From c12498aced30249f595644ebfc3f087c06aa5382 Mon Sep 17 00:00:00 2001
From: Dmitry Smirnov <onlyjob@debian.org>
Date: Tue, 11 Sep 2018 05:03:46 +0100
Subject: [PATCH 1/1] Import docker.io_18.06.1+dfsg1.orig.tar.xz

[dgit import orig docker.io_18.06.1+dfsg1.orig.tar.xz]
---
 CHANGELOG.md                                  |   203 +
 CONTRIBUTING.md                               |   126 +
 Makefile                                      |    56 +
 README.md                                     |    94 +
 VERSION                                       |     1 +
 cli/.dockerignore                             |     2 +
 cli/.mailmap                                  |   477 +
 cli/AUTHORS                                   |   648 +
 cli/CONTRIBUTING.md                           |   365 +
 cli/Jenkinsfile                               |    12 +
 cli/LICENSE                                   |   191 +
 cli/MAINTAINERS                               |   136 +
 cli/Makefile                                  |    90 +
 cli/NOTICE                                    |    19 +
 cli/README.md                                 |    69 +
 cli/TESTING.md                                |    87 +
 cli/VERSION                                   |     1 +
 cli/appveyor.yml                              |    23 +
 cli/circle.yml                                |   116 +
 cli/cli/cobra.go                              |   152 +
 cli/cli/command/bundlefile/bundlefile.go      |    70 +
 cli/cli/command/bundlefile/bundlefile_test.go |    78 +
 cli/cli/command/checkpoint/client_test.go     |    36 +
 cli/cli/command/checkpoint/cmd.go             |    28 +
 cli/cli/command/checkpoint/create.go          |    57 +
 cli/cli/command/checkpoint/create_test.go     |    72 +
 cli/cli/command/checkpoint/list.go            |    54 +
 cli/cli/command/checkpoint/list_test.go       |    67 +
 cli/cli/command/checkpoint/remove.go          |    44 +
 cli/cli/command/checkpoint/remove_test.go     |    65 +
 .../checkpoint-list-with-options.golden       |     2 +
 cli/cli/command/cli.go                        |   320 +
 cli/cli/command/cli_test.go                   |   228 +
 cli/cli/command/commands/commands.go          |   133 +
 cli/cli/command/config/client_test.go         |    45 +
 cli/cli/command/config/cmd.go                 |    29 +
 cli/cli/command/config/create.go              |    86 +
 cli/cli/command/config/create_test.go         |   143 +
 cli/cli/command/config/inspect.go             |    66 +
 cli/cli/command/config/inspect_test.go        |   172 +
 cli/cli/command/config/ls.go                  |    77 +
 cli/cli/command/config/ls_test.go             |   158 +
 cli/cli/command/config/remove.go              |    53 +
 cli/cli/command/config/remove_test.go         |    79 +
 .../testdata/config-create-with-name.golden   |     1 +
 .../config-inspect-pretty.simple.golden       |     8 +
 ...g-inspect-with-format.json-template.golden |     1 +
 ...inspect-with-format.simple-template.golden |     1 +
 ...format.multiple-configs-with-labels.golden |    26 +
 ...nspect-without-format.single-config.golden |    12 +
 .../config/testdata/config-list-sort.golden   |     4 +
 .../config-list-with-config-format.golden     |     2 +
 .../testdata/config-list-with-filter.golden   |     3 +
 .../testdata/config-list-with-format.golden   |     2 +
 .../config-list-with-quiet-option.golden      |     2 +
 cli/cli/command/container/attach.go           |   181 +
 cli/cli/command/container/attach_test.go      |   129 +
 cli/cli/command/container/client_test.go      |   126 +
 cli/cli/command/container/cmd.go              |    45 +
 cli/cli/command/container/commit.go           |    75 +
 cli/cli/command/container/cp.go               |   304 +
 cli/cli/command/container/cp_test.go          |   192 +
 cli/cli/command/container/create.go           |   229 +
 cli/cli/command/container/create_test.go      |   172 +
 cli/cli/command/container/diff.go             |    47 +
 cli/cli/command/container/exec.go             |   214 +
 cli/cli/command/container/exec_test.go        |   227 +
 cli/cli/command/container/export.go           |    58 +
 cli/cli/command/container/hijack.go           |   208 +
 cli/cli/command/container/inspect.go          |    47 +
 cli/cli/command/container/kill.go             |    56 +
 cli/cli/command/container/list.go             |   140 +
 cli/cli/command/container/list_test.go        |   164 +
 cli/cli/command/container/logs.go             |    80 +
 cli/cli/command/container/logs_test.go        |    62 +
 cli/cli/command/container/opts.go             |   836 +
 cli/cli/command/container/opts_test.go        |   646 +
 cli/cli/command/container/pause.go            |    49 +
 cli/cli/command/container/port.go             |    78 +
 cli/cli/command/container/prune.go            |    78 +
 cli/cli/command/container/ps_test.go          |   119 +
 cli/cli/command/container/rename.go           |    51 +
 cli/cli/command/container/restart.go          |    62 +
 cli/cli/command/container/rm.go               |    73 +
 cli/cli/command/container/run.go              |   341 +
 cli/cli/command/container/run_test.go         |    75 +
 cli/cli/command/container/start.go            |   202 +
 cli/cli/command/container/stats.go            |   245 +
 cli/cli/command/container/stats_helpers.go    |   239 +
 .../command/container/stats_helpers_test.go   |    47 +
 cli/cli/command/container/stats_unit_test.go  |    25 +
 cli/cli/command/container/stop.go             |    67 +
 .../container-list-format-name-name.golden    |     2 +
 .../container-list-format-with-arg.golden     |     2 +
 .../container-list-with-config-format.golden  |     2 +
 .../container-list-with-format.golden         |     2 +
 ...tainer-list-without-format-no-trunc.golden |     3 +
 .../container-list-without-format.golden      |     6 +
 cli/cli/command/container/testdata/utf16.env  |   Bin 0 -> 54 bytes
 .../command/container/testdata/utf16be.env    |   Bin 0 -> 54 bytes
 cli/cli/command/container/testdata/utf8.env   |     3 +
 cli/cli/command/container/testdata/valid.env  |     1 +
 .../command/container/testdata/valid.label    |     1 +
 cli/cli/command/container/top.go              |    57 +
 cli/cli/command/container/tty.go              |   103 +
 cli/cli/command/container/unpause.go          |    50 +
 cli/cli/command/container/update.go           |   133 +
 cli/cli/command/container/utils.go            |   162 +
 cli/cli/command/container/utils_test.go       |    70 +
 cli/cli/command/container/wait.go             |    53 +
 cli/cli/command/events_utils.go               |    47 +
 cli/cli/command/formatter/checkpoint.go       |    52 +
 cli/cli/command/formatter/checkpoint_test.go  |    52 +
 cli/cli/command/formatter/config.go           |   171 +
 cli/cli/command/formatter/config_test.go      |    64 +
 cli/cli/command/formatter/container.go        |   344 +
 cli/cli/command/formatter/container_test.go   |   658 +
 cli/cli/command/formatter/custom.go           |    35 +
 cli/cli/command/formatter/custom_test.go      |    28 +
 cli/cli/command/formatter/diff.go             |    72 +
 cli/cli/command/formatter/diff_test.go        |    60 +
 cli/cli/command/formatter/disk_usage.go       |   425 +
 cli/cli/command/formatter/disk_usage_test.go  |   110 +
 cli/cli/command/formatter/displayutils.go     |    61 +
 .../command/formatter/displayutils_test.go    |    31 +
 cli/cli/command/formatter/formatter.go        |   119 +
 cli/cli/command/formatter/history.go          |   109 +
 cli/cli/command/formatter/history_test.go     |   226 +
 cli/cli/command/formatter/image.go            |   272 +
 cli/cli/command/formatter/image_test.go       |   356 +
 cli/cli/command/formatter/network.go          |   129 +
 cli/cli/command/formatter/network_test.go     |   213 +
 cli/cli/command/formatter/node.go             |   336 +
 cli/cli/command/formatter/node_test.go        |   348 +
 cli/cli/command/formatter/plugin.go           |    94 +
 cli/cli/command/formatter/plugin_test.go      |   183 +
 cli/cli/command/formatter/reflect.go          |    66 +
 cli/cli/command/formatter/reflect_test.go     |    66 +
 cli/cli/command/formatter/search.go           |   103 +
 cli/cli/command/formatter/search_test.go      |   280 +
 cli/cli/command/formatter/secret.go           |   178 +
 cli/cli/command/formatter/secret_test.go      |    64 +
 cli/cli/command/formatter/service.go          |   646 +
 cli/cli/command/formatter/service_test.go     |   359 +
 cli/cli/command/formatter/stack.go            |    77 +
 cli/cli/command/formatter/stack_test.go       |    73 +
 cli/cli/command/formatter/stats.go            |   224 +
 cli/cli/command/formatter/stats_test.go       |   301 +
 cli/cli/command/formatter/task.go             |   150 +
 cli/cli/command/formatter/task_test.go        |   106 +
 ...ainer-context-write-special-headers.golden |     3 +
 .../disk-usage-context-write-custom.golden    |     5 +
 .../testdata/disk-usage-raw-format.golden     |    24 +
 .../search-context-write-stars-table.golden   |     2 +
 .../search-context-write-table.golden         |     3 +
 .../testdata/service-context-write-raw.golden |    14 +
 .../task-context-write-table-custom.golden    |     3 +
 cli/cli/command/formatter/trust.go            |   150 +
 cli/cli/command/formatter/trust_test.go       |   239 +
 cli/cli/command/formatter/volume.go           |   131 +
 cli/cli/command/formatter/volume_test.go      |   183 +
 cli/cli/command/idresolver/client_test.go     |    29 +
 cli/cli/command/idresolver/idresolver.go      |    70 +
 cli/cli/command/idresolver/idresolver_test.go |   146 +
 cli/cli/command/image/build.go                |   627 +
 cli/cli/command/image/build/context.go        |   425 +
 cli/cli/command/image/build/context_test.go   |   299 +
 cli/cli/command/image/build/context_unix.go   |    11 +
 .../command/image/build/context_windows.go    |    17 +
 cli/cli/command/image/build/dockerignore.go   |    39 +
 cli/cli/command/image/build_buildkit.go       |   346 +
 cli/cli/command/image/build_session.go        |   158 +
 cli/cli/command/image/build_test.go           |   216 +
 cli/cli/command/image/client_test.go          |   124 +
 cli/cli/command/image/cmd.go                  |    33 +
 cli/cli/command/image/history.go              |    64 +
 cli/cli/command/image/history_test.go         |   105 +
 cli/cli/command/image/import.go               |    87 +
 cli/cli/command/image/import_test.go          |    97 +
 cli/cli/command/image/inspect.go              |    44 +
 cli/cli/command/image/inspect_test.go         |    88 +
 cli/cli/command/image/list.go                 |    96 +
 cli/cli/command/image/list_test.go            |    98 +
 cli/cli/command/image/load.go                 |    76 +
 cli/cli/command/image/load_test.go            |   101 +
 cli/cli/command/image/prune.go                |    94 +
 cli/cli/command/image/prune_test.go           |    94 +
 cli/cli/command/image/pull.go                 |    83 +
 cli/cli/command/image/pull_test.go            |   121 +
 cli/cli/command/image/push.go                 |    70 +
 cli/cli/command/image/push_test.go            |    71 +
 cli/cli/command/image/remove.go               |    86 +
 cli/cli/command/image/remove_test.go          |   134 +
 cli/cli/command/image/save.go                 |    73 +
 cli/cli/command/image/save_test.go            |   103 +
 cli/cli/command/image/tag.go                  |    41 +
 cli/cli/command/image/tag_test.go             |    41 +
 .../history-command-success.non-human.golden  |     2 +
 ...tory-command-success.quiet-no-trunc.golden |     1 +
 .../history-command-success.quiet.golden      |     1 +
 .../history-command-success.simple.golden     |     2 +
 .../testdata/import-command-success.input.txt |     1 +
 .../inspect-command-success.format.golden     |     1 +
 ...inspect-command-success.simple-many.golden |    56 +
 .../inspect-command-success.simple.golden     |    29 +
 .../list-command-success.filters.golden       |     1 +
 .../list-command-success.format.golden        |     0
 .../list-command-success.match-name.golden    |     1 +
 .../list-command-success.quiet-format.golden  |     0
 .../list-command-success.simple.golden        |     1 +
 .../load-command-success.input-file.golden    |     1 +
 .../testdata/load-command-success.input.txt   |     1 +
 .../testdata/load-command-success.json.golden |     1 +
 .../load-command-success.simple.golden        |     1 +
 .../testdata/prune-command-success.all.golden |     2 +
 ...prune-command-success.force-deleted.golden |     4 +
 ...rune-command-success.force-untagged.golden |     4 +
 .../pull-command-success.simple-no-tag.golden |     1 +
 .../pull-command-success.simple.golden        |     0
 ...-success.Image Deleted and Untagged.golden |     2 +
 ...emove-command-success.Image Deleted.golden |     1 +
 ...move-command-success.Image Untagged.golden |     1 +
 ...s.Image not found with force option.golden |     0
 cli/cli/command/image/trust.go                |   352 +
 cli/cli/command/image/trust_test.go           |    73 +
 cli/cli/command/in.go                         |    56 +
 cli/cli/command/inspect/inspector.go          |   199 +
 cli/cli/command/inspect/inspector_test.go     |   259 +
 cli/cli/command/manifest/annotate.go          |    97 +
 cli/cli/command/manifest/annotate_test.go     |    77 +
 cli/cli/command/manifest/client_test.go       |    48 +
 cli/cli/command/manifest/cmd.go               |    45 +
 cli/cli/command/manifest/create_list.go       |    82 +
 cli/cli/command/manifest/create_test.go       |   116 +
 cli/cli/command/manifest/inspect.go           |   148 +
 cli/cli/command/manifest/inspect_test.go      |   146 +
 cli/cli/command/manifest/push.go              |   281 +
 cli/cli/command/manifest/push_test.go         |    69 +
 .../manifest/testdata/inspect-annotate.golden |    32 +
 .../testdata/inspect-manifest-list.golden     |    24 +
 .../manifest/testdata/inspect-manifest.golden |    16 +
 cli/cli/command/manifest/util.go              |    80 +
 cli/cli/command/network/client_test.go        |    45 +
 cli/cli/command/network/cmd.go                |    28 +
 cli/cli/command/network/connect.go            |    63 +
 cli/cli/command/network/connect_test.go       |    70 +
 cli/cli/command/network/create.go             |   248 +
 cli/cli/command/network/create_test.go        |   174 +
 cli/cli/command/network/disconnect.go         |    41 +
 cli/cli/command/network/disconnect_test.go    |    41 +
 cli/cli/command/network/inspect.go            |    48 +
 cli/cli/command/network/list.go               |    75 +
 cli/cli/command/network/list_test.go          |    63 +
 cli/cli/command/network/prune.go              |    76 +
 cli/cli/command/network/remove.go             |    53 +
 .../network/testdata/network-list.golden      |     2 +
 cli/cli/command/node/client_test.go           |    69 +
 cli/cli/command/node/cmd.go                   |    60 +
 cli/cli/command/node/demote.go                |    36 +
 cli/cli/command/node/demote_test.go           |    84 +
 cli/cli/command/node/inspect.go               |    72 +
 cli/cli/command/node/inspect_test.go          |   118 +
 cli/cli/command/node/list.go                  |    85 +
 cli/cli/command/node/list_test.go             |   141 +
 cli/cli/command/node/opts.go                  |    23 +
 cli/cli/command/node/promote.go               |    36 +
 cli/cli/command/node/promote_test.go          |    84 +
 cli/cli/command/node/ps.go                    |   104 +
 cli/cli/command/node/ps_test.go               |   128 +
 cli/cli/command/node/remove.go                |    56 +
 cli/cli/command/node/remove_test.go           |    44 +
 .../node-inspect-pretty.manager-leader.golden |    24 +
 .../node-inspect-pretty.manager.golden        |    24 +
 .../node-inspect-pretty.simple.golden         |    22 +
 .../testdata/node-list-format-flag.golden     |     2 +
 .../node-list-format-from-config.golden       |     3 +
 .../node/testdata/node-list-sort.golden       |     4 +
 .../node/testdata/node-ps.simple.golden       |     2 +
 .../node/testdata/node-ps.with-errors.golden  |     4 +
 cli/cli/command/node/update.go                |   120 +
 cli/cli/command/node/update_test.go           |   169 +
 cli/cli/command/orchestrator.go               |    77 +
 cli/cli/command/orchestrator_test.go          |   118 +
 cli/cli/command/out.go                        |    50 +
 cli/cli/command/plugin/client_test.go         |    45 +
 cli/cli/command/plugin/cmd.go                 |    32 +
 cli/cli/command/plugin/create.go              |   128 +
 cli/cli/command/plugin/create_test.go         |   123 +
 cli/cli/command/plugin/disable.go             |    36 +
 cli/cli/command/plugin/disable_test.go        |    58 +
 cli/cli/command/plugin/enable.go              |    48 +
 cli/cli/command/plugin/enable_test.go         |    70 +
 cli/cli/command/plugin/inspect.go             |    43 +
 cli/cli/command/plugin/install.go             |   174 +
 cli/cli/command/plugin/list.go                |    64 +
 cli/cli/command/plugin/push.go                |    76 +
 cli/cli/command/plugin/remove.go              |    54 +
 cli/cli/command/plugin/remove_test.go         |    71 +
 cli/cli/command/plugin/set.go                 |    22 +
 cli/cli/command/plugin/upgrade.go             |    90 +
 cli/cli/command/registry.go                   |   199 +
 cli/cli/command/registry/login.go             |   169 +
 cli/cli/command/registry/login_test.go        |   157 +
 cli/cli/command/registry/logout.go            |    76 +
 cli/cli/command/registry/search.go            |   104 +
 cli/cli/command/registry_test.go              |   147 +
 cli/cli/command/secret/client_test.go         |    45 +
 cli/cli/command/secret/cmd.go                 |    29 +
 cli/cli/command/secret/create.go              |   109 +
 cli/cli/command/secret/create_test.go         |   169 +
 cli/cli/command/secret/inspect.go             |    65 +
 cli/cli/command/secret/inspect_test.go        |   173 +
 cli/cli/command/secret/ls.go                  |    76 +
 cli/cli/command/secret/ls_test.go             |   160 +
 cli/cli/command/secret/remove.go              |    53 +
 cli/cli/command/secret/remove_test.go         |    79 +
 .../testdata/secret-create-with-name.golden   |     1 +
 .../secret-inspect-pretty.simple.golden       |     7 +
 ...t-inspect-with-format.json-template.golden |     1 +
 ...inspect-with-format.simple-template.golden |     1 +
 ...format.multiple-secrets-with-labels.golden |    26 +
 ...nspect-without-format.single-secret.golden |    12 +
 .../secret/testdata/secret-list-sort.golden   |     4 +
 .../secret-list-with-config-format.golden     |     2 +
 .../testdata/secret-list-with-filter.golden   |     3 +
 .../testdata/secret-list-with-format.golden   |     2 +
 .../secret-list-with-quiet-option.golden      |     2 +
 cli/cli/command/service/client_test.go        |    77 +
 cli/cli/command/service/cmd.go                |    34 +
 cli/cli/command/service/create.go             |   137 +
 .../command/service/generic_resource_opts.go  |   105 +
 .../service/generic_resource_opts_test.go     |    23 +
 cli/cli/command/service/helpers.go            |    33 +
 cli/cli/command/service/inspect.go            |    93 +
 cli/cli/command/service/inspect_test.go       |   160 +
 cli/cli/command/service/list.go               |   139 +
 cli/cli/command/service/list_test.go          |    28 +
 cli/cli/command/service/logs.go               |   349 +
 cli/cli/command/service/opts.go               |   909 +
 cli/cli/command/service/opts_test.go          |   226 +
 cli/cli/command/service/parse.go              |   118 +
 cli/cli/command/service/progress/progress.go  |   504 +
 .../command/service/progress/progress_test.go |   375 +
 cli/cli/command/service/ps.go                 |   155 +
 cli/cli/command/service/ps_test.go            |   135 +
 cli/cli/command/service/remove.go             |    48 +
 cli/cli/command/service/rollback.go           |    64 +
 cli/cli/command/service/rollback_test.go      |   104 +
 cli/cli/command/service/scale.go              |   122 +
 .../service/testdata/service-list-sort.golden |     3 +
 cli/cli/command/service/trust.go              |    87 +
 cli/cli/command/service/update.go             |  1205 +
 cli/cli/command/service/update_test.go        |   778 +
 cli/cli/command/stack/client_test.go          |   239 +
 cli/cli/command/stack/cmd.go                  |   128 +
 cli/cli/command/stack/common.go               |    31 +
 cli/cli/command/stack/deploy.go               |    90 +
 cli/cli/command/stack/deploy_test.go          |    17 +
 cli/cli/command/stack/kubernetes/cli.go       |   126 +
 cli/cli/command/stack/kubernetes/client.go    |   103 +
 .../command/stack/kubernetes/conversion.go    |   240 +
 .../stack/kubernetes/conversion_test.go       |   192 +
 cli/cli/command/stack/kubernetes/convert.go   |   332 +
 cli/cli/command/stack/kubernetes/deploy.go    |   158 +
 cli/cli/command/stack/kubernetes/list.go      |   136 +
 cli/cli/command/stack/kubernetes/ps.go        |   112 +
 cli/cli/command/stack/kubernetes/remove.go    |    27 +
 cli/cli/command/stack/kubernetes/services.go  |   158 +
 .../command/stack/kubernetes/services_test.go |   138 +
 cli/cli/command/stack/kubernetes/stack.go     |   107 +
 .../command/stack/kubernetes/stackclient.go   |   197 +
 .../stack/kubernetes/stackclient_test.go      |    64 +
 .../stack/kubernetes/testdata/warnings.golden |    31 +
 cli/cli/command/stack/kubernetes/warnings.go  |   145 +
 .../command/stack/kubernetes/warnings_test.go |    78 +
 cli/cli/command/stack/kubernetes/watcher.go   |   255 +
 .../command/stack/kubernetes/watcher_test.go  |   218 +
 cli/cli/command/stack/list.go                 |    79 +
 cli/cli/command/stack/list_test.go            |   152 +
 cli/cli/command/stack/loader/loader.go        |   152 +
 cli/cli/command/stack/loader/loader_test.go   |    47 +
 cli/cli/command/stack/options/opts.go         |    43 +
 cli/cli/command/stack/ps.go                   |    48 +
 cli/cli/command/stack/ps_test.go              |   171 +
 cli/cli/command/stack/remove.go               |    43 +
 cli/cli/command/stack/remove_test.go          |   166 +
 cli/cli/command/stack/services.go             |    46 +
 cli/cli/command/stack/services_test.go        |   170 +
 cli/cli/command/stack/swarm/client_test.go    |   239 +
 cli/cli/command/stack/swarm/common.go         |    50 +
 cli/cli/command/stack/swarm/deploy.go         |    80 +
 .../command/stack/swarm/deploy_bundlefile.go  |   124 +
 .../stack/swarm/deploy_bundlefile_test.go     |    50 +
 .../command/stack/swarm/deploy_composefile.go |   281 +
 .../stack/swarm/deploy_composefile_test.go    |    67 +
 cli/cli/command/stack/swarm/deploy_test.go    |   110 +
 cli/cli/command/stack/swarm/list.go           |    45 +
 cli/cli/command/stack/swarm/ps.go             |    35 +
 cli/cli/command/stack/swarm/remove.go         |   140 +
 cli/cli/command/stack/swarm/services.go       |    66 +
 .../testdata/bundlefile_with_two_services.dab |    29 +
 .../testdata/stack-list-sort-natural.golden   |     4 +
 .../stack/testdata/stack-list-sort.golden     |     3 +
 .../testdata/stack-list-with-format.golden    |     1 +
 .../testdata/stack-list-without-format.golden |     2 +
 .../stack-ps-with-config-format.golden        |     1 +
 .../testdata/stack-ps-with-format.golden      |     1 +
 .../stack-ps-with-no-resolve-option.golden    |     1 +
 .../stack-ps-with-no-trunc-option.golden      |     1 +
 .../stack-ps-with-quiet-option.golden         |     1 +
 .../testdata/stack-ps-without-format.golden   |     2 +
 .../stack-services-with-config-format.golden  |     1 +
 .../stack-services-with-format.golden         |     1 +
 .../stack-services-with-quiet-option.golden   |     1 +
 .../stack-services-without-format.golden      |     2 +
 cli/cli/command/stream.go                     |    34 +
 cli/cli/command/swarm/ca.go                   |   141 +
 cli/cli/command/swarm/ca_test.go              |   300 +
 cli/cli/command/swarm/client_test.go          |    85 +
 cli/cli/command/swarm/cmd.go                  |    33 +
 cli/cli/command/swarm/init.go                 |    98 +
 cli/cli/command/swarm/init_test.go            |   125 +
 cli/cli/command/swarm/join.go                 |    87 +
 cli/cli/command/swarm/join_test.go            |   100 +
 cli/cli/command/swarm/join_token.go           |   119 +
 cli/cli/command/swarm/join_token_test.go      |   211 +
 cli/cli/command/swarm/leave.go                |    43 +
 cli/cli/command/swarm/leave_test.go           |    50 +
 cli/cli/command/swarm/opts.go                 |   273 +
 cli/cli/command/swarm/opts_test.go            |   111 +
 .../command/swarm/progress/root_rotation.go   |   120 +
 .../swarm/testdata/init-init-autolock.golden  |    11 +
 .../command/swarm/testdata/init-init.golden   |     4 +
 .../testdata/jointoken-manager-quiet.golden   |     1 +
 .../testdata/jointoken-manager-rotate.golden  |     6 +
 .../swarm/testdata/jointoken-manager.golden   |     4 +
 .../testdata/jointoken-worker-quiet.golden    |     1 +
 .../swarm/testdata/jointoken-worker.golden    |     4 +
 .../unlockkeys-unlock-key-quiet.golden        |     1 +
 .../unlockkeys-unlock-key-rotate-quiet.golden |     1 +
 .../unlockkeys-unlock-key-rotate.golden       |     9 +
 .../testdata/unlockkeys-unlock-key.golden     |     7 +
 .../testdata/update-all-flags-quiet.golden    |     1 +
 .../update-autolock-unlock-key.golden         |     8 +
 .../swarm/testdata/update-noargs.golden       |    14 +
 cli/cli/command/swarm/unlock.go               |    74 +
 cli/cli/command/swarm/unlock_key.go           |    89 +
 cli/cli/command/swarm/unlock_key_test.go      |   171 +
 cli/cli/command/swarm/unlock_test.go          |    98 +
 cli/cli/command/swarm/update.go               |    71 +
 cli/cli/command/swarm/update_test.go          |   185 +
 cli/cli/command/system/client_test.go         |    23 +
 cli/cli/command/system/cmd.go                 |    25 +
 cli/cli/command/system/df.go                  |    70 +
 cli/cli/command/system/events.go              |   142 +
 cli/cli/command/system/info.go                |   360 +
 cli/cli/command/system/info_test.go           |   238 +
 cli/cli/command/system/inspect.go             |   218 +
 cli/cli/command/system/prune.go               |   139 +
 cli/cli/command/system/prune_test.go          |    22 +
 .../testdata/docker-client-version.golden     |    44 +
 .../testdata/docker-info-no-swarm.golden      |    51 +
 .../testdata/docker-info-warnings.golden      |    11 +
 .../testdata/docker-info-with-swarm.golden    |    73 +
 cli/cli/command/system/version.go             |   270 +
 cli/cli/command/system/version_test.go        |   113 +
 cli/cli/command/task/client_test.go           |    29 +
 cli/cli/command/task/print.go                 |    93 +
 cli/cli/command/task/print_test.go            |   128 +
 .../task-print-with-global-service.golden     |     1 +
 .../task-print-with-indentation.golden        |     3 +
 .../task-print-with-no-trunc-option.golden    |     1 +
 .../task-print-with-quiet-option.golden       |     1 +
 .../task-print-with-replicated-service.golden |     1 +
 .../task-print-with-resolution.golden         |     1 +
 cli/cli/command/trust.go                      |    15 +
 cli/cli/command/trust/cmd.go                  |    25 +
 cli/cli/command/trust/common.go               |   167 +
 cli/cli/command/trust/helpers.go              |    47 +
 cli/cli/command/trust/helpers_test.go         |    24 +
 cli/cli/command/trust/inspect.go              |   115 +
 cli/cli/command/trust/inspect_pretty.go       |    90 +
 cli/cli/command/trust/inspect_pretty_test.go  |   442 +
 cli/cli/command/trust/inspect_test.go         |   131 +
 cli/cli/command/trust/key.go                  |    22 +
 cli/cli/command/trust/key_generate.go         |   134 +
 cli/cli/command/trust/key_generate_test.go    |   134 +
 cli/cli/command/trust/key_load.go             |   115 +
 cli/cli/command/trust/key_load_test.go        |   253 +
 cli/cli/command/trust/revoke.go               |   125 +
 cli/cli/command/trust/revoke_test.go          |   148 +
 cli/cli/command/trust/sign.go                 |   247 +
 cli/cli/command/trust/sign_test.go            |   309 +
 cli/cli/command/trust/signer.go               |    22 +
 cli/cli/command/trust/signer_add.go           |   141 +
 cli/cli/command/trust/signer_add_test.go      |   147 +
 cli/cli/command/trust/signer_remove.go        |   142 +
 cli/cli/command/trust/signer_remove_test.go   |   128 +
 .../testdata/trust-inspect-empty-repo.golden  |    25 +
 .../trust-inspect-full-repo-no-signers.golden |    33 +
 ...rust-inspect-full-repo-with-signers.golden |    65 +
 ...inspect-multiple-repos-with-signers.golden |   128 +
 .../trust-inspect-one-tag-no-signers.golden   |    33 +
 ...inspect-pretty-full-repo-no-signers.golden |    10 +
 ...spect-pretty-full-repo-with-signers.golden |    18 +
 ...t-inspect-pretty-one-tag-no-signers.golden |    10 +
 ...ct-pretty-unsigned-tag-with-signers.golden |    14 +
 .../trust-inspect-uninitialized.golden        |     1 +
 ...t-inspect-unsigned-tag-with-signers.golden |    42 +
 cli/cli/command/utils.go                      |   127 +
 cli/cli/command/volume/client_test.go         |    54 +
 cli/cli/command/volume/cmd.go                 |    26 +
 cli/cli/command/volume/create.go              |    69 +
 cli/cli/command/volume/create_test.go         |   126 +
 cli/cli/command/volume/inspect.go             |    46 +
 cli/cli/command/volume/inspect_test.go        |   141 +
 cli/cli/command/volume/list.go                |    73 +
 cli/cli/command/volume/list_test.go           |   111 +
 cli/cli/command/volume/prune.go               |    78 +
 cli/cli/command/volume/prune_test.go          |   119 +
 cli/cli/command/volume/remove.go              |    69 +
 cli/cli/command/volume/remove_test.go         |    44 +
 ...e-inspect-with-format.json-template.golden |     1 +
 ...inspect-with-format.simple-template.golden |     1 +
 ...-format.multiple-volume-with-labels.golden |    22 +
 ...nspect-without-format.single-volume.golden |    10 +
 .../volume-list-with-config-format.golden     |     3 +
 .../testdata/volume-list-with-format.golden   |     3 +
 .../volume-list-without-format.golden         |     4 +
 .../volume/testdata/volume-prune-no.golden    |     2 +
 .../volume/testdata/volume-prune-yes.golden   |     7 +
 .../volume-prune.deletedVolumes.golden        |     6 +
 .../volume/testdata/volume-prune.empty.golden |     1 +
 cli/cli/compose/convert/compose.go            |   159 +
 cli/cli/compose/convert/compose_test.go       |   171 +
 cli/cli/compose/convert/service.go            |   615 +
 cli/cli/compose/convert/service_test.go       |   566 +
 cli/cli/compose/convert/volume.go             |   140 +
 cli/cli/compose/convert/volume_test.go        |   345 +
 .../compose/interpolation/interpolation.go    |   163 +
 .../interpolation/interpolation_test.go       |   147 +
 cli/cli/compose/loader/example1.env           |     8 +
 cli/cli/compose/loader/example2.env           |     4 +
 cli/cli/compose/loader/full-example.yml       |   404 +
 cli/cli/compose/loader/full-struct_test.go    |   889 +
 cli/cli/compose/loader/interpolate.go         |    69 +
 cli/cli/compose/loader/loader.go              |   907 +
 cli/cli/compose/loader/loader_test.go         |  1465 +
 cli/cli/compose/loader/merge.go               |   233 +
 cli/cli/compose/loader/merge_test.go          |  1016 +
 cli/cli/compose/loader/types_test.go          |    26 +
 cli/cli/compose/loader/volume.go              |   122 +
 cli/cli/compose/loader/volume_test.go         |   223 +
 cli/cli/compose/schema/bindata.go             |   520 +
 .../schema/data/config_schema_v3.0.json       |   384 +
 .../schema/data/config_schema_v3.1.json       |   429 +
 .../schema/data/config_schema_v3.2.json       |   476 +
 .../schema/data/config_schema_v3.3.json       |   536 +
 .../schema/data/config_schema_v3.4.json       |   544 +
 .../schema/data/config_schema_v3.5.json       |   573 +
 .../schema/data/config_schema_v3.6.json       |   582 +
 .../schema/data/config_schema_v3.7.json       |   602 +
 cli/cli/compose/schema/schema.go              |   168 +
 cli/cli/compose/schema/schema_test.go         |   238 +
 cli/cli/compose/template/template.go          |   168 +
 cli/cli/compose/template/template_test.go     |   174 +
 cli/cli/compose/types/types.go                |   428 +
 cli/cli/config/config.go                      |   120 +
 cli/cli/config/config_test.go                 |   550 +
 cli/cli/config/configfile/file.go             |   335 +
 cli/cli/config/configfile/file_test.go        |   415 +
 cli/cli/config/credentials/credentials.go     |    17 +
 cli/cli/config/credentials/default_store.go   |    21 +
 .../credentials/default_store_darwin.go       |     5 +
 .../config/credentials/default_store_linux.go |    13 +
 .../credentials/default_store_unsupported.go  |     7 +
 .../credentials/default_store_windows.go      |     5 +
 cli/cli/config/credentials/file_store.go      |    64 +
 cli/cli/config/credentials/file_store_test.go |   136 +
 cli/cli/config/credentials/native_store.go    |   143 +
 .../config/credentials/native_store_test.go   |   277 +
 cli/cli/debug/debug.go                        |    26 +
 cli/cli/debug/debug_test.go                   |    43 +
 cli/cli/error.go                              |    33 +
 cli/cli/flags/client.go                       |    12 +
 cli/cli/flags/common.go                       |   118 +
 cli/cli/flags/common_test.go                  |    43 +
 cli/cli/manifest/store/store.go               |   180 +
 cli/cli/manifest/store/store_test.go          |   136 +
 cli/cli/manifest/types/types.go               |   114 +
 cli/cli/registry/client/client.go             |   183 +
 cli/cli/registry/client/endpoint.go           |   133 +
 cli/cli/registry/client/fetcher.go            |   302 +
 cli/cli/required.go                           |   107 +
 cli/cli/required_test.go                      |   138 +
 cli/cli/trust/trust.go                        |   388 +
 cli/cli/trust/trust_test.go                   |    61 +
 cli/cli/version.go                            |    10 +
 cli/cli/winresources/res_windows.go           |    18 +
 cli/cmd/docker/docker.go                      |   378 +
 cli/cmd/docker/docker_test.go                 |    33 +
 cli/cmd/docker/docker_windows.go              |     3 +
 cli/codecov.yml                               |    22 +
 cli/contrib/completion/bash/docker            |  5159 ++
 cli/contrib/completion/fish/docker.fish       |   564 +
 cli/contrib/completion/powershell/readme.txt  |     2 +
 cli/contrib/completion/zsh/REVIEWERS          |     2 +
 cli/contrib/completion/zsh/_docker            |  3032 +
 cli/docker.Makefile                           |   123 +
 cli/dockerfiles/Dockerfile.binary-native      |     8 +
 cli/dockerfiles/Dockerfile.cross              |     3 +
 cli/dockerfiles/Dockerfile.dev                |    24 +
 cli/dockerfiles/Dockerfile.e2e                |    34 +
 cli/dockerfiles/Dockerfile.lint               |    24 +
 cli/dockerfiles/Dockerfile.shellcheck         |     9 +
 cli/docs/README.md                            |    30 +
 cli/docs/deprecated.md                        |   356 +
 cli/docs/extend/EBS_volume.md                 |   165 +
 cli/docs/extend/config.md                     |   237 +
 .../extend/images/authz_additional_info.png   |   Bin 0 -> 45916 bytes
 cli/docs/extend/images/authz_allow.png        |   Bin 0 -> 33505 bytes
 cli/docs/extend/images/authz_chunked.png      |   Bin 0 -> 33168 bytes
 .../extend/images/authz_connection_hijack.png |   Bin 0 -> 38780 bytes
 cli/docs/extend/images/authz_deny.png         |   Bin 0 -> 27099 bytes
 cli/docs/extend/index.md                      |   263 +
 cli/docs/extend/legacy_plugins.md             |   104 +
 cli/docs/extend/plugin_api.md                 |   195 +
 cli/docs/extend/plugins_authorization.md      |   259 +
 cli/docs/extend/plugins_graphdriver.md        |   403 +
 cli/docs/extend/plugins_logging.md            |   219 +
 cli/docs/extend/plugins_metrics.md            |    84 +
 cli/docs/extend/plugins_network.md            |    78 +
 cli/docs/extend/plugins_services.md           |   185 +
 cli/docs/extend/plugins_volume.md             |   359 +
 cli/docs/reference/builder.md                 |  1983 +
 cli/docs/reference/commandline/attach.md      |   160 +
 cli/docs/reference/commandline/build.md       |   611 +
 cli/docs/reference/commandline/cli.md         |   328 +
 cli/docs/reference/commandline/commit.md      |   117 +
 cli/docs/reference/commandline/container.md   |    61 +
 .../reference/commandline/container_prune.md  |   126 +
 cli/docs/reference/commandline/cp.md          |   118 +
 cli/docs/reference/commandline/create.md      |   260 +
 cli/docs/reference/commandline/deploy.md      |   111 +
 cli/docs/reference/commandline/diff.md        |    67 +
 cli/docs/reference/commandline/dockerd.md     |  1514 +
 cli/docs/reference/commandline/events.md      |   413 +
 cli/docs/reference/commandline/exec.md        |   125 +
 cli/docs/reference/commandline/export.md      |    48 +
 cli/docs/reference/commandline/history.md     |    87 +
 cli/docs/reference/commandline/image.md       |    47 +
 cli/docs/reference/commandline/image_prune.md |   213 +
 cli/docs/reference/commandline/images.md      |   343 +
 cli/docs/reference/commandline/import.md      |    89 +
 cli/docs/reference/commandline/index.md       |   184 +
 cli/docs/reference/commandline/info.md        |   245 +
 cli/docs/reference/commandline/inspect.md     |   122 +
 cli/docs/reference/commandline/kill.md        |    71 +
 cli/docs/reference/commandline/load.md        |    63 +
 cli/docs/reference/commandline/login.md       |   184 +
 cli/docs/reference/commandline/logout.md      |    32 +
 cli/docs/reference/commandline/logs.md        |    85 +
 cli/docs/reference/commandline/manifest.md    |   274 +
 cli/docs/reference/commandline/network.md     |    51 +
 .../reference/commandline/network_connect.md  |   117 +
 .../reference/commandline/network_create.md   |   240 +
 .../commandline/network_disconnect.md         |    48 +
 .../reference/commandline/network_inspect.md  |   307 +
 cli/docs/reference/commandline/network_ls.md  |   250 +
 .../reference/commandline/network_prune.md    |   104 +
 cli/docs/reference/commandline/network_rm.md  |    68 +
 cli/docs/reference/commandline/node.md        |    42 +
 cli/docs/reference/commandline/node_demote.md |    47 +
 .../reference/commandline/node_inspect.md     |   167 +
 cli/docs/reference/commandline/node_ls.md     |   172 +
 .../reference/commandline/node_promote.md     |    45 +
 cli/docs/reference/commandline/node_ps.md     |   148 +
 cli/docs/reference/commandline/node_rm.md     |    80 +
 cli/docs/reference/commandline/node_update.md |    77 +
 cli/docs/reference/commandline/pause.md       |    48 +
 cli/docs/reference/commandline/plugin.md      |    44 +
 .../reference/commandline/plugin_create.md    |    66 +
 .../reference/commandline/plugin_disable.md   |    69 +
 .../reference/commandline/plugin_enable.md    |    68 +
 .../reference/commandline/plugin_inspect.md   |   166 +
 .../reference/commandline/plugin_install.md   |    75 +
 cli/docs/reference/commandline/plugin_ls.md   |   118 +
 cli/docs/reference/commandline/plugin_push.md |    57 +
 cli/docs/reference/commandline/plugin_rm.md   |    63 +
 cli/docs/reference/commandline/plugin_set.md  |   172 +
 .../reference/commandline/plugin_upgrade.md   |   100 +
 cli/docs/reference/commandline/port.md        |    47 +
 cli/docs/reference/commandline/ps.md          |   434 +
 cli/docs/reference/commandline/pull.md        |   254 +
 cli/docs/reference/commandline/push.md        |    82 +
 cli/docs/reference/commandline/rename.md      |    35 +
 cli/docs/reference/commandline/restart.md     |    32 +
 cli/docs/reference/commandline/rm.md          |   100 +
 cli/docs/reference/commandline/rmi.md         |   105 +
 cli/docs/reference/commandline/run.md         |   816 +
 cli/docs/reference/commandline/save.md        |    62 +
 cli/docs/reference/commandline/search.md      |   202 +
 cli/docs/reference/commandline/secret.md      |    45 +
 .../reference/commandline/secret_create.md    |    99 +
 .../reference/commandline/secret_inspect.md   |    95 +
 cli/docs/reference/commandline/secret_ls.md   |   157 +
 cli/docs/reference/commandline/secret_rm.md   |    54 +
 cli/docs/reference/commandline/service.md     |    42 +
 .../reference/commandline/service_create.md   |   964 +
 .../reference/commandline/service_inspect.md  |   171 +
 .../reference/commandline/service_logs.md     |    86 +
 cli/docs/reference/commandline/service_ls.md  |   165 +
 cli/docs/reference/commandline/service_ps.md  |   195 +
 cli/docs/reference/commandline/service_rm.md  |    61 +
 .../reference/commandline/service_rollback.md |    94 +
 .../reference/commandline/service_scale.md    |   106 +
 .../reference/commandline/service_update.md   |   311 +
 cli/docs/reference/commandline/stack.md       |    41 +
 .../reference/commandline/stack_deploy.md     |   148 +
 cli/docs/reference/commandline/stack_ls.md    |    81 +
 cli/docs/reference/commandline/stack_ps.md    |   233 +
 cli/docs/reference/commandline/stack_rm.md    |    81 +
 .../reference/commandline/stack_services.md   |   122 +
 cli/docs/reference/commandline/start.md       |    34 +
 cli/docs/reference/commandline/stats.md       |   175 +
 cli/docs/reference/commandline/stop.md        |    37 +
 cli/docs/reference/commandline/swarm.md       |    41 +
 cli/docs/reference/commandline/swarm_ca.md    |   122 +
 cli/docs/reference/commandline/swarm_init.md  |   168 +
 cli/docs/reference/commandline/swarm_join.md  |   133 +
 .../reference/commandline/swarm_join_token.md |   115 +
 cli/docs/reference/commandline/swarm_leave.md |    72 +
 .../reference/commandline/swarm_unlock.md     |    49 +
 .../reference/commandline/swarm_unlock_key.md |    92 +
 .../reference/commandline/swarm_update.md     |    52 +
 cli/docs/reference/commandline/system.md      |    37 +
 cli/docs/reference/commandline/system_df.md   |   140 +
 .../reference/commandline/system_events.md    |   345 +
 .../reference/commandline/system_prune.md     |   155 +
 cli/docs/reference/commandline/tag.md         |    84 +
 cli/docs/reference/commandline/top.md         |    25 +
 .../reference/commandline/trust_inspect.md    |   470 +
 .../commandline/trust_key_generate.md         |    67 +
 .../reference/commandline/trust_key_load.md   |    57 +
 .../reference/commandline/trust_revoke.md     |   130 +
 cli/docs/reference/commandline/trust_sign.md  |   184 +
 .../reference/commandline/trust_signer_add.md |   211 +
 .../commandline/trust_signer_remove.md        |   172 +
 cli/docs/reference/commandline/unpause.md     |    45 +
 cli/docs/reference/commandline/update.md      |   127 +
 cli/docs/reference/commandline/version.md     |    75 +
 cli/docs/reference/commandline/volume.md      |    48 +
 .../reference/commandline/volume_create.md    |   125 +
 .../reference/commandline/volume_inspect.md   |    61 +
 cli/docs/reference/commandline/volume_ls.md   |   199 +
 .../reference/commandline/volume_prune.md     |    73 +
 cli/docs/reference/commandline/volume_rm.md   |    48 +
 cli/docs/reference/commandline/wait.md        |    58 +
 cli/docs/reference/glossary.md                |   373 +
 cli/docs/reference/index.md                   |    20 +
 cli/docs/reference/run.md                     |  1615 +
 cli/docs/yaml/Dockerfile                      |     4 +
 cli/docs/yaml/generate.go                     |    86 +
 cli/docs/yaml/yaml.go                         |   270 +
 cli/e2e/compose-env.yaml                      |    18 +
 cli/e2e/container/attach_test.go              |    31 +
 cli/e2e/container/create_test.go              |    35 +
 cli/e2e/container/kill_test.go                |    50 +
 cli/e2e/container/main_test.go                |    17 +
 cli/e2e/container/run_test.go                 |    61 +
 ...run-attached-from-remote-and-remove.golden |     4 +
 cli/e2e/image/build_test.go                   |   110 +
 cli/e2e/image/main_test.go                    |    17 +
 cli/e2e/image/pull_test.go                    |    71 +
 cli/e2e/image/push_test.go                    |   392 +
 cli/e2e/image/testdata/notary/delgkey1.crt    |    21 +
 cli/e2e/image/testdata/notary/delgkey1.key    |    27 +
 cli/e2e/image/testdata/notary/delgkey2.crt    |    21 +
 cli/e2e/image/testdata/notary/delgkey2.key    |    27 +
 cli/e2e/image/testdata/notary/delgkey3.crt    |    21 +
 cli/e2e/image/testdata/notary/delgkey3.key    |    27 +
 cli/e2e/image/testdata/notary/delgkey4.crt    |    21 +
 cli/e2e/image/testdata/notary/delgkey4.key    |    27 +
 cli/e2e/image/testdata/notary/gen.sh          |    18 +
 cli/e2e/image/testdata/notary/localhost.cert  |    19 +
 cli/e2e/image/testdata/notary/localhost.key   |    27 +
 .../pull-with-content-trust-err.golden        |     1 +
 .../testdata/pull-with-content-trust.golden   |     4 +
 .../push-with-content-trust-err.golden        |     0
 cli/e2e/internal/fixtures/fixtures.go         |   126 +
 cli/e2e/plugin/basic/basic.go                 |    34 +
 cli/e2e/plugin/main_test.go                   |    17 +
 cli/e2e/plugin/trust_test.go                  |   114 +
 cli/e2e/stack/deploy_test.go                  |    44 +
 cli/e2e/stack/help_test.go                    |    24 +
 cli/e2e/stack/main_test.go                    |    17 +
 cli/e2e/stack/remove_test.go                  |    85 +
 cli/e2e/stack/testdata/data                   |     1 +
 cli/e2e/stack/testdata/full-stack.yml         |     9 +
 .../stack-deploy-help-kubernetes.golden       |    14 +
 .../testdata/stack-deploy-help-swarm.golden   |    19 +
 .../stack-deploy-with-names-kubernetes.golden |     7 +
 .../stack-deploy-with-names-swarm.golden      |     7 +
 .../testdata/stack-deploy-with-names.golden   |     7 +
 .../stack-remove-kubernetes-success.golden    |     1 +
 .../stack-remove-swarm-success.golden         |     3 +
 .../testdata/stack-with-named-resources.yml   |    30 +
 cli/e2e/system/inspect_test.go                |    18 +
 cli/e2e/system/main_test.go                   |    17 +
 cli/e2e/testdata/Dockerfile.notary-server     |     4 +
 cli/e2e/testdata/notary/notary-config.json    |    19 +
 cli/e2e/testdata/notary/notary-server.cert    |    64 +
 cli/e2e/testdata/notary/notary-server.key     |    28 +
 cli/e2e/testdata/notary/root-ca.cert          |    32 +
 cli/e2e/trust/main_test.go                    |    17 +
 cli/e2e/trust/revoke_test.go                  |    71 +
 cli/e2e/trust/sign_test.go                    |    62 +
 cli/experimental/README.md                    |    53 +
 cli/experimental/checkpoint-restore.md        |    88 +
 cli/experimental/docker-stacks-and-bundles.md |   202 +
 cli/experimental/images/ipvlan-l3.gliffy      |     1 +
 cli/experimental/images/ipvlan-l3.png         |   Bin 0 -> 18260 bytes
 cli/experimental/images/ipvlan-l3.svg         |     1 +
 .../images/ipvlan_l2_simple.gliffy            |     1 +
 cli/experimental/images/ipvlan_l2_simple.png  |   Bin 0 -> 20145 bytes
 cli/experimental/images/ipvlan_l2_simple.svg  |     1 +
 .../images/macvlan-bridge-ipvlan-l2.gliffy    |     1 +
 .../images/macvlan-bridge-ipvlan-l2.png       |   Bin 0 -> 14527 bytes
 .../images/macvlan-bridge-ipvlan-l2.svg       |     1 +
 .../images/multi_tenant_8021q_vlans.gliffy    |     1 +
 .../images/multi_tenant_8021q_vlans.png       |   Bin 0 -> 17879 bytes
 .../images/multi_tenant_8021q_vlans.svg       |     1 +
 .../images/vlans-deeper-look.gliffy           |     1 +
 cli/experimental/images/vlans-deeper-look.png |   Bin 0 -> 38837 bytes
 cli/experimental/images/vlans-deeper-look.svg |     1 +
 cli/experimental/vlan-networks.md             |   475 +
 cli/gometalinter.json                         |    42 +
 cli/internal/test/builders/config.go          |    68 +
 cli/internal/test/builders/container.go       |    79 +
 cli/internal/test/builders/doc.go             |     3 +
 cli/internal/test/builders/network.go         |    45 +
 cli/internal/test/builders/node.go            |   134 +
 cli/internal/test/builders/secret.go          |    70 +
 cli/internal/test/builders/service.go         |    74 +
 cli/internal/test/builders/swarm.go           |    39 +
 cli/internal/test/builders/task.go            |   160 +
 cli/internal/test/builders/volume.go          |    43 +
 cli/internal/test/cli.go                      |   169 +
 cli/internal/test/doc.go                      |     5 +
 cli/internal/test/environment/testenv.go      |    78 +
 cli/internal/test/network/client.go           |    57 +
 cli/internal/test/notary/client.go            |   543 +
 cli/internal/test/output/output.go            |    65 +
 cli/internal/test/store.go                    |    79 +
 cli/kubernetes/README.md                      |     4 +
 cli/kubernetes/check.go                       |    55 +
 cli/kubernetes/check_test.go                  |    51 +
 cli/kubernetes/client/clientset/clientset.go  |    96 +
 .../client/clientset/scheme/register.go       |    41 +
 .../typed/compose/v1beta1/compose_client.go   |    74 +
 .../clientset/typed/compose/v1beta1/stack.go  |   157 +
 .../typed/compose/v1beta2/compose_client.go   |    74 +
 .../clientset/typed/compose/v1beta2/stack.go  |   155 +
 .../client/informers/compose/interface.go     |    25 +
 .../informers/compose/v1beta2/interface.go    |    25 +
 .../client/informers/compose/v1beta2/stack.go |    51 +
 cli/kubernetes/client/informers/factory.go    |   101 +
 cli/kubernetes/client/informers/generic.go    |    44 +
 .../internalinterfaces/factory_interfaces.go  |    18 +
 .../compose/v1beta2/expansion_generated.go    |     9 +
 .../client/listers/compose/v1beta2/stack.go   |    78 +
 cli/kubernetes/compose/clone/maps.go          |    25 +
 cli/kubernetes/compose/clone/slices.go        |    11 +
 cli/kubernetes/compose/doc.go                 |     5 +
 .../impersonation/impersonationconfig.go      |    26 +
 cli/kubernetes/compose/v1beta1/doc.go         |    11 +
 cli/kubernetes/compose/v1beta1/owner.go       |    31 +
 cli/kubernetes/compose/v1beta1/parsing.go     |     4 +
 cli/kubernetes/compose/v1beta1/register.go    |    39 +
 cli/kubernetes/compose/v1beta1/stack.go       |    87 +
 cli/kubernetes/compose/v1beta1/stack_test.go  |     1 +
 .../v1beta2/composefile_stack_types.go        |    26 +
 cli/kubernetes/compose/v1beta2/doc.go         |     6 +
 cli/kubernetes/compose/v1beta2/owner.go       |    30 +
 cli/kubernetes/compose/v1beta2/register.go    |    42 +
 cli/kubernetes/compose/v1beta2/scale.go       |    29 +
 cli/kubernetes/compose/v1beta2/stack.go       |   256 +
 cli/kubernetes/config.go                      |    26 +
 cli/kubernetes/doc.go                         |     4 +
 cli/kubernetes/labels/labels.go               |    45 +
 cli/kubernetes/labels/labels_test.go          |    23 +
 cli/man/Dockerfile.5.md                       |   474 +
 cli/man/README.md                             |    15 +
 cli/man/docker-build.1.md                     |   359 +
 cli/man/docker-config-json.5.md               |    72 +
 cli/man/docker-run.1.md                       |  1126 +
 cli/man/docker.1.md                           |    70 +
 cli/man/dockerd.8.md                          |   839 +
 cli/man/generate.go                           |   108 +
 cli/man/import.go                             |     7 +
 cli/man/md2man-all.sh                         |    22 +
 cli/man/src/attach.md                         |     2 +
 cli/man/src/commit.md                         |     1 +
 cli/man/src/container/attach.md               |    66 +
 cli/man/src/container/commit.md               |    30 +
 cli/man/src/container/cp.md                   |   145 +
 cli/man/src/container/create-example.md       |    35 +
 cli/man/src/container/create.md               |    88 +
 cli/man/src/container/diff.md                 |    39 +
 cli/man/src/container/exec.md                 |    25 +
 cli/man/src/container/export.md               |    20 +
 cli/man/src/container/kill.md                 |     2 +
 cli/man/src/container/logs.md                 |    40 +
 cli/man/src/container/ls.md                   |   117 +
 cli/man/src/container/pause.md                |    12 +
 cli/man/src/container/port.md                 |    26 +
 cli/man/src/container/rename.md               |     1 +
 cli/man/src/container/restart.md              |     1 +
 cli/man/src/container/rm.md                   |    37 +
 cli/man/src/container/run.md                  |     1 +
 cli/man/src/container/start.md                |     1 +
 cli/man/src/container/stats.md                |    43 +
 cli/man/src/container/stop.md                 |     1 +
 cli/man/src/container/top.md                  |    11 +
 cli/man/src/container/unpause.md              |     6 +
 cli/man/src/container/update.md               |   102 +
 cli/man/src/container/wait.md                 |     8 +
 cli/man/src/cp.md                             |     1 +
 cli/man/src/create.md                         |     1 +
 cli/man/src/diff.md                           |     1 +
 cli/man/src/events.md                         |     1 +
 cli/man/src/exec.md                           |     1 +
 cli/man/src/export.md                         |     1 +
 cli/man/src/history.md                        |     1 +
 cli/man/src/image/build.md                    |     1 +
 cli/man/src/image/history.md                  |    54 +
 cli/man/src/image/import.md                   |    42 +
 cli/man/src/image/load.md                     |    25 +
 cli/man/src/image/ls.md                       |   118 +
 cli/man/src/image/pull.md                     |   189 +
 cli/man/src/image/push.md                     |    34 +
 cli/man/src/image/rm.md                       |    11 +
 cli/man/src/image/save.md                     |    19 +
 cli/man/src/image/tag.md                      |    54 +
 cli/man/src/images.md                         |     1 +
 cli/man/src/import.md                         |     1 +
 cli/man/src/info.md                           |     1 +
 cli/man/src/inspect.md                        |   286 +
 cli/man/src/kill.md                           |     1 +
 cli/man/src/load.md                           |     1 +
 cli/man/src/login.md                          |    22 +
 cli/man/src/logout.md                         |    13 +
 cli/man/src/logs.md                           |     1 +
 cli/man/src/network/connect.md                |    39 +
 cli/man/src/network/create.md                 |   177 +
 cli/man/src/network/disconnect.md             |     5 +
 cli/man/src/network/inspect.md                |   183 +
 cli/man/src/network/ls.md                     |   182 +
 cli/man/src/network/rm.md                     |    20 +
 cli/man/src/pause.md                          |     1 +
 cli/man/src/plugin/ls.md                      |    43 +
 cli/man/src/port.md                           |     1 +
 cli/man/src/ps.md                             |     1 +
 cli/man/src/pull.md                           |     1 +
 cli/man/src/push.md                           |     1 +
 cli/man/src/rename.md                         |     1 +
 cli/man/src/restart.md                        |     1 +
 cli/man/src/rm.md                             |     1 +
 cli/man/src/rmi.md                            |     1 +
 cli/man/src/save.md                           |     1 +
 cli/man/src/search.md                         |    36 +
 cli/man/src/start.md                          |     1 +
 cli/man/src/stats.md                          |     1 +
 cli/man/src/stop.md                           |     1 +
 cli/man/src/system/events.md                  |   134 +
 cli/man/src/system/info.md                    |   163 +
 cli/man/src/tag.md                            |     1 +
 cli/man/src/top.md                            |     1 +
 cli/man/src/unpause.md                        |     1 +
 cli/man/src/update.md                         |     1 +
 cli/man/src/version.md                        |    37 +
 cli/man/src/volume.md                         |    14 +
 cli/man/src/volume/create.md                  |    35 +
 cli/man/src/volume/inspect.md                 |     4 +
 cli/man/src/volume/ls.md                      |    11 +
 cli/man/src/wait.md                           |     1 +
 cli/opts/config.go                            |    98 +
 cli/opts/duration.go                          |    64 +
 cli/opts/duration_test.go                     |    30 +
 cli/opts/env.go                               |    46 +
 cli/opts/env_test.go                          |    42 +
 cli/opts/envfile.go                           |    22 +
 cli/opts/envfile_test.go                      |   141 +
 cli/opts/file.go                              |    71 +
 cli/opts/hosts.go                             |   165 +
 cli/opts/hosts_test.go                        |   181 +
 cli/opts/hosts_unix.go                        |     8 +
 cli/opts/hosts_windows.go                     |     6 +
 cli/opts/ip.go                                |    47 +
 cli/opts/ip_test.go                           |    54 +
 cli/opts/mount.go                             |   174 +
 cli/opts/mount_test.go                        |   185 +
 cli/opts/network.go                           |   106 +
 cli/opts/network_test.go                      |   100 +
 cli/opts/opts.go                              |   524 +
 cli/opts/opts_test.go                         |   308 +
 cli/opts/opts_unix.go                         |     6 +
 cli/opts/opts_windows.go                      |    56 +
 cli/opts/parse.go                             |    99 +
 cli/opts/port.go                              |   167 +
 cli/opts/port_test.go                         |   296 +
 cli/opts/quotedstring.go                      |    37 +
 cli/opts/quotedstring_test.go                 |    30 +
 cli/opts/runtime.go                           |    79 +
 cli/opts/secret.go                            |    98 +
 cli/opts/secret_test.go                       |    80 +
 cli/opts/throttledevice.go                    |   108 +
 cli/opts/ulimit.go                            |    57 +
 cli/opts/ulimit_test.go                       |    42 +
 cli/opts/weightdevice.go                      |    84 +
 cli/poule.yml                                 |    41 +
 cli/scripts/build/.variables                  |    26 +
 cli/scripts/build/binary                      |    14 +
 cli/scripts/build/cross                       |    33 +
 cli/scripts/build/dynbinary                   |    14 +
 cli/scripts/build/osx                         |    21 +
 cli/scripts/build/windows                     |    23 +
 cli/scripts/docs/generate-authors.sh          |    15 +
 cli/scripts/docs/generate-man.sh              |    14 +
 cli/scripts/docs/generate-yaml.sh             |     8 +
 cli/scripts/gen/windows-resources             |    44 +
 cli/scripts/make.ps1                          |   172 +
 cli/scripts/test/e2e/entry                    |    11 +
 cli/scripts/test/e2e/load-image               |    53 +
 cli/scripts/test/e2e/run                      |   104 +
 cli/scripts/test/e2e/wait-on-daemon           |     9 +
 cli/scripts/test/e2e/wrapper                  |    17 +
 cli/scripts/test/unit                         |     4 +
 cli/scripts/test/unit-with-coverage           |    19 +
 cli/scripts/validate/check-git-diff           |    17 +
 cli/scripts/validate/shellcheck               |     5 +
 cli/scripts/warn-outside-container            |    18 +
 cli/scripts/winresources/common.rc            |    38 +
 cli/scripts/winresources/docker.exe.manifest  |    18 +
 cli/scripts/winresources/docker.ico           |   Bin 0 -> 370070 bytes
 cli/scripts/winresources/docker.png           |   Bin 0 -> 658195 bytes
 cli/scripts/winresources/docker.rc            |     3 +
 cli/service/logs/parse_logs.go                |    39 +
 cli/service/logs/parse_logs_test.go           |    34 +
 cli/templates/templates.go                    |    84 +
 cli/templates/templates_test.go               |    89 +
 cli/vendor.conf                               |    96 +
 cli/vendor/github.com/Nvveen/Gotty/LICENSE    |    26 +
 cli/vendor/github.com/Nvveen/Gotty/README     |     5 +
 .../github.com/Nvveen/Gotty/attributes.go     |   514 +
 cli/vendor/github.com/Nvveen/Gotty/gotty.go   |   244 +
 cli/vendor/github.com/Nvveen/Gotty/parser.go  |   362 +
 cli/vendor/github.com/Nvveen/Gotty/types.go   |    23 +
 .../github.com/containerd/continuity/LICENSE  |   202 +
 .../containerd/continuity/README.md           |    74 +
 .../continuity/pathdriver/path_driver.go      |    85 +
 .../continuity/syscallx/syscall_unix.go       |    10 +
 .../continuity/syscallx/syscall_windows.go    |    96 +
 .../containerd/continuity/sysx/asm.s          |    10 +
 .../continuity/sysx/chmod_darwin.go           |    18 +
 .../continuity/sysx/chmod_darwin_386.go       |    25 +
 .../continuity/sysx/chmod_darwin_amd64.go     |    25 +
 .../continuity/sysx/chmod_freebsd.go          |    17 +
 .../continuity/sysx/chmod_freebsd_amd64.go    |    25 +
 .../containerd/continuity/sysx/chmod_linux.go |    12 +
 .../continuity/sysx/chmod_solaris.go          |    11 +
 .../containerd/continuity/sysx/file_posix.go  |   112 +
 .../continuity/sysx/nodata_linux.go           |     7 +
 .../continuity/sysx/nodata_solaris.go         |     8 +
 .../containerd/continuity/sysx/nodata_unix.go |     9 +
 .../containerd/continuity/sysx/sys.go         |    37 +
 .../containerd/continuity/sysx/xattr.go       |    67 +
 .../continuity/sysx/xattr_darwin.go           |    71 +
 .../continuity/sysx/xattr_darwin_386.go       |   111 +
 .../continuity/sysx/xattr_darwin_amd64.go     |   111 +
 .../continuity/sysx/xattr_freebsd.go          |    12 +
 .../containerd/continuity/sysx/xattr_linux.go |    44 +
 .../continuity/sysx/xattr_openbsd.go          |     7 +
 .../continuity/sysx/xattr_solaris.go          |    12 +
 .../continuity/sysx/xattr_unsupported.go      |    44 +
 .../containerd/continuity/vendor.conf         |    13 +
 .../gregjones/httpcache/LICENSE.txt           |     7 +
 .../github.com/gregjones/httpcache/README.md  |    24 +
 .../httpcache/diskcache/diskcache.go          |    61 +
 .../gregjones/httpcache/httpcache.go          |   557 +
 .../grpc-ecosystem/grpc-opentracing/LICENSE   |    27 +
 .../grpc-ecosystem/grpc-opentracing/PATENTS   |    23 +
 .../grpc-opentracing/README.rst               |    25 +
 .../grpc-opentracing/go/otgrpc/README.md      |    57 +
 .../grpc-opentracing/go/otgrpc/client.go      |   239 +
 .../grpc-opentracing/go/otgrpc/errors.go      |    69 +
 .../grpc-opentracing/go/otgrpc/options.go     |    76 +
 .../grpc-opentracing/go/otgrpc/package.go     |     5 +
 .../grpc-opentracing/go/otgrpc/server.go      |   141 +
 .../grpc-opentracing/go/otgrpc/shared.go      |    42 +
 .../grpc-opentracing/python/README.md         |     4 +
 .../python/examples/protos/command_line.proto |    15 +
 .../python/examples/protos/store.proto        |    37 +
 .../github.com/howeyc/gopass/LICENSE.txt      |    15 +
 cli/vendor/github.com/howeyc/gopass/README.md |    27 +
 cli/vendor/github.com/howeyc/gopass/pass.go   |    91 +
 .../github.com/howeyc/gopass/terminal.go      |    25 +
 cli/vendor/github.com/moby/buildkit/LICENSE   |   201 +
 cli/vendor/github.com/moby/buildkit/README.md |   274 +
 .../api/services/control/control.pb.go        |  4589 ++
 .../api/services/control/control.proto        |   121 +
 .../buildkit/api/services/control/generate.go |     3 +
 .../moby/buildkit/api/types/generate.go       |     3 +
 .../moby/buildkit/api/types/worker.pb.go      |   523 +
 .../moby/buildkit/api/types/worker.proto      |    16 +
 .../github.com/moby/buildkit/client/client.go |   132 +
 .../moby/buildkit/client/client_unix.go       |    19 +
 .../moby/buildkit/client/client_windows.go    |    24 +
 .../moby/buildkit/client/diskusage.go         |    73 +
 .../moby/buildkit/client/exporters.go         |     8 +
 .../github.com/moby/buildkit/client/graph.go  |    45 +
 .../moby/buildkit/client/llb/exec.go          |   409 +
 .../moby/buildkit/client/llb/marshal.go       |   112 +
 .../moby/buildkit/client/llb/meta.go          |   170 +
 .../moby/buildkit/client/llb/resolver.go      |    18 +
 .../moby/buildkit/client/llb/source.go        |   363 +
 .../moby/buildkit/client/llb/state.go         |   396 +
 .../github.com/moby/buildkit/client/prune.go  |    50 +
 .../github.com/moby/buildkit/client/solve.go  |   251 +
 .../moby/buildkit/client/workers.go           |    53 +
 .../moby/buildkit/identity/randomid.go        |    53 +
 .../moby/buildkit/session/auth/auth.go        |    26 +
 .../moby/buildkit/session/auth/auth.pb.go     |   673 +
 .../moby/buildkit/session/auth/auth.proto     |    19 +
 .../session/auth/authprovider/authprovider.go |    44 +
 .../moby/buildkit/session/auth/generate.go    |     3 +
 .../moby/buildkit/session/context.go          |    22 +
 .../buildkit/session/filesync/diffcopy.go     |   114 +
 .../buildkit/session/filesync/filesync.go     |   289 +
 .../buildkit/session/filesync/filesync.pb.go  |   644 +
 .../buildkit/session/filesync/filesync.proto  |    20 +
 .../buildkit/session/filesync/generate.go     |     3 +
 .../github.com/moby/buildkit/session/grpc.go  |    81 +
 .../moby/buildkit/session/grpchijack/dial.go  |   156 +
 .../buildkit/session/grpchijack/hijack.go     |    14 +
 .../moby/buildkit/session/manager.go          |   218 +
 .../moby/buildkit/session/session.go          |   143 +
 .../moby/buildkit/solver/pb/attr.go           |    17 +
 .../moby/buildkit/solver/pb/const.go          |    12 +
 .../moby/buildkit/solver/pb/generate.go       |     3 +
 .../moby/buildkit/solver/pb/ops.pb.go         |  4960 ++
 .../moby/buildkit/solver/pb/ops.proto         |   165 +
 .../moby/buildkit/solver/pb/platform.go       |    41 +
 .../buildkit/util/appcontext/appcontext.go    |    41 +
 .../util/appcontext/appcontext_unix.go        |    11 +
 .../util/appcontext/appcontext_windows.go     |     7 +
 .../util/appdefaults/appdefaults_unix.go      |    55 +
 .../util/appdefaults/appdefaults_windows.go   |    18 +
 .../util/progress/progressui/display.go       |   427 +
 .../util/progress/progressui/printer.go       |   248 +
 .../moby/buildkit/util/system/path_unix.go    |    14 +
 .../moby/buildkit/util/system/path_windows.go |    37 +
 .../buildkit/util/system/seccomp_linux.go     |    29 +
 .../buildkit/util/system/seccomp_nolinux.go   |     7 +
 .../buildkit/util/system/seccomp_noseccomp.go |     7 +
 .../github.com/moby/buildkit/vendor.conf      |    69 +
 cli/vendor/github.com/morikuni/aec/LICENSE    |    21 +
 cli/vendor/github.com/morikuni/aec/README.md  |   178 +
 cli/vendor/github.com/morikuni/aec/aec.go     |   137 +
 cli/vendor/github.com/morikuni/aec/ansi.go    |    59 +
 cli/vendor/github.com/morikuni/aec/builder.go |   388 +
 cli/vendor/github.com/morikuni/aec/sgr.go     |   202 +
 .../github.com/tonistiigi/fsutil/LICENSE      |    22 +
 .../tonistiigi/fsutil/chtimes_linux.go        |    20 +
 .../tonistiigi/fsutil/chtimes_nolinux.go      |    20 +
 .../github.com/tonistiigi/fsutil/diff.go      |    43 +
 .../tonistiigi/fsutil/diff_containerd.go      |   199 +
 .../fsutil/diff_containerd_linux.go           |    37 +
 .../tonistiigi/fsutil/diskwriter.go           |   340 +
 .../tonistiigi/fsutil/diskwriter_unix.go      |    51 +
 .../tonistiigi/fsutil/diskwriter_windows.go   |    17 +
 .../tonistiigi/fsutil/followlinks.go          |   150 +
 .../github.com/tonistiigi/fsutil/generate.go  |     3 +
 .../github.com/tonistiigi/fsutil/hardlinks.go |    46 +
 .../github.com/tonistiigi/fsutil/readme.md    |    45 +
 .../github.com/tonistiigi/fsutil/receive.go   |   269 +
 .../github.com/tonistiigi/fsutil/send.go      |   208 +
 .../github.com/tonistiigi/fsutil/stat.pb.go   |   931 +
 .../github.com/tonistiigi/fsutil/stat.proto   |    17 +
 .../github.com/tonistiigi/fsutil/validator.go |    92 +
 .../github.com/tonistiigi/fsutil/walker.go    |   246 +
 .../tonistiigi/fsutil/walker_unix.go          |    61 +
 .../tonistiigi/fsutil/walker_windows.go       |    14 +
 .../github.com/tonistiigi/fsutil/wire.pb.go   |   567 +
 .../github.com/tonistiigi/fsutil/wire.proto   |    19 +
 .../github.com/tonistiigi/units/LICENSE       |    21 +
 .../github.com/tonistiigi/units/bytes.go      |   125 +
 .../github.com/tonistiigi/units/readme.md     |    29 +
 cli/vendor/k8s.io/api/LICENSE                 |   202 +
 cli/vendor/k8s.io/api/README.md               |     1 +
 .../api/admissionregistration/v1alpha1/doc.go |    25 +
 .../v1alpha1/generated.pb.go                  |  2187 +
 .../v1alpha1/generated.proto                  |   196 +
 .../v1alpha1/register.go                      |    53 +
 .../admissionregistration/v1alpha1/types.go   |   219 +
 .../v1alpha1/types_swagger_doc_generated.go   |   132 +
 .../v1alpha1/zz_generated.deepcopy.go         |   363 +
 cli/vendor/k8s.io/api/apps/v1beta1/doc.go     |    20 +
 .../k8s.io/api/apps/v1beta1/generated.pb.go   |  4964 ++
 .../k8s.io/api/apps/v1beta1/generated.proto   |   457 +
 .../k8s.io/api/apps/v1beta1/register.go       |    58 +
 cli/vendor/k8s.io/api/apps/v1beta1/types.go   |   542 +
 .../v1beta1/types_swagger_doc_generated.go    |   259 +
 .../api/apps/v1beta1/zz_generated.deepcopy.go |   737 +
 cli/vendor/k8s.io/api/apps/v1beta2/doc.go     |    20 +
 .../k8s.io/api/apps/v1beta2/generated.pb.go   |  6934 +++
 .../k8s.io/api/apps/v1beta2/generated.proto   |   688 +
 .../k8s.io/api/apps/v1beta2/register.go       |    61 +
 cli/vendor/k8s.io/api/apps/v1beta2/types.go   |   820 +
 .../v1beta2/types_swagger_doc_generated.go    |   368 +
 .../api/apps/v1beta2/zz_generated.deepcopy.go |  1017 +
 .../k8s.io/api/authentication/v1/doc.go       |    20 +
 .../api/authentication/v1/generated.pb.go     |  1302 +
 .../api/authentication/v1/generated.proto     |    99 +
 .../k8s.io/api/authentication/v1/register.go  |    51 +
 .../k8s.io/api/authentication/v1/types.go     |   107 +
 .../v1/types_swagger_doc_generated.go         |    72 +
 .../v1/zz_generated.deepcopy.go               |   147 +
 .../k8s.io/api/authentication/v1beta1/doc.go  |    20 +
 .../authentication/v1beta1/generated.pb.go    |  1302 +
 .../authentication/v1beta1/generated.proto    |    99 +
 .../api/authentication/v1beta1/register.go    |    51 +
 .../api/authentication/v1beta1/types.go       |    92 +
 .../v1beta1/types_swagger_doc_generated.go    |    72 +
 .../v1beta1/zz_generated.deepcopy.go          |   147 +
 cli/vendor/k8s.io/api/authorization/v1/doc.go |    21 +
 .../api/authorization/v1/generated.pb.go      |  3498 ++
 .../api/authorization/v1/generated.proto      |   265 +
 .../k8s.io/api/authorization/v1/register.go   |    55 +
 .../k8s.io/api/authorization/v1/types.go      |   261 +
 .../v1/types_swagger_doc_generated.go         |   172 +
 .../authorization/v1/zz_generated.deepcopy.go |   445 +
 .../k8s.io/api/authorization/v1beta1/doc.go   |    21 +
 .../api/authorization/v1beta1/generated.pb.go |  3498 ++
 .../api/authorization/v1beta1/generated.proto |   265 +
 .../api/authorization/v1beta1/register.go     |    55 +
 .../k8s.io/api/authorization/v1beta1/types.go |   261 +
 .../v1beta1/types_swagger_doc_generated.go    |   172 +
 .../v1beta1/zz_generated.deepcopy.go          |   445 +
 cli/vendor/k8s.io/api/autoscaling/v1/doc.go   |    20 +
 .../k8s.io/api/autoscaling/v1/generated.pb.go |  3786 ++
 .../k8s.io/api/autoscaling/v1/generated.proto |   321 +
 .../k8s.io/api/autoscaling/v1/register.go     |    53 +
 cli/vendor/k8s.io/api/autoscaling/v1/types.go |   337 +
 .../v1/types_swagger_doc_generated.go         |   218 +
 .../autoscaling/v1/zz_generated.deepcopy.go   |   561 +
 .../k8s.io/api/autoscaling/v2beta1/doc.go     |    20 +
 .../api/autoscaling/v2beta1/generated.pb.go   |  3401 ++
 .../api/autoscaling/v2beta1/generated.proto   |   301 +
 .../api/autoscaling/v2beta1/register.go       |    52 +
 .../k8s.io/api/autoscaling/v2beta1/types.go   |   312 +
 .../v2beta1/types_swagger_doc_generated.go    |   189 +
 .../v2beta1/zz_generated.deepcopy.go          |   491 +
 cli/vendor/k8s.io/api/batch/v1/doc.go         |    20 +
 .../k8s.io/api/batch/v1/generated.pb.go       |  1615 +
 .../k8s.io/api/batch/v1/generated.proto       |   173 +
 cli/vendor/k8s.io/api/batch/v1/register.go    |    52 +
 cli/vendor/k8s.io/api/batch/v1/types.go       |   181 +
 .../batch/v1/types_swagger_doc_generated.go   |    94 +
 .../api/batch/v1/zz_generated.deepcopy.go     |   254 +
 cli/vendor/k8s.io/api/batch/v1beta1/doc.go    |    20 +
 .../k8s.io/api/batch/v1beta1/generated.pb.go  |  1509 +
 .../k8s.io/api/batch/v1beta1/generated.proto  |   135 +
 .../k8s.io/api/batch/v1beta1/register.go      |    53 +
 cli/vendor/k8s.io/api/batch/v1beta1/types.go  |   155 +
 .../v1beta1/types_swagger_doc_generated.go    |    96 +
 .../batch/v1beta1/zz_generated.deepcopy.go    |   258 +
 cli/vendor/k8s.io/api/batch/v2alpha1/doc.go   |    20 +
 .../k8s.io/api/batch/v2alpha1/generated.pb.go |  1510 +
 .../k8s.io/api/batch/v2alpha1/generated.proto |   133 +
 .../k8s.io/api/batch/v2alpha1/register.go     |    53 +
 cli/vendor/k8s.io/api/batch/v2alpha1/types.go |   153 +
 .../v2alpha1/types_swagger_doc_generated.go   |    96 +
 .../batch/v2alpha1/zz_generated.deepcopy.go   |   258 +
 .../k8s.io/api/certificates/v1beta1/doc.go    |    21 +
 .../api/certificates/v1beta1/generated.pb.go  |  1693 +
 .../api/certificates/v1beta1/generated.proto  |   122 +
 .../api/certificates/v1beta1/register.go      |    59 +
 .../k8s.io/api/certificates/v1beta1/types.go  |   155 +
 .../v1beta1/types_swagger_doc_generated.go    |    74 +
 .../v1beta1/zz_generated.deepcopy.go          |   207 +
 .../api/core/v1/annotation_key_constants.go   |    94 +
 cli/vendor/k8s.io/api/core/v1/doc.go          |    21 +
 cli/vendor/k8s.io/api/core/v1/generated.pb.go | 47534 ++++++++++++++++
 cli/vendor/k8s.io/api/core/v1/generated.proto |  4337 ++
 cli/vendor/k8s.io/api/core/v1/meta.go         |   108 +
 .../k8s.io/api/core/v1/objectreference.go     |    33 +
 cli/vendor/k8s.io/api/core/v1/register.go     |   102 +
 cli/vendor/k8s.io/api/core/v1/resource.go     |    63 +
 cli/vendor/k8s.io/api/core/v1/taint.go        |    33 +
 cli/vendor/k8s.io/api/core/v1/toleration.go   |    56 +
 cli/vendor/k8s.io/api/core/v1/types.go        |  4932 ++
 .../core/v1/types_swagger_doc_generated.go    |  2133 +
 .../api/core/v1/zz_generated.deepcopy.go      |  6351 +++
 .../k8s.io/api/extensions/v1beta1/doc.go      |    20 +
 .../api/extensions/v1beta1/generated.pb.go    | 12890 +++++
 .../api/extensions/v1beta1/generated.proto    |  1124 +
 .../k8s.io/api/extensions/v1beta1/register.go |    70 +
 .../k8s.io/api/extensions/v1beta1/types.go    |  1315 +
 .../v1beta1/types_swagger_doc_generated.go    |   667 +
 .../v1beta1/zz_generated.deepcopy.go          |  1965 +
 cli/vendor/k8s.io/api/networking/v1/doc.go    |    20 +
 .../k8s.io/api/networking/v1/generated.pb.go  |  1869 +
 .../k8s.io/api/networking/v1/generated.proto  |   190 +
 .../k8s.io/api/networking/v1/register.go      |    53 +
 cli/vendor/k8s.io/api/networking/v1/types.go  |   196 +
 .../v1/types_swagger_doc_generated.go         |   113 +
 .../networking/v1/zz_generated.deepcopy.go    |   331 +
 cli/vendor/k8s.io/api/policy/v1beta1/doc.go   |    23 +
 .../k8s.io/api/policy/v1beta1/generated.pb.go |  1454 +
 .../k8s.io/api/policy/v1beta1/generated.proto |   114 +
 .../k8s.io/api/policy/v1beta1/register.go     |    54 +
 cli/vendor/k8s.io/api/policy/v1beta1/types.go |   115 +
 .../v1beta1/types_swagger_doc_generated.go    |    83 +
 .../policy/v1beta1/zz_generated.deepcopy.go   |   227 +
 cli/vendor/k8s.io/api/rbac/v1/doc.go          |    21 +
 cli/vendor/k8s.io/api/rbac/v1/generated.pb.go |  2555 +
 cli/vendor/k8s.io/api/rbac/v1/generated.proto |   182 +
 cli/vendor/k8s.io/api/rbac/v1/register.go     |    58 +
 cli/vendor/k8s.io/api/rbac/v1/types.go        |   219 +
 .../rbac/v1/types_swagger_doc_generated.go    |   148 +
 .../api/rbac/v1/zz_generated.deepcopy.go      |   427 +
 cli/vendor/k8s.io/api/rbac/v1alpha1/doc.go    |    21 +
 .../k8s.io/api/rbac/v1alpha1/generated.pb.go  |  2556 +
 .../k8s.io/api/rbac/v1alpha1/generated.proto  |   184 +
 .../k8s.io/api/rbac/v1alpha1/register.go      |    58 +
 cli/vendor/k8s.io/api/rbac/v1alpha1/types.go  |   221 +
 .../v1alpha1/types_swagger_doc_generated.go   |   148 +
 .../rbac/v1alpha1/zz_generated.deepcopy.go    |   427 +
 cli/vendor/k8s.io/api/rbac/v1beta1/doc.go     |    21 +
 .../k8s.io/api/rbac/v1beta1/generated.pb.go   |  2555 +
 .../k8s.io/api/rbac/v1beta1/generated.proto   |   182 +
 .../k8s.io/api/rbac/v1beta1/register.go       |    58 +
 cli/vendor/k8s.io/api/rbac/v1beta1/types.go   |   219 +
 .../v1beta1/types_swagger_doc_generated.go    |   148 +
 .../api/rbac/v1beta1/zz_generated.deepcopy.go |   427 +
 .../k8s.io/api/scheduling/v1alpha1/doc.go     |    21 +
 .../api/scheduling/v1alpha1/generated.pb.go   |   641 +
 .../api/scheduling/v1alpha1/generated.proto   |    65 +
 .../api/scheduling/v1alpha1/register.go       |    52 +
 .../k8s.io/api/scheduling/v1alpha1/types.go   |    63 +
 .../v1alpha1/types_swagger_doc_generated.go   |    52 +
 .../v1alpha1/zz_generated.deepcopy.go         |   109 +
 .../k8s.io/api/settings/v1alpha1/doc.go       |    21 +
 .../api/settings/v1alpha1/generated.pb.go     |   930 +
 .../api/settings/v1alpha1/generated.proto     |    76 +
 .../k8s.io/api/settings/v1alpha1/register.go  |    52 +
 .../k8s.io/api/settings/v1alpha1/types.go     |    70 +
 .../v1alpha1/types_swagger_doc_generated.go   |    61 +
 .../v1alpha1/zz_generated.deepcopy.go         |   160 +
 cli/vendor/k8s.io/api/storage/v1/doc.go       |    20 +
 .../k8s.io/api/storage/v1/generated.pb.go     |   884 +
 .../k8s.io/api/storage/v1/generated.proto     |    78 +
 cli/vendor/k8s.io/api/storage/v1/register.go  |    53 +
 cli/vendor/k8s.io/api/storage/v1/types.go     |    76 +
 .../storage/v1/types_swagger_doc_generated.go |    54 +
 .../api/storage/v1/zz_generated.deepcopy.go   |   140 +
 cli/vendor/k8s.io/api/storage/v1beta1/doc.go  |    20 +
 .../api/storage/v1beta1/generated.pb.go       |   883 +
 .../api/storage/v1beta1/generated.proto       |    78 +
 .../k8s.io/api/storage/v1beta1/register.go    |    53 +
 .../k8s.io/api/storage/v1beta1/types.go       |    76 +
 .../v1beta1/types_swagger_doc_generated.go    |    54 +
 .../storage/v1beta1/zz_generated.deepcopy.go  |   140 +
 cli/vendor/k8s.io/apimachinery/LICENSE        |   202 +
 cli/vendor/k8s.io/apimachinery/README.md      |    29 +
 .../apimachinery/pkg/api/equality/semantic.go |    49 +
 .../k8s.io/apimachinery/pkg/api/errors/doc.go |    18 +
 .../apimachinery/pkg/api/errors/errors.go     |   545 +
 .../k8s.io/apimachinery/pkg/api/meta/doc.go   |    19 +
 .../apimachinery/pkg/api/meta/errors.go       |   105 +
 .../pkg/api/meta/firsthit_restmapper.go       |    97 +
 .../k8s.io/apimachinery/pkg/api/meta/help.go  |   205 +
 .../apimachinery/pkg/api/meta/interfaces.go   |   146 +
 .../k8s.io/apimachinery/pkg/api/meta/meta.go  |   636 +
 .../pkg/api/meta/multirestmapper.go           |   210 +
 .../apimachinery/pkg/api/meta/priority.go     |   222 +
 .../apimachinery/pkg/api/meta/restmapper.go   |   548 +
 .../apimachinery/pkg/api/meta/unstructured.go |    31 +
 .../apimachinery/pkg/api/resource/amount.go   |   299 +
 .../pkg/api/resource/generated.pb.go          |    77 +
 .../pkg/api/resource/generated.proto          |    94 +
 .../apimachinery/pkg/api/resource/math.go     |   314 +
 .../apimachinery/pkg/api/resource/quantity.go |   792 +
 .../pkg/api/resource/quantity_proto.go        |   284 +
 .../pkg/api/resource/scale_int.go             |    95 +
 .../apimachinery/pkg/api/resource/suffix.go   |   198 +
 .../apis/meta/internalversion/conversion.go   |    77 +
 .../pkg/apis/meta/internalversion/doc.go      |    19 +
 .../pkg/apis/meta/internalversion/register.go |   108 +
 .../pkg/apis/meta/internalversion/types.go    |    70 +
 .../zz_generated.conversion.go                |   113 +
 .../internalversion/zz_generated.deepcopy.go  |   126 +
 .../pkg/apis/meta/v1/controller_ref.go        |    54 +
 .../pkg/apis/meta/v1/conversion.go            |   282 +
 .../apimachinery/pkg/apis/meta/v1/doc.go      |    22 +
 .../apimachinery/pkg/apis/meta/v1/duration.go |    47 +
 .../pkg/apis/meta/v1/generated.pb.go          |  7871 +++
 .../pkg/apis/meta/v1/generated.proto          |   828 +
 .../pkg/apis/meta/v1/group_version.go         |   148 +
 .../apimachinery/pkg/apis/meta/v1/helpers.go  |   234 +
 .../apimachinery/pkg/apis/meta/v1/labels.go   |    75 +
 .../apimachinery/pkg/apis/meta/v1/meta.go     |   216 +
 .../pkg/apis/meta/v1/micro_time.go            |   184 +
 .../pkg/apis/meta/v1/micro_time_proto.go      |    72 +
 .../apimachinery/pkg/apis/meta/v1/register.go |    95 +
 .../apimachinery/pkg/apis/meta/v1/time.go     |   180 +
 .../pkg/apis/meta/v1/time_proto.go            |    92 +
 .../apimachinery/pkg/apis/meta/v1/types.go    |   931 +
 .../meta/v1/types_swagger_doc_generated.go    |   330 +
 .../apis/meta/v1/unstructured/unstructured.go |   862 +
 .../v1/unstructured/zz_generated.deepcopy.go  |    75 +
 .../apimachinery/pkg/apis/meta/v1/watch.go    |    89 +
 .../pkg/apis/meta/v1/zz_generated.deepcopy.go |  1096 +
 .../pkg/apis/meta/v1/zz_generated.defaults.go |    32 +
 .../pkg/apis/meta/v1alpha1/conversion.go      |    27 +
 .../pkg/apis/meta/v1alpha1/deepcopy.go        |    61 +
 .../pkg/apis/meta/v1alpha1/doc.go             |    22 +
 .../pkg/apis/meta/v1alpha1/generated.pb.go    |   633 +
 .../pkg/apis/meta/v1alpha1/generated.proto    |    58 +
 .../pkg/apis/meta/v1alpha1/register.go        |    57 +
 .../pkg/apis/meta/v1alpha1/types.go           |   161 +
 .../v1alpha1/types_swagger_doc_generated.go   |   104 +
 .../meta/v1alpha1/zz_generated.deepcopy.go    |   232 +
 .../meta/v1alpha1/zz_generated.defaults.go    |    32 +
 .../apimachinery/pkg/conversion/cloner.go     |   249 +
 .../apimachinery/pkg/conversion/converter.go  |   898 +
 .../apimachinery/pkg/conversion/deep_equal.go |    36 +
 .../k8s.io/apimachinery/pkg/conversion/doc.go |    24 +
 .../apimachinery/pkg/conversion/helper.go     |    39 +
 .../pkg/conversion/queryparams/convert.go     |   188 +
 .../pkg/conversion/queryparams/doc.go         |    19 +
 .../pkg/conversion/unstructured/converter.go  |   738 +
 .../pkg/conversion/unstructured/doc.go        |    19 +
 .../k8s.io/apimachinery/pkg/fields/doc.go     |    19 +
 .../k8s.io/apimachinery/pkg/fields/fields.go  |    62 +
 .../apimachinery/pkg/fields/requirements.go   |    30 +
 .../apimachinery/pkg/fields/selector.go       |   455 +
 .../k8s.io/apimachinery/pkg/labels/doc.go     |    19 +
 .../k8s.io/apimachinery/pkg/labels/labels.go  |   181 +
 .../apimachinery/pkg/labels/selector.go       |   879 +
 .../pkg/labels/zz_generated.deepcopy.go       |    59 +
 .../k8s.io/apimachinery/pkg/runtime/codec.go  |   316 +
 .../apimachinery/pkg/runtime/codec_check.go   |    48 +
 .../apimachinery/pkg/runtime/conversion.go    |   113 +
 .../k8s.io/apimachinery/pkg/runtime/doc.go    |    45 +
 .../apimachinery/pkg/runtime/embedded.go      |   142 +
 .../k8s.io/apimachinery/pkg/runtime/error.go  |   113 +
 .../apimachinery/pkg/runtime/extension.go     |    51 +
 .../apimachinery/pkg/runtime/generated.pb.go  |   773 +
 .../apimachinery/pkg/runtime/generated.proto  |   129 +
 .../k8s.io/apimachinery/pkg/runtime/helper.go |   212 +
 .../apimachinery/pkg/runtime/interfaces.go    |   256 +
 .../apimachinery/pkg/runtime/register.go      |    61 +
 .../pkg/runtime/schema/generated.pb.go        |    65 +
 .../pkg/runtime/schema/generated.proto        |    28 +
 .../pkg/runtime/schema/group_version.go       |   277 +
 .../pkg/runtime/schema/interfaces.go          |    40 +
 .../k8s.io/apimachinery/pkg/runtime/scheme.go |   569 +
 .../pkg/runtime/scheme_builder.go             |    48 +
 .../pkg/runtime/serializer/codec_factory.go   |   237 +
 .../pkg/runtime/serializer/json/json.go       |   277 +
 .../pkg/runtime/serializer/json/meta.go       |    63 +
 .../runtime/serializer/negotiated_codec.go    |    43 +
 .../pkg/runtime/serializer/protobuf/doc.go    |    18 +
 .../runtime/serializer/protobuf/protobuf.go   |   448 +
 .../runtime/serializer/protobuf_extension.go  |    48 +
 .../serializer/recognizer/recognizer.go       |   127 +
 .../runtime/serializer/streaming/streaming.go |   137 +
 .../serializer/versioning/versioning.go       |   273 +
 .../pkg/runtime/swagger_doc_generator.go      |   262 +
 .../k8s.io/apimachinery/pkg/runtime/types.go  |   137 +
 .../apimachinery/pkg/runtime/types_proto.go   |    69 +
 .../pkg/runtime/zz_generated.deepcopy.go      |   139 +
 .../apimachinery/pkg/selection/operator.go    |    33 +
 .../k8s.io/apimachinery/pkg/types/doc.go      |    18 +
 .../apimachinery/pkg/types/namespacedname.go  |    60 +
 .../k8s.io/apimachinery/pkg/types/nodename.go |    43 +
 .../k8s.io/apimachinery/pkg/types/patch.go    |    28 +
 .../k8s.io/apimachinery/pkg/types/uid.go      |    22 +
 .../apimachinery/pkg/util/cache/cache.go      |    83 +
 .../pkg/util/cache/lruexpirecache.go          |   102 +
 .../apimachinery/pkg/util/clock/clock.go      |   327 +
 .../k8s.io/apimachinery/pkg/util/diff/diff.go |   280 +
 .../apimachinery/pkg/util/errors/doc.go       |    18 +
 .../apimachinery/pkg/util/errors/errors.go    |   201 +
 .../apimachinery/pkg/util/framer/framer.go    |   167 +
 .../pkg/util/intstr/generated.pb.go           |   381 +
 .../pkg/util/intstr/generated.proto           |    43 +
 .../apimachinery/pkg/util/intstr/intstr.go    |   177 +
 .../k8s.io/apimachinery/pkg/util/json/json.go |   119 +
 .../k8s.io/apimachinery/pkg/util/net/http.go  |   429 +
 .../apimachinery/pkg/util/net/interface.go    |   392 +
 .../apimachinery/pkg/util/net/port_range.go   |   113 +
 .../apimachinery/pkg/util/net/port_split.go   |    77 +
 .../k8s.io/apimachinery/pkg/util/net/util.go  |    56 +
 .../apimachinery/pkg/util/runtime/runtime.go  |   161 +
 .../k8s.io/apimachinery/pkg/util/sets/byte.go |   203 +
 .../k8s.io/apimachinery/pkg/util/sets/doc.go  |    20 +
 .../apimachinery/pkg/util/sets/empty.go       |    23 +
 .../k8s.io/apimachinery/pkg/util/sets/int.go  |   203 +
 .../apimachinery/pkg/util/sets/int64.go       |   203 +
 .../apimachinery/pkg/util/sets/string.go      |   203 +
 .../pkg/util/validation/field/errors.go       |   254 +
 .../pkg/util/validation/field/path.go         |    91 +
 .../pkg/util/validation/validation.go         |   391 +
 .../k8s.io/apimachinery/pkg/util/wait/doc.go  |    19 +
 .../k8s.io/apimachinery/pkg/util/wait/wait.go |   385 +
 .../apimachinery/pkg/util/yaml/decoder.go     |   346 +
 .../k8s.io/apimachinery/pkg/version/doc.go    |    19 +
 .../k8s.io/apimachinery/pkg/version/types.go  |    37 +
 .../k8s.io/apimachinery/pkg/watch/doc.go      |    19 +
 .../k8s.io/apimachinery/pkg/watch/filter.go   |   109 +
 .../k8s.io/apimachinery/pkg/watch/mux.go      |   264 +
 .../apimachinery/pkg/watch/streamwatcher.go   |   119 +
 .../k8s.io/apimachinery/pkg/watch/until.go    |    87 +
 .../k8s.io/apimachinery/pkg/watch/watch.go    |   270 +
 .../pkg/watch/zz_generated.deepcopy.go        |    59 +
 .../forked/golang/reflect/deep_equal.go       |   388 +
 cli/vendor/k8s.io/client-go/LICENSE           |   202 +
 cli/vendor/k8s.io/client-go/README.md         |   157 +
 .../client-go/discovery/discovery_client.go   |   458 +
 .../k8s.io/client-go/discovery/helper.go      |   121 +
 .../k8s.io/client-go/discovery/restmapper.go  |   331 +
 .../client-go/discovery/unstructured.go       |    95 +
 .../k8s.io/client-go/kubernetes/clientset.go  |   532 +
 cli/vendor/k8s.io/client-go/kubernetes/doc.go |    20 +
 .../k8s.io/client-go/kubernetes/import.go     |    19 +
 .../k8s.io/client-go/kubernetes/scheme/doc.go |    20 +
 .../client-go/kubernetes/scheme/register.go   |    99 +
 .../v1alpha1/admissionregistration_client.go  |    93 +
 .../admissionregistration/v1alpha1/doc.go     |    20 +
 .../externaladmissionhookconfiguration.go     |   145 +
 .../v1alpha1/generated_expansion.go           |    21 +
 .../v1alpha1/initializerconfiguration.go      |   145 +
 .../typed/apps/v1beta1/apps_client.go         |   103 +
 .../typed/apps/v1beta1/controllerrevision.go  |   155 +
 .../typed/apps/v1beta1/deployment.go          |   172 +
 .../kubernetes/typed/apps/v1beta1/doc.go      |    20 +
 .../typed/apps/v1beta1/generated_expansion.go |    25 +
 .../kubernetes/typed/apps/v1beta1/scale.go    |    46 +
 .../typed/apps/v1beta1/statefulset.go         |   172 +
 .../typed/apps/v1beta2/apps_client.go         |   113 +
 .../typed/apps/v1beta2/controllerrevision.go  |   155 +
 .../typed/apps/v1beta2/daemonset.go           |   172 +
 .../typed/apps/v1beta2/deployment.go          |   172 +
 .../kubernetes/typed/apps/v1beta2/doc.go      |    20 +
 .../typed/apps/v1beta2/generated_expansion.go |    29 +
 .../typed/apps/v1beta2/replicaset.go          |   172 +
 .../kubernetes/typed/apps/v1beta2/scale.go    |    46 +
 .../typed/apps/v1beta2/statefulset.go         |   203 +
 .../v1/authentication_client.go               |    88 +
 .../kubernetes/typed/authentication/v1/doc.go |    20 +
 .../authentication/v1/generated_expansion.go  |    17 +
 .../typed/authentication/v1/tokenreview.go    |    44 +
 .../v1/tokenreview_expansion.go               |    35 +
 .../v1beta1/authentication_client.go          |    88 +
 .../typed/authentication/v1beta1/doc.go       |    20 +
 .../v1beta1/generated_expansion.go            |    17 +
 .../authentication/v1beta1/tokenreview.go     |    44 +
 .../v1beta1/tokenreview_expansion.go          |    35 +
 .../authorization/v1/authorization_client.go  |   103 +
 .../kubernetes/typed/authorization/v1/doc.go  |    20 +
 .../authorization/v1/generated_expansion.go   |    17 +
 .../v1/localsubjectaccessreview.go            |    46 +
 .../v1/localsubjectaccessreview_expansion.go  |    36 +
 .../v1/selfsubjectaccessreview.go             |    44 +
 .../v1/selfsubjectaccessreview_expansion.go   |    35 +
 .../v1/selfsubjectrulesreview.go              |    44 +
 .../v1/selfsubjectrulesreview_expansion.go    |    35 +
 .../authorization/v1/subjectaccessreview.go   |    44 +
 .../v1/subjectaccessreview_expansion.go       |    36 +
 .../v1beta1/authorization_client.go           |   103 +
 .../typed/authorization/v1beta1/doc.go        |    20 +
 .../v1beta1/generated_expansion.go            |    17 +
 .../v1beta1/localsubjectaccessreview.go       |    46 +
 .../localsubjectaccessreview_expansion.go     |    36 +
 .../v1beta1/selfsubjectaccessreview.go        |    44 +
 .../selfsubjectaccessreview_expansion.go      |    35 +
 .../v1beta1/selfsubjectrulesreview.go         |    44 +
 .../selfsubjectrulesreview_expansion.go       |    35 +
 .../v1beta1/subjectaccessreview.go            |    44 +
 .../v1beta1/subjectaccessreview_expansion.go  |    36 +
 .../autoscaling/v1/autoscaling_client.go      |    88 +
 .../kubernetes/typed/autoscaling/v1/doc.go    |    20 +
 .../autoscaling/v1/generated_expansion.go     |    19 +
 .../autoscaling/v1/horizontalpodautoscaler.go |   172 +
 .../autoscaling/v2beta1/autoscaling_client.go |    88 +
 .../typed/autoscaling/v2beta1/doc.go          |    20 +
 .../v2beta1/generated_expansion.go            |    19 +
 .../v2beta1/horizontalpodautoscaler.go        |   172 +
 .../kubernetes/typed/batch/v1/batch_client.go |    88 +
 .../kubernetes/typed/batch/v1/doc.go          |    20 +
 .../typed/batch/v1/generated_expansion.go     |    19 +
 .../kubernetes/typed/batch/v1/job.go          |   172 +
 .../typed/batch/v1beta1/batch_client.go       |    88 +
 .../kubernetes/typed/batch/v1beta1/cronjob.go |   172 +
 .../kubernetes/typed/batch/v1beta1/doc.go     |    20 +
 .../batch/v1beta1/generated_expansion.go      |    19 +
 .../typed/batch/v2alpha1/batch_client.go      |    88 +
 .../typed/batch/v2alpha1/cronjob.go           |   172 +
 .../kubernetes/typed/batch/v2alpha1/doc.go    |    20 +
 .../batch/v2alpha1/generated_expansion.go     |    19 +
 .../v1beta1/certificates_client.go            |    88 +
 .../v1beta1/certificatesigningrequest.go      |   161 +
 .../certificatesigningrequest_expansion.go    |    37 +
 .../typed/certificates/v1beta1/doc.go         |    20 +
 .../v1beta1/generated_expansion.go            |    17 +
 .../typed/core/v1/componentstatus.go          |   145 +
 .../kubernetes/typed/core/v1/configmap.go     |   155 +
 .../kubernetes/typed/core/v1/core_client.go   |   163 +
 .../client-go/kubernetes/typed/core/v1/doc.go |    20 +
 .../kubernetes/typed/core/v1/endpoints.go     |   155 +
 .../kubernetes/typed/core/v1/event.go         |   155 +
 .../typed/core/v1/event_expansion.go          |   164 +
 .../typed/core/v1/generated_expansion.go      |    39 +
 .../kubernetes/typed/core/v1/limitrange.go    |   155 +
 .../kubernetes/typed/core/v1/namespace.go     |   161 +
 .../typed/core/v1/namespace_expansion.go      |    31 +
 .../kubernetes/typed/core/v1/node.go          |   161 +
 .../typed/core/v1/node_expansion.go           |    43 +
 .../typed/core/v1/persistentvolume.go         |   161 +
 .../typed/core/v1/persistentvolumeclaim.go    |   172 +
 .../client-go/kubernetes/typed/core/v1/pod.go |   172 +
 .../kubernetes/typed/core/v1/pod_expansion.go |    45 +
 .../kubernetes/typed/core/v1/podtemplate.go   |   155 +
 .../typed/core/v1/replicationcontroller.go    |   204 +
 .../kubernetes/typed/core/v1/resourcequota.go |   172 +
 .../kubernetes/typed/core/v1/secret.go        |   155 +
 .../kubernetes/typed/core/v1/service.go       |   172 +
 .../typed/core/v1/service_expansion.go        |    41 +
 .../typed/core/v1/serviceaccount.go           |   155 +
 .../typed/extensions/v1beta1/daemonset.go     |   172 +
 .../typed/extensions/v1beta1/deployment.go    |   203 +
 .../v1beta1/deployment_expansion.go           |    29 +
 .../typed/extensions/v1beta1/doc.go           |    20 +
 .../extensions/v1beta1/extensions_client.go   |   118 +
 .../extensions/v1beta1/generated_expansion.go |    27 +
 .../typed/extensions/v1beta1/ingress.go       |   172 +
 .../extensions/v1beta1/podsecuritypolicy.go   |   145 +
 .../typed/extensions/v1beta1/replicaset.go    |   203 +
 .../typed/extensions/v1beta1/scale.go         |    46 +
 .../extensions/v1beta1/scale_expansion.go     |    65 +
 .../extensions/v1beta1/thirdpartyresource.go  |   145 +
 .../kubernetes/typed/networking/v1/doc.go     |    20 +
 .../networking/v1/generated_expansion.go      |    19 +
 .../typed/networking/v1/networking_client.go  |    88 +
 .../typed/networking/v1/networkpolicy.go      |   155 +
 .../kubernetes/typed/policy/v1beta1/doc.go    |    20 +
 .../typed/policy/v1beta1/eviction.go          |    46 +
 .../policy/v1beta1/eviction_expansion.go      |    38 +
 .../policy/v1beta1/generated_expansion.go     |    19 +
 .../policy/v1beta1/poddisruptionbudget.go     |   172 +
 .../typed/policy/v1beta1/policy_client.go     |    93 +
 .../kubernetes/typed/rbac/v1/clusterrole.go   |   145 +
 .../typed/rbac/v1/clusterrolebinding.go       |   145 +
 .../client-go/kubernetes/typed/rbac/v1/doc.go |    20 +
 .../typed/rbac/v1/generated_expansion.go      |    25 +
 .../kubernetes/typed/rbac/v1/rbac_client.go   |   103 +
 .../kubernetes/typed/rbac/v1/role.go          |   155 +
 .../kubernetes/typed/rbac/v1/rolebinding.go   |   155 +
 .../typed/rbac/v1alpha1/clusterrole.go        |   145 +
 .../typed/rbac/v1alpha1/clusterrolebinding.go |   145 +
 .../kubernetes/typed/rbac/v1alpha1/doc.go     |    20 +
 .../rbac/v1alpha1/generated_expansion.go      |    25 +
 .../typed/rbac/v1alpha1/rbac_client.go        |   103 +
 .../kubernetes/typed/rbac/v1alpha1/role.go    |   155 +
 .../typed/rbac/v1alpha1/rolebinding.go        |   155 +
 .../typed/rbac/v1beta1/clusterrole.go         |   145 +
 .../typed/rbac/v1beta1/clusterrolebinding.go  |   145 +
 .../kubernetes/typed/rbac/v1beta1/doc.go      |    20 +
 .../typed/rbac/v1beta1/generated_expansion.go |    25 +
 .../typed/rbac/v1beta1/rbac_client.go         |   103 +
 .../kubernetes/typed/rbac/v1beta1/role.go     |   155 +
 .../typed/rbac/v1beta1/rolebinding.go         |   155 +
 .../typed/scheduling/v1alpha1/doc.go          |    20 +
 .../v1alpha1/generated_expansion.go           |    19 +
 .../scheduling/v1alpha1/priorityclass.go      |   145 +
 .../scheduling/v1alpha1/scheduling_client.go  |    88 +
 .../kubernetes/typed/settings/v1alpha1/doc.go |    20 +
 .../settings/v1alpha1/generated_expansion.go  |    19 +
 .../typed/settings/v1alpha1/podpreset.go      |   155 +
 .../settings/v1alpha1/settings_client.go      |    88 +
 .../kubernetes/typed/storage/v1/doc.go        |    20 +
 .../typed/storage/v1/generated_expansion.go   |    19 +
 .../typed/storage/v1/storage_client.go        |    88 +
 .../typed/storage/v1/storageclass.go          |   145 +
 .../kubernetes/typed/storage/v1beta1/doc.go   |    20 +
 .../storage/v1beta1/generated_expansion.go    |    19 +
 .../typed/storage/v1beta1/storage_client.go   |    88 +
 .../typed/storage/v1beta1/storageclass.go     |   145 +
 .../k8s.io/client-go/pkg/version/base.go      |    63 +
 .../k8s.io/client-go/pkg/version/doc.go       |    20 +
 .../k8s.io/client-go/pkg/version/version.go   |    42 +
 cli/vendor/k8s.io/client-go/rest/client.go    |   258 +
 cli/vendor/k8s.io/client-go/rest/config.go    |   424 +
 cli/vendor/k8s.io/client-go/rest/plugin.go    |    73 +
 cli/vendor/k8s.io/client-go/rest/request.go   |  1095 +
 cli/vendor/k8s.io/client-go/rest/transport.go |   101 +
 cli/vendor/k8s.io/client-go/rest/url_utils.go |    90 +
 .../k8s.io/client-go/rest/urlbackoff.go       |   107 +
 cli/vendor/k8s.io/client-go/rest/versions.go  |    88 +
 .../k8s.io/client-go/rest/watch/decoder.go    |    72 +
 .../k8s.io/client-go/rest/watch/encoder.go    |    56 +
 .../client-go/rest/zz_generated.deepcopy.go   |    69 +
 .../k8s.io/client-go/testing/actions.go       |   528 +
 cli/vendor/k8s.io/client-go/testing/fake.go   |   259 +
 .../k8s.io/client-go/testing/fixture.go       |   464 +
 .../k8s.io/client-go/tools/auth/clientauth.go |   125 +
 .../client-go/tools/cache/controller.go       |   394 +
 .../client-go/tools/cache/delta_fifo.go       |   681 +
 .../k8s.io/client-go/tools/cache/doc.go       |    24 +
 .../client-go/tools/cache/expiration_cache.go |   208 +
 .../tools/cache/expiration_cache_fakes.go     |    54 +
 .../tools/cache/fake_custom_store.go          |   102 +
 .../k8s.io/client-go/tools/cache/fifo.go      |   358 +
 .../k8s.io/client-go/tools/cache/heap.go      |   323 +
 .../k8s.io/client-go/tools/cache/index.go     |    87 +
 .../k8s.io/client-go/tools/cache/listers.go   |   160 +
 .../k8s.io/client-go/tools/cache/listwatch.go |   173 +
 .../client-go/tools/cache/mutation_cache.go   |   261 +
 .../tools/cache/mutation_detector.go          |   133 +
 .../k8s.io/client-go/tools/cache/reflector.go |   442 +
 .../tools/cache/reflector_metrics.go          |   119 +
 .../client-go/tools/cache/shared_informer.go  |   576 +
 .../k8s.io/client-go/tools/cache/store.go     |   244 +
 .../tools/cache/thread_safe_store.go          |   306 +
 .../client-go/tools/cache/undelta_store.go    |    83 +
 .../client-go/tools/clientcmd/api/doc.go      |    18 +
 .../client-go/tools/clientcmd/api/helpers.go  |   183 +
 .../tools/clientcmd/api/latest/latest.go      |    66 +
 .../client-go/tools/clientcmd/api/register.go |    46 +
 .../client-go/tools/clientcmd/api/types.go    |   186 +
 .../tools/clientcmd/api/v1/conversion.go      |   227 +
 .../client-go/tools/clientcmd/api/v1/doc.go   |    18 +
 .../tools/clientcmd/api/v1/register.go        |    56 +
 .../client-go/tools/clientcmd/api/v1/types.go |   171 +
 .../clientcmd/api/v1/zz_generated.deepcopy.go |   358 +
 .../clientcmd/api/zz_generated.deepcopy.go    |   309 +
 .../client-go/tools/clientcmd/auth_loaders.go |   106 +
 .../tools/clientcmd/client_config.go          |   549 +
 .../client-go/tools/clientcmd/config.go       |   472 +
 .../k8s.io/client-go/tools/clientcmd/doc.go   |    37 +
 .../k8s.io/client-go/tools/clientcmd/flag.go  |    49 +
 .../client-go/tools/clientcmd/helpers.go      |    35 +
 .../client-go/tools/clientcmd/loader.go       |   612 +
 .../tools/clientcmd/merged_client_builder.go  |   169 +
 .../client-go/tools/clientcmd/overrides.go    |   247 +
 .../client-go/tools/clientcmd/validation.go   |   275 +
 .../k8s.io/client-go/tools/metrics/metrics.go |    61 +
 .../k8s.io/client-go/tools/pager/pager.go     |   118 +
 .../k8s.io/client-go/tools/reference/ref.go   |   122 +
 .../k8s.io/client-go/transport/cache.go       |    92 +
 .../k8s.io/client-go/transport/config.go      |   105 +
 .../client-go/transport/round_trippers.go     |   455 +
 .../k8s.io/client-go/transport/transport.go   |   141 +
 cli/vendor/k8s.io/client-go/util/cert/cert.go |   215 +
 cli/vendor/k8s.io/client-go/util/cert/csr.go  |    75 +
 cli/vendor/k8s.io/client-go/util/cert/io.go   |   164 +
 cli/vendor/k8s.io/client-go/util/cert/pem.go  |   269 +
 .../client-go/util/flowcontrol/backoff.go     |   149 +
 .../client-go/util/flowcontrol/throttle.go    |   148 +
 .../k8s.io/client-go/util/homedir/homedir.go  |    47 +
 .../k8s.io/client-go/util/integer/integer.go  |    67 +
 cli/vendor/k8s.io/kube-openapi/LICENSE        |   202 +
 cli/vendor/k8s.io/kube-openapi/README.md      |    14 +
 .../k8s.io/kube-openapi/pkg/common/common.go  |   167 +
 .../k8s.io/kube-openapi/pkg/common/doc.go     |    19 +
 cli/vendor/k8s.io/kubernetes/LICENSE          |   202 +
 cli/vendor/k8s.io/kubernetes/README.md        |    86 +
 cli/vendor/k8s.io/kubernetes/build/README.md  |   112 +
 .../k8s.io/kubernetes/build/pause/orphan.c    |    36 +
 .../k8s.io/kubernetes/build/pause/pause.c     |    51 +
 .../k8s.io/kubernetes/pkg/api/v1/pod/util.go  |   296 +
 .../google/protobuf/compiler/plugin.proto     |   150 +
 .../protobuf/google/protobuf/descriptor.proto |   779 +
 cli/vendor/vbom.ml/util/LICENSE               |    17 +
 cli/vendor/vbom.ml/util/README.md             |     5 +
 cli/vendor/vbom.ml/util/sortorder/README.md   |     5 +
 cli/vendor/vbom.ml/util/sortorder/doc.go      |     5 +
 cli/vendor/vbom.ml/util/sortorder/natsort.go  |    76 +
 components.conf                               |     9 +
 engine/.DEREK.yml                             |    17 +
 engine/.dockerignore                          |     7 +
 engine/.mailmap                               |   491 +
 engine/AUTHORS                                |  1984 +
 engine/CHANGELOG.md                           |  3609 ++
 engine/CONTRIBUTING.md                        |   458 +
 engine/Dockerfile                             |   240 +
 engine/Dockerfile.e2e                         |    74 +
 engine/Dockerfile.simple                      |    62 +
 engine/Dockerfile.windows                     |   256 +
 engine/LICENSE                                |   191 +
 engine/MAINTAINERS                            |   486 +
 engine/Makefile                               |   208 +
 engine/NOTICE                                 |    19 +
 engine/README.md                              |    57 +
 engine/ROADMAP.md                             |    68 +
 engine/TESTING.md                             |    89 +
 engine/VENDORING.md                           |    46 +
 engine/api/README.md                          |    42 +
 engine/api/common.go                          |    11 +
 engine/api/common_unix.go                     |     6 +
 engine/api/common_windows.go                  |     8 +
 engine/api/server/backend/build/backend.go    |   136 +
 engine/api/server/backend/build/tag.go        |    77 +
 engine/api/server/httputils/decoder.go        |    16 +
 engine/api/server/httputils/errors.go         |   131 +
 engine/api/server/httputils/form.go           |    76 +
 engine/api/server/httputils/form_test.go      |   105 +
 engine/api/server/httputils/httputils.go      |   100 +
 engine/api/server/httputils/httputils_test.go |    18 +
 .../server/httputils/httputils_write_json.go  |    15 +
 .../api/server/httputils/write_log_stream.go  |    84 +
 engine/api/server/middleware.go               |    24 +
 engine/api/server/middleware/cors.go          |    37 +
 engine/api/server/middleware/debug.go         |    94 +
 engine/api/server/middleware/debug_test.go    |    59 +
 engine/api/server/middleware/experimental.go  |    28 +
 engine/api/server/middleware/middleware.go    |    12 +
 engine/api/server/middleware/version.go       |    65 +
 engine/api/server/middleware/version_test.go  |    92 +
 engine/api/server/router/build/backend.go     |    24 +
 engine/api/server/router/build/build.go       |    30 +
 .../api/server/router/build/build_routes.go   |   409 +
 .../api/server/router/checkpoint/backend.go   |    10 +
 .../server/router/checkpoint/checkpoint.go    |    36 +
 .../router/checkpoint/checkpoint_routes.go    |    65 +
 engine/api/server/router/container/backend.go |    83 +
 .../api/server/router/container/container.go  |    70 +
 .../router/container/container_routes.go      |   661 +
 engine/api/server/router/container/copy.go    |   140 +
 engine/api/server/router/container/exec.go    |   149 +
 engine/api/server/router/container/inspect.go |    21 +
 engine/api/server/router/debug/debug.go       |    53 +
 .../api/server/router/debug/debug_routes.go   |    12 +
 .../api/server/router/distribution/backend.go |    15 +
 .../router/distribution/distribution.go       |    31 +
 .../distribution/distribution_routes.go       |   138 +
 engine/api/server/router/experimental.go      |    68 +
 engine/api/server/router/image/backend.go     |    41 +
 engine/api/server/router/image/image.go       |    44 +
 .../api/server/router/image/image_routes.go   |   324 +
 engine/api/server/router/local.go             |   104 +
 engine/api/server/router/network/backend.go   |    32 +
 engine/api/server/router/network/filter.go    |    93 +
 .../api/server/router/network/filter_test.go  |   149 +
 engine/api/server/router/network/network.go   |    43 +
 .../server/router/network/network_routes.go   |   597 +
 engine/api/server/router/plugin/backend.go    |    27 +
 engine/api/server/router/plugin/plugin.go     |    39 +
 .../api/server/router/plugin/plugin_routes.go |   310 +
 engine/api/server/router/router.go            |    19 +
 engine/api/server/router/session/backend.go   |    11 +
 engine/api/server/router/session/session.go   |    29 +
 .../server/router/session/session_routes.go   |    16 +
 engine/api/server/router/swarm/backend.go     |    48 +
 engine/api/server/router/swarm/cluster.go     |    63 +
 .../api/server/router/swarm/cluster_routes.go |   494 +
 engine/api/server/router/swarm/helpers.go     |    66 +
 engine/api/server/router/system/backend.go    |    28 +
 engine/api/server/router/system/system.go     |    44 +
 .../api/server/router/system/system_routes.go |   230 +
 engine/api/server/router/volume/backend.go    |    20 +
 engine/api/server/router/volume/volume.go     |    36 +
 .../api/server/router/volume/volume_routes.go |    96 +
 engine/api/server/router_swapper.go           |    30 +
 engine/api/server/server.go                   |   209 +
 engine/api/server/server_test.go              |    45 +
 engine/api/swagger-gen.yaml                   |    12 +
 engine/api/swagger.yaml                       | 10136 ++++
 engine/api/templates/server/operation.gotmpl  |    26 +
 engine/api/types/auth.go                      |    22 +
 engine/api/types/backend/backend.go           |   128 +
 engine/api/types/backend/build.go             |    45 +
 engine/api/types/blkiodev/blkio.go            |    23 +
 engine/api/types/client.go                    |   406 +
 engine/api/types/configs.go                   |    57 +
 engine/api/types/container/config.go          |    69 +
 .../api/types/container/container_changes.go  |    21 +
 .../api/types/container/container_create.go   |    21 +
 engine/api/types/container/container_top.go   |    21 +
 .../api/types/container/container_update.go   |    17 +
 engine/api/types/container/container_wait.go  |    29 +
 engine/api/types/container/host_config.go     |   412 +
 engine/api/types/container/hostconfig_unix.go |    41 +
 .../api/types/container/hostconfig_windows.go |    40 +
 engine/api/types/container/waitcondition.go   |    22 +
 engine/api/types/error_response.go            |    13 +
 engine/api/types/events/events.go             |    52 +
 engine/api/types/filters/example_test.go      |    24 +
 engine/api/types/filters/parse.go             |   350 +
 engine/api/types/filters/parse_test.go        |   423 +
 engine/api/types/graph_driver_data.go         |    17 +
 engine/api/types/id_response.go               |    13 +
 engine/api/types/image/image_history.go       |    37 +
 .../api/types/image_delete_response_item.go   |    15 +
 engine/api/types/image_summary.go             |    49 +
 engine/api/types/mount/mount.go               |   130 +
 engine/api/types/network/network.go           |   108 +
 engine/api/types/plugin.go                    |   203 +
 engine/api/types/plugin_device.go             |    25 +
 engine/api/types/plugin_env.go                |    25 +
 engine/api/types/plugin_interface_type.go     |    21 +
 engine/api/types/plugin_mount.go              |    37 +
 engine/api/types/plugin_responses.go          |    71 +
 .../api/types/plugins/logdriver/entry.pb.go   |   449 +
 .../api/types/plugins/logdriver/entry.proto   |     8 +
 engine/api/types/plugins/logdriver/gen.go     |     3 +
 engine/api/types/plugins/logdriver/io.go      |    87 +
 engine/api/types/port.go                      |    23 +
 engine/api/types/registry/authenticate.go     |    21 +
 engine/api/types/registry/registry.go         |   119 +
 engine/api/types/seccomp.go                   |    93 +
 engine/api/types/service_update_response.go   |    12 +
 engine/api/types/stats.go                     |   181 +
 engine/api/types/strslice/strslice.go         |    30 +
 engine/api/types/strslice/strslice_test.go    |    86 +
 engine/api/types/swarm/common.go              |    40 +
 engine/api/types/swarm/config.go              |    35 +
 engine/api/types/swarm/container.go           |    74 +
 engine/api/types/swarm/network.go             |   121 +
 engine/api/types/swarm/node.go                |   115 +
 engine/api/types/swarm/runtime.go             |    27 +
 engine/api/types/swarm/runtime/gen.go         |     3 +
 engine/api/types/swarm/runtime/plugin.pb.go   |   712 +
 engine/api/types/swarm/runtime/plugin.proto   |    20 +
 engine/api/types/swarm/secret.go              |    36 +
 engine/api/types/swarm/service.go             |   124 +
 engine/api/types/swarm/swarm.go               |   217 +
 engine/api/types/swarm/task.go                |   191 +
 engine/api/types/time/duration_convert.go     |    12 +
 .../api/types/time/duration_convert_test.go   |    26 +
 engine/api/types/time/timestamp.go            |   129 +
 engine/api/types/time/timestamp_test.go       |    93 +
 engine/api/types/types.go                     |   602 +
 engine/api/types/versions/README.md           |    14 +
 engine/api/types/versions/compare.go          |    62 +
 engine/api/types/versions/compare_test.go     |    26 +
 engine/api/types/versions/v1p19/types.go      |    35 +
 engine/api/types/versions/v1p20/types.go      |    40 +
 engine/api/types/volume.go                    |    69 +
 engine/api/types/volume/volume_create.go      |    29 +
 engine/api/types/volume/volume_list.go        |    23 +
 .../adapters/containerimage/pull.go           |   733 +
 .../builder-next/adapters/snapshot/layer.go   |   113 +
 .../adapters/snapshot/snapshot.go             |   467 +
 engine/builder/builder-next/builder.go        |   419 +
 engine/builder/builder-next/controller.go     |   154 +
 engine/builder/builder-next/executor_unix.go  |    17 +
 .../builder/builder-next/executor_windows.go  |    21 +
 .../builder/builder-next/exporter/export.go   |   146 +
 .../builder/builder-next/exporter/writer.go   |   177 +
 engine/builder/builder-next/reqbodyhandler.go |    67 +
 engine/builder/builder-next/worker/worker.go  |   331 +
 engine/builder/builder.go                     |   115 +
 engine/builder/dockerfile/buildargs.go        |   172 +
 engine/builder/dockerfile/buildargs_test.go   |   102 +
 engine/builder/dockerfile/builder.go          |   437 +
 engine/builder/dockerfile/builder_unix.go     |     7 +
 engine/builder/dockerfile/builder_windows.go  |     8 +
 engine/builder/dockerfile/clientsession.go    |    76 +
 engine/builder/dockerfile/containerbackend.go |   146 +
 engine/builder/dockerfile/copy.go             |   567 +
 engine/builder/dockerfile/copy_test.go        |   148 +
 engine/builder/dockerfile/copy_unix.go        |    48 +
 engine/builder/dockerfile/copy_windows.go     |    43 +
 engine/builder/dockerfile/dispatchers.go      |   585 +
 engine/builder/dockerfile/dispatchers_test.go |   552 +
 engine/builder/dockerfile/dispatchers_unix.go |    23 +
 .../dockerfile/dispatchers_unix_test.go       |    34 +
 .../builder/dockerfile/dispatchers_windows.go |    95 +
 .../dockerfile/dispatchers_windows_test.go    |    46 +
 engine/builder/dockerfile/evaluator.go        |   250 +
 engine/builder/dockerfile/evaluator_test.go   |   144 +
 engine/builder/dockerfile/imagecontext.go     |   122 +
 engine/builder/dockerfile/imageprobe.go       |    63 +
 engine/builder/dockerfile/internals.go        |   496 +
 engine/builder/dockerfile/internals_linux.go  |    88 +
 .../dockerfile/internals_linux_test.go        |   138 +
 engine/builder/dockerfile/internals_test.go   |   173 +
 .../builder/dockerfile/internals_windows.go   |     7 +
 .../dockerfile/internals_windows_test.go      |    53 +
 engine/builder/dockerfile/metrics.go          |    44 +
 engine/builder/dockerfile/mockbackend_test.go |   148 +
 engine/builder/dockerfile/utils_test.go       |    50 +
 engine/builder/dockerignore/dockerignore.go   |    64 +
 .../builder/dockerignore/dockerignore_test.go |    69 +
 engine/builder/fscache/fscache.go             |   652 +
 engine/builder/fscache/fscache_test.go        |   132 +
 engine/builder/fscache/naivedriver.go         |    28 +
 engine/builder/remotecontext/archive.go       |   125 +
 engine/builder/remotecontext/detect.go        |   180 +
 engine/builder/remotecontext/detect_test.go   |   123 +
 engine/builder/remotecontext/filehash.go      |    45 +
 engine/builder/remotecontext/generate.go      |     3 +
 engine/builder/remotecontext/git.go           |    35 +
 engine/builder/remotecontext/git/gitutils.go  |   204 +
 .../remotecontext/git/gitutils_test.go        |   278 +
 engine/builder/remotecontext/lazycontext.go   |   102 +
 engine/builder/remotecontext/mimetype.go      |    27 +
 engine/builder/remotecontext/mimetype_test.go |    16 +
 engine/builder/remotecontext/remote.go        |   127 +
 engine/builder/remotecontext/remote_test.go   |   242 +
 engine/builder/remotecontext/tarsum.go        |   157 +
 engine/builder/remotecontext/tarsum.pb.go     |   525 +
 engine/builder/remotecontext/tarsum.proto     |     7 +
 engine/builder/remotecontext/tarsum_test.go   |   151 +
 engine/builder/remotecontext/utils_test.go    |    55 +
 engine/cli/cobra.go                           |   131 +
 engine/cli/config/configdir.go                |    25 +
 engine/cli/debug/debug.go                     |    26 +
 engine/cli/debug/debug_test.go                |    43 +
 engine/cli/error.go                           |    33 +
 engine/cli/required.go                        |    27 +
 engine/client/README.md                       |    35 +
 engine/client/build_cancel.go                 |    21 +
 engine/client/build_prune.go                  |    30 +
 engine/client/checkpoint_create.go            |    14 +
 engine/client/checkpoint_create_test.go       |    73 +
 engine/client/checkpoint_delete.go            |    20 +
 engine/client/checkpoint_delete_test.go       |    54 +
 engine/client/checkpoint_list.go              |    28 +
 engine/client/checkpoint_list_test.go         |    68 +
 engine/client/client.go                       |   402 +
 engine/client/client_mock_test.go             |    53 +
 engine/client/client_test.go                  |   321 +
 engine/client/client_unix.go                  |     9 +
 engine/client/client_windows.go               |     7 +
 engine/client/config_create.go                |    25 +
 engine/client/config_create_test.go           |    70 +
 engine/client/config_inspect.go               |    36 +
 engine/client/config_inspect_test.go          |   103 +
 engine/client/config_list.go                  |    38 +
 engine/client/config_list_test.go             |   107 +
 engine/client/config_remove.go                |    13 +
 engine/client/config_remove_test.go           |    60 +
 engine/client/config_update.go                |    21 +
 engine/client/config_update_test.go           |    61 +
 engine/client/container_attach.go             |    57 +
 engine/client/container_commit.go             |    55 +
 engine/client/container_commit_test.go        |    96 +
 engine/client/container_copy.go               |   101 +
 engine/client/container_copy_test.go          |   273 +
 engine/client/container_create.go             |    56 +
 engine/client/container_create_test.go        |   118 +
 engine/client/container_diff.go               |    23 +
 engine/client/container_diff_test.go          |    61 +
 engine/client/container_exec.go               |    54 +
 engine/client/container_exec_test.go          |   156 +
 engine/client/container_export.go             |    19 +
 engine/client/container_export_test.go        |    49 +
 engine/client/container_inspect.go            |    53 +
 engine/client/container_inspect_test.go       |   138 +
 engine/client/container_kill.go               |    16 +
 engine/client/container_kill_test.go          |    45 +
 engine/client/container_list.go               |    56 +
 engine/client/container_list_test.go          |    96 +
 engine/client/container_logs.go               |    80 +
 engine/client/container_logs_test.go          |   166 +
 engine/client/container_pause.go              |    10 +
 engine/client/container_pause_test.go         |    40 +
 engine/client/container_prune.go              |    36 +
 engine/client/container_prune_test.go         |   125 +
 engine/client/container_remove.go             |    27 +
 engine/client/container_remove_test.go        |    66 +
 engine/client/container_rename.go             |    15 +
 engine/client/container_rename_test.go        |    45 +
 engine/client/container_resize.go             |    29 +
 engine/client/container_resize_test.go        |    82 +
 engine/client/container_restart.go            |    22 +
 engine/client/container_restart_test.go       |    47 +
 engine/client/container_start.go              |    23 +
 engine/client/container_start_test.go         |    57 +
 engine/client/container_stats.go              |    26 +
 engine/client/container_stats_test.go         |    69 +
 engine/client/container_stop.go               |    26 +
 engine/client/container_stop_test.go          |    47 +
 engine/client/container_top.go                |    28 +
 engine/client/container_top_test.go           |    74 +
 engine/client/container_unpause.go            |    10 +
 engine/client/container_unpause_test.go       |    40 +
 engine/client/container_update.go             |    22 +
 engine/client/container_update_test.go        |    58 +
 engine/client/container_wait.go               |    83 +
 engine/client/container_wait_test.go          |    73 +
 engine/client/disk_usage.go                   |    26 +
 engine/client/disk_usage_test.go              |    55 +
 engine/client/distribution_inspect.go         |    38 +
 engine/client/distribution_inspect_test.go    |    32 +
 engine/client/errors.go                       |   132 +
 engine/client/events.go                       |   101 +
 engine/client/events_test.go                  |   164 +
 engine/client/hijack.go                       |   129 +
 engine/client/hijack_test.go                  |   103 +
 engine/client/image_build.go                  |   138 +
 engine/client/image_build_test.go             |   232 +
 engine/client/image_create.go                 |    37 +
 engine/client/image_create_test.go            |    75 +
 engine/client/image_history.go                |    22 +
 engine/client/image_history_test.go           |    60 +
 engine/client/image_import.go                 |    40 +
 engine/client/image_import_test.go            |    81 +
 engine/client/image_inspect.go                |    32 +
 engine/client/image_inspect_test.go           |    84 +
 engine/client/image_list.go                   |    45 +
 engine/client/image_list_test.go              |   159 +
 engine/client/image_load.go                   |    29 +
 engine/client/image_load_test.go              |    94 +
 engine/client/image_prune.go                  |    36 +
 engine/client/image_prune_test.go             |   120 +
 engine/client/image_pull.go                   |    64 +
 engine/client/image_pull_test.go              |   198 +
 engine/client/image_push.go                   |    55 +
 engine/client/image_push_test.go              |   179 +
 engine/client/image_remove.go                 |    31 +
 engine/client/image_remove_test.go            |   105 +
 engine/client/image_save.go                   |    21 +
 engine/client/image_save_test.go              |    56 +
 engine/client/image_search.go                 |    51 +
 engine/client/image_search_test.go            |   164 +
 engine/client/image_tag.go                    |    37 +
 engine/client/image_tag_test.go               |   142 +
 engine/client/info.go                         |    26 +
 engine/client/info_test.go                    |    76 +
 engine/client/interface.go                    |   198 +
 engine/client/interface_experimental.go       |    18 +
 engine/client/interface_stable.go             |    10 +
 engine/client/login.go                        |    29 +
 engine/client/network_connect.go              |    19 +
 engine/client/network_connect_test.go         |   110 +
 engine/client/network_create.go               |    25 +
 engine/client/network_create_test.go          |    72 +
 engine/client/network_disconnect.go           |    15 +
 engine/client/network_disconnect_test.go      |    64 +
 engine/client/network_inspect.go              |    49 +
 engine/client/network_inspect_test.go         |   118 +
 engine/client/network_list.go                 |    31 +
 engine/client/network_list_test.go            |   108 +
 engine/client/network_prune.go                |    36 +
 engine/client/network_prune_test.go           |   113 +
 engine/client/network_remove.go               |    10 +
 engine/client/network_remove_test.go          |    46 +
 engine/client/node_inspect.go                 |    32 +
 engine/client/node_inspect_test.go            |    78 +
 engine/client/node_list.go                    |    36 +
 engine/client/node_list_test.go               |    94 +
 engine/client/node_remove.go                  |    20 +
 engine/client/node_remove_test.go             |    68 +
 engine/client/node_update.go                  |    18 +
 engine/client/node_update_test.go             |    48 +
 engine/client/ping.go                         |    32 +
 engine/client/ping_test.go                    |    83 +
 engine/client/plugin_create.go                |    26 +
 engine/client/plugin_disable.go               |    19 +
 engine/client/plugin_disable_test.go          |    48 +
 engine/client/plugin_enable.go                |    19 +
 engine/client/plugin_enable_test.go           |    48 +
 engine/client/plugin_inspect.go               |    31 +
 engine/client/plugin_inspect_test.go          |    67 +
 engine/client/plugin_install.go               |   113 +
 engine/client/plugin_list.go                  |    32 +
 engine/client/plugin_list_test.go             |   107 +
 engine/client/plugin_push.go                  |    16 +
 engine/client/plugin_push_test.go             |    50 +
 engine/client/plugin_remove.go                |    20 +
 engine/client/plugin_remove_test.go           |    48 +
 engine/client/plugin_set.go                   |    12 +
 engine/client/plugin_set_test.go              |    46 +
 engine/client/plugin_upgrade.go               |    39 +
 engine/client/request.go                      |   259 +
 engine/client/request_test.go                 |    89 +
 engine/client/secret_create.go                |    25 +
 engine/client/secret_create_test.go           |    70 +
 engine/client/secret_inspect.go               |    36 +
 engine/client/secret_inspect_test.go          |    92 +
 engine/client/secret_list.go                  |    38 +
 engine/client/secret_list_test.go             |   107 +
 engine/client/secret_remove.go                |    13 +
 engine/client/secret_remove_test.go           |    60 +
 engine/client/secret_update.go                |    21 +
 engine/client/secret_update_test.go           |    61 +
 engine/client/service_create.go               |   166 +
 engine/client/service_create_test.go          |   211 +
 engine/client/service_inspect.go              |    37 +
 engine/client/service_inspect_test.go         |    79 +
 engine/client/service_list.go                 |    35 +
 engine/client/service_list_test.go            |    94 +
 engine/client/service_logs.go                 |    52 +
 engine/client/service_logs_test.go            |   135 +
 engine/client/service_remove.go               |    10 +
 engine/client/service_remove_test.go          |    57 +
 engine/client/service_update.go               |    92 +
 engine/client/service_update_test.go          |    76 +
 engine/client/session.go                      |    18 +
 engine/client/swarm_get_unlock_key.go         |    21 +
 engine/client/swarm_get_unlock_key_test.go    |    59 +
 engine/client/swarm_init.go                   |    21 +
 engine/client/swarm_init_test.go              |    53 +
 engine/client/swarm_inspect.go                |    21 +
 engine/client/swarm_inspect_test.go           |    56 +
 engine/client/swarm_join.go                   |    14 +
 engine/client/swarm_join_test.go              |    50 +
 engine/client/swarm_leave.go                  |    17 +
 engine/client/swarm_leave_test.go             |    65 +
 engine/client/swarm_unlock.go                 |    14 +
 engine/client/swarm_unlock_test.go            |    48 +
 engine/client/swarm_update.go                 |    22 +
 engine/client/swarm_update_test.go            |    48 +
 engine/client/task_inspect.go                 |    32 +
 engine/client/task_inspect_test.go            |    67 +
 engine/client/task_list.go                    |    35 +
 engine/client/task_list_test.go               |    94 +
 engine/client/task_logs.go                    |    51 +
 engine/client/testdata/ca.pem                 |    18 +
 engine/client/testdata/cert.pem               |    18 +
 engine/client/testdata/key.pem                |    27 +
 engine/client/transport.go                    |    17 +
 engine/client/utils.go                        |    34 +
 engine/client/version.go                      |    21 +
 engine/client/volume_create.go                |    21 +
 engine/client/volume_create_test.go           |    75 +
 engine/client/volume_inspect.go               |    38 +
 engine/client/volume_inspect_test.go          |    79 +
 engine/client/volume_list.go                  |    32 +
 engine/client/volume_list_test.go             |    98 +
 engine/client/volume_prune.go                 |    36 +
 engine/client/volume_remove.go                |    21 +
 engine/client/volume_remove_test.go           |    46 +
 engine/cmd/dockerd/README.md                  |     3 +
 engine/cmd/dockerd/config.go                  |    99 +
 engine/cmd/dockerd/config_common_unix.go      |    34 +
 engine/cmd/dockerd/config_unix.go             |    50 +
 engine/cmd/dockerd/config_unix_test.go        |    23 +
 engine/cmd/dockerd/config_windows.go          |    26 +
 engine/cmd/dockerd/daemon.go                  |   638 +
 engine/cmd/dockerd/daemon_freebsd.go          |     9 +
 engine/cmd/dockerd/daemon_linux.go            |    13 +
 engine/cmd/dockerd/daemon_test.go             |   182 +
 engine/cmd/dockerd/daemon_unix.go             |   117 +
 engine/cmd/dockerd/daemon_unix_test.go        |    99 +
 engine/cmd/dockerd/daemon_windows.go          |    85 +
 engine/cmd/dockerd/docker.go                  |    74 +
 engine/cmd/dockerd/docker_unix.go             |     8 +
 engine/cmd/dockerd/docker_windows.go          |    38 +
 .../dockerd/hack/malformed_host_override.go   |   121 +
 .../hack/malformed_host_override_test.go      |   124 +
 engine/cmd/dockerd/metrics.go                 |    27 +
 engine/cmd/dockerd/options.go                 |   122 +
 engine/cmd/dockerd/options_test.go            |    44 +
 engine/cmd/dockerd/service_unsupported.go     |    10 +
 engine/cmd/dockerd/service_windows.go         |   430 +
 engine/codecov.yml                            |    17 +
 engine/container/archive.go                   |    86 +
 engine/container/container.go                 |   720 +
 engine/container/container_unit_test.go       |   126 +
 engine/container/container_unix.go            |   463 +
 engine/container/container_windows.go         |   213 +
 engine/container/env.go                       |    43 +
 engine/container/env_test.go                  |    24 +
 engine/container/health.go                    |    82 +
 engine/container/history.go                   |    30 +
 engine/container/memory_store.go              |    95 +
 engine/container/memory_store_test.go         |   106 +
 engine/container/monitor.go                   |    46 +
 engine/container/mounts_unix.go               |    12 +
 engine/container/mounts_windows.go            |     8 +
 engine/container/state.go                     |   409 +
 engine/container/state_test.go                |   192 +
 engine/container/store.go                     |    28 +
 engine/container/stream/attach.go             |   175 +
 engine/container/stream/streams.go            |   146 +
 engine/container/view.go                      |   494 +
 engine/container/view_test.go                 |   186 +
 engine/contrib/README.md                      |     4 +
 engine/contrib/REVIEWERS                      |     1 +
 engine/contrib/apparmor/main.go               |    56 +
 engine/contrib/apparmor/template.go           |   268 +
 engine/contrib/check-config.sh                |   360 +
 engine/contrib/desktop-integration/README.md  |    11 +
 .../desktop-integration/chromium/Dockerfile   |    36 +
 .../desktop-integration/gparted/Dockerfile    |    31 +
 engine/contrib/docker-device-tool/README.md   |    14 +
 .../contrib/docker-device-tool/device_tool.go |   167 +
 .../docker-device-tool/device_tool_windows.go |     4 +
 .../contrib/docker-machine-install-bundle.sh  |   111 +
 engine/contrib/dockerize-disk.sh              |   118 +
 engine/contrib/download-frozen-image-v1.sh    |   108 +
 engine/contrib/download-frozen-image-v2.sh    |   345 +
 engine/contrib/editorconfig                   |    13 +
 engine/contrib/gitdm/aliases                  |   148 +
 engine/contrib/gitdm/domain-map               |    47 +
 engine/contrib/gitdm/generate_aliases.sh      |    16 +
 engine/contrib/gitdm/gitdm.config             |    17 +
 engine/contrib/httpserver/Dockerfile          |     4 +
 engine/contrib/httpserver/server.go           |    12 +
 engine/contrib/init/openrc/docker.confd       |    23 +
 engine/contrib/init/openrc/docker.initd       |    24 +
 engine/contrib/init/systemd/REVIEWERS         |     3 +
 engine/contrib/init/systemd/docker.service    |    34 +
 .../contrib/init/systemd/docker.service.rpm   |    33 +
 engine/contrib/init/systemd/docker.socket     |    12 +
 engine/contrib/init/sysvinit-debian/docker    |   156 +
 .../init/sysvinit-debian/docker.default       |    20 +
 engine/contrib/init/sysvinit-redhat/docker    |   153 +
 .../init/sysvinit-redhat/docker.sysconfig     |     7 +
 engine/contrib/init/upstart/REVIEWERS         |     2 +
 engine/contrib/init/upstart/docker.conf       |    72 +
 engine/contrib/mac-install-bundle.sh          |    45 +
 engine/contrib/mkimage-alpine.sh              |    90 +
 engine/contrib/mkimage-arch-pacman.conf       |    92 +
 engine/contrib/mkimage-arch.sh                |   126 +
 engine/contrib/mkimage-archarm-pacman.conf    |    98 +
 engine/contrib/mkimage-crux.sh                |    75 +
 engine/contrib/mkimage-pld.sh                 |    73 +
 engine/contrib/mkimage-yum.sh                 |   136 +
 engine/contrib/mkimage.sh                     |   120 +
 engine/contrib/mkimage/.febootstrap-minimize  |    28 +
 engine/contrib/mkimage/busybox-static         |    34 +
 engine/contrib/mkimage/debootstrap            |   251 +
 engine/contrib/mkimage/mageia-urpmi           |    61 +
 engine/contrib/mkimage/rinse                  |    25 +
 engine/contrib/nnp-test/Dockerfile            |     9 +
 engine/contrib/nnp-test/nnp-test.c            |    10 +
 engine/contrib/nuke-graph-directory.sh        |    64 +
 engine/contrib/report-issue.sh                |   105 +
 engine/contrib/syntax/nano/Dockerfile.nanorc  |    26 +
 engine/contrib/syntax/nano/README.md          |    32 +
 .../Preferences/Dockerfile.tmPreferences      |    24 +
 .../Syntaxes/Dockerfile.tmLanguage            |   160 +
 .../textmate/Docker.tmbundle/info.plist       |    16 +
 engine/contrib/syntax/textmate/README.md      |    17 +
 engine/contrib/syntax/textmate/REVIEWERS      |     1 +
 engine/contrib/syntax/vim/LICENSE             |    22 +
 engine/contrib/syntax/vim/README.md           |    26 +
 engine/contrib/syntax/vim/doc/dockerfile.txt  |    18 +
 .../syntax/vim/ftdetect/dockerfile.vim        |     1 +
 .../contrib/syntax/vim/syntax/dockerfile.vim  |    31 +
 engine/contrib/syscall-test/Dockerfile        |    15 +
 engine/contrib/syscall-test/acct.c            |    16 +
 engine/contrib/syscall-test/exit32.s          |     7 +
 engine/contrib/syscall-test/ns.c              |    63 +
 engine/contrib/syscall-test/raw.c             |    14 +
 engine/contrib/syscall-test/setgid.c          |    11 +
 engine/contrib/syscall-test/setuid.c          |    11 +
 engine/contrib/syscall-test/socket.c          |    30 +
 engine/contrib/syscall-test/userns.c          |    63 +
 engine/contrib/udev/80-docker.rules           |     3 +
 engine/contrib/vagrant-docker/README.md       |    50 +
 engine/daemon/apparmor_default.go             |    36 +
 engine/daemon/apparmor_default_unsupported.go |     7 +
 engine/daemon/archive.go                      |   449 +
 engine/daemon/archive_tarcopyoptions.go       |    15 +
 engine/daemon/archive_tarcopyoptions_unix.go  |    25 +
 .../daemon/archive_tarcopyoptions_windows.go  |    10 +
 engine/daemon/archive_unix.go                 |    31 +
 engine/daemon/archive_windows.go              |    39 +
 engine/daemon/attach.go                       |   187 +
 engine/daemon/auth.go                         |    13 +
 engine/daemon/bindmount_unix.go               |     5 +
 engine/daemon/caps/utils.go                   |   139 +
 engine/daemon/changes.go                      |    34 +
 engine/daemon/checkpoint.go                   |   143 +
 engine/daemon/cluster.go                      |    26 +
 engine/daemon/cluster/cluster.go              |   450 +
 engine/daemon/cluster/configs.go              |   118 +
 .../cluster/controllers/plugin/controller.go  |   261 +
 .../controllers/plugin/controller_test.go     |   390 +
 engine/daemon/cluster/convert/config.go       |    78 +
 engine/daemon/cluster/convert/container.go    |   398 +
 engine/daemon/cluster/convert/network.go      |   240 +
 engine/daemon/cluster/convert/network_test.go |    34 +
 engine/daemon/cluster/convert/node.go         |    94 +
 engine/daemon/cluster/convert/secret.go       |    80 +
 engine/daemon/cluster/convert/service.go      |   639 +
 engine/daemon/cluster/convert/service_test.go |   308 +
 engine/daemon/cluster/convert/swarm.go        |   147 +
 engine/daemon/cluster/convert/task.go         |    69 +
 engine/daemon/cluster/errors.go               |    61 +
 engine/daemon/cluster/executor/backend.go     |    76 +
 .../cluster/executor/container/adapter.go     |   475 +
 .../cluster/executor/container/attachment.go  |    74 +
 .../cluster/executor/container/container.go   |   680 +
 .../executor/container/container_test.go      |    37 +
 .../cluster/executor/container/controller.go  |   692 +
 .../cluster/executor/container/errors.go      |    17 +
 .../cluster/executor/container/executor.go    |   293 +
 .../cluster/executor/container/health_test.go |   100 +
 .../cluster/executor/container/validate.go    |    40 +
 .../executor/container/validate_test.go       |   142 +
 .../executor/container/validate_unix_test.go  |     8 +
 .../container/validate_windows_test.go        |     8 +
 engine/daemon/cluster/filters.go              |   123 +
 engine/daemon/cluster/filters_test.go         |   102 +
 engine/daemon/cluster/helpers.go              |   246 +
 engine/daemon/cluster/listen_addr.go          |   301 +
 engine/daemon/cluster/listen_addr_linux.go    |    89 +
 engine/daemon/cluster/listen_addr_others.go   |     9 +
 engine/daemon/cluster/networks.go             |   316 +
 engine/daemon/cluster/noderunner.go           |   388 +
 engine/daemon/cluster/nodes.go                |   105 +
 engine/daemon/cluster/provider/network.go     |    37 +
 engine/daemon/cluster/secrets.go              |   118 +
 engine/daemon/cluster/services.go             |   602 +
 engine/daemon/cluster/swarm.go                |   569 +
 engine/daemon/cluster/tasks.go                |    87 +
 engine/daemon/cluster/utils.go                |    63 +
 engine/daemon/commit.go                       |   186 +
 engine/daemon/config/config.go                |   567 +
 engine/daemon/config/config_common_unix.go    |    71 +
 .../daemon/config/config_common_unix_test.go  |    84 +
 engine/daemon/config/config_test.go           |   518 +
 engine/daemon/config/config_unix.go           |    87 +
 engine/daemon/config/config_unix_test.go      |   134 +
 engine/daemon/config/config_windows.go        |    57 +
 engine/daemon/config/config_windows_test.go   |    60 +
 engine/daemon/config/opts.go                  |    22 +
 engine/daemon/configs.go                      |    21 +
 engine/daemon/configs_linux.go                |     5 +
 engine/daemon/configs_unsupported.go          |     7 +
 engine/daemon/configs_windows.go              |     5 +
 engine/daemon/container.go                    |   358 +
 engine/daemon/container_linux.go              |    30 +
 engine/daemon/container_operations.go         |  1150 +
 engine/daemon/container_operations_unix.go    |   403 +
 engine/daemon/container_operations_windows.go |   201 +
 engine/daemon/container_unix_test.go          |    44 +
 engine/daemon/container_windows.go            |     9 +
 engine/daemon/create.go                       |   304 +
 engine/daemon/create_test.go                  |    21 +
 engine/daemon/create_unix.go                  |    94 +
 engine/daemon/create_windows.go               |    93 +
 engine/daemon/daemon.go                       |  1320 +
 engine/daemon/daemon_linux.go                 |   133 +
 engine/daemon/daemon_linux_test.go            |   322 +
 engine/daemon/daemon_test.go                  |   319 +
 engine/daemon/daemon_unix.go                  |  1523 +
 engine/daemon/daemon_unix_test.go             |   268 +
 engine/daemon/daemon_unsupported.go           |     5 +
 engine/daemon/daemon_windows.go               |   655 +
 engine/daemon/daemon_windows_test.go          |    72 +
 engine/daemon/debugtrap_unix.go               |    27 +
 engine/daemon/debugtrap_unsupported.go        |     7 +
 engine/daemon/debugtrap_windows.go            |    46 +
 engine/daemon/delete.go                       |   152 +
 engine/daemon/delete_test.go                  |    95 +
 engine/daemon/dependency.go                   |    17 +
 engine/daemon/discovery/discovery.go          |   202 +
 engine/daemon/discovery/discovery_test.go     |    96 +
 engine/daemon/disk_usage.go                   |    50 +
 engine/daemon/errors.go                       |   155 +
 engine/daemon/events.go                       |   308 +
 engine/daemon/events/events.go                |   165 +
 engine/daemon/events/events_test.go           |   282 +
 engine/daemon/events/filter.go                |   138 +
 engine/daemon/events/metrics.go               |    15 +
 engine/daemon/events/testutils/testutils.go   |    76 +
 engine/daemon/events_test.go                  |    90 +
 engine/daemon/exec.go                         |   324 +
 engine/daemon/exec/exec.go                    |   146 +
 engine/daemon/exec_linux.go                   |    59 +
 engine/daemon/exec_linux_test.go              |    53 +
 engine/daemon/exec_windows.go                 |    16 +
 engine/daemon/export.go                       |    86 +
 engine/daemon/graphdriver/aufs/aufs.go        |   678 +
 engine/daemon/graphdriver/aufs/aufs_test.go   |   805 +
 engine/daemon/graphdriver/aufs/dirs.go        |    64 +
 engine/daemon/graphdriver/aufs/mount.go       |    17 +
 engine/daemon/graphdriver/aufs/mount_linux.go |     7 +
 .../graphdriver/aufs/mount_unsupported.go     |    12 +
 engine/daemon/graphdriver/btrfs/btrfs.go      |   663 +
 engine/daemon/graphdriver/btrfs/btrfs_test.go |    65 +
 .../graphdriver/btrfs/dummy_unsupported.go    |     3 +
 engine/daemon/graphdriver/btrfs/version.go    |    26 +
 .../daemon/graphdriver/btrfs/version_none.go  |    14 +
 .../daemon/graphdriver/btrfs/version_test.go  |    13 +
 engine/daemon/graphdriver/copy/copy.go        |   277 +
 engine/daemon/graphdriver/copy/copy_test.go   |   159 +
 engine/daemon/graphdriver/counter.go          |    62 +
 engine/daemon/graphdriver/devmapper/README.md |    98 +
 .../graphdriver/devmapper/device_setup.go     |   231 +
 .../daemon/graphdriver/devmapper/deviceset.go |  2824 +
 .../graphdriver/devmapper/devmapper_doc.go    |   106 +
 .../graphdriver/devmapper/devmapper_test.go   |   205 +
 engine/daemon/graphdriver/devmapper/driver.go |   258 +
 engine/daemon/graphdriver/devmapper/mount.go  |    66 +
 engine/daemon/graphdriver/driver.go           |   307 +
 engine/daemon/graphdriver/driver_freebsd.go   |    21 +
 engine/daemon/graphdriver/driver_linux.go     |   124 +
 engine/daemon/graphdriver/driver_test.go      |    36 +
 .../daemon/graphdriver/driver_unsupported.go  |    13 +
 engine/daemon/graphdriver/driver_windows.go   |    12 +
 engine/daemon/graphdriver/errors.go           |    36 +
 engine/daemon/graphdriver/fsdiff.go           |   175 +
 .../graphdriver/graphtest/graphbench_unix.go  |   257 +
 .../graphdriver/graphtest/graphtest_unix.go   |   352 +
 .../graphtest/graphtest_windows.go            |     1 +
 .../daemon/graphdriver/graphtest/testutil.go  |   337 +
 .../graphdriver/graphtest/testutil_unix.go    |    69 +
 engine/daemon/graphdriver/lcow/lcow.go        |  1052 +
 engine/daemon/graphdriver/lcow/lcow_svm.go    |   378 +
 engine/daemon/graphdriver/lcow/remotefs.go    |   139 +
 .../daemon/graphdriver/lcow/remotefs_file.go  |   211 +
 .../graphdriver/lcow/remotefs_filedriver.go   |   123 +
 .../graphdriver/lcow/remotefs_pathdriver.go   |   212 +
 engine/daemon/graphdriver/overlay/overlay.go  |   524 +
 .../graphdriver/overlay/overlay_test.go       |    93 +
 .../overlay/overlay_unsupported.go            |     3 +
 engine/daemon/graphdriver/overlay2/check.go   |   134 +
 engine/daemon/graphdriver/overlay2/mount.go   |    89 +
 engine/daemon/graphdriver/overlay2/overlay.go |   758 +
 .../graphdriver/overlay2/overlay_test.go      |   109 +
 .../overlay2/overlay_unsupported.go           |     3 +
 .../daemon/graphdriver/overlay2/randomid.go   |    81 +
 .../graphdriver/overlayutils/overlayutils.go  |    25 +
 engine/daemon/graphdriver/plugin.go           |    55 +
 engine/daemon/graphdriver/proxy.go            |   264 +
 engine/daemon/graphdriver/quota/errors.go     |    19 +
 .../daemon/graphdriver/quota/projectquota.go  |   384 +
 .../graphdriver/quota/projectquota_test.go    |   152 +
 .../graphdriver/register/register_aufs.go     |     8 +
 .../graphdriver/register/register_btrfs.go    |     8 +
 .../register/register_devicemapper.go         |     8 +
 .../graphdriver/register/register_overlay.go  |     8 +
 .../graphdriver/register/register_overlay2.go |     8 +
 .../graphdriver/register/register_vfs.go      |     6 +
 .../graphdriver/register/register_windows.go  |     7 +
 .../graphdriver/register/register_zfs.go      |     8 +
 engine/daemon/graphdriver/vfs/copy_linux.go   |     7 +
 .../graphdriver/vfs/copy_unsupported.go       |     9 +
 engine/daemon/graphdriver/vfs/driver.go       |   167 +
 engine/daemon/graphdriver/vfs/quota_linux.go  |    26 +
 .../graphdriver/vfs/quota_unsupported.go      |    20 +
 engine/daemon/graphdriver/vfs/vfs_test.go     |    41 +
 engine/daemon/graphdriver/windows/windows.go  |   942 +
 engine/daemon/graphdriver/zfs/MAINTAINERS     |     2 +
 engine/daemon/graphdriver/zfs/zfs.go          |   431 +
 engine/daemon/graphdriver/zfs/zfs_freebsd.go  |    38 +
 engine/daemon/graphdriver/zfs/zfs_linux.go    |    28 +
 engine/daemon/graphdriver/zfs/zfs_test.go     |    35 +
 .../daemon/graphdriver/zfs/zfs_unsupported.go |    11 +
 engine/daemon/health.go                       |   381 +
 engine/daemon/health_test.go                  |   154 +
 engine/daemon/images/cache.go                 |    27 +
 engine/daemon/images/image.go                 |    64 +
 engine/daemon/images/image_builder.go         |   225 +
 engine/daemon/images/image_commit.go          |   127 +
 engine/daemon/images/image_delete.go          |   414 +
 engine/daemon/images/image_events.go          |    39 +
 engine/daemon/images/image_exporter.go        |    25 +
 engine/daemon/images/image_history.go         |    87 +
 engine/daemon/images/image_import.go          |   138 +
 engine/daemon/images/image_inspect.go         |   104 +
 engine/daemon/images/image_prune.go           |   211 +
 engine/daemon/images/image_pull.go            |   126 +
 engine/daemon/images/image_push.go            |    66 +
 engine/daemon/images/image_search.go          |    95 +
 engine/daemon/images/image_search_test.go     |   357 +
 engine/daemon/images/image_tag.go             |    41 +
 engine/daemon/images/image_unix.go            |    45 +
 engine/daemon/images/image_windows.go         |    41 +
 engine/daemon/images/images.go                |   348 +
 engine/daemon/images/locals.go                |    32 +
 engine/daemon/images/service.go               |   251 +
 engine/daemon/info.go                         |   206 +
 engine/daemon/info_unix.go                    |    93 +
 engine/daemon/info_unix_test.go               |    53 +
 engine/daemon/info_windows.go                 |    10 +
 engine/daemon/initlayer/setup_unix.go         |    73 +
 engine/daemon/initlayer/setup_windows.go      |    16 +
 engine/daemon/inspect.go                      |   273 +
 engine/daemon/inspect_linux.go                |    73 +
 engine/daemon/inspect_test.go                 |    33 +
 engine/daemon/inspect_windows.go              |    26 +
 engine/daemon/keys.go                         |    59 +
 engine/daemon/keys_unsupported.go             |     8 +
 engine/daemon/kill.go                         |   180 +
 engine/daemon/links.go                        |    91 +
 engine/daemon/links/links.go                  |   141 +
 engine/daemon/links/links_test.go             |   213 +
 engine/daemon/list.go                         |   607 +
 engine/daemon/list_test.go                    |    26 +
 engine/daemon/list_unix.go                    |    11 +
 engine/daemon/list_windows.go                 |    20 +
 engine/daemon/listeners/group_unix.go         |    34 +
 engine/daemon/listeners/listeners_linux.go    |   102 +
 engine/daemon/listeners/listeners_windows.go  |    54 +
 engine/daemon/logdrivers_linux.go             |    15 +
 engine/daemon/logdrivers_windows.go           |    14 +
 engine/daemon/logger/adapter.go               |   139 +
 engine/daemon/logger/adapter_test.go          |   216 +
 .../daemon/logger/awslogs/cloudwatchlogs.go   |   744 +
 .../logger/awslogs/cloudwatchlogs_test.go     |  1391 +
 .../logger/awslogs/cwlogsiface_mock_test.go   |   119 +
 engine/daemon/logger/copier.go                |   186 +
 engine/daemon/logger/copier_test.go           |   484 +
 .../daemon/logger/etwlogs/etwlogs_windows.go  |   168 +
 engine/daemon/logger/factory.go               |   162 +
 engine/daemon/logger/fluentd/fluentd.go       |   263 +
 engine/daemon/logger/gcplogs/gcplogging.go    |   244 +
 .../daemon/logger/gcplogs/gcplogging_linux.go |    29 +
 .../logger/gcplogs/gcplogging_others.go       |     7 +
 engine/daemon/logger/gelf/gelf.go             |   268 +
 engine/daemon/logger/gelf/gelf_test.go        |   260 +
 engine/daemon/logger/journald/journald.go     |   127 +
 .../daemon/logger/journald/journald_test.go   |    23 +
 .../logger/journald/journald_unsupported.go   |     6 +
 engine/daemon/logger/journald/read.go         |   441 +
 engine/daemon/logger/journald/read_native.go  |     6 +
 .../logger/journald/read_native_compat.go     |     6 +
 .../logger/journald/read_unsupported.go       |     7 +
 .../daemon/logger/jsonfilelog/jsonfilelog.go  |   185 +
 .../logger/jsonfilelog/jsonfilelog_test.go    |   302 +
 .../logger/jsonfilelog/jsonlog/jsonlog.go     |    25 +
 .../jsonfilelog/jsonlog/jsonlogbytes.go       |   125 +
 .../jsonfilelog/jsonlog/jsonlogbytes_test.go  |    51 +
 .../jsonfilelog/jsonlog/time_marshalling.go   |    20 +
 .../jsonlog/time_marshalling_test.go          |    34 +
 engine/daemon/logger/jsonfilelog/read.go      |    89 +
 engine/daemon/logger/jsonfilelog/read_test.go |    64 +
 engine/daemon/logger/logentries/logentries.go |   115 +
 engine/daemon/logger/logger.go                |   145 +
 engine/daemon/logger/logger_test.go           |    21 +
 engine/daemon/logger/loggerutils/log_tag.go   |    31 +
 .../daemon/logger/loggerutils/log_tag_test.go |    47 +
 engine/daemon/logger/loggerutils/logfile.go   |   680 +
 .../loggerutils/multireader/multireader.go    |   212 +
 .../multireader/multireader_test.go           |   225 +
 engine/daemon/logger/loginfo.go               |   129 +
 engine/daemon/logger/metrics.go               |    21 +
 engine/daemon/logger/plugin.go                |   116 +
 engine/daemon/logger/plugin_unix.go           |    23 +
 engine/daemon/logger/plugin_unsupported.go    |    12 +
 engine/daemon/logger/proxy.go                 |   107 +
 engine/daemon/logger/ring.go                  |   223 +
 engine/daemon/logger/ring_test.go             |   299 +
 engine/daemon/logger/splunk/splunk.go         |   649 +
 engine/daemon/logger/splunk/splunk_test.go    |  1389 +
 .../logger/splunk/splunkhecmock_test.go       |   182 +
 engine/daemon/logger/syslog/syslog.go         |   266 +
 engine/daemon/logger/syslog/syslog_test.go    |    62 +
 engine/daemon/logger/templates/templates.go   |    50 +
 .../daemon/logger/templates/templates_test.go |    19 +
 engine/daemon/logs.go                         |   209 +
 engine/daemon/logs_test.go                    |    15 +
 engine/daemon/metrics.go                      |   192 +
 engine/daemon/metrics_unix.go                 |    60 +
 engine/daemon/metrics_unsupported.go          |    12 +
 engine/daemon/monitor.go                      |   212 +
 engine/daemon/mounts.go                       |    55 +
 engine/daemon/names.go                        |   113 +
 engine/daemon/names/names.go                  |     9 +
 engine/daemon/network.go                      |   884 +
 engine/daemon/network/settings.go             |    69 +
 engine/daemon/oci.go                          |    78 +
 engine/daemon/oci_linux.go                    |   881 +
 engine/daemon/oci_linux_test.go               |   102 +
 engine/daemon/oci_windows.go                  |   419 +
 engine/daemon/pause.go                        |    55 +
 engine/daemon/prune.go                        |   250 +
 engine/daemon/reload.go                       |   324 +
 engine/daemon/reload_test.go                  |   573 +
 engine/daemon/reload_unix.go                  |    56 +
 engine/daemon/reload_windows.go               |     9 +
 engine/daemon/rename.go                       |   123 +
 engine/daemon/resize.go                       |    50 +
 engine/daemon/resize_test.go                  |   103 +
 engine/daemon/restart.go                      |    70 +
 engine/daemon/seccomp_disabled.go             |    19 +
 engine/daemon/seccomp_linux.go                |    55 +
 engine/daemon/seccomp_unsupported.go          |     5 +
 engine/daemon/secrets.go                      |    23 +
 engine/daemon/secrets_linux.go                |     5 +
 engine/daemon/secrets_unsupported.go          |     7 +
 engine/daemon/secrets_windows.go              |     5 +
 engine/daemon/selinux_linux.go                |    15 +
 engine/daemon/selinux_unsupported.go          |    13 +
 engine/daemon/start.go                        |   254 +
 engine/daemon/start_unix.go                   |    57 +
 engine/daemon/start_windows.go                |    38 +
 engine/daemon/stats.go                        |   155 +
 engine/daemon/stats/collector.go              |   159 +
 engine/daemon/stats/collector_unix.go         |    83 +
 engine/daemon/stats/collector_windows.go      |    17 +
 engine/daemon/stats_collector.go              |    26 +
 engine/daemon/stats_unix.go                   |    57 +
 engine/daemon/stats_windows.go                |    11 +
 engine/daemon/stop.go                         |    89 +
 engine/daemon/testdata/keyfile                |     7 +
 engine/daemon/top_unix.go                     |   189 +
 engine/daemon/top_unix_test.go                |    79 +
 engine/daemon/top_windows.go                  |    63 +
 engine/daemon/trustkey.go                     |    57 +
 engine/daemon/trustkey_test.go                |    71 +
 engine/daemon/unpause.go                      |    44 +
 engine/daemon/update.go                       |    95 +
 engine/daemon/update_linux.go                 |    54 +
 engine/daemon/update_windows.go               |    11 +
 engine/daemon/util_test.go                    |    65 +
 engine/daemon/volumes.go                      |   421 +
 engine/daemon/volumes_linux.go                |    36 +
 engine/daemon/volumes_linux_test.go           |    56 +
 engine/daemon/volumes_unit_test.go            |    42 +
 engine/daemon/volumes_unix.go                 |   156 +
 engine/daemon/volumes_unix_test.go            |   256 +
 engine/daemon/volumes_windows.go              |    51 +
 engine/daemon/wait.go                         |    23 +
 engine/daemon/workdir.go                      |    20 +
 engine/distribution/config.go                 |   266 +
 engine/distribution/errors.go                 |   206 +
 engine/distribution/errors_test.go            |    85 +
 .../fixtures/validate_manifest/bad_manifest   |    38 +
 .../validate_manifest/extra_data_manifest     |    46 +
 .../fixtures/validate_manifest/good_manifest  |    38 +
 engine/distribution/metadata/metadata.go      |    75 +
 engine/distribution/metadata/v1_id_service.go |    51 +
 .../metadata/v1_id_service_test.go            |    88 +
 .../metadata/v2_metadata_service.go           |   241 +
 .../metadata/v2_metadata_service_test.go      |   115 +
 engine/distribution/oci.go                    |    45 +
 engine/distribution/pull.go                   |   201 +
 engine/distribution/pull_v1.go                |   368 +
 engine/distribution/pull_v2.go                |   976 +
 engine/distribution/pull_v2_test.go           |   184 +
 engine/distribution/pull_v2_unix.go           |    60 +
 engine/distribution/pull_v2_windows.go        |   138 +
 engine/distribution/push.go                   |   186 +
 engine/distribution/push_v1.go                |   457 +
 engine/distribution/push_v2.go                |   709 +
 engine/distribution/push_v2_test.go           |   740 +
 engine/distribution/registry.go               |   158 +
 engine/distribution/registry_unit_test.go     |   127 +
 engine/distribution/utils/progress.go         |    44 +
 engine/distribution/xfer/download.go          |   474 +
 engine/distribution/xfer/download_test.go     |   362 +
 engine/distribution/xfer/transfer.go          |   401 +
 engine/distribution/xfer/transfer_test.go     |   410 +
 engine/distribution/xfer/upload.go            |   174 +
 engine/distribution/xfer/upload_test.go       |   134 +
 engine/dockerversion/useragent.go             |    76 +
 engine/dockerversion/version_lib.go           |    18 +
 engine/docs/api/v1.18.md                      |  2179 +
 engine/docs/api/v1.19.md                      |  2259 +
 engine/docs/api/v1.20.md                      |  2414 +
 engine/docs/api/v1.21.md                      |  3003 +
 engine/docs/api/v1.22.md                      |  3343 ++
 engine/docs/api/v1.23.md                      |  3459 ++
 engine/docs/api/v1.24.md                      |  5377 ++
 engine/docs/api/version-history.md            |   424 +
 engine/docs/contributing/README.md            |     8 +
 .../docs/contributing/images/branch-sig.png   |   Bin 0 -> 56537 bytes
 .../contributing/images/contributor-edit.png  |   Bin 0 -> 17933 bytes
 engine/docs/contributing/images/copy_url.png  |   Bin 0 -> 69486 bytes
 .../docs/contributing/images/fork_docker.png  |   Bin 0 -> 52190 bytes
 engine/docs/contributing/images/git_bash.png  |   Bin 0 -> 26097 bytes
 .../docs/contributing/images/list_example.png |   Bin 0 -> 51194 bytes
 engine/docs/contributing/set-up-dev-env.md    |   372 +
 engine/docs/contributing/set-up-git.md        |   280 +
 engine/docs/contributing/software-req-win.md  |   177 +
 engine/docs/contributing/software-required.md |    94 +
 engine/docs/contributing/test.md              |   244 +
 engine/docs/contributing/who-written-for.md   |    49 +
 engine/docs/static_files/contributors.png     |   Bin 0 -> 23100 bytes
 .../docs/static_files/moby-project-logo.png   |   Bin 0 -> 20458 bytes
 engine/errdefs/defs.go                        |    74 +
 engine/errdefs/doc.go                         |     8 +
 engine/errdefs/helpers.go                     |   240 +
 engine/errdefs/helpers_test.go                |   194 +
 engine/errdefs/is.go                          |   114 +
 engine/hack/README.md                         |    55 +
 engine/hack/ci/arm                            |    10 +
 engine/hack/ci/experimental                   |     9 +
 engine/hack/ci/janky                          |    17 +
 engine/hack/ci/powerpc                        |     6 +
 engine/hack/ci/z                              |     6 +
 engine/hack/dind                              |    33 +
 .../dockerfile/install/containerd.installer   |    36 +
 .../dockerfile/install/dockercli.installer    |    31 +
 .../dockerfile/install/gometalinter.installer |    12 +
 engine/hack/dockerfile/install/install.sh     |    30 +
 .../hack/dockerfile/install/proxy.installer   |    38 +
 engine/hack/dockerfile/install/runc.installer |    22 +
 engine/hack/dockerfile/install/tini.installer |    14 +
 .../hack/dockerfile/install/tomlv.installer   |    12 +
 engine/hack/dockerfile/install/vndr.installer |    11 +
 engine/hack/generate-authors.sh               |    15 +
 engine/hack/generate-swagger-api.sh           |    27 +
 .../hack/integration-cli-on-swarm/README.md   |    69 +
 .../integration-cli-on-swarm/agent/Dockerfile |     6 +
 .../agent/master/call.go                      |   132 +
 .../agent/master/master.go                    |    65 +
 .../agent/master/set.go                       |    28 +
 .../agent/master/set_test.go                  |    63 +
 .../agent/types/types.go                      |    18 +
 .../agent/vendor.conf                         |     2 +
 .../github.com/bfirsh/funker-go/LICENSE       |   191 +
 .../github.com/bfirsh/funker-go/call.go       |    50 +
 .../github.com/bfirsh/funker-go/handle.go     |    54 +
 .../agent/worker/executor.go                  |   118 +
 .../agent/worker/worker.go                    |    69 +
 .../integration-cli-on-swarm/host/compose.go  |   122 +
 .../host/dockercmd.go                         |    64 +
 .../host/enumerate.go                         |    55 +
 .../host/enumerate_test.go                    |    84 +
 .../integration-cli-on-swarm/host/host.go     |   198 +
 .../integration-cli-on-swarm/host/volume.go   |    88 +
 engine/hack/make.ps1                          |   457 +
 engine/hack/make.sh                           |   224 +
 engine/hack/make/.binary                      |    73 +
 engine/hack/make/.binary-setup                |     9 +
 engine/hack/make/.detect-daemon-osarch        |    43 +
 engine/hack/make/.ensure-emptyfs              |    23 +
 engine/hack/make/.go-autogen                  |    90 +
 engine/hack/make/.go-autogen.ps1              |    95 +
 engine/hack/make/.integration-daemon-setup    |     7 +
 engine/hack/make/.integration-daemon-start    |   126 +
 engine/hack/make/.integration-daemon-stop     |    28 +
 engine/hack/make/.integration-test-helpers    |   122 +
 engine/hack/make/.resources-windows/common.rc |    38 +
 .../.resources-windows/docker.exe.manifest    |    18 +
 .../hack/make/.resources-windows/docker.ico   |   Bin 0 -> 370070 bytes
 .../hack/make/.resources-windows/docker.png   |   Bin 0 -> 658195 bytes
 engine/hack/make/.resources-windows/docker.rc |     3 +
 .../hack/make/.resources-windows/dockerd.rc   |     4 +
 .../make/.resources-windows/event_messages.mc |    39 +
 .../hack/make/.resources-windows/resources.go |    18 +
 engine/hack/make/README.md                    |    16 +
 engine/hack/make/binary                       |    10 +
 engine/hack/make/binary-daemon                |    27 +
 .../hack/make/build-integration-test-binary   |     7 +
 engine/hack/make/cross                        |    29 +
 engine/hack/make/dynbinary                    |    10 +
 engine/hack/make/dynbinary-daemon             |    10 +
 engine/hack/make/install-binary               |    29 +
 engine/hack/make/run                          |    44 +
 engine/hack/make/test-docker-py               |    20 +
 engine/hack/make/test-integration             |    21 +
 engine/hack/make/test-integration-cli         |     6 +
 engine/hack/make/test-integration-shell       |     9 +
 engine/hack/test/e2e-run.sh                   |    72 +
 engine/hack/test/unit                         |    38 +
 engine/hack/validate/.swagger-yamllint        |     4 +
 engine/hack/validate/.validate                |    30 +
 engine/hack/validate/all                      |     8 +
 .../hack/validate/changelog-date-descending   |    12 +
 engine/hack/validate/changelog-well-formed    |    25 +
 engine/hack/validate/dco                      |    55 +
 engine/hack/validate/default                  |    17 +
 engine/hack/validate/default-seccomp          |    28 +
 .../hack/validate/deprecate-integration-cli   |    25 +
 engine/hack/validate/gometalinter             |    13 +
 engine/hack/validate/gometalinter.json        |    27 +
 engine/hack/validate/pkg-imports              |    33 +
 engine/hack/validate/swagger                  |    13 +
 engine/hack/validate/swagger-gen              |    29 +
 engine/hack/validate/test-imports             |    38 +
 engine/hack/validate/toml                     |    31 +
 engine/hack/validate/vendor                   |    55 +
 engine/hack/vendor.sh                         |    15 +
 engine/image/cache/cache.go                   |   253 +
 engine/image/cache/compare.go                 |    63 +
 engine/image/cache/compare_test.go            |   126 +
 engine/image/fs.go                            |   175 +
 engine/image/fs_test.go                       |   270 +
 engine/image/image.go                         |   232 +
 engine/image/image_test.go                    |   125 +
 engine/image/rootfs.go                        |    52 +
 engine/image/spec/README.md                   |    46 +
 engine/image/spec/v1.1.md                     |   623 +
 engine/image/spec/v1.2.md                     |   677 +
 engine/image/spec/v1.md                       |   562 +
 engine/image/store.go                         |   346 +
 engine/image/store_test.go                    |   197 +
 engine/image/tarexport/load.go                |   432 +
 engine/image/tarexport/save.go                |   431 +
 engine/image/tarexport/tarexport.go           |    47 +
 engine/image/v1/imagev1.go                    |   150 +
 engine/image/v1/imagev1_test.go               |    55 +
 engine/integration-cli/benchmark_test.go      |    95 +
 engine/integration-cli/check_test.go          |   409 +
 engine/integration-cli/checker/checker.go     |    46 +
 engine/integration-cli/cli/build/build.go     |    82 +
 engine/integration-cli/cli/cli.go             |   226 +
 engine/integration-cli/daemon/daemon.go       |   143 +
 engine/integration-cli/daemon/daemon_swarm.go |   197 +
 .../integration-cli/daemon_swarm_hack_test.go |    23 +
 .../integration-cli/docker_api_attach_test.go |   260 +
 .../integration-cli/docker_api_build_test.go  |   558 +
 .../docker_api_build_windows_test.go          |    39 +
 .../docker_api_containers_test.go             |  2207 +
 .../docker_api_containers_windows_test.go     |    76 +
 .../integration-cli/docker_api_create_test.go |   136 +
 .../docker_api_exec_resize_test.go            |   113 +
 .../integration-cli/docker_api_exec_test.go   |   313 +
 .../integration-cli/docker_api_images_test.go |   187 +
 .../docker_api_inspect_test.go                |   181 +
 .../docker_api_ipcmode_test.go                |   213 +
 .../integration-cli/docker_api_logs_test.go   |   216 +
 .../docker_api_network_test.go                |   376 +
 .../integration-cli/docker_api_stats_test.go  |   314 +
 .../docker_api_swarm_node_test.go             |   127 +
 .../docker_api_swarm_service_test.go          |   612 +
 .../integration-cli/docker_api_swarm_test.go  |  1034 +
 engine/integration-cli/docker_api_test.go     |   110 +
 .../integration-cli/docker_cli_attach_test.go |   179 +
 .../docker_cli_attach_unix_test.go            |   229 +
 .../integration-cli/docker_cli_build_test.go  |  6209 ++
 .../docker_cli_build_unix_test.go             |   228 +
 .../docker_cli_by_digest_test.go              |   693 +
 .../integration-cli/docker_cli_commit_test.go |   168 +
 .../docker_cli_config_create_test.go          |   131 +
 .../docker_cli_cp_from_container_test.go      |   399 +
 engine/integration-cli/docker_cli_cp_test.go  |   664 +
 .../docker_cli_cp_to_container_test.go        |   495 +
 .../docker_cli_cp_to_container_unix_test.go   |    81 +
 .../docker_cli_cp_utils_test.go               |   305 +
 .../integration-cli/docker_cli_create_test.go |   374 +
 .../docker_cli_daemon_plugins_test.go         |   328 +
 .../integration-cli/docker_cli_daemon_test.go |  3131 +
 .../integration-cli/docker_cli_events_test.go |   769 +
 .../docker_cli_events_unix_test.go            |   511 +
 .../integration-cli/docker_cli_exec_test.go   |   607 +
 .../docker_cli_exec_unix_test.go              |    97 +
 .../docker_cli_export_import_test.go          |    34 +
 ...er_cli_external_volume_driver_unix_test.go |   631 +
 .../integration-cli/docker_cli_health_test.go |   167 +
 .../docker_cli_history_test.go                |   119 +
 .../integration-cli/docker_cli_images_test.go |   366 +
 .../integration-cli/docker_cli_import_test.go |   142 +
 .../integration-cli/docker_cli_info_test.go   |   238 +
 .../docker_cli_info_unix_test.go              |    15 +
 .../docker_cli_inspect_test.go                |   460 +
 .../integration-cli/docker_cli_links_test.go  |   239 +
 .../integration-cli/docker_cli_login_test.go  |    30 +
 .../integration-cli/docker_cli_logout_test.go |   106 +
 .../docker_cli_logs_bench_test.go             |    32 +
 .../integration-cli/docker_cli_logs_test.go   |   336 +
 .../docker_cli_netmode_test.go                |    96 +
 .../docker_cli_network_unix_test.go           |  1835 +
 .../docker_cli_plugins_logdriver_test.go      |    48 +
 .../docker_cli_plugins_test.go                |   493 +
 .../integration-cli/docker_cli_port_test.go   |   351 +
 .../integration-cli/docker_cli_proxy_test.go  |    51 +
 .../docker_cli_prune_unix_test.go             |   309 +
 engine/integration-cli/docker_cli_ps_test.go  |   874 +
 .../docker_cli_pull_local_test.go             |   470 +
 .../integration-cli/docker_cli_pull_test.go   |   274 +
 .../integration-cli/docker_cli_push_test.go   |   382 +
 .../docker_cli_registry_user_agent_test.go    |   103 +
 .../docker_cli_restart_test.go                |   309 +
 engine/integration-cli/docker_cli_rmi_test.go |   338 +
 engine/integration-cli/docker_cli_run_test.go |  4540 ++
 .../docker_cli_run_unix_test.go               |  1585 +
 .../docker_cli_save_load_test.go              |   405 +
 .../docker_cli_save_load_unix_test.go         |   107 +
 .../integration-cli/docker_cli_search_test.go |   131 +
 .../docker_cli_secret_create_test.go          |    92 +
 .../docker_cli_service_create_test.go         |   447 +
 .../docker_cli_service_health_test.go         |   136 +
 .../docker_cli_service_logs_test.go           |   388 +
 .../docker_cli_service_scale_test.go          |    57 +
 .../docker_cli_service_update_test.go         |   137 +
 engine/integration-cli/docker_cli_sni_test.go |    44 +
 .../integration-cli/docker_cli_start_test.go  |   199 +
 .../integration-cli/docker_cli_stats_test.go  |   180 +
 .../integration-cli/docker_cli_swarm_test.go  |  2062 +
 .../docker_cli_swarm_unix_test.go             |   104 +
 engine/integration-cli/docker_cli_top_test.go |    73 +
 .../docker_cli_update_unix_test.go            |   339 +
 .../integration-cli/docker_cli_userns_test.go |    98 +
 .../docker_cli_v2_only_test.go                |    58 +
 .../integration-cli/docker_cli_volume_test.go |   639 +
 .../integration-cli/docker_cli_wait_test.go   |    98 +
 .../docker_deprecated_api_v124_test.go        |   250 +
 .../docker_deprecated_api_v124_unix_test.go   |    31 +
 .../docker_hub_pull_suite_test.go             |    90 +
 engine/integration-cli/docker_utils_test.go   |   466 +
 .../environment/environment.go                |    49 +
 engine/integration-cli/events_utils_test.go   |   206 +
 .../auth/docker-credential-shell-test         |    55 +
 .../fixtures/credentialspecs/valid.json       |    25 +
 engine/integration-cli/fixtures/https/ca.pem  |     1 +
 .../fixtures/https/client-cert.pem            |     1 +
 .../fixtures/https/client-key.pem             |     1 +
 .../fixtures/https/client-rogue-cert.pem      |    73 +
 .../fixtures/https/client-rogue-key.pem       |    16 +
 .../fixtures/https/server-cert.pem            |     1 +
 .../fixtures/https/server-key.pem             |     1 +
 .../fixtures/https/server-rogue-cert.pem      |    76 +
 .../fixtures/https/server-rogue-key.pem       |    16 +
 .../fixtures/registry/cert.pem                |    21 +
 .../fixtures_linux_daemon_test.go             |   139 +
 .../requirement/requirement.go                |    34 +
 engine/integration-cli/requirements_test.go   |   219 +
 .../integration-cli/requirements_unix_test.go |   117 +
 engine/integration-cli/test_vars_exec_test.go |     8 +
 .../integration-cli/test_vars_noexec_test.go  |     8 +
 .../test_vars_noseccomp_test.go               |     8 +
 .../integration-cli/test_vars_seccomp_test.go |     8 +
 engine/integration-cli/test_vars_test.go      |    11 +
 engine/integration-cli/test_vars_unix_test.go |    14 +
 .../integration-cli/test_vars_windows_test.go |    15 +
 .../integration-cli/testdata/emptyLayer.tar   |   Bin 0 -> 30720 bytes
 engine/integration-cli/utils_test.go          |   183 +
 .../integration/build/build_session_test.go   |   129 +
 engine/integration/build/build_squash_test.go |   103 +
 engine/integration/build/build_test.go        |   460 +
 engine/integration/build/main_test.go         |    33 +
 engine/integration/config/config_test.go      |   356 +
 engine/integration/config/main_test.go        |    33 +
 engine/integration/container/copy_test.go     |    65 +
 engine/integration/container/create_test.go   |   303 +
 .../container/daemon_linux_test.go            |    78 +
 engine/integration/container/diff_test.go     |    42 +
 engine/integration/container/exec_test.go     |    50 +
 engine/integration/container/export_test.go   |    78 +
 engine/integration/container/health_test.go   |    47 +
 engine/integration/container/inspect_test.go  |    48 +
 engine/integration/container/kill_test.go     |   183 +
 .../integration/container/links_linux_test.go |    57 +
 engine/integration/container/logs_test.go     |    35 +
 engine/integration/container/main_test.go     |    33 +
 .../container/mounts_linux_test.go            |   208 +
 engine/integration/container/nat_test.go      |   120 +
 engine/integration/container/pause_test.go    |    98 +
 engine/integration/container/ps_test.go       |    49 +
 engine/integration/container/remove_test.go   |   112 +
 engine/integration/container/rename_test.go   |   213 +
 engine/integration/container/resize_test.go   |    66 +
 engine/integration/container/restart_test.go  |   114 +
 engine/integration/container/stats_test.go    |    43 +
 engine/integration/container/stop_test.go     |   127 +
 .../container/update_linux_test.go            |   107 +
 engine/integration/container/update_test.go   |    64 +
 engine/integration/doc.go                     |     3 +
 engine/integration/image/commit_test.go       |    48 +
 engine/integration/image/import_test.go       |    42 +
 engine/integration/image/main_test.go         |    33 +
 engine/integration/image/remove_test.go       |    59 +
 engine/integration/image/tag_test.go          |   140 +
 .../internal/container/container.go           |    54 +
 engine/integration/internal/container/exec.go |    86 +
 engine/integration/internal/container/ops.go  |   136 +
 .../integration/internal/container/states.go  |    41 +
 .../integration/internal/network/network.go   |    35 +
 engine/integration/internal/network/ops.go    |    94 +
 .../internal/requirement/requirement.go       |    53 +
 engine/integration/internal/swarm/service.go  |   200 +
 engine/integration/network/delete_test.go     |    91 +
 engine/integration/network/helpers.go         |    85 +
 engine/integration/network/inspect_test.go    |   177 +
 .../integration/network/ipvlan/ipvlan_test.go |   432 +
 .../integration/network/ipvlan/main_test.go   |    33 +
 .../network/macvlan/macvlan_test.go           |   281 +
 .../integration/network/macvlan/main_test.go  |    33 +
 engine/integration/network/main_test.go       |    33 +
 engine/integration/network/service_test.go    |   315 +
 .../plugin/authz/authz_plugin_test.go         |   521 +
 .../plugin/authz/authz_plugin_v2_test.go      |   175 +
 engine/integration/plugin/authz/main_test.go  |   180 +
 .../plugin/graphdriver/external_test.go       |   462 +
 .../plugin/graphdriver/main_test.go           |    36 +
 .../plugin/logging/cmd/close_on_start/main.go |    48 +
 .../logging/cmd/close_on_start/main_test.go   |     1 +
 .../plugin/logging/cmd/cmd_test.go            |     1 +
 .../plugin/logging/cmd/dummy/main.go          |    19 +
 .../plugin/logging/cmd/dummy/main_test.go     |     1 +
 .../plugin/logging/helpers_test.go            |    67 +
 .../plugin/logging/logging_test.go            |    79 +
 .../integration/plugin/logging/main_test.go   |    29 +
 .../plugin/logging/validation_test.go         |    35 +
 engine/integration/plugin/pkg_test.go         |     1 +
 .../plugin/volumes/cmd/cmd_test.go            |     1 +
 .../plugin/volumes/cmd/dummy/main.go          |    19 +
 .../plugin/volumes/cmd/dummy/main_test.go     |     1 +
 .../plugin/volumes/helpers_test.go            |    73 +
 .../integration/plugin/volumes/main_test.go   |    32 +
 .../integration/plugin/volumes/mounts_test.go |    58 +
 engine/integration/secret/main_test.go        |    33 +
 engine/integration/secret/secret_test.go      |   366 +
 engine/integration/service/create_test.go     |   374 +
 engine/integration/service/inspect_test.go    |   153 +
 engine/integration/service/main_test.go       |    33 +
 engine/integration/service/network_test.go    |    75 +
 engine/integration/service/plugin_test.go     |   121 +
 engine/integration/session/main_test.go       |    33 +
 engine/integration/session/session_test.go    |    48 +
 .../system/cgroupdriver_systemd_test.go       |    56 +
 engine/integration/system/event_test.go       |   122 +
 engine/integration/system/info_linux_test.go  |    48 +
 engine/integration/system/info_test.go        |    42 +
 engine/integration/system/login_test.go       |    28 +
 engine/integration/system/main_test.go        |    33 +
 engine/integration/system/version_test.go     |    23 +
 engine/integration/testdata/https/ca.pem      |    23 +
 .../testdata/https/client-cert.pem            |    73 +
 .../integration/testdata/https/client-key.pem |    16 +
 .../testdata/https/server-cert.pem            |    76 +
 .../integration/testdata/https/server-key.pem |    16 +
 engine/integration/volume/main_test.go        |    33 +
 engine/integration/volume/volume_test.go      |   116 +
 engine/internal/test/daemon/config.go         |    82 +
 engine/internal/test/daemon/container.go      |    40 +
 engine/internal/test/daemon/daemon.go         |   681 +
 engine/internal/test/daemon/daemon_unix.go    |    39 +
 engine/internal/test/daemon/daemon_windows.go |    25 +
 engine/internal/test/daemon/node.go           |    82 +
 engine/internal/test/daemon/ops.go            |    44 +
 engine/internal/test/daemon/plugin.go         |    77 +
 engine/internal/test/daemon/secret.go         |    84 +
 engine/internal/test/daemon/service.go        |   131 +
 engine/internal/test/daemon/swarm.go          |   194 +
 engine/internal/test/environment/clean.go     |   217 +
 .../internal/test/environment/environment.go  |   158 +
 engine/internal/test/environment/protect.go   |   254 +
 engine/internal/test/fakecontext/context.go   |   131 +
 engine/internal/test/fakegit/fakegit.go       |   136 +
 engine/internal/test/fakestorage/fixtures.go  |    92 +
 engine/internal/test/fakestorage/storage.go   |   200 +
 engine/internal/test/fixtures/load/frozen.go  |   196 +
 .../test/fixtures/plugin/basic/basic.go       |    34 +
 .../internal/test/fixtures/plugin/plugin.go   |   216 +
 engine/internal/test/helper.go                |     6 +
 engine/internal/test/registry/ops.go          |    26 +
 engine/internal/test/registry/registry.go     |   255 +
 .../internal/test/registry/registry_mock.go   |    71 +
 engine/internal/test/request/npipe.go         |    12 +
 engine/internal/test/request/npipe_windows.go |    12 +
 engine/internal/test/request/ops.go           |    78 +
 engine/internal/test/request/request.go       |   218 +
 engine/internal/testutil/helpers.go           |    17 +
 engine/internal/testutil/stringutils.go       |    14 +
 engine/internal/testutil/stringutils_test.go  |    34 +
 engine/layer/empty.go                         |    61 +
 engine/layer/empty_test.go                    |    52 +
 engine/layer/filestore.go                     |   355 +
 engine/layer/filestore_test.go                |   104 +
 engine/layer/filestore_unix.go                |    15 +
 engine/layer/filestore_windows.go             |    35 +
 engine/layer/layer.go                         |   237 +
 engine/layer/layer_store.go                   |   754 +
 engine/layer/layer_store_windows.go           |    11 +
 engine/layer/layer_test.go                    |   768 +
 engine/layer/layer_unix.go                    |     9 +
 engine/layer/layer_unix_test.go               |    73 +
 engine/layer/layer_windows.go                 |    46 +
 engine/layer/migration.go                     |   252 +
 engine/layer/migration_test.go                |   429 +
 engine/layer/mount_test.go                    |   239 +
 engine/layer/mounted_layer.go                 |   100 +
 engine/layer/ro_layer.go                      |   182 +
 engine/layer/ro_layer_windows.go              |     9 +
 engine/libcontainerd/client_daemon.go         |   894 +
 engine/libcontainerd/client_daemon_linux.go   |   108 +
 engine/libcontainerd/client_daemon_windows.go |    55 +
 engine/libcontainerd/client_local_windows.go  |  1328 +
 engine/libcontainerd/errors.go                |    13 +
 engine/libcontainerd/process_windows.go       |    44 +
 engine/libcontainerd/queue.go                 |    35 +
 engine/libcontainerd/queue_test.go            |    31 +
 engine/libcontainerd/remote_daemon.go         |   344 +
 engine/libcontainerd/remote_daemon_linux.go   |    65 +
 engine/libcontainerd/remote_daemon_options.go |   141 +
 .../remote_daemon_options_linux.go            |    18 +
 engine/libcontainerd/remote_daemon_windows.go |    50 +
 engine/libcontainerd/remote_local.go          |    59 +
 engine/libcontainerd/types.go                 |   108 +
 engine/libcontainerd/types_linux.go           |    30 +
 engine/libcontainerd/types_windows.go         |    42 +
 engine/libcontainerd/utils_linux.go           |    12 +
 engine/libcontainerd/utils_windows.go         |    46 +
 engine/libcontainerd/utils_windows_test.go    |    13 +
 engine/migrate/v1/migratev1.go                |   501 +
 engine/migrate/v1/migratev1_test.go           |   437 +
 engine/oci/defaults.go                        |   212 +
 engine/oci/devices_linux.go                   |    86 +
 engine/oci/devices_unsupported.go             |    20 +
 engine/oci/namespaces.go                      |    13 +
 engine/opts/address_pools.go                  |    84 +
 engine/opts/address_pools_test.go             |    20 +
 engine/opts/env.go                            |    48 +
 engine/opts/env_test.go                       |   124 +
 engine/opts/hosts.go                          |   165 +
 engine/opts/hosts_test.go                     |   181 +
 engine/opts/hosts_unix.go                     |     8 +
 engine/opts/hosts_windows.go                  |     4 +
 engine/opts/ip.go                             |    47 +
 engine/opts/ip_test.go                        |    54 +
 engine/opts/opts.go                           |   337 +
 engine/opts/opts_test.go                      |   264 +
 engine/opts/opts_unix.go                      |     6 +
 engine/opts/opts_windows.go                   |    56 +
 engine/opts/quotedstring.go                   |    37 +
 engine/opts/quotedstring_test.go              |    30 +
 engine/opts/runtime.go                        |    79 +
 engine/opts/ulimit.go                         |    81 +
 engine/opts/ulimit_test.go                    |    42 +
 engine/pkg/README.md                          |    11 +
 engine/pkg/aaparser/aaparser.go               |    89 +
 engine/pkg/aaparser/aaparser_test.go          |    73 +
 engine/pkg/archive/README.md                  |     1 +
 engine/pkg/archive/archive.go                 |  1291 +
 engine/pkg/archive/archive_linux.go           |    92 +
 engine/pkg/archive/archive_linux_test.go      |   162 +
 engine/pkg/archive/archive_other.go           |     7 +
 engine/pkg/archive/archive_test.go            |  1364 +
 engine/pkg/archive/archive_unix.go            |   114 +
 engine/pkg/archive/archive_unix_test.go       |   318 +
 engine/pkg/archive/archive_windows.go         |    77 +
 engine/pkg/archive/archive_windows_test.go    |    93 +
 engine/pkg/archive/changes.go                 |   441 +
 engine/pkg/archive/changes_linux.go           |   286 +
 engine/pkg/archive/changes_other.go           |    97 +
 engine/pkg/archive/changes_posix_test.go      |   127 +
 engine/pkg/archive/changes_test.go            |   504 +
 engine/pkg/archive/changes_unix.go            |    37 +
 engine/pkg/archive/changes_windows.go         |    30 +
 engine/pkg/archive/copy.go                    |   472 +
 engine/pkg/archive/copy_unix.go               |    11 +
 engine/pkg/archive/copy_unix_test.go          |   958 +
 engine/pkg/archive/copy_windows.go            |     9 +
 engine/pkg/archive/diff.go                    |   258 +
 engine/pkg/archive/diff_test.go               |   386 +
 engine/pkg/archive/example_changes.go         |    97 +
 engine/pkg/archive/testdata/broken.tar        |   Bin 0 -> 13824 bytes
 engine/pkg/archive/time_linux.go              |    16 +
 engine/pkg/archive/time_unsupported.go        |    16 +
 engine/pkg/archive/utils_test.go              |   166 +
 engine/pkg/archive/whiteouts.go               |    23 +
 engine/pkg/archive/wrap.go                    |    59 +
 engine/pkg/archive/wrap_test.go               |    92 +
 engine/pkg/authorization/api.go               |    88 +
 engine/pkg/authorization/api_test.go          |    76 +
 engine/pkg/authorization/authz.go             |   189 +
 engine/pkg/authorization/authz_unix_test.go   |   342 +
 engine/pkg/authorization/middleware.go        |   110 +
 engine/pkg/authorization/middleware_test.go   |    53 +
 .../pkg/authorization/middleware_unix_test.go |    66 +
 engine/pkg/authorization/plugin.go            |   118 +
 engine/pkg/authorization/response.go          |   210 +
 engine/pkg/broadcaster/unbuffered.go          |    49 +
 engine/pkg/broadcaster/unbuffered_test.go     |   161 +
 engine/pkg/chrootarchive/archive.go           |    73 +
 engine/pkg/chrootarchive/archive_test.go      |   413 +
 engine/pkg/chrootarchive/archive_unix.go      |    88 +
 engine/pkg/chrootarchive/archive_windows.go   |    22 +
 engine/pkg/chrootarchive/chroot_linux.go      |   113 +
 engine/pkg/chrootarchive/chroot_unix.go       |    12 +
 engine/pkg/chrootarchive/diff.go              |    23 +
 engine/pkg/chrootarchive/diff_unix.go         |   130 +
 engine/pkg/chrootarchive/diff_windows.go      |    45 +
 engine/pkg/chrootarchive/init_unix.go         |    28 +
 engine/pkg/chrootarchive/init_windows.go      |     4 +
 engine/pkg/containerfs/archiver.go            |   203 +
 engine/pkg/containerfs/containerfs.go         |    87 +
 engine/pkg/containerfs/containerfs_unix.go    |    10 +
 engine/pkg/containerfs/containerfs_windows.go |    15 +
 engine/pkg/devicemapper/devmapper.go          |   826 +
 engine/pkg/devicemapper/devmapper_log.go      |   124 +
 engine/pkg/devicemapper/devmapper_wrapper.go  |   252 +
 .../devicemapper/devmapper_wrapper_dynamic.go |     6 +
 ...vmapper_wrapper_dynamic_deferred_remove.go |    35 +
 ...r_wrapper_dynamic_dlsym_deferred_remove.go |   128 +
 .../devmapper_wrapper_no_deferred_remove.go   |    17 +
 engine/pkg/devicemapper/ioctl.go              |    28 +
 engine/pkg/devicemapper/log.go                |    11 +
 engine/pkg/directory/directory.go             |    26 +
 engine/pkg/directory/directory_test.go        |   193 +
 engine/pkg/directory/directory_unix.go        |    54 +
 engine/pkg/directory/directory_windows.go     |    42 +
 engine/pkg/discovery/README.md                |    41 +
 engine/pkg/discovery/backends.go              |   107 +
 engine/pkg/discovery/discovery.go             |    35 +
 engine/pkg/discovery/discovery_test.go        |   137 +
 engine/pkg/discovery/entry.go                 |    94 +
 engine/pkg/discovery/file/file.go             |   107 +
 engine/pkg/discovery/file/file_test.go        |   114 +
 engine/pkg/discovery/generator.go             |    35 +
 engine/pkg/discovery/generator_test.go        |    53 +
 engine/pkg/discovery/kv/kv.go                 |   192 +
 engine/pkg/discovery/kv/kv_test.go            |   322 +
 engine/pkg/discovery/memory/memory.go         |    93 +
 engine/pkg/discovery/memory/memory_test.go    |    48 +
 engine/pkg/discovery/nodes/nodes.go           |    54 +
 engine/pkg/discovery/nodes/nodes_test.go      |    51 +
 engine/pkg/dmesg/dmesg_linux.go               |    18 +
 engine/pkg/dmesg/dmesg_linux_test.go          |     9 +
 engine/pkg/filenotify/filenotify.go           |    40 +
 engine/pkg/filenotify/fsnotify.go             |    18 +
 engine/pkg/filenotify/poller.go               |   204 +
 engine/pkg/filenotify/poller_test.go          |   119 +
 engine/pkg/fileutils/fileutils.go             |   298 +
 engine/pkg/fileutils/fileutils_darwin.go      |    27 +
 engine/pkg/fileutils/fileutils_test.go        |   591 +
 engine/pkg/fileutils/fileutils_unix.go        |    22 +
 engine/pkg/fileutils/fileutils_windows.go     |     7 +
 engine/pkg/fsutils/fsutils_linux.go           |    86 +
 engine/pkg/fsutils/fsutils_linux_test.go      |    92 +
 engine/pkg/homedir/homedir_linux.go           |    21 +
 engine/pkg/homedir/homedir_others.go          |    13 +
 engine/pkg/homedir/homedir_test.go            |    24 +
 engine/pkg/homedir/homedir_unix.go            |    34 +
 engine/pkg/homedir/homedir_windows.go         |    24 +
 engine/pkg/idtools/idtools.go                 |   266 +
 engine/pkg/idtools/idtools_unix.go            |   230 +
 engine/pkg/idtools/idtools_unix_test.go       |   397 +
 engine/pkg/idtools/idtools_windows.go         |    23 +
 engine/pkg/idtools/usergroupadd_linux.go      |   164 +
 .../pkg/idtools/usergroupadd_unsupported.go   |    12 +
 engine/pkg/idtools/utils_unix.go              |    32 +
 engine/pkg/ioutils/buffer.go                  |    51 +
 engine/pkg/ioutils/buffer_test.go             |   153 +
 engine/pkg/ioutils/bytespipe.go               |   186 +
 engine/pkg/ioutils/bytespipe_test.go          |   159 +
 engine/pkg/ioutils/fswriters.go               |   162 +
 engine/pkg/ioutils/fswriters_test.go          |   132 +
 engine/pkg/ioutils/readers.go                 |   157 +
 engine/pkg/ioutils/readers_test.go            |    95 +
 engine/pkg/ioutils/temp_unix.go               |    10 +
 engine/pkg/ioutils/temp_windows.go            |    16 +
 engine/pkg/ioutils/writeflusher.go            |    92 +
 engine/pkg/ioutils/writers.go                 |    66 +
 engine/pkg/ioutils/writers_test.go            |    65 +
 engine/pkg/jsonmessage/jsonmessage.go         |   335 +
 engine/pkg/jsonmessage/jsonmessage_test.go    |   298 +
 engine/pkg/locker/README.md                   |    65 +
 engine/pkg/locker/locker.go                   |   112 +
 engine/pkg/locker/locker_test.go              |   161 +
 engine/pkg/longpath/longpath.go               |    26 +
 engine/pkg/longpath/longpath_test.go          |    22 +
 engine/pkg/loopback/attach_loopback.go        |   137 +
 engine/pkg/loopback/ioctl.go                  |    48 +
 engine/pkg/loopback/loop_wrapper.go           |    52 +
 engine/pkg/loopback/loopback.go               |    64 +
 engine/pkg/mount/flags.go                     |   149 +
 engine/pkg/mount/flags_freebsd.go             |    49 +
 engine/pkg/mount/flags_linux.go               |    87 +
 engine/pkg/mount/flags_unsupported.go         |    31 +
 engine/pkg/mount/mount.go                     |   141 +
 engine/pkg/mount/mount_unix_test.go           |   170 +
 engine/pkg/mount/mounter_freebsd.go           |    60 +
 engine/pkg/mount/mounter_linux.go             |    57 +
 engine/pkg/mount/mounter_linux_test.go        |   228 +
 engine/pkg/mount/mounter_unsupported.go       |    11 +
 engine/pkg/mount/mountinfo.go                 |    40 +
 engine/pkg/mount/mountinfo_freebsd.go         |    55 +
 engine/pkg/mount/mountinfo_linux.go           |   132 +
 engine/pkg/mount/mountinfo_linux_test.go      |   508 +
 engine/pkg/mount/mountinfo_unsupported.go     |    12 +
 engine/pkg/mount/mountinfo_windows.go         |     6 +
 engine/pkg/mount/sharedsubtree_linux.go       |    67 +
 engine/pkg/mount/sharedsubtree_linux_test.go  |   348 +
 .../cmd/names-generator/main.go               |    14 +
 engine/pkg/namesgenerator/names-generator.go  |   645 +
 .../namesgenerator/names-generator_test.go    |    27 +
 engine/pkg/parsers/kernel/kernel.go           |    74 +
 engine/pkg/parsers/kernel/kernel_darwin.go    |    56 +
 engine/pkg/parsers/kernel/kernel_unix.go      |    35 +
 engine/pkg/parsers/kernel/kernel_unix_test.go |    96 +
 engine/pkg/parsers/kernel/kernel_windows.go   |    51 +
 engine/pkg/parsers/kernel/uname_linux.go      |    17 +
 engine/pkg/parsers/kernel/uname_solaris.go    |    14 +
 .../pkg/parsers/kernel/uname_unsupported.go   |    18 +
 .../operatingsystem/operatingsystem_linux.go  |    77 +
 .../operatingsystem/operatingsystem_unix.go   |    25 +
 .../operatingsystem_unix_test.go              |   247 +
 .../operatingsystem_windows.go                |    51 +
 engine/pkg/parsers/parsers.go                 |    69 +
 engine/pkg/parsers/parsers_test.go            |    70 +
 engine/pkg/pidfile/pidfile.go                 |    53 +
 engine/pkg/pidfile/pidfile_darwin.go          |    14 +
 engine/pkg/pidfile/pidfile_test.go            |    38 +
 engine/pkg/pidfile/pidfile_unix.go            |    16 +
 engine/pkg/pidfile/pidfile_windows.go         |    25 +
 engine/pkg/platform/architecture_linux.go     |    18 +
 engine/pkg/platform/architecture_unix.go      |    20 +
 engine/pkg/platform/architecture_windows.go   |    60 +
 engine/pkg/platform/platform.go               |    23 +
 engine/pkg/plugingetter/getter.go             |    52 +
 engine/pkg/plugins/client.go                  |   242 +
 engine/pkg/plugins/client_test.go             |   277 +
 engine/pkg/plugins/discovery.go               |   154 +
 engine/pkg/plugins/discovery_test.go          |   152 +
 engine/pkg/plugins/discovery_unix.go          |     5 +
 engine/pkg/plugins/discovery_unix_test.go     |   159 +
 engine/pkg/plugins/discovery_windows.go       |     8 +
 engine/pkg/plugins/errors.go                  |    33 +
 engine/pkg/plugins/plugin_test.go             |   154 +
 engine/pkg/plugins/pluginrpc-gen/README.md    |    58 +
 .../pkg/plugins/pluginrpc-gen/fixtures/foo.go |    83 +
 .../fixtures/otherfixture/spaceship.go        |     4 +
 engine/pkg/plugins/pluginrpc-gen/main.go      |    91 +
 engine/pkg/plugins/pluginrpc-gen/parser.go    |   263 +
 .../pkg/plugins/pluginrpc-gen/parser_test.go  |   222 +
 engine/pkg/plugins/pluginrpc-gen/template.go  |   118 +
 engine/pkg/plugins/plugins.go                 |   337 +
 engine/pkg/plugins/plugins_unix.go            |     9 +
 engine/pkg/plugins/plugins_windows.go         |     7 +
 engine/pkg/plugins/transport/http.go          |    36 +
 engine/pkg/plugins/transport/http_test.go     |    21 +
 engine/pkg/plugins/transport/transport.go     |    36 +
 engine/pkg/pools/pools.go                     |   137 +
 engine/pkg/pools/pools_test.go                |   163 +
 engine/pkg/progress/progress.go               |    89 +
 engine/pkg/progress/progressreader.go         |    66 +
 engine/pkg/progress/progressreader_test.go    |    75 +
 engine/pkg/pubsub/publisher.go                |   121 +
 engine/pkg/pubsub/publisher_test.go           |   142 +
 engine/pkg/reexec/README.md                   |     5 +
 engine/pkg/reexec/command_linux.go            |    28 +
 engine/pkg/reexec/command_unix.go             |    23 +
 engine/pkg/reexec/command_unsupported.go      |    16 +
 engine/pkg/reexec/command_windows.go          |    21 +
 engine/pkg/reexec/reexec.go                   |    47 +
 engine/pkg/reexec/reexec_test.go              |    52 +
 engine/pkg/signal/README.md                   |     1 +
 engine/pkg/signal/signal.go                   |    54 +
 engine/pkg/signal/signal_darwin.go            |    41 +
 engine/pkg/signal/signal_freebsd.go           |    43 +
 engine/pkg/signal/signal_linux.go             |    81 +
 engine/pkg/signal/signal_linux_test.go        |    59 +
 engine/pkg/signal/signal_test.go              |    34 +
 engine/pkg/signal/signal_unix.go              |    21 +
 engine/pkg/signal/signal_unsupported.go       |    10 +
 engine/pkg/signal/signal_windows.go           |    26 +
 engine/pkg/signal/testfiles/main.go           |    43 +
 engine/pkg/signal/trap.go                     |   104 +
 engine/pkg/signal/trap_linux_test.go          |    82 +
 engine/pkg/stdcopy/stdcopy.go                 |   190 +
 engine/pkg/stdcopy/stdcopy_test.go            |   289 +
 engine/pkg/streamformatter/streamformatter.go |   159 +
 .../streamformatter/streamformatter_test.go   |   112 +
 engine/pkg/streamformatter/streamwriter.go    |    47 +
 .../pkg/streamformatter/streamwriter_test.go  |    35 +
 engine/pkg/stringid/README.md                 |     1 +
 engine/pkg/stringid/stringid.go               |    99 +
 engine/pkg/stringid/stringid_test.go          |    72 +
 engine/pkg/symlink/LICENSE.APACHE             |   191 +
 engine/pkg/symlink/LICENSE.BSD                |    27 +
 engine/pkg/symlink/README.md                  |     6 +
 engine/pkg/symlink/fs.go                      |   144 +
 engine/pkg/symlink/fs_unix.go                 |    15 +
 engine/pkg/symlink/fs_unix_test.go            |   407 +
 engine/pkg/symlink/fs_windows.go              |   169 +
 engine/pkg/sysinfo/README.md                  |     1 +
 engine/pkg/sysinfo/numcpu.go                  |    12 +
 engine/pkg/sysinfo/numcpu_linux.go            |    42 +
 engine/pkg/sysinfo/numcpu_windows.go          |    35 +
 engine/pkg/sysinfo/sysinfo.go                 |   144 +
 engine/pkg/sysinfo/sysinfo_linux.go           |   254 +
 engine/pkg/sysinfo/sysinfo_linux_test.go      |   104 +
 engine/pkg/sysinfo/sysinfo_test.go            |    26 +
 engine/pkg/sysinfo/sysinfo_unix.go            |     9 +
 engine/pkg/sysinfo/sysinfo_windows.go         |     7 +
 engine/pkg/system/chtimes.go                  |    31 +
 engine/pkg/system/chtimes_test.go             |    94 +
 engine/pkg/system/chtimes_unix.go             |    14 +
 engine/pkg/system/chtimes_unix_test.go        |    91 +
 engine/pkg/system/chtimes_windows.go          |    26 +
 engine/pkg/system/chtimes_windows_test.go     |    86 +
 engine/pkg/system/errors.go                   |    13 +
 engine/pkg/system/exitcode.go                 |    19 +
 engine/pkg/system/filesys.go                  |    67 +
 engine/pkg/system/filesys_windows.go          |   296 +
 engine/pkg/system/init.go                     |    22 +
 engine/pkg/system/init_unix.go                |     7 +
 engine/pkg/system/init_windows.go             |    12 +
 engine/pkg/system/lcow.go                     |    32 +
 engine/pkg/system/lcow_unix.go                |     8 +
 engine/pkg/system/lcow_windows.go             |     6 +
 engine/pkg/system/lstat_unix.go               |    19 +
 engine/pkg/system/lstat_unix_test.go          |    30 +
 engine/pkg/system/lstat_windows.go            |    14 +
 engine/pkg/system/meminfo.go                  |    17 +
 engine/pkg/system/meminfo_linux.go            |    65 +
 engine/pkg/system/meminfo_unix_test.go        |    40 +
 engine/pkg/system/meminfo_unsupported.go      |     8 +
 engine/pkg/system/meminfo_windows.go          |    45 +
 engine/pkg/system/mknod.go                    |    22 +
 engine/pkg/system/mknod_windows.go            |    11 +
 engine/pkg/system/path.go                     |    60 +
 engine/pkg/system/path_windows_test.go        |    83 +
 engine/pkg/system/process_unix.go             |    24 +
 engine/pkg/system/process_windows.go          |    18 +
 engine/pkg/system/rm.go                       |    80 +
 engine/pkg/system/rm_test.go                  |    84 +
 engine/pkg/system/stat_darwin.go              |    13 +
 engine/pkg/system/stat_freebsd.go             |    13 +
 engine/pkg/system/stat_linux.go               |    19 +
 engine/pkg/system/stat_openbsd.go             |    13 +
 engine/pkg/system/stat_solaris.go             |    13 +
 engine/pkg/system/stat_unix.go                |    65 +
 engine/pkg/system/stat_unix_test.go           |    40 +
 engine/pkg/system/stat_windows.go             |    49 +
 engine/pkg/system/syscall_unix.go             |    17 +
 engine/pkg/system/syscall_windows.go          |   127 +
 engine/pkg/system/syscall_windows_test.go     |     9 +
 engine/pkg/system/umask.go                    |    13 +
 engine/pkg/system/umask_windows.go            |     7 +
 engine/pkg/system/utimes_freebsd.go           |    24 +
 engine/pkg/system/utimes_linux.go             |    25 +
 engine/pkg/system/utimes_unix_test.go         |    68 +
 engine/pkg/system/utimes_unsupported.go       |    10 +
 engine/pkg/system/xattrs_linux.go             |    29 +
 engine/pkg/system/xattrs_unsupported.go       |    13 +
 engine/pkg/tailfile/tailfile.go               |    66 +
 engine/pkg/tailfile/tailfile_test.go          |   148 +
 engine/pkg/tarsum/builder_context.go          |    21 +
 engine/pkg/tarsum/builder_context_test.go     |    67 +
 engine/pkg/tarsum/fileinfosums.go             |   133 +
 engine/pkg/tarsum/fileinfosums_test.go        |    62 +
 engine/pkg/tarsum/tarsum.go                   |   301 +
 engine/pkg/tarsum/tarsum_spec.md              |   230 +
 engine/pkg/tarsum/tarsum_test.go              |   657 +
 .../json                                      |     1 +
 .../layer.tar                                 |   Bin 0 -> 9216 bytes
 .../json                                      |     1 +
 .../layer.tar                                 |   Bin 0 -> 1536 bytes
 .../tarsum/testdata/collision/collision-0.tar |   Bin 0 -> 10240 bytes
 .../tarsum/testdata/collision/collision-1.tar |   Bin 0 -> 10240 bytes
 .../tarsum/testdata/collision/collision-2.tar |   Bin 0 -> 10240 bytes
 .../tarsum/testdata/collision/collision-3.tar |   Bin 0 -> 10240 bytes
 engine/pkg/tarsum/testdata/xattr/json         |     1 +
 engine/pkg/tarsum/testdata/xattr/layer.tar    |   Bin 0 -> 2560 bytes
 engine/pkg/tarsum/versioning.go               |   158 +
 engine/pkg/tarsum/versioning_test.go          |    98 +
 engine/pkg/tarsum/writercloser.go             |    22 +
 engine/pkg/term/ascii.go                      |    66 +
 engine/pkg/term/ascii_test.go                 |    25 +
 engine/pkg/term/proxy.go                      |    78 +
 engine/pkg/term/proxy_test.go                 |   115 +
 engine/pkg/term/tc.go                         |    20 +
 engine/pkg/term/term.go                       |   124 +
 engine/pkg/term/term_linux_test.go            |   117 +
 engine/pkg/term/term_windows.go               |   228 +
 engine/pkg/term/termios_bsd.go                |    42 +
 engine/pkg/term/termios_linux.go              |    39 +
 engine/pkg/term/windows/ansi_reader.go        |   263 +
 engine/pkg/term/windows/ansi_writer.go        |    64 +
 engine/pkg/term/windows/console.go            |    35 +
 engine/pkg/term/windows/windows.go            |    33 +
 engine/pkg/term/windows/windows_test.go       |     3 +
 engine/pkg/term/winsize.go                    |    20 +
 engine/pkg/truncindex/truncindex.go           |   139 +
 engine/pkg/truncindex/truncindex_test.go      |   453 +
 engine/pkg/urlutil/urlutil.go                 |    52 +
 engine/pkg/urlutil/urlutil_test.go            |    56 +
 engine/pkg/useragent/README.md                |     1 +
 engine/pkg/useragent/useragent.go             |    55 +
 engine/pkg/useragent/useragent_test.go        |    31 +
 engine/plugin/backend_linux.go                |   876 +
 engine/plugin/backend_linux_test.go           |    81 +
 engine/plugin/backend_unsupported.go          |    72 +
 engine/plugin/blobstore.go                    |   190 +
 engine/plugin/defs.go                         |    50 +
 engine/plugin/errors.go                       |    66 +
 engine/plugin/events.go                       |   111 +
 .../plugin/executor/containerd/containerd.go  |   175 +
 .../executor/containerd/containerd_test.go    |   148 +
 engine/plugin/manager.go                      |   384 +
 engine/plugin/manager_linux.go                |   335 +
 engine/plugin/manager_linux_test.go           |   279 +
 engine/plugin/manager_test.go                 |    55 +
 engine/plugin/manager_windows.go              |    28 +
 engine/plugin/store.go                        |   291 +
 engine/plugin/store_test.go                   |    64 +
 engine/plugin/v2/plugin.go                    |   311 +
 engine/plugin/v2/plugin_linux.go              |   141 +
 engine/plugin/v2/plugin_unsupported.go        |    14 +
 engine/plugin/v2/settable.go                  |   102 +
 engine/plugin/v2/settable_test.go             |    91 +
 engine/poule.yml                              |   129 +
 engine/profiles/apparmor/apparmor.go          |   114 +
 engine/profiles/apparmor/template.go          |    44 +
 engine/profiles/seccomp/default.json          |   751 +
 engine/profiles/seccomp/fixtures/example.json |    27 +
 engine/profiles/seccomp/generate.go           |    32 +
 engine/profiles/seccomp/seccomp.go            |   160 +
 engine/profiles/seccomp/seccomp_default.go    |   640 +
 engine/profiles/seccomp/seccomp_test.go       |    32 +
 .../profiles/seccomp/seccomp_unsupported.go   |    12 +
 engine/project/ARM.md                         |    45 +
 engine/project/BRANCHES-AND-TAGS.md           |    35 +
 engine/project/CONTRIBUTING.md                |     1 +
 engine/project/GOVERNANCE.md                  |   120 +
 engine/project/IRC-ADMINISTRATION.md          |    37 +
 engine/project/ISSUE-TRIAGE.md                |   132 +
 engine/project/PACKAGE-REPO-MAINTENANCE.md    |    74 +
 engine/project/PACKAGERS.md                   |   307 +
 engine/project/PATCH-RELEASES.md              |    68 +
 engine/project/PRINCIPLES.md                  |    19 +
 engine/project/README.md                      |    24 +
 engine/project/RELEASE-PROCESS.md             |    78 +
 engine/project/REVIEWING.md                   |   246 +
 engine/project/TOOLS.md                       |    63 +
 engine/reference/errors.go                    |    25 +
 engine/reference/store.go                     |   343 +
 engine/reference/store_test.go                |   350 +
 engine/registry/auth.go                       |   296 +
 engine/registry/auth_test.go                  |   120 +
 engine/registry/config.go                     |   442 +
 engine/registry/config_test.go                |   381 +
 engine/registry/config_unix.go                |    16 +
 engine/registry/config_windows.go             |    18 +
 engine/registry/endpoint_test.go              |    78 +
 engine/registry/endpoint_v1.go                |   198 +
 engine/registry/errors.go                     |    31 +
 engine/registry/registry.go                   |   191 +
 engine/registry/registry_mock_test.go         |   476 +
 engine/registry/registry_test.go              |   934 +
 .../resumable/resumablerequestreader.go       |    96 +
 .../resumable/resumablerequestreader_test.go  |   257 +
 engine/registry/service.go                    |   328 +
 engine/registry/service_v1.go                 |    40 +
 engine/registry/service_v1_test.go            |    32 +
 engine/registry/service_v2.go                 |    82 +
 engine/registry/session.go                    |   779 +
 engine/registry/types.go                      |    70 +
 engine/reports/2017-05-01.md                  |    35 +
 engine/reports/2017-05-08.md                  |    34 +
 engine/reports/2017-05-15.md                  |    52 +
 engine/reports/2017-06-05.md                  |    36 +
 engine/reports/2017-06-12.md                  |    78 +
 engine/reports/2017-06-26.md                  |   120 +
 engine/reports/builder/2017-05-01.md          |    47 +
 engine/reports/builder/2017-05-08.md          |    57 +
 engine/reports/builder/2017-05-15.md          |    64 +
 engine/reports/builder/2017-05-22.md          |    47 +
 engine/reports/builder/2017-05-29.md          |    52 +
 engine/reports/builder/2017-06-05.md          |    58 +
 engine/reports/builder/2017-06-12.md          |    58 +
 engine/reports/builder/2017-06-26.md          |    78 +
 engine/reports/builder/2017-07-10.md          |    65 +
 engine/reports/builder/2017-07-17.md          |    79 +
 engine/restartmanager/restartmanager.go       |   133 +
 engine/restartmanager/restartmanager_test.go  |    36 +
 engine/runconfig/config.go                    |    81 +
 engine/runconfig/config_test.go               |   190 +
 engine/runconfig/config_unix.go               |    59 +
 engine/runconfig/config_windows.go            |    19 +
 engine/runconfig/errors.go                    |    42 +
 .../fixtures/unix/container_config_1_14.json  |    30 +
 .../fixtures/unix/container_config_1_17.json  |    50 +
 .../fixtures/unix/container_config_1_19.json  |    58 +
 .../unix/container_hostconfig_1_14.json       |    18 +
 .../unix/container_hostconfig_1_19.json       |    30 +
 .../windows/container_config_1_19.json        |    58 +
 engine/runconfig/hostconfig.go                |    79 +
 engine/runconfig/hostconfig_test.go           |   273 +
 engine/runconfig/hostconfig_unix.go           |   110 +
 engine/runconfig/hostconfig_windows.go        |    96 +
 engine/runconfig/hostconfig_windows_test.go   |    17 +
 engine/runconfig/opts/parse.go                |    20 +
 engine/vendor.conf                            |   164 +
 .../github.com/Graylog2/go-gelf/LICENSE       |    21 +
 .../github.com/Graylog2/go-gelf/README.md     |   117 +
 .../Graylog2/go-gelf/gelf/message.go          |   147 +
 .../Graylog2/go-gelf/gelf/reader.go           |   140 +
 .../Graylog2/go-gelf/gelf/tcpreader.go        |   156 +
 .../Graylog2/go-gelf/gelf/tcpwriter.go        |   105 +
 .../Graylog2/go-gelf/gelf/udpwriter.go        |   231 +
 .../github.com/Graylog2/go-gelf/gelf/utils.go |    41 +
 .../Graylog2/go-gelf/gelf/writer.go           |    34 +
 engine/vendor/github.com/Nvveen/Gotty/LICENSE |    26 +
 engine/vendor/github.com/Nvveen/Gotty/README  |     5 +
 .../github.com/Nvveen/Gotty/attributes.go     |   514 +
 .../vendor/github.com/Nvveen/Gotty/gotty.go   |   244 +
 .../vendor/github.com/Nvveen/Gotty/parser.go  |   362 +
 .../vendor/github.com/Nvveen/Gotty/types.go   |    23 +
 .../github.com/containerd/continuity/LICENSE  |   202 +
 .../containerd/continuity/README.md           |    74 +
 .../containerd/continuity/devices/devices.go  |     5 +
 .../continuity/devices/devices_unix.go        |    58 +
 .../continuity/devices/devices_windows.go     |    11 +
 .../containerd/continuity/driver/driver.go    |   158 +
 .../continuity/driver/driver_unix.go          |   127 +
 .../continuity/driver/driver_windows.go       |    28 +
 .../containerd/continuity/driver/utils.go     |    74 +
 .../containerd/continuity/fs/copy.go          |   121 +
 .../containerd/continuity/fs/copy_linux.go    |   101 +
 .../containerd/continuity/fs/copy_unix.go     |    80 +
 .../containerd/continuity/fs/copy_windows.go  |    33 +
 .../containerd/continuity/fs/diff.go          |   310 +
 .../containerd/continuity/fs/diff_unix.go     |    58 +
 .../containerd/continuity/fs/diff_windows.go  |    32 +
 .../containerd/continuity/fs/dtype_linux.go   |    87 +
 .../github.com/containerd/continuity/fs/du.go |    22 +
 .../containerd/continuity/fs/du_unix.go       |    88 +
 .../containerd/continuity/fs/du_windows.go    |    60 +
 .../containerd/continuity/fs/hardlink.go      |    27 +
 .../containerd/continuity/fs/hardlink_unix.go |    18 +
 .../continuity/fs/hardlink_windows.go         |     7 +
 .../containerd/continuity/fs/path.go          |   276 +
 .../containerd/continuity/fs/stat_bsd.go      |    28 +
 .../containerd/continuity/fs/stat_linux.go    |    27 +
 .../containerd/continuity/fs/time.go          |    13 +
 .../continuity/pathdriver/path_driver.go      |    85 +
 .../continuity/syscallx/syscall_unix.go       |    10 +
 .../continuity/syscallx/syscall_windows.go    |    96 +
 .../containerd/continuity/sysx/asm.s          |    10 +
 .../continuity/sysx/chmod_darwin.go           |    18 +
 .../continuity/sysx/chmod_darwin_386.go       |    25 +
 .../continuity/sysx/chmod_darwin_amd64.go     |    25 +
 .../continuity/sysx/chmod_freebsd.go          |    17 +
 .../continuity/sysx/chmod_freebsd_amd64.go    |    25 +
 .../containerd/continuity/sysx/chmod_linux.go |    12 +
 .../continuity/sysx/chmod_solaris.go          |    11 +
 .../containerd/continuity/sysx/file_posix.go  |   112 +
 .../continuity/sysx/nodata_linux.go           |     7 +
 .../continuity/sysx/nodata_solaris.go         |     8 +
 .../containerd/continuity/sysx/nodata_unix.go |     9 +
 .../containerd/continuity/sysx/sys.go         |    37 +
 .../containerd/continuity/sysx/xattr.go       |    67 +
 .../continuity/sysx/xattr_darwin.go           |    71 +
 .../continuity/sysx/xattr_darwin_386.go       |   111 +
 .../continuity/sysx/xattr_darwin_amd64.go     |   111 +
 .../continuity/sysx/xattr_freebsd.go          |    12 +
 .../containerd/continuity/sysx/xattr_linux.go |    44 +
 .../continuity/sysx/xattr_openbsd.go          |     7 +
 .../continuity/sysx/xattr_solaris.go          |    12 +
 .../continuity/sysx/xattr_unsupported.go      |    44 +
 .../containerd/continuity/vendor.conf         |    13 +
 .../github.com/containerd/go-runc/LICENSE     |   201 +
 .../github.com/containerd/go-runc/README.md   |    14 +
 .../containerd/go-runc/command_linux.go       |    39 +
 .../containerd/go-runc/command_other.go       |    32 +
 .../github.com/containerd/go-runc/console.go  |   157 +
 .../containerd/go-runc/container.go           |    30 +
 .../github.com/containerd/go-runc/events.go   |   100 +
 .../github.com/containerd/go-runc/io.go       |   229 +
 .../github.com/containerd/go-runc/monitor.go  |    76 +
 .../github.com/containerd/go-runc/runc.go     |   703 +
 .../github.com/containerd/go-runc/utils.go    |   107 +
 .../github.com/containerd/ttrpc/LICENSE       |   201 +
 .../github.com/containerd/ttrpc/README.md     |    52 +
 .../github.com/containerd/ttrpc/channel.go    |   154 +
 .../github.com/containerd/ttrpc/client.go     |   280 +
 .../github.com/containerd/ttrpc/codec.go      |    42 +
 .../github.com/containerd/ttrpc/config.go     |    39 +
 .../github.com/containerd/ttrpc/handshake.go  |    50 +
 .../github.com/containerd/ttrpc/server.go     |   456 +
 .../github.com/containerd/ttrpc/services.go   |   150 +
 .../github.com/containerd/ttrpc/types.go      |    42 +
 .../containerd/ttrpc/unixcreds_linux.go       |   108 +
 .../github.com/fernet/fernet-go/License       |    20 +
 .../vendor/github.com/fernet/fernet-go/Readme |    22 +
 .../github.com/fernet/fernet-go/fernet.go     |   168 +
 .../vendor/github.com/fernet/fernet-go/key.go |    91 +
 engine/vendor/github.com/golang/gddo/LICENSE  |    27 +
 .../github.com/golang/gddo/README.markdown    |    44 +
 .../github.com/golang/gddo/httputil/buster.go |    95 +
 .../golang/gddo/httputil/header/header.go     |   298 +
 .../golang/gddo/httputil/httputil.go          |    25 +
 .../golang/gddo/httputil/negotiate.go         |    79 +
 .../golang/gddo/httputil/respbuf.go           |    58 +
 .../github.com/golang/gddo/httputil/static.go |   265 +
 .../golang/gddo/httputil/transport.go         |    87 +
 .../grpc-ecosystem/grpc-opentracing/LICENSE   |    27 +
 .../grpc-ecosystem/grpc-opentracing/PATENTS   |    23 +
 .../grpc-opentracing/README.rst               |    25 +
 .../grpc-opentracing/go/otgrpc/README.md      |    57 +
 .../grpc-opentracing/go/otgrpc/client.go      |   239 +
 .../grpc-opentracing/go/otgrpc/errors.go      |    69 +
 .../grpc-opentracing/go/otgrpc/options.go     |    76 +
 .../grpc-opentracing/go/otgrpc/package.go     |     5 +
 .../grpc-opentracing/go/otgrpc/server.go      |   141 +
 .../grpc-opentracing/go/otgrpc/shared.go      |    42 +
 .../grpc-opentracing/python/README.md         |     4 +
 .../python/examples/protos/command_line.proto |    15 +
 .../python/examples/protos/store.proto        |    37 +
 .../hashicorp/go-immutable-radix/LICENSE      |   363 +
 .../hashicorp/go-immutable-radix/README.md    |    41 +
 .../hashicorp/go-immutable-radix/edges.go     |    21 +
 .../hashicorp/go-immutable-radix/iradix.go    |   657 +
 .../hashicorp/go-immutable-radix/iter.go      |    91 +
 .../hashicorp/go-immutable-radix/node.go      |   352 +
 .../hashicorp/go-immutable-radix/raw_iter.go  |    78 +
 .../github.com/ishidawataru/sctp/LICENSE      |   201 +
 .../github.com/ishidawataru/sctp/README.md    |    18 +
 .../github.com/ishidawataru/sctp/sctp.go      |   656 +
 .../ishidawataru/sctp/sctp_linux.go           |   227 +
 .../ishidawataru/sctp/sctp_unsupported.go     |    47 +
 .../vendor/github.com/moby/buildkit/LICENSE   |   201 +
 .../vendor/github.com/moby/buildkit/README.md |   274 +
 .../api/services/control/control.pb.go        |  4589 ++
 .../api/services/control/control.proto        |   121 +
 .../buildkit/api/services/control/generate.go |     3 +
 .../moby/buildkit/api/types/generate.go       |     3 +
 .../moby/buildkit/api/types/worker.pb.go      |   523 +
 .../moby/buildkit/api/types/worker.proto      |    16 +
 .../buildkit/cache/contenthash/checksum.go    |   634 +
 .../buildkit/cache/contenthash/checksum.pb.go |   755 +
 .../buildkit/cache/contenthash/checksum.proto |    30 +
 .../buildkit/cache/contenthash/filehash.go    |    98 +
 .../cache/contenthash/filehash_unix.go        |    47 +
 .../cache/contenthash/filehash_windows.go     |    23 +
 .../buildkit/cache/contenthash/generate.go    |     3 +
 .../moby/buildkit/cache/contenthash/tarsum.go |    60 +
 .../github.com/moby/buildkit/cache/fsutil.go  |    71 +
 .../github.com/moby/buildkit/cache/gc.go      |    27 +
 .../github.com/moby/buildkit/cache/manager.go |   573 +
 .../moby/buildkit/cache/metadata.go           |   206 +
 .../moby/buildkit/cache/metadata/metadata.go  |   382 +
 .../github.com/moby/buildkit/cache/refs.go    |   387 +
 .../moby/buildkit/cache/remotecache/export.go |   128 +
 .../moby/buildkit/cache/remotecache/import.go |    98 +
 .../cache/remotecache/registry/registry.go    |    73 +
 .../cache/remotecache/v1/cachestorage.go      |   247 +
 .../buildkit/cache/remotecache/v1/chains.go   |   127 +
 .../moby/buildkit/cache/remotecache/v1/doc.go |    50 +
 .../buildkit/cache/remotecache/v1/parse.go    |   102 +
 .../buildkit/cache/remotecache/v1/spec.go     |    35 +
 .../buildkit/cache/remotecache/v1/utils.go    |   306 +
 .../github.com/moby/buildkit/client/client.go |   132 +
 .../moby/buildkit/client/client_unix.go       |    19 +
 .../moby/buildkit/client/client_windows.go    |    24 +
 .../moby/buildkit/client/diskusage.go         |    73 +
 .../moby/buildkit/client/exporters.go         |     8 +
 .../github.com/moby/buildkit/client/graph.go  |    45 +
 .../moby/buildkit/client/llb/exec.go          |   409 +
 .../client/llb/imagemetaresolver/resolver.go  |    92 +
 .../moby/buildkit/client/llb/marshal.go       |   112 +
 .../moby/buildkit/client/llb/meta.go          |   170 +
 .../moby/buildkit/client/llb/resolver.go      |    18 +
 .../moby/buildkit/client/llb/source.go        |   363 +
 .../moby/buildkit/client/llb/state.go         |   396 +
 .../github.com/moby/buildkit/client/prune.go  |    50 +
 .../github.com/moby/buildkit/client/solve.go  |   251 +
 .../moby/buildkit/client/workers.go           |    53 +
 .../moby/buildkit/control/control.go          |   304 +
 .../moby/buildkit/executor/executor.go        |    30 +
 .../moby/buildkit/executor/oci/hosts.go       |    38 +
 .../moby/buildkit/executor/oci/mounts.go      |    68 +
 .../moby/buildkit/executor/oci/resolvconf.go  |    81 +
 .../moby/buildkit/executor/oci/spec_unix.go   |   163 +
 .../moby/buildkit/executor/oci/user.go        |   107 +
 .../executor/runcexecutor/executor.go         |   247 +
 .../moby/buildkit/exporter/exporter.go        |    16 +
 .../frontend/dockerfile/builder/build.go      |   310 +
 .../frontend/dockerfile/command/command.go    |    46 +
 .../dockerfile/dockerfile2llb/convert.go      |  1030 +
 .../dockerfile2llb/convert_norunmount.go      |    16 +
 .../dockerfile2llb/convert_runmount.go        |    85 +
 .../dockerfile2llb/defaultshell_unix.go       |     7 +
 .../dockerfile2llb/defaultshell_windows.go    |     7 +
 .../dockerfile/dockerfile2llb/directives.go   |    38 +
 .../dockerfile/dockerfile2llb/image.go        |    74 +
 .../frontend/dockerfile/instructions/bflag.go |   200 +
 .../dockerfile/instructions/commands.go       |   446 +
 .../instructions/commands_runmount.go         |   181 +
 .../dockerfile/instructions/errors_unix.go    |     9 +
 .../dockerfile/instructions/errors_windows.go |    27 +
 .../frontend/dockerfile/instructions/parse.go |   649 +
 .../dockerfile/instructions/support.go        |    19 +
 .../dockerfile/parser/line_parsers.go         |   368 +
 .../frontend/dockerfile/parser/parser.go      |   327 +
 .../dockerfile/parser/split_command.go        |   118 +
 .../dockerfile/shell/equal_env_unix.go        |    10 +
 .../dockerfile/shell/equal_env_windows.go     |    10 +
 .../buildkit/frontend/dockerfile/shell/lex.go |   373 +
 .../moby/buildkit/frontend/frontend.go        |    29 +
 .../frontend/gateway/client/client.go         |    52 +
 .../frontend/gateway/client/result.go         |    54 +
 .../frontend/gateway/forwarder/forward.go     |   149 +
 .../frontend/gateway/forwarder/frontend.go    |    38 +
 .../moby/buildkit/frontend/gateway/gateway.go |   513 +
 .../moby/buildkit/frontend/gateway/pb/caps.go |    64 +
 .../frontend/gateway/pb/gateway.pb.go         |  3360 ++
 .../frontend/gateway/pb/gateway.proto         |    99 +
 .../buildkit/frontend/gateway/pb/generate.go  |     3 +
 .../moby/buildkit/frontend/result.go          |    23 +
 .../moby/buildkit/identity/randomid.go        |    53 +
 .../moby/buildkit/session/auth/auth.go        |    26 +
 .../moby/buildkit/session/auth/auth.pb.go     |   673 +
 .../moby/buildkit/session/auth/auth.proto     |    19 +
 .../moby/buildkit/session/auth/generate.go    |     3 +
 .../moby/buildkit/session/context.go          |    22 +
 .../buildkit/session/filesync/diffcopy.go     |   114 +
 .../buildkit/session/filesync/filesync.go     |   289 +
 .../buildkit/session/filesync/filesync.pb.go  |   644 +
 .../buildkit/session/filesync/filesync.proto  |    20 +
 .../buildkit/session/filesync/generate.go     |     3 +
 .../github.com/moby/buildkit/session/grpc.go  |    81 +
 .../moby/buildkit/session/grpchijack/dial.go  |   156 +
 .../buildkit/session/grpchijack/hijack.go     |    14 +
 .../moby/buildkit/session/manager.go          |   218 +
 .../moby/buildkit/session/session.go          |   143 +
 .../snapshot/blobmapping/snapshotter.go       |   129 +
 .../moby/buildkit/snapshot/localmounter.go    |    72 +
 .../buildkit/snapshot/localmounter_unix.go    |    29 +
 .../buildkit/snapshot/localmounter_windows.go |    26 +
 .../moby/buildkit/snapshot/snapshotter.go     |   137 +
 .../solver/boltdbcachestorage/storage.go      |   449 +
 .../moby/buildkit/solver/cachekey.go          |    66 +
 .../moby/buildkit/solver/cachemanager.go      |   270 +
 .../moby/buildkit/solver/cachestorage.go      |    51 +
 .../moby/buildkit/solver/combinedcache.go     |   124 +
 .../github.com/moby/buildkit/solver/edge.go   |   866 +
 .../moby/buildkit/solver/exporter.go          |   208 +
 .../github.com/moby/buildkit/solver/index.go  |   243 +
 .../buildkit/solver/internal/pipe/pipe.go     |   197 +
 .../github.com/moby/buildkit/solver/jobs.go   |   774 +
 .../moby/buildkit/solver/llbsolver/bridge.go  |   191 +
 .../buildkit/solver/llbsolver/ops/build.go    |   132 +
 .../buildkit/solver/llbsolver/ops/exec.go     |   535 +
 .../buildkit/solver/llbsolver/ops/source.go   |    78 +
 .../moby/buildkit/solver/llbsolver/result.go  |   152 +
 .../moby/buildkit/solver/llbsolver/solver.go  |   177 +
 .../moby/buildkit/solver/llbsolver/vertex.go  |   185 +
 .../buildkit/solver/memorycachestorage.go     |   307 +
 .../moby/buildkit/solver/pb/attr.go           |    17 +
 .../moby/buildkit/solver/pb/const.go          |    12 +
 .../moby/buildkit/solver/pb/generate.go       |     3 +
 .../moby/buildkit/solver/pb/ops.pb.go         |  4960 ++
 .../moby/buildkit/solver/pb/ops.proto         |   165 +
 .../moby/buildkit/solver/pb/platform.go       |    41 +
 .../moby/buildkit/solver/progress.go          |   109 +
 .../github.com/moby/buildkit/solver/result.go |   105 +
 .../moby/buildkit/solver/scheduler.go         |   396 +
 .../github.com/moby/buildkit/solver/types.go  |   168 +
 .../moby/buildkit/source/git/gitsource.go     |   406 +
 .../buildkit/source/git/gitsource_unix.go     |    27 +
 .../buildkit/source/git/gitsource_windows.go  |    23 +
 .../moby/buildkit/source/gitidentifier.go     |    70 +
 .../moby/buildkit/source/http/httpsource.go   |   429 +
 .../moby/buildkit/source/identifier.go        |   205 +
 .../moby/buildkit/source/local/local.go       |   249 +
 .../moby/buildkit/source/manager.go           |    48 +
 .../moby/buildkit/util/apicaps/caps.go        |   161 +
 .../moby/buildkit/util/apicaps/pb/caps.pb.go  |   535 +
 .../moby/buildkit/util/apicaps/pb/caps.proto  |    19 +
 .../moby/buildkit/util/apicaps/pb/generate.go |     3 +
 .../util/appdefaults/appdefaults_unix.go      |    55 +
 .../util/appdefaults/appdefaults_windows.go   |    18 +
 .../moby/buildkit/util/cond/cond.go           |    40 +
 .../moby/buildkit/util/contentutil/buffer.go  |   156 +
 .../moby/buildkit/util/contentutil/copy.go    |    43 +
 .../moby/buildkit/util/contentutil/fetcher.go |    70 +
 .../util/contentutil/multiprovider.go         |    44 +
 .../moby/buildkit/util/contentutil/pusher.go  |    58 +
 .../util/flightcontrol/flightcontrol.go       |   324 +
 .../moby/buildkit/util/imageutil/config.go    |   159 +
 .../moby/buildkit/util/progress/logs/logs.go  |    53 +
 .../buildkit/util/progress/multireader.go     |    77 +
 .../buildkit/util/progress/multiwriter.go     |   105 +
 .../moby/buildkit/util/progress/progress.go   |   252 +
 .../util/rootless/specconv/specconv_linux.go  |   113 +
 .../moby/buildkit/util/system/path_unix.go    |    14 +
 .../moby/buildkit/util/system/path_windows.go |    37 +
 .../buildkit/util/system/seccomp_linux.go     |    29 +
 .../buildkit/util/system/seccomp_nolinux.go   |     7 +
 .../buildkit/util/system/seccomp_noseccomp.go |     7 +
 .../moby/buildkit/util/tracing/tracing.go     |   109 +
 .../github.com/moby/buildkit/vendor.conf      |    69 +
 .../github.com/moby/buildkit/worker/filter.go |    33 +
 .../github.com/moby/buildkit/worker/result.go |    40 +
 .../github.com/moby/buildkit/worker/worker.go |    41 +
 .../moby/buildkit/worker/workercontroller.go  |    77 +
 .../github.com/tonistiigi/fsutil/LICENSE      |    22 +
 .../tonistiigi/fsutil/chtimes_linux.go        |    20 +
 .../tonistiigi/fsutil/chtimes_nolinux.go      |    20 +
 .../github.com/tonistiigi/fsutil/diff.go      |    43 +
 .../tonistiigi/fsutil/diff_containerd.go      |   199 +
 .../fsutil/diff_containerd_linux.go           |    37 +
 .../tonistiigi/fsutil/diskwriter.go           |   340 +
 .../tonistiigi/fsutil/diskwriter_unix.go      |    51 +
 .../tonistiigi/fsutil/diskwriter_windows.go   |    17 +
 .../tonistiigi/fsutil/followlinks.go          |   150 +
 .../github.com/tonistiigi/fsutil/generate.go  |     3 +
 .../github.com/tonistiigi/fsutil/hardlinks.go |    46 +
 .../github.com/tonistiigi/fsutil/readme.md    |    45 +
 .../github.com/tonistiigi/fsutil/receive.go   |   269 +
 .../github.com/tonistiigi/fsutil/send.go      |   208 +
 .../github.com/tonistiigi/fsutil/stat.pb.go   |   931 +
 .../github.com/tonistiigi/fsutil/stat.proto   |    17 +
 .../github.com/tonistiigi/fsutil/validator.go |    92 +
 .../github.com/tonistiigi/fsutil/walker.go    |   246 +
 .../tonistiigi/fsutil/walker_unix.go          |    61 +
 .../tonistiigi/fsutil/walker_windows.go       |    14 +
 .../github.com/tonistiigi/fsutil/wire.pb.go   |   567 +
 .../github.com/tonistiigi/fsutil/wire.proto   |    19 +
 engine/volume/drivers/adapter.go              |   176 +
 engine/volume/drivers/extpoint.go             |   235 +
 engine/volume/drivers/extpoint_test.go        |    24 +
 engine/volume/drivers/proxy.go                |   255 +
 engine/volume/drivers/proxy_test.go           |   132 +
 engine/volume/local/local.go                  |   378 +
 engine/volume/local/local_test.go             |   335 +
 engine/volume/local/local_unix.go             |    99 +
 engine/volume/local/local_windows.go          |    46 +
 engine/volume/mounts/lcow_parser.go           |    34 +
 engine/volume/mounts/linux_parser.go          |   417 +
 engine/volume/mounts/mounts.go                |   181 +
 engine/volume/mounts/parser.go                |    47 +
 engine/volume/mounts/parser_test.go           |   480 +
 engine/volume/mounts/validate.go              |    28 +
 engine/volume/mounts/validate_test.go         |    73 +
 engine/volume/mounts/validate_unix_test.go    |     8 +
 engine/volume/mounts/validate_windows_test.go |     6 +
 engine/volume/mounts/volume_copy.go           |    23 +
 engine/volume/mounts/volume_unix.go           |    18 +
 engine/volume/mounts/volume_windows.go        |     8 +
 engine/volume/mounts/windows_parser.go        |   456 +
 engine/volume/service/by.go                   |    89 +
 engine/volume/service/convert.go              |   132 +
 engine/volume/service/db.go                   |    95 +
 engine/volume/service/db_test.go              |    52 +
 engine/volume/service/default_driver.go       |    21 +
 engine/volume/service/default_driver_stubs.go |    10 +
 engine/volume/service/errors.go               |   111 +
 engine/volume/service/opts/opts.go            |    89 +
 engine/volume/service/restore.go              |    85 +
 engine/volume/service/restore_test.go         |    58 +
 engine/volume/service/service.go              |   243 +
 engine/volume/service/service_linux_test.go   |    66 +
 engine/volume/service/service_test.go         |   253 +
 engine/volume/service/store.go                |   858 +
 engine/volume/service/store_test.go           |   421 +
 engine/volume/service/store_unix.go           |     9 +
 engine/volume/service/store_windows.go        |    12 +
 engine/volume/testutils/testutils.go          |   230 +
 engine/volume/volume.go                       |    69 +
 4032 files changed, 731565 insertions(+)
 create mode 100644 CHANGELOG.md
 create mode 100644 CONTRIBUTING.md
 create mode 100644 Makefile
 create mode 100644 README.md
 create mode 100644 VERSION
 create mode 100644 cli/.dockerignore
 create mode 100644 cli/.mailmap
 create mode 100644 cli/AUTHORS
 create mode 100644 cli/CONTRIBUTING.md
 create mode 100644 cli/Jenkinsfile
 create mode 100644 cli/LICENSE
 create mode 100644 cli/MAINTAINERS
 create mode 100644 cli/Makefile
 create mode 100644 cli/NOTICE
 create mode 100644 cli/README.md
 create mode 100644 cli/TESTING.md
 create mode 100644 cli/VERSION
 create mode 100644 cli/appveyor.yml
 create mode 100644 cli/circle.yml
 create mode 100644 cli/cli/cobra.go
 create mode 100644 cli/cli/command/bundlefile/bundlefile.go
 create mode 100644 cli/cli/command/bundlefile/bundlefile_test.go
 create mode 100644 cli/cli/command/checkpoint/client_test.go
 create mode 100644 cli/cli/command/checkpoint/cmd.go
 create mode 100644 cli/cli/command/checkpoint/create.go
 create mode 100644 cli/cli/command/checkpoint/create_test.go
 create mode 100644 cli/cli/command/checkpoint/list.go
 create mode 100644 cli/cli/command/checkpoint/list_test.go
 create mode 100644 cli/cli/command/checkpoint/remove.go
 create mode 100644 cli/cli/command/checkpoint/remove_test.go
 create mode 100644 cli/cli/command/checkpoint/testdata/checkpoint-list-with-options.golden
 create mode 100644 cli/cli/command/cli.go
 create mode 100644 cli/cli/command/cli_test.go
 create mode 100644 cli/cli/command/commands/commands.go
 create mode 100644 cli/cli/command/config/client_test.go
 create mode 100644 cli/cli/command/config/cmd.go
 create mode 100644 cli/cli/command/config/create.go
 create mode 100644 cli/cli/command/config/create_test.go
 create mode 100644 cli/cli/command/config/inspect.go
 create mode 100644 cli/cli/command/config/inspect_test.go
 create mode 100644 cli/cli/command/config/ls.go
 create mode 100644 cli/cli/command/config/ls_test.go
 create mode 100644 cli/cli/command/config/remove.go
 create mode 100644 cli/cli/command/config/remove_test.go
 create mode 100644 cli/cli/command/config/testdata/config-create-with-name.golden
 create mode 100644 cli/cli/command/config/testdata/config-inspect-pretty.simple.golden
 create mode 100644 cli/cli/command/config/testdata/config-inspect-with-format.json-template.golden
 create mode 100644 cli/cli/command/config/testdata/config-inspect-with-format.simple-template.golden
 create mode 100644 cli/cli/command/config/testdata/config-inspect-without-format.multiple-configs-with-labels.golden
 create mode 100644 cli/cli/command/config/testdata/config-inspect-without-format.single-config.golden
 create mode 100644 cli/cli/command/config/testdata/config-list-sort.golden
 create mode 100644 cli/cli/command/config/testdata/config-list-with-config-format.golden
 create mode 100644 cli/cli/command/config/testdata/config-list-with-filter.golden
 create mode 100644 cli/cli/command/config/testdata/config-list-with-format.golden
 create mode 100644 cli/cli/command/config/testdata/config-list-with-quiet-option.golden
 create mode 100644 cli/cli/command/container/attach.go
 create mode 100644 cli/cli/command/container/attach_test.go
 create mode 100644 cli/cli/command/container/client_test.go
 create mode 100644 cli/cli/command/container/cmd.go
 create mode 100644 cli/cli/command/container/commit.go
 create mode 100644 cli/cli/command/container/cp.go
 create mode 100644 cli/cli/command/container/cp_test.go
 create mode 100644 cli/cli/command/container/create.go
 create mode 100644 cli/cli/command/container/create_test.go
 create mode 100644 cli/cli/command/container/diff.go
 create mode 100644 cli/cli/command/container/exec.go
 create mode 100644 cli/cli/command/container/exec_test.go
 create mode 100644 cli/cli/command/container/export.go
 create mode 100644 cli/cli/command/container/hijack.go
 create mode 100644 cli/cli/command/container/inspect.go
 create mode 100644 cli/cli/command/container/kill.go
 create mode 100644 cli/cli/command/container/list.go
 create mode 100644 cli/cli/command/container/list_test.go
 create mode 100644 cli/cli/command/container/logs.go
 create mode 100644 cli/cli/command/container/logs_test.go
 create mode 100644 cli/cli/command/container/opts.go
 create mode 100644 cli/cli/command/container/opts_test.go
 create mode 100644 cli/cli/command/container/pause.go
 create mode 100644 cli/cli/command/container/port.go
 create mode 100644 cli/cli/command/container/prune.go
 create mode 100644 cli/cli/command/container/ps_test.go
 create mode 100644 cli/cli/command/container/rename.go
 create mode 100644 cli/cli/command/container/restart.go
 create mode 100644 cli/cli/command/container/rm.go
 create mode 100644 cli/cli/command/container/run.go
 create mode 100644 cli/cli/command/container/run_test.go
 create mode 100644 cli/cli/command/container/start.go
 create mode 100644 cli/cli/command/container/stats.go
 create mode 100644 cli/cli/command/container/stats_helpers.go
 create mode 100644 cli/cli/command/container/stats_helpers_test.go
 create mode 100644 cli/cli/command/container/stats_unit_test.go
 create mode 100644 cli/cli/command/container/stop.go
 create mode 100644 cli/cli/command/container/testdata/container-list-format-name-name.golden
 create mode 100644 cli/cli/command/container/testdata/container-list-format-with-arg.golden
 create mode 100644 cli/cli/command/container/testdata/container-list-with-config-format.golden
 create mode 100644 cli/cli/command/container/testdata/container-list-with-format.golden
 create mode 100644 cli/cli/command/container/testdata/container-list-without-format-no-trunc.golden
 create mode 100644 cli/cli/command/container/testdata/container-list-without-format.golden
 create mode 100755 cli/cli/command/container/testdata/utf16.env
 create mode 100755 cli/cli/command/container/testdata/utf16be.env
 create mode 100755 cli/cli/command/container/testdata/utf8.env
 create mode 100644 cli/cli/command/container/testdata/valid.env
 create mode 100644 cli/cli/command/container/testdata/valid.label
 create mode 100644 cli/cli/command/container/top.go
 create mode 100644 cli/cli/command/container/tty.go
 create mode 100644 cli/cli/command/container/unpause.go
 create mode 100644 cli/cli/command/container/update.go
 create mode 100644 cli/cli/command/container/utils.go
 create mode 100644 cli/cli/command/container/utils_test.go
 create mode 100644 cli/cli/command/container/wait.go
 create mode 100644 cli/cli/command/events_utils.go
 create mode 100644 cli/cli/command/formatter/checkpoint.go
 create mode 100644 cli/cli/command/formatter/checkpoint_test.go
 create mode 100644 cli/cli/command/formatter/config.go
 create mode 100644 cli/cli/command/formatter/config_test.go
 create mode 100644 cli/cli/command/formatter/container.go
 create mode 100644 cli/cli/command/formatter/container_test.go
 create mode 100644 cli/cli/command/formatter/custom.go
 create mode 100644 cli/cli/command/formatter/custom_test.go
 create mode 100644 cli/cli/command/formatter/diff.go
 create mode 100644 cli/cli/command/formatter/diff_test.go
 create mode 100644 cli/cli/command/formatter/disk_usage.go
 create mode 100644 cli/cli/command/formatter/disk_usage_test.go
 create mode 100644 cli/cli/command/formatter/displayutils.go
 create mode 100644 cli/cli/command/formatter/displayutils_test.go
 create mode 100644 cli/cli/command/formatter/formatter.go
 create mode 100644 cli/cli/command/formatter/history.go
 create mode 100644 cli/cli/command/formatter/history_test.go
 create mode 100644 cli/cli/command/formatter/image.go
 create mode 100644 cli/cli/command/formatter/image_test.go
 create mode 100644 cli/cli/command/formatter/network.go
 create mode 100644 cli/cli/command/formatter/network_test.go
 create mode 100644 cli/cli/command/formatter/node.go
 create mode 100644 cli/cli/command/formatter/node_test.go
 create mode 100644 cli/cli/command/formatter/plugin.go
 create mode 100644 cli/cli/command/formatter/plugin_test.go
 create mode 100644 cli/cli/command/formatter/reflect.go
 create mode 100644 cli/cli/command/formatter/reflect_test.go
 create mode 100644 cli/cli/command/formatter/search.go
 create mode 100644 cli/cli/command/formatter/search_test.go
 create mode 100644 cli/cli/command/formatter/secret.go
 create mode 100644 cli/cli/command/formatter/secret_test.go
 create mode 100644 cli/cli/command/formatter/service.go
 create mode 100644 cli/cli/command/formatter/service_test.go
 create mode 100644 cli/cli/command/formatter/stack.go
 create mode 100644 cli/cli/command/formatter/stack_test.go
 create mode 100644 cli/cli/command/formatter/stats.go
 create mode 100644 cli/cli/command/formatter/stats_test.go
 create mode 100644 cli/cli/command/formatter/task.go
 create mode 100644 cli/cli/command/formatter/task_test.go
 create mode 100644 cli/cli/command/formatter/testdata/container-context-write-special-headers.golden
 create mode 100644 cli/cli/command/formatter/testdata/disk-usage-context-write-custom.golden
 create mode 100644 cli/cli/command/formatter/testdata/disk-usage-raw-format.golden
 create mode 100644 cli/cli/command/formatter/testdata/search-context-write-stars-table.golden
 create mode 100644 cli/cli/command/formatter/testdata/search-context-write-table.golden
 create mode 100644 cli/cli/command/formatter/testdata/service-context-write-raw.golden
 create mode 100644 cli/cli/command/formatter/testdata/task-context-write-table-custom.golden
 create mode 100644 cli/cli/command/formatter/trust.go
 create mode 100644 cli/cli/command/formatter/trust_test.go
 create mode 100644 cli/cli/command/formatter/volume.go
 create mode 100644 cli/cli/command/formatter/volume_test.go
 create mode 100644 cli/cli/command/idresolver/client_test.go
 create mode 100644 cli/cli/command/idresolver/idresolver.go
 create mode 100644 cli/cli/command/idresolver/idresolver_test.go
 create mode 100644 cli/cli/command/image/build.go
 create mode 100644 cli/cli/command/image/build/context.go
 create mode 100644 cli/cli/command/image/build/context_test.go
 create mode 100644 cli/cli/command/image/build/context_unix.go
 create mode 100644 cli/cli/command/image/build/context_windows.go
 create mode 100644 cli/cli/command/image/build/dockerignore.go
 create mode 100644 cli/cli/command/image/build_buildkit.go
 create mode 100644 cli/cli/command/image/build_session.go
 create mode 100644 cli/cli/command/image/build_test.go
 create mode 100644 cli/cli/command/image/client_test.go
 create mode 100644 cli/cli/command/image/cmd.go
 create mode 100644 cli/cli/command/image/history.go
 create mode 100644 cli/cli/command/image/history_test.go
 create mode 100644 cli/cli/command/image/import.go
 create mode 100644 cli/cli/command/image/import_test.go
 create mode 100644 cli/cli/command/image/inspect.go
 create mode 100644 cli/cli/command/image/inspect_test.go
 create mode 100644 cli/cli/command/image/list.go
 create mode 100644 cli/cli/command/image/list_test.go
 create mode 100644 cli/cli/command/image/load.go
 create mode 100644 cli/cli/command/image/load_test.go
 create mode 100644 cli/cli/command/image/prune.go
 create mode 100644 cli/cli/command/image/prune_test.go
 create mode 100644 cli/cli/command/image/pull.go
 create mode 100644 cli/cli/command/image/pull_test.go
 create mode 100644 cli/cli/command/image/push.go
 create mode 100644 cli/cli/command/image/push_test.go
 create mode 100644 cli/cli/command/image/remove.go
 create mode 100644 cli/cli/command/image/remove_test.go
 create mode 100644 cli/cli/command/image/save.go
 create mode 100644 cli/cli/command/image/save_test.go
 create mode 100644 cli/cli/command/image/tag.go
 create mode 100644 cli/cli/command/image/tag_test.go
 create mode 100644 cli/cli/command/image/testdata/history-command-success.non-human.golden
 create mode 100644 cli/cli/command/image/testdata/history-command-success.quiet-no-trunc.golden
 create mode 100644 cli/cli/command/image/testdata/history-command-success.quiet.golden
 create mode 100644 cli/cli/command/image/testdata/history-command-success.simple.golden
 create mode 100644 cli/cli/command/image/testdata/import-command-success.input.txt
 create mode 100644 cli/cli/command/image/testdata/inspect-command-success.format.golden
 create mode 100644 cli/cli/command/image/testdata/inspect-command-success.simple-many.golden
 create mode 100644 cli/cli/command/image/testdata/inspect-command-success.simple.golden
 create mode 100644 cli/cli/command/image/testdata/list-command-success.filters.golden
 create mode 100644 cli/cli/command/image/testdata/list-command-success.format.golden
 create mode 100644 cli/cli/command/image/testdata/list-command-success.match-name.golden
 create mode 100644 cli/cli/command/image/testdata/list-command-success.quiet-format.golden
 create mode 100644 cli/cli/command/image/testdata/list-command-success.simple.golden
 create mode 100644 cli/cli/command/image/testdata/load-command-success.input-file.golden
 create mode 100644 cli/cli/command/image/testdata/load-command-success.input.txt
 create mode 100644 cli/cli/command/image/testdata/load-command-success.json.golden
 create mode 100644 cli/cli/command/image/testdata/load-command-success.simple.golden
 create mode 100644 cli/cli/command/image/testdata/prune-command-success.all.golden
 create mode 100644 cli/cli/command/image/testdata/prune-command-success.force-deleted.golden
 create mode 100644 cli/cli/command/image/testdata/prune-command-success.force-untagged.golden
 create mode 100644 cli/cli/command/image/testdata/pull-command-success.simple-no-tag.golden
 create mode 100644 cli/cli/command/image/testdata/pull-command-success.simple.golden
 create mode 100644 cli/cli/command/image/testdata/remove-command-success.Image Deleted and Untagged.golden
 create mode 100644 cli/cli/command/image/testdata/remove-command-success.Image Deleted.golden
 create mode 100644 cli/cli/command/image/testdata/remove-command-success.Image Untagged.golden
 create mode 100644 cli/cli/command/image/testdata/remove-command-success.Image not found with force option.golden
 create mode 100644 cli/cli/command/image/trust.go
 create mode 100644 cli/cli/command/image/trust_test.go
 create mode 100644 cli/cli/command/in.go
 create mode 100644 cli/cli/command/inspect/inspector.go
 create mode 100644 cli/cli/command/inspect/inspector_test.go
 create mode 100644 cli/cli/command/manifest/annotate.go
 create mode 100644 cli/cli/command/manifest/annotate_test.go
 create mode 100644 cli/cli/command/manifest/client_test.go
 create mode 100644 cli/cli/command/manifest/cmd.go
 create mode 100644 cli/cli/command/manifest/create_list.go
 create mode 100644 cli/cli/command/manifest/create_test.go
 create mode 100644 cli/cli/command/manifest/inspect.go
 create mode 100644 cli/cli/command/manifest/inspect_test.go
 create mode 100644 cli/cli/command/manifest/push.go
 create mode 100644 cli/cli/command/manifest/push_test.go
 create mode 100644 cli/cli/command/manifest/testdata/inspect-annotate.golden
 create mode 100644 cli/cli/command/manifest/testdata/inspect-manifest-list.golden
 create mode 100644 cli/cli/command/manifest/testdata/inspect-manifest.golden
 create mode 100644 cli/cli/command/manifest/util.go
 create mode 100644 cli/cli/command/network/client_test.go
 create mode 100644 cli/cli/command/network/cmd.go
 create mode 100644 cli/cli/command/network/connect.go
 create mode 100644 cli/cli/command/network/connect_test.go
 create mode 100644 cli/cli/command/network/create.go
 create mode 100644 cli/cli/command/network/create_test.go
 create mode 100644 cli/cli/command/network/disconnect.go
 create mode 100644 cli/cli/command/network/disconnect_test.go
 create mode 100644 cli/cli/command/network/inspect.go
 create mode 100644 cli/cli/command/network/list.go
 create mode 100644 cli/cli/command/network/list_test.go
 create mode 100644 cli/cli/command/network/prune.go
 create mode 100644 cli/cli/command/network/remove.go
 create mode 100644 cli/cli/command/network/testdata/network-list.golden
 create mode 100644 cli/cli/command/node/client_test.go
 create mode 100644 cli/cli/command/node/cmd.go
 create mode 100644 cli/cli/command/node/demote.go
 create mode 100644 cli/cli/command/node/demote_test.go
 create mode 100644 cli/cli/command/node/inspect.go
 create mode 100644 cli/cli/command/node/inspect_test.go
 create mode 100644 cli/cli/command/node/list.go
 create mode 100644 cli/cli/command/node/list_test.go
 create mode 100644 cli/cli/command/node/opts.go
 create mode 100644 cli/cli/command/node/promote.go
 create mode 100644 cli/cli/command/node/promote_test.go
 create mode 100644 cli/cli/command/node/ps.go
 create mode 100644 cli/cli/command/node/ps_test.go
 create mode 100644 cli/cli/command/node/remove.go
 create mode 100644 cli/cli/command/node/remove_test.go
 create mode 100644 cli/cli/command/node/testdata/node-inspect-pretty.manager-leader.golden
 create mode 100644 cli/cli/command/node/testdata/node-inspect-pretty.manager.golden
 create mode 100644 cli/cli/command/node/testdata/node-inspect-pretty.simple.golden
 create mode 100644 cli/cli/command/node/testdata/node-list-format-flag.golden
 create mode 100644 cli/cli/command/node/testdata/node-list-format-from-config.golden
 create mode 100644 cli/cli/command/node/testdata/node-list-sort.golden
 create mode 100644 cli/cli/command/node/testdata/node-ps.simple.golden
 create mode 100644 cli/cli/command/node/testdata/node-ps.with-errors.golden
 create mode 100644 cli/cli/command/node/update.go
 create mode 100644 cli/cli/command/node/update_test.go
 create mode 100644 cli/cli/command/orchestrator.go
 create mode 100644 cli/cli/command/orchestrator_test.go
 create mode 100644 cli/cli/command/out.go
 create mode 100644 cli/cli/command/plugin/client_test.go
 create mode 100644 cli/cli/command/plugin/cmd.go
 create mode 100644 cli/cli/command/plugin/create.go
 create mode 100644 cli/cli/command/plugin/create_test.go
 create mode 100644 cli/cli/command/plugin/disable.go
 create mode 100644 cli/cli/command/plugin/disable_test.go
 create mode 100644 cli/cli/command/plugin/enable.go
 create mode 100644 cli/cli/command/plugin/enable_test.go
 create mode 100644 cli/cli/command/plugin/inspect.go
 create mode 100644 cli/cli/command/plugin/install.go
 create mode 100644 cli/cli/command/plugin/list.go
 create mode 100644 cli/cli/command/plugin/push.go
 create mode 100644 cli/cli/command/plugin/remove.go
 create mode 100644 cli/cli/command/plugin/remove_test.go
 create mode 100644 cli/cli/command/plugin/set.go
 create mode 100644 cli/cli/command/plugin/upgrade.go
 create mode 100644 cli/cli/command/registry.go
 create mode 100644 cli/cli/command/registry/login.go
 create mode 100644 cli/cli/command/registry/login_test.go
 create mode 100644 cli/cli/command/registry/logout.go
 create mode 100644 cli/cli/command/registry/search.go
 create mode 100644 cli/cli/command/registry_test.go
 create mode 100644 cli/cli/command/secret/client_test.go
 create mode 100644 cli/cli/command/secret/cmd.go
 create mode 100644 cli/cli/command/secret/create.go
 create mode 100644 cli/cli/command/secret/create_test.go
 create mode 100644 cli/cli/command/secret/inspect.go
 create mode 100644 cli/cli/command/secret/inspect_test.go
 create mode 100644 cli/cli/command/secret/ls.go
 create mode 100644 cli/cli/command/secret/ls_test.go
 create mode 100644 cli/cli/command/secret/remove.go
 create mode 100644 cli/cli/command/secret/remove_test.go
 create mode 100644 cli/cli/command/secret/testdata/secret-create-with-name.golden
 create mode 100644 cli/cli/command/secret/testdata/secret-inspect-pretty.simple.golden
 create mode 100644 cli/cli/command/secret/testdata/secret-inspect-with-format.json-template.golden
 create mode 100644 cli/cli/command/secret/testdata/secret-inspect-with-format.simple-template.golden
 create mode 100644 cli/cli/command/secret/testdata/secret-inspect-without-format.multiple-secrets-with-labels.golden
 create mode 100644 cli/cli/command/secret/testdata/secret-inspect-without-format.single-secret.golden
 create mode 100644 cli/cli/command/secret/testdata/secret-list-sort.golden
 create mode 100644 cli/cli/command/secret/testdata/secret-list-with-config-format.golden
 create mode 100644 cli/cli/command/secret/testdata/secret-list-with-filter.golden
 create mode 100644 cli/cli/command/secret/testdata/secret-list-with-format.golden
 create mode 100644 cli/cli/command/secret/testdata/secret-list-with-quiet-option.golden
 create mode 100644 cli/cli/command/service/client_test.go
 create mode 100644 cli/cli/command/service/cmd.go
 create mode 100644 cli/cli/command/service/create.go
 create mode 100644 cli/cli/command/service/generic_resource_opts.go
 create mode 100644 cli/cli/command/service/generic_resource_opts_test.go
 create mode 100644 cli/cli/command/service/helpers.go
 create mode 100644 cli/cli/command/service/inspect.go
 create mode 100644 cli/cli/command/service/inspect_test.go
 create mode 100644 cli/cli/command/service/list.go
 create mode 100644 cli/cli/command/service/list_test.go
 create mode 100644 cli/cli/command/service/logs.go
 create mode 100644 cli/cli/command/service/opts.go
 create mode 100644 cli/cli/command/service/opts_test.go
 create mode 100644 cli/cli/command/service/parse.go
 create mode 100644 cli/cli/command/service/progress/progress.go
 create mode 100644 cli/cli/command/service/progress/progress_test.go
 create mode 100644 cli/cli/command/service/ps.go
 create mode 100644 cli/cli/command/service/ps_test.go
 create mode 100644 cli/cli/command/service/remove.go
 create mode 100644 cli/cli/command/service/rollback.go
 create mode 100644 cli/cli/command/service/rollback_test.go
 create mode 100644 cli/cli/command/service/scale.go
 create mode 100644 cli/cli/command/service/testdata/service-list-sort.golden
 create mode 100644 cli/cli/command/service/trust.go
 create mode 100644 cli/cli/command/service/update.go
 create mode 100644 cli/cli/command/service/update_test.go
 create mode 100644 cli/cli/command/stack/client_test.go
 create mode 100644 cli/cli/command/stack/cmd.go
 create mode 100644 cli/cli/command/stack/common.go
 create mode 100644 cli/cli/command/stack/deploy.go
 create mode 100644 cli/cli/command/stack/deploy_test.go
 create mode 100644 cli/cli/command/stack/kubernetes/cli.go
 create mode 100644 cli/cli/command/stack/kubernetes/client.go
 create mode 100644 cli/cli/command/stack/kubernetes/conversion.go
 create mode 100644 cli/cli/command/stack/kubernetes/conversion_test.go
 create mode 100644 cli/cli/command/stack/kubernetes/convert.go
 create mode 100644 cli/cli/command/stack/kubernetes/deploy.go
 create mode 100644 cli/cli/command/stack/kubernetes/list.go
 create mode 100644 cli/cli/command/stack/kubernetes/ps.go
 create mode 100644 cli/cli/command/stack/kubernetes/remove.go
 create mode 100644 cli/cli/command/stack/kubernetes/services.go
 create mode 100644 cli/cli/command/stack/kubernetes/services_test.go
 create mode 100644 cli/cli/command/stack/kubernetes/stack.go
 create mode 100644 cli/cli/command/stack/kubernetes/stackclient.go
 create mode 100644 cli/cli/command/stack/kubernetes/stackclient_test.go
 create mode 100644 cli/cli/command/stack/kubernetes/testdata/warnings.golden
 create mode 100644 cli/cli/command/stack/kubernetes/warnings.go
 create mode 100644 cli/cli/command/stack/kubernetes/warnings_test.go
 create mode 100644 cli/cli/command/stack/kubernetes/watcher.go
 create mode 100644 cli/cli/command/stack/kubernetes/watcher_test.go
 create mode 100644 cli/cli/command/stack/list.go
 create mode 100644 cli/cli/command/stack/list_test.go
 create mode 100644 cli/cli/command/stack/loader/loader.go
 create mode 100644 cli/cli/command/stack/loader/loader_test.go
 create mode 100644 cli/cli/command/stack/options/opts.go
 create mode 100644 cli/cli/command/stack/ps.go
 create mode 100644 cli/cli/command/stack/ps_test.go
 create mode 100644 cli/cli/command/stack/remove.go
 create mode 100644 cli/cli/command/stack/remove_test.go
 create mode 100644 cli/cli/command/stack/services.go
 create mode 100644 cli/cli/command/stack/services_test.go
 create mode 100644 cli/cli/command/stack/swarm/client_test.go
 create mode 100644 cli/cli/command/stack/swarm/common.go
 create mode 100644 cli/cli/command/stack/swarm/deploy.go
 create mode 100644 cli/cli/command/stack/swarm/deploy_bundlefile.go
 create mode 100644 cli/cli/command/stack/swarm/deploy_bundlefile_test.go
 create mode 100644 cli/cli/command/stack/swarm/deploy_composefile.go
 create mode 100644 cli/cli/command/stack/swarm/deploy_composefile_test.go
 create mode 100644 cli/cli/command/stack/swarm/deploy_test.go
 create mode 100644 cli/cli/command/stack/swarm/list.go
 create mode 100644 cli/cli/command/stack/swarm/ps.go
 create mode 100644 cli/cli/command/stack/swarm/remove.go
 create mode 100644 cli/cli/command/stack/swarm/services.go
 create mode 100644 cli/cli/command/stack/swarm/testdata/bundlefile_with_two_services.dab
 create mode 100644 cli/cli/command/stack/testdata/stack-list-sort-natural.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-list-sort.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-list-with-format.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-list-without-format.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-ps-with-config-format.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-ps-with-format.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-ps-with-no-resolve-option.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-ps-with-no-trunc-option.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-ps-with-quiet-option.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-ps-without-format.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-services-with-config-format.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-services-with-format.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-services-with-quiet-option.golden
 create mode 100644 cli/cli/command/stack/testdata/stack-services-without-format.golden
 create mode 100644 cli/cli/command/stream.go
 create mode 100644 cli/cli/command/swarm/ca.go
 create mode 100644 cli/cli/command/swarm/ca_test.go
 create mode 100644 cli/cli/command/swarm/client_test.go
 create mode 100644 cli/cli/command/swarm/cmd.go
 create mode 100644 cli/cli/command/swarm/init.go
 create mode 100644 cli/cli/command/swarm/init_test.go
 create mode 100644 cli/cli/command/swarm/join.go
 create mode 100644 cli/cli/command/swarm/join_test.go
 create mode 100644 cli/cli/command/swarm/join_token.go
 create mode 100644 cli/cli/command/swarm/join_token_test.go
 create mode 100644 cli/cli/command/swarm/leave.go
 create mode 100644 cli/cli/command/swarm/leave_test.go
 create mode 100644 cli/cli/command/swarm/opts.go
 create mode 100644 cli/cli/command/swarm/opts_test.go
 create mode 100644 cli/cli/command/swarm/progress/root_rotation.go
 create mode 100644 cli/cli/command/swarm/testdata/init-init-autolock.golden
 create mode 100644 cli/cli/command/swarm/testdata/init-init.golden
 create mode 100644 cli/cli/command/swarm/testdata/jointoken-manager-quiet.golden
 create mode 100644 cli/cli/command/swarm/testdata/jointoken-manager-rotate.golden
 create mode 100644 cli/cli/command/swarm/testdata/jointoken-manager.golden
 create mode 100644 cli/cli/command/swarm/testdata/jointoken-worker-quiet.golden
 create mode 100644 cli/cli/command/swarm/testdata/jointoken-worker.golden
 create mode 100644 cli/cli/command/swarm/testdata/unlockkeys-unlock-key-quiet.golden
 create mode 100644 cli/cli/command/swarm/testdata/unlockkeys-unlock-key-rotate-quiet.golden
 create mode 100644 cli/cli/command/swarm/testdata/unlockkeys-unlock-key-rotate.golden
 create mode 100644 cli/cli/command/swarm/testdata/unlockkeys-unlock-key.golden
 create mode 100644 cli/cli/command/swarm/testdata/update-all-flags-quiet.golden
 create mode 100644 cli/cli/command/swarm/testdata/update-autolock-unlock-key.golden
 create mode 100644 cli/cli/command/swarm/testdata/update-noargs.golden
 create mode 100644 cli/cli/command/swarm/unlock.go
 create mode 100644 cli/cli/command/swarm/unlock_key.go
 create mode 100644 cli/cli/command/swarm/unlock_key_test.go
 create mode 100644 cli/cli/command/swarm/unlock_test.go
 create mode 100644 cli/cli/command/swarm/update.go
 create mode 100644 cli/cli/command/swarm/update_test.go
 create mode 100644 cli/cli/command/system/client_test.go
 create mode 100644 cli/cli/command/system/cmd.go
 create mode 100644 cli/cli/command/system/df.go
 create mode 100644 cli/cli/command/system/events.go
 create mode 100644 cli/cli/command/system/info.go
 create mode 100644 cli/cli/command/system/info_test.go
 create mode 100644 cli/cli/command/system/inspect.go
 create mode 100644 cli/cli/command/system/prune.go
 create mode 100644 cli/cli/command/system/prune_test.go
 create mode 100644 cli/cli/command/system/testdata/docker-client-version.golden
 create mode 100644 cli/cli/command/system/testdata/docker-info-no-swarm.golden
 create mode 100644 cli/cli/command/system/testdata/docker-info-warnings.golden
 create mode 100644 cli/cli/command/system/testdata/docker-info-with-swarm.golden
 create mode 100644 cli/cli/command/system/version.go
 create mode 100644 cli/cli/command/system/version_test.go
 create mode 100644 cli/cli/command/task/client_test.go
 create mode 100644 cli/cli/command/task/print.go
 create mode 100644 cli/cli/command/task/print_test.go
 create mode 100644 cli/cli/command/task/testdata/task-print-with-global-service.golden
 create mode 100644 cli/cli/command/task/testdata/task-print-with-indentation.golden
 create mode 100644 cli/cli/command/task/testdata/task-print-with-no-trunc-option.golden
 create mode 100644 cli/cli/command/task/testdata/task-print-with-quiet-option.golden
 create mode 100644 cli/cli/command/task/testdata/task-print-with-replicated-service.golden
 create mode 100644 cli/cli/command/task/testdata/task-print-with-resolution.golden
 create mode 100644 cli/cli/command/trust.go
 create mode 100644 cli/cli/command/trust/cmd.go
 create mode 100644 cli/cli/command/trust/common.go
 create mode 100644 cli/cli/command/trust/helpers.go
 create mode 100644 cli/cli/command/trust/helpers_test.go
 create mode 100644 cli/cli/command/trust/inspect.go
 create mode 100644 cli/cli/command/trust/inspect_pretty.go
 create mode 100644 cli/cli/command/trust/inspect_pretty_test.go
 create mode 100644 cli/cli/command/trust/inspect_test.go
 create mode 100644 cli/cli/command/trust/key.go
 create mode 100644 cli/cli/command/trust/key_generate.go
 create mode 100644 cli/cli/command/trust/key_generate_test.go
 create mode 100644 cli/cli/command/trust/key_load.go
 create mode 100644 cli/cli/command/trust/key_load_test.go
 create mode 100644 cli/cli/command/trust/revoke.go
 create mode 100644 cli/cli/command/trust/revoke_test.go
 create mode 100644 cli/cli/command/trust/sign.go
 create mode 100644 cli/cli/command/trust/sign_test.go
 create mode 100644 cli/cli/command/trust/signer.go
 create mode 100644 cli/cli/command/trust/signer_add.go
 create mode 100644 cli/cli/command/trust/signer_add_test.go
 create mode 100644 cli/cli/command/trust/signer_remove.go
 create mode 100644 cli/cli/command/trust/signer_remove_test.go
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-empty-repo.golden
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-full-repo-no-signers.golden
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-full-repo-with-signers.golden
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-multiple-repos-with-signers.golden
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-one-tag-no-signers.golden
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-pretty-full-repo-no-signers.golden
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-pretty-full-repo-with-signers.golden
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-pretty-one-tag-no-signers.golden
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-pretty-unsigned-tag-with-signers.golden
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-uninitialized.golden
 create mode 100644 cli/cli/command/trust/testdata/trust-inspect-unsigned-tag-with-signers.golden
 create mode 100644 cli/cli/command/utils.go
 create mode 100644 cli/cli/command/volume/client_test.go
 create mode 100644 cli/cli/command/volume/cmd.go
 create mode 100644 cli/cli/command/volume/create.go
 create mode 100644 cli/cli/command/volume/create_test.go
 create mode 100644 cli/cli/command/volume/inspect.go
 create mode 100644 cli/cli/command/volume/inspect_test.go
 create mode 100644 cli/cli/command/volume/list.go
 create mode 100644 cli/cli/command/volume/list_test.go
 create mode 100644 cli/cli/command/volume/prune.go
 create mode 100644 cli/cli/command/volume/prune_test.go
 create mode 100644 cli/cli/command/volume/remove.go
 create mode 100644 cli/cli/command/volume/remove_test.go
 create mode 100644 cli/cli/command/volume/testdata/volume-inspect-with-format.json-template.golden
 create mode 100644 cli/cli/command/volume/testdata/volume-inspect-with-format.simple-template.golden
 create mode 100644 cli/cli/command/volume/testdata/volume-inspect-without-format.multiple-volume-with-labels.golden
 create mode 100644 cli/cli/command/volume/testdata/volume-inspect-without-format.single-volume.golden
 create mode 100644 cli/cli/command/volume/testdata/volume-list-with-config-format.golden
 create mode 100644 cli/cli/command/volume/testdata/volume-list-with-format.golden
 create mode 100644 cli/cli/command/volume/testdata/volume-list-without-format.golden
 create mode 100644 cli/cli/command/volume/testdata/volume-prune-no.golden
 create mode 100644 cli/cli/command/volume/testdata/volume-prune-yes.golden
 create mode 100644 cli/cli/command/volume/testdata/volume-prune.deletedVolumes.golden
 create mode 100644 cli/cli/command/volume/testdata/volume-prune.empty.golden
 create mode 100644 cli/cli/compose/convert/compose.go
 create mode 100644 cli/cli/compose/convert/compose_test.go
 create mode 100644 cli/cli/compose/convert/service.go
 create mode 100644 cli/cli/compose/convert/service_test.go
 create mode 100644 cli/cli/compose/convert/volume.go
 create mode 100644 cli/cli/compose/convert/volume_test.go
 create mode 100644 cli/cli/compose/interpolation/interpolation.go
 create mode 100644 cli/cli/compose/interpolation/interpolation_test.go
 create mode 100644 cli/cli/compose/loader/example1.env
 create mode 100644 cli/cli/compose/loader/example2.env
 create mode 100644 cli/cli/compose/loader/full-example.yml
 create mode 100644 cli/cli/compose/loader/full-struct_test.go
 create mode 100644 cli/cli/compose/loader/interpolate.go
 create mode 100644 cli/cli/compose/loader/loader.go
 create mode 100644 cli/cli/compose/loader/loader_test.go
 create mode 100644 cli/cli/compose/loader/merge.go
 create mode 100644 cli/cli/compose/loader/merge_test.go
 create mode 100644 cli/cli/compose/loader/types_test.go
 create mode 100644 cli/cli/compose/loader/volume.go
 create mode 100644 cli/cli/compose/loader/volume_test.go
 create mode 100644 cli/cli/compose/schema/bindata.go
 create mode 100644 cli/cli/compose/schema/data/config_schema_v3.0.json
 create mode 100644 cli/cli/compose/schema/data/config_schema_v3.1.json
 create mode 100644 cli/cli/compose/schema/data/config_schema_v3.2.json
 create mode 100644 cli/cli/compose/schema/data/config_schema_v3.3.json
 create mode 100644 cli/cli/compose/schema/data/config_schema_v3.4.json
 create mode 100644 cli/cli/compose/schema/data/config_schema_v3.5.json
 create mode 100644 cli/cli/compose/schema/data/config_schema_v3.6.json
 create mode 100644 cli/cli/compose/schema/data/config_schema_v3.7.json
 create mode 100644 cli/cli/compose/schema/schema.go
 create mode 100644 cli/cli/compose/schema/schema_test.go
 create mode 100644 cli/cli/compose/template/template.go
 create mode 100644 cli/cli/compose/template/template_test.go
 create mode 100644 cli/cli/compose/types/types.go
 create mode 100644 cli/cli/config/config.go
 create mode 100644 cli/cli/config/config_test.go
 create mode 100644 cli/cli/config/configfile/file.go
 create mode 100644 cli/cli/config/configfile/file_test.go
 create mode 100644 cli/cli/config/credentials/credentials.go
 create mode 100644 cli/cli/config/credentials/default_store.go
 create mode 100644 cli/cli/config/credentials/default_store_darwin.go
 create mode 100644 cli/cli/config/credentials/default_store_linux.go
 create mode 100644 cli/cli/config/credentials/default_store_unsupported.go
 create mode 100644 cli/cli/config/credentials/default_store_windows.go
 create mode 100644 cli/cli/config/credentials/file_store.go
 create mode 100644 cli/cli/config/credentials/file_store_test.go
 create mode 100644 cli/cli/config/credentials/native_store.go
 create mode 100644 cli/cli/config/credentials/native_store_test.go
 create mode 100644 cli/cli/debug/debug.go
 create mode 100644 cli/cli/debug/debug_test.go
 create mode 100644 cli/cli/error.go
 create mode 100644 cli/cli/flags/client.go
 create mode 100644 cli/cli/flags/common.go
 create mode 100644 cli/cli/flags/common_test.go
 create mode 100644 cli/cli/manifest/store/store.go
 create mode 100644 cli/cli/manifest/store/store_test.go
 create mode 100644 cli/cli/manifest/types/types.go
 create mode 100644 cli/cli/registry/client/client.go
 create mode 100644 cli/cli/registry/client/endpoint.go
 create mode 100644 cli/cli/registry/client/fetcher.go
 create mode 100644 cli/cli/required.go
 create mode 100644 cli/cli/required_test.go
 create mode 100644 cli/cli/trust/trust.go
 create mode 100644 cli/cli/trust/trust_test.go
 create mode 100644 cli/cli/version.go
 create mode 100644 cli/cli/winresources/res_windows.go
 create mode 100644 cli/cmd/docker/docker.go
 create mode 100644 cli/cmd/docker/docker_test.go
 create mode 100644 cli/cmd/docker/docker_windows.go
 create mode 100644 cli/codecov.yml
 create mode 100644 cli/contrib/completion/bash/docker
 create mode 100644 cli/contrib/completion/fish/docker.fish
 create mode 100644 cli/contrib/completion/powershell/readme.txt
 create mode 100644 cli/contrib/completion/zsh/REVIEWERS
 create mode 100644 cli/contrib/completion/zsh/_docker
 create mode 100644 cli/docker.Makefile
 create mode 100644 cli/dockerfiles/Dockerfile.binary-native
 create mode 100644 cli/dockerfiles/Dockerfile.cross
 create mode 100644 cli/dockerfiles/Dockerfile.dev
 create mode 100644 cli/dockerfiles/Dockerfile.e2e
 create mode 100644 cli/dockerfiles/Dockerfile.lint
 create mode 100644 cli/dockerfiles/Dockerfile.shellcheck
 create mode 100644 cli/docs/README.md
 create mode 100644 cli/docs/deprecated.md
 create mode 100644 cli/docs/extend/EBS_volume.md
 create mode 100644 cli/docs/extend/config.md
 create mode 100644 cli/docs/extend/images/authz_additional_info.png
 create mode 100644 cli/docs/extend/images/authz_allow.png
 create mode 100644 cli/docs/extend/images/authz_chunked.png
 create mode 100644 cli/docs/extend/images/authz_connection_hijack.png
 create mode 100644 cli/docs/extend/images/authz_deny.png
 create mode 100644 cli/docs/extend/index.md
 create mode 100644 cli/docs/extend/legacy_plugins.md
 create mode 100644 cli/docs/extend/plugin_api.md
 create mode 100644 cli/docs/extend/plugins_authorization.md
 create mode 100644 cli/docs/extend/plugins_graphdriver.md
 create mode 100644 cli/docs/extend/plugins_logging.md
 create mode 100644 cli/docs/extend/plugins_metrics.md
 create mode 100644 cli/docs/extend/plugins_network.md
 create mode 100644 cli/docs/extend/plugins_services.md
 create mode 100644 cli/docs/extend/plugins_volume.md
 create mode 100644 cli/docs/reference/builder.md
 create mode 100644 cli/docs/reference/commandline/attach.md
 create mode 100644 cli/docs/reference/commandline/build.md
 create mode 100644 cli/docs/reference/commandline/cli.md
 create mode 100644 cli/docs/reference/commandline/commit.md
 create mode 100644 cli/docs/reference/commandline/container.md
 create mode 100644 cli/docs/reference/commandline/container_prune.md
 create mode 100644 cli/docs/reference/commandline/cp.md
 create mode 100644 cli/docs/reference/commandline/create.md
 create mode 100644 cli/docs/reference/commandline/deploy.md
 create mode 100644 cli/docs/reference/commandline/diff.md
 create mode 100644 cli/docs/reference/commandline/dockerd.md
 create mode 100644 cli/docs/reference/commandline/events.md
 create mode 100644 cli/docs/reference/commandline/exec.md
 create mode 100644 cli/docs/reference/commandline/export.md
 create mode 100644 cli/docs/reference/commandline/history.md
 create mode 100644 cli/docs/reference/commandline/image.md
 create mode 100644 cli/docs/reference/commandline/image_prune.md
 create mode 100644 cli/docs/reference/commandline/images.md
 create mode 100644 cli/docs/reference/commandline/import.md
 create mode 100644 cli/docs/reference/commandline/index.md
 create mode 100644 cli/docs/reference/commandline/info.md
 create mode 100644 cli/docs/reference/commandline/inspect.md
 create mode 100644 cli/docs/reference/commandline/kill.md
 create mode 100644 cli/docs/reference/commandline/load.md
 create mode 100644 cli/docs/reference/commandline/login.md
 create mode 100644 cli/docs/reference/commandline/logout.md
 create mode 100644 cli/docs/reference/commandline/logs.md
 create mode 100644 cli/docs/reference/commandline/manifest.md
 create mode 100644 cli/docs/reference/commandline/network.md
 create mode 100644 cli/docs/reference/commandline/network_connect.md
 create mode 100644 cli/docs/reference/commandline/network_create.md
 create mode 100644 cli/docs/reference/commandline/network_disconnect.md
 create mode 100644 cli/docs/reference/commandline/network_inspect.md
 create mode 100644 cli/docs/reference/commandline/network_ls.md
 create mode 100644 cli/docs/reference/commandline/network_prune.md
 create mode 100644 cli/docs/reference/commandline/network_rm.md
 create mode 100644 cli/docs/reference/commandline/node.md
 create mode 100644 cli/docs/reference/commandline/node_demote.md
 create mode 100644 cli/docs/reference/commandline/node_inspect.md
 create mode 100644 cli/docs/reference/commandline/node_ls.md
 create mode 100644 cli/docs/reference/commandline/node_promote.md
 create mode 100644 cli/docs/reference/commandline/node_ps.md
 create mode 100644 cli/docs/reference/commandline/node_rm.md
 create mode 100644 cli/docs/reference/commandline/node_update.md
 create mode 100644 cli/docs/reference/commandline/pause.md
 create mode 100644 cli/docs/reference/commandline/plugin.md
 create mode 100644 cli/docs/reference/commandline/plugin_create.md
 create mode 100644 cli/docs/reference/commandline/plugin_disable.md
 create mode 100644 cli/docs/reference/commandline/plugin_enable.md
 create mode 100644 cli/docs/reference/commandline/plugin_inspect.md
 create mode 100644 cli/docs/reference/commandline/plugin_install.md
 create mode 100644 cli/docs/reference/commandline/plugin_ls.md
 create mode 100644 cli/docs/reference/commandline/plugin_push.md
 create mode 100644 cli/docs/reference/commandline/plugin_rm.md
 create mode 100644 cli/docs/reference/commandline/plugin_set.md
 create mode 100644 cli/docs/reference/commandline/plugin_upgrade.md
 create mode 100644 cli/docs/reference/commandline/port.md
 create mode 100644 cli/docs/reference/commandline/ps.md
 create mode 100644 cli/docs/reference/commandline/pull.md
 create mode 100644 cli/docs/reference/commandline/push.md
 create mode 100644 cli/docs/reference/commandline/rename.md
 create mode 100644 cli/docs/reference/commandline/restart.md
 create mode 100644 cli/docs/reference/commandline/rm.md
 create mode 100644 cli/docs/reference/commandline/rmi.md
 create mode 100644 cli/docs/reference/commandline/run.md
 create mode 100644 cli/docs/reference/commandline/save.md
 create mode 100644 cli/docs/reference/commandline/search.md
 create mode 100644 cli/docs/reference/commandline/secret.md
 create mode 100644 cli/docs/reference/commandline/secret_create.md
 create mode 100644 cli/docs/reference/commandline/secret_inspect.md
 create mode 100644 cli/docs/reference/commandline/secret_ls.md
 create mode 100644 cli/docs/reference/commandline/secret_rm.md
 create mode 100644 cli/docs/reference/commandline/service.md
 create mode 100644 cli/docs/reference/commandline/service_create.md
 create mode 100644 cli/docs/reference/commandline/service_inspect.md
 create mode 100644 cli/docs/reference/commandline/service_logs.md
 create mode 100644 cli/docs/reference/commandline/service_ls.md
 create mode 100644 cli/docs/reference/commandline/service_ps.md
 create mode 100644 cli/docs/reference/commandline/service_rm.md
 create mode 100644 cli/docs/reference/commandline/service_rollback.md
 create mode 100644 cli/docs/reference/commandline/service_scale.md
 create mode 100644 cli/docs/reference/commandline/service_update.md
 create mode 100644 cli/docs/reference/commandline/stack.md
 create mode 100644 cli/docs/reference/commandline/stack_deploy.md
 create mode 100644 cli/docs/reference/commandline/stack_ls.md
 create mode 100644 cli/docs/reference/commandline/stack_ps.md
 create mode 100644 cli/docs/reference/commandline/stack_rm.md
 create mode 100644 cli/docs/reference/commandline/stack_services.md
 create mode 100644 cli/docs/reference/commandline/start.md
 create mode 100644 cli/docs/reference/commandline/stats.md
 create mode 100644 cli/docs/reference/commandline/stop.md
 create mode 100644 cli/docs/reference/commandline/swarm.md
 create mode 100644 cli/docs/reference/commandline/swarm_ca.md
 create mode 100644 cli/docs/reference/commandline/swarm_init.md
 create mode 100644 cli/docs/reference/commandline/swarm_join.md
 create mode 100644 cli/docs/reference/commandline/swarm_join_token.md
 create mode 100644 cli/docs/reference/commandline/swarm_leave.md
 create mode 100644 cli/docs/reference/commandline/swarm_unlock.md
 create mode 100644 cli/docs/reference/commandline/swarm_unlock_key.md
 create mode 100644 cli/docs/reference/commandline/swarm_update.md
 create mode 100644 cli/docs/reference/commandline/system.md
 create mode 100644 cli/docs/reference/commandline/system_df.md
 create mode 100644 cli/docs/reference/commandline/system_events.md
 create mode 100644 cli/docs/reference/commandline/system_prune.md
 create mode 100644 cli/docs/reference/commandline/tag.md
 create mode 100644 cli/docs/reference/commandline/top.md
 create mode 100644 cli/docs/reference/commandline/trust_inspect.md
 create mode 100644 cli/docs/reference/commandline/trust_key_generate.md
 create mode 100644 cli/docs/reference/commandline/trust_key_load.md
 create mode 100644 cli/docs/reference/commandline/trust_revoke.md
 create mode 100644 cli/docs/reference/commandline/trust_sign.md
 create mode 100644 cli/docs/reference/commandline/trust_signer_add.md
 create mode 100644 cli/docs/reference/commandline/trust_signer_remove.md
 create mode 100644 cli/docs/reference/commandline/unpause.md
 create mode 100644 cli/docs/reference/commandline/update.md
 create mode 100644 cli/docs/reference/commandline/version.md
 create mode 100644 cli/docs/reference/commandline/volume.md
 create mode 100644 cli/docs/reference/commandline/volume_create.md
 create mode 100644 cli/docs/reference/commandline/volume_inspect.md
 create mode 100644 cli/docs/reference/commandline/volume_ls.md
 create mode 100644 cli/docs/reference/commandline/volume_prune.md
 create mode 100644 cli/docs/reference/commandline/volume_rm.md
 create mode 100644 cli/docs/reference/commandline/wait.md
 create mode 100644 cli/docs/reference/glossary.md
 create mode 100644 cli/docs/reference/index.md
 create mode 100644 cli/docs/reference/run.md
 create mode 100644 cli/docs/yaml/Dockerfile
 create mode 100644 cli/docs/yaml/generate.go
 create mode 100644 cli/docs/yaml/yaml.go
 create mode 100644 cli/e2e/compose-env.yaml
 create mode 100644 cli/e2e/container/attach_test.go
 create mode 100644 cli/e2e/container/create_test.go
 create mode 100644 cli/e2e/container/kill_test.go
 create mode 100644 cli/e2e/container/main_test.go
 create mode 100644 cli/e2e/container/run_test.go
 create mode 100644 cli/e2e/container/testdata/run-attached-from-remote-and-remove.golden
 create mode 100644 cli/e2e/image/build_test.go
 create mode 100644 cli/e2e/image/main_test.go
 create mode 100644 cli/e2e/image/pull_test.go
 create mode 100644 cli/e2e/image/push_test.go
 create mode 100644 cli/e2e/image/testdata/notary/delgkey1.crt
 create mode 100644 cli/e2e/image/testdata/notary/delgkey1.key
 create mode 100644 cli/e2e/image/testdata/notary/delgkey2.crt
 create mode 100644 cli/e2e/image/testdata/notary/delgkey2.key
 create mode 100644 cli/e2e/image/testdata/notary/delgkey3.crt
 create mode 100644 cli/e2e/image/testdata/notary/delgkey3.key
 create mode 100644 cli/e2e/image/testdata/notary/delgkey4.crt
 create mode 100644 cli/e2e/image/testdata/notary/delgkey4.key
 create mode 100755 cli/e2e/image/testdata/notary/gen.sh
 create mode 100644 cli/e2e/image/testdata/notary/localhost.cert
 create mode 100644 cli/e2e/image/testdata/notary/localhost.key
 create mode 100644 cli/e2e/image/testdata/pull-with-content-trust-err.golden
 create mode 100644 cli/e2e/image/testdata/pull-with-content-trust.golden
 create mode 100644 cli/e2e/image/testdata/push-with-content-trust-err.golden
 create mode 100644 cli/e2e/internal/fixtures/fixtures.go
 create mode 100644 cli/e2e/plugin/basic/basic.go
 create mode 100644 cli/e2e/plugin/main_test.go
 create mode 100644 cli/e2e/plugin/trust_test.go
 create mode 100644 cli/e2e/stack/deploy_test.go
 create mode 100644 cli/e2e/stack/help_test.go
 create mode 100644 cli/e2e/stack/main_test.go
 create mode 100644 cli/e2e/stack/remove_test.go
 create mode 100644 cli/e2e/stack/testdata/data
 create mode 100644 cli/e2e/stack/testdata/full-stack.yml
 create mode 100644 cli/e2e/stack/testdata/stack-deploy-help-kubernetes.golden
 create mode 100644 cli/e2e/stack/testdata/stack-deploy-help-swarm.golden
 create mode 100644 cli/e2e/stack/testdata/stack-deploy-with-names-kubernetes.golden
 create mode 100644 cli/e2e/stack/testdata/stack-deploy-with-names-swarm.golden
 create mode 100644 cli/e2e/stack/testdata/stack-deploy-with-names.golden
 create mode 100644 cli/e2e/stack/testdata/stack-remove-kubernetes-success.golden
 create mode 100644 cli/e2e/stack/testdata/stack-remove-swarm-success.golden
 create mode 100644 cli/e2e/stack/testdata/stack-with-named-resources.yml
 create mode 100644 cli/e2e/system/inspect_test.go
 create mode 100644 cli/e2e/system/main_test.go
 create mode 100644 cli/e2e/testdata/Dockerfile.notary-server
 create mode 100644 cli/e2e/testdata/notary/notary-config.json
 create mode 100644 cli/e2e/testdata/notary/notary-server.cert
 create mode 100644 cli/e2e/testdata/notary/notary-server.key
 create mode 100644 cli/e2e/testdata/notary/root-ca.cert
 create mode 100644 cli/e2e/trust/main_test.go
 create mode 100644 cli/e2e/trust/revoke_test.go
 create mode 100644 cli/e2e/trust/sign_test.go
 create mode 100644 cli/experimental/README.md
 create mode 100644 cli/experimental/checkpoint-restore.md
 create mode 100644 cli/experimental/docker-stacks-and-bundles.md
 create mode 100644 cli/experimental/images/ipvlan-l3.gliffy
 create mode 100644 cli/experimental/images/ipvlan-l3.png
 create mode 100644 cli/experimental/images/ipvlan-l3.svg
 create mode 100644 cli/experimental/images/ipvlan_l2_simple.gliffy
 create mode 100644 cli/experimental/images/ipvlan_l2_simple.png
 create mode 100644 cli/experimental/images/ipvlan_l2_simple.svg
 create mode 100644 cli/experimental/images/macvlan-bridge-ipvlan-l2.gliffy
 create mode 100644 cli/experimental/images/macvlan-bridge-ipvlan-l2.png
 create mode 100644 cli/experimental/images/macvlan-bridge-ipvlan-l2.svg
 create mode 100644 cli/experimental/images/multi_tenant_8021q_vlans.gliffy
 create mode 100644 cli/experimental/images/multi_tenant_8021q_vlans.png
 create mode 100644 cli/experimental/images/multi_tenant_8021q_vlans.svg
 create mode 100644 cli/experimental/images/vlans-deeper-look.gliffy
 create mode 100644 cli/experimental/images/vlans-deeper-look.png
 create mode 100644 cli/experimental/images/vlans-deeper-look.svg
 create mode 100644 cli/experimental/vlan-networks.md
 create mode 100644 cli/gometalinter.json
 create mode 100644 cli/internal/test/builders/config.go
 create mode 100644 cli/internal/test/builders/container.go
 create mode 100644 cli/internal/test/builders/doc.go
 create mode 100644 cli/internal/test/builders/network.go
 create mode 100644 cli/internal/test/builders/node.go
 create mode 100644 cli/internal/test/builders/secret.go
 create mode 100644 cli/internal/test/builders/service.go
 create mode 100644 cli/internal/test/builders/swarm.go
 create mode 100644 cli/internal/test/builders/task.go
 create mode 100644 cli/internal/test/builders/volume.go
 create mode 100644 cli/internal/test/cli.go
 create mode 100644 cli/internal/test/doc.go
 create mode 100644 cli/internal/test/environment/testenv.go
 create mode 100644 cli/internal/test/network/client.go
 create mode 100644 cli/internal/test/notary/client.go
 create mode 100644 cli/internal/test/output/output.go
 create mode 100644 cli/internal/test/store.go
 create mode 100644 cli/kubernetes/README.md
 create mode 100644 cli/kubernetes/check.go
 create mode 100644 cli/kubernetes/check_test.go
 create mode 100644 cli/kubernetes/client/clientset/clientset.go
 create mode 100644 cli/kubernetes/client/clientset/scheme/register.go
 create mode 100644 cli/kubernetes/client/clientset/typed/compose/v1beta1/compose_client.go
 create mode 100644 cli/kubernetes/client/clientset/typed/compose/v1beta1/stack.go
 create mode 100644 cli/kubernetes/client/clientset/typed/compose/v1beta2/compose_client.go
 create mode 100644 cli/kubernetes/client/clientset/typed/compose/v1beta2/stack.go
 create mode 100644 cli/kubernetes/client/informers/compose/interface.go
 create mode 100644 cli/kubernetes/client/informers/compose/v1beta2/interface.go
 create mode 100644 cli/kubernetes/client/informers/compose/v1beta2/stack.go
 create mode 100644 cli/kubernetes/client/informers/factory.go
 create mode 100644 cli/kubernetes/client/informers/generic.go
 create mode 100644 cli/kubernetes/client/informers/internalinterfaces/factory_interfaces.go
 create mode 100644 cli/kubernetes/client/listers/compose/v1beta2/expansion_generated.go
 create mode 100644 cli/kubernetes/client/listers/compose/v1beta2/stack.go
 create mode 100644 cli/kubernetes/compose/clone/maps.go
 create mode 100644 cli/kubernetes/compose/clone/slices.go
 create mode 100644 cli/kubernetes/compose/doc.go
 create mode 100644 cli/kubernetes/compose/impersonation/impersonationconfig.go
 create mode 100644 cli/kubernetes/compose/v1beta1/doc.go
 create mode 100644 cli/kubernetes/compose/v1beta1/owner.go
 create mode 100644 cli/kubernetes/compose/v1beta1/parsing.go
 create mode 100644 cli/kubernetes/compose/v1beta1/register.go
 create mode 100644 cli/kubernetes/compose/v1beta1/stack.go
 create mode 100644 cli/kubernetes/compose/v1beta1/stack_test.go
 create mode 100644 cli/kubernetes/compose/v1beta2/composefile_stack_types.go
 create mode 100644 cli/kubernetes/compose/v1beta2/doc.go
 create mode 100644 cli/kubernetes/compose/v1beta2/owner.go
 create mode 100644 cli/kubernetes/compose/v1beta2/register.go
 create mode 100644 cli/kubernetes/compose/v1beta2/scale.go
 create mode 100644 cli/kubernetes/compose/v1beta2/stack.go
 create mode 100644 cli/kubernetes/config.go
 create mode 100644 cli/kubernetes/doc.go
 create mode 100644 cli/kubernetes/labels/labels.go
 create mode 100644 cli/kubernetes/labels/labels_test.go
 create mode 100644 cli/man/Dockerfile.5.md
 create mode 100644 cli/man/README.md
 create mode 100644 cli/man/docker-build.1.md
 create mode 100644 cli/man/docker-config-json.5.md
 create mode 100644 cli/man/docker-run.1.md
 create mode 100644 cli/man/docker.1.md
 create mode 100644 cli/man/dockerd.8.md
 create mode 100644 cli/man/generate.go
 create mode 100644 cli/man/import.go
 create mode 100755 cli/man/md2man-all.sh
 create mode 100644 cli/man/src/attach.md
 create mode 100644 cli/man/src/commit.md
 create mode 100644 cli/man/src/container/attach.md
 create mode 100644 cli/man/src/container/commit.md
 create mode 100644 cli/man/src/container/cp.md
 create mode 100644 cli/man/src/container/create-example.md
 create mode 100644 cli/man/src/container/create.md
 create mode 100644 cli/man/src/container/diff.md
 create mode 100644 cli/man/src/container/exec.md
 create mode 100644 cli/man/src/container/export.md
 create mode 100644 cli/man/src/container/kill.md
 create mode 100644 cli/man/src/container/logs.md
 create mode 100644 cli/man/src/container/ls.md
 create mode 100644 cli/man/src/container/pause.md
 create mode 100644 cli/man/src/container/port.md
 create mode 100644 cli/man/src/container/rename.md
 create mode 100644 cli/man/src/container/restart.md
 create mode 100644 cli/man/src/container/rm.md
 create mode 100644 cli/man/src/container/run.md
 create mode 100644 cli/man/src/container/start.md
 create mode 100644 cli/man/src/container/stats.md
 create mode 100644 cli/man/src/container/stop.md
 create mode 100644 cli/man/src/container/top.md
 create mode 100644 cli/man/src/container/unpause.md
 create mode 100644 cli/man/src/container/update.md
 create mode 100644 cli/man/src/container/wait.md
 create mode 100644 cli/man/src/cp.md
 create mode 100644 cli/man/src/create.md
 create mode 100644 cli/man/src/diff.md
 create mode 100644 cli/man/src/events.md
 create mode 100644 cli/man/src/exec.md
 create mode 100644 cli/man/src/export.md
 create mode 100644 cli/man/src/history.md
 create mode 100644 cli/man/src/image/build.md
 create mode 100644 cli/man/src/image/history.md
 create mode 100644 cli/man/src/image/import.md
 create mode 100644 cli/man/src/image/load.md
 create mode 100644 cli/man/src/image/ls.md
 create mode 100644 cli/man/src/image/pull.md
 create mode 100644 cli/man/src/image/push.md
 create mode 100644 cli/man/src/image/rm.md
 create mode 100644 cli/man/src/image/save.md
 create mode 100644 cli/man/src/image/tag.md
 create mode 100644 cli/man/src/images.md
 create mode 100644 cli/man/src/import.md
 create mode 100644 cli/man/src/info.md
 create mode 100644 cli/man/src/inspect.md
 create mode 100644 cli/man/src/kill.md
 create mode 100644 cli/man/src/load.md
 create mode 100644 cli/man/src/login.md
 create mode 100644 cli/man/src/logout.md
 create mode 100644 cli/man/src/logs.md
 create mode 100644 cli/man/src/network/connect.md
 create mode 100644 cli/man/src/network/create.md
 create mode 100644 cli/man/src/network/disconnect.md
 create mode 100644 cli/man/src/network/inspect.md
 create mode 100644 cli/man/src/network/ls.md
 create mode 100644 cli/man/src/network/rm.md
 create mode 100644 cli/man/src/pause.md
 create mode 100644 cli/man/src/plugin/ls.md
 create mode 100644 cli/man/src/port.md
 create mode 100644 cli/man/src/ps.md
 create mode 100644 cli/man/src/pull.md
 create mode 100644 cli/man/src/push.md
 create mode 100644 cli/man/src/rename.md
 create mode 100644 cli/man/src/restart.md
 create mode 100644 cli/man/src/rm.md
 create mode 100644 cli/man/src/rmi.md
 create mode 100644 cli/man/src/save.md
 create mode 100644 cli/man/src/search.md
 create mode 100644 cli/man/src/start.md
 create mode 100644 cli/man/src/stats.md
 create mode 100644 cli/man/src/stop.md
 create mode 100644 cli/man/src/system/events.md
 create mode 100644 cli/man/src/system/info.md
 create mode 100644 cli/man/src/tag.md
 create mode 100644 cli/man/src/top.md
 create mode 100644 cli/man/src/unpause.md
 create mode 100644 cli/man/src/update.md
 create mode 100644 cli/man/src/version.md
 create mode 100644 cli/man/src/volume.md
 create mode 100644 cli/man/src/volume/create.md
 create mode 100644 cli/man/src/volume/inspect.md
 create mode 100644 cli/man/src/volume/ls.md
 create mode 100644 cli/man/src/wait.md
 create mode 100644 cli/opts/config.go
 create mode 100644 cli/opts/duration.go
 create mode 100644 cli/opts/duration_test.go
 create mode 100644 cli/opts/env.go
 create mode 100644 cli/opts/env_test.go
 create mode 100644 cli/opts/envfile.go
 create mode 100644 cli/opts/envfile_test.go
 create mode 100644 cli/opts/file.go
 create mode 100644 cli/opts/hosts.go
 create mode 100644 cli/opts/hosts_test.go
 create mode 100644 cli/opts/hosts_unix.go
 create mode 100644 cli/opts/hosts_windows.go
 create mode 100644 cli/opts/ip.go
 create mode 100644 cli/opts/ip_test.go
 create mode 100644 cli/opts/mount.go
 create mode 100644 cli/opts/mount_test.go
 create mode 100644 cli/opts/network.go
 create mode 100644 cli/opts/network_test.go
 create mode 100644 cli/opts/opts.go
 create mode 100644 cli/opts/opts_test.go
 create mode 100644 cli/opts/opts_unix.go
 create mode 100644 cli/opts/opts_windows.go
 create mode 100644 cli/opts/parse.go
 create mode 100644 cli/opts/port.go
 create mode 100644 cli/opts/port_test.go
 create mode 100644 cli/opts/quotedstring.go
 create mode 100644 cli/opts/quotedstring_test.go
 create mode 100644 cli/opts/runtime.go
 create mode 100644 cli/opts/secret.go
 create mode 100644 cli/opts/secret_test.go
 create mode 100644 cli/opts/throttledevice.go
 create mode 100644 cli/opts/ulimit.go
 create mode 100644 cli/opts/ulimit_test.go
 create mode 100644 cli/opts/weightdevice.go
 create mode 100644 cli/poule.yml
 create mode 100755 cli/scripts/build/.variables
 create mode 100755 cli/scripts/build/binary
 create mode 100755 cli/scripts/build/cross
 create mode 100755 cli/scripts/build/dynbinary
 create mode 100755 cli/scripts/build/osx
 create mode 100755 cli/scripts/build/windows
 create mode 100755 cli/scripts/docs/generate-authors.sh
 create mode 100755 cli/scripts/docs/generate-man.sh
 create mode 100755 cli/scripts/docs/generate-yaml.sh
 create mode 100755 cli/scripts/gen/windows-resources
 create mode 100644 cli/scripts/make.ps1
 create mode 100755 cli/scripts/test/e2e/entry
 create mode 100755 cli/scripts/test/e2e/load-image
 create mode 100755 cli/scripts/test/e2e/run
 create mode 100755 cli/scripts/test/e2e/wait-on-daemon
 create mode 100755 cli/scripts/test/e2e/wrapper
 create mode 100755 cli/scripts/test/unit
 create mode 100755 cli/scripts/test/unit-with-coverage
 create mode 100755 cli/scripts/validate/check-git-diff
 create mode 100755 cli/scripts/validate/shellcheck
 create mode 100755 cli/scripts/warn-outside-container
 create mode 100644 cli/scripts/winresources/common.rc
 create mode 100644 cli/scripts/winresources/docker.exe.manifest
 create mode 100644 cli/scripts/winresources/docker.ico
 create mode 100644 cli/scripts/winresources/docker.png
 create mode 100644 cli/scripts/winresources/docker.rc
 create mode 100644 cli/service/logs/parse_logs.go
 create mode 100644 cli/service/logs/parse_logs_test.go
 create mode 100644 cli/templates/templates.go
 create mode 100644 cli/templates/templates_test.go
 create mode 100755 cli/vendor.conf
 create mode 100644 cli/vendor/github.com/Nvveen/Gotty/LICENSE
 create mode 100644 cli/vendor/github.com/Nvveen/Gotty/README
 create mode 100644 cli/vendor/github.com/Nvveen/Gotty/attributes.go
 create mode 100644 cli/vendor/github.com/Nvveen/Gotty/gotty.go
 create mode 100644 cli/vendor/github.com/Nvveen/Gotty/parser.go
 create mode 100644 cli/vendor/github.com/Nvveen/Gotty/types.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/LICENSE
 create mode 100644 cli/vendor/github.com/containerd/continuity/README.md
 create mode 100644 cli/vendor/github.com/containerd/continuity/pathdriver/path_driver.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/syscallx/syscall_unix.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/syscallx/syscall_windows.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/asm.s
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin_386.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin_amd64.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/chmod_freebsd.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/chmod_freebsd_amd64.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/chmod_linux.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/chmod_solaris.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/file_posix.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/nodata_linux.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/nodata_solaris.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/nodata_unix.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/sys.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/xattr.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin_386.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin_amd64.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/xattr_freebsd.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/xattr_linux.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/xattr_openbsd.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/xattr_solaris.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go
 create mode 100644 cli/vendor/github.com/containerd/continuity/vendor.conf
 create mode 100644 cli/vendor/github.com/gregjones/httpcache/LICENSE.txt
 create mode 100644 cli/vendor/github.com/gregjones/httpcache/README.md
 create mode 100644 cli/vendor/github.com/gregjones/httpcache/diskcache/diskcache.go
 create mode 100644 cli/vendor/github.com/gregjones/httpcache/httpcache.go
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/LICENSE
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/PATENTS
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/README.rst
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/README.md
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/client.go
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/errors.go
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/options.go
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/package.go
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/server.go
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/shared.go
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/README.md
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/command_line.proto
 create mode 100644 cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/store.proto
 create mode 100644 cli/vendor/github.com/howeyc/gopass/LICENSE.txt
 create mode 100644 cli/vendor/github.com/howeyc/gopass/README.md
 create mode 100644 cli/vendor/github.com/howeyc/gopass/pass.go
 create mode 100644 cli/vendor/github.com/howeyc/gopass/terminal.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/LICENSE
 create mode 100644 cli/vendor/github.com/moby/buildkit/README.md
 create mode 100644 cli/vendor/github.com/moby/buildkit/api/services/control/control.pb.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/api/services/control/control.proto
 create mode 100644 cli/vendor/github.com/moby/buildkit/api/services/control/generate.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/api/types/generate.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/api/types/worker.pb.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/api/types/worker.proto
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/client.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/client_unix.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/client_windows.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/diskusage.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/exporters.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/graph.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/llb/exec.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/llb/marshal.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/llb/meta.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/llb/resolver.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/llb/source.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/llb/state.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/prune.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/solve.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/client/workers.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/identity/randomid.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/auth/auth.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/auth/auth.pb.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/auth/auth.proto
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/auth/generate.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/context.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/filesync/diffcopy.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/filesync/filesync.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/filesync/filesync.pb.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/filesync/filesync.proto
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/filesync/generate.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/grpc.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/grpchijack/dial.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/grpchijack/hijack.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/manager.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/session/session.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/solver/pb/attr.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/solver/pb/const.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/solver/pb/generate.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/solver/pb/ops.pb.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/solver/pb/ops.proto
 create mode 100644 cli/vendor/github.com/moby/buildkit/solver/pb/platform.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext_unix.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext_windows.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_unix.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_windows.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/progress/progressui/display.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/progress/progressui/printer.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/system/path_unix.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/system/path_windows.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/system/seccomp_linux.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/system/seccomp_nolinux.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/util/system/seccomp_noseccomp.go
 create mode 100644 cli/vendor/github.com/moby/buildkit/vendor.conf
 create mode 100644 cli/vendor/github.com/morikuni/aec/LICENSE
 create mode 100644 cli/vendor/github.com/morikuni/aec/README.md
 create mode 100644 cli/vendor/github.com/morikuni/aec/aec.go
 create mode 100644 cli/vendor/github.com/morikuni/aec/ansi.go
 create mode 100644 cli/vendor/github.com/morikuni/aec/builder.go
 create mode 100644 cli/vendor/github.com/morikuni/aec/sgr.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/LICENSE
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/chtimes_linux.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/chtimes_nolinux.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/diff.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/diff_containerd.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/diff_containerd_linux.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/diskwriter.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/diskwriter_unix.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/diskwriter_windows.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/followlinks.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/generate.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/hardlinks.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/readme.md
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/receive.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/send.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/stat.pb.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/stat.proto
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/validator.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/walker.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/walker_unix.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/walker_windows.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/wire.pb.go
 create mode 100644 cli/vendor/github.com/tonistiigi/fsutil/wire.proto
 create mode 100644 cli/vendor/github.com/tonistiigi/units/LICENSE
 create mode 100644 cli/vendor/github.com/tonistiigi/units/bytes.go
 create mode 100644 cli/vendor/github.com/tonistiigi/units/readme.md
 create mode 100644 cli/vendor/k8s.io/api/LICENSE
 create mode 100644 cli/vendor/k8s.io/api/README.md
 create mode 100644 cli/vendor/k8s.io/api/admissionregistration/v1alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/admissionregistration/v1alpha1/register.go
 create mode 100644 cli/vendor/k8s.io/api/admissionregistration/v1alpha1/types.go
 create mode 100644 cli/vendor/k8s.io/api/admissionregistration/v1alpha1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/admissionregistration/v1alpha1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta1/register.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta1/types.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta2/doc.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta2/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta2/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta2/register.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta2/types.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta2/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/apps/v1beta2/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1/register.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1/types.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1beta1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1beta1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1beta1/register.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1beta1/types.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1beta1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/authentication/v1beta1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1/register.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1/types.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1beta1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1beta1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1beta1/register.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1beta1/types.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1beta1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/authorization/v1beta1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v1/register.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v1/types.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v2beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v2beta1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v2beta1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v2beta1/register.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v2beta1/types.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v2beta1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/autoscaling/v2beta1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/batch/v1/register.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1/types.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1beta1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1beta1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/batch/v1beta1/register.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1beta1/types.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1beta1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v1beta1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v2alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v2alpha1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v2alpha1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/batch/v2alpha1/register.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v2alpha1/types.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v2alpha1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/batch/v2alpha1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/certificates/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/certificates/v1beta1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/certificates/v1beta1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/certificates/v1beta1/register.go
 create mode 100644 cli/vendor/k8s.io/api/certificates/v1beta1/types.go
 create mode 100644 cli/vendor/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/annotation_key_constants.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/core/v1/meta.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/objectreference.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/register.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/resource.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/taint.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/toleration.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/types.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/core/v1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/extensions/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/extensions/v1beta1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/extensions/v1beta1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/extensions/v1beta1/register.go
 create mode 100644 cli/vendor/k8s.io/api/extensions/v1beta1/types.go
 create mode 100644 cli/vendor/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/networking/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/networking/v1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/networking/v1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/networking/v1/register.go
 create mode 100644 cli/vendor/k8s.io/api/networking/v1/types.go
 create mode 100644 cli/vendor/k8s.io/api/networking/v1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/networking/v1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/policy/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/policy/v1beta1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/policy/v1beta1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/policy/v1beta1/register.go
 create mode 100644 cli/vendor/k8s.io/api/policy/v1beta1/types.go
 create mode 100644 cli/vendor/k8s.io/api/policy/v1beta1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/policy/v1beta1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1/register.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1/types.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1alpha1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1alpha1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1alpha1/register.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1alpha1/types.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1alpha1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1alpha1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1beta1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1beta1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1beta1/register.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1beta1/types.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1beta1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/rbac/v1beta1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/scheduling/v1alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/scheduling/v1alpha1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/scheduling/v1alpha1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/scheduling/v1alpha1/register.go
 create mode 100644 cli/vendor/k8s.io/api/scheduling/v1alpha1/types.go
 create mode 100644 cli/vendor/k8s.io/api/scheduling/v1alpha1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/scheduling/v1alpha1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/settings/v1alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/settings/v1alpha1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/settings/v1alpha1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/settings/v1alpha1/register.go
 create mode 100644 cli/vendor/k8s.io/api/settings/v1alpha1/types.go
 create mode 100644 cli/vendor/k8s.io/api/settings/v1alpha1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/settings/v1alpha1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/storage/v1/register.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1/types.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1beta1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1beta1/generated.proto
 create mode 100644 cli/vendor/k8s.io/api/storage/v1beta1/register.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1beta1/types.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/api/storage/v1beta1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/LICENSE
 create mode 100644 cli/vendor/k8s.io/apimachinery/README.md
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/equality/semantic.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/errors/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/errors/errors.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/meta/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/meta/errors.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/meta/firsthit_restmapper.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/meta/help.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/meta/interfaces.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/meta/meta.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/meta/multirestmapper.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/meta/priority.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/meta/restmapper.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/meta/unstructured.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/resource/amount.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/resource/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/resource/math.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/resource/quantity.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/resource/scale_int.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/api/resource/suffix.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/conversion.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/register.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/types.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/zz_generated.conversion.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/controller_ref.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/conversion.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/duration.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/group_version.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/helpers.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/labels.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/meta.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_proto.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/register.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructured.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/watch.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.defaults.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/conversion.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/deepcopy.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.proto
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/register.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/types.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/types_swagger_doc_generated.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/zz_generated.defaults.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/conversion/cloner.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/conversion/converter.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/conversion/deep_equal.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/conversion/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/conversion/helper.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/conversion/queryparams/convert.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/conversion/queryparams/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/conversion/unstructured/converter.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/conversion/unstructured/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/fields/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/fields/fields.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/fields/requirements.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/fields/selector.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/labels/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/labels/labels.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/labels/selector.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/labels/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/codec.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/codec_check.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/conversion.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/embedded.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/error.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/extension.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/helper.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/interfaces.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/register.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/group_version.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/interfaces.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/scheme.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/scheme_builder.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/codec_factory.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/json/json.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/json/meta.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/negotiated_codec.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/protobuf.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf_extension.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/recognizer/recognizer.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/streaming/streaming.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/versioning/versioning.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/types.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/types_proto.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/runtime/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/selection/operator.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/types/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/types/namespacedname.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/types/nodename.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/types/patch.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/types/uid.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/cache/cache.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/cache/lruexpirecache.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/clock/clock.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/diff/diff.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/errors/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/errors/errors.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/framer/framer.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/intstr/intstr.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/json/json.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/net/http.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/net/interface.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/net/port_range.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/net/port_split.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/net/util.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/sets/byte.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/sets/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/sets/empty.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/sets/int.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/sets/int64.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/sets/string.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/validation/field/errors.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/validation/field/path.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/validation/validation.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/wait/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/util/yaml/decoder.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/version/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/version/types.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/watch/doc.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/watch/filter.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/watch/mux.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/watch/streamwatcher.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/watch/until.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/watch/watch.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/pkg/watch/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/apimachinery/third_party/forked/golang/reflect/deep_equal.go
 create mode 100644 cli/vendor/k8s.io/client-go/LICENSE
 create mode 100644 cli/vendor/k8s.io/client-go/README.md
 create mode 100644 cli/vendor/k8s.io/client-go/discovery/discovery_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/discovery/helper.go
 create mode 100644 cli/vendor/k8s.io/client-go/discovery/restmapper.go
 create mode 100644 cli/vendor/k8s.io/client-go/discovery/unstructured.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/clientset.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/import.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/scheme/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/scheme/register.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/admissionregistration_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/externaladmissionhookconfiguration.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/initializerconfiguration.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/apps_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/controllerrevision.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/deployment.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/scale.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/statefulset.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/apps_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/controllerrevision.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/daemonset.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/deployment.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/replicaset.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/scale.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/statefulset.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/authentication_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/tokenreview.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/tokenreview_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/authentication_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/tokenreview.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/tokenreview_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/authorization_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/localsubjectaccessreview.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/localsubjectaccessreview_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectaccessreview.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectaccessreview_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/subjectaccessreview.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/subjectaccessreview_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/authorization_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/localsubjectaccessreview.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/localsubjectaccessreview_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectaccessreview.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectaccessreview_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/subjectaccessreview.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/subjectaccessreview_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/autoscaling_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/horizontalpodautoscaler.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/autoscaling_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/horizontalpodautoscaler.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/batch_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/job.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/batch_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/cronjob.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/batch_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/cronjob.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificates_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificatesigningrequest.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificatesigningrequest_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/componentstatus.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/configmap.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/core_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/endpoints.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/event.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/event_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/limitrange.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/namespace.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/namespace_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/node.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/node_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/persistentvolume.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/persistentvolumeclaim.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/pod.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/pod_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/podtemplate.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/replicationcontroller.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/resourcequota.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/secret.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/service.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/service_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/serviceaccount.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/daemonset.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/deployment.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/deployment_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/extensions_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/ingress.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/podsecuritypolicy.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/replicaset.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/scale.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/scale_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/thirdpartyresource.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/networking_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/networkpolicy.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/eviction.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/eviction_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/poddisruptionbudget.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/policy_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/clusterrole.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/clusterrolebinding.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/rbac_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/role.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/rolebinding.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/clusterrole.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/clusterrolebinding.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/rbac_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/role.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/rolebinding.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/clusterrole.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/clusterrolebinding.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/rbac_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/role.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/rolebinding.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/priorityclass.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/scheduling_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/podpreset.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/settings_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/storage_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/storageclass.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/generated_expansion.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/storage_client.go
 create mode 100644 cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/storageclass.go
 create mode 100644 cli/vendor/k8s.io/client-go/pkg/version/base.go
 create mode 100644 cli/vendor/k8s.io/client-go/pkg/version/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/pkg/version/version.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/client.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/config.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/plugin.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/request.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/transport.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/url_utils.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/urlbackoff.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/versions.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/watch/decoder.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/watch/encoder.go
 create mode 100644 cli/vendor/k8s.io/client-go/rest/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/client-go/testing/actions.go
 create mode 100644 cli/vendor/k8s.io/client-go/testing/fake.go
 create mode 100644 cli/vendor/k8s.io/client-go/testing/fixture.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/auth/clientauth.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/controller.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/delta_fifo.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/expiration_cache.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/expiration_cache_fakes.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/fake_custom_store.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/fifo.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/heap.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/index.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/listers.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/listwatch.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/mutation_cache.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/mutation_detector.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/reflector.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/reflector_metrics.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/shared_informer.go
 create mode 100755 cli/vendor/k8s.io/client-go/tools/cache/store.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/thread_safe_store.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/cache/undelta_store.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/helpers.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/latest/latest.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/register.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/types.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/conversion.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/register.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/types.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/api/zz_generated.deepcopy.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/auth_loaders.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/client_config.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/config.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/doc.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/flag.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/helpers.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/loader.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/merged_client_builder.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/overrides.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/clientcmd/validation.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/metrics/metrics.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/pager/pager.go
 create mode 100644 cli/vendor/k8s.io/client-go/tools/reference/ref.go
 create mode 100644 cli/vendor/k8s.io/client-go/transport/cache.go
 create mode 100644 cli/vendor/k8s.io/client-go/transport/config.go
 create mode 100644 cli/vendor/k8s.io/client-go/transport/round_trippers.go
 create mode 100644 cli/vendor/k8s.io/client-go/transport/transport.go
 create mode 100644 cli/vendor/k8s.io/client-go/util/cert/cert.go
 create mode 100644 cli/vendor/k8s.io/client-go/util/cert/csr.go
 create mode 100644 cli/vendor/k8s.io/client-go/util/cert/io.go
 create mode 100644 cli/vendor/k8s.io/client-go/util/cert/pem.go
 create mode 100644 cli/vendor/k8s.io/client-go/util/flowcontrol/backoff.go
 create mode 100644 cli/vendor/k8s.io/client-go/util/flowcontrol/throttle.go
 create mode 100644 cli/vendor/k8s.io/client-go/util/homedir/homedir.go
 create mode 100644 cli/vendor/k8s.io/client-go/util/integer/integer.go
 create mode 100644 cli/vendor/k8s.io/kube-openapi/LICENSE
 create mode 100644 cli/vendor/k8s.io/kube-openapi/README.md
 create mode 100644 cli/vendor/k8s.io/kube-openapi/pkg/common/common.go
 create mode 100644 cli/vendor/k8s.io/kube-openapi/pkg/common/doc.go
 create mode 100644 cli/vendor/k8s.io/kubernetes/LICENSE
 create mode 100644 cli/vendor/k8s.io/kubernetes/README.md
 create mode 100644 cli/vendor/k8s.io/kubernetes/build/README.md
 create mode 100644 cli/vendor/k8s.io/kubernetes/build/pause/orphan.c
 create mode 100644 cli/vendor/k8s.io/kubernetes/build/pause/pause.c
 create mode 100644 cli/vendor/k8s.io/kubernetes/pkg/api/v1/pod/util.go
 create mode 100644 cli/vendor/k8s.io/kubernetes/third_party/protobuf/google/protobuf/compiler/plugin.proto
 create mode 100644 cli/vendor/k8s.io/kubernetes/third_party/protobuf/google/protobuf/descriptor.proto
 create mode 100644 cli/vendor/vbom.ml/util/LICENSE
 create mode 100644 cli/vendor/vbom.ml/util/README.md
 create mode 100644 cli/vendor/vbom.ml/util/sortorder/README.md
 create mode 100644 cli/vendor/vbom.ml/util/sortorder/doc.go
 create mode 100644 cli/vendor/vbom.ml/util/sortorder/natsort.go
 create mode 100644 components.conf
 create mode 100644 engine/.DEREK.yml
 create mode 100644 engine/.dockerignore
 create mode 100644 engine/.mailmap
 create mode 100644 engine/AUTHORS
 create mode 100644 engine/CHANGELOG.md
 create mode 100644 engine/CONTRIBUTING.md
 create mode 100644 engine/Dockerfile
 create mode 100644 engine/Dockerfile.e2e
 create mode 100644 engine/Dockerfile.simple
 create mode 100644 engine/Dockerfile.windows
 create mode 100644 engine/LICENSE
 create mode 100644 engine/MAINTAINERS
 create mode 100644 engine/Makefile
 create mode 100644 engine/NOTICE
 create mode 100644 engine/README.md
 create mode 100644 engine/ROADMAP.md
 create mode 100644 engine/TESTING.md
 create mode 100644 engine/VENDORING.md
 create mode 100644 engine/api/README.md
 create mode 100644 engine/api/common.go
 create mode 100644 engine/api/common_unix.go
 create mode 100644 engine/api/common_windows.go
 create mode 100644 engine/api/server/backend/build/backend.go
 create mode 100644 engine/api/server/backend/build/tag.go
 create mode 100644 engine/api/server/httputils/decoder.go
 create mode 100644 engine/api/server/httputils/errors.go
 create mode 100644 engine/api/server/httputils/form.go
 create mode 100644 engine/api/server/httputils/form_test.go
 create mode 100644 engine/api/server/httputils/httputils.go
 create mode 100644 engine/api/server/httputils/httputils_test.go
 create mode 100644 engine/api/server/httputils/httputils_write_json.go
 create mode 100644 engine/api/server/httputils/write_log_stream.go
 create mode 100644 engine/api/server/middleware.go
 create mode 100644 engine/api/server/middleware/cors.go
 create mode 100644 engine/api/server/middleware/debug.go
 create mode 100644 engine/api/server/middleware/debug_test.go
 create mode 100644 engine/api/server/middleware/experimental.go
 create mode 100644 engine/api/server/middleware/middleware.go
 create mode 100644 engine/api/server/middleware/version.go
 create mode 100644 engine/api/server/middleware/version_test.go
 create mode 100644 engine/api/server/router/build/backend.go
 create mode 100644 engine/api/server/router/build/build.go
 create mode 100644 engine/api/server/router/build/build_routes.go
 create mode 100644 engine/api/server/router/checkpoint/backend.go
 create mode 100644 engine/api/server/router/checkpoint/checkpoint.go
 create mode 100644 engine/api/server/router/checkpoint/checkpoint_routes.go
 create mode 100644 engine/api/server/router/container/backend.go
 create mode 100644 engine/api/server/router/container/container.go
 create mode 100644 engine/api/server/router/container/container_routes.go
 create mode 100644 engine/api/server/router/container/copy.go
 create mode 100644 engine/api/server/router/container/exec.go
 create mode 100644 engine/api/server/router/container/inspect.go
 create mode 100644 engine/api/server/router/debug/debug.go
 create mode 100644 engine/api/server/router/debug/debug_routes.go
 create mode 100644 engine/api/server/router/distribution/backend.go
 create mode 100644 engine/api/server/router/distribution/distribution.go
 create mode 100644 engine/api/server/router/distribution/distribution_routes.go
 create mode 100644 engine/api/server/router/experimental.go
 create mode 100644 engine/api/server/router/image/backend.go
 create mode 100644 engine/api/server/router/image/image.go
 create mode 100644 engine/api/server/router/image/image_routes.go
 create mode 100644 engine/api/server/router/local.go
 create mode 100644 engine/api/server/router/network/backend.go
 create mode 100644 engine/api/server/router/network/filter.go
 create mode 100644 engine/api/server/router/network/filter_test.go
 create mode 100644 engine/api/server/router/network/network.go
 create mode 100644 engine/api/server/router/network/network_routes.go
 create mode 100644 engine/api/server/router/plugin/backend.go
 create mode 100644 engine/api/server/router/plugin/plugin.go
 create mode 100644 engine/api/server/router/plugin/plugin_routes.go
 create mode 100644 engine/api/server/router/router.go
 create mode 100644 engine/api/server/router/session/backend.go
 create mode 100644 engine/api/server/router/session/session.go
 create mode 100644 engine/api/server/router/session/session_routes.go
 create mode 100644 engine/api/server/router/swarm/backend.go
 create mode 100644 engine/api/server/router/swarm/cluster.go
 create mode 100644 engine/api/server/router/swarm/cluster_routes.go
 create mode 100644 engine/api/server/router/swarm/helpers.go
 create mode 100644 engine/api/server/router/system/backend.go
 create mode 100644 engine/api/server/router/system/system.go
 create mode 100644 engine/api/server/router/system/system_routes.go
 create mode 100644 engine/api/server/router/volume/backend.go
 create mode 100644 engine/api/server/router/volume/volume.go
 create mode 100644 engine/api/server/router/volume/volume_routes.go
 create mode 100644 engine/api/server/router_swapper.go
 create mode 100644 engine/api/server/server.go
 create mode 100644 engine/api/server/server_test.go
 create mode 100644 engine/api/swagger-gen.yaml
 create mode 100644 engine/api/swagger.yaml
 create mode 100644 engine/api/templates/server/operation.gotmpl
 create mode 100644 engine/api/types/auth.go
 create mode 100644 engine/api/types/backend/backend.go
 create mode 100644 engine/api/types/backend/build.go
 create mode 100644 engine/api/types/blkiodev/blkio.go
 create mode 100644 engine/api/types/client.go
 create mode 100644 engine/api/types/configs.go
 create mode 100644 engine/api/types/container/config.go
 create mode 100644 engine/api/types/container/container_changes.go
 create mode 100644 engine/api/types/container/container_create.go
 create mode 100644 engine/api/types/container/container_top.go
 create mode 100644 engine/api/types/container/container_update.go
 create mode 100644 engine/api/types/container/container_wait.go
 create mode 100644 engine/api/types/container/host_config.go
 create mode 100644 engine/api/types/container/hostconfig_unix.go
 create mode 100644 engine/api/types/container/hostconfig_windows.go
 create mode 100644 engine/api/types/container/waitcondition.go
 create mode 100644 engine/api/types/error_response.go
 create mode 100644 engine/api/types/events/events.go
 create mode 100644 engine/api/types/filters/example_test.go
 create mode 100644 engine/api/types/filters/parse.go
 create mode 100644 engine/api/types/filters/parse_test.go
 create mode 100644 engine/api/types/graph_driver_data.go
 create mode 100644 engine/api/types/id_response.go
 create mode 100644 engine/api/types/image/image_history.go
 create mode 100644 engine/api/types/image_delete_response_item.go
 create mode 100644 engine/api/types/image_summary.go
 create mode 100644 engine/api/types/mount/mount.go
 create mode 100644 engine/api/types/network/network.go
 create mode 100644 engine/api/types/plugin.go
 create mode 100644 engine/api/types/plugin_device.go
 create mode 100644 engine/api/types/plugin_env.go
 create mode 100644 engine/api/types/plugin_interface_type.go
 create mode 100644 engine/api/types/plugin_mount.go
 create mode 100644 engine/api/types/plugin_responses.go
 create mode 100644 engine/api/types/plugins/logdriver/entry.pb.go
 create mode 100644 engine/api/types/plugins/logdriver/entry.proto
 create mode 100644 engine/api/types/plugins/logdriver/gen.go
 create mode 100644 engine/api/types/plugins/logdriver/io.go
 create mode 100644 engine/api/types/port.go
 create mode 100644 engine/api/types/registry/authenticate.go
 create mode 100644 engine/api/types/registry/registry.go
 create mode 100644 engine/api/types/seccomp.go
 create mode 100644 engine/api/types/service_update_response.go
 create mode 100644 engine/api/types/stats.go
 create mode 100644 engine/api/types/strslice/strslice.go
 create mode 100644 engine/api/types/strslice/strslice_test.go
 create mode 100644 engine/api/types/swarm/common.go
 create mode 100644 engine/api/types/swarm/config.go
 create mode 100644 engine/api/types/swarm/container.go
 create mode 100644 engine/api/types/swarm/network.go
 create mode 100644 engine/api/types/swarm/node.go
 create mode 100644 engine/api/types/swarm/runtime.go
 create mode 100644 engine/api/types/swarm/runtime/gen.go
 create mode 100644 engine/api/types/swarm/runtime/plugin.pb.go
 create mode 100644 engine/api/types/swarm/runtime/plugin.proto
 create mode 100644 engine/api/types/swarm/secret.go
 create mode 100644 engine/api/types/swarm/service.go
 create mode 100644 engine/api/types/swarm/swarm.go
 create mode 100644 engine/api/types/swarm/task.go
 create mode 100644 engine/api/types/time/duration_convert.go
 create mode 100644 engine/api/types/time/duration_convert_test.go
 create mode 100644 engine/api/types/time/timestamp.go
 create mode 100644 engine/api/types/time/timestamp_test.go
 create mode 100644 engine/api/types/types.go
 create mode 100644 engine/api/types/versions/README.md
 create mode 100644 engine/api/types/versions/compare.go
 create mode 100644 engine/api/types/versions/compare_test.go
 create mode 100644 engine/api/types/versions/v1p19/types.go
 create mode 100644 engine/api/types/versions/v1p20/types.go
 create mode 100644 engine/api/types/volume.go
 create mode 100644 engine/api/types/volume/volume_create.go
 create mode 100644 engine/api/types/volume/volume_list.go
 create mode 100644 engine/builder/builder-next/adapters/containerimage/pull.go
 create mode 100644 engine/builder/builder-next/adapters/snapshot/layer.go
 create mode 100644 engine/builder/builder-next/adapters/snapshot/snapshot.go
 create mode 100644 engine/builder/builder-next/builder.go
 create mode 100644 engine/builder/builder-next/controller.go
 create mode 100644 engine/builder/builder-next/executor_unix.go
 create mode 100644 engine/builder/builder-next/executor_windows.go
 create mode 100644 engine/builder/builder-next/exporter/export.go
 create mode 100644 engine/builder/builder-next/exporter/writer.go
 create mode 100644 engine/builder/builder-next/reqbodyhandler.go
 create mode 100644 engine/builder/builder-next/worker/worker.go
 create mode 100644 engine/builder/builder.go
 create mode 100644 engine/builder/dockerfile/buildargs.go
 create mode 100644 engine/builder/dockerfile/buildargs_test.go
 create mode 100644 engine/builder/dockerfile/builder.go
 create mode 100644 engine/builder/dockerfile/builder_unix.go
 create mode 100644 engine/builder/dockerfile/builder_windows.go
 create mode 100644 engine/builder/dockerfile/clientsession.go
 create mode 100644 engine/builder/dockerfile/containerbackend.go
 create mode 100644 engine/builder/dockerfile/copy.go
 create mode 100644 engine/builder/dockerfile/copy_test.go
 create mode 100644 engine/builder/dockerfile/copy_unix.go
 create mode 100644 engine/builder/dockerfile/copy_windows.go
 create mode 100644 engine/builder/dockerfile/dispatchers.go
 create mode 100644 engine/builder/dockerfile/dispatchers_test.go
 create mode 100644 engine/builder/dockerfile/dispatchers_unix.go
 create mode 100644 engine/builder/dockerfile/dispatchers_unix_test.go
 create mode 100644 engine/builder/dockerfile/dispatchers_windows.go
 create mode 100644 engine/builder/dockerfile/dispatchers_windows_test.go
 create mode 100644 engine/builder/dockerfile/evaluator.go
 create mode 100644 engine/builder/dockerfile/evaluator_test.go
 create mode 100644 engine/builder/dockerfile/imagecontext.go
 create mode 100644 engine/builder/dockerfile/imageprobe.go
 create mode 100644 engine/builder/dockerfile/internals.go
 create mode 100644 engine/builder/dockerfile/internals_linux.go
 create mode 100644 engine/builder/dockerfile/internals_linux_test.go
 create mode 100644 engine/builder/dockerfile/internals_test.go
 create mode 100644 engine/builder/dockerfile/internals_windows.go
 create mode 100644 engine/builder/dockerfile/internals_windows_test.go
 create mode 100644 engine/builder/dockerfile/metrics.go
 create mode 100644 engine/builder/dockerfile/mockbackend_test.go
 create mode 100644 engine/builder/dockerfile/utils_test.go
 create mode 100644 engine/builder/dockerignore/dockerignore.go
 create mode 100644 engine/builder/dockerignore/dockerignore_test.go
 create mode 100644 engine/builder/fscache/fscache.go
 create mode 100644 engine/builder/fscache/fscache_test.go
 create mode 100644 engine/builder/fscache/naivedriver.go
 create mode 100644 engine/builder/remotecontext/archive.go
 create mode 100644 engine/builder/remotecontext/detect.go
 create mode 100644 engine/builder/remotecontext/detect_test.go
 create mode 100644 engine/builder/remotecontext/filehash.go
 create mode 100644 engine/builder/remotecontext/generate.go
 create mode 100644 engine/builder/remotecontext/git.go
 create mode 100644 engine/builder/remotecontext/git/gitutils.go
 create mode 100644 engine/builder/remotecontext/git/gitutils_test.go
 create mode 100644 engine/builder/remotecontext/lazycontext.go
 create mode 100644 engine/builder/remotecontext/mimetype.go
 create mode 100644 engine/builder/remotecontext/mimetype_test.go
 create mode 100644 engine/builder/remotecontext/remote.go
 create mode 100644 engine/builder/remotecontext/remote_test.go
 create mode 100644 engine/builder/remotecontext/tarsum.go
 create mode 100644 engine/builder/remotecontext/tarsum.pb.go
 create mode 100644 engine/builder/remotecontext/tarsum.proto
 create mode 100644 engine/builder/remotecontext/tarsum_test.go
 create mode 100644 engine/builder/remotecontext/utils_test.go
 create mode 100644 engine/cli/cobra.go
 create mode 100644 engine/cli/config/configdir.go
 create mode 100644 engine/cli/debug/debug.go
 create mode 100644 engine/cli/debug/debug_test.go
 create mode 100644 engine/cli/error.go
 create mode 100644 engine/cli/required.go
 create mode 100644 engine/client/README.md
 create mode 100644 engine/client/build_cancel.go
 create mode 100644 engine/client/build_prune.go
 create mode 100644 engine/client/checkpoint_create.go
 create mode 100644 engine/client/checkpoint_create_test.go
 create mode 100644 engine/client/checkpoint_delete.go
 create mode 100644 engine/client/checkpoint_delete_test.go
 create mode 100644 engine/client/checkpoint_list.go
 create mode 100644 engine/client/checkpoint_list_test.go
 create mode 100644 engine/client/client.go
 create mode 100644 engine/client/client_mock_test.go
 create mode 100644 engine/client/client_test.go
 create mode 100644 engine/client/client_unix.go
 create mode 100644 engine/client/client_windows.go
 create mode 100644 engine/client/config_create.go
 create mode 100644 engine/client/config_create_test.go
 create mode 100644 engine/client/config_inspect.go
 create mode 100644 engine/client/config_inspect_test.go
 create mode 100644 engine/client/config_list.go
 create mode 100644 engine/client/config_list_test.go
 create mode 100644 engine/client/config_remove.go
 create mode 100644 engine/client/config_remove_test.go
 create mode 100644 engine/client/config_update.go
 create mode 100644 engine/client/config_update_test.go
 create mode 100644 engine/client/container_attach.go
 create mode 100644 engine/client/container_commit.go
 create mode 100644 engine/client/container_commit_test.go
 create mode 100644 engine/client/container_copy.go
 create mode 100644 engine/client/container_copy_test.go
 create mode 100644 engine/client/container_create.go
 create mode 100644 engine/client/container_create_test.go
 create mode 100644 engine/client/container_diff.go
 create mode 100644 engine/client/container_diff_test.go
 create mode 100644 engine/client/container_exec.go
 create mode 100644 engine/client/container_exec_test.go
 create mode 100644 engine/client/container_export.go
 create mode 100644 engine/client/container_export_test.go
 create mode 100644 engine/client/container_inspect.go
 create mode 100644 engine/client/container_inspect_test.go
 create mode 100644 engine/client/container_kill.go
 create mode 100644 engine/client/container_kill_test.go
 create mode 100644 engine/client/container_list.go
 create mode 100644 engine/client/container_list_test.go
 create mode 100644 engine/client/container_logs.go
 create mode 100644 engine/client/container_logs_test.go
 create mode 100644 engine/client/container_pause.go
 create mode 100644 engine/client/container_pause_test.go
 create mode 100644 engine/client/container_prune.go
 create mode 100644 engine/client/container_prune_test.go
 create mode 100644 engine/client/container_remove.go
 create mode 100644 engine/client/container_remove_test.go
 create mode 100644 engine/client/container_rename.go
 create mode 100644 engine/client/container_rename_test.go
 create mode 100644 engine/client/container_resize.go
 create mode 100644 engine/client/container_resize_test.go
 create mode 100644 engine/client/container_restart.go
 create mode 100644 engine/client/container_restart_test.go
 create mode 100644 engine/client/container_start.go
 create mode 100644 engine/client/container_start_test.go
 create mode 100644 engine/client/container_stats.go
 create mode 100644 engine/client/container_stats_test.go
 create mode 100644 engine/client/container_stop.go
 create mode 100644 engine/client/container_stop_test.go
 create mode 100644 engine/client/container_top.go
 create mode 100644 engine/client/container_top_test.go
 create mode 100644 engine/client/container_unpause.go
 create mode 100644 engine/client/container_unpause_test.go
 create mode 100644 engine/client/container_update.go
 create mode 100644 engine/client/container_update_test.go
 create mode 100644 engine/client/container_wait.go
 create mode 100644 engine/client/container_wait_test.go
 create mode 100644 engine/client/disk_usage.go
 create mode 100644 engine/client/disk_usage_test.go
 create mode 100644 engine/client/distribution_inspect.go
 create mode 100644 engine/client/distribution_inspect_test.go
 create mode 100644 engine/client/errors.go
 create mode 100644 engine/client/events.go
 create mode 100644 engine/client/events_test.go
 create mode 100644 engine/client/hijack.go
 create mode 100644 engine/client/hijack_test.go
 create mode 100644 engine/client/image_build.go
 create mode 100644 engine/client/image_build_test.go
 create mode 100644 engine/client/image_create.go
 create mode 100644 engine/client/image_create_test.go
 create mode 100644 engine/client/image_history.go
 create mode 100644 engine/client/image_history_test.go
 create mode 100644 engine/client/image_import.go
 create mode 100644 engine/client/image_import_test.go
 create mode 100644 engine/client/image_inspect.go
 create mode 100644 engine/client/image_inspect_test.go
 create mode 100644 engine/client/image_list.go
 create mode 100644 engine/client/image_list_test.go
 create mode 100644 engine/client/image_load.go
 create mode 100644 engine/client/image_load_test.go
 create mode 100644 engine/client/image_prune.go
 create mode 100644 engine/client/image_prune_test.go
 create mode 100644 engine/client/image_pull.go
 create mode 100644 engine/client/image_pull_test.go
 create mode 100644 engine/client/image_push.go
 create mode 100644 engine/client/image_push_test.go
 create mode 100644 engine/client/image_remove.go
 create mode 100644 engine/client/image_remove_test.go
 create mode 100644 engine/client/image_save.go
 create mode 100644 engine/client/image_save_test.go
 create mode 100644 engine/client/image_search.go
 create mode 100644 engine/client/image_search_test.go
 create mode 100644 engine/client/image_tag.go
 create mode 100644 engine/client/image_tag_test.go
 create mode 100644 engine/client/info.go
 create mode 100644 engine/client/info_test.go
 create mode 100644 engine/client/interface.go
 create mode 100644 engine/client/interface_experimental.go
 create mode 100644 engine/client/interface_stable.go
 create mode 100644 engine/client/login.go
 create mode 100644 engine/client/network_connect.go
 create mode 100644 engine/client/network_connect_test.go
 create mode 100644 engine/client/network_create.go
 create mode 100644 engine/client/network_create_test.go
 create mode 100644 engine/client/network_disconnect.go
 create mode 100644 engine/client/network_disconnect_test.go
 create mode 100644 engine/client/network_inspect.go
 create mode 100644 engine/client/network_inspect_test.go
 create mode 100644 engine/client/network_list.go
 create mode 100644 engine/client/network_list_test.go
 create mode 100644 engine/client/network_prune.go
 create mode 100644 engine/client/network_prune_test.go
 create mode 100644 engine/client/network_remove.go
 create mode 100644 engine/client/network_remove_test.go
 create mode 100644 engine/client/node_inspect.go
 create mode 100644 engine/client/node_inspect_test.go
 create mode 100644 engine/client/node_list.go
 create mode 100644 engine/client/node_list_test.go
 create mode 100644 engine/client/node_remove.go
 create mode 100644 engine/client/node_remove_test.go
 create mode 100644 engine/client/node_update.go
 create mode 100644 engine/client/node_update_test.go
 create mode 100644 engine/client/ping.go
 create mode 100644 engine/client/ping_test.go
 create mode 100644 engine/client/plugin_create.go
 create mode 100644 engine/client/plugin_disable.go
 create mode 100644 engine/client/plugin_disable_test.go
 create mode 100644 engine/client/plugin_enable.go
 create mode 100644 engine/client/plugin_enable_test.go
 create mode 100644 engine/client/plugin_inspect.go
 create mode 100644 engine/client/plugin_inspect_test.go
 create mode 100644 engine/client/plugin_install.go
 create mode 100644 engine/client/plugin_list.go
 create mode 100644 engine/client/plugin_list_test.go
 create mode 100644 engine/client/plugin_push.go
 create mode 100644 engine/client/plugin_push_test.go
 create mode 100644 engine/client/plugin_remove.go
 create mode 100644 engine/client/plugin_remove_test.go
 create mode 100644 engine/client/plugin_set.go
 create mode 100644 engine/client/plugin_set_test.go
 create mode 100644 engine/client/plugin_upgrade.go
 create mode 100644 engine/client/request.go
 create mode 100644 engine/client/request_test.go
 create mode 100644 engine/client/secret_create.go
 create mode 100644 engine/client/secret_create_test.go
 create mode 100644 engine/client/secret_inspect.go
 create mode 100644 engine/client/secret_inspect_test.go
 create mode 100644 engine/client/secret_list.go
 create mode 100644 engine/client/secret_list_test.go
 create mode 100644 engine/client/secret_remove.go
 create mode 100644 engine/client/secret_remove_test.go
 create mode 100644 engine/client/secret_update.go
 create mode 100644 engine/client/secret_update_test.go
 create mode 100644 engine/client/service_create.go
 create mode 100644 engine/client/service_create_test.go
 create mode 100644 engine/client/service_inspect.go
 create mode 100644 engine/client/service_inspect_test.go
 create mode 100644 engine/client/service_list.go
 create mode 100644 engine/client/service_list_test.go
 create mode 100644 engine/client/service_logs.go
 create mode 100644 engine/client/service_logs_test.go
 create mode 100644 engine/client/service_remove.go
 create mode 100644 engine/client/service_remove_test.go
 create mode 100644 engine/client/service_update.go
 create mode 100644 engine/client/service_update_test.go
 create mode 100644 engine/client/session.go
 create mode 100644 engine/client/swarm_get_unlock_key.go
 create mode 100644 engine/client/swarm_get_unlock_key_test.go
 create mode 100644 engine/client/swarm_init.go
 create mode 100644 engine/client/swarm_init_test.go
 create mode 100644 engine/client/swarm_inspect.go
 create mode 100644 engine/client/swarm_inspect_test.go
 create mode 100644 engine/client/swarm_join.go
 create mode 100644 engine/client/swarm_join_test.go
 create mode 100644 engine/client/swarm_leave.go
 create mode 100644 engine/client/swarm_leave_test.go
 create mode 100644 engine/client/swarm_unlock.go
 create mode 100644 engine/client/swarm_unlock_test.go
 create mode 100644 engine/client/swarm_update.go
 create mode 100644 engine/client/swarm_update_test.go
 create mode 100644 engine/client/task_inspect.go
 create mode 100644 engine/client/task_inspect_test.go
 create mode 100644 engine/client/task_list.go
 create mode 100644 engine/client/task_list_test.go
 create mode 100644 engine/client/task_logs.go
 create mode 100644 engine/client/testdata/ca.pem
 create mode 100644 engine/client/testdata/cert.pem
 create mode 100644 engine/client/testdata/key.pem
 create mode 100644 engine/client/transport.go
 create mode 100644 engine/client/utils.go
 create mode 100644 engine/client/version.go
 create mode 100644 engine/client/volume_create.go
 create mode 100644 engine/client/volume_create_test.go
 create mode 100644 engine/client/volume_inspect.go
 create mode 100644 engine/client/volume_inspect_test.go
 create mode 100644 engine/client/volume_list.go
 create mode 100644 engine/client/volume_list_test.go
 create mode 100644 engine/client/volume_prune.go
 create mode 100644 engine/client/volume_remove.go
 create mode 100644 engine/client/volume_remove_test.go
 create mode 100644 engine/cmd/dockerd/README.md
 create mode 100644 engine/cmd/dockerd/config.go
 create mode 100644 engine/cmd/dockerd/config_common_unix.go
 create mode 100644 engine/cmd/dockerd/config_unix.go
 create mode 100644 engine/cmd/dockerd/config_unix_test.go
 create mode 100644 engine/cmd/dockerd/config_windows.go
 create mode 100644 engine/cmd/dockerd/daemon.go
 create mode 100644 engine/cmd/dockerd/daemon_freebsd.go
 create mode 100644 engine/cmd/dockerd/daemon_linux.go
 create mode 100644 engine/cmd/dockerd/daemon_test.go
 create mode 100644 engine/cmd/dockerd/daemon_unix.go
 create mode 100644 engine/cmd/dockerd/daemon_unix_test.go
 create mode 100644 engine/cmd/dockerd/daemon_windows.go
 create mode 100644 engine/cmd/dockerd/docker.go
 create mode 100644 engine/cmd/dockerd/docker_unix.go
 create mode 100644 engine/cmd/dockerd/docker_windows.go
 create mode 100644 engine/cmd/dockerd/hack/malformed_host_override.go
 create mode 100644 engine/cmd/dockerd/hack/malformed_host_override_test.go
 create mode 100644 engine/cmd/dockerd/metrics.go
 create mode 100644 engine/cmd/dockerd/options.go
 create mode 100644 engine/cmd/dockerd/options_test.go
 create mode 100644 engine/cmd/dockerd/service_unsupported.go
 create mode 100644 engine/cmd/dockerd/service_windows.go
 create mode 100644 engine/codecov.yml
 create mode 100644 engine/container/archive.go
 create mode 100644 engine/container/container.go
 create mode 100644 engine/container/container_unit_test.go
 create mode 100644 engine/container/container_unix.go
 create mode 100644 engine/container/container_windows.go
 create mode 100644 engine/container/env.go
 create mode 100644 engine/container/env_test.go
 create mode 100644 engine/container/health.go
 create mode 100644 engine/container/history.go
 create mode 100644 engine/container/memory_store.go
 create mode 100644 engine/container/memory_store_test.go
 create mode 100644 engine/container/monitor.go
 create mode 100644 engine/container/mounts_unix.go
 create mode 100644 engine/container/mounts_windows.go
 create mode 100644 engine/container/state.go
 create mode 100644 engine/container/state_test.go
 create mode 100644 engine/container/store.go
 create mode 100644 engine/container/stream/attach.go
 create mode 100644 engine/container/stream/streams.go
 create mode 100644 engine/container/view.go
 create mode 100644 engine/container/view_test.go
 create mode 100644 engine/contrib/README.md
 create mode 100644 engine/contrib/REVIEWERS
 create mode 100644 engine/contrib/apparmor/main.go
 create mode 100644 engine/contrib/apparmor/template.go
 create mode 100755 engine/contrib/check-config.sh
 create mode 100644 engine/contrib/desktop-integration/README.md
 create mode 100644 engine/contrib/desktop-integration/chromium/Dockerfile
 create mode 100644 engine/contrib/desktop-integration/gparted/Dockerfile
 create mode 100644 engine/contrib/docker-device-tool/README.md
 create mode 100644 engine/contrib/docker-device-tool/device_tool.go
 create mode 100644 engine/contrib/docker-device-tool/device_tool_windows.go
 create mode 100755 engine/contrib/docker-machine-install-bundle.sh
 create mode 100755 engine/contrib/dockerize-disk.sh
 create mode 100755 engine/contrib/download-frozen-image-v1.sh
 create mode 100755 engine/contrib/download-frozen-image-v2.sh
 create mode 100644 engine/contrib/editorconfig
 create mode 100644 engine/contrib/gitdm/aliases
 create mode 100644 engine/contrib/gitdm/domain-map
 create mode 100755 engine/contrib/gitdm/generate_aliases.sh
 create mode 100644 engine/contrib/gitdm/gitdm.config
 create mode 100644 engine/contrib/httpserver/Dockerfile
 create mode 100644 engine/contrib/httpserver/server.go
 create mode 100644 engine/contrib/init/openrc/docker.confd
 create mode 100644 engine/contrib/init/openrc/docker.initd
 create mode 100644 engine/contrib/init/systemd/REVIEWERS
 create mode 100644 engine/contrib/init/systemd/docker.service
 create mode 100644 engine/contrib/init/systemd/docker.service.rpm
 create mode 100644 engine/contrib/init/systemd/docker.socket
 create mode 100755 engine/contrib/init/sysvinit-debian/docker
 create mode 100644 engine/contrib/init/sysvinit-debian/docker.default
 create mode 100755 engine/contrib/init/sysvinit-redhat/docker
 create mode 100644 engine/contrib/init/sysvinit-redhat/docker.sysconfig
 create mode 100644 engine/contrib/init/upstart/REVIEWERS
 create mode 100644 engine/contrib/init/upstart/docker.conf
 create mode 100755 engine/contrib/mac-install-bundle.sh
 create mode 100755 engine/contrib/mkimage-alpine.sh
 create mode 100644 engine/contrib/mkimage-arch-pacman.conf
 create mode 100755 engine/contrib/mkimage-arch.sh
 create mode 100644 engine/contrib/mkimage-archarm-pacman.conf
 create mode 100755 engine/contrib/mkimage-crux.sh
 create mode 100755 engine/contrib/mkimage-pld.sh
 create mode 100755 engine/contrib/mkimage-yum.sh
 create mode 100755 engine/contrib/mkimage.sh
 create mode 100755 engine/contrib/mkimage/.febootstrap-minimize
 create mode 100755 engine/contrib/mkimage/busybox-static
 create mode 100755 engine/contrib/mkimage/debootstrap
 create mode 100755 engine/contrib/mkimage/mageia-urpmi
 create mode 100755 engine/contrib/mkimage/rinse
 create mode 100644 engine/contrib/nnp-test/Dockerfile
 create mode 100644 engine/contrib/nnp-test/nnp-test.c
 create mode 100755 engine/contrib/nuke-graph-directory.sh
 create mode 100755 engine/contrib/report-issue.sh
 create mode 100644 engine/contrib/syntax/nano/Dockerfile.nanorc
 create mode 100644 engine/contrib/syntax/nano/README.md
 create mode 100644 engine/contrib/syntax/textmate/Docker.tmbundle/Preferences/Dockerfile.tmPreferences
 create mode 100644 engine/contrib/syntax/textmate/Docker.tmbundle/Syntaxes/Dockerfile.tmLanguage
 create mode 100644 engine/contrib/syntax/textmate/Docker.tmbundle/info.plist
 create mode 100644 engine/contrib/syntax/textmate/README.md
 create mode 100644 engine/contrib/syntax/textmate/REVIEWERS
 create mode 100644 engine/contrib/syntax/vim/LICENSE
 create mode 100644 engine/contrib/syntax/vim/README.md
 create mode 100644 engine/contrib/syntax/vim/doc/dockerfile.txt
 create mode 100644 engine/contrib/syntax/vim/ftdetect/dockerfile.vim
 create mode 100644 engine/contrib/syntax/vim/syntax/dockerfile.vim
 create mode 100644 engine/contrib/syscall-test/Dockerfile
 create mode 100644 engine/contrib/syscall-test/acct.c
 create mode 100644 engine/contrib/syscall-test/exit32.s
 create mode 100644 engine/contrib/syscall-test/ns.c
 create mode 100644 engine/contrib/syscall-test/raw.c
 create mode 100644 engine/contrib/syscall-test/setgid.c
 create mode 100644 engine/contrib/syscall-test/setuid.c
 create mode 100644 engine/contrib/syscall-test/socket.c
 create mode 100644 engine/contrib/syscall-test/userns.c
 create mode 100644 engine/contrib/udev/80-docker.rules
 create mode 100644 engine/contrib/vagrant-docker/README.md
 create mode 100644 engine/daemon/apparmor_default.go
 create mode 100644 engine/daemon/apparmor_default_unsupported.go
 create mode 100644 engine/daemon/archive.go
 create mode 100644 engine/daemon/archive_tarcopyoptions.go
 create mode 100644 engine/daemon/archive_tarcopyoptions_unix.go
 create mode 100644 engine/daemon/archive_tarcopyoptions_windows.go
 create mode 100644 engine/daemon/archive_unix.go
 create mode 100644 engine/daemon/archive_windows.go
 create mode 100644 engine/daemon/attach.go
 create mode 100644 engine/daemon/auth.go
 create mode 100644 engine/daemon/bindmount_unix.go
 create mode 100644 engine/daemon/caps/utils.go
 create mode 100644 engine/daemon/changes.go
 create mode 100644 engine/daemon/checkpoint.go
 create mode 100644 engine/daemon/cluster.go
 create mode 100644 engine/daemon/cluster/cluster.go
 create mode 100644 engine/daemon/cluster/configs.go
 create mode 100644 engine/daemon/cluster/controllers/plugin/controller.go
 create mode 100644 engine/daemon/cluster/controllers/plugin/controller_test.go
 create mode 100644 engine/daemon/cluster/convert/config.go
 create mode 100644 engine/daemon/cluster/convert/container.go
 create mode 100644 engine/daemon/cluster/convert/network.go
 create mode 100644 engine/daemon/cluster/convert/network_test.go
 create mode 100644 engine/daemon/cluster/convert/node.go
 create mode 100644 engine/daemon/cluster/convert/secret.go
 create mode 100644 engine/daemon/cluster/convert/service.go
 create mode 100644 engine/daemon/cluster/convert/service_test.go
 create mode 100644 engine/daemon/cluster/convert/swarm.go
 create mode 100644 engine/daemon/cluster/convert/task.go
 create mode 100644 engine/daemon/cluster/errors.go
 create mode 100644 engine/daemon/cluster/executor/backend.go
 create mode 100644 engine/daemon/cluster/executor/container/adapter.go
 create mode 100644 engine/daemon/cluster/executor/container/attachment.go
 create mode 100644 engine/daemon/cluster/executor/container/container.go
 create mode 100644 engine/daemon/cluster/executor/container/container_test.go
 create mode 100644 engine/daemon/cluster/executor/container/controller.go
 create mode 100644 engine/daemon/cluster/executor/container/errors.go
 create mode 100644 engine/daemon/cluster/executor/container/executor.go
 create mode 100644 engine/daemon/cluster/executor/container/health_test.go
 create mode 100644 engine/daemon/cluster/executor/container/validate.go
 create mode 100644 engine/daemon/cluster/executor/container/validate_test.go
 create mode 100644 engine/daemon/cluster/executor/container/validate_unix_test.go
 create mode 100644 engine/daemon/cluster/executor/container/validate_windows_test.go
 create mode 100644 engine/daemon/cluster/filters.go
 create mode 100644 engine/daemon/cluster/filters_test.go
 create mode 100644 engine/daemon/cluster/helpers.go
 create mode 100644 engine/daemon/cluster/listen_addr.go
 create mode 100644 engine/daemon/cluster/listen_addr_linux.go
 create mode 100644 engine/daemon/cluster/listen_addr_others.go
 create mode 100644 engine/daemon/cluster/networks.go
 create mode 100644 engine/daemon/cluster/noderunner.go
 create mode 100644 engine/daemon/cluster/nodes.go
 create mode 100644 engine/daemon/cluster/provider/network.go
 create mode 100644 engine/daemon/cluster/secrets.go
 create mode 100644 engine/daemon/cluster/services.go
 create mode 100644 engine/daemon/cluster/swarm.go
 create mode 100644 engine/daemon/cluster/tasks.go
 create mode 100644 engine/daemon/cluster/utils.go
 create mode 100644 engine/daemon/commit.go
 create mode 100644 engine/daemon/config/config.go
 create mode 100644 engine/daemon/config/config_common_unix.go
 create mode 100644 engine/daemon/config/config_common_unix_test.go
 create mode 100644 engine/daemon/config/config_test.go
 create mode 100644 engine/daemon/config/config_unix.go
 create mode 100644 engine/daemon/config/config_unix_test.go
 create mode 100644 engine/daemon/config/config_windows.go
 create mode 100644 engine/daemon/config/config_windows_test.go
 create mode 100644 engine/daemon/config/opts.go
 create mode 100644 engine/daemon/configs.go
 create mode 100644 engine/daemon/configs_linux.go
 create mode 100644 engine/daemon/configs_unsupported.go
 create mode 100644 engine/daemon/configs_windows.go
 create mode 100644 engine/daemon/container.go
 create mode 100644 engine/daemon/container_linux.go
 create mode 100644 engine/daemon/container_operations.go
 create mode 100644 engine/daemon/container_operations_unix.go
 create mode 100644 engine/daemon/container_operations_windows.go
 create mode 100644 engine/daemon/container_unix_test.go
 create mode 100644 engine/daemon/container_windows.go
 create mode 100644 engine/daemon/create.go
 create mode 100644 engine/daemon/create_test.go
 create mode 100644 engine/daemon/create_unix.go
 create mode 100644 engine/daemon/create_windows.go
 create mode 100644 engine/daemon/daemon.go
 create mode 100644 engine/daemon/daemon_linux.go
 create mode 100644 engine/daemon/daemon_linux_test.go
 create mode 100644 engine/daemon/daemon_test.go
 create mode 100644 engine/daemon/daemon_unix.go
 create mode 100644 engine/daemon/daemon_unix_test.go
 create mode 100644 engine/daemon/daemon_unsupported.go
 create mode 100644 engine/daemon/daemon_windows.go
 create mode 100644 engine/daemon/daemon_windows_test.go
 create mode 100644 engine/daemon/debugtrap_unix.go
 create mode 100644 engine/daemon/debugtrap_unsupported.go
 create mode 100644 engine/daemon/debugtrap_windows.go
 create mode 100644 engine/daemon/delete.go
 create mode 100644 engine/daemon/delete_test.go
 create mode 100644 engine/daemon/dependency.go
 create mode 100644 engine/daemon/discovery/discovery.go
 create mode 100644 engine/daemon/discovery/discovery_test.go
 create mode 100644 engine/daemon/disk_usage.go
 create mode 100644 engine/daemon/errors.go
 create mode 100644 engine/daemon/events.go
 create mode 100644 engine/daemon/events/events.go
 create mode 100644 engine/daemon/events/events_test.go
 create mode 100644 engine/daemon/events/filter.go
 create mode 100644 engine/daemon/events/metrics.go
 create mode 100644 engine/daemon/events/testutils/testutils.go
 create mode 100644 engine/daemon/events_test.go
 create mode 100644 engine/daemon/exec.go
 create mode 100644 engine/daemon/exec/exec.go
 create mode 100644 engine/daemon/exec_linux.go
 create mode 100644 engine/daemon/exec_linux_test.go
 create mode 100644 engine/daemon/exec_windows.go
 create mode 100644 engine/daemon/export.go
 create mode 100644 engine/daemon/graphdriver/aufs/aufs.go
 create mode 100644 engine/daemon/graphdriver/aufs/aufs_test.go
 create mode 100644 engine/daemon/graphdriver/aufs/dirs.go
 create mode 100644 engine/daemon/graphdriver/aufs/mount.go
 create mode 100644 engine/daemon/graphdriver/aufs/mount_linux.go
 create mode 100644 engine/daemon/graphdriver/aufs/mount_unsupported.go
 create mode 100644 engine/daemon/graphdriver/btrfs/btrfs.go
 create mode 100644 engine/daemon/graphdriver/btrfs/btrfs_test.go
 create mode 100644 engine/daemon/graphdriver/btrfs/dummy_unsupported.go
 create mode 100644 engine/daemon/graphdriver/btrfs/version.go
 create mode 100644 engine/daemon/graphdriver/btrfs/version_none.go
 create mode 100644 engine/daemon/graphdriver/btrfs/version_test.go
 create mode 100644 engine/daemon/graphdriver/copy/copy.go
 create mode 100644 engine/daemon/graphdriver/copy/copy_test.go
 create mode 100644 engine/daemon/graphdriver/counter.go
 create mode 100644 engine/daemon/graphdriver/devmapper/README.md
 create mode 100644 engine/daemon/graphdriver/devmapper/device_setup.go
 create mode 100644 engine/daemon/graphdriver/devmapper/deviceset.go
 create mode 100644 engine/daemon/graphdriver/devmapper/devmapper_doc.go
 create mode 100644 engine/daemon/graphdriver/devmapper/devmapper_test.go
 create mode 100644 engine/daemon/graphdriver/devmapper/driver.go
 create mode 100644 engine/daemon/graphdriver/devmapper/mount.go
 create mode 100644 engine/daemon/graphdriver/driver.go
 create mode 100644 engine/daemon/graphdriver/driver_freebsd.go
 create mode 100644 engine/daemon/graphdriver/driver_linux.go
 create mode 100644 engine/daemon/graphdriver/driver_test.go
 create mode 100644 engine/daemon/graphdriver/driver_unsupported.go
 create mode 100644 engine/daemon/graphdriver/driver_windows.go
 create mode 100644 engine/daemon/graphdriver/errors.go
 create mode 100644 engine/daemon/graphdriver/fsdiff.go
 create mode 100644 engine/daemon/graphdriver/graphtest/graphbench_unix.go
 create mode 100644 engine/daemon/graphdriver/graphtest/graphtest_unix.go
 create mode 100644 engine/daemon/graphdriver/graphtest/graphtest_windows.go
 create mode 100644 engine/daemon/graphdriver/graphtest/testutil.go
 create mode 100644 engine/daemon/graphdriver/graphtest/testutil_unix.go
 create mode 100644 engine/daemon/graphdriver/lcow/lcow.go
 create mode 100644 engine/daemon/graphdriver/lcow/lcow_svm.go
 create mode 100644 engine/daemon/graphdriver/lcow/remotefs.go
 create mode 100644 engine/daemon/graphdriver/lcow/remotefs_file.go
 create mode 100644 engine/daemon/graphdriver/lcow/remotefs_filedriver.go
 create mode 100644 engine/daemon/graphdriver/lcow/remotefs_pathdriver.go
 create mode 100644 engine/daemon/graphdriver/overlay/overlay.go
 create mode 100644 engine/daemon/graphdriver/overlay/overlay_test.go
 create mode 100644 engine/daemon/graphdriver/overlay/overlay_unsupported.go
 create mode 100644 engine/daemon/graphdriver/overlay2/check.go
 create mode 100644 engine/daemon/graphdriver/overlay2/mount.go
 create mode 100644 engine/daemon/graphdriver/overlay2/overlay.go
 create mode 100644 engine/daemon/graphdriver/overlay2/overlay_test.go
 create mode 100644 engine/daemon/graphdriver/overlay2/overlay_unsupported.go
 create mode 100644 engine/daemon/graphdriver/overlay2/randomid.go
 create mode 100644 engine/daemon/graphdriver/overlayutils/overlayutils.go
 create mode 100644 engine/daemon/graphdriver/plugin.go
 create mode 100644 engine/daemon/graphdriver/proxy.go
 create mode 100644 engine/daemon/graphdriver/quota/errors.go
 create mode 100644 engine/daemon/graphdriver/quota/projectquota.go
 create mode 100644 engine/daemon/graphdriver/quota/projectquota_test.go
 create mode 100644 engine/daemon/graphdriver/register/register_aufs.go
 create mode 100644 engine/daemon/graphdriver/register/register_btrfs.go
 create mode 100644 engine/daemon/graphdriver/register/register_devicemapper.go
 create mode 100644 engine/daemon/graphdriver/register/register_overlay.go
 create mode 100644 engine/daemon/graphdriver/register/register_overlay2.go
 create mode 100644 engine/daemon/graphdriver/register/register_vfs.go
 create mode 100644 engine/daemon/graphdriver/register/register_windows.go
 create mode 100644 engine/daemon/graphdriver/register/register_zfs.go
 create mode 100644 engine/daemon/graphdriver/vfs/copy_linux.go
 create mode 100644 engine/daemon/graphdriver/vfs/copy_unsupported.go
 create mode 100644 engine/daemon/graphdriver/vfs/driver.go
 create mode 100644 engine/daemon/graphdriver/vfs/quota_linux.go
 create mode 100644 engine/daemon/graphdriver/vfs/quota_unsupported.go
 create mode 100644 engine/daemon/graphdriver/vfs/vfs_test.go
 create mode 100644 engine/daemon/graphdriver/windows/windows.go
 create mode 100644 engine/daemon/graphdriver/zfs/MAINTAINERS
 create mode 100644 engine/daemon/graphdriver/zfs/zfs.go
 create mode 100644 engine/daemon/graphdriver/zfs/zfs_freebsd.go
 create mode 100644 engine/daemon/graphdriver/zfs/zfs_linux.go
 create mode 100644 engine/daemon/graphdriver/zfs/zfs_test.go
 create mode 100644 engine/daemon/graphdriver/zfs/zfs_unsupported.go
 create mode 100644 engine/daemon/health.go
 create mode 100644 engine/daemon/health_test.go
 create mode 100644 engine/daemon/images/cache.go
 create mode 100644 engine/daemon/images/image.go
 create mode 100644 engine/daemon/images/image_builder.go
 create mode 100644 engine/daemon/images/image_commit.go
 create mode 100644 engine/daemon/images/image_delete.go
 create mode 100644 engine/daemon/images/image_events.go
 create mode 100644 engine/daemon/images/image_exporter.go
 create mode 100644 engine/daemon/images/image_history.go
 create mode 100644 engine/daemon/images/image_import.go
 create mode 100644 engine/daemon/images/image_inspect.go
 create mode 100644 engine/daemon/images/image_prune.go
 create mode 100644 engine/daemon/images/image_pull.go
 create mode 100644 engine/daemon/images/image_push.go
 create mode 100644 engine/daemon/images/image_search.go
 create mode 100644 engine/daemon/images/image_search_test.go
 create mode 100644 engine/daemon/images/image_tag.go
 create mode 100644 engine/daemon/images/image_unix.go
 create mode 100644 engine/daemon/images/image_windows.go
 create mode 100644 engine/daemon/images/images.go
 create mode 100644 engine/daemon/images/locals.go
 create mode 100644 engine/daemon/images/service.go
 create mode 100644 engine/daemon/info.go
 create mode 100644 engine/daemon/info_unix.go
 create mode 100644 engine/daemon/info_unix_test.go
 create mode 100644 engine/daemon/info_windows.go
 create mode 100644 engine/daemon/initlayer/setup_unix.go
 create mode 100644 engine/daemon/initlayer/setup_windows.go
 create mode 100644 engine/daemon/inspect.go
 create mode 100644 engine/daemon/inspect_linux.go
 create mode 100644 engine/daemon/inspect_test.go
 create mode 100644 engine/daemon/inspect_windows.go
 create mode 100644 engine/daemon/keys.go
 create mode 100644 engine/daemon/keys_unsupported.go
 create mode 100644 engine/daemon/kill.go
 create mode 100644 engine/daemon/links.go
 create mode 100644 engine/daemon/links/links.go
 create mode 100644 engine/daemon/links/links_test.go
 create mode 100644 engine/daemon/list.go
 create mode 100644 engine/daemon/list_test.go
 create mode 100644 engine/daemon/list_unix.go
 create mode 100644 engine/daemon/list_windows.go
 create mode 100644 engine/daemon/listeners/group_unix.go
 create mode 100644 engine/daemon/listeners/listeners_linux.go
 create mode 100644 engine/daemon/listeners/listeners_windows.go
 create mode 100644 engine/daemon/logdrivers_linux.go
 create mode 100644 engine/daemon/logdrivers_windows.go
 create mode 100644 engine/daemon/logger/adapter.go
 create mode 100644 engine/daemon/logger/adapter_test.go
 create mode 100644 engine/daemon/logger/awslogs/cloudwatchlogs.go
 create mode 100644 engine/daemon/logger/awslogs/cloudwatchlogs_test.go
 create mode 100644 engine/daemon/logger/awslogs/cwlogsiface_mock_test.go
 create mode 100644 engine/daemon/logger/copier.go
 create mode 100644 engine/daemon/logger/copier_test.go
 create mode 100644 engine/daemon/logger/etwlogs/etwlogs_windows.go
 create mode 100644 engine/daemon/logger/factory.go
 create mode 100644 engine/daemon/logger/fluentd/fluentd.go
 create mode 100644 engine/daemon/logger/gcplogs/gcplogging.go
 create mode 100644 engine/daemon/logger/gcplogs/gcplogging_linux.go
 create mode 100644 engine/daemon/logger/gcplogs/gcplogging_others.go
 create mode 100644 engine/daemon/logger/gelf/gelf.go
 create mode 100644 engine/daemon/logger/gelf/gelf_test.go
 create mode 100644 engine/daemon/logger/journald/journald.go
 create mode 100644 engine/daemon/logger/journald/journald_test.go
 create mode 100644 engine/daemon/logger/journald/journald_unsupported.go
 create mode 100644 engine/daemon/logger/journald/read.go
 create mode 100644 engine/daemon/logger/journald/read_native.go
 create mode 100644 engine/daemon/logger/journald/read_native_compat.go
 create mode 100644 engine/daemon/logger/journald/read_unsupported.go
 create mode 100644 engine/daemon/logger/jsonfilelog/jsonfilelog.go
 create mode 100644 engine/daemon/logger/jsonfilelog/jsonfilelog_test.go
 create mode 100644 engine/daemon/logger/jsonfilelog/jsonlog/jsonlog.go
 create mode 100644 engine/daemon/logger/jsonfilelog/jsonlog/jsonlogbytes.go
 create mode 100644 engine/daemon/logger/jsonfilelog/jsonlog/jsonlogbytes_test.go
 create mode 100644 engine/daemon/logger/jsonfilelog/jsonlog/time_marshalling.go
 create mode 100644 engine/daemon/logger/jsonfilelog/jsonlog/time_marshalling_test.go
 create mode 100644 engine/daemon/logger/jsonfilelog/read.go
 create mode 100644 engine/daemon/logger/jsonfilelog/read_test.go
 create mode 100644 engine/daemon/logger/logentries/logentries.go
 create mode 100644 engine/daemon/logger/logger.go
 create mode 100644 engine/daemon/logger/logger_test.go
 create mode 100644 engine/daemon/logger/loggerutils/log_tag.go
 create mode 100644 engine/daemon/logger/loggerutils/log_tag_test.go
 create mode 100644 engine/daemon/logger/loggerutils/logfile.go
 create mode 100644 engine/daemon/logger/loggerutils/multireader/multireader.go
 create mode 100644 engine/daemon/logger/loggerutils/multireader/multireader_test.go
 create mode 100644 engine/daemon/logger/loginfo.go
 create mode 100644 engine/daemon/logger/metrics.go
 create mode 100644 engine/daemon/logger/plugin.go
 create mode 100644 engine/daemon/logger/plugin_unix.go
 create mode 100644 engine/daemon/logger/plugin_unsupported.go
 create mode 100644 engine/daemon/logger/proxy.go
 create mode 100644 engine/daemon/logger/ring.go
 create mode 100644 engine/daemon/logger/ring_test.go
 create mode 100644 engine/daemon/logger/splunk/splunk.go
 create mode 100644 engine/daemon/logger/splunk/splunk_test.go
 create mode 100644 engine/daemon/logger/splunk/splunkhecmock_test.go
 create mode 100644 engine/daemon/logger/syslog/syslog.go
 create mode 100644 engine/daemon/logger/syslog/syslog_test.go
 create mode 100644 engine/daemon/logger/templates/templates.go
 create mode 100644 engine/daemon/logger/templates/templates_test.go
 create mode 100644 engine/daemon/logs.go
 create mode 100644 engine/daemon/logs_test.go
 create mode 100644 engine/daemon/metrics.go
 create mode 100644 engine/daemon/metrics_unix.go
 create mode 100644 engine/daemon/metrics_unsupported.go
 create mode 100644 engine/daemon/monitor.go
 create mode 100644 engine/daemon/mounts.go
 create mode 100644 engine/daemon/names.go
 create mode 100644 engine/daemon/names/names.go
 create mode 100644 engine/daemon/network.go
 create mode 100644 engine/daemon/network/settings.go
 create mode 100644 engine/daemon/oci.go
 create mode 100644 engine/daemon/oci_linux.go
 create mode 100644 engine/daemon/oci_linux_test.go
 create mode 100644 engine/daemon/oci_windows.go
 create mode 100644 engine/daemon/pause.go
 create mode 100644 engine/daemon/prune.go
 create mode 100644 engine/daemon/reload.go
 create mode 100644 engine/daemon/reload_test.go
 create mode 100644 engine/daemon/reload_unix.go
 create mode 100644 engine/daemon/reload_windows.go
 create mode 100644 engine/daemon/rename.go
 create mode 100644 engine/daemon/resize.go
 create mode 100644 engine/daemon/resize_test.go
 create mode 100644 engine/daemon/restart.go
 create mode 100644 engine/daemon/seccomp_disabled.go
 create mode 100644 engine/daemon/seccomp_linux.go
 create mode 100644 engine/daemon/seccomp_unsupported.go
 create mode 100644 engine/daemon/secrets.go
 create mode 100644 engine/daemon/secrets_linux.go
 create mode 100644 engine/daemon/secrets_unsupported.go
 create mode 100644 engine/daemon/secrets_windows.go
 create mode 100644 engine/daemon/selinux_linux.go
 create mode 100644 engine/daemon/selinux_unsupported.go
 create mode 100644 engine/daemon/start.go
 create mode 100644 engine/daemon/start_unix.go
 create mode 100644 engine/daemon/start_windows.go
 create mode 100644 engine/daemon/stats.go
 create mode 100644 engine/daemon/stats/collector.go
 create mode 100644 engine/daemon/stats/collector_unix.go
 create mode 100644 engine/daemon/stats/collector_windows.go
 create mode 100644 engine/daemon/stats_collector.go
 create mode 100644 engine/daemon/stats_unix.go
 create mode 100644 engine/daemon/stats_windows.go
 create mode 100644 engine/daemon/stop.go
 create mode 100644 engine/daemon/testdata/keyfile
 create mode 100644 engine/daemon/top_unix.go
 create mode 100644 engine/daemon/top_unix_test.go
 create mode 100644 engine/daemon/top_windows.go
 create mode 100644 engine/daemon/trustkey.go
 create mode 100644 engine/daemon/trustkey_test.go
 create mode 100644 engine/daemon/unpause.go
 create mode 100644 engine/daemon/update.go
 create mode 100644 engine/daemon/update_linux.go
 create mode 100644 engine/daemon/update_windows.go
 create mode 100644 engine/daemon/util_test.go
 create mode 100644 engine/daemon/volumes.go
 create mode 100644 engine/daemon/volumes_linux.go
 create mode 100644 engine/daemon/volumes_linux_test.go
 create mode 100644 engine/daemon/volumes_unit_test.go
 create mode 100644 engine/daemon/volumes_unix.go
 create mode 100644 engine/daemon/volumes_unix_test.go
 create mode 100644 engine/daemon/volumes_windows.go
 create mode 100644 engine/daemon/wait.go
 create mode 100644 engine/daemon/workdir.go
 create mode 100644 engine/distribution/config.go
 create mode 100644 engine/distribution/errors.go
 create mode 100644 engine/distribution/errors_test.go
 create mode 100644 engine/distribution/fixtures/validate_manifest/bad_manifest
 create mode 100644 engine/distribution/fixtures/validate_manifest/extra_data_manifest
 create mode 100644 engine/distribution/fixtures/validate_manifest/good_manifest
 create mode 100644 engine/distribution/metadata/metadata.go
 create mode 100644 engine/distribution/metadata/v1_id_service.go
 create mode 100644 engine/distribution/metadata/v1_id_service_test.go
 create mode 100644 engine/distribution/metadata/v2_metadata_service.go
 create mode 100644 engine/distribution/metadata/v2_metadata_service_test.go
 create mode 100644 engine/distribution/oci.go
 create mode 100644 engine/distribution/pull.go
 create mode 100644 engine/distribution/pull_v1.go
 create mode 100644 engine/distribution/pull_v2.go
 create mode 100644 engine/distribution/pull_v2_test.go
 create mode 100644 engine/distribution/pull_v2_unix.go
 create mode 100644 engine/distribution/pull_v2_windows.go
 create mode 100644 engine/distribution/push.go
 create mode 100644 engine/distribution/push_v1.go
 create mode 100644 engine/distribution/push_v2.go
 create mode 100644 engine/distribution/push_v2_test.go
 create mode 100644 engine/distribution/registry.go
 create mode 100644 engine/distribution/registry_unit_test.go
 create mode 100644 engine/distribution/utils/progress.go
 create mode 100644 engine/distribution/xfer/download.go
 create mode 100644 engine/distribution/xfer/download_test.go
 create mode 100644 engine/distribution/xfer/transfer.go
 create mode 100644 engine/distribution/xfer/transfer_test.go
 create mode 100644 engine/distribution/xfer/upload.go
 create mode 100644 engine/distribution/xfer/upload_test.go
 create mode 100644 engine/dockerversion/useragent.go
 create mode 100644 engine/dockerversion/version_lib.go
 create mode 100644 engine/docs/api/v1.18.md
 create mode 100644 engine/docs/api/v1.19.md
 create mode 100644 engine/docs/api/v1.20.md
 create mode 100644 engine/docs/api/v1.21.md
 create mode 100644 engine/docs/api/v1.22.md
 create mode 100644 engine/docs/api/v1.23.md
 create mode 100644 engine/docs/api/v1.24.md
 create mode 100644 engine/docs/api/version-history.md
 create mode 100644 engine/docs/contributing/README.md
 create mode 100644 engine/docs/contributing/images/branch-sig.png
 create mode 100644 engine/docs/contributing/images/contributor-edit.png
 create mode 100644 engine/docs/contributing/images/copy_url.png
 create mode 100644 engine/docs/contributing/images/fork_docker.png
 create mode 100644 engine/docs/contributing/images/git_bash.png
 create mode 100644 engine/docs/contributing/images/list_example.png
 create mode 100644 engine/docs/contributing/set-up-dev-env.md
 create mode 100644 engine/docs/contributing/set-up-git.md
 create mode 100644 engine/docs/contributing/software-req-win.md
 create mode 100644 engine/docs/contributing/software-required.md
 create mode 100644 engine/docs/contributing/test.md
 create mode 100644 engine/docs/contributing/who-written-for.md
 create mode 100644 engine/docs/static_files/contributors.png
 create mode 100644 engine/docs/static_files/moby-project-logo.png
 create mode 100644 engine/errdefs/defs.go
 create mode 100644 engine/errdefs/doc.go
 create mode 100644 engine/errdefs/helpers.go
 create mode 100644 engine/errdefs/helpers_test.go
 create mode 100644 engine/errdefs/is.go
 create mode 100644 engine/hack/README.md
 create mode 100755 engine/hack/ci/arm
 create mode 100755 engine/hack/ci/experimental
 create mode 100755 engine/hack/ci/janky
 create mode 100755 engine/hack/ci/powerpc
 create mode 100755 engine/hack/ci/z
 create mode 100755 engine/hack/dind
 create mode 100755 engine/hack/dockerfile/install/containerd.installer
 create mode 100755 engine/hack/dockerfile/install/dockercli.installer
 create mode 100755 engine/hack/dockerfile/install/gometalinter.installer
 create mode 100755 engine/hack/dockerfile/install/install.sh
 create mode 100755 engine/hack/dockerfile/install/proxy.installer
 create mode 100755 engine/hack/dockerfile/install/runc.installer
 create mode 100755 engine/hack/dockerfile/install/tini.installer
 create mode 100755 engine/hack/dockerfile/install/tomlv.installer
 create mode 100755 engine/hack/dockerfile/install/vndr.installer
 create mode 100755 engine/hack/generate-authors.sh
 create mode 100755 engine/hack/generate-swagger-api.sh
 create mode 100644 engine/hack/integration-cli-on-swarm/README.md
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/Dockerfile
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/master/call.go
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/master/master.go
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/master/set.go
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/master/set_test.go
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/types/types.go
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/vendor.conf
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/LICENSE
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/call.go
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/handle.go
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/worker/executor.go
 create mode 100644 engine/hack/integration-cli-on-swarm/agent/worker/worker.go
 create mode 100644 engine/hack/integration-cli-on-swarm/host/compose.go
 create mode 100644 engine/hack/integration-cli-on-swarm/host/dockercmd.go
 create mode 100644 engine/hack/integration-cli-on-swarm/host/enumerate.go
 create mode 100644 engine/hack/integration-cli-on-swarm/host/enumerate_test.go
 create mode 100644 engine/hack/integration-cli-on-swarm/host/host.go
 create mode 100644 engine/hack/integration-cli-on-swarm/host/volume.go
 create mode 100644 engine/hack/make.ps1
 create mode 100755 engine/hack/make.sh
 create mode 100644 engine/hack/make/.binary
 create mode 100644 engine/hack/make/.binary-setup
 create mode 100644 engine/hack/make/.detect-daemon-osarch
 create mode 100644 engine/hack/make/.ensure-emptyfs
 create mode 100644 engine/hack/make/.go-autogen
 create mode 100644 engine/hack/make/.go-autogen.ps1
 create mode 100644 engine/hack/make/.integration-daemon-setup
 create mode 100644 engine/hack/make/.integration-daemon-start
 create mode 100644 engine/hack/make/.integration-daemon-stop
 create mode 100644 engine/hack/make/.integration-test-helpers
 create mode 100644 engine/hack/make/.resources-windows/common.rc
 create mode 100644 engine/hack/make/.resources-windows/docker.exe.manifest
 create mode 100644 engine/hack/make/.resources-windows/docker.ico
 create mode 100644 engine/hack/make/.resources-windows/docker.png
 create mode 100644 engine/hack/make/.resources-windows/docker.rc
 create mode 100644 engine/hack/make/.resources-windows/dockerd.rc
 create mode 100644 engine/hack/make/.resources-windows/event_messages.mc
 create mode 100644 engine/hack/make/.resources-windows/resources.go
 create mode 100644 engine/hack/make/README.md
 create mode 100644 engine/hack/make/binary
 create mode 100644 engine/hack/make/binary-daemon
 create mode 100755 engine/hack/make/build-integration-test-binary
 create mode 100644 engine/hack/make/cross
 create mode 100644 engine/hack/make/dynbinary
 create mode 100644 engine/hack/make/dynbinary-daemon
 create mode 100644 engine/hack/make/install-binary
 create mode 100644 engine/hack/make/run
 create mode 100644 engine/hack/make/test-docker-py
 create mode 100755 engine/hack/make/test-integration
 create mode 100755 engine/hack/make/test-integration-cli
 create mode 100644 engine/hack/make/test-integration-shell
 create mode 100755 engine/hack/test/e2e-run.sh
 create mode 100755 engine/hack/test/unit
 create mode 100644 engine/hack/validate/.swagger-yamllint
 create mode 100644 engine/hack/validate/.validate
 create mode 100755 engine/hack/validate/all
 create mode 100755 engine/hack/validate/changelog-date-descending
 create mode 100755 engine/hack/validate/changelog-well-formed
 create mode 100755 engine/hack/validate/dco
 create mode 100755 engine/hack/validate/default
 create mode 100755 engine/hack/validate/default-seccomp
 create mode 100755 engine/hack/validate/deprecate-integration-cli
 create mode 100755 engine/hack/validate/gometalinter
 create mode 100644 engine/hack/validate/gometalinter.json
 create mode 100755 engine/hack/validate/pkg-imports
 create mode 100755 engine/hack/validate/swagger
 create mode 100755 engine/hack/validate/swagger-gen
 create mode 100755 engine/hack/validate/test-imports
 create mode 100755 engine/hack/validate/toml
 create mode 100755 engine/hack/validate/vendor
 create mode 100755 engine/hack/vendor.sh
 create mode 100644 engine/image/cache/cache.go
 create mode 100644 engine/image/cache/compare.go
 create mode 100644 engine/image/cache/compare_test.go
 create mode 100644 engine/image/fs.go
 create mode 100644 engine/image/fs_test.go
 create mode 100644 engine/image/image.go
 create mode 100644 engine/image/image_test.go
 create mode 100644 engine/image/rootfs.go
 create mode 100644 engine/image/spec/README.md
 create mode 100644 engine/image/spec/v1.1.md
 create mode 100644 engine/image/spec/v1.2.md
 create mode 100644 engine/image/spec/v1.md
 create mode 100644 engine/image/store.go
 create mode 100644 engine/image/store_test.go
 create mode 100644 engine/image/tarexport/load.go
 create mode 100644 engine/image/tarexport/save.go
 create mode 100644 engine/image/tarexport/tarexport.go
 create mode 100644 engine/image/v1/imagev1.go
 create mode 100644 engine/image/v1/imagev1_test.go
 create mode 100644 engine/integration-cli/benchmark_test.go
 create mode 100644 engine/integration-cli/check_test.go
 create mode 100644 engine/integration-cli/checker/checker.go
 create mode 100644 engine/integration-cli/cli/build/build.go
 create mode 100644 engine/integration-cli/cli/cli.go
 create mode 100644 engine/integration-cli/daemon/daemon.go
 create mode 100644 engine/integration-cli/daemon/daemon_swarm.go
 create mode 100644 engine/integration-cli/daemon_swarm_hack_test.go
 create mode 100644 engine/integration-cli/docker_api_attach_test.go
 create mode 100644 engine/integration-cli/docker_api_build_test.go
 create mode 100644 engine/integration-cli/docker_api_build_windows_test.go
 create mode 100644 engine/integration-cli/docker_api_containers_test.go
 create mode 100644 engine/integration-cli/docker_api_containers_windows_test.go
 create mode 100644 engine/integration-cli/docker_api_create_test.go
 create mode 100644 engine/integration-cli/docker_api_exec_resize_test.go
 create mode 100644 engine/integration-cli/docker_api_exec_test.go
 create mode 100644 engine/integration-cli/docker_api_images_test.go
 create mode 100644 engine/integration-cli/docker_api_inspect_test.go
 create mode 100644 engine/integration-cli/docker_api_ipcmode_test.go
 create mode 100644 engine/integration-cli/docker_api_logs_test.go
 create mode 100644 engine/integration-cli/docker_api_network_test.go
 create mode 100644 engine/integration-cli/docker_api_stats_test.go
 create mode 100644 engine/integration-cli/docker_api_swarm_node_test.go
 create mode 100644 engine/integration-cli/docker_api_swarm_service_test.go
 create mode 100644 engine/integration-cli/docker_api_swarm_test.go
 create mode 100644 engine/integration-cli/docker_api_test.go
 create mode 100644 engine/integration-cli/docker_cli_attach_test.go
 create mode 100644 engine/integration-cli/docker_cli_attach_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_build_test.go
 create mode 100644 engine/integration-cli/docker_cli_build_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_by_digest_test.go
 create mode 100644 engine/integration-cli/docker_cli_commit_test.go
 create mode 100644 engine/integration-cli/docker_cli_config_create_test.go
 create mode 100644 engine/integration-cli/docker_cli_cp_from_container_test.go
 create mode 100644 engine/integration-cli/docker_cli_cp_test.go
 create mode 100644 engine/integration-cli/docker_cli_cp_to_container_test.go
 create mode 100644 engine/integration-cli/docker_cli_cp_to_container_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_cp_utils_test.go
 create mode 100644 engine/integration-cli/docker_cli_create_test.go
 create mode 100644 engine/integration-cli/docker_cli_daemon_plugins_test.go
 create mode 100644 engine/integration-cli/docker_cli_daemon_test.go
 create mode 100644 engine/integration-cli/docker_cli_events_test.go
 create mode 100644 engine/integration-cli/docker_cli_events_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_exec_test.go
 create mode 100644 engine/integration-cli/docker_cli_exec_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_export_import_test.go
 create mode 100644 engine/integration-cli/docker_cli_external_volume_driver_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_health_test.go
 create mode 100644 engine/integration-cli/docker_cli_history_test.go
 create mode 100644 engine/integration-cli/docker_cli_images_test.go
 create mode 100644 engine/integration-cli/docker_cli_import_test.go
 create mode 100644 engine/integration-cli/docker_cli_info_test.go
 create mode 100644 engine/integration-cli/docker_cli_info_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_inspect_test.go
 create mode 100644 engine/integration-cli/docker_cli_links_test.go
 create mode 100644 engine/integration-cli/docker_cli_login_test.go
 create mode 100644 engine/integration-cli/docker_cli_logout_test.go
 create mode 100644 engine/integration-cli/docker_cli_logs_bench_test.go
 create mode 100644 engine/integration-cli/docker_cli_logs_test.go
 create mode 100644 engine/integration-cli/docker_cli_netmode_test.go
 create mode 100644 engine/integration-cli/docker_cli_network_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_plugins_logdriver_test.go
 create mode 100644 engine/integration-cli/docker_cli_plugins_test.go
 create mode 100644 engine/integration-cli/docker_cli_port_test.go
 create mode 100644 engine/integration-cli/docker_cli_proxy_test.go
 create mode 100644 engine/integration-cli/docker_cli_prune_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_ps_test.go
 create mode 100644 engine/integration-cli/docker_cli_pull_local_test.go
 create mode 100644 engine/integration-cli/docker_cli_pull_test.go
 create mode 100644 engine/integration-cli/docker_cli_push_test.go
 create mode 100644 engine/integration-cli/docker_cli_registry_user_agent_test.go
 create mode 100644 engine/integration-cli/docker_cli_restart_test.go
 create mode 100644 engine/integration-cli/docker_cli_rmi_test.go
 create mode 100644 engine/integration-cli/docker_cli_run_test.go
 create mode 100644 engine/integration-cli/docker_cli_run_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_save_load_test.go
 create mode 100644 engine/integration-cli/docker_cli_save_load_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_search_test.go
 create mode 100644 engine/integration-cli/docker_cli_secret_create_test.go
 create mode 100644 engine/integration-cli/docker_cli_service_create_test.go
 create mode 100644 engine/integration-cli/docker_cli_service_health_test.go
 create mode 100644 engine/integration-cli/docker_cli_service_logs_test.go
 create mode 100644 engine/integration-cli/docker_cli_service_scale_test.go
 create mode 100644 engine/integration-cli/docker_cli_service_update_test.go
 create mode 100644 engine/integration-cli/docker_cli_sni_test.go
 create mode 100644 engine/integration-cli/docker_cli_start_test.go
 create mode 100644 engine/integration-cli/docker_cli_stats_test.go
 create mode 100644 engine/integration-cli/docker_cli_swarm_test.go
 create mode 100644 engine/integration-cli/docker_cli_swarm_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_top_test.go
 create mode 100644 engine/integration-cli/docker_cli_update_unix_test.go
 create mode 100644 engine/integration-cli/docker_cli_userns_test.go
 create mode 100644 engine/integration-cli/docker_cli_v2_only_test.go
 create mode 100644 engine/integration-cli/docker_cli_volume_test.go
 create mode 100644 engine/integration-cli/docker_cli_wait_test.go
 create mode 100644 engine/integration-cli/docker_deprecated_api_v124_test.go
 create mode 100644 engine/integration-cli/docker_deprecated_api_v124_unix_test.go
 create mode 100644 engine/integration-cli/docker_hub_pull_suite_test.go
 create mode 100644 engine/integration-cli/docker_utils_test.go
 create mode 100644 engine/integration-cli/environment/environment.go
 create mode 100644 engine/integration-cli/events_utils_test.go
 create mode 100755 engine/integration-cli/fixtures/auth/docker-credential-shell-test
 create mode 100644 engine/integration-cli/fixtures/credentialspecs/valid.json
 create mode 120000 engine/integration-cli/fixtures/https/ca.pem
 create mode 120000 engine/integration-cli/fixtures/https/client-cert.pem
 create mode 120000 engine/integration-cli/fixtures/https/client-key.pem
 create mode 100644 engine/integration-cli/fixtures/https/client-rogue-cert.pem
 create mode 100644 engine/integration-cli/fixtures/https/client-rogue-key.pem
 create mode 120000 engine/integration-cli/fixtures/https/server-cert.pem
 create mode 120000 engine/integration-cli/fixtures/https/server-key.pem
 create mode 100644 engine/integration-cli/fixtures/https/server-rogue-cert.pem
 create mode 100644 engine/integration-cli/fixtures/https/server-rogue-key.pem
 create mode 100644 engine/integration-cli/fixtures/registry/cert.pem
 create mode 100644 engine/integration-cli/fixtures_linux_daemon_test.go
 create mode 100644 engine/integration-cli/requirement/requirement.go
 create mode 100644 engine/integration-cli/requirements_test.go
 create mode 100644 engine/integration-cli/requirements_unix_test.go
 create mode 100644 engine/integration-cli/test_vars_exec_test.go
 create mode 100644 engine/integration-cli/test_vars_noexec_test.go
 create mode 100644 engine/integration-cli/test_vars_noseccomp_test.go
 create mode 100644 engine/integration-cli/test_vars_seccomp_test.go
 create mode 100644 engine/integration-cli/test_vars_test.go
 create mode 100644 engine/integration-cli/test_vars_unix_test.go
 create mode 100644 engine/integration-cli/test_vars_windows_test.go
 create mode 100644 engine/integration-cli/testdata/emptyLayer.tar
 create mode 100644 engine/integration-cli/utils_test.go
 create mode 100644 engine/integration/build/build_session_test.go
 create mode 100644 engine/integration/build/build_squash_test.go
 create mode 100644 engine/integration/build/build_test.go
 create mode 100644 engine/integration/build/main_test.go
 create mode 100644 engine/integration/config/config_test.go
 create mode 100644 engine/integration/config/main_test.go
 create mode 100644 engine/integration/container/copy_test.go
 create mode 100644 engine/integration/container/create_test.go
 create mode 100644 engine/integration/container/daemon_linux_test.go
 create mode 100644 engine/integration/container/diff_test.go
 create mode 100644 engine/integration/container/exec_test.go
 create mode 100644 engine/integration/container/export_test.go
 create mode 100644 engine/integration/container/health_test.go
 create mode 100644 engine/integration/container/inspect_test.go
 create mode 100644 engine/integration/container/kill_test.go
 create mode 100644 engine/integration/container/links_linux_test.go
 create mode 100644 engine/integration/container/logs_test.go
 create mode 100644 engine/integration/container/main_test.go
 create mode 100644 engine/integration/container/mounts_linux_test.go
 create mode 100644 engine/integration/container/nat_test.go
 create mode 100644 engine/integration/container/pause_test.go
 create mode 100644 engine/integration/container/ps_test.go
 create mode 100644 engine/integration/container/remove_test.go
 create mode 100644 engine/integration/container/rename_test.go
 create mode 100644 engine/integration/container/resize_test.go
 create mode 100644 engine/integration/container/restart_test.go
 create mode 100644 engine/integration/container/stats_test.go
 create mode 100644 engine/integration/container/stop_test.go
 create mode 100644 engine/integration/container/update_linux_test.go
 create mode 100644 engine/integration/container/update_test.go
 create mode 100644 engine/integration/doc.go
 create mode 100644 engine/integration/image/commit_test.go
 create mode 100644 engine/integration/image/import_test.go
 create mode 100644 engine/integration/image/main_test.go
 create mode 100644 engine/integration/image/remove_test.go
 create mode 100644 engine/integration/image/tag_test.go
 create mode 100644 engine/integration/internal/container/container.go
 create mode 100644 engine/integration/internal/container/exec.go
 create mode 100644 engine/integration/internal/container/ops.go
 create mode 100644 engine/integration/internal/container/states.go
 create mode 100644 engine/integration/internal/network/network.go
 create mode 100644 engine/integration/internal/network/ops.go
 create mode 100644 engine/integration/internal/requirement/requirement.go
 create mode 100644 engine/integration/internal/swarm/service.go
 create mode 100644 engine/integration/network/delete_test.go
 create mode 100644 engine/integration/network/helpers.go
 create mode 100644 engine/integration/network/inspect_test.go
 create mode 100644 engine/integration/network/ipvlan/ipvlan_test.go
 create mode 100644 engine/integration/network/ipvlan/main_test.go
 create mode 100644 engine/integration/network/macvlan/macvlan_test.go
 create mode 100644 engine/integration/network/macvlan/main_test.go
 create mode 100644 engine/integration/network/main_test.go
 create mode 100644 engine/integration/network/service_test.go
 create mode 100644 engine/integration/plugin/authz/authz_plugin_test.go
 create mode 100644 engine/integration/plugin/authz/authz_plugin_v2_test.go
 create mode 100644 engine/integration/plugin/authz/main_test.go
 create mode 100644 engine/integration/plugin/graphdriver/external_test.go
 create mode 100644 engine/integration/plugin/graphdriver/main_test.go
 create mode 100644 engine/integration/plugin/logging/cmd/close_on_start/main.go
 create mode 100644 engine/integration/plugin/logging/cmd/close_on_start/main_test.go
 create mode 100644 engine/integration/plugin/logging/cmd/cmd_test.go
 create mode 100644 engine/integration/plugin/logging/cmd/dummy/main.go
 create mode 100644 engine/integration/plugin/logging/cmd/dummy/main_test.go
 create mode 100644 engine/integration/plugin/logging/helpers_test.go
 create mode 100644 engine/integration/plugin/logging/logging_test.go
 create mode 100644 engine/integration/plugin/logging/main_test.go
 create mode 100644 engine/integration/plugin/logging/validation_test.go
 create mode 100644 engine/integration/plugin/pkg_test.go
 create mode 100644 engine/integration/plugin/volumes/cmd/cmd_test.go
 create mode 100644 engine/integration/plugin/volumes/cmd/dummy/main.go
 create mode 100644 engine/integration/plugin/volumes/cmd/dummy/main_test.go
 create mode 100644 engine/integration/plugin/volumes/helpers_test.go
 create mode 100644 engine/integration/plugin/volumes/main_test.go
 create mode 100644 engine/integration/plugin/volumes/mounts_test.go
 create mode 100644 engine/integration/secret/main_test.go
 create mode 100644 engine/integration/secret/secret_test.go
 create mode 100644 engine/integration/service/create_test.go
 create mode 100644 engine/integration/service/inspect_test.go
 create mode 100644 engine/integration/service/main_test.go
 create mode 100644 engine/integration/service/network_test.go
 create mode 100644 engine/integration/service/plugin_test.go
 create mode 100644 engine/integration/session/main_test.go
 create mode 100644 engine/integration/session/session_test.go
 create mode 100644 engine/integration/system/cgroupdriver_systemd_test.go
 create mode 100644 engine/integration/system/event_test.go
 create mode 100644 engine/integration/system/info_linux_test.go
 create mode 100644 engine/integration/system/info_test.go
 create mode 100644 engine/integration/system/login_test.go
 create mode 100644 engine/integration/system/main_test.go
 create mode 100644 engine/integration/system/version_test.go
 create mode 100644 engine/integration/testdata/https/ca.pem
 create mode 100644 engine/integration/testdata/https/client-cert.pem
 create mode 100644 engine/integration/testdata/https/client-key.pem
 create mode 100644 engine/integration/testdata/https/server-cert.pem
 create mode 100644 engine/integration/testdata/https/server-key.pem
 create mode 100644 engine/integration/volume/main_test.go
 create mode 100644 engine/integration/volume/volume_test.go
 create mode 100644 engine/internal/test/daemon/config.go
 create mode 100644 engine/internal/test/daemon/container.go
 create mode 100644 engine/internal/test/daemon/daemon.go
 create mode 100644 engine/internal/test/daemon/daemon_unix.go
 create mode 100644 engine/internal/test/daemon/daemon_windows.go
 create mode 100644 engine/internal/test/daemon/node.go
 create mode 100644 engine/internal/test/daemon/ops.go
 create mode 100644 engine/internal/test/daemon/plugin.go
 create mode 100644 engine/internal/test/daemon/secret.go
 create mode 100644 engine/internal/test/daemon/service.go
 create mode 100644 engine/internal/test/daemon/swarm.go
 create mode 100644 engine/internal/test/environment/clean.go
 create mode 100644 engine/internal/test/environment/environment.go
 create mode 100644 engine/internal/test/environment/protect.go
 create mode 100644 engine/internal/test/fakecontext/context.go
 create mode 100644 engine/internal/test/fakegit/fakegit.go
 create mode 100644 engine/internal/test/fakestorage/fixtures.go
 create mode 100644 engine/internal/test/fakestorage/storage.go
 create mode 100644 engine/internal/test/fixtures/load/frozen.go
 create mode 100644 engine/internal/test/fixtures/plugin/basic/basic.go
 create mode 100644 engine/internal/test/fixtures/plugin/plugin.go
 create mode 100644 engine/internal/test/helper.go
 create mode 100644 engine/internal/test/registry/ops.go
 create mode 100644 engine/internal/test/registry/registry.go
 create mode 100644 engine/internal/test/registry/registry_mock.go
 create mode 100644 engine/internal/test/request/npipe.go
 create mode 100644 engine/internal/test/request/npipe_windows.go
 create mode 100644 engine/internal/test/request/ops.go
 create mode 100644 engine/internal/test/request/request.go
 create mode 100644 engine/internal/testutil/helpers.go
 create mode 100644 engine/internal/testutil/stringutils.go
 create mode 100644 engine/internal/testutil/stringutils_test.go
 create mode 100644 engine/layer/empty.go
 create mode 100644 engine/layer/empty_test.go
 create mode 100644 engine/layer/filestore.go
 create mode 100644 engine/layer/filestore_test.go
 create mode 100644 engine/layer/filestore_unix.go
 create mode 100644 engine/layer/filestore_windows.go
 create mode 100644 engine/layer/layer.go
 create mode 100644 engine/layer/layer_store.go
 create mode 100644 engine/layer/layer_store_windows.go
 create mode 100644 engine/layer/layer_test.go
 create mode 100644 engine/layer/layer_unix.go
 create mode 100644 engine/layer/layer_unix_test.go
 create mode 100644 engine/layer/layer_windows.go
 create mode 100644 engine/layer/migration.go
 create mode 100644 engine/layer/migration_test.go
 create mode 100644 engine/layer/mount_test.go
 create mode 100644 engine/layer/mounted_layer.go
 create mode 100644 engine/layer/ro_layer.go
 create mode 100644 engine/layer/ro_layer_windows.go
 create mode 100644 engine/libcontainerd/client_daemon.go
 create mode 100644 engine/libcontainerd/client_daemon_linux.go
 create mode 100644 engine/libcontainerd/client_daemon_windows.go
 create mode 100644 engine/libcontainerd/client_local_windows.go
 create mode 100644 engine/libcontainerd/errors.go
 create mode 100644 engine/libcontainerd/process_windows.go
 create mode 100644 engine/libcontainerd/queue.go
 create mode 100644 engine/libcontainerd/queue_test.go
 create mode 100644 engine/libcontainerd/remote_daemon.go
 create mode 100644 engine/libcontainerd/remote_daemon_linux.go
 create mode 100644 engine/libcontainerd/remote_daemon_options.go
 create mode 100644 engine/libcontainerd/remote_daemon_options_linux.go
 create mode 100644 engine/libcontainerd/remote_daemon_windows.go
 create mode 100644 engine/libcontainerd/remote_local.go
 create mode 100644 engine/libcontainerd/types.go
 create mode 100644 engine/libcontainerd/types_linux.go
 create mode 100644 engine/libcontainerd/types_windows.go
 create mode 100644 engine/libcontainerd/utils_linux.go
 create mode 100644 engine/libcontainerd/utils_windows.go
 create mode 100644 engine/libcontainerd/utils_windows_test.go
 create mode 100644 engine/migrate/v1/migratev1.go
 create mode 100644 engine/migrate/v1/migratev1_test.go
 create mode 100644 engine/oci/defaults.go
 create mode 100644 engine/oci/devices_linux.go
 create mode 100644 engine/oci/devices_unsupported.go
 create mode 100644 engine/oci/namespaces.go
 create mode 100644 engine/opts/address_pools.go
 create mode 100644 engine/opts/address_pools_test.go
 create mode 100644 engine/opts/env.go
 create mode 100644 engine/opts/env_test.go
 create mode 100644 engine/opts/hosts.go
 create mode 100644 engine/opts/hosts_test.go
 create mode 100644 engine/opts/hosts_unix.go
 create mode 100644 engine/opts/hosts_windows.go
 create mode 100644 engine/opts/ip.go
 create mode 100644 engine/opts/ip_test.go
 create mode 100644 engine/opts/opts.go
 create mode 100644 engine/opts/opts_test.go
 create mode 100644 engine/opts/opts_unix.go
 create mode 100644 engine/opts/opts_windows.go
 create mode 100644 engine/opts/quotedstring.go
 create mode 100644 engine/opts/quotedstring_test.go
 create mode 100644 engine/opts/runtime.go
 create mode 100644 engine/opts/ulimit.go
 create mode 100644 engine/opts/ulimit_test.go
 create mode 100644 engine/pkg/README.md
 create mode 100644 engine/pkg/aaparser/aaparser.go
 create mode 100644 engine/pkg/aaparser/aaparser_test.go
 create mode 100644 engine/pkg/archive/README.md
 create mode 100644 engine/pkg/archive/archive.go
 create mode 100644 engine/pkg/archive/archive_linux.go
 create mode 100644 engine/pkg/archive/archive_linux_test.go
 create mode 100644 engine/pkg/archive/archive_other.go
 create mode 100644 engine/pkg/archive/archive_test.go
 create mode 100644 engine/pkg/archive/archive_unix.go
 create mode 100644 engine/pkg/archive/archive_unix_test.go
 create mode 100644 engine/pkg/archive/archive_windows.go
 create mode 100644 engine/pkg/archive/archive_windows_test.go
 create mode 100644 engine/pkg/archive/changes.go
 create mode 100644 engine/pkg/archive/changes_linux.go
 create mode 100644 engine/pkg/archive/changes_other.go
 create mode 100644 engine/pkg/archive/changes_posix_test.go
 create mode 100644 engine/pkg/archive/changes_test.go
 create mode 100644 engine/pkg/archive/changes_unix.go
 create mode 100644 engine/pkg/archive/changes_windows.go
 create mode 100644 engine/pkg/archive/copy.go
 create mode 100644 engine/pkg/archive/copy_unix.go
 create mode 100644 engine/pkg/archive/copy_unix_test.go
 create mode 100644 engine/pkg/archive/copy_windows.go
 create mode 100644 engine/pkg/archive/diff.go
 create mode 100644 engine/pkg/archive/diff_test.go
 create mode 100644 engine/pkg/archive/example_changes.go
 create mode 100644 engine/pkg/archive/testdata/broken.tar
 create mode 100644 engine/pkg/archive/time_linux.go
 create mode 100644 engine/pkg/archive/time_unsupported.go
 create mode 100644 engine/pkg/archive/utils_test.go
 create mode 100644 engine/pkg/archive/whiteouts.go
 create mode 100644 engine/pkg/archive/wrap.go
 create mode 100644 engine/pkg/archive/wrap_test.go
 create mode 100644 engine/pkg/authorization/api.go
 create mode 100644 engine/pkg/authorization/api_test.go
 create mode 100644 engine/pkg/authorization/authz.go
 create mode 100644 engine/pkg/authorization/authz_unix_test.go
 create mode 100644 engine/pkg/authorization/middleware.go
 create mode 100644 engine/pkg/authorization/middleware_test.go
 create mode 100644 engine/pkg/authorization/middleware_unix_test.go
 create mode 100644 engine/pkg/authorization/plugin.go
 create mode 100644 engine/pkg/authorization/response.go
 create mode 100644 engine/pkg/broadcaster/unbuffered.go
 create mode 100644 engine/pkg/broadcaster/unbuffered_test.go
 create mode 100644 engine/pkg/chrootarchive/archive.go
 create mode 100644 engine/pkg/chrootarchive/archive_test.go
 create mode 100644 engine/pkg/chrootarchive/archive_unix.go
 create mode 100644 engine/pkg/chrootarchive/archive_windows.go
 create mode 100644 engine/pkg/chrootarchive/chroot_linux.go
 create mode 100644 engine/pkg/chrootarchive/chroot_unix.go
 create mode 100644 engine/pkg/chrootarchive/diff.go
 create mode 100644 engine/pkg/chrootarchive/diff_unix.go
 create mode 100644 engine/pkg/chrootarchive/diff_windows.go
 create mode 100644 engine/pkg/chrootarchive/init_unix.go
 create mode 100644 engine/pkg/chrootarchive/init_windows.go
 create mode 100644 engine/pkg/containerfs/archiver.go
 create mode 100644 engine/pkg/containerfs/containerfs.go
 create mode 100644 engine/pkg/containerfs/containerfs_unix.go
 create mode 100644 engine/pkg/containerfs/containerfs_windows.go
 create mode 100644 engine/pkg/devicemapper/devmapper.go
 create mode 100644 engine/pkg/devicemapper/devmapper_log.go
 create mode 100644 engine/pkg/devicemapper/devmapper_wrapper.go
 create mode 100644 engine/pkg/devicemapper/devmapper_wrapper_dynamic.go
 create mode 100644 engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
 create mode 100644 engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
 create mode 100644 engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
 create mode 100644 engine/pkg/devicemapper/ioctl.go
 create mode 100644 engine/pkg/devicemapper/log.go
 create mode 100644 engine/pkg/directory/directory.go
 create mode 100644 engine/pkg/directory/directory_test.go
 create mode 100644 engine/pkg/directory/directory_unix.go
 create mode 100644 engine/pkg/directory/directory_windows.go
 create mode 100644 engine/pkg/discovery/README.md
 create mode 100644 engine/pkg/discovery/backends.go
 create mode 100644 engine/pkg/discovery/discovery.go
 create mode 100644 engine/pkg/discovery/discovery_test.go
 create mode 100644 engine/pkg/discovery/entry.go
 create mode 100644 engine/pkg/discovery/file/file.go
 create mode 100644 engine/pkg/discovery/file/file_test.go
 create mode 100644 engine/pkg/discovery/generator.go
 create mode 100644 engine/pkg/discovery/generator_test.go
 create mode 100644 engine/pkg/discovery/kv/kv.go
 create mode 100644 engine/pkg/discovery/kv/kv_test.go
 create mode 100644 engine/pkg/discovery/memory/memory.go
 create mode 100644 engine/pkg/discovery/memory/memory_test.go
 create mode 100644 engine/pkg/discovery/nodes/nodes.go
 create mode 100644 engine/pkg/discovery/nodes/nodes_test.go
 create mode 100644 engine/pkg/dmesg/dmesg_linux.go
 create mode 100644 engine/pkg/dmesg/dmesg_linux_test.go
 create mode 100644 engine/pkg/filenotify/filenotify.go
 create mode 100644 engine/pkg/filenotify/fsnotify.go
 create mode 100644 engine/pkg/filenotify/poller.go
 create mode 100644 engine/pkg/filenotify/poller_test.go
 create mode 100644 engine/pkg/fileutils/fileutils.go
 create mode 100644 engine/pkg/fileutils/fileutils_darwin.go
 create mode 100644 engine/pkg/fileutils/fileutils_test.go
 create mode 100644 engine/pkg/fileutils/fileutils_unix.go
 create mode 100644 engine/pkg/fileutils/fileutils_windows.go
 create mode 100644 engine/pkg/fsutils/fsutils_linux.go
 create mode 100644 engine/pkg/fsutils/fsutils_linux_test.go
 create mode 100644 engine/pkg/homedir/homedir_linux.go
 create mode 100644 engine/pkg/homedir/homedir_others.go
 create mode 100644 engine/pkg/homedir/homedir_test.go
 create mode 100644 engine/pkg/homedir/homedir_unix.go
 create mode 100644 engine/pkg/homedir/homedir_windows.go
 create mode 100644 engine/pkg/idtools/idtools.go
 create mode 100644 engine/pkg/idtools/idtools_unix.go
 create mode 100644 engine/pkg/idtools/idtools_unix_test.go
 create mode 100644 engine/pkg/idtools/idtools_windows.go
 create mode 100644 engine/pkg/idtools/usergroupadd_linux.go
 create mode 100644 engine/pkg/idtools/usergroupadd_unsupported.go
 create mode 100644 engine/pkg/idtools/utils_unix.go
 create mode 100644 engine/pkg/ioutils/buffer.go
 create mode 100644 engine/pkg/ioutils/buffer_test.go
 create mode 100644 engine/pkg/ioutils/bytespipe.go
 create mode 100644 engine/pkg/ioutils/bytespipe_test.go
 create mode 100644 engine/pkg/ioutils/fswriters.go
 create mode 100644 engine/pkg/ioutils/fswriters_test.go
 create mode 100644 engine/pkg/ioutils/readers.go
 create mode 100644 engine/pkg/ioutils/readers_test.go
 create mode 100644 engine/pkg/ioutils/temp_unix.go
 create mode 100644 engine/pkg/ioutils/temp_windows.go
 create mode 100644 engine/pkg/ioutils/writeflusher.go
 create mode 100644 engine/pkg/ioutils/writers.go
 create mode 100644 engine/pkg/ioutils/writers_test.go
 create mode 100644 engine/pkg/jsonmessage/jsonmessage.go
 create mode 100644 engine/pkg/jsonmessage/jsonmessage_test.go
 create mode 100644 engine/pkg/locker/README.md
 create mode 100644 engine/pkg/locker/locker.go
 create mode 100644 engine/pkg/locker/locker_test.go
 create mode 100644 engine/pkg/longpath/longpath.go
 create mode 100644 engine/pkg/longpath/longpath_test.go
 create mode 100644 engine/pkg/loopback/attach_loopback.go
 create mode 100644 engine/pkg/loopback/ioctl.go
 create mode 100644 engine/pkg/loopback/loop_wrapper.go
 create mode 100644 engine/pkg/loopback/loopback.go
 create mode 100644 engine/pkg/mount/flags.go
 create mode 100644 engine/pkg/mount/flags_freebsd.go
 create mode 100644 engine/pkg/mount/flags_linux.go
 create mode 100644 engine/pkg/mount/flags_unsupported.go
 create mode 100644 engine/pkg/mount/mount.go
 create mode 100644 engine/pkg/mount/mount_unix_test.go
 create mode 100644 engine/pkg/mount/mounter_freebsd.go
 create mode 100644 engine/pkg/mount/mounter_linux.go
 create mode 100644 engine/pkg/mount/mounter_linux_test.go
 create mode 100644 engine/pkg/mount/mounter_unsupported.go
 create mode 100644 engine/pkg/mount/mountinfo.go
 create mode 100644 engine/pkg/mount/mountinfo_freebsd.go
 create mode 100644 engine/pkg/mount/mountinfo_linux.go
 create mode 100644 engine/pkg/mount/mountinfo_linux_test.go
 create mode 100644 engine/pkg/mount/mountinfo_unsupported.go
 create mode 100644 engine/pkg/mount/mountinfo_windows.go
 create mode 100644 engine/pkg/mount/sharedsubtree_linux.go
 create mode 100644 engine/pkg/mount/sharedsubtree_linux_test.go
 create mode 100644 engine/pkg/namesgenerator/cmd/names-generator/main.go
 create mode 100644 engine/pkg/namesgenerator/names-generator.go
 create mode 100644 engine/pkg/namesgenerator/names-generator_test.go
 create mode 100644 engine/pkg/parsers/kernel/kernel.go
 create mode 100644 engine/pkg/parsers/kernel/kernel_darwin.go
 create mode 100644 engine/pkg/parsers/kernel/kernel_unix.go
 create mode 100644 engine/pkg/parsers/kernel/kernel_unix_test.go
 create mode 100644 engine/pkg/parsers/kernel/kernel_windows.go
 create mode 100644 engine/pkg/parsers/kernel/uname_linux.go
 create mode 100644 engine/pkg/parsers/kernel/uname_solaris.go
 create mode 100644 engine/pkg/parsers/kernel/uname_unsupported.go
 create mode 100644 engine/pkg/parsers/operatingsystem/operatingsystem_linux.go
 create mode 100644 engine/pkg/parsers/operatingsystem/operatingsystem_unix.go
 create mode 100644 engine/pkg/parsers/operatingsystem/operatingsystem_unix_test.go
 create mode 100644 engine/pkg/parsers/operatingsystem/operatingsystem_windows.go
 create mode 100644 engine/pkg/parsers/parsers.go
 create mode 100644 engine/pkg/parsers/parsers_test.go
 create mode 100644 engine/pkg/pidfile/pidfile.go
 create mode 100644 engine/pkg/pidfile/pidfile_darwin.go
 create mode 100644 engine/pkg/pidfile/pidfile_test.go
 create mode 100644 engine/pkg/pidfile/pidfile_unix.go
 create mode 100644 engine/pkg/pidfile/pidfile_windows.go
 create mode 100644 engine/pkg/platform/architecture_linux.go
 create mode 100644 engine/pkg/platform/architecture_unix.go
 create mode 100644 engine/pkg/platform/architecture_windows.go
 create mode 100644 engine/pkg/platform/platform.go
 create mode 100644 engine/pkg/plugingetter/getter.go
 create mode 100644 engine/pkg/plugins/client.go
 create mode 100644 engine/pkg/plugins/client_test.go
 create mode 100644 engine/pkg/plugins/discovery.go
 create mode 100644 engine/pkg/plugins/discovery_test.go
 create mode 100644 engine/pkg/plugins/discovery_unix.go
 create mode 100644 engine/pkg/plugins/discovery_unix_test.go
 create mode 100644 engine/pkg/plugins/discovery_windows.go
 create mode 100644 engine/pkg/plugins/errors.go
 create mode 100644 engine/pkg/plugins/plugin_test.go
 create mode 100644 engine/pkg/plugins/pluginrpc-gen/README.md
 create mode 100644 engine/pkg/plugins/pluginrpc-gen/fixtures/foo.go
 create mode 100644 engine/pkg/plugins/pluginrpc-gen/fixtures/otherfixture/spaceship.go
 create mode 100644 engine/pkg/plugins/pluginrpc-gen/main.go
 create mode 100644 engine/pkg/plugins/pluginrpc-gen/parser.go
 create mode 100644 engine/pkg/plugins/pluginrpc-gen/parser_test.go
 create mode 100644 engine/pkg/plugins/pluginrpc-gen/template.go
 create mode 100644 engine/pkg/plugins/plugins.go
 create mode 100644 engine/pkg/plugins/plugins_unix.go
 create mode 100644 engine/pkg/plugins/plugins_windows.go
 create mode 100644 engine/pkg/plugins/transport/http.go
 create mode 100644 engine/pkg/plugins/transport/http_test.go
 create mode 100644 engine/pkg/plugins/transport/transport.go
 create mode 100644 engine/pkg/pools/pools.go
 create mode 100644 engine/pkg/pools/pools_test.go
 create mode 100644 engine/pkg/progress/progress.go
 create mode 100644 engine/pkg/progress/progressreader.go
 create mode 100644 engine/pkg/progress/progressreader_test.go
 create mode 100644 engine/pkg/pubsub/publisher.go
 create mode 100644 engine/pkg/pubsub/publisher_test.go
 create mode 100644 engine/pkg/reexec/README.md
 create mode 100644 engine/pkg/reexec/command_linux.go
 create mode 100644 engine/pkg/reexec/command_unix.go
 create mode 100644 engine/pkg/reexec/command_unsupported.go
 create mode 100644 engine/pkg/reexec/command_windows.go
 create mode 100644 engine/pkg/reexec/reexec.go
 create mode 100644 engine/pkg/reexec/reexec_test.go
 create mode 100644 engine/pkg/signal/README.md
 create mode 100644 engine/pkg/signal/signal.go
 create mode 100644 engine/pkg/signal/signal_darwin.go
 create mode 100644 engine/pkg/signal/signal_freebsd.go
 create mode 100644 engine/pkg/signal/signal_linux.go
 create mode 100644 engine/pkg/signal/signal_linux_test.go
 create mode 100644 engine/pkg/signal/signal_test.go
 create mode 100644 engine/pkg/signal/signal_unix.go
 create mode 100644 engine/pkg/signal/signal_unsupported.go
 create mode 100644 engine/pkg/signal/signal_windows.go
 create mode 100644 engine/pkg/signal/testfiles/main.go
 create mode 100644 engine/pkg/signal/trap.go
 create mode 100644 engine/pkg/signal/trap_linux_test.go
 create mode 100644 engine/pkg/stdcopy/stdcopy.go
 create mode 100644 engine/pkg/stdcopy/stdcopy_test.go
 create mode 100644 engine/pkg/streamformatter/streamformatter.go
 create mode 100644 engine/pkg/streamformatter/streamformatter_test.go
 create mode 100644 engine/pkg/streamformatter/streamwriter.go
 create mode 100644 engine/pkg/streamformatter/streamwriter_test.go
 create mode 100644 engine/pkg/stringid/README.md
 create mode 100644 engine/pkg/stringid/stringid.go
 create mode 100644 engine/pkg/stringid/stringid_test.go
 create mode 100644 engine/pkg/symlink/LICENSE.APACHE
 create mode 100644 engine/pkg/symlink/LICENSE.BSD
 create mode 100644 engine/pkg/symlink/README.md
 create mode 100644 engine/pkg/symlink/fs.go
 create mode 100644 engine/pkg/symlink/fs_unix.go
 create mode 100644 engine/pkg/symlink/fs_unix_test.go
 create mode 100644 engine/pkg/symlink/fs_windows.go
 create mode 100644 engine/pkg/sysinfo/README.md
 create mode 100644 engine/pkg/sysinfo/numcpu.go
 create mode 100644 engine/pkg/sysinfo/numcpu_linux.go
 create mode 100644 engine/pkg/sysinfo/numcpu_windows.go
 create mode 100644 engine/pkg/sysinfo/sysinfo.go
 create mode 100644 engine/pkg/sysinfo/sysinfo_linux.go
 create mode 100644 engine/pkg/sysinfo/sysinfo_linux_test.go
 create mode 100644 engine/pkg/sysinfo/sysinfo_test.go
 create mode 100644 engine/pkg/sysinfo/sysinfo_unix.go
 create mode 100644 engine/pkg/sysinfo/sysinfo_windows.go
 create mode 100644 engine/pkg/system/chtimes.go
 create mode 100644 engine/pkg/system/chtimes_test.go
 create mode 100644 engine/pkg/system/chtimes_unix.go
 create mode 100644 engine/pkg/system/chtimes_unix_test.go
 create mode 100644 engine/pkg/system/chtimes_windows.go
 create mode 100644 engine/pkg/system/chtimes_windows_test.go
 create mode 100644 engine/pkg/system/errors.go
 create mode 100644 engine/pkg/system/exitcode.go
 create mode 100644 engine/pkg/system/filesys.go
 create mode 100644 engine/pkg/system/filesys_windows.go
 create mode 100644 engine/pkg/system/init.go
 create mode 100644 engine/pkg/system/init_unix.go
 create mode 100644 engine/pkg/system/init_windows.go
 create mode 100644 engine/pkg/system/lcow.go
 create mode 100644 engine/pkg/system/lcow_unix.go
 create mode 100644 engine/pkg/system/lcow_windows.go
 create mode 100644 engine/pkg/system/lstat_unix.go
 create mode 100644 engine/pkg/system/lstat_unix_test.go
 create mode 100644 engine/pkg/system/lstat_windows.go
 create mode 100644 engine/pkg/system/meminfo.go
 create mode 100644 engine/pkg/system/meminfo_linux.go
 create mode 100644 engine/pkg/system/meminfo_unix_test.go
 create mode 100644 engine/pkg/system/meminfo_unsupported.go
 create mode 100644 engine/pkg/system/meminfo_windows.go
 create mode 100644 engine/pkg/system/mknod.go
 create mode 100644 engine/pkg/system/mknod_windows.go
 create mode 100644 engine/pkg/system/path.go
 create mode 100644 engine/pkg/system/path_windows_test.go
 create mode 100644 engine/pkg/system/process_unix.go
 create mode 100644 engine/pkg/system/process_windows.go
 create mode 100644 engine/pkg/system/rm.go
 create mode 100644 engine/pkg/system/rm_test.go
 create mode 100644 engine/pkg/system/stat_darwin.go
 create mode 100644 engine/pkg/system/stat_freebsd.go
 create mode 100644 engine/pkg/system/stat_linux.go
 create mode 100644 engine/pkg/system/stat_openbsd.go
 create mode 100644 engine/pkg/system/stat_solaris.go
 create mode 100644 engine/pkg/system/stat_unix.go
 create mode 100644 engine/pkg/system/stat_unix_test.go
 create mode 100644 engine/pkg/system/stat_windows.go
 create mode 100644 engine/pkg/system/syscall_unix.go
 create mode 100644 engine/pkg/system/syscall_windows.go
 create mode 100644 engine/pkg/system/syscall_windows_test.go
 create mode 100644 engine/pkg/system/umask.go
 create mode 100644 engine/pkg/system/umask_windows.go
 create mode 100644 engine/pkg/system/utimes_freebsd.go
 create mode 100644 engine/pkg/system/utimes_linux.go
 create mode 100644 engine/pkg/system/utimes_unix_test.go
 create mode 100644 engine/pkg/system/utimes_unsupported.go
 create mode 100644 engine/pkg/system/xattrs_linux.go
 create mode 100644 engine/pkg/system/xattrs_unsupported.go
 create mode 100644 engine/pkg/tailfile/tailfile.go
 create mode 100644 engine/pkg/tailfile/tailfile_test.go
 create mode 100644 engine/pkg/tarsum/builder_context.go
 create mode 100644 engine/pkg/tarsum/builder_context_test.go
 create mode 100644 engine/pkg/tarsum/fileinfosums.go
 create mode 100644 engine/pkg/tarsum/fileinfosums_test.go
 create mode 100644 engine/pkg/tarsum/tarsum.go
 create mode 100644 engine/pkg/tarsum/tarsum_spec.md
 create mode 100644 engine/pkg/tarsum/tarsum_test.go
 create mode 100644 engine/pkg/tarsum/testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/json
 create mode 100644 engine/pkg/tarsum/testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/layer.tar
 create mode 100644 engine/pkg/tarsum/testdata/511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158/json
 create mode 100644 engine/pkg/tarsum/testdata/511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158/layer.tar
 create mode 100644 engine/pkg/tarsum/testdata/collision/collision-0.tar
 create mode 100644 engine/pkg/tarsum/testdata/collision/collision-1.tar
 create mode 100644 engine/pkg/tarsum/testdata/collision/collision-2.tar
 create mode 100644 engine/pkg/tarsum/testdata/collision/collision-3.tar
 create mode 100644 engine/pkg/tarsum/testdata/xattr/json
 create mode 100644 engine/pkg/tarsum/testdata/xattr/layer.tar
 create mode 100644 engine/pkg/tarsum/versioning.go
 create mode 100644 engine/pkg/tarsum/versioning_test.go
 create mode 100644 engine/pkg/tarsum/writercloser.go
 create mode 100644 engine/pkg/term/ascii.go
 create mode 100644 engine/pkg/term/ascii_test.go
 create mode 100644 engine/pkg/term/proxy.go
 create mode 100644 engine/pkg/term/proxy_test.go
 create mode 100644 engine/pkg/term/tc.go
 create mode 100644 engine/pkg/term/term.go
 create mode 100644 engine/pkg/term/term_linux_test.go
 create mode 100644 engine/pkg/term/term_windows.go
 create mode 100644 engine/pkg/term/termios_bsd.go
 create mode 100644 engine/pkg/term/termios_linux.go
 create mode 100644 engine/pkg/term/windows/ansi_reader.go
 create mode 100644 engine/pkg/term/windows/ansi_writer.go
 create mode 100644 engine/pkg/term/windows/console.go
 create mode 100644 engine/pkg/term/windows/windows.go
 create mode 100644 engine/pkg/term/windows/windows_test.go
 create mode 100644 engine/pkg/term/winsize.go
 create mode 100644 engine/pkg/truncindex/truncindex.go
 create mode 100644 engine/pkg/truncindex/truncindex_test.go
 create mode 100644 engine/pkg/urlutil/urlutil.go
 create mode 100644 engine/pkg/urlutil/urlutil_test.go
 create mode 100644 engine/pkg/useragent/README.md
 create mode 100644 engine/pkg/useragent/useragent.go
 create mode 100644 engine/pkg/useragent/useragent_test.go
 create mode 100644 engine/plugin/backend_linux.go
 create mode 100644 engine/plugin/backend_linux_test.go
 create mode 100644 engine/plugin/backend_unsupported.go
 create mode 100644 engine/plugin/blobstore.go
 create mode 100644 engine/plugin/defs.go
 create mode 100644 engine/plugin/errors.go
 create mode 100644 engine/plugin/events.go
 create mode 100644 engine/plugin/executor/containerd/containerd.go
 create mode 100644 engine/plugin/executor/containerd/containerd_test.go
 create mode 100644 engine/plugin/manager.go
 create mode 100644 engine/plugin/manager_linux.go
 create mode 100644 engine/plugin/manager_linux_test.go
 create mode 100644 engine/plugin/manager_test.go
 create mode 100644 engine/plugin/manager_windows.go
 create mode 100644 engine/plugin/store.go
 create mode 100644 engine/plugin/store_test.go
 create mode 100644 engine/plugin/v2/plugin.go
 create mode 100644 engine/plugin/v2/plugin_linux.go
 create mode 100644 engine/plugin/v2/plugin_unsupported.go
 create mode 100644 engine/plugin/v2/settable.go
 create mode 100644 engine/plugin/v2/settable_test.go
 create mode 100644 engine/poule.yml
 create mode 100644 engine/profiles/apparmor/apparmor.go
 create mode 100644 engine/profiles/apparmor/template.go
 create mode 100755 engine/profiles/seccomp/default.json
 create mode 100755 engine/profiles/seccomp/fixtures/example.json
 create mode 100644 engine/profiles/seccomp/generate.go
 create mode 100644 engine/profiles/seccomp/seccomp.go
 create mode 100644 engine/profiles/seccomp/seccomp_default.go
 create mode 100644 engine/profiles/seccomp/seccomp_test.go
 create mode 100644 engine/profiles/seccomp/seccomp_unsupported.go
 create mode 100644 engine/project/ARM.md
 create mode 100644 engine/project/BRANCHES-AND-TAGS.md
 create mode 120000 engine/project/CONTRIBUTING.md
 create mode 100644 engine/project/GOVERNANCE.md
 create mode 100644 engine/project/IRC-ADMINISTRATION.md
 create mode 100644 engine/project/ISSUE-TRIAGE.md
 create mode 100644 engine/project/PACKAGE-REPO-MAINTENANCE.md
 create mode 100644 engine/project/PACKAGERS.md
 create mode 100644 engine/project/PATCH-RELEASES.md
 create mode 100644 engine/project/PRINCIPLES.md
 create mode 100644 engine/project/README.md
 create mode 100644 engine/project/RELEASE-PROCESS.md
 create mode 100644 engine/project/REVIEWING.md
 create mode 100644 engine/project/TOOLS.md
 create mode 100644 engine/reference/errors.go
 create mode 100644 engine/reference/store.go
 create mode 100644 engine/reference/store_test.go
 create mode 100644 engine/registry/auth.go
 create mode 100644 engine/registry/auth_test.go
 create mode 100644 engine/registry/config.go
 create mode 100644 engine/registry/config_test.go
 create mode 100644 engine/registry/config_unix.go
 create mode 100644 engine/registry/config_windows.go
 create mode 100644 engine/registry/endpoint_test.go
 create mode 100644 engine/registry/endpoint_v1.go
 create mode 100644 engine/registry/errors.go
 create mode 100644 engine/registry/registry.go
 create mode 100644 engine/registry/registry_mock_test.go
 create mode 100644 engine/registry/registry_test.go
 create mode 100644 engine/registry/resumable/resumablerequestreader.go
 create mode 100644 engine/registry/resumable/resumablerequestreader_test.go
 create mode 100644 engine/registry/service.go
 create mode 100644 engine/registry/service_v1.go
 create mode 100644 engine/registry/service_v1_test.go
 create mode 100644 engine/registry/service_v2.go
 create mode 100644 engine/registry/session.go
 create mode 100644 engine/registry/types.go
 create mode 100644 engine/reports/2017-05-01.md
 create mode 100644 engine/reports/2017-05-08.md
 create mode 100644 engine/reports/2017-05-15.md
 create mode 100644 engine/reports/2017-06-05.md
 create mode 100644 engine/reports/2017-06-12.md
 create mode 100644 engine/reports/2017-06-26.md
 create mode 100644 engine/reports/builder/2017-05-01.md
 create mode 100644 engine/reports/builder/2017-05-08.md
 create mode 100644 engine/reports/builder/2017-05-15.md
 create mode 100644 engine/reports/builder/2017-05-22.md
 create mode 100644 engine/reports/builder/2017-05-29.md
 create mode 100644 engine/reports/builder/2017-06-05.md
 create mode 100644 engine/reports/builder/2017-06-12.md
 create mode 100644 engine/reports/builder/2017-06-26.md
 create mode 100644 engine/reports/builder/2017-07-10.md
 create mode 100644 engine/reports/builder/2017-07-17.md
 create mode 100644 engine/restartmanager/restartmanager.go
 create mode 100644 engine/restartmanager/restartmanager_test.go
 create mode 100644 engine/runconfig/config.go
 create mode 100644 engine/runconfig/config_test.go
 create mode 100644 engine/runconfig/config_unix.go
 create mode 100644 engine/runconfig/config_windows.go
 create mode 100644 engine/runconfig/errors.go
 create mode 100644 engine/runconfig/fixtures/unix/container_config_1_14.json
 create mode 100644 engine/runconfig/fixtures/unix/container_config_1_17.json
 create mode 100644 engine/runconfig/fixtures/unix/container_config_1_19.json
 create mode 100644 engine/runconfig/fixtures/unix/container_hostconfig_1_14.json
 create mode 100644 engine/runconfig/fixtures/unix/container_hostconfig_1_19.json
 create mode 100644 engine/runconfig/fixtures/windows/container_config_1_19.json
 create mode 100644 engine/runconfig/hostconfig.go
 create mode 100644 engine/runconfig/hostconfig_test.go
 create mode 100644 engine/runconfig/hostconfig_unix.go
 create mode 100644 engine/runconfig/hostconfig_windows.go
 create mode 100644 engine/runconfig/hostconfig_windows_test.go
 create mode 100644 engine/runconfig/opts/parse.go
 create mode 100644 engine/vendor.conf
 create mode 100644 engine/vendor/github.com/Graylog2/go-gelf/LICENSE
 create mode 100644 engine/vendor/github.com/Graylog2/go-gelf/README.md
 create mode 100644 engine/vendor/github.com/Graylog2/go-gelf/gelf/message.go
 create mode 100644 engine/vendor/github.com/Graylog2/go-gelf/gelf/reader.go
 create mode 100644 engine/vendor/github.com/Graylog2/go-gelf/gelf/tcpreader.go
 create mode 100644 engine/vendor/github.com/Graylog2/go-gelf/gelf/tcpwriter.go
 create mode 100644 engine/vendor/github.com/Graylog2/go-gelf/gelf/udpwriter.go
 create mode 100644 engine/vendor/github.com/Graylog2/go-gelf/gelf/utils.go
 create mode 100644 engine/vendor/github.com/Graylog2/go-gelf/gelf/writer.go
 create mode 100644 engine/vendor/github.com/Nvveen/Gotty/LICENSE
 create mode 100644 engine/vendor/github.com/Nvveen/Gotty/README
 create mode 100644 engine/vendor/github.com/Nvveen/Gotty/attributes.go
 create mode 100644 engine/vendor/github.com/Nvveen/Gotty/gotty.go
 create mode 100644 engine/vendor/github.com/Nvveen/Gotty/parser.go
 create mode 100644 engine/vendor/github.com/Nvveen/Gotty/types.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/LICENSE
 create mode 100644 engine/vendor/github.com/containerd/continuity/README.md
 create mode 100644 engine/vendor/github.com/containerd/continuity/devices/devices.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/devices/devices_unix.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/devices/devices_windows.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/driver/driver.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/driver/driver_unix.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/driver/driver_windows.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/driver/utils.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/copy.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/copy_linux.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/copy_unix.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/copy_windows.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/diff.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/diff_unix.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/diff_windows.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/dtype_linux.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/du.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/du_unix.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/du_windows.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/hardlink.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/hardlink_unix.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/hardlink_windows.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/path.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/stat_bsd.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/stat_linux.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/fs/time.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/pathdriver/path_driver.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/syscallx/syscall_unix.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/syscallx/syscall_windows.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/asm.s
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin_386.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin_amd64.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/chmod_freebsd.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/chmod_freebsd_amd64.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/chmod_linux.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/chmod_solaris.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/file_posix.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/nodata_linux.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/nodata_solaris.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/nodata_unix.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/sys.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/xattr.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin_386.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin_amd64.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/xattr_freebsd.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/xattr_linux.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/xattr_openbsd.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/xattr_solaris.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go
 create mode 100644 engine/vendor/github.com/containerd/continuity/vendor.conf
 create mode 100644 engine/vendor/github.com/containerd/go-runc/LICENSE
 create mode 100644 engine/vendor/github.com/containerd/go-runc/README.md
 create mode 100644 engine/vendor/github.com/containerd/go-runc/command_linux.go
 create mode 100644 engine/vendor/github.com/containerd/go-runc/command_other.go
 create mode 100644 engine/vendor/github.com/containerd/go-runc/console.go
 create mode 100644 engine/vendor/github.com/containerd/go-runc/container.go
 create mode 100644 engine/vendor/github.com/containerd/go-runc/events.go
 create mode 100644 engine/vendor/github.com/containerd/go-runc/io.go
 create mode 100644 engine/vendor/github.com/containerd/go-runc/monitor.go
 create mode 100644 engine/vendor/github.com/containerd/go-runc/runc.go
 create mode 100644 engine/vendor/github.com/containerd/go-runc/utils.go
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/LICENSE
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/README.md
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/channel.go
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/client.go
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/codec.go
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/config.go
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/handshake.go
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/server.go
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/services.go
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/types.go
 create mode 100644 engine/vendor/github.com/containerd/ttrpc/unixcreds_linux.go
 create mode 100644 engine/vendor/github.com/fernet/fernet-go/License
 create mode 100644 engine/vendor/github.com/fernet/fernet-go/Readme
 create mode 100644 engine/vendor/github.com/fernet/fernet-go/fernet.go
 create mode 100644 engine/vendor/github.com/fernet/fernet-go/key.go
 create mode 100644 engine/vendor/github.com/golang/gddo/LICENSE
 create mode 100644 engine/vendor/github.com/golang/gddo/README.markdown
 create mode 100644 engine/vendor/github.com/golang/gddo/httputil/buster.go
 create mode 100644 engine/vendor/github.com/golang/gddo/httputil/header/header.go
 create mode 100644 engine/vendor/github.com/golang/gddo/httputil/httputil.go
 create mode 100644 engine/vendor/github.com/golang/gddo/httputil/negotiate.go
 create mode 100644 engine/vendor/github.com/golang/gddo/httputil/respbuf.go
 create mode 100644 engine/vendor/github.com/golang/gddo/httputil/static.go
 create mode 100644 engine/vendor/github.com/golang/gddo/httputil/transport.go
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/LICENSE
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/PATENTS
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/README.rst
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/README.md
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/client.go
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/errors.go
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/options.go
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/package.go
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/server.go
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/shared.go
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/README.md
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/command_line.proto
 create mode 100644 engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/store.proto
 create mode 100644 engine/vendor/github.com/hashicorp/go-immutable-radix/LICENSE
 create mode 100644 engine/vendor/github.com/hashicorp/go-immutable-radix/README.md
 create mode 100644 engine/vendor/github.com/hashicorp/go-immutable-radix/edges.go
 create mode 100644 engine/vendor/github.com/hashicorp/go-immutable-radix/iradix.go
 create mode 100644 engine/vendor/github.com/hashicorp/go-immutable-radix/iter.go
 create mode 100644 engine/vendor/github.com/hashicorp/go-immutable-radix/node.go
 create mode 100644 engine/vendor/github.com/hashicorp/go-immutable-radix/raw_iter.go
 create mode 100644 engine/vendor/github.com/ishidawataru/sctp/LICENSE
 create mode 100644 engine/vendor/github.com/ishidawataru/sctp/README.md
 create mode 100644 engine/vendor/github.com/ishidawataru/sctp/sctp.go
 create mode 100644 engine/vendor/github.com/ishidawataru/sctp/sctp_linux.go
 create mode 100644 engine/vendor/github.com/ishidawataru/sctp/sctp_unsupported.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/LICENSE
 create mode 100644 engine/vendor/github.com/moby/buildkit/README.md
 create mode 100644 engine/vendor/github.com/moby/buildkit/api/services/control/control.pb.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/api/services/control/control.proto
 create mode 100644 engine/vendor/github.com/moby/buildkit/api/services/control/generate.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/api/types/generate.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/api/types/worker.pb.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/api/types/worker.proto
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.pb.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.proto
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash_unix.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash_windows.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/contenthash/generate.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/contenthash/tarsum.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/fsutil.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/gc.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/manager.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/metadata.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/metadata/metadata.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/refs.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/remotecache/export.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/remotecache/import.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/remotecache/registry/registry.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/cachestorage.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/chains.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/doc.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/parse.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/spec.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/utils.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/client.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/client_unix.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/client_windows.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/diskusage.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/exporters.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/graph.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/llb/exec.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/llb/imagemetaresolver/resolver.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/llb/marshal.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/llb/meta.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/llb/resolver.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/llb/source.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/llb/state.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/prune.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/solve.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/client/workers.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/control/control.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/executor/executor.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/executor/oci/hosts.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/executor/oci/mounts.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/executor/oci/resolvconf.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/executor/oci/spec_unix.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/executor/oci/user.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/exporter/exporter.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/builder/build.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/command/command.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_norunmount.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_runmount.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/defaultshell_unix.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/defaultshell_windows.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/directives.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/image.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/bflag.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands_runmount.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/errors_unix.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/errors_windows.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/parse.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/support.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/line_parsers.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/parser.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/split_command.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/equal_env_unix.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/equal_env_windows.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/lex.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/frontend.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/gateway/client/client.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/gateway/client/result.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/forward.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/frontend.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/caps.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.pb.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.proto
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/generate.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/frontend/result.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/identity/randomid.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/auth/auth.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/auth/auth.pb.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/auth/auth.proto
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/auth/generate.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/context.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/filesync/diffcopy.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/filesync/filesync.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/filesync/filesync.pb.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/filesync/filesync.proto
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/filesync/generate.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/grpc.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/grpchijack/dial.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/grpchijack/hijack.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/manager.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/session/session.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/snapshot/blobmapping/snapshotter.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/snapshot/localmounter.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/snapshot/localmounter_unix.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/snapshot/localmounter_windows.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/snapshot/snapshotter.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/boltdbcachestorage/storage.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/cachekey.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/cachemanager.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/cachestorage.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/combinedcache.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/edge.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/exporter.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/index.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/internal/pipe/pipe.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/jobs.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/build.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/exec.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/source.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/llbsolver/result.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/memorycachestorage.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/pb/attr.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/pb/const.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/pb/generate.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/pb/ops.pb.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/pb/ops.proto
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/pb/platform.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/progress.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/result.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/scheduler.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/solver/types.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/source/git/gitsource.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/source/git/gitsource_unix.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/source/git/gitsource_windows.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/source/gitidentifier.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/source/http/httpsource.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/source/identifier.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/source/local/local.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/source/manager.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/apicaps/caps.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/apicaps/pb/caps.pb.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/apicaps/pb/caps.proto
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/apicaps/pb/generate.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_unix.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_windows.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/cond/cond.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/contentutil/buffer.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/contentutil/copy.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/contentutil/fetcher.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/contentutil/multiprovider.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/contentutil/pusher.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/flightcontrol/flightcontrol.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/imageutil/config.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/progress/logs/logs.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/progress/multireader.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/progress/multiwriter.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/progress/progress.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/rootless/specconv/specconv_linux.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/system/path_unix.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/system/path_windows.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/system/seccomp_linux.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/system/seccomp_nolinux.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/system/seccomp_noseccomp.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/util/tracing/tracing.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/vendor.conf
 create mode 100644 engine/vendor/github.com/moby/buildkit/worker/filter.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/worker/result.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/worker/worker.go
 create mode 100644 engine/vendor/github.com/moby/buildkit/worker/workercontroller.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/LICENSE
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/chtimes_linux.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/chtimes_nolinux.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/diff.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/diff_containerd.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/diff_containerd_linux.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/diskwriter.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/diskwriter_unix.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/diskwriter_windows.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/followlinks.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/generate.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/hardlinks.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/readme.md
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/receive.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/send.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/stat.pb.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/stat.proto
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/validator.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/walker.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/walker_unix.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/walker_windows.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/wire.pb.go
 create mode 100644 engine/vendor/github.com/tonistiigi/fsutil/wire.proto
 create mode 100644 engine/volume/drivers/adapter.go
 create mode 100644 engine/volume/drivers/extpoint.go
 create mode 100644 engine/volume/drivers/extpoint_test.go
 create mode 100644 engine/volume/drivers/proxy.go
 create mode 100644 engine/volume/drivers/proxy_test.go
 create mode 100644 engine/volume/local/local.go
 create mode 100644 engine/volume/local/local_test.go
 create mode 100644 engine/volume/local/local_unix.go
 create mode 100644 engine/volume/local/local_windows.go
 create mode 100644 engine/volume/mounts/lcow_parser.go
 create mode 100644 engine/volume/mounts/linux_parser.go
 create mode 100644 engine/volume/mounts/mounts.go
 create mode 100644 engine/volume/mounts/parser.go
 create mode 100644 engine/volume/mounts/parser_test.go
 create mode 100644 engine/volume/mounts/validate.go
 create mode 100644 engine/volume/mounts/validate_test.go
 create mode 100644 engine/volume/mounts/validate_unix_test.go
 create mode 100644 engine/volume/mounts/validate_windows_test.go
 create mode 100644 engine/volume/mounts/volume_copy.go
 create mode 100644 engine/volume/mounts/volume_unix.go
 create mode 100644 engine/volume/mounts/volume_windows.go
 create mode 100644 engine/volume/mounts/windows_parser.go
 create mode 100644 engine/volume/service/by.go
 create mode 100644 engine/volume/service/convert.go
 create mode 100644 engine/volume/service/db.go
 create mode 100644 engine/volume/service/db_test.go
 create mode 100644 engine/volume/service/default_driver.go
 create mode 100644 engine/volume/service/default_driver_stubs.go
 create mode 100644 engine/volume/service/errors.go
 create mode 100644 engine/volume/service/opts/opts.go
 create mode 100644 engine/volume/service/restore.go
 create mode 100644 engine/volume/service/restore_test.go
 create mode 100644 engine/volume/service/service.go
 create mode 100644 engine/volume/service/service_linux_test.go
 create mode 100644 engine/volume/service/service_test.go
 create mode 100644 engine/volume/service/store.go
 create mode 100644 engine/volume/service/store_test.go
 create mode 100644 engine/volume/service/store_unix.go
 create mode 100644 engine/volume/service/store_windows.go
 create mode 100644 engine/volume/testutils/testutils.go
 create mode 100644 engine/volume/volume.go

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 00000000..6f285a85
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,203 @@
+# Changelog
+
+For more information on the list of deprecated flags and APIs, have a look at
+https://docs.docker.com/engine/deprecated/ where you can find the target removal dates 
+
+## 18.06.1-ce (2018-08-21)
+
+### Builder
+
+- Fix no error if build args are missing during docker build. [docker/engine#25](https://github.com/docker/engine/pull/25)
++ Set BuildKit's ExportedProduct variable to show useful errors. [docker/engine#21](https://github.com/docker/engine/pull/21)
+
+### Client
+
++ Various shell completion script updates. [docker/cli#1229](https://github.com/docker/cli/pull/1229) [docker/cli#1268](https://github.com/docker/cli/pull/1268) [docker/cli#1272](https://github.com/docker/cli/pull/1272)
+- Fix `DOCKER_CONFIG` warning message and fallback search. [docker/cli#1241](https://github.com/docker/cli/pull/1241)
+- Fix help message flags on `docker stack` commands and sub-commands. [docker/cli#1267](https://github.com/docker/cli/pull/1267)
+
+### Runtime
+
+* Disable CRI plugin listening on port 10010 by default. [docker/engine#29](https://github.com/docker/engine/pull/29)
+* Update containerd to v1.1.2. [docker/engine#33](https://github.com/docker/engine/pull/33)
+- Windows: Do not invoke HCS shutdown if terminate called. [docker/engine#31](https://github.com/docker/engine/pull/31)
+* Windows: Select polling-based watcher for Windows log watcher. [docker/engine#34](https://github.com/docker/engine/pull/34)
+
+### Swarm Mode
+
+- Fix the condition used for skipping over running tasks. [docker/swarmkit#2677](https://github.com/docker/swarmkit/pull/2677)
+- Fix task sorting. [docker/swarmkit#2712](https://github.com/docker/swarmkit/pull/2712)
+
+## 18.06.0-ce (2018-07-18)
+
+### Important notes about this release
+
+- Docker 18.06 CE will be the last release with a 4-month maintenance lifecycle. The planned Docker 18.09 CE release will be supported for 7 months with Docker 19.03 CE being the next release in line. More details about the release process can be found [here](https://docs.docker.com/install/).
+
+### Builder
+
+* Builder: fix layer leak on multi-stage wildcard copy. [moby/moby#37178](https://github.com/moby/moby/pull/37178)
+* Fix parsing of invalid environment variable substitution . [moby/moby#37134](https://github.com/moby/moby/pull/37134)
+* Builder: use the arch info from base image. [moby/moby#36816](https://github.com/moby/moby/pull/36816) [moby/moby#37197](https://github.com/moby/moby/pull/37197)
++ New experimental builder backend based on [BuildKit](https://github.com/moby/buildkit). To enable, run daemon in experimental mode and set `DOCKER_BUILDKIT=1` environment variable on the docker CLI. [moby/moby#37151](https://github.com/moby/moby/pull/37151) [docker/cli#1111](https://github.com/docker/cli/pull/1111)
+- Fix handling uppercase targets names in multi-stage builds. [moby/moby#36960](https://github.com/moby/moby/pull/36960)
+
+### Client
+
+* Bump spf13/cobra to v0.0.3, pflag to v1.0.1. [moby/moby#37106](https://github.com/moby/moby/pull/37106)
+* Add support for the new Stack API for Kubernetes v1beta2. [docker/cli#899](https://github.com/docker/cli/pull/899)
+* K8s: more robust stack error detection on deploy. [docker/cli#948](https://github.com/docker/cli/pull/948)
+* Support for rollback config in compose 3.7. [docker/cli#409](https://github.com/docker/cli/pull/409)
+* Update Cobra and pflag, and use built-in --version feature. [docker/cli#1069](https://github.com/docker/cli/pull/1069)
+* Fix `docker stack deploy --prune` with empty name removing all services. [docker/cli#1088](https://github.com/docker/cli/pull/1088)
+* [Kubernetes] stack services filters. [docker/cli#1023](https://github.com/docker/cli/pull/1023)
++ Only show orchestrator flag in root, stack and version commands in help. [docker/cli#1106](https://github.com/docker/cli/pull/1106)
++ Add an `Extras` field on the compose config types. [docker/cli#1126](https://github.com/docker/cli/pull/1126)
++ Add options to the compose loader. [docker/cli#1128](https://github.com/docker/cli/pull/1128)
+- Fix always listing nodes in docker stack ps command on Kubernetes. [docker/cli#1093](https://github.com/docker/cli/pull/1093)
+- Fix output being shown twice on stack rm error message. [docker/cli#1093](https://github.com/docker/cli/pull/1093)
+* Extend client API with custom HTTP requests. [moby/moby#37071](https://github.com/moby/moby/pull/37071)
+* Changed error message for unreadable files to clarify possibility of a .Dockerignore entry. [docker/cli#1053](https://github.com/docker/cli/pull/1053)
+* Restrict kubernetes.allNamespaces value to 'enabled' or 'disabled' in configuration file. [docker/cli#1087](https://github.com/docker/cli/pull/1087)
+* Check errors when initializing the docker client in the help command. [docker/cli#1119](https://github.com/docker/cli/pull/1119)
+* Better namespace experience with Kubernetes. Fix using namespace defined in ~/.kube/config for stack commands. Add a NAMESPACE column for docker stack ls command. Add a --all-namespaces flag for docker stack ls command. [docker/cli#991](https://github.com/docker/cli/pull/991)
+* Export Push and Save. [docker/cli#1123](https://github.com/docker/cli/pull/1123)
+* Export pull as a public function. [docker/cli#1026](https://github.com/docker/cli/pull/1026)
+* Remove Kubernetes commands from experimental. [docker/cli#1068](https://github.com/docker/cli/pull/1068)
+* Adding configs/secrets to service inspect pretty. [docker/cli#1006](https://github.com/docker/cli/pull/1006)
+- Fix service filtering by name on Kubernetes. [docker/cli#1101](https://github.com/docker/cli/pull/1101)
+- Fix component information alignment in `docker version`. [docker/cli#1065](https://github.com/docker/cli/pull/1065)
+- Fix cpu/memory limits and reservations being reset on service update. [docker/cli#1079](https://github.com/docker/cli/pull/1079)
+* Manifest list: request specific permissions. [docker/cli#1024](https://github.com/docker/cli/pull/1024)
+* Setting --orchestrator=all also sets --all-namespaces unless specific --namespace are set. [docker/cli#1059](https://github.com/docker/cli/pull/1059)
+- Fix panics when --compress and --stream are used together. [docker/cli#1105](https://github.com/docker/cli/pull/1105)
+* Switch from x/net/context to context. [docker/cli#1038](https://github.com/docker/cli/pull/1038)
++ Add --init option to `docker service create`. [docker/cli#479](https://github.com/docker/cli/pull/479)
++ Fixed bug displaying garbage output for build command when --stream and --quiet flags combined. [docker/cli#1090](https://github.com/docker/cli/pull/1090)
++ Add `init` support in 3.7 schema. [docker/cli#1129](https://github.com/docker/cli/pull/1129)
+- Fix docker trust signer removal. [docker/cli#1112](https://github.com/docker/cli/pull/1112)
+- Fix error message from docker inspect. [docker/cli#1071](https://github.com/docker/cli/pull/1071)
+* Allow `x-*` extension on 3rd level objects. [docker/cli#1097](https://github.com/docker/cli/pull/1097)
+* An invalid orchestrator now generates an error instead of being silently ignored. [docker/cli#1055](https://github.com/docker/cli/pull/1055)
+* Added ORCHESTRATOR column to docker stack ls command. [docker/cli#973](https://github.com/docker/cli/pull/973)
+* Warn when using host-ip for published ports for services. [docker/cli#1017](https://github.com/docker/cli/pull/1017)
++ Added the option to enable experimental cli features through the `DOCKER_CLI_EXPERIMENTAL` environment variable. [docker/cli#1138](https://github.com/docker/cli/pull/1138)
++ Add exec_die to the list of known container events. [docker/cli#1028](https://github.com/docker/cli/pull/1028)
+* [K8s] Do env-variable expansion on the uninterpreted Config files. [docker/cli#974](https://github.com/docker/cli/pull/974)
++ Print warnings on stderr for each unsupported features while parsing a compose file for deployment on Kubernetes. [docker/cli#903](https://github.com/docker/cli/pull/903)
++ Added description about pids count. [docker/cli#1045](https://github.com/docker/cli/pull/1045)
+- Warn user of filter when pruning. [docker/cli#1043](https://github.com/docker/cli/pull/1043)
+- Fix `--rollback-*` options overwriting `--update-*` options. [docker/cli#1052](https://github.com/docker/cli/pull/1052)
+* Update Attach, Build, Commit, Cp, Create subcommand fish completions. [docker/cli#1005](https://github.com/docker/cli/pull/1005)
++ Add bash completion for `dockerd --default-address-pool`. [docker/cli#1173](https://github.com/docker/cli/pull/1173)
++ Add bash completion for `exec_die` event. [docker/cli#1173](https://github.com/docker/cli/pull/1173)
+* Update docker-credential-helper so `pass` is not called on every docker command. [docker/cli#1184](https://github.com/docker/cli/pull/1184)
+* Fix for rotating swarm external CA. [docker/cli#1199](https://github.com/docker/cli/pull/1199)
+* Improve version output alignment. [docker/cli#1207](https://github.com/docker/cli/pull/1207)
++ Add bash completion for `service create|update --init`. [docker/cli#1210](https://github.com/docker/cli/pull/1210)
+
+### Deprecation
+
+* Document reserved namespaces deprecation. [docker/cli#1040](https://github.com/docker/cli/pull/1040)
+
+### Logging
+
+* Allow awslogs to use non-blocking mode. [moby/moby#36522](https://github.com/moby/moby/pull/36522)
+* Improve logging of long log lines on fluentd log driver.. [moby/moby#36159](https://github.com/moby/moby/pull/36159)
+* Re-order CHANGELOG.md to pass `make validate` test. [moby/moby#37047](https://github.com/moby/moby/pull/37047)
+* Update Events, Exec, Export, History, Images, Import, Inspect, Load, and Login subcommand fish completions. [docker/cli#1061](https://github.com/docker/cli/pull/1061)
+* Update documentation for RingLogger's ring buffer. [moby/moby#37084](https://github.com/moby/moby/pull/37084)
++ Add metrics for log failures/partials. [moby/moby#37034](https://github.com/moby/moby/pull/37034)
+- Fix logging plugin crash unrecoverable. [moby/moby#37028](https://github.com/moby/moby/pull/37028)
+- Fix logging test type. [moby/moby#37070](https://github.com/moby/moby/pull/37070)
+- Fix race conditions in logs API. [moby/moby#37062](https://github.com/moby/moby/pull/37062)
+- Fix some issues in logfile reader and rotation. [moby/moby#37063](https://github.com/moby/moby/pull/37063)
+
+### Networking
+
+* Allow user to specify default address pools for docker networks. [moby/moby#36396](https://github.com/moby/moby/pull/36396) [docker/cli#818](https://github.com/docker/cli/pull/818)
+* Adding logs for ipam state [doccker/libnetwork#2417](https://github.com/docker/libnetwork/pull/2147)
+* Fix race conditions in the overlay network driver [doccker/libnetwork#2143](https://github.com/docker/libnetwork/pull/2143)
+* Add wait time into xtables lock warning [doccker/libnetwork#2142](https://github.com/docker/libnetwork/pull/2142)
+* filter xtables lock warnings when firewalld is active [doccker/libnetwork#2135](https://github.com/docker/libnetwork/pull/2135)
+* Switch from x/net/context to context [doccker/libnetwork#2140](https://github.com/docker/libnetwork/pull/2140)
+* Adding a recovery mechanism for a split gossip cluster [doccker/libnetwork#2134](https://github.com/docker/libnetwork/pull/2134)
+* Running docker inspect on network attachment tasks now returns a full task object. [moby/moby#35246](https://github.com/moby/moby/pull/35246)
+* Some container/network cleanups. [moby/moby#37033](https://github.com/moby/moby/pull/37033)
+- Fix network inspect for overlay network. [moby/moby#37045](https://github.com/moby/moby/pull/37045)
+* Improve Scalability of the Linux load balancing. [docker/engine#16](https://github.com/docker/engine/pull/16)
+* Change log level from error to warning. [docker/engine#19](https://github.com/docker/engine/pull/19)
+
+### Runtime
+
+* Aufs: log why aufs is not supported. [moby/moby#36995](https://github.com/moby/moby/pull/36995)
+* Hide experimental checkpoint features on Windows. [docker/cli#1094](https://github.com/docker/cli/pull/1094)
+* Lcow: Allow the client to customize capabilities and device cgroup rules for LCOW containers. [moby/moby#37294](https://github.com/moby/moby/pull/37294)
+* Changed path given for executable output in windows to actual location of executable output. [moby/moby#37295](https://github.com/moby/moby/pull/37295)
++ Add windows recycle bin test and update hcsshim to v0.6.11. [moby/moby#36994](https://github.com/moby/moby/pull/36994)
+* Allow to add any args when doing a make run. [moby/moby#37190](https://github.com/moby/moby/pull/37190)
+* Optimize ContainerTop() aka docker top. [moby/moby#37131](https://github.com/moby/moby/pull/37131)
+- Fix compilation on 32bit machines. [moby/moby#37292](https://github.com/moby/moby/pull/37292)
+* Update API version to v1 38. [moby/moby#37141](https://github.com/moby/moby/pull/37141)
+- Fix `docker service update --host-add` does not update existing host entry. [docker/cli#1054](https://github.com/docker/cli/pull/1054)
+- Fix swagger file type for ExecIds. [moby/moby#36962](https://github.com/moby/moby/pull/36962)
+- Fix swagger volume type generation. [moby/moby#37060](https://github.com/moby/moby/pull/37060)
+- Fix wrong assertion in volume/service package. [moby/moby#37211](https://github.com/moby/moby/pull/37211)
+- Fix daemon panic on restart when a plugin is running. [moby/moby#37234](https://github.com/moby/moby/pull/37234)
+* Construct and add 'LABEL' command from 'label' option to last stage. [moby/moby#37011](https://github.com/moby/moby/pull/37011)
+- Fix race condition between exec start and resize.. [moby/moby#37172](https://github.com/moby/moby/pull/37172)
+* Alternative failure mitigation of `TestExecInteractiveStdinClose`. [moby/moby#37143](https://github.com/moby/moby/pull/37143)
+* RawAccess allows a set of paths to be not set as masked or readonly. [moby/moby#36644](https://github.com/moby/moby/pull/36644)
+* Be explicit about github.com prefix being a legacy feature. [moby/moby#37174](https://github.com/moby/moby/pull/37174)
+* Bump Golang to 1.10.3. [docker/cli#1122](https://github.com/docker/cli/pull/1122)
+* Close ReadClosers to prevent xz zombies. [moby/moby#34218](https://github.com/moby/moby/pull/34218)
+* Daemon.ContainerStop(): fix for a negative timeout. [moby/moby#36874](https://github.com/moby/moby/pull/36874)
+* Daemon.setMounts(): copy slice in place. [moby/moby#36991](https://github.com/moby/moby/pull/36991)
+* Describe IP field of swagger Port definition. [moby/moby#36971](https://github.com/moby/moby/pull/36971)
+* Extract volume interaction to a volumes service. [moby/moby#36688](https://github.com/moby/moby/pull/36688)
+* Fixed markdown formatting in docker image v1, v1.1, and v1.2 spec. [moby/moby#37051](https://github.com/moby/moby/pull/37051)
+* Improve GetTimestamp parsing. [moby/moby#35402](https://github.com/moby/moby/pull/35402)
+* Jsonmessage: pass message to aux callback. [moby/moby#37064](https://github.com/moby/moby/pull/37064)
+* Overlay2: remove unused cdMountFrom() helper function. [moby/moby#37041](https://github.com/moby/moby/pull/37041)
+- Overlay: Fix overlay storage-driver silently ignoring unknown storage-driver options. [moby/moby#37040](https://github.com/moby/moby/pull/37040)
+* Remove some unused contrib items. [moby/moby#36977](https://github.com/moby/moby/pull/36977)
+* Restartmanager: do not apply restart policy on created containers. [moby/moby#36924](https://github.com/moby/moby/pull/36924)
+* Set item-type for ExecIDs. [moby/moby#37121](https://github.com/moby/moby/pull/37121)
+* Use go-systemd const instead of magic string in Linux version of dockerd. [moby/moby#37136](https://github.com/moby/moby/pull/37136)
+* Use stdlib TLS dialer. [moby/moby#36687](https://github.com/moby/moby/pull/36687)
+* Warn when an engine label using a reserved namespace (com.docker.\*, io.docker.\*, or org.dockerproject.\*) is configured, as per https://docs.docker.com/config/labels-custom-metadata/. [moby/moby#36921](https://github.com/moby/moby/pull/36921)
+- Fix missing plugin name in message. [moby/moby#37052](https://github.com/moby/moby/pull/37052)
+- Fix link anchors in CONTRIBUTING.md. [moby/moby#37276](https://github.com/moby/moby/pull/37276)
+- Fix link to Docker Toolbox. [moby/moby#37240](https://github.com/moby/moby/pull/37240)
+- Fix mis-used skip condition. [moby/moby#37179](https://github.com/moby/moby/pull/37179)
+- Fix bind mounts not working in some cases. [moby/moby#37031](https://github.com/moby/moby/pull/37031)
+- Fix fd leak on attach. [moby/moby#37184](https://github.com/moby/moby/pull/37184)
+- Fix fluentd partial detection. [moby/moby#37029](https://github.com/moby/moby/pull/37029)
+- Fix incorrect link in version-history.md. [moby/moby#37049](https://github.com/moby/moby/pull/37049)
+* Allow vim to be case insensitive for D in dockerfile. [moby/moby#37235](https://github.com/moby/moby/pull/37235)
++ Add `t.Name()` to tests so that service names are unique. [moby/moby#37166](https://github.com/moby/moby/pull/37166)
++ Add additional message when backendfs is extfs without d_type support. [moby/moby#37022](https://github.com/moby/moby/pull/37022)
++ Add api version checking for tests from new feature. [moby/moby#37169](https://github.com/moby/moby/pull/37169)
++ Add image metrics for push and pull. [moby/moby#37233](https://github.com/moby/moby/pull/37233)
++ Add support for `init` on services. [moby/moby#37183](https://github.com/moby/moby/pull/37183)
++ Add verification of escapeKeys array length in pkg/term/proxy.go. [moby/moby#36918](https://github.com/moby/moby/pull/36918)
+* When link id is empty for overlay2, do not remove this link.. [moby/moby#36161](https://github.com/moby/moby/pull/36161)
+- Fix build on OpenBSD by defining Self(). [moby/moby#37301](https://github.com/moby/moby/pull/37301)
+- Windows: Fix named pipe support for hyper-v isolated containers. [docker/engine#2](https://github.com/docker/engine/pull/2) [docker/cli#1165](https://github.com/docker/cli/pull/1165)
+- Fix manifest lists to always use correct size. [docker/cli#1183](https://github.com/docker/cli/pull/1183)
+* Register OCI media types. [docker/engine#4](https://github.com/docker/engine/pull/4)
+* Update containerd to v1.1.1 [docker/engine#17](https://github.com/docker/engine/pull/17)
+* LCOW: Prefer Windows over Linux in a manifest list. [docker/engine#3](https://github.com/docker/engine/pull/3)
+* Add updated `MaskPaths` that are used in code paths directly using containerd to address [CVE-2018-10892](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10892). [docker/engine#15](https://github.com/docker/engine/pull/15)
+* Add `/proc/acpi` to masked paths to address [CVE-2018-10892](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10892). [docker/engine#14](https://github.com/docker/engine/pull/14)
+- Fix bindmount autocreate race. [docker/engine#11](https://github.com/docker/engine/pull/11)
+
+### Swarm Mode
+
+* List stacks for both Swarm and Kubernetes with --orchestrator=all in docker stack ls. Allow several occurrences of --namespace for Kubernetes with docker stack ls. [docker/cli#1031](https://github.com/docker/cli/pull/1031)
+* Bump SwarmKit to remove deprecated grpc metadata wrappers. [moby/moby#36905](https://github.com/moby/moby/pull/36905)
+* Issue an error for --orchestrator=all when working on mismatched Swarm and Kubernetes hosts. [docker/cli#1035](https://github.com/docker/cli/pull/1035)
+- Fix broken swarm commands with Kubernetes defined as orchestrator. "--orchestrator" flag is no longer global but local to stack commands and subcommands [docker/cli#1137](https://github.com/docker/cli/pull/1137) [docker/cli#1139](https://github.com/docker/cli/pull/1139)
+* Bump swarmkit to include task reaper fixes and more metrics. [docker/engine#13](https://github.com/docker/engine/pull/13)
+- Avoid a leak when a service with unassigned tasks is deleted. [docker/engine#27](https://github.com/docker/engine/pull/27)
+- Fix racy batching on the dispatcher. [docker/engine#27](https://github.com/docker/engine/pull/27)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 00000000..737db485
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,126 @@
+# Contributing to Docker CE
+
+Want to contribute on Docker CE? Awesome!
+
+This page contains information about reporting issues as well as some tips and
+guidelines useful to experienced open source contributors. Finally, make sure
+you read our [community guidelines](#docker-community-guidelines) before you
+start participating.
+
+## Topics
+
+* [Reporting Security Issues](#reporting-security-issues)
+* [Reporting Issues](#reporting-other-issues)
+* [Submitting Pull Requests](#submitting-pull-requests)
+* [Community Guidelines](#docker-community-guidelines)
+
+## Reporting security issues
+
+The Docker maintainers take security seriously. If you discover a security
+issue, please bring it to their attention right away!
+
+Please **DO NOT** file a public issue, instead send your report privately to
+[security@docker.com](mailto:security@docker.com).
+
+Security reports are greatly appreciated and we will publicly thank you for it.
+We also like to send gifts&mdash;if you're into Docker schwag, make sure to let
+us know. We currently do not offer a paid security bounty program, but are not
+ruling it out in the future.
+
+## Reporting other issues
+
+There are separate issue-tracking repos for the end user Docker CE
+products specialized for a platform. Find your issue or file a new issue
+for the platform you are using:
+
+* https://github.com/docker/for-linux
+* https://github.com/docker/for-mac
+* https://github.com/docker/for-win
+* https://github.com/docker/for-aws
+* https://github.com/docker/for-azure
+
+When reporting issues, always include:
+
+* The output of `docker version`.
+* The output of `docker info`.
+
+If presented with a template when creating an issue, please follow its directions.
+
+Also include the steps required to reproduce the problem if possible and
+applicable. This information will help us review and fix your issue faster.
+When sending lengthy log-files, consider posting them as a gist (https://gist.github.com).
+Don't forget to remove sensitive data from your logfiles before posting (you can
+replace those parts with "REDACTED").
+
+## Submitting pull requests
+
+Please see the corresponding `CONTRIBUTING.md` file of each component for more information:
+
+* Changes to the `engine` should be directed upstream to https://github.com/moby/moby
+* Changes to the `cli` should be directed upstream to https://github.com/docker/cli
+* Changes to the `packaging` should be directed upstream to https://github.com/docker/docker-ce-packaging
+
+## Docker community guidelines
+
+We want to keep the Docker community awesome, growing and collaborative. We need
+your help to keep it that way. To help with this we've come up with some general
+guidelines for the community as a whole:
+
+* Be nice: Be courteous, respectful and polite to fellow community members.
+  Regional, racial, gender, or other abuse will not be tolerated. We like
+  nice people way better than mean ones!
+
+* Encourage diversity and participation: Make everyone in our community feel
+  welcome, regardless of their background and the extent of their
+  contributions, and do everything possible to encourage participation in
+  our community.
+
+* Keep it legal: Basically, don't get us in trouble. Share only content that
+  you own, do not share private or sensitive information, and don't break
+  the law.
+
+* Stay on topic: Make sure that you are posting to the correct channel and
+  avoid off-topic discussions. Remember when you update an issue or respond
+  to an email you are potentially sending to a large number of people. Please
+  consider this before you update. Also remember that nobody likes spam.
+
+* Don't send email to the maintainers: There's no need to send email to the
+  maintainers to ask them to investigate an issue or to take a look at a
+  pull request. Instead of sending an email, GitHub mentions should be
+  used to ping maintainers to review a pull request, a proposal or an
+  issue.
+
+### Guideline violations — 3 strikes method
+
+The point of this section is not to find opportunities to punish people, but we
+do need a fair way to deal with people who are making our community suck.
+
+1. First occurrence: We'll give you a friendly, but public reminder that the
+   behavior is inappropriate according to our guidelines.
+
+2. Second occurrence: We will send you a private message with a warning that
+   any additional violations will result in removal from the community.
+
+3. Third occurrence: Depending on the violation, we may need to delete or ban
+   your account.
+
+**Notes:**
+
+* Obvious spammers are banned on first occurrence. If we don't do this, we'll
+  have spam all over the place.
+
+* Violations are forgiven after 6 months of good behavior, and we won't hold a
+  grudge.
+
+* People who commit minor infractions will get some education, rather than
+  hammering them in the 3 strikes process.
+
+* The rules apply equally to everyone in the community, no matter how much
+        you've contributed.
+
+* Extreme violations of a threatening, abusive, destructive or illegal nature
+        will be addressed immediately and are not subject to 3 strikes or forgiveness.
+
+* Contact abuse@docker.com to report abuse or appeal violations. In the case of
+        appeals, we know that mistakes happen, and we'll work with you to come up with a
+        fair solution if there has been a misunderstanding.
\ No newline at end of file
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..8c30ea60
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,56 @@
+CLI_DIR:=$(CURDIR)/components/cli
+ENGINE_DIR:=$(CURDIR)/components/engine
+PACKAGING_DIR:=$(CURDIR)/components/packaging
+MOBY_COMPONENTS_SHA=ab7c118272b02d8672dc0255561d0c4015979780
+MOBY_COMPONENTS_URL=https://raw.githubusercontent.com/docker/moby-extras/$(MOBY_COMPONENTS_SHA)/cmd/moby-components
+MOBY_COMPONENTS=.helpers/moby-components-$(MOBY_COMPONENTS_SHA)
+VERSION=$(shell cat VERSION)
+
+.PHONY: help
+help: ## show make targets
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf " \033[36m%-20s\033[0m  %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+.PHONY: test-integration-cli
+test-integration-cli: $(CLI_DIR)/build/docker ## test integration of cli and engine
+	$(MAKE) -C $(ENGINE_DIR) DOCKER_CLI_PATH=$< test-integration-cli
+
+$(CLI_DIR)/build/docker:
+	$(MAKE) -C $(CLI_DIR) -f docker.Makefile build
+
+.PHONY: deb
+deb: ## build deb packages
+	$(MAKE) VERSION=$(VERSION) CLI_DIR=$(CLI_DIR) ENGINE_DIR=$(ENGINE_DIR) -C $(PACKAGING_DIR) deb
+
+.PHONY: rpm
+rpm: ## build rpm packages
+	$(MAKE) VERSION=$(VERSION) CLI_DIR=$(CLI_DIR) ENGINE_DIR=$(ENGINE_DIR) -C $(PACKAGING_DIR) rpm
+
+.PHONY: static
+static: ## build static packages
+	$(MAKE) VERSION=$(VERSION) CLI_DIR=$(CLI_DIR) ENGINE_DIR=$(ENGINE_DIR) -C $(PACKAGING_DIR) static
+
+.PHONY: clean
+clean: ## clean the build artifacts
+	-$(MAKE) -C $(CLI_DIR) clean
+	-$(MAKE) -C $(ENGINE_DIR) clean
+	-$(MAKE) -C $(PACKAGING_DIR) clean
+
+$(MOBY_COMPONENTS):
+	mkdir -p .helpers
+	curl -fsSL $(MOBY_COMPONENTS_URL) > $(MOBY_COMPONENTS)
+	chmod +x $(MOBY_COMPONENTS)
+
+.PHONY: update-components
+update-components: update-components-cli update-components-engine update-components-packaging ## udpate components using moby extra tool
+
+.PHONY: update-components-cli
+update-components-cli: $(MOBY_COMPONENTS)
+	$(MOBY_COMPONENTS) update cli
+
+.PHONY: update-components-engine
+update-components-engine: $(MOBY_COMPONENTS)
+	$(MOBY_COMPONENTS) update engine
+
+.PHONY: update-components-packaging
+update-components-packaging: $(MOBY_COMPONENTS)
+	$(MOBY_COMPONENTS) update packaging
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..18cbd391
--- /dev/null
+++ b/README.md
@@ -0,0 +1,94 @@
+# Docker CE
+
+This repository hosts open source components of Docker CE products. The
+`master` branch serves to unify the upstream components on a regular
+basis. Long-lived release branches host the code that goes into a product
+version for the lifetime of the product.
+
+This repository is solely maintained by Docker, Inc.
+
+## Issues
+
+There are separate issue-tracking repos for the end user Docker CE
+products specialized for a platform. Find your issue or file a new issue
+for the platform you are using:
+
+* https://github.com/docker/for-linux
+* https://github.com/docker/for-mac
+* https://github.com/docker/for-win
+* https://github.com/docker/for-aws
+* https://github.com/docker/for-azure
+
+## Unifying upstream sources
+
+The `master` branch is a combination of components adapted from
+different upstream git repos into a unified directory structure using the
+[moby-components](https://github.com/shykes/moby-extras/blob/master/cmd/moby-components)
+tool.
+
+You can view the upstream git repos in the
+[components.conf](components.conf) file. Each component is isolated into
+its own directory under the [components](components) directory.
+
+The tool will import each component git history within the appropriate path.
+
+For example, this shows a commit
+is imported into the component `engine` from
+[moby/moby@a27b4b8](https://github.com/moby/moby/commit/a27b4b8cb8e838d03a99b6d2b30f76bdaf2f9e5d)
+into the `components/engine` directory.
+
+```
+commit 5c70746915d4589a692cbe50a43cf619ed0b7152
+Author: Andrea Luzzardi <aluzzardi@gmail.com>
+Date:   Sat Jan 19 00:13:39 2013
+
+    Initial commit
+    Upstream-commit: a27b4b8cb8e838d03a99b6d2b30f76bdaf2f9e5d
+    Component: engine
+
+ components/engine/container.go       | 203 ++++++++++++++++++++++++++++...
+ components/engine/container_test.go  | 186 ++++++++++++++++++++++++++++...
+ components/engine/docker.go          | 112 ++++++++++++++++++++++++++++...
+ components/engine/docker_test.go     | 175 ++++++++++++++++++++++++++++...
+ components/engine/filesystem.go      |  52 ++++++++++++++++++++++++++++...
+ components/engine/filesystem_test.go |  35 +++++++++++++++++++++++++++
+ components/engine/lxc_template.go    |  94 ++++++++++++++++++++++++++++...
+ components/engine/state.go           |  48 ++++++++++++++++++++++++++++...
+ components/engine/utils.go           | 115 ++++++++++++++++++++++++++++...
+ components/engine/utils_test.go      | 126 ++++++++++++++++++++++++++++...
+ 10 files changed, 1146 insertions(+)
+```
+
+## Updates to `master` branch
+
+Main development of new features should be directed towards the upstream
+git repos. The `master` branch of this repo will periodically pull in new
+changes from upstream to provide a point for integration.
+
+## Branching for release
+
+When a release is started for Docker CE, a new branch will be created
+from `master`. Branch names will be `YY.MM` to represent the time-based
+release version of the product, e.g. `17.06`.
+
+## Adding fixes to release branch
+
+Note: every commit of a fix should affect files only within one component
+directory.
+
+### Fix available upstream
+
+A PR cherry-picking the necessary commits should be created against
+the release branch. If the the cherry-pick cannot be applied cleanly,
+the logic of the fix should be ported manually.
+
+### No fix yet
+
+First create the PR with the fix for the release branch. Once the fix has
+been merged, be sure to port the fix to the respective upstream git repo.
+
+## Release tags
+
+There will be a git tag for each release candidate (RC) and general
+availablilty (GA) release. The tag will only point to commits on release
+branches.
diff --git a/VERSION b/VERSION
new file mode 100644
index 00000000..cf091aa3
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+18.06.1-ce
diff --git a/cli/.dockerignore b/cli/.dockerignore
new file mode 100644
index 00000000..b0e1ba59
--- /dev/null
+++ b/cli/.dockerignore
@@ -0,0 +1,2 @@
+.git
+build
\ No newline at end of file
diff --git a/cli/.mailmap b/cli/.mailmap
new file mode 100644
index 00000000..990fd0ea
--- /dev/null
+++ b/cli/.mailmap
@@ -0,0 +1,477 @@
+# Generate AUTHORS: scripts/docs/generate-authors.sh
+
+# Tip for finding duplicates (besides scanning the output of AUTHORS for name
+# duplicates that aren't also email duplicates): scan the output of:
+#   git log --format='%aE - %aN' | sort -uf
+#
+# For explanation on this file format: man git-shortlog
+
+Aaron L. Xu <liker.xu@foxmail.com>
+Abhinandan Prativadi <abhi@docker.com>
+Adrien Gallouët <adrien@gallouet.fr> <angt@users.noreply.github.com>
+Ahmed Kamal <email.ahmedkamal@googlemail.com>
+Ahmet Alp Balkan <ahmetb@microsoft.com> <ahmetalpbalkan@gmail.com>
+AJ Bowen <aj@gandi.net>
+AJ Bowen <aj@gandi.net> <amy@gandi.net>
+Akihiro Matsushima <amatsusbit@gmail.com> <amatsus@users.noreply.github.com>
+Akihiro Suda <suda.akihiro@lab.ntt.co.jp> <suda.kyoto@gmail.com>
+Aleksa Sarai <asarai@suse.de>
+Aleksa Sarai <asarai@suse.de> <asarai@suse.com>
+Aleksa Sarai <asarai@suse.de> <cyphar@cyphar.com>
+Aleksandrs Fadins <aleks@s-ko.net>
+Alessandro Boch <aboch@tetrationanalytics.com> <aboch@docker.com>
+Alex Chen <alexchenunix@gmail.com> <root@localhost.localdomain>
+Alex Ellis <alexellis2@gmail.com>
+Alexander Larsson <alexl@redhat.com> <alexander.larsson@gmail.com>
+Alexander Morozov <lk4d4@docker.com>
+Alexander Morozov <lk4d4@docker.com> <lk4d4math@gmail.com>
+Alexandre Beslic <alexandre.beslic@gmail.com> <abronan@docker.com>
+Alicia Lauerman <alicia@eta.im> <allydevour@me.com>
+Allen Sun <allensun.shl@alibaba-inc.com> <allen.sun@daocloud.io>
+Allen Sun <allensun.shl@alibaba-inc.com> <shlallen1990@gmail.com>
+Andrew Weiss <andrew.weiss@docker.com> <andrew.weiss@microsoft.com>
+Andrew Weiss <andrew.weiss@docker.com> <andrew.weiss@outlook.com>
+André Martins  <aanm90@gmail.com> <martins@noironetworks.com>
+Andy Rothfusz <github@developersupport.net> <github@metaliveblog.com>
+Andy Smith <github@anarkystic.com>
+Ankush Agarwal <ankushagarwal11@gmail.com> <ankushagarwal@users.noreply.github.com>
+Antonio Murdaca <antonio.murdaca@gmail.com> <amurdaca@redhat.com>
+Antonio Murdaca <antonio.murdaca@gmail.com> <me@runcom.ninja>
+Antonio Murdaca <antonio.murdaca@gmail.com> <runcom@linux.com>
+Antonio Murdaca <antonio.murdaca@gmail.com> <runcom@redhat.com>
+Antonio Murdaca <antonio.murdaca@gmail.com> <runcom@users.noreply.github.com>
+Anuj Bahuguna <anujbahuguna.dev@gmail.com>
+Anuj Bahuguna <anujbahuguna.dev@gmail.com> <abahuguna@fiberlink.com>
+Anusha Ragunathan <anusha.ragunathan@docker.com> <anusha@docker.com>
+Arnaud Porterie <arnaud.porterie@docker.com>
+Arnaud Porterie <arnaud.porterie@docker.com> <icecrime@gmail.com>
+Arthur Gautier <baloo@gandi.net> <superbaloo+registrations.github@superbaloo.net>
+Avi Miller <avi.miller@oracle.com> <avi.miller@gmail.com>
+Ben Bonnefoy <frenchben@docker.com>
+Ben Golub <ben.golub@dotcloud.com>
+Ben Toews <mastahyeti@gmail.com> <mastahyeti@users.noreply.github.com>
+Benoit Chesneau <bchesneau@gmail.com>
+Bhiraj Butala <abhiraj.butala@gmail.com>
+Bhumika Bayani <bhumikabayani@gmail.com>
+Bilal Amarni <bilal.amarni@gmail.com> <bamarni@users.noreply.github.com>
+Bill Wang <ozbillwang@gmail.com> <SydOps@users.noreply.github.com>
+Bin Liu <liubin0329@gmail.com>
+Bin Liu <liubin0329@gmail.com> <liubin0329@users.noreply.github.com>
+Bingshen Wang <bingshen.wbs@alibaba-inc.com>
+Boaz Shuster <ripcurld.github@gmail.com>
+Brandon Philips <brandon.philips@coreos.com> <brandon@ifup.co>
+Brandon Philips <brandon.philips@coreos.com> <brandon@ifup.org>
+Brent Salisbury <brent.salisbury@docker.com> <brent@docker.com>
+Brian Goff <cpuguy83@gmail.com>
+Brian Goff <cpuguy83@gmail.com> <bgoff@cpuguy83-mbp.home>
+Brian Goff <cpuguy83@gmail.com> <bgoff@cpuguy83-mbp.local>
+Chander Govindarajan <chandergovind@gmail.com>
+Chao Wang <wangchao.fnst@cn.fujitsu.com> <chaowang@localhost.localdomain>
+Charles Hooper <charles.hooper@dotcloud.com> <chooper@plumata.com>
+Chen Chao <cc272309126@gmail.com>
+Chen Chuanliang <chen.chuanliang@zte.com.cn>
+Chen Mingjie <chenmingjie0828@163.com>
+Chen Qiu <cheney-90@hotmail.com>
+Chen Qiu <cheney-90@hotmail.com> <21321229@zju.edu.cn>
+Chris Dias <cdias@microsoft.com>
+Chris McKinnel <chris.mckinnel@tangentlabs.co.uk>
+Christopher Biscardi <biscarch@sketcht.com>
+Christopher Latham <sudosurootdev@gmail.com>
+Chun Chen <ramichen@tencent.com> <chenchun.feed@gmail.com>
+Corbin Coleman <corbin.coleman@docker.com>
+Cristian Staretu <cristian.staretu@gmail.com>
+Cristian Staretu <cristian.staretu@gmail.com> <unclejack@users.noreply.github.com>
+Cristian Staretu <cristian.staretu@gmail.com> <unclejacksons@gmail.com>
+CUI Wei <ghostplant@qq.com> cuiwei13 <cuiwei13@pku.edu.cn>
+Daehyeok Mun <daehyeok@gmail.com>
+Daehyeok Mun <daehyeok@gmail.com> <daehyeok@daehyeok-ui-MacBook-Air.local>
+Daehyeok Mun <daehyeok@gmail.com> <daehyeok@daehyeokui-MacBook-Air.local>
+Dan Feldman <danf@jfrog.com>
+Daniel Dao <dqminh@cloudflare.com>
+Daniel Dao <dqminh@cloudflare.com> <dqminh89@gmail.com>
+Daniel Garcia <daniel@danielgarcia.info>
+Daniel Gasienica <daniel@gasienica.ch> <dgasienica@zynga.com>
+Daniel Goosen <daniel.goosen@surveysampling.com> <djgoosen@users.noreply.github.com>
+Daniel Grunwell <mwgrunny@gmail.com>
+Daniel J Walsh <dwalsh@redhat.com>
+Daniel Mizyrycki <daniel.mizyrycki@dotcloud.com> <daniel@dotcloud.com>
+Daniel Mizyrycki <daniel.mizyrycki@dotcloud.com> <mzdaniel@glidelink.net>
+Daniel Mizyrycki <daniel.mizyrycki@dotcloud.com> <root@vagrant-ubuntu-12.10.vagrantup.com>
+Daniel Nephin <dnephin@docker.com> <dnephin@gmail.com>
+Daniel Norberg <dano@spotify.com> <daniel.norberg@gmail.com>
+Daniel Watkins <daniel@daniel-watkins.co.uk>
+Danny Yates <danny@codeaholics.org> <Danny.Yates@mailonline.co.uk>
+Darren Shepherd <darren.s.shepherd@gmail.com> <darren@rancher.com>
+Dattatraya Kumbhar <dattatraya.kumbhar@gslab.com>
+Dave Goodchild <buddhamagnet@gmail.com>
+Dave Henderson <dhenderson@gmail.com> <Dave.Henderson@ca.ibm.com>
+Dave Tucker <dt@docker.com> <dave@dtucker.co.uk>
+David M. Karr <davidmichaelkarr@gmail.com>
+David Sheets <dsheets@docker.com> <sheets@alum.mit.edu>
+David Sissitka <me@dsissitka.com>
+David Williamson <david.williamson@docker.com> <davidwilliamson@users.noreply.github.com>
+Deshi Xiao <dxiao@redhat.com> <dsxiao@dataman-inc.com>
+Deshi Xiao <dxiao@redhat.com> <xiaods@gmail.com>
+Diego Siqueira <dieg0@live.com>
+Diogo Monica <diogo@docker.com> <diogo.monica@gmail.com>
+Dominik Honnef <dominik@honnef.co> <dominikh@fork-bomb.org>
+Doug Davis <dug@us.ibm.com> <duglin@users.noreply.github.com>
+Doug Tangren <d.tangren@gmail.com>
+Elan Ruusamäe <glen@pld-linux.org>
+Elan Ruusamäe <glen@pld-linux.org> <glen@delfi.ee>
+Eric G. Noriega <enoriega@vizuri.com> <egnoriega@users.noreply.github.com>
+Eric Hanchrow <ehanchrow@ine.com> <eric.hanchrow@gmail.com>
+Eric Rosenberg <ehaydenr@gmail.com> <ehaydenr@users.noreply.github.com>
+Erica Windisch <erica@windisch.us> <eric@windisch.us>
+Erica Windisch <erica@windisch.us> <ewindisch@docker.com>
+Erik Hollensbe <github@hollensbe.org> <erik+github@hollensbe.org>
+Erwin van der Koogh <info@erronis.nl>
+Euan Kemp <euan.kemp@coreos.com> <euank@amazon.com>
+Eugen Krizo <eugen.krizo@gmail.com>
+Evan Hazlett <ejhazlett@gmail.com> <ehazlett@users.noreply.github.com>
+Evelyn Xu <evelynhsu21@gmail.com>
+Evgeny Shmarnev <shmarnev@gmail.com>
+Faiz Khan <faizkhan00@gmail.com>
+Felix Hupfeld <felix@quobyte.com> <quofelix@users.noreply.github.com>
+Felix Ruess <felix.ruess@gmail.com> <felix.ruess@roboception.de>
+Feng Yan <fy2462@gmail.com>
+Fengtu Wang <wangfengtu@huawei.com> <wangfengtu@huawei.com>
+Francisco Carriedo <fcarriedo@gmail.com>
+Frank Rosquin <frank.rosquin+github@gmail.com> <frank.rosquin@gmail.com>
+Frederick F. Kautz IV <fkautz@redhat.com> <fkautz@alumni.cmu.edu>
+Gabriel Nicolas Avellaneda <avellaneda.gabriel@gmail.com>
+Gaetan de Villele <gdevillele@gmail.com>
+Gang Qiao <qiaohai8866@gmail.com> <1373319223@qq.com>
+George Kontridze <george@bugsnag.com>
+Gerwim Feiken <g.feiken@tfe.nl> <gerwim@gmail.com>
+Giampaolo Mancini <giampaolo@trampolineup.com>
+Gopikannan Venugopalsamy <gopikannan.venugopalsamy@gmail.com>
+Gou Rao <gou@portworx.com> <gourao@users.noreply.github.com>
+Greg Stephens <greg@udon.org>
+Guillaume J. Charmes <guillaume.charmes@docker.com> <charmes.guillaume@gmail.com>
+Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume.charmes@dotcloud.com>
+Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@charmes.net>
+Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@docker.com>
+Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@dotcloud.com>
+Gurjeet Singh <gurjeet@singh.im> <singh.gurjeet@gmail.com>
+Gustav Sinder <gustav.sinder@gmail.com>
+Günther Jungbluth <gunther@gameslabs.net>
+Hakan Özler <hakan.ozler@kodcu.com>
+Hao Shu Wei <haosw@cn.ibm.com>
+Hao Shu Wei <haosw@cn.ibm.com> <haoshuwei1989@163.com>
+Harald Albers <github@albersweb.de> <albers@users.noreply.github.com>
+Harold Cooper <hrldcpr@gmail.com>
+Harry Zhang <harryz@hyper.sh> <harryzhang@zju.edu.cn>
+Harry Zhang <harryz@hyper.sh> <resouer@163.com>
+Harry Zhang <harryz@hyper.sh> <resouer@gmail.com>
+Harry Zhang <resouer@163.com>
+Harshal Patil <harshal.patil@in.ibm.com> <harche@users.noreply.github.com>
+Helen Xie <chenjg@harmonycloud.cn>
+Hollie Teal <hollie@docker.com>
+Hollie Teal <hollie@docker.com> <hollie.teal@docker.com>
+Hollie Teal <hollie@docker.com> <hollietealok@users.noreply.github.com>
+Hu Keping <hukeping@huawei.com>
+Huu Nguyen <huu@prismskylabs.com> <whoshuu@gmail.com>
+Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com>
+Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com> <1187766782@qq.com>
+Ilya Khlopotov <ilya.khlopotov@gmail.com>
+Jack Laxson <jackjrabbit@gmail.com>
+Jacob Atzen <jacob@jacobatzen.dk> <jatzen@gmail.com>
+Jacob Tomlinson <jacob@tom.linson.uk> <jacobtomlinson@users.noreply.github.com>
+Jaivish Kothari <janonymous.codevulture@gmail.com>
+Jamie Hannaford <jamie@limetree.org> <jamie.hannaford@rackspace.com>
+Jean-Baptiste Barth <jeanbaptiste.barth@gmail.com>
+Jean-Baptiste Dalido <jeanbaptiste@appgratis.com>
+Jean-Tiare Le Bigot <jt@yadutaf.fr> <admin@jtlebi.fr>
+Jeff Anderson <jeff@docker.com> <jefferya@programmerq.net>
+Jeff Nickoloff <jeff.nickoloff@gmail.com> <jeff@allingeek.com>
+Jeroen Franse <jeroenfranse@gmail.com>
+Jessica Frazelle <jessfraz@google.com>
+Jessica Frazelle <jessfraz@google.com> <acidburn@docker.com>
+Jessica Frazelle <jessfraz@google.com> <acidburn@google.com>
+Jessica Frazelle <jessfraz@google.com> <jess@docker.com>
+Jessica Frazelle <jessfraz@google.com> <jess@mesosphere.com>
+Jessica Frazelle <jessfraz@google.com> <jfrazelle@users.noreply.github.com>
+Jessica Frazelle <jessfraz@google.com> <me@jessfraz.com>
+Jessica Frazelle <jessfraz@google.com> <princess@docker.com>
+Jim Galasyn <jim.galasyn@docker.com>
+Jiuyue Ma <majiuyue@huawei.com>
+Joey Geiger <jgeiger@gmail.com>
+Joffrey F <joffrey@docker.com>
+Joffrey F <joffrey@docker.com> <f.joffrey@gmail.com>
+Joffrey F <joffrey@docker.com> <joffrey@dotcloud.com>
+Johan Euphrosine <proppy@google.com> <proppy@aminche.com>
+John Harris <john@johnharris.io>
+John Howard (VM) <John.Howard@microsoft.com>
+John Howard (VM) <John.Howard@microsoft.com> <jhoward@microsoft.com>
+John Howard (VM) <John.Howard@microsoft.com> <jhoward@ntdev.microsoft.com>
+John Howard (VM) <John.Howard@microsoft.com> <jhowardmsft@users.noreply.github.com>
+John Howard (VM) <John.Howard@microsoft.com> <john.howard@microsoft.com>
+John Stephens <johnstep@docker.com> <johnstep@users.noreply.github.com>
+Jordan Arentsen <blissdev@gmail.com>
+Jordan Jennings <jjn2009@gmail.com> <jjn2009@users.noreply.github.com>
+Jorit Kleine-Möllhoff <joppich@bricknet.de> <joppich@users.noreply.github.com>
+Jose Diaz-Gonzalez <jose@seatgeek.com> <josegonzalez@users.noreply.github.com>
+Josh Eveleth <joshe@opendns.com> <jeveleth@users.noreply.github.com>
+Josh Hawn <josh.hawn@docker.com> <jlhawn@berkeley.edu>
+Josh Horwitz <horwitz@addthis.com> <horwitzja@gmail.com>
+Josh Soref <jsoref@gmail.com> <jsoref@users.noreply.github.com>
+Josh Wilson <josh.wilson@fivestars.com> <jcwilson@users.noreply.github.com>
+Joyce Jang <mail@joycejang.com>
+Julien Bordellier <julienbordellier@gmail.com> <git@julienbordellier.com>
+Julien Bordellier <julienbordellier@gmail.com> <me@julienbordellier.com>
+Justin Cormack <justin.cormack@docker.com>
+Justin Cormack <justin.cormack@docker.com> <justin.cormack@unikernel.com>
+Justin Cormack <justin.cormack@docker.com> <justin@specialbusservice.com>
+Justin Simonelis <justin.p.simonelis@gmail.com> <justin.simonelis@PTS-JSIMON2.toronto.exclamation.com>
+Jérôme Petazzoni <jerome.petazzoni@docker.com> <jerome.petazzoni@dotcloud.com>
+Jérôme Petazzoni <jerome.petazzoni@docker.com> <jerome.petazzoni@gmail.com>
+Jérôme Petazzoni <jerome.petazzoni@docker.com> <jp@enix.org>
+K. Heller <pestophagous@gmail.com> <pestophagous@users.noreply.github.com>
+Kai Qiang Wu (Kennan) <wkq5325@gmail.com>
+Kai Qiang Wu (Kennan) <wkq5325@gmail.com> <wkqwu@cn.ibm.com>
+Kamil Domański <kamil@domanski.co>
+Kamjar Gerami <kami.gerami@gmail.com>
+Kat Samperi <kat.samperi@gmail.com> <kizzie@users.noreply.github.com>
+Ken Cochrane <kencochrane@gmail.com> <KenCochrane@gmail.com>
+Ken Herner <kherner@progress.com> <chosenken@gmail.com>
+Kenfe-Mickaël Laventure <mickael.laventure@gmail.com>
+Kevin Feyrer <kevin.feyrer@btinternet.com> <kevinfeyrer@users.noreply.github.com>
+Kevin Kern <kaiwentan@harmonycloud.cn>
+Kevin Meredith <kevin.m.meredith@gmail.com>
+Kir Kolyshkin <kolyshkin@gmail.com>
+Kir Kolyshkin <kolyshkin@gmail.com> <kir@openvz.org>
+Kir Kolyshkin <kolyshkin@gmail.com> <kolyshkin@users.noreply.github.com>
+Konrad Kleine <konrad.wilhelm.kleine@gmail.com> <kwk@users.noreply.github.com>
+Konstantin Gribov <grossws@gmail.com>
+Konstantin Pelykh <kpelykh@zettaset.com>
+Kotaro Yoshimatsu <kotaro.yoshimatsu@gmail.com>
+Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> <kunal.kushwaha@gmail.com>
+Lajos Papp <lajos.papp@sequenceiq.com> <lalyos@yahoo.com>
+Lei Jitang <leijitang@huawei.com>
+Lei Jitang <leijitang@huawei.com> <leijitang@gmail.com>
+Liang Mingqiang <mqliang.zju@gmail.com>
+Liang-Chi Hsieh <viirya@gmail.com>
+Liao Qingwei <liaoqingwei@huawei.com>
+Linus Heckemann <lheckemann@twig-world.com>
+Linus Heckemann <lheckemann@twig-world.com> <anonymouse2048@gmail.com>
+Lokesh Mandvekar <lsm5@fedoraproject.org> <lsm5@redhat.com>
+Lorenzo Fontana <lo@linux.com> <fontanalorenzo@me.com>
+Louis Opter <kalessin@kalessin.fr>
+Louis Opter <kalessin@kalessin.fr> <louis@dotcloud.com>
+Luca Favatella <luca.favatella@erlang-solutions.com> <lucafavatella@users.noreply.github.com>
+Luke Marsden <me@lukemarsden.net> <luke@digital-crocus.com>
+Lyn <energylyn@zju.edu.cn>
+Lynda O'Leary <lyndaoleary29@gmail.com>
+Lynda O'Leary <lyndaoleary29@gmail.com> <lyndaoleary@hotmail.com>
+Ma Müller <mueller-ma@users.noreply.github.com>
+Madhan Raj Mookkandy <MadhanRaj.Mookkandy@microsoft.com> <madhanm@microsoft.com>
+Madhu Venugopal <madhu@socketplane.io> <madhu@docker.com>
+Mageee <fangpuyi@foxmail.com> <21521230.zju.edu.cn>
+Mansi Nahar <mmn4185@rit.edu> <mansi.nahar@macbookpro-mansinahar.local>
+Mansi Nahar <mmn4185@rit.edu> <mansinahar@users.noreply.github.com>
+Marc Abramowitz <marc@marc-abramowitz.com> <msabramo@gmail.com>
+Marcelo Horacio Fortino <info@fortinux.com> <fortinux@users.noreply.github.com>
+Marcus Linke <marcus.linke@gmx.de>
+Marianna Tessel <mtesselh@gmail.com>
+Mark Oates <fl0yd@me.com>
+Markan Patel <mpatel678@gmail.com>
+Markus Kortlang <hyp3rdino@googlemail.com> <markus.kortlang@lhsystems.com>
+Martin Redmond <redmond.martin@gmail.com> <martin@tinychat.com>
+Martin Redmond <redmond.martin@gmail.com> <xgithub@redmond5.com>
+Mary Anthony <mary.anthony@docker.com> <mary@docker.com>
+Mary Anthony <mary.anthony@docker.com> <moxieandmore@gmail.com>
+Mary Anthony <mary.anthony@docker.com> moxiegirl <mary@docker.com>
+Mateusz Major <apkd@users.noreply.github.com>
+Matt Bentley <matt.bentley@docker.com> <mbentley@mbentley.net>
+Matt Schurenko <matt.schurenko@gmail.com>
+Matt Williams <mattyw@me.com>
+Matt Williams <mattyw@me.com> <gh@mattyw.net>
+Matthew Heon <mheon@redhat.com> <mheon@mheonlaptop.redhat.com>
+Matthew Mosesohn <raytrac3r@gmail.com>
+Matthew Mueller <mattmuelle@gmail.com>
+Matthias Kühnle <git.nivoc@neverbox.com> <kuehnle@online.de>
+Mauricio Garavaglia <mauricio@medallia.com> <mauriciogaravaglia@gmail.com>
+Michael Crosby <michael@docker.com> <crosby.michael@gmail.com>
+Michael Crosby <michael@docker.com> <crosbymichael@gmail.com>
+Michael Crosby <michael@docker.com> <michael@crosbymichael.com>
+Michael Hudson-Doyle <michael.hudson@canonical.com> <michael.hudson@linaro.org>
+Michael Huettermann <michael@huettermann.net>
+Michael Käufl <docker@c.michael-kaeufl.de> <michael-k@users.noreply.github.com>
+Michael Spetsiotis <michael_spets@hotmail.com>
+Michal Minář <miminar@redhat.com>
+Miguel Angel Alvarez Cabrerizo <doncicuto@gmail.com> <30386061+doncicuto@users.noreply.github.com>
+Miguel Angel Fernández <elmendalerenda@gmail.com>
+Mihai Borobocea <MihaiBorob@gmail.com> <MihaiBorobocea@gmail.com>
+Mike Casas <mkcsas0@gmail.com> <mikecasas@users.noreply.github.com>
+Mike Goelzer <mike.goelzer@docker.com> <mgoelzer@docker.com>
+Milind Chawre <milindchawre@gmail.com>
+Misty Stanley-Jones <misty@docker.com> <misty@apache.org>
+Mohit Soni <mosoni@ebay.com> <mohitsoni1989@gmail.com>
+Moorthy RS <rsmoorthy@gmail.com> <rsmoorthy@users.noreply.github.com>
+Moysés Borges <moysesb@gmail.com>
+Moysés Borges <moysesb@gmail.com> <moyses.furtado@wplex.com.br>
+Nace Oroz <orkica@gmail.com>
+Nathan LeClaire <nathan.leclaire@docker.com> <nathan.leclaire@gmail.com>
+Nathan LeClaire <nathan.leclaire@docker.com> <nathanleclaire@gmail.com>
+Neil Horman <nhorman@tuxdriver.com> <nhorman@hmswarspite.think-freely.org>
+Nick Russo <nicholasjamesrusso@gmail.com> <nicholasrusso@icloud.com>
+Nicolas Borboën <ponsfrilus@gmail.com> <ponsfrilus@users.noreply.github.com>
+Nigel Poulton <nigelpoulton@hotmail.com>
+Nik Nyby <nikolas@gnu.org> <nnyby@columbia.edu>
+Nolan Darilek <nolan@thewordnerd.info>
+O.S. Tezer <ostezer@gmail.com>
+O.S. Tezer <ostezer@gmail.com> <ostezer@users.noreply.github.com>
+Oh Jinkyun <tintypemolly@gmail.com> <tintypemolly@Ohui-MacBook-Pro.local>
+Ouyang Liduo <oyld0210@163.com>
+Patrick Stapleton <github@gdi2290.com>
+Paul Liljenberg <liljenberg.paul@gmail.com> <letters@paulnotcom.se>
+Pavel Tikhomirov <ptikhomirov@virtuozzo.com> <ptikhomirov@parallels.com>
+Pawel Konczalski <mail@konczalski.de>
+Peter Choi <phkchoi89@gmail.com> <reikani@Peters-MacBook-Pro.local>
+Peter Dave Hello <hsu@peterdavehello.org> <PeterDaveHello@users.noreply.github.com>
+Peter Hsu <shhsu@microsoft.com>
+Peter Jaffe <pjaffe@nevo.com>
+Peter Nagy <xificurC@gmail.com> <pnagy@gratex.com>
+Peter Waller <p@pwaller.net> <peter@scraperwiki.com>
+Phil Estes <estesp@linux.vnet.ibm.com> <estesp@gmail.com>
+Philip Alexander Etling <paetling@gmail.com>
+Philipp Gillé <philipp.gille@gmail.com> <philippgille@users.noreply.github.com>
+Qiang Huang <h.huangqiang@huawei.com>
+Qiang Huang <h.huangqiang@huawei.com> <qhuang@10.0.2.15>
+Ray Tsang <rayt@google.com> <saturnism@users.noreply.github.com>
+Renaud Gaubert <rgaubert@nvidia.com> <renaud.gaubert@gmail.com>
+Robert Terhaar <rterhaar@atlanticdynamic.com> <robbyt@users.noreply.github.com>
+Roberto G. Hashioka <roberto.hashioka@docker.com> <roberto_hashioka@hotmail.com>
+Roberto Muñoz Fernández <robertomf@gmail.com> <roberto.munoz.fernandez.contractor@bbva.com>
+Roman Dudin <katrmr@gmail.com> <decadent@users.noreply.github.com>
+Ross Boucher <rboucher@gmail.com>
+Runshen Zhu <runshen.zhu@gmail.com>
+Ryan Stelly <ryan.stelly@live.com>
+Sakeven Jiang <jc5930@sina.cn>
+Sandeep Bansal <sabansal@microsoft.com>
+Sandeep Bansal <sabansal@microsoft.com> <msabansal@microsoft.com>
+Sargun Dhillon <sargun@netflix.com> <sargun@sargun.me>
+Sean Lee <seanlee@tw.ibm.com> <scaleoutsean@users.noreply.github.com>
+Sebastiaan van Stijn <github@gone.nl> <sebastiaan@ws-key-sebas3.dpi1.dpi>
+Sebastiaan van Stijn <github@gone.nl> <thaJeztah@users.noreply.github.com>
+Shaun Kaasten <shaunk@gmail.com>
+Shawn Landden <shawn@churchofgit.com> <shawnlandden@gmail.com>
+Shengbo Song <thomassong@tencent.com>
+Shengbo Song <thomassong@tencent.com> <mymneo@163.com>
+Shih-Yuan Lee <fourdollars@gmail.com>
+Shishir Mahajan <shishir.mahajan@redhat.com> <smahajan@redhat.com>
+Shukui Yang <yangshukui@huawei.com>
+Shuwei Hao <haosw@cn.ibm.com>
+Shuwei Hao <haosw@cn.ibm.com> <haoshuwei24@gmail.com>
+Sidhartha Mani <sidharthamn@gmail.com>
+Sjoerd Langkemper <sjoerd-github@linuxonly.nl> <sjoerd@byte.nl>
+Solomon Hykes <solomon@docker.com> <s@docker.com>
+Solomon Hykes <solomon@docker.com> <solomon.hykes@dotcloud.com>
+Solomon Hykes <solomon@docker.com> <solomon@dotcloud.com>
+Soshi Katsuta <soshi.katsuta@gmail.com>
+Soshi Katsuta <soshi.katsuta@gmail.com> <katsuta_soshi@cyberagent.co.jp>
+Sridhar Ratnakumar <sridharr@activestate.com>
+Sridhar Ratnakumar <sridharr@activestate.com> <github@srid.name>
+Srini Brahmaroutu <srbrahma@us.ibm.com> <sbrahma@us.ibm.com>
+Srinivasan Srivatsan <srinivasan.srivatsan@hpe.com> <srinsriv@users.noreply.github.com>
+Stefan Berger <stefanb@linux.vnet.ibm.com>
+Stefan Berger <stefanb@linux.vnet.ibm.com> <stefanb@us.ibm.com>
+Stefan J. Wernli <swernli@microsoft.com> <swernli@ntdev.microsoft.com>
+Stefan S. <tronicum@user.github.com>
+Stephen Day <stevvooe@gmail.com>
+Stephen Day <stephen.day@docker.com> <stevvooe@users.noreply.github.com>
+Stephen Day <stevvooe@gmail.com> <stephen.day@docker.com>
+Steve Desmond <steve@vtsv.ca> <stevedesmond-ca@users.noreply.github.com>
+Sun Gengze <690388648@qq.com>
+Sun Jianbo <wonderflow.sun@gmail.com>
+Sun Jianbo <wonderflow.sun@gmail.com> <wonderflow@zju.edu.cn>
+Sven Dowideit <SvenDowideit@home.org.au>
+Sven Dowideit <SvenDowideit@home.org.au> <sven@t440s.home.gateway>
+Sven Dowideit <SvenDowideit@home.org.au> <SvenDowideit@docker.com>
+Sven Dowideit <SvenDowideit@home.org.au> <SvenDowideit@fosiki.com>
+Sven Dowideit <SvenDowideit@home.org.au> <SvenDowideit@home.org.au>
+Sven Dowideit <SvenDowideit@home.org.au> <SvenDowideit@users.noreply.github.com>
+Sven Dowideit <SvenDowideit@home.org.au> <¨SvenDowideit@home.org.au¨>
+Sylvain Bellemare <sylvain@ascribe.io>
+Sylvain Bellemare <sylvain@ascribe.io> <sylvain.bellemare@ezeep.com>
+Tangi Colin <tangicolin@gmail.com>
+Tejesh Mehta <tejesh.mehta@gmail.com> <tj@init.me>
+Thatcher Peskens <thatcher@docker.com>
+Thatcher Peskens <thatcher@docker.com> <thatcher@dotcloud.com>
+Thatcher Peskens <thatcher@docker.com> <thatcher@gmx.net>
+Thomas Gazagnaire <thomas@gazagnaire.org> <thomas@gazagnaire.com>
+Thomas Krzero <thomas.kovatchitch@gmail.com>
+Thomas Léveil <thomasleveil@gmail.com>
+Thomas Léveil <thomasleveil@gmail.com> <thomasleveil@users.noreply.github.com>
+Tibor Vass <teabee89@gmail.com> <tibor@docker.com>
+Tibor Vass <teabee89@gmail.com> <tiborvass@users.noreply.github.com>
+Tim Bart <tim@fewagainstmany.com>
+Tim Bosse <taim@bosboot.org> <maztaim@users.noreply.github.com>
+Tim Ruffles <oi@truffles.me.uk> <timruffles@googlemail.com>
+Tim Terhorst <mynamewastaken+git@gmail.com>
+Tim Zju <21651152@zju.edu.cn>
+Timothy Hobbs <timothyhobbs@seznam.cz>
+Toli Kuznets <toli@docker.com>
+Tom Barlow <tomwbarlow@gmail.com>
+Tom Sweeney <tsweeney@redhat.com>
+Tõnis Tiigi <tonistiigi@gmail.com>
+Trishna Guha <trishnaguha17@gmail.com>
+Tristan Carel <tristan@cogniteev.com>
+Tristan Carel <tristan@cogniteev.com> <tristan.carel@gmail.com>
+Umesh Yadav <umesh4257@gmail.com>
+Umesh Yadav <umesh4257@gmail.com> <dungeonmaster18@users.noreply.github.com>
+Victor Lyuboslavsky <victor@victoreda.com>
+Victor Vieux <victor.vieux@docker.com> <dev@vvieux.com>
+Victor Vieux <victor.vieux@docker.com> <victor.vieux@dotcloud.com>
+Victor Vieux <victor.vieux@docker.com> <victor@docker.com>
+Victor Vieux <victor.vieux@docker.com> <victor@dotcloud.com>
+Victor Vieux <victor.vieux@docker.com> <victorvieux@gmail.com>
+Victor Vieux <victor.vieux@docker.com> <vieux@docker.com>
+Viktor Vojnovski <viktor.vojnovski@amadeus.com> <vojnovski@gmail.com>
+Vincent Batts <vbatts@redhat.com> <vbatts@hashbangbash.com>
+Vincent Bernat <Vincent.Bernat@exoscale.ch> <bernat@luffy.cx>
+Vincent Bernat <Vincent.Bernat@exoscale.ch> <vincent@bernat.im>
+Vincent Demeester <vincent.demeester@docker.com> <vincent+github@demeester.fr>
+Vincent Demeester <vincent.demeester@docker.com> <vincent@demeester.fr>
+Vincent Demeester <vincent.demeester@docker.com> <vincent@sbr.pm>
+Vishnu Kannan <vishnuk@google.com>
+Vladimir Rutsky <altsysrq@gmail.com> <iamironbob@gmail.com>
+Walter Stanish <walter@pratyeka.org>
+Wang Guoliang <liangcszzu@163.com>
+Wang Jie <wangjie5@chinaskycloud.com>
+Wang Ping <present.wp@icloud.com>
+Wang Xing <hzwangxing@corp.netease.com> <root@localhost>
+Wang Yuexiao <wang.yuexiao@zte.com.cn>
+Wayne Chang <wayne@neverfear.org>
+Wayne Song <wsong@docker.com> <wsong@users.noreply.github.com>
+Wei Wu <wuwei4455@gmail.com> cizixs <cizixs@163.com>
+Wenjun Tang <tangwj2@lenovo.com> <dodia@163.com>
+Wewang Xiaorenfine <wang.xiaoren@zte.com.cn>
+Will Weaver <monkey@buildingbananas.com>
+Xianglin Gao <xlgao@zju.edu.cn>
+Xianlu Bird <xianlubird@gmail.com>
+Xiaoyu Zhang <zhang.xiaoyu33@zte.com.cn>
+Xuecong Liao <satorulogic@gmail.com>
+Yamasaki Masahide <masahide.y@gmail.com>
+Yao Zaiyong <yaozaiyong@hotmail.com>
+Yassine Tijani <yasstij11@gmail.com>
+Yazhong Liu <yorkiefixer@gmail.com>
+Yestin Sun <sunyi0804@gmail.com> <yestin.sun@polyera.com>
+Yi EungJun <eungjun.yi@navercorp.com> <semtlenori@gmail.com>
+Ying Li <ying.li@docker.com>
+Ying Li <ying.li@docker.com> <cyli@twistedmatrix.com>
+Yong Tang <yong.tang.github@outlook.com> <yongtang@users.noreply.github.com>
+Yosef Fertel <yfertel@gmail.com> <frosforever@users.noreply.github.com>
+Yu Changchun <yuchangchun1@huawei.com>
+Yu Chengxia <yuchengxia@huawei.com>
+Yu Peng <yu.peng36@zte.com.cn>
+Yu Peng <yu.peng36@zte.com.cn> <yupeng36@zte.com.cn>
+Zachary Jaffee <zjaffee@us.ibm.com> <zij@case.edu>
+Zachary Jaffee <zjaffee@us.ibm.com> <zjaffee@apache.org>
+ZhangHang <stevezhang2014@gmail.com>
+Zhenkun Bi <bi.zhenkun@zte.com.cn>
+Zhou Hao <zhouhao@cn.fujitsu.com>
+Zhu Kunjia <zhu.kunjia@zte.com.cn>
+Zou Yu <zouyu7@huawei.com>
+
diff --git a/cli/AUTHORS b/cli/AUTHORS
new file mode 100644
index 00000000..bc1edce7
--- /dev/null
+++ b/cli/AUTHORS
@@ -0,0 +1,648 @@
+# This file lists all individuals having contributed content to the repository.
+# For how it is generated, see `scripts/docs/generate-authors.sh`.
+
+Aanand Prasad <aanand.prasad@gmail.com>
+Aaron L. Xu <liker.xu@foxmail.com>
+Aaron Lehmann <aaron.lehmann@docker.com>
+Aaron.L.Xu <likexu@harmonycloud.cn>
+Abdur Rehman <abdur_rehman@mentor.com>
+Abhinandan Prativadi <abhi@docker.com>
+Abin Shahab <ashahab@altiscale.com>
+Addam Hardy <addam.hardy@gmail.com>
+Adolfo Ochagavía <aochagavia92@gmail.com>
+Adrien Duermael <adrien@duermael.com>
+Adrien Folie <folie.adrien@gmail.com>
+Ahmet Alp Balkan <ahmetb@microsoft.com>
+Aidan Feldman <aidan.feldman@gmail.com>
+Aidan Hobson Sayers <aidanhs@cantab.net>
+AJ Bowen <aj@gandi.net>
+Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
+Akim Demaille <akim.demaille@docker.com>
+Alan Thompson <cloojure@gmail.com>
+Albert Callarisa <shark234@gmail.com>
+Aleksa Sarai <asarai@suse.de>
+Alessandro Boch <aboch@tetrationanalytics.com>
+Alex Mavrogiannis <alex.mavrogiannis@docker.com>
+Alexander Boyd <alex@opengroove.org>
+Alexander Larsson <alexl@redhat.com>
+Alexander Morozov <lk4d4@docker.com>
+Alexander Ryabov <i@sepa.spb.ru>
+Alexandre González <agonzalezro@gmail.com>
+Alfred Landrum <alfred.landrum@docker.com>
+Alicia Lauerman <alicia@eta.im>
+Allen Sun <allensun.shl@alibaba-inc.com>
+Alvin Deng <alvin.q.deng@utexas.edu>
+Amen Belayneh <amenbelayneh@gmail.com>
+Amir Goldstein <amir73il@aquasec.com>
+Amit Krishnan <amit.krishnan@oracle.com>
+Amit Shukla <amit.shukla@docker.com>
+Amy Lindburg <amy.lindburg@docker.com>
+Andrea Luzzardi <aluzzardi@gmail.com>
+Andreas Köhler <andi5.py@gmx.net>
+Andrew France <andrew@avito.co.uk>
+Andrew Hsu <andrewhsu@docker.com>
+Andrew Macpherson <hopscotch23@gmail.com>
+Andrew McDonnell <bugs@andrewmcdonnell.net>
+Andrew Po <absourd.noise@gmail.com>
+Andrey Petrov <andrey.petrov@shazow.net>
+André Martins <aanm90@gmail.com>
+Andy Goldstein <agoldste@redhat.com>
+Andy Rothfusz <github@developersupport.net>
+Anil Madhavapeddy <anil@recoil.org>
+Ankush Agarwal <ankushagarwal11@gmail.com>
+Anton Polonskiy <anton.polonskiy@gmail.com>
+Antonio Murdaca <antonio.murdaca@gmail.com>
+Antonis Kalipetis <akalipetis@gmail.com>
+Anusha Ragunathan <anusha.ragunathan@docker.com>
+Arash Deshmeh <adeshmeh@ca.ibm.com>
+Arnaud Porterie <arnaud.porterie@docker.com>
+Ashwini Oruganti <ashwini.oruganti@gmail.com>
+Azat Khuyiyakhmetov <shadow_uz@mail.ru>
+Bardia Keyoumarsi <bkeyouma@ucsc.edu>
+Barnaby Gray <barnaby@pickle.me.uk>
+Bastiaan Bakker <bbakker@xebia.com>
+BastianHofmann <bastianhofmann@me.com>
+Ben Bonnefoy <frenchben@docker.com>
+Ben Firshman <ben@firshman.co.uk>
+Benjamin Boudreau <boudreau.benjamin@gmail.com>
+Bhumika Bayani <bhumikabayani@gmail.com>
+Bill Wang <ozbillwang@gmail.com>
+Bin Liu <liubin0329@gmail.com>
+Bingshen Wang <bingshen.wbs@alibaba-inc.com>
+Boaz Shuster <ripcurld.github@gmail.com>
+Bogdan Anton <contact@bogdananton.ro>
+Boris Pruessmann <boris@pruessmann.org>
+Bradley Cicenas <bradley.cicenas@gmail.com>
+Brandon Philips <brandon.philips@coreos.com>
+Brent Salisbury <brent.salisbury@docker.com>
+Bret Fisher <bret@bretfisher.com>
+Brian (bex) Exelbierd <bexelbie@redhat.com>
+Brian Goff <cpuguy83@gmail.com>
+Bryan Bess <squarejaw@bsbess.com>
+Bryan Boreham <bjboreham@gmail.com>
+Bryan Murphy <bmurphy1976@gmail.com>
+bryfry <bryon.fryer@gmail.com>
+Cameron Spear <cameronspear@gmail.com>
+Cao Weiwei <cao.weiwei30@zte.com.cn>
+Carlo Mion <mion00@gmail.com>
+Carlos Alexandro Becker <caarlos0@gmail.com>
+Ce Gao <ce.gao@outlook.com>
+Cedric Davies <cedricda@microsoft.com>
+Cezar Sa Espinola <cezarsa@gmail.com>
+Chao Wang <wangchao.fnst@cn.fujitsu.com>
+Charles Chan <charleswhchan@users.noreply.github.com>
+Charles Law <claw@conduce.com>
+Charles Smith <charles.smith@docker.com>
+Charlie Drage <charlie@charliedrage.com>
+ChaYoung You <yousbe@gmail.com>
+Chen Chuanliang <chen.chuanliang@zte.com.cn>
+Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
+Chen Mingjie <chenmingjie0828@163.com>
+Chen Qiu <cheney-90@hotmail.com>
+Chris Gavin <chris@chrisgavin.me>
+Chris Gibson <chris@chrisg.io>
+Chris McKinnel <chrismckinnel@gmail.com>
+Chris Snow <chsnow123@gmail.com>
+Chris Weyl <cweyl@alumni.drew.edu>
+Christian Persson <saser@live.se>
+Christian Stefanescu <st.chris@gmail.com>
+Christophe Robin <crobin@nekoo.com>
+Christophe Vidal <kriss@krizalys.com>
+Christopher Biscardi <biscarch@sketcht.com>
+Christopher Jones <tophj@linux.vnet.ibm.com>
+Christy Perez <christy@linux.vnet.ibm.com>
+Chun Chen <ramichen@tencent.com>
+Clinton Kitson <clintonskitson@gmail.com>
+Coenraad Loubser <coenraad@wish.org.za>
+Colin Hebert <hebert.colin@gmail.com>
+Collin Guarino <collin.guarino@gmail.com>
+Colm Hally <colmhally@gmail.com>
+Corey Farrell <git@cfware.com>
+Cristian Staretu <cristian.staretu@gmail.com>
+Daehyeok Mun <daehyeok@gmail.com>
+Dafydd Crosby <dtcrsby@gmail.com>
+dalanlan <dalanlan925@gmail.com>
+Damien Nadé <github@livna.org>
+Dan Cotora <dan@bluevision.ro>
+Daniel Dao <dqminh@cloudflare.com>
+Daniel Farrell <dfarrell@redhat.com>
+Daniel Gasienica <daniel@gasienica.ch>
+Daniel Goosen <daniel.goosen@surveysampling.com>
+Daniel Hiltgen <daniel.hiltgen@docker.com>
+Daniel J Walsh <dwalsh@redhat.com>
+Daniel Nephin <dnephin@docker.com>
+Daniel Norberg <dano@spotify.com>
+Daniel Watkins <daniel@daniel-watkins.co.uk>
+Daniel Zhang <jmzwcn@gmail.com>
+Danny Berger <dpb587@gmail.com>
+Darren Shepherd <darren.s.shepherd@gmail.com>
+Darren Stahl <darst@microsoft.com>
+Dattatraya Kumbhar <dattatraya.kumbhar@gslab.com>
+Dave Goodchild <buddhamagnet@gmail.com>
+Dave Henderson <dhenderson@gmail.com>
+Dave Tucker <dt@docker.com>
+David Beitey <david@davidjb.com>
+David Calavera <david.calavera@gmail.com>
+David Cramer <davcrame@cisco.com>
+David Dooling <dooling@gmail.com>
+David Gageot <david@gageot.net>
+David Lechner <david@lechnology.com>
+David Sheets <dsheets@docker.com>
+David Williamson <david.williamson@docker.com>
+David Xia <dxia@spotify.com>
+David Young <yangboh@cn.ibm.com>
+Deng Guangxing <dengguangxing@huawei.com>
+Denis Defreyne <denis@soundcloud.com>
+Denis Gladkikh <denis@gladkikh.email>
+Denis Ollier <larchunix@users.noreply.github.com>
+Dennis Docter <dennis@d23.nl>
+Derek McGowan <derek@mcgstyle.net>
+Deshi Xiao <dxiao@redhat.com>
+Dharmit Shah <shahdharmit@gmail.com>
+Dhawal Yogesh Bhanushali <dbhanushali@vmware.com>
+Dieter Reuter <dieter.reuter@me.com>
+Dima Stopel <dima@twistlock.com>
+Dimitry Andric <d.andric@activevideo.com>
+Ding Fei <dingfei@stars.org.cn>
+Diogo Monica <diogo@docker.com>
+Dmitry Gusev <dmitry.gusev@gmail.com>
+Dmitry Smirnov <onlyjob@member.fsf.org>
+Dmitry V. Krivenok <krivenok.dmitry@gmail.com>
+Don Kjer <don.kjer@gmail.com>
+Dong Chen <dongluo.chen@docker.com>
+Doug Davis <dug@us.ibm.com>
+Drew Erny <drew.erny@docker.com>
+Ed Costello <epc@epcostello.com>
+Eli Uriegas <eli.uriegas@docker.com>
+Eli Uriegas <seemethere101@gmail.com>
+Elias Faxö <elias.faxo@tre.se>
+Eric G. Noriega <enoriega@vizuri.com>
+Eric Rosenberg <ehaydenr@gmail.com>
+Eric Sage <eric.david.sage@gmail.com>
+Eric-Olivier Lamey <eo@lamey.me>
+Erica Windisch <erica@windisch.us>
+Erik Hollensbe <github@hollensbe.org>
+Erik St. Martin <alakriti@gmail.com>
+Ethan Haynes <ethanhaynes@alumni.harvard.edu>
+Eugene Yakubovich <eugene.yakubovich@coreos.com>
+Evan Allrich <evan@unguku.com>
+Evan Hazlett <ejhazlett@gmail.com>
+Evan Krall <krall@yelp.com>
+Evelyn Xu <evelynhsu21@gmail.com>
+Everett Toews <everett.toews@rackspace.com>
+Fabio Falci <fabiofalci@gmail.com>
+Fabrizio Soppelsa <fsoppelsa@mirantis.com>
+Felix Hupfeld <felix@quobyte.com>
+Felix Rabe <felix@rabe.io>
+Flavio Crisciani <flavio.crisciani@docker.com>
+Florian Klein <florian.klein@free.fr>
+Foysal Iqbal <foysal.iqbal.fb@gmail.com>
+Fred Lifton <fred.lifton@docker.com>
+Frederick F. Kautz IV <fkautz@redhat.com>
+Frederik Nordahl Jul Sabroe <frederikns@gmail.com>
+Frieder Bluemle <frieder.bluemle@gmail.com>
+Gabriel Nicolas Avellaneda <avellaneda.gabriel@gmail.com>
+Gaetan de Villele <gdevillele@gmail.com>
+Gang Qiao <qiaohai8866@gmail.com>
+Gary Schaetz <gary@schaetzkc.com>
+Genki Takiuchi <genki@s21g.com>
+George MacRorie <gmacr31@gmail.com>
+George Xie <georgexsh@gmail.com>
+Gianluca Borello <g.borello@gmail.com>
+Gildas Cuisinier <gildas.cuisinier@gcuisinier.net>
+Gou Rao <gou@portworx.com>
+Grant Reaber <grant.reaber@gmail.com>
+Greg Pflaum <gpflaum@users.noreply.github.com>
+Guilhem Lettron <guilhem+github@lettron.fr>
+Guillaume J. Charmes <guillaume.charmes@docker.com>
+gwx296173 <gaojing3@huawei.com>
+Günther Jungbluth <gunther@gameslabs.net>
+Hakan Özler <hakan.ozler@kodcu.com>
+Hao Zhang <21521210@zju.edu.cn>
+Harald Albers <github@albersweb.de>
+Harold Cooper <hrldcpr@gmail.com>
+Harry Zhang <harryz@hyper.sh>
+He Simei <hesimei@zju.edu.cn>
+Helen Xie <chenjg@harmonycloud.cn>
+Henning Sprang <henning.sprang@gmail.com>
+Henry N <henrynmail-github@yahoo.de>
+Hernan Garcia <hernandanielg@gmail.com>
+Hongbin Lu <hongbin034@gmail.com>
+Hu Keping <hukeping@huawei.com>
+Huayi Zhang <irachex@gmail.com>
+huqun <huqun@zju.edu.cn>
+Huu Nguyen <huu@prismskylabs.com>
+Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com>
+Ian Campbell <ian.campbell@docker.com>
+Ian Philpot <ian.philpot@microsoft.com>
+Ignacio Capurro <icapurrofagian@gmail.com>
+Ilya Dmitrichenko <errordeveloper@gmail.com>
+Ilya Khlopotov <ilya.khlopotov@gmail.com>
+Ilya Sotkov <ilya@sotkov.com>
+Isabel Jimenez <contact.isabeljimenez@gmail.com>
+Ivan Grcic <igrcic@gmail.com>
+Ivan Markin <sw@nogoegst.net>
+Jacob Atzen <jacob@jacobatzen.dk>
+Jacob Tomlinson <jacob@tom.linson.uk>
+Jaivish Kothari <janonymous.codevulture@gmail.com>
+Jake Sanders <jsand@google.com>
+James Nesbitt <james.nesbitt@wunderkraut.com>
+James Turnbull <james@lovedthanlost.net>
+Jamie Hannaford <jamie@limetree.org>
+Jan Koprowski <jan.koprowski@gmail.com>
+Jan Pazdziora <jpazdziora@redhat.com>
+Jan-Jaap Driessen <janjaapdriessen@gmail.com>
+Jana Radhakrishnan <mrjana@docker.com>
+Jared Hocutt <jaredh@netapp.com>
+Jasmine Hegman <jasmine@jhegman.com>
+Jason Heiss <jheiss@aput.net>
+Jason Plum <jplum@devonit.com>
+Jay Kamat <github@jgkamat.33mail.com>
+Jean-Pierre Huynh <jean-pierre.huynh@ounet.fr>
+Jean-Pierre Huynh <jp@moogsoft.com>
+Jeff Lindsay <progrium@gmail.com>
+Jeff Nickoloff <jeff.nickoloff@gmail.com>
+Jeff Silberman <jsilberm@gmail.com>
+Jeremy Chambers <jeremy@thehipbot.com>
+Jeremy Unruh <jeremybunruh@gmail.com>
+Jeremy Yallop <yallop@docker.com>
+Jeroen Franse <jeroenfranse@gmail.com>
+Jesse Adametz <jesseadametz@gmail.com>
+Jessica Frazelle <jessfraz@google.com>
+Jezeniel Zapanta <jpzapanta22@gmail.com>
+Jian Zhang <zhangjian.fnst@cn.fujitsu.com>
+Jie Luo <luo612@zju.edu.cn>
+Jilles Oldenbeuving <ojilles@gmail.com>
+Jim Galasyn <jim.galasyn@docker.com>
+Jimmy Leger <jimmy.leger@gmail.com>
+Jimmy Song <rootsongjc@gmail.com>
+jimmyxian <jimmyxian2004@yahoo.com.cn>
+Joao Fernandes <joao.fernandes@docker.com>
+Joe Doliner <jdoliner@pachyderm.io>
+Joe Gordon <joe.gordon0@gmail.com>
+Joel Handwell <joelhandwell@gmail.com>
+Joey Geiger <jgeiger@gmail.com>
+Joffrey F <joffrey@docker.com>
+Johan Euphrosine <proppy@google.com>
+Johannes 'fish' Ziemke <github@freigeist.org>
+John Feminella <jxf@jxf.me>
+John Harris <john@johnharris.io>
+John Howard (VM) <John.Howard@microsoft.com>
+John Laswell <john.n.laswell@gmail.com>
+John Maguire <jmaguire@duosecurity.com>
+John Mulhausen <john@docker.com>
+John Starks <jostarks@microsoft.com>
+John Stephens <johnstep@docker.com>
+John Tims <john.k.tims@gmail.com>
+John V. Martinez <jvmatl@gmail.com>
+John Willis <john.willis@docker.com>
+Jonathan Boulle <jonathanboulle@gmail.com>
+Jonathan Lee <jonjohn1232009@gmail.com>
+Jonathan Lomas <jonathan@floatinglomas.ca>
+Jonathan McCrohan <jmccrohan@gmail.com>
+Jonh Wendell <jonh.wendell@redhat.com>
+Jordan Jennings <jjn2009@gmail.com>
+Joseph Kern <jkern@semafour.net>
+Josh Bodah <jb3689@yahoo.com>
+Josh Chorlton <jchorlton@gmail.com>
+Josh Hawn <josh.hawn@docker.com>
+Josh Horwitz <horwitz@addthis.com>
+Josh Soref <jsoref@gmail.com>
+Julien Barbier <write0@gmail.com>
+Julien Kassar <github@kassisol.com>
+Julien Maitrehenry <julien.maitrehenry@me.com>
+Justas Brazauskas <brazauskasjustas@gmail.com>
+Justin Cormack <justin.cormack@docker.com>
+Justin Simonelis <justin.p.simonelis@gmail.com>
+Jyrki Puttonen <jyrkiput@gmail.com>
+Jérôme Petazzoni <jerome.petazzoni@docker.com>
+Jörg Thalheim <joerg@higgsboson.tk>
+Kai Blin <kai@samba.org>
+Kai Qiang Wu (Kennan) <wkq5325@gmail.com>
+Kara Alexandra <kalexandra@us.ibm.com>
+Kareem Khazem <karkhaz@karkhaz.com>
+Karthik Nayak <Karthik.188@gmail.com>
+Kat Samperi <kat.samperi@gmail.com>
+Katie McLaughlin <katie@glasnt.com>
+Ke Xu <leonhartx.k@gmail.com>
+Kei Ohmura <ohmura.kei@gmail.com>
+Keith Hudgins <greenman@greenman.org>
+Ken Cochrane <kencochrane@gmail.com>
+Ken ICHIKAWA <ichikawa.ken@jp.fujitsu.com>
+Kenfe-Mickaël Laventure <mickael.laventure@gmail.com>
+Kevin Burke <kev@inburke.com>
+Kevin Feyrer <kevin.feyrer@btinternet.com>
+Kevin Kern <kaiwentan@harmonycloud.cn>
+Kevin Kirsche <Kev.Kirsche+GitHub@gmail.com>
+Kevin Meredith <kevin.m.meredith@gmail.com>
+Kevin Richardson <kevin@kevinrichardson.co>
+khaled souf <khaled.souf@gmail.com>
+Kim Eik <kim@heldig.org>
+Kir Kolyshkin <kolyshkin@gmail.com>
+Kotaro Yoshimatsu <kotaro.yoshimatsu@gmail.com>
+Krasi Georgiev <krasi@vip-consult.solutions>
+Kris-Mikael Krister <krismikael@protonmail.com>
+Kun Zhang <zkazure@gmail.com>
+Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
+Kyle Spiers <kyle@spiers.me>
+Lachlan Cooper <lachlancooper@gmail.com>
+Lai Jiangshan <jiangshanlai@gmail.com>
+Lars Kellogg-Stedman <lars@redhat.com>
+Laura Frank <ljfrank@gmail.com>
+Laurent Erignoux <lerignoux@gmail.com>
+Lei Jitang <leijitang@huawei.com>
+Lennie <github@consolejunkie.net>
+Leo Gallucci <elgalu3@gmail.com>
+Lewis Daly <lewisdaly@me.com>
+Li Yi <denverdino@gmail.com>
+Li Yi <weiyuan.yl@alibaba-inc.com>
+Liang-Chi Hsieh <viirya@gmail.com>
+Lily Guo <lily.guo@docker.com>
+Lin Lu <doraalin@163.com>
+Linus Heckemann <lheckemann@twig-world.com>
+Liping Xue <lipingxue@gmail.com>
+Liron Levin <liron@twistlock.com>
+liwenqi <vikilwq@zju.edu.cn>
+lixiaobing10051267 <li.xiaobing1@zte.com.cn>
+Lloyd Dewolf <foolswisdom@gmail.com>
+Lorenzo Fontana <lo@linux.com>
+Louis Opter <kalessin@kalessin.fr>
+Luca Favatella <luca.favatella@erlang-solutions.com>
+Luca Marturana <lucamarturana@gmail.com>
+Lucas Chan <lucas-github@lucaschan.com>
+Luka Hartwig <mail@lukahartwig.de>
+Lukasz Zajaczkowski <Lukasz.Zajaczkowski@ts.fujitsu.com>
+Lydell Manganti <LydellManganti@users.noreply.github.com>
+Lénaïc Huard <lhuard@amadeus.com>
+Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
+Mabin <bin.ma@huawei.com>
+Madhav Puri <madhav.puri@gmail.com>
+Madhu Venugopal <madhu@socketplane.io>
+Malte Janduda <mail@janduda.net>
+Manjunath A Kumatagi <mkumatag@in.ibm.com>
+Mansi Nahar <mmn4185@rit.edu>
+mapk0y <mapk0y@gmail.com>
+Marc Bihlmaier <marc.bihlmaier@reddoxx.com>
+Marco Mariani <marco.mariani@alterway.fr>
+Marcus Martins <marcus@docker.com>
+Marianna Tessel <mtesselh@gmail.com>
+Marius Sturm <marius@graylog.com>
+Mark Oates <fl0yd@me.com>
+Martin Mosegaard Amdisen <martin.amdisen@praqma.com>
+Mary Anthony <mary.anthony@docker.com>
+Mason Malone <mason.malone@gmail.com>
+Mateusz Major <apkd@users.noreply.github.com>
+Matt Gucci <matt9ucci@gmail.com>
+Matt Robenolt <matt@ydekproductions.com>
+Matthew Heon <mheon@redhat.com>
+Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+Max Shytikov <mshytikov@gmail.com>
+Maxime Petazzoni <max@signalfuse.com>
+Mei ChunTao <mei.chuntao@zte.com.cn>
+Micah Zoltu <micah@newrelic.com>
+Michael A. Smith <michael@smith-li.com>
+Michael Bridgen <mikeb@squaremobius.net>
+Michael Crosby <michael@docker.com>
+Michael Friis <friism@gmail.com>
+Michael Irwin <mikesir87@gmail.com>
+Michael Käufl <docker@c.michael-kaeufl.de>
+Michael Prokop <github@michael-prokop.at>
+Michael Scharf <github@scharf.gr>
+Michael Spetsiotis <michael_spets@hotmail.com>
+Michael Steinert <mike.steinert@gmail.com>
+Michael West <mwest@mdsol.com>
+Michal Minář <miminar@redhat.com>
+Michał Czeraszkiewicz <czerasz@gmail.com>
+Miguel Angel Alvarez Cabrerizo <doncicuto@gmail.com>
+Mihai Borobocea <MihaiBorob@gmail.com>
+Mihuleacc Sergiu <mihuleac.sergiu@gmail.com>
+Mike Brown <brownwm@us.ibm.com>
+Mike Casas <mkcsas0@gmail.com>
+Mike Danese <mikedanese@google.com>
+Mike Dillon <mike@embody.org>
+Mike Goelzer <mike.goelzer@docker.com>
+Mike MacCana <mike.maccana@gmail.com>
+mikelinjie <294893458@qq.com>
+Mikhail Vasin <vasin@cloud-tv.ru>
+Milind Chawre <milindchawre@gmail.com>
+Misty Stanley-Jones <misty@docker.com>
+Mohammad Banikazemi <mb@us.ibm.com>
+Mohammed Aaqib Ansari <maaquib@gmail.com>
+Moorthy RS <rsmoorthy@gmail.com>
+Morgan Bauer <mbauer@us.ibm.com>
+Moysés Borges <moysesb@gmail.com>
+Mrunal Patel <mrunalp@gmail.com>
+muicoder <muicoder@gmail.com>
+Muthukumar R <muthur@gmail.com>
+Máximo Cuadros <mcuadros@gmail.com>
+Nace Oroz <orkica@gmail.com>
+Nahum Shalman <nshalman@omniti.com>
+Nalin Dahyabhai <nalin@redhat.com>
+Nassim 'Nass' Eddequiouaq <eddequiouaq.nassim@gmail.com>
+Natalie Parker <nparker@omnifone.com>
+Nate Brennand <nate.brennand@clever.com>
+Nathan Hsieh <hsieh.nathan@gmail.com>
+Nathan LeClaire <nathan.leclaire@docker.com>
+Nathan McCauley <nathan.mccauley@docker.com>
+Neil Peterson <neilpeterson@outlook.com>
+Nicola Kabar <nicolaka@gmail.com>
+Nicolas Borboën <ponsfrilus@gmail.com>
+Nicolas De Loof <nicolas.deloof@gmail.com>
+Nikhil Chawla <chawlanikhil24@gmail.com>
+Nikolas Garofil <nikolas.garofil@uantwerpen.be>
+Nikolay Milovanov <nmil@itransformers.net>
+Nishant Totla <nishanttotla@gmail.com>
+NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
+Noah Treuhaft <noah.treuhaft@docker.com>
+O.S. Tezer <ostezer@gmail.com>
+ohmystack <jun.jiang02@ele.me>
+Olle Jonsson <olle.jonsson@gmail.com>
+Otto Kekäläinen <otto@seravo.fi>
+Ovidio Mallo <ovidio.mallo@gmail.com>
+Pascal Borreli <pascal@borreli.com>
+Patrick Böänziger <patrick.baenziger@bsi-software.com>
+Patrick Hemmer <patrick.hemmer@gmail.com>
+Patrick Lang <plang@microsoft.com>
+Paul <paul9869@gmail.com>
+Paul Kehrer <paul.l.kehrer@gmail.com>
+Paul Lietar <paul@lietar.net>
+Paul Weaver <pauweave@cisco.com>
+Pavel Pospisil <pospispa@gmail.com>
+Paweł Szczekutowicz <pszczekutowicz@gmail.com>
+Peeyush Gupta <gpeeyush@linux.vnet.ibm.com>
+Per Lundberg <per.lundberg@ecraft.com>
+Peter Edge <peter.edge@gmail.com>
+Peter Hsu <shhsu@microsoft.com>
+Peter Jaffe <pjaffe@nevo.com>
+Peter Nagy <xificurC@gmail.com>
+Peter Salvatore <peter@psftw.com>
+Peter Waller <p@pwaller.net>
+Phil Estes <estesp@linux.vnet.ibm.com>
+Philip Alexander Etling <paetling@gmail.com>
+Philipp Gillé <philipp.gille@gmail.com>
+pidster <pid@pidster.com>
+pixelistik <pixelistik@users.noreply.github.com>
+Pratik Karki <prertik@outlook.com>
+Prayag Verma <prayag.verma@gmail.com>
+Preston Cowley <preston.cowley@sony.com>
+Pure White <daniel48@126.com>
+Qiang Huang <h.huangqiang@huawei.com>
+Qinglan Peng <qinglanpeng@zju.edu.cn>
+qudongfang <qudongfang@gmail.com>
+Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
+Ray Tsang <rayt@google.com>
+Reficul <xuzhenglun@gmail.com>
+Remy Suen <remy.suen@gmail.com>
+Renaud Gaubert <rgaubert@nvidia.com>
+Ricardo N Feliciano <FelicianoTech@gmail.com>
+Rich Moyse <rich@moyse.us>
+Richard Mathie <richard.mathie@amey.co.uk>
+Richard Scothern <richard.scothern@gmail.com>
+Rick Wieman <git@rickw.nl>
+Ritesh H Shukla <sritesh@vmware.com>
+Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
+Robert Wallis <smilingrob@gmail.com>
+Robin Naundorf <r.naundorf@fh-muenster.de>
+Robin Speekenbrink <robin@kingsquare.nl>
+Rodolfo Ortiz <rodolfo.ortiz@definityfirst.com>
+Rogelio Canedo <rcanedo@mappy.priv>
+Roland Kammerer <roland.kammerer@linbit.com>
+Roman Dudin <katrmr@gmail.com>
+Rory Hunter <roryhunter2@gmail.com>
+Ross Boucher <rboucher@gmail.com>
+Rubens Figueiredo <r.figueiredo.52@gmail.com>
+Ryan Belgrave <rmb1993@gmail.com>
+Ryan Detzel <ryan.detzel@gmail.com>
+Ryan Stelly <ryan.stelly@live.com>
+Sainath Grandhi <sainath.grandhi@intel.com>
+Sakeven Jiang <jc5930@sina.cn>
+Sally O'Malley <somalley@redhat.com>
+Sam Neirinck <sam@samneirinck.com>
+Sambuddha Basu <sambuddhabasu1@gmail.com>
+Samuel Karp <skarp@amazon.com>
+Santhosh Manohar <santhosh@docker.com>
+Scott Collier <emailscottcollier@gmail.com>
+Sean Christopherson <sean.j.christopherson@intel.com>
+Sean Rodman <srodman7689@gmail.com>
+Sebastiaan van Stijn <github@gone.nl>
+Sergey Tryuber <Sergeant007@users.noreply.github.com>
+Serhat Gülçiçek <serhat25@gmail.com>
+Sevki Hasirci <s@sevki.org>
+Shaun Kaasten <shaunk@gmail.com>
+Sheng Yang <sheng@yasker.org>
+Shijiang Wei <mountkin@gmail.com>
+Shishir Mahajan <shishir.mahajan@redhat.com>
+Shoubhik Bose <sbose78@gmail.com>
+Shukui Yang <yangshukui@huawei.com>
+Sian Lerk Lau <kiawin@gmail.com>
+Sidhartha Mani <sidharthamn@gmail.com>
+sidharthamani <sid@rancher.com>
+Silvin Lubecki <silvin.lubecki@docker.com>
+Simei He <hesimei@zju.edu.cn>
+Simon Ferquel <simon.ferquel@docker.com>
+Sindhu S <sindhus@live.in>
+Slava Semushin <semushin@redhat.com>
+Solomon Hykes <solomon@docker.com>
+Song Gao <song@gao.io>
+Spencer Brown <spencer@spencerbrown.org>
+squeegels <1674195+squeegels@users.noreply.github.com>
+Srini Brahmaroutu <srbrahma@us.ibm.com>
+Stefan S. <tronicum@user.github.com>
+Stefan Scherer <scherer_stefan@icloud.com>
+Stefan Weil <sw@weilnetz.de>
+Stephen Day <stevvooe@gmail.com>
+Stephen Rust <srust@blockbridge.com>
+Steve Durrheimer <s.durrheimer@gmail.com>
+Steven Burgess <steven.a.burgess@hotmail.com>
+Subhajit Ghosh <isubuz.g@gmail.com>
+Sun Jianbo <wonderflow.sun@gmail.com>
+Sungwon Han <sungwon.han@navercorp.com>
+Sven Dowideit <SvenDowideit@home.org.au>
+Sylvain Baubeau <sbaubeau@redhat.com>
+Sébastien HOUZÉ <cto@verylastroom.com>
+T K Sourabh <sourabhtk37@gmail.com>
+TAGOMORI Satoshi <tagomoris@gmail.com>
+Taylor Jones <monitorjbl@gmail.com>
+Thatcher Peskens <thatcher@docker.com>
+Thomas Gazagnaire <thomas@gazagnaire.org>
+Thomas Krzero <thomas.kovatchitch@gmail.com>
+Thomas Leonard <thomas.leonard@docker.com>
+Thomas Léveil <thomasleveil@gmail.com>
+Thomas Riccardi <riccardi@systran.fr>
+Thomas Swift <tgs242@gmail.com>
+Tianon Gravi <admwiggin@gmail.com>
+Tianyi Wang <capkurmagati@gmail.com>
+Tibor Vass <teabee89@gmail.com>
+Tim Dettrick <t.dettrick@uq.edu.au>
+Tim Hockin <thockin@google.com>
+Tim Smith <timbot@google.com>
+Tim Waugh <twaugh@redhat.com>
+Tim Wraight <tim.wraight@tangentlabs.co.uk>
+timfeirg <kkcocogogo@gmail.com>
+Timothy Hobbs <timothyhobbs@seznam.cz>
+Tobias Bradtke <webwurst@gmail.com>
+Tobias Gesellchen <tobias@gesellix.de>
+Todd Whiteman <todd.whiteman@joyent.com>
+Tom Denham <tom@tomdee.co.uk>
+Tom Fotherby <tom+github@peopleperhour.com>
+Tom X. Tobin <tomxtobin@tomxtobin.com>
+Tomas Tomecek <ttomecek@redhat.com>
+Tomasz Kopczynski <tomek@kopczynski.net.pl>
+Tomáš Hrčka <thrcka@redhat.com>
+Tony Abboud <tdabboud@hotmail.com>
+Tõnis Tiigi <tonistiigi@gmail.com>
+Trapier Marshall <trapier.marshall@docker.com>
+Travis Cline <travis.cline@gmail.com>
+Tristan Carel <tristan@cogniteev.com>
+Tycho Andersen <tycho@docker.com>
+Tycho Andersen <tycho@tycho.ws>
+uhayate <uhayate.gong@daocloud.io>
+Umesh Yadav <umesh4257@gmail.com>
+Valentin Lorentz <progval+git@progval.net>
+Veres Lajos <vlajos@gmail.com>
+Victor Vieux <victor.vieux@docker.com>
+Victoria Bialas <victoria.bialas@docker.com>
+Viktor Stanchev <me@viktorstanchev.com>
+Vincent Batts <vbatts@redhat.com>
+Vincent Bernat <Vincent.Bernat@exoscale.ch>
+Vincent Demeester <vincent.demeester@docker.com>
+Vincent Woo <me@vincentwoo.com>
+Vishnu Kannan <vishnuk@google.com>
+Vivek Goyal <vgoyal@redhat.com>
+Wang Jie <wangjie5@chinaskycloud.com>
+Wang Long <long.wanglong@huawei.com>
+Wang Ping <present.wp@icloud.com>
+Wang Xing <hzwangxing@corp.netease.com>
+Wang Yuexiao <wang.yuexiao@zte.com.cn>
+Wataru Ishida <ishida.wataru@lab.ntt.co.jp>
+Wayne Song <wsong@docker.com>
+Wen Cheng Ma <wenchma@cn.ibm.com>
+Wenzhi Liang <wenzhi.liang@gmail.com>
+Wes Morgan <cap10morgan@gmail.com>
+Wewang Xiaorenfine <wang.xiaoren@zte.com.cn>
+William Henry <whenry@redhat.com>
+Xianglin Gao <xlgao@zju.edu.cn>
+Xinbo Weng <xihuanbo_0521@zju.edu.cn>
+Xuecong Liao <satorulogic@gmail.com>
+Yan Feng <yanfeng2@huawei.com>
+Yanqiang Miao <miao.yanqiang@zte.com.cn>
+Yassine Tijani <yasstij11@gmail.com>
+Yi EungJun <eungjun.yi@navercorp.com>
+Ying Li <ying.li@docker.com>
+Yong Tang <yong.tang.github@outlook.com>
+Yosef Fertel <yfertel@gmail.com>
+Yu Peng <yu.peng36@zte.com.cn>
+Yuan Sun <sunyuan3@huawei.com>
+Yunxiang Huang <hyxqshk@vip.qq.com>
+zebrilee <zebrilee@gmail.com>
+Zhang Kun <zkazure@gmail.com>
+Zhang Wei <zhangwei555@huawei.com>
+Zhang Wentao <zhangwentao234@huawei.com>
+ZhangHang <stevezhang2014@gmail.com>
+zhenghenghuo <zhenghenghuo@zju.edu.cn>
+Zhou Hao <zhouhao@cn.fujitsu.com>
+Zhu Guihua <zhugh.fnst@cn.fujitsu.com>
+Álex González <agonzalezro@gmail.com>
+Álvaro Lázaro <alvaro.lazaro.g@gmail.com>
+Átila Camurça Alves <camurca.home@gmail.com>
+徐俊杰 <paco.xu@daocloud.io>
diff --git a/cli/CONTRIBUTING.md b/cli/CONTRIBUTING.md
new file mode 100644
index 00000000..245d3a3a
--- /dev/null
+++ b/cli/CONTRIBUTING.md
@@ -0,0 +1,365 @@
+# Contributing to Docker
+
+Want to hack on Docker? Awesome!  We have a contributor's guide that explains
+[setting up a Docker development environment and the contribution
+process](https://docs.docker.com/opensource/project/who-written-for/). 
+
+This page contains information about reporting issues as well as some tips and
+guidelines useful to experienced open source contributors. Finally, make sure
+you read our [community guidelines](#docker-community-guidelines) before you
+start participating.
+
+## Topics
+
+* [Reporting Security Issues](#reporting-security-issues)
+* [Design and Cleanup Proposals](#design-and-cleanup-proposals)
+* [Reporting Issues](#reporting-other-issues)
+* [Quick Contribution Tips and Guidelines](#quick-contribution-tips-and-guidelines)
+* [Community Guidelines](#docker-community-guidelines)
+
+## Reporting security issues
+
+The Docker maintainers take security seriously. If you discover a security
+issue, please bring it to their attention right away!
+
+Please **DO NOT** file a public issue, instead send your report privately to
+[security@docker.com](mailto:security@docker.com).
+
+Security reports are greatly appreciated and we will publicly thank you for it.
+We also like to send gifts&mdash;if you're into Docker schwag, make sure to let
+us know. We currently do not offer a paid security bounty program, but are not
+ruling it out in the future.
+
+
+## Reporting other issues
+
+A great way to contribute to the project is to send a detailed report when you
+encounter an issue. We always appreciate a well-written, thorough bug report,
+and will thank you for it!
+
+Check that [our issue database](https://github.com/docker/cli/issues)
+doesn't already include that problem or suggestion before submitting an issue.
+If you find a match, you can use the "subscribe" button to get notified on
+updates. Do *not* leave random "+1" or "I have this too" comments, as they
+only clutter the discussion, and don't help resolving it. However, if you
+have ways to reproduce the issue or have additional information that may help
+resolving the issue, please leave a comment.
+
+When reporting issues, always include:
+
+* The output of `docker version`.
+* The output of `docker info`.
+
+Also include the steps required to reproduce the problem if possible and
+applicable. This information will help us review and fix your issue faster.
+When sending lengthy log-files, consider posting them as a gist (https://gist.github.com).
+Don't forget to remove sensitive data from your logfiles before posting (you can
+replace those parts with "REDACTED").
+
+## Quick contribution tips and guidelines
+
+This section gives the experienced contributor some tips and guidelines.
+
+### Pull requests are always welcome
+
+Not sure if that typo is worth a pull request? Found a bug and know how to fix
+it? Do it! We will appreciate it. Any significant improvement should be
+documented as [a GitHub issue](https://github.com/docker/cli/issues) before
+anybody starts working on it.
+
+We are always thrilled to receive pull requests. We do our best to process them
+quickly. If your pull request is not accepted on the first try,
+don't get discouraged! Our contributor's guide explains [the review process we
+use for simple changes](https://docs.docker.com/opensource/workflow/make-a-contribution/).
+
+### Talking to other Docker users and contributors
+
+<table class="tg">
+  <col width="45%">
+  <col width="65%">
+  <tr>
+    <td>Forums</td>
+    <td>
+      A public forum for users to discuss questions and explore current design patterns and
+      best practices about Docker and related projects in the Docker Ecosystem. To participate,
+      just log in with your Docker Hub account on <a href="https://forums.docker.com" target="_blank">https://forums.docker.com</a>.
+    </td>
+  </tr>
+  <tr>
+    <td>Community Slack</td>
+    <td>
+      The Docker Community has a dedicated Slack chat to discuss features and issues.  You can sign-up <a href="https://community.docker.com/registrations/groups/4316" target="_blank">with this link</a>.
+    </td>
+  </tr>
+  <tr>
+    <td>Twitter</td>
+    <td>
+      You can follow <a href="https://twitter.com/docker/" target="_blank">Docker's Twitter feed</a>
+      to get updates on our products. You can also tweet us questions or just
+      share blogs or stories.
+    </td>
+  </tr>
+  <tr>
+    <td>Stack Overflow</td>
+    <td>
+      Stack Overflow has over 17000 Docker questions listed. We regularly
+      monitor <a href="https://stackoverflow.com/search?tab=newest&q=docker" target="_blank">Docker questions</a>
+      and so do many other knowledgeable Docker users.
+    </td>
+  </tr>
+</table>
+
+
+### Conventions
+
+Fork the repository and make changes on your fork in a feature branch:
+
+- If it's a bug fix branch, name it XXXX-something where XXXX is the number of
+    the issue. 
+- If it's a feature branch, create an enhancement issue to announce
+    your intentions, and name it XXXX-something where XXXX is the number of the
+    issue.
+
+Submit unit tests for your changes. Go has a great test framework built in; use
+it! Take a look at existing tests for inspiration. [Run the full test
+suite](README.md) on your branch before
+submitting a pull request.
+
+Update the documentation when creating or modifying features. Test your
+documentation changes for clarity, concision, and correctness, as well as a
+clean documentation build. See our contributors guide for [our style
+guide](https://docs.docker.com/opensource/doc-style) and instructions on [building
+the documentation](https://docs.docker.com/opensource/project/test-and-docs/#build-and-test-the-documentation).
+
+Write clean code. Universally formatted code promotes ease of writing, reading,
+and maintenance. Always run `gofmt -s -w file.go` on each changed file before
+committing your changes. Most editors have plug-ins that do this automatically.
+
+Pull request descriptions should be as clear as possible and include a reference
+to all the issues that they address.
+
+Commit messages must start with a capitalized and short summary (max. 50 chars)
+written in the imperative, followed by an optional, more detailed explanatory
+text which is separated from the summary by an empty line.
+
+Code review comments may be added to your pull request. Discuss, then make the
+suggested modifications and push additional commits to your feature branch. Post
+a comment after pushing. New commits show up in the pull request automatically,
+but the reviewers are notified only when you comment.
+
+Pull requests must be cleanly rebased on top of master without multiple branches
+mixed into the PR.
+
+**Git tip**: If your PR no longer merges cleanly, use `rebase master` in your
+feature branch to update your pull request rather than `merge master`.
+
+Before you make a pull request, squash your commits into logical units of work
+using `git rebase -i` and `git push -f`. A logical unit of work is a consistent
+set of patches that should be reviewed together: for example, upgrading the
+version of a vendored dependency and taking advantage of its now available new
+feature constitute two separate units of work. Implementing a new function and
+calling it in another file constitute a single logical unit of work. The very
+high majority of submissions should have a single commit, so if in doubt: squash
+down to one.
+
+After every commit, make sure the test suite passes. Include documentation
+changes in the same pull request so that a revert would remove all traces of
+the feature or fix.
+
+Include an issue reference like `Closes #XXXX` or `Fixes #XXXX` in the pull request
+description that close an issue. Including references automatically closes the issue
+on a merge.
+
+Please do not add yourself to the `AUTHORS` file, as it is regenerated regularly
+from the Git history.
+
+Please see the [Coding Style](#coding-style) for further guidelines.
+
+### Merge approval
+
+Docker maintainers use LGTM (Looks Good To Me) in comments on the code review to
+indicate acceptance.
+
+A change requires LGTMs from an absolute majority of the maintainers of each
+component affected. For example, if a change affects `docs/` and `registry/`, it
+needs an absolute majority from the maintainers of `docs/` AND, separately, an
+absolute majority of the maintainers of `registry/`.
+
+For more details, see the [MAINTAINERS](MAINTAINERS) page.
+
+### Sign your work
+
+The sign-off is a simple line at the end of the explanation for the patch. Your
+signature certifies that you wrote the patch or otherwise have the right to pass
+it on as an open-source patch. The rules are pretty simple: if you can certify
+the below (from [developercertificate.org](http://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+Then you just add a line to every git commit message:
+
+    Signed-off-by: Joe Smith <joe.smith@email.com>
+
+Use your real name (sorry, no pseudonyms or anonymous contributions.)
+
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
+
+### How can I become a maintainer?
+
+The procedures for adding new maintainers are explained in the 
+global [MAINTAINERS](https://github.com/docker/opensource/blob/master/MAINTAINERS)
+file in the [https://github.com/docker/opensource/](https://github.com/docker/opensource/)
+repository.
+
+Don't forget: being a maintainer is a time investment. Make sure you
+will have time to make yourself available. You don't have to be a
+maintainer to make a difference on the project!
+
+## Docker community guidelines
+
+We want to keep the Docker community awesome, growing and collaborative. We need
+your help to keep it that way. To help with this we've come up with some general
+guidelines for the community as a whole:
+
+* Be nice: Be courteous, respectful and polite to fellow community members:
+  no regional, racial, gender, or other abuse will be tolerated. We like
+  nice people way better than mean ones!
+
+* Encourage diversity and participation: Make everyone in our community feel
+  welcome, regardless of their background and the extent of their
+  contributions, and do everything possible to encourage participation in
+  our community.
+
+* Keep it legal: Basically, don't get us in trouble. Share only content that
+  you own, do not share private or sensitive information, and don't break
+  the law.
+
+* Stay on topic: Make sure that you are posting to the correct channel and
+  avoid off-topic discussions. Remember when you update an issue or respond
+  to an email you are potentially sending to a large number of people. Please
+  consider this before you update. Also remember that nobody likes spam.
+
+* Don't send email to the maintainers: There's no need to send email to the
+  maintainers to ask them to investigate an issue or to take a look at a
+  pull request. Instead of sending an email, GitHub mentions should be
+  used to ping maintainers to review a pull request, a proposal or an
+  issue.
+
+### Guideline violations — 3 strikes method
+
+The point of this section is not to find opportunities to punish people, but we
+do need a fair way to deal with people who are making our community suck.
+
+1. First occurrence: We'll give you a friendly, but public reminder that the
+   behavior is inappropriate according to our guidelines.
+
+2. Second occurrence: We will send you a private message with a warning that
+   any additional violations will result in removal from the community.
+
+3. Third occurrence: Depending on the violation, we may need to delete or ban
+   your account.
+
+**Notes:**
+
+* Obvious spammers are banned on first occurrence. If we don't do this, we'll
+  have spam all over the place.
+
+* Violations are forgiven after 6 months of good behavior, and we won't hold a
+  grudge.
+
+* People who commit minor infractions will get some education, rather than
+  hammering them in the 3 strikes process.
+
+* The rules apply equally to everyone in the community, no matter how much
+    you've contributed.
+
+* Extreme violations of a threatening, abusive, destructive or illegal nature
+    will be addressed immediately and are not subject to 3 strikes or forgiveness.
+
+* Contact abuse@docker.com to report abuse or appeal violations. In the case of
+    appeals, we know that mistakes happen, and we'll work with you to come up with a
+    fair solution if there has been a misunderstanding.
+
+## Coding Style
+
+Unless explicitly stated, we follow all coding guidelines from the Go
+community. While some of these standards may seem arbitrary, they somehow seem
+to result in a solid, consistent codebase.
+
+It is possible that the code base does not currently comply with these
+guidelines. We are not looking for a massive PR that fixes this, since that
+goes against the spirit of the guidelines. All new contributions should make a
+best effort to clean up and make the code base better than they left it.
+Obviously, apply your best judgement. Remember, the goal here is to make the
+code base easier for humans to navigate and understand. Always keep that in
+mind when nudging others to comply.
+
+The rules:
+
+1. All code should be formatted with `gofmt -s`.
+2. All code should pass the default levels of
+   [`golint`](https://github.com/golang/lint).
+3. All code should follow the guidelines covered in [Effective
+   Go](http://golang.org/doc/effective_go.html) and [Go Code Review
+   Comments](https://github.com/golang/go/wiki/CodeReviewComments).
+4. Comment the code. Tell us the why, the history and the context.
+5. Document _all_ declarations and methods, even private ones. Declare
+   expectations, caveats and anything else that may be important. If a type
+   gets exported, having the comments already there will ensure it's ready.
+6. Variable name length should be proportional to its context and no longer.
+   `noCommaALongVariableNameLikeThisIsNotMoreClearWhenASimpleCommentWouldDo`.
+   In practice, short methods will have short variable names and globals will
+   have longer names.
+7. No underscores in package names. If you need a compound name, step back,
+   and re-examine why you need a compound name. If you still think you need a
+   compound name, lose the underscore.
+8. No utils or helpers packages. If a function is not general enough to
+   warrant its own package, it has not been written generally enough to be a
+   part of a util package. Just leave it unexported and well-documented.
+9. All tests should run with `go test` and outside tooling should not be
+   required. No, we don't need another unit testing framework. Assertion
+   packages are acceptable if they provide _real_ incremental value.
+10. Even though we call these "rules" above, they are actually just
+    guidelines. Since you've read all the rules, you now know that.
+
+If you are having trouble getting into the mood of idiomatic Go, we recommend
+reading through [Effective Go](https://golang.org/doc/effective_go.html). The
+[Go Blog](https://blog.golang.org) is also a great resource. Drinking the
+kool-aid is a lot easier than going thirsty.
\ No newline at end of file
diff --git a/cli/Jenkinsfile b/cli/Jenkinsfile
new file mode 100644
index 00000000..c5fd5055
--- /dev/null
+++ b/cli/Jenkinsfile
@@ -0,0 +1,12 @@
+wrappedNode(label: 'linux && x86_64', cleanWorkspace: true) {
+  timeout(time: 60, unit: 'MINUTES') {
+    stage "Git Checkout"
+    checkout scm
+
+    stage "Run end-to-end test suite"
+    sh "docker version"
+    sh "E2E_UNIQUE_ID=clie2e${BUILD_NUMBER} \
+        IMAGE_TAG=clie2e${BUILD_NUMBER} \
+        make -f docker.Makefile test-e2e"
+  }
+}
diff --git a/cli/LICENSE b/cli/LICENSE
new file mode 100644
index 00000000..9c8e20ab
--- /dev/null
+++ b/cli/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2013-2017 Docker, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/cli/MAINTAINERS b/cli/MAINTAINERS
new file mode 100644
index 00000000..c0b64509
--- /dev/null
+++ b/cli/MAINTAINERS
@@ -0,0 +1,136 @@
+# Docker maintainers file
+#
+# This file describes who runs the docker/cli project and how.
+# This is a living document - if you see something out of date or missing, speak up!
+#
+# It is structured to be consumable by both humans and programs.
+# To extract its contents programmatically, use any TOML-compliant
+# parser.
+#
+# This file is compiled into the MAINTAINERS file in docker/opensource.
+#
+[Org]
+
+	[Org."Core maintainers"]
+
+	# The Core maintainers are the ghostbusters of the project: when there's a problem others
+	# can't solve, they show up and fix it with bizarre devices and weaponry.
+	# They have final say on technical implementation and coding style.
+	# They are ultimately responsible for quality in all its forms: usability polish,
+	# bugfixes, performance, stability, etc. When ownership  can cleanly be passed to
+	# a subsystem, they are responsible for doing so and holding the
+	# subsystem maintainers accountable. If ownership is unclear, they are the de facto owners.
+
+		people = [
+			"aaronlehmann",
+			"albers",
+			"cpuguy83",
+			"dnephin",
+			"justincormack",
+			"silvin-lubecki",
+			"stevvooe",
+			"thajeztah",
+			"tibor",
+			"tonistiigi",
+			"vdemeester",
+			"vieux",
+		]
+
+	[Org."Docs maintainers"]
+
+	# TODO Describe the docs maintainers role.
+
+		people = [
+			"thajeztah"
+		]
+
+	[Org.Curators]
+
+	# The curators help ensure that incoming issues and pull requests are properly triaged and
+	# that our various contribution and reviewing processes are respected. With their knowledge of
+	# the repository activity, they can also guide contributors to relevant material or
+	# discussions.
+	#
+	# They are neither code nor docs reviewers, so they are never expected to merge. They can
+	# however:
+	# - close an issue or pull request when it's an exact duplicate
+	# - close an issue or pull request when it's inappropriate or off-topic
+
+		people = [
+			"programmerq",
+			"thajeztah"
+		]
+
+[people]
+
+# A reference list of all people associated with the project.
+# All other sections should refer to people by their canonical key
+# in the people section.
+
+	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
+
+	[people.aaronlehmann]
+	Name = "Aaron Lehmann"
+	Email = "aaron.lehmann@docker.com"
+	GitHub = "aaronlehmann"
+
+	[people.albers]
+	Name = "Harald Albers"
+	Email = "github@albersweb.de"
+	GitHub = "albers"
+
+	[people.cpuguy83]
+	Name = "Brian Goff"
+	Email = "cpuguy83@gmail.com"
+	GitHub = "cpuguy83"
+
+	[people.dnephin]
+	Name = "Daniel Nephin"
+	Email = "dnephin@gmail.com"
+	GitHub = "dnephin"
+
+	[people.justincormack]
+	Name = "Justin Cormack"
+	Email = "justin.cormack@docker.com"
+	GitHub = "justincormack"
+
+	[people.programmerq]
+	Name = "Jeff Anderson"
+	Email = "jeff@docker.com"
+	GitHub = "programmerq"
+
+	[people.silvin-lubecki]
+	Name = "Silvin Lubecki"
+	Email = "silvin.lubecki@docker.com"
+	GitHub = "silvin-lubecki"
+
+	[people.stevvooe]
+	Name = "Stephen Day"
+	Email = "stevvooe@gmail.com"
+	GitHub = "stevvooe"
+
+	[people.thajeztah]
+	Name = "Sebastiaan van Stijn"
+	Email = "github@gone.nl"
+	GitHub = "thaJeztah"
+
+	[people.tibor]
+	Name = "Tibor Vass"
+	Email = "tibor@docker.com"
+	GitHub = "tiborvass"
+
+	[people.tonistiigi]
+	Name = "Tõnis Tiigi"
+	Email = "tonis@docker.com"
+	GitHub = "tonistiigi"
+
+	[people.vdemeester]
+	Name = "Vincent Demeester"
+	Email = "vincent@sbr.pm"
+	GitHub = "vdemeester"
+
+	[people.vieux]
+	Name = "Victor Vieux"
+	Email = "vieux@docker.com"
+	GitHub = "vieux"
+
diff --git a/cli/Makefile b/cli/Makefile
new file mode 100644
index 00000000..b56befa3
--- /dev/null
+++ b/cli/Makefile
@@ -0,0 +1,90 @@
+#
+# github.com/docker/cli
+#
+all: binary
+
+
+_:=$(shell ./scripts/warn-outside-container $(MAKECMDGOALS))
+
+.PHONY: clean
+clean: ## remove build artifacts
+	rm -rf ./build/* cli/winresources/rsrc_* ./man/man[1-9] docs/yaml/gen
+
+.PHONY: test-unit
+test-unit: ## run unit test
+	./scripts/test/unit $(shell go list ./... | grep -vE '/vendor/|/e2e/')
+
+.PHONY: test
+test: test-unit ## run tests
+
+.PHONY: test-coverage
+test-coverage: ## run test coverage
+	./scripts/test/unit-with-coverage $(shell go list ./... | grep -vE '/vendor/|/e2e/')
+
+.PHONY: lint
+lint: ## run all the lint tools
+	gometalinter --config gometalinter.json ./...
+
+.PHONY: binary
+binary: ## build executable for Linux
+	@echo "WARNING: binary creates a Linux executable. Use cross for macOS or Windows."
+	./scripts/build/binary
+
+.PHONY: cross
+cross: ## build executable for macOS and Windows
+	./scripts/build/cross
+
+.PHONY: binary-windows
+binary-windows: ## build executable for Windows
+	./scripts/build/windows
+
+.PHONY: binary-osx
+binary-osx: ## build executable for macOS
+	./scripts/build/osx
+
+.PHONY: dynbinary
+dynbinary: ## build dynamically linked binary
+	./scripts/build/dynbinary
+
+.PHONY: watch
+watch: ## monitor file changes and run go test
+	./scripts/test/watch
+
+vendor: vendor.conf ## check that vendor matches vendor.conf
+	rm -rf vendor
+	bash -c 'vndr |& grep -v -i clone'
+	scripts/validate/check-git-diff vendor
+
+.PHONY: authors
+authors: ## generate AUTHORS file from git history
+	scripts/docs/generate-authors.sh
+
+.PHONY: manpages
+manpages: ## generate man pages from go source and markdown
+	scripts/docs/generate-man.sh
+
+.PHONY: yamldocs
+yamldocs: ## generate documentation YAML files consumed by docs repo
+	scripts/docs/generate-yaml.sh
+
+.PHONY: shellcheck
+shellcheck: ## run shellcheck validation
+	scripts/validate/shellcheck
+
+.PHONY: help
+help: ## print this help
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+
+cli/compose/schema/bindata.go: cli/compose/schema/data/*.json
+	go generate github.com/docker/cli/cli/compose/schema
+
+compose-jsonschema: cli/compose/schema/bindata.go
+	scripts/validate/check-git-diff cli/compose/schema/bindata.go
+
+.PHONY: ci-validate
+ci-validate:
+	time make -B vendor
+	time make -B compose-jsonschema
+	time make manpages
+	time make yamldocs
diff --git a/cli/NOTICE b/cli/NOTICE
new file mode 100644
index 00000000..0c74e15b
--- /dev/null
+++ b/cli/NOTICE
@@ -0,0 +1,19 @@
+Docker
+Copyright 2012-2017 Docker, Inc.
+
+This product includes software developed at Docker, Inc. (https://www.docker.com).
+
+This product contains software (https://github.com/kr/pty) developed
+by Keith Rarick, licensed under the MIT License.
+
+The following is courtesy of our legal counsel:
+
+
+Use and transfer of Docker may be subject to certain restrictions by the
+United States and other governments.
+It is your responsibility to ensure that your use and/or transfer does not
+violate applicable laws.
+
+For more information, please see https://www.bis.doc.gov
+
+See also https://www.apache.org/dev/crypto.html and/or seek legal counsel.
diff --git a/cli/README.md b/cli/README.md
new file mode 100644
index 00000000..2964377e
--- /dev/null
+++ b/cli/README.md
@@ -0,0 +1,69 @@
+[![build status](https://circleci.com/gh/docker/cli.svg?style=shield)](https://circleci.com/gh/docker/cli/tree/master) [![Build Status](https://jenkins.dockerproject.org/job/docker/job/cli/job/master/badge/icon)](https://jenkins.dockerproject.org/job/docker/job/cli/job/master/)
+
+docker/cli
+==========
+
+This repository is the home of the cli used in the Docker CE and
+Docker EE products.
+
+Development
+===========
+
+`docker/cli` is developed using Docker.
+
+Build a linux binary:
+
+```
+$ make -f docker.Makefile binary
+```
+
+Build binaries for all supported platforms:
+
+```
+$ make -f docker.Makefile cross
+```
+
+Run all linting:
+
+```
+$ make -f docker.Makefile lint
+```
+
+List all the available targets:
+
+```
+$ make help
+```
+
+### In-container development environment
+
+Start an interactive development environment:
+
+```
+$ make -f docker.Makefile shell
+```
+
+In the development environment you can run many tasks, including build binaries:
+
+```
+$ make binary
+```
+
+Legal
+=====
+*Brought to you courtesy of our legal counsel. For more context,
+please see the [NOTICE](https://github.com/docker/cli/blob/master/NOTICE) document in this repo.*
+
+Use and transfer of Docker may be subject to certain restrictions by the
+United States and other governments.
+
+It is your responsibility to ensure that your use and/or transfer does not
+violate applicable laws.
+
+For more information, please see https://www.bis.doc.gov
+
+Licensing
+=========
+docker/cli is licensed under the Apache License, Version 2.0. See
+[LICENSE](https://github.com/docker/docker/blob/master/LICENSE) for the full
+license text.
diff --git a/cli/TESTING.md b/cli/TESTING.md
new file mode 100644
index 00000000..63bba1d3
--- /dev/null
+++ b/cli/TESTING.md
@@ -0,0 +1,87 @@
+# Testing
+
+The following guidelines summarize the testing policy for docker/cli.
+
+## Unit Test Suite
+
+All code changes should have unit test coverage.
+
+Error cases should be tested with unit tests.
+
+Bug fixes should be covered by new unit tests or additional assertions in
+existing unit tests.
+
+### Details
+
+The unit test suite follows the standard Go testing convention. Tests are
+located in the package directory in `_test.go` files.
+
+Unit tests should be named using the convention:
+
+```
+Test<Function Name><Test Case Name>
+```
+
+[Table tests](https://github.com/golang/go/wiki/TableDrivenTests) should be used
+where appropriate, but may not be appropriate in all cases.
+
+Assertions should be made using
+[testify/assert](https://godoc.org/github.com/stretchr/testify/assert) and test
+requirements should be verified using
+[testify/require](https://godoc.org/github.com/stretchr/testify/require).
+
+Fakes, and testing utilities can be found in
+[internal/test](https://godoc.org/github.com/docker/cli/internal/test) and
+[gotestyourself](https://godoc.org/github.com/gotestyourself/gotestyourself).
+
+## End-to-End Test Suite
+
+The end-to-end test suite tests a cli binary against a real API backend.
+
+### Guidelines
+
+Each feature (subcommand) should have a single end-to-end test for 
+the success case. The test should include all (or most) flags/options supported
+by that feature.
+
+In some rare cases a couple additional end-to-end tests may be written for a
+sufficiently complex and critical feature (ex: `container run`, `service 
+create`, `service update`, and `docker build` may have ~3-5 cases each).
+
+In some rare cases a sufficiently critical error paths may have a single
+end-to-end test case.
+
+In all other cases the behaviour should be covered by unit tests.
+
+If a code change adds a new flag, that flag should be added to the existing 
+"success case" end-to-end test.
+
+If a code change fixes a bug, that bug fix should be covered either by adding 
+assertions to the existing end-to-end test, or with one or more unit test.
+
+### Details
+
+The end-to-end test suite is located in
+[./e2e](https://github.com/docker/cli/tree/master/e2e). Each directory in `e2e`
+corresponds to a directory in `cli/command` and contains the tests for that
+subcommand. Files in each directory should be named `<command>_test.go` where
+command is the basename of the command (ex: the test for `docker stack deploy`
+is found in `e2e/stack/deploy_test.go`).
+
+Tests should be named using the convention:
+
+```
+Test<Command Basename>[<Test Case Name>]
+```
+
+where the test case name is only required when there are multiple test cases for
+a single command.
+
+End-to-end test should run the `docker` binary using
+[gotestyourself/icmd](https://godoc.org/github.com/gotestyourself/gotestyourself/icmd)
+and make assertions about the exit code, stdout, stderr, and local file system.
+
+Any Docker image or registry operations should use `registry:5000/<image name>`
+to communicate with the local instance of the Docker registry. To load 
+additional fixture images to the registry see
+[scripts/test/e2e/run](https://github.com/docker/cli/blob/master/scripts/test/e2e/run).
diff --git a/cli/VERSION b/cli/VERSION
new file mode 100644
index 00000000..944d763c
--- /dev/null
+++ b/cli/VERSION
@@ -0,0 +1 @@
+18.06.0-dev
diff --git a/cli/appveyor.yml b/cli/appveyor.yml
new file mode 100644
index 00000000..bb1e7d47
--- /dev/null
+++ b/cli/appveyor.yml
@@ -0,0 +1,23 @@
+version: "{build}"
+
+clone_folder: c:\gopath\src\github.com\docker\cli
+
+environment:
+  GOPATH: c:\gopath
+  GOVERSION: 1.10.3
+  DEPVERSION: v0.4.1
+
+install:
+  - rmdir c:\go /s /q
+  - appveyor DownloadFile https://storage.googleapis.com/golang/go%GOVERSION%.windows-amd64.msi
+  - msiexec /i go%GOVERSION%.windows-amd64.msi /q
+  - go version
+  - go env
+
+deploy: false
+
+build_script:
+  - ps: .\scripts\make.ps1 -Binary
+
+test_script:
+  - ps: .\scripts\make.ps1 -TestUnit
\ No newline at end of file
diff --git a/cli/circle.yml b/cli/circle.yml
new file mode 100644
index 00000000..53fcac73
--- /dev/null
+++ b/cli/circle.yml
@@ -0,0 +1,116 @@
+version: 2
+
+jobs:
+
+  lint:
+    working_directory: /work
+    docker: [{image: 'docker:17.06-git'}]
+    steps:
+      - checkout
+      - setup_remote_docker:
+            reusable: true
+            exclusive: false
+      - run:
+          command: docker version
+      - run:
+          name: "Lint"
+          command: |
+            dockerfile=dockerfiles/Dockerfile.lint
+            echo "COPY . ." >> $dockerfile
+            docker build -f $dockerfile --tag cli-linter:$CIRCLE_BUILD_NUM .
+            docker run --rm cli-linter:$CIRCLE_BUILD_NUM
+
+  cross:
+    working_directory: /work
+    docker: [{image: 'docker:17.06-git'}]
+    parallelism: 3
+    steps:
+      - checkout
+      - setup_remote_docker:
+            reusable: true
+            exclusive: false
+      - run:
+          name: "Cross"
+          command: |
+            dockerfile=dockerfiles/Dockerfile.cross
+            echo "COPY . ." >> $dockerfile
+            docker build -f $dockerfile --tag cli-builder:$CIRCLE_BUILD_NUM .
+            name=cross-$CIRCLE_BUILD_NUM-$CIRCLE_NODE_INDEX
+            docker run \
+                -e CROSS_GROUP=$CIRCLE_NODE_INDEX \
+                --name $name cli-builder:$CIRCLE_BUILD_NUM \
+                make cross
+            docker cp \
+                $name:/go/src/github.com/docker/cli/build \
+                /work/build
+      - store_artifacts:
+          path: /work/build
+
+  test:
+    working_directory: /work
+    docker: [{image: 'docker:17.06-git'}]
+    steps:
+      - checkout
+      - setup_remote_docker:
+            reusable: true
+            exclusive: false
+      - run:
+          name: "Unit Test with Coverage"
+          command: |
+            dockerfile=dockerfiles/Dockerfile.dev
+            echo "COPY . ." >> $dockerfile
+            docker build -f $dockerfile --tag cli-builder:$CIRCLE_BUILD_NUM .
+            docker run --name \
+                test-$CIRCLE_BUILD_NUM cli-builder:$CIRCLE_BUILD_NUM \
+                make test-coverage
+
+      - run:
+          name: "Upload to Codecov"
+          command: |
+            docker cp \
+                test-$CIRCLE_BUILD_NUM:/go/src/github.com/docker/cli/coverage.txt \
+                coverage.txt
+            apk add -U bash curl
+            curl -s https://codecov.io/bash | bash || \
+                echo 'Codecov failed to upload'
+
+  validate:
+    working_directory: /work
+    docker: [{image: 'docker:17.06-git'}]
+    steps:
+      - checkout
+      - setup_remote_docker:
+            reusable: true
+            exclusive: false
+      - run:
+          name: "Validate Vendor, Docs, and Code Generation"
+          command: |
+            dockerfile=dockerfiles/Dockerfile.dev
+            echo "COPY . ." >> $dockerfile
+            rm -f .dockerignore # include .git
+            docker build -f $dockerfile --tag cli-builder-with-git:$CIRCLE_BUILD_NUM .
+            docker run --rm cli-builder-with-git:$CIRCLE_BUILD_NUM \
+                make ci-validate
+  shellcheck:
+    working_directory: /work
+    docker: [{image: 'docker:17.06-git'}]
+    steps:
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: "Run shellcheck"
+          command: |
+            dockerfile=dockerfiles/Dockerfile.shellcheck
+            echo "COPY . ." >> $dockerfile
+            docker build -f $dockerfile --tag cli-validator:$CIRCLE_BUILD_NUM .
+            docker run --rm cli-validator:$CIRCLE_BUILD_NUM \
+                make shellcheck
+workflows:
+  version: 2
+  ci:
+    jobs:
+      - lint
+      - cross
+      - test
+      - validate
+      - shellcheck
diff --git a/cli/cli/cobra.go b/cli/cli/cobra.go
new file mode 100644
index 00000000..03cdfcc5
--- /dev/null
+++ b/cli/cli/cobra.go
@@ -0,0 +1,152 @@
+package cli
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/pkg/term"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+// SetupRootCommand sets default usage, help, and error handling for the
+// root command.
+func SetupRootCommand(rootCmd *cobra.Command) {
+	cobra.AddTemplateFunc("hasSubCommands", hasSubCommands)
+	cobra.AddTemplateFunc("hasManagementSubCommands", hasManagementSubCommands)
+	cobra.AddTemplateFunc("operationSubCommands", operationSubCommands)
+	cobra.AddTemplateFunc("managementSubCommands", managementSubCommands)
+	cobra.AddTemplateFunc("wrappedFlagUsages", wrappedFlagUsages)
+
+	rootCmd.SetUsageTemplate(usageTemplate)
+	rootCmd.SetHelpTemplate(helpTemplate)
+	rootCmd.SetFlagErrorFunc(FlagErrorFunc)
+	rootCmd.SetHelpCommand(helpCommand)
+	rootCmd.SetVersionTemplate("Docker version {{.Version}}\n")
+
+	rootCmd.PersistentFlags().BoolP("help", "h", false, "Print usage")
+	rootCmd.PersistentFlags().MarkShorthandDeprecated("help", "please use --help")
+	rootCmd.PersistentFlags().Lookup("help").Hidden = true
+}
+
+// FlagErrorFunc prints an error message which matches the format of the
+// docker/cli/cli error messages
+func FlagErrorFunc(cmd *cobra.Command, err error) error {
+	if err == nil {
+		return nil
+	}
+
+	usage := ""
+	if cmd.HasSubCommands() {
+		usage = "\n\n" + cmd.UsageString()
+	}
+	return StatusError{
+		Status:     fmt.Sprintf("%s\nSee '%s --help'.%s", err, cmd.CommandPath(), usage),
+		StatusCode: 125,
+	}
+}
+
+var helpCommand = &cobra.Command{
+	Use:               "help [command]",
+	Short:             "Help about the command",
+	PersistentPreRun:  func(cmd *cobra.Command, args []string) {},
+	PersistentPostRun: func(cmd *cobra.Command, args []string) {},
+	RunE: func(c *cobra.Command, args []string) error {
+		cmd, args, e := c.Root().Find(args)
+		if cmd == nil || e != nil || len(args) > 0 {
+			return errors.Errorf("unknown help topic: %v", strings.Join(args, " "))
+		}
+
+		helpFunc := cmd.HelpFunc()
+		helpFunc(cmd, args)
+		return nil
+	},
+}
+
+func hasSubCommands(cmd *cobra.Command) bool {
+	return len(operationSubCommands(cmd)) > 0
+}
+
+func hasManagementSubCommands(cmd *cobra.Command) bool {
+	return len(managementSubCommands(cmd)) > 0
+}
+
+func operationSubCommands(cmd *cobra.Command) []*cobra.Command {
+	cmds := []*cobra.Command{}
+	for _, sub := range cmd.Commands() {
+		if sub.IsAvailableCommand() && !sub.HasSubCommands() {
+			cmds = append(cmds, sub)
+		}
+	}
+	return cmds
+}
+
+func wrappedFlagUsages(cmd *cobra.Command) string {
+	width := 80
+	if ws, err := term.GetWinsize(0); err == nil {
+		width = int(ws.Width)
+	}
+	return cmd.Flags().FlagUsagesWrapped(width - 1)
+}
+
+func managementSubCommands(cmd *cobra.Command) []*cobra.Command {
+	cmds := []*cobra.Command{}
+	for _, sub := range cmd.Commands() {
+		if sub.IsAvailableCommand() && sub.HasSubCommands() {
+			cmds = append(cmds, sub)
+		}
+	}
+	return cmds
+}
+
+var usageTemplate = `Usage:
+
+{{- if not .HasSubCommands}}	{{.UseLine}}{{end}}
+{{- if .HasSubCommands}}	{{ .CommandPath}}{{- if .HasAvailableFlags}} [OPTIONS]{{end}} COMMAND{{end}}
+
+{{ .Short | trim }}
+
+{{- if gt .Aliases 0}}
+
+Aliases:
+  {{.NameAndAliases}}
+
+{{- end}}
+{{- if .HasExample}}
+
+Examples:
+{{ .Example }}
+
+{{- end}}
+{{- if .HasAvailableFlags}}
+
+Options:
+{{ wrappedFlagUsages . | trimRightSpace}}
+
+{{- end}}
+{{- if hasManagementSubCommands . }}
+
+Management Commands:
+
+{{- range managementSubCommands . }}
+  {{rpad .Name .NamePadding }} {{.Short}}
+{{- end}}
+
+{{- end}}
+{{- if hasSubCommands .}}
+
+Commands:
+
+{{- range operationSubCommands . }}
+  {{rpad .Name .NamePadding }} {{.Short}}
+{{- end}}
+{{- end}}
+
+{{- if .HasSubCommands }}
+
+Run '{{.CommandPath}} COMMAND --help' for more information on a command.
+{{- end}}
+`
+
+var helpTemplate = `
+{{if or .Runnable .HasSubCommands}}{{.UsageString}}{{end}}`
diff --git a/cli/cli/command/bundlefile/bundlefile.go b/cli/cli/command/bundlefile/bundlefile.go
new file mode 100644
index 00000000..07e2c8b0
--- /dev/null
+++ b/cli/cli/command/bundlefile/bundlefile.go
@@ -0,0 +1,70 @@
+package bundlefile
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/pkg/errors"
+)
+
+// Bundlefile stores the contents of a bundlefile
+type Bundlefile struct {
+	Version  string
+	Services map[string]Service
+}
+
+// Service is a service from a bundlefile
+type Service struct {
+	Image      string
+	Command    []string          `json:",omitempty"`
+	Args       []string          `json:",omitempty"`
+	Env        []string          `json:",omitempty"`
+	Labels     map[string]string `json:",omitempty"`
+	Ports      []Port            `json:",omitempty"`
+	WorkingDir *string           `json:",omitempty"`
+	User       *string           `json:",omitempty"`
+	Networks   []string          `json:",omitempty"`
+}
+
+// Port is a port as defined in a bundlefile
+type Port struct {
+	Protocol string
+	Port     uint32
+}
+
+// LoadFile loads a bundlefile from a path to the file
+func LoadFile(reader io.Reader) (*Bundlefile, error) {
+	bundlefile := &Bundlefile{}
+
+	decoder := json.NewDecoder(reader)
+	if err := decoder.Decode(bundlefile); err != nil {
+		switch jsonErr := err.(type) {
+		case *json.SyntaxError:
+			return nil, errors.Errorf(
+				"JSON syntax error at byte %v: %s",
+				jsonErr.Offset,
+				jsonErr.Error())
+		case *json.UnmarshalTypeError:
+			return nil, errors.Errorf(
+				"Unexpected type at byte %v. Expected %s but received %s.",
+				jsonErr.Offset,
+				jsonErr.Type,
+				jsonErr.Value)
+		}
+		return nil, err
+	}
+
+	return bundlefile, nil
+}
+
+// Print writes the contents of the bundlefile to the output writer
+// as human readable json
+func Print(out io.Writer, bundle *Bundlefile) error {
+	bytes, err := json.MarshalIndent(*bundle, "", "    ")
+	if err != nil {
+		return err
+	}
+
+	_, err = out.Write(bytes)
+	return err
+}
diff --git a/cli/cli/command/bundlefile/bundlefile_test.go b/cli/cli/command/bundlefile/bundlefile_test.go
new file mode 100644
index 00000000..cbaa341c
--- /dev/null
+++ b/cli/cli/command/bundlefile/bundlefile_test.go
@@ -0,0 +1,78 @@
+package bundlefile
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestLoadFileV01Success(t *testing.T) {
+	reader := strings.NewReader(`{
+		"Version": "0.1",
+		"Services": {
+			"redis": {
+				"Image": "redis@sha256:4b24131101fa0117bcaa18ac37055fffd9176aa1a240392bb8ea85e0be50f2ce",
+				"Networks": ["default"]
+			},
+			"web": {
+				"Image": "dockercloud/hello-world@sha256:fe79a2cfbd17eefc344fb8419420808df95a1e22d93b7f621a7399fd1e9dca1d",
+				"Networks": ["default"],
+				"User": "web"
+			}
+		}
+	}`)
+
+	bundle, err := LoadFile(reader)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("0.1", bundle.Version))
+	assert.Check(t, is.Len(bundle.Services, 2))
+}
+
+func TestLoadFileSyntaxError(t *testing.T) {
+	reader := strings.NewReader(`{
+		"Version": "0.1",
+		"Services": unquoted string
+	}`)
+
+	_, err := LoadFile(reader)
+	assert.Error(t, err, "JSON syntax error at byte 37: invalid character 'u' looking for beginning of value")
+}
+
+func TestLoadFileTypeError(t *testing.T) {
+	reader := strings.NewReader(`{
+		"Version": "0.1",
+		"Services": {
+			"web": {
+				"Image": "redis",
+				"Networks": "none"
+			}
+		}
+	}`)
+
+	_, err := LoadFile(reader)
+	assert.Error(t, err, "Unexpected type at byte 94. Expected []string but received string.")
+}
+
+func TestPrint(t *testing.T) {
+	var buffer bytes.Buffer
+	bundle := &Bundlefile{
+		Version: "0.1",
+		Services: map[string]Service{
+			"web": {
+				Image:   "image",
+				Command: []string{"echo", "something"},
+			},
+		},
+	}
+	assert.Check(t, Print(&buffer, bundle))
+	output := buffer.String()
+	assert.Check(t, is.Contains(output, "\"Image\": \"image\""))
+	assert.Check(t, is.Contains(output,
+		`"Command": [
+                "echo",
+                "something"
+            ]`))
+}
diff --git a/cli/cli/command/checkpoint/client_test.go b/cli/cli/command/checkpoint/client_test.go
new file mode 100644
index 00000000..c8fe190e
--- /dev/null
+++ b/cli/cli/command/checkpoint/client_test.go
@@ -0,0 +1,36 @@
+package checkpoint
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	checkpointCreateFunc func(container string, options types.CheckpointCreateOptions) error
+	checkpointDeleteFunc func(container string, options types.CheckpointDeleteOptions) error
+	checkpointListFunc   func(container string, options types.CheckpointListOptions) ([]types.Checkpoint, error)
+}
+
+func (cli *fakeClient) CheckpointCreate(ctx context.Context, container string, options types.CheckpointCreateOptions) error {
+	if cli.checkpointCreateFunc != nil {
+		return cli.checkpointCreateFunc(container, options)
+	}
+	return nil
+}
+
+func (cli *fakeClient) CheckpointDelete(ctx context.Context, container string, options types.CheckpointDeleteOptions) error {
+	if cli.checkpointDeleteFunc != nil {
+		return cli.checkpointDeleteFunc(container, options)
+	}
+	return nil
+}
+
+func (cli *fakeClient) CheckpointList(ctx context.Context, container string, options types.CheckpointListOptions) ([]types.Checkpoint, error) {
+	if cli.checkpointListFunc != nil {
+		return cli.checkpointListFunc(container, options)
+	}
+	return []types.Checkpoint{}, nil
+}
diff --git a/cli/cli/command/checkpoint/cmd.go b/cli/cli/command/checkpoint/cmd.go
new file mode 100644
index 00000000..2a698e74
--- /dev/null
+++ b/cli/cli/command/checkpoint/cmd.go
@@ -0,0 +1,28 @@
+package checkpoint
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// NewCheckpointCommand returns the `checkpoint` subcommand (only in experimental)
+func NewCheckpointCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "checkpoint",
+		Short: "Manage checkpoints",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{
+			"experimental": "",
+			"ostype":       "linux",
+			"version":      "1.25",
+		},
+	}
+	cmd.AddCommand(
+		newCreateCommand(dockerCli),
+		newListCommand(dockerCli),
+		newRemoveCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/checkpoint/create.go b/cli/cli/command/checkpoint/create.go
new file mode 100644
index 00000000..45b4bd63
--- /dev/null
+++ b/cli/cli/command/checkpoint/create.go
@@ -0,0 +1,57 @@
+package checkpoint
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+type createOptions struct {
+	container     string
+	checkpoint    string
+	checkpointDir string
+	leaveRunning  bool
+}
+
+func newCreateCommand(dockerCli command.Cli) *cobra.Command {
+	var opts createOptions
+
+	cmd := &cobra.Command{
+		Use:   "create [OPTIONS] CONTAINER CHECKPOINT",
+		Short: "Create a checkpoint from a running container",
+		Args:  cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.container = args[0]
+			opts.checkpoint = args[1]
+			return runCreate(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.leaveRunning, "leave-running", false, "Leave the container running after checkpoint")
+	flags.StringVarP(&opts.checkpointDir, "checkpoint-dir", "", "", "Use a custom checkpoint storage directory")
+
+	return cmd
+}
+
+func runCreate(dockerCli command.Cli, opts createOptions) error {
+	client := dockerCli.Client()
+
+	checkpointOpts := types.CheckpointCreateOptions{
+		CheckpointID:  opts.checkpoint,
+		CheckpointDir: opts.checkpointDir,
+		Exit:          !opts.leaveRunning,
+	}
+
+	err := client.CheckpointCreate(context.Background(), opts.container, checkpointOpts)
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintf(dockerCli.Out(), "%s\n", opts.checkpoint)
+	return nil
+}
diff --git a/cli/cli/command/checkpoint/create_test.go b/cli/cli/command/checkpoint/create_test.go
new file mode 100644
index 00000000..70c6aad7
--- /dev/null
+++ b/cli/cli/command/checkpoint/create_test.go
@@ -0,0 +1,72 @@
+package checkpoint
+
+import (
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestCheckpointCreateErrors(t *testing.T) {
+	testCases := []struct {
+		args                 []string
+		checkpointCreateFunc func(container string, options types.CheckpointCreateOptions) error
+		expectedError        string
+	}{
+		{
+			args:          []string{"too-few-arguments"},
+			expectedError: "requires exactly 2 arguments",
+		},
+		{
+			args:          []string{"too", "many", "arguments"},
+			expectedError: "requires exactly 2 arguments",
+		},
+		{
+			args: []string{"foo", "bar"},
+			checkpointCreateFunc: func(container string, options types.CheckpointCreateOptions) error {
+				return errors.Errorf("error creating checkpoint for container foo")
+			},
+			expectedError: "error creating checkpoint for container foo",
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			checkpointCreateFunc: tc.checkpointCreateFunc,
+		})
+		cmd := newCreateCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestCheckpointCreateWithOptions(t *testing.T) {
+	var containerID, checkpointID, checkpointDir string
+	var exit bool
+	cli := test.NewFakeCli(&fakeClient{
+		checkpointCreateFunc: func(container string, options types.CheckpointCreateOptions) error {
+			containerID = container
+			checkpointID = options.CheckpointID
+			checkpointDir = options.CheckpointDir
+			exit = options.Exit
+			return nil
+		},
+	})
+	cmd := newCreateCommand(cli)
+	checkpoint := "checkpoint-bar"
+	cmd.SetArgs([]string{"container-foo", checkpoint})
+	cmd.Flags().Set("leave-running", "true")
+	cmd.Flags().Set("checkpoint-dir", "/dir/foo")
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("container-foo", containerID))
+	assert.Check(t, is.Equal(checkpoint, checkpointID))
+	assert.Check(t, is.Equal("/dir/foo", checkpointDir))
+	assert.Check(t, is.Equal(false, exit))
+	assert.Check(t, is.Equal(checkpoint, strings.TrimSpace(cli.OutBuffer().String())))
+}
diff --git a/cli/cli/command/checkpoint/list.go b/cli/cli/command/checkpoint/list.go
new file mode 100644
index 00000000..7b041cfe
--- /dev/null
+++ b/cli/cli/command/checkpoint/list.go
@@ -0,0 +1,54 @@
+package checkpoint
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+type listOptions struct {
+	checkpointDir string
+}
+
+func newListCommand(dockerCli command.Cli) *cobra.Command {
+	var opts listOptions
+
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS] CONTAINER",
+		Aliases: []string{"list"},
+		Short:   "List checkpoints for a container",
+		Args:    cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runList(dockerCli, args[0], opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.checkpointDir, "checkpoint-dir", "", "", "Use a custom checkpoint storage directory")
+
+	return cmd
+
+}
+
+func runList(dockerCli command.Cli, container string, opts listOptions) error {
+	client := dockerCli.Client()
+
+	listOpts := types.CheckpointListOptions{
+		CheckpointDir: opts.checkpointDir,
+	}
+
+	checkpoints, err := client.CheckpointList(context.Background(), container, listOpts)
+	if err != nil {
+		return err
+	}
+
+	cpCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewCheckpointFormat(formatter.TableFormatKey),
+	}
+	return formatter.CheckpointWrite(cpCtx, checkpoints)
+}
diff --git a/cli/cli/command/checkpoint/list_test.go b/cli/cli/command/checkpoint/list_test.go
new file mode 100644
index 00000000..986d3ee4
--- /dev/null
+++ b/cli/cli/command/checkpoint/list_test.go
@@ -0,0 +1,67 @@
+package checkpoint
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestCheckpointListErrors(t *testing.T) {
+	testCases := []struct {
+		args               []string
+		checkpointListFunc func(container string, options types.CheckpointListOptions) ([]types.Checkpoint, error)
+		expectedError      string
+	}{
+		{
+			args:          []string{},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args:          []string{"too", "many", "arguments"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args: []string{"foo"},
+			checkpointListFunc: func(container string, options types.CheckpointListOptions) ([]types.Checkpoint, error) {
+				return []types.Checkpoint{}, errors.Errorf("error getting checkpoints for container foo")
+			},
+			expectedError: "error getting checkpoints for container foo",
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			checkpointListFunc: tc.checkpointListFunc,
+		})
+		cmd := newListCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestCheckpointListWithOptions(t *testing.T) {
+	var containerID, checkpointDir string
+	cli := test.NewFakeCli(&fakeClient{
+		checkpointListFunc: func(container string, options types.CheckpointListOptions) ([]types.Checkpoint, error) {
+			containerID = container
+			checkpointDir = options.CheckpointDir
+			return []types.Checkpoint{
+				{Name: "checkpoint-foo"},
+			}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	cmd.SetArgs([]string{"container-foo"})
+	cmd.Flags().Set("checkpoint-dir", "/dir/foo")
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("container-foo", containerID))
+	assert.Check(t, is.Equal("/dir/foo", checkpointDir))
+	golden.Assert(t, cli.OutBuffer().String(), "checkpoint-list-with-options.golden")
+}
diff --git a/cli/cli/command/checkpoint/remove.go b/cli/cli/command/checkpoint/remove.go
new file mode 100644
index 00000000..3f894421
--- /dev/null
+++ b/cli/cli/command/checkpoint/remove.go
@@ -0,0 +1,44 @@
+package checkpoint
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+type removeOptions struct {
+	checkpointDir string
+}
+
+func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	var opts removeOptions
+
+	cmd := &cobra.Command{
+		Use:     "rm [OPTIONS] CONTAINER CHECKPOINT",
+		Aliases: []string{"remove"},
+		Short:   "Remove a checkpoint",
+		Args:    cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runRemove(dockerCli, args[0], args[1], opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.checkpointDir, "checkpoint-dir", "", "", "Use a custom checkpoint storage directory")
+
+	return cmd
+}
+
+func runRemove(dockerCli command.Cli, container string, checkpoint string, opts removeOptions) error {
+	client := dockerCli.Client()
+
+	removeOpts := types.CheckpointDeleteOptions{
+		CheckpointID:  checkpoint,
+		CheckpointDir: opts.checkpointDir,
+	}
+
+	return client.CheckpointDelete(context.Background(), container, removeOpts)
+}
diff --git a/cli/cli/command/checkpoint/remove_test.go b/cli/cli/command/checkpoint/remove_test.go
new file mode 100644
index 00000000..d1a9ac4b
--- /dev/null
+++ b/cli/cli/command/checkpoint/remove_test.go
@@ -0,0 +1,65 @@
+package checkpoint
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestCheckpointRemoveErrors(t *testing.T) {
+	testCases := []struct {
+		args                 []string
+		checkpointDeleteFunc func(container string, options types.CheckpointDeleteOptions) error
+		expectedError        string
+	}{
+		{
+			args:          []string{"too-few-arguments"},
+			expectedError: "requires exactly 2 arguments",
+		},
+		{
+			args:          []string{"too", "many", "arguments"},
+			expectedError: "requires exactly 2 arguments",
+		},
+		{
+			args: []string{"foo", "bar"},
+			checkpointDeleteFunc: func(container string, options types.CheckpointDeleteOptions) error {
+				return errors.Errorf("error deleting checkpoint")
+			},
+			expectedError: "error deleting checkpoint",
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			checkpointDeleteFunc: tc.checkpointDeleteFunc,
+		})
+		cmd := newRemoveCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestCheckpointRemoveWithOptions(t *testing.T) {
+	var containerID, checkpointID, checkpointDir string
+	cli := test.NewFakeCli(&fakeClient{
+		checkpointDeleteFunc: func(container string, options types.CheckpointDeleteOptions) error {
+			containerID = container
+			checkpointID = options.CheckpointID
+			checkpointDir = options.CheckpointDir
+			return nil
+		},
+	})
+	cmd := newRemoveCommand(cli)
+	cmd.SetArgs([]string{"container-foo", "checkpoint-bar"})
+	cmd.Flags().Set("checkpoint-dir", "/dir/foo")
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("container-foo", containerID))
+	assert.Check(t, is.Equal("checkpoint-bar", checkpointID))
+	assert.Check(t, is.Equal("/dir/foo", checkpointDir))
+}
diff --git a/cli/cli/command/checkpoint/testdata/checkpoint-list-with-options.golden b/cli/cli/command/checkpoint/testdata/checkpoint-list-with-options.golden
new file mode 100644
index 00000000..f53f016a
--- /dev/null
+++ b/cli/cli/command/checkpoint/testdata/checkpoint-list-with-options.golden
@@ -0,0 +1,2 @@
+CHECKPOINT NAME
+checkpoint-foo
diff --git a/cli/cli/command/cli.go b/cli/cli/command/cli.go
new file mode 100644
index 00000000..b17aaf23
--- /dev/null
+++ b/cli/cli/command/cli.go
@@ -0,0 +1,320 @@
+package command
+
+import (
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"runtime"
+	"time"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/config"
+	cliconfig "github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	cliflags "github.com/docker/cli/cli/flags"
+	manifeststore "github.com/docker/cli/cli/manifest/store"
+	registryclient "github.com/docker/cli/cli/registry/client"
+	"github.com/docker/cli/cli/trust"
+	dopts "github.com/docker/cli/opts"
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/client"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/theupdateframework/notary"
+	notaryclient "github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/passphrase"
+)
+
+// Streams is an interface which exposes the standard input and output streams
+type Streams interface {
+	In() *InStream
+	Out() *OutStream
+	Err() io.Writer
+}
+
+// Cli represents the docker command line client.
+type Cli interface {
+	Client() client.APIClient
+	Out() *OutStream
+	Err() io.Writer
+	In() *InStream
+	SetIn(in *InStream)
+	ConfigFile() *configfile.ConfigFile
+	ServerInfo() ServerInfo
+	ClientInfo() ClientInfo
+	NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error)
+	DefaultVersion() string
+	ManifestStore() manifeststore.Store
+	RegistryClient(bool) registryclient.RegistryClient
+	ContentTrustEnabled() bool
+}
+
+// DockerCli is an instance the docker command line client.
+// Instances of the client can be returned from NewDockerCli.
+type DockerCli struct {
+	configFile   *configfile.ConfigFile
+	in           *InStream
+	out          *OutStream
+	err          io.Writer
+	client       client.APIClient
+	serverInfo   ServerInfo
+	clientInfo   ClientInfo
+	contentTrust bool
+}
+
+// DefaultVersion returns api.defaultVersion or DOCKER_API_VERSION if specified.
+func (cli *DockerCli) DefaultVersion() string {
+	return cli.clientInfo.DefaultVersion
+}
+
+// Client returns the APIClient
+func (cli *DockerCli) Client() client.APIClient {
+	return cli.client
+}
+
+// Out returns the writer used for stdout
+func (cli *DockerCli) Out() *OutStream {
+	return cli.out
+}
+
+// Err returns the writer used for stderr
+func (cli *DockerCli) Err() io.Writer {
+	return cli.err
+}
+
+// SetIn sets the reader used for stdin
+func (cli *DockerCli) SetIn(in *InStream) {
+	cli.in = in
+}
+
+// In returns the reader used for stdin
+func (cli *DockerCli) In() *InStream {
+	return cli.in
+}
+
+// ShowHelp shows the command help.
+func ShowHelp(err io.Writer) func(*cobra.Command, []string) error {
+	return func(cmd *cobra.Command, args []string) error {
+		cmd.SetOutput(err)
+		cmd.HelpFunc()(cmd, args)
+		return nil
+	}
+}
+
+// ConfigFile returns the ConfigFile
+func (cli *DockerCli) ConfigFile() *configfile.ConfigFile {
+	return cli.configFile
+}
+
+// ServerInfo returns the server version details for the host this client is
+// connected to
+func (cli *DockerCli) ServerInfo() ServerInfo {
+	return cli.serverInfo
+}
+
+// ClientInfo returns the client details for the cli
+func (cli *DockerCli) ClientInfo() ClientInfo {
+	return cli.clientInfo
+}
+
+// ContentTrustEnabled returns whether content trust has been enabled by an
+// environment variable.
+func (cli *DockerCli) ContentTrustEnabled() bool {
+	return cli.contentTrust
+}
+
+// ManifestStore returns a store for local manifests
+func (cli *DockerCli) ManifestStore() manifeststore.Store {
+	// TODO: support override default location from config file
+	return manifeststore.NewStore(filepath.Join(config.Dir(), "manifests"))
+}
+
+// RegistryClient returns a client for communicating with a Docker distribution
+// registry
+func (cli *DockerCli) RegistryClient(allowInsecure bool) registryclient.RegistryClient {
+	resolver := func(ctx context.Context, index *registrytypes.IndexInfo) types.AuthConfig {
+		return ResolveAuthConfig(ctx, cli, index)
+	}
+	return registryclient.NewRegistryClient(resolver, UserAgent(), allowInsecure)
+}
+
+// Initialize the dockerCli runs initialization that must happen after command
+// line flags are parsed.
+func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions) error {
+	cli.configFile = cliconfig.LoadDefaultConfigFile(cli.err)
+
+	var err error
+	cli.client, err = NewAPIClientFromFlags(opts.Common, cli.configFile)
+	if tlsconfig.IsErrEncryptedKey(err) {
+		passRetriever := passphrase.PromptRetrieverWithInOut(cli.In(), cli.Out(), nil)
+		newClient := func(password string) (client.APIClient, error) {
+			opts.Common.TLSOptions.Passphrase = password
+			return NewAPIClientFromFlags(opts.Common, cli.configFile)
+		}
+		cli.client, err = getClientWithPassword(passRetriever, newClient)
+	}
+	if err != nil {
+		return err
+	}
+	var experimentalValue string
+	// Environment variable always overrides configuration
+	if experimentalValue = os.Getenv("DOCKER_CLI_EXPERIMENTAL"); experimentalValue == "" {
+		experimentalValue = cli.configFile.Experimental
+	}
+	hasExperimental, err := isEnabled(experimentalValue)
+	if err != nil {
+		return errors.Wrap(err, "Experimental field")
+	}
+	cli.clientInfo = ClientInfo{
+		DefaultVersion:  cli.client.ClientVersion(),
+		HasExperimental: hasExperimental,
+	}
+	cli.initializeFromClient()
+	return nil
+}
+
+func isEnabled(value string) (bool, error) {
+	switch value {
+	case "enabled":
+		return true, nil
+	case "", "disabled":
+		return false, nil
+	default:
+		return false, errors.Errorf("%q is not valid, should be either enabled or disabled", value)
+	}
+}
+
+func (cli *DockerCli) initializeFromClient() {
+	ping, err := cli.client.Ping(context.Background())
+	if err != nil {
+		// Default to true if we fail to connect to daemon
+		cli.serverInfo = ServerInfo{HasExperimental: true}
+
+		if ping.APIVersion != "" {
+			cli.client.NegotiateAPIVersionPing(ping)
+		}
+		return
+	}
+
+	cli.serverInfo = ServerInfo{
+		HasExperimental: ping.Experimental,
+		OSType:          ping.OSType,
+	}
+	cli.client.NegotiateAPIVersionPing(ping)
+}
+
+func getClientWithPassword(passRetriever notary.PassRetriever, newClient func(password string) (client.APIClient, error)) (client.APIClient, error) {
+	for attempts := 0; ; attempts++ {
+		passwd, giveup, err := passRetriever("private", "encrypted TLS private", false, attempts)
+		if giveup || err != nil {
+			return nil, errors.Wrap(err, "private key is encrypted, but could not get passphrase")
+		}
+
+		apiclient, err := newClient(passwd)
+		if !tlsconfig.IsErrEncryptedKey(err) {
+			return apiclient, err
+		}
+	}
+}
+
+// NotaryClient provides a Notary Repository to interact with signed metadata for an image
+func (cli *DockerCli) NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error) {
+	return trust.GetNotaryRepository(cli.In(), cli.Out(), UserAgent(), imgRefAndAuth.RepoInfo(), imgRefAndAuth.AuthConfig(), actions...)
+}
+
+// ServerInfo stores details about the supported features and platform of the
+// server
+type ServerInfo struct {
+	HasExperimental bool
+	OSType          string
+}
+
+// ClientInfo stores details about the supported features of the client
+type ClientInfo struct {
+	HasExperimental bool
+	DefaultVersion  string
+}
+
+// NewDockerCli returns a DockerCli instance with IO output and error streams set by in, out and err.
+func NewDockerCli(in io.ReadCloser, out, err io.Writer, isTrusted bool) *DockerCli {
+	return &DockerCli{in: NewInStream(in), out: NewOutStream(out), err: err, contentTrust: isTrusted}
+}
+
+// NewAPIClientFromFlags creates a new APIClient from command line flags
+func NewAPIClientFromFlags(opts *cliflags.CommonOptions, configFile *configfile.ConfigFile) (client.APIClient, error) {
+	host, err := getServerHost(opts.Hosts, opts.TLSOptions)
+	if err != nil {
+		return &client.Client{}, err
+	}
+
+	customHeaders := configFile.HTTPHeaders
+	if customHeaders == nil {
+		customHeaders = map[string]string{}
+	}
+	customHeaders["User-Agent"] = UserAgent()
+
+	verStr := api.DefaultVersion
+	if tmpStr := os.Getenv("DOCKER_API_VERSION"); tmpStr != "" {
+		verStr = tmpStr
+	}
+
+	return client.NewClientWithOpts(
+		withHTTPClient(opts.TLSOptions),
+		client.WithHTTPHeaders(customHeaders),
+		client.WithVersion(verStr),
+		client.WithHost(host),
+	)
+}
+
+func getServerHost(hosts []string, tlsOptions *tlsconfig.Options) (string, error) {
+	var host string
+	switch len(hosts) {
+	case 0:
+		host = os.Getenv("DOCKER_HOST")
+	case 1:
+		host = hosts[0]
+	default:
+		return "", errors.New("Please specify only one -H")
+	}
+
+	return dopts.ParseHost(tlsOptions != nil, host)
+}
+
+func withHTTPClient(tlsOpts *tlsconfig.Options) func(*client.Client) error {
+	return func(c *client.Client) error {
+		if tlsOpts == nil {
+			// Use the default HTTPClient
+			return nil
+		}
+
+		opts := *tlsOpts
+		opts.ExclusiveRootPools = true
+		tlsConfig, err := tlsconfig.Client(opts)
+		if err != nil {
+			return err
+		}
+
+		httpClient := &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: tlsConfig,
+				DialContext: (&net.Dialer{
+					KeepAlive: 30 * time.Second,
+					Timeout:   30 * time.Second,
+				}).DialContext,
+			},
+			CheckRedirect: client.CheckRedirect,
+		}
+		return client.WithHTTPClient(httpClient)(c)
+	}
+}
+
+// UserAgent returns the user agent string used for making API requests
+func UserAgent() string {
+	return "Docker-Client/" + cli.Version + " (" + runtime.GOOS + ")"
+}
diff --git a/cli/cli/command/cli_test.go b/cli/cli/command/cli_test.go
new file mode 100644
index 00000000..a4b06e69
--- /dev/null
+++ b/cli/cli/command/cli_test.go
@@ -0,0 +1,228 @@
+package command
+
+import (
+	"context"
+	"crypto/x509"
+	"os"
+	"runtime"
+	"testing"
+
+	cliconfig "github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/flags"
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/env"
+	"gotest.tools/fs"
+)
+
+func TestNewAPIClientFromFlags(t *testing.T) {
+	host := "unix://path"
+	if runtime.GOOS == "windows" {
+		host = "npipe://./"
+	}
+	opts := &flags.CommonOptions{Hosts: []string{host}}
+	configFile := &configfile.ConfigFile{
+		HTTPHeaders: map[string]string{
+			"My-Header": "Custom-Value",
+		},
+	}
+	apiclient, err := NewAPIClientFromFlags(opts, configFile)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(host, apiclient.DaemonHost()))
+
+	expectedHeaders := map[string]string{
+		"My-Header":  "Custom-Value",
+		"User-Agent": UserAgent(),
+	}
+	assert.Check(t, is.DeepEqual(expectedHeaders, apiclient.(*client.Client).CustomHTTPHeaders()))
+	assert.Check(t, is.Equal(api.DefaultVersion, apiclient.ClientVersion()))
+}
+
+func TestNewAPIClientFromFlagsWithAPIVersionFromEnv(t *testing.T) {
+	customVersion := "v3.3.3"
+	defer env.Patch(t, "DOCKER_API_VERSION", customVersion)()
+
+	opts := &flags.CommonOptions{}
+	configFile := &configfile.ConfigFile{}
+	apiclient, err := NewAPIClientFromFlags(opts, configFile)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(customVersion, apiclient.ClientVersion()))
+}
+
+type fakeClient struct {
+	client.Client
+	pingFunc   func() (types.Ping, error)
+	version    string
+	negotiated bool
+}
+
+func (c *fakeClient) Ping(_ context.Context) (types.Ping, error) {
+	return c.pingFunc()
+}
+
+func (c *fakeClient) ClientVersion() string {
+	return c.version
+}
+
+func (c *fakeClient) NegotiateAPIVersionPing(types.Ping) {
+	c.negotiated = true
+}
+
+func TestInitializeFromClient(t *testing.T) {
+	defaultVersion := "v1.55"
+
+	var testcases = []struct {
+		doc            string
+		pingFunc       func() (types.Ping, error)
+		expectedServer ServerInfo
+		negotiated     bool
+	}{
+		{
+			doc: "successful ping",
+			pingFunc: func() (types.Ping, error) {
+				return types.Ping{Experimental: true, OSType: "linux", APIVersion: "v1.30"}, nil
+			},
+			expectedServer: ServerInfo{HasExperimental: true, OSType: "linux"},
+			negotiated:     true,
+		},
+		{
+			doc: "failed ping, no API version",
+			pingFunc: func() (types.Ping, error) {
+				return types.Ping{}, errors.New("failed")
+			},
+			expectedServer: ServerInfo{HasExperimental: true},
+		},
+		{
+			doc: "failed ping, with API version",
+			pingFunc: func() (types.Ping, error) {
+				return types.Ping{APIVersion: "v1.33"}, errors.New("failed")
+			},
+			expectedServer: ServerInfo{HasExperimental: true},
+			negotiated:     true,
+		},
+	}
+
+	for _, testcase := range testcases {
+		t.Run(testcase.doc, func(t *testing.T) {
+			apiclient := &fakeClient{
+				pingFunc: testcase.pingFunc,
+				version:  defaultVersion,
+			}
+
+			cli := &DockerCli{client: apiclient}
+			cli.initializeFromClient()
+			assert.Check(t, is.DeepEqual(testcase.expectedServer, cli.serverInfo))
+			assert.Check(t, is.Equal(testcase.negotiated, apiclient.negotiated))
+		})
+	}
+}
+
+func TestExperimentalCLI(t *testing.T) {
+	defaultVersion := "v1.55"
+
+	var testcases = []struct {
+		doc                     string
+		configfile              string
+		expectedExperimentalCLI bool
+	}{
+		{
+			doc:                     "default",
+			configfile:              `{}`,
+			expectedExperimentalCLI: false,
+		},
+		{
+			doc: "experimental",
+			configfile: `{
+	"experimental": "enabled"
+}`,
+			expectedExperimentalCLI: true,
+		},
+	}
+
+	for _, testcase := range testcases {
+		t.Run(testcase.doc, func(t *testing.T) {
+			dir := fs.NewDir(t, testcase.doc, fs.WithFile("config.json", testcase.configfile))
+			defer dir.Remove()
+			apiclient := &fakeClient{
+				version: defaultVersion,
+			}
+
+			cli := &DockerCli{client: apiclient, err: os.Stderr}
+			cliconfig.SetDir(dir.Path())
+			err := cli.Initialize(flags.NewClientOptions())
+			assert.NilError(t, err)
+			assert.Check(t, is.Equal(testcase.expectedExperimentalCLI, cli.ClientInfo().HasExperimental))
+		})
+	}
+}
+
+func TestGetClientWithPassword(t *testing.T) {
+	expected := "password"
+
+	var testcases = []struct {
+		doc             string
+		password        string
+		retrieverErr    error
+		retrieverGiveup bool
+		newClientErr    error
+		expectedErr     string
+	}{
+		{
+			doc:      "successful connect",
+			password: expected,
+		},
+		{
+			doc:             "password retriever exhausted",
+			retrieverGiveup: true,
+			retrieverErr:    errors.New("failed"),
+			expectedErr:     "private key is encrypted, but could not get passphrase",
+		},
+		{
+			doc:          "password retriever error",
+			retrieverErr: errors.New("failed"),
+			expectedErr:  "failed",
+		},
+		{
+			doc:          "newClient error",
+			newClientErr: errors.New("failed to connect"),
+			expectedErr:  "failed to connect",
+		},
+	}
+
+	for _, testcase := range testcases {
+		t.Run(testcase.doc, func(t *testing.T) {
+			passRetriever := func(_, _ string, _ bool, attempts int) (passphrase string, giveup bool, err error) {
+				// Always return an invalid pass first to test iteration
+				switch attempts {
+				case 0:
+					return "something else", false, nil
+				default:
+					return testcase.password, testcase.retrieverGiveup, testcase.retrieverErr
+				}
+			}
+
+			newClient := func(currentPassword string) (client.APIClient, error) {
+				if testcase.newClientErr != nil {
+					return nil, testcase.newClientErr
+				}
+				if currentPassword == expected {
+					return &client.Client{}, nil
+				}
+				return &client.Client{}, x509.IncorrectPasswordError
+			}
+
+			_, err := getClientWithPassword(passRetriever, newClient)
+			if testcase.expectedErr != "" {
+				assert.ErrorContains(t, err, testcase.expectedErr)
+				return
+			}
+
+			assert.NilError(t, err)
+		})
+	}
+}
diff --git a/cli/cli/command/commands/commands.go b/cli/cli/command/commands/commands.go
new file mode 100644
index 00000000..87808305
--- /dev/null
+++ b/cli/cli/command/commands/commands.go
@@ -0,0 +1,133 @@
+package commands
+
+import (
+	"os"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/checkpoint"
+	"github.com/docker/cli/cli/command/config"
+	"github.com/docker/cli/cli/command/container"
+	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/cli/command/manifest"
+	"github.com/docker/cli/cli/command/network"
+	"github.com/docker/cli/cli/command/node"
+	"github.com/docker/cli/cli/command/plugin"
+	"github.com/docker/cli/cli/command/registry"
+	"github.com/docker/cli/cli/command/secret"
+	"github.com/docker/cli/cli/command/service"
+	"github.com/docker/cli/cli/command/stack"
+	"github.com/docker/cli/cli/command/swarm"
+	"github.com/docker/cli/cli/command/system"
+	"github.com/docker/cli/cli/command/trust"
+	"github.com/docker/cli/cli/command/volume"
+	"github.com/spf13/cobra"
+)
+
+// AddCommands adds all the commands from cli/command to the root command
+func AddCommands(cmd *cobra.Command, dockerCli command.Cli) {
+	cmd.AddCommand(
+		// checkpoint
+		checkpoint.NewCheckpointCommand(dockerCli),
+
+		// config
+		config.NewConfigCommand(dockerCli),
+
+		// container
+		container.NewContainerCommand(dockerCli),
+		container.NewRunCommand(dockerCli),
+
+		// image
+		image.NewImageCommand(dockerCli),
+		image.NewBuildCommand(dockerCli),
+
+		// manifest
+		manifest.NewManifestCommand(dockerCli),
+
+		// network
+		network.NewNetworkCommand(dockerCli),
+
+		// node
+		node.NewNodeCommand(dockerCli),
+
+		// plugin
+		plugin.NewPluginCommand(dockerCli),
+
+		// registry
+		registry.NewLoginCommand(dockerCli),
+		registry.NewLogoutCommand(dockerCli),
+		registry.NewSearchCommand(dockerCli),
+
+		// secret
+		secret.NewSecretCommand(dockerCli),
+
+		// service
+		service.NewServiceCommand(dockerCli),
+
+		// system
+		system.NewSystemCommand(dockerCli),
+		system.NewVersionCommand(dockerCli),
+
+		// stack
+		stack.NewStackCommand(dockerCli),
+		stack.NewTopLevelDeployCommand(dockerCli),
+
+		// swarm
+		swarm.NewSwarmCommand(dockerCli),
+
+		// trust
+		trust.NewTrustCommand(dockerCli),
+
+		// volume
+		volume.NewVolumeCommand(dockerCli),
+
+		// legacy commands may be hidden
+		hide(system.NewEventsCommand(dockerCli)),
+		hide(system.NewInfoCommand(dockerCli)),
+		hide(system.NewInspectCommand(dockerCli)),
+		hide(container.NewAttachCommand(dockerCli)),
+		hide(container.NewCommitCommand(dockerCli)),
+		hide(container.NewCopyCommand(dockerCli)),
+		hide(container.NewCreateCommand(dockerCli)),
+		hide(container.NewDiffCommand(dockerCli)),
+		hide(container.NewExecCommand(dockerCli)),
+		hide(container.NewExportCommand(dockerCli)),
+		hide(container.NewKillCommand(dockerCli)),
+		hide(container.NewLogsCommand(dockerCli)),
+		hide(container.NewPauseCommand(dockerCli)),
+		hide(container.NewPortCommand(dockerCli)),
+		hide(container.NewPsCommand(dockerCli)),
+		hide(container.NewRenameCommand(dockerCli)),
+		hide(container.NewRestartCommand(dockerCli)),
+		hide(container.NewRmCommand(dockerCli)),
+		hide(container.NewStartCommand(dockerCli)),
+		hide(container.NewStatsCommand(dockerCli)),
+		hide(container.NewStopCommand(dockerCli)),
+		hide(container.NewTopCommand(dockerCli)),
+		hide(container.NewUnpauseCommand(dockerCli)),
+		hide(container.NewUpdateCommand(dockerCli)),
+		hide(container.NewWaitCommand(dockerCli)),
+		hide(image.NewHistoryCommand(dockerCli)),
+		hide(image.NewImagesCommand(dockerCli)),
+		hide(image.NewImportCommand(dockerCli)),
+		hide(image.NewLoadCommand(dockerCli)),
+		hide(image.NewPullCommand(dockerCli)),
+		hide(image.NewPushCommand(dockerCli)),
+		hide(image.NewRemoveCommand(dockerCli)),
+		hide(image.NewSaveCommand(dockerCli)),
+		hide(image.NewTagCommand(dockerCli)),
+	)
+
+}
+
+func hide(cmd *cobra.Command) *cobra.Command {
+	// If the environment variable with name "DOCKER_HIDE_LEGACY_COMMANDS" is not empty,
+	// these legacy commands (such as `docker ps`, `docker exec`, etc)
+	// will not be shown in output console.
+	if os.Getenv("DOCKER_HIDE_LEGACY_COMMANDS") == "" {
+		return cmd
+	}
+	cmdCopy := *cmd
+	cmdCopy.Hidden = true
+	cmdCopy.Aliases = []string{}
+	return &cmdCopy
+}
diff --git a/cli/cli/command/config/client_test.go b/cli/cli/command/config/client_test.go
new file mode 100644
index 00000000..2e19b775
--- /dev/null
+++ b/cli/cli/command/config/client_test.go
@@ -0,0 +1,45 @@
+package config
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	configCreateFunc  func(swarm.ConfigSpec) (types.ConfigCreateResponse, error)
+	configInspectFunc func(string) (swarm.Config, []byte, error)
+	configListFunc    func(types.ConfigListOptions) ([]swarm.Config, error)
+	configRemoveFunc  func(string) error
+}
+
+func (c *fakeClient) ConfigCreate(ctx context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+	if c.configCreateFunc != nil {
+		return c.configCreateFunc(spec)
+	}
+	return types.ConfigCreateResponse{}, nil
+}
+
+func (c *fakeClient) ConfigInspectWithRaw(ctx context.Context, id string) (swarm.Config, []byte, error) {
+	if c.configInspectFunc != nil {
+		return c.configInspectFunc(id)
+	}
+	return swarm.Config{}, nil, nil
+}
+
+func (c *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+	if c.configListFunc != nil {
+		return c.configListFunc(options)
+	}
+	return []swarm.Config{}, nil
+}
+
+func (c *fakeClient) ConfigRemove(ctx context.Context, name string) error {
+	if c.configRemoveFunc != nil {
+		return c.configRemoveFunc(name)
+	}
+	return nil
+}
diff --git a/cli/cli/command/config/cmd.go b/cli/cli/command/config/cmd.go
new file mode 100644
index 00000000..7defe2a6
--- /dev/null
+++ b/cli/cli/command/config/cmd.go
@@ -0,0 +1,29 @@
+package config
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+)
+
+// NewConfigCommand returns a cobra command for `config` subcommands
+func NewConfigCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "config",
+		Short: "Manage Docker configs",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{
+			"version": "1.30",
+			"swarm":   "",
+		},
+	}
+	cmd.AddCommand(
+		newConfigListCommand(dockerCli),
+		newConfigCreateCommand(dockerCli),
+		newConfigInspectCommand(dockerCli),
+		newConfigRemoveCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/config/create.go b/cli/cli/command/config/create.go
new file mode 100644
index 00000000..04130313
--- /dev/null
+++ b/cli/cli/command/config/create.go
@@ -0,0 +1,86 @@
+package config
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type createOptions struct {
+	name           string
+	templateDriver string
+	file           string
+	labels         opts.ListOpts
+}
+
+func newConfigCreateCommand(dockerCli command.Cli) *cobra.Command {
+	createOpts := createOptions{
+		labels: opts.NewListOpts(opts.ValidateEnv),
+	}
+
+	cmd := &cobra.Command{
+		Use:   "create [OPTIONS] CONFIG file|-",
+		Short: "Create a config from a file or STDIN",
+		Args:  cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			createOpts.name = args[0]
+			createOpts.file = args[1]
+			return runConfigCreate(dockerCli, createOpts)
+		},
+	}
+	flags := cmd.Flags()
+	flags.VarP(&createOpts.labels, "label", "l", "Config labels")
+	flags.StringVar(&createOpts.templateDriver, "template-driver", "", "Template driver")
+	flags.SetAnnotation("driver", "version", []string{"1.37"})
+
+	return cmd
+}
+
+func runConfigCreate(dockerCli command.Cli, options createOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	var in io.Reader = dockerCli.In()
+	if options.file != "-" {
+		file, err := system.OpenSequential(options.file)
+		if err != nil {
+			return err
+		}
+		in = file
+		defer file.Close()
+	}
+
+	configData, err := ioutil.ReadAll(in)
+	if err != nil {
+		return errors.Errorf("Error reading content from %q: %v", options.file, err)
+	}
+
+	spec := swarm.ConfigSpec{
+		Annotations: swarm.Annotations{
+			Name:   options.name,
+			Labels: opts.ConvertKVStringsToMap(options.labels.GetAll()),
+		},
+		Data: configData,
+	}
+	if options.templateDriver != "" {
+		spec.Templating = &swarm.Driver{
+			Name: options.templateDriver,
+		}
+	}
+	r, err := client.ConfigCreate(ctx, spec)
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintln(dockerCli.Out(), r.ID)
+	return nil
+}
diff --git a/cli/cli/command/config/create_test.go b/cli/cli/command/config/create_test.go
new file mode 100644
index 00000000..bb2ea946
--- /dev/null
+++ b/cli/cli/command/config/create_test.go
@@ -0,0 +1,143 @@
+package config
+
+import (
+	"io/ioutil"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+const configDataFile = "config-create-with-name.golden"
+
+func TestConfigCreateErrors(t *testing.T) {
+	testCases := []struct {
+		args             []string
+		configCreateFunc func(swarm.ConfigSpec) (types.ConfigCreateResponse, error)
+		expectedError    string
+	}{
+		{
+			args:          []string{"too_few"},
+			expectedError: "requires exactly 2 arguments",
+		},
+		{args: []string{"too", "many", "arguments"},
+			expectedError: "requires exactly 2 arguments",
+		},
+		{
+			args: []string{"name", filepath.Join("testdata", configDataFile)},
+			configCreateFunc: func(configSpec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+				return types.ConfigCreateResponse{}, errors.Errorf("error creating config")
+			},
+			expectedError: "error creating config",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newConfigCreateCommand(
+			test.NewFakeCli(&fakeClient{
+				configCreateFunc: tc.configCreateFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestConfigCreateWithName(t *testing.T) {
+	name := "foo"
+	var actual []byte
+	cli := test.NewFakeCli(&fakeClient{
+		configCreateFunc: func(spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+			if spec.Name != name {
+				return types.ConfigCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
+			}
+
+			actual = spec.Data
+
+			return types.ConfigCreateResponse{
+				ID: "ID-" + spec.Name,
+			}, nil
+		},
+	})
+
+	cmd := newConfigCreateCommand(cli)
+	cmd.SetArgs([]string{name, filepath.Join("testdata", configDataFile)})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, string(actual), configDataFile)
+	assert.Check(t, is.Equal("ID-"+name, strings.TrimSpace(cli.OutBuffer().String())))
+}
+
+func TestConfigCreateWithLabels(t *testing.T) {
+	expectedLabels := map[string]string{
+		"lbl1": "Label-foo",
+		"lbl2": "Label-bar",
+	}
+	name := "foo"
+
+	data, err := ioutil.ReadFile(filepath.Join("testdata", configDataFile))
+	assert.NilError(t, err)
+
+	expected := swarm.ConfigSpec{
+		Annotations: swarm.Annotations{
+			Name:   name,
+			Labels: expectedLabels,
+		},
+		Data: data,
+	}
+
+	cli := test.NewFakeCli(&fakeClient{
+		configCreateFunc: func(spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+			if !reflect.DeepEqual(spec, expected) {
+				return types.ConfigCreateResponse{}, errors.Errorf("expected %+v, got %+v", expected, spec)
+			}
+
+			return types.ConfigCreateResponse{
+				ID: "ID-" + spec.Name,
+			}, nil
+		},
+	})
+
+	cmd := newConfigCreateCommand(cli)
+	cmd.SetArgs([]string{name, filepath.Join("testdata", configDataFile)})
+	cmd.Flags().Set("label", "lbl1=Label-foo")
+	cmd.Flags().Set("label", "lbl2=Label-bar")
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("ID-"+name, strings.TrimSpace(cli.OutBuffer().String())))
+}
+
+func TestConfigCreateWithTemplatingDriver(t *testing.T) {
+	expectedDriver := &swarm.Driver{
+		Name: "template-driver",
+	}
+	name := "foo"
+
+	cli := test.NewFakeCli(&fakeClient{
+		configCreateFunc: func(spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+			if spec.Name != name {
+				return types.ConfigCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
+			}
+
+			if spec.Templating.Name != expectedDriver.Name {
+				return types.ConfigCreateResponse{}, errors.Errorf("expected driver %v, got %v", expectedDriver, spec.Labels)
+			}
+
+			return types.ConfigCreateResponse{
+				ID: "ID-" + spec.Name,
+			}, nil
+		},
+	})
+
+	cmd := newConfigCreateCommand(cli)
+	cmd.SetArgs([]string{name, filepath.Join("testdata", configDataFile)})
+	cmd.Flags().Set("template-driver", expectedDriver.Name)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("ID-"+name, strings.TrimSpace(cli.OutBuffer().String())))
+}
diff --git a/cli/cli/command/config/inspect.go b/cli/cli/command/config/inspect.go
new file mode 100644
index 00000000..d1515ec9
--- /dev/null
+++ b/cli/cli/command/config/inspect.go
@@ -0,0 +1,66 @@
+package config
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	names  []string
+	format string
+	pretty bool
+}
+
+func newConfigInspectCommand(dockerCli command.Cli) *cobra.Command {
+	opts := inspectOptions{}
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] CONFIG [CONFIG...]",
+		Short: "Display detailed information on one or more configs",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.names = args
+			return runConfigInspect(dockerCli, opts)
+		},
+	}
+
+	cmd.Flags().StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	cmd.Flags().BoolVar(&opts.pretty, "pretty", false, "Print the information in a human friendly format")
+	return cmd
+}
+
+func runConfigInspect(dockerCli command.Cli, opts inspectOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	if opts.pretty {
+		opts.format = "pretty"
+	}
+
+	getRef := func(id string) (interface{}, []byte, error) {
+		return client.ConfigInspectWithRaw(ctx, id)
+	}
+	f := opts.format
+
+	// check if the user is trying to apply a template to the pretty format, which
+	// is not supported
+	if strings.HasPrefix(f, "pretty") && f != "pretty" {
+		return fmt.Errorf("Cannot supply extra formatting options to the pretty template")
+	}
+
+	configCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewConfigFormat(f, false),
+	}
+
+	if err := formatter.ConfigInspectWrite(configCtx, opts.names, getRef); err != nil {
+		return cli.StatusError{StatusCode: 1, Status: err.Error()}
+	}
+	return nil
+
+}
diff --git a/cli/cli/command/config/inspect_test.go b/cli/cli/command/config/inspect_test.go
new file mode 100644
index 00000000..1b4f275c
--- /dev/null
+++ b/cli/cli/command/config/inspect_test.go
@@ -0,0 +1,172 @@
+package config
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestConfigInspectErrors(t *testing.T) {
+	testCases := []struct {
+		args              []string
+		flags             map[string]string
+		configInspectFunc func(configID string) (swarm.Config, []byte, error)
+		expectedError     string
+	}{
+		{
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			args: []string{"foo"},
+			configInspectFunc: func(configID string) (swarm.Config, []byte, error) {
+				return swarm.Config{}, nil, errors.Errorf("error while inspecting the config")
+			},
+			expectedError: "error while inspecting the config",
+		},
+		{
+			args: []string{"foo"},
+			flags: map[string]string{
+				"format": "{{invalid format}}",
+			},
+			expectedError: "Template parsing error",
+		},
+		{
+			args: []string{"foo", "bar"},
+			configInspectFunc: func(configID string) (swarm.Config, []byte, error) {
+				if configID == "foo" {
+					return *Config(ConfigName("foo")), nil, nil
+				}
+				return swarm.Config{}, nil, errors.Errorf("error while inspecting the config")
+			},
+			expectedError: "error while inspecting the config",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newConfigInspectCommand(
+			test.NewFakeCli(&fakeClient{
+				configInspectFunc: tc.configInspectFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestConfigInspectWithoutFormat(t *testing.T) {
+	testCases := []struct {
+		name              string
+		args              []string
+		configInspectFunc func(configID string) (swarm.Config, []byte, error)
+	}{
+		{
+			name: "single-config",
+			args: []string{"foo"},
+			configInspectFunc: func(name string) (swarm.Config, []byte, error) {
+				if name != "foo" {
+					return swarm.Config{}, nil, errors.Errorf("Invalid name, expected %s, got %s", "foo", name)
+				}
+				return *Config(ConfigID("ID-foo"), ConfigName("foo")), nil, nil
+			},
+		},
+		{
+			name: "multiple-configs-with-labels",
+			args: []string{"foo", "bar"},
+			configInspectFunc: func(name string) (swarm.Config, []byte, error) {
+				return *Config(ConfigID("ID-"+name), ConfigName(name), ConfigLabels(map[string]string{
+					"label1": "label-foo",
+				})), nil, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{configInspectFunc: tc.configInspectFunc})
+		cmd := newConfigInspectCommand(cli)
+		cmd.SetArgs(tc.args)
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("config-inspect-without-format.%s.golden", tc.name))
+	}
+}
+
+func TestConfigInspectWithFormat(t *testing.T) {
+	configInspectFunc := func(name string) (swarm.Config, []byte, error) {
+		return *Config(ConfigName("foo"), ConfigLabels(map[string]string{
+			"label1": "label-foo",
+		})), nil, nil
+	}
+	testCases := []struct {
+		name              string
+		format            string
+		args              []string
+		configInspectFunc func(name string) (swarm.Config, []byte, error)
+	}{
+		{
+			name:              "simple-template",
+			format:            "{{.Spec.Name}}",
+			args:              []string{"foo"},
+			configInspectFunc: configInspectFunc,
+		},
+		{
+			name:              "json-template",
+			format:            "{{json .Spec.Labels}}",
+			args:              []string{"foo"},
+			configInspectFunc: configInspectFunc,
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			configInspectFunc: tc.configInspectFunc,
+		})
+		cmd := newConfigInspectCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.Flags().Set("format", tc.format)
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("config-inspect-with-format.%s.golden", tc.name))
+	}
+}
+
+func TestConfigInspectPretty(t *testing.T) {
+	testCases := []struct {
+		name              string
+		configInspectFunc func(string) (swarm.Config, []byte, error)
+	}{
+		{
+			name: "simple",
+			configInspectFunc: func(id string) (swarm.Config, []byte, error) {
+				return *Config(
+					ConfigLabels(map[string]string{
+						"lbl1": "value1",
+					}),
+					ConfigID("configID"),
+					ConfigName("configName"),
+					ConfigCreatedAt(time.Time{}),
+					ConfigUpdatedAt(time.Time{}),
+					ConfigData([]byte("payload here")),
+				), []byte{}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			configInspectFunc: tc.configInspectFunc,
+		})
+		cmd := newConfigInspectCommand(cli)
+
+		cmd.SetArgs([]string{"configID"})
+		cmd.Flags().Set("pretty", "true")
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("config-inspect-pretty.%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/config/ls.go b/cli/cli/command/config/ls.go
new file mode 100644
index 00000000..dd2d89ed
--- /dev/null
+++ b/cli/cli/command/config/ls.go
@@ -0,0 +1,77 @@
+package config
+
+import (
+	"context"
+	"sort"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/spf13/cobra"
+	"vbom.ml/util/sortorder"
+)
+
+type byConfigName []swarm.Config
+
+func (r byConfigName) Len() int      { return len(r) }
+func (r byConfigName) Swap(i, j int) { r[i], r[j] = r[j], r[i] }
+func (r byConfigName) Less(i, j int) bool {
+	return sortorder.NaturalLess(r[i].Spec.Name, r[j].Spec.Name)
+}
+
+type listOptions struct {
+	quiet  bool
+	format string
+	filter opts.FilterOpt
+}
+
+func newConfigListCommand(dockerCli command.Cli) *cobra.Command {
+	listOpts := listOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS]",
+		Aliases: []string{"list"},
+		Short:   "List configs",
+		Args:    cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runConfigList(dockerCli, listOpts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&listOpts.quiet, "quiet", "q", false, "Only display IDs")
+	flags.StringVarP(&listOpts.format, "format", "", "", "Pretty-print configs using a Go template")
+	flags.VarP(&listOpts.filter, "filter", "f", "Filter output based on conditions provided")
+
+	return cmd
+}
+
+func runConfigList(dockerCli command.Cli, options listOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	configs, err := client.ConfigList(ctx, types.ConfigListOptions{Filters: options.filter.Value()})
+	if err != nil {
+		return err
+	}
+
+	format := options.format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().ConfigFormat) > 0 && !options.quiet {
+			format = dockerCli.ConfigFile().ConfigFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+
+	sort.Sort(byConfigName(configs))
+
+	configCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewConfigFormat(format, options.quiet),
+	}
+	return formatter.ConfigWrite(configCtx, configs)
+}
diff --git a/cli/cli/command/config/ls_test.go b/cli/cli/command/config/ls_test.go
new file mode 100644
index 00000000..d3055b4a
--- /dev/null
+++ b/cli/cli/command/config/ls_test.go
@@ -0,0 +1,158 @@
+package config
+
+import (
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestConfigListErrors(t *testing.T) {
+	testCases := []struct {
+		args           []string
+		configListFunc func(types.ConfigListOptions) ([]swarm.Config, error)
+		expectedError  string
+	}{
+		{
+			args:          []string{"foo"},
+			expectedError: "accepts no argument",
+		},
+		{
+			configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+				return []swarm.Config{}, errors.Errorf("error listing configs")
+			},
+			expectedError: "error listing configs",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newConfigListCommand(
+			test.NewFakeCli(&fakeClient{
+				configListFunc: tc.configListFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestConfigList(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+			return []swarm.Config{
+				*Config(ConfigID("ID-1-foo"),
+					ConfigName("1-foo"),
+					ConfigVersion(swarm.Version{Index: 10}),
+					ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
+					ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
+				),
+				*Config(ConfigID("ID-10-foo"),
+					ConfigName("10-foo"),
+					ConfigVersion(swarm.Version{Index: 11}),
+					ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
+					ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
+				),
+				*Config(ConfigID("ID-2-foo"),
+					ConfigName("2-foo"),
+					ConfigVersion(swarm.Version{Index: 11}),
+					ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
+					ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
+				),
+			}, nil
+		},
+	})
+	cmd := newConfigListCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "config-list-sort.golden")
+}
+
+func TestConfigListWithQuietOption(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+			return []swarm.Config{
+				*Config(ConfigID("ID-foo"), ConfigName("foo")),
+				*Config(ConfigID("ID-bar"), ConfigName("bar"), ConfigLabels(map[string]string{
+					"label": "label-bar",
+				})),
+			}, nil
+		},
+	})
+	cmd := newConfigListCommand(cli)
+	cmd.Flags().Set("quiet", "true")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "config-list-with-quiet-option.golden")
+}
+
+func TestConfigListWithConfigFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+			return []swarm.Config{
+				*Config(ConfigID("ID-foo"), ConfigName("foo")),
+				*Config(ConfigID("ID-bar"), ConfigName("bar"), ConfigLabels(map[string]string{
+					"label": "label-bar",
+				})),
+			}, nil
+		},
+	})
+	cli.SetConfigFile(&configfile.ConfigFile{
+		ConfigFormat: "{{ .Name }} {{ .Labels }}",
+	})
+	cmd := newConfigListCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "config-list-with-config-format.golden")
+}
+
+func TestConfigListWithFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+			return []swarm.Config{
+				*Config(ConfigID("ID-foo"), ConfigName("foo")),
+				*Config(ConfigID("ID-bar"), ConfigName("bar"), ConfigLabels(map[string]string{
+					"label": "label-bar",
+				})),
+			}, nil
+		},
+	})
+	cmd := newConfigListCommand(cli)
+	cmd.Flags().Set("format", "{{ .Name }} {{ .Labels }}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "config-list-with-format.golden")
+}
+
+func TestConfigListWithFilter(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+			assert.Check(t, is.Equal("foo", options.Filters.Get("name")[0]))
+			assert.Check(t, is.Equal("lbl1=Label-bar", options.Filters.Get("label")[0]))
+			return []swarm.Config{
+				*Config(ConfigID("ID-foo"),
+					ConfigName("foo"),
+					ConfigVersion(swarm.Version{Index: 10}),
+					ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
+					ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
+				),
+				*Config(ConfigID("ID-bar"),
+					ConfigName("bar"),
+					ConfigVersion(swarm.Version{Index: 11}),
+					ConfigCreatedAt(time.Now().Add(-2*time.Hour)),
+					ConfigUpdatedAt(time.Now().Add(-1*time.Hour)),
+				),
+			}, nil
+		},
+	})
+	cmd := newConfigListCommand(cli)
+	cmd.Flags().Set("filter", "name=foo")
+	cmd.Flags().Set("filter", "label=lbl1=Label-bar")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "config-list-with-filter.golden")
+}
diff --git a/cli/cli/command/config/remove.go b/cli/cli/command/config/remove.go
new file mode 100644
index 00000000..3240a5a3
--- /dev/null
+++ b/cli/cli/command/config/remove.go
@@ -0,0 +1,53 @@
+package config
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type removeOptions struct {
+	names []string
+}
+
+func newConfigRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	return &cobra.Command{
+		Use:     "rm CONFIG [CONFIG...]",
+		Aliases: []string{"remove"},
+		Short:   "Remove one or more configs",
+		Args:    cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts := removeOptions{
+				names: args,
+			}
+			return runConfigRemove(dockerCli, opts)
+		},
+	}
+}
+
+func runConfigRemove(dockerCli command.Cli, opts removeOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	var errs []string
+
+	for _, name := range opts.names {
+		if err := client.ConfigRemove(ctx, name); err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+
+		fmt.Fprintln(dockerCli.Out(), name)
+	}
+
+	if len(errs) > 0 {
+		return errors.Errorf("%s", strings.Join(errs, "\n"))
+	}
+
+	return nil
+}
diff --git a/cli/cli/command/config/remove_test.go b/cli/cli/command/config/remove_test.go
new file mode 100644
index 00000000..4a1980bc
--- /dev/null
+++ b/cli/cli/command/config/remove_test.go
@@ -0,0 +1,79 @@
+package config
+
+import (
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestConfigRemoveErrors(t *testing.T) {
+	testCases := []struct {
+		args             []string
+		configRemoveFunc func(string) error
+		expectedError    string
+	}{
+		{
+			args:          []string{},
+			expectedError: "requires at least 1 argument.",
+		},
+		{
+			args: []string{"foo"},
+			configRemoveFunc: func(name string) error {
+				return errors.Errorf("error removing config")
+			},
+			expectedError: "error removing config",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newConfigRemoveCommand(
+			test.NewFakeCli(&fakeClient{
+				configRemoveFunc: tc.configRemoveFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestConfigRemoveWithName(t *testing.T) {
+	names := []string{"foo", "bar"}
+	var removedConfigs []string
+	cli := test.NewFakeCli(&fakeClient{
+		configRemoveFunc: func(name string) error {
+			removedConfigs = append(removedConfigs, name)
+			return nil
+		},
+	})
+	cmd := newConfigRemoveCommand(cli)
+	cmd.SetArgs(names)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.DeepEqual(names, strings.Split(strings.TrimSpace(cli.OutBuffer().String()), "\n")))
+	assert.Check(t, is.DeepEqual(names, removedConfigs))
+}
+
+func TestConfigRemoveContinueAfterError(t *testing.T) {
+	names := []string{"foo", "bar"}
+	var removedConfigs []string
+
+	cli := test.NewFakeCli(&fakeClient{
+		configRemoveFunc: func(name string) error {
+			removedConfigs = append(removedConfigs, name)
+			if name == "foo" {
+				return errors.Errorf("error removing config: %s", name)
+			}
+			return nil
+		},
+	})
+
+	cmd := newConfigRemoveCommand(cli)
+	cmd.SetArgs(names)
+	cmd.SetOutput(ioutil.Discard)
+	assert.Error(t, cmd.Execute(), "error removing config: foo")
+	assert.Check(t, is.DeepEqual(names, removedConfigs))
+}
diff --git a/cli/cli/command/config/testdata/config-create-with-name.golden b/cli/cli/command/config/testdata/config-create-with-name.golden
new file mode 100644
index 00000000..7b28bb3f
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-create-with-name.golden
@@ -0,0 +1 @@
+config_foo_bar
diff --git a/cli/cli/command/config/testdata/config-inspect-pretty.simple.golden b/cli/cli/command/config/testdata/config-inspect-pretty.simple.golden
new file mode 100644
index 00000000..60b5c7fa
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-inspect-pretty.simple.golden
@@ -0,0 +1,8 @@
+ID:			configID
+Name:			configName
+Labels:
+ - lbl1=value1
+Created at:            	0001-01-01 00:00:00 +0000 utc
+Updated at:            	0001-01-01 00:00:00 +0000 utc
+Data:
+payload here
diff --git a/cli/cli/command/config/testdata/config-inspect-with-format.json-template.golden b/cli/cli/command/config/testdata/config-inspect-with-format.json-template.golden
new file mode 100644
index 00000000..aab678f8
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-inspect-with-format.json-template.golden
@@ -0,0 +1 @@
+{"label1":"label-foo"}
diff --git a/cli/cli/command/config/testdata/config-inspect-with-format.simple-template.golden b/cli/cli/command/config/testdata/config-inspect-with-format.simple-template.golden
new file mode 100644
index 00000000..257cc564
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-inspect-with-format.simple-template.golden
@@ -0,0 +1 @@
+foo
diff --git a/cli/cli/command/config/testdata/config-inspect-without-format.multiple-configs-with-labels.golden b/cli/cli/command/config/testdata/config-inspect-without-format.multiple-configs-with-labels.golden
new file mode 100644
index 00000000..b01a400c
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-inspect-without-format.multiple-configs-with-labels.golden
@@ -0,0 +1,26 @@
+[
+    {
+        "ID": "ID-foo",
+        "Version": {},
+        "CreatedAt": "0001-01-01T00:00:00Z",
+        "UpdatedAt": "0001-01-01T00:00:00Z",
+        "Spec": {
+            "Name": "foo",
+            "Labels": {
+                "label1": "label-foo"
+            }
+        }
+    },
+    {
+        "ID": "ID-bar",
+        "Version": {},
+        "CreatedAt": "0001-01-01T00:00:00Z",
+        "UpdatedAt": "0001-01-01T00:00:00Z",
+        "Spec": {
+            "Name": "bar",
+            "Labels": {
+                "label1": "label-foo"
+            }
+        }
+    }
+]
diff --git a/cli/cli/command/config/testdata/config-inspect-without-format.single-config.golden b/cli/cli/command/config/testdata/config-inspect-without-format.single-config.golden
new file mode 100644
index 00000000..c4f41c10
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-inspect-without-format.single-config.golden
@@ -0,0 +1,12 @@
+[
+    {
+        "ID": "ID-foo",
+        "Version": {},
+        "CreatedAt": "0001-01-01T00:00:00Z",
+        "UpdatedAt": "0001-01-01T00:00:00Z",
+        "Spec": {
+            "Name": "foo",
+            "Labels": null
+        }
+    }
+]
diff --git a/cli/cli/command/config/testdata/config-list-sort.golden b/cli/cli/command/config/testdata/config-list-sort.golden
new file mode 100644
index 00000000..141057c3
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-list-sort.golden
@@ -0,0 +1,4 @@
+ID                  NAME                CREATED             UPDATED
+ID-1-foo            1-foo               2 hours ago         About an hour ago
+ID-2-foo            2-foo               2 hours ago         About an hour ago
+ID-10-foo           10-foo              2 hours ago         About an hour ago
diff --git a/cli/cli/command/config/testdata/config-list-with-config-format.golden b/cli/cli/command/config/testdata/config-list-with-config-format.golden
new file mode 100644
index 00000000..a64bb595
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-list-with-config-format.golden
@@ -0,0 +1,2 @@
+bar label=label-bar
+foo 
diff --git a/cli/cli/command/config/testdata/config-list-with-filter.golden b/cli/cli/command/config/testdata/config-list-with-filter.golden
new file mode 100644
index 00000000..6fdc13b8
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-list-with-filter.golden
@@ -0,0 +1,3 @@
+ID                  NAME                CREATED             UPDATED
+ID-bar              bar                 2 hours ago         About an hour ago
+ID-foo              foo                 2 hours ago         About an hour ago
diff --git a/cli/cli/command/config/testdata/config-list-with-format.golden b/cli/cli/command/config/testdata/config-list-with-format.golden
new file mode 100644
index 00000000..a64bb595
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-list-with-format.golden
@@ -0,0 +1,2 @@
+bar label=label-bar
+foo 
diff --git a/cli/cli/command/config/testdata/config-list-with-quiet-option.golden b/cli/cli/command/config/testdata/config-list-with-quiet-option.golden
new file mode 100644
index 00000000..145fc38d
--- /dev/null
+++ b/cli/cli/command/config/testdata/config-list-with-quiet-option.golden
@@ -0,0 +1,2 @@
+ID-bar
+ID-foo
diff --git a/cli/cli/command/container/attach.go b/cli/cli/command/container/attach.go
new file mode 100644
index 00000000..de96a3b7
--- /dev/null
+++ b/cli/cli/command/container/attach.go
@@ -0,0 +1,181 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http/httputil"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+type attachOptions struct {
+	noStdin    bool
+	proxy      bool
+	detachKeys string
+
+	container string
+}
+
+func inspectContainerAndCheckState(ctx context.Context, cli client.APIClient, args string) (*types.ContainerJSON, error) {
+	c, err := cli.ContainerInspect(ctx, args)
+	if err != nil {
+		return nil, err
+	}
+	if !c.State.Running {
+		return nil, errors.New("You cannot attach to a stopped container, start it first")
+	}
+	if c.State.Paused {
+		return nil, errors.New("You cannot attach to a paused container, unpause it first")
+	}
+	if c.State.Restarting {
+		return nil, errors.New("You cannot attach to a restarting container, wait until it is running")
+	}
+
+	return &c, nil
+}
+
+// NewAttachCommand creates a new cobra.Command for `docker attach`
+func NewAttachCommand(dockerCli command.Cli) *cobra.Command {
+	var opts attachOptions
+
+	cmd := &cobra.Command{
+		Use:   "attach [OPTIONS] CONTAINER",
+		Short: "Attach local standard input, output, and error streams to a running container",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.container = args[0]
+			return runAttach(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.noStdin, "no-stdin", false, "Do not attach STDIN")
+	flags.BoolVar(&opts.proxy, "sig-proxy", true, "Proxy all received signals to the process")
+	flags.StringVar(&opts.detachKeys, "detach-keys", "", "Override the key sequence for detaching a container")
+	return cmd
+}
+
+func runAttach(dockerCli command.Cli, opts *attachOptions) error {
+	ctx := context.Background()
+	client := dockerCli.Client()
+
+	// request channel to wait for client
+	resultC, errC := client.ContainerWait(ctx, opts.container, "")
+
+	c, err := inspectContainerAndCheckState(ctx, client, opts.container)
+	if err != nil {
+		return err
+	}
+
+	if err := dockerCli.In().CheckTty(!opts.noStdin, c.Config.Tty); err != nil {
+		return err
+	}
+
+	if opts.detachKeys != "" {
+		dockerCli.ConfigFile().DetachKeys = opts.detachKeys
+	}
+
+	options := types.ContainerAttachOptions{
+		Stream:     true,
+		Stdin:      !opts.noStdin && c.Config.OpenStdin,
+		Stdout:     true,
+		Stderr:     true,
+		DetachKeys: dockerCli.ConfigFile().DetachKeys,
+	}
+
+	var in io.ReadCloser
+	if options.Stdin {
+		in = dockerCli.In()
+	}
+
+	if opts.proxy && !c.Config.Tty {
+		sigc := ForwardAllSignals(ctx, dockerCli, opts.container)
+		defer signal.StopCatch(sigc)
+	}
+
+	resp, errAttach := client.ContainerAttach(ctx, opts.container, options)
+	if errAttach != nil && errAttach != httputil.ErrPersistEOF {
+		// ContainerAttach returns an ErrPersistEOF (connection closed)
+		// means server met an error and put it in Hijacked connection
+		// keep the error and read detailed error message from hijacked connection later
+		return errAttach
+	}
+	defer resp.Close()
+
+	// If use docker attach command to attach to a stop container, it will return
+	// "You cannot attach to a stopped container" error, it's ok, but when
+	// attach to a running container, it(docker attach) use inspect to check
+	// the container's state, if it pass the state check on the client side,
+	// and then the container is stopped, docker attach command still attach to
+	// the container and not exit.
+	//
+	// Recheck the container's state to avoid attach block.
+	_, err = inspectContainerAndCheckState(ctx, client, opts.container)
+	if err != nil {
+		return err
+	}
+
+	if c.Config.Tty && dockerCli.Out().IsTerminal() {
+		resizeTTY(ctx, dockerCli, opts.container)
+	}
+
+	streamer := hijackedIOStreamer{
+		streams:      dockerCli,
+		inputStream:  in,
+		outputStream: dockerCli.Out(),
+		errorStream:  dockerCli.Err(),
+		resp:         resp,
+		tty:          c.Config.Tty,
+		detachKeys:   options.DetachKeys,
+	}
+
+	if err := streamer.stream(ctx); err != nil {
+		return err
+	}
+
+	if errAttach != nil {
+		return errAttach
+	}
+
+	return getExitStatus(errC, resultC)
+}
+
+func getExitStatus(errC <-chan error, resultC <-chan container.ContainerWaitOKBody) error {
+	select {
+	case result := <-resultC:
+		if result.Error != nil {
+			return fmt.Errorf(result.Error.Message)
+		}
+		if result.StatusCode != 0 {
+			return cli.StatusError{StatusCode: int(result.StatusCode)}
+		}
+	case err := <-errC:
+		return err
+	}
+
+	return nil
+}
+
+func resizeTTY(ctx context.Context, dockerCli command.Cli, containerID string) {
+	height, width := dockerCli.Out().GetTtySize()
+	// To handle the case where a user repeatedly attaches/detaches without resizing their
+	// terminal, the only way to get the shell prompt to display for attaches 2+ is to artificially
+	// resize it, then go back to normal. Without this, every attach after the first will
+	// require the user to manually resize or hit enter.
+	resizeTtyTo(ctx, dockerCli.Client(), containerID, height+1, width+1, false)
+
+	// After the above resizing occurs, the call to MonitorTtySize below will handle resetting back
+	// to the actual size.
+	if err := MonitorTtySize(ctx, dockerCli, containerID, false); err != nil {
+		logrus.Debugf("Error monitoring TTY size: %s", err)
+	}
+}
diff --git a/cli/cli/command/container/attach_test.go b/cli/cli/command/container/attach_test.go
new file mode 100644
index 00000000..7d8d3f6e
--- /dev/null
+++ b/cli/cli/command/container/attach_test.go
@@ -0,0 +1,129 @@
+package container
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+func TestNewAttachCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name                 string
+		args                 []string
+		expectedError        string
+		containerInspectFunc func(img string) (types.ContainerJSON, error)
+	}{
+		{
+			name:          "client-error",
+			args:          []string{"5cb5bb5e4a3b"},
+			expectedError: "something went wrong",
+			containerInspectFunc: func(containerID string) (types.ContainerJSON, error) {
+				return types.ContainerJSON{}, errors.Errorf("something went wrong")
+			},
+		},
+		{
+			name:          "client-stopped",
+			args:          []string{"5cb5bb5e4a3b"},
+			expectedError: "You cannot attach to a stopped container",
+			containerInspectFunc: func(containerID string) (types.ContainerJSON, error) {
+				c := types.ContainerJSON{}
+				c.ContainerJSONBase = &types.ContainerJSONBase{}
+				c.ContainerJSONBase.State = &types.ContainerState{Running: false}
+				return c, nil
+			},
+		},
+		{
+			name:          "client-paused",
+			args:          []string{"5cb5bb5e4a3b"},
+			expectedError: "You cannot attach to a paused container",
+			containerInspectFunc: func(containerID string) (types.ContainerJSON, error) {
+				c := types.ContainerJSON{}
+				c.ContainerJSONBase = &types.ContainerJSONBase{}
+				c.ContainerJSONBase.State = &types.ContainerState{
+					Running: true,
+					Paused:  true,
+				}
+				return c, nil
+			},
+		},
+		{
+			name:          "client-restarting",
+			args:          []string{"5cb5bb5e4a3b"},
+			expectedError: "You cannot attach to a restarting container",
+			containerInspectFunc: func(containerID string) (types.ContainerJSON, error) {
+				c := types.ContainerJSON{}
+				c.ContainerJSONBase = &types.ContainerJSONBase{}
+				c.ContainerJSONBase.State = &types.ContainerState{
+					Running:    true,
+					Paused:     false,
+					Restarting: true,
+				}
+				return c, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cmd := NewAttachCommand(test.NewFakeCli(&fakeClient{inspectFunc: tc.containerInspectFunc}))
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestGetExitStatus(t *testing.T) {
+	var (
+		expectedErr = fmt.Errorf("unexpected error")
+		errC        = make(chan error, 1)
+		resultC     = make(chan container.ContainerWaitOKBody, 1)
+	)
+
+	testcases := []struct {
+		result        *container.ContainerWaitOKBody
+		err           error
+		expectedError error
+	}{
+		{
+			result: &container.ContainerWaitOKBody{
+				StatusCode: 0,
+			},
+		},
+		{
+			err:           expectedErr,
+			expectedError: expectedErr,
+		},
+		{
+			result: &container.ContainerWaitOKBody{
+				Error: &container.ContainerWaitOKBodyError{Message: expectedErr.Error()},
+			},
+			expectedError: expectedErr,
+		},
+		{
+			result: &container.ContainerWaitOKBody{
+				StatusCode: 15,
+			},
+			expectedError: cli.StatusError{StatusCode: 15},
+		},
+	}
+
+	for _, testcase := range testcases {
+		if testcase.err != nil {
+			errC <- testcase.err
+		}
+		if testcase.result != nil {
+			resultC <- *testcase.result
+		}
+		err := getExitStatus(errC, resultC)
+		if testcase.expectedError == nil {
+			assert.NilError(t, err)
+		} else {
+			assert.Error(t, err, testcase.expectedError.Error())
+		}
+	}
+}
diff --git a/cli/cli/command/container/client_test.go b/cli/cli/command/container/client_test.go
new file mode 100644
index 00000000..a2c39bc6
--- /dev/null
+++ b/cli/cli/command/container/client_test.go
@@ -0,0 +1,126 @@
+package container
+
+import (
+	"context"
+	"io"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	inspectFunc           func(string) (types.ContainerJSON, error)
+	execInspectFunc       func(execID string) (types.ContainerExecInspect, error)
+	execCreateFunc        func(container string, config types.ExecConfig) (types.IDResponse, error)
+	createContainerFunc   func(config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, containerName string) (container.ContainerCreateCreatedBody, error)
+	containerStartFunc    func(container string, options types.ContainerStartOptions) error
+	imageCreateFunc       func(parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
+	infoFunc              func() (types.Info, error)
+	containerStatPathFunc func(container, path string) (types.ContainerPathStat, error)
+	containerCopyFromFunc func(container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
+	logFunc               func(string, types.ContainerLogsOptions) (io.ReadCloser, error)
+	waitFunc              func(string) (<-chan container.ContainerWaitOKBody, <-chan error)
+	containerListFunc     func(types.ContainerListOptions) ([]types.Container, error)
+	Version               string
+}
+
+func (f *fakeClient) ContainerList(_ context.Context, options types.ContainerListOptions) ([]types.Container, error) {
+	if f.containerListFunc != nil {
+		return f.containerListFunc(options)
+	}
+	return []types.Container{}, nil
+}
+
+func (f *fakeClient) ContainerInspect(_ context.Context, containerID string) (types.ContainerJSON, error) {
+	if f.inspectFunc != nil {
+		return f.inspectFunc(containerID)
+	}
+	return types.ContainerJSON{}, nil
+}
+
+func (f *fakeClient) ContainerExecCreate(_ context.Context, container string, config types.ExecConfig) (types.IDResponse, error) {
+	if f.execCreateFunc != nil {
+		return f.execCreateFunc(container, config)
+	}
+	return types.IDResponse{}, nil
+}
+
+func (f *fakeClient) ContainerExecInspect(_ context.Context, execID string) (types.ContainerExecInspect, error) {
+	if f.execInspectFunc != nil {
+		return f.execInspectFunc(execID)
+	}
+	return types.ContainerExecInspect{}, nil
+}
+
+func (f *fakeClient) ContainerExecStart(ctx context.Context, execID string, config types.ExecStartCheck) error {
+	return nil
+}
+
+func (f *fakeClient) ContainerCreate(
+	_ context.Context,
+	config *container.Config,
+	hostConfig *container.HostConfig,
+	networkingConfig *network.NetworkingConfig,
+	containerName string,
+) (container.ContainerCreateCreatedBody, error) {
+	if f.createContainerFunc != nil {
+		return f.createContainerFunc(config, hostConfig, networkingConfig, containerName)
+	}
+	return container.ContainerCreateCreatedBody{}, nil
+}
+
+func (f *fakeClient) ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
+	if f.imageCreateFunc != nil {
+		return f.imageCreateFunc(parentReference, options)
+	}
+	return nil, nil
+}
+
+func (f *fakeClient) Info(_ context.Context) (types.Info, error) {
+	if f.infoFunc != nil {
+		return f.infoFunc()
+	}
+	return types.Info{}, nil
+}
+
+func (f *fakeClient) ContainerStatPath(_ context.Context, container, path string) (types.ContainerPathStat, error) {
+	if f.containerStatPathFunc != nil {
+		return f.containerStatPathFunc(container, path)
+	}
+	return types.ContainerPathStat{}, nil
+}
+
+func (f *fakeClient) CopyFromContainer(_ context.Context, container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error) {
+	if f.containerCopyFromFunc != nil {
+		return f.containerCopyFromFunc(container, srcPath)
+	}
+	return nil, types.ContainerPathStat{}, nil
+}
+
+func (f *fakeClient) ContainerLogs(_ context.Context, container string, options types.ContainerLogsOptions) (io.ReadCloser, error) {
+	if f.logFunc != nil {
+		return f.logFunc(container, options)
+	}
+	return nil, nil
+}
+
+func (f *fakeClient) ClientVersion() string {
+	return f.Version
+}
+
+func (f *fakeClient) ContainerWait(_ context.Context, container string, _ container.WaitCondition) (<-chan container.ContainerWaitOKBody, <-chan error) {
+	if f.waitFunc != nil {
+		return f.waitFunc(container)
+	}
+	return nil, nil
+}
+
+func (f *fakeClient) ContainerStart(_ context.Context, container string, options types.ContainerStartOptions) error {
+	if f.containerStartFunc != nil {
+		return f.containerStartFunc(container, options)
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/cmd.go b/cli/cli/command/container/cmd.go
new file mode 100644
index 00000000..dcf8116e
--- /dev/null
+++ b/cli/cli/command/container/cmd.go
@@ -0,0 +1,45 @@
+package container
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// NewContainerCommand returns a cobra command for `container` subcommands
+func NewContainerCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "container",
+		Short: "Manage containers",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+	}
+	cmd.AddCommand(
+		NewAttachCommand(dockerCli),
+		NewCommitCommand(dockerCli),
+		NewCopyCommand(dockerCli),
+		NewCreateCommand(dockerCli),
+		NewDiffCommand(dockerCli),
+		NewExecCommand(dockerCli),
+		NewExportCommand(dockerCli),
+		NewKillCommand(dockerCli),
+		NewLogsCommand(dockerCli),
+		NewPauseCommand(dockerCli),
+		NewPortCommand(dockerCli),
+		NewRenameCommand(dockerCli),
+		NewRestartCommand(dockerCli),
+		NewRmCommand(dockerCli),
+		NewRunCommand(dockerCli),
+		NewStartCommand(dockerCli),
+		NewStatsCommand(dockerCli),
+		NewStopCommand(dockerCli),
+		NewTopCommand(dockerCli),
+		NewUnpauseCommand(dockerCli),
+		NewUpdateCommand(dockerCli),
+		NewWaitCommand(dockerCli),
+		newListCommand(dockerCli),
+		newInspectCommand(dockerCli),
+		NewPruneCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/container/commit.go b/cli/cli/command/container/commit.go
new file mode 100644
index 00000000..0a30f55d
--- /dev/null
+++ b/cli/cli/command/container/commit.go
@@ -0,0 +1,75 @@
+package container
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+type commitOptions struct {
+	container string
+	reference string
+
+	pause   bool
+	comment string
+	author  string
+	changes opts.ListOpts
+}
+
+// NewCommitCommand creates a new cobra.Command for `docker commit`
+func NewCommitCommand(dockerCli command.Cli) *cobra.Command {
+	var options commitOptions
+
+	cmd := &cobra.Command{
+		Use:   "commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]",
+		Short: "Create a new image from a container's changes",
+		Args:  cli.RequiresRangeArgs(1, 2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.container = args[0]
+			if len(args) > 1 {
+				options.reference = args[1]
+			}
+			return runCommit(dockerCli, &options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.SetInterspersed(false)
+
+	flags.BoolVarP(&options.pause, "pause", "p", true, "Pause container during commit")
+	flags.StringVarP(&options.comment, "message", "m", "", "Commit message")
+	flags.StringVarP(&options.author, "author", "a", "", "Author (e.g., \"John Hannibal Smith <hannibal@a-team.com>\")")
+
+	options.changes = opts.NewListOpts(nil)
+	flags.VarP(&options.changes, "change", "c", "Apply Dockerfile instruction to the created image")
+
+	return cmd
+}
+
+func runCommit(dockerCli command.Cli, options *commitOptions) error {
+	ctx := context.Background()
+
+	name := options.container
+	reference := options.reference
+
+	commitOptions := types.ContainerCommitOptions{
+		Reference: reference,
+		Comment:   options.comment,
+		Author:    options.author,
+		Changes:   options.changes.GetAll(),
+		Pause:     options.pause,
+	}
+
+	response, err := dockerCli.Client().ContainerCommit(ctx, name, commitOptions)
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintln(dockerCli.Out(), response.ID)
+	return nil
+}
diff --git a/cli/cli/command/container/cp.go b/cli/cli/command/container/cp.go
new file mode 100644
index 00000000..ffb9a211
--- /dev/null
+++ b/cli/cli/command/container/cp.go
@@ -0,0 +1,304 @@
+package container
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type copyOptions struct {
+	source      string
+	destination string
+	followLink  bool
+	copyUIDGID  bool
+}
+
+type copyDirection int
+
+const (
+	fromContainer copyDirection = 1 << iota
+	toContainer
+	acrossContainers = fromContainer | toContainer
+)
+
+type cpConfig struct {
+	followLink bool
+	copyUIDGID bool
+	sourcePath string
+	destPath   string
+	container  string
+}
+
+// NewCopyCommand creates a new `docker cp` command
+func NewCopyCommand(dockerCli command.Cli) *cobra.Command {
+	var opts copyOptions
+
+	cmd := &cobra.Command{
+		Use: `cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-
+	docker cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH`,
+		Short: "Copy files/folders between a container and the local filesystem",
+		Long: strings.Join([]string{
+			"Copy files/folders between a container and the local filesystem\n",
+			"\nUse '-' as the source to read a tar archive from stdin\n",
+			"and extract it to a directory destination in a container.\n",
+			"Use '-' as the destination to stream a tar archive of a\n",
+			"container source to stdout.",
+		}, ""),
+		Args: cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if args[0] == "" {
+				return errors.New("source can not be empty")
+			}
+			if args[1] == "" {
+				return errors.New("destination can not be empty")
+			}
+			opts.source = args[0]
+			opts.destination = args[1]
+			return runCopy(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.followLink, "follow-link", "L", false, "Always follow symbol link in SRC_PATH")
+	flags.BoolVarP(&opts.copyUIDGID, "archive", "a", false, "Archive mode (copy all uid/gid information)")
+	return cmd
+}
+
+func runCopy(dockerCli command.Cli, opts copyOptions) error {
+	srcContainer, srcPath := splitCpArg(opts.source)
+	destContainer, destPath := splitCpArg(opts.destination)
+
+	copyConfig := cpConfig{
+		followLink: opts.followLink,
+		copyUIDGID: opts.copyUIDGID,
+		sourcePath: srcPath,
+		destPath:   destPath,
+	}
+
+	var direction copyDirection
+	if srcContainer != "" {
+		direction |= fromContainer
+		copyConfig.container = srcContainer
+	}
+	if destContainer != "" {
+		direction |= toContainer
+		copyConfig.container = destContainer
+	}
+
+	ctx := context.Background()
+
+	switch direction {
+	case fromContainer:
+		return copyFromContainer(ctx, dockerCli, copyConfig)
+	case toContainer:
+		return copyToContainer(ctx, dockerCli, copyConfig)
+	case acrossContainers:
+		return errors.New("copying between containers is not supported")
+	default:
+		return errors.New("must specify at least one container source")
+	}
+}
+
+func resolveLocalPath(localPath string) (absPath string, err error) {
+	if absPath, err = filepath.Abs(localPath); err != nil {
+		return
+	}
+	return archive.PreserveTrailingDotOrSeparator(absPath, localPath, filepath.Separator), nil
+}
+
+func copyFromContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpConfig) (err error) {
+	dstPath := copyConfig.destPath
+	srcPath := copyConfig.sourcePath
+
+	if dstPath != "-" {
+		// Get an absolute destination path.
+		dstPath, err = resolveLocalPath(dstPath)
+		if err != nil {
+			return err
+		}
+	}
+
+	client := dockerCli.Client()
+	// if client requests to follow symbol link, then must decide target file to be copied
+	var rebaseName string
+	if copyConfig.followLink {
+		srcStat, err := client.ContainerStatPath(ctx, copyConfig.container, srcPath)
+
+		// If the destination is a symbolic link, we should follow it.
+		if err == nil && srcStat.Mode&os.ModeSymlink != 0 {
+			linkTarget := srcStat.LinkTarget
+			if !system.IsAbs(linkTarget) {
+				// Join with the parent directory.
+				srcParent, _ := archive.SplitPathDirEntry(srcPath)
+				linkTarget = filepath.Join(srcParent, linkTarget)
+			}
+
+			linkTarget, rebaseName = archive.GetRebaseName(srcPath, linkTarget)
+			srcPath = linkTarget
+		}
+
+	}
+
+	content, stat, err := client.CopyFromContainer(ctx, copyConfig.container, srcPath)
+	if err != nil {
+		return err
+	}
+	defer content.Close()
+
+	if dstPath == "-" {
+		_, err = io.Copy(dockerCli.Out(), content)
+		return err
+	}
+
+	srcInfo := archive.CopyInfo{
+		Path:       srcPath,
+		Exists:     true,
+		IsDir:      stat.Mode.IsDir(),
+		RebaseName: rebaseName,
+	}
+
+	preArchive := content
+	if len(srcInfo.RebaseName) != 0 {
+		_, srcBase := archive.SplitPathDirEntry(srcInfo.Path)
+		preArchive = archive.RebaseArchiveEntries(content, srcBase, srcInfo.RebaseName)
+	}
+	return archive.CopyTo(preArchive, srcInfo, dstPath)
+}
+
+// In order to get the copy behavior right, we need to know information
+// about both the source and destination. The API is a simple tar
+// archive/extract API but we can use the stat info header about the
+// destination to be more informed about exactly what the destination is.
+func copyToContainer(ctx context.Context, dockerCli command.Cli, copyConfig cpConfig) (err error) {
+	srcPath := copyConfig.sourcePath
+	dstPath := copyConfig.destPath
+
+	if srcPath != "-" {
+		// Get an absolute source path.
+		srcPath, err = resolveLocalPath(srcPath)
+		if err != nil {
+			return err
+		}
+	}
+
+	client := dockerCli.Client()
+	// Prepare destination copy info by stat-ing the container path.
+	dstInfo := archive.CopyInfo{Path: dstPath}
+	dstStat, err := client.ContainerStatPath(ctx, copyConfig.container, dstPath)
+
+	// If the destination is a symbolic link, we should evaluate it.
+	if err == nil && dstStat.Mode&os.ModeSymlink != 0 {
+		linkTarget := dstStat.LinkTarget
+		if !system.IsAbs(linkTarget) {
+			// Join with the parent directory.
+			dstParent, _ := archive.SplitPathDirEntry(dstPath)
+			linkTarget = filepath.Join(dstParent, linkTarget)
+		}
+
+		dstInfo.Path = linkTarget
+		dstStat, err = client.ContainerStatPath(ctx, copyConfig.container, linkTarget)
+	}
+
+	// Ignore any error and assume that the parent directory of the destination
+	// path exists, in which case the copy may still succeed. If there is any
+	// type of conflict (e.g., non-directory overwriting an existing directory
+	// or vice versa) the extraction will fail. If the destination simply did
+	// not exist, but the parent directory does, the extraction will still
+	// succeed.
+	if err == nil {
+		dstInfo.Exists, dstInfo.IsDir = true, dstStat.Mode.IsDir()
+	}
+
+	var (
+		content         io.Reader
+		resolvedDstPath string
+	)
+
+	if srcPath == "-" {
+		content = os.Stdin
+		resolvedDstPath = dstInfo.Path
+		if !dstInfo.IsDir {
+			return errors.Errorf("destination \"%s:%s\" must be a directory", copyConfig.container, dstPath)
+		}
+	} else {
+		// Prepare source copy info.
+		srcInfo, err := archive.CopyInfoSourcePath(srcPath, copyConfig.followLink)
+		if err != nil {
+			return err
+		}
+
+		srcArchive, err := archive.TarResource(srcInfo)
+		if err != nil {
+			return err
+		}
+		defer srcArchive.Close()
+
+		// With the stat info about the local source as well as the
+		// destination, we have enough information to know whether we need to
+		// alter the archive that we upload so that when the server extracts
+		// it to the specified directory in the container we get the desired
+		// copy behavior.
+
+		// See comments in the implementation of `archive.PrepareArchiveCopy`
+		// for exactly what goes into deciding how and whether the source
+		// archive needs to be altered for the correct copy behavior when it is
+		// extracted. This function also infers from the source and destination
+		// info which directory to extract to, which may be the parent of the
+		// destination that the user specified.
+		dstDir, preparedArchive, err := archive.PrepareArchiveCopy(srcArchive, srcInfo, dstInfo)
+		if err != nil {
+			return err
+		}
+		defer preparedArchive.Close()
+
+		resolvedDstPath = dstDir
+		content = preparedArchive
+	}
+
+	options := types.CopyToContainerOptions{
+		AllowOverwriteDirWithFile: false,
+		CopyUIDGID:                copyConfig.copyUIDGID,
+	}
+	return client.CopyToContainer(ctx, copyConfig.container, resolvedDstPath, content, options)
+}
+
+// We use `:` as a delimiter between CONTAINER and PATH, but `:` could also be
+// in a valid LOCALPATH, like `file:name.txt`. We can resolve this ambiguity by
+// requiring a LOCALPATH with a `:` to be made explicit with a relative or
+// absolute path:
+// 	`/path/to/file:name.txt` or `./file:name.txt`
+//
+// This is apparently how `scp` handles this as well:
+// 	http://www.cyberciti.biz/faq/rsync-scp-file-name-with-colon-punctuation-in-it/
+//
+// We can't simply check for a filepath separator because container names may
+// have a separator, e.g., "host0/cname1" if container is in a Docker cluster,
+// so we have to check for a `/` or `.` prefix. Also, in the case of a Windows
+// client, a `:` could be part of an absolute Windows path, in which case it
+// is immediately proceeded by a backslash.
+func splitCpArg(arg string) (container, path string) {
+	if system.IsAbs(arg) {
+		// Explicit local absolute path, e.g., `C:\foo` or `/foo`.
+		return "", arg
+	}
+
+	parts := strings.SplitN(arg, ":", 2)
+
+	if len(parts) == 1 || strings.HasPrefix(parts[0], ".") {
+		// Either there's no `:` in the arg
+		// OR it's an explicit local relative path like `./file:name.txt`.
+		return "", arg
+	}
+
+	return parts[0], parts[1]
+}
diff --git a/cli/cli/command/container/cp_test.go b/cli/cli/command/container/cp_test.go
new file mode 100644
index 00000000..67cdaf15
--- /dev/null
+++ b/cli/cli/command/container/cp_test.go
@@ -0,0 +1,192 @@
+package container
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/archive"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+	"gotest.tools/skip"
+)
+
+func TestRunCopyWithInvalidArguments(t *testing.T) {
+	var testcases = []struct {
+		doc         string
+		options     copyOptions
+		expectedErr string
+	}{
+		{
+			doc: "copy between container",
+			options: copyOptions{
+				source:      "first:/path",
+				destination: "second:/path",
+			},
+			expectedErr: "copying between containers is not supported",
+		},
+		{
+			doc: "copy without a container",
+			options: copyOptions{
+				source:      "./source",
+				destination: "./dest",
+			},
+			expectedErr: "must specify at least one container source",
+		},
+	}
+	for _, testcase := range testcases {
+		t.Run(testcase.doc, func(t *testing.T) {
+			err := runCopy(test.NewFakeCli(nil), testcase.options)
+			assert.Error(t, err, testcase.expectedErr)
+		})
+	}
+}
+
+func TestRunCopyFromContainerToStdout(t *testing.T) {
+	tarContent := "the tar content"
+
+	fakeClient := &fakeClient{
+		containerCopyFromFunc: func(container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error) {
+			assert.Check(t, is.Equal("container", container))
+			return ioutil.NopCloser(strings.NewReader(tarContent)), types.ContainerPathStat{}, nil
+		},
+	}
+	options := copyOptions{source: "container:/path", destination: "-"}
+	cli := test.NewFakeCli(fakeClient)
+	err := runCopy(cli, options)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(tarContent, cli.OutBuffer().String()))
+	assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+}
+
+func TestRunCopyFromContainerToFilesystem(t *testing.T) {
+	destDir := fs.NewDir(t, "cp-test",
+		fs.WithFile("file1", "content\n"))
+	defer destDir.Remove()
+
+	fakeClient := &fakeClient{
+		containerCopyFromFunc: func(container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error) {
+			assert.Check(t, is.Equal("container", container))
+			readCloser, err := archive.TarWithOptions(destDir.Path(), &archive.TarOptions{})
+			return readCloser, types.ContainerPathStat{}, err
+		},
+	}
+	options := copyOptions{source: "container:/path", destination: destDir.Path()}
+	cli := test.NewFakeCli(fakeClient)
+	err := runCopy(cli, options)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("", cli.OutBuffer().String()))
+	assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+
+	content, err := ioutil.ReadFile(destDir.Join("file1"))
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("content\n", string(content)))
+}
+
+func TestRunCopyFromContainerToFilesystemMissingDestinationDirectory(t *testing.T) {
+	destDir := fs.NewDir(t, "cp-test",
+		fs.WithFile("file1", "content\n"))
+	defer destDir.Remove()
+
+	fakeClient := &fakeClient{
+		containerCopyFromFunc: func(container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error) {
+			assert.Check(t, is.Equal("container", container))
+			readCloser, err := archive.TarWithOptions(destDir.Path(), &archive.TarOptions{})
+			return readCloser, types.ContainerPathStat{}, err
+		},
+	}
+
+	options := copyOptions{
+		source:      "container:/path",
+		destination: destDir.Join("missing", "foo"),
+	}
+	cli := test.NewFakeCli(fakeClient)
+	err := runCopy(cli, options)
+	assert.ErrorContains(t, err, destDir.Join("missing"))
+}
+
+func TestRunCopyToContainerFromFileWithTrailingSlash(t *testing.T) {
+	srcFile := fs.NewFile(t, t.Name())
+	defer srcFile.Remove()
+
+	options := copyOptions{
+		source:      srcFile.Path() + string(os.PathSeparator),
+		destination: "container:/path",
+	}
+	cli := test.NewFakeCli(&fakeClient{})
+	err := runCopy(cli, options)
+
+	expectedError := "not a directory"
+	if runtime.GOOS == "windows" {
+		expectedError = "The filename, directory name, or volume label syntax is incorrect"
+	}
+	assert.ErrorContains(t, err, expectedError)
+}
+
+func TestRunCopyToContainerSourceDoesNotExist(t *testing.T) {
+	options := copyOptions{
+		source:      "/does/not/exist",
+		destination: "container:/path",
+	}
+	cli := test.NewFakeCli(&fakeClient{})
+	err := runCopy(cli, options)
+	expected := "no such file or directory"
+	if runtime.GOOS == "windows" {
+		expected = "cannot find the file specified"
+	}
+	assert.ErrorContains(t, err, expected)
+}
+
+func TestSplitCpArg(t *testing.T) {
+	var testcases = []struct {
+		doc               string
+		path              string
+		os                string
+		expectedContainer string
+		expectedPath      string
+	}{
+		{
+			doc:          "absolute path with colon",
+			os:           "linux",
+			path:         "/abs/path:withcolon",
+			expectedPath: "/abs/path:withcolon",
+		},
+		{
+			doc:          "relative path with colon",
+			path:         "./relative:path",
+			expectedPath: "./relative:path",
+		},
+		{
+			doc:          "absolute path with drive",
+			os:           "windows",
+			path:         `d:\abs\path`,
+			expectedPath: `d:\abs\path`,
+		},
+		{
+			doc:          "no separator",
+			path:         "relative/path",
+			expectedPath: "relative/path",
+		},
+		{
+			doc:               "with separator",
+			path:              "container:/opt/foo",
+			expectedPath:      "/opt/foo",
+			expectedContainer: "container",
+		},
+	}
+	for _, testcase := range testcases {
+		t.Run(testcase.doc, func(t *testing.T) {
+			skip.If(t, testcase.os != "" && testcase.os != runtime.GOOS)
+
+			container, path := splitCpArg(testcase.path)
+			assert.Check(t, is.Equal(testcase.expectedContainer, container))
+			assert.Check(t, is.Equal(testcase.expectedPath, path))
+		})
+	}
+}
diff --git a/cli/cli/command/container/create.go b/cli/cli/command/container/create.go
new file mode 100644
index 00000000..62d1a088
--- /dev/null
+++ b/cli/cli/command/container/create.go
@@ -0,0 +1,229 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	apiclient "github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/registry"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type createOptions struct {
+	name      string
+	platform  string
+	untrusted bool
+}
+
+// NewCreateCommand creates a new cobra.Command for `docker create`
+func NewCreateCommand(dockerCli command.Cli) *cobra.Command {
+	var opts createOptions
+	var copts *containerOptions
+
+	cmd := &cobra.Command{
+		Use:   "create [OPTIONS] IMAGE [COMMAND] [ARG...]",
+		Short: "Create a new container",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			copts.Image = args[0]
+			if len(args) > 1 {
+				copts.Args = args[1:]
+			}
+			return runCreate(dockerCli, cmd.Flags(), &opts, copts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.SetInterspersed(false)
+
+	flags.StringVar(&opts.name, "name", "", "Assign a name to the container")
+
+	// Add an explicit help that doesn't have a `-h` to prevent the conflict
+	// with hostname
+	flags.Bool("help", false, "Print usage")
+
+	command.AddPlatformFlag(flags, &opts.platform)
+	command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
+	copts = addFlags(flags)
+	return cmd
+}
+
+func runCreate(dockerCli command.Cli, flags *pflag.FlagSet, opts *createOptions, copts *containerOptions) error {
+	containerConfig, err := parse(flags, copts)
+	if err != nil {
+		reportError(dockerCli.Err(), "create", err.Error(), true)
+		return cli.StatusError{StatusCode: 125}
+	}
+	response, err := createContainer(context.Background(), dockerCli, containerConfig, opts)
+	if err != nil {
+		return err
+	}
+	fmt.Fprintln(dockerCli.Out(), response.ID)
+	return nil
+}
+
+func pullImage(ctx context.Context, dockerCli command.Cli, image string, platform string, out io.Writer) error {
+	ref, err := reference.ParseNormalizedNamed(image)
+	if err != nil {
+		return err
+	}
+
+	// Resolve the Repository name from fqn to RepositoryInfo
+	repoInfo, err := registry.ParseRepositoryInfo(ref)
+	if err != nil {
+		return err
+	}
+
+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)
+	encodedAuth, err := command.EncodeAuthToBase64(authConfig)
+	if err != nil {
+		return err
+	}
+
+	options := types.ImageCreateOptions{
+		RegistryAuth: encodedAuth,
+		Platform:     platform,
+	}
+
+	responseBody, err := dockerCli.Client().ImageCreate(ctx, image, options)
+	if err != nil {
+		return err
+	}
+	defer responseBody.Close()
+
+	return jsonmessage.DisplayJSONMessagesStream(
+		responseBody,
+		out,
+		dockerCli.Out().FD(),
+		dockerCli.Out().IsTerminal(),
+		nil)
+}
+
+type cidFile struct {
+	path    string
+	file    *os.File
+	written bool
+}
+
+func (cid *cidFile) Close() error {
+	if cid.file == nil {
+		return nil
+	}
+	cid.file.Close()
+
+	if cid.written {
+		return nil
+	}
+	if err := os.Remove(cid.path); err != nil {
+		return errors.Errorf("failed to remove the CID file '%s': %s \n", cid.path, err)
+	}
+
+	return nil
+}
+
+func (cid *cidFile) Write(id string) error {
+	if cid.file == nil {
+		return nil
+	}
+	if _, err := cid.file.Write([]byte(id)); err != nil {
+		return errors.Errorf("Failed to write the container ID to the file: %s", err)
+	}
+	cid.written = true
+	return nil
+}
+
+func newCIDFile(path string) (*cidFile, error) {
+	if path == "" {
+		return &cidFile{}, nil
+	}
+	if _, err := os.Stat(path); err == nil {
+		return nil, errors.Errorf("Container ID file found, make sure the other container isn't running or delete %s", path)
+	}
+
+	f, err := os.Create(path)
+	if err != nil {
+		return nil, errors.Errorf("Failed to create the container ID file: %s", err)
+	}
+
+	return &cidFile{path: path, file: f}, nil
+}
+
+func createContainer(ctx context.Context, dockerCli command.Cli, containerConfig *containerConfig, opts *createOptions) (*container.ContainerCreateCreatedBody, error) {
+	config := containerConfig.Config
+	hostConfig := containerConfig.HostConfig
+	networkingConfig := containerConfig.NetworkingConfig
+	stderr := dockerCli.Err()
+
+	var (
+		trustedRef reference.Canonical
+		namedRef   reference.Named
+	)
+
+	containerIDFile, err := newCIDFile(hostConfig.ContainerIDFile)
+	if err != nil {
+		return nil, err
+	}
+	defer containerIDFile.Close()
+
+	ref, err := reference.ParseAnyReference(config.Image)
+	if err != nil {
+		return nil, err
+	}
+	if named, ok := ref.(reference.Named); ok {
+		namedRef = reference.TagNameOnly(named)
+
+		if taggedRef, ok := namedRef.(reference.NamedTagged); ok && !opts.untrusted {
+			var err error
+			trustedRef, err = image.TrustedReference(ctx, dockerCli, taggedRef, nil)
+			if err != nil {
+				return nil, err
+			}
+			config.Image = reference.FamiliarString(trustedRef)
+		}
+	}
+
+	//create the container
+	response, err := dockerCli.Client().ContainerCreate(ctx, config, hostConfig, networkingConfig, opts.name)
+
+	//if image not found try to pull it
+	if err != nil {
+		if apiclient.IsErrNotFound(err) && namedRef != nil {
+			fmt.Fprintf(stderr, "Unable to find image '%s' locally\n", reference.FamiliarString(namedRef))
+
+			// we don't want to write to stdout anything apart from container.ID
+			if err := pullImage(ctx, dockerCli, config.Image, opts.platform, stderr); err != nil {
+				return nil, err
+			}
+			if taggedRef, ok := namedRef.(reference.NamedTagged); ok && trustedRef != nil {
+				if err := image.TagTrusted(ctx, dockerCli, trustedRef, taggedRef); err != nil {
+					return nil, err
+				}
+			}
+			// Retry
+			var retryErr error
+			response, retryErr = dockerCli.Client().ContainerCreate(ctx, config, hostConfig, networkingConfig, opts.name)
+			if retryErr != nil {
+				return nil, retryErr
+			}
+		} else {
+			return nil, err
+		}
+	}
+
+	for _, warning := range response.Warnings {
+		fmt.Fprintf(stderr, "WARNING: %s\n", warning)
+	}
+	err = containerIDFile.Write(response.ID)
+	return &response, err
+}
diff --git a/cli/cli/command/container/create_test.go b/cli/cli/command/container/create_test.go
new file mode 100644
index 00000000..1df09c7d
--- /dev/null
+++ b/cli/cli/command/container/create_test.go
@@ -0,0 +1,172 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/cli/internal/test/notary"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"github.com/google/go-cmp/cmp"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+func TestCIDFileNoOPWithNoFilename(t *testing.T) {
+	file, err := newCIDFile("")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, &cidFile{}, file, cmp.AllowUnexported(cidFile{}))
+
+	assert.NilError(t, file.Write("id"))
+	assert.NilError(t, file.Close())
+}
+
+func TestNewCIDFileWhenFileAlreadyExists(t *testing.T) {
+	tempfile := fs.NewFile(t, "test-cid-file")
+	defer tempfile.Remove()
+
+	_, err := newCIDFile(tempfile.Path())
+	assert.ErrorContains(t, err, "Container ID file found")
+}
+
+func TestCIDFileCloseWithNoWrite(t *testing.T) {
+	tempdir := fs.NewDir(t, "test-cid-file")
+	defer tempdir.Remove()
+
+	path := tempdir.Join("cidfile")
+	file, err := newCIDFile(path)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(file.path, path))
+
+	assert.NilError(t, file.Close())
+	_, err = os.Stat(path)
+	assert.Check(t, os.IsNotExist(err))
+}
+
+func TestCIDFileCloseWithWrite(t *testing.T) {
+	tempdir := fs.NewDir(t, "test-cid-file")
+	defer tempdir.Remove()
+
+	path := tempdir.Join("cidfile")
+	file, err := newCIDFile(path)
+	assert.NilError(t, err)
+
+	content := "id"
+	assert.NilError(t, file.Write(content))
+
+	actual, err := ioutil.ReadFile(path)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(content, string(actual)))
+
+	assert.NilError(t, file.Close())
+	_, err = os.Stat(path)
+	assert.NilError(t, err)
+}
+
+func TestCreateContainerPullsImageIfMissing(t *testing.T) {
+	imageName := "does-not-exist-locally"
+	responseCounter := 0
+	containerID := "abcdef"
+
+	client := &fakeClient{
+		createContainerFunc: func(
+			config *container.Config,
+			hostConfig *container.HostConfig,
+			networkingConfig *network.NetworkingConfig,
+			containerName string,
+		) (container.ContainerCreateCreatedBody, error) {
+			defer func() { responseCounter++ }()
+			switch responseCounter {
+			case 0:
+				return container.ContainerCreateCreatedBody{}, fakeNotFound{}
+			case 1:
+				return container.ContainerCreateCreatedBody{ID: containerID}, nil
+			default:
+				return container.ContainerCreateCreatedBody{}, errors.New("unexpected")
+			}
+		},
+		imageCreateFunc: func(parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
+			return ioutil.NopCloser(strings.NewReader("")), nil
+		},
+		infoFunc: func() (types.Info, error) {
+			return types.Info{IndexServerAddress: "http://indexserver"}, nil
+		},
+	}
+	cli := test.NewFakeCli(client)
+	config := &containerConfig{
+		Config: &container.Config{
+			Image: imageName,
+		},
+		HostConfig: &container.HostConfig{},
+	}
+	body, err := createContainer(context.Background(), cli, config, &createOptions{
+		name:      "name",
+		platform:  runtime.GOOS,
+		untrusted: true,
+	})
+	assert.NilError(t, err)
+	expected := container.ContainerCreateCreatedBody{ID: containerID}
+	assert.Check(t, is.DeepEqual(expected, *body))
+	stderr := cli.ErrBuffer().String()
+	assert.Check(t, is.Contains(stderr, "Unable to find image 'does-not-exist-locally:latest' locally"))
+}
+
+func TestNewCreateCommandWithContentTrustErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+		notaryFunc    test.NotaryClientFuncType
+	}{
+		{
+			name:          "offline-notary-server",
+			notaryFunc:    notary.GetOfflineNotaryRepository,
+			expectedError: "client is offline",
+			args:          []string{"image:tag"},
+		},
+		{
+			name:          "uninitialized-notary-server",
+			notaryFunc:    notary.GetUninitializedNotaryRepository,
+			expectedError: "remote trust data does not exist",
+			args:          []string{"image:tag"},
+		},
+		{
+			name:          "empty-notary-server",
+			notaryFunc:    notary.GetEmptyTargetsNotaryRepository,
+			expectedError: "No valid trust data for tag",
+			args:          []string{"image:tag"},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			createContainerFunc: func(config *container.Config,
+				hostConfig *container.HostConfig,
+				networkingConfig *network.NetworkingConfig,
+				containerName string,
+			) (container.ContainerCreateCreatedBody, error) {
+				return container.ContainerCreateCreatedBody{}, fmt.Errorf("shouldn't try to pull image")
+			},
+		}, test.EnableContentTrust)
+		cli.SetNotaryClient(tc.notaryFunc)
+		cmd := NewCreateCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		err := cmd.Execute()
+		assert.ErrorContains(t, err, tc.expectedError)
+	}
+}
+
+type fakeNotFound struct{}
+
+func (f fakeNotFound) NotFound() bool { return true }
+func (f fakeNotFound) Error() string  { return "error fake not found" }
diff --git a/cli/cli/command/container/diff.go b/cli/cli/command/container/diff.go
new file mode 100644
index 00000000..39b71c80
--- /dev/null
+++ b/cli/cli/command/container/diff.go
@@ -0,0 +1,47 @@
+package container
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type diffOptions struct {
+	container string
+}
+
+// NewDiffCommand creates a new cobra.Command for `docker diff`
+func NewDiffCommand(dockerCli command.Cli) *cobra.Command {
+	var opts diffOptions
+
+	return &cobra.Command{
+		Use:   "diff CONTAINER",
+		Short: "Inspect changes to files or directories on a container's filesystem",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.container = args[0]
+			return runDiff(dockerCli, &opts)
+		},
+	}
+}
+
+func runDiff(dockerCli command.Cli, opts *diffOptions) error {
+	if opts.container == "" {
+		return errors.New("Container name cannot be empty")
+	}
+	ctx := context.Background()
+
+	changes, err := dockerCli.Client().ContainerDiff(ctx, opts.container)
+	if err != nil {
+		return err
+	}
+	diffCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewDiffFormat("{{.Type}} {{.Path}}"),
+	}
+	return formatter.DiffWrite(diffCtx, changes)
+}
diff --git a/cli/cli/command/container/exec.go b/cli/cli/command/container/exec.go
new file mode 100644
index 00000000..c96f4055
--- /dev/null
+++ b/cli/cli/command/container/exec.go
@@ -0,0 +1,214 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	apiclient "github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+type execOptions struct {
+	detachKeys  string
+	interactive bool
+	tty         bool
+	detach      bool
+	user        string
+	privileged  bool
+	env         opts.ListOpts
+	workdir     string
+	container   string
+	command     []string
+}
+
+func newExecOptions() execOptions {
+	return execOptions{env: opts.NewListOpts(opts.ValidateEnv)}
+}
+
+// NewExecCommand creates a new cobra.Command for `docker exec`
+func NewExecCommand(dockerCli command.Cli) *cobra.Command {
+	options := newExecOptions()
+
+	cmd := &cobra.Command{
+		Use:   "exec [OPTIONS] CONTAINER COMMAND [ARG...]",
+		Short: "Run a command in a running container",
+		Args:  cli.RequiresMinArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.container = args[0]
+			options.command = args[1:]
+			return runExec(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.SetInterspersed(false)
+
+	flags.StringVarP(&options.detachKeys, "detach-keys", "", "", "Override the key sequence for detaching a container")
+	flags.BoolVarP(&options.interactive, "interactive", "i", false, "Keep STDIN open even if not attached")
+	flags.BoolVarP(&options.tty, "tty", "t", false, "Allocate a pseudo-TTY")
+	flags.BoolVarP(&options.detach, "detach", "d", false, "Detached mode: run command in the background")
+	flags.StringVarP(&options.user, "user", "u", "", "Username or UID (format: <name|uid>[:<group|gid>])")
+	flags.BoolVarP(&options.privileged, "privileged", "", false, "Give extended privileges to the command")
+	flags.VarP(&options.env, "env", "e", "Set environment variables")
+	flags.SetAnnotation("env", "version", []string{"1.25"})
+	flags.StringVarP(&options.workdir, "workdir", "w", "", "Working directory inside the container")
+	flags.SetAnnotation("workdir", "version", []string{"1.35"})
+
+	return cmd
+}
+
+func runExec(dockerCli command.Cli, options execOptions) error {
+	execConfig := parseExec(options, dockerCli.ConfigFile())
+	ctx := context.Background()
+	client := dockerCli.Client()
+
+	// We need to check the tty _before_ we do the ContainerExecCreate, because
+	// otherwise if we error out we will leak execIDs on the server (and
+	// there's no easy way to clean those up). But also in order to make "not
+	// exist" errors take precedence we do a dummy inspect first.
+	if _, err := client.ContainerInspect(ctx, options.container); err != nil {
+		return err
+	}
+	if !execConfig.Detach {
+		if err := dockerCli.In().CheckTty(execConfig.AttachStdin, execConfig.Tty); err != nil {
+			return err
+		}
+	}
+
+	response, err := client.ContainerExecCreate(ctx, options.container, *execConfig)
+	if err != nil {
+		return err
+	}
+
+	execID := response.ID
+	if execID == "" {
+		return errors.New("exec ID empty")
+	}
+
+	if execConfig.Detach {
+		execStartCheck := types.ExecStartCheck{
+			Detach: execConfig.Detach,
+			Tty:    execConfig.Tty,
+		}
+		return client.ContainerExecStart(ctx, execID, execStartCheck)
+	}
+	return interactiveExec(ctx, dockerCli, execConfig, execID)
+}
+
+func interactiveExec(ctx context.Context, dockerCli command.Cli, execConfig *types.ExecConfig, execID string) error {
+	// Interactive exec requested.
+	var (
+		out, stderr io.Writer
+		in          io.ReadCloser
+	)
+
+	if execConfig.AttachStdin {
+		in = dockerCli.In()
+	}
+	if execConfig.AttachStdout {
+		out = dockerCli.Out()
+	}
+	if execConfig.AttachStderr {
+		if execConfig.Tty {
+			stderr = dockerCli.Out()
+		} else {
+			stderr = dockerCli.Err()
+		}
+	}
+
+	client := dockerCli.Client()
+	execStartCheck := types.ExecStartCheck{
+		Tty: execConfig.Tty,
+	}
+	resp, err := client.ContainerExecAttach(ctx, execID, execStartCheck)
+	if err != nil {
+		return err
+	}
+	defer resp.Close()
+
+	errCh := make(chan error, 1)
+
+	go func() {
+		defer close(errCh)
+		errCh <- func() error {
+			streamer := hijackedIOStreamer{
+				streams:      dockerCli,
+				inputStream:  in,
+				outputStream: out,
+				errorStream:  stderr,
+				resp:         resp,
+				tty:          execConfig.Tty,
+				detachKeys:   execConfig.DetachKeys,
+			}
+
+			return streamer.stream(ctx)
+		}()
+	}()
+
+	if execConfig.Tty && dockerCli.In().IsTerminal() {
+		if err := MonitorTtySize(ctx, dockerCli, execID, true); err != nil {
+			fmt.Fprintln(dockerCli.Err(), "Error monitoring TTY size:", err)
+		}
+	}
+
+	if err := <-errCh; err != nil {
+		logrus.Debugf("Error hijack: %s", err)
+		return err
+	}
+
+	return getExecExitStatus(ctx, client, execID)
+}
+
+func getExecExitStatus(ctx context.Context, client apiclient.ContainerAPIClient, execID string) error {
+	resp, err := client.ContainerExecInspect(ctx, execID)
+	if err != nil {
+		// If we can't connect, then the daemon probably died.
+		if !apiclient.IsErrConnectionFailed(err) {
+			return err
+		}
+		return cli.StatusError{StatusCode: -1}
+	}
+	status := resp.ExitCode
+	if status != 0 {
+		return cli.StatusError{StatusCode: status}
+	}
+	return nil
+}
+
+// parseExec parses the specified args for the specified command and generates
+// an ExecConfig from it.
+func parseExec(opts execOptions, configFile *configfile.ConfigFile) *types.ExecConfig {
+	execConfig := &types.ExecConfig{
+		User:       opts.user,
+		Privileged: opts.privileged,
+		Tty:        opts.tty,
+		Cmd:        opts.command,
+		Detach:     opts.detach,
+		Env:        opts.env.GetAll(),
+		WorkingDir: opts.workdir,
+	}
+
+	// If -d is not set, attach to everything by default
+	if !opts.detach {
+		execConfig.AttachStdout = true
+		execConfig.AttachStderr = true
+		if opts.interactive {
+			execConfig.AttachStdin = true
+		}
+	}
+
+	if opts.detachKeys != "" {
+		execConfig.DetachKeys = opts.detachKeys
+	} else {
+		execConfig.DetachKeys = configFile.DetachKeys
+	}
+	return execConfig
+}
diff --git a/cli/cli/command/container/exec_test.go b/cli/cli/command/container/exec_test.go
new file mode 100644
index 00000000..0c6e2614
--- /dev/null
+++ b/cli/cli/command/container/exec_test.go
@@ -0,0 +1,227 @@
+package container
+
+import (
+	"context"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func withDefaultOpts(options execOptions) execOptions {
+	options.env = opts.NewListOpts(opts.ValidateEnv)
+	if len(options.command) == 0 {
+		options.command = []string{"command"}
+	}
+	return options
+}
+
+func TestParseExec(t *testing.T) {
+	testcases := []struct {
+		options    execOptions
+		configFile configfile.ConfigFile
+		expected   types.ExecConfig
+	}{
+		{
+			expected: types.ExecConfig{
+				Cmd:          []string{"command"},
+				AttachStdout: true,
+				AttachStderr: true,
+			},
+			options: withDefaultOpts(execOptions{}),
+		},
+		{
+			expected: types.ExecConfig{
+				Cmd:          []string{"command1", "command2"},
+				AttachStdout: true,
+				AttachStderr: true,
+			},
+			options: withDefaultOpts(execOptions{
+				command: []string{"command1", "command2"},
+			}),
+		},
+		{
+			options: withDefaultOpts(execOptions{
+				interactive: true,
+				tty:         true,
+				user:        "uid",
+			}),
+			expected: types.ExecConfig{
+				User:         "uid",
+				AttachStdin:  true,
+				AttachStdout: true,
+				AttachStderr: true,
+				Tty:          true,
+				Cmd:          []string{"command"},
+			},
+		},
+		{
+			options: withDefaultOpts(execOptions{detach: true}),
+			expected: types.ExecConfig{
+				Detach: true,
+				Cmd:    []string{"command"},
+			},
+		},
+		{
+			options: withDefaultOpts(execOptions{
+				tty:         true,
+				interactive: true,
+				detach:      true,
+			}),
+			expected: types.ExecConfig{
+				Detach: true,
+				Tty:    true,
+				Cmd:    []string{"command"},
+			},
+		},
+		{
+			options:    withDefaultOpts(execOptions{detach: true}),
+			configFile: configfile.ConfigFile{DetachKeys: "de"},
+			expected: types.ExecConfig{
+				Cmd:        []string{"command"},
+				DetachKeys: "de",
+				Detach:     true,
+			},
+		},
+		{
+			options: withDefaultOpts(execOptions{
+				detach:     true,
+				detachKeys: "ab",
+			}),
+			configFile: configfile.ConfigFile{DetachKeys: "de"},
+			expected: types.ExecConfig{
+				Cmd:        []string{"command"},
+				DetachKeys: "ab",
+				Detach:     true,
+			},
+		},
+	}
+
+	for _, testcase := range testcases {
+		execConfig := parseExec(testcase.options, &testcase.configFile)
+		assert.Check(t, is.DeepEqual(testcase.expected, *execConfig))
+	}
+}
+
+func TestRunExec(t *testing.T) {
+	var testcases = []struct {
+		doc           string
+		options       execOptions
+		client        fakeClient
+		expectedError string
+		expectedOut   string
+		expectedErr   string
+	}{
+		{
+			doc: "successful detach",
+			options: withDefaultOpts(execOptions{
+				container: "thecontainer",
+				detach:    true,
+			}),
+			client: fakeClient{execCreateFunc: execCreateWithID},
+		},
+		{
+			doc:     "inspect error",
+			options: newExecOptions(),
+			client: fakeClient{
+				inspectFunc: func(string) (types.ContainerJSON, error) {
+					return types.ContainerJSON{}, errors.New("failed inspect")
+				},
+			},
+			expectedError: "failed inspect",
+		},
+		{
+			doc:           "missing exec ID",
+			options:       newExecOptions(),
+			expectedError: "exec ID empty",
+		},
+	}
+
+	for _, testcase := range testcases {
+		t.Run(testcase.doc, func(t *testing.T) {
+			cli := test.NewFakeCli(&testcase.client)
+
+			err := runExec(cli, testcase.options)
+			if testcase.expectedError != "" {
+				assert.ErrorContains(t, err, testcase.expectedError)
+			} else {
+				if !assert.Check(t, err) {
+					return
+				}
+			}
+			assert.Check(t, is.Equal(testcase.expectedOut, cli.OutBuffer().String()))
+			assert.Check(t, is.Equal(testcase.expectedErr, cli.ErrBuffer().String()))
+		})
+	}
+}
+
+func execCreateWithID(_ string, _ types.ExecConfig) (types.IDResponse, error) {
+	return types.IDResponse{ID: "execid"}, nil
+}
+
+func TestGetExecExitStatus(t *testing.T) {
+	execID := "the exec id"
+	expecatedErr := errors.New("unexpected error")
+
+	testcases := []struct {
+		inspectError  error
+		exitCode      int
+		expectedError error
+	}{
+		{
+			inspectError: nil,
+			exitCode:     0,
+		},
+		{
+			inspectError:  expecatedErr,
+			expectedError: expecatedErr,
+		},
+		{
+			exitCode:      15,
+			expectedError: cli.StatusError{StatusCode: 15},
+		},
+	}
+
+	for _, testcase := range testcases {
+		client := &fakeClient{
+			execInspectFunc: func(id string) (types.ContainerExecInspect, error) {
+				assert.Check(t, is.Equal(execID, id))
+				return types.ContainerExecInspect{ExitCode: testcase.exitCode}, testcase.inspectError
+			},
+		}
+		err := getExecExitStatus(context.Background(), client, execID)
+		assert.Check(t, is.Equal(testcase.expectedError, err))
+	}
+}
+
+func TestNewExecCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name                 string
+		args                 []string
+		expectedError        string
+		containerInspectFunc func(img string) (types.ContainerJSON, error)
+	}{
+		{
+			name:          "client-error",
+			args:          []string{"5cb5bb5e4a3b", "-t", "-i", "bash"},
+			expectedError: "something went wrong",
+			containerInspectFunc: func(containerID string) (types.ContainerJSON, error) {
+				return types.ContainerJSON{}, errors.Errorf("something went wrong")
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{inspectFunc: tc.containerInspectFunc})
+		cmd := NewExecCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
diff --git a/cli/cli/command/container/export.go b/cli/cli/command/container/export.go
new file mode 100644
index 00000000..f0f67373
--- /dev/null
+++ b/cli/cli/command/container/export.go
@@ -0,0 +1,58 @@
+package container
+
+import (
+	"context"
+	"io"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type exportOptions struct {
+	container string
+	output    string
+}
+
+// NewExportCommand creates a new `docker export` command
+func NewExportCommand(dockerCli command.Cli) *cobra.Command {
+	var opts exportOptions
+
+	cmd := &cobra.Command{
+		Use:   "export [OPTIONS] CONTAINER",
+		Short: "Export a container's filesystem as a tar archive",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.container = args[0]
+			return runExport(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.StringVarP(&opts.output, "output", "o", "", "Write to a file, instead of STDOUT")
+
+	return cmd
+}
+
+func runExport(dockerCli command.Cli, opts exportOptions) error {
+	if opts.output == "" && dockerCli.Out().IsTerminal() {
+		return errors.New("cowardly refusing to save to a terminal. Use the -o flag or redirect")
+	}
+
+	clnt := dockerCli.Client()
+
+	responseBody, err := clnt.ContainerExport(context.Background(), opts.container)
+	if err != nil {
+		return err
+	}
+	defer responseBody.Close()
+
+	if opts.output == "" {
+		_, err := io.Copy(dockerCli.Out(), responseBody)
+		return err
+	}
+
+	return command.CopyToFile(opts.output, responseBody)
+}
diff --git a/cli/cli/command/container/hijack.go b/cli/cli/command/container/hijack.go
new file mode 100644
index 00000000..78fbebe0
--- /dev/null
+++ b/cli/cli/command/container/hijack.go
@@ -0,0 +1,208 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"runtime"
+	"sync"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/docker/docker/pkg/term"
+	"github.com/sirupsen/logrus"
+)
+
+// The default escape key sequence: ctrl-p, ctrl-q
+// TODO: This could be moved to `pkg/term`.
+var defaultEscapeKeys = []byte{16, 17}
+
+// A hijackedIOStreamer handles copying input to and output from streams to the
+// connection.
+type hijackedIOStreamer struct {
+	streams      command.Streams
+	inputStream  io.ReadCloser
+	outputStream io.Writer
+	errorStream  io.Writer
+
+	resp types.HijackedResponse
+
+	tty        bool
+	detachKeys string
+}
+
+// stream handles setting up the IO and then begins streaming stdin/stdout
+// to/from the hijacked connection, blocking until it is either done reading
+// output, the user inputs the detach key sequence when in TTY mode, or when
+// the given context is cancelled.
+func (h *hijackedIOStreamer) stream(ctx context.Context) error {
+	restoreInput, err := h.setupInput()
+	if err != nil {
+		return fmt.Errorf("unable to setup input stream: %s", err)
+	}
+
+	defer restoreInput()
+
+	outputDone := h.beginOutputStream(restoreInput)
+	inputDone, detached := h.beginInputStream(restoreInput)
+
+	select {
+	case err := <-outputDone:
+		return err
+	case <-inputDone:
+		// Input stream has closed.
+		if h.outputStream != nil || h.errorStream != nil {
+			// Wait for output to complete streaming.
+			select {
+			case err := <-outputDone:
+				return err
+			case <-ctx.Done():
+				return ctx.Err()
+			}
+		}
+		return nil
+	case err := <-detached:
+		// Got a detach key sequence.
+		return err
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
+func (h *hijackedIOStreamer) setupInput() (restore func(), err error) {
+	if h.inputStream == nil || !h.tty {
+		// No need to setup input TTY.
+		// The restore func is a nop.
+		return func() {}, nil
+	}
+
+	if err := setRawTerminal(h.streams); err != nil {
+		return nil, fmt.Errorf("unable to set IO streams as raw terminal: %s", err)
+	}
+
+	// Use sync.Once so we may call restore multiple times but ensure we
+	// only restore the terminal once.
+	var restoreOnce sync.Once
+	restore = func() {
+		restoreOnce.Do(func() {
+			restoreTerminal(h.streams, h.inputStream)
+		})
+	}
+
+	// Wrap the input to detect detach escape sequence.
+	// Use default escape keys if an invalid sequence is given.
+	escapeKeys := defaultEscapeKeys
+	if h.detachKeys != "" {
+		customEscapeKeys, err := term.ToBytes(h.detachKeys)
+		if err != nil {
+			logrus.Warnf("invalid detach escape keys, using default: %s", err)
+		} else {
+			escapeKeys = customEscapeKeys
+		}
+	}
+
+	h.inputStream = ioutils.NewReadCloserWrapper(term.NewEscapeProxy(h.inputStream, escapeKeys), h.inputStream.Close)
+
+	return restore, nil
+}
+
+func (h *hijackedIOStreamer) beginOutputStream(restoreInput func()) <-chan error {
+	if h.outputStream == nil && h.errorStream == nil {
+		// There is no need to copy output.
+		return nil
+	}
+
+	outputDone := make(chan error)
+	go func() {
+		var err error
+
+		// When TTY is ON, use regular copy
+		if h.outputStream != nil && h.tty {
+			_, err = io.Copy(h.outputStream, h.resp.Reader)
+			// We should restore the terminal as soon as possible
+			// once the connection ends so any following print
+			// messages will be in normal type.
+			restoreInput()
+		} else {
+			_, err = stdcopy.StdCopy(h.outputStream, h.errorStream, h.resp.Reader)
+		}
+
+		logrus.Debug("[hijack] End of stdout")
+
+		if err != nil {
+			logrus.Debugf("Error receiveStdout: %s", err)
+		}
+
+		outputDone <- err
+	}()
+
+	return outputDone
+}
+
+func (h *hijackedIOStreamer) beginInputStream(restoreInput func()) (doneC <-chan struct{}, detachedC <-chan error) {
+	inputDone := make(chan struct{})
+	detached := make(chan error)
+
+	go func() {
+		if h.inputStream != nil {
+			_, err := io.Copy(h.resp.Conn, h.inputStream)
+			// We should restore the terminal as soon as possible
+			// once the connection ends so any following print
+			// messages will be in normal type.
+			restoreInput()
+
+			logrus.Debug("[hijack] End of stdin")
+
+			if _, ok := err.(term.EscapeError); ok {
+				detached <- err
+				return
+			}
+
+			if err != nil {
+				// This error will also occur on the receive
+				// side (from stdout) where it will be
+				// propagated back to the caller.
+				logrus.Debugf("Error sendStdin: %s", err)
+			}
+		}
+
+		if err := h.resp.CloseWrite(); err != nil {
+			logrus.Debugf("Couldn't send EOF: %s", err)
+		}
+
+		close(inputDone)
+	}()
+
+	return inputDone, detached
+}
+
+func setRawTerminal(streams command.Streams) error {
+	if err := streams.In().SetRawTerminal(); err != nil {
+		return err
+	}
+	return streams.Out().SetRawTerminal()
+}
+
+// nolint: unparam
+func restoreTerminal(streams command.Streams, in io.Closer) error {
+	streams.In().RestoreTerminal()
+	streams.Out().RestoreTerminal()
+	// WARNING: DO NOT REMOVE THE OS CHECKS !!!
+	// For some reason this Close call blocks on darwin..
+	// As the client exits right after, simply discard the close
+	// until we find a better solution.
+	//
+	// This can also cause the client on Windows to get stuck in Win32 CloseHandle()
+	// in some cases. See https://github.com/docker/docker/issues/28267#issuecomment-288237442
+	// Tracked internally at Microsoft by VSO #11352156. In the
+	// Windows case, you hit this if you are using the native/v2 console,
+	// not the "legacy" console, and you start the client in a new window. eg
+	// `start docker run --rm -it microsoft/nanoserver cmd /s /c echo foobar`
+	// will hang. Remove start, and it won't repro.
+	if in != nil && runtime.GOOS != "darwin" && runtime.GOOS != "windows" {
+		return in.Close()
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/inspect.go b/cli/cli/command/container/inspect.go
new file mode 100644
index 00000000..4f50e2a0
--- /dev/null
+++ b/cli/cli/command/container/inspect.go
@@ -0,0 +1,47 @@
+package container
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	format string
+	size   bool
+	refs   []string
+}
+
+// newInspectCommand creates a new cobra.Command for `docker container inspect`
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] CONTAINER [CONTAINER...]",
+		Short: "Display detailed information on one or more containers",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.refs = args
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	flags.BoolVarP(&opts.size, "size", "s", false, "Display total file sizes")
+
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	getRefFunc := func(ref string) (interface{}, []byte, error) {
+		return client.ContainerInspectWithRaw(ctx, ref, opts.size)
+	}
+	return inspect.Inspect(dockerCli.Out(), opts.refs, opts.format, getRefFunc)
+}
diff --git a/cli/cli/command/container/kill.go b/cli/cli/command/container/kill.go
new file mode 100644
index 00000000..feedbc01
--- /dev/null
+++ b/cli/cli/command/container/kill.go
@@ -0,0 +1,56 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type killOptions struct {
+	signal string
+
+	containers []string
+}
+
+// NewKillCommand creates a new cobra.Command for `docker kill`
+func NewKillCommand(dockerCli command.Cli) *cobra.Command {
+	var opts killOptions
+
+	cmd := &cobra.Command{
+		Use:   "kill [OPTIONS] CONTAINER [CONTAINER...]",
+		Short: "Kill one or more running containers",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.containers = args
+			return runKill(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.signal, "signal", "s", "KILL", "Signal to send to the container")
+	return cmd
+}
+
+func runKill(dockerCli command.Cli, opts *killOptions) error {
+	var errs []string
+	ctx := context.Background()
+	errChan := parallelOperation(ctx, opts.containers, func(ctx context.Context, container string) error {
+		return dockerCli.Client().ContainerKill(ctx, container, opts.signal)
+	})
+	for _, name := range opts.containers {
+		if err := <-errChan; err != nil {
+			errs = append(errs, err.Error())
+		} else {
+			fmt.Fprintln(dockerCli.Out(), name)
+		}
+	}
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/list.go b/cli/cli/command/container/list.go
new file mode 100644
index 00000000..a79507e7
--- /dev/null
+++ b/cli/cli/command/container/list.go
@@ -0,0 +1,140 @@
+package container
+
+import (
+	"context"
+	"io/ioutil"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/opts"
+	"github.com/docker/cli/templates"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+type psOptions struct {
+	quiet   bool
+	size    bool
+	all     bool
+	noTrunc bool
+	nLatest bool
+	last    int
+	format  string
+	filter  opts.FilterOpt
+}
+
+// NewPsCommand creates a new cobra.Command for `docker ps`
+func NewPsCommand(dockerCli command.Cli) *cobra.Command {
+	options := psOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "ps [OPTIONS]",
+		Short: "List containers",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runPs(dockerCli, &options)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display numeric IDs")
+	flags.BoolVarP(&options.size, "size", "s", false, "Display total file sizes")
+	flags.BoolVarP(&options.all, "all", "a", false, "Show all containers (default shows just running)")
+	flags.BoolVar(&options.noTrunc, "no-trunc", false, "Don't truncate output")
+	flags.BoolVarP(&options.nLatest, "latest", "l", false, "Show the latest created container (includes all states)")
+	flags.IntVarP(&options.last, "last", "n", -1, "Show n last created containers (includes all states)")
+	flags.StringVarP(&options.format, "format", "", "", "Pretty-print containers using a Go template")
+	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")
+
+	return cmd
+}
+
+func newListCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := *NewPsCommand(dockerCli)
+	cmd.Aliases = []string{"ps", "list"}
+	cmd.Use = "ls [OPTIONS]"
+	return &cmd
+}
+
+// listOptionsProcessor is used to set any container list options which may only
+// be embedded in the format template.
+// This is passed directly into tmpl.Execute in order to allow the preprocessor
+// to set any list options that were not provided by flags (e.g. `.Size`).
+// It is using a `map[string]bool` so that unknown fields passed into the
+// template format do not cause errors. These errors will get picked up when
+// running through the actual template processor.
+type listOptionsProcessor map[string]bool
+
+// Size sets the size of the map when called by a template execution.
+func (o listOptionsProcessor) Size() bool {
+	o["size"] = true
+	return true
+}
+
+// Label is needed here as it allows the correct pre-processing
+// because Label() is a method with arguments
+func (o listOptionsProcessor) Label(name string) string {
+	return ""
+}
+
+func buildContainerListOptions(opts *psOptions) (*types.ContainerListOptions, error) {
+	options := &types.ContainerListOptions{
+		All:     opts.all,
+		Limit:   opts.last,
+		Size:    opts.size,
+		Filters: opts.filter.Value(),
+	}
+
+	if opts.nLatest && opts.last == -1 {
+		options.Limit = 1
+	}
+
+	tmpl, err := templates.Parse(opts.format)
+
+	if err != nil {
+		return nil, err
+	}
+
+	optionsProcessor := listOptionsProcessor{}
+	// This shouldn't error out but swallowing the error makes it harder
+	// to track down if preProcessor issues come up. Ref #24696
+	if err := tmpl.Execute(ioutil.Discard, optionsProcessor); err != nil {
+		return nil, err
+	}
+	// At the moment all we need is to capture .Size for preprocessor
+	options.Size = opts.size || optionsProcessor["size"]
+
+	return options, nil
+}
+
+func runPs(dockerCli command.Cli, options *psOptions) error {
+	ctx := context.Background()
+
+	listOptions, err := buildContainerListOptions(options)
+	if err != nil {
+		return err
+	}
+
+	containers, err := dockerCli.Client().ContainerList(ctx, *listOptions)
+	if err != nil {
+		return err
+	}
+
+	format := options.format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().PsFormat) > 0 && !options.quiet {
+			format = dockerCli.ConfigFile().PsFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+
+	containerCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewContainerFormat(format, options.quiet, listOptions.Size),
+		Trunc:  !options.noTrunc,
+	}
+	return formatter.ContainerWrite(containerCtx, containers)
+}
diff --git a/cli/cli/command/container/list_test.go b/cli/cli/command/container/list_test.go
new file mode 100644
index 00000000..2bc1949a
--- /dev/null
+++ b/cli/cli/command/container/list_test.go
@@ -0,0 +1,164 @@
+package container
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestContainerListErrors(t *testing.T) {
+	testCases := []struct {
+		args              []string
+		flags             map[string]string
+		containerListFunc func(types.ContainerListOptions) ([]types.Container, error)
+		expectedError     string
+	}{
+		{
+			flags: map[string]string{
+				"format": "{{invalid}}",
+			},
+			expectedError: `function "invalid" not defined`,
+		},
+		{
+			flags: map[string]string{
+				"format": "{{join}}",
+			},
+			expectedError: `wrong number of args for join`,
+		},
+		{
+			containerListFunc: func(_ types.ContainerListOptions) ([]types.Container, error) {
+				return nil, fmt.Errorf("error listing containers")
+			},
+			expectedError: "error listing containers",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newListCommand(
+			test.NewFakeCli(&fakeClient{
+				containerListFunc: tc.containerListFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestContainerListWithoutFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerListFunc: func(_ types.ContainerListOptions) ([]types.Container, error) {
+			return []types.Container{
+				*Container("c1"),
+				*Container("c2", WithName("foo")),
+				*Container("c3", WithPort(80, 80, TCP), WithPort(81, 81, TCP), WithPort(82, 82, TCP)),
+				*Container("c4", WithPort(81, 81, UDP)),
+				*Container("c5", WithPort(82, 82, IP("8.8.8.8"), TCP)),
+			}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "container-list-without-format.golden")
+}
+
+func TestContainerListNoTrunc(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerListFunc: func(_ types.ContainerListOptions) ([]types.Container, error) {
+			return []types.Container{
+				*Container("c1"),
+				*Container("c2", WithName("foo/bar")),
+			}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	cmd.Flags().Set("no-trunc", "true")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "container-list-without-format-no-trunc.golden")
+}
+
+// Test for GitHub issue docker/docker#21772
+func TestContainerListNamesMultipleTime(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerListFunc: func(_ types.ContainerListOptions) ([]types.Container, error) {
+			return []types.Container{
+				*Container("c1"),
+				*Container("c2", WithName("foo/bar")),
+			}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	cmd.Flags().Set("format", "{{.Names}} {{.Names}}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "container-list-format-name-name.golden")
+}
+
+// Test for GitHub issue docker/docker#30291
+func TestContainerListFormatTemplateWithArg(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerListFunc: func(_ types.ContainerListOptions) ([]types.Container, error) {
+			return []types.Container{
+				*Container("c1", WithLabel("some.label", "value")),
+				*Container("c2", WithName("foo/bar"), WithLabel("foo", "bar")),
+			}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	cmd.Flags().Set("format", `{{.Names}} {{.Label "some.label"}}`)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "container-list-format-with-arg.golden")
+}
+
+func TestContainerListFormatSizeSetsOption(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerListFunc: func(options types.ContainerListOptions) ([]types.Container, error) {
+			assert.Check(t, options.Size)
+			return []types.Container{}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	cmd.Flags().Set("format", `{{.Size}}`)
+	assert.NilError(t, cmd.Execute())
+}
+
+func TestContainerListWithConfigFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerListFunc: func(_ types.ContainerListOptions) ([]types.Container, error) {
+			return []types.Container{
+				*Container("c1", WithLabel("some.label", "value")),
+				*Container("c2", WithName("foo/bar"), WithLabel("foo", "bar")),
+			}, nil
+		},
+	})
+	cli.SetConfigFile(&configfile.ConfigFile{
+		PsFormat: "{{ .Names }} {{ .Image }} {{ .Labels }}",
+	})
+	cmd := newListCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "container-list-with-config-format.golden")
+}
+
+func TestContainerListWithFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		containerListFunc: func(_ types.ContainerListOptions) ([]types.Container, error) {
+			return []types.Container{
+				*Container("c1", WithLabel("some.label", "value")),
+				*Container("c2", WithName("foo/bar"), WithLabel("foo", "bar")),
+			}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	cmd.Flags().Set("format", "{{ .Names }} {{ .Image }} {{ .Labels }}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "container-list-with-format.golden")
+}
diff --git a/cli/cli/command/container/logs.go b/cli/cli/command/container/logs.go
new file mode 100644
index 00000000..b5b526f2
--- /dev/null
+++ b/cli/cli/command/container/logs.go
@@ -0,0 +1,80 @@
+package container
+
+import (
+	"context"
+	"io"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/spf13/cobra"
+)
+
+type logsOptions struct {
+	follow     bool
+	since      string
+	until      string
+	timestamps bool
+	details    bool
+	tail       string
+
+	container string
+}
+
+// NewLogsCommand creates a new cobra.Command for `docker logs`
+func NewLogsCommand(dockerCli command.Cli) *cobra.Command {
+	var opts logsOptions
+
+	cmd := &cobra.Command{
+		Use:   "logs [OPTIONS] CONTAINER",
+		Short: "Fetch the logs of a container",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.container = args[0]
+			return runLogs(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.follow, "follow", "f", false, "Follow log output")
+	flags.StringVar(&opts.since, "since", "", "Show logs since timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)")
+	flags.StringVar(&opts.until, "until", "", "Show logs before a timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)")
+	flags.SetAnnotation("until", "version", []string{"1.35"})
+	flags.BoolVarP(&opts.timestamps, "timestamps", "t", false, "Show timestamps")
+	flags.BoolVar(&opts.details, "details", false, "Show extra details provided to logs")
+	flags.StringVar(&opts.tail, "tail", "all", "Number of lines to show from the end of the logs")
+	return cmd
+}
+
+func runLogs(dockerCli command.Cli, opts *logsOptions) error {
+	ctx := context.Background()
+
+	options := types.ContainerLogsOptions{
+		ShowStdout: true,
+		ShowStderr: true,
+		Since:      opts.since,
+		Until:      opts.until,
+		Timestamps: opts.timestamps,
+		Follow:     opts.follow,
+		Tail:       opts.tail,
+		Details:    opts.details,
+	}
+	responseBody, err := dockerCli.Client().ContainerLogs(ctx, opts.container, options)
+	if err != nil {
+		return err
+	}
+	defer responseBody.Close()
+
+	c, err := dockerCli.Client().ContainerInspect(ctx, opts.container)
+	if err != nil {
+		return err
+	}
+
+	if c.Config.Tty {
+		_, err = io.Copy(dockerCli.Out(), responseBody)
+	} else {
+		_, err = stdcopy.StdCopy(dockerCli.Out(), dockerCli.Err(), responseBody)
+	}
+	return err
+}
diff --git a/cli/cli/command/container/logs_test.go b/cli/cli/command/container/logs_test.go
new file mode 100644
index 00000000..a618ad5e
--- /dev/null
+++ b/cli/cli/command/container/logs_test.go
@@ -0,0 +1,62 @@
+package container
+
+import (
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+var logFn = func(expectedOut string) func(string, types.ContainerLogsOptions) (io.ReadCloser, error) {
+	return func(container string, opts types.ContainerLogsOptions) (io.ReadCloser, error) {
+		return ioutil.NopCloser(strings.NewReader(expectedOut)), nil
+	}
+}
+
+func TestRunLogs(t *testing.T) {
+	inspectFn := func(containerID string) (types.ContainerJSON, error) {
+		return types.ContainerJSON{
+			Config:            &container.Config{Tty: true},
+			ContainerJSONBase: &types.ContainerJSONBase{State: &types.ContainerState{Running: false}},
+		}, nil
+	}
+
+	var testcases = []struct {
+		doc           string
+		options       *logsOptions
+		client        fakeClient
+		expectedError string
+		expectedOut   string
+		expectedErr   string
+	}{
+		{
+			doc:         "successful logs",
+			expectedOut: "foo",
+			options:     &logsOptions{},
+			client:      fakeClient{logFunc: logFn("foo"), inspectFunc: inspectFn},
+		},
+	}
+
+	for _, testcase := range testcases {
+		t.Run(testcase.doc, func(t *testing.T) {
+			cli := test.NewFakeCli(&testcase.client)
+
+			err := runLogs(cli, testcase.options)
+			if testcase.expectedError != "" {
+				assert.ErrorContains(t, err, testcase.expectedError)
+			} else {
+				if !assert.Check(t, err) {
+					return
+				}
+			}
+			assert.Check(t, is.Equal(testcase.expectedOut, cli.OutBuffer().String()))
+			assert.Check(t, is.Equal(testcase.expectedErr, cli.ErrBuffer().String()))
+		})
+	}
+}
diff --git a/cli/cli/command/container/opts.go b/cli/cli/command/container/opts.go
new file mode 100644
index 00000000..b8ff5e4a
--- /dev/null
+++ b/cli/cli/command/container/opts.go
@@ -0,0 +1,836 @@
+package container
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"path"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli/compose/loader"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/container"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/docker/go-connections/nat"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/pflag"
+)
+
+var (
+	deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`)
+)
+
+// containerOptions is a data object with all the options for creating a container
+type containerOptions struct {
+	attach             opts.ListOpts
+	volumes            opts.ListOpts
+	tmpfs              opts.ListOpts
+	mounts             opts.MountOpt
+	blkioWeightDevice  opts.WeightdeviceOpt
+	deviceReadBps      opts.ThrottledeviceOpt
+	deviceWriteBps     opts.ThrottledeviceOpt
+	links              opts.ListOpts
+	aliases            opts.ListOpts
+	linkLocalIPs       opts.ListOpts
+	deviceReadIOps     opts.ThrottledeviceOpt
+	deviceWriteIOps    opts.ThrottledeviceOpt
+	env                opts.ListOpts
+	labels             opts.ListOpts
+	deviceCgroupRules  opts.ListOpts
+	devices            opts.ListOpts
+	ulimits            *opts.UlimitOpt
+	sysctls            *opts.MapOpts
+	publish            opts.ListOpts
+	expose             opts.ListOpts
+	dns                opts.ListOpts
+	dnsSearch          opts.ListOpts
+	dnsOptions         opts.ListOpts
+	extraHosts         opts.ListOpts
+	volumesFrom        opts.ListOpts
+	envFile            opts.ListOpts
+	capAdd             opts.ListOpts
+	capDrop            opts.ListOpts
+	groupAdd           opts.ListOpts
+	securityOpt        opts.ListOpts
+	storageOpt         opts.ListOpts
+	labelsFile         opts.ListOpts
+	loggingOpts        opts.ListOpts
+	privileged         bool
+	pidMode            string
+	utsMode            string
+	usernsMode         string
+	publishAll         bool
+	stdin              bool
+	tty                bool
+	oomKillDisable     bool
+	oomScoreAdj        int
+	containerIDFile    string
+	entrypoint         string
+	hostname           string
+	memory             opts.MemBytes
+	memoryReservation  opts.MemBytes
+	memorySwap         opts.MemSwapBytes
+	kernelMemory       opts.MemBytes
+	user               string
+	workingDir         string
+	cpuCount           int64
+	cpuShares          int64
+	cpuPercent         int64
+	cpuPeriod          int64
+	cpuRealtimePeriod  int64
+	cpuRealtimeRuntime int64
+	cpuQuota           int64
+	cpus               opts.NanoCPUs
+	cpusetCpus         string
+	cpusetMems         string
+	blkioWeight        uint16
+	ioMaxBandwidth     opts.MemBytes
+	ioMaxIOps          uint64
+	swappiness         int64
+	netMode            string
+	macAddress         string
+	ipv4Address        string
+	ipv6Address        string
+	ipcMode            string
+	pidsLimit          int64
+	restartPolicy      string
+	readonlyRootfs     bool
+	loggingDriver      string
+	cgroupParent       string
+	volumeDriver       string
+	stopSignal         string
+	stopTimeout        int
+	isolation          string
+	shmSize            opts.MemBytes
+	noHealthcheck      bool
+	healthCmd          string
+	healthInterval     time.Duration
+	healthTimeout      time.Duration
+	healthStartPeriod  time.Duration
+	healthRetries      int
+	runtime            string
+	autoRemove         bool
+	init               bool
+
+	Image string
+	Args  []string
+}
+
+// addFlags adds all command line flags that will be used by parse to the FlagSet
+func addFlags(flags *pflag.FlagSet) *containerOptions {
+	copts := &containerOptions{
+		aliases:           opts.NewListOpts(nil),
+		attach:            opts.NewListOpts(validateAttach),
+		blkioWeightDevice: opts.NewWeightdeviceOpt(opts.ValidateWeightDevice),
+		capAdd:            opts.NewListOpts(nil),
+		capDrop:           opts.NewListOpts(nil),
+		dns:               opts.NewListOpts(opts.ValidateIPAddress),
+		dnsOptions:        opts.NewListOpts(nil),
+		dnsSearch:         opts.NewListOpts(opts.ValidateDNSSearch),
+		deviceCgroupRules: opts.NewListOpts(validateDeviceCgroupRule),
+		deviceReadBps:     opts.NewThrottledeviceOpt(opts.ValidateThrottleBpsDevice),
+		deviceReadIOps:    opts.NewThrottledeviceOpt(opts.ValidateThrottleIOpsDevice),
+		deviceWriteBps:    opts.NewThrottledeviceOpt(opts.ValidateThrottleBpsDevice),
+		deviceWriteIOps:   opts.NewThrottledeviceOpt(opts.ValidateThrottleIOpsDevice),
+		devices:           opts.NewListOpts(validateDevice),
+		env:               opts.NewListOpts(opts.ValidateEnv),
+		envFile:           opts.NewListOpts(nil),
+		expose:            opts.NewListOpts(nil),
+		extraHosts:        opts.NewListOpts(opts.ValidateExtraHost),
+		groupAdd:          opts.NewListOpts(nil),
+		labels:            opts.NewListOpts(nil),
+		labelsFile:        opts.NewListOpts(nil),
+		linkLocalIPs:      opts.NewListOpts(nil),
+		links:             opts.NewListOpts(opts.ValidateLink),
+		loggingOpts:       opts.NewListOpts(nil),
+		publish:           opts.NewListOpts(nil),
+		securityOpt:       opts.NewListOpts(nil),
+		storageOpt:        opts.NewListOpts(nil),
+		sysctls:           opts.NewMapOpts(nil, opts.ValidateSysctl),
+		tmpfs:             opts.NewListOpts(nil),
+		ulimits:           opts.NewUlimitOpt(nil),
+		volumes:           opts.NewListOpts(nil),
+		volumesFrom:       opts.NewListOpts(nil),
+	}
+
+	// General purpose flags
+	flags.VarP(&copts.attach, "attach", "a", "Attach to STDIN, STDOUT or STDERR")
+	flags.Var(&copts.deviceCgroupRules, "device-cgroup-rule", "Add a rule to the cgroup allowed devices list")
+	flags.Var(&copts.devices, "device", "Add a host device to the container")
+	flags.VarP(&copts.env, "env", "e", "Set environment variables")
+	flags.Var(&copts.envFile, "env-file", "Read in a file of environment variables")
+	flags.StringVar(&copts.entrypoint, "entrypoint", "", "Overwrite the default ENTRYPOINT of the image")
+	flags.Var(&copts.groupAdd, "group-add", "Add additional groups to join")
+	flags.StringVarP(&copts.hostname, "hostname", "h", "", "Container host name")
+	flags.BoolVarP(&copts.stdin, "interactive", "i", false, "Keep STDIN open even if not attached")
+	flags.VarP(&copts.labels, "label", "l", "Set meta data on a container")
+	flags.Var(&copts.labelsFile, "label-file", "Read in a line delimited file of labels")
+	flags.BoolVar(&copts.readonlyRootfs, "read-only", false, "Mount the container's root filesystem as read only")
+	flags.StringVar(&copts.restartPolicy, "restart", "no", "Restart policy to apply when a container exits")
+	flags.StringVar(&copts.stopSignal, "stop-signal", signal.DefaultStopSignal, "Signal to stop a container")
+	flags.IntVar(&copts.stopTimeout, "stop-timeout", 0, "Timeout (in seconds) to stop a container")
+	flags.SetAnnotation("stop-timeout", "version", []string{"1.25"})
+	flags.Var(copts.sysctls, "sysctl", "Sysctl options")
+	flags.BoolVarP(&copts.tty, "tty", "t", false, "Allocate a pseudo-TTY")
+	flags.Var(copts.ulimits, "ulimit", "Ulimit options")
+	flags.StringVarP(&copts.user, "user", "u", "", "Username or UID (format: <name|uid>[:<group|gid>])")
+	flags.StringVarP(&copts.workingDir, "workdir", "w", "", "Working directory inside the container")
+	flags.BoolVar(&copts.autoRemove, "rm", false, "Automatically remove the container when it exits")
+
+	// Security
+	flags.Var(&copts.capAdd, "cap-add", "Add Linux capabilities")
+	flags.Var(&copts.capDrop, "cap-drop", "Drop Linux capabilities")
+	flags.BoolVar(&copts.privileged, "privileged", false, "Give extended privileges to this container")
+	flags.Var(&copts.securityOpt, "security-opt", "Security Options")
+	flags.StringVar(&copts.usernsMode, "userns", "", "User namespace to use")
+
+	// Network and port publishing flag
+	flags.Var(&copts.extraHosts, "add-host", "Add a custom host-to-IP mapping (host:ip)")
+	flags.Var(&copts.dns, "dns", "Set custom DNS servers")
+	// We allow for both "--dns-opt" and "--dns-option", although the latter is the recommended way.
+	// This is to be consistent with service create/update
+	flags.Var(&copts.dnsOptions, "dns-opt", "Set DNS options")
+	flags.Var(&copts.dnsOptions, "dns-option", "Set DNS options")
+	flags.MarkHidden("dns-opt")
+	flags.Var(&copts.dnsSearch, "dns-search", "Set custom DNS search domains")
+	flags.Var(&copts.expose, "expose", "Expose a port or a range of ports")
+	flags.StringVar(&copts.ipv4Address, "ip", "", "IPv4 address (e.g., 172.30.100.104)")
+	flags.StringVar(&copts.ipv6Address, "ip6", "", "IPv6 address (e.g., 2001:db8::33)")
+	flags.Var(&copts.links, "link", "Add link to another container")
+	flags.Var(&copts.linkLocalIPs, "link-local-ip", "Container IPv4/IPv6 link-local addresses")
+	flags.StringVar(&copts.macAddress, "mac-address", "", "Container MAC address (e.g., 92:d0:c6:0a:29:33)")
+	flags.VarP(&copts.publish, "publish", "p", "Publish a container's port(s) to the host")
+	flags.BoolVarP(&copts.publishAll, "publish-all", "P", false, "Publish all exposed ports to random ports")
+	// We allow for both "--net" and "--network", although the latter is the recommended way.
+	flags.StringVar(&copts.netMode, "net", "default", "Connect a container to a network")
+	flags.StringVar(&copts.netMode, "network", "default", "Connect a container to a network")
+	flags.MarkHidden("net")
+	// We allow for both "--net-alias" and "--network-alias", although the latter is the recommended way.
+	flags.Var(&copts.aliases, "net-alias", "Add network-scoped alias for the container")
+	flags.Var(&copts.aliases, "network-alias", "Add network-scoped alias for the container")
+	flags.MarkHidden("net-alias")
+
+	// Logging and storage
+	flags.StringVar(&copts.loggingDriver, "log-driver", "", "Logging driver for the container")
+	flags.StringVar(&copts.volumeDriver, "volume-driver", "", "Optional volume driver for the container")
+	flags.Var(&copts.loggingOpts, "log-opt", "Log driver options")
+	flags.Var(&copts.storageOpt, "storage-opt", "Storage driver options for the container")
+	flags.Var(&copts.tmpfs, "tmpfs", "Mount a tmpfs directory")
+	flags.Var(&copts.volumesFrom, "volumes-from", "Mount volumes from the specified container(s)")
+	flags.VarP(&copts.volumes, "volume", "v", "Bind mount a volume")
+	flags.Var(&copts.mounts, "mount", "Attach a filesystem mount to the container")
+
+	// Health-checking
+	flags.StringVar(&copts.healthCmd, "health-cmd", "", "Command to run to check health")
+	flags.DurationVar(&copts.healthInterval, "health-interval", 0, "Time between running the check (ms|s|m|h) (default 0s)")
+	flags.IntVar(&copts.healthRetries, "health-retries", 0, "Consecutive failures needed to report unhealthy")
+	flags.DurationVar(&copts.healthTimeout, "health-timeout", 0, "Maximum time to allow one check to run (ms|s|m|h) (default 0s)")
+	flags.DurationVar(&copts.healthStartPeriod, "health-start-period", 0, "Start period for the container to initialize before starting health-retries countdown (ms|s|m|h) (default 0s)")
+	flags.SetAnnotation("health-start-period", "version", []string{"1.29"})
+	flags.BoolVar(&copts.noHealthcheck, "no-healthcheck", false, "Disable any container-specified HEALTHCHECK")
+
+	// Resource management
+	flags.Uint16Var(&copts.blkioWeight, "blkio-weight", 0, "Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)")
+	flags.Var(&copts.blkioWeightDevice, "blkio-weight-device", "Block IO weight (relative device weight)")
+	flags.StringVar(&copts.containerIDFile, "cidfile", "", "Write the container ID to the file")
+	flags.StringVar(&copts.cpusetCpus, "cpuset-cpus", "", "CPUs in which to allow execution (0-3, 0,1)")
+	flags.StringVar(&copts.cpusetMems, "cpuset-mems", "", "MEMs in which to allow execution (0-3, 0,1)")
+	flags.Int64Var(&copts.cpuCount, "cpu-count", 0, "CPU count (Windows only)")
+	flags.SetAnnotation("cpu-count", "ostype", []string{"windows"})
+	flags.Int64Var(&copts.cpuPercent, "cpu-percent", 0, "CPU percent (Windows only)")
+	flags.SetAnnotation("cpu-percent", "ostype", []string{"windows"})
+	flags.Int64Var(&copts.cpuPeriod, "cpu-period", 0, "Limit CPU CFS (Completely Fair Scheduler) period")
+	flags.Int64Var(&copts.cpuQuota, "cpu-quota", 0, "Limit CPU CFS (Completely Fair Scheduler) quota")
+	flags.Int64Var(&copts.cpuRealtimePeriod, "cpu-rt-period", 0, "Limit CPU real-time period in microseconds")
+	flags.SetAnnotation("cpu-rt-period", "version", []string{"1.25"})
+	flags.Int64Var(&copts.cpuRealtimeRuntime, "cpu-rt-runtime", 0, "Limit CPU real-time runtime in microseconds")
+	flags.SetAnnotation("cpu-rt-runtime", "version", []string{"1.25"})
+	flags.Int64VarP(&copts.cpuShares, "cpu-shares", "c", 0, "CPU shares (relative weight)")
+	flags.Var(&copts.cpus, "cpus", "Number of CPUs")
+	flags.SetAnnotation("cpus", "version", []string{"1.25"})
+	flags.Var(&copts.deviceReadBps, "device-read-bps", "Limit read rate (bytes per second) from a device")
+	flags.Var(&copts.deviceReadIOps, "device-read-iops", "Limit read rate (IO per second) from a device")
+	flags.Var(&copts.deviceWriteBps, "device-write-bps", "Limit write rate (bytes per second) to a device")
+	flags.Var(&copts.deviceWriteIOps, "device-write-iops", "Limit write rate (IO per second) to a device")
+	flags.Var(&copts.ioMaxBandwidth, "io-maxbandwidth", "Maximum IO bandwidth limit for the system drive (Windows only)")
+	flags.SetAnnotation("io-maxbandwidth", "ostype", []string{"windows"})
+	flags.Uint64Var(&copts.ioMaxIOps, "io-maxiops", 0, "Maximum IOps limit for the system drive (Windows only)")
+	flags.SetAnnotation("io-maxiops", "ostype", []string{"windows"})
+	flags.Var(&copts.kernelMemory, "kernel-memory", "Kernel memory limit")
+	flags.VarP(&copts.memory, "memory", "m", "Memory limit")
+	flags.Var(&copts.memoryReservation, "memory-reservation", "Memory soft limit")
+	flags.Var(&copts.memorySwap, "memory-swap", "Swap limit equal to memory plus swap: '-1' to enable unlimited swap")
+	flags.Int64Var(&copts.swappiness, "memory-swappiness", -1, "Tune container memory swappiness (0 to 100)")
+	flags.BoolVar(&copts.oomKillDisable, "oom-kill-disable", false, "Disable OOM Killer")
+	flags.IntVar(&copts.oomScoreAdj, "oom-score-adj", 0, "Tune host's OOM preferences (-1000 to 1000)")
+	flags.Int64Var(&copts.pidsLimit, "pids-limit", 0, "Tune container pids limit (set -1 for unlimited)")
+
+	// Low-level execution (cgroups, namespaces, ...)
+	flags.StringVar(&copts.cgroupParent, "cgroup-parent", "", "Optional parent cgroup for the container")
+	flags.StringVar(&copts.ipcMode, "ipc", "", "IPC mode to use")
+	flags.StringVar(&copts.isolation, "isolation", "", "Container isolation technology")
+	flags.StringVar(&copts.pidMode, "pid", "", "PID namespace to use")
+	flags.Var(&copts.shmSize, "shm-size", "Size of /dev/shm")
+	flags.StringVar(&copts.utsMode, "uts", "", "UTS namespace to use")
+	flags.StringVar(&copts.runtime, "runtime", "", "Runtime to use for this container")
+
+	flags.BoolVar(&copts.init, "init", false, "Run an init inside the container that forwards signals and reaps processes")
+	flags.SetAnnotation("init", "version", []string{"1.25"})
+	return copts
+}
+
+type containerConfig struct {
+	Config           *container.Config
+	HostConfig       *container.HostConfig
+	NetworkingConfig *networktypes.NetworkingConfig
+}
+
+// parse parses the args for the specified command and generates a Config,
+// a HostConfig and returns them with the specified command.
+// If the specified args are not valid, it will return an error.
+// nolint: gocyclo
+func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, error) {
+	var (
+		attachStdin  = copts.attach.Get("stdin")
+		attachStdout = copts.attach.Get("stdout")
+		attachStderr = copts.attach.Get("stderr")
+	)
+
+	// Validate the input mac address
+	if copts.macAddress != "" {
+		if _, err := opts.ValidateMACAddress(copts.macAddress); err != nil {
+			return nil, errors.Errorf("%s is not a valid mac address", copts.macAddress)
+		}
+	}
+	if copts.stdin {
+		attachStdin = true
+	}
+	// If -a is not set, attach to stdout and stderr
+	if copts.attach.Len() == 0 {
+		attachStdout = true
+		attachStderr = true
+	}
+
+	var err error
+
+	swappiness := copts.swappiness
+	if swappiness != -1 && (swappiness < 0 || swappiness > 100) {
+		return nil, errors.Errorf("invalid value: %d. Valid memory swappiness range is 0-100", swappiness)
+	}
+
+	mounts := copts.mounts.Value()
+	if len(mounts) > 0 && copts.volumeDriver != "" {
+		logrus.Warn("`--volume-driver` is ignored for volumes specified via `--mount`. Use `--mount type=volume,volume-driver=...` instead.")
+	}
+	var binds []string
+	volumes := copts.volumes.GetMap()
+	// add any bind targets to the list of container volumes
+	for bind := range copts.volumes.GetMap() {
+		parsed, _ := loader.ParseVolume(bind)
+		if parsed.Source != "" {
+			// after creating the bind mount we want to delete it from the copts.volumes values because
+			// we do not want bind mounts being committed to image configs
+			binds = append(binds, bind)
+			// We should delete from the map (`volumes`) here, as deleting from copts.volumes will not work if
+			// there are duplicates entries.
+			delete(volumes, bind)
+		}
+	}
+
+	// Can't evaluate options passed into --tmpfs until we actually mount
+	tmpfs := make(map[string]string)
+	for _, t := range copts.tmpfs.GetAll() {
+		if arr := strings.SplitN(t, ":", 2); len(arr) > 1 {
+			tmpfs[arr[0]] = arr[1]
+		} else {
+			tmpfs[arr[0]] = ""
+		}
+	}
+
+	var (
+		runCmd     strslice.StrSlice
+		entrypoint strslice.StrSlice
+	)
+
+	if len(copts.Args) > 0 {
+		runCmd = strslice.StrSlice(copts.Args)
+	}
+
+	if copts.entrypoint != "" {
+		entrypoint = strslice.StrSlice{copts.entrypoint}
+	} else if flags.Changed("entrypoint") {
+		// if `--entrypoint=` is parsed then Entrypoint is reset
+		entrypoint = []string{""}
+	}
+
+	ports, portBindings, err := nat.ParsePortSpecs(copts.publish.GetAll())
+	if err != nil {
+		return nil, err
+	}
+
+	// Merge in exposed ports to the map of published ports
+	for _, e := range copts.expose.GetAll() {
+		if strings.Contains(e, ":") {
+			return nil, errors.Errorf("invalid port format for --expose: %s", e)
+		}
+		//support two formats for expose, original format <portnum>/[<proto>] or <startport-endport>/[<proto>]
+		proto, port := nat.SplitProtoPort(e)
+		//parse the start and end port and create a sequence of ports to expose
+		//if expose a port, the start and end port are the same
+		start, end, err := nat.ParsePortRange(port)
+		if err != nil {
+			return nil, errors.Errorf("invalid range format for --expose: %s, error: %s", e, err)
+		}
+		for i := start; i <= end; i++ {
+			p, err := nat.NewPort(proto, strconv.FormatUint(i, 10))
+			if err != nil {
+				return nil, err
+			}
+			if _, exists := ports[p]; !exists {
+				ports[p] = struct{}{}
+			}
+		}
+	}
+
+	// parse device mappings
+	deviceMappings := []container.DeviceMapping{}
+	for _, device := range copts.devices.GetAll() {
+		deviceMapping, err := parseDevice(device)
+		if err != nil {
+			return nil, err
+		}
+		deviceMappings = append(deviceMappings, deviceMapping)
+	}
+
+	// collect all the environment variables for the container
+	envVariables, err := opts.ReadKVEnvStrings(copts.envFile.GetAll(), copts.env.GetAll())
+	if err != nil {
+		return nil, err
+	}
+
+	// collect all the labels for the container
+	labels, err := opts.ReadKVStrings(copts.labelsFile.GetAll(), copts.labels.GetAll())
+	if err != nil {
+		return nil, err
+	}
+
+	pidMode := container.PidMode(copts.pidMode)
+	if !pidMode.Valid() {
+		return nil, errors.Errorf("--pid: invalid PID mode")
+	}
+
+	utsMode := container.UTSMode(copts.utsMode)
+	if !utsMode.Valid() {
+		return nil, errors.Errorf("--uts: invalid UTS mode")
+	}
+
+	usernsMode := container.UsernsMode(copts.usernsMode)
+	if !usernsMode.Valid() {
+		return nil, errors.Errorf("--userns: invalid USER mode")
+	}
+
+	restartPolicy, err := opts.ParseRestartPolicy(copts.restartPolicy)
+	if err != nil {
+		return nil, err
+	}
+
+	loggingOpts, err := parseLoggingOpts(copts.loggingDriver, copts.loggingOpts.GetAll())
+	if err != nil {
+		return nil, err
+	}
+
+	securityOpts, err := parseSecurityOpts(copts.securityOpt.GetAll())
+	if err != nil {
+		return nil, err
+	}
+
+	storageOpts, err := parseStorageOpts(copts.storageOpt.GetAll())
+	if err != nil {
+		return nil, err
+	}
+
+	// Healthcheck
+	var healthConfig *container.HealthConfig
+	haveHealthSettings := copts.healthCmd != "" ||
+		copts.healthInterval != 0 ||
+		copts.healthTimeout != 0 ||
+		copts.healthStartPeriod != 0 ||
+		copts.healthRetries != 0
+	if copts.noHealthcheck {
+		if haveHealthSettings {
+			return nil, errors.Errorf("--no-healthcheck conflicts with --health-* options")
+		}
+		test := strslice.StrSlice{"NONE"}
+		healthConfig = &container.HealthConfig{Test: test}
+	} else if haveHealthSettings {
+		var probe strslice.StrSlice
+		if copts.healthCmd != "" {
+			args := []string{"CMD-SHELL", copts.healthCmd}
+			probe = strslice.StrSlice(args)
+		}
+		if copts.healthInterval < 0 {
+			return nil, errors.Errorf("--health-interval cannot be negative")
+		}
+		if copts.healthTimeout < 0 {
+			return nil, errors.Errorf("--health-timeout cannot be negative")
+		}
+		if copts.healthRetries < 0 {
+			return nil, errors.Errorf("--health-retries cannot be negative")
+		}
+		if copts.healthStartPeriod < 0 {
+			return nil, fmt.Errorf("--health-start-period cannot be negative")
+		}
+
+		healthConfig = &container.HealthConfig{
+			Test:        probe,
+			Interval:    copts.healthInterval,
+			Timeout:     copts.healthTimeout,
+			StartPeriod: copts.healthStartPeriod,
+			Retries:     copts.healthRetries,
+		}
+	}
+
+	resources := container.Resources{
+		CgroupParent:         copts.cgroupParent,
+		Memory:               copts.memory.Value(),
+		MemoryReservation:    copts.memoryReservation.Value(),
+		MemorySwap:           copts.memorySwap.Value(),
+		MemorySwappiness:     &copts.swappiness,
+		KernelMemory:         copts.kernelMemory.Value(),
+		OomKillDisable:       &copts.oomKillDisable,
+		NanoCPUs:             copts.cpus.Value(),
+		CPUCount:             copts.cpuCount,
+		CPUPercent:           copts.cpuPercent,
+		CPUShares:            copts.cpuShares,
+		CPUPeriod:            copts.cpuPeriod,
+		CpusetCpus:           copts.cpusetCpus,
+		CpusetMems:           copts.cpusetMems,
+		CPUQuota:             copts.cpuQuota,
+		CPURealtimePeriod:    copts.cpuRealtimePeriod,
+		CPURealtimeRuntime:   copts.cpuRealtimeRuntime,
+		PidsLimit:            copts.pidsLimit,
+		BlkioWeight:          copts.blkioWeight,
+		BlkioWeightDevice:    copts.blkioWeightDevice.GetList(),
+		BlkioDeviceReadBps:   copts.deviceReadBps.GetList(),
+		BlkioDeviceWriteBps:  copts.deviceWriteBps.GetList(),
+		BlkioDeviceReadIOps:  copts.deviceReadIOps.GetList(),
+		BlkioDeviceWriteIOps: copts.deviceWriteIOps.GetList(),
+		IOMaximumIOps:        copts.ioMaxIOps,
+		IOMaximumBandwidth:   uint64(copts.ioMaxBandwidth),
+		Ulimits:              copts.ulimits.GetList(),
+		DeviceCgroupRules:    copts.deviceCgroupRules.GetAll(),
+		Devices:              deviceMappings,
+	}
+
+	config := &container.Config{
+		Hostname:     copts.hostname,
+		ExposedPorts: ports,
+		User:         copts.user,
+		Tty:          copts.tty,
+		// TODO: deprecated, it comes from -n, --networking
+		// it's still needed internally to set the network to disabled
+		// if e.g. bridge is none in daemon opts, and in inspect
+		NetworkDisabled: false,
+		OpenStdin:       copts.stdin,
+		AttachStdin:     attachStdin,
+		AttachStdout:    attachStdout,
+		AttachStderr:    attachStderr,
+		Env:             envVariables,
+		Cmd:             runCmd,
+		Image:           copts.Image,
+		Volumes:         volumes,
+		MacAddress:      copts.macAddress,
+		Entrypoint:      entrypoint,
+		WorkingDir:      copts.workingDir,
+		Labels:          opts.ConvertKVStringsToMap(labels),
+		Healthcheck:     healthConfig,
+	}
+	if flags.Changed("stop-signal") {
+		config.StopSignal = copts.stopSignal
+	}
+	if flags.Changed("stop-timeout") {
+		config.StopTimeout = &copts.stopTimeout
+	}
+
+	hostConfig := &container.HostConfig{
+		Binds:           binds,
+		ContainerIDFile: copts.containerIDFile,
+		OomScoreAdj:     copts.oomScoreAdj,
+		AutoRemove:      copts.autoRemove,
+		Privileged:      copts.privileged,
+		PortBindings:    portBindings,
+		Links:           copts.links.GetAll(),
+		PublishAllPorts: copts.publishAll,
+		// Make sure the dns fields are never nil.
+		// New containers don't ever have those fields nil,
+		// but pre created containers can still have those nil values.
+		// See https://github.com/docker/docker/pull/17779
+		// for a more detailed explanation on why we don't want that.
+		DNS:            copts.dns.GetAllOrEmpty(),
+		DNSSearch:      copts.dnsSearch.GetAllOrEmpty(),
+		DNSOptions:     copts.dnsOptions.GetAllOrEmpty(),
+		ExtraHosts:     copts.extraHosts.GetAll(),
+		VolumesFrom:    copts.volumesFrom.GetAll(),
+		NetworkMode:    container.NetworkMode(copts.netMode),
+		IpcMode:        container.IpcMode(copts.ipcMode),
+		PidMode:        pidMode,
+		UTSMode:        utsMode,
+		UsernsMode:     usernsMode,
+		CapAdd:         strslice.StrSlice(copts.capAdd.GetAll()),
+		CapDrop:        strslice.StrSlice(copts.capDrop.GetAll()),
+		GroupAdd:       copts.groupAdd.GetAll(),
+		RestartPolicy:  restartPolicy,
+		SecurityOpt:    securityOpts,
+		StorageOpt:     storageOpts,
+		ReadonlyRootfs: copts.readonlyRootfs,
+		LogConfig:      container.LogConfig{Type: copts.loggingDriver, Config: loggingOpts},
+		VolumeDriver:   copts.volumeDriver,
+		Isolation:      container.Isolation(copts.isolation),
+		ShmSize:        copts.shmSize.Value(),
+		Resources:      resources,
+		Tmpfs:          tmpfs,
+		Sysctls:        copts.sysctls.GetAll(),
+		Runtime:        copts.runtime,
+		Mounts:         mounts,
+	}
+
+	if copts.autoRemove && !hostConfig.RestartPolicy.IsNone() {
+		return nil, errors.Errorf("Conflicting options: --restart and --rm")
+	}
+
+	// only set this value if the user provided the flag, else it should default to nil
+	if flags.Changed("init") {
+		hostConfig.Init = &copts.init
+	}
+
+	// When allocating stdin in attached mode, close stdin at client disconnect
+	if config.OpenStdin && config.AttachStdin {
+		config.StdinOnce = true
+	}
+
+	networkingConfig := &networktypes.NetworkingConfig{
+		EndpointsConfig: make(map[string]*networktypes.EndpointSettings),
+	}
+
+	if copts.ipv4Address != "" || copts.ipv6Address != "" || copts.linkLocalIPs.Len() > 0 {
+		epConfig := &networktypes.EndpointSettings{}
+		networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)] = epConfig
+
+		epConfig.IPAMConfig = &networktypes.EndpointIPAMConfig{
+			IPv4Address: copts.ipv4Address,
+			IPv6Address: copts.ipv6Address,
+		}
+
+		if copts.linkLocalIPs.Len() > 0 {
+			epConfig.IPAMConfig.LinkLocalIPs = make([]string, copts.linkLocalIPs.Len())
+			copy(epConfig.IPAMConfig.LinkLocalIPs, copts.linkLocalIPs.GetAll())
+		}
+	}
+
+	if hostConfig.NetworkMode.IsUserDefined() && len(hostConfig.Links) > 0 {
+		epConfig := networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)]
+		if epConfig == nil {
+			epConfig = &networktypes.EndpointSettings{}
+		}
+		epConfig.Links = make([]string, len(hostConfig.Links))
+		copy(epConfig.Links, hostConfig.Links)
+		networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)] = epConfig
+	}
+
+	if copts.aliases.Len() > 0 {
+		epConfig := networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)]
+		if epConfig == nil {
+			epConfig = &networktypes.EndpointSettings{}
+		}
+		epConfig.Aliases = make([]string, copts.aliases.Len())
+		copy(epConfig.Aliases, copts.aliases.GetAll())
+		networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)] = epConfig
+	}
+
+	return &containerConfig{
+		Config:           config,
+		HostConfig:       hostConfig,
+		NetworkingConfig: networkingConfig,
+	}, nil
+}
+
+func parseLoggingOpts(loggingDriver string, loggingOpts []string) (map[string]string, error) {
+	loggingOptsMap := opts.ConvertKVStringsToMap(loggingOpts)
+	if loggingDriver == "none" && len(loggingOpts) > 0 {
+		return map[string]string{}, errors.Errorf("invalid logging opts for driver %s", loggingDriver)
+	}
+	return loggingOptsMap, nil
+}
+
+// takes a local seccomp daemon, reads the file contents for sending to the daemon
+func parseSecurityOpts(securityOpts []string) ([]string, error) {
+	for key, opt := range securityOpts {
+		con := strings.SplitN(opt, "=", 2)
+		if len(con) == 1 && con[0] != "no-new-privileges" {
+			if strings.Contains(opt, ":") {
+				con = strings.SplitN(opt, ":", 2)
+			} else {
+				return securityOpts, errors.Errorf("Invalid --security-opt: %q", opt)
+			}
+		}
+		if con[0] == "seccomp" && con[1] != "unconfined" {
+			f, err := ioutil.ReadFile(con[1])
+			if err != nil {
+				return securityOpts, errors.Errorf("opening seccomp profile (%s) failed: %v", con[1], err)
+			}
+			b := bytes.NewBuffer(nil)
+			if err := json.Compact(b, f); err != nil {
+				return securityOpts, errors.Errorf("compacting json for seccomp profile (%s) failed: %v", con[1], err)
+			}
+			securityOpts[key] = fmt.Sprintf("seccomp=%s", b.Bytes())
+		}
+	}
+
+	return securityOpts, nil
+}
+
+// parses storage options per container into a map
+func parseStorageOpts(storageOpts []string) (map[string]string, error) {
+	m := make(map[string]string)
+	for _, option := range storageOpts {
+		if strings.Contains(option, "=") {
+			opt := strings.SplitN(option, "=", 2)
+			m[opt[0]] = opt[1]
+		} else {
+			return nil, errors.Errorf("invalid storage option")
+		}
+	}
+	return m, nil
+}
+
+// parseDevice parses a device mapping string to a container.DeviceMapping struct
+func parseDevice(device string) (container.DeviceMapping, error) {
+	src := ""
+	dst := ""
+	permissions := "rwm"
+	arr := strings.Split(device, ":")
+	switch len(arr) {
+	case 3:
+		permissions = arr[2]
+		fallthrough
+	case 2:
+		if validDeviceMode(arr[1]) {
+			permissions = arr[1]
+		} else {
+			dst = arr[1]
+		}
+		fallthrough
+	case 1:
+		src = arr[0]
+	default:
+		return container.DeviceMapping{}, errors.Errorf("invalid device specification: %s", device)
+	}
+
+	if dst == "" {
+		dst = src
+	}
+
+	deviceMapping := container.DeviceMapping{
+		PathOnHost:        src,
+		PathInContainer:   dst,
+		CgroupPermissions: permissions,
+	}
+	return deviceMapping, nil
+}
+
+// validateDeviceCgroupRule validates a device cgroup rule string format
+// It will make sure 'val' is in the form:
+//    'type major:minor mode'
+func validateDeviceCgroupRule(val string) (string, error) {
+	if deviceCgroupRuleRegexp.MatchString(val) {
+		return val, nil
+	}
+
+	return val, errors.Errorf("invalid device cgroup format '%s'", val)
+}
+
+// validDeviceMode checks if the mode for device is valid or not.
+// Valid mode is a composition of r (read), w (write), and m (mknod).
+func validDeviceMode(mode string) bool {
+	var legalDeviceMode = map[rune]bool{
+		'r': true,
+		'w': true,
+		'm': true,
+	}
+	if mode == "" {
+		return false
+	}
+	for _, c := range mode {
+		if !legalDeviceMode[c] {
+			return false
+		}
+		legalDeviceMode[c] = false
+	}
+	return true
+}
+
+// validateDevice validates a path for devices
+// It will make sure 'val' is in the form:
+//    [host-dir:]container-path[:mode]
+// It also validates the device mode.
+func validateDevice(val string) (string, error) {
+	return validatePath(val, validDeviceMode)
+}
+
+func validatePath(val string, validator func(string) bool) (string, error) {
+	var containerPath string
+	var mode string
+
+	if strings.Count(val, ":") > 2 {
+		return val, errors.Errorf("bad format for path: %s", val)
+	}
+
+	split := strings.SplitN(val, ":", 3)
+	if split[0] == "" {
+		return val, errors.Errorf("bad format for path: %s", val)
+	}
+	switch len(split) {
+	case 1:
+		containerPath = split[0]
+		val = path.Clean(containerPath)
+	case 2:
+		if isValid := validator(split[1]); isValid {
+			containerPath = split[0]
+			mode = split[1]
+			val = fmt.Sprintf("%s:%s", path.Clean(containerPath), mode)
+		} else {
+			containerPath = split[1]
+			val = fmt.Sprintf("%s:%s", split[0], path.Clean(containerPath))
+		}
+	case 3:
+		containerPath = split[1]
+		mode = split[2]
+		if isValid := validator(split[2]); !isValid {
+			return val, errors.Errorf("bad mode specified: %s", mode)
+		}
+		val = fmt.Sprintf("%s:%s:%s", split[0], containerPath, mode)
+	}
+
+	if !path.IsAbs(containerPath) {
+		return val, errors.Errorf("%s is not an absolute path", containerPath)
+	}
+	return val, nil
+}
+
+// validateAttach validates that the specified string is a valid attach option.
+func validateAttach(val string) (string, error) {
+	s := strings.ToLower(val)
+	for _, str := range []string{"stdin", "stdout", "stderr"} {
+		if s == str {
+			return s, nil
+		}
+	}
+	return val, errors.Errorf("valid streams are STDIN, STDOUT and STDERR")
+}
diff --git a/cli/cli/command/container/opts_test.go b/cli/cli/command/container/opts_test.go
new file mode 100644
index 00000000..67f0cad4
--- /dev/null
+++ b/cli/cli/command/container/opts_test.go
@@ -0,0 +1,646 @@
+package container
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/go-connections/nat"
+	"github.com/pkg/errors"
+	"github.com/spf13/pflag"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestValidateAttach(t *testing.T) {
+	valid := []string{
+		"stdin",
+		"stdout",
+		"stderr",
+		"STDIN",
+		"STDOUT",
+		"STDERR",
+	}
+	if _, err := validateAttach("invalid"); err == nil {
+		t.Fatal("Expected error with [valid streams are STDIN, STDOUT and STDERR], got nothing")
+	}
+
+	for _, attach := range valid {
+		value, err := validateAttach(attach)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if value != strings.ToLower(attach) {
+			t.Fatalf("Expected [%v], got [%v]", attach, value)
+		}
+	}
+}
+
+// nolint: unparam
+func parseRun(args []string) (*container.Config, *container.HostConfig, *networktypes.NetworkingConfig, error) {
+	flags, copts := setupRunFlags()
+	if err := flags.Parse(args); err != nil {
+		return nil, nil, nil, err
+	}
+	// TODO: fix tests to accept ContainerConfig
+	containerConfig, err := parse(flags, copts)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return containerConfig.Config, containerConfig.HostConfig, containerConfig.NetworkingConfig, err
+}
+
+func setupRunFlags() (*pflag.FlagSet, *containerOptions) {
+	flags := pflag.NewFlagSet("run", pflag.ContinueOnError)
+	flags.SetOutput(ioutil.Discard)
+	flags.Usage = nil
+	copts := addFlags(flags)
+	return flags, copts
+}
+
+func parseMustError(t *testing.T, args string) {
+	_, _, _, err := parseRun(strings.Split(args+" ubuntu bash", " "))
+	assert.ErrorContains(t, err, "", args)
+}
+
+func mustParse(t *testing.T, args string) (*container.Config, *container.HostConfig) {
+	config, hostConfig, _, err := parseRun(append(strings.Split(args, " "), "ubuntu", "bash"))
+	assert.NilError(t, err)
+	return config, hostConfig
+}
+
+func TestParseRunLinks(t *testing.T) {
+	if _, hostConfig := mustParse(t, "--link a:b"); len(hostConfig.Links) == 0 || hostConfig.Links[0] != "a:b" {
+		t.Fatalf("Error parsing links. Expected []string{\"a:b\"}, received: %v", hostConfig.Links)
+	}
+	if _, hostConfig := mustParse(t, "--link a:b --link c:d"); len(hostConfig.Links) < 2 || hostConfig.Links[0] != "a:b" || hostConfig.Links[1] != "c:d" {
+		t.Fatalf("Error parsing links. Expected []string{\"a:b\", \"c:d\"}, received: %v", hostConfig.Links)
+	}
+	if _, hostConfig := mustParse(t, ""); len(hostConfig.Links) != 0 {
+		t.Fatalf("Error parsing links. No link expected, received: %v", hostConfig.Links)
+	}
+}
+
+func TestParseRunAttach(t *testing.T) {
+	if config, _ := mustParse(t, "-a stdin"); !config.AttachStdin || config.AttachStdout || config.AttachStderr {
+		t.Fatalf("Error parsing attach flags. Expect only Stdin enabled. Received: in: %v, out: %v, err: %v", config.AttachStdin, config.AttachStdout, config.AttachStderr)
+	}
+	if config, _ := mustParse(t, "-a stdin -a stdout"); !config.AttachStdin || !config.AttachStdout || config.AttachStderr {
+		t.Fatalf("Error parsing attach flags. Expect only Stdin and Stdout enabled. Received: in: %v, out: %v, err: %v", config.AttachStdin, config.AttachStdout, config.AttachStderr)
+	}
+	if config, _ := mustParse(t, "-a stdin -a stdout -a stderr"); !config.AttachStdin || !config.AttachStdout || !config.AttachStderr {
+		t.Fatalf("Error parsing attach flags. Expect all attach enabled. Received: in: %v, out: %v, err: %v", config.AttachStdin, config.AttachStdout, config.AttachStderr)
+	}
+	if config, _ := mustParse(t, ""); config.AttachStdin || !config.AttachStdout || !config.AttachStderr {
+		t.Fatalf("Error parsing attach flags. Expect Stdin disabled. Received: in: %v, out: %v, err: %v", config.AttachStdin, config.AttachStdout, config.AttachStderr)
+	}
+	if config, _ := mustParse(t, "-i"); !config.AttachStdin || !config.AttachStdout || !config.AttachStderr {
+		t.Fatalf("Error parsing attach flags. Expect Stdin enabled. Received: in: %v, out: %v, err: %v", config.AttachStdin, config.AttachStdout, config.AttachStderr)
+	}
+}
+
+func TestParseRunWithInvalidArgs(t *testing.T) {
+	parseMustError(t, "-a")
+	parseMustError(t, "-a invalid")
+	parseMustError(t, "-a invalid -a stdout")
+	parseMustError(t, "-a stdout -a stderr -d")
+	parseMustError(t, "-a stdin -d")
+	parseMustError(t, "-a stdout -d")
+	parseMustError(t, "-a stderr -d")
+	parseMustError(t, "-d --rm")
+}
+
+// nolint: gocyclo
+func TestParseWithVolumes(t *testing.T) {
+
+	// A single volume
+	arr, tryit := setupPlatformVolume([]string{`/tmp`}, []string{`c:\tmp`})
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds != nil {
+		t.Fatalf("Error parsing volume flags, %q should not mount-bind anything. Received %v", tryit, hostConfig.Binds)
+	} else if _, exists := config.Volumes[arr[0]]; !exists {
+		t.Fatalf("Error parsing volume flags, %q is missing from volumes. Received %v", tryit, config.Volumes)
+	}
+
+	// Two volumes
+	arr, tryit = setupPlatformVolume([]string{`/tmp`, `/var`}, []string{`c:\tmp`, `c:\var`})
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds != nil {
+		t.Fatalf("Error parsing volume flags, %q should not mount-bind anything. Received %v", tryit, hostConfig.Binds)
+	} else if _, exists := config.Volumes[arr[0]]; !exists {
+		t.Fatalf("Error parsing volume flags, %s is missing from volumes. Received %v", arr[0], config.Volumes)
+	} else if _, exists := config.Volumes[arr[1]]; !exists {
+		t.Fatalf("Error parsing volume flags, %s is missing from volumes. Received %v", arr[1], config.Volumes)
+	}
+
+	// A single bind mount
+	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`}, []string{os.Getenv("TEMP") + `:c:\containerTmp`})
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || hostConfig.Binds[0] != arr[0] {
+		t.Fatalf("Error parsing volume flags, %q should mount-bind the path before the colon into the path after the colon. Received %v %v", arr[0], hostConfig.Binds, config.Volumes)
+	}
+
+	// Two bind mounts.
+	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`, `/hostVar:/containerVar`}, []string{os.Getenv("ProgramData") + `:c:\ContainerPD`, os.Getenv("TEMP") + `:c:\containerTmp`})
+	if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+		t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
+	}
+
+	// Two bind mounts, first read-only, second read-write.
+	// TODO Windows: The Windows version uses read-write as that's the only mode it supports. Can change this post TP4
+	arr, tryit = setupPlatformVolume(
+		[]string{`/hostTmp:/containerTmp:ro`, `/hostVar:/containerVar:rw`},
+		[]string{os.Getenv("TEMP") + `:c:\containerTmp:rw`, os.Getenv("ProgramData") + `:c:\ContainerPD:rw`})
+	if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+		t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
+	}
+
+	// Similar to previous test but with alternate modes which are only supported by Linux
+	if runtime.GOOS != "windows" {
+		arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp:ro,Z`, `/hostVar:/containerVar:rw,Z`}, []string{})
+		if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+			t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
+		}
+
+		arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp:Z`, `/hostVar:/containerVar:z`}, []string{})
+		if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+			t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
+		}
+	}
+
+	// One bind mount and one volume
+	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`, `/containerVar`}, []string{os.Getenv("TEMP") + `:c:\containerTmp`, `c:\containerTmp`})
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] {
+		t.Fatalf("Error parsing volume flags, %s and %s should only one and only one bind mount %s. Received %s", arr[0], arr[1], arr[0], hostConfig.Binds)
+	} else if _, exists := config.Volumes[arr[1]]; !exists {
+		t.Fatalf("Error parsing volume flags %s and %s. %s is missing from volumes. Received %v", arr[0], arr[1], arr[1], config.Volumes)
+	}
+
+	// Root to non-c: drive letter (Windows specific)
+	if runtime.GOOS == "windows" {
+		arr, tryit = setupPlatformVolume([]string{}, []string{os.Getenv("SystemDrive") + `\:d:`})
+		if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] || len(config.Volumes) != 0 {
+			t.Fatalf("Error parsing %s. Should have a single bind mount and no volumes", arr[0])
+		}
+	}
+
+}
+
+// setupPlatformVolume takes two arrays of volume specs - a Unix style
+// spec and a Windows style spec. Depending on the platform being unit tested,
+// it returns one of them, along with a volume string that would be passed
+// on the docker CLI (e.g. -v /bar -v /foo).
+func setupPlatformVolume(u []string, w []string) ([]string, string) {
+	var a []string
+	if runtime.GOOS == "windows" {
+		a = w
+	} else {
+		a = u
+	}
+	s := ""
+	for _, v := range a {
+		s = s + "-v " + v + " "
+	}
+	return a, s
+}
+
+// check if (a == c && b == d) || (a == d && b == c)
+// because maps are randomized
+func compareRandomizedStrings(a, b, c, d string) error {
+	if a == c && b == d {
+		return nil
+	}
+	if a == d && b == c {
+		return nil
+	}
+	return errors.Errorf("strings don't match")
+}
+
+// Simple parse with MacAddress validation
+func TestParseWithMacAddress(t *testing.T) {
+	invalidMacAddress := "--mac-address=invalidMacAddress"
+	validMacAddress := "--mac-address=92:d0:c6:0a:29:33"
+	if _, _, _, err := parseRun([]string{invalidMacAddress, "img", "cmd"}); err != nil && err.Error() != "invalidMacAddress is not a valid mac address" {
+		t.Fatalf("Expected an error with %v mac-address, got %v", invalidMacAddress, err)
+	}
+	if config, _ := mustParse(t, validMacAddress); config.MacAddress != "92:d0:c6:0a:29:33" {
+		t.Fatalf("Expected the config to have '92:d0:c6:0a:29:33' as MacAddress, got '%v'", config.MacAddress)
+	}
+}
+
+func TestRunFlagsParseWithMemory(t *testing.T) {
+	flags, _ := setupRunFlags()
+	args := []string{"--memory=invalid", "img", "cmd"}
+	err := flags.Parse(args)
+	assert.ErrorContains(t, err, `invalid argument "invalid" for "-m, --memory" flag`)
+
+	_, hostconfig := mustParse(t, "--memory=1G")
+	assert.Check(t, is.Equal(int64(1073741824), hostconfig.Memory))
+}
+
+func TestParseWithMemorySwap(t *testing.T) {
+	flags, _ := setupRunFlags()
+	args := []string{"--memory-swap=invalid", "img", "cmd"}
+	err := flags.Parse(args)
+	assert.ErrorContains(t, err, `invalid argument "invalid" for "--memory-swap" flag`)
+
+	_, hostconfig := mustParse(t, "--memory-swap=1G")
+	assert.Check(t, is.Equal(int64(1073741824), hostconfig.MemorySwap))
+
+	_, hostconfig = mustParse(t, "--memory-swap=-1")
+	assert.Check(t, is.Equal(int64(-1), hostconfig.MemorySwap))
+}
+
+func TestParseHostname(t *testing.T) {
+	validHostnames := map[string]string{
+		"hostname":    "hostname",
+		"host-name":   "host-name",
+		"hostname123": "hostname123",
+		"123hostname": "123hostname",
+		"hostname-of-63-bytes-long-should-be-valid-and-without-any-error": "hostname-of-63-bytes-long-should-be-valid-and-without-any-error",
+	}
+	hostnameWithDomain := "--hostname=hostname.domainname"
+	hostnameWithDomainTld := "--hostname=hostname.domainname.tld"
+	for hostname, expectedHostname := range validHostnames {
+		if config, _ := mustParse(t, fmt.Sprintf("--hostname=%s", hostname)); config.Hostname != expectedHostname {
+			t.Fatalf("Expected the config to have 'hostname' as hostname, got '%v'", config.Hostname)
+		}
+	}
+	if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" && config.Domainname != "" {
+		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got '%v'", config.Hostname)
+	}
+	if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" && config.Domainname != "" {
+		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got '%v'", config.Hostname)
+	}
+}
+
+func TestParseWithExpose(t *testing.T) {
+	invalids := map[string]string{
+		":":                   "invalid port format for --expose: :",
+		"8080:9090":           "invalid port format for --expose: 8080:9090",
+		"/tcp":                "invalid range format for --expose: /tcp, error: Empty string specified for ports.",
+		"/udp":                "invalid range format for --expose: /udp, error: Empty string specified for ports.",
+		"NaN/tcp":             `invalid range format for --expose: NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
+		"NaN-NaN/tcp":         `invalid range format for --expose: NaN-NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
+		"8080-NaN/tcp":        `invalid range format for --expose: 8080-NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
+		"1234567890-8080/tcp": `invalid range format for --expose: 1234567890-8080/tcp, error: strconv.ParseUint: parsing "1234567890": value out of range`,
+	}
+	valids := map[string][]nat.Port{
+		"8080/tcp":      {"8080/tcp"},
+		"8080/udp":      {"8080/udp"},
+		"8080/ncp":      {"8080/ncp"},
+		"8080-8080/udp": {"8080/udp"},
+		"8080-8082/tcp": {"8080/tcp", "8081/tcp", "8082/tcp"},
+	}
+	for expose, expectedError := range invalids {
+		if _, _, _, err := parseRun([]string{fmt.Sprintf("--expose=%v", expose), "img", "cmd"}); err == nil || err.Error() != expectedError {
+			t.Fatalf("Expected error '%v' with '--expose=%v', got '%v'", expectedError, expose, err)
+		}
+	}
+	for expose, exposedPorts := range valids {
+		config, _, _, err := parseRun([]string{fmt.Sprintf("--expose=%v", expose), "img", "cmd"})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(config.ExposedPorts) != len(exposedPorts) {
+			t.Fatalf("Expected %v exposed port, got %v", len(exposedPorts), len(config.ExposedPorts))
+		}
+		for _, port := range exposedPorts {
+			if _, ok := config.ExposedPorts[port]; !ok {
+				t.Fatalf("Expected %v, got %v", exposedPorts, config.ExposedPorts)
+			}
+		}
+	}
+	// Merge with actual published port
+	config, _, _, err := parseRun([]string{"--publish=80", "--expose=80-81/tcp", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.ExposedPorts) != 2 {
+		t.Fatalf("Expected 2 exposed ports, got %v", config.ExposedPorts)
+	}
+	ports := []nat.Port{"80/tcp", "81/tcp"}
+	for _, port := range ports {
+		if _, ok := config.ExposedPorts[port]; !ok {
+			t.Fatalf("Expected %v, got %v", ports, config.ExposedPorts)
+		}
+	}
+}
+
+func TestParseDevice(t *testing.T) {
+	valids := map[string]container.DeviceMapping{
+		"/dev/snd": {
+			PathOnHost:        "/dev/snd",
+			PathInContainer:   "/dev/snd",
+			CgroupPermissions: "rwm",
+		},
+		"/dev/snd:rw": {
+			PathOnHost:        "/dev/snd",
+			PathInContainer:   "/dev/snd",
+			CgroupPermissions: "rw",
+		},
+		"/dev/snd:/something": {
+			PathOnHost:        "/dev/snd",
+			PathInContainer:   "/something",
+			CgroupPermissions: "rwm",
+		},
+		"/dev/snd:/something:rw": {
+			PathOnHost:        "/dev/snd",
+			PathInContainer:   "/something",
+			CgroupPermissions: "rw",
+		},
+	}
+	for device, deviceMapping := range valids {
+		_, hostconfig, _, err := parseRun([]string{fmt.Sprintf("--device=%v", device), "img", "cmd"})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(hostconfig.Devices) != 1 {
+			t.Fatalf("Expected 1 devices, got %v", hostconfig.Devices)
+		}
+		if hostconfig.Devices[0] != deviceMapping {
+			t.Fatalf("Expected %v, got %v", deviceMapping, hostconfig.Devices)
+		}
+	}
+
+}
+
+func TestParseModes(t *testing.T) {
+	// pid ko
+	flags, copts := setupRunFlags()
+	args := []string{"--pid=container:", "img", "cmd"}
+	assert.NilError(t, flags.Parse(args))
+	_, err := parse(flags, copts)
+	assert.ErrorContains(t, err, "--pid: invalid PID mode")
+
+	// pid ok
+	_, hostconfig, _, err := parseRun([]string{"--pid=host", "img", "cmd"})
+	assert.NilError(t, err)
+	if !hostconfig.PidMode.Valid() {
+		t.Fatalf("Expected a valid PidMode, got %v", hostconfig.PidMode)
+	}
+
+	// uts ko
+	_, _, _, err = parseRun([]string{"--uts=container:", "img", "cmd"})
+	assert.ErrorContains(t, err, "--uts: invalid UTS mode")
+
+	// uts ok
+	_, hostconfig, _, err = parseRun([]string{"--uts=host", "img", "cmd"})
+	assert.NilError(t, err)
+	if !hostconfig.UTSMode.Valid() {
+		t.Fatalf("Expected a valid UTSMode, got %v", hostconfig.UTSMode)
+	}
+}
+
+func TestRunFlagsParseShmSize(t *testing.T) {
+	// shm-size ko
+	flags, _ := setupRunFlags()
+	args := []string{"--shm-size=a128m", "img", "cmd"}
+	expectedErr := `invalid argument "a128m" for "--shm-size" flag: invalid size: 'a128m'`
+	err := flags.Parse(args)
+	assert.ErrorContains(t, err, expectedErr)
+
+	// shm-size ok
+	_, hostconfig, _, err := parseRun([]string{"--shm-size=128m", "img", "cmd"})
+	assert.NilError(t, err)
+	if hostconfig.ShmSize != 134217728 {
+		t.Fatalf("Expected a valid ShmSize, got %d", hostconfig.ShmSize)
+	}
+}
+
+func TestParseRestartPolicy(t *testing.T) {
+	invalids := map[string]string{
+		"always:2:3":         "invalid restart policy format",
+		"on-failure:invalid": "maximum retry count must be an integer",
+	}
+	valids := map[string]container.RestartPolicy{
+		"": {},
+		"always": {
+			Name:              "always",
+			MaximumRetryCount: 0,
+		},
+		"on-failure:1": {
+			Name:              "on-failure",
+			MaximumRetryCount: 1,
+		},
+	}
+	for restart, expectedError := range invalids {
+		if _, _, _, err := parseRun([]string{fmt.Sprintf("--restart=%s", restart), "img", "cmd"}); err == nil || err.Error() != expectedError {
+			t.Fatalf("Expected an error with message '%v' for %v, got %v", expectedError, restart, err)
+		}
+	}
+	for restart, expected := range valids {
+		_, hostconfig, _, err := parseRun([]string{fmt.Sprintf("--restart=%v", restart), "img", "cmd"})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if hostconfig.RestartPolicy != expected {
+			t.Fatalf("Expected %v, got %v", expected, hostconfig.RestartPolicy)
+		}
+	}
+}
+
+func TestParseRestartPolicyAutoRemove(t *testing.T) {
+	expected := "Conflicting options: --restart and --rm"
+	_, _, _, err := parseRun([]string{"--rm", "--restart=always", "img", "cmd"})
+	if err == nil || err.Error() != expected {
+		t.Fatalf("Expected error %v, but got none", expected)
+	}
+}
+
+func TestParseHealth(t *testing.T) {
+	checkOk := func(args ...string) *container.HealthConfig {
+		config, _, _, err := parseRun(args)
+		if err != nil {
+			t.Fatalf("%#v: %v", args, err)
+		}
+		return config.Healthcheck
+	}
+	checkError := func(expected string, args ...string) {
+		config, _, _, err := parseRun(args)
+		if err == nil {
+			t.Fatalf("Expected error, but got %#v", config)
+		}
+		if err.Error() != expected {
+			t.Fatalf("Expected %#v, got %#v", expected, err)
+		}
+	}
+	health := checkOk("--no-healthcheck", "img", "cmd")
+	if health == nil || len(health.Test) != 1 || health.Test[0] != "NONE" {
+		t.Fatalf("--no-healthcheck failed: %#v", health)
+	}
+
+	health = checkOk("--health-cmd=/check.sh -q", "img", "cmd")
+	if len(health.Test) != 2 || health.Test[0] != "CMD-SHELL" || health.Test[1] != "/check.sh -q" {
+		t.Fatalf("--health-cmd: got %#v", health.Test)
+	}
+	if health.Timeout != 0 {
+		t.Fatalf("--health-cmd: timeout = %s", health.Timeout)
+	}
+
+	checkError("--no-healthcheck conflicts with --health-* options",
+		"--no-healthcheck", "--health-cmd=/check.sh -q", "img", "cmd")
+
+	health = checkOk("--health-timeout=2s", "--health-retries=3", "--health-interval=4.5s", "--health-start-period=5s", "img", "cmd")
+	if health.Timeout != 2*time.Second || health.Retries != 3 || health.Interval != 4500*time.Millisecond || health.StartPeriod != 5*time.Second {
+		t.Fatalf("--health-*: got %#v", health)
+	}
+}
+
+func TestParseLoggingOpts(t *testing.T) {
+	// logging opts ko
+	if _, _, _, err := parseRun([]string{"--log-driver=none", "--log-opt=anything", "img", "cmd"}); err == nil || err.Error() != "invalid logging opts for driver none" {
+		t.Fatalf("Expected an error with message 'invalid logging opts for driver none', got %v", err)
+	}
+	// logging opts ok
+	_, hostconfig, _, err := parseRun([]string{"--log-driver=syslog", "--log-opt=something", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if hostconfig.LogConfig.Type != "syslog" || len(hostconfig.LogConfig.Config) != 1 {
+		t.Fatalf("Expected a 'syslog' LogConfig with one config, got %v", hostconfig.RestartPolicy)
+	}
+}
+
+func TestParseEnvfileVariables(t *testing.T) {
+	e := "open nonexistent: no such file or directory"
+	if runtime.GOOS == "windows" {
+		e = "open nonexistent: The system cannot find the file specified."
+	}
+	// env ko
+	if _, _, _, err := parseRun([]string{"--env-file=nonexistent", "img", "cmd"}); err == nil || err.Error() != e {
+		t.Fatalf("Expected an error with message '%s', got %v", e, err)
+	}
+	// env ok
+	config, _, _, err := parseRun([]string{"--env-file=testdata/valid.env", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.Env) != 1 || config.Env[0] != "ENV1=value1" {
+		t.Fatalf("Expected a config with [ENV1=value1], got %v", config.Env)
+	}
+	config, _, _, err = parseRun([]string{"--env-file=testdata/valid.env", "--env=ENV2=value2", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.Env) != 2 || config.Env[0] != "ENV1=value1" || config.Env[1] != "ENV2=value2" {
+		t.Fatalf("Expected a config with [ENV1=value1 ENV2=value2], got %v", config.Env)
+	}
+}
+
+func TestParseEnvfileVariablesWithBOMUnicode(t *testing.T) {
+	// UTF8 with BOM
+	config, _, _, err := parseRun([]string{"--env-file=testdata/utf8.env", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	env := []string{"FOO=BAR", "HELLO=" + string([]byte{0xe6, 0x82, 0xa8, 0xe5, 0xa5, 0xbd}), "BAR=FOO"}
+	if len(config.Env) != len(env) {
+		t.Fatalf("Expected a config with %d env variables, got %v: %v", len(env), len(config.Env), config.Env)
+	}
+	for i, v := range env {
+		if config.Env[i] != v {
+			t.Fatalf("Expected a config with [%s], got %v", v, []byte(config.Env[i]))
+		}
+	}
+
+	// UTF16 with BOM
+	e := "contains invalid utf8 bytes at line"
+	if _, _, _, err := parseRun([]string{"--env-file=testdata/utf16.env", "img", "cmd"}); err == nil || !strings.Contains(err.Error(), e) {
+		t.Fatalf("Expected an error with message '%s', got %v", e, err)
+	}
+	// UTF16BE with BOM
+	if _, _, _, err := parseRun([]string{"--env-file=testdata/utf16be.env", "img", "cmd"}); err == nil || !strings.Contains(err.Error(), e) {
+		t.Fatalf("Expected an error with message '%s', got %v", e, err)
+	}
+}
+
+func TestParseLabelfileVariables(t *testing.T) {
+	e := "open nonexistent: no such file or directory"
+	if runtime.GOOS == "windows" {
+		e = "open nonexistent: The system cannot find the file specified."
+	}
+	// label ko
+	if _, _, _, err := parseRun([]string{"--label-file=nonexistent", "img", "cmd"}); err == nil || err.Error() != e {
+		t.Fatalf("Expected an error with message '%s', got %v", e, err)
+	}
+	// label ok
+	config, _, _, err := parseRun([]string{"--label-file=testdata/valid.label", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.Labels) != 1 || config.Labels["LABEL1"] != "value1" {
+		t.Fatalf("Expected a config with [LABEL1:value1], got %v", config.Labels)
+	}
+	config, _, _, err = parseRun([]string{"--label-file=testdata/valid.label", "--label=LABEL2=value2", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.Labels) != 2 || config.Labels["LABEL1"] != "value1" || config.Labels["LABEL2"] != "value2" {
+		t.Fatalf("Expected a config with [LABEL1:value1 LABEL2:value2], got %v", config.Labels)
+	}
+}
+
+func TestParseEntryPoint(t *testing.T) {
+	config, _, _, err := parseRun([]string{"--entrypoint=anything", "cmd", "img"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.Entrypoint) != 1 && config.Entrypoint[0] != "anything" {
+		t.Fatalf("Expected entrypoint 'anything', got %v", config.Entrypoint)
+	}
+}
+
+func TestValidateDevice(t *testing.T) {
+	valid := []string{
+		"/home",
+		"/home:/home",
+		"/home:/something/else",
+		"/with space",
+		"/home:/with space",
+		"relative:/absolute-path",
+		"hostPath:/containerPath:r",
+		"/hostPath:/containerPath:rw",
+		"/hostPath:/containerPath:mrw",
+	}
+	invalid := map[string]string{
+		"":        "bad format for path: ",
+		"./":      "./ is not an absolute path",
+		"../":     "../ is not an absolute path",
+		"/:../":   "../ is not an absolute path",
+		"/:path":  "path is not an absolute path",
+		":":       "bad format for path: :",
+		"/tmp:":   " is not an absolute path",
+		":test":   "bad format for path: :test",
+		":/test":  "bad format for path: :/test",
+		"tmp:":    " is not an absolute path",
+		":test:":  "bad format for path: :test:",
+		"::":      "bad format for path: ::",
+		":::":     "bad format for path: :::",
+		"/tmp:::": "bad format for path: /tmp:::",
+		":/tmp::": "bad format for path: :/tmp::",
+		"path:ro": "ro is not an absolute path",
+		"path:rr": "rr is not an absolute path",
+		"a:/b:ro": "bad mode specified: ro",
+		"a:/b:rr": "bad mode specified: rr",
+	}
+
+	for _, path := range valid {
+		if _, err := validateDevice(path); err != nil {
+			t.Fatalf("ValidateDevice(`%q`) should succeed: error %q", path, err)
+		}
+	}
+
+	for path, expectedError := range invalid {
+		if _, err := validateDevice(path); err == nil {
+			t.Fatalf("ValidateDevice(`%q`) should have failed validation", path)
+		} else {
+			if err.Error() != expectedError {
+				t.Fatalf("ValidateDevice(`%q`) error should contain %q, got %q", path, expectedError, err.Error())
+			}
+		}
+	}
+}
diff --git a/cli/cli/command/container/pause.go b/cli/cli/command/container/pause.go
new file mode 100644
index 00000000..1118b7f0
--- /dev/null
+++ b/cli/cli/command/container/pause.go
@@ -0,0 +1,49 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type pauseOptions struct {
+	containers []string
+}
+
+// NewPauseCommand creates a new cobra.Command for `docker pause`
+func NewPauseCommand(dockerCli command.Cli) *cobra.Command {
+	var opts pauseOptions
+
+	return &cobra.Command{
+		Use:   "pause CONTAINER [CONTAINER...]",
+		Short: "Pause all processes within one or more containers",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.containers = args
+			return runPause(dockerCli, &opts)
+		},
+	}
+}
+
+func runPause(dockerCli command.Cli, opts *pauseOptions) error {
+	ctx := context.Background()
+
+	var errs []string
+	errChan := parallelOperation(ctx, opts.containers, dockerCli.Client().ContainerPause)
+	for _, container := range opts.containers {
+		if err := <-errChan; err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+		fmt.Fprintln(dockerCli.Out(), container)
+	}
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/port.go b/cli/cli/command/container/port.go
new file mode 100644
index 00000000..83e16a98
--- /dev/null
+++ b/cli/cli/command/container/port.go
@@ -0,0 +1,78 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/go-connections/nat"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type portOptions struct {
+	container string
+
+	port string
+}
+
+// NewPortCommand creates a new cobra.Command for `docker port`
+func NewPortCommand(dockerCli command.Cli) *cobra.Command {
+	var opts portOptions
+
+	cmd := &cobra.Command{
+		Use:   "port CONTAINER [PRIVATE_PORT[/PROTO]]",
+		Short: "List port mappings or a specific mapping for the container",
+		Args:  cli.RequiresRangeArgs(1, 2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.container = args[0]
+			if len(args) > 1 {
+				opts.port = args[1]
+			}
+			return runPort(dockerCli, &opts)
+		},
+	}
+	return cmd
+}
+
+func runPort(dockerCli command.Cli, opts *portOptions) error {
+	ctx := context.Background()
+
+	c, err := dockerCli.Client().ContainerInspect(ctx, opts.container)
+	if err != nil {
+		return err
+	}
+
+	if opts.port != "" {
+		port := opts.port
+		proto := "tcp"
+		parts := strings.SplitN(port, "/", 2)
+
+		if len(parts) == 2 && len(parts[1]) != 0 {
+			port = parts[0]
+			proto = parts[1]
+		}
+		natPort := port + "/" + proto
+		newP, err := nat.NewPort(proto, port)
+		if err != nil {
+			return err
+		}
+		if frontends, exists := c.NetworkSettings.Ports[newP]; exists && frontends != nil {
+			for _, frontend := range frontends {
+				fmt.Fprintf(dockerCli.Out(), "%s:%s\n", frontend.HostIP, frontend.HostPort)
+			}
+			return nil
+		}
+		return errors.Errorf("Error: No public port '%s' published for %s", natPort, opts.container)
+	}
+
+	for from, frontends := range c.NetworkSettings.Ports {
+		for _, frontend := range frontends {
+			fmt.Fprintf(dockerCli.Out(), "%s -> %s:%s\n", from, frontend.HostIP, frontend.HostPort)
+		}
+	}
+
+	return nil
+}
diff --git a/cli/cli/command/container/prune.go b/cli/cli/command/container/prune.go
new file mode 100644
index 00000000..ba5f8055
--- /dev/null
+++ b/cli/cli/command/container/prune.go
@@ -0,0 +1,78 @@
+package container
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	units "github.com/docker/go-units"
+	"github.com/spf13/cobra"
+)
+
+type pruneOptions struct {
+	force  bool
+	filter opts.FilterOpt
+}
+
+// NewPruneCommand returns a new cobra prune command for containers
+func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
+	options := pruneOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "prune [OPTIONS]",
+		Short: "Remove all stopped containers",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			spaceReclaimed, output, err := runPrune(dockerCli, options)
+			if err != nil {
+				return err
+			}
+			if output != "" {
+				fmt.Fprintln(dockerCli.Out(), output)
+			}
+			fmt.Fprintln(dockerCli.Out(), "Total reclaimed space:", units.HumanSize(float64(spaceReclaimed)))
+			return nil
+		},
+		Annotations: map[string]string{"version": "1.25"},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
+	flags.Var(&options.filter, "filter", "Provide filter values (e.g. 'until=<timestamp>')")
+
+	return cmd
+}
+
+const warning = `WARNING! This will remove all stopped containers.
+Are you sure you want to continue?`
+
+func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint64, output string, err error) {
+	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())
+
+	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
+		return 0, "", nil
+	}
+
+	report, err := dockerCli.Client().ContainersPrune(context.Background(), pruneFilters)
+	if err != nil {
+		return 0, "", err
+	}
+
+	if len(report.ContainersDeleted) > 0 {
+		output = "Deleted Containers:\n"
+		for _, id := range report.ContainersDeleted {
+			output += id + "\n"
+		}
+		spaceReclaimed = report.SpaceReclaimed
+	}
+
+	return spaceReclaimed, output, nil
+}
+
+// RunPrune calls the Container Prune API
+// This returns the amount of space reclaimed and a detailed output string
+func RunPrune(dockerCli command.Cli, filter opts.FilterOpt) (uint64, string, error) {
+	return runPrune(dockerCli, pruneOptions{force: true, filter: filter})
+}
diff --git a/cli/cli/command/container/ps_test.go b/cli/cli/command/container/ps_test.go
new file mode 100644
index 00000000..28853576
--- /dev/null
+++ b/cli/cli/command/container/ps_test.go
@@ -0,0 +1,119 @@
+package container
+
+import (
+	"testing"
+
+	"github.com/docker/cli/opts"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestBuildContainerListOptions(t *testing.T) {
+	filters := opts.NewFilterOpt()
+	assert.NilError(t, filters.Set("foo=bar"))
+	assert.NilError(t, filters.Set("baz=foo"))
+
+	contexts := []struct {
+		psOpts          *psOptions
+		expectedAll     bool
+		expectedSize    bool
+		expectedLimit   int
+		expectedFilters map[string]string
+	}{
+		{
+			psOpts: &psOptions{
+				all:    true,
+				size:   true,
+				last:   5,
+				filter: filters,
+			},
+			expectedAll:   true,
+			expectedSize:  true,
+			expectedLimit: 5,
+			expectedFilters: map[string]string{
+				"foo": "bar",
+				"baz": "foo",
+			},
+		},
+		{
+			psOpts: &psOptions{
+				all:     true,
+				size:    true,
+				last:    -1,
+				nLatest: true,
+			},
+			expectedAll:     true,
+			expectedSize:    true,
+			expectedLimit:   1,
+			expectedFilters: make(map[string]string),
+		},
+		{
+			psOpts: &psOptions{
+				all:    true,
+				size:   false,
+				last:   5,
+				filter: filters,
+				// With .Size, size should be true
+				format: "{{.Size}}",
+			},
+			expectedAll:   true,
+			expectedSize:  true,
+			expectedLimit: 5,
+			expectedFilters: map[string]string{
+				"foo": "bar",
+				"baz": "foo",
+			},
+		},
+		{
+			psOpts: &psOptions{
+				all:    true,
+				size:   false,
+				last:   5,
+				filter: filters,
+				// With .Size, size should be true
+				format: "{{.Size}} {{.CreatedAt}} {{.Networks}}",
+			},
+			expectedAll:   true,
+			expectedSize:  true,
+			expectedLimit: 5,
+			expectedFilters: map[string]string{
+				"foo": "bar",
+				"baz": "foo",
+			},
+		},
+		{
+			psOpts: &psOptions{
+				all:    true,
+				size:   false,
+				last:   5,
+				filter: filters,
+				// Without .Size, size should be false
+				format: "{{.CreatedAt}} {{.Networks}}",
+			},
+			expectedAll:   true,
+			expectedSize:  false,
+			expectedLimit: 5,
+			expectedFilters: map[string]string{
+				"foo": "bar",
+				"baz": "foo",
+			},
+		},
+	}
+
+	for _, c := range contexts {
+		options, err := buildContainerListOptions(c.psOpts)
+		assert.NilError(t, err)
+
+		assert.Check(t, is.Equal(c.expectedAll, options.All))
+		assert.Check(t, is.Equal(c.expectedSize, options.Size))
+		assert.Check(t, is.Equal(c.expectedLimit, options.Limit))
+		assert.Check(t, is.Equal(len(c.expectedFilters), options.Filters.Len()))
+
+		for k, v := range c.expectedFilters {
+			f := options.Filters
+			if !f.ExactMatch(k, v) {
+				t.Fatalf("Expected filter with key %s to be %s but got %s", k, v, f.Get(k))
+			}
+		}
+	}
+}
diff --git a/cli/cli/command/container/rename.go b/cli/cli/command/container/rename.go
new file mode 100644
index 00000000..bc58ea20
--- /dev/null
+++ b/cli/cli/command/container/rename.go
@@ -0,0 +1,51 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type renameOptions struct {
+	oldName string
+	newName string
+}
+
+// NewRenameCommand creates a new cobra.Command for `docker rename`
+func NewRenameCommand(dockerCli command.Cli) *cobra.Command {
+	var opts renameOptions
+
+	cmd := &cobra.Command{
+		Use:   "rename CONTAINER NEW_NAME",
+		Short: "Rename a container",
+		Args:  cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.oldName = args[0]
+			opts.newName = args[1]
+			return runRename(dockerCli, &opts)
+		},
+	}
+	return cmd
+}
+
+func runRename(dockerCli command.Cli, opts *renameOptions) error {
+	ctx := context.Background()
+
+	oldName := strings.TrimSpace(opts.oldName)
+	newName := strings.TrimSpace(opts.newName)
+
+	if oldName == "" || newName == "" {
+		return errors.New("Error: Neither old nor new names may be empty")
+	}
+
+	if err := dockerCli.Client().ContainerRename(ctx, oldName, newName); err != nil {
+		fmt.Fprintln(dockerCli.Err(), err)
+		return errors.Errorf("Error: failed to rename container named %s", oldName)
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/restart.go b/cli/cli/command/container/restart.go
new file mode 100644
index 00000000..6e02ee46
--- /dev/null
+++ b/cli/cli/command/container/restart.go
@@ -0,0 +1,62 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type restartOptions struct {
+	nSeconds        int
+	nSecondsChanged bool
+
+	containers []string
+}
+
+// NewRestartCommand creates a new cobra.Command for `docker restart`
+func NewRestartCommand(dockerCli command.Cli) *cobra.Command {
+	var opts restartOptions
+
+	cmd := &cobra.Command{
+		Use:   "restart [OPTIONS] CONTAINER [CONTAINER...]",
+		Short: "Restart one or more containers",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.containers = args
+			opts.nSecondsChanged = cmd.Flags().Changed("time")
+			return runRestart(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.IntVarP(&opts.nSeconds, "time", "t", 10, "Seconds to wait for stop before killing the container")
+	return cmd
+}
+
+func runRestart(dockerCli command.Cli, opts *restartOptions) error {
+	ctx := context.Background()
+	var errs []string
+	var timeout *time.Duration
+	if opts.nSecondsChanged {
+		timeoutValue := time.Duration(opts.nSeconds) * time.Second
+		timeout = &timeoutValue
+	}
+
+	for _, name := range opts.containers {
+		if err := dockerCli.Client().ContainerRestart(ctx, name, timeout); err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+		fmt.Fprintln(dockerCli.Out(), name)
+	}
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/rm.go b/cli/cli/command/container/rm.go
new file mode 100644
index 00000000..2dcd4b6a
--- /dev/null
+++ b/cli/cli/command/container/rm.go
@@ -0,0 +1,73 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type rmOptions struct {
+	rmVolumes bool
+	rmLink    bool
+	force     bool
+
+	containers []string
+}
+
+// NewRmCommand creates a new cobra.Command for `docker rm`
+func NewRmCommand(dockerCli command.Cli) *cobra.Command {
+	var opts rmOptions
+
+	cmd := &cobra.Command{
+		Use:   "rm [OPTIONS] CONTAINER [CONTAINER...]",
+		Short: "Remove one or more containers",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.containers = args
+			return runRm(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.rmVolumes, "volumes", "v", false, "Remove the volumes associated with the container")
+	flags.BoolVarP(&opts.rmLink, "link", "l", false, "Remove the specified link")
+	flags.BoolVarP(&opts.force, "force", "f", false, "Force the removal of a running container (uses SIGKILL)")
+	return cmd
+}
+
+func runRm(dockerCli command.Cli, opts *rmOptions) error {
+	ctx := context.Background()
+
+	var errs []string
+	options := types.ContainerRemoveOptions{
+		RemoveVolumes: opts.rmVolumes,
+		RemoveLinks:   opts.rmLink,
+		Force:         opts.force,
+	}
+
+	errChan := parallelOperation(ctx, opts.containers, func(ctx context.Context, container string) error {
+		container = strings.Trim(container, "/")
+		if container == "" {
+			return errors.New("Container name cannot be empty")
+		}
+		return dockerCli.Client().ContainerRemove(ctx, container, options)
+	})
+
+	for _, name := range opts.containers {
+		if err := <-errChan; err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+		fmt.Fprintln(dockerCli.Out(), name)
+	}
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/run.go b/cli/cli/command/container/run.go
new file mode 100644
index 00000000..d2ca5873
--- /dev/null
+++ b/cli/cli/command/container/run.go
@@ -0,0 +1,341 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http/httputil"
+	"os"
+	"regexp"
+	"runtime"
+	"strings"
+	"syscall"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/docker/docker/pkg/term"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type runOptions struct {
+	createOptions
+	detach     bool
+	sigProxy   bool
+	detachKeys string
+}
+
+// NewRunCommand create a new `docker run` command
+func NewRunCommand(dockerCli command.Cli) *cobra.Command {
+	var opts runOptions
+	var copts *containerOptions
+
+	cmd := &cobra.Command{
+		Use:   "run [OPTIONS] IMAGE [COMMAND] [ARG...]",
+		Short: "Run a command in a new container",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			copts.Image = args[0]
+			if len(args) > 1 {
+				copts.Args = args[1:]
+			}
+			return runRun(dockerCli, cmd.Flags(), &opts, copts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.SetInterspersed(false)
+
+	// These are flags not stored in Config/HostConfig
+	flags.BoolVarP(&opts.detach, "detach", "d", false, "Run container in background and print container ID")
+	flags.BoolVar(&opts.sigProxy, "sig-proxy", true, "Proxy received signals to the process")
+	flags.StringVar(&opts.name, "name", "", "Assign a name to the container")
+	flags.StringVar(&opts.detachKeys, "detach-keys", "", "Override the key sequence for detaching a container")
+
+	// Add an explicit help that doesn't have a `-h` to prevent the conflict
+	// with hostname
+	flags.Bool("help", false, "Print usage")
+
+	command.AddPlatformFlag(flags, &opts.platform)
+	command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
+	copts = addFlags(flags)
+	return cmd
+}
+
+func warnOnOomKillDisable(hostConfig container.HostConfig, stderr io.Writer) {
+	if hostConfig.OomKillDisable != nil && *hostConfig.OomKillDisable && hostConfig.Memory == 0 {
+		fmt.Fprintln(stderr, "WARNING: Disabling the OOM killer on containers without setting a '-m/--memory' limit may be dangerous.")
+	}
+}
+
+// check the DNS settings passed via --dns against localhost regexp to warn if
+// they are trying to set a DNS to a localhost address
+func warnOnLocalhostDNS(hostConfig container.HostConfig, stderr io.Writer) {
+	for _, dnsIP := range hostConfig.DNS {
+		if isLocalhost(dnsIP) {
+			fmt.Fprintf(stderr, "WARNING: Localhost DNS setting (--dns=%s) may fail in containers.\n", dnsIP)
+			return
+		}
+	}
+}
+
+// IPLocalhost is a regex pattern for IPv4 or IPv6 loopback range.
+const ipLocalhost = `((127\.([0-9]{1,3}\.){2}[0-9]{1,3})|(::1)$)`
+
+var localhostIPRegexp = regexp.MustCompile(ipLocalhost)
+
+// IsLocalhost returns true if ip matches the localhost IP regular expression.
+// Used for determining if nameserver settings are being passed which are
+// localhost addresses
+func isLocalhost(ip string) bool {
+	return localhostIPRegexp.MatchString(ip)
+}
+
+func runRun(dockerCli command.Cli, flags *pflag.FlagSet, ropts *runOptions, copts *containerOptions) error {
+	proxyConfig := dockerCli.ConfigFile().ParseProxyConfig(dockerCli.Client().DaemonHost(), copts.env.GetAll())
+	newEnv := []string{}
+	for k, v := range proxyConfig {
+		if v == nil {
+			newEnv = append(newEnv, k)
+		} else {
+			newEnv = append(newEnv, fmt.Sprintf("%s=%s", k, *v))
+		}
+	}
+	copts.env = *opts.NewListOptsRef(&newEnv, nil)
+	containerConfig, err := parse(flags, copts)
+	// just in case the parse does not exit
+	if err != nil {
+		reportError(dockerCli.Err(), "run", err.Error(), true)
+		return cli.StatusError{StatusCode: 125}
+	}
+	return runContainer(dockerCli, ropts, copts, containerConfig)
+}
+
+// nolint: gocyclo
+func runContainer(dockerCli command.Cli, opts *runOptions, copts *containerOptions, containerConfig *containerConfig) error {
+	config := containerConfig.Config
+	hostConfig := containerConfig.HostConfig
+	stdout, stderr := dockerCli.Out(), dockerCli.Err()
+	client := dockerCli.Client()
+
+	warnOnOomKillDisable(*hostConfig, stderr)
+	warnOnLocalhostDNS(*hostConfig, stderr)
+
+	config.ArgsEscaped = false
+
+	if !opts.detach {
+		if err := dockerCli.In().CheckTty(config.AttachStdin, config.Tty); err != nil {
+			return err
+		}
+	} else {
+		if copts.attach.Len() != 0 {
+			return errors.New("Conflicting options: -a and -d")
+		}
+
+		config.AttachStdin = false
+		config.AttachStdout = false
+		config.AttachStderr = false
+		config.StdinOnce = false
+	}
+
+	// Disable sigProxy when in TTY mode
+	if config.Tty {
+		opts.sigProxy = false
+	}
+
+	// Telling the Windows daemon the initial size of the tty during start makes
+	// a far better user experience rather than relying on subsequent resizes
+	// to cause things to catch up.
+	if runtime.GOOS == "windows" {
+		hostConfig.ConsoleSize[0], hostConfig.ConsoleSize[1] = dockerCli.Out().GetTtySize()
+	}
+
+	ctx, cancelFun := context.WithCancel(context.Background())
+	defer cancelFun()
+
+	createResponse, err := createContainer(ctx, dockerCli, containerConfig, &opts.createOptions)
+	if err != nil {
+		reportError(stderr, "run", err.Error(), true)
+		return runStartContainerErr(err)
+	}
+	if opts.sigProxy {
+		sigc := ForwardAllSignals(ctx, dockerCli, createResponse.ID)
+		defer signal.StopCatch(sigc)
+	}
+
+	var (
+		waitDisplayID chan struct{}
+		errCh         chan error
+	)
+	if !config.AttachStdout && !config.AttachStderr {
+		// Make this asynchronous to allow the client to write to stdin before having to read the ID
+		waitDisplayID = make(chan struct{})
+		go func() {
+			defer close(waitDisplayID)
+			fmt.Fprintln(stdout, createResponse.ID)
+		}()
+	}
+	attach := config.AttachStdin || config.AttachStdout || config.AttachStderr
+	if attach {
+		if opts.detachKeys != "" {
+			dockerCli.ConfigFile().DetachKeys = opts.detachKeys
+		}
+
+		close, err := attachContainer(ctx, dockerCli, &errCh, config, createResponse.ID)
+
+		if err != nil {
+			return err
+		}
+		defer close()
+	}
+
+	statusChan := waitExitOrRemoved(ctx, dockerCli, createResponse.ID, copts.autoRemove)
+
+	//start the container
+	if err := client.ContainerStart(ctx, createResponse.ID, types.ContainerStartOptions{}); err != nil {
+		// If we have hijackedIOStreamer, we should notify
+		// hijackedIOStreamer we are going to exit and wait
+		// to avoid the terminal are not restored.
+		if attach {
+			cancelFun()
+			<-errCh
+		}
+
+		reportError(stderr, "run", err.Error(), false)
+		if copts.autoRemove {
+			// wait container to be removed
+			<-statusChan
+		}
+		return runStartContainerErr(err)
+	}
+
+	if (config.AttachStdin || config.AttachStdout || config.AttachStderr) && config.Tty && dockerCli.Out().IsTerminal() {
+		if err := MonitorTtySize(ctx, dockerCli, createResponse.ID, false); err != nil {
+			fmt.Fprintln(stderr, "Error monitoring TTY size:", err)
+		}
+	}
+
+	if errCh != nil {
+		if err := <-errCh; err != nil {
+			if _, ok := err.(term.EscapeError); ok {
+				// The user entered the detach escape sequence.
+				return nil
+			}
+
+			logrus.Debugf("Error hijack: %s", err)
+			return err
+		}
+	}
+
+	// Detached mode: wait for the id to be displayed and return.
+	if !config.AttachStdout && !config.AttachStderr {
+		// Detached mode
+		<-waitDisplayID
+		return nil
+	}
+
+	status := <-statusChan
+	if status != 0 {
+		return cli.StatusError{StatusCode: status}
+	}
+	return nil
+}
+
+func attachContainer(
+	ctx context.Context,
+	dockerCli command.Cli,
+	errCh *chan error,
+	config *container.Config,
+	containerID string,
+) (func(), error) {
+	stdout, stderr := dockerCli.Out(), dockerCli.Err()
+	var (
+		out, cerr io.Writer
+		in        io.ReadCloser
+	)
+	if config.AttachStdin {
+		in = dockerCli.In()
+	}
+	if config.AttachStdout {
+		out = stdout
+	}
+	if config.AttachStderr {
+		if config.Tty {
+			cerr = stdout
+		} else {
+			cerr = stderr
+		}
+	}
+
+	options := types.ContainerAttachOptions{
+		Stream:     true,
+		Stdin:      config.AttachStdin,
+		Stdout:     config.AttachStdout,
+		Stderr:     config.AttachStderr,
+		DetachKeys: dockerCli.ConfigFile().DetachKeys,
+	}
+
+	resp, errAttach := dockerCli.Client().ContainerAttach(ctx, containerID, options)
+	if errAttach != nil && errAttach != httputil.ErrPersistEOF {
+		// ContainerAttach returns an ErrPersistEOF (connection closed)
+		// means server met an error and put it in Hijacked connection
+		// keep the error and read detailed error message from hijacked connection later
+		return nil, errAttach
+	}
+
+	ch := make(chan error, 1)
+	*errCh = ch
+
+	go func() {
+		ch <- func() error {
+			streamer := hijackedIOStreamer{
+				streams:      dockerCli,
+				inputStream:  in,
+				outputStream: out,
+				errorStream:  cerr,
+				resp:         resp,
+				tty:          config.Tty,
+				detachKeys:   options.DetachKeys,
+			}
+
+			if errHijack := streamer.stream(ctx); errHijack != nil {
+				return errHijack
+			}
+			return errAttach
+		}()
+	}()
+	return resp.Close, nil
+}
+
+// reportError is a utility method that prints a user-friendly message
+// containing the error that occurred during parsing and a suggestion to get help
+func reportError(stderr io.Writer, name string, str string, withHelp bool) {
+	str = strings.TrimSuffix(str, ".") + "."
+	if withHelp {
+		str += "\nSee '" + os.Args[0] + " " + name + " --help'."
+	}
+	fmt.Fprintf(stderr, "%s: %s\n", os.Args[0], str)
+}
+
+// if container start fails with 'not found'/'no such' error, return 127
+// if container start fails with 'permission denied' error, return 126
+// return 125 for generic docker daemon failures
+func runStartContainerErr(err error) error {
+	trimmedErr := strings.TrimPrefix(err.Error(), "Error response from daemon: ")
+	statusError := cli.StatusError{StatusCode: 125}
+	if strings.Contains(trimmedErr, "executable file not found") ||
+		strings.Contains(trimmedErr, "no such file or directory") ||
+		strings.Contains(trimmedErr, "system cannot find the file specified") {
+		statusError = cli.StatusError{StatusCode: 127}
+	} else if strings.Contains(trimmedErr, syscall.EACCES.Error()) {
+		statusError = cli.StatusError{StatusCode: 126}
+	}
+
+	return statusError
+}
diff --git a/cli/cli/command/container/run_test.go b/cli/cli/command/container/run_test.go
new file mode 100644
index 00000000..4938a564
--- /dev/null
+++ b/cli/cli/command/container/run_test.go
@@ -0,0 +1,75 @@
+package container
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/cli/internal/test/notary"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestRunLabel(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		createContainerFunc: func(_ *container.Config, _ *container.HostConfig, _ *network.NetworkingConfig, _ string) (container.ContainerCreateCreatedBody, error) {
+			return container.ContainerCreateCreatedBody{
+				ID: "id",
+			}, nil
+		},
+		Version: "1.36",
+	})
+	cmd := NewRunCommand(cli)
+	cmd.Flags().Set("detach", "true")
+	cmd.SetArgs([]string{"--label", "foo", "busybox"})
+	assert.NilError(t, cmd.Execute())
+}
+
+func TestRunCommandWithContentTrustErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+		notaryFunc    test.NotaryClientFuncType
+	}{
+		{
+			name:          "offline-notary-server",
+			notaryFunc:    notary.GetOfflineNotaryRepository,
+			expectedError: "client is offline",
+			args:          []string{"image:tag"},
+		},
+		{
+			name:          "uninitialized-notary-server",
+			notaryFunc:    notary.GetUninitializedNotaryRepository,
+			expectedError: "remote trust data does not exist",
+			args:          []string{"image:tag"},
+		},
+		{
+			name:          "empty-notary-server",
+			notaryFunc:    notary.GetEmptyTargetsNotaryRepository,
+			expectedError: "No valid trust data for tag",
+			args:          []string{"image:tag"},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			createContainerFunc: func(config *container.Config,
+				hostConfig *container.HostConfig,
+				networkingConfig *network.NetworkingConfig,
+				containerName string,
+			) (container.ContainerCreateCreatedBody, error) {
+				return container.ContainerCreateCreatedBody{}, fmt.Errorf("shouldn't try to pull image")
+			},
+		}, test.EnableContentTrust)
+		cli.SetNotaryClient(tc.notaryFunc)
+		cmd := NewRunCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		err := cmd.Execute()
+		assert.Assert(t, err != nil)
+		assert.Assert(t, is.Contains(cli.ErrBuffer().String(), tc.expectedError))
+	}
+}
diff --git a/cli/cli/command/container/start.go b/cli/cli/command/container/start.go
new file mode 100644
index 00000000..e3883028
--- /dev/null
+++ b/cli/cli/command/container/start.go
@@ -0,0 +1,202 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http/httputil"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/docker/docker/pkg/term"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type startOptions struct {
+	attach        bool
+	openStdin     bool
+	detachKeys    string
+	checkpoint    string
+	checkpointDir string
+
+	containers []string
+}
+
+// NewStartCommand creates a new cobra.Command for `docker start`
+func NewStartCommand(dockerCli command.Cli) *cobra.Command {
+	var opts startOptions
+
+	cmd := &cobra.Command{
+		Use:   "start [OPTIONS] CONTAINER [CONTAINER...]",
+		Short: "Start one or more stopped containers",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.containers = args
+			return runStart(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.attach, "attach", "a", false, "Attach STDOUT/STDERR and forward signals")
+	flags.BoolVarP(&opts.openStdin, "interactive", "i", false, "Attach container's STDIN")
+	flags.StringVar(&opts.detachKeys, "detach-keys", "", "Override the key sequence for detaching a container")
+
+	flags.StringVar(&opts.checkpoint, "checkpoint", "", "Restore from this checkpoint")
+	flags.SetAnnotation("checkpoint", "experimental", nil)
+	flags.SetAnnotation("checkpoint", "ostype", []string{"linux"})
+	flags.StringVar(&opts.checkpointDir, "checkpoint-dir", "", "Use a custom checkpoint storage directory")
+	flags.SetAnnotation("checkpoint-dir", "experimental", nil)
+	flags.SetAnnotation("checkpoint-dir", "ostype", []string{"linux"})
+	return cmd
+}
+
+// nolint: gocyclo
+func runStart(dockerCli command.Cli, opts *startOptions) error {
+	ctx, cancelFun := context.WithCancel(context.Background())
+	defer cancelFun()
+
+	if opts.attach || opts.openStdin {
+		// We're going to attach to a container.
+		// 1. Ensure we only have one container.
+		if len(opts.containers) > 1 {
+			return errors.New("you cannot start and attach multiple containers at once")
+		}
+
+		// 2. Attach to the container.
+		container := opts.containers[0]
+		c, err := dockerCli.Client().ContainerInspect(ctx, container)
+		if err != nil {
+			return err
+		}
+
+		// We always use c.ID instead of container to maintain consistency during `docker start`
+		if !c.Config.Tty {
+			sigc := ForwardAllSignals(ctx, dockerCli, c.ID)
+			defer signal.StopCatch(sigc)
+		}
+
+		if opts.detachKeys != "" {
+			dockerCli.ConfigFile().DetachKeys = opts.detachKeys
+		}
+
+		options := types.ContainerAttachOptions{
+			Stream:     true,
+			Stdin:      opts.openStdin && c.Config.OpenStdin,
+			Stdout:     true,
+			Stderr:     true,
+			DetachKeys: dockerCli.ConfigFile().DetachKeys,
+		}
+
+		var in io.ReadCloser
+
+		if options.Stdin {
+			in = dockerCli.In()
+		}
+
+		resp, errAttach := dockerCli.Client().ContainerAttach(ctx, c.ID, options)
+		if errAttach != nil && errAttach != httputil.ErrPersistEOF {
+			// ContainerAttach return an ErrPersistEOF (connection closed)
+			// means server met an error and already put it in Hijacked connection,
+			// we would keep the error and read the detailed error message from hijacked connection
+			return errAttach
+		}
+		defer resp.Close()
+
+		cErr := make(chan error, 1)
+
+		go func() {
+			cErr <- func() error {
+				streamer := hijackedIOStreamer{
+					streams:      dockerCli,
+					inputStream:  in,
+					outputStream: dockerCli.Out(),
+					errorStream:  dockerCli.Err(),
+					resp:         resp,
+					tty:          c.Config.Tty,
+					detachKeys:   options.DetachKeys,
+				}
+
+				errHijack := streamer.stream(ctx)
+				if errHijack == nil {
+					return errAttach
+				}
+				return errHijack
+			}()
+		}()
+
+		// 3. We should open a channel for receiving status code of the container
+		// no matter it's detached, removed on daemon side(--rm) or exit normally.
+		statusChan := waitExitOrRemoved(ctx, dockerCli, c.ID, c.HostConfig.AutoRemove)
+		startOptions := types.ContainerStartOptions{
+			CheckpointID:  opts.checkpoint,
+			CheckpointDir: opts.checkpointDir,
+		}
+
+		// 4. Start the container.
+		if err := dockerCli.Client().ContainerStart(ctx, c.ID, startOptions); err != nil {
+			cancelFun()
+			<-cErr
+			if c.HostConfig.AutoRemove {
+				// wait container to be removed
+				<-statusChan
+			}
+			return err
+		}
+
+		// 5. Wait for attachment to break.
+		if c.Config.Tty && dockerCli.Out().IsTerminal() {
+			if err := MonitorTtySize(ctx, dockerCli, c.ID, false); err != nil {
+				fmt.Fprintln(dockerCli.Err(), "Error monitoring TTY size:", err)
+			}
+		}
+		if attachErr := <-cErr; attachErr != nil {
+			if _, ok := err.(term.EscapeError); ok {
+				// The user entered the detach escape sequence.
+				return nil
+			}
+			return attachErr
+		}
+
+		if status := <-statusChan; status != 0 {
+			return cli.StatusError{StatusCode: status}
+		}
+	} else if opts.checkpoint != "" {
+		if len(opts.containers) > 1 {
+			return errors.New("you cannot restore multiple containers at once")
+		}
+		container := opts.containers[0]
+		startOptions := types.ContainerStartOptions{
+			CheckpointID:  opts.checkpoint,
+			CheckpointDir: opts.checkpointDir,
+		}
+		return dockerCli.Client().ContainerStart(ctx, container, startOptions)
+
+	} else {
+		// We're not going to attach to anything.
+		// Start as many containers as we want.
+		return startContainersWithoutAttachments(ctx, dockerCli, opts.containers)
+	}
+
+	return nil
+}
+
+func startContainersWithoutAttachments(ctx context.Context, dockerCli command.Cli, containers []string) error {
+	var failedContainers []string
+	for _, container := range containers {
+		if err := dockerCli.Client().ContainerStart(ctx, container, types.ContainerStartOptions{}); err != nil {
+			fmt.Fprintln(dockerCli.Err(), err)
+			failedContainers = append(failedContainers, container)
+			continue
+		}
+		fmt.Fprintln(dockerCli.Out(), container)
+	}
+
+	if len(failedContainers) > 0 {
+		return errors.Errorf("Error: failed to start containers: %s", strings.Join(failedContainers, ", "))
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/stats.go b/cli/cli/command/container/stats.go
new file mode 100644
index 00000000..4efcb19e
--- /dev/null
+++ b/cli/cli/command/container/stats.go
@@ -0,0 +1,245 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type statsOptions struct {
+	all        bool
+	noStream   bool
+	noTrunc    bool
+	format     string
+	containers []string
+}
+
+// NewStatsCommand creates a new cobra.Command for `docker stats`
+func NewStatsCommand(dockerCli command.Cli) *cobra.Command {
+	var opts statsOptions
+
+	cmd := &cobra.Command{
+		Use:   "stats [OPTIONS] [CONTAINER...]",
+		Short: "Display a live stream of container(s) resource usage statistics",
+		Args:  cli.RequiresMinArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.containers = args
+			return runStats(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.all, "all", "a", false, "Show all containers (default shows just running)")
+	flags.BoolVar(&opts.noStream, "no-stream", false, "Disable streaming stats and only pull the first result")
+	flags.BoolVar(&opts.noTrunc, "no-trunc", false, "Do not truncate output")
+	flags.StringVar(&opts.format, "format", "", "Pretty-print images using a Go template")
+	return cmd
+}
+
+// runStats displays a live stream of resource usage statistics for one or more containers.
+// This shows real-time information on CPU usage, memory usage, and network I/O.
+// nolint: gocyclo
+func runStats(dockerCli command.Cli, opts *statsOptions) error {
+	showAll := len(opts.containers) == 0
+	closeChan := make(chan error)
+
+	ctx := context.Background()
+
+	// monitorContainerEvents watches for container creation and removal (only
+	// used when calling `docker stats` without arguments).
+	monitorContainerEvents := func(started chan<- struct{}, c chan events.Message) {
+		f := filters.NewArgs()
+		f.Add("type", "container")
+		options := types.EventsOptions{
+			Filters: f,
+		}
+
+		eventq, errq := dockerCli.Client().Events(ctx, options)
+
+		// Whether we successfully subscribed to eventq or not, we can now
+		// unblock the main goroutine.
+		close(started)
+
+		for {
+			select {
+			case event := <-eventq:
+				c <- event
+			case err := <-errq:
+				closeChan <- err
+				return
+			}
+		}
+	}
+
+	// Get the daemonOSType if not set already
+	if daemonOSType == "" {
+		svctx := context.Background()
+		sv, err := dockerCli.Client().ServerVersion(svctx)
+		if err != nil {
+			return err
+		}
+		daemonOSType = sv.Os
+	}
+
+	// waitFirst is a WaitGroup to wait first stat data's reach for each container
+	waitFirst := &sync.WaitGroup{}
+
+	cStats := stats{}
+	// getContainerList simulates creation event for all previously existing
+	// containers (only used when calling `docker stats` without arguments).
+	getContainerList := func() {
+		options := types.ContainerListOptions{
+			All: opts.all,
+		}
+		cs, err := dockerCli.Client().ContainerList(ctx, options)
+		if err != nil {
+			closeChan <- err
+		}
+		for _, container := range cs {
+			s := formatter.NewContainerStats(container.ID[:12])
+			if cStats.add(s) {
+				waitFirst.Add(1)
+				go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
+			}
+		}
+	}
+
+	if showAll {
+		// If no names were specified, start a long running goroutine which
+		// monitors container events. We make sure we're subscribed before
+		// retrieving the list of running containers to avoid a race where we
+		// would "miss" a creation.
+		started := make(chan struct{})
+		eh := command.InitEventHandler()
+		eh.Handle("create", func(e events.Message) {
+			if opts.all {
+				s := formatter.NewContainerStats(e.ID[:12])
+				if cStats.add(s) {
+					waitFirst.Add(1)
+					go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
+				}
+			}
+		})
+
+		eh.Handle("start", func(e events.Message) {
+			s := formatter.NewContainerStats(e.ID[:12])
+			if cStats.add(s) {
+				waitFirst.Add(1)
+				go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
+			}
+		})
+
+		eh.Handle("die", func(e events.Message) {
+			if !opts.all {
+				cStats.remove(e.ID[:12])
+			}
+		})
+
+		eventChan := make(chan events.Message)
+		go eh.Watch(eventChan)
+		go monitorContainerEvents(started, eventChan)
+		defer close(eventChan)
+		<-started
+
+		// Start a short-lived goroutine to retrieve the initial list of
+		// containers.
+		getContainerList()
+	} else {
+		// Artificially send creation events for the containers we were asked to
+		// monitor (same code path than we use when monitoring all containers).
+		for _, name := range opts.containers {
+			s := formatter.NewContainerStats(name)
+			if cStats.add(s) {
+				waitFirst.Add(1)
+				go collect(ctx, s, dockerCli.Client(), !opts.noStream, waitFirst)
+			}
+		}
+
+		// We don't expect any asynchronous errors: closeChan can be closed.
+		close(closeChan)
+
+		// Do a quick pause to detect any error with the provided list of
+		// container names.
+		time.Sleep(1500 * time.Millisecond)
+		var errs []string
+		cStats.mu.Lock()
+		for _, c := range cStats.cs {
+			if err := c.GetError(); err != nil {
+				errs = append(errs, err.Error())
+			}
+		}
+		cStats.mu.Unlock()
+		if len(errs) > 0 {
+			return errors.New(strings.Join(errs, "\n"))
+		}
+	}
+
+	// before print to screen, make sure each container get at least one valid stat data
+	waitFirst.Wait()
+	format := opts.format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().StatsFormat) > 0 {
+			format = dockerCli.ConfigFile().StatsFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+	statsCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewStatsFormat(format, daemonOSType),
+	}
+	cleanScreen := func() {
+		if !opts.noStream {
+			fmt.Fprint(dockerCli.Out(), "\033[2J")
+			fmt.Fprint(dockerCli.Out(), "\033[H")
+		}
+	}
+
+	var err error
+	for range time.Tick(500 * time.Millisecond) {
+		cleanScreen()
+		ccstats := []formatter.StatsEntry{}
+		cStats.mu.Lock()
+		for _, c := range cStats.cs {
+			ccstats = append(ccstats, c.GetStatistics())
+		}
+		cStats.mu.Unlock()
+		if err = formatter.ContainerStatsWrite(statsCtx, ccstats, daemonOSType, !opts.noTrunc); err != nil {
+			break
+		}
+		if len(cStats.cs) == 0 && !showAll {
+			break
+		}
+		if opts.noStream {
+			break
+		}
+		select {
+		case err, ok := <-closeChan:
+			if ok {
+				if err != nil {
+					// this is suppressing "unexpected EOF" in the cli when the
+					// daemon restarts so it shutdowns cleanly
+					if err == io.ErrUnexpectedEOF {
+						return nil
+					}
+					return err
+				}
+			}
+		default:
+			// just skip
+		}
+	}
+	return err
+}
diff --git a/cli/cli/command/container/stats_helpers.go b/cli/cli/command/container/stats_helpers.go
new file mode 100644
index 00000000..2300ce5c
--- /dev/null
+++ b/cli/cli/command/container/stats_helpers.go
@@ -0,0 +1,239 @@
+package container
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type stats struct {
+	mu sync.Mutex
+	cs []*formatter.ContainerStats
+}
+
+// daemonOSType is set once we have at least one stat for a container
+// from the daemon. It is used to ensure we print the right header based
+// on the daemon platform.
+var daemonOSType string
+
+func (s *stats) add(cs *formatter.ContainerStats) bool {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if _, exists := s.isKnownContainer(cs.Container); !exists {
+		s.cs = append(s.cs, cs)
+		return true
+	}
+	return false
+}
+
+func (s *stats) remove(id string) {
+	s.mu.Lock()
+	if i, exists := s.isKnownContainer(id); exists {
+		s.cs = append(s.cs[:i], s.cs[i+1:]...)
+	}
+	s.mu.Unlock()
+}
+
+func (s *stats) isKnownContainer(cid string) (int, bool) {
+	for i, c := range s.cs {
+		if c.Container == cid {
+			return i, true
+		}
+	}
+	return -1, false
+}
+
+func collect(ctx context.Context, s *formatter.ContainerStats, cli client.APIClient, streamStats bool, waitFirst *sync.WaitGroup) {
+	logrus.Debugf("collecting stats for %s", s.Container)
+	var (
+		getFirst       bool
+		previousCPU    uint64
+		previousSystem uint64
+		u              = make(chan error, 1)
+	)
+
+	defer func() {
+		// if error happens and we get nothing of stats, release wait group whatever
+		if !getFirst {
+			getFirst = true
+			waitFirst.Done()
+		}
+	}()
+
+	response, err := cli.ContainerStats(ctx, s.Container, streamStats)
+	if err != nil {
+		s.SetError(err)
+		return
+	}
+	defer response.Body.Close()
+
+	dec := json.NewDecoder(response.Body)
+	go func() {
+		for {
+			var (
+				v                      *types.StatsJSON
+				memPercent, cpuPercent float64
+				blkRead, blkWrite      uint64 // Only used on Linux
+				mem, memLimit          float64
+				pidsStatsCurrent       uint64
+			)
+
+			if err := dec.Decode(&v); err != nil {
+				dec = json.NewDecoder(io.MultiReader(dec.Buffered(), response.Body))
+				u <- err
+				if err == io.EOF {
+					break
+				}
+				time.Sleep(100 * time.Millisecond)
+				continue
+			}
+
+			daemonOSType = response.OSType
+
+			if daemonOSType != "windows" {
+				previousCPU = v.PreCPUStats.CPUUsage.TotalUsage
+				previousSystem = v.PreCPUStats.SystemUsage
+				cpuPercent = calculateCPUPercentUnix(previousCPU, previousSystem, v)
+				blkRead, blkWrite = calculateBlockIO(v.BlkioStats)
+				mem = calculateMemUsageUnixNoCache(v.MemoryStats)
+				memLimit = float64(v.MemoryStats.Limit)
+				memPercent = calculateMemPercentUnixNoCache(memLimit, mem)
+				pidsStatsCurrent = v.PidsStats.Current
+			} else {
+				cpuPercent = calculateCPUPercentWindows(v)
+				blkRead = v.StorageStats.ReadSizeBytes
+				blkWrite = v.StorageStats.WriteSizeBytes
+				mem = float64(v.MemoryStats.PrivateWorkingSet)
+			}
+			netRx, netTx := calculateNetwork(v.Networks)
+			s.SetStatistics(formatter.StatsEntry{
+				Name:             v.Name,
+				ID:               v.ID,
+				CPUPercentage:    cpuPercent,
+				Memory:           mem,
+				MemoryPercentage: memPercent,
+				MemoryLimit:      memLimit,
+				NetworkRx:        netRx,
+				NetworkTx:        netTx,
+				BlockRead:        float64(blkRead),
+				BlockWrite:       float64(blkWrite),
+				PidsCurrent:      pidsStatsCurrent,
+			})
+			u <- nil
+			if !streamStats {
+				return
+			}
+		}
+	}()
+	for {
+		select {
+		case <-time.After(2 * time.Second):
+			// zero out the values if we have not received an update within
+			// the specified duration.
+			s.SetErrorAndReset(errors.New("timeout waiting for stats"))
+			// if this is the first stat you get, release WaitGroup
+			if !getFirst {
+				getFirst = true
+				waitFirst.Done()
+			}
+		case err := <-u:
+			s.SetError(err)
+			if err == io.EOF {
+				break
+			}
+			if err != nil {
+				continue
+			}
+			// if this is the first stat you get, release WaitGroup
+			if !getFirst {
+				getFirst = true
+				waitFirst.Done()
+			}
+		}
+		if !streamStats {
+			return
+		}
+	}
+}
+
+func calculateCPUPercentUnix(previousCPU, previousSystem uint64, v *types.StatsJSON) float64 {
+	var (
+		cpuPercent = 0.0
+		// calculate the change for the cpu usage of the container in between readings
+		cpuDelta = float64(v.CPUStats.CPUUsage.TotalUsage) - float64(previousCPU)
+		// calculate the change for the entire system between readings
+		systemDelta = float64(v.CPUStats.SystemUsage) - float64(previousSystem)
+		onlineCPUs  = float64(v.CPUStats.OnlineCPUs)
+	)
+
+	if onlineCPUs == 0.0 {
+		onlineCPUs = float64(len(v.CPUStats.CPUUsage.PercpuUsage))
+	}
+	if systemDelta > 0.0 && cpuDelta > 0.0 {
+		cpuPercent = (cpuDelta / systemDelta) * onlineCPUs * 100.0
+	}
+	return cpuPercent
+}
+
+func calculateCPUPercentWindows(v *types.StatsJSON) float64 {
+	// Max number of 100ns intervals between the previous time read and now
+	possIntervals := uint64(v.Read.Sub(v.PreRead).Nanoseconds()) // Start with number of ns intervals
+	possIntervals /= 100                                         // Convert to number of 100ns intervals
+	possIntervals *= uint64(v.NumProcs)                          // Multiple by the number of processors
+
+	// Intervals used
+	intervalsUsed := v.CPUStats.CPUUsage.TotalUsage - v.PreCPUStats.CPUUsage.TotalUsage
+
+	// Percentage avoiding divide-by-zero
+	if possIntervals > 0 {
+		return float64(intervalsUsed) / float64(possIntervals) * 100.0
+	}
+	return 0.00
+}
+
+func calculateBlockIO(blkio types.BlkioStats) (uint64, uint64) {
+	var blkRead, blkWrite uint64
+	for _, bioEntry := range blkio.IoServiceBytesRecursive {
+		switch strings.ToLower(bioEntry.Op) {
+		case "read":
+			blkRead = blkRead + bioEntry.Value
+		case "write":
+			blkWrite = blkWrite + bioEntry.Value
+		}
+	}
+	return blkRead, blkWrite
+}
+
+func calculateNetwork(network map[string]types.NetworkStats) (float64, float64) {
+	var rx, tx float64
+
+	for _, v := range network {
+		rx += float64(v.RxBytes)
+		tx += float64(v.TxBytes)
+	}
+	return rx, tx
+}
+
+// calculateMemUsageUnixNoCache calculate memory usage of the container.
+// Page cache is intentionally excluded to avoid misinterpretation of the output.
+func calculateMemUsageUnixNoCache(mem types.MemoryStats) float64 {
+	return float64(mem.Usage - mem.Stats["cache"])
+}
+
+func calculateMemPercentUnixNoCache(limit float64, usedNoCache float64) float64 {
+	// MemoryStats.Limit will never be 0 unless the container is not running and we haven't
+	// got any data from cgroup
+	if limit != 0 {
+		return usedNoCache / limit * 100.0
+	}
+	return 0
+}
diff --git a/cli/cli/command/container/stats_helpers_test.go b/cli/cli/command/container/stats_helpers_test.go
new file mode 100644
index 00000000..a9657e2e
--- /dev/null
+++ b/cli/cli/command/container/stats_helpers_test.go
@@ -0,0 +1,47 @@
+package container
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+)
+
+func TestCalculateMemUsageUnixNoCache(t *testing.T) {
+	// Given
+	stats := types.MemoryStats{Usage: 500, Stats: map[string]uint64{"cache": 400}}
+
+	// When
+	result := calculateMemUsageUnixNoCache(stats)
+
+	// Then
+	assert.Assert(t, inDelta(100.0, result, 1e-6))
+}
+
+func TestCalculateMemPercentUnixNoCache(t *testing.T) {
+	// Given
+	someLimit := float64(100.0)
+	noLimit := float64(0.0)
+	used := float64(70.0)
+
+	// When and Then
+	t.Run("Limit is set", func(t *testing.T) {
+		result := calculateMemPercentUnixNoCache(someLimit, used)
+		assert.Assert(t, inDelta(70.0, result, 1e-6))
+	})
+	t.Run("No limit, no cgroup data", func(t *testing.T) {
+		result := calculateMemPercentUnixNoCache(noLimit, used)
+		assert.Assert(t, inDelta(0.0, result, 1e-6))
+	})
+}
+
+func inDelta(x, y, delta float64) func() (bool, string) {
+	return func() (bool, string) {
+		diff := x - y
+		if diff < -delta || diff > delta {
+			return false, fmt.Sprintf("%f != %f within %f", x, y, delta)
+		}
+		return true, ""
+	}
+}
diff --git a/cli/cli/command/container/stats_unit_test.go b/cli/cli/command/container/stats_unit_test.go
new file mode 100644
index 00000000..21e650e2
--- /dev/null
+++ b/cli/cli/command/container/stats_unit_test.go
@@ -0,0 +1,25 @@
+package container
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestCalculateBlockIO(t *testing.T) {
+	blkio := types.BlkioStats{
+		IoServiceBytesRecursive: []types.BlkioStatEntry{
+			{Major: 8, Minor: 0, Op: "read", Value: 1234},
+			{Major: 8, Minor: 1, Op: "read", Value: 4567},
+			{Major: 8, Minor: 0, Op: "write", Value: 123},
+			{Major: 8, Minor: 1, Op: "write", Value: 456},
+		},
+	}
+	blkRead, blkWrite := calculateBlockIO(blkio)
+	if blkRead != 5801 {
+		t.Fatalf("blkRead = %d, want 5801", blkRead)
+	}
+	if blkWrite != 579 {
+		t.Fatalf("blkWrite = %d, want 579", blkWrite)
+	}
+}
diff --git a/cli/cli/command/container/stop.go b/cli/cli/command/container/stop.go
new file mode 100644
index 00000000..e2991754
--- /dev/null
+++ b/cli/cli/command/container/stop.go
@@ -0,0 +1,67 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type stopOptions struct {
+	time        int
+	timeChanged bool
+
+	containers []string
+}
+
+// NewStopCommand creates a new cobra.Command for `docker stop`
+func NewStopCommand(dockerCli command.Cli) *cobra.Command {
+	var opts stopOptions
+
+	cmd := &cobra.Command{
+		Use:   "stop [OPTIONS] CONTAINER [CONTAINER...]",
+		Short: "Stop one or more running containers",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.containers = args
+			opts.timeChanged = cmd.Flags().Changed("time")
+			return runStop(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.IntVarP(&opts.time, "time", "t", 10, "Seconds to wait for stop before killing it")
+	return cmd
+}
+
+func runStop(dockerCli command.Cli, opts *stopOptions) error {
+	ctx := context.Background()
+
+	var timeout *time.Duration
+	if opts.timeChanged {
+		timeoutValue := time.Duration(opts.time) * time.Second
+		timeout = &timeoutValue
+	}
+
+	var errs []string
+
+	errChan := parallelOperation(ctx, opts.containers, func(ctx context.Context, id string) error {
+		return dockerCli.Client().ContainerStop(ctx, id, timeout)
+	})
+	for _, container := range opts.containers {
+		if err := <-errChan; err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+		fmt.Fprintln(dockerCli.Out(), container)
+	}
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/testdata/container-list-format-name-name.golden b/cli/cli/command/container/testdata/container-list-format-name-name.golden
new file mode 100644
index 00000000..858ec961
--- /dev/null
+++ b/cli/cli/command/container/testdata/container-list-format-name-name.golden
@@ -0,0 +1,2 @@
+c1 c1
+c2 c2
diff --git a/cli/cli/command/container/testdata/container-list-format-with-arg.golden b/cli/cli/command/container/testdata/container-list-format-with-arg.golden
new file mode 100644
index 00000000..782ace94
--- /dev/null
+++ b/cli/cli/command/container/testdata/container-list-format-with-arg.golden
@@ -0,0 +1,2 @@
+c1 value
+c2 
diff --git a/cli/cli/command/container/testdata/container-list-with-config-format.golden b/cli/cli/command/container/testdata/container-list-with-config-format.golden
new file mode 100644
index 00000000..6333bf57
--- /dev/null
+++ b/cli/cli/command/container/testdata/container-list-with-config-format.golden
@@ -0,0 +1,2 @@
+c1 busybox:latest some.label=value
+c2 busybox:latest foo=bar
diff --git a/cli/cli/command/container/testdata/container-list-with-format.golden b/cli/cli/command/container/testdata/container-list-with-format.golden
new file mode 100644
index 00000000..6333bf57
--- /dev/null
+++ b/cli/cli/command/container/testdata/container-list-with-format.golden
@@ -0,0 +1,2 @@
+c1 busybox:latest some.label=value
+c2 busybox:latest foo=bar
diff --git a/cli/cli/command/container/testdata/container-list-without-format-no-trunc.golden b/cli/cli/command/container/testdata/container-list-without-format-no-trunc.golden
new file mode 100644
index 00000000..5b0d652e
--- /dev/null
+++ b/cli/cli/command/container/testdata/container-list-without-format-no-trunc.golden
@@ -0,0 +1,3 @@
+CONTAINER ID        IMAGE               COMMAND             CREATED                  STATUS              PORTS               NAMES
+container_id        busybox:latest      "top"               Less than a second ago   Up 1 second                             c1
+container_id        busybox:latest      "top"               Less than a second ago   Up 1 second                             c2,foo/bar
diff --git a/cli/cli/command/container/testdata/container-list-without-format.golden b/cli/cli/command/container/testdata/container-list-without-format.golden
new file mode 100644
index 00000000..7acd4045
--- /dev/null
+++ b/cli/cli/command/container/testdata/container-list-without-format.golden
@@ -0,0 +1,6 @@
+CONTAINER ID        IMAGE               COMMAND             CREATED                  STATUS              PORTS                NAMES
+container_id        busybox:latest      "top"               Less than a second ago   Up 1 second                              c1
+container_id        busybox:latest      "top"               Less than a second ago   Up 1 second                              c2
+container_id        busybox:latest      "top"               Less than a second ago   Up 1 second         80-82/tcp            c3
+container_id        busybox:latest      "top"               Less than a second ago   Up 1 second         81/udp               c4
+container_id        busybox:latest      "top"               Less than a second ago   Up 1 second         8.8.8.8:82->82/tcp   c5
diff --git a/cli/cli/command/container/testdata/utf16.env b/cli/cli/command/container/testdata/utf16.env
new file mode 100755
index 0000000000000000000000000000000000000000..3a73358fffbc0d5d3d4df985ccf2f4a1a29cdb2a
GIT binary patch
literal 54
ucmezW&yB$!2yGdh7#tab7<d`D7(5tU8GL{cB)TG@HWDNTk+o%js0IKq+6kus

literal 0
HcmV?d00001

diff --git a/cli/cli/command/container/testdata/utf16be.env b/cli/cli/command/container/testdata/utf16be.env
new file mode 100755
index 0000000000000000000000000000000000000000..e523da7af4dab0636ed73fabf730f33a1cb915b4
GIT binary patch
literal 54
ucmezOpTUj69|&z3oERJ#f*5!ixEMSbTp4_T5Gb0kBC-}N29dRes0IKkq6wz}

literal 0
HcmV?d00001

diff --git a/cli/cli/command/container/testdata/utf8.env b/cli/cli/command/container/testdata/utf8.env
new file mode 100755
index 00000000..1ce45055
--- /dev/null
+++ b/cli/cli/command/container/testdata/utf8.env
@@ -0,0 +1,3 @@
+FOO=BAR
+HELLO=您好
+BAR=FOO
\ No newline at end of file
diff --git a/cli/cli/command/container/testdata/valid.env b/cli/cli/command/container/testdata/valid.env
new file mode 100644
index 00000000..3afbdc81
--- /dev/null
+++ b/cli/cli/command/container/testdata/valid.env
@@ -0,0 +1 @@
+ENV1=value1
diff --git a/cli/cli/command/container/testdata/valid.label b/cli/cli/command/container/testdata/valid.label
new file mode 100644
index 00000000..b4208bdf
--- /dev/null
+++ b/cli/cli/command/container/testdata/valid.label
@@ -0,0 +1 @@
+LABEL1=value1
diff --git a/cli/cli/command/container/top.go b/cli/cli/command/container/top.go
new file mode 100644
index 00000000..526e1a5a
--- /dev/null
+++ b/cli/cli/command/container/top.go
@@ -0,0 +1,57 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+type topOptions struct {
+	container string
+
+	args []string
+}
+
+// NewTopCommand creates a new cobra.Command for `docker top`
+func NewTopCommand(dockerCli command.Cli) *cobra.Command {
+	var opts topOptions
+
+	cmd := &cobra.Command{
+		Use:   "top CONTAINER [ps OPTIONS]",
+		Short: "Display the running processes of a container",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.container = args[0]
+			opts.args = args[1:]
+			return runTop(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.SetInterspersed(false)
+
+	return cmd
+}
+
+func runTop(dockerCli command.Cli, opts *topOptions) error {
+	ctx := context.Background()
+
+	procList, err := dockerCli.Client().ContainerTop(ctx, opts.container, opts.args)
+	if err != nil {
+		return err
+	}
+
+	w := tabwriter.NewWriter(dockerCli.Out(), 20, 1, 3, ' ', 0)
+	fmt.Fprintln(w, strings.Join(procList.Titles, "\t"))
+
+	for _, proc := range procList.Processes {
+		fmt.Fprintln(w, strings.Join(proc, "\t"))
+	}
+	w.Flush()
+	return nil
+}
diff --git a/cli/cli/command/container/tty.go b/cli/cli/command/container/tty.go
new file mode 100644
index 00000000..cb49ded8
--- /dev/null
+++ b/cli/cli/command/container/tty.go
@@ -0,0 +1,103 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"os"
+	gosignal "os/signal"
+	"runtime"
+	"time"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/sirupsen/logrus"
+)
+
+// resizeTtyTo resizes tty to specific height and width
+func resizeTtyTo(ctx context.Context, client client.ContainerAPIClient, id string, height, width uint, isExec bool) {
+	if height == 0 && width == 0 {
+		return
+	}
+
+	options := types.ResizeOptions{
+		Height: height,
+		Width:  width,
+	}
+
+	var err error
+	if isExec {
+		err = client.ContainerExecResize(ctx, id, options)
+	} else {
+		err = client.ContainerResize(ctx, id, options)
+	}
+
+	if err != nil {
+		logrus.Debugf("Error resize: %s", err)
+	}
+}
+
+// MonitorTtySize updates the container tty size when the terminal tty changes size
+func MonitorTtySize(ctx context.Context, cli command.Cli, id string, isExec bool) error {
+	resizeTty := func() {
+		height, width := cli.Out().GetTtySize()
+		resizeTtyTo(ctx, cli.Client(), id, height, width, isExec)
+	}
+
+	resizeTty()
+
+	if runtime.GOOS == "windows" {
+		go func() {
+			prevH, prevW := cli.Out().GetTtySize()
+			for {
+				time.Sleep(time.Millisecond * 250)
+				h, w := cli.Out().GetTtySize()
+
+				if prevW != w || prevH != h {
+					resizeTty()
+				}
+				prevH = h
+				prevW = w
+			}
+		}()
+	} else {
+		sigchan := make(chan os.Signal, 1)
+		gosignal.Notify(sigchan, signal.SIGWINCH)
+		go func() {
+			for range sigchan {
+				resizeTty()
+			}
+		}()
+	}
+	return nil
+}
+
+// ForwardAllSignals forwards signals to the container
+func ForwardAllSignals(ctx context.Context, cli command.Cli, cid string) chan os.Signal {
+	sigc := make(chan os.Signal, 128)
+	signal.CatchAll(sigc)
+	go func() {
+		for s := range sigc {
+			if s == signal.SIGCHLD || s == signal.SIGPIPE {
+				continue
+			}
+			var sig string
+			for sigStr, sigN := range signal.SignalMap {
+				if sigN == s {
+					sig = sigStr
+					break
+				}
+			}
+			if sig == "" {
+				fmt.Fprintf(cli.Err(), "Unsupported signal: %v. Discarding.\n", s)
+				continue
+			}
+
+			if err := cli.Client().ContainerKill(ctx, cid, sig); err != nil {
+				logrus.Debugf("Error sending signal: %s", err)
+			}
+		}
+	}()
+	return sigc
+}
diff --git a/cli/cli/command/container/unpause.go b/cli/cli/command/container/unpause.go
new file mode 100644
index 00000000..7af4547f
--- /dev/null
+++ b/cli/cli/command/container/unpause.go
@@ -0,0 +1,50 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type unpauseOptions struct {
+	containers []string
+}
+
+// NewUnpauseCommand creates a new cobra.Command for `docker unpause`
+func NewUnpauseCommand(dockerCli command.Cli) *cobra.Command {
+	var opts unpauseOptions
+
+	cmd := &cobra.Command{
+		Use:   "unpause CONTAINER [CONTAINER...]",
+		Short: "Unpause all processes within one or more containers",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.containers = args
+			return runUnpause(dockerCli, &opts)
+		},
+	}
+	return cmd
+}
+
+func runUnpause(dockerCli command.Cli, opts *unpauseOptions) error {
+	ctx := context.Background()
+
+	var errs []string
+	errChan := parallelOperation(ctx, opts.containers, dockerCli.Client().ContainerUnpause)
+	for _, container := range opts.containers {
+		if err := <-errChan; err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+		fmt.Fprintln(dockerCli.Out(), container)
+	}
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/update.go b/cli/cli/command/container/update.go
new file mode 100644
index 00000000..d641a503
--- /dev/null
+++ b/cli/cli/command/container/update.go
@@ -0,0 +1,133 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type updateOptions struct {
+	blkioWeight        uint16
+	cpuPeriod          int64
+	cpuQuota           int64
+	cpuRealtimePeriod  int64
+	cpuRealtimeRuntime int64
+	cpusetCpus         string
+	cpusetMems         string
+	cpuShares          int64
+	memory             opts.MemBytes
+	memoryReservation  opts.MemBytes
+	memorySwap         opts.MemSwapBytes
+	kernelMemory       opts.MemBytes
+	restartPolicy      string
+	cpus               opts.NanoCPUs
+
+	nFlag int
+
+	containers []string
+}
+
+// NewUpdateCommand creates a new cobra.Command for `docker update`
+func NewUpdateCommand(dockerCli command.Cli) *cobra.Command {
+	var options updateOptions
+
+	cmd := &cobra.Command{
+		Use:   "update [OPTIONS] CONTAINER [CONTAINER...]",
+		Short: "Update configuration of one or more containers",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.containers = args
+			options.nFlag = cmd.Flags().NFlag()
+			return runUpdate(dockerCli, &options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.Uint16Var(&options.blkioWeight, "blkio-weight", 0, "Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)")
+	flags.Int64Var(&options.cpuPeriod, "cpu-period", 0, "Limit CPU CFS (Completely Fair Scheduler) period")
+	flags.Int64Var(&options.cpuQuota, "cpu-quota", 0, "Limit CPU CFS (Completely Fair Scheduler) quota")
+	flags.Int64Var(&options.cpuRealtimePeriod, "cpu-rt-period", 0, "Limit the CPU real-time period in microseconds")
+	flags.SetAnnotation("cpu-rt-period", "version", []string{"1.25"})
+	flags.Int64Var(&options.cpuRealtimeRuntime, "cpu-rt-runtime", 0, "Limit the CPU real-time runtime in microseconds")
+	flags.SetAnnotation("cpu-rt-runtime", "version", []string{"1.25"})
+	flags.StringVar(&options.cpusetCpus, "cpuset-cpus", "", "CPUs in which to allow execution (0-3, 0,1)")
+	flags.StringVar(&options.cpusetMems, "cpuset-mems", "", "MEMs in which to allow execution (0-3, 0,1)")
+	flags.Int64VarP(&options.cpuShares, "cpu-shares", "c", 0, "CPU shares (relative weight)")
+	flags.VarP(&options.memory, "memory", "m", "Memory limit")
+	flags.Var(&options.memoryReservation, "memory-reservation", "Memory soft limit")
+	flags.Var(&options.memorySwap, "memory-swap", "Swap limit equal to memory plus swap: '-1' to enable unlimited swap")
+	flags.Var(&options.kernelMemory, "kernel-memory", "Kernel memory limit")
+	flags.StringVar(&options.restartPolicy, "restart", "", "Restart policy to apply when a container exits")
+
+	flags.Var(&options.cpus, "cpus", "Number of CPUs")
+	flags.SetAnnotation("cpus", "version", []string{"1.29"})
+
+	return cmd
+}
+
+func runUpdate(dockerCli command.Cli, options *updateOptions) error {
+	var err error
+
+	if options.nFlag == 0 {
+		return errors.New("you must provide one or more flags when using this command")
+	}
+
+	var restartPolicy containertypes.RestartPolicy
+	if options.restartPolicy != "" {
+		restartPolicy, err = opts.ParseRestartPolicy(options.restartPolicy)
+		if err != nil {
+			return err
+		}
+	}
+
+	resources := containertypes.Resources{
+		BlkioWeight:        options.blkioWeight,
+		CpusetCpus:         options.cpusetCpus,
+		CpusetMems:         options.cpusetMems,
+		CPUShares:          options.cpuShares,
+		Memory:             options.memory.Value(),
+		MemoryReservation:  options.memoryReservation.Value(),
+		MemorySwap:         options.memorySwap.Value(),
+		KernelMemory:       options.kernelMemory.Value(),
+		CPUPeriod:          options.cpuPeriod,
+		CPUQuota:           options.cpuQuota,
+		CPURealtimePeriod:  options.cpuRealtimePeriod,
+		CPURealtimeRuntime: options.cpuRealtimeRuntime,
+		NanoCPUs:           options.cpus.Value(),
+	}
+
+	updateConfig := containertypes.UpdateConfig{
+		Resources:     resources,
+		RestartPolicy: restartPolicy,
+	}
+
+	ctx := context.Background()
+
+	var (
+		warns []string
+		errs  []string
+	)
+	for _, container := range options.containers {
+		r, err := dockerCli.Client().ContainerUpdate(ctx, container, updateConfig)
+		if err != nil {
+			errs = append(errs, err.Error())
+		} else {
+			fmt.Fprintln(dockerCli.Out(), container)
+		}
+		warns = append(warns, r.Warnings...)
+	}
+	if len(warns) > 0 {
+		fmt.Fprintln(dockerCli.Out(), strings.Join(warns, "\n"))
+	}
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
diff --git a/cli/cli/command/container/utils.go b/cli/cli/command/container/utils.go
new file mode 100644
index 00000000..f3292614
--- /dev/null
+++ b/cli/cli/command/container/utils.go
@@ -0,0 +1,162 @@
+package container
+
+import (
+	"context"
+	"strconv"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/sirupsen/logrus"
+)
+
+func waitExitOrRemoved(ctx context.Context, dockerCli command.Cli, containerID string, waitRemove bool) <-chan int {
+	if len(containerID) == 0 {
+		// containerID can never be empty
+		panic("Internal Error: waitExitOrRemoved needs a containerID as parameter")
+	}
+
+	// Older versions used the Events API, and even older versions did not
+	// support server-side removal. This legacyWaitExitOrRemoved method
+	// preserves that old behavior and any issues it may have.
+	if versions.LessThan(dockerCli.Client().ClientVersion(), "1.30") {
+		return legacyWaitExitOrRemoved(ctx, dockerCli, containerID, waitRemove)
+	}
+
+	condition := container.WaitConditionNextExit
+	if waitRemove {
+		condition = container.WaitConditionRemoved
+	}
+
+	resultC, errC := dockerCli.Client().ContainerWait(ctx, containerID, condition)
+
+	statusC := make(chan int)
+	go func() {
+		select {
+		case result := <-resultC:
+			if result.Error != nil {
+				logrus.Errorf("Error waiting for container: %v", result.Error.Message)
+				statusC <- 125
+			} else {
+				statusC <- int(result.StatusCode)
+			}
+		case err := <-errC:
+			logrus.Errorf("error waiting for container: %v", err)
+			statusC <- 125
+		}
+	}()
+
+	return statusC
+}
+
+func legacyWaitExitOrRemoved(ctx context.Context, dockerCli command.Cli, containerID string, waitRemove bool) <-chan int {
+	var removeErr error
+	statusChan := make(chan int)
+	exitCode := 125
+
+	// Get events via Events API
+	f := filters.NewArgs()
+	f.Add("type", "container")
+	f.Add("container", containerID)
+	options := types.EventsOptions{
+		Filters: f,
+	}
+	eventCtx, cancel := context.WithCancel(ctx)
+	eventq, errq := dockerCli.Client().Events(eventCtx, options)
+
+	eventProcessor := func(e events.Message) bool {
+		stopProcessing := false
+		switch e.Status {
+		case "die":
+			if v, ok := e.Actor.Attributes["exitCode"]; ok {
+				code, cerr := strconv.Atoi(v)
+				if cerr != nil {
+					logrus.Errorf("failed to convert exitcode '%q' to int: %v", v, cerr)
+				} else {
+					exitCode = code
+				}
+			}
+			if !waitRemove {
+				stopProcessing = true
+			} else {
+				// If we are talking to an older daemon, `AutoRemove` is not supported.
+				// We need to fall back to the old behavior, which is client-side removal
+				if versions.LessThan(dockerCli.Client().ClientVersion(), "1.25") {
+					go func() {
+						removeErr = dockerCli.Client().ContainerRemove(ctx, containerID, types.ContainerRemoveOptions{RemoveVolumes: true})
+						if removeErr != nil {
+							logrus.Errorf("error removing container: %v", removeErr)
+							cancel() // cancel the event Q
+						}
+					}()
+				}
+			}
+		case "detach":
+			exitCode = 0
+			stopProcessing = true
+		case "destroy":
+			stopProcessing = true
+		}
+		return stopProcessing
+	}
+
+	go func() {
+		defer func() {
+			statusChan <- exitCode // must always send an exit code or the caller will block
+			cancel()
+		}()
+
+		for {
+			select {
+			case <-eventCtx.Done():
+				if removeErr != nil {
+					return
+				}
+			case evt := <-eventq:
+				if eventProcessor(evt) {
+					return
+				}
+			case err := <-errq:
+				logrus.Errorf("error getting events from daemon: %v", err)
+				return
+			}
+		}
+	}()
+
+	return statusChan
+}
+
+func parallelOperation(ctx context.Context, containers []string, op func(ctx context.Context, container string) error) chan error {
+	if len(containers) == 0 {
+		return nil
+	}
+	const defaultParallel int = 50
+	sem := make(chan struct{}, defaultParallel)
+	errChan := make(chan error)
+
+	// make sure result is printed in correct order
+	output := map[string]chan error{}
+	for _, c := range containers {
+		output[c] = make(chan error, 1)
+	}
+	go func() {
+		for _, c := range containers {
+			err := <-output[c]
+			errChan <- err
+		}
+	}()
+
+	go func() {
+		for _, c := range containers {
+			sem <- struct{}{} // Wait for active queue sem to drain.
+			go func(container string) {
+				output[container] <- op(ctx, container)
+				<-sem
+			}(c)
+		}
+	}()
+	return errChan
+}
diff --git a/cli/cli/command/container/utils_test.go b/cli/cli/command/container/utils_test.go
new file mode 100644
index 00000000..970549c0
--- /dev/null
+++ b/cli/cli/command/container/utils_test.go
@@ -0,0 +1,70 @@
+package container
+
+import (
+	"context"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types/container"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func waitFn(cid string) (<-chan container.ContainerWaitOKBody, <-chan error) {
+	resC := make(chan container.ContainerWaitOKBody)
+	errC := make(chan error, 1)
+	var res container.ContainerWaitOKBody
+
+	go func() {
+		switch {
+		case strings.Contains(cid, "exit-code-42"):
+			res.StatusCode = 42
+			resC <- res
+		case strings.Contains(cid, "non-existent"):
+			err := errors.Errorf("No such container: %v", cid)
+			errC <- err
+		case strings.Contains(cid, "wait-error"):
+			res.Error = &container.ContainerWaitOKBodyError{Message: "removal failed"}
+			resC <- res
+		default:
+			// normal exit
+			resC <- res
+		}
+	}()
+
+	return resC, errC
+}
+
+func TestWaitExitOrRemoved(t *testing.T) {
+	testcases := []struct {
+		cid      string
+		exitCode int
+	}{
+		{
+			cid:      "normal-container",
+			exitCode: 0,
+		},
+		{
+			cid:      "give-me-exit-code-42",
+			exitCode: 42,
+		},
+		{
+			cid:      "i-want-a-wait-error",
+			exitCode: 125,
+		},
+		{
+			cid:      "non-existent-container-id",
+			exitCode: 125,
+		},
+	}
+
+	client := test.NewFakeCli(&fakeClient{waitFunc: waitFn, Version: api.DefaultVersion})
+	for _, testcase := range testcases {
+		statusC := waitExitOrRemoved(context.Background(), client, testcase.cid, true)
+		exitCode := <-statusC
+		assert.Check(t, is.Equal(testcase.exitCode, exitCode))
+	}
+}
diff --git a/cli/cli/command/container/wait.go b/cli/cli/command/container/wait.go
new file mode 100644
index 00000000..8602e253
--- /dev/null
+++ b/cli/cli/command/container/wait.go
@@ -0,0 +1,53 @@
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type waitOptions struct {
+	containers []string
+}
+
+// NewWaitCommand creates a new cobra.Command for `docker wait`
+func NewWaitCommand(dockerCli command.Cli) *cobra.Command {
+	var opts waitOptions
+
+	cmd := &cobra.Command{
+		Use:   "wait CONTAINER [CONTAINER...]",
+		Short: "Block until one or more containers stop, then print their exit codes",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.containers = args
+			return runWait(dockerCli, &opts)
+		},
+	}
+
+	return cmd
+}
+
+func runWait(dockerCli command.Cli, opts *waitOptions) error {
+	ctx := context.Background()
+
+	var errs []string
+	for _, container := range opts.containers {
+		resultC, errC := dockerCli.Client().ContainerWait(ctx, container, "")
+
+		select {
+		case result := <-resultC:
+			fmt.Fprintf(dockerCli.Out(), "%d\n", result.StatusCode)
+		case err := <-errC:
+			errs = append(errs, err.Error())
+		}
+	}
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
diff --git a/cli/cli/command/events_utils.go b/cli/cli/command/events_utils.go
new file mode 100644
index 00000000..16d76892
--- /dev/null
+++ b/cli/cli/command/events_utils.go
@@ -0,0 +1,47 @@
+package command
+
+import (
+	"sync"
+
+	eventtypes "github.com/docker/docker/api/types/events"
+	"github.com/sirupsen/logrus"
+)
+
+// EventHandler is abstract interface for user to customize
+// own handle functions of each type of events
+type EventHandler interface {
+	Handle(action string, h func(eventtypes.Message))
+	Watch(c <-chan eventtypes.Message)
+}
+
+// InitEventHandler initializes and returns an EventHandler
+func InitEventHandler() EventHandler {
+	return &eventHandler{handlers: make(map[string]func(eventtypes.Message))}
+}
+
+type eventHandler struct {
+	handlers map[string]func(eventtypes.Message)
+	mu       sync.Mutex
+}
+
+func (w *eventHandler) Handle(action string, h func(eventtypes.Message)) {
+	w.mu.Lock()
+	w.handlers[action] = h
+	w.mu.Unlock()
+}
+
+// Watch ranges over the passed in event chan and processes the events based on the
+// handlers created for a given action.
+// To stop watching, close the event chan.
+func (w *eventHandler) Watch(c <-chan eventtypes.Message) {
+	for e := range c {
+		w.mu.Lock()
+		h, exists := w.handlers[e.Action]
+		w.mu.Unlock()
+		if !exists {
+			continue
+		}
+		logrus.Debugf("event handler: received event: %v", e)
+		go h(e)
+	}
+}
diff --git a/cli/cli/command/formatter/checkpoint.go b/cli/cli/command/formatter/checkpoint.go
new file mode 100644
index 00000000..041fcafb
--- /dev/null
+++ b/cli/cli/command/formatter/checkpoint.go
@@ -0,0 +1,52 @@
+package formatter
+
+import "github.com/docker/docker/api/types"
+
+const (
+	defaultCheckpointFormat = "table {{.Name}}"
+
+	checkpointNameHeader = "CHECKPOINT NAME"
+)
+
+// NewCheckpointFormat returns a format for use with a checkpoint Context
+func NewCheckpointFormat(source string) Format {
+	switch source {
+	case TableFormatKey:
+		return defaultCheckpointFormat
+	}
+	return Format(source)
+}
+
+// CheckpointWrite writes formatted checkpoints using the Context
+func CheckpointWrite(ctx Context, checkpoints []types.Checkpoint) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, checkpoint := range checkpoints {
+			if err := format(&checkpointContext{c: checkpoint}); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(newCheckpointContext(), render)
+}
+
+type checkpointContext struct {
+	HeaderContext
+	c types.Checkpoint
+}
+
+func newCheckpointContext() *checkpointContext {
+	cpCtx := checkpointContext{}
+	cpCtx.header = volumeHeaderContext{
+		"Name": checkpointNameHeader,
+	}
+	return &cpCtx
+}
+
+func (c *checkpointContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *checkpointContext) Name() string {
+	return c.c.Name
+}
diff --git a/cli/cli/command/formatter/checkpoint_test.go b/cli/cli/command/formatter/checkpoint_test.go
new file mode 100644
index 00000000..9b8ac5e5
--- /dev/null
+++ b/cli/cli/command/formatter/checkpoint_test.go
@@ -0,0 +1,52 @@
+package formatter
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+)
+
+func TestCheckpointContextFormatWrite(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+		{
+			Context{Format: NewCheckpointFormat(defaultCheckpointFormat)},
+			`CHECKPOINT NAME
+checkpoint-1
+checkpoint-2
+checkpoint-3
+`,
+		},
+		{
+			Context{Format: NewCheckpointFormat("{{.Name}}")},
+			`checkpoint-1
+checkpoint-2
+checkpoint-3
+`,
+		},
+		{
+			Context{Format: NewCheckpointFormat("{{.Name}}:")},
+			`checkpoint-1:
+checkpoint-2:
+checkpoint-3:
+`,
+		},
+	}
+
+	checkpoints := []types.Checkpoint{
+		{Name: "checkpoint-1"},
+		{Name: "checkpoint-2"},
+		{Name: "checkpoint-3"},
+	}
+	for _, testcase := range cases {
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := CheckpointWrite(testcase.context, checkpoints)
+		assert.NilError(t, err)
+		assert.Equal(t, out.String(), testcase.expected)
+	}
+}
diff --git a/cli/cli/command/formatter/config.go b/cli/cli/command/formatter/config.go
new file mode 100644
index 00000000..72203f35
--- /dev/null
+++ b/cli/cli/command/formatter/config.go
@@ -0,0 +1,171 @@
+package formatter
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/docker/docker/api/types/swarm"
+	units "github.com/docker/go-units"
+)
+
+const (
+	defaultConfigTableFormat           = "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}\t{{.UpdatedAt}}"
+	configIDHeader                     = "ID"
+	configCreatedHeader                = "CREATED"
+	configUpdatedHeader                = "UPDATED"
+	configInspectPrettyTemplate Format = `ID:			{{.ID}}
+Name:			{{.Name}}
+{{- if .Labels }}
+Labels:
+{{- range $k, $v := .Labels }}
+ - {{ $k }}{{if $v }}={{ $v }}{{ end }}
+{{- end }}{{ end }}
+Created at:            	{{.CreatedAt}}
+Updated at:            	{{.UpdatedAt}}
+Data:
+{{.Data}}`
+)
+
+// NewConfigFormat returns a Format for rendering using a config Context
+func NewConfigFormat(source string, quiet bool) Format {
+	switch source {
+	case PrettyFormatKey:
+		return configInspectPrettyTemplate
+	case TableFormatKey:
+		if quiet {
+			return defaultQuietFormat
+		}
+		return defaultConfigTableFormat
+	}
+	return Format(source)
+}
+
+// ConfigWrite writes the context
+func ConfigWrite(ctx Context, configs []swarm.Config) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, config := range configs {
+			configCtx := &configContext{c: config}
+			if err := format(configCtx); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(newConfigContext(), render)
+}
+
+func newConfigContext() *configContext {
+	cCtx := &configContext{}
+
+	cCtx.header = map[string]string{
+		"ID":        configIDHeader,
+		"Name":      nameHeader,
+		"CreatedAt": configCreatedHeader,
+		"UpdatedAt": configUpdatedHeader,
+		"Labels":    labelsHeader,
+	}
+	return cCtx
+}
+
+type configContext struct {
+	HeaderContext
+	c swarm.Config
+}
+
+func (c *configContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *configContext) ID() string {
+	return c.c.ID
+}
+
+func (c *configContext) Name() string {
+	return c.c.Spec.Annotations.Name
+}
+
+func (c *configContext) CreatedAt() string {
+	return units.HumanDuration(time.Now().UTC().Sub(c.c.Meta.CreatedAt)) + " ago"
+}
+
+func (c *configContext) UpdatedAt() string {
+	return units.HumanDuration(time.Now().UTC().Sub(c.c.Meta.UpdatedAt)) + " ago"
+}
+
+func (c *configContext) Labels() string {
+	mapLabels := c.c.Spec.Annotations.Labels
+	if mapLabels == nil {
+		return ""
+	}
+	var joinLabels []string
+	for k, v := range mapLabels {
+		joinLabels = append(joinLabels, fmt.Sprintf("%s=%s", k, v))
+	}
+	return strings.Join(joinLabels, ",")
+}
+
+func (c *configContext) Label(name string) string {
+	if c.c.Spec.Annotations.Labels == nil {
+		return ""
+	}
+	return c.c.Spec.Annotations.Labels[name]
+}
+
+// ConfigInspectWrite renders the context for a list of configs
+func ConfigInspectWrite(ctx Context, refs []string, getRef inspect.GetRefFunc) error {
+	if ctx.Format != configInspectPrettyTemplate {
+		return inspect.Inspect(ctx.Output, refs, string(ctx.Format), getRef)
+	}
+	render := func(format func(subContext subContext) error) error {
+		for _, ref := range refs {
+			configI, _, err := getRef(ref)
+			if err != nil {
+				return err
+			}
+			config, ok := configI.(swarm.Config)
+			if !ok {
+				return fmt.Errorf("got wrong object to inspect :%v", ok)
+			}
+			if err := format(&configInspectContext{Config: config}); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(&configInspectContext{}, render)
+}
+
+type configInspectContext struct {
+	swarm.Config
+	subContext
+}
+
+func (ctx *configInspectContext) ID() string {
+	return ctx.Config.ID
+}
+
+func (ctx *configInspectContext) Name() string {
+	return ctx.Config.Spec.Name
+}
+
+func (ctx *configInspectContext) Labels() map[string]string {
+	return ctx.Config.Spec.Labels
+}
+
+func (ctx *configInspectContext) CreatedAt() string {
+	return command.PrettyPrint(ctx.Config.CreatedAt)
+}
+
+func (ctx *configInspectContext) UpdatedAt() string {
+	return command.PrettyPrint(ctx.Config.UpdatedAt)
+}
+
+func (ctx *configInspectContext) Data() string {
+	if ctx.Config.Spec.Data == nil {
+		return ""
+	}
+	return string(ctx.Config.Spec.Data)
+}
diff --git a/cli/cli/command/formatter/config_test.go b/cli/cli/command/formatter/config_test.go
new file mode 100644
index 00000000..7cd310c9
--- /dev/null
+++ b/cli/cli/command/formatter/config_test.go
@@ -0,0 +1,64 @@
+package formatter
+
+import (
+	"bytes"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestConfigContextFormatWrite(t *testing.T) {
+	// Check default output format (verbose and non-verbose mode) for table headers
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+		// Errors
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table format
+		{Context{Format: NewConfigFormat("table", false)},
+			`ID                  NAME                CREATED                  UPDATED
+1                   passwords           Less than a second ago   Less than a second ago
+2                   id_rsa              Less than a second ago   Less than a second ago
+`},
+		{Context{Format: NewConfigFormat("table {{.Name}}", true)},
+			`NAME
+passwords
+id_rsa
+`},
+		{Context{Format: NewConfigFormat("{{.ID}}-{{.Name}}", false)},
+			`1-passwords
+2-id_rsa
+`},
+	}
+
+	configs := []swarm.Config{
+		{ID: "1",
+			Meta: swarm.Meta{CreatedAt: time.Now(), UpdatedAt: time.Now()},
+			Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "passwords"}}},
+		{ID: "2",
+			Meta: swarm.Meta{CreatedAt: time.Now(), UpdatedAt: time.Now()},
+			Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "id_rsa"}}},
+	}
+	for _, testcase := range cases {
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		if err := ConfigWrite(testcase.context, configs); err != nil {
+			assert.ErrorContains(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(out.String(), testcase.expected))
+		}
+	}
+}
diff --git a/cli/cli/command/formatter/container.go b/cli/cli/command/formatter/container.go
new file mode 100644
index 00000000..028a9f6e
--- /dev/null
+++ b/cli/cli/command/formatter/container.go
@@ -0,0 +1,344 @@
+package formatter
+
+import (
+	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/go-units"
+)
+
+const (
+	defaultContainerTableFormat = "table {{.ID}}\t{{.Image}}\t{{.Command}}\t{{.RunningFor}}\t{{.Status}}\t{{.Ports}}\t{{.Names}}"
+
+	containerIDHeader = "CONTAINER ID"
+	namesHeader       = "NAMES"
+	commandHeader     = "COMMAND"
+	runningForHeader  = "CREATED"
+	statusHeader      = "STATUS"
+	portsHeader       = "PORTS"
+	mountsHeader      = "MOUNTS"
+	localVolumes      = "LOCAL VOLUMES"
+	networksHeader    = "NETWORKS"
+)
+
+// NewContainerFormat returns a Format for rendering using a Context
+func NewContainerFormat(source string, quiet bool, size bool) Format {
+	switch source {
+	case TableFormatKey:
+		if quiet {
+			return defaultQuietFormat
+		}
+		format := defaultContainerTableFormat
+		if size {
+			format += `\t{{.Size}}`
+		}
+		return Format(format)
+	case RawFormatKey:
+		if quiet {
+			return `container_id: {{.ID}}`
+		}
+		format := `container_id: {{.ID}}
+image: {{.Image}}
+command: {{.Command}}
+created_at: {{.CreatedAt}}
+status: {{- pad .Status 1 0}}
+names: {{.Names}}
+labels: {{- pad .Labels 1 0}}
+ports: {{- pad .Ports 1 0}}
+`
+		if size {
+			format += `size: {{.Size}}\n`
+		}
+		return Format(format)
+	}
+	return Format(source)
+}
+
+// ContainerWrite renders the context for a list of containers
+func ContainerWrite(ctx Context, containers []types.Container) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, container := range containers {
+			err := format(&containerContext{trunc: ctx.Trunc, c: container})
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(newContainerContext(), render)
+}
+
+type containerHeaderContext map[string]string
+
+func (c containerHeaderContext) Label(name string) string {
+	n := strings.Split(name, ".")
+	r := strings.NewReplacer("-", " ", "_", " ")
+	h := r.Replace(n[len(n)-1])
+
+	return h
+}
+
+type containerContext struct {
+	HeaderContext
+	trunc bool
+	c     types.Container
+}
+
+func newContainerContext() *containerContext {
+	containerCtx := containerContext{}
+	containerCtx.header = containerHeaderContext{
+		"ID":           containerIDHeader,
+		"Names":        namesHeader,
+		"Image":        imageHeader,
+		"Command":      commandHeader,
+		"CreatedAt":    createdAtHeader,
+		"RunningFor":   runningForHeader,
+		"Ports":        portsHeader,
+		"Status":       statusHeader,
+		"Size":         sizeHeader,
+		"Labels":       labelsHeader,
+		"Mounts":       mountsHeader,
+		"LocalVolumes": localVolumes,
+		"Networks":     networksHeader,
+	}
+	return &containerCtx
+}
+
+func (c *containerContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *containerContext) ID() string {
+	if c.trunc {
+		return stringid.TruncateID(c.c.ID)
+	}
+	return c.c.ID
+}
+
+func (c *containerContext) Names() string {
+	names := stripNamePrefix(c.c.Names)
+	if c.trunc {
+		for _, name := range names {
+			if len(strings.Split(name, "/")) == 1 {
+				names = []string{name}
+				break
+			}
+		}
+	}
+	return strings.Join(names, ",")
+}
+
+func (c *containerContext) Image() string {
+	if c.c.Image == "" {
+		return "<no image>"
+	}
+	if c.trunc {
+		if trunc := stringid.TruncateID(c.c.ImageID); trunc == stringid.TruncateID(c.c.Image) {
+			return trunc
+		}
+		// truncate digest if no-trunc option was not selected
+		ref, err := reference.ParseNormalizedNamed(c.c.Image)
+		if err == nil {
+			if nt, ok := ref.(reference.NamedTagged); ok {
+				// case for when a tag is provided
+				if namedTagged, err := reference.WithTag(reference.TrimNamed(nt), nt.Tag()); err == nil {
+					return reference.FamiliarString(namedTagged)
+				}
+			} else {
+				// case for when a tag is not provided
+				named := reference.TrimNamed(ref)
+				return reference.FamiliarString(named)
+			}
+		}
+	}
+
+	return c.c.Image
+}
+
+func (c *containerContext) Command() string {
+	command := c.c.Command
+	if c.trunc {
+		command = Ellipsis(command, 20)
+	}
+	return strconv.Quote(command)
+}
+
+func (c *containerContext) CreatedAt() string {
+	return time.Unix(c.c.Created, 0).String()
+}
+
+func (c *containerContext) RunningFor() string {
+	createdAt := time.Unix(c.c.Created, 0)
+	return units.HumanDuration(time.Now().UTC().Sub(createdAt)) + " ago"
+}
+
+func (c *containerContext) Ports() string {
+	return DisplayablePorts(c.c.Ports)
+}
+
+func (c *containerContext) Status() string {
+	return c.c.Status
+}
+
+func (c *containerContext) Size() string {
+	srw := units.HumanSizeWithPrecision(float64(c.c.SizeRw), 3)
+	sv := units.HumanSizeWithPrecision(float64(c.c.SizeRootFs), 3)
+
+	sf := srw
+	if c.c.SizeRootFs > 0 {
+		sf = fmt.Sprintf("%s (virtual %s)", srw, sv)
+	}
+	return sf
+}
+
+func (c *containerContext) Labels() string {
+	if c.c.Labels == nil {
+		return ""
+	}
+
+	var joinLabels []string
+	for k, v := range c.c.Labels {
+		joinLabels = append(joinLabels, fmt.Sprintf("%s=%s", k, v))
+	}
+	return strings.Join(joinLabels, ",")
+}
+
+func (c *containerContext) Label(name string) string {
+	if c.c.Labels == nil {
+		return ""
+	}
+	return c.c.Labels[name]
+}
+
+func (c *containerContext) Mounts() string {
+	var name string
+	var mounts []string
+	for _, m := range c.c.Mounts {
+		if m.Name == "" {
+			name = m.Source
+		} else {
+			name = m.Name
+		}
+		if c.trunc {
+			name = Ellipsis(name, 15)
+		}
+		mounts = append(mounts, name)
+	}
+	return strings.Join(mounts, ",")
+}
+
+func (c *containerContext) LocalVolumes() string {
+	count := 0
+	for _, m := range c.c.Mounts {
+		if m.Driver == "local" {
+			count++
+		}
+	}
+
+	return fmt.Sprintf("%d", count)
+}
+
+func (c *containerContext) Networks() string {
+	if c.c.NetworkSettings == nil {
+		return ""
+	}
+
+	networks := []string{}
+	for k := range c.c.NetworkSettings.Networks {
+		networks = append(networks, k)
+	}
+
+	return strings.Join(networks, ",")
+}
+
+// DisplayablePorts returns formatted string representing open ports of container
+// e.g. "0.0.0.0:80->9090/tcp, 9988/tcp"
+// it's used by command 'docker ps'
+func DisplayablePorts(ports []types.Port) string {
+	type portGroup struct {
+		first uint16
+		last  uint16
+	}
+	groupMap := make(map[string]*portGroup)
+	var result []string
+	var hostMappings []string
+	var groupMapKeys []string
+	sort.Sort(byPortInfo(ports))
+	for _, port := range ports {
+		current := port.PrivatePort
+		portKey := port.Type
+		if port.IP != "" {
+			if port.PublicPort != current {
+				hostMappings = append(hostMappings, fmt.Sprintf("%s:%d->%d/%s", port.IP, port.PublicPort, port.PrivatePort, port.Type))
+				continue
+			}
+			portKey = fmt.Sprintf("%s/%s", port.IP, port.Type)
+		}
+		group := groupMap[portKey]
+
+		if group == nil {
+			groupMap[portKey] = &portGroup{first: current, last: current}
+			// record order that groupMap keys are created
+			groupMapKeys = append(groupMapKeys, portKey)
+			continue
+		}
+		if current == (group.last + 1) {
+			group.last = current
+			continue
+		}
+
+		result = append(result, formGroup(portKey, group.first, group.last))
+		groupMap[portKey] = &portGroup{first: current, last: current}
+	}
+	for _, portKey := range groupMapKeys {
+		g := groupMap[portKey]
+		result = append(result, formGroup(portKey, g.first, g.last))
+	}
+	result = append(result, hostMappings...)
+	return strings.Join(result, ", ")
+}
+
+func formGroup(key string, start, last uint16) string {
+	parts := strings.Split(key, "/")
+	groupType := parts[0]
+	var ip string
+	if len(parts) > 1 {
+		ip = parts[0]
+		groupType = parts[1]
+	}
+	group := strconv.Itoa(int(start))
+	if start != last {
+		group = fmt.Sprintf("%s-%d", group, last)
+	}
+	if ip != "" {
+		group = fmt.Sprintf("%s:%s->%s", ip, group, group)
+	}
+	return fmt.Sprintf("%s/%s", group, groupType)
+}
+
+// byPortInfo is a temporary type used to sort types.Port by its fields
+type byPortInfo []types.Port
+
+func (r byPortInfo) Len() int      { return len(r) }
+func (r byPortInfo) Swap(i, j int) { r[i], r[j] = r[j], r[i] }
+func (r byPortInfo) Less(i, j int) bool {
+	if r[i].PrivatePort != r[j].PrivatePort {
+		return r[i].PrivatePort < r[j].PrivatePort
+	}
+
+	if r[i].IP != r[j].IP {
+		return r[i].IP < r[j].IP
+	}
+
+	if r[i].PublicPort != r[j].PublicPort {
+		return r[i].PublicPort < r[j].PublicPort
+	}
+
+	return r[i].Type < r[j].Type
+}
diff --git a/cli/cli/command/formatter/container_test.go b/cli/cli/command/formatter/container_test.go
new file mode 100644
index 00000000..cafb9abd
--- /dev/null
+++ b/cli/cli/command/formatter/container_test.go
@@ -0,0 +1,658 @@
+package formatter
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestContainerPsContext(t *testing.T) {
+	containerID := stringid.GenerateRandomID()
+	unix := time.Now().Add(-65 * time.Second).Unix()
+
+	var ctx containerContext
+	cases := []struct {
+		container types.Container
+		trunc     bool
+		expValue  string
+		call      func() string
+	}{
+		{types.Container{ID: containerID}, true, stringid.TruncateID(containerID), ctx.ID},
+		{types.Container{ID: containerID}, false, containerID, ctx.ID},
+		{types.Container{Names: []string{"/foobar_baz"}}, true, "foobar_baz", ctx.Names},
+		{types.Container{Image: "ubuntu"}, true, "ubuntu", ctx.Image},
+		{types.Container{Image: "verylongimagename"}, true, "verylongimagename", ctx.Image},
+		{types.Container{Image: "verylongimagename"}, false, "verylongimagename", ctx.Image},
+		{types.Container{
+			Image:   "a5a665ff33eced1e0803148700880edab4",
+			ImageID: "a5a665ff33eced1e0803148700880edab4269067ed77e27737a708d0d293fbf5",
+		},
+			true,
+			"a5a665ff33ec",
+			ctx.Image,
+		},
+		{types.Container{
+			Image:   "a5a665ff33eced1e0803148700880edab4",
+			ImageID: "a5a665ff33eced1e0803148700880edab4269067ed77e27737a708d0d293fbf5",
+		},
+			false,
+			"a5a665ff33eced1e0803148700880edab4",
+			ctx.Image,
+		},
+		{types.Container{Image: ""}, true, "<no image>", ctx.Image},
+		{types.Container{Command: "sh -c 'ls -la'"}, true, `"sh -c 'ls -la'"`, ctx.Command},
+		{types.Container{Created: unix}, true, time.Unix(unix, 0).String(), ctx.CreatedAt},
+		{types.Container{Ports: []types.Port{{PrivatePort: 8080, PublicPort: 8080, Type: "tcp"}}}, true, "8080/tcp", ctx.Ports},
+		{types.Container{Status: "RUNNING"}, true, "RUNNING", ctx.Status},
+		{types.Container{SizeRw: 10}, true, "10B", ctx.Size},
+		{types.Container{SizeRw: 10, SizeRootFs: 20}, true, "10B (virtual 20B)", ctx.Size},
+		{types.Container{}, true, "", ctx.Labels},
+		{types.Container{Labels: map[string]string{"cpu": "6", "storage": "ssd"}}, true, "cpu=6,storage=ssd", ctx.Labels},
+		{types.Container{Created: unix}, true, "About a minute ago", ctx.RunningFor},
+		{types.Container{
+			Mounts: []types.MountPoint{
+				{
+					Name:   "this-is-a-long-volume-name-and-will-be-truncated-if-trunc-is-set",
+					Driver: "local",
+					Source: "/a/path",
+				},
+			},
+		}, true, "this-is-a-long…", ctx.Mounts},
+		{types.Container{
+			Mounts: []types.MountPoint{
+				{
+					Driver: "local",
+					Source: "/a/path",
+				},
+			},
+		}, false, "/a/path", ctx.Mounts},
+		{types.Container{
+			Mounts: []types.MountPoint{
+				{
+					Name:   "733908409c91817de8e92b0096373245f329f19a88e2c849f02460e9b3d1c203",
+					Driver: "local",
+					Source: "/a/path",
+				},
+			},
+		}, false, "733908409c91817de8e92b0096373245f329f19a88e2c849f02460e9b3d1c203", ctx.Mounts},
+	}
+
+	for _, c := range cases {
+		ctx = containerContext{c: c.container, trunc: c.trunc}
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+
+	c1 := types.Container{Labels: map[string]string{"com.docker.swarm.swarm-id": "33", "com.docker.swarm.node_name": "ubuntu"}}
+	ctx = containerContext{c: c1, trunc: true}
+
+	sid := ctx.Label("com.docker.swarm.swarm-id")
+	node := ctx.Label("com.docker.swarm.node_name")
+	if sid != "33" {
+		t.Fatalf("Expected 33, was %s\n", sid)
+	}
+
+	if node != "ubuntu" {
+		t.Fatalf("Expected ubuntu, was %s\n", node)
+	}
+
+	c2 := types.Container{}
+	ctx = containerContext{c: c2, trunc: true}
+
+	label := ctx.Label("anything.really")
+	if label != "" {
+		t.Fatalf("Expected an empty string, was %s", label)
+	}
+}
+
+func TestContainerContextWrite(t *testing.T) {
+	unixTime := time.Now().AddDate(0, 0, -1).Unix()
+	expectedTime := time.Unix(unixTime, 0).String()
+
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+		// Errors
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table Format
+		{
+			Context{Format: NewContainerFormat("table", false, true)},
+			`CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES               SIZE
+containerID1        ubuntu              ""                  24 hours ago                                                foobar_baz          0B
+containerID2        ubuntu              ""                  24 hours ago                                                foobar_bar          0B
+`,
+		},
+		{
+			Context{Format: NewContainerFormat("table", false, false)},
+			`CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+containerID1        ubuntu              ""                  24 hours ago                                                foobar_baz
+containerID2        ubuntu              ""                  24 hours ago                                                foobar_bar
+`,
+		},
+		{
+			Context{Format: NewContainerFormat("table {{.Image}}", false, false)},
+			"IMAGE\nubuntu\nubuntu\n",
+		},
+		{
+			Context{Format: NewContainerFormat("table {{.Image}}", false, true)},
+			"IMAGE\nubuntu\nubuntu\n",
+		},
+		{
+			Context{Format: NewContainerFormat("table {{.Image}}", true, false)},
+			"IMAGE\nubuntu\nubuntu\n",
+		},
+		{
+			Context{Format: NewContainerFormat("table", true, false)},
+			"containerID1\ncontainerID2\n",
+		},
+		// Raw Format
+		{
+			Context{Format: NewContainerFormat("raw", false, false)},
+			fmt.Sprintf(`container_id: containerID1
+image: ubuntu
+command: ""
+created_at: %s
+status:
+names: foobar_baz
+labels:
+ports:
+
+container_id: containerID2
+image: ubuntu
+command: ""
+created_at: %s
+status:
+names: foobar_bar
+labels:
+ports:
+
+`, expectedTime, expectedTime),
+		},
+		{
+			Context{Format: NewContainerFormat("raw", false, true)},
+			fmt.Sprintf(`container_id: containerID1
+image: ubuntu
+command: ""
+created_at: %s
+status:
+names: foobar_baz
+labels:
+ports:
+size: 0B
+
+container_id: containerID2
+image: ubuntu
+command: ""
+created_at: %s
+status:
+names: foobar_bar
+labels:
+ports:
+size: 0B
+
+`, expectedTime, expectedTime),
+		},
+		{
+			Context{Format: NewContainerFormat("raw", true, false)},
+			"container_id: containerID1\ncontainer_id: containerID2\n",
+		},
+		// Custom Format
+		{
+			Context{Format: "{{.Image}}"},
+			"ubuntu\nubuntu\n",
+		},
+		{
+			Context{Format: NewContainerFormat("{{.Image}}", false, true)},
+			"ubuntu\nubuntu\n",
+		},
+		// Special headers for customized table format
+		{
+			Context{Format: NewContainerFormat(`table {{truncate .ID 5}}\t{{json .Image}} {{.RunningFor}}/{{title .Status}}/{{pad .Ports 2 2}}.{{upper .Names}} {{lower .Status}}`, false, true)},
+			string(golden.Get(t, "container-context-write-special-headers.golden")),
+		},
+	}
+
+	for _, testcase := range cases {
+		containers := []types.Container{
+			{ID: "containerID1", Names: []string{"/foobar_baz"}, Image: "ubuntu", Created: unixTime},
+			{ID: "containerID2", Names: []string{"/foobar_bar"}, Image: "ubuntu", Created: unixTime},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := ContainerWrite(testcase.context, containers)
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
+
+func TestContainerContextWriteWithNoContainers(t *testing.T) {
+	out := bytes.NewBufferString("")
+	containers := []types.Container{}
+
+	contexts := []struct {
+		context  Context
+		expected string
+	}{
+		{
+			Context{
+				Format: "{{.Image}}",
+				Output: out,
+			},
+			"",
+		},
+		{
+			Context{
+				Format: "table {{.Image}}",
+				Output: out,
+			},
+			"IMAGE\n",
+		},
+		{
+			Context{
+				Format: NewContainerFormat("{{.Image}}", false, true),
+				Output: out,
+			},
+			"",
+		},
+		{
+			Context{
+				Format: NewContainerFormat("table {{.Image}}", false, true),
+				Output: out,
+			},
+			"IMAGE\n",
+		},
+		{
+			Context{
+				Format: "table {{.Image}}\t{{.Size}}",
+				Output: out,
+			},
+			"IMAGE               SIZE\n",
+		},
+		{
+			Context{
+				Format: NewContainerFormat("table {{.Image}}\t{{.Size}}", false, true),
+				Output: out,
+			},
+			"IMAGE               SIZE\n",
+		},
+	}
+
+	for _, context := range contexts {
+		ContainerWrite(context.context, containers)
+		assert.Check(t, is.Equal(context.expected, out.String()))
+		// Clean buffer
+		out.Reset()
+	}
+}
+
+func TestContainerContextWriteJSON(t *testing.T) {
+	unix := time.Now().Add(-65 * time.Second).Unix()
+	containers := []types.Container{
+		{ID: "containerID1", Names: []string{"/foobar_baz"}, Image: "ubuntu", Created: unix},
+		{ID: "containerID2", Names: []string{"/foobar_bar"}, Image: "ubuntu", Created: unix},
+	}
+	expectedCreated := time.Unix(unix, 0).String()
+	expectedJSONs := []map[string]interface{}{
+		{
+			"Command":      "\"\"",
+			"CreatedAt":    expectedCreated,
+			"ID":           "containerID1",
+			"Image":        "ubuntu",
+			"Labels":       "",
+			"LocalVolumes": "0",
+			"Mounts":       "",
+			"Names":        "foobar_baz",
+			"Networks":     "",
+			"Ports":        "",
+			"RunningFor":   "About a minute ago",
+			"Size":         "0B",
+			"Status":       "",
+		},
+		{
+			"Command":      "\"\"",
+			"CreatedAt":    expectedCreated,
+			"ID":           "containerID2",
+			"Image":        "ubuntu",
+			"Labels":       "",
+			"LocalVolumes": "0",
+			"Mounts":       "",
+			"Names":        "foobar_bar",
+			"Networks":     "",
+			"Ports":        "",
+			"RunningFor":   "About a minute ago",
+			"Size":         "0B",
+			"Status":       "",
+		},
+	}
+	out := bytes.NewBufferString("")
+	err := ContainerWrite(Context{Format: "{{json .}}", Output: out}, containers)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		msg := fmt.Sprintf("Output: line %d: %s", i, line)
+		var m map[string]interface{}
+		err := json.Unmarshal([]byte(line), &m)
+		assert.NilError(t, err, msg)
+		assert.Check(t, is.DeepEqual(expectedJSONs[i], m), msg)
+	}
+}
+
+func TestContainerContextWriteJSONField(t *testing.T) {
+	containers := []types.Container{
+		{ID: "containerID1", Names: []string{"/foobar_baz"}, Image: "ubuntu"},
+		{ID: "containerID2", Names: []string{"/foobar_bar"}, Image: "ubuntu"},
+	}
+	out := bytes.NewBufferString("")
+	err := ContainerWrite(Context{Format: "{{json .ID}}", Output: out}, containers)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		msg := fmt.Sprintf("Output: line %d: %s", i, line)
+		var s string
+		err := json.Unmarshal([]byte(line), &s)
+		assert.NilError(t, err, msg)
+		assert.Check(t, is.Equal(containers[i].ID, s), msg)
+	}
+}
+
+func TestContainerBackCompat(t *testing.T) {
+	containers := []types.Container{{ID: "brewhaha"}}
+	cases := []string{
+		"ID",
+		"Names",
+		"Image",
+		"Command",
+		"CreatedAt",
+		"RunningFor",
+		"Ports",
+		"Status",
+		"Size",
+		"Labels",
+		"Mounts",
+	}
+	buf := bytes.NewBuffer(nil)
+	for _, c := range cases {
+		ctx := Context{Format: Format(fmt.Sprintf("{{ .%s }}", c)), Output: buf}
+		if err := ContainerWrite(ctx, containers); err != nil {
+			t.Logf("could not render template for field '%s': %v", c, err)
+			t.Fail()
+		}
+		buf.Reset()
+	}
+}
+
+type ports struct {
+	ports    []types.Port
+	expected string
+}
+
+// nolint: lll
+func TestDisplayablePorts(t *testing.T) {
+	cases := []ports{
+		{
+			[]types.Port{
+				{
+					PrivatePort: 9988,
+					Type:        "tcp",
+				},
+			},
+			"9988/tcp"},
+		{
+			[]types.Port{
+				{
+					PrivatePort: 9988,
+					Type:        "udp",
+				},
+			},
+			"9988/udp",
+		},
+		{
+			[]types.Port{
+				{
+					IP:          "0.0.0.0",
+					PrivatePort: 9988,
+					Type:        "tcp",
+				},
+			},
+			"0.0.0.0:0->9988/tcp",
+		},
+		{
+			[]types.Port{
+				{
+					PrivatePort: 9988,
+					PublicPort:  8899,
+					Type:        "tcp",
+				},
+			},
+			"9988/tcp",
+		},
+		{
+			[]types.Port{
+				{
+					IP:          "4.3.2.1",
+					PrivatePort: 9988,
+					PublicPort:  8899,
+					Type:        "tcp",
+				},
+			},
+			"4.3.2.1:8899->9988/tcp",
+		},
+		{
+			[]types.Port{
+				{
+					IP:          "4.3.2.1",
+					PrivatePort: 9988,
+					PublicPort:  9988,
+					Type:        "tcp",
+				},
+			},
+			"4.3.2.1:9988->9988/tcp",
+		},
+		{
+			[]types.Port{
+				{
+					PrivatePort: 9988,
+					Type:        "udp",
+				}, {
+					PrivatePort: 9988,
+					Type:        "udp",
+				},
+			},
+			"9988/udp, 9988/udp",
+		},
+		{
+			[]types.Port{
+				{
+					IP:          "1.2.3.4",
+					PublicPort:  9998,
+					PrivatePort: 9998,
+					Type:        "udp",
+				}, {
+					IP:          "1.2.3.4",
+					PublicPort:  9999,
+					PrivatePort: 9999,
+					Type:        "udp",
+				},
+			},
+			"1.2.3.4:9998-9999->9998-9999/udp",
+		},
+		{
+			[]types.Port{
+				{
+					IP:          "1.2.3.4",
+					PublicPort:  8887,
+					PrivatePort: 9998,
+					Type:        "udp",
+				}, {
+					IP:          "1.2.3.4",
+					PublicPort:  8888,
+					PrivatePort: 9999,
+					Type:        "udp",
+				},
+			},
+			"1.2.3.4:8887->9998/udp, 1.2.3.4:8888->9999/udp",
+		},
+		{
+			[]types.Port{
+				{
+					PrivatePort: 9998,
+					Type:        "udp",
+				}, {
+					PrivatePort: 9999,
+					Type:        "udp",
+				},
+			},
+			"9998-9999/udp",
+		},
+		{
+			[]types.Port{
+				{
+					IP:          "1.2.3.4",
+					PrivatePort: 6677,
+					PublicPort:  7766,
+					Type:        "tcp",
+				}, {
+					PrivatePort: 9988,
+					PublicPort:  8899,
+					Type:        "udp",
+				},
+			},
+			"9988/udp, 1.2.3.4:7766->6677/tcp",
+		},
+		{
+			[]types.Port{
+				{
+					IP:          "1.2.3.4",
+					PrivatePort: 9988,
+					PublicPort:  8899,
+					Type:        "udp",
+				}, {
+					IP:          "1.2.3.4",
+					PrivatePort: 9988,
+					PublicPort:  8899,
+					Type:        "tcp",
+				}, {
+					IP:          "4.3.2.1",
+					PrivatePort: 2233,
+					PublicPort:  3322,
+					Type:        "tcp",
+				},
+			},
+			"4.3.2.1:3322->2233/tcp, 1.2.3.4:8899->9988/tcp, 1.2.3.4:8899->9988/udp",
+		},
+		{
+			[]types.Port{
+				{
+					PrivatePort: 9988,
+					PublicPort:  8899,
+					Type:        "udp",
+				}, {
+					IP:          "1.2.3.4",
+					PrivatePort: 6677,
+					PublicPort:  7766,
+					Type:        "tcp",
+				}, {
+					IP:          "4.3.2.1",
+					PrivatePort: 2233,
+					PublicPort:  3322,
+					Type:        "tcp",
+				},
+			},
+			"9988/udp, 4.3.2.1:3322->2233/tcp, 1.2.3.4:7766->6677/tcp",
+		},
+		{
+			[]types.Port{
+				{
+					PrivatePort: 80,
+					Type:        "tcp",
+				}, {
+					PrivatePort: 1024,
+					Type:        "tcp",
+				}, {
+					PrivatePort: 80,
+					Type:        "udp",
+				}, {
+					PrivatePort: 1024,
+					Type:        "udp",
+				}, {
+					IP:          "1.1.1.1",
+					PublicPort:  80,
+					PrivatePort: 1024,
+					Type:        "tcp",
+				}, {
+					IP:          "1.1.1.1",
+					PublicPort:  80,
+					PrivatePort: 1024,
+					Type:        "udp",
+				}, {
+					IP:          "1.1.1.1",
+					PublicPort:  1024,
+					PrivatePort: 80,
+					Type:        "tcp",
+				}, {
+					IP:          "1.1.1.1",
+					PublicPort:  1024,
+					PrivatePort: 80,
+					Type:        "udp",
+				}, {
+					IP:          "2.1.1.1",
+					PublicPort:  80,
+					PrivatePort: 1024,
+					Type:        "tcp",
+				}, {
+					IP:          "2.1.1.1",
+					PublicPort:  80,
+					PrivatePort: 1024,
+					Type:        "udp",
+				}, {
+					IP:          "2.1.1.1",
+					PublicPort:  1024,
+					PrivatePort: 80,
+					Type:        "tcp",
+				}, {
+					IP:          "2.1.1.1",
+					PublicPort:  1024,
+					PrivatePort: 80,
+					Type:        "udp",
+				}, {
+					PrivatePort: 12345,
+					Type:        "sctp",
+				},
+			},
+			"80/tcp, 80/udp, 1024/tcp, 1024/udp, 12345/sctp, 1.1.1.1:1024->80/tcp, 1.1.1.1:1024->80/udp, 2.1.1.1:1024->80/tcp, 2.1.1.1:1024->80/udp, 1.1.1.1:80->1024/tcp, 1.1.1.1:80->1024/udp, 2.1.1.1:80->1024/tcp, 2.1.1.1:80->1024/udp",
+		},
+	}
+
+	for _, port := range cases {
+		actual := DisplayablePorts(port.ports)
+		assert.Check(t, is.Equal(port.expected, actual))
+	}
+}
diff --git a/cli/cli/command/formatter/custom.go b/cli/cli/command/formatter/custom.go
new file mode 100644
index 00000000..73487f63
--- /dev/null
+++ b/cli/cli/command/formatter/custom.go
@@ -0,0 +1,35 @@
+package formatter
+
+const (
+	imageHeader        = "IMAGE"
+	createdSinceHeader = "CREATED"
+	createdAtHeader    = "CREATED AT"
+	sizeHeader         = "SIZE"
+	labelsHeader       = "LABELS"
+	nameHeader         = "NAME"
+	driverHeader       = "DRIVER"
+	scopeHeader        = "SCOPE"
+)
+
+type subContext interface {
+	FullHeader() interface{}
+}
+
+// HeaderContext provides the subContext interface for managing headers
+type HeaderContext struct {
+	header interface{}
+}
+
+// FullHeader returns the header as an interface
+func (c *HeaderContext) FullHeader() interface{} {
+	return c.header
+}
+
+func stripNamePrefix(ss []string) []string {
+	sss := make([]string, len(ss))
+	for i, s := range ss {
+		sss[i] = s[1:]
+	}
+
+	return sss
+}
diff --git a/cli/cli/command/formatter/custom_test.go b/cli/cli/command/formatter/custom_test.go
new file mode 100644
index 00000000..6a4bfec7
--- /dev/null
+++ b/cli/cli/command/formatter/custom_test.go
@@ -0,0 +1,28 @@
+package formatter
+
+import (
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func compareMultipleValues(t *testing.T, value, expected string) {
+	// comma-separated values means probably a map input, which won't
+	// be guaranteed to have the same order as our expected value
+	// We'll create maps and use reflect.DeepEquals to check instead:
+	entriesMap := make(map[string]string)
+	expMap := make(map[string]string)
+	entries := strings.Split(value, ",")
+	expectedEntries := strings.Split(expected, ",")
+	for _, entry := range entries {
+		keyval := strings.Split(entry, "=")
+		entriesMap[keyval[0]] = keyval[1]
+	}
+	for _, expected := range expectedEntries {
+		keyval := strings.Split(expected, "=")
+		expMap[keyval[0]] = keyval[1]
+	}
+	assert.Check(t, is.DeepEqual(expMap, entriesMap))
+}
diff --git a/cli/cli/command/formatter/diff.go b/cli/cli/command/formatter/diff.go
new file mode 100644
index 00000000..9b468193
--- /dev/null
+++ b/cli/cli/command/formatter/diff.go
@@ -0,0 +1,72 @@
+package formatter
+
+import (
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/archive"
+)
+
+const (
+	defaultDiffTableFormat = "table {{.Type}}\t{{.Path}}"
+
+	changeTypeHeader = "CHANGE TYPE"
+	pathHeader       = "PATH"
+)
+
+// NewDiffFormat returns a format for use with a diff Context
+func NewDiffFormat(source string) Format {
+	switch source {
+	case TableFormatKey:
+		return defaultDiffTableFormat
+	}
+	return Format(source)
+}
+
+// DiffWrite writes formatted diff using the Context
+func DiffWrite(ctx Context, changes []container.ContainerChangeResponseItem) error {
+
+	render := func(format func(subContext subContext) error) error {
+		for _, change := range changes {
+			if err := format(&diffContext{c: change}); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(newDiffContext(), render)
+}
+
+type diffContext struct {
+	HeaderContext
+	c container.ContainerChangeResponseItem
+}
+
+func newDiffContext() *diffContext {
+	diffCtx := diffContext{}
+	diffCtx.header = map[string]string{
+		"Type": changeTypeHeader,
+		"Path": pathHeader,
+	}
+	return &diffCtx
+}
+
+func (d *diffContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(d)
+}
+
+func (d *diffContext) Type() string {
+	var kind string
+	switch d.c.Kind {
+	case archive.ChangeModify:
+		kind = "C"
+	case archive.ChangeAdd:
+		kind = "A"
+	case archive.ChangeDelete:
+		kind = "D"
+	}
+	return kind
+
+}
+
+func (d *diffContext) Path() string {
+	return d.c.Path
+}
diff --git a/cli/cli/command/formatter/diff_test.go b/cli/cli/command/formatter/diff_test.go
new file mode 100644
index 00000000..aad59450
--- /dev/null
+++ b/cli/cli/command/formatter/diff_test.go
@@ -0,0 +1,60 @@
+package formatter
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/archive"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestDiffContextFormatWrite(t *testing.T) {
+	// Check default output format (verbose and non-verbose mode) for table headers
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+		{
+			Context{Format: NewDiffFormat("table")},
+			`CHANGE TYPE         PATH
+C                   /var/log/app.log
+A                   /usr/app/app.js
+D                   /usr/app/old_app.js
+`,
+		},
+		{
+			Context{Format: NewDiffFormat("table {{.Path}}")},
+			`PATH
+/var/log/app.log
+/usr/app/app.js
+/usr/app/old_app.js
+`,
+		},
+		{
+			Context{Format: NewDiffFormat("{{.Type}}: {{.Path}}")},
+			`C: /var/log/app.log
+A: /usr/app/app.js
+D: /usr/app/old_app.js
+`,
+		},
+	}
+
+	diffs := []container.ContainerChangeResponseItem{
+		{Kind: archive.ChangeModify, Path: "/var/log/app.log"},
+		{Kind: archive.ChangeAdd, Path: "/usr/app/app.js"},
+		{Kind: archive.ChangeDelete, Path: "/usr/app/old_app.js"},
+	}
+
+	for _, testcase := range cases {
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := DiffWrite(testcase.context, diffs)
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
diff --git a/cli/cli/command/formatter/disk_usage.go b/cli/cli/command/formatter/disk_usage.go
new file mode 100644
index 00000000..d6389a14
--- /dev/null
+++ b/cli/cli/command/formatter/disk_usage.go
@@ -0,0 +1,425 @@
+package formatter
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"text/template"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	units "github.com/docker/go-units"
+)
+
+const (
+	defaultDiskUsageImageTableFormat     = "table {{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.CreatedSince}} ago\t{{.VirtualSize}}\t{{.SharedSize}}\t{{.UniqueSize}}\t{{.Containers}}"
+	defaultDiskUsageContainerTableFormat = "table {{.ID}}\t{{.Image}}\t{{.Command}}\t{{.LocalVolumes}}\t{{.Size}}\t{{.RunningFor}} ago\t{{.Status}}\t{{.Names}}"
+	defaultDiskUsageVolumeTableFormat    = "table {{.Name}}\t{{.Links}}\t{{.Size}}"
+	defaultDiskUsageTableFormat          = "table {{.Type}}\t{{.TotalCount}}\t{{.Active}}\t{{.Size}}\t{{.Reclaimable}}"
+	defaultBuildCacheVerboseFormat       = `
+ID: {{.ID}}
+Description: {{.Description}}
+Mutable: {{.Mutable}}
+Size: {{.Size}}
+CreatedAt: {{.CreatedAt}}
+LastUsedAt: {{.LastUsedAt}}
+UsageCount: {{.UsageCount}}
+`
+
+	typeHeader        = "TYPE"
+	totalHeader       = "TOTAL"
+	activeHeader      = "ACTIVE"
+	reclaimableHeader = "RECLAIMABLE"
+	containersHeader  = "CONTAINERS"
+	sharedSizeHeader  = "SHARED SIZE"
+	uniqueSizeHeader  = "UNIQUE SiZE"
+)
+
+// DiskUsageContext contains disk usage specific information required by the formatter, encapsulate a Context struct.
+type DiskUsageContext struct {
+	Context
+	Verbose     bool
+	LayersSize  int64
+	Images      []*types.ImageSummary
+	Containers  []*types.Container
+	Volumes     []*types.Volume
+	BuildCache  []*types.BuildCache
+	BuilderSize int64
+}
+
+func (ctx *DiskUsageContext) startSubsection(format string) (*template.Template, error) {
+	ctx.buffer = bytes.NewBufferString("")
+	ctx.header = ""
+	ctx.Format = Format(format)
+	ctx.preFormat()
+
+	return ctx.parseFormat()
+}
+
+//
+// NewDiskUsageFormat returns a format for rendering an DiskUsageContext
+func NewDiskUsageFormat(source string) Format {
+	switch source {
+	case TableFormatKey:
+		format := defaultDiskUsageTableFormat
+		return Format(format)
+	case RawFormatKey:
+		format := `type: {{.Type}}
+total: {{.TotalCount}}
+active: {{.Active}}
+size: {{.Size}}
+reclaimable: {{.Reclaimable}}
+`
+		return Format(format)
+	}
+	return Format(source)
+}
+
+func (ctx *DiskUsageContext) Write() (err error) {
+	if ctx.Verbose {
+		return ctx.verboseWrite()
+	}
+	ctx.buffer = bytes.NewBufferString("")
+	ctx.preFormat()
+
+	tmpl, err := ctx.parseFormat()
+	if err != nil {
+		return err
+	}
+
+	err = ctx.contextFormat(tmpl, &diskUsageImagesContext{
+		totalSize: ctx.LayersSize,
+		images:    ctx.Images,
+	})
+	if err != nil {
+		return err
+	}
+	err = ctx.contextFormat(tmpl, &diskUsageContainersContext{
+		containers: ctx.Containers,
+	})
+	if err != nil {
+		return err
+	}
+
+	err = ctx.contextFormat(tmpl, &diskUsageVolumesContext{
+		volumes: ctx.Volumes,
+	})
+	if err != nil {
+		return err
+	}
+
+	err = ctx.contextFormat(tmpl, &diskUsageBuilderContext{
+		builderSize: ctx.BuilderSize,
+		buildCache:  ctx.BuildCache,
+	})
+	if err != nil {
+		return err
+	}
+
+	diskUsageContainersCtx := diskUsageContainersContext{containers: []*types.Container{}}
+	diskUsageContainersCtx.header = map[string]string{
+		"Type":        typeHeader,
+		"TotalCount":  totalHeader,
+		"Active":      activeHeader,
+		"Size":        sizeHeader,
+		"Reclaimable": reclaimableHeader,
+	}
+	ctx.postFormat(tmpl, &diskUsageContainersCtx)
+
+	return err
+}
+
+func (ctx *DiskUsageContext) verboseWrite() error {
+	// First images
+	tmpl, err := ctx.startSubsection(defaultDiskUsageImageTableFormat)
+	if err != nil {
+		return err
+	}
+
+	ctx.Output.Write([]byte("Images space usage:\n\n"))
+	for _, i := range ctx.Images {
+		repo := "<none>"
+		tag := "<none>"
+		if len(i.RepoTags) > 0 && !isDangling(*i) {
+			// Only show the first tag
+			ref, err := reference.ParseNormalizedNamed(i.RepoTags[0])
+			if err != nil {
+				continue
+			}
+			if nt, ok := ref.(reference.NamedTagged); ok {
+				repo = reference.FamiliarName(ref)
+				tag = nt.Tag()
+			}
+		}
+
+		err := ctx.contextFormat(tmpl, &imageContext{
+			repo:  repo,
+			tag:   tag,
+			trunc: true,
+			i:     *i,
+		})
+		if err != nil {
+			return err
+		}
+	}
+	ctx.postFormat(tmpl, newImageContext())
+
+	// Now containers
+	ctx.Output.Write([]byte("\nContainers space usage:\n\n"))
+	tmpl, err = ctx.startSubsection(defaultDiskUsageContainerTableFormat)
+	if err != nil {
+		return err
+	}
+	for _, c := range ctx.Containers {
+		// Don't display the virtual size
+		c.SizeRootFs = 0
+		err := ctx.contextFormat(tmpl, &containerContext{trunc: true, c: *c})
+		if err != nil {
+			return err
+		}
+	}
+	ctx.postFormat(tmpl, newContainerContext())
+
+	// And volumes
+	ctx.Output.Write([]byte("\nLocal Volumes space usage:\n\n"))
+	tmpl, err = ctx.startSubsection(defaultDiskUsageVolumeTableFormat)
+	if err != nil {
+		return err
+	}
+	for _, v := range ctx.Volumes {
+		if err := ctx.contextFormat(tmpl, &volumeContext{v: *v}); err != nil {
+			return err
+		}
+	}
+	ctx.postFormat(tmpl, newVolumeContext())
+
+	// And build cache
+	fmt.Fprintf(ctx.Output, "\nBuild cache usage: %s\n\n", units.HumanSize(float64(ctx.BuilderSize)))
+
+	t := template.Must(template.New("buildcache").Parse(defaultBuildCacheVerboseFormat))
+
+	for _, v := range ctx.BuildCache {
+		t.Execute(ctx.Output, *v)
+	}
+
+	return nil
+}
+
+type diskUsageImagesContext struct {
+	HeaderContext
+	totalSize int64
+	images    []*types.ImageSummary
+}
+
+func (c *diskUsageImagesContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *diskUsageImagesContext) Type() string {
+	return "Images"
+}
+
+func (c *diskUsageImagesContext) TotalCount() string {
+	return fmt.Sprintf("%d", len(c.images))
+}
+
+func (c *diskUsageImagesContext) Active() string {
+	used := 0
+	for _, i := range c.images {
+		if i.Containers > 0 {
+			used++
+		}
+	}
+
+	return fmt.Sprintf("%d", used)
+}
+
+func (c *diskUsageImagesContext) Size() string {
+	return units.HumanSize(float64(c.totalSize))
+
+}
+
+func (c *diskUsageImagesContext) Reclaimable() string {
+	var used int64
+
+	for _, i := range c.images {
+		if i.Containers != 0 {
+			if i.VirtualSize == -1 || i.SharedSize == -1 {
+				continue
+			}
+			used += i.VirtualSize - i.SharedSize
+		}
+	}
+
+	reclaimable := c.totalSize - used
+	if c.totalSize > 0 {
+		return fmt.Sprintf("%s (%v%%)", units.HumanSize(float64(reclaimable)), (reclaimable*100)/c.totalSize)
+	}
+	return units.HumanSize(float64(reclaimable))
+}
+
+type diskUsageContainersContext struct {
+	HeaderContext
+	containers []*types.Container
+}
+
+func (c *diskUsageContainersContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *diskUsageContainersContext) Type() string {
+	return "Containers"
+}
+
+func (c *diskUsageContainersContext) TotalCount() string {
+	return fmt.Sprintf("%d", len(c.containers))
+}
+
+func (c *diskUsageContainersContext) isActive(container types.Container) bool {
+	return strings.Contains(container.State, "running") ||
+		strings.Contains(container.State, "paused") ||
+		strings.Contains(container.State, "restarting")
+}
+
+func (c *diskUsageContainersContext) Active() string {
+	used := 0
+	for _, container := range c.containers {
+		if c.isActive(*container) {
+			used++
+		}
+	}
+
+	return fmt.Sprintf("%d", used)
+}
+
+func (c *diskUsageContainersContext) Size() string {
+	var size int64
+
+	for _, container := range c.containers {
+		size += container.SizeRw
+	}
+
+	return units.HumanSize(float64(size))
+}
+
+func (c *diskUsageContainersContext) Reclaimable() string {
+	var reclaimable int64
+	var totalSize int64
+
+	for _, container := range c.containers {
+		if !c.isActive(*container) {
+			reclaimable += container.SizeRw
+		}
+		totalSize += container.SizeRw
+	}
+
+	if totalSize > 0 {
+		return fmt.Sprintf("%s (%v%%)", units.HumanSize(float64(reclaimable)), (reclaimable*100)/totalSize)
+	}
+
+	return units.HumanSize(float64(reclaimable))
+}
+
+type diskUsageVolumesContext struct {
+	HeaderContext
+	volumes []*types.Volume
+}
+
+func (c *diskUsageVolumesContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *diskUsageVolumesContext) Type() string {
+	return "Local Volumes"
+}
+
+func (c *diskUsageVolumesContext) TotalCount() string {
+	return fmt.Sprintf("%d", len(c.volumes))
+}
+
+func (c *diskUsageVolumesContext) Active() string {
+
+	used := 0
+	for _, v := range c.volumes {
+		if v.UsageData.RefCount > 0 {
+			used++
+		}
+	}
+
+	return fmt.Sprintf("%d", used)
+}
+
+func (c *diskUsageVolumesContext) Size() string {
+	var size int64
+
+	for _, v := range c.volumes {
+		if v.UsageData.Size != -1 {
+			size += v.UsageData.Size
+		}
+	}
+
+	return units.HumanSize(float64(size))
+}
+
+func (c *diskUsageVolumesContext) Reclaimable() string {
+	var reclaimable int64
+	var totalSize int64
+
+	for _, v := range c.volumes {
+		if v.UsageData.Size != -1 {
+			if v.UsageData.RefCount == 0 {
+				reclaimable += v.UsageData.Size
+			}
+			totalSize += v.UsageData.Size
+		}
+	}
+
+	if totalSize > 0 {
+		return fmt.Sprintf("%s (%v%%)", units.HumanSize(float64(reclaimable)), (reclaimable*100)/totalSize)
+	}
+
+	return units.HumanSize(float64(reclaimable))
+}
+
+type diskUsageBuilderContext struct {
+	HeaderContext
+	builderSize int64
+	buildCache  []*types.BuildCache
+}
+
+func (c *diskUsageBuilderContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *diskUsageBuilderContext) Type() string {
+	return "Build Cache"
+}
+
+func (c *diskUsageBuilderContext) TotalCount() string {
+	return fmt.Sprintf("%d", len(c.buildCache))
+}
+
+func (c *diskUsageBuilderContext) Active() string {
+	numActive := 0
+	for _, bc := range c.buildCache {
+		if bc.InUse {
+			numActive++
+		}
+	}
+	return fmt.Sprintf("%d", numActive)
+}
+
+func (c *diskUsageBuilderContext) Size() string {
+	return units.HumanSize(float64(c.builderSize))
+}
+
+func (c *diskUsageBuilderContext) Reclaimable() string {
+	var inUseBytes int64
+	for _, bc := range c.buildCache {
+		if bc.InUse {
+			inUseBytes += bc.Size
+		}
+	}
+
+	return units.HumanSize(float64(c.builderSize - inUseBytes))
+}
diff --git a/cli/cli/command/formatter/disk_usage_test.go b/cli/cli/command/formatter/disk_usage_test.go
new file mode 100644
index 00000000..878aef05
--- /dev/null
+++ b/cli/cli/command/formatter/disk_usage_test.go
@@ -0,0 +1,110 @@
+package formatter
+
+import (
+	"bytes"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestDiskUsageContextFormatWrite(t *testing.T) {
+	cases := []struct {
+		context  DiskUsageContext
+		expected string
+	}{
+		// Check default output format (verbose and non-verbose mode) for table headers
+		{
+			DiskUsageContext{
+				Context: Context{
+					Format: NewDiskUsageFormat("table"),
+				},
+				Verbose: false},
+			`TYPE                TOTAL               ACTIVE              SIZE                RECLAIMABLE
+Images              0                   0                   0B                  0B
+Containers          0                   0                   0B                  0B
+Local Volumes       0                   0                   0B                  0B
+Build Cache         0                   0                   0B                  0B
+`,
+		},
+		{
+			DiskUsageContext{Verbose: true},
+			`Images space usage:
+
+REPOSITORY          TAG                 IMAGE ID            CREATED ago         SIZE                SHARED SIZE         UNIQUE SiZE         CONTAINERS
+
+Containers space usage:
+
+CONTAINER ID        IMAGE               COMMAND             LOCAL VOLUMES       SIZE                CREATED ago         STATUS              NAMES
+
+Local Volumes space usage:
+
+VOLUME NAME         LINKS               SIZE
+
+Build cache usage: 0B
+
+`,
+		},
+		// Errors
+		{
+			DiskUsageContext{
+				Context: Context{
+					Format: "{{InvalidFunction}}",
+				},
+			},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			DiskUsageContext{
+				Context: Context{
+					Format: "{{nil}}",
+				},
+			},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table Format
+		{
+			DiskUsageContext{
+				Context: Context{
+					Format: NewDiskUsageFormat("table"),
+				},
+			},
+			`TYPE                TOTAL               ACTIVE              SIZE                RECLAIMABLE
+Images              0                   0                   0B                  0B
+Containers          0                   0                   0B                  0B
+Local Volumes       0                   0                   0B                  0B
+Build Cache         0                   0                   0B                  0B
+`,
+		},
+		{
+			DiskUsageContext{
+				Context: Context{
+					Format: NewDiskUsageFormat("table {{.Type}}\t{{.Active}}"),
+				},
+			},
+			string(golden.Get(t, "disk-usage-context-write-custom.golden")),
+		},
+		// Raw Format
+		{
+			DiskUsageContext{
+				Context: Context{
+					Format: NewDiskUsageFormat("raw"),
+				},
+			},
+			string(golden.Get(t, "disk-usage-raw-format.golden")),
+		},
+	}
+
+	for _, testcase := range cases {
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		if err := testcase.context.Write(); err != nil {
+			assert.Check(t, is.Equal(testcase.expected, err.Error()))
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
diff --git a/cli/cli/command/formatter/displayutils.go b/cli/cli/command/formatter/displayutils.go
new file mode 100644
index 00000000..0c3b6ebb
--- /dev/null
+++ b/cli/cli/command/formatter/displayutils.go
@@ -0,0 +1,61 @@
+package formatter
+
+import (
+	"unicode/utf8"
+
+	"golang.org/x/text/width"
+)
+
+// charWidth returns the number of horizontal positions a character occupies,
+// and is used to account for wide characters when displaying strings.
+//
+// In a broad sense, wide characters include East Asian Wide, East Asian Full-width,
+// (when not in East Asian context) see http://unicode.org/reports/tr11/.
+func charWidth(r rune) int {
+	switch width.LookupRune(r).Kind() {
+	case width.EastAsianWide, width.EastAsianFullwidth:
+		return 2
+	default:
+		return 1
+	}
+}
+
+// Ellipsis truncates a string to fit within maxDisplayWidth, and appends ellipsis (…).
+// For maxDisplayWidth of 1 and lower, no ellipsis is appended.
+// For maxDisplayWidth of 1, first char of string will return even if its width > 1.
+func Ellipsis(s string, maxDisplayWidth int) string {
+	if maxDisplayWidth <= 0 {
+		return ""
+	}
+	rs := []rune(s)
+	if maxDisplayWidth == 1 {
+		return string(rs[0])
+	}
+
+	byteLen := len(s)
+	if byteLen == utf8.RuneCountInString(s) {
+		if byteLen <= maxDisplayWidth {
+			return s
+		}
+		return string(rs[:maxDisplayWidth-1]) + "…"
+	}
+
+	var (
+		display      []int
+		displayWidth int
+	)
+	for _, r := range rs {
+		cw := charWidth(r)
+		displayWidth += cw
+		display = append(display, displayWidth)
+	}
+	if displayWidth <= maxDisplayWidth {
+		return s
+	}
+	for i := range display {
+		if display[i] <= maxDisplayWidth-1 && display[i+1] > maxDisplayWidth-1 {
+			return string(rs[:i+1]) + "…"
+		}
+	}
+	return s
+}
diff --git a/cli/cli/command/formatter/displayutils_test.go b/cli/cli/command/formatter/displayutils_test.go
new file mode 100644
index 00000000..db60610b
--- /dev/null
+++ b/cli/cli/command/formatter/displayutils_test.go
@@ -0,0 +1,31 @@
+package formatter
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestEllipsis(t *testing.T) {
+	var testcases = []struct {
+		source   string
+		width    int
+		expected string
+	}{
+		{source: "t🐳ststring", width: 0, expected: ""},
+		{source: "t🐳ststring", width: 1, expected: "t"},
+		{source: "t🐳ststring", width: 2, expected: "t…"},
+		{source: "t🐳ststring", width: 6, expected: "t🐳st…"},
+		{source: "t🐳ststring", width: 20, expected: "t🐳ststring"},
+		{source: "你好世界teststring", width: 0, expected: ""},
+		{source: "你好世界teststring", width: 1, expected: "你"},
+		{source: "你好世界teststring", width: 3, expected: "你…"},
+		{source: "你好世界teststring", width: 6, expected: "你好…"},
+		{source: "你好世界teststring", width: 20, expected: "你好世界teststring"},
+	}
+
+	for _, testcase := range testcases {
+		assert.Check(t, is.Equal(testcase.expected, Ellipsis(testcase.source, testcase.width)))
+	}
+}
diff --git a/cli/cli/command/formatter/formatter.go b/cli/cli/command/formatter/formatter.go
new file mode 100644
index 00000000..c63e1a49
--- /dev/null
+++ b/cli/cli/command/formatter/formatter.go
@@ -0,0 +1,119 @@
+package formatter
+
+import (
+	"bytes"
+	"io"
+	"strings"
+	"text/tabwriter"
+	"text/template"
+
+	"github.com/docker/cli/templates"
+	"github.com/pkg/errors"
+)
+
+// Format keys used to specify certain kinds of output formats
+const (
+	TableFormatKey  = "table"
+	RawFormatKey    = "raw"
+	PrettyFormatKey = "pretty"
+
+	defaultQuietFormat = "{{.ID}}"
+)
+
+// Format is the format string rendered using the Context
+type Format string
+
+// IsTable returns true if the format is a table-type format
+func (f Format) IsTable() bool {
+	return strings.HasPrefix(string(f), TableFormatKey)
+}
+
+// Contains returns true if the format contains the substring
+func (f Format) Contains(sub string) bool {
+	return strings.Contains(string(f), sub)
+}
+
+// Context contains information required by the formatter to print the output as desired.
+type Context struct {
+	// Output is the output stream to which the formatted string is written.
+	Output io.Writer
+	// Format is used to choose raw, table or custom format for the output.
+	Format Format
+	// Trunc when set to true will truncate the output of certain fields such as Container ID.
+	Trunc bool
+
+	// internal element
+	finalFormat string
+	header      interface{}
+	buffer      *bytes.Buffer
+}
+
+func (c *Context) preFormat() {
+	c.finalFormat = string(c.Format)
+
+	// TODO: handle this in the Format type
+	if c.Format.IsTable() {
+		c.finalFormat = c.finalFormat[len(TableFormatKey):]
+	}
+
+	c.finalFormat = strings.Trim(c.finalFormat, " ")
+	r := strings.NewReplacer(`\t`, "\t", `\n`, "\n")
+	c.finalFormat = r.Replace(c.finalFormat)
+}
+
+func (c *Context) parseFormat() (*template.Template, error) {
+	tmpl, err := templates.Parse(c.finalFormat)
+	if err != nil {
+		return tmpl, errors.Errorf("Template parsing error: %v\n", err)
+	}
+	return tmpl, err
+}
+
+func (c *Context) postFormat(tmpl *template.Template, subContext subContext) {
+	if c.Format.IsTable() {
+		t := tabwriter.NewWriter(c.Output, 20, 1, 3, ' ', 0)
+		buffer := bytes.NewBufferString("")
+		tmpl.Funcs(templates.HeaderFunctions).Execute(buffer, subContext.FullHeader())
+		buffer.WriteTo(t)
+		t.Write([]byte("\n"))
+		c.buffer.WriteTo(t)
+		t.Flush()
+	} else {
+		c.buffer.WriteTo(c.Output)
+	}
+}
+
+func (c *Context) contextFormat(tmpl *template.Template, subContext subContext) error {
+	if err := tmpl.Execute(c.buffer, subContext); err != nil {
+		return errors.Errorf("Template parsing error: %v\n", err)
+	}
+	if c.Format.IsTable() && c.header != nil {
+		c.header = subContext.FullHeader()
+	}
+	c.buffer.WriteString("\n")
+	return nil
+}
+
+// SubFormat is a function type accepted by Write()
+type SubFormat func(func(subContext) error) error
+
+// Write the template to the buffer using this Context
+func (c *Context) Write(sub subContext, f SubFormat) error {
+	c.buffer = bytes.NewBufferString("")
+	c.preFormat()
+
+	tmpl, err := c.parseFormat()
+	if err != nil {
+		return err
+	}
+
+	subFormat := func(subContext subContext) error {
+		return c.contextFormat(tmpl, subContext)
+	}
+	if err := f(subFormat); err != nil {
+		return err
+	}
+
+	c.postFormat(tmpl, sub)
+	return nil
+}
diff --git a/cli/cli/command/formatter/history.go b/cli/cli/command/formatter/history.go
new file mode 100644
index 00000000..6ad0a605
--- /dev/null
+++ b/cli/cli/command/formatter/history.go
@@ -0,0 +1,109 @@
+package formatter
+
+import (
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/pkg/stringid"
+	units "github.com/docker/go-units"
+)
+
+const (
+	defaultHistoryTableFormat  = "table {{.ID}}\t{{.CreatedSince}}\t{{.CreatedBy}}\t{{.Size}}\t{{.Comment}}"
+	nonHumanHistoryTableFormat = "table {{.ID}}\t{{.CreatedAt}}\t{{.CreatedBy}}\t{{.Size}}\t{{.Comment}}"
+
+	historyIDHeader = "IMAGE"
+	createdByHeader = "CREATED BY"
+	commentHeader   = "COMMENT"
+)
+
+// NewHistoryFormat returns a format for rendering an HistoryContext
+func NewHistoryFormat(source string, quiet bool, human bool) Format {
+	switch source {
+	case TableFormatKey:
+		switch {
+		case quiet:
+			return defaultQuietFormat
+		case !human:
+			return nonHumanHistoryTableFormat
+		default:
+			return defaultHistoryTableFormat
+		}
+	}
+
+	return Format(source)
+}
+
+// HistoryWrite writes the context
+func HistoryWrite(ctx Context, human bool, histories []image.HistoryResponseItem) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, history := range histories {
+			historyCtx := &historyContext{trunc: ctx.Trunc, h: history, human: human}
+			if err := format(historyCtx); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	historyCtx := &historyContext{}
+	historyCtx.header = map[string]string{
+		"ID":           historyIDHeader,
+		"CreatedSince": createdSinceHeader,
+		"CreatedAt":    createdAtHeader,
+		"CreatedBy":    createdByHeader,
+		"Size":         sizeHeader,
+		"Comment":      commentHeader,
+	}
+	return ctx.Write(historyCtx, render)
+}
+
+type historyContext struct {
+	HeaderContext
+	trunc bool
+	human bool
+	h     image.HistoryResponseItem
+}
+
+func (c *historyContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *historyContext) ID() string {
+	if c.trunc {
+		return stringid.TruncateID(c.h.ID)
+	}
+	return c.h.ID
+}
+
+func (c *historyContext) CreatedAt() string {
+	return time.Unix(c.h.Created, 0).Format(time.RFC3339)
+}
+
+func (c *historyContext) CreatedSince() string {
+	if !c.human {
+		return c.CreatedAt()
+	}
+	created := units.HumanDuration(time.Now().UTC().Sub(time.Unix(c.h.Created, 0)))
+	return created + " ago"
+}
+
+func (c *historyContext) CreatedBy() string {
+	createdBy := strings.Replace(c.h.CreatedBy, "\t", " ", -1)
+	if c.trunc {
+		return Ellipsis(createdBy, 45)
+	}
+	return createdBy
+}
+
+func (c *historyContext) Size() string {
+	if c.human {
+		return units.HumanSizeWithPrecision(float64(c.h.Size), 3)
+	}
+	return strconv.FormatInt(c.h.Size, 10)
+}
+
+func (c *historyContext) Comment() string {
+	return c.h.Comment
+}
diff --git a/cli/cli/command/formatter/history_test.go b/cli/cli/command/formatter/history_test.go
new file mode 100644
index 00000000..7dfc146b
--- /dev/null
+++ b/cli/cli/command/formatter/history_test.go
@@ -0,0 +1,226 @@
+package formatter
+
+import (
+	"bytes"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+type historyCase struct {
+	historyCtx historyContext
+	expValue   string
+	call       func() string
+}
+
+func TestHistoryContext_ID(t *testing.T) {
+	id := stringid.GenerateRandomID()
+
+	var ctx historyContext
+	cases := []historyCase{
+		{
+			historyContext{
+				h:     image.HistoryResponseItem{ID: id},
+				trunc: false,
+			}, id, ctx.ID,
+		},
+		{
+			historyContext{
+				h:     image.HistoryResponseItem{ID: id},
+				trunc: true,
+			}, stringid.TruncateID(id), ctx.ID,
+		},
+	}
+
+	for _, c := range cases {
+		ctx = c.historyCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestHistoryContext_CreatedSince(t *testing.T) {
+	dateStr := "2009-11-10T23:00:00Z"
+	var ctx historyContext
+	cases := []historyCase{
+		{
+			historyContext{
+				h:     image.HistoryResponseItem{Created: time.Now().AddDate(0, 0, -7).Unix()},
+				trunc: false,
+				human: true,
+			}, "7 days ago", ctx.CreatedSince,
+		},
+		{
+			historyContext{
+				h:     image.HistoryResponseItem{Created: time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC).Unix()},
+				trunc: false,
+				human: false,
+			}, dateStr, ctx.CreatedSince,
+		},
+	}
+
+	for _, c := range cases {
+		ctx = c.historyCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestHistoryContext_CreatedBy(t *testing.T) {
+	withTabs := `/bin/sh -c apt-key adv --keyserver hkp://pgp.mit.edu:80	--recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62	&& echo "deb http://nginx.org/packages/mainline/debian/ jessie nginx" >> /etc/apt/sources.list  && apt-get update  && apt-get install --no-install-recommends --no-install-suggests -y       ca-certificates       nginx=${NGINX_VERSION}       nginx-module-xslt       nginx-module-geoip       nginx-module-image-filter       nginx-module-perl       nginx-module-njs       gettext-base  && rm -rf /var/lib/apt/lists/*` // nolint: lll
+	expected := `/bin/sh -c apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 && echo "deb http://nginx.org/packages/mainline/debian/ jessie nginx" >> /etc/apt/sources.list  && apt-get update  && apt-get install --no-install-recommends --no-install-suggests -y       ca-certificates       nginx=${NGINX_VERSION}       nginx-module-xslt       nginx-module-geoip       nginx-module-image-filter       nginx-module-perl       nginx-module-njs       gettext-base  && rm -rf /var/lib/apt/lists/*` // nolint: lll
+
+	var ctx historyContext
+	cases := []historyCase{
+		{
+			historyContext{
+				h:     image.HistoryResponseItem{CreatedBy: withTabs},
+				trunc: false,
+			}, expected, ctx.CreatedBy,
+		},
+		{
+			historyContext{
+				h:     image.HistoryResponseItem{CreatedBy: withTabs},
+				trunc: true,
+			}, Ellipsis(expected, 45), ctx.CreatedBy,
+		},
+	}
+
+	for _, c := range cases {
+		ctx = c.historyCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestHistoryContext_Size(t *testing.T) {
+	size := int64(182964289)
+	expected := "183MB"
+
+	var ctx historyContext
+	cases := []historyCase{
+		{
+			historyContext{
+				h:     image.HistoryResponseItem{Size: size},
+				trunc: false,
+				human: true,
+			}, expected, ctx.Size,
+		}, {
+			historyContext{
+				h:     image.HistoryResponseItem{Size: size},
+				trunc: false,
+				human: false,
+			}, strconv.Itoa(182964289), ctx.Size,
+		},
+	}
+
+	for _, c := range cases {
+		ctx = c.historyCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestHistoryContext_Comment(t *testing.T) {
+	comment := "Some comment"
+
+	var ctx historyContext
+	cases := []historyCase{
+		{
+			historyContext{
+				h:     image.HistoryResponseItem{Comment: comment},
+				trunc: false,
+			}, comment, ctx.Comment,
+		},
+	}
+
+	for _, c := range cases {
+		ctx = c.historyCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestHistoryContext_Table(t *testing.T) {
+	out := bytes.NewBufferString("")
+	unixTime := time.Now().AddDate(0, 0, -1).Unix()
+	histories := []image.HistoryResponseItem{
+		{
+			ID:        "imageID1",
+			Created:   unixTime,
+			CreatedBy: "/bin/bash ls && npm i && npm run test && karma -c karma.conf.js start && npm start && more commands here && the list goes on",
+			Size:      int64(182964289),
+			Comment:   "Hi",
+			Tags:      []string{"image:tag2"},
+		},
+		{ID: "imageID2", Created: unixTime, CreatedBy: "/bin/bash echo", Size: int64(182964289), Comment: "Hi", Tags: []string{"image:tag2"}},
+		{ID: "imageID3", Created: unixTime, CreatedBy: "/bin/bash ls", Size: int64(182964289), Comment: "Hi", Tags: []string{"image:tag2"}},
+		{ID: "imageID4", Created: unixTime, CreatedBy: "/bin/bash grep", Size: int64(182964289), Comment: "Hi", Tags: []string{"image:tag2"}},
+	}
+	// nolint: lll
+	expectedNoTrunc := `IMAGE               CREATED             CREATED BY                                                                                                                     SIZE                COMMENT
+imageID1            24 hours ago        /bin/bash ls && npm i && npm run test && karma -c karma.conf.js start && npm start && more commands here && the list goes on   183MB               Hi
+imageID2            24 hours ago        /bin/bash echo                                                                                                                 183MB               Hi
+imageID3            24 hours ago        /bin/bash ls                                                                                                                   183MB               Hi
+imageID4            24 hours ago        /bin/bash grep                                                                                                                 183MB               Hi
+`
+	expectedTrunc := `IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
+imageID1            24 hours ago        /bin/bash ls && npm i && npm run test && kar…   183MB               Hi
+imageID2            24 hours ago        /bin/bash echo                                  183MB               Hi
+imageID3            24 hours ago        /bin/bash ls                                    183MB               Hi
+imageID4            24 hours ago        /bin/bash grep                                  183MB               Hi
+`
+
+	contexts := []struct {
+		context  Context
+		expected string
+	}{
+		{Context{
+			Format: NewHistoryFormat("table", false, true),
+			Trunc:  true,
+			Output: out,
+		},
+			expectedTrunc,
+		},
+		{Context{
+			Format: NewHistoryFormat("table", false, true),
+			Trunc:  false,
+			Output: out,
+		},
+			expectedNoTrunc,
+		},
+	}
+
+	for _, context := range contexts {
+		HistoryWrite(context.context, true, histories)
+		assert.Check(t, is.Equal(context.expected, out.String()))
+		// Clean buffer
+		out.Reset()
+	}
+}
diff --git a/cli/cli/command/formatter/image.go b/cli/cli/command/formatter/image.go
new file mode 100644
index 00000000..e94785ef
--- /dev/null
+++ b/cli/cli/command/formatter/image.go
@@ -0,0 +1,272 @@
+package formatter
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/stringid"
+	units "github.com/docker/go-units"
+)
+
+const (
+	defaultImageTableFormat           = "table {{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.CreatedSince}}\t{{.Size}}"
+	defaultImageTableFormatWithDigest = "table {{.Repository}}\t{{.Tag}}\t{{.Digest}}\t{{.ID}}\t{{.CreatedSince}}\t{{.Size}}"
+
+	imageIDHeader    = "IMAGE ID"
+	repositoryHeader = "REPOSITORY"
+	tagHeader        = "TAG"
+	digestHeader     = "DIGEST"
+)
+
+// ImageContext contains image specific information required by the formatter, encapsulate a Context struct.
+type ImageContext struct {
+	Context
+	Digest bool
+}
+
+func isDangling(image types.ImageSummary) bool {
+	return len(image.RepoTags) == 1 && image.RepoTags[0] == "<none>:<none>" && len(image.RepoDigests) == 1 && image.RepoDigests[0] == "<none>@<none>"
+}
+
+// NewImageFormat returns a format for rendering an ImageContext
+func NewImageFormat(source string, quiet bool, digest bool) Format {
+	switch source {
+	case TableFormatKey:
+		switch {
+		case quiet:
+			return defaultQuietFormat
+		case digest:
+			return defaultImageTableFormatWithDigest
+		default:
+			return defaultImageTableFormat
+		}
+	case RawFormatKey:
+		switch {
+		case quiet:
+			return `image_id: {{.ID}}`
+		case digest:
+			return `repository: {{ .Repository }}
+tag: {{.Tag}}
+digest: {{.Digest}}
+image_id: {{.ID}}
+created_at: {{.CreatedAt}}
+virtual_size: {{.Size}}
+`
+		default:
+			return `repository: {{ .Repository }}
+tag: {{.Tag}}
+image_id: {{.ID}}
+created_at: {{.CreatedAt}}
+virtual_size: {{.Size}}
+`
+		}
+	}
+
+	format := Format(source)
+	if format.IsTable() && digest && !format.Contains("{{.Digest}}") {
+		format += "\t{{.Digest}}"
+	}
+	return format
+}
+
+// ImageWrite writes the formatter images using the ImageContext
+func ImageWrite(ctx ImageContext, images []types.ImageSummary) error {
+	render := func(format func(subContext subContext) error) error {
+		return imageFormat(ctx, images, format)
+	}
+	return ctx.Write(newImageContext(), render)
+}
+
+// needDigest determines whether the image digest should be ignored or not when writing image context
+func needDigest(ctx ImageContext) bool {
+	return ctx.Digest || ctx.Format.Contains("{{.Digest}}")
+}
+
+func imageFormat(ctx ImageContext, images []types.ImageSummary, format func(subContext subContext) error) error {
+	for _, image := range images {
+		formatted := []*imageContext{}
+		if isDangling(image) {
+			formatted = append(formatted, &imageContext{
+				trunc:  ctx.Trunc,
+				i:      image,
+				repo:   "<none>",
+				tag:    "<none>",
+				digest: "<none>",
+			})
+		} else {
+			formatted = imageFormatTaggedAndDigest(ctx, image)
+		}
+		for _, imageCtx := range formatted {
+			if err := format(imageCtx); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func imageFormatTaggedAndDigest(ctx ImageContext, image types.ImageSummary) []*imageContext {
+	repoTags := map[string][]string{}
+	repoDigests := map[string][]string{}
+	images := []*imageContext{}
+
+	for _, refString := range image.RepoTags {
+		ref, err := reference.ParseNormalizedNamed(refString)
+		if err != nil {
+			continue
+		}
+		if nt, ok := ref.(reference.NamedTagged); ok {
+			familiarRef := reference.FamiliarName(ref)
+			repoTags[familiarRef] = append(repoTags[familiarRef], nt.Tag())
+		}
+	}
+	for _, refString := range image.RepoDigests {
+		ref, err := reference.ParseNormalizedNamed(refString)
+		if err != nil {
+			continue
+		}
+		if c, ok := ref.(reference.Canonical); ok {
+			familiarRef := reference.FamiliarName(ref)
+			repoDigests[familiarRef] = append(repoDigests[familiarRef], c.Digest().String())
+		}
+	}
+
+	addImage := func(repo, tag, digest string) {
+		image := &imageContext{
+			trunc:  ctx.Trunc,
+			i:      image,
+			repo:   repo,
+			tag:    tag,
+			digest: digest,
+		}
+		images = append(images, image)
+	}
+
+	for repo, tags := range repoTags {
+		digests := repoDigests[repo]
+
+		// Do not display digests as their own row
+		delete(repoDigests, repo)
+
+		if !needDigest(ctx) {
+			// Ignore digest references, just show tag once
+			digests = nil
+		}
+
+		for _, tag := range tags {
+			if len(digests) == 0 {
+				addImage(repo, tag, "<none>")
+				continue
+			}
+			// Display the digests for each tag
+			for _, dgst := range digests {
+				addImage(repo, tag, dgst)
+			}
+
+		}
+	}
+
+	// Show rows for remaining digest only references
+	for repo, digests := range repoDigests {
+		// If digests are displayed, show row per digest
+		if ctx.Digest {
+			for _, dgst := range digests {
+				addImage(repo, "<none>", dgst)
+			}
+		} else {
+			addImage(repo, "<none>", "")
+
+		}
+	}
+	return images
+}
+
+type imageContext struct {
+	HeaderContext
+	trunc  bool
+	i      types.ImageSummary
+	repo   string
+	tag    string
+	digest string
+}
+
+func newImageContext() *imageContext {
+	imageCtx := imageContext{}
+	imageCtx.header = map[string]string{
+		"ID":           imageIDHeader,
+		"Repository":   repositoryHeader,
+		"Tag":          tagHeader,
+		"Digest":       digestHeader,
+		"CreatedSince": createdSinceHeader,
+		"CreatedAt":    createdAtHeader,
+		"Size":         sizeHeader,
+		"Containers":   containersHeader,
+		"VirtualSize":  sizeHeader,
+		"SharedSize":   sharedSizeHeader,
+		"UniqueSize":   uniqueSizeHeader,
+	}
+	return &imageCtx
+}
+
+func (c *imageContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *imageContext) ID() string {
+	if c.trunc {
+		return stringid.TruncateID(c.i.ID)
+	}
+	return c.i.ID
+}
+
+func (c *imageContext) Repository() string {
+	return c.repo
+}
+
+func (c *imageContext) Tag() string {
+	return c.tag
+}
+
+func (c *imageContext) Digest() string {
+	return c.digest
+}
+
+func (c *imageContext) CreatedSince() string {
+	createdAt := time.Unix(c.i.Created, 0)
+	return units.HumanDuration(time.Now().UTC().Sub(createdAt)) + " ago"
+}
+
+func (c *imageContext) CreatedAt() string {
+	return time.Unix(c.i.Created, 0).String()
+}
+
+func (c *imageContext) Size() string {
+	return units.HumanSizeWithPrecision(float64(c.i.Size), 3)
+}
+
+func (c *imageContext) Containers() string {
+	if c.i.Containers == -1 {
+		return "N/A"
+	}
+	return fmt.Sprintf("%d", c.i.Containers)
+}
+
+func (c *imageContext) VirtualSize() string {
+	return units.HumanSize(float64(c.i.VirtualSize))
+}
+
+func (c *imageContext) SharedSize() string {
+	if c.i.SharedSize == -1 {
+		return "N/A"
+	}
+	return units.HumanSize(float64(c.i.SharedSize))
+}
+
+func (c *imageContext) UniqueSize() string {
+	if c.i.VirtualSize == -1 || c.i.SharedSize == -1 {
+		return "N/A"
+	}
+	return units.HumanSize(float64(c.i.VirtualSize - c.i.SharedSize))
+}
diff --git a/cli/cli/command/formatter/image_test.go b/cli/cli/command/formatter/image_test.go
new file mode 100644
index 00000000..7efad0a7
--- /dev/null
+++ b/cli/cli/command/formatter/image_test.go
@@ -0,0 +1,356 @@
+package formatter
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestImageContext(t *testing.T) {
+	imageID := stringid.GenerateRandomID()
+	unix := time.Now().Unix()
+
+	var ctx imageContext
+	cases := []struct {
+		imageCtx imageContext
+		expValue string
+		call     func() string
+	}{
+		{imageContext{
+			i:     types.ImageSummary{ID: imageID},
+			trunc: true,
+		}, stringid.TruncateID(imageID), ctx.ID},
+		{imageContext{
+			i:     types.ImageSummary{ID: imageID},
+			trunc: false,
+		}, imageID, ctx.ID},
+		{imageContext{
+			i:     types.ImageSummary{Size: 10, VirtualSize: 10},
+			trunc: true,
+		}, "10B", ctx.Size},
+		{imageContext{
+			i:     types.ImageSummary{Created: unix},
+			trunc: true,
+		}, time.Unix(unix, 0).String(), ctx.CreatedAt},
+		// FIXME
+		// {imageContext{
+		// 	i:     types.ImageSummary{Created: unix},
+		// 	trunc: true,
+		// }, units.HumanDuration(time.Unix(unix, 0)), createdSinceHeader, ctx.CreatedSince},
+		{imageContext{
+			i:    types.ImageSummary{},
+			repo: "busybox",
+		}, "busybox", ctx.Repository},
+		{imageContext{
+			i:   types.ImageSummary{},
+			tag: "latest",
+		}, "latest", ctx.Tag},
+		{imageContext{
+			i:      types.ImageSummary{},
+			digest: "sha256:d149ab53f8718e987c3a3024bb8aa0e2caadf6c0328f1d9d850b2a2a67f2819a",
+		}, "sha256:d149ab53f8718e987c3a3024bb8aa0e2caadf6c0328f1d9d850b2a2a67f2819a", ctx.Digest},
+		{
+			imageContext{
+				i: types.ImageSummary{Containers: 10},
+			}, "10", ctx.Containers,
+		},
+		{
+			imageContext{
+				i: types.ImageSummary{VirtualSize: 10000},
+			}, "10kB", ctx.VirtualSize,
+		},
+		{
+			imageContext{
+				i: types.ImageSummary{SharedSize: 10000},
+			}, "10kB", ctx.SharedSize,
+		},
+		{
+			imageContext{
+				i: types.ImageSummary{SharedSize: 5000, VirtualSize: 20000},
+			}, "15kB", ctx.UniqueSize,
+		},
+	}
+
+	for _, c := range cases {
+		ctx = c.imageCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else {
+			assert.Check(t, is.Equal(c.expValue, v))
+		}
+	}
+}
+
+func TestImageContextWrite(t *testing.T) {
+	unixTime := time.Now().AddDate(0, 0, -1).Unix()
+	expectedTime := time.Unix(unixTime, 0).String()
+
+	cases := []struct {
+		context  ImageContext
+		expected string
+	}{
+		// Errors
+		{
+			ImageContext{
+				Context: Context{
+					Format: "{{InvalidFunction}}",
+				},
+			},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: "{{nil}}",
+				},
+			},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table Format
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("table", false, false),
+				},
+			},
+			`REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+image               tag1                imageID1            24 hours ago        0B
+image               tag2                imageID2            24 hours ago        0B
+<none>              <none>              imageID3            24 hours ago        0B
+`,
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("table {{.Repository}}", false, false),
+				},
+			},
+			"REPOSITORY\nimage\nimage\n<none>\n",
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("table {{.Repository}}", false, true),
+				},
+				Digest: true,
+			},
+			`REPOSITORY          DIGEST
+image               sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf
+image               <none>
+<none>              <none>
+`,
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("table {{.Repository}}", true, false),
+				},
+			},
+			"REPOSITORY\nimage\nimage\n<none>\n",
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("table {{.Digest}}", true, false),
+				},
+			},
+			"DIGEST\nsha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf\n<none>\n<none>\n",
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("table", true, false),
+				},
+			},
+			"imageID1\nimageID2\nimageID3\n",
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("table", false, true),
+				},
+				Digest: true,
+			},
+			`REPOSITORY          TAG                 DIGEST                                                                    IMAGE ID            CREATED             SIZE
+image               tag1                sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf   imageID1            24 hours ago        0B
+image               tag2                <none>                                                                    imageID2            24 hours ago        0B
+<none>              <none>              <none>                                                                    imageID3            24 hours ago        0B
+`,
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("table", true, true),
+				},
+				Digest: true,
+			},
+			"imageID1\nimageID2\nimageID3\n",
+		},
+		// Raw Format
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("raw", false, false),
+				},
+			},
+			fmt.Sprintf(`repository: image
+tag: tag1
+image_id: imageID1
+created_at: %s
+virtual_size: 0B
+
+repository: image
+tag: tag2
+image_id: imageID2
+created_at: %s
+virtual_size: 0B
+
+repository: <none>
+tag: <none>
+image_id: imageID3
+created_at: %s
+virtual_size: 0B
+
+`, expectedTime, expectedTime, expectedTime),
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("raw", false, true),
+				},
+				Digest: true,
+			},
+			fmt.Sprintf(`repository: image
+tag: tag1
+digest: sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf
+image_id: imageID1
+created_at: %s
+virtual_size: 0B
+
+repository: image
+tag: tag2
+digest: <none>
+image_id: imageID2
+created_at: %s
+virtual_size: 0B
+
+repository: <none>
+tag: <none>
+digest: <none>
+image_id: imageID3
+created_at: %s
+virtual_size: 0B
+
+`, expectedTime, expectedTime, expectedTime),
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("raw", true, false),
+				},
+			},
+			`image_id: imageID1
+image_id: imageID2
+image_id: imageID3
+`,
+		},
+		// Custom Format
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("{{.Repository}}", false, false),
+				},
+			},
+			"image\nimage\n<none>\n",
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("{{.Repository}}", false, true),
+				},
+				Digest: true,
+			},
+			"image\nimage\n<none>\n",
+		},
+	}
+
+	for _, testcase := range cases {
+		images := []types.ImageSummary{
+			{ID: "imageID1", RepoTags: []string{"image:tag1"}, RepoDigests: []string{"image@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"}, Created: unixTime},
+			{ID: "imageID2", RepoTags: []string{"image:tag2"}, Created: unixTime},
+			{ID: "imageID3", RepoTags: []string{"<none>:<none>"}, RepoDigests: []string{"<none>@<none>"}, Created: unixTime},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := ImageWrite(testcase.context, images)
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
+
+func TestImageContextWriteWithNoImage(t *testing.T) {
+	out := bytes.NewBufferString("")
+	images := []types.ImageSummary{}
+
+	contexts := []struct {
+		context  ImageContext
+		expected string
+	}{
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("{{.Repository}}", false, false),
+					Output: out,
+				},
+			},
+			"",
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("table {{.Repository}}", false, false),
+					Output: out,
+				},
+			},
+			"REPOSITORY\n",
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("{{.Repository}}", false, true),
+					Output: out,
+				},
+			},
+			"",
+		},
+		{
+			ImageContext{
+				Context: Context{
+					Format: NewImageFormat("table {{.Repository}}", false, true),
+					Output: out,
+				},
+			},
+			"REPOSITORY          DIGEST\n",
+		},
+	}
+
+	for _, context := range contexts {
+		ImageWrite(context.context, images)
+		assert.Check(t, is.Equal(context.expected, out.String()))
+		// Clean buffer
+		out.Reset()
+	}
+}
diff --git a/cli/cli/command/formatter/network.go b/cli/cli/command/formatter/network.go
new file mode 100644
index 00000000..4aeebd17
--- /dev/null
+++ b/cli/cli/command/formatter/network.go
@@ -0,0 +1,129 @@
+package formatter
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/stringid"
+)
+
+const (
+	defaultNetworkTableFormat = "table {{.ID}}\t{{.Name}}\t{{.Driver}}\t{{.Scope}}"
+
+	networkIDHeader = "NETWORK ID"
+	ipv6Header      = "IPV6"
+	internalHeader  = "INTERNAL"
+)
+
+// NewNetworkFormat returns a Format for rendering using a network Context
+func NewNetworkFormat(source string, quiet bool) Format {
+	switch source {
+	case TableFormatKey:
+		if quiet {
+			return defaultQuietFormat
+		}
+		return defaultNetworkTableFormat
+	case RawFormatKey:
+		if quiet {
+			return `network_id: {{.ID}}`
+		}
+		return `network_id: {{.ID}}\nname: {{.Name}}\ndriver: {{.Driver}}\nscope: {{.Scope}}\n`
+	}
+	return Format(source)
+}
+
+// NetworkWrite writes the context
+func NetworkWrite(ctx Context, networks []types.NetworkResource) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, network := range networks {
+			networkCtx := &networkContext{trunc: ctx.Trunc, n: network}
+			if err := format(networkCtx); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	networkCtx := networkContext{}
+	networkCtx.header = networkHeaderContext{
+		"ID":        networkIDHeader,
+		"Name":      nameHeader,
+		"Driver":    driverHeader,
+		"Scope":     scopeHeader,
+		"IPv6":      ipv6Header,
+		"Internal":  internalHeader,
+		"Labels":    labelsHeader,
+		"CreatedAt": createdAtHeader,
+	}
+	return ctx.Write(&networkCtx, render)
+}
+
+type networkHeaderContext map[string]string
+
+func (c networkHeaderContext) Label(name string) string {
+	n := strings.Split(name, ".")
+	r := strings.NewReplacer("-", " ", "_", " ")
+	h := r.Replace(n[len(n)-1])
+
+	return h
+}
+
+type networkContext struct {
+	HeaderContext
+	trunc bool
+	n     types.NetworkResource
+}
+
+func (c *networkContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *networkContext) ID() string {
+	if c.trunc {
+		return stringid.TruncateID(c.n.ID)
+	}
+	return c.n.ID
+}
+
+func (c *networkContext) Name() string {
+	return c.n.Name
+}
+
+func (c *networkContext) Driver() string {
+	return c.n.Driver
+}
+
+func (c *networkContext) Scope() string {
+	return c.n.Scope
+}
+
+func (c *networkContext) IPv6() string {
+	return fmt.Sprintf("%v", c.n.EnableIPv6)
+}
+
+func (c *networkContext) Internal() string {
+	return fmt.Sprintf("%v", c.n.Internal)
+}
+
+func (c *networkContext) Labels() string {
+	if c.n.Labels == nil {
+		return ""
+	}
+
+	var joinLabels []string
+	for k, v := range c.n.Labels {
+		joinLabels = append(joinLabels, fmt.Sprintf("%s=%s", k, v))
+	}
+	return strings.Join(joinLabels, ",")
+}
+
+func (c *networkContext) Label(name string) string {
+	if c.n.Labels == nil {
+		return ""
+	}
+	return c.n.Labels[name]
+}
+
+func (c *networkContext) CreatedAt() string {
+	return c.n.Created.String()
+}
diff --git a/cli/cli/command/formatter/network_test.go b/cli/cli/command/formatter/network_test.go
new file mode 100644
index 00000000..6831926e
--- /dev/null
+++ b/cli/cli/command/formatter/network_test.go
@@ -0,0 +1,213 @@
+package formatter
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNetworkContext(t *testing.T) {
+	networkID := stringid.GenerateRandomID()
+
+	var ctx networkContext
+	cases := []struct {
+		networkCtx networkContext
+		expValue   string
+		call       func() string
+	}{
+		{networkContext{
+			n:     types.NetworkResource{ID: networkID},
+			trunc: false,
+		}, networkID, ctx.ID},
+		{networkContext{
+			n:     types.NetworkResource{ID: networkID},
+			trunc: true,
+		}, stringid.TruncateID(networkID), ctx.ID},
+		{networkContext{
+			n: types.NetworkResource{Name: "network_name"},
+		}, "network_name", ctx.Name},
+		{networkContext{
+			n: types.NetworkResource{Driver: "driver_name"},
+		}, "driver_name", ctx.Driver},
+		{networkContext{
+			n: types.NetworkResource{EnableIPv6: true},
+		}, "true", ctx.IPv6},
+		{networkContext{
+			n: types.NetworkResource{EnableIPv6: false},
+		}, "false", ctx.IPv6},
+		{networkContext{
+			n: types.NetworkResource{Internal: true},
+		}, "true", ctx.Internal},
+		{networkContext{
+			n: types.NetworkResource{Internal: false},
+		}, "false", ctx.Internal},
+		{networkContext{
+			n: types.NetworkResource{},
+		}, "", ctx.Labels},
+		{networkContext{
+			n: types.NetworkResource{Labels: map[string]string{"label1": "value1", "label2": "value2"}},
+		}, "label1=value1,label2=value2", ctx.Labels},
+	}
+
+	for _, c := range cases {
+		ctx = c.networkCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestNetworkContextWrite(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+
+		// Errors
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table format
+		{
+			Context{Format: NewNetworkFormat("table", false)},
+			`NETWORK ID          NAME                DRIVER              SCOPE
+networkID1          foobar_baz          foo                 local
+networkID2          foobar_bar          bar                 local
+`,
+		},
+		{
+			Context{Format: NewNetworkFormat("table", true)},
+			`networkID1
+networkID2
+`,
+		},
+		{
+			Context{Format: NewNetworkFormat("table {{.Name}}", false)},
+			`NAME
+foobar_baz
+foobar_bar
+`,
+		},
+		{
+			Context{Format: NewNetworkFormat("table {{.Name}}", true)},
+			`NAME
+foobar_baz
+foobar_bar
+`,
+		},
+		// Raw Format
+		{
+			Context{Format: NewNetworkFormat("raw", false)},
+			`network_id: networkID1
+name: foobar_baz
+driver: foo
+scope: local
+
+network_id: networkID2
+name: foobar_bar
+driver: bar
+scope: local
+
+`,
+		},
+		{
+			Context{Format: NewNetworkFormat("raw", true)},
+			`network_id: networkID1
+network_id: networkID2
+`,
+		},
+		// Custom Format
+		{
+			Context{Format: NewNetworkFormat("{{.Name}}", false)},
+			`foobar_baz
+foobar_bar
+`,
+		},
+		// Custom Format with CreatedAt
+		{
+			Context{Format: NewNetworkFormat("{{.Name}} {{.CreatedAt}}", false)},
+			`foobar_baz 2016-01-01 00:00:00 +0000 UTC
+foobar_bar 2017-01-01 00:00:00 +0000 UTC
+`,
+		},
+	}
+
+	timestamp1, _ := time.Parse("2006-01-02", "2016-01-01")
+	timestamp2, _ := time.Parse("2006-01-02", "2017-01-01")
+
+	for _, testcase := range cases {
+		networks := []types.NetworkResource{
+			{ID: "networkID1", Name: "foobar_baz", Driver: "foo", Scope: "local", Created: timestamp1},
+			{ID: "networkID2", Name: "foobar_bar", Driver: "bar", Scope: "local", Created: timestamp2},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := NetworkWrite(testcase.context, networks)
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
+
+func TestNetworkContextWriteJSON(t *testing.T) {
+	networks := []types.NetworkResource{
+		{ID: "networkID1", Name: "foobar_baz"},
+		{ID: "networkID2", Name: "foobar_bar"},
+	}
+	expectedJSONs := []map[string]interface{}{
+		{"Driver": "", "ID": "networkID1", "IPv6": "false", "Internal": "false", "Labels": "", "Name": "foobar_baz", "Scope": "", "CreatedAt": "0001-01-01 00:00:00 +0000 UTC"},
+		{"Driver": "", "ID": "networkID2", "IPv6": "false", "Internal": "false", "Labels": "", "Name": "foobar_bar", "Scope": "", "CreatedAt": "0001-01-01 00:00:00 +0000 UTC"},
+	}
+
+	out := bytes.NewBufferString("")
+	err := NetworkWrite(Context{Format: "{{json .}}", Output: out}, networks)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		msg := fmt.Sprintf("Output: line %d: %s", i, line)
+		var m map[string]interface{}
+		err := json.Unmarshal([]byte(line), &m)
+		assert.NilError(t, err, msg)
+		assert.Check(t, is.DeepEqual(expectedJSONs[i], m), msg)
+	}
+}
+
+func TestNetworkContextWriteJSONField(t *testing.T) {
+	networks := []types.NetworkResource{
+		{ID: "networkID1", Name: "foobar_baz"},
+		{ID: "networkID2", Name: "foobar_bar"},
+	}
+	out := bytes.NewBufferString("")
+	err := NetworkWrite(Context{Format: "{{json .ID}}", Output: out}, networks)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		msg := fmt.Sprintf("Output: line %d: %s", i, line)
+		var s string
+		err := json.Unmarshal([]byte(line), &s)
+		assert.NilError(t, err, msg)
+		assert.Check(t, is.Equal(networks[i].ID, s), msg)
+	}
+}
diff --git a/cli/cli/command/formatter/node.go b/cli/cli/command/formatter/node.go
new file mode 100644
index 00000000..6cfc3238
--- /dev/null
+++ b/cli/cli/command/formatter/node.go
@@ -0,0 +1,336 @@
+package formatter
+
+import (
+	"encoding/base64"
+	"fmt"
+	"reflect"
+	"strings"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	units "github.com/docker/go-units"
+)
+
+const (
+	defaultNodeTableFormat           = "table {{.ID}} {{if .Self}}*{{else}} {{ end }}\t{{.Hostname}}\t{{.Status}}\t{{.Availability}}\t{{.ManagerStatus}}\t{{.EngineVersion}}"
+	nodeInspectPrettyTemplate Format = `ID:			{{.ID}}
+{{- if .Name }}
+Name:			{{.Name}}
+{{- end }}
+{{- if .Labels }}
+Labels:
+{{- range $k, $v := .Labels }}
+ - {{ $k }}{{if $v }}={{ $v }}{{ end }}
+{{- end }}{{ end }}
+Hostname:              	{{.Hostname}}
+Joined at:             	{{.CreatedAt}}
+Status:
+ State:			{{.StatusState}}
+ {{- if .HasStatusMessage}}
+ Message:              	{{.StatusMessage}}
+ {{- end}}
+ Availability:         	{{.SpecAvailability}}
+ {{- if .Status.Addr}}
+ Address:		{{.StatusAddr}}
+ {{- end}}
+{{- if .HasManagerStatus}}
+Manager Status:
+ Address:		{{.ManagerStatusAddr}}
+ Raft Status:		{{.ManagerStatusReachability}}
+ {{- if .IsManagerStatusLeader}}
+ Leader:		Yes
+ {{- else}}
+ Leader:		No
+ {{- end}}
+{{- end}}
+Platform:
+ Operating System:	{{.PlatformOS}}
+ Architecture:		{{.PlatformArchitecture}}
+Resources:
+ CPUs:			{{.ResourceNanoCPUs}}
+ Memory:		{{.ResourceMemory}}
+{{- if .HasEnginePlugins}}
+Plugins:
+{{- range $k, $v := .EnginePlugins }}
+ {{ $k }}:{{if $v }}		{{ $v }}{{ end }}
+{{- end }}
+{{- end }}
+Engine Version:		{{.EngineVersion}}
+{{- if .EngineLabels}}
+Engine Labels:
+{{- range $k, $v := .EngineLabels }}
+ - {{ $k }}{{if $v }}={{ $v }}{{ end }}
+{{- end }}{{- end }}
+{{- if .HasTLSInfo}}
+TLS Info:
+ TrustRoot:
+{{.TLSInfoTrustRoot}}
+ Issuer Subject:	{{.TLSInfoCertIssuerSubject}}
+ Issuer Public Key:	{{.TLSInfoCertIssuerPublicKey}}
+{{- end}}`
+	nodeIDHeader        = "ID"
+	selfHeader          = ""
+	hostnameHeader      = "HOSTNAME"
+	availabilityHeader  = "AVAILABILITY"
+	managerStatusHeader = "MANAGER STATUS"
+	engineVersionHeader = "ENGINE VERSION"
+	tlsStatusHeader     = "TLS STATUS"
+)
+
+// NewNodeFormat returns a Format for rendering using a node Context
+func NewNodeFormat(source string, quiet bool) Format {
+	switch source {
+	case PrettyFormatKey:
+		return nodeInspectPrettyTemplate
+	case TableFormatKey:
+		if quiet {
+			return defaultQuietFormat
+		}
+		return defaultNodeTableFormat
+	case RawFormatKey:
+		if quiet {
+			return `node_id: {{.ID}}`
+		}
+		return `node_id: {{.ID}}\nhostname: {{.Hostname}}\nstatus: {{.Status}}\navailability: {{.Availability}}\nmanager_status: {{.ManagerStatus}}\n`
+	}
+	return Format(source)
+}
+
+// NodeWrite writes the context
+func NodeWrite(ctx Context, nodes []swarm.Node, info types.Info) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, node := range nodes {
+			nodeCtx := &nodeContext{n: node, info: info}
+			if err := format(nodeCtx); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	header := nodeHeaderContext{
+		"ID":            nodeIDHeader,
+		"Self":          selfHeader,
+		"Hostname":      hostnameHeader,
+		"Status":        statusHeader,
+		"Availability":  availabilityHeader,
+		"ManagerStatus": managerStatusHeader,
+		"EngineVersion": engineVersionHeader,
+		"TLSStatus":     tlsStatusHeader,
+	}
+	nodeCtx := nodeContext{}
+	nodeCtx.header = header
+	return ctx.Write(&nodeCtx, render)
+}
+
+type nodeHeaderContext map[string]string
+
+type nodeContext struct {
+	HeaderContext
+	n    swarm.Node
+	info types.Info
+}
+
+func (c *nodeContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *nodeContext) ID() string {
+	return c.n.ID
+}
+
+func (c *nodeContext) Self() bool {
+	return c.n.ID == c.info.Swarm.NodeID
+}
+
+func (c *nodeContext) Hostname() string {
+	return c.n.Description.Hostname
+}
+
+func (c *nodeContext) Status() string {
+	return command.PrettyPrint(string(c.n.Status.State))
+}
+
+func (c *nodeContext) Availability() string {
+	return command.PrettyPrint(string(c.n.Spec.Availability))
+}
+
+func (c *nodeContext) ManagerStatus() string {
+	reachability := ""
+	if c.n.ManagerStatus != nil {
+		if c.n.ManagerStatus.Leader {
+			reachability = "Leader"
+		} else {
+			reachability = string(c.n.ManagerStatus.Reachability)
+		}
+	}
+	return command.PrettyPrint(reachability)
+}
+
+func (c *nodeContext) TLSStatus() string {
+	if c.info.Swarm.Cluster == nil || reflect.DeepEqual(c.info.Swarm.Cluster.TLSInfo, swarm.TLSInfo{}) || reflect.DeepEqual(c.n.Description.TLSInfo, swarm.TLSInfo{}) {
+		return "Unknown"
+	}
+	if reflect.DeepEqual(c.n.Description.TLSInfo, c.info.Swarm.Cluster.TLSInfo) {
+		return "Ready"
+	}
+	return "Needs Rotation"
+}
+
+func (c *nodeContext) EngineVersion() string {
+	return c.n.Description.Engine.EngineVersion
+}
+
+// NodeInspectWrite renders the context for a list of nodes
+func NodeInspectWrite(ctx Context, refs []string, getRef inspect.GetRefFunc) error {
+	if ctx.Format != nodeInspectPrettyTemplate {
+		return inspect.Inspect(ctx.Output, refs, string(ctx.Format), getRef)
+	}
+	render := func(format func(subContext subContext) error) error {
+		for _, ref := range refs {
+			nodeI, _, err := getRef(ref)
+			if err != nil {
+				return err
+			}
+			node, ok := nodeI.(swarm.Node)
+			if !ok {
+				return fmt.Errorf("got wrong object to inspect :%v", ok)
+			}
+			if err := format(&nodeInspectContext{Node: node}); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(&nodeInspectContext{}, render)
+}
+
+type nodeInspectContext struct {
+	swarm.Node
+	subContext
+}
+
+func (ctx *nodeInspectContext) ID() string {
+	return ctx.Node.ID
+}
+
+func (ctx *nodeInspectContext) Name() string {
+	return ctx.Node.Spec.Name
+}
+
+func (ctx *nodeInspectContext) Labels() map[string]string {
+	return ctx.Node.Spec.Labels
+}
+
+func (ctx *nodeInspectContext) Hostname() string {
+	return ctx.Node.Description.Hostname
+}
+
+func (ctx *nodeInspectContext) CreatedAt() string {
+	return command.PrettyPrint(ctx.Node.CreatedAt)
+}
+
+func (ctx *nodeInspectContext) StatusState() string {
+	return command.PrettyPrint(ctx.Node.Status.State)
+}
+
+func (ctx *nodeInspectContext) HasStatusMessage() bool {
+	return ctx.Node.Status.Message != ""
+}
+
+func (ctx *nodeInspectContext) StatusMessage() string {
+	return command.PrettyPrint(ctx.Node.Status.Message)
+}
+
+func (ctx *nodeInspectContext) SpecAvailability() string {
+	return command.PrettyPrint(ctx.Node.Spec.Availability)
+}
+
+func (ctx *nodeInspectContext) HasStatusAddr() bool {
+	return ctx.Node.Status.Addr != ""
+}
+
+func (ctx *nodeInspectContext) StatusAddr() string {
+	return ctx.Node.Status.Addr
+}
+
+func (ctx *nodeInspectContext) HasManagerStatus() bool {
+	return ctx.Node.ManagerStatus != nil
+}
+
+func (ctx *nodeInspectContext) ManagerStatusAddr() string {
+	return ctx.Node.ManagerStatus.Addr
+}
+
+func (ctx *nodeInspectContext) ManagerStatusReachability() string {
+	return command.PrettyPrint(ctx.Node.ManagerStatus.Reachability)
+}
+
+func (ctx *nodeInspectContext) IsManagerStatusLeader() bool {
+	return ctx.Node.ManagerStatus.Leader
+}
+
+func (ctx *nodeInspectContext) PlatformOS() string {
+	return ctx.Node.Description.Platform.OS
+}
+
+func (ctx *nodeInspectContext) PlatformArchitecture() string {
+	return ctx.Node.Description.Platform.Architecture
+}
+
+func (ctx *nodeInspectContext) ResourceNanoCPUs() int {
+	if ctx.Node.Description.Resources.NanoCPUs == 0 {
+		return int(0)
+	}
+	return int(ctx.Node.Description.Resources.NanoCPUs) / 1e9
+}
+
+func (ctx *nodeInspectContext) ResourceMemory() string {
+	if ctx.Node.Description.Resources.MemoryBytes == 0 {
+		return ""
+	}
+	return units.BytesSize(float64(ctx.Node.Description.Resources.MemoryBytes))
+}
+
+func (ctx *nodeInspectContext) HasEnginePlugins() bool {
+	return len(ctx.Node.Description.Engine.Plugins) > 0
+}
+
+func (ctx *nodeInspectContext) EnginePlugins() map[string]string {
+	pluginMap := map[string][]string{}
+	for _, p := range ctx.Node.Description.Engine.Plugins {
+		pluginMap[p.Type] = append(pluginMap[p.Type], p.Name)
+	}
+
+	pluginNamesByType := map[string]string{}
+	for k, v := range pluginMap {
+		pluginNamesByType[k] = strings.Join(v, ", ")
+	}
+	return pluginNamesByType
+}
+
+func (ctx *nodeInspectContext) EngineLabels() map[string]string {
+	return ctx.Node.Description.Engine.Labels
+}
+
+func (ctx *nodeInspectContext) EngineVersion() string {
+	return ctx.Node.Description.Engine.EngineVersion
+}
+
+func (ctx *nodeInspectContext) HasTLSInfo() bool {
+	tlsInfo := ctx.Node.Description.TLSInfo
+	return !reflect.DeepEqual(tlsInfo, swarm.TLSInfo{})
+}
+
+func (ctx *nodeInspectContext) TLSInfoTrustRoot() string {
+	return ctx.Node.Description.TLSInfo.TrustRoot
+}
+
+func (ctx *nodeInspectContext) TLSInfoCertIssuerPublicKey() string {
+	return base64.StdEncoding.EncodeToString(ctx.Node.Description.TLSInfo.CertIssuerPublicKey)
+}
+
+func (ctx *nodeInspectContext) TLSInfoCertIssuerSubject() string {
+	return base64.StdEncoding.EncodeToString(ctx.Node.Description.TLSInfo.CertIssuerSubject)
+}
diff --git a/cli/cli/command/formatter/node_test.go b/cli/cli/command/formatter/node_test.go
new file mode 100644
index 00000000..cf9ccbde
--- /dev/null
+++ b/cli/cli/command/formatter/node_test.go
@@ -0,0 +1,348 @@
+package formatter
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNodeContext(t *testing.T) {
+	nodeID := stringid.GenerateRandomID()
+
+	var ctx nodeContext
+	cases := []struct {
+		nodeCtx  nodeContext
+		expValue string
+		call     func() string
+	}{
+		{nodeContext{
+			n: swarm.Node{ID: nodeID},
+		}, nodeID, ctx.ID},
+		{nodeContext{
+			n: swarm.Node{Description: swarm.NodeDescription{Hostname: "node_hostname"}},
+		}, "node_hostname", ctx.Hostname},
+		{nodeContext{
+			n: swarm.Node{Status: swarm.NodeStatus{State: swarm.NodeState("foo")}},
+		}, "Foo", ctx.Status},
+		{nodeContext{
+			n: swarm.Node{Spec: swarm.NodeSpec{Availability: swarm.NodeAvailability("drain")}},
+		}, "Drain", ctx.Availability},
+		{nodeContext{
+			n: swarm.Node{ManagerStatus: &swarm.ManagerStatus{Leader: true}},
+		}, "Leader", ctx.ManagerStatus},
+	}
+
+	for _, c := range cases {
+		ctx = c.nodeCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestNodeContextWrite(t *testing.T) {
+	cases := []struct {
+		context     Context
+		expected    string
+		clusterInfo swarm.ClusterInfo
+	}{
+
+		// Errors
+		{
+			context: Context{Format: "{{InvalidFunction}}"},
+			expected: `Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
+		},
+		{
+			context: Context{Format: "{{nil}}"},
+			expected: `Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
+		},
+		// Table format
+		{
+			context: Context{Format: NewNodeFormat("table", false)},
+			expected: `ID                  HOSTNAME            STATUS              AVAILABILITY        MANAGER STATUS      ENGINE VERSION
+nodeID1             foobar_baz          Foo                 Drain               Leader              18.03.0-ce
+nodeID2             foobar_bar          Bar                 Active              Reachable           1.2.3
+nodeID3             foobar_boo          Boo                 Active                                  ` + "\n", // (to preserve whitespace)
+			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
+		},
+		{
+			context: Context{Format: NewNodeFormat("table", true)},
+			expected: `nodeID1
+nodeID2
+nodeID3
+`,
+			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
+		},
+		{
+			context: Context{Format: NewNodeFormat("table {{.Hostname}}", false)},
+			expected: `HOSTNAME
+foobar_baz
+foobar_bar
+foobar_boo
+`,
+			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
+		},
+		{
+			context: Context{Format: NewNodeFormat("table {{.Hostname}}", true)},
+			expected: `HOSTNAME
+foobar_baz
+foobar_bar
+foobar_boo
+`,
+			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
+		},
+		{
+			context: Context{Format: NewNodeFormat("table {{.ID}}\t{{.Hostname}}\t{{.TLSStatus}}", false)},
+			expected: `ID                  HOSTNAME            TLS STATUS
+nodeID1             foobar_baz          Needs Rotation
+nodeID2             foobar_bar          Ready
+nodeID3             foobar_boo          Unknown
+`,
+			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
+		},
+		{ // no cluster TLS status info, TLS status for all nodes is unknown
+			context: Context{Format: NewNodeFormat("table {{.ID}}\t{{.Hostname}}\t{{.TLSStatus}}", false)},
+			expected: `ID                  HOSTNAME            TLS STATUS
+nodeID1             foobar_baz          Unknown
+nodeID2             foobar_bar          Unknown
+nodeID3             foobar_boo          Unknown
+`,
+			clusterInfo: swarm.ClusterInfo{},
+		},
+		// Raw Format
+		{
+			context: Context{Format: NewNodeFormat("raw", false)},
+			expected: `node_id: nodeID1
+hostname: foobar_baz
+status: Foo
+availability: Drain
+manager_status: Leader
+
+node_id: nodeID2
+hostname: foobar_bar
+status: Bar
+availability: Active
+manager_status: Reachable
+
+node_id: nodeID3
+hostname: foobar_boo
+status: Boo
+availability: Active
+manager_status: ` + "\n\n", // to preserve whitespace
+			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
+		},
+		{
+			context: Context{Format: NewNodeFormat("raw", true)},
+			expected: `node_id: nodeID1
+node_id: nodeID2
+node_id: nodeID3
+`,
+			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
+		},
+		// Custom Format
+		{
+			context: Context{Format: NewNodeFormat("{{.Hostname}}  {{.TLSStatus}}", false)},
+			expected: `foobar_baz  Needs Rotation
+foobar_bar  Ready
+foobar_boo  Unknown
+`,
+			clusterInfo: swarm.ClusterInfo{TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}},
+		},
+	}
+
+	for _, testcase := range cases {
+		nodes := []swarm.Node{
+			{
+				ID: "nodeID1",
+				Description: swarm.NodeDescription{
+					Hostname: "foobar_baz",
+					TLSInfo:  swarm.TLSInfo{TrustRoot: "no"},
+					Engine:   swarm.EngineDescription{EngineVersion: "18.03.0-ce"},
+				},
+				Status:        swarm.NodeStatus{State: swarm.NodeState("foo")},
+				Spec:          swarm.NodeSpec{Availability: swarm.NodeAvailability("drain")},
+				ManagerStatus: &swarm.ManagerStatus{Leader: true},
+			},
+			{
+				ID: "nodeID2",
+				Description: swarm.NodeDescription{
+					Hostname: "foobar_bar",
+					TLSInfo:  swarm.TLSInfo{TrustRoot: "hi"},
+					Engine:   swarm.EngineDescription{EngineVersion: "1.2.3"},
+				},
+				Status: swarm.NodeStatus{State: swarm.NodeState("bar")},
+				Spec:   swarm.NodeSpec{Availability: swarm.NodeAvailability("active")},
+				ManagerStatus: &swarm.ManagerStatus{
+					Leader:       false,
+					Reachability: swarm.Reachability("Reachable"),
+				},
+			},
+			{
+				ID:          "nodeID3",
+				Description: swarm.NodeDescription{Hostname: "foobar_boo"},
+				Status:      swarm.NodeStatus{State: swarm.NodeState("boo")},
+				Spec:        swarm.NodeSpec{Availability: swarm.NodeAvailability("active")},
+			},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := NodeWrite(testcase.context, nodes, types.Info{Swarm: swarm.Info{Cluster: &testcase.clusterInfo}})
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
+
+func TestNodeContextWriteJSON(t *testing.T) {
+	cases := []struct {
+		expected []map[string]interface{}
+		info     types.Info
+	}{
+		{
+			expected: []map[string]interface{}{
+				{"Availability": "", "Hostname": "foobar_baz", "ID": "nodeID1", "ManagerStatus": "", "Status": "", "Self": false, "TLSStatus": "Unknown", "EngineVersion": "1.2.3"},
+				{"Availability": "", "Hostname": "foobar_bar", "ID": "nodeID2", "ManagerStatus": "", "Status": "", "Self": false, "TLSStatus": "Unknown", "EngineVersion": ""},
+				{"Availability": "", "Hostname": "foobar_boo", "ID": "nodeID3", "ManagerStatus": "", "Status": "", "Self": false, "TLSStatus": "Unknown", "EngineVersion": "18.03.0-ce"},
+			},
+			info: types.Info{},
+		},
+		{
+			expected: []map[string]interface{}{
+				{"Availability": "", "Hostname": "foobar_baz", "ID": "nodeID1", "ManagerStatus": "", "Status": "", "Self": false, "TLSStatus": "Ready", "EngineVersion": "1.2.3"},
+				{"Availability": "", "Hostname": "foobar_bar", "ID": "nodeID2", "ManagerStatus": "", "Status": "", "Self": false, "TLSStatus": "Needs Rotation", "EngineVersion": ""},
+				{"Availability": "", "Hostname": "foobar_boo", "ID": "nodeID3", "ManagerStatus": "", "Status": "", "Self": false, "TLSStatus": "Unknown", "EngineVersion": "18.03.0-ce"},
+			},
+			info: types.Info{
+				Swarm: swarm.Info{
+					Cluster: &swarm.ClusterInfo{
+						TLSInfo:                swarm.TLSInfo{TrustRoot: "hi"},
+						RootRotationInProgress: true,
+					},
+				},
+			},
+		},
+	}
+
+	for _, testcase := range cases {
+		nodes := []swarm.Node{
+			{ID: "nodeID1", Description: swarm.NodeDescription{Hostname: "foobar_baz", TLSInfo: swarm.TLSInfo{TrustRoot: "hi"}, Engine: swarm.EngineDescription{EngineVersion: "1.2.3"}}},
+			{ID: "nodeID2", Description: swarm.NodeDescription{Hostname: "foobar_bar", TLSInfo: swarm.TLSInfo{TrustRoot: "no"}}},
+			{ID: "nodeID3", Description: swarm.NodeDescription{Hostname: "foobar_boo", Engine: swarm.EngineDescription{EngineVersion: "18.03.0-ce"}}},
+		}
+		out := bytes.NewBufferString("")
+		err := NodeWrite(Context{Format: "{{json .}}", Output: out}, nodes, testcase.info)
+		if err != nil {
+			t.Fatal(err)
+		}
+		for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+			msg := fmt.Sprintf("Output: line %d: %s", i, line)
+			var m map[string]interface{}
+			err := json.Unmarshal([]byte(line), &m)
+			assert.NilError(t, err, msg)
+			assert.Check(t, is.DeepEqual(testcase.expected[i], m), msg)
+		}
+	}
+}
+
+func TestNodeContextWriteJSONField(t *testing.T) {
+	nodes := []swarm.Node{
+		{ID: "nodeID1", Description: swarm.NodeDescription{Hostname: "foobar_baz"}},
+		{ID: "nodeID2", Description: swarm.NodeDescription{Hostname: "foobar_bar"}},
+	}
+	out := bytes.NewBufferString("")
+	err := NodeWrite(Context{Format: "{{json .ID}}", Output: out}, nodes, types.Info{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		msg := fmt.Sprintf("Output: line %d: %s", i, line)
+		var s string
+		err := json.Unmarshal([]byte(line), &s)
+		assert.NilError(t, err, msg)
+		assert.Check(t, is.Equal(nodes[i].ID, s), msg)
+	}
+}
+
+func TestNodeInspectWriteContext(t *testing.T) {
+	node := swarm.Node{
+		ID: "nodeID1",
+		Description: swarm.NodeDescription{
+			Hostname: "foobar_baz",
+			TLSInfo: swarm.TLSInfo{
+				TrustRoot:           "-----BEGIN CERTIFICATE-----\ndata\n-----END CERTIFICATE-----\n",
+				CertIssuerPublicKey: []byte("pubKey"),
+				CertIssuerSubject:   []byte("subject"),
+			},
+			Platform: swarm.Platform{
+				OS:           "linux",
+				Architecture: "amd64",
+			},
+			Resources: swarm.Resources{
+				MemoryBytes: 1,
+			},
+			Engine: swarm.EngineDescription{
+				EngineVersion: "0.1.1",
+			},
+		},
+		Status: swarm.NodeStatus{
+			State: swarm.NodeState("ready"),
+			Addr:  "1.1.1.1",
+		},
+		Spec: swarm.NodeSpec{
+			Availability: swarm.NodeAvailability("drain"),
+			Role:         swarm.NodeRole("manager"),
+		},
+	}
+	out := bytes.NewBufferString("")
+	context := Context{
+		Format: NewNodeFormat("pretty", false),
+		Output: out,
+	}
+	err := NodeInspectWrite(context, []string{"nodeID1"}, func(string) (interface{}, []byte, error) {
+		return node, nil, nil
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	expected := `ID:			nodeID1
+Hostname:              	foobar_baz
+Joined at:             	0001-01-01 00:00:00 +0000 utc
+Status:
+ State:			Ready
+ Availability:         	Drain
+ Address:		1.1.1.1
+Platform:
+ Operating System:	linux
+ Architecture:		amd64
+Resources:
+ CPUs:			0
+ Memory:		1B
+Engine Version:		0.1.1
+TLS Info:
+ TrustRoot:
+-----BEGIN CERTIFICATE-----
+data
+-----END CERTIFICATE-----
+
+ Issuer Subject:	c3ViamVjdA==
+ Issuer Public Key:	cHViS2V5
+`
+	assert.Check(t, is.Equal(expected, out.String()))
+}
diff --git a/cli/cli/command/formatter/plugin.go b/cli/cli/command/formatter/plugin.go
new file mode 100644
index 00000000..08771149
--- /dev/null
+++ b/cli/cli/command/formatter/plugin.go
@@ -0,0 +1,94 @@
+package formatter
+
+import (
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/stringid"
+)
+
+const (
+	defaultPluginTableFormat = "table {{.ID}}\t{{.Name}}\t{{.Description}}\t{{.Enabled}}"
+
+	pluginIDHeader    = "ID"
+	descriptionHeader = "DESCRIPTION"
+	enabledHeader     = "ENABLED"
+)
+
+// NewPluginFormat returns a Format for rendering using a plugin Context
+func NewPluginFormat(source string, quiet bool) Format {
+	switch source {
+	case TableFormatKey:
+		if quiet {
+			return defaultQuietFormat
+		}
+		return defaultPluginTableFormat
+	case RawFormatKey:
+		if quiet {
+			return `plugin_id: {{.ID}}`
+		}
+		return `plugin_id: {{.ID}}\nname: {{.Name}}\ndescription: {{.Description}}\nenabled: {{.Enabled}}\n`
+	}
+	return Format(source)
+}
+
+// PluginWrite writes the context
+func PluginWrite(ctx Context, plugins []*types.Plugin) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, plugin := range plugins {
+			pluginCtx := &pluginContext{trunc: ctx.Trunc, p: *plugin}
+			if err := format(pluginCtx); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	pluginCtx := pluginContext{}
+	pluginCtx.header = map[string]string{
+		"ID":              pluginIDHeader,
+		"Name":            nameHeader,
+		"Description":     descriptionHeader,
+		"Enabled":         enabledHeader,
+		"PluginReference": imageHeader,
+	}
+	return ctx.Write(&pluginCtx, render)
+}
+
+type pluginContext struct {
+	HeaderContext
+	trunc bool
+	p     types.Plugin
+}
+
+func (c *pluginContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *pluginContext) ID() string {
+	if c.trunc {
+		return stringid.TruncateID(c.p.ID)
+	}
+	return c.p.ID
+}
+
+func (c *pluginContext) Name() string {
+	return c.p.Name
+}
+
+func (c *pluginContext) Description() string {
+	desc := strings.Replace(c.p.Config.Description, "\n", "", -1)
+	desc = strings.Replace(desc, "\r", "", -1)
+	if c.trunc {
+		desc = Ellipsis(desc, 45)
+	}
+
+	return desc
+}
+
+func (c *pluginContext) Enabled() bool {
+	return c.p.Enabled
+}
+
+func (c *pluginContext) PluginReference() string {
+	return c.p.PluginReference
+}
diff --git a/cli/cli/command/formatter/plugin_test.go b/cli/cli/command/formatter/plugin_test.go
new file mode 100644
index 00000000..b8551589
--- /dev/null
+++ b/cli/cli/command/formatter/plugin_test.go
@@ -0,0 +1,183 @@
+package formatter
+
+import (
+	"bytes"
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestPluginContext(t *testing.T) {
+	pluginID := stringid.GenerateRandomID()
+
+	var ctx pluginContext
+	cases := []struct {
+		pluginCtx pluginContext
+		expValue  string
+		call      func() string
+	}{
+		{pluginContext{
+			p:     types.Plugin{ID: pluginID},
+			trunc: false,
+		}, pluginID, ctx.ID},
+		{pluginContext{
+			p:     types.Plugin{ID: pluginID},
+			trunc: true,
+		}, stringid.TruncateID(pluginID), ctx.ID},
+		{pluginContext{
+			p: types.Plugin{Name: "plugin_name"},
+		}, "plugin_name", ctx.Name},
+		{pluginContext{
+			p: types.Plugin{Config: types.PluginConfig{Description: "plugin_description"}},
+		}, "plugin_description", ctx.Description},
+	}
+
+	for _, c := range cases {
+		ctx = c.pluginCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestPluginContextWrite(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+
+		// Errors
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table format
+		{
+			Context{Format: NewPluginFormat("table", false)},
+			`ID                  NAME                DESCRIPTION         ENABLED
+pluginID1           foobar_baz          description 1       true
+pluginID2           foobar_bar          description 2       false
+`,
+		},
+		{
+			Context{Format: NewPluginFormat("table", true)},
+			`pluginID1
+pluginID2
+`,
+		},
+		{
+			Context{Format: NewPluginFormat("table {{.Name}}", false)},
+			`NAME
+foobar_baz
+foobar_bar
+`,
+		},
+		{
+			Context{Format: NewPluginFormat("table {{.Name}}", true)},
+			`NAME
+foobar_baz
+foobar_bar
+`,
+		},
+		// Raw Format
+		{
+			Context{Format: NewPluginFormat("raw", false)},
+			`plugin_id: pluginID1
+name: foobar_baz
+description: description 1
+enabled: true
+
+plugin_id: pluginID2
+name: foobar_bar
+description: description 2
+enabled: false
+
+`,
+		},
+		{
+			Context{Format: NewPluginFormat("raw", true)},
+			`plugin_id: pluginID1
+plugin_id: pluginID2
+`,
+		},
+		// Custom Format
+		{
+			Context{Format: NewPluginFormat("{{.Name}}", false)},
+			`foobar_baz
+foobar_bar
+`,
+		},
+	}
+
+	for _, testcase := range cases {
+		plugins := []*types.Plugin{
+			{ID: "pluginID1", Name: "foobar_baz", Config: types.PluginConfig{Description: "description 1"}, Enabled: true},
+			{ID: "pluginID2", Name: "foobar_bar", Config: types.PluginConfig{Description: "description 2"}, Enabled: false},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := PluginWrite(testcase.context, plugins)
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
+
+func TestPluginContextWriteJSON(t *testing.T) {
+	plugins := []*types.Plugin{
+		{ID: "pluginID1", Name: "foobar_baz"},
+		{ID: "pluginID2", Name: "foobar_bar"},
+	}
+	expectedJSONs := []map[string]interface{}{
+		{"Description": "", "Enabled": false, "ID": "pluginID1", "Name": "foobar_baz", "PluginReference": ""},
+		{"Description": "", "Enabled": false, "ID": "pluginID2", "Name": "foobar_bar", "PluginReference": ""},
+	}
+
+	out := bytes.NewBufferString("")
+	err := PluginWrite(Context{Format: "{{json .}}", Output: out}, plugins)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		var m map[string]interface{}
+		if err := json.Unmarshal([]byte(line), &m); err != nil {
+			t.Fatal(err)
+		}
+		assert.Check(t, is.DeepEqual(expectedJSONs[i], m))
+	}
+}
+
+func TestPluginContextWriteJSONField(t *testing.T) {
+	plugins := []*types.Plugin{
+		{ID: "pluginID1", Name: "foobar_baz"},
+		{ID: "pluginID2", Name: "foobar_bar"},
+	}
+	out := bytes.NewBufferString("")
+	err := PluginWrite(Context{Format: "{{json .ID}}", Output: out}, plugins)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		var s string
+		if err := json.Unmarshal([]byte(line), &s); err != nil {
+			t.Fatal(err)
+		}
+		assert.Check(t, is.Equal(plugins[i].ID, s))
+	}
+}
diff --git a/cli/cli/command/formatter/reflect.go b/cli/cli/command/formatter/reflect.go
new file mode 100644
index 00000000..fd59404d
--- /dev/null
+++ b/cli/cli/command/formatter/reflect.go
@@ -0,0 +1,66 @@
+package formatter
+
+import (
+	"encoding/json"
+	"reflect"
+	"unicode"
+
+	"github.com/pkg/errors"
+)
+
+func marshalJSON(x interface{}) ([]byte, error) {
+	m, err := marshalMap(x)
+	if err != nil {
+		return nil, err
+	}
+	return json.Marshal(m)
+}
+
+// marshalMap marshals x to map[string]interface{}
+func marshalMap(x interface{}) (map[string]interface{}, error) {
+	val := reflect.ValueOf(x)
+	if val.Kind() != reflect.Ptr {
+		return nil, errors.Errorf("expected a pointer to a struct, got %v", val.Kind())
+	}
+	if val.IsNil() {
+		return nil, errors.Errorf("expected a pointer to a struct, got nil pointer")
+	}
+	valElem := val.Elem()
+	if valElem.Kind() != reflect.Struct {
+		return nil, errors.Errorf("expected a pointer to a struct, got a pointer to %v", valElem.Kind())
+	}
+	typ := val.Type()
+	m := make(map[string]interface{})
+	for i := 0; i < val.NumMethod(); i++ {
+		k, v, err := marshalForMethod(typ.Method(i), val.Method(i))
+		if err != nil {
+			return nil, err
+		}
+		if k != "" {
+			m[k] = v
+		}
+	}
+	return m, nil
+}
+
+var unmarshallableNames = map[string]struct{}{"FullHeader": {}}
+
+// marshalForMethod returns the map key and the map value for marshalling the method.
+// It returns ("", nil, nil) for valid but non-marshallable parameter. (e.g. "unexportedFunc()")
+func marshalForMethod(typ reflect.Method, val reflect.Value) (string, interface{}, error) {
+	if val.Kind() != reflect.Func {
+		return "", nil, errors.Errorf("expected func, got %v", val.Kind())
+	}
+	name, numIn, numOut := typ.Name, val.Type().NumIn(), val.Type().NumOut()
+	_, blackListed := unmarshallableNames[name]
+	// FIXME: In text/template, (numOut == 2) is marshallable,
+	//        if the type of the second param is error.
+	marshallable := unicode.IsUpper(rune(name[0])) && !blackListed &&
+		numIn == 0 && numOut == 1
+	if !marshallable {
+		return "", nil, nil
+	}
+	result := val.Call(make([]reflect.Value, numIn))
+	intf := result[0].Interface()
+	return name, intf, nil
+}
diff --git a/cli/cli/command/formatter/reflect_test.go b/cli/cli/command/formatter/reflect_test.go
new file mode 100644
index 00000000..ffda51b8
--- /dev/null
+++ b/cli/cli/command/formatter/reflect_test.go
@@ -0,0 +1,66 @@
+package formatter
+
+import (
+	"reflect"
+	"testing"
+)
+
+type dummy struct {
+}
+
+func (d *dummy) Func1() string {
+	return "Func1"
+}
+
+func (d *dummy) func2() string { // nolint: unused
+	return "func2(should not be marshalled)"
+}
+
+func (d *dummy) Func3() (string, int) {
+	return "Func3(should not be marshalled)", -42
+}
+
+func (d *dummy) Func4() int {
+	return 4
+}
+
+type dummyType string
+
+func (d *dummy) Func5() dummyType {
+	return dummyType("Func5")
+}
+
+func (d *dummy) FullHeader() string {
+	return "FullHeader(should not be marshalled)"
+}
+
+var dummyExpected = map[string]interface{}{
+	"Func1": "Func1",
+	"Func4": 4,
+	"Func5": dummyType("Func5"),
+}
+
+func TestMarshalMap(t *testing.T) {
+	d := dummy{}
+	m, err := marshalMap(&d)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !reflect.DeepEqual(dummyExpected, m) {
+		t.Fatalf("expected %+v, got %+v",
+			dummyExpected, m)
+	}
+}
+
+func TestMarshalMapBad(t *testing.T) {
+	if _, err := marshalMap(nil); err == nil {
+		t.Fatal("expected an error (argument is nil)")
+	}
+	if _, err := marshalMap(dummy{}); err == nil {
+		t.Fatal("expected an error (argument is non-pointer)")
+	}
+	x := 42
+	if _, err := marshalMap(&x); err == nil {
+		t.Fatal("expected an error (argument is a pointer to non-struct)")
+	}
+}
diff --git a/cli/cli/command/formatter/search.go b/cli/cli/command/formatter/search.go
new file mode 100644
index 00000000..8b5cfc4f
--- /dev/null
+++ b/cli/cli/command/formatter/search.go
@@ -0,0 +1,103 @@
+package formatter
+
+import (
+	"strconv"
+	"strings"
+
+	registry "github.com/docker/docker/api/types/registry"
+)
+
+const (
+	defaultSearchTableFormat = "table {{.Name}}\t{{.Description}}\t{{.StarCount}}\t{{.IsOfficial}}\t{{.IsAutomated}}"
+
+	starsHeader     = "STARS"
+	officialHeader  = "OFFICIAL"
+	automatedHeader = "AUTOMATED"
+)
+
+// NewSearchFormat returns a Format for rendering using a network Context
+func NewSearchFormat(source string) Format {
+	switch source {
+	case "":
+		return defaultSearchTableFormat
+	case TableFormatKey:
+		return defaultSearchTableFormat
+	}
+	return Format(source)
+}
+
+// SearchWrite writes the context
+func SearchWrite(ctx Context, results []registry.SearchResult, auto bool, stars int) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, result := range results {
+			// --automated and -s, --stars are deprecated since Docker 1.12
+			if (auto && !result.IsAutomated) || (stars > result.StarCount) {
+				continue
+			}
+			searchCtx := &searchContext{trunc: ctx.Trunc, s: result}
+			if err := format(searchCtx); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	searchCtx := searchContext{}
+	searchCtx.header = map[string]string{
+		"Name":        nameHeader,
+		"Description": descriptionHeader,
+		"StarCount":   starsHeader,
+		"IsOfficial":  officialHeader,
+		"IsAutomated": automatedHeader,
+	}
+	return ctx.Write(&searchCtx, render)
+}
+
+type searchContext struct {
+	HeaderContext
+	trunc bool
+	json  bool
+	s     registry.SearchResult
+}
+
+func (c *searchContext) MarshalJSON() ([]byte, error) {
+	c.json = true
+	return marshalJSON(c)
+}
+
+func (c *searchContext) Name() string {
+	return c.s.Name
+}
+
+func (c *searchContext) Description() string {
+	desc := strings.Replace(c.s.Description, "\n", " ", -1)
+	desc = strings.Replace(desc, "\r", " ", -1)
+	if c.trunc {
+		desc = Ellipsis(desc, 45)
+	}
+	return desc
+}
+
+func (c *searchContext) StarCount() string {
+	return strconv.Itoa(c.s.StarCount)
+}
+
+func (c *searchContext) formatBool(value bool) string {
+	switch {
+	case value && c.json:
+		return "true"
+	case value:
+		return "[OK]"
+	case c.json:
+		return "false"
+	default:
+		return ""
+	}
+}
+
+func (c *searchContext) IsOfficial() string {
+	return c.formatBool(c.s.IsOfficial)
+}
+
+func (c *searchContext) IsAutomated() string {
+	return c.formatBool(c.s.IsAutomated)
+}
diff --git a/cli/cli/command/formatter/search_test.go b/cli/cli/command/formatter/search_test.go
new file mode 100644
index 00000000..2e5bac0f
--- /dev/null
+++ b/cli/cli/command/formatter/search_test.go
@@ -0,0 +1,280 @@
+package formatter
+
+import (
+	"bytes"
+	"encoding/json"
+	"strings"
+	"testing"
+
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestSearchContext(t *testing.T) {
+	name := "nginx"
+	starCount := 5000
+
+	var ctx searchContext
+	cases := []struct {
+		searchCtx searchContext
+		expValue  string
+		call      func() string
+	}{
+		{searchContext{
+			s: registrytypes.SearchResult{Name: name},
+		}, name, ctx.Name},
+		{searchContext{
+			s: registrytypes.SearchResult{StarCount: starCount},
+		}, "5000", ctx.StarCount},
+		{searchContext{
+			s: registrytypes.SearchResult{IsOfficial: true},
+		}, "[OK]", ctx.IsOfficial},
+		{searchContext{
+			s: registrytypes.SearchResult{IsOfficial: false},
+		}, "", ctx.IsOfficial},
+		{searchContext{
+			s: registrytypes.SearchResult{IsAutomated: true},
+		}, "[OK]", ctx.IsAutomated},
+		{searchContext{
+			s: registrytypes.SearchResult{IsAutomated: false},
+		}, "", ctx.IsAutomated},
+	}
+
+	for _, c := range cases {
+		ctx = c.searchCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestSearchContextDescription(t *testing.T) {
+	shortDescription := "Official build of Nginx."
+	longDescription := "Automated Nginx reverse proxy for docker containers"
+	descriptionWReturns := "Automated\nNginx reverse\rproxy\rfor docker\ncontainers"
+
+	var ctx searchContext
+	cases := []struct {
+		searchCtx searchContext
+		expValue  string
+		call      func() string
+	}{
+		{searchContext{
+			s:     registrytypes.SearchResult{Description: shortDescription},
+			trunc: true,
+		}, shortDescription, ctx.Description},
+		{searchContext{
+			s:     registrytypes.SearchResult{Description: shortDescription},
+			trunc: false,
+		}, shortDescription, ctx.Description},
+		{searchContext{
+			s:     registrytypes.SearchResult{Description: longDescription},
+			trunc: false,
+		}, longDescription, ctx.Description},
+		{searchContext{
+			s:     registrytypes.SearchResult{Description: longDescription},
+			trunc: true,
+		}, Ellipsis(longDescription, 45), ctx.Description},
+		{searchContext{
+			s:     registrytypes.SearchResult{Description: descriptionWReturns},
+			trunc: false,
+		}, longDescription, ctx.Description},
+		{searchContext{
+			s:     registrytypes.SearchResult{Description: descriptionWReturns},
+			trunc: true,
+		}, Ellipsis(longDescription, 45), ctx.Description},
+	}
+
+	for _, c := range cases {
+		ctx = c.searchCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestSearchContextWrite(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+
+		// Errors
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table format
+		{
+			Context{Format: NewSearchFormat("table")},
+			string(golden.Get(t, "search-context-write-table.golden")),
+		},
+		{
+			Context{Format: NewSearchFormat("table {{.Name}}")},
+			`NAME
+result1
+result2
+`,
+		},
+		// Custom Format
+		{
+			Context{Format: NewSearchFormat("{{.Name}}")},
+			`result1
+result2
+`,
+		},
+		// Custom Format with CreatedAt
+		{
+			Context{Format: NewSearchFormat("{{.Name}} {{.StarCount}}")},
+			`result1 5000
+result2 5
+`,
+		},
+	}
+
+	for _, testcase := range cases {
+		results := []registrytypes.SearchResult{
+			{Name: "result1", Description: "Official build", StarCount: 5000, IsOfficial: true, IsAutomated: false},
+			{Name: "result2", Description: "Not official", StarCount: 5, IsOfficial: false, IsAutomated: true},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := SearchWrite(testcase.context, results, false, 0)
+		if err != nil {
+			assert.Check(t, is.ErrorContains(err, testcase.expected))
+		} else {
+			assert.Check(t, is.Equal(out.String(), testcase.expected))
+		}
+	}
+}
+
+func TestSearchContextWriteAutomated(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+
+		// Table format
+		{
+			Context{Format: NewSearchFormat("table")},
+			`NAME                DESCRIPTION         STARS               OFFICIAL            AUTOMATED
+result2             Not official        5                                       [OK]
+`,
+		},
+		{
+			Context{Format: NewSearchFormat("table {{.Name}}")},
+			`NAME
+result2
+`,
+		},
+	}
+
+	for _, testcase := range cases {
+		results := []registrytypes.SearchResult{
+			{Name: "result1", Description: "Official build", StarCount: 5000, IsOfficial: true, IsAutomated: false},
+			{Name: "result2", Description: "Not official", StarCount: 5, IsOfficial: false, IsAutomated: true},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := SearchWrite(testcase.context, results, true, 0)
+		if err != nil {
+			assert.Check(t, is.ErrorContains(err, testcase.expected))
+		} else {
+			assert.Check(t, is.Equal(out.String(), testcase.expected))
+		}
+	}
+}
+
+func TestSearchContextWriteStars(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+
+		// Table format
+		{
+			Context{Format: NewSearchFormat("table")},
+			string(golden.Get(t, "search-context-write-stars-table.golden")),
+		},
+		{
+			Context{Format: NewSearchFormat("table {{.Name}}")},
+			`NAME
+result1
+`,
+		},
+	}
+
+	for _, testcase := range cases {
+		results := []registrytypes.SearchResult{
+			{Name: "result1", Description: "Official build", StarCount: 5000, IsOfficial: true, IsAutomated: false},
+			{Name: "result2", Description: "Not official", StarCount: 5, IsOfficial: false, IsAutomated: true},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := SearchWrite(testcase.context, results, false, 6)
+		if err != nil {
+			assert.Check(t, is.ErrorContains(err, testcase.expected))
+		} else {
+			assert.Check(t, is.Equal(out.String(), testcase.expected))
+		}
+	}
+}
+
+func TestSearchContextWriteJSON(t *testing.T) {
+	results := []registrytypes.SearchResult{
+		{Name: "result1", Description: "Official build", StarCount: 5000, IsOfficial: true, IsAutomated: false},
+		{Name: "result2", Description: "Not official", StarCount: 5, IsOfficial: false, IsAutomated: true},
+	}
+	expectedJSONs := []map[string]interface{}{
+		{"Name": "result1", "Description": "Official build", "StarCount": "5000", "IsOfficial": "true", "IsAutomated": "false"},
+		{"Name": "result2", "Description": "Not official", "StarCount": "5", "IsOfficial": "false", "IsAutomated": "true"},
+	}
+
+	out := bytes.NewBufferString("")
+	err := SearchWrite(Context{Format: "{{json .}}", Output: out}, results, false, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		t.Logf("Output: line %d: %s", i, line)
+		var m map[string]interface{}
+		if err := json.Unmarshal([]byte(line), &m); err != nil {
+			t.Fatal(err)
+		}
+		assert.Check(t, is.DeepEqual(m, expectedJSONs[i]))
+	}
+}
+
+func TestSearchContextWriteJSONField(t *testing.T) {
+	results := []registrytypes.SearchResult{
+		{Name: "result1", Description: "Official build", StarCount: 5000, IsOfficial: true, IsAutomated: false},
+		{Name: "result2", Description: "Not official", StarCount: 5, IsOfficial: false, IsAutomated: true},
+	}
+	out := bytes.NewBufferString("")
+	err := SearchWrite(Context{Format: "{{json .Name}}", Output: out}, results, false, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		t.Logf("Output: line %d: %s", i, line)
+		var s string
+		if err := json.Unmarshal([]byte(line), &s); err != nil {
+			t.Fatal(err)
+		}
+		assert.Check(t, is.Equal(s, results[i].Name))
+	}
+}
diff --git a/cli/cli/command/formatter/secret.go b/cli/cli/command/formatter/secret.go
new file mode 100644
index 00000000..d025cd8f
--- /dev/null
+++ b/cli/cli/command/formatter/secret.go
@@ -0,0 +1,178 @@
+package formatter
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/docker/docker/api/types/swarm"
+	units "github.com/docker/go-units"
+)
+
+const (
+	defaultSecretTableFormat           = "table {{.ID}}\t{{.Name}}\t{{.Driver}}\t{{.CreatedAt}}\t{{.UpdatedAt}}"
+	secretIDHeader                     = "ID"
+	secretCreatedHeader                = "CREATED"
+	secretUpdatedHeader                = "UPDATED"
+	secretInspectPrettyTemplate Format = `ID:              {{.ID}}
+Name:              {{.Name}}
+{{- if .Labels }}
+Labels:
+{{- range $k, $v := .Labels }}
+ - {{ $k }}{{if $v }}={{ $v }}{{ end }}
+{{- end }}{{ end }}
+Driver:            {{.Driver}}
+Created at:        {{.CreatedAt}}
+Updated at:        {{.UpdatedAt}}`
+)
+
+// NewSecretFormat returns a Format for rendering using a secret Context
+func NewSecretFormat(source string, quiet bool) Format {
+	switch source {
+	case PrettyFormatKey:
+		return secretInspectPrettyTemplate
+	case TableFormatKey:
+		if quiet {
+			return defaultQuietFormat
+		}
+		return defaultSecretTableFormat
+	}
+	return Format(source)
+}
+
+// SecretWrite writes the context
+func SecretWrite(ctx Context, secrets []swarm.Secret) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, secret := range secrets {
+			secretCtx := &secretContext{s: secret}
+			if err := format(secretCtx); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(newSecretContext(), render)
+}
+
+func newSecretContext() *secretContext {
+	sCtx := &secretContext{}
+
+	sCtx.header = map[string]string{
+		"ID":        secretIDHeader,
+		"Name":      nameHeader,
+		"Driver":    driverHeader,
+		"CreatedAt": secretCreatedHeader,
+		"UpdatedAt": secretUpdatedHeader,
+		"Labels":    labelsHeader,
+	}
+	return sCtx
+}
+
+type secretContext struct {
+	HeaderContext
+	s swarm.Secret
+}
+
+func (c *secretContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *secretContext) ID() string {
+	return c.s.ID
+}
+
+func (c *secretContext) Name() string {
+	return c.s.Spec.Annotations.Name
+}
+
+func (c *secretContext) CreatedAt() string {
+	return units.HumanDuration(time.Now().UTC().Sub(c.s.Meta.CreatedAt)) + " ago"
+}
+
+func (c *secretContext) Driver() string {
+	if c.s.Spec.Driver == nil {
+		return ""
+	}
+	return c.s.Spec.Driver.Name
+}
+
+func (c *secretContext) UpdatedAt() string {
+	return units.HumanDuration(time.Now().UTC().Sub(c.s.Meta.UpdatedAt)) + " ago"
+}
+
+func (c *secretContext) Labels() string {
+	mapLabels := c.s.Spec.Annotations.Labels
+	if mapLabels == nil {
+		return ""
+	}
+	var joinLabels []string
+	for k, v := range mapLabels {
+		joinLabels = append(joinLabels, fmt.Sprintf("%s=%s", k, v))
+	}
+	return strings.Join(joinLabels, ",")
+}
+
+func (c *secretContext) Label(name string) string {
+	if c.s.Spec.Annotations.Labels == nil {
+		return ""
+	}
+	return c.s.Spec.Annotations.Labels[name]
+}
+
+// SecretInspectWrite renders the context for a list of secrets
+func SecretInspectWrite(ctx Context, refs []string, getRef inspect.GetRefFunc) error {
+	if ctx.Format != secretInspectPrettyTemplate {
+		return inspect.Inspect(ctx.Output, refs, string(ctx.Format), getRef)
+	}
+	render := func(format func(subContext subContext) error) error {
+		for _, ref := range refs {
+			secretI, _, err := getRef(ref)
+			if err != nil {
+				return err
+			}
+			secret, ok := secretI.(swarm.Secret)
+			if !ok {
+				return fmt.Errorf("got wrong object to inspect :%v", ok)
+			}
+			if err := format(&secretInspectContext{Secret: secret}); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(&secretInspectContext{}, render)
+}
+
+type secretInspectContext struct {
+	swarm.Secret
+	subContext
+}
+
+func (ctx *secretInspectContext) ID() string {
+	return ctx.Secret.ID
+}
+
+func (ctx *secretInspectContext) Name() string {
+	return ctx.Secret.Spec.Name
+}
+
+func (ctx *secretInspectContext) Labels() map[string]string {
+	return ctx.Secret.Spec.Labels
+}
+
+func (ctx *secretInspectContext) Driver() string {
+	if ctx.Secret.Spec.Driver == nil {
+		return ""
+	}
+	return ctx.Secret.Spec.Driver.Name
+}
+
+func (ctx *secretInspectContext) CreatedAt() string {
+	return command.PrettyPrint(ctx.Secret.CreatedAt)
+}
+
+func (ctx *secretInspectContext) UpdatedAt() string {
+	return command.PrettyPrint(ctx.Secret.UpdatedAt)
+}
diff --git a/cli/cli/command/formatter/secret_test.go b/cli/cli/command/formatter/secret_test.go
new file mode 100644
index 00000000..31119786
--- /dev/null
+++ b/cli/cli/command/formatter/secret_test.go
@@ -0,0 +1,64 @@
+package formatter
+
+import (
+	"bytes"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSecretContextFormatWrite(t *testing.T) {
+	// Check default output format (verbose and non-verbose mode) for table headers
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+		// Errors
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table format
+		{Context{Format: NewSecretFormat("table", false)},
+			`ID                  NAME                DRIVER              CREATED                  UPDATED
+1                   passwords                               Less than a second ago   Less than a second ago
+2                   id_rsa                                  Less than a second ago   Less than a second ago
+`},
+		{Context{Format: NewSecretFormat("table {{.Name}}", true)},
+			`NAME
+passwords
+id_rsa
+`},
+		{Context{Format: NewSecretFormat("{{.ID}}-{{.Name}}", false)},
+			`1-passwords
+2-id_rsa
+`},
+	}
+
+	secrets := []swarm.Secret{
+		{ID: "1",
+			Meta: swarm.Meta{CreatedAt: time.Now(), UpdatedAt: time.Now()},
+			Spec: swarm.SecretSpec{Annotations: swarm.Annotations{Name: "passwords"}}},
+		{ID: "2",
+			Meta: swarm.Meta{CreatedAt: time.Now(), UpdatedAt: time.Now()},
+			Spec: swarm.SecretSpec{Annotations: swarm.Annotations{Name: "id_rsa"}}},
+	}
+	for _, testcase := range cases {
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		if err := SecretWrite(testcase.context, secrets); err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
diff --git a/cli/cli/command/formatter/service.go b/cli/cli/command/formatter/service.go
new file mode 100644
index 00000000..5dde8006
--- /dev/null
+++ b/cli/cli/command/formatter/service.go
@@ -0,0 +1,646 @@
+package formatter
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/stringid"
+	units "github.com/docker/go-units"
+	"github.com/pkg/errors"
+)
+
+const serviceInspectPrettyTemplate Format = `
+ID:		{{.ID}}
+Name:		{{.Name}}
+{{- if .Labels }}
+Labels:
+{{- range $k, $v := .Labels }}
+ {{ $k }}{{if $v }}={{ $v }}{{ end }}
+{{- end }}{{ end }}
+Service Mode:
+{{- if .IsModeGlobal }}	Global
+{{- else if .IsModeReplicated }}	Replicated
+{{- if .ModeReplicatedReplicas }}
+ Replicas:	{{ .ModeReplicatedReplicas }}
+{{- end }}{{ end }}
+{{- if .HasUpdateStatus }}
+UpdateStatus:
+ State:		{{ .UpdateStatusState }}
+{{- if .HasUpdateStatusStarted }}
+ Started:	{{ .UpdateStatusStarted }}
+{{- end }}
+{{- if .UpdateIsCompleted }}
+ Completed:	{{ .UpdateStatusCompleted }}
+{{- end }}
+ Message:	{{ .UpdateStatusMessage }}
+{{- end }}
+Placement:
+{{- if .TaskPlacementConstraints }}
+ Constraints:	{{ .TaskPlacementConstraints }}
+{{- end }}
+{{- if .TaskPlacementPreferences }}
+ Preferences:   {{ .TaskPlacementPreferences }}
+{{- end }}
+{{- if .HasUpdateConfig }}
+UpdateConfig:
+ Parallelism:	{{ .UpdateParallelism }}
+{{- if .HasUpdateDelay}}
+ Delay:		{{ .UpdateDelay }}
+{{- end }}
+ On failure:	{{ .UpdateOnFailure }}
+{{- if .HasUpdateMonitor}}
+ Monitoring Period: {{ .UpdateMonitor }}
+{{- end }}
+ Max failure ratio: {{ .UpdateMaxFailureRatio }}
+ Update order:      {{ .UpdateOrder }}
+{{- end }}
+{{- if .HasRollbackConfig }}
+RollbackConfig:
+ Parallelism:	{{ .RollbackParallelism }}
+{{- if .HasRollbackDelay}}
+ Delay:		{{ .RollbackDelay }}
+{{- end }}
+ On failure:	{{ .RollbackOnFailure }}
+{{- if .HasRollbackMonitor}}
+ Monitoring Period: {{ .RollbackMonitor }}
+{{- end }}
+ Max failure ratio: {{ .RollbackMaxFailureRatio }}
+ Rollback order:    {{ .RollbackOrder }}
+{{- end }}
+ContainerSpec:
+ Image:		{{ .ContainerImage }}
+{{- if .ContainerArgs }}
+ Args:		{{ range $arg := .ContainerArgs }}{{ $arg }} {{ end }}
+{{- end -}}
+{{- if .ContainerEnv }}
+ Env:		{{ range $env := .ContainerEnv }}{{ $env }} {{ end }}
+{{- end -}}
+{{- if .ContainerWorkDir }}
+ Dir:		{{ .ContainerWorkDir }}
+{{- end -}}
+{{- if .HasContainerInit }}
+ Init:		{{ .ContainerInit }}
+{{- end -}}
+{{- if .ContainerUser }}
+ User: {{ .ContainerUser }}
+{{- end }}
+{{- if .ContainerMounts }}
+Mounts:
+{{- end }}
+{{- range $mount := .ContainerMounts }}
+ Target:	{{ $mount.Target }}
+  Source:	{{ $mount.Source }}
+  ReadOnly:	{{ $mount.ReadOnly }}
+  Type:		{{ $mount.Type }}
+{{- end -}}
+{{- if .Configs}}
+Configs:
+{{- range $config := .Configs }}
+ Target:	{{$config.File.Name}}
+  Source:	{{$config.ConfigName}}
+{{- end }}{{ end }}
+{{- if .Secrets }}
+Secrets:
+{{- range $secret := .Secrets }}
+ Target:	{{$secret.File.Name}}
+  Source:	{{$secret.SecretName}}
+{{- end }}{{ end }}
+{{- if .HasResources }}
+Resources:
+{{- if .HasResourceReservations }}
+ Reservations:
+{{- if gt .ResourceReservationNanoCPUs 0.0 }}
+  CPU:		{{ .ResourceReservationNanoCPUs }}
+{{- end }}
+{{- if .ResourceReservationMemory }}
+  Memory:	{{ .ResourceReservationMemory }}
+{{- end }}{{ end }}
+{{- if .HasResourceLimits }}
+ Limits:
+{{- if gt .ResourceLimitsNanoCPUs 0.0 }}
+  CPU:		{{ .ResourceLimitsNanoCPUs }}
+{{- end }}
+{{- if .ResourceLimitMemory }}
+  Memory:	{{ .ResourceLimitMemory }}
+{{- end }}{{ end }}{{ end }}
+{{- if .Networks }}
+Networks:
+{{- range $network := .Networks }} {{ $network }}{{ end }} {{ end }}
+Endpoint Mode:	{{ .EndpointMode }}
+{{- if .Ports }}
+Ports:
+{{- range $port := .Ports }}
+ PublishedPort = {{ $port.PublishedPort }}
+  Protocol = {{ $port.Protocol }}
+  TargetPort = {{ $port.TargetPort }}
+  PublishMode = {{ $port.PublishMode }}
+{{- end }} {{ end -}}
+`
+
+// NewServiceFormat returns a Format for rendering using a Context
+func NewServiceFormat(source string) Format {
+	switch source {
+	case PrettyFormatKey:
+		return serviceInspectPrettyTemplate
+	default:
+		return Format(strings.TrimPrefix(source, RawFormatKey))
+	}
+}
+
+func resolveNetworks(service swarm.Service, getNetwork inspect.GetRefFunc) map[string]string {
+	networkNames := make(map[string]string)
+	for _, network := range service.Spec.TaskTemplate.Networks {
+		if resolved, _, err := getNetwork(network.Target); err == nil {
+			if resolvedNetwork, ok := resolved.(types.NetworkResource); ok {
+				networkNames[resolvedNetwork.ID] = resolvedNetwork.Name
+			}
+		}
+	}
+	return networkNames
+}
+
+// ServiceInspectWrite renders the context for a list of services
+func ServiceInspectWrite(ctx Context, refs []string, getRef, getNetwork inspect.GetRefFunc) error {
+	if ctx.Format != serviceInspectPrettyTemplate {
+		return inspect.Inspect(ctx.Output, refs, string(ctx.Format), getRef)
+	}
+	render := func(format func(subContext subContext) error) error {
+		for _, ref := range refs {
+			serviceI, _, err := getRef(ref)
+			if err != nil {
+				return err
+			}
+			service, ok := serviceI.(swarm.Service)
+			if !ok {
+				return errors.Errorf("got wrong object to inspect")
+			}
+			if err := format(&serviceInspectContext{Service: service, networkNames: resolveNetworks(service, getNetwork)}); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(&serviceInspectContext{}, render)
+}
+
+type serviceInspectContext struct {
+	swarm.Service
+	subContext
+
+	// networkNames is a map from network IDs (as found in
+	// Networks[x].Target) to network names.
+	networkNames map[string]string
+}
+
+func (ctx *serviceInspectContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(ctx)
+}
+
+func (ctx *serviceInspectContext) ID() string {
+	return ctx.Service.ID
+}
+
+func (ctx *serviceInspectContext) Name() string {
+	return ctx.Service.Spec.Name
+}
+
+func (ctx *serviceInspectContext) Labels() map[string]string {
+	return ctx.Service.Spec.Labels
+}
+
+func (ctx *serviceInspectContext) Configs() []*swarm.ConfigReference {
+	return ctx.Service.Spec.TaskTemplate.ContainerSpec.Configs
+}
+
+func (ctx *serviceInspectContext) Secrets() []*swarm.SecretReference {
+	return ctx.Service.Spec.TaskTemplate.ContainerSpec.Secrets
+}
+
+func (ctx *serviceInspectContext) IsModeGlobal() bool {
+	return ctx.Service.Spec.Mode.Global != nil
+}
+
+func (ctx *serviceInspectContext) IsModeReplicated() bool {
+	return ctx.Service.Spec.Mode.Replicated != nil
+}
+
+func (ctx *serviceInspectContext) ModeReplicatedReplicas() *uint64 {
+	return ctx.Service.Spec.Mode.Replicated.Replicas
+}
+
+func (ctx *serviceInspectContext) HasUpdateStatus() bool {
+	return ctx.Service.UpdateStatus != nil && ctx.Service.UpdateStatus.State != ""
+}
+
+func (ctx *serviceInspectContext) UpdateStatusState() swarm.UpdateState {
+	return ctx.Service.UpdateStatus.State
+}
+
+func (ctx *serviceInspectContext) HasUpdateStatusStarted() bool {
+	return ctx.Service.UpdateStatus.StartedAt != nil
+}
+
+func (ctx *serviceInspectContext) UpdateStatusStarted() string {
+	return units.HumanDuration(time.Since(*ctx.Service.UpdateStatus.StartedAt)) + " ago"
+}
+
+func (ctx *serviceInspectContext) UpdateIsCompleted() bool {
+	return ctx.Service.UpdateStatus.State == swarm.UpdateStateCompleted && ctx.Service.UpdateStatus.CompletedAt != nil
+}
+
+func (ctx *serviceInspectContext) UpdateStatusCompleted() string {
+	return units.HumanDuration(time.Since(*ctx.Service.UpdateStatus.CompletedAt)) + " ago"
+}
+
+func (ctx *serviceInspectContext) UpdateStatusMessage() string {
+	return ctx.Service.UpdateStatus.Message
+}
+
+func (ctx *serviceInspectContext) TaskPlacementConstraints() []string {
+	if ctx.Service.Spec.TaskTemplate.Placement != nil {
+		return ctx.Service.Spec.TaskTemplate.Placement.Constraints
+	}
+	return nil
+}
+
+func (ctx *serviceInspectContext) TaskPlacementPreferences() []string {
+	if ctx.Service.Spec.TaskTemplate.Placement == nil {
+		return nil
+	}
+	var strings []string
+	for _, pref := range ctx.Service.Spec.TaskTemplate.Placement.Preferences {
+		if pref.Spread != nil {
+			strings = append(strings, "spread="+pref.Spread.SpreadDescriptor)
+		}
+	}
+	return strings
+}
+
+func (ctx *serviceInspectContext) HasUpdateConfig() bool {
+	return ctx.Service.Spec.UpdateConfig != nil
+}
+
+func (ctx *serviceInspectContext) UpdateParallelism() uint64 {
+	return ctx.Service.Spec.UpdateConfig.Parallelism
+}
+
+func (ctx *serviceInspectContext) HasUpdateDelay() bool {
+	return ctx.Service.Spec.UpdateConfig.Delay.Nanoseconds() > 0
+}
+
+func (ctx *serviceInspectContext) UpdateDelay() time.Duration {
+	return ctx.Service.Spec.UpdateConfig.Delay
+}
+
+func (ctx *serviceInspectContext) UpdateOnFailure() string {
+	return ctx.Service.Spec.UpdateConfig.FailureAction
+}
+
+func (ctx *serviceInspectContext) UpdateOrder() string {
+	return ctx.Service.Spec.UpdateConfig.Order
+}
+
+func (ctx *serviceInspectContext) HasUpdateMonitor() bool {
+	return ctx.Service.Spec.UpdateConfig.Monitor.Nanoseconds() > 0
+}
+
+func (ctx *serviceInspectContext) UpdateMonitor() time.Duration {
+	return ctx.Service.Spec.UpdateConfig.Monitor
+}
+
+func (ctx *serviceInspectContext) UpdateMaxFailureRatio() float32 {
+	return ctx.Service.Spec.UpdateConfig.MaxFailureRatio
+}
+
+func (ctx *serviceInspectContext) HasRollbackConfig() bool {
+	return ctx.Service.Spec.RollbackConfig != nil
+}
+
+func (ctx *serviceInspectContext) RollbackParallelism() uint64 {
+	return ctx.Service.Spec.RollbackConfig.Parallelism
+}
+
+func (ctx *serviceInspectContext) HasRollbackDelay() bool {
+	return ctx.Service.Spec.RollbackConfig.Delay.Nanoseconds() > 0
+}
+
+func (ctx *serviceInspectContext) RollbackDelay() time.Duration {
+	return ctx.Service.Spec.RollbackConfig.Delay
+}
+
+func (ctx *serviceInspectContext) RollbackOnFailure() string {
+	return ctx.Service.Spec.RollbackConfig.FailureAction
+}
+
+func (ctx *serviceInspectContext) HasRollbackMonitor() bool {
+	return ctx.Service.Spec.RollbackConfig.Monitor.Nanoseconds() > 0
+}
+
+func (ctx *serviceInspectContext) RollbackMonitor() time.Duration {
+	return ctx.Service.Spec.RollbackConfig.Monitor
+}
+
+func (ctx *serviceInspectContext) RollbackMaxFailureRatio() float32 {
+	return ctx.Service.Spec.RollbackConfig.MaxFailureRatio
+}
+
+func (ctx *serviceInspectContext) RollbackOrder() string {
+	return ctx.Service.Spec.RollbackConfig.Order
+}
+
+func (ctx *serviceInspectContext) ContainerImage() string {
+	return ctx.Service.Spec.TaskTemplate.ContainerSpec.Image
+}
+
+func (ctx *serviceInspectContext) ContainerArgs() []string {
+	return ctx.Service.Spec.TaskTemplate.ContainerSpec.Args
+}
+
+func (ctx *serviceInspectContext) ContainerEnv() []string {
+	return ctx.Service.Spec.TaskTemplate.ContainerSpec.Env
+}
+
+func (ctx *serviceInspectContext) ContainerWorkDir() string {
+	return ctx.Service.Spec.TaskTemplate.ContainerSpec.Dir
+}
+
+func (ctx *serviceInspectContext) ContainerUser() string {
+	return ctx.Service.Spec.TaskTemplate.ContainerSpec.User
+}
+
+func (ctx *serviceInspectContext) HasContainerInit() bool {
+	return ctx.Service.Spec.TaskTemplate.ContainerSpec.Init != nil
+}
+
+func (ctx *serviceInspectContext) ContainerInit() bool {
+	return *ctx.Service.Spec.TaskTemplate.ContainerSpec.Init
+}
+
+func (ctx *serviceInspectContext) ContainerMounts() []mounttypes.Mount {
+	return ctx.Service.Spec.TaskTemplate.ContainerSpec.Mounts
+}
+
+func (ctx *serviceInspectContext) HasResources() bool {
+	return ctx.Service.Spec.TaskTemplate.Resources != nil
+}
+
+func (ctx *serviceInspectContext) HasResourceReservations() bool {
+	if ctx.Service.Spec.TaskTemplate.Resources == nil || ctx.Service.Spec.TaskTemplate.Resources.Reservations == nil {
+		return false
+	}
+	return ctx.Service.Spec.TaskTemplate.Resources.Reservations.NanoCPUs > 0 || ctx.Service.Spec.TaskTemplate.Resources.Reservations.MemoryBytes > 0
+}
+
+func (ctx *serviceInspectContext) ResourceReservationNanoCPUs() float64 {
+	if ctx.Service.Spec.TaskTemplate.Resources.Reservations.NanoCPUs == 0 {
+		return float64(0)
+	}
+	return float64(ctx.Service.Spec.TaskTemplate.Resources.Reservations.NanoCPUs) / 1e9
+}
+
+func (ctx *serviceInspectContext) ResourceReservationMemory() string {
+	if ctx.Service.Spec.TaskTemplate.Resources.Reservations.MemoryBytes == 0 {
+		return ""
+	}
+	return units.BytesSize(float64(ctx.Service.Spec.TaskTemplate.Resources.Reservations.MemoryBytes))
+}
+
+func (ctx *serviceInspectContext) HasResourceLimits() bool {
+	if ctx.Service.Spec.TaskTemplate.Resources == nil || ctx.Service.Spec.TaskTemplate.Resources.Limits == nil {
+		return false
+	}
+	return ctx.Service.Spec.TaskTemplate.Resources.Limits.NanoCPUs > 0 || ctx.Service.Spec.TaskTemplate.Resources.Limits.MemoryBytes > 0
+}
+
+func (ctx *serviceInspectContext) ResourceLimitsNanoCPUs() float64 {
+	return float64(ctx.Service.Spec.TaskTemplate.Resources.Limits.NanoCPUs) / 1e9
+}
+
+func (ctx *serviceInspectContext) ResourceLimitMemory() string {
+	if ctx.Service.Spec.TaskTemplate.Resources.Limits.MemoryBytes == 0 {
+		return ""
+	}
+	return units.BytesSize(float64(ctx.Service.Spec.TaskTemplate.Resources.Limits.MemoryBytes))
+}
+
+func (ctx *serviceInspectContext) Networks() []string {
+	var out []string
+	for _, n := range ctx.Service.Spec.TaskTemplate.Networks {
+		if name, ok := ctx.networkNames[n.Target]; ok {
+			out = append(out, name)
+		} else {
+			out = append(out, n.Target)
+		}
+	}
+	return out
+}
+
+func (ctx *serviceInspectContext) EndpointMode() string {
+	if ctx.Service.Spec.EndpointSpec == nil {
+		return ""
+	}
+
+	return string(ctx.Service.Spec.EndpointSpec.Mode)
+}
+
+func (ctx *serviceInspectContext) Ports() []swarm.PortConfig {
+	return ctx.Service.Endpoint.Ports
+}
+
+const (
+	defaultServiceTableFormat = "table {{.ID}}\t{{.Name}}\t{{.Mode}}\t{{.Replicas}}\t{{.Image}}\t{{.Ports}}"
+
+	serviceIDHeader = "ID"
+	modeHeader      = "MODE"
+	replicasHeader  = "REPLICAS"
+)
+
+// NewServiceListFormat returns a Format for rendering using a service Context
+func NewServiceListFormat(source string, quiet bool) Format {
+	switch source {
+	case TableFormatKey:
+		if quiet {
+			return defaultQuietFormat
+		}
+		return defaultServiceTableFormat
+	case RawFormatKey:
+		if quiet {
+			return `id: {{.ID}}`
+		}
+		return `id: {{.ID}}\nname: {{.Name}}\nmode: {{.Mode}}\nreplicas: {{.Replicas}}\nimage: {{.Image}}\nports: {{.Ports}}\n`
+	}
+	return Format(source)
+}
+
+// ServiceListInfo stores the information about mode and replicas to be used by template
+type ServiceListInfo struct {
+	Mode     string
+	Replicas string
+}
+
+// ServiceListWrite writes the context
+func ServiceListWrite(ctx Context, services []swarm.Service, info map[string]ServiceListInfo) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, service := range services {
+			serviceCtx := &serviceContext{service: service, mode: info[service.ID].Mode, replicas: info[service.ID].Replicas}
+			if err := format(serviceCtx); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	serviceCtx := serviceContext{}
+	serviceCtx.header = map[string]string{
+		"ID":       serviceIDHeader,
+		"Name":     nameHeader,
+		"Mode":     modeHeader,
+		"Replicas": replicasHeader,
+		"Image":    imageHeader,
+		"Ports":    portsHeader,
+	}
+	return ctx.Write(&serviceCtx, render)
+}
+
+type serviceContext struct {
+	HeaderContext
+	service  swarm.Service
+	mode     string
+	replicas string
+}
+
+func (c *serviceContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *serviceContext) ID() string {
+	return stringid.TruncateID(c.service.ID)
+}
+
+func (c *serviceContext) Name() string {
+	return c.service.Spec.Name
+}
+
+func (c *serviceContext) Mode() string {
+	return c.mode
+}
+
+func (c *serviceContext) Replicas() string {
+	return c.replicas
+}
+
+func (c *serviceContext) Image() string {
+	var image string
+	if c.service.Spec.TaskTemplate.ContainerSpec != nil {
+		image = c.service.Spec.TaskTemplate.ContainerSpec.Image
+	}
+	if ref, err := reference.ParseNormalizedNamed(image); err == nil {
+		// update image string for display, (strips any digest)
+		if nt, ok := ref.(reference.NamedTagged); ok {
+			if namedTagged, err := reference.WithTag(reference.TrimNamed(nt), nt.Tag()); err == nil {
+				image = reference.FamiliarString(namedTagged)
+			}
+		}
+	}
+
+	return image
+}
+
+type portRange struct {
+	pStart   uint32
+	pEnd     uint32
+	tStart   uint32
+	tEnd     uint32
+	protocol swarm.PortConfigProtocol
+}
+
+func (pr portRange) String() string {
+	var (
+		pub string
+		tgt string
+	)
+
+	if pr.pEnd > pr.pStart {
+		pub = fmt.Sprintf("%d-%d", pr.pStart, pr.pEnd)
+	} else {
+		pub = fmt.Sprintf("%d", pr.pStart)
+	}
+	if pr.tEnd > pr.tStart {
+		tgt = fmt.Sprintf("%d-%d", pr.tStart, pr.tEnd)
+	} else {
+		tgt = fmt.Sprintf("%d", pr.tStart)
+	}
+	return fmt.Sprintf("*:%s->%s/%s", pub, tgt, pr.protocol)
+}
+
+// Ports formats published ports on the ingress network for output.
+//
+// Where possible, ranges are grouped to produce a compact output:
+// - multiple ports mapped to a single port (80->80, 81->80); is formatted as *:80-81->80
+// - multiple consecutive ports on both sides; (80->80, 81->81) are formatted as: *:80-81->80-81
+//
+// The above should not be grouped together, i.e.:
+// - 80->80, 81->81, 82->80 should be presented as : *:80-81->80-81, *:82->80
+//
+// TODO improve:
+// - combine non-consecutive ports mapped to a single port (80->80, 81->80, 84->80, 86->80, 87->80); to be printed as *:80-81,84,86-87->80
+// - combine tcp and udp mappings if their port-mapping is exactly the same (*:80-81->80-81/tcp+udp instead of *:80-81->80-81/tcp, *:80-81->80-81/udp)
+func (c *serviceContext) Ports() string {
+	if c.service.Endpoint.Ports == nil {
+		return ""
+	}
+
+	pr := portRange{}
+	ports := []string{}
+
+	sort.Sort(byProtocolAndPublishedPort(c.service.Endpoint.Ports))
+
+	for _, p := range c.service.Endpoint.Ports {
+		if p.PublishMode == swarm.PortConfigPublishModeIngress {
+			prIsRange := pr.tEnd != pr.tStart
+			tOverlaps := p.TargetPort <= pr.tEnd
+
+			// Start a new port-range if:
+			// - the protocol is different from the current port-range
+			// - published or target port are not consecutive to the current port-range
+			// - the current port-range is a _range_, and the target port overlaps with the current range's target-ports
+			if p.Protocol != pr.protocol || p.PublishedPort-pr.pEnd > 1 || p.TargetPort-pr.tEnd > 1 || prIsRange && tOverlaps {
+				// start a new port-range, and print the previous port-range (if any)
+				if pr.pStart > 0 {
+					ports = append(ports, pr.String())
+				}
+				pr = portRange{
+					pStart:   p.PublishedPort,
+					pEnd:     p.PublishedPort,
+					tStart:   p.TargetPort,
+					tEnd:     p.TargetPort,
+					protocol: p.Protocol,
+				}
+				continue
+			}
+			pr.pEnd = p.PublishedPort
+			pr.tEnd = p.TargetPort
+		}
+	}
+	if pr.pStart > 0 {
+		ports = append(ports, pr.String())
+	}
+	return strings.Join(ports, ", ")
+}
+
+type byProtocolAndPublishedPort []swarm.PortConfig
+
+func (a byProtocolAndPublishedPort) Len() int      { return len(a) }
+func (a byProtocolAndPublishedPort) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+func (a byProtocolAndPublishedPort) Less(i, j int) bool {
+	if a[i].Protocol == a[j].Protocol {
+		return a[i].PublishedPort < a[j].PublishedPort
+	}
+	return a[i].Protocol < a[j].Protocol
+}
diff --git a/cli/cli/command/formatter/service_test.go b/cli/cli/command/formatter/service_test.go
new file mode 100644
index 00000000..243899d1
--- /dev/null
+++ b/cli/cli/command/formatter/service_test.go
@@ -0,0 +1,359 @@
+package formatter
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestServiceContextWrite(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+		// Errors
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table format
+		{
+			Context{Format: NewServiceListFormat("table", false)},
+			`ID                  NAME                MODE                REPLICAS            IMAGE               PORTS
+id_baz              baz                 global              2/4                                     *:80->8080/tcp
+id_bar              bar                 replicated          2/4                                     *:80->8080/tcp
+`,
+		},
+		{
+			Context{Format: NewServiceListFormat("table", true)},
+			`id_baz
+id_bar
+`,
+		},
+		{
+			Context{Format: NewServiceListFormat("table {{.Name}}", false)},
+			`NAME
+baz
+bar
+`,
+		},
+		{
+			Context{Format: NewServiceListFormat("table {{.Name}}", true)},
+			`NAME
+baz
+bar
+`,
+		},
+		// Raw Format
+		{
+			Context{Format: NewServiceListFormat("raw", false)},
+			string(golden.Get(t, "service-context-write-raw.golden")),
+		},
+		{
+			Context{Format: NewServiceListFormat("raw", true)},
+			`id: id_baz
+id: id_bar
+`,
+		},
+		// Custom Format
+		{
+			Context{Format: NewServiceListFormat("{{.Name}}", false)},
+			`baz
+bar
+`,
+		},
+	}
+
+	for _, testcase := range cases {
+		services := []swarm.Service{
+			{
+				ID: "id_baz",
+				Spec: swarm.ServiceSpec{
+					Annotations: swarm.Annotations{Name: "baz"},
+				},
+				Endpoint: swarm.Endpoint{
+					Ports: []swarm.PortConfig{
+						{
+							PublishMode:   "ingress",
+							PublishedPort: 80,
+							TargetPort:    8080,
+							Protocol:      "tcp",
+						},
+					},
+				},
+			},
+			{
+				ID: "id_bar",
+				Spec: swarm.ServiceSpec{
+					Annotations: swarm.Annotations{Name: "bar"},
+				},
+				Endpoint: swarm.Endpoint{
+					Ports: []swarm.PortConfig{
+						{
+							PublishMode:   "ingress",
+							PublishedPort: 80,
+							TargetPort:    8080,
+							Protocol:      "tcp",
+						},
+					},
+				},
+			},
+		}
+		info := map[string]ServiceListInfo{
+			"id_baz": {
+				Mode:     "global",
+				Replicas: "2/4",
+			},
+			"id_bar": {
+				Mode:     "replicated",
+				Replicas: "2/4",
+			},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := ServiceListWrite(testcase.context, services, info)
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
+
+func TestServiceContextWriteJSON(t *testing.T) {
+	services := []swarm.Service{
+		{
+			ID: "id_baz",
+			Spec: swarm.ServiceSpec{
+				Annotations: swarm.Annotations{Name: "baz"},
+			},
+			Endpoint: swarm.Endpoint{
+				Ports: []swarm.PortConfig{
+					{
+						PublishMode:   "ingress",
+						PublishedPort: 80,
+						TargetPort:    8080,
+						Protocol:      "tcp",
+					},
+				},
+			},
+		},
+		{
+			ID: "id_bar",
+			Spec: swarm.ServiceSpec{
+				Annotations: swarm.Annotations{Name: "bar"},
+			},
+			Endpoint: swarm.Endpoint{
+				Ports: []swarm.PortConfig{
+					{
+						PublishMode:   "ingress",
+						PublishedPort: 80,
+						TargetPort:    8080,
+						Protocol:      "tcp",
+					},
+				},
+			},
+		},
+	}
+	info := map[string]ServiceListInfo{
+		"id_baz": {
+			Mode:     "global",
+			Replicas: "2/4",
+		},
+		"id_bar": {
+			Mode:     "replicated",
+			Replicas: "2/4",
+		},
+	}
+	expectedJSONs := []map[string]interface{}{
+		{"ID": "id_baz", "Name": "baz", "Mode": "global", "Replicas": "2/4", "Image": "", "Ports": "*:80->8080/tcp"},
+		{"ID": "id_bar", "Name": "bar", "Mode": "replicated", "Replicas": "2/4", "Image": "", "Ports": "*:80->8080/tcp"},
+	}
+
+	out := bytes.NewBufferString("")
+	err := ServiceListWrite(Context{Format: "{{json .}}", Output: out}, services, info)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		msg := fmt.Sprintf("Output: line %d: %s", i, line)
+		var m map[string]interface{}
+		err := json.Unmarshal([]byte(line), &m)
+		assert.NilError(t, err, msg)
+		assert.Check(t, is.DeepEqual(expectedJSONs[i], m), msg)
+	}
+}
+func TestServiceContextWriteJSONField(t *testing.T) {
+	services := []swarm.Service{
+		{ID: "id_baz", Spec: swarm.ServiceSpec{Annotations: swarm.Annotations{Name: "baz"}}},
+		{ID: "id_bar", Spec: swarm.ServiceSpec{Annotations: swarm.Annotations{Name: "bar"}}},
+	}
+	info := map[string]ServiceListInfo{
+		"id_baz": {
+			Mode:     "global",
+			Replicas: "2/4",
+		},
+		"id_bar": {
+			Mode:     "replicated",
+			Replicas: "2/4",
+		},
+	}
+	out := bytes.NewBufferString("")
+	err := ServiceListWrite(Context{Format: "{{json .Name}}", Output: out}, services, info)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		msg := fmt.Sprintf("Output: line %d: %s", i, line)
+		var s string
+		err := json.Unmarshal([]byte(line), &s)
+		assert.NilError(t, err, msg)
+		assert.Check(t, is.Equal(services[i].Spec.Name, s), msg)
+	}
+}
+
+func TestServiceContext_Ports(t *testing.T) {
+	c := serviceContext{
+		service: swarm.Service{
+			Endpoint: swarm.Endpoint{
+				Ports: []swarm.PortConfig{
+					{
+						Protocol:      "tcp",
+						TargetPort:    80,
+						PublishedPort: 81,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "tcp",
+						TargetPort:    80,
+						PublishedPort: 80,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "tcp",
+						TargetPort:    95,
+						PublishedPort: 95,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "tcp",
+						TargetPort:    90,
+						PublishedPort: 90,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "tcp",
+						TargetPort:    91,
+						PublishedPort: 91,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "tcp",
+						TargetPort:    92,
+						PublishedPort: 92,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "tcp",
+						TargetPort:    93,
+						PublishedPort: 93,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "tcp",
+						TargetPort:    94,
+						PublishedPort: 94,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "udp",
+						TargetPort:    95,
+						PublishedPort: 95,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "udp",
+						TargetPort:    90,
+						PublishedPort: 90,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "udp",
+						TargetPort:    96,
+						PublishedPort: 96,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "udp",
+						TargetPort:    91,
+						PublishedPort: 91,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "udp",
+						TargetPort:    92,
+						PublishedPort: 92,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "udp",
+						TargetPort:    93,
+						PublishedPort: 93,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "udp",
+						TargetPort:    94,
+						PublishedPort: 94,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "tcp",
+						TargetPort:    60,
+						PublishedPort: 60,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "tcp",
+						TargetPort:    61,
+						PublishedPort: 61,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "tcp",
+						TargetPort:    61,
+						PublishedPort: 62,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "sctp",
+						TargetPort:    97,
+						PublishedPort: 97,
+						PublishMode:   "ingress",
+					},
+					{
+						Protocol:      "sctp",
+						TargetPort:    98,
+						PublishedPort: 98,
+						PublishMode:   "ingress",
+					},
+				},
+			},
+		},
+	}
+
+	assert.Check(t, is.Equal("*:97-98->97-98/sctp, *:60-61->60-61/tcp, *:62->61/tcp, *:80-81->80/tcp, *:90-95->90-95/tcp, *:90-96->90-96/udp", c.Ports()))
+}
diff --git a/cli/cli/command/formatter/stack.go b/cli/cli/command/formatter/stack.go
new file mode 100644
index 00000000..965eaf60
--- /dev/null
+++ b/cli/cli/command/formatter/stack.go
@@ -0,0 +1,77 @@
+package formatter
+
+import (
+	"strconv"
+)
+
+const (
+	// KubernetesStackTableFormat is the default Kubernetes stack format
+	KubernetesStackTableFormat = "table {{.Name}}\t{{.Services}}\t{{.Orchestrator}}\t{{.Namespace}}"
+	// SwarmStackTableFormat is the default Swarm stack format
+	SwarmStackTableFormat = "table {{.Name}}\t{{.Services}}\t{{.Orchestrator}}"
+
+	stackServicesHeader      = "SERVICES"
+	stackOrchestrastorHeader = "ORCHESTRATOR"
+	stackNamespaceHeader     = "NAMESPACE"
+)
+
+// Stack contains deployed stack information.
+type Stack struct {
+	// Name is the name of the stack
+	Name string
+	// Services is the number of the services
+	Services int
+	// Orchestrator is the platform where the stack is deployed
+	Orchestrator string
+	// Namespace is the Kubernetes namespace assigned to the stack
+	Namespace string
+}
+
+// StackWrite writes formatted stacks using the Context
+func StackWrite(ctx Context, stacks []*Stack) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, stack := range stacks {
+			if err := format(&stackContext{s: stack}); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(newStackContext(), render)
+}
+
+type stackContext struct {
+	HeaderContext
+	s *Stack
+}
+
+func newStackContext() *stackContext {
+	stackCtx := stackContext{}
+	stackCtx.header = map[string]string{
+		"Name":         nameHeader,
+		"Services":     stackServicesHeader,
+		"Orchestrator": stackOrchestrastorHeader,
+		"Namespace":    stackNamespaceHeader,
+	}
+	return &stackCtx
+}
+
+func (s *stackContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(s)
+}
+
+func (s *stackContext) Name() string {
+	return s.s.Name
+}
+
+func (s *stackContext) Services() string {
+	return strconv.Itoa(s.s.Services)
+}
+
+func (s *stackContext) Orchestrator() string {
+	return s.s.Orchestrator
+}
+
+func (s *stackContext) Namespace() string {
+	return s.s.Namespace
+}
diff --git a/cli/cli/command/formatter/stack_test.go b/cli/cli/command/formatter/stack_test.go
new file mode 100644
index 00000000..44a08406
--- /dev/null
+++ b/cli/cli/command/formatter/stack_test.go
@@ -0,0 +1,73 @@
+package formatter
+
+import (
+	"bytes"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestStackContextWrite(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+		// Errors
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table format
+		{
+			Context{Format: Format(SwarmStackTableFormat)},
+			`NAME                SERVICES            ORCHESTRATOR
+baz                 2                   orchestrator1
+bar                 1                   orchestrator2
+`,
+		},
+		// Kubernetes table format adds Namespace column
+		{
+			Context{Format: Format(KubernetesStackTableFormat)},
+			`NAME                SERVICES            ORCHESTRATOR        NAMESPACE
+baz                 2                   orchestrator1       namespace1
+bar                 1                   orchestrator2       namespace2
+`,
+		},
+		{
+			Context{Format: Format("table {{.Name}}")},
+			`NAME
+baz
+bar
+`,
+		},
+		// Custom Format
+		{
+			Context{Format: Format("{{.Name}}")},
+			`baz
+bar
+`,
+		},
+	}
+
+	stacks := []*Stack{
+		{Name: "baz", Services: 2, Orchestrator: "orchestrator1", Namespace: "namespace1"},
+		{Name: "bar", Services: 1, Orchestrator: "orchestrator2", Namespace: "namespace2"},
+	}
+	for _, testcase := range cases {
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := StackWrite(testcase.context, stacks)
+		if err != nil {
+			assert.Check(t, is.ErrorContains(err, testcase.expected))
+		} else {
+			assert.Check(t, is.Equal(out.String(), testcase.expected))
+		}
+	}
+}
diff --git a/cli/cli/command/formatter/stats.go b/cli/cli/command/formatter/stats.go
new file mode 100644
index 00000000..0c210c6f
--- /dev/null
+++ b/cli/cli/command/formatter/stats.go
@@ -0,0 +1,224 @@
+package formatter
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/docker/docker/pkg/stringid"
+	units "github.com/docker/go-units"
+)
+
+const (
+	winOSType                  = "windows"
+	defaultStatsTableFormat    = "table {{.ID}}\t{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.MemPerc}}\t{{.NetIO}}\t{{.BlockIO}}\t{{.PIDs}}"
+	winDefaultStatsTableFormat = "table {{.ID}}\t{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.NetIO}}\t{{.BlockIO}}"
+
+	containerHeader = "CONTAINER"
+	cpuPercHeader   = "CPU %"
+	netIOHeader     = "NET I/O"
+	blockIOHeader   = "BLOCK I/O"
+	memPercHeader   = "MEM %"             // Used only on Linux
+	winMemUseHeader = "PRIV WORKING SET"  // Used only on Windows
+	memUseHeader    = "MEM USAGE / LIMIT" // Used only on Linux
+	pidsHeader      = "PIDS"              // Used only on Linux
+)
+
+// StatsEntry represents represents the statistics data collected from a container
+type StatsEntry struct {
+	Container        string
+	Name             string
+	ID               string
+	CPUPercentage    float64
+	Memory           float64 // On Windows this is the private working set
+	MemoryLimit      float64 // Not used on Windows
+	MemoryPercentage float64 // Not used on Windows
+	NetworkRx        float64
+	NetworkTx        float64
+	BlockRead        float64
+	BlockWrite       float64
+	PidsCurrent      uint64 // Not used on Windows
+	IsInvalid        bool
+}
+
+// ContainerStats represents an entity to store containers statistics synchronously
+type ContainerStats struct {
+	mutex sync.Mutex
+	StatsEntry
+	err error
+}
+
+// GetError returns the container statistics error.
+// This is used to determine whether the statistics are valid or not
+func (cs *ContainerStats) GetError() error {
+	cs.mutex.Lock()
+	defer cs.mutex.Unlock()
+	return cs.err
+}
+
+// SetErrorAndReset zeroes all the container statistics and store the error.
+// It is used when receiving time out error during statistics collecting to reduce lock overhead
+func (cs *ContainerStats) SetErrorAndReset(err error) {
+	cs.mutex.Lock()
+	defer cs.mutex.Unlock()
+	cs.CPUPercentage = 0
+	cs.Memory = 0
+	cs.MemoryPercentage = 0
+	cs.MemoryLimit = 0
+	cs.NetworkRx = 0
+	cs.NetworkTx = 0
+	cs.BlockRead = 0
+	cs.BlockWrite = 0
+	cs.PidsCurrent = 0
+	cs.err = err
+	cs.IsInvalid = true
+}
+
+// SetError sets container statistics error
+func (cs *ContainerStats) SetError(err error) {
+	cs.mutex.Lock()
+	defer cs.mutex.Unlock()
+	cs.err = err
+	if err != nil {
+		cs.IsInvalid = true
+	}
+}
+
+// SetStatistics set the container statistics
+func (cs *ContainerStats) SetStatistics(s StatsEntry) {
+	cs.mutex.Lock()
+	defer cs.mutex.Unlock()
+	s.Container = cs.Container
+	cs.StatsEntry = s
+}
+
+// GetStatistics returns container statistics with other meta data such as the container name
+func (cs *ContainerStats) GetStatistics() StatsEntry {
+	cs.mutex.Lock()
+	defer cs.mutex.Unlock()
+	return cs.StatsEntry
+}
+
+// NewStatsFormat returns a format for rendering an CStatsContext
+func NewStatsFormat(source, osType string) Format {
+	if source == TableFormatKey {
+		if osType == winOSType {
+			return Format(winDefaultStatsTableFormat)
+		}
+		return Format(defaultStatsTableFormat)
+	}
+	return Format(source)
+}
+
+// NewContainerStats returns a new ContainerStats entity and sets in it the given name
+func NewContainerStats(container string) *ContainerStats {
+	return &ContainerStats{StatsEntry: StatsEntry{Container: container}}
+}
+
+// ContainerStatsWrite renders the context for a list of containers statistics
+func ContainerStatsWrite(ctx Context, containerStats []StatsEntry, osType string, trunc bool) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, cstats := range containerStats {
+			containerStatsCtx := &containerStatsContext{
+				s:     cstats,
+				os:    osType,
+				trunc: trunc,
+			}
+			if err := format(containerStatsCtx); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	memUsage := memUseHeader
+	if osType == winOSType {
+		memUsage = winMemUseHeader
+	}
+	containerStatsCtx := containerStatsContext{}
+	containerStatsCtx.header = map[string]string{
+		"Container": containerHeader,
+		"Name":      nameHeader,
+		"ID":        containerIDHeader,
+		"CPUPerc":   cpuPercHeader,
+		"MemUsage":  memUsage,
+		"MemPerc":   memPercHeader,
+		"NetIO":     netIOHeader,
+		"BlockIO":   blockIOHeader,
+		"PIDs":      pidsHeader,
+	}
+	containerStatsCtx.os = osType
+	return ctx.Write(&containerStatsCtx, render)
+}
+
+type containerStatsContext struct {
+	HeaderContext
+	s     StatsEntry
+	os    string
+	trunc bool
+}
+
+func (c *containerStatsContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *containerStatsContext) Container() string {
+	return c.s.Container
+}
+
+func (c *containerStatsContext) Name() string {
+	if len(c.s.Name) > 1 {
+		return c.s.Name[1:]
+	}
+	return "--"
+}
+
+func (c *containerStatsContext) ID() string {
+	if c.trunc {
+		return stringid.TruncateID(c.s.ID)
+	}
+	return c.s.ID
+}
+
+func (c *containerStatsContext) CPUPerc() string {
+	if c.s.IsInvalid {
+		return fmt.Sprintf("--")
+	}
+	return fmt.Sprintf("%.2f%%", c.s.CPUPercentage)
+}
+
+func (c *containerStatsContext) MemUsage() string {
+	if c.s.IsInvalid {
+		return fmt.Sprintf("-- / --")
+	}
+	if c.os == winOSType {
+		return units.BytesSize(c.s.Memory)
+	}
+	return fmt.Sprintf("%s / %s", units.BytesSize(c.s.Memory), units.BytesSize(c.s.MemoryLimit))
+}
+
+func (c *containerStatsContext) MemPerc() string {
+	if c.s.IsInvalid || c.os == winOSType {
+		return fmt.Sprintf("--")
+	}
+	return fmt.Sprintf("%.2f%%", c.s.MemoryPercentage)
+}
+
+func (c *containerStatsContext) NetIO() string {
+	if c.s.IsInvalid {
+		return fmt.Sprintf("--")
+	}
+	return fmt.Sprintf("%s / %s", units.HumanSizeWithPrecision(c.s.NetworkRx, 3), units.HumanSizeWithPrecision(c.s.NetworkTx, 3))
+}
+
+func (c *containerStatsContext) BlockIO() string {
+	if c.s.IsInvalid {
+		return fmt.Sprintf("--")
+	}
+	return fmt.Sprintf("%s / %s", units.HumanSizeWithPrecision(c.s.BlockRead, 3), units.HumanSizeWithPrecision(c.s.BlockWrite, 3))
+}
+
+func (c *containerStatsContext) PIDs() string {
+	if c.s.IsInvalid || c.os == winOSType {
+		return fmt.Sprintf("--")
+	}
+	return fmt.Sprintf("%d", c.s.PidsCurrent)
+}
diff --git a/cli/cli/command/formatter/stats_test.go b/cli/cli/command/formatter/stats_test.go
new file mode 100644
index 00000000..3325dd9f
--- /dev/null
+++ b/cli/cli/command/formatter/stats_test.go
@@ -0,0 +1,301 @@
+package formatter
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestContainerStatsContext(t *testing.T) {
+	containerID := stringid.GenerateRandomID()
+
+	var ctx containerStatsContext
+	tt := []struct {
+		stats     StatsEntry
+		osType    string
+		expValue  string
+		expHeader string
+		call      func() string
+	}{
+		{StatsEntry{Container: containerID}, "", containerID, containerHeader, ctx.Container},
+		{StatsEntry{CPUPercentage: 5.5}, "", "5.50%", cpuPercHeader, ctx.CPUPerc},
+		{StatsEntry{CPUPercentage: 5.5, IsInvalid: true}, "", "--", cpuPercHeader, ctx.CPUPerc},
+		{StatsEntry{NetworkRx: 0.31, NetworkTx: 12.3}, "", "0.31B / 12.3B", netIOHeader, ctx.NetIO},
+		{StatsEntry{NetworkRx: 0.31, NetworkTx: 12.3, IsInvalid: true}, "", "--", netIOHeader, ctx.NetIO},
+		{StatsEntry{BlockRead: 0.1, BlockWrite: 2.3}, "", "0.1B / 2.3B", blockIOHeader, ctx.BlockIO},
+		{StatsEntry{BlockRead: 0.1, BlockWrite: 2.3, IsInvalid: true}, "", "--", blockIOHeader, ctx.BlockIO},
+		{StatsEntry{MemoryPercentage: 10.2}, "", "10.20%", memPercHeader, ctx.MemPerc},
+		{StatsEntry{MemoryPercentage: 10.2, IsInvalid: true}, "", "--", memPercHeader, ctx.MemPerc},
+		{StatsEntry{MemoryPercentage: 10.2}, "windows", "--", memPercHeader, ctx.MemPerc},
+		{StatsEntry{Memory: 24, MemoryLimit: 30}, "", "24B / 30B", memUseHeader, ctx.MemUsage},
+		{StatsEntry{Memory: 24, MemoryLimit: 30, IsInvalid: true}, "", "-- / --", memUseHeader, ctx.MemUsage},
+		{StatsEntry{Memory: 24, MemoryLimit: 30}, "windows", "24B", winMemUseHeader, ctx.MemUsage},
+		{StatsEntry{PidsCurrent: 10}, "", "10", pidsHeader, ctx.PIDs},
+		{StatsEntry{PidsCurrent: 10, IsInvalid: true}, "", "--", pidsHeader, ctx.PIDs},
+		{StatsEntry{PidsCurrent: 10}, "windows", "--", pidsHeader, ctx.PIDs},
+	}
+
+	for _, te := range tt {
+		ctx = containerStatsContext{s: te.stats, os: te.osType}
+		if v := te.call(); v != te.expValue {
+			t.Fatalf("Expected %q, got %q", te.expValue, v)
+		}
+	}
+}
+
+func TestContainerStatsContextWrite(t *testing.T) {
+	tt := []struct {
+		context  Context
+		expected string
+	}{
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		{
+			Context{Format: "table {{.MemUsage}}"},
+			`MEM USAGE / LIMIT
+20B / 20B
+-- / --
+`,
+		},
+		{
+			Context{Format: "{{.Container}}  {{.ID}}  {{.Name}}"},
+			`container1  abcdef  foo
+container2    --
+`,
+		},
+		{
+			Context{Format: "{{.Container}}  {{.CPUPerc}}"},
+			`container1  20.00%
+container2  --
+`,
+		},
+	}
+
+	for _, te := range tt {
+		stats := []StatsEntry{
+			{
+				Container:        "container1",
+				ID:               "abcdef",
+				Name:             "/foo",
+				CPUPercentage:    20,
+				Memory:           20,
+				MemoryLimit:      20,
+				MemoryPercentage: 20,
+				NetworkRx:        20,
+				NetworkTx:        20,
+				BlockRead:        20,
+				BlockWrite:       20,
+				PidsCurrent:      2,
+				IsInvalid:        false,
+			},
+			{
+				Container:        "container2",
+				CPUPercentage:    30,
+				Memory:           30,
+				MemoryLimit:      30,
+				MemoryPercentage: 30,
+				NetworkRx:        30,
+				NetworkTx:        30,
+				BlockRead:        30,
+				BlockWrite:       30,
+				PidsCurrent:      3,
+				IsInvalid:        true,
+			},
+		}
+		var out bytes.Buffer
+		te.context.Output = &out
+		err := ContainerStatsWrite(te.context, stats, "linux", false)
+		if err != nil {
+			assert.Error(t, err, te.expected)
+		} else {
+			assert.Check(t, is.Equal(te.expected, out.String()))
+		}
+	}
+}
+
+func TestContainerStatsContextWriteWindows(t *testing.T) {
+	tt := []struct {
+		context  Context
+		expected string
+	}{
+		{
+			Context{Format: "table {{.MemUsage}}"},
+			`PRIV WORKING SET
+20B
+-- / --
+`,
+		},
+		{
+			Context{Format: "{{.Container}}  {{.CPUPerc}}"},
+			`container1  20.00%
+container2  --
+`,
+		},
+		{
+			Context{Format: "{{.Container}}  {{.MemPerc}}  {{.PIDs}}"},
+			`container1  --  --
+container2  --  --
+`,
+		},
+	}
+
+	for _, te := range tt {
+		stats := []StatsEntry{
+			{
+				Container:        "container1",
+				CPUPercentage:    20,
+				Memory:           20,
+				MemoryLimit:      20,
+				MemoryPercentage: 20,
+				NetworkRx:        20,
+				NetworkTx:        20,
+				BlockRead:        20,
+				BlockWrite:       20,
+				PidsCurrent:      2,
+				IsInvalid:        false,
+			},
+			{
+				Container:        "container2",
+				CPUPercentage:    30,
+				Memory:           30,
+				MemoryLimit:      30,
+				MemoryPercentage: 30,
+				NetworkRx:        30,
+				NetworkTx:        30,
+				BlockRead:        30,
+				BlockWrite:       30,
+				PidsCurrent:      3,
+				IsInvalid:        true,
+			},
+		}
+		var out bytes.Buffer
+		te.context.Output = &out
+		err := ContainerStatsWrite(te.context, stats, "windows", false)
+		if err != nil {
+			assert.Error(t, err, te.expected)
+		} else {
+			assert.Check(t, is.Equal(te.expected, out.String()))
+		}
+	}
+}
+
+func TestContainerStatsContextWriteWithNoStats(t *testing.T) {
+	var out bytes.Buffer
+
+	contexts := []struct {
+		context  Context
+		expected string
+	}{
+		{
+			Context{
+				Format: "{{.Container}}",
+				Output: &out,
+			},
+			"",
+		},
+		{
+			Context{
+				Format: "table {{.Container}}",
+				Output: &out,
+			},
+			"CONTAINER\n",
+		},
+		{
+			Context{
+				Format: "table {{.Container}}\t{{.CPUPerc}}",
+				Output: &out,
+			},
+			"CONTAINER           CPU %\n",
+		},
+	}
+
+	for _, context := range contexts {
+		ContainerStatsWrite(context.context, []StatsEntry{}, "linux", false)
+		assert.Check(t, is.Equal(context.expected, out.String()))
+		// Clean buffer
+		out.Reset()
+	}
+}
+
+func TestContainerStatsContextWriteWithNoStatsWindows(t *testing.T) {
+	var out bytes.Buffer
+
+	contexts := []struct {
+		context  Context
+		expected string
+	}{
+		{
+			Context{
+				Format: "{{.Container}}",
+				Output: &out,
+			},
+			"",
+		},
+		{
+			Context{
+				Format: "table {{.Container}}\t{{.MemUsage}}",
+				Output: &out,
+			},
+			"CONTAINER           PRIV WORKING SET\n",
+		},
+		{
+			Context{
+				Format: "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}",
+				Output: &out,
+			},
+			"CONTAINER           CPU %               PRIV WORKING SET\n",
+		},
+	}
+
+	for _, context := range contexts {
+		ContainerStatsWrite(context.context, []StatsEntry{}, "windows", false)
+		assert.Check(t, is.Equal(context.expected, out.String()))
+		// Clean buffer
+		out.Reset()
+	}
+}
+
+func TestContainerStatsContextWriteTrunc(t *testing.T) {
+	var out bytes.Buffer
+
+	contexts := []struct {
+		context  Context
+		trunc    bool
+		expected string
+	}{
+		{
+			Context{
+				Format: "{{.ID}}",
+				Output: &out,
+			},
+			false,
+			"b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc\n",
+		},
+		{
+			Context{
+				Format: "{{.ID}}",
+				Output: &out,
+			},
+			true,
+			"b95a83497c91\n",
+		},
+	}
+
+	for _, context := range contexts {
+		ContainerStatsWrite(context.context, []StatsEntry{{ID: "b95a83497c9161c9b444e3d70e1a9dfba0c1840d41720e146a95a08ebf938afc"}}, "linux", context.trunc)
+		assert.Check(t, is.Equal(context.expected, out.String()))
+		// Clean buffer
+		out.Reset()
+	}
+}
diff --git a/cli/cli/command/formatter/task.go b/cli/cli/command/formatter/task.go
new file mode 100644
index 00000000..6172b320
--- /dev/null
+++ b/cli/cli/command/formatter/task.go
@@ -0,0 +1,150 @@
+package formatter
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/go-units"
+)
+
+const (
+	defaultTaskTableFormat = "table {{.ID}}\t{{.Name}}\t{{.Image}}\t{{.Node}}\t{{.DesiredState}}\t{{.CurrentState}}\t{{.Error}}\t{{.Ports}}"
+
+	nodeHeader         = "NODE"
+	taskIDHeader       = "ID"
+	desiredStateHeader = "DESIRED STATE"
+	currentStateHeader = "CURRENT STATE"
+	errorHeader        = "ERROR"
+
+	maxErrLength = 30
+)
+
+// NewTaskFormat returns a Format for rendering using a task Context
+func NewTaskFormat(source string, quiet bool) Format {
+	switch source {
+	case TableFormatKey:
+		if quiet {
+			return defaultQuietFormat
+		}
+		return defaultTaskTableFormat
+	case RawFormatKey:
+		if quiet {
+			return `id: {{.ID}}`
+		}
+		return `id: {{.ID}}\nname: {{.Name}}\nimage: {{.Image}}\nnode: {{.Node}}\ndesired_state: {{.DesiredState}}\ncurrent_state: {{.CurrentState}}\nerror: {{.Error}}\nports: {{.Ports}}\n`
+	}
+	return Format(source)
+}
+
+// TaskWrite writes the context
+func TaskWrite(ctx Context, tasks []swarm.Task, names map[string]string, nodes map[string]string) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, task := range tasks {
+			taskCtx := &taskContext{trunc: ctx.Trunc, task: task, name: names[task.ID], node: nodes[task.ID]}
+			if err := format(taskCtx); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	taskCtx := taskContext{}
+	taskCtx.header = taskHeaderContext{
+		"ID":           taskIDHeader,
+		"Name":         nameHeader,
+		"Image":        imageHeader,
+		"Node":         nodeHeader,
+		"DesiredState": desiredStateHeader,
+		"CurrentState": currentStateHeader,
+		"Error":        errorHeader,
+		"Ports":        portsHeader,
+	}
+	return ctx.Write(&taskCtx, render)
+}
+
+type taskHeaderContext map[string]string
+
+type taskContext struct {
+	HeaderContext
+	trunc bool
+	task  swarm.Task
+	name  string
+	node  string
+}
+
+func (c *taskContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *taskContext) ID() string {
+	if c.trunc {
+		return stringid.TruncateID(c.task.ID)
+	}
+	return c.task.ID
+}
+
+func (c *taskContext) Name() string {
+	return c.name
+}
+
+func (c *taskContext) Image() string {
+	image := c.task.Spec.ContainerSpec.Image
+	if c.trunc {
+		ref, err := reference.ParseNormalizedNamed(image)
+		if err == nil {
+			// update image string for display, (strips any digest)
+			if nt, ok := ref.(reference.NamedTagged); ok {
+				if namedTagged, err := reference.WithTag(reference.TrimNamed(nt), nt.Tag()); err == nil {
+					image = reference.FamiliarString(namedTagged)
+				}
+			}
+		}
+	}
+	return image
+}
+
+func (c *taskContext) Node() string {
+	return c.node
+}
+
+func (c *taskContext) DesiredState() string {
+	return command.PrettyPrint(c.task.DesiredState)
+}
+
+func (c *taskContext) CurrentState() string {
+	return fmt.Sprintf("%s %s ago",
+		command.PrettyPrint(c.task.Status.State),
+		strings.ToLower(units.HumanDuration(time.Since(c.task.Status.Timestamp))),
+	)
+}
+
+func (c *taskContext) Error() string {
+	// Trim and quote the error message.
+	taskErr := c.task.Status.Err
+	if c.trunc && len(taskErr) > maxErrLength {
+		taskErr = fmt.Sprintf("%s…", taskErr[:maxErrLength-1])
+	}
+	if len(taskErr) > 0 {
+		taskErr = fmt.Sprintf("\"%s\"", taskErr)
+	}
+	return taskErr
+}
+
+func (c *taskContext) Ports() string {
+	if len(c.task.Status.PortStatus.Ports) == 0 {
+		return ""
+	}
+	ports := []string{}
+	for _, pConfig := range c.task.Status.PortStatus.Ports {
+		ports = append(ports, fmt.Sprintf("*:%d->%d/%s",
+			pConfig.PublishedPort,
+			pConfig.TargetPort,
+			pConfig.Protocol,
+		))
+	}
+	return strings.Join(ports, ",")
+}
diff --git a/cli/cli/command/formatter/task_test.go b/cli/cli/command/formatter/task_test.go
new file mode 100644
index 00000000..84bdbfeb
--- /dev/null
+++ b/cli/cli/command/formatter/task_test.go
@@ -0,0 +1,106 @@
+package formatter
+
+import (
+	"bytes"
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestTaskContextWrite(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		{
+			Context{Format: NewTaskFormat("table", true)},
+			`taskID1
+taskID2
+`,
+		},
+		{
+			Context{Format: NewTaskFormat("table {{.Name}}\t{{.Node}}\t{{.Ports}}", false)},
+			string(golden.Get(t, "task-context-write-table-custom.golden")),
+		},
+		{
+			Context{Format: NewTaskFormat("table {{.Name}}", true)},
+			`NAME
+foobar_baz
+foobar_bar
+`,
+		},
+		{
+			Context{Format: NewTaskFormat("raw", true)},
+			`id: taskID1
+id: taskID2
+`,
+		},
+		{
+			Context{Format: NewTaskFormat("{{.Name}} {{.Node}}", false)},
+			`foobar_baz foo1
+foobar_bar foo2
+`,
+		},
+	}
+
+	for _, testcase := range cases {
+		tasks := []swarm.Task{
+			{ID: "taskID1"},
+			{ID: "taskID2"},
+		}
+		names := map[string]string{
+			"taskID1": "foobar_baz",
+			"taskID2": "foobar_bar",
+		}
+		nodes := map[string]string{
+			"taskID1": "foo1",
+			"taskID2": "foo2",
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := TaskWrite(testcase.context, tasks, names, nodes)
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
+
+func TestTaskContextWriteJSONField(t *testing.T) {
+	tasks := []swarm.Task{
+		{ID: "taskID1"},
+		{ID: "taskID2"},
+	}
+	names := map[string]string{
+		"taskID1": "foobar_baz",
+		"taskID2": "foobar_bar",
+	}
+	out := bytes.NewBufferString("")
+	err := TaskWrite(Context{Format: "{{json .ID}}", Output: out}, tasks, names, map[string]string{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		var s string
+		if err := json.Unmarshal([]byte(line), &s); err != nil {
+			t.Fatal(err)
+		}
+		assert.Check(t, is.Equal(tasks[i].ID, s))
+	}
+}
diff --git a/cli/cli/command/formatter/testdata/container-context-write-special-headers.golden b/cli/cli/command/formatter/testdata/container-context-write-special-headers.golden
new file mode 100644
index 00000000..3fe21c8e
--- /dev/null
+++ b/cli/cli/command/formatter/testdata/container-context-write-special-headers.golden
@@ -0,0 +1,3 @@
+CONTAINER ID        IMAGE CREATED/STATUS/  PORTS  .NAMES STATUS
+conta               "ubuntu" 24 hours ago//.FOOBAR_BAZ 
+conta               "ubuntu" 24 hours ago//.FOOBAR_BAR 
diff --git a/cli/cli/command/formatter/testdata/disk-usage-context-write-custom.golden b/cli/cli/command/formatter/testdata/disk-usage-context-write-custom.golden
new file mode 100644
index 00000000..6f2d9a9b
--- /dev/null
+++ b/cli/cli/command/formatter/testdata/disk-usage-context-write-custom.golden
@@ -0,0 +1,5 @@
+TYPE                ACTIVE
+Images              0
+Containers          0
+Local Volumes       0
+Build Cache         0
diff --git a/cli/cli/command/formatter/testdata/disk-usage-raw-format.golden b/cli/cli/command/formatter/testdata/disk-usage-raw-format.golden
new file mode 100644
index 00000000..7b9d11eb
--- /dev/null
+++ b/cli/cli/command/formatter/testdata/disk-usage-raw-format.golden
@@ -0,0 +1,24 @@
+type: Images
+total: 0
+active: 0
+size: 0B
+reclaimable: 0B
+
+type: Containers
+total: 0
+active: 0
+size: 0B
+reclaimable: 0B
+
+type: Local Volumes
+total: 0
+active: 0
+size: 0B
+reclaimable: 0B
+
+type: Build Cache
+total: 0
+active: 0
+size: 0B
+reclaimable: 0B
+
diff --git a/cli/cli/command/formatter/testdata/search-context-write-stars-table.golden b/cli/cli/command/formatter/testdata/search-context-write-stars-table.golden
new file mode 100644
index 00000000..1a66b429
--- /dev/null
+++ b/cli/cli/command/formatter/testdata/search-context-write-stars-table.golden
@@ -0,0 +1,2 @@
+NAME                DESCRIPTION         STARS               OFFICIAL            AUTOMATED
+result1             Official build      5000                [OK]                
diff --git a/cli/cli/command/formatter/testdata/search-context-write-table.golden b/cli/cli/command/formatter/testdata/search-context-write-table.golden
new file mode 100644
index 00000000..72784fd0
--- /dev/null
+++ b/cli/cli/command/formatter/testdata/search-context-write-table.golden
@@ -0,0 +1,3 @@
+NAME                DESCRIPTION         STARS               OFFICIAL            AUTOMATED
+result1             Official build      5000                [OK]                
+result2             Not official        5                                       [OK]
diff --git a/cli/cli/command/formatter/testdata/service-context-write-raw.golden b/cli/cli/command/formatter/testdata/service-context-write-raw.golden
new file mode 100644
index 00000000..d62b9a24
--- /dev/null
+++ b/cli/cli/command/formatter/testdata/service-context-write-raw.golden
@@ -0,0 +1,14 @@
+id: id_baz
+name: baz
+mode: global
+replicas: 2/4
+image: 
+ports: *:80->8080/tcp
+
+id: id_bar
+name: bar
+mode: replicated
+replicas: 2/4
+image: 
+ports: *:80->8080/tcp
+
diff --git a/cli/cli/command/formatter/testdata/task-context-write-table-custom.golden b/cli/cli/command/formatter/testdata/task-context-write-table-custom.golden
new file mode 100644
index 00000000..0f931ea9
--- /dev/null
+++ b/cli/cli/command/formatter/testdata/task-context-write-table-custom.golden
@@ -0,0 +1,3 @@
+NAME                NODE                PORTS
+foobar_baz          foo1                
+foobar_bar          foo2                
diff --git a/cli/cli/command/formatter/trust.go b/cli/cli/command/formatter/trust.go
new file mode 100644
index 00000000..c16df2e1
--- /dev/null
+++ b/cli/cli/command/formatter/trust.go
@@ -0,0 +1,150 @@
+package formatter
+
+import (
+	"sort"
+	"strings"
+
+	"github.com/docker/docker/pkg/stringid"
+)
+
+const (
+	defaultTrustTagTableFormat   = "table {{.SignedTag}}\t{{.Digest}}\t{{.Signers}}"
+	signedTagNameHeader          = "SIGNED TAG"
+	trustedDigestHeader          = "DIGEST"
+	signersHeader                = "SIGNERS"
+	defaultSignerInfoTableFormat = "table {{.Signer}}\t{{.Keys}}"
+	signerNameHeader             = "SIGNER"
+	keysHeader                   = "KEYS"
+)
+
+// SignedTagInfo represents all formatted information needed to describe a signed tag:
+// Name: name of the signed tag
+// Digest: hex encoded digest of the contents
+// Signers: list of entities who signed the tag
+type SignedTagInfo struct {
+	Name    string
+	Digest  string
+	Signers []string
+}
+
+// SignerInfo represents all formatted information needed to describe a signer:
+// Name: name of the signer role
+// Keys: the keys associated with the signer
+type SignerInfo struct {
+	Name string
+	Keys []string
+}
+
+// NewTrustTagFormat returns a Format for rendering using a trusted tag Context
+func NewTrustTagFormat() Format {
+	return defaultTrustTagTableFormat
+}
+
+// NewSignerInfoFormat returns a Format for rendering a signer role info Context
+func NewSignerInfoFormat() Format {
+	return defaultSignerInfoTableFormat
+}
+
+// TrustTagWrite writes the context
+func TrustTagWrite(ctx Context, signedTagInfoList []SignedTagInfo) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, signedTag := range signedTagInfoList {
+			if err := format(&trustTagContext{s: signedTag}); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	trustTagCtx := trustTagContext{}
+	trustTagCtx.header = trustTagHeaderContext{
+		"SignedTag": signedTagNameHeader,
+		"Digest":    trustedDigestHeader,
+		"Signers":   signersHeader,
+	}
+	return ctx.Write(&trustTagCtx, render)
+}
+
+type trustTagHeaderContext map[string]string
+
+type trustTagContext struct {
+	HeaderContext
+	s SignedTagInfo
+}
+
+// SignedTag returns the name of the signed tag
+func (c *trustTagContext) SignedTag() string {
+	return c.s.Name
+}
+
+// Digest returns the hex encoded digest associated with this signed tag
+func (c *trustTagContext) Digest() string {
+	return c.s.Digest
+}
+
+// Signers returns the sorted list of entities who signed this tag
+func (c *trustTagContext) Signers() string {
+	sort.Strings(c.s.Signers)
+	return strings.Join(c.s.Signers, ", ")
+}
+
+// SignerInfoWrite writes the context
+func SignerInfoWrite(ctx Context, signerInfoList []SignerInfo) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, signerInfo := range signerInfoList {
+			if err := format(&signerInfoContext{
+				trunc: ctx.Trunc,
+				s:     signerInfo,
+			}); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	signerInfoCtx := signerInfoContext{}
+	signerInfoCtx.header = signerInfoHeaderContext{
+		"Signer": signerNameHeader,
+		"Keys":   keysHeader,
+	}
+	return ctx.Write(&signerInfoCtx, render)
+}
+
+type signerInfoHeaderContext map[string]string
+
+type signerInfoContext struct {
+	HeaderContext
+	trunc bool
+	s     SignerInfo
+}
+
+// Keys returns the sorted list of keys associated with the signer
+func (c *signerInfoContext) Keys() string {
+	sort.Strings(c.s.Keys)
+	truncatedKeys := []string{}
+	if c.trunc {
+		for _, keyID := range c.s.Keys {
+			truncatedKeys = append(truncatedKeys, stringid.TruncateID(keyID))
+		}
+		return strings.Join(truncatedKeys, ", ")
+	}
+	return strings.Join(c.s.Keys, ", ")
+}
+
+// Signer returns the name of the signer
+func (c *signerInfoContext) Signer() string {
+	return c.s.Name
+}
+
+// SignerInfoList helps sort []SignerInfo by signer names
+type SignerInfoList []SignerInfo
+
+func (signerInfoComp SignerInfoList) Len() int {
+	return len(signerInfoComp)
+}
+
+func (signerInfoComp SignerInfoList) Less(i, j int) bool {
+	return signerInfoComp[i].Name < signerInfoComp[j].Name
+}
+
+func (signerInfoComp SignerInfoList) Swap(i, j int) {
+	signerInfoComp[i], signerInfoComp[j] = signerInfoComp[j], signerInfoComp[i]
+}
diff --git a/cli/cli/command/formatter/trust_test.go b/cli/cli/command/formatter/trust_test.go
new file mode 100644
index 00000000..7e1d894f
--- /dev/null
+++ b/cli/cli/command/formatter/trust_test.go
@@ -0,0 +1,239 @@
+package formatter
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestTrustTag(t *testing.T) {
+	digest := stringid.GenerateRandomID()
+	trustedTag := "tag"
+
+	var ctx trustTagContext
+
+	cases := []struct {
+		trustTagCtx trustTagContext
+		expValue    string
+		call        func() string
+	}{
+		{
+			trustTagContext{
+				s: SignedTagInfo{Name: trustedTag,
+					Digest:  digest,
+					Signers: nil,
+				},
+			},
+			digest,
+			ctx.Digest,
+		},
+		{
+			trustTagContext{
+				s: SignedTagInfo{Name: trustedTag,
+					Digest:  digest,
+					Signers: nil,
+				},
+			},
+			trustedTag,
+			ctx.SignedTag,
+		},
+		// Empty signers makes a row with empty string
+		{
+			trustTagContext{
+				s: SignedTagInfo{Name: trustedTag,
+					Digest:  digest,
+					Signers: nil,
+				},
+			},
+			"",
+			ctx.Signers,
+		},
+		{
+			trustTagContext{
+				s: SignedTagInfo{Name: trustedTag,
+					Digest:  digest,
+					Signers: []string{"alice", "bob", "claire"},
+				},
+			},
+			"alice, bob, claire",
+			ctx.Signers,
+		},
+		// alphabetic signing on Signers
+		{
+			trustTagContext{
+				s: SignedTagInfo{Name: trustedTag,
+					Digest:  digest,
+					Signers: []string{"claire", "bob", "alice"},
+				},
+			},
+			"alice, bob, claire",
+			ctx.Signers,
+		},
+	}
+
+	for _, c := range cases {
+		ctx = c.trustTagCtx
+		v := c.call()
+		if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestTrustTagContextWrite(t *testing.T) {
+
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+		// Errors
+		{
+			Context{
+				Format: "{{InvalidFunction}}",
+			},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{
+				Format: "{{nil}}",
+			},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table Format
+		{
+			Context{
+				Format: NewTrustTagFormat(),
+			},
+			`SIGNED TAG          DIGEST              SIGNERS
+tag1                deadbeef            alice
+tag2                aaaaaaaa            alice, bob
+tag3                bbbbbbbb            
+`,
+		},
+	}
+
+	for _, testcase := range cases {
+		signedTags := []SignedTagInfo{
+			{Name: "tag1", Digest: "deadbeef", Signers: []string{"alice"}},
+			{Name: "tag2", Digest: "aaaaaaaa", Signers: []string{"alice", "bob"}},
+			{Name: "tag3", Digest: "bbbbbbbb", Signers: []string{}},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := TrustTagWrite(testcase.context, signedTags)
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
+
+// With no trust data, the TrustTagWrite will print an empty table:
+// it's up to the caller to decide whether or not to print this versus an error
+func TestTrustTagContextEmptyWrite(t *testing.T) {
+
+	emptyCase := struct {
+		context  Context
+		expected string
+	}{
+		Context{
+			Format: NewTrustTagFormat(),
+		},
+		`SIGNED TAG          DIGEST              SIGNERS
+`,
+	}
+
+	emptySignedTags := []SignedTagInfo{}
+	out := bytes.NewBufferString("")
+	emptyCase.context.Output = out
+	err := TrustTagWrite(emptyCase.context, emptySignedTags)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(emptyCase.expected, out.String()))
+}
+
+func TestSignerInfoContextEmptyWrite(t *testing.T) {
+	emptyCase := struct {
+		context  Context
+		expected string
+	}{
+		Context{
+			Format: NewSignerInfoFormat(),
+		},
+		`SIGNER              KEYS
+`,
+	}
+	emptySignerInfo := []SignerInfo{}
+	out := bytes.NewBufferString("")
+	emptyCase.context.Output = out
+	err := SignerInfoWrite(emptyCase.context, emptySignerInfo)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(emptyCase.expected, out.String()))
+}
+
+func TestSignerInfoContextWrite(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+		// Errors
+		{
+			Context{
+				Format: "{{InvalidFunction}}",
+			},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{
+				Format: "{{nil}}",
+			},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table Format
+		{
+			Context{
+				Format: NewSignerInfoFormat(),
+				Trunc:  true,
+			},
+			`SIGNER              KEYS
+alice               key11, key12
+bob                 key21
+eve                 foobarbazqux, key31, key32
+`,
+		},
+		// No truncation
+		{
+			Context{
+				Format: NewSignerInfoFormat(),
+			},
+			`SIGNER              KEYS
+alice               key11, key12
+bob                 key21
+eve                 foobarbazquxquux, key31, key32
+`,
+		},
+	}
+
+	for _, testcase := range cases {
+		signerInfo := SignerInfoList{
+			{Name: "alice", Keys: []string{"key11", "key12"}},
+			{Name: "bob", Keys: []string{"key21"}},
+			{Name: "eve", Keys: []string{"key31", "key32", "foobarbazquxquux"}},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := SignerInfoWrite(testcase.context, signerInfo)
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
diff --git a/cli/cli/command/formatter/volume.go b/cli/cli/command/formatter/volume.go
new file mode 100644
index 00000000..342f2fb9
--- /dev/null
+++ b/cli/cli/command/formatter/volume.go
@@ -0,0 +1,131 @@
+package formatter
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	units "github.com/docker/go-units"
+)
+
+const (
+	defaultVolumeQuietFormat = "{{.Name}}"
+	defaultVolumeTableFormat = "table {{.Driver}}\t{{.Name}}"
+
+	volumeNameHeader = "VOLUME NAME"
+	mountpointHeader = "MOUNTPOINT"
+	linksHeader      = "LINKS"
+	// Status header ?
+)
+
+// NewVolumeFormat returns a format for use with a volume Context
+func NewVolumeFormat(source string, quiet bool) Format {
+	switch source {
+	case TableFormatKey:
+		if quiet {
+			return defaultVolumeQuietFormat
+		}
+		return defaultVolumeTableFormat
+	case RawFormatKey:
+		if quiet {
+			return `name: {{.Name}}`
+		}
+		return `name: {{.Name}}\ndriver: {{.Driver}}\n`
+	}
+	return Format(source)
+}
+
+// VolumeWrite writes formatted volumes using the Context
+func VolumeWrite(ctx Context, volumes []*types.Volume) error {
+	render := func(format func(subContext subContext) error) error {
+		for _, volume := range volumes {
+			if err := format(&volumeContext{v: *volume}); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+	return ctx.Write(newVolumeContext(), render)
+}
+
+type volumeHeaderContext map[string]string
+
+func (c volumeHeaderContext) Label(name string) string {
+	n := strings.Split(name, ".")
+	r := strings.NewReplacer("-", " ", "_", " ")
+	h := r.Replace(n[len(n)-1])
+
+	return h
+}
+
+type volumeContext struct {
+	HeaderContext
+	v types.Volume
+}
+
+func newVolumeContext() *volumeContext {
+	volumeCtx := volumeContext{}
+	volumeCtx.header = volumeHeaderContext{
+		"Name":       volumeNameHeader,
+		"Driver":     driverHeader,
+		"Scope":      scopeHeader,
+		"Mountpoint": mountpointHeader,
+		"Labels":     labelsHeader,
+		"Links":      linksHeader,
+		"Size":       sizeHeader,
+	}
+	return &volumeCtx
+}
+
+func (c *volumeContext) MarshalJSON() ([]byte, error) {
+	return marshalJSON(c)
+}
+
+func (c *volumeContext) Name() string {
+	return c.v.Name
+}
+
+func (c *volumeContext) Driver() string {
+	return c.v.Driver
+}
+
+func (c *volumeContext) Scope() string {
+	return c.v.Scope
+}
+
+func (c *volumeContext) Mountpoint() string {
+	return c.v.Mountpoint
+}
+
+func (c *volumeContext) Labels() string {
+	if c.v.Labels == nil {
+		return ""
+	}
+
+	var joinLabels []string
+	for k, v := range c.v.Labels {
+		joinLabels = append(joinLabels, fmt.Sprintf("%s=%s", k, v))
+	}
+	return strings.Join(joinLabels, ",")
+}
+
+func (c *volumeContext) Label(name string) string {
+	if c.v.Labels == nil {
+		return ""
+	}
+	return c.v.Labels[name]
+}
+
+func (c *volumeContext) Links() string {
+	if c.v.UsageData == nil {
+		return "N/A"
+	}
+	return fmt.Sprintf("%d", c.v.UsageData.RefCount)
+}
+
+func (c *volumeContext) Size() string {
+	if c.v.UsageData == nil {
+		return "N/A"
+	}
+	return units.HumanSize(float64(c.v.UsageData.Size))
+}
diff --git a/cli/cli/command/formatter/volume_test.go b/cli/cli/command/formatter/volume_test.go
new file mode 100644
index 00000000..43c6061d
--- /dev/null
+++ b/cli/cli/command/formatter/volume_test.go
@@ -0,0 +1,183 @@
+package formatter
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestVolumeContext(t *testing.T) {
+	volumeName := stringid.GenerateRandomID()
+
+	var ctx volumeContext
+	cases := []struct {
+		volumeCtx volumeContext
+		expValue  string
+		call      func() string
+	}{
+		{volumeContext{
+			v: types.Volume{Name: volumeName},
+		}, volumeName, ctx.Name},
+		{volumeContext{
+			v: types.Volume{Driver: "driver_name"},
+		}, "driver_name", ctx.Driver},
+		{volumeContext{
+			v: types.Volume{Scope: "local"},
+		}, "local", ctx.Scope},
+		{volumeContext{
+			v: types.Volume{Mountpoint: "mountpoint"},
+		}, "mountpoint", ctx.Mountpoint},
+		{volumeContext{
+			v: types.Volume{},
+		}, "", ctx.Labels},
+		{volumeContext{
+			v: types.Volume{Labels: map[string]string{"label1": "value1", "label2": "value2"}},
+		}, "label1=value1,label2=value2", ctx.Labels},
+	}
+
+	for _, c := range cases {
+		ctx = c.volumeCtx
+		v := c.call()
+		if strings.Contains(v, ",") {
+			compareMultipleValues(t, v, c.expValue)
+		} else if v != c.expValue {
+			t.Fatalf("Expected %s, was %s\n", c.expValue, v)
+		}
+	}
+}
+
+func TestVolumeContextWrite(t *testing.T) {
+	cases := []struct {
+		context  Context
+		expected string
+	}{
+
+		// Errors
+		{
+			Context{Format: "{{InvalidFunction}}"},
+			`Template parsing error: template: :1: function "InvalidFunction" not defined
+`,
+		},
+		{
+			Context{Format: "{{nil}}"},
+			`Template parsing error: template: :1:2: executing "" at <nil>: nil is not a command
+`,
+		},
+		// Table format
+		{
+			Context{Format: NewVolumeFormat("table", false)},
+			`DRIVER              VOLUME NAME
+foo                 foobar_baz
+bar                 foobar_bar
+`,
+		},
+		{
+			Context{Format: NewVolumeFormat("table", true)},
+			`foobar_baz
+foobar_bar
+`,
+		},
+		{
+			Context{Format: NewVolumeFormat("table {{.Name}}", false)},
+			`VOLUME NAME
+foobar_baz
+foobar_bar
+`,
+		},
+		{
+			Context{Format: NewVolumeFormat("table {{.Name}}", true)},
+			`VOLUME NAME
+foobar_baz
+foobar_bar
+`,
+		},
+		// Raw Format
+		{
+			Context{Format: NewVolumeFormat("raw", false)},
+			`name: foobar_baz
+driver: foo
+
+name: foobar_bar
+driver: bar
+
+`,
+		},
+		{
+			Context{Format: NewVolumeFormat("raw", true)},
+			`name: foobar_baz
+name: foobar_bar
+`,
+		},
+		// Custom Format
+		{
+			Context{Format: NewVolumeFormat("{{.Name}}", false)},
+			`foobar_baz
+foobar_bar
+`,
+		},
+	}
+
+	for _, testcase := range cases {
+		volumes := []*types.Volume{
+			{Name: "foobar_baz", Driver: "foo"},
+			{Name: "foobar_bar", Driver: "bar"},
+		}
+		out := bytes.NewBufferString("")
+		testcase.context.Output = out
+		err := VolumeWrite(testcase.context, volumes)
+		if err != nil {
+			assert.Error(t, err, testcase.expected)
+		} else {
+			assert.Check(t, is.Equal(testcase.expected, out.String()))
+		}
+	}
+}
+
+func TestVolumeContextWriteJSON(t *testing.T) {
+	volumes := []*types.Volume{
+		{Driver: "foo", Name: "foobar_baz"},
+		{Driver: "bar", Name: "foobar_bar"},
+	}
+	expectedJSONs := []map[string]interface{}{
+		{"Driver": "foo", "Labels": "", "Links": "N/A", "Mountpoint": "", "Name": "foobar_baz", "Scope": "", "Size": "N/A"},
+		{"Driver": "bar", "Labels": "", "Links": "N/A", "Mountpoint": "", "Name": "foobar_bar", "Scope": "", "Size": "N/A"},
+	}
+	out := bytes.NewBufferString("")
+	err := VolumeWrite(Context{Format: "{{json .}}", Output: out}, volumes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		msg := fmt.Sprintf("Output: line %d: %s", i, line)
+		var m map[string]interface{}
+		err := json.Unmarshal([]byte(line), &m)
+		assert.NilError(t, err, msg)
+		assert.Check(t, is.DeepEqual(expectedJSONs[i], m), msg)
+	}
+}
+
+func TestVolumeContextWriteJSONField(t *testing.T) {
+	volumes := []*types.Volume{
+		{Driver: "foo", Name: "foobar_baz"},
+		{Driver: "bar", Name: "foobar_bar"},
+	}
+	out := bytes.NewBufferString("")
+	err := VolumeWrite(Context{Format: "{{json .Name}}", Output: out}, volumes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, line := range strings.Split(strings.TrimSpace(out.String()), "\n") {
+		msg := fmt.Sprintf("Output: line %d: %s", i, line)
+		var s string
+		err := json.Unmarshal([]byte(line), &s)
+		assert.NilError(t, err, msg)
+		assert.Check(t, is.Equal(volumes[i].Name, s), msg)
+	}
+}
diff --git a/cli/cli/command/idresolver/client_test.go b/cli/cli/command/idresolver/client_test.go
new file mode 100644
index 00000000..c53cfc6a
--- /dev/null
+++ b/cli/cli/command/idresolver/client_test.go
@@ -0,0 +1,29 @@
+package idresolver
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	nodeInspectFunc    func(string) (swarm.Node, []byte, error)
+	serviceInspectFunc func(string) (swarm.Service, []byte, error)
+}
+
+func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, nodeID string) (swarm.Node, []byte, error) {
+	if cli.nodeInspectFunc != nil {
+		return cli.nodeInspectFunc(nodeID)
+	}
+	return swarm.Node{}, []byte{}, nil
+}
+
+func (cli *fakeClient) ServiceInspectWithRaw(ctx context.Context, serviceID string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+	if cli.serviceInspectFunc != nil {
+		return cli.serviceInspectFunc(serviceID)
+	}
+	return swarm.Service{}, []byte{}, nil
+}
diff --git a/cli/cli/command/idresolver/idresolver.go b/cli/cli/command/idresolver/idresolver.go
new file mode 100644
index 00000000..3d1f71a0
--- /dev/null
+++ b/cli/cli/command/idresolver/idresolver.go
@@ -0,0 +1,70 @@
+package idresolver
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
+)
+
+// IDResolver provides ID to Name resolution.
+type IDResolver struct {
+	client    client.APIClient
+	noResolve bool
+	cache     map[string]string
+}
+
+// New creates a new IDResolver.
+func New(client client.APIClient, noResolve bool) *IDResolver {
+	return &IDResolver{
+		client:    client,
+		noResolve: noResolve,
+		cache:     make(map[string]string),
+	}
+}
+
+func (r *IDResolver) get(ctx context.Context, t interface{}, id string) (string, error) {
+	switch t.(type) {
+	case swarm.Node:
+		node, _, err := r.client.NodeInspectWithRaw(ctx, id)
+		if err != nil {
+			return id, nil
+		}
+		if node.Spec.Annotations.Name != "" {
+			return node.Spec.Annotations.Name, nil
+		}
+		if node.Description.Hostname != "" {
+			return node.Description.Hostname, nil
+		}
+		return id, nil
+	case swarm.Service:
+		service, _, err := r.client.ServiceInspectWithRaw(ctx, id, types.ServiceInspectOptions{})
+		if err != nil {
+			return id, nil
+		}
+		return service.Spec.Annotations.Name, nil
+	default:
+		return "", errors.Errorf("unsupported type")
+	}
+
+}
+
+// Resolve will attempt to resolve an ID to a Name by querying the manager.
+// Results are stored into a cache.
+// If the `-n` flag is used in the command-line, resolution is disabled.
+func (r *IDResolver) Resolve(ctx context.Context, t interface{}, id string) (string, error) {
+	if r.noResolve {
+		return id, nil
+	}
+	if name, ok := r.cache[id]; ok {
+		return name, nil
+	}
+	name, err := r.get(ctx, t, id)
+	if err != nil {
+		return "", err
+	}
+	r.cache[id] = name
+	return name, nil
+}
diff --git a/cli/cli/command/idresolver/idresolver_test.go b/cli/cli/command/idresolver/idresolver_test.go
new file mode 100644
index 00000000..f667b106
--- /dev/null
+++ b/cli/cli/command/idresolver/idresolver_test.go
@@ -0,0 +1,146 @@
+package idresolver
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	// Import builders to get the builder function as package function
+	"context"
+
+	. "github.com/docker/cli/internal/test/builders"
+	"github.com/pkg/errors"
+)
+
+func TestResolveError(t *testing.T) {
+	cli := &fakeClient{
+		nodeInspectFunc: func(nodeID string) (swarm.Node, []byte, error) {
+			return swarm.Node{}, []byte{}, errors.Errorf("error inspecting node")
+		},
+	}
+
+	idResolver := New(cli, false)
+	_, err := idResolver.Resolve(context.Background(), struct{}{}, "nodeID")
+
+	assert.Error(t, err, "unsupported type")
+}
+
+func TestResolveWithNoResolveOption(t *testing.T) {
+	resolved := false
+	cli := &fakeClient{
+		nodeInspectFunc: func(nodeID string) (swarm.Node, []byte, error) {
+			resolved = true
+			return swarm.Node{}, []byte{}, nil
+		},
+		serviceInspectFunc: func(serviceID string) (swarm.Service, []byte, error) {
+			resolved = true
+			return swarm.Service{}, []byte{}, nil
+		},
+	}
+
+	idResolver := New(cli, true)
+	id, err := idResolver.Resolve(context.Background(), swarm.Node{}, "nodeID")
+
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("nodeID", id))
+	assert.Check(t, !resolved)
+}
+
+func TestResolveWithCache(t *testing.T) {
+	inspectCounter := 0
+	cli := &fakeClient{
+		nodeInspectFunc: func(nodeID string) (swarm.Node, []byte, error) {
+			inspectCounter++
+			return *Node(NodeName("node-foo")), []byte{}, nil
+		},
+	}
+
+	idResolver := New(cli, false)
+
+	ctx := context.Background()
+	for i := 0; i < 2; i++ {
+		id, err := idResolver.Resolve(ctx, swarm.Node{}, "nodeID")
+		assert.NilError(t, err)
+		assert.Check(t, is.Equal("node-foo", id))
+	}
+
+	assert.Check(t, is.Equal(1, inspectCounter))
+}
+
+func TestResolveNode(t *testing.T) {
+	testCases := []struct {
+		nodeID          string
+		nodeInspectFunc func(string) (swarm.Node, []byte, error)
+		expectedID      string
+	}{
+		{
+			nodeID: "nodeID",
+			nodeInspectFunc: func(string) (swarm.Node, []byte, error) {
+				return swarm.Node{}, []byte{}, errors.Errorf("error inspecting node")
+			},
+			expectedID: "nodeID",
+		},
+		{
+			nodeID: "nodeID",
+			nodeInspectFunc: func(string) (swarm.Node, []byte, error) {
+				return *Node(NodeName("node-foo")), []byte{}, nil
+			},
+			expectedID: "node-foo",
+		},
+		{
+			nodeID: "nodeID",
+			nodeInspectFunc: func(string) (swarm.Node, []byte, error) {
+				return *Node(NodeName(""), Hostname("node-hostname")), []byte{}, nil
+			},
+			expectedID: "node-hostname",
+		},
+	}
+
+	ctx := context.Background()
+	for _, tc := range testCases {
+		cli := &fakeClient{
+			nodeInspectFunc: tc.nodeInspectFunc,
+		}
+		idResolver := New(cli, false)
+		id, err := idResolver.Resolve(ctx, swarm.Node{}, tc.nodeID)
+
+		assert.NilError(t, err)
+		assert.Check(t, is.Equal(tc.expectedID, id))
+	}
+}
+
+func TestResolveService(t *testing.T) {
+	testCases := []struct {
+		serviceID          string
+		serviceInspectFunc func(string) (swarm.Service, []byte, error)
+		expectedID         string
+	}{
+		{
+			serviceID: "serviceID",
+			serviceInspectFunc: func(string) (swarm.Service, []byte, error) {
+				return swarm.Service{}, []byte{}, errors.Errorf("error inspecting service")
+			},
+			expectedID: "serviceID",
+		},
+		{
+			serviceID: "serviceID",
+			serviceInspectFunc: func(string) (swarm.Service, []byte, error) {
+				return *Service(ServiceName("service-foo")), []byte{}, nil
+			},
+			expectedID: "service-foo",
+		},
+	}
+
+	ctx := context.Background()
+	for _, tc := range testCases {
+		cli := &fakeClient{
+			serviceInspectFunc: tc.serviceInspectFunc,
+		}
+		idResolver := New(cli, false)
+		id, err := idResolver.Resolve(ctx, swarm.Service{}, tc.serviceID)
+
+		assert.NilError(t, err)
+		assert.Check(t, is.Equal(tc.expectedID, id))
+	}
+}
diff --git a/cli/cli/command/image/build.go b/cli/cli/command/image/build.go
new file mode 100644
index 00000000..fc660fad
--- /dev/null
+++ b/cli/cli/command/image/build.go
@@ -0,0 +1,627 @@
+package image
+
+import (
+	"archive/tar"
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image/build"
+	"github.com/docker/cli/opts"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/docker/docker/pkg/urlutil"
+	units "github.com/docker/go-units"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+var errStdinConflict = errors.New("invalid argument: can't use stdin for both build context and dockerfile")
+
+type buildOptions struct {
+	context        string
+	dockerfileName string
+	tags           opts.ListOpts
+	labels         opts.ListOpts
+	buildArgs      opts.ListOpts
+	extraHosts     opts.ListOpts
+	ulimits        *opts.UlimitOpt
+	memory         opts.MemBytes
+	memorySwap     opts.MemSwapBytes
+	shmSize        opts.MemBytes
+	cpuShares      int64
+	cpuPeriod      int64
+	cpuQuota       int64
+	cpuSetCpus     string
+	cpuSetMems     string
+	cgroupParent   string
+	isolation      string
+	quiet          bool
+	noCache        bool
+	console        opts.NullableBool
+	rm             bool
+	forceRm        bool
+	pull           bool
+	cacheFrom      []string
+	compress       bool
+	securityOpt    []string
+	networkMode    string
+	squash         bool
+	target         string
+	imageIDFile    string
+	stream         bool
+	platform       string
+	untrusted      bool
+}
+
+// dockerfileFromStdin returns true when the user specified that the Dockerfile
+// should be read from stdin instead of a file
+func (o buildOptions) dockerfileFromStdin() bool {
+	return o.dockerfileName == "-"
+}
+
+// contextFromStdin returns true when the user specified that the build context
+// should be read from stdin
+func (o buildOptions) contextFromStdin() bool {
+	return o.context == "-"
+}
+
+func newBuildOptions() buildOptions {
+	ulimits := make(map[string]*units.Ulimit)
+	return buildOptions{
+		tags:       opts.NewListOpts(validateTag),
+		buildArgs:  opts.NewListOpts(opts.ValidateEnv),
+		ulimits:    opts.NewUlimitOpt(&ulimits),
+		labels:     opts.NewListOpts(opts.ValidateEnv),
+		extraHosts: opts.NewListOpts(opts.ValidateExtraHost),
+	}
+}
+
+// NewBuildCommand creates a new `docker build` command
+func NewBuildCommand(dockerCli command.Cli) *cobra.Command {
+	options := newBuildOptions()
+
+	cmd := &cobra.Command{
+		Use:   "build [OPTIONS] PATH | URL | -",
+		Short: "Build an image from a Dockerfile",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.context = args[0]
+			return runBuild(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.VarP(&options.tags, "tag", "t", "Name and optionally a tag in the 'name:tag' format")
+	flags.Var(&options.buildArgs, "build-arg", "Set build-time variables")
+	flags.Var(options.ulimits, "ulimit", "Ulimit options")
+	flags.StringVarP(&options.dockerfileName, "file", "f", "", "Name of the Dockerfile (Default is 'PATH/Dockerfile')")
+	flags.VarP(&options.memory, "memory", "m", "Memory limit")
+	flags.Var(&options.memorySwap, "memory-swap", "Swap limit equal to memory plus swap: '-1' to enable unlimited swap")
+	flags.Var(&options.shmSize, "shm-size", "Size of /dev/shm")
+	flags.Int64VarP(&options.cpuShares, "cpu-shares", "c", 0, "CPU shares (relative weight)")
+	flags.Int64Var(&options.cpuPeriod, "cpu-period", 0, "Limit the CPU CFS (Completely Fair Scheduler) period")
+	flags.Int64Var(&options.cpuQuota, "cpu-quota", 0, "Limit the CPU CFS (Completely Fair Scheduler) quota")
+	flags.StringVar(&options.cpuSetCpus, "cpuset-cpus", "", "CPUs in which to allow execution (0-3, 0,1)")
+	flags.StringVar(&options.cpuSetMems, "cpuset-mems", "", "MEMs in which to allow execution (0-3, 0,1)")
+	flags.StringVar(&options.cgroupParent, "cgroup-parent", "", "Optional parent cgroup for the container")
+	flags.StringVar(&options.isolation, "isolation", "", "Container isolation technology")
+	flags.Var(&options.labels, "label", "Set metadata for an image")
+	flags.BoolVar(&options.noCache, "no-cache", false, "Do not use cache when building the image")
+	flags.BoolVar(&options.rm, "rm", true, "Remove intermediate containers after a successful build")
+	flags.BoolVar(&options.forceRm, "force-rm", false, "Always remove intermediate containers")
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the build output and print image ID on success")
+	flags.BoolVar(&options.pull, "pull", false, "Always attempt to pull a newer version of the image")
+	flags.StringSliceVar(&options.cacheFrom, "cache-from", []string{}, "Images to consider as cache sources")
+	flags.BoolVar(&options.compress, "compress", false, "Compress the build context using gzip")
+	flags.StringSliceVar(&options.securityOpt, "security-opt", []string{}, "Security options")
+	flags.StringVar(&options.networkMode, "network", "default", "Set the networking mode for the RUN instructions during build")
+	flags.SetAnnotation("network", "version", []string{"1.25"})
+	flags.Var(&options.extraHosts, "add-host", "Add a custom host-to-IP mapping (host:ip)")
+	flags.StringVar(&options.target, "target", "", "Set the target build stage to build.")
+	flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to the file")
+
+	command.AddTrustVerificationFlags(flags, &options.untrusted, dockerCli.ContentTrustEnabled())
+	command.AddPlatformFlag(flags, &options.platform)
+
+	flags.BoolVar(&options.squash, "squash", false, "Squash newly built layers into a single new layer")
+	flags.SetAnnotation("squash", "experimental", nil)
+	flags.SetAnnotation("squash", "version", []string{"1.25"})
+
+	flags.BoolVar(&options.stream, "stream", false, "Stream attaches to server to negotiate build context")
+	flags.SetAnnotation("stream", "experimental", nil)
+	flags.SetAnnotation("stream", "version", []string{"1.31"})
+
+	flags.Var(&options.console, "console", "Show console output (with buildkit only) (true, false, auto)")
+	flags.SetAnnotation("console", "experimental", nil)
+	flags.SetAnnotation("console", "version", []string{"1.38"})
+	return cmd
+}
+
+// lastProgressOutput is the same as progress.Output except
+// that it only output with the last update. It is used in
+// non terminal scenarios to suppress verbose messages
+type lastProgressOutput struct {
+	output progress.Output
+}
+
+// WriteProgress formats progress information from a ProgressReader.
+func (out *lastProgressOutput) WriteProgress(prog progress.Progress) error {
+	if !prog.LastUpdate {
+		return nil
+	}
+
+	return out.output.WriteProgress(prog)
+}
+
+// nolint: gocyclo
+func runBuild(dockerCli command.Cli, options buildOptions) error {
+	if buildkitEnv := os.Getenv("DOCKER_BUILDKIT"); buildkitEnv != "" {
+		enableBuildkit, err := strconv.ParseBool(buildkitEnv)
+		if err != nil {
+			return errors.Wrap(err, "DOCKER_BUILDKIT environment variable expects boolean value")
+		}
+		if enableBuildkit {
+			return runBuildBuildKit(dockerCli, options)
+		}
+	}
+
+	var (
+		buildCtx      io.ReadCloser
+		dockerfileCtx io.ReadCloser
+		err           error
+		contextDir    string
+		tempDir       string
+		relDockerfile string
+		progBuff      io.Writer
+		buildBuff     io.Writer
+		remote        string
+	)
+
+	if options.compress && options.stream {
+		return errors.New("--compress conflicts with --stream options")
+	}
+
+	if options.dockerfileFromStdin() {
+		if options.contextFromStdin() {
+			return errStdinConflict
+		}
+		dockerfileCtx = dockerCli.In()
+	}
+
+	specifiedContext := options.context
+	progBuff = dockerCli.Out()
+	buildBuff = dockerCli.Out()
+	if options.quiet {
+		progBuff = bytes.NewBuffer(nil)
+		buildBuff = bytes.NewBuffer(nil)
+	}
+	if options.imageIDFile != "" {
+		// Avoid leaving a stale file if we eventually fail
+		if err := os.Remove(options.imageIDFile); err != nil && !os.IsNotExist(err) {
+			return errors.Wrap(err, "Removing image ID file")
+		}
+	}
+
+	switch {
+	case options.contextFromStdin():
+		// buildCtx is tar archive. if stdin was dockerfile then it is wrapped
+		buildCtx, relDockerfile, err = build.GetContextFromReader(dockerCli.In(), options.dockerfileName)
+	case isLocalDir(specifiedContext):
+		contextDir, relDockerfile, err = build.GetContextFromLocalDir(specifiedContext, options.dockerfileName)
+		if err == nil && strings.HasPrefix(relDockerfile, ".."+string(filepath.Separator)) {
+			// Dockerfile is outside of build-context; read the Dockerfile and pass it as dockerfileCtx
+			dockerfileCtx, err = os.Open(options.dockerfileName)
+			if err != nil {
+				return errors.Errorf("unable to open Dockerfile: %v", err)
+			}
+			defer dockerfileCtx.Close()
+		}
+	case urlutil.IsGitURL(specifiedContext):
+		tempDir, relDockerfile, err = build.GetContextFromGitURL(specifiedContext, options.dockerfileName)
+	case urlutil.IsURL(specifiedContext):
+		buildCtx, relDockerfile, err = build.GetContextFromURL(progBuff, specifiedContext, options.dockerfileName)
+	default:
+		return errors.Errorf("unable to prepare context: path %q not found", specifiedContext)
+	}
+
+	if err != nil {
+		if options.quiet && urlutil.IsURL(specifiedContext) {
+			fmt.Fprintln(dockerCli.Err(), progBuff)
+		}
+		return errors.Errorf("unable to prepare context: %s", err)
+	}
+
+	if tempDir != "" {
+		defer os.RemoveAll(tempDir)
+		contextDir = tempDir
+	}
+
+	// read from a directory into tar archive
+	if buildCtx == nil && !options.stream {
+		excludes, err := build.ReadDockerignore(contextDir)
+		if err != nil {
+			return err
+		}
+
+		if err := build.ValidateContextDirectory(contextDir, excludes); err != nil {
+			return errors.Errorf("error checking context: '%s'.", err)
+		}
+
+		// And canonicalize dockerfile name to a platform-independent one
+		relDockerfile, err = archive.CanonicalTarNameForPath(relDockerfile)
+		if err != nil {
+			return errors.Errorf("cannot canonicalize dockerfile path %s: %v", relDockerfile, err)
+		}
+
+		excludes = build.TrimBuildFilesFromExcludes(excludes, relDockerfile, options.dockerfileFromStdin())
+		buildCtx, err = archive.TarWithOptions(contextDir, &archive.TarOptions{
+			ExcludePatterns: excludes,
+			ChownOpts:       &idtools.IDPair{UID: 0, GID: 0},
+		})
+		if err != nil {
+			return err
+		}
+	}
+
+	// replace Dockerfile if it was added from stdin or a file outside the build-context, and there is archive context
+	if dockerfileCtx != nil && buildCtx != nil {
+		buildCtx, relDockerfile, err = build.AddDockerfileToBuildContext(dockerfileCtx, buildCtx)
+		if err != nil {
+			return err
+		}
+	}
+
+	// if streaming and Dockerfile was not from stdin then read from file
+	// to the same reader that is usually stdin
+	if options.stream && dockerfileCtx == nil {
+		dockerfileCtx, err = os.Open(relDockerfile)
+		if err != nil {
+			return errors.Wrapf(err, "failed to open %s", relDockerfile)
+		}
+		defer dockerfileCtx.Close()
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	var resolvedTags []*resolvedTag
+	if !options.untrusted {
+		translator := func(ctx context.Context, ref reference.NamedTagged) (reference.Canonical, error) {
+			return TrustedReference(ctx, dockerCli, ref, nil)
+		}
+		// if there is a tar wrapper, the dockerfile needs to be replaced inside it
+		if buildCtx != nil {
+			// Wrap the tar archive to replace the Dockerfile entry with the rewritten
+			// Dockerfile which uses trusted pulls.
+			buildCtx = replaceDockerfileForContentTrust(ctx, buildCtx, relDockerfile, translator, &resolvedTags)
+		} else if dockerfileCtx != nil {
+			// if there was not archive context still do the possible replacements in Dockerfile
+			newDockerfile, _, err := rewriteDockerfileFromForContentTrust(ctx, dockerfileCtx, translator)
+			if err != nil {
+				return err
+			}
+			dockerfileCtx = ioutil.NopCloser(bytes.NewBuffer(newDockerfile))
+		}
+	}
+
+	if options.compress {
+		buildCtx, err = build.Compress(buildCtx)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Setup an upload progress bar
+	progressOutput := streamformatter.NewProgressOutput(progBuff)
+	if !dockerCli.Out().IsTerminal() {
+		progressOutput = &lastProgressOutput{output: progressOutput}
+	}
+
+	// if up to this point nothing has set the context then we must have another
+	// way for sending it(streaming) and set the context to the Dockerfile
+	if dockerfileCtx != nil && buildCtx == nil {
+		buildCtx = dockerfileCtx
+	}
+
+	s, err := trySession(dockerCli, contextDir)
+	if err != nil {
+		return err
+	}
+
+	var body io.Reader
+	if buildCtx != nil && !options.stream {
+		body = progress.NewProgressReader(buildCtx, progressOutput, 0, "", "Sending build context to Docker daemon")
+	}
+
+	// add context stream to the session
+	if options.stream && s != nil {
+		syncDone := make(chan error) // used to signal first progress reporting completed.
+		// progress would also send errors but don't need it here as errors
+		// are handled by session.Run() and ImageBuild()
+		if err := addDirToSession(s, contextDir, progressOutput, syncDone); err != nil {
+			return err
+		}
+
+		buf := newBufferedWriter(syncDone, buildBuff)
+		defer func() {
+			select {
+			case <-buf.flushed:
+			case <-ctx.Done():
+			}
+		}()
+		buildBuff = buf
+
+		remote = clientSessionRemote
+		body = buildCtx
+	}
+
+	configFile := dockerCli.ConfigFile()
+	authConfigs, _ := configFile.GetAllCredentials()
+	buildOptions := imageBuildOptions(dockerCli, options)
+	buildOptions.Version = types.BuilderV1
+	buildOptions.Dockerfile = relDockerfile
+	buildOptions.AuthConfigs = authConfigs
+	buildOptions.RemoteContext = remote
+
+	if s != nil {
+		go func() {
+			logrus.Debugf("running session: %v", s.ID())
+			if err := s.Run(ctx, dockerCli.Client().DialSession); err != nil {
+				logrus.Error(err)
+				cancel() // cancel progress context
+			}
+		}()
+		buildOptions.SessionID = s.ID()
+	}
+
+	response, err := dockerCli.Client().ImageBuild(ctx, body, buildOptions)
+	if err != nil {
+		if options.quiet {
+			fmt.Fprintf(dockerCli.Err(), "%s", progBuff)
+		}
+		cancel()
+		return err
+	}
+	defer response.Body.Close()
+
+	imageID := ""
+	aux := func(msg jsonmessage.JSONMessage) {
+		var result types.BuildResult
+		if err := json.Unmarshal(*msg.Aux, &result); err != nil {
+			fmt.Fprintf(dockerCli.Err(), "Failed to parse aux message: %s", err)
+		} else {
+			imageID = result.ID
+		}
+	}
+
+	err = jsonmessage.DisplayJSONMessagesStream(response.Body, buildBuff, dockerCli.Out().FD(), dockerCli.Out().IsTerminal(), aux)
+	if err != nil {
+		if jerr, ok := err.(*jsonmessage.JSONError); ok {
+			// If no error code is set, default to 1
+			if jerr.Code == 0 {
+				jerr.Code = 1
+			}
+			if options.quiet {
+				fmt.Fprintf(dockerCli.Err(), "%s%s", progBuff, buildBuff)
+			}
+			return cli.StatusError{Status: jerr.Message, StatusCode: jerr.Code}
+		}
+		return err
+	}
+
+	// Windows: show error message about modified file permissions if the
+	// daemon isn't running Windows.
+	if response.OSType != "windows" && runtime.GOOS == "windows" && !options.quiet {
+		fmt.Fprintln(dockerCli.Out(), "SECURITY WARNING: You are building a Docker "+
+			"image from Windows against a non-Windows Docker host. All files and "+
+			"directories added to build context will have '-rwxr-xr-x' permissions. "+
+			"It is recommended to double check and reset permissions for sensitive "+
+			"files and directories.")
+	}
+
+	// Everything worked so if -q was provided the output from the daemon
+	// should be just the image ID and we'll print that to stdout.
+	if options.quiet {
+		imageID = fmt.Sprintf("%s", buildBuff)
+		fmt.Fprintf(dockerCli.Out(), imageID)
+	}
+
+	if options.imageIDFile != "" {
+		if imageID == "" {
+			return errors.Errorf("Server did not provide an image ID. Cannot write %s", options.imageIDFile)
+		}
+		if err := ioutil.WriteFile(options.imageIDFile, []byte(imageID), 0666); err != nil {
+			return err
+		}
+	}
+	if !options.untrusted {
+		// Since the build was successful, now we must tag any of the resolved
+		// images from the above Dockerfile rewrite.
+		for _, resolved := range resolvedTags {
+			if err := TagTrusted(ctx, dockerCli, resolved.digestRef, resolved.tagRef); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func isLocalDir(c string) bool {
+	_, err := os.Stat(c)
+	return err == nil
+}
+
+type translatorFunc func(context.Context, reference.NamedTagged) (reference.Canonical, error)
+
+// validateTag checks if the given image name can be resolved.
+func validateTag(rawRepo string) (string, error) {
+	_, err := reference.ParseNormalizedNamed(rawRepo)
+	if err != nil {
+		return "", err
+	}
+
+	return rawRepo, nil
+}
+
+var dockerfileFromLinePattern = regexp.MustCompile(`(?i)^[\s]*FROM[ \f\r\t\v]+(?P<image>[^ \f\r\t\v\n#]+)`)
+
+// resolvedTag records the repository, tag, and resolved digest reference
+// from a Dockerfile rewrite.
+type resolvedTag struct {
+	digestRef reference.Canonical
+	tagRef    reference.NamedTagged
+}
+
+// rewriteDockerfileFromForContentTrust rewrites the given Dockerfile by resolving images in
+// "FROM <image>" instructions to a digest reference. `translator` is a
+// function that takes a repository name and tag reference and returns a
+// trusted digest reference.
+// This should be called *only* when content trust is enabled
+func rewriteDockerfileFromForContentTrust(ctx context.Context, dockerfile io.Reader, translator translatorFunc) (newDockerfile []byte, resolvedTags []*resolvedTag, err error) {
+	scanner := bufio.NewScanner(dockerfile)
+	buf := bytes.NewBuffer(nil)
+
+	// Scan the lines of the Dockerfile, looking for a "FROM" line.
+	for scanner.Scan() {
+		line := scanner.Text()
+
+		matches := dockerfileFromLinePattern.FindStringSubmatch(line)
+		if matches != nil && matches[1] != api.NoBaseImageSpecifier {
+			// Replace the line with a resolved "FROM repo@digest"
+			var ref reference.Named
+			ref, err = reference.ParseNormalizedNamed(matches[1])
+			if err != nil {
+				return nil, nil, err
+			}
+			ref = reference.TagNameOnly(ref)
+			if ref, ok := ref.(reference.NamedTagged); ok {
+				trustedRef, err := translator(ctx, ref)
+				if err != nil {
+					return nil, nil, err
+				}
+
+				line = dockerfileFromLinePattern.ReplaceAllLiteralString(line, fmt.Sprintf("FROM %s", reference.FamiliarString(trustedRef)))
+				resolvedTags = append(resolvedTags, &resolvedTag{
+					digestRef: trustedRef,
+					tagRef:    ref,
+				})
+			}
+		}
+
+		_, err := fmt.Fprintln(buf, line)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	return buf.Bytes(), resolvedTags, scanner.Err()
+}
+
+// replaceDockerfileForContentTrust wraps the given input tar archive stream and
+// uses the translator to replace the Dockerfile which uses a trusted reference.
+// Returns a new tar archive stream with the replaced Dockerfile.
+func replaceDockerfileForContentTrust(ctx context.Context, inputTarStream io.ReadCloser, dockerfileName string, translator translatorFunc, resolvedTags *[]*resolvedTag) io.ReadCloser {
+	pipeReader, pipeWriter := io.Pipe()
+	go func() {
+		tarReader := tar.NewReader(inputTarStream)
+		tarWriter := tar.NewWriter(pipeWriter)
+
+		defer inputTarStream.Close()
+
+		for {
+			hdr, err := tarReader.Next()
+			if err == io.EOF {
+				// Signals end of archive.
+				tarWriter.Close()
+				pipeWriter.Close()
+				return
+			}
+			if err != nil {
+				pipeWriter.CloseWithError(err)
+				return
+			}
+
+			content := io.Reader(tarReader)
+			if hdr.Name == dockerfileName {
+				// This entry is the Dockerfile. Since the tar archive was
+				// generated from a directory on the local filesystem, the
+				// Dockerfile will only appear once in the archive.
+				var newDockerfile []byte
+				newDockerfile, *resolvedTags, err = rewriteDockerfileFromForContentTrust(ctx, content, translator)
+				if err != nil {
+					pipeWriter.CloseWithError(err)
+					return
+				}
+				hdr.Size = int64(len(newDockerfile))
+				content = bytes.NewBuffer(newDockerfile)
+			}
+
+			if err := tarWriter.WriteHeader(hdr); err != nil {
+				pipeWriter.CloseWithError(err)
+				return
+			}
+
+			if _, err := io.Copy(tarWriter, content); err != nil {
+				pipeWriter.CloseWithError(err)
+				return
+			}
+		}
+	}()
+
+	return pipeReader
+}
+
+func imageBuildOptions(dockerCli command.Cli, options buildOptions) types.ImageBuildOptions {
+	configFile := dockerCli.ConfigFile()
+	return types.ImageBuildOptions{
+		Memory:         options.memory.Value(),
+		MemorySwap:     options.memorySwap.Value(),
+		Tags:           options.tags.GetAll(),
+		SuppressOutput: options.quiet,
+		NoCache:        options.noCache,
+		Remove:         options.rm,
+		ForceRemove:    options.forceRm,
+		PullParent:     options.pull,
+		Isolation:      container.Isolation(options.isolation),
+		CPUSetCPUs:     options.cpuSetCpus,
+		CPUSetMems:     options.cpuSetMems,
+		CPUShares:      options.cpuShares,
+		CPUQuota:       options.cpuQuota,
+		CPUPeriod:      options.cpuPeriod,
+		CgroupParent:   options.cgroupParent,
+		ShmSize:        options.shmSize.Value(),
+		Ulimits:        options.ulimits.GetList(),
+		BuildArgs:      configFile.ParseProxyConfig(dockerCli.Client().DaemonHost(), options.buildArgs.GetAll()),
+		Labels:         opts.ConvertKVStringsToMap(options.labels.GetAll()),
+		CacheFrom:      options.cacheFrom,
+		SecurityOpt:    options.securityOpt,
+		NetworkMode:    options.networkMode,
+		Squash:         options.squash,
+		ExtraHosts:     options.extraHosts.GetAll(),
+		Target:         options.target,
+		Platform:       options.platform,
+	}
+}
diff --git a/cli/cli/command/image/build/context.go b/cli/cli/command/image/build/context.go
new file mode 100644
index 00000000..b7170df8
--- /dev/null
+++ b/cli/cli/command/image/build/context.go
@@ -0,0 +1,425 @@
+package build
+
+import (
+	"archive/tar"
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/builder/remotecontext/git"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/fileutils"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/pools"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/pkg/errors"
+)
+
+const (
+	// DefaultDockerfileName is the Default filename with Docker commands, read by docker build
+	DefaultDockerfileName string = "Dockerfile"
+	// archiveHeaderSize is the number of bytes in an archive header
+	archiveHeaderSize = 512
+)
+
+// ValidateContextDirectory checks if all the contents of the directory
+// can be read and returns an error if some files can't be read
+// symlinks which point to non-existing files don't trigger an error
+func ValidateContextDirectory(srcPath string, excludes []string) error {
+	contextRoot, err := getContextRoot(srcPath)
+	if err != nil {
+		return err
+	}
+	return filepath.Walk(contextRoot, func(filePath string, f os.FileInfo, err error) error {
+		if err != nil {
+			if os.IsPermission(err) {
+				return errors.Errorf("can't stat '%s'", filePath)
+			}
+			if os.IsNotExist(err) {
+				return errors.Errorf("file ('%s') not found or excluded by .dockerignore", filePath)
+			}
+			return err
+		}
+
+		// skip this directory/file if it's not in the path, it won't get added to the context
+		if relFilePath, err := filepath.Rel(contextRoot, filePath); err != nil {
+			return err
+		} else if skip, err := fileutils.Matches(relFilePath, excludes); err != nil {
+			return err
+		} else if skip {
+			if f.IsDir() {
+				return filepath.SkipDir
+			}
+			return nil
+		}
+
+		// skip checking if symlinks point to non-existing files, such symlinks can be useful
+		// also skip named pipes, because they hanging on open
+		if f.Mode()&(os.ModeSymlink|os.ModeNamedPipe) != 0 {
+			return nil
+		}
+
+		if !f.IsDir() {
+			currentFile, err := os.Open(filePath)
+			if err != nil && os.IsPermission(err) {
+				return errors.Errorf("no permission to read from '%s'", filePath)
+			}
+			currentFile.Close()
+		}
+		return nil
+	})
+}
+
+// DetectArchiveReader detects whether the input stream is an archive or a
+// Dockerfile and returns a buffered version of input, safe to consume in lieu
+// of input. If an archive is detected, isArchive is set to true, and to false
+// otherwise, in which case it is safe to assume input represents the contents
+// of a Dockerfile.
+func DetectArchiveReader(input io.ReadCloser) (rc io.ReadCloser, isArchive bool, err error) {
+	buf := bufio.NewReader(input)
+
+	magic, err := buf.Peek(archiveHeaderSize)
+	if err != nil && err != io.EOF {
+		return nil, false, errors.Errorf("failed to peek context header from STDIN: %v", err)
+	}
+
+	return ioutils.NewReadCloserWrapper(buf, func() error { return input.Close() }), IsArchive(magic), nil
+}
+
+// WriteTempDockerfile writes a Dockerfile stream to a temporary file with a
+// name specified by DefaultDockerfileName and returns the path to the
+// temporary directory containing the Dockerfile.
+func WriteTempDockerfile(rc io.ReadCloser) (dockerfileDir string, err error) {
+	// err is a named return value, due to the defer call below.
+	dockerfileDir, err = ioutil.TempDir("", "docker-build-tempdockerfile-")
+	if err != nil {
+		return "", errors.Errorf("unable to create temporary context directory: %v", err)
+	}
+	defer func() {
+		if err != nil {
+			os.RemoveAll(dockerfileDir)
+		}
+	}()
+
+	f, err := os.Create(filepath.Join(dockerfileDir, DefaultDockerfileName))
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	if _, err := io.Copy(f, rc); err != nil {
+		return "", err
+	}
+	return dockerfileDir, rc.Close()
+}
+
+// GetContextFromReader will read the contents of the given reader as either a
+// Dockerfile or tar archive. Returns a tar archive used as a context and a
+// path to the Dockerfile inside the tar.
+func GetContextFromReader(rc io.ReadCloser, dockerfileName string) (out io.ReadCloser, relDockerfile string, err error) {
+	rc, isArchive, err := DetectArchiveReader(rc)
+	if err != nil {
+		return nil, "", err
+	}
+
+	if isArchive {
+		return rc, dockerfileName, nil
+	}
+
+	// Input should be read as a Dockerfile.
+
+	if dockerfileName == "-" {
+		return nil, "", errors.New("build context is not an archive")
+	}
+
+	dockerfileDir, err := WriteTempDockerfile(rc)
+	if err != nil {
+		return nil, "", err
+	}
+
+	tar, err := archive.Tar(dockerfileDir, archive.Uncompressed)
+	if err != nil {
+		return nil, "", err
+	}
+
+	return ioutils.NewReadCloserWrapper(tar, func() error {
+		err := tar.Close()
+		os.RemoveAll(dockerfileDir)
+		return err
+	}), DefaultDockerfileName, nil
+}
+
+// IsArchive checks for the magic bytes of a tar or any supported compression
+// algorithm.
+func IsArchive(header []byte) bool {
+	compression := archive.DetectCompression(header)
+	if compression != archive.Uncompressed {
+		return true
+	}
+	r := tar.NewReader(bytes.NewBuffer(header))
+	_, err := r.Next()
+	return err == nil
+}
+
+// GetContextFromGitURL uses a Git URL as context for a `docker build`. The
+// git repo is cloned into a temporary directory used as the context directory.
+// Returns the absolute path to the temporary context directory, the relative
+// path of the dockerfile in that context directory, and a non-nil error on
+// success.
+func GetContextFromGitURL(gitURL, dockerfileName string) (string, string, error) {
+	if _, err := exec.LookPath("git"); err != nil {
+		return "", "", errors.Wrapf(err, "unable to find 'git'")
+	}
+	absContextDir, err := git.Clone(gitURL)
+	if err != nil {
+		return "", "", errors.Wrapf(err, "unable to 'git clone' to temporary context directory")
+	}
+
+	absContextDir, err = ResolveAndValidateContextPath(absContextDir)
+	if err != nil {
+		return "", "", err
+	}
+	relDockerfile, err := getDockerfileRelPath(absContextDir, dockerfileName)
+	if err == nil && strings.HasPrefix(relDockerfile, ".."+string(filepath.Separator)) {
+		return "", "", errors.Errorf("the Dockerfile (%s) must be within the build context", dockerfileName)
+	}
+
+	return absContextDir, relDockerfile, err
+}
+
+// GetContextFromURL uses a remote URL as context for a `docker build`. The
+// remote resource is downloaded as either a Dockerfile or a tar archive.
+// Returns the tar archive used for the context and a path of the
+// dockerfile inside the tar.
+func GetContextFromURL(out io.Writer, remoteURL, dockerfileName string) (io.ReadCloser, string, error) {
+	response, err := getWithStatusError(remoteURL)
+	if err != nil {
+		return nil, "", errors.Errorf("unable to download remote context %s: %v", remoteURL, err)
+	}
+	progressOutput := streamformatter.NewProgressOutput(out)
+
+	// Pass the response body through a progress reader.
+	progReader := progress.NewProgressReader(response.Body, progressOutput, response.ContentLength, "", fmt.Sprintf("Downloading build context from remote url: %s", remoteURL))
+
+	return GetContextFromReader(ioutils.NewReadCloserWrapper(progReader, func() error { return response.Body.Close() }), dockerfileName)
+}
+
+// getWithStatusError does an http.Get() and returns an error if the
+// status code is 4xx or 5xx.
+func getWithStatusError(url string) (resp *http.Response, err error) {
+	if resp, err = http.Get(url); err != nil {
+		return nil, err
+	}
+	if resp.StatusCode < 400 {
+		return resp, nil
+	}
+	msg := fmt.Sprintf("failed to GET %s with status %s", url, resp.Status)
+	body, err := ioutil.ReadAll(resp.Body)
+	resp.Body.Close()
+	if err != nil {
+		return nil, errors.Wrapf(err, msg+": error reading body")
+	}
+	return nil, errors.Errorf(msg+": %s", bytes.TrimSpace(body))
+}
+
+// GetContextFromLocalDir uses the given local directory as context for a
+// `docker build`. Returns the absolute path to the local context directory,
+// the relative path of the dockerfile in that context directory, and a non-nil
+// error on success.
+func GetContextFromLocalDir(localDir, dockerfileName string) (string, string, error) {
+	localDir, err := ResolveAndValidateContextPath(localDir)
+	if err != nil {
+		return "", "", err
+	}
+
+	// When using a local context directory, and the Dockerfile is specified
+	// with the `-f/--file` option then it is considered relative to the
+	// current directory and not the context directory.
+	if dockerfileName != "" && dockerfileName != "-" {
+		if dockerfileName, err = filepath.Abs(dockerfileName); err != nil {
+			return "", "", errors.Errorf("unable to get absolute path to Dockerfile: %v", err)
+		}
+	}
+
+	relDockerfile, err := getDockerfileRelPath(localDir, dockerfileName)
+	return localDir, relDockerfile, err
+}
+
+// ResolveAndValidateContextPath uses the given context directory for a `docker build`
+// and returns the absolute path to the context directory.
+func ResolveAndValidateContextPath(givenContextDir string) (string, error) {
+	absContextDir, err := filepath.Abs(givenContextDir)
+	if err != nil {
+		return "", errors.Errorf("unable to get absolute context directory of given context directory %q: %v", givenContextDir, err)
+	}
+
+	// The context dir might be a symbolic link, so follow it to the actual
+	// target directory.
+	//
+	// FIXME. We use isUNC (always false on non-Windows platforms) to workaround
+	// an issue in golang. On Windows, EvalSymLinks does not work on UNC file
+	// paths (those starting with \\). This hack means that when using links
+	// on UNC paths, they will not be followed.
+	if !isUNC(absContextDir) {
+		absContextDir, err = filepath.EvalSymlinks(absContextDir)
+		if err != nil {
+			return "", errors.Errorf("unable to evaluate symlinks in context path: %v", err)
+		}
+	}
+
+	stat, err := os.Lstat(absContextDir)
+	if err != nil {
+		return "", errors.Errorf("unable to stat context directory %q: %v", absContextDir, err)
+	}
+
+	if !stat.IsDir() {
+		return "", errors.Errorf("context must be a directory: %s", absContextDir)
+	}
+	return absContextDir, err
+}
+
+// getDockerfileRelPath returns the dockerfile path relative to the context
+// directory
+func getDockerfileRelPath(absContextDir, givenDockerfile string) (string, error) {
+	var err error
+
+	if givenDockerfile == "-" {
+		return givenDockerfile, nil
+	}
+
+	absDockerfile := givenDockerfile
+	if absDockerfile == "" {
+		// No -f/--file was specified so use the default relative to the
+		// context directory.
+		absDockerfile = filepath.Join(absContextDir, DefaultDockerfileName)
+
+		// Just to be nice ;-) look for 'dockerfile' too but only
+		// use it if we found it, otherwise ignore this check
+		if _, err = os.Lstat(absDockerfile); os.IsNotExist(err) {
+			altPath := filepath.Join(absContextDir, strings.ToLower(DefaultDockerfileName))
+			if _, err = os.Lstat(altPath); err == nil {
+				absDockerfile = altPath
+			}
+		}
+	}
+
+	// If not already an absolute path, the Dockerfile path should be joined to
+	// the base directory.
+	if !filepath.IsAbs(absDockerfile) {
+		absDockerfile = filepath.Join(absContextDir, absDockerfile)
+	}
+
+	// Evaluate symlinks in the path to the Dockerfile too.
+	//
+	// FIXME. We use isUNC (always false on non-Windows platforms) to workaround
+	// an issue in golang. On Windows, EvalSymLinks does not work on UNC file
+	// paths (those starting with \\). This hack means that when using links
+	// on UNC paths, they will not be followed.
+	if !isUNC(absDockerfile) {
+		absDockerfile, err = filepath.EvalSymlinks(absDockerfile)
+		if err != nil {
+			return "", errors.Errorf("unable to evaluate symlinks in Dockerfile path: %v", err)
+
+		}
+	}
+
+	if _, err := os.Lstat(absDockerfile); err != nil {
+		if os.IsNotExist(err) {
+			return "", errors.Errorf("Cannot locate Dockerfile: %q", absDockerfile)
+		}
+		return "", errors.Errorf("unable to stat Dockerfile: %v", err)
+	}
+
+	relDockerfile, err := filepath.Rel(absContextDir, absDockerfile)
+	if err != nil {
+		return "", errors.Errorf("unable to get relative Dockerfile path: %v", err)
+	}
+
+	return relDockerfile, nil
+}
+
+// isUNC returns true if the path is UNC (one starting \\). It always returns
+// false on Linux.
+func isUNC(path string) bool {
+	return runtime.GOOS == "windows" && strings.HasPrefix(path, `\\`)
+}
+
+// AddDockerfileToBuildContext from a ReadCloser, returns a new archive and
+// the relative path to the dockerfile in the context.
+func AddDockerfileToBuildContext(dockerfileCtx io.ReadCloser, buildCtx io.ReadCloser) (io.ReadCloser, string, error) {
+	file, err := ioutil.ReadAll(dockerfileCtx)
+	dockerfileCtx.Close()
+	if err != nil {
+		return nil, "", err
+	}
+	now := time.Now()
+	hdrTmpl := &tar.Header{
+		Mode:       0600,
+		Uid:        0,
+		Gid:        0,
+		ModTime:    now,
+		Typeflag:   tar.TypeReg,
+		AccessTime: now,
+		ChangeTime: now,
+	}
+	randomName := ".dockerfile." + stringid.GenerateRandomID()[:20]
+
+	buildCtx = archive.ReplaceFileTarWrapper(buildCtx, map[string]archive.TarModifierFunc{
+		// Add the dockerfile with a random filename
+		randomName: func(_ string, h *tar.Header, content io.Reader) (*tar.Header, []byte, error) {
+			return hdrTmpl, file, nil
+		},
+		// Update .dockerignore to include the random filename
+		".dockerignore": func(_ string, h *tar.Header, content io.Reader) (*tar.Header, []byte, error) {
+			if h == nil {
+				h = hdrTmpl
+			}
+
+			b := &bytes.Buffer{}
+			if content != nil {
+				if _, err := b.ReadFrom(content); err != nil {
+					return nil, nil, err
+				}
+			} else {
+				b.WriteString(".dockerignore")
+			}
+			b.WriteString("\n" + randomName + "\n")
+			return h, b.Bytes(), nil
+		},
+	})
+	return buildCtx, randomName, nil
+}
+
+// Compress the build context for sending to the API
+func Compress(buildCtx io.ReadCloser) (io.ReadCloser, error) {
+	pipeReader, pipeWriter := io.Pipe()
+
+	go func() {
+		compressWriter, err := archive.CompressStream(pipeWriter, archive.Gzip)
+		if err != nil {
+			pipeWriter.CloseWithError(err)
+		}
+		defer buildCtx.Close()
+
+		if _, err := pools.Copy(compressWriter, buildCtx); err != nil {
+			pipeWriter.CloseWithError(
+				errors.Wrap(err, "failed to compress context"))
+			compressWriter.Close()
+			return
+		}
+		compressWriter.Close()
+		pipeWriter.Close()
+	}()
+
+	return pipeReader, nil
+}
diff --git a/cli/cli/command/image/build/context_test.go b/cli/cli/command/image/build/context_test.go
new file mode 100644
index 00000000..d74add88
--- /dev/null
+++ b/cli/cli/command/image/build/context_test.go
@@ -0,0 +1,299 @@
+package build
+
+import (
+	"archive/tar"
+	"bytes"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/pkg/archive"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+const dockerfileContents = "FROM busybox"
+
+var prepareEmpty = func(t *testing.T) (string, func()) {
+	return "", func() {}
+}
+
+var prepareNoFiles = func(t *testing.T) (string, func()) {
+	return createTestTempDir(t, "", "builder-context-test")
+}
+
+var prepareOneFile = func(t *testing.T) (string, func()) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-context-test")
+	createTestTempFile(t, contextDir, DefaultDockerfileName, dockerfileContents, 0777)
+	return contextDir, cleanup
+}
+
+func testValidateContextDirectory(t *testing.T, prepare func(t *testing.T) (string, func()), excludes []string) {
+	contextDir, cleanup := prepare(t)
+	defer cleanup()
+
+	err := ValidateContextDirectory(contextDir, excludes)
+	assert.NilError(t, err)
+}
+
+func TestGetContextFromLocalDirNoDockerfile(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-context-test")
+	defer cleanup()
+
+	_, _, err := GetContextFromLocalDir(contextDir, "")
+	assert.ErrorContains(t, err, "Dockerfile")
+}
+
+func TestGetContextFromLocalDirNotExistingDir(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-context-test")
+	defer cleanup()
+
+	fakePath := filepath.Join(contextDir, "fake")
+
+	_, _, err := GetContextFromLocalDir(fakePath, "")
+	assert.ErrorContains(t, err, "fake")
+}
+
+func TestGetContextFromLocalDirNotExistingDockerfile(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-context-test")
+	defer cleanup()
+
+	fakePath := filepath.Join(contextDir, "fake")
+
+	_, _, err := GetContextFromLocalDir(contextDir, fakePath)
+	assert.ErrorContains(t, err, "fake")
+}
+
+func TestGetContextFromLocalDirWithNoDirectory(t *testing.T) {
+	contextDir, dirCleanup := createTestTempDir(t, "", "builder-context-test")
+	defer dirCleanup()
+
+	createTestTempFile(t, contextDir, DefaultDockerfileName, dockerfileContents, 0777)
+
+	chdirCleanup := chdir(t, contextDir)
+	defer chdirCleanup()
+
+	absContextDir, relDockerfile, err := GetContextFromLocalDir(contextDir, "")
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(contextDir, absContextDir))
+	assert.Check(t, is.Equal(DefaultDockerfileName, relDockerfile))
+}
+
+func TestGetContextFromLocalDirWithDockerfile(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-context-test")
+	defer cleanup()
+
+	createTestTempFile(t, contextDir, DefaultDockerfileName, dockerfileContents, 0777)
+
+	absContextDir, relDockerfile, err := GetContextFromLocalDir(contextDir, "")
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(contextDir, absContextDir))
+	assert.Check(t, is.Equal(DefaultDockerfileName, relDockerfile))
+}
+
+func TestGetContextFromLocalDirLocalFile(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-context-test")
+	defer cleanup()
+
+	createTestTempFile(t, contextDir, DefaultDockerfileName, dockerfileContents, 0777)
+	testFilename := createTestTempFile(t, contextDir, "tmpTest", "test", 0777)
+
+	absContextDir, relDockerfile, err := GetContextFromLocalDir(testFilename, "")
+
+	if err == nil {
+		t.Fatalf("Error should not be nil")
+	}
+
+	if absContextDir != "" {
+		t.Fatalf("Absolute directory path should be empty, got: %s", absContextDir)
+	}
+
+	if relDockerfile != "" {
+		t.Fatalf("Relative path to Dockerfile should be empty, got: %s", relDockerfile)
+	}
+}
+
+func TestGetContextFromLocalDirWithCustomDockerfile(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-context-test")
+	defer cleanup()
+
+	chdirCleanup := chdir(t, contextDir)
+	defer chdirCleanup()
+
+	createTestTempFile(t, contextDir, DefaultDockerfileName, dockerfileContents, 0777)
+
+	absContextDir, relDockerfile, err := GetContextFromLocalDir(contextDir, DefaultDockerfileName)
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(contextDir, absContextDir))
+	assert.Check(t, is.Equal(DefaultDockerfileName, relDockerfile))
+}
+
+func TestGetContextFromReaderString(t *testing.T) {
+	tarArchive, relDockerfile, err := GetContextFromReader(ioutil.NopCloser(strings.NewReader(dockerfileContents)), "")
+
+	if err != nil {
+		t.Fatalf("Error when executing GetContextFromReader: %s", err)
+	}
+
+	tarReader := tar.NewReader(tarArchive)
+
+	_, err = tarReader.Next()
+
+	if err != nil {
+		t.Fatalf("Error when reading tar archive: %s", err)
+	}
+
+	buff := new(bytes.Buffer)
+	buff.ReadFrom(tarReader)
+	contents := buff.String()
+
+	_, err = tarReader.Next()
+
+	if err != io.EOF {
+		t.Fatalf("Tar stream too long: %s", err)
+	}
+
+	assert.NilError(t, tarArchive.Close())
+
+	if dockerfileContents != contents {
+		t.Fatalf("Uncompressed tar archive does not equal: %s, got: %s", dockerfileContents, contents)
+	}
+
+	if relDockerfile != DefaultDockerfileName {
+		t.Fatalf("Relative path not equals %s, got: %s", DefaultDockerfileName, relDockerfile)
+	}
+}
+
+func TestGetContextFromReaderTar(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-context-test")
+	defer cleanup()
+
+	createTestTempFile(t, contextDir, DefaultDockerfileName, dockerfileContents, 0777)
+
+	tarStream, err := archive.Tar(contextDir, archive.Uncompressed)
+	assert.NilError(t, err)
+
+	tarArchive, relDockerfile, err := GetContextFromReader(tarStream, DefaultDockerfileName)
+	assert.NilError(t, err)
+
+	tarReader := tar.NewReader(tarArchive)
+
+	header, err := tarReader.Next()
+	assert.NilError(t, err)
+
+	if header.Name != DefaultDockerfileName {
+		t.Fatalf("Dockerfile name should be: %s, got: %s", DefaultDockerfileName, header.Name)
+	}
+
+	buff := new(bytes.Buffer)
+	buff.ReadFrom(tarReader)
+	contents := buff.String()
+
+	_, err = tarReader.Next()
+
+	if err != io.EOF {
+		t.Fatalf("Tar stream too long: %s", err)
+	}
+
+	assert.NilError(t, tarArchive.Close())
+
+	if dockerfileContents != contents {
+		t.Fatalf("Uncompressed tar archive does not equal: %s, got: %s", dockerfileContents, contents)
+	}
+
+	if relDockerfile != DefaultDockerfileName {
+		t.Fatalf("Relative path not equals %s, got: %s", DefaultDockerfileName, relDockerfile)
+	}
+}
+
+func TestValidateContextDirectoryEmptyContext(t *testing.T) {
+	// This isn't a valid test on Windows. See https://play.golang.org/p/RR6z6jxR81.
+	// The test will ultimately end up calling filepath.Abs(""). On Windows,
+	// golang will error. On Linux, golang will return /. Due to there being
+	// drive letters on Windows, this is probably the correct behaviour for
+	// Windows.
+	if runtime.GOOS == "windows" {
+		t.Skip("Invalid test on Windows")
+	}
+	testValidateContextDirectory(t, prepareEmpty, []string{})
+}
+
+func TestValidateContextDirectoryContextWithNoFiles(t *testing.T) {
+	testValidateContextDirectory(t, prepareNoFiles, []string{})
+}
+
+func TestValidateContextDirectoryWithOneFile(t *testing.T) {
+	testValidateContextDirectory(t, prepareOneFile, []string{})
+}
+
+func TestValidateContextDirectoryWithOneFileExcludes(t *testing.T) {
+	testValidateContextDirectory(t, prepareOneFile, []string{DefaultDockerfileName})
+}
+
+// createTestTempDir creates a temporary directory for testing.
+// It returns the created path and a cleanup function which is meant to be used as deferred call.
+// When an error occurs, it terminates the test.
+func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) {
+	path, err := ioutil.TempDir(dir, prefix)
+	assert.NilError(t, err)
+	return path, func() { assert.NilError(t, os.RemoveAll(path)) }
+}
+
+// createTestTempFile creates a temporary file within dir with specific contents and permissions.
+// When an error occurs, it terminates the test
+func createTestTempFile(t *testing.T, dir, filename, contents string, perm os.FileMode) string {
+	filePath := filepath.Join(dir, filename)
+	err := ioutil.WriteFile(filePath, []byte(contents), perm)
+	assert.NilError(t, err)
+	return filePath
+}
+
+// chdir changes current working directory to dir.
+// It returns a function which changes working directory back to the previous one.
+// This function is meant to be executed as a deferred call.
+// When an error occurs, it terminates the test.
+func chdir(t *testing.T, dir string) func() {
+	workingDirectory, err := os.Getwd()
+	assert.NilError(t, err)
+	assert.NilError(t, os.Chdir(dir))
+	return func() { assert.NilError(t, os.Chdir(workingDirectory)) }
+}
+
+func TestIsArchive(t *testing.T) {
+	var testcases = []struct {
+		doc      string
+		header   []byte
+		expected bool
+	}{
+		{
+			doc:      "nil is not a valid header",
+			header:   nil,
+			expected: false,
+		},
+		{
+			doc:      "invalid header bytes",
+			header:   []byte{0x00, 0x01, 0x02},
+			expected: false,
+		},
+		{
+			doc:      "header for bzip2 archive",
+			header:   []byte{0x42, 0x5A, 0x68},
+			expected: true,
+		},
+		{
+			doc:      "header for 7zip archive is not supported",
+			header:   []byte{0x50, 0x4b, 0x03, 0x04},
+			expected: false,
+		},
+	}
+	for _, testcase := range testcases {
+		assert.Check(t, is.Equal(testcase.expected, IsArchive(testcase.header)), testcase.doc)
+	}
+}
diff --git a/cli/cli/command/image/build/context_unix.go b/cli/cli/command/image/build/context_unix.go
new file mode 100644
index 00000000..cb2634f0
--- /dev/null
+++ b/cli/cli/command/image/build/context_unix.go
@@ -0,0 +1,11 @@
+// +build !windows
+
+package build
+
+import (
+	"path/filepath"
+)
+
+func getContextRoot(srcPath string) (string, error) {
+	return filepath.Join(srcPath, "."), nil
+}
diff --git a/cli/cli/command/image/build/context_windows.go b/cli/cli/command/image/build/context_windows.go
new file mode 100644
index 00000000..c577cfa7
--- /dev/null
+++ b/cli/cli/command/image/build/context_windows.go
@@ -0,0 +1,17 @@
+// +build windows
+
+package build
+
+import (
+	"path/filepath"
+
+	"github.com/docker/docker/pkg/longpath"
+)
+
+func getContextRoot(srcPath string) (string, error) {
+	cr, err := filepath.Abs(srcPath)
+	if err != nil {
+		return "", err
+	}
+	return longpath.AddPrefix(cr), nil
+}
diff --git a/cli/cli/command/image/build/dockerignore.go b/cli/cli/command/image/build/dockerignore.go
new file mode 100644
index 00000000..497c3f24
--- /dev/null
+++ b/cli/cli/command/image/build/dockerignore.go
@@ -0,0 +1,39 @@
+package build
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/builder/dockerignore"
+	"github.com/docker/docker/pkg/fileutils"
+)
+
+// ReadDockerignore reads the .dockerignore file in the context directory and
+// returns the list of paths to exclude
+func ReadDockerignore(contextDir string) ([]string, error) {
+	var excludes []string
+
+	f, err := os.Open(filepath.Join(contextDir, ".dockerignore"))
+	switch {
+	case os.IsNotExist(err):
+		return excludes, nil
+	case err != nil:
+		return nil, err
+	}
+	defer f.Close()
+
+	return dockerignore.ReadAll(f)
+}
+
+// TrimBuildFilesFromExcludes removes the named Dockerfile and .dockerignore from
+// the list of excluded files. The daemon will remove them from the final context
+// but they must be in available in the context when passed to the API.
+func TrimBuildFilesFromExcludes(excludes []string, dockerfile string, dockerfileFromStdin bool) []string {
+	if keep, _ := fileutils.Matches(".dockerignore", excludes); keep {
+		excludes = append(excludes, "!.dockerignore")
+	}
+	if keep, _ := fileutils.Matches(dockerfile, excludes); keep && !dockerfileFromStdin {
+		excludes = append(excludes, "!"+dockerfile)
+	}
+	return excludes
+}
diff --git a/cli/cli/command/image/build_buildkit.go b/cli/cli/command/image/build_buildkit.go
new file mode 100644
index 00000000..4427bb18
--- /dev/null
+++ b/cli/cli/command/image/build_buildkit.go
@@ -0,0 +1,346 @@
+package image
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/containerd/console"
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image/build"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/urlutil"
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/session/auth/authprovider"
+	"github.com/moby/buildkit/session/filesync"
+	"github.com/moby/buildkit/util/appcontext"
+	"github.com/moby/buildkit/util/progress/progressui"
+	"github.com/pkg/errors"
+	"github.com/tonistiigi/fsutil"
+	"golang.org/x/sync/errgroup"
+)
+
+const uploadRequestRemote = "upload-request"
+
+var errDockerfileConflict = errors.New("ambiguous Dockerfile source: both stdin and flag correspond to Dockerfiles")
+
+//nolint: gocyclo
+func runBuildBuildKit(dockerCli command.Cli, options buildOptions) error {
+	ctx := appcontext.Context()
+
+	s, err := trySession(dockerCli, options.context)
+	if err != nil {
+		return err
+	}
+	if s == nil {
+		return errors.Errorf("buildkit not supported by daemon")
+	}
+
+	if options.imageIDFile != "" {
+		// Avoid leaving a stale file if we eventually fail
+		if err := os.Remove(options.imageIDFile); err != nil && !os.IsNotExist(err) {
+			return errors.Wrap(err, "removing image ID file")
+		}
+	}
+
+	var (
+		remote           string
+		body             io.Reader
+		dockerfileName   = options.dockerfileName
+		dockerfileReader io.ReadCloser
+		dockerfileDir    string
+		contextDir       string
+	)
+
+	switch {
+	case options.contextFromStdin():
+		if options.dockerfileFromStdin() {
+			return errStdinConflict
+		}
+		rc, isArchive, err := build.DetectArchiveReader(os.Stdin)
+		if err != nil {
+			return err
+		}
+		if isArchive {
+			body = rc
+			remote = uploadRequestRemote
+		} else {
+			if options.dockerfileName != "" {
+				return errDockerfileConflict
+			}
+			dockerfileReader = rc
+			remote = clientSessionRemote
+			// TODO: make fssync handle empty contextdir
+			contextDir, _ = ioutil.TempDir("", "empty-dir")
+			defer os.RemoveAll(contextDir)
+		}
+	case isLocalDir(options.context):
+		contextDir = options.context
+		if options.dockerfileFromStdin() {
+			dockerfileReader = os.Stdin
+		} else if options.dockerfileName != "" {
+			dockerfileName = filepath.Base(options.dockerfileName)
+			dockerfileDir = filepath.Dir(options.dockerfileName)
+		} else {
+			dockerfileDir = options.context
+		}
+		remote = clientSessionRemote
+	case urlutil.IsGitURL(options.context):
+		remote = options.context
+	case urlutil.IsURL(options.context):
+		remote = options.context
+	default:
+		return errors.Errorf("unable to prepare context: path %q not found", options.context)
+	}
+
+	if dockerfileReader != nil {
+		dockerfileName = build.DefaultDockerfileName
+		dockerfileDir, err = build.WriteTempDockerfile(dockerfileReader)
+		if err != nil {
+			return err
+		}
+		defer os.RemoveAll(dockerfileDir)
+	}
+
+	if dockerfileDir != "" {
+		s.Allow(filesync.NewFSSyncProvider([]filesync.SyncedDir{
+			{
+				Name: "context",
+				Dir:  contextDir,
+				Map:  resetUIDAndGID,
+			},
+			{
+				Name: "dockerfile",
+				Dir:  dockerfileDir,
+			},
+		}))
+	}
+
+	s.Allow(authprovider.NewDockerAuthProvider())
+
+	eg, ctx := errgroup.WithContext(ctx)
+
+	eg.Go(func() error {
+		return s.Run(context.TODO(), dockerCli.Client().DialSession)
+	})
+
+	buildID := stringid.GenerateRandomID()
+	if body != nil {
+		eg.Go(func() error {
+			buildOptions := types.ImageBuildOptions{
+				Version: types.BuilderBuildKit,
+				BuildID: uploadRequestRemote + ":" + buildID,
+			}
+
+			response, err := dockerCli.Client().ImageBuild(context.Background(), body, buildOptions)
+			if err != nil {
+				return err
+			}
+			defer response.Body.Close()
+			return nil
+		})
+	}
+
+	eg.Go(func() error {
+		defer func() { // make sure the Status ends cleanly on build errors
+			s.Close()
+		}()
+
+		buildOptions := imageBuildOptions(dockerCli, options)
+		buildOptions.Version = types.BuilderBuildKit
+		buildOptions.Dockerfile = dockerfileName
+		//buildOptions.AuthConfigs = authConfigs   // handled by session
+		buildOptions.RemoteContext = remote
+		buildOptions.SessionID = s.ID()
+		buildOptions.BuildID = buildID
+		return doBuild(ctx, eg, dockerCli, options, buildOptions)
+	})
+
+	return eg.Wait()
+}
+
+//nolint: gocyclo
+func doBuild(ctx context.Context, eg *errgroup.Group, dockerCli command.Cli, options buildOptions, buildOptions types.ImageBuildOptions) (finalErr error) {
+	response, err := dockerCli.Client().ImageBuild(context.Background(), nil, buildOptions)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+
+	done := make(chan struct{})
+	defer close(done)
+	eg.Go(func() error {
+		select {
+		case <-ctx.Done():
+			return dockerCli.Client().BuildCancel(context.TODO(), buildOptions.BuildID)
+		case <-done:
+		}
+		return nil
+	})
+
+	t := newTracer()
+	ssArr := []*client.SolveStatus{}
+
+	displayStatus := func(out *os.File, displayCh chan *client.SolveStatus) {
+		var c console.Console
+		// TODO: Handle interactive output in non-interactive environment.
+		consoleOpt := options.console.Value()
+		if cons, err := console.ConsoleFromFile(out); err == nil && (consoleOpt == nil || *consoleOpt) {
+			c = cons
+		}
+		// not using shared context to not disrupt display but let is finish reporting errors
+		eg.Go(func() error {
+			return progressui.DisplaySolveStatus(context.TODO(), c, out, displayCh)
+		})
+	}
+
+	if options.quiet {
+		eg.Go(func() error {
+			// TODO: make sure t.displayCh closes
+			for ss := range t.displayCh {
+				ssArr = append(ssArr, ss)
+			}
+			<-done
+			// TODO: verify that finalErr is indeed set when error occurs
+			if finalErr != nil {
+				displayCh := make(chan *client.SolveStatus)
+				go func() {
+					for _, ss := range ssArr {
+						displayCh <- ss
+					}
+					close(displayCh)
+				}()
+				displayStatus(os.Stderr, displayCh)
+			}
+			return nil
+		})
+	} else {
+		displayStatus(os.Stdout, t.displayCh)
+	}
+	defer close(t.displayCh)
+
+	buf := bytes.NewBuffer(nil)
+
+	imageID := ""
+	writeAux := func(msg jsonmessage.JSONMessage) {
+		if msg.ID == "moby.image.id" {
+			var result types.BuildResult
+			if err := json.Unmarshal(*msg.Aux, &result); err != nil {
+				fmt.Fprintf(dockerCli.Err(), "failed to parse aux message: %v", err)
+			}
+			imageID = result.ID
+			return
+		}
+		t.write(msg)
+	}
+
+	err = jsonmessage.DisplayJSONMessagesStream(response.Body, buf, dockerCli.Out().FD(), dockerCli.Out().IsTerminal(), writeAux)
+	if err != nil {
+		if jerr, ok := err.(*jsonmessage.JSONError); ok {
+			// If no error code is set, default to 1
+			if jerr.Code == 0 {
+				jerr.Code = 1
+			}
+			return cli.StatusError{Status: jerr.Message, StatusCode: jerr.Code}
+		}
+	}
+
+	// Everything worked so if -q was provided the output from the daemon
+	// should be just the image ID and we'll print that to stdout.
+	//
+	// TODO: we may want to use Aux messages with ID "moby.image.id" regardless of options.quiet (i.e. don't send HTTP param q=1)
+	// instead of assuming that output is image ID if options.quiet.
+	if options.quiet {
+		imageID = buf.String()
+		fmt.Fprint(dockerCli.Out(), imageID)
+	}
+
+	if options.imageIDFile != "" {
+		if imageID == "" {
+			return errors.Errorf("cannot write %s because server did not provide an image ID", options.imageIDFile)
+		}
+		imageID = strings.TrimSpace(imageID)
+		if err := ioutil.WriteFile(options.imageIDFile, []byte(imageID), 0666); err != nil {
+			return errors.Wrap(err, "cannot write image ID file")
+		}
+	}
+	return err
+}
+
+func resetUIDAndGID(s *fsutil.Stat) bool {
+	s.Uid = 0
+	s.Gid = 0
+	return true
+}
+
+type tracer struct {
+	displayCh chan *client.SolveStatus
+}
+
+func newTracer() *tracer {
+	return &tracer{
+		displayCh: make(chan *client.SolveStatus),
+	}
+}
+
+func (t *tracer) write(msg jsonmessage.JSONMessage) {
+	var resp controlapi.StatusResponse
+
+	if msg.ID != "moby.buildkit.trace" {
+		return
+	}
+
+	var dt []byte
+	// ignoring all messages that are not understood
+	if err := json.Unmarshal(*msg.Aux, &dt); err != nil {
+		return
+	}
+	if err := (&resp).Unmarshal(dt); err != nil {
+		return
+	}
+
+	s := client.SolveStatus{}
+	for _, v := range resp.Vertexes {
+		s.Vertexes = append(s.Vertexes, &client.Vertex{
+			Digest:    v.Digest,
+			Inputs:    v.Inputs,
+			Name:      v.Name,
+			Started:   v.Started,
+			Completed: v.Completed,
+			Error:     v.Error,
+			Cached:    v.Cached,
+		})
+	}
+	for _, v := range resp.Statuses {
+		s.Statuses = append(s.Statuses, &client.VertexStatus{
+			ID:        v.ID,
+			Vertex:    v.Vertex,
+			Name:      v.Name,
+			Total:     v.Total,
+			Current:   v.Current,
+			Timestamp: v.Timestamp,
+			Started:   v.Started,
+			Completed: v.Completed,
+		})
+	}
+	for _, v := range resp.Logs {
+		s.Logs = append(s.Logs, &client.VertexLog{
+			Vertex:    v.Vertex,
+			Stream:    int(v.Stream),
+			Data:      v.Msg,
+			Timestamp: v.Timestamp,
+		})
+	}
+
+	t.displayCh <- &s
+}
diff --git a/cli/cli/command/image/build_session.go b/cli/cli/command/image/build_session.go
new file mode 100644
index 00000000..d4cda82f
--- /dev/null
+++ b/cli/cli/command/image/build_session.go
@@ -0,0 +1,158 @@
+package image
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image/build"
+	cliconfig "github.com/docker/cli/cli/config"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/filesync"
+	"github.com/pkg/errors"
+	"golang.org/x/time/rate"
+)
+
+const clientSessionRemote = "client-session"
+
+func isSessionSupported(dockerCli command.Cli) bool {
+	return dockerCli.ServerInfo().HasExperimental && versions.GreaterThanOrEqualTo(dockerCli.Client().ClientVersion(), "1.31")
+}
+
+func trySession(dockerCli command.Cli, contextDir string) (*session.Session, error) {
+	var s *session.Session
+	if isSessionSupported(dockerCli) {
+		sharedKey, err := getBuildSharedKey(contextDir)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get build shared key")
+		}
+		s, err = session.NewSession(context.Background(), filepath.Base(contextDir), sharedKey)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to create session")
+		}
+	}
+	return s, nil
+}
+
+func addDirToSession(session *session.Session, contextDir string, progressOutput progress.Output, done chan error) error {
+	excludes, err := build.ReadDockerignore(contextDir)
+	if err != nil {
+		return err
+	}
+
+	p := &sizeProgress{out: progressOutput, action: "Streaming build context to Docker daemon"}
+
+	workdirProvider := filesync.NewFSSyncProvider([]filesync.SyncedDir{
+		{Dir: contextDir, Excludes: excludes},
+	})
+	session.Allow(workdirProvider)
+
+	// this will be replaced on parallel build jobs. keep the current
+	// progressbar for now
+	if snpc, ok := workdirProvider.(interface {
+		SetNextProgressCallback(func(int, bool), chan error)
+	}); ok {
+		snpc.SetNextProgressCallback(p.update, done)
+	}
+
+	return nil
+}
+
+type sizeProgress struct {
+	out     progress.Output
+	action  string
+	limiter *rate.Limiter
+}
+
+func (sp *sizeProgress) update(size int, last bool) {
+	if sp.limiter == nil {
+		sp.limiter = rate.NewLimiter(rate.Every(100*time.Millisecond), 1)
+	}
+	if last || sp.limiter.Allow() {
+		sp.out.WriteProgress(progress.Progress{Action: sp.action, Current: int64(size), LastUpdate: last})
+	}
+}
+
+type bufferedWriter struct {
+	done chan error
+	io.Writer
+	buf     *bytes.Buffer
+	flushed chan struct{}
+	mu      sync.Mutex
+}
+
+func newBufferedWriter(done chan error, w io.Writer) *bufferedWriter {
+	bw := &bufferedWriter{done: done, Writer: w, buf: new(bytes.Buffer), flushed: make(chan struct{})}
+	go func() {
+		<-done
+		bw.flushBuffer()
+	}()
+	return bw
+}
+
+func (bw *bufferedWriter) Write(dt []byte) (int, error) {
+	select {
+	case <-bw.done:
+		bw.flushBuffer()
+		return bw.Writer.Write(dt)
+	default:
+		return bw.buf.Write(dt)
+	}
+}
+
+func (bw *bufferedWriter) flushBuffer() {
+	bw.mu.Lock()
+	select {
+	case <-bw.flushed:
+	default:
+		bw.Writer.Write(bw.buf.Bytes())
+		close(bw.flushed)
+	}
+	bw.mu.Unlock()
+}
+
+func (bw *bufferedWriter) String() string {
+	return fmt.Sprintf("%s", bw.Writer)
+}
+
+func getBuildSharedKey(dir string) (string, error) {
+	// build session is hash of build dir with node based randomness
+	s := sha256.Sum256([]byte(fmt.Sprintf("%s:%s", tryNodeIdentifier(), dir)))
+	return hex.EncodeToString(s[:]), nil
+}
+
+func tryNodeIdentifier() string {
+	out := cliconfig.Dir() // return config dir as default on permission error
+	if err := os.MkdirAll(cliconfig.Dir(), 0700); err == nil {
+		sessionFile := filepath.Join(cliconfig.Dir(), ".buildNodeID")
+		if _, err := os.Lstat(sessionFile); err != nil {
+			if os.IsNotExist(err) { // create a new file with stored randomness
+				b := make([]byte, 32)
+				if _, err := rand.Read(b); err != nil {
+					return out
+				}
+				if err := ioutil.WriteFile(sessionFile, []byte(hex.EncodeToString(b)), 0600); err != nil {
+					return out
+				}
+			}
+		}
+
+		dt, err := ioutil.ReadFile(sessionFile)
+		if err == nil {
+			return string(dt)
+		}
+	}
+	return out
+}
diff --git a/cli/cli/command/image/build_test.go b/cli/cli/command/image/build_test.go
new file mode 100644
index 00000000..adcacd49
--- /dev/null
+++ b/cli/cli/command/image/build_test.go
@@ -0,0 +1,216 @@
+package image
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+	"context"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sort"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/google/go-cmp/cmp"
+	"gotest.tools/assert"
+	"gotest.tools/fs"
+	"gotest.tools/skip"
+)
+
+func TestRunBuildDockerfileFromStdinWithCompress(t *testing.T) {
+	buffer := new(bytes.Buffer)
+	fakeBuild := newFakeBuild()
+	fakeImageBuild := func(ctx context.Context, context io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error) {
+		tee := io.TeeReader(context, buffer)
+		gzipReader, err := gzip.NewReader(tee)
+		assert.NilError(t, err)
+		return fakeBuild.build(ctx, gzipReader, options)
+	}
+
+	cli := test.NewFakeCli(&fakeClient{imageBuildFunc: fakeImageBuild})
+	dockerfile := bytes.NewBufferString(`
+		FROM alpine:3.6
+		COPY foo /
+	`)
+	cli.SetIn(command.NewInStream(ioutil.NopCloser(dockerfile)))
+
+	dir := fs.NewDir(t, t.Name(),
+		fs.WithFile("foo", "some content"))
+	defer dir.Remove()
+
+	options := newBuildOptions()
+	options.compress = true
+	options.dockerfileName = "-"
+	options.context = dir.Path()
+	options.untrusted = true
+	assert.NilError(t, runBuild(cli, options))
+
+	expected := []string{fakeBuild.options.Dockerfile, ".dockerignore", "foo"}
+	assert.DeepEqual(t, expected, fakeBuild.filenames(t))
+
+	header := buffer.Bytes()[:10]
+	assert.Equal(t, archive.Gzip, archive.DetectCompression(header))
+}
+
+func TestRunBuildResetsUidAndGidInContext(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "root is required to chown files")
+	fakeBuild := newFakeBuild()
+	cli := test.NewFakeCli(&fakeClient{imageBuildFunc: fakeBuild.build})
+
+	dir := fs.NewDir(t, "test-build-context",
+		fs.WithFile("foo", "some content", fs.AsUser(65534, 65534)),
+		fs.WithFile("Dockerfile", `
+			FROM alpine:3.6
+			COPY foo bar /
+		`),
+	)
+	defer dir.Remove()
+
+	options := newBuildOptions()
+	options.context = dir.Path()
+	options.untrusted = true
+	assert.NilError(t, runBuild(cli, options))
+
+	headers := fakeBuild.headers(t)
+	expected := []*tar.Header{
+		{Name: "Dockerfile"},
+		{Name: "foo"},
+	}
+	var cmpTarHeaderNameAndOwner = cmp.Comparer(func(x, y tar.Header) bool {
+		return x.Name == y.Name && x.Uid == y.Uid && x.Gid == y.Gid
+	})
+	assert.DeepEqual(t, expected, headers, cmpTarHeaderNameAndOwner)
+}
+
+func TestRunBuildDockerfileOutsideContext(t *testing.T) {
+	dir := fs.NewDir(t, t.Name(),
+		fs.WithFile("data", "data file"))
+	defer dir.Remove()
+
+	// Dockerfile outside of build-context
+	df := fs.NewFile(t, t.Name(),
+		fs.WithContent(`
+FROM FOOBAR
+COPY data /data
+		`),
+	)
+	defer df.Remove()
+
+	fakeBuild := newFakeBuild()
+	cli := test.NewFakeCli(&fakeClient{imageBuildFunc: fakeBuild.build})
+
+	options := newBuildOptions()
+	options.context = dir.Path()
+	options.dockerfileName = df.Path()
+	options.untrusted = true
+	assert.NilError(t, runBuild(cli, options))
+
+	expected := []string{fakeBuild.options.Dockerfile, ".dockerignore", "data"}
+	assert.DeepEqual(t, expected, fakeBuild.filenames(t))
+}
+
+// TestRunBuildFromLocalGitHubDirNonExistingRepo tests that build contexts
+// starting with `github.com/` are special-cased, and the build command attempts
+// to clone the remote repo.
+// TODO: test "context selection" logic directly when runBuild is refactored
+// to support testing (ex: docker/cli#294)
+func TestRunBuildFromGitHubSpecialCase(t *testing.T) {
+	cmd := NewBuildCommand(test.NewFakeCli(nil))
+	// Clone a small repo that exists so git doesn't prompt for credentials
+	cmd.SetArgs([]string{"github.com/docker/for-win"})
+	cmd.SetOutput(ioutil.Discard)
+	err := cmd.Execute()
+	assert.ErrorContains(t, err, "unable to prepare context")
+	assert.ErrorContains(t, err, "docker-build-git")
+}
+
+// TestRunBuildFromLocalGitHubDirNonExistingRepo tests that a local directory
+// starting with `github.com` takes precedence over the `github.com` special
+// case.
+func TestRunBuildFromLocalGitHubDir(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "docker-build-from-local-dir-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	buildDir := filepath.Join(tmpDir, "github.com", "docker", "no-such-repository")
+	err = os.MkdirAll(buildDir, 0777)
+	assert.NilError(t, err)
+	err = ioutil.WriteFile(filepath.Join(buildDir, "Dockerfile"), []byte("FROM busybox\n"), 0644)
+	assert.NilError(t, err)
+
+	client := test.NewFakeCli(&fakeClient{})
+	cmd := NewBuildCommand(client)
+	cmd.SetArgs([]string{buildDir})
+	cmd.SetOutput(ioutil.Discard)
+	err = cmd.Execute()
+	assert.NilError(t, err)
+}
+
+func TestRunBuildWithSymlinkedContext(t *testing.T) {
+	dockerfile := `
+FROM alpine:3.6
+RUN echo hello world
+`
+
+	tmpDir := fs.NewDir(t, t.Name(),
+		fs.WithDir("context",
+			fs.WithFile("Dockerfile", dockerfile)),
+		fs.WithSymlink("context-link", "context"))
+	defer tmpDir.Remove()
+
+	fakeBuild := newFakeBuild()
+	cli := test.NewFakeCli(&fakeClient{imageBuildFunc: fakeBuild.build})
+	options := newBuildOptions()
+	options.context = tmpDir.Join("context-link")
+	options.untrusted = true
+	assert.NilError(t, runBuild(cli, options))
+
+	assert.DeepEqual(t, fakeBuild.filenames(t), []string{"Dockerfile"})
+}
+
+type fakeBuild struct {
+	context *tar.Reader
+	options types.ImageBuildOptions
+}
+
+func newFakeBuild() *fakeBuild {
+	return &fakeBuild{}
+}
+
+func (f *fakeBuild) build(_ context.Context, context io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error) {
+	f.context = tar.NewReader(context)
+	f.options = options
+	body := new(bytes.Buffer)
+	return types.ImageBuildResponse{Body: ioutil.NopCloser(body)}, nil
+}
+
+func (f *fakeBuild) headers(t *testing.T) []*tar.Header {
+	t.Helper()
+	headers := []*tar.Header{}
+	for {
+		hdr, err := f.context.Next()
+		switch err {
+		case io.EOF:
+			return headers
+		case nil:
+			headers = append(headers, hdr)
+		default:
+			assert.NilError(t, err)
+		}
+	}
+}
+
+func (f *fakeBuild) filenames(t *testing.T) []string {
+	t.Helper()
+	names := []string{}
+	for _, header := range f.headers(t) {
+		names = append(names, header.Name)
+	}
+	sort.Strings(names)
+	return names
+}
diff --git a/cli/cli/command/image/client_test.go b/cli/cli/command/image/client_test.go
new file mode 100644
index 00000000..50e46f4e
--- /dev/null
+++ b/cli/cli/command/image/client_test.go
@@ -0,0 +1,124 @@
+package image
+
+import (
+	"context"
+	"io"
+	"io/ioutil"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	imageTagFunc     func(string, string) error
+	imageSaveFunc    func(images []string) (io.ReadCloser, error)
+	imageRemoveFunc  func(image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error)
+	imagePushFunc    func(ref string, options types.ImagePushOptions) (io.ReadCloser, error)
+	infoFunc         func() (types.Info, error)
+	imagePullFunc    func(ref string, options types.ImagePullOptions) (io.ReadCloser, error)
+	imagesPruneFunc  func(pruneFilter filters.Args) (types.ImagesPruneReport, error)
+	imageLoadFunc    func(input io.Reader, quiet bool) (types.ImageLoadResponse, error)
+	imageListFunc    func(options types.ImageListOptions) ([]types.ImageSummary, error)
+	imageInspectFunc func(image string) (types.ImageInspect, []byte, error)
+	imageImportFunc  func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error)
+	imageHistoryFunc func(image string) ([]image.HistoryResponseItem, error)
+	imageBuildFunc   func(context.Context, io.Reader, types.ImageBuildOptions) (types.ImageBuildResponse, error)
+}
+
+func (cli *fakeClient) ImageTag(_ context.Context, image, ref string) error {
+	if cli.imageTagFunc != nil {
+		return cli.imageTagFunc(image, ref)
+	}
+	return nil
+}
+
+func (cli *fakeClient) ImageSave(_ context.Context, images []string) (io.ReadCloser, error) {
+	if cli.imageSaveFunc != nil {
+		return cli.imageSaveFunc(images)
+	}
+	return ioutil.NopCloser(strings.NewReader("")), nil
+}
+
+func (cli *fakeClient) ImageRemove(_ context.Context, image string,
+	options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error) {
+	if cli.imageRemoveFunc != nil {
+		return cli.imageRemoveFunc(image, options)
+	}
+	return []types.ImageDeleteResponseItem{}, nil
+}
+
+func (cli *fakeClient) ImagePush(_ context.Context, ref string, options types.ImagePushOptions) (io.ReadCloser, error) {
+	if cli.imagePushFunc != nil {
+		return cli.imagePushFunc(ref, options)
+	}
+	return ioutil.NopCloser(strings.NewReader("")), nil
+}
+
+func (cli *fakeClient) Info(_ context.Context) (types.Info, error) {
+	if cli.infoFunc != nil {
+		return cli.infoFunc()
+	}
+	return types.Info{}, nil
+}
+
+func (cli *fakeClient) ImagePull(_ context.Context, ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
+	if cli.imagePullFunc != nil {
+		cli.imagePullFunc(ref, options)
+	}
+	return ioutil.NopCloser(strings.NewReader("")), nil
+}
+
+func (cli *fakeClient) ImagesPrune(_ context.Context, pruneFilter filters.Args) (types.ImagesPruneReport, error) {
+	if cli.imagesPruneFunc != nil {
+		return cli.imagesPruneFunc(pruneFilter)
+	}
+	return types.ImagesPruneReport{}, nil
+}
+
+func (cli *fakeClient) ImageLoad(_ context.Context, input io.Reader, quiet bool) (types.ImageLoadResponse, error) {
+	if cli.imageLoadFunc != nil {
+		return cli.imageLoadFunc(input, quiet)
+	}
+	return types.ImageLoadResponse{}, nil
+}
+
+func (cli *fakeClient) ImageList(ctx context.Context, options types.ImageListOptions) ([]types.ImageSummary, error) {
+	if cli.imageListFunc != nil {
+		return cli.imageListFunc(options)
+	}
+	return []types.ImageSummary{{}}, nil
+}
+
+func (cli *fakeClient) ImageInspectWithRaw(_ context.Context, image string) (types.ImageInspect, []byte, error) {
+	if cli.imageInspectFunc != nil {
+		return cli.imageInspectFunc(image)
+	}
+	return types.ImageInspect{}, nil, nil
+}
+
+func (cli *fakeClient) ImageImport(_ context.Context, source types.ImageImportSource, ref string,
+	options types.ImageImportOptions) (io.ReadCloser, error) {
+	if cli.imageImportFunc != nil {
+		return cli.imageImportFunc(source, ref, options)
+	}
+	return ioutil.NopCloser(strings.NewReader("")), nil
+}
+
+func (cli *fakeClient) ImageHistory(_ context.Context, img string) ([]image.HistoryResponseItem, error) {
+	if cli.imageHistoryFunc != nil {
+		return cli.imageHistoryFunc(img)
+	}
+	return []image.HistoryResponseItem{{ID: img, Created: time.Now().Unix()}}, nil
+}
+
+func (cli *fakeClient) ImageBuild(ctx context.Context, context io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error) {
+	if cli.imageBuildFunc != nil {
+		return cli.imageBuildFunc(ctx, context, options)
+	}
+	return types.ImageBuildResponse{Body: ioutil.NopCloser(strings.NewReader(""))}, nil
+}
diff --git a/cli/cli/command/image/cmd.go b/cli/cli/command/image/cmd.go
new file mode 100644
index 00000000..a12bf339
--- /dev/null
+++ b/cli/cli/command/image/cmd.go
@@ -0,0 +1,33 @@
+package image
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+)
+
+// NewImageCommand returns a cobra command for `image` subcommands
+func NewImageCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "image",
+		Short: "Manage images",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+	}
+	cmd.AddCommand(
+		NewBuildCommand(dockerCli),
+		NewHistoryCommand(dockerCli),
+		NewImportCommand(dockerCli),
+		NewLoadCommand(dockerCli),
+		NewPullCommand(dockerCli),
+		NewPushCommand(dockerCli),
+		NewSaveCommand(dockerCli),
+		NewTagCommand(dockerCli),
+		newListCommand(dockerCli),
+		newRemoveCommand(dockerCli),
+		newInspectCommand(dockerCli),
+		NewPruneCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/image/history.go b/cli/cli/command/image/history.go
new file mode 100644
index 00000000..11acc93d
--- /dev/null
+++ b/cli/cli/command/image/history.go
@@ -0,0 +1,64 @@
+package image
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/spf13/cobra"
+)
+
+type historyOptions struct {
+	image string
+
+	human   bool
+	quiet   bool
+	noTrunc bool
+	format  string
+}
+
+// NewHistoryCommand creates a new `docker history` command
+func NewHistoryCommand(dockerCli command.Cli) *cobra.Command {
+	var opts historyOptions
+
+	cmd := &cobra.Command{
+		Use:   "history [OPTIONS] IMAGE",
+		Short: "Show the history of an image",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.image = args[0]
+			return runHistory(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.BoolVarP(&opts.human, "human", "H", true, "Print sizes and dates in human readable format")
+	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Only show numeric IDs")
+	flags.BoolVar(&opts.noTrunc, "no-trunc", false, "Don't truncate output")
+	flags.StringVar(&opts.format, "format", "", "Pretty-print images using a Go template")
+
+	return cmd
+}
+
+func runHistory(dockerCli command.Cli, opts historyOptions) error {
+	ctx := context.Background()
+
+	history, err := dockerCli.Client().ImageHistory(ctx, opts.image)
+	if err != nil {
+		return err
+	}
+
+	format := opts.format
+	if len(format) == 0 {
+		format = formatter.TableFormatKey
+	}
+
+	historyCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewHistoryFormat(format, opts.quiet, opts.human),
+		Trunc:  !opts.noTrunc,
+	}
+	return formatter.HistoryWrite(historyCtx, opts.human, history)
+}
diff --git a/cli/cli/command/image/history_test.go b/cli/cli/command/image/history_test.go
new file mode 100644
index 00000000..ad2beb9a
--- /dev/null
+++ b/cli/cli/command/image/history_test.go
@@ -0,0 +1,105 @@
+package image
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/image"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+	"gotest.tools/skip"
+)
+
+func TestNewHistoryCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name             string
+		args             []string
+		expectedError    string
+		imageHistoryFunc func(img string) ([]image.HistoryResponseItem, error)
+	}{
+		{
+			name:          "wrong-args",
+			args:          []string{},
+			expectedError: "requires exactly 1 argument.",
+		},
+		{
+			name:          "client-error",
+			args:          []string{"image:tag"},
+			expectedError: "something went wrong",
+			imageHistoryFunc: func(img string) ([]image.HistoryResponseItem, error) {
+				return []image.HistoryResponseItem{{}}, errors.Errorf("something went wrong")
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cmd := NewHistoryCommand(test.NewFakeCli(&fakeClient{imageHistoryFunc: tc.imageHistoryFunc}))
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func notUTCTimezone() bool {
+	now := time.Now()
+	return now != now.UTC()
+}
+
+func TestNewHistoryCommandSuccess(t *testing.T) {
+	skip.If(t, notUTCTimezone, "expected output requires UTC timezone")
+	testCases := []struct {
+		name             string
+		args             []string
+		imageHistoryFunc func(img string) ([]image.HistoryResponseItem, error)
+	}{
+		{
+			name: "simple",
+			args: []string{"image:tag"},
+			imageHistoryFunc: func(img string) ([]image.HistoryResponseItem, error) {
+				return []image.HistoryResponseItem{{
+					ID:      "1234567890123456789",
+					Created: time.Now().Unix(),
+				}}, nil
+			},
+		},
+		{
+			name: "quiet",
+			args: []string{"--quiet", "image:tag"},
+		},
+		{
+			name: "non-human",
+			args: []string{"--human=false", "image:tag"},
+			imageHistoryFunc: func(img string) ([]image.HistoryResponseItem, error) {
+				return []image.HistoryResponseItem{{
+					ID:        "abcdef",
+					Created:   time.Date(2017, 1, 1, 12, 0, 3, 0, time.UTC).Unix(),
+					CreatedBy: "rose",
+					Comment:   "new history item!",
+				}}, nil
+			},
+		},
+		{
+			name: "quiet-no-trunc",
+			args: []string{"--quiet", "--no-trunc", "image:tag"},
+			imageHistoryFunc: func(img string) ([]image.HistoryResponseItem, error) {
+				return []image.HistoryResponseItem{{
+					ID:      "1234567890123456789",
+					Created: time.Now().Unix(),
+				}}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{imageHistoryFunc: tc.imageHistoryFunc})
+		cmd := NewHistoryCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		err := cmd.Execute()
+		assert.NilError(t, err)
+		actual := cli.OutBuffer().String()
+		golden.Assert(t, actual, fmt.Sprintf("history-command-success.%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/image/import.go b/cli/cli/command/image/import.go
new file mode 100644
index 00000000..cfa6a87b
--- /dev/null
+++ b/cli/cli/command/image/import.go
@@ -0,0 +1,87 @@
+package image
+
+import (
+	"context"
+	"io"
+	"os"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	dockeropts "github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/pkg/urlutil"
+	"github.com/spf13/cobra"
+)
+
+type importOptions struct {
+	source    string
+	reference string
+	changes   dockeropts.ListOpts
+	message   string
+}
+
+// NewImportCommand creates a new `docker import` command
+func NewImportCommand(dockerCli command.Cli) *cobra.Command {
+	var options importOptions
+
+	cmd := &cobra.Command{
+		Use:   "import [OPTIONS] file|URL|- [REPOSITORY[:TAG]]",
+		Short: "Import the contents from a tarball to create a filesystem image",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.source = args[0]
+			if len(args) > 1 {
+				options.reference = args[1]
+			}
+			return runImport(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	options.changes = dockeropts.NewListOpts(nil)
+	flags.VarP(&options.changes, "change", "c", "Apply Dockerfile instruction to the created image")
+	flags.StringVarP(&options.message, "message", "m", "", "Set commit message for imported image")
+
+	return cmd
+}
+
+func runImport(dockerCli command.Cli, options importOptions) error {
+	var (
+		in      io.Reader
+		srcName = options.source
+	)
+
+	if options.source == "-" {
+		in = dockerCli.In()
+	} else if !urlutil.IsURL(options.source) {
+		srcName = "-"
+		file, err := os.Open(options.source)
+		if err != nil {
+			return err
+		}
+		defer file.Close()
+		in = file
+	}
+
+	source := types.ImageImportSource{
+		Source:     in,
+		SourceName: srcName,
+	}
+
+	importOptions := types.ImageImportOptions{
+		Message: options.message,
+		Changes: options.changes.GetAll(),
+	}
+
+	clnt := dockerCli.Client()
+
+	responseBody, err := clnt.ImageImport(context.Background(), source, options.reference, importOptions)
+	if err != nil {
+		return err
+	}
+	defer responseBody.Close()
+
+	return jsonmessage.DisplayJSONMessagesToStream(responseBody, dockerCli.Out(), nil)
+}
diff --git a/cli/cli/command/image/import_test.go b/cli/cli/command/image/import_test.go
new file mode 100644
index 00000000..9e2fad61
--- /dev/null
+++ b/cli/cli/command/image/import_test.go
@@ -0,0 +1,97 @@
+package image
+
+import (
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNewImportCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name            string
+		args            []string
+		expectedError   string
+		imageImportFunc func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error)
+	}{
+		{
+			name:          "wrong-args",
+			args:          []string{},
+			expectedError: "requires at least 1 argument.",
+		},
+		{
+			name:          "import-failed",
+			args:          []string{"testdata/import-command-success.input.txt"},
+			expectedError: "something went wrong",
+			imageImportFunc: func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+				return nil, errors.Errorf("something went wrong")
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cmd := NewImportCommand(test.NewFakeCli(&fakeClient{imageImportFunc: tc.imageImportFunc}))
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNewImportCommandInvalidFile(t *testing.T) {
+	cmd := NewImportCommand(test.NewFakeCli(&fakeClient{}))
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"testdata/import-command-success.unexistent-file"})
+	assert.ErrorContains(t, cmd.Execute(), "testdata/import-command-success.unexistent-file")
+}
+
+func TestNewImportCommandSuccess(t *testing.T) {
+	testCases := []struct {
+		name            string
+		args            []string
+		imageImportFunc func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error)
+	}{
+		{
+			name: "simple",
+			args: []string{"testdata/import-command-success.input.txt"},
+		},
+		{
+			name: "terminal-source",
+			args: []string{"-"},
+		},
+		{
+			name: "double",
+			args: []string{"-", "image:local"},
+			imageImportFunc: func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+				assert.Check(t, is.Equal("image:local", ref))
+				return ioutil.NopCloser(strings.NewReader("")), nil
+			},
+		},
+		{
+			name: "message",
+			args: []string{"--message", "test message", "-"},
+			imageImportFunc: func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+				assert.Check(t, is.Equal("test message", options.Message))
+				return ioutil.NopCloser(strings.NewReader("")), nil
+			},
+		},
+		{
+			name: "change",
+			args: []string{"--change", "ENV DEBUG true", "-"},
+			imageImportFunc: func(source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+				assert.Check(t, is.Equal("ENV DEBUG true", options.Changes[0]))
+				return ioutil.NopCloser(strings.NewReader("")), nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cmd := NewImportCommand(test.NewFakeCli(&fakeClient{imageImportFunc: tc.imageImportFunc}))
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.NilError(t, cmd.Execute())
+	}
+}
diff --git a/cli/cli/command/image/inspect.go b/cli/cli/command/image/inspect.go
new file mode 100644
index 00000000..2044fcaf
--- /dev/null
+++ b/cli/cli/command/image/inspect.go
@@ -0,0 +1,44 @@
+package image
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	format string
+	refs   []string
+}
+
+// newInspectCommand creates a new cobra.Command for `docker image inspect`
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] IMAGE [IMAGE...]",
+		Short: "Display detailed information on one or more images",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.refs = args
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	getRefFunc := func(ref string) (interface{}, []byte, error) {
+		return client.ImageInspectWithRaw(ctx, ref)
+	}
+	return inspect.Inspect(dockerCli.Out(), opts.refs, opts.format, getRefFunc)
+}
diff --git a/cli/cli/command/image/inspect_test.go b/cli/cli/command/image/inspect_test.go
new file mode 100644
index 00000000..d881ae0a
--- /dev/null
+++ b/cli/cli/command/image/inspect_test.go
@@ -0,0 +1,88 @@
+package image
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestNewInspectCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+	}{
+		{
+			name:          "wrong-args",
+			args:          []string{},
+			expectedError: "requires at least 1 argument.",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newInspectCommand(test.NewFakeCli(&fakeClient{}))
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNewInspectCommandSuccess(t *testing.T) {
+	imageInspectInvocationCount := 0
+	testCases := []struct {
+		name             string
+		args             []string
+		imageCount       int
+		imageInspectFunc func(image string) (types.ImageInspect, []byte, error)
+	}{
+		{
+			name:       "simple",
+			args:       []string{"image"},
+			imageCount: 1,
+			imageInspectFunc: func(image string) (types.ImageInspect, []byte, error) {
+				imageInspectInvocationCount++
+				assert.Check(t, is.Equal("image", image))
+				return types.ImageInspect{}, nil, nil
+			},
+		},
+		{
+			name:       "format",
+			imageCount: 1,
+			args:       []string{"--format='{{.ID}}'", "image"},
+			imageInspectFunc: func(image string) (types.ImageInspect, []byte, error) {
+				imageInspectInvocationCount++
+				return types.ImageInspect{ID: image}, nil, nil
+			},
+		},
+		{
+			name:       "simple-many",
+			args:       []string{"image1", "image2"},
+			imageCount: 2,
+			imageInspectFunc: func(image string) (types.ImageInspect, []byte, error) {
+				imageInspectInvocationCount++
+				if imageInspectInvocationCount == 1 {
+					assert.Check(t, is.Equal("image1", image))
+				} else {
+					assert.Check(t, is.Equal("image2", image))
+				}
+				return types.ImageInspect{}, nil, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		imageInspectInvocationCount = 0
+		cli := test.NewFakeCli(&fakeClient{imageInspectFunc: tc.imageInspectFunc})
+		cmd := newInspectCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		err := cmd.Execute()
+		assert.NilError(t, err)
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("inspect-command-success.%s.golden", tc.name))
+		assert.Check(t, is.Equal(imageInspectInvocationCount, tc.imageCount))
+	}
+}
diff --git a/cli/cli/command/image/list.go b/cli/cli/command/image/list.go
new file mode 100644
index 00000000..2dd9786e
--- /dev/null
+++ b/cli/cli/command/image/list.go
@@ -0,0 +1,96 @@
+package image
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+type imagesOptions struct {
+	matchName string
+
+	quiet       bool
+	all         bool
+	noTrunc     bool
+	showDigests bool
+	format      string
+	filter      opts.FilterOpt
+}
+
+// NewImagesCommand creates a new `docker images` command
+func NewImagesCommand(dockerCli command.Cli) *cobra.Command {
+	options := imagesOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "images [OPTIONS] [REPOSITORY[:TAG]]",
+		Short: "List images",
+		Args:  cli.RequiresMaxArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				options.matchName = args[0]
+			}
+			return runImages(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only show numeric IDs")
+	flags.BoolVarP(&options.all, "all", "a", false, "Show all images (default hides intermediate images)")
+	flags.BoolVar(&options.noTrunc, "no-trunc", false, "Don't truncate output")
+	flags.BoolVar(&options.showDigests, "digests", false, "Show digests")
+	flags.StringVar(&options.format, "format", "", "Pretty-print images using a Go template")
+	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")
+
+	return cmd
+}
+
+func newListCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := *NewImagesCommand(dockerCli)
+	cmd.Aliases = []string{"images", "list"}
+	cmd.Use = "ls [OPTIONS] [REPOSITORY[:TAG]]"
+	return &cmd
+}
+
+func runImages(dockerCli command.Cli, options imagesOptions) error {
+	ctx := context.Background()
+
+	filters := options.filter.Value()
+	if options.matchName != "" {
+		filters.Add("reference", options.matchName)
+	}
+
+	listOptions := types.ImageListOptions{
+		All:     options.all,
+		Filters: filters,
+	}
+
+	images, err := dockerCli.Client().ImageList(ctx, listOptions)
+	if err != nil {
+		return err
+	}
+
+	format := options.format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().ImagesFormat) > 0 && !options.quiet {
+			format = dockerCli.ConfigFile().ImagesFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+
+	imageCtx := formatter.ImageContext{
+		Context: formatter.Context{
+			Output: dockerCli.Out(),
+			Format: formatter.NewImageFormat(format, options.quiet, options.showDigests),
+			Trunc:  !options.noTrunc,
+		},
+		Digest: options.showDigests,
+	}
+	return formatter.ImageWrite(imageCtx, images)
+}
diff --git a/cli/cli/command/image/list_test.go b/cli/cli/command/image/list_test.go
new file mode 100644
index 00000000..81394a79
--- /dev/null
+++ b/cli/cli/command/image/list_test.go
@@ -0,0 +1,98 @@
+package image
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestNewImagesCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+		imageListFunc func(options types.ImageListOptions) ([]types.ImageSummary, error)
+	}{
+		{
+			name:          "wrong-args",
+			args:          []string{"arg1", "arg2"},
+			expectedError: "requires at most 1 argument.",
+		},
+		{
+			name:          "failed-list",
+			expectedError: "something went wrong",
+			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
+				return []types.ImageSummary{{}}, errors.Errorf("something went wrong")
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cmd := NewImagesCommand(test.NewFakeCli(&fakeClient{imageListFunc: tc.imageListFunc}))
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNewImagesCommandSuccess(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		imageFormat   string
+		imageListFunc func(options types.ImageListOptions) ([]types.ImageSummary, error)
+	}{
+		{
+			name: "simple",
+		},
+		{
+			name:        "format",
+			imageFormat: "raw",
+		},
+		{
+			name:        "quiet-format",
+			args:        []string{"-q"},
+			imageFormat: "table",
+		},
+		{
+			name: "match-name",
+			args: []string{"image"},
+			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
+				assert.Check(t, is.Equal("image", options.Filters.Get("reference")[0]))
+				return []types.ImageSummary{{}}, nil
+			},
+		},
+		{
+			name: "filters",
+			args: []string{"--filter", "name=value"},
+			imageListFunc: func(options types.ImageListOptions) ([]types.ImageSummary, error) {
+				assert.Check(t, is.Equal("value", options.Filters.Get("name")[0]))
+				return []types.ImageSummary{{}}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{imageListFunc: tc.imageListFunc})
+		cli.SetConfigFile(&configfile.ConfigFile{ImagesFormat: tc.imageFormat})
+		cmd := NewImagesCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		err := cmd.Execute()
+		assert.NilError(t, err)
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("list-command-success.%s.golden", tc.name))
+	}
+}
+
+func TestNewListCommandAlias(t *testing.T) {
+	cmd := newListCommand(test.NewFakeCli(&fakeClient{}))
+	assert.Check(t, cmd.HasAlias("images"))
+	assert.Check(t, cmd.HasAlias("list"))
+	assert.Check(t, !cmd.HasAlias("other"))
+}
diff --git a/cli/cli/command/image/load.go b/cli/cli/command/image/load.go
new file mode 100644
index 00000000..6809c620
--- /dev/null
+++ b/cli/cli/command/image/load.go
@@ -0,0 +1,76 @@
+package image
+
+import (
+	"context"
+	"io"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type loadOptions struct {
+	input string
+	quiet bool
+}
+
+// NewLoadCommand creates a new `docker load` command
+func NewLoadCommand(dockerCli command.Cli) *cobra.Command {
+	var opts loadOptions
+
+	cmd := &cobra.Command{
+		Use:   "load [OPTIONS]",
+		Short: "Load an image from a tar archive or STDIN",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runLoad(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.StringVarP(&opts.input, "input", "i", "", "Read from tar archive file, instead of STDIN")
+	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Suppress the load output")
+
+	return cmd
+}
+
+func runLoad(dockerCli command.Cli, opts loadOptions) error {
+
+	var input io.Reader = dockerCli.In()
+	if opts.input != "" {
+		// We use system.OpenSequential to use sequential file access on Windows, avoiding
+		// depleting the standby list un-necessarily. On Linux, this equates to a regular os.Open.
+		file, err := system.OpenSequential(opts.input)
+		if err != nil {
+			return err
+		}
+		defer file.Close()
+		input = file
+	}
+
+	// To avoid getting stuck, verify that a tar file is given either in
+	// the input flag or through stdin and if not display an error message and exit.
+	if opts.input == "" && dockerCli.In().IsTerminal() {
+		return errors.Errorf("requested load from stdin, but stdin is empty")
+	}
+
+	if !dockerCli.Out().IsTerminal() {
+		opts.quiet = true
+	}
+	response, err := dockerCli.Client().ImageLoad(context.Background(), input, opts.quiet)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+
+	if response.Body != nil && response.JSON {
+		return jsonmessage.DisplayJSONMessagesToStream(response.Body, dockerCli.Out(), nil)
+	}
+
+	_, err = io.Copy(dockerCli.Out(), response.Body)
+	return err
+}
diff --git a/cli/cli/command/image/load_test.go b/cli/cli/command/image/load_test.go
new file mode 100644
index 00000000..5fe4344f
--- /dev/null
+++ b/cli/cli/command/image/load_test.go
@@ -0,0 +1,101 @@
+package image
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestNewLoadCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		isTerminalIn  bool
+		expectedError string
+		imageLoadFunc func(input io.Reader, quiet bool) (types.ImageLoadResponse, error)
+	}{
+		{
+			name:          "wrong-args",
+			args:          []string{"arg"},
+			expectedError: "accepts no arguments.",
+		},
+		{
+			name:          "input-to-terminal",
+			isTerminalIn:  true,
+			expectedError: "requested load from stdin, but stdin is empty",
+		},
+		{
+			name:          "pull-error",
+			expectedError: "something went wrong",
+			imageLoadFunc: func(input io.Reader, quiet bool) (types.ImageLoadResponse, error) {
+				return types.ImageLoadResponse{}, errors.Errorf("something went wrong")
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{imageLoadFunc: tc.imageLoadFunc})
+		cli.In().SetIsTerminal(tc.isTerminalIn)
+		cmd := NewLoadCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNewLoadCommandInvalidInput(t *testing.T) {
+	expectedError := "open *"
+	cmd := NewLoadCommand(test.NewFakeCli(&fakeClient{}))
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"--input", "*"})
+	err := cmd.Execute()
+	assert.ErrorContains(t, err, expectedError)
+}
+
+func TestNewLoadCommandSuccess(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		imageLoadFunc func(input io.Reader, quiet bool) (types.ImageLoadResponse, error)
+	}{
+		{
+			name: "simple",
+			imageLoadFunc: func(input io.Reader, quiet bool) (types.ImageLoadResponse, error) {
+				return types.ImageLoadResponse{Body: ioutil.NopCloser(strings.NewReader("Success"))}, nil
+			},
+		},
+		{
+			name: "json",
+			imageLoadFunc: func(input io.Reader, quiet bool) (types.ImageLoadResponse, error) {
+				json := "{\"ID\": \"1\"}"
+				return types.ImageLoadResponse{
+					Body: ioutil.NopCloser(strings.NewReader(json)),
+					JSON: true,
+				}, nil
+			},
+		},
+		{
+			name: "input-file",
+			args: []string{"--input", "testdata/load-command-success.input.txt"},
+			imageLoadFunc: func(input io.Reader, quiet bool) (types.ImageLoadResponse, error) {
+				return types.ImageLoadResponse{Body: ioutil.NopCloser(strings.NewReader("Success"))}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{imageLoadFunc: tc.imageLoadFunc})
+		cmd := NewLoadCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		err := cmd.Execute()
+		assert.NilError(t, err)
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("load-command-success.%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/image/prune.go b/cli/cli/command/image/prune.go
new file mode 100644
index 00000000..ada47df3
--- /dev/null
+++ b/cli/cli/command/image/prune.go
@@ -0,0 +1,94 @@
+package image
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	units "github.com/docker/go-units"
+	"github.com/spf13/cobra"
+)
+
+type pruneOptions struct {
+	force  bool
+	all    bool
+	filter opts.FilterOpt
+}
+
+// NewPruneCommand returns a new cobra prune command for images
+func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
+	options := pruneOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "prune [OPTIONS]",
+		Short: "Remove unused images",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			spaceReclaimed, output, err := runPrune(dockerCli, options)
+			if err != nil {
+				return err
+			}
+			if output != "" {
+				fmt.Fprintln(dockerCli.Out(), output)
+			}
+			fmt.Fprintln(dockerCli.Out(), "Total reclaimed space:", units.HumanSize(float64(spaceReclaimed)))
+			return nil
+		},
+		Annotations: map[string]string{"version": "1.25"},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
+	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused images, not just dangling ones")
+	flags.Var(&options.filter, "filter", "Provide filter values (e.g. 'until=<timestamp>')")
+
+	return cmd
+}
+
+const (
+	allImageWarning = `WARNING! This will remove all images without at least one container associated to them.
+Are you sure you want to continue?`
+	danglingWarning = `WARNING! This will remove all dangling images.
+Are you sure you want to continue?`
+)
+
+func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint64, output string, err error) {
+	pruneFilters := options.filter.Value()
+	pruneFilters.Add("dangling", fmt.Sprintf("%v", !options.all))
+	pruneFilters = command.PruneFilters(dockerCli, pruneFilters)
+
+	warning := danglingWarning
+	if options.all {
+		warning = allImageWarning
+	}
+	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
+		return 0, "", nil
+	}
+
+	report, err := dockerCli.Client().ImagesPrune(context.Background(), pruneFilters)
+	if err != nil {
+		return 0, "", err
+	}
+
+	if len(report.ImagesDeleted) > 0 {
+		output = "Deleted Images:\n"
+		for _, st := range report.ImagesDeleted {
+			if st.Untagged != "" {
+				output += fmt.Sprintln("untagged:", st.Untagged)
+			} else {
+				output += fmt.Sprintln("deleted:", st.Deleted)
+			}
+		}
+		spaceReclaimed = report.SpaceReclaimed
+	}
+
+	return spaceReclaimed, output, nil
+}
+
+// RunPrune calls the Image Prune API
+// This returns the amount of space reclaimed and a detailed output string
+func RunPrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
+	return runPrune(dockerCli, pruneOptions{force: true, all: all, filter: filter})
+}
diff --git a/cli/cli/command/image/prune_test.go b/cli/cli/command/image/prune_test.go
new file mode 100644
index 00000000..ca46bbf6
--- /dev/null
+++ b/cli/cli/command/image/prune_test.go
@@ -0,0 +1,94 @@
+package image
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestNewPruneCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name            string
+		args            []string
+		expectedError   string
+		imagesPruneFunc func(pruneFilter filters.Args) (types.ImagesPruneReport, error)
+	}{
+		{
+			name:          "wrong-args",
+			args:          []string{"something"},
+			expectedError: "accepts no arguments.",
+		},
+		{
+			name:          "prune-error",
+			args:          []string{"--force"},
+			expectedError: "something went wrong",
+			imagesPruneFunc: func(pruneFilter filters.Args) (types.ImagesPruneReport, error) {
+				return types.ImagesPruneReport{}, errors.Errorf("something went wrong")
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cmd := NewPruneCommand(test.NewFakeCli(&fakeClient{
+			imagesPruneFunc: tc.imagesPruneFunc,
+		}))
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNewPruneCommandSuccess(t *testing.T) {
+	testCases := []struct {
+		name            string
+		args            []string
+		imagesPruneFunc func(pruneFilter filters.Args) (types.ImagesPruneReport, error)
+	}{
+		{
+			name: "all",
+			args: []string{"--all"},
+			imagesPruneFunc: func(pruneFilter filters.Args) (types.ImagesPruneReport, error) {
+				assert.Check(t, is.Equal("false", pruneFilter.Get("dangling")[0]))
+				return types.ImagesPruneReport{}, nil
+			},
+		},
+		{
+			name: "force-deleted",
+			args: []string{"--force"},
+			imagesPruneFunc: func(pruneFilter filters.Args) (types.ImagesPruneReport, error) {
+				assert.Check(t, is.Equal("true", pruneFilter.Get("dangling")[0]))
+				return types.ImagesPruneReport{
+					ImagesDeleted:  []types.ImageDeleteResponseItem{{Deleted: "image1"}},
+					SpaceReclaimed: 1,
+				}, nil
+			},
+		},
+		{
+			name: "force-untagged",
+			args: []string{"--force"},
+			imagesPruneFunc: func(pruneFilter filters.Args) (types.ImagesPruneReport, error) {
+				assert.Check(t, is.Equal("true", pruneFilter.Get("dangling")[0]))
+				return types.ImagesPruneReport{
+					ImagesDeleted:  []types.ImageDeleteResponseItem{{Untagged: "image1"}},
+					SpaceReclaimed: 2,
+				}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{imagesPruneFunc: tc.imagesPruneFunc})
+		cmd := NewPruneCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		err := cmd.Execute()
+		assert.NilError(t, err)
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("prune-command-success.%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/image/pull.go b/cli/cli/command/image/pull.go
new file mode 100644
index 00000000..9ac382c3
--- /dev/null
+++ b/cli/cli/command/image/pull.go
@@ -0,0 +1,83 @@
+package image
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/trust"
+	"github.com/docker/distribution/reference"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+// PullOptions defines what and how to pull
+type PullOptions struct {
+	remote    string
+	all       bool
+	platform  string
+	untrusted bool
+}
+
+// NewPullCommand creates a new `docker pull` command
+func NewPullCommand(dockerCli command.Cli) *cobra.Command {
+	var opts PullOptions
+
+	cmd := &cobra.Command{
+		Use:   "pull [OPTIONS] NAME[:TAG|@DIGEST]",
+		Short: "Pull an image or a repository from a registry",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.remote = args[0]
+			return RunPull(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.BoolVarP(&opts.all, "all-tags", "a", false, "Download all tagged images in the repository")
+
+	command.AddPlatformFlag(flags, &opts.platform)
+	command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
+
+	return cmd
+}
+
+// RunPull performs a pull against the engine based on the specified options
+func RunPull(cli command.Cli, opts PullOptions) error {
+	distributionRef, err := reference.ParseNormalizedNamed(opts.remote)
+	switch {
+	case err != nil:
+		return err
+	case opts.all && !reference.IsNameOnly(distributionRef):
+		return errors.New("tag can't be used with --all-tags/-a")
+	case !opts.all && reference.IsNameOnly(distributionRef):
+		distributionRef = reference.TagNameOnly(distributionRef)
+		if tagged, ok := distributionRef.(reference.Tagged); ok {
+			fmt.Fprintf(cli.Out(), "Using default tag: %s\n", tagged.Tag())
+		}
+	}
+
+	ctx := context.Background()
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, AuthResolver(cli), distributionRef.String())
+	if err != nil {
+		return err
+	}
+
+	// Check if reference has a digest
+	_, isCanonical := distributionRef.(reference.Canonical)
+	if !opts.untrusted && !isCanonical {
+		err = trustedPull(ctx, cli, imgRefAndAuth, opts.platform)
+	} else {
+		err = imagePullPrivileged(ctx, cli, imgRefAndAuth, opts.all, opts.platform)
+	}
+	if err != nil {
+		if strings.Contains(err.Error(), "when fetching 'plugin'") {
+			return errors.New(err.Error() + " - Use `docker plugin install`")
+		}
+		return err
+	}
+	return nil
+}
diff --git a/cli/cli/command/image/pull_test.go b/cli/cli/command/image/pull_test.go
new file mode 100644
index 00000000..c5ae7560
--- /dev/null
+++ b/cli/cli/command/image/pull_test.go
@@ -0,0 +1,121 @@
+package image
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/cli/internal/test/notary"
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestNewPullCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+	}{
+		{
+			name:          "wrong-args",
+			expectedError: "requires exactly 1 argument.",
+			args:          []string{},
+		},
+		{
+			name:          "invalid-name",
+			expectedError: "invalid reference format: repository name must be lowercase",
+			args:          []string{"UPPERCASE_REPO"},
+		},
+		{
+			name:          "all-tags-with-tag",
+			expectedError: "tag can't be used with --all-tags/-a",
+			args:          []string{"--all-tags", "image:tag"},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{})
+		cmd := NewPullCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNewPullCommandSuccess(t *testing.T) {
+	testCases := []struct {
+		name        string
+		args        []string
+		expectedTag string
+	}{
+		{
+			name:        "simple",
+			args:        []string{"image:tag"},
+			expectedTag: "image:tag",
+		},
+		{
+			name:        "simple-no-tag",
+			args:        []string{"image"},
+			expectedTag: "image:latest",
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			imagePullFunc: func(ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
+				assert.Check(t, is.Equal(tc.expectedTag, ref), tc.name)
+				return ioutil.NopCloser(strings.NewReader("")), nil
+			},
+		})
+		cmd := NewPullCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		err := cmd.Execute()
+		assert.NilError(t, err)
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("pull-command-success.%s.golden", tc.name))
+	}
+}
+
+func TestNewPullCommandWithContentTrustErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+		notaryFunc    test.NotaryClientFuncType
+	}{
+		{
+			name:          "offline-notary-server",
+			notaryFunc:    notary.GetOfflineNotaryRepository,
+			expectedError: "client is offline",
+			args:          []string{"image:tag"},
+		},
+		{
+			name:          "uninitialized-notary-server",
+			notaryFunc:    notary.GetUninitializedNotaryRepository,
+			expectedError: "remote trust data does not exist",
+			args:          []string{"image:tag"},
+		},
+		{
+			name:          "empty-notary-server",
+			notaryFunc:    notary.GetEmptyTargetsNotaryRepository,
+			expectedError: "No valid trust data for tag",
+			args:          []string{"image:tag"},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			imagePullFunc: func(ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
+				return ioutil.NopCloser(strings.NewReader("")), fmt.Errorf("shouldn't try to pull image")
+			},
+		}, test.EnableContentTrust)
+		cli.SetNotaryClient(tc.notaryFunc)
+		cmd := NewPullCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		err := cmd.Execute()
+		assert.ErrorContains(t, err, tc.expectedError)
+	}
+}
diff --git a/cli/cli/command/image/push.go b/cli/cli/command/image/push.go
new file mode 100644
index 00000000..de6c2ec3
--- /dev/null
+++ b/cli/cli/command/image/push.go
@@ -0,0 +1,70 @@
+package image
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/registry"
+	"github.com/spf13/cobra"
+)
+
+type pushOptions struct {
+	remote    string
+	untrusted bool
+}
+
+// NewPushCommand creates a new `docker push` command
+func NewPushCommand(dockerCli command.Cli) *cobra.Command {
+	var opts pushOptions
+
+	cmd := &cobra.Command{
+		Use:   "push [OPTIONS] NAME[:TAG]",
+		Short: "Push an image or a repository to a registry",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.remote = args[0]
+			return RunPush(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	command.AddTrustSigningFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
+
+	return cmd
+}
+
+// RunPush performs a push against the engine based on the specified options
+func RunPush(dockerCli command.Cli, opts pushOptions) error {
+	ref, err := reference.ParseNormalizedNamed(opts.remote)
+	if err != nil {
+		return err
+	}
+
+	// Resolve the Repository name from fqn to RepositoryInfo
+	repoInfo, err := registry.ParseRepositoryInfo(ref)
+	if err != nil {
+		return err
+	}
+
+	ctx := context.Background()
+
+	// Resolve the Auth config relevant for this server
+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)
+	requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, "push")
+
+	if !opts.untrusted {
+		return TrustedPush(ctx, dockerCli, repoInfo, ref, authConfig, requestPrivilege)
+	}
+
+	responseBody, err := imagePushPrivileged(ctx, dockerCli, authConfig, ref, requestPrivilege)
+	if err != nil {
+		return err
+	}
+
+	defer responseBody.Close()
+	return jsonmessage.DisplayJSONMessagesToStream(responseBody, dockerCli.Out(), nil)
+}
diff --git a/cli/cli/command/image/push_test.go b/cli/cli/command/image/push_test.go
new file mode 100644
index 00000000..75798aaa
--- /dev/null
+++ b/cli/cli/command/image/push_test.go
@@ -0,0 +1,71 @@
+package image
+
+import (
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+func TestNewPushCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+		imagePushFunc func(ref string, options types.ImagePushOptions) (io.ReadCloser, error)
+	}{
+		{
+			name:          "wrong-args",
+			args:          []string{},
+			expectedError: "requires exactly 1 argument.",
+		},
+		{
+			name:          "invalid-name",
+			args:          []string{"UPPERCASE_REPO"},
+			expectedError: "invalid reference format: repository name must be lowercase",
+		},
+		{
+			name:          "push-failed",
+			args:          []string{"image:repo"},
+			expectedError: "Failed to push",
+			imagePushFunc: func(ref string, options types.ImagePushOptions) (io.ReadCloser, error) {
+				return ioutil.NopCloser(strings.NewReader("")), errors.Errorf("Failed to push")
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{imagePushFunc: tc.imagePushFunc})
+		cmd := NewPushCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNewPushCommandSuccess(t *testing.T) {
+	testCases := []struct {
+		name string
+		args []string
+	}{
+		{
+			name: "simple",
+			args: []string{"image:tag"},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			imagePushFunc: func(ref string, options types.ImagePushOptions) (io.ReadCloser, error) {
+				return ioutil.NopCloser(strings.NewReader("")), nil
+			},
+		})
+		cmd := NewPushCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.NilError(t, cmd.Execute())
+	}
+}
diff --git a/cli/cli/command/image/remove.go b/cli/cli/command/image/remove.go
new file mode 100644
index 00000000..a4c72e44
--- /dev/null
+++ b/cli/cli/command/image/remove.go
@@ -0,0 +1,86 @@
+package image
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	apiclient "github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type removeOptions struct {
+	force   bool
+	noPrune bool
+}
+
+// NewRemoveCommand creates a new `docker remove` command
+func NewRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	var opts removeOptions
+
+	cmd := &cobra.Command{
+		Use:   "rmi [OPTIONS] IMAGE [IMAGE...]",
+		Short: "Remove one or more images",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runRemove(dockerCli, opts, args)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.BoolVarP(&opts.force, "force", "f", false, "Force removal of the image")
+	flags.BoolVar(&opts.noPrune, "no-prune", false, "Do not delete untagged parents")
+
+	return cmd
+}
+
+func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := *NewRemoveCommand(dockerCli)
+	cmd.Aliases = []string{"rmi", "remove"}
+	cmd.Use = "rm [OPTIONS] IMAGE [IMAGE...]"
+	return &cmd
+}
+
+func runRemove(dockerCli command.Cli, opts removeOptions, images []string) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	options := types.ImageRemoveOptions{
+		Force:         opts.force,
+		PruneChildren: !opts.noPrune,
+	}
+
+	var errs []string
+	var fatalErr = false
+	for _, img := range images {
+		dels, err := client.ImageRemove(ctx, img, options)
+		if err != nil {
+			if !apiclient.IsErrNotFound(err) {
+				fatalErr = true
+			}
+			errs = append(errs, err.Error())
+		} else {
+			for _, del := range dels {
+				if del.Deleted != "" {
+					fmt.Fprintf(dockerCli.Out(), "Deleted: %s\n", del.Deleted)
+				} else {
+					fmt.Fprintf(dockerCli.Out(), "Untagged: %s\n", del.Untagged)
+				}
+			}
+		}
+	}
+
+	if len(errs) > 0 {
+		msg := strings.Join(errs, "\n")
+		if !opts.force || fatalErr {
+			return errors.New(msg)
+		}
+		fmt.Fprintln(dockerCli.Err(), msg)
+	}
+	return nil
+}
diff --git a/cli/cli/command/image/remove_test.go b/cli/cli/command/image/remove_test.go
new file mode 100644
index 00000000..6db2e031
--- /dev/null
+++ b/cli/cli/command/image/remove_test.go
@@ -0,0 +1,134 @@
+package image
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+type notFound struct {
+	imageID string
+}
+
+func (n notFound) Error() string {
+	return fmt.Sprintf("Error: No such image: %s", n.imageID)
+}
+
+func (n notFound) NotFound() bool {
+	return true
+}
+
+func TestNewRemoveCommandAlias(t *testing.T) {
+	cmd := newRemoveCommand(test.NewFakeCli(&fakeClient{}))
+	assert.Check(t, cmd.HasAlias("rmi"))
+	assert.Check(t, cmd.HasAlias("remove"))
+	assert.Check(t, !cmd.HasAlias("other"))
+}
+
+func TestNewRemoveCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name            string
+		args            []string
+		expectedError   string
+		imageRemoveFunc func(image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error)
+	}{
+		{
+			name:          "wrong args",
+			expectedError: "requires at least 1 argument.",
+		},
+		{
+			name:          "ImageRemove fail with force option",
+			args:          []string{"-f", "image1"},
+			expectedError: "error removing image",
+			imageRemoveFunc: func(image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error) {
+				assert.Check(t, is.Equal("image1", image))
+				return []types.ImageDeleteResponseItem{}, errors.Errorf("error removing image")
+			},
+		},
+		{
+			name:          "ImageRemove fail",
+			args:          []string{"arg1"},
+			expectedError: "error removing image",
+			imageRemoveFunc: func(image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error) {
+				assert.Check(t, !options.Force)
+				assert.Check(t, options.PruneChildren)
+				return []types.ImageDeleteResponseItem{}, errors.Errorf("error removing image")
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			cmd := NewRemoveCommand(test.NewFakeCli(&fakeClient{
+				imageRemoveFunc: tc.imageRemoveFunc,
+			}))
+			cmd.SetOutput(ioutil.Discard)
+			cmd.SetArgs(tc.args)
+			assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+		})
+	}
+}
+
+func TestNewRemoveCommandSuccess(t *testing.T) {
+	testCases := []struct {
+		name            string
+		args            []string
+		imageRemoveFunc func(image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error)
+		expectedStderr  string
+	}{
+		{
+			name: "Image Deleted",
+			args: []string{"image1"},
+			imageRemoveFunc: func(image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error) {
+				assert.Check(t, is.Equal("image1", image))
+				return []types.ImageDeleteResponseItem{{Deleted: image}}, nil
+			},
+		},
+		{
+			name: "Image not found with force option",
+			args: []string{"-f", "image1"},
+			imageRemoveFunc: func(image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error) {
+				assert.Check(t, is.Equal("image1", image))
+				assert.Check(t, is.Equal(true, options.Force))
+				return []types.ImageDeleteResponseItem{}, notFound{"image1"}
+			},
+			expectedStderr: "Error: No such image: image1\n",
+		},
+
+		{
+			name: "Image Untagged",
+			args: []string{"image1"},
+			imageRemoveFunc: func(image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error) {
+				assert.Check(t, is.Equal("image1", image))
+				return []types.ImageDeleteResponseItem{{Untagged: image}}, nil
+			},
+		},
+		{
+			name: "Image Deleted and Untagged",
+			args: []string{"image1", "image2"},
+			imageRemoveFunc: func(image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error) {
+				if image == "image1" {
+					return []types.ImageDeleteResponseItem{{Untagged: image}}, nil
+				}
+				return []types.ImageDeleteResponseItem{{Deleted: image}}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{imageRemoveFunc: tc.imageRemoveFunc})
+			cmd := NewRemoveCommand(cli)
+			cmd.SetOutput(ioutil.Discard)
+			cmd.SetArgs(tc.args)
+			assert.NilError(t, cmd.Execute())
+			assert.Check(t, is.Equal(tc.expectedStderr, cli.ErrBuffer().String()))
+			golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("remove-command-success.%s.golden", tc.name))
+		})
+	}
+}
diff --git a/cli/cli/command/image/save.go b/cli/cli/command/image/save.go
new file mode 100644
index 00000000..ef23ca1b
--- /dev/null
+++ b/cli/cli/command/image/save.go
@@ -0,0 +1,73 @@
+package image
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type saveOptions struct {
+	images []string
+	output string
+}
+
+// NewSaveCommand creates a new `docker save` command
+func NewSaveCommand(dockerCli command.Cli) *cobra.Command {
+	var opts saveOptions
+
+	cmd := &cobra.Command{
+		Use:   "save [OPTIONS] IMAGE [IMAGE...]",
+		Short: "Save one or more images to a tar archive (streamed to STDOUT by default)",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.images = args
+			return RunSave(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.StringVarP(&opts.output, "output", "o", "", "Write to a file, instead of STDOUT")
+
+	return cmd
+}
+
+// RunSave performs a save against the engine based on the specified options
+func RunSave(dockerCli command.Cli, opts saveOptions) error {
+	if opts.output == "" && dockerCli.Out().IsTerminal() {
+		return errors.New("cowardly refusing to save to a terminal. Use the -o flag or redirect")
+	}
+
+	if err := validateOutputPath(opts.output); err != nil {
+		return errors.Wrap(err, "failed to save image")
+	}
+
+	responseBody, err := dockerCli.Client().ImageSave(context.Background(), opts.images)
+	if err != nil {
+		return err
+	}
+	defer responseBody.Close()
+
+	if opts.output == "" {
+		_, err := io.Copy(dockerCli.Out(), responseBody)
+		return err
+	}
+
+	return command.CopyToFile(opts.output, responseBody)
+}
+
+func validateOutputPath(path string) error {
+	dir := filepath.Dir(path)
+	if dir != "" && dir != "." {
+		if _, err := os.Stat(dir); os.IsNotExist(err) {
+			return errors.Errorf("unable to validate output path: directory %q does not exist", dir)
+		}
+	}
+	return nil
+}
diff --git a/cli/cli/command/image/save_test.go b/cli/cli/command/image/save_test.go
new file mode 100644
index 00000000..d051e8cb
--- /dev/null
+++ b/cli/cli/command/image/save_test.go
@@ -0,0 +1,103 @@
+package image
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNewSaveCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		isTerminal    bool
+		expectedError string
+		imageSaveFunc func(images []string) (io.ReadCloser, error)
+	}{
+		{
+			name:          "wrong args",
+			args:          []string{},
+			expectedError: "requires at least 1 argument.",
+		},
+		{
+			name:          "output to terminal",
+			args:          []string{"output", "file", "arg1"},
+			isTerminal:    true,
+			expectedError: "cowardly refusing to save to a terminal. Use the -o flag or redirect",
+		},
+		{
+			name:          "ImageSave fail",
+			args:          []string{"arg1"},
+			isTerminal:    false,
+			expectedError: "error saving image",
+			imageSaveFunc: func(images []string) (io.ReadCloser, error) {
+				return ioutil.NopCloser(strings.NewReader("")), errors.Errorf("error saving image")
+			},
+		},
+		{
+			name:          "output directory does not exist",
+			args:          []string{"-o", "fakedir/out.tar", "arg1"},
+			expectedError: "failed to save image: unable to validate output path: directory \"fakedir\" does not exist",
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{imageSaveFunc: tc.imageSaveFunc})
+		cli.Out().SetIsTerminal(tc.isTerminal)
+		cmd := NewSaveCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNewSaveCommandSuccess(t *testing.T) {
+	testCases := []struct {
+		args          []string
+		isTerminal    bool
+		imageSaveFunc func(images []string) (io.ReadCloser, error)
+		deferredFunc  func()
+	}{
+		{
+			args:       []string{"-o", "save_tmp_file", "arg1"},
+			isTerminal: true,
+			imageSaveFunc: func(images []string) (io.ReadCloser, error) {
+				assert.Assert(t, is.Len(images, 1))
+				assert.Check(t, is.Equal("arg1", images[0]))
+				return ioutil.NopCloser(strings.NewReader("")), nil
+			},
+			deferredFunc: func() {
+				os.Remove("save_tmp_file")
+			},
+		},
+		{
+			args:       []string{"arg1", "arg2"},
+			isTerminal: false,
+			imageSaveFunc: func(images []string) (io.ReadCloser, error) {
+				assert.Assert(t, is.Len(images, 2))
+				assert.Check(t, is.Equal("arg1", images[0]))
+				assert.Check(t, is.Equal("arg2", images[1]))
+				return ioutil.NopCloser(strings.NewReader("")), nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cmd := NewSaveCommand(test.NewFakeCli(&fakeClient{
+			imageSaveFunc: func(images []string) (io.ReadCloser, error) {
+				return ioutil.NopCloser(strings.NewReader("")), nil
+			},
+		}))
+		cmd.SetOutput(ioutil.Discard)
+		cmd.SetArgs(tc.args)
+		assert.NilError(t, cmd.Execute())
+		if tc.deferredFunc != nil {
+			tc.deferredFunc()
+		}
+	}
+}
diff --git a/cli/cli/command/image/tag.go b/cli/cli/command/image/tag.go
new file mode 100644
index 00000000..39d4caaf
--- /dev/null
+++ b/cli/cli/command/image/tag.go
@@ -0,0 +1,41 @@
+package image
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+type tagOptions struct {
+	image string
+	name  string
+}
+
+// NewTagCommand creates a new `docker tag` command
+func NewTagCommand(dockerCli command.Cli) *cobra.Command {
+	var opts tagOptions
+
+	cmd := &cobra.Command{
+		Use:   "tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]",
+		Short: "Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE",
+		Args:  cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.image = args[0]
+			opts.name = args[1]
+			return runTag(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.SetInterspersed(false)
+
+	return cmd
+}
+
+func runTag(dockerCli command.Cli, opts tagOptions) error {
+	ctx := context.Background()
+
+	return dockerCli.Client().ImageTag(ctx, opts.image, opts.name)
+}
diff --git a/cli/cli/command/image/tag_test.go b/cli/cli/command/image/tag_test.go
new file mode 100644
index 00000000..9c43f3fe
--- /dev/null
+++ b/cli/cli/command/image/tag_test.go
@@ -0,0 +1,41 @@
+package image
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestCliNewTagCommandErrors(t *testing.T) {
+	testCases := [][]string{
+		{},
+		{"image1"},
+		{"image1", "image2", "image3"},
+	}
+	expectedError := "\"tag\" requires exactly 2 arguments."
+	for _, args := range testCases {
+		cmd := NewTagCommand(test.NewFakeCli(&fakeClient{}))
+		cmd.SetArgs(args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), expectedError)
+	}
+}
+
+func TestCliNewTagCommand(t *testing.T) {
+	cmd := NewTagCommand(
+		test.NewFakeCli(&fakeClient{
+			imageTagFunc: func(image string, ref string) error {
+				assert.Check(t, is.Equal("image1", image))
+				assert.Check(t, is.Equal("image2", ref))
+				return nil
+			},
+		}))
+	cmd.SetArgs([]string{"image1", "image2"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.NilError(t, cmd.Execute())
+	value, _ := cmd.Flags().GetBool("interspersed")
+	assert.Check(t, !value)
+}
diff --git a/cli/cli/command/image/testdata/history-command-success.non-human.golden b/cli/cli/command/image/testdata/history-command-success.non-human.golden
new file mode 100644
index 00000000..4a83a3d8
--- /dev/null
+++ b/cli/cli/command/image/testdata/history-command-success.non-human.golden
@@ -0,0 +1,2 @@
+IMAGE               CREATED AT             CREATED BY          SIZE                COMMENT
+abcdef              2017-01-01T12:00:03Z   rose                0                   new history item!
diff --git a/cli/cli/command/image/testdata/history-command-success.quiet-no-trunc.golden b/cli/cli/command/image/testdata/history-command-success.quiet-no-trunc.golden
new file mode 100644
index 00000000..65103f63
--- /dev/null
+++ b/cli/cli/command/image/testdata/history-command-success.quiet-no-trunc.golden
@@ -0,0 +1 @@
+1234567890123456789
diff --git a/cli/cli/command/image/testdata/history-command-success.quiet.golden b/cli/cli/command/image/testdata/history-command-success.quiet.golden
new file mode 100644
index 00000000..42c7c82c
--- /dev/null
+++ b/cli/cli/command/image/testdata/history-command-success.quiet.golden
@@ -0,0 +1 @@
+tag
diff --git a/cli/cli/command/image/testdata/history-command-success.simple.golden b/cli/cli/command/image/testdata/history-command-success.simple.golden
new file mode 100644
index 00000000..8aa59052
--- /dev/null
+++ b/cli/cli/command/image/testdata/history-command-success.simple.golden
@@ -0,0 +1,2 @@
+IMAGE               CREATED                  CREATED BY          SIZE                COMMENT
+123456789012        Less than a second ago                       0B                  
diff --git a/cli/cli/command/image/testdata/import-command-success.input.txt b/cli/cli/command/image/testdata/import-command-success.input.txt
new file mode 100644
index 00000000..7ab5949b
--- /dev/null
+++ b/cli/cli/command/image/testdata/import-command-success.input.txt
@@ -0,0 +1 @@
+file input test
\ No newline at end of file
diff --git a/cli/cli/command/image/testdata/inspect-command-success.format.golden b/cli/cli/command/image/testdata/inspect-command-success.format.golden
new file mode 100644
index 00000000..f934996b
--- /dev/null
+++ b/cli/cli/command/image/testdata/inspect-command-success.format.golden
@@ -0,0 +1 @@
+'image'
diff --git a/cli/cli/command/image/testdata/inspect-command-success.simple-many.golden b/cli/cli/command/image/testdata/inspect-command-success.simple-many.golden
new file mode 100644
index 00000000..f72c96f7
--- /dev/null
+++ b/cli/cli/command/image/testdata/inspect-command-success.simple-many.golden
@@ -0,0 +1,56 @@
+[
+    {
+        "Id": "",
+        "RepoTags": null,
+        "RepoDigests": null,
+        "Parent": "",
+        "Comment": "",
+        "Created": "",
+        "Container": "",
+        "ContainerConfig": null,
+        "DockerVersion": "",
+        "Author": "",
+        "Config": null,
+        "Architecture": "",
+        "Os": "",
+        "Size": 0,
+        "VirtualSize": 0,
+        "GraphDriver": {
+            "Data": null,
+            "Name": ""
+        },
+        "RootFS": {
+            "Type": ""
+        },
+        "Metadata": {
+            "LastTagTime": "0001-01-01T00:00:00Z"
+        }
+    },
+    {
+        "Id": "",
+        "RepoTags": null,
+        "RepoDigests": null,
+        "Parent": "",
+        "Comment": "",
+        "Created": "",
+        "Container": "",
+        "ContainerConfig": null,
+        "DockerVersion": "",
+        "Author": "",
+        "Config": null,
+        "Architecture": "",
+        "Os": "",
+        "Size": 0,
+        "VirtualSize": 0,
+        "GraphDriver": {
+            "Data": null,
+            "Name": ""
+        },
+        "RootFS": {
+            "Type": ""
+        },
+        "Metadata": {
+            "LastTagTime": "0001-01-01T00:00:00Z"
+        }
+    }
+]
diff --git a/cli/cli/command/image/testdata/inspect-command-success.simple.golden b/cli/cli/command/image/testdata/inspect-command-success.simple.golden
new file mode 100644
index 00000000..878463ff
--- /dev/null
+++ b/cli/cli/command/image/testdata/inspect-command-success.simple.golden
@@ -0,0 +1,29 @@
+[
+    {
+        "Id": "",
+        "RepoTags": null,
+        "RepoDigests": null,
+        "Parent": "",
+        "Comment": "",
+        "Created": "",
+        "Container": "",
+        "ContainerConfig": null,
+        "DockerVersion": "",
+        "Author": "",
+        "Config": null,
+        "Architecture": "",
+        "Os": "",
+        "Size": 0,
+        "VirtualSize": 0,
+        "GraphDriver": {
+            "Data": null,
+            "Name": ""
+        },
+        "RootFS": {
+            "Type": ""
+        },
+        "Metadata": {
+            "LastTagTime": "0001-01-01T00:00:00Z"
+        }
+    }
+]
diff --git a/cli/cli/command/image/testdata/list-command-success.filters.golden b/cli/cli/command/image/testdata/list-command-success.filters.golden
new file mode 100644
index 00000000..e3b8109b
--- /dev/null
+++ b/cli/cli/command/image/testdata/list-command-success.filters.golden
@@ -0,0 +1 @@
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
diff --git a/cli/cli/command/image/testdata/list-command-success.format.golden b/cli/cli/command/image/testdata/list-command-success.format.golden
new file mode 100644
index 00000000..e69de29b
diff --git a/cli/cli/command/image/testdata/list-command-success.match-name.golden b/cli/cli/command/image/testdata/list-command-success.match-name.golden
new file mode 100644
index 00000000..e3b8109b
--- /dev/null
+++ b/cli/cli/command/image/testdata/list-command-success.match-name.golden
@@ -0,0 +1 @@
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
diff --git a/cli/cli/command/image/testdata/list-command-success.quiet-format.golden b/cli/cli/command/image/testdata/list-command-success.quiet-format.golden
new file mode 100644
index 00000000..e69de29b
diff --git a/cli/cli/command/image/testdata/list-command-success.simple.golden b/cli/cli/command/image/testdata/list-command-success.simple.golden
new file mode 100644
index 00000000..e3b8109b
--- /dev/null
+++ b/cli/cli/command/image/testdata/list-command-success.simple.golden
@@ -0,0 +1 @@
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
diff --git a/cli/cli/command/image/testdata/load-command-success.input-file.golden b/cli/cli/command/image/testdata/load-command-success.input-file.golden
new file mode 100644
index 00000000..51da4200
--- /dev/null
+++ b/cli/cli/command/image/testdata/load-command-success.input-file.golden
@@ -0,0 +1 @@
+Success
\ No newline at end of file
diff --git a/cli/cli/command/image/testdata/load-command-success.input.txt b/cli/cli/command/image/testdata/load-command-success.input.txt
new file mode 100644
index 00000000..7ab5949b
--- /dev/null
+++ b/cli/cli/command/image/testdata/load-command-success.input.txt
@@ -0,0 +1 @@
+file input test
\ No newline at end of file
diff --git a/cli/cli/command/image/testdata/load-command-success.json.golden b/cli/cli/command/image/testdata/load-command-success.json.golden
new file mode 100644
index 00000000..c17f16ec
--- /dev/null
+++ b/cli/cli/command/image/testdata/load-command-success.json.golden
@@ -0,0 +1 @@
+1: 
diff --git a/cli/cli/command/image/testdata/load-command-success.simple.golden b/cli/cli/command/image/testdata/load-command-success.simple.golden
new file mode 100644
index 00000000..51da4200
--- /dev/null
+++ b/cli/cli/command/image/testdata/load-command-success.simple.golden
@@ -0,0 +1 @@
+Success
\ No newline at end of file
diff --git a/cli/cli/command/image/testdata/prune-command-success.all.golden b/cli/cli/command/image/testdata/prune-command-success.all.golden
new file mode 100644
index 00000000..4d144528
--- /dev/null
+++ b/cli/cli/command/image/testdata/prune-command-success.all.golden
@@ -0,0 +1,2 @@
+WARNING! This will remove all images without at least one container associated to them.
+Are you sure you want to continue? [y/N] Total reclaimed space: 0B
diff --git a/cli/cli/command/image/testdata/prune-command-success.force-deleted.golden b/cli/cli/command/image/testdata/prune-command-success.force-deleted.golden
new file mode 100644
index 00000000..1b6efd4a
--- /dev/null
+++ b/cli/cli/command/image/testdata/prune-command-success.force-deleted.golden
@@ -0,0 +1,4 @@
+Deleted Images:
+deleted: image1
+
+Total reclaimed space: 1B
diff --git a/cli/cli/command/image/testdata/prune-command-success.force-untagged.golden b/cli/cli/command/image/testdata/prune-command-success.force-untagged.golden
new file mode 100644
index 00000000..725468fe
--- /dev/null
+++ b/cli/cli/command/image/testdata/prune-command-success.force-untagged.golden
@@ -0,0 +1,4 @@
+Deleted Images:
+untagged: image1
+
+Total reclaimed space: 2B
diff --git a/cli/cli/command/image/testdata/pull-command-success.simple-no-tag.golden b/cli/cli/command/image/testdata/pull-command-success.simple-no-tag.golden
new file mode 100644
index 00000000..946de409
--- /dev/null
+++ b/cli/cli/command/image/testdata/pull-command-success.simple-no-tag.golden
@@ -0,0 +1 @@
+Using default tag: latest
diff --git a/cli/cli/command/image/testdata/pull-command-success.simple.golden b/cli/cli/command/image/testdata/pull-command-success.simple.golden
new file mode 100644
index 00000000..e69de29b
diff --git a/cli/cli/command/image/testdata/remove-command-success.Image Deleted and Untagged.golden b/cli/cli/command/image/testdata/remove-command-success.Image Deleted and Untagged.golden
new file mode 100644
index 00000000..94db0844
--- /dev/null
+++ b/cli/cli/command/image/testdata/remove-command-success.Image Deleted and Untagged.golden	
@@ -0,0 +1,2 @@
+Untagged: image1
+Deleted: image2
diff --git a/cli/cli/command/image/testdata/remove-command-success.Image Deleted.golden b/cli/cli/command/image/testdata/remove-command-success.Image Deleted.golden
new file mode 100644
index 00000000..445df11a
--- /dev/null
+++ b/cli/cli/command/image/testdata/remove-command-success.Image Deleted.golden	
@@ -0,0 +1 @@
+Deleted: image1
diff --git a/cli/cli/command/image/testdata/remove-command-success.Image Untagged.golden b/cli/cli/command/image/testdata/remove-command-success.Image Untagged.golden
new file mode 100644
index 00000000..ebbb4075
--- /dev/null
+++ b/cli/cli/command/image/testdata/remove-command-success.Image Untagged.golden	
@@ -0,0 +1 @@
+Untagged: image1
diff --git a/cli/cli/command/image/testdata/remove-command-success.Image not found with force option.golden b/cli/cli/command/image/testdata/remove-command-success.Image not found with force option.golden
new file mode 100644
index 00000000..e69de29b
diff --git a/cli/cli/command/image/trust.go b/cli/cli/command/image/trust.go
new file mode 100644
index 00000000..230420d8
--- /dev/null
+++ b/cli/cli/command/image/trust.go
@@ -0,0 +1,352 @@
+package image
+
+import (
+	"context"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"sort"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/trust"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/registry"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/tuf/data"
+)
+
+type target struct {
+	name   string
+	digest digest.Digest
+	size   int64
+}
+
+// TrustedPush handles content trust pushing of an image
+func TrustedPush(ctx context.Context, cli command.Cli, repoInfo *registry.RepositoryInfo, ref reference.Named, authConfig types.AuthConfig, requestPrivilege types.RequestPrivilegeFunc) error {
+	responseBody, err := imagePushPrivileged(ctx, cli, authConfig, ref, requestPrivilege)
+	if err != nil {
+		return err
+	}
+
+	defer responseBody.Close()
+
+	return PushTrustedReference(cli, repoInfo, ref, authConfig, responseBody)
+}
+
+// PushTrustedReference pushes a canonical reference to the trust server.
+// nolint: gocyclo
+func PushTrustedReference(streams command.Streams, repoInfo *registry.RepositoryInfo, ref reference.Named, authConfig types.AuthConfig, in io.Reader) error {
+	// If it is a trusted push we would like to find the target entry which match the
+	// tag provided in the function and then do an AddTarget later.
+	target := &client.Target{}
+	// Count the times of calling for handleTarget,
+	// if it is called more that once, that should be considered an error in a trusted push.
+	cnt := 0
+	handleTarget := func(msg jsonmessage.JSONMessage) {
+		cnt++
+		if cnt > 1 {
+			// handleTarget should only be called once. This will be treated as an error.
+			return
+		}
+
+		var pushResult types.PushResult
+		err := json.Unmarshal(*msg.Aux, &pushResult)
+		if err == nil && pushResult.Tag != "" {
+			if dgst, err := digest.Parse(pushResult.Digest); err == nil {
+				h, err := hex.DecodeString(dgst.Hex())
+				if err != nil {
+					target = nil
+					return
+				}
+				target.Name = pushResult.Tag
+				target.Hashes = data.Hashes{string(dgst.Algorithm()): h}
+				target.Length = int64(pushResult.Size)
+			}
+		}
+	}
+
+	var tag string
+	switch x := ref.(type) {
+	case reference.Canonical:
+		return errors.New("cannot push a digest reference")
+	case reference.NamedTagged:
+		tag = x.Tag()
+	default:
+		// We want trust signatures to always take an explicit tag,
+		// otherwise it will act as an untrusted push.
+		if err := jsonmessage.DisplayJSONMessagesToStream(in, streams.Out(), nil); err != nil {
+			return err
+		}
+		fmt.Fprintln(streams.Err(), "No tag specified, skipping trust metadata push")
+		return nil
+	}
+
+	if err := jsonmessage.DisplayJSONMessagesToStream(in, streams.Out(), handleTarget); err != nil {
+		return err
+	}
+
+	if cnt > 1 {
+		return errors.Errorf("internal error: only one call to handleTarget expected")
+	}
+
+	if target == nil {
+		return errors.Errorf("no targets found, please provide a specific tag in order to sign it")
+	}
+
+	fmt.Fprintln(streams.Out(), "Signing and pushing trust metadata")
+
+	repo, err := trust.GetNotaryRepository(streams.In(), streams.Out(), command.UserAgent(), repoInfo, &authConfig, "push", "pull")
+	if err != nil {
+		return errors.Wrap(err, "error establishing connection to trust repository")
+	}
+
+	// get the latest repository metadata so we can figure out which roles to sign
+	_, err = repo.ListTargets()
+
+	switch err.(type) {
+	case client.ErrRepoNotInitialized, client.ErrRepositoryNotExist:
+		keys := repo.GetCryptoService().ListKeys(data.CanonicalRootRole)
+		var rootKeyID string
+		// always select the first root key
+		if len(keys) > 0 {
+			sort.Strings(keys)
+			rootKeyID = keys[0]
+		} else {
+			rootPublicKey, err := repo.GetCryptoService().Create(data.CanonicalRootRole, "", data.ECDSAKey)
+			if err != nil {
+				return err
+			}
+			rootKeyID = rootPublicKey.ID()
+		}
+
+		// Initialize the notary repository with a remotely managed snapshot key
+		if err := repo.Initialize([]string{rootKeyID}, data.CanonicalSnapshotRole); err != nil {
+			return trust.NotaryError(repoInfo.Name.Name(), err)
+		}
+		fmt.Fprintf(streams.Out(), "Finished initializing %q\n", repoInfo.Name.Name())
+		err = repo.AddTarget(target, data.CanonicalTargetsRole)
+	case nil:
+		// already initialized and we have successfully downloaded the latest metadata
+		err = AddTargetToAllSignableRoles(repo, target)
+	default:
+		return trust.NotaryError(repoInfo.Name.Name(), err)
+	}
+
+	if err == nil {
+		err = repo.Publish()
+	}
+
+	if err != nil {
+		err = errors.Wrapf(err, "failed to sign %s:%s", repoInfo.Name.Name(), tag)
+		return trust.NotaryError(repoInfo.Name.Name(), err)
+	}
+
+	fmt.Fprintf(streams.Out(), "Successfully signed %s:%s\n", repoInfo.Name.Name(), tag)
+	return nil
+}
+
+// AddTargetToAllSignableRoles attempts to add the image target to all the top level delegation roles we can
+// (based on whether we have the signing key and whether the role's path allows
+// us to).
+// If there are no delegation roles, we add to the targets role.
+func AddTargetToAllSignableRoles(repo client.Repository, target *client.Target) error {
+	signableRoles, err := trust.GetSignableRoles(repo, target)
+	if err != nil {
+		return err
+	}
+
+	return repo.AddTarget(target, signableRoles...)
+}
+
+// imagePushPrivileged push the image
+func imagePushPrivileged(ctx context.Context, cli command.Cli, authConfig types.AuthConfig, ref reference.Reference, requestPrivilege types.RequestPrivilegeFunc) (io.ReadCloser, error) {
+	encodedAuth, err := command.EncodeAuthToBase64(authConfig)
+	if err != nil {
+		return nil, err
+	}
+	options := types.ImagePushOptions{
+		RegistryAuth:  encodedAuth,
+		PrivilegeFunc: requestPrivilege,
+	}
+
+	return cli.Client().ImagePush(ctx, reference.FamiliarString(ref), options)
+}
+
+// trustedPull handles content trust pulling of an image
+func trustedPull(ctx context.Context, cli command.Cli, imgRefAndAuth trust.ImageRefAndAuth, platform string) error {
+	refs, err := getTrustedPullTargets(cli, imgRefAndAuth)
+	if err != nil {
+		return err
+	}
+
+	ref := imgRefAndAuth.Reference()
+	for i, r := range refs {
+		displayTag := r.name
+		if displayTag != "" {
+			displayTag = ":" + displayTag
+		}
+		fmt.Fprintf(cli.Out(), "Pull (%d of %d): %s%s@%s\n", i+1, len(refs), reference.FamiliarName(ref), displayTag, r.digest)
+
+		trustedRef, err := reference.WithDigest(reference.TrimNamed(ref), r.digest)
+		if err != nil {
+			return err
+		}
+		updatedImgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, AuthResolver(cli), trustedRef.String())
+		if err != nil {
+			return err
+		}
+		if err := imagePullPrivileged(ctx, cli, updatedImgRefAndAuth, false, platform); err != nil {
+			return err
+		}
+
+		tagged, err := reference.WithTag(reference.TrimNamed(ref), r.name)
+		if err != nil {
+			return err
+		}
+
+		if err := TagTrusted(ctx, cli, trustedRef, tagged); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func getTrustedPullTargets(cli command.Cli, imgRefAndAuth trust.ImageRefAndAuth) ([]target, error) {
+	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, trust.ActionsPullOnly)
+	if err != nil {
+		return nil, errors.Wrap(err, "error establishing connection to trust repository")
+	}
+
+	ref := imgRefAndAuth.Reference()
+	tagged, isTagged := ref.(reference.NamedTagged)
+	if !isTagged {
+		// List all targets
+		targets, err := notaryRepo.ListTargets(trust.ReleasesRole, data.CanonicalTargetsRole)
+		if err != nil {
+			return nil, trust.NotaryError(ref.Name(), err)
+		}
+		var refs []target
+		for _, tgt := range targets {
+			t, err := convertTarget(tgt.Target)
+			if err != nil {
+				fmt.Fprintf(cli.Err(), "Skipping target for %q\n", reference.FamiliarName(ref))
+				continue
+			}
+			// Only list tags in the top level targets role or the releases delegation role - ignore
+			// all other delegation roles
+			if tgt.Role != trust.ReleasesRole && tgt.Role != data.CanonicalTargetsRole {
+				continue
+			}
+			refs = append(refs, t)
+		}
+		if len(refs) == 0 {
+			return nil, trust.NotaryError(ref.Name(), errors.Errorf("No trusted tags for %s", ref.Name()))
+		}
+		return refs, nil
+	}
+
+	t, err := notaryRepo.GetTargetByName(tagged.Tag(), trust.ReleasesRole, data.CanonicalTargetsRole)
+	if err != nil {
+		return nil, trust.NotaryError(ref.Name(), err)
+	}
+	// Only get the tag if it's in the top level targets role or the releases delegation role
+	// ignore it if it's in any other delegation roles
+	if t.Role != trust.ReleasesRole && t.Role != data.CanonicalTargetsRole {
+		return nil, trust.NotaryError(ref.Name(), errors.Errorf("No trust data for %s", tagged.Tag()))
+	}
+
+	logrus.Debugf("retrieving target for %s role", t.Role)
+	r, err := convertTarget(t.Target)
+	return []target{r}, err
+}
+
+// imagePullPrivileged pulls the image and displays it to the output
+func imagePullPrivileged(ctx context.Context, cli command.Cli, imgRefAndAuth trust.ImageRefAndAuth, all bool, platform string) error {
+	ref := reference.FamiliarString(imgRefAndAuth.Reference())
+
+	encodedAuth, err := command.EncodeAuthToBase64(*imgRefAndAuth.AuthConfig())
+	if err != nil {
+		return err
+	}
+	requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(cli, imgRefAndAuth.RepoInfo().Index, "pull")
+	options := types.ImagePullOptions{
+		RegistryAuth:  encodedAuth,
+		PrivilegeFunc: requestPrivilege,
+		All:           all,
+		Platform:      platform,
+	}
+	responseBody, err := cli.Client().ImagePull(ctx, ref, options)
+	if err != nil {
+		return err
+	}
+	defer responseBody.Close()
+
+	return jsonmessage.DisplayJSONMessagesToStream(responseBody, cli.Out(), nil)
+}
+
+// TrustedReference returns the canonical trusted reference for an image reference
+func TrustedReference(ctx context.Context, cli command.Cli, ref reference.NamedTagged, rs registry.Service) (reference.Canonical, error) {
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, rs, AuthResolver(cli), ref.String())
+	if err != nil {
+		return nil, err
+	}
+
+	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, []string{"pull"})
+	if err != nil {
+		return nil, errors.Wrap(err, "error establishing connection to trust repository")
+	}
+
+	t, err := notaryRepo.GetTargetByName(ref.Tag(), trust.ReleasesRole, data.CanonicalTargetsRole)
+	if err != nil {
+		return nil, trust.NotaryError(imgRefAndAuth.RepoInfo().Name.Name(), err)
+	}
+	// Only list tags in the top level targets role or the releases delegation role - ignore
+	// all other delegation roles
+	if t.Role != trust.ReleasesRole && t.Role != data.CanonicalTargetsRole {
+		return nil, trust.NotaryError(imgRefAndAuth.RepoInfo().Name.Name(), client.ErrNoSuchTarget(ref.Tag()))
+	}
+	r, err := convertTarget(t.Target)
+	if err != nil {
+		return nil, err
+
+	}
+	return reference.WithDigest(reference.TrimNamed(ref), r.digest)
+}
+
+func convertTarget(t client.Target) (target, error) {
+	h, ok := t.Hashes["sha256"]
+	if !ok {
+		return target{}, errors.New("no valid hash, expecting sha256")
+	}
+	return target{
+		name:   t.Name,
+		digest: digest.NewDigestFromHex("sha256", hex.EncodeToString(h)),
+		size:   t.Length,
+	}, nil
+}
+
+// TagTrusted tags a trusted ref
+// nolint: interfacer
+func TagTrusted(ctx context.Context, cli command.Cli, trustedRef reference.Canonical, ref reference.NamedTagged) error {
+	// Use familiar references when interacting with client and output
+	familiarRef := reference.FamiliarString(ref)
+	trustedFamiliarRef := reference.FamiliarString(trustedRef)
+
+	fmt.Fprintf(cli.Err(), "Tagging %s as %s\n", trustedFamiliarRef, familiarRef)
+
+	return cli.Client().ImageTag(ctx, trustedFamiliarRef, familiarRef)
+}
+
+// AuthResolver returns an auth resolver function from a command.Cli
+func AuthResolver(cli command.Cli) func(ctx context.Context, index *registrytypes.IndexInfo) types.AuthConfig {
+	return func(ctx context.Context, index *registrytypes.IndexInfo) types.AuthConfig {
+		return command.ResolveAuthConfig(ctx, cli, index)
+	}
+}
diff --git a/cli/cli/command/image/trust_test.go b/cli/cli/command/image/trust_test.go
new file mode 100644
index 00000000..97585a72
--- /dev/null
+++ b/cli/cli/command/image/trust_test.go
@@ -0,0 +1,73 @@
+package image
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/cli/trust"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/passphrase"
+	"github.com/theupdateframework/notary/trustpinning"
+	"gotest.tools/assert"
+)
+
+func unsetENV() {
+	os.Unsetenv("DOCKER_CONTENT_TRUST")
+	os.Unsetenv("DOCKER_CONTENT_TRUST_SERVER")
+}
+
+func TestENVTrustServer(t *testing.T) {
+	defer unsetENV()
+	indexInfo := &registrytypes.IndexInfo{Name: "testserver"}
+	if err := os.Setenv("DOCKER_CONTENT_TRUST_SERVER", "https://notary-test.com:5000"); err != nil {
+		t.Fatal("Failed to set ENV variable")
+	}
+	output, err := trust.Server(indexInfo)
+	expectedStr := "https://notary-test.com:5000"
+	if err != nil || output != expectedStr {
+		t.Fatalf("Expected server to be %s, got %s", expectedStr, output)
+	}
+}
+
+func TestHTTPENVTrustServer(t *testing.T) {
+	defer unsetENV()
+	indexInfo := &registrytypes.IndexInfo{Name: "testserver"}
+	if err := os.Setenv("DOCKER_CONTENT_TRUST_SERVER", "http://notary-test.com:5000"); err != nil {
+		t.Fatal("Failed to set ENV variable")
+	}
+	_, err := trust.Server(indexInfo)
+	if err == nil {
+		t.Fatal("Expected error with invalid scheme")
+	}
+}
+
+func TestOfficialTrustServer(t *testing.T) {
+	indexInfo := &registrytypes.IndexInfo{Name: "testserver", Official: true}
+	output, err := trust.Server(indexInfo)
+	if err != nil || output != trust.NotaryServer {
+		t.Fatalf("Expected server to be %s, got %s", trust.NotaryServer, output)
+	}
+}
+
+func TestNonOfficialTrustServer(t *testing.T) {
+	indexInfo := &registrytypes.IndexInfo{Name: "testserver", Official: false}
+	output, err := trust.Server(indexInfo)
+	expectedStr := "https://" + indexInfo.Name
+	if err != nil || output != expectedStr {
+		t.Fatalf("Expected server to be %s, got %s", expectedStr, output)
+	}
+}
+
+func TestAddTargetToAllSignableRolesError(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "notary-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever("password"), trustpinning.TrustPinConfig{})
+	assert.NilError(t, err)
+	target := client.Target{}
+	err = AddTargetToAllSignableRoles(notaryRepo, &target)
+	assert.Error(t, err, "client is offline")
+}
diff --git a/cli/cli/command/in.go b/cli/cli/command/in.go
new file mode 100644
index 00000000..54855c6d
--- /dev/null
+++ b/cli/cli/command/in.go
@@ -0,0 +1,56 @@
+package command
+
+import (
+	"errors"
+	"io"
+	"os"
+	"runtime"
+
+	"github.com/docker/docker/pkg/term"
+)
+
+// InStream is an input stream used by the DockerCli to read user input
+type InStream struct {
+	CommonStream
+	in io.ReadCloser
+}
+
+func (i *InStream) Read(p []byte) (int, error) {
+	return i.in.Read(p)
+}
+
+// Close implements the Closer interface
+func (i *InStream) Close() error {
+	return i.in.Close()
+}
+
+// SetRawTerminal sets raw mode on the input terminal
+func (i *InStream) SetRawTerminal() (err error) {
+	if os.Getenv("NORAW") != "" || !i.CommonStream.isTerminal {
+		return nil
+	}
+	i.CommonStream.state, err = term.SetRawTerminal(i.CommonStream.fd)
+	return err
+}
+
+// CheckTty checks if we are trying to attach to a container tty
+// from a non-tty client input stream, and if so, returns an error.
+func (i *InStream) CheckTty(attachStdin, ttyMode bool) error {
+	// In order to attach to a container tty, input stream for the client must
+	// be a tty itself: redirecting or piping the client standard input is
+	// incompatible with `docker run -t`, `docker exec -t` or `docker attach`.
+	if ttyMode && attachStdin && !i.isTerminal {
+		eText := "the input device is not a TTY"
+		if runtime.GOOS == "windows" {
+			return errors.New(eText + ".  If you are using mintty, try prefixing the command with 'winpty'")
+		}
+		return errors.New(eText)
+	}
+	return nil
+}
+
+// NewInStream returns a new InStream object from a ReadCloser
+func NewInStream(in io.ReadCloser) *InStream {
+	fd, isTerminal := term.GetFdInfo(in)
+	return &InStream{CommonStream: CommonStream{fd: fd, isTerminal: isTerminal}, in: in}
+}
diff --git a/cli/cli/command/inspect/inspector.go b/cli/cli/command/inspect/inspector.go
new file mode 100644
index 00000000..aef31e62
--- /dev/null
+++ b/cli/cli/command/inspect/inspector.go
@@ -0,0 +1,199 @@
+package inspect
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"strings"
+	"text/template"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/templates"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Inspector defines an interface to implement to process elements
+type Inspector interface {
+	Inspect(typedElement interface{}, rawElement []byte) error
+	Flush() error
+}
+
+// TemplateInspector uses a text template to inspect elements.
+type TemplateInspector struct {
+	outputStream io.Writer
+	buffer       *bytes.Buffer
+	tmpl         *template.Template
+}
+
+// NewTemplateInspector creates a new inspector with a template.
+func NewTemplateInspector(outputStream io.Writer, tmpl *template.Template) Inspector {
+	return &TemplateInspector{
+		outputStream: outputStream,
+		buffer:       new(bytes.Buffer),
+		tmpl:         tmpl,
+	}
+}
+
+// NewTemplateInspectorFromString creates a new TemplateInspector from a string
+// which is compiled into a template.
+func NewTemplateInspectorFromString(out io.Writer, tmplStr string) (Inspector, error) {
+	if tmplStr == "" {
+		return NewIndentedInspector(out), nil
+	}
+
+	tmpl, err := templates.Parse(tmplStr)
+	if err != nil {
+		return nil, errors.Errorf("Template parsing error: %s", err)
+	}
+	return NewTemplateInspector(out, tmpl), nil
+}
+
+// GetRefFunc is a function which used by Inspect to fetch an object from a
+// reference
+type GetRefFunc func(ref string) (interface{}, []byte, error)
+
+// Inspect fetches objects by reference using GetRefFunc and writes the json
+// representation to the output writer.
+func Inspect(out io.Writer, references []string, tmplStr string, getRef GetRefFunc) error {
+	inspector, err := NewTemplateInspectorFromString(out, tmplStr)
+	if err != nil {
+		return cli.StatusError{StatusCode: 64, Status: err.Error()}
+	}
+
+	var inspectErrs []string
+	for _, ref := range references {
+		element, raw, err := getRef(ref)
+		if err != nil {
+			inspectErrs = append(inspectErrs, err.Error())
+			continue
+		}
+
+		if err := inspector.Inspect(element, raw); err != nil {
+			inspectErrs = append(inspectErrs, err.Error())
+		}
+	}
+
+	if err := inspector.Flush(); err != nil {
+		logrus.Errorf("%s\n", err)
+	}
+
+	if len(inspectErrs) != 0 {
+		return cli.StatusError{
+			StatusCode: 1,
+			Status:     strings.Join(inspectErrs, "\n"),
+		}
+	}
+	return nil
+}
+
+// Inspect executes the inspect template.
+// It decodes the raw element into a map if the initial execution fails.
+// This allows docker cli to parse inspect structs injected with Swarm fields.
+func (i *TemplateInspector) Inspect(typedElement interface{}, rawElement []byte) error {
+	buffer := new(bytes.Buffer)
+	if err := i.tmpl.Execute(buffer, typedElement); err != nil {
+		if rawElement == nil {
+			return errors.Errorf("Template parsing error: %v", err)
+		}
+		return i.tryRawInspectFallback(rawElement)
+	}
+	i.buffer.Write(buffer.Bytes())
+	i.buffer.WriteByte('\n')
+	return nil
+}
+
+// tryRawInspectFallback executes the inspect template with a raw interface.
+// This allows docker cli to parse inspect structs injected with Swarm fields.
+func (i *TemplateInspector) tryRawInspectFallback(rawElement []byte) error {
+	var raw interface{}
+	buffer := new(bytes.Buffer)
+	rdr := bytes.NewReader(rawElement)
+	dec := json.NewDecoder(rdr)
+	dec.UseNumber()
+
+	if rawErr := dec.Decode(&raw); rawErr != nil {
+		return errors.Errorf("unable to read inspect data: %v", rawErr)
+	}
+
+	tmplMissingKey := i.tmpl.Option("missingkey=error")
+	if rawErr := tmplMissingKey.Execute(buffer, raw); rawErr != nil {
+		return errors.Errorf("Template parsing error: %v", rawErr)
+	}
+
+	i.buffer.Write(buffer.Bytes())
+	i.buffer.WriteByte('\n')
+	return nil
+}
+
+// Flush writes the result of inspecting all elements into the output stream.
+func (i *TemplateInspector) Flush() error {
+	if i.buffer.Len() == 0 {
+		_, err := io.WriteString(i.outputStream, "\n")
+		return err
+	}
+	_, err := io.Copy(i.outputStream, i.buffer)
+	return err
+}
+
+// IndentedInspector uses a buffer to stop the indented representation of an element.
+type IndentedInspector struct {
+	outputStream io.Writer
+	elements     []interface{}
+	rawElements  [][]byte
+}
+
+// NewIndentedInspector generates a new IndentedInspector.
+func NewIndentedInspector(outputStream io.Writer) Inspector {
+	return &IndentedInspector{
+		outputStream: outputStream,
+	}
+}
+
+// Inspect writes the raw element with an indented json format.
+func (i *IndentedInspector) Inspect(typedElement interface{}, rawElement []byte) error {
+	if rawElement != nil {
+		i.rawElements = append(i.rawElements, rawElement)
+	} else {
+		i.elements = append(i.elements, typedElement)
+	}
+	return nil
+}
+
+// Flush writes the result of inspecting all elements into the output stream.
+func (i *IndentedInspector) Flush() error {
+	if len(i.elements) == 0 && len(i.rawElements) == 0 {
+		_, err := io.WriteString(i.outputStream, "[]\n")
+		return err
+	}
+
+	var buffer io.Reader
+	if len(i.rawElements) > 0 {
+		bytesBuffer := new(bytes.Buffer)
+		bytesBuffer.WriteString("[")
+		for idx, r := range i.rawElements {
+			bytesBuffer.Write(r)
+			if idx < len(i.rawElements)-1 {
+				bytesBuffer.WriteString(",")
+			}
+		}
+		bytesBuffer.WriteString("]")
+		indented := new(bytes.Buffer)
+		if err := json.Indent(indented, bytesBuffer.Bytes(), "", "    "); err != nil {
+			return err
+		}
+		buffer = indented
+	} else {
+		b, err := json.MarshalIndent(i.elements, "", "    ")
+		if err != nil {
+			return err
+		}
+		buffer = bytes.NewReader(b)
+	}
+
+	if _, err := io.Copy(i.outputStream, buffer); err != nil {
+		return err
+	}
+	_, err := io.WriteString(i.outputStream, "\n")
+	return err
+}
diff --git a/cli/cli/command/inspect/inspector_test.go b/cli/cli/command/inspect/inspector_test.go
new file mode 100644
index 00000000..f4df3684
--- /dev/null
+++ b/cli/cli/command/inspect/inspector_test.go
@@ -0,0 +1,259 @@
+package inspect
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/templates"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+type testElement struct {
+	DNS string `json:"Dns"`
+}
+
+func TestTemplateInspectorDefault(t *testing.T) {
+	b := new(bytes.Buffer)
+	tmpl, err := templates.Parse("{{.DNS}}")
+	if err != nil {
+		t.Fatal(err)
+	}
+	i := NewTemplateInspector(b, tmpl)
+	if err := i.Inspect(testElement{"0.0.0.0"}, nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := i.Flush(); err != nil {
+		t.Fatal(err)
+	}
+	if b.String() != "0.0.0.0\n" {
+		t.Fatalf("Expected `0.0.0.0\\n`, got `%s`", b.String())
+	}
+}
+
+func TestTemplateInspectorEmpty(t *testing.T) {
+	b := new(bytes.Buffer)
+	tmpl, err := templates.Parse("{{.DNS}}")
+	if err != nil {
+		t.Fatal(err)
+	}
+	i := NewTemplateInspector(b, tmpl)
+
+	if err := i.Flush(); err != nil {
+		t.Fatal(err)
+	}
+	if b.String() != "\n" {
+		t.Fatalf("Expected `\\n`, got `%s`", b.String())
+	}
+}
+
+func TestTemplateInspectorTemplateError(t *testing.T) {
+	b := new(bytes.Buffer)
+	tmpl, err := templates.Parse("{{.Foo}}")
+	if err != nil {
+		t.Fatal(err)
+	}
+	i := NewTemplateInspector(b, tmpl)
+
+	err = i.Inspect(testElement{"0.0.0.0"}, nil)
+	if err == nil {
+		t.Fatal("Expected error got nil")
+	}
+
+	if !strings.HasPrefix(err.Error(), "Template parsing error") {
+		t.Fatalf("Expected template error, got %v", err)
+	}
+}
+
+func TestTemplateInspectorRawFallback(t *testing.T) {
+	b := new(bytes.Buffer)
+	tmpl, err := templates.Parse("{{.Dns}}")
+	if err != nil {
+		t.Fatal(err)
+	}
+	i := NewTemplateInspector(b, tmpl)
+	if err := i.Inspect(testElement{"0.0.0.0"}, []byte(`{"Dns": "0.0.0.0"}`)); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := i.Flush(); err != nil {
+		t.Fatal(err)
+	}
+	if b.String() != "0.0.0.0\n" {
+		t.Fatalf("Expected `0.0.0.0\\n`, got `%s`", b.String())
+	}
+}
+
+func TestTemplateInspectorRawFallbackError(t *testing.T) {
+	b := new(bytes.Buffer)
+	tmpl, err := templates.Parse("{{.Dns}}")
+	if err != nil {
+		t.Fatal(err)
+	}
+	i := NewTemplateInspector(b, tmpl)
+	err = i.Inspect(testElement{"0.0.0.0"}, []byte(`{"Foo": "0.0.0.0"}`))
+	if err == nil {
+		t.Fatal("Expected error got nil")
+	}
+
+	if !strings.HasPrefix(err.Error(), "Template parsing error") {
+		t.Fatalf("Expected template error, got %v", err)
+	}
+}
+
+func TestTemplateInspectorMultiple(t *testing.T) {
+	b := new(bytes.Buffer)
+	tmpl, err := templates.Parse("{{.DNS}}")
+	if err != nil {
+		t.Fatal(err)
+	}
+	i := NewTemplateInspector(b, tmpl)
+
+	if err := i.Inspect(testElement{"0.0.0.0"}, nil); err != nil {
+		t.Fatal(err)
+	}
+	if err := i.Inspect(testElement{"1.1.1.1"}, nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := i.Flush(); err != nil {
+		t.Fatal(err)
+	}
+	if b.String() != "0.0.0.0\n1.1.1.1\n" {
+		t.Fatalf("Expected `0.0.0.0\\n1.1.1.1\\n`, got `%s`", b.String())
+	}
+}
+
+func TestIndentedInspectorDefault(t *testing.T) {
+	b := new(bytes.Buffer)
+	i := NewIndentedInspector(b)
+	if err := i.Inspect(testElement{"0.0.0.0"}, nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := i.Flush(); err != nil {
+		t.Fatal(err)
+	}
+
+	expected := `[
+    {
+        "Dns": "0.0.0.0"
+    }
+]
+`
+	if b.String() != expected {
+		t.Fatalf("Expected `%s`, got `%s`", expected, b.String())
+	}
+}
+
+func TestIndentedInspectorMultiple(t *testing.T) {
+	b := new(bytes.Buffer)
+	i := NewIndentedInspector(b)
+	if err := i.Inspect(testElement{"0.0.0.0"}, nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := i.Inspect(testElement{"1.1.1.1"}, nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := i.Flush(); err != nil {
+		t.Fatal(err)
+	}
+
+	expected := `[
+    {
+        "Dns": "0.0.0.0"
+    },
+    {
+        "Dns": "1.1.1.1"
+    }
+]
+`
+	if b.String() != expected {
+		t.Fatalf("Expected `%s`, got `%s`", expected, b.String())
+	}
+}
+
+func TestIndentedInspectorEmpty(t *testing.T) {
+	b := new(bytes.Buffer)
+	i := NewIndentedInspector(b)
+
+	if err := i.Flush(); err != nil {
+		t.Fatal(err)
+	}
+
+	expected := "[]\n"
+	if b.String() != expected {
+		t.Fatalf("Expected `%s`, got `%s`", expected, b.String())
+	}
+}
+
+func TestIndentedInspectorRawElements(t *testing.T) {
+	b := new(bytes.Buffer)
+	i := NewIndentedInspector(b)
+	if err := i.Inspect(testElement{"0.0.0.0"}, []byte(`{"Dns": "0.0.0.0", "Node": "0"}`)); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := i.Inspect(testElement{"1.1.1.1"}, []byte(`{"Dns": "1.1.1.1", "Node": "1"}`)); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := i.Flush(); err != nil {
+		t.Fatal(err)
+	}
+
+	expected := `[
+    {
+        "Dns": "0.0.0.0",
+        "Node": "0"
+    },
+    {
+        "Dns": "1.1.1.1",
+        "Node": "1"
+    }
+]
+`
+	if b.String() != expected {
+		t.Fatalf("Expected `%s`, got `%s`", expected, b.String())
+	}
+}
+
+// moby/moby#32235
+// This test verifies that even if `tryRawInspectFallback` is called the fields containing
+// numerical values are displayed correctly.
+// For example, `docker inspect --format "{{.Id}} {{.Size}} alpine` and
+// `docker inspect --format "{{.ID}} {{.Size}} alpine" will have the same output which is
+// sha256:651aa95985aa4a17a38ffcf71f598ec461924ca96865facc2c5782ef2d2be07f 3983636
+func TestTemplateInspectorRawFallbackNumber(t *testing.T) {
+	// Using typedElem to automatically fall to tryRawInspectFallback.
+	typedElem := struct {
+		ID string `json:"Id"`
+	}{"ad3"}
+	testcases := []struct {
+		raw []byte
+		exp string
+	}{
+		{raw: []byte(`{"Id": "ad3", "Size": 53317}`), exp: "53317 ad3\n"},
+		{raw: []byte(`{"Id": "ad3", "Size": 53317.102}`), exp: "53317.102 ad3\n"},
+		{raw: []byte(`{"Id": "ad3", "Size": 53317.0}`), exp: "53317.0 ad3\n"},
+	}
+	b := new(bytes.Buffer)
+	tmpl, err := templates.Parse("{{.Size}} {{.Id}}")
+	assert.NilError(t, err)
+
+	i := NewTemplateInspector(b, tmpl)
+	for _, tc := range testcases {
+		err = i.Inspect(typedElem, tc.raw)
+		assert.NilError(t, err)
+
+		err = i.Flush()
+		assert.NilError(t, err)
+
+		assert.Check(t, is.Equal(tc.exp, b.String()))
+		b.Reset()
+	}
+}
diff --git a/cli/cli/command/manifest/annotate.go b/cli/cli/command/manifest/annotate.go
new file mode 100644
index 00000000..e6c47394
--- /dev/null
+++ b/cli/cli/command/manifest/annotate.go
@@ -0,0 +1,97 @@
+package manifest
+
+import (
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/manifest/store"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type annotateOptions struct {
+	target     string // the target manifest list name (also transaction ID)
+	image      string // the manifest to annotate within the list
+	variant    string // an architecture variant
+	os         string
+	arch       string
+	osFeatures []string
+}
+
+// NewAnnotateCommand creates a new `docker manifest annotate` command
+func newAnnotateCommand(dockerCli command.Cli) *cobra.Command {
+	var opts annotateOptions
+
+	cmd := &cobra.Command{
+		Use:   "annotate [OPTIONS] MANIFEST_LIST MANIFEST",
+		Short: "Add additional information to a local image manifest",
+		Args:  cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.target = args[0]
+			opts.image = args[1]
+			return runManifestAnnotate(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.StringVar(&opts.os, "os", "", "Set operating system")
+	flags.StringVar(&opts.arch, "arch", "", "Set architecture")
+	flags.StringSliceVar(&opts.osFeatures, "os-features", []string{}, "Set operating system feature")
+	flags.StringVar(&opts.variant, "variant", "", "Set architecture variant")
+
+	return cmd
+}
+
+func runManifestAnnotate(dockerCli command.Cli, opts annotateOptions) error {
+	targetRef, err := normalizeReference(opts.target)
+	if err != nil {
+		return errors.Wrapf(err, "annotate: error parsing name for manifest list %s", opts.target)
+	}
+	imgRef, err := normalizeReference(opts.image)
+	if err != nil {
+		return errors.Wrapf(err, "annotate: error parsing name for manifest %s", opts.image)
+	}
+
+	manifestStore := dockerCli.ManifestStore()
+	imageManifest, err := manifestStore.Get(targetRef, imgRef)
+	switch {
+	case store.IsNotFound(err):
+		return fmt.Errorf("manifest for image %s does not exist in %s", opts.image, opts.target)
+	case err != nil:
+		return err
+	}
+
+	// Update the mf
+	if imageManifest.Descriptor.Platform == nil {
+		imageManifest.Descriptor.Platform = new(ocispec.Platform)
+	}
+	if opts.os != "" {
+		imageManifest.Descriptor.Platform.OS = opts.os
+	}
+	if opts.arch != "" {
+		imageManifest.Descriptor.Platform.Architecture = opts.arch
+	}
+	for _, osFeature := range opts.osFeatures {
+		imageManifest.Descriptor.Platform.OSFeatures = appendIfUnique(imageManifest.Descriptor.Platform.OSFeatures, osFeature)
+	}
+	if opts.variant != "" {
+		imageManifest.Descriptor.Platform.Variant = opts.variant
+	}
+
+	if !isValidOSArch(imageManifest.Descriptor.Platform.OS, imageManifest.Descriptor.Platform.Architecture) {
+		return errors.Errorf("manifest entry for image has unsupported os/arch combination: %s/%s", opts.os, opts.arch)
+	}
+	return manifestStore.Save(targetRef, imgRef, imageManifest)
+}
+
+func appendIfUnique(list []string, str string) []string {
+	for _, s := range list {
+		if s == str {
+			return list
+		}
+	}
+	return append(list, str)
+}
diff --git a/cli/cli/command/manifest/annotate_test.go b/cli/cli/command/manifest/annotate_test.go
new file mode 100644
index 00000000..e5cce8f6
--- /dev/null
+++ b/cli/cli/command/manifest/annotate_test.go
@@ -0,0 +1,77 @@
+package manifest
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestManifestAnnotateError(t *testing.T) {
+	testCases := []struct {
+		args          []string
+		expectedError string
+	}{
+		{
+			args:          []string{"too-few-arguments"},
+			expectedError: "requires exactly 2 arguments",
+		},
+		{
+			args:          []string{"th!si'sa/fa!ke/li$t/name", "example.com/alpine:3.0"},
+			expectedError: "error parsing name for manifest list",
+		},
+		{
+			args:          []string{"example.com/list:v1", "th!si'sa/fa!ke/im@ge/nam32"},
+			expectedError: "error parsing name for manifest",
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(nil)
+		cmd := newAnnotateCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestManifestAnnotate(t *testing.T) {
+	store, cleanup := newTempManifestStore(t)
+	defer cleanup()
+
+	cli := test.NewFakeCli(nil)
+	cli.SetManifestStore(store)
+	namedRef := ref(t, "alpine:3.0")
+	imageManifest := fullImageManifest(t, namedRef)
+	err := store.Save(ref(t, "list:v1"), namedRef, imageManifest)
+	assert.NilError(t, err)
+
+	cmd := newAnnotateCommand(cli)
+	cmd.SetArgs([]string{"example.com/list:v1", "example.com/fake:0.0"})
+	cmd.SetOutput(ioutil.Discard)
+	expectedError := "manifest for image example.com/fake:0.0 does not exist"
+	assert.ErrorContains(t, cmd.Execute(), expectedError)
+
+	cmd.SetArgs([]string{"example.com/list:v1", "example.com/alpine:3.0"})
+	cmd.Flags().Set("os", "freebsd")
+	cmd.Flags().Set("arch", "fake")
+	cmd.Flags().Set("os-features", "feature1")
+	cmd.Flags().Set("variant", "v7")
+	expectedError = "manifest entry for image has unsupported os/arch combination"
+	assert.ErrorContains(t, cmd.Execute(), expectedError)
+
+	cmd.Flags().Set("arch", "arm")
+	assert.NilError(t, cmd.Execute())
+
+	cmd = newInspectCommand(cli)
+	err = cmd.Flags().Set("verbose", "true")
+	assert.NilError(t, err)
+	cmd.SetArgs([]string{"example.com/list:v1", "example.com/alpine:3.0"})
+	assert.NilError(t, cmd.Execute())
+	actual := cli.OutBuffer()
+	expected := golden.Get(t, "inspect-annotate.golden")
+	assert.Check(t, is.Equal(string(expected), actual.String()))
+}
diff --git a/cli/cli/command/manifest/client_test.go b/cli/cli/command/manifest/client_test.go
new file mode 100644
index 00000000..07967c29
--- /dev/null
+++ b/cli/cli/command/manifest/client_test.go
@@ -0,0 +1,48 @@
+package manifest
+
+import (
+	"context"
+
+	manifesttypes "github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/cli/cli/registry/client"
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/reference"
+	"github.com/opencontainers/go-digest"
+)
+
+type fakeRegistryClient struct {
+	getManifestFunc     func(ctx context.Context, ref reference.Named) (manifesttypes.ImageManifest, error)
+	getManifestListFunc func(ctx context.Context, ref reference.Named) ([]manifesttypes.ImageManifest, error)
+	mountBlobFunc       func(ctx context.Context, source reference.Canonical, target reference.Named) error
+	putManifestFunc     func(ctx context.Context, source reference.Named, mf distribution.Manifest) (digest.Digest, error)
+}
+
+func (c *fakeRegistryClient) GetManifest(ctx context.Context, ref reference.Named) (manifesttypes.ImageManifest, error) {
+	if c.getManifestFunc != nil {
+		return c.getManifestFunc(ctx, ref)
+	}
+	return manifesttypes.ImageManifest{}, nil
+}
+
+func (c *fakeRegistryClient) GetManifestList(ctx context.Context, ref reference.Named) ([]manifesttypes.ImageManifest, error) {
+	if c.getManifestListFunc != nil {
+		return c.getManifestListFunc(ctx, ref)
+	}
+	return nil, nil
+}
+
+func (c *fakeRegistryClient) MountBlob(ctx context.Context, source reference.Canonical, target reference.Named) error {
+	if c.mountBlobFunc != nil {
+		return c.mountBlobFunc(ctx, source, target)
+	}
+	return nil
+}
+
+func (c *fakeRegistryClient) PutManifest(ctx context.Context, ref reference.Named, mf distribution.Manifest) (digest.Digest, error) {
+	if c.putManifestFunc != nil {
+		return c.putManifestFunc(ctx, ref, mf)
+	}
+	return digest.Digest(""), nil
+}
+
+var _ client.RegistryClient = &fakeRegistryClient{}
diff --git a/cli/cli/command/manifest/cmd.go b/cli/cli/command/manifest/cmd.go
new file mode 100644
index 00000000..8cc4987a
--- /dev/null
+++ b/cli/cli/command/manifest/cmd.go
@@ -0,0 +1,45 @@
+package manifest
+
+import (
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+
+	"github.com/spf13/cobra"
+)
+
+// NewManifestCommand returns a cobra command for `manifest` subcommands
+func NewManifestCommand(dockerCli command.Cli) *cobra.Command {
+	// use dockerCli as command.Cli
+	cmd := &cobra.Command{
+		Use:   "manifest COMMAND",
+		Short: "Manage Docker image manifests and manifest lists",
+		Long:  manifestDescription,
+		Args:  cli.NoArgs,
+		Run: func(cmd *cobra.Command, args []string) {
+			fmt.Fprintf(dockerCli.Err(), "\n"+cmd.UsageString())
+		},
+		Annotations: map[string]string{"experimentalCLI": ""},
+	}
+	cmd.AddCommand(
+		newCreateListCommand(dockerCli),
+		newInspectCommand(dockerCli),
+		newAnnotateCommand(dockerCli),
+		newPushListCommand(dockerCli),
+	)
+	return cmd
+}
+
+var manifestDescription = `
+The **docker manifest** command has subcommands for managing image manifests and
+manifest lists. A manifest list allows you to use one name to refer to the same image
+built for multiple architectures.
+
+To see help for a subcommand, use:
+
+    docker manifest CMD --help
+
+For full details on using docker manifest lists, see the registry v2 specification.
+
+`
diff --git a/cli/cli/command/manifest/create_list.go b/cli/cli/command/manifest/create_list.go
new file mode 100644
index 00000000..f2e54dcf
--- /dev/null
+++ b/cli/cli/command/manifest/create_list.go
@@ -0,0 +1,82 @@
+package manifest
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/manifest/store"
+	"github.com/docker/docker/registry"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type createOpts struct {
+	amend    bool
+	insecure bool
+}
+
+func newCreateListCommand(dockerCli command.Cli) *cobra.Command {
+	opts := createOpts{}
+
+	cmd := &cobra.Command{
+		Use:   "create MANIFEST_LIST MANIFEST [MANIFEST...]",
+		Short: "Create a local manifest list for annotating and pushing to a registry",
+		Args:  cli.RequiresMinArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return createManifestList(dockerCli, args, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.insecure, "insecure", false, "Allow communication with an insecure registry")
+	flags.BoolVarP(&opts.amend, "amend", "a", false, "Amend an existing manifest list")
+	return cmd
+}
+
+func createManifestList(dockerCli command.Cli, args []string, opts createOpts) error {
+	newRef := args[0]
+	targetRef, err := normalizeReference(newRef)
+	if err != nil {
+		return errors.Wrapf(err, "error parsing name for manifest list %s", newRef)
+	}
+
+	_, err = registry.ParseRepositoryInfo(targetRef)
+	if err != nil {
+		return errors.Wrapf(err, "error parsing repository name for manifest list %s", newRef)
+	}
+
+	manifestStore := dockerCli.ManifestStore()
+	_, err = manifestStore.GetList(targetRef)
+	switch {
+	case store.IsNotFound(err):
+		// New manifest list
+	case err != nil:
+		return err
+	case !opts.amend:
+		return errors.Errorf("refusing to amend an existing manifest list with no --amend flag")
+	}
+
+	ctx := context.Background()
+	// Now create the local manifest list transaction by looking up the manifest schemas
+	// for the constituent images:
+	manifests := args[1:]
+	for _, manifestRef := range manifests {
+		namedRef, err := normalizeReference(manifestRef)
+		if err != nil {
+			// TODO: wrap error?
+			return err
+		}
+
+		manifest, err := getManifest(ctx, dockerCli, targetRef, namedRef, opts.insecure)
+		if err != nil {
+			return err
+		}
+		if err := manifestStore.Save(targetRef, namedRef, manifest); err != nil {
+			return err
+		}
+	}
+	fmt.Fprintf(dockerCli.Out(), "Created manifest list %s\n", targetRef.String())
+	return nil
+}
diff --git a/cli/cli/command/manifest/create_test.go b/cli/cli/command/manifest/create_test.go
new file mode 100644
index 00000000..fbf0ae7b
--- /dev/null
+++ b/cli/cli/command/manifest/create_test.go
@@ -0,0 +1,116 @@
+package manifest
+
+import (
+	"context"
+	"io/ioutil"
+	"testing"
+
+	manifesttypes "github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/distribution/reference"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestManifestCreateErrors(t *testing.T) {
+	testCases := []struct {
+		args          []string
+		expectedError string
+	}{
+		{
+			args:          []string{"too-few-arguments"},
+			expectedError: "requires at least 2 arguments",
+		},
+		{
+			args:          []string{"th!si'sa/fa!ke/li$t/name", "example.com/alpine:3.0"},
+			expectedError: "error parsing name for manifest list",
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(nil)
+		cmd := newCreateListCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+// create a manifest list, then overwrite it, and inspect to see if the old one is still there
+func TestManifestCreateAmend(t *testing.T) {
+	store, cleanup := newTempManifestStore(t)
+	defer cleanup()
+
+	cli := test.NewFakeCli(nil)
+	cli.SetManifestStore(store)
+
+	namedRef := ref(t, "alpine:3.0")
+	imageManifest := fullImageManifest(t, namedRef)
+	err := store.Save(ref(t, "list:v1"), namedRef, imageManifest)
+	assert.NilError(t, err)
+	namedRef = ref(t, "alpine:3.1")
+	imageManifest = fullImageManifest(t, namedRef)
+	err = store.Save(ref(t, "list:v1"), namedRef, imageManifest)
+	assert.NilError(t, err)
+
+	cmd := newCreateListCommand(cli)
+	cmd.SetArgs([]string{"example.com/list:v1", "example.com/alpine:3.1"})
+	cmd.Flags().Set("amend", "true")
+	cmd.SetOutput(ioutil.Discard)
+	err = cmd.Execute()
+	assert.NilError(t, err)
+
+	// make a new cli to clear the buffers
+	cli = test.NewFakeCli(nil)
+	cli.SetManifestStore(store)
+	inspectCmd := newInspectCommand(cli)
+	inspectCmd.SetArgs([]string{"example.com/list:v1"})
+	assert.NilError(t, inspectCmd.Execute())
+	actual := cli.OutBuffer()
+	expected := golden.Get(t, "inspect-manifest-list.golden")
+	assert.Check(t, is.Equal(string(expected), actual.String()))
+}
+
+// attempt to overwrite a saved manifest and get refused
+func TestManifestCreateRefuseAmend(t *testing.T) {
+	store, cleanup := newTempManifestStore(t)
+	defer cleanup()
+
+	cli := test.NewFakeCli(nil)
+	cli.SetManifestStore(store)
+	namedRef := ref(t, "alpine:3.0")
+	imageManifest := fullImageManifest(t, namedRef)
+	err := store.Save(ref(t, "list:v1"), namedRef, imageManifest)
+	assert.NilError(t, err)
+
+	cmd := newCreateListCommand(cli)
+	cmd.SetArgs([]string{"example.com/list:v1", "example.com/alpine:3.0"})
+	cmd.SetOutput(ioutil.Discard)
+	err = cmd.Execute()
+	assert.Error(t, err, "refusing to amend an existing manifest list with no --amend flag")
+}
+
+// attempt to make a manifest list without valid images
+func TestManifestCreateNoManifest(t *testing.T) {
+	store, cleanup := newTempManifestStore(t)
+	defer cleanup()
+
+	cli := test.NewFakeCli(nil)
+	cli.SetManifestStore(store)
+	cli.SetRegistryClient(&fakeRegistryClient{
+		getManifestFunc: func(_ context.Context, ref reference.Named) (manifesttypes.ImageManifest, error) {
+			return manifesttypes.ImageManifest{}, errors.Errorf("No such image: %v", ref)
+		},
+		getManifestListFunc: func(ctx context.Context, ref reference.Named) ([]manifesttypes.ImageManifest, error) {
+			return nil, errors.Errorf("No such manifest: %s", ref)
+		},
+	})
+
+	cmd := newCreateListCommand(cli)
+	cmd.SetArgs([]string{"example.com/list:v1", "example.com/alpine:3.0"})
+	cmd.SetOutput(ioutil.Discard)
+	err := cmd.Execute()
+	assert.Error(t, err, "No such image: example.com/alpine:3.0")
+}
diff --git a/cli/cli/command/manifest/inspect.go b/cli/cli/command/manifest/inspect.go
new file mode 100644
index 00000000..c270ee53
--- /dev/null
+++ b/cli/cli/command/manifest/inspect.go
@@ -0,0 +1,148 @@
+package manifest
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/distribution/manifest/manifestlist"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/registry"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	ref      string
+	list     string
+	verbose  bool
+	insecure bool
+}
+
+// NewInspectCommand creates a new `docker manifest inspect` command
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] [MANIFEST_LIST] MANIFEST",
+		Short: "Display an image manifest, or manifest list",
+		Args:  cli.RequiresRangeArgs(1, 2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			switch len(args) {
+			case 1:
+				opts.ref = args[0]
+			case 2:
+				opts.list = args[0]
+				opts.ref = args[1]
+			}
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.insecure, "insecure", false, "Allow communication with an insecure registry")
+	flags.BoolVarP(&opts.verbose, "verbose", "v", false, "Output additional info including layers and platform")
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	namedRef, err := normalizeReference(opts.ref)
+	if err != nil {
+		return err
+	}
+
+	// If list reference is provided, display the local manifest in a list
+	if opts.list != "" {
+		listRef, err := normalizeReference(opts.list)
+		if err != nil {
+			return err
+		}
+
+		imageManifest, err := dockerCli.ManifestStore().Get(listRef, namedRef)
+		if err != nil {
+			return err
+		}
+		return printManifest(dockerCli, imageManifest, opts)
+	}
+
+	// Try a local manifest list first
+	localManifestList, err := dockerCli.ManifestStore().GetList(namedRef)
+	if err == nil {
+		return printManifestList(dockerCli, namedRef, localManifestList, opts)
+	}
+
+	// Next try a remote manifest
+	ctx := context.Background()
+	registryClient := dockerCli.RegistryClient(opts.insecure)
+	imageManifest, err := registryClient.GetManifest(ctx, namedRef)
+	if err == nil {
+		return printManifest(dockerCli, imageManifest, opts)
+	}
+
+	// Finally try a remote manifest list
+	manifestList, err := registryClient.GetManifestList(ctx, namedRef)
+	if err != nil {
+		return err
+	}
+	return printManifestList(dockerCli, namedRef, manifestList, opts)
+}
+
+func printManifest(dockerCli command.Cli, manifest types.ImageManifest, opts inspectOptions) error {
+	buffer := new(bytes.Buffer)
+	if !opts.verbose {
+		_, raw, err := manifest.Payload()
+		if err != nil {
+			return err
+		}
+		if err := json.Indent(buffer, raw, "", "\t"); err != nil {
+			return err
+		}
+		fmt.Fprintln(dockerCli.Out(), buffer.String())
+		return nil
+	}
+	jsonBytes, err := json.MarshalIndent(manifest, "", "\t")
+	if err != nil {
+		return err
+	}
+	dockerCli.Out().Write(append(jsonBytes, '\n'))
+	return nil
+}
+
+func printManifestList(dockerCli command.Cli, namedRef reference.Named, list []types.ImageManifest, opts inspectOptions) error {
+	if !opts.verbose {
+		targetRepo, err := registry.ParseRepositoryInfo(namedRef)
+		if err != nil {
+			return err
+		}
+
+		manifests := []manifestlist.ManifestDescriptor{}
+		// More than one response. This is a manifest list.
+		for _, img := range list {
+			mfd, err := buildManifestDescriptor(targetRepo, img)
+			if err != nil {
+				return errors.Wrap(err, "failed to assemble ManifestDescriptor")
+			}
+			manifests = append(manifests, mfd)
+		}
+		deserializedML, err := manifestlist.FromDescriptors(manifests)
+		if err != nil {
+			return err
+		}
+		jsonBytes, err := deserializedML.MarshalJSON()
+		if err != nil {
+			return err
+		}
+		fmt.Fprintln(dockerCli.Out(), string(jsonBytes))
+		return nil
+	}
+	jsonBytes, err := json.MarshalIndent(list, "", "\t")
+	if err != nil {
+		return err
+	}
+	dockerCli.Out().Write(append(jsonBytes, '\n'))
+	return nil
+}
diff --git a/cli/cli/command/manifest/inspect_test.go b/cli/cli/command/manifest/inspect_test.go
new file mode 100644
index 00000000..7abe06d2
--- /dev/null
+++ b/cli/cli/command/manifest/inspect_test.go
@@ -0,0 +1,146 @@
+package manifest
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/cli/manifest/store"
+	"github.com/docker/cli/cli/manifest/types"
+	manifesttypes "github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func newTempManifestStore(t *testing.T) (store.Store, func()) {
+	tmpdir, err := ioutil.TempDir("", "test-manifest-storage")
+	assert.NilError(t, err)
+
+	return store.NewStore(tmpdir), func() { os.RemoveAll(tmpdir) }
+}
+
+func ref(t *testing.T, name string) reference.Named {
+	named, err := reference.ParseNamed("example.com/" + name)
+	assert.NilError(t, err)
+	return named
+}
+
+func fullImageManifest(t *testing.T, ref reference.Named) types.ImageManifest {
+	man, err := schema2.FromStruct(schema2.Manifest{
+		Versioned: schema2.SchemaVersion,
+		Config: distribution.Descriptor{
+			Digest:    "sha256:7328f6f8b41890597575cbaadc884e7386ae0acc53b747401ebce5cf0d624560",
+			Size:      1520,
+			MediaType: schema2.MediaTypeImageConfig,
+		},
+		Layers: []distribution.Descriptor{
+			{
+				MediaType: schema2.MediaTypeLayer,
+				Size:      1990402,
+				Digest:    "sha256:88286f41530e93dffd4b964e1db22ce4939fffa4a4c665dab8591fbab03d4926",
+			},
+		},
+	})
+	assert.NilError(t, err)
+
+	// TODO: include image data for verbose inspect
+	mt, raw, err := man.Payload()
+	assert.NilError(t, err)
+
+	desc := ocispec.Descriptor{
+		Digest:    digest.FromBytes(raw),
+		Size:      int64(len(raw)),
+		MediaType: mt,
+		Platform: &ocispec.Platform{
+			Architecture: "amd64",
+			OS:           "linux",
+		},
+	}
+
+	return types.NewImageManifest(ref, desc, man)
+}
+
+func TestInspectCommandLocalManifestNotFound(t *testing.T) {
+	store, cleanup := newTempManifestStore(t)
+	defer cleanup()
+
+	cli := test.NewFakeCli(nil)
+	cli.SetManifestStore(store)
+
+	cmd := newInspectCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"example.com/list:v1", "example.com/alpine:3.0"})
+	err := cmd.Execute()
+	assert.Error(t, err, "No such manifest: example.com/alpine:3.0")
+}
+
+func TestInspectCommandNotFound(t *testing.T) {
+	store, cleanup := newTempManifestStore(t)
+	defer cleanup()
+
+	cli := test.NewFakeCli(nil)
+	cli.SetManifestStore(store)
+	cli.SetRegistryClient(&fakeRegistryClient{
+		getManifestFunc: func(_ context.Context, _ reference.Named) (manifesttypes.ImageManifest, error) {
+			return manifesttypes.ImageManifest{}, errors.New("missing")
+		},
+		getManifestListFunc: func(ctx context.Context, ref reference.Named) ([]manifesttypes.ImageManifest, error) {
+			return nil, errors.Errorf("No such manifest: %s", ref)
+		},
+	})
+
+	cmd := newInspectCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"example.com/alpine:3.0"})
+	err := cmd.Execute()
+	assert.Error(t, err, "No such manifest: example.com/alpine:3.0")
+}
+
+func TestInspectCommandLocalManifest(t *testing.T) {
+	store, cleanup := newTempManifestStore(t)
+	defer cleanup()
+
+	cli := test.NewFakeCli(nil)
+	cli.SetManifestStore(store)
+	namedRef := ref(t, "alpine:3.0")
+	imageManifest := fullImageManifest(t, namedRef)
+	err := store.Save(ref(t, "list:v1"), namedRef, imageManifest)
+	assert.NilError(t, err)
+
+	cmd := newInspectCommand(cli)
+	cmd.SetArgs([]string{"example.com/list:v1", "example.com/alpine:3.0"})
+	assert.NilError(t, cmd.Execute())
+	actual := cli.OutBuffer()
+	expected := golden.Get(t, "inspect-manifest.golden")
+	assert.Check(t, is.Equal(string(expected), actual.String()))
+}
+
+func TestInspectcommandRemoteManifest(t *testing.T) {
+	store, cleanup := newTempManifestStore(t)
+	defer cleanup()
+
+	cli := test.NewFakeCli(nil)
+	cli.SetManifestStore(store)
+	cli.SetRegistryClient(&fakeRegistryClient{
+		getManifestFunc: func(_ context.Context, ref reference.Named) (manifesttypes.ImageManifest, error) {
+			return fullImageManifest(t, ref), nil
+		},
+	})
+
+	cmd := newInspectCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"example.com/alpine:3.0"})
+	assert.NilError(t, cmd.Execute())
+	actual := cli.OutBuffer()
+	expected := golden.Get(t, "inspect-manifest.golden")
+	assert.Check(t, is.Equal(string(expected), actual.String()))
+}
diff --git a/cli/cli/command/manifest/push.go b/cli/cli/command/manifest/push.go
new file mode 100644
index 00000000..fa734afa
--- /dev/null
+++ b/cli/cli/command/manifest/push.go
@@ -0,0 +1,281 @@
+package manifest
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/manifest/types"
+	registryclient "github.com/docker/cli/cli/registry/client"
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/manifestlist"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/registry"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type pushOpts struct {
+	insecure bool
+	purge    bool
+	target   string
+}
+
+type mountRequest struct {
+	ref      reference.Named
+	manifest types.ImageManifest
+}
+
+type manifestBlob struct {
+	canonical reference.Canonical
+	os        string
+}
+
+type pushRequest struct {
+	targetRef     reference.Named
+	list          *manifestlist.DeserializedManifestList
+	mountRequests []mountRequest
+	manifestBlobs []manifestBlob
+	insecure      bool
+}
+
+func newPushListCommand(dockerCli command.Cli) *cobra.Command {
+	opts := pushOpts{}
+
+	cmd := &cobra.Command{
+		Use:   "push [OPTIONS] MANIFEST_LIST",
+		Short: "Push a manifest list to a repository",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.target = args[0]
+			return runPush(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.purge, "purge", "p", false, "Remove the local manifest list after push")
+	flags.BoolVar(&opts.insecure, "insecure", false, "Allow push to an insecure registry")
+	return cmd
+}
+
+func runPush(dockerCli command.Cli, opts pushOpts) error {
+
+	targetRef, err := normalizeReference(opts.target)
+	if err != nil {
+		return err
+	}
+
+	manifests, err := dockerCli.ManifestStore().GetList(targetRef)
+	if err != nil {
+		return err
+	}
+	if len(manifests) == 0 {
+		return errors.Errorf("%s not found", targetRef)
+	}
+
+	pushRequest, err := buildPushRequest(manifests, targetRef, opts.insecure)
+	if err != nil {
+		return err
+	}
+
+	ctx := context.Background()
+	if err := pushList(ctx, dockerCli, pushRequest); err != nil {
+		return err
+	}
+	if opts.purge {
+		return dockerCli.ManifestStore().Remove(targetRef)
+	}
+	return nil
+}
+
+func buildPushRequest(manifests []types.ImageManifest, targetRef reference.Named, insecure bool) (pushRequest, error) {
+	req := pushRequest{targetRef: targetRef, insecure: insecure}
+
+	var err error
+	req.list, err = buildManifestList(manifests, targetRef)
+	if err != nil {
+		return req, err
+	}
+
+	targetRepo, err := registry.ParseRepositoryInfo(targetRef)
+	if err != nil {
+		return req, err
+	}
+	targetRepoName, err := registryclient.RepoNameForReference(targetRepo.Name)
+	if err != nil {
+		return req, err
+	}
+
+	for _, imageManifest := range manifests {
+		manifestRepoName, err := registryclient.RepoNameForReference(imageManifest.Ref)
+		if err != nil {
+			return req, err
+		}
+
+		repoName, _ := reference.WithName(manifestRepoName)
+		if repoName.Name() != targetRepoName {
+			blobs, err := buildBlobRequestList(imageManifest, repoName)
+			if err != nil {
+				return req, err
+			}
+			req.manifestBlobs = append(req.manifestBlobs, blobs...)
+
+			manifestPush, err := buildPutManifestRequest(imageManifest, targetRef)
+			if err != nil {
+				return req, err
+			}
+			req.mountRequests = append(req.mountRequests, manifestPush)
+		}
+	}
+	return req, nil
+}
+
+func buildManifestList(manifests []types.ImageManifest, targetRef reference.Named) (*manifestlist.DeserializedManifestList, error) {
+	targetRepoInfo, err := registry.ParseRepositoryInfo(targetRef)
+	if err != nil {
+		return nil, err
+	}
+
+	descriptors := []manifestlist.ManifestDescriptor{}
+	for _, imageManifest := range manifests {
+		if imageManifest.Descriptor.Platform == nil ||
+			imageManifest.Descriptor.Platform.Architecture == "" ||
+			imageManifest.Descriptor.Platform.OS == "" {
+			return nil, errors.Errorf(
+				"manifest %s must have an OS and Architecture to be pushed to a registry", imageManifest.Ref)
+		}
+		descriptor, err := buildManifestDescriptor(targetRepoInfo, imageManifest)
+		if err != nil {
+			return nil, err
+		}
+		descriptors = append(descriptors, descriptor)
+	}
+
+	return manifestlist.FromDescriptors(descriptors)
+}
+
+func buildManifestDescriptor(targetRepo *registry.RepositoryInfo, imageManifest types.ImageManifest) (manifestlist.ManifestDescriptor, error) {
+	repoInfo, err := registry.ParseRepositoryInfo(imageManifest.Ref)
+	if err != nil {
+		return manifestlist.ManifestDescriptor{}, err
+	}
+
+	manifestRepoHostname := reference.Domain(repoInfo.Name)
+	targetRepoHostname := reference.Domain(targetRepo.Name)
+	if manifestRepoHostname != targetRepoHostname {
+		return manifestlist.ManifestDescriptor{}, errors.Errorf("cannot use source images from a different registry than the target image: %s != %s", manifestRepoHostname, targetRepoHostname)
+	}
+
+	manifest := manifestlist.ManifestDescriptor{
+		Descriptor: distribution.Descriptor{
+			Digest:    imageManifest.Descriptor.Digest,
+			Size:      imageManifest.Descriptor.Size,
+			MediaType: imageManifest.Descriptor.MediaType,
+		},
+	}
+
+	platform := types.PlatformSpecFromOCI(imageManifest.Descriptor.Platform)
+	if platform != nil {
+		manifest.Platform = *platform
+	}
+
+	if err = manifest.Descriptor.Digest.Validate(); err != nil {
+		return manifestlist.ManifestDescriptor{}, errors.Wrapf(err,
+			"digest parse of image %q failed", imageManifest.Ref)
+	}
+
+	return manifest, nil
+}
+
+func buildBlobRequestList(imageManifest types.ImageManifest, repoName reference.Named) ([]manifestBlob, error) {
+	var blobReqs []manifestBlob
+
+	for _, blobDigest := range imageManifest.Blobs() {
+		canonical, err := reference.WithDigest(repoName, blobDigest)
+		if err != nil {
+			return nil, err
+		}
+		var os string
+		if imageManifest.Descriptor.Platform != nil {
+			os = imageManifest.Descriptor.Platform.OS
+		}
+		blobReqs = append(blobReqs, manifestBlob{canonical: canonical, os: os})
+	}
+	return blobReqs, nil
+}
+
+// nolint: interfacer
+func buildPutManifestRequest(imageManifest types.ImageManifest, targetRef reference.Named) (mountRequest, error) {
+	refWithoutTag, err := reference.WithName(targetRef.Name())
+	if err != nil {
+		return mountRequest{}, err
+	}
+	mountRef, err := reference.WithDigest(refWithoutTag, imageManifest.Descriptor.Digest)
+	if err != nil {
+		return mountRequest{}, err
+	}
+
+	// This indentation has to be added to ensure sha parity with the registry
+	v2ManifestBytes, err := json.MarshalIndent(imageManifest.SchemaV2Manifest, "", "   ")
+	if err != nil {
+		return mountRequest{}, err
+	}
+	// indent only the DeserializedManifest portion of this, in order to maintain parity with the registry
+	// and not alter the sha
+	var v2Manifest schema2.DeserializedManifest
+	if err = v2Manifest.UnmarshalJSON(v2ManifestBytes); err != nil {
+		return mountRequest{}, err
+	}
+	imageManifest.SchemaV2Manifest = &v2Manifest
+
+	return mountRequest{ref: mountRef, manifest: imageManifest}, err
+}
+
+func pushList(ctx context.Context, dockerCli command.Cli, req pushRequest) error {
+	rclient := dockerCli.RegistryClient(req.insecure)
+
+	if err := mountBlobs(ctx, rclient, req.targetRef, req.manifestBlobs); err != nil {
+		return err
+	}
+	if err := pushReferences(ctx, dockerCli.Out(), rclient, req.mountRequests); err != nil {
+		return err
+	}
+	dgst, err := rclient.PutManifest(ctx, req.targetRef, req.list)
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintln(dockerCli.Out(), dgst.String())
+	return nil
+}
+
+func pushReferences(ctx context.Context, out io.Writer, client registryclient.RegistryClient, mounts []mountRequest) error {
+	for _, mount := range mounts {
+		newDigest, err := client.PutManifest(ctx, mount.ref, mount.manifest)
+		if err != nil {
+			return err
+		}
+		fmt.Fprintf(out, "Pushed ref %s with digest: %s\n", mount.ref, newDigest)
+	}
+	return nil
+}
+
+func mountBlobs(ctx context.Context, client registryclient.RegistryClient, ref reference.Named, blobs []manifestBlob) error {
+	for _, blob := range blobs {
+		err := client.MountBlob(ctx, blob.canonical, ref)
+		switch err.(type) {
+		case nil:
+		case registryclient.ErrBlobCreated:
+			if blob.os != "windows" {
+				return fmt.Errorf("error mounting %s to %s", blob.canonical, ref)
+			}
+		default:
+			return err
+		}
+	}
+	return nil
+}
diff --git a/cli/cli/command/manifest/push_test.go b/cli/cli/command/manifest/push_test.go
new file mode 100644
index 00000000..3a2e9b8a
--- /dev/null
+++ b/cli/cli/command/manifest/push_test.go
@@ -0,0 +1,69 @@
+package manifest
+
+import (
+	"context"
+	"io/ioutil"
+	"testing"
+
+	manifesttypes "github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/distribution/reference"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+func newFakeRegistryClient() *fakeRegistryClient {
+	return &fakeRegistryClient{
+		getManifestFunc: func(_ context.Context, _ reference.Named) (manifesttypes.ImageManifest, error) {
+			return manifesttypes.ImageManifest{}, errors.New("")
+		},
+		getManifestListFunc: func(_ context.Context, _ reference.Named) ([]manifesttypes.ImageManifest, error) {
+			return nil, errors.Errorf("")
+		},
+	}
+}
+
+func TestManifestPushErrors(t *testing.T) {
+	testCases := []struct {
+		args          []string
+		expectedError string
+	}{
+		{
+			args:          []string{"one-arg", "extra-arg"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args:          []string{"th!si'sa/fa!ke/li$t/-name"},
+			expectedError: "invalid reference format",
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(nil)
+		cmd := newPushListCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestManifestPush(t *testing.T) {
+	store, sCleanup := newTempManifestStore(t)
+	defer sCleanup()
+
+	registry := newFakeRegistryClient()
+
+	cli := test.NewFakeCli(nil)
+	cli.SetManifestStore(store)
+	cli.SetRegistryClient(registry)
+
+	namedRef := ref(t, "alpine:3.0")
+	imageManifest := fullImageManifest(t, namedRef)
+	err := store.Save(ref(t, "list:v1"), namedRef, imageManifest)
+	assert.NilError(t, err)
+
+	cmd := newPushListCommand(cli)
+	cmd.SetArgs([]string{"example.com/list:v1"})
+	err = cmd.Execute()
+	assert.NilError(t, err)
+}
diff --git a/cli/cli/command/manifest/testdata/inspect-annotate.golden b/cli/cli/command/manifest/testdata/inspect-annotate.golden
new file mode 100644
index 00000000..4d65b729
--- /dev/null
+++ b/cli/cli/command/manifest/testdata/inspect-annotate.golden
@@ -0,0 +1,32 @@
+{
+	"Ref": "example.com/alpine:3.0",
+	"Descriptor": {
+		"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+		"digest": "sha256:1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe",
+		"size": 528,
+		"platform": {
+			"architecture": "arm",
+			"os": "freebsd",
+			"os.features": [
+				"feature1"
+			],
+			"variant": "v7"
+		}
+	},
+	"SchemaV2Manifest": {
+		"schemaVersion": 2,
+		"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+		"config": {
+			"mediaType": "application/vnd.docker.container.image.v1+json",
+			"size": 1520,
+			"digest": "sha256:7328f6f8b41890597575cbaadc884e7386ae0acc53b747401ebce5cf0d624560"
+		},
+		"layers": [
+			{
+				"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+				"size": 1990402,
+				"digest": "sha256:88286f41530e93dffd4b964e1db22ce4939fffa4a4c665dab8591fbab03d4926"
+			}
+		]
+	}
+}
diff --git a/cli/cli/command/manifest/testdata/inspect-manifest-list.golden b/cli/cli/command/manifest/testdata/inspect-manifest-list.golden
new file mode 100644
index 00000000..a0c2673e
--- /dev/null
+++ b/cli/cli/command/manifest/testdata/inspect-manifest-list.golden
@@ -0,0 +1,24 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+   "manifests": [
+      {
+         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+         "size": 528,
+         "digest": "sha256:1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe",
+         "platform": {
+            "architecture": "amd64",
+            "os": "linux"
+         }
+      },
+      {
+         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+         "size": 528,
+         "digest": "sha256:1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe",
+         "platform": {
+            "architecture": "amd64",
+            "os": "linux"
+         }
+      }
+   ]
+}
diff --git a/cli/cli/command/manifest/testdata/inspect-manifest.golden b/cli/cli/command/manifest/testdata/inspect-manifest.golden
new file mode 100644
index 00000000..7089d9bd
--- /dev/null
+++ b/cli/cli/command/manifest/testdata/inspect-manifest.golden
@@ -0,0 +1,16 @@
+{
+	"schemaVersion": 2,
+	"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+	"config": {
+		"mediaType": "application/vnd.docker.container.image.v1+json",
+		"size": 1520,
+		"digest": "sha256:7328f6f8b41890597575cbaadc884e7386ae0acc53b747401ebce5cf0d624560"
+	},
+	"layers": [
+		{
+			"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+			"size": 1990402,
+			"digest": "sha256:88286f41530e93dffd4b964e1db22ce4939fffa4a4c665dab8591fbab03d4926"
+		}
+	]
+}
diff --git a/cli/cli/command/manifest/util.go b/cli/cli/command/manifest/util.go
new file mode 100644
index 00000000..8d4bd303
--- /dev/null
+++ b/cli/cli/command/manifest/util.go
@@ -0,0 +1,80 @@
+package manifest
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/manifest/store"
+	"github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/distribution/reference"
+)
+
+type osArch struct {
+	os   string
+	arch string
+}
+
+// Remove any unsupported os/arch combo
+// list of valid os/arch values (see "Optional Environment Variables" section
+// of https://golang.org/doc/install/source
+// Added linux/s390x as we know System z support already exists
+var validOSArches = map[osArch]bool{
+	{os: "darwin", arch: "386"}:      true,
+	{os: "darwin", arch: "amd64"}:    true,
+	{os: "darwin", arch: "arm"}:      true,
+	{os: "darwin", arch: "arm64"}:    true,
+	{os: "dragonfly", arch: "amd64"}: true,
+	{os: "freebsd", arch: "386"}:     true,
+	{os: "freebsd", arch: "amd64"}:   true,
+	{os: "freebsd", arch: "arm"}:     true,
+	{os: "linux", arch: "386"}:       true,
+	{os: "linux", arch: "amd64"}:     true,
+	{os: "linux", arch: "arm"}:       true,
+	{os: "linux", arch: "arm64"}:     true,
+	{os: "linux", arch: "ppc64le"}:   true,
+	{os: "linux", arch: "mips64"}:    true,
+	{os: "linux", arch: "mips64le"}:  true,
+	{os: "linux", arch: "s390x"}:     true,
+	{os: "netbsd", arch: "386"}:      true,
+	{os: "netbsd", arch: "amd64"}:    true,
+	{os: "netbsd", arch: "arm"}:      true,
+	{os: "openbsd", arch: "386"}:     true,
+	{os: "openbsd", arch: "amd64"}:   true,
+	{os: "openbsd", arch: "arm"}:     true,
+	{os: "plan9", arch: "386"}:       true,
+	{os: "plan9", arch: "amd64"}:     true,
+	{os: "solaris", arch: "amd64"}:   true,
+	{os: "windows", arch: "386"}:     true,
+	{os: "windows", arch: "amd64"}:   true,
+}
+
+func isValidOSArch(os string, arch string) bool {
+	// check for existence of this combo
+	_, ok := validOSArches[osArch{os, arch}]
+	return ok
+}
+
+func normalizeReference(ref string) (reference.Named, error) {
+	namedRef, err := reference.ParseNormalizedNamed(ref)
+	if err != nil {
+		return nil, err
+	}
+	if _, isDigested := namedRef.(reference.Canonical); !isDigested {
+		return reference.TagNameOnly(namedRef), nil
+	}
+	return namedRef, nil
+}
+
+// getManifest from the local store, and fallback to the remote registry if it
+//  doesn't exist locally
+func getManifest(ctx context.Context, dockerCli command.Cli, listRef, namedRef reference.Named, insecure bool) (types.ImageManifest, error) {
+	data, err := dockerCli.ManifestStore().Get(listRef, namedRef)
+	switch {
+	case store.IsNotFound(err):
+		return dockerCli.RegistryClient(insecure).GetManifest(ctx, namedRef)
+	case err != nil:
+		return types.ImageManifest{}, err
+	default:
+		return data, nil
+	}
+}
diff --git a/cli/cli/command/network/client_test.go b/cli/cli/command/network/client_test.go
new file mode 100644
index 00000000..33cec6e5
--- /dev/null
+++ b/cli/cli/command/network/client_test.go
@@ -0,0 +1,45 @@
+package network
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	networkCreateFunc     func(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error)
+	networkConnectFunc    func(ctx context.Context, networkID, container string, config *network.EndpointSettings) error
+	networkDisconnectFunc func(ctx context.Context, networkID, container string, force bool) error
+	networkListFunc       func(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error)
+}
+
+func (c *fakeClient) NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
+	if c.networkCreateFunc != nil {
+		return c.networkCreateFunc(ctx, name, options)
+	}
+	return types.NetworkCreateResponse{}, nil
+}
+
+func (c *fakeClient) NetworkConnect(ctx context.Context, networkID, container string, config *network.EndpointSettings) error {
+	if c.networkConnectFunc != nil {
+		return c.networkConnectFunc(ctx, networkID, container, config)
+	}
+	return nil
+}
+
+func (c *fakeClient) NetworkDisconnect(ctx context.Context, networkID, container string, force bool) error {
+	if c.networkDisconnectFunc != nil {
+		return c.networkDisconnectFunc(ctx, networkID, container, force)
+	}
+	return nil
+}
+
+func (c *fakeClient) NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+	if c.networkListFunc != nil {
+		return c.networkListFunc(ctx, options)
+	}
+	return []types.NetworkResource{}, nil
+}
diff --git a/cli/cli/command/network/cmd.go b/cli/cli/command/network/cmd.go
new file mode 100644
index 00000000..48edf1c4
--- /dev/null
+++ b/cli/cli/command/network/cmd.go
@@ -0,0 +1,28 @@
+package network
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+)
+
+// NewNetworkCommand returns a cobra command for `network` subcommands
+func NewNetworkCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "network",
+		Short: "Manage networks",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+	}
+	cmd.AddCommand(
+		newConnectCommand(dockerCli),
+		newCreateCommand(dockerCli),
+		newDisconnectCommand(dockerCli),
+		newInspectCommand(dockerCli),
+		newListCommand(dockerCli),
+		newRemoveCommand(dockerCli),
+		NewPruneCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/network/connect.go b/cli/cli/command/network/connect.go
new file mode 100644
index 00000000..7ff055aa
--- /dev/null
+++ b/cli/cli/command/network/connect.go
@@ -0,0 +1,63 @@
+package network
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/network"
+	"github.com/spf13/cobra"
+)
+
+type connectOptions struct {
+	network      string
+	container    string
+	ipaddress    string
+	ipv6address  string
+	links        opts.ListOpts
+	aliases      []string
+	linklocalips []string
+}
+
+func newConnectCommand(dockerCli command.Cli) *cobra.Command {
+	options := connectOptions{
+		links: opts.NewListOpts(opts.ValidateLink),
+	}
+
+	cmd := &cobra.Command{
+		Use:   "connect [OPTIONS] NETWORK CONTAINER",
+		Short: "Connect a container to a network",
+		Args:  cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.network = args[0]
+			options.container = args[1]
+			return runConnect(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&options.ipaddress, "ip", "", "IPv4 address (e.g., 172.30.100.104)")
+	flags.StringVar(&options.ipv6address, "ip6", "", "IPv6 address (e.g., 2001:db8::33)")
+	flags.Var(&options.links, "link", "Add link to another container")
+	flags.StringSliceVar(&options.aliases, "alias", []string{}, "Add network-scoped alias for the container")
+	flags.StringSliceVar(&options.linklocalips, "link-local-ip", []string{}, "Add a link-local address for the container")
+
+	return cmd
+}
+
+func runConnect(dockerCli command.Cli, options connectOptions) error {
+	client := dockerCli.Client()
+
+	epConfig := &network.EndpointSettings{
+		IPAMConfig: &network.EndpointIPAMConfig{
+			IPv4Address:  options.ipaddress,
+			IPv6Address:  options.ipv6address,
+			LinkLocalIPs: options.linklocalips,
+		},
+		Links:   options.links.GetAll(),
+		Aliases: options.aliases,
+	}
+
+	return client.NetworkConnect(context.Background(), options.network, options.container, epConfig)
+}
diff --git a/cli/cli/command/network/connect_test.go b/cli/cli/command/network/connect_test.go
new file mode 100644
index 00000000..2c1d0401
--- /dev/null
+++ b/cli/cli/command/network/connect_test.go
@@ -0,0 +1,70 @@
+package network
+
+import (
+	"context"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/network"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNetworkConnectErrors(t *testing.T) {
+	testCases := []struct {
+		args               []string
+		networkConnectFunc func(ctx context.Context, networkID, container string, config *network.EndpointSettings) error
+		expectedError      string
+	}{
+		{
+			expectedError: "requires exactly 2 arguments",
+		},
+		{
+			args: []string{"toto", "titi"},
+			networkConnectFunc: func(ctx context.Context, networkID, container string, config *network.EndpointSettings) error {
+				return errors.Errorf("error connecting network")
+			},
+			expectedError: "error connecting network",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newConnectCommand(
+			test.NewFakeCli(&fakeClient{
+				networkConnectFunc: tc.networkConnectFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+
+	}
+}
+
+func TestNetworkConnectWithFlags(t *testing.T) {
+	expectedOpts := []network.IPAMConfig{
+		{
+			Subnet:     "192.168.4.0/24",
+			IPRange:    "192.168.4.0/24",
+			Gateway:    "192.168.4.1/24",
+			AuxAddress: map[string]string{},
+		},
+	}
+	cli := test.NewFakeCli(&fakeClient{
+		networkConnectFunc: func(ctx context.Context, networkID, container string, config *network.EndpointSettings) error {
+			assert.Check(t, is.DeepEqual(expectedOpts, config.IPAMConfig), "not expected driver error")
+			return nil
+		},
+	})
+	args := []string{"banana"}
+	cmd := newCreateCommand(cli)
+
+	cmd.SetArgs(args)
+	cmd.Flags().Set("driver", "foo")
+	cmd.Flags().Set("ip-range", "192.168.4.0/24")
+	cmd.Flags().Set("gateway", "192.168.4.1/24")
+	cmd.Flags().Set("subnet", "192.168.4.0/24")
+	assert.NilError(t, cmd.Execute())
+}
diff --git a/cli/cli/command/network/create.go b/cli/cli/command/network/create.go
new file mode 100644
index 00000000..a8dda0a2
--- /dev/null
+++ b/cli/cli/command/network/create.go
@@ -0,0 +1,248 @@
+package network
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type createOptions struct {
+	name       string
+	scope      string
+	driver     string
+	driverOpts opts.MapOpts
+	labels     opts.ListOpts
+	internal   bool
+	ipv6       bool
+	attachable bool
+	ingress    bool
+	configOnly bool
+	configFrom string
+
+	ipamDriver  string
+	ipamSubnet  []string
+	ipamIPRange []string
+	ipamGateway []string
+	ipamAux     opts.MapOpts
+	ipamOpt     opts.MapOpts
+}
+
+func newCreateCommand(dockerCli command.Cli) *cobra.Command {
+	options := createOptions{
+		driverOpts: *opts.NewMapOpts(nil, nil),
+		labels:     opts.NewListOpts(opts.ValidateEnv),
+		ipamAux:    *opts.NewMapOpts(nil, nil),
+		ipamOpt:    *opts.NewMapOpts(nil, nil),
+	}
+
+	cmd := &cobra.Command{
+		Use:   "create [OPTIONS] NETWORK",
+		Short: "Create a network",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.name = args[0]
+			return runCreate(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&options.driver, "driver", "d", "bridge", "Driver to manage the Network")
+	flags.VarP(&options.driverOpts, "opt", "o", "Set driver specific options")
+	flags.Var(&options.labels, "label", "Set metadata on a network")
+	flags.BoolVar(&options.internal, "internal", false, "Restrict external access to the network")
+	flags.BoolVar(&options.ipv6, "ipv6", false, "Enable IPv6 networking")
+	flags.BoolVar(&options.attachable, "attachable", false, "Enable manual container attachment")
+	flags.SetAnnotation("attachable", "version", []string{"1.25"})
+	flags.BoolVar(&options.ingress, "ingress", false, "Create swarm routing-mesh network")
+	flags.SetAnnotation("ingress", "version", []string{"1.29"})
+	flags.StringVar(&options.scope, "scope", "", "Control the network's scope")
+	flags.SetAnnotation("scope", "version", []string{"1.30"})
+	flags.BoolVar(&options.configOnly, "config-only", false, "Create a configuration only network")
+	flags.SetAnnotation("config-only", "version", []string{"1.30"})
+	flags.StringVar(&options.configFrom, "config-from", "", "The network from which copying the configuration")
+	flags.SetAnnotation("config-from", "version", []string{"1.30"})
+
+	flags.StringVar(&options.ipamDriver, "ipam-driver", "default", "IP Address Management Driver")
+	flags.StringSliceVar(&options.ipamSubnet, "subnet", []string{}, "Subnet in CIDR format that represents a network segment")
+	flags.StringSliceVar(&options.ipamIPRange, "ip-range", []string{}, "Allocate container ip from a sub-range")
+	flags.StringSliceVar(&options.ipamGateway, "gateway", []string{}, "IPv4 or IPv6 Gateway for the master subnet")
+
+	flags.Var(&options.ipamAux, "aux-address", "Auxiliary IPv4 or IPv6 addresses used by Network driver")
+	flags.Var(&options.ipamOpt, "ipam-opt", "Set IPAM driver specific options")
+
+	return cmd
+}
+
+func runCreate(dockerCli command.Cli, options createOptions) error {
+	client := dockerCli.Client()
+
+	ipamCfg, err := consolidateIpam(options.ipamSubnet, options.ipamIPRange, options.ipamGateway, options.ipamAux.GetAll())
+	if err != nil {
+		return err
+	}
+
+	// Construct network create request body
+	nc := types.NetworkCreate{
+		Driver:  options.driver,
+		Options: options.driverOpts.GetAll(),
+		IPAM: &network.IPAM{
+			Driver:  options.ipamDriver,
+			Config:  ipamCfg,
+			Options: options.ipamOpt.GetAll(),
+		},
+		CheckDuplicate: true,
+		Internal:       options.internal,
+		EnableIPv6:     options.ipv6,
+		Attachable:     options.attachable,
+		Ingress:        options.ingress,
+		Scope:          options.scope,
+		ConfigOnly:     options.configOnly,
+		Labels:         opts.ConvertKVStringsToMap(options.labels.GetAll()),
+	}
+
+	if from := options.configFrom; from != "" {
+		nc.ConfigFrom = &network.ConfigReference{
+			Network: from,
+		}
+	}
+
+	resp, err := client.NetworkCreate(context.Background(), options.name, nc)
+	if err != nil {
+		return err
+	}
+	fmt.Fprintf(dockerCli.Out(), "%s\n", resp.ID)
+	return nil
+}
+
+// Consolidates the ipam configuration as a group from different related configurations
+// user can configure network with multiple non-overlapping subnets and hence it is
+// possible to correlate the various related parameters and consolidate them.
+// consolidateIpam consolidates subnets, ip-ranges, gateways and auxiliary addresses into
+// structured ipam data.
+// nolint: gocyclo
+func consolidateIpam(subnets, ranges, gateways []string, auxaddrs map[string]string) ([]network.IPAMConfig, error) {
+	if len(subnets) < len(ranges) || len(subnets) < len(gateways) {
+		return nil, errors.Errorf("every ip-range or gateway must have a corresponding subnet")
+	}
+	iData := map[string]*network.IPAMConfig{}
+
+	// Populate non-overlapping subnets into consolidation map
+	for _, s := range subnets {
+		for k := range iData {
+			ok1, err := subnetMatches(s, k)
+			if err != nil {
+				return nil, err
+			}
+			ok2, err := subnetMatches(k, s)
+			if err != nil {
+				return nil, err
+			}
+			if ok1 || ok2 {
+				return nil, errors.Errorf("multiple overlapping subnet configuration is not supported")
+			}
+		}
+		iData[s] = &network.IPAMConfig{Subnet: s, AuxAddress: map[string]string{}}
+	}
+
+	// Validate and add valid ip ranges
+	for _, r := range ranges {
+		match := false
+		for _, s := range subnets {
+			ok, err := subnetMatches(s, r)
+			if err != nil {
+				return nil, err
+			}
+			if !ok {
+				continue
+			}
+			if iData[s].IPRange != "" {
+				return nil, errors.Errorf("cannot configure multiple ranges (%s, %s) on the same subnet (%s)", r, iData[s].IPRange, s)
+			}
+			d := iData[s]
+			d.IPRange = r
+			match = true
+		}
+		if !match {
+			return nil, errors.Errorf("no matching subnet for range %s", r)
+		}
+	}
+
+	// Validate and add valid gateways
+	for _, g := range gateways {
+		match := false
+		for _, s := range subnets {
+			ok, err := subnetMatches(s, g)
+			if err != nil {
+				return nil, err
+			}
+			if !ok {
+				continue
+			}
+			if iData[s].Gateway != "" {
+				return nil, errors.Errorf("cannot configure multiple gateways (%s, %s) for the same subnet (%s)", g, iData[s].Gateway, s)
+			}
+			d := iData[s]
+			d.Gateway = g
+			match = true
+		}
+		if !match {
+			return nil, errors.Errorf("no matching subnet for gateway %s", g)
+		}
+	}
+
+	// Validate and add aux-addresses
+	for key, aa := range auxaddrs {
+		match := false
+		for _, s := range subnets {
+			ok, err := subnetMatches(s, aa)
+			if err != nil {
+				return nil, err
+			}
+			if !ok {
+				continue
+			}
+			iData[s].AuxAddress[key] = aa
+			match = true
+		}
+		if !match {
+			return nil, errors.Errorf("no matching subnet for aux-address %s", aa)
+		}
+	}
+
+	idl := []network.IPAMConfig{}
+	for _, v := range iData {
+		idl = append(idl, *v)
+	}
+	return idl, nil
+}
+
+func subnetMatches(subnet, data string) (bool, error) {
+	var (
+		ip net.IP
+	)
+
+	_, s, err := net.ParseCIDR(subnet)
+	if err != nil {
+		return false, errors.Wrap(err, "invalid subnet")
+	}
+
+	if strings.Contains(data, "/") {
+		ip, _, err = net.ParseCIDR(data)
+		if err != nil {
+			return false, err
+		}
+	} else {
+		ip = net.ParseIP(data)
+	}
+
+	return s.Contains(ip), nil
+}
diff --git a/cli/cli/command/network/create_test.go b/cli/cli/command/network/create_test.go
new file mode 100644
index 00000000..6bfa7b65
--- /dev/null
+++ b/cli/cli/command/network/create_test.go
@@ -0,0 +1,174 @@
+package network
+
+import (
+	"context"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNetworkCreateErrors(t *testing.T) {
+	testCases := []struct {
+		args              []string
+		flags             map[string]string
+		networkCreateFunc func(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error)
+		expectedError     string
+	}{
+		{
+			expectedError: "exactly 1 argument",
+		},
+		{
+			args: []string{"toto"},
+			networkCreateFunc: func(ctx context.Context, name string, createBody types.NetworkCreate) (types.NetworkCreateResponse, error) {
+				return types.NetworkCreateResponse{}, errors.Errorf("error creating network")
+			},
+			expectedError: "error creating network",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"ip-range": "255.255.0.0/24",
+				"gateway":  "255.0.255.0/24",
+				"subnet":   "10.1.2.0.30.50",
+			},
+			expectedError: "invalid CIDR address: 10.1.2.0.30.50",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"ip-range": "255.255.0.0.30/24",
+				"gateway":  "255.0.255.0/24",
+				"subnet":   "255.0.0.0/24",
+			},
+			expectedError: "invalid CIDR address: 255.255.0.0.30/24",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"gateway": "255.0.0.0/24",
+			},
+			expectedError: "every ip-range or gateway must have a corresponding subnet",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"ip-range": "255.0.0.0/24",
+			},
+			expectedError: "every ip-range or gateway must have a corresponding subnet",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"ip-range": "255.0.0.0/24",
+				"gateway":  "255.0.0.0/24",
+			},
+			expectedError: "every ip-range or gateway must have a corresponding subnet",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"ip-range": "255.255.0.0/24",
+				"gateway":  "255.0.255.0/24",
+				"subnet":   "10.1.2.0/23,10.1.3.248/30",
+			},
+			expectedError: "multiple overlapping subnet configuration is not supported",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"ip-range": "192.168.1.0/24,192.168.1.200/24",
+				"gateway":  "192.168.1.1,192.168.1.4",
+				"subnet":   "192.168.2.0/24,192.168.1.250/24",
+			},
+			expectedError: "cannot configure multiple ranges (192.168.1.200/24, 192.168.1.0/24) on the same subnet (192.168.1.250/24)",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"ip-range": "255.255.200.0/24,255.255.120.0/24",
+				"gateway":  "255.0.255.0/24",
+				"subnet":   "255.255.255.0/24,255.255.0.255/24",
+			},
+			expectedError: "no matching subnet for range 255.255.200.0/24",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"ip-range": "192.168.1.0/24",
+				"gateway":  "192.168.1.1,192.168.1.4",
+				"subnet":   "192.168.2.0/24,192.168.1.250/24",
+			},
+			expectedError: "cannot configure multiple gateways (192.168.1.4, 192.168.1.1) for the same subnet (192.168.1.250/24)",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"ip-range": "192.168.1.0/24",
+				"gateway":  "192.168.4.1,192.168.5.4",
+				"subnet":   "192.168.2.0/24,192.168.1.250/24",
+			},
+			expectedError: "no matching subnet for gateway 192.168.4.1",
+		},
+		{
+			args: []string{"toto"},
+			flags: map[string]string{
+				"gateway":     "255.255.0.0/24",
+				"subnet":      "255.255.0.0/24",
+				"aux-address": "255.255.0.30/24",
+			},
+			expectedError: "no matching subnet for aux-address",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newCreateCommand(
+			test.NewFakeCli(&fakeClient{
+				networkCreateFunc: tc.networkCreateFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			assert.NilError(t, cmd.Flags().Set(key, value))
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+
+	}
+}
+func TestNetworkCreateWithFlags(t *testing.T) {
+	expectedDriver := "foo"
+	expectedOpts := []network.IPAMConfig{
+		{
+			Subnet:     "192.168.4.0/24",
+			IPRange:    "192.168.4.0/24",
+			Gateway:    "192.168.4.1/24",
+			AuxAddress: map[string]string{},
+		},
+	}
+	cli := test.NewFakeCli(&fakeClient{
+		networkCreateFunc: func(ctx context.Context, name string, createBody types.NetworkCreate) (types.NetworkCreateResponse, error) {
+			assert.Check(t, is.Equal(expectedDriver, createBody.Driver), "not expected driver error")
+			assert.Check(t, is.DeepEqual(expectedOpts, createBody.IPAM.Config), "not expected driver error")
+			return types.NetworkCreateResponse{
+				ID: name,
+			}, nil
+		},
+	})
+	args := []string{"banana"}
+	cmd := newCreateCommand(cli)
+
+	cmd.SetArgs(args)
+	cmd.Flags().Set("driver", "foo")
+	cmd.Flags().Set("ip-range", "192.168.4.0/24")
+	cmd.Flags().Set("gateway", "192.168.4.1/24")
+	cmd.Flags().Set("subnet", "192.168.4.0/24")
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("banana", strings.TrimSpace(cli.OutBuffer().String())))
+}
diff --git a/cli/cli/command/network/disconnect.go b/cli/cli/command/network/disconnect.go
new file mode 100644
index 00000000..18bf4c7b
--- /dev/null
+++ b/cli/cli/command/network/disconnect.go
@@ -0,0 +1,41 @@
+package network
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+type disconnectOptions struct {
+	network   string
+	container string
+	force     bool
+}
+
+func newDisconnectCommand(dockerCli command.Cli) *cobra.Command {
+	opts := disconnectOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "disconnect [OPTIONS] NETWORK CONTAINER",
+		Short: "Disconnect a container from a network",
+		Args:  cli.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.network = args[0]
+			opts.container = args[1]
+			return runDisconnect(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.force, "force", "f", false, "Force the container to disconnect from a network")
+
+	return cmd
+}
+
+func runDisconnect(dockerCli command.Cli, opts disconnectOptions) error {
+	client := dockerCli.Client()
+
+	return client.NetworkDisconnect(context.Background(), opts.network, opts.container, opts.force)
+}
diff --git a/cli/cli/command/network/disconnect_test.go b/cli/cli/command/network/disconnect_test.go
new file mode 100644
index 00000000..9a552570
--- /dev/null
+++ b/cli/cli/command/network/disconnect_test.go
@@ -0,0 +1,41 @@
+package network
+
+import (
+	"context"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+func TestNetworkDisconnectErrors(t *testing.T) {
+	testCases := []struct {
+		args                  []string
+		networkDisconnectFunc func(ctx context.Context, networkID, container string, force bool) error
+		expectedError         string
+	}{
+		{
+			expectedError: "requires exactly 2 arguments",
+		},
+		{
+			args: []string{"toto", "titi"},
+			networkDisconnectFunc: func(ctx context.Context, networkID, container string, force bool) error {
+				return errors.Errorf("error disconnecting network")
+			},
+			expectedError: "error disconnecting network",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newDisconnectCommand(
+			test.NewFakeCli(&fakeClient{
+				networkDisconnectFunc: tc.networkDisconnectFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
diff --git a/cli/cli/command/network/inspect.go b/cli/cli/command/network/inspect.go
new file mode 100644
index 00000000..3d7543d9
--- /dev/null
+++ b/cli/cli/command/network/inspect.go
@@ -0,0 +1,48 @@
+package network
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	format  string
+	names   []string
+	verbose bool
+}
+
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] NETWORK [NETWORK...]",
+		Short: "Display detailed information on one or more networks",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.names = args
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	cmd.Flags().StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	cmd.Flags().BoolVarP(&opts.verbose, "verbose", "v", false, "Verbose output for diagnostics")
+
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	client := dockerCli.Client()
+
+	ctx := context.Background()
+
+	getNetFunc := func(name string) (interface{}, []byte, error) {
+		return client.NetworkInspectWithRaw(ctx, name, types.NetworkInspectOptions{Verbose: opts.verbose})
+	}
+
+	return inspect.Inspect(dockerCli.Out(), opts.names, opts.format, getNetFunc)
+}
diff --git a/cli/cli/command/network/list.go b/cli/cli/command/network/list.go
new file mode 100644
index 00000000..39191929
--- /dev/null
+++ b/cli/cli/command/network/list.go
@@ -0,0 +1,75 @@
+package network
+
+import (
+	"context"
+	"sort"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+type byNetworkName []types.NetworkResource
+
+func (r byNetworkName) Len() int           { return len(r) }
+func (r byNetworkName) Swap(i, j int)      { r[i], r[j] = r[j], r[i] }
+func (r byNetworkName) Less(i, j int) bool { return r[i].Name < r[j].Name }
+
+type listOptions struct {
+	quiet   bool
+	noTrunc bool
+	format  string
+	filter  opts.FilterOpt
+}
+
+func newListCommand(dockerCli command.Cli) *cobra.Command {
+	options := listOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS]",
+		Aliases: []string{"list"},
+		Short:   "List networks",
+		Args:    cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runList(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display network IDs")
+	flags.BoolVar(&options.noTrunc, "no-trunc", false, "Do not truncate the output")
+	flags.StringVar(&options.format, "format", "", "Pretty-print networks using a Go template")
+	flags.VarP(&options.filter, "filter", "f", "Provide filter values (e.g. 'driver=bridge')")
+
+	return cmd
+}
+
+func runList(dockerCli command.Cli, options listOptions) error {
+	client := dockerCli.Client()
+	listOptions := types.NetworkListOptions{Filters: options.filter.Value()}
+	networkResources, err := client.NetworkList(context.Background(), listOptions)
+	if err != nil {
+		return err
+	}
+
+	format := options.format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().NetworksFormat) > 0 && !options.quiet {
+			format = dockerCli.ConfigFile().NetworksFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+
+	sort.Sort(byNetworkName(networkResources))
+
+	networksCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewNetworkFormat(format, options.quiet),
+		Trunc:  !options.noTrunc,
+	}
+	return formatter.NetworkWrite(networksCtx, networkResources)
+}
diff --git a/cli/cli/command/network/list_test.go b/cli/cli/command/network/list_test.go
new file mode 100644
index 00000000..1106315f
--- /dev/null
+++ b/cli/cli/command/network/list_test.go
@@ -0,0 +1,63 @@
+package network
+
+import (
+	"context"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	. "github.com/docker/cli/internal/test/builders"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/google/go-cmp/cmp"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestNetworkListErrors(t *testing.T) {
+	testCases := []struct {
+		networkListFunc func(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error)
+		expectedError   string
+	}{
+		{
+			networkListFunc: func(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+				return []types.NetworkResource{}, errors.Errorf("error creating network")
+			},
+			expectedError: "error creating network",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newListCommand(
+			test.NewFakeCli(&fakeClient{
+				networkListFunc: tc.networkListFunc,
+			}),
+		)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNetworkListWithFlags(t *testing.T) {
+	expectedOpts := types.NetworkListOptions{
+		Filters: filters.NewArgs(filters.Arg("image.name", "ubuntu")),
+	}
+
+	cli := test.NewFakeCli(&fakeClient{
+		networkListFunc: func(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+			assert.Check(t, is.DeepEqual(expectedOpts, options, cmp.AllowUnexported(filters.Args{})))
+			return []types.NetworkResource{*NetworkResource(NetworkResourceID("123454321"),
+				NetworkResourceName("network_1"),
+				NetworkResourceDriver("09.7.01"),
+				NetworkResourceScope("global"))}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+
+	cmd.Flags().Set("filter", "image.name=ubuntu")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, strings.TrimSpace(cli.OutBuffer().String()), "network-list.golden")
+}
diff --git a/cli/cli/command/network/prune.go b/cli/cli/command/network/prune.go
new file mode 100644
index 00000000..b00e5cd2
--- /dev/null
+++ b/cli/cli/command/network/prune.go
@@ -0,0 +1,76 @@
+package network
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/spf13/cobra"
+)
+
+type pruneOptions struct {
+	force  bool
+	filter opts.FilterOpt
+}
+
+// NewPruneCommand returns a new cobra prune command for networks
+func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
+	options := pruneOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "prune [OPTIONS]",
+		Short: "Remove all unused networks",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			output, err := runPrune(dockerCli, options)
+			if err != nil {
+				return err
+			}
+			if output != "" {
+				fmt.Fprintln(dockerCli.Out(), output)
+			}
+			return nil
+		},
+		Annotations: map[string]string{"version": "1.25"},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
+	flags.Var(&options.filter, "filter", "Provide filter values (e.g. 'until=<timestamp>')")
+
+	return cmd
+}
+
+const warning = `WARNING! This will remove all networks not used by at least one container.
+Are you sure you want to continue?`
+
+func runPrune(dockerCli command.Cli, options pruneOptions) (output string, err error) {
+	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())
+
+	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
+		return "", nil
+	}
+
+	report, err := dockerCli.Client().NetworksPrune(context.Background(), pruneFilters)
+	if err != nil {
+		return "", err
+	}
+
+	if len(report.NetworksDeleted) > 0 {
+		output = "Deleted Networks:\n"
+		for _, id := range report.NetworksDeleted {
+			output += id + "\n"
+		}
+	}
+
+	return output, nil
+}
+
+// RunPrune calls the Network Prune API
+// This returns the amount of space reclaimed and a detailed output string
+func RunPrune(dockerCli command.Cli, filter opts.FilterOpt) (uint64, string, error) {
+	output, err := runPrune(dockerCli, pruneOptions{force: true, filter: filter})
+	return 0, output, err
+}
diff --git a/cli/cli/command/network/remove.go b/cli/cli/command/network/remove.go
new file mode 100644
index 00000000..66f48197
--- /dev/null
+++ b/cli/cli/command/network/remove.go
@@ -0,0 +1,53 @@
+package network
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	return &cobra.Command{
+		Use:     "rm NETWORK [NETWORK...]",
+		Aliases: []string{"remove"},
+		Short:   "Remove one or more networks",
+		Args:    cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runRemove(dockerCli, args)
+		},
+	}
+}
+
+const ingressWarning = "WARNING! Before removing the routing-mesh network, " +
+	"make sure all the nodes in your swarm run the same docker engine version. " +
+	"Otherwise, removal may not be effective and functionality of newly create " +
+	"ingress networks will be impaired.\nAre you sure you want to continue?"
+
+func runRemove(dockerCli command.Cli, networks []string) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+	status := 0
+
+	for _, name := range networks {
+		if nw, _, err := client.NetworkInspectWithRaw(ctx, name, types.NetworkInspectOptions{}); err == nil &&
+			nw.Ingress &&
+			!command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), ingressWarning) {
+			continue
+		}
+		if err := client.NetworkRemove(ctx, name); err != nil {
+			fmt.Fprintf(dockerCli.Err(), "%s\n", err)
+			status = 1
+			continue
+		}
+		fmt.Fprintf(dockerCli.Out(), "%s\n", name)
+	}
+
+	if status != 0 {
+		return cli.StatusError{StatusCode: status}
+	}
+	return nil
+}
diff --git a/cli/cli/command/network/testdata/network-list.golden b/cli/cli/command/network/testdata/network-list.golden
new file mode 100644
index 00000000..e7765109
--- /dev/null
+++ b/cli/cli/command/network/testdata/network-list.golden
@@ -0,0 +1,2 @@
+NETWORK ID          NAME                DRIVER              SCOPE
+123454321           network_1           09.7.01             global
\ No newline at end of file
diff --git a/cli/cli/command/node/client_test.go b/cli/cli/command/node/client_test.go
new file mode 100644
index 00000000..75a128cd
--- /dev/null
+++ b/cli/cli/command/node/client_test.go
@@ -0,0 +1,69 @@
+package node
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	infoFunc        func() (types.Info, error)
+	nodeInspectFunc func() (swarm.Node, []byte, error)
+	nodeListFunc    func() ([]swarm.Node, error)
+	nodeRemoveFunc  func() error
+	nodeUpdateFunc  func(nodeID string, version swarm.Version, node swarm.NodeSpec) error
+	taskInspectFunc func(taskID string) (swarm.Task, []byte, error)
+	taskListFunc    func(options types.TaskListOptions) ([]swarm.Task, error)
+}
+
+func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+	if cli.nodeInspectFunc != nil {
+		return cli.nodeInspectFunc()
+	}
+	return swarm.Node{}, []byte{}, nil
+}
+
+func (cli *fakeClient) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
+	if cli.nodeListFunc != nil {
+		return cli.nodeListFunc()
+	}
+	return []swarm.Node{}, nil
+}
+
+func (cli *fakeClient) NodeRemove(ctx context.Context, nodeID string, options types.NodeRemoveOptions) error {
+	if cli.nodeRemoveFunc != nil {
+		return cli.nodeRemoveFunc()
+	}
+	return nil
+}
+
+func (cli *fakeClient) NodeUpdate(ctx context.Context, nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+	if cli.nodeUpdateFunc != nil {
+		return cli.nodeUpdateFunc(nodeID, version, node)
+	}
+	return nil
+}
+
+func (cli *fakeClient) Info(ctx context.Context) (types.Info, error) {
+	if cli.infoFunc != nil {
+		return cli.infoFunc()
+	}
+	return types.Info{}, nil
+}
+
+func (cli *fakeClient) TaskInspectWithRaw(ctx context.Context, taskID string) (swarm.Task, []byte, error) {
+	if cli.taskInspectFunc != nil {
+		return cli.taskInspectFunc(taskID)
+	}
+	return swarm.Task{}, []byte{}, nil
+}
+
+func (cli *fakeClient) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+	if cli.taskListFunc != nil {
+		return cli.taskListFunc(options)
+	}
+	return []swarm.Task{}, nil
+}
diff --git a/cli/cli/command/node/cmd.go b/cli/cli/command/node/cmd.go
new file mode 100644
index 00000000..f96c9a6b
--- /dev/null
+++ b/cli/cli/command/node/cmd.go
@@ -0,0 +1,60 @@
+package node
+
+import (
+	"context"
+	"errors"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	apiclient "github.com/docker/docker/client"
+	"github.com/spf13/cobra"
+)
+
+// NewNodeCommand returns a cobra command for `node` subcommands
+func NewNodeCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "node",
+		Short: "Manage Swarm nodes",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{
+			"version": "1.24",
+			"swarm":   "",
+		},
+	}
+	cmd.AddCommand(
+		newDemoteCommand(dockerCli),
+		newInspectCommand(dockerCli),
+		newListCommand(dockerCli),
+		newPromoteCommand(dockerCli),
+		newRemoveCommand(dockerCli),
+		newPsCommand(dockerCli),
+		newUpdateCommand(dockerCli),
+	)
+	return cmd
+}
+
+// Reference returns the reference of a node. The special value "self" for a node
+// reference is mapped to the current node, hence the node ID is retrieved using
+// the `/info` endpoint.
+func Reference(ctx context.Context, client apiclient.APIClient, ref string) (string, error) {
+	if ref == "self" {
+		info, err := client.Info(ctx)
+		if err != nil {
+			return "", err
+		}
+		if info.Swarm.NodeID == "" {
+			// If there's no node ID in /info, the node probably
+			// isn't a manager. Call a swarm-specific endpoint to
+			// get a more specific error message.
+			_, err = client.NodeList(ctx, types.NodeListOptions{})
+			if err != nil {
+				return "", err
+			}
+			return "", errors.New("node ID not found in /info")
+		}
+		return info.Swarm.NodeID, nil
+	}
+	return ref, nil
+}
diff --git a/cli/cli/command/node/demote.go b/cli/cli/command/node/demote.go
new file mode 100644
index 00000000..5250dfc0
--- /dev/null
+++ b/cli/cli/command/node/demote.go
@@ -0,0 +1,36 @@
+package node
+
+import (
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/spf13/cobra"
+)
+
+func newDemoteCommand(dockerCli command.Cli) *cobra.Command {
+	return &cobra.Command{
+		Use:   "demote NODE [NODE...]",
+		Short: "Demote one or more nodes from manager in the swarm",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runDemote(dockerCli, args)
+		},
+	}
+}
+
+func runDemote(dockerCli command.Cli, nodes []string) error {
+	demote := func(node *swarm.Node) error {
+		if node.Spec.Role == swarm.NodeRoleWorker {
+			fmt.Fprintf(dockerCli.Out(), "Node %s is already a worker.\n", node.ID)
+			return errNoRoleChange
+		}
+		node.Spec.Role = swarm.NodeRoleWorker
+		return nil
+	}
+	success := func(nodeID string) {
+		fmt.Fprintf(dockerCli.Out(), "Manager %s demoted in the swarm.\n", nodeID)
+	}
+	return updateNodes(dockerCli, nodes, demote, success)
+}
diff --git a/cli/cli/command/node/demote_test.go b/cli/cli/command/node/demote_test.go
new file mode 100644
index 00000000..3f18d63d
--- /dev/null
+++ b/cli/cli/command/node/demote_test.go
@@ -0,0 +1,84 @@
+package node
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+)
+
+func TestNodeDemoteErrors(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		nodeInspectFunc func() (swarm.Node, []byte, error)
+		nodeUpdateFunc  func(nodeID string, version swarm.Version, node swarm.NodeSpec) error
+		expectedError   string
+	}{
+		{
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			args: []string{"nodeID"},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return swarm.Node{}, []byte{}, errors.Errorf("error inspecting the node")
+			},
+			expectedError: "error inspecting the node",
+		},
+		{
+			args: []string{"nodeID"},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				return errors.Errorf("error updating the node")
+			},
+			expectedError: "error updating the node",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newDemoteCommand(
+			test.NewFakeCli(&fakeClient{
+				nodeInspectFunc: tc.nodeInspectFunc,
+				nodeUpdateFunc:  tc.nodeUpdateFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNodeDemoteNoChange(t *testing.T) {
+	cmd := newDemoteCommand(
+		test.NewFakeCli(&fakeClient{
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(), []byte{}, nil
+			},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				if node.Role != swarm.NodeRoleWorker {
+					return errors.Errorf("expected role worker, got %s", node.Role)
+				}
+				return nil
+			},
+		}))
+	cmd.SetArgs([]string{"nodeID"})
+	assert.NilError(t, cmd.Execute())
+}
+
+func TestNodeDemoteMultipleNode(t *testing.T) {
+	cmd := newDemoteCommand(
+		test.NewFakeCli(&fakeClient{
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(Manager()), []byte{}, nil
+			},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				if node.Role != swarm.NodeRoleWorker {
+					return errors.Errorf("expected role worker, got %s", node.Role)
+				}
+				return nil
+			},
+		}))
+	cmd.SetArgs([]string{"nodeID1", "nodeID2"})
+	assert.NilError(t, cmd.Execute())
+}
diff --git a/cli/cli/command/node/inspect.go b/cli/cli/command/node/inspect.go
new file mode 100644
index 00000000..0dcb5db9
--- /dev/null
+++ b/cli/cli/command/node/inspect.go
@@ -0,0 +1,72 @@
+package node
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	nodeIds []string
+	format  string
+	pretty  bool
+}
+
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] self|NODE [NODE...]",
+		Short: "Display detailed information on one or more nodes",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.nodeIds = args
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	flags.BoolVar(&opts.pretty, "pretty", false, "Print the information in a human friendly format")
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	if opts.pretty {
+		opts.format = "pretty"
+	}
+
+	getRef := func(ref string) (interface{}, []byte, error) {
+		nodeRef, err := Reference(ctx, client, ref)
+		if err != nil {
+			return nil, nil, err
+		}
+		node, _, err := client.NodeInspectWithRaw(ctx, nodeRef)
+		return node, nil, err
+	}
+	f := opts.format
+
+	// check if the user is trying to apply a template to the pretty format, which
+	// is not supported
+	if strings.HasPrefix(f, "pretty") && f != "pretty" {
+		return fmt.Errorf("Cannot supply extra formatting options to the pretty template")
+	}
+
+	nodeCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewNodeFormat(f, false),
+	}
+
+	if err := formatter.NodeInspectWrite(nodeCtx, opts.nodeIds, getRef); err != nil {
+		return cli.StatusError{StatusCode: 1, Status: err.Error()}
+	}
+	return nil
+}
diff --git a/cli/cli/command/node/inspect_test.go b/cli/cli/command/node/inspect_test.go
new file mode 100644
index 00000000..de343b0f
--- /dev/null
+++ b/cli/cli/command/node/inspect_test.go
@@ -0,0 +1,118 @@
+package node
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestNodeInspectErrors(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		flags           map[string]string
+		nodeInspectFunc func() (swarm.Node, []byte, error)
+		infoFunc        func() (types.Info, error)
+		expectedError   string
+	}{
+		{
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			args: []string{"self"},
+			infoFunc: func() (types.Info, error) {
+				return types.Info{}, errors.Errorf("error asking for node info")
+			},
+			expectedError: "error asking for node info",
+		},
+		{
+			args: []string{"nodeID"},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return swarm.Node{}, []byte{}, errors.Errorf("error inspecting the node")
+			},
+			infoFunc: func() (types.Info, error) {
+				return types.Info{}, errors.Errorf("error asking for node info")
+			},
+			expectedError: "error inspecting the node",
+		},
+		{
+			args: []string{"self"},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return swarm.Node{}, []byte{}, errors.Errorf("error inspecting the node")
+			},
+			infoFunc: func() (types.Info, error) {
+				return types.Info{Swarm: swarm.Info{NodeID: "abc"}}, nil
+			},
+			expectedError: "error inspecting the node",
+		},
+		{
+			args: []string{"self"},
+			flags: map[string]string{
+				"pretty": "true",
+			},
+			infoFunc: func() (types.Info, error) {
+				return types.Info{}, errors.Errorf("error asking for node info")
+			},
+			expectedError: "error asking for node info",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newInspectCommand(
+			test.NewFakeCli(&fakeClient{
+				nodeInspectFunc: tc.nodeInspectFunc,
+				infoFunc:        tc.infoFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNodeInspectPretty(t *testing.T) {
+	testCases := []struct {
+		name            string
+		nodeInspectFunc func() (swarm.Node, []byte, error)
+	}{
+		{
+			name: "simple",
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(NodeLabels(map[string]string{
+					"lbl1": "value1",
+				})), []byte{}, nil
+			},
+		},
+		{
+			name: "manager",
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(Manager()), []byte{}, nil
+			},
+		},
+		{
+			name: "manager-leader",
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(Manager(Leader())), []byte{}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			nodeInspectFunc: tc.nodeInspectFunc,
+		})
+		cmd := newInspectCommand(cli)
+		cmd.SetArgs([]string{"nodeID"})
+		cmd.Flags().Set("pretty", "true")
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("node-inspect-pretty.%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/node/list.go b/cli/cli/command/node/list.go
new file mode 100644
index 00000000..d35ed0ea
--- /dev/null
+++ b/cli/cli/command/node/list.go
@@ -0,0 +1,85 @@
+package node
+
+import (
+	"context"
+	"sort"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/spf13/cobra"
+	"vbom.ml/util/sortorder"
+)
+
+type byHostname []swarm.Node
+
+func (n byHostname) Len() int      { return len(n) }
+func (n byHostname) Swap(i, j int) { n[i], n[j] = n[j], n[i] }
+func (n byHostname) Less(i, j int) bool {
+	return sortorder.NaturalLess(n[i].Description.Hostname, n[j].Description.Hostname)
+}
+
+type listOptions struct {
+	quiet  bool
+	format string
+	filter opts.FilterOpt
+}
+
+func newListCommand(dockerCli command.Cli) *cobra.Command {
+	options := listOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS]",
+		Aliases: []string{"list"},
+		Short:   "List nodes in the swarm",
+		Args:    cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runList(dockerCli, options)
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display IDs")
+	flags.StringVar(&options.format, "format", "", "Pretty-print nodes using a Go template")
+	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")
+
+	return cmd
+}
+
+func runList(dockerCli command.Cli, options listOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	nodes, err := client.NodeList(
+		ctx,
+		types.NodeListOptions{Filters: options.filter.Value()})
+	if err != nil {
+		return err
+	}
+
+	info := types.Info{}
+	if len(nodes) > 0 && !options.quiet {
+		// only non-empty nodes and not quiet, should we call /info api
+		info, err = client.Info(ctx)
+		if err != nil {
+			return err
+		}
+	}
+
+	format := options.format
+	if len(format) == 0 {
+		format = formatter.TableFormatKey
+		if len(dockerCli.ConfigFile().NodesFormat) > 0 && !options.quiet {
+			format = dockerCli.ConfigFile().NodesFormat
+		}
+	}
+
+	nodesCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewNodeFormat(format, options.quiet),
+	}
+	sort.Sort(byHostname(nodes))
+	return formatter.NodeWrite(nodesCtx, nodes, info)
+}
diff --git a/cli/cli/command/node/list_test.go b/cli/cli/command/node/list_test.go
new file mode 100644
index 00000000..5dc11c96
--- /dev/null
+++ b/cli/cli/command/node/list_test.go
@@ -0,0 +1,141 @@
+package node
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+)
+
+func TestNodeListErrorOnAPIFailure(t *testing.T) {
+	testCases := []struct {
+		nodeListFunc  func() ([]swarm.Node, error)
+		infoFunc      func() (types.Info, error)
+		expectedError string
+	}{
+		{
+			nodeListFunc: func() ([]swarm.Node, error) {
+				return []swarm.Node{}, errors.Errorf("error listing nodes")
+			},
+			expectedError: "error listing nodes",
+		},
+		{
+			nodeListFunc: func() ([]swarm.Node, error) {
+				return []swarm.Node{
+					{
+						ID: "nodeID",
+					},
+				}, nil
+			},
+			infoFunc: func() (types.Info, error) {
+				return types.Info{}, errors.Errorf("error asking for node info")
+			},
+			expectedError: "error asking for node info",
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			nodeListFunc: tc.nodeListFunc,
+			infoFunc:     tc.infoFunc,
+		})
+		cmd := newListCommand(cli)
+		cmd.SetOutput(ioutil.Discard)
+		assert.Error(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNodeList(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		nodeListFunc: func() ([]swarm.Node, error) {
+			return []swarm.Node{
+				*Node(NodeID("nodeID1"), Hostname("node-2-foo"), Manager(Leader()), EngineVersion(".")),
+				*Node(NodeID("nodeID2"), Hostname("node-10-foo"), Manager(), EngineVersion("18.03.0-ce")),
+				*Node(NodeID("nodeID3"), Hostname("node-1-foo")),
+			}, nil
+		},
+		infoFunc: func() (types.Info, error) {
+			return types.Info{
+				Swarm: swarm.Info{
+					NodeID: "nodeID1",
+				},
+			}, nil
+		},
+	})
+
+	cmd := newListCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "node-list-sort.golden")
+}
+
+func TestNodeListQuietShouldOnlyPrintIDs(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		nodeListFunc: func() ([]swarm.Node, error) {
+			return []swarm.Node{
+				*Node(NodeID("nodeID1")),
+			}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	cmd.Flags().Set("quiet", "true")
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal(cli.OutBuffer().String(), "nodeID1\n"))
+}
+
+func TestNodeListDefaultFormatFromConfig(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		nodeListFunc: func() ([]swarm.Node, error) {
+			return []swarm.Node{
+				*Node(NodeID("nodeID1"), Hostname("nodeHostname1"), Manager(Leader())),
+				*Node(NodeID("nodeID2"), Hostname("nodeHostname2"), Manager()),
+				*Node(NodeID("nodeID3"), Hostname("nodeHostname3")),
+			}, nil
+		},
+		infoFunc: func() (types.Info, error) {
+			return types.Info{
+				Swarm: swarm.Info{
+					NodeID: "nodeID1",
+				},
+			}, nil
+		},
+	})
+	cli.SetConfigFile(&configfile.ConfigFile{
+		NodesFormat: "{{.ID}}: {{.Hostname}} {{.Status}}/{{.ManagerStatus}}",
+	})
+	cmd := newListCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "node-list-format-from-config.golden")
+}
+
+func TestNodeListFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		nodeListFunc: func() ([]swarm.Node, error) {
+			return []swarm.Node{
+				*Node(NodeID("nodeID1"), Hostname("nodeHostname1"), Manager(Leader())),
+				*Node(NodeID("nodeID2"), Hostname("nodeHostname2"), Manager()),
+			}, nil
+		},
+		infoFunc: func() (types.Info, error) {
+			return types.Info{
+				Swarm: swarm.Info{
+					NodeID: "nodeID1",
+				},
+			}, nil
+		},
+	})
+	cli.SetConfigFile(&configfile.ConfigFile{
+		NodesFormat: "{{.ID}}: {{.Hostname}} {{.Status}}/{{.ManagerStatus}}",
+	})
+	cmd := newListCommand(cli)
+	cmd.Flags().Set("format", "{{.Hostname}}: {{.ManagerStatus}}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "node-list-format-flag.golden")
+}
diff --git a/cli/cli/command/node/opts.go b/cli/cli/command/node/opts.go
new file mode 100644
index 00000000..e30e5de9
--- /dev/null
+++ b/cli/cli/command/node/opts.go
@@ -0,0 +1,23 @@
+package node
+
+import (
+	"github.com/docker/cli/opts"
+)
+
+type nodeOptions struct {
+	annotations
+	role         string
+	availability string
+}
+
+type annotations struct {
+	labels opts.ListOpts
+}
+
+func newNodeOptions() *nodeOptions {
+	return &nodeOptions{
+		annotations: annotations{
+			labels: opts.NewListOpts(nil),
+		},
+	}
+}
diff --git a/cli/cli/command/node/promote.go b/cli/cli/command/node/promote.go
new file mode 100644
index 00000000..4612cc13
--- /dev/null
+++ b/cli/cli/command/node/promote.go
@@ -0,0 +1,36 @@
+package node
+
+import (
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/spf13/cobra"
+)
+
+func newPromoteCommand(dockerCli command.Cli) *cobra.Command {
+	return &cobra.Command{
+		Use:   "promote NODE [NODE...]",
+		Short: "Promote one or more nodes to manager in the swarm",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runPromote(dockerCli, args)
+		},
+	}
+}
+
+func runPromote(dockerCli command.Cli, nodes []string) error {
+	promote := func(node *swarm.Node) error {
+		if node.Spec.Role == swarm.NodeRoleManager {
+			fmt.Fprintf(dockerCli.Out(), "Node %s is already a manager.\n", node.ID)
+			return errNoRoleChange
+		}
+		node.Spec.Role = swarm.NodeRoleManager
+		return nil
+	}
+	success := func(nodeID string) {
+		fmt.Fprintf(dockerCli.Out(), "Node %s promoted to a manager in the swarm.\n", nodeID)
+	}
+	return updateNodes(dockerCli, nodes, promote, success)
+}
diff --git a/cli/cli/command/node/promote_test.go b/cli/cli/command/node/promote_test.go
new file mode 100644
index 00000000..c6b53423
--- /dev/null
+++ b/cli/cli/command/node/promote_test.go
@@ -0,0 +1,84 @@
+package node
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+)
+
+func TestNodePromoteErrors(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		nodeInspectFunc func() (swarm.Node, []byte, error)
+		nodeUpdateFunc  func(nodeID string, version swarm.Version, node swarm.NodeSpec) error
+		expectedError   string
+	}{
+		{
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			args: []string{"nodeID"},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return swarm.Node{}, []byte{}, errors.Errorf("error inspecting the node")
+			},
+			expectedError: "error inspecting the node",
+		},
+		{
+			args: []string{"nodeID"},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				return errors.Errorf("error updating the node")
+			},
+			expectedError: "error updating the node",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newPromoteCommand(
+			test.NewFakeCli(&fakeClient{
+				nodeInspectFunc: tc.nodeInspectFunc,
+				nodeUpdateFunc:  tc.nodeUpdateFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNodePromoteNoChange(t *testing.T) {
+	cmd := newPromoteCommand(
+		test.NewFakeCli(&fakeClient{
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(Manager()), []byte{}, nil
+			},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				if node.Role != swarm.NodeRoleManager {
+					return errors.Errorf("expected role manager, got %s", node.Role)
+				}
+				return nil
+			},
+		}))
+	cmd.SetArgs([]string{"nodeID"})
+	assert.NilError(t, cmd.Execute())
+}
+
+func TestNodePromoteMultipleNode(t *testing.T) {
+	cmd := newPromoteCommand(
+		test.NewFakeCli(&fakeClient{
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(), []byte{}, nil
+			},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				if node.Role != swarm.NodeRoleManager {
+					return errors.Errorf("expected role manager, got %s", node.Role)
+				}
+				return nil
+			},
+		}))
+	cmd.SetArgs([]string{"nodeID1", "nodeID2"})
+	assert.NilError(t, cmd.Execute())
+}
diff --git a/cli/cli/command/node/ps.go b/cli/cli/command/node/ps.go
new file mode 100644
index 00000000..2450e6af
--- /dev/null
+++ b/cli/cli/command/node/ps.go
@@ -0,0 +1,104 @@
+package node
+
+import (
+	"context"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/idresolver"
+	"github.com/docker/cli/cli/command/task"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type psOptions struct {
+	nodeIDs   []string
+	noResolve bool
+	noTrunc   bool
+	quiet     bool
+	format    string
+	filter    opts.FilterOpt
+}
+
+func newPsCommand(dockerCli command.Cli) *cobra.Command {
+	options := psOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "ps [OPTIONS] [NODE...]",
+		Short: "List tasks running on one or more nodes, defaults to current node",
+		Args:  cli.RequiresMinArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.nodeIDs = []string{"self"}
+
+			if len(args) != 0 {
+				options.nodeIDs = args
+			}
+
+			return runPs(dockerCli, options)
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVar(&options.noTrunc, "no-trunc", false, "Do not truncate output")
+	flags.BoolVar(&options.noResolve, "no-resolve", false, "Do not map IDs to Names")
+	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")
+	flags.StringVar(&options.format, "format", "", "Pretty-print tasks using a Go template")
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display task IDs")
+
+	return cmd
+}
+
+func runPs(dockerCli command.Cli, options psOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	var (
+		errs  []string
+		tasks []swarm.Task
+	)
+
+	for _, nodeID := range options.nodeIDs {
+		nodeRef, err := Reference(ctx, client, nodeID)
+		if err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+
+		node, _, err := client.NodeInspectWithRaw(ctx, nodeRef)
+		if err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+
+		filter := options.filter.Value()
+		filter.Add("node", node.ID)
+
+		nodeTasks, err := client.TaskList(ctx, types.TaskListOptions{Filters: filter})
+		if err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+
+		tasks = append(tasks, nodeTasks...)
+	}
+
+	format := options.format
+	if len(format) == 0 {
+		format = task.DefaultFormat(dockerCli.ConfigFile(), options.quiet)
+	}
+
+	if len(errs) == 0 || len(tasks) != 0 {
+		if err := task.Print(ctx, dockerCli, tasks, idresolver.New(client, options.noResolve), !options.noTrunc, options.quiet, format); err != nil {
+			errs = append(errs, err.Error())
+		}
+	}
+
+	if len(errs) > 0 {
+		return errors.Errorf("%s", strings.Join(errs, "\n"))
+	}
+
+	return nil
+}
diff --git a/cli/cli/command/node/ps_test.go b/cli/cli/command/node/ps_test.go
new file mode 100644
index 00000000..ae5ed616
--- /dev/null
+++ b/cli/cli/command/node/ps_test.go
@@ -0,0 +1,128 @@
+package node
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestNodePsErrors(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		flags           map[string]string
+		infoFunc        func() (types.Info, error)
+		nodeInspectFunc func() (swarm.Node, []byte, error)
+		taskListFunc    func(options types.TaskListOptions) ([]swarm.Task, error)
+		taskInspectFunc func(taskID string) (swarm.Task, []byte, error)
+		expectedError   string
+	}{
+		{
+			infoFunc: func() (types.Info, error) {
+				return types.Info{}, errors.Errorf("error asking for node info")
+			},
+			expectedError: "error asking for node info",
+		},
+		{
+			args: []string{"nodeID"},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return swarm.Node{}, []byte{}, errors.Errorf("error inspecting the node")
+			},
+			expectedError: "error inspecting the node",
+		},
+		{
+			args: []string{"nodeID"},
+			taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+				return []swarm.Task{}, errors.Errorf("error returning the task list")
+			},
+			expectedError: "error returning the task list",
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			infoFunc:        tc.infoFunc,
+			nodeInspectFunc: tc.nodeInspectFunc,
+			taskInspectFunc: tc.taskInspectFunc,
+			taskListFunc:    tc.taskListFunc,
+		})
+		cmd := newPsCommand(cli)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.Error(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNodePs(t *testing.T) {
+	testCases := []struct {
+		name            string
+		args            []string
+		flags           map[string]string
+		infoFunc        func() (types.Info, error)
+		nodeInspectFunc func() (swarm.Node, []byte, error)
+		taskListFunc    func(options types.TaskListOptions) ([]swarm.Task, error)
+		taskInspectFunc func(taskID string) (swarm.Task, []byte, error)
+	}{
+		{
+			name: "simple",
+			args: []string{"nodeID"},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(), []byte{}, nil
+			},
+			taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+				return []swarm.Task{
+					*Task(WithStatus(Timestamp(time.Now().Add(-2*time.Hour)), PortStatus([]swarm.PortConfig{
+						{
+							TargetPort:    80,
+							PublishedPort: 80,
+							Protocol:      "tcp",
+						},
+					}))),
+				}, nil
+			},
+		},
+		{
+			name: "with-errors",
+			args: []string{"nodeID"},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(), []byte{}, nil
+			},
+			taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+				return []swarm.Task{
+					*Task(TaskID("taskID1"), TaskServiceID("failure"),
+						WithStatus(Timestamp(time.Now().Add(-2*time.Hour)), StatusErr("a task error"))),
+					*Task(TaskID("taskID2"), TaskServiceID("failure"),
+						WithStatus(Timestamp(time.Now().Add(-3*time.Hour)), StatusErr("a task error"))),
+					*Task(TaskID("taskID3"), TaskServiceID("failure"),
+						WithStatus(Timestamp(time.Now().Add(-4*time.Hour)), StatusErr("a task error"))),
+				}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			infoFunc:        tc.infoFunc,
+			nodeInspectFunc: tc.nodeInspectFunc,
+			taskInspectFunc: tc.taskInspectFunc,
+			taskListFunc:    tc.taskListFunc,
+		})
+		cmd := newPsCommand(cli)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("node-ps.%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/node/remove.go b/cli/cli/command/node/remove.go
new file mode 100644
index 00000000..65e3cdc3
--- /dev/null
+++ b/cli/cli/command/node/remove.go
@@ -0,0 +1,56 @@
+package node
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type removeOptions struct {
+	force bool
+}
+
+func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	opts := removeOptions{}
+
+	cmd := &cobra.Command{
+		Use:     "rm [OPTIONS] NODE [NODE...]",
+		Aliases: []string{"remove"},
+		Short:   "Remove one or more nodes from the swarm",
+		Args:    cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runRemove(dockerCli, args, opts)
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.force, "force", "f", false, "Force remove a node from the swarm")
+	return cmd
+}
+
+func runRemove(dockerCli command.Cli, args []string, opts removeOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	var errs []string
+
+	for _, nodeID := range args {
+		err := client.NodeRemove(ctx, nodeID, types.NodeRemoveOptions{Force: opts.force})
+		if err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+		fmt.Fprintf(dockerCli.Out(), "%s\n", nodeID)
+	}
+
+	if len(errs) > 0 {
+		return errors.Errorf("%s", strings.Join(errs, "\n"))
+	}
+
+	return nil
+}
diff --git a/cli/cli/command/node/remove_test.go b/cli/cli/command/node/remove_test.go
new file mode 100644
index 00000000..8ae01c7b
--- /dev/null
+++ b/cli/cli/command/node/remove_test.go
@@ -0,0 +1,44 @@
+package node
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+func TestNodeRemoveErrors(t *testing.T) {
+	testCases := []struct {
+		args           []string
+		nodeRemoveFunc func() error
+		expectedError  string
+	}{
+		{
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			args: []string{"nodeID"},
+			nodeRemoveFunc: func() error {
+				return errors.Errorf("error removing the node")
+			},
+			expectedError: "error removing the node",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newRemoveCommand(
+			test.NewFakeCli(&fakeClient{
+				nodeRemoveFunc: tc.nodeRemoveFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNodeRemoveMultiple(t *testing.T) {
+	cmd := newRemoveCommand(test.NewFakeCli(&fakeClient{}))
+	cmd.SetArgs([]string{"nodeID1", "nodeID2"})
+	assert.NilError(t, cmd.Execute())
+}
diff --git a/cli/cli/command/node/testdata/node-inspect-pretty.manager-leader.golden b/cli/cli/command/node/testdata/node-inspect-pretty.manager-leader.golden
new file mode 100644
index 00000000..5cd95c5b
--- /dev/null
+++ b/cli/cli/command/node/testdata/node-inspect-pretty.manager-leader.golden
@@ -0,0 +1,24 @@
+ID:			nodeID
+Name:			defaultNodeName
+Hostname:              	defaultNodeHostname
+Joined at:             	2009-11-10 23:00:00 +0000 utc
+Status:
+ State:			Ready
+ Availability:         	Active
+ Address:		127.0.0.1
+Manager Status:
+ Address:		127.0.0.1
+ Raft Status:		Reachable
+ Leader:		Yes
+Platform:
+ Operating System:	linux
+ Architecture:		x86_64
+Resources:
+ CPUs:			0
+ Memory:		20MiB
+Plugins:
+ Network:		bridge, overlay
+ Volume:		local
+Engine Version:		1.13.0
+Engine Labels:
+ - engine=label
diff --git a/cli/cli/command/node/testdata/node-inspect-pretty.manager.golden b/cli/cli/command/node/testdata/node-inspect-pretty.manager.golden
new file mode 100644
index 00000000..a6371829
--- /dev/null
+++ b/cli/cli/command/node/testdata/node-inspect-pretty.manager.golden
@@ -0,0 +1,24 @@
+ID:			nodeID
+Name:			defaultNodeName
+Hostname:              	defaultNodeHostname
+Joined at:             	2009-11-10 23:00:00 +0000 utc
+Status:
+ State:			Ready
+ Availability:         	Active
+ Address:		127.0.0.1
+Manager Status:
+ Address:		127.0.0.1
+ Raft Status:		Reachable
+ Leader:		No
+Platform:
+ Operating System:	linux
+ Architecture:		x86_64
+Resources:
+ CPUs:			0
+ Memory:		20MiB
+Plugins:
+ Network:		bridge, overlay
+ Volume:		local
+Engine Version:		1.13.0
+Engine Labels:
+ - engine=label
diff --git a/cli/cli/command/node/testdata/node-inspect-pretty.simple.golden b/cli/cli/command/node/testdata/node-inspect-pretty.simple.golden
new file mode 100644
index 00000000..8aaf9089
--- /dev/null
+++ b/cli/cli/command/node/testdata/node-inspect-pretty.simple.golden
@@ -0,0 +1,22 @@
+ID:			nodeID
+Name:			defaultNodeName
+Labels:
+ - lbl1=value1
+Hostname:              	defaultNodeHostname
+Joined at:             	2009-11-10 23:00:00 +0000 utc
+Status:
+ State:			Ready
+ Availability:         	Active
+ Address:		127.0.0.1
+Platform:
+ Operating System:	linux
+ Architecture:		x86_64
+Resources:
+ CPUs:			0
+ Memory:		20MiB
+Plugins:
+ Network:		bridge, overlay
+ Volume:		local
+Engine Version:		1.13.0
+Engine Labels:
+ - engine=label
diff --git a/cli/cli/command/node/testdata/node-list-format-flag.golden b/cli/cli/command/node/testdata/node-list-format-flag.golden
new file mode 100644
index 00000000..c898df13
--- /dev/null
+++ b/cli/cli/command/node/testdata/node-list-format-flag.golden
@@ -0,0 +1,2 @@
+nodeHostname1: Leader
+nodeHostname2: Reachable
diff --git a/cli/cli/command/node/testdata/node-list-format-from-config.golden b/cli/cli/command/node/testdata/node-list-format-from-config.golden
new file mode 100644
index 00000000..91beb4a2
--- /dev/null
+++ b/cli/cli/command/node/testdata/node-list-format-from-config.golden
@@ -0,0 +1,3 @@
+nodeID1: nodeHostname1 Ready/Leader
+nodeID2: nodeHostname2 Ready/Reachable
+nodeID3: nodeHostname3 Ready/
diff --git a/cli/cli/command/node/testdata/node-list-sort.golden b/cli/cli/command/node/testdata/node-list-sort.golden
new file mode 100644
index 00000000..ffc09c92
--- /dev/null
+++ b/cli/cli/command/node/testdata/node-list-sort.golden
@@ -0,0 +1,4 @@
+ID                  HOSTNAME            STATUS              AVAILABILITY        MANAGER STATUS      ENGINE VERSION
+nodeID3             node-1-foo          Ready               Active                                  1.13.0
+nodeID1 *           node-2-foo          Ready               Active              Leader              .
+nodeID2             node-10-foo         Ready               Active              Reachable           18.03.0-ce
diff --git a/cli/cli/command/node/testdata/node-ps.simple.golden b/cli/cli/command/node/testdata/node-ps.simple.golden
new file mode 100644
index 00000000..b1818b96
--- /dev/null
+++ b/cli/cli/command/node/testdata/node-ps.simple.golden
@@ -0,0 +1,2 @@
+ID                  NAME                          IMAGE               NODE                DESIRED STATE       CURRENT STATE       ERROR               PORTS
+taskID              rl02d5gwz6chzu7il5fhtb8be.1   myimage:mytag       defaultNodeName     Ready               Ready 2 hours ago                       *:80->80/tcp
diff --git a/cli/cli/command/node/testdata/node-ps.with-errors.golden b/cli/cli/command/node/testdata/node-ps.with-errors.golden
new file mode 100644
index 00000000..99e34931
--- /dev/null
+++ b/cli/cli/command/node/testdata/node-ps.with-errors.golden
@@ -0,0 +1,4 @@
+ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE       ERROR               PORTS
+taskID1             failure.1           myimage:mytag       defaultNodeName     Ready               Ready 2 hours ago   "a task error"      
+taskID2              \_ failure.1       myimage:mytag       defaultNodeName     Ready               Ready 3 hours ago   "a task error"      
+taskID3              \_ failure.1       myimage:mytag       defaultNodeName     Ready               Ready 4 hours ago   "a task error"      
diff --git a/cli/cli/command/node/update.go b/cli/cli/command/node/update.go
new file mode 100644
index 00000000..dbae49c6
--- /dev/null
+++ b/cli/cli/command/node/update.go
@@ -0,0 +1,120 @@
+package node
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+var (
+	errNoRoleChange = errors.New("role was already set to the requested value")
+)
+
+func newUpdateCommand(dockerCli command.Cli) *cobra.Command {
+	options := newNodeOptions()
+
+	cmd := &cobra.Command{
+		Use:   "update [OPTIONS] NODE",
+		Short: "Update a node",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runUpdate(dockerCli, cmd.Flags(), args[0])
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&options.role, flagRole, "", `Role of the node ("worker"|"manager")`)
+	flags.StringVar(&options.availability, flagAvailability, "", `Availability of the node ("active"|"pause"|"drain")`)
+	flags.Var(&options.annotations.labels, flagLabelAdd, "Add or update a node label (key=value)")
+	labelKeys := opts.NewListOpts(nil)
+	flags.Var(&labelKeys, flagLabelRemove, "Remove a node label if exists")
+	return cmd
+}
+
+func runUpdate(dockerCli command.Cli, flags *pflag.FlagSet, nodeID string) error {
+	success := func(_ string) {
+		fmt.Fprintln(dockerCli.Out(), nodeID)
+	}
+	return updateNodes(dockerCli, []string{nodeID}, mergeNodeUpdate(flags), success)
+}
+
+func updateNodes(dockerCli command.Cli, nodes []string, mergeNode func(node *swarm.Node) error, success func(nodeID string)) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	for _, nodeID := range nodes {
+		node, _, err := client.NodeInspectWithRaw(ctx, nodeID)
+		if err != nil {
+			return err
+		}
+
+		err = mergeNode(&node)
+		if err != nil {
+			if err == errNoRoleChange {
+				continue
+			}
+			return err
+		}
+		err = client.NodeUpdate(ctx, node.ID, node.Version, node.Spec)
+		if err != nil {
+			return err
+		}
+		success(nodeID)
+	}
+	return nil
+}
+
+func mergeNodeUpdate(flags *pflag.FlagSet) func(*swarm.Node) error {
+	return func(node *swarm.Node) error {
+		spec := &node.Spec
+
+		if flags.Changed(flagRole) {
+			str, err := flags.GetString(flagRole)
+			if err != nil {
+				return err
+			}
+			spec.Role = swarm.NodeRole(str)
+		}
+		if flags.Changed(flagAvailability) {
+			str, err := flags.GetString(flagAvailability)
+			if err != nil {
+				return err
+			}
+			spec.Availability = swarm.NodeAvailability(str)
+		}
+		if spec.Annotations.Labels == nil {
+			spec.Annotations.Labels = make(map[string]string)
+		}
+		if flags.Changed(flagLabelAdd) {
+			labels := flags.Lookup(flagLabelAdd).Value.(*opts.ListOpts).GetAll()
+			for k, v := range opts.ConvertKVStringsToMap(labels) {
+				spec.Annotations.Labels[k] = v
+			}
+		}
+		if flags.Changed(flagLabelRemove) {
+			keys := flags.Lookup(flagLabelRemove).Value.(*opts.ListOpts).GetAll()
+			for _, k := range keys {
+				// if a key doesn't exist, fail the command explicitly
+				if _, exists := spec.Annotations.Labels[k]; !exists {
+					return errors.Errorf("key %s doesn't exist in node's labels", k)
+				}
+				delete(spec.Annotations.Labels, k)
+			}
+		}
+		return nil
+	}
+}
+
+const (
+	flagRole         = "role"
+	flagAvailability = "availability"
+	flagLabelAdd     = "label-add"
+	flagLabelRemove  = "label-rm"
+)
diff --git a/cli/cli/command/node/update_test.go b/cli/cli/command/node/update_test.go
new file mode 100644
index 00000000..8b6ae807
--- /dev/null
+++ b/cli/cli/command/node/update_test.go
@@ -0,0 +1,169 @@
+package node
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+)
+
+func TestNodeUpdateErrors(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		flags           map[string]string
+		nodeInspectFunc func() (swarm.Node, []byte, error)
+		nodeUpdateFunc  func(nodeID string, version swarm.Version, node swarm.NodeSpec) error
+		expectedError   string
+	}{
+		{
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args:          []string{"node1", "node2"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args: []string{"nodeID"},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return swarm.Node{}, []byte{}, errors.Errorf("error inspecting the node")
+			},
+			expectedError: "error inspecting the node",
+		},
+		{
+			args: []string{"nodeID"},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				return errors.Errorf("error updating the node")
+			},
+			expectedError: "error updating the node",
+		},
+		{
+			args: []string{"nodeID"},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(NodeLabels(map[string]string{
+					"key": "value",
+				})), []byte{}, nil
+			},
+			flags: map[string]string{
+				"label-rm": "notpresent",
+			},
+			expectedError: "key notpresent doesn't exist in node's labels",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newUpdateCommand(
+			test.NewFakeCli(&fakeClient{
+				nodeInspectFunc: tc.nodeInspectFunc,
+				nodeUpdateFunc:  tc.nodeUpdateFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNodeUpdate(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		flags           map[string]string
+		nodeInspectFunc func() (swarm.Node, []byte, error)
+		nodeUpdateFunc  func(nodeID string, version swarm.Version, node swarm.NodeSpec) error
+	}{
+		{
+			args: []string{"nodeID"},
+			flags: map[string]string{
+				"role": "manager",
+			},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(), []byte{}, nil
+			},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				if node.Role != swarm.NodeRoleManager {
+					return errors.Errorf("expected role manager, got %s", node.Role)
+				}
+				return nil
+			},
+		},
+		{
+			args: []string{"nodeID"},
+			flags: map[string]string{
+				"availability": "drain",
+			},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(), []byte{}, nil
+			},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				if node.Availability != swarm.NodeAvailabilityDrain {
+					return errors.Errorf("expected drain availability, got %s", node.Availability)
+				}
+				return nil
+			},
+		},
+		{
+			args: []string{"nodeID"},
+			flags: map[string]string{
+				"label-add": "lbl",
+			},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(), []byte{}, nil
+			},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				if _, present := node.Annotations.Labels["lbl"]; !present {
+					return errors.Errorf("expected 'lbl' label, got %v", node.Annotations.Labels)
+				}
+				return nil
+			},
+		},
+		{
+			args: []string{"nodeID"},
+			flags: map[string]string{
+				"label-add": "key=value",
+			},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(), []byte{}, nil
+			},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				if value, present := node.Annotations.Labels["key"]; !present || value != "value" {
+					return errors.Errorf("expected 'key' label to be 'value', got %v", node.Annotations.Labels)
+				}
+				return nil
+			},
+		},
+		{
+			args: []string{"nodeID"},
+			flags: map[string]string{
+				"label-rm": "key",
+			},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(NodeLabels(map[string]string{
+					"key": "value",
+				})), []byte{}, nil
+			},
+			nodeUpdateFunc: func(nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+				if len(node.Annotations.Labels) > 0 {
+					return errors.Errorf("expected no labels, got %v", node.Annotations.Labels)
+				}
+				return nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newUpdateCommand(
+			test.NewFakeCli(&fakeClient{
+				nodeInspectFunc: tc.nodeInspectFunc,
+				nodeUpdateFunc:  tc.nodeUpdateFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		assert.NilError(t, cmd.Execute())
+	}
+}
diff --git a/cli/cli/command/orchestrator.go b/cli/cli/command/orchestrator.go
new file mode 100644
index 00000000..5f3e4462
--- /dev/null
+++ b/cli/cli/command/orchestrator.go
@@ -0,0 +1,77 @@
+package command
+
+import (
+	"fmt"
+	"io"
+	"os"
+)
+
+// Orchestrator type acts as an enum describing supported orchestrators.
+type Orchestrator string
+
+const (
+	// OrchestratorKubernetes orchestrator
+	OrchestratorKubernetes = Orchestrator("kubernetes")
+	// OrchestratorSwarm orchestrator
+	OrchestratorSwarm = Orchestrator("swarm")
+	// OrchestratorAll orchestrator
+	OrchestratorAll   = Orchestrator("all")
+	orchestratorUnset = Orchestrator("unset")
+
+	defaultOrchestrator           = OrchestratorSwarm
+	envVarDockerStackOrchestrator = "DOCKER_STACK_ORCHESTRATOR"
+	envVarDockerOrchestrator      = "DOCKER_ORCHESTRATOR"
+)
+
+// HasKubernetes returns true if defined orchestrator has Kubernetes capabilities.
+func (o Orchestrator) HasKubernetes() bool {
+	return o == OrchestratorKubernetes || o == OrchestratorAll
+}
+
+// HasSwarm returns true if defined orchestrator has Swarm capabilities.
+func (o Orchestrator) HasSwarm() bool {
+	return o == OrchestratorSwarm || o == OrchestratorAll
+}
+
+// HasAll returns true if defined orchestrator has both Swarm and Kubernetes capabilities.
+func (o Orchestrator) HasAll() bool {
+	return o == OrchestratorAll
+}
+
+func normalize(value string) (Orchestrator, error) {
+	switch value {
+	case "kubernetes":
+		return OrchestratorKubernetes, nil
+	case "swarm":
+		return OrchestratorSwarm, nil
+	case "":
+		return orchestratorUnset, nil
+	case "all":
+		return OrchestratorAll, nil
+	default:
+		return defaultOrchestrator, fmt.Errorf("specified orchestrator %q is invalid, please use either kubernetes, swarm or all", value)
+	}
+}
+
+// GetStackOrchestrator checks DOCKER_STACK_ORCHESTRATOR environment variable and configuration file
+// orchestrator value and returns user defined Orchestrator.
+func GetStackOrchestrator(flagValue, value string, stderr io.Writer) (Orchestrator, error) {
+	// Check flag
+	if o, err := normalize(flagValue); o != orchestratorUnset {
+		return o, err
+	}
+	// Check environment variable
+	env := os.Getenv(envVarDockerStackOrchestrator)
+	if env == "" && os.Getenv(envVarDockerOrchestrator) != "" {
+		fmt.Fprintf(stderr, "WARNING: experimental environment variable %s is set. Please use %s instead\n", envVarDockerOrchestrator, envVarDockerStackOrchestrator)
+	}
+	if o, err := normalize(env); o != orchestratorUnset {
+		return o, err
+	}
+	// Check specified orchestrator
+	if o, err := normalize(value); o != orchestratorUnset {
+		return o, err
+	}
+	// Nothing set, use default orchestrator
+	return defaultOrchestrator, nil
+}
diff --git a/cli/cli/command/orchestrator_test.go b/cli/cli/command/orchestrator_test.go
new file mode 100644
index 00000000..322e8a91
--- /dev/null
+++ b/cli/cli/command/orchestrator_test.go
@@ -0,0 +1,118 @@
+package command
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	cliconfig "github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/flags"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/env"
+	"gotest.tools/fs"
+)
+
+func TestOrchestratorSwitch(t *testing.T) {
+	defaultVersion := "v0.00"
+
+	var testcases = []struct {
+		doc                  string
+		configfile           string
+		envOrchestrator      string
+		flagOrchestrator     string
+		expectedOrchestrator string
+		expectedKubernetes   bool
+		expectedSwarm        bool
+	}{
+		{
+			doc: "default",
+			configfile: `{
+			}`,
+			expectedOrchestrator: "swarm",
+			expectedKubernetes:   false,
+			expectedSwarm:        true,
+		},
+		{
+			doc: "kubernetesConfigFile",
+			configfile: `{
+				"stackOrchestrator": "kubernetes"
+			}`,
+			expectedOrchestrator: "kubernetes",
+			expectedKubernetes:   true,
+			expectedSwarm:        false,
+		},
+		{
+			doc: "kubernetesEnv",
+			configfile: `{
+			}`,
+			envOrchestrator:      "kubernetes",
+			expectedOrchestrator: "kubernetes",
+			expectedKubernetes:   true,
+			expectedSwarm:        false,
+		},
+		{
+			doc: "kubernetesFlag",
+			configfile: `{
+			}`,
+			flagOrchestrator:     "kubernetes",
+			expectedOrchestrator: "kubernetes",
+			expectedKubernetes:   true,
+			expectedSwarm:        false,
+		},
+		{
+			doc: "allOrchestratorFlag",
+			configfile: `{
+			}`,
+			flagOrchestrator:     "all",
+			expectedOrchestrator: "all",
+			expectedKubernetes:   true,
+			expectedSwarm:        true,
+		},
+		{
+			doc: "envOverridesConfigFile",
+			configfile: `{
+				"stackOrchestrator": "kubernetes"
+			}`,
+			envOrchestrator:      "swarm",
+			expectedOrchestrator: "swarm",
+			expectedKubernetes:   false,
+			expectedSwarm:        true,
+		},
+		{
+			doc: "flagOverridesEnv",
+			configfile: `{
+			}`,
+			envOrchestrator:      "kubernetes",
+			flagOrchestrator:     "swarm",
+			expectedOrchestrator: "swarm",
+			expectedKubernetes:   false,
+			expectedSwarm:        true,
+		},
+	}
+
+	for _, testcase := range testcases {
+		t.Run(testcase.doc, func(t *testing.T) {
+			dir := fs.NewDir(t, testcase.doc, fs.WithFile("config.json", testcase.configfile))
+			defer dir.Remove()
+			apiclient := &fakeClient{
+				version: defaultVersion,
+			}
+			if testcase.envOrchestrator != "" {
+				defer env.Patch(t, "DOCKER_STACK_ORCHESTRATOR", testcase.envOrchestrator)()
+			}
+
+			cli := &DockerCli{client: apiclient, err: os.Stderr}
+			cliconfig.SetDir(dir.Path())
+			options := flags.NewClientOptions()
+			err := cli.Initialize(options)
+			assert.NilError(t, err)
+
+			orchestrator, err := GetStackOrchestrator(testcase.flagOrchestrator, cli.ConfigFile().StackOrchestrator, ioutil.Discard)
+			assert.NilError(t, err)
+			assert.Check(t, is.Equal(testcase.expectedKubernetes, orchestrator.HasKubernetes()))
+			assert.Check(t, is.Equal(testcase.expectedSwarm, orchestrator.HasSwarm()))
+			assert.Check(t, is.Equal(testcase.expectedOrchestrator, string(orchestrator)))
+		})
+	}
+}
diff --git a/cli/cli/command/out.go b/cli/cli/command/out.go
new file mode 100644
index 00000000..89cc5d3a
--- /dev/null
+++ b/cli/cli/command/out.go
@@ -0,0 +1,50 @@
+package command
+
+import (
+	"io"
+	"os"
+
+	"github.com/docker/docker/pkg/term"
+	"github.com/sirupsen/logrus"
+)
+
+// OutStream is an output stream used by the DockerCli to write normal program
+// output.
+type OutStream struct {
+	CommonStream
+	out io.Writer
+}
+
+func (o *OutStream) Write(p []byte) (int, error) {
+	return o.out.Write(p)
+}
+
+// SetRawTerminal sets raw mode on the input terminal
+func (o *OutStream) SetRawTerminal() (err error) {
+	if os.Getenv("NORAW") != "" || !o.CommonStream.isTerminal {
+		return nil
+	}
+	o.CommonStream.state, err = term.SetRawTerminalOutput(o.CommonStream.fd)
+	return err
+}
+
+// GetTtySize returns the height and width in characters of the tty
+func (o *OutStream) GetTtySize() (uint, uint) {
+	if !o.isTerminal {
+		return 0, 0
+	}
+	ws, err := term.GetWinsize(o.fd)
+	if err != nil {
+		logrus.Debugf("Error getting size: %s", err)
+		if ws == nil {
+			return 0, 0
+		}
+	}
+	return uint(ws.Height), uint(ws.Width)
+}
+
+// NewOutStream returns a new OutStream object from a Writer
+func NewOutStream(out io.Writer) *OutStream {
+	fd, isTerminal := term.GetFdInfo(out)
+	return &OutStream{CommonStream: CommonStream{fd: fd, isTerminal: isTerminal}, out: out}
+}
diff --git a/cli/cli/command/plugin/client_test.go b/cli/cli/command/plugin/client_test.go
new file mode 100644
index 00000000..07b4a06e
--- /dev/null
+++ b/cli/cli/command/plugin/client_test.go
@@ -0,0 +1,45 @@
+package plugin
+
+import (
+	"context"
+	"io"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	pluginCreateFunc  func(createContext io.Reader, createOptions types.PluginCreateOptions) error
+	pluginDisableFunc func(name string, disableOptions types.PluginDisableOptions) error
+	pluginEnableFunc  func(name string, options types.PluginEnableOptions) error
+	pluginRemoveFunc  func(name string, options types.PluginRemoveOptions) error
+}
+
+func (c *fakeClient) PluginCreate(ctx context.Context, createContext io.Reader, createOptions types.PluginCreateOptions) error {
+	if c.pluginCreateFunc != nil {
+		return c.pluginCreateFunc(createContext, createOptions)
+	}
+	return nil
+}
+
+func (c *fakeClient) PluginEnable(ctx context.Context, name string, enableOptions types.PluginEnableOptions) error {
+	if c.pluginEnableFunc != nil {
+		return c.pluginEnableFunc(name, enableOptions)
+	}
+	return nil
+}
+
+func (c *fakeClient) PluginDisable(context context.Context, name string, disableOptions types.PluginDisableOptions) error {
+	if c.pluginDisableFunc != nil {
+		return c.pluginDisableFunc(name, disableOptions)
+	}
+	return nil
+}
+
+func (c *fakeClient) PluginRemove(context context.Context, name string, removeOptions types.PluginRemoveOptions) error {
+	if c.pluginRemoveFunc != nil {
+		return c.pluginRemoveFunc(name, removeOptions)
+	}
+	return nil
+}
diff --git a/cli/cli/command/plugin/cmd.go b/cli/cli/command/plugin/cmd.go
new file mode 100644
index 00000000..2e79ab1d
--- /dev/null
+++ b/cli/cli/command/plugin/cmd.go
@@ -0,0 +1,32 @@
+package plugin
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// NewPluginCommand returns a cobra command for `plugin` subcommands
+func NewPluginCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:         "plugin",
+		Short:       "Manage plugins",
+		Args:        cli.NoArgs,
+		RunE:        command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{"version": "1.25"},
+	}
+
+	cmd.AddCommand(
+		newDisableCommand(dockerCli),
+		newEnableCommand(dockerCli),
+		newInspectCommand(dockerCli),
+		newInstallCommand(dockerCli),
+		newListCommand(dockerCli),
+		newRemoveCommand(dockerCli),
+		newSetCommand(dockerCli),
+		newPushCommand(dockerCli),
+		newCreateCommand(dockerCli),
+		newUpgradeCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/plugin/create.go b/cli/cli/command/plugin/create.go
new file mode 100644
index 00000000..d6550eda
--- /dev/null
+++ b/cli/cli/command/plugin/create.go
@@ -0,0 +1,128 @@
+package plugin
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+// validateTag checks if the given repoName can be resolved.
+func validateTag(rawRepo string) error {
+	_, err := reference.ParseNormalizedNamed(rawRepo)
+
+	return err
+}
+
+// validateConfig ensures that a valid config.json is available in the given path
+func validateConfig(path string) error {
+	dt, err := os.Open(filepath.Join(path, "config.json"))
+	if err != nil {
+		return err
+	}
+
+	m := types.PluginConfig{}
+	err = json.NewDecoder(dt).Decode(&m)
+	dt.Close()
+
+	return err
+}
+
+// validateContextDir validates the given dir and returns abs path on success.
+func validateContextDir(contextDir string) (string, error) {
+	absContextDir, err := filepath.Abs(contextDir)
+	if err != nil {
+		return "", err
+	}
+	stat, err := os.Lstat(absContextDir)
+	if err != nil {
+		return "", err
+	}
+
+	if !stat.IsDir() {
+		return "", errors.Errorf("context must be a directory")
+	}
+
+	return absContextDir, nil
+}
+
+type pluginCreateOptions struct {
+	repoName string
+	context  string
+	compress bool
+}
+
+func newCreateCommand(dockerCli command.Cli) *cobra.Command {
+	options := pluginCreateOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "create [OPTIONS] PLUGIN PLUGIN-DATA-DIR",
+		Short: "Create a plugin from a rootfs and configuration. Plugin data directory must contain config.json and rootfs directory.",
+		Args:  cli.RequiresMinArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.repoName = args[0]
+			options.context = args[1]
+			return runCreate(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.BoolVar(&options.compress, "compress", false, "Compress the context using gzip")
+
+	return cmd
+}
+
+func runCreate(dockerCli command.Cli, options pluginCreateOptions) error {
+	var (
+		createCtx io.ReadCloser
+		err       error
+	)
+
+	if err := validateTag(options.repoName); err != nil {
+		return err
+	}
+
+	absContextDir, err := validateContextDir(options.context)
+	if err != nil {
+		return err
+	}
+
+	if err := validateConfig(options.context); err != nil {
+		return err
+	}
+
+	compression := archive.Uncompressed
+	if options.compress {
+		logrus.Debugf("compression enabled")
+		compression = archive.Gzip
+	}
+
+	createCtx, err = archive.TarWithOptions(absContextDir, &archive.TarOptions{
+		Compression: compression,
+	})
+
+	if err != nil {
+		return err
+	}
+
+	ctx := context.Background()
+
+	createOptions := types.PluginCreateOptions{RepoName: options.repoName}
+	if err = dockerCli.Client().PluginCreate(ctx, createCtx, createOptions); err != nil {
+		return err
+	}
+	fmt.Fprintln(dockerCli.Out(), options.repoName)
+	return nil
+}
diff --git a/cli/cli/command/plugin/create_test.go b/cli/cli/command/plugin/create_test.go
new file mode 100644
index 00000000..bef002c0
--- /dev/null
+++ b/cli/cli/command/plugin/create_test.go
@@ -0,0 +1,123 @@
+package plugin
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"runtime"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+func TestCreateErrors(t *testing.T) {
+	noSuchFile := "no such file or directory"
+	if runtime.GOOS == "windows" {
+		noSuchFile = "The system cannot find the file specified."
+	}
+	testCases := []struct {
+		args          []string
+		expectedError string
+	}{
+		{
+			args:          []string{},
+			expectedError: "requires at least 2 arguments",
+		},
+		{
+			args:          []string{"INVALID_TAG", "context-dir"},
+			expectedError: "invalid",
+		},
+		{
+			args:          []string{"plugin-foo", "nonexistent_context_dir"},
+			expectedError: noSuchFile,
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{})
+		cmd := newCreateCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestCreateErrorOnFileAsContextDir(t *testing.T) {
+	tmpFile := fs.NewFile(t, "file-as-context-dir")
+	defer tmpFile.Remove()
+
+	cli := test.NewFakeCli(&fakeClient{})
+	cmd := newCreateCommand(cli)
+	cmd.SetArgs([]string{"plugin-foo", tmpFile.Path()})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "context must be a directory")
+}
+
+func TestCreateErrorOnContextDirWithoutConfig(t *testing.T) {
+	tmpDir := fs.NewDir(t, "plugin-create-test")
+	defer tmpDir.Remove()
+
+	cli := test.NewFakeCli(&fakeClient{})
+	cmd := newCreateCommand(cli)
+	cmd.SetArgs([]string{"plugin-foo", tmpDir.Path()})
+	cmd.SetOutput(ioutil.Discard)
+
+	expectedErr := "config.json: no such file or directory"
+	if runtime.GOOS == "windows" {
+		expectedErr = "config.json: The system cannot find the file specified."
+	}
+	assert.ErrorContains(t, cmd.Execute(), expectedErr)
+}
+
+func TestCreateErrorOnInvalidConfig(t *testing.T) {
+	tmpDir := fs.NewDir(t, "plugin-create-test",
+		fs.WithDir("rootfs"),
+		fs.WithFile("config.json", "invalid-config-contents"))
+	defer tmpDir.Remove()
+
+	cli := test.NewFakeCli(&fakeClient{})
+	cmd := newCreateCommand(cli)
+	cmd.SetArgs([]string{"plugin-foo", tmpDir.Path()})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "invalid")
+}
+
+func TestCreateErrorFromDaemon(t *testing.T) {
+	tmpDir := fs.NewDir(t, "plugin-create-test",
+		fs.WithDir("rootfs"),
+		fs.WithFile("config.json", `{ "Name": "plugin-foo" }`))
+	defer tmpDir.Remove()
+
+	cli := test.NewFakeCli(&fakeClient{
+		pluginCreateFunc: func(createContext io.Reader, createOptions types.PluginCreateOptions) error {
+			return fmt.Errorf("Error creating plugin")
+		},
+	})
+
+	cmd := newCreateCommand(cli)
+	cmd.SetArgs([]string{"plugin-foo", tmpDir.Path()})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "Error creating plugin")
+}
+
+func TestCreatePlugin(t *testing.T) {
+	tmpDir := fs.NewDir(t, "plugin-create-test",
+		fs.WithDir("rootfs"),
+		fs.WithFile("config.json", `{ "Name": "plugin-foo" }`))
+	defer tmpDir.Remove()
+
+	cli := test.NewFakeCli(&fakeClient{
+		pluginCreateFunc: func(createContext io.Reader, createOptions types.PluginCreateOptions) error {
+			return nil
+		},
+	})
+
+	cmd := newCreateCommand(cli)
+	cmd.SetArgs([]string{"plugin-foo", tmpDir.Path()})
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("plugin-foo\n", cli.OutBuffer().String()))
+}
diff --git a/cli/cli/command/plugin/disable.go b/cli/cli/command/plugin/disable.go
new file mode 100644
index 00000000..014d86b2
--- /dev/null
+++ b/cli/cli/command/plugin/disable.go
@@ -0,0 +1,36 @@
+package plugin
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+func newDisableCommand(dockerCli command.Cli) *cobra.Command {
+	var force bool
+
+	cmd := &cobra.Command{
+		Use:   "disable [OPTIONS] PLUGIN",
+		Short: "Disable a plugin",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runDisable(dockerCli, args[0], force)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&force, "force", "f", false, "Force the disable of an active plugin")
+	return cmd
+}
+
+func runDisable(dockerCli command.Cli, name string, force bool) error {
+	if err := dockerCli.Client().PluginDisable(context.Background(), name, types.PluginDisableOptions{Force: force}); err != nil {
+		return err
+	}
+	fmt.Fprintln(dockerCli.Out(), name)
+	return nil
+}
diff --git a/cli/cli/command/plugin/disable_test.go b/cli/cli/command/plugin/disable_test.go
new file mode 100644
index 00000000..c9292965
--- /dev/null
+++ b/cli/cli/command/plugin/disable_test.go
@@ -0,0 +1,58 @@
+package plugin
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestPluginDisableErrors(t *testing.T) {
+	testCases := []struct {
+		args              []string
+		expectedError     string
+		pluginDisableFunc func(name string, disableOptions types.PluginDisableOptions) error
+	}{
+		{
+			args:          []string{},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args:          []string{"too", "many", "arguments"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args:          []string{"plugin-foo"},
+			expectedError: "Error disabling plugin",
+			pluginDisableFunc: func(name string, disableOptions types.PluginDisableOptions) error {
+				return fmt.Errorf("Error disabling plugin")
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newDisableCommand(
+			test.NewFakeCli(&fakeClient{
+				pluginDisableFunc: tc.pluginDisableFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestPluginDisable(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		pluginDisableFunc: func(name string, disableOptions types.PluginDisableOptions) error {
+			return nil
+		},
+	})
+	cmd := newDisableCommand(cli)
+	cmd.SetArgs([]string{"plugin-foo"})
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("plugin-foo\n", cli.OutBuffer().String()))
+}
diff --git a/cli/cli/command/plugin/enable.go b/cli/cli/command/plugin/enable.go
new file mode 100644
index 00000000..19df1e7b
--- /dev/null
+++ b/cli/cli/command/plugin/enable.go
@@ -0,0 +1,48 @@
+package plugin
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type enableOpts struct {
+	timeout int
+	name    string
+}
+
+func newEnableCommand(dockerCli command.Cli) *cobra.Command {
+	var opts enableOpts
+
+	cmd := &cobra.Command{
+		Use:   "enable [OPTIONS] PLUGIN",
+		Short: "Enable a plugin",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.name = args[0]
+			return runEnable(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.IntVar(&opts.timeout, "timeout", 30, "HTTP client timeout (in seconds)")
+	return cmd
+}
+
+func runEnable(dockerCli command.Cli, opts *enableOpts) error {
+	name := opts.name
+	if opts.timeout < 0 {
+		return errors.Errorf("negative timeout %d is invalid", opts.timeout)
+	}
+
+	if err := dockerCli.Client().PluginEnable(context.Background(), name, types.PluginEnableOptions{Timeout: opts.timeout}); err != nil {
+		return err
+	}
+	fmt.Fprintln(dockerCli.Out(), name)
+	return nil
+}
diff --git a/cli/cli/command/plugin/enable_test.go b/cli/cli/command/plugin/enable_test.go
new file mode 100644
index 00000000..933ff5de
--- /dev/null
+++ b/cli/cli/command/plugin/enable_test.go
@@ -0,0 +1,70 @@
+package plugin
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestPluginEnableErrors(t *testing.T) {
+	testCases := []struct {
+		args             []string
+		flags            map[string]string
+		pluginEnableFunc func(name string, options types.PluginEnableOptions) error
+		expectedError    string
+	}{
+		{
+			args:          []string{},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args:          []string{"too-many", "arguments"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args: []string{"plugin-foo"},
+			pluginEnableFunc: func(name string, options types.PluginEnableOptions) error {
+				return fmt.Errorf("failed to enable plugin")
+			},
+			expectedError: "failed to enable plugin",
+		},
+		{
+			args: []string{"plugin-foo"},
+			flags: map[string]string{
+				"timeout": "-1",
+			},
+			expectedError: "negative timeout -1 is invalid",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newEnableCommand(
+			test.NewFakeCli(&fakeClient{
+				pluginEnableFunc: tc.pluginEnableFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestPluginEnable(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		pluginEnableFunc: func(name string, options types.PluginEnableOptions) error {
+			return nil
+		},
+	})
+
+	cmd := newEnableCommand(cli)
+	cmd.SetArgs([]string{"plugin-foo"})
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("plugin-foo\n", cli.OutBuffer().String()))
+}
diff --git a/cli/cli/command/plugin/inspect.go b/cli/cli/command/plugin/inspect.go
new file mode 100644
index 00000000..9ce49eb9
--- /dev/null
+++ b/cli/cli/command/plugin/inspect.go
@@ -0,0 +1,43 @@
+package plugin
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	pluginNames []string
+	format      string
+}
+
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] PLUGIN [PLUGIN...]",
+		Short: "Display detailed information on one or more plugins",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.pluginNames = args
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+	getRef := func(ref string) (interface{}, []byte, error) {
+		return client.PluginInspectWithRaw(ctx, ref)
+	}
+
+	return inspect.Inspect(dockerCli.Out(), opts.pluginNames, opts.format, getRef)
+}
diff --git a/cli/cli/command/plugin/install.go b/cli/cli/command/plugin/install.go
new file mode 100644
index 00000000..44e007f6
--- /dev/null
+++ b/cli/cli/command/plugin/install.go
@@ -0,0 +1,174 @@
+package plugin
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/registry"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type pluginOptions struct {
+	remote          string
+	localName       string
+	grantPerms      bool
+	disable         bool
+	args            []string
+	skipRemoteCheck bool
+	untrusted       bool
+}
+
+func loadPullFlags(dockerCli command.Cli, opts *pluginOptions, flags *pflag.FlagSet) {
+	flags.BoolVar(&opts.grantPerms, "grant-all-permissions", false, "Grant all permissions necessary to run the plugin")
+	command.AddTrustVerificationFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
+}
+
+func newInstallCommand(dockerCli command.Cli) *cobra.Command {
+	var options pluginOptions
+	cmd := &cobra.Command{
+		Use:   "install [OPTIONS] PLUGIN [KEY=VALUE...]",
+		Short: "Install a plugin",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.remote = args[0]
+			if len(args) > 1 {
+				options.args = args[1:]
+			}
+			return runInstall(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+	loadPullFlags(dockerCli, &options, flags)
+	flags.BoolVar(&options.disable, "disable", false, "Do not enable the plugin on install")
+	flags.StringVar(&options.localName, "alias", "", "Local name for plugin")
+	return cmd
+}
+
+type pluginRegistryService struct {
+	registry.Service
+}
+
+func (s pluginRegistryService) ResolveRepository(name reference.Named) (*registry.RepositoryInfo, error) {
+	repoInfo, err := s.Service.ResolveRepository(name)
+	if repoInfo != nil {
+		repoInfo.Class = "plugin"
+	}
+	return repoInfo, err
+}
+
+func newRegistryService() (registry.Service, error) {
+	svc, err := registry.NewService(registry.ServiceOptions{V2Only: true})
+	if err != nil {
+		return nil, err
+	}
+	return pluginRegistryService{Service: svc}, nil
+}
+
+func buildPullConfig(ctx context.Context, dockerCli command.Cli, opts pluginOptions, cmdName string) (types.PluginInstallOptions, error) {
+	// Names with both tag and digest will be treated by the daemon
+	// as a pull by digest with a local name for the tag
+	// (if no local name is provided).
+	ref, err := reference.ParseNormalizedNamed(opts.remote)
+	if err != nil {
+		return types.PluginInstallOptions{}, err
+	}
+
+	repoInfo, err := registry.ParseRepositoryInfo(ref)
+	if err != nil {
+		return types.PluginInstallOptions{}, err
+	}
+
+	remote := ref.String()
+
+	_, isCanonical := ref.(reference.Canonical)
+	if !opts.untrusted && !isCanonical {
+		ref = reference.TagNameOnly(ref)
+		nt, ok := ref.(reference.NamedTagged)
+		if !ok {
+			return types.PluginInstallOptions{}, errors.Errorf("invalid name: %s", ref.String())
+		}
+
+		ctx := context.Background()
+		svc, err := newRegistryService()
+		if err != nil {
+			return types.PluginInstallOptions{}, err
+		}
+		trusted, err := image.TrustedReference(ctx, dockerCli, nt, svc)
+		if err != nil {
+			return types.PluginInstallOptions{}, err
+		}
+		remote = reference.FamiliarString(trusted)
+	}
+
+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)
+
+	encodedAuth, err := command.EncodeAuthToBase64(authConfig)
+	if err != nil {
+		return types.PluginInstallOptions{}, err
+	}
+	registryAuthFunc := command.RegistryAuthenticationPrivilegedFunc(dockerCli, repoInfo.Index, cmdName)
+
+	options := types.PluginInstallOptions{
+		RegistryAuth:          encodedAuth,
+		RemoteRef:             remote,
+		Disabled:              opts.disable,
+		AcceptAllPermissions:  opts.grantPerms,
+		AcceptPermissionsFunc: acceptPrivileges(dockerCli, opts.remote),
+		PrivilegeFunc:         registryAuthFunc,
+		Args:                  opts.args,
+	}
+	return options, nil
+}
+
+func runInstall(dockerCli command.Cli, opts pluginOptions) error {
+	var localName string
+	if opts.localName != "" {
+		aref, err := reference.ParseNormalizedNamed(opts.localName)
+		if err != nil {
+			return err
+		}
+		if _, ok := aref.(reference.Canonical); ok {
+			return errors.Errorf("invalid name: %s", opts.localName)
+		}
+		localName = reference.FamiliarString(reference.TagNameOnly(aref))
+	}
+
+	ctx := context.Background()
+	options, err := buildPullConfig(ctx, dockerCli, opts, "plugin install")
+	if err != nil {
+		return err
+	}
+	responseBody, err := dockerCli.Client().PluginInstall(ctx, localName, options)
+	if err != nil {
+		if strings.Contains(err.Error(), "(image) when fetching") {
+			return errors.New(err.Error() + " - Use `docker image pull`")
+		}
+		return err
+	}
+	defer responseBody.Close()
+	if err := jsonmessage.DisplayJSONMessagesToStream(responseBody, dockerCli.Out(), nil); err != nil {
+		return err
+	}
+	fmt.Fprintf(dockerCli.Out(), "Installed plugin %s\n", opts.remote) // todo: return proper values from the API for this result
+	return nil
+}
+
+func acceptPrivileges(dockerCli command.Cli, name string) func(privileges types.PluginPrivileges) (bool, error) {
+	return func(privileges types.PluginPrivileges) (bool, error) {
+		fmt.Fprintf(dockerCli.Out(), "Plugin %q is requesting the following privileges:\n", name)
+		for _, privilege := range privileges {
+			fmt.Fprintf(dockerCli.Out(), " - %s: %v\n", privilege.Name, privilege.Value)
+		}
+		return command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), "Do you grant the above permissions?"), nil
+	}
+}
diff --git a/cli/cli/command/plugin/list.go b/cli/cli/command/plugin/list.go
new file mode 100644
index 00000000..efbb0ffe
--- /dev/null
+++ b/cli/cli/command/plugin/list.go
@@ -0,0 +1,64 @@
+package plugin
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/opts"
+	"github.com/spf13/cobra"
+)
+
+type listOptions struct {
+	quiet   bool
+	noTrunc bool
+	format  string
+	filter  opts.FilterOpt
+}
+
+func newListCommand(dockerCli command.Cli) *cobra.Command {
+	options := listOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS]",
+		Short:   "List plugins",
+		Aliases: []string{"list"},
+		Args:    cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runList(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display plugin IDs")
+	flags.BoolVar(&options.noTrunc, "no-trunc", false, "Don't truncate output")
+	flags.StringVar(&options.format, "format", "", "Pretty-print plugins using a Go template")
+	flags.VarP(&options.filter, "filter", "f", "Provide filter values (e.g. 'enabled=true')")
+
+	return cmd
+}
+
+func runList(dockerCli command.Cli, options listOptions) error {
+	plugins, err := dockerCli.Client().PluginList(context.Background(), options.filter.Value())
+	if err != nil {
+		return err
+	}
+
+	format := options.format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().PluginsFormat) > 0 && !options.quiet {
+			format = dockerCli.ConfigFile().PluginsFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+
+	pluginsCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewPluginFormat(format, options.quiet),
+		Trunc:  !options.noTrunc,
+	}
+	return formatter.PluginWrite(pluginsCtx, plugins)
+}
diff --git a/cli/cli/command/plugin/push.go b/cli/cli/command/plugin/push.go
new file mode 100644
index 00000000..7df5a89d
--- /dev/null
+++ b/cli/cli/command/plugin/push.go
@@ -0,0 +1,76 @@
+package plugin
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/registry"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type pushOptions struct {
+	name      string
+	untrusted bool
+}
+
+func newPushCommand(dockerCli command.Cli) *cobra.Command {
+	var opts pushOptions
+	cmd := &cobra.Command{
+		Use:   "push [OPTIONS] PLUGIN[:TAG]",
+		Short: "Push a plugin to a registry",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.name = args[0]
+			return runPush(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	command.AddTrustSigningFlags(flags, &opts.untrusted, dockerCli.ContentTrustEnabled())
+
+	return cmd
+}
+
+func runPush(dockerCli command.Cli, opts pushOptions) error {
+	named, err := reference.ParseNormalizedNamed(opts.name)
+	if err != nil {
+		return err
+	}
+	if _, ok := named.(reference.Canonical); ok {
+		return errors.Errorf("invalid name: %s", opts.name)
+	}
+
+	named = reference.TagNameOnly(named)
+
+	ctx := context.Background()
+
+	repoInfo, err := registry.ParseRepositoryInfo(named)
+	if err != nil {
+		return err
+	}
+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, repoInfo.Index)
+
+	encodedAuth, err := command.EncodeAuthToBase64(authConfig)
+	if err != nil {
+		return err
+	}
+
+	responseBody, err := dockerCli.Client().PluginPush(ctx, reference.FamiliarString(named), encodedAuth)
+	if err != nil {
+		return err
+	}
+	defer responseBody.Close()
+
+	if !opts.untrusted {
+		repoInfo.Class = "plugin"
+		return image.PushTrustedReference(dockerCli, repoInfo, named, authConfig, responseBody)
+	}
+
+	return jsonmessage.DisplayJSONMessagesToStream(responseBody, dockerCli.Out(), nil)
+}
diff --git a/cli/cli/command/plugin/remove.go b/cli/cli/command/plugin/remove.go
new file mode 100644
index 00000000..a2092bd7
--- /dev/null
+++ b/cli/cli/command/plugin/remove.go
@@ -0,0 +1,54 @@
+package plugin
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+type rmOptions struct {
+	force bool
+
+	plugins []string
+}
+
+func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	var opts rmOptions
+
+	cmd := &cobra.Command{
+		Use:     "rm [OPTIONS] PLUGIN [PLUGIN...]",
+		Short:   "Remove one or more plugins",
+		Aliases: []string{"remove"},
+		Args:    cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.plugins = args
+			return runRemove(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.force, "force", "f", false, "Force the removal of an active plugin")
+	return cmd
+}
+
+func runRemove(dockerCli command.Cli, opts *rmOptions) error {
+	ctx := context.Background()
+
+	var errs cli.Errors
+	for _, name := range opts.plugins {
+		if err := dockerCli.Client().PluginRemove(ctx, name, types.PluginRemoveOptions{Force: opts.force}); err != nil {
+			errs = append(errs, err)
+			continue
+		}
+		fmt.Fprintln(dockerCli.Out(), name)
+	}
+	// Do not simplify to `return errs` because even if errs == nil, it is not a nil-error interface value.
+	if errs != nil {
+		return errs
+	}
+	return nil
+}
diff --git a/cli/cli/command/plugin/remove_test.go b/cli/cli/command/plugin/remove_test.go
new file mode 100644
index 00000000..4cfec433
--- /dev/null
+++ b/cli/cli/command/plugin/remove_test.go
@@ -0,0 +1,71 @@
+package plugin
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestRemoveErrors(t *testing.T) {
+
+	testCases := []struct {
+		args             []string
+		pluginRemoveFunc func(name string, options types.PluginRemoveOptions) error
+		expectedError    string
+	}{
+		{
+			args:          []string{},
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			args: []string{"plugin-foo"},
+			pluginRemoveFunc: func(name string, options types.PluginRemoveOptions) error {
+				return fmt.Errorf("Error removing plugin")
+			},
+			expectedError: "Error removing plugin",
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			pluginRemoveFunc: tc.pluginRemoveFunc,
+		})
+		cmd := newRemoveCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestRemove(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		pluginRemoveFunc: func(name string, options types.PluginRemoveOptions) error {
+			return nil
+		},
+	})
+	cmd := newRemoveCommand(cli)
+	cmd.SetArgs([]string{"plugin-foo"})
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("plugin-foo\n", cli.OutBuffer().String()))
+}
+
+func TestRemoveWithForceOption(t *testing.T) {
+	force := false
+	cli := test.NewFakeCli(&fakeClient{
+		pluginRemoveFunc: func(name string, options types.PluginRemoveOptions) error {
+			force = options.Force
+			return nil
+		},
+	})
+	cmd := newRemoveCommand(cli)
+	cmd.SetArgs([]string{"plugin-foo"})
+	cmd.Flags().Set("force", "true")
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, force)
+	assert.Check(t, is.Equal("plugin-foo\n", cli.OutBuffer().String()))
+}
diff --git a/cli/cli/command/plugin/set.go b/cli/cli/command/plugin/set.go
new file mode 100644
index 00000000..724fdebf
--- /dev/null
+++ b/cli/cli/command/plugin/set.go
@@ -0,0 +1,22 @@
+package plugin
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+func newSetCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "set PLUGIN KEY=VALUE [KEY=VALUE...]",
+		Short: "Change settings for a plugin",
+		Args:  cli.RequiresMinArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return dockerCli.Client().PluginSet(context.Background(), args[0], args[1:])
+		},
+	}
+
+	return cmd
+}
diff --git a/cli/cli/command/plugin/upgrade.go b/cli/cli/command/plugin/upgrade.go
new file mode 100644
index 00000000..f5afb509
--- /dev/null
+++ b/cli/cli/command/plugin/upgrade.go
@@ -0,0 +1,90 @@
+package plugin
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+func newUpgradeCommand(dockerCli command.Cli) *cobra.Command {
+	var options pluginOptions
+	cmd := &cobra.Command{
+		Use:   "upgrade [OPTIONS] PLUGIN [REMOTE]",
+		Short: "Upgrade an existing plugin",
+		Args:  cli.RequiresRangeArgs(1, 2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.localName = args[0]
+			if len(args) == 2 {
+				options.remote = args[1]
+			}
+			return runUpgrade(dockerCli, options)
+		},
+		Annotations: map[string]string{"version": "1.26"},
+	}
+
+	flags := cmd.Flags()
+	loadPullFlags(dockerCli, &options, flags)
+	flags.BoolVar(&options.skipRemoteCheck, "skip-remote-check", false, "Do not check if specified remote plugin matches existing plugin image")
+	return cmd
+}
+
+func runUpgrade(dockerCli command.Cli, opts pluginOptions) error {
+	ctx := context.Background()
+	p, _, err := dockerCli.Client().PluginInspectWithRaw(ctx, opts.localName)
+	if err != nil {
+		return errors.Errorf("error reading plugin data: %v", err)
+	}
+
+	if p.Enabled {
+		return errors.Errorf("the plugin must be disabled before upgrading")
+	}
+
+	opts.localName = p.Name
+	if opts.remote == "" {
+		opts.remote = p.PluginReference
+	}
+	remote, err := reference.ParseNormalizedNamed(opts.remote)
+	if err != nil {
+		return errors.Wrap(err, "error parsing remote upgrade image reference")
+	}
+	remote = reference.TagNameOnly(remote)
+
+	old, err := reference.ParseNormalizedNamed(p.PluginReference)
+	if err != nil {
+		return errors.Wrap(err, "error parsing current image reference")
+	}
+	old = reference.TagNameOnly(old)
+
+	fmt.Fprintf(dockerCli.Out(), "Upgrading plugin %s from %s to %s\n", p.Name, reference.FamiliarString(old), reference.FamiliarString(remote))
+	if !opts.skipRemoteCheck && remote.String() != old.String() {
+		if !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), "Plugin images do not match, are you sure?") {
+			return errors.New("canceling upgrade request")
+		}
+	}
+
+	options, err := buildPullConfig(ctx, dockerCli, opts, "plugin upgrade")
+	if err != nil {
+		return err
+	}
+
+	responseBody, err := dockerCli.Client().PluginUpgrade(ctx, opts.localName, options)
+	if err != nil {
+		if strings.Contains(err.Error(), "target is image") {
+			return errors.New(err.Error() + " - Use `docker image pull`")
+		}
+		return err
+	}
+	defer responseBody.Close()
+	if err := jsonmessage.DisplayJSONMessagesToStream(responseBody, dockerCli.Out(), nil); err != nil {
+		return err
+	}
+	fmt.Fprintf(dockerCli.Out(), "Upgraded plugin %s to %s\n", opts.localName, opts.remote) // todo: return proper values from the API for this result
+	return nil
+}
diff --git a/cli/cli/command/registry.go b/cli/cli/command/registry.go
new file mode 100644
index 00000000..084d2b60
--- /dev/null
+++ b/cli/cli/command/registry.go
@@ -0,0 +1,199 @@
+package command
+
+import (
+	"bufio"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"runtime"
+	"strings"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/pkg/term"
+	"github.com/docker/docker/registry"
+	"github.com/pkg/errors"
+)
+
+// ElectAuthServer returns the default registry to use (by asking the daemon)
+func ElectAuthServer(ctx context.Context, cli Cli) string {
+	// The daemon `/info` endpoint informs us of the default registry being
+	// used. This is essential in cross-platforms environment, where for
+	// example a Linux client might be interacting with a Windows daemon, hence
+	// the default registry URL might be Windows specific.
+	serverAddress := registry.IndexServer
+	if info, err := cli.Client().Info(ctx); err != nil {
+		fmt.Fprintf(cli.Err(), "Warning: failed to get default registry endpoint from daemon (%v). Using system default: %s\n", err, serverAddress)
+	} else if info.IndexServerAddress == "" {
+		fmt.Fprintf(cli.Err(), "Warning: Empty registry endpoint from daemon. Using system default: %s\n", serverAddress)
+	} else {
+		serverAddress = info.IndexServerAddress
+	}
+	return serverAddress
+}
+
+// EncodeAuthToBase64 serializes the auth configuration as JSON base64 payload
+func EncodeAuthToBase64(authConfig types.AuthConfig) (string, error) {
+	buf, err := json.Marshal(authConfig)
+	if err != nil {
+		return "", err
+	}
+	return base64.URLEncoding.EncodeToString(buf), nil
+}
+
+// RegistryAuthenticationPrivilegedFunc returns a RequestPrivilegeFunc from the specified registry index info
+// for the given command.
+func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInfo, cmdName string) types.RequestPrivilegeFunc {
+	return func() (string, error) {
+		fmt.Fprintf(cli.Out(), "\nPlease login prior to %s:\n", cmdName)
+		indexServer := registry.GetAuthConfigKey(index)
+		isDefaultRegistry := indexServer == ElectAuthServer(context.Background(), cli)
+		authConfig, err := GetDefaultAuthConfig(cli, true, indexServer, isDefaultRegistry)
+		if err != nil {
+			fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err)
+		}
+		err = ConfigureAuth(cli, "", "", authConfig, isDefaultRegistry)
+		if err != nil {
+			return "", err
+		}
+		return EncodeAuthToBase64(*authConfig)
+	}
+}
+
+// ResolveAuthConfig is like registry.ResolveAuthConfig, but if using the
+// default index, it uses the default index name for the daemon's platform,
+// not the client's platform.
+func ResolveAuthConfig(ctx context.Context, cli Cli, index *registrytypes.IndexInfo) types.AuthConfig {
+	configKey := index.Name
+	if index.Official {
+		configKey = ElectAuthServer(ctx, cli)
+	}
+
+	a, _ := cli.ConfigFile().GetAuthConfig(configKey)
+	return a
+}
+
+// GetDefaultAuthConfig gets the default auth config given a serverAddress
+// If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it
+func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (*types.AuthConfig, error) {
+	if !isDefaultRegistry {
+		serverAddress = registry.ConvertToHostname(serverAddress)
+	}
+	var authconfig types.AuthConfig
+	var err error
+	if checkCredStore {
+		authconfig, err = cli.ConfigFile().GetAuthConfig(serverAddress)
+	} else {
+		authconfig = types.AuthConfig{}
+	}
+	authconfig.ServerAddress = serverAddress
+	authconfig.IdentityToken = ""
+	return &authconfig, err
+}
+
+// ConfigureAuth handles prompting of user's username and password if needed
+func ConfigureAuth(cli Cli, flUser, flPassword string, authconfig *types.AuthConfig, isDefaultRegistry bool) error {
+	// On Windows, force the use of the regular OS stdin stream. Fixes #14336/#14210
+	if runtime.GOOS == "windows" {
+		cli.SetIn(NewInStream(os.Stdin))
+	}
+
+	// Some links documenting this:
+	// - https://code.google.com/archive/p/mintty/issues/56
+	// - https://github.com/docker/docker/issues/15272
+	// - https://mintty.github.io/ (compatibility)
+	// Linux will hit this if you attempt `cat | docker login`, and Windows
+	// will hit this if you attempt docker login from mintty where stdin
+	// is a pipe, not a character based console.
+	if flPassword == "" && !cli.In().IsTerminal() {
+		return errors.Errorf("Error: Cannot perform an interactive login from a non TTY device")
+	}
+
+	authconfig.Username = strings.TrimSpace(authconfig.Username)
+
+	if flUser = strings.TrimSpace(flUser); flUser == "" {
+		if isDefaultRegistry {
+			// if this is a default registry (docker hub), then display the following message.
+			fmt.Fprintln(cli.Out(), "Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.")
+		}
+		promptWithDefault(cli.Out(), "Username", authconfig.Username)
+		flUser = readInput(cli.In(), cli.Out())
+		flUser = strings.TrimSpace(flUser)
+		if flUser == "" {
+			flUser = authconfig.Username
+		}
+	}
+	if flUser == "" {
+		return errors.Errorf("Error: Non-null Username Required")
+	}
+	if flPassword == "" {
+		oldState, err := term.SaveState(cli.In().FD())
+		if err != nil {
+			return err
+		}
+		fmt.Fprintf(cli.Out(), "Password: ")
+		term.DisableEcho(cli.In().FD(), oldState)
+
+		flPassword = readInput(cli.In(), cli.Out())
+		fmt.Fprint(cli.Out(), "\n")
+
+		term.RestoreTerminal(cli.In().FD(), oldState)
+		if flPassword == "" {
+			return errors.Errorf("Error: Password Required")
+		}
+	}
+
+	authconfig.Username = flUser
+	authconfig.Password = flPassword
+
+	return nil
+}
+
+func readInput(in io.Reader, out io.Writer) string {
+	reader := bufio.NewReader(in)
+	line, _, err := reader.ReadLine()
+	if err != nil {
+		fmt.Fprintln(out, err.Error())
+		os.Exit(1)
+	}
+	return string(line)
+}
+
+func promptWithDefault(out io.Writer, prompt string, configDefault string) {
+	if configDefault == "" {
+		fmt.Fprintf(out, "%s: ", prompt)
+	} else {
+		fmt.Fprintf(out, "%s (%s): ", prompt, configDefault)
+	}
+}
+
+// RetrieveAuthTokenFromImage retrieves an encoded auth token given a complete image
+func RetrieveAuthTokenFromImage(ctx context.Context, cli Cli, image string) (string, error) {
+	// Retrieve encoded auth token from the image reference
+	authConfig, err := resolveAuthConfigFromImage(ctx, cli, image)
+	if err != nil {
+		return "", err
+	}
+	encodedAuth, err := EncodeAuthToBase64(authConfig)
+	if err != nil {
+		return "", err
+	}
+	return encodedAuth, nil
+}
+
+// resolveAuthConfigFromImage retrieves that AuthConfig using the image string
+func resolveAuthConfigFromImage(ctx context.Context, cli Cli, image string) (types.AuthConfig, error) {
+	registryRef, err := reference.ParseNormalizedNamed(image)
+	if err != nil {
+		return types.AuthConfig{}, err
+	}
+	repoInfo, err := registry.ParseRepositoryInfo(registryRef)
+	if err != nil {
+		return types.AuthConfig{}, err
+	}
+	return ResolveAuthConfig(ctx, cli, repoInfo.Index), nil
+}
diff --git a/cli/cli/command/registry/login.go b/cli/cli/command/registry/login.go
new file mode 100644
index 00000000..7d5328d1
--- /dev/null
+++ b/cli/cli/command/registry/login.go
@@ -0,0 +1,169 @@
+package registry
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/registry"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+const unencryptedWarning = `WARNING! Your password will be stored unencrypted in %s.
+Configure a credential helper to remove this warning. See
+https://docs.docker.com/engine/reference/commandline/login/#credentials-store
+`
+
+type loginOptions struct {
+	serverAddress string
+	user          string
+	password      string
+	passwordStdin bool
+}
+
+// NewLoginCommand creates a new `docker login` command
+func NewLoginCommand(dockerCli command.Cli) *cobra.Command {
+	var opts loginOptions
+
+	cmd := &cobra.Command{
+		Use:   "login [OPTIONS] [SERVER]",
+		Short: "Log in to a Docker registry",
+		Long:  "Log in to a Docker registry.\nIf no server is specified, the default is defined by the daemon.",
+		Args:  cli.RequiresMaxArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				opts.serverAddress = args[0]
+			}
+			return runLogin(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.StringVarP(&opts.user, "username", "u", "", "Username")
+	flags.StringVarP(&opts.password, "password", "p", "", "Password")
+	flags.BoolVarP(&opts.passwordStdin, "password-stdin", "", false, "Take the password from stdin")
+
+	return cmd
+}
+
+// displayUnencryptedWarning warns the user when using an insecure credential storage.
+// After a deprecation period, user will get prompted if stdin and stderr are a terminal.
+// Otherwise, we'll assume they want it (sadly), because people may have been scripting
+// insecure logins and we don't want to break them. Maybe they'll see the warning in their
+// logs and fix things.
+func displayUnencryptedWarning(dockerCli command.Streams, filename string) error {
+	_, err := fmt.Fprintln(dockerCli.Err(), fmt.Sprintf(unencryptedWarning, filename))
+
+	return err
+}
+
+type isFileStore interface {
+	IsFileStore() bool
+	GetFilename() string
+}
+
+func verifyloginOptions(dockerCli command.Cli, opts *loginOptions) error {
+	if opts.password != "" {
+		fmt.Fprintln(dockerCli.Err(), "WARNING! Using --password via the CLI is insecure. Use --password-stdin.")
+		if opts.passwordStdin {
+			return errors.New("--password and --password-stdin are mutually exclusive")
+		}
+	}
+
+	if opts.passwordStdin {
+		if opts.user == "" {
+			return errors.New("Must provide --username with --password-stdin")
+		}
+
+		contents, err := ioutil.ReadAll(dockerCli.In())
+		if err != nil {
+			return err
+		}
+
+		opts.password = strings.TrimSuffix(string(contents), "\n")
+		opts.password = strings.TrimSuffix(opts.password, "\r")
+	}
+	return nil
+}
+
+func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocyclo
+	ctx := context.Background()
+	clnt := dockerCli.Client()
+	if err := verifyloginOptions(dockerCli, &opts); err != nil {
+		return err
+	}
+	var (
+		serverAddress string
+		authServer    = command.ElectAuthServer(ctx, dockerCli)
+	)
+	if opts.serverAddress != "" && opts.serverAddress != registry.DefaultNamespace {
+		serverAddress = opts.serverAddress
+	} else {
+		serverAddress = authServer
+	}
+
+	var err error
+	var authConfig *types.AuthConfig
+	var response registrytypes.AuthenticateOKBody
+	isDefaultRegistry := serverAddress == authServer
+	authConfig, err = command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
+	if err == nil && authConfig.Username != "" && authConfig.Password != "" {
+		response, err = loginWithCredStoreCreds(ctx, dockerCli, authConfig)
+	}
+	if err != nil || authConfig.Username == "" || authConfig.Password == "" {
+		err = command.ConfigureAuth(dockerCli, opts.user, opts.password, authConfig, isDefaultRegistry)
+		if err != nil {
+			return err
+		}
+
+		response, err = clnt.RegistryLogin(ctx, *authConfig)
+		if err != nil {
+			return err
+		}
+	}
+	if response.IdentityToken != "" {
+		authConfig.Password = ""
+		authConfig.IdentityToken = response.IdentityToken
+	}
+
+	creds := dockerCli.ConfigFile().GetCredentialsStore(serverAddress)
+
+	store, isDefault := creds.(isFileStore)
+	if isDefault {
+		err = displayUnencryptedWarning(dockerCli, store.GetFilename())
+		if err != nil {
+			return err
+		}
+	}
+
+	if err := creds.Store(*authConfig); err != nil {
+		return errors.Errorf("Error saving credentials: %v", err)
+	}
+
+	if response.Status != "" {
+		fmt.Fprintln(dockerCli.Out(), response.Status)
+	}
+	return nil
+}
+
+func loginWithCredStoreCreds(ctx context.Context, dockerCli command.Cli, authConfig *types.AuthConfig) (registrytypes.AuthenticateOKBody, error) {
+	fmt.Fprintf(dockerCli.Out(), "Authenticating with existing credentials...\n")
+	cliClient := dockerCli.Client()
+	response, err := cliClient.RegistryLogin(ctx, *authConfig)
+	if err != nil {
+		if client.IsErrUnauthorized(err) {
+			fmt.Fprintf(dockerCli.Err(), "Stored credentials invalid or expired\n")
+		} else {
+			fmt.Fprintf(dockerCli.Err(), "Login did not succeed, error: %s\n", err)
+		}
+	}
+	return response, err
+}
diff --git a/cli/cli/command/registry/login_test.go b/cli/cli/command/registry/login_test.go
new file mode 100644
index 00000000..7e774941
--- /dev/null
+++ b/cli/cli/command/registry/login_test.go
@@ -0,0 +1,157 @@
+package registry
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/client"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+const userErr = "userunknownError"
+const testAuthErrMsg = "UNKNOWN_ERR"
+
+var testAuthErrors = map[string]error{
+	userErr: fmt.Errorf(testAuthErrMsg),
+}
+
+var expiredPassword = "I_M_EXPIRED"
+
+type fakeClient struct {
+	client.Client
+}
+
+// nolint: unparam
+func (c fakeClient) RegistryLogin(ctx context.Context, auth types.AuthConfig) (registrytypes.AuthenticateOKBody, error) {
+	if auth.Password == expiredPassword {
+		return registrytypes.AuthenticateOKBody{}, fmt.Errorf("Invalid Username or Password")
+	}
+	err := testAuthErrors[auth.Username]
+	return registrytypes.AuthenticateOKBody{}, err
+}
+
+func TestLoginWithCredStoreCreds(t *testing.T) {
+	testCases := []struct {
+		inputAuthConfig types.AuthConfig
+		expectedMsg     string
+		expectedErr     string
+	}{
+		{
+			inputAuthConfig: types.AuthConfig{},
+			expectedMsg:     "Authenticating with existing credentials...\n",
+		},
+		{
+			inputAuthConfig: types.AuthConfig{
+				Username: userErr,
+			},
+			expectedMsg: "Authenticating with existing credentials...\n",
+			expectedErr: fmt.Sprintf("Login did not succeed, error: %s\n", testAuthErrMsg),
+		},
+		// can't easily test the 401 case because client.IsErrUnauthorized(err) involving
+		// creating an error of a private type
+	}
+	ctx := context.Background()
+	for _, tc := range testCases {
+		cli := (*test.FakeCli)(test.NewFakeCli(&fakeClient{}))
+		errBuf := new(bytes.Buffer)
+		cli.SetErr(errBuf)
+		loginWithCredStoreCreds(ctx, cli, &tc.inputAuthConfig)
+		outputString := cli.OutBuffer().String()
+		assert.Check(t, is.Equal(tc.expectedMsg, outputString))
+		errorString := errBuf.String()
+		assert.Check(t, is.Equal(tc.expectedErr, errorString))
+	}
+}
+
+func TestRunLogin(t *testing.T) {
+	const storedServerAddress = "reg1"
+	const validUsername = "u1"
+	const validPassword = "p1"
+	const validPassword2 = "p2"
+
+	validAuthConfig := types.AuthConfig{
+		ServerAddress: storedServerAddress,
+		Username:      validUsername,
+		Password:      validPassword,
+	}
+	expiredAuthConfig := types.AuthConfig{
+		ServerAddress: storedServerAddress,
+		Username:      validUsername,
+		Password:      expiredPassword,
+	}
+	testCases := []struct {
+		inputLoginOption  loginOptions
+		inputStoredCred   *types.AuthConfig
+		expectedErr       string
+		expectedSavedCred types.AuthConfig
+	}{
+		{
+			inputLoginOption: loginOptions{
+				serverAddress: storedServerAddress,
+			},
+			inputStoredCred:   &validAuthConfig,
+			expectedErr:       "",
+			expectedSavedCred: validAuthConfig,
+		},
+		{
+			inputLoginOption: loginOptions{
+				serverAddress: storedServerAddress,
+			},
+			inputStoredCred: &expiredAuthConfig,
+			expectedErr:     "Error: Cannot perform an interactive login from a non TTY device",
+		},
+		{
+			inputLoginOption: loginOptions{
+				serverAddress: storedServerAddress,
+				user:          validUsername,
+				password:      validPassword2,
+			},
+			inputStoredCred: &validAuthConfig,
+			expectedErr:     "",
+			expectedSavedCred: types.AuthConfig{
+				ServerAddress: storedServerAddress,
+				Username:      validUsername,
+				Password:      validPassword2,
+			},
+		},
+		{
+			inputLoginOption: loginOptions{
+				serverAddress: storedServerAddress,
+				user:          userErr,
+				password:      validPassword,
+			},
+			inputStoredCred: &validAuthConfig,
+			expectedErr:     testAuthErrMsg,
+		},
+	}
+	for i, tc := range testCases {
+		t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {
+			tmpFile := fs.NewFile(t, "test-run-login")
+			defer tmpFile.Remove()
+			cli := test.NewFakeCli(&fakeClient{})
+			configfile := cli.ConfigFile()
+			configfile.Filename = tmpFile.Path()
+
+			if tc.inputStoredCred != nil {
+				cred := *tc.inputStoredCred
+				configfile.GetCredentialsStore(cred.ServerAddress).Store(cred)
+			}
+			loginErr := runLogin(cli, tc.inputLoginOption)
+			if tc.expectedErr != "" {
+				assert.Error(t, loginErr, tc.expectedErr)
+				return
+			}
+			assert.NilError(t, loginErr)
+			savedCred, credStoreErr := configfile.GetCredentialsStore(tc.inputStoredCred.ServerAddress).Get(tc.inputStoredCred.ServerAddress)
+			assert.Check(t, credStoreErr)
+			assert.DeepEqual(t, tc.expectedSavedCred, savedCred)
+		})
+	}
+}
diff --git a/cli/cli/command/registry/logout.go b/cli/cli/command/registry/logout.go
new file mode 100644
index 00000000..ac84139f
--- /dev/null
+++ b/cli/cli/command/registry/logout.go
@@ -0,0 +1,76 @@
+package registry
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/registry"
+	"github.com/spf13/cobra"
+)
+
+// NewLogoutCommand creates a new `docker logout` command
+func NewLogoutCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "logout [SERVER]",
+		Short: "Log out from a Docker registry",
+		Long:  "Log out from a Docker registry.\nIf no server is specified, the default is defined by the daemon.",
+		Args:  cli.RequiresMaxArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var serverAddress string
+			if len(args) > 0 {
+				serverAddress = args[0]
+			}
+			return runLogout(dockerCli, serverAddress)
+		},
+	}
+
+	return cmd
+}
+
+func runLogout(dockerCli command.Cli, serverAddress string) error {
+	ctx := context.Background()
+	var isDefaultRegistry bool
+
+	if serverAddress == "" {
+		serverAddress = command.ElectAuthServer(ctx, dockerCli)
+		isDefaultRegistry = true
+	}
+
+	var (
+		loggedIn        bool
+		regsToLogout    []string
+		hostnameAddress = serverAddress
+		regsToTry       = []string{serverAddress}
+	)
+	if !isDefaultRegistry {
+		hostnameAddress = registry.ConvertToHostname(serverAddress)
+		// the tries below are kept for backward compatibility where a user could have
+		// saved the registry in one of the following format.
+		regsToTry = append(regsToTry, hostnameAddress, "http://"+hostnameAddress, "https://"+hostnameAddress)
+	}
+
+	// check if we're logged in based on the records in the config file
+	// which means it couldn't have user/pass cause they may be in the creds store
+	for _, s := range regsToTry {
+		if _, ok := dockerCli.ConfigFile().AuthConfigs[s]; ok {
+			loggedIn = true
+			regsToLogout = append(regsToLogout, s)
+		}
+	}
+
+	if !loggedIn {
+		fmt.Fprintf(dockerCli.Out(), "Not logged in to %s\n", hostnameAddress)
+		return nil
+	}
+
+	fmt.Fprintf(dockerCli.Out(), "Removing login credentials for %s\n", hostnameAddress)
+	for _, r := range regsToLogout {
+		if err := dockerCli.ConfigFile().GetCredentialsStore(r).Erase(r); err != nil {
+			fmt.Fprintf(dockerCli.Err(), "WARNING: could not erase credentials: %v\n", err)
+		}
+	}
+
+	return nil
+}
diff --git a/cli/cli/command/registry/search.go b/cli/cli/command/registry/search.go
new file mode 100644
index 00000000..1af6fcd5
--- /dev/null
+++ b/cli/cli/command/registry/search.go
@@ -0,0 +1,104 @@
+package registry
+
+import (
+	"context"
+	"sort"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/registry"
+	"github.com/spf13/cobra"
+)
+
+type searchOptions struct {
+	format  string
+	term    string
+	noTrunc bool
+	limit   int
+	filter  opts.FilterOpt
+
+	// Deprecated
+	stars     uint
+	automated bool
+}
+
+// NewSearchCommand creates a new `docker search` command
+func NewSearchCommand(dockerCli command.Cli) *cobra.Command {
+	options := searchOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "search [OPTIONS] TERM",
+		Short: "Search the Docker Hub for images",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.term = args[0]
+			return runSearch(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.BoolVar(&options.noTrunc, "no-trunc", false, "Don't truncate output")
+	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")
+	flags.IntVar(&options.limit, "limit", registry.DefaultSearchLimit, "Max number of search results")
+	flags.StringVar(&options.format, "format", "", "Pretty-print search using a Go template")
+
+	flags.BoolVar(&options.automated, "automated", false, "Only show automated builds")
+	flags.UintVarP(&options.stars, "stars", "s", 0, "Only displays with at least x stars")
+
+	flags.MarkDeprecated("automated", "use --filter=is-automated=true instead")
+	flags.MarkDeprecated("stars", "use --filter=stars=3 instead")
+
+	return cmd
+}
+
+func runSearch(dockerCli command.Cli, options searchOptions) error {
+	indexInfo, err := registry.ParseSearchIndexInfo(options.term)
+	if err != nil {
+		return err
+	}
+
+	ctx := context.Background()
+
+	authConfig := command.ResolveAuthConfig(ctx, dockerCli, indexInfo)
+	requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(dockerCli, indexInfo, "search")
+
+	encodedAuth, err := command.EncodeAuthToBase64(authConfig)
+	if err != nil {
+		return err
+	}
+
+	searchOptions := types.ImageSearchOptions{
+		RegistryAuth:  encodedAuth,
+		PrivilegeFunc: requestPrivilege,
+		Filters:       options.filter.Value(),
+		Limit:         options.limit,
+	}
+
+	clnt := dockerCli.Client()
+
+	unorderedResults, err := clnt.ImageSearch(ctx, options.term, searchOptions)
+	if err != nil {
+		return err
+	}
+
+	results := searchResultsByStars(unorderedResults)
+	sort.Sort(results)
+	searchCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewSearchFormat(options.format),
+		Trunc:  !options.noTrunc,
+	}
+	return formatter.SearchWrite(searchCtx, results, options.automated, int(options.stars))
+}
+
+// searchResultsByStars sorts search results in descending order by number of stars.
+type searchResultsByStars []registrytypes.SearchResult
+
+func (r searchResultsByStars) Len() int           { return len(r) }
+func (r searchResultsByStars) Swap(i, j int)      { r[i], r[j] = r[j], r[i] }
+func (r searchResultsByStars) Less(i, j int) bool { return r[j].StarCount < r[i].StarCount }
diff --git a/cli/cli/command/registry_test.go b/cli/cli/command/registry_test.go
new file mode 100644
index 00000000..8c9f5835
--- /dev/null
+++ b/cli/cli/command/registry_test.go
@@ -0,0 +1,147 @@
+package command_test
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+
+	// Prevents a circular import with "github.com/docker/cli/internal/test"
+
+	. "github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	infoFunc func() (types.Info, error)
+}
+
+var testAuthConfigs = []types.AuthConfig{
+	{
+		ServerAddress: "https://index.docker.io/v1/",
+		Username:      "u0",
+		Password:      "p0",
+	},
+	{
+		ServerAddress: "server1.io",
+		Username:      "u1",
+		Password:      "p1",
+	},
+}
+
+func (cli *fakeClient) Info(_ context.Context) (types.Info, error) {
+	if cli.infoFunc != nil {
+		return cli.infoFunc()
+	}
+	return types.Info{}, nil
+}
+
+func TestElectAuthServer(t *testing.T) {
+	testCases := []struct {
+		expectedAuthServer string
+		expectedWarning    string
+		infoFunc           func() (types.Info, error)
+	}{
+		{
+			expectedAuthServer: "https://index.docker.io/v1/",
+			expectedWarning:    "",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{IndexServerAddress: "https://index.docker.io/v1/"}, nil
+			},
+		},
+		{
+			expectedAuthServer: "https://index.docker.io/v1/",
+			expectedWarning:    "Empty registry endpoint from daemon",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{IndexServerAddress: ""}, nil
+			},
+		},
+		{
+			expectedAuthServer: "https://foo.bar",
+			expectedWarning:    "",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{IndexServerAddress: "https://foo.bar"}, nil
+			},
+		},
+		{
+			expectedAuthServer: "https://index.docker.io/v1/",
+			expectedWarning:    "failed to get default registry endpoint from daemon",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{}, errors.Errorf("error getting info")
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{infoFunc: tc.infoFunc})
+		server := ElectAuthServer(context.Background(), cli)
+		assert.Check(t, is.Equal(tc.expectedAuthServer, server))
+		actual := cli.ErrBuffer().String()
+		if tc.expectedWarning == "" {
+			assert.Check(t, is.Len(actual, 0))
+		} else {
+			assert.Check(t, is.Contains(actual, tc.expectedWarning))
+		}
+	}
+}
+
+func TestGetDefaultAuthConfig(t *testing.T) {
+	testCases := []struct {
+		checkCredStore     bool
+		inputServerAddress string
+		expectedErr        string
+		expectedAuthConfig types.AuthConfig
+	}{
+		{
+			checkCredStore:     false,
+			inputServerAddress: "",
+			expectedErr:        "",
+			expectedAuthConfig: types.AuthConfig{
+				ServerAddress: "",
+				Username:      "",
+				Password:      "",
+			},
+		},
+		{
+			checkCredStore:     true,
+			inputServerAddress: testAuthConfigs[0].ServerAddress,
+			expectedErr:        "",
+			expectedAuthConfig: testAuthConfigs[0],
+		},
+		{
+			checkCredStore:     true,
+			inputServerAddress: testAuthConfigs[1].ServerAddress,
+			expectedErr:        "",
+			expectedAuthConfig: testAuthConfigs[1],
+		},
+		{
+			checkCredStore:     true,
+			inputServerAddress: fmt.Sprintf("https://%s", testAuthConfigs[1].ServerAddress),
+			expectedErr:        "",
+			expectedAuthConfig: testAuthConfigs[1],
+		},
+	}
+	cli := test.NewFakeCli(&fakeClient{})
+	errBuf := new(bytes.Buffer)
+	cli.SetErr(errBuf)
+	for _, authconfig := range testAuthConfigs {
+		cli.ConfigFile().GetCredentialsStore(authconfig.ServerAddress).Store(authconfig)
+	}
+	for _, tc := range testCases {
+		serverAddress := tc.inputServerAddress
+		authconfig, err := GetDefaultAuthConfig(cli, tc.checkCredStore, serverAddress, serverAddress == "https://index.docker.io/v1/")
+		if tc.expectedErr != "" {
+			assert.Check(t, err != nil)
+			assert.Check(t, is.Equal(tc.expectedErr, err.Error()))
+		} else {
+			assert.NilError(t, err)
+			assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, *authconfig))
+		}
+	}
+}
diff --git a/cli/cli/command/secret/client_test.go b/cli/cli/command/secret/client_test.go
new file mode 100644
index 00000000..ea672fa4
--- /dev/null
+++ b/cli/cli/command/secret/client_test.go
@@ -0,0 +1,45 @@
+package secret
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	secretCreateFunc  func(swarm.SecretSpec) (types.SecretCreateResponse, error)
+	secretInspectFunc func(string) (swarm.Secret, []byte, error)
+	secretListFunc    func(types.SecretListOptions) ([]swarm.Secret, error)
+	secretRemoveFunc  func(string) error
+}
+
+func (c *fakeClient) SecretCreate(ctx context.Context, spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+	if c.secretCreateFunc != nil {
+		return c.secretCreateFunc(spec)
+	}
+	return types.SecretCreateResponse{}, nil
+}
+
+func (c *fakeClient) SecretInspectWithRaw(ctx context.Context, id string) (swarm.Secret, []byte, error) {
+	if c.secretInspectFunc != nil {
+		return c.secretInspectFunc(id)
+	}
+	return swarm.Secret{}, nil, nil
+}
+
+func (c *fakeClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+	if c.secretListFunc != nil {
+		return c.secretListFunc(options)
+	}
+	return []swarm.Secret{}, nil
+}
+
+func (c *fakeClient) SecretRemove(ctx context.Context, name string) error {
+	if c.secretRemoveFunc != nil {
+		return c.secretRemoveFunc(name)
+	}
+	return nil
+}
diff --git a/cli/cli/command/secret/cmd.go b/cli/cli/command/secret/cmd.go
new file mode 100644
index 00000000..a29d2def
--- /dev/null
+++ b/cli/cli/command/secret/cmd.go
@@ -0,0 +1,29 @@
+package secret
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+)
+
+// NewSecretCommand returns a cobra command for `secret` subcommands
+func NewSecretCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "secret",
+		Short: "Manage Docker secrets",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{
+			"version": "1.25",
+			"swarm":   "",
+		},
+	}
+	cmd.AddCommand(
+		newSecretListCommand(dockerCli),
+		newSecretCreateCommand(dockerCli),
+		newSecretInspectCommand(dockerCli),
+		newSecretRemoveCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/secret/create.go b/cli/cli/command/secret/create.go
new file mode 100644
index 00000000..1739fefa
--- /dev/null
+++ b/cli/cli/command/secret/create.go
@@ -0,0 +1,109 @@
+package secret
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type createOptions struct {
+	name           string
+	driver         string
+	templateDriver string
+	file           string
+	labels         opts.ListOpts
+}
+
+func newSecretCreateCommand(dockerCli command.Cli) *cobra.Command {
+	options := createOptions{
+		labels: opts.NewListOpts(opts.ValidateEnv),
+	}
+
+	cmd := &cobra.Command{
+		Use:   "create [OPTIONS] SECRET [file|-]",
+		Short: "Create a secret from a file or STDIN as content",
+		Args:  cli.RequiresRangeArgs(1, 2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.name = args[0]
+			if len(args) == 2 {
+				options.file = args[1]
+			}
+			return runSecretCreate(dockerCli, options)
+		},
+	}
+	flags := cmd.Flags()
+	flags.VarP(&options.labels, "label", "l", "Secret labels")
+	flags.StringVarP(&options.driver, "driver", "d", "", "Secret driver")
+	flags.SetAnnotation("driver", "version", []string{"1.31"})
+	flags.StringVar(&options.templateDriver, "template-driver", "", "Template driver")
+	flags.SetAnnotation("driver", "version", []string{"1.37"})
+
+	return cmd
+}
+
+func runSecretCreate(dockerCli command.Cli, options createOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	if options.driver != "" && options.file != "" {
+		return errors.Errorf("When using secret driver secret data must be empty")
+	}
+
+	secretData, err := readSecretData(dockerCli.In(), options.file)
+	if err != nil {
+		return errors.Errorf("Error reading content from %q: %v", options.file, err)
+	}
+	spec := swarm.SecretSpec{
+		Annotations: swarm.Annotations{
+			Name:   options.name,
+			Labels: opts.ConvertKVStringsToMap(options.labels.GetAll()),
+		},
+		Data: secretData,
+	}
+	if options.driver != "" {
+		spec.Driver = &swarm.Driver{
+			Name: options.driver,
+		}
+	}
+	if options.templateDriver != "" {
+		spec.Templating = &swarm.Driver{
+			Name: options.templateDriver,
+		}
+	}
+	r, err := client.SecretCreate(ctx, spec)
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintln(dockerCli.Out(), r.ID)
+	return nil
+}
+
+func readSecretData(in io.ReadCloser, file string) ([]byte, error) {
+	// Read secret value from external driver
+	if file == "" {
+		return nil, nil
+	}
+	if file != "-" {
+		var err error
+		in, err = system.OpenSequential(file)
+		if err != nil {
+			return nil, err
+		}
+		defer in.Close()
+	}
+	data, err := ioutil.ReadAll(in)
+	if err != nil {
+		return nil, err
+	}
+	return data, nil
+}
diff --git a/cli/cli/command/secret/create_test.go b/cli/cli/command/secret/create_test.go
new file mode 100644
index 00000000..eb9c0898
--- /dev/null
+++ b/cli/cli/command/secret/create_test.go
@@ -0,0 +1,169 @@
+package secret
+
+import (
+	"io/ioutil"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+const secretDataFile = "secret-create-with-name.golden"
+
+func TestSecretCreateErrors(t *testing.T) {
+	testCases := []struct {
+		args             []string
+		secretCreateFunc func(swarm.SecretSpec) (types.SecretCreateResponse, error)
+		expectedError    string
+	}{
+		{args: []string{"too", "many", "arguments"},
+			expectedError: "requires at least 1 and at most 2 arguments",
+		},
+		{args: []string{"create", "--driver", "driver", "-"},
+			expectedError: "secret data must be empty",
+		},
+		{
+			args: []string{"name", filepath.Join("testdata", secretDataFile)},
+			secretCreateFunc: func(secretSpec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+				return types.SecretCreateResponse{}, errors.Errorf("error creating secret")
+			},
+			expectedError: "error creating secret",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newSecretCreateCommand(
+			test.NewFakeCli(&fakeClient{
+				secretCreateFunc: tc.secretCreateFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSecretCreateWithName(t *testing.T) {
+	name := "foo"
+	data, err := ioutil.ReadFile(filepath.Join("testdata", secretDataFile))
+	assert.NilError(t, err)
+
+	expected := swarm.SecretSpec{
+		Annotations: swarm.Annotations{
+			Name:   name,
+			Labels: make(map[string]string),
+		},
+		Data: data,
+	}
+
+	cli := test.NewFakeCli(&fakeClient{
+		secretCreateFunc: func(spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+			if !reflect.DeepEqual(spec, expected) {
+				return types.SecretCreateResponse{}, errors.Errorf("expected %+v, got %+v", expected, spec)
+			}
+			return types.SecretCreateResponse{
+				ID: "ID-" + spec.Name,
+			}, nil
+		},
+	})
+
+	cmd := newSecretCreateCommand(cli)
+	cmd.SetArgs([]string{name, filepath.Join("testdata", secretDataFile)})
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("ID-"+name, strings.TrimSpace(cli.OutBuffer().String())))
+}
+
+func TestSecretCreateWithDriver(t *testing.T) {
+	expectedDriver := &swarm.Driver{
+		Name: "secret-driver",
+	}
+	name := "foo"
+
+	cli := test.NewFakeCli(&fakeClient{
+		secretCreateFunc: func(spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+			if spec.Name != name {
+				return types.SecretCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
+			}
+
+			if spec.Driver.Name != expectedDriver.Name {
+				return types.SecretCreateResponse{}, errors.Errorf("expected driver %v, got %v", expectedDriver, spec.Labels)
+			}
+
+			return types.SecretCreateResponse{
+				ID: "ID-" + spec.Name,
+			}, nil
+		},
+	})
+
+	cmd := newSecretCreateCommand(cli)
+	cmd.SetArgs([]string{name})
+	cmd.Flags().Set("driver", expectedDriver.Name)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("ID-"+name, strings.TrimSpace(cli.OutBuffer().String())))
+}
+
+func TestSecretCreateWithTemplatingDriver(t *testing.T) {
+	expectedDriver := &swarm.Driver{
+		Name: "template-driver",
+	}
+	name := "foo"
+
+	cli := test.NewFakeCli(&fakeClient{
+		secretCreateFunc: func(spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+			if spec.Name != name {
+				return types.SecretCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
+			}
+
+			if spec.Templating.Name != expectedDriver.Name {
+				return types.SecretCreateResponse{}, errors.Errorf("expected driver %v, got %v", expectedDriver, spec.Labels)
+			}
+
+			return types.SecretCreateResponse{
+				ID: "ID-" + spec.Name,
+			}, nil
+		},
+	})
+
+	cmd := newSecretCreateCommand(cli)
+	cmd.SetArgs([]string{name})
+	cmd.Flags().Set("template-driver", expectedDriver.Name)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("ID-"+name, strings.TrimSpace(cli.OutBuffer().String())))
+}
+
+func TestSecretCreateWithLabels(t *testing.T) {
+	expectedLabels := map[string]string{
+		"lbl1": "Label-foo",
+		"lbl2": "Label-bar",
+	}
+	name := "foo"
+
+	cli := test.NewFakeCli(&fakeClient{
+		secretCreateFunc: func(spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+			if spec.Name != name {
+				return types.SecretCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
+			}
+
+			if !reflect.DeepEqual(spec.Labels, expectedLabels) {
+				return types.SecretCreateResponse{}, errors.Errorf("expected labels %v, got %v", expectedLabels, spec.Labels)
+			}
+
+			return types.SecretCreateResponse{
+				ID: "ID-" + spec.Name,
+			}, nil
+		},
+	})
+
+	cmd := newSecretCreateCommand(cli)
+	cmd.SetArgs([]string{name, filepath.Join("testdata", secretDataFile)})
+	cmd.Flags().Set("label", "lbl1=Label-foo")
+	cmd.Flags().Set("label", "lbl2=Label-bar")
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("ID-"+name, strings.TrimSpace(cli.OutBuffer().String())))
+}
diff --git a/cli/cli/command/secret/inspect.go b/cli/cli/command/secret/inspect.go
new file mode 100644
index 00000000..1afcb521
--- /dev/null
+++ b/cli/cli/command/secret/inspect.go
@@ -0,0 +1,65 @@
+package secret
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	names  []string
+	format string
+	pretty bool
+}
+
+func newSecretInspectCommand(dockerCli command.Cli) *cobra.Command {
+	opts := inspectOptions{}
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] SECRET [SECRET...]",
+		Short: "Display detailed information on one or more secrets",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.names = args
+			return runSecretInspect(dockerCli, opts)
+		},
+	}
+
+	cmd.Flags().StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	cmd.Flags().BoolVar(&opts.pretty, "pretty", false, "Print the information in a human friendly format")
+	return cmd
+}
+
+func runSecretInspect(dockerCli command.Cli, opts inspectOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	if opts.pretty {
+		opts.format = "pretty"
+	}
+
+	getRef := func(id string) (interface{}, []byte, error) {
+		return client.SecretInspectWithRaw(ctx, id)
+	}
+	f := opts.format
+
+	// check if the user is trying to apply a template to the pretty format, which
+	// is not supported
+	if strings.HasPrefix(f, "pretty") && f != "pretty" {
+		return fmt.Errorf("Cannot supply extra formatting options to the pretty template")
+	}
+
+	secretCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewSecretFormat(f, false),
+	}
+
+	if err := formatter.SecretInspectWrite(secretCtx, opts.names, getRef); err != nil {
+		return cli.StatusError{StatusCode: 1, Status: err.Error()}
+	}
+	return nil
+}
diff --git a/cli/cli/command/secret/inspect_test.go b/cli/cli/command/secret/inspect_test.go
new file mode 100644
index 00000000..67addaea
--- /dev/null
+++ b/cli/cli/command/secret/inspect_test.go
@@ -0,0 +1,173 @@
+package secret
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestSecretInspectErrors(t *testing.T) {
+	testCases := []struct {
+		args              []string
+		flags             map[string]string
+		secretInspectFunc func(secretID string) (swarm.Secret, []byte, error)
+		expectedError     string
+	}{
+		{
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			args: []string{"foo"},
+			secretInspectFunc: func(secretID string) (swarm.Secret, []byte, error) {
+				return swarm.Secret{}, nil, errors.Errorf("error while inspecting the secret")
+			},
+			expectedError: "error while inspecting the secret",
+		},
+		{
+			args: []string{"foo"},
+			flags: map[string]string{
+				"format": "{{invalid format}}",
+			},
+			expectedError: "Template parsing error",
+		},
+		{
+			args: []string{"foo", "bar"},
+			secretInspectFunc: func(secretID string) (swarm.Secret, []byte, error) {
+				if secretID == "foo" {
+					return *Secret(SecretName("foo")), nil, nil
+				}
+				return swarm.Secret{}, nil, errors.Errorf("error while inspecting the secret")
+			},
+			expectedError: "error while inspecting the secret",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newSecretInspectCommand(
+			test.NewFakeCli(&fakeClient{
+				secretInspectFunc: tc.secretInspectFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSecretInspectWithoutFormat(t *testing.T) {
+	testCases := []struct {
+		name              string
+		args              []string
+		secretInspectFunc func(secretID string) (swarm.Secret, []byte, error)
+	}{
+		{
+			name: "single-secret",
+			args: []string{"foo"},
+			secretInspectFunc: func(name string) (swarm.Secret, []byte, error) {
+				if name != "foo" {
+					return swarm.Secret{}, nil, errors.Errorf("Invalid name, expected %s, got %s", "foo", name)
+				}
+				return *Secret(SecretID("ID-foo"), SecretName("foo")), nil, nil
+			},
+		},
+		{
+			name: "multiple-secrets-with-labels",
+			args: []string{"foo", "bar"},
+			secretInspectFunc: func(name string) (swarm.Secret, []byte, error) {
+				return *Secret(SecretID("ID-"+name), SecretName(name), SecretLabels(map[string]string{
+					"label1": "label-foo",
+				})), nil, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			secretInspectFunc: tc.secretInspectFunc,
+		})
+		cmd := newSecretInspectCommand(cli)
+		cmd.SetArgs(tc.args)
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("secret-inspect-without-format.%s.golden", tc.name))
+	}
+}
+
+func TestSecretInspectWithFormat(t *testing.T) {
+	secretInspectFunc := func(name string) (swarm.Secret, []byte, error) {
+		return *Secret(SecretName("foo"), SecretLabels(map[string]string{
+			"label1": "label-foo",
+		})), nil, nil
+	}
+	testCases := []struct {
+		name              string
+		format            string
+		args              []string
+		secretInspectFunc func(name string) (swarm.Secret, []byte, error)
+	}{
+		{
+			name:              "simple-template",
+			format:            "{{.Spec.Name}}",
+			args:              []string{"foo"},
+			secretInspectFunc: secretInspectFunc,
+		},
+		{
+			name:              "json-template",
+			format:            "{{json .Spec.Labels}}",
+			args:              []string{"foo"},
+			secretInspectFunc: secretInspectFunc,
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			secretInspectFunc: tc.secretInspectFunc,
+		})
+		cmd := newSecretInspectCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.Flags().Set("format", tc.format)
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("secret-inspect-with-format.%s.golden", tc.name))
+	}
+}
+
+func TestSecretInspectPretty(t *testing.T) {
+	testCases := []struct {
+		name              string
+		secretInspectFunc func(string) (swarm.Secret, []byte, error)
+	}{
+		{
+			name: "simple",
+			secretInspectFunc: func(id string) (swarm.Secret, []byte, error) {
+				return *Secret(
+					SecretLabels(map[string]string{
+						"lbl1": "value1",
+					}),
+					SecretID("secretID"),
+					SecretName("secretName"),
+					SecretDriver("driver"),
+					SecretCreatedAt(time.Time{}),
+					SecretUpdatedAt(time.Time{}),
+				), []byte{}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			secretInspectFunc: tc.secretInspectFunc,
+		})
+		cmd := newSecretInspectCommand(cli)
+		cmd.SetArgs([]string{"secretID"})
+		cmd.Flags().Set("pretty", "true")
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("secret-inspect-pretty.%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/secret/ls.go b/cli/cli/command/secret/ls.go
new file mode 100644
index 00000000..a778137e
--- /dev/null
+++ b/cli/cli/command/secret/ls.go
@@ -0,0 +1,76 @@
+package secret
+
+import (
+	"context"
+	"sort"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/spf13/cobra"
+	"vbom.ml/util/sortorder"
+)
+
+type bySecretName []swarm.Secret
+
+func (r bySecretName) Len() int      { return len(r) }
+func (r bySecretName) Swap(i, j int) { r[i], r[j] = r[j], r[i] }
+func (r bySecretName) Less(i, j int) bool {
+	return sortorder.NaturalLess(r[i].Spec.Name, r[j].Spec.Name)
+}
+
+type listOptions struct {
+	quiet  bool
+	format string
+	filter opts.FilterOpt
+}
+
+func newSecretListCommand(dockerCli command.Cli) *cobra.Command {
+	options := listOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS]",
+		Aliases: []string{"list"},
+		Short:   "List secrets",
+		Args:    cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runSecretList(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display IDs")
+	flags.StringVarP(&options.format, "format", "", "", "Pretty-print secrets using a Go template")
+	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")
+
+	return cmd
+}
+
+func runSecretList(dockerCli command.Cli, options listOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	secrets, err := client.SecretList(ctx, types.SecretListOptions{Filters: options.filter.Value()})
+	if err != nil {
+		return err
+	}
+	format := options.format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().SecretFormat) > 0 && !options.quiet {
+			format = dockerCli.ConfigFile().SecretFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+
+	sort.Sort(bySecretName(secrets))
+
+	secretCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewSecretFormat(format, options.quiet),
+	}
+	return formatter.SecretWrite(secretCtx, secrets)
+}
diff --git a/cli/cli/command/secret/ls_test.go b/cli/cli/command/secret/ls_test.go
new file mode 100644
index 00000000..e1417115
--- /dev/null
+++ b/cli/cli/command/secret/ls_test.go
@@ -0,0 +1,160 @@
+package secret
+
+import (
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestSecretListErrors(t *testing.T) {
+	testCases := []struct {
+		args           []string
+		secretListFunc func(types.SecretListOptions) ([]swarm.Secret, error)
+		expectedError  string
+	}{
+		{
+			args:          []string{"foo"},
+			expectedError: "accepts no argument",
+		},
+		{
+			secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+				return []swarm.Secret{}, errors.Errorf("error listing secrets")
+			},
+			expectedError: "error listing secrets",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newSecretListCommand(
+			test.NewFakeCli(&fakeClient{
+				secretListFunc: tc.secretListFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSecretList(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+			return []swarm.Secret{
+				*Secret(SecretID("ID-1-foo"),
+					SecretName("1-foo"),
+					SecretVersion(swarm.Version{Index: 10}),
+					SecretCreatedAt(time.Now().Add(-2*time.Hour)),
+					SecretUpdatedAt(time.Now().Add(-1*time.Hour)),
+				),
+				*Secret(SecretID("ID-10-foo"),
+					SecretName("10-foo"),
+					SecretVersion(swarm.Version{Index: 11}),
+					SecretCreatedAt(time.Now().Add(-2*time.Hour)),
+					SecretUpdatedAt(time.Now().Add(-1*time.Hour)),
+					SecretDriver("driver"),
+				),
+				*Secret(SecretID("ID-2-foo"),
+					SecretName("2-foo"),
+					SecretVersion(swarm.Version{Index: 11}),
+					SecretCreatedAt(time.Now().Add(-2*time.Hour)),
+					SecretUpdatedAt(time.Now().Add(-1*time.Hour)),
+					SecretDriver("driver"),
+				),
+			}, nil
+		},
+	})
+	cmd := newSecretListCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "secret-list-sort.golden")
+}
+
+func TestSecretListWithQuietOption(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+			return []swarm.Secret{
+				*Secret(SecretID("ID-foo"), SecretName("foo")),
+				*Secret(SecretID("ID-bar"), SecretName("bar"), SecretLabels(map[string]string{
+					"label": "label-bar",
+				})),
+			}, nil
+		},
+	})
+	cmd := newSecretListCommand(cli)
+	cmd.Flags().Set("quiet", "true")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "secret-list-with-quiet-option.golden")
+}
+
+func TestSecretListWithConfigFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+			return []swarm.Secret{
+				*Secret(SecretID("ID-foo"), SecretName("foo")),
+				*Secret(SecretID("ID-bar"), SecretName("bar"), SecretLabels(map[string]string{
+					"label": "label-bar",
+				})),
+			}, nil
+		},
+	})
+	cli.SetConfigFile(&configfile.ConfigFile{
+		SecretFormat: "{{ .Name }} {{ .Labels }}",
+	})
+	cmd := newSecretListCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "secret-list-with-config-format.golden")
+}
+
+func TestSecretListWithFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+			return []swarm.Secret{
+				*Secret(SecretID("ID-foo"), SecretName("foo")),
+				*Secret(SecretID("ID-bar"), SecretName("bar"), SecretLabels(map[string]string{
+					"label": "label-bar",
+				})),
+			}, nil
+		},
+	})
+	cmd := newSecretListCommand(cli)
+	cmd.Flags().Set("format", "{{ .Name }} {{ .Labels }}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "secret-list-with-format.golden")
+}
+
+func TestSecretListWithFilter(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+			assert.Check(t, is.Equal("foo", options.Filters.Get("name")[0]), "foo")
+			assert.Check(t, is.Equal("lbl1=Label-bar", options.Filters.Get("label")[0]))
+			return []swarm.Secret{
+				*Secret(SecretID("ID-foo"),
+					SecretName("foo"),
+					SecretVersion(swarm.Version{Index: 10}),
+					SecretCreatedAt(time.Now().Add(-2*time.Hour)),
+					SecretUpdatedAt(time.Now().Add(-1*time.Hour)),
+				),
+				*Secret(SecretID("ID-bar"),
+					SecretName("bar"),
+					SecretVersion(swarm.Version{Index: 11}),
+					SecretCreatedAt(time.Now().Add(-2*time.Hour)),
+					SecretUpdatedAt(time.Now().Add(-1*time.Hour)),
+				),
+			}, nil
+		},
+	})
+	cmd := newSecretListCommand(cli)
+	cmd.Flags().Set("filter", "name=foo")
+	cmd.Flags().Set("filter", "label=lbl1=Label-bar")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "secret-list-with-filter.golden")
+}
diff --git a/cli/cli/command/secret/remove.go b/cli/cli/command/secret/remove.go
new file mode 100644
index 00000000..bdf47b77
--- /dev/null
+++ b/cli/cli/command/secret/remove.go
@@ -0,0 +1,53 @@
+package secret
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type removeOptions struct {
+	names []string
+}
+
+func newSecretRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	return &cobra.Command{
+		Use:     "rm SECRET [SECRET...]",
+		Aliases: []string{"remove"},
+		Short:   "Remove one or more secrets",
+		Args:    cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts := removeOptions{
+				names: args,
+			}
+			return runSecretRemove(dockerCli, opts)
+		},
+	}
+}
+
+func runSecretRemove(dockerCli command.Cli, opts removeOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	var errs []string
+
+	for _, name := range opts.names {
+		if err := client.SecretRemove(ctx, name); err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+
+		fmt.Fprintln(dockerCli.Out(), name)
+	}
+
+	if len(errs) > 0 {
+		return errors.Errorf("%s", strings.Join(errs, "\n"))
+	}
+
+	return nil
+}
diff --git a/cli/cli/command/secret/remove_test.go b/cli/cli/command/secret/remove_test.go
new file mode 100644
index 00000000..d2fc8ad0
--- /dev/null
+++ b/cli/cli/command/secret/remove_test.go
@@ -0,0 +1,79 @@
+package secret
+
+import (
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSecretRemoveErrors(t *testing.T) {
+	testCases := []struct {
+		args             []string
+		secretRemoveFunc func(string) error
+		expectedError    string
+	}{
+		{
+			args:          []string{},
+			expectedError: "requires at least 1 argument.",
+		},
+		{
+			args: []string{"foo"},
+			secretRemoveFunc: func(name string) error {
+				return errors.Errorf("error removing secret")
+			},
+			expectedError: "error removing secret",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newSecretRemoveCommand(
+			test.NewFakeCli(&fakeClient{
+				secretRemoveFunc: tc.secretRemoveFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSecretRemoveWithName(t *testing.T) {
+	names := []string{"foo", "bar"}
+	var removedSecrets []string
+	cli := test.NewFakeCli(&fakeClient{
+		secretRemoveFunc: func(name string) error {
+			removedSecrets = append(removedSecrets, name)
+			return nil
+		},
+	})
+	cmd := newSecretRemoveCommand(cli)
+	cmd.SetArgs(names)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.DeepEqual(names, strings.Split(strings.TrimSpace(cli.OutBuffer().String()), "\n")))
+	assert.Check(t, is.DeepEqual(names, removedSecrets))
+}
+
+func TestSecretRemoveContinueAfterError(t *testing.T) {
+	names := []string{"foo", "bar"}
+	var removedSecrets []string
+
+	cli := test.NewFakeCli(&fakeClient{
+		secretRemoveFunc: func(name string) error {
+			removedSecrets = append(removedSecrets, name)
+			if name == "foo" {
+				return errors.Errorf("error removing secret: %s", name)
+			}
+			return nil
+		},
+	})
+
+	cmd := newSecretRemoveCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs(names)
+	assert.Error(t, cmd.Execute(), "error removing secret: foo")
+	assert.Check(t, is.DeepEqual(names, removedSecrets))
+}
diff --git a/cli/cli/command/secret/testdata/secret-create-with-name.golden b/cli/cli/command/secret/testdata/secret-create-with-name.golden
new file mode 100644
index 00000000..788642a9
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-create-with-name.golden
@@ -0,0 +1 @@
+secret_foo_bar
diff --git a/cli/cli/command/secret/testdata/secret-inspect-pretty.simple.golden b/cli/cli/command/secret/testdata/secret-inspect-pretty.simple.golden
new file mode 100644
index 00000000..37234eff
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-inspect-pretty.simple.golden
@@ -0,0 +1,7 @@
+ID:              secretID
+Name:              secretName
+Labels:
+ - lbl1=value1
+Driver:            driver
+Created at:        0001-01-01 00:00:00 +0000 utc
+Updated at:        0001-01-01 00:00:00 +0000 utc
diff --git a/cli/cli/command/secret/testdata/secret-inspect-with-format.json-template.golden b/cli/cli/command/secret/testdata/secret-inspect-with-format.json-template.golden
new file mode 100644
index 00000000..aab678f8
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-inspect-with-format.json-template.golden
@@ -0,0 +1 @@
+{"label1":"label-foo"}
diff --git a/cli/cli/command/secret/testdata/secret-inspect-with-format.simple-template.golden b/cli/cli/command/secret/testdata/secret-inspect-with-format.simple-template.golden
new file mode 100644
index 00000000..257cc564
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-inspect-with-format.simple-template.golden
@@ -0,0 +1 @@
+foo
diff --git a/cli/cli/command/secret/testdata/secret-inspect-without-format.multiple-secrets-with-labels.golden b/cli/cli/command/secret/testdata/secret-inspect-without-format.multiple-secrets-with-labels.golden
new file mode 100644
index 00000000..b01a400c
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-inspect-without-format.multiple-secrets-with-labels.golden
@@ -0,0 +1,26 @@
+[
+    {
+        "ID": "ID-foo",
+        "Version": {},
+        "CreatedAt": "0001-01-01T00:00:00Z",
+        "UpdatedAt": "0001-01-01T00:00:00Z",
+        "Spec": {
+            "Name": "foo",
+            "Labels": {
+                "label1": "label-foo"
+            }
+        }
+    },
+    {
+        "ID": "ID-bar",
+        "Version": {},
+        "CreatedAt": "0001-01-01T00:00:00Z",
+        "UpdatedAt": "0001-01-01T00:00:00Z",
+        "Spec": {
+            "Name": "bar",
+            "Labels": {
+                "label1": "label-foo"
+            }
+        }
+    }
+]
diff --git a/cli/cli/command/secret/testdata/secret-inspect-without-format.single-secret.golden b/cli/cli/command/secret/testdata/secret-inspect-without-format.single-secret.golden
new file mode 100644
index 00000000..c4f41c10
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-inspect-without-format.single-secret.golden
@@ -0,0 +1,12 @@
+[
+    {
+        "ID": "ID-foo",
+        "Version": {},
+        "CreatedAt": "0001-01-01T00:00:00Z",
+        "UpdatedAt": "0001-01-01T00:00:00Z",
+        "Spec": {
+            "Name": "foo",
+            "Labels": null
+        }
+    }
+]
diff --git a/cli/cli/command/secret/testdata/secret-list-sort.golden b/cli/cli/command/secret/testdata/secret-list-sort.golden
new file mode 100644
index 00000000..805d26f3
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-list-sort.golden
@@ -0,0 +1,4 @@
+ID                  NAME                DRIVER              CREATED             UPDATED
+ID-1-foo            1-foo                                   2 hours ago         About an hour ago
+ID-2-foo            2-foo               driver              2 hours ago         About an hour ago
+ID-10-foo           10-foo              driver              2 hours ago         About an hour ago
diff --git a/cli/cli/command/secret/testdata/secret-list-with-config-format.golden b/cli/cli/command/secret/testdata/secret-list-with-config-format.golden
new file mode 100644
index 00000000..a64bb595
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-list-with-config-format.golden
@@ -0,0 +1,2 @@
+bar label=label-bar
+foo 
diff --git a/cli/cli/command/secret/testdata/secret-list-with-filter.golden b/cli/cli/command/secret/testdata/secret-list-with-filter.golden
new file mode 100644
index 00000000..388d2874
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-list-with-filter.golden
@@ -0,0 +1,3 @@
+ID                  NAME                DRIVER              CREATED             UPDATED
+ID-bar              bar                                     2 hours ago         About an hour ago
+ID-foo              foo                                     2 hours ago         About an hour ago
diff --git a/cli/cli/command/secret/testdata/secret-list-with-format.golden b/cli/cli/command/secret/testdata/secret-list-with-format.golden
new file mode 100644
index 00000000..a64bb595
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-list-with-format.golden
@@ -0,0 +1,2 @@
+bar label=label-bar
+foo 
diff --git a/cli/cli/command/secret/testdata/secret-list-with-quiet-option.golden b/cli/cli/command/secret/testdata/secret-list-with-quiet-option.golden
new file mode 100644
index 00000000..145fc38d
--- /dev/null
+++ b/cli/cli/command/secret/testdata/secret-list-with-quiet-option.golden
@@ -0,0 +1,2 @@
+ID-bar
+ID-foo
diff --git a/cli/cli/command/service/client_test.go b/cli/cli/command/service/client_test.go
new file mode 100644
index 00000000..8d0d592c
--- /dev/null
+++ b/cli/cli/command/service/client_test.go
@@ -0,0 +1,77 @@
+package service
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+)
+
+type fakeClient struct {
+	client.Client
+	serviceInspectWithRawFunc func(ctx context.Context, serviceID string, options types.ServiceInspectOptions) (swarm.Service, []byte, error)
+	serviceUpdateFunc         func(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error)
+	serviceListFunc           func(context.Context, types.ServiceListOptions) ([]swarm.Service, error)
+	taskListFunc              func(context.Context, types.TaskListOptions) ([]swarm.Task, error)
+	infoFunc                  func(ctx context.Context) (types.Info, error)
+	networkInspectFunc        func(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, error)
+}
+
+func (f *fakeClient) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
+	return nil, nil
+}
+
+func (f *fakeClient) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+	if f.taskListFunc != nil {
+		return f.taskListFunc(ctx, options)
+	}
+	return nil, nil
+}
+
+func (f *fakeClient) ServiceInspectWithRaw(ctx context.Context, serviceID string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+	if f.serviceInspectWithRawFunc != nil {
+		return f.serviceInspectWithRawFunc(ctx, serviceID, options)
+	}
+
+	return *Service(ServiceID(serviceID)), []byte{}, nil
+}
+
+func (f *fakeClient) ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+	if f.serviceListFunc != nil {
+		return f.serviceListFunc(ctx, options)
+	}
+
+	return nil, nil
+}
+
+func (f *fakeClient) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
+	if f.serviceUpdateFunc != nil {
+		return f.serviceUpdateFunc(ctx, serviceID, version, service, options)
+	}
+
+	return types.ServiceUpdateResponse{}, nil
+}
+
+func (f *fakeClient) Info(ctx context.Context) (types.Info, error) {
+	if f.infoFunc == nil {
+		return types.Info{}, nil
+	}
+	return f.infoFunc(ctx)
+}
+
+func (f *fakeClient) NetworkInspect(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, error) {
+	if f.networkInspectFunc != nil {
+		return f.networkInspectFunc(ctx, networkID, options)
+	}
+	return types.NetworkResource{}, nil
+}
+
+func newService(id string, name string) swarm.Service {
+	return swarm.Service{
+		ID:   id,
+		Spec: swarm.ServiceSpec{Annotations: swarm.Annotations{Name: name}},
+	}
+}
diff --git a/cli/cli/command/service/cmd.go b/cli/cli/command/service/cmd.go
new file mode 100644
index 00000000..98af9852
--- /dev/null
+++ b/cli/cli/command/service/cmd.go
@@ -0,0 +1,34 @@
+package service
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+)
+
+// NewServiceCommand returns a cobra command for `service` subcommands
+func NewServiceCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "service",
+		Short: "Manage services",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{
+			"version": "1.24",
+			"swarm":   "",
+		},
+	}
+	cmd.AddCommand(
+		newCreateCommand(dockerCli),
+		newInspectCommand(dockerCli),
+		newPsCommand(dockerCli),
+		newListCommand(dockerCli),
+		newRemoveCommand(dockerCli),
+		newScaleCommand(dockerCli),
+		newUpdateCommand(dockerCli),
+		newLogsCommand(dockerCli),
+		newRollbackCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/service/create.go b/cli/cli/command/service/create.go
new file mode 100644
index 00000000..ec74eb43
--- /dev/null
+++ b/cli/cli/command/service/create.go
@@ -0,0 +1,137 @@
+package service
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	cliopts "github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+func newCreateCommand(dockerCli command.Cli) *cobra.Command {
+	opts := newServiceOptions()
+
+	cmd := &cobra.Command{
+		Use:   "create [OPTIONS] IMAGE [COMMAND] [ARG...]",
+		Short: "Create a new service",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.image = args[0]
+			if len(args) > 1 {
+				opts.args = args[1:]
+			}
+			return runCreate(dockerCli, cmd.Flags(), opts)
+		},
+	}
+	flags := cmd.Flags()
+	flags.StringVar(&opts.mode, flagMode, "replicated", "Service mode (replicated or global)")
+	flags.StringVar(&opts.name, flagName, "", "Service name")
+
+	addServiceFlags(flags, opts, buildServiceDefaultFlagMapping())
+
+	flags.VarP(&opts.labels, flagLabel, "l", "Service labels")
+	flags.Var(&opts.containerLabels, flagContainerLabel, "Container labels")
+	flags.VarP(&opts.env, flagEnv, "e", "Set environment variables")
+	flags.Var(&opts.envFile, flagEnvFile, "Read in a file of environment variables")
+	flags.Var(&opts.mounts, flagMount, "Attach a filesystem mount to the service")
+	flags.Var(&opts.constraints, flagConstraint, "Placement constraints")
+	flags.Var(&opts.placementPrefs, flagPlacementPref, "Add a placement preference")
+	flags.SetAnnotation(flagPlacementPref, "version", []string{"1.28"})
+	flags.Var(&opts.networks, flagNetwork, "Network attachments")
+	flags.Var(&opts.secrets, flagSecret, "Specify secrets to expose to the service")
+	flags.SetAnnotation(flagSecret, "version", []string{"1.25"})
+	flags.Var(&opts.configs, flagConfig, "Specify configurations to expose to the service")
+	flags.SetAnnotation(flagConfig, "version", []string{"1.30"})
+	flags.VarP(&opts.endpoint.publishPorts, flagPublish, "p", "Publish a port as a node port")
+	flags.Var(&opts.groups, flagGroup, "Set one or more supplementary user groups for the container")
+	flags.SetAnnotation(flagGroup, "version", []string{"1.25"})
+	flags.Var(&opts.dns, flagDNS, "Set custom DNS servers")
+	flags.SetAnnotation(flagDNS, "version", []string{"1.25"})
+	flags.Var(&opts.dnsOption, flagDNSOption, "Set DNS options")
+	flags.SetAnnotation(flagDNSOption, "version", []string{"1.25"})
+	flags.Var(&opts.dnsSearch, flagDNSSearch, "Set custom DNS search domains")
+	flags.SetAnnotation(flagDNSSearch, "version", []string{"1.25"})
+	flags.Var(&opts.hosts, flagHost, "Set one or more custom host-to-IP mappings (host:ip)")
+	flags.SetAnnotation(flagHost, "version", []string{"1.25"})
+	flags.BoolVar(&opts.init, flagInit, false, "Use an init inside each service container to forward signals and reap processes")
+	flags.SetAnnotation(flagInit, "version", []string{"1.37"})
+
+	flags.Var(cliopts.NewListOptsRef(&opts.resources.resGenericResources, ValidateSingleGenericResource), "generic-resource", "User defined resources")
+	flags.SetAnnotation(flagHostAdd, "version", []string{"1.32"})
+
+	flags.SetInterspersed(false)
+	return cmd
+}
+
+func runCreate(dockerCli command.Cli, flags *pflag.FlagSet, opts *serviceOptions) error {
+	apiClient := dockerCli.Client()
+	createOpts := types.ServiceCreateOptions{}
+
+	ctx := context.Background()
+
+	service, err := opts.ToService(ctx, apiClient, flags)
+	if err != nil {
+		return err
+	}
+
+	specifiedSecrets := opts.secrets.Value()
+	if len(specifiedSecrets) > 0 {
+		// parse and validate secrets
+		secrets, err := ParseSecrets(apiClient, specifiedSecrets)
+		if err != nil {
+			return err
+		}
+		service.TaskTemplate.ContainerSpec.Secrets = secrets
+	}
+
+	specifiedConfigs := opts.configs.Value()
+	if len(specifiedConfigs) > 0 {
+		// parse and validate configs
+		configs, err := ParseConfigs(apiClient, specifiedConfigs)
+		if err != nil {
+			return err
+		}
+		service.TaskTemplate.ContainerSpec.Configs = configs
+	}
+
+	if err := resolveServiceImageDigestContentTrust(dockerCli, &service); err != nil {
+		return err
+	}
+
+	// only send auth if flag was set
+	if opts.registryAuth {
+		// Retrieve encoded auth token from the image reference
+		encodedAuth, err := command.RetrieveAuthTokenFromImage(ctx, dockerCli, opts.image)
+		if err != nil {
+			return err
+		}
+		createOpts.EncodedRegistryAuth = encodedAuth
+	}
+
+	// query registry if flag disabling it was not set
+	if !opts.noResolveImage && versions.GreaterThanOrEqualTo(apiClient.ClientVersion(), "1.30") {
+		createOpts.QueryRegistry = true
+	}
+
+	response, err := apiClient.ServiceCreate(ctx, service, createOpts)
+	if err != nil {
+		return err
+	}
+
+	for _, warning := range response.Warnings {
+		fmt.Fprintln(dockerCli.Err(), warning)
+	}
+
+	fmt.Fprintf(dockerCli.Out(), "%s\n", response.ID)
+
+	if opts.detach || versions.LessThan(apiClient.ClientVersion(), "1.29") {
+		return nil
+	}
+
+	return waitOnService(ctx, dockerCli, response.ID, opts.quiet)
+}
diff --git a/cli/cli/command/service/generic_resource_opts.go b/cli/cli/command/service/generic_resource_opts.go
new file mode 100644
index 00000000..66385888
--- /dev/null
+++ b/cli/cli/command/service/generic_resource_opts.go
@@ -0,0 +1,105 @@
+package service
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"github.com/docker/docker/api/types/swarm"
+	swarmapi "github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/api/genericresource"
+)
+
+// GenericResource is a concept that a user can use to advertise user-defined
+// resources on a node and thus better place services based on these resources.
+// E.g: NVIDIA GPUs, Intel FPGAs, ...
+// See https://github.com/docker/swarmkit/blob/master/design/generic_resources.md
+
+// ValidateSingleGenericResource validates that a single entry in the
+// generic resource list is valid.
+// i.e 'GPU=UID1' is valid however 'GPU:UID1' or 'UID1' isn't
+func ValidateSingleGenericResource(val string) (string, error) {
+	if strings.Count(val, "=") < 1 {
+		return "", fmt.Errorf("invalid generic-resource format `%s` expected `name=value`", val)
+	}
+
+	return val, nil
+}
+
+// ParseGenericResources parses an array of Generic resourceResources
+// Requesting Named Generic Resources for a service is not supported this
+// is filtered here.
+func ParseGenericResources(value []string) ([]swarm.GenericResource, error) {
+	if len(value) == 0 {
+		return nil, nil
+	}
+
+	resources, err := genericresource.Parse(value)
+	if err != nil {
+		return nil, errors.Wrapf(err, "invalid generic resource specification")
+	}
+
+	swarmResources := genericResourcesFromGRPC(resources)
+	for _, res := range swarmResources {
+		if res.NamedResourceSpec != nil {
+			return nil, fmt.Errorf("invalid generic-resource request `%s=%s`, Named Generic Resources is not supported for service create or update", res.NamedResourceSpec.Kind, res.NamedResourceSpec.Value)
+		}
+	}
+
+	return swarmResources, nil
+}
+
+// genericResourcesFromGRPC converts a GRPC GenericResource to a GenericResource
+func genericResourcesFromGRPC(genericRes []*swarmapi.GenericResource) []swarm.GenericResource {
+	var generic []swarm.GenericResource
+	for _, res := range genericRes {
+		var current swarm.GenericResource
+
+		switch r := res.Resource.(type) {
+		case *swarmapi.GenericResource_DiscreteResourceSpec:
+			current.DiscreteResourceSpec = &swarm.DiscreteGenericResource{
+				Kind:  r.DiscreteResourceSpec.Kind,
+				Value: r.DiscreteResourceSpec.Value,
+			}
+		case *swarmapi.GenericResource_NamedResourceSpec:
+			current.NamedResourceSpec = &swarm.NamedGenericResource{
+				Kind:  r.NamedResourceSpec.Kind,
+				Value: r.NamedResourceSpec.Value,
+			}
+		}
+
+		generic = append(generic, current)
+	}
+
+	return generic
+}
+
+func buildGenericResourceMap(genericRes []swarm.GenericResource) (map[string]swarm.GenericResource, error) {
+	m := make(map[string]swarm.GenericResource)
+
+	for _, res := range genericRes {
+		if res.DiscreteResourceSpec == nil {
+			return nil, fmt.Errorf("invalid generic-resource `%+v` for service task", res)
+		}
+
+		_, ok := m[res.DiscreteResourceSpec.Kind]
+		if ok {
+			return nil, fmt.Errorf("duplicate generic-resource `%+v` for service task", res.DiscreteResourceSpec.Kind)
+		}
+
+		m[res.DiscreteResourceSpec.Kind] = res
+	}
+
+	return m, nil
+}
+
+func buildGenericResourceList(genericRes map[string]swarm.GenericResource) []swarm.GenericResource {
+	var l []swarm.GenericResource
+
+	for _, res := range genericRes {
+		l = append(l, res)
+	}
+
+	return l
+}
diff --git a/cli/cli/command/service/generic_resource_opts_test.go b/cli/cli/command/service/generic_resource_opts_test.go
new file mode 100644
index 00000000..c750f1dc
--- /dev/null
+++ b/cli/cli/command/service/generic_resource_opts_test.go
@@ -0,0 +1,23 @@
+package service
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestValidateSingleGenericResource(t *testing.T) {
+	incorrect := []string{"foo", "fooo-bar"}
+	correct := []string{"foo=bar", "bar=1", "foo=barbar"}
+
+	for _, v := range incorrect {
+		_, err := ValidateSingleGenericResource(v)
+		assert.Check(t, is.ErrorContains(err, ""))
+	}
+
+	for _, v := range correct {
+		_, err := ValidateSingleGenericResource(v)
+		assert.NilError(t, err)
+	}
+}
diff --git a/cli/cli/command/service/helpers.go b/cli/cli/command/service/helpers.go
new file mode 100644
index 00000000..eb508e85
--- /dev/null
+++ b/cli/cli/command/service/helpers.go
@@ -0,0 +1,33 @@
+package service
+
+import (
+	"context"
+	"io"
+	"io/ioutil"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/service/progress"
+	"github.com/docker/docker/pkg/jsonmessage"
+)
+
+// waitOnService waits for the service to converge. It outputs a progress bar,
+// if appropriate based on the CLI flags.
+func waitOnService(ctx context.Context, dockerCli command.Cli, serviceID string, quiet bool) error {
+	errChan := make(chan error, 1)
+	pipeReader, pipeWriter := io.Pipe()
+
+	go func() {
+		errChan <- progress.ServiceProgress(ctx, dockerCli.Client(), serviceID, pipeWriter)
+	}()
+
+	if quiet {
+		go io.Copy(ioutil.Discard, pipeReader)
+		return <-errChan
+	}
+
+	err := jsonmessage.DisplayJSONMessagesToStream(pipeReader, dockerCli.Out(), nil)
+	if err == nil {
+		err = <-errChan
+	}
+	return err
+}
diff --git a/cli/cli/command/service/inspect.go b/cli/cli/command/service/inspect.go
new file mode 100644
index 00000000..7f988fae
--- /dev/null
+++ b/cli/cli/command/service/inspect.go
@@ -0,0 +1,93 @@
+package service
+
+import (
+	"context"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/docker/api/types"
+	apiclient "github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	refs   []string
+	format string
+	pretty bool
+}
+
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] SERVICE [SERVICE...]",
+		Short: "Display detailed information on one or more services",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.refs = args
+
+			if opts.pretty && len(opts.format) > 0 {
+				return errors.Errorf("--format is incompatible with human friendly format")
+			}
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	flags.BoolVar(&opts.pretty, "pretty", false, "Print the information in a human friendly format")
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	if opts.pretty {
+		opts.format = "pretty"
+	}
+
+	getRef := func(ref string) (interface{}, []byte, error) {
+		// Service inspect shows defaults values in empty fields.
+		service, _, err := client.ServiceInspectWithRaw(ctx, ref, types.ServiceInspectOptions{InsertDefaults: true})
+		if err == nil || !apiclient.IsErrNotFound(err) {
+			return service, nil, err
+		}
+		return nil, nil, errors.Errorf("Error: no such service: %s", ref)
+	}
+
+	getNetwork := func(ref string) (interface{}, []byte, error) {
+		network, _, err := client.NetworkInspectWithRaw(ctx, ref, types.NetworkInspectOptions{Scope: "swarm"})
+		if err == nil || !apiclient.IsErrNotFound(err) {
+			return network, nil, err
+		}
+		return nil, nil, errors.Errorf("Error: no such network: %s", ref)
+	}
+
+	f := opts.format
+	if len(f) == 0 {
+		f = "raw"
+		if len(dockerCli.ConfigFile().ServiceInspectFormat) > 0 {
+			f = dockerCli.ConfigFile().ServiceInspectFormat
+		}
+	}
+
+	// check if the user is trying to apply a template to the pretty format, which
+	// is not supported
+	if strings.HasPrefix(f, "pretty") && f != "pretty" {
+		return errors.Errorf("Cannot supply extra formatting options to the pretty template")
+	}
+
+	serviceCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewServiceFormat(f),
+	}
+
+	if err := formatter.ServiceInspectWrite(serviceCtx, opts.refs, getRef, getNetwork); err != nil {
+		return cli.StatusError{StatusCode: 1, Status: err.Error()}
+	}
+	return nil
+}
diff --git a/cli/cli/command/service/inspect_test.go b/cli/cli/command/service/inspect_test.go
new file mode 100644
index 00000000..c27a9a88
--- /dev/null
+++ b/cli/cli/command/service/inspect_test.go
@@ -0,0 +1,160 @@
+package service
+
+import (
+	"bytes"
+	"encoding/json"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func formatServiceInspect(t *testing.T, format formatter.Format, now time.Time) string {
+	b := new(bytes.Buffer)
+
+	endpointSpec := &swarm.EndpointSpec{
+		Mode: "vip",
+		Ports: []swarm.PortConfig{
+			{
+				Protocol:   swarm.PortConfigProtocolTCP,
+				TargetPort: 5000,
+			},
+		},
+	}
+
+	two := uint64(2)
+
+	s := swarm.Service{
+		ID: "de179gar9d0o7ltdybungplod",
+		Meta: swarm.Meta{
+			Version:   swarm.Version{Index: 315},
+			CreatedAt: now,
+			UpdatedAt: now,
+		},
+		Spec: swarm.ServiceSpec{
+			Annotations: swarm.Annotations{
+				Name:   "my_service",
+				Labels: map[string]string{"com.label": "foo"},
+			},
+			TaskTemplate: swarm.TaskSpec{
+				ContainerSpec: &swarm.ContainerSpec{
+					Image: "foo/bar@sha256:this_is_a_test",
+					Configs: []*swarm.ConfigReference{
+						{
+							ConfigID:   "mtc3i44r1awdoziy2iceg73z8",
+							ConfigName: "configtest.conf",
+							File: &swarm.ConfigReferenceFileTarget{
+								Name: "/configtest.conf",
+							},
+						},
+					},
+					Secrets: []*swarm.SecretReference{
+						{
+							SecretID:   "3hv39ehbbb4hdozo7spod9ftn",
+							SecretName: "secrettest.conf",
+							File: &swarm.SecretReferenceFileTarget{
+								Name: "/secrettest.conf",
+							},
+						},
+					},
+				},
+				Networks: []swarm.NetworkAttachmentConfig{
+					{
+						Target:  "5vpyomhb6ievnk0i0o60gcnei",
+						Aliases: []string{"web"},
+					},
+				},
+			},
+			Mode: swarm.ServiceMode{
+				Replicated: &swarm.ReplicatedService{
+					Replicas: &two,
+				},
+			},
+			EndpointSpec: endpointSpec,
+		},
+		Endpoint: swarm.Endpoint{
+			Spec: *endpointSpec,
+			Ports: []swarm.PortConfig{
+				{
+					Protocol:      swarm.PortConfigProtocolTCP,
+					TargetPort:    5000,
+					PublishedPort: 30000,
+				},
+			},
+			VirtualIPs: []swarm.EndpointVirtualIP{
+				{
+					NetworkID: "6o4107cj2jx9tihgb0jyts6pj",
+					Addr:      "10.255.0.4/16",
+				},
+			},
+		},
+		UpdateStatus: &swarm.UpdateStatus{
+			StartedAt:   &now,
+			CompletedAt: &now,
+		},
+	}
+
+	ctx := formatter.Context{
+		Output: b,
+		Format: format,
+	}
+
+	err := formatter.ServiceInspectWrite(ctx, []string{"de179gar9d0o7ltdybungplod"},
+		func(ref string) (interface{}, []byte, error) {
+			return s, nil, nil
+		},
+		func(ref string) (interface{}, []byte, error) {
+			return types.NetworkResource{
+				ID:   "5vpyomhb6ievnk0i0o60gcnei",
+				Name: "mynetwork",
+			}, nil, nil
+		},
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return b.String()
+}
+
+func TestPrettyPrintWithNoUpdateConfig(t *testing.T) {
+	s := formatServiceInspect(t, formatter.NewServiceFormat("pretty"), time.Now())
+	if strings.Contains(s, "UpdateStatus") {
+		t.Fatal("Pretty print failed before parsing UpdateStatus")
+	}
+	if !strings.Contains(s, "mynetwork") {
+		t.Fatal("network name not found in inspect output")
+	}
+}
+
+func TestJSONFormatWithNoUpdateConfig(t *testing.T) {
+	now := time.Now()
+	// s1: [{"ID":..}]
+	// s2: {"ID":..}
+	s1 := formatServiceInspect(t, formatter.NewServiceFormat(""), now)
+	s2 := formatServiceInspect(t, formatter.NewServiceFormat("{{json .}}"), now)
+	var m1Wrap []map[string]interface{}
+	if err := json.Unmarshal([]byte(s1), &m1Wrap); err != nil {
+		t.Fatal(err)
+	}
+	if len(m1Wrap) != 1 {
+		t.Fatalf("strange s1=%s", s1)
+	}
+	m1 := m1Wrap[0]
+	var m2 map[string]interface{}
+	if err := json.Unmarshal([]byte(s2), &m2); err != nil {
+		t.Fatal(err)
+	}
+	assert.Check(t, is.DeepEqual(m1, m2))
+}
+
+func TestPrettyPrintWithConfigsAndSecrets(t *testing.T) {
+	s := formatServiceInspect(t, formatter.NewServiceFormat("pretty"), time.Now())
+
+	assert.Check(t, is.Contains(s, "Configs:"), "Pretty print missing configs")
+	assert.Check(t, is.Contains(s, "Secrets:"), "Pretty print missing secrets")
+}
diff --git a/cli/cli/command/service/list.go b/cli/cli/command/service/list.go
new file mode 100644
index 00000000..db4b0376
--- /dev/null
+++ b/cli/cli/command/service/list.go
@@ -0,0 +1,139 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"sort"
+
+	"vbom.ml/util/sortorder"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/spf13/cobra"
+)
+
+type listOptions struct {
+	quiet  bool
+	format string
+	filter opts.FilterOpt
+}
+
+func newListCommand(dockerCli command.Cli) *cobra.Command {
+	options := listOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS]",
+		Aliases: []string{"list"},
+		Short:   "List services",
+		Args:    cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runList(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display IDs")
+	flags.StringVar(&options.format, "format", "", "Pretty-print services using a Go template")
+	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")
+
+	return cmd
+}
+
+type byName []swarm.Service
+
+func (n byName) Len() int           { return len(n) }
+func (n byName) Swap(i, j int)      { n[i], n[j] = n[j], n[i] }
+func (n byName) Less(i, j int) bool { return sortorder.NaturalLess(n[i].Spec.Name, n[j].Spec.Name) }
+
+func runList(dockerCli command.Cli, options listOptions) error {
+	ctx := context.Background()
+	client := dockerCli.Client()
+
+	serviceFilters := options.filter.Value()
+	services, err := client.ServiceList(ctx, types.ServiceListOptions{Filters: serviceFilters})
+	if err != nil {
+		return err
+	}
+
+	sort.Sort(byName(services))
+	info := map[string]formatter.ServiceListInfo{}
+	if len(services) > 0 && !options.quiet {
+		// only non-empty services and not quiet, should we call TaskList and NodeList api
+		taskFilter := filters.NewArgs()
+		for _, service := range services {
+			taskFilter.Add("service", service.ID)
+		}
+
+		tasks, err := client.TaskList(ctx, types.TaskListOptions{Filters: taskFilter})
+		if err != nil {
+			return err
+		}
+
+		nodes, err := client.NodeList(ctx, types.NodeListOptions{})
+		if err != nil {
+			return err
+		}
+
+		info = GetServicesStatus(services, nodes, tasks)
+	}
+
+	format := options.format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().ServicesFormat) > 0 && !options.quiet {
+			format = dockerCli.ConfigFile().ServicesFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+
+	servicesCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewServiceListFormat(format, options.quiet),
+	}
+	return formatter.ServiceListWrite(servicesCtx, services, info)
+}
+
+// GetServicesStatus returns a map of mode and replicas
+func GetServicesStatus(services []swarm.Service, nodes []swarm.Node, tasks []swarm.Task) map[string]formatter.ServiceListInfo {
+	running := map[string]int{}
+	tasksNoShutdown := map[string]int{}
+
+	activeNodes := make(map[string]struct{})
+	for _, n := range nodes {
+		if n.Status.State != swarm.NodeStateDown {
+			activeNodes[n.ID] = struct{}{}
+		}
+	}
+
+	for _, task := range tasks {
+		if task.DesiredState != swarm.TaskStateShutdown {
+			tasksNoShutdown[task.ServiceID]++
+		}
+
+		if _, nodeActive := activeNodes[task.NodeID]; nodeActive && task.Status.State == swarm.TaskStateRunning {
+			running[task.ServiceID]++
+		}
+	}
+
+	info := map[string]formatter.ServiceListInfo{}
+	for _, service := range services {
+		info[service.ID] = formatter.ServiceListInfo{}
+		if service.Spec.Mode.Replicated != nil && service.Spec.Mode.Replicated.Replicas != nil {
+			info[service.ID] = formatter.ServiceListInfo{
+				Mode:     "replicated",
+				Replicas: fmt.Sprintf("%d/%d", running[service.ID], *service.Spec.Mode.Replicated.Replicas),
+			}
+		} else if service.Spec.Mode.Global != nil {
+			info[service.ID] = formatter.ServiceListInfo{
+				Mode:     "global",
+				Replicas: fmt.Sprintf("%d/%d", running[service.ID], tasksNoShutdown[service.ID]),
+			}
+		}
+	}
+	return info
+}
diff --git a/cli/cli/command/service/list_test.go b/cli/cli/command/service/list_test.go
new file mode 100644
index 00000000..e52e7e03
--- /dev/null
+++ b/cli/cli/command/service/list_test.go
@@ -0,0 +1,28 @@
+package service
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestServiceListOrder(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				newService("a57dbe8", "service-1-foo"),
+				newService("a57dbdd", "service-10-foo"),
+				newService("aaaaaaa", "service-2-foo"),
+			}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	cmd.Flags().Set("format", "{{.Name}}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "service-list-sort.golden")
+}
diff --git a/cli/cli/command/service/logs.go b/cli/cli/command/service/logs.go
new file mode 100644
index 00000000..107c9d21
--- /dev/null
+++ b/cli/cli/command/service/logs.go
@@ -0,0 +1,349 @@
+package service
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/idresolver"
+	"github.com/docker/cli/service/logs"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type logsOptions struct {
+	noResolve  bool
+	noTrunc    bool
+	noTaskIDs  bool
+	follow     bool
+	since      string
+	timestamps bool
+	tail       string
+	details    bool
+	raw        bool
+
+	target string
+}
+
+func newLogsCommand(dockerCli command.Cli) *cobra.Command {
+	var opts logsOptions
+
+	cmd := &cobra.Command{
+		Use:   "logs [OPTIONS] SERVICE|TASK",
+		Short: "Fetch the logs of a service or task",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.target = args[0]
+			return runLogs(dockerCli, &opts)
+		},
+		Annotations: map[string]string{"version": "1.29"},
+	}
+
+	flags := cmd.Flags()
+	// options specific to service logs
+	flags.BoolVar(&opts.noResolve, "no-resolve", false, "Do not map IDs to Names in output")
+	flags.BoolVar(&opts.noTrunc, "no-trunc", false, "Do not truncate output")
+	flags.BoolVar(&opts.raw, "raw", false, "Do not neatly format logs")
+	flags.SetAnnotation("raw", "version", []string{"1.30"})
+	flags.BoolVar(&opts.noTaskIDs, "no-task-ids", false, "Do not include task IDs in output")
+	// options identical to container logs
+	flags.BoolVarP(&opts.follow, "follow", "f", false, "Follow log output")
+	flags.StringVar(&opts.since, "since", "", "Show logs since timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)")
+	flags.BoolVarP(&opts.timestamps, "timestamps", "t", false, "Show timestamps")
+	flags.BoolVar(&opts.details, "details", false, "Show extra details provided to logs")
+	flags.SetAnnotation("details", "version", []string{"1.30"})
+	flags.StringVar(&opts.tail, "tail", "all", "Number of lines to show from the end of the logs")
+	return cmd
+}
+
+func runLogs(dockerCli command.Cli, opts *logsOptions) error {
+	ctx := context.Background()
+
+	options := types.ContainerLogsOptions{
+		ShowStdout: true,
+		ShowStderr: true,
+		Since:      opts.since,
+		Timestamps: opts.timestamps,
+		Follow:     opts.follow,
+		Tail:       opts.tail,
+		// get the details if we request it OR if we're not doing raw mode
+		// (we need them for the context to pretty print)
+		Details: opts.details || !opts.raw,
+	}
+
+	cli := dockerCli.Client()
+
+	var (
+		maxLength    = 1
+		responseBody io.ReadCloser
+		tty          bool
+		// logfunc is used to delay the call to logs so that we can do some
+		// processing before we actually get the logs
+		logfunc func(context.Context, string, types.ContainerLogsOptions) (io.ReadCloser, error)
+	)
+
+	service, _, err := cli.ServiceInspectWithRaw(ctx, opts.target, types.ServiceInspectOptions{})
+	if err != nil {
+		// if it's any error other than service not found, it's Real
+		if !client.IsErrNotFound(err) {
+			return err
+		}
+		task, _, err := cli.TaskInspectWithRaw(ctx, opts.target)
+		if err != nil {
+			if client.IsErrNotFound(err) {
+				// if the task isn't found, rewrite the error to be clear
+				// that we looked for services AND tasks and found none
+				err = fmt.Errorf("no such task or service: %v", opts.target)
+			}
+			return err
+		}
+
+		tty = task.Spec.ContainerSpec.TTY
+		maxLength = getMaxLength(task.Slot)
+
+		// use the TaskLogs api function
+		logfunc = cli.TaskLogs
+	} else {
+		// use ServiceLogs api function
+		logfunc = cli.ServiceLogs
+		tty = service.Spec.TaskTemplate.ContainerSpec.TTY
+		if service.Spec.Mode.Replicated != nil && service.Spec.Mode.Replicated.Replicas != nil {
+			// if replicas are initialized, figure out if we need to pad them
+			replicas := *service.Spec.Mode.Replicated.Replicas
+			maxLength = getMaxLength(int(replicas))
+		}
+	}
+
+	// we can't prettify tty logs. tell the user that this is the case.
+	// this is why we assign the logs function to a variable and delay calling
+	// it. we want to check this before we make the call and checking twice in
+	// each branch is even sloppier than this CLI disaster already is
+	if tty && !opts.raw {
+		return errors.New("tty service logs only supported with --raw")
+	}
+
+	// now get the logs
+	responseBody, err = logfunc(ctx, opts.target, options)
+	if err != nil {
+		return err
+	}
+	defer responseBody.Close()
+
+	// tty logs get straight copied. they're not muxed with stdcopy
+	if tty {
+		_, err = io.Copy(dockerCli.Out(), responseBody)
+		return err
+	}
+
+	// otherwise, logs are multiplexed. if we're doing pretty printing, also
+	// create a task formatter.
+	var stdout, stderr io.Writer
+	stdout = dockerCli.Out()
+	stderr = dockerCli.Err()
+	if !opts.raw {
+		taskFormatter := newTaskFormatter(cli, opts, maxLength)
+
+		stdout = &logWriter{ctx: ctx, opts: opts, f: taskFormatter, w: stdout}
+		stderr = &logWriter{ctx: ctx, opts: opts, f: taskFormatter, w: stderr}
+	}
+
+	_, err = stdcopy.StdCopy(stdout, stderr, responseBody)
+	return err
+}
+
+// getMaxLength gets the maximum length of the number in base 10
+func getMaxLength(i int) int {
+	return len(strconv.Itoa(i))
+}
+
+type taskFormatter struct {
+	client  client.APIClient
+	opts    *logsOptions
+	padding int
+
+	r *idresolver.IDResolver
+	// cache saves a pre-cooked logContext formatted string based on a
+	// logcontext object, so we don't have to resolve names every time
+	cache map[logContext]string
+}
+
+func newTaskFormatter(client client.APIClient, opts *logsOptions, padding int) *taskFormatter {
+	return &taskFormatter{
+		client:  client,
+		opts:    opts,
+		padding: padding,
+		r:       idresolver.New(client, opts.noResolve),
+		cache:   make(map[logContext]string),
+	}
+}
+
+func (f *taskFormatter) format(ctx context.Context, logCtx logContext) (string, error) {
+	if cached, ok := f.cache[logCtx]; ok {
+		return cached, nil
+	}
+
+	nodeName, err := f.r.Resolve(ctx, swarm.Node{}, logCtx.nodeID)
+	if err != nil {
+		return "", err
+	}
+
+	serviceName, err := f.r.Resolve(ctx, swarm.Service{}, logCtx.serviceID)
+	if err != nil {
+		return "", err
+	}
+
+	task, _, err := f.client.TaskInspectWithRaw(ctx, logCtx.taskID)
+	if err != nil {
+		return "", err
+	}
+
+	taskName := fmt.Sprintf("%s.%d", serviceName, task.Slot)
+	if !f.opts.noTaskIDs {
+		if f.opts.noTrunc {
+			taskName += fmt.Sprintf(".%s", task.ID)
+		} else {
+			taskName += fmt.Sprintf(".%s", stringid.TruncateID(task.ID))
+		}
+	}
+
+	paddingCount := f.padding - getMaxLength(task.Slot)
+	padding := ""
+	if paddingCount > 0 {
+		padding = strings.Repeat(" ", paddingCount)
+	}
+	formatted := taskName + "@" + nodeName + padding
+	f.cache[logCtx] = formatted
+	return formatted, nil
+}
+
+type logWriter struct {
+	ctx  context.Context
+	opts *logsOptions
+	f    *taskFormatter
+	w    io.Writer
+}
+
+func (lw *logWriter) Write(buf []byte) (int, error) {
+	// this works but ONLY because stdcopy calls write a whole line at a time.
+	// if this ends up horribly broken or panics, check to see if stdcopy has
+	// reneged on that assumption. (@god forgive me)
+	// also this only works because the logs format is, like, barely parsable.
+	// if something changes in the logs format, this is gonna break
+
+	// there should always be at least 2 parts: details and message. if there
+	// is no timestamp, details will be first (index 0) when we split on
+	// spaces. if there is a timestamp, details will be 2nd (`index 1)
+	detailsIndex := 0
+	numParts := 2
+	if lw.opts.timestamps {
+		detailsIndex++
+		numParts++
+	}
+
+	// break up the log line into parts.
+	parts := bytes.SplitN(buf, []byte(" "), numParts)
+	if len(parts) != numParts {
+		return 0, errors.Errorf("invalid context in log message: %v", string(buf))
+	}
+	// parse the details out
+	details, err := logs.ParseLogDetails(string(parts[detailsIndex]))
+	if err != nil {
+		return 0, err
+	}
+	// and then create a context from the details
+	// this removes the context-specific details from the details map, so we
+	// can more easily print the details later
+	logCtx, err := lw.parseContext(details)
+	if err != nil {
+		return 0, err
+	}
+
+	output := []byte{}
+	// if we included timestamps, add them to the front
+	if lw.opts.timestamps {
+		output = append(output, parts[0]...)
+		output = append(output, ' ')
+	}
+	// add the context, nice and formatted
+	formatted, err := lw.f.format(lw.ctx, logCtx)
+	if err != nil {
+		return 0, err
+	}
+	output = append(output, []byte(formatted+"    | ")...)
+	// if the user asked for details, add them to be log message
+	if lw.opts.details {
+		// ugh i hate this it's basically a dupe of api/server/httputils/write_log_stream.go:stringAttrs()
+		// ok but we're gonna do it a bit different
+
+		// there are optimizations that can be made here. for starters, i'd
+		// suggest caching the details keys. then, we can maybe draw maps and
+		// slices from a pool to avoid alloc overhead on them. idk if it's
+		// worth the time yet.
+
+		// first we need a slice
+		d := make([]string, 0, len(details))
+		// then let's add all the pairs
+		for k := range details {
+			d = append(d, k+"="+details[k])
+		}
+		// then sort em
+		sort.Strings(d)
+		// then join and append
+		output = append(output, []byte(strings.Join(d, ","))...)
+		output = append(output, ' ')
+	}
+
+	// add the log message itself, finally
+	output = append(output, parts[detailsIndex+1]...)
+
+	_, err = lw.w.Write(output)
+	if err != nil {
+		return 0, err
+	}
+
+	return len(buf), nil
+}
+
+// parseContext returns a log context and REMOVES the context from the details map
+func (lw *logWriter) parseContext(details map[string]string) (logContext, error) {
+	nodeID, ok := details["com.docker.swarm.node.id"]
+	if !ok {
+		return logContext{}, errors.Errorf("missing node id in details: %v", details)
+	}
+	delete(details, "com.docker.swarm.node.id")
+
+	serviceID, ok := details["com.docker.swarm.service.id"]
+	if !ok {
+		return logContext{}, errors.Errorf("missing service id in details: %v", details)
+	}
+	delete(details, "com.docker.swarm.service.id")
+
+	taskID, ok := details["com.docker.swarm.task.id"]
+	if !ok {
+		return logContext{}, errors.Errorf("missing task id in details: %s", details)
+	}
+	delete(details, "com.docker.swarm.task.id")
+
+	return logContext{
+		nodeID:    nodeID,
+		serviceID: serviceID,
+		taskID:    taskID,
+	}, nil
+}
+
+type logContext struct {
+	nodeID    string
+	serviceID string
+	taskID    string
+}
diff --git a/cli/cli/command/service/opts.go b/cli/cli/command/service/opts.go
new file mode 100644
index 00000000..6a9591ab
--- /dev/null
+++ b/cli/cli/command/service/opts.go
@@ -0,0 +1,909 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/api/defaults"
+	shlex "github.com/flynn-archive/go-shlex"
+	gogotypes "github.com/gogo/protobuf/types"
+	"github.com/pkg/errors"
+	"github.com/spf13/pflag"
+)
+
+type int64Value interface {
+	Value() int64
+}
+
+// Uint64Opt represents a uint64.
+type Uint64Opt struct {
+	value *uint64
+}
+
+// Set a new value on the option
+func (i *Uint64Opt) Set(s string) error {
+	v, err := strconv.ParseUint(s, 0, 64)
+	i.value = &v
+	return err
+}
+
+// Type returns the type of this option, which will be displayed in `--help` output
+func (i *Uint64Opt) Type() string {
+	return "uint"
+}
+
+// String returns a string repr of this option
+func (i *Uint64Opt) String() string {
+	if i.value != nil {
+		return fmt.Sprintf("%v", *i.value)
+	}
+	return ""
+}
+
+// Value returns the uint64
+func (i *Uint64Opt) Value() *uint64 {
+	return i.value
+}
+
+type floatValue float32
+
+func (f *floatValue) Set(s string) error {
+	v, err := strconv.ParseFloat(s, 32)
+	*f = floatValue(v)
+	return err
+}
+
+func (f *floatValue) Type() string {
+	return "float"
+}
+
+func (f *floatValue) String() string {
+	return strconv.FormatFloat(float64(*f), 'g', -1, 32)
+}
+
+func (f *floatValue) Value() float32 {
+	return float32(*f)
+}
+
+// placementPrefOpts holds a list of placement preferences.
+type placementPrefOpts struct {
+	prefs   []swarm.PlacementPreference
+	strings []string
+}
+
+func (opts *placementPrefOpts) String() string {
+	if len(opts.strings) == 0 {
+		return ""
+	}
+	return fmt.Sprintf("%v", opts.strings)
+}
+
+// Set validates the input value and adds it to the internal slices.
+// Note: in the future strategies other than "spread", may be supported,
+// as well as additional comma-separated options.
+func (opts *placementPrefOpts) Set(value string) error {
+	fields := strings.Split(value, "=")
+	if len(fields) != 2 {
+		return errors.New(`placement preference must be of the format "<strategy>=<arg>"`)
+	}
+	if fields[0] != "spread" {
+		return errors.Errorf("unsupported placement preference %s (only spread is supported)", fields[0])
+	}
+
+	opts.prefs = append(opts.prefs, swarm.PlacementPreference{
+		Spread: &swarm.SpreadOver{
+			SpreadDescriptor: fields[1],
+		},
+	})
+	opts.strings = append(opts.strings, value)
+	return nil
+}
+
+// Type returns a string name for this Option type
+func (opts *placementPrefOpts) Type() string {
+	return "pref"
+}
+
+// ShlexOpt is a flag Value which parses a string as a list of shell words
+type ShlexOpt []string
+
+// Set the value
+func (s *ShlexOpt) Set(value string) error {
+	valueSlice, err := shlex.Split(value)
+	*s = ShlexOpt(valueSlice)
+	return err
+}
+
+// Type returns the tyep of the value
+func (s *ShlexOpt) Type() string {
+	return "command"
+}
+
+func (s *ShlexOpt) String() string {
+	if len(*s) == 0 {
+		return ""
+	}
+	return fmt.Sprint(*s)
+}
+
+// Value returns the value as a string slice
+func (s *ShlexOpt) Value() []string {
+	return []string(*s)
+}
+
+type updateOptions struct {
+	parallelism     uint64
+	delay           time.Duration
+	monitor         time.Duration
+	onFailure       string
+	maxFailureRatio floatValue
+	order           string
+}
+
+func updateConfigFromDefaults(defaultUpdateConfig *api.UpdateConfig) *swarm.UpdateConfig {
+	defaultFailureAction := strings.ToLower(api.UpdateConfig_FailureAction_name[int32(defaultUpdateConfig.FailureAction)])
+	defaultMonitor, _ := gogotypes.DurationFromProto(defaultUpdateConfig.Monitor)
+	return &swarm.UpdateConfig{
+		Parallelism:     defaultUpdateConfig.Parallelism,
+		Delay:           defaultUpdateConfig.Delay,
+		Monitor:         defaultMonitor,
+		FailureAction:   defaultFailureAction,
+		MaxFailureRatio: defaultUpdateConfig.MaxFailureRatio,
+		Order:           defaultOrder(defaultUpdateConfig.Order),
+	}
+}
+
+func (opts updateOptions) updateConfig(flags *pflag.FlagSet) *swarm.UpdateConfig {
+	if !anyChanged(flags, flagUpdateParallelism, flagUpdateDelay, flagUpdateMonitor, flagUpdateFailureAction, flagUpdateMaxFailureRatio) {
+		return nil
+	}
+
+	updateConfig := updateConfigFromDefaults(defaults.Service.Update)
+
+	if flags.Changed(flagUpdateParallelism) {
+		updateConfig.Parallelism = opts.parallelism
+	}
+	if flags.Changed(flagUpdateDelay) {
+		updateConfig.Delay = opts.delay
+	}
+	if flags.Changed(flagUpdateMonitor) {
+		updateConfig.Monitor = opts.monitor
+	}
+	if flags.Changed(flagUpdateFailureAction) {
+		updateConfig.FailureAction = opts.onFailure
+	}
+	if flags.Changed(flagUpdateMaxFailureRatio) {
+		updateConfig.MaxFailureRatio = opts.maxFailureRatio.Value()
+	}
+	if flags.Changed(flagUpdateOrder) {
+		updateConfig.Order = opts.order
+	}
+
+	return updateConfig
+}
+
+func (opts updateOptions) rollbackConfig(flags *pflag.FlagSet) *swarm.UpdateConfig {
+	if !anyChanged(flags, flagRollbackParallelism, flagRollbackDelay, flagRollbackMonitor, flagRollbackFailureAction, flagRollbackMaxFailureRatio) {
+		return nil
+	}
+
+	updateConfig := updateConfigFromDefaults(defaults.Service.Rollback)
+
+	if flags.Changed(flagRollbackParallelism) {
+		updateConfig.Parallelism = opts.parallelism
+	}
+	if flags.Changed(flagRollbackDelay) {
+		updateConfig.Delay = opts.delay
+	}
+	if flags.Changed(flagRollbackMonitor) {
+		updateConfig.Monitor = opts.monitor
+	}
+	if flags.Changed(flagRollbackFailureAction) {
+		updateConfig.FailureAction = opts.onFailure
+	}
+	if flags.Changed(flagRollbackMaxFailureRatio) {
+		updateConfig.MaxFailureRatio = opts.maxFailureRatio.Value()
+	}
+	if flags.Changed(flagRollbackOrder) {
+		updateConfig.Order = opts.order
+	}
+
+	return updateConfig
+}
+
+type resourceOptions struct {
+	limitCPU            opts.NanoCPUs
+	limitMemBytes       opts.MemBytes
+	resCPU              opts.NanoCPUs
+	resMemBytes         opts.MemBytes
+	resGenericResources []string
+}
+
+func (r *resourceOptions) ToResourceRequirements() (*swarm.ResourceRequirements, error) {
+	generic, err := ParseGenericResources(r.resGenericResources)
+	if err != nil {
+		return nil, err
+	}
+
+	return &swarm.ResourceRequirements{
+		Limits: &swarm.Resources{
+			NanoCPUs:    r.limitCPU.Value(),
+			MemoryBytes: r.limitMemBytes.Value(),
+		},
+		Reservations: &swarm.Resources{
+			NanoCPUs:         r.resCPU.Value(),
+			MemoryBytes:      r.resMemBytes.Value(),
+			GenericResources: generic,
+		},
+	}, nil
+}
+
+type restartPolicyOptions struct {
+	condition   string
+	delay       opts.DurationOpt
+	maxAttempts Uint64Opt
+	window      opts.DurationOpt
+}
+
+func defaultRestartPolicy() *swarm.RestartPolicy {
+	defaultMaxAttempts := defaults.Service.Task.Restart.MaxAttempts
+	rp := &swarm.RestartPolicy{
+		MaxAttempts: &defaultMaxAttempts,
+	}
+
+	if defaults.Service.Task.Restart.Delay != nil {
+		defaultRestartDelay, _ := gogotypes.DurationFromProto(defaults.Service.Task.Restart.Delay)
+		rp.Delay = &defaultRestartDelay
+	}
+	if defaults.Service.Task.Restart.Window != nil {
+		defaultRestartWindow, _ := gogotypes.DurationFromProto(defaults.Service.Task.Restart.Window)
+		rp.Window = &defaultRestartWindow
+	}
+	rp.Condition = defaultRestartCondition()
+
+	return rp
+}
+
+func defaultRestartCondition() swarm.RestartPolicyCondition {
+	switch defaults.Service.Task.Restart.Condition {
+	case api.RestartOnNone:
+		return "none"
+	case api.RestartOnFailure:
+		return "on-failure"
+	case api.RestartOnAny:
+		return "any"
+	default:
+		return ""
+	}
+}
+
+func defaultOrder(order api.UpdateConfig_UpdateOrder) string {
+	switch order {
+	case api.UpdateConfig_STOP_FIRST:
+		return "stop-first"
+	case api.UpdateConfig_START_FIRST:
+		return "start-first"
+	default:
+		return ""
+	}
+}
+
+func (r *restartPolicyOptions) ToRestartPolicy(flags *pflag.FlagSet) *swarm.RestartPolicy {
+	if !anyChanged(flags, flagRestartDelay, flagRestartMaxAttempts, flagRestartWindow, flagRestartCondition) {
+		return nil
+	}
+
+	restartPolicy := defaultRestartPolicy()
+
+	if flags.Changed(flagRestartDelay) {
+		restartPolicy.Delay = r.delay.Value()
+	}
+	if flags.Changed(flagRestartCondition) {
+		restartPolicy.Condition = swarm.RestartPolicyCondition(r.condition)
+	}
+	if flags.Changed(flagRestartMaxAttempts) {
+		restartPolicy.MaxAttempts = r.maxAttempts.Value()
+	}
+	if flags.Changed(flagRestartWindow) {
+		restartPolicy.Window = r.window.Value()
+	}
+
+	return restartPolicy
+}
+
+type credentialSpecOpt struct {
+	value  *swarm.CredentialSpec
+	source string
+}
+
+func (c *credentialSpecOpt) Set(value string) error {
+	c.source = value
+	c.value = &swarm.CredentialSpec{}
+	switch {
+	case strings.HasPrefix(value, "file://"):
+		c.value.File = strings.TrimPrefix(value, "file://")
+	case strings.HasPrefix(value, "registry://"):
+		c.value.Registry = strings.TrimPrefix(value, "registry://")
+	default:
+		return errors.New("Invalid credential spec - value must be prefixed file:// or registry:// followed by a value")
+	}
+
+	return nil
+}
+
+func (c *credentialSpecOpt) Type() string {
+	return "credential-spec"
+}
+
+func (c *credentialSpecOpt) String() string {
+	return c.source
+}
+
+func (c *credentialSpecOpt) Value() *swarm.CredentialSpec {
+	return c.value
+}
+
+func resolveNetworkID(ctx context.Context, apiClient client.NetworkAPIClient, networkIDOrName string) (string, error) {
+	nw, err := apiClient.NetworkInspect(ctx, networkIDOrName, types.NetworkInspectOptions{Scope: "swarm"})
+	return nw.ID, err
+}
+
+func convertNetworks(networks opts.NetworkOpt) []swarm.NetworkAttachmentConfig {
+	var netAttach []swarm.NetworkAttachmentConfig
+	for _, net := range networks.Value() {
+		netAttach = append(netAttach, swarm.NetworkAttachmentConfig{
+			Target:     net.Target,
+			Aliases:    net.Aliases,
+			DriverOpts: net.DriverOpts,
+		})
+	}
+	return netAttach
+}
+
+type endpointOptions struct {
+	mode         string
+	publishPorts opts.PortOpt
+}
+
+func (e *endpointOptions) ToEndpointSpec() *swarm.EndpointSpec {
+	return &swarm.EndpointSpec{
+		Mode:  swarm.ResolutionMode(strings.ToLower(e.mode)),
+		Ports: e.publishPorts.Value(),
+	}
+}
+
+type logDriverOptions struct {
+	name string
+	opts opts.ListOpts
+}
+
+func newLogDriverOptions() logDriverOptions {
+	return logDriverOptions{opts: opts.NewListOpts(opts.ValidateEnv)}
+}
+
+func (ldo *logDriverOptions) toLogDriver() *swarm.Driver {
+	if ldo.name == "" {
+		return nil
+	}
+
+	// set the log driver only if specified.
+	return &swarm.Driver{
+		Name:    ldo.name,
+		Options: opts.ConvertKVStringsToMap(ldo.opts.GetAll()),
+	}
+}
+
+type healthCheckOptions struct {
+	cmd           string
+	interval      opts.PositiveDurationOpt
+	timeout       opts.PositiveDurationOpt
+	retries       int
+	startPeriod   opts.PositiveDurationOpt
+	noHealthcheck bool
+}
+
+func (opts *healthCheckOptions) toHealthConfig() (*container.HealthConfig, error) {
+	var healthConfig *container.HealthConfig
+	haveHealthSettings := opts.cmd != "" ||
+		opts.interval.Value() != nil ||
+		opts.timeout.Value() != nil ||
+		opts.retries != 0
+	if opts.noHealthcheck {
+		if haveHealthSettings {
+			return nil, errors.Errorf("--%s conflicts with --health-* options", flagNoHealthcheck)
+		}
+		healthConfig = &container.HealthConfig{Test: []string{"NONE"}}
+	} else if haveHealthSettings {
+		var test []string
+		if opts.cmd != "" {
+			test = []string{"CMD-SHELL", opts.cmd}
+		}
+		var interval, timeout, startPeriod time.Duration
+		if ptr := opts.interval.Value(); ptr != nil {
+			interval = *ptr
+		}
+		if ptr := opts.timeout.Value(); ptr != nil {
+			timeout = *ptr
+		}
+		if ptr := opts.startPeriod.Value(); ptr != nil {
+			startPeriod = *ptr
+		}
+		healthConfig = &container.HealthConfig{
+			Test:        test,
+			Interval:    interval,
+			Timeout:     timeout,
+			Retries:     opts.retries,
+			StartPeriod: startPeriod,
+		}
+	}
+	return healthConfig, nil
+}
+
+// convertExtraHostsToSwarmHosts converts an array of extra hosts in cli
+//     <host>:<ip>
+// into a swarmkit host format:
+//     IP_address canonical_hostname [aliases...]
+// This assumes input value (<host>:<ip>) has already been validated
+func convertExtraHostsToSwarmHosts(extraHosts []string) []string {
+	hosts := []string{}
+	for _, extraHost := range extraHosts {
+		parts := strings.SplitN(extraHost, ":", 2)
+		hosts = append(hosts, fmt.Sprintf("%s %s", parts[1], parts[0]))
+	}
+	return hosts
+}
+
+type serviceOptions struct {
+	detach bool
+	quiet  bool
+
+	name            string
+	labels          opts.ListOpts
+	containerLabels opts.ListOpts
+	image           string
+	entrypoint      ShlexOpt
+	args            []string
+	hostname        string
+	env             opts.ListOpts
+	envFile         opts.ListOpts
+	workdir         string
+	user            string
+	groups          opts.ListOpts
+	credentialSpec  credentialSpecOpt
+	init            bool
+	stopSignal      string
+	tty             bool
+	readOnly        bool
+	mounts          opts.MountOpt
+	dns             opts.ListOpts
+	dnsSearch       opts.ListOpts
+	dnsOption       opts.ListOpts
+	hosts           opts.ListOpts
+
+	resources resourceOptions
+	stopGrace opts.DurationOpt
+
+	replicas Uint64Opt
+	mode     string
+
+	restartPolicy  restartPolicyOptions
+	constraints    opts.ListOpts
+	placementPrefs placementPrefOpts
+	update         updateOptions
+	rollback       updateOptions
+	networks       opts.NetworkOpt
+	endpoint       endpointOptions
+
+	registryAuth   bool
+	noResolveImage bool
+
+	logDriver logDriverOptions
+
+	healthcheck healthCheckOptions
+	secrets     opts.SecretOpt
+	configs     opts.ConfigOpt
+
+	isolation string
+}
+
+func newServiceOptions() *serviceOptions {
+	return &serviceOptions{
+		labels:          opts.NewListOpts(opts.ValidateEnv),
+		constraints:     opts.NewListOpts(nil),
+		containerLabels: opts.NewListOpts(opts.ValidateEnv),
+		env:             opts.NewListOpts(opts.ValidateEnv),
+		envFile:         opts.NewListOpts(nil),
+		groups:          opts.NewListOpts(nil),
+		logDriver:       newLogDriverOptions(),
+		dns:             opts.NewListOpts(opts.ValidateIPAddress),
+		dnsOption:       opts.NewListOpts(nil),
+		dnsSearch:       opts.NewListOpts(opts.ValidateDNSSearch),
+		hosts:           opts.NewListOpts(opts.ValidateExtraHost),
+	}
+}
+
+func (options *serviceOptions) ToServiceMode() (swarm.ServiceMode, error) {
+	serviceMode := swarm.ServiceMode{}
+	switch options.mode {
+	case "global":
+		if options.replicas.Value() != nil {
+			return serviceMode, errors.Errorf("replicas can only be used with replicated mode")
+		}
+
+		serviceMode.Global = &swarm.GlobalService{}
+	case "replicated":
+		serviceMode.Replicated = &swarm.ReplicatedService{
+			Replicas: options.replicas.Value(),
+		}
+	default:
+		return serviceMode, errors.Errorf("Unknown mode: %s, only replicated and global supported", options.mode)
+	}
+	return serviceMode, nil
+}
+
+func (options *serviceOptions) ToStopGracePeriod(flags *pflag.FlagSet) *time.Duration {
+	if flags.Changed(flagStopGracePeriod) {
+		return options.stopGrace.Value()
+	}
+	return nil
+}
+
+func (options *serviceOptions) ToService(ctx context.Context, apiClient client.NetworkAPIClient, flags *pflag.FlagSet) (swarm.ServiceSpec, error) {
+	var service swarm.ServiceSpec
+
+	envVariables, err := opts.ReadKVEnvStrings(options.envFile.GetAll(), options.env.GetAll())
+	if err != nil {
+		return service, err
+	}
+
+	currentEnv := make([]string, 0, len(envVariables))
+	for _, env := range envVariables { // need to process each var, in order
+		k := strings.SplitN(env, "=", 2)[0]
+		for i, current := range currentEnv { // remove duplicates
+			if current == env {
+				continue // no update required, may hide this behind flag to preserve order of envVariables
+			}
+			if strings.HasPrefix(current, k+"=") {
+				currentEnv = append(currentEnv[:i], currentEnv[i+1:]...)
+			}
+		}
+		currentEnv = append(currentEnv, env)
+	}
+
+	healthConfig, err := options.healthcheck.toHealthConfig()
+	if err != nil {
+		return service, err
+	}
+
+	serviceMode, err := options.ToServiceMode()
+	if err != nil {
+		return service, err
+	}
+
+	networks := convertNetworks(options.networks)
+	for i, net := range networks {
+		nwID, err := resolveNetworkID(ctx, apiClient, net.Target)
+		if err != nil {
+			return service, err
+		}
+		networks[i].Target = nwID
+	}
+	sort.Sort(byNetworkTarget(networks))
+
+	resources, err := options.resources.ToResourceRequirements()
+	if err != nil {
+		return service, err
+	}
+
+	service = swarm.ServiceSpec{
+		Annotations: swarm.Annotations{
+			Name:   options.name,
+			Labels: opts.ConvertKVStringsToMap(options.labels.GetAll()),
+		},
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Image:      options.image,
+				Args:       options.args,
+				Command:    options.entrypoint.Value(),
+				Env:        currentEnv,
+				Hostname:   options.hostname,
+				Labels:     opts.ConvertKVStringsToMap(options.containerLabels.GetAll()),
+				Dir:        options.workdir,
+				User:       options.user,
+				Groups:     options.groups.GetAll(),
+				StopSignal: options.stopSignal,
+				TTY:        options.tty,
+				ReadOnly:   options.readOnly,
+				Mounts:     options.mounts.Value(),
+				Init:       &options.init,
+				DNSConfig: &swarm.DNSConfig{
+					Nameservers: options.dns.GetAll(),
+					Search:      options.dnsSearch.GetAll(),
+					Options:     options.dnsOption.GetAll(),
+				},
+				Hosts:           convertExtraHostsToSwarmHosts(options.hosts.GetAll()),
+				StopGracePeriod: options.ToStopGracePeriod(flags),
+				Healthcheck:     healthConfig,
+				Isolation:       container.Isolation(options.isolation),
+			},
+			Networks:      networks,
+			Resources:     resources,
+			RestartPolicy: options.restartPolicy.ToRestartPolicy(flags),
+			Placement: &swarm.Placement{
+				Constraints: options.constraints.GetAll(),
+				Preferences: options.placementPrefs.prefs,
+			},
+			LogDriver: options.logDriver.toLogDriver(),
+		},
+		Mode:           serviceMode,
+		UpdateConfig:   options.update.updateConfig(flags),
+		RollbackConfig: options.rollback.rollbackConfig(flags),
+		EndpointSpec:   options.endpoint.ToEndpointSpec(),
+	}
+
+	if options.credentialSpec.Value() != nil {
+		service.TaskTemplate.ContainerSpec.Privileges = &swarm.Privileges{
+			CredentialSpec: options.credentialSpec.Value(),
+		}
+	}
+
+	return service, nil
+}
+
+type flagDefaults map[string]interface{}
+
+func (fd flagDefaults) getUint64(flagName string) uint64 {
+	if val, ok := fd[flagName].(uint64); ok {
+		return val
+	}
+	return 0
+}
+
+func (fd flagDefaults) getString(flagName string) string {
+	if val, ok := fd[flagName].(string); ok {
+		return val
+	}
+	return ""
+}
+
+func buildServiceDefaultFlagMapping() flagDefaults {
+	defaultFlagValues := make(map[string]interface{})
+
+	defaultFlagValues[flagStopGracePeriod], _ = gogotypes.DurationFromProto(defaults.Service.Task.GetContainer().StopGracePeriod)
+	defaultFlagValues[flagRestartCondition] = `"` + defaultRestartCondition() + `"`
+	defaultFlagValues[flagRestartDelay], _ = gogotypes.DurationFromProto(defaults.Service.Task.Restart.Delay)
+
+	if defaults.Service.Task.Restart.MaxAttempts != 0 {
+		defaultFlagValues[flagRestartMaxAttempts] = defaults.Service.Task.Restart.MaxAttempts
+	}
+
+	defaultRestartWindow, _ := gogotypes.DurationFromProto(defaults.Service.Task.Restart.Window)
+	if defaultRestartWindow != 0 {
+		defaultFlagValues[flagRestartWindow] = defaultRestartWindow
+	}
+
+	defaultFlagValues[flagUpdateParallelism] = defaults.Service.Update.Parallelism
+	defaultFlagValues[flagUpdateDelay] = defaults.Service.Update.Delay
+	defaultFlagValues[flagUpdateMonitor], _ = gogotypes.DurationFromProto(defaults.Service.Update.Monitor)
+	defaultFlagValues[flagUpdateFailureAction] = `"` + strings.ToLower(api.UpdateConfig_FailureAction_name[int32(defaults.Service.Update.FailureAction)]) + `"`
+	defaultFlagValues[flagUpdateMaxFailureRatio] = defaults.Service.Update.MaxFailureRatio
+	defaultFlagValues[flagUpdateOrder] = `"` + defaultOrder(defaults.Service.Update.Order) + `"`
+
+	defaultFlagValues[flagRollbackParallelism] = defaults.Service.Rollback.Parallelism
+	defaultFlagValues[flagRollbackDelay] = defaults.Service.Rollback.Delay
+	defaultFlagValues[flagRollbackMonitor], _ = gogotypes.DurationFromProto(defaults.Service.Rollback.Monitor)
+	defaultFlagValues[flagRollbackFailureAction] = `"` + strings.ToLower(api.UpdateConfig_FailureAction_name[int32(defaults.Service.Rollback.FailureAction)]) + `"`
+	defaultFlagValues[flagRollbackMaxFailureRatio] = defaults.Service.Rollback.MaxFailureRatio
+	defaultFlagValues[flagRollbackOrder] = `"` + defaultOrder(defaults.Service.Rollback.Order) + `"`
+
+	defaultFlagValues[flagEndpointMode] = "vip"
+
+	return defaultFlagValues
+}
+
+func addDetachFlag(flags *pflag.FlagSet, detach *bool) {
+	flags.BoolVarP(detach, flagDetach, "d", false, "Exit immediately instead of waiting for the service to converge")
+	flags.SetAnnotation(flagDetach, "version", []string{"1.29"})
+}
+
+// addServiceFlags adds all flags that are common to both `create` and `update`.
+// Any flags that are not common are added separately in the individual command
+func addServiceFlags(flags *pflag.FlagSet, opts *serviceOptions, defaultFlagValues flagDefaults) {
+	flagDesc := func(flagName string, desc string) string {
+		if defaultValue, ok := defaultFlagValues[flagName]; ok {
+			return fmt.Sprintf("%s (default %v)", desc, defaultValue)
+		}
+		return desc
+	}
+
+	addDetachFlag(flags, &opts.detach)
+	flags.BoolVarP(&opts.quiet, flagQuiet, "q", false, "Suppress progress output")
+
+	flags.StringVarP(&opts.workdir, flagWorkdir, "w", "", "Working directory inside the container")
+	flags.StringVarP(&opts.user, flagUser, "u", "", "Username or UID (format: <name|uid>[:<group|gid>])")
+	flags.Var(&opts.credentialSpec, flagCredentialSpec, "Credential spec for managed service account (Windows only)")
+	flags.SetAnnotation(flagCredentialSpec, "version", []string{"1.29"})
+	flags.StringVar(&opts.hostname, flagHostname, "", "Container hostname")
+	flags.SetAnnotation(flagHostname, "version", []string{"1.25"})
+	flags.Var(&opts.entrypoint, flagEntrypoint, "Overwrite the default ENTRYPOINT of the image")
+
+	flags.Var(&opts.resources.limitCPU, flagLimitCPU, "Limit CPUs")
+	flags.Var(&opts.resources.limitMemBytes, flagLimitMemory, "Limit Memory")
+	flags.Var(&opts.resources.resCPU, flagReserveCPU, "Reserve CPUs")
+	flags.Var(&opts.resources.resMemBytes, flagReserveMemory, "Reserve Memory")
+
+	flags.Var(&opts.stopGrace, flagStopGracePeriod, flagDesc(flagStopGracePeriod, "Time to wait before force killing a container (ns|us|ms|s|m|h)"))
+	flags.Var(&opts.replicas, flagReplicas, "Number of tasks")
+
+	flags.StringVar(&opts.restartPolicy.condition, flagRestartCondition, "", flagDesc(flagRestartCondition, `Restart when condition is met ("none"|"on-failure"|"any")`))
+	flags.Var(&opts.restartPolicy.delay, flagRestartDelay, flagDesc(flagRestartDelay, "Delay between restart attempts (ns|us|ms|s|m|h)"))
+	flags.Var(&opts.restartPolicy.maxAttempts, flagRestartMaxAttempts, flagDesc(flagRestartMaxAttempts, "Maximum number of restarts before giving up"))
+
+	flags.Var(&opts.restartPolicy.window, flagRestartWindow, flagDesc(flagRestartWindow, "Window used to evaluate the restart policy (ns|us|ms|s|m|h)"))
+
+	flags.Uint64Var(&opts.update.parallelism, flagUpdateParallelism, defaultFlagValues.getUint64(flagUpdateParallelism), "Maximum number of tasks updated simultaneously (0 to update all at once)")
+	flags.DurationVar(&opts.update.delay, flagUpdateDelay, 0, flagDesc(flagUpdateDelay, "Delay between updates (ns|us|ms|s|m|h)"))
+	flags.DurationVar(&opts.update.monitor, flagUpdateMonitor, 0, flagDesc(flagUpdateMonitor, "Duration after each task update to monitor for failure (ns|us|ms|s|m|h)"))
+	flags.SetAnnotation(flagUpdateMonitor, "version", []string{"1.25"})
+	flags.StringVar(&opts.update.onFailure, flagUpdateFailureAction, "", flagDesc(flagUpdateFailureAction, `Action on update failure ("pause"|"continue"|"rollback")`))
+	flags.Var(&opts.update.maxFailureRatio, flagUpdateMaxFailureRatio, flagDesc(flagUpdateMaxFailureRatio, "Failure rate to tolerate during an update"))
+	flags.SetAnnotation(flagUpdateMaxFailureRatio, "version", []string{"1.25"})
+	flags.StringVar(&opts.update.order, flagUpdateOrder, "", flagDesc(flagUpdateOrder, `Update order ("start-first"|"stop-first")`))
+	flags.SetAnnotation(flagUpdateOrder, "version", []string{"1.29"})
+
+	flags.Uint64Var(&opts.rollback.parallelism, flagRollbackParallelism, defaultFlagValues.getUint64(flagRollbackParallelism),
+		"Maximum number of tasks rolled back simultaneously (0 to roll back all at once)")
+	flags.SetAnnotation(flagRollbackParallelism, "version", []string{"1.28"})
+	flags.DurationVar(&opts.rollback.delay, flagRollbackDelay, 0, flagDesc(flagRollbackDelay, "Delay between task rollbacks (ns|us|ms|s|m|h)"))
+	flags.SetAnnotation(flagRollbackDelay, "version", []string{"1.28"})
+	flags.DurationVar(&opts.rollback.monitor, flagRollbackMonitor, 0, flagDesc(flagRollbackMonitor, "Duration after each task rollback to monitor for failure (ns|us|ms|s|m|h)"))
+	flags.SetAnnotation(flagRollbackMonitor, "version", []string{"1.28"})
+	flags.StringVar(&opts.rollback.onFailure, flagRollbackFailureAction, "", flagDesc(flagRollbackFailureAction, `Action on rollback failure ("pause"|"continue")`))
+	flags.SetAnnotation(flagRollbackFailureAction, "version", []string{"1.28"})
+	flags.Var(&opts.rollback.maxFailureRatio, flagRollbackMaxFailureRatio, flagDesc(flagRollbackMaxFailureRatio, "Failure rate to tolerate during a rollback"))
+	flags.SetAnnotation(flagRollbackMaxFailureRatio, "version", []string{"1.28"})
+	flags.StringVar(&opts.rollback.order, flagRollbackOrder, "", flagDesc(flagRollbackOrder, `Rollback order ("start-first"|"stop-first")`))
+	flags.SetAnnotation(flagRollbackOrder, "version", []string{"1.29"})
+
+	flags.StringVar(&opts.endpoint.mode, flagEndpointMode, defaultFlagValues.getString(flagEndpointMode), "Endpoint mode (vip or dnsrr)")
+
+	flags.BoolVar(&opts.registryAuth, flagRegistryAuth, false, "Send registry authentication details to swarm agents")
+	flags.BoolVar(&opts.noResolveImage, flagNoResolveImage, false, "Do not query the registry to resolve image digest and supported platforms")
+	flags.SetAnnotation(flagNoResolveImage, "version", []string{"1.30"})
+
+	flags.StringVar(&opts.logDriver.name, flagLogDriver, "", "Logging driver for service")
+	flags.Var(&opts.logDriver.opts, flagLogOpt, "Logging driver options")
+
+	flags.StringVar(&opts.healthcheck.cmd, flagHealthCmd, "", "Command to run to check health")
+	flags.SetAnnotation(flagHealthCmd, "version", []string{"1.25"})
+	flags.Var(&opts.healthcheck.interval, flagHealthInterval, "Time between running the check (ms|s|m|h)")
+	flags.SetAnnotation(flagHealthInterval, "version", []string{"1.25"})
+	flags.Var(&opts.healthcheck.timeout, flagHealthTimeout, "Maximum time to allow one check to run (ms|s|m|h)")
+	flags.SetAnnotation(flagHealthTimeout, "version", []string{"1.25"})
+	flags.IntVar(&opts.healthcheck.retries, flagHealthRetries, 0, "Consecutive failures needed to report unhealthy")
+	flags.SetAnnotation(flagHealthRetries, "version", []string{"1.25"})
+	flags.Var(&opts.healthcheck.startPeriod, flagHealthStartPeriod, "Start period for the container to initialize before counting retries towards unstable (ms|s|m|h)")
+	flags.SetAnnotation(flagHealthStartPeriod, "version", []string{"1.29"})
+	flags.BoolVar(&opts.healthcheck.noHealthcheck, flagNoHealthcheck, false, "Disable any container-specified HEALTHCHECK")
+	flags.SetAnnotation(flagNoHealthcheck, "version", []string{"1.25"})
+
+	flags.BoolVarP(&opts.tty, flagTTY, "t", false, "Allocate a pseudo-TTY")
+	flags.SetAnnotation(flagTTY, "version", []string{"1.25"})
+
+	flags.BoolVar(&opts.readOnly, flagReadOnly, false, "Mount the container's root filesystem as read only")
+	flags.SetAnnotation(flagReadOnly, "version", []string{"1.28"})
+
+	flags.StringVar(&opts.stopSignal, flagStopSignal, "", "Signal to stop the container")
+	flags.SetAnnotation(flagStopSignal, "version", []string{"1.28"})
+	flags.StringVar(&opts.isolation, flagIsolation, "", "Service container isolation mode")
+	flags.SetAnnotation(flagIsolation, "version", []string{"1.35"})
+}
+
+const (
+	flagCredentialSpec          = "credential-spec"
+	flagPlacementPref           = "placement-pref"
+	flagPlacementPrefAdd        = "placement-pref-add"
+	flagPlacementPrefRemove     = "placement-pref-rm"
+	flagConstraint              = "constraint"
+	flagConstraintRemove        = "constraint-rm"
+	flagConstraintAdd           = "constraint-add"
+	flagContainerLabel          = "container-label"
+	flagContainerLabelRemove    = "container-label-rm"
+	flagContainerLabelAdd       = "container-label-add"
+	flagDetach                  = "detach"
+	flagDNS                     = "dns"
+	flagDNSRemove               = "dns-rm"
+	flagDNSAdd                  = "dns-add"
+	flagDNSOption               = "dns-option"
+	flagDNSOptionRemove         = "dns-option-rm"
+	flagDNSOptionAdd            = "dns-option-add"
+	flagDNSSearch               = "dns-search"
+	flagDNSSearchRemove         = "dns-search-rm"
+	flagDNSSearchAdd            = "dns-search-add"
+	flagEndpointMode            = "endpoint-mode"
+	flagEntrypoint              = "entrypoint"
+	flagEnv                     = "env"
+	flagEnvFile                 = "env-file"
+	flagEnvRemove               = "env-rm"
+	flagEnvAdd                  = "env-add"
+	flagGenericResourcesRemove  = "generic-resource-rm"
+	flagGenericResourcesAdd     = "generic-resource-add"
+	flagGroup                   = "group"
+	flagGroupAdd                = "group-add"
+	flagGroupRemove             = "group-rm"
+	flagHost                    = "host"
+	flagHostAdd                 = "host-add"
+	flagHostRemove              = "host-rm"
+	flagHostname                = "hostname"
+	flagLabel                   = "label"
+	flagLabelRemove             = "label-rm"
+	flagLabelAdd                = "label-add"
+	flagLimitCPU                = "limit-cpu"
+	flagLimitMemory             = "limit-memory"
+	flagMode                    = "mode"
+	flagMount                   = "mount"
+	flagMountRemove             = "mount-rm"
+	flagMountAdd                = "mount-add"
+	flagName                    = "name"
+	flagNetwork                 = "network"
+	flagNetworkAdd              = "network-add"
+	flagNetworkRemove           = "network-rm"
+	flagPublish                 = "publish"
+	flagPublishRemove           = "publish-rm"
+	flagPublishAdd              = "publish-add"
+	flagQuiet                   = "quiet"
+	flagReadOnly                = "read-only"
+	flagReplicas                = "replicas"
+	flagReserveCPU              = "reserve-cpu"
+	flagReserveMemory           = "reserve-memory"
+	flagRestartCondition        = "restart-condition"
+	flagRestartDelay            = "restart-delay"
+	flagRestartMaxAttempts      = "restart-max-attempts"
+	flagRestartWindow           = "restart-window"
+	flagRollback                = "rollback"
+	flagRollbackDelay           = "rollback-delay"
+	flagRollbackFailureAction   = "rollback-failure-action"
+	flagRollbackMaxFailureRatio = "rollback-max-failure-ratio"
+	flagRollbackMonitor         = "rollback-monitor"
+	flagRollbackOrder           = "rollback-order"
+	flagRollbackParallelism     = "rollback-parallelism"
+	flagInit                    = "init"
+	flagStopGracePeriod         = "stop-grace-period"
+	flagStopSignal              = "stop-signal"
+	flagTTY                     = "tty"
+	flagUpdateDelay             = "update-delay"
+	flagUpdateFailureAction     = "update-failure-action"
+	flagUpdateMaxFailureRatio   = "update-max-failure-ratio"
+	flagUpdateMonitor           = "update-monitor"
+	flagUpdateOrder             = "update-order"
+	flagUpdateParallelism       = "update-parallelism"
+	flagUser                    = "user"
+	flagWorkdir                 = "workdir"
+	flagRegistryAuth            = "with-registry-auth"
+	flagNoResolveImage          = "no-resolve-image"
+	flagLogDriver               = "log-driver"
+	flagLogOpt                  = "log-opt"
+	flagHealthCmd               = "health-cmd"
+	flagHealthInterval          = "health-interval"
+	flagHealthRetries           = "health-retries"
+	flagHealthTimeout           = "health-timeout"
+	flagHealthStartPeriod       = "health-start-period"
+	flagNoHealthcheck           = "no-healthcheck"
+	flagSecret                  = "secret"
+	flagSecretAdd               = "secret-add"
+	flagSecretRemove            = "secret-rm"
+	flagConfig                  = "config"
+	flagConfigAdd               = "config-add"
+	flagConfigRemove            = "config-rm"
+	flagIsolation               = "isolation"
+)
diff --git a/cli/cli/command/service/opts_test.go b/cli/cli/command/service/opts_test.go
new file mode 100644
index 00000000..344893f5
--- /dev/null
+++ b/cli/cli/command/service/opts_test.go
@@ -0,0 +1,226 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestMemBytesString(t *testing.T) {
+	var mem opts.MemBytes = 1048576
+	assert.Check(t, is.Equal("1MiB", mem.String()))
+}
+
+func TestMemBytesSetAndValue(t *testing.T) {
+	var mem opts.MemBytes
+	assert.NilError(t, mem.Set("5kb"))
+	assert.Check(t, is.Equal(int64(5120), mem.Value()))
+}
+
+func TestNanoCPUsString(t *testing.T) {
+	var cpus opts.NanoCPUs = 6100000000
+	assert.Check(t, is.Equal("6.100", cpus.String()))
+}
+
+func TestNanoCPUsSetAndValue(t *testing.T) {
+	var cpus opts.NanoCPUs
+	assert.NilError(t, cpus.Set("0.35"))
+	assert.Check(t, is.Equal(int64(350000000), cpus.Value()))
+}
+
+func TestUint64OptString(t *testing.T) {
+	value := uint64(2345678)
+	opt := Uint64Opt{value: &value}
+	assert.Check(t, is.Equal("2345678", opt.String()))
+
+	opt = Uint64Opt{}
+	assert.Check(t, is.Equal("", opt.String()))
+}
+
+func TestUint64OptSetAndValue(t *testing.T) {
+	var opt Uint64Opt
+	assert.NilError(t, opt.Set("14445"))
+	assert.Check(t, is.Equal(uint64(14445), *opt.Value()))
+}
+
+func TestHealthCheckOptionsToHealthConfig(t *testing.T) {
+	dur := time.Second
+	opt := healthCheckOptions{
+		cmd:         "curl",
+		interval:    opts.PositiveDurationOpt{DurationOpt: *opts.NewDurationOpt(&dur)},
+		timeout:     opts.PositiveDurationOpt{DurationOpt: *opts.NewDurationOpt(&dur)},
+		startPeriod: opts.PositiveDurationOpt{DurationOpt: *opts.NewDurationOpt(&dur)},
+		retries:     10,
+	}
+	config, err := opt.toHealthConfig()
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(&container.HealthConfig{
+		Test:        []string{"CMD-SHELL", "curl"},
+		Interval:    time.Second,
+		Timeout:     time.Second,
+		StartPeriod: time.Second,
+		Retries:     10,
+	}, config))
+}
+
+func TestHealthCheckOptionsToHealthConfigNoHealthcheck(t *testing.T) {
+	opt := healthCheckOptions{
+		noHealthcheck: true,
+	}
+	config, err := opt.toHealthConfig()
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(&container.HealthConfig{
+		Test: []string{"NONE"},
+	}, config))
+}
+
+func TestHealthCheckOptionsToHealthConfigConflict(t *testing.T) {
+	opt := healthCheckOptions{
+		cmd:           "curl",
+		noHealthcheck: true,
+	}
+	_, err := opt.toHealthConfig()
+	assert.Error(t, err, "--no-healthcheck conflicts with --health-* options")
+}
+
+func TestResourceOptionsToResourceRequirements(t *testing.T) {
+	incorrectOptions := []resourceOptions{
+		{
+			resGenericResources: []string{"foo=bar", "foo=1"},
+		},
+		{
+			resGenericResources: []string{"foo=bar", "foo=baz"},
+		},
+		{
+			resGenericResources: []string{"foo=bar"},
+		},
+		{
+			resGenericResources: []string{"foo=1", "foo=2"},
+		},
+	}
+
+	for _, opt := range incorrectOptions {
+		_, err := opt.ToResourceRequirements()
+		assert.Check(t, is.ErrorContains(err, ""))
+	}
+
+	correctOptions := []resourceOptions{
+		{
+			resGenericResources: []string{"foo=1"},
+		},
+		{
+			resGenericResources: []string{"foo=1", "bar=2"},
+		},
+	}
+
+	for _, opt := range correctOptions {
+		r, err := opt.ToResourceRequirements()
+		assert.NilError(t, err)
+		assert.Check(t, is.Len(r.Reservations.GenericResources, len(opt.resGenericResources)))
+	}
+
+}
+
+func TestToServiceNetwork(t *testing.T) {
+	nws := []types.NetworkResource{
+		{Name: "aaa-network", ID: "id555"},
+		{Name: "mmm-network", ID: "id999"},
+		{Name: "zzz-network", ID: "id111"},
+	}
+
+	client := &fakeClient{
+		networkInspectFunc: func(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, error) {
+			for _, network := range nws {
+				if network.ID == networkID || network.Name == networkID {
+					return network, nil
+				}
+			}
+			return types.NetworkResource{}, fmt.Errorf("network not found: %s", networkID)
+		},
+	}
+
+	nwo := opts.NetworkOpt{}
+	nwo.Set("zzz-network")
+	nwo.Set("mmm-network")
+	nwo.Set("aaa-network")
+
+	o := newServiceOptions()
+	o.mode = "replicated"
+	o.networks = nwo
+
+	ctx := context.Background()
+	flags := newCreateCommand(nil).Flags()
+	service, err := o.ToService(ctx, client, flags)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]swarm.NetworkAttachmentConfig{{Target: "id111"}, {Target: "id555"}, {Target: "id999"}}, service.TaskTemplate.Networks))
+}
+
+func TestToServiceUpdateRollback(t *testing.T) {
+	expected := swarm.ServiceSpec{
+		UpdateConfig: &swarm.UpdateConfig{
+			Parallelism:     23,
+			Delay:           34 * time.Second,
+			Monitor:         54321 * time.Nanosecond,
+			FailureAction:   "pause",
+			MaxFailureRatio: 0.6,
+			Order:           "stop-first",
+		},
+		RollbackConfig: &swarm.UpdateConfig{
+			Parallelism:     12,
+			Delay:           23 * time.Second,
+			Monitor:         12345 * time.Nanosecond,
+			FailureAction:   "continue",
+			MaxFailureRatio: 0.5,
+			Order:           "start-first",
+		},
+	}
+
+	// Note: in test-situation, the flags are only used to detect if an option
+	// was set; the actual value itself is read from the serviceOptions below.
+	flags := newCreateCommand(nil).Flags()
+	flags.Set("update-parallelism", "23")
+	flags.Set("update-delay", "34s")
+	flags.Set("update-monitor", "54321ns")
+	flags.Set("update-failure-action", "pause")
+	flags.Set("update-max-failure-ratio", "0.6")
+	flags.Set("update-order", "stop-first")
+
+	flags.Set("rollback-parallelism", "12")
+	flags.Set("rollback-delay", "23s")
+	flags.Set("rollback-monitor", "12345ns")
+	flags.Set("rollback-failure-action", "continue")
+	flags.Set("rollback-max-failure-ratio", "0.5")
+	flags.Set("rollback-order", "start-first")
+
+	o := newServiceOptions()
+	o.mode = "replicated"
+	o.update = updateOptions{
+		parallelism:     23,
+		delay:           34 * time.Second,
+		monitor:         54321 * time.Nanosecond,
+		onFailure:       "pause",
+		maxFailureRatio: 0.6,
+		order:           "stop-first",
+	}
+	o.rollback = updateOptions{
+		parallelism:     12,
+		delay:           23 * time.Second,
+		monitor:         12345 * time.Nanosecond,
+		onFailure:       "continue",
+		maxFailureRatio: 0.5,
+		order:           "start-first",
+	}
+
+	service, err := o.ToService(context.Background(), &fakeClient{}, flags)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(service.UpdateConfig, expected.UpdateConfig))
+	assert.Check(t, is.DeepEqual(service.RollbackConfig, expected.RollbackConfig))
+}
diff --git a/cli/cli/command/service/parse.go b/cli/cli/command/service/parse.go
new file mode 100644
index 00000000..25410707
--- /dev/null
+++ b/cli/cli/command/service/parse.go
@@ -0,0 +1,118 @@
+package service
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
+)
+
+// ParseSecrets retrieves the secrets with the requested names and fills
+// secret IDs into the secret references.
+func ParseSecrets(client client.SecretAPIClient, requestedSecrets []*swarmtypes.SecretReference) ([]*swarmtypes.SecretReference, error) {
+	if len(requestedSecrets) == 0 {
+		return []*swarmtypes.SecretReference{}, nil
+	}
+
+	secretRefs := make(map[string]*swarmtypes.SecretReference)
+	ctx := context.Background()
+
+	for _, secret := range requestedSecrets {
+		if _, exists := secretRefs[secret.File.Name]; exists {
+			return nil, errors.Errorf("duplicate secret target for %s not allowed", secret.SecretName)
+		}
+		secretRef := new(swarmtypes.SecretReference)
+		*secretRef = *secret
+		secretRefs[secret.File.Name] = secretRef
+	}
+
+	args := filters.NewArgs()
+	for _, s := range secretRefs {
+		args.Add("name", s.SecretName)
+	}
+
+	secrets, err := client.SecretList(ctx, types.SecretListOptions{
+		Filters: args,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	foundSecrets := make(map[string]string)
+	for _, secret := range secrets {
+		foundSecrets[secret.Spec.Annotations.Name] = secret.ID
+	}
+
+	addedSecrets := []*swarmtypes.SecretReference{}
+
+	for _, ref := range secretRefs {
+		id, ok := foundSecrets[ref.SecretName]
+		if !ok {
+			return nil, errors.Errorf("secret not found: %s", ref.SecretName)
+		}
+
+		// set the id for the ref to properly assign in swarm
+		// since swarm needs the ID instead of the name
+		ref.SecretID = id
+		addedSecrets = append(addedSecrets, ref)
+	}
+
+	return addedSecrets, nil
+}
+
+// ParseConfigs retrieves the configs from the requested names and converts
+// them to config references to use with the spec
+func ParseConfigs(client client.ConfigAPIClient, requestedConfigs []*swarmtypes.ConfigReference) ([]*swarmtypes.ConfigReference, error) {
+	if len(requestedConfigs) == 0 {
+		return []*swarmtypes.ConfigReference{}, nil
+	}
+
+	configRefs := make(map[string]*swarmtypes.ConfigReference)
+	ctx := context.Background()
+
+	for _, config := range requestedConfigs {
+		if _, exists := configRefs[config.File.Name]; exists {
+			return nil, errors.Errorf("duplicate config target for %s not allowed", config.ConfigName)
+		}
+
+		configRef := new(swarmtypes.ConfigReference)
+		*configRef = *config
+		configRefs[config.File.Name] = configRef
+	}
+
+	args := filters.NewArgs()
+	for _, s := range configRefs {
+		args.Add("name", s.ConfigName)
+	}
+
+	configs, err := client.ConfigList(ctx, types.ConfigListOptions{
+		Filters: args,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	foundConfigs := make(map[string]string)
+	for _, config := range configs {
+		foundConfigs[config.Spec.Annotations.Name] = config.ID
+	}
+
+	addedConfigs := []*swarmtypes.ConfigReference{}
+
+	for _, ref := range configRefs {
+		id, ok := foundConfigs[ref.ConfigName]
+		if !ok {
+			return nil, errors.Errorf("config not found: %s", ref.ConfigName)
+		}
+
+		// set the id for the ref to properly assign in swarm
+		// since swarm needs the ID instead of the name
+		ref.ConfigID = id
+		addedConfigs = append(addedConfigs, ref)
+	}
+
+	return addedConfigs, nil
+}
diff --git a/cli/cli/command/service/progress/progress.go b/cli/cli/command/service/progress/progress.go
new file mode 100644
index 00000000..4b9cdd73
--- /dev/null
+++ b/cli/cli/command/service/progress/progress.go
@@ -0,0 +1,504 @@
+package progress
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/signal"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/docker/docker/pkg/stringid"
+)
+
+var (
+	numberedStates = map[swarm.TaskState]int64{
+		swarm.TaskStateNew:       1,
+		swarm.TaskStateAllocated: 2,
+		swarm.TaskStatePending:   3,
+		swarm.TaskStateAssigned:  4,
+		swarm.TaskStateAccepted:  5,
+		swarm.TaskStatePreparing: 6,
+		swarm.TaskStateReady:     7,
+		swarm.TaskStateStarting:  8,
+		swarm.TaskStateRunning:   9,
+
+		// The following states are not actually shown in progress
+		// output, but are used internally for ordering.
+		swarm.TaskStateComplete: 10,
+		swarm.TaskStateShutdown: 11,
+		swarm.TaskStateFailed:   12,
+		swarm.TaskStateRejected: 13,
+	}
+
+	longestState int
+)
+
+const (
+	maxProgress     = 9
+	maxProgressBars = 20
+)
+
+type progressUpdater interface {
+	update(service swarm.Service, tasks []swarm.Task, activeNodes map[string]struct{}, rollback bool) (bool, error)
+}
+
+func init() {
+	for state := range numberedStates {
+		if !terminalState(state) && len(state) > longestState {
+			longestState = len(state)
+		}
+	}
+}
+
+func terminalState(state swarm.TaskState) bool {
+	return numberedStates[state] > numberedStates[swarm.TaskStateRunning]
+}
+
+func stateToProgress(state swarm.TaskState, rollback bool) int64 {
+	if !rollback {
+		return numberedStates[state]
+	}
+	return numberedStates[swarm.TaskStateRunning] - numberedStates[state]
+}
+
+// ServiceProgress outputs progress information for convergence of a service.
+// nolint: gocyclo
+func ServiceProgress(ctx context.Context, client client.APIClient, serviceID string, progressWriter io.WriteCloser) error {
+	defer progressWriter.Close()
+
+	progressOut := streamformatter.NewJSONProgressOutput(progressWriter, false)
+
+	sigint := make(chan os.Signal, 1)
+	signal.Notify(sigint, os.Interrupt)
+	defer signal.Stop(sigint)
+
+	taskFilter := filters.NewArgs()
+	taskFilter.Add("service", serviceID)
+	taskFilter.Add("_up-to-date", "true")
+
+	getUpToDateTasks := func() ([]swarm.Task, error) {
+		return client.TaskList(ctx, types.TaskListOptions{Filters: taskFilter})
+	}
+
+	var (
+		updater     progressUpdater
+		converged   bool
+		convergedAt time.Time
+		monitor     = 5 * time.Second
+		rollback    bool
+	)
+
+	for {
+		service, _, err := client.ServiceInspectWithRaw(ctx, serviceID, types.ServiceInspectOptions{})
+		if err != nil {
+			return err
+		}
+
+		if service.Spec.UpdateConfig != nil && service.Spec.UpdateConfig.Monitor != 0 {
+			monitor = service.Spec.UpdateConfig.Monitor
+		}
+
+		if updater == nil {
+			updater, err = initializeUpdater(service, progressOut)
+			if err != nil {
+				return err
+			}
+		}
+
+		if service.UpdateStatus != nil {
+			switch service.UpdateStatus.State {
+			case swarm.UpdateStateUpdating:
+				rollback = false
+			case swarm.UpdateStateCompleted:
+				if !converged {
+					return nil
+				}
+			case swarm.UpdateStatePaused:
+				return fmt.Errorf("service update paused: %s", service.UpdateStatus.Message)
+			case swarm.UpdateStateRollbackStarted:
+				if !rollback && service.UpdateStatus.Message != "" {
+					progressOut.WriteProgress(progress.Progress{
+						ID:     "rollback",
+						Action: service.UpdateStatus.Message,
+					})
+				}
+				rollback = true
+			case swarm.UpdateStateRollbackPaused:
+				return fmt.Errorf("service rollback paused: %s", service.UpdateStatus.Message)
+			case swarm.UpdateStateRollbackCompleted:
+				if !converged {
+					return fmt.Errorf("service rolled back: %s", service.UpdateStatus.Message)
+				}
+			}
+		}
+		if converged && time.Since(convergedAt) >= monitor {
+			progressOut.WriteProgress(progress.Progress{
+				ID:     "verify",
+				Action: "Service converged",
+			})
+
+			return nil
+		}
+
+		tasks, err := getUpToDateTasks()
+		if err != nil {
+			return err
+		}
+
+		activeNodes, err := getActiveNodes(ctx, client)
+		if err != nil {
+			return err
+		}
+
+		converged, err = updater.update(service, tasks, activeNodes, rollback)
+		if err != nil {
+			return err
+		}
+		if converged {
+			if convergedAt.IsZero() {
+				convergedAt = time.Now()
+			}
+			wait := monitor - time.Since(convergedAt)
+			if wait >= 0 {
+				progressOut.WriteProgress(progress.Progress{
+					// Ideally this would have no ID, but
+					// the progress rendering code behaves
+					// poorly on an "action" with no ID. It
+					// returns the cursor to the beginning
+					// of the line, so the first character
+					// may be difficult to read. Then the
+					// output is overwritten by the shell
+					// prompt when the command finishes.
+					ID:     "verify",
+					Action: fmt.Sprintf("Waiting %d seconds to verify that tasks are stable...", wait/time.Second+1),
+				})
+			}
+		} else {
+			if !convergedAt.IsZero() {
+				progressOut.WriteProgress(progress.Progress{
+					ID:     "verify",
+					Action: "Detected task failure",
+				})
+			}
+			convergedAt = time.Time{}
+		}
+
+		select {
+		case <-time.After(200 * time.Millisecond):
+		case <-sigint:
+			if !converged {
+				progress.Message(progressOut, "", "Operation continuing in background.")
+				progress.Messagef(progressOut, "", "Use `docker service ps %s` to check progress.", serviceID)
+			}
+			return nil
+		}
+	}
+}
+
+func getActiveNodes(ctx context.Context, client client.APIClient) (map[string]struct{}, error) {
+	nodes, err := client.NodeList(ctx, types.NodeListOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	activeNodes := make(map[string]struct{})
+	for _, n := range nodes {
+		if n.Status.State != swarm.NodeStateDown {
+			activeNodes[n.ID] = struct{}{}
+		}
+	}
+	return activeNodes, nil
+}
+
+func initializeUpdater(service swarm.Service, progressOut progress.Output) (progressUpdater, error) {
+	if service.Spec.Mode.Replicated != nil && service.Spec.Mode.Replicated.Replicas != nil {
+		return &replicatedProgressUpdater{
+			progressOut: progressOut,
+		}, nil
+	}
+	if service.Spec.Mode.Global != nil {
+		return &globalProgressUpdater{
+			progressOut: progressOut,
+		}, nil
+	}
+	return nil, errors.New("unrecognized service mode")
+}
+
+func writeOverallProgress(progressOut progress.Output, numerator, denominator int, rollback bool) {
+	if rollback {
+		progressOut.WriteProgress(progress.Progress{
+			ID:     "overall progress",
+			Action: fmt.Sprintf("rolling back update: %d out of %d tasks", numerator, denominator),
+		})
+		return
+	}
+	progressOut.WriteProgress(progress.Progress{
+		ID:     "overall progress",
+		Action: fmt.Sprintf("%d out of %d tasks", numerator, denominator),
+	})
+}
+
+func truncError(errMsg string) string {
+	// Remove newlines from the error, which corrupt the output.
+	errMsg = strings.Replace(errMsg, "\n", " ", -1)
+
+	// Limit the length to 75 characters, so that even on narrow terminals
+	// this will not overflow to the next line.
+	if len(errMsg) > 75 {
+		errMsg = errMsg[:74] + "…"
+	}
+	return errMsg
+}
+
+type replicatedProgressUpdater struct {
+	progressOut progress.Output
+
+	// used for mapping slots to a contiguous space
+	// this also causes progress bars to appear in order
+	slotMap map[int]int
+
+	initialized bool
+	done        bool
+}
+
+func (u *replicatedProgressUpdater) update(service swarm.Service, tasks []swarm.Task, activeNodes map[string]struct{}, rollback bool) (bool, error) {
+	if service.Spec.Mode.Replicated == nil || service.Spec.Mode.Replicated.Replicas == nil {
+		return false, errors.New("no replica count")
+	}
+	replicas := *service.Spec.Mode.Replicated.Replicas
+
+	if !u.initialized {
+		u.slotMap = make(map[int]int)
+
+		// Draw progress bars in order
+		writeOverallProgress(u.progressOut, 0, int(replicas), rollback)
+
+		if replicas <= maxProgressBars {
+			for i := uint64(1); i <= replicas; i++ {
+				progress.Update(u.progressOut, fmt.Sprintf("%d/%d", i, replicas), " ")
+			}
+		}
+		u.initialized = true
+	}
+
+	tasksBySlot := u.tasksBySlot(tasks, activeNodes)
+
+	// If we had reached a converged state, check if we are still converged.
+	if u.done {
+		for _, task := range tasksBySlot {
+			if task.Status.State != swarm.TaskStateRunning {
+				u.done = false
+				break
+			}
+		}
+	}
+
+	running := uint64(0)
+
+	for _, task := range tasksBySlot {
+		mappedSlot := u.slotMap[task.Slot]
+		if mappedSlot == 0 {
+			mappedSlot = len(u.slotMap) + 1
+			u.slotMap[task.Slot] = mappedSlot
+		}
+
+		if !terminalState(task.DesiredState) && task.Status.State == swarm.TaskStateRunning {
+			running++
+		}
+
+		u.writeTaskProgress(task, mappedSlot, replicas, rollback)
+	}
+
+	if !u.done {
+		writeOverallProgress(u.progressOut, int(running), int(replicas), rollback)
+
+		if running == replicas {
+			u.done = true
+		}
+	}
+
+	return running == replicas, nil
+}
+
+func (u *replicatedProgressUpdater) tasksBySlot(tasks []swarm.Task, activeNodes map[string]struct{}) map[int]swarm.Task {
+	// If there are multiple tasks with the same slot number, favor the one
+	// with the *lowest* desired state. This can happen in restart
+	// scenarios.
+	tasksBySlot := make(map[int]swarm.Task)
+	for _, task := range tasks {
+		if numberedStates[task.DesiredState] == 0 || numberedStates[task.Status.State] == 0 {
+			continue
+		}
+		if existingTask, ok := tasksBySlot[task.Slot]; ok {
+			if numberedStates[existingTask.DesiredState] < numberedStates[task.DesiredState] {
+				continue
+			}
+			// If the desired states match, observed state breaks
+			// ties. This can happen with the "start first" service
+			// update mode.
+			if numberedStates[existingTask.DesiredState] == numberedStates[task.DesiredState] &&
+				numberedStates[existingTask.Status.State] <= numberedStates[task.Status.State] {
+				continue
+			}
+		}
+		if task.NodeID != "" {
+			if _, nodeActive := activeNodes[task.NodeID]; !nodeActive {
+				continue
+			}
+		}
+		tasksBySlot[task.Slot] = task
+	}
+
+	return tasksBySlot
+}
+
+func (u *replicatedProgressUpdater) writeTaskProgress(task swarm.Task, mappedSlot int, replicas uint64, rollback bool) {
+	if u.done || replicas > maxProgressBars || uint64(mappedSlot) > replicas {
+		return
+	}
+
+	if task.Status.Err != "" {
+		u.progressOut.WriteProgress(progress.Progress{
+			ID:     fmt.Sprintf("%d/%d", mappedSlot, replicas),
+			Action: truncError(task.Status.Err),
+		})
+		return
+	}
+
+	if !terminalState(task.DesiredState) && !terminalState(task.Status.State) {
+		u.progressOut.WriteProgress(progress.Progress{
+			ID:         fmt.Sprintf("%d/%d", mappedSlot, replicas),
+			Action:     fmt.Sprintf("%-[1]*s", longestState, task.Status.State),
+			Current:    stateToProgress(task.Status.State, rollback),
+			Total:      maxProgress,
+			HideCounts: true,
+		})
+	}
+}
+
+type globalProgressUpdater struct {
+	progressOut progress.Output
+
+	initialized bool
+	done        bool
+}
+
+func (u *globalProgressUpdater) update(service swarm.Service, tasks []swarm.Task, activeNodes map[string]struct{}, rollback bool) (bool, error) {
+	tasksByNode := u.tasksByNode(tasks)
+
+	// We don't have perfect knowledge of how many nodes meet the
+	// constraints for this service. But the orchestrator creates tasks
+	// for all eligible nodes at the same time, so we should see all those
+	// nodes represented among the up-to-date tasks.
+	nodeCount := len(tasksByNode)
+
+	if !u.initialized {
+		if nodeCount == 0 {
+			// Two possibilities: either the orchestrator hasn't created
+			// the tasks yet, or the service doesn't meet constraints for
+			// any node. Either way, we wait.
+			u.progressOut.WriteProgress(progress.Progress{
+				ID:     "overall progress",
+				Action: "waiting for new tasks",
+			})
+			return false, nil
+		}
+
+		writeOverallProgress(u.progressOut, 0, nodeCount, rollback)
+		u.initialized = true
+	}
+
+	// If we had reached a converged state, check if we are still converged.
+	if u.done {
+		for _, task := range tasksByNode {
+			if task.Status.State != swarm.TaskStateRunning {
+				u.done = false
+				break
+			}
+		}
+	}
+
+	running := 0
+
+	for _, task := range tasksByNode {
+		if _, nodeActive := activeNodes[task.NodeID]; nodeActive {
+			if !terminalState(task.DesiredState) && task.Status.State == swarm.TaskStateRunning {
+				running++
+			}
+
+			u.writeTaskProgress(task, nodeCount, rollback)
+		}
+	}
+
+	if !u.done {
+		writeOverallProgress(u.progressOut, running, nodeCount, rollback)
+
+		if running == nodeCount {
+			u.done = true
+		}
+	}
+
+	return running == nodeCount, nil
+}
+
+func (u *globalProgressUpdater) tasksByNode(tasks []swarm.Task) map[string]swarm.Task {
+	// If there are multiple tasks with the same node ID, favor the one
+	// with the *lowest* desired state. This can happen in restart
+	// scenarios.
+	tasksByNode := make(map[string]swarm.Task)
+	for _, task := range tasks {
+		if numberedStates[task.DesiredState] == 0 || numberedStates[task.Status.State] == 0 {
+			continue
+		}
+		if existingTask, ok := tasksByNode[task.NodeID]; ok {
+			if numberedStates[existingTask.DesiredState] < numberedStates[task.DesiredState] {
+				continue
+			}
+
+			// If the desired states match, observed state breaks
+			// ties. This can happen with the "start first" service
+			// update mode.
+			if numberedStates[existingTask.DesiredState] == numberedStates[task.DesiredState] &&
+				numberedStates[existingTask.Status.State] <= numberedStates[task.Status.State] {
+				continue
+			}
+
+		}
+		tasksByNode[task.NodeID] = task
+	}
+
+	return tasksByNode
+}
+
+func (u *globalProgressUpdater) writeTaskProgress(task swarm.Task, nodeCount int, rollback bool) {
+	if u.done || nodeCount > maxProgressBars {
+		return
+	}
+
+	if task.Status.Err != "" {
+		u.progressOut.WriteProgress(progress.Progress{
+			ID:     stringid.TruncateID(task.NodeID),
+			Action: truncError(task.Status.Err),
+		})
+		return
+	}
+
+	if !terminalState(task.DesiredState) && !terminalState(task.Status.State) {
+		u.progressOut.WriteProgress(progress.Progress{
+			ID:         stringid.TruncateID(task.NodeID),
+			Action:     fmt.Sprintf("%-[1]*s", longestState, task.Status.State),
+			Current:    stateToProgress(task.Status.State, rollback),
+			Total:      maxProgress,
+			HideCounts: true,
+		})
+	}
+}
diff --git a/cli/cli/command/service/progress/progress_test.go b/cli/cli/command/service/progress/progress_test.go
new file mode 100644
index 00000000..2a386d64
--- /dev/null
+++ b/cli/cli/command/service/progress/progress_test.go
@@ -0,0 +1,375 @@
+package progress
+
+import (
+	"fmt"
+	"strconv"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/progress"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+type mockProgress struct {
+	p []progress.Progress
+}
+
+func (mp *mockProgress) WriteProgress(p progress.Progress) error {
+	mp.p = append(mp.p, p)
+	return nil
+}
+
+func (mp *mockProgress) clear() {
+	mp.p = nil
+}
+
+type updaterTester struct {
+	t           *testing.T
+	updater     progressUpdater
+	p           *mockProgress
+	service     swarm.Service
+	activeNodes map[string]struct{}
+	rollback    bool
+}
+
+func (u updaterTester) testUpdater(tasks []swarm.Task, expectedConvergence bool, expectedProgress []progress.Progress) {
+	u.p.clear()
+
+	converged, err := u.updater.update(u.service, tasks, u.activeNodes, u.rollback)
+	assert.Check(u.t, err)
+	assert.Check(u.t, is.Equal(expectedConvergence, converged))
+	assert.Check(u.t, is.DeepEqual(expectedProgress, u.p.p))
+}
+
+func TestReplicatedProgressUpdaterOneReplica(t *testing.T) {
+	replicas := uint64(1)
+
+	service := swarm.Service{
+		Spec: swarm.ServiceSpec{
+			Mode: swarm.ServiceMode{
+				Replicated: &swarm.ReplicatedService{
+					Replicas: &replicas,
+				},
+			},
+		},
+	}
+
+	p := &mockProgress{}
+	updaterTester := updaterTester{
+		t: t,
+		updater: &replicatedProgressUpdater{
+			progressOut: p,
+		},
+		p:           p,
+		activeNodes: map[string]struct{}{"a": {}, "b": {}},
+		service:     service,
+	}
+
+	tasks := []swarm.Task{}
+
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+			{ID: "1/1", Action: " "},
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+
+	// Task with DesiredState beyond Running is ignored
+	tasks = append(tasks,
+		swarm.Task{ID: "1",
+			NodeID:       "a",
+			DesiredState: swarm.TaskStateShutdown,
+			Status:       swarm.TaskStatus{State: swarm.TaskStateNew},
+		})
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+
+	// Task with valid DesiredState and State updates progress bar
+	tasks[0].DesiredState = swarm.TaskStateRunning
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "1/1", Action: "new      ", Current: 1, Total: 9, HideCounts: true},
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+
+	// If the task exposes an error, we should show that instead of the
+	// progress bar.
+	tasks[0].Status.Err = "something is wrong"
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "1/1", Action: "something is wrong"},
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+
+	// When the task reaches running, update should return true
+	tasks[0].Status.Err = ""
+	tasks[0].Status.State = swarm.TaskStateRunning
+	updaterTester.testUpdater(tasks, true,
+		[]progress.Progress{
+			{ID: "1/1", Action: "running  ", Current: 9, Total: 9, HideCounts: true},
+			{ID: "overall progress", Action: "1 out of 1 tasks"},
+		})
+
+	// If the task fails, update should return false again
+	tasks[0].Status.Err = "task failed"
+	tasks[0].Status.State = swarm.TaskStateFailed
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "1/1", Action: "task failed"},
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+
+	// If the task is restarted, progress output should be shown for the
+	// replacement task, not the old task.
+	tasks[0].DesiredState = swarm.TaskStateShutdown
+	tasks = append(tasks,
+		swarm.Task{ID: "2",
+			NodeID:       "b",
+			DesiredState: swarm.TaskStateRunning,
+			Status:       swarm.TaskStatus{State: swarm.TaskStateRunning},
+		})
+	updaterTester.testUpdater(tasks, true,
+		[]progress.Progress{
+			{ID: "1/1", Action: "running  ", Current: 9, Total: 9, HideCounts: true},
+			{ID: "overall progress", Action: "1 out of 1 tasks"},
+		})
+
+	// Add a new task while the current one is still running, to simulate
+	// "start-then-stop" updates.
+	tasks = append(tasks,
+		swarm.Task{ID: "3",
+			NodeID:       "b",
+			DesiredState: swarm.TaskStateRunning,
+			Status:       swarm.TaskStatus{State: swarm.TaskStatePreparing},
+		})
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "1/1", Action: "preparing", Current: 6, Total: 9, HideCounts: true},
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+}
+
+func TestReplicatedProgressUpdaterManyReplicas(t *testing.T) {
+	replicas := uint64(50)
+
+	service := swarm.Service{
+		Spec: swarm.ServiceSpec{
+			Mode: swarm.ServiceMode{
+				Replicated: &swarm.ReplicatedService{
+					Replicas: &replicas,
+				},
+			},
+		},
+	}
+
+	p := &mockProgress{}
+	updaterTester := updaterTester{
+		t: t,
+		updater: &replicatedProgressUpdater{
+			progressOut: p,
+		},
+		p:           p,
+		activeNodes: map[string]struct{}{"a": {}, "b": {}},
+		service:     service,
+	}
+
+	tasks := []swarm.Task{}
+
+	// No per-task progress bars because there are too many replicas
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "overall progress", Action: fmt.Sprintf("0 out of %d tasks", replicas)},
+			{ID: "overall progress", Action: fmt.Sprintf("0 out of %d tasks", replicas)},
+		})
+
+	for i := 0; i != int(replicas); i++ {
+		tasks = append(tasks,
+			swarm.Task{
+				ID:           strconv.Itoa(i),
+				Slot:         i + 1,
+				NodeID:       "a",
+				DesiredState: swarm.TaskStateRunning,
+				Status:       swarm.TaskStatus{State: swarm.TaskStateNew},
+			})
+
+		if i%2 == 1 {
+			tasks[i].NodeID = "b"
+		}
+		updaterTester.testUpdater(tasks, false,
+			[]progress.Progress{
+				{ID: "overall progress", Action: fmt.Sprintf("%d out of %d tasks", i, replicas)},
+			})
+
+		tasks[i].Status.State = swarm.TaskStateRunning
+		updaterTester.testUpdater(tasks, uint64(i) == replicas-1,
+			[]progress.Progress{
+				{ID: "overall progress", Action: fmt.Sprintf("%d out of %d tasks", i+1, replicas)},
+			})
+	}
+}
+
+func TestGlobalProgressUpdaterOneNode(t *testing.T) {
+	service := swarm.Service{
+		Spec: swarm.ServiceSpec{
+			Mode: swarm.ServiceMode{
+				Global: &swarm.GlobalService{},
+			},
+		},
+	}
+
+	p := &mockProgress{}
+	updaterTester := updaterTester{
+		t: t,
+		updater: &globalProgressUpdater{
+			progressOut: p,
+		},
+		p:           p,
+		activeNodes: map[string]struct{}{"a": {}, "b": {}},
+		service:     service,
+	}
+
+	tasks := []swarm.Task{}
+
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "overall progress", Action: "waiting for new tasks"},
+		})
+
+	// Task with DesiredState beyond Running is ignored
+	tasks = append(tasks,
+		swarm.Task{ID: "1",
+			NodeID:       "a",
+			DesiredState: swarm.TaskStateShutdown,
+			Status:       swarm.TaskStatus{State: swarm.TaskStateNew},
+		})
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+
+	// Task with valid DesiredState and State updates progress bar
+	tasks[0].DesiredState = swarm.TaskStateRunning
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "a", Action: "new      ", Current: 1, Total: 9, HideCounts: true},
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+
+	// If the task exposes an error, we should show that instead of the
+	// progress bar.
+	tasks[0].Status.Err = "something is wrong"
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "a", Action: "something is wrong"},
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+
+	// When the task reaches running, update should return true
+	tasks[0].Status.Err = ""
+	tasks[0].Status.State = swarm.TaskStateRunning
+	updaterTester.testUpdater(tasks, true,
+		[]progress.Progress{
+			{ID: "a", Action: "running  ", Current: 9, Total: 9, HideCounts: true},
+			{ID: "overall progress", Action: "1 out of 1 tasks"},
+		})
+
+	// If the task fails, update should return false again
+	tasks[0].Status.Err = "task failed"
+	tasks[0].Status.State = swarm.TaskStateFailed
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "a", Action: "task failed"},
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+
+	// If the task is restarted, progress output should be shown for the
+	// replacement task, not the old task.
+	tasks[0].DesiredState = swarm.TaskStateShutdown
+	tasks = append(tasks,
+		swarm.Task{ID: "2",
+			NodeID:       "a",
+			DesiredState: swarm.TaskStateRunning,
+			Status:       swarm.TaskStatus{State: swarm.TaskStateRunning},
+		})
+	updaterTester.testUpdater(tasks, true,
+		[]progress.Progress{
+			{ID: "a", Action: "running  ", Current: 9, Total: 9, HideCounts: true},
+			{ID: "overall progress", Action: "1 out of 1 tasks"},
+		})
+
+	// Add a new task while the current one is still running, to simulate
+	// "start-then-stop" updates.
+	tasks = append(tasks,
+		swarm.Task{ID: "3",
+			NodeID:       "a",
+			DesiredState: swarm.TaskStateRunning,
+			Status:       swarm.TaskStatus{State: swarm.TaskStatePreparing},
+		})
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "a", Action: "preparing", Current: 6, Total: 9, HideCounts: true},
+			{ID: "overall progress", Action: "0 out of 1 tasks"},
+		})
+}
+
+func TestGlobalProgressUpdaterManyNodes(t *testing.T) {
+	nodes := 50
+
+	service := swarm.Service{
+		Spec: swarm.ServiceSpec{
+			Mode: swarm.ServiceMode{
+				Global: &swarm.GlobalService{},
+			},
+		},
+	}
+
+	p := &mockProgress{}
+	updaterTester := updaterTester{
+		t: t,
+		updater: &globalProgressUpdater{
+			progressOut: p,
+		},
+		p:           p,
+		activeNodes: map[string]struct{}{},
+		service:     service,
+	}
+
+	for i := 0; i != nodes; i++ {
+		updaterTester.activeNodes[strconv.Itoa(i)] = struct{}{}
+	}
+
+	tasks := []swarm.Task{}
+
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "overall progress", Action: "waiting for new tasks"},
+		})
+
+	for i := 0; i != nodes; i++ {
+		tasks = append(tasks,
+			swarm.Task{
+				ID:           "task" + strconv.Itoa(i),
+				NodeID:       strconv.Itoa(i),
+				DesiredState: swarm.TaskStateRunning,
+				Status:       swarm.TaskStatus{State: swarm.TaskStateNew},
+			})
+	}
+
+	updaterTester.testUpdater(tasks, false,
+		[]progress.Progress{
+			{ID: "overall progress", Action: fmt.Sprintf("0 out of %d tasks", nodes)},
+			{ID: "overall progress", Action: fmt.Sprintf("0 out of %d tasks", nodes)},
+		})
+
+	for i := 0; i != nodes; i++ {
+		tasks[i].Status.State = swarm.TaskStateRunning
+		updaterTester.testUpdater(tasks, i == nodes-1,
+			[]progress.Progress{
+				{ID: "overall progress", Action: fmt.Sprintf("%d out of %d tasks", i+1, nodes)},
+			})
+	}
+}
diff --git a/cli/cli/command/service/ps.go b/cli/cli/command/service/ps.go
new file mode 100644
index 00000000..0220f7e0
--- /dev/null
+++ b/cli/cli/command/service/ps.go
@@ -0,0 +1,155 @@
+package service
+
+import (
+	"context"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/idresolver"
+	"github.com/docker/cli/cli/command/node"
+	"github.com/docker/cli/cli/command/task"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type psOptions struct {
+	services  []string
+	quiet     bool
+	noResolve bool
+	noTrunc   bool
+	format    string
+	filter    opts.FilterOpt
+}
+
+func newPsCommand(dockerCli command.Cli) *cobra.Command {
+	options := psOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "ps [OPTIONS] SERVICE [SERVICE...]",
+		Short: "List the tasks of one or more services",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.services = args
+			return runPS(dockerCli, options)
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display task IDs")
+	flags.BoolVar(&options.noTrunc, "no-trunc", false, "Do not truncate output")
+	flags.BoolVar(&options.noResolve, "no-resolve", false, "Do not map IDs to Names")
+	flags.StringVar(&options.format, "format", "", "Pretty-print tasks using a Go template")
+	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")
+
+	return cmd
+}
+
+func runPS(dockerCli command.Cli, options psOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	filter, notfound, err := createFilter(ctx, client, options)
+	if err != nil {
+		return err
+	}
+	if err := updateNodeFilter(ctx, client, filter); err != nil {
+		return err
+	}
+
+	tasks, err := client.TaskList(ctx, types.TaskListOptions{Filters: filter})
+	if err != nil {
+		return err
+	}
+
+	format := options.format
+	if len(format) == 0 {
+		format = task.DefaultFormat(dockerCli.ConfigFile(), options.quiet)
+	}
+	if options.quiet {
+		options.noTrunc = true
+	}
+	if err := task.Print(ctx, dockerCli, tasks, idresolver.New(client, options.noResolve), !options.noTrunc, options.quiet, format); err != nil {
+		return err
+	}
+	if len(notfound) != 0 {
+		return errors.New(strings.Join(notfound, "\n"))
+	}
+	return nil
+}
+
+func createFilter(ctx context.Context, client client.APIClient, options psOptions) (filters.Args, []string, error) {
+	filter := options.filter.Value()
+
+	serviceIDFilter := filters.NewArgs()
+	serviceNameFilter := filters.NewArgs()
+	for _, service := range options.services {
+		serviceIDFilter.Add("id", service)
+		serviceNameFilter.Add("name", service)
+	}
+	serviceByIDList, err := client.ServiceList(ctx, types.ServiceListOptions{Filters: serviceIDFilter})
+	if err != nil {
+		return filter, nil, err
+	}
+	serviceByNameList, err := client.ServiceList(ctx, types.ServiceListOptions{Filters: serviceNameFilter})
+	if err != nil {
+		return filter, nil, err
+	}
+
+	var notfound []string
+	serviceCount := 0
+loop:
+	// Match services by 1. Full ID, 2. Full name, 3. ID prefix. An error is returned if the ID-prefix match is ambiguous
+	for _, service := range options.services {
+		for _, s := range serviceByIDList {
+			if s.ID == service {
+				filter.Add("service", s.ID)
+				serviceCount++
+				continue loop
+			}
+		}
+		for _, s := range serviceByNameList {
+			if s.Spec.Annotations.Name == service {
+				filter.Add("service", s.ID)
+				serviceCount++
+				continue loop
+			}
+		}
+		found := false
+		for _, s := range serviceByIDList {
+			if strings.HasPrefix(s.ID, service) {
+				if found {
+					return filter, nil, errors.New("multiple services found with provided prefix: " + service)
+				}
+				filter.Add("service", s.ID)
+				serviceCount++
+				found = true
+			}
+		}
+		if !found {
+			notfound = append(notfound, "no such service: "+service)
+		}
+	}
+	if serviceCount == 0 {
+		return filter, nil, errors.New(strings.Join(notfound, "\n"))
+	}
+	return filter, notfound, err
+}
+
+func updateNodeFilter(ctx context.Context, client client.APIClient, filter filters.Args) error {
+	if filter.Include("node") {
+		nodeFilters := filter.Get("node")
+		for _, nodeFilter := range nodeFilters {
+			nodeReference, err := node.Reference(ctx, client, nodeFilter)
+			if err != nil {
+				return err
+			}
+			filter.Del("node", nodeFilter)
+			filter.Add("node", nodeReference)
+		}
+	}
+	return nil
+}
diff --git a/cli/cli/command/service/ps_test.go b/cli/cli/command/service/ps_test.go
new file mode 100644
index 00000000..6459cfcc
--- /dev/null
+++ b/cli/cli/command/service/ps_test.go
@@ -0,0 +1,135 @@
+package service
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/google/go-cmp/cmp"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestCreateFilter(t *testing.T) {
+	client := &fakeClient{
+		serviceListFunc: func(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				{ID: "idmatch"},
+				{ID: "idprefixmatch"},
+				newService("cccccccc", "namematch"),
+				newService("01010101", "notfoundprefix"),
+			}, nil
+		},
+	}
+
+	filter := opts.NewFilterOpt()
+	assert.NilError(t, filter.Set("node=somenode"))
+	options := psOptions{
+		services: []string{"idmatch", "idprefix", "namematch", "notfound"},
+		filter:   filter,
+	}
+
+	actual, notfound, err := createFilter(context.Background(), client, options)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(notfound, []string{"no such service: notfound"}))
+
+	expected := filters.NewArgs(
+		filters.Arg("service", "idmatch"),
+		filters.Arg("service", "idprefixmatch"),
+		filters.Arg("service", "cccccccc"),
+		filters.Arg("node", "somenode"),
+	)
+	assert.DeepEqual(t, expected, actual, cmpFilters)
+}
+
+func TestCreateFilterWithAmbiguousIDPrefixError(t *testing.T) {
+	client := &fakeClient{
+		serviceListFunc: func(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				{ID: "aaaone"},
+				{ID: "aaatwo"},
+			}, nil
+		},
+	}
+	options := psOptions{
+		services: []string{"aaa"},
+		filter:   opts.NewFilterOpt(),
+	}
+	_, _, err := createFilter(context.Background(), client, options)
+	assert.Error(t, err, "multiple services found with provided prefix: aaa")
+}
+
+func TestCreateFilterNoneFound(t *testing.T) {
+	client := &fakeClient{}
+	options := psOptions{
+		services: []string{"foo", "notfound"},
+		filter:   opts.NewFilterOpt(),
+	}
+	_, _, err := createFilter(context.Background(), client, options)
+	assert.Error(t, err, "no such service: foo\nno such service: notfound")
+}
+
+func TestRunPSWarnsOnNotFound(t *testing.T) {
+	client := &fakeClient{
+		serviceListFunc: func(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				{ID: "foo"},
+			}, nil
+		},
+	}
+
+	cli := test.NewFakeCli(client)
+	options := psOptions{
+		services: []string{"foo", "bar"},
+		filter:   opts.NewFilterOpt(),
+		format:   "{{.ID}}",
+	}
+	err := runPS(cli, options)
+	assert.Error(t, err, "no such service: bar")
+}
+
+func TestRunPSQuiet(t *testing.T) {
+	client := &fakeClient{
+		serviceListFunc: func(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{{ID: "foo"}}, nil
+		},
+		taskListFunc: func(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{{ID: "sxabyp0obqokwekpun4rjo0b3"}}, nil
+		},
+	}
+
+	cli := test.NewFakeCli(client)
+	err := runPS(cli, psOptions{services: []string{"foo"}, quiet: true, filter: opts.NewFilterOpt()})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("sxabyp0obqokwekpun4rjo0b3\n", cli.OutBuffer().String()))
+}
+
+func TestUpdateNodeFilter(t *testing.T) {
+	selfNodeID := "foofoo"
+	filter := filters.NewArgs(
+		filters.Arg("node", "one"),
+		filters.Arg("node", "two"),
+		filters.Arg("node", "self"),
+	)
+
+	client := &fakeClient{
+		infoFunc: func(_ context.Context) (types.Info, error) {
+			return types.Info{Swarm: swarm.Info{NodeID: selfNodeID}}, nil
+		},
+	}
+
+	updateNodeFilter(context.Background(), client, filter)
+
+	expected := filters.NewArgs(
+		filters.Arg("node", "one"),
+		filters.Arg("node", "two"),
+		filters.Arg("node", selfNodeID),
+	)
+	assert.DeepEqual(t, expected, filter, cmpFilters)
+}
+
+var cmpFilters = cmp.AllowUnexported(filters.Args{})
diff --git a/cli/cli/command/service/remove.go b/cli/cli/command/service/remove.go
new file mode 100644
index 00000000..ee810b03
--- /dev/null
+++ b/cli/cli/command/service/remove.go
@@ -0,0 +1,48 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+
+	cmd := &cobra.Command{
+		Use:     "rm SERVICE [SERVICE...]",
+		Aliases: []string{"remove"},
+		Short:   "Remove one or more services",
+		Args:    cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runRemove(dockerCli, args)
+		},
+	}
+	cmd.Flags()
+
+	return cmd
+}
+
+func runRemove(dockerCli command.Cli, sids []string) error {
+	client := dockerCli.Client()
+
+	ctx := context.Background()
+
+	var errs []string
+	for _, sid := range sids {
+		err := client.ServiceRemove(ctx, sid)
+		if err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+		fmt.Fprintf(dockerCli.Out(), "%s\n", sid)
+	}
+	if len(errs) > 0 {
+		return errors.Errorf(strings.Join(errs, "\n"))
+	}
+	return nil
+}
diff --git a/cli/cli/command/service/rollback.go b/cli/cli/command/service/rollback.go
new file mode 100644
index 00000000..2196815c
--- /dev/null
+++ b/cli/cli/command/service/rollback.go
@@ -0,0 +1,64 @@
+package service
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/spf13/cobra"
+)
+
+func newRollbackCommand(dockerCli command.Cli) *cobra.Command {
+	options := newServiceOptions()
+
+	cmd := &cobra.Command{
+		Use:   "rollback [OPTIONS] SERVICE",
+		Short: "Revert changes to a service's configuration",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runRollback(dockerCli, options, args[0])
+		},
+		Annotations: map[string]string{"version": "1.31"},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.quiet, flagQuiet, "q", false, "Suppress progress output")
+	addDetachFlag(flags, &options.detach)
+
+	return cmd
+}
+
+func runRollback(dockerCli command.Cli, options *serviceOptions, serviceID string) error {
+	apiClient := dockerCli.Client()
+	ctx := context.Background()
+
+	service, _, err := apiClient.ServiceInspectWithRaw(ctx, serviceID, types.ServiceInspectOptions{})
+	if err != nil {
+		return err
+	}
+
+	spec := &service.Spec
+	updateOpts := types.ServiceUpdateOptions{
+		Rollback: "previous",
+	}
+
+	response, err := apiClient.ServiceUpdate(ctx, service.ID, service.Version, *spec, updateOpts)
+	if err != nil {
+		return err
+	}
+
+	for _, warning := range response.Warnings {
+		fmt.Fprintln(dockerCli.Err(), warning)
+	}
+
+	fmt.Fprintf(dockerCli.Out(), "%s\n", serviceID)
+
+	if options.detach || versions.LessThan(apiClient.ClientVersion(), "1.29") {
+		return nil
+	}
+
+	return waitOnService(ctx, dockerCli, serviceID, options.quiet)
+}
diff --git a/cli/cli/command/service/rollback_test.go b/cli/cli/command/service/rollback_test.go
new file mode 100644
index 00000000..e61d1c20
--- /dev/null
+++ b/cli/cli/command/service/rollback_test.go
@@ -0,0 +1,104 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestRollback(t *testing.T) {
+	testCases := []struct {
+		name                 string
+		args                 []string
+		serviceUpdateFunc    func(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error)
+		expectedDockerCliErr string
+	}{
+		{
+			name: "rollback-service",
+			args: []string{"service-id"},
+		},
+		{
+			name: "rollback-service-with-warnings",
+			args: []string{"service-id"},
+			serviceUpdateFunc: func(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
+				response := types.ServiceUpdateResponse{}
+
+				response.Warnings = []string{
+					"- warning 1",
+					"- warning 2",
+				}
+
+				return response, nil
+			},
+			expectedDockerCliErr: "- warning 1\n- warning 2",
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			serviceUpdateFunc: tc.serviceUpdateFunc,
+		})
+		cmd := newRollbackCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.Flags().Set("quiet", "true")
+		cmd.SetOutput(ioutil.Discard)
+		assert.NilError(t, cmd.Execute())
+		assert.Check(t, is.Equal(strings.TrimSpace(cli.ErrBuffer().String()), tc.expectedDockerCliErr))
+	}
+}
+
+func TestRollbackWithErrors(t *testing.T) {
+	testCases := []struct {
+		name                      string
+		args                      []string
+		serviceInspectWithRawFunc func(ctx context.Context, serviceID string, options types.ServiceInspectOptions) (swarm.Service, []byte, error)
+		serviceUpdateFunc         func(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error)
+		expectedError             string
+	}{
+		{
+			name:          "not-enough-args",
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name:          "too-many-args",
+			args:          []string{"service-id-1", "service-id-2"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name: "service-does-not-exists",
+			args: []string{"service-id"},
+			serviceInspectWithRawFunc: func(ctx context.Context, serviceID string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+				return swarm.Service{}, []byte{}, fmt.Errorf("no such services: %s", serviceID)
+			},
+			expectedError: "no such services: service-id",
+		},
+		{
+			name: "service-update-failed",
+			args: []string{"service-id"},
+			serviceUpdateFunc: func(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
+				return types.ServiceUpdateResponse{}, fmt.Errorf("no such services: %s", serviceID)
+			},
+			expectedError: "no such services: service-id",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newRollbackCommand(
+			test.NewFakeCli(&fakeClient{
+				serviceInspectWithRawFunc: tc.serviceInspectWithRawFunc,
+				serviceUpdateFunc:         tc.serviceUpdateFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		cmd.Flags().Set("quiet", "true")
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
diff --git a/cli/cli/command/service/scale.go b/cli/cli/command/service/scale.go
new file mode 100644
index 00000000..5b656a7f
--- /dev/null
+++ b/cli/cli/command/service/scale.go
@@ -0,0 +1,122 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type scaleOptions struct {
+	detach bool
+}
+
+func newScaleCommand(dockerCli command.Cli) *cobra.Command {
+	options := &scaleOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "scale SERVICE=REPLICAS [SERVICE=REPLICAS...]",
+		Short: "Scale one or multiple replicated services",
+		Args:  scaleArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runScale(dockerCli, options, args)
+		},
+	}
+
+	flags := cmd.Flags()
+	addDetachFlag(flags, &options.detach)
+	return cmd
+}
+
+func scaleArgs(cmd *cobra.Command, args []string) error {
+	if err := cli.RequiresMinArgs(1)(cmd, args); err != nil {
+		return err
+	}
+	for _, arg := range args {
+		if parts := strings.SplitN(arg, "=", 2); len(parts) != 2 {
+			return errors.Errorf(
+				"Invalid scale specifier '%s'.\nSee '%s --help'.\n\nUsage:  %s\n\n%s",
+				arg,
+				cmd.CommandPath(),
+				cmd.UseLine(),
+				cmd.Short,
+			)
+		}
+	}
+	return nil
+}
+
+func runScale(dockerCli command.Cli, options *scaleOptions, args []string) error {
+	var errs []string
+	var serviceIDs []string
+	ctx := context.Background()
+
+	for _, arg := range args {
+		parts := strings.SplitN(arg, "=", 2)
+		serviceID, scaleStr := parts[0], parts[1]
+
+		// validate input arg scale number
+		scale, err := strconv.ParseUint(scaleStr, 10, 64)
+		if err != nil {
+			errs = append(errs, fmt.Sprintf("%s: invalid replicas value %s: %v", serviceID, scaleStr, err))
+			continue
+		}
+
+		if err := runServiceScale(ctx, dockerCli, serviceID, scale); err != nil {
+			errs = append(errs, fmt.Sprintf("%s: %v", serviceID, err))
+		} else {
+			serviceIDs = append(serviceIDs, serviceID)
+		}
+
+	}
+
+	if len(serviceIDs) > 0 {
+		if !options.detach && versions.GreaterThanOrEqualTo(dockerCli.Client().ClientVersion(), "1.29") {
+			for _, serviceID := range serviceIDs {
+				if err := waitOnService(ctx, dockerCli, serviceID, false); err != nil {
+					errs = append(errs, fmt.Sprintf("%s: %v", serviceID, err))
+				}
+			}
+		}
+	}
+
+	if len(errs) == 0 {
+		return nil
+	}
+	return errors.Errorf(strings.Join(errs, "\n"))
+}
+
+func runServiceScale(ctx context.Context, dockerCli command.Cli, serviceID string, scale uint64) error {
+	client := dockerCli.Client()
+
+	service, _, err := client.ServiceInspectWithRaw(ctx, serviceID, types.ServiceInspectOptions{})
+	if err != nil {
+		return err
+	}
+
+	serviceMode := &service.Spec.Mode
+	if serviceMode.Replicated == nil {
+		return errors.Errorf("scale can only be used with replicated mode")
+	}
+
+	serviceMode.Replicated.Replicas = &scale
+
+	response, err := client.ServiceUpdate(ctx, service.ID, service.Version, service.Spec, types.ServiceUpdateOptions{})
+	if err != nil {
+		return err
+	}
+
+	for _, warning := range response.Warnings {
+		fmt.Fprintln(dockerCli.Err(), warning)
+	}
+
+	fmt.Fprintf(dockerCli.Out(), "%s scaled to %d\n", serviceID, scale)
+	return nil
+}
diff --git a/cli/cli/command/service/testdata/service-list-sort.golden b/cli/cli/command/service/testdata/service-list-sort.golden
new file mode 100644
index 00000000..3b0cb214
--- /dev/null
+++ b/cli/cli/command/service/testdata/service-list-sort.golden
@@ -0,0 +1,3 @@
+service-1-foo
+service-2-foo
+service-10-foo
diff --git a/cli/cli/command/service/trust.go b/cli/cli/command/service/trust.go
new file mode 100644
index 00000000..b7453ccb
--- /dev/null
+++ b/cli/cli/command/service/trust.go
@@ -0,0 +1,87 @@
+package service
+
+import (
+	"context"
+	"encoding/hex"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/trust"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/registry"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/theupdateframework/notary/tuf/data"
+)
+
+func resolveServiceImageDigestContentTrust(dockerCli command.Cli, service *swarm.ServiceSpec) error {
+	if !dockerCli.ContentTrustEnabled() {
+		// When not using content trust, digest resolution happens later when
+		// contacting the registry to retrieve image information.
+		return nil
+	}
+
+	ref, err := reference.ParseAnyReference(service.TaskTemplate.ContainerSpec.Image)
+	if err != nil {
+		return errors.Wrapf(err, "invalid reference %s", service.TaskTemplate.ContainerSpec.Image)
+	}
+
+	// If reference does not have digest (is not canonical nor image id)
+	if _, ok := ref.(reference.Digested); !ok {
+		namedRef, ok := ref.(reference.Named)
+		if !ok {
+			return errors.New("failed to resolve image digest using content trust: reference is not named")
+		}
+		namedRef = reference.TagNameOnly(namedRef)
+		taggedRef, ok := namedRef.(reference.NamedTagged)
+		if !ok {
+			return errors.New("failed to resolve image digest using content trust: reference is not tagged")
+		}
+
+		resolvedImage, err := trustedResolveDigest(context.Background(), dockerCli, taggedRef)
+		if err != nil {
+			return errors.Wrap(err, "failed to resolve image digest using content trust")
+		}
+		resolvedFamiliar := reference.FamiliarString(resolvedImage)
+		logrus.Debugf("resolved image tag to %s using content trust", resolvedFamiliar)
+		service.TaskTemplate.ContainerSpec.Image = resolvedFamiliar
+	}
+
+	return nil
+}
+
+func trustedResolveDigest(ctx context.Context, cli command.Cli, ref reference.NamedTagged) (reference.Canonical, error) {
+	repoInfo, err := registry.ParseRepositoryInfo(ref)
+	if err != nil {
+		return nil, err
+	}
+
+	authConfig := command.ResolveAuthConfig(ctx, cli, repoInfo.Index)
+
+	notaryRepo, err := trust.GetNotaryRepository(cli.In(), cli.Out(), command.UserAgent(), repoInfo, &authConfig, "pull")
+	if err != nil {
+		return nil, errors.Wrap(err, "error establishing connection to trust repository")
+	}
+
+	t, err := notaryRepo.GetTargetByName(ref.Tag(), trust.ReleasesRole, data.CanonicalTargetsRole)
+	if err != nil {
+		return nil, trust.NotaryError(repoInfo.Name.Name(), err)
+	}
+	// Only get the tag if it's in the top level targets role or the releases delegation role
+	// ignore it if it's in any other delegation roles
+	if t.Role != trust.ReleasesRole && t.Role != data.CanonicalTargetsRole {
+		return nil, trust.NotaryError(repoInfo.Name.Name(), errors.Errorf("No trust data for %s", reference.FamiliarString(ref)))
+	}
+
+	logrus.Debugf("retrieving target for %s role\n", t.Role)
+	h, ok := t.Hashes["sha256"]
+	if !ok {
+		return nil, errors.New("no valid hash, expecting sha256")
+	}
+
+	dgst := digest.NewDigestFromHex("sha256", hex.EncodeToString(h))
+
+	// Allow returning canonical reference with tag
+	return reference.WithDigest(ref, dgst)
+}
diff --git a/cli/cli/command/service/update.go b/cli/cli/command/service/update.go
new file mode 100644
index 00000000..3e380db2
--- /dev/null
+++ b/cli/cli/command/service/update.go
@@ -0,0 +1,1205 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
+	"github.com/docker/swarmkit/api/defaults"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+func newUpdateCommand(dockerCli command.Cli) *cobra.Command {
+	options := newServiceOptions()
+
+	cmd := &cobra.Command{
+		Use:   "update [OPTIONS] SERVICE",
+		Short: "Update a service",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runUpdate(dockerCli, cmd.Flags(), options, args[0])
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.String("image", "", "Service image tag")
+	flags.Var(&ShlexOpt{}, "args", "Service command args")
+	flags.Bool(flagRollback, false, "Rollback to previous specification")
+	flags.SetAnnotation(flagRollback, "version", []string{"1.25"})
+	flags.Bool("force", false, "Force update even if no changes require it")
+	flags.SetAnnotation("force", "version", []string{"1.25"})
+	addServiceFlags(flags, options, nil)
+
+	flags.Var(newListOptsVar(), flagEnvRemove, "Remove an environment variable")
+	flags.Var(newListOptsVar(), flagGroupRemove, "Remove a previously added supplementary user group from the container")
+	flags.SetAnnotation(flagGroupRemove, "version", []string{"1.25"})
+	flags.Var(newListOptsVar(), flagLabelRemove, "Remove a label by its key")
+	flags.Var(newListOptsVar(), flagContainerLabelRemove, "Remove a container label by its key")
+	flags.Var(newListOptsVar(), flagMountRemove, "Remove a mount by its target path")
+	// flags.Var(newListOptsVar().WithValidator(validatePublishRemove), flagPublishRemove, "Remove a published port by its target port")
+	flags.Var(&opts.PortOpt{}, flagPublishRemove, "Remove a published port by its target port")
+	flags.Var(newListOptsVar(), flagConstraintRemove, "Remove a constraint")
+	flags.Var(newListOptsVar(), flagDNSRemove, "Remove a custom DNS server")
+	flags.SetAnnotation(flagDNSRemove, "version", []string{"1.25"})
+	flags.Var(newListOptsVar(), flagDNSOptionRemove, "Remove a DNS option")
+	flags.SetAnnotation(flagDNSOptionRemove, "version", []string{"1.25"})
+	flags.Var(newListOptsVar(), flagDNSSearchRemove, "Remove a DNS search domain")
+	flags.SetAnnotation(flagDNSSearchRemove, "version", []string{"1.25"})
+	flags.Var(newListOptsVar(), flagHostRemove, "Remove a custom host-to-IP mapping (host:ip)")
+	flags.SetAnnotation(flagHostRemove, "version", []string{"1.25"})
+	flags.Var(&options.labels, flagLabelAdd, "Add or update a service label")
+	flags.Var(&options.containerLabels, flagContainerLabelAdd, "Add or update a container label")
+	flags.Var(&options.env, flagEnvAdd, "Add or update an environment variable")
+	flags.Var(newListOptsVar(), flagSecretRemove, "Remove a secret")
+	flags.SetAnnotation(flagSecretRemove, "version", []string{"1.25"})
+	flags.Var(&options.secrets, flagSecretAdd, "Add or update a secret on a service")
+	flags.SetAnnotation(flagSecretAdd, "version", []string{"1.25"})
+
+	flags.Var(newListOptsVar(), flagConfigRemove, "Remove a configuration file")
+	flags.SetAnnotation(flagConfigRemove, "version", []string{"1.30"})
+	flags.Var(&options.configs, flagConfigAdd, "Add or update a config file on a service")
+	flags.SetAnnotation(flagConfigAdd, "version", []string{"1.30"})
+
+	flags.Var(&options.mounts, flagMountAdd, "Add or update a mount on a service")
+	flags.Var(&options.constraints, flagConstraintAdd, "Add or update a placement constraint")
+	flags.Var(&options.placementPrefs, flagPlacementPrefAdd, "Add a placement preference")
+	flags.SetAnnotation(flagPlacementPrefAdd, "version", []string{"1.28"})
+	flags.Var(&placementPrefOpts{}, flagPlacementPrefRemove, "Remove a placement preference")
+	flags.SetAnnotation(flagPlacementPrefRemove, "version", []string{"1.28"})
+	flags.Var(&options.networks, flagNetworkAdd, "Add a network")
+	flags.SetAnnotation(flagNetworkAdd, "version", []string{"1.29"})
+	flags.Var(newListOptsVar(), flagNetworkRemove, "Remove a network")
+	flags.SetAnnotation(flagNetworkRemove, "version", []string{"1.29"})
+	flags.Var(&options.endpoint.publishPorts, flagPublishAdd, "Add or update a published port")
+	flags.Var(&options.groups, flagGroupAdd, "Add an additional supplementary user group to the container")
+	flags.SetAnnotation(flagGroupAdd, "version", []string{"1.25"})
+	flags.Var(&options.dns, flagDNSAdd, "Add or update a custom DNS server")
+	flags.SetAnnotation(flagDNSAdd, "version", []string{"1.25"})
+	flags.Var(&options.dnsOption, flagDNSOptionAdd, "Add or update a DNS option")
+	flags.SetAnnotation(flagDNSOptionAdd, "version", []string{"1.25"})
+	flags.Var(&options.dnsSearch, flagDNSSearchAdd, "Add or update a custom DNS search domain")
+	flags.SetAnnotation(flagDNSSearchAdd, "version", []string{"1.25"})
+	flags.Var(&options.hosts, flagHostAdd, "Add a custom host-to-IP mapping (host:ip)")
+	flags.SetAnnotation(flagHostAdd, "version", []string{"1.25"})
+	flags.BoolVar(&options.init, flagInit, false, "Use an init inside each service container to forward signals and reap processes")
+	flags.SetAnnotation(flagInit, "version", []string{"1.37"})
+
+	// Add needs parsing, Remove only needs the key
+	flags.Var(newListOptsVar(), flagGenericResourcesRemove, "Remove a Generic resource")
+	flags.SetAnnotation(flagHostAdd, "version", []string{"1.32"})
+	flags.Var(newListOptsVarWithValidator(ValidateSingleGenericResource), flagGenericResourcesAdd, "Add a Generic resource")
+	flags.SetAnnotation(flagHostAdd, "version", []string{"1.32"})
+
+	return cmd
+}
+
+func newListOptsVar() *opts.ListOpts {
+	return opts.NewListOptsRef(&[]string{}, nil)
+}
+
+func newListOptsVarWithValidator(validator opts.ValidatorFctType) *opts.ListOpts {
+	return opts.NewListOptsRef(&[]string{}, validator)
+}
+
+// nolint: gocyclo
+func runUpdate(dockerCli command.Cli, flags *pflag.FlagSet, options *serviceOptions, serviceID string) error {
+	apiClient := dockerCli.Client()
+	ctx := context.Background()
+
+	service, _, err := apiClient.ServiceInspectWithRaw(ctx, serviceID, types.ServiceInspectOptions{})
+	if err != nil {
+		return err
+	}
+
+	rollback, err := flags.GetBool(flagRollback)
+	if err != nil {
+		return err
+	}
+
+	// There are two ways to do user-requested rollback. The old way is
+	// client-side, but with a sufficiently recent daemon we prefer
+	// server-side, because it will honor the rollback parameters.
+	var (
+		clientSideRollback bool
+		serverSideRollback bool
+	)
+
+	spec := &service.Spec
+	if rollback {
+		// Rollback can't be combined with other flags.
+		otherFlagsPassed := false
+		flags.VisitAll(func(f *pflag.Flag) {
+			if f.Name == flagRollback || f.Name == flagDetach || f.Name == flagQuiet {
+				return
+			}
+			if flags.Changed(f.Name) {
+				otherFlagsPassed = true
+			}
+		})
+		if otherFlagsPassed {
+			return errors.New("other flags may not be combined with --rollback")
+		}
+
+		if versions.LessThan(apiClient.ClientVersion(), "1.28") {
+			clientSideRollback = true
+			spec = service.PreviousSpec
+			if spec == nil {
+				return errors.Errorf("service does not have a previous specification to roll back to")
+			}
+		} else {
+			serverSideRollback = true
+		}
+	}
+
+	updateOpts := types.ServiceUpdateOptions{}
+	if serverSideRollback {
+		updateOpts.Rollback = "previous"
+	}
+
+	err = updateService(ctx, apiClient, flags, spec)
+	if err != nil {
+		return err
+	}
+
+	if flags.Changed("image") {
+		if err := resolveServiceImageDigestContentTrust(dockerCli, spec); err != nil {
+			return err
+		}
+		if !options.noResolveImage && versions.GreaterThanOrEqualTo(apiClient.ClientVersion(), "1.30") {
+			updateOpts.QueryRegistry = true
+		}
+	}
+
+	updatedSecrets, err := getUpdatedSecrets(apiClient, flags, spec.TaskTemplate.ContainerSpec.Secrets)
+	if err != nil {
+		return err
+	}
+
+	spec.TaskTemplate.ContainerSpec.Secrets = updatedSecrets
+
+	updatedConfigs, err := getUpdatedConfigs(apiClient, flags, spec.TaskTemplate.ContainerSpec.Configs)
+	if err != nil {
+		return err
+	}
+
+	spec.TaskTemplate.ContainerSpec.Configs = updatedConfigs
+
+	// only send auth if flag was set
+	sendAuth, err := flags.GetBool(flagRegistryAuth)
+	if err != nil {
+		return err
+	}
+	if sendAuth {
+		// Retrieve encoded auth token from the image reference
+		// This would be the old image if it didn't change in this update
+		image := spec.TaskTemplate.ContainerSpec.Image
+		encodedAuth, err := command.RetrieveAuthTokenFromImage(ctx, dockerCli, image)
+		if err != nil {
+			return err
+		}
+		updateOpts.EncodedRegistryAuth = encodedAuth
+	} else if clientSideRollback {
+		updateOpts.RegistryAuthFrom = types.RegistryAuthFromPreviousSpec
+	} else {
+		updateOpts.RegistryAuthFrom = types.RegistryAuthFromSpec
+	}
+
+	response, err := apiClient.ServiceUpdate(ctx, service.ID, service.Version, *spec, updateOpts)
+	if err != nil {
+		return err
+	}
+
+	for _, warning := range response.Warnings {
+		fmt.Fprintln(dockerCli.Err(), warning)
+	}
+
+	fmt.Fprintf(dockerCli.Out(), "%s\n", serviceID)
+
+	if options.detach || versions.LessThan(apiClient.ClientVersion(), "1.29") {
+		return nil
+	}
+
+	return waitOnService(ctx, dockerCli, serviceID, options.quiet)
+}
+
+// nolint: gocyclo
+func updateService(ctx context.Context, apiClient client.NetworkAPIClient, flags *pflag.FlagSet, spec *swarm.ServiceSpec) error {
+	updateBoolPtr := func(flag string, field **bool) {
+		if flags.Changed(flag) {
+			b, _ := flags.GetBool(flag)
+			*field = &b
+		}
+	}
+	updateString := func(flag string, field *string) {
+		if flags.Changed(flag) {
+			*field, _ = flags.GetString(flag)
+		}
+	}
+
+	updateInt64Value := func(flag string, field *int64) {
+		if flags.Changed(flag) {
+			*field = flags.Lookup(flag).Value.(int64Value).Value()
+		}
+	}
+
+	updateFloatValue := func(flag string, field *float32) {
+		if flags.Changed(flag) {
+			*field = flags.Lookup(flag).Value.(*floatValue).Value()
+		}
+	}
+
+	updateDuration := func(flag string, field *time.Duration) {
+		if flags.Changed(flag) {
+			*field, _ = flags.GetDuration(flag)
+		}
+	}
+
+	updateDurationOpt := func(flag string, field **time.Duration) {
+		if flags.Changed(flag) {
+			val := *flags.Lookup(flag).Value.(*opts.DurationOpt).Value()
+			*field = &val
+		}
+	}
+
+	updateUint64 := func(flag string, field *uint64) {
+		if flags.Changed(flag) {
+			*field, _ = flags.GetUint64(flag)
+		}
+	}
+
+	updateUint64Opt := func(flag string, field **uint64) {
+		if flags.Changed(flag) {
+			val := *flags.Lookup(flag).Value.(*Uint64Opt).Value()
+			*field = &val
+		}
+	}
+
+	updateIsolation := func(flag string, field *container.Isolation) error {
+		if flags.Changed(flag) {
+			val, _ := flags.GetString(flag)
+			*field = container.Isolation(val)
+		}
+		return nil
+	}
+
+	cspec := spec.TaskTemplate.ContainerSpec
+	task := &spec.TaskTemplate
+
+	taskResources := func() *swarm.ResourceRequirements {
+		if task.Resources == nil {
+			task.Resources = &swarm.ResourceRequirements{}
+		}
+		return task.Resources
+	}
+
+	updateLabels(flags, &spec.Labels)
+	updateContainerLabels(flags, &cspec.Labels)
+	updateString("image", &cspec.Image)
+	updateStringToSlice(flags, "args", &cspec.Args)
+	updateStringToSlice(flags, flagEntrypoint, &cspec.Command)
+	updateEnvironment(flags, &cspec.Env)
+	updateString(flagWorkdir, &cspec.Dir)
+	updateString(flagUser, &cspec.User)
+	updateString(flagHostname, &cspec.Hostname)
+	updateBoolPtr(flagInit, &cspec.Init)
+	if err := updateIsolation(flagIsolation, &cspec.Isolation); err != nil {
+		return err
+	}
+	if err := updateMounts(flags, &cspec.Mounts); err != nil {
+		return err
+	}
+
+	if anyChanged(flags, flagLimitCPU, flagLimitMemory) {
+		taskResources().Limits = spec.TaskTemplate.Resources.Limits
+		updateInt64Value(flagLimitCPU, &task.Resources.Limits.NanoCPUs)
+		updateInt64Value(flagLimitMemory, &task.Resources.Limits.MemoryBytes)
+	}
+
+	if anyChanged(flags, flagReserveCPU, flagReserveMemory) {
+		taskResources().Reservations = spec.TaskTemplate.Resources.Reservations
+		updateInt64Value(flagReserveCPU, &task.Resources.Reservations.NanoCPUs)
+		updateInt64Value(flagReserveMemory, &task.Resources.Reservations.MemoryBytes)
+	}
+
+	if err := addGenericResources(flags, task); err != nil {
+		return err
+	}
+
+	if err := removeGenericResources(flags, task); err != nil {
+		return err
+	}
+
+	updateDurationOpt(flagStopGracePeriod, &cspec.StopGracePeriod)
+
+	if anyChanged(flags, flagRestartCondition, flagRestartDelay, flagRestartMaxAttempts, flagRestartWindow) {
+		if task.RestartPolicy == nil {
+			task.RestartPolicy = defaultRestartPolicy()
+		}
+		if flags.Changed(flagRestartCondition) {
+			value, _ := flags.GetString(flagRestartCondition)
+			task.RestartPolicy.Condition = swarm.RestartPolicyCondition(value)
+		}
+		updateDurationOpt(flagRestartDelay, &task.RestartPolicy.Delay)
+		updateUint64Opt(flagRestartMaxAttempts, &task.RestartPolicy.MaxAttempts)
+		updateDurationOpt(flagRestartWindow, &task.RestartPolicy.Window)
+	}
+
+	if anyChanged(flags, flagConstraintAdd, flagConstraintRemove) {
+		if task.Placement == nil {
+			task.Placement = &swarm.Placement{}
+		}
+		updatePlacementConstraints(flags, task.Placement)
+	}
+
+	if anyChanged(flags, flagPlacementPrefAdd, flagPlacementPrefRemove) {
+		if task.Placement == nil {
+			task.Placement = &swarm.Placement{}
+		}
+		updatePlacementPreferences(flags, task.Placement)
+	}
+
+	if anyChanged(flags, flagNetworkAdd, flagNetworkRemove) {
+		if err := updateNetworks(ctx, apiClient, flags, spec); err != nil {
+			return err
+		}
+	}
+
+	if err := updateReplicas(flags, &spec.Mode); err != nil {
+		return err
+	}
+
+	if anyChanged(flags, flagUpdateParallelism, flagUpdateDelay, flagUpdateMonitor, flagUpdateFailureAction, flagUpdateMaxFailureRatio, flagUpdateOrder) {
+		if spec.UpdateConfig == nil {
+			spec.UpdateConfig = updateConfigFromDefaults(defaults.Service.Update)
+		}
+		updateUint64(flagUpdateParallelism, &spec.UpdateConfig.Parallelism)
+		updateDuration(flagUpdateDelay, &spec.UpdateConfig.Delay)
+		updateDuration(flagUpdateMonitor, &spec.UpdateConfig.Monitor)
+		updateString(flagUpdateFailureAction, &spec.UpdateConfig.FailureAction)
+		updateFloatValue(flagUpdateMaxFailureRatio, &spec.UpdateConfig.MaxFailureRatio)
+		updateString(flagUpdateOrder, &spec.UpdateConfig.Order)
+	}
+
+	if anyChanged(flags, flagRollbackParallelism, flagRollbackDelay, flagRollbackMonitor, flagRollbackFailureAction, flagRollbackMaxFailureRatio, flagRollbackOrder) {
+		if spec.RollbackConfig == nil {
+			spec.RollbackConfig = updateConfigFromDefaults(defaults.Service.Rollback)
+		}
+		updateUint64(flagRollbackParallelism, &spec.RollbackConfig.Parallelism)
+		updateDuration(flagRollbackDelay, &spec.RollbackConfig.Delay)
+		updateDuration(flagRollbackMonitor, &spec.RollbackConfig.Monitor)
+		updateString(flagRollbackFailureAction, &spec.RollbackConfig.FailureAction)
+		updateFloatValue(flagRollbackMaxFailureRatio, &spec.RollbackConfig.MaxFailureRatio)
+		updateString(flagRollbackOrder, &spec.RollbackConfig.Order)
+	}
+
+	if flags.Changed(flagEndpointMode) {
+		value, _ := flags.GetString(flagEndpointMode)
+		if spec.EndpointSpec == nil {
+			spec.EndpointSpec = &swarm.EndpointSpec{}
+		}
+		spec.EndpointSpec.Mode = swarm.ResolutionMode(value)
+	}
+
+	if anyChanged(flags, flagGroupAdd, flagGroupRemove) {
+		if err := updateGroups(flags, &cspec.Groups); err != nil {
+			return err
+		}
+	}
+
+	if anyChanged(flags, flagPublishAdd, flagPublishRemove) {
+		if spec.EndpointSpec == nil {
+			spec.EndpointSpec = &swarm.EndpointSpec{}
+		}
+		if err := updatePorts(flags, &spec.EndpointSpec.Ports); err != nil {
+			return err
+		}
+	}
+
+	if anyChanged(flags, flagDNSAdd, flagDNSRemove, flagDNSOptionAdd, flagDNSOptionRemove, flagDNSSearchAdd, flagDNSSearchRemove) {
+		if cspec.DNSConfig == nil {
+			cspec.DNSConfig = &swarm.DNSConfig{}
+		}
+		if err := updateDNSConfig(flags, &cspec.DNSConfig); err != nil {
+			return err
+		}
+	}
+
+	if anyChanged(flags, flagHostAdd, flagHostRemove) {
+		if err := updateHosts(flags, &cspec.Hosts); err != nil {
+			return err
+		}
+	}
+
+	if err := updateLogDriver(flags, &spec.TaskTemplate); err != nil {
+		return err
+	}
+
+	force, err := flags.GetBool("force")
+	if err != nil {
+		return err
+	}
+
+	if force {
+		spec.TaskTemplate.ForceUpdate++
+	}
+
+	if err := updateHealthcheck(flags, cspec); err != nil {
+		return err
+	}
+
+	if flags.Changed(flagTTY) {
+		tty, err := flags.GetBool(flagTTY)
+		if err != nil {
+			return err
+		}
+		cspec.TTY = tty
+	}
+
+	if flags.Changed(flagReadOnly) {
+		readOnly, err := flags.GetBool(flagReadOnly)
+		if err != nil {
+			return err
+		}
+		cspec.ReadOnly = readOnly
+	}
+
+	updateString(flagStopSignal, &cspec.StopSignal)
+
+	return nil
+}
+
+func updateStringToSlice(flags *pflag.FlagSet, flag string, field *[]string) {
+	if !flags.Changed(flag) {
+		return
+	}
+
+	*field = flags.Lookup(flag).Value.(*ShlexOpt).Value()
+}
+
+func anyChanged(flags *pflag.FlagSet, fields ...string) bool {
+	for _, flag := range fields {
+		if flags.Changed(flag) {
+			return true
+		}
+	}
+	return false
+}
+
+func addGenericResources(flags *pflag.FlagSet, spec *swarm.TaskSpec) error {
+	if !flags.Changed(flagGenericResourcesAdd) {
+		return nil
+	}
+
+	if spec.Resources == nil {
+		spec.Resources = &swarm.ResourceRequirements{}
+	}
+
+	if spec.Resources.Reservations == nil {
+		spec.Resources.Reservations = &swarm.Resources{}
+	}
+
+	values := flags.Lookup(flagGenericResourcesAdd).Value.(*opts.ListOpts).GetAll()
+	generic, err := ParseGenericResources(values)
+	if err != nil {
+		return err
+	}
+
+	m, err := buildGenericResourceMap(spec.Resources.Reservations.GenericResources)
+	if err != nil {
+		return err
+	}
+
+	for _, toAddRes := range generic {
+		m[toAddRes.DiscreteResourceSpec.Kind] = toAddRes
+	}
+
+	spec.Resources.Reservations.GenericResources = buildGenericResourceList(m)
+
+	return nil
+}
+
+func removeGenericResources(flags *pflag.FlagSet, spec *swarm.TaskSpec) error {
+	// Can only be Discrete Resources
+	if !flags.Changed(flagGenericResourcesRemove) {
+		return nil
+	}
+
+	if spec.Resources == nil {
+		spec.Resources = &swarm.ResourceRequirements{}
+	}
+
+	if spec.Resources.Reservations == nil {
+		spec.Resources.Reservations = &swarm.Resources{}
+	}
+
+	values := flags.Lookup(flagGenericResourcesRemove).Value.(*opts.ListOpts).GetAll()
+
+	m, err := buildGenericResourceMap(spec.Resources.Reservations.GenericResources)
+	if err != nil {
+		return err
+	}
+
+	for _, toRemoveRes := range values {
+		if _, ok := m[toRemoveRes]; !ok {
+			return fmt.Errorf("could not find generic-resource `%s` to remove it", toRemoveRes)
+		}
+
+		delete(m, toRemoveRes)
+	}
+
+	spec.Resources.Reservations.GenericResources = buildGenericResourceList(m)
+	return nil
+}
+
+func updatePlacementConstraints(flags *pflag.FlagSet, placement *swarm.Placement) {
+	if flags.Changed(flagConstraintAdd) {
+		values := flags.Lookup(flagConstraintAdd).Value.(*opts.ListOpts).GetAll()
+		placement.Constraints = append(placement.Constraints, values...)
+	}
+	toRemove := buildToRemoveSet(flags, flagConstraintRemove)
+
+	newConstraints := []string{}
+	for _, constraint := range placement.Constraints {
+		if _, exists := toRemove[constraint]; !exists {
+			newConstraints = append(newConstraints, constraint)
+		}
+	}
+	// Sort so that result is predictable.
+	sort.Strings(newConstraints)
+
+	placement.Constraints = newConstraints
+}
+
+func updatePlacementPreferences(flags *pflag.FlagSet, placement *swarm.Placement) {
+	var newPrefs []swarm.PlacementPreference
+
+	if flags.Changed(flagPlacementPrefRemove) {
+		for _, existing := range placement.Preferences {
+			removed := false
+			for _, removal := range flags.Lookup(flagPlacementPrefRemove).Value.(*placementPrefOpts).prefs {
+				if removal.Spread != nil && existing.Spread != nil && removal.Spread.SpreadDescriptor == existing.Spread.SpreadDescriptor {
+					removed = true
+					break
+				}
+			}
+			if !removed {
+				newPrefs = append(newPrefs, existing)
+			}
+		}
+	} else {
+		newPrefs = placement.Preferences
+	}
+
+	if flags.Changed(flagPlacementPrefAdd) {
+		newPrefs = append(newPrefs,
+			flags.Lookup(flagPlacementPrefAdd).Value.(*placementPrefOpts).prefs...)
+	}
+
+	placement.Preferences = newPrefs
+}
+
+func updateContainerLabels(flags *pflag.FlagSet, field *map[string]string) {
+	if flags.Changed(flagContainerLabelAdd) {
+		if *field == nil {
+			*field = map[string]string{}
+		}
+
+		values := flags.Lookup(flagContainerLabelAdd).Value.(*opts.ListOpts).GetAll()
+		for key, value := range opts.ConvertKVStringsToMap(values) {
+			(*field)[key] = value
+		}
+	}
+
+	if *field != nil && flags.Changed(flagContainerLabelRemove) {
+		toRemove := flags.Lookup(flagContainerLabelRemove).Value.(*opts.ListOpts).GetAll()
+		for _, label := range toRemove {
+			delete(*field, label)
+		}
+	}
+}
+
+func updateLabels(flags *pflag.FlagSet, field *map[string]string) {
+	if flags.Changed(flagLabelAdd) {
+		if *field == nil {
+			*field = map[string]string{}
+		}
+
+		values := flags.Lookup(flagLabelAdd).Value.(*opts.ListOpts).GetAll()
+		for key, value := range opts.ConvertKVStringsToMap(values) {
+			(*field)[key] = value
+		}
+	}
+
+	if *field != nil && flags.Changed(flagLabelRemove) {
+		toRemove := flags.Lookup(flagLabelRemove).Value.(*opts.ListOpts).GetAll()
+		for _, label := range toRemove {
+			delete(*field, label)
+		}
+	}
+}
+
+func updateEnvironment(flags *pflag.FlagSet, field *[]string) {
+	if flags.Changed(flagEnvAdd) {
+		envSet := map[string]string{}
+		for _, v := range *field {
+			envSet[envKey(v)] = v
+		}
+
+		value := flags.Lookup(flagEnvAdd).Value.(*opts.ListOpts)
+		for _, v := range value.GetAll() {
+			envSet[envKey(v)] = v
+		}
+
+		*field = []string{}
+		for _, v := range envSet {
+			*field = append(*field, v)
+		}
+	}
+
+	toRemove := buildToRemoveSet(flags, flagEnvRemove)
+	*field = removeItems(*field, toRemove, envKey)
+}
+
+func getUpdatedSecrets(apiClient client.SecretAPIClient, flags *pflag.FlagSet, secrets []*swarm.SecretReference) ([]*swarm.SecretReference, error) {
+	newSecrets := []*swarm.SecretReference{}
+
+	toRemove := buildToRemoveSet(flags, flagSecretRemove)
+	for _, secret := range secrets {
+		if _, exists := toRemove[secret.SecretName]; !exists {
+			newSecrets = append(newSecrets, secret)
+		}
+	}
+
+	if flags.Changed(flagSecretAdd) {
+		values := flags.Lookup(flagSecretAdd).Value.(*opts.SecretOpt).Value()
+
+		addSecrets, err := ParseSecrets(apiClient, values)
+		if err != nil {
+			return nil, err
+		}
+		newSecrets = append(newSecrets, addSecrets...)
+	}
+
+	return newSecrets, nil
+}
+
+func getUpdatedConfigs(apiClient client.ConfigAPIClient, flags *pflag.FlagSet, configs []*swarm.ConfigReference) ([]*swarm.ConfigReference, error) {
+	newConfigs := []*swarm.ConfigReference{}
+
+	toRemove := buildToRemoveSet(flags, flagConfigRemove)
+	for _, config := range configs {
+		if _, exists := toRemove[config.ConfigName]; !exists {
+			newConfigs = append(newConfigs, config)
+		}
+	}
+
+	if flags.Changed(flagConfigAdd) {
+		values := flags.Lookup(flagConfigAdd).Value.(*opts.ConfigOpt).Value()
+
+		addConfigs, err := ParseConfigs(apiClient, values)
+		if err != nil {
+			return nil, err
+		}
+		newConfigs = append(newConfigs, addConfigs...)
+	}
+
+	return newConfigs, nil
+}
+
+func envKey(value string) string {
+	kv := strings.SplitN(value, "=", 2)
+	return kv[0]
+}
+
+func buildToRemoveSet(flags *pflag.FlagSet, flag string) map[string]struct{} {
+	var empty struct{}
+	toRemove := make(map[string]struct{})
+
+	if !flags.Changed(flag) {
+		return toRemove
+	}
+
+	toRemoveSlice := flags.Lookup(flag).Value.(*opts.ListOpts).GetAll()
+	for _, key := range toRemoveSlice {
+		toRemove[key] = empty
+	}
+	return toRemove
+}
+
+func removeItems(
+	seq []string,
+	toRemove map[string]struct{},
+	keyFunc func(string) string,
+) []string {
+	newSeq := []string{}
+	for _, item := range seq {
+		if _, exists := toRemove[keyFunc(item)]; !exists {
+			newSeq = append(newSeq, item)
+		}
+	}
+	return newSeq
+}
+
+type byMountSource []mounttypes.Mount
+
+func (m byMountSource) Len() int      { return len(m) }
+func (m byMountSource) Swap(i, j int) { m[i], m[j] = m[j], m[i] }
+func (m byMountSource) Less(i, j int) bool {
+	a, b := m[i], m[j]
+
+	if a.Source == b.Source {
+		return a.Target < b.Target
+	}
+
+	return a.Source < b.Source
+}
+
+func updateMounts(flags *pflag.FlagSet, mounts *[]mounttypes.Mount) error {
+	mountsByTarget := map[string]mounttypes.Mount{}
+
+	if flags.Changed(flagMountAdd) {
+		values := flags.Lookup(flagMountAdd).Value.(*opts.MountOpt).Value()
+		for _, mount := range values {
+			if _, ok := mountsByTarget[mount.Target]; ok {
+				return errors.Errorf("duplicate mount target")
+			}
+			mountsByTarget[mount.Target] = mount
+		}
+	}
+
+	// Add old list of mount points minus updated one.
+	for _, mount := range *mounts {
+		if _, ok := mountsByTarget[mount.Target]; !ok {
+			mountsByTarget[mount.Target] = mount
+		}
+	}
+
+	newMounts := []mounttypes.Mount{}
+
+	toRemove := buildToRemoveSet(flags, flagMountRemove)
+
+	for _, mount := range mountsByTarget {
+		if _, exists := toRemove[mount.Target]; !exists {
+			newMounts = append(newMounts, mount)
+		}
+	}
+	sort.Sort(byMountSource(newMounts))
+	*mounts = newMounts
+	return nil
+}
+
+func updateGroups(flags *pflag.FlagSet, groups *[]string) error {
+	if flags.Changed(flagGroupAdd) {
+		values := flags.Lookup(flagGroupAdd).Value.(*opts.ListOpts).GetAll()
+		*groups = append(*groups, values...)
+	}
+	toRemove := buildToRemoveSet(flags, flagGroupRemove)
+
+	newGroups := []string{}
+	for _, group := range *groups {
+		if _, exists := toRemove[group]; !exists {
+			newGroups = append(newGroups, group)
+		}
+	}
+	// Sort so that result is predictable.
+	sort.Strings(newGroups)
+
+	*groups = newGroups
+	return nil
+}
+
+func removeDuplicates(entries []string) []string {
+	hit := map[string]bool{}
+	newEntries := []string{}
+	for _, v := range entries {
+		if !hit[v] {
+			newEntries = append(newEntries, v)
+			hit[v] = true
+		}
+	}
+	return newEntries
+}
+
+func updateDNSConfig(flags *pflag.FlagSet, config **swarm.DNSConfig) error {
+	newConfig := &swarm.DNSConfig{}
+
+	nameservers := (*config).Nameservers
+	if flags.Changed(flagDNSAdd) {
+		values := flags.Lookup(flagDNSAdd).Value.(*opts.ListOpts).GetAll()
+		nameservers = append(nameservers, values...)
+	}
+	nameservers = removeDuplicates(nameservers)
+	toRemove := buildToRemoveSet(flags, flagDNSRemove)
+	for _, nameserver := range nameservers {
+		if _, exists := toRemove[nameserver]; !exists {
+			newConfig.Nameservers = append(newConfig.Nameservers, nameserver)
+
+		}
+	}
+	// Sort so that result is predictable.
+	sort.Strings(newConfig.Nameservers)
+
+	search := (*config).Search
+	if flags.Changed(flagDNSSearchAdd) {
+		values := flags.Lookup(flagDNSSearchAdd).Value.(*opts.ListOpts).GetAll()
+		search = append(search, values...)
+	}
+	search = removeDuplicates(search)
+	toRemove = buildToRemoveSet(flags, flagDNSSearchRemove)
+	for _, entry := range search {
+		if _, exists := toRemove[entry]; !exists {
+			newConfig.Search = append(newConfig.Search, entry)
+		}
+	}
+	// Sort so that result is predictable.
+	sort.Strings(newConfig.Search)
+
+	options := (*config).Options
+	if flags.Changed(flagDNSOptionAdd) {
+		values := flags.Lookup(flagDNSOptionAdd).Value.(*opts.ListOpts).GetAll()
+		options = append(options, values...)
+	}
+	options = removeDuplicates(options)
+	toRemove = buildToRemoveSet(flags, flagDNSOptionRemove)
+	for _, option := range options {
+		if _, exists := toRemove[option]; !exists {
+			newConfig.Options = append(newConfig.Options, option)
+		}
+	}
+	// Sort so that result is predictable.
+	sort.Strings(newConfig.Options)
+
+	*config = newConfig
+	return nil
+}
+
+type byPortConfig []swarm.PortConfig
+
+func (r byPortConfig) Len() int      { return len(r) }
+func (r byPortConfig) Swap(i, j int) { r[i], r[j] = r[j], r[i] }
+func (r byPortConfig) Less(i, j int) bool {
+	// We convert PortConfig into `port/protocol`, e.g., `80/tcp`
+	// In updatePorts we already filter out with map so there is duplicate entries
+	return portConfigToString(&r[i]) < portConfigToString(&r[j])
+}
+
+func portConfigToString(portConfig *swarm.PortConfig) string {
+	protocol := portConfig.Protocol
+	mode := portConfig.PublishMode
+	return fmt.Sprintf("%v:%v/%s/%s", portConfig.PublishedPort, portConfig.TargetPort, protocol, mode)
+}
+
+func updatePorts(flags *pflag.FlagSet, portConfig *[]swarm.PortConfig) error {
+	// The key of the map is `port/protocol`, e.g., `80/tcp`
+	portSet := map[string]swarm.PortConfig{}
+
+	// Build the current list of portConfig
+	for _, entry := range *portConfig {
+		if _, ok := portSet[portConfigToString(&entry)]; !ok {
+			portSet[portConfigToString(&entry)] = entry
+		}
+	}
+
+	newPorts := []swarm.PortConfig{}
+
+	// Clean current ports
+	toRemove := flags.Lookup(flagPublishRemove).Value.(*opts.PortOpt).Value()
+portLoop:
+	for _, port := range portSet {
+		for _, pConfig := range toRemove {
+			if equalProtocol(port.Protocol, pConfig.Protocol) &&
+				port.TargetPort == pConfig.TargetPort &&
+				equalPublishMode(port.PublishMode, pConfig.PublishMode) {
+				continue portLoop
+			}
+		}
+
+		newPorts = append(newPorts, port)
+	}
+
+	// Check to see if there are any conflict in flags.
+	if flags.Changed(flagPublishAdd) {
+		ports := flags.Lookup(flagPublishAdd).Value.(*opts.PortOpt).Value()
+
+		for _, port := range ports {
+			if _, ok := portSet[portConfigToString(&port)]; ok {
+				continue
+			}
+			//portSet[portConfigToString(&port)] = port
+			newPorts = append(newPorts, port)
+		}
+	}
+
+	// Sort the PortConfig to avoid unnecessary updates
+	sort.Sort(byPortConfig(newPorts))
+	*portConfig = newPorts
+	return nil
+}
+
+func equalProtocol(prot1, prot2 swarm.PortConfigProtocol) bool {
+	return prot1 == prot2 ||
+		(prot1 == swarm.PortConfigProtocol("") && prot2 == swarm.PortConfigProtocolTCP) ||
+		(prot2 == swarm.PortConfigProtocol("") && prot1 == swarm.PortConfigProtocolTCP)
+}
+
+func equalPublishMode(mode1, mode2 swarm.PortConfigPublishMode) bool {
+	return mode1 == mode2 ||
+		(mode1 == swarm.PortConfigPublishMode("") && mode2 == swarm.PortConfigPublishModeIngress) ||
+		(mode2 == swarm.PortConfigPublishMode("") && mode1 == swarm.PortConfigPublishModeIngress)
+}
+
+func updateReplicas(flags *pflag.FlagSet, serviceMode *swarm.ServiceMode) error {
+	if !flags.Changed(flagReplicas) {
+		return nil
+	}
+
+	if serviceMode == nil || serviceMode.Replicated == nil {
+		return errors.Errorf("replicas can only be used with replicated mode")
+	}
+	serviceMode.Replicated.Replicas = flags.Lookup(flagReplicas).Value.(*Uint64Opt).Value()
+	return nil
+}
+
+type hostMapping struct {
+	IPAddr string
+	Host   string
+}
+
+// updateHosts performs a diff between existing host entries, entries to be
+// removed, and entries to be added. Host entries preserve the order in which they
+// were added, as the specification mentions that in case multiple entries for a
+// host exist, the first entry should be used (by default).
+//
+// Note that, even though unsupported by the the CLI, the service specs format
+// allow entries with both a _canonical_ hostname, and one or more aliases
+// in an entry (IP-address canonical_hostname [alias ...])
+//
+// Entries can be removed by either a specific `<host-name>:<ip-address>` mapping,
+// or by `<host>` alone:
+//
+// - If both IP-address and host-name is provided, the hostname is removed only
+//   from entries that match the given IP-address.
+// - If only a host-name is provided, the hostname is removed from any entry it
+//   is part of (either as canonical host-name, or as alias).
+// - If, after removing the host-name from an entry, no host-names remain in
+//   the entry, the entry itself is removed.
+//
+// For example, the list of host-entries before processing could look like this:
+//
+//    hosts = &[]string{
+//        "127.0.0.2 host3 host1 host2 host4",
+//        "127.0.0.1 host1 host4",
+//        "127.0.0.3 host1",
+//        "127.0.0.1 host1",
+//    }
+//
+// Removing `host1` removes every occurrence:
+//
+//    hosts = &[]string{
+//        "127.0.0.2 host3 host2 host4",
+//        "127.0.0.1 host4",
+//    }
+//
+// Removing `host1:127.0.0.1` on the other hand, only remove the host if the
+// IP-address matches:
+//
+//    hosts = &[]string{
+//        "127.0.0.2 host3 host1 host2 host4",
+//        "127.0.0.1 host4",
+//        "127.0.0.3 host1",
+//    }
+func updateHosts(flags *pflag.FlagSet, hosts *[]string) error {
+	var toRemove []hostMapping
+	if flags.Changed(flagHostRemove) {
+		extraHostsToRemove := flags.Lookup(flagHostRemove).Value.(*opts.ListOpts).GetAll()
+		for _, entry := range extraHostsToRemove {
+			v := strings.SplitN(entry, ":", 2)
+			if len(v) > 1 {
+				toRemove = append(toRemove, hostMapping{IPAddr: v[1], Host: v[0]})
+			} else {
+				toRemove = append(toRemove, hostMapping{Host: v[0]})
+			}
+		}
+	}
+
+	var newHosts []string
+	for _, entry := range *hosts {
+		// Since this is in SwarmKit format, we need to find the key, which is canonical_hostname of:
+		// IP_address canonical_hostname [aliases...]
+		parts := strings.Fields(entry)
+		if len(parts) == 0 {
+			continue
+		}
+		ip := parts[0]
+		hostNames := parts[1:]
+		for _, rm := range toRemove {
+			if rm.IPAddr != "" && rm.IPAddr != ip {
+				continue
+			}
+			for i, h := range hostNames {
+				if h == rm.Host {
+					hostNames = append(hostNames[:i], hostNames[i+1:]...)
+				}
+			}
+		}
+		if len(hostNames) > 0 {
+			newHosts = append(newHosts, fmt.Sprintf("%s %s", ip, strings.Join(hostNames, " ")))
+		}
+	}
+
+	// Append new hosts (in SwarmKit format)
+	if flags.Changed(flagHostAdd) {
+		values := convertExtraHostsToSwarmHosts(flags.Lookup(flagHostAdd).Value.(*opts.ListOpts).GetAll())
+		newHosts = append(newHosts, values...)
+	}
+	*hosts = removeDuplicates(newHosts)
+	return nil
+}
+
+// updateLogDriver updates the log driver only if the log driver flag is set.
+// All options will be replaced with those provided on the command line.
+func updateLogDriver(flags *pflag.FlagSet, taskTemplate *swarm.TaskSpec) error {
+	if !flags.Changed(flagLogDriver) {
+		return nil
+	}
+
+	name, err := flags.GetString(flagLogDriver)
+	if err != nil {
+		return err
+	}
+
+	if name == "" {
+		return nil
+	}
+
+	taskTemplate.LogDriver = &swarm.Driver{
+		Name:    name,
+		Options: opts.ConvertKVStringsToMap(flags.Lookup(flagLogOpt).Value.(*opts.ListOpts).GetAll()),
+	}
+
+	return nil
+}
+
+func updateHealthcheck(flags *pflag.FlagSet, containerSpec *swarm.ContainerSpec) error {
+	if !anyChanged(flags, flagNoHealthcheck, flagHealthCmd, flagHealthInterval, flagHealthRetries, flagHealthTimeout, flagHealthStartPeriod) {
+		return nil
+	}
+	if containerSpec.Healthcheck == nil {
+		containerSpec.Healthcheck = &container.HealthConfig{}
+	}
+	noHealthcheck, err := flags.GetBool(flagNoHealthcheck)
+	if err != nil {
+		return err
+	}
+	if noHealthcheck {
+		if !anyChanged(flags, flagHealthCmd, flagHealthInterval, flagHealthRetries, flagHealthTimeout, flagHealthStartPeriod) {
+			containerSpec.Healthcheck = &container.HealthConfig{
+				Test: []string{"NONE"},
+			}
+			return nil
+		}
+		return errors.Errorf("--%s conflicts with --health-* options", flagNoHealthcheck)
+	}
+	if len(containerSpec.Healthcheck.Test) > 0 && containerSpec.Healthcheck.Test[0] == "NONE" {
+		containerSpec.Healthcheck.Test = nil
+	}
+	if flags.Changed(flagHealthInterval) {
+		val := *flags.Lookup(flagHealthInterval).Value.(*opts.PositiveDurationOpt).Value()
+		containerSpec.Healthcheck.Interval = val
+	}
+	if flags.Changed(flagHealthTimeout) {
+		val := *flags.Lookup(flagHealthTimeout).Value.(*opts.PositiveDurationOpt).Value()
+		containerSpec.Healthcheck.Timeout = val
+	}
+	if flags.Changed(flagHealthStartPeriod) {
+		val := *flags.Lookup(flagHealthStartPeriod).Value.(*opts.PositiveDurationOpt).Value()
+		containerSpec.Healthcheck.StartPeriod = val
+	}
+	if flags.Changed(flagHealthRetries) {
+		containerSpec.Healthcheck.Retries, _ = flags.GetInt(flagHealthRetries)
+	}
+	if flags.Changed(flagHealthCmd) {
+		cmd, _ := flags.GetString(flagHealthCmd)
+		if cmd != "" {
+			containerSpec.Healthcheck.Test = []string{"CMD-SHELL", cmd}
+		} else {
+			containerSpec.Healthcheck.Test = nil
+		}
+	}
+	return nil
+}
+
+type byNetworkTarget []swarm.NetworkAttachmentConfig
+
+func (m byNetworkTarget) Len() int      { return len(m) }
+func (m byNetworkTarget) Swap(i, j int) { m[i], m[j] = m[j], m[i] }
+func (m byNetworkTarget) Less(i, j int) bool {
+	return m[i].Target < m[j].Target
+}
+
+func updateNetworks(ctx context.Context, apiClient client.NetworkAPIClient, flags *pflag.FlagSet, spec *swarm.ServiceSpec) error {
+	// spec.TaskTemplate.Networks takes precedence over the deprecated
+	// spec.Networks field. If spec.Network is in use, we'll migrate those
+	// values to spec.TaskTemplate.Networks.
+	specNetworks := spec.TaskTemplate.Networks
+	if len(specNetworks) == 0 {
+		specNetworks = spec.Networks
+	}
+	spec.Networks = nil
+
+	toRemove := buildToRemoveSet(flags, flagNetworkRemove)
+	idsToRemove := make(map[string]struct{})
+	for networkIDOrName := range toRemove {
+		network, err := apiClient.NetworkInspect(ctx, networkIDOrName, types.NetworkInspectOptions{Scope: "swarm"})
+		if err != nil {
+			return err
+		}
+		idsToRemove[network.ID] = struct{}{}
+	}
+
+	existingNetworks := make(map[string]struct{})
+	var newNetworks []swarm.NetworkAttachmentConfig
+	for _, network := range specNetworks {
+		if _, exists := idsToRemove[network.Target]; exists {
+			continue
+		}
+
+		newNetworks = append(newNetworks, network)
+		existingNetworks[network.Target] = struct{}{}
+	}
+
+	if flags.Changed(flagNetworkAdd) {
+		values := flags.Lookup(flagNetworkAdd).Value.(*opts.NetworkOpt)
+		networks := convertNetworks(*values)
+		for _, network := range networks {
+			nwID, err := resolveNetworkID(ctx, apiClient, network.Target)
+			if err != nil {
+				return err
+			}
+			if _, exists := existingNetworks[nwID]; exists {
+				return errors.Errorf("service is already attached to network %s", network.Target)
+			}
+			network.Target = nwID
+			newNetworks = append(newNetworks, network)
+			existingNetworks[network.Target] = struct{}{}
+		}
+	}
+
+	sort.Sort(byNetworkTarget(newNetworks))
+
+	spec.TaskTemplate.Networks = newNetworks
+	return nil
+}
diff --git a/cli/cli/command/service/update_test.go b/cli/cli/command/service/update_test.go
new file mode 100644
index 00000000..847b6ab1
--- /dev/null
+++ b/cli/cli/command/service/update_test.go
@@ -0,0 +1,778 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestUpdateServiceArgs(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("args", "the \"new args\"")
+
+	spec := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+	cspec := spec.TaskTemplate.ContainerSpec
+	cspec.Args = []string{"old", "args"}
+
+	updateService(nil, nil, flags, spec)
+	assert.Check(t, is.DeepEqual([]string{"the", "new args"}, cspec.Args))
+}
+
+func TestUpdateLabels(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("label-add", "toadd=newlabel")
+	flags.Set("label-rm", "toremove")
+
+	labels := map[string]string{
+		"toremove": "thelabeltoremove",
+		"tokeep":   "value",
+	}
+
+	updateLabels(flags, &labels)
+	assert.Check(t, is.Len(labels, 2))
+	assert.Check(t, is.Equal("value", labels["tokeep"]))
+	assert.Check(t, is.Equal("newlabel", labels["toadd"]))
+}
+
+func TestUpdateLabelsRemoveALabelThatDoesNotExist(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("label-rm", "dne")
+
+	labels := map[string]string{"foo": "theoldlabel"}
+	updateLabels(flags, &labels)
+	assert.Check(t, is.Len(labels, 1))
+}
+
+func TestUpdatePlacementConstraints(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("constraint-add", "node=toadd")
+	flags.Set("constraint-rm", "node!=toremove")
+
+	placement := &swarm.Placement{
+		Constraints: []string{"node!=toremove", "container=tokeep"},
+	}
+
+	updatePlacementConstraints(flags, placement)
+	assert.Assert(t, is.Len(placement.Constraints, 2))
+	assert.Check(t, is.Equal("container=tokeep", placement.Constraints[0]))
+	assert.Check(t, is.Equal("node=toadd", placement.Constraints[1]))
+}
+
+func TestUpdatePlacementPrefs(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("placement-pref-add", "spread=node.labels.dc")
+	flags.Set("placement-pref-rm", "spread=node.labels.rack")
+
+	placement := &swarm.Placement{
+		Preferences: []swarm.PlacementPreference{
+			{
+				Spread: &swarm.SpreadOver{
+					SpreadDescriptor: "node.labels.rack",
+				},
+			},
+			{
+				Spread: &swarm.SpreadOver{
+					SpreadDescriptor: "node.labels.row",
+				},
+			},
+		},
+	}
+
+	updatePlacementPreferences(flags, placement)
+	assert.Assert(t, is.Len(placement.Preferences, 2))
+	assert.Check(t, is.Equal("node.labels.row", placement.Preferences[0].Spread.SpreadDescriptor))
+	assert.Check(t, is.Equal("node.labels.dc", placement.Preferences[1].Spread.SpreadDescriptor))
+}
+
+func TestUpdateEnvironment(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("env-add", "toadd=newenv")
+	flags.Set("env-rm", "toremove")
+
+	envs := []string{"toremove=theenvtoremove", "tokeep=value"}
+
+	updateEnvironment(flags, &envs)
+	assert.Assert(t, is.Len(envs, 2))
+	// Order has been removed in updateEnvironment (map)
+	sort.Strings(envs)
+	assert.Check(t, is.Equal("toadd=newenv", envs[0]))
+	assert.Check(t, is.Equal("tokeep=value", envs[1]))
+}
+
+func TestUpdateEnvironmentWithDuplicateValues(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("env-add", "foo=newenv")
+	flags.Set("env-add", "foo=dupe")
+	flags.Set("env-rm", "foo")
+
+	envs := []string{"foo=value"}
+
+	updateEnvironment(flags, &envs)
+	assert.Check(t, is.Len(envs, 0))
+}
+
+func TestUpdateEnvironmentWithDuplicateKeys(t *testing.T) {
+	// Test case for #25404
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("env-add", "A=b")
+
+	envs := []string{"A=c"}
+
+	updateEnvironment(flags, &envs)
+	assert.Assert(t, is.Len(envs, 1))
+	assert.Check(t, is.Equal("A=b", envs[0]))
+}
+
+func TestUpdateGroups(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("group-add", "wheel")
+	flags.Set("group-add", "docker")
+	flags.Set("group-rm", "root")
+	flags.Set("group-add", "foo")
+	flags.Set("group-rm", "docker")
+
+	groups := []string{"bar", "root"}
+
+	updateGroups(flags, &groups)
+	assert.Assert(t, is.Len(groups, 3))
+	assert.Check(t, is.Equal("bar", groups[0]))
+	assert.Check(t, is.Equal("foo", groups[1]))
+	assert.Check(t, is.Equal("wheel", groups[2]))
+}
+
+func TestUpdateDNSConfig(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+
+	// IPv4, with duplicates
+	flags.Set("dns-add", "1.1.1.1")
+	flags.Set("dns-add", "1.1.1.1")
+	flags.Set("dns-add", "2.2.2.2")
+	flags.Set("dns-rm", "3.3.3.3")
+	flags.Set("dns-rm", "2.2.2.2")
+	// IPv6
+	flags.Set("dns-add", "2001:db8:abc8::1")
+	// Invalid dns record
+	assert.ErrorContains(t, flags.Set("dns-add", "x.y.z.w"), "x.y.z.w is not an ip address")
+
+	// domains with duplicates
+	flags.Set("dns-search-add", "example.com")
+	flags.Set("dns-search-add", "example.com")
+	flags.Set("dns-search-add", "example.org")
+	flags.Set("dns-search-rm", "example.org")
+	// Invalid dns search domain
+	assert.ErrorContains(t, flags.Set("dns-search-add", "example$com"), "example$com is not a valid domain")
+
+	flags.Set("dns-option-add", "ndots:9")
+	flags.Set("dns-option-rm", "timeout:3")
+
+	config := &swarm.DNSConfig{
+		Nameservers: []string{"3.3.3.3", "5.5.5.5"},
+		Search:      []string{"localdomain"},
+		Options:     []string{"timeout:3"},
+	}
+
+	updateDNSConfig(flags, &config)
+
+	assert.Assert(t, is.Len(config.Nameservers, 3))
+	assert.Check(t, is.Equal("1.1.1.1", config.Nameservers[0]))
+	assert.Check(t, is.Equal("2001:db8:abc8::1", config.Nameservers[1]))
+	assert.Check(t, is.Equal("5.5.5.5", config.Nameservers[2]))
+
+	assert.Assert(t, is.Len(config.Search, 2))
+	assert.Check(t, is.Equal("example.com", config.Search[0]))
+	assert.Check(t, is.Equal("localdomain", config.Search[1]))
+
+	assert.Assert(t, is.Len(config.Options, 1))
+	assert.Check(t, is.Equal(config.Options[0], "ndots:9"))
+}
+
+func TestUpdateMounts(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("mount-add", "type=volume,source=vol2,target=/toadd")
+	flags.Set("mount-rm", "/toremove")
+
+	mounts := []mounttypes.Mount{
+		{Target: "/toremove", Source: "vol1", Type: mounttypes.TypeBind},
+		{Target: "/tokeep", Source: "vol3", Type: mounttypes.TypeBind},
+	}
+
+	updateMounts(flags, &mounts)
+	assert.Assert(t, is.Len(mounts, 2))
+	assert.Check(t, is.Equal("/toadd", mounts[0].Target))
+	assert.Check(t, is.Equal("/tokeep", mounts[1].Target))
+}
+
+func TestUpdateMountsWithDuplicateMounts(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("mount-add", "type=volume,source=vol4,target=/toadd")
+
+	mounts := []mounttypes.Mount{
+		{Target: "/tokeep1", Source: "vol1", Type: mounttypes.TypeBind},
+		{Target: "/toadd", Source: "vol2", Type: mounttypes.TypeBind},
+		{Target: "/tokeep2", Source: "vol3", Type: mounttypes.TypeBind},
+	}
+
+	updateMounts(flags, &mounts)
+	assert.Assert(t, is.Len(mounts, 3))
+	assert.Check(t, is.Equal("/tokeep1", mounts[0].Target))
+	assert.Check(t, is.Equal("/tokeep2", mounts[1].Target))
+	assert.Check(t, is.Equal("/toadd", mounts[2].Target))
+}
+
+func TestUpdatePorts(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("publish-add", "1000:1000")
+	flags.Set("publish-rm", "333/udp")
+
+	portConfigs := []swarm.PortConfig{
+		{TargetPort: 333, Protocol: swarm.PortConfigProtocolUDP},
+		{TargetPort: 555},
+	}
+
+	err := updatePorts(flags, &portConfigs)
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(portConfigs, 2))
+	// Do a sort to have the order (might have changed by map)
+	targetPorts := []int{int(portConfigs[0].TargetPort), int(portConfigs[1].TargetPort)}
+	sort.Ints(targetPorts)
+	assert.Check(t, is.Equal(555, targetPorts[0]))
+	assert.Check(t, is.Equal(1000, targetPorts[1]))
+}
+
+func TestUpdatePortsDuplicate(t *testing.T) {
+	// Test case for #25375
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("publish-add", "80:80")
+
+	portConfigs := []swarm.PortConfig{
+		{
+			TargetPort:    80,
+			PublishedPort: 80,
+			Protocol:      swarm.PortConfigProtocolTCP,
+			PublishMode:   swarm.PortConfigPublishModeIngress,
+		},
+	}
+
+	err := updatePorts(flags, &portConfigs)
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(portConfigs, 1))
+	assert.Check(t, is.Equal(uint32(80), portConfigs[0].TargetPort))
+}
+
+func TestUpdateHealthcheckTable(t *testing.T) {
+	type test struct {
+		flags    [][2]string
+		initial  *container.HealthConfig
+		expected *container.HealthConfig
+		err      string
+	}
+	testCases := []test{
+		{
+			flags:    [][2]string{{"no-healthcheck", "true"}},
+			initial:  &container.HealthConfig{Test: []string{"CMD-SHELL", "cmd1"}, Retries: 10},
+			expected: &container.HealthConfig{Test: []string{"NONE"}},
+		},
+		{
+			flags:    [][2]string{{"health-cmd", "cmd1"}},
+			initial:  &container.HealthConfig{Test: []string{"NONE"}},
+			expected: &container.HealthConfig{Test: []string{"CMD-SHELL", "cmd1"}},
+		},
+		{
+			flags:    [][2]string{{"health-retries", "10"}},
+			initial:  &container.HealthConfig{Test: []string{"NONE"}},
+			expected: &container.HealthConfig{Retries: 10},
+		},
+		{
+			flags:    [][2]string{{"health-retries", "10"}},
+			initial:  &container.HealthConfig{Test: []string{"CMD", "cmd1"}},
+			expected: &container.HealthConfig{Test: []string{"CMD", "cmd1"}, Retries: 10},
+		},
+		{
+			flags:    [][2]string{{"health-interval", "1m"}},
+			initial:  &container.HealthConfig{Test: []string{"CMD", "cmd1"}},
+			expected: &container.HealthConfig{Test: []string{"CMD", "cmd1"}, Interval: time.Minute},
+		},
+		{
+			flags:    [][2]string{{"health-cmd", ""}},
+			initial:  &container.HealthConfig{Test: []string{"CMD", "cmd1"}, Retries: 10},
+			expected: &container.HealthConfig{Retries: 10},
+		},
+		{
+			flags:    [][2]string{{"health-retries", "0"}},
+			initial:  &container.HealthConfig{Test: []string{"CMD", "cmd1"}, Retries: 10},
+			expected: &container.HealthConfig{Test: []string{"CMD", "cmd1"}},
+		},
+		{
+			flags:    [][2]string{{"health-start-period", "1m"}},
+			initial:  &container.HealthConfig{Test: []string{"CMD", "cmd1"}},
+			expected: &container.HealthConfig{Test: []string{"CMD", "cmd1"}, StartPeriod: time.Minute},
+		},
+		{
+			flags: [][2]string{{"health-cmd", "cmd1"}, {"no-healthcheck", "true"}},
+			err:   "--no-healthcheck conflicts with --health-* options",
+		},
+		{
+			flags: [][2]string{{"health-interval", "10m"}, {"no-healthcheck", "true"}},
+			err:   "--no-healthcheck conflicts with --health-* options",
+		},
+		{
+			flags: [][2]string{{"health-timeout", "1m"}, {"no-healthcheck", "true"}},
+			err:   "--no-healthcheck conflicts with --health-* options",
+		},
+	}
+	for i, c := range testCases {
+		flags := newUpdateCommand(nil).Flags()
+		for _, flag := range c.flags {
+			flags.Set(flag[0], flag[1])
+		}
+		cspec := &swarm.ContainerSpec{
+			Healthcheck: c.initial,
+		}
+		err := updateHealthcheck(flags, cspec)
+		if c.err != "" {
+			assert.Error(t, err, c.err)
+		} else {
+			assert.NilError(t, err)
+			if !reflect.DeepEqual(cspec.Healthcheck, c.expected) {
+				t.Errorf("incorrect result for test %d, expected health config:\n\t%#v\ngot:\n\t%#v", i, c.expected, cspec.Healthcheck)
+			}
+		}
+	}
+}
+
+func TestUpdateHosts(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("host-add", "example.net:2.2.2.2")
+	flags.Set("host-add", "ipv6.net:2001:db8:abc8::1")
+	// remove with ipv6 should work
+	flags.Set("host-rm", "example.net:2001:db8:abc8::1")
+	// just hostname should work as well
+	flags.Set("host-rm", "example.net")
+	// bad format error
+	assert.ErrorContains(t, flags.Set("host-add", "$example.com$"), `bad format for add-host: "$example.com$"`)
+
+	hosts := []string{"1.2.3.4 example.com", "4.3.2.1 example.org", "2001:db8:abc8::1 example.net"}
+	expected := []string{"1.2.3.4 example.com", "4.3.2.1 example.org", "2.2.2.2 example.net", "2001:db8:abc8::1 ipv6.net"}
+
+	err := updateHosts(flags, &hosts)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, hosts))
+}
+
+func TestUpdateHostsPreservesOrder(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("host-add", "foobar:127.0.0.2")
+	flags.Set("host-add", "foobar:127.0.0.1")
+	flags.Set("host-add", "foobar:127.0.0.3")
+
+	hosts := []string{}
+	err := updateHosts(flags, &hosts)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]string{"127.0.0.2 foobar", "127.0.0.1 foobar", "127.0.0.3 foobar"}, hosts))
+}
+
+func TestUpdateHostsReplaceEntry(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("host-add", "foobar:127.0.0.4")
+	flags.Set("host-rm", "foobar:127.0.0.2")
+
+	hosts := []string{"127.0.0.2 foobar", "127.0.0.1 foobar", "127.0.0.3 foobar"}
+
+	err := updateHosts(flags, &hosts)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]string{"127.0.0.1 foobar", "127.0.0.3 foobar", "127.0.0.4 foobar"}, hosts))
+}
+
+func TestUpdateHostsRemoveHost(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("host-rm", "host1")
+
+	hosts := []string{"127.0.0.2 host3 host1 host2 host4", "127.0.0.1 host1 host4", "127.0.0.3 host1"}
+
+	err := updateHosts(flags, &hosts)
+	assert.NilError(t, err)
+
+	// Removing host `host1` should remove the entry from each line it appears in.
+	// If there are no other hosts in the entry, the entry itself should be removed.
+	assert.Check(t, is.DeepEqual([]string{"127.0.0.2 host3 host2 host4", "127.0.0.1 host4"}, hosts))
+}
+
+func TestUpdateHostsRemoveHostIP(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("host-rm", "host1:127.0.0.1")
+
+	hosts := []string{"127.0.0.2 host3 host1 host2 host4", "127.0.0.1 host1 host4", "127.0.0.3 host1", "127.0.0.1 host1"}
+
+	err := updateHosts(flags, &hosts)
+	assert.NilError(t, err)
+
+	// Removing host `host1` should remove the entry from each line it appears in,
+	// but only if the IP-address matches. If there are no other hosts in the entry,
+	// the entry itself should be removed.
+	assert.Check(t, is.DeepEqual([]string{"127.0.0.2 host3 host1 host2 host4", "127.0.0.1 host4", "127.0.0.3 host1"}, hosts))
+}
+
+func TestUpdateHostsRemoveAll(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("host-add", "host-three:127.0.0.4")
+	flags.Set("host-add", "host-one:127.0.0.5")
+	flags.Set("host-rm", "host-one")
+
+	hosts := []string{"127.0.0.1 host-one", "127.0.0.2 host-two", "127.0.0.3 host-one"}
+
+	err := updateHosts(flags, &hosts)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]string{"127.0.0.2 host-two", "127.0.0.4 host-three", "127.0.0.5 host-one"}, hosts))
+}
+
+func TestUpdatePortsRmWithProtocol(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("publish-add", "8081:81")
+	flags.Set("publish-add", "8082:82")
+	flags.Set("publish-rm", "80")
+	flags.Set("publish-rm", "81/tcp")
+	flags.Set("publish-rm", "82/udp")
+
+	portConfigs := []swarm.PortConfig{
+		{
+			TargetPort:    80,
+			PublishedPort: 8080,
+			Protocol:      swarm.PortConfigProtocolTCP,
+			PublishMode:   swarm.PortConfigPublishModeIngress,
+		},
+	}
+
+	err := updatePorts(flags, &portConfigs)
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(portConfigs, 2))
+	assert.Check(t, is.Equal(uint32(81), portConfigs[0].TargetPort))
+	assert.Check(t, is.Equal(uint32(82), portConfigs[1].TargetPort))
+}
+
+type secretAPIClientMock struct {
+	listResult []swarm.Secret
+}
+
+func (s secretAPIClientMock) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+	return s.listResult, nil
+}
+func (s secretAPIClientMock) SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error) {
+	return types.SecretCreateResponse{}, nil
+}
+func (s secretAPIClientMock) SecretRemove(ctx context.Context, id string) error {
+	return nil
+}
+func (s secretAPIClientMock) SecretInspectWithRaw(ctx context.Context, name string) (swarm.Secret, []byte, error) {
+	return swarm.Secret{}, []byte{}, nil
+}
+func (s secretAPIClientMock) SecretUpdate(ctx context.Context, id string, version swarm.Version, secret swarm.SecretSpec) error {
+	return nil
+}
+
+// TestUpdateSecretUpdateInPlace tests the ability to update the "target" of an secret with "docker service update"
+// by combining "--secret-rm" and "--secret-add" for the same secret.
+func TestUpdateSecretUpdateInPlace(t *testing.T) {
+	apiClient := secretAPIClientMock{
+		listResult: []swarm.Secret{
+			{
+				ID:   "tn9qiblgnuuut11eufquw5dev",
+				Spec: swarm.SecretSpec{Annotations: swarm.Annotations{Name: "foo"}},
+			},
+		},
+	}
+
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("secret-add", "source=foo,target=foo2")
+	flags.Set("secret-rm", "foo")
+
+	secrets := []*swarm.SecretReference{
+		{
+			File: &swarm.SecretReferenceFileTarget{
+				Name: "foo",
+				UID:  "0",
+				GID:  "0",
+				Mode: 292,
+			},
+			SecretID:   "tn9qiblgnuuut11eufquw5dev",
+			SecretName: "foo",
+		},
+	}
+
+	updatedSecrets, err := getUpdatedSecrets(apiClient, flags, secrets)
+
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(updatedSecrets, 1))
+	assert.Check(t, is.Equal("tn9qiblgnuuut11eufquw5dev", updatedSecrets[0].SecretID))
+	assert.Check(t, is.Equal("foo", updatedSecrets[0].SecretName))
+	assert.Check(t, is.Equal("foo2", updatedSecrets[0].File.Name))
+}
+
+func TestUpdateReadOnly(t *testing.T) {
+	spec := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+	cspec := spec.TaskTemplate.ContainerSpec
+
+	// Update with --read-only=true, changed to true
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("read-only", "true")
+	updateService(nil, nil, flags, spec)
+	assert.Check(t, cspec.ReadOnly)
+
+	// Update without --read-only, no change
+	flags = newUpdateCommand(nil).Flags()
+	updateService(nil, nil, flags, spec)
+	assert.Check(t, cspec.ReadOnly)
+
+	// Update with --read-only=false, changed to false
+	flags = newUpdateCommand(nil).Flags()
+	flags.Set("read-only", "false")
+	updateService(nil, nil, flags, spec)
+	assert.Check(t, !cspec.ReadOnly)
+}
+
+func TestUpdateInit(t *testing.T) {
+	spec := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+	cspec := spec.TaskTemplate.ContainerSpec
+
+	// Update with --init=true
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("init", "true")
+	updateService(nil, nil, flags, spec)
+	assert.Check(t, is.Equal(true, *cspec.Init))
+
+	// Update without --init, no change
+	flags = newUpdateCommand(nil).Flags()
+	updateService(nil, nil, flags, spec)
+	assert.Check(t, is.Equal(true, *cspec.Init))
+
+	// Update with --init=false
+	flags = newUpdateCommand(nil).Flags()
+	flags.Set("init", "false")
+	updateService(nil, nil, flags, spec)
+	assert.Check(t, is.Equal(false, *cspec.Init))
+}
+
+func TestUpdateStopSignal(t *testing.T) {
+	spec := &swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+	cspec := spec.TaskTemplate.ContainerSpec
+
+	// Update with --stop-signal=SIGUSR1
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("stop-signal", "SIGUSR1")
+	updateService(nil, nil, flags, spec)
+	assert.Check(t, is.Equal("SIGUSR1", cspec.StopSignal))
+
+	// Update without --stop-signal, no change
+	flags = newUpdateCommand(nil).Flags()
+	updateService(nil, nil, flags, spec)
+	assert.Check(t, is.Equal("SIGUSR1", cspec.StopSignal))
+
+	// Update with --stop-signal=SIGWINCH
+	flags = newUpdateCommand(nil).Flags()
+	flags.Set("stop-signal", "SIGWINCH")
+	updateService(nil, nil, flags, spec)
+	assert.Check(t, is.Equal("SIGWINCH", cspec.StopSignal))
+}
+
+func TestUpdateIsolationValid(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	err := flags.Set("isolation", "process")
+	assert.NilError(t, err)
+	spec := swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+	err = updateService(context.Background(), nil, flags, &spec)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(container.IsolationProcess, spec.TaskTemplate.ContainerSpec.Isolation))
+}
+
+// TestUpdateLimitsReservations tests that limits and reservations are updated,
+// and that values are not updated are not reset to their default value
+func TestUpdateLimitsReservations(t *testing.T) {
+	spec := swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+			Resources: &swarm.ResourceRequirements{
+				Limits: &swarm.Resources{
+					NanoCPUs:    1000000000,
+					MemoryBytes: 104857600,
+				},
+				Reservations: &swarm.Resources{
+					NanoCPUs:    1000000000,
+					MemoryBytes: 104857600,
+				},
+			},
+		},
+	}
+
+	flags := newUpdateCommand(nil).Flags()
+	err := flags.Set(flagLimitCPU, "2")
+	assert.NilError(t, err)
+	err = flags.Set(flagReserveCPU, "2")
+	assert.NilError(t, err)
+	err = updateService(context.Background(), nil, flags, &spec)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(spec.TaskTemplate.Resources.Limits.NanoCPUs, int64(2000000000)))
+	assert.Check(t, is.Equal(spec.TaskTemplate.Resources.Limits.MemoryBytes, int64(104857600)))
+	assert.Check(t, is.Equal(spec.TaskTemplate.Resources.Reservations.NanoCPUs, int64(2000000000)))
+	assert.Check(t, is.Equal(spec.TaskTemplate.Resources.Reservations.MemoryBytes, int64(104857600)))
+
+	flags = newUpdateCommand(nil).Flags()
+	err = flags.Set(flagLimitMemory, "200M")
+	assert.NilError(t, err)
+	err = flags.Set(flagReserveMemory, "200M")
+	assert.NilError(t, err)
+	err = updateService(context.Background(), nil, flags, &spec)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(spec.TaskTemplate.Resources.Limits.NanoCPUs, int64(2000000000)))
+	assert.Check(t, is.Equal(spec.TaskTemplate.Resources.Limits.MemoryBytes, int64(209715200)))
+	assert.Check(t, is.Equal(spec.TaskTemplate.Resources.Reservations.NanoCPUs, int64(2000000000)))
+	assert.Check(t, is.Equal(spec.TaskTemplate.Resources.Reservations.MemoryBytes, int64(209715200)))
+}
+
+func TestUpdateIsolationInvalid(t *testing.T) {
+	// validation depends on daemon os / version so validation should be done on the daemon side
+	flags := newUpdateCommand(nil).Flags()
+	err := flags.Set("isolation", "test")
+	assert.NilError(t, err)
+	spec := swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+		},
+	}
+	err = updateService(context.Background(), nil, flags, &spec)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(container.Isolation("test"), spec.TaskTemplate.ContainerSpec.Isolation))
+}
+
+func TestAddGenericResources(t *testing.T) {
+	task := &swarm.TaskSpec{}
+	flags := newUpdateCommand(nil).Flags()
+
+	assert.Check(t, addGenericResources(flags, task))
+
+	flags.Set(flagGenericResourcesAdd, "foo=1")
+	assert.Check(t, addGenericResources(flags, task))
+	assert.Check(t, is.Len(task.Resources.Reservations.GenericResources, 1))
+
+	// Checks that foo isn't added a 2nd time
+	flags = newUpdateCommand(nil).Flags()
+	flags.Set(flagGenericResourcesAdd, "bar=1")
+	assert.Check(t, addGenericResources(flags, task))
+	assert.Check(t, is.Len(task.Resources.Reservations.GenericResources, 2))
+}
+
+func TestRemoveGenericResources(t *testing.T) {
+	task := &swarm.TaskSpec{}
+	flags := newUpdateCommand(nil).Flags()
+
+	assert.Check(t, removeGenericResources(flags, task))
+
+	flags.Set(flagGenericResourcesRemove, "foo")
+	assert.Check(t, is.ErrorContains(removeGenericResources(flags, task), ""))
+
+	flags = newUpdateCommand(nil).Flags()
+	flags.Set(flagGenericResourcesAdd, "foo=1")
+	addGenericResources(flags, task)
+	flags = newUpdateCommand(nil).Flags()
+	flags.Set(flagGenericResourcesAdd, "bar=1")
+	addGenericResources(flags, task)
+
+	flags = newUpdateCommand(nil).Flags()
+	flags.Set(flagGenericResourcesRemove, "foo")
+	assert.Check(t, removeGenericResources(flags, task))
+	assert.Check(t, is.Len(task.Resources.Reservations.GenericResources, 1))
+}
+
+func TestUpdateNetworks(t *testing.T) {
+	ctx := context.Background()
+	nws := []types.NetworkResource{
+		{Name: "aaa-network", ID: "id555"},
+		{Name: "mmm-network", ID: "id999"},
+		{Name: "zzz-network", ID: "id111"},
+	}
+
+	client := &fakeClient{
+		networkInspectFunc: func(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, error) {
+			for _, network := range nws {
+				if network.ID == networkID || network.Name == networkID {
+					return network, nil
+				}
+			}
+			return types.NetworkResource{}, fmt.Errorf("network not found: %s", networkID)
+		},
+	}
+
+	svc := swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{},
+			Networks: []swarm.NetworkAttachmentConfig{
+				{Target: "id999"},
+			},
+		},
+	}
+
+	flags := newUpdateCommand(nil).Flags()
+	err := flags.Set(flagNetworkAdd, "aaa-network")
+	assert.NilError(t, err)
+	err = updateService(ctx, client, flags, &svc)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]swarm.NetworkAttachmentConfig{{Target: "id555"}, {Target: "id999"}}, svc.TaskTemplate.Networks))
+
+	flags = newUpdateCommand(nil).Flags()
+	err = flags.Set(flagNetworkAdd, "aaa-network")
+	assert.NilError(t, err)
+	err = updateService(ctx, client, flags, &svc)
+	assert.Error(t, err, "service is already attached to network aaa-network")
+	assert.Check(t, is.DeepEqual([]swarm.NetworkAttachmentConfig{{Target: "id555"}, {Target: "id999"}}, svc.TaskTemplate.Networks))
+
+	flags = newUpdateCommand(nil).Flags()
+	err = flags.Set(flagNetworkAdd, "id555")
+	assert.NilError(t, err)
+	err = updateService(ctx, client, flags, &svc)
+	assert.Error(t, err, "service is already attached to network id555")
+	assert.Check(t, is.DeepEqual([]swarm.NetworkAttachmentConfig{{Target: "id555"}, {Target: "id999"}}, svc.TaskTemplate.Networks))
+
+	flags = newUpdateCommand(nil).Flags()
+	err = flags.Set(flagNetworkRemove, "id999")
+	assert.NilError(t, err)
+	err = updateService(ctx, client, flags, &svc)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]swarm.NetworkAttachmentConfig{{Target: "id555"}}, svc.TaskTemplate.Networks))
+
+	flags = newUpdateCommand(nil).Flags()
+	err = flags.Set(flagNetworkAdd, "mmm-network")
+	assert.NilError(t, err)
+	err = flags.Set(flagNetworkRemove, "aaa-network")
+	assert.NilError(t, err)
+	err = updateService(ctx, client, flags, &svc)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]swarm.NetworkAttachmentConfig{{Target: "id999"}}, svc.TaskTemplate.Networks))
+}
diff --git a/cli/cli/command/stack/client_test.go b/cli/cli/command/stack/client_test.go
new file mode 100644
index 00000000..c028d668
--- /dev/null
+++ b/cli/cli/command/stack/client_test.go
@@ -0,0 +1,239 @@
+package stack
+
+import (
+	"context"
+	"strings"
+
+	"github.com/docker/cli/cli/compose/convert"
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+
+	version string
+
+	services []string
+	networks []string
+	secrets  []string
+	configs  []string
+
+	removedServices []string
+	removedNetworks []string
+	removedSecrets  []string
+	removedConfigs  []string
+
+	serviceListFunc    func(options types.ServiceListOptions) ([]swarm.Service, error)
+	networkListFunc    func(options types.NetworkListOptions) ([]types.NetworkResource, error)
+	secretListFunc     func(options types.SecretListOptions) ([]swarm.Secret, error)
+	configListFunc     func(options types.ConfigListOptions) ([]swarm.Config, error)
+	nodeListFunc       func(options types.NodeListOptions) ([]swarm.Node, error)
+	taskListFunc       func(options types.TaskListOptions) ([]swarm.Task, error)
+	nodeInspectWithRaw func(ref string) (swarm.Node, []byte, error)
+
+	serviceUpdateFunc func(serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error)
+
+	serviceRemoveFunc func(serviceID string) error
+	networkRemoveFunc func(networkID string) error
+	secretRemoveFunc  func(secretID string) error
+	configRemoveFunc  func(configID string) error
+}
+
+func (cli *fakeClient) ServerVersion(ctx context.Context) (types.Version, error) {
+	return types.Version{
+		Version:    "docker-dev",
+		APIVersion: api.DefaultVersion,
+	}, nil
+}
+
+func (cli *fakeClient) ClientVersion() string {
+	return cli.version
+}
+
+func (cli *fakeClient) ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+	if cli.serviceListFunc != nil {
+		return cli.serviceListFunc(options)
+	}
+
+	namespace := namespaceFromFilters(options.Filters)
+	servicesList := []swarm.Service{}
+	for _, name := range cli.services {
+		if belongToNamespace(name, namespace) {
+			servicesList = append(servicesList, serviceFromName(name))
+		}
+	}
+	return servicesList, nil
+}
+
+func (cli *fakeClient) NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+	if cli.networkListFunc != nil {
+		return cli.networkListFunc(options)
+	}
+
+	namespace := namespaceFromFilters(options.Filters)
+	networksList := []types.NetworkResource{}
+	for _, name := range cli.networks {
+		if belongToNamespace(name, namespace) {
+			networksList = append(networksList, networkFromName(name))
+		}
+	}
+	return networksList, nil
+}
+
+func (cli *fakeClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+	if cli.secretListFunc != nil {
+		return cli.secretListFunc(options)
+	}
+
+	namespace := namespaceFromFilters(options.Filters)
+	secretsList := []swarm.Secret{}
+	for _, name := range cli.secrets {
+		if belongToNamespace(name, namespace) {
+			secretsList = append(secretsList, secretFromName(name))
+		}
+	}
+	return secretsList, nil
+}
+
+func (cli *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+	if cli.configListFunc != nil {
+		return cli.configListFunc(options)
+	}
+
+	namespace := namespaceFromFilters(options.Filters)
+	configsList := []swarm.Config{}
+	for _, name := range cli.configs {
+		if belongToNamespace(name, namespace) {
+			configsList = append(configsList, configFromName(name))
+		}
+	}
+	return configsList, nil
+}
+
+func (cli *fakeClient) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+	if cli.taskListFunc != nil {
+		return cli.taskListFunc(options)
+	}
+	return []swarm.Task{}, nil
+}
+
+func (cli *fakeClient) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
+	if cli.nodeListFunc != nil {
+		return cli.nodeListFunc(options)
+	}
+	return []swarm.Node{}, nil
+}
+
+func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+	if cli.nodeInspectWithRaw != nil {
+		return cli.nodeInspectWithRaw(ref)
+	}
+	return swarm.Node{}, nil, nil
+}
+
+func (cli *fakeClient) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
+	if cli.serviceUpdateFunc != nil {
+		return cli.serviceUpdateFunc(serviceID, version, service, options)
+	}
+
+	return types.ServiceUpdateResponse{}, nil
+}
+
+func (cli *fakeClient) ServiceRemove(ctx context.Context, serviceID string) error {
+	if cli.serviceRemoveFunc != nil {
+		return cli.serviceRemoveFunc(serviceID)
+	}
+
+	cli.removedServices = append(cli.removedServices, serviceID)
+	return nil
+}
+
+func (cli *fakeClient) NetworkRemove(ctx context.Context, networkID string) error {
+	if cli.networkRemoveFunc != nil {
+		return cli.networkRemoveFunc(networkID)
+	}
+
+	cli.removedNetworks = append(cli.removedNetworks, networkID)
+	return nil
+}
+
+func (cli *fakeClient) SecretRemove(ctx context.Context, secretID string) error {
+	if cli.secretRemoveFunc != nil {
+		return cli.secretRemoveFunc(secretID)
+	}
+
+	cli.removedSecrets = append(cli.removedSecrets, secretID)
+	return nil
+}
+
+func (cli *fakeClient) ConfigRemove(ctx context.Context, configID string) error {
+	if cli.configRemoveFunc != nil {
+		return cli.configRemoveFunc(configID)
+	}
+
+	cli.removedConfigs = append(cli.removedConfigs, configID)
+	return nil
+}
+
+func serviceFromName(name string) swarm.Service {
+	return swarm.Service{
+		ID: "ID-" + name,
+		Spec: swarm.ServiceSpec{
+			Annotations: swarm.Annotations{Name: name},
+		},
+	}
+}
+
+func networkFromName(name string) types.NetworkResource {
+	return types.NetworkResource{
+		ID:   "ID-" + name,
+		Name: name,
+	}
+}
+
+func secretFromName(name string) swarm.Secret {
+	return swarm.Secret{
+		ID: "ID-" + name,
+		Spec: swarm.SecretSpec{
+			Annotations: swarm.Annotations{Name: name},
+		},
+	}
+}
+
+func configFromName(name string) swarm.Config {
+	return swarm.Config{
+		ID: "ID-" + name,
+		Spec: swarm.ConfigSpec{
+			Annotations: swarm.Annotations{Name: name},
+		},
+	}
+}
+
+func namespaceFromFilters(filters filters.Args) string {
+	label := filters.Get("label")[0]
+	return strings.TrimPrefix(label, convert.LabelNamespace+"=")
+}
+
+func belongToNamespace(id, namespace string) bool {
+	return strings.HasPrefix(id, namespace+"_")
+}
+
+func objectName(namespace, name string) string {
+	return namespace + "_" + name
+}
+
+func objectID(name string) string {
+	return "ID-" + name
+}
+
+func buildObjectIDs(objectNames []string) []string {
+	IDs := make([]string, len(objectNames))
+	for i, name := range objectNames {
+		IDs[i] = objectID(name)
+	}
+	return IDs
+}
diff --git a/cli/cli/command/stack/cmd.go b/cli/cli/command/stack/cmd.go
new file mode 100644
index 00000000..851ac13c
--- /dev/null
+++ b/cli/cli/command/stack/cmd.go
@@ -0,0 +1,128 @@
+package stack
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	cliconfig "github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+var errUnsupportedAllOrchestrator = fmt.Errorf(`no orchestrator specified: use either "kubernetes" or "swarm"`)
+
+type commonOptions struct {
+	orchestrator command.Orchestrator
+}
+
+// NewStackCommand returns a cobra command for `stack` subcommands
+func NewStackCommand(dockerCli command.Cli) *cobra.Command {
+	var opts commonOptions
+	cmd := &cobra.Command{
+		Use:   "stack [OPTIONS]",
+		Short: "Manage Docker stacks",
+		Args:  cli.NoArgs,
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			configFile := dockerCli.ConfigFile()
+			if configFile == nil {
+				configFile = cliconfig.LoadDefaultConfigFile(dockerCli.Err())
+			}
+			orchestrator, err := getOrchestrator(configFile, cmd, dockerCli.Err())
+			if err != nil {
+				return err
+			}
+			opts.orchestrator = orchestrator
+			hideOrchestrationFlags(cmd, orchestrator)
+			return checkSupportedFlag(cmd, orchestrator)
+		},
+
+		RunE: command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{
+			"version": "1.25",
+		},
+	}
+	defaultHelpFunc := cmd.HelpFunc()
+	cmd.SetHelpFunc(func(c *cobra.Command, args []string) {
+		if err := cmd.PersistentPreRunE(c, args); err != nil {
+			fmt.Fprintln(dockerCli.Err(), err)
+			return
+		}
+		hideOrchestrationFlags(c, opts.orchestrator)
+		defaultHelpFunc(c, args)
+	})
+	cmd.AddCommand(
+		newDeployCommand(dockerCli, &opts),
+		newListCommand(dockerCli, &opts),
+		newPsCommand(dockerCli, &opts),
+		newRemoveCommand(dockerCli, &opts),
+		newServicesCommand(dockerCli, &opts),
+	)
+	flags := cmd.PersistentFlags()
+	flags.String("kubeconfig", "", "Kubernetes config file")
+	flags.SetAnnotation("kubeconfig", "kubernetes", nil)
+	flags.String("orchestrator", "", "Orchestrator to use (swarm|kubernetes|all)")
+	return cmd
+}
+
+// NewTopLevelDeployCommand returns a command for `docker deploy`
+func NewTopLevelDeployCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := newDeployCommand(dockerCli, nil)
+	// Remove the aliases at the top level
+	cmd.Aliases = []string{}
+	cmd.Annotations = map[string]string{
+		"experimental": "",
+		"version":      "1.25",
+	}
+	return cmd
+}
+
+func getOrchestrator(config *configfile.ConfigFile, cmd *cobra.Command, stderr io.Writer) (command.Orchestrator, error) {
+	var orchestratorFlag string
+	if o, err := cmd.Flags().GetString("orchestrator"); err == nil {
+		orchestratorFlag = o
+	}
+	return command.GetStackOrchestrator(orchestratorFlag, config.StackOrchestrator, stderr)
+}
+
+func hideOrchestrationFlags(cmd *cobra.Command, orchestrator command.Orchestrator) {
+	cmd.Flags().VisitAll(func(f *pflag.Flag) {
+		if _, ok := f.Annotations["kubernetes"]; ok && !orchestrator.HasKubernetes() {
+			f.Hidden = true
+		}
+		if _, ok := f.Annotations["swarm"]; ok && !orchestrator.HasSwarm() {
+			f.Hidden = true
+		}
+	})
+	for _, subcmd := range cmd.Commands() {
+		hideOrchestrationFlags(subcmd, orchestrator)
+	}
+}
+
+func checkSupportedFlag(cmd *cobra.Command, orchestrator command.Orchestrator) error {
+	errs := []string{}
+	cmd.Flags().VisitAll(func(f *pflag.Flag) {
+		if !f.Changed {
+			return
+		}
+		if _, ok := f.Annotations["kubernetes"]; ok && !orchestrator.HasKubernetes() {
+			errs = append(errs, fmt.Sprintf(`"--%s" is only supported on a Docker cli with kubernetes features enabled`, f.Name))
+		}
+		if _, ok := f.Annotations["swarm"]; ok && !orchestrator.HasSwarm() {
+			errs = append(errs, fmt.Sprintf(`"--%s" is only supported on a Docker cli with swarm features enabled`, f.Name))
+		}
+	})
+	for _, subcmd := range cmd.Commands() {
+		if err := checkSupportedFlag(subcmd, orchestrator); err != nil {
+			errs = append(errs, err.Error())
+		}
+	}
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
diff --git a/cli/cli/command/stack/common.go b/cli/cli/command/stack/common.go
new file mode 100644
index 00000000..6de410da
--- /dev/null
+++ b/cli/cli/command/stack/common.go
@@ -0,0 +1,31 @@
+package stack
+
+import (
+	"fmt"
+	"strings"
+	"unicode"
+)
+
+// validateStackName checks if the provided string is a valid stack name (namespace).
+// It currently only does a rudimentary check if the string is empty, or consists
+// of only whitespace and quoting characters.
+func validateStackName(namespace string) error {
+	v := strings.TrimFunc(namespace, quotesOrWhitespace)
+	if v == "" {
+		return fmt.Errorf("invalid stack name: %q", namespace)
+	}
+	return nil
+}
+
+func validateStackNames(namespaces []string) error {
+	for _, ns := range namespaces {
+		if err := validateStackName(ns); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func quotesOrWhitespace(r rune) bool {
+	return unicode.IsSpace(r) || r == '"' || r == '\''
+}
diff --git a/cli/cli/command/stack/deploy.go b/cli/cli/command/stack/deploy.go
new file mode 100644
index 00000000..6c083eb2
--- /dev/null
+++ b/cli/cli/command/stack/deploy.go
@@ -0,0 +1,90 @@
+package stack
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/stack/kubernetes"
+	"github.com/docker/cli/cli/command/stack/loader"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/command/stack/swarm"
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+func newDeployCommand(dockerCli command.Cli, common *commonOptions) *cobra.Command {
+	var opts options.Deploy
+
+	cmd := &cobra.Command{
+		Use:     "deploy [OPTIONS] STACK",
+		Aliases: []string{"up"},
+		Short:   "Deploy a new stack or update an existing stack",
+		Args:    cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.Namespace = args[0]
+			if err := validateStackName(opts.Namespace); err != nil {
+				return err
+			}
+
+			commonOrchestrator := command.OrchestratorSwarm // default for top-level deploy command
+			if common != nil {
+				commonOrchestrator = common.orchestrator
+			}
+
+			switch {
+			case opts.Bundlefile == "" && len(opts.Composefiles) == 0:
+				return errors.Errorf("Please specify either a bundle file (with --bundle-file) or a Compose file (with --compose-file).")
+			case opts.Bundlefile != "" && len(opts.Composefiles) != 0:
+				return errors.Errorf("You cannot specify both a bundle file and a Compose file.")
+			case opts.Bundlefile != "":
+				if commonOrchestrator != command.OrchestratorSwarm {
+					return errors.Errorf("bundle files are not supported on another orchestrator than swarm.")
+				}
+				return swarm.DeployBundle(context.Background(), dockerCli, opts)
+			}
+
+			config, err := loader.LoadComposefile(dockerCli, opts)
+			if err != nil {
+				return err
+			}
+			return RunDeploy(dockerCli, cmd.Flags(), config, commonOrchestrator, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&opts.Bundlefile, "bundle-file", "", "Path to a Distributed Application Bundle file")
+	flags.SetAnnotation("bundle-file", "experimental", nil)
+	flags.SetAnnotation("bundle-file", "swarm", nil)
+	flags.StringSliceVarP(&opts.Composefiles, "compose-file", "c", []string{}, `Path to a Compose file, or "-" to read from stdin`)
+	flags.SetAnnotation("compose-file", "version", []string{"1.25"})
+	flags.BoolVar(&opts.SendRegistryAuth, "with-registry-auth", false, "Send registry authentication details to Swarm agents")
+	flags.SetAnnotation("with-registry-auth", "swarm", nil)
+	flags.BoolVar(&opts.Prune, "prune", false, "Prune services that are no longer referenced")
+	flags.SetAnnotation("prune", "version", []string{"1.27"})
+	flags.SetAnnotation("prune", "swarm", nil)
+	flags.StringVar(&opts.ResolveImage, "resolve-image", swarm.ResolveImageAlways,
+		`Query the registry to resolve image digest and supported platforms ("`+swarm.ResolveImageAlways+`"|"`+swarm.ResolveImageChanged+`"|"`+swarm.ResolveImageNever+`")`)
+	flags.SetAnnotation("resolve-image", "version", []string{"1.30"})
+	flags.SetAnnotation("resolve-image", "swarm", nil)
+	kubernetes.AddNamespaceFlag(flags)
+	return cmd
+}
+
+// RunDeploy performs a stack deploy against the specified orchestrator
+func RunDeploy(dockerCli command.Cli, flags *pflag.FlagSet, config *composetypes.Config, commonOrchestrator command.Orchestrator, opts options.Deploy) error {
+	switch {
+	case commonOrchestrator.HasAll():
+		return errUnsupportedAllOrchestrator
+	case commonOrchestrator.HasKubernetes():
+		kli, err := kubernetes.WrapCli(dockerCli, kubernetes.NewOptions(flags, commonOrchestrator))
+		if err != nil {
+			return err
+		}
+		return kubernetes.RunDeploy(kli, opts, config)
+	default:
+		return swarm.RunDeploy(dockerCli, opts, config)
+	}
+}
diff --git a/cli/cli/command/stack/deploy_test.go b/cli/cli/command/stack/deploy_test.go
new file mode 100644
index 00000000..89dbc6e1
--- /dev/null
+++ b/cli/cli/command/stack/deploy_test.go
@@ -0,0 +1,17 @@
+package stack
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/assert"
+)
+
+func TestDeployWithEmptyName(t *testing.T) {
+	cmd := newDeployCommand(test.NewFakeCli(&fakeClient{}), nil)
+	cmd.SetArgs([]string{"'   '"})
+	cmd.SetOutput(ioutil.Discard)
+
+	assert.ErrorContains(t, cmd.Execute(), `invalid stack name: "'   '"`)
+}
diff --git a/cli/cli/command/stack/kubernetes/cli.go b/cli/cli/command/stack/kubernetes/cli.go
new file mode 100644
index 00000000..bcd0b01e
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/cli.go
@@ -0,0 +1,126 @@
+package kubernetes
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/kubernetes"
+	cliv1beta1 "github.com/docker/cli/kubernetes/client/clientset/typed/compose/v1beta1"
+	flag "github.com/spf13/pflag"
+	kubeclient "k8s.io/client-go/kubernetes"
+	restclient "k8s.io/client-go/rest"
+)
+
+// KubeCli holds kubernetes specifics (client, namespace) with the command.Cli
+type KubeCli struct {
+	command.Cli
+	kubeConfig    *restclient.Config
+	kubeNamespace string
+	clientSet     *kubeclient.Clientset
+}
+
+// Options contains resolved parameters to initialize kubernetes clients
+type Options struct {
+	Namespace    string
+	Config       string
+	Orchestrator command.Orchestrator
+}
+
+// NewOptions returns an Options initialized with command line flags
+func NewOptions(flags *flag.FlagSet, orchestrator command.Orchestrator) Options {
+	opts := Options{
+		Orchestrator: orchestrator,
+	}
+	if namespace, err := flags.GetString("namespace"); err == nil {
+		opts.Namespace = namespace
+	}
+	if kubeConfig, err := flags.GetString("kubeconfig"); err == nil {
+		opts.Config = kubeConfig
+	}
+	return opts
+}
+
+// AddNamespaceFlag adds the namespace flag to the given flag set
+func AddNamespaceFlag(flags *flag.FlagSet) {
+	flags.String("namespace", "", "Kubernetes namespace to use")
+	flags.SetAnnotation("namespace", "kubernetes", nil)
+}
+
+// WrapCli wraps command.Cli with kubernetes specifics
+func WrapCli(dockerCli command.Cli, opts Options) (*KubeCli, error) {
+	cli := &KubeCli{
+		Cli: dockerCli,
+	}
+	clientConfig := kubernetes.NewKubernetesConfig(opts.Config)
+
+	cli.kubeNamespace = opts.Namespace
+	if opts.Namespace == "" {
+		configNamespace, _, err := clientConfig.Namespace()
+		if err != nil {
+			return nil, err
+		}
+		cli.kubeNamespace = configNamespace
+	}
+
+	config, err := clientConfig.ClientConfig()
+	if err != nil {
+		return nil, err
+	}
+	cli.kubeConfig = config
+
+	clientSet, err := kubeclient.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+	cli.clientSet = clientSet
+
+	if opts.Orchestrator.HasAll() {
+		if err := cli.checkHostsMatch(); err != nil {
+			return nil, err
+		}
+	}
+	return cli, nil
+}
+
+func (c *KubeCli) composeClient() (*Factory, error) {
+	return NewFactory(c.kubeNamespace, c.kubeConfig, c.clientSet)
+}
+
+func (c *KubeCli) checkHostsMatch() error {
+	daemonEndpoint, err := url.Parse(c.Client().DaemonHost())
+	if err != nil {
+		return err
+	}
+	kubeEndpoint, err := url.Parse(c.kubeConfig.Host)
+	if err != nil {
+		return err
+	}
+	if daemonEndpoint.Hostname() == kubeEndpoint.Hostname() {
+		return nil
+	}
+	// The daemon can be local in Docker for Desktop, e.g. "npipe", "unix", ...
+	if daemonEndpoint.Scheme != "tcp" {
+		ips, err := net.LookupIP(kubeEndpoint.Hostname())
+		if err != nil {
+			return err
+		}
+		for _, ip := range ips {
+			if ip.IsLoopback() {
+				return nil
+			}
+		}
+	}
+	fmt.Fprintf(c.Err(), "WARNING: Swarm and Kubernetes hosts do not match (docker host=%s, kubernetes host=%s).\n"+
+		"         Update $DOCKER_HOST (or pass -H), or use 'kubectl config use-context' to match.\n", daemonEndpoint.Hostname(), kubeEndpoint.Hostname())
+	return nil
+}
+
+func (c *KubeCli) stacksv1beta1() (cliv1beta1.StackInterface, error) {
+	raw, err := newStackV1Beta1(c.kubeConfig, c.kubeNamespace)
+	if err != nil {
+		return nil, err
+	}
+	return raw.stacks, nil
+}
diff --git a/cli/cli/command/stack/kubernetes/client.go b/cli/cli/command/stack/kubernetes/client.go
new file mode 100644
index 00000000..5024c923
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/client.go
@@ -0,0 +1,103 @@
+package kubernetes
+
+import (
+	"github.com/docker/cli/kubernetes"
+	"github.com/pkg/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubeclient "k8s.io/client-go/kubernetes"
+	appsv1beta2 "k8s.io/client-go/kubernetes/typed/apps/v1beta2"
+	typesappsv1beta2 "k8s.io/client-go/kubernetes/typed/apps/v1beta2"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	restclient "k8s.io/client-go/rest"
+)
+
+// Factory is the kubernetes client factory
+type Factory struct {
+	namespace     string
+	config        *restclient.Config
+	coreClientSet *corev1.CoreV1Client
+	appsClientSet *appsv1beta2.AppsV1beta2Client
+	clientSet     *kubeclient.Clientset
+}
+
+// NewFactory creates a kubernetes client factory
+func NewFactory(namespace string, config *restclient.Config, clientSet *kubeclient.Clientset) (*Factory, error) {
+	coreClientSet, err := corev1.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	appsClientSet, err := appsv1beta2.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Factory{
+		namespace:     namespace,
+		config:        config,
+		coreClientSet: coreClientSet,
+		appsClientSet: appsClientSet,
+		clientSet:     clientSet,
+	}, nil
+}
+
+// ConfigMaps returns a client for kubernetes's config maps
+func (s *Factory) ConfigMaps() corev1.ConfigMapInterface {
+	return s.coreClientSet.ConfigMaps(s.namespace)
+}
+
+// Secrets returns a client for kubernetes's secrets
+func (s *Factory) Secrets() corev1.SecretInterface {
+	return s.coreClientSet.Secrets(s.namespace)
+}
+
+// Services returns a client for kubernetes's secrets
+func (s *Factory) Services() corev1.ServiceInterface {
+	return s.coreClientSet.Services(s.namespace)
+}
+
+// Pods returns a client for kubernetes's pods
+func (s *Factory) Pods() corev1.PodInterface {
+	return s.coreClientSet.Pods(s.namespace)
+}
+
+// Nodes returns a client for kubernetes's nodes
+func (s *Factory) Nodes() corev1.NodeInterface {
+	return s.coreClientSet.Nodes()
+}
+
+// ReplicationControllers returns a client for kubernetes replication controllers
+func (s *Factory) ReplicationControllers() corev1.ReplicationControllerInterface {
+	return s.coreClientSet.ReplicationControllers(s.namespace)
+}
+
+// ReplicaSets returns a client for kubernetes replace sets
+func (s *Factory) ReplicaSets() typesappsv1beta2.ReplicaSetInterface {
+	return s.appsClientSet.ReplicaSets(s.namespace)
+}
+
+// DaemonSets returns a client for kubernetes daemon sets
+func (s *Factory) DaemonSets() typesappsv1beta2.DaemonSetInterface {
+	return s.appsClientSet.DaemonSets(s.namespace)
+}
+
+// Stacks returns a client for Docker's Stack on Kubernetes
+func (s *Factory) Stacks(allNamespaces bool) (StackClient, error) {
+	version, err := kubernetes.GetStackAPIVersion(s.clientSet)
+	if err != nil {
+		return nil, err
+	}
+	namespace := s.namespace
+	if allNamespaces {
+		namespace = metav1.NamespaceAll
+	}
+
+	switch version {
+	case kubernetes.StackAPIV1Beta1:
+		return newStackV1Beta1(s.config, namespace)
+	case kubernetes.StackAPIV1Beta2:
+		return newStackV1Beta2(s.config, namespace)
+	default:
+		return nil, errors.Errorf("no supported Stack API version")
+	}
+}
diff --git a/cli/cli/command/stack/kubernetes/conversion.go b/cli/cli/command/stack/kubernetes/conversion.go
new file mode 100644
index 00000000..83986661
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/conversion.go
@@ -0,0 +1,240 @@
+package kubernetes
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/kubernetes/labels"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	appsv1beta2 "k8s.io/api/apps/v1beta2"
+	apiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+)
+
+// Pod conversion
+func podToTask(pod apiv1.Pod) swarm.Task {
+	var startTime time.Time
+	if pod.Status.StartTime != nil {
+		startTime = (*pod.Status.StartTime).Time
+	}
+	task := swarm.Task{
+		ID:     string(pod.UID),
+		NodeID: pod.Spec.NodeName,
+		Spec: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Image: getContainerImage(pod.Spec.Containers),
+			},
+		},
+		DesiredState: podPhaseToState(pod.Status.Phase),
+		Status: swarm.TaskStatus{
+			State:     podPhaseToState(pod.Status.Phase),
+			Timestamp: startTime,
+			PortStatus: swarm.PortStatus{
+				Ports: getPorts(pod.Spec.Containers),
+			},
+		},
+	}
+
+	return task
+}
+
+func podPhaseToState(phase apiv1.PodPhase) swarm.TaskState {
+	switch phase {
+	case apiv1.PodPending:
+		return swarm.TaskStatePending
+	case apiv1.PodRunning:
+		return swarm.TaskStateRunning
+	case apiv1.PodSucceeded:
+		return swarm.TaskStateComplete
+	case apiv1.PodFailed:
+		return swarm.TaskStateFailed
+	default:
+		return swarm.TaskState("unknown")
+	}
+}
+
+func toSwarmProtocol(protocol apiv1.Protocol) swarm.PortConfigProtocol {
+	switch protocol {
+	case apiv1.ProtocolTCP:
+		return swarm.PortConfigProtocolTCP
+	case apiv1.ProtocolUDP:
+		return swarm.PortConfigProtocolUDP
+	}
+	return swarm.PortConfigProtocol("unknown")
+}
+
+func fetchPods(stackName string, pods corev1.PodInterface, f filters.Args) ([]apiv1.Pod, error) {
+	services := f.Get("service")
+	// for existing script compatibility, support either <servicename> or <stackname>_<servicename> format
+	stackNamePrefix := stackName + "_"
+	for _, s := range services {
+		if strings.HasPrefix(s, stackNamePrefix) {
+			services = append(services, strings.TrimPrefix(s, stackNamePrefix))
+		}
+	}
+	listOpts := metav1.ListOptions{LabelSelector: labels.SelectorForStack(stackName, services...)}
+	var result []apiv1.Pod
+	podsList, err := pods.List(listOpts)
+	if err != nil {
+		return nil, err
+	}
+	nodes := f.Get("node")
+	for _, pod := range podsList.Items {
+		if filterPod(pod, nodes) &&
+			// name filter is done client side for matching partials
+			f.FuzzyMatch("name", stackNamePrefix+pod.Name) {
+
+			result = append(result, pod)
+		}
+	}
+	return result, nil
+}
+
+func filterPod(pod apiv1.Pod, nodes []string) bool {
+	if len(nodes) == 0 {
+		return true
+	}
+	for _, name := range nodes {
+		if pod.Spec.NodeName == name {
+			return true
+		}
+	}
+	return false
+}
+
+func getContainerImage(containers []apiv1.Container) string {
+	if len(containers) == 0 {
+		return ""
+	}
+	return containers[0].Image
+}
+
+func getPorts(containers []apiv1.Container) []swarm.PortConfig {
+	if len(containers) == 0 || len(containers[0].Ports) == 0 {
+		return nil
+	}
+	ports := make([]swarm.PortConfig, len(containers[0].Ports))
+	for i, port := range containers[0].Ports {
+		ports[i] = swarm.PortConfig{
+			PublishedPort: uint32(port.HostPort),
+			TargetPort:    uint32(port.ContainerPort),
+			Protocol:      toSwarmProtocol(port.Protocol),
+		}
+	}
+	return ports
+}
+
+type tasksBySlot []swarm.Task
+
+func (t tasksBySlot) Len() int {
+	return len(t)
+}
+
+func (t tasksBySlot) Swap(i, j int) {
+	t[i], t[j] = t[j], t[i]
+}
+
+func (t tasksBySlot) Less(i, j int) bool {
+	// Sort by slot.
+	if t[i].Slot != t[j].Slot {
+		return t[i].Slot < t[j].Slot
+	}
+
+	// If same slot, sort by most recent.
+	return t[j].Meta.CreatedAt.Before(t[i].CreatedAt)
+}
+
+const (
+	publishedServiceSuffix      = "-published"
+	publishedOnRandomPortSuffix = "-random-ports"
+)
+
+func convertToServices(replicas *appsv1beta2.ReplicaSetList, daemons *appsv1beta2.DaemonSetList, services *apiv1.ServiceList) ([]swarm.Service, map[string]formatter.ServiceListInfo, error) {
+	result := make([]swarm.Service, len(replicas.Items))
+	infos := make(map[string]formatter.ServiceListInfo, len(replicas.Items)+len(daemons.Items))
+	for i, r := range replicas.Items {
+		s, err := convertToService(r.Labels[labels.ForServiceName], services, r.Spec.Template.Spec.Containers)
+		if err != nil {
+			return nil, nil, err
+		}
+		result[i] = *s
+		infos[s.ID] = formatter.ServiceListInfo{
+			Mode:     "replicated",
+			Replicas: fmt.Sprintf("%d/%d", r.Status.AvailableReplicas, r.Status.Replicas),
+		}
+	}
+	for _, d := range daemons.Items {
+		s, err := convertToService(d.Labels[labels.ForServiceName], services, d.Spec.Template.Spec.Containers)
+		if err != nil {
+			return nil, nil, err
+		}
+		result = append(result, *s)
+		infos[s.ID] = formatter.ServiceListInfo{
+			Mode:     "global",
+			Replicas: fmt.Sprintf("%d/%d", d.Status.NumberReady, d.Status.DesiredNumberScheduled),
+		}
+	}
+	sort.Slice(result, func(i, j int) bool {
+		return result[i].ID < result[j].ID
+	})
+	return result, infos, nil
+}
+
+func convertToService(serviceName string, services *apiv1.ServiceList, containers []apiv1.Container) (*swarm.Service, error) {
+	serviceHeadless, err := findService(services, serviceName)
+	if err != nil {
+		return nil, err
+	}
+	stack, ok := serviceHeadless.Labels[labels.ForStackName]
+	if ok {
+		stack += "_"
+	}
+	uid := string(serviceHeadless.UID)
+	s := &swarm.Service{
+		ID: uid,
+		Spec: swarm.ServiceSpec{
+			Annotations: swarm.Annotations{
+				Name: stack + serviceHeadless.Name,
+			},
+			TaskTemplate: swarm.TaskSpec{
+				ContainerSpec: &swarm.ContainerSpec{
+					Image: getContainerImage(containers),
+				},
+			},
+		},
+	}
+	if serviceNodePort, err := findService(services, serviceName+publishedOnRandomPortSuffix); err == nil && serviceNodePort.Spec.Type == apiv1.ServiceTypeNodePort {
+		s.Endpoint = serviceEndpoint(serviceNodePort, swarm.PortConfigPublishModeHost)
+	}
+	if serviceLoadBalancer, err := findService(services, serviceName+publishedServiceSuffix); err == nil && serviceLoadBalancer.Spec.Type == apiv1.ServiceTypeLoadBalancer {
+		s.Endpoint = serviceEndpoint(serviceLoadBalancer, swarm.PortConfigPublishModeIngress)
+	}
+	return s, nil
+}
+
+func findService(services *apiv1.ServiceList, name string) (apiv1.Service, error) {
+	for _, s := range services.Items {
+		if s.Name == name {
+			return s, nil
+		}
+	}
+	return apiv1.Service{}, fmt.Errorf("could not find service '%s'", name)
+}
+
+func serviceEndpoint(service apiv1.Service, publishMode swarm.PortConfigPublishMode) swarm.Endpoint {
+	configs := make([]swarm.PortConfig, len(service.Spec.Ports))
+	for i, p := range service.Spec.Ports {
+		configs[i] = swarm.PortConfig{
+			PublishMode:   publishMode,
+			PublishedPort: uint32(p.Port),
+			TargetPort:    uint32(p.TargetPort.IntValue()),
+			Protocol:      toSwarmProtocol(p.Protocol),
+		}
+	}
+	return swarm.Endpoint{Ports: configs}
+}
diff --git a/cli/cli/command/stack/kubernetes/conversion_test.go b/cli/cli/command/stack/kubernetes/conversion_test.go
new file mode 100644
index 00000000..213e9ea6
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/conversion_test.go
@@ -0,0 +1,192 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/kubernetes/labels"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	appsv1beta2 "k8s.io/api/apps/v1beta2"
+	apiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	apimachineryTypes "k8s.io/apimachinery/pkg/types"
+	apimachineryUtil "k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func TestReplicasConversionNeedsAService(t *testing.T) {
+	replicas := appsv1beta2.ReplicaSetList{
+		Items: []appsv1beta2.ReplicaSet{makeReplicaSet("unknown", 0, 0)},
+	}
+	services := apiv1.ServiceList{}
+	_, _, err := convertToServices(&replicas, &appsv1beta2.DaemonSetList{}, &services)
+	assert.ErrorContains(t, err, "could not find service")
+}
+
+func TestKubernetesServiceToSwarmServiceConversion(t *testing.T) {
+	testCases := []struct {
+		replicas         *appsv1beta2.ReplicaSetList
+		services         *apiv1.ServiceList
+		expectedServices []swarm.Service
+		expectedListInfo map[string]formatter.ServiceListInfo
+	}{
+		// Match replicas with headless stack services
+		{
+			&appsv1beta2.ReplicaSetList{
+				Items: []appsv1beta2.ReplicaSet{
+					makeReplicaSet("service1", 2, 5),
+					makeReplicaSet("service2", 3, 3),
+				},
+			},
+			&apiv1.ServiceList{
+				Items: []apiv1.Service{
+					makeKubeService("service1", "stack", "uid1", apiv1.ServiceTypeClusterIP, nil),
+					makeKubeService("service2", "stack", "uid2", apiv1.ServiceTypeClusterIP, nil),
+					makeKubeService("service3", "other-stack", "uid2", apiv1.ServiceTypeClusterIP, nil),
+				},
+			},
+			[]swarm.Service{
+				makeSwarmService("stack_service1", "uid1", nil),
+				makeSwarmService("stack_service2", "uid2", nil),
+			},
+			map[string]formatter.ServiceListInfo{
+				"uid1": {Mode: "replicated", Replicas: "2/5"},
+				"uid2": {Mode: "replicated", Replicas: "3/3"},
+			},
+		},
+		// Headless service and LoadBalancer Service are tied to the same Swarm service
+		{
+			&appsv1beta2.ReplicaSetList{
+				Items: []appsv1beta2.ReplicaSet{
+					makeReplicaSet("service", 1, 1),
+				},
+			},
+			&apiv1.ServiceList{
+				Items: []apiv1.Service{
+					makeKubeService("service", "stack", "uid1", apiv1.ServiceTypeClusterIP, nil),
+					makeKubeService("service-published", "stack", "uid2", apiv1.ServiceTypeLoadBalancer, []apiv1.ServicePort{
+						{
+							Port:       80,
+							TargetPort: apimachineryUtil.FromInt(80),
+							Protocol:   apiv1.ProtocolTCP,
+						},
+					}),
+				},
+			},
+			[]swarm.Service{
+				makeSwarmService("stack_service", "uid1", []swarm.PortConfig{
+					{
+						PublishMode:   swarm.PortConfigPublishModeIngress,
+						PublishedPort: 80,
+						TargetPort:    80,
+						Protocol:      swarm.PortConfigProtocolTCP,
+					},
+				}),
+			},
+			map[string]formatter.ServiceListInfo{
+				"uid1": {Mode: "replicated", Replicas: "1/1"},
+			},
+		},
+		// Headless service and NodePort Service are tied to the same Swarm service
+
+		{
+			&appsv1beta2.ReplicaSetList{
+				Items: []appsv1beta2.ReplicaSet{
+					makeReplicaSet("service", 1, 1),
+				},
+			},
+			&apiv1.ServiceList{
+				Items: []apiv1.Service{
+					makeKubeService("service", "stack", "uid1", apiv1.ServiceTypeClusterIP, nil),
+					makeKubeService("service-random-ports", "stack", "uid2", apiv1.ServiceTypeNodePort, []apiv1.ServicePort{
+						{
+							Port:       35666,
+							TargetPort: apimachineryUtil.FromInt(80),
+							Protocol:   apiv1.ProtocolTCP,
+						},
+					}),
+				},
+			},
+			[]swarm.Service{
+				makeSwarmService("stack_service", "uid1", []swarm.PortConfig{
+					{
+						PublishMode:   swarm.PortConfigPublishModeHost,
+						PublishedPort: 35666,
+						TargetPort:    80,
+						Protocol:      swarm.PortConfigProtocolTCP,
+					},
+				}),
+			},
+			map[string]formatter.ServiceListInfo{
+				"uid1": {Mode: "replicated", Replicas: "1/1"},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		swarmServices, listInfo, err := convertToServices(tc.replicas, &appsv1beta2.DaemonSetList{}, tc.services)
+		assert.NilError(t, err)
+		assert.DeepEqual(t, tc.expectedServices, swarmServices)
+		assert.DeepEqual(t, tc.expectedListInfo, listInfo)
+	}
+}
+
+func makeReplicaSet(service string, available, replicas int32) appsv1beta2.ReplicaSet {
+	return appsv1beta2.ReplicaSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Labels: map[string]string{
+				labels.ForServiceName: service,
+			},
+		},
+		Spec: appsv1beta2.ReplicaSetSpec{
+			Template: apiv1.PodTemplateSpec{
+				Spec: apiv1.PodSpec{
+					Containers: []apiv1.Container{
+						{
+							Image: "image",
+						},
+					},
+				},
+			},
+		},
+		Status: appsv1beta2.ReplicaSetStatus{
+			AvailableReplicas: available,
+			Replicas:          replicas,
+		},
+	}
+}
+
+func makeKubeService(service, stack, uid string, serviceType apiv1.ServiceType, ports []apiv1.ServicePort) apiv1.Service {
+	return apiv1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Labels: map[string]string{
+				labels.ForStackName: stack,
+			},
+			Name: service,
+			UID:  apimachineryTypes.UID(uid),
+		},
+		Spec: apiv1.ServiceSpec{
+			Type:  serviceType,
+			Ports: ports,
+		},
+	}
+}
+
+func makeSwarmService(service, id string, ports []swarm.PortConfig) swarm.Service {
+	return swarm.Service{
+		ID: id,
+		Spec: swarm.ServiceSpec{
+			Annotations: swarm.Annotations{
+				Name: service,
+			},
+			TaskTemplate: swarm.TaskSpec{
+				ContainerSpec: &swarm.ContainerSpec{
+					Image: "image",
+				},
+			},
+		},
+		Endpoint: swarm.Endpoint{
+			Ports: ports,
+		},
+	}
+}
diff --git a/cli/cli/command/stack/kubernetes/convert.go b/cli/cli/command/stack/kubernetes/convert.go
new file mode 100644
index 00000000..aa63daf2
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/convert.go
@@ -0,0 +1,332 @@
+package kubernetes
+
+import (
+	"io"
+	"io/ioutil"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/docker/cli/cli/compose/loader"
+	composeTypes "github.com/docker/cli/cli/compose/types"
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/docker/cli/kubernetes/compose/v1beta1"
+	"github.com/docker/cli/kubernetes/compose/v1beta2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func loadStackData(composefile string) (*composetypes.Config, error) {
+	parsed, err := loader.ParseYAML([]byte(composefile))
+	if err != nil {
+		return nil, err
+	}
+	return loader.Load(composetypes.ConfigDetails{
+		ConfigFiles: []composetypes.ConfigFile{
+			{
+				Config: parsed,
+			},
+		},
+	})
+}
+
+// Conversions from internal stack to different stack compose component versions.
+func stackFromV1beta1(in *v1beta1.Stack) (stack, error) {
+	cfg, err := loadStackData(in.Spec.ComposeFile)
+	if err != nil {
+		return stack{}, err
+	}
+	return stack{
+		name:        in.ObjectMeta.Name,
+		namespace:   in.ObjectMeta.Namespace,
+		composeFile: in.Spec.ComposeFile,
+		spec:        fromComposeConfig(ioutil.Discard, cfg),
+	}, nil
+}
+
+func stackToV1beta1(s stack) *v1beta1.Stack {
+	return &v1beta1.Stack{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: s.name,
+		},
+		Spec: v1beta1.StackSpec{
+			ComposeFile: s.composeFile,
+		},
+	}
+}
+
+func stackFromV1beta2(in *v1beta2.Stack) stack {
+	return stack{
+		name:      in.ObjectMeta.Name,
+		namespace: in.ObjectMeta.Namespace,
+		spec:      in.Spec,
+	}
+}
+
+func stackToV1beta2(s stack) *v1beta2.Stack {
+	return &v1beta2.Stack{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: s.name,
+		},
+		Spec: s.spec,
+	}
+}
+
+func fromComposeConfig(stderr io.Writer, c *composeTypes.Config) *v1beta2.StackSpec {
+	if c == nil {
+		return nil
+	}
+	warnUnsupportedFeatures(stderr, c)
+	serviceConfigs := make([]v1beta2.ServiceConfig, len(c.Services))
+	for i, s := range c.Services {
+		serviceConfigs[i] = fromComposeServiceConfig(s)
+	}
+	return &v1beta2.StackSpec{
+		Services: serviceConfigs,
+		Secrets:  fromComposeSecrets(c.Secrets),
+		Configs:  fromComposeConfigs(c.Configs),
+	}
+}
+
+func fromComposeSecrets(s map[string]composeTypes.SecretConfig) map[string]v1beta2.SecretConfig {
+	if s == nil {
+		return nil
+	}
+	m := map[string]v1beta2.SecretConfig{}
+	for key, value := range s {
+		m[key] = v1beta2.SecretConfig{
+			Name: value.Name,
+			File: value.File,
+			External: v1beta2.External{
+				Name:     value.External.Name,
+				External: value.External.External,
+			},
+			Labels: value.Labels,
+		}
+	}
+	return m
+}
+
+func fromComposeConfigs(s map[string]composeTypes.ConfigObjConfig) map[string]v1beta2.ConfigObjConfig {
+	if s == nil {
+		return nil
+	}
+	m := map[string]v1beta2.ConfigObjConfig{}
+	for key, value := range s {
+		m[key] = v1beta2.ConfigObjConfig{
+			Name: value.Name,
+			File: value.File,
+			External: v1beta2.External{
+				Name:     value.External.Name,
+				External: value.External.External,
+			},
+			Labels: value.Labels,
+		}
+	}
+	return m
+}
+
+func fromComposeServiceConfig(s composeTypes.ServiceConfig) v1beta2.ServiceConfig {
+	var userID *int64
+	if s.User != "" {
+		numerical, err := strconv.Atoi(s.User)
+		if err == nil {
+			unixUserID := int64(numerical)
+			userID = &unixUserID
+		}
+	}
+	return v1beta2.ServiceConfig{
+		Name:    s.Name,
+		CapAdd:  s.CapAdd,
+		CapDrop: s.CapDrop,
+		Command: s.Command,
+		Configs: fromComposeServiceConfigs(s.Configs),
+		Deploy: v1beta2.DeployConfig{
+			Mode:          s.Deploy.Mode,
+			Replicas:      s.Deploy.Replicas,
+			Labels:        s.Deploy.Labels,
+			UpdateConfig:  fromComposeUpdateConfig(s.Deploy.UpdateConfig),
+			Resources:     fromComposeResources(s.Deploy.Resources),
+			RestartPolicy: fromComposeRestartPolicy(s.Deploy.RestartPolicy),
+			Placement:     fromComposePlacement(s.Deploy.Placement),
+		},
+		Entrypoint:      s.Entrypoint,
+		Environment:     s.Environment,
+		ExtraHosts:      s.ExtraHosts,
+		Hostname:        s.Hostname,
+		HealthCheck:     fromComposeHealthcheck(s.HealthCheck),
+		Image:           s.Image,
+		Ipc:             s.Ipc,
+		Labels:          s.Labels,
+		Pid:             s.Pid,
+		Ports:           fromComposePorts(s.Ports),
+		Privileged:      s.Privileged,
+		ReadOnly:        s.ReadOnly,
+		Secrets:         fromComposeServiceSecrets(s.Secrets),
+		StdinOpen:       s.StdinOpen,
+		StopGracePeriod: s.StopGracePeriod,
+		Tmpfs:           s.Tmpfs,
+		Tty:             s.Tty,
+		User:            userID,
+		Volumes:         fromComposeServiceVolumeConfig(s.Volumes),
+		WorkingDir:      s.WorkingDir,
+	}
+}
+
+func fromComposePorts(ports []composeTypes.ServicePortConfig) []v1beta2.ServicePortConfig {
+	if ports == nil {
+		return nil
+	}
+	p := make([]v1beta2.ServicePortConfig, len(ports))
+	for i, port := range ports {
+		p[i] = v1beta2.ServicePortConfig{
+			Mode:      port.Mode,
+			Target:    port.Target,
+			Published: port.Published,
+			Protocol:  port.Protocol,
+		}
+	}
+	return p
+}
+
+func fromComposeServiceSecrets(secrets []composeTypes.ServiceSecretConfig) []v1beta2.ServiceSecretConfig {
+	if secrets == nil {
+		return nil
+	}
+	c := make([]v1beta2.ServiceSecretConfig, len(secrets))
+	for i, secret := range secrets {
+		c[i] = v1beta2.ServiceSecretConfig{
+			Source: secret.Source,
+			Target: secret.Target,
+			UID:    secret.UID,
+			Mode:   secret.Mode,
+		}
+	}
+	return c
+}
+
+func fromComposeServiceConfigs(configs []composeTypes.ServiceConfigObjConfig) []v1beta2.ServiceConfigObjConfig {
+	if configs == nil {
+		return nil
+	}
+	c := make([]v1beta2.ServiceConfigObjConfig, len(configs))
+	for i, config := range configs {
+		c[i] = v1beta2.ServiceConfigObjConfig{
+			Source: config.Source,
+			Target: config.Target,
+			UID:    config.UID,
+			Mode:   config.Mode,
+		}
+	}
+	return c
+}
+
+func fromComposeHealthcheck(h *composeTypes.HealthCheckConfig) *v1beta2.HealthCheckConfig {
+	if h == nil {
+		return nil
+	}
+	return &v1beta2.HealthCheckConfig{
+		Test:     h.Test,
+		Timeout:  h.Timeout,
+		Interval: h.Interval,
+		Retries:  h.Retries,
+	}
+}
+
+func fromComposePlacement(p composeTypes.Placement) v1beta2.Placement {
+	return v1beta2.Placement{
+		Constraints: fromComposeConstraints(p.Constraints),
+	}
+}
+
+var constraintEquals = regexp.MustCompile(`([\w\.]*)\W*(==|!=)\W*([\w\.]*)`)
+
+const (
+	swarmOs          = "node.platform.os"
+	swarmArch        = "node.platform.arch"
+	swarmHostname    = "node.hostname"
+	swarmLabelPrefix = "node.labels."
+)
+
+func fromComposeConstraints(s []string) *v1beta2.Constraints {
+	if len(s) == 0 {
+		return nil
+	}
+	constraints := &v1beta2.Constraints{}
+	for _, constraint := range s {
+		matches := constraintEquals.FindStringSubmatch(constraint)
+		if len(matches) == 4 {
+			key := matches[1]
+			operator := matches[2]
+			value := matches[3]
+			constraint := &v1beta2.Constraint{
+				Operator: operator,
+				Value:    value,
+			}
+			switch {
+			case key == swarmOs:
+				constraints.OperatingSystem = constraint
+			case key == swarmArch:
+				constraints.Architecture = constraint
+			case key == swarmHostname:
+				constraints.Hostname = constraint
+			case strings.HasPrefix(key, swarmLabelPrefix):
+				if constraints.MatchLabels == nil {
+					constraints.MatchLabels = map[string]v1beta2.Constraint{}
+				}
+				constraints.MatchLabels[strings.TrimPrefix(key, swarmLabelPrefix)] = *constraint
+			}
+		}
+	}
+	return constraints
+}
+
+func fromComposeResources(r composeTypes.Resources) v1beta2.Resources {
+	return v1beta2.Resources{
+		Limits:       fromComposeResourcesResource(r.Limits),
+		Reservations: fromComposeResourcesResource(r.Reservations),
+	}
+}
+
+func fromComposeResourcesResource(r *composeTypes.Resource) *v1beta2.Resource {
+	if r == nil {
+		return nil
+	}
+	return &v1beta2.Resource{
+		MemoryBytes: int64(r.MemoryBytes),
+		NanoCPUs:    r.NanoCPUs,
+	}
+}
+
+func fromComposeUpdateConfig(u *composeTypes.UpdateConfig) *v1beta2.UpdateConfig {
+	if u == nil {
+		return nil
+	}
+	return &v1beta2.UpdateConfig{
+		Parallelism: u.Parallelism,
+	}
+}
+
+func fromComposeRestartPolicy(r *composeTypes.RestartPolicy) *v1beta2.RestartPolicy {
+	if r == nil {
+		return nil
+	}
+	return &v1beta2.RestartPolicy{
+		Condition: r.Condition,
+	}
+}
+
+func fromComposeServiceVolumeConfig(vs []composeTypes.ServiceVolumeConfig) []v1beta2.ServiceVolumeConfig {
+	if vs == nil {
+		return nil
+	}
+	volumes := []v1beta2.ServiceVolumeConfig{}
+	for _, v := range vs {
+		volumes = append(volumes, v1beta2.ServiceVolumeConfig{
+			Type:     v.Type,
+			Source:   v.Source,
+			Target:   v.Target,
+			ReadOnly: v.ReadOnly,
+		})
+	}
+	return volumes
+}
diff --git a/cli/cli/command/stack/kubernetes/deploy.go b/cli/cli/command/stack/kubernetes/deploy.go
new file mode 100644
index 00000000..62369a81
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/deploy.go
@@ -0,0 +1,158 @@
+package kubernetes
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/stack/options"
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/morikuni/aec"
+)
+
+// RunDeploy is the kubernetes implementation of docker stack deploy
+func RunDeploy(dockerCli *KubeCli, opts options.Deploy, cfg *composetypes.Config) error {
+	cmdOut := dockerCli.Out()
+
+	// Initialize clients
+	composeClient, err := dockerCli.composeClient()
+	if err != nil {
+		return err
+	}
+	stacks, err := composeClient.Stacks(false)
+	if err != nil {
+		return err
+	}
+
+	stack, err := stacks.FromCompose(dockerCli.Err(), opts.Namespace, cfg)
+	if err != nil {
+		return err
+	}
+
+	configMaps := composeClient.ConfigMaps()
+	secrets := composeClient.Secrets()
+	services := composeClient.Services()
+
+	if err := stacks.IsColliding(services, stack); err != nil {
+		return err
+	}
+
+	if err := stack.createFileBasedConfigMaps(configMaps); err != nil {
+		return err
+	}
+
+	if err := stack.createFileBasedSecrets(secrets); err != nil {
+		return err
+	}
+
+	if err = stacks.CreateOrUpdate(stack); err != nil {
+		return err
+	}
+
+	fmt.Fprintln(cmdOut, "Waiting for the stack to be stable and running...")
+	v1beta1Cli, err := dockerCli.stacksv1beta1()
+	if err != nil {
+		return err
+	}
+
+	pods := composeClient.Pods()
+	watcher := &deployWatcher{
+		stacks: v1beta1Cli,
+		pods:   pods,
+	}
+	statusUpdates := make(chan serviceStatus)
+	displayDone := make(chan struct{})
+	go func() {
+		defer close(displayDone)
+		display := newStatusDisplay(dockerCli.Out())
+		for status := range statusUpdates {
+			display.OnStatus(status)
+		}
+	}()
+
+	err = watcher.Watch(stack.name, stack.getServices(), statusUpdates)
+	close(statusUpdates)
+	<-displayDone
+	if err != nil {
+		return err
+	}
+	fmt.Fprintf(cmdOut, "\nStack %s is stable and running\n\n", stack.name)
+	return nil
+
+}
+
+type statusDisplay interface {
+	OnStatus(serviceStatus)
+}
+type metaServiceState string
+
+const (
+	metaServiceStateReady   = metaServiceState("Ready")
+	metaServiceStatePending = metaServiceState("Pending")
+	metaServiceStateFailed  = metaServiceState("Failed")
+)
+
+func metaStateFromStatus(status serviceStatus) metaServiceState {
+	switch {
+	case status.podsReady > 0:
+		return metaServiceStateReady
+	case status.podsPending > 0:
+		return metaServiceStatePending
+	default:
+		return metaServiceStateFailed
+	}
+}
+
+type forwardOnlyStatusDisplay struct {
+	o      *command.OutStream
+	states map[string]metaServiceState
+}
+
+func (d *forwardOnlyStatusDisplay) OnStatus(status serviceStatus) {
+	state := metaStateFromStatus(status)
+	if d.states[status.name] != state {
+		d.states[status.name] = state
+		fmt.Fprintf(d.o, "%s: %s\n", status.name, state)
+	}
+}
+
+type interactiveStatusDisplay struct {
+	o        *command.OutStream
+	statuses []serviceStatus
+}
+
+func (d *interactiveStatusDisplay) OnStatus(status serviceStatus) {
+	b := aec.EmptyBuilder
+	for ix := 0; ix < len(d.statuses); ix++ {
+		b = b.Up(1).EraseLine(aec.EraseModes.All)
+	}
+	b = b.Column(0)
+	fmt.Fprint(d.o, b.ANSI)
+	updated := false
+	for ix, s := range d.statuses {
+		if s.name == status.name {
+			d.statuses[ix] = status
+			s = status
+			updated = true
+		}
+		displayInteractiveServiceStatus(s, d.o)
+	}
+	if !updated {
+		d.statuses = append(d.statuses, status)
+		displayInteractiveServiceStatus(status, d.o)
+	}
+}
+
+func displayInteractiveServiceStatus(status serviceStatus, o io.Writer) {
+	state := metaStateFromStatus(status)
+	totalFailed := status.podsFailed + status.podsSucceeded + status.podsUnknown
+	fmt.Fprintf(o, "%[1]s: %[2]s\t\t[pod status: %[3]d/%[6]d ready, %[4]d/%[6]d pending, %[5]d/%[6]d failed]\n", status.name, state,
+		status.podsReady, status.podsPending, totalFailed, status.podsTotal)
+}
+
+func newStatusDisplay(o *command.OutStream) statusDisplay {
+	if !o.IsTerminal() {
+		return &forwardOnlyStatusDisplay{o: o, states: map[string]metaServiceState{}}
+	}
+	return &interactiveStatusDisplay{o: o}
+}
diff --git a/cli/cli/command/stack/kubernetes/list.go b/cli/cli/command/stack/kubernetes/list.go
new file mode 100644
index 00000000..f6efd050
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/list.go
@@ -0,0 +1,136 @@
+package kubernetes
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/pkg/errors"
+	core_v1 "k8s.io/api/core/v1"
+	apierrs "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// GetStacks lists the kubernetes stacks
+func GetStacks(kubeCli *KubeCli, opts options.List) ([]*formatter.Stack, error) {
+	if opts.AllNamespaces || len(opts.Namespaces) == 0 {
+		if isAllNamespacesDisabled(kubeCli.ConfigFile().Kubernetes) {
+			opts.AllNamespaces = true
+		}
+		return getStacksWithAllNamespaces(kubeCli, opts)
+	}
+	return getStacksWithNamespaces(kubeCli, opts, removeDuplicates(opts.Namespaces))
+}
+
+func isAllNamespacesDisabled(kubeCliConfig *configfile.KubernetesConfig) bool {
+	return kubeCliConfig == nil || kubeCliConfig != nil && kubeCliConfig.AllNamespaces != "disabled"
+}
+
+func getStacks(kubeCli *KubeCli, opts options.List) ([]*formatter.Stack, error) {
+	composeClient, err := kubeCli.composeClient()
+	if err != nil {
+		return nil, err
+	}
+	stackSvc, err := composeClient.Stacks(opts.AllNamespaces)
+	if err != nil {
+		return nil, err
+	}
+	stacks, err := stackSvc.List(metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	var formattedStacks []*formatter.Stack
+	for _, stack := range stacks {
+		formattedStacks = append(formattedStacks, &formatter.Stack{
+			Name:         stack.name,
+			Services:     len(stack.getServices()),
+			Orchestrator: "Kubernetes",
+			Namespace:    stack.namespace,
+		})
+	}
+	return formattedStacks, nil
+}
+
+func getStacksWithAllNamespaces(kubeCli *KubeCli, opts options.List) ([]*formatter.Stack, error) {
+	stacks, err := getStacks(kubeCli, opts)
+	if !apierrs.IsForbidden(err) {
+		return stacks, err
+	}
+	namespaces, err2 := getUserVisibleNamespaces(*kubeCli)
+	if err2 != nil {
+		return nil, errors.Wrap(err2, "failed to query user visible namespaces")
+	}
+	if namespaces == nil {
+		// UCP API not present, fall back to Kubernetes error
+		return nil, err
+	}
+	opts.AllNamespaces = false
+	return getStacksWithNamespaces(kubeCli, opts, namespaces)
+}
+
+func getUserVisibleNamespaces(dockerCli command.Cli) ([]string, error) {
+	host := dockerCli.Client().DaemonHost()
+	endpoint, err := url.Parse(host)
+	if err != nil {
+		return nil, err
+	}
+	endpoint.Scheme = "https"
+	endpoint.Path = "/kubernetesNamespaces"
+	resp, err := dockerCli.Client().HTTPClient().Get(endpoint.String())
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, errors.Wrapf(err, "received %d status and unable to read response", resp.StatusCode)
+	}
+	switch resp.StatusCode {
+	case http.StatusOK:
+		nms := &core_v1.NamespaceList{}
+		if err := json.Unmarshal(body, nms); err != nil {
+			return nil, errors.Wrapf(err, "unmarshal failed: %s", string(body))
+		}
+		namespaces := make([]string, len(nms.Items))
+		for i, namespace := range nms.Items {
+			namespaces[i] = namespace.Name
+		}
+		return namespaces, nil
+	case http.StatusNotFound:
+		// UCP API not present
+		return nil, nil
+	default:
+		return nil, fmt.Errorf("received %d status while retrieving namespaces: %s", resp.StatusCode, string(body))
+	}
+}
+
+func getStacksWithNamespaces(kubeCli *KubeCli, opts options.List, namespaces []string) ([]*formatter.Stack, error) {
+	stacks := []*formatter.Stack{}
+	for _, namespace := range namespaces {
+		kubeCli.kubeNamespace = namespace
+		ss, err := getStacks(kubeCli, opts)
+		if err != nil {
+			return nil, err
+		}
+		stacks = append(stacks, ss...)
+	}
+	return stacks, nil
+}
+
+func removeDuplicates(namespaces []string) []string {
+	found := make(map[string]bool)
+	results := namespaces[:0]
+	for _, n := range namespaces {
+		if !found[n] {
+			results = append(results, n)
+			found[n] = true
+		}
+	}
+	return results
+}
diff --git a/cli/cli/command/stack/kubernetes/ps.go b/cli/cli/command/stack/kubernetes/ps.go
new file mode 100644
index 00000000..a4ee14f6
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/ps.go
@@ -0,0 +1,112 @@
+package kubernetes
+
+import (
+	"fmt"
+	"sort"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/command/task"
+	"github.com/docker/docker/api/types/swarm"
+	apiv1 "k8s.io/api/core/v1"
+	apierrs "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+)
+
+var supportedPSFilters = map[string]bool{
+	"name":    true,
+	"service": true,
+	"node":    true,
+}
+
+// RunPS is the kubernetes implementation of docker stack ps
+func RunPS(dockerCli *KubeCli, options options.PS) error {
+	filters := options.Filter.Value()
+	if err := filters.Validate(supportedPSFilters); err != nil {
+		return err
+	}
+	client, err := dockerCli.composeClient()
+	if err != nil {
+		return err
+	}
+	stacks, err := client.Stacks(false)
+	if err != nil {
+		return err
+	}
+	stackName := options.Namespace
+	_, err = stacks.Get(stackName)
+	if apierrs.IsNotFound(err) {
+		return fmt.Errorf("nothing found in stack: %s", stackName)
+	}
+	if err != nil {
+		return err
+	}
+	pods, err := fetchPods(stackName, client.Pods(), filters)
+	if err != nil {
+		return err
+	}
+	if len(pods) == 0 {
+		return fmt.Errorf("nothing found in stack: %s", stackName)
+	}
+	return printTasks(dockerCli, options, stackName, client, pods)
+}
+
+func printTasks(dockerCli command.Cli, options options.PS, namespace string, client corev1.NodesGetter, pods []apiv1.Pod) error {
+	format := options.Format
+	if format == "" {
+		format = task.DefaultFormat(dockerCli.ConfigFile(), options.Quiet)
+	}
+
+	tasks := make([]swarm.Task, len(pods))
+	for i, pod := range pods {
+		tasks[i] = podToTask(pod)
+	}
+	sort.Stable(tasksBySlot(tasks))
+
+	names := map[string]string{}
+	nodes := map[string]string{}
+
+	n, err := listNodes(client, options.NoResolve)
+	if err != nil {
+		return err
+	}
+	for i, task := range tasks {
+		nodeValue, err := resolveNode(pods[i].Spec.NodeName, n, options.NoResolve)
+		if err != nil {
+			return err
+		}
+		names[task.ID] = fmt.Sprintf("%s_%s", namespace, pods[i].Name)
+		nodes[task.ID] = nodeValue
+	}
+
+	tasksCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewTaskFormat(format, options.Quiet),
+		Trunc:  !options.NoTrunc,
+	}
+
+	return formatter.TaskWrite(tasksCtx, tasks, names, nodes)
+}
+
+func resolveNode(name string, nodes *apiv1.NodeList, noResolve bool) (string, error) {
+	// Here we have a name and we need to resolve its identifier. To mimic swarm behavior
+	// we need to resolve to the id when noResolve is set, otherwise we return the name.
+	if noResolve {
+		for _, node := range nodes.Items {
+			if node.Name == name {
+				return string(node.UID), nil
+			}
+		}
+		return "", fmt.Errorf("could not find node '%s'", name)
+	}
+	return name, nil
+}
+
+func listNodes(client corev1.NodesGetter, noResolve bool) (*apiv1.NodeList, error) {
+	if noResolve {
+		return client.Nodes().List(metav1.ListOptions{})
+	}
+	return nil, nil
+}
diff --git a/cli/cli/command/stack/kubernetes/remove.go b/cli/cli/command/stack/kubernetes/remove.go
new file mode 100644
index 00000000..311c7597
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/remove.go
@@ -0,0 +1,27 @@
+package kubernetes
+
+import (
+	"fmt"
+
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/pkg/errors"
+)
+
+// RunRemove is the kubernetes implementation of docker stack remove
+func RunRemove(dockerCli *KubeCli, opts options.Remove) error {
+	composeClient, err := dockerCli.composeClient()
+	if err != nil {
+		return err
+	}
+	stacks, err := composeClient.Stacks(false)
+	if err != nil {
+		return err
+	}
+	for _, stack := range opts.Namespaces {
+		fmt.Fprintf(dockerCli.Out(), "Removing stack: %s\n", stack)
+		if err := stacks.Delete(stack); err != nil {
+			return errors.Wrapf(err, "Failed to remove stack %s", stack)
+		}
+	}
+	return nil
+}
diff --git a/cli/cli/command/stack/kubernetes/services.go b/cli/cli/command/stack/kubernetes/services.go
new file mode 100644
index 00000000..a2d13e56
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/services.go
@@ -0,0 +1,158 @@
+package kubernetes
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/kubernetes/labels"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	appsv1beta2 "k8s.io/api/apps/v1beta2"
+	corev1 "k8s.io/api/core/v1"
+	apierrs "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var supportedServicesFilters = map[string]bool{
+	"mode":  true,
+	"name":  true,
+	"label": true,
+}
+
+func generateSelector(labels map[string][]string) []string {
+	var result []string
+	for k, v := range labels {
+		for _, val := range v {
+			result = append(result, fmt.Sprintf("%s=%s", k, val))
+		}
+		if len(v) == 0 {
+			result = append(result, k)
+		}
+	}
+	return result
+}
+
+func parseLabelFilters(rawFilters []string) map[string][]string {
+	labels := map[string][]string{}
+	for _, rawLabel := range rawFilters {
+		v := strings.SplitN(rawLabel, "=", 2)
+		key := v[0]
+		if len(v) > 1 {
+			labels[key] = append(labels[key], v[1])
+		} else if _, ok := labels[key]; !ok {
+			labels[key] = []string{}
+		}
+	}
+	return labels
+}
+
+func generateLabelSelector(f filters.Args, stackName string) string {
+	selectors := append(generateSelector(parseLabelFilters(f.Get("label"))), labels.SelectorForStack(stackName))
+	return strings.Join(selectors, ",")
+}
+
+func getResourcesForServiceList(dockerCli *KubeCli, filters filters.Args, labelSelector string) (*appsv1beta2.ReplicaSetList, *appsv1beta2.DaemonSetList, *corev1.ServiceList, error) {
+	client, err := dockerCli.composeClient()
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	modes := filters.Get("mode")
+	replicas := &appsv1beta2.ReplicaSetList{}
+	if len(modes) == 0 || filters.ExactMatch("mode", "replicated") {
+		if replicas, err = client.ReplicaSets().List(metav1.ListOptions{LabelSelector: labelSelector}); err != nil {
+			return nil, nil, nil, err
+		}
+	}
+	daemons := &appsv1beta2.DaemonSetList{}
+	if len(modes) == 0 || filters.ExactMatch("mode", "global") {
+		if daemons, err = client.DaemonSets().List(metav1.ListOptions{LabelSelector: labelSelector}); err != nil {
+			return nil, nil, nil, err
+		}
+	}
+	services, err := client.Services().List(metav1.ListOptions{LabelSelector: labelSelector})
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return replicas, daemons, services, nil
+}
+
+// RunServices is the kubernetes implementation of docker stack services
+func RunServices(dockerCli *KubeCli, opts options.Services) error {
+	filters := opts.Filter.Value()
+	if err := filters.Validate(supportedServicesFilters); err != nil {
+		return err
+	}
+	client, err := dockerCli.composeClient()
+	if err != nil {
+		return nil
+	}
+	stacks, err := client.Stacks(false)
+	if err != nil {
+		return nil
+	}
+	stackName := opts.Namespace
+	_, err = stacks.Get(stackName)
+	if apierrs.IsNotFound(err) {
+		return fmt.Errorf("nothing found in stack: %s", stackName)
+	}
+	if err != nil {
+		return err
+	}
+
+	labelSelector := generateLabelSelector(filters, stackName)
+	replicasList, daemonsList, servicesList, err := getResourcesForServiceList(dockerCli, filters, labelSelector)
+	if err != nil {
+		return err
+	}
+
+	// Convert Replicas sets and kubernetes services to swam services and formatter informations
+	services, info, err := convertToServices(replicasList, daemonsList, servicesList)
+	if err != nil {
+		return err
+	}
+	services = filterServicesByName(services, filters.Get("name"), stackName)
+
+	if opts.Quiet {
+		info = map[string]formatter.ServiceListInfo{}
+	}
+
+	format := opts.Format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().ServicesFormat) > 0 && !opts.Quiet {
+			format = dockerCli.ConfigFile().ServicesFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+
+	servicesCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewServiceListFormat(format, opts.Quiet),
+	}
+	return formatter.ServiceListWrite(servicesCtx, services, info)
+}
+
+func filterServicesByName(services []swarm.Service, names []string, stackName string) []swarm.Service {
+	if len(names) == 0 {
+		return services
+	}
+	prefix := stackName + "_"
+	// Accepts unprefixed service name (for compatibility with existing swarm scripts where service names are prefixed by stack names)
+	for i, n := range names {
+		if !strings.HasPrefix(n, prefix) {
+			names[i] = stackName + "_" + n
+		}
+	}
+	// Filter services
+	result := []swarm.Service{}
+	for _, s := range services {
+		for _, n := range names {
+			if strings.HasPrefix(s.Spec.Name, n) {
+				result = append(result, s)
+			}
+		}
+	}
+	return result
+}
diff --git a/cli/cli/command/stack/kubernetes/services_test.go b/cli/cli/command/stack/kubernetes/services_test.go
new file mode 100644
index 00000000..5603eeda
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/services_test.go
@@ -0,0 +1,138 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	"gotest.tools/assert/cmp"
+)
+
+func TestServiceFiltersLabelSelectorGen(t *testing.T) {
+	cases := []struct {
+		name                  string
+		stackName             string
+		filters               filters.Args
+		expectedSelectorParts []string
+	}{
+		{
+			name:      "no-filter",
+			stackName: "test",
+			filters:   filters.NewArgs(),
+			expectedSelectorParts: []string{
+				"com.docker.stack.namespace=test",
+			},
+		},
+		{
+			name:      "label present filter",
+			stackName: "test",
+			filters: filters.NewArgs(
+				filters.KeyValuePair{Key: "label", Value: "label-is-present"},
+			),
+			expectedSelectorParts: []string{
+				"com.docker.stack.namespace=test",
+				"label-is-present",
+			},
+		},
+		{
+			name:      "single value label filter",
+			stackName: "test",
+			filters: filters.NewArgs(
+				filters.KeyValuePair{Key: "label", Value: "label1=test"},
+			),
+			expectedSelectorParts: []string{
+				"com.docker.stack.namespace=test",
+				"label1=test",
+			},
+		},
+		{
+			name:      "multi value label filter",
+			stackName: "test",
+			filters: filters.NewArgs(
+				filters.KeyValuePair{Key: "label", Value: "label1=test"},
+				filters.KeyValuePair{Key: "label", Value: "label1=test2"},
+			),
+			expectedSelectorParts: []string{
+				"com.docker.stack.namespace=test",
+				"label1=test",
+				"label1=test2",
+			},
+		},
+		{
+			name:      "2 different labels filter",
+			stackName: "test",
+			filters: filters.NewArgs(
+				filters.KeyValuePair{Key: "label", Value: "label1=test"},
+				filters.KeyValuePair{Key: "label", Value: "label2=test2"},
+			),
+			expectedSelectorParts: []string{
+				"com.docker.stack.namespace=test",
+				"label1=test",
+				"label2=test2",
+			},
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			result := generateLabelSelector(c.filters, c.stackName)
+			for _, toFind := range c.expectedSelectorParts {
+				assert.Assert(t, cmp.Contains(result, toFind))
+			}
+		})
+	}
+}
+func TestServiceFiltersServiceByName(t *testing.T) {
+	cases := []struct {
+		name             string
+		filters          []string
+		services         []swarm.Service
+		expectedServices []swarm.Service
+	}{
+		{
+			name:             "no filter",
+			filters:          []string{},
+			services:         makeServices("s1", "s2"),
+			expectedServices: makeServices("s1", "s2"),
+		},
+		{
+			name:             "single-name filter",
+			filters:          []string{"s1"},
+			services:         makeServices("s1", "s2"),
+			expectedServices: makeServices("s1"),
+		},
+		{
+			name:             "filter by prefix",
+			filters:          []string{"prefix"},
+			services:         makeServices("prefix-s1", "prefix-s2", "s2"),
+			expectedServices: makeServices("prefix-s1", "prefix-s2"),
+		},
+		{
+			name:             "multi-name filter",
+			filters:          []string{"s1", "s2"},
+			services:         makeServices("s1", "s2", "s3"),
+			expectedServices: makeServices("s1", "s2"),
+		},
+		{
+			name:             "stack name prefix is valid",
+			filters:          []string{"stack_s1"},
+			services:         makeServices("s1", "s11", "s2"),
+			expectedServices: makeServices("s1", "s11"),
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			result := filterServicesByName(c.services, c.filters, "stack")
+			assert.DeepEqual(t, c.expectedServices, result)
+		})
+	}
+}
+
+func makeServices(names ...string) []swarm.Service {
+	result := make([]swarm.Service, len(names))
+	for i, n := range names {
+		result[i] = swarm.Service{Spec: swarm.ServiceSpec{Annotations: swarm.Annotations{Name: "stack_" + n}}}
+	}
+	return result
+}
diff --git a/cli/cli/command/stack/kubernetes/stack.go b/cli/cli/command/stack/kubernetes/stack.go
new file mode 100644
index 00000000..566e7729
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/stack.go
@@ -0,0 +1,107 @@
+package kubernetes
+
+import (
+	"io/ioutil"
+	"path/filepath"
+	"sort"
+
+	"github.com/docker/cli/kubernetes/compose/v1beta2"
+	"github.com/docker/cli/kubernetes/labels"
+	apiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+)
+
+// stack is the main type used by stack commands so they remain independent from kubernetes compose component version.
+type stack struct {
+	name        string
+	namespace   string
+	composeFile string
+	spec        *v1beta2.StackSpec
+}
+
+// getServices returns all the stack service names, sorted lexicographically
+func (s *stack) getServices() []string {
+	services := make([]string, len(s.spec.Services))
+	for i, service := range s.spec.Services {
+		services[i] = service.Name
+	}
+	sort.Strings(services)
+	return services
+}
+
+// createFileBasedConfigMaps creates a Kubernetes ConfigMap for each Compose global file-based config.
+func (s *stack) createFileBasedConfigMaps(configMaps corev1.ConfigMapInterface) error {
+	for name, config := range s.spec.Configs {
+		if config.File == "" {
+			continue
+		}
+
+		fileName := filepath.Base(config.File)
+		content, err := ioutil.ReadFile(config.File)
+		if err != nil {
+			return err
+		}
+
+		if _, err := configMaps.Create(toConfigMap(s.name, name, fileName, content)); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// toConfigMap converts a Compose Config to a Kube ConfigMap.
+func toConfigMap(stackName, name, key string, content []byte) *apiv1.ConfigMap {
+	return &apiv1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "ConfigMap",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+			Labels: map[string]string{
+				labels.ForStackName: stackName,
+			},
+		},
+		Data: map[string]string{
+			key: string(content),
+		},
+	}
+}
+
+// createFileBasedSecrets creates a Kubernetes Secret for each Compose global file-based secret.
+func (s *stack) createFileBasedSecrets(secrets corev1.SecretInterface) error {
+	for name, secret := range s.spec.Secrets {
+		if secret.File == "" {
+			continue
+		}
+
+		fileName := filepath.Base(secret.File)
+		content, err := ioutil.ReadFile(secret.File)
+		if err != nil {
+			return err
+		}
+
+		if _, err := secrets.Create(toSecret(s.name, name, fileName, content)); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// toSecret converts a Compose Secret to a Kube Secret.
+func toSecret(stackName, name, key string, content []byte) *apiv1.Secret {
+	return &apiv1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+			Labels: map[string]string{
+				labels.ForStackName: stackName,
+			},
+		},
+		Data: map[string][]byte{
+			key: content,
+		},
+	}
+}
diff --git a/cli/cli/command/stack/kubernetes/stackclient.go b/cli/cli/command/stack/kubernetes/stackclient.go
new file mode 100644
index 00000000..b59a50d4
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/stackclient.go
@@ -0,0 +1,197 @@
+package kubernetes
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/docker/cli/cli/compose/loader"
+	"github.com/docker/cli/cli/compose/schema"
+	composetypes "github.com/docker/cli/cli/compose/types"
+	composev1beta1 "github.com/docker/cli/kubernetes/client/clientset/typed/compose/v1beta1"
+	composev1beta2 "github.com/docker/cli/kubernetes/client/clientset/typed/compose/v1beta2"
+	v1beta1types "github.com/docker/cli/kubernetes/compose/v1beta1"
+	"github.com/docker/cli/kubernetes/labels"
+	"github.com/pkg/errors"
+	yaml "gopkg.in/yaml.v2"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/client-go/rest"
+)
+
+// StackClient talks to a kubernetes compose component.
+type StackClient interface {
+	CreateOrUpdate(s stack) error
+	Delete(name string) error
+	Get(name string) (stack, error)
+	List(opts metav1.ListOptions) ([]stack, error)
+	IsColliding(servicesClient corev1.ServiceInterface, s stack) error
+	FromCompose(stderr io.Writer, name string, cfg *composetypes.Config) (stack, error)
+}
+
+// stackV1Beta1 implements stackClient interface and talks to compose component v1beta1.
+type stackV1Beta1 struct {
+	stacks composev1beta1.StackInterface
+}
+
+func newStackV1Beta1(config *rest.Config, namespace string) (*stackV1Beta1, error) {
+	client, err := composev1beta1.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+	return &stackV1Beta1{stacks: client.Stacks(namespace)}, nil
+}
+
+func (s *stackV1Beta1) CreateOrUpdate(internalStack stack) error {
+	// If it already exists, update the stack
+	if stackBeta1, err := s.stacks.Get(internalStack.name, metav1.GetOptions{}); err == nil {
+		stackBeta1.Spec.ComposeFile = internalStack.composeFile
+		_, err := s.stacks.Update(stackBeta1)
+		return err
+	}
+	// Or create it
+	_, err := s.stacks.Create(stackToV1beta1(internalStack))
+	return err
+}
+
+func (s *stackV1Beta1) Delete(name string) error {
+	return s.stacks.Delete(name, &metav1.DeleteOptions{})
+}
+
+func (s *stackV1Beta1) Get(name string) (stack, error) {
+	stackBeta1, err := s.stacks.Get(name, metav1.GetOptions{})
+	if err != nil {
+		return stack{}, err
+	}
+	return stackFromV1beta1(stackBeta1)
+}
+
+func (s *stackV1Beta1) List(opts metav1.ListOptions) ([]stack, error) {
+	list, err := s.stacks.List(opts)
+	if err != nil {
+		return nil, err
+	}
+	stacks := make([]stack, len(list.Items))
+	for i := range list.Items {
+		stack, err := stackFromV1beta1(&list.Items[i])
+		if err != nil {
+			return nil, err
+		}
+		stacks[i] = stack
+	}
+	return stacks, nil
+}
+
+// IsColliding verifies that services defined in the stack collides with already deployed services
+func (s *stackV1Beta1) IsColliding(servicesClient corev1.ServiceInterface, st stack) error {
+	for _, srv := range st.getServices() {
+		if err := verify(servicesClient, st.name, srv); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// verify checks wether the service is already present in kubernetes.
+// If we find the service by name but it doesn't have our label or it has a different value
+// than the stack name for the label, we fail (i.e. it will collide)
+func verify(services corev1.ServiceInterface, stackName string, service string) error {
+	svc, err := services.Get(service, metav1.GetOptions{})
+	if err == nil {
+		if key, ok := svc.ObjectMeta.Labels[labels.ForStackName]; ok {
+			if key != stackName {
+				return fmt.Errorf("service %s already present in stack named %s", service, key)
+			}
+			return nil
+		}
+		return fmt.Errorf("service %s already present in the cluster", service)
+	}
+	return nil
+}
+
+func (s *stackV1Beta1) FromCompose(stderr io.Writer, name string, cfg *composetypes.Config) (stack, error) {
+	cfg.Version = v1beta1types.MaxComposeVersion
+	st, err := fromCompose(stderr, name, cfg)
+	if err != nil {
+		return stack{}, err
+	}
+	res, err := yaml.Marshal(cfg)
+	if err != nil {
+		return stack{}, err
+	}
+	// reload the result to check that it produced a valid 3.5 compose file
+	resparsedConfig, err := loader.ParseYAML(res)
+	if err != nil {
+		return stack{}, err
+	}
+	if err = schema.Validate(resparsedConfig, v1beta1types.MaxComposeVersion); err != nil {
+		return stack{}, errors.Wrapf(err, "the compose yaml file is invalid with v%s", v1beta1types.MaxComposeVersion)
+	}
+
+	st.composeFile = string(res)
+	return st, nil
+}
+
+// stackV1Beta2 implements stackClient interface and talks to compose component v1beta2.
+type stackV1Beta2 struct {
+	stacks composev1beta2.StackInterface
+}
+
+func newStackV1Beta2(config *rest.Config, namespace string) (*stackV1Beta2, error) {
+	client, err := composev1beta2.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+	return &stackV1Beta2{stacks: client.Stacks(namespace)}, nil
+}
+
+func (s *stackV1Beta2) CreateOrUpdate(internalStack stack) error {
+	// If it already exists, update the stack
+	if stackBeta2, err := s.stacks.Get(internalStack.name, metav1.GetOptions{}); err == nil {
+		stackBeta2.Spec = internalStack.spec
+		_, err := s.stacks.Update(stackBeta2)
+		return err
+	}
+	// Or create it
+	_, err := s.stacks.Create(stackToV1beta2(internalStack))
+	return err
+}
+
+func (s *stackV1Beta2) Delete(name string) error {
+	return s.stacks.Delete(name, &metav1.DeleteOptions{})
+}
+
+func (s *stackV1Beta2) Get(name string) (stack, error) {
+	stackBeta2, err := s.stacks.Get(name, metav1.GetOptions{})
+	if err != nil {
+		return stack{}, err
+	}
+	return stackFromV1beta2(stackBeta2), nil
+}
+
+func (s *stackV1Beta2) List(opts metav1.ListOptions) ([]stack, error) {
+	list, err := s.stacks.List(opts)
+	if err != nil {
+		return nil, err
+	}
+	stacks := make([]stack, len(list.Items))
+	for i := range list.Items {
+		stacks[i] = stackFromV1beta2(&list.Items[i])
+	}
+	return stacks, nil
+}
+
+// IsColliding is handle server side with the compose api v1beta2, so nothing to do here
+func (s *stackV1Beta2) IsColliding(servicesClient corev1.ServiceInterface, st stack) error {
+	return nil
+}
+
+func (s *stackV1Beta2) FromCompose(stderr io.Writer, name string, cfg *composetypes.Config) (stack, error) {
+	return fromCompose(stderr, name, cfg)
+}
+
+func fromCompose(stderr io.Writer, name string, cfg *composetypes.Config) (stack, error) {
+	return stack{
+		name: name,
+		spec: fromComposeConfig(stderr, cfg),
+	}, nil
+}
diff --git a/cli/cli/command/stack/kubernetes/stackclient_test.go b/cli/cli/command/stack/kubernetes/stackclient_test.go
new file mode 100644
index 00000000..8757f1c4
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/stackclient_test.go
@@ -0,0 +1,64 @@
+package kubernetes
+
+import (
+	"io/ioutil"
+	"testing"
+
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"gotest.tools/assert"
+)
+
+func TestFromCompose(t *testing.T) {
+	stackClient := &stackV1Beta1{}
+	s, err := stackClient.FromCompose(ioutil.Discard, "foo", &composetypes.Config{
+		Version:  "3.1",
+		Filename: "banana",
+		Services: []composetypes.ServiceConfig{
+			{
+				Name:  "foo",
+				Image: "foo",
+			},
+			{
+				Name:  "bar",
+				Image: "bar",
+			},
+		},
+	})
+	assert.NilError(t, err)
+	assert.Equal(t, "foo", s.name)
+	assert.Equal(t, string(`version: "3.5"
+services:
+  bar:
+    image: bar
+  foo:
+    image: foo
+networks: {}
+volumes: {}
+secrets: {}
+configs: {}
+`), s.composeFile)
+}
+
+func TestFromComposeUnsupportedVersion(t *testing.T) {
+	stackClient := &stackV1Beta1{}
+	_, err := stackClient.FromCompose(ioutil.Discard, "foo", &composetypes.Config{
+		Version:  "3.6",
+		Filename: "banana",
+		Services: []composetypes.ServiceConfig{
+			{
+				Name:  "foo",
+				Image: "foo",
+				Volumes: []composetypes.ServiceVolumeConfig{
+					{
+						Type:   "tmpfs",
+						Target: "/app",
+						Tmpfs: &composetypes.ServiceVolumeTmpfs{
+							Size: 10000,
+						},
+					},
+				},
+			},
+		},
+	})
+	assert.ErrorContains(t, err, "the compose yaml file is invalid with v3.5: services.foo.volumes.0 Additional property tmpfs is not allowed")
+}
diff --git a/cli/cli/command/stack/kubernetes/testdata/warnings.golden b/cli/cli/command/stack/kubernetes/testdata/warnings.golden
new file mode 100644
index 00000000..1ee14b0f
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/testdata/warnings.golden
@@ -0,0 +1,31 @@
+top-level network "global" is ignored
+service "front": network "private" is ignored
+service "front": update_config.delay is not supported
+service "front": update_config.failure_action is not supported
+service "front": update_config.monitor is not supported
+service "front": update_config.max_failure_ratio is not supported
+service "front": restart_policy.delay is ignored
+service "front": restart_policy.max_attempts is ignored
+service "front": restart_policy.window is ignored
+service "front": container_name is deprecated
+service "front": expose is deprecated
+service "front": build is ignored
+service "front": cgroup_parent is ignored
+service "front": devices are ignored
+service "front": domainname is ignored
+service "front": external_links are ignored
+service "front": links are ignored
+service "front": mac_address is ignored
+service "front": network_mode is ignored
+service "front": restart is ignored
+service "front": security_opt are ignored
+service "front": ulimits are ignored
+service "front": depends_on are ignored
+service "front": credential_spec is ignored
+service "front": dns are ignored
+service "front": dns_search are ignored
+service "front": env_file are ignored
+service "front": stop_signal is ignored
+service "front": logging is ignored
+service "front": volume.propagation is ignored
+service "front": volume.nocopy is ignored
diff --git a/cli/cli/command/stack/kubernetes/warnings.go b/cli/cli/command/stack/kubernetes/warnings.go
new file mode 100644
index 00000000..eb4598db
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/warnings.go
@@ -0,0 +1,145 @@
+package kubernetes
+
+import (
+	"fmt"
+	"io"
+
+	composetypes "github.com/docker/cli/cli/compose/types"
+)
+
+func warnUnsupportedFeatures(stderr io.Writer, cfg *composetypes.Config) {
+	warnForGlobalNetworks(stderr, cfg)
+	for _, s := range cfg.Services {
+		warnForServiceNetworks(stderr, s)
+		warnForUnsupportedDeploymentStrategy(stderr, s)
+		warnForUnsupportedRestartPolicy(stderr, s)
+		warnForDeprecatedProperties(stderr, s)
+		warnForUnsupportedProperties(stderr, s)
+	}
+}
+
+func warnForGlobalNetworks(stderr io.Writer, config *composetypes.Config) {
+	for network := range config.Networks {
+		fmt.Fprintf(stderr, "top-level network %q is ignored\n", network)
+	}
+}
+
+func warnServicef(stderr io.Writer, service, format string, args ...interface{}) {
+	fmt.Fprintf(stderr, "service \"%s\": %s\n", service, fmt.Sprintf(format, args...))
+}
+
+func warnForServiceNetworks(stderr io.Writer, s composetypes.ServiceConfig) {
+	for network := range s.Networks {
+		warnServicef(stderr, s.Name, "network %q is ignored", network)
+	}
+}
+
+func warnForDeprecatedProperties(stderr io.Writer, s composetypes.ServiceConfig) {
+	if s.ContainerName != "" {
+		warnServicef(stderr, s.Name, "container_name is deprecated")
+	}
+	if len(s.Expose) > 0 {
+		warnServicef(stderr, s.Name, "expose is deprecated")
+	}
+}
+
+func warnForUnsupportedDeploymentStrategy(stderr io.Writer, s composetypes.ServiceConfig) {
+	config := s.Deploy.UpdateConfig
+	if config == nil {
+		return
+	}
+	if config.Delay != 0 {
+		warnServicef(stderr, s.Name, "update_config.delay is not supported")
+	}
+	if config.FailureAction != "" {
+		warnServicef(stderr, s.Name, "update_config.failure_action is not supported")
+	}
+	if config.Monitor != 0 {
+		warnServicef(stderr, s.Name, "update_config.monitor is not supported")
+	}
+	if config.MaxFailureRatio != 0 {
+		warnServicef(stderr, s.Name, "update_config.max_failure_ratio is not supported")
+	}
+}
+
+func warnForUnsupportedRestartPolicy(stderr io.Writer, s composetypes.ServiceConfig) {
+	policy := s.Deploy.RestartPolicy
+	if policy == nil {
+		return
+	}
+
+	if policy.Delay != nil {
+		warnServicef(stderr, s.Name, "restart_policy.delay is ignored")
+	}
+	if policy.MaxAttempts != nil {
+		warnServicef(stderr, s.Name, "restart_policy.max_attempts is ignored")
+	}
+	if policy.Window != nil {
+		warnServicef(stderr, s.Name, "restart_policy.window is ignored")
+	}
+}
+
+func warnForUnsupportedProperties(stderr io.Writer, s composetypes.ServiceConfig) { // nolint: gocyclo
+	if build := s.Build; build.Context != "" || build.Dockerfile != "" || len(build.Args) > 0 || len(build.Labels) > 0 || len(build.CacheFrom) > 0 || build.Network != "" || build.Target != "" {
+		warnServicef(stderr, s.Name, "build is ignored")
+	}
+	if s.CgroupParent != "" {
+		warnServicef(stderr, s.Name, "cgroup_parent is ignored")
+	}
+	if len(s.Devices) > 0 {
+		warnServicef(stderr, s.Name, "devices are ignored")
+	}
+	if s.DomainName != "" {
+		warnServicef(stderr, s.Name, "domainname is ignored")
+	}
+	if len(s.ExternalLinks) > 0 {
+		warnServicef(stderr, s.Name, "external_links are ignored")
+	}
+	if len(s.Links) > 0 {
+		warnServicef(stderr, s.Name, "links are ignored")
+	}
+	if s.MacAddress != "" {
+		warnServicef(stderr, s.Name, "mac_address is ignored")
+	}
+	if s.NetworkMode != "" {
+		warnServicef(stderr, s.Name, "network_mode is ignored")
+	}
+	if s.Restart != "" {
+		warnServicef(stderr, s.Name, "restart is ignored")
+	}
+	if len(s.SecurityOpt) > 0 {
+		warnServicef(stderr, s.Name, "security_opt are ignored")
+	}
+	if len(s.Ulimits) > 0 {
+		warnServicef(stderr, s.Name, "ulimits are ignored")
+	}
+	if len(s.DependsOn) > 0 {
+		warnServicef(stderr, s.Name, "depends_on are ignored")
+	}
+	if s.CredentialSpec.File != "" {
+		warnServicef(stderr, s.Name, "credential_spec is ignored")
+	}
+	if len(s.DNS) > 0 {
+		warnServicef(stderr, s.Name, "dns are ignored")
+	}
+	if len(s.DNSSearch) > 0 {
+		warnServicef(stderr, s.Name, "dns_search are ignored")
+	}
+	if len(s.EnvFile) > 0 {
+		warnServicef(stderr, s.Name, "env_file are ignored")
+	}
+	if s.StopSignal != "" {
+		warnServicef(stderr, s.Name, "stop_signal is ignored")
+	}
+	if s.Logging != nil {
+		warnServicef(stderr, s.Name, "logging is ignored")
+	}
+	for _, m := range s.Volumes {
+		if m.Volume != nil && m.Volume.NoCopy {
+			warnServicef(stderr, s.Name, "volume.nocopy is ignored")
+		}
+		if m.Bind != nil && m.Bind.Propagation != "" {
+			warnServicef(stderr, s.Name, "volume.propagation is ignored")
+		}
+	}
+}
diff --git a/cli/cli/command/stack/kubernetes/warnings_test.go b/cli/cli/command/stack/kubernetes/warnings_test.go
new file mode 100644
index 00000000..bdb7bf9d
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/warnings_test.go
@@ -0,0 +1,78 @@
+package kubernetes
+
+import (
+	"bytes"
+	"testing"
+	"time"
+
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"gotest.tools/golden"
+)
+
+func TestWarnings(t *testing.T) {
+	duration := 5 * time.Second
+	attempts := uint64(3)
+	config := &composetypes.Config{
+		Version: "3.4",
+		Services: []composetypes.ServiceConfig{
+			{
+				Name: "front",
+				Build: composetypes.BuildConfig{
+					Context: "ignored",
+				},
+				ContainerName:  "ignored",
+				CgroupParent:   "ignored",
+				CredentialSpec: composetypes.CredentialSpecConfig{File: "ignored"},
+				DependsOn:      []string{"ignored"},
+				Deploy: composetypes.DeployConfig{
+					UpdateConfig: &composetypes.UpdateConfig{
+						Delay:           5 * time.Second,
+						FailureAction:   "rollback",
+						Monitor:         10 * time.Second,
+						MaxFailureRatio: 0.5,
+					},
+					RestartPolicy: &composetypes.RestartPolicy{
+						Delay:       &duration,
+						MaxAttempts: &attempts,
+						Window:      &duration,
+					},
+				},
+				Devices:       []string{"ignored"},
+				DNSSearch:     []string{"ignored"},
+				DNS:           []string{"ignored"},
+				DomainName:    "ignored",
+				EnvFile:       []string{"ignored"},
+				Expose:        []string{"80"},
+				ExternalLinks: []string{"ignored"},
+				Image:         "dockerdemos/front",
+				Links:         []string{"ignored"},
+				Logging:       &composetypes.LoggingConfig{Driver: "syslog"},
+				MacAddress:    "ignored",
+				Networks:      map[string]*composetypes.ServiceNetworkConfig{"private": {}},
+				NetworkMode:   "ignored",
+				Restart:       "ignored",
+				SecurityOpt:   []string{"ignored"},
+				StopSignal:    "ignored",
+				Ulimits:       map[string]*composetypes.UlimitsConfig{"nproc": {Hard: 65535}},
+				User:          "ignored",
+				Volumes: []composetypes.ServiceVolumeConfig{
+					{
+						Type: "bind",
+						Bind: &composetypes.ServiceVolumeBind{Propagation: "ignored"},
+					},
+					{
+						Type:   "volume",
+						Volume: &composetypes.ServiceVolumeVolume{NoCopy: true},
+					},
+				},
+			},
+		},
+		Networks: map[string]composetypes.NetworkConfig{
+			"global": {},
+		},
+	}
+	var buf bytes.Buffer
+	warnUnsupportedFeatures(&buf, config)
+	warnings := buf.String()
+	golden.Assert(t, warnings, "warnings.golden")
+}
diff --git a/cli/cli/command/stack/kubernetes/watcher.go b/cli/cli/command/stack/kubernetes/watcher.go
new file mode 100644
index 00000000..93d3358b
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/watcher.go
@@ -0,0 +1,255 @@
+package kubernetes
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	apiv1beta1 "github.com/docker/cli/kubernetes/compose/v1beta1"
+	"github.com/docker/cli/kubernetes/labels"
+	"github.com/pkg/errors"
+	apiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	runtimeutil "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+	podutils "k8s.io/kubernetes/pkg/api/v1/pod"
+)
+
+type stackListWatch interface {
+	List(opts metav1.ListOptions) (*apiv1beta1.StackList, error)
+	Watch(opts metav1.ListOptions) (watch.Interface, error)
+}
+
+type podListWatch interface {
+	List(opts metav1.ListOptions) (*apiv1.PodList, error)
+	Watch(opts metav1.ListOptions) (watch.Interface, error)
+}
+
+// DeployWatcher watches a stack deployement
+type deployWatcher struct {
+	pods   podListWatch
+	stacks stackListWatch
+}
+
+// Watch watches a stuck deployement and return a chan that will holds the state of the stack
+func (w *deployWatcher) Watch(name string, serviceNames []string, statusUpdates chan serviceStatus) error {
+	errC := make(chan error, 1)
+	defer close(errC)
+
+	handlers := runtimeutil.ErrorHandlers
+
+	// informer errors are reported using global error handlers
+	runtimeutil.ErrorHandlers = append(handlers, func(err error) {
+		errC <- err
+	})
+	defer func() {
+		runtimeutil.ErrorHandlers = handlers
+	}()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	wg := sync.WaitGroup{}
+	defer func() {
+		cancel()
+		wg.Wait()
+	}()
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		w.watchStackStatus(ctx, name, errC)
+	}()
+	go func() {
+		defer wg.Done()
+		w.waitForPods(ctx, name, serviceNames, errC, statusUpdates)
+	}()
+
+	return <-errC
+}
+
+type stackWatcher struct {
+	resultChan chan error
+	stackName  string
+}
+
+var _ cache.ResourceEventHandler = &stackWatcher{}
+
+func (sw *stackWatcher) OnAdd(obj interface{}) {
+	stack, ok := obj.(*apiv1beta1.Stack)
+	switch {
+	case !ok:
+		sw.resultChan <- errors.Errorf("stack %s has incorrect type", sw.stackName)
+	case stack.Status.Phase == apiv1beta1.StackFailure:
+		sw.resultChan <- errors.Errorf("stack %s failed with status %s: %s", sw.stackName, stack.Status.Phase, stack.Status.Message)
+	}
+}
+
+func (sw *stackWatcher) OnUpdate(oldObj, newObj interface{}) {
+	sw.OnAdd(newObj)
+}
+
+func (sw *stackWatcher) OnDelete(obj interface{}) {
+}
+
+func (w *deployWatcher) watchStackStatus(ctx context.Context, stackname string, e chan error) {
+	informer := newStackInformer(w.stacks, stackname)
+	sw := &stackWatcher{
+		resultChan: e,
+	}
+	informer.AddEventHandler(sw)
+	informer.Run(ctx.Done())
+}
+
+type serviceStatus struct {
+	name          string
+	podsPending   int
+	podsRunning   int
+	podsSucceeded int
+	podsFailed    int
+	podsUnknown   int
+	podsReady     int
+	podsTotal     int
+}
+
+type podWatcher struct {
+	stackName     string
+	services      map[string]serviceStatus
+	resultChan    chan error
+	starts        map[string]int32
+	indexer       cache.Indexer
+	statusUpdates chan serviceStatus
+}
+
+var _ cache.ResourceEventHandler = &podWatcher{}
+
+func (pw *podWatcher) handlePod(obj interface{}) {
+	pod, ok := obj.(*apiv1.Pod)
+	if !ok {
+		pw.resultChan <- errors.Errorf("Pod has incorrect type in stack %s", pw.stackName)
+		return
+	}
+	serviceName := pod.Labels[labels.ForServiceName]
+	pw.updateServiceStatus(serviceName)
+	if pw.allReady() {
+		select {
+		case pw.resultChan <- nil:
+		default:
+			// result has already been reported, just don't block
+		}
+	}
+}
+
+func (pw *podWatcher) updateServiceStatus(serviceName string) {
+	pods, _ := pw.indexer.ByIndex("byservice", serviceName)
+	status := serviceStatus{name: serviceName}
+	for _, obj := range pods {
+		if pod, ok := obj.(*apiv1.Pod); ok {
+			switch pod.Status.Phase {
+			case apiv1.PodPending:
+				status.podsPending++
+			case apiv1.PodRunning:
+				status.podsRunning++
+			case apiv1.PodSucceeded:
+				status.podsSucceeded++
+			case apiv1.PodFailed:
+				status.podsFailed++
+			case apiv1.PodUnknown:
+				status.podsUnknown++
+			}
+			if podutils.IsPodReady(pod) {
+				status.podsReady++
+			}
+		}
+	}
+	status.podsTotal = len(pods)
+	oldStatus := pw.services[serviceName]
+	if oldStatus != status {
+		pw.statusUpdates <- status
+	}
+	pw.services[serviceName] = status
+}
+
+func (pw *podWatcher) allReady() bool {
+	for _, status := range pw.services {
+		if status.podsReady == 0 {
+			return false
+		}
+	}
+	return true
+}
+
+func (pw *podWatcher) OnAdd(obj interface{}) {
+	pw.handlePod(obj)
+}
+
+func (pw *podWatcher) OnUpdate(oldObj, newObj interface{}) {
+	pw.handlePod(newObj)
+}
+
+func (pw *podWatcher) OnDelete(obj interface{}) {
+	pw.handlePod(obj)
+}
+
+func (w *deployWatcher) waitForPods(ctx context.Context, stackName string, serviceNames []string, e chan error, statusUpdates chan serviceStatus) {
+	informer := newPodInformer(w.pods, stackName, cache.Indexers{
+		"byservice": func(obj interface{}) ([]string, error) {
+			pod, ok := obj.(*apiv1.Pod)
+			if !ok {
+				return nil, errors.Errorf("Pod has incorrect type in stack %s", stackName)
+			}
+			return []string{pod.Labels[labels.ForServiceName]}, nil
+		}})
+	services := map[string]serviceStatus{}
+	for _, name := range serviceNames {
+		services[name] = serviceStatus{name: name}
+	}
+	pw := &podWatcher{
+		stackName:     stackName,
+		services:      services,
+		resultChan:    e,
+		starts:        map[string]int32{},
+		indexer:       informer.GetIndexer(),
+		statusUpdates: statusUpdates,
+	}
+	informer.AddEventHandler(pw)
+	informer.Run(ctx.Done())
+}
+
+func newPodInformer(podsClient podListWatch, stackName string, indexers cache.Indexers) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+				options.LabelSelector = labels.SelectorForStack(stackName)
+				options.IncludeUninitialized = true
+				return podsClient.List(options)
+			},
+
+			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+				options.LabelSelector = labels.SelectorForStack(stackName)
+				options.IncludeUninitialized = true
+				return podsClient.Watch(options)
+			},
+		},
+		&apiv1.Pod{},
+		time.Second*5,
+		indexers,
+	)
+}
+
+func newStackInformer(stacksClient stackListWatch, stackName string) cache.SharedInformer {
+	return cache.NewSharedInformer(
+		&cache.ListWatch{
+			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+				options.LabelSelector = labels.SelectorForStack(stackName)
+				return stacksClient.List(options)
+			},
+
+			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+				options.LabelSelector = labels.SelectorForStack(stackName)
+				return stacksClient.Watch(options)
+			},
+		},
+		&apiv1beta1.Stack{},
+		time.Second*5,
+	)
+}
diff --git a/cli/cli/command/stack/kubernetes/watcher_test.go b/cli/cli/command/stack/kubernetes/watcher_test.go
new file mode 100644
index 00000000..84e51ea3
--- /dev/null
+++ b/cli/cli/command/stack/kubernetes/watcher_test.go
@@ -0,0 +1,218 @@
+package kubernetes
+
+import (
+	"testing"
+
+	apiv1beta1 "github.com/docker/cli/kubernetes/compose/v1beta1"
+	composelabels "github.com/docker/cli/kubernetes/labels"
+	"gotest.tools/assert"
+	apiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/apimachinery/pkg/watch"
+	k8stesting "k8s.io/client-go/testing"
+)
+
+var podsResource = apiv1.SchemeGroupVersion.WithResource("pods")
+var podKind = apiv1.SchemeGroupVersion.WithKind("Pod")
+var stacksResource = apiv1beta1.SchemeGroupVersion.WithResource("stacks")
+var stackKind = apiv1beta1.SchemeGroupVersion.WithKind("Stack")
+
+type testPodAndStackRepository struct {
+	fake *k8stesting.Fake
+}
+
+func (r *testPodAndStackRepository) stackListWatchForNamespace(ns string) *testStackListWatch {
+	return &testStackListWatch{fake: r.fake, ns: ns}
+}
+func (r *testPodAndStackRepository) podListWatchForNamespace(ns string) *testPodListWatch {
+	return &testPodListWatch{fake: r.fake, ns: ns}
+}
+
+func newTestPodAndStackRepository(initialPods []apiv1.Pod, initialStacks []apiv1beta1.Stack, podWatchHandler, stackWatchHandler k8stesting.WatchReactionFunc) *testPodAndStackRepository {
+	var scheme = runtime.NewScheme()
+	var codecs = serializer.NewCodecFactory(scheme)
+	metav1.AddToGroupVersion(scheme, schema.GroupVersion{Version: "v1"})
+	apiv1.AddToScheme(scheme)
+	apiv1beta1.AddToScheme(scheme)
+
+	o := k8stesting.NewObjectTracker(scheme, codecs.UniversalDecoder())
+	for _, obj := range initialPods {
+		if err := o.Add(&obj); err != nil {
+			panic(err)
+		}
+	}
+	for _, obj := range initialStacks {
+		if err := o.Add(&obj); err != nil {
+			panic(err)
+		}
+	}
+	fakePtr := &k8stesting.Fake{}
+	fakePtr.AddReactor("*", "*", k8stesting.ObjectReaction(o))
+	if podWatchHandler != nil {
+		fakePtr.AddWatchReactor(podsResource.Resource, podWatchHandler)
+	}
+	if stackWatchHandler != nil {
+		fakePtr.AddWatchReactor(stacksResource.Resource, stackWatchHandler)
+	}
+	fakePtr.AddWatchReactor("*", k8stesting.DefaultWatchReactor(watch.NewFake(), nil))
+	return &testPodAndStackRepository{fake: fakePtr}
+}
+
+type testStackListWatch struct {
+	fake *k8stesting.Fake
+	ns   string
+}
+
+func (s *testStackListWatch) List(opts metav1.ListOptions) (*apiv1beta1.StackList, error) {
+	obj, err := s.fake.Invokes(k8stesting.NewListAction(stacksResource, stackKind, s.ns, opts), &apiv1beta1.StackList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := k8stesting.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &apiv1beta1.StackList{}
+	for _, item := range obj.(*apiv1beta1.StackList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+func (s *testStackListWatch) Watch(opts metav1.ListOptions) (watch.Interface, error) {
+	return s.fake.InvokesWatch(k8stesting.NewWatchAction(stacksResource, s.ns, opts))
+}
+
+type testPodListWatch struct {
+	fake *k8stesting.Fake
+	ns   string
+}
+
+func (p *testPodListWatch) List(opts metav1.ListOptions) (*apiv1.PodList, error) {
+	obj, err := p.fake.Invokes(k8stesting.NewListAction(podsResource, podKind, p.ns, opts), &apiv1.PodList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := k8stesting.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &apiv1.PodList{}
+	for _, item := range obj.(*apiv1.PodList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+
+}
+func (p *testPodListWatch) Watch(opts metav1.ListOptions) (watch.Interface, error) {
+	return p.fake.InvokesWatch(k8stesting.NewWatchAction(podsResource, p.ns, opts))
+}
+
+func TestDeployWatchOk(t *testing.T) {
+	stack := apiv1beta1.Stack{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-stack", Namespace: "test-ns"},
+	}
+
+	serviceNames := []string{"svc1", "svc2"}
+	testRepo := newTestPodAndStackRepository(nil, []apiv1beta1.Stack{stack}, func(action k8stesting.Action) (handled bool, ret watch.Interface, err error) {
+		res := watch.NewFake()
+		go func() {
+			pod1 := &apiv1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test1",
+					Namespace: "test-ns",
+					Labels:    composelabels.ForService("test-stack", "svc1"),
+				},
+				Status: apiv1.PodStatus{
+					Phase: apiv1.PodRunning,
+					Conditions: []apiv1.PodCondition{
+						{
+							Type:   apiv1.PodReady,
+							Status: apiv1.ConditionTrue,
+						},
+					},
+				},
+			}
+			pod2 := &apiv1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test2",
+					Namespace: "test-ns",
+					Labels:    composelabels.ForService("test-stack", "svc2"),
+				},
+				Status: apiv1.PodStatus{
+					Phase: apiv1.PodRunning,
+					Conditions: []apiv1.PodCondition{
+						{
+							Type:   apiv1.PodReady,
+							Status: apiv1.ConditionTrue,
+						},
+					},
+				},
+			}
+			res.Add(pod1)
+			res.Add(pod2)
+		}()
+
+		return true, res, nil
+	}, nil)
+
+	testee := &deployWatcher{
+		stacks: testRepo.stackListWatchForNamespace("test-ns"),
+		pods:   testRepo.podListWatchForNamespace("test-ns"),
+	}
+
+	statusUpdates := make(chan serviceStatus)
+	go func() {
+		for range statusUpdates {
+		}
+	}()
+	defer close(statusUpdates)
+	err := testee.Watch(stack.Name, serviceNames, statusUpdates)
+	assert.NilError(t, err)
+}
+
+func TestDeployReconcileFailure(t *testing.T) {
+	stack := apiv1beta1.Stack{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-stack", Namespace: "test-ns"},
+	}
+
+	serviceNames := []string{"svc1", "svc2"}
+	testRepo := newTestPodAndStackRepository(nil, []apiv1beta1.Stack{stack}, nil, func(action k8stesting.Action) (handled bool, ret watch.Interface, err error) {
+		res := watch.NewFake()
+		go func() {
+			sfailed := stack
+			sfailed.Status = apiv1beta1.StackStatus{
+				Phase:   apiv1beta1.StackFailure,
+				Message: "test error",
+			}
+			res.Modify(&sfailed)
+		}()
+
+		return true, res, nil
+	})
+
+	testee := &deployWatcher{
+		stacks: testRepo.stackListWatchForNamespace("test-ns"),
+		pods:   testRepo.podListWatchForNamespace("test-ns"),
+	}
+
+	statusUpdates := make(chan serviceStatus)
+	go func() {
+		for range statusUpdates {
+		}
+	}()
+	defer close(statusUpdates)
+	err := testee.Watch(stack.Name, serviceNames, statusUpdates)
+	assert.ErrorContains(t, err, "Failure: test error")
+}
diff --git a/cli/cli/command/stack/list.go b/cli/cli/command/stack/list.go
new file mode 100644
index 00000000..a0aa3d1c
--- /dev/null
+++ b/cli/cli/command/stack/list.go
@@ -0,0 +1,79 @@
+package stack
+
+import (
+	"sort"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/cli/command/stack/kubernetes"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/command/stack/swarm"
+	"github.com/spf13/cobra"
+	"vbom.ml/util/sortorder"
+)
+
+func newListCommand(dockerCli command.Cli, common *commonOptions) *cobra.Command {
+	opts := options.List{}
+
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS]",
+		Aliases: []string{"list"},
+		Short:   "List stacks",
+		Args:    cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runList(cmd, dockerCli, opts, common.orchestrator)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&opts.Format, "format", "", "Pretty-print stacks using a Go template")
+	flags.StringSliceVar(&opts.Namespaces, "namespace", []string{}, "Kubernetes namespaces to use")
+	flags.SetAnnotation("namespace", "kubernetes", nil)
+	flags.BoolVarP(&opts.AllNamespaces, "all-namespaces", "", false, "List stacks from all Kubernetes namespaces")
+	flags.SetAnnotation("all-namespaces", "kubernetes", nil)
+	return cmd
+}
+
+func runList(cmd *cobra.Command, dockerCli command.Cli, opts options.List, orchestrator command.Orchestrator) error {
+	stacks := []*formatter.Stack{}
+	if orchestrator.HasSwarm() {
+		ss, err := swarm.GetStacks(dockerCli)
+		if err != nil {
+			return err
+		}
+		stacks = append(stacks, ss...)
+	}
+	if orchestrator.HasKubernetes() {
+		kubeCli, err := kubernetes.WrapCli(dockerCli, kubernetes.NewOptions(cmd.Flags(), orchestrator))
+		if err != nil {
+			return err
+		}
+		ss, err := kubernetes.GetStacks(kubeCli, opts)
+		if err != nil {
+			return err
+		}
+		stacks = append(stacks, ss...)
+	}
+	return format(dockerCli, opts, orchestrator, stacks)
+}
+
+func format(dockerCli command.Cli, opts options.List, orchestrator command.Orchestrator, stacks []*formatter.Stack) error {
+	format := opts.Format
+	if format == "" || format == formatter.TableFormatKey {
+		format = formatter.SwarmStackTableFormat
+		if orchestrator.HasKubernetes() {
+			format = formatter.KubernetesStackTableFormat
+		}
+	}
+	stackCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.Format(format),
+	}
+	sort.Slice(stacks, func(i, j int) bool {
+		return sortorder.NaturalLess(stacks[i].Name, stacks[j].Name) ||
+			!sortorder.NaturalLess(stacks[j].Name, stacks[i].Name) &&
+				sortorder.NaturalLess(stacks[j].Namespace, stacks[i].Namespace)
+	})
+	return formatter.StackWrite(stackCtx, stacks)
+}
diff --git a/cli/cli/command/stack/list_test.go b/cli/cli/command/stack/list_test.go
new file mode 100644
index 00000000..e646fdbe
--- /dev/null
+++ b/cli/cli/command/stack/list_test.go
@@ -0,0 +1,152 @@
+package stack
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+var (
+	orchestrator = commonOptions{orchestrator: command.OrchestratorSwarm}
+)
+
+func TestListErrors(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		flags           map[string]string
+		serviceListFunc func(options types.ServiceListOptions) ([]swarm.Service, error)
+		expectedError   string
+	}{
+		{
+			args:          []string{"foo"},
+			expectedError: "accepts no argument",
+		},
+		{
+			flags: map[string]string{
+				"format": "{{invalid format}}",
+			},
+			expectedError: "Template parsing error",
+		},
+		{
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{}, errors.Errorf("error getting services")
+			},
+			expectedError: "error getting services",
+		},
+		{
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{*Service()}, nil
+			},
+			expectedError: "cannot get label",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newListCommand(test.NewFakeCli(&fakeClient{
+			serviceListFunc: tc.serviceListFunc,
+		}), &orchestrator)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestListWithFormat(t *testing.T) {
+	cli := test.NewFakeCli(
+		&fakeClient{
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{
+					*Service(
+						ServiceLabels(map[string]string{
+							"com.docker.stack.namespace": "service-name-foo",
+						}),
+					)}, nil
+			},
+		})
+	cmd := newListCommand(cli, &orchestrator)
+	cmd.Flags().Set("format", "{{ .Name }}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-list-with-format.golden")
+}
+
+func TestListWithoutFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				*Service(
+					ServiceLabels(map[string]string{
+						"com.docker.stack.namespace": "service-name-foo",
+					}),
+				)}, nil
+		},
+	})
+	cmd := newListCommand(cli, &orchestrator)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-list-without-format.golden")
+}
+
+func TestListOrder(t *testing.T) {
+	usecases := []struct {
+		golden        string
+		swarmServices []swarm.Service
+	}{
+		{
+			golden: "stack-list-sort.golden",
+			swarmServices: []swarm.Service{
+				*Service(
+					ServiceLabels(map[string]string{
+						"com.docker.stack.namespace": "service-name-foo",
+					}),
+				),
+				*Service(
+					ServiceLabels(map[string]string{
+						"com.docker.stack.namespace": "service-name-bar",
+					}),
+				),
+			},
+		},
+		{
+			golden: "stack-list-sort-natural.golden",
+			swarmServices: []swarm.Service{
+				*Service(
+					ServiceLabels(map[string]string{
+						"com.docker.stack.namespace": "service-name-1-foo",
+					}),
+				),
+				*Service(
+					ServiceLabels(map[string]string{
+						"com.docker.stack.namespace": "service-name-10-foo",
+					}),
+				),
+				*Service(
+					ServiceLabels(map[string]string{
+						"com.docker.stack.namespace": "service-name-2-foo",
+					}),
+				),
+			},
+		},
+	}
+
+	for _, uc := range usecases {
+		cli := test.NewFakeCli(&fakeClient{
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return uc.swarmServices, nil
+			},
+		})
+		cmd := newListCommand(cli, &orchestrator)
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), uc.golden)
+	}
+}
diff --git a/cli/cli/command/stack/loader/loader.go b/cli/cli/command/stack/loader/loader.go
new file mode 100644
index 00000000..b4790945
--- /dev/null
+++ b/cli/cli/command/stack/loader/loader.go
@@ -0,0 +1,152 @@
+package loader
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/compose/loader"
+	"github.com/docker/cli/cli/compose/schema"
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/pkg/errors"
+)
+
+// LoadComposefile parse the composefile specified in the cli and returns its Config and version.
+func LoadComposefile(dockerCli command.Cli, opts options.Deploy) (*composetypes.Config, error) {
+	configDetails, err := getConfigDetails(opts.Composefiles, dockerCli.In())
+	if err != nil {
+		return nil, err
+	}
+
+	dicts := getDictsFrom(configDetails.ConfigFiles)
+	config, err := loader.Load(configDetails)
+	if err != nil {
+		if fpe, ok := err.(*loader.ForbiddenPropertiesError); ok {
+			return nil, errors.Errorf("Compose file contains unsupported options:\n\n%s\n",
+				propertyWarnings(fpe.Properties))
+		}
+
+		return nil, err
+	}
+
+	unsupportedProperties := loader.GetUnsupportedProperties(dicts...)
+	if len(unsupportedProperties) > 0 {
+		fmt.Fprintf(dockerCli.Err(), "Ignoring unsupported options: %s\n\n",
+			strings.Join(unsupportedProperties, ", "))
+	}
+
+	deprecatedProperties := loader.GetDeprecatedProperties(dicts...)
+	if len(deprecatedProperties) > 0 {
+		fmt.Fprintf(dockerCli.Err(), "Ignoring deprecated options:\n\n%s\n\n",
+			propertyWarnings(deprecatedProperties))
+	}
+	return config, nil
+}
+
+func getDictsFrom(configFiles []composetypes.ConfigFile) []map[string]interface{} {
+	dicts := []map[string]interface{}{}
+
+	for _, configFile := range configFiles {
+		dicts = append(dicts, configFile.Config)
+	}
+
+	return dicts
+}
+
+func propertyWarnings(properties map[string]string) string {
+	var msgs []string
+	for name, description := range properties {
+		msgs = append(msgs, fmt.Sprintf("%s: %s", name, description))
+	}
+	sort.Strings(msgs)
+	return strings.Join(msgs, "\n\n")
+}
+
+func getConfigDetails(composefiles []string, stdin io.Reader) (composetypes.ConfigDetails, error) {
+	var details composetypes.ConfigDetails
+
+	if len(composefiles) == 0 {
+		return details, errors.New("no composefile(s)")
+	}
+
+	if composefiles[0] == "-" && len(composefiles) == 1 {
+		workingDir, err := os.Getwd()
+		if err != nil {
+			return details, err
+		}
+		details.WorkingDir = workingDir
+	} else {
+		absPath, err := filepath.Abs(composefiles[0])
+		if err != nil {
+			return details, err
+		}
+		details.WorkingDir = filepath.Dir(absPath)
+	}
+
+	var err error
+	details.ConfigFiles, err = loadConfigFiles(composefiles, stdin)
+	if err != nil {
+		return details, err
+	}
+	// Take the first file version (2 files can't have different version)
+	details.Version = schema.Version(details.ConfigFiles[0].Config)
+	details.Environment, err = buildEnvironment(os.Environ())
+	return details, err
+}
+
+func buildEnvironment(env []string) (map[string]string, error) {
+	result := make(map[string]string, len(env))
+	for _, s := range env {
+		// if value is empty, s is like "K=", not "K".
+		if !strings.Contains(s, "=") {
+			return result, errors.Errorf("unexpected environment %q", s)
+		}
+		kv := strings.SplitN(s, "=", 2)
+		result[kv[0]] = kv[1]
+	}
+	return result, nil
+}
+
+func loadConfigFiles(filenames []string, stdin io.Reader) ([]composetypes.ConfigFile, error) {
+	var configFiles []composetypes.ConfigFile
+
+	for _, filename := range filenames {
+		configFile, err := loadConfigFile(filename, stdin)
+		if err != nil {
+			return configFiles, err
+		}
+		configFiles = append(configFiles, *configFile)
+	}
+
+	return configFiles, nil
+}
+
+func loadConfigFile(filename string, stdin io.Reader) (*composetypes.ConfigFile, error) {
+	var bytes []byte
+	var err error
+
+	if filename == "-" {
+		bytes, err = ioutil.ReadAll(stdin)
+	} else {
+		bytes, err = ioutil.ReadFile(filename)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	config, err := loader.ParseYAML(bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	return &composetypes.ConfigFile{
+		Filename: filename,
+		Config:   config,
+	}, nil
+}
diff --git a/cli/cli/command/stack/loader/loader_test.go b/cli/cli/command/stack/loader/loader_test.go
new file mode 100644
index 00000000..de524cc5
--- /dev/null
+++ b/cli/cli/command/stack/loader/loader_test.go
@@ -0,0 +1,47 @@
+package loader
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+func TestGetConfigDetails(t *testing.T) {
+	content := `
+version: "3.0"
+services:
+  foo:
+    image: alpine:3.5
+`
+	file := fs.NewFile(t, "test-get-config-details", fs.WithContent(content))
+	defer file.Remove()
+
+	details, err := getConfigDetails([]string{file.Path()}, nil)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(filepath.Dir(file.Path()), details.WorkingDir))
+	assert.Assert(t, is.Len(details.ConfigFiles, 1))
+	assert.Check(t, is.Equal("3.0", details.ConfigFiles[0].Config["version"]))
+	assert.Check(t, is.Len(details.Environment, len(os.Environ())))
+}
+
+func TestGetConfigDetailsStdin(t *testing.T) {
+	content := `
+version: "3.0"
+services:
+  foo:
+    image: alpine:3.5
+`
+	details, err := getConfigDetails([]string{"-"}, strings.NewReader(content))
+	assert.NilError(t, err)
+	cwd, err := os.Getwd()
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(cwd, details.WorkingDir))
+	assert.Assert(t, is.Len(details.ConfigFiles, 1))
+	assert.Check(t, is.Equal("3.0", details.ConfigFiles[0].Config["version"]))
+	assert.Check(t, is.Len(details.Environment, len(os.Environ())))
+}
diff --git a/cli/cli/command/stack/options/opts.go b/cli/cli/command/stack/options/opts.go
new file mode 100644
index 00000000..afcecd99
--- /dev/null
+++ b/cli/cli/command/stack/options/opts.go
@@ -0,0 +1,43 @@
+package options
+
+import "github.com/docker/cli/opts"
+
+// Deploy holds docker stack deploy options
+type Deploy struct {
+	Bundlefile       string
+	Composefiles     []string
+	Namespace        string
+	ResolveImage     string
+	SendRegistryAuth bool
+	Prune            bool
+}
+
+// List holds docker stack ls options
+type List struct {
+	Format        string
+	AllNamespaces bool
+	Namespaces    []string
+}
+
+// PS holds docker stack ps options
+type PS struct {
+	Filter    opts.FilterOpt
+	NoTrunc   bool
+	Namespace string
+	NoResolve bool
+	Quiet     bool
+	Format    string
+}
+
+// Remove holds docker stack remove options
+type Remove struct {
+	Namespaces []string
+}
+
+// Services holds docker stack services options
+type Services struct {
+	Quiet     bool
+	Format    string
+	Filter    opts.FilterOpt
+	Namespace string
+}
diff --git a/cli/cli/command/stack/ps.go b/cli/cli/command/stack/ps.go
new file mode 100644
index 00000000..4d621535
--- /dev/null
+++ b/cli/cli/command/stack/ps.go
@@ -0,0 +1,48 @@
+package stack
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/stack/kubernetes"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/command/stack/swarm"
+	cliopts "github.com/docker/cli/opts"
+	"github.com/spf13/cobra"
+)
+
+func newPsCommand(dockerCli command.Cli, common *commonOptions) *cobra.Command {
+	opts := options.PS{Filter: cliopts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "ps [OPTIONS] STACK",
+		Short: "List the tasks in the stack",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.Namespace = args[0]
+			if err := validateStackName(opts.Namespace); err != nil {
+				return err
+			}
+
+			switch {
+			case common.orchestrator.HasAll():
+				return errUnsupportedAllOrchestrator
+			case common.orchestrator.HasKubernetes():
+				kli, err := kubernetes.WrapCli(dockerCli, kubernetes.NewOptions(cmd.Flags(), common.orchestrator))
+				if err != nil {
+					return err
+				}
+				return kubernetes.RunPS(kli, opts)
+			default:
+				return swarm.RunPS(dockerCli, opts)
+			}
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.NoTrunc, "no-trunc", false, "Do not truncate output")
+	flags.BoolVar(&opts.NoResolve, "no-resolve", false, "Do not map IDs to Names")
+	flags.VarP(&opts.Filter, "filter", "f", "Filter output based on conditions provided")
+	flags.BoolVarP(&opts.Quiet, "quiet", "q", false, "Only display task IDs")
+	flags.StringVar(&opts.Format, "format", "", "Pretty-print tasks using a Go template")
+	kubernetes.AddNamespaceFlag(flags)
+	return cmd
+}
diff --git a/cli/cli/command/stack/ps_test.go b/cli/cli/command/stack/ps_test.go
new file mode 100644
index 00000000..39dd3c85
--- /dev/null
+++ b/cli/cli/command/stack/ps_test.go
@@ -0,0 +1,171 @@
+package stack
+
+import (
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestStackPsErrors(t *testing.T) {
+	testCases := []struct {
+		args          []string
+		taskListFunc  func(options types.TaskListOptions) ([]swarm.Task, error)
+		expectedError string
+	}{
+
+		{
+			args:          []string{},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args:          []string{"foo", "bar"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			args: []string{"foo"},
+			taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+				return nil, errors.Errorf("error getting tasks")
+			},
+			expectedError: "error getting tasks",
+		},
+	}
+
+	for _, tc := range testCases {
+		cmd := newPsCommand(test.NewFakeCli(&fakeClient{
+			taskListFunc: tc.taskListFunc,
+		}), &orchestrator)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestRunPSWithEmptyName(t *testing.T) {
+	cmd := newPsCommand(test.NewFakeCli(&fakeClient{}), &orchestrator)
+	cmd.SetArgs([]string{"'   '"})
+	cmd.SetOutput(ioutil.Discard)
+
+	assert.ErrorContains(t, cmd.Execute(), `invalid stack name: "'   '"`)
+}
+
+func TestStackPsEmptyStack(t *testing.T) {
+	fakeCli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{}, nil
+		},
+	})
+	cmd := newPsCommand(fakeCli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	cmd.SetOutput(ioutil.Discard)
+
+	assert.Error(t, cmd.Execute(), "nothing found in stack: foo")
+	assert.Check(t, is.Equal("", fakeCli.OutBuffer().String()))
+}
+
+func TestStackPsWithQuietOption(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(TaskID("id-foo"))}, nil
+		},
+	})
+	cmd := newPsCommand(cli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	cmd.Flags().Set("quiet", "true")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-ps-with-quiet-option.golden")
+
+}
+
+func TestStackPsWithNoTruncOption(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(TaskID("xn4cypcov06f2w8gsbaf2lst3"))}, nil
+		},
+	})
+	cmd := newPsCommand(cli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	cmd.Flags().Set("no-trunc", "true")
+	cmd.Flags().Set("format", "{{ .ID }}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-ps-with-no-trunc-option.golden")
+}
+
+func TestStackPsWithNoResolveOption(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(
+				TaskNodeID("id-node-foo"),
+			)}, nil
+		},
+		nodeInspectWithRaw: func(ref string) (swarm.Node, []byte, error) {
+			return *Node(NodeName("node-name-bar")), nil, nil
+		},
+	})
+	cmd := newPsCommand(cli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	cmd.Flags().Set("no-resolve", "true")
+	cmd.Flags().Set("format", "{{ .Node }}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-ps-with-no-resolve-option.golden")
+}
+
+func TestStackPsWithFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(TaskServiceID("service-id-foo"))}, nil
+		},
+	})
+	cmd := newPsCommand(cli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	cmd.Flags().Set("format", "{{ .Name }}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-ps-with-format.golden")
+}
+
+func TestStackPsWithConfigFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(TaskServiceID("service-id-foo"))}, nil
+		},
+	})
+	cli.SetConfigFile(&configfile.ConfigFile{
+		TasksFormat: "{{ .Name }}",
+	})
+	cmd := newPsCommand(cli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-ps-with-config-format.golden")
+}
+
+func TestStackPsWithoutFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+			return []swarm.Task{*Task(
+				TaskID("id-foo"),
+				TaskServiceID("service-id-foo"),
+				TaskNodeID("id-node"),
+				WithTaskSpec(TaskImage("myimage:mytag")),
+				TaskDesiredState(swarm.TaskStateReady),
+				WithStatus(TaskState(swarm.TaskStateFailed), Timestamp(time.Now().Add(-2*time.Hour))),
+			)}, nil
+		},
+		nodeInspectWithRaw: func(ref string) (swarm.Node, []byte, error) {
+			return *Node(NodeName("node-name-bar")), nil, nil
+		},
+	})
+	cmd := newPsCommand(cli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-ps-without-format.golden")
+}
diff --git a/cli/cli/command/stack/remove.go b/cli/cli/command/stack/remove.go
new file mode 100644
index 00000000..737713e4
--- /dev/null
+++ b/cli/cli/command/stack/remove.go
@@ -0,0 +1,43 @@
+package stack
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/stack/kubernetes"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/command/stack/swarm"
+	"github.com/spf13/cobra"
+)
+
+func newRemoveCommand(dockerCli command.Cli, common *commonOptions) *cobra.Command {
+	var opts options.Remove
+
+	cmd := &cobra.Command{
+		Use:     "rm [OPTIONS] STACK [STACK...]",
+		Aliases: []string{"remove", "down"},
+		Short:   "Remove one or more stacks",
+		Args:    cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.Namespaces = args
+			if err := validateStackNames(opts.Namespaces); err != nil {
+				return err
+			}
+
+			switch {
+			case common.orchestrator.HasAll():
+				return errUnsupportedAllOrchestrator
+			case common.orchestrator.HasKubernetes():
+				kli, err := kubernetes.WrapCli(dockerCli, kubernetes.NewOptions(cmd.Flags(), common.orchestrator))
+				if err != nil {
+					return err
+				}
+				return kubernetes.RunRemove(kli, opts)
+			default:
+				return swarm.RunRemove(dockerCli, opts)
+			}
+		},
+	}
+	flags := cmd.Flags()
+	kubernetes.AddNamespaceFlag(flags)
+	return cmd
+}
diff --git a/cli/cli/command/stack/remove_test.go b/cli/cli/command/stack/remove_test.go
new file mode 100644
index 00000000..c7032d84
--- /dev/null
+++ b/cli/cli/command/stack/remove_test.go
@@ -0,0 +1,166 @@
+package stack
+
+import (
+	"errors"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func fakeClientForRemoveStackTest(version string) *fakeClient {
+	allServices := []string{
+		objectName("foo", "service1"),
+		objectName("foo", "service2"),
+		objectName("bar", "service1"),
+		objectName("bar", "service2"),
+	}
+	allNetworks := []string{
+		objectName("foo", "network1"),
+		objectName("bar", "network1"),
+	}
+	allSecrets := []string{
+		objectName("foo", "secret1"),
+		objectName("foo", "secret2"),
+		objectName("bar", "secret1"),
+	}
+	allConfigs := []string{
+		objectName("foo", "config1"),
+		objectName("foo", "config2"),
+		objectName("bar", "config1"),
+	}
+	return &fakeClient{
+		version:  version,
+		services: allServices,
+		networks: allNetworks,
+		secrets:  allSecrets,
+		configs:  allConfigs,
+	}
+}
+
+func TestRemoveWithEmptyName(t *testing.T) {
+	cmd := newRemoveCommand(test.NewFakeCli(&fakeClient{}), &orchestrator)
+	cmd.SetArgs([]string{"good", "'   '", "alsogood"})
+	cmd.SetOutput(ioutil.Discard)
+
+	assert.ErrorContains(t, cmd.Execute(), `invalid stack name: "'   '"`)
+}
+
+func TestRemoveStackVersion124DoesNotRemoveConfigsOrSecrets(t *testing.T) {
+	client := fakeClientForRemoveStackTest("1.24")
+	cmd := newRemoveCommand(test.NewFakeCli(client), &orchestrator)
+	cmd.SetArgs([]string{"foo", "bar"})
+
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.DeepEqual(buildObjectIDs(client.services), client.removedServices))
+	assert.Check(t, is.DeepEqual(buildObjectIDs(client.networks), client.removedNetworks))
+	assert.Check(t, is.Len(client.removedSecrets, 0))
+	assert.Check(t, is.Len(client.removedConfigs, 0))
+}
+
+func TestRemoveStackVersion125DoesNotRemoveConfigs(t *testing.T) {
+	client := fakeClientForRemoveStackTest("1.25")
+	cmd := newRemoveCommand(test.NewFakeCli(client), &orchestrator)
+	cmd.SetArgs([]string{"foo", "bar"})
+
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.DeepEqual(buildObjectIDs(client.services), client.removedServices))
+	assert.Check(t, is.DeepEqual(buildObjectIDs(client.networks), client.removedNetworks))
+	assert.Check(t, is.DeepEqual(buildObjectIDs(client.secrets), client.removedSecrets))
+	assert.Check(t, is.Len(client.removedConfigs, 0))
+}
+
+func TestRemoveStackVersion130RemovesEverything(t *testing.T) {
+	client := fakeClientForRemoveStackTest("1.30")
+	cmd := newRemoveCommand(test.NewFakeCli(client), &orchestrator)
+	cmd.SetArgs([]string{"foo", "bar"})
+
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.DeepEqual(buildObjectIDs(client.services), client.removedServices))
+	assert.Check(t, is.DeepEqual(buildObjectIDs(client.networks), client.removedNetworks))
+	assert.Check(t, is.DeepEqual(buildObjectIDs(client.secrets), client.removedSecrets))
+	assert.Check(t, is.DeepEqual(buildObjectIDs(client.configs), client.removedConfigs))
+}
+
+func TestRemoveStackSkipEmpty(t *testing.T) {
+	allServices := []string{objectName("bar", "service1"), objectName("bar", "service2")}
+	allServiceIDs := buildObjectIDs(allServices)
+
+	allNetworks := []string{objectName("bar", "network1")}
+	allNetworkIDs := buildObjectIDs(allNetworks)
+
+	allSecrets := []string{objectName("bar", "secret1")}
+	allSecretIDs := buildObjectIDs(allSecrets)
+
+	allConfigs := []string{objectName("bar", "config1")}
+	allConfigIDs := buildObjectIDs(allConfigs)
+
+	fakeClient := &fakeClient{
+		version:  "1.30",
+		services: allServices,
+		networks: allNetworks,
+		secrets:  allSecrets,
+		configs:  allConfigs,
+	}
+	fakeCli := test.NewFakeCli(fakeClient)
+	cmd := newRemoveCommand(fakeCli, &orchestrator)
+	cmd.SetArgs([]string{"foo", "bar"})
+
+	assert.NilError(t, cmd.Execute())
+	expectedList := []string{"Removing service bar_service1",
+		"Removing service bar_service2",
+		"Removing secret bar_secret1",
+		"Removing config bar_config1",
+		"Removing network bar_network1\n",
+	}
+	assert.Check(t, is.Equal(strings.Join(expectedList, "\n"), fakeCli.OutBuffer().String()))
+	assert.Check(t, is.Contains(fakeCli.ErrBuffer().String(), "Nothing found in stack: foo\n"))
+	assert.Check(t, is.DeepEqual(allServiceIDs, fakeClient.removedServices))
+	assert.Check(t, is.DeepEqual(allNetworkIDs, fakeClient.removedNetworks))
+	assert.Check(t, is.DeepEqual(allSecretIDs, fakeClient.removedSecrets))
+	assert.Check(t, is.DeepEqual(allConfigIDs, fakeClient.removedConfigs))
+}
+
+func TestRemoveContinueAfterError(t *testing.T) {
+	allServices := []string{objectName("foo", "service1"), objectName("bar", "service1")}
+	allServiceIDs := buildObjectIDs(allServices)
+
+	allNetworks := []string{objectName("foo", "network1"), objectName("bar", "network1")}
+	allNetworkIDs := buildObjectIDs(allNetworks)
+
+	allSecrets := []string{objectName("foo", "secret1"), objectName("bar", "secret1")}
+	allSecretIDs := buildObjectIDs(allSecrets)
+
+	allConfigs := []string{objectName("foo", "config1"), objectName("bar", "config1")}
+	allConfigIDs := buildObjectIDs(allConfigs)
+
+	removedServices := []string{}
+	cli := &fakeClient{
+		version:  "1.30",
+		services: allServices,
+		networks: allNetworks,
+		secrets:  allSecrets,
+		configs:  allConfigs,
+
+		serviceRemoveFunc: func(serviceID string) error {
+			removedServices = append(removedServices, serviceID)
+
+			if strings.Contains(serviceID, "foo") {
+				return errors.New("")
+			}
+			return nil
+		},
+	}
+	cmd := newRemoveCommand(test.NewFakeCli(cli), &orchestrator)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"foo", "bar"})
+
+	assert.Error(t, cmd.Execute(), "Failed to remove some resources from stack: foo")
+	assert.Check(t, is.DeepEqual(allServiceIDs, removedServices))
+	assert.Check(t, is.DeepEqual(allNetworkIDs, cli.removedNetworks))
+	assert.Check(t, is.DeepEqual(allSecretIDs, cli.removedSecrets))
+	assert.Check(t, is.DeepEqual(allConfigIDs, cli.removedConfigs))
+}
diff --git a/cli/cli/command/stack/services.go b/cli/cli/command/stack/services.go
new file mode 100644
index 00000000..ca6d42c2
--- /dev/null
+++ b/cli/cli/command/stack/services.go
@@ -0,0 +1,46 @@
+package stack
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/stack/kubernetes"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/command/stack/swarm"
+	cliopts "github.com/docker/cli/opts"
+	"github.com/spf13/cobra"
+)
+
+func newServicesCommand(dockerCli command.Cli, common *commonOptions) *cobra.Command {
+	opts := options.Services{Filter: cliopts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "services [OPTIONS] STACK",
+		Short: "List the services in the stack",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.Namespace = args[0]
+			if err := validateStackName(opts.Namespace); err != nil {
+				return err
+			}
+
+			switch {
+			case common.orchestrator.HasAll():
+				return errUnsupportedAllOrchestrator
+			case common.orchestrator.HasKubernetes():
+				kli, err := kubernetes.WrapCli(dockerCli, kubernetes.NewOptions(cmd.Flags(), common.orchestrator))
+				if err != nil {
+					return err
+				}
+				return kubernetes.RunServices(kli, opts)
+			default:
+				return swarm.RunServices(dockerCli, opts)
+			}
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.Quiet, "quiet", "q", false, "Only display IDs")
+	flags.StringVar(&opts.Format, "format", "", "Pretty-print services using a Go template")
+	flags.VarP(&opts.Filter, "filter", "f", "Filter output based on conditions provided")
+	kubernetes.AddNamespaceFlag(flags)
+	return cmd
+}
diff --git a/cli/cli/command/stack/services_test.go b/cli/cli/command/stack/services_test.go
new file mode 100644
index 00000000..64a58b99
--- /dev/null
+++ b/cli/cli/command/stack/services_test.go
@@ -0,0 +1,170 @@
+package stack
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+func TestStackServicesErrors(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		flags           map[string]string
+		serviceListFunc func(options types.ServiceListOptions) ([]swarm.Service, error)
+		nodeListFunc    func(options types.NodeListOptions) ([]swarm.Node, error)
+		taskListFunc    func(options types.TaskListOptions) ([]swarm.Task, error)
+		expectedError   string
+	}{
+		{
+			args: []string{"foo"},
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return nil, errors.Errorf("error getting services")
+			},
+			expectedError: "error getting services",
+		},
+		{
+			args: []string{"foo"},
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{*Service()}, nil
+			},
+			nodeListFunc: func(options types.NodeListOptions) ([]swarm.Node, error) {
+				return nil, errors.Errorf("error getting nodes")
+			},
+			expectedError: "error getting nodes",
+		},
+		{
+			args: []string{"foo"},
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{*Service()}, nil
+			},
+			taskListFunc: func(options types.TaskListOptions) ([]swarm.Task, error) {
+				return nil, errors.Errorf("error getting tasks")
+			},
+			expectedError: "error getting tasks",
+		},
+		{
+			args: []string{"foo"},
+			flags: map[string]string{
+				"format": "{{invalid format}}",
+			},
+			serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+				return []swarm.Service{*Service()}, nil
+			},
+			expectedError: "Template parsing error",
+		},
+	}
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			serviceListFunc: tc.serviceListFunc,
+			nodeListFunc:    tc.nodeListFunc,
+			taskListFunc:    tc.taskListFunc,
+		})
+		cmd := newServicesCommand(cli, &orchestrator)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestRunServicesWithEmptyName(t *testing.T) {
+	cmd := newServicesCommand(test.NewFakeCli(&fakeClient{}), &orchestrator)
+	cmd.SetArgs([]string{"'   '"})
+	cmd.SetOutput(ioutil.Discard)
+
+	assert.ErrorContains(t, cmd.Execute(), `invalid stack name: "'   '"`)
+}
+
+func TestStackServicesEmptyServiceList(t *testing.T) {
+	fakeCli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{}, nil
+		},
+	})
+	cmd := newServicesCommand(fakeCli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("", fakeCli.OutBuffer().String()))
+	assert.Check(t, is.Equal("Nothing found in stack: foo\n", fakeCli.ErrBuffer().String()))
+}
+
+func TestStackServicesWithQuietOption(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{*Service(ServiceID("id-foo"))}, nil
+		},
+	})
+	cmd := newServicesCommand(cli, &orchestrator)
+	cmd.Flags().Set("quiet", "true")
+	cmd.SetArgs([]string{"foo"})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-services-with-quiet-option.golden")
+}
+
+func TestStackServicesWithFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				*Service(ServiceName("service-name-foo")),
+			}, nil
+		},
+	})
+	cmd := newServicesCommand(cli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	cmd.Flags().Set("format", "{{ .Name }}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-services-with-format.golden")
+}
+
+func TestStackServicesWithConfigFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				*Service(ServiceName("service-name-foo")),
+			}, nil
+		},
+	})
+	cli.SetConfigFile(&configfile.ConfigFile{
+		ServicesFormat: "{{ .Name }}",
+	})
+	cmd := newServicesCommand(cli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-services-with-config-format.golden")
+}
+
+func TestStackServicesWithoutFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{*Service(
+				ServiceName("name-foo"),
+				ServiceID("id-foo"),
+				ReplicatedService(2),
+				ServiceImage("busybox:latest"),
+				ServicePort(swarm.PortConfig{
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+					PublishedPort: 0,
+					TargetPort:    3232,
+					Protocol:      swarm.PortConfigProtocolTCP,
+				}),
+			)}, nil
+		},
+	})
+	cmd := newServicesCommand(cli, &orchestrator)
+	cmd.SetArgs([]string{"foo"})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "stack-services-without-format.golden")
+}
diff --git a/cli/cli/command/stack/swarm/client_test.go b/cli/cli/command/stack/swarm/client_test.go
new file mode 100644
index 00000000..7f9375e9
--- /dev/null
+++ b/cli/cli/command/stack/swarm/client_test.go
@@ -0,0 +1,239 @@
+package swarm
+
+import (
+	"context"
+	"strings"
+
+	"github.com/docker/cli/cli/compose/convert"
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+
+	version string
+
+	services []string
+	networks []string
+	secrets  []string
+	configs  []string
+
+	removedServices []string
+	removedNetworks []string
+	removedSecrets  []string
+	removedConfigs  []string
+
+	serviceListFunc    func(options types.ServiceListOptions) ([]swarm.Service, error)
+	networkListFunc    func(options types.NetworkListOptions) ([]types.NetworkResource, error)
+	secretListFunc     func(options types.SecretListOptions) ([]swarm.Secret, error)
+	configListFunc     func(options types.ConfigListOptions) ([]swarm.Config, error)
+	nodeListFunc       func(options types.NodeListOptions) ([]swarm.Node, error)
+	taskListFunc       func(options types.TaskListOptions) ([]swarm.Task, error)
+	nodeInspectWithRaw func(ref string) (swarm.Node, []byte, error)
+
+	serviceUpdateFunc func(serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error)
+
+	serviceRemoveFunc func(serviceID string) error
+	networkRemoveFunc func(networkID string) error
+	secretRemoveFunc  func(secretID string) error
+	configRemoveFunc  func(configID string) error
+}
+
+func (cli *fakeClient) ServerVersion(ctx context.Context) (types.Version, error) {
+	return types.Version{
+		Version:    "docker-dev",
+		APIVersion: api.DefaultVersion,
+	}, nil
+}
+
+func (cli *fakeClient) ClientVersion() string {
+	return cli.version
+}
+
+func (cli *fakeClient) ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+	if cli.serviceListFunc != nil {
+		return cli.serviceListFunc(options)
+	}
+
+	namespace := namespaceFromFilters(options.Filters)
+	servicesList := []swarm.Service{}
+	for _, name := range cli.services {
+		if belongToNamespace(name, namespace) {
+			servicesList = append(servicesList, serviceFromName(name))
+		}
+	}
+	return servicesList, nil
+}
+
+func (cli *fakeClient) NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+	if cli.networkListFunc != nil {
+		return cli.networkListFunc(options)
+	}
+
+	namespace := namespaceFromFilters(options.Filters)
+	networksList := []types.NetworkResource{}
+	for _, name := range cli.networks {
+		if belongToNamespace(name, namespace) {
+			networksList = append(networksList, networkFromName(name))
+		}
+	}
+	return networksList, nil
+}
+
+func (cli *fakeClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+	if cli.secretListFunc != nil {
+		return cli.secretListFunc(options)
+	}
+
+	namespace := namespaceFromFilters(options.Filters)
+	secretsList := []swarm.Secret{}
+	for _, name := range cli.secrets {
+		if belongToNamespace(name, namespace) {
+			secretsList = append(secretsList, secretFromName(name))
+		}
+	}
+	return secretsList, nil
+}
+
+func (cli *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+	if cli.configListFunc != nil {
+		return cli.configListFunc(options)
+	}
+
+	namespace := namespaceFromFilters(options.Filters)
+	configsList := []swarm.Config{}
+	for _, name := range cli.configs {
+		if belongToNamespace(name, namespace) {
+			configsList = append(configsList, configFromName(name))
+		}
+	}
+	return configsList, nil
+}
+
+func (cli *fakeClient) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+	if cli.taskListFunc != nil {
+		return cli.taskListFunc(options)
+	}
+	return []swarm.Task{}, nil
+}
+
+func (cli *fakeClient) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
+	if cli.nodeListFunc != nil {
+		return cli.nodeListFunc(options)
+	}
+	return []swarm.Node{}, nil
+}
+
+func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+	if cli.nodeInspectWithRaw != nil {
+		return cli.nodeInspectWithRaw(ref)
+	}
+	return swarm.Node{}, nil, nil
+}
+
+func (cli *fakeClient) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
+	if cli.serviceUpdateFunc != nil {
+		return cli.serviceUpdateFunc(serviceID, version, service, options)
+	}
+
+	return types.ServiceUpdateResponse{}, nil
+}
+
+func (cli *fakeClient) ServiceRemove(ctx context.Context, serviceID string) error {
+	if cli.serviceRemoveFunc != nil {
+		return cli.serviceRemoveFunc(serviceID)
+	}
+
+	cli.removedServices = append(cli.removedServices, serviceID)
+	return nil
+}
+
+func (cli *fakeClient) NetworkRemove(ctx context.Context, networkID string) error {
+	if cli.networkRemoveFunc != nil {
+		return cli.networkRemoveFunc(networkID)
+	}
+
+	cli.removedNetworks = append(cli.removedNetworks, networkID)
+	return nil
+}
+
+func (cli *fakeClient) SecretRemove(ctx context.Context, secretID string) error {
+	if cli.secretRemoveFunc != nil {
+		return cli.secretRemoveFunc(secretID)
+	}
+
+	cli.removedSecrets = append(cli.removedSecrets, secretID)
+	return nil
+}
+
+func (cli *fakeClient) ConfigRemove(ctx context.Context, configID string) error {
+	if cli.configRemoveFunc != nil {
+		return cli.configRemoveFunc(configID)
+	}
+
+	cli.removedConfigs = append(cli.removedConfigs, configID)
+	return nil
+}
+
+func serviceFromName(name string) swarm.Service {
+	return swarm.Service{
+		ID: "ID-" + name,
+		Spec: swarm.ServiceSpec{
+			Annotations: swarm.Annotations{Name: name},
+		},
+	}
+}
+
+func networkFromName(name string) types.NetworkResource {
+	return types.NetworkResource{
+		ID:   "ID-" + name,
+		Name: name,
+	}
+}
+
+func secretFromName(name string) swarm.Secret {
+	return swarm.Secret{
+		ID: "ID-" + name,
+		Spec: swarm.SecretSpec{
+			Annotations: swarm.Annotations{Name: name},
+		},
+	}
+}
+
+func configFromName(name string) swarm.Config {
+	return swarm.Config{
+		ID: "ID-" + name,
+		Spec: swarm.ConfigSpec{
+			Annotations: swarm.Annotations{Name: name},
+		},
+	}
+}
+
+func namespaceFromFilters(filters filters.Args) string {
+	label := filters.Get("label")[0]
+	return strings.TrimPrefix(label, convert.LabelNamespace+"=")
+}
+
+func belongToNamespace(id, namespace string) bool {
+	return strings.HasPrefix(id, namespace+"_")
+}
+
+func objectName(namespace, name string) string {
+	return namespace + "_" + name
+}
+
+func objectID(name string) string {
+	return "ID-" + name
+}
+
+func buildObjectIDs(objectNames []string) []string {
+	IDs := make([]string, len(objectNames))
+	for i, name := range objectNames {
+		IDs[i] = objectID(name)
+	}
+	return IDs
+}
diff --git a/cli/cli/command/stack/swarm/common.go b/cli/cli/command/stack/swarm/common.go
new file mode 100644
index 00000000..b4193df3
--- /dev/null
+++ b/cli/cli/command/stack/swarm/common.go
@@ -0,0 +1,50 @@
+package swarm
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli/compose/convert"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+)
+
+func getStackFilter(namespace string) filters.Args {
+	filter := filters.NewArgs()
+	filter.Add("label", convert.LabelNamespace+"="+namespace)
+	return filter
+}
+
+func getStackServiceFilter(namespace string) filters.Args {
+	return getStackFilter(namespace)
+}
+
+func getStackFilterFromOpt(namespace string, opt opts.FilterOpt) filters.Args {
+	filter := opt.Value()
+	filter.Add("label", convert.LabelNamespace+"="+namespace)
+	return filter
+}
+
+func getAllStacksFilter() filters.Args {
+	filter := filters.NewArgs()
+	filter.Add("label", convert.LabelNamespace)
+	return filter
+}
+
+func getStackServices(ctx context.Context, apiclient client.APIClient, namespace string) ([]swarm.Service, error) {
+	return apiclient.ServiceList(ctx, types.ServiceListOptions{Filters: getStackServiceFilter(namespace)})
+}
+
+func getStackNetworks(ctx context.Context, apiclient client.APIClient, namespace string) ([]types.NetworkResource, error) {
+	return apiclient.NetworkList(ctx, types.NetworkListOptions{Filters: getStackFilter(namespace)})
+}
+
+func getStackSecrets(ctx context.Context, apiclient client.APIClient, namespace string) ([]swarm.Secret, error) {
+	return apiclient.SecretList(ctx, types.SecretListOptions{Filters: getStackFilter(namespace)})
+}
+
+func getStackConfigs(ctx context.Context, apiclient client.APIClient, namespace string) ([]swarm.Config, error) {
+	return apiclient.ConfigList(ctx, types.ConfigListOptions{Filters: getStackFilter(namespace)})
+}
diff --git a/cli/cli/command/stack/swarm/deploy.go b/cli/cli/command/stack/swarm/deploy.go
new file mode 100644
index 00000000..d11c328f
--- /dev/null
+++ b/cli/cli/command/stack/swarm/deploy.go
@@ -0,0 +1,80 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/compose/convert"
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/pkg/errors"
+)
+
+// Resolve image constants
+const (
+	defaultNetworkDriver = "overlay"
+	ResolveImageAlways   = "always"
+	ResolveImageChanged  = "changed"
+	ResolveImageNever    = "never"
+)
+
+// RunDeploy is the swarm implementation of docker stack deploy
+func RunDeploy(dockerCli command.Cli, opts options.Deploy, cfg *composetypes.Config) error {
+	ctx := context.Background()
+
+	if err := validateResolveImageFlag(dockerCli, &opts); err != nil {
+		return err
+	}
+
+	return deployCompose(ctx, dockerCli, opts, cfg)
+}
+
+// validateResolveImageFlag validates the opts.resolveImage command line option
+// and also turns image resolution off if the version is older than 1.30
+func validateResolveImageFlag(dockerCli command.Cli, opts *options.Deploy) error {
+	if opts.ResolveImage != ResolveImageAlways && opts.ResolveImage != ResolveImageChanged && opts.ResolveImage != ResolveImageNever {
+		return errors.Errorf("Invalid option %s for flag --resolve-image", opts.ResolveImage)
+	}
+	// client side image resolution should not be done when the supported
+	// server version is older than 1.30
+	if versions.LessThan(dockerCli.Client().ClientVersion(), "1.30") {
+		opts.ResolveImage = ResolveImageNever
+	}
+	return nil
+}
+
+// checkDaemonIsSwarmManager does an Info API call to verify that the daemon is
+// a swarm manager. This is necessary because we must create networks before we
+// create services, but the API call for creating a network does not return a
+// proper status code when it can't create a network in the "global" scope.
+func checkDaemonIsSwarmManager(ctx context.Context, dockerCli command.Cli) error {
+	info, err := dockerCli.Client().Info(ctx)
+	if err != nil {
+		return err
+	}
+	if !info.Swarm.ControlAvailable {
+		return errors.New("this node is not a swarm manager. Use \"docker swarm init\" or \"docker swarm join\" to connect this node to swarm and try again")
+	}
+	return nil
+}
+
+// pruneServices removes services that are no longer referenced in the source
+func pruneServices(ctx context.Context, dockerCli command.Cli, namespace convert.Namespace, services map[string]struct{}) {
+	client := dockerCli.Client()
+
+	oldServices, err := getStackServices(ctx, client, namespace.Name())
+	if err != nil {
+		fmt.Fprintf(dockerCli.Err(), "Failed to list services: %s\n", err)
+	}
+
+	pruneServices := []swarm.Service{}
+	for _, service := range oldServices {
+		if _, exists := services[namespace.Descope(service.Spec.Name)]; !exists {
+			pruneServices = append(pruneServices, service)
+		}
+	}
+	removeServices(ctx, dockerCli, pruneServices)
+}
diff --git a/cli/cli/command/stack/swarm/deploy_bundlefile.go b/cli/cli/command/stack/swarm/deploy_bundlefile.go
new file mode 100644
index 00000000..8db6f66b
--- /dev/null
+++ b/cli/cli/command/stack/swarm/deploy_bundlefile.go
@@ -0,0 +1,124 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/bundlefile"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/compose/convert"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+)
+
+// DeployBundle deploy a bundlefile (dab) on a swarm.
+func DeployBundle(ctx context.Context, dockerCli command.Cli, opts options.Deploy) error {
+	bundle, err := loadBundlefile(dockerCli.Err(), opts.Namespace, opts.Bundlefile)
+	if err != nil {
+		return err
+	}
+
+	if err := checkDaemonIsSwarmManager(ctx, dockerCli); err != nil {
+		return err
+	}
+
+	namespace := convert.NewNamespace(opts.Namespace)
+
+	if opts.Prune {
+		services := map[string]struct{}{}
+		for service := range bundle.Services {
+			services[service] = struct{}{}
+		}
+		pruneServices(ctx, dockerCli, namespace, services)
+	}
+
+	networks := make(map[string]types.NetworkCreate)
+	for _, service := range bundle.Services {
+		for _, networkName := range service.Networks {
+			networks[namespace.Scope(networkName)] = types.NetworkCreate{
+				Labels: convert.AddStackLabel(namespace, nil),
+			}
+		}
+	}
+
+	services := make(map[string]swarm.ServiceSpec)
+	for internalName, service := range bundle.Services {
+		name := namespace.Scope(internalName)
+
+		var ports []swarm.PortConfig
+		for _, portSpec := range service.Ports {
+			ports = append(ports, swarm.PortConfig{
+				Protocol:   swarm.PortConfigProtocol(portSpec.Protocol),
+				TargetPort: portSpec.Port,
+			})
+		}
+
+		nets := []swarm.NetworkAttachmentConfig{}
+		for _, networkName := range service.Networks {
+			nets = append(nets, swarm.NetworkAttachmentConfig{
+				Target:  namespace.Scope(networkName),
+				Aliases: []string{internalName},
+			})
+		}
+
+		serviceSpec := swarm.ServiceSpec{
+			Annotations: swarm.Annotations{
+				Name:   name,
+				Labels: convert.AddStackLabel(namespace, service.Labels),
+			},
+			TaskTemplate: swarm.TaskSpec{
+				ContainerSpec: &swarm.ContainerSpec{
+					Image:   service.Image,
+					Command: service.Command,
+					Args:    service.Args,
+					Env:     service.Env,
+					// Service Labels will not be copied to Containers
+					// automatically during the deployment so we apply
+					// it here.
+					Labels: convert.AddStackLabel(namespace, nil),
+				},
+			},
+			EndpointSpec: &swarm.EndpointSpec{
+				Ports: ports,
+			},
+			Networks: nets,
+		}
+
+		services[internalName] = serviceSpec
+	}
+
+	if err := createNetworks(ctx, dockerCli, namespace, networks); err != nil {
+		return err
+	}
+	return deployServices(ctx, dockerCli, services, namespace, opts.SendRegistryAuth, opts.ResolveImage)
+}
+
+func loadBundlefile(stderr io.Writer, namespace string, path string) (*bundlefile.Bundlefile, error) {
+	defaultPath := fmt.Sprintf("%s.dab", namespace)
+
+	if path == "" {
+		path = defaultPath
+	}
+	if _, err := os.Stat(path); err != nil {
+		return nil, errors.Errorf(
+			"Bundle %s not found. Specify the path with --file",
+			path)
+	}
+
+	fmt.Fprintf(stderr, "Loading bundle from %s\n", path)
+	reader, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer reader.Close()
+
+	bundle, err := bundlefile.LoadFile(reader)
+	if err != nil {
+		return nil, errors.Errorf("Error reading %s: %v\n", path, err)
+	}
+	return bundle, err
+}
diff --git a/cli/cli/command/stack/swarm/deploy_bundlefile_test.go b/cli/cli/command/stack/swarm/deploy_bundlefile_test.go
new file mode 100644
index 00000000..485271cb
--- /dev/null
+++ b/cli/cli/command/stack/swarm/deploy_bundlefile_test.go
@@ -0,0 +1,50 @@
+package swarm
+
+import (
+	"bytes"
+	"path/filepath"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestLoadBundlefileErrors(t *testing.T) {
+	testCases := []struct {
+		namespace     string
+		path          string
+		expectedError string
+	}{
+		{
+			namespace:     "namespace_foo",
+			expectedError: "Bundle namespace_foo.dab not found",
+		},
+		{
+			namespace:     "namespace_foo",
+			path:          "invalid_path",
+			expectedError: "Bundle invalid_path not found",
+		},
+		// FIXME: this test never working, testdata file is missing from repo
+		//{
+		//	namespace:     "namespace_foo",
+		//	path:          string(golden.Get(t, "bundlefile_with_invalid_syntax")),
+		//	expectedError: "Error reading",
+		//},
+	}
+
+	for _, tc := range testCases {
+		_, err := loadBundlefile(&bytes.Buffer{}, tc.namespace, tc.path)
+		assert.ErrorContains(t, err, tc.expectedError)
+	}
+}
+
+func TestLoadBundlefile(t *testing.T) {
+	buf := new(bytes.Buffer)
+
+	namespace := ""
+	path := filepath.Join("testdata", "bundlefile_with_two_services.dab")
+	bundleFile, err := loadBundlefile(buf, namespace, path)
+
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(len(bundleFile.Services), 2))
+}
diff --git a/cli/cli/command/stack/swarm/deploy_composefile.go b/cli/cli/command/stack/swarm/deploy_composefile.go
new file mode 100644
index 00000000..e4574fd9
--- /dev/null
+++ b/cli/cli/command/stack/swarm/deploy_composefile.go
@@ -0,0 +1,281 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/compose/convert"
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/swarm"
+	apiclient "github.com/docker/docker/client"
+	dockerclient "github.com/docker/docker/client"
+	"github.com/pkg/errors"
+)
+
+func deployCompose(ctx context.Context, dockerCli command.Cli, opts options.Deploy, config *composetypes.Config) error {
+	if err := checkDaemonIsSwarmManager(ctx, dockerCli); err != nil {
+		return err
+	}
+
+	namespace := convert.NewNamespace(opts.Namespace)
+
+	if opts.Prune {
+		services := map[string]struct{}{}
+		for _, service := range config.Services {
+			services[service.Name] = struct{}{}
+		}
+		pruneServices(ctx, dockerCli, namespace, services)
+	}
+
+	serviceNetworks := getServicesDeclaredNetworks(config.Services)
+	networks, externalNetworks := convert.Networks(namespace, config.Networks, serviceNetworks)
+	if err := validateExternalNetworks(ctx, dockerCli.Client(), externalNetworks); err != nil {
+		return err
+	}
+	if err := createNetworks(ctx, dockerCli, namespace, networks); err != nil {
+		return err
+	}
+
+	secrets, err := convert.Secrets(namespace, config.Secrets)
+	if err != nil {
+		return err
+	}
+	if err := createSecrets(ctx, dockerCli, secrets); err != nil {
+		return err
+	}
+
+	configs, err := convert.Configs(namespace, config.Configs)
+	if err != nil {
+		return err
+	}
+	if err := createConfigs(ctx, dockerCli, configs); err != nil {
+		return err
+	}
+
+	services, err := convert.Services(namespace, config, dockerCli.Client())
+	if err != nil {
+		return err
+	}
+	return deployServices(ctx, dockerCli, services, namespace, opts.SendRegistryAuth, opts.ResolveImage)
+}
+
+func getServicesDeclaredNetworks(serviceConfigs []composetypes.ServiceConfig) map[string]struct{} {
+	serviceNetworks := map[string]struct{}{}
+	for _, serviceConfig := range serviceConfigs {
+		if len(serviceConfig.Networks) == 0 {
+			serviceNetworks["default"] = struct{}{}
+			continue
+		}
+		for network := range serviceConfig.Networks {
+			serviceNetworks[network] = struct{}{}
+		}
+	}
+	return serviceNetworks
+}
+
+func validateExternalNetworks(
+	ctx context.Context,
+	client dockerclient.NetworkAPIClient,
+	externalNetworks []string,
+) error {
+	for _, networkName := range externalNetworks {
+		if !container.NetworkMode(networkName).IsUserDefined() {
+			// Networks that are not user defined always exist on all nodes as
+			// local-scoped networks, so there's no need to inspect them.
+			continue
+		}
+		network, err := client.NetworkInspect(ctx, networkName, types.NetworkInspectOptions{})
+		switch {
+		case dockerclient.IsErrNotFound(err):
+			return errors.Errorf("network %q is declared as external, but could not be found. You need to create a swarm-scoped network before the stack is deployed", networkName)
+		case err != nil:
+			return err
+		case network.Scope != "swarm":
+			return errors.Errorf("network %q is declared as external, but it is not in the right scope: %q instead of \"swarm\"", networkName, network.Scope)
+		}
+	}
+	return nil
+}
+
+func createSecrets(
+	ctx context.Context,
+	dockerCli command.Cli,
+	secrets []swarm.SecretSpec,
+) error {
+	client := dockerCli.Client()
+
+	for _, secretSpec := range secrets {
+		secret, _, err := client.SecretInspectWithRaw(ctx, secretSpec.Name)
+		switch {
+		case err == nil:
+			// secret already exists, then we update that
+			if err := client.SecretUpdate(ctx, secret.ID, secret.Meta.Version, secretSpec); err != nil {
+				return errors.Wrapf(err, "failed to update secret %s", secretSpec.Name)
+			}
+		case apiclient.IsErrNotFound(err):
+			// secret does not exist, then we create a new one.
+			fmt.Fprintf(dockerCli.Out(), "Creating secret %s\n", secretSpec.Name)
+			if _, err := client.SecretCreate(ctx, secretSpec); err != nil {
+				return errors.Wrapf(err, "failed to create secret %s", secretSpec.Name)
+			}
+		default:
+			return err
+		}
+	}
+	return nil
+}
+
+func createConfigs(
+	ctx context.Context,
+	dockerCli command.Cli,
+	configs []swarm.ConfigSpec,
+) error {
+	client := dockerCli.Client()
+
+	for _, configSpec := range configs {
+		config, _, err := client.ConfigInspectWithRaw(ctx, configSpec.Name)
+		switch {
+		case err == nil:
+			// config already exists, then we update that
+			if err := client.ConfigUpdate(ctx, config.ID, config.Meta.Version, configSpec); err != nil {
+				return errors.Wrapf(err, "failed to update config %s", configSpec.Name)
+			}
+		case apiclient.IsErrNotFound(err):
+			// config does not exist, then we create a new one.
+			fmt.Fprintf(dockerCli.Out(), "Creating config %s\n", configSpec.Name)
+			if _, err := client.ConfigCreate(ctx, configSpec); err != nil {
+				return errors.Wrapf(err, "failed to create config %s", configSpec.Name)
+			}
+		default:
+			return err
+		}
+	}
+	return nil
+}
+
+func createNetworks(
+	ctx context.Context,
+	dockerCli command.Cli,
+	namespace convert.Namespace,
+	networks map[string]types.NetworkCreate,
+) error {
+	client := dockerCli.Client()
+
+	existingNetworks, err := getStackNetworks(ctx, client, namespace.Name())
+	if err != nil {
+		return err
+	}
+
+	existingNetworkMap := make(map[string]types.NetworkResource)
+	for _, network := range existingNetworks {
+		existingNetworkMap[network.Name] = network
+	}
+
+	for name, createOpts := range networks {
+		if _, exists := existingNetworkMap[name]; exists {
+			continue
+		}
+
+		if createOpts.Driver == "" {
+			createOpts.Driver = defaultNetworkDriver
+		}
+
+		fmt.Fprintf(dockerCli.Out(), "Creating network %s\n", name)
+		if _, err := client.NetworkCreate(ctx, name, createOpts); err != nil {
+			return errors.Wrapf(err, "failed to create network %s", name)
+		}
+	}
+	return nil
+}
+
+func deployServices(
+	ctx context.Context,
+	dockerCli command.Cli,
+	services map[string]swarm.ServiceSpec,
+	namespace convert.Namespace,
+	sendAuth bool,
+	resolveImage string,
+) error {
+	apiClient := dockerCli.Client()
+	out := dockerCli.Out()
+
+	existingServices, err := getStackServices(ctx, apiClient, namespace.Name())
+	if err != nil {
+		return err
+	}
+
+	existingServiceMap := make(map[string]swarm.Service)
+	for _, service := range existingServices {
+		existingServiceMap[service.Spec.Name] = service
+	}
+
+	for internalName, serviceSpec := range services {
+		name := namespace.Scope(internalName)
+
+		encodedAuth := ""
+		image := serviceSpec.TaskTemplate.ContainerSpec.Image
+		if sendAuth {
+			// Retrieve encoded auth token from the image reference
+			encodedAuth, err = command.RetrieveAuthTokenFromImage(ctx, dockerCli, image)
+			if err != nil {
+				return err
+			}
+		}
+
+		if service, exists := existingServiceMap[name]; exists {
+			fmt.Fprintf(out, "Updating service %s (id: %s)\n", name, service.ID)
+
+			updateOpts := types.ServiceUpdateOptions{EncodedRegistryAuth: encodedAuth}
+
+			switch {
+			case resolveImage == ResolveImageAlways || (resolveImage == ResolveImageChanged && image != service.Spec.Labels[convert.LabelImage]):
+				// image should be updated by the server using QueryRegistry
+				updateOpts.QueryRegistry = true
+			case image == service.Spec.Labels[convert.LabelImage]:
+				// image has not changed; update the serviceSpec with the
+				// existing information that was set by QueryRegistry on the
+				// previous deploy. Otherwise this will trigger an incorrect
+				// service update.
+				serviceSpec.TaskTemplate.ContainerSpec.Image = service.Spec.TaskTemplate.ContainerSpec.Image
+			}
+
+			// Stack deploy does not have a `--force` option. Preserve existing ForceUpdate
+			// value so that tasks are not re-deployed if not updated.
+			// TODO move this to API client?
+			serviceSpec.TaskTemplate.ForceUpdate = service.Spec.TaskTemplate.ForceUpdate
+
+			response, err := apiClient.ServiceUpdate(
+				ctx,
+				service.ID,
+				service.Version,
+				serviceSpec,
+				updateOpts,
+			)
+			if err != nil {
+				return errors.Wrapf(err, "failed to update service %s", name)
+			}
+
+			for _, warning := range response.Warnings {
+				fmt.Fprintln(dockerCli.Err(), warning)
+			}
+		} else {
+			fmt.Fprintf(out, "Creating service %s\n", name)
+
+			createOpts := types.ServiceCreateOptions{EncodedRegistryAuth: encodedAuth}
+
+			// query registry if flag disabling it was not set
+			if resolveImage == ResolveImageAlways || resolveImage == ResolveImageChanged {
+				createOpts.QueryRegistry = true
+			}
+
+			if _, err := apiClient.ServiceCreate(ctx, serviceSpec, createOpts); err != nil {
+				return errors.Wrapf(err, "failed to create service %s", name)
+			}
+		}
+	}
+	return nil
+}
diff --git a/cli/cli/command/stack/swarm/deploy_composefile_test.go b/cli/cli/command/stack/swarm/deploy_composefile_test.go
new file mode 100644
index 00000000..065a4f29
--- /dev/null
+++ b/cli/cli/command/stack/swarm/deploy_composefile_test.go
@@ -0,0 +1,67 @@
+package swarm
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/cli/internal/test/network"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+type notFound struct {
+	error
+}
+
+func (n notFound) NotFound() bool {
+	return true
+}
+
+func TestValidateExternalNetworks(t *testing.T) {
+	var testcases = []struct {
+		inspectResponse types.NetworkResource
+		inspectError    error
+		expectedMsg     string
+		network         string
+	}{
+		{
+			inspectError: notFound{},
+			expectedMsg:  "could not be found. You need to create a swarm-scoped network",
+		},
+		{
+			inspectError: errors.New("Unexpected"),
+			expectedMsg:  "Unexpected",
+		},
+		// FIXME(vdemeester) that doesn't work under windows, the check needs to be smarter
+		/*
+			{
+				inspectError: errors.New("host net does not exist on swarm classic"),
+				network:      "host",
+			},
+		*/
+		{
+			network:     "user",
+			expectedMsg: "is not in the right scope",
+		},
+		{
+			network:         "user",
+			inspectResponse: types.NetworkResource{Scope: "swarm"},
+		},
+	}
+
+	for _, testcase := range testcases {
+		fakeClient := &network.FakeClient{
+			NetworkInspectFunc: func(_ context.Context, _ string, _ types.NetworkInspectOptions) (types.NetworkResource, error) {
+				return testcase.inspectResponse, testcase.inspectError
+			},
+		}
+		networks := []string{testcase.network}
+		err := validateExternalNetworks(context.Background(), fakeClient, networks)
+		if testcase.expectedMsg == "" {
+			assert.NilError(t, err)
+		} else {
+			assert.ErrorContains(t, err, testcase.expectedMsg)
+		}
+	}
+}
diff --git a/cli/cli/command/stack/swarm/deploy_test.go b/cli/cli/command/stack/swarm/deploy_test.go
new file mode 100644
index 00000000..b1df60dc
--- /dev/null
+++ b/cli/cli/command/stack/swarm/deploy_test.go
@@ -0,0 +1,110 @@
+package swarm
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/cli/cli/compose/convert"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestPruneServices(t *testing.T) {
+	ctx := context.Background()
+	namespace := convert.NewNamespace("foo")
+	services := map[string]struct{}{
+		"new":  {},
+		"keep": {},
+	}
+	client := &fakeClient{services: []string{objectName("foo", "keep"), objectName("foo", "remove")}}
+	dockerCli := test.NewFakeCli(client)
+
+	pruneServices(ctx, dockerCli, namespace, services)
+	assert.Check(t, is.DeepEqual(buildObjectIDs([]string{objectName("foo", "remove")}), client.removedServices))
+}
+
+// TestServiceUpdateResolveImageChanged tests that the service's
+// image digest, and "ForceUpdate" is preserved if the image did not change in
+// the compose file
+func TestServiceUpdateResolveImageChanged(t *testing.T) {
+	namespace := convert.NewNamespace("mystack")
+
+	var (
+		receivedOptions types.ServiceUpdateOptions
+		receivedService swarm.ServiceSpec
+	)
+
+	client := test.NewFakeCli(&fakeClient{
+		serviceListFunc: func(options types.ServiceListOptions) ([]swarm.Service, error) {
+			return []swarm.Service{
+				{
+					Spec: swarm.ServiceSpec{
+						Annotations: swarm.Annotations{
+							Name:   namespace.Name() + "_myservice",
+							Labels: map[string]string{"com.docker.stack.image": "foobar:1.2.3"},
+						},
+						TaskTemplate: swarm.TaskSpec{
+							ContainerSpec: &swarm.ContainerSpec{
+								Image: "foobar:1.2.3@sha256:deadbeef",
+							},
+							ForceUpdate: 123,
+						},
+					},
+				},
+			}, nil
+		},
+		serviceUpdateFunc: func(serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
+			receivedOptions = options
+			receivedService = service
+			return types.ServiceUpdateResponse{}, nil
+		},
+	})
+
+	var testcases = []struct {
+		image                 string
+		expectedQueryRegistry bool
+		expectedImage         string
+		expectedForceUpdate   uint64
+	}{
+		// Image not changed
+		{
+			image: "foobar:1.2.3",
+			expectedQueryRegistry: false,
+			expectedImage:         "foobar:1.2.3@sha256:deadbeef",
+			expectedForceUpdate:   123,
+		},
+		// Image changed
+		{
+			image: "foobar:1.2.4",
+			expectedQueryRegistry: true,
+			expectedImage:         "foobar:1.2.4",
+			expectedForceUpdate:   123,
+		},
+	}
+
+	ctx := context.Background()
+
+	for _, testcase := range testcases {
+		t.Logf("Testing image %q", testcase.image)
+		spec := map[string]swarm.ServiceSpec{
+			"myservice": {
+				TaskTemplate: swarm.TaskSpec{
+					ContainerSpec: &swarm.ContainerSpec{
+						Image: testcase.image,
+					},
+				},
+			},
+		}
+		err := deployServices(ctx, client, spec, namespace, false, ResolveImageChanged)
+		assert.NilError(t, err)
+		assert.Check(t, is.Equal(receivedOptions.QueryRegistry, testcase.expectedQueryRegistry))
+		assert.Check(t, is.Equal(receivedService.TaskTemplate.ContainerSpec.Image, testcase.expectedImage))
+		assert.Check(t, is.Equal(receivedService.TaskTemplate.ForceUpdate, testcase.expectedForceUpdate))
+
+		receivedService = swarm.ServiceSpec{}
+		receivedOptions = types.ServiceUpdateOptions{}
+	}
+}
diff --git a/cli/cli/command/stack/swarm/list.go b/cli/cli/command/stack/swarm/list.go
new file mode 100644
index 00000000..c0c19d0a
--- /dev/null
+++ b/cli/cli/command/stack/swarm/list.go
@@ -0,0 +1,45 @@
+package swarm
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/cli/compose/convert"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+)
+
+// GetStacks lists the swarm stacks.
+func GetStacks(dockerCli command.Cli) ([]*formatter.Stack, error) {
+	services, err := dockerCli.Client().ServiceList(
+		context.Background(),
+		types.ServiceListOptions{Filters: getAllStacksFilter()})
+	if err != nil {
+		return nil, err
+	}
+	m := make(map[string]*formatter.Stack)
+	for _, service := range services {
+		labels := service.Spec.Labels
+		name, ok := labels[convert.LabelNamespace]
+		if !ok {
+			return nil, errors.Errorf("cannot get label %s for service %s",
+				convert.LabelNamespace, service.ID)
+		}
+		ztack, ok := m[name]
+		if !ok {
+			m[name] = &formatter.Stack{
+				Name:         name,
+				Services:     1,
+				Orchestrator: "Swarm",
+			}
+		} else {
+			ztack.Services++
+		}
+	}
+	var stacks []*formatter.Stack
+	for _, stack := range m {
+		stacks = append(stacks, stack)
+	}
+	return stacks, nil
+}
diff --git a/cli/cli/command/stack/swarm/ps.go b/cli/cli/command/stack/swarm/ps.go
new file mode 100644
index 00000000..5b28a39e
--- /dev/null
+++ b/cli/cli/command/stack/swarm/ps.go
@@ -0,0 +1,35 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/idresolver"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/cli/cli/command/task"
+	"github.com/docker/docker/api/types"
+)
+
+// RunPS is the swarm implementation of docker stack ps
+func RunPS(dockerCli command.Cli, opts options.PS) error {
+	filter := getStackFilterFromOpt(opts.Namespace, opts.Filter)
+
+	ctx := context.Background()
+	client := dockerCli.Client()
+	tasks, err := client.TaskList(ctx, types.TaskListOptions{Filters: filter})
+	if err != nil {
+		return err
+	}
+
+	if len(tasks) == 0 {
+		return fmt.Errorf("nothing found in stack: %s", opts.Namespace)
+	}
+
+	format := opts.Format
+	if len(format) == 0 {
+		format = task.DefaultFormat(dockerCli.ConfigFile(), opts.Quiet)
+	}
+
+	return task.Print(ctx, dockerCli, tasks, idresolver.New(client, opts.NoResolve), !opts.NoTrunc, opts.Quiet, format)
+}
diff --git a/cli/cli/command/stack/swarm/remove.go b/cli/cli/command/stack/swarm/remove.go
new file mode 100644
index 00000000..4dedef12
--- /dev/null
+++ b/cli/cli/command/stack/swarm/remove.go
@@ -0,0 +1,140 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/pkg/errors"
+)
+
+// RunRemove is the swarm implementation of docker stack remove
+func RunRemove(dockerCli command.Cli, opts options.Remove) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	var errs []string
+	for _, namespace := range opts.Namespaces {
+		services, err := getStackServices(ctx, client, namespace)
+		if err != nil {
+			return err
+		}
+
+		networks, err := getStackNetworks(ctx, client, namespace)
+		if err != nil {
+			return err
+		}
+
+		var secrets []swarm.Secret
+		if versions.GreaterThanOrEqualTo(client.ClientVersion(), "1.25") {
+			secrets, err = getStackSecrets(ctx, client, namespace)
+			if err != nil {
+				return err
+			}
+		}
+
+		var configs []swarm.Config
+		if versions.GreaterThanOrEqualTo(client.ClientVersion(), "1.30") {
+			configs, err = getStackConfigs(ctx, client, namespace)
+			if err != nil {
+				return err
+			}
+		}
+
+		if len(services)+len(networks)+len(secrets)+len(configs) == 0 {
+			fmt.Fprintf(dockerCli.Err(), "Nothing found in stack: %s\n", namespace)
+			continue
+		}
+
+		hasError := removeServices(ctx, dockerCli, services)
+		hasError = removeSecrets(ctx, dockerCli, secrets) || hasError
+		hasError = removeConfigs(ctx, dockerCli, configs) || hasError
+		hasError = removeNetworks(ctx, dockerCli, networks) || hasError
+
+		if hasError {
+			errs = append(errs, fmt.Sprintf("Failed to remove some resources from stack: %s", namespace))
+		}
+	}
+
+	if len(errs) > 0 {
+		return errors.Errorf(strings.Join(errs, "\n"))
+	}
+	return nil
+}
+
+func sortServiceByName(services []swarm.Service) func(i, j int) bool {
+	return func(i, j int) bool {
+		return services[i].Spec.Name < services[j].Spec.Name
+	}
+}
+
+func removeServices(
+	ctx context.Context,
+	dockerCli command.Cli,
+	services []swarm.Service,
+) bool {
+	var hasError bool
+	sort.Slice(services, sortServiceByName(services))
+	for _, service := range services {
+		fmt.Fprintf(dockerCli.Out(), "Removing service %s\n", service.Spec.Name)
+		if err := dockerCli.Client().ServiceRemove(ctx, service.ID); err != nil {
+			hasError = true
+			fmt.Fprintf(dockerCli.Err(), "Failed to remove service %s: %s", service.ID, err)
+		}
+	}
+	return hasError
+}
+
+func removeNetworks(
+	ctx context.Context,
+	dockerCli command.Cli,
+	networks []types.NetworkResource,
+) bool {
+	var hasError bool
+	for _, network := range networks {
+		fmt.Fprintf(dockerCli.Out(), "Removing network %s\n", network.Name)
+		if err := dockerCli.Client().NetworkRemove(ctx, network.ID); err != nil {
+			hasError = true
+			fmt.Fprintf(dockerCli.Err(), "Failed to remove network %s: %s", network.ID, err)
+		}
+	}
+	return hasError
+}
+
+func removeSecrets(
+	ctx context.Context,
+	dockerCli command.Cli,
+	secrets []swarm.Secret,
+) bool {
+	var hasError bool
+	for _, secret := range secrets {
+		fmt.Fprintf(dockerCli.Out(), "Removing secret %s\n", secret.Spec.Name)
+		if err := dockerCli.Client().SecretRemove(ctx, secret.ID); err != nil {
+			hasError = true
+			fmt.Fprintf(dockerCli.Err(), "Failed to remove secret %s: %s", secret.ID, err)
+		}
+	}
+	return hasError
+}
+
+func removeConfigs(
+	ctx context.Context,
+	dockerCli command.Cli,
+	configs []swarm.Config,
+) bool {
+	var hasError bool
+	for _, config := range configs {
+		fmt.Fprintf(dockerCli.Out(), "Removing config %s\n", config.Spec.Name)
+		if err := dockerCli.Client().ConfigRemove(ctx, config.ID); err != nil {
+			hasError = true
+			fmt.Fprintf(dockerCli.Err(), "Failed to remove config %s: %s", config.ID, err)
+		}
+	}
+	return hasError
+}
diff --git a/cli/cli/command/stack/swarm/services.go b/cli/cli/command/stack/swarm/services.go
new file mode 100644
index 00000000..07b990ad
--- /dev/null
+++ b/cli/cli/command/stack/swarm/services.go
@@ -0,0 +1,66 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/cli/command/service"
+	"github.com/docker/cli/cli/command/stack/options"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// RunServices is the swarm implementation of docker stack services
+func RunServices(dockerCli command.Cli, opts options.Services) error {
+	ctx := context.Background()
+	client := dockerCli.Client()
+
+	filter := getStackFilterFromOpt(opts.Namespace, opts.Filter)
+	services, err := client.ServiceList(ctx, types.ServiceListOptions{Filters: filter})
+	if err != nil {
+		return err
+	}
+
+	// if no services in this stack, print message and exit 0
+	if len(services) == 0 {
+		fmt.Fprintf(dockerCli.Err(), "Nothing found in stack: %s\n", opts.Namespace)
+		return nil
+	}
+
+	info := map[string]formatter.ServiceListInfo{}
+	if !opts.Quiet {
+		taskFilter := filters.NewArgs()
+		for _, service := range services {
+			taskFilter.Add("service", service.ID)
+		}
+
+		tasks, err := client.TaskList(ctx, types.TaskListOptions{Filters: taskFilter})
+		if err != nil {
+			return err
+		}
+
+		nodes, err := client.NodeList(ctx, types.NodeListOptions{})
+		if err != nil {
+			return err
+		}
+
+		info = service.GetServicesStatus(services, nodes, tasks)
+	}
+
+	format := opts.Format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().ServicesFormat) > 0 && !opts.Quiet {
+			format = dockerCli.ConfigFile().ServicesFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+
+	servicesCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewServiceListFormat(format, opts.Quiet),
+	}
+	return formatter.ServiceListWrite(servicesCtx, services, info)
+}
diff --git a/cli/cli/command/stack/swarm/testdata/bundlefile_with_two_services.dab b/cli/cli/command/stack/swarm/testdata/bundlefile_with_two_services.dab
new file mode 100644
index 00000000..ced8180d
--- /dev/null
+++ b/cli/cli/command/stack/swarm/testdata/bundlefile_with_two_services.dab
@@ -0,0 +1,29 @@
+{
+  "Services": {
+    "visualizer": {
+      "Image": "busybox@sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f",
+      "Networks": [
+        "webnet"
+      ],
+      "Ports": [
+        {
+          "Port": 8080,
+          "Protocol": "tcp"
+        }
+      ]
+    },
+    "web": {
+      "Image": "busybox@sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f",
+      "Networks": [
+        "webnet"
+      ],
+      "Ports": [
+        {
+          "Port": 80,
+          "Protocol": "tcp"
+        }
+      ]
+    }
+  },
+  "Version": "0.1"
+}
diff --git a/cli/cli/command/stack/testdata/stack-list-sort-natural.golden b/cli/cli/command/stack/testdata/stack-list-sort-natural.golden
new file mode 100644
index 00000000..3090cb9e
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-list-sort-natural.golden
@@ -0,0 +1,4 @@
+NAME                  SERVICES            ORCHESTRATOR
+service-name-1-foo    1                   Swarm
+service-name-2-foo    1                   Swarm
+service-name-10-foo   1                   Swarm
diff --git a/cli/cli/command/stack/testdata/stack-list-sort.golden b/cli/cli/command/stack/testdata/stack-list-sort.golden
new file mode 100644
index 00000000..179ae71d
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-list-sort.golden
@@ -0,0 +1,3 @@
+NAME                SERVICES            ORCHESTRATOR
+service-name-bar    1                   Swarm
+service-name-foo    1                   Swarm
diff --git a/cli/cli/command/stack/testdata/stack-list-with-format.golden b/cli/cli/command/stack/testdata/stack-list-with-format.golden
new file mode 100644
index 00000000..b53e6401
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-list-with-format.golden
@@ -0,0 +1 @@
+service-name-foo
diff --git a/cli/cli/command/stack/testdata/stack-list-without-format.golden b/cli/cli/command/stack/testdata/stack-list-without-format.golden
new file mode 100644
index 00000000..37213aaf
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-list-without-format.golden
@@ -0,0 +1,2 @@
+NAME                SERVICES            ORCHESTRATOR
+service-name-foo    1                   Swarm
diff --git a/cli/cli/command/stack/testdata/stack-ps-with-config-format.golden b/cli/cli/command/stack/testdata/stack-ps-with-config-format.golden
new file mode 100644
index 00000000..9ecebdaf
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-ps-with-config-format.golden
@@ -0,0 +1 @@
+service-id-foo.1
diff --git a/cli/cli/command/stack/testdata/stack-ps-with-format.golden b/cli/cli/command/stack/testdata/stack-ps-with-format.golden
new file mode 100644
index 00000000..9ecebdaf
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-ps-with-format.golden
@@ -0,0 +1 @@
+service-id-foo.1
diff --git a/cli/cli/command/stack/testdata/stack-ps-with-no-resolve-option.golden b/cli/cli/command/stack/testdata/stack-ps-with-no-resolve-option.golden
new file mode 100644
index 00000000..b90d743b
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-ps-with-no-resolve-option.golden
@@ -0,0 +1 @@
+id-node-foo
diff --git a/cli/cli/command/stack/testdata/stack-ps-with-no-trunc-option.golden b/cli/cli/command/stack/testdata/stack-ps-with-no-trunc-option.golden
new file mode 100644
index 00000000..8179bf4d
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-ps-with-no-trunc-option.golden
@@ -0,0 +1 @@
+xn4cypcov06f2w8gsbaf2lst3
diff --git a/cli/cli/command/stack/testdata/stack-ps-with-quiet-option.golden b/cli/cli/command/stack/testdata/stack-ps-with-quiet-option.golden
new file mode 100644
index 00000000..e2faeb60
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-ps-with-quiet-option.golden
@@ -0,0 +1 @@
+id-foo
diff --git a/cli/cli/command/stack/testdata/stack-ps-without-format.golden b/cli/cli/command/stack/testdata/stack-ps-without-format.golden
new file mode 100644
index 00000000..ceb4f841
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-ps-without-format.golden
@@ -0,0 +1,2 @@
+ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE        ERROR               PORTS
+id-foo              service-id-foo.1    myimage:mytag       node-name-bar       Ready               Failed 2 hours ago                       
diff --git a/cli/cli/command/stack/testdata/stack-services-with-config-format.golden b/cli/cli/command/stack/testdata/stack-services-with-config-format.golden
new file mode 100644
index 00000000..b53e6401
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-services-with-config-format.golden
@@ -0,0 +1 @@
+service-name-foo
diff --git a/cli/cli/command/stack/testdata/stack-services-with-format.golden b/cli/cli/command/stack/testdata/stack-services-with-format.golden
new file mode 100644
index 00000000..b53e6401
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-services-with-format.golden
@@ -0,0 +1 @@
+service-name-foo
diff --git a/cli/cli/command/stack/testdata/stack-services-with-quiet-option.golden b/cli/cli/command/stack/testdata/stack-services-with-quiet-option.golden
new file mode 100644
index 00000000..e2faeb60
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-services-with-quiet-option.golden
@@ -0,0 +1 @@
+id-foo
diff --git a/cli/cli/command/stack/testdata/stack-services-without-format.golden b/cli/cli/command/stack/testdata/stack-services-without-format.golden
new file mode 100644
index 00000000..dcca0dfa
--- /dev/null
+++ b/cli/cli/command/stack/testdata/stack-services-without-format.golden
@@ -0,0 +1,2 @@
+ID                  NAME                MODE                REPLICAS            IMAGE               PORTS
+id-foo              name-foo            replicated          0/2                 busybox:latest      *:30000->3232/tcp
diff --git a/cli/cli/command/stream.go b/cli/cli/command/stream.go
new file mode 100644
index 00000000..71a43fa2
--- /dev/null
+++ b/cli/cli/command/stream.go
@@ -0,0 +1,34 @@
+package command
+
+import (
+	"github.com/docker/docker/pkg/term"
+)
+
+// CommonStream is an input stream used by the DockerCli to read user input
+type CommonStream struct {
+	fd         uintptr
+	isTerminal bool
+	state      *term.State
+}
+
+// FD returns the file descriptor number for this stream
+func (s *CommonStream) FD() uintptr {
+	return s.fd
+}
+
+// IsTerminal returns true if this stream is connected to a terminal
+func (s *CommonStream) IsTerminal() bool {
+	return s.isTerminal
+}
+
+// RestoreTerminal restores normal mode to the terminal
+func (s *CommonStream) RestoreTerminal() {
+	if s.state != nil {
+		term.RestoreTerminal(s.fd, s.state)
+	}
+}
+
+// SetIsTerminal sets the boolean used for isTerminal
+func (s *CommonStream) SetIsTerminal(isTerminal bool) {
+	s.isTerminal = isTerminal
+}
diff --git a/cli/cli/command/swarm/ca.go b/cli/cli/command/swarm/ca.go
new file mode 100644
index 00000000..961e7e89
--- /dev/null
+++ b/cli/cli/command/swarm/ca.go
@@ -0,0 +1,141 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/swarm/progress"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type caOptions struct {
+	swarmCAOptions
+	rootCACert PEMFile
+	rootCAKey  PEMFile
+	rotate     bool
+	detach     bool
+	quiet      bool
+}
+
+func newCACommand(dockerCli command.Cli) *cobra.Command {
+	opts := caOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "ca [OPTIONS]",
+		Short: "Display and rotate the root CA",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runCA(dockerCli, cmd.Flags(), opts)
+		},
+		Annotations: map[string]string{"version": "1.30"},
+	}
+
+	flags := cmd.Flags()
+	addSwarmCAFlags(flags, &opts.swarmCAOptions)
+	flags.BoolVar(&opts.rotate, flagRotate, false, "Rotate the swarm CA - if no certificate or key are provided, new ones will be generated")
+	flags.Var(&opts.rootCACert, flagCACert, "Path to the PEM-formatted root CA certificate to use for the new cluster")
+	flags.Var(&opts.rootCAKey, flagCAKey, "Path to the PEM-formatted root CA key to use for the new cluster")
+
+	flags.BoolVarP(&opts.detach, "detach", "d", false, "Exit immediately instead of waiting for the root rotation to converge")
+	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Suppress progress output")
+	return cmd
+}
+
+func runCA(dockerCli command.Cli, flags *pflag.FlagSet, opts caOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	swarmInspect, err := client.SwarmInspect(ctx)
+	if err != nil {
+		return err
+	}
+
+	if !opts.rotate {
+		for _, f := range []string{flagCACert, flagCAKey, flagCertExpiry, flagExternalCA} {
+			if flags.Changed(f) {
+				return fmt.Errorf("`--%s` flag requires the `--rotate` flag to update the CA", f)
+			}
+		}
+		return displayTrustRoot(dockerCli.Out(), swarmInspect)
+	}
+
+	if flags.Changed(flagExternalCA) && len(opts.externalCA.Value()) > 0 && !flags.Changed(flagCACert) {
+		return fmt.Errorf(
+			"rotating to an external CA requires the `--%s` flag to specify the external CA's cert - "+
+				"to add an external CA with the current root CA certificate, use the `update` command instead", flagCACert)
+	}
+
+	if flags.Changed(flagCACert) && len(opts.externalCA.Value()) == 0 && !flags.Changed(flagCAKey) {
+		return fmt.Errorf("the --%s flag requires that a --%s flag and/or --%s flag be provided as well",
+			flagCACert, flagCAKey, flagExternalCA)
+	}
+
+	updateSwarmSpec(&swarmInspect.Spec, flags, opts)
+	if err := client.SwarmUpdate(ctx, swarmInspect.Version, swarmInspect.Spec, swarm.UpdateFlags{}); err != nil {
+		return err
+	}
+
+	if opts.detach {
+		return nil
+	}
+	return attach(ctx, dockerCli, opts)
+}
+
+func updateSwarmSpec(spec *swarm.Spec, flags *pflag.FlagSet, opts caOptions) {
+	caCert := opts.rootCACert.Contents()
+	caKey := opts.rootCAKey.Contents()
+	opts.mergeSwarmSpecCAFlags(spec, flags, caCert)
+
+	spec.CAConfig.SigningCACert = caCert
+	spec.CAConfig.SigningCAKey = caKey
+
+	if caKey == "" && caCert == "" {
+		spec.CAConfig.ForceRotate++
+	}
+}
+
+func attach(ctx context.Context, dockerCli command.Cli, opts caOptions) error {
+	client := dockerCli.Client()
+	errChan := make(chan error, 1)
+	pipeReader, pipeWriter := io.Pipe()
+
+	go func() {
+		errChan <- progress.RootRotationProgress(ctx, client, pipeWriter)
+	}()
+
+	if opts.quiet {
+		go io.Copy(ioutil.Discard, pipeReader)
+		return <-errChan
+	}
+
+	err := jsonmessage.DisplayJSONMessagesToStream(pipeReader, dockerCli.Out(), nil)
+	if err == nil {
+		err = <-errChan
+	}
+	if err != nil {
+		return err
+	}
+
+	swarmInspect, err := client.SwarmInspect(ctx)
+	if err != nil {
+		return err
+	}
+	return displayTrustRoot(dockerCli.Out(), swarmInspect)
+}
+
+func displayTrustRoot(out io.Writer, info swarm.Swarm) error {
+	if info.ClusterInfo.TLSInfo.TrustRoot == "" {
+		return errors.New("No CA information available")
+	}
+	fmt.Fprintln(out, strings.TrimSpace(info.ClusterInfo.TLSInfo.TrustRoot))
+	return nil
+}
diff --git a/cli/cli/command/swarm/ca_test.go b/cli/cli/command/swarm/ca_test.go
new file mode 100644
index 00000000..d0eff116
--- /dev/null
+++ b/cli/cli/command/swarm/ca_test.go
@@ -0,0 +1,300 @@
+package swarm
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+const (
+	cert = `
+-----BEGIN CERTIFICATE-----
+MIIBuDCCAV4CCQDOqUYOWdqMdjAKBggqhkjOPQQDAzBjMQswCQYDVQQGEwJVUzEL
+MAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRv
+Y2tlcjEPMA0GA1UECwwGRG9ja2VyMQ0wCwYDVQQDDARUZXN0MCAXDTE4MDcwMjIx
+MjkxOFoYDzMwMTcxMTAyMjEyOTE4WjBjMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
+Q0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRvY2tlcjEPMA0G
+A1UECwwGRG9ja2VyMQ0wCwYDVQQDDARUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAEgvvZl5Vqpr1e+g5IhoU6TZHgRau+BZETVFTmqyWYajA/mooRQ1MZTozu
+s9ZZZA8tzUhIqS36gsFuyIZ4YiAlyjAKBggqhkjOPQQDAwNIADBFAiBQ7pCPQrj8
+8zaItMf0pk8j1NU5XrFqFEZICzvjzUJQBAIhAKq2gFwoTn8KH+cAAXZpAGJPmOsT
+zsBT8gBAOHhNA6/2
+-----END CERTIFICATE-----`
+	key = `
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICyheZpw70pbgO4hEuwhZTETWyTpNJmJ3TyFaWT6WTRkoAoGCCqGSM49
+AwEHoUQDQgAEgvvZl5Vqpr1e+g5IhoU6TZHgRau+BZETVFTmqyWYajA/mooRQ1MZ
+Tozus9ZZZA8tzUhIqS36gsFuyIZ4YiAlyg==
+-----END EC PRIVATE KEY-----`
+)
+
+func swarmSpecWithFullCAConfig() *swarm.Spec {
+	return &swarm.Spec{
+		CAConfig: swarm.CAConfig{
+			SigningCACert:  "cacert",
+			SigningCAKey:   "cakey",
+			ForceRotate:    1,
+			NodeCertExpiry: time.Duration(200),
+			ExternalCAs: []*swarm.ExternalCA{
+				{
+					URL:      "https://example.com/ca",
+					Protocol: swarm.ExternalCAProtocolCFSSL,
+					CACert:   "excacert",
+				},
+			},
+		},
+	}
+}
+
+func TestDisplayTrustRootNoRoot(t *testing.T) {
+	buffer := new(bytes.Buffer)
+	err := displayTrustRoot(buffer, swarm.Swarm{})
+	assert.Error(t, err, "No CA information available")
+}
+
+type invalidCATestCases struct {
+	args     []string
+	errorMsg string
+}
+
+func writeFile(data string) (string, error) {
+	tmpfile, err := ioutil.TempFile("", "testfile")
+	if err != nil {
+		return "", err
+	}
+	_, err = tmpfile.Write([]byte(data))
+	if err != nil {
+		return "", err
+	}
+	tmpfile.Close()
+	return tmpfile.Name(), nil
+}
+
+func TestDisplayTrustRootInvalidFlags(t *testing.T) {
+	// we need an actual PEMfile to test
+	tmpfile, err := writeFile(cert)
+	assert.NilError(t, err)
+	defer os.Remove(tmpfile)
+
+	errorTestCases := []invalidCATestCases{
+		{
+			args:     []string{"--ca-cert=" + tmpfile},
+			errorMsg: "flag requires the `--rotate` flag to update the CA",
+		},
+		{
+			args:     []string{"--ca-key=" + tmpfile},
+			errorMsg: "flag requires the `--rotate` flag to update the CA",
+		},
+		{ // to make sure we're not erroring because we didn't provide a CA key along with the CA cert
+			args: []string{
+				"--ca-cert=" + tmpfile,
+				"--ca-key=" + tmpfile,
+			},
+			errorMsg: "flag requires the `--rotate` flag to update the CA",
+		},
+		{
+			args:     []string{"--cert-expiry=2160h0m0s"},
+			errorMsg: "flag requires the `--rotate` flag to update the CA",
+		},
+		{
+			args:     []string{"--external-ca=protocol=cfssl,url=https://some.com/https/url"},
+			errorMsg: "flag requires the `--rotate` flag to update the CA",
+		},
+		{ // to make sure we're not erroring because we didn't provide a CA cert and external CA
+			args: []string{
+				"--ca-cert=" + tmpfile,
+				"--external-ca=protocol=cfssl,url=https://some.com/https/url",
+			},
+			errorMsg: "flag requires the `--rotate` flag to update the CA",
+		},
+		{
+			args: []string{
+				"--rotate",
+				"--external-ca=protocol=cfssl,url=https://some.com/https/url",
+			},
+			errorMsg: "rotating to an external CA requires the `--ca-cert` flag to specify the external CA's cert - " +
+				"to add an external CA with the current root CA certificate, use the `update` command instead",
+		},
+		{
+			args: []string{
+				"--rotate",
+				"--ca-cert=" + tmpfile,
+			},
+			errorMsg: "the --ca-cert flag requires that a --ca-key flag and/or --external-ca flag be provided as well",
+		},
+	}
+
+	for _, testCase := range errorTestCases {
+		cmd := newCACommand(
+			test.NewFakeCli(&fakeClient{
+				swarmInspectFunc: func() (swarm.Swarm, error) {
+					return swarm.Swarm{
+						ClusterInfo: swarm.ClusterInfo{
+							TLSInfo: swarm.TLSInfo{
+								TrustRoot: "root",
+							},
+						},
+					}, nil
+				},
+			}))
+		assert.Check(t, cmd.Flags().Parse(testCase.args))
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), testCase.errorMsg)
+	}
+}
+
+func TestDisplayTrustRoot(t *testing.T) {
+	buffer := new(bytes.Buffer)
+	trustRoot := "trustme"
+	err := displayTrustRoot(buffer, swarm.Swarm{
+		ClusterInfo: swarm.ClusterInfo{
+			TLSInfo: swarm.TLSInfo{TrustRoot: trustRoot},
+		},
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(trustRoot+"\n", buffer.String()))
+}
+
+type swarmUpdateRecorder struct {
+	spec swarm.Spec
+}
+
+func (s *swarmUpdateRecorder) swarmUpdate(sp swarm.Spec, _ swarm.UpdateFlags) error {
+	s.spec = sp
+	return nil
+}
+
+func swarmInspectFuncWithFullCAConfig() (swarm.Swarm, error) {
+	return swarm.Swarm{
+		ClusterInfo: swarm.ClusterInfo{
+			Spec: *swarmSpecWithFullCAConfig(),
+		},
+	}, nil
+}
+
+func TestUpdateSwarmSpecDefaultRotate(t *testing.T) {
+	s := &swarmUpdateRecorder{}
+	cli := test.NewFakeCli(&fakeClient{
+		swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
+		swarmUpdateFunc:  s.swarmUpdate,
+	})
+	cmd := newCACommand(cli)
+	cmd.SetArgs([]string{"--rotate", "--detach"})
+	cmd.SetOutput(cli.OutBuffer())
+	assert.NilError(t, cmd.Execute())
+
+	expected := swarmSpecWithFullCAConfig()
+	expected.CAConfig.ForceRotate = 2
+	expected.CAConfig.SigningCACert = ""
+	expected.CAConfig.SigningCAKey = ""
+	assert.Check(t, is.DeepEqual(*expected, s.spec))
+}
+
+func TestUpdateSwarmSpecCertAndKey(t *testing.T) {
+	certfile, err := writeFile(cert)
+	assert.NilError(t, err)
+	defer os.Remove(certfile)
+
+	keyfile, err := writeFile(key)
+	assert.NilError(t, err)
+	defer os.Remove(keyfile)
+
+	s := &swarmUpdateRecorder{}
+	cli := test.NewFakeCli(&fakeClient{
+		swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
+		swarmUpdateFunc:  s.swarmUpdate,
+	})
+	cmd := newCACommand(cli)
+	cmd.SetArgs([]string{
+		"--rotate",
+		"--detach",
+		"--ca-cert=" + certfile,
+		"--ca-key=" + keyfile,
+		"--cert-expiry=3m"})
+	cmd.SetOutput(cli.OutBuffer())
+	assert.NilError(t, cmd.Execute())
+
+	expected := swarmSpecWithFullCAConfig()
+	expected.CAConfig.SigningCACert = cert
+	expected.CAConfig.SigningCAKey = key
+	expected.CAConfig.NodeCertExpiry = 3 * time.Minute
+	assert.Check(t, is.DeepEqual(*expected, s.spec))
+}
+
+func TestUpdateSwarmSpecCertAndExternalCA(t *testing.T) {
+	certfile, err := writeFile(cert)
+	assert.NilError(t, err)
+	defer os.Remove(certfile)
+
+	s := &swarmUpdateRecorder{}
+	cli := test.NewFakeCli(&fakeClient{
+		swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
+		swarmUpdateFunc:  s.swarmUpdate,
+	})
+	cmd := newCACommand(cli)
+	cmd.SetArgs([]string{
+		"--rotate",
+		"--detach",
+		"--ca-cert=" + certfile,
+		"--external-ca=protocol=cfssl,url=https://some.external.ca"})
+	cmd.SetOutput(cli.OutBuffer())
+	assert.NilError(t, cmd.Execute())
+
+	expected := swarmSpecWithFullCAConfig()
+	expected.CAConfig.SigningCACert = cert
+	expected.CAConfig.SigningCAKey = ""
+	expected.CAConfig.ExternalCAs = []*swarm.ExternalCA{
+		{
+			Protocol: swarm.ExternalCAProtocolCFSSL,
+			URL:      "https://some.external.ca",
+			CACert:   cert,
+			Options:  make(map[string]string),
+		},
+	}
+	assert.Check(t, is.DeepEqual(*expected, s.spec))
+}
+
+func TestUpdateSwarmSpecCertAndKeyAndExternalCA(t *testing.T) {
+	certfile, err := writeFile(cert)
+	assert.NilError(t, err)
+	defer os.Remove(certfile)
+
+	keyfile, err := writeFile(key)
+	assert.NilError(t, err)
+	defer os.Remove(keyfile)
+
+	s := &swarmUpdateRecorder{}
+	cli := test.NewFakeCli(&fakeClient{
+		swarmInspectFunc: swarmInspectFuncWithFullCAConfig,
+		swarmUpdateFunc:  s.swarmUpdate,
+	})
+	cmd := newCACommand(cli)
+	cmd.SetArgs([]string{
+		"--rotate",
+		"--detach",
+		"--ca-cert=" + certfile,
+		"--ca-key=" + keyfile,
+		"--external-ca=protocol=cfssl,url=https://some.external.ca"})
+	cmd.SetOutput(cli.OutBuffer())
+	assert.NilError(t, cmd.Execute())
+
+	expected := swarmSpecWithFullCAConfig()
+	expected.CAConfig.SigningCACert = cert
+	expected.CAConfig.SigningCAKey = key
+	expected.CAConfig.ExternalCAs = []*swarm.ExternalCA{
+		{
+			Protocol: swarm.ExternalCAProtocolCFSSL,
+			URL:      "https://some.external.ca",
+			CACert:   cert,
+			Options:  make(map[string]string),
+		},
+	}
+	assert.Check(t, is.DeepEqual(*expected, s.spec))
+}
diff --git a/cli/cli/command/swarm/client_test.go b/cli/cli/command/swarm/client_test.go
new file mode 100644
index 00000000..8695c895
--- /dev/null
+++ b/cli/cli/command/swarm/client_test.go
@@ -0,0 +1,85 @@
+package swarm
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	infoFunc              func() (types.Info, error)
+	swarmInitFunc         func() (string, error)
+	swarmInspectFunc      func() (swarm.Swarm, error)
+	nodeInspectFunc       func() (swarm.Node, []byte, error)
+	swarmGetUnlockKeyFunc func() (types.SwarmUnlockKeyResponse, error)
+	swarmJoinFunc         func() error
+	swarmLeaveFunc        func() error
+	swarmUpdateFunc       func(swarm swarm.Spec, flags swarm.UpdateFlags) error
+	swarmUnlockFunc       func(req swarm.UnlockRequest) error
+}
+
+func (cli *fakeClient) Info(ctx context.Context) (types.Info, error) {
+	if cli.infoFunc != nil {
+		return cli.infoFunc()
+	}
+	return types.Info{}, nil
+}
+
+func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+	if cli.nodeInspectFunc != nil {
+		return cli.nodeInspectFunc()
+	}
+	return swarm.Node{}, []byte{}, nil
+}
+
+func (cli *fakeClient) SwarmInit(ctx context.Context, req swarm.InitRequest) (string, error) {
+	if cli.swarmInitFunc != nil {
+		return cli.swarmInitFunc()
+	}
+	return "", nil
+}
+
+func (cli *fakeClient) SwarmInspect(ctx context.Context) (swarm.Swarm, error) {
+	if cli.swarmInspectFunc != nil {
+		return cli.swarmInspectFunc()
+	}
+	return swarm.Swarm{}, nil
+}
+
+func (cli *fakeClient) SwarmGetUnlockKey(ctx context.Context) (types.SwarmUnlockKeyResponse, error) {
+	if cli.swarmGetUnlockKeyFunc != nil {
+		return cli.swarmGetUnlockKeyFunc()
+	}
+	return types.SwarmUnlockKeyResponse{}, nil
+}
+
+func (cli *fakeClient) SwarmJoin(ctx context.Context, req swarm.JoinRequest) error {
+	if cli.swarmJoinFunc != nil {
+		return cli.swarmJoinFunc()
+	}
+	return nil
+}
+
+func (cli *fakeClient) SwarmLeave(ctx context.Context, force bool) error {
+	if cli.swarmLeaveFunc != nil {
+		return cli.swarmLeaveFunc()
+	}
+	return nil
+}
+
+func (cli *fakeClient) SwarmUpdate(ctx context.Context, version swarm.Version, swarm swarm.Spec, flags swarm.UpdateFlags) error {
+	if cli.swarmUpdateFunc != nil {
+		return cli.swarmUpdateFunc(swarm, flags)
+	}
+	return nil
+}
+
+func (cli *fakeClient) SwarmUnlock(ctx context.Context, req swarm.UnlockRequest) error {
+	if cli.swarmUnlockFunc != nil {
+		return cli.swarmUnlockFunc(req)
+	}
+	return nil
+}
diff --git a/cli/cli/command/swarm/cmd.go b/cli/cli/command/swarm/cmd.go
new file mode 100644
index 00000000..89bf5c3c
--- /dev/null
+++ b/cli/cli/command/swarm/cmd.go
@@ -0,0 +1,33 @@
+package swarm
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+)
+
+// NewSwarmCommand returns a cobra command for `swarm` subcommands
+func NewSwarmCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "swarm",
+		Short: "Manage Swarm",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{
+			"version": "1.24",
+			"swarm":   "",
+		},
+	}
+	cmd.AddCommand(
+		newInitCommand(dockerCli),
+		newJoinCommand(dockerCli),
+		newJoinTokenCommand(dockerCli),
+		newUnlockKeyCommand(dockerCli),
+		newUpdateCommand(dockerCli),
+		newLeaveCommand(dockerCli),
+		newUnlockCommand(dockerCli),
+		newCACommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/swarm/init.go b/cli/cli/command/swarm/init.go
new file mode 100644
index 00000000..d9dadd61
--- /dev/null
+++ b/cli/cli/command/swarm/init.go
@@ -0,0 +1,98 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type initOptions struct {
+	swarmOptions
+	listenAddr NodeAddrOption
+	// Not a NodeAddrOption because it has no default port.
+	advertiseAddr   string
+	dataPathAddr    string
+	forceNewCluster bool
+	availability    string
+}
+
+func newInitCommand(dockerCli command.Cli) *cobra.Command {
+	opts := initOptions{
+		listenAddr: NewListenAddrOption(),
+	}
+
+	cmd := &cobra.Command{
+		Use:   "init [OPTIONS]",
+		Short: "Initialize a swarm",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runInit(dockerCli, cmd.Flags(), opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.Var(&opts.listenAddr, flagListenAddr, "Listen address (format: <ip|interface>[:port])")
+	flags.StringVar(&opts.advertiseAddr, flagAdvertiseAddr, "", "Advertised address (format: <ip|interface>[:port])")
+	flags.StringVar(&opts.dataPathAddr, flagDataPathAddr, "", "Address or interface to use for data path traffic (format: <ip|interface>)")
+	flags.BoolVar(&opts.forceNewCluster, "force-new-cluster", false, "Force create a new cluster from current state")
+	flags.BoolVar(&opts.autolock, flagAutolock, false, "Enable manager autolocking (requiring an unlock key to start a stopped manager)")
+	flags.StringVar(&opts.availability, flagAvailability, "active", `Availability of the node ("active"|"pause"|"drain")`)
+	addSwarmFlags(flags, &opts.swarmOptions)
+	return cmd
+}
+
+func runInit(dockerCli command.Cli, flags *pflag.FlagSet, opts initOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	req := swarm.InitRequest{
+		ListenAddr:       opts.listenAddr.String(),
+		AdvertiseAddr:    opts.advertiseAddr,
+		DataPathAddr:     opts.dataPathAddr,
+		ForceNewCluster:  opts.forceNewCluster,
+		Spec:             opts.swarmOptions.ToSpec(flags),
+		AutoLockManagers: opts.swarmOptions.autolock,
+	}
+	if flags.Changed(flagAvailability) {
+		availability := swarm.NodeAvailability(strings.ToLower(opts.availability))
+		switch availability {
+		case swarm.NodeAvailabilityActive, swarm.NodeAvailabilityPause, swarm.NodeAvailabilityDrain:
+			req.Availability = availability
+		default:
+			return errors.Errorf("invalid availability %q, only active, pause and drain are supported", opts.availability)
+		}
+	}
+
+	nodeID, err := client.SwarmInit(ctx, req)
+	if err != nil {
+		if strings.Contains(err.Error(), "could not choose an IP address to advertise") || strings.Contains(err.Error(), "could not find the system's IP address") {
+			return errors.New(err.Error() + " - specify one with --advertise-addr")
+		}
+		return err
+	}
+
+	fmt.Fprintf(dockerCli.Out(), "Swarm initialized: current node (%s) is now a manager.\n\n", nodeID)
+
+	if err := printJoinCommand(ctx, dockerCli, nodeID, true, false); err != nil {
+		return err
+	}
+
+	fmt.Fprint(dockerCli.Out(), "To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.\n\n")
+
+	if req.AutoLockManagers {
+		unlockKeyResp, err := client.SwarmGetUnlockKey(ctx)
+		if err != nil {
+			return errors.Wrap(err, "could not fetch unlock key")
+		}
+		printUnlockCommand(dockerCli.Out(), unlockKeyResp.UnlockKey)
+	}
+
+	return nil
+}
diff --git a/cli/cli/command/swarm/init_test.go b/cli/cli/command/swarm/init_test.go
new file mode 100644
index 00000000..735cc8da
--- /dev/null
+++ b/cli/cli/command/swarm/init_test.go
@@ -0,0 +1,125 @@
+package swarm
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestSwarmInitErrorOnAPIFailure(t *testing.T) {
+	testCases := []struct {
+		name                  string
+		flags                 map[string]string
+		swarmInitFunc         func() (string, error)
+		swarmInspectFunc      func() (swarm.Swarm, error)
+		swarmGetUnlockKeyFunc func() (types.SwarmUnlockKeyResponse, error)
+		nodeInspectFunc       func() (swarm.Node, []byte, error)
+		expectedError         string
+	}{
+		{
+			name: "init-failed",
+			swarmInitFunc: func() (string, error) {
+				return "", errors.Errorf("error initializing the swarm")
+			},
+			expectedError: "error initializing the swarm",
+		},
+		{
+			name: "init-failed-with-ip-choice",
+			swarmInitFunc: func() (string, error) {
+				return "", errors.Errorf("could not choose an IP address to advertise")
+			},
+			expectedError: "could not choose an IP address to advertise - specify one with --advertise-addr",
+		},
+		{
+			name: "swarm-inspect-after-init-failed",
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return swarm.Swarm{}, errors.Errorf("error inspecting the swarm")
+			},
+			expectedError: "error inspecting the swarm",
+		},
+		{
+			name: "node-inspect-after-init-failed",
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return swarm.Node{}, []byte{}, errors.Errorf("error inspecting the node")
+			},
+			expectedError: "error inspecting the node",
+		},
+		{
+			name: "swarm-get-unlock-key-after-init-failed",
+			flags: map[string]string{
+				flagAutolock: "true",
+			},
+			swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
+				return types.SwarmUnlockKeyResponse{}, errors.Errorf("error getting swarm unlock key")
+			},
+			expectedError: "could not fetch unlock key: error getting swarm unlock key",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newInitCommand(
+			test.NewFakeCli(&fakeClient{
+				swarmInitFunc:         tc.swarmInitFunc,
+				swarmInspectFunc:      tc.swarmInspectFunc,
+				swarmGetUnlockKeyFunc: tc.swarmGetUnlockKeyFunc,
+				nodeInspectFunc:       tc.nodeInspectFunc,
+			}))
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.Error(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSwarmInit(t *testing.T) {
+	testCases := []struct {
+		name                  string
+		flags                 map[string]string
+		swarmInitFunc         func() (string, error)
+		swarmInspectFunc      func() (swarm.Swarm, error)
+		swarmGetUnlockKeyFunc func() (types.SwarmUnlockKeyResponse, error)
+		nodeInspectFunc       func() (swarm.Node, []byte, error)
+	}{
+		{
+			name: "init",
+			swarmInitFunc: func() (string, error) {
+				return "nodeID", nil
+			},
+		},
+		{
+			name: "init-autolock",
+			flags: map[string]string{
+				flagAutolock: "true",
+			},
+			swarmInitFunc: func() (string, error) {
+				return "nodeID", nil
+			},
+			swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
+				return types.SwarmUnlockKeyResponse{
+					UnlockKey: "unlock-key",
+				}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			swarmInitFunc:         tc.swarmInitFunc,
+			swarmInspectFunc:      tc.swarmInspectFunc,
+			swarmGetUnlockKeyFunc: tc.swarmGetUnlockKeyFunc,
+			nodeInspectFunc:       tc.nodeInspectFunc,
+		})
+		cmd := newInitCommand(cli)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("init-%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/swarm/join.go b/cli/cli/command/swarm/join.go
new file mode 100644
index 00000000..d794000d
--- /dev/null
+++ b/cli/cli/command/swarm/join.go
@@ -0,0 +1,87 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type joinOptions struct {
+	remote     string
+	listenAddr NodeAddrOption
+	// Not a NodeAddrOption because it has no default port.
+	advertiseAddr string
+	dataPathAddr  string
+	token         string
+	availability  string
+}
+
+func newJoinCommand(dockerCli command.Cli) *cobra.Command {
+	opts := joinOptions{
+		listenAddr: NewListenAddrOption(),
+	}
+
+	cmd := &cobra.Command{
+		Use:   "join [OPTIONS] HOST:PORT",
+		Short: "Join a swarm as a node and/or manager",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.remote = args[0]
+			return runJoin(dockerCli, cmd.Flags(), opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.Var(&opts.listenAddr, flagListenAddr, "Listen address (format: <ip|interface>[:port])")
+	flags.StringVar(&opts.advertiseAddr, flagAdvertiseAddr, "", "Advertised address (format: <ip|interface>[:port])")
+	flags.StringVar(&opts.dataPathAddr, flagDataPathAddr, "", "Address or interface to use for data path traffic (format: <ip|interface>)")
+	flags.StringVar(&opts.token, flagToken, "", "Token for entry into the swarm")
+	flags.StringVar(&opts.availability, flagAvailability, "active", `Availability of the node ("active"|"pause"|"drain")`)
+	return cmd
+}
+
+func runJoin(dockerCli command.Cli, flags *pflag.FlagSet, opts joinOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	req := swarm.JoinRequest{
+		JoinToken:     opts.token,
+		ListenAddr:    opts.listenAddr.String(),
+		AdvertiseAddr: opts.advertiseAddr,
+		DataPathAddr:  opts.dataPathAddr,
+		RemoteAddrs:   []string{opts.remote},
+	}
+	if flags.Changed(flagAvailability) {
+		availability := swarm.NodeAvailability(strings.ToLower(opts.availability))
+		switch availability {
+		case swarm.NodeAvailabilityActive, swarm.NodeAvailabilityPause, swarm.NodeAvailabilityDrain:
+			req.Availability = availability
+		default:
+			return errors.Errorf("invalid availability %q, only active, pause and drain are supported", opts.availability)
+		}
+	}
+
+	err := client.SwarmJoin(ctx, req)
+	if err != nil {
+		return err
+	}
+
+	info, err := client.Info(ctx)
+	if err != nil {
+		return err
+	}
+
+	if info.Swarm.ControlAvailable {
+		fmt.Fprintln(dockerCli.Out(), "This node joined a swarm as a manager.")
+	} else {
+		fmt.Fprintln(dockerCli.Out(), "This node joined a swarm as a worker.")
+	}
+	return nil
+}
diff --git a/cli/cli/command/swarm/join_test.go b/cli/cli/command/swarm/join_test.go
new file mode 100644
index 00000000..e70d448d
--- /dev/null
+++ b/cli/cli/command/swarm/join_test.go
@@ -0,0 +1,100 @@
+package swarm
+
+import (
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSwarmJoinErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		swarmJoinFunc func() error
+		infoFunc      func() (types.Info, error)
+		expectedError string
+	}{
+		{
+			name:          "not-enough-args",
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name:          "too-many-args",
+			args:          []string{"remote1", "remote2"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name: "join-failed",
+			args: []string{"remote"},
+			swarmJoinFunc: func() error {
+				return errors.Errorf("error joining the swarm")
+			},
+			expectedError: "error joining the swarm",
+		},
+		{
+			name: "join-failed-on-init",
+			args: []string{"remote"},
+			infoFunc: func() (types.Info, error) {
+				return types.Info{}, errors.Errorf("error asking for node info")
+			},
+			expectedError: "error asking for node info",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newJoinCommand(
+			test.NewFakeCli(&fakeClient{
+				swarmJoinFunc: tc.swarmJoinFunc,
+				infoFunc:      tc.infoFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSwarmJoin(t *testing.T) {
+	testCases := []struct {
+		name     string
+		infoFunc func() (types.Info, error)
+		expected string
+	}{
+		{
+			name: "join-as-manager",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{
+					Swarm: swarm.Info{
+						ControlAvailable: true,
+					},
+				}, nil
+			},
+			expected: "This node joined a swarm as a manager.",
+		},
+		{
+			name: "join-as-worker",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{
+					Swarm: swarm.Info{
+						ControlAvailable: false,
+					},
+				}, nil
+			},
+			expected: "This node joined a swarm as a worker.",
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			infoFunc: tc.infoFunc,
+		})
+		cmd := newJoinCommand(cli)
+		cmd.SetArgs([]string{"remote"})
+		assert.NilError(t, cmd.Execute())
+		assert.Check(t, is.Equal(strings.TrimSpace(cli.OutBuffer().String()), tc.expected))
+	}
+}
diff --git a/cli/cli/command/swarm/join_token.go b/cli/cli/command/swarm/join_token.go
new file mode 100644
index 00000000..f8ed93cf
--- /dev/null
+++ b/cli/cli/command/swarm/join_token.go
@@ -0,0 +1,119 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type joinTokenOptions struct {
+	role   string
+	rotate bool
+	quiet  bool
+}
+
+func newJoinTokenCommand(dockerCli command.Cli) *cobra.Command {
+	opts := joinTokenOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "join-token [OPTIONS] (worker|manager)",
+		Short: "Manage join tokens",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.role = args[0]
+			return runJoinToken(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.rotate, flagRotate, false, "Rotate join token")
+	flags.BoolVarP(&opts.quiet, flagQuiet, "q", false, "Only display token")
+
+	return cmd
+}
+
+func runJoinToken(dockerCli command.Cli, opts joinTokenOptions) error {
+	worker := opts.role == "worker"
+	manager := opts.role == "manager"
+
+	if !worker && !manager {
+		return errors.New("unknown role " + opts.role)
+	}
+
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	if opts.rotate {
+		flags := swarm.UpdateFlags{
+			RotateWorkerToken:  worker,
+			RotateManagerToken: manager,
+		}
+
+		sw, err := client.SwarmInspect(ctx)
+		if err != nil {
+			return err
+		}
+
+		if err := client.SwarmUpdate(ctx, sw.Version, sw.Spec, flags); err != nil {
+			return err
+		}
+
+		if !opts.quiet {
+			fmt.Fprintf(dockerCli.Out(), "Successfully rotated %s join token.\n\n", opts.role)
+		}
+	}
+
+	// second SwarmInspect in this function,
+	// this is necessary since SwarmUpdate after first changes the join tokens
+	sw, err := client.SwarmInspect(ctx)
+	if err != nil {
+		return err
+	}
+
+	if opts.quiet && worker {
+		fmt.Fprintln(dockerCli.Out(), sw.JoinTokens.Worker)
+		return nil
+	}
+
+	if opts.quiet && manager {
+		fmt.Fprintln(dockerCli.Out(), sw.JoinTokens.Manager)
+		return nil
+	}
+
+	info, err := client.Info(ctx)
+	if err != nil {
+		return err
+	}
+
+	return printJoinCommand(ctx, dockerCli, info.Swarm.NodeID, worker, manager)
+}
+
+func printJoinCommand(ctx context.Context, dockerCli command.Cli, nodeID string, worker bool, manager bool) error {
+	client := dockerCli.Client()
+
+	node, _, err := client.NodeInspectWithRaw(ctx, nodeID)
+	if err != nil {
+		return err
+	}
+
+	sw, err := client.SwarmInspect(ctx)
+	if err != nil {
+		return err
+	}
+
+	if node.ManagerStatus != nil {
+		if worker {
+			fmt.Fprintf(dockerCli.Out(), "To add a worker to this swarm, run the following command:\n\n    docker swarm join --token %s %s\n\n", sw.JoinTokens.Worker, node.ManagerStatus.Addr)
+		}
+		if manager {
+			fmt.Fprintf(dockerCli.Out(), "To add a manager to this swarm, run the following command:\n\n    docker swarm join --token %s %s\n\n", sw.JoinTokens.Manager, node.ManagerStatus.Addr)
+		}
+	}
+
+	return nil
+}
diff --git a/cli/cli/command/swarm/join_token_test.go b/cli/cli/command/swarm/join_token_test.go
new file mode 100644
index 00000000..1bd7ba25
--- /dev/null
+++ b/cli/cli/command/swarm/join_token_test.go
@@ -0,0 +1,211 @@
+package swarm
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestSwarmJoinTokenErrors(t *testing.T) {
+	testCases := []struct {
+		name             string
+		args             []string
+		flags            map[string]string
+		infoFunc         func() (types.Info, error)
+		swarmInspectFunc func() (swarm.Swarm, error)
+		swarmUpdateFunc  func(swarm swarm.Spec, flags swarm.UpdateFlags) error
+		nodeInspectFunc  func() (swarm.Node, []byte, error)
+		expectedError    string
+	}{
+		{
+			name:          "not-enough-args",
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name:          "too-many-args",
+			args:          []string{"worker", "manager"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name:          "invalid-args",
+			args:          []string{"foo"},
+			expectedError: "unknown role foo",
+		},
+		{
+			name: "swarm-inspect-failed",
+			args: []string{"worker"},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return swarm.Swarm{}, errors.Errorf("error inspecting the swarm")
+			},
+			expectedError: "error inspecting the swarm",
+		},
+		{
+			name: "swarm-inspect-rotate-failed",
+			args: []string{"worker"},
+			flags: map[string]string{
+				flagRotate: "true",
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return swarm.Swarm{}, errors.Errorf("error inspecting the swarm")
+			},
+			expectedError: "error inspecting the swarm",
+		},
+		{
+			name: "swarm-update-failed",
+			args: []string{"worker"},
+			flags: map[string]string{
+				flagRotate: "true",
+			},
+			swarmUpdateFunc: func(swarm swarm.Spec, flags swarm.UpdateFlags) error {
+				return errors.Errorf("error updating the swarm")
+			},
+			expectedError: "error updating the swarm",
+		},
+		{
+			name: "node-inspect-failed",
+			args: []string{"worker"},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return swarm.Node{}, []byte{}, errors.Errorf("error inspecting node")
+			},
+			expectedError: "error inspecting node",
+		},
+		{
+			name: "info-failed",
+			args: []string{"worker"},
+			infoFunc: func() (types.Info, error) {
+				return types.Info{}, errors.Errorf("error asking for node info")
+			},
+			expectedError: "error asking for node info",
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			swarmInspectFunc: tc.swarmInspectFunc,
+			swarmUpdateFunc:  tc.swarmUpdateFunc,
+			infoFunc:         tc.infoFunc,
+			nodeInspectFunc:  tc.nodeInspectFunc,
+		})
+		cmd := newJoinTokenCommand(cli)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSwarmJoinToken(t *testing.T) {
+	testCases := []struct {
+		name             string
+		args             []string
+		flags            map[string]string
+		infoFunc         func() (types.Info, error)
+		swarmInspectFunc func() (swarm.Swarm, error)
+		nodeInspectFunc  func() (swarm.Node, []byte, error)
+	}{
+		{
+			name: "worker",
+			args: []string{"worker"},
+			infoFunc: func() (types.Info, error) {
+				return types.Info{
+					Swarm: swarm.Info{
+						NodeID: "nodeID",
+					},
+				}, nil
+			},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(Manager()), []byte{}, nil
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(), nil
+			},
+		},
+		{
+			name: "manager",
+			args: []string{"manager"},
+			infoFunc: func() (types.Info, error) {
+				return types.Info{
+					Swarm: swarm.Info{
+						NodeID: "nodeID",
+					},
+				}, nil
+			},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(Manager()), []byte{}, nil
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(), nil
+			},
+		},
+		{
+			name: "manager-rotate",
+			args: []string{"manager"},
+			flags: map[string]string{
+				flagRotate: "true",
+			},
+			infoFunc: func() (types.Info, error) {
+				return types.Info{
+					Swarm: swarm.Info{
+						NodeID: "nodeID",
+					},
+				}, nil
+			},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(Manager()), []byte{}, nil
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(), nil
+			},
+		},
+		{
+			name: "worker-quiet",
+			args: []string{"worker"},
+			flags: map[string]string{
+				flagQuiet: "true",
+			},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(Manager()), []byte{}, nil
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(), nil
+			},
+		},
+		{
+			name: "manager-quiet",
+			args: []string{"manager"},
+			flags: map[string]string{
+				flagQuiet: "true",
+			},
+			nodeInspectFunc: func() (swarm.Node, []byte, error) {
+				return *Node(Manager()), []byte{}, nil
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(), nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			swarmInspectFunc: tc.swarmInspectFunc,
+			infoFunc:         tc.infoFunc,
+			nodeInspectFunc:  tc.nodeInspectFunc,
+		})
+		cmd := newJoinTokenCommand(cli)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("jointoken-%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/swarm/leave.go b/cli/cli/command/swarm/leave.go
new file mode 100644
index 00000000..af6e0753
--- /dev/null
+++ b/cli/cli/command/swarm/leave.go
@@ -0,0 +1,43 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+type leaveOptions struct {
+	force bool
+}
+
+func newLeaveCommand(dockerCli command.Cli) *cobra.Command {
+	opts := leaveOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "leave [OPTIONS]",
+		Short: "Leave the swarm",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runLeave(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.force, "force", "f", false, "Force this node to leave the swarm, ignoring warnings")
+	return cmd
+}
+
+func runLeave(dockerCli command.Cli, opts leaveOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	if err := client.SwarmLeave(ctx, opts.force); err != nil {
+		return err
+	}
+
+	fmt.Fprintln(dockerCli.Out(), "Node left the swarm.")
+	return nil
+}
diff --git a/cli/cli/command/swarm/leave_test.go b/cli/cli/command/swarm/leave_test.go
new file mode 100644
index 00000000..91ee6e24
--- /dev/null
+++ b/cli/cli/command/swarm/leave_test.go
@@ -0,0 +1,50 @@
+package swarm
+
+import (
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSwarmLeaveErrors(t *testing.T) {
+	testCases := []struct {
+		name           string
+		args           []string
+		swarmLeaveFunc func() error
+		expectedError  string
+	}{
+		{
+			name:          "too-many-args",
+			args:          []string{"foo"},
+			expectedError: "accepts no arguments",
+		},
+		{
+			name: "leave-failed",
+			swarmLeaveFunc: func() error {
+				return errors.Errorf("error leaving the swarm")
+			},
+			expectedError: "error leaving the swarm",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newLeaveCommand(
+			test.NewFakeCli(&fakeClient{
+				swarmLeaveFunc: tc.swarmLeaveFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSwarmLeave(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cmd := newLeaveCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal("Node left the swarm.", strings.TrimSpace(cli.OutBuffer().String())))
+}
diff --git a/cli/cli/command/swarm/opts.go b/cli/cli/command/swarm/opts.go
new file mode 100644
index 00000000..b2a4de1f
--- /dev/null
+++ b/cli/cli/command/swarm/opts.go
@@ -0,0 +1,273 @@
+package swarm
+
+import (
+	"encoding/csv"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"github.com/spf13/pflag"
+)
+
+const (
+	defaultListenAddr = "0.0.0.0:2377"
+
+	flagCertExpiry          = "cert-expiry"
+	flagDispatcherHeartbeat = "dispatcher-heartbeat"
+	flagListenAddr          = "listen-addr"
+	flagAdvertiseAddr       = "advertise-addr"
+	flagDataPathAddr        = "data-path-addr"
+	flagQuiet               = "quiet"
+	flagRotate              = "rotate"
+	flagToken               = "token"
+	flagTaskHistoryLimit    = "task-history-limit"
+	flagExternalCA          = "external-ca"
+	flagMaxSnapshots        = "max-snapshots"
+	flagSnapshotInterval    = "snapshot-interval"
+	flagAutolock            = "autolock"
+	flagAvailability        = "availability"
+	flagCACert              = "ca-cert"
+	flagCAKey               = "ca-key"
+)
+
+type swarmOptions struct {
+	swarmCAOptions
+	taskHistoryLimit    int64
+	dispatcherHeartbeat time.Duration
+	maxSnapshots        uint64
+	snapshotInterval    uint64
+	autolock            bool
+}
+
+// NodeAddrOption is a pflag.Value for listening addresses
+type NodeAddrOption struct {
+	addr string
+}
+
+// String prints the representation of this flag
+func (a *NodeAddrOption) String() string {
+	return a.Value()
+}
+
+// Set the value for this flag
+func (a *NodeAddrOption) Set(value string) error {
+	addr, err := opts.ParseTCPAddr(value, a.addr)
+	if err != nil {
+		return err
+	}
+	a.addr = addr
+	return nil
+}
+
+// Type returns the type of this flag
+func (a *NodeAddrOption) Type() string {
+	return "node-addr"
+}
+
+// Value returns the value of this option as addr:port
+func (a *NodeAddrOption) Value() string {
+	return strings.TrimPrefix(a.addr, "tcp://")
+}
+
+// NewNodeAddrOption returns a new node address option
+func NewNodeAddrOption(addr string) NodeAddrOption {
+	return NodeAddrOption{addr}
+}
+
+// NewListenAddrOption returns a NodeAddrOption with default values
+func NewListenAddrOption() NodeAddrOption {
+	return NewNodeAddrOption(defaultListenAddr)
+}
+
+// ExternalCAOption is a Value type for parsing external CA specifications.
+type ExternalCAOption struct {
+	values []*swarm.ExternalCA
+}
+
+// Set parses an external CA option.
+func (m *ExternalCAOption) Set(value string) error {
+	parsed, err := parseExternalCA(value)
+	if err != nil {
+		return err
+	}
+
+	m.values = append(m.values, parsed)
+	return nil
+}
+
+// Type returns the type of this option.
+func (m *ExternalCAOption) Type() string {
+	return "external-ca"
+}
+
+// String returns a string repr of this option.
+func (m *ExternalCAOption) String() string {
+	externalCAs := []string{}
+	for _, externalCA := range m.values {
+		repr := fmt.Sprintf("%s: %s", externalCA.Protocol, externalCA.URL)
+		externalCAs = append(externalCAs, repr)
+	}
+	return strings.Join(externalCAs, ", ")
+}
+
+// Value returns the external CAs
+func (m *ExternalCAOption) Value() []*swarm.ExternalCA {
+	return m.values
+}
+
+// PEMFile represents the path to a pem-formatted file
+type PEMFile struct {
+	path, contents string
+}
+
+// Type returns the type of this option.
+func (p *PEMFile) Type() string {
+	return "pem-file"
+}
+
+// String returns the path to the pem file
+func (p *PEMFile) String() string {
+	return p.path
+}
+
+// Set parses a root rotation option
+func (p *PEMFile) Set(value string) error {
+	contents, err := ioutil.ReadFile(value)
+	if err != nil {
+		return err
+	}
+	if pemBlock, _ := pem.Decode(contents); pemBlock == nil {
+		return errors.New("file contents must be in PEM format")
+	}
+	p.contents, p.path = string(contents), value
+	return nil
+}
+
+// Contents returns the contents of the PEM file
+func (p *PEMFile) Contents() string {
+	return p.contents
+}
+
+// parseExternalCA parses an external CA specification from the command line,
+// such as protocol=cfssl,url=https://example.com.
+func parseExternalCA(caSpec string) (*swarm.ExternalCA, error) {
+	csvReader := csv.NewReader(strings.NewReader(caSpec))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return nil, err
+	}
+
+	externalCA := swarm.ExternalCA{
+		Options: make(map[string]string),
+	}
+
+	var (
+		hasProtocol bool
+		hasURL      bool
+	)
+
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+
+		if len(parts) != 2 {
+			return nil, errors.Errorf("invalid field '%s' must be a key=value pair", field)
+		}
+
+		key, value := parts[0], parts[1]
+
+		switch strings.ToLower(key) {
+		case "protocol":
+			hasProtocol = true
+			if strings.ToLower(value) == string(swarm.ExternalCAProtocolCFSSL) {
+				externalCA.Protocol = swarm.ExternalCAProtocolCFSSL
+			} else {
+				return nil, errors.Errorf("unrecognized external CA protocol %s", value)
+			}
+		case "url":
+			hasURL = true
+			externalCA.URL = value
+		case "cacert":
+			cacontents, err := ioutil.ReadFile(value)
+			if err != nil {
+				return nil, errors.Wrap(err, "unable to read CA cert for external CA")
+			}
+			if pemBlock, _ := pem.Decode(cacontents); pemBlock == nil {
+				return nil, errors.New("CA cert for external CA must be in PEM format")
+			}
+			externalCA.CACert = string(cacontents)
+		default:
+			externalCA.Options[key] = value
+		}
+	}
+
+	if !hasProtocol {
+		return nil, errors.New("the external-ca option needs a protocol= parameter")
+	}
+	if !hasURL {
+		return nil, errors.New("the external-ca option needs a url= parameter")
+	}
+
+	return &externalCA, nil
+}
+
+func addSwarmCAFlags(flags *pflag.FlagSet, opts *swarmCAOptions) {
+	flags.DurationVar(&opts.nodeCertExpiry, flagCertExpiry, 90*24*time.Hour, "Validity period for node certificates (ns|us|ms|s|m|h)")
+	flags.Var(&opts.externalCA, flagExternalCA, "Specifications of one or more certificate signing endpoints")
+}
+
+func addSwarmFlags(flags *pflag.FlagSet, opts *swarmOptions) {
+	flags.Int64Var(&opts.taskHistoryLimit, flagTaskHistoryLimit, 5, "Task history retention limit")
+	flags.DurationVar(&opts.dispatcherHeartbeat, flagDispatcherHeartbeat, 5*time.Second, "Dispatcher heartbeat period (ns|us|ms|s|m|h)")
+	flags.Uint64Var(&opts.maxSnapshots, flagMaxSnapshots, 0, "Number of additional Raft snapshots to retain")
+	flags.SetAnnotation(flagMaxSnapshots, "version", []string{"1.25"})
+	flags.Uint64Var(&opts.snapshotInterval, flagSnapshotInterval, 10000, "Number of log entries between Raft snapshots")
+	flags.SetAnnotation(flagSnapshotInterval, "version", []string{"1.25"})
+	addSwarmCAFlags(flags, &opts.swarmCAOptions)
+}
+
+func (opts *swarmOptions) mergeSwarmSpec(spec *swarm.Spec, flags *pflag.FlagSet, caCert string) {
+	if flags.Changed(flagTaskHistoryLimit) {
+		spec.Orchestration.TaskHistoryRetentionLimit = &opts.taskHistoryLimit
+	}
+	if flags.Changed(flagDispatcherHeartbeat) {
+		spec.Dispatcher.HeartbeatPeriod = opts.dispatcherHeartbeat
+	}
+	if flags.Changed(flagMaxSnapshots) {
+		spec.Raft.KeepOldSnapshots = &opts.maxSnapshots
+	}
+	if flags.Changed(flagSnapshotInterval) {
+		spec.Raft.SnapshotInterval = opts.snapshotInterval
+	}
+	if flags.Changed(flagAutolock) {
+		spec.EncryptionConfig.AutoLockManagers = opts.autolock
+	}
+	opts.mergeSwarmSpecCAFlags(spec, flags, caCert)
+}
+
+type swarmCAOptions struct {
+	nodeCertExpiry time.Duration
+	externalCA     ExternalCAOption
+}
+
+func (opts *swarmCAOptions) mergeSwarmSpecCAFlags(spec *swarm.Spec, flags *pflag.FlagSet, caCert string) {
+	if flags.Changed(flagCertExpiry) {
+		spec.CAConfig.NodeCertExpiry = opts.nodeCertExpiry
+	}
+	if flags.Changed(flagExternalCA) {
+		spec.CAConfig.ExternalCAs = opts.externalCA.Value()
+		for _, ca := range spec.CAConfig.ExternalCAs {
+			ca.CACert = caCert
+		}
+	}
+}
+
+func (opts *swarmOptions) ToSpec(flags *pflag.FlagSet) swarm.Spec {
+	var spec swarm.Spec
+	opts.mergeSwarmSpec(&spec, flags, "")
+	return spec
+}
diff --git a/cli/cli/command/swarm/opts_test.go b/cli/cli/command/swarm/opts_test.go
new file mode 100644
index 00000000..6382d2a0
--- /dev/null
+++ b/cli/cli/command/swarm/opts_test.go
@@ -0,0 +1,111 @@
+package swarm
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNodeAddrOptionSetHostAndPort(t *testing.T) {
+	opt := NewNodeAddrOption("old:123")
+	addr := "newhost:5555"
+	assert.NilError(t, opt.Set(addr))
+	assert.Check(t, is.Equal(addr, opt.Value()))
+}
+
+func TestNodeAddrOptionSetHostOnly(t *testing.T) {
+	opt := NewListenAddrOption()
+	assert.NilError(t, opt.Set("newhost"))
+	assert.Check(t, is.Equal("newhost:2377", opt.Value()))
+}
+
+func TestNodeAddrOptionSetHostOnlyIPv6(t *testing.T) {
+	opt := NewListenAddrOption()
+	assert.NilError(t, opt.Set("::1"))
+	assert.Check(t, is.Equal("[::1]:2377", opt.Value()))
+}
+
+func TestNodeAddrOptionSetPortOnly(t *testing.T) {
+	opt := NewListenAddrOption()
+	assert.NilError(t, opt.Set(":4545"))
+	assert.Check(t, is.Equal("0.0.0.0:4545", opt.Value()))
+}
+
+func TestNodeAddrOptionSetInvalidFormat(t *testing.T) {
+	opt := NewListenAddrOption()
+	assert.Error(t, opt.Set("http://localhost:4545"), "Invalid proto, expected tcp: http://localhost:4545")
+}
+
+func TestExternalCAOptionErrors(t *testing.T) {
+	testCases := []struct {
+		externalCA    string
+		expectedError string
+	}{
+		{
+			externalCA:    "",
+			expectedError: "EOF",
+		},
+		{
+			externalCA:    "anything",
+			expectedError: "invalid field 'anything' must be a key=value pair",
+		},
+		{
+			externalCA:    "foo=bar",
+			expectedError: "the external-ca option needs a protocol= parameter",
+		},
+		{
+			externalCA:    "protocol=baz",
+			expectedError: "unrecognized external CA protocol baz",
+		},
+		{
+			externalCA:    "protocol=cfssl",
+			expectedError: "the external-ca option needs a url= parameter",
+		},
+	}
+	for _, tc := range testCases {
+		opt := &ExternalCAOption{}
+		assert.Error(t, opt.Set(tc.externalCA), tc.expectedError)
+	}
+}
+
+func TestExternalCAOption(t *testing.T) {
+	testCases := []struct {
+		externalCA string
+		expected   string
+	}{
+		{
+			externalCA: "protocol=cfssl,url=anything",
+			expected:   "cfssl: anything",
+		},
+		{
+			externalCA: "protocol=CFSSL,url=anything",
+			expected:   "cfssl: anything",
+		},
+		{
+			externalCA: "protocol=Cfssl,url=https://example.com",
+			expected:   "cfssl: https://example.com",
+		},
+		{
+			externalCA: "protocol=Cfssl,url=https://example.com,foo=bar",
+			expected:   "cfssl: https://example.com",
+		},
+		{
+			externalCA: "protocol=Cfssl,url=https://example.com,foo=bar,foo=baz",
+			expected:   "cfssl: https://example.com",
+		},
+	}
+	for _, tc := range testCases {
+		opt := &ExternalCAOption{}
+		assert.NilError(t, opt.Set(tc.externalCA))
+		assert.Check(t, is.Equal(tc.expected, opt.String()))
+	}
+}
+
+func TestExternalCAOptionMultiple(t *testing.T) {
+	opt := &ExternalCAOption{}
+	assert.NilError(t, opt.Set("protocol=cfssl,url=https://example.com"))
+	assert.NilError(t, opt.Set("protocol=CFSSL,url=anything"))
+	assert.Check(t, is.Len(opt.Value(), 2))
+	assert.Check(t, is.Equal("cfssl: https://example.com, cfssl: anything", opt.String()))
+}
diff --git a/cli/cli/command/swarm/progress/root_rotation.go b/cli/cli/command/swarm/progress/root_rotation.go
new file mode 100644
index 00000000..e72de1d2
--- /dev/null
+++ b/cli/cli/command/swarm/progress/root_rotation.go
@@ -0,0 +1,120 @@
+package progress
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"os/signal"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/opencontainers/go-digest"
+)
+
+const (
+	certsRotatedStr = "  rotated TLS certificates"
+	rootsRotatedStr = "  rotated CA certificates"
+	// rootsAction has a single space because rootsRotatedStr is one character shorter than certsRotatedStr.
+	// This makes sure the progress bar are aligned.
+	certsAction = ""
+	rootsAction = " "
+)
+
+// RootRotationProgress outputs progress information for convergence of a root rotation.
+func RootRotationProgress(ctx context.Context, dclient client.APIClient, progressWriter io.WriteCloser) error {
+	defer progressWriter.Close()
+
+	progressOut := streamformatter.NewJSONProgressOutput(progressWriter, false)
+
+	sigint := make(chan os.Signal, 1)
+	signal.Notify(sigint, os.Interrupt)
+	defer signal.Stop(sigint)
+
+	// draw 2 progress bars, 1 for nodes with the correct cert, 1 for nodes with the correct trust root
+	progress.Update(progressOut, "desired root digest", "")
+	progress.Update(progressOut, certsRotatedStr, certsAction)
+	progress.Update(progressOut, rootsRotatedStr, rootsAction)
+
+	var done bool
+
+	for {
+		info, err := dclient.SwarmInspect(ctx)
+		if err != nil {
+			return err
+		}
+
+		if done {
+			return nil
+		}
+
+		nodes, err := dclient.NodeList(ctx, types.NodeListOptions{})
+		if err != nil {
+			return err
+		}
+
+		done = updateProgress(progressOut, info.ClusterInfo.TLSInfo, nodes, info.ClusterInfo.RootRotationInProgress)
+
+		select {
+		case <-time.After(200 * time.Millisecond):
+		case <-sigint:
+			if !done {
+				progress.Message(progressOut, "", "Operation continuing in background.")
+				progress.Message(progressOut, "", "Use `swarmctl cluster inspect default` to check progress.")
+			}
+			return nil
+		}
+	}
+}
+
+func updateProgress(progressOut progress.Output, desiredTLSInfo swarm.TLSInfo, nodes []swarm.Node, rootRotationInProgress bool) bool {
+	// write the current desired root cert's digest, because the desired root certs might be too long
+	progressOut.WriteProgress(progress.Progress{
+		ID:     "desired root digest",
+		Action: digest.FromBytes([]byte(desiredTLSInfo.TrustRoot)).String(),
+	})
+
+	// If we had reached a converged state, check if we are still converged.
+	var certsRight, trustRootsRight int64
+	for _, n := range nodes {
+		if bytes.Equal(n.Description.TLSInfo.CertIssuerPublicKey, desiredTLSInfo.CertIssuerPublicKey) &&
+			bytes.Equal(n.Description.TLSInfo.CertIssuerSubject, desiredTLSInfo.CertIssuerSubject) {
+			certsRight++
+		}
+
+		if n.Description.TLSInfo.TrustRoot == desiredTLSInfo.TrustRoot {
+			trustRootsRight++
+		}
+	}
+
+	total := int64(len(nodes))
+	progressOut.WriteProgress(progress.Progress{
+		ID:      certsRotatedStr,
+		Action:  certsAction,
+		Current: certsRight,
+		Total:   total,
+		Units:   "nodes",
+	})
+
+	rootsProgress := progress.Progress{
+		ID:      rootsRotatedStr,
+		Action:  rootsAction,
+		Current: trustRootsRight,
+		Total:   total,
+		Units:   "nodes",
+	}
+
+	if certsRight == total && !rootRotationInProgress {
+		progressOut.WriteProgress(rootsProgress)
+		return certsRight == total && trustRootsRight == total
+	}
+
+	// we still have certs that need renewing, so display that there are zero roots rotated yet
+	rootsProgress.Current = 0
+	progressOut.WriteProgress(rootsProgress)
+	return false
+}
diff --git a/cli/cli/command/swarm/testdata/init-init-autolock.golden b/cli/cli/command/swarm/testdata/init-init-autolock.golden
new file mode 100644
index 00000000..cdd3c666
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/init-init-autolock.golden
@@ -0,0 +1,11 @@
+Swarm initialized: current node (nodeID) is now a manager.
+
+To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
+
+To unlock a swarm manager after it restarts, run the `docker swarm unlock`
+command and provide the following key:
+
+    unlock-key
+
+Please remember to store this key in a password manager, since without it you
+will not be able to restart the manager.
diff --git a/cli/cli/command/swarm/testdata/init-init.golden b/cli/cli/command/swarm/testdata/init-init.golden
new file mode 100644
index 00000000..6e82be01
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/init-init.golden
@@ -0,0 +1,4 @@
+Swarm initialized: current node (nodeID) is now a manager.
+
+To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
+
diff --git a/cli/cli/command/swarm/testdata/jointoken-manager-quiet.golden b/cli/cli/command/swarm/testdata/jointoken-manager-quiet.golden
new file mode 100644
index 00000000..0c7cfc60
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/jointoken-manager-quiet.golden
@@ -0,0 +1 @@
+manager-join-token
diff --git a/cli/cli/command/swarm/testdata/jointoken-manager-rotate.golden b/cli/cli/command/swarm/testdata/jointoken-manager-rotate.golden
new file mode 100644
index 00000000..4a978e76
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/jointoken-manager-rotate.golden
@@ -0,0 +1,6 @@
+Successfully rotated manager join token.
+
+To add a manager to this swarm, run the following command:
+
+    docker swarm join --token manager-join-token 127.0.0.1
+
diff --git a/cli/cli/command/swarm/testdata/jointoken-manager.golden b/cli/cli/command/swarm/testdata/jointoken-manager.golden
new file mode 100644
index 00000000..7bcb7337
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/jointoken-manager.golden
@@ -0,0 +1,4 @@
+To add a manager to this swarm, run the following command:
+
+    docker swarm join --token manager-join-token 127.0.0.1
+
diff --git a/cli/cli/command/swarm/testdata/jointoken-worker-quiet.golden b/cli/cli/command/swarm/testdata/jointoken-worker-quiet.golden
new file mode 100644
index 00000000..b445e191
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/jointoken-worker-quiet.golden
@@ -0,0 +1 @@
+worker-join-token
diff --git a/cli/cli/command/swarm/testdata/jointoken-worker.golden b/cli/cli/command/swarm/testdata/jointoken-worker.golden
new file mode 100644
index 00000000..e6c3ab9a
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/jointoken-worker.golden
@@ -0,0 +1,4 @@
+To add a worker to this swarm, run the following command:
+
+    docker swarm join --token worker-join-token 127.0.0.1
+
diff --git a/cli/cli/command/swarm/testdata/unlockkeys-unlock-key-quiet.golden b/cli/cli/command/swarm/testdata/unlockkeys-unlock-key-quiet.golden
new file mode 100644
index 00000000..ed53505e
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/unlockkeys-unlock-key-quiet.golden
@@ -0,0 +1 @@
+unlock-key
diff --git a/cli/cli/command/swarm/testdata/unlockkeys-unlock-key-rotate-quiet.golden b/cli/cli/command/swarm/testdata/unlockkeys-unlock-key-rotate-quiet.golden
new file mode 100644
index 00000000..ed53505e
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/unlockkeys-unlock-key-rotate-quiet.golden
@@ -0,0 +1 @@
+unlock-key
diff --git a/cli/cli/command/swarm/testdata/unlockkeys-unlock-key-rotate.golden b/cli/cli/command/swarm/testdata/unlockkeys-unlock-key-rotate.golden
new file mode 100644
index 00000000..89152b86
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/unlockkeys-unlock-key-rotate.golden
@@ -0,0 +1,9 @@
+Successfully rotated manager unlock key.
+
+To unlock a swarm manager after it restarts, run the `docker swarm unlock`
+command and provide the following key:
+
+    unlock-key
+
+Please remember to store this key in a password manager, since without it you
+will not be able to restart the manager.
diff --git a/cli/cli/command/swarm/testdata/unlockkeys-unlock-key.golden b/cli/cli/command/swarm/testdata/unlockkeys-unlock-key.golden
new file mode 100644
index 00000000..8316df47
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/unlockkeys-unlock-key.golden
@@ -0,0 +1,7 @@
+To unlock a swarm manager after it restarts, run the `docker swarm unlock`
+command and provide the following key:
+
+    unlock-key
+
+Please remember to store this key in a password manager, since without it you
+will not be able to restart the manager.
diff --git a/cli/cli/command/swarm/testdata/update-all-flags-quiet.golden b/cli/cli/command/swarm/testdata/update-all-flags-quiet.golden
new file mode 100644
index 00000000..3d195a25
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/update-all-flags-quiet.golden
@@ -0,0 +1 @@
+Swarm updated.
diff --git a/cli/cli/command/swarm/testdata/update-autolock-unlock-key.golden b/cli/cli/command/swarm/testdata/update-autolock-unlock-key.golden
new file mode 100644
index 00000000..a077b9e1
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/update-autolock-unlock-key.golden
@@ -0,0 +1,8 @@
+Swarm updated.
+To unlock a swarm manager after it restarts, run the `docker swarm unlock`
+command and provide the following key:
+
+    unlock-key
+
+Please remember to store this key in a password manager, since without it you
+will not be able to restart the manager.
diff --git a/cli/cli/command/swarm/testdata/update-noargs.golden b/cli/cli/command/swarm/testdata/update-noargs.golden
new file mode 100644
index 00000000..a2ce7589
--- /dev/null
+++ b/cli/cli/command/swarm/testdata/update-noargs.golden
@@ -0,0 +1,14 @@
+Update the swarm
+
+Usage:
+  update [OPTIONS] [flags]
+
+Flags:
+      --autolock                        Change manager autolocking setting (true|false)
+      --cert-expiry duration            Validity period for node certificates (ns|us|ms|s|m|h) (default 2160h0m0s)
+      --dispatcher-heartbeat duration   Dispatcher heartbeat period (ns|us|ms|s|m|h) (default 5s)
+      --external-ca external-ca         Specifications of one or more certificate signing endpoints
+  -h, --help                            help for update
+      --max-snapshots uint              Number of additional Raft snapshots to retain
+      --snapshot-interval uint          Number of log entries between Raft snapshots (default 10000)
+      --task-history-limit int          Task history retention limit (default 5)
diff --git a/cli/cli/command/swarm/unlock.go b/cli/cli/command/swarm/unlock.go
new file mode 100644
index 00000000..7d0dce68
--- /dev/null
+++ b/cli/cli/command/swarm/unlock.go
@@ -0,0 +1,74 @@
+package swarm
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"golang.org/x/crypto/ssh/terminal"
+)
+
+func newUnlockCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "unlock",
+		Short: "Unlock swarm",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runUnlock(dockerCli)
+		},
+	}
+
+	return cmd
+}
+
+func runUnlock(dockerCli command.Cli) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	// First see if the node is actually part of a swarm, and if it is actually locked first.
+	// If it's in any other state than locked, don't ask for the key.
+	info, err := client.Info(ctx)
+	if err != nil {
+		return err
+	}
+
+	switch info.Swarm.LocalNodeState {
+	case swarm.LocalNodeStateInactive:
+		return errors.New("Error: This node is not part of a swarm")
+	case swarm.LocalNodeStateLocked:
+		break
+	default:
+		return errors.New("Error: swarm is not locked")
+	}
+
+	key, err := readKey(dockerCli.In(), "Please enter unlock key: ")
+	if err != nil {
+		return err
+	}
+	req := swarm.UnlockRequest{
+		UnlockKey: key,
+	}
+
+	return client.SwarmUnlock(ctx, req)
+}
+
+func readKey(in *command.InStream, prompt string) (string, error) {
+	if in.IsTerminal() {
+		fmt.Print(prompt)
+		dt, err := terminal.ReadPassword(int(in.FD()))
+		fmt.Println()
+		return string(dt), err
+	}
+	key, err := bufio.NewReader(in).ReadString('\n')
+	if err == io.EOF {
+		err = nil
+	}
+	return strings.TrimSpace(key), err
+}
diff --git a/cli/cli/command/swarm/unlock_key.go b/cli/cli/command/swarm/unlock_key.go
new file mode 100644
index 00000000..be5d9ea2
--- /dev/null
+++ b/cli/cli/command/swarm/unlock_key.go
@@ -0,0 +1,89 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type unlockKeyOptions struct {
+	rotate bool
+	quiet  bool
+}
+
+func newUnlockKeyCommand(dockerCli command.Cli) *cobra.Command {
+	opts := unlockKeyOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "unlock-key [OPTIONS]",
+		Short: "Manage the unlock key",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runUnlockKey(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&opts.rotate, flagRotate, false, "Rotate unlock key")
+	flags.BoolVarP(&opts.quiet, flagQuiet, "q", false, "Only display token")
+
+	return cmd
+}
+
+func runUnlockKey(dockerCli command.Cli, opts unlockKeyOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	if opts.rotate {
+		flags := swarm.UpdateFlags{RotateManagerUnlockKey: true}
+
+		sw, err := client.SwarmInspect(ctx)
+		if err != nil {
+			return err
+		}
+
+		if !sw.Spec.EncryptionConfig.AutoLockManagers {
+			return errors.New("cannot rotate because autolock is not turned on")
+		}
+
+		if err := client.SwarmUpdate(ctx, sw.Version, sw.Spec, flags); err != nil {
+			return err
+		}
+
+		if !opts.quiet {
+			fmt.Fprintf(dockerCli.Out(), "Successfully rotated manager unlock key.\n\n")
+		}
+	}
+
+	unlockKeyResp, err := client.SwarmGetUnlockKey(ctx)
+	if err != nil {
+		return errors.Wrap(err, "could not fetch unlock key")
+	}
+
+	if unlockKeyResp.UnlockKey == "" {
+		return errors.New("no unlock key is set")
+	}
+
+	if opts.quiet {
+		fmt.Fprintln(dockerCli.Out(), unlockKeyResp.UnlockKey)
+		return nil
+	}
+
+	printUnlockCommand(dockerCli.Out(), unlockKeyResp.UnlockKey)
+	return nil
+}
+
+func printUnlockCommand(out io.Writer, unlockKey string) {
+	if len(unlockKey) > 0 {
+		fmt.Fprintf(out, "To unlock a swarm manager after it restarts, "+
+			"run the `docker swarm unlock`\ncommand and provide the following key:\n\n    %s\n\n"+
+			"Please remember to store this key in a password manager, since without it you\n"+
+			"will not be able to restart the manager.\n", unlockKey)
+	}
+}
diff --git a/cli/cli/command/swarm/unlock_key_test.go b/cli/cli/command/swarm/unlock_key_test.go
new file mode 100644
index 00000000..d28921a1
--- /dev/null
+++ b/cli/cli/command/swarm/unlock_key_test.go
@@ -0,0 +1,171 @@
+package swarm
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestSwarmUnlockKeyErrors(t *testing.T) {
+	testCases := []struct {
+		name                  string
+		args                  []string
+		flags                 map[string]string
+		swarmInspectFunc      func() (swarm.Swarm, error)
+		swarmUpdateFunc       func(swarm swarm.Spec, flags swarm.UpdateFlags) error
+		swarmGetUnlockKeyFunc func() (types.SwarmUnlockKeyResponse, error)
+		expectedError         string
+	}{
+		{
+			name:          "too-many-args",
+			args:          []string{"foo"},
+			expectedError: "accepts no arguments",
+		},
+		{
+			name: "swarm-inspect-rotate-failed",
+			flags: map[string]string{
+				flagRotate: "true",
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return swarm.Swarm{}, errors.Errorf("error inspecting the swarm")
+			},
+			expectedError: "error inspecting the swarm",
+		},
+		{
+			name: "swarm-rotate-no-autolock-failed",
+			flags: map[string]string{
+				flagRotate: "true",
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(), nil
+			},
+			expectedError: "cannot rotate because autolock is not turned on",
+		},
+		{
+			name: "swarm-update-failed",
+			flags: map[string]string{
+				flagRotate: "true",
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(Autolock()), nil
+			},
+			swarmUpdateFunc: func(swarm swarm.Spec, flags swarm.UpdateFlags) error {
+				return errors.Errorf("error updating the swarm")
+			},
+			expectedError: "error updating the swarm",
+		},
+		{
+			name: "swarm-get-unlock-key-failed",
+			swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
+				return types.SwarmUnlockKeyResponse{}, errors.Errorf("error getting unlock key")
+			},
+			expectedError: "error getting unlock key",
+		},
+		{
+			name: "swarm-no-unlock-key-failed",
+			swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
+				return types.SwarmUnlockKeyResponse{
+					UnlockKey: "",
+				}, nil
+			},
+			expectedError: "no unlock key is set",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newUnlockKeyCommand(
+			test.NewFakeCli(&fakeClient{
+				swarmInspectFunc:      tc.swarmInspectFunc,
+				swarmUpdateFunc:       tc.swarmUpdateFunc,
+				swarmGetUnlockKeyFunc: tc.swarmGetUnlockKeyFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSwarmUnlockKey(t *testing.T) {
+	testCases := []struct {
+		name                  string
+		args                  []string
+		flags                 map[string]string
+		swarmInspectFunc      func() (swarm.Swarm, error)
+		swarmUpdateFunc       func(swarm swarm.Spec, flags swarm.UpdateFlags) error
+		swarmGetUnlockKeyFunc func() (types.SwarmUnlockKeyResponse, error)
+	}{
+		{
+			name: "unlock-key",
+			swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
+				return types.SwarmUnlockKeyResponse{
+					UnlockKey: "unlock-key",
+				}, nil
+			},
+		},
+		{
+			name: "unlock-key-quiet",
+			flags: map[string]string{
+				flagQuiet: "true",
+			},
+			swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
+				return types.SwarmUnlockKeyResponse{
+					UnlockKey: "unlock-key",
+				}, nil
+			},
+		},
+		{
+			name: "unlock-key-rotate",
+			flags: map[string]string{
+				flagRotate: "true",
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(Autolock()), nil
+			},
+			swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
+				return types.SwarmUnlockKeyResponse{
+					UnlockKey: "unlock-key",
+				}, nil
+			},
+		},
+		{
+			name: "unlock-key-rotate-quiet",
+			flags: map[string]string{
+				flagQuiet:  "true",
+				flagRotate: "true",
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(Autolock()), nil
+			},
+			swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
+				return types.SwarmUnlockKeyResponse{
+					UnlockKey: "unlock-key",
+				}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			swarmInspectFunc:      tc.swarmInspectFunc,
+			swarmUpdateFunc:       tc.swarmUpdateFunc,
+			swarmGetUnlockKeyFunc: tc.swarmGetUnlockKeyFunc,
+		})
+		cmd := newUnlockKeyCommand(cli)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("unlockkeys-%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/swarm/unlock_test.go b/cli/cli/command/swarm/unlock_test.go
new file mode 100644
index 00000000..8eb2ecd4
--- /dev/null
+++ b/cli/cli/command/swarm/unlock_test.go
@@ -0,0 +1,98 @@
+package swarm
+
+import (
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+func TestSwarmUnlockErrors(t *testing.T) {
+	testCases := []struct {
+		name            string
+		args            []string
+		swarmUnlockFunc func(req swarm.UnlockRequest) error
+		infoFunc        func() (types.Info, error)
+		expectedError   string
+	}{
+		{
+			name:          "too-many-args",
+			args:          []string{"foo"},
+			expectedError: "accepts no arguments",
+		},
+		{
+			name: "is-not-part-of-a-swarm",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{
+					Swarm: swarm.Info{
+						LocalNodeState: swarm.LocalNodeStateInactive,
+					},
+				}, nil
+			},
+			expectedError: "This node is not part of a swarm",
+		},
+		{
+			name: "is-not-locked",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{
+					Swarm: swarm.Info{
+						LocalNodeState: swarm.LocalNodeStateActive,
+					},
+				}, nil
+			},
+			expectedError: "Error: swarm is not locked",
+		},
+		{
+			name: "unlockrequest-failed",
+			infoFunc: func() (types.Info, error) {
+				return types.Info{
+					Swarm: swarm.Info{
+						LocalNodeState: swarm.LocalNodeStateLocked,
+					},
+				}, nil
+			},
+			swarmUnlockFunc: func(req swarm.UnlockRequest) error {
+				return errors.Errorf("error unlocking the swarm")
+			},
+			expectedError: "error unlocking the swarm",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newUnlockCommand(
+			test.NewFakeCli(&fakeClient{
+				infoFunc:        tc.infoFunc,
+				swarmUnlockFunc: tc.swarmUnlockFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSwarmUnlock(t *testing.T) {
+	input := "unlockKey"
+	dockerCli := test.NewFakeCli(&fakeClient{
+		infoFunc: func() (types.Info, error) {
+			return types.Info{
+				Swarm: swarm.Info{
+					LocalNodeState: swarm.LocalNodeStateLocked,
+				},
+			}, nil
+		},
+		swarmUnlockFunc: func(req swarm.UnlockRequest) error {
+			if req.UnlockKey != input {
+				return errors.Errorf("Invalid unlock key")
+			}
+			return nil
+		},
+	})
+	dockerCli.SetIn(command.NewInStream(ioutil.NopCloser(strings.NewReader(input))))
+	cmd := newUnlockCommand(dockerCli)
+	assert.NilError(t, cmd.Execute())
+}
diff --git a/cli/cli/command/swarm/update.go b/cli/cli/command/swarm/update.go
new file mode 100644
index 00000000..6b9ad728
--- /dev/null
+++ b/cli/cli/command/swarm/update.go
@@ -0,0 +1,71 @@
+package swarm
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+func newUpdateCommand(dockerCli command.Cli) *cobra.Command {
+	opts := swarmOptions{}
+
+	cmd := &cobra.Command{
+		Use:   "update [OPTIONS]",
+		Short: "Update the swarm",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runUpdate(dockerCli, cmd.Flags(), opts)
+		},
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			if cmd.Flags().NFlag() == 0 {
+				return pflag.ErrHelp
+			}
+			return nil
+		},
+	}
+
+	cmd.Flags().BoolVar(&opts.autolock, flagAutolock, false, "Change manager autolocking setting (true|false)")
+	addSwarmFlags(cmd.Flags(), &opts)
+	return cmd
+}
+
+func runUpdate(dockerCli command.Cli, flags *pflag.FlagSet, opts swarmOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	var updateFlags swarm.UpdateFlags
+
+	swarmInspect, err := client.SwarmInspect(ctx)
+	if err != nil {
+		return err
+	}
+
+	prevAutoLock := swarmInspect.Spec.EncryptionConfig.AutoLockManagers
+
+	opts.mergeSwarmSpec(&swarmInspect.Spec, flags, swarmInspect.ClusterInfo.TLSInfo.TrustRoot)
+
+	curAutoLock := swarmInspect.Spec.EncryptionConfig.AutoLockManagers
+
+	err = client.SwarmUpdate(ctx, swarmInspect.Version, swarmInspect.Spec, updateFlags)
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintln(dockerCli.Out(), "Swarm updated.")
+
+	if curAutoLock && !prevAutoLock {
+		unlockKeyResp, err := client.SwarmGetUnlockKey(ctx)
+		if err != nil {
+			return errors.Wrap(err, "could not fetch unlock key")
+		}
+		printUnlockCommand(dockerCli.Out(), unlockKeyResp.UnlockKey)
+	}
+
+	return nil
+}
diff --git a/cli/cli/command/swarm/update_test.go b/cli/cli/command/swarm/update_test.go
new file mode 100644
index 00000000..20a5624a
--- /dev/null
+++ b/cli/cli/command/swarm/update_test.go
@@ -0,0 +1,185 @@
+package swarm
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestSwarmUpdateErrors(t *testing.T) {
+	testCases := []struct {
+		name                  string
+		args                  []string
+		flags                 map[string]string
+		swarmInspectFunc      func() (swarm.Swarm, error)
+		swarmUpdateFunc       func(swarm swarm.Spec, flags swarm.UpdateFlags) error
+		swarmGetUnlockKeyFunc func() (types.SwarmUnlockKeyResponse, error)
+		expectedError         string
+	}{
+		{
+			name:          "too-many-args",
+			args:          []string{"foo"},
+			expectedError: "accepts no arguments",
+		},
+		{
+			name: "swarm-inspect-error",
+			flags: map[string]string{
+				flagTaskHistoryLimit: "10",
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return swarm.Swarm{}, errors.Errorf("error inspecting the swarm")
+			},
+			expectedError: "error inspecting the swarm",
+		},
+		{
+			name: "swarm-update-error",
+			flags: map[string]string{
+				flagTaskHistoryLimit: "10",
+			},
+			swarmUpdateFunc: func(swarm swarm.Spec, flags swarm.UpdateFlags) error {
+				return errors.Errorf("error updating the swarm")
+			},
+			expectedError: "error updating the swarm",
+		},
+		{
+			name: "swarm-unlockkey-error",
+			flags: map[string]string{
+				flagAutolock: "true",
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(), nil
+			},
+			swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
+				return types.SwarmUnlockKeyResponse{}, errors.Errorf("error getting unlock key")
+			},
+			expectedError: "error getting unlock key",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newUpdateCommand(
+			test.NewFakeCli(&fakeClient{
+				swarmInspectFunc:      tc.swarmInspectFunc,
+				swarmUpdateFunc:       tc.swarmUpdateFunc,
+				swarmGetUnlockKeyFunc: tc.swarmGetUnlockKeyFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSwarmUpdate(t *testing.T) {
+	swarmInfo := Swarm()
+	swarmInfo.ClusterInfo.TLSInfo.TrustRoot = "trustroot"
+
+	testCases := []struct {
+		name                  string
+		args                  []string
+		flags                 map[string]string
+		swarmInspectFunc      func() (swarm.Swarm, error)
+		swarmUpdateFunc       func(swarm swarm.Spec, flags swarm.UpdateFlags) error
+		swarmGetUnlockKeyFunc func() (types.SwarmUnlockKeyResponse, error)
+	}{
+		{
+			name: "noargs",
+		},
+		{
+			name: "all-flags-quiet",
+			flags: map[string]string{
+				flagTaskHistoryLimit:    "10",
+				flagDispatcherHeartbeat: "10s",
+				flagCertExpiry:          "20s",
+				flagExternalCA:          "protocol=cfssl,url=https://example.com.",
+				flagMaxSnapshots:        "10",
+				flagSnapshotInterval:    "100",
+				flagAutolock:            "true",
+				flagQuiet:               "true",
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *swarmInfo, nil
+			},
+			swarmUpdateFunc: func(swarm swarm.Spec, flags swarm.UpdateFlags) error {
+				if *swarm.Orchestration.TaskHistoryRetentionLimit != 10 {
+					return errors.Errorf("historyLimit not correctly set")
+				}
+				heartbeatDuration, err := time.ParseDuration("10s")
+				if err != nil {
+					return err
+				}
+				if swarm.Dispatcher.HeartbeatPeriod != heartbeatDuration {
+					return errors.Errorf("heartbeatPeriodLimit not correctly set")
+				}
+				certExpiryDuration, err := time.ParseDuration("20s")
+				if err != nil {
+					return err
+				}
+				if swarm.CAConfig.NodeCertExpiry != certExpiryDuration {
+					return errors.Errorf("certExpiry not correctly set")
+				}
+				if len(swarm.CAConfig.ExternalCAs) != 1 || swarm.CAConfig.ExternalCAs[0].CACert != "trustroot" {
+					return errors.Errorf("externalCA not correctly set")
+				}
+				if *swarm.Raft.KeepOldSnapshots != 10 {
+					return errors.Errorf("keepOldSnapshots not correctly set")
+				}
+				if swarm.Raft.SnapshotInterval != 100 {
+					return errors.Errorf("snapshotInterval not correctly set")
+				}
+				if !swarm.EncryptionConfig.AutoLockManagers {
+					return errors.Errorf("autolock not correctly set")
+				}
+				return nil
+			},
+		},
+		{
+			name: "autolock-unlock-key",
+			flags: map[string]string{
+				flagTaskHistoryLimit: "10",
+				flagAutolock:         "true",
+			},
+			swarmUpdateFunc: func(swarm swarm.Spec, flags swarm.UpdateFlags) error {
+				if *swarm.Orchestration.TaskHistoryRetentionLimit != 10 {
+					return errors.Errorf("historyLimit not correctly set")
+				}
+				return nil
+			},
+			swarmInspectFunc: func() (swarm.Swarm, error) {
+				return *Swarm(), nil
+			},
+			swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
+				return types.SwarmUnlockKeyResponse{
+					UnlockKey: "unlock-key",
+				}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			swarmInspectFunc:      tc.swarmInspectFunc,
+			swarmUpdateFunc:       tc.swarmUpdateFunc,
+			swarmGetUnlockKeyFunc: tc.swarmGetUnlockKeyFunc,
+		})
+		cmd := newUpdateCommand(cli)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(cli.OutBuffer())
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("update-%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/system/client_test.go b/cli/cli/command/system/client_test.go
new file mode 100644
index 00000000..20d8dc38
--- /dev/null
+++ b/cli/cli/command/system/client_test.go
@@ -0,0 +1,23 @@
+package system
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+
+	version       string
+	serverVersion func(ctx context.Context) (types.Version, error)
+}
+
+func (cli *fakeClient) ServerVersion(ctx context.Context) (types.Version, error) {
+	return cli.serverVersion(ctx)
+}
+
+func (cli *fakeClient) ClientVersion() string {
+	return cli.version
+}
diff --git a/cli/cli/command/system/cmd.go b/cli/cli/command/system/cmd.go
new file mode 100644
index 00000000..7b9d6819
--- /dev/null
+++ b/cli/cli/command/system/cmd.go
@@ -0,0 +1,25 @@
+package system
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// NewSystemCommand returns a cobra command for `system` subcommands
+func NewSystemCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "system",
+		Short: "Manage Docker",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+	}
+	cmd.AddCommand(
+		NewEventsCommand(dockerCli),
+		NewInfoCommand(dockerCli),
+		newDiskUsageCommand(dockerCli),
+		newPruneCommand(dockerCli),
+	)
+
+	return cmd
+}
diff --git a/cli/cli/command/system/df.go b/cli/cli/command/system/df.go
new file mode 100644
index 00000000..43a2d74c
--- /dev/null
+++ b/cli/cli/command/system/df.go
@@ -0,0 +1,70 @@
+package system
+
+import (
+	"context"
+	"errors"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/spf13/cobra"
+)
+
+type diskUsageOptions struct {
+	verbose bool
+	format  string
+}
+
+// newDiskUsageCommand creates a new cobra.Command for `docker df`
+func newDiskUsageCommand(dockerCli command.Cli) *cobra.Command {
+	var opts diskUsageOptions
+
+	cmd := &cobra.Command{
+		Use:   "df [OPTIONS]",
+		Short: "Show docker disk usage",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runDiskUsage(dockerCli, opts)
+		},
+		Annotations: map[string]string{"version": "1.25"},
+	}
+
+	flags := cmd.Flags()
+
+	flags.BoolVarP(&opts.verbose, "verbose", "v", false, "Show detailed information on space usage")
+	flags.StringVar(&opts.format, "format", "", "Pretty-print images using a Go template")
+
+	return cmd
+}
+
+func runDiskUsage(dockerCli command.Cli, opts diskUsageOptions) error {
+	if opts.verbose && len(opts.format) != 0 {
+		return errors.New("the verbose and the format options conflict")
+	}
+
+	du, err := dockerCli.Client().DiskUsage(context.Background())
+	if err != nil {
+		return err
+	}
+
+	format := opts.format
+	if len(format) == 0 {
+		format = formatter.TableFormatKey
+	}
+
+	duCtx := formatter.DiskUsageContext{
+		Context: formatter.Context{
+			Output: dockerCli.Out(),
+			Format: formatter.NewDiskUsageFormat(format),
+		},
+		LayersSize:  du.LayersSize,
+		BuilderSize: du.BuilderSize,
+		BuildCache:  du.BuildCache,
+		Images:      du.Images,
+		Containers:  du.Containers,
+		Volumes:     du.Volumes,
+		Verbose:     opts.verbose,
+	}
+
+	return duCtx.Write()
+}
diff --git a/cli/cli/command/system/events.go b/cli/cli/command/system/events.go
new file mode 100644
index 00000000..37de9722
--- /dev/null
+++ b/cli/cli/command/system/events.go
@@ -0,0 +1,142 @@
+package system
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"sort"
+	"strings"
+	"text/template"
+	"time"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	"github.com/docker/cli/templates"
+	"github.com/docker/docker/api/types"
+	eventtypes "github.com/docker/docker/api/types/events"
+	"github.com/spf13/cobra"
+)
+
+type eventsOptions struct {
+	since  string
+	until  string
+	filter opts.FilterOpt
+	format string
+}
+
+// NewEventsCommand creates a new cobra.Command for `docker events`
+func NewEventsCommand(dockerCli command.Cli) *cobra.Command {
+	options := eventsOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "events [OPTIONS]",
+		Short: "Get real time events from the server",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runEvents(dockerCli, &options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&options.since, "since", "", "Show all events created since timestamp")
+	flags.StringVar(&options.until, "until", "", "Stream events until this timestamp")
+	flags.VarP(&options.filter, "filter", "f", "Filter output based on conditions provided")
+	flags.StringVar(&options.format, "format", "", "Format the output using the given Go template")
+
+	return cmd
+}
+
+func runEvents(dockerCli command.Cli, options *eventsOptions) error {
+	tmpl, err := makeTemplate(options.format)
+	if err != nil {
+		return cli.StatusError{
+			StatusCode: 64,
+			Status:     "Error parsing format: " + err.Error()}
+	}
+	eventOptions := types.EventsOptions{
+		Since:   options.since,
+		Until:   options.until,
+		Filters: options.filter.Value(),
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	events, errs := dockerCli.Client().Events(ctx, eventOptions)
+	defer cancel()
+
+	out := dockerCli.Out()
+
+	for {
+		select {
+		case event := <-events:
+			if err := handleEvent(out, event, tmpl); err != nil {
+				return err
+			}
+		case err := <-errs:
+			if err == io.EOF {
+				return nil
+			}
+			return err
+		}
+	}
+}
+
+func handleEvent(out io.Writer, event eventtypes.Message, tmpl *template.Template) error {
+	if tmpl == nil {
+		return prettyPrintEvent(out, event)
+	}
+
+	return formatEvent(out, event, tmpl)
+}
+
+func makeTemplate(format string) (*template.Template, error) {
+	if format == "" {
+		return nil, nil
+	}
+	tmpl, err := templates.Parse(format)
+	if err != nil {
+		return tmpl, err
+	}
+	// we execute the template for an empty message, so as to validate
+	// a bad template like "{{.badFieldString}}"
+	return tmpl, tmpl.Execute(ioutil.Discard, &eventtypes.Message{})
+}
+
+// rfc3339NanoFixed is similar to time.RFC3339Nano, except it pads nanoseconds
+// zeros to maintain a fixed number of characters
+const rfc3339NanoFixed = "2006-01-02T15:04:05.000000000Z07:00"
+
+// prettyPrintEvent prints all types of event information.
+// Each output includes the event type, actor id, name and action.
+// Actor attributes are printed at the end if the actor has any.
+func prettyPrintEvent(out io.Writer, event eventtypes.Message) error {
+	if event.TimeNano != 0 {
+		fmt.Fprintf(out, "%s ", time.Unix(0, event.TimeNano).Format(rfc3339NanoFixed))
+	} else if event.Time != 0 {
+		fmt.Fprintf(out, "%s ", time.Unix(event.Time, 0).Format(rfc3339NanoFixed))
+	}
+
+	fmt.Fprintf(out, "%s %s %s", event.Type, event.Action, event.Actor.ID)
+
+	if len(event.Actor.Attributes) > 0 {
+		var attrs []string
+		var keys []string
+		for k := range event.Actor.Attributes {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+		for _, k := range keys {
+			v := event.Actor.Attributes[k]
+			attrs = append(attrs, fmt.Sprintf("%s=%s", k, v))
+		}
+		fmt.Fprintf(out, " (%s)", strings.Join(attrs, ", "))
+	}
+	fmt.Fprint(out, "\n")
+	return nil
+}
+
+func formatEvent(out io.Writer, event eventtypes.Message, tmpl *template.Template) error {
+	defer out.Write([]byte{'\n'})
+	return tmpl.Execute(out, event)
+}
diff --git a/cli/cli/command/system/info.go b/cli/cli/command/system/info.go
new file mode 100644
index 00000000..73aeda63
--- /dev/null
+++ b/cli/cli/command/system/info.go
@@ -0,0 +1,360 @@
+package system
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"sort"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/debug"
+	"github.com/docker/cli/templates"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/go-units"
+	"github.com/spf13/cobra"
+)
+
+type infoOptions struct {
+	format string
+}
+
+// NewInfoCommand creates a new cobra.Command for `docker info`
+func NewInfoCommand(dockerCli command.Cli) *cobra.Command {
+	var opts infoOptions
+
+	cmd := &cobra.Command{
+		Use:   "info [OPTIONS]",
+		Short: "Display system-wide information",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runInfo(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+
+	return cmd
+}
+
+func runInfo(dockerCli command.Cli, opts *infoOptions) error {
+	ctx := context.Background()
+	info, err := dockerCli.Client().Info(ctx)
+	if err != nil {
+		return err
+	}
+	if opts.format == "" {
+		return prettyPrintInfo(dockerCli, info)
+	}
+	return formatInfo(dockerCli, info, opts.format)
+}
+
+// nolint: gocyclo
+func prettyPrintInfo(dockerCli command.Cli, info types.Info) error {
+	fmt.Fprintln(dockerCli.Out(), "Containers:", info.Containers)
+	fmt.Fprintln(dockerCli.Out(), " Running:", info.ContainersRunning)
+	fmt.Fprintln(dockerCli.Out(), " Paused:", info.ContainersPaused)
+	fmt.Fprintln(dockerCli.Out(), " Stopped:", info.ContainersStopped)
+	fmt.Fprintln(dockerCli.Out(), "Images:", info.Images)
+	fprintlnNonEmpty(dockerCli.Out(), "Server Version:", info.ServerVersion)
+	fprintlnNonEmpty(dockerCli.Out(), "Storage Driver:", info.Driver)
+	if info.DriverStatus != nil {
+		for _, pair := range info.DriverStatus {
+			fmt.Fprintf(dockerCli.Out(), " %s: %s\n", pair[0], pair[1])
+		}
+	}
+	if info.SystemStatus != nil {
+		for _, pair := range info.SystemStatus {
+			fmt.Fprintf(dockerCli.Out(), "%s: %s\n", pair[0], pair[1])
+		}
+	}
+	fprintlnNonEmpty(dockerCli.Out(), "Logging Driver:", info.LoggingDriver)
+	fprintlnNonEmpty(dockerCli.Out(), "Cgroup Driver:", info.CgroupDriver)
+
+	fmt.Fprintln(dockerCli.Out(), "Plugins:")
+	fmt.Fprintln(dockerCli.Out(), " Volume:", strings.Join(info.Plugins.Volume, " "))
+	fmt.Fprintln(dockerCli.Out(), " Network:", strings.Join(info.Plugins.Network, " "))
+
+	if len(info.Plugins.Authorization) != 0 {
+		fmt.Fprintln(dockerCli.Out(), " Authorization:", strings.Join(info.Plugins.Authorization, " "))
+	}
+
+	fmt.Fprintln(dockerCli.Out(), " Log:", strings.Join(info.Plugins.Log, " "))
+
+	fmt.Fprintln(dockerCli.Out(), "Swarm:", info.Swarm.LocalNodeState)
+	printSwarmInfo(dockerCli, info)
+
+	if len(info.Runtimes) > 0 {
+		fmt.Fprint(dockerCli.Out(), "Runtimes:")
+		for name := range info.Runtimes {
+			fmt.Fprintf(dockerCli.Out(), " %s", name)
+		}
+		fmt.Fprint(dockerCli.Out(), "\n")
+		fmt.Fprintln(dockerCli.Out(), "Default Runtime:", info.DefaultRuntime)
+	}
+
+	if info.OSType == "linux" {
+		fmt.Fprintln(dockerCli.Out(), "Init Binary:", info.InitBinary)
+
+		for _, ci := range []struct {
+			Name   string
+			Commit types.Commit
+		}{
+			{"containerd", info.ContainerdCommit},
+			{"runc", info.RuncCommit},
+			{"init", info.InitCommit},
+		} {
+			fmt.Fprintf(dockerCli.Out(), "%s version: %s", ci.Name, ci.Commit.ID)
+			if ci.Commit.ID != ci.Commit.Expected {
+				fmt.Fprintf(dockerCli.Out(), " (expected: %s)", ci.Commit.Expected)
+			}
+			fmt.Fprint(dockerCli.Out(), "\n")
+		}
+		if len(info.SecurityOptions) != 0 {
+			kvs, err := types.DecodeSecurityOptions(info.SecurityOptions)
+			if err != nil {
+				return err
+			}
+			fmt.Fprintln(dockerCli.Out(), "Security Options:")
+			for _, so := range kvs {
+				fmt.Fprintln(dockerCli.Out(), " "+so.Name)
+				for _, o := range so.Options {
+					switch o.Key {
+					case "profile":
+						if o.Value != "default" {
+							fmt.Fprintln(dockerCli.Err(), "  WARNING: You're not using the default seccomp profile")
+						}
+						fmt.Fprintln(dockerCli.Out(), "  Profile:", o.Value)
+					}
+				}
+			}
+		}
+	}
+
+	// Isolation only has meaning on a Windows daemon.
+	if info.OSType == "windows" {
+		fmt.Fprintln(dockerCli.Out(), "Default Isolation:", info.Isolation)
+	}
+
+	fprintlnNonEmpty(dockerCli.Out(), "Kernel Version:", info.KernelVersion)
+	fprintlnNonEmpty(dockerCli.Out(), "Operating System:", info.OperatingSystem)
+	fprintlnNonEmpty(dockerCli.Out(), "OSType:", info.OSType)
+	fprintlnNonEmpty(dockerCli.Out(), "Architecture:", info.Architecture)
+	fmt.Fprintln(dockerCli.Out(), "CPUs:", info.NCPU)
+	fmt.Fprintln(dockerCli.Out(), "Total Memory:", units.BytesSize(float64(info.MemTotal)))
+	fprintlnNonEmpty(dockerCli.Out(), "Name:", info.Name)
+	fprintlnNonEmpty(dockerCli.Out(), "ID:", info.ID)
+	fmt.Fprintln(dockerCli.Out(), "Docker Root Dir:", info.DockerRootDir)
+	fmt.Fprintln(dockerCli.Out(), "Debug Mode (client):", debug.IsEnabled())
+	fmt.Fprintln(dockerCli.Out(), "Debug Mode (server):", info.Debug)
+
+	if info.Debug {
+		fmt.Fprintln(dockerCli.Out(), " File Descriptors:", info.NFd)
+		fmt.Fprintln(dockerCli.Out(), " Goroutines:", info.NGoroutines)
+		fmt.Fprintln(dockerCli.Out(), " System Time:", info.SystemTime)
+		fmt.Fprintln(dockerCli.Out(), " EventsListeners:", info.NEventsListener)
+	}
+
+	fprintlnNonEmpty(dockerCli.Out(), "HTTP Proxy:", info.HTTPProxy)
+	fprintlnNonEmpty(dockerCli.Out(), "HTTPS Proxy:", info.HTTPSProxy)
+	fprintlnNonEmpty(dockerCli.Out(), "No Proxy:", info.NoProxy)
+
+	if info.IndexServerAddress != "" {
+		u := dockerCli.ConfigFile().AuthConfigs[info.IndexServerAddress].Username
+		if len(u) > 0 {
+			fmt.Fprintln(dockerCli.Out(), "Username:", u)
+		}
+		fmt.Fprintln(dockerCli.Out(), "Registry:", info.IndexServerAddress)
+	}
+
+	if info.Labels != nil {
+		fmt.Fprintln(dockerCli.Out(), "Labels:")
+		for _, lbl := range info.Labels {
+			fmt.Fprintln(dockerCli.Out(), " "+lbl)
+		}
+	}
+
+	fmt.Fprintln(dockerCli.Out(), "Experimental:", info.ExperimentalBuild)
+	fprintlnNonEmpty(dockerCli.Out(), "Cluster Store:", info.ClusterStore)
+	fprintlnNonEmpty(dockerCli.Out(), "Cluster Advertise:", info.ClusterAdvertise)
+
+	if info.RegistryConfig != nil && (len(info.RegistryConfig.InsecureRegistryCIDRs) > 0 || len(info.RegistryConfig.IndexConfigs) > 0) {
+		fmt.Fprintln(dockerCli.Out(), "Insecure Registries:")
+		for _, registry := range info.RegistryConfig.IndexConfigs {
+			if !registry.Secure {
+				fmt.Fprintln(dockerCli.Out(), " "+registry.Name)
+			}
+		}
+
+		for _, registry := range info.RegistryConfig.InsecureRegistryCIDRs {
+			mask, _ := registry.Mask.Size()
+			fmt.Fprintf(dockerCli.Out(), " %s/%d\n", registry.IP.String(), mask)
+		}
+	}
+
+	if info.RegistryConfig != nil && len(info.RegistryConfig.Mirrors) > 0 {
+		fmt.Fprintln(dockerCli.Out(), "Registry Mirrors:")
+		for _, mirror := range info.RegistryConfig.Mirrors {
+			fmt.Fprintln(dockerCli.Out(), " "+mirror)
+		}
+	}
+
+	fmt.Fprintln(dockerCli.Out(), "Live Restore Enabled:", info.LiveRestoreEnabled)
+	fmt.Fprint(dockerCli.Out(), "\n")
+
+	// Only output these warnings if the server does not support these features
+	if info.OSType != "windows" {
+		printStorageDriverWarnings(dockerCli, info)
+
+		if !info.MemoryLimit {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: No memory limit support")
+		}
+		if !info.SwapLimit {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: No swap limit support")
+		}
+		if !info.KernelMemory {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: No kernel memory limit support")
+		}
+		if !info.OomKillDisable {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: No oom kill disable support")
+		}
+		if !info.CPUCfsQuota {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: No cpu cfs quota support")
+		}
+		if !info.CPUCfsPeriod {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: No cpu cfs period support")
+		}
+		if !info.CPUShares {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: No cpu shares support")
+		}
+		if !info.CPUSet {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: No cpuset support")
+		}
+		if !info.IPv4Forwarding {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: IPv4 forwarding is disabled")
+		}
+		if !info.BridgeNfIptables {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: bridge-nf-call-iptables is disabled")
+		}
+		if !info.BridgeNfIP6tables {
+			fmt.Fprintln(dockerCli.Err(), "WARNING: bridge-nf-call-ip6tables is disabled")
+		}
+	}
+
+	return nil
+}
+
+func printSwarmInfo(dockerCli command.Cli, info types.Info) {
+	if info.Swarm.LocalNodeState == swarm.LocalNodeStateInactive || info.Swarm.LocalNodeState == swarm.LocalNodeStateLocked {
+		return
+	}
+	fmt.Fprintln(dockerCli.Out(), " NodeID:", info.Swarm.NodeID)
+	if info.Swarm.Error != "" {
+		fmt.Fprintln(dockerCli.Out(), " Error:", info.Swarm.Error)
+	}
+	fmt.Fprintln(dockerCli.Out(), " Is Manager:", info.Swarm.ControlAvailable)
+	if info.Swarm.Cluster != nil && info.Swarm.ControlAvailable && info.Swarm.Error == "" && info.Swarm.LocalNodeState != swarm.LocalNodeStateError {
+		fmt.Fprintln(dockerCli.Out(), " ClusterID:", info.Swarm.Cluster.ID)
+		fmt.Fprintln(dockerCli.Out(), " Managers:", info.Swarm.Managers)
+		fmt.Fprintln(dockerCli.Out(), " Nodes:", info.Swarm.Nodes)
+		fmt.Fprintln(dockerCli.Out(), " Orchestration:")
+		taskHistoryRetentionLimit := int64(0)
+		if info.Swarm.Cluster.Spec.Orchestration.TaskHistoryRetentionLimit != nil {
+			taskHistoryRetentionLimit = *info.Swarm.Cluster.Spec.Orchestration.TaskHistoryRetentionLimit
+		}
+		fmt.Fprintln(dockerCli.Out(), "  Task History Retention Limit:", taskHistoryRetentionLimit)
+		fmt.Fprintln(dockerCli.Out(), " Raft:")
+		fmt.Fprintln(dockerCli.Out(), "  Snapshot Interval:", info.Swarm.Cluster.Spec.Raft.SnapshotInterval)
+		if info.Swarm.Cluster.Spec.Raft.KeepOldSnapshots != nil {
+			fmt.Fprintf(dockerCli.Out(), "  Number of Old Snapshots to Retain: %d\n", *info.Swarm.Cluster.Spec.Raft.KeepOldSnapshots)
+		}
+		fmt.Fprintln(dockerCli.Out(), "  Heartbeat Tick:", info.Swarm.Cluster.Spec.Raft.HeartbeatTick)
+		fmt.Fprintln(dockerCli.Out(), "  Election Tick:", info.Swarm.Cluster.Spec.Raft.ElectionTick)
+		fmt.Fprintln(dockerCli.Out(), " Dispatcher:")
+		fmt.Fprintln(dockerCli.Out(), "  Heartbeat Period:", units.HumanDuration(info.Swarm.Cluster.Spec.Dispatcher.HeartbeatPeriod))
+		fmt.Fprintln(dockerCli.Out(), " CA Configuration:")
+		fmt.Fprintln(dockerCli.Out(), "  Expiry Duration:", units.HumanDuration(info.Swarm.Cluster.Spec.CAConfig.NodeCertExpiry))
+		fmt.Fprintln(dockerCli.Out(), "  Force Rotate:", info.Swarm.Cluster.Spec.CAConfig.ForceRotate)
+		if caCert := strings.TrimSpace(info.Swarm.Cluster.Spec.CAConfig.SigningCACert); caCert != "" {
+			fmt.Fprintf(dockerCli.Out(), "  Signing CA Certificate: \n%s\n\n", caCert)
+		}
+		if len(info.Swarm.Cluster.Spec.CAConfig.ExternalCAs) > 0 {
+			fmt.Fprintln(dockerCli.Out(), "  External CAs:")
+			for _, entry := range info.Swarm.Cluster.Spec.CAConfig.ExternalCAs {
+				fmt.Fprintf(dockerCli.Out(), "    %s: %s\n", entry.Protocol, entry.URL)
+			}
+		}
+		fmt.Fprintln(dockerCli.Out(), " Autolock Managers:", info.Swarm.Cluster.Spec.EncryptionConfig.AutoLockManagers)
+		fmt.Fprintln(dockerCli.Out(), " Root Rotation In Progress:", info.Swarm.Cluster.RootRotationInProgress)
+	}
+	fmt.Fprintln(dockerCli.Out(), " Node Address:", info.Swarm.NodeAddr)
+	if len(info.Swarm.RemoteManagers) > 0 {
+		managers := []string{}
+		for _, entry := range info.Swarm.RemoteManagers {
+			managers = append(managers, entry.Addr)
+		}
+		sort.Strings(managers)
+		fmt.Fprintln(dockerCli.Out(), " Manager Addresses:")
+		for _, entry := range managers {
+			fmt.Fprintf(dockerCli.Out(), "  %s\n", entry)
+		}
+	}
+}
+
+func printStorageDriverWarnings(dockerCli command.Cli, info types.Info) {
+	if info.DriverStatus == nil {
+		return
+	}
+
+	for _, pair := range info.DriverStatus {
+		if pair[0] == "Data loop file" {
+			fmt.Fprintf(dockerCli.Err(), "WARNING: %s: usage of loopback devices is "+
+				"strongly discouraged for production use.\n         "+
+				"Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.\n", info.Driver)
+		}
+		if pair[0] == "Supports d_type" && pair[1] == "false" {
+			backingFs := getBackingFs(info)
+
+			msg := fmt.Sprintf("WARNING: %s: the backing %s filesystem is formatted without d_type support, which leads to incorrect behavior.\n", info.Driver, backingFs)
+			if backingFs == "xfs" {
+				msg += "         Reformat the filesystem with ftype=1 to enable d_type support.\n"
+			}
+			msg += "         Running without d_type support will not be supported in future releases."
+			fmt.Fprintln(dockerCli.Err(), msg)
+		}
+	}
+}
+
+func getBackingFs(info types.Info) string {
+	if info.DriverStatus == nil {
+		return ""
+	}
+
+	for _, pair := range info.DriverStatus {
+		if pair[0] == "Backing Filesystem" {
+			return pair[1]
+		}
+	}
+	return ""
+}
+
+func formatInfo(dockerCli command.Cli, info types.Info, format string) error {
+	tmpl, err := templates.Parse(format)
+	if err != nil {
+		return cli.StatusError{StatusCode: 64,
+			Status: "Template parsing error: " + err.Error()}
+	}
+	err = tmpl.Execute(dockerCli.Out(), info)
+	dockerCli.Out().Write([]byte{'\n'})
+	return err
+}
+
+func fprintlnNonEmpty(w io.Writer, label, value string) {
+	if value != "" {
+		fmt.Fprintln(w, label, value)
+	}
+}
diff --git a/cli/cli/command/system/info_test.go b/cli/cli/command/system/info_test.go
new file mode 100644
index 00000000..600e79ac
--- /dev/null
+++ b/cli/cli/command/system/info_test.go
@@ -0,0 +1,238 @@
+package system
+
+import (
+	"encoding/base64"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+// helper function that base64 decodes a string and ignores the error
+func base64Decode(val string) []byte {
+	decoded, _ := base64.StdEncoding.DecodeString(val)
+	return decoded
+}
+
+var sampleInfoNoSwarm = types.Info{
+	ID:                "EKHL:QDUU:QZ7U:MKGD:VDXK:S27Q:GIPU:24B7:R7VT:DGN6:QCSF:2UBX",
+	Containers:        0,
+	ContainersRunning: 0,
+	ContainersPaused:  0,
+	ContainersStopped: 0,
+	Images:            0,
+	Driver:            "aufs",
+	DriverStatus: [][2]string{
+		{"Root Dir", "/var/lib/docker/aufs"},
+		{"Backing Filesystem", "extfs"},
+		{"Dirs", "0"},
+		{"Dirperm1 Supported", "true"},
+	},
+	SystemStatus: nil,
+	Plugins: types.PluginsInfo{
+		Volume:        []string{"local"},
+		Network:       []string{"bridge", "host", "macvlan", "null", "overlay"},
+		Authorization: nil,
+		Log:           []string{"awslogs", "fluentd", "gcplogs", "gelf", "journald", "json-file", "logentries", "splunk", "syslog"},
+	},
+	MemoryLimit:        true,
+	SwapLimit:          true,
+	KernelMemory:       true,
+	CPUCfsPeriod:       true,
+	CPUCfsQuota:        true,
+	CPUShares:          true,
+	CPUSet:             true,
+	IPv4Forwarding:     true,
+	BridgeNfIptables:   true,
+	BridgeNfIP6tables:  true,
+	Debug:              true,
+	NFd:                33,
+	OomKillDisable:     true,
+	NGoroutines:        135,
+	SystemTime:         "2017-08-24T17:44:34.077811894Z",
+	LoggingDriver:      "json-file",
+	CgroupDriver:       "cgroupfs",
+	NEventsListener:    0,
+	KernelVersion:      "4.4.0-87-generic",
+	OperatingSystem:    "Ubuntu 16.04.3 LTS",
+	OSType:             "linux",
+	Architecture:       "x86_64",
+	IndexServerAddress: "https://index.docker.io/v1/",
+	RegistryConfig: &registry.ServiceConfig{
+		AllowNondistributableArtifactsCIDRs:     nil,
+		AllowNondistributableArtifactsHostnames: nil,
+		InsecureRegistryCIDRs: []*registry.NetIPNet{
+			{
+				IP:   net.ParseIP("127.0.0.0"),
+				Mask: net.IPv4Mask(255, 0, 0, 0),
+			},
+		},
+		IndexConfigs: map[string]*registry.IndexInfo{
+			"docker.io": {
+				Name:     "docker.io",
+				Mirrors:  nil,
+				Secure:   true,
+				Official: true,
+			},
+		},
+		Mirrors: nil,
+	},
+	NCPU:              2,
+	MemTotal:          2097356800,
+	DockerRootDir:     "/var/lib/docker",
+	HTTPProxy:         "",
+	HTTPSProxy:        "",
+	NoProxy:           "",
+	Name:              "system-sample",
+	Labels:            []string{"provider=digitalocean"},
+	ExperimentalBuild: false,
+	ServerVersion:     "17.06.1-ce",
+	ClusterStore:      "",
+	ClusterAdvertise:  "",
+	Runtimes: map[string]types.Runtime{
+		"runc": {
+			Path: "docker-runc",
+			Args: nil,
+		},
+	},
+	DefaultRuntime:     "runc",
+	Swarm:              swarm.Info{LocalNodeState: "inactive"},
+	LiveRestoreEnabled: false,
+	Isolation:          "",
+	InitBinary:         "docker-init",
+	ContainerdCommit: types.Commit{
+		ID:       "6e23458c129b551d5c9871e5174f6b1b7f6d1170",
+		Expected: "6e23458c129b551d5c9871e5174f6b1b7f6d1170",
+	},
+	RuncCommit: types.Commit{
+		ID:       "810190ceaa507aa2727d7ae6f4790c76ec150bd2",
+		Expected: "810190ceaa507aa2727d7ae6f4790c76ec150bd2",
+	},
+	InitCommit: types.Commit{
+		ID:       "949e6fa",
+		Expected: "949e6fa",
+	},
+	SecurityOptions: []string{"name=apparmor", "name=seccomp,profile=default"},
+}
+
+var sampleSwarmInfo = swarm.Info{
+	NodeID:           "qo2dfdig9mmxqkawulggepdih",
+	NodeAddr:         "165.227.107.89",
+	LocalNodeState:   "active",
+	ControlAvailable: true,
+	Error:            "",
+	RemoteManagers: []swarm.Peer{
+		{
+			NodeID: "qo2dfdig9mmxqkawulggepdih",
+			Addr:   "165.227.107.89:2377",
+		},
+	},
+	Nodes:    1,
+	Managers: 1,
+	Cluster: &swarm.ClusterInfo{
+		ID: "9vs5ygs0gguyyec4iqf2314c0",
+		Meta: swarm.Meta{
+			Version:   swarm.Version{Index: 11},
+			CreatedAt: time.Date(2017, 8, 24, 17, 34, 19, 278062352, time.UTC),
+			UpdatedAt: time.Date(2017, 8, 24, 17, 34, 42, 398815481, time.UTC),
+		},
+		Spec: swarm.Spec{
+			Annotations: swarm.Annotations{
+				Name:   "default",
+				Labels: nil,
+			},
+			Orchestration: swarm.OrchestrationConfig{
+				TaskHistoryRetentionLimit: &[]int64{5}[0],
+			},
+			Raft: swarm.RaftConfig{
+				SnapshotInterval:           10000,
+				KeepOldSnapshots:           &[]uint64{0}[0],
+				LogEntriesForSlowFollowers: 500,
+				ElectionTick:               3,
+				HeartbeatTick:              1,
+			},
+			Dispatcher: swarm.DispatcherConfig{
+				HeartbeatPeriod: 5000000000,
+			},
+			CAConfig: swarm.CAConfig{
+				NodeCertExpiry: 7776000000000000,
+			},
+			TaskDefaults: swarm.TaskDefaults{},
+			EncryptionConfig: swarm.EncryptionConfig{
+				AutoLockManagers: true,
+			},
+		},
+		TLSInfo: swarm.TLSInfo{
+			TrustRoot: `
+-----BEGIN CERTIFICATE-----
+MIIBajCCARCgAwIBAgIUaFCW5xsq8eyiJ+Pmcv3MCflMLnMwCgYIKoZIzj0EAwIw
+EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwODI0MTcyOTAwWhcNMzcwODE5MTcy
+OTAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABDy7NebyUJyUjWJDBUdnZoV6GBxEGKO4TZPNDwnxDxJcUdLVaB7WGa4/DLrW
+UfsVgh1JGik2VTiLuTMA1tLlNPOjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBQl16XFtaaXiUAwEuJptJlDjfKskDAKBggqhkjO
+PQQDAgNIADBFAiEAo9fTQNM5DP9bHVcTJYfl2Cay1bFu1E+lnpmN+EYJfeACIGKH
+1pCUkZ+D0IB6CiEZGWSHyLuXPM1rlP+I5KuS7sB8
+-----END CERTIFICATE-----
+`,
+			CertIssuerSubject: base64Decode("MBMxETAPBgNVBAMTCHN3YXJtLWNh"),
+			CertIssuerPublicKey: base64Decode(
+				"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPLs15vJQnJSNYkMFR2dmhXoYHEQYo7hNk80PCfEPElxR0tVoHtYZrj8MutZR+xWCHUkaKTZVOIu5MwDW0uU08w=="),
+		},
+		RootRotationInProgress: false,
+	},
+}
+
+func TestPrettyPrintInfo(t *testing.T) {
+	infoWithSwarm := sampleInfoNoSwarm
+	infoWithSwarm.Swarm = sampleSwarmInfo
+
+	infoWithWarningsLinux := sampleInfoNoSwarm
+	infoWithWarningsLinux.MemoryLimit = false
+	infoWithWarningsLinux.SwapLimit = false
+	infoWithWarningsLinux.KernelMemory = false
+	infoWithWarningsLinux.OomKillDisable = false
+	infoWithWarningsLinux.CPUCfsQuota = false
+	infoWithWarningsLinux.CPUCfsPeriod = false
+	infoWithWarningsLinux.CPUShares = false
+	infoWithWarningsLinux.CPUSet = false
+	infoWithWarningsLinux.IPv4Forwarding = false
+	infoWithWarningsLinux.BridgeNfIptables = false
+	infoWithWarningsLinux.BridgeNfIP6tables = false
+
+	for _, tc := range []struct {
+		dockerInfo     types.Info
+		expectedGolden string
+		warningsGolden string
+	}{
+		{
+			dockerInfo:     sampleInfoNoSwarm,
+			expectedGolden: "docker-info-no-swarm",
+		},
+		{
+			dockerInfo:     infoWithSwarm,
+			expectedGolden: "docker-info-with-swarm",
+		},
+		{
+			dockerInfo:     infoWithWarningsLinux,
+			expectedGolden: "docker-info-no-swarm",
+			warningsGolden: "docker-info-warnings",
+		},
+	} {
+		cli := test.NewFakeCli(&fakeClient{})
+		assert.NilError(t, prettyPrintInfo(cli, tc.dockerInfo))
+		golden.Assert(t, cli.OutBuffer().String(), tc.expectedGolden+".golden")
+		if tc.warningsGolden != "" {
+			golden.Assert(t, cli.ErrBuffer().String(), tc.warningsGolden+".golden")
+		} else {
+			assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+		}
+	}
+}
diff --git a/cli/cli/command/system/inspect.go b/cli/cli/command/system/inspect.go
new file mode 100644
index 00000000..b49b4b33
--- /dev/null
+++ b/cli/cli/command/system/inspect.go
@@ -0,0 +1,218 @@
+package system
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/docker/docker/api/types"
+	apiclient "github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	format      string
+	inspectType string
+	size        bool
+	ids         []string
+}
+
+// NewInspectCommand creates a new cobra.Command for `docker inspect`
+func NewInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] NAME|ID [NAME|ID...]",
+		Short: "Return low-level information on Docker objects",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.ids = args
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	flags.StringVar(&opts.inspectType, "type", "", "Return JSON for specified type")
+	flags.BoolVarP(&opts.size, "size", "s", false, "Display total file sizes if the type is container")
+
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	var elementSearcher inspect.GetRefFunc
+	switch opts.inspectType {
+	case "", "container", "image", "node", "network", "service", "volume", "task", "plugin", "secret":
+		elementSearcher = inspectAll(context.Background(), dockerCli, opts.size, opts.inspectType)
+	default:
+		return errors.Errorf("%q is not a valid value for --type", opts.inspectType)
+	}
+	return inspect.Inspect(dockerCli.Out(), opts.ids, opts.format, elementSearcher)
+}
+
+func inspectContainers(ctx context.Context, dockerCli command.Cli, getSize bool) inspect.GetRefFunc {
+	return func(ref string) (interface{}, []byte, error) {
+		return dockerCli.Client().ContainerInspectWithRaw(ctx, ref, getSize)
+	}
+}
+
+func inspectImages(ctx context.Context, dockerCli command.Cli) inspect.GetRefFunc {
+	return func(ref string) (interface{}, []byte, error) {
+		return dockerCli.Client().ImageInspectWithRaw(ctx, ref)
+	}
+}
+
+func inspectNetwork(ctx context.Context, dockerCli command.Cli) inspect.GetRefFunc {
+	return func(ref string) (interface{}, []byte, error) {
+		return dockerCli.Client().NetworkInspectWithRaw(ctx, ref, types.NetworkInspectOptions{})
+	}
+}
+
+func inspectNode(ctx context.Context, dockerCli command.Cli) inspect.GetRefFunc {
+	return func(ref string) (interface{}, []byte, error) {
+		return dockerCli.Client().NodeInspectWithRaw(ctx, ref)
+	}
+}
+
+func inspectService(ctx context.Context, dockerCli command.Cli) inspect.GetRefFunc {
+	return func(ref string) (interface{}, []byte, error) {
+		// Service inspect shows defaults values in empty fields.
+		return dockerCli.Client().ServiceInspectWithRaw(ctx, ref, types.ServiceInspectOptions{InsertDefaults: true})
+	}
+}
+
+func inspectTasks(ctx context.Context, dockerCli command.Cli) inspect.GetRefFunc {
+	return func(ref string) (interface{}, []byte, error) {
+		return dockerCli.Client().TaskInspectWithRaw(ctx, ref)
+	}
+}
+
+func inspectVolume(ctx context.Context, dockerCli command.Cli) inspect.GetRefFunc {
+	return func(ref string) (interface{}, []byte, error) {
+		return dockerCli.Client().VolumeInspectWithRaw(ctx, ref)
+	}
+}
+
+func inspectPlugin(ctx context.Context, dockerCli command.Cli) inspect.GetRefFunc {
+	return func(ref string) (interface{}, []byte, error) {
+		return dockerCli.Client().PluginInspectWithRaw(ctx, ref)
+	}
+}
+
+func inspectSecret(ctx context.Context, dockerCli command.Cli) inspect.GetRefFunc {
+	return func(ref string) (interface{}, []byte, error) {
+		return dockerCli.Client().SecretInspectWithRaw(ctx, ref)
+	}
+}
+
+func inspectAll(ctx context.Context, dockerCli command.Cli, getSize bool, typeConstraint string) inspect.GetRefFunc {
+	var inspectAutodetect = []struct {
+		objectType      string
+		isSizeSupported bool
+		isSwarmObject   bool
+		objectInspector func(string) (interface{}, []byte, error)
+	}{
+		{
+			objectType:      "container",
+			isSizeSupported: true,
+			objectInspector: inspectContainers(ctx, dockerCli, getSize),
+		},
+		{
+			objectType:      "image",
+			objectInspector: inspectImages(ctx, dockerCli),
+		},
+		{
+			objectType:      "network",
+			objectInspector: inspectNetwork(ctx, dockerCli),
+		},
+		{
+			objectType:      "volume",
+			objectInspector: inspectVolume(ctx, dockerCli),
+		},
+		{
+			objectType:      "service",
+			isSwarmObject:   true,
+			objectInspector: inspectService(ctx, dockerCli),
+		},
+		{
+			objectType:      "task",
+			isSwarmObject:   true,
+			objectInspector: inspectTasks(ctx, dockerCli),
+		},
+		{
+			objectType:      "node",
+			isSwarmObject:   true,
+			objectInspector: inspectNode(ctx, dockerCli),
+		},
+		{
+			objectType:      "plugin",
+			objectInspector: inspectPlugin(ctx, dockerCli),
+		},
+		{
+			objectType:      "secret",
+			isSwarmObject:   true,
+			objectInspector: inspectSecret(ctx, dockerCli),
+		},
+	}
+
+	// isSwarmManager does an Info API call to verify that the daemon is
+	// a swarm manager.
+	isSwarmManager := func() bool {
+		info, err := dockerCli.Client().Info(ctx)
+		if err != nil {
+			fmt.Fprintln(dockerCli.Err(), err)
+			return false
+		}
+		return info.Swarm.ControlAvailable
+	}
+
+	return func(ref string) (interface{}, []byte, error) {
+		const (
+			swarmSupportUnknown = iota
+			swarmSupported
+			swarmUnsupported
+		)
+
+		isSwarmSupported := swarmSupportUnknown
+
+		for _, inspectData := range inspectAutodetect {
+			if typeConstraint != "" && inspectData.objectType != typeConstraint {
+				continue
+			}
+			if typeConstraint == "" && inspectData.isSwarmObject {
+				if isSwarmSupported == swarmSupportUnknown {
+					if isSwarmManager() {
+						isSwarmSupported = swarmSupported
+					} else {
+						isSwarmSupported = swarmUnsupported
+					}
+				}
+				if isSwarmSupported == swarmUnsupported {
+					continue
+				}
+			}
+			v, raw, err := inspectData.objectInspector(ref)
+			if err != nil {
+				if typeConstraint == "" && isErrSkippable(err) {
+					continue
+				}
+				return v, raw, err
+			}
+			if getSize && !inspectData.isSizeSupported {
+				fmt.Fprintf(dockerCli.Err(), "WARNING: --size ignored for %s\n", inspectData.objectType)
+			}
+			return v, raw, err
+		}
+		return nil, nil, errors.Errorf("Error: No such object: %s", ref)
+	}
+}
+
+func isErrSkippable(err error) bool {
+	return apiclient.IsErrNotFound(err) ||
+		strings.Contains(err.Error(), "not supported") ||
+		strings.Contains(err.Error(), "invalid reference format")
+}
diff --git a/cli/cli/command/system/prune.go b/cli/cli/command/system/prune.go
new file mode 100644
index 00000000..d0369170
--- /dev/null
+++ b/cli/cli/command/system/prune.go
@@ -0,0 +1,139 @@
+package system
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"text/template"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/container"
+	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/cli/command/network"
+	"github.com/docker/cli/cli/command/volume"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/versions"
+	units "github.com/docker/go-units"
+	"github.com/spf13/cobra"
+)
+
+type pruneOptions struct {
+	force           bool
+	all             bool
+	pruneBuildCache bool
+	pruneVolumes    bool
+	filter          opts.FilterOpt
+}
+
+// newPruneCommand creates a new cobra.Command for `docker prune`
+func newPruneCommand(dockerCli command.Cli) *cobra.Command {
+	options := pruneOptions{filter: opts.NewFilterOpt(), pruneBuildCache: true}
+
+	cmd := &cobra.Command{
+		Use:   "prune [OPTIONS]",
+		Short: "Remove unused data",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runPrune(dockerCli, options)
+		},
+		Annotations: map[string]string{"version": "1.25"},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
+	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused images not just dangling ones")
+	flags.BoolVar(&options.pruneVolumes, "volumes", false, "Prune volumes")
+	flags.Var(&options.filter, "filter", "Provide filter values (e.g. 'label=<key>=<value>')")
+	// "filter" flag is available in 1.28 (docker 17.04) and up
+	flags.SetAnnotation("filter", "version", []string{"1.28"})
+
+	return cmd
+}
+
+const confirmationTemplate = `WARNING! This will remove:
+{{- range $_, $warning := . }}
+        - {{ $warning }}
+{{- end }}
+Are you sure you want to continue?`
+
+// runBuildCachePrune executes a prune command for build cache
+func runBuildCachePrune(dockerCli command.Cli, _ opts.FilterOpt) (uint64, string, error) {
+	report, err := dockerCli.Client().BuildCachePrune(context.Background())
+	if err != nil {
+		return 0, "", err
+	}
+	return report.SpaceReclaimed, "", nil
+}
+
+func runPrune(dockerCli command.Cli, options pruneOptions) error {
+	// TODO version this once "until" filter is supported for volumes
+	if options.pruneVolumes && options.filter.Value().Include("until") {
+		return fmt.Errorf(`ERROR: The "until" filter is not supported with "--volumes"`)
+	}
+	if versions.LessThan(dockerCli.Client().ClientVersion(), "1.31") {
+		options.pruneBuildCache = false
+	}
+	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), confirmationMessage(options)) {
+		return nil
+	}
+	imagePrune := func(dockerCli command.Cli, filter opts.FilterOpt) (uint64, string, error) {
+		return image.RunPrune(dockerCli, options.all, options.filter)
+	}
+	pruneFuncs := []func(dockerCli command.Cli, filter opts.FilterOpt) (uint64, string, error){
+		container.RunPrune,
+		network.RunPrune,
+	}
+	if options.pruneVolumes {
+		pruneFuncs = append(pruneFuncs, volume.RunPrune)
+	}
+	pruneFuncs = append(pruneFuncs, imagePrune)
+	if options.pruneBuildCache {
+		pruneFuncs = append(pruneFuncs, runBuildCachePrune)
+	}
+
+	var spaceReclaimed uint64
+	for _, pruneFn := range pruneFuncs {
+		spc, output, err := pruneFn(dockerCli, options.filter)
+		if err != nil {
+			return err
+		}
+		spaceReclaimed += spc
+		if output != "" {
+			fmt.Fprintln(dockerCli.Out(), output)
+		}
+	}
+
+	fmt.Fprintln(dockerCli.Out(), "Total reclaimed space:", units.HumanSize(float64(spaceReclaimed)))
+
+	return nil
+}
+
+// confirmationMessage constructs a confirmation message that depends on the cli options.
+func confirmationMessage(options pruneOptions) string {
+	t := template.Must(template.New("confirmation message").Parse(confirmationTemplate))
+
+	warnings := []string{
+		"all stopped containers",
+		"all networks not used by at least one container",
+	}
+	if options.pruneVolumes {
+		warnings = append(warnings, "all volumes not used by at least one container")
+	}
+	if options.all {
+		warnings = append(warnings, "all images without at least one container associated to them")
+	} else {
+		warnings = append(warnings, "all dangling images")
+	}
+	if options.pruneBuildCache {
+		warnings = append(warnings, "all build cache")
+	}
+	if len(options.filter.String()) > 0 {
+		warnings = append(warnings, "Elements to be pruned will be filtered with:")
+		warnings = append(warnings, "label="+options.filter.String())
+	}
+
+	var buffer bytes.Buffer
+	t.Execute(&buffer, &warnings)
+	return buffer.String()
+}
diff --git a/cli/cli/command/system/prune_test.go b/cli/cli/command/system/prune_test.go
new file mode 100644
index 00000000..c0b5cafd
--- /dev/null
+++ b/cli/cli/command/system/prune_test.go
@@ -0,0 +1,22 @@
+package system
+
+import (
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestPrunePromptPre131DoesNotIncludeBuildCache(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{version: "1.30"})
+	cmd := newPruneCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	expected := `WARNING! This will remove:
+        - all stopped containers
+        - all networks not used by at least one container
+        - all dangling images
+Are you sure you want to continue? [y/N] `
+	assert.Check(t, is.Equal(expected, cli.OutBuffer().String()))
+
+}
diff --git a/cli/cli/command/system/testdata/docker-client-version.golden b/cli/cli/command/system/testdata/docker-client-version.golden
new file mode 100644
index 00000000..04cc88a6
--- /dev/null
+++ b/cli/cli/command/system/testdata/docker-client-version.golden
@@ -0,0 +1,44 @@
+Client:
+ Version:           18.99.5-ce
+ API version:       1.38
+ Go version:        go1.10.2
+ Git commit:        deadbeef
+ Built:             Wed May 30 22:21:05 2018
+ OS/Arch:           linux/amd64
+ Experimental:      true
+
+Server: Docker Enterprise Edition (EE) 2.0
+ Engine:
+  Version:          17.06.2-ee-15
+  API version:      1.30 (minimum version 1.12)
+  Go version:       go1.8.7
+  Git commit:       64ddfa6
+  Built:            Mon Jul  9 23:38:38 2018
+  OS/Arch:          linux/amd64
+  Experimental:     false
+ Universal Control Plane:
+  Version:          17.06.2-ee-15
+  ApiVersion:       1.30
+  Arch:             amd64
+  BuildTime:        Mon Jul  2 21:24:07 UTC 2018
+  GitCommit:        4513922
+  GoVersion:        go1.9.4
+  MinApiVersion:    1.20
+  Os:               linux
+  Version:          3.0.3-tp2
+ Kubernetes:
+  Version:          1.8+
+  buildDate:        2018-04-26T16:51:21Z
+  compiler:         gc
+  gitCommit:        8d637aedf46b9c21dde723e29c645b9f27106fa5
+  gitTreeState:     clean
+  gitVersion:       v1.8.11-docker-8d637ae
+  goVersion:        go1.8.3
+  major:            1
+  minor:            8+
+  platform:         linux/amd64
+ Calico:
+  Version:          v3.0.8
+  cni:              v2.0.6
+  kube-controllers: v2.0.5
+  node:             v3.0.8
diff --git a/cli/cli/command/system/testdata/docker-info-no-swarm.golden b/cli/cli/command/system/testdata/docker-info-no-swarm.golden
new file mode 100644
index 00000000..7a3e9667
--- /dev/null
+++ b/cli/cli/command/system/testdata/docker-info-no-swarm.golden
@@ -0,0 +1,51 @@
+Containers: 0
+ Running: 0
+ Paused: 0
+ Stopped: 0
+Images: 0
+Server Version: 17.06.1-ce
+Storage Driver: aufs
+ Root Dir: /var/lib/docker/aufs
+ Backing Filesystem: extfs
+ Dirs: 0
+ Dirperm1 Supported: true
+Logging Driver: json-file
+Cgroup Driver: cgroupfs
+Plugins:
+ Volume: local
+ Network: bridge host macvlan null overlay
+ Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
+Swarm: inactive
+Runtimes: runc
+Default Runtime: runc
+Init Binary: docker-init
+containerd version: 6e23458c129b551d5c9871e5174f6b1b7f6d1170
+runc version: 810190ceaa507aa2727d7ae6f4790c76ec150bd2
+init version: 949e6fa
+Security Options:
+ apparmor
+ seccomp
+  Profile: default
+Kernel Version: 4.4.0-87-generic
+Operating System: Ubuntu 16.04.3 LTS
+OSType: linux
+Architecture: x86_64
+CPUs: 2
+Total Memory: 1.953GiB
+Name: system-sample
+ID: EKHL:QDUU:QZ7U:MKGD:VDXK:S27Q:GIPU:24B7:R7VT:DGN6:QCSF:2UBX
+Docker Root Dir: /var/lib/docker
+Debug Mode (client): false
+Debug Mode (server): true
+ File Descriptors: 33
+ Goroutines: 135
+ System Time: 2017-08-24T17:44:34.077811894Z
+ EventsListeners: 0
+Registry: https://index.docker.io/v1/
+Labels:
+ provider=digitalocean
+Experimental: false
+Insecure Registries:
+ 127.0.0.0/8
+Live Restore Enabled: false
+
diff --git a/cli/cli/command/system/testdata/docker-info-warnings.golden b/cli/cli/command/system/testdata/docker-info-warnings.golden
new file mode 100644
index 00000000..a7a4d792
--- /dev/null
+++ b/cli/cli/command/system/testdata/docker-info-warnings.golden
@@ -0,0 +1,11 @@
+WARNING: No memory limit support
+WARNING: No swap limit support
+WARNING: No kernel memory limit support
+WARNING: No oom kill disable support
+WARNING: No cpu cfs quota support
+WARNING: No cpu cfs period support
+WARNING: No cpu shares support
+WARNING: No cpuset support
+WARNING: IPv4 forwarding is disabled
+WARNING: bridge-nf-call-iptables is disabled
+WARNING: bridge-nf-call-ip6tables is disabled
diff --git a/cli/cli/command/system/testdata/docker-info-with-swarm.golden b/cli/cli/command/system/testdata/docker-info-with-swarm.golden
new file mode 100644
index 00000000..17bb70fa
--- /dev/null
+++ b/cli/cli/command/system/testdata/docker-info-with-swarm.golden
@@ -0,0 +1,73 @@
+Containers: 0
+ Running: 0
+ Paused: 0
+ Stopped: 0
+Images: 0
+Server Version: 17.06.1-ce
+Storage Driver: aufs
+ Root Dir: /var/lib/docker/aufs
+ Backing Filesystem: extfs
+ Dirs: 0
+ Dirperm1 Supported: true
+Logging Driver: json-file
+Cgroup Driver: cgroupfs
+Plugins:
+ Volume: local
+ Network: bridge host macvlan null overlay
+ Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
+Swarm: active
+ NodeID: qo2dfdig9mmxqkawulggepdih
+ Is Manager: true
+ ClusterID: 9vs5ygs0gguyyec4iqf2314c0
+ Managers: 1
+ Nodes: 1
+ Orchestration:
+  Task History Retention Limit: 5
+ Raft:
+  Snapshot Interval: 10000
+  Number of Old Snapshots to Retain: 0
+  Heartbeat Tick: 1
+  Election Tick: 3
+ Dispatcher:
+  Heartbeat Period: 5 seconds
+ CA Configuration:
+  Expiry Duration: 3 months
+  Force Rotate: 0
+ Autolock Managers: true
+ Root Rotation In Progress: false
+ Node Address: 165.227.107.89
+ Manager Addresses:
+  165.227.107.89:2377
+Runtimes: runc
+Default Runtime: runc
+Init Binary: docker-init
+containerd version: 6e23458c129b551d5c9871e5174f6b1b7f6d1170
+runc version: 810190ceaa507aa2727d7ae6f4790c76ec150bd2
+init version: 949e6fa
+Security Options:
+ apparmor
+ seccomp
+  Profile: default
+Kernel Version: 4.4.0-87-generic
+Operating System: Ubuntu 16.04.3 LTS
+OSType: linux
+Architecture: x86_64
+CPUs: 2
+Total Memory: 1.953GiB
+Name: system-sample
+ID: EKHL:QDUU:QZ7U:MKGD:VDXK:S27Q:GIPU:24B7:R7VT:DGN6:QCSF:2UBX
+Docker Root Dir: /var/lib/docker
+Debug Mode (client): false
+Debug Mode (server): true
+ File Descriptors: 33
+ Goroutines: 135
+ System Time: 2017-08-24T17:44:34.077811894Z
+ EventsListeners: 0
+Registry: https://index.docker.io/v1/
+Labels:
+ provider=digitalocean
+Experimental: false
+Insecure Registries:
+ 127.0.0.0/8
+Live Restore Enabled: false
+
diff --git a/cli/cli/command/system/version.go b/cli/cli/command/system/version.go
new file mode 100644
index 00000000..7593b11b
--- /dev/null
+++ b/cli/cli/command/system/version.go
@@ -0,0 +1,270 @@
+package system
+
+import (
+	"context"
+	"fmt"
+	"runtime"
+	"sort"
+	"text/tabwriter"
+	"text/template"
+	"time"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/kubernetes"
+	"github.com/docker/cli/templates"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	kubernetesClient "k8s.io/client-go/kubernetes"
+)
+
+var versionTemplate = `{{with .Client -}}
+Client:{{if ne .Platform.Name ""}} {{.Platform.Name}}{{end}}
+ Version:	{{.Version}}
+ API version:	{{.APIVersion}}{{if ne .APIVersion .DefaultAPIVersion}} (downgraded from {{.DefaultAPIVersion}}){{end}}
+ Go version:	{{.GoVersion}}
+ Git commit:	{{.GitCommit}}
+ Built:	{{.BuildTime}}
+ OS/Arch:	{{.Os}}/{{.Arch}}
+ Experimental:	{{.Experimental}}
+{{- end}}
+
+{{- if .ServerOK}}{{with .Server}}
+
+Server:{{if ne .Platform.Name ""}} {{.Platform.Name}}{{end}}
+ {{- range $component := .Components}}
+ {{$component.Name}}:
+  {{- if eq $component.Name "Engine" }}
+  Version:	{{.Version}}
+  API version:	{{index .Details "ApiVersion"}} (minimum version {{index .Details "MinAPIVersion"}})
+  Go version:	{{index .Details "GoVersion"}}
+  Git commit:	{{index .Details "GitCommit"}}
+  Built:	{{index .Details "BuildTime"}}
+  OS/Arch:	{{index .Details "Os"}}/{{index .Details "Arch"}}
+  Experimental:	{{index .Details "Experimental"}}
+  {{- else }}
+  Version:	{{$component.Version}}
+  {{- $detailsOrder := getDetailsOrder $component}}
+  {{- range $key := $detailsOrder}}
+  {{$key}}:	{{index $component.Details $key}}
+   {{- end}}
+  {{- end}}
+ {{- end}}
+ {{- end}}{{- end}}`
+
+type versionOptions struct {
+	format     string
+	kubeConfig string
+}
+
+// versionInfo contains version information of both the Client, and Server
+type versionInfo struct {
+	Client clientVersion
+	Server *types.Version
+}
+
+type clientVersion struct {
+	Platform struct{ Name string } `json:",omitempty"`
+
+	Version           string
+	APIVersion        string `json:"ApiVersion"`
+	DefaultAPIVersion string `json:"DefaultAPIVersion,omitempty"`
+	GitCommit         string
+	GoVersion         string
+	Os                string
+	Arch              string
+	BuildTime         string `json:",omitempty"`
+	Experimental      bool
+}
+
+type kubernetesVersion struct {
+	Kubernetes string
+	StackAPI   string
+}
+
+// ServerOK returns true when the client could connect to the docker server
+// and parse the information received. It returns false otherwise.
+func (v versionInfo) ServerOK() bool {
+	return v.Server != nil
+}
+
+// NewVersionCommand creates a new cobra.Command for `docker version`
+func NewVersionCommand(dockerCli command.Cli) *cobra.Command {
+	var opts versionOptions
+
+	cmd := &cobra.Command{
+		Use:   "version [OPTIONS]",
+		Short: "Show the Docker version information",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runVersion(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+	flags.StringVar(&opts.kubeConfig, "kubeconfig", "", "Kubernetes config file")
+	flags.SetAnnotation("kubeconfig", "kubernetes", nil)
+
+	return cmd
+}
+
+func reformatDate(buildTime string) string {
+	t, errTime := time.Parse(time.RFC3339Nano, buildTime)
+	if errTime == nil {
+		return t.Format(time.ANSIC)
+	}
+	return buildTime
+}
+
+func runVersion(dockerCli command.Cli, opts *versionOptions) error {
+	var err error
+	tmpl, err := newVersionTemplate(opts.format)
+	if err != nil {
+		return cli.StatusError{StatusCode: 64, Status: err.Error()}
+	}
+
+	orchestrator, err := command.GetStackOrchestrator("", dockerCli.ConfigFile().StackOrchestrator, dockerCli.Err())
+	if err != nil {
+		return cli.StatusError{StatusCode: 64, Status: err.Error()}
+	}
+
+	vd := versionInfo{
+		Client: clientVersion{
+			Platform:          struct{ Name string }{cli.PlatformName},
+			Version:           cli.Version,
+			APIVersion:        dockerCli.Client().ClientVersion(),
+			DefaultAPIVersion: dockerCli.DefaultVersion(),
+			GoVersion:         runtime.Version(),
+			GitCommit:         cli.GitCommit,
+			BuildTime:         reformatDate(cli.BuildTime),
+			Os:                runtime.GOOS,
+			Arch:              runtime.GOARCH,
+			Experimental:      dockerCli.ClientInfo().HasExperimental,
+		},
+	}
+
+	sv, err := dockerCli.Client().ServerVersion(context.Background())
+	if err == nil {
+		vd.Server = &sv
+		var kubeVersion *kubernetesVersion
+		if orchestrator.HasKubernetes() {
+			kubeVersion = getKubernetesVersion(opts.kubeConfig)
+		}
+		foundEngine := false
+		foundKubernetes := false
+		for _, component := range sv.Components {
+			switch component.Name {
+			case "Engine":
+				foundEngine = true
+				buildTime, ok := component.Details["BuildTime"]
+				if ok {
+					component.Details["BuildTime"] = reformatDate(buildTime)
+				}
+			case "Kubernetes":
+				foundKubernetes = true
+				if _, ok := component.Details["StackAPI"]; !ok && kubeVersion != nil {
+					component.Details["StackAPI"] = kubeVersion.StackAPI
+				}
+			}
+		}
+
+		if !foundEngine {
+			vd.Server.Components = append(vd.Server.Components, types.ComponentVersion{
+				Name:    "Engine",
+				Version: sv.Version,
+				Details: map[string]string{
+					"ApiVersion":    sv.APIVersion,
+					"MinAPIVersion": sv.MinAPIVersion,
+					"GitCommit":     sv.GitCommit,
+					"GoVersion":     sv.GoVersion,
+					"Os":            sv.Os,
+					"Arch":          sv.Arch,
+					"BuildTime":     reformatDate(vd.Server.BuildTime),
+					"Experimental":  fmt.Sprintf("%t", sv.Experimental),
+				},
+			})
+		}
+		if !foundKubernetes && kubeVersion != nil {
+			vd.Server.Components = append(vd.Server.Components, types.ComponentVersion{
+				Name:    "Kubernetes",
+				Version: kubeVersion.Kubernetes,
+				Details: map[string]string{
+					"StackAPI": kubeVersion.StackAPI,
+				},
+			})
+		}
+	}
+	if err2 := prettyPrintVersion(dockerCli, vd, tmpl); err2 != nil && err == nil {
+		err = err2
+	}
+	return err
+}
+
+func prettyPrintVersion(dockerCli command.Cli, vd versionInfo, tmpl *template.Template) error {
+	t := tabwriter.NewWriter(dockerCli.Out(), 20, 1, 1, ' ', 0)
+	err := tmpl.Execute(t, vd)
+	t.Write([]byte("\n"))
+	t.Flush()
+	return err
+}
+
+func newVersionTemplate(templateFormat string) (*template.Template, error) {
+	if templateFormat == "" {
+		templateFormat = versionTemplate
+	}
+	tmpl := templates.New("version").Funcs(template.FuncMap{"getDetailsOrder": getDetailsOrder})
+	tmpl, err := tmpl.Parse(templateFormat)
+
+	return tmpl, errors.Wrap(err, "Template parsing error")
+}
+
+func getDetailsOrder(v types.ComponentVersion) []string {
+	out := make([]string, 0, len(v.Details))
+	for k := range v.Details {
+		out = append(out, k)
+	}
+	sort.Strings(out)
+	return out
+}
+
+func getKubernetesVersion(kubeConfig string) *kubernetesVersion {
+	version := kubernetesVersion{
+		Kubernetes: "Unknown",
+		StackAPI:   "Unknown",
+	}
+	clientConfig := kubernetes.NewKubernetesConfig(kubeConfig)
+	config, err := clientConfig.ClientConfig()
+	if err != nil {
+		logrus.Debugf("failed to get Kubernetes configuration: %s", err)
+		return &version
+	}
+	kubeClient, err := kubernetesClient.NewForConfig(config)
+	if err != nil {
+		logrus.Debugf("failed to get Kubernetes client: %s", err)
+		return &version
+	}
+	version.StackAPI = getStackVersion(kubeClient)
+	version.Kubernetes = getKubernetesServerVersion(kubeClient)
+	return &version
+}
+
+func getStackVersion(client *kubernetesClient.Clientset) string {
+	apiVersion, err := kubernetes.GetStackAPIVersion(client)
+	if err != nil {
+		logrus.Debugf("failed to get Stack API version: %s", err)
+		return "Unknown"
+	}
+	return string(apiVersion)
+}
+
+func getKubernetesServerVersion(client *kubernetesClient.Clientset) string {
+	kubeVersion, err := client.DiscoveryClient.ServerVersion()
+	if err != nil {
+		logrus.Debugf("failed to get Kubernetes server version: %s", err)
+		return "Unknown"
+	}
+	return kubeVersion.String()
+}
diff --git a/cli/cli/command/system/version_test.go b/cli/cli/command/system/version_test.go
new file mode 100644
index 00000000..0a4f47e3
--- /dev/null
+++ b/cli/cli/command/system/version_test.go
@@ -0,0 +1,113 @@
+package system
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+)
+
+func TestVersionWithoutServer(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		serverVersion: func(ctx context.Context) (types.Version, error) {
+			return types.Version{}, fmt.Errorf("no server")
+		},
+	})
+	cmd := NewVersionCommand(cli)
+	cmd.SetOutput(cli.Err())
+	assert.ErrorContains(t, cmd.Execute(), "no server")
+	out := cli.OutBuffer().String()
+	// TODO: use an assertion like e2e/image/build_test.go:assertBuildOutput()
+	// instead of contains/not contains
+	assert.Check(t, is.Contains(out, "Client:"))
+	assert.Assert(t, !strings.Contains(out, "Server:"), "actual: %s", out)
+}
+
+func TestVersionAlign(t *testing.T) {
+	vi := versionInfo{
+		Client: clientVersion{
+			Version:           "18.99.5-ce",
+			APIVersion:        "1.38",
+			DefaultAPIVersion: "1.38",
+			GitCommit:         "deadbeef",
+			GoVersion:         "go1.10.2",
+			Os:                "linux",
+			Arch:              "amd64",
+			BuildTime:         "Wed May 30 22:21:05 2018",
+			Experimental:      true,
+		},
+		Server: &types.Version{},
+	}
+
+	vi.Server.Platform.Name = "Docker Enterprise Edition (EE) 2.0"
+
+	vi.Server.Components = append(vi.Server.Components, types.ComponentVersion{
+		Name:    "Engine",
+		Version: "17.06.2-ee-15",
+		Details: map[string]string{
+			"ApiVersion":    "1.30",
+			"MinAPIVersion": "1.12",
+			"GitCommit":     "64ddfa6",
+			"GoVersion":     "go1.8.7",
+			"Os":            "linux",
+			"Arch":          "amd64",
+			"BuildTime":     "Mon Jul  9 23:38:38 2018",
+			"Experimental":  "false",
+		},
+	})
+
+	vi.Server.Components = append(vi.Server.Components, types.ComponentVersion{
+		Name:    "Universal Control Plane",
+		Version: "17.06.2-ee-15",
+		Details: map[string]string{
+			"Version":       "3.0.3-tp2",
+			"ApiVersion":    "1.30",
+			"Arch":          "amd64",
+			"BuildTime":     "Mon Jul  2 21:24:07 UTC 2018",
+			"GitCommit":     "4513922",
+			"GoVersion":     "go1.9.4",
+			"MinApiVersion": "1.20",
+			"Os":            "linux",
+		},
+	})
+
+	vi.Server.Components = append(vi.Server.Components, types.ComponentVersion{
+		Name:    "Kubernetes",
+		Version: "1.8+",
+		Details: map[string]string{
+			"buildDate":    "2018-04-26T16:51:21Z",
+			"compiler":     "gc",
+			"gitCommit":    "8d637aedf46b9c21dde723e29c645b9f27106fa5",
+			"gitTreeState": "clean",
+			"gitVersion":   "v1.8.11-docker-8d637ae",
+			"goVersion":    "go1.8.3",
+			"major":        "1",
+			"minor":        "8+",
+			"platform":     "linux/amd64",
+		},
+	})
+
+	vi.Server.Components = append(vi.Server.Components, types.ComponentVersion{
+		Name:    "Calico",
+		Version: "v3.0.8",
+		Details: map[string]string{
+			"cni":              "v2.0.6",
+			"kube-controllers": "v2.0.5",
+			"node":             "v3.0.8",
+		},
+	})
+
+	cli := test.NewFakeCli(&fakeClient{})
+	tmpl, err := newVersionTemplate("")
+	assert.NilError(t, err)
+	assert.NilError(t, prettyPrintVersion(cli, vi, tmpl))
+	assert.Check(t, golden.String(cli.OutBuffer().String(), "docker-client-version.golden"))
+	assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+}
diff --git a/cli/cli/command/task/client_test.go b/cli/cli/command/task/client_test.go
new file mode 100644
index 00000000..9aa84977
--- /dev/null
+++ b/cli/cli/command/task/client_test.go
@@ -0,0 +1,29 @@
+package task
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.APIClient
+	nodeInspectWithRaw    func(ref string) (swarm.Node, []byte, error)
+	serviceInspectWithRaw func(ref string, options types.ServiceInspectOptions) (swarm.Service, []byte, error)
+}
+
+func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+	if cli.nodeInspectWithRaw != nil {
+		return cli.nodeInspectWithRaw(ref)
+	}
+	return swarm.Node{}, nil, nil
+}
+
+func (cli *fakeClient) ServiceInspectWithRaw(ctx context.Context, ref string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+	if cli.serviceInspectWithRaw != nil {
+		return cli.serviceInspectWithRaw(ref, options)
+	}
+	return swarm.Service{}, nil, nil
+}
diff --git a/cli/cli/command/task/print.go b/cli/cli/command/task/print.go
new file mode 100644
index 00000000..0f430e50
--- /dev/null
+++ b/cli/cli/command/task/print.go
@@ -0,0 +1,93 @@
+package task
+
+import (
+	"context"
+	"fmt"
+	"sort"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/cli/command/idresolver"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+type tasksBySlot []swarm.Task
+
+func (t tasksBySlot) Len() int {
+	return len(t)
+}
+
+func (t tasksBySlot) Swap(i, j int) {
+	t[i], t[j] = t[j], t[i]
+}
+
+func (t tasksBySlot) Less(i, j int) bool {
+	// Sort by slot.
+	if t[i].Slot != t[j].Slot {
+		return t[i].Slot < t[j].Slot
+	}
+
+	// If same slot, sort by most recent.
+	return t[j].Meta.CreatedAt.Before(t[i].CreatedAt)
+}
+
+// Print task information in a format.
+// Besides this, command `docker node ps <node>`
+// and `docker stack ps` will call this, too.
+func Print(ctx context.Context, dockerCli command.Cli, tasks []swarm.Task, resolver *idresolver.IDResolver, trunc, quiet bool, format string) error {
+	sort.Stable(tasksBySlot(tasks))
+
+	names := map[string]string{}
+	nodes := map[string]string{}
+
+	tasksCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewTaskFormat(format, quiet),
+		Trunc:  trunc,
+	}
+
+	prevName := ""
+	for _, task := range tasks {
+		serviceName, err := resolver.Resolve(ctx, swarm.Service{}, task.ServiceID)
+		if err != nil {
+			return err
+		}
+
+		nodeValue, err := resolver.Resolve(ctx, swarm.Node{}, task.NodeID)
+		if err != nil {
+			return err
+		}
+
+		var name string
+		if task.Slot != 0 {
+			name = fmt.Sprintf("%v.%v", serviceName, task.Slot)
+		} else {
+			name = fmt.Sprintf("%v.%v", serviceName, task.NodeID)
+		}
+
+		// Indent the name if necessary
+		indentedName := name
+		if name == prevName {
+			indentedName = fmt.Sprintf(" \\_ %s", indentedName)
+		}
+		prevName = name
+
+		names[task.ID] = name
+		if tasksCtx.Format.IsTable() {
+			names[task.ID] = indentedName
+		}
+		nodes[task.ID] = nodeValue
+	}
+
+	return formatter.TaskWrite(tasksCtx, tasks, names, nodes)
+}
+
+// DefaultFormat returns the default format from the config file, or table
+// format if nothing is set in the config.
+func DefaultFormat(configFile *configfile.ConfigFile, quiet bool) string {
+	if len(configFile.TasksFormat) > 0 && !quiet {
+		return configFile.TasksFormat
+	}
+	return formatter.TableFormatKey
+}
diff --git a/cli/cli/command/task/print_test.go b/cli/cli/command/task/print_test.go
new file mode 100644
index 00000000..6fa6e586
--- /dev/null
+++ b/cli/cli/command/task/print_test.go
@@ -0,0 +1,128 @@
+package task
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/cli/command/idresolver"
+	"github.com/docker/cli/internal/test"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestTaskPrintWithQuietOption(t *testing.T) {
+	quiet := true
+	trunc := false
+	noResolve := true
+	apiClient := &fakeClient{}
+	cli := test.NewFakeCli(apiClient)
+	tasks := []swarm.Task{*Task(TaskID("id-foo"))}
+	err := Print(context.Background(), cli, tasks, idresolver.New(apiClient, noResolve), trunc, quiet, formatter.TableFormatKey)
+	assert.NilError(t, err)
+	golden.Assert(t, cli.OutBuffer().String(), "task-print-with-quiet-option.golden")
+}
+
+func TestTaskPrintWithNoTruncOption(t *testing.T) {
+	quiet := false
+	trunc := false
+	noResolve := true
+	apiClient := &fakeClient{}
+	cli := test.NewFakeCli(apiClient)
+	tasks := []swarm.Task{
+		*Task(TaskID("id-foo-yov6omdek8fg3k5stosyp2m50")),
+	}
+	err := Print(context.Background(), cli, tasks, idresolver.New(apiClient, noResolve), trunc, quiet, "{{ .ID }}")
+	assert.NilError(t, err)
+	golden.Assert(t, cli.OutBuffer().String(), "task-print-with-no-trunc-option.golden")
+}
+
+func TestTaskPrintWithGlobalService(t *testing.T) {
+	quiet := false
+	trunc := false
+	noResolve := true
+	apiClient := &fakeClient{}
+	cli := test.NewFakeCli(apiClient)
+	tasks := []swarm.Task{
+		*Task(TaskServiceID("service-id-foo"), TaskNodeID("node-id-bar"), TaskSlot(0)),
+	}
+	err := Print(context.Background(), cli, tasks, idresolver.New(apiClient, noResolve), trunc, quiet, "{{ .Name }}")
+	assert.NilError(t, err)
+	golden.Assert(t, cli.OutBuffer().String(), "task-print-with-global-service.golden")
+}
+
+func TestTaskPrintWithReplicatedService(t *testing.T) {
+	quiet := false
+	trunc := false
+	noResolve := true
+	apiClient := &fakeClient{}
+	cli := test.NewFakeCli(apiClient)
+	tasks := []swarm.Task{
+		*Task(TaskServiceID("service-id-foo"), TaskSlot(1)),
+	}
+	err := Print(context.Background(), cli, tasks, idresolver.New(apiClient, noResolve), trunc, quiet, "{{ .Name }}")
+	assert.NilError(t, err)
+	golden.Assert(t, cli.OutBuffer().String(), "task-print-with-replicated-service.golden")
+}
+
+func TestTaskPrintWithIndentation(t *testing.T) {
+	quiet := false
+	trunc := false
+	noResolve := false
+	apiClient := &fakeClient{
+		serviceInspectWithRaw: func(ref string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+			return *Service(ServiceName("service-name-foo")), nil, nil
+		},
+		nodeInspectWithRaw: func(ref string) (swarm.Node, []byte, error) {
+			return *Node(NodeName("node-name-bar")), nil, nil
+		},
+	}
+	cli := test.NewFakeCli(apiClient)
+	tasks := []swarm.Task{
+		*Task(
+			TaskID("id-foo"),
+			TaskServiceID("service-id-foo"),
+			TaskNodeID("id-node"),
+			WithTaskSpec(TaskImage("myimage:mytag")),
+			TaskDesiredState(swarm.TaskStateReady),
+			WithStatus(TaskState(swarm.TaskStateFailed), Timestamp(time.Now().Add(-2*time.Hour))),
+		),
+		*Task(
+			TaskID("id-bar"),
+			TaskServiceID("service-id-foo"),
+			TaskNodeID("id-node"),
+			WithTaskSpec(TaskImage("myimage:mytag")),
+			TaskDesiredState(swarm.TaskStateReady),
+			WithStatus(TaskState(swarm.TaskStateFailed), Timestamp(time.Now().Add(-2*time.Hour))),
+		),
+	}
+	err := Print(context.Background(), cli, tasks, idresolver.New(apiClient, noResolve), trunc, quiet, formatter.TableFormatKey)
+	assert.NilError(t, err)
+	golden.Assert(t, cli.OutBuffer().String(), "task-print-with-indentation.golden")
+}
+
+func TestTaskPrintWithResolution(t *testing.T) {
+	quiet := false
+	trunc := false
+	noResolve := false
+	apiClient := &fakeClient{
+		serviceInspectWithRaw: func(ref string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+			return *Service(ServiceName("service-name-foo")), nil, nil
+		},
+		nodeInspectWithRaw: func(ref string) (swarm.Node, []byte, error) {
+			return *Node(NodeName("node-name-bar")), nil, nil
+		},
+	}
+	cli := test.NewFakeCli(apiClient)
+	tasks := []swarm.Task{
+		*Task(TaskServiceID("service-id-foo"), TaskSlot(1)),
+	}
+	err := Print(context.Background(), cli, tasks, idresolver.New(apiClient, noResolve), trunc, quiet, "{{ .Name }} {{ .Node }}")
+	assert.NilError(t, err)
+	golden.Assert(t, cli.OutBuffer().String(), "task-print-with-resolution.golden")
+}
diff --git a/cli/cli/command/task/testdata/task-print-with-global-service.golden b/cli/cli/command/task/testdata/task-print-with-global-service.golden
new file mode 100644
index 00000000..fbc81248
--- /dev/null
+++ b/cli/cli/command/task/testdata/task-print-with-global-service.golden
@@ -0,0 +1 @@
+service-id-foo.node-id-bar
diff --git a/cli/cli/command/task/testdata/task-print-with-indentation.golden b/cli/cli/command/task/testdata/task-print-with-indentation.golden
new file mode 100644
index 00000000..8fa174a4
--- /dev/null
+++ b/cli/cli/command/task/testdata/task-print-with-indentation.golden
@@ -0,0 +1,3 @@
+ID                  NAME                     IMAGE               NODE                DESIRED STATE       CURRENT STATE        ERROR               PORTS
+id-foo              service-name-foo.1       myimage:mytag       node-name-bar       Ready               Failed 2 hours ago                       
+id-bar               \_ service-name-foo.1   myimage:mytag       node-name-bar       Ready               Failed 2 hours ago                       
diff --git a/cli/cli/command/task/testdata/task-print-with-no-trunc-option.golden b/cli/cli/command/task/testdata/task-print-with-no-trunc-option.golden
new file mode 100644
index 00000000..184d2de2
--- /dev/null
+++ b/cli/cli/command/task/testdata/task-print-with-no-trunc-option.golden
@@ -0,0 +1 @@
+id-foo-yov6omdek8fg3k5stosyp2m50
diff --git a/cli/cli/command/task/testdata/task-print-with-quiet-option.golden b/cli/cli/command/task/testdata/task-print-with-quiet-option.golden
new file mode 100644
index 00000000..e2faeb60
--- /dev/null
+++ b/cli/cli/command/task/testdata/task-print-with-quiet-option.golden
@@ -0,0 +1 @@
+id-foo
diff --git a/cli/cli/command/task/testdata/task-print-with-replicated-service.golden b/cli/cli/command/task/testdata/task-print-with-replicated-service.golden
new file mode 100644
index 00000000..9ecebdaf
--- /dev/null
+++ b/cli/cli/command/task/testdata/task-print-with-replicated-service.golden
@@ -0,0 +1 @@
+service-id-foo.1
diff --git a/cli/cli/command/task/testdata/task-print-with-resolution.golden b/cli/cli/command/task/testdata/task-print-with-resolution.golden
new file mode 100644
index 00000000..747d1af4
--- /dev/null
+++ b/cli/cli/command/task/testdata/task-print-with-resolution.golden
@@ -0,0 +1 @@
+service-name-foo.1 node-name-bar
diff --git a/cli/cli/command/trust.go b/cli/cli/command/trust.go
new file mode 100644
index 00000000..65f24085
--- /dev/null
+++ b/cli/cli/command/trust.go
@@ -0,0 +1,15 @@
+package command
+
+import (
+	"github.com/spf13/pflag"
+)
+
+// AddTrustVerificationFlags adds content trust flags to the provided flagset
+func AddTrustVerificationFlags(fs *pflag.FlagSet, v *bool, trusted bool) {
+	fs.BoolVar(v, "disable-content-trust", !trusted, "Skip image verification")
+}
+
+// AddTrustSigningFlags adds "signing" flags to the provided flagset
+func AddTrustSigningFlags(fs *pflag.FlagSet, v *bool, trusted bool) {
+	fs.BoolVar(v, "disable-content-trust", !trusted, "Skip image signing")
+}
diff --git a/cli/cli/command/trust/cmd.go b/cli/cli/command/trust/cmd.go
new file mode 100644
index 00000000..bb6ceace
--- /dev/null
+++ b/cli/cli/command/trust/cmd.go
@@ -0,0 +1,25 @@
+package trust
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// NewTrustCommand returns a cobra command for `trust` subcommands
+func NewTrustCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "trust",
+		Short: "Manage trust on Docker images",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+	}
+	cmd.AddCommand(
+		newRevokeCommand(dockerCli),
+		newSignCommand(dockerCli),
+		newTrustKeyCommand(dockerCli),
+		newTrustSignerCommand(dockerCli),
+		newInspectCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/trust/common.go b/cli/cli/command/trust/common.go
new file mode 100644
index 00000000..9173e6ee
--- /dev/null
+++ b/cli/cli/command/trust/common.go
@@ -0,0 +1,167 @@
+package trust
+
+import (
+	"context"
+	"encoding/hex"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/cli/trust"
+	"github.com/sirupsen/logrus"
+	"github.com/theupdateframework/notary"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/tuf/data"
+)
+
+// trustTagKey represents a unique signed tag and hex-encoded hash pair
+type trustTagKey struct {
+	SignedTag string
+	Digest    string
+}
+
+// trustTagRow encodes all human-consumable information for a signed tag, including signers
+type trustTagRow struct {
+	trustTagKey
+	Signers []string
+}
+
+type trustTagRowList []trustTagRow
+
+func (tagComparator trustTagRowList) Len() int {
+	return len(tagComparator)
+}
+
+func (tagComparator trustTagRowList) Less(i, j int) bool {
+	return tagComparator[i].SignedTag < tagComparator[j].SignedTag
+}
+
+func (tagComparator trustTagRowList) Swap(i, j int) {
+	tagComparator[i], tagComparator[j] = tagComparator[j], tagComparator[i]
+}
+
+// trustRepo represents consumable information about a trusted repository
+type trustRepo struct {
+	Name              string
+	SignedTags        trustTagRowList
+	Signers           []trustSigner
+	AdminstrativeKeys []trustSigner
+}
+
+// trustSigner represents a trusted signer in a trusted repository
+// a signer is defined by a name and list of trustKeys
+type trustSigner struct {
+	Name string     `json:",omitempty"`
+	Keys []trustKey `json:",omitempty"`
+}
+
+// trustKey contains information about trusted keys
+type trustKey struct {
+	ID string `json:",omitempty"`
+}
+
+// lookupTrustInfo returns processed signature and role information about a notary repository.
+// This information is to be pretty printed or serialized into a machine-readable format.
+func lookupTrustInfo(cli command.Cli, remote string) (trustTagRowList, []client.RoleWithSignatures, []data.Role, error) {
+	ctx := context.Background()
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), remote)
+	if err != nil {
+		return trustTagRowList{}, []client.RoleWithSignatures{}, []data.Role{}, err
+	}
+	tag := imgRefAndAuth.Tag()
+	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, trust.ActionsPullOnly)
+	if err != nil {
+		return trustTagRowList{}, []client.RoleWithSignatures{}, []data.Role{}, trust.NotaryError(imgRefAndAuth.Reference().Name(), err)
+	}
+
+	if err = clearChangeList(notaryRepo); err != nil {
+		return trustTagRowList{}, []client.RoleWithSignatures{}, []data.Role{}, err
+	}
+	defer clearChangeList(notaryRepo)
+
+	// Retrieve all released signatures, match them, and pretty print them
+	allSignedTargets, err := notaryRepo.GetAllTargetMetadataByName(tag)
+	if err != nil {
+		logrus.Debug(trust.NotaryError(remote, err))
+		// print an empty table if we don't have signed targets, but have an initialized notary repo
+		if _, ok := err.(client.ErrNoSuchTarget); !ok {
+			return trustTagRowList{}, []client.RoleWithSignatures{}, []data.Role{}, fmt.Errorf("No signatures or cannot access %s", remote)
+		}
+	}
+	signatureRows := matchReleasedSignatures(allSignedTargets)
+
+	// get the administrative roles
+	adminRolesWithSigs, err := notaryRepo.ListRoles()
+	if err != nil {
+		return trustTagRowList{}, []client.RoleWithSignatures{}, []data.Role{}, fmt.Errorf("No signers for %s", remote)
+	}
+
+	// get delegation roles with the canonical key IDs
+	delegationRoles, err := notaryRepo.GetDelegationRoles()
+	if err != nil {
+		logrus.Debugf("no delegation roles found, or error fetching them for %s: %v", remote, err)
+	}
+
+	return signatureRows, adminRolesWithSigs, delegationRoles, nil
+}
+
+func formatAdminRole(roleWithSigs client.RoleWithSignatures) string {
+	adminKeyList := roleWithSigs.KeyIDs
+	sort.Strings(adminKeyList)
+
+	var role string
+	switch roleWithSigs.Name {
+	case data.CanonicalTargetsRole:
+		role = "Repository Key"
+	case data.CanonicalRootRole:
+		role = "Root Key"
+	default:
+		return ""
+	}
+	return fmt.Sprintf("%s:\t%s\n", role, strings.Join(adminKeyList, ", "))
+}
+
+func getDelegationRoleToKeyMap(rawDelegationRoles []data.Role) map[string][]string {
+	signerRoleToKeyIDs := make(map[string][]string)
+	for _, delRole := range rawDelegationRoles {
+		switch delRole.Name {
+		case trust.ReleasesRole, data.CanonicalRootRole, data.CanonicalSnapshotRole, data.CanonicalTargetsRole, data.CanonicalTimestampRole:
+			continue
+		default:
+			signerRoleToKeyIDs[notaryRoleToSigner(delRole.Name)] = delRole.KeyIDs
+		}
+	}
+	return signerRoleToKeyIDs
+}
+
+// aggregate all signers for a "released" hash+tagname pair. To be "released," the tag must have been
+// signed into the "targets" or "targets/releases" role. Output is sorted by tag name
+func matchReleasedSignatures(allTargets []client.TargetSignedStruct) trustTagRowList {
+	signatureRows := trustTagRowList{}
+	// do a first pass to get filter on tags signed into "targets" or "targets/releases"
+	releasedTargetRows := map[trustTagKey][]string{}
+	for _, tgt := range allTargets {
+		if isReleasedTarget(tgt.Role.Name) {
+			releasedKey := trustTagKey{tgt.Target.Name, hex.EncodeToString(tgt.Target.Hashes[notary.SHA256])}
+			releasedTargetRows[releasedKey] = []string{}
+		}
+	}
+
+	// now fill out all signers on released keys
+	for _, tgt := range allTargets {
+		targetKey := trustTagKey{tgt.Target.Name, hex.EncodeToString(tgt.Target.Hashes[notary.SHA256])}
+		// only considered released targets
+		if _, ok := releasedTargetRows[targetKey]; ok && !isReleasedTarget(tgt.Role.Name) {
+			releasedTargetRows[targetKey] = append(releasedTargetRows[targetKey], notaryRoleToSigner(tgt.Role.Name))
+		}
+	}
+
+	// compile the final output as a sorted slice
+	for targetKey, signers := range releasedTargetRows {
+		signatureRows = append(signatureRows, trustTagRow{targetKey, signers})
+	}
+	sort.Sort(signatureRows)
+	return signatureRows
+}
diff --git a/cli/cli/command/trust/helpers.go b/cli/cli/command/trust/helpers.go
new file mode 100644
index 00000000..b2819d2e
--- /dev/null
+++ b/cli/cli/command/trust/helpers.go
@@ -0,0 +1,47 @@
+package trust
+
+import (
+	"strings"
+
+	"github.com/docker/cli/cli/trust"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/tuf/data"
+)
+
+const releasedRoleName = "Repo Admin"
+const releasesRoleTUFName = "targets/releases"
+
+// isReleasedTarget checks if a role name is "released":
+// either targets/releases or targets TUF roles
+func isReleasedTarget(role data.RoleName) bool {
+	return role == data.CanonicalTargetsRole || role == trust.ReleasesRole
+}
+
+// notaryRoleToSigner converts TUF role name to a human-understandable signer name
+func notaryRoleToSigner(tufRole data.RoleName) string {
+	//  don't show a signer for "targets" or "targets/releases"
+	if isReleasedTarget(data.RoleName(tufRole.String())) {
+		return releasedRoleName
+	}
+	return strings.TrimPrefix(tufRole.String(), "targets/")
+}
+
+// clearChangelist clears the notary staging changelist.
+func clearChangeList(notaryRepo client.Repository) error {
+	cl, err := notaryRepo.GetChangelist()
+	if err != nil {
+		return err
+	}
+	return cl.Clear("")
+}
+
+// getOrGenerateRootKeyAndInitRepo initializes the notary repository
+// with a remotely managed snapshot key. The initialization will use
+// an existing root key if one is found, else a new one will be generated.
+func getOrGenerateRootKeyAndInitRepo(notaryRepo client.Repository) error {
+	rootKey, err := getOrGenerateNotaryKey(notaryRepo, data.CanonicalRootRole)
+	if err != nil {
+		return err
+	}
+	return notaryRepo.Initialize([]string{rootKey.ID()}, data.CanonicalSnapshotRole)
+}
diff --git a/cli/cli/command/trust/helpers_test.go b/cli/cli/command/trust/helpers_test.go
new file mode 100644
index 00000000..fab61214
--- /dev/null
+++ b/cli/cli/command/trust/helpers_test.go
@@ -0,0 +1,24 @@
+package trust
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/passphrase"
+	"github.com/theupdateframework/notary/trustpinning"
+	"gotest.tools/assert"
+)
+
+func TestGetOrGenerateNotaryKeyAndInitRepo(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "notary-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
+	assert.NilError(t, err)
+
+	err = getOrGenerateRootKeyAndInitRepo(notaryRepo)
+	assert.Error(t, err, "client is offline")
+}
diff --git a/cli/cli/command/trust/inspect.go b/cli/cli/command/trust/inspect.go
new file mode 100644
index 00000000..9f10878a
--- /dev/null
+++ b/cli/cli/command/trust/inspect.go
@@ -0,0 +1,115 @@
+package trust
+
+import (
+	"encoding/json"
+	"fmt"
+	"sort"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/spf13/cobra"
+	"github.com/theupdateframework/notary/tuf/data"
+)
+
+type inspectOptions struct {
+	remotes []string
+	// FIXME(n4ss): this is consistent with `docker service inspect` but we should provide
+	// a `--format` flag too. (format and pretty-print should be exclusive)
+	prettyPrint bool
+}
+
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	options := inspectOptions{}
+	cmd := &cobra.Command{
+		Use:   "inspect IMAGE[:TAG] [IMAGE[:TAG]...]",
+		Short: "Return low-level information about keys and signatures",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.remotes = args
+
+			return runInspect(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&options.prettyPrint, "pretty", false, "Print the information in a human friendly format")
+
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	if opts.prettyPrint {
+		var err error
+
+		for index, remote := range opts.remotes {
+			if err = prettyPrintTrustInfo(dockerCli, remote); err != nil {
+				return err
+			}
+
+			// Additional separator between the inspection output of each image
+			if index < len(opts.remotes)-1 {
+				fmt.Fprint(dockerCli.Out(), "\n\n")
+			}
+		}
+
+		return err
+	}
+
+	getRefFunc := func(ref string) (interface{}, []byte, error) {
+		i, err := getRepoTrustInfo(dockerCli, ref)
+		return nil, i, err
+	}
+	return inspect.Inspect(dockerCli.Out(), opts.remotes, "", getRefFunc)
+}
+
+func getRepoTrustInfo(cli command.Cli, remote string) ([]byte, error) {
+	signatureRows, adminRolesWithSigs, delegationRoles, err := lookupTrustInfo(cli, remote)
+	if err != nil {
+		return []byte{}, err
+	}
+	// process the signatures to include repo admin if signed by the base targets role
+	for idx, sig := range signatureRows {
+		if len(sig.Signers) == 0 {
+			signatureRows[idx].Signers = append(sig.Signers, releasedRoleName)
+		}
+	}
+
+	signerList, adminList := []trustSigner{}, []trustSigner{}
+
+	signerRoleToKeyIDs := getDelegationRoleToKeyMap(delegationRoles)
+
+	for signerName, signerKeys := range signerRoleToKeyIDs {
+		signerKeyList := []trustKey{}
+		for _, keyID := range signerKeys {
+			signerKeyList = append(signerKeyList, trustKey{ID: keyID})
+		}
+		signerList = append(signerList, trustSigner{signerName, signerKeyList})
+	}
+	sort.Slice(signerList, func(i, j int) bool { return signerList[i].Name > signerList[j].Name })
+
+	for _, adminRole := range adminRolesWithSigs {
+		switch adminRole.Name {
+		case data.CanonicalRootRole:
+			rootKeys := []trustKey{}
+			for _, keyID := range adminRole.KeyIDs {
+				rootKeys = append(rootKeys, trustKey{ID: keyID})
+			}
+			adminList = append(adminList, trustSigner{"Root", rootKeys})
+		case data.CanonicalTargetsRole:
+			targetKeys := []trustKey{}
+			for _, keyID := range adminRole.KeyIDs {
+				targetKeys = append(targetKeys, trustKey{ID: keyID})
+			}
+			adminList = append(adminList, trustSigner{"Repository", targetKeys})
+		}
+	}
+	sort.Slice(adminList, func(i, j int) bool { return adminList[i].Name > adminList[j].Name })
+
+	return json.Marshal(trustRepo{
+		Name:              remote,
+		SignedTags:        signatureRows,
+		Signers:           signerList,
+		AdminstrativeKeys: adminList,
+	})
+}
diff --git a/cli/cli/command/trust/inspect_pretty.go b/cli/cli/command/trust/inspect_pretty.go
new file mode 100644
index 00000000..af146d20
--- /dev/null
+++ b/cli/cli/command/trust/inspect_pretty.go
@@ -0,0 +1,90 @@
+package trust
+
+import (
+	"fmt"
+	"io"
+	"sort"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/theupdateframework/notary/client"
+)
+
+func prettyPrintTrustInfo(cli command.Cli, remote string) error {
+	signatureRows, adminRolesWithSigs, delegationRoles, err := lookupTrustInfo(cli, remote)
+	if err != nil {
+		return err
+	}
+
+	if len(signatureRows) > 0 {
+		fmt.Fprintf(cli.Out(), "\nSignatures for %s\n\n", remote)
+
+		if err := printSignatures(cli.Out(), signatureRows); err != nil {
+			return err
+		}
+	} else {
+		fmt.Fprintf(cli.Out(), "\nNo signatures for %s\n\n", remote)
+	}
+	signerRoleToKeyIDs := getDelegationRoleToKeyMap(delegationRoles)
+
+	// If we do not have additional signers, do not display
+	if len(signerRoleToKeyIDs) > 0 {
+		fmt.Fprintf(cli.Out(), "\nList of signers and their keys for %s\n\n", remote)
+		if err := printSignerInfo(cli.Out(), signerRoleToKeyIDs); err != nil {
+			return err
+		}
+	}
+
+	// This will always have the root and targets information
+	fmt.Fprintf(cli.Out(), "\nAdministrative keys for %s\n\n", remote)
+	printSortedAdminKeys(cli.Out(), adminRolesWithSigs)
+	return nil
+}
+
+func printSortedAdminKeys(out io.Writer, adminRoles []client.RoleWithSignatures) {
+	sort.Slice(adminRoles, func(i, j int) bool { return adminRoles[i].Name > adminRoles[j].Name })
+	for _, adminRole := range adminRoles {
+		if formattedAdminRole := formatAdminRole(adminRole); formattedAdminRole != "" {
+			fmt.Fprintf(out, "  %s", formattedAdminRole)
+		}
+	}
+}
+
+// pretty print with ordered rows
+func printSignatures(out io.Writer, signatureRows trustTagRowList) error {
+	trustTagCtx := formatter.Context{
+		Output: out,
+		Format: formatter.NewTrustTagFormat(),
+	}
+	// convert the formatted type before printing
+	formattedTags := []formatter.SignedTagInfo{}
+	for _, sigRow := range signatureRows {
+		formattedSigners := sigRow.Signers
+		if len(formattedSigners) == 0 {
+			formattedSigners = append(formattedSigners, fmt.Sprintf("(%s)", releasedRoleName))
+		}
+		formattedTags = append(formattedTags, formatter.SignedTagInfo{
+			Name:    sigRow.SignedTag,
+			Digest:  sigRow.Digest,
+			Signers: formattedSigners,
+		})
+	}
+	return formatter.TrustTagWrite(trustTagCtx, formattedTags)
+}
+
+func printSignerInfo(out io.Writer, roleToKeyIDs map[string][]string) error {
+	signerInfoCtx := formatter.Context{
+		Output: out,
+		Format: formatter.NewSignerInfoFormat(),
+		Trunc:  true,
+	}
+	formattedSignerInfo := formatter.SignerInfoList{}
+	for name, keyIDs := range roleToKeyIDs {
+		formattedSignerInfo = append(formattedSignerInfo, formatter.SignerInfo{
+			Name: name,
+			Keys: keyIDs,
+		})
+	}
+	sort.Sort(formattedSignerInfo)
+	return formatter.SignerInfoWrite(signerInfoCtx, formattedSignerInfo)
+}
diff --git a/cli/cli/command/trust/inspect_pretty_test.go b/cli/cli/command/trust/inspect_pretty_test.go
new file mode 100644
index 00000000..8c5141b3
--- /dev/null
+++ b/cli/cli/command/trust/inspect_pretty_test.go
@@ -0,0 +1,442 @@
+package trust
+
+import (
+	"encoding/hex"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli/trust"
+	"github.com/docker/cli/internal/test"
+	notaryfake "github.com/docker/cli/internal/test/notary"
+	dockerClient "github.com/docker/docker/client"
+	"github.com/theupdateframework/notary"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/tuf/data"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+)
+
+// TODO(n4ss): remove common tests with the regular inspect command
+
+type fakeClient struct {
+	dockerClient.Client
+}
+
+func TestTrustInspectPrettyCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+	}{
+		{
+			name:          "not-enough-args",
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			name:          "sha-reference",
+			args:          []string{"870d292919d01a0af7e7f056271dc78792c05f55f49b9b9012b6d89725bd9abd"},
+			expectedError: "invalid repository name",
+		},
+		{
+			name:          "invalid-img-reference",
+			args:          []string{"ALPINE"},
+			expectedError: "invalid reference format",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newInspectCommand(
+			test.NewFakeCli(&fakeClient{}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.Flags().Set("pretty", "true")
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestTrustInspectPrettyCommandOfflineErrors(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetOfflineNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
+	cmd.SetArgs([]string{"nonexistent-reg-name.io/image"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "No signatures or cannot access nonexistent-reg-name.io/image")
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetOfflineNotaryRepository)
+	cmd = newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
+	cmd.SetArgs([]string{"nonexistent-reg-name.io/image:tag"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "No signatures or cannot access nonexistent-reg-name.io/image")
+}
+
+func TestTrustInspectPrettyCommandUninitializedErrors(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetUninitializedNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
+	cmd.SetArgs([]string{"reg/unsigned-img"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "No signatures or cannot access reg/unsigned-img")
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetUninitializedNotaryRepository)
+	cmd = newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
+	cmd.SetArgs([]string{"reg/unsigned-img:tag"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "No signatures or cannot access reg/unsigned-img:tag")
+}
+
+func TestTrustInspectPrettyCommandEmptyNotaryRepoErrors(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetEmptyTargetsNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
+	cmd.SetArgs([]string{"reg/img:unsigned-tag"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Contains(cli.OutBuffer().String(), "No signatures for reg/img:unsigned-tag"))
+	assert.Check(t, is.Contains(cli.OutBuffer().String(), "Administrative keys for reg/img"))
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetEmptyTargetsNotaryRepository)
+	cmd = newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
+	cmd.SetArgs([]string{"reg/img"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Contains(cli.OutBuffer().String(), "No signatures for reg/img"))
+	assert.Check(t, is.Contains(cli.OutBuffer().String(), "Administrative keys for reg/img"))
+}
+
+func TestTrustInspectPrettyCommandFullRepoWithoutSigners(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetLoadedWithNoSignersNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
+	cmd.SetArgs([]string{"signed-repo"})
+	assert.NilError(t, cmd.Execute())
+
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-pretty-full-repo-no-signers.golden")
+}
+
+func TestTrustInspectPrettyCommandOneTagWithoutSigners(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetLoadedWithNoSignersNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
+	cmd.SetArgs([]string{"signed-repo:green"})
+	assert.NilError(t, cmd.Execute())
+
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-pretty-one-tag-no-signers.golden")
+}
+
+func TestTrustInspectPrettyCommandFullRepoWithSigners(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetLoadedNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
+	cmd.SetArgs([]string{"signed-repo"})
+	assert.NilError(t, cmd.Execute())
+
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-pretty-full-repo-with-signers.golden")
+}
+
+func TestTrustInspectPrettyCommandUnsignedTagInSignedRepo(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetLoadedNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.Flags().Set("pretty", "true")
+	cmd.SetArgs([]string{"signed-repo:unsigned"})
+	assert.NilError(t, cmd.Execute())
+
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-pretty-unsigned-tag-with-signers.golden")
+}
+
+func TestNotaryRoleToSigner(t *testing.T) {
+	assert.Check(t, is.Equal(releasedRoleName, notaryRoleToSigner(data.CanonicalTargetsRole)))
+	assert.Check(t, is.Equal(releasedRoleName, notaryRoleToSigner(trust.ReleasesRole)))
+	assert.Check(t, is.Equal("signer", notaryRoleToSigner("targets/signer")))
+	assert.Check(t, is.Equal("docker/signer", notaryRoleToSigner("targets/docker/signer")))
+
+	// It's nonsense for other base roles to have signed off on a target, but this function leaves role names intact
+	for _, role := range data.BaseRoles {
+		if role == data.CanonicalTargetsRole {
+			continue
+		}
+		assert.Check(t, is.Equal(role.String(), notaryRoleToSigner(role)))
+	}
+	assert.Check(t, is.Equal("notarole", notaryRoleToSigner(data.RoleName("notarole"))))
+}
+
+// check if a role name is "released": either targets/releases or targets TUF roles
+func TestIsReleasedTarget(t *testing.T) {
+	assert.Check(t, isReleasedTarget(trust.ReleasesRole))
+	for _, role := range data.BaseRoles {
+		assert.Check(t, is.Equal(role == data.CanonicalTargetsRole, isReleasedTarget(role)))
+	}
+	assert.Check(t, !isReleasedTarget(data.RoleName("targets/not-releases")))
+	assert.Check(t, !isReleasedTarget(data.RoleName("random")))
+	assert.Check(t, !isReleasedTarget(data.RoleName("targets/releases/subrole")))
+}
+
+// creates a mock delegation with a given name and no keys
+func mockDelegationRoleWithName(name string) data.DelegationRole {
+	baseRole := data.NewBaseRole(
+		data.RoleName(name),
+		notary.MinThreshold,
+	)
+	return data.DelegationRole{BaseRole: baseRole, Paths: []string{}}
+}
+
+func TestMatchEmptySignatures(t *testing.T) {
+	// first try empty targets
+	emptyTgts := []client.TargetSignedStruct{}
+
+	matchedSigRows := matchReleasedSignatures(emptyTgts)
+	assert.Check(t, is.Len(matchedSigRows, 0))
+}
+
+func TestMatchUnreleasedSignatures(t *testing.T) {
+	// try an "unreleased" target with 3 signatures, 0 rows will appear
+	unreleasedTgts := []client.TargetSignedStruct{}
+
+	tgt := client.Target{Name: "unreleased", Hashes: data.Hashes{notary.SHA256: []byte("hash")}}
+	for _, unreleasedRole := range []string{"targets/a", "targets/b", "targets/c"} {
+		unreleasedTgts = append(unreleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName(unreleasedRole), Target: tgt})
+	}
+
+	matchedSigRows := matchReleasedSignatures(unreleasedTgts)
+	assert.Check(t, is.Len(matchedSigRows, 0))
+}
+
+func TestMatchOneReleasedSingleSignature(t *testing.T) {
+	// now try only 1 "released" target with no additional sigs, 1 row will appear with 0 signers
+	oneReleasedTgt := []client.TargetSignedStruct{}
+
+	// make and append the "released" target to our mock input
+	releasedTgt := client.Target{Name: "released", Hashes: data.Hashes{notary.SHA256: []byte("released-hash")}}
+	oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: releasedTgt})
+
+	// make and append 3 non-released signatures on the "unreleased" target
+	unreleasedTgt := client.Target{Name: "unreleased", Hashes: data.Hashes{notary.SHA256: []byte("hash")}}
+	for _, unreleasedRole := range []string{"targets/a", "targets/b", "targets/c"} {
+		oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName(unreleasedRole), Target: unreleasedTgt})
+	}
+
+	matchedSigRows := matchReleasedSignatures(oneReleasedTgt)
+	assert.Check(t, is.Len(matchedSigRows, 1))
+
+	outputRow := matchedSigRows[0]
+	// Empty signers because "targets/releases" doesn't show up
+	assert.Check(t, is.Len(outputRow.Signers, 0))
+	assert.Check(t, is.Equal(releasedTgt.Name, outputRow.SignedTag))
+	assert.Check(t, is.Equal(hex.EncodeToString(releasedTgt.Hashes[notary.SHA256]), outputRow.Digest))
+}
+
+func TestMatchOneReleasedMultiSignature(t *testing.T) {
+	// now try only 1 "released" target with 3 additional sigs, 1 row will appear with 3 signers
+	oneReleasedTgt := []client.TargetSignedStruct{}
+
+	// make and append the "released" target to our mock input
+	releasedTgt := client.Target{Name: "released", Hashes: data.Hashes{notary.SHA256: []byte("released-hash")}}
+	oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: releasedTgt})
+
+	// make and append 3 non-released signatures on both the "released" and "unreleased" targets
+	unreleasedTgt := client.Target{Name: "unreleased", Hashes: data.Hashes{notary.SHA256: []byte("hash")}}
+	for _, unreleasedRole := range []string{"targets/a", "targets/b", "targets/c"} {
+		oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName(unreleasedRole), Target: unreleasedTgt})
+		oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName(unreleasedRole), Target: releasedTgt})
+	}
+
+	matchedSigRows := matchReleasedSignatures(oneReleasedTgt)
+	assert.Check(t, is.Len(matchedSigRows, 1))
+
+	outputRow := matchedSigRows[0]
+	// We should have three signers
+	assert.Check(t, is.DeepEqual(outputRow.Signers, []string{"a", "b", "c"}))
+	assert.Check(t, is.Equal(releasedTgt.Name, outputRow.SignedTag))
+	assert.Check(t, is.Equal(hex.EncodeToString(releasedTgt.Hashes[notary.SHA256]), outputRow.Digest))
+}
+
+func TestMatchMultiReleasedMultiSignature(t *testing.T) {
+	// now try 3 "released" targets with additional sigs to show 3 rows as follows:
+	// target-a is signed by targets/releases and targets/a - a will be the signer
+	// target-b is signed by targets/releases, targets/a, targets/b - a and b will be the signers
+	// target-c is signed by targets/releases, targets/a, targets/b, targets/c - a, b, and c will be the signers
+	multiReleasedTgts := []client.TargetSignedStruct{}
+	// make target-a, target-b, and target-c
+	targetA := client.Target{Name: "target-a", Hashes: data.Hashes{notary.SHA256: []byte("target-a-hash")}}
+	targetB := client.Target{Name: "target-b", Hashes: data.Hashes{notary.SHA256: []byte("target-b-hash")}}
+	targetC := client.Target{Name: "target-c", Hashes: data.Hashes{notary.SHA256: []byte("target-c-hash")}}
+
+	// have targets/releases "sign" on all of these targets so they are released
+	multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: targetA})
+	multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: targetB})
+	multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: targetC})
+
+	// targets/a signs off on all three targets (target-a, target-b, target-c):
+	for _, tgt := range []client.Target{targetA, targetB, targetC} {
+		multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/a"), Target: tgt})
+	}
+
+	// targets/b signs off on the final two targets (target-b, target-c):
+	for _, tgt := range []client.Target{targetB, targetC} {
+		multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/b"), Target: tgt})
+	}
+
+	// targets/c only signs off on the last target (target-c):
+	multiReleasedTgts = append(multiReleasedTgts, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/c"), Target: targetC})
+
+	matchedSigRows := matchReleasedSignatures(multiReleasedTgts)
+	assert.Check(t, is.Len(matchedSigRows, 3))
+
+	// note that the output is sorted by tag name, so we can reliably index to validate data:
+	outputTargetA := matchedSigRows[0]
+	assert.Check(t, is.DeepEqual(outputTargetA.Signers, []string{"a"}))
+	assert.Check(t, is.Equal(targetA.Name, outputTargetA.SignedTag))
+	assert.Check(t, is.Equal(hex.EncodeToString(targetA.Hashes[notary.SHA256]), outputTargetA.Digest))
+
+	outputTargetB := matchedSigRows[1]
+	assert.Check(t, is.DeepEqual(outputTargetB.Signers, []string{"a", "b"}))
+	assert.Check(t, is.Equal(targetB.Name, outputTargetB.SignedTag))
+	assert.Check(t, is.Equal(hex.EncodeToString(targetB.Hashes[notary.SHA256]), outputTargetB.Digest))
+
+	outputTargetC := matchedSigRows[2]
+	assert.Check(t, is.DeepEqual(outputTargetC.Signers, []string{"a", "b", "c"}))
+	assert.Check(t, is.Equal(targetC.Name, outputTargetC.SignedTag))
+	assert.Check(t, is.Equal(hex.EncodeToString(targetC.Hashes[notary.SHA256]), outputTargetC.Digest))
+}
+
+func TestMatchReleasedSignatureFromTargets(t *testing.T) {
+	// now try only 1 "released" target with no additional sigs, one rows will appear
+	oneReleasedTgt := []client.TargetSignedStruct{}
+	// make and append the "released" target to our mock input
+	releasedTgt := client.Target{Name: "released", Hashes: data.Hashes{notary.SHA256: []byte("released-hash")}}
+	oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName(data.CanonicalTargetsRole.String()), Target: releasedTgt})
+	matchedSigRows := matchReleasedSignatures(oneReleasedTgt)
+	assert.Check(t, is.Len(matchedSigRows, 1))
+	outputRow := matchedSigRows[0]
+	// Empty signers because "targets" doesn't show up
+	assert.Check(t, is.Len(outputRow.Signers, 0))
+	assert.Check(t, is.Equal(releasedTgt.Name, outputRow.SignedTag))
+	assert.Check(t, is.Equal(hex.EncodeToString(releasedTgt.Hashes[notary.SHA256]), outputRow.Digest))
+}
+
+func TestGetSignerRolesWithKeyIDs(t *testing.T) {
+	roles := []data.Role{
+		{
+			RootRole: data.RootRole{
+				KeyIDs: []string{"key11"},
+			},
+			Name: "targets/alice",
+		},
+		{
+			RootRole: data.RootRole{
+				KeyIDs: []string{"key21", "key22"},
+			},
+			Name: "targets/releases",
+		},
+		{
+			RootRole: data.RootRole{
+				KeyIDs: []string{"key31"},
+			},
+			Name: data.CanonicalTargetsRole,
+		},
+		{
+			RootRole: data.RootRole{
+				KeyIDs: []string{"key41", "key01"},
+			},
+			Name: data.CanonicalRootRole,
+		},
+		{
+			RootRole: data.RootRole{
+				KeyIDs: []string{"key51"},
+			},
+			Name: data.CanonicalSnapshotRole,
+		},
+		{
+			RootRole: data.RootRole{
+				KeyIDs: []string{"key61"},
+			},
+			Name: data.CanonicalTimestampRole,
+		},
+		{
+			RootRole: data.RootRole{
+				KeyIDs: []string{"key71", "key72"},
+			},
+			Name: "targets/bob",
+		},
+	}
+	expectedSignerRoleToKeyIDs := map[string][]string{
+		"alice": {"key11"},
+		"bob":   {"key71", "key72"},
+	}
+
+	var roleWithSigs []client.RoleWithSignatures
+	for _, role := range roles {
+		roleWithSig := client.RoleWithSignatures{Role: role, Signatures: nil}
+		roleWithSigs = append(roleWithSigs, roleWithSig)
+	}
+	signerRoleToKeyIDs := getDelegationRoleToKeyMap(roles)
+	assert.Check(t, is.DeepEqual(expectedSignerRoleToKeyIDs, signerRoleToKeyIDs))
+}
+
+func TestFormatAdminRole(t *testing.T) {
+	aliceRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs: []string{"key11"},
+		},
+		Name: "targets/alice",
+	}
+	aliceRoleWithSigs := client.RoleWithSignatures{Role: aliceRole, Signatures: nil}
+	assert.Check(t, is.Equal("", formatAdminRole(aliceRoleWithSigs)))
+
+	releasesRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs: []string{"key11"},
+		},
+		Name: "targets/releases",
+	}
+	releasesRoleWithSigs := client.RoleWithSignatures{Role: releasesRole, Signatures: nil}
+	assert.Check(t, is.Equal("", formatAdminRole(releasesRoleWithSigs)))
+
+	timestampRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs: []string{"key11"},
+		},
+		Name: data.CanonicalTimestampRole,
+	}
+	timestampRoleWithSigs := client.RoleWithSignatures{Role: timestampRole, Signatures: nil}
+	assert.Check(t, is.Equal("", formatAdminRole(timestampRoleWithSigs)))
+
+	snapshotRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs: []string{"key11"},
+		},
+		Name: data.CanonicalSnapshotRole,
+	}
+	snapshotRoleWithSigs := client.RoleWithSignatures{Role: snapshotRole, Signatures: nil}
+	assert.Check(t, is.Equal("", formatAdminRole(snapshotRoleWithSigs)))
+
+	rootRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs: []string{"key11"},
+		},
+		Name: data.CanonicalRootRole,
+	}
+	rootRoleWithSigs := client.RoleWithSignatures{Role: rootRole, Signatures: nil}
+	assert.Check(t, is.Equal("Root Key:\tkey11\n", formatAdminRole(rootRoleWithSigs)))
+
+	targetsRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs: []string{"key99", "abc", "key11"},
+		},
+		Name: data.CanonicalTargetsRole,
+	}
+	targetsRoleWithSigs := client.RoleWithSignatures{Role: targetsRole, Signatures: nil}
+	assert.Check(t, is.Equal("Repository Key:\tabc, key11, key99\n", formatAdminRole(targetsRoleWithSigs)))
+}
diff --git a/cli/cli/command/trust/inspect_test.go b/cli/cli/command/trust/inspect_test.go
new file mode 100644
index 00000000..3cf6e0eb
--- /dev/null
+++ b/cli/cli/command/trust/inspect_test.go
@@ -0,0 +1,131 @@
+package trust
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/cli/internal/test/notary"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestTrustInspectCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+	}{
+		{
+			name:          "not-enough-args",
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			name:          "sha-reference",
+			args:          []string{"870d292919d01a0af7e7f056271dc78792c05f55f49b9b9012b6d89725bd9abd"},
+			expectedError: "invalid repository name",
+		},
+		{
+			name:          "invalid-img-reference",
+			args:          []string{"ALPINE"},
+			expectedError: "invalid reference format",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newInspectCommand(
+			test.NewFakeCli(&fakeClient{}))
+		cmd.Flags().Set("pretty", "true")
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestTrustInspectCommandOfflineErrors(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetOfflineNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.SetArgs([]string{"nonexistent-reg-name.io/image"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "No signatures or cannot access nonexistent-reg-name.io/image")
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetOfflineNotaryRepository)
+	cmd = newInspectCommand(cli)
+	cmd.SetArgs([]string{"nonexistent-reg-name.io/image:tag"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "No signatures or cannot access nonexistent-reg-name.io/image")
+}
+
+func TestTrustInspectCommandUninitializedErrors(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetUninitializedNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.SetArgs([]string{"reg/unsigned-img"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "No signatures or cannot access reg/unsigned-img")
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-uninitialized.golden")
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetUninitializedNotaryRepository)
+	cmd = newInspectCommand(cli)
+	cmd.SetArgs([]string{"reg/unsigned-img:tag"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "No signatures or cannot access reg/unsigned-img:tag")
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-uninitialized.golden")
+}
+
+func TestTrustInspectCommandEmptyNotaryRepo(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetEmptyTargetsNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.SetArgs([]string{"reg/img:unsigned-tag"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-empty-repo.golden")
+}
+
+func TestTrustInspectCommandFullRepoWithoutSigners(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetLoadedWithNoSignersNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.SetArgs([]string{"signed-repo"})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-full-repo-no-signers.golden")
+}
+
+func TestTrustInspectCommandOneTagWithoutSigners(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetLoadedWithNoSignersNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.SetArgs([]string{"signed-repo:green"})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-one-tag-no-signers.golden")
+}
+
+func TestTrustInspectCommandFullRepoWithSigners(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetLoadedNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.SetArgs([]string{"signed-repo"})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-full-repo-with-signers.golden")
+}
+
+func TestTrustInspectCommandMultipleFullReposWithSigners(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetLoadedNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.SetArgs([]string{"signed-repo", "signed-repo"})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-multiple-repos-with-signers.golden")
+}
+
+func TestTrustInspectCommandUnsignedTagInSignedRepo(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetLoadedNotaryRepository)
+	cmd := newInspectCommand(cli)
+	cmd.SetArgs([]string{"signed-repo:unsigned"})
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "trust-inspect-unsigned-tag-with-signers.golden")
+}
diff --git a/cli/cli/command/trust/key.go b/cli/cli/command/trust/key.go
new file mode 100644
index 00000000..f57b44c7
--- /dev/null
+++ b/cli/cli/command/trust/key.go
@@ -0,0 +1,22 @@
+package trust
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// newTrustKeyCommand returns a cobra command for `trust key` subcommands
+func newTrustKeyCommand(dockerCli command.Streams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "key",
+		Short: "Manage keys for signing Docker images",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+	}
+	cmd.AddCommand(
+		newKeyGenerateCommand(dockerCli),
+		newKeyLoadCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/trust/key_generate.go b/cli/cli/command/trust/key_generate.go
new file mode 100644
index 00000000..47223c3d
--- /dev/null
+++ b/cli/cli/command/trust/key_generate.go
@@ -0,0 +1,134 @@
+package trust
+
+import (
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/trust"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/theupdateframework/notary"
+	"github.com/theupdateframework/notary/trustmanager"
+	"github.com/theupdateframework/notary/tuf/data"
+	tufutils "github.com/theupdateframework/notary/tuf/utils"
+)
+
+type keyGenerateOptions struct {
+	name      string
+	directory string
+}
+
+func newKeyGenerateCommand(dockerCli command.Streams) *cobra.Command {
+	options := keyGenerateOptions{}
+	cmd := &cobra.Command{
+		Use:   "generate NAME",
+		Short: "Generate and load a signing key-pair",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.name = args[0]
+			return setupPassphraseAndGenerateKeys(dockerCli, options)
+		},
+	}
+	flags := cmd.Flags()
+	flags.StringVar(&options.directory, "dir", "", "Directory to generate key in, defaults to current directory")
+	return cmd
+}
+
+// key names can use lowercase alphanumeric + _ + - characters
+var validKeyName = regexp.MustCompile(`^[a-z0-9][a-z0-9\_\-]*$`).MatchString
+
+// validate that all of the key names are unique and are alphanumeric + _ + -
+// and that we do not already have public key files in the target dir on disk
+func validateKeyArgs(keyName string, targetDir string) error {
+	if !validKeyName(keyName) {
+		return fmt.Errorf("key name \"%s\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character", keyName)
+	}
+
+	pubKeyFileName := keyName + ".pub"
+	if _, err := os.Stat(targetDir); err != nil {
+		return fmt.Errorf("public key path does not exist: \"%s\"", targetDir)
+	}
+	targetPath := filepath.Join(targetDir, pubKeyFileName)
+	if _, err := os.Stat(targetPath); err == nil {
+		return fmt.Errorf("public key file already exists: \"%s\"", targetPath)
+	}
+	return nil
+}
+
+func setupPassphraseAndGenerateKeys(streams command.Streams, opts keyGenerateOptions) error {
+	targetDir := opts.directory
+	if targetDir == "" {
+		cwd, err := os.Getwd()
+		if err != nil {
+			return err
+		}
+		targetDir = cwd
+	}
+	return validateAndGenerateKey(streams, opts.name, targetDir)
+}
+
+func validateAndGenerateKey(streams command.Streams, keyName string, workingDir string) error {
+	freshPassRetGetter := func() notary.PassRetriever { return trust.GetPassphraseRetriever(streams.In(), streams.Out()) }
+	if err := validateKeyArgs(keyName, workingDir); err != nil {
+		return err
+	}
+	fmt.Fprintf(streams.Out(), "Generating key for %s...\n", keyName)
+	// Automatically load the private key to local storage for use
+	privKeyFileStore, err := trustmanager.NewKeyFileStore(trust.GetTrustDirectory(), freshPassRetGetter())
+	if err != nil {
+		return err
+	}
+
+	pubPEM, err := generateKeyAndOutputPubPEM(keyName, privKeyFileStore)
+	if err != nil {
+		fmt.Fprintf(streams.Out(), err.Error())
+		return errors.Wrapf(err, "failed to generate key for %s", keyName)
+	}
+
+	// Output the public key to a file in the CWD or specified dir
+	writtenPubFile, err := writePubKeyPEMToDir(pubPEM, keyName, workingDir)
+	if err != nil {
+		return err
+	}
+	fmt.Fprintf(streams.Out(), "Successfully generated and loaded private key. Corresponding public key available: %s\n", writtenPubFile)
+
+	return nil
+}
+
+func generateKeyAndOutputPubPEM(keyName string, privKeyStore trustmanager.KeyStore) (pem.Block, error) {
+	privKey, err := tufutils.GenerateKey(data.ECDSAKey)
+	if err != nil {
+		return pem.Block{}, err
+	}
+
+	privKeyStore.AddKey(trustmanager.KeyInfo{Role: data.RoleName(keyName)}, privKey)
+	if err != nil {
+		return pem.Block{}, err
+	}
+
+	pubKey := data.PublicKeyFromPrivate(privKey)
+	return pem.Block{
+		Type: "PUBLIC KEY",
+		Headers: map[string]string{
+			"role": keyName,
+		},
+		Bytes: pubKey.Public(),
+	}, nil
+}
+
+func writePubKeyPEMToDir(pubPEM pem.Block, keyName, workingDir string) (string, error) {
+	// Output the public key to a file in the CWD or specified dir
+	pubFileName := strings.Join([]string{keyName, "pub"}, ".")
+	pubFilePath := filepath.Join(workingDir, pubFileName)
+	if err := ioutil.WriteFile(pubFilePath, pem.EncodeToMemory(&pubPEM), notary.PrivNoExecPerms); err != nil {
+		return "", errors.Wrapf(err, "failed to write public key to %s", pubFilePath)
+	}
+	return pubFilePath, nil
+}
diff --git a/cli/cli/command/trust/key_generate_test.go b/cli/cli/command/trust/key_generate_test.go
new file mode 100644
index 00000000..b4c798d8
--- /dev/null
+++ b/cli/cli/command/trust/key_generate_test.go
@@ -0,0 +1,134 @@
+package trust
+
+import (
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/internal/test"
+	"github.com/theupdateframework/notary"
+	"github.com/theupdateframework/notary/passphrase"
+	"github.com/theupdateframework/notary/trustmanager"
+	tufutils "github.com/theupdateframework/notary/tuf/utils"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestTrustKeyGenerateErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+	}{
+		{
+			name:          "not-enough-args",
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name:          "too-many-args",
+			args:          []string{"key-1", "key-2"},
+			expectedError: "requires exactly 1 argument",
+		},
+	}
+
+	tmpDir, err := ioutil.TempDir("", "docker-key-generate-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+	config.SetDir(tmpDir)
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{})
+		cmd := newKeyGenerateCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestGenerateKeySuccess(t *testing.T) {
+	pubKeyCWD, err := ioutil.TempDir("", "pub-keys-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(pubKeyCWD)
+
+	privKeyStorageDir, err := ioutil.TempDir("", "priv-keys-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(privKeyStorageDir)
+
+	passwd := "password"
+	cannedPasswordRetriever := passphrase.ConstantRetriever(passwd)
+	// generate a single key
+	keyName := "alice"
+	privKeyFileStore, err := trustmanager.NewKeyFileStore(privKeyStorageDir, cannedPasswordRetriever)
+	assert.NilError(t, err)
+
+	pubKeyPEM, err := generateKeyAndOutputPubPEM(keyName, privKeyFileStore)
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(keyName, pubKeyPEM.Headers["role"]))
+	// the default GUN is empty
+	assert.Check(t, is.Equal("", pubKeyPEM.Headers["gun"]))
+	// assert public key header
+	assert.Check(t, is.Equal("PUBLIC KEY", pubKeyPEM.Type))
+
+	// check that an appropriate ~/<trust_dir>/private/<key_id>.key file exists
+	expectedPrivKeyDir := filepath.Join(privKeyStorageDir, notary.PrivDir)
+	_, err = os.Stat(expectedPrivKeyDir)
+	assert.NilError(t, err)
+
+	keyFiles, err := ioutil.ReadDir(expectedPrivKeyDir)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(keyFiles, 1))
+	privKeyFilePath := filepath.Join(expectedPrivKeyDir, keyFiles[0].Name())
+
+	// verify the key content
+	privFrom, _ := os.OpenFile(privKeyFilePath, os.O_RDONLY, notary.PrivExecPerms)
+	defer privFrom.Close()
+	fromBytes, _ := ioutil.ReadAll(privFrom)
+	privKeyPEM, _ := pem.Decode(fromBytes)
+	assert.Check(t, is.Equal(keyName, privKeyPEM.Headers["role"]))
+	// the default GUN is empty
+	assert.Check(t, is.Equal("", privKeyPEM.Headers["gun"]))
+	// assert encrypted header
+	assert.Check(t, is.Equal("ENCRYPTED PRIVATE KEY", privKeyPEM.Type))
+	// check that the passphrase matches
+	_, err = tufutils.ParsePKCS8ToTufKey(privKeyPEM.Bytes, []byte(passwd))
+	assert.NilError(t, err)
+
+	// check that the public key exists at the correct path if we use the helper:
+	returnedPath, err := writePubKeyPEMToDir(pubKeyPEM, keyName, pubKeyCWD)
+	assert.NilError(t, err)
+	expectedPubKeyPath := filepath.Join(pubKeyCWD, keyName+".pub")
+	assert.Check(t, is.Equal(returnedPath, expectedPubKeyPath))
+	_, err = os.Stat(expectedPubKeyPath)
+	assert.NilError(t, err)
+	// check that the public key is the only file output in CWD
+	cwdKeyFiles, err := ioutil.ReadDir(pubKeyCWD)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(cwdKeyFiles, 1))
+}
+
+func TestValidateKeyArgs(t *testing.T) {
+	pubKeyCWD, err := ioutil.TempDir("", "pub-keys-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(pubKeyCWD)
+
+	err = validateKeyArgs("a", pubKeyCWD)
+	assert.NilError(t, err)
+
+	err = validateKeyArgs("a/b", pubKeyCWD)
+	assert.Error(t, err, "key name \"a/b\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character")
+
+	err = validateKeyArgs("-", pubKeyCWD)
+	assert.Error(t, err, "key name \"-\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character")
+
+	assert.NilError(t, ioutil.WriteFile(filepath.Join(pubKeyCWD, "a.pub"), []byte("abc"), notary.PrivExecPerms))
+	err = validateKeyArgs("a", pubKeyCWD)
+	assert.Error(t, err, fmt.Sprintf("public key file already exists: \"%s\"", filepath.Join(pubKeyCWD, "a.pub")))
+
+	err = validateKeyArgs("a", "/random/dir/")
+	assert.Error(t, err, "public key path does not exist: \"/random/dir/\"")
+}
diff --git a/cli/cli/command/trust/key_load.go b/cli/cli/command/trust/key_load.go
new file mode 100644
index 00000000..9263cbda
--- /dev/null
+++ b/cli/cli/command/trust/key_load.go
@@ -0,0 +1,115 @@
+package trust
+
+import (
+	"bytes"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/trust"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/theupdateframework/notary"
+	"github.com/theupdateframework/notary/storage"
+	"github.com/theupdateframework/notary/trustmanager"
+	tufutils "github.com/theupdateframework/notary/tuf/utils"
+)
+
+const (
+	nonOwnerReadWriteMask = 0077
+)
+
+type keyLoadOptions struct {
+	keyName string
+}
+
+func newKeyLoadCommand(dockerCli command.Streams) *cobra.Command {
+	var options keyLoadOptions
+	cmd := &cobra.Command{
+		Use:   "load [OPTIONS] KEYFILE",
+		Short: "Load a private key file for signing",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return loadPrivKey(dockerCli, args[0], options)
+		},
+	}
+	flags := cmd.Flags()
+	flags.StringVar(&options.keyName, "name", "signer", "Name for the loaded key")
+	return cmd
+}
+
+func loadPrivKey(streams command.Streams, keyPath string, options keyLoadOptions) error {
+	// validate the key name if provided
+	if options.keyName != "" && !validKeyName(options.keyName) {
+		return fmt.Errorf("key name \"%s\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character", options.keyName)
+	}
+	trustDir := trust.GetTrustDirectory()
+	keyFileStore, err := storage.NewPrivateKeyFileStorage(trustDir, notary.KeyExtension)
+	if err != nil {
+		return err
+	}
+	privKeyImporters := []trustmanager.Importer{keyFileStore}
+
+	fmt.Fprintf(streams.Out(), "Loading key from \"%s\"...\n", keyPath)
+
+	// Always use a fresh passphrase retriever for each import
+	passRet := trust.GetPassphraseRetriever(streams.In(), streams.Out())
+	keyBytes, err := getPrivKeyBytesFromPath(keyPath)
+	if err != nil {
+		return errors.Wrapf(err, "refusing to load key from %s", keyPath)
+	}
+	if err := loadPrivKeyBytesToStore(keyBytes, privKeyImporters, keyPath, options.keyName, passRet); err != nil {
+		return errors.Wrapf(err, "error importing key from %s", keyPath)
+	}
+	fmt.Fprintf(streams.Out(), "Successfully imported key from %s\n", keyPath)
+	return nil
+}
+
+func getPrivKeyBytesFromPath(keyPath string) ([]byte, error) {
+	fileInfo, err := os.Stat(keyPath)
+	if err != nil {
+		return nil, err
+	}
+	if fileInfo.Mode()&nonOwnerReadWriteMask != 0 {
+		return nil, fmt.Errorf("private key file %s must not be readable or writable by others", keyPath)
+	}
+
+	from, err := os.OpenFile(keyPath, os.O_RDONLY, notary.PrivExecPerms)
+	if err != nil {
+		return nil, err
+	}
+	defer from.Close()
+
+	return ioutil.ReadAll(from)
+}
+
+func loadPrivKeyBytesToStore(privKeyBytes []byte, privKeyImporters []trustmanager.Importer, keyPath, keyName string, passRet notary.PassRetriever) error {
+	var err error
+	if _, _, err = tufutils.ExtractPrivateKeyAttributes(privKeyBytes); err != nil {
+		return fmt.Errorf("provided file %s is not a supported private key - to add a signer's public key use docker trust signer add", keyPath)
+	}
+	if privKeyBytes, err = decodePrivKeyIfNecessary(privKeyBytes, passRet); err != nil {
+		return errors.Wrapf(err, "cannot load key from provided file %s", keyPath)
+	}
+	// Make a reader, rewind the file pointer
+	return trustmanager.ImportKeys(bytes.NewReader(privKeyBytes), privKeyImporters, keyName, "", passRet)
+}
+
+func decodePrivKeyIfNecessary(privPemBytes []byte, passRet notary.PassRetriever) ([]byte, error) {
+	pemBlock, _ := pem.Decode(privPemBytes)
+	_, containsDEKInfo := pemBlock.Headers["DEK-Info"]
+	if containsDEKInfo || pemBlock.Type == "ENCRYPTED PRIVATE KEY" {
+		// if we do not have enough information to properly import, try to decrypt the key
+		if _, ok := pemBlock.Headers["path"]; !ok {
+			privKey, _, err := trustmanager.GetPasswdDecryptBytes(passRet, privPemBytes, "", "encrypted")
+			if err != nil {
+				return []byte{}, fmt.Errorf("could not decrypt key")
+			}
+			privPemBytes = privKey.Private()
+		}
+	}
+	return privPemBytes, nil
+}
diff --git a/cli/cli/command/trust/key_load_test.go b/cli/cli/command/trust/key_load_test.go
new file mode 100644
index 00000000..e0e35aab
--- /dev/null
+++ b/cli/cli/command/trust/key_load_test.go
@@ -0,0 +1,253 @@
+package trust
+
+import (
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/internal/test"
+	"github.com/theupdateframework/notary"
+	"github.com/theupdateframework/notary/passphrase"
+	"github.com/theupdateframework/notary/storage"
+	"github.com/theupdateframework/notary/trustmanager"
+	tufutils "github.com/theupdateframework/notary/tuf/utils"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestTrustKeyLoadErrors(t *testing.T) {
+	noSuchFile := "stat iamnotakey: no such file or directory"
+	if runtime.GOOS == "windows" {
+		noSuchFile = "CreateFile iamnotakey: The system cannot find the file specified."
+	}
+	testCases := []struct {
+		name           string
+		args           []string
+		expectedError  string
+		expectedOutput string
+	}{
+		{
+			name:           "not-enough-args",
+			expectedError:  "exactly 1 argument",
+			expectedOutput: "",
+		},
+		{
+			name:           "too-many-args",
+			args:           []string{"iamnotakey", "alsonotakey"},
+			expectedError:  "exactly 1 argument",
+			expectedOutput: "",
+		},
+		{
+			name:           "not-a-key",
+			args:           []string{"iamnotakey"},
+			expectedError:  "refusing to load key from iamnotakey: " + noSuchFile,
+			expectedOutput: "Loading key from \"iamnotakey\"...\n",
+		},
+		{
+			name:           "bad-key-name",
+			args:           []string{"iamnotakey", "--name", "KEYNAME"},
+			expectedError:  "key name \"KEYNAME\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character",
+			expectedOutput: "",
+		},
+	}
+	tmpDir, err := ioutil.TempDir("", "docker-key-load-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+	config.SetDir(tmpDir)
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{})
+		cmd := newKeyLoadCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+		assert.Check(t, is.Contains(cli.OutBuffer().String(), tc.expectedOutput))
+	}
+}
+
+var rsaPrivKeyFixture = []byte(`-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAs7yVMzCw8CBZPoN+QLdx3ZzbVaHnouHIKu+ynX60IZ3stpbb
+6rowu78OWON252JcYJqe++2GmdIgbBhg+mZDwhX0ZibMVztJaZFsYL+Ch/2J9KqD
+A5NtE1s/XdhYoX5hsv7W4ok9jLFXRYIMj+T4exJRlR4f4GP9p0fcqPWd9/enPnlJ
+JFTmu0DXJTZUMVS1UrXUy5t/DPXdrwyl8pM7VCqO3bqK7jqE6mWawdTkEeiku1fJ
+ydP0285uiYTbj1Q38VVhPwXzMuLbkaUgRJhCI4BcjfQIjtJLbWpS+VdhUEvtgMVx
+XJMKxCVGG69qjXyj9TjI7pxanb/bWglhovJN9wIDAQABAoIBAQCSnMsLxbUfOxPx
+RWuwOLN+NZxIvtfnastQEtSdWiRvo5Xa3zYmw5hLHa8DXRC57+cwug/jqr54LQpb
+gotg1hiBck05In7ezTK2FXTVeoJskal91bUnLpP0DSOkVnz9xszFKNF6Wr7FTEfH
+IC1FF16Fbcz0mW0hKg9X6+uYOzqPcKpQRwli5LAwhT18Alf9h4/3NCeKotiJyr2J
+xvcEH1eY2m2c/jQZurBkys7qBC3+i8LJEOW8MBQt7mxajwfbU91wtP2YoqMcoYiS
+zsPbYp7Ui2t4G9Yn+OJw+uj4RGP1Bo4nSyRxWDtg+8Zug/JYU6/s+8kVRpiGffd3
+T1GvoxUhAoGBAOnPDWG/g1xlJf65Rh71CxMs638zhYbIloU2K4Rqr05DHe7GryTS
+9hLVrwhHddK+KwfVbR8HFMPo1DC/NVbuKt8StTAadAu3HsC088gWd28nOiGAWuvH
+Bo3x/DYQGYwGFfoo4rzCOgMj6DJjXmcWEXNv3NDMoXoYpkxa0g6zZDyHAoGBAMTL
+t7EUneJT+Mm7wyL1I5bmaT/HFwqoUQB2ccBPVD8p1el62NgLdfhOa8iNlBVhMrlh
+2aTjrMlSPcjr9sCgKrLcenSWw+2qFsf4+SmV01ntB9kWes2phXpnB0ynXIcbeG05
++BLxbqDTVV0Iqh4r/dGeplyV2WyL3mTpkT3hRq8RAoGAZ93degEUICWnHWO9LN97
+Dge0joua0+ekRoVsC6VBP6k9UOfewqMdQfy/hxQH2Zk1kINVuKTyqp1yNj2bOoUP
+co3jA/2cc9/jv4QjkE26vRxWDK/ytC90T/aiLno0fyns9XbYUzaNgvuemVPfijgZ
+hIi7Nd7SFWWB6wWlr3YuH10CgYEAwh7JVa2mh8iZEjVaKTNyJbmmfDjgq6yYKkKr
+ti0KRzv3O9Xn7ERx27tPaobtWaGFLYQt8g57NCMhuv23aw8Sz1fYmwTUw60Rx7P5
+42FdF8lOAn/AJvpfJfxXIO+9v7ADPIr//3+TxqRwAdM4K4btWkaKh61wyTe26gfT
+MxzyYmECgYAnlU5zsGyiZqwoXVktkhtZrE7Qu0SoztzFb8KpvFNmMTPF1kAAYmJY
+GIhbizeGJ3h4cUdozKmt8ZWIt6uFDEYCqEA7XF4RH75dW25x86mpIPO7iRl9eisY
+IsLeMYqTIwXAwGx6Ka9v5LOL1kzcHQ2iVj6+QX+yoptSft1dYa9jOA==
+-----END RSA PRIVATE KEY-----`)
+
+const rsaPrivKeyID = "ee69e8e07a14756ad5ff0aca2336b37f86b0ac1710d1f3e94440081e080aecd7"
+
+var ecPrivKeyFixture = []byte(`-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINfxKtDH3ug7ZIQPDyeAzujCdhw36D+bf9ToPE1A7YEyoAoGCCqGSM49
+AwEHoUQDQgAEUIH9AYtrcDFzZrFJBdJZkn21d+4cH3nzy2O6Q/ct4BjOBKa+WCdR
+tPo78bA+C/7t81ADQO8Jqaj59W50rwoqDQ==
+-----END EC PRIVATE KEY-----`)
+
+const ecPrivKeyID = "46157cb0becf9c72c3219e11d4692424fef9bf4460812ccc8a71a3dfcafc7e60"
+
+var testKeys = map[string][]byte{
+	ecPrivKeyID:  ecPrivKeyFixture,
+	rsaPrivKeyID: rsaPrivKeyFixture,
+}
+
+func TestLoadKeyFromPath(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows")
+	for keyID, keyBytes := range testKeys {
+		t.Run(fmt.Sprintf("load-key-id-%s-from-path", keyID), func(t *testing.T) {
+			testLoadKeyFromPath(t, keyID, keyBytes)
+		})
+	}
+}
+
+func testLoadKeyFromPath(t *testing.T, privKeyID string, privKeyFixture []byte) {
+	privKeyDir, err := ioutil.TempDir("", "key-load-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(privKeyDir)
+	privKeyFilepath := filepath.Join(privKeyDir, "privkey.pem")
+	assert.NilError(t, ioutil.WriteFile(privKeyFilepath, privKeyFixture, notary.PrivNoExecPerms))
+
+	keyStorageDir, err := ioutil.TempDir("", "loaded-keys-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(keyStorageDir)
+
+	passwd := "password"
+	cannedPasswordRetriever := passphrase.ConstantRetriever(passwd)
+	keyFileStore, err := storage.NewPrivateKeyFileStorage(keyStorageDir, notary.KeyExtension)
+	assert.NilError(t, err)
+	privKeyImporters := []trustmanager.Importer{keyFileStore}
+
+	// get the privKeyBytes
+	privKeyBytes, err := getPrivKeyBytesFromPath(privKeyFilepath)
+	assert.NilError(t, err)
+
+	// import the key to our keyStorageDir
+	assert.Check(t, loadPrivKeyBytesToStore(privKeyBytes, privKeyImporters, privKeyFilepath, "signer-name", cannedPasswordRetriever))
+
+	// check that the appropriate ~/<trust_dir>/private/<key_id>.key file exists
+	expectedImportKeyPath := filepath.Join(keyStorageDir, notary.PrivDir, privKeyID+"."+notary.KeyExtension)
+	_, err = os.Stat(expectedImportKeyPath)
+	assert.NilError(t, err)
+
+	// verify the key content
+	from, _ := os.OpenFile(expectedImportKeyPath, os.O_RDONLY, notary.PrivExecPerms)
+	defer from.Close()
+	fromBytes, _ := ioutil.ReadAll(from)
+	keyPEM, _ := pem.Decode(fromBytes)
+	assert.Check(t, is.Equal("signer-name", keyPEM.Headers["role"]))
+	// the default GUN is empty
+	assert.Check(t, is.Equal("", keyPEM.Headers["gun"]))
+	// assert encrypted header
+	assert.Check(t, is.Equal("ENCRYPTED PRIVATE KEY", keyPEM.Type))
+
+	decryptedKey, err := tufutils.ParsePKCS8ToTufKey(keyPEM.Bytes, []byte(passwd))
+	assert.NilError(t, err)
+	fixturePEM, _ := pem.Decode(privKeyFixture)
+	assert.Check(t, is.DeepEqual(fixturePEM.Bytes, decryptedKey.Private()))
+}
+
+func TestLoadKeyTooPermissive(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows")
+	for keyID, keyBytes := range testKeys {
+		t.Run(fmt.Sprintf("load-key-id-%s-too-permissive", keyID), func(t *testing.T) {
+			testLoadKeyTooPermissive(t, keyBytes)
+		})
+	}
+}
+
+func testLoadKeyTooPermissive(t *testing.T, privKeyFixture []byte) {
+	privKeyDir, err := ioutil.TempDir("", "key-load-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(privKeyDir)
+	privKeyFilepath := filepath.Join(privKeyDir, "privkey477.pem")
+	assert.NilError(t, ioutil.WriteFile(privKeyFilepath, privKeyFixture, 0477))
+
+	keyStorageDir, err := ioutil.TempDir("", "loaded-keys-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(keyStorageDir)
+
+	// import the key to our keyStorageDir
+	_, err = getPrivKeyBytesFromPath(privKeyFilepath)
+	expected := fmt.Sprintf("private key file %s must not be readable or writable by others", privKeyFilepath)
+	assert.Error(t, err, expected)
+
+	privKeyFilepath = filepath.Join(privKeyDir, "privkey667.pem")
+	assert.NilError(t, ioutil.WriteFile(privKeyFilepath, privKeyFixture, 0677))
+
+	_, err = getPrivKeyBytesFromPath(privKeyFilepath)
+	expected = fmt.Sprintf("private key file %s must not be readable or writable by others", privKeyFilepath)
+	assert.Error(t, err, expected)
+
+	privKeyFilepath = filepath.Join(privKeyDir, "privkey777.pem")
+	assert.NilError(t, ioutil.WriteFile(privKeyFilepath, privKeyFixture, 0777))
+
+	_, err = getPrivKeyBytesFromPath(privKeyFilepath)
+	expected = fmt.Sprintf("private key file %s must not be readable or writable by others", privKeyFilepath)
+	assert.Error(t, err, expected)
+
+	privKeyFilepath = filepath.Join(privKeyDir, "privkey400.pem")
+	assert.NilError(t, ioutil.WriteFile(privKeyFilepath, privKeyFixture, 0400))
+
+	_, err = getPrivKeyBytesFromPath(privKeyFilepath)
+	assert.NilError(t, err)
+
+	privKeyFilepath = filepath.Join(privKeyDir, "privkey600.pem")
+	assert.NilError(t, ioutil.WriteFile(privKeyFilepath, privKeyFixture, 0600))
+
+	_, err = getPrivKeyBytesFromPath(privKeyFilepath)
+	assert.NilError(t, err)
+}
+
+var pubKeyFixture = []byte(`-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUIH9AYtrcDFzZrFJBdJZkn21d+4c
+H3nzy2O6Q/ct4BjOBKa+WCdRtPo78bA+C/7t81ADQO8Jqaj59W50rwoqDQ==
+-----END PUBLIC KEY-----`)
+
+func TestLoadPubKeyFailure(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows")
+	pubKeyDir, err := ioutil.TempDir("", "key-load-test-pubkey-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(pubKeyDir)
+	pubKeyFilepath := filepath.Join(pubKeyDir, "pubkey.pem")
+	assert.NilError(t, ioutil.WriteFile(pubKeyFilepath, pubKeyFixture, notary.PrivNoExecPerms))
+	keyStorageDir, err := ioutil.TempDir("", "loaded-keys-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(keyStorageDir)
+
+	passwd := "password"
+	cannedPasswordRetriever := passphrase.ConstantRetriever(passwd)
+	keyFileStore, err := storage.NewPrivateKeyFileStorage(keyStorageDir, notary.KeyExtension)
+	assert.NilError(t, err)
+	privKeyImporters := []trustmanager.Importer{keyFileStore}
+
+	pubKeyBytes, err := getPrivKeyBytesFromPath(pubKeyFilepath)
+	assert.NilError(t, err)
+
+	// import the key to our keyStorageDir - it should fail
+	err = loadPrivKeyBytesToStore(pubKeyBytes, privKeyImporters, pubKeyFilepath, "signer-name", cannedPasswordRetriever)
+	expected := fmt.Sprintf("provided file %s is not a supported private key - to add a signer's public key use docker trust signer add", pubKeyFilepath)
+	assert.Error(t, err, expected)
+}
diff --git a/cli/cli/command/trust/revoke.go b/cli/cli/command/trust/revoke.go
new file mode 100644
index 00000000..31437b03
--- /dev/null
+++ b/cli/cli/command/trust/revoke.go
@@ -0,0 +1,125 @@
+package trust
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/cli/trust"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/tuf/data"
+)
+
+type revokeOptions struct {
+	forceYes bool
+}
+
+func newRevokeCommand(dockerCli command.Cli) *cobra.Command {
+	options := revokeOptions{}
+	cmd := &cobra.Command{
+		Use:   "revoke [OPTIONS] IMAGE[:TAG]",
+		Short: "Remove trust for an image",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return revokeTrust(dockerCli, args[0], options)
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.forceYes, "yes", "y", false, "Do not prompt for confirmation")
+	return cmd
+}
+
+func revokeTrust(cli command.Cli, remote string, options revokeOptions) error {
+	ctx := context.Background()
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), remote)
+	if err != nil {
+		return err
+	}
+	tag := imgRefAndAuth.Tag()
+	if imgRefAndAuth.Tag() == "" && imgRefAndAuth.Digest() != "" {
+		return fmt.Errorf("cannot use a digest reference for IMAGE:TAG")
+	}
+	if imgRefAndAuth.Tag() == "" && !options.forceYes {
+		deleteRemote := command.PromptForConfirmation(os.Stdin, cli.Out(), fmt.Sprintf("Please confirm you would like to delete all signature data for %s?", remote))
+		if !deleteRemote {
+			fmt.Fprintf(cli.Out(), "\nAborting action.\n")
+			return nil
+		}
+	}
+
+	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, trust.ActionsPushAndPull)
+	if err != nil {
+		return err
+	}
+
+	if err = clearChangeList(notaryRepo); err != nil {
+		return err
+	}
+	defer clearChangeList(notaryRepo)
+	if err := revokeSignature(notaryRepo, tag); err != nil {
+		return errors.Wrapf(err, "could not remove signature for %s", remote)
+	}
+	fmt.Fprintf(cli.Out(), "Successfully deleted signature for %s\n", remote)
+	return nil
+}
+
+func revokeSignature(notaryRepo client.Repository, tag string) error {
+	if tag != "" {
+		// Revoke signature for the specified tag
+		if err := revokeSingleSig(notaryRepo, tag); err != nil {
+			return err
+		}
+	} else {
+		// revoke all signatures for the image, as no tag was given
+		if err := revokeAllSigs(notaryRepo); err != nil {
+			return err
+		}
+	}
+
+	//  Publish change
+	return notaryRepo.Publish()
+}
+
+func revokeSingleSig(notaryRepo client.Repository, tag string) error {
+	releasedTargetWithRole, err := notaryRepo.GetTargetByName(tag, trust.ReleasesRole, data.CanonicalTargetsRole)
+	if err != nil {
+		return err
+	}
+	releasedTarget := releasedTargetWithRole.Target
+	return getSignableRolesForTargetAndRemove(releasedTarget, notaryRepo)
+}
+
+func revokeAllSigs(notaryRepo client.Repository) error {
+	releasedTargetWithRoleList, err := notaryRepo.ListTargets(trust.ReleasesRole, data.CanonicalTargetsRole)
+	if err != nil {
+		return err
+	}
+
+	if len(releasedTargetWithRoleList) == 0 {
+		return fmt.Errorf("no signed tags to remove")
+	}
+
+	// we need all the roles that signed each released target so we can remove from all roles.
+	for _, releasedTargetWithRole := range releasedTargetWithRoleList {
+		// remove from all roles
+		if err := getSignableRolesForTargetAndRemove(releasedTargetWithRole.Target, notaryRepo); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// get all the roles that signed the target and removes it from all roles.
+func getSignableRolesForTargetAndRemove(releasedTarget client.Target, notaryRepo client.Repository) error {
+	signableRoles, err := trust.GetSignableRoles(notaryRepo, &releasedTarget)
+	if err != nil {
+		return err
+	}
+	// remove from all roles
+	return notaryRepo.RemoveTarget(releasedTarget.Name, signableRoles...)
+}
diff --git a/cli/cli/command/trust/revoke_test.go b/cli/cli/command/trust/revoke_test.go
new file mode 100644
index 00000000..b0a43876
--- /dev/null
+++ b/cli/cli/command/trust/revoke_test.go
@@ -0,0 +1,148 @@
+package trust
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/cli/internal/test/notary"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/passphrase"
+	"github.com/theupdateframework/notary/trustpinning"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestTrustRevokeCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+	}{
+		{
+			name:          "not-enough-args",
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name:          "too-many-args",
+			args:          []string{"remote1", "remote2"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name:          "sha-reference",
+			args:          []string{"870d292919d01a0af7e7f056271dc78792c05f55f49b9b9012b6d89725bd9abd"},
+			expectedError: "invalid repository name",
+		},
+		{
+			name:          "invalid-img-reference",
+			args:          []string{"ALPINE"},
+			expectedError: "invalid reference format",
+		},
+		{
+			name:          "digest-reference",
+			args:          []string{"ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2"},
+			expectedError: "cannot use a digest reference for IMAGE:TAG",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newRevokeCommand(
+			test.NewFakeCli(&fakeClient{}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestTrustRevokeCommandOfflineErrors(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetOfflineNotaryRepository)
+	cmd := newRevokeCommand(cli)
+	cmd.SetArgs([]string{"reg-name.io/image"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Contains(cli.OutBuffer().String(), "Please confirm you would like to delete all signature data for reg-name.io/image? [y/N] \nAborting action."))
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetOfflineNotaryRepository)
+	cmd = newRevokeCommand(cli)
+	cmd.SetArgs([]string{"reg-name.io/image", "-y"})
+	cmd.SetOutput(ioutil.Discard)
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetOfflineNotaryRepository)
+	cmd = newRevokeCommand(cli)
+	cmd.SetArgs([]string{"reg-name.io/image:tag"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "could not remove signature for reg-name.io/image:tag: client is offline")
+}
+
+func TestTrustRevokeCommandUninitializedErrors(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetUninitializedNotaryRepository)
+	cmd := newRevokeCommand(cli)
+	cmd.SetArgs([]string{"reg-name.io/image"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Contains(cli.OutBuffer().String(), "Please confirm you would like to delete all signature data for reg-name.io/image? [y/N] \nAborting action."))
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetUninitializedNotaryRepository)
+	cmd = newRevokeCommand(cli)
+	cmd.SetArgs([]string{"reg-name.io/image", "-y"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "could not remove signature for reg-name.io/image:  does not have trust data for")
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetUninitializedNotaryRepository)
+	cmd = newRevokeCommand(cli)
+	cmd.SetArgs([]string{"reg-name.io/image:tag"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "could not remove signature for reg-name.io/image:tag:  does not have trust data for")
+}
+
+func TestTrustRevokeCommandEmptyNotaryRepo(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetEmptyTargetsNotaryRepository)
+	cmd := newRevokeCommand(cli)
+	cmd.SetArgs([]string{"reg-name.io/image"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Contains(cli.OutBuffer().String(), "Please confirm you would like to delete all signature data for reg-name.io/image? [y/N] \nAborting action."))
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetEmptyTargetsNotaryRepository)
+	cmd = newRevokeCommand(cli)
+	cmd.SetArgs([]string{"reg-name.io/image", "-y"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "could not remove signature for reg-name.io/image: no signed tags to remove")
+
+	cli = test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetEmptyTargetsNotaryRepository)
+	cmd = newRevokeCommand(cli)
+	cmd.SetArgs([]string{"reg-name.io/image:tag"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "could not remove signature for reg-name.io/image:tag: No valid trust data for tag")
+}
+
+func TestNewRevokeTrustAllSigConfirmation(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notary.GetEmptyTargetsNotaryRepository)
+	cmd := newRevokeCommand(cli)
+	cmd.SetArgs([]string{"alpine"})
+	assert.NilError(t, cmd.Execute())
+
+	assert.Check(t, is.Contains(cli.OutBuffer().String(), "Please confirm you would like to delete all signature data for alpine? [y/N] \nAborting action."))
+}
+
+func TestGetSignableRolesForTargetAndRemoveError(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "notary-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever("password"), trustpinning.TrustPinConfig{})
+	assert.NilError(t, err)
+	target := client.Target{}
+	err = getSignableRolesForTargetAndRemove(target, notaryRepo)
+	assert.Error(t, err, "client is offline")
+}
diff --git a/cli/cli/command/trust/sign.go b/cli/cli/command/trust/sign.go
new file mode 100644
index 00000000..234a057c
--- /dev/null
+++ b/cli/cli/command/trust/sign.go
@@ -0,0 +1,247 @@
+package trust
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"path"
+	"sort"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/cli/trust"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/tuf/data"
+)
+
+type signOptions struct {
+	local     bool
+	imageName string
+}
+
+func newSignCommand(dockerCli command.Cli) *cobra.Command {
+	options := signOptions{}
+	cmd := &cobra.Command{
+		Use:   "sign IMAGE:TAG",
+		Short: "Sign an image",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.imageName = args[0]
+			return runSignImage(dockerCli, options)
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVar(&options.local, "local", false, "Sign a locally tagged image")
+	return cmd
+}
+
+func runSignImage(cli command.Cli, options signOptions) error {
+	imageName := options.imageName
+	ctx := context.Background()
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), imageName)
+	if err != nil {
+		return err
+	}
+	if err := validateTag(imgRefAndAuth); err != nil {
+		return err
+	}
+
+	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, trust.ActionsPushAndPull)
+	if err != nil {
+		return trust.NotaryError(imgRefAndAuth.Reference().Name(), err)
+	}
+	if err = clearChangeList(notaryRepo); err != nil {
+		return err
+	}
+	defer clearChangeList(notaryRepo)
+
+	// get the latest repository metadata so we can figure out which roles to sign
+	if _, err = notaryRepo.ListTargets(); err != nil {
+		switch err.(type) {
+		case client.ErrRepoNotInitialized, client.ErrRepositoryNotExist:
+			// before initializing a new repo, check that the image exists locally:
+			if err := checkLocalImageExistence(ctx, cli, imageName); err != nil {
+				return err
+			}
+
+			userRole := data.RoleName(path.Join(data.CanonicalTargetsRole.String(), imgRefAndAuth.AuthConfig().Username))
+			if err := initNotaryRepoWithSigners(notaryRepo, userRole); err != nil {
+				return trust.NotaryError(imgRefAndAuth.Reference().Name(), err)
+			}
+
+			fmt.Fprintf(cli.Out(), "Created signer: %s\n", imgRefAndAuth.AuthConfig().Username)
+			fmt.Fprintf(cli.Out(), "Finished initializing signed repository for %s\n", imageName)
+		default:
+			return trust.NotaryError(imgRefAndAuth.RepoInfo().Name.Name(), err)
+		}
+	}
+	requestPrivilege := command.RegistryAuthenticationPrivilegedFunc(cli, imgRefAndAuth.RepoInfo().Index, "push")
+	target, err := createTarget(notaryRepo, imgRefAndAuth.Tag())
+	if err != nil || options.local {
+		switch err := err.(type) {
+		// If the error is nil then the local flag is set
+		case client.ErrNoSuchTarget, client.ErrRepositoryNotExist, nil:
+			// Fail fast if the image doesn't exist locally
+			if err := checkLocalImageExistence(ctx, cli, imageName); err != nil {
+				return err
+			}
+			fmt.Fprintf(cli.Err(), "Signing and pushing trust data for local image %s, may overwrite remote trust data\n", imageName)
+			return image.TrustedPush(ctx, cli, imgRefAndAuth.RepoInfo(), imgRefAndAuth.Reference(), *imgRefAndAuth.AuthConfig(), requestPrivilege)
+		default:
+			return err
+		}
+	}
+	return signAndPublishToTarget(cli.Out(), imgRefAndAuth, notaryRepo, target)
+}
+
+func signAndPublishToTarget(out io.Writer, imgRefAndAuth trust.ImageRefAndAuth, notaryRepo client.Repository, target client.Target) error {
+	tag := imgRefAndAuth.Tag()
+	fmt.Fprintf(out, "Signing and pushing trust metadata for %s\n", imgRefAndAuth.Name())
+	existingSigInfo, err := getExistingSignatureInfoForReleasedTag(notaryRepo, tag)
+	if err != nil {
+		return err
+	}
+	err = image.AddTargetToAllSignableRoles(notaryRepo, &target)
+	if err == nil {
+		prettyPrintExistingSignatureInfo(out, existingSigInfo)
+		err = notaryRepo.Publish()
+	}
+	if err != nil {
+		return errors.Wrapf(err, "failed to sign %s:%s", imgRefAndAuth.RepoInfo().Name.Name(), tag)
+	}
+	fmt.Fprintf(out, "Successfully signed %s:%s\n", imgRefAndAuth.RepoInfo().Name.Name(), tag)
+	return nil
+}
+
+func validateTag(imgRefAndAuth trust.ImageRefAndAuth) error {
+	tag := imgRefAndAuth.Tag()
+	if tag == "" {
+		if imgRefAndAuth.Digest() != "" {
+			return fmt.Errorf("cannot use a digest reference for IMAGE:TAG")
+		}
+		return fmt.Errorf("No tag specified for %s", imgRefAndAuth.Name())
+	}
+	return nil
+}
+
+func checkLocalImageExistence(ctx context.Context, cli command.Cli, imageName string) error {
+	_, _, err := cli.Client().ImageInspectWithRaw(ctx, imageName)
+	return err
+}
+
+func createTarget(notaryRepo client.Repository, tag string) (client.Target, error) {
+	target := &client.Target{}
+	var err error
+	if tag == "" {
+		return *target, fmt.Errorf("No tag specified")
+	}
+	target.Name = tag
+	target.Hashes, target.Length, err = getSignedManifestHashAndSize(notaryRepo, tag)
+	return *target, err
+}
+
+func getSignedManifestHashAndSize(notaryRepo client.Repository, tag string) (data.Hashes, int64, error) {
+	targets, err := notaryRepo.GetAllTargetMetadataByName(tag)
+	if err != nil {
+		return nil, 0, err
+	}
+	return getReleasedTargetHashAndSize(targets, tag)
+}
+
+func getReleasedTargetHashAndSize(targets []client.TargetSignedStruct, tag string) (data.Hashes, int64, error) {
+	for _, tgt := range targets {
+		if isReleasedTarget(tgt.Role.Name) {
+			return tgt.Target.Hashes, tgt.Target.Length, nil
+		}
+	}
+	return nil, 0, client.ErrNoSuchTarget(tag)
+}
+
+func getExistingSignatureInfoForReleasedTag(notaryRepo client.Repository, tag string) (trustTagRow, error) {
+	targets, err := notaryRepo.GetAllTargetMetadataByName(tag)
+	if err != nil {
+		return trustTagRow{}, err
+	}
+	releasedTargetInfoList := matchReleasedSignatures(targets)
+	if len(releasedTargetInfoList) == 0 {
+		return trustTagRow{}, nil
+	}
+	return releasedTargetInfoList[0], nil
+}
+
+func prettyPrintExistingSignatureInfo(out io.Writer, existingSigInfo trustTagRow) {
+	sort.Strings(existingSigInfo.Signers)
+	joinedSigners := strings.Join(existingSigInfo.Signers, ", ")
+	fmt.Fprintf(out, "Existing signatures for tag %s digest %s from:\n%s\n", existingSigInfo.SignedTag, existingSigInfo.Digest, joinedSigners)
+}
+
+func initNotaryRepoWithSigners(notaryRepo client.Repository, newSigner data.RoleName) error {
+	rootKey, err := getOrGenerateNotaryKey(notaryRepo, data.CanonicalRootRole)
+	if err != nil {
+		return err
+	}
+	rootKeyID := rootKey.ID()
+
+	// Initialize the notary repository with a remotely managed snapshot key
+	if err := notaryRepo.Initialize([]string{rootKeyID}, data.CanonicalSnapshotRole); err != nil {
+		return err
+	}
+
+	signerKey, err := getOrGenerateNotaryKey(notaryRepo, newSigner)
+	if err != nil {
+		return err
+	}
+	if err := addStagedSigner(notaryRepo, newSigner, []data.PublicKey{signerKey}); err != nil {
+		return errors.Wrapf(err, "could not add signer to repo: %s", strings.TrimPrefix(newSigner.String(), "targets/"))
+	}
+
+	return notaryRepo.Publish()
+}
+
+// generates an ECDSA key without a GUN for the specified role
+func getOrGenerateNotaryKey(notaryRepo client.Repository, role data.RoleName) (data.PublicKey, error) {
+	// use the signer name in the PEM headers if this is a delegation key
+	if data.IsDelegation(role) {
+		role = data.RoleName(notaryRoleToSigner(role))
+	}
+	keys := notaryRepo.GetCryptoService().ListKeys(role)
+	var err error
+	var key data.PublicKey
+	// always select the first key by ID
+	if len(keys) > 0 {
+		sort.Strings(keys)
+		keyID := keys[0]
+		privKey, _, err := notaryRepo.GetCryptoService().GetPrivateKey(keyID)
+		if err != nil {
+			return nil, err
+		}
+		key = data.PublicKeyFromPrivate(privKey)
+	} else {
+		key, err = notaryRepo.GetCryptoService().Create(role, "", data.ECDSAKey)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return key, nil
+}
+
+// stages changes to add a signer with the specified name and key(s).  Adds to targets/<name> and targets/releases
+func addStagedSigner(notaryRepo client.Repository, newSigner data.RoleName, signerKeys []data.PublicKey) error {
+	// create targets/<username>
+	if err := notaryRepo.AddDelegationRoleAndKeys(newSigner, signerKeys); err != nil {
+		return err
+	}
+	if err := notaryRepo.AddDelegationPaths(newSigner, []string{""}); err != nil {
+		return err
+	}
+
+	// create targets/releases
+	if err := notaryRepo.AddDelegationRoleAndKeys(trust.ReleasesRole, signerKeys); err != nil {
+		return err
+	}
+	return notaryRepo.AddDelegationPaths(trust.ReleasesRole, []string{""})
+}
diff --git a/cli/cli/command/trust/sign_test.go b/cli/cli/command/trust/sign_test.go
new file mode 100644
index 00000000..5a7b6b5f
--- /dev/null
+++ b/cli/cli/command/trust/sign_test.go
@@ -0,0 +1,309 @@
+package trust
+
+import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"runtime"
+	"testing"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/trust"
+	"github.com/docker/cli/internal/test"
+	notaryfake "github.com/docker/cli/internal/test/notary"
+	"github.com/theupdateframework/notary"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/client/changelist"
+	"github.com/theupdateframework/notary/passphrase"
+	"github.com/theupdateframework/notary/trustpinning"
+	"github.com/theupdateframework/notary/tuf/data"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+const passwd = "password"
+
+func TestTrustSignCommandErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+	}{
+		{
+			name:          "not-enough-args",
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name:          "too-many-args",
+			args:          []string{"image", "tag"},
+			expectedError: "requires exactly 1 argument",
+		},
+		{
+			name:          "sha-reference",
+			args:          []string{"870d292919d01a0af7e7f056271dc78792c05f55f49b9b9012b6d89725bd9abd"},
+			expectedError: "invalid repository name",
+		},
+		{
+			name:          "invalid-img-reference",
+			args:          []string{"ALPINE:latest"},
+			expectedError: "invalid reference format",
+		},
+		{
+			name:          "no-tag",
+			args:          []string{"reg/img"},
+			expectedError: "No tag specified for reg/img",
+		},
+		{
+			name:          "digest-reference",
+			args:          []string{"ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2"},
+			expectedError: "cannot use a digest reference for IMAGE:TAG",
+		},
+	}
+	// change to a tmpdir
+	tmpDir, err := ioutil.TempDir("", "docker-sign-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+	config.SetDir(tmpDir)
+	for _, tc := range testCases {
+		cmd := newSignCommand(
+			test.NewFakeCli(&fakeClient{}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestTrustSignCommandOfflineErrors(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetOfflineNotaryRepository)
+	cmd := newSignCommand(cli)
+	cmd.SetArgs([]string{"reg-name.io/image:tag"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "client is offline")
+}
+
+func TestGetOrGenerateNotaryKey(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "notary-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
+	assert.NilError(t, err)
+
+	// repo is empty, try making a root key
+	rootKeyA, err := getOrGenerateNotaryKey(notaryRepo, data.CanonicalRootRole)
+	assert.NilError(t, err)
+	assert.Check(t, rootKeyA != nil)
+
+	// we should only have one newly generated key
+	allKeys := notaryRepo.GetCryptoService().ListAllKeys()
+	assert.Check(t, is.Len(allKeys, 1))
+	assert.Check(t, notaryRepo.GetCryptoService().GetKey(rootKeyA.ID()) != nil)
+
+	// this time we should get back the same key if we ask for another root key
+	rootKeyB, err := getOrGenerateNotaryKey(notaryRepo, data.CanonicalRootRole)
+	assert.NilError(t, err)
+	assert.Check(t, rootKeyB != nil)
+
+	// we should only have one newly generated key
+	allKeys = notaryRepo.GetCryptoService().ListAllKeys()
+	assert.Check(t, is.Len(allKeys, 1))
+	assert.Check(t, notaryRepo.GetCryptoService().GetKey(rootKeyB.ID()) != nil)
+
+	// The key we retrieved should be identical to the one we generated
+	assert.Check(t, is.DeepEqual(rootKeyA.Public(), rootKeyB.Public()))
+
+	// Now also try with a delegation key
+	releasesKey, err := getOrGenerateNotaryKey(notaryRepo, data.RoleName(trust.ReleasesRole))
+	assert.NilError(t, err)
+	assert.Check(t, releasesKey != nil)
+
+	// we should now have two keys
+	allKeys = notaryRepo.GetCryptoService().ListAllKeys()
+	assert.Check(t, is.Len(allKeys, 2))
+	assert.Check(t, notaryRepo.GetCryptoService().GetKey(releasesKey.ID()) != nil)
+	// The key we retrieved should be identical to the one we generated
+	assert.Check(t, releasesKey != rootKeyA)
+	assert.Check(t, releasesKey != rootKeyB)
+}
+
+func TestAddStageSigners(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows", "FIXME: not supported currently")
+	tmpDir, err := ioutil.TempDir("", "notary-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
+	assert.NilError(t, err)
+
+	// stage targets/user
+	userRole := data.RoleName("targets/user")
+	userKey := data.NewPublicKey("algoA", []byte("a"))
+	err = addStagedSigner(notaryRepo, userRole, []data.PublicKey{userKey})
+	assert.NilError(t, err)
+	// check the changelist for four total changes: two on targets/releases and two on targets/user
+	cl, err := notaryRepo.GetChangelist()
+	assert.NilError(t, err)
+	changeList := cl.List()
+	assert.Check(t, is.Len(changeList, 4))
+	// ordering is determinstic:
+
+	// first change is for targets/user key creation
+	newSignerKeyChange := changeList[0]
+	expectedJSON, err := json.Marshal(&changelist.TUFDelegation{
+		NewThreshold: notary.MinThreshold,
+		AddKeys:      data.KeyList([]data.PublicKey{userKey}),
+	})
+	assert.NilError(t, err)
+	expectedChange := changelist.NewTUFChange(
+		changelist.ActionCreate,
+		userRole,
+		changelist.TypeTargetsDelegation,
+		"", // no path for delegations
+		expectedJSON,
+	)
+	assert.Check(t, is.DeepEqual(expectedChange, newSignerKeyChange))
+
+	// second change is for targets/user getting all paths
+	newSignerPathsChange := changeList[1]
+	expectedJSON, err = json.Marshal(&changelist.TUFDelegation{
+		AddPaths: []string{""},
+	})
+	assert.NilError(t, err)
+	expectedChange = changelist.NewTUFChange(
+		changelist.ActionCreate,
+		userRole,
+		changelist.TypeTargetsDelegation,
+		"", // no path for delegations
+		expectedJSON,
+	)
+	assert.Check(t, is.DeepEqual(expectedChange, newSignerPathsChange))
+
+	releasesRole := data.RoleName("targets/releases")
+
+	// third change is for targets/releases key creation
+	releasesKeyChange := changeList[2]
+	expectedJSON, err = json.Marshal(&changelist.TUFDelegation{
+		NewThreshold: notary.MinThreshold,
+		AddKeys:      data.KeyList([]data.PublicKey{userKey}),
+	})
+	assert.NilError(t, err)
+	expectedChange = changelist.NewTUFChange(
+		changelist.ActionCreate,
+		releasesRole,
+		changelist.TypeTargetsDelegation,
+		"", // no path for delegations
+		expectedJSON,
+	)
+	assert.Check(t, is.DeepEqual(expectedChange, releasesKeyChange))
+
+	// fourth change is for targets/releases getting all paths
+	releasesPathsChange := changeList[3]
+	expectedJSON, err = json.Marshal(&changelist.TUFDelegation{
+		AddPaths: []string{""},
+	})
+	assert.NilError(t, err)
+	expectedChange = changelist.NewTUFChange(
+		changelist.ActionCreate,
+		releasesRole,
+		changelist.TypeTargetsDelegation,
+		"", // no path for delegations
+		expectedJSON,
+	)
+	assert.Check(t, is.DeepEqual(expectedChange, releasesPathsChange))
+}
+
+func TestGetSignedManifestHashAndSize(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "notary-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
+	assert.NilError(t, err)
+	target := &client.Target{}
+	target.Hashes, target.Length, err = getSignedManifestHashAndSize(notaryRepo, "test")
+	assert.Error(t, err, "client is offline")
+}
+
+func TestGetReleasedTargetHashAndSize(t *testing.T) {
+	oneReleasedTgt := []client.TargetSignedStruct{}
+	// make and append 3 non-released signatures on the "unreleased" target
+	unreleasedTgt := client.Target{Name: "unreleased", Hashes: data.Hashes{notary.SHA256: []byte("hash")}}
+	for _, unreleasedRole := range []string{"targets/a", "targets/b", "targets/c"} {
+		oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName(unreleasedRole), Target: unreleasedTgt})
+	}
+	_, _, err := getReleasedTargetHashAndSize(oneReleasedTgt, "unreleased")
+	assert.Error(t, err, "No valid trust data for unreleased")
+	releasedTgt := client.Target{Name: "released", Hashes: data.Hashes{notary.SHA256: []byte("released-hash")}}
+	oneReleasedTgt = append(oneReleasedTgt, client.TargetSignedStruct{Role: mockDelegationRoleWithName("targets/releases"), Target: releasedTgt})
+	hash, _, _ := getReleasedTargetHashAndSize(oneReleasedTgt, "unreleased")
+	assert.Check(t, is.DeepEqual(data.Hashes{notary.SHA256: []byte("released-hash")}, hash))
+
+}
+
+func TestCreateTarget(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "notary-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
+	assert.NilError(t, err)
+	_, err = createTarget(notaryRepo, "")
+	assert.Error(t, err, "No tag specified")
+	_, err = createTarget(notaryRepo, "1")
+	assert.Error(t, err, "client is offline")
+}
+
+func TestGetExistingSignatureInfoForReleasedTag(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "notary-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
+	assert.NilError(t, err)
+	_, err = getExistingSignatureInfoForReleasedTag(notaryRepo, "test")
+	assert.Error(t, err, "client is offline")
+}
+
+func TestPrettyPrintExistingSignatureInfo(t *testing.T) {
+	buf := bytes.NewBuffer(nil)
+	signers := []string{"Bob", "Alice", "Carol"}
+	existingSig := trustTagRow{trustTagKey{"tagName", "abc123"}, signers}
+	prettyPrintExistingSignatureInfo(buf, existingSig)
+
+	assert.Check(t, is.Contains(buf.String(), "Existing signatures for tag tagName digest abc123 from:\nAlice, Bob, Carol"))
+}
+
+func TestSignCommandChangeListIsCleanedOnError(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "docker-sign-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	config.SetDir(tmpDir)
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetLoadedNotaryRepository)
+	cmd := newSignCommand(cli)
+	cmd.SetArgs([]string{"ubuntu:latest"})
+	cmd.SetOutput(ioutil.Discard)
+
+	err = cmd.Execute()
+	assert.Assert(t, err != nil)
+
+	notaryRepo, err := client.NewFileCachedRepository(tmpDir, "docker.io/library/ubuntu", "https://localhost", nil, passphrase.ConstantRetriever(passwd), trustpinning.TrustPinConfig{})
+	assert.NilError(t, err)
+	cl, err := notaryRepo.GetChangelist()
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(len(cl.List()), 0))
+}
+
+func TestSignCommandLocalFlag(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetEmptyTargetsNotaryRepository)
+	cmd := newSignCommand(cli)
+	cmd.SetArgs([]string{"--local", "reg-name.io/image:red"})
+	cmd.SetOutput(ioutil.Discard)
+	assert.ErrorContains(t, cmd.Execute(), "error during connect: Get /images/reg-name.io/image:red/json: unsupported protocol scheme")
+
+}
diff --git a/cli/cli/command/trust/signer.go b/cli/cli/command/trust/signer.go
new file mode 100644
index 00000000..807ad6c9
--- /dev/null
+++ b/cli/cli/command/trust/signer.go
@@ -0,0 +1,22 @@
+package trust
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// newTrustSignerCommand returns a cobra command for `trust signer` subcommands
+func newTrustSignerCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "signer",
+		Short: "Manage entities who can sign Docker images",
+		Args:  cli.NoArgs,
+		RunE:  command.ShowHelp(dockerCli.Err()),
+	}
+	cmd.AddCommand(
+		newSignerAddCommand(dockerCli),
+		newSignerRemoveCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/trust/signer_add.go b/cli/cli/command/trust/signer_add.go
new file mode 100644
index 00000000..304aeec9
--- /dev/null
+++ b/cli/cli/command/trust/signer_add.go
@@ -0,0 +1,141 @@
+package trust
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"regexp"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/cli/trust"
+	"github.com/docker/cli/opts"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/tuf/data"
+	tufutils "github.com/theupdateframework/notary/tuf/utils"
+)
+
+type signerAddOptions struct {
+	keys   opts.ListOpts
+	signer string
+	repos  []string
+}
+
+func newSignerAddCommand(dockerCli command.Cli) *cobra.Command {
+	var options signerAddOptions
+	cmd := &cobra.Command{
+		Use:   "add OPTIONS NAME REPOSITORY [REPOSITORY...] ",
+		Short: "Add a signer",
+		Args:  cli.RequiresMinArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.signer = args[0]
+			options.repos = args[1:]
+			return addSigner(dockerCli, options)
+		},
+	}
+	flags := cmd.Flags()
+	options.keys = opts.NewListOpts(nil)
+	flags.Var(&options.keys, "key", "Path to the signer's public key file")
+	return cmd
+}
+
+var validSignerName = regexp.MustCompile(`^[a-z0-9][a-z0-9\_\-]*$`).MatchString
+
+func addSigner(cli command.Cli, options signerAddOptions) error {
+	signerName := options.signer
+	if !validSignerName(signerName) {
+		return fmt.Errorf("signer name \"%s\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character", signerName)
+	}
+	if signerName == "releases" {
+		return fmt.Errorf("releases is a reserved keyword, please use a different signer name")
+	}
+
+	if options.keys.Len() == 0 {
+		return fmt.Errorf("path to a public key must be provided using the `--key` flag")
+	}
+	signerPubKeys, err := ingestPublicKeys(options.keys.GetAll())
+	if err != nil {
+		return err
+	}
+	var errRepos []string
+	for _, repoName := range options.repos {
+		fmt.Fprintf(cli.Out(), "Adding signer \"%s\" to %s...\n", signerName, repoName)
+		if err := addSignerToRepo(cli, signerName, repoName, signerPubKeys); err != nil {
+			fmt.Fprintln(cli.Err(), err.Error()+"\n")
+			errRepos = append(errRepos, repoName)
+		} else {
+			fmt.Fprintf(cli.Out(), "Successfully added signer: %s to %s\n\n", signerName, repoName)
+		}
+	}
+	if len(errRepos) > 0 {
+		return fmt.Errorf("Failed to add signer to: %s", strings.Join(errRepos, ", "))
+	}
+	return nil
+}
+
+func addSignerToRepo(cli command.Cli, signerName string, repoName string, signerPubKeys []data.PublicKey) error {
+	ctx := context.Background()
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), repoName)
+	if err != nil {
+		return err
+	}
+
+	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, trust.ActionsPushAndPull)
+	if err != nil {
+		return trust.NotaryError(imgRefAndAuth.Reference().Name(), err)
+	}
+
+	if _, err = notaryRepo.ListTargets(); err != nil {
+		switch err.(type) {
+		case client.ErrRepoNotInitialized, client.ErrRepositoryNotExist:
+			fmt.Fprintf(cli.Out(), "Initializing signed repository for %s...\n", repoName)
+			if err := getOrGenerateRootKeyAndInitRepo(notaryRepo); err != nil {
+				return trust.NotaryError(repoName, err)
+			}
+			fmt.Fprintf(cli.Out(), "Successfully initialized %q\n", repoName)
+		default:
+			return trust.NotaryError(repoName, err)
+		}
+	}
+
+	newSignerRoleName := data.RoleName(path.Join(data.CanonicalTargetsRole.String(), signerName))
+
+	if err := addStagedSigner(notaryRepo, newSignerRoleName, signerPubKeys); err != nil {
+		return errors.Wrapf(err, "could not add signer to repo: %s", strings.TrimPrefix(newSignerRoleName.String(), "targets/"))
+	}
+
+	return notaryRepo.Publish()
+}
+
+func ingestPublicKeys(pubKeyPaths []string) ([]data.PublicKey, error) {
+	pubKeys := []data.PublicKey{}
+	for _, pubKeyPath := range pubKeyPaths {
+		// Read public key bytes from PEM file, limit to 1 KiB
+		pubKeyFile, err := os.OpenFile(pubKeyPath, os.O_RDONLY, 0666)
+		if err != nil {
+			return nil, errors.Wrap(err, "unable to read public key from file")
+		}
+		defer pubKeyFile.Close()
+		// limit to
+		l := io.LimitReader(pubKeyFile, 1<<20)
+		pubKeyBytes, err := ioutil.ReadAll(l)
+		if err != nil {
+			return nil, errors.Wrap(err, "unable to read public key from file")
+		}
+
+		// Parse PEM bytes into type PublicKey
+		pubKey, err := tufutils.ParsePEMPublicKey(pubKeyBytes)
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not parse public key from file: %s", pubKeyPath)
+		}
+		pubKeys = append(pubKeys, pubKey)
+	}
+	return pubKeys, nil
+}
diff --git a/cli/cli/command/trust/signer_add_test.go b/cli/cli/command/trust/signer_add_test.go
new file mode 100644
index 00000000..64121e29
--- /dev/null
+++ b/cli/cli/command/trust/signer_add_test.go
@@ -0,0 +1,147 @@
+package trust
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/internal/test"
+	notaryfake "github.com/docker/cli/internal/test/notary"
+	"github.com/theupdateframework/notary"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestTrustSignerAddErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+	}{
+		{
+			name:          "not-enough-args",
+			expectedError: "requires at least 2 argument",
+		},
+		{
+			name:          "no-key",
+			args:          []string{"foo", "bar"},
+			expectedError: "path to a public key must be provided using the `--key` flag",
+		},
+		{
+			name:          "reserved-releases-signer-add",
+			args:          []string{"releases", "my-image", "--key", "/path/to/key"},
+			expectedError: "releases is a reserved keyword, please use a different signer name",
+		},
+		{
+			name:          "disallowed-chars",
+			args:          []string{"ali/ce", "my-image", "--key", "/path/to/key"},
+			expectedError: "signer name \"ali/ce\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character",
+		},
+		{
+			name:          "no-upper-case",
+			args:          []string{"Alice", "my-image", "--key", "/path/to/key"},
+			expectedError: "signer name \"Alice\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character",
+		},
+		{
+			name:          "start-with-letter",
+			args:          []string{"_alice", "my-image", "--key", "/path/to/key"},
+			expectedError: "signer name \"_alice\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character",
+		},
+	}
+	tmpDir, err := ioutil.TempDir("", "docker-sign-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+	config.SetDir(tmpDir)
+
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{})
+		cli.SetNotaryClient(notaryfake.GetOfflineNotaryRepository)
+		cmd := newSignerAddCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestSignerAddCommandNoTargetsKey(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "docker-sign-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+	config.SetDir(tmpDir)
+
+	tmpfile, err := ioutil.TempFile("", "pemfile")
+	assert.NilError(t, err)
+	defer os.Remove(tmpfile.Name())
+
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetEmptyTargetsNotaryRepository)
+	cmd := newSignerAddCommand(cli)
+	cmd.SetArgs([]string{"--key", tmpfile.Name(), "alice", "alpine", "linuxkit/alpine"})
+
+	cmd.SetOutput(ioutil.Discard)
+	assert.Error(t, cmd.Execute(), fmt.Sprintf("could not parse public key from file: %s: no valid public key found", tmpfile.Name()))
+}
+
+func TestSignerAddCommandBadKeyPath(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "docker-sign-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+	config.SetDir(tmpDir)
+
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetEmptyTargetsNotaryRepository)
+	cmd := newSignerAddCommand(cli)
+	cmd.SetArgs([]string{"--key", "/path/to/key.pem", "alice", "alpine"})
+
+	cmd.SetOutput(ioutil.Discard)
+	expectedError := "unable to read public key from file: open /path/to/key.pem: no such file or directory"
+	if runtime.GOOS == "windows" {
+		expectedError = "unable to read public key from file: open /path/to/key.pem: The system cannot find the path specified."
+	}
+	assert.Error(t, cmd.Execute(), expectedError)
+}
+
+func TestSignerAddCommandInvalidRepoName(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "docker-sign-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+	config.SetDir(tmpDir)
+
+	pubKeyDir, err := ioutil.TempDir("", "key-load-test-pubkey-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(pubKeyDir)
+	pubKeyFilepath := filepath.Join(pubKeyDir, "pubkey.pem")
+	assert.NilError(t, ioutil.WriteFile(pubKeyFilepath, pubKeyFixture, notary.PrivNoExecPerms))
+
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetUninitializedNotaryRepository)
+	cmd := newSignerAddCommand(cli)
+	imageName := "870d292919d01a0af7e7f056271dc78792c05f55f49b9b9012b6d89725bd9abd"
+	cmd.SetArgs([]string{"--key", pubKeyFilepath, "alice", imageName})
+
+	cmd.SetOutput(ioutil.Discard)
+	assert.Error(t, cmd.Execute(), "Failed to add signer to: 870d292919d01a0af7e7f056271dc78792c05f55f49b9b9012b6d89725bd9abd")
+	expectedErr := fmt.Sprintf("invalid repository name (%s), cannot specify 64-byte hexadecimal strings\n\n", imageName)
+
+	assert.Check(t, is.Equal(expectedErr, cli.ErrBuffer().String()))
+}
+
+func TestIngestPublicKeys(t *testing.T) {
+	// Call with a bad path
+	_, err := ingestPublicKeys([]string{"foo", "bar"})
+	expectedError := "unable to read public key from file: open foo: no such file or directory"
+	if runtime.GOOS == "windows" {
+		expectedError = "unable to read public key from file: open foo: The system cannot find the file specified."
+	}
+	assert.Error(t, err, expectedError)
+	// Call with real file path
+	tmpfile, err := ioutil.TempFile("", "pemfile")
+	assert.NilError(t, err)
+	defer os.Remove(tmpfile.Name())
+	_, err = ingestPublicKeys([]string{tmpfile.Name()})
+	assert.Error(t, err, fmt.Sprintf("could not parse public key from file: %s: no valid public key found", tmpfile.Name()))
+}
diff --git a/cli/cli/command/trust/signer_remove.go b/cli/cli/command/trust/signer_remove.go
new file mode 100644
index 00000000..d4e8eec4
--- /dev/null
+++ b/cli/cli/command/trust/signer_remove.go
@@ -0,0 +1,142 @@
+package trust
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/image"
+	"github.com/docker/cli/cli/trust"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/tuf/data"
+)
+
+type signerRemoveOptions struct {
+	signer   string
+	repos    []string
+	forceYes bool
+}
+
+func newSignerRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	options := signerRemoveOptions{}
+	cmd := &cobra.Command{
+		Use:   "remove [OPTIONS] NAME REPOSITORY [REPOSITORY...]",
+		Short: "Remove a signer",
+		Args:  cli.RequiresMinArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			options.signer = args[0]
+			options.repos = args[1:]
+			return removeSigner(dockerCli, options)
+		},
+	}
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.forceYes, "force", "f", false, "Do not prompt for confirmation before removing the most recent signer")
+	return cmd
+}
+
+func removeSigner(cli command.Cli, options signerRemoveOptions) error {
+	var errRepos []string
+	for _, repo := range options.repos {
+		fmt.Fprintf(cli.Out(), "Removing signer \"%s\" from %s...\n", options.signer, repo)
+		if _, err := removeSingleSigner(cli, repo, options.signer, options.forceYes); err != nil {
+			fmt.Fprintln(cli.Err(), err.Error()+"\n")
+			errRepos = append(errRepos, repo)
+		}
+	}
+	if len(errRepos) > 0 {
+		return fmt.Errorf("Error removing signer from: %s", strings.Join(errRepos, ", "))
+	}
+	return nil
+}
+
+func isLastSignerForReleases(roleWithSig data.Role, allRoles []client.RoleWithSignatures) (bool, error) {
+	var releasesRoleWithSigs client.RoleWithSignatures
+	for _, role := range allRoles {
+		if role.Name == releasesRoleTUFName {
+			releasesRoleWithSigs = role
+			break
+		}
+	}
+	counter := len(releasesRoleWithSigs.Signatures)
+	if counter == 0 {
+		return false, fmt.Errorf("All signed tags are currently revoked, use docker trust sign to fix")
+	}
+	for _, signature := range releasesRoleWithSigs.Signatures {
+		for _, key := range roleWithSig.KeyIDs {
+			if signature.KeyID == key {
+				counter--
+			}
+		}
+	}
+	return counter < releasesRoleWithSigs.Threshold, nil
+}
+
+// removeSingleSigner attempts to remove a single signer and returns whether signer removal happened.
+// The signer not being removed doesn't necessarily raise an error e.g. user choosing "No" when prompted for confirmation.
+func removeSingleSigner(cli command.Cli, repoName, signerName string, forceYes bool) (bool, error) {
+	ctx := context.Background()
+	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, nil, image.AuthResolver(cli), repoName)
+	if err != nil {
+		return false, err
+	}
+
+	signerDelegation := data.RoleName("targets/" + signerName)
+	if signerDelegation == releasesRoleTUFName {
+		return false, fmt.Errorf("releases is a reserved keyword and cannot be removed")
+	}
+	notaryRepo, err := cli.NotaryClient(imgRefAndAuth, trust.ActionsPushAndPull)
+	if err != nil {
+		return false, trust.NotaryError(imgRefAndAuth.Reference().Name(), err)
+	}
+	delegationRoles, err := notaryRepo.GetDelegationRoles()
+	if err != nil {
+		return false, errors.Wrapf(err, "error retrieving signers for %s", repoName)
+	}
+	var role data.Role
+	for _, delRole := range delegationRoles {
+		if delRole.Name == signerDelegation {
+			role = delRole
+			break
+		}
+	}
+	if role.Name == "" {
+		return false, fmt.Errorf("No signer %s for repository %s", signerName, repoName)
+	}
+	allRoles, err := notaryRepo.ListRoles()
+	if err != nil {
+		return false, err
+	}
+	if ok, err := isLastSignerForReleases(role, allRoles); ok && !forceYes {
+		removeSigner := command.PromptForConfirmation(os.Stdin, cli.Out(), fmt.Sprintf("The signer \"%s\" signed the last released version of %s. "+
+			"Removing this signer will make %s unpullable. "+
+			"Are you sure you want to continue?",
+			signerName, repoName, repoName,
+		))
+
+		if !removeSigner {
+			fmt.Fprintf(cli.Out(), "\nAborting action.\n")
+			return false, nil
+		}
+	} else if err != nil {
+		return false, err
+	}
+	if err = notaryRepo.RemoveDelegationKeys(releasesRoleTUFName, role.KeyIDs); err != nil {
+		return false, err
+	}
+	if err = notaryRepo.RemoveDelegationRole(signerDelegation); err != nil {
+		return false, err
+	}
+
+	if err = notaryRepo.Publish(); err != nil {
+		return false, err
+	}
+
+	fmt.Fprintf(cli.Out(), "Successfully removed %s from %s\n\n", signerName, repoName)
+
+	return true, nil
+}
diff --git a/cli/cli/command/trust/signer_remove_test.go b/cli/cli/command/trust/signer_remove_test.go
new file mode 100644
index 00000000..0feec874
--- /dev/null
+++ b/cli/cli/command/trust/signer_remove_test.go
@@ -0,0 +1,128 @@
+package trust
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	notaryfake "github.com/docker/cli/internal/test/notary"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/tuf/data"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestTrustSignerRemoveErrors(t *testing.T) {
+	testCases := []struct {
+		name          string
+		args          []string
+		expectedError string
+	}{
+		{
+			name:          "not-enough-args-0",
+			expectedError: "requires at least 2 arguments",
+		},
+		{
+			name:          "not-enough-args-1",
+			args:          []string{"user"},
+			expectedError: "requires at least 2 arguments",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newSignerRemoveCommand(
+			test.NewFakeCli(&fakeClient{}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+	testCasesWithOutput := []struct {
+		name          string
+		args          []string
+		expectedError string
+	}{
+		{
+			name:          "not-an-image",
+			args:          []string{"user", "notanimage"},
+			expectedError: "error retrieving signers for notanimage",
+		},
+		{
+			name:          "sha-reference",
+			args:          []string{"user", "870d292919d01a0af7e7f056271dc78792c05f55f49b9b9012b6d89725bd9abd"},
+			expectedError: "invalid repository name",
+		},
+		{
+			name:          "invalid-img-reference",
+			args:          []string{"user", "ALPINE"},
+			expectedError: "invalid reference format",
+		},
+	}
+	for _, tc := range testCasesWithOutput {
+		cli := test.NewFakeCli(&fakeClient{})
+		cli.SetNotaryClient(notaryfake.GetOfflineNotaryRepository)
+		cmd := newSignerRemoveCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		cmd.Execute()
+		assert.Check(t, is.Contains(cli.ErrBuffer().String(), tc.expectedError))
+	}
+
+}
+
+func TestRemoveSingleSigner(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetLoadedNotaryRepository)
+	removed, err := removeSingleSigner(cli, "signed-repo", "test", true)
+	assert.Error(t, err, "No signer test for repository signed-repo")
+	assert.Equal(t, removed, false, "No signer should be removed")
+
+	removed, err = removeSingleSigner(cli, "signed-repo", "releases", true)
+	assert.Error(t, err, "releases is a reserved keyword and cannot be removed")
+	assert.Equal(t, removed, false, "No signer should be removed")
+}
+
+func TestRemoveMultipleSigners(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetLoadedNotaryRepository)
+	err := removeSigner(cli, signerRemoveOptions{signer: "test", repos: []string{"signed-repo", "signed-repo"}, forceYes: true})
+	assert.Error(t, err, "Error removing signer from: signed-repo, signed-repo")
+	assert.Check(t, is.Contains(cli.ErrBuffer().String(),
+		"No signer test for repository signed-repo"))
+	assert.Check(t, is.Contains(cli.OutBuffer().String(), "Removing signer \"test\" from signed-repo...\n"))
+}
+func TestRemoveLastSignerWarning(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	cli.SetNotaryClient(notaryfake.GetLoadedNotaryRepository)
+
+	err := removeSigner(cli, signerRemoveOptions{signer: "alice", repos: []string{"signed-repo"}, forceYes: false})
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(cli.OutBuffer().String(),
+		"The signer \"alice\" signed the last released version of signed-repo. "+
+			"Removing this signer will make signed-repo unpullable. "+
+			"Are you sure you want to continue? [y/N]"))
+}
+
+func TestIsLastSignerForReleases(t *testing.T) {
+	role := data.Role{}
+	releaserole := client.RoleWithSignatures{}
+	releaserole.Name = releasesRoleTUFName
+	releaserole.Threshold = 1
+	allrole := []client.RoleWithSignatures{releaserole}
+	lastsigner, _ := isLastSignerForReleases(role, allrole)
+	assert.Check(t, is.Equal(false, lastsigner))
+
+	role.KeyIDs = []string{"deadbeef"}
+	sig := data.Signature{}
+	sig.KeyID = "deadbeef"
+	releaserole.Signatures = []data.Signature{sig}
+	releaserole.Threshold = 1
+	allrole = []client.RoleWithSignatures{releaserole}
+	lastsigner, _ = isLastSignerForReleases(role, allrole)
+	assert.Check(t, is.Equal(true, lastsigner))
+
+	sig.KeyID = "8badf00d"
+	releaserole.Signatures = []data.Signature{sig}
+	releaserole.Threshold = 1
+	allrole = []client.RoleWithSignatures{releaserole}
+	lastsigner, _ = isLastSignerForReleases(role, allrole)
+	assert.Check(t, is.Equal(false, lastsigner))
+}
diff --git a/cli/cli/command/trust/testdata/trust-inspect-empty-repo.golden b/cli/cli/command/trust/testdata/trust-inspect-empty-repo.golden
new file mode 100644
index 00000000..ae6fd9c8
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-empty-repo.golden
@@ -0,0 +1,25 @@
+[
+    {
+        "Name": "reg/img:unsigned-tag",
+        "SignedTags": [],
+        "Signers": [],
+        "AdminstrativeKeys": [
+            {
+                "Name": "Root",
+                "Keys": [
+                    {
+                        "ID": "rootID"
+                    }
+                ]
+            },
+            {
+                "Name": "Repository",
+                "Keys": [
+                    {
+                        "ID": "targetsID"
+                    }
+                ]
+            }
+        ]
+    }
+]
diff --git a/cli/cli/command/trust/testdata/trust-inspect-full-repo-no-signers.golden b/cli/cli/command/trust/testdata/trust-inspect-full-repo-no-signers.golden
new file mode 100644
index 00000000..cda9b40e
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-full-repo-no-signers.golden
@@ -0,0 +1,33 @@
+[
+    {
+        "Name": "signed-repo",
+        "SignedTags": [
+            {
+                "SignedTag": "green",
+                "Digest": "677265656e2d646967657374",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            }
+        ],
+        "Signers": [],
+        "AdminstrativeKeys": [
+            {
+                "Name": "Root",
+                "Keys": [
+                    {
+                        "ID": "rootID"
+                    }
+                ]
+            },
+            {
+                "Name": "Repository",
+                "Keys": [
+                    {
+                        "ID": "targetsID"
+                    }
+                ]
+            }
+        ]
+    }
+]
diff --git a/cli/cli/command/trust/testdata/trust-inspect-full-repo-with-signers.golden b/cli/cli/command/trust/testdata/trust-inspect-full-repo-with-signers.golden
new file mode 100644
index 00000000..496b312b
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-full-repo-with-signers.golden
@@ -0,0 +1,65 @@
+[
+    {
+        "Name": "signed-repo",
+        "SignedTags": [
+            {
+                "SignedTag": "blue",
+                "Digest": "626c75652d646967657374",
+                "Signers": [
+                    "alice"
+                ]
+            },
+            {
+                "SignedTag": "green",
+                "Digest": "677265656e2d646967657374",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "red",
+                "Digest": "7265642d646967657374",
+                "Signers": [
+                    "alice",
+                    "bob"
+                ]
+            }
+        ],
+        "Signers": [
+            {
+                "Name": "bob",
+                "Keys": [
+                    {
+                        "ID": "B"
+                    }
+                ]
+            },
+            {
+                "Name": "alice",
+                "Keys": [
+                    {
+                        "ID": "A"
+                    }
+                ]
+            }
+        ],
+        "AdminstrativeKeys": [
+            {
+                "Name": "Root",
+                "Keys": [
+                    {
+                        "ID": "rootID"
+                    }
+                ]
+            },
+            {
+                "Name": "Repository",
+                "Keys": [
+                    {
+                        "ID": "targetsID"
+                    }
+                ]
+            }
+        ]
+    }
+]
diff --git a/cli/cli/command/trust/testdata/trust-inspect-multiple-repos-with-signers.golden b/cli/cli/command/trust/testdata/trust-inspect-multiple-repos-with-signers.golden
new file mode 100644
index 00000000..fd87979e
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-multiple-repos-with-signers.golden
@@ -0,0 +1,128 @@
+[
+    {
+        "Name": "signed-repo",
+        "SignedTags": [
+            {
+                "SignedTag": "blue",
+                "Digest": "626c75652d646967657374",
+                "Signers": [
+                    "alice"
+                ]
+            },
+            {
+                "SignedTag": "green",
+                "Digest": "677265656e2d646967657374",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "red",
+                "Digest": "7265642d646967657374",
+                "Signers": [
+                    "alice",
+                    "bob"
+                ]
+            }
+        ],
+        "Signers": [
+            {
+                "Name": "bob",
+                "Keys": [
+                    {
+                        "ID": "B"
+                    }
+                ]
+            },
+            {
+                "Name": "alice",
+                "Keys": [
+                    {
+                        "ID": "A"
+                    }
+                ]
+            }
+        ],
+        "AdminstrativeKeys": [
+            {
+                "Name": "Root",
+                "Keys": [
+                    {
+                        "ID": "rootID"
+                    }
+                ]
+            },
+            {
+                "Name": "Repository",
+                "Keys": [
+                    {
+                        "ID": "targetsID"
+                    }
+                ]
+            }
+        ]
+    },
+    {
+        "Name": "signed-repo",
+        "SignedTags": [
+            {
+                "SignedTag": "blue",
+                "Digest": "626c75652d646967657374",
+                "Signers": [
+                    "alice"
+                ]
+            },
+            {
+                "SignedTag": "green",
+                "Digest": "677265656e2d646967657374",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "red",
+                "Digest": "7265642d646967657374",
+                "Signers": [
+                    "alice",
+                    "bob"
+                ]
+            }
+        ],
+        "Signers": [
+            {
+                "Name": "bob",
+                "Keys": [
+                    {
+                        "ID": "B"
+                    }
+                ]
+            },
+            {
+                "Name": "alice",
+                "Keys": [
+                    {
+                        "ID": "A"
+                    }
+                ]
+            }
+        ],
+        "AdminstrativeKeys": [
+            {
+                "Name": "Root",
+                "Keys": [
+                    {
+                        "ID": "rootID"
+                    }
+                ]
+            },
+            {
+                "Name": "Repository",
+                "Keys": [
+                    {
+                        "ID": "targetsID"
+                    }
+                ]
+            }
+        ]
+    }
+]
diff --git a/cli/cli/command/trust/testdata/trust-inspect-one-tag-no-signers.golden b/cli/cli/command/trust/testdata/trust-inspect-one-tag-no-signers.golden
new file mode 100644
index 00000000..b1745d5c
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-one-tag-no-signers.golden
@@ -0,0 +1,33 @@
+[
+    {
+        "Name": "signed-repo:green",
+        "SignedTags": [
+            {
+                "SignedTag": "green",
+                "Digest": "677265656e2d646967657374",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            }
+        ],
+        "Signers": [],
+        "AdminstrativeKeys": [
+            {
+                "Name": "Root",
+                "Keys": [
+                    {
+                        "ID": "rootID"
+                    }
+                ]
+            },
+            {
+                "Name": "Repository",
+                "Keys": [
+                    {
+                        "ID": "targetsID"
+                    }
+                ]
+            }
+        ]
+    }
+]
diff --git a/cli/cli/command/trust/testdata/trust-inspect-pretty-full-repo-no-signers.golden b/cli/cli/command/trust/testdata/trust-inspect-pretty-full-repo-no-signers.golden
new file mode 100644
index 00000000..9f3ada08
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-pretty-full-repo-no-signers.golden
@@ -0,0 +1,10 @@
+
+Signatures for signed-repo
+
+SIGNED TAG          DIGEST                     SIGNERS
+green               677265656e2d646967657374   (Repo Admin)
+
+Administrative keys for signed-repo
+
+  Repository Key:	targetsID
+  Root Key:	rootID
diff --git a/cli/cli/command/trust/testdata/trust-inspect-pretty-full-repo-with-signers.golden b/cli/cli/command/trust/testdata/trust-inspect-pretty-full-repo-with-signers.golden
new file mode 100644
index 00000000..49b1efd2
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-pretty-full-repo-with-signers.golden
@@ -0,0 +1,18 @@
+
+Signatures for signed-repo
+
+SIGNED TAG          DIGEST                     SIGNERS
+blue                626c75652d646967657374     alice
+green               677265656e2d646967657374   (Repo Admin)
+red                 7265642d646967657374       alice, bob
+
+List of signers and their keys for signed-repo
+
+SIGNER              KEYS
+alice               A
+bob                 B
+
+Administrative keys for signed-repo
+
+  Repository Key:	targetsID
+  Root Key:	rootID
diff --git a/cli/cli/command/trust/testdata/trust-inspect-pretty-one-tag-no-signers.golden b/cli/cli/command/trust/testdata/trust-inspect-pretty-one-tag-no-signers.golden
new file mode 100644
index 00000000..b5857289
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-pretty-one-tag-no-signers.golden
@@ -0,0 +1,10 @@
+
+Signatures for signed-repo:green
+
+SIGNED TAG          DIGEST                     SIGNERS
+green               677265656e2d646967657374   (Repo Admin)
+
+Administrative keys for signed-repo:green
+
+  Repository Key:	targetsID
+  Root Key:	rootID
diff --git a/cli/cli/command/trust/testdata/trust-inspect-pretty-unsigned-tag-with-signers.golden b/cli/cli/command/trust/testdata/trust-inspect-pretty-unsigned-tag-with-signers.golden
new file mode 100644
index 00000000..302a6b5e
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-pretty-unsigned-tag-with-signers.golden
@@ -0,0 +1,14 @@
+
+No signatures for signed-repo:unsigned
+
+
+List of signers and their keys for signed-repo:unsigned
+
+SIGNER              KEYS
+alice               A
+bob                 B
+
+Administrative keys for signed-repo:unsigned
+
+  Repository Key:	targetsID
+  Root Key:	rootID
diff --git a/cli/cli/command/trust/testdata/trust-inspect-uninitialized.golden b/cli/cli/command/trust/testdata/trust-inspect-uninitialized.golden
new file mode 100644
index 00000000..fe51488c
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-uninitialized.golden
@@ -0,0 +1 @@
+[]
diff --git a/cli/cli/command/trust/testdata/trust-inspect-unsigned-tag-with-signers.golden b/cli/cli/command/trust/testdata/trust-inspect-unsigned-tag-with-signers.golden
new file mode 100644
index 00000000..8c0a84eb
--- /dev/null
+++ b/cli/cli/command/trust/testdata/trust-inspect-unsigned-tag-with-signers.golden
@@ -0,0 +1,42 @@
+[
+    {
+        "Name": "signed-repo:unsigned",
+        "SignedTags": [],
+        "Signers": [
+            {
+                "Name": "bob",
+                "Keys": [
+                    {
+                        "ID": "B"
+                    }
+                ]
+            },
+            {
+                "Name": "alice",
+                "Keys": [
+                    {
+                        "ID": "A"
+                    }
+                ]
+            }
+        ],
+        "AdminstrativeKeys": [
+            {
+                "Name": "Root",
+                "Keys": [
+                    {
+                        "ID": "rootID"
+                    }
+                ]
+            },
+            {
+                "Name": "Repository",
+                "Keys": [
+                    {
+                        "ID": "targetsID"
+                    }
+                ]
+            }
+        ]
+    }
+]
diff --git a/cli/cli/command/utils.go b/cli/cli/command/utils.go
new file mode 100644
index 00000000..dc543e7d
--- /dev/null
+++ b/cli/cli/command/utils.go
@@ -0,0 +1,127 @@
+package command
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/pkg/system"
+	"github.com/spf13/pflag"
+)
+
+// CopyToFile writes the content of the reader to the specified file
+func CopyToFile(outfile string, r io.Reader) error {
+	// We use sequential file access here to avoid depleting the standby list
+	// on Windows. On Linux, this is a call directly to ioutil.TempFile
+	tmpFile, err := system.TempFileSequential(filepath.Dir(outfile), ".docker_temp_")
+	if err != nil {
+		return err
+	}
+
+	tmpPath := tmpFile.Name()
+
+	_, err = io.Copy(tmpFile, r)
+	tmpFile.Close()
+
+	if err != nil {
+		os.Remove(tmpPath)
+		return err
+	}
+
+	if err = os.Rename(tmpPath, outfile); err != nil {
+		os.Remove(tmpPath)
+		return err
+	}
+
+	return nil
+}
+
+// capitalizeFirst capitalizes the first character of string
+func capitalizeFirst(s string) string {
+	switch l := len(s); l {
+	case 0:
+		return s
+	case 1:
+		return strings.ToLower(s)
+	default:
+		return strings.ToUpper(string(s[0])) + strings.ToLower(s[1:])
+	}
+}
+
+// PrettyPrint outputs arbitrary data for human formatted output by uppercasing the first letter.
+func PrettyPrint(i interface{}) string {
+	switch t := i.(type) {
+	case nil:
+		return "None"
+	case string:
+		return capitalizeFirst(t)
+	default:
+		return capitalizeFirst(fmt.Sprintf("%s", t))
+	}
+}
+
+// PromptForConfirmation requests and checks confirmation from user.
+// This will display the provided message followed by ' [y/N] '. If
+// the user input 'y' or 'Y' it returns true other false.  If no
+// message is provided "Are you sure you want to proceed? [y/N] "
+// will be used instead.
+func PromptForConfirmation(ins io.Reader, outs io.Writer, message string) bool {
+	if message == "" {
+		message = "Are you sure you want to proceed?"
+	}
+	message += " [y/N] "
+
+	fmt.Fprintf(outs, message)
+
+	// On Windows, force the use of the regular OS stdin stream.
+	if runtime.GOOS == "windows" {
+		ins = NewInStream(os.Stdin)
+	}
+
+	reader := bufio.NewReader(ins)
+	answer, _, _ := reader.ReadLine()
+	return strings.ToLower(string(answer)) == "y"
+}
+
+// PruneFilters returns consolidated prune filters obtained from config.json and cli
+func PruneFilters(dockerCli Cli, pruneFilters filters.Args) filters.Args {
+	if dockerCli.ConfigFile() == nil {
+		return pruneFilters
+	}
+	for _, f := range dockerCli.ConfigFile().PruneFilters {
+		parts := strings.SplitN(f, "=", 2)
+		if len(parts) != 2 {
+			continue
+		}
+		if parts[0] == "label" {
+			// CLI label filter supersede config.json.
+			// If CLI label filter conflict with config.json,
+			// skip adding label! filter in config.json.
+			if pruneFilters.Include("label!") && pruneFilters.ExactMatch("label!", parts[1]) {
+				continue
+			}
+		} else if parts[0] == "label!" {
+			// CLI label! filter supersede config.json.
+			// If CLI label! filter conflict with config.json,
+			// skip adding label filter in config.json.
+			if pruneFilters.Include("label") && pruneFilters.ExactMatch("label", parts[1]) {
+				continue
+			}
+		}
+		pruneFilters.Add(parts[0], parts[1])
+	}
+
+	return pruneFilters
+}
+
+// AddPlatformFlag adds `platform` to a set of flags for API version 1.32 and later.
+func AddPlatformFlag(flags *pflag.FlagSet, target *string) {
+	flags.StringVar(target, "platform", os.Getenv("DOCKER_DEFAULT_PLATFORM"), "Set platform if server is multi-platform capable")
+	flags.SetAnnotation("platform", "version", []string{"1.32"})
+	flags.SetAnnotation("platform", "experimental", nil)
+}
diff --git a/cli/cli/command/volume/client_test.go b/cli/cli/command/volume/client_test.go
new file mode 100644
index 00000000..644cad60
--- /dev/null
+++ b/cli/cli/command/volume/client_test.go
@@ -0,0 +1,54 @@
+package volume
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	volumetypes "github.com/docker/docker/api/types/volume"
+	"github.com/docker/docker/client"
+)
+
+type fakeClient struct {
+	client.Client
+	volumeCreateFunc  func(volumetypes.VolumeCreateBody) (types.Volume, error)
+	volumeInspectFunc func(volumeID string) (types.Volume, error)
+	volumeListFunc    func(filter filters.Args) (volumetypes.VolumeListOKBody, error)
+	volumeRemoveFunc  func(volumeID string, force bool) error
+	volumePruneFunc   func(filter filters.Args) (types.VolumesPruneReport, error)
+}
+
+func (c *fakeClient) VolumeCreate(ctx context.Context, options volumetypes.VolumeCreateBody) (types.Volume, error) {
+	if c.volumeCreateFunc != nil {
+		return c.volumeCreateFunc(options)
+	}
+	return types.Volume{}, nil
+}
+
+func (c *fakeClient) VolumeInspect(ctx context.Context, volumeID string) (types.Volume, error) {
+	if c.volumeInspectFunc != nil {
+		return c.volumeInspectFunc(volumeID)
+	}
+	return types.Volume{}, nil
+}
+
+func (c *fakeClient) VolumeList(ctx context.Context, filter filters.Args) (volumetypes.VolumeListOKBody, error) {
+	if c.volumeListFunc != nil {
+		return c.volumeListFunc(filter)
+	}
+	return volumetypes.VolumeListOKBody{}, nil
+}
+
+func (c *fakeClient) VolumesPrune(ctx context.Context, filter filters.Args) (types.VolumesPruneReport, error) {
+	if c.volumePruneFunc != nil {
+		return c.volumePruneFunc(filter)
+	}
+	return types.VolumesPruneReport{}, nil
+}
+
+func (c *fakeClient) VolumeRemove(ctx context.Context, volumeID string, force bool) error {
+	if c.volumeRemoveFunc != nil {
+		return c.volumeRemoveFunc(volumeID, force)
+	}
+	return nil
+}
diff --git a/cli/cli/command/volume/cmd.go b/cli/cli/command/volume/cmd.go
new file mode 100644
index 00000000..b2a552ae
--- /dev/null
+++ b/cli/cli/command/volume/cmd.go
@@ -0,0 +1,26 @@
+package volume
+
+import (
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/spf13/cobra"
+)
+
+// NewVolumeCommand returns a cobra command for `volume` subcommands
+func NewVolumeCommand(dockerCli command.Cli) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:         "volume COMMAND",
+		Short:       "Manage volumes",
+		Args:        cli.NoArgs,
+		RunE:        command.ShowHelp(dockerCli.Err()),
+		Annotations: map[string]string{"version": "1.21"},
+	}
+	cmd.AddCommand(
+		newCreateCommand(dockerCli),
+		newInspectCommand(dockerCli),
+		newListCommand(dockerCli),
+		newRemoveCommand(dockerCli),
+		NewPruneCommand(dockerCli),
+	)
+	return cmd
+}
diff --git a/cli/cli/command/volume/create.go b/cli/cli/command/volume/create.go
new file mode 100644
index 00000000..b25ed155
--- /dev/null
+++ b/cli/cli/command/volume/create.go
@@ -0,0 +1,69 @@
+package volume
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	volumetypes "github.com/docker/docker/api/types/volume"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type createOptions struct {
+	name       string
+	driver     string
+	driverOpts opts.MapOpts
+	labels     opts.ListOpts
+}
+
+func newCreateCommand(dockerCli command.Cli) *cobra.Command {
+	options := createOptions{
+		driverOpts: *opts.NewMapOpts(nil, nil),
+		labels:     opts.NewListOpts(opts.ValidateEnv),
+	}
+
+	cmd := &cobra.Command{
+		Use:   "create [OPTIONS] [VOLUME]",
+		Short: "Create a volume",
+		Args:  cli.RequiresMaxArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) == 1 {
+				if options.name != "" {
+					return errors.Errorf("Conflicting options: either specify --name or provide positional arg, not both\n")
+				}
+				options.name = args[0]
+			}
+			return runCreate(dockerCli, options)
+		},
+	}
+	flags := cmd.Flags()
+	flags.StringVarP(&options.driver, "driver", "d", "local", "Specify volume driver name")
+	flags.StringVar(&options.name, "name", "", "Specify volume name")
+	flags.Lookup("name").Hidden = true
+	flags.VarP(&options.driverOpts, "opt", "o", "Set driver specific options")
+	flags.Var(&options.labels, "label", "Set metadata for a volume")
+
+	return cmd
+}
+
+func runCreate(dockerCli command.Cli, options createOptions) error {
+	client := dockerCli.Client()
+
+	volReq := volumetypes.VolumeCreateBody{
+		Driver:     options.driver,
+		DriverOpts: options.driverOpts.GetAll(),
+		Name:       options.name,
+		Labels:     opts.ConvertKVStringsToMap(options.labels.GetAll()),
+	}
+
+	vol, err := client.VolumeCreate(context.Background(), volReq)
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintf(dockerCli.Out(), "%s\n", vol.Name)
+	return nil
+}
diff --git a/cli/cli/command/volume/create_test.go b/cli/cli/command/volume/create_test.go
new file mode 100644
index 00000000..a0646ed1
--- /dev/null
+++ b/cli/cli/command/volume/create_test.go
@@ -0,0 +1,126 @@
+package volume
+
+import (
+	"io/ioutil"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	volumetypes "github.com/docker/docker/api/types/volume"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestVolumeCreateErrors(t *testing.T) {
+	testCases := []struct {
+		args             []string
+		flags            map[string]string
+		volumeCreateFunc func(volumetypes.VolumeCreateBody) (types.Volume, error)
+		expectedError    string
+	}{
+		{
+			args: []string{"volumeName"},
+			flags: map[string]string{
+				"name": "volumeName",
+			},
+			expectedError: "Conflicting options: either specify --name or provide positional arg, not both",
+		},
+		{
+			args:          []string{"too", "many"},
+			expectedError: "requires at most 1 argument",
+		},
+		{
+			volumeCreateFunc: func(createBody volumetypes.VolumeCreateBody) (types.Volume, error) {
+				return types.Volume{}, errors.Errorf("error creating volume")
+			},
+			expectedError: "error creating volume",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newCreateCommand(
+			test.NewFakeCli(&fakeClient{
+				volumeCreateFunc: tc.volumeCreateFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestVolumeCreateWithName(t *testing.T) {
+	name := "foo"
+	cli := test.NewFakeCli(&fakeClient{
+		volumeCreateFunc: func(body volumetypes.VolumeCreateBody) (types.Volume, error) {
+			if body.Name != name {
+				return types.Volume{}, errors.Errorf("expected name %q, got %q", name, body.Name)
+			}
+			return types.Volume{
+				Name: body.Name,
+			}, nil
+		},
+	})
+
+	buf := cli.OutBuffer()
+
+	// Test by flags
+	cmd := newCreateCommand(cli)
+	cmd.Flags().Set("name", name)
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal(name, strings.TrimSpace(buf.String())))
+
+	// Then by args
+	buf.Reset()
+	cmd = newCreateCommand(cli)
+	cmd.SetArgs([]string{name})
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal(name, strings.TrimSpace(buf.String())))
+}
+
+func TestVolumeCreateWithFlags(t *testing.T) {
+	expectedDriver := "foo"
+	expectedOpts := map[string]string{
+		"bar": "1",
+		"baz": "baz",
+	}
+	expectedLabels := map[string]string{
+		"lbl1": "v1",
+		"lbl2": "v2",
+	}
+	name := "banana"
+
+	cli := test.NewFakeCli(&fakeClient{
+		volumeCreateFunc: func(body volumetypes.VolumeCreateBody) (types.Volume, error) {
+			if body.Name != "" {
+				return types.Volume{}, errors.Errorf("expected empty name, got %q", body.Name)
+			}
+			if body.Driver != expectedDriver {
+				return types.Volume{}, errors.Errorf("expected driver %q, got %q", expectedDriver, body.Driver)
+			}
+			if !reflect.DeepEqual(body.DriverOpts, expectedOpts) {
+				return types.Volume{}, errors.Errorf("expected drivers opts %v, got %v", expectedOpts, body.DriverOpts)
+			}
+			if !reflect.DeepEqual(body.Labels, expectedLabels) {
+				return types.Volume{}, errors.Errorf("expected labels %v, got %v", expectedLabels, body.Labels)
+			}
+			return types.Volume{
+				Name: name,
+			}, nil
+		},
+	})
+
+	cmd := newCreateCommand(cli)
+	cmd.Flags().Set("driver", "foo")
+	cmd.Flags().Set("opt", "bar=1")
+	cmd.Flags().Set("opt", "baz=baz")
+	cmd.Flags().Set("label", "lbl1=v1")
+	cmd.Flags().Set("label", "lbl2=v2")
+	assert.NilError(t, cmd.Execute())
+	assert.Check(t, is.Equal(name, strings.TrimSpace(cli.OutBuffer().String())))
+}
diff --git a/cli/cli/command/volume/inspect.go b/cli/cli/command/volume/inspect.go
new file mode 100644
index 00000000..52cfb0f0
--- /dev/null
+++ b/cli/cli/command/volume/inspect.go
@@ -0,0 +1,46 @@
+package volume
+
+import (
+	"context"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/inspect"
+	"github.com/spf13/cobra"
+)
+
+type inspectOptions struct {
+	format string
+	names  []string
+}
+
+func newInspectCommand(dockerCli command.Cli) *cobra.Command {
+	var opts inspectOptions
+
+	cmd := &cobra.Command{
+		Use:   "inspect [OPTIONS] VOLUME [VOLUME...]",
+		Short: "Display detailed information on one or more volumes",
+		Args:  cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.names = args
+			return runInspect(dockerCli, opts)
+		},
+	}
+
+	cmd.Flags().StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
+
+	return cmd
+}
+
+func runInspect(dockerCli command.Cli, opts inspectOptions) error {
+	client := dockerCli.Client()
+
+	ctx := context.Background()
+
+	getVolFunc := func(name string) (interface{}, []byte, error) {
+		i, err := client.VolumeInspect(ctx, name)
+		return i, nil, err
+	}
+
+	return inspect.Inspect(dockerCli.Out(), opts.names, opts.format, getVolFunc)
+}
diff --git a/cli/cli/command/volume/inspect_test.go b/cli/cli/command/volume/inspect_test.go
new file mode 100644
index 00000000..759042a5
--- /dev/null
+++ b/cli/cli/command/volume/inspect_test.go
@@ -0,0 +1,141 @@
+package volume
+
+import (
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestVolumeInspectErrors(t *testing.T) {
+	testCases := []struct {
+		args              []string
+		flags             map[string]string
+		volumeInspectFunc func(volumeID string) (types.Volume, error)
+		expectedError     string
+	}{
+		{
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			args: []string{"foo"},
+			volumeInspectFunc: func(volumeID string) (types.Volume, error) {
+				return types.Volume{}, errors.Errorf("error while inspecting the volume")
+			},
+			expectedError: "error while inspecting the volume",
+		},
+		{
+			args: []string{"foo"},
+			flags: map[string]string{
+				"format": "{{invalid format}}",
+			},
+			expectedError: "Template parsing error",
+		},
+		{
+			args: []string{"foo", "bar"},
+			volumeInspectFunc: func(volumeID string) (types.Volume, error) {
+				if volumeID == "foo" {
+					return types.Volume{
+						Name: "foo",
+					}, nil
+				}
+				return types.Volume{}, errors.Errorf("error while inspecting the volume")
+			},
+			expectedError: "error while inspecting the volume",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newInspectCommand(
+			test.NewFakeCli(&fakeClient{
+				volumeInspectFunc: tc.volumeInspectFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestVolumeInspectWithoutFormat(t *testing.T) {
+	testCases := []struct {
+		name              string
+		args              []string
+		volumeInspectFunc func(volumeID string) (types.Volume, error)
+	}{
+		{
+			name: "single-volume",
+			args: []string{"foo"},
+			volumeInspectFunc: func(volumeID string) (types.Volume, error) {
+				if volumeID != "foo" {
+					return types.Volume{}, errors.Errorf("Invalid volumeID, expected %s, got %s", "foo", volumeID)
+				}
+				return *Volume(), nil
+			},
+		},
+		{
+			name: "multiple-volume-with-labels",
+			args: []string{"foo", "bar"},
+			volumeInspectFunc: func(volumeID string) (types.Volume, error) {
+				return *Volume(VolumeName(volumeID), VolumeLabels(map[string]string{
+					"foo": "bar",
+				})), nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			volumeInspectFunc: tc.volumeInspectFunc,
+		})
+		cmd := newInspectCommand(cli)
+		cmd.SetArgs(tc.args)
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("volume-inspect-without-format.%s.golden", tc.name))
+	}
+}
+
+func TestVolumeInspectWithFormat(t *testing.T) {
+	volumeInspectFunc := func(volumeID string) (types.Volume, error) {
+		return *Volume(VolumeLabels(map[string]string{
+			"foo": "bar",
+		})), nil
+	}
+	testCases := []struct {
+		name              string
+		format            string
+		args              []string
+		volumeInspectFunc func(volumeID string) (types.Volume, error)
+	}{
+		{
+			name:              "simple-template",
+			format:            "{{.Name}}",
+			args:              []string{"foo"},
+			volumeInspectFunc: volumeInspectFunc,
+		},
+		{
+			name:              "json-template",
+			format:            "{{json .Labels}}",
+			args:              []string{"foo"},
+			volumeInspectFunc: volumeInspectFunc,
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			volumeInspectFunc: tc.volumeInspectFunc,
+		})
+		cmd := newInspectCommand(cli)
+		cmd.SetArgs(tc.args)
+		cmd.Flags().Set("format", tc.format)
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("volume-inspect-with-format.%s.golden", tc.name))
+	}
+}
diff --git a/cli/cli/command/volume/list.go b/cli/cli/command/volume/list.go
new file mode 100644
index 00000000..55875e01
--- /dev/null
+++ b/cli/cli/command/volume/list.go
@@ -0,0 +1,73 @@
+package volume
+
+import (
+	"context"
+	"sort"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/formatter"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/spf13/cobra"
+)
+
+type byVolumeName []*types.Volume
+
+func (r byVolumeName) Len() int      { return len(r) }
+func (r byVolumeName) Swap(i, j int) { r[i], r[j] = r[j], r[i] }
+func (r byVolumeName) Less(i, j int) bool {
+	return r[i].Name < r[j].Name
+}
+
+type listOptions struct {
+	quiet  bool
+	format string
+	filter opts.FilterOpt
+}
+
+func newListCommand(dockerCli command.Cli) *cobra.Command {
+	options := listOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:     "ls [OPTIONS]",
+		Aliases: []string{"list"},
+		Short:   "List volumes",
+		Args:    cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runList(dockerCli, options)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Only display volume names")
+	flags.StringVar(&options.format, "format", "", "Pretty-print volumes using a Go template")
+	flags.VarP(&options.filter, "filter", "f", "Provide filter values (e.g. 'dangling=true')")
+
+	return cmd
+}
+
+func runList(dockerCli command.Cli, options listOptions) error {
+	client := dockerCli.Client()
+	volumes, err := client.VolumeList(context.Background(), options.filter.Value())
+	if err != nil {
+		return err
+	}
+
+	format := options.format
+	if len(format) == 0 {
+		if len(dockerCli.ConfigFile().VolumesFormat) > 0 && !options.quiet {
+			format = dockerCli.ConfigFile().VolumesFormat
+		} else {
+			format = formatter.TableFormatKey
+		}
+	}
+
+	sort.Sort(byVolumeName(volumes.Volumes))
+
+	volumeCtx := formatter.Context{
+		Output: dockerCli.Out(),
+		Format: formatter.NewVolumeFormat(format, options.quiet),
+	}
+	return formatter.VolumeWrite(volumeCtx, volumes.Volumes)
+}
diff --git a/cli/cli/command/volume/list_test.go b/cli/cli/command/volume/list_test.go
new file mode 100644
index 00000000..62d7d956
--- /dev/null
+++ b/cli/cli/command/volume/list_test.go
@@ -0,0 +1,111 @@
+package volume
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	volumetypes "github.com/docker/docker/api/types/volume"
+	"github.com/pkg/errors"
+	// Import builders to get the builder function as package function
+	. "github.com/docker/cli/internal/test/builders"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+)
+
+func TestVolumeListErrors(t *testing.T) {
+	testCases := []struct {
+		args           []string
+		flags          map[string]string
+		volumeListFunc func(filter filters.Args) (volumetypes.VolumeListOKBody, error)
+		expectedError  string
+	}{
+		{
+			args:          []string{"foo"},
+			expectedError: "accepts no argument",
+		},
+		{
+			volumeListFunc: func(filter filters.Args) (volumetypes.VolumeListOKBody, error) {
+				return volumetypes.VolumeListOKBody{}, errors.Errorf("error listing volumes")
+			},
+			expectedError: "error listing volumes",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newListCommand(
+			test.NewFakeCli(&fakeClient{
+				volumeListFunc: tc.volumeListFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestVolumeListWithoutFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		volumeListFunc: func(filter filters.Args) (volumetypes.VolumeListOKBody, error) {
+			return volumetypes.VolumeListOKBody{
+				Volumes: []*types.Volume{
+					Volume(),
+					Volume(VolumeName("foo"), VolumeDriver("bar")),
+					Volume(VolumeName("baz"), VolumeLabels(map[string]string{
+						"foo": "bar",
+					})),
+				},
+			}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "volume-list-without-format.golden")
+}
+
+func TestVolumeListWithConfigFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		volumeListFunc: func(filter filters.Args) (volumetypes.VolumeListOKBody, error) {
+			return volumetypes.VolumeListOKBody{
+				Volumes: []*types.Volume{
+					Volume(),
+					Volume(VolumeName("foo"), VolumeDriver("bar")),
+					Volume(VolumeName("baz"), VolumeLabels(map[string]string{
+						"foo": "bar",
+					})),
+				},
+			}, nil
+		},
+	})
+	cli.SetConfigFile(&configfile.ConfigFile{
+		VolumesFormat: "{{ .Name }} {{ .Driver }} {{ .Labels }}",
+	})
+	cmd := newListCommand(cli)
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "volume-list-with-config-format.golden")
+}
+
+func TestVolumeListWithFormat(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		volumeListFunc: func(filter filters.Args) (volumetypes.VolumeListOKBody, error) {
+			return volumetypes.VolumeListOKBody{
+				Volumes: []*types.Volume{
+					Volume(),
+					Volume(VolumeName("foo"), VolumeDriver("bar")),
+					Volume(VolumeName("baz"), VolumeLabels(map[string]string{
+						"foo": "bar",
+					})),
+				},
+			}, nil
+		},
+	})
+	cmd := newListCommand(cli)
+	cmd.Flags().Set("format", "{{ .Name }} {{ .Driver }} {{ .Labels }}")
+	assert.NilError(t, cmd.Execute())
+	golden.Assert(t, cli.OutBuffer().String(), "volume-list-with-format.golden")
+}
diff --git a/cli/cli/command/volume/prune.go b/cli/cli/command/volume/prune.go
new file mode 100644
index 00000000..012c549f
--- /dev/null
+++ b/cli/cli/command/volume/prune.go
@@ -0,0 +1,78 @@
+package volume
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/opts"
+	units "github.com/docker/go-units"
+	"github.com/spf13/cobra"
+)
+
+type pruneOptions struct {
+	force  bool
+	filter opts.FilterOpt
+}
+
+// NewPruneCommand returns a new cobra prune command for volumes
+func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
+	options := pruneOptions{filter: opts.NewFilterOpt()}
+
+	cmd := &cobra.Command{
+		Use:   "prune [OPTIONS]",
+		Short: "Remove all unused local volumes",
+		Args:  cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			spaceReclaimed, output, err := runPrune(dockerCli, options)
+			if err != nil {
+				return err
+			}
+			if output != "" {
+				fmt.Fprintln(dockerCli.Out(), output)
+			}
+			fmt.Fprintln(dockerCli.Out(), "Total reclaimed space:", units.HumanSize(float64(spaceReclaimed)))
+			return nil
+		},
+		Annotations: map[string]string{"version": "1.25"},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
+	flags.Var(&options.filter, "filter", "Provide filter values (e.g. 'label=<label>')")
+
+	return cmd
+}
+
+const warning = `WARNING! This will remove all local volumes not used by at least one container.
+Are you sure you want to continue?`
+
+func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint64, output string, err error) {
+	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())
+
+	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
+		return 0, "", nil
+	}
+
+	report, err := dockerCli.Client().VolumesPrune(context.Background(), pruneFilters)
+	if err != nil {
+		return 0, "", err
+	}
+
+	if len(report.VolumesDeleted) > 0 {
+		output = "Deleted Volumes:\n"
+		for _, id := range report.VolumesDeleted {
+			output += id + "\n"
+		}
+		spaceReclaimed = report.SpaceReclaimed
+	}
+
+	return spaceReclaimed, output, nil
+}
+
+// RunPrune calls the Volume Prune API
+// This returns the amount of space reclaimed and a detailed output string
+func RunPrune(dockerCli command.Cli, filter opts.FilterOpt) (uint64, string, error) {
+	return runPrune(dockerCli, pruneOptions{force: true, filter: filter})
+}
diff --git a/cli/cli/command/volume/prune_test.go b/cli/cli/command/volume/prune_test.go
new file mode 100644
index 00000000..79d4d52e
--- /dev/null
+++ b/cli/cli/command/volume/prune_test.go
@@ -0,0 +1,119 @@
+package volume
+
+import (
+	"fmt"
+	"io/ioutil"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+	"gotest.tools/skip"
+)
+
+func TestVolumePruneErrors(t *testing.T) {
+	testCases := []struct {
+		args            []string
+		flags           map[string]string
+		volumePruneFunc func(args filters.Args) (types.VolumesPruneReport, error)
+		expectedError   string
+	}{
+		{
+			args:          []string{"foo"},
+			expectedError: "accepts no argument",
+		},
+		{
+			flags: map[string]string{
+				"force": "true",
+			},
+			volumePruneFunc: func(args filters.Args) (types.VolumesPruneReport, error) {
+				return types.VolumesPruneReport{}, errors.Errorf("error pruning volumes")
+			},
+			expectedError: "error pruning volumes",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := NewPruneCommand(
+			test.NewFakeCli(&fakeClient{
+				volumePruneFunc: tc.volumePruneFunc,
+			}),
+		)
+		cmd.SetArgs(tc.args)
+		for key, value := range tc.flags {
+			cmd.Flags().Set(key, value)
+		}
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestVolumePruneForce(t *testing.T) {
+	testCases := []struct {
+		name            string
+		volumePruneFunc func(args filters.Args) (types.VolumesPruneReport, error)
+	}{
+		{
+			name: "empty",
+		},
+		{
+			name:            "deletedVolumes",
+			volumePruneFunc: simplePruneFunc,
+		},
+	}
+	for _, tc := range testCases {
+		cli := test.NewFakeCli(&fakeClient{
+			volumePruneFunc: tc.volumePruneFunc,
+		})
+		cmd := NewPruneCommand(cli)
+		cmd.Flags().Set("force", "true")
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("volume-prune.%s.golden", tc.name))
+	}
+}
+
+func TestVolumePrunePromptYes(t *testing.T) {
+	// FIXME(vdemeester) make it work..
+	skip.If(t, runtime.GOOS == "windows", "TODO: fix test on windows")
+
+	for _, input := range []string{"y", "Y"} {
+		cli := test.NewFakeCli(&fakeClient{
+			volumePruneFunc: simplePruneFunc,
+		})
+
+		cli.SetIn(command.NewInStream(ioutil.NopCloser(strings.NewReader(input))))
+		cmd := NewPruneCommand(cli)
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), "volume-prune-yes.golden")
+	}
+}
+
+func TestVolumePrunePromptNo(t *testing.T) {
+	// FIXME(vdemeester) make it work..
+	skip.If(t, runtime.GOOS == "windows", "TODO: fix test on windows")
+
+	for _, input := range []string{"n", "N", "no", "anything", "really"} {
+		cli := test.NewFakeCli(&fakeClient{
+			volumePruneFunc: simplePruneFunc,
+		})
+
+		cli.SetIn(command.NewInStream(ioutil.NopCloser(strings.NewReader(input))))
+		cmd := NewPruneCommand(cli)
+		assert.NilError(t, cmd.Execute())
+		golden.Assert(t, cli.OutBuffer().String(), "volume-prune-no.golden")
+	}
+}
+
+func simplePruneFunc(args filters.Args) (types.VolumesPruneReport, error) {
+	return types.VolumesPruneReport{
+		VolumesDeleted: []string{
+			"foo", "bar", "baz",
+		},
+		SpaceReclaimed: 2000,
+	}, nil
+}
diff --git a/cli/cli/command/volume/remove.go b/cli/cli/command/volume/remove.go
new file mode 100644
index 00000000..66df3b8b
--- /dev/null
+++ b/cli/cli/command/volume/remove.go
@@ -0,0 +1,69 @@
+package volume
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+type removeOptions struct {
+	force bool
+
+	volumes []string
+}
+
+func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
+	var opts removeOptions
+
+	cmd := &cobra.Command{
+		Use:     "rm [OPTIONS] VOLUME [VOLUME...]",
+		Aliases: []string{"remove"},
+		Short:   "Remove one or more volumes",
+		Long:    removeDescription,
+		Example: removeExample,
+		Args:    cli.RequiresMinArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.volumes = args
+			return runRemove(dockerCli, &opts)
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVarP(&opts.force, "force", "f", false, "Force the removal of one or more volumes")
+	flags.SetAnnotation("force", "version", []string{"1.25"})
+	return cmd
+}
+
+func runRemove(dockerCli command.Cli, opts *removeOptions) error {
+	client := dockerCli.Client()
+	ctx := context.Background()
+
+	var errs []string
+
+	for _, name := range opts.volumes {
+		if err := client.VolumeRemove(ctx, name, opts.force); err != nil {
+			errs = append(errs, err.Error())
+			continue
+		}
+		fmt.Fprintf(dockerCli.Out(), "%s\n", name)
+	}
+
+	if len(errs) > 0 {
+		return errors.Errorf("%s", strings.Join(errs, "\n"))
+	}
+	return nil
+}
+
+var removeDescription = `
+Remove one or more volumes. You cannot remove a volume that is in use by a container.
+`
+
+var removeExample = `
+$ docker volume rm hello
+hello
+`
diff --git a/cli/cli/command/volume/remove_test.go b/cli/cli/command/volume/remove_test.go
new file mode 100644
index 00000000..789d906a
--- /dev/null
+++ b/cli/cli/command/volume/remove_test.go
@@ -0,0 +1,44 @@
+package volume
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+func TestVolumeRemoveErrors(t *testing.T) {
+	testCases := []struct {
+		args             []string
+		volumeRemoveFunc func(volumeID string, force bool) error
+		expectedError    string
+	}{
+		{
+			expectedError: "requires at least 1 argument",
+		},
+		{
+			args: []string{"nodeID"},
+			volumeRemoveFunc: func(volumeID string, force bool) error {
+				return errors.Errorf("error removing the volume")
+			},
+			expectedError: "error removing the volume",
+		},
+	}
+	for _, tc := range testCases {
+		cmd := newRemoveCommand(
+			test.NewFakeCli(&fakeClient{
+				volumeRemoveFunc: tc.volumeRemoveFunc,
+			}))
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+	}
+}
+
+func TestNodeRemoveMultiple(t *testing.T) {
+	cmd := newRemoveCommand(test.NewFakeCli(&fakeClient{}))
+	cmd.SetArgs([]string{"volume1", "volume2"})
+	assert.NilError(t, cmd.Execute())
+}
diff --git a/cli/cli/command/volume/testdata/volume-inspect-with-format.json-template.golden b/cli/cli/command/volume/testdata/volume-inspect-with-format.json-template.golden
new file mode 100644
index 00000000..2393cd01
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-inspect-with-format.json-template.golden
@@ -0,0 +1 @@
+{"foo":"bar"}
diff --git a/cli/cli/command/volume/testdata/volume-inspect-with-format.simple-template.golden b/cli/cli/command/volume/testdata/volume-inspect-with-format.simple-template.golden
new file mode 100644
index 00000000..4833bbb0
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-inspect-with-format.simple-template.golden
@@ -0,0 +1 @@
+volume
diff --git a/cli/cli/command/volume/testdata/volume-inspect-without-format.multiple-volume-with-labels.golden b/cli/cli/command/volume/testdata/volume-inspect-without-format.multiple-volume-with-labels.golden
new file mode 100644
index 00000000..19cad502
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-inspect-without-format.multiple-volume-with-labels.golden
@@ -0,0 +1,22 @@
+[
+    {
+        "Driver": "local",
+        "Labels": {
+            "foo": "bar"
+        },
+        "Mountpoint": "/data/volume",
+        "Name": "foo",
+        "Options": null,
+        "Scope": "local"
+    },
+    {
+        "Driver": "local",
+        "Labels": {
+            "foo": "bar"
+        },
+        "Mountpoint": "/data/volume",
+        "Name": "bar",
+        "Options": null,
+        "Scope": "local"
+    }
+]
diff --git a/cli/cli/command/volume/testdata/volume-inspect-without-format.single-volume.golden b/cli/cli/command/volume/testdata/volume-inspect-without-format.single-volume.golden
new file mode 100644
index 00000000..22d0c5a6
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-inspect-without-format.single-volume.golden
@@ -0,0 +1,10 @@
+[
+    {
+        "Driver": "local",
+        "Labels": null,
+        "Mountpoint": "/data/volume",
+        "Name": "volume",
+        "Options": null,
+        "Scope": "local"
+    }
+]
diff --git a/cli/cli/command/volume/testdata/volume-list-with-config-format.golden b/cli/cli/command/volume/testdata/volume-list-with-config-format.golden
new file mode 100644
index 00000000..72fa0bd4
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-list-with-config-format.golden
@@ -0,0 +1,3 @@
+baz local foo=bar
+foo bar 
+volume local 
diff --git a/cli/cli/command/volume/testdata/volume-list-with-format.golden b/cli/cli/command/volume/testdata/volume-list-with-format.golden
new file mode 100644
index 00000000..72fa0bd4
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-list-with-format.golden
@@ -0,0 +1,3 @@
+baz local foo=bar
+foo bar 
+volume local 
diff --git a/cli/cli/command/volume/testdata/volume-list-without-format.golden b/cli/cli/command/volume/testdata/volume-list-without-format.golden
new file mode 100644
index 00000000..9cf779e8
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-list-without-format.golden
@@ -0,0 +1,4 @@
+DRIVER              VOLUME NAME
+local               baz
+bar                 foo
+local               volume
diff --git a/cli/cli/command/volume/testdata/volume-prune-no.golden b/cli/cli/command/volume/testdata/volume-prune-no.golden
new file mode 100644
index 00000000..710344c3
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-prune-no.golden
@@ -0,0 +1,2 @@
+WARNING! This will remove all local volumes not used by at least one container.
+Are you sure you want to continue? [y/N] Total reclaimed space: 0B
diff --git a/cli/cli/command/volume/testdata/volume-prune-yes.golden b/cli/cli/command/volume/testdata/volume-prune-yes.golden
new file mode 100644
index 00000000..54488e2f
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-prune-yes.golden
@@ -0,0 +1,7 @@
+WARNING! This will remove all local volumes not used by at least one container.
+Are you sure you want to continue? [y/N] Deleted Volumes:
+foo
+bar
+baz
+
+Total reclaimed space: 2kB
diff --git a/cli/cli/command/volume/testdata/volume-prune.deletedVolumes.golden b/cli/cli/command/volume/testdata/volume-prune.deletedVolumes.golden
new file mode 100644
index 00000000..fbe996c7
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-prune.deletedVolumes.golden
@@ -0,0 +1,6 @@
+Deleted Volumes:
+foo
+bar
+baz
+
+Total reclaimed space: 2kB
diff --git a/cli/cli/command/volume/testdata/volume-prune.empty.golden b/cli/cli/command/volume/testdata/volume-prune.empty.golden
new file mode 100644
index 00000000..6c537e1a
--- /dev/null
+++ b/cli/cli/command/volume/testdata/volume-prune.empty.golden
@@ -0,0 +1 @@
+Total reclaimed space: 0B
diff --git a/cli/cli/compose/convert/compose.go b/cli/cli/compose/convert/compose.go
new file mode 100644
index 00000000..7b369596
--- /dev/null
+++ b/cli/cli/compose/convert/compose.go
@@ -0,0 +1,159 @@
+package convert
+
+import (
+	"io/ioutil"
+	"strings"
+
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/docker/docker/api/types"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+const (
+	// LabelNamespace is the label used to track stack resources
+	LabelNamespace = "com.docker.stack.namespace"
+)
+
+// Namespace mangles names by prepending the name
+type Namespace struct {
+	name string
+}
+
+// Scope prepends the namespace to a name
+func (n Namespace) Scope(name string) string {
+	return n.name + "_" + name
+}
+
+// Descope returns the name without the namespace prefix
+func (n Namespace) Descope(name string) string {
+	return strings.TrimPrefix(name, n.name+"_")
+}
+
+// Name returns the name of the namespace
+func (n Namespace) Name() string {
+	return n.name
+}
+
+// NewNamespace returns a new Namespace for scoping of names
+func NewNamespace(name string) Namespace {
+	return Namespace{name: name}
+}
+
+// AddStackLabel returns labels with the namespace label added
+func AddStackLabel(namespace Namespace, labels map[string]string) map[string]string {
+	if labels == nil {
+		labels = make(map[string]string)
+	}
+	labels[LabelNamespace] = namespace.name
+	return labels
+}
+
+type networkMap map[string]composetypes.NetworkConfig
+
+// Networks from the compose-file type to the engine API type
+func Networks(namespace Namespace, networks networkMap, servicesNetworks map[string]struct{}) (map[string]types.NetworkCreate, []string) {
+	if networks == nil {
+		networks = make(map[string]composetypes.NetworkConfig)
+	}
+
+	externalNetworks := []string{}
+	result := make(map[string]types.NetworkCreate)
+	for internalName := range servicesNetworks {
+		network := networks[internalName]
+		if network.External.External {
+			externalNetworks = append(externalNetworks, network.Name)
+			continue
+		}
+
+		createOpts := types.NetworkCreate{
+			Labels:     AddStackLabel(namespace, network.Labels),
+			Driver:     network.Driver,
+			Options:    network.DriverOpts,
+			Internal:   network.Internal,
+			Attachable: network.Attachable,
+		}
+
+		if network.Ipam.Driver != "" || len(network.Ipam.Config) > 0 {
+			createOpts.IPAM = &networktypes.IPAM{}
+		}
+
+		if network.Ipam.Driver != "" {
+			createOpts.IPAM.Driver = network.Ipam.Driver
+		}
+		for _, ipamConfig := range network.Ipam.Config {
+			config := networktypes.IPAMConfig{
+				Subnet: ipamConfig.Subnet,
+			}
+			createOpts.IPAM.Config = append(createOpts.IPAM.Config, config)
+		}
+
+		networkName := namespace.Scope(internalName)
+		if network.Name != "" {
+			networkName = network.Name
+		}
+		result[networkName] = createOpts
+	}
+
+	return result, externalNetworks
+}
+
+// Secrets converts secrets from the Compose type to the engine API type
+func Secrets(namespace Namespace, secrets map[string]composetypes.SecretConfig) ([]swarm.SecretSpec, error) {
+	result := []swarm.SecretSpec{}
+	for name, secret := range secrets {
+		if secret.External.External {
+			continue
+		}
+
+		obj, err := fileObjectConfig(namespace, name, composetypes.FileObjectConfig(secret))
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, swarm.SecretSpec{Annotations: obj.Annotations, Data: obj.Data})
+	}
+	return result, nil
+}
+
+// Configs converts config objects from the Compose type to the engine API type
+func Configs(namespace Namespace, configs map[string]composetypes.ConfigObjConfig) ([]swarm.ConfigSpec, error) {
+	result := []swarm.ConfigSpec{}
+	for name, config := range configs {
+		if config.External.External {
+			continue
+		}
+
+		obj, err := fileObjectConfig(namespace, name, composetypes.FileObjectConfig(config))
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, swarm.ConfigSpec{Annotations: obj.Annotations, Data: obj.Data})
+	}
+	return result, nil
+}
+
+type swarmFileObject struct {
+	Annotations swarm.Annotations
+	Data        []byte
+}
+
+func fileObjectConfig(namespace Namespace, name string, obj composetypes.FileObjectConfig) (swarmFileObject, error) {
+	data, err := ioutil.ReadFile(obj.File)
+	if err != nil {
+		return swarmFileObject{}, err
+	}
+
+	if obj.Name != "" {
+		name = obj.Name
+	} else {
+		name = namespace.Scope(name)
+	}
+
+	return swarmFileObject{
+		Annotations: swarm.Annotations{
+			Name:   name,
+			Labels: AddStackLabel(namespace, obj.Labels),
+		},
+		Data: data,
+	}, nil
+}
diff --git a/cli/cli/compose/convert/compose_test.go b/cli/cli/compose/convert/compose_test.go
new file mode 100644
index 00000000..98b2dc1c
--- /dev/null
+++ b/cli/cli/compose/convert/compose_test.go
@@ -0,0 +1,171 @@
+package convert
+
+import (
+	"testing"
+
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+func TestNamespaceScope(t *testing.T) {
+	scoped := Namespace{name: "foo"}.Scope("bar")
+	assert.Check(t, is.Equal("foo_bar", scoped))
+}
+
+func TestAddStackLabel(t *testing.T) {
+	labels := map[string]string{
+		"something": "labeled",
+	}
+	actual := AddStackLabel(Namespace{name: "foo"}, labels)
+	expected := map[string]string{
+		"something":    "labeled",
+		LabelNamespace: "foo",
+	}
+	assert.Check(t, is.DeepEqual(expected, actual))
+}
+
+func TestNetworks(t *testing.T) {
+	namespace := Namespace{name: "foo"}
+	serviceNetworks := map[string]struct{}{
+		"normal":        {},
+		"outside":       {},
+		"default":       {},
+		"attachablenet": {},
+		"named":         {},
+	}
+	source := networkMap{
+		"normal": composetypes.NetworkConfig{
+			Driver: "overlay",
+			DriverOpts: map[string]string{
+				"opt": "value",
+			},
+			Ipam: composetypes.IPAMConfig{
+				Driver: "driver",
+				Config: []*composetypes.IPAMPool{
+					{
+						Subnet: "10.0.0.0",
+					},
+				},
+			},
+			Labels: map[string]string{
+				"something": "labeled",
+			},
+		},
+		"outside": composetypes.NetworkConfig{
+			External: composetypes.External{External: true},
+			Name:     "special",
+		},
+		"attachablenet": composetypes.NetworkConfig{
+			Driver:     "overlay",
+			Attachable: true,
+		},
+		"named": composetypes.NetworkConfig{
+			Name: "othername",
+		},
+	}
+	expected := map[string]types.NetworkCreate{
+		"foo_default": {
+			Labels: map[string]string{
+				LabelNamespace: "foo",
+			},
+		},
+		"foo_normal": {
+			Driver: "overlay",
+			IPAM: &network.IPAM{
+				Driver: "driver",
+				Config: []network.IPAMConfig{
+					{
+						Subnet: "10.0.0.0",
+					},
+				},
+			},
+			Options: map[string]string{
+				"opt": "value",
+			},
+			Labels: map[string]string{
+				LabelNamespace: "foo",
+				"something":    "labeled",
+			},
+		},
+		"foo_attachablenet": {
+			Driver:     "overlay",
+			Attachable: true,
+			Labels: map[string]string{
+				LabelNamespace: "foo",
+			},
+		},
+		"othername": {
+			Labels: map[string]string{LabelNamespace: "foo"},
+		},
+	}
+
+	networks, externals := Networks(namespace, source, serviceNetworks)
+	assert.DeepEqual(t, expected, networks)
+	assert.DeepEqual(t, []string{"special"}, externals)
+}
+
+func TestSecrets(t *testing.T) {
+	namespace := Namespace{name: "foo"}
+
+	secretText := "this is the first secret"
+	secretFile := fs.NewFile(t, "convert-secrets", fs.WithContent(secretText))
+	defer secretFile.Remove()
+
+	source := map[string]composetypes.SecretConfig{
+		"one": {
+			File:   secretFile.Path(),
+			Labels: map[string]string{"monster": "mash"},
+		},
+		"ext": {
+			External: composetypes.External{
+				External: true,
+			},
+		},
+	}
+
+	specs, err := Secrets(namespace, source)
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(specs, 1))
+	secret := specs[0]
+	assert.Check(t, is.Equal("foo_one", secret.Name))
+	assert.Check(t, is.DeepEqual(map[string]string{
+		"monster":      "mash",
+		LabelNamespace: "foo",
+	}, secret.Labels))
+	assert.Check(t, is.DeepEqual([]byte(secretText), secret.Data))
+}
+
+func TestConfigs(t *testing.T) {
+	namespace := Namespace{name: "foo"}
+
+	configText := "this is the first config"
+	configFile := fs.NewFile(t, "convert-configs", fs.WithContent(configText))
+	defer configFile.Remove()
+
+	source := map[string]composetypes.ConfigObjConfig{
+		"one": {
+			File:   configFile.Path(),
+			Labels: map[string]string{"monster": "mash"},
+		},
+		"ext": {
+			External: composetypes.External{
+				External: true,
+			},
+		},
+	}
+
+	specs, err := Configs(namespace, source)
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(specs, 1))
+	config := specs[0]
+	assert.Check(t, is.Equal("foo_one", config.Name))
+	assert.Check(t, is.DeepEqual(map[string]string{
+		"monster":      "mash",
+		LabelNamespace: "foo",
+	}, config.Labels))
+	assert.Check(t, is.DeepEqual([]byte(configText), config.Data))
+}
diff --git a/cli/cli/compose/convert/service.go b/cli/cli/compose/convert/service.go
new file mode 100644
index 00000000..08865968
--- /dev/null
+++ b/cli/cli/compose/convert/service.go
@@ -0,0 +1,615 @@
+package convert
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+	"time"
+
+	servicecli "github.com/docker/cli/cli/command/service"
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
+)
+
+const (
+	defaultNetwork = "default"
+	// LabelImage is the label used to store image name provided in the compose file
+	LabelImage = "com.docker.stack.image"
+)
+
+// Services from compose-file types to engine API types
+func Services(
+	namespace Namespace,
+	config *composetypes.Config,
+	client client.CommonAPIClient,
+) (map[string]swarm.ServiceSpec, error) {
+	result := make(map[string]swarm.ServiceSpec)
+
+	services := config.Services
+	volumes := config.Volumes
+	networks := config.Networks
+
+	for _, service := range services {
+		secrets, err := convertServiceSecrets(client, namespace, service.Secrets, config.Secrets)
+		if err != nil {
+			return nil, errors.Wrapf(err, "service %s", service.Name)
+		}
+		configs, err := convertServiceConfigObjs(client, namespace, service.Configs, config.Configs)
+		if err != nil {
+			return nil, errors.Wrapf(err, "service %s", service.Name)
+		}
+
+		serviceSpec, err := Service(client.ClientVersion(), namespace, service, networks, volumes, secrets, configs)
+		if err != nil {
+			return nil, errors.Wrapf(err, "service %s", service.Name)
+		}
+		result[service.Name] = serviceSpec
+	}
+
+	return result, nil
+}
+
+// Service converts a ServiceConfig into a swarm ServiceSpec
+func Service(
+	apiVersion string,
+	namespace Namespace,
+	service composetypes.ServiceConfig,
+	networkConfigs map[string]composetypes.NetworkConfig,
+	volumes map[string]composetypes.VolumeConfig,
+	secrets []*swarm.SecretReference,
+	configs []*swarm.ConfigReference,
+) (swarm.ServiceSpec, error) {
+	name := namespace.Scope(service.Name)
+
+	endpoint, err := convertEndpointSpec(service.Deploy.EndpointMode, service.Ports)
+	if err != nil {
+		return swarm.ServiceSpec{}, err
+	}
+
+	mode, err := convertDeployMode(service.Deploy.Mode, service.Deploy.Replicas)
+	if err != nil {
+		return swarm.ServiceSpec{}, err
+	}
+
+	mounts, err := Volumes(service.Volumes, volumes, namespace)
+	if err != nil {
+		return swarm.ServiceSpec{}, err
+	}
+
+	resources, err := convertResources(service.Deploy.Resources)
+	if err != nil {
+		return swarm.ServiceSpec{}, err
+	}
+
+	restartPolicy, err := convertRestartPolicy(
+		service.Restart, service.Deploy.RestartPolicy)
+	if err != nil {
+		return swarm.ServiceSpec{}, err
+	}
+
+	healthcheck, err := convertHealthcheck(service.HealthCheck)
+	if err != nil {
+		return swarm.ServiceSpec{}, err
+	}
+
+	networks, err := convertServiceNetworks(service.Networks, networkConfigs, namespace, service.Name)
+	if err != nil {
+		return swarm.ServiceSpec{}, err
+	}
+
+	dnsConfig, err := convertDNSConfig(service.DNS, service.DNSSearch)
+	if err != nil {
+		return swarm.ServiceSpec{}, err
+	}
+
+	var privileges swarm.Privileges
+	privileges.CredentialSpec, err = convertCredentialSpec(service.CredentialSpec)
+	if err != nil {
+		return swarm.ServiceSpec{}, err
+	}
+
+	var logDriver *swarm.Driver
+	if service.Logging != nil {
+		logDriver = &swarm.Driver{
+			Name:    service.Logging.Driver,
+			Options: service.Logging.Options,
+		}
+	}
+
+	serviceSpec := swarm.ServiceSpec{
+		Annotations: swarm.Annotations{
+			Name:   name,
+			Labels: AddStackLabel(namespace, service.Deploy.Labels),
+		},
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Image:           service.Image,
+				Command:         service.Entrypoint,
+				Args:            service.Command,
+				Hostname:        service.Hostname,
+				Hosts:           convertExtraHosts(service.ExtraHosts),
+				DNSConfig:       dnsConfig,
+				Healthcheck:     healthcheck,
+				Env:             sortStrings(convertEnvironment(service.Environment)),
+				Labels:          AddStackLabel(namespace, service.Labels),
+				Dir:             service.WorkingDir,
+				User:            service.User,
+				Mounts:          mounts,
+				StopGracePeriod: service.StopGracePeriod,
+				StopSignal:      service.StopSignal,
+				TTY:             service.Tty,
+				OpenStdin:       service.StdinOpen,
+				Secrets:         secrets,
+				Configs:         configs,
+				ReadOnly:        service.ReadOnly,
+				Privileges:      &privileges,
+				Isolation:       container.Isolation(service.Isolation),
+				Init:            service.Init,
+			},
+			LogDriver:     logDriver,
+			Resources:     resources,
+			RestartPolicy: restartPolicy,
+			Placement: &swarm.Placement{
+				Constraints: service.Deploy.Placement.Constraints,
+				Preferences: getPlacementPreference(service.Deploy.Placement.Preferences),
+			},
+		},
+		EndpointSpec:   endpoint,
+		Mode:           mode,
+		UpdateConfig:   convertUpdateConfig(service.Deploy.UpdateConfig),
+		RollbackConfig: convertUpdateConfig(service.Deploy.RollbackConfig),
+	}
+
+	// add an image label to serviceSpec
+	serviceSpec.Labels[LabelImage] = service.Image
+
+	// ServiceSpec.Networks is deprecated and should not have been used by
+	// this package. It is possible to update TaskTemplate.Networks, but it
+	// is not possible to update ServiceSpec.Networks. Unfortunately, we
+	// can't unconditionally start using TaskTemplate.Networks, because that
+	// will break with older daemons that don't support migrating from
+	// ServiceSpec.Networks to TaskTemplate.Networks. So which field to use
+	// is conditional on daemon version.
+	if versions.LessThan(apiVersion, "1.29") {
+		serviceSpec.Networks = networks
+	} else {
+		serviceSpec.TaskTemplate.Networks = networks
+	}
+	return serviceSpec, nil
+}
+
+func getPlacementPreference(preferences []composetypes.PlacementPreferences) []swarm.PlacementPreference {
+	result := []swarm.PlacementPreference{}
+	for _, preference := range preferences {
+		spreadDescriptor := preference.Spread
+		result = append(result, swarm.PlacementPreference{
+			Spread: &swarm.SpreadOver{
+				SpreadDescriptor: spreadDescriptor,
+			},
+		})
+	}
+	return result
+}
+
+func sortStrings(strs []string) []string {
+	sort.Strings(strs)
+	return strs
+}
+
+type byNetworkTarget []swarm.NetworkAttachmentConfig
+
+func (a byNetworkTarget) Len() int           { return len(a) }
+func (a byNetworkTarget) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a byNetworkTarget) Less(i, j int) bool { return a[i].Target < a[j].Target }
+
+func convertServiceNetworks(
+	networks map[string]*composetypes.ServiceNetworkConfig,
+	networkConfigs networkMap,
+	namespace Namespace,
+	name string,
+) ([]swarm.NetworkAttachmentConfig, error) {
+	if len(networks) == 0 {
+		networks = map[string]*composetypes.ServiceNetworkConfig{
+			defaultNetwork: {},
+		}
+	}
+
+	nets := []swarm.NetworkAttachmentConfig{}
+	for networkName, network := range networks {
+		networkConfig, ok := networkConfigs[networkName]
+		if !ok && networkName != defaultNetwork {
+			return nil, errors.Errorf("undefined network %q", networkName)
+		}
+		var aliases []string
+		if network != nil {
+			aliases = network.Aliases
+		}
+		target := namespace.Scope(networkName)
+		if networkConfig.Name != "" {
+			target = networkConfig.Name
+		}
+		netAttachConfig := swarm.NetworkAttachmentConfig{
+			Target:  target,
+			Aliases: aliases,
+		}
+		// Only add default aliases to user defined networks. Other networks do
+		// not support aliases.
+		if container.NetworkMode(target).IsUserDefined() {
+			netAttachConfig.Aliases = append(netAttachConfig.Aliases, name)
+		}
+		nets = append(nets, netAttachConfig)
+	}
+
+	sort.Sort(byNetworkTarget(nets))
+	return nets, nil
+}
+
+// TODO: fix secrets API so that SecretAPIClient is not required here
+func convertServiceSecrets(
+	client client.SecretAPIClient,
+	namespace Namespace,
+	secrets []composetypes.ServiceSecretConfig,
+	secretSpecs map[string]composetypes.SecretConfig,
+) ([]*swarm.SecretReference, error) {
+	refs := []*swarm.SecretReference{}
+
+	lookup := func(key string) (composetypes.FileObjectConfig, error) {
+		secretSpec, exists := secretSpecs[key]
+		if !exists {
+			return composetypes.FileObjectConfig{}, errors.Errorf("undefined secret %q", key)
+		}
+		return composetypes.FileObjectConfig(secretSpec), nil
+	}
+	for _, secret := range secrets {
+		obj, err := convertFileObject(namespace, composetypes.FileReferenceConfig(secret), lookup)
+		if err != nil {
+			return nil, err
+		}
+
+		file := swarm.SecretReferenceFileTarget(obj.File)
+		refs = append(refs, &swarm.SecretReference{
+			File:       &file,
+			SecretName: obj.Name,
+		})
+	}
+
+	secrs, err := servicecli.ParseSecrets(client, refs)
+	if err != nil {
+		return nil, err
+	}
+	// sort to ensure idempotence (don't restart services just because the entries are in different order)
+	sort.SliceStable(secrs, func(i, j int) bool { return secrs[i].SecretName < secrs[j].SecretName })
+	return secrs, err
+}
+
+// TODO: fix configs API so that ConfigsAPIClient is not required here
+func convertServiceConfigObjs(
+	client client.ConfigAPIClient,
+	namespace Namespace,
+	configs []composetypes.ServiceConfigObjConfig,
+	configSpecs map[string]composetypes.ConfigObjConfig,
+) ([]*swarm.ConfigReference, error) {
+	refs := []*swarm.ConfigReference{}
+
+	lookup := func(key string) (composetypes.FileObjectConfig, error) {
+		configSpec, exists := configSpecs[key]
+		if !exists {
+			return composetypes.FileObjectConfig{}, errors.Errorf("undefined config %q", key)
+		}
+		return composetypes.FileObjectConfig(configSpec), nil
+	}
+	for _, config := range configs {
+		obj, err := convertFileObject(namespace, composetypes.FileReferenceConfig(config), lookup)
+		if err != nil {
+			return nil, err
+		}
+
+		file := swarm.ConfigReferenceFileTarget(obj.File)
+		refs = append(refs, &swarm.ConfigReference{
+			File:       &file,
+			ConfigName: obj.Name,
+		})
+	}
+
+	confs, err := servicecli.ParseConfigs(client, refs)
+	if err != nil {
+		return nil, err
+	}
+	// sort to ensure idempotence (don't restart services just because the entries are in different order)
+	sort.SliceStable(confs, func(i, j int) bool { return confs[i].ConfigName < confs[j].ConfigName })
+	return confs, err
+}
+
+type swarmReferenceTarget struct {
+	Name string
+	UID  string
+	GID  string
+	Mode os.FileMode
+}
+
+type swarmReferenceObject struct {
+	File swarmReferenceTarget
+	ID   string
+	Name string
+}
+
+func convertFileObject(
+	namespace Namespace,
+	config composetypes.FileReferenceConfig,
+	lookup func(key string) (composetypes.FileObjectConfig, error),
+) (swarmReferenceObject, error) {
+	target := config.Target
+	if target == "" {
+		target = config.Source
+	}
+
+	obj, err := lookup(config.Source)
+	if err != nil {
+		return swarmReferenceObject{}, err
+	}
+
+	source := namespace.Scope(config.Source)
+	if obj.Name != "" {
+		source = obj.Name
+	}
+
+	uid := config.UID
+	gid := config.GID
+	if uid == "" {
+		uid = "0"
+	}
+	if gid == "" {
+		gid = "0"
+	}
+	mode := config.Mode
+	if mode == nil {
+		mode = uint32Ptr(0444)
+	}
+
+	return swarmReferenceObject{
+		File: swarmReferenceTarget{
+			Name: target,
+			UID:  uid,
+			GID:  gid,
+			Mode: os.FileMode(*mode),
+		},
+		Name: source,
+	}, nil
+}
+
+func uint32Ptr(value uint32) *uint32 {
+	return &value
+}
+
+// convertExtraHosts converts <host>:<ip> mappings to SwarmKit notation:
+// "IP-address hostname(s)". The original order of mappings is preserved.
+func convertExtraHosts(extraHosts composetypes.HostsList) []string {
+	hosts := []string{}
+	for _, hostIP := range extraHosts {
+		if v := strings.SplitN(hostIP, ":", 2); len(v) == 2 {
+			// Convert to SwarmKit notation: IP-address hostname(s)
+			hosts = append(hosts, fmt.Sprintf("%s %s", v[1], v[0]))
+		}
+	}
+	return hosts
+}
+
+func convertHealthcheck(healthcheck *composetypes.HealthCheckConfig) (*container.HealthConfig, error) {
+	if healthcheck == nil {
+		return nil, nil
+	}
+	var (
+		timeout, interval, startPeriod time.Duration
+		retries                        int
+	)
+	if healthcheck.Disable {
+		if len(healthcheck.Test) != 0 {
+			return nil, errors.Errorf("test and disable can't be set at the same time")
+		}
+		return &container.HealthConfig{
+			Test: []string{"NONE"},
+		}, nil
+
+	}
+	if healthcheck.Timeout != nil {
+		timeout = *healthcheck.Timeout
+	}
+	if healthcheck.Interval != nil {
+		interval = *healthcheck.Interval
+	}
+	if healthcheck.StartPeriod != nil {
+		startPeriod = *healthcheck.StartPeriod
+	}
+	if healthcheck.Retries != nil {
+		retries = int(*healthcheck.Retries)
+	}
+	return &container.HealthConfig{
+		Test:        healthcheck.Test,
+		Timeout:     timeout,
+		Interval:    interval,
+		Retries:     retries,
+		StartPeriod: startPeriod,
+	}, nil
+}
+
+func convertRestartPolicy(restart string, source *composetypes.RestartPolicy) (*swarm.RestartPolicy, error) {
+	// TODO: log if restart is being ignored
+	if source == nil {
+		policy, err := opts.ParseRestartPolicy(restart)
+		if err != nil {
+			return nil, err
+		}
+		switch {
+		case policy.IsNone():
+			return nil, nil
+		case policy.IsAlways(), policy.IsUnlessStopped():
+			return &swarm.RestartPolicy{
+				Condition: swarm.RestartPolicyConditionAny,
+			}, nil
+		case policy.IsOnFailure():
+			attempts := uint64(policy.MaximumRetryCount)
+			return &swarm.RestartPolicy{
+				Condition:   swarm.RestartPolicyConditionOnFailure,
+				MaxAttempts: &attempts,
+			}, nil
+		default:
+			return nil, errors.Errorf("unknown restart policy: %s", restart)
+		}
+	}
+	return &swarm.RestartPolicy{
+		Condition:   swarm.RestartPolicyCondition(source.Condition),
+		Delay:       source.Delay,
+		MaxAttempts: source.MaxAttempts,
+		Window:      source.Window,
+	}, nil
+}
+
+func convertUpdateConfig(source *composetypes.UpdateConfig) *swarm.UpdateConfig {
+	if source == nil {
+		return nil
+	}
+	parallel := uint64(1)
+	if source.Parallelism != nil {
+		parallel = *source.Parallelism
+	}
+	return &swarm.UpdateConfig{
+		Parallelism:     parallel,
+		Delay:           source.Delay,
+		FailureAction:   source.FailureAction,
+		Monitor:         source.Monitor,
+		MaxFailureRatio: source.MaxFailureRatio,
+		Order:           source.Order,
+	}
+}
+
+func convertResources(source composetypes.Resources) (*swarm.ResourceRequirements, error) {
+	resources := &swarm.ResourceRequirements{}
+	var err error
+	if source.Limits != nil {
+		var cpus int64
+		if source.Limits.NanoCPUs != "" {
+			cpus, err = opts.ParseCPUs(source.Limits.NanoCPUs)
+			if err != nil {
+				return nil, err
+			}
+		}
+		resources.Limits = &swarm.Resources{
+			NanoCPUs:    cpus,
+			MemoryBytes: int64(source.Limits.MemoryBytes),
+		}
+	}
+	if source.Reservations != nil {
+		var cpus int64
+		if source.Reservations.NanoCPUs != "" {
+			cpus, err = opts.ParseCPUs(source.Reservations.NanoCPUs)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		var generic []swarm.GenericResource
+		for _, res := range source.Reservations.GenericResources {
+			var r swarm.GenericResource
+
+			if res.DiscreteResourceSpec != nil {
+				r.DiscreteResourceSpec = &swarm.DiscreteGenericResource{
+					Kind:  res.DiscreteResourceSpec.Kind,
+					Value: res.DiscreteResourceSpec.Value,
+				}
+			}
+
+			generic = append(generic, r)
+		}
+
+		resources.Reservations = &swarm.Resources{
+			NanoCPUs:         cpus,
+			MemoryBytes:      int64(source.Reservations.MemoryBytes),
+			GenericResources: generic,
+		}
+	}
+	return resources, nil
+}
+
+type byPublishedPort []swarm.PortConfig
+
+func (a byPublishedPort) Len() int           { return len(a) }
+func (a byPublishedPort) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a byPublishedPort) Less(i, j int) bool { return a[i].PublishedPort < a[j].PublishedPort }
+
+func convertEndpointSpec(endpointMode string, source []composetypes.ServicePortConfig) (*swarm.EndpointSpec, error) {
+	portConfigs := []swarm.PortConfig{}
+	for _, port := range source {
+		portConfig := swarm.PortConfig{
+			Protocol:      swarm.PortConfigProtocol(port.Protocol),
+			TargetPort:    port.Target,
+			PublishedPort: port.Published,
+			PublishMode:   swarm.PortConfigPublishMode(port.Mode),
+		}
+		portConfigs = append(portConfigs, portConfig)
+	}
+
+	sort.Sort(byPublishedPort(portConfigs))
+	return &swarm.EndpointSpec{
+		Mode:  swarm.ResolutionMode(strings.ToLower(endpointMode)),
+		Ports: portConfigs,
+	}, nil
+}
+
+func convertEnvironment(source map[string]*string) []string {
+	var output []string
+
+	for name, value := range source {
+		switch value {
+		case nil:
+			output = append(output, name)
+		default:
+			output = append(output, fmt.Sprintf("%s=%s", name, *value))
+		}
+	}
+
+	return output
+}
+
+func convertDeployMode(mode string, replicas *uint64) (swarm.ServiceMode, error) {
+	serviceMode := swarm.ServiceMode{}
+
+	switch mode {
+	case "global":
+		if replicas != nil {
+			return serviceMode, errors.Errorf("replicas can only be used with replicated mode")
+		}
+		serviceMode.Global = &swarm.GlobalService{}
+	case "replicated", "":
+		serviceMode.Replicated = &swarm.ReplicatedService{Replicas: replicas}
+	default:
+		return serviceMode, errors.Errorf("Unknown mode: %s", mode)
+	}
+	return serviceMode, nil
+}
+
+func convertDNSConfig(DNS []string, DNSSearch []string) (*swarm.DNSConfig, error) {
+	if DNS != nil || DNSSearch != nil {
+		return &swarm.DNSConfig{
+			Nameservers: DNS,
+			Search:      DNSSearch,
+		}, nil
+	}
+	return nil, nil
+}
+
+func convertCredentialSpec(spec composetypes.CredentialSpecConfig) (*swarm.CredentialSpec, error) {
+	if spec.File == "" && spec.Registry == "" {
+		return nil, nil
+	}
+	if spec.File != "" && spec.Registry != "" {
+		return nil, errors.New("Invalid credential spec - must provide one of `File` or `Registry`")
+	}
+	swarmCredSpec := swarm.CredentialSpec(spec)
+	return &swarmCredSpec, nil
+}
diff --git a/cli/cli/compose/convert/service_test.go b/cli/cli/compose/convert/service_test.go
new file mode 100644
index 00000000..7e5fa4e1
--- /dev/null
+++ b/cli/cli/compose/convert/service_test.go
@@ -0,0 +1,566 @@
+package convert
+
+import (
+	"context"
+	"os"
+	"sort"
+	"strings"
+	"testing"
+	"time"
+
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestConvertRestartPolicyFromNone(t *testing.T) {
+	policy, err := convertRestartPolicy("no", nil)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual((*swarm.RestartPolicy)(nil), policy))
+}
+
+func TestConvertRestartPolicyFromUnknown(t *testing.T) {
+	_, err := convertRestartPolicy("unknown", nil)
+	assert.Error(t, err, "unknown restart policy: unknown")
+}
+
+func TestConvertRestartPolicyFromAlways(t *testing.T) {
+	policy, err := convertRestartPolicy("always", nil)
+	expected := &swarm.RestartPolicy{
+		Condition: swarm.RestartPolicyConditionAny,
+	}
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, policy))
+}
+
+func TestConvertRestartPolicyFromFailure(t *testing.T) {
+	policy, err := convertRestartPolicy("on-failure:4", nil)
+	attempts := uint64(4)
+	expected := &swarm.RestartPolicy{
+		Condition:   swarm.RestartPolicyConditionOnFailure,
+		MaxAttempts: &attempts,
+	}
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, policy))
+}
+
+func strPtr(val string) *string {
+	return &val
+}
+
+func TestConvertEnvironment(t *testing.T) {
+	source := map[string]*string{
+		"foo": strPtr("bar"),
+		"key": strPtr("value"),
+	}
+	env := convertEnvironment(source)
+	sort.Strings(env)
+	assert.Check(t, is.DeepEqual([]string{"foo=bar", "key=value"}, env))
+}
+
+func TestConvertExtraHosts(t *testing.T) {
+	source := composetypes.HostsList{
+		"zulu:127.0.0.2",
+		"alpha:127.0.0.1",
+		"zulu:ff02::1",
+	}
+	assert.Check(t, is.DeepEqual([]string{"127.0.0.2 zulu", "127.0.0.1 alpha", "ff02::1 zulu"}, convertExtraHosts(source)))
+}
+
+func TestConvertResourcesFull(t *testing.T) {
+	source := composetypes.Resources{
+		Limits: &composetypes.Resource{
+			NanoCPUs:    "0.003",
+			MemoryBytes: composetypes.UnitBytes(300000000),
+		},
+		Reservations: &composetypes.Resource{
+			NanoCPUs:    "0.002",
+			MemoryBytes: composetypes.UnitBytes(200000000),
+		},
+	}
+	resources, err := convertResources(source)
+	assert.NilError(t, err)
+
+	expected := &swarm.ResourceRequirements{
+		Limits: &swarm.Resources{
+			NanoCPUs:    3000000,
+			MemoryBytes: 300000000,
+		},
+		Reservations: &swarm.Resources{
+			NanoCPUs:    2000000,
+			MemoryBytes: 200000000,
+		},
+	}
+	assert.Check(t, is.DeepEqual(expected, resources))
+}
+
+func TestConvertResourcesOnlyMemory(t *testing.T) {
+	source := composetypes.Resources{
+		Limits: &composetypes.Resource{
+			MemoryBytes: composetypes.UnitBytes(300000000),
+		},
+		Reservations: &composetypes.Resource{
+			MemoryBytes: composetypes.UnitBytes(200000000),
+		},
+	}
+	resources, err := convertResources(source)
+	assert.NilError(t, err)
+
+	expected := &swarm.ResourceRequirements{
+		Limits: &swarm.Resources{
+			MemoryBytes: 300000000,
+		},
+		Reservations: &swarm.Resources{
+			MemoryBytes: 200000000,
+		},
+	}
+	assert.Check(t, is.DeepEqual(expected, resources))
+}
+
+func TestConvertHealthcheck(t *testing.T) {
+	retries := uint64(10)
+	timeout := 30 * time.Second
+	interval := 2 * time.Millisecond
+	source := &composetypes.HealthCheckConfig{
+		Test:     []string{"EXEC", "touch", "/foo"},
+		Timeout:  &timeout,
+		Interval: &interval,
+		Retries:  &retries,
+	}
+	expected := &container.HealthConfig{
+		Test:     source.Test,
+		Timeout:  timeout,
+		Interval: interval,
+		Retries:  10,
+	}
+
+	healthcheck, err := convertHealthcheck(source)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, healthcheck))
+}
+
+func TestConvertHealthcheckDisable(t *testing.T) {
+	source := &composetypes.HealthCheckConfig{Disable: true}
+	expected := &container.HealthConfig{
+		Test: []string{"NONE"},
+	}
+
+	healthcheck, err := convertHealthcheck(source)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, healthcheck))
+}
+
+func TestConvertHealthcheckDisableWithTest(t *testing.T) {
+	source := &composetypes.HealthCheckConfig{
+		Disable: true,
+		Test:    []string{"EXEC", "touch"},
+	}
+	_, err := convertHealthcheck(source)
+	assert.Error(t, err, "test and disable can't be set at the same time")
+}
+
+func TestConvertEndpointSpec(t *testing.T) {
+	source := []composetypes.ServicePortConfig{
+		{
+			Protocol:  "udp",
+			Target:    53,
+			Published: 1053,
+			Mode:      "host",
+		},
+		{
+			Target:    8080,
+			Published: 80,
+		},
+	}
+	endpoint, err := convertEndpointSpec("vip", source)
+
+	expected := swarm.EndpointSpec{
+		Mode: swarm.ResolutionMode(strings.ToLower("vip")),
+		Ports: []swarm.PortConfig{
+			{
+				TargetPort:    8080,
+				PublishedPort: 80,
+			},
+			{
+				Protocol:      "udp",
+				TargetPort:    53,
+				PublishedPort: 1053,
+				PublishMode:   "host",
+			},
+		},
+	}
+
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, *endpoint))
+}
+
+func TestConvertServiceNetworksOnlyDefault(t *testing.T) {
+	networkConfigs := networkMap{}
+
+	configs, err := convertServiceNetworks(
+		nil, networkConfigs, NewNamespace("foo"), "service")
+
+	expected := []swarm.NetworkAttachmentConfig{
+		{
+			Target:  "foo_default",
+			Aliases: []string{"service"},
+		},
+	}
+
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, configs))
+}
+
+func TestConvertServiceNetworks(t *testing.T) {
+	networkConfigs := networkMap{
+		"front": composetypes.NetworkConfig{
+			External: composetypes.External{External: true},
+			Name:     "fronttier",
+		},
+		"back": composetypes.NetworkConfig{},
+	}
+	networks := map[string]*composetypes.ServiceNetworkConfig{
+		"front": {
+			Aliases: []string{"something"},
+		},
+		"back": {
+			Aliases: []string{"other"},
+		},
+	}
+
+	configs, err := convertServiceNetworks(
+		networks, networkConfigs, NewNamespace("foo"), "service")
+
+	expected := []swarm.NetworkAttachmentConfig{
+		{
+			Target:  "foo_back",
+			Aliases: []string{"other", "service"},
+		},
+		{
+			Target:  "fronttier",
+			Aliases: []string{"something", "service"},
+		},
+	}
+
+	sortedConfigs := byTargetSort(configs)
+	sort.Sort(&sortedConfigs)
+
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, []swarm.NetworkAttachmentConfig(sortedConfigs)))
+}
+
+func TestConvertServiceNetworksCustomDefault(t *testing.T) {
+	networkConfigs := networkMap{
+		"default": composetypes.NetworkConfig{
+			External: composetypes.External{External: true},
+			Name:     "custom",
+		},
+	}
+	networks := map[string]*composetypes.ServiceNetworkConfig{}
+
+	configs, err := convertServiceNetworks(
+		networks, networkConfigs, NewNamespace("foo"), "service")
+
+	expected := []swarm.NetworkAttachmentConfig{
+		{
+			Target:  "custom",
+			Aliases: []string{"service"},
+		},
+	}
+
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, []swarm.NetworkAttachmentConfig(configs)))
+}
+
+type byTargetSort []swarm.NetworkAttachmentConfig
+
+func (s byTargetSort) Len() int {
+	return len(s)
+}
+
+func (s byTargetSort) Less(i, j int) bool {
+	return strings.Compare(s[i].Target, s[j].Target) < 0
+}
+
+func (s byTargetSort) Swap(i, j int) {
+	s[i], s[j] = s[j], s[i]
+}
+
+func TestConvertDNSConfigEmpty(t *testing.T) {
+	dnsConfig, err := convertDNSConfig(nil, nil)
+
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual((*swarm.DNSConfig)(nil), dnsConfig))
+}
+
+var (
+	nameservers = []string{"8.8.8.8", "9.9.9.9"}
+	search      = []string{"dc1.example.com", "dc2.example.com"}
+)
+
+func TestConvertDNSConfigAll(t *testing.T) {
+	dnsConfig, err := convertDNSConfig(nameservers, search)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(&swarm.DNSConfig{
+		Nameservers: nameservers,
+		Search:      search,
+	}, dnsConfig))
+}
+
+func TestConvertDNSConfigNameservers(t *testing.T) {
+	dnsConfig, err := convertDNSConfig(nameservers, nil)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(&swarm.DNSConfig{
+		Nameservers: nameservers,
+		Search:      nil,
+	}, dnsConfig))
+}
+
+func TestConvertDNSConfigSearch(t *testing.T) {
+	dnsConfig, err := convertDNSConfig(nil, search)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(&swarm.DNSConfig{
+		Nameservers: nil,
+		Search:      search,
+	}, dnsConfig))
+}
+
+func TestConvertCredentialSpec(t *testing.T) {
+	swarmSpec, err := convertCredentialSpec(composetypes.CredentialSpecConfig{})
+	assert.NilError(t, err)
+	assert.Check(t, is.Nil(swarmSpec))
+
+	swarmSpec, err = convertCredentialSpec(composetypes.CredentialSpecConfig{
+		File: "/foo",
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(swarmSpec.File, "/foo"))
+	assert.Check(t, is.Equal(swarmSpec.Registry, ""))
+
+	swarmSpec, err = convertCredentialSpec(composetypes.CredentialSpecConfig{
+		Registry: "foo",
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(swarmSpec.File, ""))
+	assert.Check(t, is.Equal(swarmSpec.Registry, "foo"))
+
+	swarmSpec, err = convertCredentialSpec(composetypes.CredentialSpecConfig{
+		File:     "/asdf",
+		Registry: "foo",
+	})
+	assert.Check(t, is.ErrorContains(err, ""))
+	assert.Check(t, is.Nil(swarmSpec))
+}
+
+func TestConvertUpdateConfigOrder(t *testing.T) {
+	// test default behavior
+	updateConfig := convertUpdateConfig(&composetypes.UpdateConfig{})
+	assert.Check(t, is.Equal("", updateConfig.Order))
+
+	// test start-first
+	updateConfig = convertUpdateConfig(&composetypes.UpdateConfig{
+		Order: "start-first",
+	})
+	assert.Check(t, is.Equal(updateConfig.Order, "start-first"))
+
+	// test stop-first
+	updateConfig = convertUpdateConfig(&composetypes.UpdateConfig{
+		Order: "stop-first",
+	})
+	assert.Check(t, is.Equal(updateConfig.Order, "stop-first"))
+}
+
+func TestConvertFileObject(t *testing.T) {
+	namespace := NewNamespace("testing")
+	config := composetypes.FileReferenceConfig{
+		Source: "source",
+		Target: "target",
+		UID:    "user",
+		GID:    "group",
+		Mode:   uint32Ptr(0644),
+	}
+	swarmRef, err := convertFileObject(namespace, config, lookupConfig)
+	assert.NilError(t, err)
+
+	expected := swarmReferenceObject{
+		Name: "testing_source",
+		File: swarmReferenceTarget{
+			Name: config.Target,
+			UID:  config.UID,
+			GID:  config.GID,
+			Mode: os.FileMode(0644),
+		},
+	}
+	assert.Check(t, is.DeepEqual(expected, swarmRef))
+}
+
+func lookupConfig(key string) (composetypes.FileObjectConfig, error) {
+	if key != "source" {
+		return composetypes.FileObjectConfig{}, errors.New("bad key")
+	}
+	return composetypes.FileObjectConfig{}, nil
+}
+
+func TestConvertFileObjectDefaults(t *testing.T) {
+	namespace := NewNamespace("testing")
+	config := composetypes.FileReferenceConfig{Source: "source"}
+	swarmRef, err := convertFileObject(namespace, config, lookupConfig)
+	assert.NilError(t, err)
+
+	expected := swarmReferenceObject{
+		Name: "testing_source",
+		File: swarmReferenceTarget{
+			Name: config.Source,
+			UID:  "0",
+			GID:  "0",
+			Mode: os.FileMode(0444),
+		},
+	}
+	assert.Check(t, is.DeepEqual(expected, swarmRef))
+}
+
+func TestServiceConvertsIsolation(t *testing.T) {
+	src := composetypes.ServiceConfig{
+		Isolation: "hyperv",
+	}
+	result, err := Service("1.35", Namespace{name: "foo"}, src, nil, nil, nil, nil)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(container.IsolationHyperV, result.TaskTemplate.ContainerSpec.Isolation))
+}
+
+func TestConvertServiceSecrets(t *testing.T) {
+	namespace := Namespace{name: "foo"}
+	secrets := []composetypes.ServiceSecretConfig{
+		{Source: "foo_secret"},
+		{Source: "bar_secret"},
+	}
+	secretSpecs := map[string]composetypes.SecretConfig{
+		"foo_secret": {
+			Name: "foo_secret",
+		},
+		"bar_secret": {
+			Name: "bar_secret",
+		},
+	}
+	client := &fakeClient{
+		secretListFunc: func(opts types.SecretListOptions) ([]swarm.Secret, error) {
+			assert.Check(t, is.Contains(opts.Filters.Get("name"), "foo_secret"))
+			assert.Check(t, is.Contains(opts.Filters.Get("name"), "bar_secret"))
+			return []swarm.Secret{
+				{Spec: swarm.SecretSpec{Annotations: swarm.Annotations{Name: "foo_secret"}}},
+				{Spec: swarm.SecretSpec{Annotations: swarm.Annotations{Name: "bar_secret"}}},
+			}, nil
+		},
+	}
+	refs, err := convertServiceSecrets(client, namespace, secrets, secretSpecs)
+	assert.NilError(t, err)
+	expected := []*swarm.SecretReference{
+		{
+			SecretName: "bar_secret",
+			File: &swarm.SecretReferenceFileTarget{
+				Name: "bar_secret",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0444,
+			},
+		},
+		{
+			SecretName: "foo_secret",
+			File: &swarm.SecretReferenceFileTarget{
+				Name: "foo_secret",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0444,
+			},
+		},
+	}
+	assert.DeepEqual(t, expected, refs)
+}
+
+func TestConvertServiceConfigs(t *testing.T) {
+	namespace := Namespace{name: "foo"}
+	configs := []composetypes.ServiceConfigObjConfig{
+		{Source: "foo_config"},
+		{Source: "bar_config"},
+	}
+	configSpecs := map[string]composetypes.ConfigObjConfig{
+		"foo_config": {
+			Name: "foo_config",
+		},
+		"bar_config": {
+			Name: "bar_config",
+		},
+	}
+	client := &fakeClient{
+		configListFunc: func(opts types.ConfigListOptions) ([]swarm.Config, error) {
+			assert.Check(t, is.Contains(opts.Filters.Get("name"), "foo_config"))
+			assert.Check(t, is.Contains(opts.Filters.Get("name"), "bar_config"))
+			return []swarm.Config{
+				{Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "foo_config"}}},
+				{Spec: swarm.ConfigSpec{Annotations: swarm.Annotations{Name: "bar_config"}}},
+			}, nil
+		},
+	}
+	refs, err := convertServiceConfigObjs(client, namespace, configs, configSpecs)
+	assert.NilError(t, err)
+	expected := []*swarm.ConfigReference{
+		{
+			ConfigName: "bar_config",
+			File: &swarm.ConfigReferenceFileTarget{
+				Name: "bar_config",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0444,
+			},
+		},
+		{
+			ConfigName: "foo_config",
+			File: &swarm.ConfigReferenceFileTarget{
+				Name: "foo_config",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0444,
+			},
+		},
+	}
+	assert.DeepEqual(t, expected, refs)
+}
+
+type fakeClient struct {
+	client.Client
+	secretListFunc func(types.SecretListOptions) ([]swarm.Secret, error)
+	configListFunc func(types.ConfigListOptions) ([]swarm.Config, error)
+}
+
+func (c *fakeClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+	if c.secretListFunc != nil {
+		return c.secretListFunc(options)
+	}
+	return []swarm.Secret{}, nil
+}
+
+func (c *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+	if c.configListFunc != nil {
+		return c.configListFunc(options)
+	}
+	return []swarm.Config{}, nil
+}
+
+func TestConvertUpdateConfigParallelism(t *testing.T) {
+	parallel := uint64(4)
+
+	// test default behavior
+	updateConfig := convertUpdateConfig(&composetypes.UpdateConfig{})
+	assert.Check(t, is.Equal(uint64(1), updateConfig.Parallelism))
+
+	// Non default value
+	updateConfig = convertUpdateConfig(&composetypes.UpdateConfig{
+		Parallelism: &parallel,
+	})
+	assert.Check(t, is.Equal(parallel, updateConfig.Parallelism))
+}
diff --git a/cli/cli/compose/convert/volume.go b/cli/cli/compose/convert/volume.go
new file mode 100644
index 00000000..38806d29
--- /dev/null
+++ b/cli/cli/compose/convert/volume.go
@@ -0,0 +1,140 @@
+package convert
+
+import (
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/pkg/errors"
+)
+
+type volumes map[string]composetypes.VolumeConfig
+
+// Volumes from compose-file types to engine api types
+func Volumes(serviceVolumes []composetypes.ServiceVolumeConfig, stackVolumes volumes, namespace Namespace) ([]mount.Mount, error) {
+	var mounts []mount.Mount
+
+	for _, volumeConfig := range serviceVolumes {
+		mount, err := convertVolumeToMount(volumeConfig, stackVolumes, namespace)
+		if err != nil {
+			return nil, err
+		}
+		mounts = append(mounts, mount)
+	}
+	return mounts, nil
+}
+
+func createMountFromVolume(volume composetypes.ServiceVolumeConfig) mount.Mount {
+	return mount.Mount{
+		Type:        mount.Type(volume.Type),
+		Target:      volume.Target,
+		ReadOnly:    volume.ReadOnly,
+		Source:      volume.Source,
+		Consistency: mount.Consistency(volume.Consistency),
+	}
+}
+
+func handleVolumeToMount(
+	volume composetypes.ServiceVolumeConfig,
+	stackVolumes volumes,
+	namespace Namespace,
+) (mount.Mount, error) {
+	result := createMountFromVolume(volume)
+
+	if volume.Tmpfs != nil {
+		return mount.Mount{}, errors.New("tmpfs options are incompatible with type volume")
+	}
+	if volume.Bind != nil {
+		return mount.Mount{}, errors.New("bind options are incompatible with type volume")
+	}
+	// Anonymous volumes
+	if volume.Source == "" {
+		return result, nil
+	}
+
+	stackVolume, exists := stackVolumes[volume.Source]
+	if !exists {
+		return mount.Mount{}, errors.Errorf("undefined volume %q", volume.Source)
+	}
+
+	result.Source = namespace.Scope(volume.Source)
+	result.VolumeOptions = &mount.VolumeOptions{}
+
+	if volume.Volume != nil {
+		result.VolumeOptions.NoCopy = volume.Volume.NoCopy
+	}
+
+	if stackVolume.Name != "" {
+		result.Source = stackVolume.Name
+	}
+
+	// External named volumes
+	if stackVolume.External.External {
+		return result, nil
+	}
+
+	result.VolumeOptions.Labels = AddStackLabel(namespace, stackVolume.Labels)
+	if stackVolume.Driver != "" || stackVolume.DriverOpts != nil {
+		result.VolumeOptions.DriverConfig = &mount.Driver{
+			Name:    stackVolume.Driver,
+			Options: stackVolume.DriverOpts,
+		}
+	}
+
+	return result, nil
+}
+
+func handleBindToMount(volume composetypes.ServiceVolumeConfig) (mount.Mount, error) {
+	result := createMountFromVolume(volume)
+
+	if volume.Source == "" {
+		return mount.Mount{}, errors.New("invalid bind source, source cannot be empty")
+	}
+	if volume.Volume != nil {
+		return mount.Mount{}, errors.New("volume options are incompatible with type bind")
+	}
+	if volume.Tmpfs != nil {
+		return mount.Mount{}, errors.New("tmpfs options are incompatible with type bind")
+	}
+	if volume.Bind != nil {
+		result.BindOptions = &mount.BindOptions{
+			Propagation: mount.Propagation(volume.Bind.Propagation),
+		}
+	}
+	return result, nil
+}
+
+func handleTmpfsToMount(volume composetypes.ServiceVolumeConfig) (mount.Mount, error) {
+	result := createMountFromVolume(volume)
+
+	if volume.Source != "" {
+		return mount.Mount{}, errors.New("invalid tmpfs source, source must be empty")
+	}
+	if volume.Bind != nil {
+		return mount.Mount{}, errors.New("bind options are incompatible with type tmpfs")
+	}
+	if volume.Volume != nil {
+		return mount.Mount{}, errors.New("volume options are incompatible with type tmpfs")
+	}
+	if volume.Tmpfs != nil {
+		result.TmpfsOptions = &mount.TmpfsOptions{
+			SizeBytes: volume.Tmpfs.Size,
+		}
+	}
+	return result, nil
+}
+
+func convertVolumeToMount(
+	volume composetypes.ServiceVolumeConfig,
+	stackVolumes volumes,
+	namespace Namespace,
+) (mount.Mount, error) {
+
+	switch volume.Type {
+	case "volume", "":
+		return handleVolumeToMount(volume, stackVolumes, namespace)
+	case "bind":
+		return handleBindToMount(volume)
+	case "tmpfs":
+		return handleTmpfsToMount(volume)
+	}
+	return mount.Mount{}, errors.New("volume type must be volume, bind, or tmpfs")
+}
diff --git a/cli/cli/compose/convert/volume_test.go b/cli/cli/compose/convert/volume_test.go
new file mode 100644
index 00000000..d29c3b6d
--- /dev/null
+++ b/cli/cli/compose/convert/volume_test.go
@@ -0,0 +1,345 @@
+package convert
+
+import (
+	"testing"
+
+	composetypes "github.com/docker/cli/cli/compose/types"
+	"github.com/docker/docker/api/types/mount"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestConvertVolumeToMountAnonymousVolume(t *testing.T) {
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "volume",
+		Target: "/foo/bar",
+	}
+	expected := mount.Mount{
+		Type:   mount.TypeVolume,
+		Target: "/foo/bar",
+	}
+	mount, err := convertVolumeToMount(config, volumes{}, NewNamespace("foo"))
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, mount))
+}
+
+func TestConvertVolumeToMountAnonymousBind(t *testing.T) {
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "bind",
+		Target: "/foo/bar",
+		Bind: &composetypes.ServiceVolumeBind{
+			Propagation: "slave",
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, NewNamespace("foo"))
+	assert.Error(t, err, "invalid bind source, source cannot be empty")
+}
+
+func TestConvertVolumeToMountUnapprovedType(t *testing.T) {
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "foo",
+		Target: "/foo/bar",
+	}
+	_, err := convertVolumeToMount(config, volumes{}, NewNamespace("foo"))
+	assert.Error(t, err, "volume type must be volume, bind, or tmpfs")
+}
+
+func TestConvertVolumeToMountConflictingOptionsBindInVolume(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "volume",
+		Source: "foo",
+		Target: "/target",
+		Bind: &composetypes.ServiceVolumeBind{
+			Propagation: "slave",
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "bind options are incompatible with type volume")
+}
+
+func TestConvertVolumeToMountConflictingOptionsTmpfsInVolume(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "volume",
+		Source: "foo",
+		Target: "/target",
+		Tmpfs: &composetypes.ServiceVolumeTmpfs{
+			Size: 1000,
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "tmpfs options are incompatible with type volume")
+}
+
+func TestConvertVolumeToMountConflictingOptionsVolumeInBind(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "bind",
+		Source: "/foo",
+		Target: "/target",
+		Volume: &composetypes.ServiceVolumeVolume{
+			NoCopy: true,
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "volume options are incompatible with type bind")
+}
+
+func TestConvertVolumeToMountConflictingOptionsTmpfsInBind(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "bind",
+		Source: "/foo",
+		Target: "/target",
+		Tmpfs: &composetypes.ServiceVolumeTmpfs{
+			Size: 1000,
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "tmpfs options are incompatible with type bind")
+}
+
+func TestConvertVolumeToMountConflictingOptionsBindInTmpfs(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "tmpfs",
+		Target: "/target",
+		Bind: &composetypes.ServiceVolumeBind{
+			Propagation: "slave",
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "bind options are incompatible with type tmpfs")
+}
+
+func TestConvertVolumeToMountConflictingOptionsVolumeInTmpfs(t *testing.T) {
+	namespace := NewNamespace("foo")
+
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "tmpfs",
+		Target: "/target",
+		Volume: &composetypes.ServiceVolumeVolume{
+			NoCopy: true,
+		},
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "volume options are incompatible with type tmpfs")
+}
+
+func TestConvertVolumeToMountNamedVolume(t *testing.T) {
+	stackVolumes := volumes{
+		"normal": composetypes.VolumeConfig{
+			Driver: "glusterfs",
+			DriverOpts: map[string]string{
+				"opt": "value",
+			},
+			Labels: map[string]string{
+				"something": "labeled",
+			},
+		},
+	}
+	namespace := NewNamespace("foo")
+	expected := mount.Mount{
+		Type:     mount.TypeVolume,
+		Source:   "foo_normal",
+		Target:   "/foo",
+		ReadOnly: true,
+		VolumeOptions: &mount.VolumeOptions{
+			Labels: map[string]string{
+				LabelNamespace: "foo",
+				"something":    "labeled",
+			},
+			DriverConfig: &mount.Driver{
+				Name: "glusterfs",
+				Options: map[string]string{
+					"opt": "value",
+				},
+			},
+			NoCopy: true,
+		},
+	}
+	config := composetypes.ServiceVolumeConfig{
+		Type:     "volume",
+		Source:   "normal",
+		Target:   "/foo",
+		ReadOnly: true,
+		Volume: &composetypes.ServiceVolumeVolume{
+			NoCopy: true,
+		},
+	}
+	mount, err := convertVolumeToMount(config, stackVolumes, namespace)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, mount))
+}
+
+func TestConvertVolumeToMountNamedVolumeWithNameCustomizd(t *testing.T) {
+	stackVolumes := volumes{
+		"normal": composetypes.VolumeConfig{
+			Name:   "user_specified_name",
+			Driver: "vsphere",
+			DriverOpts: map[string]string{
+				"opt": "value",
+			},
+			Labels: map[string]string{
+				"something": "labeled",
+			},
+		},
+	}
+	namespace := NewNamespace("foo")
+	expected := mount.Mount{
+		Type:     mount.TypeVolume,
+		Source:   "user_specified_name",
+		Target:   "/foo",
+		ReadOnly: true,
+		VolumeOptions: &mount.VolumeOptions{
+			Labels: map[string]string{
+				LabelNamespace: "foo",
+				"something":    "labeled",
+			},
+			DriverConfig: &mount.Driver{
+				Name: "vsphere",
+				Options: map[string]string{
+					"opt": "value",
+				},
+			},
+			NoCopy: true,
+		},
+	}
+	config := composetypes.ServiceVolumeConfig{
+		Type:     "volume",
+		Source:   "normal",
+		Target:   "/foo",
+		ReadOnly: true,
+		Volume: &composetypes.ServiceVolumeVolume{
+			NoCopy: true,
+		},
+	}
+	mount, err := convertVolumeToMount(config, stackVolumes, namespace)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, mount))
+}
+
+func TestConvertVolumeToMountNamedVolumeExternal(t *testing.T) {
+	stackVolumes := volumes{
+		"outside": composetypes.VolumeConfig{
+			Name:     "special",
+			External: composetypes.External{External: true},
+		},
+	}
+	namespace := NewNamespace("foo")
+	expected := mount.Mount{
+		Type:          mount.TypeVolume,
+		Source:        "special",
+		Target:        "/foo",
+		VolumeOptions: &mount.VolumeOptions{NoCopy: false},
+	}
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "volume",
+		Source: "outside",
+		Target: "/foo",
+	}
+	mount, err := convertVolumeToMount(config, stackVolumes, namespace)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, mount))
+}
+
+func TestConvertVolumeToMountNamedVolumeExternalNoCopy(t *testing.T) {
+	stackVolumes := volumes{
+		"outside": composetypes.VolumeConfig{
+			Name:     "special",
+			External: composetypes.External{External: true},
+		},
+	}
+	namespace := NewNamespace("foo")
+	expected := mount.Mount{
+		Type:   mount.TypeVolume,
+		Source: "special",
+		Target: "/foo",
+		VolumeOptions: &mount.VolumeOptions{
+			NoCopy: true,
+		},
+	}
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "volume",
+		Source: "outside",
+		Target: "/foo",
+		Volume: &composetypes.ServiceVolumeVolume{
+			NoCopy: true,
+		},
+	}
+	mount, err := convertVolumeToMount(config, stackVolumes, namespace)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, mount))
+}
+
+func TestConvertVolumeToMountBind(t *testing.T) {
+	stackVolumes := volumes{}
+	namespace := NewNamespace("foo")
+	expected := mount.Mount{
+		Type:        mount.TypeBind,
+		Source:      "/bar",
+		Target:      "/foo",
+		ReadOnly:    true,
+		BindOptions: &mount.BindOptions{Propagation: mount.PropagationShared},
+	}
+	config := composetypes.ServiceVolumeConfig{
+		Type:     "bind",
+		Source:   "/bar",
+		Target:   "/foo",
+		ReadOnly: true,
+		Bind:     &composetypes.ServiceVolumeBind{Propagation: "shared"},
+	}
+	mount, err := convertVolumeToMount(config, stackVolumes, namespace)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, mount))
+}
+
+func TestConvertVolumeToMountVolumeDoesNotExist(t *testing.T) {
+	namespace := NewNamespace("foo")
+	config := composetypes.ServiceVolumeConfig{
+		Type:     "volume",
+		Source:   "unknown",
+		Target:   "/foo",
+		ReadOnly: true,
+	}
+	_, err := convertVolumeToMount(config, volumes{}, namespace)
+	assert.Error(t, err, "undefined volume \"unknown\"")
+}
+
+func TestConvertTmpfsToMountVolume(t *testing.T) {
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "tmpfs",
+		Target: "/foo/bar",
+		Tmpfs: &composetypes.ServiceVolumeTmpfs{
+			Size: 1000,
+		},
+	}
+	expected := mount.Mount{
+		Type:         mount.TypeTmpfs,
+		Target:       "/foo/bar",
+		TmpfsOptions: &mount.TmpfsOptions{SizeBytes: 1000},
+	}
+	mount, err := convertVolumeToMount(config, volumes{}, NewNamespace("foo"))
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, mount))
+}
+
+func TestConvertTmpfsToMountVolumeWithSource(t *testing.T) {
+	config := composetypes.ServiceVolumeConfig{
+		Type:   "tmpfs",
+		Source: "/bar",
+		Target: "/foo/bar",
+		Tmpfs: &composetypes.ServiceVolumeTmpfs{
+			Size: 1000,
+		},
+	}
+
+	_, err := convertVolumeToMount(config, volumes{}, NewNamespace("foo"))
+	assert.Error(t, err, "invalid tmpfs source, source must be empty")
+}
diff --git a/cli/cli/compose/interpolation/interpolation.go b/cli/cli/compose/interpolation/interpolation.go
new file mode 100644
index 00000000..d4f5c4a4
--- /dev/null
+++ b/cli/cli/compose/interpolation/interpolation.go
@@ -0,0 +1,163 @@
+package interpolation
+
+import (
+	"os"
+	"strings"
+
+	"github.com/docker/cli/cli/compose/template"
+	"github.com/pkg/errors"
+)
+
+// Options supported by Interpolate
+type Options struct {
+	// LookupValue from a key
+	LookupValue LookupValue
+	// TypeCastMapping maps key paths to functions to cast to a type
+	TypeCastMapping map[Path]Cast
+	// Substitution function to use
+	Substitute func(string, template.Mapping) (string, error)
+}
+
+// LookupValue is a function which maps from variable names to values.
+// Returns the value as a string and a bool indicating whether
+// the value is present, to distinguish between an empty string
+// and the absence of a value.
+type LookupValue func(key string) (string, bool)
+
+// Cast a value to a new type, or return an error if the value can't be cast
+type Cast func(value string) (interface{}, error)
+
+// Interpolate replaces variables in a string with the values from a mapping
+func Interpolate(config map[string]interface{}, opts Options) (map[string]interface{}, error) {
+	if opts.LookupValue == nil {
+		opts.LookupValue = os.LookupEnv
+	}
+	if opts.TypeCastMapping == nil {
+		opts.TypeCastMapping = make(map[Path]Cast)
+	}
+	if opts.Substitute == nil {
+		opts.Substitute = template.Substitute
+	}
+
+	out := map[string]interface{}{}
+
+	for key, value := range config {
+		interpolatedValue, err := recursiveInterpolate(value, NewPath(key), opts)
+		if err != nil {
+			return out, err
+		}
+		out[key] = interpolatedValue
+	}
+
+	return out, nil
+}
+
+func recursiveInterpolate(value interface{}, path Path, opts Options) (interface{}, error) {
+	switch value := value.(type) {
+
+	case string:
+		newValue, err := opts.Substitute(value, template.Mapping(opts.LookupValue))
+		if err != nil || newValue == value {
+			return value, newPathError(path, err)
+		}
+		caster, ok := opts.getCasterForPath(path)
+		if !ok {
+			return newValue, nil
+		}
+		casted, err := caster(newValue)
+		return casted, newPathError(path, errors.Wrap(err, "failed to cast to expected type"))
+
+	case map[string]interface{}:
+		out := map[string]interface{}{}
+		for key, elem := range value {
+			interpolatedElem, err := recursiveInterpolate(elem, path.Next(key), opts)
+			if err != nil {
+				return nil, err
+			}
+			out[key] = interpolatedElem
+		}
+		return out, nil
+
+	case []interface{}:
+		out := make([]interface{}, len(value))
+		for i, elem := range value {
+			interpolatedElem, err := recursiveInterpolate(elem, path.Next(PathMatchList), opts)
+			if err != nil {
+				return nil, err
+			}
+			out[i] = interpolatedElem
+		}
+		return out, nil
+
+	default:
+		return value, nil
+
+	}
+}
+
+func newPathError(path Path, err error) error {
+	switch err := err.(type) {
+	case nil:
+		return nil
+	case *template.InvalidTemplateError:
+		return errors.Errorf(
+			"invalid interpolation format for %s: %#v. You may need to escape any $ with another $.",
+			path, err.Template)
+	default:
+		return errors.Wrapf(err, "error while interpolating %s", path)
+	}
+}
+
+const pathSeparator = "."
+
+// PathMatchAll is a token used as part of a Path to match any key at that level
+// in the nested structure
+const PathMatchAll = "*"
+
+// PathMatchList is a token used as part of a Path to match items in a list
+const PathMatchList = "[]"
+
+// Path is a dotted path of keys to a value in a nested mapping structure. A *
+// section in a path will match any key in the mapping structure.
+type Path string
+
+// NewPath returns a new Path
+func NewPath(items ...string) Path {
+	return Path(strings.Join(items, pathSeparator))
+}
+
+// Next returns a new path by append part to the current path
+func (p Path) Next(part string) Path {
+	return Path(string(p) + pathSeparator + part)
+}
+
+func (p Path) parts() []string {
+	return strings.Split(string(p), pathSeparator)
+}
+
+func (p Path) matches(pattern Path) bool {
+	patternParts := pattern.parts()
+	parts := p.parts()
+
+	if len(patternParts) != len(parts) {
+		return false
+	}
+	for index, part := range parts {
+		switch patternParts[index] {
+		case PathMatchAll, part:
+			continue
+		default:
+			return false
+		}
+	}
+	return true
+}
+
+func (o Options) getCasterForPath(path Path) (Cast, bool) {
+	for pattern, caster := range o.TypeCastMapping {
+		if path.matches(pattern) {
+			return caster, true
+		}
+	}
+	return nil, false
+}
diff --git a/cli/cli/compose/interpolation/interpolation_test.go b/cli/cli/compose/interpolation/interpolation_test.go
new file mode 100644
index 00000000..3e76642a
--- /dev/null
+++ b/cli/cli/compose/interpolation/interpolation_test.go
@@ -0,0 +1,147 @@
+package interpolation
+
+import (
+	"testing"
+
+	"strconv"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/env"
+)
+
+var defaults = map[string]string{
+	"USER":  "jenny",
+	"FOO":   "bar",
+	"count": "5",
+}
+
+func defaultMapping(name string) (string, bool) {
+	val, ok := defaults[name]
+	return val, ok
+}
+
+func TestInterpolate(t *testing.T) {
+	services := map[string]interface{}{
+		"servicea": map[string]interface{}{
+			"image":   "example:${USER}",
+			"volumes": []interface{}{"$FOO:/target"},
+			"logging": map[string]interface{}{
+				"driver": "${FOO}",
+				"options": map[string]interface{}{
+					"user": "$USER",
+				},
+			},
+		},
+	}
+	expected := map[string]interface{}{
+		"servicea": map[string]interface{}{
+			"image":   "example:jenny",
+			"volumes": []interface{}{"bar:/target"},
+			"logging": map[string]interface{}{
+				"driver": "bar",
+				"options": map[string]interface{}{
+					"user": "jenny",
+				},
+			},
+		},
+	}
+	result, err := Interpolate(services, Options{LookupValue: defaultMapping})
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, result))
+}
+
+func TestInvalidInterpolation(t *testing.T) {
+	services := map[string]interface{}{
+		"servicea": map[string]interface{}{
+			"image": "${",
+		},
+	}
+	_, err := Interpolate(services, Options{LookupValue: defaultMapping})
+	assert.Error(t, err, `invalid interpolation format for servicea.image: "${". You may need to escape any $ with another $.`)
+}
+
+func TestInterpolateWithDefaults(t *testing.T) {
+	defer env.Patch(t, "FOO", "BARZ")()
+
+	config := map[string]interface{}{
+		"networks": map[string]interface{}{
+			"foo": "thing_${FOO}",
+		},
+	}
+	expected := map[string]interface{}{
+		"networks": map[string]interface{}{
+			"foo": "thing_BARZ",
+		},
+	}
+	result, err := Interpolate(config, Options{})
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, result))
+}
+
+func TestInterpolateWithCast(t *testing.T) {
+	config := map[string]interface{}{
+		"foo": map[string]interface{}{
+			"replicas": "$count",
+		},
+	}
+	toInt := func(value string) (interface{}, error) {
+		return strconv.Atoi(value)
+	}
+	result, err := Interpolate(config, Options{
+		LookupValue:     defaultMapping,
+		TypeCastMapping: map[Path]Cast{NewPath(PathMatchAll, "replicas"): toInt},
+	})
+	assert.NilError(t, err)
+	expected := map[string]interface{}{
+		"foo": map[string]interface{}{
+			"replicas": 5,
+		},
+	}
+	assert.Check(t, is.DeepEqual(expected, result))
+}
+
+func TestPathMatches(t *testing.T) {
+	var testcases = []struct {
+		doc      string
+		path     Path
+		pattern  Path
+		expected bool
+	}{
+		{
+			doc:     "pattern too short",
+			path:    NewPath("one", "two", "three"),
+			pattern: NewPath("one", "two"),
+		},
+		{
+			doc:     "pattern too long",
+			path:    NewPath("one", "two"),
+			pattern: NewPath("one", "two", "three"),
+		},
+		{
+			doc:     "pattern mismatch",
+			path:    NewPath("one", "three", "two"),
+			pattern: NewPath("one", "two", "three"),
+		},
+		{
+			doc:     "pattern mismatch with match-all part",
+			path:    NewPath("one", "three", "two"),
+			pattern: NewPath(PathMatchAll, "two", "three"),
+		},
+		{
+			doc:      "pattern match with match-all part",
+			path:     NewPath("one", "two", "three"),
+			pattern:  NewPath("one", "*", "three"),
+			expected: true,
+		},
+		{
+			doc:      "pattern match",
+			path:     NewPath("one", "two", "three"),
+			pattern:  NewPath("one", "two", "three"),
+			expected: true,
+		},
+	}
+	for _, testcase := range testcases {
+		assert.Check(t, is.Equal(testcase.expected, testcase.path.matches(testcase.pattern)))
+	}
+}
diff --git a/cli/cli/compose/loader/example1.env b/cli/cli/compose/loader/example1.env
new file mode 100644
index 00000000..f19ec0df
--- /dev/null
+++ b/cli/cli/compose/loader/example1.env
@@ -0,0 +1,8 @@
+# passed through
+FOO=foo_from_env_file
+
+# overridden in example2.env
+BAR=bar_from_env_file
+
+# overridden in full-example.yml
+BAZ=baz_from_env_file
diff --git a/cli/cli/compose/loader/example2.env b/cli/cli/compose/loader/example2.env
new file mode 100644
index 00000000..f47d1e61
--- /dev/null
+++ b/cli/cli/compose/loader/example2.env
@@ -0,0 +1,4 @@
+BAR=bar_from_env_file_2
+
+# overridden in configDetails.Environment
+QUX=quz_from_env_file_2
diff --git a/cli/cli/compose/loader/full-example.yml b/cli/cli/compose/loader/full-example.yml
new file mode 100644
index 00000000..2dd5799a
--- /dev/null
+++ b/cli/cli/compose/loader/full-example.yml
@@ -0,0 +1,404 @@
+version: "3.7"
+
+services:
+  foo:
+
+    build:
+      context: ./dir
+      dockerfile: Dockerfile
+      args:
+        foo: bar
+      target: foo
+      network: foo
+      cache_from:
+        - foo
+        - bar
+      labels: [FOO=BAR]
+
+
+    cap_add:
+      - ALL
+
+    cap_drop:
+      - NET_ADMIN
+      - SYS_ADMIN
+
+    cgroup_parent: m-executor-abcd
+
+    # String or list
+    command: bundle exec thin -p 3000
+    # command: ["bundle", "exec", "thin", "-p", "3000"]
+
+    configs:
+      - config1
+      - source: config2
+        target: /my_config
+        uid: '103'
+        gid: '103'
+        mode: 0440
+
+    container_name: my-web-container
+
+    depends_on:
+      - db
+      - redis
+
+    deploy:
+      mode: replicated
+      replicas: 6
+      labels: [FOO=BAR]
+      rollback_config:
+        parallelism: 3
+        delay: 10s
+        failure_action: continue
+        monitor: 60s
+        max_failure_ratio: 0.3
+        order: start-first
+      update_config:
+        parallelism: 3
+        delay: 10s
+        failure_action: continue
+        monitor: 60s
+        max_failure_ratio: 0.3
+        order: start-first
+      resources:
+        limits:
+          cpus: '0.001'
+          memory: 50M
+        reservations:
+          cpus: '0.0001'
+          memory: 20M
+          generic_resources:
+            - discrete_resource_spec:
+                kind: 'gpu'
+                value: 2
+            - discrete_resource_spec:
+                kind: 'ssd'
+                value: 1
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+        window: 120s
+      placement:
+        constraints: [node=foo]
+        preferences:
+          - spread: node.labels.az
+      endpoint_mode: dnsrr
+
+    devices:
+      - "/dev/ttyUSB0:/dev/ttyUSB0"
+
+    # String or list
+    # dns: 8.8.8.8
+    dns:
+      - 8.8.8.8
+      - 9.9.9.9
+
+    # String or list
+    # dns_search: example.com
+    dns_search:
+      - dc1.example.com
+      - dc2.example.com
+
+    domainname: foo.com
+
+    # String or list
+    # entrypoint: /code/entrypoint.sh -p 3000
+    entrypoint: ["/code/entrypoint.sh", "-p", "3000"]
+
+    # String or list
+    # env_file: .env
+    env_file:
+      - ./example1.env
+      - ./example2.env
+
+    # Mapping or list
+    # Mapping values can be strings, numbers or null
+    # Booleans are not allowed - must be quoted
+    environment:
+      BAZ: baz_from_service_def
+      QUX:
+    # environment:
+    #   - RACK_ENV=development
+    #   - SHOW=true
+    #   - SESSION_SECRET
+
+    # Items can be strings or numbers
+    expose:
+     - "3000"
+     - 8000
+
+    external_links:
+      - redis_1
+      - project_db_1:mysql
+      - project_db_1:postgresql
+
+    # Mapping or list
+    # Mapping values must be strings
+    # extra_hosts:
+    #   somehost: "162.242.195.82"
+    #   otherhost: "50.31.209.229"
+    extra_hosts:
+      - "somehost:162.242.195.82"
+      - "otherhost:50.31.209.229"
+
+    hostname: foo
+
+    healthcheck:
+      test: echo "hello world"
+      interval: 10s
+      timeout: 1s
+      retries: 5
+      start_period: 15s
+
+    # Any valid image reference - repo, tag, id, sha
+    image: redis
+    # image: ubuntu:14.04
+    # image: tutum/influxdb
+    # image: example-registry.com:4000/postgresql
+    # image: a4bc65fd
+    # image: busybox@sha256:38a203e1986cf79639cfb9b2e1d6e773de84002feea2d4eb006b52004ee8502d
+
+    ipc: host
+
+    # Mapping or list
+    # Mapping values can be strings, numbers or null
+    labels:
+      com.example.description: "Accounting webapp"
+      com.example.number: 42
+      com.example.empty-label:
+    # labels:
+    #   - "com.example.description=Accounting webapp"
+    #   - "com.example.number=42"
+    #   - "com.example.empty-label"
+
+    links:
+     - db
+     - db:database
+     - redis
+
+    logging:
+      driver: syslog
+      options:
+        syslog-address: "tcp://192.168.0.42:123"
+
+    mac_address: 02:42:ac:11:65:43
+
+    # network_mode: "bridge"
+    # network_mode: "host"
+    # network_mode: "none"
+    # Use the network mode of an arbitrary container from another service
+    # network_mode: "service:db"
+    # Use the network mode of another container, specified by name or id
+    # network_mode: "container:some-container"
+    network_mode: "container:0cfeab0f748b9a743dc3da582046357c6ef497631c1a016d28d2bf9b4f899f7b"
+
+    networks:
+      some-network:
+        aliases:
+         - alias1
+         - alias3
+      other-network:
+        ipv4_address: 172.16.238.10
+        ipv6_address: 2001:3984:3989::10
+      other-other-network:
+
+    pid: "host"
+
+    ports:
+      - 3000
+      - "3001-3005"
+      - "8000:8000"
+      - "9090-9091:8080-8081"
+      - "49100:22"
+      - "127.0.0.1:8001:8001"
+      - "127.0.0.1:5000-5010:5000-5010"
+
+    privileged: true
+
+    read_only: true
+
+    restart: always
+
+    secrets:
+      - secret1
+      - source: secret2
+        target: my_secret
+        uid: '103'
+        gid: '103'
+        mode: 0440
+
+    security_opt:
+      - label=level:s0:c100,c200
+      - label=type:svirt_apache_t
+
+    stdin_open: true
+
+    stop_grace_period: 20s
+
+    stop_signal: SIGUSR1
+
+    # String or list
+    # tmpfs: /run
+    tmpfs:
+      - /run
+      - /tmp
+
+    tty: true
+
+    ulimits:
+      # Single number or mapping with soft + hard limits
+      nproc: 65535
+      nofile:
+        soft: 20000
+        hard: 40000
+
+    user: someone
+
+    volumes:
+      # Just specify a path and let the Engine create a volume
+      - /var/lib/mysql
+      # Specify an absolute path mapping
+      - /opt/data:/var/lib/mysql
+      # Path on the host, relative to the Compose file
+      - .:/code
+      - ./static:/var/www/html
+      # User-relative path
+      - ~/configs:/etc/configs/:ro
+      # Named volume
+      - datavolume:/var/lib/mysql
+      - type: bind
+        source: ./opt
+        target: /opt
+        consistency: cached
+      - type: tmpfs
+        target: /opt
+        tmpfs:
+          size: 10000
+
+    working_dir: /code
+    x-bar: baz
+    x-foo: bar
+
+networks:
+  # Entries can be null, which specifies simply that a network
+  # called "{project name}_some-network" should be created and
+  # use the default driver
+  some-network:
+
+  other-network:
+    driver: overlay
+
+    driver_opts:
+      # Values can be strings or numbers
+      foo: "bar"
+      baz: 1
+
+    ipam:
+      driver: overlay
+      # driver_opts:
+      #   # Values can be strings or numbers
+      #   com.docker.network.enable_ipv6: "true"
+      #   com.docker.network.numeric_value: 1
+      config:
+      - subnet: 172.16.238.0/24
+        # gateway: 172.16.238.1
+      - subnet: 2001:3984:3989::/64
+        # gateway: 2001:3984:3989::1
+
+    labels:
+      foo: bar
+
+  external-network:
+    # Specifies that a pre-existing network called "external-network"
+    # can be referred to within this file as "external-network"
+    external: true
+
+  other-external-network:
+    # Specifies that a pre-existing network called "my-cool-network"
+    # can be referred to within this file as "other-external-network"
+    external:
+      name: my-cool-network
+    x-bar: baz
+    x-foo: bar
+
+volumes:
+  # Entries can be null, which specifies simply that a volume
+  # called "{project name}_some-volume" should be created and
+  # use the default driver
+  some-volume:
+
+  other-volume:
+    driver: flocker
+
+    driver_opts:
+      # Values can be strings or numbers
+      foo: "bar"
+      baz: 1
+    labels:
+      foo: bar
+
+  another-volume:
+    name: "user_specified_name"
+    driver: vsphere
+
+    driver_opts:
+      # Values can be strings or numbers
+      foo: "bar"
+      baz: 1
+
+  external-volume:
+    # Specifies that a pre-existing volume called "external-volume"
+    # can be referred to within this file as "external-volume"
+    external: true
+
+  other-external-volume:
+    # Specifies that a pre-existing volume called "my-cool-volume"
+    # can be referred to within this file as "other-external-volume"
+    # This example uses the deprecated "volume.external.name" (replaced by "volume.name")
+    external:
+      name: my-cool-volume
+
+  external-volume3:
+    # Specifies that a pre-existing volume called "this-is-volume3"
+    # can be referred to within this file as "external-volume3"
+    name: this-is-volume3
+    external: true
+    x-bar: baz
+    x-foo: bar
+
+configs:
+  config1:
+    file: ./config_data
+    labels:
+      foo: bar
+  config2:
+    external:
+      name: my_config
+  config3:
+    external: true
+  config4:
+    name: foo
+    x-bar: baz
+    x-foo: bar
+
+secrets:
+  secret1:
+    file: ./secret_data
+    labels:
+      foo: bar
+  secret2:
+    external:
+      name: my_secret
+  secret3:
+    external: true
+  secret4:
+    name: bar
+    x-bar: baz
+    x-foo: bar
+x-bar: baz
+x-foo: bar
+x-nested:
+  bar: baz
+  foo: bar
diff --git a/cli/cli/compose/loader/full-struct_test.go b/cli/cli/compose/loader/full-struct_test.go
new file mode 100644
index 00000000..4ee7798f
--- /dev/null
+++ b/cli/cli/compose/loader/full-struct_test.go
@@ -0,0 +1,889 @@
+package loader
+
+import (
+	"fmt"
+	"path/filepath"
+	"time"
+
+	"github.com/docker/cli/cli/compose/types"
+)
+
+func fullExampleConfig(workingDir, homeDir string) *types.Config {
+	return &types.Config{
+		Version:  "3.7",
+		Services: services(workingDir, homeDir),
+		Networks: networks(),
+		Volumes:  volumes(),
+		Configs:  configs(workingDir),
+		Secrets:  secrets(workingDir),
+		Extras: map[string]interface{}{
+			"x-foo": "bar",
+			"x-bar": "baz",
+			"x-nested": map[string]interface{}{
+				"foo": "bar",
+				"bar": "baz",
+			},
+		},
+	}
+}
+
+func services(workingDir, homeDir string) []types.ServiceConfig {
+	return []types.ServiceConfig{
+		{
+			Name: "foo",
+
+			Build: types.BuildConfig{
+				Context:    "./dir",
+				Dockerfile: "Dockerfile",
+				Args:       map[string]*string{"foo": strPtr("bar")},
+				Target:     "foo",
+				Network:    "foo",
+				CacheFrom:  []string{"foo", "bar"},
+				Labels:     map[string]string{"FOO": "BAR"},
+			},
+			CapAdd:       []string{"ALL"},
+			CapDrop:      []string{"NET_ADMIN", "SYS_ADMIN"},
+			CgroupParent: "m-executor-abcd",
+			Command:      []string{"bundle", "exec", "thin", "-p", "3000"},
+			Configs: []types.ServiceConfigObjConfig{
+				{
+					Source: "config1",
+				},
+				{
+					Source: "config2",
+					Target: "/my_config",
+					UID:    "103",
+					GID:    "103",
+					Mode:   uint32Ptr(0440),
+				},
+			},
+			ContainerName: "my-web-container",
+			DependsOn:     []string{"db", "redis"},
+			Deploy: types.DeployConfig{
+				Mode:     "replicated",
+				Replicas: uint64Ptr(6),
+				Labels:   map[string]string{"FOO": "BAR"},
+				RollbackConfig: &types.UpdateConfig{
+					Parallelism:     uint64Ptr(3),
+					Delay:           time.Duration(10 * time.Second),
+					FailureAction:   "continue",
+					Monitor:         time.Duration(60 * time.Second),
+					MaxFailureRatio: 0.3,
+					Order:           "start-first",
+				},
+				UpdateConfig: &types.UpdateConfig{
+					Parallelism:     uint64Ptr(3),
+					Delay:           time.Duration(10 * time.Second),
+					FailureAction:   "continue",
+					Monitor:         time.Duration(60 * time.Second),
+					MaxFailureRatio: 0.3,
+					Order:           "start-first",
+				},
+				Resources: types.Resources{
+					Limits: &types.Resource{
+						NanoCPUs:    "0.001",
+						MemoryBytes: 50 * 1024 * 1024,
+					},
+					Reservations: &types.Resource{
+						NanoCPUs:    "0.0001",
+						MemoryBytes: 20 * 1024 * 1024,
+						GenericResources: []types.GenericResource{
+							{
+								DiscreteResourceSpec: &types.DiscreteGenericResource{
+									Kind:  "gpu",
+									Value: 2,
+								},
+							},
+							{
+								DiscreteResourceSpec: &types.DiscreteGenericResource{
+									Kind:  "ssd",
+									Value: 1,
+								},
+							},
+						},
+					},
+				},
+				RestartPolicy: &types.RestartPolicy{
+					Condition:   "on-failure",
+					Delay:       durationPtr(5 * time.Second),
+					MaxAttempts: uint64Ptr(3),
+					Window:      durationPtr(2 * time.Minute),
+				},
+				Placement: types.Placement{
+					Constraints: []string{"node=foo"},
+					Preferences: []types.PlacementPreferences{
+						{
+							Spread: "node.labels.az",
+						},
+					},
+				},
+				EndpointMode: "dnsrr",
+			},
+			Devices:    []string{"/dev/ttyUSB0:/dev/ttyUSB0"},
+			DNS:        []string{"8.8.8.8", "9.9.9.9"},
+			DNSSearch:  []string{"dc1.example.com", "dc2.example.com"},
+			DomainName: "foo.com",
+			Entrypoint: []string{"/code/entrypoint.sh", "-p", "3000"},
+			Environment: map[string]*string{
+				"FOO": strPtr("foo_from_env_file"),
+				"BAR": strPtr("bar_from_env_file_2"),
+				"BAZ": strPtr("baz_from_service_def"),
+				"QUX": strPtr("qux_from_environment"),
+			},
+			EnvFile: []string{
+				"./example1.env",
+				"./example2.env",
+			},
+			Expose: []string{"3000", "8000"},
+			ExternalLinks: []string{
+				"redis_1",
+				"project_db_1:mysql",
+				"project_db_1:postgresql",
+			},
+			ExtraHosts: []string{
+				"somehost:162.242.195.82",
+				"otherhost:50.31.209.229",
+			},
+			Extras: map[string]interface{}{
+				"x-bar": "baz",
+				"x-foo": "bar",
+			},
+			HealthCheck: &types.HealthCheckConfig{
+				Test:        types.HealthCheckTest([]string{"CMD-SHELL", "echo \"hello world\""}),
+				Interval:    durationPtr(10 * time.Second),
+				Timeout:     durationPtr(1 * time.Second),
+				Retries:     uint64Ptr(5),
+				StartPeriod: durationPtr(15 * time.Second),
+			},
+			Hostname: "foo",
+			Image:    "redis",
+			Ipc:      "host",
+			Labels: map[string]string{
+				"com.example.description": "Accounting webapp",
+				"com.example.number":      "42",
+				"com.example.empty-label": "",
+			},
+			Links: []string{
+				"db",
+				"db:database",
+				"redis",
+			},
+			Logging: &types.LoggingConfig{
+				Driver: "syslog",
+				Options: map[string]string{
+					"syslog-address": "tcp://192.168.0.42:123",
+				},
+			},
+			MacAddress:  "02:42:ac:11:65:43",
+			NetworkMode: "container:0cfeab0f748b9a743dc3da582046357c6ef497631c1a016d28d2bf9b4f899f7b",
+			Networks: map[string]*types.ServiceNetworkConfig{
+				"some-network": {
+					Aliases:     []string{"alias1", "alias3"},
+					Ipv4Address: "",
+					Ipv6Address: "",
+				},
+				"other-network": {
+					Ipv4Address: "172.16.238.10",
+					Ipv6Address: "2001:3984:3989::10",
+				},
+				"other-other-network": nil,
+			},
+			Pid: "host",
+			Ports: []types.ServicePortConfig{
+				//"3000",
+				{
+					Mode:     "ingress",
+					Target:   3000,
+					Protocol: "tcp",
+				},
+				{
+					Mode:     "ingress",
+					Target:   3001,
+					Protocol: "tcp",
+				},
+				{
+					Mode:     "ingress",
+					Target:   3002,
+					Protocol: "tcp",
+				},
+				{
+					Mode:     "ingress",
+					Target:   3003,
+					Protocol: "tcp",
+				},
+				{
+					Mode:     "ingress",
+					Target:   3004,
+					Protocol: "tcp",
+				},
+				{
+					Mode:     "ingress",
+					Target:   3005,
+					Protocol: "tcp",
+				},
+				//"8000:8000",
+				{
+					Mode:      "ingress",
+					Target:    8000,
+					Published: 8000,
+					Protocol:  "tcp",
+				},
+				//"9090-9091:8080-8081",
+				{
+					Mode:      "ingress",
+					Target:    8080,
+					Published: 9090,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    8081,
+					Published: 9091,
+					Protocol:  "tcp",
+				},
+				//"49100:22",
+				{
+					Mode:      "ingress",
+					Target:    22,
+					Published: 49100,
+					Protocol:  "tcp",
+				},
+				//"127.0.0.1:8001:8001",
+				{
+					Mode:      "ingress",
+					Target:    8001,
+					Published: 8001,
+					Protocol:  "tcp",
+				},
+				//"127.0.0.1:5000-5010:5000-5010",
+				{
+					Mode:      "ingress",
+					Target:    5000,
+					Published: 5000,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    5001,
+					Published: 5001,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    5002,
+					Published: 5002,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    5003,
+					Published: 5003,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    5004,
+					Published: 5004,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    5005,
+					Published: 5005,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    5006,
+					Published: 5006,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    5007,
+					Published: 5007,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    5008,
+					Published: 5008,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    5009,
+					Published: 5009,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Target:    5010,
+					Published: 5010,
+					Protocol:  "tcp",
+				},
+			},
+			Privileged: true,
+			ReadOnly:   true,
+			Restart:    "always",
+			Secrets: []types.ServiceSecretConfig{
+				{
+					Source: "secret1",
+				},
+				{
+					Source: "secret2",
+					Target: "my_secret",
+					UID:    "103",
+					GID:    "103",
+					Mode:   uint32Ptr(0440),
+				},
+			},
+			SecurityOpt: []string{
+				"label=level:s0:c100,c200",
+				"label=type:svirt_apache_t",
+			},
+			StdinOpen:       true,
+			StopSignal:      "SIGUSR1",
+			StopGracePeriod: durationPtr(time.Duration(20 * time.Second)),
+			Tmpfs:           []string{"/run", "/tmp"},
+			Tty:             true,
+			Ulimits: map[string]*types.UlimitsConfig{
+				"nproc": {
+					Single: 65535,
+				},
+				"nofile": {
+					Soft: 20000,
+					Hard: 40000,
+				},
+			},
+			User: "someone",
+			Volumes: []types.ServiceVolumeConfig{
+				{Target: "/var/lib/mysql", Type: "volume"},
+				{Source: "/opt/data", Target: "/var/lib/mysql", Type: "bind"},
+				{Source: workingDir, Target: "/code", Type: "bind"},
+				{Source: filepath.Join(workingDir, "static"), Target: "/var/www/html", Type: "bind"},
+				{Source: homeDir + "/configs", Target: "/etc/configs/", Type: "bind", ReadOnly: true},
+				{Source: "datavolume", Target: "/var/lib/mysql", Type: "volume"},
+				{Source: filepath.Join(workingDir, "opt"), Target: "/opt", Consistency: "cached", Type: "bind"},
+				{Target: "/opt", Type: "tmpfs", Tmpfs: &types.ServiceVolumeTmpfs{
+					Size: int64(10000),
+				}},
+			},
+			WorkingDir: "/code",
+		},
+	}
+}
+
+func networks() map[string]types.NetworkConfig {
+	return map[string]types.NetworkConfig{
+		"some-network": {},
+
+		"other-network": {
+			Driver: "overlay",
+			DriverOpts: map[string]string{
+				"foo": "bar",
+				"baz": "1",
+			},
+			Ipam: types.IPAMConfig{
+				Driver: "overlay",
+				Config: []*types.IPAMPool{
+					{Subnet: "172.16.238.0/24"},
+					{Subnet: "2001:3984:3989::/64"},
+				},
+			},
+			Labels: map[string]string{
+				"foo": "bar",
+			},
+		},
+
+		"external-network": {
+			Name:     "external-network",
+			External: types.External{External: true},
+		},
+
+		"other-external-network": {
+			Name:     "my-cool-network",
+			External: types.External{External: true},
+			Extras: map[string]interface{}{
+				"x-bar": "baz",
+				"x-foo": "bar",
+			},
+		},
+	}
+}
+
+func volumes() map[string]types.VolumeConfig {
+	return map[string]types.VolumeConfig{
+		"some-volume": {},
+		"other-volume": {
+			Driver: "flocker",
+			DriverOpts: map[string]string{
+				"foo": "bar",
+				"baz": "1",
+			},
+			Labels: map[string]string{
+				"foo": "bar",
+			},
+		},
+		"another-volume": {
+			Name:   "user_specified_name",
+			Driver: "vsphere",
+			DriverOpts: map[string]string{
+				"foo": "bar",
+				"baz": "1",
+			},
+		},
+		"external-volume": {
+			Name:     "external-volume",
+			External: types.External{External: true},
+		},
+		"other-external-volume": {
+			Name:     "my-cool-volume",
+			External: types.External{External: true},
+		},
+		"external-volume3": {
+			Name:     "this-is-volume3",
+			External: types.External{External: true},
+			Extras: map[string]interface{}{
+				"x-bar": "baz",
+				"x-foo": "bar",
+			},
+		},
+	}
+}
+
+func configs(workingDir string) map[string]types.ConfigObjConfig {
+	return map[string]types.ConfigObjConfig{
+		"config1": {
+			File: filepath.Join(workingDir, "config_data"),
+			Labels: map[string]string{
+				"foo": "bar",
+			},
+		},
+		"config2": {
+			Name:     "my_config",
+			External: types.External{External: true},
+		},
+		"config3": {
+			Name:     "config3",
+			External: types.External{External: true},
+		},
+		"config4": {
+			Name: "foo",
+			File: workingDir,
+			Extras: map[string]interface{}{
+				"x-bar": "baz",
+				"x-foo": "bar",
+			},
+		},
+	}
+}
+
+func secrets(workingDir string) map[string]types.SecretConfig {
+	return map[string]types.SecretConfig{
+		"secret1": {
+			File: filepath.Join(workingDir, "secret_data"),
+			Labels: map[string]string{
+				"foo": "bar",
+			},
+		},
+		"secret2": {
+			Name:     "my_secret",
+			External: types.External{External: true},
+		},
+		"secret3": {
+			Name:     "secret3",
+			External: types.External{External: true},
+		},
+		"secret4": {
+			Name: "bar",
+			File: workingDir,
+			Extras: map[string]interface{}{
+				"x-bar": "baz",
+				"x-foo": "bar",
+			},
+		},
+	}
+}
+
+func fullExampleYAML(workingDir string) string {
+	return fmt.Sprintf(`version: "3.7"
+services:
+  foo:
+    build:
+      context: ./dir
+      dockerfile: Dockerfile
+      args:
+        foo: bar
+      labels:
+        FOO: BAR
+      cache_from:
+      - foo
+      - bar
+      network: foo
+      target: foo
+    cap_add:
+    - ALL
+    cap_drop:
+    - NET_ADMIN
+    - SYS_ADMIN
+    cgroup_parent: m-executor-abcd
+    command:
+    - bundle
+    - exec
+    - thin
+    - -p
+    - "3000"
+    configs:
+    - source: config1
+    - source: config2
+      target: /my_config
+      uid: "103"
+      gid: "103"
+      mode: 288
+    container_name: my-web-container
+    depends_on:
+    - db
+    - redis
+    deploy:
+      mode: replicated
+      replicas: 6
+      labels:
+        FOO: BAR
+      update_config:
+        parallelism: 3
+        delay: 10s
+        failure_action: continue
+        monitor: 1m0s
+        max_failure_ratio: 0.3
+        order: start-first
+      rollback_config:
+        parallelism: 3
+        delay: 10s
+        failure_action: continue
+        monitor: 1m0s
+        max_failure_ratio: 0.3
+        order: start-first
+      resources:
+        limits:
+          cpus: "0.001"
+          memory: "52428800"
+        reservations:
+          cpus: "0.0001"
+          memory: "20971520"
+          generic_resources:
+          - discrete_resource_spec:
+              kind: gpu
+              value: 2
+          - discrete_resource_spec:
+              kind: ssd
+              value: 1
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+        window: 2m0s
+      placement:
+        constraints:
+        - node=foo
+        preferences:
+        - spread: node.labels.az
+      endpoint_mode: dnsrr
+    devices:
+    - /dev/ttyUSB0:/dev/ttyUSB0
+    dns:
+    - 8.8.8.8
+    - 9.9.9.9
+    dns_search:
+    - dc1.example.com
+    - dc2.example.com
+    domainname: foo.com
+    entrypoint:
+    - /code/entrypoint.sh
+    - -p
+    - "3000"
+    environment:
+      BAR: bar_from_env_file_2
+      BAZ: baz_from_service_def
+      FOO: foo_from_env_file
+      QUX: qux_from_environment
+    env_file:
+    - ./example1.env
+    - ./example2.env
+    expose:
+    - "3000"
+    - "8000"
+    external_links:
+    - redis_1
+    - project_db_1:mysql
+    - project_db_1:postgresql
+    extra_hosts:
+    - somehost:162.242.195.82
+    - otherhost:50.31.209.229
+    hostname: foo
+    healthcheck:
+      test:
+      - CMD-SHELL
+      - echo "hello world"
+      timeout: 1s
+      interval: 10s
+      retries: 5
+      start_period: 15s
+    image: redis
+    ipc: host
+    labels:
+      com.example.description: Accounting webapp
+      com.example.empty-label: ""
+      com.example.number: "42"
+    links:
+    - db
+    - db:database
+    - redis
+    logging:
+      driver: syslog
+      options:
+        syslog-address: tcp://192.168.0.42:123
+    mac_address: 02:42:ac:11:65:43
+    network_mode: container:0cfeab0f748b9a743dc3da582046357c6ef497631c1a016d28d2bf9b4f899f7b
+    networks:
+      other-network:
+        ipv4_address: 172.16.238.10
+        ipv6_address: 2001:3984:3989::10
+      other-other-network: null
+      some-network:
+        aliases:
+        - alias1
+        - alias3
+    pid: host
+    ports:
+    - mode: ingress
+      target: 3000
+      protocol: tcp
+    - mode: ingress
+      target: 3001
+      protocol: tcp
+    - mode: ingress
+      target: 3002
+      protocol: tcp
+    - mode: ingress
+      target: 3003
+      protocol: tcp
+    - mode: ingress
+      target: 3004
+      protocol: tcp
+    - mode: ingress
+      target: 3005
+      protocol: tcp
+    - mode: ingress
+      target: 8000
+      published: 8000
+      protocol: tcp
+    - mode: ingress
+      target: 8080
+      published: 9090
+      protocol: tcp
+    - mode: ingress
+      target: 8081
+      published: 9091
+      protocol: tcp
+    - mode: ingress
+      target: 22
+      published: 49100
+      protocol: tcp
+    - mode: ingress
+      target: 8001
+      published: 8001
+      protocol: tcp
+    - mode: ingress
+      target: 5000
+      published: 5000
+      protocol: tcp
+    - mode: ingress
+      target: 5001
+      published: 5001
+      protocol: tcp
+    - mode: ingress
+      target: 5002
+      published: 5002
+      protocol: tcp
+    - mode: ingress
+      target: 5003
+      published: 5003
+      protocol: tcp
+    - mode: ingress
+      target: 5004
+      published: 5004
+      protocol: tcp
+    - mode: ingress
+      target: 5005
+      published: 5005
+      protocol: tcp
+    - mode: ingress
+      target: 5006
+      published: 5006
+      protocol: tcp
+    - mode: ingress
+      target: 5007
+      published: 5007
+      protocol: tcp
+    - mode: ingress
+      target: 5008
+      published: 5008
+      protocol: tcp
+    - mode: ingress
+      target: 5009
+      published: 5009
+      protocol: tcp
+    - mode: ingress
+      target: 5010
+      published: 5010
+      protocol: tcp
+    privileged: true
+    read_only: true
+    restart: always
+    secrets:
+    - source: secret1
+    - source: secret2
+      target: my_secret
+      uid: "103"
+      gid: "103"
+      mode: 288
+    security_opt:
+    - label=level:s0:c100,c200
+    - label=type:svirt_apache_t
+    stdin_open: true
+    stop_grace_period: 20s
+    stop_signal: SIGUSR1
+    tmpfs:
+    - /run
+    - /tmp
+    tty: true
+    ulimits:
+      nofile:
+        soft: 20000
+        hard: 40000
+      nproc: 65535
+    user: someone
+    volumes:
+    - type: volume
+      target: /var/lib/mysql
+    - type: bind
+      source: /opt/data
+      target: /var/lib/mysql
+    - type: bind
+      source: /foo
+      target: /code
+    - type: bind
+      source: %s
+      target: /var/www/html
+    - type: bind
+      source: /bar/configs
+      target: /etc/configs/
+      read_only: true
+    - type: volume
+      source: datavolume
+      target: /var/lib/mysql
+    - type: bind
+      source: %s
+      target: /opt
+      consistency: cached
+    - type: tmpfs
+      target: /opt
+      tmpfs:
+        size: 10000
+    working_dir: /code
+    x-bar: baz
+    x-foo: bar
+networks:
+  external-network:
+    name: external-network
+    external: true
+  other-external-network:
+    name: my-cool-network
+    external: true
+    x-bar: baz
+    x-foo: bar
+  other-network:
+    driver: overlay
+    driver_opts:
+      baz: "1"
+      foo: bar
+    ipam:
+      driver: overlay
+      config:
+      - subnet: 172.16.238.0/24
+      - subnet: 2001:3984:3989::/64
+    labels:
+      foo: bar
+  some-network: {}
+volumes:
+  another-volume:
+    name: user_specified_name
+    driver: vsphere
+    driver_opts:
+      baz: "1"
+      foo: bar
+  external-volume:
+    name: external-volume
+    external: true
+  external-volume3:
+    name: this-is-volume3
+    external: true
+    x-bar: baz
+    x-foo: bar
+  other-external-volume:
+    name: my-cool-volume
+    external: true
+  other-volume:
+    driver: flocker
+    driver_opts:
+      baz: "1"
+      foo: bar
+    labels:
+      foo: bar
+  some-volume: {}
+secrets:
+  secret1:
+    file: %s/secret_data
+    labels:
+      foo: bar
+  secret2:
+    name: my_secret
+    external: true
+  secret3:
+    name: secret3
+    external: true
+  secret4:
+    name: bar
+    file: %s
+    x-bar: baz
+    x-foo: bar
+configs:
+  config1:
+    file: %s/config_data
+    labels:
+      foo: bar
+  config2:
+    name: my_config
+    external: true
+  config3:
+    name: config3
+    external: true
+  config4:
+    name: foo
+    file: %s
+    x-bar: baz
+    x-foo: bar
+x-bar: baz
+x-foo: bar
+x-nested:
+  bar: baz
+  foo: bar
+`,
+		filepath.Join(workingDir, "static"),
+		filepath.Join(workingDir, "opt"),
+		workingDir,
+		workingDir,
+		workingDir,
+		workingDir)
+}
diff --git a/cli/cli/compose/loader/interpolate.go b/cli/cli/compose/loader/interpolate.go
new file mode 100644
index 00000000..888d29b5
--- /dev/null
+++ b/cli/cli/compose/loader/interpolate.go
@@ -0,0 +1,69 @@
+package loader
+
+import (
+	"strconv"
+	"strings"
+
+	interp "github.com/docker/cli/cli/compose/interpolation"
+	"github.com/pkg/errors"
+)
+
+var interpolateTypeCastMapping = map[interp.Path]interp.Cast{
+	servicePath("configs", interp.PathMatchList, "mode"):             toInt,
+	servicePath("secrets", interp.PathMatchList, "mode"):             toInt,
+	servicePath("healthcheck", "retries"):                            toInt,
+	servicePath("healthcheck", "disable"):                            toBoolean,
+	servicePath("deploy", "replicas"):                                toInt,
+	servicePath("deploy", "update_config", "parallelism"):            toInt,
+	servicePath("deploy", "update_config", "max_failure_ratio"):      toFloat,
+	servicePath("deploy", "restart_policy", "max_attempts"):          toInt,
+	servicePath("ports", interp.PathMatchList, "target"):             toInt,
+	servicePath("ports", interp.PathMatchList, "published"):          toInt,
+	servicePath("ulimits", interp.PathMatchAll):                      toInt,
+	servicePath("ulimits", interp.PathMatchAll, "hard"):              toInt,
+	servicePath("ulimits", interp.PathMatchAll, "soft"):              toInt,
+	servicePath("privileged"):                                        toBoolean,
+	servicePath("read_only"):                                         toBoolean,
+	servicePath("stdin_open"):                                        toBoolean,
+	servicePath("tty"):                                               toBoolean,
+	servicePath("volumes", interp.PathMatchList, "read_only"):        toBoolean,
+	servicePath("volumes", interp.PathMatchList, "volume", "nocopy"): toBoolean,
+	iPath("networks", interp.PathMatchAll, "external"):               toBoolean,
+	iPath("networks", interp.PathMatchAll, "internal"):               toBoolean,
+	iPath("networks", interp.PathMatchAll, "attachable"):             toBoolean,
+	iPath("volumes", interp.PathMatchAll, "external"):                toBoolean,
+	iPath("secrets", interp.PathMatchAll, "external"):                toBoolean,
+	iPath("configs", interp.PathMatchAll, "external"):                toBoolean,
+}
+
+func iPath(parts ...string) interp.Path {
+	return interp.NewPath(parts...)
+}
+
+func servicePath(parts ...string) interp.Path {
+	return iPath(append([]string{"services", interp.PathMatchAll}, parts...)...)
+}
+
+func toInt(value string) (interface{}, error) {
+	return strconv.Atoi(value)
+}
+
+func toFloat(value string) (interface{}, error) {
+	return strconv.ParseFloat(value, 64)
+}
+
+// should match http://yaml.org/type/bool.html
+func toBoolean(value string) (interface{}, error) {
+	switch strings.ToLower(value) {
+	case "y", "yes", "true", "on":
+		return true, nil
+	case "n", "no", "false", "off":
+		return false, nil
+	default:
+		return nil, errors.Errorf("invalid boolean: %s", value)
+	}
+}
+
+func interpolateConfig(configDict map[string]interface{}, opts interp.Options) (map[string]interface{}, error) {
+	return interp.Interpolate(configDict, opts)
+}
diff --git a/cli/cli/compose/loader/loader.go b/cli/cli/compose/loader/loader.go
new file mode 100644
index 00000000..f11619b9
--- /dev/null
+++ b/cli/cli/compose/loader/loader.go
@@ -0,0 +1,907 @@
+package loader
+
+import (
+	"fmt"
+	"path"
+	"path/filepath"
+	"reflect"
+	"sort"
+	"strings"
+
+	interp "github.com/docker/cli/cli/compose/interpolation"
+	"github.com/docker/cli/cli/compose/schema"
+	"github.com/docker/cli/cli/compose/template"
+	"github.com/docker/cli/cli/compose/types"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/go-connections/nat"
+	units "github.com/docker/go-units"
+	shellwords "github.com/mattn/go-shellwords"
+	"github.com/mitchellh/mapstructure"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	yaml "gopkg.in/yaml.v2"
+)
+
+// Options supported by Load
+type Options struct {
+	// Skip schema validation
+	SkipValidation bool
+	// Skip interpolation
+	SkipInterpolation bool
+	// Interpolation options
+	Interpolate *interp.Options
+}
+
+// ParseYAML reads the bytes from a file, parses the bytes into a mapping
+// structure, and returns it.
+func ParseYAML(source []byte) (map[string]interface{}, error) {
+	var cfg interface{}
+	if err := yaml.Unmarshal(source, &cfg); err != nil {
+		return nil, err
+	}
+	cfgMap, ok := cfg.(map[interface{}]interface{})
+	if !ok {
+		return nil, errors.Errorf("Top-level object must be a mapping")
+	}
+	converted, err := convertToStringKeysRecursive(cfgMap, "")
+	if err != nil {
+		return nil, err
+	}
+	return converted.(map[string]interface{}), nil
+}
+
+// Load reads a ConfigDetails and returns a fully loaded configuration
+func Load(configDetails types.ConfigDetails, options ...func(*Options)) (*types.Config, error) {
+	if len(configDetails.ConfigFiles) < 1 {
+		return nil, errors.Errorf("No files specified")
+	}
+
+	opts := &Options{
+		Interpolate: &interp.Options{
+			Substitute:      template.Substitute,
+			LookupValue:     configDetails.LookupEnv,
+			TypeCastMapping: interpolateTypeCastMapping,
+		},
+	}
+
+	for _, op := range options {
+		op(opts)
+	}
+
+	configs := []*types.Config{}
+	var err error
+
+	for _, file := range configDetails.ConfigFiles {
+		configDict := file.Config
+		version := schema.Version(configDict)
+		if configDetails.Version == "" {
+			configDetails.Version = version
+		}
+		if configDetails.Version != version {
+			return nil, errors.Errorf("version mismatched between two composefiles : %v and %v", configDetails.Version, version)
+		}
+
+		if err := validateForbidden(configDict); err != nil {
+			return nil, err
+		}
+
+		if !opts.SkipInterpolation {
+			configDict, err = interpolateConfig(configDict, *opts.Interpolate)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if !opts.SkipValidation {
+			if err := schema.Validate(configDict, configDetails.Version); err != nil {
+				return nil, err
+			}
+		}
+
+		cfg, err := loadSections(configDict, configDetails)
+		if err != nil {
+			return nil, err
+		}
+		cfg.Filename = file.Filename
+
+		configs = append(configs, cfg)
+	}
+
+	return merge(configs)
+}
+
+func validateForbidden(configDict map[string]interface{}) error {
+	servicesDict, ok := configDict["services"].(map[string]interface{})
+	if !ok {
+		return nil
+	}
+	forbidden := getProperties(servicesDict, types.ForbiddenProperties)
+	if len(forbidden) > 0 {
+		return &ForbiddenPropertiesError{Properties: forbidden}
+	}
+	return nil
+}
+
+func loadSections(config map[string]interface{}, configDetails types.ConfigDetails) (*types.Config, error) {
+	var err error
+	cfg := types.Config{
+		Version: schema.Version(config),
+	}
+
+	var loaders = []struct {
+		key string
+		fnc func(config map[string]interface{}) error
+	}{
+		{
+			key: "services",
+			fnc: func(config map[string]interface{}) error {
+				cfg.Services, err = LoadServices(config, configDetails.WorkingDir, configDetails.LookupEnv)
+				return err
+			},
+		},
+		{
+			key: "networks",
+			fnc: func(config map[string]interface{}) error {
+				cfg.Networks, err = LoadNetworks(config, configDetails.Version)
+				return err
+			},
+		},
+		{
+			key: "volumes",
+			fnc: func(config map[string]interface{}) error {
+				cfg.Volumes, err = LoadVolumes(config, configDetails.Version)
+				return err
+			},
+		},
+		{
+			key: "secrets",
+			fnc: func(config map[string]interface{}) error {
+				cfg.Secrets, err = LoadSecrets(config, configDetails)
+				return err
+			},
+		},
+		{
+			key: "configs",
+			fnc: func(config map[string]interface{}) error {
+				cfg.Configs, err = LoadConfigObjs(config, configDetails)
+				return err
+			},
+		},
+	}
+	for _, loader := range loaders {
+		if err := loader.fnc(getSection(config, loader.key)); err != nil {
+			return nil, err
+		}
+	}
+	cfg.Extras = getExtras(config)
+	return &cfg, nil
+}
+
+func getSection(config map[string]interface{}, key string) map[string]interface{} {
+	section, ok := config[key]
+	if !ok {
+		return make(map[string]interface{})
+	}
+	return section.(map[string]interface{})
+}
+
+// GetUnsupportedProperties returns the list of any unsupported properties that are
+// used in the Compose files.
+func GetUnsupportedProperties(configDicts ...map[string]interface{}) []string {
+	unsupported := map[string]bool{}
+
+	for _, configDict := range configDicts {
+		for _, service := range getServices(configDict) {
+			serviceDict := service.(map[string]interface{})
+			for _, property := range types.UnsupportedProperties {
+				if _, isSet := serviceDict[property]; isSet {
+					unsupported[property] = true
+				}
+			}
+		}
+	}
+
+	return sortedKeys(unsupported)
+}
+
+func sortedKeys(set map[string]bool) []string {
+	var keys []string
+	for key := range set {
+		keys = append(keys, key)
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+// GetDeprecatedProperties returns the list of any deprecated properties that
+// are used in the compose files.
+func GetDeprecatedProperties(configDicts ...map[string]interface{}) map[string]string {
+	deprecated := map[string]string{}
+
+	for _, configDict := range configDicts {
+		deprecatedProperties := getProperties(getServices(configDict), types.DeprecatedProperties)
+		for key, value := range deprecatedProperties {
+			deprecated[key] = value
+		}
+	}
+
+	return deprecated
+}
+
+func getProperties(services map[string]interface{}, propertyMap map[string]string) map[string]string {
+	output := map[string]string{}
+
+	for _, service := range services {
+		if serviceDict, ok := service.(map[string]interface{}); ok {
+			for property, description := range propertyMap {
+				if _, isSet := serviceDict[property]; isSet {
+					output[property] = description
+				}
+			}
+		}
+	}
+
+	return output
+}
+
+// ForbiddenPropertiesError is returned when there are properties in the Compose
+// file that are forbidden.
+type ForbiddenPropertiesError struct {
+	Properties map[string]string
+}
+
+func (e *ForbiddenPropertiesError) Error() string {
+	return "Configuration contains forbidden properties"
+}
+
+func getServices(configDict map[string]interface{}) map[string]interface{} {
+	if services, ok := configDict["services"]; ok {
+		if servicesDict, ok := services.(map[string]interface{}); ok {
+			return servicesDict
+		}
+	}
+
+	return map[string]interface{}{}
+}
+
+func transform(source map[string]interface{}, target interface{}) error {
+	data := mapstructure.Metadata{}
+	config := &mapstructure.DecoderConfig{
+		DecodeHook: mapstructure.ComposeDecodeHookFunc(
+			createTransformHook(),
+			mapstructure.StringToTimeDurationHookFunc()),
+		Result:   target,
+		Metadata: &data,
+	}
+	decoder, err := mapstructure.NewDecoder(config)
+	if err != nil {
+		return err
+	}
+	return decoder.Decode(source)
+}
+
+func createTransformHook() mapstructure.DecodeHookFuncType {
+	transforms := map[reflect.Type]func(interface{}) (interface{}, error){
+		reflect.TypeOf(types.External{}):                         transformExternal,
+		reflect.TypeOf(types.HealthCheckTest{}):                  transformHealthCheckTest,
+		reflect.TypeOf(types.ShellCommand{}):                     transformShellCommand,
+		reflect.TypeOf(types.StringList{}):                       transformStringList,
+		reflect.TypeOf(map[string]string{}):                      transformMapStringString,
+		reflect.TypeOf(types.UlimitsConfig{}):                    transformUlimits,
+		reflect.TypeOf(types.UnitBytes(0)):                       transformSize,
+		reflect.TypeOf([]types.ServicePortConfig{}):              transformServicePort,
+		reflect.TypeOf(types.ServiceSecretConfig{}):              transformStringSourceMap,
+		reflect.TypeOf(types.ServiceConfigObjConfig{}):           transformStringSourceMap,
+		reflect.TypeOf(types.StringOrNumberList{}):               transformStringOrNumberList,
+		reflect.TypeOf(map[string]*types.ServiceNetworkConfig{}): transformServiceNetworkMap,
+		reflect.TypeOf(types.MappingWithEquals{}):                transformMappingOrListFunc("=", true),
+		reflect.TypeOf(types.Labels{}):                           transformMappingOrListFunc("=", false),
+		reflect.TypeOf(types.MappingWithColon{}):                 transformMappingOrListFunc(":", false),
+		reflect.TypeOf(types.HostsList{}):                        transformListOrMappingFunc(":", false),
+		reflect.TypeOf(types.ServiceVolumeConfig{}):              transformServiceVolumeConfig,
+		reflect.TypeOf(types.BuildConfig{}):                      transformBuildConfig,
+	}
+
+	return func(_ reflect.Type, target reflect.Type, data interface{}) (interface{}, error) {
+		transform, ok := transforms[target]
+		if !ok {
+			return data, nil
+		}
+		return transform(data)
+	}
+}
+
+// keys needs to be converted to strings for jsonschema
+func convertToStringKeysRecursive(value interface{}, keyPrefix string) (interface{}, error) {
+	if mapping, ok := value.(map[interface{}]interface{}); ok {
+		dict := make(map[string]interface{})
+		for key, entry := range mapping {
+			str, ok := key.(string)
+			if !ok {
+				return nil, formatInvalidKeyError(keyPrefix, key)
+			}
+			var newKeyPrefix string
+			if keyPrefix == "" {
+				newKeyPrefix = str
+			} else {
+				newKeyPrefix = fmt.Sprintf("%s.%s", keyPrefix, str)
+			}
+			convertedEntry, err := convertToStringKeysRecursive(entry, newKeyPrefix)
+			if err != nil {
+				return nil, err
+			}
+			dict[str] = convertedEntry
+		}
+		return dict, nil
+	}
+	if list, ok := value.([]interface{}); ok {
+		var convertedList []interface{}
+		for index, entry := range list {
+			newKeyPrefix := fmt.Sprintf("%s[%d]", keyPrefix, index)
+			convertedEntry, err := convertToStringKeysRecursive(entry, newKeyPrefix)
+			if err != nil {
+				return nil, err
+			}
+			convertedList = append(convertedList, convertedEntry)
+		}
+		return convertedList, nil
+	}
+	return value, nil
+}
+
+func formatInvalidKeyError(keyPrefix string, key interface{}) error {
+	var location string
+	if keyPrefix == "" {
+		location = "at top level"
+	} else {
+		location = fmt.Sprintf("in %s", keyPrefix)
+	}
+	return errors.Errorf("Non-string key %s: %#v", location, key)
+}
+
+// LoadServices produces a ServiceConfig map from a compose file Dict
+// the servicesDict is not validated if directly used. Use Load() to enable validation
+func LoadServices(servicesDict map[string]interface{}, workingDir string, lookupEnv template.Mapping) ([]types.ServiceConfig, error) {
+	var services []types.ServiceConfig
+
+	for name, serviceDef := range servicesDict {
+		serviceConfig, err := LoadService(name, serviceDef.(map[string]interface{}), workingDir, lookupEnv)
+		if err != nil {
+			return nil, err
+		}
+		services = append(services, *serviceConfig)
+	}
+
+	return services, nil
+}
+
+// LoadService produces a single ServiceConfig from a compose file Dict
+// the serviceDict is not validated if directly used. Use Load() to enable validation
+func LoadService(name string, serviceDict map[string]interface{}, workingDir string, lookupEnv template.Mapping) (*types.ServiceConfig, error) {
+	serviceConfig := &types.ServiceConfig{}
+	if err := transform(serviceDict, serviceConfig); err != nil {
+		return nil, err
+	}
+	serviceConfig.Name = name
+
+	if err := resolveEnvironment(serviceConfig, workingDir, lookupEnv); err != nil {
+		return nil, err
+	}
+
+	if err := resolveVolumePaths(serviceConfig.Volumes, workingDir, lookupEnv); err != nil {
+		return nil, err
+	}
+
+	serviceConfig.Extras = getExtras(serviceDict)
+
+	return serviceConfig, nil
+}
+
+func loadExtras(name string, source map[string]interface{}) map[string]interface{} {
+	if dict, ok := source[name].(map[string]interface{}); ok {
+		return getExtras(dict)
+	}
+	return nil
+}
+
+func getExtras(dict map[string]interface{}) map[string]interface{} {
+	extras := map[string]interface{}{}
+	for key, value := range dict {
+		if strings.HasPrefix(key, "x-") {
+			extras[key] = value
+		}
+	}
+	if len(extras) == 0 {
+		return nil
+	}
+	return extras
+}
+
+func updateEnvironment(environment map[string]*string, vars map[string]*string, lookupEnv template.Mapping) {
+	for k, v := range vars {
+		interpolatedV, ok := lookupEnv(k)
+		if (v == nil || *v == "") && ok {
+			// lookupEnv is prioritized over vars
+			environment[k] = &interpolatedV
+		} else {
+			environment[k] = v
+		}
+	}
+}
+
+func resolveEnvironment(serviceConfig *types.ServiceConfig, workingDir string, lookupEnv template.Mapping) error {
+	environment := make(map[string]*string)
+
+	if len(serviceConfig.EnvFile) > 0 {
+		var envVars []string
+
+		for _, file := range serviceConfig.EnvFile {
+			filePath := absPath(workingDir, file)
+			fileVars, err := opts.ParseEnvFile(filePath)
+			if err != nil {
+				return err
+			}
+			envVars = append(envVars, fileVars...)
+		}
+		updateEnvironment(environment,
+			opts.ConvertKVStringsToMapWithNil(envVars), lookupEnv)
+	}
+
+	updateEnvironment(environment, serviceConfig.Environment, lookupEnv)
+	serviceConfig.Environment = environment
+	return nil
+}
+
+func resolveVolumePaths(volumes []types.ServiceVolumeConfig, workingDir string, lookupEnv template.Mapping) error {
+	for i, volume := range volumes {
+		if volume.Type != "bind" {
+			continue
+		}
+
+		if volume.Source == "" {
+			return errors.New(`invalid mount config for type "bind": field Source must not be empty`)
+		}
+
+		filePath := expandUser(volume.Source, lookupEnv)
+		// Check for a Unix absolute path first, to handle a Windows client
+		// with a Unix daemon. This handles a Windows client connecting to a
+		// Unix daemon. Note that this is not required for Docker for Windows
+		// when specifying a local Windows path, because Docker for Windows
+		// translates the Windows path into a valid path within the VM.
+		if !path.IsAbs(filePath) {
+			filePath = absPath(workingDir, filePath)
+		}
+		volume.Source = filePath
+		volumes[i] = volume
+	}
+	return nil
+}
+
+// TODO: make this more robust
+func expandUser(path string, lookupEnv template.Mapping) string {
+	if strings.HasPrefix(path, "~") {
+		home, ok := lookupEnv("HOME")
+		if !ok {
+			logrus.Warn("cannot expand '~', because the environment lacks HOME")
+			return path
+		}
+		return strings.Replace(path, "~", home, 1)
+	}
+	return path
+}
+
+func transformUlimits(data interface{}) (interface{}, error) {
+	switch value := data.(type) {
+	case int:
+		return types.UlimitsConfig{Single: value}, nil
+	case map[string]interface{}:
+		ulimit := types.UlimitsConfig{}
+		ulimit.Soft = value["soft"].(int)
+		ulimit.Hard = value["hard"].(int)
+		return ulimit, nil
+	default:
+		return data, errors.Errorf("invalid type %T for ulimits", value)
+	}
+}
+
+// LoadNetworks produces a NetworkConfig map from a compose file Dict
+// the source Dict is not validated if directly used. Use Load() to enable validation
+func LoadNetworks(source map[string]interface{}, version string) (map[string]types.NetworkConfig, error) {
+	networks := make(map[string]types.NetworkConfig)
+	err := transform(source, &networks)
+	if err != nil {
+		return networks, err
+	}
+	for name, network := range networks {
+		if !network.External.External {
+			continue
+		}
+		switch {
+		case network.External.Name != "":
+			if network.Name != "" {
+				return nil, errors.Errorf("network %s: network.external.name and network.name conflict; only use network.name", name)
+			}
+			if versions.GreaterThanOrEqualTo(version, "3.5") {
+				logrus.Warnf("network %s: network.external.name is deprecated in favor of network.name", name)
+			}
+			network.Name = network.External.Name
+			network.External.Name = ""
+		case network.Name == "":
+			network.Name = name
+		}
+		network.Extras = loadExtras(name, source)
+		networks[name] = network
+	}
+	return networks, nil
+}
+
+func externalVolumeError(volume, key string) error {
+	return errors.Errorf(
+		"conflicting parameters \"external\" and %q specified for volume %q",
+		key, volume)
+}
+
+// LoadVolumes produces a VolumeConfig map from a compose file Dict
+// the source Dict is not validated if directly used. Use Load() to enable validation
+func LoadVolumes(source map[string]interface{}, version string) (map[string]types.VolumeConfig, error) {
+	volumes := make(map[string]types.VolumeConfig)
+	if err := transform(source, &volumes); err != nil {
+		return volumes, err
+	}
+
+	for name, volume := range volumes {
+		if !volume.External.External {
+			continue
+		}
+		switch {
+		case volume.Driver != "":
+			return nil, externalVolumeError(name, "driver")
+		case len(volume.DriverOpts) > 0:
+			return nil, externalVolumeError(name, "driver_opts")
+		case len(volume.Labels) > 0:
+			return nil, externalVolumeError(name, "labels")
+		case volume.External.Name != "":
+			if volume.Name != "" {
+				return nil, errors.Errorf("volume %s: volume.external.name and volume.name conflict; only use volume.name", name)
+			}
+			if versions.GreaterThanOrEqualTo(version, "3.4") {
+				logrus.Warnf("volume %s: volume.external.name is deprecated in favor of volume.name", name)
+			}
+			volume.Name = volume.External.Name
+			volume.External.Name = ""
+		case volume.Name == "":
+			volume.Name = name
+		}
+		volume.Extras = loadExtras(name, source)
+		volumes[name] = volume
+	}
+	return volumes, nil
+}
+
+// LoadSecrets produces a SecretConfig map from a compose file Dict
+// the source Dict is not validated if directly used. Use Load() to enable validation
+func LoadSecrets(source map[string]interface{}, details types.ConfigDetails) (map[string]types.SecretConfig, error) {
+	secrets := make(map[string]types.SecretConfig)
+	if err := transform(source, &secrets); err != nil {
+		return secrets, err
+	}
+	for name, secret := range secrets {
+		obj, err := loadFileObjectConfig(name, "secret", types.FileObjectConfig(secret), details)
+		if err != nil {
+			return nil, err
+		}
+		secretConfig := types.SecretConfig(obj)
+		secretConfig.Extras = loadExtras(name, source)
+		secrets[name] = secretConfig
+	}
+	return secrets, nil
+}
+
+// LoadConfigObjs produces a ConfigObjConfig map from a compose file Dict
+// the source Dict is not validated if directly used. Use Load() to enable validation
+func LoadConfigObjs(source map[string]interface{}, details types.ConfigDetails) (map[string]types.ConfigObjConfig, error) {
+	configs := make(map[string]types.ConfigObjConfig)
+	if err := transform(source, &configs); err != nil {
+		return configs, err
+	}
+	for name, config := range configs {
+		obj, err := loadFileObjectConfig(name, "config", types.FileObjectConfig(config), details)
+		if err != nil {
+			return nil, err
+		}
+		configConfig := types.ConfigObjConfig(obj)
+		configConfig.Extras = loadExtras(name, source)
+		configs[name] = configConfig
+	}
+	return configs, nil
+}
+
+func loadFileObjectConfig(name string, objType string, obj types.FileObjectConfig, details types.ConfigDetails) (types.FileObjectConfig, error) {
+	// if "external: true"
+	if obj.External.External {
+		// handle deprecated external.name
+		if obj.External.Name != "" {
+			if obj.Name != "" {
+				return obj, errors.Errorf("%[1]s %[2]s: %[1]s.external.name and %[1]s.name conflict; only use %[1]s.name", objType, name)
+			}
+			if versions.GreaterThanOrEqualTo(details.Version, "3.5") {
+				logrus.Warnf("%[1]s %[2]s: %[1]s.external.name is deprecated in favor of %[1]s.name", objType, name)
+			}
+			obj.Name = obj.External.Name
+			obj.External.Name = ""
+		} else {
+			if obj.Name == "" {
+				obj.Name = name
+			}
+		}
+		// if not "external: true"
+	} else {
+		obj.File = absPath(details.WorkingDir, obj.File)
+	}
+
+	return obj, nil
+}
+
+func absPath(workingDir string, filePath string) string {
+	if filepath.IsAbs(filePath) {
+		return filePath
+	}
+	return filepath.Join(workingDir, filePath)
+}
+
+func transformMapStringString(data interface{}) (interface{}, error) {
+	switch value := data.(type) {
+	case map[string]interface{}:
+		return toMapStringString(value, false), nil
+	case map[string]string:
+		return value, nil
+	default:
+		return data, errors.Errorf("invalid type %T for map[string]string", value)
+	}
+}
+
+func transformExternal(data interface{}) (interface{}, error) {
+	switch value := data.(type) {
+	case bool:
+		return map[string]interface{}{"external": value}, nil
+	case map[string]interface{}:
+		return map[string]interface{}{"external": true, "name": value["name"]}, nil
+	default:
+		return data, errors.Errorf("invalid type %T for external", value)
+	}
+}
+
+func transformServicePort(data interface{}) (interface{}, error) {
+	switch entries := data.(type) {
+	case []interface{}:
+		// We process the list instead of individual items here.
+		// The reason is that one entry might be mapped to multiple ServicePortConfig.
+		// Therefore we take an input of a list and return an output of a list.
+		ports := []interface{}{}
+		for _, entry := range entries {
+			switch value := entry.(type) {
+			case int:
+				v, err := toServicePortConfigs(fmt.Sprint(value))
+				if err != nil {
+					return data, err
+				}
+				ports = append(ports, v...)
+			case string:
+				v, err := toServicePortConfigs(value)
+				if err != nil {
+					return data, err
+				}
+				ports = append(ports, v...)
+			case map[string]interface{}:
+				ports = append(ports, value)
+			default:
+				return data, errors.Errorf("invalid type %T for port", value)
+			}
+		}
+		return ports, nil
+	default:
+		return data, errors.Errorf("invalid type %T for port", entries)
+	}
+}
+
+func transformStringSourceMap(data interface{}) (interface{}, error) {
+	switch value := data.(type) {
+	case string:
+		return map[string]interface{}{"source": value}, nil
+	case map[string]interface{}:
+		return data, nil
+	default:
+		return data, errors.Errorf("invalid type %T for secret", value)
+	}
+}
+
+func transformBuildConfig(data interface{}) (interface{}, error) {
+	switch value := data.(type) {
+	case string:
+		return map[string]interface{}{"context": value}, nil
+	case map[string]interface{}:
+		return data, nil
+	default:
+		return data, errors.Errorf("invalid type %T for service build", value)
+	}
+}
+
+func transformServiceVolumeConfig(data interface{}) (interface{}, error) {
+	switch value := data.(type) {
+	case string:
+		return ParseVolume(value)
+	case map[string]interface{}:
+		return data, nil
+	default:
+		return data, errors.Errorf("invalid type %T for service volume", value)
+	}
+}
+
+func transformServiceNetworkMap(value interface{}) (interface{}, error) {
+	if list, ok := value.([]interface{}); ok {
+		mapValue := map[interface{}]interface{}{}
+		for _, name := range list {
+			mapValue[name] = nil
+		}
+		return mapValue, nil
+	}
+	return value, nil
+}
+
+func transformStringOrNumberList(value interface{}) (interface{}, error) {
+	list := value.([]interface{})
+	result := make([]string, len(list))
+	for i, item := range list {
+		result[i] = fmt.Sprint(item)
+	}
+	return result, nil
+}
+
+func transformStringList(data interface{}) (interface{}, error) {
+	switch value := data.(type) {
+	case string:
+		return []string{value}, nil
+	case []interface{}:
+		return value, nil
+	default:
+		return data, errors.Errorf("invalid type %T for string list", value)
+	}
+}
+
+func transformMappingOrListFunc(sep string, allowNil bool) func(interface{}) (interface{}, error) {
+	return func(data interface{}) (interface{}, error) {
+		return transformMappingOrList(data, sep, allowNil), nil
+	}
+}
+
+func transformListOrMappingFunc(sep string, allowNil bool) func(interface{}) (interface{}, error) {
+	return func(data interface{}) (interface{}, error) {
+		return transformListOrMapping(data, sep, allowNil), nil
+	}
+}
+
+func transformListOrMapping(listOrMapping interface{}, sep string, allowNil bool) interface{} {
+	switch value := listOrMapping.(type) {
+	case map[string]interface{}:
+		return toStringList(value, sep, allowNil)
+	case []interface{}:
+		return listOrMapping
+	}
+	panic(errors.Errorf("expected a map or a list, got %T: %#v", listOrMapping, listOrMapping))
+}
+
+func transformMappingOrList(mappingOrList interface{}, sep string, allowNil bool) interface{} {
+	switch value := mappingOrList.(type) {
+	case map[string]interface{}:
+		return toMapStringString(value, allowNil)
+	case ([]interface{}):
+		result := make(map[string]interface{})
+		for _, value := range value {
+			parts := strings.SplitN(value.(string), sep, 2)
+			key := parts[0]
+			switch {
+			case len(parts) == 1 && allowNil:
+				result[key] = nil
+			case len(parts) == 1 && !allowNil:
+				result[key] = ""
+			default:
+				result[key] = parts[1]
+			}
+		}
+		return result
+	}
+	panic(errors.Errorf("expected a map or a list, got %T: %#v", mappingOrList, mappingOrList))
+}
+
+func transformShellCommand(value interface{}) (interface{}, error) {
+	if str, ok := value.(string); ok {
+		return shellwords.Parse(str)
+	}
+	return value, nil
+}
+
+func transformHealthCheckTest(data interface{}) (interface{}, error) {
+	switch value := data.(type) {
+	case string:
+		return append([]string{"CMD-SHELL"}, value), nil
+	case []interface{}:
+		return value, nil
+	default:
+		return value, errors.Errorf("invalid type %T for healthcheck.test", value)
+	}
+}
+
+func transformSize(value interface{}) (interface{}, error) {
+	switch value := value.(type) {
+	case int:
+		return int64(value), nil
+	case string:
+		return units.RAMInBytes(value)
+	}
+	panic(errors.Errorf("invalid type for size %T", value))
+}
+
+func toServicePortConfigs(value string) ([]interface{}, error) {
+	var portConfigs []interface{}
+
+	ports, portBindings, err := nat.ParsePortSpecs([]string{value})
+	if err != nil {
+		return nil, err
+	}
+	// We need to sort the key of the ports to make sure it is consistent
+	keys := []string{}
+	for port := range ports {
+		keys = append(keys, string(port))
+	}
+	sort.Strings(keys)
+
+	for _, key := range keys {
+		// Reuse ConvertPortToPortConfig so that it is consistent
+		portConfig, err := opts.ConvertPortToPortConfig(nat.Port(key), portBindings)
+		if err != nil {
+			return nil, err
+		}
+		for _, p := range portConfig {
+			portConfigs = append(portConfigs, types.ServicePortConfig{
+				Protocol:  string(p.Protocol),
+				Target:    p.TargetPort,
+				Published: p.PublishedPort,
+				Mode:      string(p.PublishMode),
+			})
+		}
+	}
+
+	return portConfigs, nil
+}
+
+func toMapStringString(value map[string]interface{}, allowNil bool) map[string]interface{} {
+	output := make(map[string]interface{})
+	for key, value := range value {
+		output[key] = toString(value, allowNil)
+	}
+	return output
+}
+
+func toString(value interface{}, allowNil bool) interface{} {
+	switch {
+	case value != nil:
+		return fmt.Sprint(value)
+	case allowNil:
+		return nil
+	default:
+		return ""
+	}
+}
+
+func toStringList(value map[string]interface{}, separator string, allowNil bool) []string {
+	output := []string{}
+	for key, value := range value {
+		if value == nil && !allowNil {
+			continue
+		}
+		output = append(output, fmt.Sprintf("%s%s%s", key, separator, value))
+	}
+	sort.Strings(output)
+	return output
+}
diff --git a/cli/cli/compose/loader/loader_test.go b/cli/cli/compose/loader/loader_test.go
new file mode 100644
index 00000000..7b72ad76
--- /dev/null
+++ b/cli/cli/compose/loader/loader_test.go
@@ -0,0 +1,1465 @@
+package loader
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+	"reflect"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/cli/compose/types"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/sirupsen/logrus"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func buildConfigDetails(source map[string]interface{}, env map[string]string) types.ConfigDetails {
+	workingDir, err := os.Getwd()
+	if err != nil {
+		panic(err)
+	}
+
+	return types.ConfigDetails{
+		WorkingDir: workingDir,
+		ConfigFiles: []types.ConfigFile{
+			{Filename: "filename.yml", Config: source},
+		},
+		Environment: env,
+	}
+}
+
+func loadYAML(yaml string) (*types.Config, error) {
+	return loadYAMLWithEnv(yaml, nil)
+}
+
+func loadYAMLWithEnv(yaml string, env map[string]string) (*types.Config, error) {
+	dict, err := ParseYAML([]byte(yaml))
+	if err != nil {
+		return nil, err
+	}
+
+	return Load(buildConfigDetails(dict, env))
+}
+
+var sampleYAML = `
+version: "3"
+services:
+  foo:
+    image: busybox
+    networks:
+      with_me:
+  bar:
+    image: busybox
+    environment:
+      - FOO=1
+    networks:
+      - with_ipam
+volumes:
+  hello:
+    driver: default
+    driver_opts:
+      beep: boop
+networks:
+  default:
+    driver: bridge
+    driver_opts:
+      beep: boop
+  with_ipam:
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.28.0.0/16
+`
+
+var sampleDict = map[string]interface{}{
+	"version": "3",
+	"services": map[string]interface{}{
+		"foo": map[string]interface{}{
+			"image":    "busybox",
+			"networks": map[string]interface{}{"with_me": nil},
+		},
+		"bar": map[string]interface{}{
+			"image":       "busybox",
+			"environment": []interface{}{"FOO=1"},
+			"networks":    []interface{}{"with_ipam"},
+		},
+	},
+	"volumes": map[string]interface{}{
+		"hello": map[string]interface{}{
+			"driver": "default",
+			"driver_opts": map[string]interface{}{
+				"beep": "boop",
+			},
+		},
+	},
+	"networks": map[string]interface{}{
+		"default": map[string]interface{}{
+			"driver": "bridge",
+			"driver_opts": map[string]interface{}{
+				"beep": "boop",
+			},
+		},
+		"with_ipam": map[string]interface{}{
+			"ipam": map[string]interface{}{
+				"driver": "default",
+				"config": []interface{}{
+					map[string]interface{}{
+						"subnet": "172.28.0.0/16",
+					},
+				},
+			},
+		},
+	},
+}
+
+func strPtr(val string) *string {
+	return &val
+}
+
+var sampleConfig = types.Config{
+	Version: "3.0",
+	Services: []types.ServiceConfig{
+		{
+			Name:        "foo",
+			Image:       "busybox",
+			Environment: map[string]*string{},
+			Networks: map[string]*types.ServiceNetworkConfig{
+				"with_me": nil,
+			},
+		},
+		{
+			Name:        "bar",
+			Image:       "busybox",
+			Environment: map[string]*string{"FOO": strPtr("1")},
+			Networks: map[string]*types.ServiceNetworkConfig{
+				"with_ipam": nil,
+			},
+		},
+	},
+	Networks: map[string]types.NetworkConfig{
+		"default": {
+			Driver: "bridge",
+			DriverOpts: map[string]string{
+				"beep": "boop",
+			},
+		},
+		"with_ipam": {
+			Ipam: types.IPAMConfig{
+				Driver: "default",
+				Config: []*types.IPAMPool{
+					{
+						Subnet: "172.28.0.0/16",
+					},
+				},
+			},
+		},
+	},
+	Volumes: map[string]types.VolumeConfig{
+		"hello": {
+			Driver: "default",
+			DriverOpts: map[string]string{
+				"beep": "boop",
+			},
+		},
+	},
+}
+
+func TestParseYAML(t *testing.T) {
+	dict, err := ParseYAML([]byte(sampleYAML))
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(sampleDict, dict))
+}
+
+func TestLoad(t *testing.T) {
+	actual, err := Load(buildConfigDetails(sampleDict, nil))
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(sampleConfig.Version, actual.Version))
+	assert.Check(t, is.DeepEqual(serviceSort(sampleConfig.Services), serviceSort(actual.Services)))
+	assert.Check(t, is.DeepEqual(sampleConfig.Networks, actual.Networks))
+	assert.Check(t, is.DeepEqual(sampleConfig.Volumes, actual.Volumes))
+}
+
+func TestLoadExtras(t *testing.T) {
+	actual, err := loadYAML(`
+version: "3.7"
+services:
+  foo:
+    image: busybox
+    x-foo: bar`)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(actual.Services, 1))
+	service := actual.Services[0]
+	assert.Check(t, is.Equal("busybox", service.Image))
+	extras := map[string]interface{}{
+		"x-foo": "bar",
+	}
+	assert.Check(t, is.DeepEqual(extras, service.Extras))
+}
+
+func TestLoadV31(t *testing.T) {
+	actual, err := loadYAML(`
+version: "3.1"
+services:
+  foo:
+    image: busybox
+    secrets: [super]
+secrets:
+  super:
+    external: true
+`)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(actual.Services, 1))
+	assert.Check(t, is.Len(actual.Secrets, 1))
+}
+
+func TestLoadV33(t *testing.T) {
+	actual, err := loadYAML(`
+version: "3.3"
+services:
+  foo:
+    image: busybox
+    credential_spec:
+      File: "/foo"
+    configs: [super]
+configs:
+  super:
+    external: true
+`)
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(actual.Services, 1))
+	assert.Check(t, is.Equal(actual.Services[0].CredentialSpec.File, "/foo"))
+	assert.Assert(t, is.Len(actual.Configs, 1))
+}
+
+func TestParseAndLoad(t *testing.T) {
+	actual, err := loadYAML(sampleYAML)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(serviceSort(sampleConfig.Services), serviceSort(actual.Services)))
+	assert.Check(t, is.DeepEqual(sampleConfig.Networks, actual.Networks))
+	assert.Check(t, is.DeepEqual(sampleConfig.Volumes, actual.Volumes))
+}
+
+func TestInvalidTopLevelObjectType(t *testing.T) {
+	_, err := loadYAML("1")
+	assert.ErrorContains(t, err, "Top-level object must be a mapping")
+
+	_, err = loadYAML("\"hello\"")
+	assert.ErrorContains(t, err, "Top-level object must be a mapping")
+
+	_, err = loadYAML("[\"hello\"]")
+	assert.ErrorContains(t, err, "Top-level object must be a mapping")
+}
+
+func TestNonStringKeys(t *testing.T) {
+	_, err := loadYAML(`
+version: "3"
+123:
+  foo:
+    image: busybox
+`)
+	assert.ErrorContains(t, err, "Non-string key at top level: 123")
+
+	_, err = loadYAML(`
+version: "3"
+services:
+  foo:
+    image: busybox
+  123:
+    image: busybox
+`)
+	assert.ErrorContains(t, err, "Non-string key in services: 123")
+
+	_, err = loadYAML(`
+version: "3"
+services:
+  foo:
+    image: busybox
+networks:
+  default:
+    ipam:
+      config:
+        - 123: oh dear
+`)
+	assert.ErrorContains(t, err, "Non-string key in networks.default.ipam.config[0]: 123")
+
+	_, err = loadYAML(`
+version: "3"
+services:
+  dict-env:
+    image: busybox
+    environment:
+      1: FOO
+`)
+	assert.ErrorContains(t, err, "Non-string key in services.dict-env.environment: 1")
+}
+
+func TestSupportedVersion(t *testing.T) {
+	_, err := loadYAML(`
+version: "3"
+services:
+  foo:
+    image: busybox
+`)
+	assert.NilError(t, err)
+
+	_, err = loadYAML(`
+version: "3.0"
+services:
+  foo:
+    image: busybox
+`)
+	assert.NilError(t, err)
+}
+
+func TestUnsupportedVersion(t *testing.T) {
+	_, err := loadYAML(`
+version: "2"
+services:
+  foo:
+    image: busybox
+`)
+	assert.ErrorContains(t, err, "version")
+
+	_, err = loadYAML(`
+version: "2.0"
+services:
+  foo:
+    image: busybox
+`)
+	assert.ErrorContains(t, err, "version")
+}
+
+func TestInvalidVersion(t *testing.T) {
+	_, err := loadYAML(`
+version: 3
+services:
+  foo:
+    image: busybox
+`)
+	assert.ErrorContains(t, err, "version must be a string")
+}
+
+func TestV1Unsupported(t *testing.T) {
+	_, err := loadYAML(`
+foo:
+  image: busybox
+`)
+	assert.ErrorContains(t, err, "unsupported Compose file version: 1.0")
+}
+
+func TestNonMappingObject(t *testing.T) {
+	_, err := loadYAML(`
+version: "3"
+services:
+  - foo:
+      image: busybox
+`)
+	assert.ErrorContains(t, err, "services must be a mapping")
+
+	_, err = loadYAML(`
+version: "3"
+services:
+  foo: busybox
+`)
+	assert.ErrorContains(t, err, "services.foo must be a mapping")
+
+	_, err = loadYAML(`
+version: "3"
+networks:
+  - default:
+      driver: bridge
+`)
+	assert.ErrorContains(t, err, "networks must be a mapping")
+
+	_, err = loadYAML(`
+version: "3"
+networks:
+  default: bridge
+`)
+	assert.ErrorContains(t, err, "networks.default must be a mapping")
+
+	_, err = loadYAML(`
+version: "3"
+volumes:
+  - data:
+      driver: local
+`)
+	assert.ErrorContains(t, err, "volumes must be a mapping")
+
+	_, err = loadYAML(`
+version: "3"
+volumes:
+  data: local
+`)
+	assert.ErrorContains(t, err, "volumes.data must be a mapping")
+}
+
+func TestNonStringImage(t *testing.T) {
+	_, err := loadYAML(`
+version: "3"
+services:
+  foo:
+    image: ["busybox", "latest"]
+`)
+	assert.ErrorContains(t, err, "services.foo.image must be a string")
+}
+
+func TestLoadWithEnvironment(t *testing.T) {
+	config, err := loadYAMLWithEnv(`
+version: "3"
+services:
+  dict-env:
+    image: busybox
+    environment:
+      FOO: "1"
+      BAR: 2
+      BAZ: 2.5
+      QUX:
+      QUUX:
+  list-env:
+    image: busybox
+    environment:
+      - FOO=1
+      - BAR=2
+      - BAZ=2.5
+      - QUX=
+      - QUUX
+`, map[string]string{"QUX": "qux"})
+	assert.NilError(t, err)
+
+	expected := types.MappingWithEquals{
+		"FOO":  strPtr("1"),
+		"BAR":  strPtr("2"),
+		"BAZ":  strPtr("2.5"),
+		"QUX":  strPtr("qux"),
+		"QUUX": nil,
+	}
+
+	assert.Check(t, is.Equal(2, len(config.Services)))
+
+	for _, service := range config.Services {
+		assert.Check(t, is.DeepEqual(expected, service.Environment))
+	}
+}
+
+func TestInvalidEnvironmentValue(t *testing.T) {
+	_, err := loadYAML(`
+version: "3"
+services:
+  dict-env:
+    image: busybox
+    environment:
+      FOO: ["1"]
+`)
+	assert.ErrorContains(t, err, "services.dict-env.environment.FOO must be a string, number or null")
+}
+
+func TestInvalidEnvironmentObject(t *testing.T) {
+	_, err := loadYAML(`
+version: "3"
+services:
+  dict-env:
+    image: busybox
+    environment: "FOO=1"
+`)
+	assert.ErrorContains(t, err, "services.dict-env.environment must be a mapping")
+}
+
+func TestLoadWithEnvironmentInterpolation(t *testing.T) {
+	home := "/home/foo"
+	config, err := loadYAMLWithEnv(`
+version: "3"
+services:
+  test:
+    image: busybox
+    labels:
+      - home1=$HOME
+      - home2=${HOME}
+      - nonexistent=$NONEXISTENT
+      - default=${NONEXISTENT-default}
+networks:
+  test:
+    driver: $HOME
+volumes:
+  test:
+    driver: $HOME
+`, map[string]string{
+		"HOME": home,
+		"FOO":  "foo",
+	})
+
+	assert.NilError(t, err)
+
+	expectedLabels := types.Labels{
+		"home1":       home,
+		"home2":       home,
+		"nonexistent": "",
+		"default":     "default",
+	}
+
+	assert.Check(t, is.DeepEqual(expectedLabels, config.Services[0].Labels))
+	assert.Check(t, is.Equal(home, config.Networks["test"].Driver))
+	assert.Check(t, is.Equal(home, config.Volumes["test"].Driver))
+}
+
+func TestLoadWithInterpolationCastFull(t *testing.T) {
+	dict, err := ParseYAML([]byte(`
+version: "3.4"
+services:
+  web:
+    configs:
+      - source: appconfig
+        mode: $theint
+    secrets:
+      - source: super
+        mode: $theint
+    healthcheck:
+      retries: ${theint}
+      disable: $thebool
+    deploy:
+      replicas: $theint
+      update_config:
+        parallelism: $theint
+        max_failure_ratio: $thefloat
+      restart_policy:
+        max_attempts: $theint
+    ports:
+      - $theint
+      - "34567"
+      - target: $theint
+        published: $theint
+    ulimits:
+      nproc: $theint
+      nofile:
+        hard: $theint
+        soft: $theint
+    privileged: $thebool
+    read_only: $thebool
+    stdin_open: ${thebool}
+    tty: $thebool
+    volumes:
+      - source: data
+        type: volume
+        read_only: $thebool
+        volume:
+          nocopy: $thebool
+
+configs:
+  appconfig:
+    external: $thebool
+secrets:
+  super:
+    external: $thebool
+volumes:
+  data:
+    external: $thebool
+networks:
+  front:
+    external: $thebool
+    internal: $thebool
+    attachable: $thebool
+
+`))
+	assert.NilError(t, err)
+	env := map[string]string{
+		"theint":   "555",
+		"thefloat": "3.14",
+		"thebool":  "true",
+	}
+
+	config, err := Load(buildConfigDetails(dict, env))
+	assert.NilError(t, err)
+	expected := &types.Config{
+		Filename: "filename.yml",
+		Version:  "3.4",
+		Services: []types.ServiceConfig{
+			{
+				Name: "web",
+				Configs: []types.ServiceConfigObjConfig{
+					{
+						Source: "appconfig",
+						Mode:   uint32Ptr(555),
+					},
+				},
+				Secrets: []types.ServiceSecretConfig{
+					{
+						Source: "super",
+						Mode:   uint32Ptr(555),
+					},
+				},
+				HealthCheck: &types.HealthCheckConfig{
+					Retries: uint64Ptr(555),
+					Disable: true,
+				},
+				Deploy: types.DeployConfig{
+					Replicas: uint64Ptr(555),
+					UpdateConfig: &types.UpdateConfig{
+						Parallelism:     uint64Ptr(555),
+						MaxFailureRatio: 3.14,
+					},
+					RestartPolicy: &types.RestartPolicy{
+						MaxAttempts: uint64Ptr(555),
+					},
+				},
+				Ports: []types.ServicePortConfig{
+					{Target: 555, Mode: "ingress", Protocol: "tcp"},
+					{Target: 34567, Mode: "ingress", Protocol: "tcp"},
+					{Target: 555, Published: 555},
+				},
+				Ulimits: map[string]*types.UlimitsConfig{
+					"nproc":  {Single: 555},
+					"nofile": {Hard: 555, Soft: 555},
+				},
+				Privileged: true,
+				ReadOnly:   true,
+				StdinOpen:  true,
+				Tty:        true,
+				Volumes: []types.ServiceVolumeConfig{
+					{
+						Source:   "data",
+						Type:     "volume",
+						ReadOnly: true,
+						Volume:   &types.ServiceVolumeVolume{NoCopy: true},
+					},
+				},
+				Environment: types.MappingWithEquals{},
+			},
+		},
+		Configs: map[string]types.ConfigObjConfig{
+			"appconfig": {External: types.External{External: true}, Name: "appconfig"},
+		},
+		Secrets: map[string]types.SecretConfig{
+			"super": {External: types.External{External: true}, Name: "super"},
+		},
+		Volumes: map[string]types.VolumeConfig{
+			"data": {External: types.External{External: true}, Name: "data"},
+		},
+		Networks: map[string]types.NetworkConfig{
+			"front": {
+				External:   types.External{External: true},
+				Name:       "front",
+				Internal:   true,
+				Attachable: true,
+			},
+		},
+	}
+
+	assert.Check(t, is.DeepEqual(expected, config))
+}
+
+func TestUnsupportedProperties(t *testing.T) {
+	dict, err := ParseYAML([]byte(`
+version: "3"
+services:
+  web:
+    image: web
+    build:
+     context: ./web
+    links:
+      - bar
+    pid: host
+  db:
+    image: db
+    build:
+     context: ./db
+`))
+	assert.NilError(t, err)
+
+	configDetails := buildConfigDetails(dict, nil)
+
+	_, err = Load(configDetails)
+	assert.NilError(t, err)
+
+	unsupported := GetUnsupportedProperties(dict)
+	assert.Check(t, is.DeepEqual([]string{"build", "links", "pid"}, unsupported))
+}
+
+func TestBuildProperties(t *testing.T) {
+	dict, err := ParseYAML([]byte(`
+version: "3"
+services:
+  web:
+    image: web
+    build: .
+    links:
+      - bar
+  db:
+    image: db
+    build:
+     context: ./db
+`))
+	assert.NilError(t, err)
+	configDetails := buildConfigDetails(dict, nil)
+	_, err = Load(configDetails)
+	assert.NilError(t, err)
+}
+
+func TestDeprecatedProperties(t *testing.T) {
+	dict, err := ParseYAML([]byte(`
+version: "3"
+services:
+  web:
+    image: web
+    container_name: web
+  db:
+    image: db
+    container_name: db
+    expose: ["5434"]
+`))
+	assert.NilError(t, err)
+
+	configDetails := buildConfigDetails(dict, nil)
+
+	_, err = Load(configDetails)
+	assert.NilError(t, err)
+
+	deprecated := GetDeprecatedProperties(dict)
+	assert.Check(t, is.Len(deprecated, 2))
+	assert.Check(t, is.Contains(deprecated, "container_name"))
+	assert.Check(t, is.Contains(deprecated, "expose"))
+}
+
+func TestForbiddenProperties(t *testing.T) {
+	_, err := loadYAML(`
+version: "3"
+services:
+  foo:
+    image: busybox
+    volumes:
+      - /data
+    volume_driver: some-driver
+  bar:
+    extends:
+      service: foo
+`)
+
+	assert.ErrorType(t, err, reflect.TypeOf(&ForbiddenPropertiesError{}))
+
+	props := err.(*ForbiddenPropertiesError).Properties
+	assert.Check(t, is.Len(props, 2))
+	assert.Check(t, is.Contains(props, "volume_driver"))
+	assert.Check(t, is.Contains(props, "extends"))
+}
+
+func TestInvalidResource(t *testing.T) {
+	_, err := loadYAML(`
+        version: "3"
+        services:
+          foo:
+            image: busybox
+            deploy:
+              resources:
+                impossible:
+                  x: 1
+`)
+	assert.ErrorContains(t, err, "Additional property impossible is not allowed")
+}
+
+func TestInvalidExternalAndDriverCombination(t *testing.T) {
+	_, err := loadYAML(`
+version: "3"
+volumes:
+  external_volume:
+    external: true
+    driver: foobar
+`)
+
+	assert.ErrorContains(t, err, "conflicting parameters \"external\" and \"driver\" specified for volume")
+	assert.ErrorContains(t, err, "external_volume")
+}
+
+func TestInvalidExternalAndDirverOptsCombination(t *testing.T) {
+	_, err := loadYAML(`
+version: "3"
+volumes:
+  external_volume:
+    external: true
+    driver_opts:
+      beep: boop
+`)
+
+	assert.ErrorContains(t, err, "conflicting parameters \"external\" and \"driver_opts\" specified for volume")
+	assert.ErrorContains(t, err, "external_volume")
+}
+
+func TestInvalidExternalAndLabelsCombination(t *testing.T) {
+	_, err := loadYAML(`
+version: "3"
+volumes:
+  external_volume:
+    external: true
+    labels:
+      - beep=boop
+`)
+
+	assert.ErrorContains(t, err, "conflicting parameters \"external\" and \"labels\" specified for volume")
+	assert.ErrorContains(t, err, "external_volume")
+}
+
+func TestLoadVolumeInvalidExternalNameAndNameCombination(t *testing.T) {
+	_, err := loadYAML(`
+version: "3.4"
+volumes:
+  external_volume:
+    name: user_specified_name
+    external:
+      name:	external_name
+`)
+
+	assert.ErrorContains(t, err, "volume.external.name and volume.name conflict; only use volume.name")
+	assert.ErrorContains(t, err, "external_volume")
+}
+
+func durationPtr(value time.Duration) *time.Duration {
+	return &value
+}
+
+func uint64Ptr(value uint64) *uint64 {
+	return &value
+}
+
+func uint32Ptr(value uint32) *uint32 {
+	return &value
+}
+
+func TestFullExample(t *testing.T) {
+	bytes, err := ioutil.ReadFile("full-example.yml")
+	assert.NilError(t, err)
+
+	homeDir := "/home/foo"
+	env := map[string]string{"HOME": homeDir, "QUX": "qux_from_environment"}
+	config, err := loadYAMLWithEnv(string(bytes), env)
+	assert.NilError(t, err)
+
+	workingDir, err := os.Getwd()
+	assert.NilError(t, err)
+
+	expectedConfig := fullExampleConfig(workingDir, homeDir)
+
+	assert.Check(t, is.DeepEqual(expectedConfig.Services, config.Services))
+	assert.Check(t, is.DeepEqual(expectedConfig.Networks, config.Networks))
+	assert.Check(t, is.DeepEqual(expectedConfig.Volumes, config.Volumes))
+	assert.Check(t, is.DeepEqual(expectedConfig.Secrets, config.Secrets))
+	assert.Check(t, is.DeepEqual(expectedConfig.Configs, config.Configs))
+	assert.Check(t, is.DeepEqual(expectedConfig.Extras, config.Extras))
+}
+
+func TestLoadTmpfsVolume(t *testing.T) {
+	config, err := loadYAML(`
+version: "3.6"
+services:
+  tmpfs:
+    image: nginx:latest
+    volumes:
+      - type: tmpfs
+        target: /app
+        tmpfs:
+          size: 10000
+`)
+	assert.NilError(t, err)
+
+	expected := types.ServiceVolumeConfig{
+		Target: "/app",
+		Type:   "tmpfs",
+		Tmpfs: &types.ServiceVolumeTmpfs{
+			Size: int64(10000),
+		},
+	}
+
+	assert.Assert(t, is.Len(config.Services, 1))
+	assert.Check(t, is.Len(config.Services[0].Volumes, 1))
+	assert.Check(t, is.DeepEqual(expected, config.Services[0].Volumes[0]))
+}
+
+func TestLoadTmpfsVolumeAdditionalPropertyNotAllowed(t *testing.T) {
+	_, err := loadYAML(`
+version: "3.5"
+services:
+  tmpfs:
+    image: nginx:latest
+    volumes:
+      - type: tmpfs
+        target: /app
+        tmpfs:
+          size: 10000
+`)
+	assert.ErrorContains(t, err, "services.tmpfs.volumes.0 Additional property tmpfs is not allowed")
+}
+
+func TestLoadBindMountSourceMustNotBeEmpty(t *testing.T) {
+	_, err := loadYAML(`
+version: "3.5"
+services:
+  tmpfs:
+    image: nginx:latest
+    volumes:
+      - type: bind
+        target: /app
+`)
+	assert.Error(t, err, `invalid mount config for type "bind": field Source must not be empty`)
+}
+
+func TestLoadBindMountWithSource(t *testing.T) {
+	config, err := loadYAML(`
+version: "3.5"
+services:
+  bind:
+    image: nginx:latest
+    volumes:
+      - type: bind
+        target: /app
+        source: "."
+`)
+	assert.NilError(t, err)
+
+	workingDir, err := os.Getwd()
+	assert.NilError(t, err)
+
+	expected := types.ServiceVolumeConfig{
+		Type:   "bind",
+		Source: workingDir,
+		Target: "/app",
+	}
+
+	assert.Assert(t, is.Len(config.Services, 1))
+	assert.Check(t, is.Len(config.Services[0].Volumes, 1))
+	assert.Check(t, is.DeepEqual(expected, config.Services[0].Volumes[0]))
+}
+
+func TestLoadTmpfsVolumeSizeCanBeZero(t *testing.T) {
+	config, err := loadYAML(`
+version: "3.6"
+services:
+  tmpfs:
+    image: nginx:latest
+    volumes:
+      - type: tmpfs
+        target: /app
+        tmpfs:
+          size: 0
+`)
+	assert.NilError(t, err)
+
+	expected := types.ServiceVolumeConfig{
+		Target: "/app",
+		Type:   "tmpfs",
+		Tmpfs:  &types.ServiceVolumeTmpfs{},
+	}
+
+	assert.Assert(t, is.Len(config.Services, 1))
+	assert.Check(t, is.Len(config.Services[0].Volumes, 1))
+	assert.Check(t, is.DeepEqual(expected, config.Services[0].Volumes[0]))
+}
+
+func TestLoadTmpfsVolumeSizeMustBeGTEQZero(t *testing.T) {
+	_, err := loadYAML(`
+version: "3.6"
+services:
+  tmpfs:
+    image: nginx:latest
+    volumes:
+      - type: tmpfs
+        target: /app
+        tmpfs:
+          size: -1
+`)
+	assert.ErrorContains(t, err, "services.tmpfs.volumes.0.tmpfs.size Must be greater than or equal to 0")
+}
+
+func TestLoadTmpfsVolumeSizeMustBeInteger(t *testing.T) {
+	_, err := loadYAML(`
+version: "3.6"
+services:
+  tmpfs:
+    image: nginx:latest
+    volumes:
+      - type: tmpfs
+        target: /app
+        tmpfs:
+          size: 0.0001
+`)
+	assert.ErrorContains(t, err, "services.tmpfs.volumes.0.tmpfs.size must be a integer")
+}
+
+func serviceSort(services []types.ServiceConfig) []types.ServiceConfig {
+	sort.Sort(servicesByName(services))
+	return services
+}
+
+type servicesByName []types.ServiceConfig
+
+func (sbn servicesByName) Len() int           { return len(sbn) }
+func (sbn servicesByName) Swap(i, j int)      { sbn[i], sbn[j] = sbn[j], sbn[i] }
+func (sbn servicesByName) Less(i, j int) bool { return sbn[i].Name < sbn[j].Name }
+
+func TestLoadAttachableNetwork(t *testing.T) {
+	config, err := loadYAML(`
+version: "3.2"
+networks:
+  mynet1:
+    driver: overlay
+    attachable: true
+  mynet2:
+    driver: bridge
+`)
+	assert.NilError(t, err)
+
+	expected := map[string]types.NetworkConfig{
+		"mynet1": {
+			Driver:     "overlay",
+			Attachable: true,
+		},
+		"mynet2": {
+			Driver:     "bridge",
+			Attachable: false,
+		},
+	}
+
+	assert.Check(t, is.DeepEqual(expected, config.Networks))
+}
+
+func TestLoadExpandedPortFormat(t *testing.T) {
+	config, err := loadYAML(`
+version: "3.2"
+services:
+  web:
+    image: busybox
+    ports:
+      - "80-82:8080-8082"
+      - "90-92:8090-8092/udp"
+      - "85:8500"
+      - 8600
+      - protocol: udp
+        target: 53
+        published: 10053
+      - mode: host
+        target: 22
+        published: 10022
+`)
+	assert.NilError(t, err)
+
+	expected := []types.ServicePortConfig{
+		{
+			Mode:      "ingress",
+			Target:    8080,
+			Published: 80,
+			Protocol:  "tcp",
+		},
+		{
+			Mode:      "ingress",
+			Target:    8081,
+			Published: 81,
+			Protocol:  "tcp",
+		},
+		{
+			Mode:      "ingress",
+			Target:    8082,
+			Published: 82,
+			Protocol:  "tcp",
+		},
+		{
+			Mode:      "ingress",
+			Target:    8090,
+			Published: 90,
+			Protocol:  "udp",
+		},
+		{
+			Mode:      "ingress",
+			Target:    8091,
+			Published: 91,
+			Protocol:  "udp",
+		},
+		{
+			Mode:      "ingress",
+			Target:    8092,
+			Published: 92,
+			Protocol:  "udp",
+		},
+		{
+			Mode:      "ingress",
+			Target:    8500,
+			Published: 85,
+			Protocol:  "tcp",
+		},
+		{
+			Mode:      "ingress",
+			Target:    8600,
+			Published: 0,
+			Protocol:  "tcp",
+		},
+		{
+			Target:    53,
+			Published: 10053,
+			Protocol:  "udp",
+		},
+		{
+			Mode:      "host",
+			Target:    22,
+			Published: 10022,
+		},
+	}
+
+	assert.Check(t, is.Len(config.Services, 1))
+	assert.Check(t, is.DeepEqual(expected, config.Services[0].Ports))
+}
+
+func TestLoadExpandedMountFormat(t *testing.T) {
+	config, err := loadYAML(`
+version: "3.2"
+services:
+  web:
+    image: busybox
+    volumes:
+      - type: volume
+        source: foo
+        target: /target
+        read_only: true
+volumes:
+  foo: {}
+`)
+	assert.NilError(t, err)
+
+	expected := types.ServiceVolumeConfig{
+		Type:     "volume",
+		Source:   "foo",
+		Target:   "/target",
+		ReadOnly: true,
+	}
+
+	assert.Assert(t, is.Len(config.Services, 1))
+	assert.Check(t, is.Len(config.Services[0].Volumes, 1))
+	assert.Check(t, is.DeepEqual(expected, config.Services[0].Volumes[0]))
+}
+
+func TestLoadExtraHostsMap(t *testing.T) {
+	config, err := loadYAML(`
+version: "3.2"
+services:
+  web:
+    image: busybox
+    extra_hosts:
+      "zulu": "162.242.195.82"
+      "alpha": "50.31.209.229"
+`)
+	assert.NilError(t, err)
+
+	expected := types.HostsList{
+		"alpha:50.31.209.229",
+		"zulu:162.242.195.82",
+	}
+
+	assert.Assert(t, is.Len(config.Services, 1))
+	assert.Check(t, is.DeepEqual(expected, config.Services[0].ExtraHosts))
+}
+
+func TestLoadExtraHostsList(t *testing.T) {
+	config, err := loadYAML(`
+version: "3.2"
+services:
+  web:
+    image: busybox
+    extra_hosts:
+      - "zulu:162.242.195.82"
+      - "alpha:50.31.209.229"
+      - "zulu:ff02::1"
+`)
+	assert.NilError(t, err)
+
+	expected := types.HostsList{
+		"zulu:162.242.195.82",
+		"alpha:50.31.209.229",
+		"zulu:ff02::1",
+	}
+
+	assert.Assert(t, is.Len(config.Services, 1))
+	assert.Check(t, is.DeepEqual(expected, config.Services[0].ExtraHosts))
+}
+
+func TestLoadVolumesWarnOnDeprecatedExternalNameVersion34(t *testing.T) {
+	buf, cleanup := patchLogrus()
+	defer cleanup()
+
+	source := map[string]interface{}{
+		"foo": map[string]interface{}{
+			"external": map[string]interface{}{
+				"name": "oops",
+			},
+		},
+	}
+	volumes, err := LoadVolumes(source, "3.4")
+	assert.NilError(t, err)
+	expected := map[string]types.VolumeConfig{
+		"foo": {
+			Name:     "oops",
+			External: types.External{External: true},
+		},
+	}
+	assert.Check(t, is.DeepEqual(expected, volumes))
+	assert.Check(t, is.Contains(buf.String(), "volume.external.name is deprecated"))
+
+}
+
+func patchLogrus() (*bytes.Buffer, func()) {
+	buf := new(bytes.Buffer)
+	out := logrus.StandardLogger().Out
+	logrus.SetOutput(buf)
+	return buf, func() { logrus.SetOutput(out) }
+}
+
+func TestLoadVolumesWarnOnDeprecatedExternalNameVersion33(t *testing.T) {
+	buf, cleanup := patchLogrus()
+	defer cleanup()
+
+	source := map[string]interface{}{
+		"foo": map[string]interface{}{
+			"external": map[string]interface{}{
+				"name": "oops",
+			},
+		},
+	}
+	volumes, err := LoadVolumes(source, "3.3")
+	assert.NilError(t, err)
+	expected := map[string]types.VolumeConfig{
+		"foo": {
+			Name:     "oops",
+			External: types.External{External: true},
+		},
+	}
+	assert.Check(t, is.DeepEqual(expected, volumes))
+	assert.Check(t, is.Equal("", buf.String()))
+}
+
+func TestLoadV35(t *testing.T) {
+	actual, err := loadYAML(`
+version: "3.5"
+services:
+  foo:
+    image: busybox
+    isolation: process
+configs:
+  foo:
+    name: fooqux
+    external: true
+  bar:
+    name: barqux
+    file: ./example1.env
+secrets:
+  foo:
+    name: fooqux
+    external: true
+  bar:
+    name: barqux
+    file: ./full-example.yml
+`)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(actual.Services, 1))
+	assert.Check(t, is.Len(actual.Secrets, 2))
+	assert.Check(t, is.Len(actual.Configs, 2))
+	assert.Check(t, is.Equal("process", actual.Services[0].Isolation))
+}
+
+func TestLoadV35InvalidIsolation(t *testing.T) {
+	// validation should be done only on the daemon side
+	actual, err := loadYAML(`
+version: "3.5"
+services:
+  foo:
+    image: busybox
+    isolation: invalid
+configs:
+  super:
+    external: true
+`)
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(actual.Services, 1))
+	assert.Check(t, is.Equal("invalid", actual.Services[0].Isolation))
+}
+
+func TestLoadSecretInvalidExternalNameAndNameCombination(t *testing.T) {
+	_, err := loadYAML(`
+version: "3.5"
+secrets:
+  external_secret:
+    name: user_specified_name
+    external:
+      name:	external_name
+`)
+
+	assert.ErrorContains(t, err, "secret.external.name and secret.name conflict; only use secret.name")
+	assert.ErrorContains(t, err, "external_secret")
+}
+
+func TestLoadSecretsWarnOnDeprecatedExternalNameVersion35(t *testing.T) {
+	buf, cleanup := patchLogrus()
+	defer cleanup()
+
+	source := map[string]interface{}{
+		"foo": map[string]interface{}{
+			"external": map[string]interface{}{
+				"name": "oops",
+			},
+		},
+	}
+	details := types.ConfigDetails{
+		Version: "3.5",
+	}
+	secrets, err := LoadSecrets(source, details)
+	assert.NilError(t, err)
+	expected := map[string]types.SecretConfig{
+		"foo": {
+			Name:     "oops",
+			External: types.External{External: true},
+		},
+	}
+	assert.Check(t, is.DeepEqual(expected, secrets))
+	assert.Check(t, is.Contains(buf.String(), "secret.external.name is deprecated"))
+}
+
+func TestLoadNetworksWarnOnDeprecatedExternalNameVersion35(t *testing.T) {
+	buf, cleanup := patchLogrus()
+	defer cleanup()
+
+	source := map[string]interface{}{
+		"foo": map[string]interface{}{
+			"external": map[string]interface{}{
+				"name": "oops",
+			},
+		},
+	}
+	networks, err := LoadNetworks(source, "3.5")
+	assert.NilError(t, err)
+	expected := map[string]types.NetworkConfig{
+		"foo": {
+			Name:     "oops",
+			External: types.External{External: true},
+		},
+	}
+	assert.Check(t, is.DeepEqual(expected, networks))
+	assert.Check(t, is.Contains(buf.String(), "network.external.name is deprecated"))
+
+}
+
+func TestLoadNetworksWarnOnDeprecatedExternalNameVersion34(t *testing.T) {
+	buf, cleanup := patchLogrus()
+	defer cleanup()
+
+	source := map[string]interface{}{
+		"foo": map[string]interface{}{
+			"external": map[string]interface{}{
+				"name": "oops",
+			},
+		},
+	}
+	networks, err := LoadNetworks(source, "3.4")
+	assert.NilError(t, err)
+	expected := map[string]types.NetworkConfig{
+		"foo": {
+			Name:     "oops",
+			External: types.External{External: true},
+		},
+	}
+	assert.Check(t, is.DeepEqual(expected, networks))
+	assert.Check(t, is.Equal("", buf.String()))
+}
+
+func TestLoadNetworkInvalidExternalNameAndNameCombination(t *testing.T) {
+	_, err := loadYAML(`
+version: "3.5"
+networks:
+  foo:
+    name: user_specified_name
+    external:
+      name:	external_name
+`)
+
+	assert.ErrorContains(t, err, "network.external.name and network.name conflict; only use network.name")
+	assert.ErrorContains(t, err, "foo")
+}
+
+func TestLoadNetworkWithName(t *testing.T) {
+	config, err := loadYAML(`
+version: '3.5'
+services:
+  hello-world:
+    image: redis:alpine
+    networks:
+      - network1
+      - network3
+
+networks:
+  network1:
+    name: network2
+  network3:
+`)
+	assert.NilError(t, err)
+	expected := &types.Config{
+		Filename: "filename.yml",
+		Version:  "3.5",
+		Services: types.Services{
+			{
+				Name:  "hello-world",
+				Image: "redis:alpine",
+				Networks: map[string]*types.ServiceNetworkConfig{
+					"network1": nil,
+					"network3": nil,
+				},
+			},
+		},
+		Networks: map[string]types.NetworkConfig{
+			"network1": {Name: "network2"},
+			"network3": {},
+		},
+	}
+	assert.DeepEqual(t, config, expected, cmpopts.EquateEmpty())
+}
+
+func TestLoadInit(t *testing.T) {
+	booleanTrue := true
+	booleanFalse := false
+
+	var testcases = []struct {
+		doc  string
+		yaml string
+		init *bool
+	}{
+		{
+			doc: "no init defined",
+			yaml: `
+version: '3.7'
+services:
+  foo:
+    image: alpine`,
+		},
+		{
+			doc: "has true init",
+			yaml: `
+version: '3.7'
+services:
+  foo:
+    image: alpine
+    init: true`,
+			init: &booleanTrue,
+		},
+		{
+			doc: "has false init",
+			yaml: `
+version: '3.7'
+services:
+  foo:
+    image: alpine
+    init: false`,
+			init: &booleanFalse,
+		},
+	}
+	for _, testcase := range testcases {
+		t.Run(testcase.doc, func(t *testing.T) {
+			config, err := loadYAML(testcase.yaml)
+			assert.NilError(t, err)
+			assert.Check(t, is.Len(config.Services, 1))
+			assert.Check(t, is.DeepEqual(config.Services[0].Init, testcase.init))
+		})
+	}
+}
diff --git a/cli/cli/compose/loader/merge.go b/cli/cli/compose/loader/merge.go
new file mode 100644
index 00000000..24b74ffb
--- /dev/null
+++ b/cli/cli/compose/loader/merge.go
@@ -0,0 +1,233 @@
+package loader
+
+import (
+	"reflect"
+	"sort"
+
+	"github.com/docker/cli/cli/compose/types"
+	"github.com/imdario/mergo"
+	"github.com/pkg/errors"
+)
+
+type specials struct {
+	m map[reflect.Type]func(dst, src reflect.Value) error
+}
+
+func (s *specials) Transformer(t reflect.Type) func(dst, src reflect.Value) error {
+	if fn, ok := s.m[t]; ok {
+		return fn
+	}
+	return nil
+}
+
+func merge(configs []*types.Config) (*types.Config, error) {
+	base := configs[0]
+	for _, override := range configs[1:] {
+		var err error
+		base.Services, err = mergeServices(base.Services, override.Services)
+		if err != nil {
+			return base, errors.Wrapf(err, "cannot merge services from %s", override.Filename)
+		}
+		base.Volumes, err = mergeVolumes(base.Volumes, override.Volumes)
+		if err != nil {
+			return base, errors.Wrapf(err, "cannot merge volumes from %s", override.Filename)
+		}
+		base.Networks, err = mergeNetworks(base.Networks, override.Networks)
+		if err != nil {
+			return base, errors.Wrapf(err, "cannot merge networks from %s", override.Filename)
+		}
+		base.Secrets, err = mergeSecrets(base.Secrets, override.Secrets)
+		if err != nil {
+			return base, errors.Wrapf(err, "cannot merge secrets from %s", override.Filename)
+		}
+		base.Configs, err = mergeConfigs(base.Configs, override.Configs)
+		if err != nil {
+			return base, errors.Wrapf(err, "cannot merge configs from %s", override.Filename)
+		}
+	}
+	return base, nil
+}
+
+func mergeServices(base, override []types.ServiceConfig) ([]types.ServiceConfig, error) {
+	baseServices := mapByName(base)
+	overrideServices := mapByName(override)
+	specials := &specials{
+		m: map[reflect.Type]func(dst, src reflect.Value) error{
+			reflect.TypeOf(&types.LoggingConfig{}):           safelyMerge(mergeLoggingConfig),
+			reflect.TypeOf([]types.ServicePortConfig{}):      mergeSlice(toServicePortConfigsMap, toServicePortConfigsSlice),
+			reflect.TypeOf([]types.ServiceSecretConfig{}):    mergeSlice(toServiceSecretConfigsMap, toServiceSecretConfigsSlice),
+			reflect.TypeOf([]types.ServiceConfigObjConfig{}): mergeSlice(toServiceConfigObjConfigsMap, toSServiceConfigObjConfigsSlice),
+		},
+	}
+	for name, overrideService := range overrideServices {
+		if baseService, ok := baseServices[name]; ok {
+			if err := mergo.Merge(&baseService, &overrideService, mergo.WithAppendSlice, mergo.WithOverride, mergo.WithTransformers(specials)); err != nil {
+				return base, errors.Wrapf(err, "cannot merge service %s", name)
+			}
+			baseServices[name] = baseService
+			continue
+		}
+		baseServices[name] = overrideService
+	}
+	services := []types.ServiceConfig{}
+	for _, baseService := range baseServices {
+		services = append(services, baseService)
+	}
+	sort.Slice(services, func(i, j int) bool { return services[i].Name < services[j].Name })
+	return services, nil
+}
+
+func toServiceSecretConfigsMap(s interface{}) (map[interface{}]interface{}, error) {
+	secrets, ok := s.([]types.ServiceSecretConfig)
+	if !ok {
+		return nil, errors.Errorf("not a serviceSecretConfig: %v", s)
+	}
+	m := map[interface{}]interface{}{}
+	for _, secret := range secrets {
+		m[secret.Source] = secret
+	}
+	return m, nil
+}
+
+func toServiceConfigObjConfigsMap(s interface{}) (map[interface{}]interface{}, error) {
+	secrets, ok := s.([]types.ServiceConfigObjConfig)
+	if !ok {
+		return nil, errors.Errorf("not a serviceSecretConfig: %v", s)
+	}
+	m := map[interface{}]interface{}{}
+	for _, secret := range secrets {
+		m[secret.Source] = secret
+	}
+	return m, nil
+}
+
+func toServicePortConfigsMap(s interface{}) (map[interface{}]interface{}, error) {
+	ports, ok := s.([]types.ServicePortConfig)
+	if !ok {
+		return nil, errors.Errorf("not a servicePortConfig slice: %v", s)
+	}
+	m := map[interface{}]interface{}{}
+	for _, p := range ports {
+		m[p.Published] = p
+	}
+	return m, nil
+}
+
+func toServiceSecretConfigsSlice(dst reflect.Value, m map[interface{}]interface{}) error {
+	s := []types.ServiceSecretConfig{}
+	for _, v := range m {
+		s = append(s, v.(types.ServiceSecretConfig))
+	}
+	sort.Slice(s, func(i, j int) bool { return s[i].Source < s[j].Source })
+	dst.Set(reflect.ValueOf(s))
+	return nil
+}
+
+func toSServiceConfigObjConfigsSlice(dst reflect.Value, m map[interface{}]interface{}) error {
+	s := []types.ServiceConfigObjConfig{}
+	for _, v := range m {
+		s = append(s, v.(types.ServiceConfigObjConfig))
+	}
+	sort.Slice(s, func(i, j int) bool { return s[i].Source < s[j].Source })
+	dst.Set(reflect.ValueOf(s))
+	return nil
+}
+
+func toServicePortConfigsSlice(dst reflect.Value, m map[interface{}]interface{}) error {
+	s := []types.ServicePortConfig{}
+	for _, v := range m {
+		s = append(s, v.(types.ServicePortConfig))
+	}
+	sort.Slice(s, func(i, j int) bool { return s[i].Published < s[j].Published })
+	dst.Set(reflect.ValueOf(s))
+	return nil
+}
+
+type tomapFn func(s interface{}) (map[interface{}]interface{}, error)
+type writeValueFromMapFn func(reflect.Value, map[interface{}]interface{}) error
+
+func safelyMerge(mergeFn func(dst, src reflect.Value) error) func(dst, src reflect.Value) error {
+	return func(dst, src reflect.Value) error {
+		if src.IsNil() {
+			return nil
+		}
+		if dst.IsNil() {
+			dst.Set(src)
+			return nil
+		}
+		return mergeFn(dst, src)
+	}
+}
+
+func mergeSlice(tomap tomapFn, writeValue writeValueFromMapFn) func(dst, src reflect.Value) error {
+	return func(dst, src reflect.Value) error {
+		dstMap, err := sliceToMap(tomap, dst)
+		if err != nil {
+			return err
+		}
+		srcMap, err := sliceToMap(tomap, src)
+		if err != nil {
+			return err
+		}
+		if err := mergo.Map(&dstMap, srcMap, mergo.WithOverride); err != nil {
+			return err
+		}
+		return writeValue(dst, dstMap)
+	}
+}
+
+func sliceToMap(tomap tomapFn, v reflect.Value) (map[interface{}]interface{}, error) {
+	// check if valid
+	if !v.IsValid() {
+		return nil, errors.Errorf("invalid value : %+v", v)
+	}
+	return tomap(v.Interface())
+}
+
+func mergeLoggingConfig(dst, src reflect.Value) error {
+	// Same driver, merging options
+	if getLoggingDriver(dst.Elem()) == getLoggingDriver(src.Elem()) ||
+		getLoggingDriver(dst.Elem()) == "" || getLoggingDriver(src.Elem()) == "" {
+		if getLoggingDriver(dst.Elem()) == "" {
+			dst.Elem().FieldByName("Driver").SetString(getLoggingDriver(src.Elem()))
+		}
+		dstOptions := dst.Elem().FieldByName("Options").Interface().(map[string]string)
+		srcOptions := src.Elem().FieldByName("Options").Interface().(map[string]string)
+		return mergo.Merge(&dstOptions, srcOptions, mergo.WithOverride)
+	}
+	// Different driver, override with src
+	dst.Set(src)
+	return nil
+}
+
+func getLoggingDriver(v reflect.Value) string {
+	return v.FieldByName("Driver").String()
+}
+
+func mapByName(services []types.ServiceConfig) map[string]types.ServiceConfig {
+	m := map[string]types.ServiceConfig{}
+	for _, service := range services {
+		m[service.Name] = service
+	}
+	return m
+}
+
+func mergeVolumes(base, override map[string]types.VolumeConfig) (map[string]types.VolumeConfig, error) {
+	err := mergo.Map(&base, &override, mergo.WithOverride)
+	return base, err
+}
+
+func mergeNetworks(base, override map[string]types.NetworkConfig) (map[string]types.NetworkConfig, error) {
+	err := mergo.Map(&base, &override, mergo.WithOverride)
+	return base, err
+}
+
+func mergeSecrets(base, override map[string]types.SecretConfig) (map[string]types.SecretConfig, error) {
+	err := mergo.Map(&base, &override, mergo.WithOverride)
+	return base, err
+}
+
+func mergeConfigs(base, override map[string]types.ConfigObjConfig) (map[string]types.ConfigObjConfig, error) {
+	err := mergo.Map(&base, &override, mergo.WithOverride)
+	return base, err
+}
diff --git a/cli/cli/compose/loader/merge_test.go b/cli/cli/compose/loader/merge_test.go
new file mode 100644
index 00000000..178d302d
--- /dev/null
+++ b/cli/cli/compose/loader/merge_test.go
@@ -0,0 +1,1016 @@
+package loader
+
+import (
+	"testing"
+
+	"github.com/docker/cli/cli/compose/types"
+	"gotest.tools/assert"
+)
+
+func TestLoadTwoDifferentVersion(t *testing.T) {
+	configDetails := types.ConfigDetails{
+		ConfigFiles: []types.ConfigFile{
+			{Filename: "base.yml", Config: map[string]interface{}{
+				"version": "3.1",
+			}},
+			{Filename: "override.yml", Config: map[string]interface{}{
+				"version": "3.4",
+			}},
+		},
+	}
+	_, err := Load(configDetails)
+	assert.Error(t, err, "version mismatched between two composefiles : 3.1 and 3.4")
+}
+
+func TestLoadLogging(t *testing.T) {
+	loggingCases := []struct {
+		name            string
+		loggingBase     map[string]interface{}
+		loggingOverride map[string]interface{}
+		expected        *types.LoggingConfig
+	}{
+		{
+			name: "no_override_driver",
+			loggingBase: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"driver": "json-file",
+					"options": map[string]interface{}{
+						"frequency": "2000",
+						"timeout":   "23",
+					},
+				},
+			},
+			loggingOverride: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"options": map[string]interface{}{
+						"timeout":      "360",
+						"pretty-print": "on",
+					},
+				},
+			},
+			expected: &types.LoggingConfig{
+				Driver: "json-file",
+				Options: map[string]string{
+					"frequency":    "2000",
+					"timeout":      "360",
+					"pretty-print": "on",
+				},
+			},
+		},
+		{
+			name: "override_driver",
+			loggingBase: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"driver": "json-file",
+					"options": map[string]interface{}{
+						"frequency": "2000",
+						"timeout":   "23",
+					},
+				},
+			},
+			loggingOverride: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"driver": "syslog",
+					"options": map[string]interface{}{
+						"timeout":      "360",
+						"pretty-print": "on",
+					},
+				},
+			},
+			expected: &types.LoggingConfig{
+				Driver: "syslog",
+				Options: map[string]string{
+					"timeout":      "360",
+					"pretty-print": "on",
+				},
+			},
+		},
+		{
+			name: "no_base_driver",
+			loggingBase: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"options": map[string]interface{}{
+						"frequency": "2000",
+						"timeout":   "23",
+					},
+				},
+			},
+			loggingOverride: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"driver": "json-file",
+					"options": map[string]interface{}{
+						"timeout":      "360",
+						"pretty-print": "on",
+					},
+				},
+			},
+			expected: &types.LoggingConfig{
+				Driver: "json-file",
+				Options: map[string]string{
+					"frequency":    "2000",
+					"timeout":      "360",
+					"pretty-print": "on",
+				},
+			},
+		},
+		{
+			name: "no_driver",
+			loggingBase: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"options": map[string]interface{}{
+						"frequency": "2000",
+						"timeout":   "23",
+					},
+				},
+			},
+			loggingOverride: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"options": map[string]interface{}{
+						"timeout":      "360",
+						"pretty-print": "on",
+					},
+				},
+			},
+			expected: &types.LoggingConfig{
+				Options: map[string]string{
+					"frequency":    "2000",
+					"timeout":      "360",
+					"pretty-print": "on",
+				},
+			},
+		},
+		{
+			name: "no_override_options",
+			loggingBase: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"driver": "json-file",
+					"options": map[string]interface{}{
+						"frequency": "2000",
+						"timeout":   "23",
+					},
+				},
+			},
+			loggingOverride: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"driver": "syslog",
+				},
+			},
+			expected: &types.LoggingConfig{
+				Driver: "syslog",
+			},
+		},
+		{
+			name:        "no_base",
+			loggingBase: map[string]interface{}{},
+			loggingOverride: map[string]interface{}{
+				"logging": map[string]interface{}{
+					"driver": "json-file",
+					"options": map[string]interface{}{
+						"frequency": "2000",
+					},
+				},
+			},
+			expected: &types.LoggingConfig{
+				Driver: "json-file",
+				Options: map[string]string{
+					"frequency": "2000",
+				},
+			},
+		},
+	}
+
+	for _, tc := range loggingCases {
+		t.Run(tc.name, func(t *testing.T) {
+			configDetails := types.ConfigDetails{
+				ConfigFiles: []types.ConfigFile{
+					{
+						Filename: "base.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.loggingBase,
+							},
+						},
+					},
+					{
+						Filename: "override.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.loggingOverride,
+							},
+						},
+					},
+				},
+			}
+			config, err := Load(configDetails)
+			assert.NilError(t, err)
+			assert.DeepEqual(t, &types.Config{
+				Filename: "base.yml",
+				Version:  "3.4",
+				Services: []types.ServiceConfig{
+					{
+						Name:        "foo",
+						Logging:     tc.expected,
+						Environment: types.MappingWithEquals{},
+					},
+				},
+				Networks: map[string]types.NetworkConfig{},
+				Volumes:  map[string]types.VolumeConfig{},
+				Secrets:  map[string]types.SecretConfig{},
+				Configs:  map[string]types.ConfigObjConfig{},
+			}, config)
+		})
+	}
+}
+
+func TestLoadMultipleServicePorts(t *testing.T) {
+	portsCases := []struct {
+		name         string
+		portBase     map[string]interface{}
+		portOverride map[string]interface{}
+		expected     []types.ServicePortConfig
+	}{
+		{
+			name: "no_override",
+			portBase: map[string]interface{}{
+				"ports": []interface{}{
+					"8080:80",
+				},
+			},
+			portOverride: map[string]interface{}{},
+			expected: []types.ServicePortConfig{
+				{
+					Mode:      "ingress",
+					Published: 8080,
+					Target:    80,
+					Protocol:  "tcp",
+				},
+			},
+		},
+		{
+			name: "override_different_published",
+			portBase: map[string]interface{}{
+				"ports": []interface{}{
+					"8080:80",
+				},
+			},
+			portOverride: map[string]interface{}{
+				"ports": []interface{}{
+					"8081:80",
+				},
+			},
+			expected: []types.ServicePortConfig{
+				{
+					Mode:      "ingress",
+					Published: 8080,
+					Target:    80,
+					Protocol:  "tcp",
+				},
+				{
+					Mode:      "ingress",
+					Published: 8081,
+					Target:    80,
+					Protocol:  "tcp",
+				},
+			},
+		},
+		{
+			name: "override_same_published",
+			portBase: map[string]interface{}{
+				"ports": []interface{}{
+					"8080:80",
+				},
+			},
+			portOverride: map[string]interface{}{
+				"ports": []interface{}{
+					"8080:81",
+				},
+			},
+			expected: []types.ServicePortConfig{
+				{
+					Mode:      "ingress",
+					Published: 8080,
+					Target:    81,
+					Protocol:  "tcp",
+				},
+			},
+		},
+	}
+
+	for _, tc := range portsCases {
+		t.Run(tc.name, func(t *testing.T) {
+			configDetails := types.ConfigDetails{
+				ConfigFiles: []types.ConfigFile{
+					{
+						Filename: "base.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.portBase,
+							},
+						},
+					},
+					{
+						Filename: "override.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.portOverride,
+							},
+						},
+					},
+				},
+			}
+			config, err := Load(configDetails)
+			assert.NilError(t, err)
+			assert.DeepEqual(t, &types.Config{
+				Filename: "base.yml",
+				Version:  "3.4",
+				Services: []types.ServiceConfig{
+					{
+						Name:        "foo",
+						Ports:       tc.expected,
+						Environment: types.MappingWithEquals{},
+					},
+				},
+				Networks: map[string]types.NetworkConfig{},
+				Volumes:  map[string]types.VolumeConfig{},
+				Secrets:  map[string]types.SecretConfig{},
+				Configs:  map[string]types.ConfigObjConfig{},
+			}, config)
+		})
+	}
+}
+
+func TestLoadMultipleSecretsConfig(t *testing.T) {
+	portsCases := []struct {
+		name           string
+		secretBase     map[string]interface{}
+		secretOverride map[string]interface{}
+		expected       []types.ServiceSecretConfig
+	}{
+		{
+			name: "no_override",
+			secretBase: map[string]interface{}{
+				"secrets": []interface{}{
+					"my_secret",
+				},
+			},
+			secretOverride: map[string]interface{}{},
+			expected: []types.ServiceSecretConfig{
+				{
+					Source: "my_secret",
+				},
+			},
+		},
+		{
+			name: "override_simple",
+			secretBase: map[string]interface{}{
+				"secrets": []interface{}{
+					"foo_secret",
+				},
+			},
+			secretOverride: map[string]interface{}{
+				"secrets": []interface{}{
+					"bar_secret",
+				},
+			},
+			expected: []types.ServiceSecretConfig{
+				{
+					Source: "bar_secret",
+				},
+				{
+					Source: "foo_secret",
+				},
+			},
+		},
+		{
+			name: "override_same_source",
+			secretBase: map[string]interface{}{
+				"secrets": []interface{}{
+					"foo_secret",
+					map[string]interface{}{
+						"source": "bar_secret",
+						"target": "waw_secret",
+					},
+				},
+			},
+			secretOverride: map[string]interface{}{
+				"secrets": []interface{}{
+					map[string]interface{}{
+						"source": "bar_secret",
+						"target": "bof_secret",
+					},
+					map[string]interface{}{
+						"source": "baz_secret",
+						"target": "waw_secret",
+					},
+				},
+			},
+			expected: []types.ServiceSecretConfig{
+				{
+					Source: "bar_secret",
+					Target: "bof_secret",
+				},
+				{
+					Source: "baz_secret",
+					Target: "waw_secret",
+				},
+				{
+					Source: "foo_secret",
+				},
+			},
+		},
+	}
+
+	for _, tc := range portsCases {
+		t.Run(tc.name, func(t *testing.T) {
+			configDetails := types.ConfigDetails{
+				ConfigFiles: []types.ConfigFile{
+					{
+						Filename: "base.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.secretBase,
+							},
+						},
+					},
+					{
+						Filename: "override.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.secretOverride,
+							},
+						},
+					},
+				},
+			}
+			config, err := Load(configDetails)
+			assert.NilError(t, err)
+			assert.DeepEqual(t, &types.Config{
+				Filename: "base.yml",
+				Version:  "3.4",
+				Services: []types.ServiceConfig{
+					{
+						Name:        "foo",
+						Secrets:     tc.expected,
+						Environment: types.MappingWithEquals{},
+					},
+				},
+				Networks: map[string]types.NetworkConfig{},
+				Volumes:  map[string]types.VolumeConfig{},
+				Secrets:  map[string]types.SecretConfig{},
+				Configs:  map[string]types.ConfigObjConfig{},
+			}, config)
+		})
+	}
+}
+
+func TestLoadMultipleConfigobjsConfig(t *testing.T) {
+	portsCases := []struct {
+		name           string
+		configBase     map[string]interface{}
+		configOverride map[string]interface{}
+		expected       []types.ServiceConfigObjConfig
+	}{
+		{
+			name: "no_override",
+			configBase: map[string]interface{}{
+				"configs": []interface{}{
+					"my_config",
+				},
+			},
+			configOverride: map[string]interface{}{},
+			expected: []types.ServiceConfigObjConfig{
+				{
+					Source: "my_config",
+				},
+			},
+		},
+		{
+			name: "override_simple",
+			configBase: map[string]interface{}{
+				"configs": []interface{}{
+					"foo_config",
+				},
+			},
+			configOverride: map[string]interface{}{
+				"configs": []interface{}{
+					"bar_config",
+				},
+			},
+			expected: []types.ServiceConfigObjConfig{
+				{
+					Source: "bar_config",
+				},
+				{
+					Source: "foo_config",
+				},
+			},
+		},
+		{
+			name: "override_same_source",
+			configBase: map[string]interface{}{
+				"configs": []interface{}{
+					"foo_config",
+					map[string]interface{}{
+						"source": "bar_config",
+						"target": "waw_config",
+					},
+				},
+			},
+			configOverride: map[string]interface{}{
+				"configs": []interface{}{
+					map[string]interface{}{
+						"source": "bar_config",
+						"target": "bof_config",
+					},
+					map[string]interface{}{
+						"source": "baz_config",
+						"target": "waw_config",
+					},
+				},
+			},
+			expected: []types.ServiceConfigObjConfig{
+				{
+					Source: "bar_config",
+					Target: "bof_config",
+				},
+				{
+					Source: "baz_config",
+					Target: "waw_config",
+				},
+				{
+					Source: "foo_config",
+				},
+			},
+		},
+	}
+
+	for _, tc := range portsCases {
+		t.Run(tc.name, func(t *testing.T) {
+			configDetails := types.ConfigDetails{
+				ConfigFiles: []types.ConfigFile{
+					{
+						Filename: "base.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.configBase,
+							},
+						},
+					},
+					{
+						Filename: "override.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.configOverride,
+							},
+						},
+					},
+				},
+			}
+			config, err := Load(configDetails)
+			assert.NilError(t, err)
+			assert.DeepEqual(t, &types.Config{
+				Filename: "base.yml",
+				Version:  "3.4",
+				Services: []types.ServiceConfig{
+					{
+						Name:        "foo",
+						Configs:     tc.expected,
+						Environment: types.MappingWithEquals{},
+					},
+				},
+				Networks: map[string]types.NetworkConfig{},
+				Volumes:  map[string]types.VolumeConfig{},
+				Secrets:  map[string]types.SecretConfig{},
+				Configs:  map[string]types.ConfigObjConfig{},
+			}, config)
+		})
+	}
+}
+
+func TestLoadMultipleUlimits(t *testing.T) {
+	ulimitCases := []struct {
+		name           string
+		ulimitBase     map[string]interface{}
+		ulimitOverride map[string]interface{}
+		expected       map[string]*types.UlimitsConfig
+	}{
+		{
+			name: "no_override",
+			ulimitBase: map[string]interface{}{
+				"ulimits": map[string]interface{}{
+					"noproc": 65535,
+				},
+			},
+			ulimitOverride: map[string]interface{}{},
+			expected: map[string]*types.UlimitsConfig{
+				"noproc": {
+					Single: 65535,
+				},
+			},
+		},
+		{
+			name: "override_simple",
+			ulimitBase: map[string]interface{}{
+				"ulimits": map[string]interface{}{
+					"noproc": 65535,
+				},
+			},
+			ulimitOverride: map[string]interface{}{
+				"ulimits": map[string]interface{}{
+					"noproc": 44444,
+				},
+			},
+			expected: map[string]*types.UlimitsConfig{
+				"noproc": {
+					Single: 44444,
+				},
+			},
+		},
+		{
+			name: "override_different_notation",
+			ulimitBase: map[string]interface{}{
+				"ulimits": map[string]interface{}{
+					"nofile": map[string]interface{}{
+						"soft": 11111,
+						"hard": 99999,
+					},
+					"noproc": 44444,
+				},
+			},
+			ulimitOverride: map[string]interface{}{
+				"ulimits": map[string]interface{}{
+					"nofile": 55555,
+					"noproc": map[string]interface{}{
+						"soft": 22222,
+						"hard": 33333,
+					},
+				},
+			},
+			expected: map[string]*types.UlimitsConfig{
+				"noproc": {
+					Soft: 22222,
+					Hard: 33333,
+				},
+				"nofile": {
+					Single: 55555,
+				},
+			},
+		},
+	}
+
+	for _, tc := range ulimitCases {
+		t.Run(tc.name, func(t *testing.T) {
+			configDetails := types.ConfigDetails{
+				ConfigFiles: []types.ConfigFile{
+					{
+						Filename: "base.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.ulimitBase,
+							},
+						},
+					},
+					{
+						Filename: "override.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.ulimitOverride,
+							},
+						},
+					},
+				},
+			}
+			config, err := Load(configDetails)
+			assert.NilError(t, err)
+			assert.DeepEqual(t, &types.Config{
+				Filename: "base.yml",
+				Version:  "3.4",
+				Services: []types.ServiceConfig{
+					{
+						Name:        "foo",
+						Ulimits:     tc.expected,
+						Environment: types.MappingWithEquals{},
+					},
+				},
+				Networks: map[string]types.NetworkConfig{},
+				Volumes:  map[string]types.VolumeConfig{},
+				Secrets:  map[string]types.SecretConfig{},
+				Configs:  map[string]types.ConfigObjConfig{},
+			}, config)
+		})
+	}
+}
+
+func TestLoadMultipleServiceNetworks(t *testing.T) {
+	networkCases := []struct {
+		name            string
+		networkBase     map[string]interface{}
+		networkOverride map[string]interface{}
+		expected        map[string]*types.ServiceNetworkConfig
+	}{
+		{
+			name: "no_override",
+			networkBase: map[string]interface{}{
+				"networks": []interface{}{
+					"net1",
+					"net2",
+				},
+			},
+			networkOverride: map[string]interface{}{},
+			expected: map[string]*types.ServiceNetworkConfig{
+				"net1": nil,
+				"net2": nil,
+			},
+		},
+		{
+			name: "override_simple",
+			networkBase: map[string]interface{}{
+				"networks": []interface{}{
+					"net1",
+					"net2",
+				},
+			},
+			networkOverride: map[string]interface{}{
+				"networks": []interface{}{
+					"net1",
+					"net3",
+				},
+			},
+			expected: map[string]*types.ServiceNetworkConfig{
+				"net1": nil,
+				"net2": nil,
+				"net3": nil,
+			},
+		},
+		{
+			name: "override_with_aliases",
+			networkBase: map[string]interface{}{
+				"networks": map[string]interface{}{
+					"net1": map[string]interface{}{
+						"aliases": []interface{}{
+							"alias1",
+						},
+					},
+					"net2": nil,
+				},
+			},
+			networkOverride: map[string]interface{}{
+				"networks": map[string]interface{}{
+					"net1": map[string]interface{}{
+						"aliases": []interface{}{
+							"alias2",
+							"alias3",
+						},
+					},
+					"net3": map[string]interface{}{},
+				},
+			},
+			expected: map[string]*types.ServiceNetworkConfig{
+				"net1": {
+					Aliases: []string{"alias2", "alias3"},
+				},
+				"net2": nil,
+				"net3": {},
+			},
+		},
+	}
+
+	for _, tc := range networkCases {
+		t.Run(tc.name, func(t *testing.T) {
+			configDetails := types.ConfigDetails{
+				ConfigFiles: []types.ConfigFile{
+					{
+						Filename: "base.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.networkBase,
+							},
+						},
+					},
+					{
+						Filename: "override.yml",
+						Config: map[string]interface{}{
+							"version": "3.4",
+							"services": map[string]interface{}{
+								"foo": tc.networkOverride,
+							},
+						},
+					},
+				},
+			}
+			config, err := Load(configDetails)
+			assert.NilError(t, err)
+			assert.DeepEqual(t, &types.Config{
+				Filename: "base.yml",
+				Version:  "3.4",
+				Services: []types.ServiceConfig{
+					{
+						Name:        "foo",
+						Networks:    tc.expected,
+						Environment: types.MappingWithEquals{},
+					},
+				},
+				Networks: map[string]types.NetworkConfig{},
+				Volumes:  map[string]types.VolumeConfig{},
+				Secrets:  map[string]types.SecretConfig{},
+				Configs:  map[string]types.ConfigObjConfig{},
+			}, config)
+		})
+	}
+}
+
+func TestLoadMultipleConfigs(t *testing.T) {
+	base := map[string]interface{}{
+		"version": "3.4",
+		"services": map[string]interface{}{
+			"foo": map[string]interface{}{
+				"image": "foo",
+				"build": map[string]interface{}{
+					"context":    ".",
+					"dockerfile": "bar.Dockerfile",
+				},
+				"ports": []interface{}{
+					"8080:80",
+					"9090:90",
+				},
+				"labels": []interface{}{
+					"foo=bar",
+				},
+				"cap_add": []interface{}{
+					"NET_ADMIN",
+				},
+			},
+		},
+		"volumes":  map[string]interface{}{},
+		"networks": map[string]interface{}{},
+		"secrets":  map[string]interface{}{},
+		"configs":  map[string]interface{}{},
+	}
+	override := map[string]interface{}{
+		"version": "3.4",
+		"services": map[string]interface{}{
+			"foo": map[string]interface{}{
+				"image": "baz",
+				"build": map[string]interface{}{
+					"dockerfile": "foo.Dockerfile",
+					"args": []interface{}{
+						"buildno=1",
+						"password=secret",
+					},
+				},
+				"ports": []interface{}{
+					map[string]interface{}{
+						"target":    81,
+						"published": 8080,
+					},
+				},
+				"labels": map[string]interface{}{
+					"foo": "baz",
+				},
+				"cap_add": []interface{}{
+					"SYS_ADMIN",
+				},
+			},
+			"bar": map[string]interface{}{
+				"image": "bar",
+			},
+		},
+		"volumes":  map[string]interface{}{},
+		"networks": map[string]interface{}{},
+		"secrets":  map[string]interface{}{},
+		"configs":  map[string]interface{}{},
+	}
+	configDetails := types.ConfigDetails{
+		ConfigFiles: []types.ConfigFile{
+			{Filename: "base.yml", Config: base},
+			{Filename: "override.yml", Config: override},
+		},
+	}
+	config, err := Load(configDetails)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, &types.Config{
+		Filename: "base.yml",
+		Version:  "3.4",
+		Services: []types.ServiceConfig{
+			{
+				Name:        "bar",
+				Image:       "bar",
+				Environment: types.MappingWithEquals{},
+			},
+			{
+				Name:  "foo",
+				Image: "baz",
+				Build: types.BuildConfig{
+					Context:    ".",
+					Dockerfile: "foo.Dockerfile",
+					Args: types.MappingWithEquals{
+						"buildno":  strPtr("1"),
+						"password": strPtr("secret"),
+					},
+				},
+				Ports: []types.ServicePortConfig{
+					{
+						Target:    81,
+						Published: 8080,
+					},
+					{
+						Mode:      "ingress",
+						Target:    90,
+						Published: 9090,
+						Protocol:  "tcp",
+					},
+				},
+				Labels: types.Labels{
+					"foo": "baz",
+				},
+				CapAdd:      []string{"NET_ADMIN", "SYS_ADMIN"},
+				Environment: types.MappingWithEquals{},
+			}},
+		Networks: map[string]types.NetworkConfig{},
+		Volumes:  map[string]types.VolumeConfig{},
+		Secrets:  map[string]types.SecretConfig{},
+		Configs:  map[string]types.ConfigObjConfig{},
+	}, config)
+}
+
+// Issue#972
+func TestLoadMultipleNetworks(t *testing.T) {
+	base := map[string]interface{}{
+		"version": "3.4",
+		"services": map[string]interface{}{
+			"foo": map[string]interface{}{
+				"image": "baz",
+			},
+		},
+		"volumes": map[string]interface{}{},
+		"networks": map[string]interface{}{
+			"hostnet": map[string]interface{}{
+				"driver": "overlay",
+				"ipam": map[string]interface{}{
+					"driver": "default",
+					"config": []interface{}{
+						map[string]interface{}{
+							"subnet": "10.0.0.0/20",
+						},
+					},
+				},
+			},
+		},
+		"secrets": map[string]interface{}{},
+		"configs": map[string]interface{}{},
+	}
+	override := map[string]interface{}{
+		"version":  "3.4",
+		"services": map[string]interface{}{},
+		"volumes":  map[string]interface{}{},
+		"networks": map[string]interface{}{
+			"hostnet": map[string]interface{}{
+				"external": map[string]interface{}{
+					"name": "host",
+				},
+			},
+		},
+		"secrets": map[string]interface{}{},
+		"configs": map[string]interface{}{},
+	}
+	configDetails := types.ConfigDetails{
+		ConfigFiles: []types.ConfigFile{
+			{Filename: "base.yml", Config: base},
+			{Filename: "override.yml", Config: override},
+		},
+	}
+	config, err := Load(configDetails)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, &types.Config{
+		Filename: "base.yml",
+		Version:  "3.4",
+		Services: []types.ServiceConfig{
+			{
+				Name:        "foo",
+				Image:       "baz",
+				Environment: types.MappingWithEquals{},
+			}},
+		Networks: map[string]types.NetworkConfig{
+			"hostnet": {
+				Name: "host",
+				External: types.External{
+					External: true,
+				},
+			},
+		},
+		Volumes: map[string]types.VolumeConfig{},
+		Secrets: map[string]types.SecretConfig{},
+		Configs: map[string]types.ConfigObjConfig{},
+	}, config)
+}
diff --git a/cli/cli/compose/loader/types_test.go b/cli/cli/compose/loader/types_test.go
new file mode 100644
index 00000000..0d604d8c
--- /dev/null
+++ b/cli/cli/compose/loader/types_test.go
@@ -0,0 +1,26 @@
+package loader
+
+import (
+	"testing"
+
+	yaml "gopkg.in/yaml.v2"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestMarshallConfig(t *testing.T) {
+	workingDir := "/foo"
+	homeDir := "/bar"
+	cfg := fullExampleConfig(workingDir, homeDir)
+	expected := fullExampleYAML(workingDir)
+
+	actual, err := yaml.Marshal(cfg)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(expected, string(actual)))
+
+	// Make sure the expected still
+	dict, err := ParseYAML([]byte("version: '3.7'\n" + expected))
+	assert.NilError(t, err)
+	_, err = Load(buildConfigDetails(dict, map[string]string{}))
+	assert.NilError(t, err)
+}
diff --git a/cli/cli/compose/loader/volume.go b/cli/cli/compose/loader/volume.go
new file mode 100644
index 00000000..9c2792e0
--- /dev/null
+++ b/cli/cli/compose/loader/volume.go
@@ -0,0 +1,122 @@
+package loader
+
+import (
+	"strings"
+	"unicode"
+	"unicode/utf8"
+
+	"github.com/docker/cli/cli/compose/types"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/pkg/errors"
+)
+
+const endOfSpec = rune(0)
+
+// ParseVolume parses a volume spec without any knowledge of the target platform
+func ParseVolume(spec string) (types.ServiceVolumeConfig, error) {
+	volume := types.ServiceVolumeConfig{}
+
+	switch len(spec) {
+	case 0:
+		return volume, errors.New("invalid empty volume spec")
+	case 1, 2:
+		volume.Target = spec
+		volume.Type = string(mount.TypeVolume)
+		return volume, nil
+	}
+
+	buffer := []rune{}
+	for _, char := range spec + string(endOfSpec) {
+		switch {
+		case isWindowsDrive(buffer, char):
+			buffer = append(buffer, char)
+		case char == ':' || char == endOfSpec:
+			if err := populateFieldFromBuffer(char, buffer, &volume); err != nil {
+				populateType(&volume)
+				return volume, errors.Wrapf(err, "invalid spec: %s", spec)
+			}
+			buffer = []rune{}
+		default:
+			buffer = append(buffer, char)
+		}
+	}
+
+	populateType(&volume)
+	return volume, nil
+}
+
+func isWindowsDrive(buffer []rune, char rune) bool {
+	return char == ':' && len(buffer) == 1 && unicode.IsLetter(buffer[0])
+}
+
+func populateFieldFromBuffer(char rune, buffer []rune, volume *types.ServiceVolumeConfig) error {
+	strBuffer := string(buffer)
+	switch {
+	case len(buffer) == 0:
+		return errors.New("empty section between colons")
+	// Anonymous volume
+	case volume.Source == "" && char == endOfSpec:
+		volume.Target = strBuffer
+		return nil
+	case volume.Source == "":
+		volume.Source = strBuffer
+		return nil
+	case volume.Target == "":
+		volume.Target = strBuffer
+		return nil
+	case char == ':':
+		return errors.New("too many colons")
+	}
+	for _, option := range strings.Split(strBuffer, ",") {
+		switch option {
+		case "ro":
+			volume.ReadOnly = true
+		case "rw":
+			volume.ReadOnly = false
+		case "nocopy":
+			volume.Volume = &types.ServiceVolumeVolume{NoCopy: true}
+		default:
+			if isBindOption(option) {
+				volume.Bind = &types.ServiceVolumeBind{Propagation: option}
+			}
+			// ignore unknown options
+		}
+	}
+	return nil
+}
+
+func isBindOption(option string) bool {
+	for _, propagation := range mount.Propagations {
+		if mount.Propagation(option) == propagation {
+			return true
+		}
+	}
+	return false
+}
+
+func populateType(volume *types.ServiceVolumeConfig) {
+	switch {
+	// Anonymous volume
+	case volume.Source == "":
+		volume.Type = string(mount.TypeVolume)
+	case isFilePath(volume.Source):
+		volume.Type = string(mount.TypeBind)
+	default:
+		volume.Type = string(mount.TypeVolume)
+	}
+}
+
+func isFilePath(source string) bool {
+	switch source[0] {
+	case '.', '/', '~':
+		return true
+	}
+
+	// windows named pipes
+	if strings.HasPrefix(source, `\\`) {
+		return true
+	}
+
+	first, nextIndex := utf8.DecodeRuneInString(source)
+	return isWindowsDrive([]rune{first}, rune(source[nextIndex]))
+}
diff --git a/cli/cli/compose/loader/volume_test.go b/cli/cli/compose/loader/volume_test.go
new file mode 100644
index 00000000..ebe5f6b5
--- /dev/null
+++ b/cli/cli/compose/loader/volume_test.go
@@ -0,0 +1,223 @@
+package loader
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/docker/cli/cli/compose/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestParseVolumeAnonymousVolume(t *testing.T) {
+	for _, path := range []string{"/path", "/path/foo"} {
+		volume, err := ParseVolume(path)
+		expected := types.ServiceVolumeConfig{Type: "volume", Target: path}
+		assert.NilError(t, err)
+		assert.Check(t, is.DeepEqual(expected, volume))
+	}
+}
+
+func TestParseVolumeAnonymousVolumeWindows(t *testing.T) {
+	for _, path := range []string{"C:\\path", "Z:\\path\\foo"} {
+		volume, err := ParseVolume(path)
+		expected := types.ServiceVolumeConfig{Type: "volume", Target: path}
+		assert.NilError(t, err)
+		assert.Check(t, is.DeepEqual(expected, volume))
+	}
+}
+
+func TestParseVolumeTooManyColons(t *testing.T) {
+	_, err := ParseVolume("/foo:/foo:ro:foo")
+	assert.Error(t, err, "invalid spec: /foo:/foo:ro:foo: too many colons")
+}
+
+func TestParseVolumeShortVolumes(t *testing.T) {
+	for _, path := range []string{".", "/a"} {
+		volume, err := ParseVolume(path)
+		expected := types.ServiceVolumeConfig{Type: "volume", Target: path}
+		assert.NilError(t, err)
+		assert.Check(t, is.DeepEqual(expected, volume))
+	}
+}
+
+func TestParseVolumeMissingSource(t *testing.T) {
+	for _, spec := range []string{":foo", "/foo::ro"} {
+		_, err := ParseVolume(spec)
+		assert.ErrorContains(t, err, "empty section between colons")
+	}
+}
+
+func TestParseVolumeBindMount(t *testing.T) {
+	for _, path := range []string{"./foo", "~/thing", "../other", "/foo", "/home/user"} {
+		volume, err := ParseVolume(path + ":/target")
+		expected := types.ServiceVolumeConfig{
+			Type:   "bind",
+			Source: path,
+			Target: "/target",
+		}
+		assert.NilError(t, err)
+		assert.Check(t, is.DeepEqual(expected, volume))
+	}
+}
+
+func TestParseVolumeRelativeBindMountWindows(t *testing.T) {
+	for _, path := range []string{
+		"./foo",
+		"~/thing",
+		"../other",
+		"D:\\path", "/home/user",
+	} {
+		volume, err := ParseVolume(path + ":d:\\target")
+		expected := types.ServiceVolumeConfig{
+			Type:   "bind",
+			Source: path,
+			Target: "d:\\target",
+		}
+		assert.NilError(t, err)
+		assert.Check(t, is.DeepEqual(expected, volume))
+	}
+}
+
+func TestParseVolumeWithBindOptions(t *testing.T) {
+	volume, err := ParseVolume("/source:/target:slave")
+	expected := types.ServiceVolumeConfig{
+		Type:   "bind",
+		Source: "/source",
+		Target: "/target",
+		Bind:   &types.ServiceVolumeBind{Propagation: "slave"},
+	}
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, volume))
+}
+
+func TestParseVolumeWithBindOptionsWindows(t *testing.T) {
+	volume, err := ParseVolume("C:\\source\\foo:D:\\target:ro,rprivate")
+	expected := types.ServiceVolumeConfig{
+		Type:     "bind",
+		Source:   "C:\\source\\foo",
+		Target:   "D:\\target",
+		ReadOnly: true,
+		Bind:     &types.ServiceVolumeBind{Propagation: "rprivate"},
+	}
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, volume))
+}
+
+func TestParseVolumeWithInvalidVolumeOptions(t *testing.T) {
+	_, err := ParseVolume("name:/target:bogus")
+	assert.NilError(t, err)
+}
+
+func TestParseVolumeWithVolumeOptions(t *testing.T) {
+	volume, err := ParseVolume("name:/target:nocopy")
+	expected := types.ServiceVolumeConfig{
+		Type:   "volume",
+		Source: "name",
+		Target: "/target",
+		Volume: &types.ServiceVolumeVolume{NoCopy: true},
+	}
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, volume))
+}
+
+func TestParseVolumeWithReadOnly(t *testing.T) {
+	for _, path := range []string{"./foo", "/home/user"} {
+		volume, err := ParseVolume(path + ":/target:ro")
+		expected := types.ServiceVolumeConfig{
+			Type:     "bind",
+			Source:   path,
+			Target:   "/target",
+			ReadOnly: true,
+		}
+		assert.NilError(t, err)
+		assert.Check(t, is.DeepEqual(expected, volume))
+	}
+}
+
+func TestParseVolumeWithRW(t *testing.T) {
+	for _, path := range []string{"./foo", "/home/user"} {
+		volume, err := ParseVolume(path + ":/target:rw")
+		expected := types.ServiceVolumeConfig{
+			Type:     "bind",
+			Source:   path,
+			Target:   "/target",
+			ReadOnly: false,
+		}
+		assert.NilError(t, err)
+		assert.Check(t, is.DeepEqual(expected, volume))
+	}
+}
+
+func TestParseVolumeWindowsNamedPipe(t *testing.T) {
+	volume, err := ParseVolume(`\\.\pipe\docker_engine:\\.\pipe\inside`)
+	assert.NilError(t, err)
+	expected := types.ServiceVolumeConfig{
+		Type:   "bind",
+		Source: `\\.\pipe\docker_engine`,
+		Target: `\\.\pipe\inside`,
+	}
+	assert.Check(t, is.DeepEqual(expected, volume))
+}
+
+func TestIsFilePath(t *testing.T) {
+	assert.Check(t, !isFilePath("a界"))
+}
+
+// Preserve the test cases for VolumeSplitN
+func TestParseVolumeSplitCases(t *testing.T) {
+	for casenumber, x := range []struct {
+		input    string
+		n        int
+		expected []string
+	}{
+		{`C:\foo:d:`, -1, []string{`C:\foo`, `d:`}},
+		{`:C:\foo:d:`, -1, nil},
+		{`/foo:/bar:ro`, 3, []string{`/foo`, `/bar`, `ro`}},
+		{`/foo:/bar:ro`, 2, []string{`/foo`, `/bar:ro`}},
+		{`C:\foo\:/foo`, -1, []string{`C:\foo\`, `/foo`}},
+		{`d:\`, -1, []string{`d:\`}},
+		{`d:`, -1, []string{`d:`}},
+		{`d:\path`, -1, []string{`d:\path`}},
+		{`d:\path with space`, -1, []string{`d:\path with space`}},
+		{`d:\pathandmode:rw`, -1, []string{`d:\pathandmode`, `rw`}},
+
+		{`c:\:d:\`, -1, []string{`c:\`, `d:\`}},
+		{`c:\windows\:d:`, -1, []string{`c:\windows\`, `d:`}},
+		{`c:\windows:d:\s p a c e`, -1, []string{`c:\windows`, `d:\s p a c e`}},
+		{`c:\windows:d:\s p a c e:RW`, -1, []string{`c:\windows`, `d:\s p a c e`, `RW`}},
+		{`c:\program files:d:\s p a c e i n h o s t d i r`, -1, []string{`c:\program files`, `d:\s p a c e i n h o s t d i r`}},
+		{`0123456789name:d:`, -1, []string{`0123456789name`, `d:`}},
+		{`MiXeDcAsEnAmE:d:`, -1, []string{`MiXeDcAsEnAmE`, `d:`}},
+		{`name:D:`, -1, []string{`name`, `D:`}},
+		{`name:D::rW`, -1, []string{`name`, `D:`, `rW`}},
+		{`name:D::RW`, -1, []string{`name`, `D:`, `RW`}},
+
+		{`c:/:d:/forward/slashes/are/good/too`, -1, []string{`c:/`, `d:/forward/slashes/are/good/too`}},
+		{`c:\Windows`, -1, []string{`c:\Windows`}},
+		{`c:\Program Files (x86)`, -1, []string{`c:\Program Files (x86)`}},
+		{``, -1, nil},
+		{`.`, -1, []string{`.`}},
+		{`..\`, -1, []string{`..\`}},
+		{`c:\:..\`, -1, []string{`c:\`, `..\`}},
+		{`c:\:d:\:xyzzy`, -1, []string{`c:\`, `d:\`, `xyzzy`}},
+		// Cover directories with one-character name
+		{`/tmp/x/y:/foo/x/y`, -1, []string{`/tmp/x/y`, `/foo/x/y`}},
+	} {
+		parsed, _ := ParseVolume(x.input)
+
+		expected := len(x.expected) > 1
+		msg := fmt.Sprintf("Case %d: %s", casenumber, x.input)
+		assert.Check(t, is.Equal(expected, parsed.Source != ""), msg)
+	}
+}
+
+func TestParseVolumeInvalidEmptySpec(t *testing.T) {
+	_, err := ParseVolume("")
+	assert.ErrorContains(t, err, "invalid empty volume spec")
+}
+
+func TestParseVolumeInvalidSections(t *testing.T) {
+	_, err := ParseVolume("/foo::rw")
+	assert.ErrorContains(t, err, "invalid spec")
+}
diff --git a/cli/cli/compose/schema/bindata.go b/cli/cli/compose/schema/bindata.go
new file mode 100644
index 00000000..9ec4891f
--- /dev/null
+++ b/cli/cli/compose/schema/bindata.go
@@ -0,0 +1,520 @@
+// Code generated by "esc -o bindata.go -pkg schema -private -modtime=1518458244 data"; DO NOT EDIT.
+
+package schema
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/base64"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path"
+	"sync"
+	"time"
+)
+
+type _escLocalFS struct{}
+
+var _escLocal _escLocalFS
+
+type _escStaticFS struct{}
+
+var _escStatic _escStaticFS
+
+type _escDirectory struct {
+	fs   http.FileSystem
+	name string
+}
+
+type _escFile struct {
+	compressed string
+	size       int64
+	modtime    int64
+	local      string
+	isDir      bool
+
+	once sync.Once
+	data []byte
+	name string
+}
+
+func (_escLocalFS) Open(name string) (http.File, error) {
+	f, present := _escData[path.Clean(name)]
+	if !present {
+		return nil, os.ErrNotExist
+	}
+	return os.Open(f.local)
+}
+
+func (_escStaticFS) prepare(name string) (*_escFile, error) {
+	f, present := _escData[path.Clean(name)]
+	if !present {
+		return nil, os.ErrNotExist
+	}
+	var err error
+	f.once.Do(func() {
+		f.name = path.Base(name)
+		if f.size == 0 {
+			return
+		}
+		var gr *gzip.Reader
+		b64 := base64.NewDecoder(base64.StdEncoding, bytes.NewBufferString(f.compressed))
+		gr, err = gzip.NewReader(b64)
+		if err != nil {
+			return
+		}
+		f.data, err = ioutil.ReadAll(gr)
+	})
+	if err != nil {
+		return nil, err
+	}
+	return f, nil
+}
+
+func (fs _escStaticFS) Open(name string) (http.File, error) {
+	f, err := fs.prepare(name)
+	if err != nil {
+		return nil, err
+	}
+	return f.File()
+}
+
+func (dir _escDirectory) Open(name string) (http.File, error) {
+	return dir.fs.Open(dir.name + name)
+}
+
+func (f *_escFile) File() (http.File, error) {
+	type httpFile struct {
+		*bytes.Reader
+		*_escFile
+	}
+	return &httpFile{
+		Reader:   bytes.NewReader(f.data),
+		_escFile: f,
+	}, nil
+}
+
+func (f *_escFile) Close() error {
+	return nil
+}
+
+func (f *_escFile) Readdir(count int) ([]os.FileInfo, error) {
+	return nil, nil
+}
+
+func (f *_escFile) Stat() (os.FileInfo, error) {
+	return f, nil
+}
+
+func (f *_escFile) Name() string {
+	return f.name
+}
+
+func (f *_escFile) Size() int64 {
+	return f.size
+}
+
+func (f *_escFile) Mode() os.FileMode {
+	return 0
+}
+
+func (f *_escFile) ModTime() time.Time {
+	return time.Unix(f.modtime, 0)
+}
+
+func (f *_escFile) IsDir() bool {
+	return f.isDir
+}
+
+func (f *_escFile) Sys() interface{} {
+	return f
+}
+
+// _escFS returns a http.Filesystem for the embedded assets. If useLocal is true,
+// the filesystem's contents are instead used.
+func _escFS(useLocal bool) http.FileSystem {
+	if useLocal {
+		return _escLocal
+	}
+	return _escStatic
+}
+
+// _escDir returns a http.Filesystem for the embedded assets on a given prefix dir.
+// If useLocal is true, the filesystem's contents are instead used.
+func _escDir(useLocal bool, name string) http.FileSystem {
+	if useLocal {
+		return _escDirectory{fs: _escLocal, name: name}
+	}
+	return _escDirectory{fs: _escStatic, name: name}
+}
+
+// _escFSByte returns the named file from the embedded assets. If useLocal is
+// true, the filesystem's contents are instead used.
+func _escFSByte(useLocal bool, name string) ([]byte, error) {
+	if useLocal {
+		f, err := _escLocal.Open(name)
+		if err != nil {
+			return nil, err
+		}
+		b, err := ioutil.ReadAll(f)
+		_ = f.Close()
+		return b, err
+	}
+	f, err := _escStatic.prepare(name)
+	if err != nil {
+		return nil, err
+	}
+	return f.data, nil
+}
+
+// _escFSMustByte is the same as _escFSByte, but panics if name is not present.
+func _escFSMustByte(useLocal bool, name string) []byte {
+	b, err := _escFSByte(useLocal, name)
+	if err != nil {
+		panic(err)
+	}
+	return b
+}
+
+// _escFSString is the string version of _escFSByte.
+func _escFSString(useLocal bool, name string) (string, error) {
+	b, err := _escFSByte(useLocal, name)
+	return string(b), err
+}
+
+// _escFSMustString is the string version of _escFSMustByte.
+func _escFSMustString(useLocal bool, name string) string {
+	return string(_escFSMustByte(useLocal, name))
+}
+
+var _escData = map[string]*_escFile{
+
+	"/data/config_schema_v3.0.json": {
+		local:   "data/config_schema_v3.0.json",
+		size:    11063,
+		modtime: 1518458244,
+		compressed: `
+H4sIAAAAAAAC/+xaT4/buA6/+1MYam/NzBR4xQNeb++4p93zDlxDsZlEHVlSKTmdtMh3X8iOHduRJSVx
+t8ViByiQyiTFf/qRov09SVPyVhc7qCj5mJKdMerj09NnLcVDu/oocftUIt2Yh/cfntq1N2Rl+VhpWQop
+Nmybt0/y/X8e3z9a9pbEHBRYIrn+DIVp1xC+1AzBMj+TPaBmUpBsldhnCqUCNAw0+Zha5dK0J+kWBmK1
+QSa2pFk+NhLSlGjAPSsGEnpV3zyd5T/1ZKup1IGyzbqixgCKPy51ax5/eqYP3/7/8Of7h/895g/Zu7ej
+x9a/CJt2+xI2TDDDpOj3Jz3l8fTr2G9My7Ihpny094ZyDWObBZivEl9CNvdkP8nm0/4Om8fm7CWvq2AE
+O6qfZEy7/X3xSzqjvbQtxWDvRsFRtrtc5cq2eV/1zprxUgmKy4Ndm/FHS1CBMKR3QZqSdc14OfWoFPC7
+FfE8WEzT79ODPZDTPB/9bz7g/fMZW/rnhRQGXk1jlH/r1gWyeAHcMA6xHBS32uMyzrTJJeYlKww5Ttgv
+5IXzaZqK9i9LHAJJQVVOy3JkB0WkB7JKCTNQabeJKakF+1LDbycSgzVM5ZYo1fKCtyhrlSuKNsH87ieF
+rCoqlsq6a+yI8LwUhjIBmAtahRLJnjoQpc7b+udNo03e8uuJgL4YLhqPUvgSuxVjU9vqRiaMuQaKxe5G
+fllRJmJ8B8LgQUnW5ssvlwgg9nmPJVe7AcSeoRRVdxpiAKYHecv/qqSGqWMmBg4f9aYmLgh+7gxfpUTU
+1RrQtnQjyo3Eilplu72TGaxzZN7QgUMbbFmnPOdMvCyf4vBqkOY7qY2+wsU9+w4oN7tiB8WLh31INeKW
+2sQkOavoNkykihAJp2vgN9m5qPMHYuV2a0nnMu6ic4ms+SWyPWBsAZfq3HClF3+hBiSi+xyRfnpsm0/P
+qWp+cU6yo0PE5dp4ZWJhXEMxikpFC9s3IGgdyqhTs59XspxL0AtiHYvUVxfC2/rHqNAFLxABa+bUuybL
+YlL/HHbOqAZ9W0dxIY2p/YfInHDx/tfLO8M6KzO+Rw6IOqvSHDeXIlkSOn8/tIVXrJzHigYhhgdMSTT6
+55T7duu7q71CtmcctjC+tayl5EDFCHoQaJlLwQ8RlNpQDF4oNBQ1MnPIpTKL9xl6V+WafYNxNM94fxKU
+jXgOujC31WttSiZyqUAEvaONVPkWaQG5AmSydBm4Gsa6rJHa/S/FaLYVlIccbSq1ufFiYUw43DVnFZs/
+Bw6AjagBLf67Yd8D+WdNmTCwBXQhpafr8DcdEd3GjuI4oB492jjKjXEzJJG4Oh7+NvJWJ0UyJ/1VcD5V
+I5tF1KMTUWsdbAwbGqF9TU1POphiLooXtlGyh6Bk6KuZt8yRJ3cW30RxSBqcwPqnm6HJI9N0PZm5uQ63
+zUbchzEGwSCbxOWEtiM8Af1rDg4Mq0DWxhv7ZMBEBpPZQFAHlNOYPvdB7fqLYOBiDgmC4qygOgREd1xQ
+a1VSA3n7ouoq6PdgvqJIOQfOdBWDoaQETg83lc+2m6KM1wg5LczpXVgg50glBTMSb9+yoq95t21D4jww
+s21d7N1y2IrJGgvQS4XoXOtnMqbb8cJ0BG2RpL/6B/kX9YJtSHMlOSsOS7mikKLVIyZz7kxVmze2Z6qU
+0VFH4ysTpfx6xYbLeVtxWsAEGO91tDZImTBX1/17zbqj7PeJHCgPPV34letMSShUHRwcVVBJPCzd2nTv
+ngMmdmQLlL+oSeOJyl4sF7+WhKeJWbgpZopWS52O6NkrcRbrwMzCM7eIG6OFb01E12sBJm5U5XwhHH+f
+Oc7fXu4Dve61yUxUn/vmetX7KosO8ew7i+X0b/r86SzBdSG4smW8A1xO34IEsOVE9S+0/EMS8e/Lr8nY
+a5BnlzdSX0pEz/uT4QW0V2NK5vgkbwzLvjFH4p//TjY9OdFv+YIZ/vjOU3x87+V+EGovMEJyx3TSsSb9
+xHv6XdkMqA34L74ys3aKw8XE5Pt4DNh+IZaN/DMhad9yDyAlGzbxc2F0fns2HUJ234BlbrgaD1QS+++Y
+/BUAAP//72YpJjcrAAA=
+`,
+	},
+
+	"/data/config_schema_v3.1.json": {
+		local:   "data/config_schema_v3.1.json",
+		size:    12209,
+		modtime: 1518458244,
+		compressed: `
+H4sIAAAAAAAC/+waS4/bNvOuXyEwucW7mw9fUKC59dhTe+7CEbjSWGaWIpkh5awT+L8X1Mt6krStdIOi
+CwRwqJnhvGc45Pcojslbne6hoORjTPbGqI8PD5+1FHf16r3E/CFDujN37z881GtvyMbiscyipFLsWJ7U
+X5LD/+//d2/RaxBzVGCB5NNnSE29hvClZAgW+ZEcADWTgmw3kf2mUCpAw0CTj7FlLo47kHahR1YbZCIn
+1fKpohDHRAMeWNqj0LH65uFM/6ED24yp9pit1hU1BlD8OeWt+vzpkd59++3ur/d3v94nd9t3bwefrX4R
+dvX2GeyYYIZJ0e1POshT8+vUbUyzrAKmfLD3jnINQ5kFmK8Sn30yd2CvJHOz/4zMQ3EOkpeF14It1CsJ
+U2+/jv00pAjG77I11Kt5rN3+NoGjVmgnbA3R27ticBDec6qaC69lXXXKWtBSBorLo11b0EcNUIAwpFNB
+HJOnkvFsrFEp4A9L4rG3GMffx5msR6f6PvjfssG77wuydN9TKQy8mEoo99a1CmT6DLhjHEIxKObaoTLO
+tEkkJhlLDTmN0Cf0/P40dkX7t41mCJKUqoRm2UAOikiPZBMTZqDQ8yLGpBTsSwm/NyAGSxjTzVCq9Qnn
+KEuVKIrWwdzqJ6ksCirW8rpL5AjQvBSGMgGYCFr4HMlGHYhMJ3XBd7rRLqnx9YhAV/1XtUcmXI5dk7Gu
+bXkjI8REA8V0fyW+LCgTIboDYfCoJKv95adzBBCHpMslF6sBxIGhFEUbDSEJpkvyFv9FSQ1jxYwE7H/q
+RI3mUvBjK/gmJqIsngBtDzuA3EksqGW23TtayHUzntdXYF8GW9YpTzgTz+u7OLwYpMleaqMvUHGHvgfK
+zT7dQ/rsQO9DDbClNiFOzgqa+4FU6gPh9An4VXKuqvweWZnnFnTJ4yadS2DNz5AdAEMLuFTnhiue/Pka
+kIDucwD66b5uPh1RVf3inGxPMySma8OVkYRhDcXAKgVNbd+AoLXPo5rTTVLIbMlBJ8A6NFNfXAiv6x+D
+TOc9QHikWWLvEi8Lcf2z2TmjGvR1HcWEGlOHD4E+MYf7ixN3AXWRZniP7CF1ZqUKtzlGtpEv/n5oC69Y
+tpwrqgzRDzAl0ejXKff11jdXe4XswDjkMDy1PEnJgYpB6kGgWSIFPwZAakPRe6DQkJbIzDGRyqzeZ+h9
+kWj2DYbWPOf7htB2xNBoQnKlQZdSkj+MZxKhN1H5UxTRssQUghMJMRRzMOHw5TBs3MD5JcCTQteY8OTP
+E9FSXjnNhr4+6tRc161pkzGRSAXCGxvaSJXkSFNIFCCTs6rY9CM9K5Ha/adkNMsF5b4wM4XaXXmsNMYf
+7CVnBVsOmhmvDegA6uo/X/QdBf/MKRMGcusmU6dy9JzuljOg19xTHBrUwUcTmDszjxAFVtXhXUdFb9Mw
+sp2Fv6iYj9nYLtbT+aAqtfdYUMEI7WppO9De0H7VamHbZBsEGUNXx3TN2H10YnXNk/ug3vm7e7btmzsz
+TZ9GE9e54LbeiAd/jkEwyEZ2aRN1P5+A/jnHRoYVIEvjtH3UQyK9ubzHqD3IsU0fO6O23aXXcCFBgqA4
+S6n2JaIbxhOlyqiBpL6XvSj1O3K+okg5B850EZJDSQacHq8qn3UvTRkvERKamubq1+NzpJCCGYnXb1nQ
+l6TdtgLxdTbDpj50stBvxKvGT69lonOtX/CYdseJ6AjaZpJu8OPFX1UL9jiSKMlZelxLFakUNR8hnnOj
+q1q/sT1ToYwOCo2vTGTy6wUbrqdtxWkKo8R4q6K1QcqEubju3yrWDWW/c2RPeejg/BfuCyUhVaV3bFhA
+IfG4dmvTPrXwiNiCrVD+gubMDVQi1frHEv8seetvipmixVrRETx5J7PF2jPgcAw51ptNlE8CTNigcvY5
+QPh55rR8erkt6bWXZgtWfeya602nq22wiRdvrNbjv+rzx7OEuQPBhS3jDcmlefrkyS0N1H+p5V/iiP+c
+fzUvzbxPvCqoq4tzwLumn8Bmr22K4QSyZ5LpcMClyeCLt6g/C+jYGIPNPAYeVkjXxClyX8SMNm2U6JZ8
+xWRz/87RB7guyH9QAV1hmjdv09HhIepuesYPPBfiv4c/ee5p5RTHyfDq+3AiWz/V3A70MwKpn5v0svu2
+f55aMuPsI9DxPLh9jLlw/TGcbUX23yn6OwAA//8cyfJJsS8AAA==
+`,
+	},
+
+	"/data/config_schema_v3.2.json": {
+		local:   "data/config_schema_v3.2.json",
+		size:    13755,
+		modtime: 1518458244,
+		compressed: `
+H4sIAAAAAAAC/+xbzW7cOBK+91MISm7xT7AbLLC57XFPM+cxFIFNVasZUyRTpNruBH73gaSWWpREkeqW
+48xgDARwqGKR9cuvWPSPTRTF7zXdQ0Hiz1G8N0Z9vr//qqW4bUbvJOb3GZKduf346b4ZexffVPNYVk2h
+UuxYnjZf0sO/7/51V01vSMxRQUUkt1+BmmYM4VvJEKrJD/EBUDMp4uRmU31TKBWgYaDjz1G1uSjqSNqB
+HlttkIk8rodfag5RFGvAA6M9Dt1W392f+d93ZDdDrr3N1uOKGAMofh/vrf785YHcfv/f7R8fb/97l94m
+H95bnyv9Iuya5TPYMcEMk6JbP+4oX06/vXQLkyyriQm31t4RrsGWWYB5kvjok7kjeyOZT+tPyGyLc5C8
+LLwWbKneSJhm+XXsp4EiGL/LNlRv5rHV8tcJvGmFnqVtKHpr1xu0wntKVVPh5dZVpyyHljJQXB6rMYc+
+GoIChIk7FURRvC0Zz4YalQJ+q1g89Aaj6Mcwk/X41N+t/7kN3n13yNJ9p1IYeDa1UPNLNyqQ9BFwxziE
+ziCY6xmVcaZNKjHNGDWT8ymhe0h3KAsvl13a7EPHLwM+I8Z+xxz6dPWTbCYYxpSolGSZpRCCSI7xTRQz
+A4We1lUUl4J9K+H/JxKDJQz5ZijV+oxzlKVKFcHKU+ftGFNZFESs5b5L5AjQvBSGMAGYClL4PLIKXxCZ
+ThvkEOpJFoMORqxqj0zMRUjDpoqRam/xYGKqgSDdXzhfFoSJEN2BMHhUkjX+8ss5AohD2iWlxWoAcWAo
+RdFGQ1im6s1/VlLDUDEDAfufOlE3U7n8oRX8JopFWWwBKzBsUe4kFqTabLv2xpHrJjyvr8C+DBU+IDzl
+TDyu7+LwbJCke6nNJYdBvAfCzZ7ugT7OTO9TWbOlNiFOzgqS+4kU9ZFwsgV+kZyrKr/HVuZ5ReryuBEE
+CgQPGbIDYCgSkOqM3KLRjw/JBMBYi/TLXYNiZ6Kq/o3zOHmZYDEes0cGEoYBCssqBaEVbkDQ2udRpzIp
+LWTmctARsQ7N1IsPwsuAaJDpvJWIRxrX9pZ4WYjrn83OGdGgL0MUI25MHT4F+sTU3P/MznVMdfIMx8ge
+Vuet1OE2tZFk44u/V4XwimXuXFFniH6AKYlGX3/cuzy4r642T50P/GbxkTZG5g6atFkeH/7IiGey1FRE
+EszBLkOYMJADOiaocsuZ3kO2ZA5KI6nkYYExWceGB4PNMLkamylkB8YhH0i8lZIDEdZBgUCyVAp+DKDU
+hqC3/NNAS2TmmEplVkeFel+kmn0HO/bOXn9ilAw2NLgYe7Xwc7ntK4WNliXS6wJnlr60k9w8cb6EeBTw
+JxO++LO6O1QmE7U+amouw9baZEykUoHwxoY2UqU5EgqpAmRyUhVWgs1KJNX6Yzaa5YJwX5iZQu0uvAQw
+xh/sJWcFcwfNhNcG4LUGq01DtBl4FpSyZyqE+QIhoDLYE1xwdNSBuXOcT5tADGS3uGp+N6eNJJP0i6DX
+cBuJE/1MB1WpvUVcTSN0GnC0T/Rq/hoZ2rJRTZ5clMdPKwXmztfO+sGIwG4KaKYNCHoMX2jLRrfES+uu
+sKqrpiJ5k2+DC53wWD218X6KKEJSqRymCRfjlQHs4KZjBra6MsyTxMfq/MoYzlnskkbp4GpwrgPYJ/V2
+TOe7kb5OIdNkO+iRTZ3L1UGCBz88QDDIBp2HFmP1oQDoX/N+3rACZGlmbb/pTYp7nVSPUXuUQ5s+dEZt
+y3iv4ULONxBZ3QkJOgwRFGeUaB/guOLSuFQZMZA2z24WQbwZbKcIEs6BM12EYKU4A06OF8HkpqFBGC8R
+UkKdWX0wo5CCGYmXL1mQ57RdtibxVTB28R5639svuOujXq9lojOmd3hMu+JIdARdpZ3uOt47f1UtGIIm
+VZKzBl2soQoqRbOPEM+50lUrv6lqo0IZHRQaT0xk8mnBgutpW3FCYZBFr1W0NkiYMIvbVNeKdQVG6BzZ
+c5Z0dP73VI7zg6rS28wpoJB4XBsHtS/pPCK2ZCuclUHdvxNVKtX61w/+Dl/iL36ZIsVa0RHcD40nD2tP
+mTxTKq93B1luBZg3uCVfMem1TxkcVn3okPhNp6sk2MTOdwTr7b8uCoZ3hlPVAzGG0H1QobEQXV6Rh0bV
+82QaOlH9k4X+Jj778/zr9ObY+9i3prr4HA944foL2OytTWE3JXomGV86zGly6avexN7GkGziz0Lsw3Su
+ZbmZv+QaLHpS4rzkKyabuw8zkGHuhdMrnbUrtIOnbTqoMzZd83f41N8R/735o4f/lZziOLoU+2E3AJpH
++4mlnwFJ816wl92TfunlMuPknwMM2w/ts3xHR9S+M9tU/142fwYAAP//CLvrnLs1AAA=
+`,
+	},
+
+	"/data/config_schema_v3.3.json": {
+		local:   "data/config_schema_v3.3.json",
+		size:    15414,
+		modtime: 1518458244,
+		compressed: `
+H4sIAAAAAAAC/+xbUW/bPg5/z6cIvL0tbQdsOOD2do/3dPd8hWcoMpNolSWNktNmQ7/7QbbjWLZsKYm7
+dv//BgxobIoSSZH8kZJ/LpbL5L2mOyhI8mWZ7IxRX+7uvmkpbuqntxK3dzmSjbn5+PmufvYuWdlxLLdD
+qBQbts3qN9n+0+2nWzu8JjEHBZZIrr8BNfUzhO8lQ7CD75M9oGZSJOlqYd8plArQMNDJl6Vd3HLZkhwf
+dNhqg0xsk+rxc8VhuUw04J7RDod2qe/uTvzvWrJVn2tnsdVzRYwBFP8drq16/fWe3Pz4183/Pt788za7
+ST+8d15b/SJs6ulz2DDBDJOinT9pKZ+bv57biUmeV8SEO3NvCNfgyizAPEp8CMnckr2SzM38HpldcfaS
+l0XQgkeqVxKmnn4e+2mgCCa8ZWuqV9uxdvp5BK6jRkjgI9UrCVxPf53Ai6PQk7Q1RWfuaoFOPPOpyhdP
+xnXVKmtESzkoLg/22Yg+aoIChElaFSyXybpkPO9rVAr4j2Vx33m4XP7sh+4On+q982vc4O37EVna91QK
+A0+mEmp66loFkj4AbhiH2BEE6108ojLOtMkkZjmjxjuekzXwqzhQQneQbVAWQS6brJZEJ889PgPG4a3d
+9wr7L114GCaUqIzkuaNSgkgOyWqZMAOF9mt7mZSCfS/h3w2JwRL6fHOUan7GW5SlyhRBu9end0JCZVEQ
+MZcDnCNHhOYHYdbxqmaO7qt2NmdZI9IsI3zE45QBpw67tY2KskQa66V2ToJbMPH0JcvjibfnEBcyd9ct
+ymINOHBJ17OGv9OF703P+oYwAZgJUkBwHyPkIAwjPNMKqEN+tNSEZZKoqJkgbJk2ePBSnqToLiwHBSLX
+WV0DxAY4h0FbEMwaJnIxFbhrNjZ027UlvYGZBoJ0d+F4WRAmYowKwuBBSVaHsTcXn0Dss3bfnK0GEHuG
+UhTHIB2XQDvjn5TUcH1wbEbcHwVftT6dutpLNhILYhd7nHsxkoI9O6+rwK4MFvgSnnEmHubf4vBkkGQ7
+qc0lGCXZAeFmR3dAHyaGd6mc0VKbmE3OCrINEykaIrkYiyWzKr/DVm63lnRsxw2wfSQqzpHtAWMhrlSn
+ksSXWUPZPFifOaRfb+vybMKrqr84T9JnD4tQGu1JGIdzHasUhFo4i6B1aEc1DY9skPNPtANiHRupz06E
+l1VYUaYLlthBJDmGFuN3WRxyPJqdM6JBX4YoBtyY2n+O3BO+sf+YHDsydJRnfOkWYNWFqJx7F5KGQetL
+VpbKBd5urKgiRNfBlETzS2qhU5w6Jfx68mF51Dd31KCXqakmolRcRcWEga0tZfxJoFxzpneQnzMGpZFU
+8jjH8DZo4p1hor66CJspZHvGYduTeC0lByKcRIFA8kwKfoig1IZgsCuhgZbIzCGTysyOCvWuyDT7Aa7v
+nXZ9wyjtLajX4v7Tivj7tCL0QVNzGbbWJmcikwpE0De0kSrbIqGQKUAmvapwAmxeIrHzD9lothWEh9zM
+FGpzYRPAmLCzl5wVbNxpPLs2Aq/VWM0P0SbgWVTInqgQpguEiMpgR/CM1FE55mYkPy0iMZB7WF3xWzUL
+Sb30Z0Gv/jLSUfTjd6pSB4u4ikboLCK1e05df48I7dioIk8viuPNTJGx86WjfjQicE+7NNMGBD3ET7Rm
+g8OLc+uuuKqroiLbOt5GFzrxvtocyP8SUYSkUo2YJl6MFwawvU7HBGwdizCPEh9s/soZTlnskhsAvdbg
+1NF2lzR4FWD6mD10BM40WfeOMXx52SYS3IfhAYJB1jt5OGKsLhQA/Tb784YVIEszaftFZ1DSuSIQMGqH
+sm/T+855U13GBw0Xk99A5NVJSFQyRFCcUaJDgOOKpnGpcmIga26ZnAPxJrCdIkg4B850EYOVkhw4OVwE
+k+sDDcJ4iZAROhrVeyMKKZiRePmUBXnKjtNWJKEKxi3eY/u93YK7SvV6LhOdMP3IjjnOOBAdQduw07bj
+g+Nn1YIhaDIlOavRxRyqoFLU64jZOVduVbtvbG1UKKOjXOORiVw+njHhfNpWnFDoRdFrFa0NEibM2cdU
+fbUohA0gCOpFSBPlwkTJMF8vRlnc/ArdwmuNfwWSat09kHFbuvB1ypEsS1UZPPIqoJDT1zuuuOAcEvFI
+NgOiiDojbagyqeZv0oTPQdNwi4ApUswVQ6JPjRMvpHkL0aFcCzC/YXRYDS98jFj1vq1XVq2u0mgTj962
+mG/9VenU76z6aixiDKG7qHLsTAx+RRwa9Bi8Yaih+hOF/iJ79tftr+Ybi+Bd/4rq4jwecVXzDdjslU0x
+SGJeUzRUf0zxol7hnqJ1TDLskk1p8tyvI1J3GX0yzxeJLq6ZOmNfTHdle5M2SpyWfMa4f/thAr1NXcl7
+Idgzw/0Fv017hfGiva3Q/+hq3P+P4wefYFk5xWHQxf3pnljVn0+ljn56JPUF106iTbu9gtEb+b4Ps/rn
+ZccPpEaO8N0m78L+f178PwAA//9GlSx0NjwAAA==
+`,
+	},
+
+	"/data/config_schema_v3.4.json": {
+		local:   "data/config_schema_v3.4.json",
+		size:    15797,
+		modtime: 1518458244,
+		compressed: `
+H4sIAAAAAAAC/+xbT2/bOhK/+1MYeu9WOymwxQLb2x73tHvewBVoamyzoUh2SDlxC3/3hURJ0R+KpG2l
+Sff1AQ+NpeGQM5w/vxlSPxbLZfKnpgfISfJ5mRyMUZ/v779qKdb26Z3E/X2GZGfWHz/d22d/JKtyHMvK
+IVSKHdun9k16/Nvdp7tyuCUxJwUlkdx+BWrsM4RvBUMoBz8kR0DNpEg2q0X5TqFUgIaBTj4vy8Utly1J
+86DDVhtkYp9Uj88Vh+Uy0YBHRjsc2qX+cf/C/74lWw25dhZbPVfEGEDxn/HaqtdfHsj6+z/X//24/sdd
+ut58+LP3utQvws5On8GOCWaYFO38SUt5rv86txOTLKuICe/NvSNcQ19mAeZJ4mNI5pbsjWSu53fI3Bfn
+KHmRB3ewoXojYez08+yfBopgwiZrqd7MYsvp5xHYRo2QwA3VGwlsp79N4EUjtHuNyZfndfnvueLp5We5
+dNZXCdGLeS51umLOtD5bhU5oMgPF5alauVtnliAHYZJWTctlsi0Yz4ZalwL+XbJ46DxcLn8Mw3uHT/W+
+92vaKNr3E7K076kUBp5NJZR/aqsCSR8Bd4xD7AiC1tInVMaZNqnENGPUOMdzsgV+EwdK6AHSHco8yGWX
+Wkm0k1ETwSMlNwT34NbsgHg0OuxbQ7cs/9ssHAwTSlRKsqy3DoJITslqmTADuXYLtEwKwb4V8K+axGAB
+Q74ZSjU/4z3KQqWKYOlIfmUnVOY5EXN51yVyRGh+FOd7LlvP0X3VztZb1oQ0ywgzdHh8IGKEY0YZcmWB
+NDYE+F3BSV+wLJ54fwlxLrP+ukWRbwFHLtn3rPHvzcL1ZrD7hjABmAqSQ9COETIQhhGeagW0R97slGdn
+kqiQnCDsmTZ48gelc3dhGSgQmU5tEXJ59EwyaCuSWcNEJnxZwbIp80K5tmQwMNVAkB6uHC9zwkTMpoIw
+eFKS2TD27uITiGPa2s3FagBxZChF3gTpuOzcGf+spIbbg2M94qERfNX69KavvWQnMSflYpu5FxMp2GF5
+XQV2ZShRLeEpZ+JxfhOHZ4MkPUhtrgFAyQEINwd6AProGd6l6o2W2sQYOcvJPkykaIjkaqCXzKr8Dlu5
+35ekUxY3KhwiIXeG7AgYiyKleql3XJk1lM2DBWKP9MudrQ89XlX9xXmyOTtYhNLoQMI4nNvblZzQEs4i
+aB2yqBqvp6Oc/0I7ItaxkfqqMuLy8i1q64I1fhBJTqHFeCuLQ47NtnNGNOjb6rFOcDl+irQJ19i/e8dO
+DJ3kGV+6BVh1ISrnzoVswqD1NStL1Qfe/VhRRYiugymJ5qfUQi9x6iXh28nH5dFwu6MGvU5N5YlScRUV
+Ewb2ZSnjTgLFljN9gOySMSiNpJLHOYaz+xPvDJ766ipsppAdGYf9QOKtlByI6CUKBJKlUvBTBKU2BINd
+CQ20QGZOqVRmdlSoD3mq2Xfo+96L1deMNoMFDXrsv1sRf51WhD5paq7D1tpkTKRSgQj6hjZSpXskFFIF
+yKRTFb0AmxVIyvnHbDTbC8JDbmZytbuyCWBM2NkLznI27TQOq43AaxaruSGaB55FhWxPheAvECIqgwPB
+C1JH5Zi7ify0iMRA/dPyit+qXsjGSX8R9BouYzOJftxOVehgEVfRCJ1GpHbHse+vEaF7e1SRb66K4/VM
+kbHztaN+NCLoH6Vppg0IeoqfaMtGhxeX1l1xVVdFRfY23kYXOvG+Wt8I+CmiCEmlmtiaeDFeGcAOOh0e
+2DoVYZ4kPpb5K2Po27FrriAMWoO+c/MuafAugv8MP3S+zjTZDo4xXHm5TCR4dMODML5AMMgG5xEN8uoC
+BNDvs2tvWA6yMNeCK4Lmcng2vKnUuQ7R9P99JtShHFrQQ+d0yzYNgmYSk01BZNW5S1TqRVCcUaJD8OaG
+FnWhMmIgrS/VXAIoPUhSESScA2c6j0FmSQacnK6yG3t8QhgvEFJCJ3PIYEQuBTMSr58yJ89pM21FEvBa
+66WYwdScIIrcgY2sX6x3DLWxJbRU9a9+UD9PtiViO9ndVkIFYvRc5vBSrUxYZzPjSGMIugyo7UFDcPys
+WrAhSXJmcdMcqqBS2HXEWOmNblHaaFn15croKDd8YiKTT5dH3xm0rTihMIjYtypaGyRMmIsP4IZqUQg7
+QBDUif08hZCnGJqvy6TKiuAN+qC3bv4NGLF190B2b+nCN1UnMjpVRfAwL4dc+i+u3HB3PCRiQzYDeok6
+/a2pUqnmbz+FT3g34eYHUySfK4ZEn4cnTvj0HqJDsRVxNz3fWXRYja+yTOzqQ1uJrVpdbaK3ePIeyXzr
+r4rCYc/YVT0SYwg9RBWaF+L9G+LQqHviDEM11QxRKOZiz/9HpPrV7frn2WD9iUvwM4qK6upcH3FR9R3s
+2RtvxSjRObeipvq9Fa/qFf0zxM6WjLuBPk1GX3RadJt/7TKGZI4PQvvYx3fDYOHvSQ8mrZXol3zGuH/3
+wYPwfBcSXwkazXB7w72ng+J50d7VGH7PNu3/zfjR122lnOI06lb/6J/X2S/TNj39DEjs9d5Oot10+wmT
+3yO4vnkbnhY2355NXGDoN50X5f/nxf8CAAD//0nmRVG1PQAA
+`,
+	},
+
+	"/data/config_schema_v3.5.json": {
+		local:   "data/config_schema_v3.5.json",
+		size:    16725,
+		modtime: 1518458244,
+		compressed: `
+H4sIAAAAAAAC/+xbS4/jNhK++1cYTG7pR4DNLrBz2+Oeds/b8Ag0VZaZpkimSHnaGfi/LyRKaj0okbLV
+0z3IBAimLRUf9f6qSH3dbLfkZ8OOkFPyaUuO1upPj4+/GyXv3dMHhdljivRg73/97dE9+4ncleN4Wg5h
+Sh54lrg3yelvD39/KIc7EnvWUBKp/e/ArHuG8EfBEcrBT+QEaLiSZHe3Kd9pVBrQcjDk07bc3HbbkjQP
+OtMai1xmpHp8qWbYbokBPHHWmaHd6k+Pr/M/tmR3w1k7m62ea2otoPzveG/V689P9P7Pf93/79f7fz4k
+97tffu69LuWLcHDLp3DgkluuZLs+aSkv9V+XdmGaphUxFb21D1QY6PMswX5R+BziuSV7J57r9T0899k5
+KVHkQQ02VO/EjFt+Hf0ZYAg2bLKO6t0stlx+HYZd1Agx3FC9E8Nu+dsY3jRM+/dIPr/cl/9eqjln53Oz
+dPZXMdGLeT5x+mLOtDxbgU5IMgUt1LnauV9mjiAHaUkrpu2W7Asu0qHUlYT/lFM8dR5ut1+H4b0zT/W+
+92vaKNr3E7y075mSFl5sxdT80k4Eij0DHriA2BEUnaVPiExwYxOFScqZ9Y4XdA/iphkYZUdIDqjy4CyH
+xHFivBM1ETySc0sxg2jJmmOeGP5nT65PhEsLGSC5a8fuLoOxo8nCjjn06fK/3cYzIWFUJzRNe0xQRHou
+d8Qt5MbP35YUkv9RwL9rEosFDOdNUen1J85QFTrRFEsvnJc9YSrPqVzLNZfwESH5UZLo+Xu9RvdVu1pv
+WxPcbCOs0hMuAuEmHHBKS1cFstj4sdSPtltS8DSeOFtCnKu0v29Z5HtAchkRj5y093u38b0ZaN9SLgET
+SXMI2jFCCtJyKhKjgfXIG03NaIZExXOCkHFj8eylfOWiu7EUNMjUJK6CWR56SQptObNqmEjlXEpx05RJ
+pdwbGQxMDFBkxyvHq5xyGaNUkBbPWnEXxj5cfAJ5Slq7WSwGkCeOSuZNkI5L7Z3xL1oZuD04tom2Zvyu
+9eldX3rkoDCn5WabtTcTKdhjeV0BdnkoITEVieDyeX0ThxeLNDkqY69BT+QIVNgjOwJ7nhnepeqNVsbG
+GDnPaRYm0ixIYpSgtu6UzBFeDSfJqlrqTKuyrCSdMs1ReRIJ7FPkJ8BY9Kn0a1XlS8GhtB8sQ3uknx9c
+FTrjftVfQozhri+7Dp8MOIwDxD2t5JSVuBfBmJBF1VVBMgIHr7QjYhMb0q8qVpYXiVGqC3YSgpBzClbG
+W1kcxGzULjg1YG6r+jpR6PRbpE34xv5jduzE0Mk542u8wFRdLCuEdyO7MLp9yxJU9xF6P1ZUEaLrYFqh
+/SZF02ucekUGbvFxHTVUd9Sgtym+ZqJUXOnVdCT8A3SxF9wcIV0yBpVVTIk4x/D2mOKdYaYQuwrEaeQn
+LiAbcLxXSgCVvUSBQNNESXGOoDSWYrB9YYAVyO05UdquDh/9/ahXq2/bUf0NDTr5P3oWf52ehTkbZq/D
+1samXCZKgwz6hrFKJxlSBokG5Moril6ATQt0pcFoGsMzSUXIzWyuD1d2C6wNO3sheM6nncZjtRF4zWE1
+P0SbgWdRIXumQpgvECIqgyPFBamjcszDRH7aRGKg/pl8Nd9dvZGdl34R9BpuYzeJfvxOVZhgEVfRSJNE
+pHbP4fL3EaF7OqrId1fF8XqlyNj51lE/GhH0D+wMNxYkO8cvtOejU46ldVdc1VVR0Wy6FeOvTaJ9tb53
+8E1YkYopPaGaeDbeGMAOOh0zsHUqwnxR+Fzmr5TjnMauuegw6CHOnc53SYM3HuZvCoRO8bmh+8F5hy8v
+l4kET354EMYXCBb54OCiQV5dgADmY7b3Lc9BFfZacEXRLodnw/tQnUsXzUHBnAl1KIcW9NQ5BnNNg6CZ
+xGRTkGl1QBOVehG04IyaELy5oUVd6JRaSOqrO0sA5QyS1BSpECC4yWOQGUlB0PNVduPOWSgXBUJCWUQ7
+v9aU5Fbh9Uvm9CVplq1IAl7rvBRTmFoTZJF7sJHzi/sDR2NdCa10/asf1C+TbYnYTna3lVCBGLOWOXir
+lXWuIukitrFKcshV6CT69t7kQOUIpswIUyclH0UAHuoMJCBnSc8aJqLLmPaN2r23W7ZLM0pwh4XXMG+m
+pNtHTOS5MdSVcaes5HNtTVRo/cJlqr4sz6grSFsLymCQhW8VtLFIubSLD1WHYtEIB0CQDGbdclzczhS4
+63UOdVnlvUNv+1bl34D7veFmDrqNB4xqgL72PFqb1tbMzaeUG4ZgoV25vUC1ibeEeSsgz3XxHQzU5ERF
+EdGsvep4e6r8ixh88X5vEdJpQ7YCFo+5SRJ136GmSpRev+EavtOwC7f7uKb5WhE2+gYI8RYMHyF2Fns5
+0U/72LHzbnzLa0KrT23v4a6V1S5axZOOsd7+qzbI8JTE1y+h1lJ2jGqtLKxwb8hEo36hN1TVVD8i1YJI
+9b3b9bezwfrTseDnSRVV+GuvGywv4p73B9DrO6trlAy96qqpfqjrvdU1OH3vqG3cR5+TZPQVwU23bd5u
+Y0jm+WB7qoKZ3NTUac5g0VqI85yvmD8efplBinNXed8IYq1w78mv00GLYtPechp+bzodI5rxo69PSz7l
+eXTO87V/0u2+HN315DMgcTfoOwl7F1X4+r5JHZ6zN9+GTlz96VeHm/L/y+b/AQAA///+Z1URVUEAAA==
+`,
+	},
+
+	"/data/config_schema_v3.6.json": {
+		local:   "data/config_schema_v3.6.json",
+		size:    17007,
+		modtime: 1518458244,
+		compressed: `
+H4sIAAAAAAAC/+xbS4/jNhK++1cYTG7pxwAbBNi57XFPu+dteASaKttMUyRTpDztDPzfF3q2RJEibaun
+O8gECKYtFR/1YNVXxdK31XpNfjbsAAUln9fkYK3+/Pj4u1Hyvnn6oHD/mCPd2ftPvz42z34id9U4nldD
+mJI7vs+aN9nxHw+/PVTDGxJ70lARqe3vwGzzDOGPkiNUg5/IEdBwJcnmblW906g0oOVgyOd1tbn1uifp
+HgymNRa53JP68bmeYb0mBvDI2WCGfqs/Pb7O/9iT3bmzDjZbP9fUWkD53+ne6tdfnuj9n/+6/9+n+38+
+ZPebX34eva7ki7Brls9hxyW3XMl+fdJTntu/zv3CNM9rYipGa++oMDDmWYL9qvA5xnNP9k48t+t7eB6z
+c1SiLKIa7KjeiZlm+WX0Z4Ah2LjJNlTvZrHV8ssw3HiNGMMd1Tsx3Cx/G8Orjmn/HsmXl/vq33M95+x8
+zSyD/dVMjHyeT5w+nxOWZy/QgCRz0EKd6p37ZdYQFCAt6cW0XpNtyUXuSl1J+E81xdPg4Xr9zXXvg3nq
+96NfYaPo3wd46d8zJS282Jqp+aUbESj2DLjjAlJHUGwsPSAywY3NFGY5Z9Y7XtAtiJtmYJQdINuhKqKz
+7LKGE+OdqPPgiZxbintIlqw5FJnhf47k+kS4tLAHJHf92M3ZGTuZLH4w3TNd/bdZeSYkjOqM5vmICYpI
+T9WOuIXC+Plbk1LyP0r4d0tisQR33hyVXn7iPapSZ5pidQrnZU+YKgoqlzqal/CRIPlJkBid93aN4at+
+tdG2AtysE6zS4y4i7ibucCpLVyWyVP9x6Tlar0nJ83Ti/SXEhcrH+5ZlsQUk5wnx5JCOfm9WvjeO9i3l
+EjCTtICoHSPkIC2nIjMa2Ii809SMZkiSPycIe24snryUr1wMN5aDBpmbrMlgLne9JIc+nVnUTeRyLqQ0
+01RBpdobcQZmBiiyw5XjVUG5TFEqSIsnrXjjxj6cfwJ5zHq7uVgMII8clSw6J50W2gfjX7QycLtz7ANt
+y/hdf6Y3Y+mRncKCVpvt1l4FQrDH8oYCHPJQQWIqMsHl8/ImDi8WaXZQxl6DnsgBqLAHdgD2PDN8SDUa
+rYxNMXJe0H2cSLMoiVGC2rZSMkd4NZwki2ppMK3a7yvSkGlO0pNEYJ8jPwKmok+lX7MqXwiOhf1oGjoi
+/fLQZKEzx6/+S4gp3PVFV/eJw2EaIB5ppaCswr0IxsQsqs0Ksgk4eKWdEJtUl35VsnJ5kpikumglIQo5
+Q7Ay3crSIGandsGpAXNb1jfwQsdfE23CN/a32bGBocE503O8yFRDLCuEdyObOLp9yxRUjxH62FfUHmJ4
+wLRC+12Splc/9YoMmsWneZSr7qRBb5N8zXiptNSrq0j4B+hyK7g5QH7JGFRWMSXSDoa3xpR+GGYSsatA
+nEZ+5AL2DsdbpQRQOQoUCDTPlBSnBEpjKUbLFwZYidyeMqXt4vDRX496tfq+HDXekFPJ/1Gz+PvULMzJ
+MHsdtjY25zJTGmT0bBirdLZHyiDTgFx5RTFysHmJTWowmcbwvaQidsxsoXdXVgusjR/2UvCChw+Nx2oT
+8FqD1fwQbQaeJbnsmQxhPkFIyAwOFC8IHfXB3AXi0yoRA43v5Ov57tqNbLz0F0EvdxubIPrxH6rSRJO4
+mkaaLCG0ey6X/xoeeqSjmnxzlR9vV0r0nW/t9ZMRwfjCznBjQbJT+kJbPrnluDTvSsu6aiq6D5di/LlJ
+8llt+w6+CytSMaUDqrmRjT6kvD0XHYYLJ6eu55zJYwsueVEW5PP6UyhjTZfMG0N7pwY0A+hDvverwucq
+succ52z5mhYQp7o617cwJI32gsz3UMT6G7ihW+cmyIdYKkPBox84xZEXgkXuXOl0mHQIncB8zIsPywtQ
+pb0WdlK0lwNXt1Ns0I7SXaHMmdCA0rWgp8EFYVNOiZpJCs4AmddXV0mgBEELzqiJAb8bivelzqmFrG1q
+ugRqz2BsTZEKAYKbIgWzkhwEPV1lN80NFOWiRMgoS7joaDUluVV4/ZIFfcm6ZWuSyKltTinmEFoTZB09
+XNTYnIv7HUdjm+KC0u2vsVM/Bws2qTX+YZGlhndmKXPw5nHLNGnpMrXkTAooVOyO/vaqraNyBFNFhNAd
+0kcRgId6DxKQs2xkDQHvMqV9o0L47ZbdhBkleJMlLGHeTMlmHyme50ZXV/kdai0U2pok1/qVy1x9vTyi
+LiBtLSgDJwrfKmhjkXJpL75udsWiEXaAIBnMHstp2j+T+i9XU9VV/vsOVf9blX8D7ve6mznoNh0wyQHG
+2vNoLaytmZ6wnBuGYKFfuW8tW6VbwrwVkOe2LBF11ORIRZlQxr7q4j+U/iUMPnu/RInptCNbAIun9Ngk
+dYK0VJnSy5ei490em3ghlGtaLOVhk3tjiDdh+Ai+s9zKQKXxY/vOu2n/W0CrT33t4a6X1SZZxcGDsdz+
+6zKIe3/kq5dQayk7JJVWLsxwb4hEk0qq11W1VD881QWe6q9u19/PBtuP6qIfbtVU8e/gbrC8hA74D6DX
+d1bXJBh61dVS/VDXe6vL6UsYqG1aR5+TZHLz5GpYNu+34ZJ5PmUPZTDBTYVuc5xFWyHOc75g/Hj4ZQYp
+zjU5vxHEWqAjzK9Tp0Sx6vu/3C9xwz6iGz/5LrfiU54m9zzfxj0AzTe1m5F8HJLm24JBwN4kJb6+r3Xd
+DoTuq9lAU9Q4O1xV/59X/w8AAP//zRo7vm9CAAA=
+`,
+	},
+
+	"/data/config_schema_v3.7.json": {
+		local:   "data/config_schema_v3.7.json",
+		size:    17777,
+		modtime: 1518458244,
+		compressed: `
+H4sIAAAAAAAC/+xcS4/bOBK++1cYmrlNPwLsYBeb2x73tHvehiPQVNnmNEVyipTTTuD/vtDTEkWKlK1O
+dzAdIEi3VHzUg8WvHsr31Xqd/KrpAXKSfF4nB2PU58fHP7QU9/XTB4n7xwzJztx/+v2xfvZLcleOY1k5
+hEqxY/u0fpMe//bwj4dyeE1iTgpKIrn9A6ipnyH8WTCEcvBTcgTUTIpkc7cq3ymUCtAw0Mnndbm59boj
+aR/0ptUGmdgn1eNzNcN6nWjAI6O9Gbqt/vJ4mf+xI7uzZ+1ttnquiDGA4r/jvVWvvzyR+2//uv/fp/t/
+PqT3m99+Hbwu5Yuwq5fPYMcEM0yKbv2kozw3P527hUmWVcSED9beEa5hyLMA81Xic4jnjuyNeG7Wd/A8
+ZOcoeZEHNdhSvREz9fLL6E8DRTBhk62p3sxiy+WXYbj2GiGGW6o3Yrhe/jaGVy3T7j0mX17uy3/P1ZyT
+89Wz9PZXMTHweS5xunyOX56dQD2SzEBxeap27pZZTZCDMEknpvU62RaMZ7bUpYD/lFM89R6u199t996b
+p3o/+M1vFN17Dy/deyqFgRdTMTW9dC0CSZ8Bd4xD7AiCtaV7RMaZNqnENGPUOMdzsgV+0wyU0AOkO5R5
+cJZdWnOinRO1HjySc0NwD9GS1Yc81ezbQK5PCRMG9oDJXTd2c7bGjiYLH0z7TJd/NivHhAklKiVZNmCC
+IJJTuSNmINdu/tZJIdifBfy7ITFYgD1vhlItP/EeZaFSRbA8hdOyT6jMcyKWOppz+IiQ/OiSGJz3Zo3+
+q261wbY83KwjrNLhLgLuJuxwSkuXBdJY/zH3HK3XScGyeOL9HOJcZsN9iyLfAibnEfHokA5+36xcbyzt
+G8IEYCpIDkE7RshAGEZ4qhXQAXmrqQnNJFH+PEHYM23w5KS8cNHfWAYKRKbTOoKZ73qTDLpwZlE3kYmp
+K6WeprxUyr0l1sBUA0F6uHK8zAkTMUoFYfCkJKvd2LvzTyCOaWc3s8UA4shQirx10nFXe2/8i5IabneO
+3UXbMH7XnenNUHrJTmJOys22a688V7DD8voC7PNQQmLCU87E8/ImDi8GSXqQ2lyDnpIDEG4O9AD0eWJ4
+n2owWmoTY+QsJ/swkWBD97+VkgMRQyJFg/NoyYlp0ilThFdjzmRRVfamlft9Seqz31EME4n+M2RHwFiI
+KtUl9HLd0yFsEIxVB6RfHupQdeKMVj9xPsbErivYfmJxGIeaB1rJCS3BMYLWIYtqQod0hCAutCNiHev3
+r4po5keSUaoLphuCuNSHPeOtLA6HtmrnjGjQt4WGPS90/D3SJlxj/z451jPUO2d8IBiYqg94OXduZBOG
+wK8Zp6ohjB/6ispD9A+Ykmh+SGR18VMX+FAvPg62bHVHDXqdCG3CS8XFZ23awj1AFVvO9AGyOWNQGkkl
+jzsYzkRU/GGYiNauQnoK2ZFx2Fscu2AMAslSKfgpglIbgsEchwZaIDOnVCqzOMZ0J60uVt/lrIYbstL9
+H4mNv05iQ580Nddha20yJlKpQATPhjZSpXskFFIFyKRTFAMHmxVYhwajaTTbC8JDx8zkandlSsGY8GEv
+OMuZ/9A4rDYCr9VYzQ3RJuBZlMueiBCmA4SIyOBAcMbVUR3Mned+WkVioGHhvprvrtnIxkk/C3rZ29h4
+0Y/7UBU6GMRVNEKnEVe7owL9c3jogY4q8s1VfrxZKdJ3vrbXj0YEw6qeZtqAoKf4hbZsVAqZG3fFRV0V
+Fdn7UzHu2CT6rDbNCT+EFSGpVB7V3MhGd6W8PhcthvMHp7bnnIhjcyZYXuTJ5/UnX8QaL5lXhvZWDmgC
+0Pt871eJz+XNnjGcsuXzdLvGsBViZj+JlaqdaoLokwYbS6YbMkLNEkyTrVVWcuZthQE8ugFWGKEhGGRW
+fajFrn2IBfp9VlEMy0EW5lp4StDMB7h221mvt6Wtx0yZUI/StqCnXrWxTrsEzSQGj4DIqjpYFHhBUJxR
+okMA8YYkP0rOt4Q+p02P1BxQPoHGFUHCOXCm8xh0m2TAyekqy6kLWoTxAiElNKIk0uhKMCPx+iVz8pK2
+y1YkgXNbn1PMwLcmiOqesfFlfTLudwy1qdMQUjW/Dd3/2Zvaia0GXK4OlREDHybxYRL9DF0VG+ilzMGZ
+BFimDVAVsfWKJIdchrpAbk/5WypH0CVM8BUg34sAHNR7EICMpgNr8Fw5Y9pXqqLcbtk19pCc1SHmEuZN
+paj3EeN5bnR1pd8pgXiujI5yrV+ZyOTX+TBrAWkrTihY0OxWQWuDhAkzu1fBFotC2AGCoDB5LMc5o4m8
+0XIJeYVAsjcoGd2q/Bs+LnC6myk8Px4wCgyH2nNoza+tia7DjGmKYKBbuWteXMVbwrQVJM9NTivoqJMj
+4UVEDeSqrhFf7iBi8Nn5rVNIpy3ZAgFaTBdXVBtRQ5VKtXwdI9wqtAln0Zki+VIeNrqxKnEGDO/BdxZb
+4UlTv2/feTfusPRo9alLSN11stpEq9h7MJbbf5Ubs4uPriQaMYbQQ1S+bWba4wekL0fpeqdLa6g+PNoM
+j/az2//7s9XmM9Dgp4YVVfjLzRssNOKbjXeg/59EraNL2KnWhupDrT+LWq2mm556x8WfKYlHdwav+rWe
+bhs2meM/c/BFWN5N+UqV1qKNsKc5X/DeevhtAslOdfC/EgRcoN3RrVMrhbLqmhvtb9H9vqQdP/oyveRT
+nEbFye/DBpf6q/LNQD4WSf11TQ8obKICc9f36nZ7TfvduKfjbxi9rsq/59X/AwAA//+9o87pcUUAAA==
+`,
+	},
+
+	"/": {
+		isDir: true,
+		local: "",
+	},
+
+	"/data": {
+		isDir: true,
+		local: "data",
+	},
+}
diff --git a/cli/cli/compose/schema/data/config_schema_v3.0.json b/cli/cli/compose/schema/data/config_schema_v3.0.json
new file mode 100644
index 00000000..f39344cf
--- /dev/null
+++ b/cli/cli/compose/schema/data/config_schema_v3.0.json
@@ -0,0 +1,384 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "id": "config_schema_v3.0.json",
+  "type": "object",
+  "required": ["version"],
+
+  "properties": {
+    "version": {
+      "type": "string"
+    },
+
+    "services": {
+      "id": "#/properties/services",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/service"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "networks": {
+      "id": "#/properties/networks",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/network"
+        }
+      }
+    },
+
+    "volumes": {
+      "id": "#/properties/volumes",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/volume"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+
+  "additionalProperties": false,
+
+  "definitions": {
+
+    "service": {
+      "id": "#/definitions/service",
+      "type": "object",
+
+      "properties": {
+        "deploy": {"$ref": "#/definitions/deployment"},
+        "build": {
+          "oneOf": [
+            {"type": "string"},
+            {
+              "type": "object",
+              "properties": {
+                "context": {"type": "string"},
+                "dockerfile": {"type": "string"},
+                "args": {"$ref": "#/definitions/list_or_dict"}
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "cap_add": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cap_drop": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cgroup_parent": {"type": "string"},
+        "command": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "container_name": {"type": "string"},
+        "depends_on": {"$ref": "#/definitions/list_of_strings"},
+        "devices": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "dns": {"$ref": "#/definitions/string_or_list"},
+        "dns_search": {"$ref": "#/definitions/string_or_list"},
+        "domainname": {"type": "string"},
+        "entrypoint": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "env_file": {"$ref": "#/definitions/string_or_list"},
+        "environment": {"$ref": "#/definitions/list_or_dict"},
+
+        "expose": {
+          "type": "array",
+          "items": {
+            "type": ["string", "number"],
+            "format": "expose"
+          },
+          "uniqueItems": true
+        },
+
+        "external_links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "extra_hosts": {"$ref": "#/definitions/list_or_dict"},
+        "healthcheck": {"$ref": "#/definitions/healthcheck"},
+        "hostname": {"type": "string"},
+        "image": {"type": "string"},
+        "ipc": {"type": "string"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+
+        "logging": {
+            "type": "object",
+
+            "properties": {
+                "driver": {"type": "string"},
+                "options": {
+                  "type": "object",
+                  "patternProperties": {
+                    "^.+$": {"type": ["string", "number", "null"]}
+                  }
+                }
+            },
+            "additionalProperties": false
+        },
+
+        "mac_address": {"type": "string"},
+        "network_mode": {"type": "string"},
+
+        "networks": {
+          "oneOf": [
+            {"$ref": "#/definitions/list_of_strings"},
+            {
+              "type": "object",
+              "patternProperties": {
+                "^[a-zA-Z0-9._-]+$": {
+                  "oneOf": [
+                    {
+                      "type": "object",
+                      "properties": {
+                        "aliases": {"$ref": "#/definitions/list_of_strings"},
+                        "ipv4_address": {"type": "string"},
+                        "ipv6_address": {"type": "string"}
+                      },
+                      "additionalProperties": false
+                    },
+                    {"type": "null"}
+                  ]
+                }
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "pid": {"type": ["string", "null"]},
+
+        "ports": {
+          "type": "array",
+          "items": {
+            "type": ["string", "number"],
+            "format": "ports"
+          },
+          "uniqueItems": true
+        },
+
+        "privileged": {"type": "boolean"},
+        "read_only": {"type": "boolean"},
+        "restart": {"type": "string"},
+        "security_opt": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "shm_size": {"type": ["number", "string"]},
+        "sysctls": {"$ref": "#/definitions/list_or_dict"},
+        "stdin_open": {"type": "boolean"},
+        "stop_grace_period": {"type": "string", "format": "duration"},
+        "stop_signal": {"type": "string"},
+        "tmpfs": {"$ref": "#/definitions/string_or_list"},
+        "tty": {"type": "boolean"},
+        "ulimits": {
+          "type": "object",
+          "patternProperties": {
+            "^[a-z]+$": {
+              "oneOf": [
+                {"type": "integer"},
+                {
+                  "type":"object",
+                  "properties": {
+                    "hard": {"type": "integer"},
+                    "soft": {"type": "integer"}
+                  },
+                  "required": ["soft", "hard"],
+                  "additionalProperties": false
+                }
+              ]
+            }
+          }
+        },
+        "user": {"type": "string"},
+        "userns_mode": {"type": "string"},
+        "volumes": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "working_dir": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "healthcheck": {
+      "id": "#/definitions/healthcheck",
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "disable": {"type": "boolean"},
+        "interval": {"type": "string"},
+        "retries": {"type": "number"},
+        "test": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "timeout": {"type": "string"}
+      }
+    },
+    "deployment": {
+      "id": "#/definitions/deployment",
+      "type": ["object", "null"],
+      "properties": {
+        "mode": {"type": "string"},
+        "replicas": {"type": "integer"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "update_config": {
+          "type": "object",
+          "properties": {
+            "parallelism": {"type": "integer"},
+            "delay": {"type": "string", "format": "duration"},
+            "failure_action": {"type": "string"},
+            "monitor": {"type": "string", "format": "duration"},
+            "max_failure_ratio": {"type": "number"}
+          },
+          "additionalProperties": false
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {"$ref": "#/definitions/resource"},
+            "reservations": {"$ref": "#/definitions/resource"}
+          },
+          "additionalProperties": false
+        },
+        "restart_policy": {
+          "type": "object",
+          "properties": {
+            "condition": {"type": "string"},
+            "delay": {"type": "string", "format": "duration"},
+            "max_attempts": {"type": "integer"},
+            "window": {"type": "string", "format": "duration"}
+          },
+          "additionalProperties": false
+        },
+        "placement": {
+          "type": "object",
+          "properties": {
+            "constraints": {"type": "array", "items": {"type": "string"}}
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "resource": {
+      "id": "#/definitions/resource",
+      "type": "object",
+      "properties": {
+        "cpus": {"type": "string"},
+        "memory": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "network": {
+      "id": "#/definitions/network",
+      "type": ["object", "null"],
+      "properties": {
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "ipam": {
+          "type": "object",
+          "properties": {
+            "driver": {"type": "string"},
+            "config": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "subnet": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "internal": {"type": "boolean"},
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "volume": {
+      "id": "#/definitions/volume",
+      "type": ["object", "null"],
+      "properties": {
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "string_or_list": {
+      "oneOf": [
+        {"type": "string"},
+        {"$ref": "#/definitions/list_of_strings"}
+      ]
+    },
+
+    "list_of_strings": {
+      "type": "array",
+      "items": {"type": "string"},
+      "uniqueItems": true
+    },
+
+    "list_or_dict": {
+      "oneOf": [
+        {
+          "type": "object",
+          "patternProperties": {
+            ".+": {
+              "type": ["string", "number", "null"]
+            }
+          },
+          "additionalProperties": false
+        },
+        {"type": "array", "items": {"type": "string"}, "uniqueItems": true}
+      ]
+    },
+
+    "constraints": {
+      "service": {
+        "id": "#/definitions/constraints/service",
+        "anyOf": [
+          {"required": ["build"]},
+          {"required": ["image"]}
+        ],
+        "properties": {
+          "build": {
+            "required": ["context"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cli/cli/compose/schema/data/config_schema_v3.1.json b/cli/cli/compose/schema/data/config_schema_v3.1.json
new file mode 100644
index 00000000..719c0fa7
--- /dev/null
+++ b/cli/cli/compose/schema/data/config_schema_v3.1.json
@@ -0,0 +1,429 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "id": "config_schema_v3.1.json",
+  "type": "object",
+  "required": ["version"],
+
+  "properties": {
+    "version": {
+      "type": "string"
+    },
+
+    "services": {
+      "id": "#/properties/services",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/service"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "networks": {
+      "id": "#/properties/networks",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/network"
+        }
+      }
+    },
+
+    "volumes": {
+      "id": "#/properties/volumes",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/volume"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "secrets": {
+      "id": "#/properties/secrets",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/secret"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+
+  "additionalProperties": false,
+
+  "definitions": {
+
+    "service": {
+      "id": "#/definitions/service",
+      "type": "object",
+
+      "properties": {
+        "deploy": {"$ref": "#/definitions/deployment"},
+        "build": {
+          "oneOf": [
+            {"type": "string"},
+            {
+              "type": "object",
+              "properties": {
+                "context": {"type": "string"},
+                "dockerfile": {"type": "string"},
+                "args": {"$ref": "#/definitions/list_or_dict"}
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "cap_add": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cap_drop": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cgroup_parent": {"type": "string"},
+        "command": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "container_name": {"type": "string"},
+        "depends_on": {"$ref": "#/definitions/list_of_strings"},
+        "devices": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "dns": {"$ref": "#/definitions/string_or_list"},
+        "dns_search": {"$ref": "#/definitions/string_or_list"},
+        "domainname": {"type": "string"},
+        "entrypoint": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "env_file": {"$ref": "#/definitions/string_or_list"},
+        "environment": {"$ref": "#/definitions/list_or_dict"},
+
+        "expose": {
+          "type": "array",
+          "items": {
+            "type": ["string", "number"],
+            "format": "expose"
+          },
+          "uniqueItems": true
+        },
+
+        "external_links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "extra_hosts": {"$ref": "#/definitions/list_or_dict"},
+        "healthcheck": {"$ref": "#/definitions/healthcheck"},
+        "hostname": {"type": "string"},
+        "image": {"type": "string"},
+        "ipc": {"type": "string"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+
+        "logging": {
+            "type": "object",
+
+            "properties": {
+                "driver": {"type": "string"},
+                "options": {
+                  "type": "object",
+                  "patternProperties": {
+                    "^.+$": {"type": ["string", "number", "null"]}
+                  }
+                }
+            },
+            "additionalProperties": false
+        },
+
+        "mac_address": {"type": "string"},
+        "network_mode": {"type": "string"},
+
+        "networks": {
+          "oneOf": [
+            {"$ref": "#/definitions/list_of_strings"},
+            {
+              "type": "object",
+              "patternProperties": {
+                "^[a-zA-Z0-9._-]+$": {
+                  "oneOf": [
+                    {
+                      "type": "object",
+                      "properties": {
+                        "aliases": {"$ref": "#/definitions/list_of_strings"},
+                        "ipv4_address": {"type": "string"},
+                        "ipv6_address": {"type": "string"}
+                      },
+                      "additionalProperties": false
+                    },
+                    {"type": "null"}
+                  ]
+                }
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "pid": {"type": ["string", "null"]},
+
+        "ports": {
+          "type": "array",
+          "items": {
+            "type": ["string", "number"],
+            "format": "ports"
+          },
+          "uniqueItems": true
+        },
+
+        "privileged": {"type": "boolean"},
+        "read_only": {"type": "boolean"},
+        "restart": {"type": "string"},
+        "security_opt": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "shm_size": {"type": ["number", "string"]},
+        "secrets": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "sysctls": {"$ref": "#/definitions/list_or_dict"},
+        "stdin_open": {"type": "boolean"},
+        "stop_grace_period": {"type": "string", "format": "duration"},
+        "stop_signal": {"type": "string"},
+        "tmpfs": {"$ref": "#/definitions/string_or_list"},
+        "tty": {"type": "boolean"},
+        "ulimits": {
+          "type": "object",
+          "patternProperties": {
+            "^[a-z]+$": {
+              "oneOf": [
+                {"type": "integer"},
+                {
+                  "type":"object",
+                  "properties": {
+                    "hard": {"type": "integer"},
+                    "soft": {"type": "integer"}
+                  },
+                  "required": ["soft", "hard"],
+                  "additionalProperties": false
+                }
+              ]
+            }
+          }
+        },
+        "user": {"type": "string"},
+        "userns_mode": {"type": "string"},
+        "volumes": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "working_dir": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "healthcheck": {
+      "id": "#/definitions/healthcheck",
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "disable": {"type": "boolean"},
+        "interval": {"type": "string"},
+        "retries": {"type": "number"},
+        "test": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "timeout": {"type": "string"}
+      }
+    },
+    "deployment": {
+      "id": "#/definitions/deployment",
+      "type": ["object", "null"],
+      "properties": {
+        "mode": {"type": "string"},
+        "replicas": {"type": "integer"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "update_config": {
+          "type": "object",
+          "properties": {
+            "parallelism": {"type": "integer"},
+            "delay": {"type": "string", "format": "duration"},
+            "failure_action": {"type": "string"},
+            "monitor": {"type": "string", "format": "duration"},
+            "max_failure_ratio": {"type": "number"}
+          },
+          "additionalProperties": false
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {"$ref": "#/definitions/resource"},
+            "reservations": {"$ref": "#/definitions/resource"}
+          },
+          "additionalProperties": false
+        },
+        "restart_policy": {
+          "type": "object",
+          "properties": {
+            "condition": {"type": "string"},
+            "delay": {"type": "string", "format": "duration"},
+            "max_attempts": {"type": "integer"},
+            "window": {"type": "string", "format": "duration"}
+          },
+          "additionalProperties": false
+        },
+        "placement": {
+          "type": "object",
+          "properties": {
+            "constraints": {"type": "array", "items": {"type": "string"}}
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "resource": {
+      "id": "#/definitions/resource",
+      "type": "object",
+      "properties": {
+        "cpus": {"type": "string"},
+        "memory": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "network": {
+      "id": "#/definitions/network",
+      "type": ["object", "null"],
+      "properties": {
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "ipam": {
+          "type": "object",
+          "properties": {
+            "driver": {"type": "string"},
+            "config": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "subnet": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "internal": {"type": "boolean"},
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "volume": {
+      "id": "#/definitions/volume",
+      "type": ["object", "null"],
+      "properties": {
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "secret": {
+      "id": "#/definitions/secret",
+      "type": "object",
+      "properties": {
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "string_or_list": {
+      "oneOf": [
+        {"type": "string"},
+        {"$ref": "#/definitions/list_of_strings"}
+      ]
+    },
+
+    "list_of_strings": {
+      "type": "array",
+      "items": {"type": "string"},
+      "uniqueItems": true
+    },
+
+    "list_or_dict": {
+      "oneOf": [
+        {
+          "type": "object",
+          "patternProperties": {
+            ".+": {
+              "type": ["string", "number", "null"]
+            }
+          },
+          "additionalProperties": false
+        },
+        {"type": "array", "items": {"type": "string"}, "uniqueItems": true}
+      ]
+    },
+
+    "constraints": {
+      "service": {
+        "id": "#/definitions/constraints/service",
+        "anyOf": [
+          {"required": ["build"]},
+          {"required": ["image"]}
+        ],
+        "properties": {
+          "build": {
+            "required": ["context"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cli/cli/compose/schema/data/config_schema_v3.2.json b/cli/cli/compose/schema/data/config_schema_v3.2.json
new file mode 100644
index 00000000..6e0e0e74
--- /dev/null
+++ b/cli/cli/compose/schema/data/config_schema_v3.2.json
@@ -0,0 +1,476 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "id": "config_schema_v3.2.json",
+  "type": "object",
+  "required": ["version"],
+
+  "properties": {
+    "version": {
+      "type": "string"
+    },
+
+    "services": {
+      "id": "#/properties/services",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/service"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "networks": {
+      "id": "#/properties/networks",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/network"
+        }
+      }
+    },
+
+    "volumes": {
+      "id": "#/properties/volumes",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/volume"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "secrets": {
+      "id": "#/properties/secrets",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/secret"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+
+  "additionalProperties": false,
+
+  "definitions": {
+
+    "service": {
+      "id": "#/definitions/service",
+      "type": "object",
+
+      "properties": {
+        "deploy": {"$ref": "#/definitions/deployment"},
+        "build": {
+          "oneOf": [
+            {"type": "string"},
+            {
+              "type": "object",
+              "properties": {
+                "context": {"type": "string"},
+                "dockerfile": {"type": "string"},
+                "args": {"$ref": "#/definitions/list_or_dict"},
+                "cache_from": {"$ref": "#/definitions/list_of_strings"}
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "cap_add": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cap_drop": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cgroup_parent": {"type": "string"},
+        "command": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "container_name": {"type": "string"},
+        "depends_on": {"$ref": "#/definitions/list_of_strings"},
+        "devices": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "dns": {"$ref": "#/definitions/string_or_list"},
+        "dns_search": {"$ref": "#/definitions/string_or_list"},
+        "domainname": {"type": "string"},
+        "entrypoint": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "env_file": {"$ref": "#/definitions/string_or_list"},
+        "environment": {"$ref": "#/definitions/list_or_dict"},
+
+        "expose": {
+          "type": "array",
+          "items": {
+            "type": ["string", "number"],
+            "format": "expose"
+          },
+          "uniqueItems": true
+        },
+
+        "external_links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "extra_hosts": {"$ref": "#/definitions/list_or_dict"},
+        "healthcheck": {"$ref": "#/definitions/healthcheck"},
+        "hostname": {"type": "string"},
+        "image": {"type": "string"},
+        "ipc": {"type": "string"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+
+        "logging": {
+            "type": "object",
+
+            "properties": {
+                "driver": {"type": "string"},
+                "options": {
+                  "type": "object",
+                  "patternProperties": {
+                    "^.+$": {"type": ["string", "number", "null"]}
+                  }
+                }
+            },
+            "additionalProperties": false
+        },
+
+        "mac_address": {"type": "string"},
+        "network_mode": {"type": "string"},
+
+        "networks": {
+          "oneOf": [
+            {"$ref": "#/definitions/list_of_strings"},
+            {
+              "type": "object",
+              "patternProperties": {
+                "^[a-zA-Z0-9._-]+$": {
+                  "oneOf": [
+                    {
+                      "type": "object",
+                      "properties": {
+                        "aliases": {"$ref": "#/definitions/list_of_strings"},
+                        "ipv4_address": {"type": "string"},
+                        "ipv6_address": {"type": "string"}
+                      },
+                      "additionalProperties": false
+                    },
+                    {"type": "null"}
+                  ]
+                }
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "pid": {"type": ["string", "null"]},
+
+        "ports": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "number", "format": "ports"},
+              {"type": "string", "format": "ports"},
+              {
+                "type": "object",
+                "properties": {
+                  "mode": {"type": "string"},
+                  "target": {"type": "integer"},
+                  "published": {"type": "integer"},
+                  "protocol": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            ]
+          },
+          "uniqueItems": true
+        },
+
+        "privileged": {"type": "boolean"},
+        "read_only": {"type": "boolean"},
+        "restart": {"type": "string"},
+        "security_opt": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "shm_size": {"type": ["number", "string"]},
+        "secrets": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "sysctls": {"$ref": "#/definitions/list_or_dict"},
+        "stdin_open": {"type": "boolean"},
+        "stop_grace_period": {"type": "string", "format": "duration"},
+        "stop_signal": {"type": "string"},
+        "tmpfs": {"$ref": "#/definitions/string_or_list"},
+        "tty": {"type": "boolean"},
+        "ulimits": {
+          "type": "object",
+          "patternProperties": {
+            "^[a-z]+$": {
+              "oneOf": [
+                {"type": "integer"},
+                {
+                  "type":"object",
+                  "properties": {
+                    "hard": {"type": "integer"},
+                    "soft": {"type": "integer"}
+                  },
+                  "required": ["soft", "hard"],
+                  "additionalProperties": false
+                }
+              ]
+            }
+          }
+        },
+        "user": {"type": "string"},
+        "userns_mode": {"type": "string"},
+        "volumes": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "required": ["type"],
+                "properties": {
+                  "type": {"type": "string"},
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "read_only": {"type": "boolean"},
+                  "consistency": {"type": "string"},
+                  "bind": {
+                    "type": "object",
+                    "properties": {
+                      "propagation": {"type": "string"}
+                    }
+                  },
+                  "volume": {
+                    "type": "object",
+                    "properties": {
+                      "nocopy": {"type": "boolean"}
+                    }
+                  }
+                },
+                "additionalProperties": false
+              }
+            ],
+            "uniqueItems": true
+          }
+        },
+        "working_dir": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "healthcheck": {
+      "id": "#/definitions/healthcheck",
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "disable": {"type": "boolean"},
+        "interval": {"type": "string"},
+        "retries": {"type": "number"},
+        "test": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "timeout": {"type": "string"}
+      }
+    },
+    "deployment": {
+      "id": "#/definitions/deployment",
+      "type": ["object", "null"],
+      "properties": {
+        "mode": {"type": "string"},
+        "endpoint_mode": {"type": "string"},
+        "replicas": {"type": "integer"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "update_config": {
+          "type": "object",
+          "properties": {
+            "parallelism": {"type": "integer"},
+            "delay": {"type": "string", "format": "duration"},
+            "failure_action": {"type": "string"},
+            "monitor": {"type": "string", "format": "duration"},
+            "max_failure_ratio": {"type": "number"}
+          },
+          "additionalProperties": false
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {"$ref": "#/definitions/resource"},
+            "reservations": {"$ref": "#/definitions/resource"}
+          },
+          "additionalProperties": false
+        },
+        "restart_policy": {
+          "type": "object",
+          "properties": {
+            "condition": {"type": "string"},
+            "delay": {"type": "string", "format": "duration"},
+            "max_attempts": {"type": "integer"},
+            "window": {"type": "string", "format": "duration"}
+          },
+          "additionalProperties": false
+        },
+        "placement": {
+          "type": "object",
+          "properties": {
+            "constraints": {"type": "array", "items": {"type": "string"}}
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "resource": {
+      "id": "#/definitions/resource",
+      "type": "object",
+      "properties": {
+        "cpus": {"type": "string"},
+        "memory": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "network": {
+      "id": "#/definitions/network",
+      "type": ["object", "null"],
+      "properties": {
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "ipam": {
+          "type": "object",
+          "properties": {
+            "driver": {"type": "string"},
+            "config": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "subnet": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "internal": {"type": "boolean"},
+        "attachable": {"type": "boolean"},
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "volume": {
+      "id": "#/definitions/volume",
+      "type": ["object", "null"],
+      "properties": {
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "secret": {
+      "id": "#/definitions/secret",
+      "type": "object",
+      "properties": {
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "string_or_list": {
+      "oneOf": [
+        {"type": "string"},
+        {"$ref": "#/definitions/list_of_strings"}
+      ]
+    },
+
+    "list_of_strings": {
+      "type": "array",
+      "items": {"type": "string"},
+      "uniqueItems": true
+    },
+
+    "list_or_dict": {
+      "oneOf": [
+        {
+          "type": "object",
+          "patternProperties": {
+            ".+": {
+              "type": ["string", "number", "null"]
+            }
+          },
+          "additionalProperties": false
+        },
+        {"type": "array", "items": {"type": "string"}, "uniqueItems": true}
+      ]
+    },
+
+    "constraints": {
+      "service": {
+        "id": "#/definitions/constraints/service",
+        "anyOf": [
+          {"required": ["build"]},
+          {"required": ["image"]}
+        ],
+        "properties": {
+          "build": {
+            "required": ["context"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cli/cli/compose/schema/data/config_schema_v3.3.json b/cli/cli/compose/schema/data/config_schema_v3.3.json
new file mode 100644
index 00000000..0b735cfe
--- /dev/null
+++ b/cli/cli/compose/schema/data/config_schema_v3.3.json
@@ -0,0 +1,536 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "id": "config_schema_v3.3.json",
+  "type": "object",
+  "required": ["version"],
+
+  "properties": {
+    "version": {
+      "type": "string"
+    },
+
+    "services": {
+      "id": "#/properties/services",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/service"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "networks": {
+      "id": "#/properties/networks",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/network"
+        }
+      }
+    },
+
+    "volumes": {
+      "id": "#/properties/volumes",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/volume"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "secrets": {
+      "id": "#/properties/secrets",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/secret"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "configs": {
+      "id": "#/properties/configs",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/config"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+
+  "additionalProperties": false,
+
+  "definitions": {
+
+    "service": {
+      "id": "#/definitions/service",
+      "type": "object",
+
+      "properties": {
+        "deploy": {"$ref": "#/definitions/deployment"},
+        "build": {
+          "oneOf": [
+            {"type": "string"},
+            {
+              "type": "object",
+              "properties": {
+                "context": {"type": "string"},
+                "dockerfile": {"type": "string"},
+                "args": {"$ref": "#/definitions/list_or_dict"},
+                "labels": {"$ref": "#/definitions/list_or_dict"},
+                "cache_from": {"$ref": "#/definitions/list_of_strings"}
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "cap_add": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cap_drop": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cgroup_parent": {"type": "string"},
+        "command": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "configs": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "container_name": {"type": "string"},
+        "credential_spec": {"type": "object", "properties": {
+          "file": {"type": "string"},
+          "registry": {"type": "string"}
+        }},
+        "depends_on": {"$ref": "#/definitions/list_of_strings"},
+        "devices": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "dns": {"$ref": "#/definitions/string_or_list"},
+        "dns_search": {"$ref": "#/definitions/string_or_list"},
+        "domainname": {"type": "string"},
+        "entrypoint": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "env_file": {"$ref": "#/definitions/string_or_list"},
+        "environment": {"$ref": "#/definitions/list_or_dict"},
+
+        "expose": {
+          "type": "array",
+          "items": {
+            "type": ["string", "number"],
+            "format": "expose"
+          },
+          "uniqueItems": true
+        },
+
+        "external_links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "extra_hosts": {"$ref": "#/definitions/list_or_dict"},
+        "healthcheck": {"$ref": "#/definitions/healthcheck"},
+        "hostname": {"type": "string"},
+        "image": {"type": "string"},
+        "ipc": {"type": "string"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+
+        "logging": {
+            "type": "object",
+
+            "properties": {
+                "driver": {"type": "string"},
+                "options": {
+                  "type": "object",
+                  "patternProperties": {
+                    "^.+$": {"type": ["string", "number", "null"]}
+                  }
+                }
+            },
+            "additionalProperties": false
+        },
+
+        "mac_address": {"type": "string"},
+        "network_mode": {"type": "string"},
+
+        "networks": {
+          "oneOf": [
+            {"$ref": "#/definitions/list_of_strings"},
+            {
+              "type": "object",
+              "patternProperties": {
+                "^[a-zA-Z0-9._-]+$": {
+                  "oneOf": [
+                    {
+                      "type": "object",
+                      "properties": {
+                        "aliases": {"$ref": "#/definitions/list_of_strings"},
+                        "ipv4_address": {"type": "string"},
+                        "ipv6_address": {"type": "string"}
+                      },
+                      "additionalProperties": false
+                    },
+                    {"type": "null"}
+                  ]
+                }
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "pid": {"type": ["string", "null"]},
+
+        "ports": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "number", "format": "ports"},
+              {"type": "string", "format": "ports"},
+              {
+                "type": "object",
+                "properties": {
+                  "mode": {"type": "string"},
+                  "target": {"type": "integer"},
+                  "published": {"type": "integer"},
+                  "protocol": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            ]
+          },
+          "uniqueItems": true
+        },
+
+        "privileged": {"type": "boolean"},
+        "read_only": {"type": "boolean"},
+        "restart": {"type": "string"},
+        "security_opt": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "shm_size": {"type": ["number", "string"]},
+        "secrets": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "sysctls": {"$ref": "#/definitions/list_or_dict"},
+        "stdin_open": {"type": "boolean"},
+        "stop_grace_period": {"type": "string", "format": "duration"},
+        "stop_signal": {"type": "string"},
+        "tmpfs": {"$ref": "#/definitions/string_or_list"},
+        "tty": {"type": "boolean"},
+        "ulimits": {
+          "type": "object",
+          "patternProperties": {
+            "^[a-z]+$": {
+              "oneOf": [
+                {"type": "integer"},
+                {
+                  "type":"object",
+                  "properties": {
+                    "hard": {"type": "integer"},
+                    "soft": {"type": "integer"}
+                  },
+                  "required": ["soft", "hard"],
+                  "additionalProperties": false
+                }
+              ]
+            }
+          }
+        },
+        "user": {"type": "string"},
+        "userns_mode": {"type": "string"},
+        "volumes": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "required": ["type"],
+                "properties": {
+                  "type": {"type": "string"},
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "read_only": {"type": "boolean"},
+                  "consistency": {"type": "string"},
+                  "bind": {
+                    "type": "object",
+                    "properties": {
+                      "propagation": {"type": "string"}
+                    }
+                  },
+                  "volume": {
+                    "type": "object",
+                    "properties": {
+                      "nocopy": {"type": "boolean"}
+                    }
+                  }
+                },
+                "additionalProperties": false
+              }
+            ],
+            "uniqueItems": true
+          }
+        },
+        "working_dir": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "healthcheck": {
+      "id": "#/definitions/healthcheck",
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "disable": {"type": "boolean"},
+        "interval": {"type": "string"},
+        "retries": {"type": "number"},
+        "test": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "timeout": {"type": "string"}
+      }
+    },
+    "deployment": {
+      "id": "#/definitions/deployment",
+      "type": ["object", "null"],
+      "properties": {
+        "mode": {"type": "string"},
+        "endpoint_mode": {"type": "string"},
+        "replicas": {"type": "integer"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "update_config": {
+          "type": "object",
+          "properties": {
+            "parallelism": {"type": "integer"},
+            "delay": {"type": "string", "format": "duration"},
+            "failure_action": {"type": "string"},
+            "monitor": {"type": "string", "format": "duration"},
+            "max_failure_ratio": {"type": "number"}
+          },
+          "additionalProperties": false
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {"$ref": "#/definitions/resource"},
+            "reservations": {"$ref": "#/definitions/resource"}
+          },
+          "additionalProperties": false
+        },
+        "restart_policy": {
+          "type": "object",
+          "properties": {
+            "condition": {"type": "string"},
+            "delay": {"type": "string", "format": "duration"},
+            "max_attempts": {"type": "integer"},
+            "window": {"type": "string", "format": "duration"}
+          },
+          "additionalProperties": false
+        },
+        "placement": {
+          "type": "object",
+          "properties": {
+            "constraints": {"type": "array", "items": {"type": "string"}},
+            "preferences": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "spread": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "resource": {
+      "id": "#/definitions/resource",
+      "type": "object",
+      "properties": {
+        "cpus": {"type": "string"},
+        "memory": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "network": {
+      "id": "#/definitions/network",
+      "type": ["object", "null"],
+      "properties": {
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "ipam": {
+          "type": "object",
+          "properties": {
+            "driver": {"type": "string"},
+            "config": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "subnet": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "internal": {"type": "boolean"},
+        "attachable": {"type": "boolean"},
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "volume": {
+      "id": "#/definitions/volume",
+      "type": ["object", "null"],
+      "properties": {
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "secret": {
+      "id": "#/definitions/secret",
+      "type": "object",
+      "properties": {
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "config": {
+      "id": "#/definitions/config",
+      "type": "object",
+      "properties": {
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "string_or_list": {
+      "oneOf": [
+        {"type": "string"},
+        {"$ref": "#/definitions/list_of_strings"}
+      ]
+    },
+
+    "list_of_strings": {
+      "type": "array",
+      "items": {"type": "string"},
+      "uniqueItems": true
+    },
+
+    "list_or_dict": {
+      "oneOf": [
+        {
+          "type": "object",
+          "patternProperties": {
+            ".+": {
+              "type": ["string", "number", "null"]
+            }
+          },
+          "additionalProperties": false
+        },
+        {"type": "array", "items": {"type": "string"}, "uniqueItems": true}
+      ]
+    },
+
+    "constraints": {
+      "service": {
+        "id": "#/definitions/constraints/service",
+        "anyOf": [
+          {"required": ["build"]},
+          {"required": ["image"]}
+        ],
+        "properties": {
+          "build": {
+            "required": ["context"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cli/cli/compose/schema/data/config_schema_v3.4.json b/cli/cli/compose/schema/data/config_schema_v3.4.json
new file mode 100644
index 00000000..93fe821a
--- /dev/null
+++ b/cli/cli/compose/schema/data/config_schema_v3.4.json
@@ -0,0 +1,544 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "id": "config_schema_v3.4.json",
+  "type": "object",
+  "required": ["version"],
+
+  "properties": {
+    "version": {
+      "type": "string"
+    },
+
+    "services": {
+      "id": "#/properties/services",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/service"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "networks": {
+      "id": "#/properties/networks",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/network"
+        }
+      }
+    },
+
+    "volumes": {
+      "id": "#/properties/volumes",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/volume"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "secrets": {
+      "id": "#/properties/secrets",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/secret"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "configs": {
+      "id": "#/properties/configs",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/config"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+
+  "patternProperties": {"^x-": {}},
+  "additionalProperties": false,
+
+  "definitions": {
+
+    "service": {
+      "id": "#/definitions/service",
+      "type": "object",
+
+      "properties": {
+        "deploy": {"$ref": "#/definitions/deployment"},
+        "build": {
+          "oneOf": [
+            {"type": "string"},
+            {
+              "type": "object",
+              "properties": {
+                "context": {"type": "string"},
+                "dockerfile": {"type": "string"},
+                "args": {"$ref": "#/definitions/list_or_dict"},
+                "labels": {"$ref": "#/definitions/list_or_dict"},
+                "cache_from": {"$ref": "#/definitions/list_of_strings"},
+                "network": {"type": "string"},
+                "target": {"type": "string"}
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "cap_add": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cap_drop": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cgroup_parent": {"type": "string"},
+        "command": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "configs": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "container_name": {"type": "string"},
+        "credential_spec": {"type": "object", "properties": {
+          "file": {"type": "string"},
+          "registry": {"type": "string"}
+        }},
+        "depends_on": {"$ref": "#/definitions/list_of_strings"},
+        "devices": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "dns": {"$ref": "#/definitions/string_or_list"},
+        "dns_search": {"$ref": "#/definitions/string_or_list"},
+        "domainname": {"type": "string"},
+        "entrypoint": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "env_file": {"$ref": "#/definitions/string_or_list"},
+        "environment": {"$ref": "#/definitions/list_or_dict"},
+
+        "expose": {
+          "type": "array",
+          "items": {
+            "type": ["string", "number"],
+            "format": "expose"
+          },
+          "uniqueItems": true
+        },
+
+        "external_links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "extra_hosts": {"$ref": "#/definitions/list_or_dict"},
+        "healthcheck": {"$ref": "#/definitions/healthcheck"},
+        "hostname": {"type": "string"},
+        "image": {"type": "string"},
+        "ipc": {"type": "string"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+
+        "logging": {
+            "type": "object",
+
+            "properties": {
+                "driver": {"type": "string"},
+                "options": {
+                  "type": "object",
+                  "patternProperties": {
+                    "^.+$": {"type": ["string", "number", "null"]}
+                  }
+                }
+            },
+            "additionalProperties": false
+        },
+
+        "mac_address": {"type": "string"},
+        "network_mode": {"type": "string"},
+
+        "networks": {
+          "oneOf": [
+            {"$ref": "#/definitions/list_of_strings"},
+            {
+              "type": "object",
+              "patternProperties": {
+                "^[a-zA-Z0-9._-]+$": {
+                  "oneOf": [
+                    {
+                      "type": "object",
+                      "properties": {
+                        "aliases": {"$ref": "#/definitions/list_of_strings"},
+                        "ipv4_address": {"type": "string"},
+                        "ipv6_address": {"type": "string"}
+                      },
+                      "additionalProperties": false
+                    },
+                    {"type": "null"}
+                  ]
+                }
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "pid": {"type": ["string", "null"]},
+
+        "ports": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "number", "format": "ports"},
+              {"type": "string", "format": "ports"},
+              {
+                "type": "object",
+                "properties": {
+                  "mode": {"type": "string"},
+                  "target": {"type": "integer"},
+                  "published": {"type": "integer"},
+                  "protocol": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            ]
+          },
+          "uniqueItems": true
+        },
+
+        "privileged": {"type": "boolean"},
+        "read_only": {"type": "boolean"},
+        "restart": {"type": "string"},
+        "security_opt": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "shm_size": {"type": ["number", "string"]},
+        "secrets": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "sysctls": {"$ref": "#/definitions/list_or_dict"},
+        "stdin_open": {"type": "boolean"},
+        "stop_grace_period": {"type": "string", "format": "duration"},
+        "stop_signal": {"type": "string"},
+        "tmpfs": {"$ref": "#/definitions/string_or_list"},
+        "tty": {"type": "boolean"},
+        "ulimits": {
+          "type": "object",
+          "patternProperties": {
+            "^[a-z]+$": {
+              "oneOf": [
+                {"type": "integer"},
+                {
+                  "type":"object",
+                  "properties": {
+                    "hard": {"type": "integer"},
+                    "soft": {"type": "integer"}
+                  },
+                  "required": ["soft", "hard"],
+                  "additionalProperties": false
+                }
+              ]
+            }
+          }
+        },
+        "user": {"type": "string"},
+        "userns_mode": {"type": "string"},
+        "volumes": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "required": ["type"],
+                "properties": {
+                  "type": {"type": "string"},
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "read_only": {"type": "boolean"},
+                  "consistency": {"type": "string"},
+                  "bind": {
+                    "type": "object",
+                    "properties": {
+                      "propagation": {"type": "string"}
+                    }
+                  },
+                  "volume": {
+                    "type": "object",
+                    "properties": {
+                      "nocopy": {"type": "boolean"}
+                    }
+                  }
+                },
+                "additionalProperties": false
+              }
+            ],
+            "uniqueItems": true
+          }
+        },
+        "working_dir": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "healthcheck": {
+      "id": "#/definitions/healthcheck",
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "disable": {"type": "boolean"},
+        "interval": {"type": "string", "format": "duration"},
+        "retries": {"type": "number"},
+        "test": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "timeout": {"type": "string", "format": "duration"},
+        "start_period": {"type": "string", "format": "duration"}
+      }
+    },
+    "deployment": {
+      "id": "#/definitions/deployment",
+      "type": ["object", "null"],
+      "properties": {
+        "mode": {"type": "string"},
+        "endpoint_mode": {"type": "string"},
+        "replicas": {"type": "integer"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "update_config": {
+          "type": "object",
+          "properties": {
+            "parallelism": {"type": "integer"},
+            "delay": {"type": "string", "format": "duration"},
+            "failure_action": {"type": "string"},
+            "monitor": {"type": "string", "format": "duration"},
+            "max_failure_ratio": {"type": "number"},
+            "order": {"type": "string", "enum": [
+              "start-first", "stop-first"
+            ]}
+          },
+          "additionalProperties": false
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {"$ref": "#/definitions/resource"},
+            "reservations": {"$ref": "#/definitions/resource"}
+          },
+          "additionalProperties": false
+        },
+        "restart_policy": {
+          "type": "object",
+          "properties": {
+            "condition": {"type": "string"},
+            "delay": {"type": "string", "format": "duration"},
+            "max_attempts": {"type": "integer"},
+            "window": {"type": "string", "format": "duration"}
+          },
+          "additionalProperties": false
+        },
+        "placement": {
+          "type": "object",
+          "properties": {
+            "constraints": {"type": "array", "items": {"type": "string"}},
+            "preferences": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "spread": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "resource": {
+      "id": "#/definitions/resource",
+      "type": "object",
+      "properties": {
+        "cpus": {"type": "string"},
+        "memory": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "network": {
+      "id": "#/definitions/network",
+      "type": ["object", "null"],
+      "properties": {
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "ipam": {
+          "type": "object",
+          "properties": {
+            "driver": {"type": "string"},
+            "config": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "subnet": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "internal": {"type": "boolean"},
+        "attachable": {"type": "boolean"},
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "volume": {
+      "id": "#/definitions/volume",
+      "type": ["object", "null"],
+      "properties": {
+        "name": {"type": "string"},
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "secret": {
+      "id": "#/definitions/secret",
+      "type": "object",
+      "properties": {
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "config": {
+      "id": "#/definitions/config",
+      "type": "object",
+      "properties": {
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "string_or_list": {
+      "oneOf": [
+        {"type": "string"},
+        {"$ref": "#/definitions/list_of_strings"}
+      ]
+    },
+
+    "list_of_strings": {
+      "type": "array",
+      "items": {"type": "string"},
+      "uniqueItems": true
+    },
+
+    "list_or_dict": {
+      "oneOf": [
+        {
+          "type": "object",
+          "patternProperties": {
+            ".+": {
+              "type": ["string", "number", "null"]
+            }
+          },
+          "additionalProperties": false
+        },
+        {"type": "array", "items": {"type": "string"}, "uniqueItems": true}
+      ]
+    },
+
+    "constraints": {
+      "service": {
+        "id": "#/definitions/constraints/service",
+        "anyOf": [
+          {"required": ["build"]},
+          {"required": ["image"]}
+        ],
+        "properties": {
+          "build": {
+            "required": ["context"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cli/cli/compose/schema/data/config_schema_v3.5.json b/cli/cli/compose/schema/data/config_schema_v3.5.json
new file mode 100644
index 00000000..4244e102
--- /dev/null
+++ b/cli/cli/compose/schema/data/config_schema_v3.5.json
@@ -0,0 +1,573 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "id": "config_schema_v3.5.json",
+  "type": "object",
+  "required": ["version"],
+
+  "properties": {
+    "version": {
+      "type": "string"
+    },
+
+    "services": {
+      "id": "#/properties/services",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/service"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "networks": {
+      "id": "#/properties/networks",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/network"
+        }
+      }
+    },
+
+    "volumes": {
+      "id": "#/properties/volumes",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/volume"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "secrets": {
+      "id": "#/properties/secrets",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/secret"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "configs": {
+      "id": "#/properties/configs",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/config"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+
+  "patternProperties": {"^x-": {}},
+  "additionalProperties": false,
+
+  "definitions": {
+
+    "service": {
+      "id": "#/definitions/service",
+      "type": "object",
+
+      "properties": {
+        "deploy": {"$ref": "#/definitions/deployment"},
+        "build": {
+          "oneOf": [
+            {"type": "string"},
+            {
+              "type": "object",
+              "properties": {
+                "context": {"type": "string"},
+                "dockerfile": {"type": "string"},
+                "args": {"$ref": "#/definitions/list_or_dict"},
+                "labels": {"$ref": "#/definitions/list_or_dict"},
+                "cache_from": {"$ref": "#/definitions/list_of_strings"},
+                "network": {"type": "string"},
+                "target": {"type": "string"},
+                "shm_size": {"type": ["integer", "string"]}
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "cap_add": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cap_drop": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cgroup_parent": {"type": "string"},
+        "command": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "configs": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "container_name": {"type": "string"},
+        "credential_spec": {"type": "object", "properties": {
+          "file": {"type": "string"},
+          "registry": {"type": "string"}
+        }},
+        "depends_on": {"$ref": "#/definitions/list_of_strings"},
+        "devices": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "dns": {"$ref": "#/definitions/string_or_list"},
+        "dns_search": {"$ref": "#/definitions/string_or_list"},
+        "domainname": {"type": "string"},
+        "entrypoint": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "env_file": {"$ref": "#/definitions/string_or_list"},
+        "environment": {"$ref": "#/definitions/list_or_dict"},
+
+        "expose": {
+          "type": "array",
+          "items": {
+            "type": ["string", "number"],
+            "format": "expose"
+          },
+          "uniqueItems": true
+        },
+
+        "external_links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "extra_hosts": {"$ref": "#/definitions/list_or_dict"},
+        "healthcheck": {"$ref": "#/definitions/healthcheck"},
+        "hostname": {"type": "string"},
+        "image": {"type": "string"},
+        "ipc": {"type": "string"},
+        "isolation": {"type": "string"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+
+        "logging": {
+            "type": "object",
+
+            "properties": {
+                "driver": {"type": "string"},
+                "options": {
+                  "type": "object",
+                  "patternProperties": {
+                    "^.+$": {"type": ["string", "number", "null"]}
+                  }
+                }
+            },
+            "additionalProperties": false
+        },
+
+        "mac_address": {"type": "string"},
+        "network_mode": {"type": "string"},
+
+        "networks": {
+          "oneOf": [
+            {"$ref": "#/definitions/list_of_strings"},
+            {
+              "type": "object",
+              "patternProperties": {
+                "^[a-zA-Z0-9._-]+$": {
+                  "oneOf": [
+                    {
+                      "type": "object",
+                      "properties": {
+                        "aliases": {"$ref": "#/definitions/list_of_strings"},
+                        "ipv4_address": {"type": "string"},
+                        "ipv6_address": {"type": "string"}
+                      },
+                      "additionalProperties": false
+                    },
+                    {"type": "null"}
+                  ]
+                }
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "pid": {"type": ["string", "null"]},
+
+        "ports": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "number", "format": "ports"},
+              {"type": "string", "format": "ports"},
+              {
+                "type": "object",
+                "properties": {
+                  "mode": {"type": "string"},
+                  "target": {"type": "integer"},
+                  "published": {"type": "integer"},
+                  "protocol": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            ]
+          },
+          "uniqueItems": true
+        },
+
+        "privileged": {"type": "boolean"},
+        "read_only": {"type": "boolean"},
+        "restart": {"type": "string"},
+        "security_opt": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "shm_size": {"type": ["number", "string"]},
+        "secrets": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "sysctls": {"$ref": "#/definitions/list_or_dict"},
+        "stdin_open": {"type": "boolean"},
+        "stop_grace_period": {"type": "string", "format": "duration"},
+        "stop_signal": {"type": "string"},
+        "tmpfs": {"$ref": "#/definitions/string_or_list"},
+        "tty": {"type": "boolean"},
+        "ulimits": {
+          "type": "object",
+          "patternProperties": {
+            "^[a-z]+$": {
+              "oneOf": [
+                {"type": "integer"},
+                {
+                  "type":"object",
+                  "properties": {
+                    "hard": {"type": "integer"},
+                    "soft": {"type": "integer"}
+                  },
+                  "required": ["soft", "hard"],
+                  "additionalProperties": false
+                }
+              ]
+            }
+          }
+        },
+        "user": {"type": "string"},
+        "userns_mode": {"type": "string"},
+        "volumes": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "required": ["type"],
+                "properties": {
+                  "type": {"type": "string"},
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "read_only": {"type": "boolean"},
+                  "consistency": {"type": "string"},
+                  "bind": {
+                    "type": "object",
+                    "properties": {
+                      "propagation": {"type": "string"}
+                    }
+                  },
+                  "volume": {
+                    "type": "object",
+                    "properties": {
+                      "nocopy": {"type": "boolean"}
+                    }
+                  }
+                },
+                "additionalProperties": false
+              }
+            ],
+            "uniqueItems": true
+          }
+        },
+        "working_dir": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "healthcheck": {
+      "id": "#/definitions/healthcheck",
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "disable": {"type": "boolean"},
+        "interval": {"type": "string", "format": "duration"},
+        "retries": {"type": "number"},
+        "test": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "timeout": {"type": "string", "format": "duration"},
+        "start_period": {"type": "string", "format": "duration"}
+      }
+    },
+    "deployment": {
+      "id": "#/definitions/deployment",
+      "type": ["object", "null"],
+      "properties": {
+        "mode": {"type": "string"},
+        "endpoint_mode": {"type": "string"},
+        "replicas": {"type": "integer"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "update_config": {
+          "type": "object",
+          "properties": {
+            "parallelism": {"type": "integer"},
+            "delay": {"type": "string", "format": "duration"},
+            "failure_action": {"type": "string"},
+            "monitor": {"type": "string", "format": "duration"},
+            "max_failure_ratio": {"type": "number"},
+            "order": {"type": "string", "enum": [
+              "start-first", "stop-first"
+            ]}
+          },
+          "additionalProperties": false
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": "object",
+              "properties": {
+                "cpus": {"type": "string"},
+                "memory": {"type": "string"}
+              },
+              "additionalProperties": false
+            },
+            "reservations": {
+              "type": "object",
+              "properties": {
+                "cpus": {"type": "string"},
+                "memory": {"type": "string"},
+                "generic_resources": {"$ref": "#/definitions/generic_resources"}
+              },
+              "additionalProperties": false
+            }
+          },
+          "additionalProperties": false
+        },
+        "restart_policy": {
+          "type": "object",
+          "properties": {
+            "condition": {"type": "string"},
+            "delay": {"type": "string", "format": "duration"},
+            "max_attempts": {"type": "integer"},
+            "window": {"type": "string", "format": "duration"}
+          },
+          "additionalProperties": false
+        },
+        "placement": {
+          "type": "object",
+          "properties": {
+            "constraints": {"type": "array", "items": {"type": "string"}},
+            "preferences": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "spread": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "generic_resources": {
+      "id": "#/definitions/generic_resources",
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "discrete_resource_spec": {
+            "type": "object",
+            "properties": {
+              "kind": {"type": "string"},
+              "value": {"type": "number"}
+            },
+            "additionalProperties": false
+          }
+        },
+        "additionalProperties": false
+      }
+    },
+
+    "network": {
+      "id": "#/definitions/network",
+      "type": ["object", "null"],
+      "properties": {
+        "name": {"type": "string"},
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "ipam": {
+          "type": "object",
+          "properties": {
+            "driver": {"type": "string"},
+            "config": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "subnet": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "internal": {"type": "boolean"},
+        "attachable": {"type": "boolean"},
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "volume": {
+      "id": "#/definitions/volume",
+      "type": ["object", "null"],
+      "properties": {
+        "name": {"type": "string"},
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "secret": {
+      "id": "#/definitions/secret",
+      "type": "object",
+      "properties": {
+        "name": {"type": "string"},
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "config": {
+      "id": "#/definitions/config",
+      "type": "object",
+      "properties": {
+        "name": {"type": "string"},
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "string_or_list": {
+      "oneOf": [
+        {"type": "string"},
+        {"$ref": "#/definitions/list_of_strings"}
+      ]
+    },
+
+    "list_of_strings": {
+      "type": "array",
+      "items": {"type": "string"},
+      "uniqueItems": true
+    },
+
+    "list_or_dict": {
+      "oneOf": [
+        {
+          "type": "object",
+          "patternProperties": {
+            ".+": {
+              "type": ["string", "number", "null"]
+            }
+          },
+          "additionalProperties": false
+        },
+        {"type": "array", "items": {"type": "string"}, "uniqueItems": true}
+      ]
+    },
+
+    "constraints": {
+      "service": {
+        "id": "#/definitions/constraints/service",
+        "anyOf": [
+          {"required": ["build"]},
+          {"required": ["image"]}
+        ],
+        "properties": {
+          "build": {
+            "required": ["context"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cli/cli/compose/schema/data/config_schema_v3.6.json b/cli/cli/compose/schema/data/config_schema_v3.6.json
new file mode 100644
index 00000000..95a552b3
--- /dev/null
+++ b/cli/cli/compose/schema/data/config_schema_v3.6.json
@@ -0,0 +1,582 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "id": "config_schema_v3.6.json",
+  "type": "object",
+  "required": ["version"],
+
+  "properties": {
+    "version": {
+      "type": "string"
+    },
+
+    "services": {
+      "id": "#/properties/services",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/service"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "networks": {
+      "id": "#/properties/networks",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/network"
+        }
+      }
+    },
+
+    "volumes": {
+      "id": "#/properties/volumes",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/volume"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "secrets": {
+      "id": "#/properties/secrets",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/secret"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "configs": {
+      "id": "#/properties/configs",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/config"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+
+  "patternProperties": {"^x-": {}},
+  "additionalProperties": false,
+
+  "definitions": {
+
+    "service": {
+      "id": "#/definitions/service",
+      "type": "object",
+
+      "properties": {
+        "deploy": {"$ref": "#/definitions/deployment"},
+        "build": {
+          "oneOf": [
+            {"type": "string"},
+            {
+              "type": "object",
+              "properties": {
+                "context": {"type": "string"},
+                "dockerfile": {"type": "string"},
+                "args": {"$ref": "#/definitions/list_or_dict"},
+                "labels": {"$ref": "#/definitions/list_or_dict"},
+                "cache_from": {"$ref": "#/definitions/list_of_strings"},
+                "network": {"type": "string"},
+                "target": {"type": "string"},
+                "shm_size": {"type": ["integer", "string"]}
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "cap_add": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cap_drop": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cgroup_parent": {"type": "string"},
+        "command": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "configs": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "container_name": {"type": "string"},
+        "credential_spec": {"type": "object", "properties": {
+          "file": {"type": "string"},
+          "registry": {"type": "string"}
+        }},
+        "depends_on": {"$ref": "#/definitions/list_of_strings"},
+        "devices": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "dns": {"$ref": "#/definitions/string_or_list"},
+        "dns_search": {"$ref": "#/definitions/string_or_list"},
+        "domainname": {"type": "string"},
+        "entrypoint": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "env_file": {"$ref": "#/definitions/string_or_list"},
+        "environment": {"$ref": "#/definitions/list_or_dict"},
+
+        "expose": {
+          "type": "array",
+          "items": {
+            "type": ["string", "number"],
+            "format": "expose"
+          },
+          "uniqueItems": true
+        },
+
+        "external_links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "extra_hosts": {"$ref": "#/definitions/list_or_dict"},
+        "healthcheck": {"$ref": "#/definitions/healthcheck"},
+        "hostname": {"type": "string"},
+        "image": {"type": "string"},
+        "ipc": {"type": "string"},
+        "isolation": {"type": "string"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+
+        "logging": {
+            "type": "object",
+
+            "properties": {
+                "driver": {"type": "string"},
+                "options": {
+                  "type": "object",
+                  "patternProperties": {
+                    "^.+$": {"type": ["string", "number", "null"]}
+                  }
+                }
+            },
+            "additionalProperties": false
+        },
+
+        "mac_address": {"type": "string"},
+        "network_mode": {"type": "string"},
+
+        "networks": {
+          "oneOf": [
+            {"$ref": "#/definitions/list_of_strings"},
+            {
+              "type": "object",
+              "patternProperties": {
+                "^[a-zA-Z0-9._-]+$": {
+                  "oneOf": [
+                    {
+                      "type": "object",
+                      "properties": {
+                        "aliases": {"$ref": "#/definitions/list_of_strings"},
+                        "ipv4_address": {"type": "string"},
+                        "ipv6_address": {"type": "string"}
+                      },
+                      "additionalProperties": false
+                    },
+                    {"type": "null"}
+                  ]
+                }
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "pid": {"type": ["string", "null"]},
+
+        "ports": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "number", "format": "ports"},
+              {"type": "string", "format": "ports"},
+              {
+                "type": "object",
+                "properties": {
+                  "mode": {"type": "string"},
+                  "target": {"type": "integer"},
+                  "published": {"type": "integer"},
+                  "protocol": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            ]
+          },
+          "uniqueItems": true
+        },
+
+        "privileged": {"type": "boolean"},
+        "read_only": {"type": "boolean"},
+        "restart": {"type": "string"},
+        "security_opt": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "shm_size": {"type": ["number", "string"]},
+        "secrets": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "sysctls": {"$ref": "#/definitions/list_or_dict"},
+        "stdin_open": {"type": "boolean"},
+        "stop_grace_period": {"type": "string", "format": "duration"},
+        "stop_signal": {"type": "string"},
+        "tmpfs": {"$ref": "#/definitions/string_or_list"},
+        "tty": {"type": "boolean"},
+        "ulimits": {
+          "type": "object",
+          "patternProperties": {
+            "^[a-z]+$": {
+              "oneOf": [
+                {"type": "integer"},
+                {
+                  "type":"object",
+                  "properties": {
+                    "hard": {"type": "integer"},
+                    "soft": {"type": "integer"}
+                  },
+                  "required": ["soft", "hard"],
+                  "additionalProperties": false
+                }
+              ]
+            }
+          }
+        },
+        "user": {"type": "string"},
+        "userns_mode": {"type": "string"},
+        "volumes": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "required": ["type"],
+                "properties": {
+                  "type": {"type": "string"},
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "read_only": {"type": "boolean"},
+                  "consistency": {"type": "string"},
+                  "bind": {
+                    "type": "object",
+                    "properties": {
+                      "propagation": {"type": "string"}
+                    }
+                  },
+                  "volume": {
+                    "type": "object",
+                    "properties": {
+                      "nocopy": {"type": "boolean"}
+                    }
+                  },
+                  "tmpfs": {
+                    "type": "object",
+                    "properties": {
+                      "size": {
+                        "type": "integer",
+                        "minimum": 0
+                      }
+                    }
+                  }
+                },
+                "additionalProperties": false
+              }
+            ],
+            "uniqueItems": true
+          }
+        },
+        "working_dir": {"type": "string"}
+      },
+      "additionalProperties": false
+    },
+
+    "healthcheck": {
+      "id": "#/definitions/healthcheck",
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "disable": {"type": "boolean"},
+        "interval": {"type": "string", "format": "duration"},
+        "retries": {"type": "number"},
+        "test": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "timeout": {"type": "string", "format": "duration"},
+        "start_period": {"type": "string", "format": "duration"}
+      }
+    },
+    "deployment": {
+      "id": "#/definitions/deployment",
+      "type": ["object", "null"],
+      "properties": {
+        "mode": {"type": "string"},
+        "endpoint_mode": {"type": "string"},
+        "replicas": {"type": "integer"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "update_config": {
+          "type": "object",
+          "properties": {
+            "parallelism": {"type": "integer"},
+            "delay": {"type": "string", "format": "duration"},
+            "failure_action": {"type": "string"},
+            "monitor": {"type": "string", "format": "duration"},
+            "max_failure_ratio": {"type": "number"},
+            "order": {"type": "string", "enum": [
+              "start-first", "stop-first"
+            ]}
+          },
+          "additionalProperties": false
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": "object",
+              "properties": {
+                "cpus": {"type": "string"},
+                "memory": {"type": "string"}
+              },
+              "additionalProperties": false
+            },
+            "reservations": {
+              "type": "object",
+              "properties": {
+                "cpus": {"type": "string"},
+                "memory": {"type": "string"},
+                "generic_resources": {"$ref": "#/definitions/generic_resources"}
+              },
+              "additionalProperties": false
+            }
+          },
+          "additionalProperties": false
+        },
+        "restart_policy": {
+          "type": "object",
+          "properties": {
+            "condition": {"type": "string"},
+            "delay": {"type": "string", "format": "duration"},
+            "max_attempts": {"type": "integer"},
+            "window": {"type": "string", "format": "duration"}
+          },
+          "additionalProperties": false
+        },
+        "placement": {
+          "type": "object",
+          "properties": {
+            "constraints": {"type": "array", "items": {"type": "string"}},
+            "preferences": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "spread": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "generic_resources": {
+      "id": "#/definitions/generic_resources",
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "discrete_resource_spec": {
+            "type": "object",
+            "properties": {
+              "kind": {"type": "string"},
+              "value": {"type": "number"}
+            },
+            "additionalProperties": false
+          }
+        },
+        "additionalProperties": false
+      }
+    },
+
+    "network": {
+      "id": "#/definitions/network",
+      "type": ["object", "null"],
+      "properties": {
+        "name": {"type": "string"},
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "ipam": {
+          "type": "object",
+          "properties": {
+            "driver": {"type": "string"},
+            "config": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "subnet": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "internal": {"type": "boolean"},
+        "attachable": {"type": "boolean"},
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "volume": {
+      "id": "#/definitions/volume",
+      "type": ["object", "null"],
+      "properties": {
+        "name": {"type": "string"},
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "secret": {
+      "id": "#/definitions/secret",
+      "type": "object",
+      "properties": {
+        "name": {"type": "string"},
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "config": {
+      "id": "#/definitions/config",
+      "type": "object",
+      "properties": {
+        "name": {"type": "string"},
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "additionalProperties": false
+    },
+
+    "string_or_list": {
+      "oneOf": [
+        {"type": "string"},
+        {"$ref": "#/definitions/list_of_strings"}
+      ]
+    },
+
+    "list_of_strings": {
+      "type": "array",
+      "items": {"type": "string"},
+      "uniqueItems": true
+    },
+
+    "list_or_dict": {
+      "oneOf": [
+        {
+          "type": "object",
+          "patternProperties": {
+            ".+": {
+              "type": ["string", "number", "null"]
+            }
+          },
+          "additionalProperties": false
+        },
+        {"type": "array", "items": {"type": "string"}, "uniqueItems": true}
+      ]
+    },
+
+    "constraints": {
+      "service": {
+        "id": "#/definitions/constraints/service",
+        "anyOf": [
+          {"required": ["build"]},
+          {"required": ["image"]}
+        ],
+        "properties": {
+          "build": {
+            "required": ["context"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cli/cli/compose/schema/data/config_schema_v3.7.json b/cli/cli/compose/schema/data/config_schema_v3.7.json
new file mode 100644
index 00000000..f1597df0
--- /dev/null
+++ b/cli/cli/compose/schema/data/config_schema_v3.7.json
@@ -0,0 +1,602 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "id": "config_schema_v3.7.json",
+  "type": "object",
+  "required": ["version"],
+
+  "properties": {
+    "version": {
+      "type": "string"
+    },
+
+    "services": {
+      "id": "#/properties/services",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/service"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "networks": {
+      "id": "#/properties/networks",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/network"
+        }
+      }
+    },
+
+    "volumes": {
+      "id": "#/properties/volumes",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/volume"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "secrets": {
+      "id": "#/properties/secrets",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/secret"
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "configs": {
+      "id": "#/properties/configs",
+      "type": "object",
+      "patternProperties": {
+        "^[a-zA-Z0-9._-]+$": {
+          "$ref": "#/definitions/config"
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+
+  "patternProperties": {"^x-": {}},
+  "additionalProperties": false,
+
+  "definitions": {
+
+    "service": {
+      "id": "#/definitions/service",
+      "type": "object",
+
+      "properties": {
+        "deploy": {"$ref": "#/definitions/deployment"},
+        "build": {
+          "oneOf": [
+            {"type": "string"},
+            {
+              "type": "object",
+              "properties": {
+                "context": {"type": "string"},
+                "dockerfile": {"type": "string"},
+                "args": {"$ref": "#/definitions/list_or_dict"},
+                "labels": {"$ref": "#/definitions/list_or_dict"},
+                "cache_from": {"$ref": "#/definitions/list_of_strings"},
+                "network": {"type": "string"},
+                "target": {"type": "string"},
+                "shm_size": {"type": ["integer", "string"]}
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "cap_add": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cap_drop": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "cgroup_parent": {"type": "string"},
+        "command": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "configs": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "container_name": {"type": "string"},
+        "credential_spec": {"type": "object", "properties": {
+          "file": {"type": "string"},
+          "registry": {"type": "string"}
+        }},
+        "depends_on": {"$ref": "#/definitions/list_of_strings"},
+        "devices": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "dns": {"$ref": "#/definitions/string_or_list"},
+        "dns_search": {"$ref": "#/definitions/string_or_list"},
+        "domainname": {"type": "string"},
+        "entrypoint": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "env_file": {"$ref": "#/definitions/string_or_list"},
+        "environment": {"$ref": "#/definitions/list_or_dict"},
+
+        "expose": {
+          "type": "array",
+          "items": {
+            "type": ["string", "number"],
+            "format": "expose"
+          },
+          "uniqueItems": true
+        },
+
+        "external_links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "extra_hosts": {"$ref": "#/definitions/list_or_dict"},
+        "healthcheck": {"$ref": "#/definitions/healthcheck"},
+        "hostname": {"type": "string"},
+        "image": {"type": "string"},
+        "init": {"type": "boolean"},
+        "ipc": {"type": "string"},
+        "isolation": {"type": "string"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "links": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+
+        "logging": {
+            "type": "object",
+
+            "properties": {
+                "driver": {"type": "string"},
+                "options": {
+                  "type": "object",
+                  "patternProperties": {
+                    "^.+$": {"type": ["string", "number", "null"]}
+                  }
+                }
+            },
+            "additionalProperties": false
+        },
+
+        "mac_address": {"type": "string"},
+        "network_mode": {"type": "string"},
+
+        "networks": {
+          "oneOf": [
+            {"$ref": "#/definitions/list_of_strings"},
+            {
+              "type": "object",
+              "patternProperties": {
+                "^[a-zA-Z0-9._-]+$": {
+                  "oneOf": [
+                    {
+                      "type": "object",
+                      "properties": {
+                        "aliases": {"$ref": "#/definitions/list_of_strings"},
+                        "ipv4_address": {"type": "string"},
+                        "ipv6_address": {"type": "string"}
+                      },
+                      "additionalProperties": false
+                    },
+                    {"type": "null"}
+                  ]
+                }
+              },
+              "additionalProperties": false
+            }
+          ]
+        },
+        "pid": {"type": ["string", "null"]},
+
+        "ports": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "number", "format": "ports"},
+              {"type": "string", "format": "ports"},
+              {
+                "type": "object",
+                "properties": {
+                  "mode": {"type": "string"},
+                  "target": {"type": "integer"},
+                  "published": {"type": "integer"},
+                  "protocol": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            ]
+          },
+          "uniqueItems": true
+        },
+
+        "privileged": {"type": "boolean"},
+        "read_only": {"type": "boolean"},
+        "restart": {"type": "string"},
+        "security_opt": {"type": "array", "items": {"type": "string"}, "uniqueItems": true},
+        "shm_size": {"type": ["number", "string"]},
+        "secrets": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "properties": {
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "uid": {"type": "string"},
+                  "gid": {"type": "string"},
+                  "mode": {"type": "number"}
+                }
+              }
+            ]
+          }
+        },
+        "sysctls": {"$ref": "#/definitions/list_or_dict"},
+        "stdin_open": {"type": "boolean"},
+        "stop_grace_period": {"type": "string", "format": "duration"},
+        "stop_signal": {"type": "string"},
+        "tmpfs": {"$ref": "#/definitions/string_or_list"},
+        "tty": {"type": "boolean"},
+        "ulimits": {
+          "type": "object",
+          "patternProperties": {
+            "^[a-z]+$": {
+              "oneOf": [
+                {"type": "integer"},
+                {
+                  "type":"object",
+                  "properties": {
+                    "hard": {"type": "integer"},
+                    "soft": {"type": "integer"}
+                  },
+                  "required": ["soft", "hard"],
+                  "additionalProperties": false
+                }
+              ]
+            }
+          }
+        },
+        "user": {"type": "string"},
+        "userns_mode": {"type": "string"},
+        "volumes": {
+          "type": "array",
+          "items": {
+            "oneOf": [
+              {"type": "string"},
+              {
+                "type": "object",
+                "required": ["type"],
+                "properties": {
+                  "type": {"type": "string"},
+                  "source": {"type": "string"},
+                  "target": {"type": "string"},
+                  "read_only": {"type": "boolean"},
+                  "consistency": {"type": "string"},
+                  "bind": {
+                    "type": "object",
+                    "properties": {
+                      "propagation": {"type": "string"}
+                    }
+                  },
+                  "volume": {
+                    "type": "object",
+                    "properties": {
+                      "nocopy": {"type": "boolean"}
+                    }
+                  },
+                  "tmpfs": {
+                    "type": "object",
+                    "properties": {
+                      "size": {
+                        "type": "integer",
+                        "minimum": 0
+                      }
+                    }
+                  }
+                },
+                "additionalProperties": false
+              }
+            ],
+            "uniqueItems": true
+          }
+        },
+        "working_dir": {"type": "string"}
+      },
+      "patternProperties": {"^x-": {}},
+      "additionalProperties": false
+    },
+
+    "healthcheck": {
+      "id": "#/definitions/healthcheck",
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "disable": {"type": "boolean"},
+        "interval": {"type": "string", "format": "duration"},
+        "retries": {"type": "number"},
+        "test": {
+          "oneOf": [
+            {"type": "string"},
+            {"type": "array", "items": {"type": "string"}}
+          ]
+        },
+        "timeout": {"type": "string", "format": "duration"},
+        "start_period": {"type": "string", "format": "duration"}
+      }
+    },
+    "deployment": {
+      "id": "#/definitions/deployment",
+      "type": ["object", "null"],
+      "properties": {
+        "mode": {"type": "string"},
+        "endpoint_mode": {"type": "string"},
+        "replicas": {"type": "integer"},
+        "labels": {"$ref": "#/definitions/list_or_dict"},
+        "rollback_config": {
+          "type": "object",
+          "properties": {
+            "parallelism": {"type": "integer"},
+            "delay": {"type": "string", "format": "duration"},
+            "failure_action": {"type": "string"},
+            "monitor": {"type": "string", "format": "duration"},
+            "max_failure_ratio": {"type": "number"},
+            "order": {"type": "string", "enum": [
+              "start-first", "stop-first"
+            ]}
+          },
+          "additionalProperties": false
+        },
+        "update_config": {
+          "type": "object",
+          "properties": {
+            "parallelism": {"type": "integer"},
+            "delay": {"type": "string", "format": "duration"},
+            "failure_action": {"type": "string"},
+            "monitor": {"type": "string", "format": "duration"},
+            "max_failure_ratio": {"type": "number"},
+            "order": {"type": "string", "enum": [
+              "start-first", "stop-first"
+            ]}
+          },
+          "additionalProperties": false
+        },
+        "resources": {
+          "type": "object",
+          "properties": {
+            "limits": {
+              "type": "object",
+              "properties": {
+                "cpus": {"type": "string"},
+                "memory": {"type": "string"}
+              },
+              "additionalProperties": false
+            },
+            "reservations": {
+              "type": "object",
+              "properties": {
+                "cpus": {"type": "string"},
+                "memory": {"type": "string"},
+                "generic_resources": {"$ref": "#/definitions/generic_resources"}
+              },
+              "additionalProperties": false
+            }
+          },
+          "additionalProperties": false
+        },
+        "restart_policy": {
+          "type": "object",
+          "properties": {
+            "condition": {"type": "string"},
+            "delay": {"type": "string", "format": "duration"},
+            "max_attempts": {"type": "integer"},
+            "window": {"type": "string", "format": "duration"}
+          },
+          "additionalProperties": false
+        },
+        "placement": {
+          "type": "object",
+          "properties": {
+            "constraints": {"type": "array", "items": {"type": "string"}},
+            "preferences": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "spread": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+
+    "generic_resources": {
+      "id": "#/definitions/generic_resources",
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "discrete_resource_spec": {
+            "type": "object",
+            "properties": {
+              "kind": {"type": "string"},
+              "value": {"type": "number"}
+            },
+            "additionalProperties": false
+          }
+        },
+        "additionalProperties": false
+      }
+    },
+
+    "network": {
+      "id": "#/definitions/network",
+      "type": ["object", "null"],
+      "properties": {
+        "name": {"type": "string"},
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "ipam": {
+          "type": "object",
+          "properties": {
+            "driver": {"type": "string"},
+            "config": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "subnet": {"type": "string"}
+                },
+                "additionalProperties": false
+              }
+            }
+          },
+          "additionalProperties": false
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "internal": {"type": "boolean"},
+        "attachable": {"type": "boolean"},
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "patternProperties": {"^x-": {}},
+      "additionalProperties": false
+    },
+
+    "volume": {
+      "id": "#/definitions/volume",
+      "type": ["object", "null"],
+      "properties": {
+        "name": {"type": "string"},
+        "driver": {"type": "string"},
+        "driver_opts": {
+          "type": "object",
+          "patternProperties": {
+            "^.+$": {"type": ["string", "number"]}
+          }
+        },
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          },
+          "additionalProperties": false
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "patternProperties": {"^x-": {}},
+      "additionalProperties": false
+    },
+
+    "secret": {
+      "id": "#/definitions/secret",
+      "type": "object",
+      "properties": {
+        "name": {"type": "string"},
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "patternProperties": {"^x-": {}},
+      "additionalProperties": false
+    },
+
+    "config": {
+      "id": "#/definitions/config",
+      "type": "object",
+      "properties": {
+        "name": {"type": "string"},
+        "file": {"type": "string"},
+        "external": {
+          "type": ["boolean", "object"],
+          "properties": {
+            "name": {"type": "string"}
+          }
+        },
+        "labels": {"$ref": "#/definitions/list_or_dict"}
+      },
+      "patternProperties": {"^x-": {}},
+      "additionalProperties": false
+    },
+
+    "string_or_list": {
+      "oneOf": [
+        {"type": "string"},
+        {"$ref": "#/definitions/list_of_strings"}
+      ]
+    },
+
+    "list_of_strings": {
+      "type": "array",
+      "items": {"type": "string"},
+      "uniqueItems": true
+    },
+
+    "list_or_dict": {
+      "oneOf": [
+        {
+          "type": "object",
+          "patternProperties": {
+            ".+": {
+              "type": ["string", "number", "null"]
+            }
+          },
+          "additionalProperties": false
+        },
+        {"type": "array", "items": {"type": "string"}, "uniqueItems": true}
+      ]
+    },
+
+    "constraints": {
+      "service": {
+        "id": "#/definitions/constraints/service",
+        "anyOf": [
+          {"required": ["build"]},
+          {"required": ["image"]}
+        ],
+        "properties": {
+          "build": {
+            "required": ["context"]
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cli/cli/compose/schema/schema.go b/cli/cli/compose/schema/schema.go
new file mode 100644
index 00000000..bbf20fb8
--- /dev/null
+++ b/cli/cli/compose/schema/schema.go
@@ -0,0 +1,168 @@
+package schema
+
+//go:generate esc -o bindata.go -pkg schema -private -modtime=1518458244 data
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/xeipuuv/gojsonschema"
+)
+
+const (
+	defaultVersion = "1.0"
+	versionField   = "version"
+)
+
+type portsFormatChecker struct{}
+
+func (checker portsFormatChecker) IsFormat(input string) bool {
+	// TODO: implement this
+	return true
+}
+
+type durationFormatChecker struct{}
+
+func (checker durationFormatChecker) IsFormat(input string) bool {
+	_, err := time.ParseDuration(input)
+	return err == nil
+}
+
+func init() {
+	gojsonschema.FormatCheckers.Add("expose", portsFormatChecker{})
+	gojsonschema.FormatCheckers.Add("ports", portsFormatChecker{})
+	gojsonschema.FormatCheckers.Add("duration", durationFormatChecker{})
+}
+
+// Version returns the version of the config, defaulting to version 1.0
+func Version(config map[string]interface{}) string {
+	version, ok := config[versionField]
+	if !ok {
+		return defaultVersion
+	}
+	return normalizeVersion(fmt.Sprintf("%v", version))
+}
+
+func normalizeVersion(version string) string {
+	switch version {
+	case "3":
+		return "3.0"
+	default:
+		return version
+	}
+}
+
+// Validate uses the jsonschema to validate the configuration
+func Validate(config map[string]interface{}, version string) error {
+	schemaData, err := _escFSByte(false, fmt.Sprintf("/data/config_schema_v%s.json", version))
+	if err != nil {
+		return errors.Errorf("unsupported Compose file version: %s", version)
+	}
+
+	schemaLoader := gojsonschema.NewStringLoader(string(schemaData))
+	dataLoader := gojsonschema.NewGoLoader(config)
+
+	result, err := gojsonschema.Validate(schemaLoader, dataLoader)
+	if err != nil {
+		return err
+	}
+
+	if !result.Valid() {
+		return toError(result)
+	}
+
+	return nil
+}
+
+func toError(result *gojsonschema.Result) error {
+	err := getMostSpecificError(result.Errors())
+	return err
+}
+
+const (
+	jsonschemaOneOf = "number_one_of"
+	jsonschemaAnyOf = "number_any_of"
+)
+
+func getDescription(err validationError) string {
+	switch err.parent.Type() {
+	case "invalid_type":
+		if expectedType, ok := err.parent.Details()["expected"].(string); ok {
+			return fmt.Sprintf("must be a %s", humanReadableType(expectedType))
+		}
+	case jsonschemaOneOf, jsonschemaAnyOf:
+		if err.child == nil {
+			return err.parent.Description()
+		}
+		return err.child.Description()
+	}
+	return err.parent.Description()
+}
+
+func humanReadableType(definition string) string {
+	if definition[0:1] == "[" {
+		allTypes := strings.Split(definition[1:len(definition)-1], ",")
+		for i, t := range allTypes {
+			allTypes[i] = humanReadableType(t)
+		}
+		return fmt.Sprintf(
+			"%s or %s",
+			strings.Join(allTypes[0:len(allTypes)-1], ", "),
+			allTypes[len(allTypes)-1],
+		)
+	}
+	if definition == "object" {
+		return "mapping"
+	}
+	if definition == "array" {
+		return "list"
+	}
+	return definition
+}
+
+type validationError struct {
+	parent gojsonschema.ResultError
+	child  gojsonschema.ResultError
+}
+
+func (err validationError) Error() string {
+	description := getDescription(err)
+	return fmt.Sprintf("%s %s", err.parent.Field(), description)
+}
+
+func getMostSpecificError(errors []gojsonschema.ResultError) validationError {
+	mostSpecificError := 0
+	for i, err := range errors {
+		if specificity(err) > specificity(errors[mostSpecificError]) {
+			mostSpecificError = i
+			continue
+		}
+
+		if specificity(err) == specificity(errors[mostSpecificError]) {
+			// Invalid type errors win in a tie-breaker for most specific field name
+			if err.Type() == "invalid_type" && errors[mostSpecificError].Type() != "invalid_type" {
+				mostSpecificError = i
+			}
+		}
+	}
+
+	if mostSpecificError+1 == len(errors) {
+		return validationError{parent: errors[mostSpecificError]}
+	}
+
+	switch errors[mostSpecificError].Type() {
+	case "number_one_of", "number_any_of":
+		return validationError{
+			parent: errors[mostSpecificError],
+			child:  errors[mostSpecificError+1],
+		}
+	default:
+		return validationError{parent: errors[mostSpecificError]}
+	}
+}
+
+func specificity(err gojsonschema.ResultError) int {
+	return len(strings.Split(err.Field(), "."))
+}
diff --git a/cli/cli/compose/schema/schema_test.go b/cli/cli/compose/schema/schema_test.go
new file mode 100644
index 00000000..6fa027e4
--- /dev/null
+++ b/cli/cli/compose/schema/schema_test.go
@@ -0,0 +1,238 @@
+package schema
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+type dict map[string]interface{}
+
+func TestValidate(t *testing.T) {
+	config := dict{
+		"version": "3.0",
+		"services": dict{
+			"foo": dict{
+				"image": "busybox",
+			},
+		},
+	}
+
+	assert.NilError(t, Validate(config, "3.0"))
+}
+
+func TestValidateUndefinedTopLevelOption(t *testing.T) {
+	config := dict{
+		"version": "3.0",
+		"helicopters": dict{
+			"foo": dict{
+				"image": "busybox",
+			},
+		},
+	}
+
+	err := Validate(config, "3.0")
+	assert.ErrorContains(t, err, "Additional property helicopters is not allowed")
+}
+
+func TestValidateAllowsXTopLevelFields(t *testing.T) {
+	config := dict{
+		"version":       "3.4",
+		"x-extra-stuff": dict{},
+	}
+
+	err := Validate(config, "3.4")
+	assert.NilError(t, err)
+}
+
+func TestValidateAllowsXFields(t *testing.T) {
+	config := dict{
+		"version": "3.7",
+		"services": dict{
+			"bar": dict{
+				"x-extra-stuff": dict{},
+			},
+		},
+		"volumes": dict{
+			"bar": dict{
+				"x-extra-stuff": dict{},
+			},
+		},
+		"networks": dict{
+			"bar": dict{
+				"x-extra-stuff": dict{},
+			},
+		},
+		"configs": dict{
+			"bar": dict{
+				"x-extra-stuff": dict{},
+			},
+		},
+		"secrets": dict{
+			"bar": dict{
+				"x-extra-stuff": dict{},
+			},
+		},
+	}
+	err := Validate(config, "3.7")
+	assert.NilError(t, err)
+}
+
+func TestValidateSecretConfigNames(t *testing.T) {
+	config := dict{
+		"version": "3.5",
+		"configs": dict{
+			"bar": dict{
+				"name": "foobar",
+			},
+		},
+		"secrets": dict{
+			"baz": dict{
+				"name": "foobaz",
+			},
+		},
+	}
+
+	err := Validate(config, "3.5")
+	assert.NilError(t, err)
+}
+
+func TestValidateInvalidVersion(t *testing.T) {
+	config := dict{
+		"version": "2.1",
+		"services": dict{
+			"foo": dict{
+				"image": "busybox",
+			},
+		},
+	}
+
+	err := Validate(config, "2.1")
+	assert.ErrorContains(t, err, "unsupported Compose file version: 2.1")
+}
+
+type array []interface{}
+
+func TestValidatePlacement(t *testing.T) {
+	config := dict{
+		"version": "3.3",
+		"services": dict{
+			"foo": dict{
+				"image": "busybox",
+				"deploy": dict{
+					"placement": dict{
+						"preferences": array{
+							dict{
+								"spread": "node.labels.az",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	assert.NilError(t, Validate(config, "3.3"))
+}
+
+func TestValidateIsolation(t *testing.T) {
+	config := dict{
+		"version": "3.5",
+		"services": dict{
+			"foo": dict{
+				"image":     "busybox",
+				"isolation": "some-isolation-value",
+			},
+		},
+	}
+	assert.NilError(t, Validate(config, "3.5"))
+}
+
+func TestValidateRollbackConfig(t *testing.T) {
+	config := dict{
+		"version": "3.4",
+		"services": dict{
+			"foo": dict{
+				"image": "busybox",
+				"deploy": dict{
+					"rollback_config": dict{
+						"parallelism": 1,
+					},
+				},
+			},
+		},
+	}
+
+	assert.NilError(t, Validate(config, "3.7"))
+}
+
+func TestValidateRollbackConfigWithOrder(t *testing.T) {
+	config := dict{
+		"version": "3.4",
+		"services": dict{
+			"foo": dict{
+				"image": "busybox",
+				"deploy": dict{
+					"rollback_config": dict{
+						"parallelism": 1,
+						"order":       "start-first",
+					},
+				},
+			},
+		},
+	}
+
+	assert.NilError(t, Validate(config, "3.7"))
+}
+
+func TestValidateRollbackConfigWithUpdateConfig(t *testing.T) {
+	config := dict{
+		"version": "3.4",
+		"services": dict{
+			"foo": dict{
+				"image": "busybox",
+				"deploy": dict{
+					"update_config": dict{
+						"parallelism": 1,
+						"order":       "start-first",
+					},
+					"rollback_config": dict{
+						"parallelism": 1,
+						"order":       "start-first",
+					},
+				},
+			},
+		},
+	}
+
+	assert.NilError(t, Validate(config, "3.7"))
+}
+
+func TestValidateRollbackConfigWithUpdateConfigFull(t *testing.T) {
+	config := dict{
+		"version": "3.4",
+		"services": dict{
+			"foo": dict{
+				"image": "busybox",
+				"deploy": dict{
+					"update_config": dict{
+						"parallelism":    1,
+						"order":          "start-first",
+						"delay":          "10s",
+						"failure_action": "pause",
+						"monitor":        "10s",
+					},
+					"rollback_config": dict{
+						"parallelism":    1,
+						"order":          "start-first",
+						"delay":          "10s",
+						"failure_action": "pause",
+						"monitor":        "10s",
+					},
+				},
+			},
+		},
+	}
+
+	assert.NilError(t, Validate(config, "3.7"))
+}
diff --git a/cli/cli/compose/template/template.go b/cli/cli/compose/template/template.go
new file mode 100644
index 00000000..be5d4560
--- /dev/null
+++ b/cli/cli/compose/template/template.go
@@ -0,0 +1,168 @@
+package template
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+var delimiter = "\\$"
+var substitution = "[_a-z][_a-z0-9]*(?::?[-?][^}]*)?"
+
+var patternString = fmt.Sprintf(
+	"%s(?i:(?P<escaped>%s)|(?P<named>%s)|{(?P<braced>%s)}|(?P<invalid>))",
+	delimiter, delimiter, substitution, substitution,
+)
+
+var pattern = regexp.MustCompile(patternString)
+
+// DefaultSubstituteFuncs contains the default SubstitueFunc used by the docker cli
+var DefaultSubstituteFuncs = []SubstituteFunc{
+	softDefault,
+	hardDefault,
+	requiredNonEmpty,
+	required,
+}
+
+// InvalidTemplateError is returned when a variable template is not in a valid
+// format
+type InvalidTemplateError struct {
+	Template string
+}
+
+func (e InvalidTemplateError) Error() string {
+	return fmt.Sprintf("Invalid template: %#v", e.Template)
+}
+
+// Mapping is a user-supplied function which maps from variable names to values.
+// Returns the value as a string and a bool indicating whether
+// the value is present, to distinguish between an empty string
+// and the absence of a value.
+type Mapping func(string) (string, bool)
+
+// SubstituteFunc is a user-supplied function that apply substitution.
+// Returns the value as a string, a bool indicating if the function could apply
+// the substitution and an error.
+type SubstituteFunc func(string, Mapping) (string, bool, error)
+
+// SubstituteWith subsitute variables in the string with their values.
+// It accepts additional substitute function.
+func SubstituteWith(template string, mapping Mapping, pattern *regexp.Regexp, subsFuncs ...SubstituteFunc) (string, error) {
+	var err error
+	result := pattern.ReplaceAllStringFunc(template, func(substring string) string {
+		matches := pattern.FindStringSubmatch(substring)
+		groups := matchGroups(matches)
+		if escaped := groups["escaped"]; escaped != "" {
+			return escaped
+		}
+
+		substitution := groups["named"]
+		if substitution == "" {
+			substitution = groups["braced"]
+		}
+
+		if substitution == "" {
+			err = &InvalidTemplateError{Template: template}
+			return ""
+		}
+
+		for _, f := range subsFuncs {
+			var (
+				value   string
+				applied bool
+			)
+			value, applied, err = f(substitution, mapping)
+			if err != nil {
+				return ""
+			}
+			if !applied {
+				continue
+			}
+			return value
+		}
+
+		value, _ := mapping(substitution)
+		return value
+	})
+
+	return result, err
+}
+
+// Substitute variables in the string with their values
+func Substitute(template string, mapping Mapping) (string, error) {
+	return SubstituteWith(template, mapping, pattern, DefaultSubstituteFuncs...)
+}
+
+// Soft default (fall back if unset or empty)
+func softDefault(substitution string, mapping Mapping) (string, bool, error) {
+	if !strings.Contains(substitution, ":-") {
+		return "", false, nil
+	}
+	name, defaultValue := partition(substitution, ":-")
+	value, ok := mapping(name)
+	if !ok || value == "" {
+		return defaultValue, true, nil
+	}
+	return value, true, nil
+}
+
+// Hard default (fall back if-and-only-if empty)
+func hardDefault(substitution string, mapping Mapping) (string, bool, error) {
+	if !strings.Contains(substitution, "-") {
+		return "", false, nil
+	}
+	name, defaultValue := partition(substitution, "-")
+	value, ok := mapping(name)
+	if !ok {
+		return defaultValue, true, nil
+	}
+	return value, true, nil
+}
+
+func requiredNonEmpty(substitution string, mapping Mapping) (string, bool, error) {
+	if !strings.Contains(substitution, ":?") {
+		return "", false, nil
+	}
+	name, errorMessage := partition(substitution, ":?")
+	value, ok := mapping(name)
+	if !ok || value == "" {
+		return "", true, &InvalidTemplateError{
+			Template: fmt.Sprintf("required variable %s is missing a value: %s", name, errorMessage),
+		}
+	}
+	return value, true, nil
+}
+
+func required(substitution string, mapping Mapping) (string, bool, error) {
+	if !strings.Contains(substitution, "?") {
+		return "", false, nil
+	}
+	name, errorMessage := partition(substitution, "?")
+	value, ok := mapping(name)
+	if !ok {
+		return "", true, &InvalidTemplateError{
+			Template: fmt.Sprintf("required variable %s is missing a value: %s", name, errorMessage),
+		}
+	}
+	return value, true, nil
+}
+
+func matchGroups(matches []string) map[string]string {
+	groups := make(map[string]string)
+	for i, name := range pattern.SubexpNames()[1:] {
+		groups[name] = matches[i+1]
+	}
+	return groups
+}
+
+// Split the string at the first occurrence of sep, and return the part before the separator,
+// and the part after the separator.
+//
+// If the separator is not found, return the string itself, followed by an empty string.
+func partition(s, sep string) (string, string) {
+	if strings.Contains(s, sep) {
+		parts := strings.SplitN(s, sep, 2)
+		return parts[0], parts[1]
+	}
+	return s, ""
+}
diff --git a/cli/cli/compose/template/template_test.go b/cli/cli/compose/template/template_test.go
new file mode 100644
index 00000000..4d2f0308
--- /dev/null
+++ b/cli/cli/compose/template/template_test.go
@@ -0,0 +1,174 @@
+package template
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+var defaults = map[string]string{
+	"FOO": "first",
+	"BAR": "",
+}
+
+func defaultMapping(name string) (string, bool) {
+	val, ok := defaults[name]
+	return val, ok
+}
+
+func TestEscaped(t *testing.T) {
+	result, err := Substitute("$${foo}", defaultMapping)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("${foo}", result))
+}
+
+func TestSubstituteNoMatch(t *testing.T) {
+	result, err := Substitute("foo", defaultMapping)
+	assert.NilError(t, err)
+	assert.Equal(t, "foo", result)
+}
+
+func TestInvalid(t *testing.T) {
+	invalidTemplates := []string{
+		"${",
+		"$}",
+		"${}",
+		"${ }",
+		"${ foo}",
+		"${foo }",
+		"${foo!}",
+	}
+
+	for _, template := range invalidTemplates {
+		_, err := Substitute(template, defaultMapping)
+		assert.ErrorContains(t, err, "Invalid template")
+	}
+}
+
+func TestNoValueNoDefault(t *testing.T) {
+	for _, template := range []string{"This ${missing} var", "This ${BAR} var"} {
+		result, err := Substitute(template, defaultMapping)
+		assert.NilError(t, err)
+		assert.Check(t, is.Equal("This  var", result))
+	}
+}
+
+func TestValueNoDefault(t *testing.T) {
+	for _, template := range []string{"This $FOO var", "This ${FOO} var"} {
+		result, err := Substitute(template, defaultMapping)
+		assert.NilError(t, err)
+		assert.Check(t, is.Equal("This first var", result))
+	}
+}
+
+func TestNoValueWithDefault(t *testing.T) {
+	for _, template := range []string{"ok ${missing:-def}", "ok ${missing-def}"} {
+		result, err := Substitute(template, defaultMapping)
+		assert.NilError(t, err)
+		assert.Check(t, is.Equal("ok def", result))
+	}
+}
+
+func TestEmptyValueWithSoftDefault(t *testing.T) {
+	result, err := Substitute("ok ${BAR:-def}", defaultMapping)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("ok def", result))
+}
+
+func TestEmptyValueWithHardDefault(t *testing.T) {
+	result, err := Substitute("ok ${BAR-def}", defaultMapping)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("ok ", result))
+}
+
+func TestNonAlphanumericDefault(t *testing.T) {
+	result, err := Substitute("ok ${BAR:-/non:-alphanumeric}", defaultMapping)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("ok /non:-alphanumeric", result))
+}
+
+func TestMandatoryVariableErrors(t *testing.T) {
+	testCases := []struct {
+		template      string
+		expectedError string
+	}{
+		{
+			template:      "not ok ${UNSET_VAR:?Mandatory Variable Unset}",
+			expectedError: "required variable UNSET_VAR is missing a value: Mandatory Variable Unset",
+		},
+		{
+			template:      "not ok ${BAR:?Mandatory Variable Empty}",
+			expectedError: "required variable BAR is missing a value: Mandatory Variable Empty",
+		},
+		{
+			template:      "not ok ${UNSET_VAR:?}",
+			expectedError: "required variable UNSET_VAR is missing a value",
+		},
+		{
+			template:      "not ok ${UNSET_VAR?Mandatory Variable Unset}",
+			expectedError: "required variable UNSET_VAR is missing a value: Mandatory Variable Unset",
+		},
+		{
+			template:      "not ok ${UNSET_VAR?}",
+			expectedError: "required variable UNSET_VAR is missing a value",
+		},
+	}
+
+	for _, tc := range testCases {
+		_, err := Substitute(tc.template, defaultMapping)
+		assert.ErrorContains(t, err, tc.expectedError)
+		assert.ErrorType(t, err, reflect.TypeOf(&InvalidTemplateError{}))
+	}
+}
+
+func TestDefaultsForMandatoryVariables(t *testing.T) {
+	testCases := []struct {
+		template string
+		expected string
+	}{
+		{
+			template: "ok ${FOO:?err}",
+			expected: "ok first",
+		},
+		{
+			template: "ok ${FOO?err}",
+			expected: "ok first",
+		},
+		{
+			template: "ok ${BAR?err}",
+			expected: "ok ",
+		},
+	}
+
+	for _, tc := range testCases {
+		result, err := Substitute(tc.template, defaultMapping)
+		assert.NilError(t, err)
+		assert.Check(t, is.Equal(tc.expected, result))
+	}
+}
+
+func TestSubstituteWithCustomFunc(t *testing.T) {
+	errIsMissing := func(substitution string, mapping Mapping) (string, bool, error) {
+		value, found := mapping(substitution)
+		if !found {
+			return "", true, &InvalidTemplateError{
+				Template: fmt.Sprintf("required variable %s is missing a value", substitution),
+			}
+		}
+		return value, true, nil
+	}
+
+	result, err := SubstituteWith("ok ${FOO}", defaultMapping, pattern, errIsMissing)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("ok first", result))
+
+	result, err = SubstituteWith("ok ${BAR}", defaultMapping, pattern, errIsMissing)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("ok ", result))
+
+	_, err = SubstituteWith("ok ${NOTHERE}", defaultMapping, pattern, errIsMissing)
+	assert.Check(t, is.ErrorContains(err, "required variable"))
+}
diff --git a/cli/cli/compose/types/types.go b/cli/cli/compose/types/types.go
new file mode 100644
index 00000000..6c1a0dd7
--- /dev/null
+++ b/cli/cli/compose/types/types.go
@@ -0,0 +1,428 @@
+package types
+
+import (
+	"fmt"
+	"time"
+)
+
+// UnsupportedProperties not yet supported by this implementation of the compose file
+var UnsupportedProperties = []string{
+	"build",
+	"cap_add",
+	"cap_drop",
+	"cgroup_parent",
+	"devices",
+	"domainname",
+	"external_links",
+	"ipc",
+	"links",
+	"mac_address",
+	"network_mode",
+	"pid",
+	"privileged",
+	"restart",
+	"security_opt",
+	"shm_size",
+	"sysctls",
+	"ulimits",
+	"userns_mode",
+}
+
+// DeprecatedProperties that were removed from the v3 format, but their
+// use should not impact the behaviour of the application.
+var DeprecatedProperties = map[string]string{
+	"container_name": "Setting the container name is not supported.",
+	"expose":         "Exposing ports is unnecessary - services on the same network can access each other's containers on any port.",
+}
+
+// ForbiddenProperties that are not supported in this implementation of the
+// compose file.
+var ForbiddenProperties = map[string]string{
+	"extends":       "Support for `extends` is not implemented yet.",
+	"volume_driver": "Instead of setting the volume driver on the service, define a volume using the top-level `volumes` option and specify the driver there.",
+	"volumes_from":  "To share a volume between services, define it using the top-level `volumes` option and reference it from each service that shares it using the service-level `volumes` option.",
+	"cpu_quota":     "Set resource limits using deploy.resources",
+	"cpu_shares":    "Set resource limits using deploy.resources",
+	"cpuset":        "Set resource limits using deploy.resources",
+	"mem_limit":     "Set resource limits using deploy.resources",
+	"memswap_limit": "Set resource limits using deploy.resources",
+}
+
+// ConfigFile is a filename and the contents of the file as a Dict
+type ConfigFile struct {
+	Filename string
+	Config   map[string]interface{}
+}
+
+// ConfigDetails are the details about a group of ConfigFiles
+type ConfigDetails struct {
+	Version     string
+	WorkingDir  string
+	ConfigFiles []ConfigFile
+	Environment map[string]string
+}
+
+// LookupEnv provides a lookup function for environment variables
+func (cd ConfigDetails) LookupEnv(key string) (string, bool) {
+	v, ok := cd.Environment[key]
+	return v, ok
+}
+
+// Config is a full compose file configuration
+type Config struct {
+	Filename string `yaml:"-"`
+	Version  string
+	Services Services
+	Networks map[string]NetworkConfig
+	Volumes  map[string]VolumeConfig
+	Secrets  map[string]SecretConfig
+	Configs  map[string]ConfigObjConfig
+	Extras   map[string]interface{} `yaml:",inline"`
+}
+
+// Services is a list of ServiceConfig
+type Services []ServiceConfig
+
+// MarshalYAML makes Services implement yaml.Marshaller
+func (s Services) MarshalYAML() (interface{}, error) {
+	services := map[string]ServiceConfig{}
+	for _, service := range s {
+		services[service.Name] = service
+	}
+	return services, nil
+}
+
+// ServiceConfig is the configuration of one service
+type ServiceConfig struct {
+	Name string `yaml:"-"`
+
+	Build           BuildConfig                      `yaml:",omitempty"`
+	CapAdd          []string                         `mapstructure:"cap_add" yaml:"cap_add,omitempty"`
+	CapDrop         []string                         `mapstructure:"cap_drop" yaml:"cap_drop,omitempty"`
+	CgroupParent    string                           `mapstructure:"cgroup_parent" yaml:"cgroup_parent,omitempty"`
+	Command         ShellCommand                     `yaml:",omitempty"`
+	Configs         []ServiceConfigObjConfig         `yaml:",omitempty"`
+	ContainerName   string                           `mapstructure:"container_name" yaml:"container_name,omitempty"`
+	CredentialSpec  CredentialSpecConfig             `mapstructure:"credential_spec" yaml:"credential_spec,omitempty"`
+	DependsOn       []string                         `mapstructure:"depends_on" yaml:"depends_on,omitempty"`
+	Deploy          DeployConfig                     `yaml:",omitempty"`
+	Devices         []string                         `yaml:",omitempty"`
+	DNS             StringList                       `yaml:",omitempty"`
+	DNSSearch       StringList                       `mapstructure:"dns_search" yaml:"dns_search,omitempty"`
+	DomainName      string                           `mapstructure:"domainname" yaml:"domainname,omitempty"`
+	Entrypoint      ShellCommand                     `yaml:",omitempty"`
+	Environment     MappingWithEquals                `yaml:",omitempty"`
+	EnvFile         StringList                       `mapstructure:"env_file" yaml:"env_file,omitempty"`
+	Expose          StringOrNumberList               `yaml:",omitempty"`
+	ExternalLinks   []string                         `mapstructure:"external_links" yaml:"external_links,omitempty"`
+	ExtraHosts      HostsList                        `mapstructure:"extra_hosts" yaml:"extra_hosts,omitempty"`
+	Hostname        string                           `yaml:",omitempty"`
+	HealthCheck     *HealthCheckConfig               `yaml:",omitempty"`
+	Image           string                           `yaml:",omitempty"`
+	Init            *bool                            `yaml:",omitempty"`
+	Ipc             string                           `yaml:",omitempty"`
+	Isolation       string                           `mapstructure:"isolation" yaml:"isolation,omitempty"`
+	Labels          Labels                           `yaml:",omitempty"`
+	Links           []string                         `yaml:",omitempty"`
+	Logging         *LoggingConfig                   `yaml:",omitempty"`
+	MacAddress      string                           `mapstructure:"mac_address" yaml:"mac_address,omitempty"`
+	NetworkMode     string                           `mapstructure:"network_mode" yaml:"network_mode,omitempty"`
+	Networks        map[string]*ServiceNetworkConfig `yaml:",omitempty"`
+	Pid             string                           `yaml:",omitempty"`
+	Ports           []ServicePortConfig              `yaml:",omitempty"`
+	Privileged      bool                             `yaml:",omitempty"`
+	ReadOnly        bool                             `mapstructure:"read_only" yaml:"read_only,omitempty"`
+	Restart         string                           `yaml:",omitempty"`
+	Secrets         []ServiceSecretConfig            `yaml:",omitempty"`
+	SecurityOpt     []string                         `mapstructure:"security_opt" yaml:"security_opt,omitempty"`
+	StdinOpen       bool                             `mapstructure:"stdin_open" yaml:"stdin_open,omitempty"`
+	StopGracePeriod *time.Duration                   `mapstructure:"stop_grace_period" yaml:"stop_grace_period,omitempty"`
+	StopSignal      string                           `mapstructure:"stop_signal" yaml:"stop_signal,omitempty"`
+	Tmpfs           StringList                       `yaml:",omitempty"`
+	Tty             bool                             `mapstructure:"tty" yaml:"tty,omitempty"`
+	Ulimits         map[string]*UlimitsConfig        `yaml:",omitempty"`
+	User            string                           `yaml:",omitempty"`
+	Volumes         []ServiceVolumeConfig            `yaml:",omitempty"`
+	WorkingDir      string                           `mapstructure:"working_dir" yaml:"working_dir,omitempty"`
+
+	Extras map[string]interface{} `yaml:",inline"`
+}
+
+// BuildConfig is a type for build
+// using the same format at libcompose: https://github.com/docker/libcompose/blob/master/yaml/build.go#L12
+type BuildConfig struct {
+	Context    string            `yaml:",omitempty"`
+	Dockerfile string            `yaml:",omitempty"`
+	Args       MappingWithEquals `yaml:",omitempty"`
+	Labels     Labels            `yaml:",omitempty"`
+	CacheFrom  StringList        `mapstructure:"cache_from" yaml:"cache_from,omitempty"`
+	Network    string            `yaml:",omitempty"`
+	Target     string            `yaml:",omitempty"`
+}
+
+// ShellCommand is a string or list of string args
+type ShellCommand []string
+
+// StringList is a type for fields that can be a string or list of strings
+type StringList []string
+
+// StringOrNumberList is a type for fields that can be a list of strings or
+// numbers
+type StringOrNumberList []string
+
+// MappingWithEquals is a mapping type that can be converted from a list of
+// key[=value] strings.
+// For the key with an empty value (`key=`), the mapped value is set to a pointer to `""`.
+// For the key without value (`key`), the mapped value is set to nil.
+type MappingWithEquals map[string]*string
+
+// Labels is a mapping type for labels
+type Labels map[string]string
+
+// MappingWithColon is a mapping type that can be converted from a list of
+// 'key: value' strings
+type MappingWithColon map[string]string
+
+// HostsList is a list of colon-separated host-ip mappings
+type HostsList []string
+
+// LoggingConfig the logging configuration for a service
+type LoggingConfig struct {
+	Driver  string            `yaml:",omitempty"`
+	Options map[string]string `yaml:",omitempty"`
+}
+
+// DeployConfig the deployment configuration for a service
+type DeployConfig struct {
+	Mode           string         `yaml:",omitempty"`
+	Replicas       *uint64        `yaml:",omitempty"`
+	Labels         Labels         `yaml:",omitempty"`
+	UpdateConfig   *UpdateConfig  `mapstructure:"update_config" yaml:"update_config,omitempty"`
+	RollbackConfig *UpdateConfig  `mapstructure:"rollback_config" yaml:"rollback_config,omitempty"`
+	Resources      Resources      `yaml:",omitempty"`
+	RestartPolicy  *RestartPolicy `mapstructure:"restart_policy" yaml:"restart_policy,omitempty"`
+	Placement      Placement      `yaml:",omitempty"`
+	EndpointMode   string         `mapstructure:"endpoint_mode" yaml:"endpoint_mode,omitempty"`
+}
+
+// HealthCheckConfig the healthcheck configuration for a service
+type HealthCheckConfig struct {
+	Test        HealthCheckTest `yaml:",omitempty"`
+	Timeout     *time.Duration  `yaml:",omitempty"`
+	Interval    *time.Duration  `yaml:",omitempty"`
+	Retries     *uint64         `yaml:",omitempty"`
+	StartPeriod *time.Duration  `mapstructure:"start_period" yaml:"start_period,omitempty"`
+	Disable     bool            `yaml:",omitempty"`
+}
+
+// HealthCheckTest is the command run to test the health of a service
+type HealthCheckTest []string
+
+// UpdateConfig the service update configuration
+type UpdateConfig struct {
+	Parallelism     *uint64       `yaml:",omitempty"`
+	Delay           time.Duration `yaml:",omitempty"`
+	FailureAction   string        `mapstructure:"failure_action" yaml:"failure_action,omitempty"`
+	Monitor         time.Duration `yaml:",omitempty"`
+	MaxFailureRatio float32       `mapstructure:"max_failure_ratio" yaml:"max_failure_ratio,omitempty"`
+	Order           string        `yaml:",omitempty"`
+}
+
+// Resources the resource limits and reservations
+type Resources struct {
+	Limits       *Resource `yaml:",omitempty"`
+	Reservations *Resource `yaml:",omitempty"`
+}
+
+// Resource is a resource to be limited or reserved
+type Resource struct {
+	// TODO: types to convert from units and ratios
+	NanoCPUs         string            `mapstructure:"cpus" yaml:"cpus,omitempty"`
+	MemoryBytes      UnitBytes         `mapstructure:"memory" yaml:"memory,omitempty"`
+	GenericResources []GenericResource `mapstructure:"generic_resources" yaml:"generic_resources,omitempty"`
+}
+
+// GenericResource represents a "user defined" resource which can
+// only be an integer (e.g: SSD=3) for a service
+type GenericResource struct {
+	DiscreteResourceSpec *DiscreteGenericResource `mapstructure:"discrete_resource_spec" yaml:"discrete_resource_spec,omitempty"`
+}
+
+// DiscreteGenericResource represents a "user defined" resource which is defined
+// as an integer
+// "Kind" is used to describe the Kind of a resource (e.g: "GPU", "FPGA", "SSD", ...)
+// Value is used to count the resource (SSD=5, HDD=3, ...)
+type DiscreteGenericResource struct {
+	Kind  string
+	Value int64
+}
+
+// UnitBytes is the bytes type
+type UnitBytes int64
+
+// MarshalYAML makes UnitBytes implement yaml.Marshaller
+func (u UnitBytes) MarshalYAML() (interface{}, error) {
+	return fmt.Sprintf("%d", u), nil
+}
+
+// RestartPolicy the service restart policy
+type RestartPolicy struct {
+	Condition   string         `yaml:",omitempty"`
+	Delay       *time.Duration `yaml:",omitempty"`
+	MaxAttempts *uint64        `mapstructure:"max_attempts" yaml:"max_attempts,omitempty"`
+	Window      *time.Duration `yaml:",omitempty"`
+}
+
+// Placement constraints for the service
+type Placement struct {
+	Constraints []string               `yaml:",omitempty"`
+	Preferences []PlacementPreferences `yaml:",omitempty"`
+}
+
+// PlacementPreferences is the preferences for a service placement
+type PlacementPreferences struct {
+	Spread string `yaml:",omitempty"`
+}
+
+// ServiceNetworkConfig is the network configuration for a service
+type ServiceNetworkConfig struct {
+	Aliases     []string `yaml:",omitempty"`
+	Ipv4Address string   `mapstructure:"ipv4_address" yaml:"ipv4_address,omitempty"`
+	Ipv6Address string   `mapstructure:"ipv6_address" yaml:"ipv6_address,omitempty"`
+}
+
+// ServicePortConfig is the port configuration for a service
+type ServicePortConfig struct {
+	Mode      string `yaml:",omitempty"`
+	Target    uint32 `yaml:",omitempty"`
+	Published uint32 `yaml:",omitempty"`
+	Protocol  string `yaml:",omitempty"`
+}
+
+// ServiceVolumeConfig are references to a volume used by a service
+type ServiceVolumeConfig struct {
+	Type        string               `yaml:",omitempty"`
+	Source      string               `yaml:",omitempty"`
+	Target      string               `yaml:",omitempty"`
+	ReadOnly    bool                 `mapstructure:"read_only" yaml:"read_only,omitempty"`
+	Consistency string               `yaml:",omitempty"`
+	Bind        *ServiceVolumeBind   `yaml:",omitempty"`
+	Volume      *ServiceVolumeVolume `yaml:",omitempty"`
+	Tmpfs       *ServiceVolumeTmpfs  `yaml:",omitempty"`
+}
+
+// ServiceVolumeBind are options for a service volume of type bind
+type ServiceVolumeBind struct {
+	Propagation string `yaml:",omitempty"`
+}
+
+// ServiceVolumeVolume are options for a service volume of type volume
+type ServiceVolumeVolume struct {
+	NoCopy bool `mapstructure:"nocopy" yaml:"nocopy,omitempty"`
+}
+
+// ServiceVolumeTmpfs are options for a service volume of type tmpfs
+type ServiceVolumeTmpfs struct {
+	Size int64 `yaml:",omitempty"`
+}
+
+// FileReferenceConfig for a reference to a swarm file object
+type FileReferenceConfig struct {
+	Source string  `yaml:",omitempty"`
+	Target string  `yaml:",omitempty"`
+	UID    string  `yaml:",omitempty"`
+	GID    string  `yaml:",omitempty"`
+	Mode   *uint32 `yaml:",omitempty"`
+}
+
+// ServiceConfigObjConfig is the config obj configuration for a service
+type ServiceConfigObjConfig FileReferenceConfig
+
+// ServiceSecretConfig is the secret configuration for a service
+type ServiceSecretConfig FileReferenceConfig
+
+// UlimitsConfig the ulimit configuration
+type UlimitsConfig struct {
+	Single int `yaml:",omitempty"`
+	Soft   int `yaml:",omitempty"`
+	Hard   int `yaml:",omitempty"`
+}
+
+// MarshalYAML makes UlimitsConfig implement yaml.Marshaller
+func (u *UlimitsConfig) MarshalYAML() (interface{}, error) {
+	if u.Single != 0 {
+		return u.Single, nil
+	}
+	return u, nil
+}
+
+// NetworkConfig for a network
+type NetworkConfig struct {
+	Name       string                 `yaml:",omitempty"`
+	Driver     string                 `yaml:",omitempty"`
+	DriverOpts map[string]string      `mapstructure:"driver_opts" yaml:"driver_opts,omitempty"`
+	Ipam       IPAMConfig             `yaml:",omitempty"`
+	External   External               `yaml:",omitempty"`
+	Internal   bool                   `yaml:",omitempty"`
+	Attachable bool                   `yaml:",omitempty"`
+	Labels     Labels                 `yaml:",omitempty"`
+	Extras     map[string]interface{} `yaml:",inline"`
+}
+
+// IPAMConfig for a network
+type IPAMConfig struct {
+	Driver string      `yaml:",omitempty"`
+	Config []*IPAMPool `yaml:",omitempty"`
+}
+
+// IPAMPool for a network
+type IPAMPool struct {
+	Subnet string `yaml:",omitempty"`
+}
+
+// VolumeConfig for a volume
+type VolumeConfig struct {
+	Name       string                 `yaml:",omitempty"`
+	Driver     string                 `yaml:",omitempty"`
+	DriverOpts map[string]string      `mapstructure:"driver_opts" yaml:"driver_opts,omitempty"`
+	External   External               `yaml:",omitempty"`
+	Labels     Labels                 `yaml:",omitempty"`
+	Extras     map[string]interface{} `yaml:",inline"`
+}
+
+// External identifies a Volume or Network as a reference to a resource that is
+// not managed, and should already exist.
+// External.name is deprecated and replaced by Volume.name
+type External struct {
+	Name     string `yaml:",omitempty"`
+	External bool   `yaml:",omitempty"`
+}
+
+// MarshalYAML makes External implement yaml.Marshaller
+func (e External) MarshalYAML() (interface{}, error) {
+	if e.Name == "" {
+		return e.External, nil
+	}
+	return External{Name: e.Name}, nil
+}
+
+// CredentialSpecConfig for credential spec on Windows
+type CredentialSpecConfig struct {
+	File     string `yaml:",omitempty"`
+	Registry string `yaml:",omitempty"`
+}
+
+// FileObjectConfig is a config type for a file used by a service
+type FileObjectConfig struct {
+	Name     string                 `yaml:",omitempty"`
+	File     string                 `yaml:",omitempty"`
+	External External               `yaml:",omitempty"`
+	Labels   Labels                 `yaml:",omitempty"`
+	Extras   map[string]interface{} `yaml:",inline"`
+}
+
+// SecretConfig for a secret
+type SecretConfig FileObjectConfig
+
+// ConfigObjConfig is the config for the swarm "Config" object
+type ConfigObjConfig FileObjectConfig
diff --git a/cli/cli/config/config.go b/cli/cli/config/config.go
new file mode 100644
index 00000000..9161921a
--- /dev/null
+++ b/cli/cli/config/config.go
@@ -0,0 +1,120 @@
+package config
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/pkg/errors"
+)
+
+const (
+	// ConfigFileName is the name of config file
+	ConfigFileName = "config.json"
+	configFileDir  = ".docker"
+	oldConfigfile  = ".dockercfg"
+)
+
+var (
+	configDir = os.Getenv("DOCKER_CONFIG")
+)
+
+func init() {
+	if configDir == "" {
+		configDir = filepath.Join(homedir.Get(), configFileDir)
+	}
+}
+
+// Dir returns the directory the configuration file is stored in
+func Dir() string {
+	return configDir
+}
+
+// SetDir sets the directory the configuration file is stored in
+func SetDir(dir string) {
+	configDir = dir
+}
+
+// LegacyLoadFromReader is a convenience function that creates a ConfigFile object from
+// a non-nested reader
+func LegacyLoadFromReader(configData io.Reader) (*configfile.ConfigFile, error) {
+	configFile := configfile.ConfigFile{
+		AuthConfigs: make(map[string]types.AuthConfig),
+	}
+	err := configFile.LegacyLoadFromReader(configData)
+	return &configFile, err
+}
+
+// LoadFromReader is a convenience function that creates a ConfigFile object from
+// a reader
+func LoadFromReader(configData io.Reader) (*configfile.ConfigFile, error) {
+	configFile := configfile.ConfigFile{
+		AuthConfigs: make(map[string]types.AuthConfig),
+	}
+	err := configFile.LoadFromReader(configData)
+	return &configFile, err
+}
+
+// Load reads the configuration files in the given directory, and sets up
+// the auth config information and returns values.
+// FIXME: use the internal golang config parser
+func Load(configDir string) (*configfile.ConfigFile, error) {
+	if configDir == "" {
+		configDir = Dir()
+	}
+
+	filename := filepath.Join(configDir, ConfigFileName)
+	configFile := configfile.New(filename)
+
+	// Try happy path first - latest config file
+	if _, err := os.Stat(filename); err == nil {
+		file, err := os.Open(filename)
+		if err != nil {
+			return configFile, errors.Wrap(err, filename)
+		}
+		defer file.Close()
+		err = configFile.LoadFromReader(file)
+		if err != nil {
+			err = errors.Wrap(err, filename)
+		}
+		return configFile, err
+	} else if !os.IsNotExist(err) {
+		// if file is there but we can't stat it for any reason other
+		// than it doesn't exist then stop
+		return configFile, errors.Wrap(err, filename)
+	}
+
+	// Can't find latest config file so check for the old one
+	confFile := filepath.Join(homedir.Get(), oldConfigfile)
+	if _, err := os.Stat(confFile); err != nil {
+		return configFile, nil //missing file is not an error
+	}
+	file, err := os.Open(confFile)
+	if err != nil {
+		return configFile, errors.Wrap(err, filename)
+	}
+	defer file.Close()
+	err = configFile.LegacyLoadFromReader(file)
+	if err != nil {
+		return configFile, errors.Wrap(err, filename)
+	}
+	return configFile, nil
+}
+
+// LoadDefaultConfigFile attempts to load the default config file and returns
+// an initialized ConfigFile struct if none is found.
+func LoadDefaultConfigFile(stderr io.Writer) *configfile.ConfigFile {
+	configFile, err := Load(Dir())
+	if err != nil {
+		fmt.Fprintf(stderr, "WARNING: Error loading config file: %v\n", err)
+	}
+	if !configFile.ContainsAuth() {
+		configFile.CredentialsStore = credentials.DetectDefaultStore(configFile.CredentialsStore)
+	}
+	return configFile
+}
diff --git a/cli/cli/config/config_test.go b/cli/cli/config/config_test.go
new file mode 100644
index 00000000..11c8dd6d
--- /dev/null
+++ b/cli/cli/config/config_test.go
@@ -0,0 +1,550 @@
+package config
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func setupConfigDir(t *testing.T) (string, func()) {
+	tmpdir, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	oldDir := Dir()
+	SetDir(tmpdir)
+
+	return tmpdir, func() {
+		SetDir(oldDir)
+		os.RemoveAll(tmpdir)
+	}
+}
+
+func TestEmptyConfigDir(t *testing.T) {
+	tmpHome, cleanup := setupConfigDir(t)
+	defer cleanup()
+
+	config, err := Load("")
+	assert.NilError(t, err)
+
+	expectedConfigFilename := filepath.Join(tmpHome, ConfigFileName)
+	assert.Check(t, is.Equal(expectedConfigFilename, config.Filename))
+
+	// Now save it and make sure it shows up in new form
+	saveConfigAndValidateNewFormat(t, config, tmpHome)
+}
+
+func TestMissingFile(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	config, err := Load(tmpHome)
+	assert.NilError(t, err)
+
+	// Now save it and make sure it shows up in new form
+	saveConfigAndValidateNewFormat(t, config, tmpHome)
+}
+
+func TestSaveFileToDirs(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	tmpHome += "/.docker"
+
+	config, err := Load(tmpHome)
+	assert.NilError(t, err)
+
+	// Now save it and make sure it shows up in new form
+	saveConfigAndValidateNewFormat(t, config, tmpHome)
+}
+
+func TestEmptyFile(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	fn := filepath.Join(tmpHome, ConfigFileName)
+	err = ioutil.WriteFile(fn, []byte(""), 0600)
+	assert.NilError(t, err)
+
+	_, err = Load(tmpHome)
+	assert.Equal(t, errors.Cause(err), io.EOF)
+	assert.ErrorContains(t, err, ConfigFileName)
+}
+
+func TestEmptyJSON(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	fn := filepath.Join(tmpHome, ConfigFileName)
+	err = ioutil.WriteFile(fn, []byte("{}"), 0600)
+	assert.NilError(t, err)
+
+	config, err := Load(tmpHome)
+	assert.NilError(t, err)
+
+	// Now save it and make sure it shows up in new form
+	saveConfigAndValidateNewFormat(t, config, tmpHome)
+}
+
+func TestOldInvalidsAuth(t *testing.T) {
+	invalids := map[string]string{
+		`username = test`: "The Auth config file is empty",
+		`username
+password`: "Invalid Auth config file",
+		`username = test
+email`: "Invalid auth configuration file",
+	}
+
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	homeKey := homedir.Key()
+	homeVal := homedir.Get()
+
+	defer func() { os.Setenv(homeKey, homeVal) }()
+	os.Setenv(homeKey, tmpHome)
+
+	for content, expectedError := range invalids {
+		fn := filepath.Join(tmpHome, oldConfigfile)
+		err := ioutil.WriteFile(fn, []byte(content), 0600)
+		assert.NilError(t, err)
+
+		_, err = Load(tmpHome)
+		assert.ErrorContains(t, err, expectedError)
+	}
+}
+
+func TestOldValidAuth(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	homeKey := homedir.Key()
+	homeVal := homedir.Get()
+
+	defer func() { os.Setenv(homeKey, homeVal) }()
+	os.Setenv(homeKey, tmpHome)
+
+	fn := filepath.Join(tmpHome, oldConfigfile)
+	js := `username = am9lam9lOmhlbGxv
+	email = user@example.com`
+	err = ioutil.WriteFile(fn, []byte(js), 0600)
+	assert.NilError(t, err)
+
+	config, err := Load(tmpHome)
+	assert.NilError(t, err)
+
+	// defaultIndexserver is https://index.docker.io/v1/
+	ac := config.AuthConfigs["https://index.docker.io/v1/"]
+	if ac.Username != "joejoe" || ac.Password != "hello" {
+		t.Fatalf("Missing data from parsing:\n%q", config)
+	}
+
+	// Now save it and make sure it shows up in new form
+	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
+
+	expConfStr := `{
+	"auths": {
+		"https://index.docker.io/v1/": {
+			"auth": "am9lam9lOmhlbGxv"
+		}
+	}
+}`
+
+	assert.Check(t, is.Equal(expConfStr, configStr))
+}
+
+func TestOldJSONInvalid(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	homeKey := homedir.Key()
+	homeVal := homedir.Get()
+
+	defer func() { os.Setenv(homeKey, homeVal) }()
+	os.Setenv(homeKey, tmpHome)
+
+	fn := filepath.Join(tmpHome, oldConfigfile)
+	js := `{"https://index.docker.io/v1/":{"auth":"test","email":"user@example.com"}}`
+	if err := ioutil.WriteFile(fn, []byte(js), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	config, err := Load(tmpHome)
+	// Use Contains instead of == since the file name will change each time
+	if err == nil || !strings.Contains(err.Error(), "Invalid auth configuration file") {
+		t.Fatalf("Expected an error got : %v, %v", config, err)
+	}
+}
+
+func TestOldJSON(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	homeKey := homedir.Key()
+	homeVal := homedir.Get()
+
+	defer func() { os.Setenv(homeKey, homeVal) }()
+	os.Setenv(homeKey, tmpHome)
+
+	fn := filepath.Join(tmpHome, oldConfigfile)
+	js := `{"https://index.docker.io/v1/":{"auth":"am9lam9lOmhlbGxv","email":"user@example.com"}}`
+	if err := ioutil.WriteFile(fn, []byte(js), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	config, err := Load(tmpHome)
+	assert.NilError(t, err)
+
+	ac := config.AuthConfigs["https://index.docker.io/v1/"]
+	if ac.Username != "joejoe" || ac.Password != "hello" {
+		t.Fatalf("Missing data from parsing:\n%q", config)
+	}
+
+	// Now save it and make sure it shows up in new form
+	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
+
+	expConfStr := `{
+	"auths": {
+		"https://index.docker.io/v1/": {
+			"auth": "am9lam9lOmhlbGxv",
+			"email": "user@example.com"
+		}
+	}
+}`
+
+	if configStr != expConfStr {
+		t.Fatalf("Should have save in new form: \n'%s'\n not \n'%s'\n", configStr, expConfStr)
+	}
+}
+
+func TestNewJSON(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	fn := filepath.Join(tmpHome, ConfigFileName)
+	js := ` { "auths": { "https://index.docker.io/v1/": { "auth": "am9lam9lOmhlbGxv" } } }`
+	if err := ioutil.WriteFile(fn, []byte(js), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	config, err := Load(tmpHome)
+	assert.NilError(t, err)
+
+	ac := config.AuthConfigs["https://index.docker.io/v1/"]
+	if ac.Username != "joejoe" || ac.Password != "hello" {
+		t.Fatalf("Missing data from parsing:\n%q", config)
+	}
+
+	// Now save it and make sure it shows up in new form
+	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
+
+	expConfStr := `{
+	"auths": {
+		"https://index.docker.io/v1/": {
+			"auth": "am9lam9lOmhlbGxv"
+		}
+	}
+}`
+
+	if configStr != expConfStr {
+		t.Fatalf("Should have save in new form: \n%s\n not \n%s", configStr, expConfStr)
+	}
+}
+
+func TestNewJSONNoEmail(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	fn := filepath.Join(tmpHome, ConfigFileName)
+	js := ` { "auths": { "https://index.docker.io/v1/": { "auth": "am9lam9lOmhlbGxv" } } }`
+	if err := ioutil.WriteFile(fn, []byte(js), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	config, err := Load(tmpHome)
+	assert.NilError(t, err)
+
+	ac := config.AuthConfigs["https://index.docker.io/v1/"]
+	if ac.Username != "joejoe" || ac.Password != "hello" {
+		t.Fatalf("Missing data from parsing:\n%q", config)
+	}
+
+	// Now save it and make sure it shows up in new form
+	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
+
+	expConfStr := `{
+	"auths": {
+		"https://index.docker.io/v1/": {
+			"auth": "am9lam9lOmhlbGxv"
+		}
+	}
+}`
+
+	if configStr != expConfStr {
+		t.Fatalf("Should have save in new form: \n%s\n not \n%s", configStr, expConfStr)
+	}
+}
+
+func TestJSONWithPsFormat(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	fn := filepath.Join(tmpHome, ConfigFileName)
+	js := `{
+		"auths": { "https://index.docker.io/v1/": { "auth": "am9lam9lOmhlbGxv", "email": "user@example.com" } },
+		"psFormat": "table {{.ID}}\\t{{.Label \"com.docker.label.cpu\"}}"
+}`
+	if err := ioutil.WriteFile(fn, []byte(js), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	config, err := Load(tmpHome)
+	assert.NilError(t, err)
+
+	if config.PsFormat != `table {{.ID}}\t{{.Label "com.docker.label.cpu"}}` {
+		t.Fatalf("Unknown ps format: %s\n", config.PsFormat)
+	}
+
+	// Now save it and make sure it shows up in new form
+	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
+	if !strings.Contains(configStr, `"psFormat":`) ||
+		!strings.Contains(configStr, "{{.ID}}") {
+		t.Fatalf("Should have save in new form: %s", configStr)
+	}
+}
+
+func TestJSONWithCredentialStore(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	fn := filepath.Join(tmpHome, ConfigFileName)
+	js := `{
+		"auths": { "https://index.docker.io/v1/": { "auth": "am9lam9lOmhlbGxv", "email": "user@example.com" } },
+		"credsStore": "crazy-secure-storage"
+}`
+	if err := ioutil.WriteFile(fn, []byte(js), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	config, err := Load(tmpHome)
+	assert.NilError(t, err)
+
+	if config.CredentialsStore != "crazy-secure-storage" {
+		t.Fatalf("Unknown credential store: %s\n", config.CredentialsStore)
+	}
+
+	// Now save it and make sure it shows up in new form
+	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
+	if !strings.Contains(configStr, `"credsStore":`) ||
+		!strings.Contains(configStr, "crazy-secure-storage") {
+		t.Fatalf("Should have save in new form: %s", configStr)
+	}
+}
+
+func TestJSONWithCredentialHelpers(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	fn := filepath.Join(tmpHome, ConfigFileName)
+	js := `{
+		"auths": { "https://index.docker.io/v1/": { "auth": "am9lam9lOmhlbGxv", "email": "user@example.com" } },
+		"credHelpers": { "images.io": "images-io", "containers.com": "crazy-secure-storage" }
+}`
+	if err := ioutil.WriteFile(fn, []byte(js), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	config, err := Load(tmpHome)
+	assert.NilError(t, err)
+
+	if config.CredentialHelpers == nil {
+		t.Fatal("config.CredentialHelpers was nil")
+	} else if config.CredentialHelpers["images.io"] != "images-io" ||
+		config.CredentialHelpers["containers.com"] != "crazy-secure-storage" {
+		t.Fatalf("Credential helpers not deserialized properly: %v\n", config.CredentialHelpers)
+	}
+
+	// Now save it and make sure it shows up in new form
+	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
+	if !strings.Contains(configStr, `"credHelpers":`) ||
+		!strings.Contains(configStr, "images.io") ||
+		!strings.Contains(configStr, "images-io") ||
+		!strings.Contains(configStr, "containers.com") ||
+		!strings.Contains(configStr, "crazy-secure-storage") {
+		t.Fatalf("Should have save in new form: %s", configStr)
+	}
+}
+
+// Save it and make sure it shows up in new form
+func saveConfigAndValidateNewFormat(t *testing.T, config *configfile.ConfigFile, configDir string) string {
+	assert.NilError(t, config.Save())
+
+	buf, err := ioutil.ReadFile(filepath.Join(configDir, ConfigFileName))
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(string(buf), `"auths":`))
+	return string(buf)
+}
+
+func TestConfigDir(t *testing.T) {
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	if Dir() == tmpHome {
+		t.Fatalf("Expected ConfigDir to be different than %s by default, but was the same", tmpHome)
+	}
+
+	// Update configDir
+	SetDir(tmpHome)
+
+	if Dir() != tmpHome {
+		t.Fatalf("Expected ConfigDir to %s, but was %s", tmpHome, Dir())
+	}
+}
+
+func TestJSONReaderNoFile(t *testing.T) {
+	js := ` { "auths": { "https://index.docker.io/v1/": { "auth": "am9lam9lOmhlbGxv", "email": "user@example.com" } } }`
+
+	config, err := LoadFromReader(strings.NewReader(js))
+	assert.NilError(t, err)
+
+	ac := config.AuthConfigs["https://index.docker.io/v1/"]
+	if ac.Username != "joejoe" || ac.Password != "hello" {
+		t.Fatalf("Missing data from parsing:\n%q", config)
+	}
+
+}
+
+func TestOldJSONReaderNoFile(t *testing.T) {
+	js := `{"https://index.docker.io/v1/":{"auth":"am9lam9lOmhlbGxv","email":"user@example.com"}}`
+
+	config, err := LegacyLoadFromReader(strings.NewReader(js))
+	assert.NilError(t, err)
+
+	ac := config.AuthConfigs["https://index.docker.io/v1/"]
+	if ac.Username != "joejoe" || ac.Password != "hello" {
+		t.Fatalf("Missing data from parsing:\n%q", config)
+	}
+}
+
+func TestJSONWithPsFormatNoFile(t *testing.T) {
+	js := `{
+		"auths": { "https://index.docker.io/v1/": { "auth": "am9lam9lOmhlbGxv", "email": "user@example.com" } },
+		"psFormat": "table {{.ID}}\\t{{.Label \"com.docker.label.cpu\"}}"
+}`
+	config, err := LoadFromReader(strings.NewReader(js))
+	assert.NilError(t, err)
+
+	if config.PsFormat != `table {{.ID}}\t{{.Label "com.docker.label.cpu"}}` {
+		t.Fatalf("Unknown ps format: %s\n", config.PsFormat)
+	}
+
+}
+
+func TestJSONSaveWithNoFile(t *testing.T) {
+	js := `{
+		"auths": { "https://index.docker.io/v1/": { "auth": "am9lam9lOmhlbGxv" } },
+		"psFormat": "table {{.ID}}\\t{{.Label \"com.docker.label.cpu\"}}"
+}`
+	config, err := LoadFromReader(strings.NewReader(js))
+	assert.NilError(t, err)
+	err = config.Save()
+	assert.ErrorContains(t, err, "with empty filename")
+
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	fn := filepath.Join(tmpHome, ConfigFileName)
+	f, _ := os.OpenFile(fn, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	defer f.Close()
+
+	assert.NilError(t, config.SaveToWriter(f))
+	buf, err := ioutil.ReadFile(filepath.Join(tmpHome, ConfigFileName))
+	assert.NilError(t, err)
+	expConfStr := `{
+	"auths": {
+		"https://index.docker.io/v1/": {
+			"auth": "am9lam9lOmhlbGxv"
+		}
+	},
+	"psFormat": "table {{.ID}}\\t{{.Label \"com.docker.label.cpu\"}}"
+}`
+	if string(buf) != expConfStr {
+		t.Fatalf("Should have save in new form: \n%s\nnot \n%s", string(buf), expConfStr)
+	}
+}
+
+func TestLegacyJSONSaveWithNoFile(t *testing.T) {
+	js := `{"https://index.docker.io/v1/":{"auth":"am9lam9lOmhlbGxv","email":"user@example.com"}}`
+	config, err := LegacyLoadFromReader(strings.NewReader(js))
+	assert.NilError(t, err)
+	err = config.Save()
+	assert.ErrorContains(t, err, "with empty filename")
+
+	tmpHome, err := ioutil.TempDir("", "config-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpHome)
+
+	fn := filepath.Join(tmpHome, ConfigFileName)
+	f, _ := os.OpenFile(fn, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	defer f.Close()
+
+	assert.NilError(t, config.SaveToWriter(f))
+	buf, err := ioutil.ReadFile(filepath.Join(tmpHome, ConfigFileName))
+	assert.NilError(t, err)
+
+	expConfStr := `{
+	"auths": {
+		"https://index.docker.io/v1/": {
+			"auth": "am9lam9lOmhlbGxv",
+			"email": "user@example.com"
+		}
+	}
+}`
+
+	if string(buf) != expConfStr {
+		t.Fatalf("Should have save in new form: \n%s\n not \n%s", string(buf), expConfStr)
+	}
+}
+
+func TestLoadDefaultConfigFile(t *testing.T) {
+	dir, cleanup := setupConfigDir(t)
+	defer cleanup()
+	buffer := new(bytes.Buffer)
+
+	filename := filepath.Join(dir, ConfigFileName)
+	content := []byte(`{"PsFormat": "format"}`)
+	err := ioutil.WriteFile(filename, content, 0644)
+	assert.NilError(t, err)
+
+	configFile := LoadDefaultConfigFile(buffer)
+	credStore := credentials.DetectDefaultStore("")
+	expected := configfile.New(filename)
+	expected.CredentialsStore = credStore
+	expected.PsFormat = "format"
+
+	assert.Check(t, is.DeepEqual(expected, configFile))
+}
diff --git a/cli/cli/config/configfile/file.go b/cli/cli/config/configfile/file.go
new file mode 100644
index 00000000..37e1533f
--- /dev/null
+++ b/cli/cli/config/configfile/file.go
@@ -0,0 +1,335 @@
+package configfile
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+)
+
+const (
+	// This constant is only used for really old config files when the
+	// URL wasn't saved as part of the config file and it was just
+	// assumed to be this value.
+	defaultIndexServer = "https://index.docker.io/v1/"
+)
+
+// ConfigFile ~/.docker/config.json file info
+type ConfigFile struct {
+	AuthConfigs          map[string]types.AuthConfig `json:"auths"`
+	HTTPHeaders          map[string]string           `json:"HttpHeaders,omitempty"`
+	PsFormat             string                      `json:"psFormat,omitempty"`
+	ImagesFormat         string                      `json:"imagesFormat,omitempty"`
+	NetworksFormat       string                      `json:"networksFormat,omitempty"`
+	PluginsFormat        string                      `json:"pluginsFormat,omitempty"`
+	VolumesFormat        string                      `json:"volumesFormat,omitempty"`
+	StatsFormat          string                      `json:"statsFormat,omitempty"`
+	DetachKeys           string                      `json:"detachKeys,omitempty"`
+	CredentialsStore     string                      `json:"credsStore,omitempty"`
+	CredentialHelpers    map[string]string           `json:"credHelpers,omitempty"`
+	Filename             string                      `json:"-"` // Note: for internal use only
+	ServiceInspectFormat string                      `json:"serviceInspectFormat,omitempty"`
+	ServicesFormat       string                      `json:"servicesFormat,omitempty"`
+	TasksFormat          string                      `json:"tasksFormat,omitempty"`
+	SecretFormat         string                      `json:"secretFormat,omitempty"`
+	ConfigFormat         string                      `json:"configFormat,omitempty"`
+	NodesFormat          string                      `json:"nodesFormat,omitempty"`
+	PruneFilters         []string                    `json:"pruneFilters,omitempty"`
+	Proxies              map[string]ProxyConfig      `json:"proxies,omitempty"`
+	Experimental         string                      `json:"experimental,omitempty"`
+	StackOrchestrator    string                      `json:"stackOrchestrator,omitempty"`
+	Kubernetes           *KubernetesConfig           `json:"kubernetes,omitempty"`
+}
+
+// ProxyConfig contains proxy configuration settings
+type ProxyConfig struct {
+	HTTPProxy  string `json:"httpProxy,omitempty"`
+	HTTPSProxy string `json:"httpsProxy,omitempty"`
+	NoProxy    string `json:"noProxy,omitempty"`
+	FTPProxy   string `json:"ftpProxy,omitempty"`
+}
+
+// KubernetesConfig contains Kubernetes orchestrator settings
+type KubernetesConfig struct {
+	AllNamespaces string `json:"allNamespaces,omitempty"`
+}
+
+// New initializes an empty configuration file for the given filename 'fn'
+func New(fn string) *ConfigFile {
+	return &ConfigFile{
+		AuthConfigs: make(map[string]types.AuthConfig),
+		HTTPHeaders: make(map[string]string),
+		Filename:    fn,
+	}
+}
+
+// LegacyLoadFromReader reads the non-nested configuration data given and sets up the
+// auth config information with given directory and populates the receiver object
+func (configFile *ConfigFile) LegacyLoadFromReader(configData io.Reader) error {
+	b, err := ioutil.ReadAll(configData)
+	if err != nil {
+		return err
+	}
+
+	if err := json.Unmarshal(b, &configFile.AuthConfigs); err != nil {
+		arr := strings.Split(string(b), "\n")
+		if len(arr) < 2 {
+			return errors.Errorf("The Auth config file is empty")
+		}
+		authConfig := types.AuthConfig{}
+		origAuth := strings.Split(arr[0], " = ")
+		if len(origAuth) != 2 {
+			return errors.Errorf("Invalid Auth config file")
+		}
+		authConfig.Username, authConfig.Password, err = decodeAuth(origAuth[1])
+		if err != nil {
+			return err
+		}
+		authConfig.ServerAddress = defaultIndexServer
+		configFile.AuthConfigs[defaultIndexServer] = authConfig
+	} else {
+		for k, authConfig := range configFile.AuthConfigs {
+			authConfig.Username, authConfig.Password, err = decodeAuth(authConfig.Auth)
+			if err != nil {
+				return err
+			}
+			authConfig.Auth = ""
+			authConfig.ServerAddress = k
+			configFile.AuthConfigs[k] = authConfig
+		}
+	}
+	return nil
+}
+
+// LoadFromReader reads the configuration data given and sets up the auth config
+// information with given directory and populates the receiver object
+func (configFile *ConfigFile) LoadFromReader(configData io.Reader) error {
+	if err := json.NewDecoder(configData).Decode(&configFile); err != nil {
+		return err
+	}
+	var err error
+	for addr, ac := range configFile.AuthConfigs {
+		ac.Username, ac.Password, err = decodeAuth(ac.Auth)
+		if err != nil {
+			return err
+		}
+		ac.Auth = ""
+		ac.ServerAddress = addr
+		configFile.AuthConfigs[addr] = ac
+	}
+	return checkKubernetesConfiguration(configFile.Kubernetes)
+}
+
+// ContainsAuth returns whether there is authentication configured
+// in this file or not.
+func (configFile *ConfigFile) ContainsAuth() bool {
+	return configFile.CredentialsStore != "" ||
+		len(configFile.CredentialHelpers) > 0 ||
+		len(configFile.AuthConfigs) > 0
+}
+
+// GetAuthConfigs returns the mapping of repo to auth configuration
+func (configFile *ConfigFile) GetAuthConfigs() map[string]types.AuthConfig {
+	return configFile.AuthConfigs
+}
+
+// SaveToWriter encodes and writes out all the authorization information to
+// the given writer
+func (configFile *ConfigFile) SaveToWriter(writer io.Writer) error {
+	// Encode sensitive data into a new/temp struct
+	tmpAuthConfigs := make(map[string]types.AuthConfig, len(configFile.AuthConfigs))
+	for k, authConfig := range configFile.AuthConfigs {
+		authCopy := authConfig
+		// encode and save the authstring, while blanking out the original fields
+		authCopy.Auth = encodeAuth(&authCopy)
+		authCopy.Username = ""
+		authCopy.Password = ""
+		authCopy.ServerAddress = ""
+		tmpAuthConfigs[k] = authCopy
+	}
+
+	saveAuthConfigs := configFile.AuthConfigs
+	configFile.AuthConfigs = tmpAuthConfigs
+	defer func() { configFile.AuthConfigs = saveAuthConfigs }()
+
+	data, err := json.MarshalIndent(configFile, "", "\t")
+	if err != nil {
+		return err
+	}
+	_, err = writer.Write(data)
+	return err
+}
+
+// Save encodes and writes out all the authorization information
+func (configFile *ConfigFile) Save() error {
+	if configFile.Filename == "" {
+		return errors.Errorf("Can't save config with empty filename")
+	}
+
+	if err := os.MkdirAll(filepath.Dir(configFile.Filename), 0700); err != nil {
+		return err
+	}
+	f, err := os.OpenFile(configFile.Filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	return configFile.SaveToWriter(f)
+}
+
+// ParseProxyConfig computes proxy configuration by retrieving the config for the provided host and
+// then checking this against any environment variables provided to the container
+func (configFile *ConfigFile) ParseProxyConfig(host string, runOpts []string) map[string]*string {
+	var cfgKey string
+
+	if _, ok := configFile.Proxies[host]; !ok {
+		cfgKey = "default"
+	} else {
+		cfgKey = host
+	}
+
+	config := configFile.Proxies[cfgKey]
+	permitted := map[string]*string{
+		"HTTP_PROXY":  &config.HTTPProxy,
+		"HTTPS_PROXY": &config.HTTPSProxy,
+		"NO_PROXY":    &config.NoProxy,
+		"FTP_PROXY":   &config.FTPProxy,
+	}
+	m := opts.ConvertKVStringsToMapWithNil(runOpts)
+	for k := range permitted {
+		if *permitted[k] == "" {
+			continue
+		}
+		if _, ok := m[k]; !ok {
+			m[k] = permitted[k]
+		}
+		if _, ok := m[strings.ToLower(k)]; !ok {
+			m[strings.ToLower(k)] = permitted[k]
+		}
+	}
+	return m
+}
+
+// encodeAuth creates a base64 encoded string to containing authorization information
+func encodeAuth(authConfig *types.AuthConfig) string {
+	if authConfig.Username == "" && authConfig.Password == "" {
+		return ""
+	}
+
+	authStr := authConfig.Username + ":" + authConfig.Password
+	msg := []byte(authStr)
+	encoded := make([]byte, base64.StdEncoding.EncodedLen(len(msg)))
+	base64.StdEncoding.Encode(encoded, msg)
+	return string(encoded)
+}
+
+// decodeAuth decodes a base64 encoded string and returns username and password
+func decodeAuth(authStr string) (string, string, error) {
+	if authStr == "" {
+		return "", "", nil
+	}
+
+	decLen := base64.StdEncoding.DecodedLen(len(authStr))
+	decoded := make([]byte, decLen)
+	authByte := []byte(authStr)
+	n, err := base64.StdEncoding.Decode(decoded, authByte)
+	if err != nil {
+		return "", "", err
+	}
+	if n > decLen {
+		return "", "", errors.Errorf("Something went wrong decoding auth config")
+	}
+	arr := strings.SplitN(string(decoded), ":", 2)
+	if len(arr) != 2 {
+		return "", "", errors.Errorf("Invalid auth configuration file")
+	}
+	password := strings.Trim(arr[1], "\x00")
+	return arr[0], password, nil
+}
+
+// GetCredentialsStore returns a new credentials store from the settings in the
+// configuration file
+func (configFile *ConfigFile) GetCredentialsStore(registryHostname string) credentials.Store {
+	if helper := getConfiguredCredentialStore(configFile, registryHostname); helper != "" {
+		return newNativeStore(configFile, helper)
+	}
+	return credentials.NewFileStore(configFile)
+}
+
+// var for unit testing.
+var newNativeStore = func(configFile *ConfigFile, helperSuffix string) credentials.Store {
+	return credentials.NewNativeStore(configFile, helperSuffix)
+}
+
+// GetAuthConfig for a repository from the credential store
+func (configFile *ConfigFile) GetAuthConfig(registryHostname string) (types.AuthConfig, error) {
+	return configFile.GetCredentialsStore(registryHostname).Get(registryHostname)
+}
+
+// getConfiguredCredentialStore returns the credential helper configured for the
+// given registry, the default credsStore, or the empty string if neither are
+// configured.
+func getConfiguredCredentialStore(c *ConfigFile, registryHostname string) string {
+	if c.CredentialHelpers != nil && registryHostname != "" {
+		if helper, exists := c.CredentialHelpers[registryHostname]; exists {
+			return helper
+		}
+	}
+	return c.CredentialsStore
+}
+
+// GetAllCredentials returns all of the credentials stored in all of the
+// configured credential stores.
+func (configFile *ConfigFile) GetAllCredentials() (map[string]types.AuthConfig, error) {
+	auths := make(map[string]types.AuthConfig)
+	addAll := func(from map[string]types.AuthConfig) {
+		for reg, ac := range from {
+			auths[reg] = ac
+		}
+	}
+
+	defaultStore := configFile.GetCredentialsStore("")
+	newAuths, err := defaultStore.GetAll()
+	if err != nil {
+		return nil, err
+	}
+	addAll(newAuths)
+
+	// Auth configs from a registry-specific helper should override those from the default store.
+	for registryHostname := range configFile.CredentialHelpers {
+		newAuth, err := configFile.GetAuthConfig(registryHostname)
+		if err != nil {
+			return nil, err
+		}
+		auths[registryHostname] = newAuth
+	}
+	return auths, nil
+}
+
+// GetFilename returns the file name that this config file is based on.
+func (configFile *ConfigFile) GetFilename() string {
+	return configFile.Filename
+}
+
+func checkKubernetesConfiguration(kubeConfig *KubernetesConfig) error {
+	if kubeConfig == nil {
+		return nil
+	}
+	switch kubeConfig.AllNamespaces {
+	case "":
+	case "enabled":
+	case "disabled":
+	default:
+		return fmt.Errorf("invalid 'kubernetes.allNamespaces' value, should be 'enabled' or 'disabled': %s", kubeConfig.AllNamespaces)
+	}
+	return nil
+}
diff --git a/cli/cli/config/configfile/file_test.go b/cli/cli/config/configfile/file_test.go
new file mode 100644
index 00000000..f0704cef
--- /dev/null
+++ b/cli/cli/config/configfile/file_test.go
@@ -0,0 +1,415 @@
+package configfile
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestEncodeAuth(t *testing.T) {
+	newAuthConfig := &types.AuthConfig{Username: "ken", Password: "test"}
+	authStr := encodeAuth(newAuthConfig)
+
+	expected := &types.AuthConfig{}
+	var err error
+	expected.Username, expected.Password, err = decodeAuth(authStr)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, newAuthConfig))
+}
+
+func TestProxyConfig(t *testing.T) {
+	httpProxy := "http://proxy.mycorp.com:3128"
+	httpsProxy := "https://user:password@proxy.mycorp.com:3129"
+	ftpProxy := "http://ftpproxy.mycorp.com:21"
+	noProxy := "*.intra.mycorp.com"
+	defaultProxyConfig := ProxyConfig{
+		HTTPProxy:  httpProxy,
+		HTTPSProxy: httpsProxy,
+		FTPProxy:   ftpProxy,
+		NoProxy:    noProxy,
+	}
+
+	cfg := ConfigFile{
+		Proxies: map[string]ProxyConfig{
+			"default": defaultProxyConfig,
+		},
+	}
+
+	proxyConfig := cfg.ParseProxyConfig("/var/run/docker.sock", []string{})
+	expected := map[string]*string{
+		"HTTP_PROXY":  &httpProxy,
+		"http_proxy":  &httpProxy,
+		"HTTPS_PROXY": &httpsProxy,
+		"https_proxy": &httpsProxy,
+		"FTP_PROXY":   &ftpProxy,
+		"ftp_proxy":   &ftpProxy,
+		"NO_PROXY":    &noProxy,
+		"no_proxy":    &noProxy,
+	}
+	assert.Check(t, is.DeepEqual(expected, proxyConfig))
+}
+
+func TestProxyConfigOverride(t *testing.T) {
+	httpProxy := "http://proxy.mycorp.com:3128"
+	overrideHTTPProxy := "http://proxy.example.com:3128"
+	overrideNoProxy := ""
+	httpsProxy := "https://user:password@proxy.mycorp.com:3129"
+	ftpProxy := "http://ftpproxy.mycorp.com:21"
+	noProxy := "*.intra.mycorp.com"
+	defaultProxyConfig := ProxyConfig{
+		HTTPProxy:  httpProxy,
+		HTTPSProxy: httpsProxy,
+		FTPProxy:   ftpProxy,
+		NoProxy:    noProxy,
+	}
+
+	cfg := ConfigFile{
+		Proxies: map[string]ProxyConfig{
+			"default": defaultProxyConfig,
+		},
+	}
+
+	ropts := []string{
+		fmt.Sprintf("HTTP_PROXY=%s", overrideHTTPProxy),
+		"NO_PROXY=",
+	}
+	proxyConfig := cfg.ParseProxyConfig("/var/run/docker.sock", ropts)
+	expected := map[string]*string{
+		"HTTP_PROXY":  &overrideHTTPProxy,
+		"http_proxy":  &httpProxy,
+		"HTTPS_PROXY": &httpsProxy,
+		"https_proxy": &httpsProxy,
+		"FTP_PROXY":   &ftpProxy,
+		"ftp_proxy":   &ftpProxy,
+		"NO_PROXY":    &overrideNoProxy,
+		"no_proxy":    &noProxy,
+	}
+	assert.Check(t, is.DeepEqual(expected, proxyConfig))
+}
+
+func TestProxyConfigPerHost(t *testing.T) {
+	httpProxy := "http://proxy.mycorp.com:3128"
+	httpsProxy := "https://user:password@proxy.mycorp.com:3129"
+	ftpProxy := "http://ftpproxy.mycorp.com:21"
+	noProxy := "*.intra.mycorp.com"
+
+	extHTTPProxy := "http://proxy.example.com:3128"
+	extHTTPSProxy := "https://user:password@proxy.example.com:3129"
+	extFTPProxy := "http://ftpproxy.example.com:21"
+	extNoProxy := "*.intra.example.com"
+
+	defaultProxyConfig := ProxyConfig{
+		HTTPProxy:  httpProxy,
+		HTTPSProxy: httpsProxy,
+		FTPProxy:   ftpProxy,
+		NoProxy:    noProxy,
+	}
+	externalProxyConfig := ProxyConfig{
+		HTTPProxy:  extHTTPProxy,
+		HTTPSProxy: extHTTPSProxy,
+		FTPProxy:   extFTPProxy,
+		NoProxy:    extNoProxy,
+	}
+
+	cfg := ConfigFile{
+		Proxies: map[string]ProxyConfig{
+			"default":                       defaultProxyConfig,
+			"tcp://example.docker.com:2376": externalProxyConfig,
+		},
+	}
+
+	proxyConfig := cfg.ParseProxyConfig("tcp://example.docker.com:2376", []string{})
+	expected := map[string]*string{
+		"HTTP_PROXY":  &extHTTPProxy,
+		"http_proxy":  &extHTTPProxy,
+		"HTTPS_PROXY": &extHTTPSProxy,
+		"https_proxy": &extHTTPSProxy,
+		"FTP_PROXY":   &extFTPProxy,
+		"ftp_proxy":   &extFTPProxy,
+		"NO_PROXY":    &extNoProxy,
+		"no_proxy":    &extNoProxy,
+	}
+	assert.Check(t, is.DeepEqual(expected, proxyConfig))
+}
+
+func TestConfigFile(t *testing.T) {
+	configFilename := "configFilename"
+	configFile := New(configFilename)
+
+	assert.Check(t, is.Equal(configFilename, configFile.Filename))
+}
+
+type mockNativeStore struct {
+	GetAllCallCount int
+	authConfigs     map[string]types.AuthConfig
+}
+
+func (c *mockNativeStore) Erase(registryHostname string) error {
+	delete(c.authConfigs, registryHostname)
+	return nil
+}
+
+func (c *mockNativeStore) Get(registryHostname string) (types.AuthConfig, error) {
+	return c.authConfigs[registryHostname], nil
+}
+
+func (c *mockNativeStore) GetAll() (map[string]types.AuthConfig, error) {
+	c.GetAllCallCount = c.GetAllCallCount + 1
+	return c.authConfigs, nil
+}
+
+func (c *mockNativeStore) Store(authConfig types.AuthConfig) error {
+	return nil
+}
+
+// make sure it satisfies the interface
+var _ credentials.Store = (*mockNativeStore)(nil)
+
+func NewMockNativeStore(authConfigs map[string]types.AuthConfig) credentials.Store {
+	return &mockNativeStore{authConfigs: authConfigs}
+}
+
+func TestGetAllCredentialsFileStoreOnly(t *testing.T) {
+	configFile := New("filename")
+	exampleAuth := types.AuthConfig{
+		Username: "user",
+		Password: "pass",
+	}
+	configFile.AuthConfigs["example.com/foo"] = exampleAuth
+
+	authConfigs, err := configFile.GetAllCredentials()
+	assert.NilError(t, err)
+
+	expected := make(map[string]types.AuthConfig)
+	expected["example.com/foo"] = exampleAuth
+	assert.Check(t, is.DeepEqual(expected, authConfigs))
+}
+
+func TestGetAllCredentialsCredsStore(t *testing.T) {
+	configFile := New("filename")
+	configFile.CredentialsStore = "test_creds_store"
+	testRegistryHostname := "example.com"
+	expectedAuth := types.AuthConfig{
+		Username: "user",
+		Password: "pass",
+	}
+
+	testCredsStore := NewMockNativeStore(map[string]types.AuthConfig{testRegistryHostname: expectedAuth})
+
+	tmpNewNativeStore := newNativeStore
+	defer func() { newNativeStore = tmpNewNativeStore }()
+	newNativeStore = func(configFile *ConfigFile, helperSuffix string) credentials.Store {
+		return testCredsStore
+	}
+
+	authConfigs, err := configFile.GetAllCredentials()
+	assert.NilError(t, err)
+
+	expected := make(map[string]types.AuthConfig)
+	expected[testRegistryHostname] = expectedAuth
+	assert.Check(t, is.DeepEqual(expected, authConfigs))
+	assert.Check(t, is.Equal(1, testCredsStore.(*mockNativeStore).GetAllCallCount))
+}
+
+func TestGetAllCredentialsCredHelper(t *testing.T) {
+	testCredHelperSuffix := "test_cred_helper"
+	testCredHelperRegistryHostname := "credhelper.com"
+	testExtraCredHelperRegistryHostname := "somethingweird.com"
+
+	unexpectedCredHelperAuth := types.AuthConfig{
+		Username: "file_store_user",
+		Password: "file_store_pass",
+	}
+	expectedCredHelperAuth := types.AuthConfig{
+		Username: "cred_helper_user",
+		Password: "cred_helper_pass",
+	}
+
+	configFile := New("filename")
+	configFile.CredentialHelpers = map[string]string{testCredHelperRegistryHostname: testCredHelperSuffix}
+
+	testCredHelper := NewMockNativeStore(map[string]types.AuthConfig{
+		testCredHelperRegistryHostname: expectedCredHelperAuth,
+		// Add in an extra auth entry which doesn't appear in CredentialHelpers section of the configFile.
+		// This verifies that only explicitly configured registries are being requested from the cred helpers.
+		testExtraCredHelperRegistryHostname: unexpectedCredHelperAuth,
+	})
+
+	tmpNewNativeStore := newNativeStore
+	defer func() { newNativeStore = tmpNewNativeStore }()
+	newNativeStore = func(configFile *ConfigFile, helperSuffix string) credentials.Store {
+		return testCredHelper
+	}
+
+	authConfigs, err := configFile.GetAllCredentials()
+	assert.NilError(t, err)
+
+	expected := make(map[string]types.AuthConfig)
+	expected[testCredHelperRegistryHostname] = expectedCredHelperAuth
+	assert.Check(t, is.DeepEqual(expected, authConfigs))
+	assert.Check(t, is.Equal(0, testCredHelper.(*mockNativeStore).GetAllCallCount))
+}
+
+func TestGetAllCredentialsFileStoreAndCredHelper(t *testing.T) {
+	testFileStoreRegistryHostname := "example.com"
+	testCredHelperSuffix := "test_cred_helper"
+	testCredHelperRegistryHostname := "credhelper.com"
+
+	expectedFileStoreAuth := types.AuthConfig{
+		Username: "file_store_user",
+		Password: "file_store_pass",
+	}
+	expectedCredHelperAuth := types.AuthConfig{
+		Username: "cred_helper_user",
+		Password: "cred_helper_pass",
+	}
+
+	configFile := New("filename")
+	configFile.CredentialHelpers = map[string]string{testCredHelperRegistryHostname: testCredHelperSuffix}
+	configFile.AuthConfigs[testFileStoreRegistryHostname] = expectedFileStoreAuth
+
+	testCredHelper := NewMockNativeStore(map[string]types.AuthConfig{testCredHelperRegistryHostname: expectedCredHelperAuth})
+
+	newNativeStore = func(configFile *ConfigFile, helperSuffix string) credentials.Store {
+		return testCredHelper
+	}
+
+	tmpNewNativeStore := newNativeStore
+	defer func() { newNativeStore = tmpNewNativeStore }()
+	authConfigs, err := configFile.GetAllCredentials()
+	assert.NilError(t, err)
+
+	expected := make(map[string]types.AuthConfig)
+	expected[testFileStoreRegistryHostname] = expectedFileStoreAuth
+	expected[testCredHelperRegistryHostname] = expectedCredHelperAuth
+	assert.Check(t, is.DeepEqual(expected, authConfigs))
+	assert.Check(t, is.Equal(0, testCredHelper.(*mockNativeStore).GetAllCallCount))
+}
+
+func TestGetAllCredentialsCredStoreAndCredHelper(t *testing.T) {
+	testCredStoreSuffix := "test_creds_store"
+	testCredStoreRegistryHostname := "credstore.com"
+	testCredHelperSuffix := "test_cred_helper"
+	testCredHelperRegistryHostname := "credhelper.com"
+
+	configFile := New("filename")
+	configFile.CredentialsStore = testCredStoreSuffix
+	configFile.CredentialHelpers = map[string]string{testCredHelperRegistryHostname: testCredHelperSuffix}
+
+	expectedCredStoreAuth := types.AuthConfig{
+		Username: "cred_store_user",
+		Password: "cred_store_pass",
+	}
+	expectedCredHelperAuth := types.AuthConfig{
+		Username: "cred_helper_user",
+		Password: "cred_helper_pass",
+	}
+
+	testCredHelper := NewMockNativeStore(map[string]types.AuthConfig{testCredHelperRegistryHostname: expectedCredHelperAuth})
+	testCredsStore := NewMockNativeStore(map[string]types.AuthConfig{testCredStoreRegistryHostname: expectedCredStoreAuth})
+
+	tmpNewNativeStore := newNativeStore
+	defer func() { newNativeStore = tmpNewNativeStore }()
+	newNativeStore = func(configFile *ConfigFile, helperSuffix string) credentials.Store {
+		if helperSuffix == testCredHelperSuffix {
+			return testCredHelper
+		}
+		return testCredsStore
+	}
+
+	authConfigs, err := configFile.GetAllCredentials()
+	assert.NilError(t, err)
+
+	expected := make(map[string]types.AuthConfig)
+	expected[testCredStoreRegistryHostname] = expectedCredStoreAuth
+	expected[testCredHelperRegistryHostname] = expectedCredHelperAuth
+	assert.Check(t, is.DeepEqual(expected, authConfigs))
+	assert.Check(t, is.Equal(1, testCredsStore.(*mockNativeStore).GetAllCallCount))
+	assert.Check(t, is.Equal(0, testCredHelper.(*mockNativeStore).GetAllCallCount))
+}
+
+func TestGetAllCredentialsCredHelperOverridesDefaultStore(t *testing.T) {
+	testCredStoreSuffix := "test_creds_store"
+	testCredHelperSuffix := "test_cred_helper"
+	testRegistryHostname := "example.com"
+
+	configFile := New("filename")
+	configFile.CredentialsStore = testCredStoreSuffix
+	configFile.CredentialHelpers = map[string]string{testRegistryHostname: testCredHelperSuffix}
+
+	unexpectedCredStoreAuth := types.AuthConfig{
+		Username: "cred_store_user",
+		Password: "cred_store_pass",
+	}
+	expectedCredHelperAuth := types.AuthConfig{
+		Username: "cred_helper_user",
+		Password: "cred_helper_pass",
+	}
+
+	testCredHelper := NewMockNativeStore(map[string]types.AuthConfig{testRegistryHostname: expectedCredHelperAuth})
+	testCredsStore := NewMockNativeStore(map[string]types.AuthConfig{testRegistryHostname: unexpectedCredStoreAuth})
+
+	tmpNewNativeStore := newNativeStore
+	defer func() { newNativeStore = tmpNewNativeStore }()
+	newNativeStore = func(configFile *ConfigFile, helperSuffix string) credentials.Store {
+		if helperSuffix == testCredHelperSuffix {
+			return testCredHelper
+		}
+		return testCredsStore
+	}
+
+	authConfigs, err := configFile.GetAllCredentials()
+	assert.NilError(t, err)
+
+	expected := make(map[string]types.AuthConfig)
+	expected[testRegistryHostname] = expectedCredHelperAuth
+	assert.Check(t, is.DeepEqual(expected, authConfigs))
+	assert.Check(t, is.Equal(1, testCredsStore.(*mockNativeStore).GetAllCallCount))
+	assert.Check(t, is.Equal(0, testCredHelper.(*mockNativeStore).GetAllCallCount))
+}
+
+func TestCheckKubernetesConfigurationRaiseAnErrorOnInvalidValue(t *testing.T) {
+	testCases := []struct {
+		name        string
+		config      *KubernetesConfig
+		expectError bool
+	}{
+		{
+			"no kubernetes config is valid",
+			nil,
+			false,
+		},
+		{
+			"enabled is valid",
+			&KubernetesConfig{AllNamespaces: "enabled"},
+			false,
+		},
+		{
+			"disabled is valid",
+			&KubernetesConfig{AllNamespaces: "disabled"},
+			false,
+		},
+		{
+			"empty string is valid",
+			&KubernetesConfig{AllNamespaces: ""},
+			false,
+		},
+		{
+			"other value is invalid",
+			&KubernetesConfig{AllNamespaces: "unknown"},
+			true,
+		},
+	}
+	for _, test := range testCases {
+		err := checkKubernetesConfiguration(test.config)
+		if test.expectError {
+			assert.Assert(t, err != nil, test.name)
+		} else {
+			assert.NilError(t, err, test.name)
+		}
+	}
+}
diff --git a/cli/cli/config/credentials/credentials.go b/cli/cli/config/credentials/credentials.go
new file mode 100644
index 00000000..ca874cac
--- /dev/null
+++ b/cli/cli/config/credentials/credentials.go
@@ -0,0 +1,17 @@
+package credentials
+
+import (
+	"github.com/docker/docker/api/types"
+)
+
+// Store is the interface that any credentials store must implement.
+type Store interface {
+	// Erase removes credentials from the store for a given server.
+	Erase(serverAddress string) error
+	// Get retrieves credentials from the store for a given server.
+	Get(serverAddress string) (types.AuthConfig, error)
+	// GetAll retrieves all the credentials from the store.
+	GetAll() (map[string]types.AuthConfig, error)
+	// Store saves credentials in the store.
+	Store(authConfig types.AuthConfig) error
+}
diff --git a/cli/cli/config/credentials/default_store.go b/cli/cli/config/credentials/default_store.go
new file mode 100644
index 00000000..7a760f1a
--- /dev/null
+++ b/cli/cli/config/credentials/default_store.go
@@ -0,0 +1,21 @@
+package credentials
+
+import (
+	"os/exec"
+)
+
+// DetectDefaultStore return the default credentials store for the platform if
+// the store executable is available.
+func DetectDefaultStore(store string) string {
+	platformDefault := defaultCredentialsStore()
+
+	// user defined or no default for platform
+	if store != "" || platformDefault == "" {
+		return store
+	}
+
+	if _, err := exec.LookPath(remoteCredentialsPrefix + platformDefault); err == nil {
+		return platformDefault
+	}
+	return ""
+}
diff --git a/cli/cli/config/credentials/default_store_darwin.go b/cli/cli/config/credentials/default_store_darwin.go
new file mode 100644
index 00000000..5d42dec6
--- /dev/null
+++ b/cli/cli/config/credentials/default_store_darwin.go
@@ -0,0 +1,5 @@
+package credentials
+
+func defaultCredentialsStore() string {
+	return "osxkeychain"
+}
diff --git a/cli/cli/config/credentials/default_store_linux.go b/cli/cli/config/credentials/default_store_linux.go
new file mode 100644
index 00000000..a9012c6d
--- /dev/null
+++ b/cli/cli/config/credentials/default_store_linux.go
@@ -0,0 +1,13 @@
+package credentials
+
+import (
+	"os/exec"
+)
+
+func defaultCredentialsStore() string {
+	if _, err := exec.LookPath("pass"); err == nil {
+		return "pass"
+	}
+
+	return "secretservice"
+}
diff --git a/cli/cli/config/credentials/default_store_unsupported.go b/cli/cli/config/credentials/default_store_unsupported.go
new file mode 100644
index 00000000..3028168a
--- /dev/null
+++ b/cli/cli/config/credentials/default_store_unsupported.go
@@ -0,0 +1,7 @@
+// +build !windows,!darwin,!linux
+
+package credentials
+
+func defaultCredentialsStore() string {
+	return ""
+}
diff --git a/cli/cli/config/credentials/default_store_windows.go b/cli/cli/config/credentials/default_store_windows.go
new file mode 100644
index 00000000..bb799ca6
--- /dev/null
+++ b/cli/cli/config/credentials/default_store_windows.go
@@ -0,0 +1,5 @@
+package credentials
+
+func defaultCredentialsStore() string {
+	return "wincred"
+}
diff --git a/cli/cli/config/credentials/file_store.go b/cli/cli/config/credentials/file_store.go
new file mode 100644
index 00000000..6ae68175
--- /dev/null
+++ b/cli/cli/config/credentials/file_store.go
@@ -0,0 +1,64 @@
+package credentials
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/registry"
+)
+
+type store interface {
+	Save() error
+	GetAuthConfigs() map[string]types.AuthConfig
+	GetFilename() string
+}
+
+// fileStore implements a credentials store using
+// the docker configuration file to keep the credentials in plain text.
+type fileStore struct {
+	file store
+}
+
+// NewFileStore creates a new file credentials store.
+func NewFileStore(file store) Store {
+	return &fileStore{file: file}
+}
+
+// Erase removes the given credentials from the file store.
+func (c *fileStore) Erase(serverAddress string) error {
+	delete(c.file.GetAuthConfigs(), serverAddress)
+	return c.file.Save()
+}
+
+// Get retrieves credentials for a specific server from the file store.
+func (c *fileStore) Get(serverAddress string) (types.AuthConfig, error) {
+	authConfig, ok := c.file.GetAuthConfigs()[serverAddress]
+	if !ok {
+		// Maybe they have a legacy config file, we will iterate the keys converting
+		// them to the new format and testing
+		for r, ac := range c.file.GetAuthConfigs() {
+			if serverAddress == registry.ConvertToHostname(r) {
+				return ac, nil
+			}
+		}
+
+		authConfig = types.AuthConfig{}
+	}
+	return authConfig, nil
+}
+
+func (c *fileStore) GetAll() (map[string]types.AuthConfig, error) {
+	return c.file.GetAuthConfigs(), nil
+}
+
+// Store saves the given credentials in the file store.
+func (c *fileStore) Store(authConfig types.AuthConfig) error {
+	c.file.GetAuthConfigs()[authConfig.ServerAddress] = authConfig
+	return c.file.Save()
+}
+
+func (c *fileStore) GetFilename() string {
+	return c.file.GetFilename()
+}
+
+func (c *fileStore) IsFileStore() bool {
+	return true
+}
diff --git a/cli/cli/config/credentials/file_store_test.go b/cli/cli/config/credentials/file_store_test.go
new file mode 100644
index 00000000..eb27d377
--- /dev/null
+++ b/cli/cli/config/credentials/file_store_test.go
@@ -0,0 +1,136 @@
+package credentials
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+type fakeStore struct {
+	configs map[string]types.AuthConfig
+}
+
+func (f *fakeStore) Save() error {
+	return nil
+}
+
+func (f *fakeStore) GetAuthConfigs() map[string]types.AuthConfig {
+	return f.configs
+}
+
+func (f *fakeStore) GetFilename() string {
+	return "/tmp/docker-fakestore"
+}
+
+func newStore(auths map[string]types.AuthConfig) store {
+	return &fakeStore{configs: auths}
+}
+
+func TestFileStoreAddCredentials(t *testing.T) {
+	f := newStore(make(map[string]types.AuthConfig))
+
+	s := NewFileStore(f)
+	auth := types.AuthConfig{
+		Auth:          "super_secret_token",
+		Email:         "foo@example.com",
+		ServerAddress: "https://example.com",
+	}
+	err := s.Store(auth)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(f.GetAuthConfigs(), 1))
+
+	actual, ok := f.GetAuthConfigs()["https://example.com"]
+	assert.Check(t, ok)
+	assert.Check(t, is.DeepEqual(auth, actual))
+}
+
+func TestFileStoreGet(t *testing.T) {
+	f := newStore(map[string]types.AuthConfig{
+		"https://example.com": {
+			Auth:          "super_secret_token",
+			Email:         "foo@example.com",
+			ServerAddress: "https://example.com",
+		},
+	})
+
+	s := NewFileStore(f)
+	a, err := s.Get("https://example.com")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if a.Auth != "super_secret_token" {
+		t.Fatalf("expected auth `super_secret_token`, got %s", a.Auth)
+	}
+	if a.Email != "foo@example.com" {
+		t.Fatalf("expected email `foo@example.com`, got %s", a.Email)
+	}
+}
+
+func TestFileStoreGetAll(t *testing.T) {
+	s1 := "https://example.com"
+	s2 := "https://example2.com"
+	f := newStore(map[string]types.AuthConfig{
+		s1: {
+			Auth:          "super_secret_token",
+			Email:         "foo@example.com",
+			ServerAddress: "https://example.com",
+		},
+		s2: {
+			Auth:          "super_secret_token2",
+			Email:         "foo@example2.com",
+			ServerAddress: "https://example2.com",
+		},
+	})
+
+	s := NewFileStore(f)
+	as, err := s.GetAll()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(as) != 2 {
+		t.Fatalf("wanted 2, got %d", len(as))
+	}
+	if as[s1].Auth != "super_secret_token" {
+		t.Fatalf("expected auth `super_secret_token`, got %s", as[s1].Auth)
+	}
+	if as[s1].Email != "foo@example.com" {
+		t.Fatalf("expected email `foo@example.com`, got %s", as[s1].Email)
+	}
+	if as[s2].Auth != "super_secret_token2" {
+		t.Fatalf("expected auth `super_secret_token2`, got %s", as[s2].Auth)
+	}
+	if as[s2].Email != "foo@example2.com" {
+		t.Fatalf("expected email `foo@example2.com`, got %s", as[s2].Email)
+	}
+}
+
+func TestFileStoreErase(t *testing.T) {
+	f := newStore(map[string]types.AuthConfig{
+		"https://example.com": {
+			Auth:          "super_secret_token",
+			Email:         "foo@example.com",
+			ServerAddress: "https://example.com",
+		},
+	})
+
+	s := NewFileStore(f)
+	err := s.Erase("https://example.com")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// file store never returns errors, check that the auth config is empty
+	a, err := s.Get("https://example.com")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if a.Auth != "" {
+		t.Fatalf("expected empty auth token, got %s", a.Auth)
+	}
+	if a.Email != "" {
+		t.Fatalf("expected empty email, got %s", a.Email)
+	}
+}
diff --git a/cli/cli/config/credentials/native_store.go b/cli/cli/config/credentials/native_store.go
new file mode 100644
index 00000000..ef3aab4a
--- /dev/null
+++ b/cli/cli/config/credentials/native_store.go
@@ -0,0 +1,143 @@
+package credentials
+
+import (
+	"github.com/docker/docker-credential-helpers/client"
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker/api/types"
+)
+
+const (
+	remoteCredentialsPrefix = "docker-credential-"
+	tokenUsername           = "<token>"
+)
+
+// nativeStore implements a credentials store
+// using native keychain to keep credentials secure.
+// It piggybacks into a file store to keep users' emails.
+type nativeStore struct {
+	programFunc client.ProgramFunc
+	fileStore   Store
+}
+
+// NewNativeStore creates a new native store that
+// uses a remote helper program to manage credentials.
+func NewNativeStore(file store, helperSuffix string) Store {
+	name := remoteCredentialsPrefix + helperSuffix
+	return &nativeStore{
+		programFunc: client.NewShellProgramFunc(name),
+		fileStore:   NewFileStore(file),
+	}
+}
+
+// Erase removes the given credentials from the native store.
+func (c *nativeStore) Erase(serverAddress string) error {
+	if err := client.Erase(c.programFunc, serverAddress); err != nil {
+		return err
+	}
+
+	// Fallback to plain text store to remove email
+	return c.fileStore.Erase(serverAddress)
+}
+
+// Get retrieves credentials for a specific server from the native store.
+func (c *nativeStore) Get(serverAddress string) (types.AuthConfig, error) {
+	// load user email if it exist or an empty auth config.
+	auth, _ := c.fileStore.Get(serverAddress)
+
+	creds, err := c.getCredentialsFromStore(serverAddress)
+	if err != nil {
+		return auth, err
+	}
+	auth.Username = creds.Username
+	auth.IdentityToken = creds.IdentityToken
+	auth.Password = creds.Password
+
+	return auth, nil
+}
+
+// GetAll retrieves all the credentials from the native store.
+func (c *nativeStore) GetAll() (map[string]types.AuthConfig, error) {
+	auths, err := c.listCredentialsInStore()
+	if err != nil {
+		return nil, err
+	}
+
+	// Emails are only stored in the file store.
+	// This call can be safely eliminated when emails are removed.
+	fileConfigs, _ := c.fileStore.GetAll()
+
+	authConfigs := make(map[string]types.AuthConfig)
+	for registry := range auths {
+		creds, err := c.getCredentialsFromStore(registry)
+		if err != nil {
+			return nil, err
+		}
+		ac := fileConfigs[registry] // might contain Email
+		ac.Username = creds.Username
+		ac.Password = creds.Password
+		ac.IdentityToken = creds.IdentityToken
+		authConfigs[registry] = ac
+	}
+
+	return authConfigs, nil
+}
+
+// Store saves the given credentials in the file store.
+func (c *nativeStore) Store(authConfig types.AuthConfig) error {
+	if err := c.storeCredentialsInStore(authConfig); err != nil {
+		return err
+	}
+	authConfig.Username = ""
+	authConfig.Password = ""
+	authConfig.IdentityToken = ""
+
+	// Fallback to old credential in plain text to save only the email
+	return c.fileStore.Store(authConfig)
+}
+
+// storeCredentialsInStore executes the command to store the credentials in the native store.
+func (c *nativeStore) storeCredentialsInStore(config types.AuthConfig) error {
+	creds := &credentials.Credentials{
+		ServerURL: config.ServerAddress,
+		Username:  config.Username,
+		Secret:    config.Password,
+	}
+
+	if config.IdentityToken != "" {
+		creds.Username = tokenUsername
+		creds.Secret = config.IdentityToken
+	}
+
+	return client.Store(c.programFunc, creds)
+}
+
+// getCredentialsFromStore executes the command to get the credentials from the native store.
+func (c *nativeStore) getCredentialsFromStore(serverAddress string) (types.AuthConfig, error) {
+	var ret types.AuthConfig
+
+	creds, err := client.Get(c.programFunc, serverAddress)
+	if err != nil {
+		if credentials.IsErrCredentialsNotFound(err) {
+			// do not return an error if the credentials are not
+			// in the keychain. Let docker ask for new credentials.
+			return ret, nil
+		}
+		return ret, err
+	}
+
+	if creds.Username == tokenUsername {
+		ret.IdentityToken = creds.Secret
+	} else {
+		ret.Password = creds.Secret
+		ret.Username = creds.Username
+	}
+
+	ret.ServerAddress = serverAddress
+	return ret, nil
+}
+
+// listCredentialsInStore returns a listing of stored credentials as a map of
+// URL -> username.
+func (c *nativeStore) listCredentialsInStore() (map[string]string, error) {
+	return client.List(c.programFunc)
+}
diff --git a/cli/cli/config/credentials/native_store_test.go b/cli/cli/config/credentials/native_store_test.go
new file mode 100644
index 00000000..88befab5
--- /dev/null
+++ b/cli/cli/config/credentials/native_store_test.go
@@ -0,0 +1,277 @@
+package credentials
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker-credential-helpers/client"
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+const (
+	validServerAddress   = "https://index.docker.io/v1"
+	validServerAddress2  = "https://example.com:5002"
+	invalidServerAddress = "https://foobar.example.com"
+	missingCredsAddress  = "https://missing.docker.io/v1"
+)
+
+var errCommandExited = errors.Errorf("exited 1")
+
+// mockCommand simulates interactions between the docker client and a remote
+// credentials helper.
+// Unit tests inject this mocked command into the remote to control execution.
+type mockCommand struct {
+	arg   string
+	input io.Reader
+}
+
+// Output returns responses from the remote credentials helper.
+// It mocks those responses based in the input in the mock.
+func (m *mockCommand) Output() ([]byte, error) {
+	in, err := ioutil.ReadAll(m.input)
+	if err != nil {
+		return nil, err
+	}
+	inS := string(in)
+
+	switch m.arg {
+	case "erase":
+		switch inS {
+		case validServerAddress:
+			return nil, nil
+		default:
+			return []byte("program failed"), errCommandExited
+		}
+	case "get":
+		switch inS {
+		case validServerAddress:
+			return []byte(`{"Username": "foo", "Secret": "bar"}`), nil
+		case validServerAddress2:
+			return []byte(`{"Username": "<token>", "Secret": "abcd1234"}`), nil
+		case missingCredsAddress:
+			return []byte(credentials.NewErrCredentialsNotFound().Error()), errCommandExited
+		case invalidServerAddress:
+			return []byte("program failed"), errCommandExited
+		}
+	case "store":
+		var c credentials.Credentials
+		err := json.NewDecoder(strings.NewReader(inS)).Decode(&c)
+		if err != nil {
+			return []byte("program failed"), errCommandExited
+		}
+		switch c.ServerURL {
+		case validServerAddress:
+			return nil, nil
+		default:
+			return []byte("program failed"), errCommandExited
+		}
+	case "list":
+		return []byte(fmt.Sprintf(`{"%s": "%s", "%s": "%s"}`, validServerAddress, "foo", validServerAddress2, "<token>")), nil
+	}
+
+	return []byte(fmt.Sprintf("unknown argument %q with %q", m.arg, inS)), errCommandExited
+}
+
+// Input sets the input to send to a remote credentials helper.
+func (m *mockCommand) Input(in io.Reader) {
+	m.input = in
+}
+
+func mockCommandFn(args ...string) client.Program {
+	return &mockCommand{
+		arg: args[0],
+	}
+}
+
+func TestNativeStoreAddCredentials(t *testing.T) {
+	f := newStore(make(map[string]types.AuthConfig))
+	s := &nativeStore{
+		programFunc: mockCommandFn,
+		fileStore:   NewFileStore(f),
+	}
+	auth := types.AuthConfig{
+		Username:      "foo",
+		Password:      "bar",
+		Email:         "foo@example.com",
+		ServerAddress: validServerAddress,
+	}
+	err := s.Store(auth)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(f.GetAuthConfigs(), 1))
+
+	actual, ok := f.GetAuthConfigs()[validServerAddress]
+	assert.Check(t, ok)
+	expected := types.AuthConfig{
+		Email:         auth.Email,
+		ServerAddress: auth.ServerAddress,
+	}
+	assert.Check(t, is.DeepEqual(expected, actual))
+}
+
+func TestNativeStoreAddInvalidCredentials(t *testing.T) {
+	f := newStore(make(map[string]types.AuthConfig))
+	s := &nativeStore{
+		programFunc: mockCommandFn,
+		fileStore:   NewFileStore(f),
+	}
+	err := s.Store(types.AuthConfig{
+		Username:      "foo",
+		Password:      "bar",
+		Email:         "foo@example.com",
+		ServerAddress: invalidServerAddress,
+	})
+	assert.ErrorContains(t, err, "program failed")
+	assert.Check(t, is.Len(f.GetAuthConfigs(), 0))
+}
+
+func TestNativeStoreGet(t *testing.T) {
+	f := newStore(map[string]types.AuthConfig{
+		validServerAddress: {
+			Email: "foo@example.com",
+		},
+	})
+	s := &nativeStore{
+		programFunc: mockCommandFn,
+		fileStore:   NewFileStore(f),
+	}
+	actual, err := s.Get(validServerAddress)
+	assert.NilError(t, err)
+
+	expected := types.AuthConfig{
+		Username: "foo",
+		Password: "bar",
+		Email:    "foo@example.com",
+	}
+	assert.Check(t, is.DeepEqual(expected, actual))
+}
+
+func TestNativeStoreGetIdentityToken(t *testing.T) {
+	f := newStore(map[string]types.AuthConfig{
+		validServerAddress2: {
+			Email: "foo@example2.com",
+		},
+	})
+
+	s := &nativeStore{
+		programFunc: mockCommandFn,
+		fileStore:   NewFileStore(f),
+	}
+	actual, err := s.Get(validServerAddress2)
+	assert.NilError(t, err)
+
+	expected := types.AuthConfig{
+		IdentityToken: "abcd1234",
+		Email:         "foo@example2.com",
+	}
+	assert.Check(t, is.DeepEqual(expected, actual))
+}
+
+func TestNativeStoreGetAll(t *testing.T) {
+	f := newStore(map[string]types.AuthConfig{
+		validServerAddress: {
+			Email: "foo@example.com",
+		},
+	})
+
+	s := &nativeStore{
+		programFunc: mockCommandFn,
+		fileStore:   NewFileStore(f),
+	}
+	as, err := s.GetAll()
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(as, 2))
+
+	if as[validServerAddress].Username != "foo" {
+		t.Fatalf("expected username `foo` for %s, got %s", validServerAddress, as[validServerAddress].Username)
+	}
+	if as[validServerAddress].Password != "bar" {
+		t.Fatalf("expected password `bar` for %s, got %s", validServerAddress, as[validServerAddress].Password)
+	}
+	if as[validServerAddress].IdentityToken != "" {
+		t.Fatalf("expected identity to be empty for %s, got %s", validServerAddress, as[validServerAddress].IdentityToken)
+	}
+	if as[validServerAddress].Email != "foo@example.com" {
+		t.Fatalf("expected email `foo@example.com` for %s, got %s", validServerAddress, as[validServerAddress].Email)
+	}
+	if as[validServerAddress2].Username != "" {
+		t.Fatalf("expected username to be empty for %s, got %s", validServerAddress2, as[validServerAddress2].Username)
+	}
+	if as[validServerAddress2].Password != "" {
+		t.Fatalf("expected password to be empty for %s, got %s", validServerAddress2, as[validServerAddress2].Password)
+	}
+	if as[validServerAddress2].IdentityToken != "abcd1234" {
+		t.Fatalf("expected identity token `abcd1324` for %s, got %s", validServerAddress2, as[validServerAddress2].IdentityToken)
+	}
+	if as[validServerAddress2].Email != "" {
+		t.Fatalf("expected no email for %s, got %s", validServerAddress2, as[validServerAddress2].Email)
+	}
+}
+
+func TestNativeStoreGetMissingCredentials(t *testing.T) {
+	f := newStore(map[string]types.AuthConfig{
+		validServerAddress: {
+			Email: "foo@example.com",
+		},
+	})
+
+	s := &nativeStore{
+		programFunc: mockCommandFn,
+		fileStore:   NewFileStore(f),
+	}
+	_, err := s.Get(missingCredsAddress)
+	assert.NilError(t, err)
+}
+
+func TestNativeStoreGetInvalidAddress(t *testing.T) {
+	f := newStore(map[string]types.AuthConfig{
+		validServerAddress: {
+			Email: "foo@example.com",
+		},
+	})
+
+	s := &nativeStore{
+		programFunc: mockCommandFn,
+		fileStore:   NewFileStore(f),
+	}
+	_, err := s.Get(invalidServerAddress)
+	assert.ErrorContains(t, err, "program failed")
+}
+
+func TestNativeStoreErase(t *testing.T) {
+	f := newStore(map[string]types.AuthConfig{
+		validServerAddress: {
+			Email: "foo@example.com",
+		},
+	})
+
+	s := &nativeStore{
+		programFunc: mockCommandFn,
+		fileStore:   NewFileStore(f),
+	}
+	err := s.Erase(validServerAddress)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(f.GetAuthConfigs(), 0))
+}
+
+func TestNativeStoreEraseInvalidAddress(t *testing.T) {
+	f := newStore(map[string]types.AuthConfig{
+		validServerAddress: {
+			Email: "foo@example.com",
+		},
+	})
+
+	s := &nativeStore{
+		programFunc: mockCommandFn,
+		fileStore:   NewFileStore(f),
+	}
+	err := s.Erase(invalidServerAddress)
+	assert.ErrorContains(t, err, "program failed")
+}
diff --git a/cli/cli/debug/debug.go b/cli/cli/debug/debug.go
new file mode 100644
index 00000000..b00ea63a
--- /dev/null
+++ b/cli/cli/debug/debug.go
@@ -0,0 +1,26 @@
+package debug
+
+import (
+	"os"
+
+	"github.com/sirupsen/logrus"
+)
+
+// Enable sets the DEBUG env var to true
+// and makes the logger to log at debug level.
+func Enable() {
+	os.Setenv("DEBUG", "1")
+	logrus.SetLevel(logrus.DebugLevel)
+}
+
+// Disable sets the DEBUG env var to false
+// and makes the logger to log at info level.
+func Disable() {
+	os.Setenv("DEBUG", "")
+	logrus.SetLevel(logrus.InfoLevel)
+}
+
+// IsEnabled checks whether the debug flag is set or not.
+func IsEnabled() bool {
+	return os.Getenv("DEBUG") != ""
+}
diff --git a/cli/cli/debug/debug_test.go b/cli/cli/debug/debug_test.go
new file mode 100644
index 00000000..90311528
--- /dev/null
+++ b/cli/cli/debug/debug_test.go
@@ -0,0 +1,43 @@
+package debug
+
+import (
+	"os"
+	"testing"
+
+	"github.com/sirupsen/logrus"
+)
+
+func TestEnable(t *testing.T) {
+	defer func() {
+		os.Setenv("DEBUG", "")
+		logrus.SetLevel(logrus.InfoLevel)
+	}()
+	Enable()
+	if os.Getenv("DEBUG") != "1" {
+		t.Fatalf("expected DEBUG=1, got %s\n", os.Getenv("DEBUG"))
+	}
+	if logrus.GetLevel() != logrus.DebugLevel {
+		t.Fatalf("expected log level %v, got %v\n", logrus.DebugLevel, logrus.GetLevel())
+	}
+}
+
+func TestDisable(t *testing.T) {
+	Disable()
+	if os.Getenv("DEBUG") != "" {
+		t.Fatalf("expected DEBUG=\"\", got %s\n", os.Getenv("DEBUG"))
+	}
+	if logrus.GetLevel() != logrus.InfoLevel {
+		t.Fatalf("expected log level %v, got %v\n", logrus.InfoLevel, logrus.GetLevel())
+	}
+}
+
+func TestEnabled(t *testing.T) {
+	Enable()
+	if !IsEnabled() {
+		t.Fatal("expected debug enabled, got false")
+	}
+	Disable()
+	if IsEnabled() {
+		t.Fatal("expected debug disabled, got true")
+	}
+}
diff --git a/cli/cli/error.go b/cli/cli/error.go
new file mode 100644
index 00000000..62f62433
--- /dev/null
+++ b/cli/cli/error.go
@@ -0,0 +1,33 @@
+package cli
+
+import (
+	"fmt"
+	"strings"
+)
+
+// Errors is a list of errors.
+// Useful in a loop if you don't want to return the error right away and you want to display after the loop,
+// all the errors that happened during the loop.
+type Errors []error
+
+func (errList Errors) Error() string {
+	if len(errList) < 1 {
+		return ""
+	}
+
+	out := make([]string, len(errList))
+	for i := range errList {
+		out[i] = errList[i].Error()
+	}
+	return strings.Join(out, ", ")
+}
+
+// StatusError reports an unsuccessful exit by a command.
+type StatusError struct {
+	Status     string
+	StatusCode int
+}
+
+func (e StatusError) Error() string {
+	return fmt.Sprintf("Status: %s, Code: %d", e.Status, e.StatusCode)
+}
diff --git a/cli/cli/flags/client.go b/cli/cli/flags/client.go
new file mode 100644
index 00000000..c57879e6
--- /dev/null
+++ b/cli/cli/flags/client.go
@@ -0,0 +1,12 @@
+package flags
+
+// ClientOptions are the options used to configure the client cli
+type ClientOptions struct {
+	Common    *CommonOptions
+	ConfigDir string
+}
+
+// NewClientOptions returns a new ClientOptions
+func NewClientOptions() *ClientOptions {
+	return &ClientOptions{Common: NewCommonOptions()}
+}
diff --git a/cli/cli/flags/common.go b/cli/cli/flags/common.go
new file mode 100644
index 00000000..3834097c
--- /dev/null
+++ b/cli/cli/flags/common.go
@@ -0,0 +1,118 @@
+package flags
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	cliconfig "github.com/docker/cli/cli/config"
+	"github.com/docker/cli/opts"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/pflag"
+)
+
+const (
+	// DefaultCaFile is the default filename for the CA pem file
+	DefaultCaFile = "ca.pem"
+	// DefaultKeyFile is the default filename for the key pem file
+	DefaultKeyFile = "key.pem"
+	// DefaultCertFile is the default filename for the cert pem file
+	DefaultCertFile = "cert.pem"
+	// FlagTLSVerify is the flag name for the TLS verification option
+	FlagTLSVerify = "tlsverify"
+)
+
+var (
+	dockerCertPath  = os.Getenv("DOCKER_CERT_PATH")
+	dockerTLSVerify = os.Getenv("DOCKER_TLS_VERIFY") != ""
+	dockerTLS       = os.Getenv("DOCKER_TLS") != ""
+)
+
+// CommonOptions are options common to both the client and the daemon.
+type CommonOptions struct {
+	Debug      bool
+	Hosts      []string
+	LogLevel   string
+	TLS        bool
+	TLSVerify  bool
+	TLSOptions *tlsconfig.Options
+}
+
+// NewCommonOptions returns a new CommonOptions
+func NewCommonOptions() *CommonOptions {
+	return &CommonOptions{}
+}
+
+// InstallFlags adds flags for the common options on the FlagSet
+func (commonOpts *CommonOptions) InstallFlags(flags *pflag.FlagSet) {
+	if dockerCertPath == "" {
+		dockerCertPath = cliconfig.Dir()
+	}
+
+	flags.BoolVarP(&commonOpts.Debug, "debug", "D", false, "Enable debug mode")
+	flags.StringVarP(&commonOpts.LogLevel, "log-level", "l", "info", `Set the logging level ("debug"|"info"|"warn"|"error"|"fatal")`)
+	flags.BoolVar(&commonOpts.TLS, "tls", dockerTLS, "Use TLS; implied by --tlsverify")
+	flags.BoolVar(&commonOpts.TLSVerify, FlagTLSVerify, dockerTLSVerify, "Use TLS and verify the remote")
+
+	// TODO use flag flags.String("identity"}, "i", "", "Path to libtrust key file")
+
+	commonOpts.TLSOptions = &tlsconfig.Options{
+		CAFile:   filepath.Join(dockerCertPath, DefaultCaFile),
+		CertFile: filepath.Join(dockerCertPath, DefaultCertFile),
+		KeyFile:  filepath.Join(dockerCertPath, DefaultKeyFile),
+	}
+	tlsOptions := commonOpts.TLSOptions
+	flags.Var(opts.NewQuotedString(&tlsOptions.CAFile), "tlscacert", "Trust certs signed only by this CA")
+	flags.Var(opts.NewQuotedString(&tlsOptions.CertFile), "tlscert", "Path to TLS certificate file")
+	flags.Var(opts.NewQuotedString(&tlsOptions.KeyFile), "tlskey", "Path to TLS key file")
+
+	hostOpt := opts.NewNamedListOptsRef("hosts", &commonOpts.Hosts, opts.ValidateHost)
+	flags.VarP(hostOpt, "host", "H", "Daemon socket(s) to connect to")
+}
+
+// SetDefaultOptions sets default values for options after flag parsing is
+// complete
+func (commonOpts *CommonOptions) SetDefaultOptions(flags *pflag.FlagSet) {
+	// Regardless of whether the user sets it to true or false, if they
+	// specify --tlsverify at all then we need to turn on TLS
+	// TLSVerify can be true even if not set due to DOCKER_TLS_VERIFY env var, so we need
+	// to check that here as well
+	if flags.Changed(FlagTLSVerify) || commonOpts.TLSVerify {
+		commonOpts.TLS = true
+	}
+
+	if !commonOpts.TLS {
+		commonOpts.TLSOptions = nil
+	} else {
+		tlsOptions := commonOpts.TLSOptions
+		tlsOptions.InsecureSkipVerify = !commonOpts.TLSVerify
+
+		// Reset CertFile and KeyFile to empty string if the user did not specify
+		// the respective flags and the respective default files were not found.
+		if !flags.Changed("tlscert") {
+			if _, err := os.Stat(tlsOptions.CertFile); os.IsNotExist(err) {
+				tlsOptions.CertFile = ""
+			}
+		}
+		if !flags.Changed("tlskey") {
+			if _, err := os.Stat(tlsOptions.KeyFile); os.IsNotExist(err) {
+				tlsOptions.KeyFile = ""
+			}
+		}
+	}
+}
+
+// SetLogLevel sets the logrus logging level
+func SetLogLevel(logLevel string) {
+	if logLevel != "" {
+		lvl, err := logrus.ParseLevel(logLevel)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Unable to parse logging level: %s\n", logLevel)
+			os.Exit(1)
+		}
+		logrus.SetLevel(lvl)
+	} else {
+		logrus.SetLevel(logrus.InfoLevel)
+	}
+}
diff --git a/cli/cli/flags/common_test.go b/cli/cli/flags/common_test.go
new file mode 100644
index 00000000..7150691e
--- /dev/null
+++ b/cli/cli/flags/common_test.go
@@ -0,0 +1,43 @@
+package flags
+
+import (
+	"path/filepath"
+	"testing"
+
+	cliconfig "github.com/docker/cli/cli/config"
+	"github.com/spf13/pflag"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestCommonOptionsInstallFlags(t *testing.T) {
+	flags := pflag.NewFlagSet("testing", pflag.ContinueOnError)
+	opts := NewCommonOptions()
+	opts.InstallFlags(flags)
+
+	err := flags.Parse([]string{
+		"--tlscacert=\"/foo/cafile\"",
+		"--tlscert=\"/foo/cert\"",
+		"--tlskey=\"/foo/key\"",
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("/foo/cafile", opts.TLSOptions.CAFile))
+	assert.Check(t, is.Equal("/foo/cert", opts.TLSOptions.CertFile))
+	assert.Check(t, is.Equal(opts.TLSOptions.KeyFile, "/foo/key"))
+}
+
+func defaultPath(filename string) string {
+	return filepath.Join(cliconfig.Dir(), filename)
+}
+
+func TestCommonOptionsInstallFlagsWithDefaults(t *testing.T) {
+	flags := pflag.NewFlagSet("testing", pflag.ContinueOnError)
+	opts := NewCommonOptions()
+	opts.InstallFlags(flags)
+
+	err := flags.Parse([]string{})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(defaultPath("ca.pem"), opts.TLSOptions.CAFile))
+	assert.Check(t, is.Equal(defaultPath("cert.pem"), opts.TLSOptions.CertFile))
+	assert.Check(t, is.Equal(defaultPath("key.pem"), opts.TLSOptions.KeyFile))
+}
diff --git a/cli/cli/manifest/store/store.go b/cli/cli/manifest/store/store.go
new file mode 100644
index 00000000..1fd0207b
--- /dev/null
+++ b/cli/cli/manifest/store/store.go
@@ -0,0 +1,180 @@
+package store
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/distribution/manifest/manifestlist"
+	"github.com/docker/distribution/reference"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// Store manages local storage of image distribution manifests
+type Store interface {
+	Remove(listRef reference.Reference) error
+	Get(listRef reference.Reference, manifest reference.Reference) (types.ImageManifest, error)
+	GetList(listRef reference.Reference) ([]types.ImageManifest, error)
+	Save(listRef reference.Reference, manifest reference.Reference, image types.ImageManifest) error
+}
+
+// fsStore manages manifest files stored on the local filesystem
+type fsStore struct {
+	root string
+}
+
+// NewStore returns a new store for a local file path
+func NewStore(root string) Store {
+	return &fsStore{root: root}
+}
+
+// Remove a manifest list from local storage
+func (s *fsStore) Remove(listRef reference.Reference) error {
+	path := filepath.Join(s.root, makeFilesafeName(listRef.String()))
+	return os.RemoveAll(path)
+}
+
+// Get returns the local manifest
+func (s *fsStore) Get(listRef reference.Reference, manifest reference.Reference) (types.ImageManifest, error) {
+	filename := manifestToFilename(s.root, listRef.String(), manifest.String())
+	return s.getFromFilename(manifest, filename)
+}
+
+func (s *fsStore) getFromFilename(ref reference.Reference, filename string) (types.ImageManifest, error) {
+	bytes, err := ioutil.ReadFile(filename)
+	switch {
+	case os.IsNotExist(err):
+		return types.ImageManifest{}, newNotFoundError(ref.String())
+	case err != nil:
+		return types.ImageManifest{}, err
+	}
+	var manifestInfo struct {
+		types.ImageManifest
+
+		// Deprecated Fields, replaced by Descriptor
+		Digest   digest.Digest
+		Platform *manifestlist.PlatformSpec
+	}
+
+	if err := json.Unmarshal(bytes, &manifestInfo); err != nil {
+		return types.ImageManifest{}, err
+	}
+
+	// Compatibility with image manifests created before
+	// descriptor, newer versions omit Digest and Platform
+	if manifestInfo.Digest != "" {
+		mediaType, raw, err := manifestInfo.Payload()
+		if err != nil {
+			return types.ImageManifest{}, err
+		}
+		if dgst := digest.FromBytes(raw); dgst != manifestInfo.Digest {
+			return types.ImageManifest{}, errors.Errorf("invalid manifest file %v: image manifest digest mismatch (%v != %v)", filename, manifestInfo.Digest, dgst)
+		}
+		manifestInfo.ImageManifest.Descriptor = ocispec.Descriptor{
+			Digest:    manifestInfo.Digest,
+			Size:      int64(len(raw)),
+			MediaType: mediaType,
+			Platform:  types.OCIPlatform(manifestInfo.Platform),
+		}
+	}
+
+	return manifestInfo.ImageManifest, nil
+}
+
+// GetList returns all the local manifests for a transaction
+func (s *fsStore) GetList(listRef reference.Reference) ([]types.ImageManifest, error) {
+	filenames, err := s.listManifests(listRef.String())
+	switch {
+	case err != nil:
+		return nil, err
+	case filenames == nil:
+		return nil, newNotFoundError(listRef.String())
+	}
+
+	manifests := []types.ImageManifest{}
+	for _, filename := range filenames {
+		filename = filepath.Join(s.root, makeFilesafeName(listRef.String()), filename)
+		manifest, err := s.getFromFilename(listRef, filename)
+		if err != nil {
+			return nil, err
+		}
+		manifests = append(manifests, manifest)
+	}
+	return manifests, nil
+}
+
+// listManifests stored in a transaction
+func (s *fsStore) listManifests(transaction string) ([]string, error) {
+	transactionDir := filepath.Join(s.root, makeFilesafeName(transaction))
+	fileInfos, err := ioutil.ReadDir(transactionDir)
+	switch {
+	case os.IsNotExist(err):
+		return nil, nil
+	case err != nil:
+		return nil, err
+	}
+
+	filenames := []string{}
+	for _, info := range fileInfos {
+		filenames = append(filenames, info.Name())
+	}
+	return filenames, nil
+}
+
+// Save a manifest as part of a local manifest list
+func (s *fsStore) Save(listRef reference.Reference, manifest reference.Reference, image types.ImageManifest) error {
+	if err := s.createManifestListDirectory(listRef.String()); err != nil {
+		return err
+	}
+	filename := manifestToFilename(s.root, listRef.String(), manifest.String())
+	bytes, err := json.Marshal(image)
+	if err != nil {
+		return err
+	}
+	return ioutil.WriteFile(filename, bytes, 0644)
+}
+
+func (s *fsStore) createManifestListDirectory(transaction string) error {
+	path := filepath.Join(s.root, makeFilesafeName(transaction))
+	return os.MkdirAll(path, 0755)
+}
+
+func manifestToFilename(root, manifestList, manifest string) string {
+	return filepath.Join(root, makeFilesafeName(manifestList), makeFilesafeName(manifest))
+}
+
+func makeFilesafeName(ref string) string {
+	fileName := strings.Replace(ref, ":", "-", -1)
+	return strings.Replace(fileName, "/", "_", -1)
+}
+
+type notFoundError struct {
+	object string
+}
+
+func newNotFoundError(ref string) *notFoundError {
+	return &notFoundError{object: ref}
+}
+
+func (n *notFoundError) Error() string {
+	return fmt.Sprintf("No such manifest: %s", n.object)
+}
+
+// NotFound interface
+func (n *notFoundError) NotFound() {}
+
+// IsNotFound returns true if the error is a not found error
+func IsNotFound(err error) bool {
+	_, ok := err.(notFound)
+	return ok
+}
+
+type notFound interface {
+	NotFound()
+}
diff --git a/cli/cli/manifest/store/store_test.go b/cli/cli/manifest/store/store_test.go
new file mode 100644
index 00000000..ae56fea9
--- /dev/null
+++ b/cli/cli/manifest/store/store_test.go
@@ -0,0 +1,136 @@
+package store
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/distribution/reference"
+	"github.com/google/go-cmp/cmp"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+type fakeRef struct {
+	name string
+}
+
+func (f fakeRef) String() string {
+	return f.name
+}
+
+func (f fakeRef) Name() string {
+	return f.name
+}
+
+func ref(name string) fakeRef {
+	return fakeRef{name: name}
+}
+
+func sref(t *testing.T, name string) *types.SerializableNamed {
+	named, err := reference.ParseNamed("example.com/" + name)
+	assert.NilError(t, err)
+	return &types.SerializableNamed{Named: named}
+}
+
+func newTestStore(t *testing.T) (Store, func()) {
+	tmpdir, err := ioutil.TempDir("", "manifest-store-test")
+	assert.NilError(t, err)
+
+	return NewStore(tmpdir), func() { os.RemoveAll(tmpdir) }
+}
+
+func getFiles(t *testing.T, store Store) []os.FileInfo {
+	infos, err := ioutil.ReadDir(store.(*fsStore).root)
+	assert.NilError(t, err)
+	return infos
+}
+
+func TestStoreRemove(t *testing.T) {
+	store, cleanup := newTestStore(t)
+	defer cleanup()
+
+	listRef := ref("list")
+	data := types.ImageManifest{Ref: sref(t, "abcdef")}
+	assert.NilError(t, store.Save(listRef, ref("manifest"), data))
+	assert.Assert(t, is.Len(getFiles(t, store), 1))
+
+	assert.Check(t, store.Remove(listRef))
+	assert.Check(t, is.Len(getFiles(t, store), 0))
+}
+
+func TestStoreSaveAndGet(t *testing.T) {
+	store, cleanup := newTestStore(t)
+	defer cleanup()
+
+	listRef := ref("list")
+	data := types.ImageManifest{Ref: sref(t, "abcdef")}
+	err := store.Save(listRef, ref("exists"), data)
+	assert.NilError(t, err)
+
+	var testcases = []struct {
+		listRef     reference.Reference
+		manifestRef reference.Reference
+		expected    types.ImageManifest
+		expectedErr string
+	}{
+		{
+			listRef:     listRef,
+			manifestRef: ref("exists"),
+			expected:    data,
+		},
+		{
+			listRef:     listRef,
+			manifestRef: ref("exist:does-not"),
+			expectedErr: "No such manifest: exist:does-not",
+		},
+		{
+			listRef:     ref("list:does-not-exist"),
+			manifestRef: ref("manifest:does-not-exist"),
+			expectedErr: "No such manifest: manifest:does-not-exist",
+		},
+	}
+
+	for _, testcase := range testcases {
+		t.Run(testcase.manifestRef.String(), func(t *testing.T) {
+			actual, err := store.Get(testcase.listRef, testcase.manifestRef)
+			if testcase.expectedErr != "" {
+				assert.Error(t, err, testcase.expectedErr)
+				assert.Check(t, IsNotFound(err))
+				return
+			}
+			assert.NilError(t, err)
+			assert.DeepEqual(t, testcase.expected, actual, cmpReferenceNamed)
+		})
+	}
+}
+
+var cmpReferenceNamed = cmp.Transformer("namedref", func(r reference.Named) string {
+	return r.String()
+})
+
+func TestStoreGetList(t *testing.T) {
+	store, cleanup := newTestStore(t)
+	defer cleanup()
+
+	listRef := ref("list")
+	first := types.ImageManifest{Ref: sref(t, "first")}
+	assert.NilError(t, store.Save(listRef, ref("first"), first))
+	second := types.ImageManifest{Ref: sref(t, "second")}
+	assert.NilError(t, store.Save(listRef, ref("exists"), second))
+
+	list, err := store.GetList(listRef)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(list, 2))
+}
+
+func TestStoreGetListDoesNotExist(t *testing.T) {
+	store, cleanup := newTestStore(t)
+	defer cleanup()
+
+	listRef := ref("list")
+	_, err := store.GetList(listRef)
+	assert.Error(t, err, "No such manifest: list")
+	assert.Check(t, IsNotFound(err))
+}
diff --git a/cli/cli/manifest/types/types.go b/cli/cli/manifest/types/types.go
new file mode 100644
index 00000000..62f0d6cc
--- /dev/null
+++ b/cli/cli/manifest/types/types.go
@@ -0,0 +1,114 @@
+package types
+
+import (
+	"encoding/json"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/manifestlist"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// ImageManifest contains info to output for a manifest object.
+type ImageManifest struct {
+	Ref        *SerializableNamed
+	Descriptor ocispec.Descriptor
+
+	// SchemaV2Manifest is used for inspection
+	// TODO: Deprecate this and store manifest blobs
+	SchemaV2Manifest *schema2.DeserializedManifest `json:",omitempty"`
+}
+
+// OCIPlatform creates an OCI platform from a manifest list platform spec
+func OCIPlatform(ps *manifestlist.PlatformSpec) *ocispec.Platform {
+	if ps == nil {
+		return nil
+	}
+	return &ocispec.Platform{
+		Architecture: ps.Architecture,
+		OS:           ps.OS,
+		OSVersion:    ps.OSVersion,
+		OSFeatures:   ps.OSFeatures,
+		Variant:      ps.Variant,
+	}
+}
+
+// PlatformSpecFromOCI creates a platform spec from OCI platform
+func PlatformSpecFromOCI(p *ocispec.Platform) *manifestlist.PlatformSpec {
+	if p == nil {
+		return nil
+	}
+	return &manifestlist.PlatformSpec{
+		Architecture: p.Architecture,
+		OS:           p.OS,
+		OSVersion:    p.OSVersion,
+		OSFeatures:   p.OSFeatures,
+		Variant:      p.Variant,
+	}
+}
+
+// Blobs returns the digests for all the blobs referenced by this manifest
+func (i ImageManifest) Blobs() []digest.Digest {
+	digests := []digest.Digest{}
+	for _, descriptor := range i.SchemaV2Manifest.References() {
+		digests = append(digests, descriptor.Digest)
+	}
+	return digests
+}
+
+// Payload returns the media type and bytes for the manifest
+func (i ImageManifest) Payload() (string, []byte, error) {
+	// TODO: If available, read content from a content store by digest
+	switch {
+	case i.SchemaV2Manifest != nil:
+		return i.SchemaV2Manifest.Payload()
+	default:
+		return "", nil, errors.Errorf("%s has no payload", i.Ref)
+	}
+}
+
+// References implements the distribution.Manifest interface. It delegates to
+// the underlying manifest.
+func (i ImageManifest) References() []distribution.Descriptor {
+	switch {
+	case i.SchemaV2Manifest != nil:
+		return i.SchemaV2Manifest.References()
+	default:
+		return nil
+	}
+}
+
+// NewImageManifest returns a new ImageManifest object. The values for Platform
+// are initialized from those in the image
+func NewImageManifest(ref reference.Named, desc ocispec.Descriptor, manifest *schema2.DeserializedManifest) ImageManifest {
+	return ImageManifest{
+		Ref:              &SerializableNamed{Named: ref},
+		Descriptor:       desc,
+		SchemaV2Manifest: manifest,
+	}
+}
+
+// SerializableNamed is a reference.Named that can be serialzied and deserialized
+// from JSON
+type SerializableNamed struct {
+	reference.Named
+}
+
+// UnmarshalJSON loads the Named reference from JSON bytes
+func (s *SerializableNamed) UnmarshalJSON(b []byte) error {
+	var raw string
+	if err := json.Unmarshal(b, &raw); err != nil {
+		return errors.Wrapf(err, "invalid named reference bytes: %s", b)
+	}
+	var err error
+	s.Named, err = reference.ParseNamed(raw)
+	return err
+}
+
+// MarshalJSON returns the JSON bytes representation
+func (s *SerializableNamed) MarshalJSON() ([]byte, error) {
+	return json.Marshal(s.String())
+}
diff --git a/cli/cli/registry/client/client.go b/cli/cli/registry/client/client.go
new file mode 100644
index 00000000..35a11025
--- /dev/null
+++ b/cli/cli/registry/client/client.go
@@ -0,0 +1,183 @@
+package client
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+
+	manifesttypes "github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/reference"
+	distributionclient "github.com/docker/distribution/registry/client"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// RegistryClient is a client used to communicate with a Docker distribution
+// registry
+type RegistryClient interface {
+	GetManifest(ctx context.Context, ref reference.Named) (manifesttypes.ImageManifest, error)
+	GetManifestList(ctx context.Context, ref reference.Named) ([]manifesttypes.ImageManifest, error)
+	MountBlob(ctx context.Context, source reference.Canonical, target reference.Named) error
+	PutManifest(ctx context.Context, ref reference.Named, manifest distribution.Manifest) (digest.Digest, error)
+}
+
+// NewRegistryClient returns a new RegistryClient with a resolver
+func NewRegistryClient(resolver AuthConfigResolver, userAgent string, insecure bool) RegistryClient {
+	return &client{
+		authConfigResolver: resolver,
+		insecureRegistry:   insecure,
+		userAgent:          userAgent,
+	}
+}
+
+// AuthConfigResolver returns Auth Configuration for an index
+type AuthConfigResolver func(ctx context.Context, index *registrytypes.IndexInfo) types.AuthConfig
+
+// PutManifestOptions is the data sent to push a manifest
+type PutManifestOptions struct {
+	MediaType string
+	Payload   []byte
+}
+
+type client struct {
+	authConfigResolver AuthConfigResolver
+	insecureRegistry   bool
+	userAgent          string
+}
+
+// ErrBlobCreated returned when a blob mount request was created
+type ErrBlobCreated struct {
+	From   reference.Named
+	Target reference.Named
+}
+
+func (err ErrBlobCreated) Error() string {
+	return fmt.Sprintf("blob mounted from: %v to: %v",
+		err.From, err.Target)
+}
+
+// ErrHTTPProto returned if attempting to use TLS with a non-TLS registry
+type ErrHTTPProto struct {
+	OrigErr string
+}
+
+func (err ErrHTTPProto) Error() string {
+	return err.OrigErr
+}
+
+var _ RegistryClient = &client{}
+
+// MountBlob into the registry, so it can be referenced by a manifest
+func (c *client) MountBlob(ctx context.Context, sourceRef reference.Canonical, targetRef reference.Named) error {
+	repoEndpoint, err := newDefaultRepositoryEndpoint(targetRef, c.insecureRegistry)
+	if err != nil {
+		return err
+	}
+	repo, err := c.getRepositoryForReference(ctx, targetRef, repoEndpoint)
+	if err != nil {
+		return err
+	}
+	lu, err := repo.Blobs(ctx).Create(ctx, distributionclient.WithMountFrom(sourceRef))
+	switch err.(type) {
+	case distribution.ErrBlobMounted:
+		logrus.Debugf("mount of blob %s succeeded", sourceRef)
+		return nil
+	case nil:
+	default:
+		return errors.Wrapf(err, "failed to mount blob %s to %s", sourceRef, targetRef)
+	}
+	lu.Cancel(ctx)
+	logrus.Debugf("mount of blob %s created", sourceRef)
+	return ErrBlobCreated{From: sourceRef, Target: targetRef}
+}
+
+// PutManifest sends the manifest to a registry and returns the new digest
+func (c *client) PutManifest(ctx context.Context, ref reference.Named, manifest distribution.Manifest) (digest.Digest, error) {
+	repoEndpoint, err := newDefaultRepositoryEndpoint(ref, c.insecureRegistry)
+	if err != nil {
+		return digest.Digest(""), err
+	}
+
+	repo, err := c.getRepositoryForReference(ctx, ref, repoEndpoint)
+	if err != nil {
+		return digest.Digest(""), err
+	}
+
+	manifestService, err := repo.Manifests(ctx)
+	if err != nil {
+		return digest.Digest(""), err
+	}
+
+	_, opts, err := getManifestOptionsFromReference(ref)
+	if err != nil {
+		return digest.Digest(""), err
+	}
+
+	dgst, err := manifestService.Put(ctx, manifest, opts...)
+	return dgst, errors.Wrapf(err, "failed to put manifest %s", ref)
+}
+
+func (c *client) getRepositoryForReference(ctx context.Context, ref reference.Named, repoEndpoint repositoryEndpoint) (distribution.Repository, error) {
+	httpTransport, err := c.getHTTPTransportForRepoEndpoint(ctx, repoEndpoint)
+	if err != nil {
+		if strings.Contains(err.Error(), "server gave HTTP response to HTTPS client") {
+			return nil, ErrHTTPProto{OrigErr: err.Error()}
+		}
+	}
+	repoName, err := reference.WithName(repoEndpoint.Name())
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to parse repo name from %s", ref)
+	}
+	return distributionclient.NewRepository(repoName, repoEndpoint.BaseURL(), httpTransport)
+}
+
+func (c *client) getHTTPTransportForRepoEndpoint(ctx context.Context, repoEndpoint repositoryEndpoint) (http.RoundTripper, error) {
+	httpTransport, err := getHTTPTransport(
+		c.authConfigResolver(ctx, repoEndpoint.info.Index),
+		repoEndpoint.endpoint,
+		repoEndpoint.Name(),
+		c.userAgent)
+	return httpTransport, errors.Wrap(err, "failed to configure transport")
+}
+
+// GetManifest returns an ImageManifest for the reference
+func (c *client) GetManifest(ctx context.Context, ref reference.Named) (manifesttypes.ImageManifest, error) {
+	var result manifesttypes.ImageManifest
+	fetch := func(ctx context.Context, repo distribution.Repository, ref reference.Named) (bool, error) {
+		var err error
+		result, err = fetchManifest(ctx, repo, ref)
+		return result.Ref != nil, err
+	}
+
+	err := c.iterateEndpoints(ctx, ref, fetch)
+	return result, err
+}
+
+// GetManifestList returns a list of ImageManifest for the reference
+func (c *client) GetManifestList(ctx context.Context, ref reference.Named) ([]manifesttypes.ImageManifest, error) {
+	result := []manifesttypes.ImageManifest{}
+	fetch := func(ctx context.Context, repo distribution.Repository, ref reference.Named) (bool, error) {
+		var err error
+		result, err = fetchList(ctx, repo, ref)
+		return len(result) > 0, err
+	}
+
+	err := c.iterateEndpoints(ctx, ref, fetch)
+	return result, err
+}
+
+func getManifestOptionsFromReference(ref reference.Named) (digest.Digest, []distribution.ManifestServiceOption, error) {
+	if tagged, isTagged := ref.(reference.NamedTagged); isTagged {
+		tag := tagged.Tag()
+		return "", []distribution.ManifestServiceOption{distribution.WithTag(tag)}, nil
+	}
+	if digested, isDigested := ref.(reference.Canonical); isDigested {
+		return digested.Digest(), []distribution.ManifestServiceOption{}, nil
+	}
+	return "", nil, errors.Errorf("%s no tag or digest", ref)
+}
diff --git a/cli/cli/registry/client/endpoint.go b/cli/cli/registry/client/endpoint.go
new file mode 100644
index 00000000..5af00ca7
--- /dev/null
+++ b/cli/cli/registry/client/endpoint.go
@@ -0,0 +1,133 @@
+package client
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/distribution/registry/client/transport"
+	authtypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/registry"
+	"github.com/pkg/errors"
+)
+
+type repositoryEndpoint struct {
+	info     *registry.RepositoryInfo
+	endpoint registry.APIEndpoint
+}
+
+// Name returns the repository name
+func (r repositoryEndpoint) Name() string {
+	repoName := r.info.Name.Name()
+	// If endpoint does not support CanonicalName, use the RemoteName instead
+	if r.endpoint.TrimHostname {
+		repoName = reference.Path(r.info.Name)
+	}
+	return repoName
+}
+
+// BaseURL returns the endpoint url
+func (r repositoryEndpoint) BaseURL() string {
+	return r.endpoint.URL.String()
+}
+
+func newDefaultRepositoryEndpoint(ref reference.Named, insecure bool) (repositoryEndpoint, error) {
+	repoInfo, err := registry.ParseRepositoryInfo(ref)
+	if err != nil {
+		return repositoryEndpoint{}, err
+	}
+	endpoint, err := getDefaultEndpointFromRepoInfo(repoInfo)
+	if err != nil {
+		return repositoryEndpoint{}, err
+	}
+	if insecure {
+		endpoint.TLSConfig.InsecureSkipVerify = true
+	}
+	return repositoryEndpoint{info: repoInfo, endpoint: endpoint}, nil
+}
+
+func getDefaultEndpointFromRepoInfo(repoInfo *registry.RepositoryInfo) (registry.APIEndpoint, error) {
+	var err error
+
+	options := registry.ServiceOptions{}
+	registryService, err := registry.NewService(options)
+	if err != nil {
+		return registry.APIEndpoint{}, err
+	}
+	endpoints, err := registryService.LookupPushEndpoints(reference.Domain(repoInfo.Name))
+	if err != nil {
+		return registry.APIEndpoint{}, err
+	}
+	// Default to the highest priority endpoint to return
+	endpoint := endpoints[0]
+	if !repoInfo.Index.Secure {
+		for _, ep := range endpoints {
+			if ep.URL.Scheme == "http" {
+				endpoint = ep
+			}
+		}
+	}
+	return endpoint, nil
+}
+
+// getHTTPTransport builds a transport for use in communicating with a registry
+func getHTTPTransport(authConfig authtypes.AuthConfig, endpoint registry.APIEndpoint, repoName string, userAgent string) (http.RoundTripper, error) {
+	// get the http transport, this will be used in a client to upload manifest
+	base := &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		Dial: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).Dial,
+		TLSHandshakeTimeout: 10 * time.Second,
+		TLSClientConfig:     endpoint.TLSConfig,
+		DisableKeepAlives:   true,
+	}
+
+	modifiers := registry.Headers(userAgent, http.Header{})
+	authTransport := transport.NewTransport(base, modifiers...)
+	challengeManager, confirmedV2, err := registry.PingV2Registry(endpoint.URL, authTransport)
+	if err != nil {
+		return nil, errors.Wrap(err, "error pinging v2 registry")
+	}
+	if !confirmedV2 {
+		return nil, fmt.Errorf("unsupported registry version")
+	}
+	if authConfig.RegistryToken != "" {
+		passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}
+		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
+	} else {
+		creds := registry.NewStaticCredentialStore(&authConfig)
+		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, "push", "pull")
+		basicHandler := auth.NewBasicHandler(creds)
+		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
+	}
+	return transport.NewTransport(base, modifiers...), nil
+}
+
+// RepoNameForReference returns the repository name from a reference
+func RepoNameForReference(ref reference.Named) (string, error) {
+	// insecure is fine since this only returns the name
+	repo, err := newDefaultRepositoryEndpoint(ref, false)
+	if err != nil {
+		return "", err
+	}
+	return repo.Name(), nil
+}
+
+type existingTokenHandler struct {
+	token string
+}
+
+func (th *existingTokenHandler) AuthorizeRequest(req *http.Request, params map[string]string) error {
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", th.token))
+	return nil
+}
+
+func (th *existingTokenHandler) Scheme() string {
+	return "bearer"
+}
diff --git a/cli/cli/registry/client/fetcher.go b/cli/cli/registry/client/fetcher.go
new file mode 100644
index 00000000..66c11ce2
--- /dev/null
+++ b/cli/cli/registry/client/fetcher.go
@@ -0,0 +1,302 @@
+package client
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/manifestlist"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/distribution/registry/api/v2"
+	distclient "github.com/docker/distribution/registry/client"
+	"github.com/docker/docker/registry"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// fetchManifest pulls a manifest from a registry and returns it. An error
+// is returned if no manifest is found matching namedRef.
+func fetchManifest(ctx context.Context, repo distribution.Repository, ref reference.Named) (types.ImageManifest, error) {
+	manifest, err := getManifest(ctx, repo, ref)
+	if err != nil {
+		return types.ImageManifest{}, err
+	}
+
+	switch v := manifest.(type) {
+	// Removed Schema 1 support
+	case *schema2.DeserializedManifest:
+		imageManifest, err := pullManifestSchemaV2(ctx, ref, repo, *v)
+		if err != nil {
+			return types.ImageManifest{}, err
+		}
+		return imageManifest, nil
+	case *manifestlist.DeserializedManifestList:
+		return types.ImageManifest{}, errors.Errorf("%s is a manifest list", ref)
+	}
+	return types.ImageManifest{}, errors.Errorf("%s is not a manifest", ref)
+}
+
+func fetchList(ctx context.Context, repo distribution.Repository, ref reference.Named) ([]types.ImageManifest, error) {
+	manifest, err := getManifest(ctx, repo, ref)
+	if err != nil {
+		return nil, err
+	}
+
+	switch v := manifest.(type) {
+	case *manifestlist.DeserializedManifestList:
+		imageManifests, err := pullManifestList(ctx, ref, repo, *v)
+		if err != nil {
+			return nil, err
+		}
+		return imageManifests, nil
+	default:
+		return nil, errors.Errorf("unsupported manifest format: %v", v)
+	}
+}
+
+func getManifest(ctx context.Context, repo distribution.Repository, ref reference.Named) (distribution.Manifest, error) {
+	manSvc, err := repo.Manifests(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	dgst, opts, err := getManifestOptionsFromReference(ref)
+	if err != nil {
+		return nil, errors.Errorf("image manifest for %q does not exist", ref)
+	}
+	return manSvc.Get(ctx, dgst, opts...)
+}
+
+func pullManifestSchemaV2(ctx context.Context, ref reference.Named, repo distribution.Repository, mfst schema2.DeserializedManifest) (types.ImageManifest, error) {
+	manifestDesc, err := validateManifestDigest(ref, mfst)
+	if err != nil {
+		return types.ImageManifest{}, err
+	}
+	configJSON, err := pullManifestSchemaV2ImageConfig(ctx, mfst.Target().Digest, repo)
+	if err != nil {
+		return types.ImageManifest{}, err
+	}
+
+	if manifestDesc.Platform == nil {
+		manifestDesc.Platform = &ocispec.Platform{}
+	}
+
+	// Fill in os and architecture fields from config JSON
+	if err := json.Unmarshal(configJSON, manifestDesc.Platform); err != nil {
+		return types.ImageManifest{}, err
+	}
+
+	return types.NewImageManifest(ref, manifestDesc, &mfst), nil
+}
+
+func pullManifestSchemaV2ImageConfig(ctx context.Context, dgst digest.Digest, repo distribution.Repository) ([]byte, error) {
+	blobs := repo.Blobs(ctx)
+	configJSON, err := blobs.Get(ctx, dgst)
+	if err != nil {
+		return nil, err
+	}
+
+	verifier := dgst.Verifier()
+	if err != nil {
+		return nil, err
+	}
+	if _, err := verifier.Write(configJSON); err != nil {
+		return nil, err
+	}
+	if !verifier.Verified() {
+		return nil, errors.Errorf("image config verification failed for digest %s", dgst)
+	}
+	return configJSON, nil
+}
+
+// validateManifestDigest computes the manifest digest, and, if pulling by
+// digest, ensures that it matches the requested digest.
+func validateManifestDigest(ref reference.Named, mfst distribution.Manifest) (ocispec.Descriptor, error) {
+	mediaType, canonical, err := mfst.Payload()
+	if err != nil {
+		return ocispec.Descriptor{}, err
+	}
+	desc := ocispec.Descriptor{
+		Digest:    digest.FromBytes(canonical),
+		Size:      int64(len(canonical)),
+		MediaType: mediaType,
+	}
+
+	// If pull by digest, then verify the manifest digest.
+	if digested, isDigested := ref.(reference.Canonical); isDigested {
+		if digested.Digest() != desc.Digest {
+			err := fmt.Errorf("manifest verification failed for digest %s", digested.Digest())
+			return ocispec.Descriptor{}, err
+		}
+	}
+
+	return desc, nil
+}
+
+// pullManifestList handles "manifest lists" which point to various
+// platform-specific manifests.
+func pullManifestList(ctx context.Context, ref reference.Named, repo distribution.Repository, mfstList manifestlist.DeserializedManifestList) ([]types.ImageManifest, error) {
+	infos := []types.ImageManifest{}
+
+	if _, err := validateManifestDigest(ref, mfstList); err != nil {
+		return nil, err
+	}
+
+	for _, manifestDescriptor := range mfstList.Manifests {
+		manSvc, err := repo.Manifests(ctx)
+		if err != nil {
+			return nil, err
+		}
+		manifest, err := manSvc.Get(ctx, manifestDescriptor.Digest)
+		if err != nil {
+			return nil, err
+		}
+		v, ok := manifest.(*schema2.DeserializedManifest)
+		if !ok {
+			return nil, fmt.Errorf("unsupported manifest format: %v", v)
+		}
+
+		manifestRef, err := reference.WithDigest(ref, manifestDescriptor.Digest)
+		if err != nil {
+			return nil, err
+		}
+		imageManifest, err := pullManifestSchemaV2(ctx, manifestRef, repo, *v)
+		if err != nil {
+			return nil, err
+		}
+
+		// Replace platform from config
+		imageManifest.Descriptor.Platform = types.OCIPlatform(&manifestDescriptor.Platform)
+
+		infos = append(infos, imageManifest)
+	}
+	return infos, nil
+}
+
+func continueOnError(err error) bool {
+	switch v := err.(type) {
+	case errcode.Errors:
+		if len(v) == 0 {
+			return true
+		}
+		return continueOnError(v[0])
+	case errcode.Error:
+		e := err.(errcode.Error)
+		switch e.Code {
+		case errcode.ErrorCodeUnauthorized, v2.ErrorCodeManifestUnknown, v2.ErrorCodeNameUnknown:
+			return true
+		}
+		return false
+	case *distclient.UnexpectedHTTPResponseError:
+		return true
+	}
+	return false
+}
+
+func (c *client) iterateEndpoints(ctx context.Context, namedRef reference.Named, each func(context.Context, distribution.Repository, reference.Named) (bool, error)) error {
+	endpoints, err := allEndpoints(namedRef)
+	if err != nil {
+		return err
+	}
+
+	repoInfo, err := registry.ParseRepositoryInfo(namedRef)
+	if err != nil {
+		return err
+	}
+
+	confirmedTLSRegistries := make(map[string]bool)
+	for _, endpoint := range endpoints {
+
+		if endpoint.Version == registry.APIVersion1 {
+			logrus.Debugf("skipping v1 endpoint %s", endpoint.URL)
+			continue
+		}
+
+		if endpoint.URL.Scheme != "https" {
+			if _, confirmedTLS := confirmedTLSRegistries[endpoint.URL.Host]; confirmedTLS {
+				logrus.Debugf("skipping non-TLS endpoint %s for host/port that appears to use TLS", endpoint.URL)
+				continue
+			}
+		}
+
+		if c.insecureRegistry {
+			endpoint.TLSConfig.InsecureSkipVerify = true
+		}
+		repoEndpoint := repositoryEndpoint{endpoint: endpoint, info: repoInfo}
+		repo, err := c.getRepositoryForReference(ctx, namedRef, repoEndpoint)
+		if err != nil {
+			logrus.Debugf("error with repo endpoint %s: %s", repoEndpoint, err)
+			if _, ok := err.(ErrHTTPProto); ok {
+				continue
+			}
+			return err
+		}
+
+		if endpoint.URL.Scheme == "http" && !c.insecureRegistry {
+			logrus.Debugf("skipping non-tls registry endpoint: %s", endpoint.URL)
+			continue
+		}
+		done, err := each(ctx, repo, namedRef)
+		if err != nil {
+			if continueOnError(err) {
+				if endpoint.URL.Scheme == "https" {
+					confirmedTLSRegistries[endpoint.URL.Host] = true
+				}
+				logrus.Debugf("continuing on error (%T) %s", err, err)
+				continue
+			}
+			logrus.Debugf("not continuing on error (%T) %s", err, err)
+			return err
+		}
+		if done {
+			return nil
+		}
+	}
+	return newNotFoundError(namedRef.String())
+}
+
+// allEndpoints returns a list of endpoints ordered by priority (v2, https, v1).
+func allEndpoints(namedRef reference.Named) ([]registry.APIEndpoint, error) {
+	repoInfo, err := registry.ParseRepositoryInfo(namedRef)
+	if err != nil {
+		return nil, err
+	}
+	registryService, err := registry.NewService(registry.ServiceOptions{})
+	if err != nil {
+		return []registry.APIEndpoint{}, err
+	}
+	endpoints, err := registryService.LookupPullEndpoints(reference.Domain(repoInfo.Name))
+	logrus.Debugf("endpoints for %s: %v", namedRef, endpoints)
+	return endpoints, err
+}
+
+type notFoundError struct {
+	object string
+}
+
+func newNotFoundError(ref string) *notFoundError {
+	return &notFoundError{object: ref}
+}
+
+func (n *notFoundError) Error() string {
+	return fmt.Sprintf("no such manifest: %s", n.object)
+}
+
+// NotFound interface
+func (n *notFoundError) NotFound() {}
+
+// IsNotFound returns true if the error is a not found error
+func IsNotFound(err error) bool {
+	_, ok := err.(notFound)
+	return ok
+}
+
+type notFound interface {
+	NotFound()
+}
diff --git a/cli/cli/required.go b/cli/cli/required.go
new file mode 100644
index 00000000..33a46735
--- /dev/null
+++ b/cli/cli/required.go
@@ -0,0 +1,107 @@
+package cli
+
+import (
+	"strings"
+
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+// NoArgs validates args and returns an error if there are any args
+func NoArgs(cmd *cobra.Command, args []string) error {
+	if len(args) == 0 {
+		return nil
+	}
+
+	if cmd.HasSubCommands() {
+		return errors.Errorf("\n" + strings.TrimRight(cmd.UsageString(), "\n"))
+	}
+
+	return errors.Errorf(
+		"%q accepts no arguments.\nSee '%s --help'.\n\nUsage:  %s\n\n%s",
+		cmd.CommandPath(),
+		cmd.CommandPath(),
+		cmd.UseLine(),
+		cmd.Short,
+	)
+}
+
+// RequiresMinArgs returns an error if there is not at least min args
+func RequiresMinArgs(min int) cobra.PositionalArgs {
+	return func(cmd *cobra.Command, args []string) error {
+		if len(args) >= min {
+			return nil
+		}
+		return errors.Errorf(
+			"%q requires at least %d %s.\nSee '%s --help'.\n\nUsage:  %s\n\n%s",
+			cmd.CommandPath(),
+			min,
+			pluralize("argument", min),
+			cmd.CommandPath(),
+			cmd.UseLine(),
+			cmd.Short,
+		)
+	}
+}
+
+// RequiresMaxArgs returns an error if there is not at most max args
+func RequiresMaxArgs(max int) cobra.PositionalArgs {
+	return func(cmd *cobra.Command, args []string) error {
+		if len(args) <= max {
+			return nil
+		}
+		return errors.Errorf(
+			"%q requires at most %d %s.\nSee '%s --help'.\n\nUsage:  %s\n\n%s",
+			cmd.CommandPath(),
+			max,
+			pluralize("argument", max),
+			cmd.CommandPath(),
+			cmd.UseLine(),
+			cmd.Short,
+		)
+	}
+}
+
+// RequiresRangeArgs returns an error if there is not at least min args and at most max args
+func RequiresRangeArgs(min int, max int) cobra.PositionalArgs {
+	return func(cmd *cobra.Command, args []string) error {
+		if len(args) >= min && len(args) <= max {
+			return nil
+		}
+		return errors.Errorf(
+			"%q requires at least %d and at most %d %s.\nSee '%s --help'.\n\nUsage:  %s\n\n%s",
+			cmd.CommandPath(),
+			min,
+			max,
+			pluralize("argument", max),
+			cmd.CommandPath(),
+			cmd.UseLine(),
+			cmd.Short,
+		)
+	}
+}
+
+// ExactArgs returns an error if there is not the exact number of args
+func ExactArgs(number int) cobra.PositionalArgs {
+	return func(cmd *cobra.Command, args []string) error {
+		if len(args) == number {
+			return nil
+		}
+		return errors.Errorf(
+			"%q requires exactly %d %s.\nSee '%s --help'.\n\nUsage:  %s\n\n%s",
+			cmd.CommandPath(),
+			number,
+			pluralize("argument", number),
+			cmd.CommandPath(),
+			cmd.UseLine(),
+			cmd.Short,
+		)
+	}
+}
+
+func pluralize(word string, number int) string {
+	if number == 1 {
+		return word
+	}
+	return word + "s"
+}
diff --git a/cli/cli/required_test.go b/cli/cli/required_test.go
new file mode 100644
index 00000000..df3e9a46
--- /dev/null
+++ b/cli/cli/required_test.go
@@ -0,0 +1,138 @@
+package cli
+
+import (
+	"errors"
+	"io/ioutil"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"gotest.tools/assert"
+)
+
+func TestRequiresNoArgs(t *testing.T) {
+	testCases := []testCase{
+		{
+			validateFunc:  NoArgs,
+			expectedError: "no error",
+		},
+		{
+			args:          []string{"foo"},
+			validateFunc:  NoArgs,
+			expectedError: "accepts no arguments.",
+		},
+	}
+	runTestCases(t, testCases)
+}
+
+func TestRequiresMinArgs(t *testing.T) {
+	testCases := []testCase{
+		{
+			validateFunc:  RequiresMinArgs(0),
+			expectedError: "no error",
+		},
+		{
+			validateFunc:  RequiresMinArgs(1),
+			expectedError: "at least 1 argument.",
+		},
+		{
+			args:          []string{"foo"},
+			validateFunc:  RequiresMinArgs(2),
+			expectedError: "at least 2 arguments.",
+		},
+	}
+	runTestCases(t, testCases)
+}
+
+func TestRequiresMaxArgs(t *testing.T) {
+	testCases := []testCase{
+		{
+			validateFunc:  RequiresMaxArgs(0),
+			expectedError: "no error",
+		},
+		{
+			args:          []string{"foo", "bar"},
+			validateFunc:  RequiresMaxArgs(1),
+			expectedError: "at most 1 argument.",
+		},
+		{
+			args:          []string{"foo", "bar", "baz"},
+			validateFunc:  RequiresMaxArgs(2),
+			expectedError: "at most 2 arguments.",
+		},
+	}
+	runTestCases(t, testCases)
+}
+
+func TestRequiresRangeArgs(t *testing.T) {
+	testCases := []testCase{
+		{
+			validateFunc:  RequiresRangeArgs(0, 0),
+			expectedError: "no error",
+		},
+		{
+			validateFunc:  RequiresRangeArgs(0, 1),
+			expectedError: "no error",
+		},
+		{
+			args:          []string{"foo", "bar"},
+			validateFunc:  RequiresRangeArgs(0, 1),
+			expectedError: "at most 1 argument.",
+		},
+		{
+			args:          []string{"foo", "bar", "baz"},
+			validateFunc:  RequiresRangeArgs(0, 2),
+			expectedError: "at most 2 arguments.",
+		},
+		{
+			validateFunc:  RequiresRangeArgs(1, 2),
+			expectedError: "at least 1 ",
+		},
+	}
+	runTestCases(t, testCases)
+}
+
+func TestExactArgs(t *testing.T) {
+	testCases := []testCase{
+		{
+			validateFunc:  ExactArgs(0),
+			expectedError: "no error",
+		},
+		{
+			validateFunc:  ExactArgs(1),
+			expectedError: "exactly 1 argument.",
+		},
+		{
+			validateFunc:  ExactArgs(2),
+			expectedError: "exactly 2 arguments.",
+		},
+	}
+	runTestCases(t, testCases)
+}
+
+type testCase struct {
+	args          []string
+	validateFunc  cobra.PositionalArgs
+	expectedError string
+}
+
+func runTestCases(t *testing.T, testCases []testCase) {
+	for _, tc := range testCases {
+		cmd := newDummyCommand(tc.validateFunc)
+		cmd.SetArgs(tc.args)
+		cmd.SetOutput(ioutil.Discard)
+
+		err := cmd.Execute()
+		assert.ErrorContains(t, err, tc.expectedError)
+	}
+}
+
+func newDummyCommand(validationFunc cobra.PositionalArgs) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:  "dummy",
+		Args: validationFunc,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return errors.New("no error")
+		},
+	}
+	return cmd
+}
diff --git a/cli/cli/trust/trust.go b/cli/cli/trust/trust.go
new file mode 100644
index 00000000..df11227e
--- /dev/null
+++ b/cli/cli/trust/trust.go
@@ -0,0 +1,388 @@
+package trust
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+	"time"
+
+	cliconfig "github.com/docker/cli/cli/config"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/distribution/registry/client/auth/challenge"
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/registry"
+	"github.com/docker/go-connections/tlsconfig"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/theupdateframework/notary"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/passphrase"
+	"github.com/theupdateframework/notary/storage"
+	"github.com/theupdateframework/notary/trustmanager"
+	"github.com/theupdateframework/notary/trustpinning"
+	"github.com/theupdateframework/notary/tuf/data"
+	"github.com/theupdateframework/notary/tuf/signed"
+)
+
+var (
+	// ReleasesRole is the role named "releases"
+	ReleasesRole = data.RoleName(path.Join(data.CanonicalTargetsRole.String(), "releases"))
+	// ActionsPullOnly defines the actions for read-only interactions with a Notary Repository
+	ActionsPullOnly = []string{"pull"}
+	// ActionsPushAndPull defines the actions for read-write interactions with a Notary Repository
+	ActionsPushAndPull = []string{"pull", "push"}
+	// NotaryServer is the endpoint serving the Notary trust server
+	NotaryServer = "https://notary.docker.io"
+)
+
+// GetTrustDirectory returns the base trust directory name
+func GetTrustDirectory() string {
+	return filepath.Join(cliconfig.Dir(), "trust")
+}
+
+// certificateDirectory returns the directory containing
+// TLS certificates for the given server. An error is
+// returned if there was an error parsing the server string.
+func certificateDirectory(server string) (string, error) {
+	u, err := url.Parse(server)
+	if err != nil {
+		return "", err
+	}
+
+	return filepath.Join(cliconfig.Dir(), "tls", u.Host), nil
+}
+
+// Server returns the base URL for the trust server.
+func Server(index *registrytypes.IndexInfo) (string, error) {
+	if s := os.Getenv("DOCKER_CONTENT_TRUST_SERVER"); s != "" {
+		urlObj, err := url.Parse(s)
+		if err != nil || urlObj.Scheme != "https" {
+			return "", errors.Errorf("valid https URL required for trust server, got %s", s)
+		}
+
+		return s, nil
+	}
+	if index.Official {
+		return NotaryServer, nil
+	}
+	return "https://" + index.Name, nil
+}
+
+type simpleCredentialStore struct {
+	auth types.AuthConfig
+}
+
+func (scs simpleCredentialStore) Basic(u *url.URL) (string, string) {
+	return scs.auth.Username, scs.auth.Password
+}
+
+func (scs simpleCredentialStore) RefreshToken(u *url.URL, service string) string {
+	return scs.auth.IdentityToken
+}
+
+func (scs simpleCredentialStore) SetRefreshToken(*url.URL, string, string) {
+}
+
+// GetNotaryRepository returns a NotaryRepository which stores all the
+// information needed to operate on a notary repository.
+// It creates an HTTP transport providing authentication support.
+func GetNotaryRepository(in io.Reader, out io.Writer, userAgent string, repoInfo *registry.RepositoryInfo, authConfig *types.AuthConfig, actions ...string) (client.Repository, error) {
+	server, err := Server(repoInfo.Index)
+	if err != nil {
+		return nil, err
+	}
+
+	var cfg = tlsconfig.ClientDefault()
+	cfg.InsecureSkipVerify = !repoInfo.Index.Secure
+
+	// Get certificate base directory
+	certDir, err := certificateDirectory(server)
+	if err != nil {
+		return nil, err
+	}
+	logrus.Debugf("reading certificate directory: %s", certDir)
+
+	if err := registry.ReadCertsDirectory(cfg, certDir); err != nil {
+		return nil, err
+	}
+
+	base := &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		Dial: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).Dial,
+		TLSHandshakeTimeout: 10 * time.Second,
+		TLSClientConfig:     cfg,
+		DisableKeepAlives:   true,
+	}
+
+	// Skip configuration headers since request is not going to Docker daemon
+	modifiers := registry.Headers(userAgent, http.Header{})
+	authTransport := transport.NewTransport(base, modifiers...)
+	pingClient := &http.Client{
+		Transport: authTransport,
+		Timeout:   5 * time.Second,
+	}
+	endpointStr := server + "/v2/"
+	req, err := http.NewRequest("GET", endpointStr, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	challengeManager := challenge.NewSimpleManager()
+
+	resp, err := pingClient.Do(req)
+	if err != nil {
+		// Ignore error on ping to operate in offline mode
+		logrus.Debugf("Error pinging notary server %q: %s", endpointStr, err)
+	} else {
+		defer resp.Body.Close()
+
+		// Add response to the challenge manager to parse out
+		// authentication header and register authentication method
+		if err := challengeManager.AddResponse(resp); err != nil {
+			return nil, err
+		}
+	}
+
+	scope := auth.RepositoryScope{
+		Repository: repoInfo.Name.Name(),
+		Actions:    actions,
+		Class:      repoInfo.Class,
+	}
+	creds := simpleCredentialStore{auth: *authConfig}
+	tokenHandlerOptions := auth.TokenHandlerOptions{
+		Transport:   authTransport,
+		Credentials: creds,
+		Scopes:      []auth.Scope{scope},
+		ClientID:    registry.AuthClientID,
+	}
+	tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions)
+	basicHandler := auth.NewBasicHandler(creds)
+	modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
+	tr := transport.NewTransport(base, modifiers...)
+
+	return client.NewFileCachedRepository(
+		GetTrustDirectory(),
+		data.GUN(repoInfo.Name.Name()),
+		server,
+		tr,
+		GetPassphraseRetriever(in, out),
+		trustpinning.TrustPinConfig{})
+}
+
+// GetPassphraseRetriever returns a passphrase retriever that utilizes Content Trust env vars
+func GetPassphraseRetriever(in io.Reader, out io.Writer) notary.PassRetriever {
+	aliasMap := map[string]string{
+		"root":     "root",
+		"snapshot": "repository",
+		"targets":  "repository",
+		"default":  "repository",
+	}
+	baseRetriever := passphrase.PromptRetrieverWithInOut(in, out, aliasMap)
+	env := map[string]string{
+		"root":     os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"),
+		"snapshot": os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
+		"targets":  os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
+		"default":  os.Getenv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"),
+	}
+
+	return func(keyName string, alias string, createNew bool, numAttempts int) (string, bool, error) {
+		if v := env[alias]; v != "" {
+			return v, numAttempts > 1, nil
+		}
+		// For non-root roles, we can also try the "default" alias if it is specified
+		if v := env["default"]; v != "" && alias != data.CanonicalRootRole.String() {
+			return v, numAttempts > 1, nil
+		}
+		return baseRetriever(keyName, alias, createNew, numAttempts)
+	}
+}
+
+// NotaryError formats an error message received from the notary service
+func NotaryError(repoName string, err error) error {
+	switch err.(type) {
+	case *json.SyntaxError:
+		logrus.Debugf("Notary syntax error: %s", err)
+		return errors.Errorf("Error: no trust data available for remote repository %s. Try running notary server and setting DOCKER_CONTENT_TRUST_SERVER to its HTTPS address?", repoName)
+	case signed.ErrExpired:
+		return errors.Errorf("Error: remote repository %s out-of-date: %v", repoName, err)
+	case trustmanager.ErrKeyNotFound:
+		return errors.Errorf("Error: signing keys for remote repository %s not found: %v", repoName, err)
+	case storage.NetworkError:
+		return errors.Errorf("Error: error contacting notary server: %v", err)
+	case storage.ErrMetaNotFound:
+		return errors.Errorf("Error: trust data missing for remote repository %s or remote repository not found: %v", repoName, err)
+	case trustpinning.ErrRootRotationFail, trustpinning.ErrValidationFail, signed.ErrInvalidKeyType:
+		return errors.Errorf("Warning: potential malicious behavior - trust data mismatch for remote repository %s: %v", repoName, err)
+	case signed.ErrNoKeys:
+		return errors.Errorf("Error: could not find signing keys for remote repository %s, or could not decrypt signing key: %v", repoName, err)
+	case signed.ErrLowVersion:
+		return errors.Errorf("Warning: potential malicious behavior - trust data version is lower than expected for remote repository %s: %v", repoName, err)
+	case signed.ErrRoleThreshold:
+		return errors.Errorf("Warning: potential malicious behavior - trust data has insufficient signatures for remote repository %s: %v", repoName, err)
+	case client.ErrRepositoryNotExist:
+		return errors.Errorf("Error: remote trust data does not exist for %s: %v", repoName, err)
+	case signed.ErrInsufficientSignatures:
+		return errors.Errorf("Error: could not produce valid signature for %s.  If Yubikey was used, was touch input provided?: %v", repoName, err)
+	}
+
+	return err
+}
+
+// GetSignableRoles returns a list of roles for which we have valid signing
+// keys, given a notary repository and a target
+func GetSignableRoles(repo client.Repository, target *client.Target) ([]data.RoleName, error) {
+	var signableRoles []data.RoleName
+
+	// translate the full key names, which includes the GUN, into just the key IDs
+	allCanonicalKeyIDs := make(map[string]struct{})
+	for fullKeyID := range repo.GetCryptoService().ListAllKeys() {
+		allCanonicalKeyIDs[path.Base(fullKeyID)] = struct{}{}
+	}
+
+	allDelegationRoles, err := repo.GetDelegationRoles()
+	if err != nil {
+		return signableRoles, err
+	}
+
+	// if there are no delegation roles, then just try to sign it into the targets role
+	if len(allDelegationRoles) == 0 {
+		signableRoles = append(signableRoles, data.CanonicalTargetsRole)
+		return signableRoles, nil
+	}
+
+	// there are delegation roles, find every delegation role we have a key for, and
+	// attempt to sign into into all those roles.
+	for _, delegationRole := range allDelegationRoles {
+		// We do not support signing any delegation role that isn't a direct child of the targets role.
+		// Also don't bother checking the keys if we can't add the target
+		// to this role due to path restrictions
+		if path.Dir(delegationRole.Name.String()) != data.CanonicalTargetsRole.String() || !delegationRole.CheckPaths(target.Name) {
+			continue
+		}
+
+		for _, canonicalKeyID := range delegationRole.KeyIDs {
+			if _, ok := allCanonicalKeyIDs[canonicalKeyID]; ok {
+				signableRoles = append(signableRoles, delegationRole.Name)
+				break
+			}
+		}
+	}
+
+	if len(signableRoles) == 0 {
+		return signableRoles, errors.Errorf("no valid signing keys for delegation roles")
+	}
+
+	return signableRoles, nil
+
+}
+
+// ImageRefAndAuth contains all reference information and the auth config for an image request
+type ImageRefAndAuth struct {
+	original   string
+	authConfig *types.AuthConfig
+	reference  reference.Named
+	repoInfo   *registry.RepositoryInfo
+	tag        string
+	digest     digest.Digest
+}
+
+// GetImageReferencesAndAuth retrieves the necessary reference and auth information for an image name
+// as an ImageRefAndAuth struct
+func GetImageReferencesAndAuth(ctx context.Context, rs registry.Service,
+	authResolver func(ctx context.Context, index *registrytypes.IndexInfo) types.AuthConfig,
+	imgName string,
+) (ImageRefAndAuth, error) {
+	ref, err := reference.ParseNormalizedNamed(imgName)
+	if err != nil {
+		return ImageRefAndAuth{}, err
+	}
+
+	// Resolve the Repository name from fqn to RepositoryInfo
+	var repoInfo *registry.RepositoryInfo
+	if rs != nil {
+		repoInfo, err = rs.ResolveRepository(ref)
+	} else {
+		repoInfo, err = registry.ParseRepositoryInfo(ref)
+	}
+
+	if err != nil {
+		return ImageRefAndAuth{}, err
+	}
+
+	authConfig := authResolver(ctx, repoInfo.Index)
+	return ImageRefAndAuth{
+		original:   imgName,
+		authConfig: &authConfig,
+		reference:  ref,
+		repoInfo:   repoInfo,
+		tag:        getTag(ref),
+		digest:     getDigest(ref),
+	}, nil
+}
+
+func getTag(ref reference.Named) string {
+	switch x := ref.(type) {
+	case reference.Canonical, reference.Digested:
+		return ""
+	case reference.NamedTagged:
+		return x.Tag()
+	default:
+		return ""
+	}
+}
+
+func getDigest(ref reference.Named) digest.Digest {
+	switch x := ref.(type) {
+	case reference.Canonical:
+		return x.Digest()
+	case reference.Digested:
+		return x.Digest()
+	default:
+		return digest.Digest("")
+	}
+}
+
+// AuthConfig returns the auth information (username, etc) for a given ImageRefAndAuth
+func (imgRefAuth *ImageRefAndAuth) AuthConfig() *types.AuthConfig {
+	return imgRefAuth.authConfig
+}
+
+// Reference returns the Image reference for a given ImageRefAndAuth
+func (imgRefAuth *ImageRefAndAuth) Reference() reference.Named {
+	return imgRefAuth.reference
+}
+
+// RepoInfo returns the repository information for a given ImageRefAndAuth
+func (imgRefAuth *ImageRefAndAuth) RepoInfo() *registry.RepositoryInfo {
+	return imgRefAuth.repoInfo
+}
+
+// Tag returns the Image tag for a given ImageRefAndAuth
+func (imgRefAuth *ImageRefAndAuth) Tag() string {
+	return imgRefAuth.tag
+}
+
+// Digest returns the Image digest for a given ImageRefAndAuth
+func (imgRefAuth *ImageRefAndAuth) Digest() digest.Digest {
+	return imgRefAuth.digest
+}
+
+// Name returns the image name used to initialize the ImageRefAndAuth
+func (imgRefAuth *ImageRefAndAuth) Name() string {
+	return imgRefAuth.original
+
+}
diff --git a/cli/cli/trust/trust_test.go b/cli/cli/trust/trust_test.go
new file mode 100644
index 00000000..b49b7ca8
--- /dev/null
+++ b/cli/cli/trust/trust_test.go
@@ -0,0 +1,61 @@
+package trust
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/distribution/reference"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/passphrase"
+	"github.com/theupdateframework/notary/trustpinning"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestGetTag(t *testing.T) {
+	ref, err := reference.ParseNormalizedNamed("ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2")
+	assert.NilError(t, err)
+	tag := getTag(ref)
+	assert.Check(t, is.Equal("", tag))
+
+	ref, err = reference.ParseNormalizedNamed("alpine:latest")
+	assert.NilError(t, err)
+	tag = getTag(ref)
+	assert.Check(t, is.Equal(tag, "latest"))
+
+	ref, err = reference.ParseNormalizedNamed("alpine")
+	assert.NilError(t, err)
+	tag = getTag(ref)
+	assert.Check(t, is.Equal(tag, ""))
+}
+
+func TestGetDigest(t *testing.T) {
+	ref, err := reference.ParseNormalizedNamed("ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2")
+	assert.NilError(t, err)
+	d := getDigest(ref)
+	assert.Check(t, is.Equal(digest.Digest("sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2"), d))
+
+	ref, err = reference.ParseNormalizedNamed("alpine:latest")
+	assert.NilError(t, err)
+	d = getDigest(ref)
+	assert.Check(t, is.Equal(digest.Digest(""), d))
+
+	ref, err = reference.ParseNormalizedNamed("alpine")
+	assert.NilError(t, err)
+	d = getDigest(ref)
+	assert.Check(t, is.Equal(digest.Digest(""), d))
+}
+
+func TestGetSignableRolesError(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "notary-test-")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	notaryRepo, err := client.NewFileCachedRepository(tmpDir, "gun", "https://localhost", nil, passphrase.ConstantRetriever("password"), trustpinning.TrustPinConfig{})
+	assert.NilError(t, err)
+	target := client.Target{}
+	_, err = GetSignableRoles(notaryRepo, &target)
+	assert.Error(t, err, "client is offline")
+}
diff --git a/cli/cli/version.go b/cli/cli/version.go
new file mode 100644
index 00000000..c4120b95
--- /dev/null
+++ b/cli/cli/version.go
@@ -0,0 +1,10 @@
+package cli
+
+// Default build-time variable.
+// These values are overridden via ldflags
+var (
+	PlatformName = ""
+	Version      = "unknown-version"
+	GitCommit    = "unknown-commit"
+	BuildTime    = "unknown-buildtime"
+)
diff --git a/cli/cli/winresources/res_windows.go b/cli/cli/winresources/res_windows.go
new file mode 100644
index 00000000..3f755cc4
--- /dev/null
+++ b/cli/cli/winresources/res_windows.go
@@ -0,0 +1,18 @@
+/*Package winresources is used to embed Windows resources into docker.exe.
+These resources are used to provide
+
+    * Version information
+    * An icon
+    * A Windows manifest declaring Windows version support
+
+The resource object files are generated with go generate.
+The resource source files are located in scripts/winresources.
+This occurs automatically when you run scripts/build/windows.
+
+These object files are picked up automatically by go build when this package
+is included.
+
+*/
+package winresources
+
+//go:generate ../../scripts/gen/windows-resources
diff --git a/cli/cmd/docker/docker.go b/cli/cmd/docker/docker.go
new file mode 100644
index 00000000..badc1bcc
--- /dev/null
+++ b/cli/cmd/docker/docker.go
@@ -0,0 +1,378 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/docker/cli/cli"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/commands"
+	cliconfig "github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/debug"
+	cliflags "github.com/docker/cli/cli/flags"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/term"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+func newDockerCommand(dockerCli *command.DockerCli) *cobra.Command {
+	opts := cliflags.NewClientOptions()
+	var flags *pflag.FlagSet
+
+	cmd := &cobra.Command{
+		Use:              "docker [OPTIONS] COMMAND [ARG...]",
+		Short:            "A self-sufficient runtime for containers",
+		SilenceUsage:     true,
+		SilenceErrors:    true,
+		TraverseChildren: true,
+		Args:             noArgs,
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			// flags must be the top-level command flags, not cmd.Flags()
+			opts.Common.SetDefaultOptions(flags)
+			dockerPreRun(opts)
+			if err := dockerCli.Initialize(opts); err != nil {
+				return err
+			}
+			return isSupported(cmd, dockerCli)
+		},
+		Version:               fmt.Sprintf("%s, build %s", cli.Version, cli.GitCommit),
+		DisableFlagsInUseLine: true,
+	}
+	cli.SetupRootCommand(cmd)
+
+	flags = cmd.Flags()
+	flags.BoolP("version", "v", false, "Print version information and quit")
+	flags.StringVar(&opts.ConfigDir, "config", cliconfig.Dir(), "Location of client config files")
+	opts.Common.InstallFlags(flags)
+
+	setFlagErrorFunc(dockerCli, cmd, flags, opts)
+
+	setHelpFunc(dockerCli, cmd, flags, opts)
+
+	cmd.SetOutput(dockerCli.Out())
+	commands.AddCommands(cmd, dockerCli)
+
+	disableFlagsInUseLine(cmd)
+	setValidateArgs(dockerCli, cmd, flags, opts)
+
+	return cmd
+}
+
+func disableFlagsInUseLine(cmd *cobra.Command) {
+	visitAll(cmd, func(ccmd *cobra.Command) {
+		// do not add a `[flags]` to the end of the usage line.
+		ccmd.DisableFlagsInUseLine = true
+	})
+}
+
+func setFlagErrorFunc(dockerCli *command.DockerCli, cmd *cobra.Command, flags *pflag.FlagSet, opts *cliflags.ClientOptions) {
+	// When invoking `docker stack --nonsense`, we need to make sure FlagErrorFunc return appropriate
+	// output if the feature is not supported.
+	// As above cli.SetupRootCommand(cmd) have already setup the FlagErrorFunc, we will add a pre-check before the FlagErrorFunc
+	// is called.
+	flagErrorFunc := cmd.FlagErrorFunc()
+	cmd.SetFlagErrorFunc(func(cmd *cobra.Command, err error) error {
+		if err := initializeDockerCli(dockerCli, flags, opts); err != nil {
+			return err
+		}
+		if err := isSupported(cmd, dockerCli); err != nil {
+			return err
+		}
+		return flagErrorFunc(cmd, err)
+	})
+}
+
+func setHelpFunc(dockerCli *command.DockerCli, cmd *cobra.Command, flags *pflag.FlagSet, opts *cliflags.ClientOptions) {
+	defaultHelpFunc := cmd.HelpFunc()
+	cmd.SetHelpFunc(func(ccmd *cobra.Command, args []string) {
+		if err := initializeDockerCli(dockerCli, flags, opts); err != nil {
+			ccmd.Println(err)
+			return
+		}
+		if err := isSupported(ccmd, dockerCli); err != nil {
+			ccmd.Println(err)
+			return
+		}
+
+		hideUnsupportedFeatures(ccmd, dockerCli)
+		defaultHelpFunc(ccmd, args)
+	})
+}
+
+func setValidateArgs(dockerCli *command.DockerCli, cmd *cobra.Command, flags *pflag.FlagSet, opts *cliflags.ClientOptions) {
+	// The Args is handled by ValidateArgs in cobra, which does not allows a pre-hook.
+	// As a result, here we replace the existing Args validation func to a wrapper,
+	// where the wrapper will check to see if the feature is supported or not.
+	// The Args validation error will only be returned if the feature is supported.
+	visitAll(cmd, func(ccmd *cobra.Command) {
+		// if there is no tags for a command or any of its parent,
+		// there is no need to wrap the Args validation.
+		if !hasTags(ccmd) {
+			return
+		}
+
+		if ccmd.Args == nil {
+			return
+		}
+
+		cmdArgs := ccmd.Args
+		ccmd.Args = func(cmd *cobra.Command, args []string) error {
+			if err := initializeDockerCli(dockerCli, flags, opts); err != nil {
+				return err
+			}
+			if err := isSupported(cmd, dockerCli); err != nil {
+				return err
+			}
+			return cmdArgs(cmd, args)
+		}
+	})
+}
+
+func initializeDockerCli(dockerCli *command.DockerCli, flags *pflag.FlagSet, opts *cliflags.ClientOptions) error {
+	if dockerCli.Client() != nil {
+		return nil
+	}
+	// when using --help, PersistentPreRun is not called, so initialization is needed.
+	// flags must be the top-level command flags, not cmd.Flags()
+	opts.Common.SetDefaultOptions(flags)
+	dockerPreRun(opts)
+	return dockerCli.Initialize(opts)
+}
+
+// visitAll will traverse all commands from the root.
+// This is different from the VisitAll of cobra.Command where only parents
+// are checked.
+func visitAll(root *cobra.Command, fn func(*cobra.Command)) {
+	for _, cmd := range root.Commands() {
+		visitAll(cmd, fn)
+	}
+	fn(root)
+}
+
+func noArgs(cmd *cobra.Command, args []string) error {
+	if len(args) == 0 {
+		return nil
+	}
+	return fmt.Errorf(
+		"docker: '%s' is not a docker command.\nSee 'docker --help'", args[0])
+}
+
+func main() {
+	// Set terminal emulation based on platform as required.
+	stdin, stdout, stderr := term.StdStreams()
+	logrus.SetOutput(stderr)
+
+	dockerCli := command.NewDockerCli(stdin, stdout, stderr, contentTrustEnabled())
+	cmd := newDockerCommand(dockerCli)
+
+	if err := cmd.Execute(); err != nil {
+		if sterr, ok := err.(cli.StatusError); ok {
+			if sterr.Status != "" {
+				fmt.Fprintln(stderr, sterr.Status)
+			}
+			// StatusError should only be used for errors, and all errors should
+			// have a non-zero exit status, so never exit with 0
+			if sterr.StatusCode == 0 {
+				os.Exit(1)
+			}
+			os.Exit(sterr.StatusCode)
+		}
+		fmt.Fprintln(stderr, err)
+		os.Exit(1)
+	}
+}
+
+func contentTrustEnabled() bool {
+	if e := os.Getenv("DOCKER_CONTENT_TRUST"); e != "" {
+		if t, err := strconv.ParseBool(e); t || err != nil {
+			// treat any other value as true
+			return true
+		}
+	}
+	return false
+}
+
+func dockerPreRun(opts *cliflags.ClientOptions) {
+	cliflags.SetLogLevel(opts.Common.LogLevel)
+
+	if opts.ConfigDir != "" {
+		cliconfig.SetDir(opts.ConfigDir)
+	}
+
+	if opts.Common.Debug {
+		debug.Enable()
+	}
+}
+
+type versionDetails interface {
+	Client() client.APIClient
+	ClientInfo() command.ClientInfo
+	ServerInfo() command.ServerInfo
+}
+
+func hideFeatureFlag(f *pflag.Flag, hasFeature bool, annotation string) {
+	if hasFeature {
+		return
+	}
+	if _, ok := f.Annotations[annotation]; ok {
+		f.Hidden = true
+	}
+}
+
+func hideFeatureSubCommand(subcmd *cobra.Command, hasFeature bool, annotation string) {
+	if hasFeature {
+		return
+	}
+	if _, ok := subcmd.Annotations[annotation]; ok {
+		subcmd.Hidden = true
+	}
+}
+
+func hideUnsupportedFeatures(cmd *cobra.Command, details versionDetails) {
+	clientVersion := details.Client().ClientVersion()
+	osType := details.ServerInfo().OSType
+	hasExperimental := details.ServerInfo().HasExperimental
+	hasExperimentalCLI := details.ClientInfo().HasExperimental
+
+	cmd.Flags().VisitAll(func(f *pflag.Flag) {
+		hideFeatureFlag(f, hasExperimental, "experimental")
+		hideFeatureFlag(f, hasExperimentalCLI, "experimentalCLI")
+		// hide flags not supported by the server
+		if !isOSTypeSupported(f, osType) || !isVersionSupported(f, clientVersion) {
+			f.Hidden = true
+		}
+		// root command shows all top-level flags
+		if cmd.Parent() != nil {
+			if commands, ok := f.Annotations["top-level"]; ok {
+				f.Hidden = !findCommand(cmd, commands)
+			}
+		}
+	})
+
+	for _, subcmd := range cmd.Commands() {
+		hideFeatureSubCommand(subcmd, hasExperimental, "experimental")
+		hideFeatureSubCommand(subcmd, hasExperimentalCLI, "experimentalCLI")
+		// hide subcommands not supported by the server
+		if subcmdVersion, ok := subcmd.Annotations["version"]; ok && versions.LessThan(clientVersion, subcmdVersion) {
+			subcmd.Hidden = true
+		}
+		if v, ok := subcmd.Annotations["ostype"]; ok && v != osType {
+			subcmd.Hidden = true
+		}
+	}
+}
+
+// Checks if a command or one of its ancestors is in the list
+func findCommand(cmd *cobra.Command, commands []string) bool {
+	if cmd == nil {
+		return false
+	}
+	for _, c := range commands {
+		if c == cmd.Name() {
+			return true
+		}
+	}
+	return findCommand(cmd.Parent(), commands)
+}
+
+func isSupported(cmd *cobra.Command, details versionDetails) error {
+	if err := areSubcommandsSupported(cmd, details); err != nil {
+		return err
+	}
+	return areFlagsSupported(cmd, details)
+}
+
+func areFlagsSupported(cmd *cobra.Command, details versionDetails) error {
+	clientVersion := details.Client().ClientVersion()
+	osType := details.ServerInfo().OSType
+	hasExperimental := details.ServerInfo().HasExperimental
+	hasExperimentalCLI := details.ClientInfo().HasExperimental
+
+	errs := []string{}
+
+	cmd.Flags().VisitAll(func(f *pflag.Flag) {
+		if f.Changed {
+			if !isVersionSupported(f, clientVersion) {
+				errs = append(errs, fmt.Sprintf("\"--%s\" requires API version %s, but the Docker daemon API version is %s", f.Name, getFlagAnnotation(f, "version"), clientVersion))
+				return
+			}
+			if !isOSTypeSupported(f, osType) {
+				errs = append(errs, fmt.Sprintf("\"--%s\" is only supported on a Docker daemon running on %s, but the Docker daemon is running on %s", f.Name, getFlagAnnotation(f, "ostype"), osType))
+				return
+			}
+			if _, ok := f.Annotations["experimental"]; ok && !hasExperimental {
+				errs = append(errs, fmt.Sprintf("\"--%s\" is only supported on a Docker daemon with experimental features enabled", f.Name))
+			}
+			if _, ok := f.Annotations["experimentalCLI"]; ok && !hasExperimentalCLI {
+				errs = append(errs, fmt.Sprintf("\"--%s\" is on a Docker cli with experimental cli features enabled", f.Name))
+			}
+		}
+	})
+	if len(errs) > 0 {
+		return errors.New(strings.Join(errs, "\n"))
+	}
+	return nil
+}
+
+// Check recursively so that, e.g., `docker stack ls` returns the same output as `docker stack`
+func areSubcommandsSupported(cmd *cobra.Command, details versionDetails) error {
+	clientVersion := details.Client().ClientVersion()
+	osType := details.ServerInfo().OSType
+	hasExperimental := details.ServerInfo().HasExperimental
+	hasExperimentalCLI := details.ClientInfo().HasExperimental
+
+	// Check recursively so that, e.g., `docker stack ls` returns the same output as `docker stack`
+	for curr := cmd; curr != nil; curr = curr.Parent() {
+		if cmdVersion, ok := curr.Annotations["version"]; ok && versions.LessThan(clientVersion, cmdVersion) {
+			return fmt.Errorf("%s requires API version %s, but the Docker daemon API version is %s", cmd.CommandPath(), cmdVersion, clientVersion)
+		}
+		if os, ok := curr.Annotations["ostype"]; ok && os != osType {
+			return fmt.Errorf("%s is only supported on a Docker daemon running on %s, but the Docker daemon is running on %s", cmd.CommandPath(), os, osType)
+		}
+		if _, ok := curr.Annotations["experimental"]; ok && !hasExperimental {
+			return fmt.Errorf("%s is only supported on a Docker daemon with experimental features enabled", cmd.CommandPath())
+		}
+		if _, ok := curr.Annotations["experimentalCLI"]; ok && !hasExperimentalCLI {
+			return fmt.Errorf("%s is only supported on a Docker cli with experimental cli features enabled", cmd.CommandPath())
+		}
+	}
+	return nil
+}
+
+func getFlagAnnotation(f *pflag.Flag, annotation string) string {
+	if value, ok := f.Annotations[annotation]; ok && len(value) == 1 {
+		return value[0]
+	}
+	return ""
+}
+
+func isVersionSupported(f *pflag.Flag, clientVersion string) bool {
+	if v := getFlagAnnotation(f, "version"); v != "" {
+		return versions.GreaterThanOrEqualTo(clientVersion, v)
+	}
+	return true
+}
+
+func isOSTypeSupported(f *pflag.Flag, osType string) bool {
+	if v := getFlagAnnotation(f, "ostype"); v != "" && osType != "" {
+		return osType == v
+	}
+	return true
+}
+
+// hasTags return true if any of the command's parents has tags
+func hasTags(cmd *cobra.Command) bool {
+	for curr := cmd; curr != nil; curr = curr.Parent() {
+		if len(curr.Annotations) > 0 {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/cli/cmd/docker/docker_test.go b/cli/cmd/docker/docker_test.go
new file mode 100644
index 00000000..92a94668
--- /dev/null
+++ b/cli/cmd/docker/docker_test.go
@@ -0,0 +1,33 @@
+package main
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/debug"
+	"github.com/sirupsen/logrus"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestClientDebugEnabled(t *testing.T) {
+	defer debug.Disable()
+
+	cmd := newDockerCommand(&command.DockerCli{})
+	cmd.Flags().Set("debug", "true")
+
+	err := cmd.PersistentPreRunE(cmd, []string{})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("1", os.Getenv("DEBUG")))
+	assert.Check(t, is.Equal(logrus.DebugLevel, logrus.GetLevel()))
+}
+
+func TestExitStatusForInvalidSubcommandWithHelpFlag(t *testing.T) {
+	discard := ioutil.Discard
+	cmd := newDockerCommand(command.NewDockerCli(os.Stdin, discard, discard, false))
+	cmd.SetArgs([]string{"help", "invalid"})
+	err := cmd.Execute()
+	assert.Error(t, err, "unknown help topic: invalid")
+}
diff --git a/cli/cmd/docker/docker_windows.go b/cli/cmd/docker/docker_windows.go
new file mode 100644
index 00000000..88ac4994
--- /dev/null
+++ b/cli/cmd/docker/docker_windows.go
@@ -0,0 +1,3 @@
+package main
+
+import _ "github.com/docker/cli/cli/winresources"
diff --git a/cli/codecov.yml b/cli/codecov.yml
new file mode 100644
index 00000000..f589c2ac
--- /dev/null
+++ b/cli/codecov.yml
@@ -0,0 +1,22 @@
+comment:
+  layout: header, changes, diff, sunburst
+coverage:
+  status:
+    patch:
+      default:
+        target: 50%
+        only_pulls: true
+    # project will give us the diff in the total code coverage between a commit
+    # and its parent
+    project:
+      default:
+        target: auto
+        threshold: "15%"
+    changes: false
+ignore:
+  - "**/internal/test"
+  - "vendor/*"
+  - "cli/compose/schema/bindata.go"
+  - "cli/command/stack/kubernetes/api/openapi"
+  - "cli/command/stack/kubernetes/api/client"
+  - ".*generated.*"
\ No newline at end of file
diff --git a/cli/contrib/completion/bash/docker b/cli/contrib/completion/bash/docker
new file mode 100644
index 00000000..62fe36e9
--- /dev/null
+++ b/cli/contrib/completion/bash/docker
@@ -0,0 +1,5159 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2016,SC2119,SC2155
+#
+# Shellcheck ignore list:
+#  - SC2016: Expressions don't expand in single quotes, use double quotes for that.
+#  - SC2119: Use foo "$@" if function's $1 should mean script's $1.
+#  - SC2155: Declare and assign separately to avoid masking return values.
+# 
+# You can find more details for each warning at the following page: 
+#    https://github.com/koalaman/shellcheck/wiki/<SCXXXX>
+#
+# bash completion file for core docker commands
+#
+# This script provides completion of:
+#  - commands and their options
+#  - container ids and names
+#  - image repos and tags
+#  - filepaths
+#
+# To enable the completions either:
+#  - place this file in /etc/bash_completion.d
+#  or
+#  - copy this file to e.g. ~/.docker-completion.sh and add the line
+#    below to your .bashrc after bash completion features are loaded
+#    . ~/.docker-completion.sh
+#
+# Configuration:
+#
+# For several commands, the amount of completions can be configured by
+# setting environment variables.
+#
+# DOCKER_COMPLETION_SHOW_CONFIG_IDS
+# DOCKER_COMPLETION_SHOW_CONTAINER_IDS
+# DOCKER_COMPLETION_SHOW_NETWORK_IDS
+# DOCKER_COMPLETION_SHOW_NODE_IDS
+# DOCKER_COMPLETION_SHOW_PLUGIN_IDS
+# DOCKER_COMPLETION_SHOW_SECRET_IDS
+# DOCKER_COMPLETION_SHOW_SERVICE_IDS
+#   "no"  - Show names only (default)
+#   "yes" - Show names and ids
+#
+# You can tailor completion for the "events", "history", "inspect", "run",
+# "rmi" and "save" commands by settings the following environment
+# variables:
+#
+# DOCKER_COMPLETION_SHOW_IMAGE_IDS
+#   "none" - Show names only (default)
+#   "non-intermediate" - Show names and ids, but omit intermediate image IDs
+#   "all" - Show names and ids, including intermediate image IDs
+#
+# DOCKER_COMPLETION_SHOW_TAGS
+#   "yes" - include tags in completion options (default)
+#   "no"  - don't include tags in completion options
+
+#
+# Note:
+# Currently, the completions will not work if the docker daemon is not
+# bound to the default communication port/socket
+# If the docker daemon is using a unix socket for communication your user
+# must have access to the socket for the completions to function correctly
+#
+# Note for developers:
+# Please arrange options sorted alphabetically by long name with the short
+# options immediately following their corresponding long form.
+# This order should be applied to lists, alternatives and code blocks.
+
+__docker_previous_extglob_setting=$(shopt -p extglob)
+shopt -s extglob
+
+__docker_q() {
+	docker ${host:+-H "$host"} ${config:+--config "$config"} 2>/dev/null "$@"
+}
+
+# __docker_configs returns a list of configs. Additional options to
+# `docker config ls` may be specified in order to filter the list, e.g.
+# `__docker_configs --filter label=stage=production`.
+# By default, only names are returned.
+# Set DOCKER_COMPLETION_SHOW_CONFIG_IDS=yes to also complete IDs.
+# An optional first option `--id|--name` may be used to limit the
+# output to the IDs or names of matching items. This setting takes
+# precedence over the environment setting.
+__docker_configs() {
+	local format
+	if [ "$1" = "--id" ] ; then
+		format='{{.ID}}'
+		shift
+	elif [ "$1" = "--name" ] ; then
+		format='{{.Name}}'
+		shift
+	elif [ "$DOCKER_COMPLETION_SHOW_CONFIG_IDS" = yes ] ; then
+		format='{{.ID}} {{.Name}}'
+	else
+		format='{{.Name}}'
+	fi
+
+	__docker_q config ls --format "$format" "$@"
+}
+
+# __docker_complete_configs applies completion of configs based on the current value
+# of `$cur` or the value of the optional first option `--cur`, if given.
+__docker_complete_configs() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_configs "$@")" -- "$current") )
+}
+
+# __docker_containers returns a list of containers. Additional options to
+# `docker ps` may be specified in order to filter the list, e.g.
+# `__docker_containers --filter status=running`
+# By default, only names are returned.
+# Set DOCKER_COMPLETION_SHOW_CONTAINER_IDS=yes to also complete IDs.
+# An optional first option `--id|--name` may be used to limit the
+# output to the IDs or names of matching items. This setting takes
+# precedence over the environment setting.
+__docker_containers() {
+	local format
+	if [ "$1" = "--id" ] ; then
+		format='{{.ID}}'
+		shift
+	elif [ "$1" = "--name" ] ; then
+		format='{{.Names}}'
+		shift
+	elif [ "${DOCKER_COMPLETION_SHOW_CONTAINER_IDS}" = yes ] ; then
+		format='{{.ID}} {{.Names}}'
+	else
+		format='{{.Names}}'
+	fi
+	__docker_q ps --format "$format" "$@"
+}
+
+# __docker_complete_containers applies completion of containers based on the current
+# value of `$cur` or the value of the optional first option `--cur`, if given.
+# Additional filters may be appended, see `__docker_containers`.
+__docker_complete_containers() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_containers "$@")" -- "$current") )
+}
+
+__docker_complete_containers_all() {
+	__docker_complete_containers "$@" --all
+}
+
+# shellcheck disable=SC2120
+__docker_complete_containers_removable() {
+	__docker_complete_containers "$@" --filter status=created --filter status=exited
+}
+
+__docker_complete_containers_running() {
+	__docker_complete_containers "$@" --filter status=running
+}
+
+# shellcheck disable=SC2120
+__docker_complete_containers_stopped() {
+	__docker_complete_containers "$@" --filter status=exited
+}
+
+# shellcheck disable=SC2120
+__docker_complete_containers_unpauseable() {
+	__docker_complete_containers "$@" --filter status=paused
+}
+
+__docker_complete_container_names() {
+	local containers=( $(__docker_q ps -aq --no-trunc) )
+	local names=( $(__docker_q inspect --format '{{.Name}}' "${containers[@]}") )
+	names=( "${names[@]#/}" ) # trim off the leading "/" from the container names
+	COMPREPLY=( $(compgen -W "${names[*]}" -- "$cur") )
+}
+
+__docker_complete_container_ids() {
+	local containers=( $(__docker_q ps -aq) )
+	COMPREPLY=( $(compgen -W "${containers[*]}" -- "$cur") )
+}
+
+# __docker_images returns a list of images. For each image, up to three representations
+# can be generated: the repository (e.g. busybox), repository:tag (e.g. busybox:latest)
+# and the ID (e.g. sha256:ee22cbbd4ea3dff63c86ba60c7691287c321e93adfc1009604eb1dde7ec88645).
+#
+# The optional arguments `--repo`, `--tag` and `--id` select the representations that
+# may be returned. Whether or not a particular representation is actually returned
+# depends on the user's customization through several environment variables:
+# - image IDs are only shown if DOCKER_COMPLETION_SHOW_IMAGE_IDS=all|non-intermediate.
+# - tags can be excluded by setting DOCKER_COMPLETION_SHOW_TAGS=no.
+# - repositories are always shown.
+#
+# In cases where an exact image specification is needed, `--force-tag` can be used.
+# It ignores DOCKER_COMPLETION_SHOW_TAGS and only lists valid repository:tag combinations,
+# avoiding repository names that would default to a potentially missing default tag.
+#
+# Additional arguments to `docker image ls` may be specified in order to filter the list,
+# e.g. `__docker_images --filter dangling=true`.
+#
+__docker_images() {
+	local repo_format='{{.Repository}}'
+	local tag_format='{{.Repository}}:{{.Tag}}'
+	local id_format='{{.ID}}'
+	local all
+	local format
+
+	if [ "$DOCKER_COMPLETION_SHOW_IMAGE_IDS" = "all" ] ; then
+		all='--all'
+	fi
+
+	while true ; do
+		case "$1" in
+			--repo)
+				format+="$repo_format\n"
+				shift
+				;;
+			--tag)
+				if [ "${DOCKER_COMPLETION_SHOW_TAGS:-yes}" = "yes" ]; then
+					format+="$tag_format\n"
+				fi
+				shift
+				;;
+			--id)
+				if [[ $DOCKER_COMPLETION_SHOW_IMAGE_IDS =~ ^(all|non-intermediate)$ ]] ; then
+					format+="$id_format\n"
+				fi
+				shift
+				;;
+			--force-tag)
+				# like `--tag` but ignores environment setting
+				format+="$tag_format\n"
+				shift
+				;;
+			*)
+				break
+				;;
+		esac
+	done
+
+	__docker_q image ls --no-trunc --format "${format%\\n}" $all "$@" | grep -v '<none>$'
+}
+
+# __docker_complete_images applies completion of images based on the current value of `$cur` or
+# the value of the optional first option `--cur`, if given.
+# See __docker_images for customization of the returned items.
+__docker_complete_images() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_images "$@")" -- "$current") )
+	__ltrim_colon_completions "$current"
+}
+
+# __docker_networks returns a list of all networks. Additional options to
+# `docker network ls` may be specified in order to filter the list, e.g.
+# `__docker_networks --filter type=custom`
+# By default, only names are returned.
+# Set DOCKER_COMPLETION_SHOW_NETWORK_IDS=yes to also complete IDs.
+# An optional first option `--id|--name` may be used to limit the
+# output to the IDs or names of matching items. This setting takes
+# precedence over the environment setting.
+__docker_networks() {
+	local format
+	if [ "$1" = "--id" ] ; then
+		format='{{.ID}}'
+		shift
+	elif [ "$1" = "--name" ] ; then
+		format='{{.Name}}'
+		shift
+	elif [ "${DOCKER_COMPLETION_SHOW_NETWORK_IDS}" = yes ] ; then
+		format='{{.ID}} {{.Name}}'
+	else
+		format='{{.Name}}'
+	fi
+	__docker_q network ls --format "$format" "$@"
+}
+
+# __docker_complete_networks applies completion of networks based on the current
+# value of `$cur` or the value of the optional first option `--cur`, if given.
+# Additional filters may be appended, see `__docker_networks`.
+__docker_complete_networks() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_networks "$@")" -- "$current") )
+}
+
+__docker_complete_containers_in_network() {
+	local containers=($(__docker_q network inspect -f '{{range $i, $c := .Containers}}{{$i}} {{$c.Name}} {{end}}' "$1"))
+	COMPREPLY=( $(compgen -W "${containers[*]}" -- "$cur") )
+}
+
+# __docker_volumes returns a list of all volumes. Additional options to
+# `docker volume ls` may be specified in order to filter the list, e.g.
+# `__docker_volumes --filter dangling=true`
+# Because volumes do not have IDs, this function does not distinguish between
+# IDs and names.
+__docker_volumes() {
+	__docker_q volume ls -q "$@"
+}
+
+# __docker_complete_volumes applies completion of volumes based on the current
+# value of `$cur` or the value of the optional first option `--cur`, if given.
+# Additional filters may be appended, see `__docker_volumes`.
+__docker_complete_volumes() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_volumes "$@")" -- "$current") )
+}
+
+# __docker_plugins_bundled returns a list of all plugins of a given type.
+# The type has to be specified with the mandatory option `--type`.
+# Valid types are: Network, Volume, Authorization.
+# Completions may be added or removed with `--add` and `--remove`
+# This function only deals with plugins that come bundled with Docker.
+# For plugins managed by `docker plugin`, see `__docker_plugins_installed`.
+__docker_plugins_bundled() {
+	local type add=() remove=()
+	while true ; do
+		case "$1" in
+			--type)
+				type="$2"
+				shift 2
+				;;
+			--add)
+				add+=("$2")
+				shift 2
+				;;
+			--remove)
+				remove+=("$2")
+				shift 2
+				;;
+			*)
+				break
+				;;
+		esac
+	done
+
+	local plugins=($(__docker_q info --format "{{range \$i, \$p := .Plugins.$type}}{{.}} {{end}}"))
+	for del in "${remove[@]}" ; do
+		plugins=(${plugins[@]/$del/})
+	done
+	echo "${plugins[@]}" "${add[@]}"
+}
+
+# __docker_complete_plugins_bundled applies completion of plugins based on the current
+# value of `$cur` or the value of the optional first option `--cur`, if given.
+# The plugin type has to be specified with the next option `--type`.
+# This function only deals with plugins that come bundled with Docker.
+# For completion of plugins managed by `docker plugin`, see
+# `__docker_complete_plugins_installed`.
+__docker_complete_plugins_bundled() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_plugins_bundled "$@")" -- "$current") )
+}
+
+# __docker_plugins_installed returns a list of all plugins that were installed with
+# the Docker plugin API.
+# By default, only names are returned.
+# Set DOCKER_COMPLETION_SHOW_PLUGIN_IDS=yes to also complete IDs.
+# Additional options to `docker plugin ls` may be specified in order to filter the list,
+# e.g. `__docker_plugins_installed --filter enabled=true`
+# For built-in pugins, see `__docker_plugins_bundled`.
+__docker_plugins_installed() {
+	local format
+	if [ "$DOCKER_COMPLETION_SHOW_PLUGIN_IDS" = yes ] ; then
+		format='{{.ID}} {{.Name}}'
+	else
+		format='{{.Name}}'
+	fi
+	__docker_q plugin ls --format "$format" "$@"
+}
+
+# __docker_complete_plugins_installed applies completion of plugins that were installed
+# with the Docker plugin API, based on the current value of `$cur` or the value of
+# the optional first option `--cur`, if given.
+# Additional filters may be appended, see `__docker_plugins_installed`.
+# For completion of built-in pugins, see `__docker_complete_plugins_bundled`.
+__docker_complete_plugins_installed() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_plugins_installed "$@")" -- "$current") )
+}
+
+__docker_runtimes() {
+	__docker_q info | sed -n 's/^Runtimes: \(.*\)/\1/p'
+}
+
+__docker_complete_runtimes() {
+	COMPREPLY=( $(compgen -W "$(__docker_runtimes)" -- "$cur") )
+}
+
+# __docker_secrets returns a list of secrets. Additional options to
+# `docker secret ls` may be specified in order to filter the list, e.g.
+# `__docker_secrets --filter label=stage=production`
+# By default, only names are returned.
+# Set DOCKER_COMPLETION_SHOW_SECRET_IDS=yes to also complete IDs.
+# An optional first option `--id|--name` may be used to limit the
+# output to the IDs or names of matching items. This setting takes
+# precedence over the environment setting.
+__docker_secrets() {
+	local format
+	if [ "$1" = "--id" ] ; then
+		format='{{.ID}}'
+		shift
+	elif [ "$1" = "--name" ] ; then
+		format='{{.Name}}'
+		shift
+	elif [ "$DOCKER_COMPLETION_SHOW_SECRET_IDS" = yes ] ; then
+		format='{{.ID}} {{.Name}}'
+	else
+		format='{{.Name}}'
+	fi
+
+	__docker_q secret ls --format "$format" "$@"
+}
+
+# __docker_complete_secrets applies completion of secrets based on the current value
+# of `$cur` or the value of the optional first option `--cur`, if given.
+__docker_complete_secrets() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_secrets "$@")" -- "$current") )
+}
+
+# __docker_stacks returns a list of all stacks.
+__docker_stacks() {
+	__docker_q stack ls | awk 'NR>1 {print $1}'
+}
+
+# __docker_complete_stacks applies completion of stacks based on the current value
+# of `$cur` or the value of the optional first option `--cur`, if given.
+__docker_complete_stacks() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_stacks "$@")" -- "$current") )
+}
+
+# __docker_nodes returns a list of all nodes. Additional options to
+# `docker node ls` may be specified in order to filter the list, e.g.
+# `__docker_nodes --filter role=manager`
+# By default, only node names are returned.
+# Set DOCKER_COMPLETION_SHOW_NODE_IDS=yes to also complete node IDs.
+# An optional first option `--id|--name` may be used to limit the
+# output to the IDs or names of matching items. This setting takes
+# precedence over the environment setting.
+# Completions may be added with `--add`, e.g. `--add self`.
+__docker_nodes() {
+	local format
+	if [ "$DOCKER_COMPLETION_SHOW_NODE_IDS" = yes ] ; then
+		format='{{.ID}} {{.Hostname}}'
+	else
+		format='{{.Hostname}}'
+	fi
+
+	local add=()
+
+	while true ; do
+		case "$1" in
+			--id)
+				format='{{.ID}}'
+				shift
+				;;
+			--name)
+				format='{{.Hostname}}'
+				shift
+				;;
+			--add)
+				add+=("$2")
+				shift 2
+				;;
+			*)
+				break
+				;;
+		esac
+	done
+
+	echo "$(__docker_q node ls --format "$format" "$@")" "${add[@]}"
+}
+
+# __docker_complete_nodes applies completion of nodes based on the current
+# value of `$cur` or the value of the optional first option `--cur`, if given.
+# Additional filters may be appended, see `__docker_nodes`.
+__docker_complete_nodes() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_nodes "$@")" -- "$current") )
+}
+
+# __docker_services returns a list of all services. Additional options to
+# `docker service ls` may be specified in order to filter the list, e.g.
+# `__docker_services --filter name=xxx`
+# By default, only node names are returned.
+# Set DOCKER_COMPLETION_SHOW_SERVICE_IDS=yes to also complete IDs.
+# An optional first option `--id|--name` may be used to limit the
+# output to the IDs or names of matching items. This setting takes
+# precedence over the environment setting.
+__docker_services() {
+	local fields='$2'  # default: service name only
+	[ "${DOCKER_COMPLETION_SHOW_SERVICE_IDS}" = yes ] && fields='$1,$2' # ID & name
+
+	if [ "$1" = "--id" ] ; then
+		fields='$1' # IDs only
+		shift
+	elif [ "$1" = "--name" ] ; then
+		fields='$2' # names only
+		shift
+	fi
+        __docker_q service ls "$@" | awk "NR>1 {print $fields}"
+}
+
+# __docker_complete_services applies completion of services based on the current
+# value of `$cur` or the value of the optional first option `--cur`, if given.
+# Additional filters may be appended, see `__docker_services`.
+__docker_complete_services() {
+	local current="$cur"
+	if [ "$1" = "--cur" ] ; then
+		current="$2"
+		shift 2
+	fi
+	COMPREPLY=( $(compgen -W "$(__docker_services "$@")" -- "$current") )
+}
+
+# __docker_tasks returns a list of all task IDs.
+__docker_tasks() {
+	__docker_q service ps --format '{{.ID}}' ""
+}
+
+# __docker_complete_services_and_tasks applies completion of services and task IDs.
+# shellcheck disable=SC2120
+__docker_complete_services_and_tasks() {
+	COMPREPLY=( $(compgen -W "$(__docker_services "$@") $(__docker_tasks)" -- "$cur") )
+}
+
+# __docker_append_to_completions appends the word passed as an argument to every
+# word in `$COMPREPLY`.
+# Normally you do this with `compgen -S` while generating the completions.
+# This function allows you to append a suffix later. It allows you to use
+# the __docker_complete_XXX functions in cases where you need a suffix.
+__docker_append_to_completions() {
+	COMPREPLY=( ${COMPREPLY[@]/%/"$1"} )
+}
+
+# __docker_daemon_is_experimental tests whether the currently configured Docker
+# daemon runs in experimental mode. If so, the function exits with 0 (true).
+# Otherwise, or if the result cannot be determined, the exit value is 1 (false).
+__docker_daemon_is_experimental() {
+	[ "$(__docker_q version -f '{{.Server.Experimental}}')" = "true" ]
+}
+
+# __docker_daemon_os_is tests whether the currently configured Docker daemon runs
+# on the operating system passed in as the first argument.
+# It does so by querying the daemon for its OS. The result is cached for the duration
+# of one invocation of bash completion so that this function can be used to test for
+# several different operating systems without additional costs.
+# Known operating systems: linux, windows.
+__docker_daemon_os_is() {
+	local expected_os="$1"
+	local actual_os=${daemon_os=$(__docker_q version -f '{{.Server.Os}}')}
+	[ "$actual_os" = "$expected_os" ]
+}
+
+# __docker_stack_orchestrator_is tests whether the client is configured to use
+# the orchestrator that is passed in as the first argument.
+__docker_stack_orchestrator_is() {
+	case "$1" in
+		kubernetes)
+			if [ -z "$stack_orchestrator_is_kubernetes" ] ; then
+				__docker_q stack ls --help | grep -qe --namespace
+				stack_orchestrator_is_kubernetes=$?
+			fi
+			return $stack_orchestrator_is_kubernetes
+			;;
+		swarm)
+			if [ -z "$stack_orchestrator_is_swarm" ] ; then
+				__docker_q stack deploy --help | grep -qe "with-registry-auth"
+				stack_orchestrator_is_swarm=$?
+			fi
+			return $stack_orchestrator_is_swarm
+			;;
+		*)
+			return 1
+			;;
+
+	esac
+}
+
+# __docker_pos_first_nonflag finds the position of the first word that is neither
+# option nor an option's argument. If there are options that require arguments,
+# you should pass a glob describing those options, e.g. "--option1|-o|--option2"
+# Use this function to restrict completions to exact positions after the argument list.
+__docker_pos_first_nonflag() {
+	local argument_flags=$1
+
+	local counter=$((${subcommand_pos:-${command_pos}} + 1))
+	while [ "$counter" -le "$cword" ]; do
+		if [ -n "$argument_flags" ] && eval "case '${words[$counter]}' in $argument_flags) true ;; *) false ;; esac"; then
+			(( counter++ ))
+			# eat "=" in case of --option=arg syntax
+			[ "${words[$counter]}" = "=" ] && (( counter++ ))
+		else
+			case "${words[$counter]}" in
+				-*)
+					;;
+				*)
+					break
+					;;
+			esac
+		fi
+
+		# Bash splits words at "=", retaining "=" as a word, examples:
+		# "--debug=false" => 3 words, "--log-opt syslog-facility=daemon" => 4 words
+		while [ "${words[$counter + 1]}" = "=" ] ; do
+			counter=$(( counter + 2))
+		done
+
+		(( counter++ ))
+	done
+
+	echo $counter
+}
+
+# __docker_map_key_of_current_option returns `key` if we are currently completing the
+# value of a map option (`key=value`) which matches the extglob given as an argument.
+# This function is needed for key-specific completions.
+__docker_map_key_of_current_option() {
+	local glob="$1"
+
+	local key glob_pos
+	if [ "$cur" = "=" ] ; then        # key= case
+		key="$prev"
+		glob_pos=$((cword - 2))
+	elif [[ $cur == *=* ]] ; then     # key=value case (OSX)
+		key=${cur%=*}
+		glob_pos=$((cword - 1))
+	elif [ "$prev" = "=" ] ; then
+		key=${words[$cword - 2]}  # key=value case
+		glob_pos=$((cword - 3))
+	else
+		return
+	fi
+
+	[ "${words[$glob_pos]}" = "=" ] && ((glob_pos--))  # --option=key=value syntax
+
+	[[ ${words[$glob_pos]} == @($glob) ]] && echo "$key"
+}
+
+# __docker_value_of_option returns the value of the first option matching `option_glob`.
+# Valid values for `option_glob` are option names like `--log-level` and globs like
+# `--log-level|-l`
+# Only positions between the command and the current word are considered.
+__docker_value_of_option() {
+	local option_extglob=$(__docker_to_extglob "$1")
+
+	local counter=$((command_pos + 1))
+	while [ "$counter" -lt "$cword" ]; do
+		case ${words[$counter]} in
+			$option_extglob )
+				echo "${words[$counter + 1]}"
+				break
+				;;
+		esac
+		(( counter++ ))
+	done
+}
+
+# __docker_to_alternatives transforms a multiline list of strings into a single line
+# string with the words separated by `|`.
+# This is used to prepare arguments to __docker_pos_first_nonflag().
+__docker_to_alternatives() {
+	local parts=( $1 )
+	local IFS='|'
+	echo "${parts[*]}"
+}
+
+# __docker_to_extglob transforms a multiline list of options into an extglob pattern
+# suitable for use in case statements.
+__docker_to_extglob() {
+	local extglob=$( __docker_to_alternatives "$1" )
+	echo "@($extglob)"
+}
+
+# __docker_subcommands processes subcommands
+# Locates the first occurrence of any of the subcommands contained in the
+# first argument. In case of a match, calls the corresponding completion
+# function and returns 0.
+# If no match is found, 1 is returned. The calling function can then
+# continue processing its completion.
+#
+# TODO if the preceding command has options that accept arguments and an
+# argument is equal ot one of the subcommands, this is falsely detected as
+# a match.
+__docker_subcommands() {
+	local subcommands="$1"
+
+	local counter=$((command_pos + 1))
+	while [ "$counter" -lt "$cword" ]; do
+		case "${words[$counter]}" in
+			$(__docker_to_extglob "$subcommands") )
+				subcommand_pos=$counter
+				local subcommand=${words[$counter]}
+				local completions_func=_docker_${command}_${subcommand//-/_}
+				declare -F "$completions_func" >/dev/null && "$completions_func"
+				return 0
+				;;
+		esac
+		(( counter++ ))
+	done
+	return 1
+}
+
+# __docker_nospace suppresses trailing whitespace
+__docker_nospace() {
+	# compopt is not available in ancient bash versions
+	type compopt &>/dev/null && compopt -o nospace
+}
+
+__docker_complete_resolved_hostname() {
+	command -v host >/dev/null 2>&1 || return
+	COMPREPLY=( $(host 2>/dev/null "${cur%:}" | awk '/has address/ {print $4}') )
+}
+
+# __docker_local_interfaces returns a list of the names and addresses of all
+# local network interfaces.
+# If `--ip-only` is passed as a first argument, only addresses are returned.
+__docker_local_interfaces() {
+	command -v ip >/dev/null 2>&1 || return
+
+	local format
+	if [ "$1" = "--ip-only" ] ; then
+		format='\1'
+		shift
+	else
+		 format='\1 \2'
+	fi
+
+	ip addr show scope global 2>/dev/null | sed -n "s| \+inet \([0-9.]\+\).* \([^ ]\+\)|$format|p"
+}
+
+# __docker_complete_local_interfaces applies completion of the names and addresses of all
+# local network interfaces based on the current value of `$cur`.
+# An additional value can be added to the possible completions with an `--add` argument.
+__docker_complete_local_interfaces() {
+	local additional_interface
+	if [ "$1" = "--add" ] ; then
+		additional_interface="$2"
+		shift 2
+	fi
+
+	COMPREPLY=( $( compgen -W "$(__docker_local_interfaces "$@") $additional_interface" -- "$cur" ) )
+}
+
+# __docker_complete_local_ips applies completion of the addresses of all local network
+# interfaces based on the current value of `$cur`.
+__docker_complete_local_ips() {
+	__docker_complete_local_interfaces --ip-only
+}
+
+# __docker_complete_capabilities_addable completes Linux capabilities which are
+# not granted by default and may be added.
+# see https://docs.docker.com/engine/reference/run/#/runtime-privilege-and-linux-capabilities
+__docker_complete_capabilities_addable() {
+	COMPREPLY=( $( compgen -W "
+		ALL
+		AUDIT_CONTROL
+		BLOCK_SUSPEND
+		DAC_READ_SEARCH
+		IPC_LOCK
+		IPC_OWNER
+		LEASE
+		LINUX_IMMUTABLE
+		MAC_ADMIN
+		MAC_OVERRIDE
+		NET_ADMIN
+		NET_BROADCAST
+		SYS_ADMIN
+		SYS_BOOT
+		SYSLOG
+		SYS_MODULE
+		SYS_NICE
+		SYS_PACCT
+		SYS_PTRACE
+		SYS_RAWIO
+		SYS_RESOURCE
+		SYS_TIME
+		SYS_TTY_CONFIG
+		WAKE_ALARM
+	" -- "$cur" ) )
+}
+
+# __docker_complete_capabilities_droppable completes Linux capability options which are
+# allowed by default and can be dropped.
+# see https://docs.docker.com/engine/reference/run/#/runtime-privilege-and-linux-capabilities
+__docker_complete_capabilities_droppable() {
+	COMPREPLY=( $( compgen -W "
+		ALL
+		AUDIT_WRITE
+		CHOWN
+		DAC_OVERRIDE
+		FOWNER
+		FSETID
+		KILL
+		MKNOD
+		NET_BIND_SERVICE
+		NET_RAW
+		SETFCAP
+		SETGID
+		SETPCAP
+		SETUID
+		SYS_CHROOT
+	" -- "$cur" ) )
+}
+
+__docker_complete_detach_keys() {
+	case "$prev" in
+		--detach-keys)
+			case "$cur" in
+				*,)
+					COMPREPLY=( $( compgen -W "${cur}ctrl-" -- "$cur" ) )
+					;;
+				*)
+					COMPREPLY=( $( compgen -W "ctrl-" -- "$cur" ) )
+					;;
+			esac
+
+			__docker_nospace
+			return
+			;;
+	esac
+	return 1
+}
+
+__docker_complete_isolation() {
+	COMPREPLY=( $( compgen -W "default hyperv process" -- "$cur" ) )
+}
+
+__docker_complete_log_drivers() {
+	COMPREPLY=( $( compgen -W "
+		awslogs
+		etwlogs
+		fluentd
+		gcplogs
+		gelf
+		journald
+		json-file
+		logentries
+		none
+		splunk
+		syslog
+	" -- "$cur" ) )
+}
+
+__docker_complete_log_options() {
+	# see repository docker/docker.github.io/engine/admin/logging/
+
+	# really global options, defined in https://github.com/moby/moby/blob/master/daemon/logger/factory.go
+	local common_options1="max-buffer-size mode"
+	# common options defined in https://github.com/moby/moby/blob/master/daemon/logger/loginfo.go
+	# but not implemented in all log drivers
+	local common_options2="env env-regex labels"
+
+	# awslogs does not implement the $common_options2.
+	local awslogs_options="$common_options1 awslogs-create-group awslogs-credentials-endpoint awslogs-datetime-format awslogs-group awslogs-multiline-pattern awslogs-region awslogs-stream tag"
+
+	local fluentd_options="$common_options1 $common_options2 fluentd-address fluentd-async-connect fluentd-buffer-limit fluentd-retry-wait fluentd-max-retries fluentd-sub-second-precision tag"
+	local gcplogs_options="$common_options1 $common_options2 gcp-log-cmd gcp-meta-id gcp-meta-name gcp-meta-zone gcp-project"
+	local gelf_options="$common_options1 $common_options2 gelf-address gelf-compression-level gelf-compression-type gelf-tcp-max-reconnect gelf-tcp-reconnect-delay tag"
+	local journald_options="$common_options1 $common_options2 tag"
+	local json_file_options="$common_options1 $common_options2 max-file max-size"
+	local logentries_options="$common_options1 $common_options2 line-only logentries-token tag"
+	local splunk_options="$common_options1 $common_options2 splunk-caname splunk-capath splunk-format splunk-gzip splunk-gzip-level splunk-index splunk-insecureskipverify splunk-source splunk-sourcetype splunk-token splunk-url splunk-verify-connection tag"
+	local syslog_options="$common_options1 $common_options2 syslog-address syslog-facility syslog-format syslog-tls-ca-cert syslog-tls-cert syslog-tls-key syslog-tls-skip-verify tag"
+
+	local all_options="$fluentd_options $gcplogs_options $gelf_options $journald_options $logentries_options $json_file_options $syslog_options $splunk_options"
+
+	case $(__docker_value_of_option --log-driver) in
+		'')
+			COMPREPLY=( $( compgen -W "$all_options" -S = -- "$cur" ) )
+			;;
+		awslogs)
+			COMPREPLY=( $( compgen -W "$awslogs_options" -S = -- "$cur" ) )
+			;;
+		fluentd)
+			COMPREPLY=( $( compgen -W "$fluentd_options" -S = -- "$cur" ) )
+			;;
+		gcplogs)
+			COMPREPLY=( $( compgen -W "$gcplogs_options" -S = -- "$cur" ) )
+			;;
+		gelf)
+			COMPREPLY=( $( compgen -W "$gelf_options" -S = -- "$cur" ) )
+			;;
+		journald)
+			COMPREPLY=( $( compgen -W "$journald_options" -S = -- "$cur" ) )
+			;;
+		json-file)
+			COMPREPLY=( $( compgen -W "$json_file_options" -S = -- "$cur" ) )
+			;;
+		logentries)
+			COMPREPLY=( $( compgen -W "$logentries_options" -S = -- "$cur" ) )
+			;;
+		syslog)
+			COMPREPLY=( $( compgen -W "$syslog_options" -S = -- "$cur" ) )
+			;;
+		splunk)
+			COMPREPLY=( $( compgen -W "$splunk_options" -S = -- "$cur" ) )
+			;;
+		*)
+			return
+			;;
+	esac
+
+	__docker_nospace
+}
+
+__docker_complete_log_driver_options() {
+	local key=$(__docker_map_key_of_current_option '--log-opt')
+	case "$key" in
+		awslogs-create-group)
+			COMPREPLY=( $( compgen -W "false true" -- "${cur##*=}" ) )
+			return
+			;;
+		awslogs-credentials-endpoint)
+			COMPREPLY=( $( compgen -W "/" -- "${cur##*=}" ) )
+			__docker_nospace
+			return
+			;;
+		fluentd-async-connect)
+			COMPREPLY=( $( compgen -W "false true" -- "${cur##*=}" ) )
+			return
+			;;
+		fluentd-sub-second-precision)
+			COMPREPLY=( $( compgen -W "false true" -- "${cur##*=}" ) )
+			return
+			;;
+		gelf-address)
+			COMPREPLY=( $( compgen -W "tcp udp" -S "://" -- "${cur##*=}" ) )
+			__docker_nospace
+			return
+			;;
+		gelf-compression-level)
+			COMPREPLY=( $( compgen -W "1 2 3 4 5 6 7 8 9" -- "${cur##*=}" ) )
+			return
+			;;
+		gelf-compression-type)
+			COMPREPLY=( $( compgen -W "gzip none zlib" -- "${cur##*=}" ) )
+			return
+			;;
+		line-only)
+			COMPREPLY=( $( compgen -W "false true" -- "${cur##*=}" ) )
+			return
+			;;
+		mode)
+			COMPREPLY=( $( compgen -W "blocking non-blocking" -- "${cur##*=}" ) )
+			return
+			;;
+		syslog-address)
+			COMPREPLY=( $( compgen -W "tcp:// tcp+tls:// udp:// unix://" -- "${cur##*=}" ) )
+			__docker_nospace
+			__ltrim_colon_completions "${cur}"
+			return
+			;;
+		syslog-facility)
+			COMPREPLY=( $( compgen -W "
+				auth
+				authpriv
+				cron
+				daemon
+				ftp
+				kern
+				local0
+				local1
+				local2
+				local3
+				local4
+				local5
+				local6
+				local7
+				lpr
+				mail
+				news
+				syslog
+				user
+				uucp
+			" -- "${cur##*=}" ) )
+			return
+			;;
+		syslog-format)
+			COMPREPLY=( $( compgen -W "rfc3164 rfc5424 rfc5424micro" -- "${cur##*=}" ) )
+			return
+			;;
+		syslog-tls-ca-cert|syslog-tls-cert|syslog-tls-key)
+			_filedir
+			return
+			;;
+		syslog-tls-skip-verify)
+			COMPREPLY=( $( compgen -W "true" -- "${cur##*=}" ) )
+			return
+			;;
+		splunk-url)
+			COMPREPLY=( $( compgen -W "http:// https://" -- "${cur##*=}" ) )
+			__docker_nospace
+			__ltrim_colon_completions "${cur}"
+			return
+			;;
+		splunk-gzip|splunk-insecureskipverify|splunk-verify-connection)
+			COMPREPLY=( $( compgen -W "false true" -- "${cur##*=}" ) )
+			return
+			;;
+		splunk-format)
+			COMPREPLY=( $( compgen -W "inline json raw" -- "${cur##*=}" ) )
+			return
+			;;
+	esac
+	return 1
+}
+
+__docker_complete_log_levels() {
+	COMPREPLY=( $( compgen -W "debug info warn error fatal" -- "$cur" ) )
+}
+
+__docker_complete_restart() {
+	case "$prev" in
+		--restart)
+			case "$cur" in
+				on-failure:*)
+					;;
+				*)
+					COMPREPLY=( $( compgen -W "always no on-failure on-failure: unless-stopped" -- "$cur") )
+					;;
+			esac
+			return
+			;;
+	esac
+	return 1
+}
+
+# __docker_complete_signals returns a subset of the available signals that is most likely
+# relevant in the context of docker containers
+__docker_complete_signals() {
+	local signals=(
+		SIGCONT
+		SIGHUP
+		SIGINT
+		SIGKILL
+		SIGQUIT
+		SIGSTOP
+		SIGTERM
+		SIGUSR1
+		SIGUSR2
+	)
+	COMPREPLY=( $( compgen -W "${signals[*]} ${signals[*]#SIG}" -- "$( echo "$cur" | tr '[:lower:]' '[:upper:]')" ) )
+}
+
+__docker_complete_stack_orchestrator_options() {
+	case "$prev" in
+		--kubeconfig)
+			_filedir
+			return 0
+			;;
+		--namespace)
+			return 0
+			;;
+		--orchestrator)
+			COMPREPLY=( $( compgen -W "all kubernetes swarm" -- "$cur") )
+			return 0
+			;;
+	esac
+	return 1
+}
+
+__docker_complete_user_group() {
+	if [[ $cur == *:* ]] ; then
+		COMPREPLY=( $(compgen -g -- "${cur#*:}") )
+	else
+		COMPREPLY=( $(compgen -u -S : -- "$cur") )
+		__docker_nospace
+	fi
+}
+
+_docker_docker() {
+	# global options that may appear after the docker command
+	local boolean_options="
+		$global_boolean_options
+		--help
+		--version -v
+	"
+
+	case "$prev" in
+		--config)
+			_filedir -d
+			return
+			;;
+		--log-level|-l)
+			__docker_complete_log_levels
+			return
+			;;
+		$(__docker_to_extglob "$global_options_with_args") )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "$boolean_options $global_options_with_args" -- "$cur" ) )
+			;;
+		*)
+			local counter=$( __docker_pos_first_nonflag "$(__docker_to_extglob "$global_options_with_args")" )
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_daemon_is_experimental && commands+=(${experimental_commands[*]})
+				COMPREPLY=( $( compgen -W "${commands[*]} help" -- "$cur" ) )
+			fi
+			;;
+	esac
+}
+
+_docker_attach() {
+	_docker_container_attach
+}
+
+_docker_build() {
+	_docker_image_build
+}
+
+
+_docker_checkpoint() {
+	local subcommands="
+		create
+		ls
+		rm
+	"
+	local aliases="
+		list
+		remove
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_checkpoint_create() {
+	case "$prev" in
+		--checkpoint-dir)
+			_filedir -d
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--checkpoint-dir --help --leave-running" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--checkpoint-dir')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_running
+			fi
+			;;
+	esac
+}
+
+_docker_checkpoint_ls() {
+	case "$prev" in
+		--checkpoint-dir)
+			_filedir -d
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--checkpoint-dir --help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--checkpoint-dir')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_all
+			fi
+			;;
+	esac
+}
+
+_docker_checkpoint_rm() {
+	case "$prev" in
+		--checkpoint-dir)
+			_filedir -d
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--checkpoint-dir --help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--checkpoint-dir')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_all
+			elif [ "$cword" -eq "$((counter + 1))" ]; then
+				COMPREPLY=( $( compgen -W "$(__docker_q checkpoint ls "$prev" | sed 1d)" -- "$cur" ) )
+			fi
+			;;
+	esac
+}
+
+
+_docker_config() {
+	local subcommands="
+		create
+		inspect
+		ls
+		rm
+	"
+	local aliases="
+		list
+		remove
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_config_create() {
+	case "$prev" in
+		--label|-l)
+			return
+			;;
+		--template-driver)
+			COMPREPLY=( $( compgen -W "golang" -- "$cur" ) )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --label -l --template-driver" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--label|-l|--template-driver')
+			if [ "$cword" -eq "$((counter + 1))" ]; then
+				_filedir
+			fi
+			;;
+	esac
+}
+
+_docker_config_inspect() {
+	case "$prev" in
+		--format|-f)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format -f --help --pretty" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_configs
+			;;
+	esac
+}
+
+_docker_config_list() {
+	_docker_config_ls
+}
+
+_docker_config_ls() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		id)
+			__docker_complete_configs --cur "${cur##*=}" --id
+			return
+			;;
+		name)
+			__docker_complete_configs --cur "${cur##*=}" --name
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "id label name" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format --filter -f --help --quiet -q" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_config_remove() {
+	_docker_config_rm
+}
+
+_docker_config_rm() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_configs
+			;;
+	esac
+}
+
+
+_docker_container() {
+	local subcommands="
+		attach
+		commit
+		cp
+		create
+		diff
+		exec
+		export
+		inspect
+		kill
+		logs
+		ls
+		pause
+		port
+		prune
+		rename
+		restart
+		rm
+		run
+		start
+		stats
+		stop
+		top
+		unpause
+		update
+		wait
+	"
+	local aliases="
+		list
+		ps
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_container_attach() {
+	__docker_complete_detach_keys && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--detach-keys --help --no-stdin --sig-proxy=false" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--detach-keys')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_running
+			fi
+			;;
+	esac
+}
+
+_docker_container_commit() {
+	case "$prev" in
+		--author|-a|--change|-c|--message|-m)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--author -a --change -c --help --message -m --pause=false -p=false" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--author|-a|--change|-c|--message|-m')
+
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_all
+				return
+			elif [ "$cword" -eq "$((counter + 1))" ]; then
+				__docker_complete_images --repo --tag
+				return
+			fi
+			;;
+	esac
+}
+
+_docker_container_cp() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--archive -a --follow-link -L --help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				case "$cur" in
+					*:)
+						return
+						;;
+					*)
+						# combined container and filename completion
+						_filedir
+						local files=( ${COMPREPLY[@]} )
+
+						__docker_complete_containers_all
+						COMPREPLY=( $( compgen -W "${COMPREPLY[*]}" -S ':' ) )
+						local containers=( ${COMPREPLY[@]} )
+
+						COMPREPLY=( $( compgen -W "${files[*]} ${containers[*]}" -- "$cur" ) )
+						if [[ "${COMPREPLY[*]}" = *: ]]; then
+							__docker_nospace
+						fi
+						return
+						;;
+				esac
+			fi
+			(( counter++ ))
+
+			if [ "$cword" -eq "$counter" ]; then
+				if [ -e "$prev" ]; then
+					__docker_complete_containers_all
+					COMPREPLY=( $( compgen -W "${COMPREPLY[*]}" -S ':' ) )
+					__docker_nospace
+				else
+					_filedir
+				fi
+				return
+			fi
+			;;
+	esac
+}
+
+_docker_container_create() {
+	_docker_container_run_and_create
+}
+
+_docker_container_diff() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_all
+			fi
+			;;
+	esac
+}
+
+_docker_container_exec() {
+	__docker_complete_detach_keys && return
+
+	case "$prev" in
+		--env|-e)
+			# we do not append a "=" here because "-e VARNAME" is legal syntax, too
+			COMPREPLY=( $( compgen -e -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--user|-u)
+			__docker_complete_user_group
+			return
+			;;
+		--workdir|-w)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--detach -d --detach-keys --env -e --help --interactive -i --privileged -t --tty -u --user --workdir -w" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_containers_running
+			;;
+	esac
+}
+
+_docker_container_export() {
+	case "$prev" in
+		--output|-o)
+			_filedir
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --output -o" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_all
+			fi
+			;;
+	esac
+}
+
+_docker_container_inspect() {
+	_docker_inspect --type container
+}
+
+_docker_container_kill() {
+	case "$prev" in
+		--signal|-s)
+			__docker_complete_signals
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --signal -s" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_containers_running
+			;;
+	esac
+}
+
+_docker_container_logs() {
+	case "$prev" in
+		--since|--tail|--until)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--details --follow -f --help --since --tail --timestamps -t --until" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--since|--tail|--until')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_all
+			fi
+			;;
+	esac
+}
+
+_docker_container_list() {
+	_docker_container_ls
+}
+
+_docker_container_ls() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		ancestor)
+			__docker_complete_images --cur "${cur##*=}" --repo --tag --id
+			return
+			;;
+		before)
+			__docker_complete_containers_all --cur "${cur##*=}"
+			return
+			;;
+		expose|publish)
+			return
+			;;
+		id)
+			__docker_complete_containers_all --cur "${cur##*=}" --id
+			return
+			;;
+		health)
+			COMPREPLY=( $( compgen -W "healthy starting none unhealthy" -- "${cur##*=}" ) )
+			return
+			;;
+		is-task)
+			COMPREPLY=( $( compgen -W "true false" -- "${cur##*=}" ) )
+			return
+			;;
+		name)
+			__docker_complete_containers_all --cur "${cur##*=}" --name
+			return
+			;;
+		network)
+			__docker_complete_networks --cur "${cur##*=}"
+			return
+			;;
+		since)
+			__docker_complete_containers_all --cur "${cur##*=}"
+			return
+			;;
+		status)
+			COMPREPLY=( $( compgen -W "created dead exited paused restarting running removing" -- "${cur##*=}" ) )
+			return
+			;;
+		volume)
+			__docker_complete_volumes --cur "${cur##*=}"
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "ancestor before exited expose health id is-task label name network publish since status volume" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format|--last|-n)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--all -a --filter -f --format --help --last -n --latest -l --no-trunc --quiet -q --size -s" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_container_pause() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_containers_running
+			;;
+	esac
+}
+
+_docker_container_port() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_all
+			fi
+			;;
+	esac
+}
+
+_docker_container_prune() {
+	case "$prev" in
+		--filter)
+			COMPREPLY=( $( compgen -W "label label! until" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--force -f --filter --help" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_container_ps() {
+	_docker_container_ls
+}
+
+_docker_container_rename() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_all
+			fi
+			;;
+	esac
+}
+
+_docker_container_restart() {
+	case "$prev" in
+		--time|-t)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --time -t" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_containers_all
+			;;
+	esac
+}
+
+_docker_container_rm() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--force -f --help --link -l --volumes -v" -- "$cur" ) )
+			;;
+		*)
+			for arg in "${COMP_WORDS[@]}"; do
+				case "$arg" in
+					--force|-f)
+						__docker_complete_containers_all
+						return
+						;;
+				esac
+			done
+			__docker_complete_containers_removable
+			;;
+	esac
+}
+
+_docker_container_run() {
+	_docker_container_run_and_create
+}
+
+# _docker_container_run_and_create is the combined completion for `_docker_container_run`
+# and `_docker_container_create`
+_docker_container_run_and_create() {
+	local options_with_args="
+		--add-host
+		--attach -a
+		--blkio-weight
+		--blkio-weight-device
+		--cap-add
+		--cap-drop
+		--cgroup-parent
+		--cidfile
+		--cpu-period
+		--cpu-quota
+		--cpu-rt-period
+		--cpu-rt-runtime
+		--cpuset-cpus
+		--cpus
+		--cpuset-mems
+		--cpu-shares -c
+		--device
+		--device-cgroup-rule
+		--device-read-bps
+		--device-read-iops
+		--device-write-bps
+		--device-write-iops
+		--dns
+		--dns-option
+		--dns-search
+		--entrypoint
+		--env -e
+		--env-file
+		--expose
+		--group-add
+		--health-cmd
+		--health-interval
+		--health-retries
+		--health-start-period
+		--health-timeout
+		--hostname -h
+		--ip
+		--ip6
+		--ipc
+		--kernel-memory
+		--label-file
+		--label -l
+		--link
+		--link-local-ip
+		--log-driver
+		--log-opt
+		--mac-address
+		--memory -m
+		--memory-swap
+		--memory-swappiness
+		--memory-reservation
+		--mount
+		--name
+		--network
+		--network-alias
+		--oom-score-adj
+		--pid
+		--pids-limit
+		--publish -p
+		--restart
+		--runtime
+		--security-opt
+		--shm-size
+		--stop-signal
+		--stop-timeout
+		--storage-opt
+		--tmpfs
+		--sysctl
+		--ulimit
+		--user -u
+		--userns
+		--uts
+		--volume-driver
+		--volumes-from
+		--volume -v
+		--workdir -w
+	"
+	__docker_daemon_os_is windows && options_with_args+="
+		--cpu-count
+		--cpu-percent
+		--io-maxbandwidth
+		--io-maxiops
+		--isolation
+	"
+	__docker_daemon_is_experimental && options_with_args+="
+		--platform
+	"
+
+	local boolean_options="
+		--disable-content-trust=false
+		--help
+		--init
+		--interactive -i
+		--no-healthcheck
+		--oom-kill-disable
+		--privileged
+		--publish-all -P
+		--read-only
+		--tty -t
+	"
+
+	if [ "$command" = "run" ] || [ "$subcommand" = "run" ] ; then
+		options_with_args="$options_with_args
+			--detach-keys
+		"
+		boolean_options="$boolean_options
+			--detach -d
+			--rm
+			--sig-proxy=false
+		"
+		__docker_complete_detach_keys && return
+	fi
+
+	local all_options="$options_with_args $boolean_options"
+
+
+	__docker_complete_log_driver_options && return
+	__docker_complete_restart && return
+
+	local key=$(__docker_map_key_of_current_option '--security-opt')
+	case "$key" in
+		label)
+			[[ $cur == *: ]] && return
+			COMPREPLY=( $( compgen -W "user: role: type: level: disable" -- "${cur##*=}") )
+			if [ "${COMPREPLY[*]}" != "disable" ] ; then
+				__docker_nospace
+			fi
+			return
+			;;
+		seccomp)
+			local cur=${cur##*=}
+			_filedir
+			COMPREPLY+=( $( compgen -W "unconfined" -- "$cur" ) )
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--add-host)
+			case "$cur" in
+				*:)
+					__docker_complete_resolved_hostname
+					return
+					;;
+			esac
+			;;
+		--attach|-a)
+			COMPREPLY=( $( compgen -W 'stdin stdout stderr' -- "$cur" ) )
+			return
+			;;
+		--cap-add)
+			__docker_complete_capabilities_addable
+			return
+			;;
+		--cap-drop)
+			__docker_complete_capabilities_droppable
+			return
+			;;
+		--cidfile|--env-file|--label-file)
+			_filedir
+			return
+			;;
+		--device|--tmpfs|--volume|-v)
+			case "$cur" in
+				*:*)
+					# TODO somehow do _filedir for stuff inside the image, if it's already specified (which is also somewhat difficult to determine)
+					;;
+				'')
+					COMPREPLY=( $( compgen -W '/' -- "$cur" ) )
+					__docker_nospace
+					;;
+				/*)
+					_filedir
+					__docker_nospace
+					;;
+			esac
+			return
+			;;
+		--env|-e)
+			# we do not append a "=" here because "-e VARNAME" is legal syntax, too
+			COMPREPLY=( $( compgen -e -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--ipc)
+			case "$cur" in
+				*:*)
+					cur="${cur#*:}"
+					__docker_complete_containers_running
+					;;
+				*)
+					COMPREPLY=( $( compgen -W 'none host private shareable container:' -- "$cur" ) )
+					if [ "${COMPREPLY[*]}" = "container:" ]; then
+						__docker_nospace
+					fi
+					;;
+			esac
+			return
+			;;
+		--isolation)
+			if __docker_daemon_os_is windows ; then
+				__docker_complete_isolation
+				return
+			fi
+			;;
+		--link)
+			case "$cur" in
+				*:*)
+					;;
+				*)
+					__docker_complete_containers_running
+					COMPREPLY=( $( compgen -W "${COMPREPLY[*]}" -S ':' ) )
+					__docker_nospace
+					;;
+			esac
+			return
+			;;
+		--log-driver)
+			__docker_complete_log_drivers
+			return
+			;;
+		--log-opt)
+			__docker_complete_log_options
+			return
+			;;
+		--network)
+			case "$cur" in
+				container:*)
+					__docker_complete_containers_all --cur "${cur#*:}"
+					;;
+				*)
+					COMPREPLY=( $( compgen -W "$(__docker_plugins_bundled --type Network) $(__docker_networks) container:" -- "$cur") )
+					if [ "${COMPREPLY[*]}" = "container:" ] ; then
+						__docker_nospace
+					fi
+					;;
+			esac
+			return
+			;;
+		--pid)
+			case "$cur" in
+				*:*)
+					__docker_complete_containers_running --cur "${cur#*:}"
+					;;
+				*)
+					COMPREPLY=( $( compgen -W 'host container:' -- "$cur" ) )
+					if [ "${COMPREPLY[*]}" = "container:" ]; then
+						__docker_nospace
+					fi
+					;;
+			esac
+			return
+			;;
+		--runtime)
+			__docker_complete_runtimes
+			return
+			;;
+		--security-opt)
+			COMPREPLY=( $( compgen -W "apparmor= label= no-new-privileges seccomp=" -- "$cur") )
+			if [ "${COMPREPLY[*]}" != "no-new-privileges" ] ; then
+				__docker_nospace
+			fi
+			return
+			;;
+		--stop-signal)
+			__docker_complete_signals
+			return
+			;;
+		--storage-opt)
+			COMPREPLY=( $( compgen -W "size" -S = -- "$cur") )
+			__docker_nospace
+			return
+			;;
+		--user|-u)
+			__docker_complete_user_group
+			return
+			;;
+		--userns)
+			COMPREPLY=( $( compgen -W "host" -- "$cur" ) )
+			return
+			;;
+		--volume-driver)
+			__docker_complete_plugins_bundled --type Volume
+			return
+			;;
+		--volumes-from)
+			__docker_complete_containers_all
+			return
+			;;
+		$(__docker_to_extglob "$options_with_args") )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "$all_options" -- "$cur" ) )
+			;;
+		*)
+			local counter=$( __docker_pos_first_nonflag "$( __docker_to_alternatives "$options_with_args" )" )
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_images --repo --tag --id
+			fi
+			;;
+	esac
+}
+
+_docker_container_start() {
+	__docker_complete_detach_keys && return
+	case "$prev" in
+		--checkpoint)
+			if __docker_daemon_is_experimental ; then
+				return
+			fi
+			;;
+		--checkpoint-dir)
+			if __docker_daemon_is_experimental ; then
+				_filedir -d
+				return
+			fi
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			local options="--attach -a --detach-keys --help --interactive -i"
+			__docker_daemon_is_experimental && options+=" --checkpoint --checkpoint-dir"
+			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_containers_stopped
+			;;
+	esac
+}
+
+_docker_container_stats() {
+	case "$prev" in
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--all -a --format --help --no-stream --no-trunc" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_containers_running
+			;;
+	esac
+}
+
+_docker_container_stop() {
+	case "$prev" in
+		--time|-t)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --time -t" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_containers_running
+			;;
+	esac
+}
+
+_docker_container_top() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_running
+			fi
+			;;
+	esac
+}
+
+_docker_container_unpause() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_containers_unpauseable
+			fi
+			;;
+	esac
+}
+
+_docker_container_update() {
+	local options_with_args="
+		--blkio-weight
+		--cpu-period
+		--cpu-quota
+		--cpu-rt-period
+		--cpu-rt-runtime
+		--cpus
+		--cpuset-cpus
+		--cpuset-mems
+		--cpu-shares -c
+		--kernel-memory
+		--memory -m
+		--memory-reservation
+		--memory-swap
+		--restart
+	"
+
+	local boolean_options="
+		--help
+	"
+
+	local all_options="$options_with_args $boolean_options"
+
+	__docker_complete_restart && return
+
+	case "$prev" in
+		$(__docker_to_extglob "$options_with_args") )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "$all_options" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_containers_all
+			;;
+	esac
+}
+
+_docker_container_wait() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_containers_all
+			;;
+	esac
+}
+
+
+_docker_commit() {
+	_docker_container_commit
+}
+
+_docker_cp() {
+	_docker_container_cp
+}
+
+_docker_create() {
+	_docker_container_create
+}
+
+_docker_daemon() {
+	local boolean_options="
+		$global_boolean_options
+		--experimental
+		--help
+		--icc=false
+		--init
+		--ip-forward=false
+		--ip-masq=false
+		--iptables=false
+		--ipv6
+		--live-restore
+		--no-new-privileges
+		--raw-logs
+		--selinux-enabled
+		--userland-proxy=false
+		--version -v
+	"
+	local options_with_args="
+		$global_options_with_args
+		--add-runtime
+		--allow-nondistributable-artifacts
+		--api-cors-header
+		--authorization-plugin
+		--bip
+		--bridge -b
+		--cgroup-parent
+		--cluster-advertise
+		--cluster-store
+		--cluster-store-opt
+		--config-file
+		--containerd
+		--cpu-rt-period
+		--cpu-rt-runtime
+		--data-root
+		--default-address-pool
+		--default-gateway
+		--default-gateway-v6
+		--default-runtime
+		--default-shm-size
+		--default-ulimit
+		--dns
+		--dns-search
+		--dns-opt
+		--exec-opt
+		--exec-root
+		--fixed-cidr
+		--fixed-cidr-v6
+		--group -G
+		--init-path
+		--insecure-registry
+		--ip
+		--label
+		--log-driver
+		--log-opt
+		--max-concurrent-downloads
+		--max-concurrent-uploads
+		--metrics-addr
+		--mtu
+		--network-control-plane-mtu
+		--node-generic-resource
+		--oom-score-adjust
+		--pidfile -p
+		--registry-mirror
+		--seccomp-profile
+		--shutdown-timeout
+		--storage-driver -s
+		--storage-opt
+		--swarm-default-advertise-addr
+		--userland-proxy-path
+		--userns-remap
+	"
+
+	__docker_complete_log_driver_options && return
+
+ 	key=$(__docker_map_key_of_current_option '--cluster-store-opt')
+ 	case "$key" in
+ 		kv.*file)
+			cur=${cur##*=}
+ 			_filedir
+ 			return
+ 			;;
+ 	esac
+
+ 	local key=$(__docker_map_key_of_current_option '--storage-opt')
+ 	case "$key" in
+ 		dm.blkdiscard|dm.override_udev_sync_check|dm.use_deferred_removal|dm.use_deferred_deletion)
+ 			COMPREPLY=( $( compgen -W "false true" -- "${cur##*=}" ) )
+ 			return
+ 			;;
+		dm.directlvm_device|dm.thinpooldev)
+			cur=${cur##*=}
+			_filedir
+			return
+			;;
+		dm.fs)
+			COMPREPLY=( $( compgen -W "ext4 xfs" -- "${cur##*=}" ) )
+			return
+			;;
+		dm.libdm_log_level)
+			COMPREPLY=( $( compgen -W "2 3 4 5 6 7" -- "${cur##*=}" ) )
+			return
+			;;
+ 	esac
+
+	case "$prev" in
+		--authorization-plugin)
+			__docker_complete_plugins_bundled --type Authorization
+			return
+			;;
+		--cluster-store)
+			COMPREPLY=( $( compgen -W "consul etcd zk" -S "://" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--cluster-store-opt)
+			COMPREPLY=( $( compgen -W "discovery.heartbeat discovery.ttl kv.cacertfile kv.certfile kv.keyfile kv.path" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--config-file|--containerd|--init-path|--pidfile|-p|--tlscacert|--tlscert|--tlskey|--userland-proxy-path)
+			_filedir
+			return
+			;;
+		--exec-root|--data-root)
+			_filedir -d
+			return
+			;;
+		--log-driver)
+			__docker_complete_log_drivers
+			return
+			;;
+		--storage-driver|-s)
+			COMPREPLY=( $( compgen -W "aufs btrfs devicemapper overlay overlay2 vfs zfs" -- "$(echo "$cur" | tr '[:upper:]' '[:lower:]')" ) )
+			return
+			;;
+		--storage-opt)
+			local btrfs_options="btrfs.min_space"
+			local devicemapper_options="
+				dm.basesize
+				dm.blkdiscard
+				dm.blocksize
+				dm.directlvm_device
+				dm.fs
+				dm.libdm_log_level
+				dm.loopdatasize
+				dm.loopmetadatasize
+				dm.min_free_space
+				dm.mkfsarg
+				dm.mountopt
+				dm.override_udev_sync_check
+				dm.thinpooldev
+				dm.thinp_autoextend_percent
+				dm.thinp_autoextend_threshold
+				dm.thinp_metapercent
+				dm.thinp_percent
+				dm.use_deferred_deletion
+				dm.use_deferred_removal
+			"
+			local overlay2_options="overlay2.size"
+			local zfs_options="zfs.fsname"
+
+			local all_options="$btrfs_options $devicemapper_options $overlay2_options $zfs_options"
+
+			case $(__docker_value_of_option '--storage-driver|-s') in
+				'')
+					COMPREPLY=( $( compgen -W "$all_options" -S = -- "$cur" ) )
+					;;
+				btrfs)
+					COMPREPLY=( $( compgen -W "$btrfs_options" -S = -- "$cur" ) )
+					;;
+				devicemapper)
+					COMPREPLY=( $( compgen -W "$devicemapper_options" -S = -- "$cur" ) )
+					;;
+				overlay2)
+					COMPREPLY=( $( compgen -W "$overlay2_options" -S = -- "$cur" ) )
+					;;
+				zfs)
+					COMPREPLY=( $( compgen -W "$zfs_options" -S = -- "$cur" ) )
+					;;
+				*)
+					return
+					;;
+			esac
+			__docker_nospace
+			return
+			;;
+		--log-level|-l)
+			__docker_complete_log_levels
+			return
+			;;
+		--log-opt)
+			__docker_complete_log_options
+			return
+			;;
+		--metrics-addr)
+			__docker_complete_local_ips
+			__docker_append_to_completions ":"
+			__docker_nospace
+			return
+			;;
+		--seccomp-profile)
+			_filedir json
+			return
+			;;
+		--swarm-default-advertise-addr)
+			__docker_complete_local_interfaces
+			return
+			;;
+		--userns-remap)
+			__docker_complete_user_group
+			return
+			;;
+		$(__docker_to_extglob "$options_with_args") )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "$boolean_options $options_with_args" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_deploy() {
+	__docker_daemon_is_experimental && _docker_stack_deploy
+}
+
+_docker_diff() {
+	_docker_container_diff
+}
+
+_docker_events() {
+	_docker_system_events
+}
+
+_docker_exec() {
+	_docker_container_exec
+}
+
+_docker_export() {
+	_docker_container_export
+}
+
+_docker_help() {
+	local counter=$(__docker_pos_first_nonflag)
+	if [ "$cword" -eq "$counter" ]; then
+		COMPREPLY=( $( compgen -W "${commands[*]}" -- "$cur" ) )
+	fi
+}
+
+_docker_history() {
+	_docker_image_history
+}
+
+
+_docker_image() {
+	local subcommands="
+		build
+		history
+		import
+		inspect
+		load
+		ls
+		prune
+		pull
+		push
+		rm
+		save
+		tag
+	"
+	local aliases="
+		images
+		list
+		remove
+		rmi
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_image_build() {
+	local options_with_args="
+		--add-host
+		--build-arg
+		--cache-from
+		--cgroup-parent
+		--cpuset-cpus
+		--cpuset-mems
+		--cpu-shares -c
+		--cpu-period
+		--cpu-quota
+		--file -f
+		--iidfile
+		--label
+		--memory -m
+		--memory-swap
+		--network
+		--shm-size
+		--tag -t
+		--target
+		--ulimit
+	"
+	__docker_daemon_os_is windows && options_with_args+="
+		--isolation
+	"
+
+	local boolean_options="
+		--compress
+		--disable-content-trust=false
+		--force-rm
+		--help
+		--no-cache
+		--pull
+		--quiet -q
+		--rm
+	"
+	if __docker_daemon_is_experimental ; then
+		options_with_args+="
+			--platform
+		"
+		boolean_options+="
+			--squash
+			--stream
+		"
+	fi
+
+	local all_options="$options_with_args $boolean_options"
+
+	case "$prev" in
+		--add-host)
+			case "$cur" in
+				*:)
+					__docker_complete_resolved_hostname
+					return
+					;;
+			esac
+			;;
+		--build-arg)
+			COMPREPLY=( $( compgen -e -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--cache-from)
+			__docker_complete_images --repo --tag --id
+			return
+			;;
+		--file|-f|--iidfile)
+			_filedir
+			return
+			;;
+		--isolation)
+			if __docker_daemon_os_is windows ; then
+				__docker_complete_isolation
+				return
+			fi
+			;;
+		--network)
+			case "$cur" in
+				container:*)
+					__docker_complete_containers_all --cur "${cur#*:}"
+					;;
+				*)
+					COMPREPLY=( $( compgen -W "$(__docker_plugins_bundled --type Network) $(__docker_networks) container:" -- "$cur") )
+					if [ "${COMPREPLY[*]}" = "container:" ] ; then
+						__docker_nospace
+					fi
+					;;
+			esac
+			return
+			;;
+		--tag|-t)
+			__docker_complete_images --repo --tag
+			return
+			;;
+		--target)
+			local context_pos=$( __docker_pos_first_nonflag "$( __docker_to_alternatives "$options_with_args" )" )
+			local context="${words[$context_pos]}"
+			context="${context:-.}"
+
+			local file="$( __docker_value_of_option '--file|f' )"
+			local default_file="${context%/}/Dockerfile"
+			local dockerfile="${file:-$default_file}"
+
+			local targets="$( sed -n 's/^FROM .\+ AS \(.\+\)/\1/p' "$dockerfile" 2>/dev/null )"
+			COMPREPLY=( $( compgen -W "$targets" -- "$cur" ) )
+			return
+			;;
+		$(__docker_to_extglob "$options_with_args") )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "$all_options" -- "$cur" ) )
+			;;
+		*)
+			local counter=$( __docker_pos_first_nonflag "$( __docker_to_alternatives "$options_with_args" )" )
+			if [ "$cword" -eq "$counter" ]; then
+				_filedir -d
+			fi
+			;;
+	esac
+}
+
+_docker_image_history() {
+	case "$prev" in
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format --help --human=false -H=false --no-trunc --quiet -q" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--format')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_images --force-tag --id
+			fi
+			;;
+	esac
+}
+
+_docker_image_images() {
+	_docker_image_ls
+}
+
+_docker_image_import() {
+	case "$prev" in
+		--change|-c|--message|-m)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--change -c --help --message -m" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--change|-c|--message|-m')
+			if [ "$cword" -eq "$counter" ]; then
+				_filedir
+				return
+			elif [ "$cword" -eq "$((counter + 1))" ]; then
+				__docker_complete_images --repo --tag
+				return
+			fi
+			;;
+	esac
+}
+
+_docker_image_inspect() {
+	_docker_inspect --type image
+}
+
+_docker_image_load() {
+	case "$prev" in
+		--input|-i|"<")
+			_filedir
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --input -i --quiet -q" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_image_list() {
+	_docker_image_ls
+}
+
+_docker_image_ls() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		before|since)
+			__docker_complete_images --cur "${cur##*=}" --force-tag --id
+			return
+			;;
+		dangling)
+			COMPREPLY=( $( compgen -W "false true" -- "${cur##*=}" ) )
+			return
+			;;
+		label)
+			return
+			;;
+		reference)
+			__docker_complete_images --cur "${cur##*=}" --repo --tag
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "before dangling label reference since" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+                --format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--all -a --digests --filter -f --format --help --no-trunc --quiet -q" -- "$cur" ) )
+			;;
+		=)
+			return
+			;;
+		*)
+			__docker_complete_images --repo --tag
+			;;
+	esac
+}
+
+_docker_image_prune() {
+	case "$prev" in
+		--filter)
+			COMPREPLY=( $( compgen -W "label label! until" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--all -a --force -f --filter --help" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_image_pull() {
+	case "$prev" in
+		--platform)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			local options="--all-tags -a --disable-content-trust=false --help"
+			__docker_daemon_is_experimental && options+=" --platform"
+
+			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag --platform)
+			if [ "$cword" -eq "$counter" ]; then
+				for arg in "${COMP_WORDS[@]}"; do
+					case "$arg" in
+						--all-tags|-a)
+							__docker_complete_images --repo
+							return
+							;;
+					esac
+				done
+				__docker_complete_images --repo --tag
+			fi
+			;;
+	esac
+}
+
+_docker_image_push() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--disable-content-trust=false --help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_images --repo --tag
+			fi
+			;;
+	esac
+}
+
+_docker_image_remove() {
+	_docker_image_rm
+}
+
+_docker_image_rm() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--force -f --help --no-prune" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_images --force-tag --id
+			;;
+	esac
+}
+
+_docker_image_rmi() {
+	_docker_image_rm
+}
+
+_docker_image_save() {
+	case "$prev" in
+		--output|-o|">")
+			_filedir
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --output -o" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_images --repo --tag --id
+			;;
+	esac
+}
+
+_docker_image_tag() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_images --force-tag --id
+				return
+			elif [ "$cword" -eq "$((counter + 1))" ]; then
+				__docker_complete_images --repo --tag
+				return
+			fi
+			;;
+	esac
+}
+
+
+_docker_images() {
+	_docker_image_ls
+}
+
+_docker_import() {
+	_docker_image_import
+}
+
+_docker_info() {
+	_docker_system_info
+}
+
+_docker_inspect() {
+	local preselected_type
+	local type
+
+	if [ "$1" = "--type" ] ; then
+		preselected_type=yes
+		type="$2"
+	else
+		type=$(__docker_value_of_option --type)
+	fi
+
+	case "$prev" in
+		--format|-f)
+			return
+			;;
+		--type)
+			if [ -z "$preselected_type" ] ; then
+				COMPREPLY=( $( compgen -W "container image network node plugin secret service volume" -- "$cur" ) )
+				return
+			fi
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			local options="--format -f --help --size -s"
+			if [ -z "$preselected_type" ] ; then
+				options+=" --type"
+			fi
+			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
+			;;
+		*)
+			case "$type" in
+				'')
+					COMPREPLY=( $( compgen -W "
+						$(__docker_containers --all)
+						$(__docker_images --force-tag --id)
+						$(__docker_networks)
+						$(__docker_nodes)
+						$(__docker_plugins_installed)
+						$(__docker_secrets)
+						$(__docker_services)
+						$(__docker_volumes)
+					" -- "$cur" ) )
+					__ltrim_colon_completions "$cur"
+					;;
+				container)
+					__docker_complete_containers_all
+					;;
+				image)
+					__docker_complete_images --force-tag --id
+					;;
+				network)
+					__docker_complete_networks
+					;;
+				node)
+					__docker_complete_nodes
+					;;
+				plugin)
+					__docker_complete_plugins_installed
+					;;
+				secret)
+					__docker_complete_secrets
+					;;
+				service)
+					__docker_complete_services
+					;;
+				volume)
+					__docker_complete_volumes
+					;;
+			esac
+	esac
+}
+
+_docker_kill() {
+	_docker_container_kill
+}
+
+_docker_load() {
+	_docker_image_load
+}
+
+_docker_login() {
+	case "$prev" in
+		--password|-p|--username|-u)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --password -p --password-stdin --username -u" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_logout() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_logs() {
+	_docker_container_logs
+}
+
+_docker_network_connect() {
+	local options_with_args="
+		--alias
+		--ip
+		--ip6
+		--link
+		--link-local-ip
+	"
+
+	local boolean_options="
+		--help
+	"
+
+	case "$prev" in
+		--link)
+			case "$cur" in
+				*:*)
+					;;
+				*)
+					__docker_complete_containers_running
+					COMPREPLY=( $( compgen -W "${COMPREPLY[*]}" -S ':' ) )
+					__docker_nospace
+					;;
+			esac
+			return
+			;;
+		$(__docker_to_extglob "$options_with_args") )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "$boolean_options $options_with_args" -- "$cur" ) )
+			;;
+		*)
+			local counter=$( __docker_pos_first_nonflag "$( __docker_to_alternatives "$options_with_args" )" )
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_networks
+			elif [ "$cword" -eq "$((counter + 1))" ]; then
+				__docker_complete_containers_all
+			fi
+			;;
+	esac
+}
+
+_docker_network_create() {
+	case "$prev" in
+		--aux-address|--gateway|--ip-range|--ipam-opt|--ipv6|--opt|-o|--subnet)
+			return
+			;;
+		--config-from)
+			__docker_complete_networks
+			return
+			;;
+		--driver|-d)
+			# remove drivers that allow one instance only, add drivers missing in `docker info`
+			__docker_complete_plugins_bundled --type Network --remove host --remove null --add macvlan
+			return
+			;;
+		--ipam-driver)
+			COMPREPLY=( $( compgen -W "default" -- "$cur" ) )
+			return
+			;;
+		--label)
+			return
+			;;
+		--scope)
+			COMPREPLY=( $( compgen -W "local swarm" -- "$cur" ) )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--attachable --aux-address --config-from --config-only --driver -d --gateway --help --ingress --internal --ip-range --ipam-driver --ipam-opt --ipv6 --label --opt -o --scope --subnet" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_network_disconnect() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_networks
+			elif [ "$cword" -eq "$((counter + 1))" ]; then
+				__docker_complete_containers_in_network "$prev"
+			fi
+			;;
+	esac
+}
+
+_docker_network_inspect() {
+	case "$prev" in
+		--format|-f)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format -f --help --verbose" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_networks
+	esac
+}
+
+_docker_network_ls() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		driver)
+			__docker_complete_plugins_bundled --cur "${cur##*=}" --type Network --add macvlan
+			return
+			;;
+		id)
+			__docker_complete_networks --cur "${cur##*=}" --id
+			return
+			;;
+		name)
+			__docker_complete_networks --cur "${cur##*=}" --name
+			return
+			;;
+		scope)
+			COMPREPLY=( $( compgen -W "global local swarm" -- "${cur##*=}" ) )
+			return
+			;;
+		type)
+			COMPREPLY=( $( compgen -W "builtin custom" -- "${cur##*=}" ) )
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "driver id label name scope type" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--filter -f --format --help --no-trunc --quiet -q" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_network_prune() {
+	case "$prev" in
+		--filter)
+			COMPREPLY=( $( compgen -W "label label! until" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--force -f --filter --help" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_network_rm() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_networks --filter type=custom
+	esac
+}
+
+_docker_network() {
+	local subcommands="
+		connect
+		create
+		disconnect
+		inspect
+		ls
+		prune
+		rm
+	"
+	local aliases="
+		list
+		remove
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_service() {
+	local subcommands="
+		create
+		inspect
+		logs
+		ls
+		rm
+		rollback
+		scale
+		ps
+		update
+	"
+
+	local aliases="
+		list
+		remove
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_service_create() {
+	_docker_service_update_and_create
+}
+
+_docker_service_inspect() {
+	case "$prev" in
+		--format|-f)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format -f --help --pretty" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_services
+	esac
+}
+
+_docker_service_logs() {
+	case "$prev" in
+		--since|--tail)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--details --follow -f --help --no-resolve --no-task-ids --no-trunc --raw --since --tail --timestamps -t" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--since|--tail')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_services_and_tasks
+			fi
+			;;
+	esac
+}
+
+_docker_service_list() {
+	_docker_service_ls
+}
+
+_docker_service_ls() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		id)
+			__docker_complete_services --cur "${cur##*=}" --id
+			return
+			;;
+		mode)
+			COMPREPLY=( $( compgen -W "global replicated" -- "${cur##*=}" ) )
+			return
+			;;
+		name)
+			__docker_complete_services --cur "${cur##*=}" --name
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -W "id label mode name" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--filter -f --format --help --quiet -q" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_service_remove() {
+	_docker_service_rm
+}
+
+_docker_service_rm() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_services
+	esac
+}
+
+_docker_service_rollback() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--detach -d --help --quit -q" -- "$cur" ) )
+			;;
+		*)
+			local counter=$( __docker_pos_first_nonflag )
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_services
+			fi
+			;;
+	esac
+}
+
+_docker_service_scale() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--detach -d --help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_services
+			__docker_append_to_completions "="
+			__docker_nospace
+			;;
+	esac
+}
+
+_docker_service_ps() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		desired-state)
+			COMPREPLY=( $( compgen -W "accepted running shutdown" -- "${cur##*=}" ) )
+			return
+			;;
+		name)
+			__docker_complete_services --cur "${cur##*=}" --name
+			return
+			;;
+		node)
+			__docker_complete_nodes --cur "${cur##*=}" --add self
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -W "desired-state id name node" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--filter -f --format --help --no-resolve --no-trunc --quiet -q" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_services
+			;;
+	esac
+}
+
+_docker_service_update() {
+	_docker_service_update_and_create
+}
+
+# _docker_service_update_and_create is the combined completion for `docker service create`
+# and `docker service update`
+_docker_service_update_and_create() {
+	local options_with_args="
+		--endpoint-mode
+		--entrypoint
+		--force
+		--health-cmd
+		--health-interval
+		--health-retries
+		--health-start-period
+		--health-timeout
+		--hostname
+		--isolation
+		--limit-cpu
+		--limit-memory
+		--log-driver
+		--log-opt
+		--replicas
+		--reserve-cpu
+		--reserve-memory
+		--restart-condition
+		--restart-delay
+		--restart-max-attempts
+		--restart-window
+		--rollback-delay
+		--rollback-failure-action
+		--rollback-max-failure-ratio
+		--rollback-monitor
+		--rollback-order
+		--rollback-parallelism
+		--stop-grace-period
+		--stop-signal
+		--update-delay
+		--update-failure-action
+		--update-max-failure-ratio
+		--update-monitor
+		--update-order
+		--update-parallelism
+		--user -u
+		--workdir -w
+	"
+	__docker_daemon_os_is windows && options_with_args+="
+		--credential-spec
+	"
+
+	local boolean_options="
+		--detach -d
+		--help
+		--init
+		--no-healthcheck
+		--read-only
+		--tty -t
+		--with-registry-auth
+	"
+
+	__docker_complete_log_driver_options && return
+
+	if [ "$subcommand" = "create" ] ; then
+		options_with_args="$options_with_args
+			--config
+			--constraint
+			--container-label
+			--dns
+			--dns-option
+			--dns-search
+			--env -e
+			--env-file
+			--generic-resource
+			--group
+			--host
+			--label -l
+			--mode
+			--mount
+			--name
+			--network
+			--placement-pref
+			--publish -p
+			--secret
+		"
+
+		case "$prev" in
+			--env-file)
+				_filedir
+				return
+				;;
+			--mode)
+				COMPREPLY=( $( compgen -W "global replicated" -- "$cur" ) )
+				return
+				;;
+		esac
+	fi
+	if [ "$subcommand" = "update" ] ; then
+		options_with_args="$options_with_args
+			--args
+			--config-add
+			--config-rm
+			--constraint-add
+			--constraint-rm
+			--container-label-add
+			--container-label-rm
+			--dns-add
+			--dns-option-add
+			--dns-option-rm
+			--dns-rm
+			--dns-search-add
+			--dns-search-rm
+			--env-add
+			--env-rm
+			--generic-resource-add
+			--generic-resource-rm
+			--group-add
+			--group-rm
+			--host-add
+			--host-rm
+			--image
+			--label-add
+			--label-rm
+			--mount-add
+			--mount-rm
+			--network-add
+			--network-rm
+			--placement-pref-add
+			--placement-pref-rm
+			--publish-add
+			--publish-rm
+			--rollback
+			--secret-add
+			--secret-rm
+		"
+
+		case "$prev" in
+			--env-rm)
+				COMPREPLY=( $( compgen -e -- "$cur" ) )
+				return
+				;;
+			--image)
+				__docker_complete_images --repo --tag --id
+				return
+				;;
+		esac
+	fi
+
+	local strategy=$(__docker_map_key_of_current_option '--placement-pref|--placement-pref-add|--placement-pref-rm')
+	case "$strategy" in
+		spread)
+			COMPREPLY=( $( compgen -W "engine.labels node.labels" -S . -- "${cur##*=}" ) )
+			__docker_nospace
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--config|--config-add|--config-rm)
+			__docker_complete_configs
+			return
+			;;
+		--endpoint-mode)
+			COMPREPLY=( $( compgen -W "dnsrr vip" -- "$cur" ) )
+			return
+			;;
+		--env|-e|--env-add)
+			# we do not append a "=" here because "-e VARNAME" is legal systax, too
+			COMPREPLY=( $( compgen -e -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--group|--group-add|--group-rm)
+			COMPREPLY=( $(compgen -g -- "$cur") )
+			return
+			;;
+		--host|--host-add|--host-rm)
+			case "$cur" in
+				*:)
+					__docker_complete_resolved_hostname
+					return
+					;;
+			esac
+			;;
+		--isolation)
+			__docker_complete_isolation
+			return
+			;;
+		--log-driver)
+			__docker_complete_log_drivers
+			return
+			;;
+		--log-opt)
+			__docker_complete_log_options
+			return
+			;;
+		--network|--network-add|--network-rm)
+			__docker_complete_networks
+			return
+			;;
+		--placement-pref|--placement-pref-add|--placement-pref-rm)
+			COMPREPLY=( $( compgen -W "spread" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--restart-condition)
+			COMPREPLY=( $( compgen -W "any none on-failure" -- "$cur" ) )
+			return
+			;;
+		--rollback-failure-action)
+			COMPREPLY=( $( compgen -W "continue pause" -- "$cur" ) )
+			return
+			;;
+		--secret|--secret-add|--secret-rm)
+			__docker_complete_secrets
+			return
+			;;
+		--stop-signal)
+			__docker_complete_signals
+			return
+			;;
+		--update-failure-action)
+			COMPREPLY=( $( compgen -W "continue pause rollback" -- "$cur" ) )
+			return
+			;;
+		--update-order|--rollback-order)
+			COMPREPLY=( $( compgen -W "start-first stop-first" -- "$cur" ) )
+			return
+			;;
+		--user|-u)
+			__docker_complete_user_group
+			return
+			;;
+		$(__docker_to_extglob "$options_with_args") )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "$boolean_options $options_with_args" -- "$cur" ) )
+			;;
+		*)
+			local counter=$( __docker_pos_first_nonflag "$( __docker_to_alternatives "$options_with_args" )" )
+			if [ "$subcommand" = "update" ] ; then
+				if [ "$cword" -eq "$counter" ]; then
+					__docker_complete_services
+				fi
+			else
+				if [ "$cword" -eq "$counter" ]; then
+					__docker_complete_images --repo --tag --id
+				fi
+			fi
+			;;
+	esac
+}
+
+_docker_swarm() {
+	local subcommands="
+		ca
+		init
+		join
+		join-token
+		leave
+		unlock
+		unlock-key
+		update
+	"
+	__docker_subcommands "$subcommands" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_swarm_ca() {
+	case "$prev" in
+		--ca-cert|--ca-key)
+			_filedir
+			return
+			;;
+		--cert-expiry|--external-ca)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--ca-cert --ca-key --cert-expiry --detach -d --external-ca --help --quiet -q --rotate" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_swarm_init() {
+	case "$prev" in
+		--advertise-addr)
+			if [[ $cur == *: ]] ; then
+				COMPREPLY=( $( compgen -W "2377" -- "${cur##*:}" ) )
+			else
+				__docker_complete_local_interfaces
+				__docker_nospace
+			fi
+			return
+			;;
+		--availability)
+			COMPREPLY=( $( compgen -W "active drain pause" -- "$cur" ) )
+			return
+			;;
+		--cert-expiry|--dispatcher-heartbeat|--external-ca|--max-snapshots|--snapshot-interval|--task-history-limit)
+			return
+			;;
+		--data-path-addr)
+			__docker_complete_local_interfaces
+			return
+			;;
+		--listen-addr)
+			if [[ $cur == *: ]] ; then
+				COMPREPLY=( $( compgen -W "2377" -- "${cur##*:}" ) )
+			else
+				__docker_complete_local_interfaces --add 0.0.0.0
+				__docker_nospace
+			fi
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--advertise-addr --autolock --availability --cert-expiry --data-path-addr --dispatcher-heartbeat --external-ca --force-new-cluster --help --listen-addr --max-snapshots --snapshot-interval --task-history-limit" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_swarm_join() {
+	case "$prev" in
+		--advertise-addr)
+			if [[ $cur == *: ]] ; then
+				COMPREPLY=( $( compgen -W "2377" -- "${cur##*:}" ) )
+			else
+				__docker_complete_local_interfaces
+				__docker_nospace
+			fi
+			return
+			;;
+		--availability)
+			COMPREPLY=( $( compgen -W "active drain pause" -- "$cur" ) )
+			return
+			;;
+		--data-path-addr)
+			__docker_complete_local_interfaces
+			return
+			;;
+		--listen-addr)
+			if [[ $cur == *: ]] ; then
+				COMPREPLY=( $( compgen -W "2377" -- "${cur##*:}" ) )
+			else
+				__docker_complete_local_interfaces --add 0.0.0.0
+				__docker_nospace
+			fi
+			return
+			;;
+		--token)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--advertise-addr --availability --data-path-addr --help --listen-addr --token" -- "$cur" ) )
+			;;
+		*:)
+			COMPREPLY=( $( compgen -W "2377" -- "${cur##*:}" ) )
+			;;
+	esac
+}
+
+_docker_swarm_join_token() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --quiet -q --rotate" -- "$cur" ) )
+			;;
+		*)
+			local counter=$( __docker_pos_first_nonflag )
+			if [ "$cword" -eq "$counter" ]; then
+				COMPREPLY=( $( compgen -W "manager worker" -- "$cur" ) )
+			fi
+			;;
+	esac
+}
+
+_docker_swarm_leave() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--force -f --help" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_swarm_unlock() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_swarm_unlock_key() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --quiet -q --rotate" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_swarm_update() {
+	case "$prev" in
+		--cert-expiry|--dispatcher-heartbeat|--external-ca|--max-snapshots|--snapshot-interval|--task-history-limit)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--autolock --cert-expiry --dispatcher-heartbeat --external-ca --help --max-snapshots --snapshot-interval --task-history-limit" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_node() {
+	local subcommands="
+		demote
+		inspect
+		ls
+		promote
+		rm
+		ps
+		update
+	"
+	local aliases="
+		list
+		remove
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_node_demote() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_nodes --filter role=manager
+	esac
+}
+
+_docker_node_inspect() {
+	case "$prev" in
+		--format|-f)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format -f --help --pretty" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_nodes --add self
+	esac
+}
+
+_docker_node_list() {
+	_docker_node_ls
+}
+
+_docker_node_ls() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		id)
+			__docker_complete_nodes --cur "${cur##*=}" --id
+			return
+			;;
+		membership)
+			COMPREPLY=( $( compgen -W "accepted pending" -- "${cur##*=}" ) )
+			return
+			;;
+		name)
+			__docker_complete_nodes --cur "${cur##*=}" --name
+			return
+			;;
+		role)
+			COMPREPLY=( $( compgen -W "manager worker" -- "${cur##*=}" ) )
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -W "id label membership name role" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--filter -f --format --help --quiet -q" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_node_promote() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_nodes --filter role=worker
+	esac
+}
+
+_docker_node_remove() {
+	_docker_node_rm
+}
+
+_docker_node_rm() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--force -f --help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_nodes
+	esac
+}
+
+_docker_node_ps() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		desired-state)
+			COMPREPLY=( $( compgen -W "accepted running shutdown" -- "${cur##*=}" ) )
+			return
+			;;
+		name)
+			__docker_complete_services --cur "${cur##*=}" --name
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -W "desired-state id label name" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--filter -f --format --help --no-resolve --no-trunc --quiet -q" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_nodes --add self
+			;;
+	esac
+}
+
+_docker_node_update() {
+	case "$prev" in
+		--availability)
+			COMPREPLY=( $( compgen -W "active drain pause" -- "$cur" ) )
+			return
+			;;
+		--role)
+			COMPREPLY=( $( compgen -W "manager worker" -- "$cur" ) )
+			return
+			;;
+		--label-add|--label-rm)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--availability --help --label-add --label-rm --role" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--availability|--label-add|--label-rm|--role')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_nodes
+			fi
+			;;
+	esac
+}
+
+_docker_pause() {
+	_docker_container_pause
+}
+
+_docker_plugin() {
+	local subcommands="
+		create
+		disable
+		enable
+		inspect
+		install
+		ls
+		push
+		rm
+		set
+		upgrade
+	"
+	local aliases="
+		list
+		remove
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_plugin_create() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--compress --help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				# reponame
+				return
+			elif [ "$cword" -eq  "$((counter + 1))" ]; then
+				_filedir -d
+			fi
+			;;
+	esac
+}
+
+_docker_plugin_disable() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--force -f --help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_plugins_installed --filter enabled=true
+			fi
+			;;
+	esac
+}
+
+_docker_plugin_enable() {
+	case "$prev" in
+		--timeout)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --timeout" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--timeout')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_plugins_installed --filter enabled=false
+			fi
+			;;
+	esac
+}
+
+_docker_plugin_inspect() {
+	case "$prev" in
+		--format|f)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format -f --help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_plugins_installed
+			;;
+	esac
+}
+
+_docker_plugin_install() {
+	case "$prev" in
+		--alias)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--alias --disable --disable-content-trust=false --grant-all-permissions --help" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_plugin_list() {
+	_docker_plugin_ls
+}
+
+_docker_plugin_ls() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		capability)
+			COMPREPLY=( $( compgen -W "authz ipamdriver logdriver metricscollector networkdriver volumedriver" -- "${cur##*=}" ) )
+			return
+			;;
+		enabled)
+			COMPREPLY=( $( compgen -W "false true" -- "${cur##*=}" ) )
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "capability enabled" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--filter -f --format --help --no-trunc --quiet -q" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_plugin_push() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_plugins_installed
+			fi
+			;;
+	esac
+}
+
+_docker_plugin_remove() {
+	_docker_plugin_rm
+}
+
+_docker_plugin_rm() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--force -f --help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_plugins_installed
+			;;
+	esac
+}
+
+_docker_plugin_set() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_plugins_installed
+			fi
+			;;
+	esac
+}
+
+_docker_plugin_upgrade() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--disable-content-trust --grant-all-permissions --help --skip-remote-check" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_plugins_installed
+				__ltrim_colon_completions "$cur"
+			elif [ "$cword" -eq  "$((counter + 1))" ]; then
+				local plugin_images="$(__docker_plugins_installed)"
+				COMPREPLY=( $(compgen -S : -W "${plugin_images%:*}" -- "$cur") )
+				__docker_nospace
+			fi
+			;;
+	esac
+}
+
+
+_docker_port() {
+	_docker_container_port
+}
+
+_docker_ps() {
+	_docker_container_ls
+}
+
+_docker_pull() {
+	_docker_image_pull
+}
+
+_docker_push() {
+	_docker_image_push
+}
+
+_docker_rename() {
+	_docker_container_rename
+}
+
+_docker_restart() {
+	_docker_container_restart
+}
+
+_docker_rm() {
+	_docker_container_rm
+}
+
+_docker_rmi() {
+	_docker_image_rm
+}
+
+_docker_run() {
+	_docker_container_run
+}
+
+_docker_save() {
+	_docker_image_save
+}
+
+
+_docker_secret() {
+	local subcommands="
+		create
+		inspect
+		ls
+		rm
+	"
+	local aliases="
+		list
+		remove
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_secret_create() {
+	case "$prev" in
+		--driver|-d|--label|-l)
+			return
+			;;
+		--template-driver)
+			COMPREPLY=( $( compgen -W "golang" -- "$cur" ) )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--driver -d --help --label -l --template-driver" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--driver|-d|--label|-l|--template-driver')
+			if [ "$cword" -eq "$((counter + 1))" ]; then
+				_filedir
+			fi
+			;;
+	esac
+}
+
+_docker_secret_inspect() {
+	case "$prev" in
+		--format|-f)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format -f --help --pretty" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_secrets
+			;;
+	esac
+}
+
+_docker_secret_list() {
+	_docker_secret_ls
+}
+
+_docker_secret_ls() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		id)
+			__docker_complete_secrets --cur "${cur##*=}" --id
+			return
+			;;
+		name)
+			__docker_complete_secrets --cur "${cur##*=}" --name
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "id label name" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format --filter -f --help --quiet -q" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_secret_remove() {
+	_docker_secret_rm
+}
+
+_docker_secret_rm() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_secrets
+			;;
+	esac
+}
+
+
+
+_docker_search() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		is-automated)
+			COMPREPLY=( $( compgen -W "false true" -- "${cur##*=}" ) )
+			return
+			;;
+		is-official)
+			COMPREPLY=( $( compgen -W "false true" -- "${cur##*=}" ) )
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "is-automated is-official stars" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format|--limit)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--filter -f --format --help --limit --no-trunc" -- "$cur" ) )
+			;;
+	esac
+}
+
+
+_docker_stack() {
+	local subcommands="
+		deploy
+		ls
+		ps
+		rm
+		services
+	"
+	local aliases="
+		down
+		list
+		remove
+		up
+	"
+
+	__docker_complete_stack_orchestrator_options && return
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			local options="--help --orchestrator"
+			__docker_stack_orchestrator_is kubernetes && options+=" --kubeconfig"
+			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_stack_deploy() {
+	__docker_complete_stack_orchestrator_options && return
+
+	case "$prev" in
+		--bundle-file)
+			_filedir dab
+			return
+			;;
+		--compose-file|-c)
+			_filedir yml
+			return
+			;;
+		--resolve-image)
+			COMPREPLY=( $( compgen -W "always changed never" -- "$cur" ) )
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			local options="--compose-file -c --help --orchestrator"
+			__docker_daemon_is_experimental && __docker_stack_orchestrator_is swarm && options+=" --bundle-file"
+			__docker_stack_orchestrator_is kubernetes && options+=" --kubeconfig --namespace"
+			__docker_stack_orchestrator_is swarm && options+=" --prune --resolve-image --with-registry-auth"
+			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--bundle-file|--compose-file|-c|--kubeconfig|--namespace|--orchestrator|--resolve-image')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_stacks
+			fi
+			;;
+	esac
+}
+
+_docker_stack_down() {
+	_docker_stack_rm
+}
+
+_docker_stack_list() {
+	_docker_stack_ls
+}
+
+_docker_stack_ls() {
+	__docker_complete_stack_orchestrator_options && return
+
+	case "$prev" in
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			local options="--format --help --orchestrator"
+			__docker_stack_orchestrator_is kubernetes && options+=" --all-namespaces --kubeconfig --namespace"
+			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_stack_ps() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		desired-state)
+			COMPREPLY=( $( compgen -W "accepted running shutdown" -- "${cur##*=}" ) )
+			return
+			;;
+		id)
+			__docker_complete_stacks --cur "${cur##*=}" --id
+			return
+			;;
+		name)
+			__docker_complete_stacks --cur "${cur##*=}" --name
+			return
+			;;
+	esac
+
+	__docker_complete_stack_orchestrator_options && return
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "id name desired-state" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			local options="--filter -f --format --help --no-resolve --no-trunc --orchestrator --quiet -q"
+			__docker_stack_orchestrator_is kubernetes && options+=" --all-namespaces --kubeconfig --namespace"
+			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--all-namespaces|--filter|-f|--format|--kubeconfig|--namespace')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_stacks
+			fi
+			;;
+	esac
+}
+
+_docker_stack_remove() {
+	_docker_stack_rm
+}
+
+_docker_stack_rm() {
+	__docker_complete_stack_orchestrator_options && return
+
+	case "$cur" in
+		-*)
+			local options="--help --orchestrator"
+			__docker_stack_orchestrator_is kubernetes && options+=" --kubeconfig --namespace"
+			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_stacks
+			;;
+	esac
+}
+
+_docker_stack_services() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		id)
+			__docker_complete_services --cur "${cur##*=}" --id
+			return
+			;;
+		label)
+			return
+			;;
+		name)
+			__docker_complete_services --cur "${cur##*=}" --name
+			return
+			;;
+	esac
+
+	__docker_complete_stack_orchestrator_options && return
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "id label name" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			local options="--filter -f --format --help --orchestrator --quiet -q"
+			__docker_stack_orchestrator_is kubernetes && options+=" --kubeconfig --namespace"
+			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag '--filter|-f|--format|--kubeconfig|--namespace|--orchestrator')
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_stacks
+			fi
+			;;
+	esac
+}
+
+_docker_stack_up() {
+	_docker_stack_deploy
+}
+
+
+_docker_start() {
+	_docker_container_start
+}
+
+_docker_stats() {
+	_docker_container_stats
+}
+
+_docker_stop() {
+	_docker_container_stop
+}
+
+
+_docker_system() {
+	local subcommands="
+		df
+		events
+		info
+		prune
+	"
+	__docker_subcommands "$subcommands" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_system_df() {
+	case "$prev" in
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format --help --verbose -v" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_system_events() {
+	local key=$(__docker_map_key_of_current_option '-f|--filter')
+	case "$key" in
+		container)
+			__docker_complete_containers_all --cur "${cur##*=}"
+			return
+			;;
+		daemon)
+			local name=$(__docker_q info | sed -n 's/^\(ID\|Name\): //p')
+			COMPREPLY=( $( compgen -W "$name" -- "${cur##*=}" ) )
+			return
+			;;
+		event)
+			COMPREPLY=( $( compgen -W "
+				attach
+				commit
+				connect
+				copy
+				create
+				delete
+				destroy
+				detach
+				die
+				disable
+				disconnect
+				enable
+				exec_create
+				exec_detach
+				exec_die
+				exec_start
+				export
+				health_status
+				import
+				install
+				kill
+				load
+				mount
+				oom
+				pause
+				pull
+				push
+				reload
+				remove
+				rename
+				resize
+				restart
+				save
+				start
+				stop
+				tag
+				top
+				unmount
+				unpause
+				untag
+				update
+			" -- "${cur##*=}" ) )
+			return
+			;;
+		image)
+			__docker_complete_images --cur "${cur##*=}" --repo --tag
+			return
+			;;
+		network)
+			__docker_complete_networks --cur "${cur##*=}"
+			return
+			;;
+		scope)
+			COMPREPLY=( $( compgen -W "local swarm" -- "${cur##*=}" ) )
+			return
+			;;
+		type)
+			COMPREPLY=( $( compgen -W "config container daemon image network plugin secret service volume" -- "${cur##*=}" ) )
+			return
+			;;
+		volume)
+			__docker_complete_volumes --cur "${cur##*=}"
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "container daemon event image label network scope type volume" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--since|--until)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--filter -f --help --since --until --format" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_system_info() {
+	case "$prev" in
+		--format|-f)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format -f --help" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_system_prune() {
+	case "$prev" in
+		--filter)
+			COMPREPLY=( $( compgen -W "label label! until" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--all -a --force -f --filter --help --volumes" -- "$cur" ) )
+			;;
+	esac
+}
+
+
+_docker_tag() {
+	_docker_image_tag
+}
+
+
+_docker_trust() {
+	local subcommands="
+		inspect
+		revoke
+		sign
+	"
+	__docker_subcommands "$subcommands" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_trust_inspect() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --pretty" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_images --repo --tag
+			fi
+			;;
+	esac
+}
+
+_docker_trust_revoke() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --yes -y" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_images --repo --tag
+			fi
+			;;
+	esac
+}
+
+_docker_trust_sign() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help --local" -- "$cur" ) )
+			;;
+		*)
+			local counter=$(__docker_pos_first_nonflag)
+			if [ "$cword" -eq "$counter" ]; then
+				__docker_complete_images --force-tag --id
+			fi
+			;;
+	esac
+}
+
+
+_docker_unpause() {
+	_docker_container_unpause
+}
+
+_docker_update() {
+	_docker_container_update
+}
+
+_docker_top() {
+	_docker_container_top
+}
+
+_docker_version() {
+	__docker_complete_stack_orchestrator_options && return
+
+	case "$prev" in
+		--format|-f)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			local options="--format -f --help"
+			__docker_stack_orchestrator_is kubernetes && options+=" --kubeconfig"
+			COMPREPLY=( $( compgen -W "$options" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_volume_create() {
+	case "$prev" in
+		--driver|-d)
+			__docker_complete_plugins_bundled --type Volume
+			return
+			;;
+		--label|--opt|-o)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--driver -d --help --label --opt -o" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_volume_inspect() {
+	case "$prev" in
+		--format|-f)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--format -f --help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_volumes
+			;;
+	esac
+}
+
+_docker_volume_list() {
+	_docker_volume_ls
+}
+
+_docker_volume_ls() {
+	local key=$(__docker_map_key_of_current_option '--filter|-f')
+	case "$key" in
+		dangling)
+			COMPREPLY=( $( compgen -W "true false" -- "${cur##*=}" ) )
+			return
+			;;
+		driver)
+			__docker_complete_plugins_bundled --cur "${cur##*=}" --type Volume
+			return
+			;;
+		name)
+			__docker_complete_volumes --cur "${cur##*=}"
+			return
+			;;
+	esac
+
+	case "$prev" in
+		--filter|-f)
+			COMPREPLY=( $( compgen -S = -W "dangling driver label name" -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+		--format)
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--filter -f --format --help --quiet -q" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_volume_prune() {
+	case "$prev" in
+		--filter)
+			COMPREPLY=( $( compgen -W "label label!" -S = -- "$cur" ) )
+			__docker_nospace
+			return
+			;;
+	esac
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--filter --force -f --help" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_volume_remove() {
+	_docker_volume_rm
+}
+
+_docker_volume_rm() {
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--force -f --help" -- "$cur" ) )
+			;;
+		*)
+			__docker_complete_volumes
+			;;
+	esac
+}
+
+_docker_volume() {
+	local subcommands="
+		create
+		inspect
+		ls
+		prune
+		rm
+	"
+	local aliases="
+		list
+		remove
+	"
+	__docker_subcommands "$subcommands $aliases" && return
+
+	case "$cur" in
+		-*)
+			COMPREPLY=( $( compgen -W "--help" -- "$cur" ) )
+			;;
+		*)
+			COMPREPLY=( $( compgen -W "$subcommands" -- "$cur" ) )
+			;;
+	esac
+}
+
+_docker_wait() {
+	_docker_container_wait
+}
+
+_docker() {
+	local previous_extglob_setting=$(shopt -p extglob)
+	shopt -s extglob
+
+	local management_commands=(
+		config
+		container
+		image
+		network
+		node
+		plugin
+		secret
+		service
+		stack
+		swarm
+		system
+		trust
+		volume
+	)
+
+	local top_level_commands=(
+		build
+		login
+		logout
+		run
+		search
+		version
+	)
+
+	local legacy_commands=(
+		attach
+		commit
+		cp
+		create
+		diff
+		events
+		exec
+		export
+		history
+		images
+		import
+		info
+		inspect
+		kill
+		load
+		logs
+		pause
+		port
+		ps
+		pull
+		push
+		rename
+		restart
+		rm
+		rmi
+		save
+		start
+		stats
+		stop
+		tag
+		top
+		unpause
+		update
+		wait
+	)
+
+	local experimental_commands=(
+		checkpoint
+		deploy
+	)
+
+	local commands=(${management_commands[*]} ${top_level_commands[*]})
+	[ -z "$DOCKER_HIDE_LEGACY_COMMANDS" ] && commands+=(${legacy_commands[*]})
+
+	# These options are valid as global options for all client commands
+	# and valid as command options for `docker daemon`
+	local global_boolean_options="
+		--debug -D
+		--tls
+		--tlsverify
+	"
+	local global_options_with_args="
+		--config
+		--host -H
+		--log-level -l
+		--tlscacert
+		--tlscert
+		--tlskey
+	"
+
+	local host config daemon_os
+
+	# variables to cache client info, populated on demand for performance reasons
+	local stack_orchestrator_is_kubernetes stack_orchestrator_is_swarm
+
+	COMPREPLY=()
+	local cur prev words cword
+	_get_comp_words_by_ref -n : cur prev words cword
+
+	local command='docker' command_pos=0 subcommand_pos
+	local counter=1
+	while [ "$counter" -lt "$cword" ]; do
+		case "${words[$counter]}" in
+			# save host so that completion can use custom daemon
+			--host|-H)
+				(( counter++ ))
+				host="${words[$counter]}"
+				;;
+			# save config so that completion can use custom configuration directories
+			--config)
+				(( counter++ ))
+				config="${words[$counter]}"
+				;;
+			$(__docker_to_extglob "$global_options_with_args") )
+				(( counter++ ))
+				;;
+			-*)
+				;;
+			=)
+				(( counter++ ))
+				;;
+			*)
+				command="${words[$counter]}"
+				command_pos=$counter
+				break
+				;;
+		esac
+		(( counter++ ))
+	done
+
+	local binary="${words[0]}"
+	if [[ $binary == ?(*/)dockerd ]] ; then
+		# for the dockerd binary, we reuse completion of `docker daemon`.
+		# dockerd does not have subcommands and global options.
+		command=daemon
+		command_pos=0
+	fi
+
+	local completions_func=_docker_${command//-/_}
+	declare -F $completions_func >/dev/null && $completions_func
+
+	eval "$previous_extglob_setting"
+	return 0
+}
+
+eval "$__docker_previous_extglob_setting"
+unset __docker_previous_extglob_setting
+
+complete -F _docker docker docker.exe dockerd dockerd.exe
diff --git a/cli/contrib/completion/fish/docker.fish b/cli/contrib/completion/fish/docker.fish
new file mode 100644
index 00000000..53c19e9c
--- /dev/null
+++ b/cli/contrib/completion/fish/docker.fish
@@ -0,0 +1,564 @@
+# docker.fish - docker completions for fish shell
+#
+# This file is generated by gen_docker_fish_completions.py from:
+# https://github.com/barnybug/docker-fish-completion
+#
+# To install the completions:
+# mkdir -p ~/.config/fish/completions
+# cp docker.fish ~/.config/fish/completions
+#
+# Completion supported:
+# - parameters
+# - commands
+# - containers
+# - images
+# - repositories
+
+function __fish_docker_no_subcommand --description 'Test if docker has yet to be given the subcommand'
+    for i in (commandline -opc)
+        if contains -- $i attach build commit cp create diff events exec export history images import info inspect kill load login logout logs pause port ps pull push rename restart rm rmi run save search start stop tag top trust unpause version wait stats
+            return 1
+        end
+    end
+    return 0
+end
+
+function __fish_print_docker_containers --description 'Print a list of docker containers' -a select
+    switch $select
+        case running
+            docker ps -a --no-trunc --filter status=running --format "{{.ID}}\n{{.Names}}" | tr ',' '\n'
+        case stopped
+            docker ps -a --no-trunc --filter status=exited --format "{{.ID}}\n{{.Names}}" | tr ',' '\n'
+        case all
+            docker ps -a --no-trunc --format "{{.ID}}\n{{.Names}}" | tr ',' '\n'
+    end
+end
+
+function __fish_docker_no_subcommand_trust --description 'Test if docker has yet to be given the trust subcommand'
+    if __fish_seen_subcommand_from trust
+        for i in (commandline -opc)
+            if contains -- $i inspect key revoke sign signer
+                return 1
+            end
+        end
+        return 0
+    end
+    return 1
+end
+
+function __fish_docker_subcommand_path --description 'Test if command has all arguments in any order'
+    set -l cmd (commandline -poc)
+    set -e cmd[1]
+    for sub in $argv
+        if not contains -- $sub $cmd
+            return 1
+        end
+    end
+    return 0
+end
+
+function __fish_docker_subcommand_path_without --description 'Test if command has all arguments in any order'
+    set -l cmd (commandline -poc)
+    set -e cmd[1]
+    for sub in $argv
+        if contains -- $sub $cmd
+            return 1
+        end
+    end
+    return 0
+end
+
+function __fish_print_docker_images --description 'Print a list of docker images'
+    docker images --format "{{.Repository}}:{{.Tag}}" | command grep -v '<none>'
+end
+
+function __fish_print_docker_repositories --description 'Print a list of docker repositories'
+    docker images --format "{{.Repository}}" | command grep -v '<none>' | command sort | command uniq
+end
+
+# common options
+complete -c docker -f -n '__fish_docker_no_subcommand' -l api-cors-header -d "Set CORS headers in the Engine API. Default is cors disabled"
+complete -c docker -f -n '__fish_docker_no_subcommand' -s b -l bridge -d 'Attach containers to a pre-existing network bridge'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l bip -d "Use this CIDR notation address for the network bridge's IP, not compatible with -b"
+complete -c docker -f -n '__fish_docker_no_subcommand' -s D -l debug -d 'Enable debug mode'
+complete -c docker -f -n '__fish_docker_no_subcommand' -s d -l daemon -d 'Enable daemon mode'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l dns -d 'Force Docker to use specific DNS servers'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l dns-opt -d 'Force Docker to use specific DNS options'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l dns-search -d 'Force Docker to use specific DNS search domains'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l exec-opt -d 'Set runtime execution options'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l fixed-cidr -d 'IPv4 subnet for fixed IPs (e.g. 10.20.0.0/16)'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l fixed-cidr-v6 -d 'IPv6 subnet for fixed IPs (e.g.: 2001:a02b/48)'
+complete -c docker -f -n '__fish_docker_no_subcommand' -s G -l group -d 'Group to assign the unix socket specified by -H when running in daemon mode'
+complete -c docker -f -n '__fish_docker_no_subcommand' -s g -l graph -d 'Path to use as the root of the Docker runtime'
+complete -c docker -f -n '__fish_docker_no_subcommand' -s H -l host -d 'The socket(s) to bind to in daemon mode or connect to in client mode, specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.'
+complete -c docker -f -n '__fish_docker_no_subcommand' -s h -l help -d 'Print usage'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l icc -d 'Allow unrestricted inter-container and Docker daemon host communication'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l insecure-registry -d 'Enable insecure communication with specified registries (no certificate verification for HTTPS and enable HTTP fallback) (e.g., localhost:5000 or 10.20.0.0/16)'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l ip -d 'Default IP address to use when binding container ports'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l ip-forward -d 'Enable net.ipv4.ip_forward and IPv6 forwarding if --fixed-cidr-v6 is defined. IPv6 forwarding may interfere with your existing IPv6 configuration when using Router Advertisement.'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l ip-masq -d "Enable IP masquerading for bridge's IP range"
+complete -c docker -f -n '__fish_docker_no_subcommand' -l iptables -d "Enable Docker's addition of iptables rules"
+complete -c docker -f -n '__fish_docker_no_subcommand' -l ipv6 -d 'Enable IPv6 networking'
+complete -c docker -f -n '__fish_docker_no_subcommand' -s l -l log-level -d 'Set the logging level ("debug", "info", "warn", "error", "fatal")'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l label -d 'Set key=value labels to the daemon (displayed in `docker info`)'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l mtu -d 'Set the containers network MTU'
+complete -c docker -f -n '__fish_docker_no_subcommand' -s p -l pidfile -d 'Path to use for daemon PID file'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l registry-mirror -d 'Specify a preferred Docker registry mirror'
+complete -c docker -f -n '__fish_docker_no_subcommand' -s s -l storage-driver -d 'Force the Docker runtime to use a specific storage driver'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l selinux-enabled -d 'Enable selinux support. SELinux does not presently support the BTRFS storage driver'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l storage-opt -d 'Set storage driver options'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l tls -d 'Use TLS; implied by --tlsverify'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l tlscacert -d 'Trust only remotes providing a certificate signed by the CA given here'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l tlscert -d 'Path to TLS certificate file'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l tlskey -d 'Path to TLS key file'
+complete -c docker -f -n '__fish_docker_no_subcommand' -l tlsverify -d 'Use TLS and verify the remote (daemon: verify client, client: verify daemon)'
+complete -c docker -f -n '__fish_docker_no_subcommand' -s v -l version -d 'Print version information and quit'
+
+# subcommands
+# attach
+complete -c docker -f -n '__fish_docker_no_subcommand' -a attach -d 'Attach local standard input, output, and error streams to a running container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from attach' -l detach-keys -d 'Override the key sequence for detaching a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from attach' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from attach' -l no-stdin -d 'Do not attach STDIN'
+complete -c docker -A -f -n '__fish_seen_subcommand_from attach' -l sig-proxy -d 'Proxy all received signals to the process'
+complete -c docker -A -f -n '__fish_seen_subcommand_from attach' -a '(__fish_print_docker_containers running)' -d "Container"
+
+# build
+complete -c docker -f -n '__fish_docker_no_subcommand' -a build -d 'Build an image from a Dockerfile'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l add-host -d 'Add a custom host-to-IP mapping (host:ip)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l build-arg -d 'Set build-time variables'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l cache-from -d 'Images to consider as cache sources'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l cgroup-parent -d 'Optional parent cgroup for the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l compress -d 'Compress the build context using gzip'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l cpu-period -d 'Limit the CPU CFS (Completely Fair Scheduler) period'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l cpu-quota -d 'Limit the CPU CFS (Completely Fair Scheduler) quota'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -s c -l cpu-shares -d 'CPU shares (relative weight)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l cpuset-cpus -d 'CPUs in which to allow execution (0-3, 0,1)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l cpuset-mems -d 'MEMs in which to allow execution (0-3, 0,1)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l disable-content-trust -d 'Skip image verification'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -s f -l file -d "Name of the Dockerfile (Default is ‘PATH/Dockerfile’)"
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l force-rm -d 'Always remove intermediate containers'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l iddfile -d 'Write the image ID to the file'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l isolation -d 'Container isolation technology'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l label -d 'Set metadata for an image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -s m -l memory -d 'Memory limit'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l memory-swap -d 'Swap limit equal to memory plus swap: ‘-1’ to enable unlimited swap'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l network -d 'Set the networking mode for the RUN instructions during build'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l no-cache -d 'Do not use cache when building the image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l pull -d 'Always attempt to pull a newer version of the image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -s q -l quiet -d 'Suppress the build output and print image ID on success'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l rm -d 'Remove intermediate containers after a successful build'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l security-opt -d 'Security options'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l shm-size -d 'Size of /dev/shm'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -s t -l tag -d 'Name and optionally a tag in the ‘name:tag’ format'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l target -d 'Set the target build stage to build'
+complete -c docker -A -f -n '__fish_seen_subcommand_from build' -l ulimit -d 'Ulimit options'
+
+# commit
+complete -c docker -f -n '__fish_docker_no_subcommand' -a commit -d "Create a new image from a container's changes"
+complete -c docker -A -f -n '__fish_seen_subcommand_from commit' -s a -l author -d 'Author (e.g., "John Hannibal Smith <hannibal@a-team.com>")'
+complete -c docker -A -f -n '__fish_seen_subcommand_from commit' -s c -l change -d 'Apply Dockerfile instruction to the created image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from commit' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from commit' -s m -l message -d 'Commit message'
+complete -c docker -A -f -n '__fish_seen_subcommand_from commit' -s p -l pause -d 'Pause container during commit'
+complete -c docker -A -f -n '__fish_seen_subcommand_from commit' -a '(__fish_print_docker_containers all)' -d "Container"
+
+# cp
+complete -c docker -f -n '__fish_docker_no_subcommand' -a cp -d "Copy files/folders between a container and the local filesystem"
+complete -c docker -A -f -n '__fish_seen_subcommand_from cp' -s a -l archive -d 'Archive mode (copy all uid/gid information)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from cp' -s L -l follow-link -d 'Always follow symbol link in SRC_PATH'
+complete -c docker -A -f -n '__fish_seen_subcommand_from cp' -l help -d 'Print usage'
+
+# create
+complete -c docker -f -n '__fish_docker_no_subcommand' -a create -d 'Create a new container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l add-host -d 'Add a custom host-to-IP mapping (host:ip)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s a -l attach -d 'Attach to STDIN, STDOUT or STDERR.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l blkio-weight -d 'Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l blkio-weight-device -d 'Block IO weight (relative device weight)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cap-add -d 'Add Linux capabilities'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cap-drop -d 'Drop Linux capabilities'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cgroup-parent -d 'Optional parent cgroup for the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cidfile -d 'Write the container ID to the file'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cpu-count -d 'CPU count (Windows only)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cpu-percent -d 'CPU percent (Windows only)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cpu-period -d 'Limit CPU CFS (Completely Fair Scheduler) period'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cpu-quota -d 'Limit CPU CFS (Completely Fair Scheduler) quota'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cpu-rt-period -d 'Limit CPU real-time period in microseconds'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cpu-rt-runtime -d 'Limit CPU real-time runtime in microseconds'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cpu-shares -d 'CPU shares (relative weight)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cpus -d 'Number of CPUs'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cpuset-cpus -d 'CPUs in which to allow execution (0-3, 0,1)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l cpuset-mems -d 'MEMs in which to allow execution (0-3, 0,1)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l device -d 'Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l device-cgroup-rule -d 'Add a rule to the cgroup allowed devices list'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l device-read-bps -d 'Limit read rate (bytes per second) from a device'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l device-read-iops -d 'Limit read rate (IO per second) from a device'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l device-write-bps -d 'Limit write rate (bytes per second) to a device'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l device-write-iops -d 'Limit write rate (IO per second) to a device'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l disable-content-trust -d 'Skip image verification'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l dns -d 'Set custom DNS servers'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l dns-opt -d 'Set DNS options'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l dns-option -d 'Set DNS options'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l dns-search -d 'Set custom DNS search domains'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s e -l env -d 'Set environment variables'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l entrypoint -d 'Overwrite the default ENTRYPOINT of the image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l env-file -d 'Read in a line delimited file of environment variables'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l expose -d 'Expose a port or a range of ports'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l group-add -d 'Add additional groups to join'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l health-cmd -d 'Command to run to check health'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l health-interval -d 'Time between running the check (ms|s|m|h) (default 0s)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l health-retries -d 'Consecutive failures needed to report unhealthy'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l health-start-period -d 'Start period for the container to initialize before starting health-retries countdown (ms|s|m|h) (default 0s)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l health-timeout -d 'Maximum time to allow one check to run (ms|s|m|h) (default 0s)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s h -l hostname -d 'Container host name'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l init -d 'Run an init inside the container that forwards signals and reaps processes'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s i -l interactive -d 'Keep STDIN open even if not attached'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l io-maxbandwidth -d 'Maximum IO bandwidth limit for the system drive (Windows only)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l io-maxiops -d 'Maximum IOps limit for the system drive (Windows only)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l ip -d 'IPv4 address (e.g., 172.30.100.104)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l ip6 -d 'IPv6 address (e.g., 2001:db8::33)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l ipc -d 'IPC mode to use'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l isolation -d 'Container isolation technology'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l kernel-memory -d 'Kernel memory limit'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s l -l label -d 'Set meta data on a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l label-file -d 'Read in a line delimited file of labels'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l link -d 'Add link to another container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l link-local-ip -d 'Container IPv4/IPv6 link-local addresses'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l log-driver -d 'Logging driver for the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l log-opt -d 'Log driver options'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l mac-address -d 'Container MAC address (e.g., 92:d0:c6:0a:29:33)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s m -l memory -d 'Memory limit'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l memory-reservation -d 'Memory soft limit'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l memory-swap -d 'Swap limit equal to memory plus swap: ‘-1’ to enable unlimited swap'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l memory-swappiness -d 'Tune container memory swappiness (0 to 100)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l mount -d 'Attach a filesystem mount to the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l name -d 'Assign a name to the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s net -l network -d 'Connect a container to a network'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s net-alias -l network-alias -d 'Add network-scoped alias for the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l no-healthcheck -d 'Disable any container-specified HEALTHCHECK'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l oom-kill-disable -d 'Disable OOM Killer'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l oom-score-adj -d 'Tune host’s OOM preferences (-1000 to 1000)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l pid -d 'PID namespace to use'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l pids-limit -d 'Tune container pids limit (set -1 for unlimited  )'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l privileged -d 'Give extended privileges to this container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s p -l publish -d "Publish a container’s port(s) to the host"
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s P -l publish-all -d 'Publish all exposed ports to random ports'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l read-only -d "Mount the container's root filesystem as read only"
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l restart -d 'Restart policy to apply when a container exits'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l rm -d 'Automatically remove the container when it exits'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l runtime -d 'Runtime to use for this container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l security-opt -d 'Security Options'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l shm-size -d 'Size of /dev/shm'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l stop-signal -d 'Signal to stop a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l stop-timeout -d 'Timeout (in seconds) to stop a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l storage-opt -d 'Storage driver options for the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l sysctl -d 'Sysctl options'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l tmpfs -d 'Mount a tmpfs directory'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s t -l tty -d 'Allocate a pseudo-TTY'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l ulimit -d 'Ulimit options'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s u -l user -d '  Username or UID (format: <name|uid>[:<group|gid>])'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l userns -d 'User namespace to use'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l uts -d 'UTS namespace to use'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s v -l volume -d 'Bind mount a volume'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l volume-driver -d 'Optional volume driver for the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l volumes-from -d 'Mount volumes from the specified container(s)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s w -l workdir -d 'Working directory inside the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -a '(__fish_print_docker_images)' -d "Image"
+
+# diff
+complete -c docker -f -n '__fish_docker_no_subcommand' -a diff -d "Inspect changes on a container's filesystem"
+complete -c docker -A -f -n '__fish_seen_subcommand_from diff' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from diff' -a '(__fish_print_docker_containers all)' -d "Container"
+
+# events
+complete -c docker -f -n '__fish_docker_no_subcommand' -a events -d 'Get real time events from the server'
+complete -c docker -A -f -n '__fish_seen_subcommand_from events' -s f -l filter -d "Filter output based on conditions provided"
+complete -c docker -A -f -n '__fish_seen_subcommand_from events' -l format -d 'Format the output using the given Go template'
+complete -c docker -A -f -n '__fish_seen_subcommand_from events' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from events' -l since -d 'Show all events created since timestamp'
+complete -c docker -A -f -n '__fish_seen_subcommand_from events' -l until -d 'Stream events until this timestamp'
+
+# exec
+complete -c docker -f -n '__fish_docker_no_subcommand' -a exec -d 'Run a command in a running container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from exec' -s d -l detach -d 'Detached mode: run command in the background'
+complete -c docker -A -f -n '__fish_seen_subcommand_from exec' -l detach-keys -d 'Override the key sequence for detaching a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from exec' -s e -l env -d 'Set environment variables'
+complete -c docker -A -f -n '__fish_seen_subcommand_from exec' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from exec' -s i -l interactive -d 'Keep STDIN open even if not attached'
+complete -c docker -A -f -n '__fish_seen_subcommand_from exec' -l privileged -d 'Give extended privileges to the command'
+complete -c docker -A -f -n '__fish_seen_subcommand_from exec' -s t -l tty -d 'Allocate a pseudo-TTY'
+complete -c docker -A -f -n '__fish_seen_subcommand_from exec' -s u -l user -d 'Username or UID (format: <name|uid>[:<group|gid>])'
+complete -c docker -A -f -n '__fish_seen_subcommand_from exec' -s w -l workdir -d 'Working directory inside the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from exec' -a '(__fish_print_docker_containers running)' -d "Container"
+
+# export
+complete -c docker -f -n '__fish_docker_no_subcommand' -a export -d 'Stream the contents of a container as a tar archive'
+complete -c docker -A -f -n '__fish_seen_subcommand_from export' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from export' -s o -l output -d 'Write to a file, instead of STDOUT'
+complete -c docker -A -f -n '__fish_seen_subcommand_from export' -a '(__fish_print_docker_containers all)' -d "Container"
+
+# history
+complete -c docker -f -n '__fish_docker_no_subcommand' -a history -d 'Show the history of an image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from history' -l format -d 'Pretty-print images using a Go template'
+complete -c docker -A -f -n '__fish_seen_subcommand_from history' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from history' -s H -l human -d 'Print sizes and dates in human readable format'
+complete -c docker -A -f -n '__fish_seen_subcommand_from history' -l no-trunc -d "Don't truncate output"
+complete -c docker -A -f -n '__fish_seen_subcommand_from history' -s q -l quiet -d 'Only show numeric IDs'
+complete -c docker -A -f -n '__fish_seen_subcommand_from history' -a '(__fish_print_docker_images)' -d "Image"
+
+# images
+complete -c docker -f -n '__fish_docker_no_subcommand' -a images -d 'List images'
+complete -c docker -A -f -n '__fish_seen_subcommand_from images' -s a -l all -d 'Show all images (default hides intermediate images)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from images' -l digests -d 'Show digests'
+complete -c docker -A -f -n '__fish_seen_subcommand_from images' -s f -l filter -d 'Filter output based on conditions provided'
+complete -c docker -A -f -n '__fish_seen_subcommand_from images' -l format -d 'Pretty-print images using a Go template'
+complete -c docker -A -f -n '__fish_seen_subcommand_from images' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from images' -l no-trunc -d "Don't truncate output"
+complete -c docker -A -f -n '__fish_seen_subcommand_from images' -s q -l quiet -d 'Only show numeric IDs'
+complete -c docker -A -f -n '__fish_seen_subcommand_from images' -a '(__fish_print_docker_repositories)' -d "Repository"
+
+# import
+complete -c docker -f -n '__fish_docker_no_subcommand' -a import -d 'Create a new filesystem image from the contents of a tarball'
+complete -c docker -A -f -n '__fish_seen_subcommand_from import' -s c -l change -d 'Apply Dockerfile instruction to the created image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from import' -s m -l message -d 'Set commit message for imported image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from import' -l help -d 'Print usage'
+
+# info
+complete -c docker -f -n '__fish_docker_no_subcommand' -a info -d 'Display system-wide information'
+complete -c docker -A -f -n '__fish_seen_subcommand_from info' -s f -l format  -d 'Format the output using the given go template'
+complete -c docker -A -f -n '__fish_seen_subcommand_from info' -l help -d 'Print usage'
+
+# inspect
+complete -c docker -f -n '__fish_docker_no_subcommand' -a inspect -d 'Return low-level information on a container or image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from inspect' -s f -l format -d 'Format the output using the given go template.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from inspect' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from inspect' -s s -l size -d 'Display total file sizes if the type is container.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from inspect' -l type -d 'Return JSON for specified type'
+complete -c docker -A -f -n '__fish_seen_subcommand_from inspect' -a '(__fish_print_docker_images)' -d "Image"
+complete -c docker -A -f -n '__fish_seen_subcommand_from inspect' -a '(__fish_print_docker_containers all)' -d "Container"
+
+# kill
+complete -c docker -f -n '__fish_docker_no_subcommand' -a kill -d 'Kill a running container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from kill' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from kill' -s s -l signal -d 'Signal to send to the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from kill' -a '(__fish_print_docker_containers running)' -d "Container"
+
+# load
+complete -c docker -f -n '__fish_docker_no_subcommand' -a load -d 'Load an image from a tar archive'
+complete -c docker -A -f -n '__fish_seen_subcommand_from load' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from load' -s i -l input -d 'Read from a tar archive file, instead of STDIN'
+complete -c docker -A -f -n '__fish_seen_subcommand_from load' -s q -l quiet -d 'Suppress the load output'
+
+# login
+complete -c docker -f -n '__fish_docker_no_subcommand' -a login -d 'Log in to a Docker registry server'
+complete -c docker -A -f -n '__fish_seen_subcommand_from login' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from login' -s p -l password -d 'Password'
+complete -c docker -A -f -n '__fish_seen_subcommand_from login' -l password-stdin -d 'Take the password from stdin'
+complete -c docker -A -f -n '__fish_seen_subcommand_from login' -s u -l username -d 'Username'
+
+# logout
+complete -c docker -f -n '__fish_docker_no_subcommand' -a logout -d 'Log out from a Docker registry server'
+
+# logs
+complete -c docker -f -n '__fish_docker_no_subcommand' -a logs -d 'Fetch the logs of a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from logs' -s f -l follow -d 'Follow log output'
+complete -c docker -A -f -n '__fish_seen_subcommand_from logs' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from logs' -s t -l timestamps -d 'Show timestamps'
+complete -c docker -A -f -n '__fish_seen_subcommand_from logs' -l since -d 'Show logs since timestamp'
+complete -c docker -A -f -n '__fish_seen_subcommand_from logs' -l tail -d 'Output the specified number of lines at the end of logs (defaults to all logs)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from logs' -a '(__fish_print_docker_containers running)' -d "Container"
+
+# port
+complete -c docker -f -n '__fish_docker_no_subcommand' -a port -d 'Lookup the public-facing port that is NAT-ed to PRIVATE_PORT'
+complete -c docker -A -f -n '__fish_seen_subcommand_from port' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from port' -a '(__fish_print_docker_containers running)' -d "Container"
+
+# pause
+complete -c docker -f -n '__fish_docker_no_subcommand' -a pause -d 'Pause all processes within a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from pause' -a '(__fish_print_docker_containers running)' -d "Container"
+
+# ps
+complete -c docker -f -n '__fish_docker_no_subcommand' -a ps -d 'List containers'
+complete -c docker -A -f -n '__fish_seen_subcommand_from ps' -s a -l all -d 'Show all containers. Only running containers are shown by default.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from ps' -l before -d 'Show only container created before Id or Name, include non-running ones.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from ps' -s f -l filter -d 'Provide filter values. Valid filters:'
+complete -c docker -A -f -n '__fish_seen_subcommand_from ps' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from ps' -s l -l latest -d 'Show only the latest created container, include non-running ones.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from ps' -s n -d 'Show n last created containers, include non-running ones.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from ps' -l no-trunc -d "Don't truncate output"
+complete -c docker -A -f -n '__fish_seen_subcommand_from ps' -s q -l quiet -d 'Only display numeric IDs'
+complete -c docker -A -f -n '__fish_seen_subcommand_from ps' -s s -l size -d 'Display total file sizes'
+complete -c docker -A -f -n '__fish_seen_subcommand_from ps' -l since -d 'Show only containers created since Id or Name, include non-running ones.'
+
+# pull
+complete -c docker -f -n '__fish_docker_no_subcommand' -a pull -d 'Pull an image or a repository from a Docker registry server'
+complete -c docker -A -f -n '__fish_seen_subcommand_from pull' -s a -l all-tags -d 'Download all tagged images in the repository'
+complete -c docker -A -f -n '__fish_seen_subcommand_from pull' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from pull' -a '(__fish_print_docker_images)' -d "Image"
+complete -c docker -A -f -n '__fish_seen_subcommand_from pull' -a '(__fish_print_docker_repositories)' -d "Repository"
+
+# push
+complete -c docker -f -n '__fish_docker_no_subcommand' -a push -d 'Push an image or a repository to a Docker registry server'
+complete -c docker -A -f -n '__fish_seen_subcommand_from push' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from push' -a '(__fish_print_docker_images)' -d "Image"
+complete -c docker -A -f -n '__fish_seen_subcommand_from push' -a '(__fish_print_docker_repositories)' -d "Repository"
+
+# rename
+complete -c docker -f -n '__fish_docker_no_subcommand' -a rename -d 'Rename an existing container'
+
+# restart
+complete -c docker -f -n '__fish_docker_no_subcommand' -a restart -d 'Restart a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from restart' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from restart' -s t -l time -d 'Number of seconds to try to stop for before killing the container. Once killed it will then be restarted. Default is 10 seconds.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from restart' -a '(__fish_print_docker_containers running)' -d "Container"
+
+# rm
+complete -c docker -f -n '__fish_docker_no_subcommand' -a rm -d 'Remove one or more containers'
+complete -c docker -A -f -n '__fish_seen_subcommand_from rm' -s f -l force -d 'Force the removal of a running container (uses SIGKILL)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from rm' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from rm' -s l -l link -d 'Remove the specified link and not the underlying container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from rm' -s v -l volumes -d 'Remove the volumes associated with the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from rm' -a '(__fish_print_docker_containers stopped)' -d "Container"
+complete -c docker -A -f -n '__fish_seen_subcommand_from rm' -s f -l force -a '(__fish_print_docker_containers all)' -d "Container"
+
+# rmi
+complete -c docker -f -n '__fish_docker_no_subcommand' -a rmi -d 'Remove one or more images'
+complete -c docker -A -f -n '__fish_seen_subcommand_from rmi' -s f -l force -d 'Force removal of the image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from rmi' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from rmi' -l no-prune -d 'Do not delete untagged parents'
+complete -c docker -A -f -n '__fish_seen_subcommand_from rmi' -a '(__fish_print_docker_images)' -d "Image"
+
+# run
+complete -c docker -f -n '__fish_docker_no_subcommand' -a run -d 'Run a command in a new container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s a -l attach -d 'Attach to STDIN, STDOUT or STDERR.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l add-host -d 'Add a custom host-to-IP mapping (host:ip)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s c -l cpu-shares -d 'CPU shares (relative weight)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l cap-add -d 'Add Linux capabilities'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l cap-drop -d 'Drop Linux capabilities'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l cidfile -d 'Write the container ID to the file'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l cpuset -d 'CPUs in which to allow execution (0-3, 0,1)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s d -l detach -d 'Detached mode: run the container in the background and print the new container ID'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l device -d 'Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l device-cgroup-rule -d 'Add a rule to the cgroup allowed devices list (e.g. --device-cgroup-rule="c 13:37 rwm")'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l dns -d 'Set custom DNS servers'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l dns-opt -d "Set custom DNS options (Use --dns-opt='' if you don't wish to set options)"
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l dns-search -d "Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain)"
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s e -l env -d 'Set environment variables'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l entrypoint -d 'Overwrite the default ENTRYPOINT of the image'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l env-file -d 'Read in a line delimited file of environment variables'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l expose -d 'Expose a port or a range of ports (e.g. --expose=3300-3310) from the container without publishing it to your host'
+complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l group-add -d 'Add additional groups to run as'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s h -l hostname -d 'Container host name'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s i -l interactive -d 'Keep STDIN open even if not attached'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l ipc -d 'Default is to create a private IPC namespace (POSIX SysV IPC) for the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l link -d 'Add link to another container in the form of <name|id>:alias'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s m -l memory -d 'Memory limit (format: <number>[<unit>], where unit = b, k, m or g)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l mac-address -d 'Container MAC address (e.g., 92:d0:c6:0a:29:33)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l memory-swap -d "Total memory usage (memory + swap), set '-1' to disable swap (format: <number>[<unit>], where unit = b, k, m or g)"
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l mount -d 'Attach a filesystem mount to the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l name -d 'Assign a name to the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l net -d 'Set the Network mode for the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s P -l publish-all -d 'Publish all exposed ports to random ports on the host interfaces'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s p -l publish -d "Publish a container's port to the host"
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l pid -d 'Default is to create a private PID namespace for the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l privileged -d 'Give extended privileges to this container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l read-only -d "Mount the container's root filesystem as read only"
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l restart -d 'Restart policy to apply when a container exits (no, on-failure[:max-retry], always)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l rm -d 'Automatically remove the container when it exits (incompatible with -d)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l security-opt -d 'Security Options'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l sig-proxy -d 'Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l stop-signal -d 'Signal to kill a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s t -l tty -d 'Allocate a pseudo-TTY'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s u -l user -d 'Username or UID'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l tmpfs -d 'Mount tmpfs on a directory'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s v -l volume -d 'Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l volumes-from -d 'Mount volumes from the specified container(s)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s w -l workdir -d 'Working directory inside the container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -a '(__fish_print_docker_images)' -d "Image"
+
+# save
+complete -c docker -f -n '__fish_docker_no_subcommand' -a save -d 'Save an image to a tar archive'
+complete -c docker -A -f -n '__fish_seen_subcommand_from save' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from save' -s o -l output -d 'Write to an file, instead of STDOUT'
+complete -c docker -A -f -n '__fish_seen_subcommand_from save' -a '(__fish_print_docker_images)' -d "Image"
+
+# search
+complete -c docker -f -n '__fish_docker_no_subcommand' -a search -d 'Search for an image on the registry (defaults to the Docker Hub)'
+complete -c docker -A -f -n '__fish_seen_subcommand_from search' -l automated -d 'Only show automated builds'
+complete -c docker -A -f -n '__fish_seen_subcommand_from search' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from search' -l no-trunc -d "Don't truncate output"
+complete -c docker -A -f -n '__fish_seen_subcommand_from search' -s s -l stars -d 'Only displays with at least x stars'
+
+# start
+complete -c docker -f -n '__fish_docker_no_subcommand' -a start -d 'Start a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from start' -s a -l attach -d "Attach container's STDOUT and STDERR and forward all signals to the process"
+complete -c docker -A -f -n '__fish_seen_subcommand_from start' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from start' -s i -l interactive -d "Attach container's STDIN"
+complete -c docker -A -f -n '__fish_seen_subcommand_from start' -a '(__fish_print_docker_containers stopped)' -d "Container"
+
+# stats
+complete -c docker -f -n '__fish_docker_no_subcommand' -a stats -d "Display a live stream of one or more containers' resource usage statistics"
+complete -c docker -A -f -n '__fish_seen_subcommand_from stats' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from stats' -l no-stream -d 'Disable streaming stats and only pull the first result'
+complete -c docker -A -f -n '__fish_seen_subcommand_from stats' -a '(__fish_print_docker_containers running)' -d "Container"
+
+# stop
+complete -c docker -f -n '__fish_docker_no_subcommand' -a stop -d 'Stop a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from stop' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from stop' -s t -l time -d 'Number of seconds to wait for the container to stop before killing it. Default is 10 seconds.'
+complete -c docker -A -f -n '__fish_seen_subcommand_from stop' -a '(__fish_print_docker_containers running)' -d "Container"
+
+# tag
+complete -c docker -f -n '__fish_docker_no_subcommand' -a tag -d 'Tag an image into a repository'
+complete -c docker -A -f -n '__fish_seen_subcommand_from tag' -s f -l force -d 'Force'
+complete -c docker -A -f -n '__fish_seen_subcommand_from tag' -l help -d 'Print usage'
+
+# top
+complete -c docker -f -n '__fish_docker_no_subcommand' -a top -d 'Lookup the running processes of a container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from top' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from top' -a '(__fish_print_docker_containers running)' -d "Container"
+
+#trust
+complete -c docker -f -n '__fish_docker_no_subcommand' -a trust -d 'Manage trust on Docker images'
+complete -c docker -A -f -n '__fish_seen_subcommand_from trust' -l help -d 'Print usage'
+
+#trust inspect
+complete -c docker -A -f -n '__fish_docker_no_subcommand_trust' -a inspect -d 'Return low-level information about keys and signatures'
+complete -c docker -A -f -n '__fish_docker_subcommand_path trust inspect' -l pretty -d 'Print the information in a human friendly format'
+
+#trust key
+complete -c docker -A -f -n '__fish_docker_no_subcommand_trust' -a key -d 'Manage keys for signing Docker images'
+complete -c docker -A -f -n '__fish_docker_subcommand_path trust key; and __fish_docker_subcommand_path_without generate load' -a generate -d 'Generate and load a signing key-pair'
+complete -c docker -A -f -n '__fish_docker_subcommand_path trust key load' -l dir -d 'Directory to generate key in, defaults to current directory'
+complete -c docker -A -f -n '__fish_docker_subcommand_path trust key; and __fish_docker_subcommand_path_without generate load' -a load -d 'Load a private key file for signing'
+complete -c docker -A -f -n '__fish_docker_subcommand_path trust key load' -l name -d 'Name for the loaded key (default "signer")'
+
+#trust revoke
+complete -c docker -A -f -n '__fish_docker_no_subcommand_trust' -a revoke -d 'Remove trust for an image'
+complete -c docker -A -f -n '__fish_docker_subcommand_path trust revoke' -s y -l yes -d 'Do not prompt for confirmation'
+
+#trust sign
+complete -c docker -A -f -n '__fish_docker_no_subcommand_trust' -a sign -d 'Sign an image'
+complete -c docker -A -f -n '__fish_docker_subcommand_path trust sign' -l local -d 'Sign a locally tagged image'
+
+#trust signer
+complete -c docker -A -f -n '__fish_docker_no_subcommand_trust' -a signer -d 'Manage entities who can sign Docker images'
+complete -c docker -A -f -n '__fish_docker_subcommand_path trust signer; and __fish_docker_subcommand_path_without add remove' -a add -d 'Add a signer'
+complete -c docker -A -f -n '__fish_docker_subcommand_path trust signer; and __fish_docker_subcommand_path_without add remove' -a remove -d 'remove a signer'
+
+# unpause
+complete -c docker -f -n '__fish_docker_no_subcommand' -a unpause -d 'Unpause a paused container'
+complete -c docker -A -f -n '__fish_seen_subcommand_from unpause' -a '(__fish_print_docker_containers running)' -d "Container"
+
+# version
+complete -c docker -f -n '__fish_docker_no_subcommand' -a version -d 'Show the Docker version information'
+complete -c docker -A -f -n '__fish_seen_subcommand_from version' -s f -l format  -d 'Format the output using the given go template'
+complete -c docker -A -f -n '__fish_seen_subcommand_from version' -l help -d 'Print usage'
+
+# wait
+complete -c docker -f -n '__fish_docker_no_subcommand' -a wait -d 'Block until a container stops, then print its exit code'
+complete -c docker -A -f -n '__fish_seen_subcommand_from wait' -l help -d 'Print usage'
+complete -c docker -A -f -n '__fish_seen_subcommand_from wait' -a '(__fish_print_docker_containers running)' -d "Container"
diff --git a/cli/contrib/completion/powershell/readme.txt b/cli/contrib/completion/powershell/readme.txt
new file mode 100644
index 00000000..daa82d8f
--- /dev/null
+++ b/cli/contrib/completion/powershell/readme.txt
@@ -0,0 +1,2 @@
+See https://github.com/matt9ucci/DockerCompletion
+or https://github.com/samneirinck/posh-docker
diff --git a/cli/contrib/completion/zsh/REVIEWERS b/cli/contrib/completion/zsh/REVIEWERS
new file mode 100644
index 00000000..03ee2dde
--- /dev/null
+++ b/cli/contrib/completion/zsh/REVIEWERS
@@ -0,0 +1,2 @@
+Tianon Gravi <admwiggin@gmail.com> (@tianon)
+Jessie Frazelle <jess@docker.com> (@jfrazelle)
diff --git a/cli/contrib/completion/zsh/_docker b/cli/contrib/completion/zsh/_docker
new file mode 100644
index 00000000..06519e94
--- /dev/null
+++ b/cli/contrib/completion/zsh/_docker
@@ -0,0 +1,3032 @@
+#compdef docker dockerd
+#
+# zsh completion for docker (http://docker.com)
+#
+# version:  0.3.0
+# github:   https://github.com/felixr/docker-zsh-completion
+#
+# contributors:
+#   - Felix Riedel
+#   - Steve Durrheimer
+#   - Vincent Bernat
+#
+# license:
+#
+# Copyright (c) 2013, Felix Riedel
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of the <organization> nor the
+#       names of its contributors may be used to endorse or promote products
+#       derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+# Short-option stacking can be enabled with:
+#  zstyle ':completion:*:*:docker:*' option-stacking yes
+#  zstyle ':completion:*:*:docker-*:*' option-stacking yes
+__docker_arguments() {
+    if zstyle -t ":completion:${curcontext}:" option-stacking; then
+        print -- -s
+    fi
+}
+
+__docker_get_containers() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    local kind type line s
+    declare -a running stopped lines args names
+
+    kind=$1; shift
+    type=$1; shift
+    [[ $kind = (stopped|all) ]] && args=($args -a)
+
+    lines=(${(f)${:-"$(_call_program commands docker $docker_options ps --format 'table' --no-trunc $args)"$'\n'}})
+
+    # Parse header line to find columns
+    local i=1 j=1 k header=${lines[1]}
+    declare -A begin end
+    while (( j < ${#header} - 1 )); do
+        i=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 1 ))
+        j=$(( i + ${${header[$i,-1]}[(i)  ]} - 1 ))
+        k=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 2 ))
+        begin[${header[$i,$((j-1))]}]=$i
+        end[${header[$i,$((j-1))]}]=$k
+    done
+    end[${header[$i,$((j-1))]}]=-1 # Last column, should go to the end of the line
+    lines=(${lines[2,-1]})
+
+    # Container ID
+    if [[ $type = (ids|all) ]]; then
+        for line in $lines; do
+            s="${${line[${begin[CONTAINER ID]},${end[CONTAINER ID]}]%% ##}[0,12]}"
+            s="$s:${(l:15:: :::)${${line[${begin[CREATED]},${end[CREATED]}]/ ago/}%% ##}}"
+            s="$s, ${${${line[${begin[IMAGE]},${end[IMAGE]}]}/:/\\:}%% ##}"
+            if [[ ${line[${begin[STATUS]},${end[STATUS]}]} = (Exit*|Created*) ]]; then
+                stopped=($stopped $s)
+            else
+                running=($running $s)
+            fi
+        done
+    fi
+
+    # Names: we only display the one without slash. All other names
+    # are generated and may clutter the completion. However, with
+    # Swarm, all names may be prefixed by the swarm node name.
+    if [[ $type = (names|all) ]]; then
+        for line in $lines; do
+            names=(${(ps:,:)${${line[${begin[NAMES]},${end[NAMES]}]}%% *}})
+            # First step: find a common prefix and strip it (swarm node case)
+            (( ${#${(u)names%%/*}} == 1 )) && names=${names#${names[1]%%/*}/}
+            # Second step: only keep the first name without a /
+            s=${${names:#*/*}[1]}
+            # If no name, well give up.
+            (( $#s != 0 )) || continue
+            s="$s:${(l:15:: :::)${${line[${begin[CREATED]},${end[CREATED]}]/ ago/}%% ##}}"
+            s="$s, ${${${line[${begin[IMAGE]},${end[IMAGE]}]}/:/\\:}%% ##}"
+            if [[ ${line[${begin[STATUS]},${end[STATUS]}]} = (Exit*|Created*) ]]; then
+                stopped=($stopped $s)
+            else
+                running=($running $s)
+            fi
+        done
+    fi
+
+    [[ $kind = (running|all) ]] && _describe -t containers-running "running containers" running "$@" && ret=0
+    [[ $kind = (stopped|all) ]] && _describe -t containers-stopped "stopped containers" stopped "$@" && ret=0
+    return ret
+}
+
+__docker_complete_stopped_containers() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_get_containers stopped all "$@"
+}
+
+__docker_complete_running_containers() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_get_containers running all "$@"
+}
+
+__docker_complete_containers() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_get_containers all all "$@"
+}
+
+__docker_complete_containers_ids() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_get_containers all ids "$@"
+}
+
+__docker_complete_containers_names() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_get_containers all names "$@"
+}
+
+__docker_complete_info_plugins() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    emulate -L zsh
+    setopt extendedglob
+    local -a plugins
+    plugins=(${(ps: :)${(M)${(f)${${"$(_call_program commands docker $docker_options info)"##*$'\n'Plugins:}%%$'\n'^ *}}:# $1: *}## $1: })
+    _describe -t plugins "$1 plugins" plugins && ret=0
+    return ret
+}
+
+__docker_complete_images() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    declare -a images
+    images=(${${${(f)${:-"$(_call_program commands docker $docker_options images)"$'\n'}}[2,-1]}/(#b)([^ ]##) ##([^ ]##) ##([^ ]##)*/${match[3]}:${(r:15:: :::)match[2]} in ${match[1]}})
+    _describe -t docker-images "images" images && ret=0
+    __docker_complete_repositories_with_tags && ret=0
+    return ret
+}
+
+__docker_complete_repositories() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    declare -a repos
+    repos=(${${${(f)${:-"$(_call_program commands docker $docker_options images)"$'\n'}}%% *}[2,-1]})
+    repos=(${repos#<none>})
+    _describe -t docker-repos "repositories" repos && ret=0
+    return ret
+}
+
+__docker_complete_repositories_with_tags() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    declare -a repos onlyrepos matched
+    declare m
+    repos=(${${${${(f)${:-"$(_call_program commands docker $docker_options images)"$'\n'}}[2,-1]}/ ##/:::}%% *})
+    repos=(${${repos%:::<none>}#<none>})
+    # Check if we have a prefix-match for the current prefix.
+    onlyrepos=(${repos%::*})
+    for m in $onlyrepos; do
+        [[ ${PREFIX##${~~m}} != ${PREFIX} ]] && {
+            # Yes, complete with tags
+            repos=(${${repos/:::/:}/:/\\:})
+            _describe -t docker-repos-with-tags "repositories with tags" repos && ret=0
+            return ret
+        }
+    done
+    # No, only complete repositories
+    onlyrepos=(${${repos%:::*}/:/\\:})
+    _describe -t docker-repos "repositories" onlyrepos -qS : && ret=0
+
+    return ret
+}
+
+__docker_search() {
+    [[ $PREFIX = -* ]] && return 1
+    local cache_policy
+    zstyle -s ":completion:${curcontext}:" cache-policy cache_policy
+    if [[ -z "$cache_policy" ]]; then
+        zstyle ":completion:${curcontext}:" cache-policy __docker_caching_policy
+    fi
+
+    local searchterm cachename
+    searchterm="${words[$CURRENT]%/}"
+    cachename=_docker-search-$searchterm
+
+    local expl
+    local -a result
+    if ( [[ ${(P)+cachename} -eq 0 ]] || _cache_invalid ${cachename#_} ) \
+        && ! _retrieve_cache ${cachename#_}; then
+        _message "Searching for ${searchterm}..."
+        result=(${${${(f)${:-"$(_call_program commands docker $docker_options search $searchterm)"$'\n'}}%% *}[2,-1]})
+        _store_cache ${cachename#_} result
+    fi
+    _wanted dockersearch expl 'available images' compadd -a result
+}
+
+__docker_get_log_options() {
+    [[ $PREFIX = -* ]] && return 1
+
+    integer ret=1
+    local log_driver=${opt_args[--log-driver]:-"all"}
+    local -a common_options common_options2 awslogs_options fluentd_options gelf_options journald_options json_file_options logentries_options syslog_options splunk_options
+
+    common_options=("max-buffer-size" "mode")
+    common_options2=("env" "env-regex" "labels")
+    awslogs_options=($common_options "awslogs-create-group" "awslogs-datetime-format" "awslogs-group" "awslogs-multiline-pattern" "awslogs-region" "awslogs-stream" "tag")
+    fluentd_options=($common_options $common_options2 "fluentd-address" "fluentd-async-connect" "fluentd-buffer-limit" "fluentd-retry-wait" "fluentd-max-retries" "fluentd-sub-second-precision" "tag")
+    gcplogs_options=($common_options $common_options2 "gcp-log-cmd" "gcp-meta-id" "gcp-meta-name" "gcp-meta-zone" "gcp-project")
+    gelf_options=($common_options $common_options2 "gelf-address" "gelf-compression-level" "gelf-compression-type" "tag")
+    journald_options=($common_options $common_options2 "tag")
+    json_file_options=($common_options $common_options2 "max-file" "max-size")
+    logentries_options=($common_options $common_options2 "logentries-token" "tag")
+    syslog_options=($common_options $common_options2 "syslog-address" "syslog-facility" "syslog-format" "syslog-tls-ca-cert" "syslog-tls-cert" "syslog-tls-key" "syslog-tls-skip-verify" "tag")
+    splunk_options=($common_options $common_options2 "splunk-caname" "splunk-capath" "splunk-format" "splunk-gzip" "splunk-gzip-level" "splunk-index" "splunk-insecureskipverify" "splunk-source" "splunk-sourcetype" "splunk-token" "splunk-url" "splunk-verify-connection" "tag")
+
+    [[ $log_driver = (awslogs|all) ]] && _describe -t awslogs-options "awslogs options" awslogs_options "$@" && ret=0
+    [[ $log_driver = (fluentd|all) ]] && _describe -t fluentd-options "fluentd options" fluentd_options "$@" && ret=0
+    [[ $log_driver = (gcplogs|all) ]] && _describe -t gcplogs-options "gcplogs options" gcplogs_options "$@" && ret=0
+    [[ $log_driver = (gelf|all) ]] && _describe -t gelf-options "gelf options" gelf_options "$@" && ret=0
+    [[ $log_driver = (journald|all) ]] && _describe -t journald-options "journald options" journald_options "$@" && ret=0
+    [[ $log_driver = (json-file|all) ]] && _describe -t json-file-options "json-file options" json_file_options "$@" && ret=0
+    [[ $log_driver = (logentries|all) ]] && _describe -t logentries-options "logentries options" logentries_options "$@" && ret=0
+    [[ $log_driver = (syslog|all) ]] && _describe -t syslog-options "syslog options" syslog_options "$@" && ret=0
+    [[ $log_driver = (splunk|all) ]] && _describe -t splunk-options "splunk options" splunk_options "$@" && ret=0
+
+    return ret
+}
+
+__docker_complete_log_drivers() {
+    [[ $PREFIX = -*  ]] && return 1
+    integer ret=1
+    drivers=(awslogs etwlogs fluentd gcplogs gelf journald json-file none splunk syslog)
+    _describe -t log-drivers "log drivers" drivers && ret=0
+    return ret
+}
+
+__docker_complete_log_options() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (syslog-format)
+                local opts=('rfc3164' 'rfc5424' 'rfc5424micro')
+                _describe -t syslog-format-opts "syslog format options" opts && ret=0
+                ;;
+            (mode)
+                local opts=('blocking' 'non-blocking')
+                _describe -t mode-opts "mode options" opts && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        __docker_get_log_options -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_complete_detach_keys() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    compset -P "*,"
+    keys=(${:-{a-z}})
+    ctrl_keys=(${:-ctrl-{{a-z},{@,'[','\\','^',']',_}}})
+    _describe -t detach_keys "[a-z]" keys -qS "," && ret=0
+    _describe -t detach_keys-ctrl "'ctrl-' + 'a-z @ [ \\\\ ] ^ _'" ctrl_keys -qS "," && ret=0
+}
+
+__docker_complete_pid() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    local -a opts vopts
+
+    opts=('host')
+    vopts=('container')
+
+    if compset -P '*:'; then
+        case "${${words[-1]%:*}#*=}" in
+            (container)
+                __docker_complete_running_containers && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        _describe -t pid-value-opts "PID Options with value" vopts -qS ":" && ret=0
+        _describe -t pid-opts "PID Options" opts && ret=0
+    fi
+
+    return ret
+}
+
+__docker_complete_runtimes() {
+    [[ $PREFIX = -*  ]] && return 1
+    integer ret=1
+
+    emulate -L zsh
+    setopt extendedglob
+    local -a runtimes_opts
+    runtimes_opts=(${(ps: :)${(f)${${"$(_call_program commands docker $docker_options info)"##*$'\n'Runtimes: }%%$'\n'^ *}}})
+    _describe -t runtimes-opts "runtimes options" runtimes_opts && ret=0
+}
+
+__docker_complete_ps_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (ancestor)
+                __docker_complete_images && ret=0
+                ;;
+            (before|since)
+                __docker_complete_containers && ret=0
+                ;;
+            (health)
+                health_opts=('healthy' 'none' 'starting' 'unhealthy')
+                _describe -t health-filter-opts "health filter options" health_opts && ret=0
+                ;;
+            (id)
+                __docker_complete_containers_ids && ret=0
+                ;;
+            (is-task)
+                _describe -t boolean-filter-opts "filter options" boolean_opts && ret=0
+                ;;
+            (name)
+                __docker_complete_containers_names && ret=0
+                ;;
+            (network)
+                __docker_complete_networks && ret=0
+                ;;
+            (status)
+                status_opts=('created' 'dead' 'exited' 'paused' 'restarting' 'running' 'removing')
+                _describe -t status-filter-opts "status filter options" status_opts && ret=0
+                ;;
+            (volume)
+                __docker_complete_volumes && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('ancestor' 'before' 'exited' 'expose' 'health' 'id' 'label' 'name' 'network' 'publish' 'since' 'status' 'volume')
+        _describe -t filter-opts "Filter Options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_complete_search_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    declare -a boolean_opts opts
+
+    boolean_opts=('true' 'false')
+    opts=('is-automated' 'is-official' 'stars')
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (is-automated|is-official)
+                _describe -t boolean-filter-opts "filter options" boolean_opts && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        _describe -t filter-opts "filter options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_complete_images_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    declare -a boolean_opts opts
+
+    boolean_opts=('true' 'false')
+    opts=('before' 'dangling' 'label' 'reference' 'since')
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (before|reference|since)
+                __docker_complete_images && ret=0
+                ;;
+            (dangling)
+                _describe -t boolean-filter-opts "filter options" boolean_opts && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        _describe -t filter-opts "Filter Options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_complete_events_filter() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    declare -a opts
+
+    opts=('container' 'daemon' 'event' 'image' 'label' 'network' 'scope' 'type' 'volume')
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (container)
+                __docker_complete_containers && ret=0
+                ;;
+            (daemon)
+                emulate -L zsh
+                setopt extendedglob
+                local -a daemon_opts
+                daemon_opts=(
+                    ${(f)${${"$(_call_program commands docker $docker_options info)"##*$'\n'Name: }%%$'\n'^ *}}
+                    ${${(f)${${"$(_call_program commands docker $docker_options info)"##*$'\n'ID: }%%$'\n'^ *}}//:/\\:}
+                )
+                _describe -t daemon-filter-opts "daemon filter options" daemon_opts && ret=0
+                ;;
+            (event)
+                local -a event_opts
+                event_opts=('attach' 'commit' 'connect' 'copy' 'create' 'delete' 'destroy' 'detach' 'die' 'disable' 'disconnect' 'enable' 'exec_create' 'exec_detach'
+                'exec_start' 'export' 'health_status' 'import' 'install' 'kill' 'load'  'mount' 'oom' 'pause' 'pull' 'push' 'reload' 'remove' 'rename' 'resize'
+                'restart' 'save' 'start' 'stop' 'tag' 'top' 'unmount' 'unpause' 'untag' 'update')
+                _describe -t event-filter-opts "event filter options" event_opts && ret=0
+                ;;
+            (image)
+                __docker_complete_images && ret=0
+                ;;
+            (network)
+                __docker_complete_networks && ret=0
+                ;;
+            (scope)
+                local -a scope_opts
+                scope_opts=('local' 'swarm')
+                _describe -t scope-filter-opts "scope filter options" scope_opts && ret=0
+                ;;
+            (type)
+                local -a type_opts
+                type_opts=('container' 'daemon' 'image' 'network' 'volume')
+                _describe -t type-filter-opts "type filter options" type_opts && ret=0
+                ;;
+            (volume)
+                __docker_complete_volumes && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        _describe -t filter-opts "filter options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_complete_prune_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    declare -a opts
+
+    opts=('until')
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        _describe -t filter-opts "filter options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+# BO checkpoint
+
+__docker_checkpoint_commands() {
+    local -a _docker_checkpoint_subcommands
+    _docker_checkpoint_subcommands=(
+        "create:Create a checkpoint from a running container"
+        "ls:List checkpoints for a container"
+        "rm:Remove a checkpoint"
+    )
+    _describe -t docker-checkpoint-commands "docker checkpoint command" _docker_checkpoint_subcommands
+}
+
+__docker_checkpoint_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (create)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--checkpoint-dir=[Use a custom checkpoint storage directory]:dir:_directories" \
+                "($help)--leave-running[Leave the container running after checkpoint]" \
+                "($help -)1:container:__docker_complete_running_containers" \
+                "($help -)2:checkpoint: " && ret=0
+            ;;
+        (ls|list)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--checkpoint-dir=[Use a custom checkpoint storage directory]:dir:_directories" \
+                "($help -)1:container:__docker_complete_containers" && ret=0
+            ;;
+        (rm|remove)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--checkpoint-dir=[Use a custom checkpoint storage directory]:dir:_directories" \
+                "($help -)1:container:__docker_complete_containers" \
+                "($help -)2:checkpoint: " && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_checkpoint_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO checkpoint
+
+# BO container
+
+__docker_container_commands() {
+    local -a _docker_container_subcommands
+    _docker_container_subcommands=(
+        "attach:Attach to a running container"
+        "commit:Create a new image from a container's changes"
+        "cp:Copy files/folders between a container and the local filesystem"
+        "create:Create a new container"
+        "diff:Inspect changes on a container's filesystem"
+        "exec:Run a command in a running container"
+        "export:Export a container's filesystem as a tar archive"
+        "inspect:Display detailed information on one or more containers"
+        "kill:Kill one or more running containers"
+        "logs:Fetch the logs of a container"
+        "ls:List containers"
+        "pause:Pause all processes within one or more containers"
+        "port:List port mappings or a specific mapping for the container"
+        "prune:Remove all stopped containers"
+        "rename:Rename a container"
+        "restart:Restart one or more containers"
+        "rm:Remove one or more containers"
+        "run:Run a command in a new container"
+        "start:Start one or more stopped containers"
+        "stats:Display a live stream of container(s) resource usage statistics"
+        "stop:Stop one or more running containers"
+        "top:Display the running processes of a container"
+        "unpause:Unpause all processes within one or more containers"
+        "update:Update configuration of one or more containers"
+        "wait:Block until one or more containers stop, then print their exit codes"
+    )
+    _describe -t docker-container-commands "docker container command" _docker_container_subcommands
+}
+
+__docker_container_subcommand() {
+    local -a _command_args opts_help opts_attach_exec_run_start opts_create_run opts_create_run_update
+    local expl help="--help"
+    integer ret=1
+
+    opts_attach_exec_run_start=(
+        "($help)--detach-keys=[Escape key sequence used to detach a container]:sequence:__docker_complete_detach_keys"
+    )
+    opts_create_run=(
+        "($help -a --attach)"{-a=,--attach=}"[Attach to stdin, stdout or stderr]:device:(STDIN STDOUT STDERR)"
+        "($help)*--add-host=[Add a custom host-to-IP mapping]:host\:ip mapping: "
+        "($help)*--blkio-weight-device=[Block IO (relative device weight)]:device:Block IO weight: "
+        "($help)*--cap-add=[Add Linux capabilities]:capability: "
+        "($help)*--cap-drop=[Drop Linux capabilities]:capability: "
+        "($help)--cgroup-parent=[Parent cgroup for the container]:cgroup: "
+        "($help)--cidfile=[Write the container ID to the file]:CID file:_files"
+        "($help)--cpus=[Number of CPUs (default 0.000)]:cpus: "
+        "($help)*--device=[Add a host device to the container]:device:_files"
+        "($help)*--device-cgroup-rule=[Add a rule to the cgroup allowed devices list]:device:cgroup: "
+        "($help)*--device-read-bps=[Limit the read rate (bytes per second) from a device]:device:IO rate: "
+        "($help)*--device-read-iops=[Limit the read rate (IO per second) from a device]:device:IO rate: "
+        "($help)*--device-write-bps=[Limit the write rate (bytes per second) to a device]:device:IO rate: "
+        "($help)*--device-write-iops=[Limit the write rate (IO per second) to a device]:device:IO rate: "
+        "($help)--disable-content-trust[Skip image verification]"
+        "($help)*--dns=[Custom DNS servers]:DNS server: "
+        "($help)*--dns-option=[Custom DNS options]:DNS option: "
+        "($help)*--dns-search=[Custom DNS search domains]:DNS domains: "
+        "($help)*"{-e=,--env=}"[Environment variables]:environment variable: "
+        "($help)--entrypoint=[Overwrite the default entrypoint of the image]:entry point: "
+        "($help)*--env-file=[Read environment variables from a file]:environment file:_files"
+        "($help)*--expose=[Expose a port from the container without publishing it]: "
+        "($help)*--group=[Set one or more supplementary user groups for the container]:group:_groups"
+        "($help -h --hostname)"{-h=,--hostname=}"[Container host name]:hostname:_hosts"
+        "($help -i --interactive)"{-i,--interactive}"[Keep stdin open even if not attached]"
+        "($help)--init[Run an init inside the container that forwards signals and reaps processes]"
+        "($help)--ip=[IPv4 address]:IPv4: "
+        "($help)--ip6=[IPv6 address]:IPv6: "
+        "($help)--ipc=[IPC namespace to use]:IPC namespace: "
+        "($help)--isolation=[Container isolation technology]:isolation:(default hyperv process)"
+        "($help)*--link=[Add link to another container]:link:->link"
+        "($help)*--link-local-ip=[Container IPv4/IPv6 link-local addresses]:IPv4/IPv6: "
+        "($help)*"{-l=,--label=}"[Container metadata]:label: "
+        "($help)--log-driver=[Default driver for container logs]:logging driver:__docker_complete_log_drivers"
+        "($help)*--log-opt=[Log driver specific options]:log driver options:__docker_complete_log_options"
+        "($help)--mac-address=[Container MAC address]:MAC address: "
+        "($help)*--mount=[Attach a filesystem mount to the container]:mount: "
+        "($help)--name=[Container name]:name: "
+        "($help)--network=[Connect a container to a network]:network mode:(bridge none container host)"
+        "($help)*--network-alias=[Add network-scoped alias for the container]:alias: "
+        "($help)--oom-kill-disable[Disable OOM Killer]"
+        "($help)--oom-score-adj[Tune the host's OOM preferences for containers (accepts -1000 to 1000)]"
+        "($help)--pids-limit[Tune container pids limit (set -1 for unlimited)]"
+        "($help -P --publish-all)"{-P,--publish-all}"[Publish all exposed ports]"
+        "($help)*"{-p=,--publish=}"[Expose a container's port to the host]:port:_ports"
+        "($help)--pid=[PID namespace to use]:PID namespace:__docker_complete_pid"
+        "($help)--privileged[Give extended privileges to this container]"
+        "($help)--read-only[Mount the container's root filesystem as read only]"
+        "($help)*--security-opt=[Security options]:security option: "
+        "($help)*--shm-size=[Size of '/dev/shm' (format is '<number><unit>')]:shm size: "
+        "($help)--stop-signal=[Signal to kill a container]:signal:_signals"
+        "($help)--stop-timeout=[Timeout (in seconds) to stop a container]:time: "
+        "($help)*--sysctl=-[sysctl options]:sysctl: "
+        "($help -t --tty)"{-t,--tty}"[Allocate a pseudo-tty]"
+        "($help -u --user)"{-u=,--user=}"[Username or UID]:user:_users"
+        "($help)*--ulimit=[ulimit options]:ulimit: "
+        "($help)--userns=[Container user namespace]:user namespace:(host)"
+        "($help)--tmpfs[mount tmpfs]"
+        "($help)*-v[Bind mount a volume]:volume: "
+        "($help)--volume-driver=[Optional volume driver for the container]:volume driver:(local)"
+        "($help)*--volumes-from=[Mount volumes from the specified container]:volume: "
+        "($help -w --workdir)"{-w=,--workdir=}"[Working directory inside the container]:directory:_directories"
+    )
+    opts_create_run_update=(
+        "($help)--blkio-weight=[Block IO (relative weight), between 10 and 1000]:Block IO weight:(10 100 500 1000)"
+        "($help -c --cpu-shares)"{-c=,--cpu-shares=}"[CPU shares (relative weight)]:CPU shares:(0 10 100 200 500 800 1000)"
+        "($help)--cpu-period=[Limit the CPU CFS (Completely Fair Scheduler) period]:CPU period: "
+        "($help)--cpu-quota=[Limit the CPU CFS (Completely Fair Scheduler) quota]:CPU quota: "
+        "($help)--cpu-rt-period=[Limit the CPU real-time period]:CPU real-time period in microseconds: "
+        "($help)--cpu-rt-runtime=[Limit the CPU real-time runtime]:CPU real-time runtime in microseconds: "
+        "($help)--cpuset-cpus=[CPUs in which to allow execution]:CPUs: "
+        "($help)--cpuset-mems=[MEMs in which to allow execution]:MEMs: "
+        "($help)--kernel-memory=[Kernel memory limit in bytes]:Memory limit: "
+        "($help -m --memory)"{-m=,--memory=}"[Memory limit]:Memory limit: "
+        "($help)--memory-reservation=[Memory soft limit]:Memory limit: "
+        "($help)--memory-swap=[Total memory limit with swap]:Memory limit: "
+        "($help)--restart=[Restart policy]:restart policy:(no on-failure always unless-stopped)"
+    )
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (attach)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                $opts_attach_exec_run_start \
+                "($help)--no-stdin[Do not attach stdin]" \
+                "($help)--sig-proxy[Proxy all received signals to the process (non-TTY mode only)]" \
+                "($help -):containers:__docker_complete_running_containers" && ret=0
+            ;;
+        (commit)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -a --author)"{-a=,--author=}"[Author]:author: " \
+                "($help)*"{-c=,--change=}"[Apply Dockerfile instruction to the created image]:Dockerfile:_files" \
+                "($help -m --message)"{-m=,--message=}"[Commit message]:message: " \
+                "($help -p --pause)"{-p,--pause}"[Pause container during commit]" \
+                "($help -):container:__docker_complete_containers" \
+                "($help -): :__docker_complete_repositories_with_tags" && ret=0
+            ;;
+        (cp)
+            local state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -L --follow-link)"{-L,--follow-link}"[Always follow symbol link]" \
+                "($help -)1:container:->container" \
+                "($help -)2:hostpath:_files" && ret=0
+            case $state in
+                (container)
+                    if compset -P "*:"; then
+                        _files && ret=0
+                    else
+                        __docker_complete_containers -qS ":" && ret=0
+                    fi
+                    ;;
+            esac
+            ;;
+        (create)
+            local state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                $opts_create_run \
+                $opts_create_run_update \
+                "($help -): :__docker_complete_images" \
+                "($help -):command: _command_names -e" \
+                "($help -)*::arguments: _normal" && ret=0
+            case $state in
+                (link)
+                    if compset -P "*:"; then
+                        _wanted alias expl "Alias" compadd -E "" && ret=0
+                    else
+                        __docker_complete_running_containers -qS ":" && ret=0
+                    fi
+                    ;;
+            esac
+            ;;
+        (diff)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)*:containers:__docker_complete_containers" && ret=0
+            ;;
+        (exec)
+            local state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                $opts_attach_exec_run_start \
+                "($help -d --detach)"{-d,--detach}"[Detached mode: leave the container running in the background]" \
+                "($help)*"{-e=,--env=}"[Set environment variables]:environment variable: " \
+                "($help -i --interactive)"{-i,--interactive}"[Keep stdin open even if not attached]" \
+                "($help)--privileged[Give extended Linux capabilities to the command]" \
+                "($help -t --tty)"{-t,--tty}"[Allocate a pseudo-tty]" \
+                "($help -u --user)"{-u=,--user=}"[Username or UID]:user:_users" \
+                "($help -w --workdir)"{-w=,--workdir=}"[Working directory inside the container]:directory:_directories" \
+                "($help -):containers:__docker_complete_running_containers" \
+                "($help -)*::command:->anycommand" && ret=0
+            case $state in
+                (anycommand)
+                    shift 1 words
+                    (( CURRENT-- ))
+                    _normal && ret=0
+                    ;;
+            esac
+            ;;
+        (export)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -o --output)"{-o=,--output=}"[Write to a file, instead of stdout]:output file:_files" \
+                "($help -)*:containers:__docker_complete_containers" && ret=0
+            ;;
+        (inspect)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given go template]:template: " \
+                "($help -s --size)"{-s,--size}"[Display total file sizes]" \
+                "($help -)*:containers:__docker_complete_containers" && ret=0
+            ;;
+        (kill)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -s --signal)"{-s=,--signal=}"[Signal to send]:signal:_signals" \
+                "($help -)*:containers:__docker_complete_running_containers" && ret=0
+            ;;
+        (logs)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--details[Show extra details provided to logs]" \
+                "($help -f --follow)"{-f,--follow}"[Follow log output]" \
+                "($help -s --since)"{-s=,--since=}"[Show logs since this timestamp]:timestamp: " \
+                "($help -t --timestamps)"{-t,--timestamps}"[Show timestamps]" \
+                "($help)--tail=[Output the last K lines]:lines:(1 10 20 50 all)" \
+                "($help -)*:containers:__docker_complete_containers" && ret=0
+            ;;
+        (ls|list)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -a --all)"{-a,--all}"[Show all containers]" \
+                "($help)--before=[Show only container created before...]:containers:__docker_complete_containers" \
+                "($help)*"{-f=,--filter=}"[Filter values]:filter:__docker_complete_ps_filters" \
+                "($help)--format=[Pretty-print containers using a Go template]:template: " \
+                "($help -l --latest)"{-l,--latest}"[Show only the latest created container]" \
+                "($help -n --last)"{-n=,--last=}"[Show n last created containers (includes all states)]:n:(1 5 10 25 50)" \
+                "($help)--no-trunc[Do not truncate output]" \
+                "($help -q --quiet)"{-q,--quiet}"[Only show numeric IDs]" \
+                "($help -s --size)"{-s,--size}"[Display total file sizes]" \
+                "($help)--since=[Show only containers created since...]:containers:__docker_complete_containers" && ret=0
+            ;;
+        (pause|unpause)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)*:containers:__docker_complete_running_containers" && ret=0
+            ;;
+        (port)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)1:containers:__docker_complete_running_containers" \
+                "($help -)2:port:_ports" && ret=0
+            ;;
+        (prune)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*--filter=[Filter values]:filter:__docker_complete_prune_filters" \
+                "($help -f --force)"{-f,--force}"[Do not prompt for confirmation]" && ret=0
+            ;;
+        (rename)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -):old name:__docker_complete_containers" \
+                "($help -):new name: " && ret=0
+            ;;
+        (restart)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -t --time)"{-t=,--time=}"[Number of seconds to try to stop for before killing the container]:seconds to before killing:(1 5 10 30 60)" \
+                "($help -)*:containers:__docker_complete_containers_ids" && ret=0
+            ;;
+        (rm)
+            local state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --force)"{-f,--force}"[Force removal]" \
+                "($help -l --link)"{-l,--link}"[Remove the specified link and not the underlying container]" \
+                "($help -v --volumes)"{-v,--volumes}"[Remove the volumes associated to the container]" \
+                "($help -)*:containers:->values" && ret=0
+            case $state in
+                (values)
+                    if [[ ${words[(r)-f]} == -f || ${words[(r)--force]} == --force ]]; then
+                        __docker_complete_containers && ret=0
+                    else
+                        __docker_complete_stopped_containers && ret=0
+                    fi
+                    ;;
+            esac
+            ;;
+        (run)
+            local state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                $opts_create_run \
+                $opts_create_run_update \
+                $opts_attach_exec_run_start \
+                "($help -d --detach)"{-d,--detach}"[Detached mode: leave the container running in the background]" \
+                "($help)--health-cmd=[Command to run to check health]:command: " \
+                "($help)--health-interval=[Time between running the check]:time: " \
+                "($help)--health-retries=[Consecutive failures needed to report unhealthy]:retries:(1 2 3 4 5)" \
+                "($help)--health-timeout=[Maximum time to allow one check to run]:time: " \
+                "($help)--no-healthcheck[Disable any container-specified HEALTHCHECK]" \
+                "($help)--rm[Remove intermediate containers when it exits]" \
+                "($help)--runtime=[Name of the runtime to be used for that container]:runtime:__docker_complete_runtimes" \
+                "($help)--sig-proxy[Proxy all received signals to the process (non-TTY mode only)]" \
+                "($help)--storage-opt=[Storage driver options for the container]:storage options:->storage-opt" \
+                "($help -): :__docker_complete_images" \
+                "($help -):command: _command_names -e" \
+                "($help -)*::arguments: _normal" && ret=0
+            case $state in
+                (link)
+                    if compset -P "*:"; then
+                        _wanted alias expl "Alias" compadd -E "" && ret=0
+                    else
+                        __docker_complete_running_containers -qS ":" && ret=0
+                    fi
+                    ;;
+                (storage-opt)
+                    if compset -P "*="; then
+                        _message "value" && ret=0
+                    else
+                        opts=('size')
+                        _describe -t filter-opts "storage options" opts -qS "=" && ret=0
+                    fi
+                    ;;
+            esac
+            ;;
+        (start)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                $opts_attach_exec_run_start \
+                "($help -a --attach)"{-a,--attach}"[Attach container's stdout/stderr and forward all signals]" \
+                "($help -i --interactive)"{-i,--interactive}"[Attach container's stdin]" \
+                "($help -)*:containers:__docker_complete_stopped_containers" && ret=0
+            ;;
+        (stats)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -a --all)"{-a,--all}"[Show all containers (default shows just running)]" \
+                "($help)--format=[Pretty-print images using a Go template]:template: " \
+                "($help)--no-stream[Disable streaming stats and only pull the first result]" \
+                "($help)--no-trunc[Do not truncate output]" \
+                "($help -)*:containers:__docker_complete_running_containers" && ret=0
+            ;;
+        (stop)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -t --time)"{-t=,--time=}"[Number of seconds to try to stop for before killing the container]:seconds to before killing:(1 5 10 30 60)" \
+                "($help -)*:containers:__docker_complete_running_containers" && ret=0
+            ;;
+        (top)
+            local state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)1:containers:__docker_complete_running_containers" \
+                "($help -)*:: :->ps-arguments" && ret=0
+            case $state in
+                (ps-arguments)
+                    _ps && ret=0
+                    ;;
+            esac
+            ;;
+        (update)
+            local state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                $opts_create_run_update \
+                "($help -)*: :->values" && ret=0
+            case $state in
+                (values)
+                    if [[ ${words[(r)--kernel-memory*]} = (--kernel-memory*) ]]; then
+                        __docker_complete_stopped_containers && ret=0
+                    else
+                        __docker_complete_containers && ret=0
+                    fi
+                    ;;
+            esac
+            ;;
+        (wait)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)*:containers:__docker_complete_running_containers" && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_container_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO container
+
+# BO image
+
+__docker_image_commands() {
+    local -a _docker_image_subcommands
+    _docker_image_subcommands=(
+        "build:Build an image from a Dockerfile"
+        "history:Show the history of an image"
+        "import:Import the contents from a tarball to create a filesystem image"
+        "inspect:Display detailed information on one or more images"
+        "load:Load an image from a tar archive or STDIN"
+        "ls:List images"
+        "prune:Remove unused images"
+        "pull:Pull an image or a repository from a registry"
+        "push:Push an image or a repository to a registry"
+        "rm:Remove one or more images"
+        "save:Save one or more images to a tar archive (streamed to STDOUT by default)"
+        "tag:Tag an image into a repository"
+    )
+    _describe -t docker-image-commands "docker image command" _docker_image_subcommands
+}
+
+__docker_image_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (build)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*--add-host=[Add a custom host-to-IP mapping]:host\:ip mapping: " \
+                "($help)*--build-arg=[Build-time variables]:<varname>=<value>: " \
+                "($help)*--cache-from=[Images to consider as cache sources]: :__docker_complete_repositories_with_tags" \
+                "($help -c --cpu-shares)"{-c=,--cpu-shares=}"[CPU shares (relative weight)]:CPU shares:(0 10 100 200 500 800 1000)" \
+                "($help)--cgroup-parent=[Parent cgroup for the container]:cgroup: " \
+                "($help)--compress[Compress the build context using gzip]" \
+                "($help)--cpu-period=[Limit the CPU CFS (Completely Fair Scheduler) period]:CPU period: " \
+                "($help)--cpu-quota=[Limit the CPU CFS (Completely Fair Scheduler) quota]:CPU quota: " \
+                "($help)--cpu-rt-period=[Limit the CPU real-time period]:CPU real-time period in microseconds: " \
+                "($help)--cpu-rt-runtime=[Limit the CPU real-time runtime]:CPU real-time runtime in microseconds: " \
+                "($help)--cpuset-cpus=[CPUs in which to allow execution]:CPUs: " \
+                "($help)--cpuset-mems=[MEMs in which to allow execution]:MEMs: " \
+                "($help)--disable-content-trust[Skip image verification]" \
+                "($help -f --file)"{-f=,--file=}"[Name of the Dockerfile]:Dockerfile:_files" \
+                "($help)--force-rm[Always remove intermediate containers]" \
+                "($help)--isolation=[Container isolation technology]:isolation:(default hyperv process)" \
+                "($help)*--label=[Set metadata for an image]:label=value: " \
+                "($help -m --memory)"{-m=,--memory=}"[Memory limit]:Memory limit: " \
+                "($help)--memory-swap=[Total memory limit with swap]:Memory limit: " \
+                "($help)--network=[Connect a container to a network]:network mode:(bridge none container host)" \
+                "($help)--no-cache[Do not use cache when building the image]" \
+                "($help)--pull[Attempt to pull a newer version of the image]" \
+                "($help -q --quiet)"{-q,--quiet}"[Suppress verbose build output]" \
+                "($help)--rm[Remove intermediate containers after a successful build]" \
+                "($help)*--shm-size=[Size of '/dev/shm' (format is '<number><unit>')]:shm size: " \
+                "($help)--squash[Squash newly built layers into a single new layer]" \
+                "($help -t --tag)*"{-t=,--tag=}"[Repository, name and tag for the image]: :__docker_complete_repositories_with_tags" \
+                "($help)*--ulimit=[ulimit options]:ulimit: " \
+                "($help)--userns=[Container user namespace]:user namespace:(host)" \
+                "($help -):path or URL:_directories" && ret=0
+            ;;
+        (history)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -H --human)"{-H,--human}"[Print sizes and dates in human readable format]" \
+                "($help)--no-trunc[Do not truncate output]" \
+                "($help -q --quiet)"{-q,--quiet}"[Only show numeric IDs]" \
+                "($help -)*: :__docker_complete_images" && ret=0
+            ;;
+        (import)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*"{-c=,--change=}"[Apply Dockerfile instruction to the created image]:Dockerfile:_files" \
+                "($help -m --message)"{-m=,--message=}"[Commit message for imported image]:message: " \
+                "($help -):URL:(- http:// file://)" \
+                "($help -): :__docker_complete_repositories_with_tags" && ret=0
+            ;;
+        (inspect)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given go template]:template: " \
+                "($help -)*:images:__docker_complete_images" && ret=0
+            ;;
+        (load)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -i --input)"{-i=,--input=}"[Read from tar archive file]:archive file:_files -g \"*.((tar|TAR)(.gz|.GZ|.Z|.bz2|.lzma|.xz|)|(tbz|tgz|txz))(-.)\"" \
+                "($help -q --quiet)"{-q,--quiet}"[Suppress the load output]" && ret=0
+            ;;
+        (ls|list)
+            local state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -a --all)"{-a,--all}"[Show all images]" \
+                "($help)--digests[Show digests]" \
+                "($help)*"{-f=,--filter=}"[Filter values]:filter:__docker_complete_images_filters" \
+                "($help)--format=[Pretty-print images using a Go template]:template: " \
+                "($help)--no-trunc[Do not truncate output]" \
+                "($help -q --quiet)"{-q,--quiet}"[Only show numeric IDs]" \
+                "($help -): :__docker_complete_repositories" && ret=0
+            ;;
+        (prune)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -a --all)"{-a,--all}"[Remove all unused images, not just dangling ones]" \
+                "($help)*--filter=[Filter values]:filter:__docker_complete_prune_filters" \
+                "($help -f --force)"{-f,--force}"[Do not prompt for confirmation]" && ret=0
+            ;;
+        (pull)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -a --all-tags)"{-a,--all-tags}"[Download all tagged images]" \
+                "($help)--disable-content-trust[Skip image verification]" \
+                "($help -):name:__docker_search" && ret=0
+            ;;
+        (push)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--disable-content-trust[Skip image signing]" \
+                "($help -): :__docker_complete_images" && ret=0
+            ;;
+        (rm)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --force)"{-f,--force}"[Force removal]" \
+                "($help)--no-prune[Do not delete untagged parents]" \
+                "($help -)*: :__docker_complete_images" && ret=0
+            ;;
+        (save)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -o --output)"{-o=,--output=}"[Write to file]:file:_files" \
+                "($help -)*: :__docker_complete_images" && ret=0
+            ;;
+        (tag)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -):source:__docker_complete_images"\
+                "($help -):destination:__docker_complete_repositories_with_tags" && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_container_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO image
+
+# BO network
+
+__docker_network_complete_ls_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (driver)
+                __docker_complete_info_plugins Network && ret=0
+                ;;
+            (id)
+                __docker_complete_networks_ids && ret=0
+                ;;
+            (name)
+                __docker_complete_networks_names && ret=0
+                ;;
+            (scope)
+                opts=('global' 'local' 'swarm')
+                _describe -t scope-filter-opts "Scope filter options" opts && ret=0
+                ;;
+            (type)
+                opts=('builtin' 'custom')
+                _describe -t type-filter-opts "Type filter options" opts && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('driver' 'id' 'label' 'name' 'scope' 'type')
+        _describe -t filter-opts "Filter Options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_get_networks() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    local line s
+    declare -a lines networks
+
+    type=$1; shift
+
+    lines=(${(f)${:-"$(_call_program commands docker $docker_options network ls)"$'\n'}})
+
+    # Parse header line to find columns
+    local i=1 j=1 k header=${lines[1]}
+    declare -A begin end
+    while (( j < ${#header} - 1 )); do
+        i=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 1 ))
+        j=$(( i + ${${header[$i,-1]}[(i)  ]} - 1 ))
+        k=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 2 ))
+        begin[${header[$i,$((j-1))]}]=$i
+        end[${header[$i,$((j-1))]}]=$k
+    done
+    end[${header[$i,$((j-1))]}]=-1
+    lines=(${lines[2,-1]})
+
+    # Network ID
+    if [[ $type = (ids|all) ]]; then
+        for line in $lines; do
+            s="${line[${begin[NETWORK ID]},${end[NETWORK ID]}]%% ##}"
+            s="$s:${(l:7:: :::)${${line[${begin[DRIVER]},${end[DRIVER]}]}%% ##}}"
+            s="$s, ${${line[${begin[SCOPE]},${end[SCOPE]}]}%% ##}"
+            networks=($networks $s)
+        done
+    fi
+
+    # Names
+    if [[ $type = (names|all) ]]; then
+        for line in $lines; do
+            s="${line[${begin[NAME]},${end[NAME]}]%% ##}"
+            s="$s:${(l:7:: :::)${${line[${begin[DRIVER]},${end[DRIVER]}]}%% ##}}"
+            s="$s, ${${line[${begin[SCOPE]},${end[SCOPE]}]}%% ##}"
+            networks=($networks $s)
+        done
+    fi
+
+    _describe -t networks-list "networks" networks "$@" && ret=0
+    return ret
+}
+
+__docker_complete_networks() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_get_networks all "$@"
+}
+
+__docker_complete_networks_ids() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_get_networks ids "$@"
+}
+
+__docker_complete_networks_names() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_get_networks names "$@"
+}
+
+__docker_network_commands() {
+    local -a _docker_network_subcommands
+    _docker_network_subcommands=(
+        "connect:Connect a container to a network"
+        "create:Creates a new network with a name specified by the user"
+        "disconnect:Disconnects a container from a network"
+        "inspect:Displays detailed information on a network"
+        "ls:Lists all the networks created by the user"
+        "prune:Remove all unused networks"
+        "rm:Deletes one or more networks"
+    )
+    _describe -t docker-network-commands "docker network command" _docker_network_subcommands
+}
+
+__docker_network_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (connect)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*--alias=[Add network-scoped alias for the container]:alias: " \
+                "($help)--ip=[IPv4 address]:IPv4: " \
+                "($help)--ip6=[IPv6 address]:IPv6: " \
+                "($help)*--link=[Add a link to another container]:link:->link" \
+                "($help)*--link-local-ip=[Add a link-local address for the container]:IPv4/IPv6: " \
+                "($help -)1:network:__docker_complete_networks" \
+                "($help -)2:containers:__docker_complete_containers" && ret=0
+
+            case $state in
+                (link)
+                    if compset -P "*:"; then
+                        _wanted alias expl "Alias" compadd -E "" && ret=0
+                    else
+                        __docker_complete_running_containers -qS ":" && ret=0
+                    fi
+                    ;;
+            esac
+            ;;
+        (create)
+            _arguments $(__docker_arguments) -A '-*' \
+                $opts_help \
+                "($help)--attachable[Enable manual container attachment]" \
+                "($help)*--aux-address[Auxiliary IPv4 or IPv6 addresses used by network driver]:key=IP: " \
+                "($help -d --driver)"{-d=,--driver=}"[Driver to manage the Network]:driver:(null host bridge overlay)" \
+                "($help)*--gateway=[IPv4 or IPv6 Gateway for the master subnet]:IP: " \
+                "($help)--internal[Restricts external access to the network]" \
+                "($help)*--ip-range=[Allocate container ip from a sub-range]:IP/mask: " \
+                "($help)--ipam-driver=[IP Address Management Driver]:driver:(default)" \
+                "($help)*--ipam-opt=[Custom IPAM plugin options]:opt=value: " \
+                "($help)--ipv6[Enable IPv6 networking]" \
+                "($help)*--label=[Set metadata on a network]:label=value: " \
+                "($help)*"{-o=,--opt=}"[Driver specific options]:opt=value: " \
+                "($help)*--subnet=[Subnet in CIDR format that represents a network segment]:IP/mask: " \
+                "($help -)1:Network Name: " && ret=0
+            ;;
+        (disconnect)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)1:network:__docker_complete_networks" \
+                "($help -)2:containers:__docker_complete_containers" && ret=0
+            ;;
+        (inspect)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given go template]:template: " \
+                "($help)--verbose[Show detailed information]" \
+                "($help -)*:network:__docker_complete_networks" && ret=0
+            ;;
+        (ls)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--no-trunc[Do not truncate the output]" \
+                "($help)*"{-f=,--filter=}"[Provide filter values]:filter:__docker_network_complete_ls_filters" \
+                "($help)--format=[Pretty-print networks using a Go template]:template: " \
+                "($help -q --quiet)"{-q,--quiet}"[Only display numeric IDs]" && ret=0
+            ;;
+        (prune)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*--filter=[Filter values]:filter:__docker_complete_prune_filters" \
+                "($help -f --force)"{-f,--force}"[Do not prompt for confirmation]" && ret=0
+            ;;
+        (rm)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)*:network:__docker_complete_networks" && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_network_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO network
+
+# BO node
+
+__docker_node_complete_ls_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (id)
+                __docker_complete_nodes_ids && ret=0
+                ;;
+            (membership)
+                membership_opts=('accepted' 'pending' 'rejected')
+                _describe -t membership-opts "membership options" membership_opts && ret=0
+                ;;
+            (name)
+                __docker_complete_nodes_names && ret=0
+                ;;
+            (role)
+                role_opts=('manager' 'worker')
+                _describe -t role-opts "role options" role_opts && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('id' 'label' 'membership' 'name' 'role')
+        _describe -t filter-opts "filter options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_node_complete_ps_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (desired-state)
+                state_opts=('accepted' 'running' 'shutdown')
+                _describe -t state-opts "desired state options" state_opts && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('desired-state' 'id' 'label' 'name')
+        _describe -t filter-opts "filter options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_nodes() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    local line s
+    declare -a lines nodes args
+
+    type=$1; shift
+    filter=$1; shift
+    [[ $filter != "none" ]] && args=("-f $filter")
+
+    lines=(${(f)${:-"$(_call_program commands docker $docker_options node ls $args)"$'\n'}})
+    # Parse header line to find columns
+    local i=1 j=1 k header=${lines[1]}
+    declare -A begin end
+    while (( j < ${#header} - 1 )); do
+        i=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 1 ))
+        j=$(( i + ${${header[$i,-1]}[(i)  ]} - 1 ))
+        k=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 2 ))
+        begin[${header[$i,$((j-1))]}]=$i
+        end[${header[$i,$((j-1))]}]=$k
+    done
+    end[${header[$i,$((j-1))]}]=-1
+    lines=(${lines[2,-1]})
+
+    # Node ID
+    if [[ $type = (ids|all) ]]; then
+        for line in $lines; do
+            s="${line[${begin[ID]},${end[ID]}]%% ##}"
+            nodes=($nodes $s)
+        done
+    fi
+
+    # Names
+    if [[ $type = (names|all) ]]; then
+        for line in $lines; do
+            s="${line[${begin[HOSTNAME]},${end[HOSTNAME]}]%% ##}"
+            nodes=($nodes $s)
+        done
+    fi
+
+    _describe -t nodes-list "nodes" nodes "$@" && ret=0
+    return ret
+}
+
+__docker_complete_nodes() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_nodes all none "$@"
+}
+
+__docker_complete_nodes_ids() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_nodes ids none "$@"
+}
+
+__docker_complete_nodes_names() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_nodes names none "$@"
+}
+
+__docker_complete_pending_nodes() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_nodes all "membership=pending" "$@"
+}
+
+__docker_complete_manager_nodes() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_nodes all "role=manager" "$@"
+}
+
+__docker_complete_worker_nodes() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_nodes all "role=worker" "$@"
+}
+
+__docker_node_commands() {
+    local -a _docker_node_subcommands
+    _docker_node_subcommands=(
+        "demote:Demote a node as manager in the swarm"
+        "inspect:Display detailed information on one or more nodes"
+        "ls:List nodes in the swarm"
+        "promote:Promote a node as manager in the swarm"
+        "rm:Remove one or more nodes from the swarm"
+        "ps:List tasks running on one or more nodes, defaults to current node"
+        "update:Update a node"
+    )
+    _describe -t docker-node-commands "docker node command" _docker_node_subcommands
+}
+
+__docker_node_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (rm|remove)
+             _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --force)"{-f,--force}"[Force remove a node from the swarm]" \
+                "($help -)*:node:__docker_complete_pending_nodes" && ret=0
+            ;;
+        (demote)
+             _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)*:node:__docker_complete_manager_nodes" && ret=0
+            ;;
+        (inspect)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given go template]:template: " \
+                "($help)--pretty[Print the information in a human friendly format]" \
+                "($help -)*:node:__docker_complete_nodes" && ret=0
+            ;;
+        (ls|list)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*"{-f=,--filter=}"[Provide filter values]:filter:__docker_node_complete_ls_filters" \
+                "($help -q --quiet)"{-q,--quiet}"[Only display IDs]" && ret=0
+            ;;
+        (promote)
+             _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)*:node:__docker_complete_worker_nodes" && ret=0
+            ;;
+        (ps)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -a --all)"{-a,--all}"[Display all instances]" \
+                "($help)*"{-f=,--filter=}"[Provide filter values]:filter:__docker_node_complete_ps_filters" \
+                "($help)--format=[Format the output using the given go template]:template: " \
+                "($help)--no-resolve[Do not map IDs to Names]" \
+                "($help)--no-trunc[Do not truncate output]" \
+                "($help -q --quiet)"{-q,--quiet}"[Only display IDs]" \
+                "($help -)*:node:__docker_complete_nodes" && ret=0
+            ;;
+        (update)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--availability=[Availability of the node]:availability:(active pause drain)" \
+                "($help)*--label-add=[Add or update a node label]:key=value: " \
+                "($help)*--label-rm=[Remove a node label if exists]:label: " \
+                "($help)--role=[Role of the node]:role:(manager worker)" \
+                "($help -)1:node:__docker_complete_nodes" && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_node_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO node
+
+# BO plugin
+
+__docker_plugin_complete_ls_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (capability)
+                opts=('authz' 'ipamdriver' 'logdriver' 'metricscollector' 'networkdriver' 'volumedriver')
+                _describe -t capability-opts "capability options" opts && ret=0
+                ;;
+            (enabled)
+                opts=('false' 'true')
+                _describe -t enabled-opts "enabled options" opts && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('capability' 'enabled')
+        _describe -t filter-opts "filter options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_plugins() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    local line s
+    declare -a lines plugins args
+
+    filter=$1; shift
+    [[ $filter != "none" ]] && args=("-f $filter")
+
+    lines=(${(f)${:-"$(_call_program commands docker $docker_options plugin ls $args)"$'\n'}})
+
+    # Parse header line to find columns
+    local i=1 j=1 k header=${lines[1]}
+    declare -A begin end
+    while (( j < ${#header} - 1 )); do
+        i=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 1 ))
+        j=$(( i + ${${header[$i,-1]}[(i)  ]} - 1 ))
+        k=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 2 ))
+        begin[${header[$i,$((j-1))]}]=$i
+        end[${header[$i,$((j-1))]}]=$k
+    done
+    end[${header[$i,$((j-1))]}]=-1
+    lines=(${lines[2,-1]})
+
+    # Name
+    for line in $lines; do
+        s="${line[${begin[NAME]},${end[NAME]}]%% ##}"
+        s="$s:${(l:7:: :::)${${line[${begin[TAG]},${end[TAG]}]}%% ##}}"
+        plugins=($plugins $s)
+    done
+
+    _describe -t plugins-list "plugins" plugins "$@" && ret=0
+    return ret
+}
+
+__docker_complete_plugins() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_plugins none "$@"
+}
+
+__docker_complete_enabled_plugins() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_plugins enabled=true "$@"
+}
+
+__docker_complete_disabled_plugins() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_plugins enabled=false "$@"
+}
+
+__docker_plugin_commands() {
+    local -a _docker_plugin_subcommands
+    _docker_plugin_subcommands=(
+        "disable:Disable a plugin"
+        "enable:Enable a plugin"
+        "inspect:Return low-level information about a plugin"
+        "install:Install a plugin"
+        "ls:List plugins"
+        "push:Push a plugin"
+        "rm:Remove a plugin"
+        "set:Change settings for a plugin"
+        "upgrade:Upgrade an existing plugin"
+    )
+    _describe -t docker-plugin-commands "docker plugin command" _docker_plugin_subcommands
+}
+
+__docker_plugin_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (disable)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --force)"{-f,--force}"[Force the disable of an active plugin]" \
+                "($help -)1:plugin:__docker_complete_enabled_plugins" && ret=0
+            ;;
+        (enable)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--timeout=[HTTP client timeout (in seconds)]:timeout: " \
+                "($help -)1:plugin:__docker_complete_disabled_plugins" && ret=0
+            ;;
+        (inspect)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given Go template]:template: " \
+                "($help -)*:plugin:__docker_complete_plugins" && ret=0
+            ;;
+        (install)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--alias=[Local name for plugin]:alias: " \
+                "($help)--disable[Do not enable the plugin on install]" \
+                "($help)--disable-content-trust[Skip image verification (default true)]" \
+                "($help)--grant-all-permissions[Grant all permissions necessary to run the plugin]" \
+                "($help -)1:plugin:__docker_complete_plugins" \
+                "($help -)*:key=value: " && ret=0
+            ;;
+        (ls|list)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*"{-f=,--filter=}"[Filter output based on conditions provided]:filter:__docker_plugin_complete_ls_filters" \
+                "($help --format)--format=[Format the output using the given Go template]:template: " \
+                "($help)--no-trunc[Don't truncate output]" \
+                "($help -q --quiet)"{-q,--quiet}"[Only display IDs]" && ret=0
+            ;;
+        (push)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--disable-content-trust[Skip image verification (default true)]" \
+                "($help -)1:plugin:__docker_complete_plugins" && ret=0
+            ;;
+        (rm|remove)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --force)"{-f,--force}"[Force the removal of an active plugin]" \
+                "($help -)*:plugin:__docker_complete_plugins" && ret=0
+            ;;
+        (set)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)1:plugin:__docker_complete_plugins" \
+                "($help -)*:key=value: " && ret=0
+            ;;
+        (upgrade)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--disable-content-trust[Skip image verification (default true)]" \
+                "($help)--grant-all-permissions[Grant all permissions necessary to run the plugin]" \
+                "($help)--skip-remote-check[Do not check if specified remote plugin matches existing plugin image]" \
+                "($help -)1:plugin:__docker_complete_plugins" \
+                "($help -):remote: " && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_plugin_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO plugin
+
+# BO secret
+
+__docker_secrets() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    local line s
+    declare -a lines secrets
+
+    type=$1; shift
+
+    lines=(${(f)${:-"$(_call_program commands docker $docker_options secret ls)"$'\n'}})
+
+    # Parse header line to find columns
+    local i=1 j=1 k header=${lines[1]}
+    declare -A begin end
+    while (( j < ${#header} - 1 )); do
+        i=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 1 ))
+        j=$(( i + ${${header[$i,-1]}[(i)  ]} - 1 ))
+        k=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 2 ))
+        begin[${header[$i,$((j-1))]}]=$i
+        end[${header[$i,$((j-1))]}]=$k
+    done
+    end[${header[$i,$((j-1))]}]=-1
+    lines=(${lines[2,-1]})
+
+    # ID
+    if [[ $type = (ids|all) ]]; then
+        for line in $lines; do
+            s="${line[${begin[ID]},${end[ID]}]%% ##}"
+            secrets=($secrets $s)
+        done
+    fi
+
+    # Names
+    if [[ $type = (names|all) ]]; then
+        for line in $lines; do
+            s="${line[${begin[NAME]},${end[NAME]}]%% ##}"
+            secrets=($secrets $s)
+        done
+    fi
+
+    _describe -t secrets-list "secrets" secrets "$@" && ret=0
+    return ret
+}
+
+__docker_complete_secrets() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_secrets all "$@"
+}
+
+__docker_secret_commands() {
+    local -a _docker_secret_subcommands
+    _docker_secret_subcommands=(
+        "create:Create a secret using stdin as content"
+        "inspect:Display detailed information on one or more secrets"
+        "ls:List secrets"
+        "rm:Remove one or more secrets"
+    )
+    _describe -t docker-secret-commands "docker secret command" _docker_secret_subcommands
+}
+
+__docker_secret_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (create)
+            _arguments $(__docker_arguments) -A '-*' \
+                $opts_help \
+                "($help)*"{-l=,--label=}"[Secret labels]:label: " \
+                "($help -):secret: " && ret=0
+            ;;
+        (inspect)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given Go template]:template: " \
+                "($help -)*:secret:__docker_complete_secrets" && ret=0
+            ;;
+        (ls|list)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--format=[Format the output using the given go template]:template: " \
+                "($help -q --quiet)"{-q,--quiet}"[Only display IDs]" && ret=0
+            ;;
+        (rm|remove)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)*:secret:__docker_complete_secrets" && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_secret_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO secret
+
+# BO service
+
+__docker_service_complete_ls_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (id)
+                __docker_complete_services_ids && ret=0
+                ;;
+            (mode)
+                opts=('global' 'replicated')
+                _describe -t mode-opts "mode options" opts && ret=0
+                ;;
+            (name)
+                __docker_complete_services_names && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('id' 'label' 'mode' 'name')
+        _describe -t filter-opts "filter options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_service_complete_ps_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (desired-state)
+                state_opts=('accepted' 'running' 'shutdown')
+                _describe -t state-opts "desired state options" state_opts && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('desired-state' 'id' 'label' 'name')
+        _describe -t filter-opts "filter options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_service_complete_placement_pref() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (spread)
+                opts=('engine.labels' 'node.labels')
+                _describe -t spread-opts "spread options" opts -qS "." && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('spread')
+        _describe -t pref-opts "placement pref options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_services() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    local line s
+    declare -a lines services
+
+    type=$1; shift
+
+    lines=(${(f)${:-"$(_call_program commands docker $docker_options service ls)"$'\n'}})
+
+    # Parse header line to find columns
+    local i=1 j=1 k header=${lines[1]}
+    declare -A begin end
+    while (( j < ${#header} - 1 )); do
+        i=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 1 ))
+        j=$(( i + ${${header[$i,-1]}[(i)  ]} - 1 ))
+        k=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 2 ))
+        begin[${header[$i,$((j-1))]}]=$i
+        end[${header[$i,$((j-1))]}]=$k
+    done
+    end[${header[$i,$((j-1))]}]=-1
+    lines=(${lines[2,-1]})
+
+    # Service ID
+    if [[ $type = (ids|all) ]]; then
+        for line in $lines; do
+            s="${line[${begin[ID]},${end[ID]}]%% ##}"
+            s="$s:${(l:7:: :::)${${line[${begin[IMAGE]},${end[IMAGE]}]}%% ##}}"
+            services=($services $s)
+        done
+    fi
+
+    # Names
+    if [[ $type = (names|all) ]]; then
+        for line in $lines; do
+            s="${line[${begin[NAME]},${end[NAME]}]%% ##}"
+            s="$s:${(l:7:: :::)${${line[${begin[IMAGE]},${end[IMAGE]}]}%% ##}}"
+            services=($services $s)
+        done
+    fi
+
+    _describe -t services-list "services" services "$@" && ret=0
+    return ret
+}
+
+__docker_complete_services() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_services all "$@"
+}
+
+__docker_complete_services_ids() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_services ids "$@"
+}
+
+__docker_complete_services_names() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_services names "$@"
+}
+
+__docker_service_commands() {
+    local -a _docker_service_subcommands
+    _docker_service_subcommands=(
+        "create:Create a new service"
+        "inspect:Display detailed information on one or more services"
+        "logs:Fetch the logs of a service or task"
+        "ls:List services"
+        "rm:Remove one or more services"
+        "rollback:Revert changes to a service's configuration"
+        "scale:Scale one or multiple replicated services"
+        "ps:List the tasks of a service"
+        "update:Update a service"
+    )
+    _describe -t docker-service-commands "docker service command" _docker_service_subcommands
+}
+
+__docker_service_subcommand() {
+    local -a _command_args opts_help opts_create_update
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+    opts_create_update=(
+        "($help)*--constraint=[Placement constraints]:constraint: "
+        "($help)--endpoint-mode=[Placement constraints]:mode:(dnsrr vip)"
+        "($help)*"{-e=,--env=}"[Set environment variables]:env: "
+        "($help)--health-cmd=[Command to run to check health]:command: "
+        "($help)--health-interval=[Time between running the check]:time: "
+        "($help)--health-retries=[Consecutive failures needed to report unhealthy]:retries:(1 2 3 4 5)"
+        "($help)--health-timeout=[Maximum time to allow one check to run]:time: "
+        "($help)--hostname=[Service container hostname]:hostname: " \
+        "($help)--isolation=[Service container isolation mode]:isolation:(default process hyperv)" \
+        "($help)*--label=[Service labels]:label: "
+        "($help)--limit-cpu=[Limit CPUs]:value: "
+        "($help)--limit-memory=[Limit Memory]:value: "
+        "($help)--log-driver=[Logging driver for service]:logging driver:__docker_complete_log_drivers"
+        "($help)*--log-opt=[Logging driver options]:log driver options:__docker_complete_log_options"
+        "($help)*--mount=[Attach a filesystem mount to the service]:mount: "
+        "($help)*--network=[Network attachments]:network: "
+        "($help)--no-healthcheck[Disable any container-specified HEALTHCHECK]"
+        "($help)--read-only[Mount the container's root filesystem as read only]"
+        "($help)--replicas=[Number of tasks]:replicas: "
+        "($help)--reserve-cpu=[Reserve CPUs]:value: "
+        "($help)--reserve-memory=[Reserve Memory]:value: "
+        "($help)--restart-condition=[Restart when condition is met]:mode:(any none on-failure)"
+        "($help)--restart-delay=[Delay between restart attempts]:delay: "
+        "($help)--restart-max-attempts=[Maximum number of restarts before giving up]:max-attempts: "
+        "($help)--restart-window=[Window used to evaluate the restart policy]:duration: "
+        "($help)--rollback-delay=[Delay between task rollbacks]:duration: "
+        "($help)--rollback-failure-action=[Action on rollback failure]:action:(continue pause)"
+        "($help)--rollback-max-failure-ratio=[Failure rate to tolerate during a rollback]:failure rate: "
+        "($help)--rollback-monitor=[Duration after each task rollback to monitor for failure]:duration: "
+        "($help)--rollback-parallelism=[Maximum number of tasks rolled back simultaneously]:number: "
+        "($help)*--secret=[Specify secrets to expose to the service]:secret:__docker_complete_secrets"
+        "($help)--stop-grace-period=[Time to wait before force killing a container]:grace period: "
+        "($help)--stop-signal=[Signal to stop the container]:signal:_signals"
+        "($help -t --tty)"{-t,--tty}"[Allocate a pseudo-TTY]"
+        "($help)--update-delay=[Delay between updates]:delay: "
+        "($help)--update-failure-action=[Action on update failure]:mode:(continue pause rollback)"
+        "($help)--update-max-failure-ratio=[Failure rate to tolerate during an update]:fraction: "
+        "($help)--update-monitor=[Duration after each task update to monitor for failure]:window: "
+        "($help)--update-parallelism=[Maximum number of tasks updated simultaneously]:number: "
+        "($help -u --user)"{-u=,--user=}"[Username or UID]:user:_users"
+        "($help)--with-registry-auth[Send registry authentication details to swarm agents]"
+        "($help -w --workdir)"{-w=,--workdir=}"[Working directory inside the container]:directory:_directories"
+    )
+
+    case "$words[1]" in
+        (create)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                $opts_create_update \
+                "($help)*--container-label=[Container labels]:label: " \
+                "($help)*--dns=[Set custom DNS servers]:DNS: " \
+                "($help)*--dns-option=[Set DNS options]:DNS option: " \
+                "($help)*--dns-search=[Set custom DNS search domains]:DNS search: " \
+                "($help)*--env-file=[Read environment variables from a file]:environment file:_files" \
+                "($help)--mode=[Service Mode]:mode:(global replicated)" \
+                "($help)--name=[Service name]:name: " \
+                "($help)*--placement-pref=[Add a placement preference]:pref:__docker_service_complete_placement_pref" \
+                "($help)*"{-p=,--publish=}"[Publish a port as a node port]:port: " \
+                "($help -): :__docker_complete_images" \
+                "($help -):command: _command_names -e" \
+                "($help -)*::arguments: _normal" && ret=0
+            ;;
+        (inspect)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given go template]:template: " \
+                "($help)--pretty[Print the information in a human friendly format]" \
+                "($help -)*:service:__docker_complete_services" && ret=0
+            ;;
+        (logs)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --follow)"{-f,--follow}"[Follow log output]" \
+                "($help)--no-resolve[Do not map IDs to Names]" \
+                "($help)--no-task-ids[Do not include task IDs]" \
+                "($help)--no-trunc[Do not truncate output]" \
+                "($help)--since=[Show logs since timestamp]:timestamp: " \
+                "($help)--tail=[Number of lines to show from the end of the logs]:lines:(1 10 20 50 all)" \
+                "($help -t --timestamps)"{-t,--timestamps}"[Show timestamps]" \
+                "($help -)1:service:__docker_complete_services" && ret=0
+            ;;
+        (ls|list)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*"{-f=,--filter=}"[Filter output based on conditions provided]:filter:__docker_service_complete_ls_filters" \
+                "($help)--format=[Pretty-print services using a Go template]:template: " \
+                "($help -q --quiet)"{-q,--quiet}"[Only display IDs]" && ret=0
+            ;;
+        (rm|remove)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -)*:service:__docker_complete_services" && ret=0
+            ;;
+        (rollback)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -d --detach)"{-d=false,--detach=false}"[Disable detached mode]" \
+                "($help -q --quiet)"{-q,--quiet}"[Suppress progress output]" \
+                "($help -)*:service:__docker_complete_services" && ret=0
+            ;;
+        (scale)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -d --detach)"{-d=false,--detach=false}"[Disable detached mode]" \
+                "($help -)*:service:->values" && ret=0
+            case $state in
+                (values)
+                    if compset -P '*='; then
+                        _message 'replicas' && ret=0
+                    else
+                        __docker_complete_services -qS "="
+                    fi
+                    ;;
+            esac
+            ;;
+        (ps)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*"{-f=,--filter=}"[Provide filter values]:filter:__docker_service_complete_ps_filters" \
+                "($help)--format=[Format the output using the given go template]:template: " \
+                "($help)--no-resolve[Do not map IDs to Names]" \
+                "($help)--no-trunc[Do not truncate output]" \
+                "($help -q --quiet)"{-q,--quiet}"[Only display task IDs]" \
+                "($help -)*:service:__docker_complete_services" && ret=0
+            ;;
+        (update)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                $opts_create_update \
+                "($help)--arg=[Service command args]:arguments: _normal" \
+                "($help)*--container-label-add=[Add or update container labels]:label: " \
+                "($help)*--container-label-rm=[Remove a container label by its key]:label: " \
+                "($help)*--dns-add=[Add or update custom DNS servers]:DNS: " \
+                "($help)*--dns-rm=[Remove custom DNS servers]:DNS: " \
+                "($help)*--dns-option-add=[Add or update DNS options]:DNS option: " \
+                "($help)*--dns-option-rm=[Remove DNS options]:DNS option: " \
+                "($help)*--dns-search-add=[Add or update custom DNS search domains]:DNS search: " \
+                "($help)*--dns-search-rm=[Remove DNS search domains]:DNS search: " \
+                "($help)--force[Force update]" \
+                "($help)*--group-add=[Add additional supplementary user groups to the container]:group:_groups" \
+                "($help)*--group-rm=[Remove previously added supplementary user groups from the container]:group:_groups" \
+                "($help)--image=[Service image tag]:image:__docker_complete_repositories" \
+                "($help)*--placement-pref-add=[Add a placement preference]:pref:__docker_service_complete_placement_pref" \
+                "($help)*--placement-pref-rm=[Remove a placement preference]:pref:__docker_service_complete_placement_pref" \
+                "($help)*--publish-add=[Add or update a port]:port: " \
+                "($help)*--publish-rm=[Remove a port(target-port mandatory)]:port: " \
+                "($help)--rollback[Rollback to previous specification]" \
+                "($help -)1:service:__docker_complete_services" && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_service_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO service
+
+# BO stack
+
+__docker_stack_complete_ps_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (desired-state)
+                state_opts=('accepted' 'running' 'shutdown')
+                _describe -t state-opts "desired state options" state_opts && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('desired-state' 'id' 'name')
+        _describe -t filter-opts "filter options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_stack_complete_services_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('id' 'label' 'name')
+        _describe -t filter-opts "filter options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_stacks() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    local line s
+    declare -a lines stacks
+
+    lines=(${(f)${:-"$(_call_program commands docker $docker_options stack ls)"$'\n'}})
+
+    # Parse header line to find columns
+    local i=1 j=1 k header=${lines[1]}
+    declare -A begin end
+    while (( j < ${#header} - 1 )); do
+        i=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 1 ))
+        j=$(( i + ${${header[$i,-1]}[(i)  ]} - 1 ))
+        k=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 2 ))
+        begin[${header[$i,$((j-1))]}]=$i
+        end[${header[$i,$((j-1))]}]=$k
+    done
+    end[${header[$i,$((j-1))]}]=-1
+    lines=(${lines[2,-1]})
+
+    # Service NAME
+    for line in $lines; do
+        s="${line[${begin[NAME]},${end[NAME]}]%% ##}"
+        stacks=($stacks $s)
+    done
+
+    _describe -t stacks-list "stacks" stacks "$@" && ret=0
+    return ret
+}
+
+__docker_complete_stacks() {
+    [[ $PREFIX = -* ]] && return 1
+    __docker_stacks "$@"
+}
+
+__docker_stack_commands() {
+    local -a _docker_stack_subcommands
+    _docker_stack_subcommands=(
+        "deploy:Deploy a new stack or update an existing stack"
+        "ls:List stacks"
+        "ps:List the tasks in the stack"
+        "rm:Remove the stack"
+        "services:List the services in the stack"
+    )
+    _describe -t docker-stack-commands "docker stack command" _docker_stack_subcommands
+}
+
+__docker_stack_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (deploy|up)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--bundle-file=[Path to a Distributed Application Bundle file]:dab:_files -g \"*.dab\"" \
+                "($help -c --compose-file)"{-c=,--compose-file=}"[Path to a Compose file, or '-' to read from stdin]:compose file:_files -g \"*.(yml|yaml)\"" \
+                "($help)--with-registry-auth[Send registry authentication details to Swarm agents]" \
+                "($help -):stack:__docker_complete_stacks" && ret=0
+            ;;
+        (ls|list)
+            _arguments $(__docker_arguments) \
+                $opts_help && ret=0
+            ;;
+        (ps)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -a --all)"{-a,--all}"[Display all tasks]" \
+                "($help)*"{-f=,--filter=}"[Filter output based on conditions provided]:filter:__docker_stack_complete_ps_filters" \
+                "($help)--format=[Format the output using the given go template]:template: " \
+                "($help)--no-resolve[Do not map IDs to Names]" \
+                "($help)--no-trunc[Do not truncate output]" \
+                "($help -q --quiet)"{-q,--quiet}"[Only display task IDs]" \
+                "($help -):stack:__docker_complete_stacks" && ret=0
+            ;;
+        (rm|remove|down)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -):stack:__docker_complete_stacks" && ret=0
+            ;;
+        (services)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*"{-f=,--filter=}"[Filter output based on conditions provided]:filter:__docker_stack_complete_services_filters" \
+                "($help)--format=[Pretty-print services using a Go template]:template: " \
+                "($help -q --quiet)"{-q,--quiet}"[Only display IDs]" \
+                "($help -):stack:__docker_complete_stacks" && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_stack_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO stack
+
+# BO swarm
+
+__docker_swarm_commands() {
+    local -a _docker_swarm_subcommands
+    _docker_swarm_subcommands=(
+        "init:Initialize a swarm"
+        "join:Join a swarm as a node and/or manager"
+        "join-token:Manage join tokens"
+        "leave:Leave a swarm"
+        "unlock:Unlock swarm"
+        "unlock-key:Manage the unlock key"
+        "update:Update the swarm"
+    )
+    _describe -t docker-swarm-commands "docker swarm command" _docker_swarm_subcommands
+}
+
+__docker_swarm_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (init)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--advertise-addr=[Advertised address]:ip\:port: " \
+                "($help)--data-path-addr=[Data path IP or interface]:ip " \
+                "($help)--autolock[Enable manager autolocking]" \
+                "($help)--availability=[Availability of the node]:availability:(active drain pause)" \
+                "($help)--cert-expiry=[Validity period for node certificates]:duration: " \
+                "($help)--dispatcher-heartbeat=[Dispatcher heartbeat period]:duration: " \
+                "($help)*--external-ca=[Specifications of one or more certificate signing endpoints]:endpoint: " \
+                "($help)--force-new-cluster[Force create a new cluster from current state]" \
+                "($help)--listen-addr=[Listen address]:ip\:port: " \
+                "($help)--max-snapshots[Number of additional Raft snapshots to retain]" \
+                "($help)--snapshot-interval[Number of log entries between Raft snapshots]" \
+                "($help)--task-history-limit=[Task history retention limit]:limit: " && ret=0
+            ;;
+        (join)
+            _arguments $(__docker_arguments) -A '-*' \
+                $opts_help \
+                "($help)--advertise-addr=[Advertised address]:ip\:port: " \
+                "($help)--data-path-addr=[Data path IP or interface]:ip " \
+                "($help)--availability=[Availability of the node]:availability:(active drain pause)" \
+                "($help)--listen-addr=[Listen address]:ip\:port: " \
+                "($help)--token=[Token for entry into the swarm]:secret: " \
+                "($help -):host\:port: " && ret=0
+            ;;
+        (join-token)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -q --quiet)"{-q,--quiet}"[Only display token]" \
+                "($help)--rotate[Rotate join token]" \
+                "($help -):role:(manager worker)" && ret=0
+            ;;
+        (leave)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --force)"{-f,--force}"[Force this node to leave the swarm, ignoring warnings]" && ret=0
+            ;;
+        (unlock)
+            _arguments $(__docker_arguments) \
+                $opts_help && ret=0
+            ;;
+        (unlock-key)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -q --quiet)"{-q,--quiet}"[Only display token]" \
+                "($help)--rotate[Rotate unlock token]" && ret=0
+            ;;
+        (update)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)--autolock[Enable manager autolocking]" \
+                "($help)--cert-expiry=[Validity period for node certificates]:duration: " \
+                "($help)--dispatcher-heartbeat=[Dispatcher heartbeat period]:duration: " \
+                "($help)*--external-ca=[Specifications of one or more certificate signing endpoints]:endpoint: " \
+                "($help)--max-snapshots[Number of additional Raft snapshots to retain]" \
+                "($help)--snapshot-interval[Number of log entries between Raft snapshots]" \
+                "($help)--task-history-limit=[Task history retention limit]:limit: " && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_network_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO swarm
+
+# BO system
+
+__docker_system_commands() {
+    local -a _docker_system_subcommands
+    _docker_system_subcommands=(
+        "df:Show docker filesystem usage"
+        "events:Get real time events from the server"
+        "info:Display system-wide information"
+        "prune:Remove unused data"
+    )
+    _describe -t docker-system-commands "docker system command" _docker_system_subcommands
+}
+
+__docker_system_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (df)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -v --verbose)"{-v,--verbose}"[Show detailed information on space usage]" && ret=0
+            ;;
+        (events)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*"{-f=,--filter=}"[Filter values]:filter:__docker_complete_events_filter" \
+                "($help)--since=[Events created since this timestamp]:timestamp: " \
+                "($help)--until=[Events created until this timestamp]:timestamp: " \
+                "($help)--format=[Format the output using the given go template]:template: " && ret=0
+            ;;
+        (info)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given go template]:template: " && ret=0
+            ;;
+        (prune)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -a --all)"{-a,--all}"[Remove all unused data, not just dangling ones]" \
+                "($help)*--filter=[Filter values]:filter:__docker_complete_prune_filters" \
+                "($help -f --force)"{-f,--force}"[Do not prompt for confirmation]" \
+                "($help)--volumes=[Remove all unused volumes]" && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_volume_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO system
+
+# BO volume
+
+__docker_volume_complete_ls_filters() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+
+    if compset -P '*='; then
+        case "${${words[-1]%=*}#*=}" in
+            (dangling)
+                dangling_opts=('true' 'false')
+                _describe -t dangling-filter-opts "Dangling Filter Options" dangling_opts && ret=0
+                ;;
+            (driver)
+                __docker_complete_info_plugins Volume && ret=0
+                ;;
+            (name)
+                __docker_complete_volumes && ret=0
+                ;;
+            *)
+                _message 'value' && ret=0
+                ;;
+        esac
+    else
+        opts=('dangling' 'driver' 'label' 'name')
+        _describe -t filter-opts "Filter Options" opts -qS "=" && ret=0
+    fi
+
+    return ret
+}
+
+__docker_complete_volumes() {
+    [[ $PREFIX = -* ]] && return 1
+    integer ret=1
+    declare -a lines volumes
+
+    lines=(${(f)${:-"$(_call_program commands docker $docker_options volume ls)"$'\n'}})
+
+    # Parse header line to find columns
+    local i=1 j=1 k header=${lines[1]}
+    declare -A begin end
+    while (( j < ${#header} - 1 )); do
+        i=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 1 ))
+        j=$(( i + ${${header[$i,-1]}[(i)  ]} - 1 ))
+        k=$(( j + ${${header[$j,-1]}[(i)[^ ]]} - 2 ))
+        begin[${header[$i,$((j-1))]}]=$i
+        end[${header[$i,$((j-1))]}]=$k
+    done
+    end[${header[$i,$((j-1))]}]=-1
+    lines=(${lines[2,-1]})
+
+    # Names
+    local line s
+    for line in $lines; do
+        s="${line[${begin[VOLUME NAME]},${end[VOLUME NAME]}]%% ##}"
+        s="$s:${(l:7:: :::)${${line[${begin[DRIVER]},${end[DRIVER]}]}%% ##}}"
+        volumes=($volumes $s)
+    done
+
+    _describe -t volumes-list "volumes" volumes && ret=0
+    return ret
+}
+
+__docker_volume_commands() {
+    local -a _docker_volume_subcommands
+    _docker_volume_subcommands=(
+        "create:Create a volume"
+        "inspect:Display detailed information on one or more volumes"
+        "ls:List volumes"
+        "prune:Remove all unused volumes"
+        "rm:Remove one or more volumes"
+    )
+    _describe -t docker-volume-commands "docker volume command" _docker_volume_subcommands
+}
+
+__docker_volume_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (create)
+            _arguments $(__docker_arguments) -A '-*' \
+                $opts_help \
+                "($help -d --driver)"{-d=,--driver=}"[Volume driver name]:Driver name:(local)" \
+                "($help)*--label=[Set metadata for a volume]:label=value: " \
+                "($help)*"{-o=,--opt=}"[Driver specific options]:Driver option: " \
+                "($help -)1:Volume name: " && ret=0
+            ;;
+        (inspect)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given go template]:template: " \
+                "($help -)1:volume:__docker_complete_volumes" && ret=0
+            ;;
+        (ls)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*"{-f=,--filter=}"[Provide filter values]:filter:__docker_volume_complete_ls_filters" \
+                "($help)--format=[Pretty-print volumes using a Go template]:template: " \
+                "($help -q --quiet)"{-q,--quiet}"[Only display volume names]" && ret=0
+            ;;
+        (prune)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --force)"{-f,--force}"[Do not prompt for confirmation]" && ret=0
+            ;;
+        (rm)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --force)"{-f,--force}"[Force the removal of one or more volumes]" \
+                "($help -):volume:__docker_complete_volumes" && ret=0
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_volume_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+# EO volume
+
+__docker_caching_policy() {
+  oldp=( "$1"(Nmh+1) )     # 1 hour
+  (( $#oldp ))
+}
+
+__docker_commands() {
+    local cache_policy
+    integer force_invalidation=0
+
+    zstyle -s ":completion:${curcontext}:" cache-policy cache_policy
+    if [[ -z "$cache_policy" ]]; then
+        zstyle ":completion:${curcontext}:" cache-policy __docker_caching_policy
+    fi
+
+    if ( (( ! ${+_docker_hide_legacy_commands} )) || _cache_invalid docker_hide_legacy_commands ) \
+       && ! _retrieve_cache docker_hide_legacy_commands;
+    then
+        _docker_hide_legacy_commands="${DOCKER_HIDE_LEGACY_COMMANDS}"
+        _store_cache docker_hide_legacy_commands _docker_hide_legacy_commands
+    fi
+
+    if [[ "${_docker_hide_legacy_commands}" != "${DOCKER_HIDE_LEGACY_COMMANDS}" ]]; then
+        force_invalidation=1
+        _docker_hide_legacy_commands="${DOCKER_HIDE_LEGACY_COMMANDS}"
+        _store_cache docker_hide_legacy_commands _docker_hide_legacy_commands
+    fi
+
+    if ( [[ ${+_docker_subcommands} -eq 0 ]] || _cache_invalid docker_subcommands ) \
+        && ! _retrieve_cache docker_subcommands || [[ ${force_invalidation} -eq 1 ]];
+    then
+        local -a lines
+        lines=(${(f)"$(_call_program commands docker 2>&1)"})
+        _docker_subcommands=(${${${(M)${lines[$((${lines[(i)*Commands:]} + 1)),-1]}:# *}## #}/ ##/:})
+        _docker_subcommands=($_docker_subcommands 'daemon:Enable daemon mode' 'help:Show help for a command')
+        (( $#_docker_subcommands > 2 )) && _store_cache docker_subcommands _docker_subcommands
+    fi
+    _describe -t docker-commands "docker command" _docker_subcommands
+}
+
+__docker_subcommand() {
+    local -a _command_args opts_help
+    local expl help="--help"
+    integer ret=1
+
+    opts_help=("(: -)--help[Print usage]")
+
+    case "$words[1]" in
+        (attach|commit|cp|create|diff|exec|export|kill|logs|pause|unpause|port|rename|restart|rm|run|start|stats|stop|top|update|wait)
+            __docker_container_subcommand && ret=0
+            ;;
+        (build|history|import|load|pull|push|save|tag)
+            __docker_image_subcommand && ret=0
+            ;;
+        (checkpoint)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_checkpoint_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_checkpoint_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (container)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_container_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_container_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (daemon)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help)*--add-runtime=[Register an additional OCI compatible runtime]:runtime:__docker_complete_runtimes" \
+                "($help)*--allow-nondistributable-artifacts=[Push nondistributable artifacts to specified registries]:registry: " \
+                "($help)--api-cors-header=[CORS headers in the Engine API]:CORS headers: " \
+                "($help)*--authorization-plugin=[Authorization plugins to load]" \
+                "($help -b --bridge)"{-b=,--bridge=}"[Attach containers to a network bridge]:bridge:_net_interfaces" \
+                "($help)--bip=[Network bridge IP]:IP address: " \
+                "($help)--cgroup-parent=[Parent cgroup for all containers]:cgroup: " \
+                "($help)--cluster-advertise=[Address or interface name to advertise]:Instance to advertise (host\:port): " \
+                "($help)--cluster-store=[URL of the distributed storage backend]:Cluster Store:->cluster-store" \
+                "($help)*--cluster-store-opt=[Cluster store options]:Cluster options:->cluster-store-options" \
+                "($help)--config-file=[Path to daemon configuration file]:Config File:_files" \
+                "($help)--containerd=[Path to containerd socket]:socket:_files -g \"*.sock\"" \
+                "($help)--data-root=[Root directory of persisted Docker data]:path:_directories" \
+                "($help -D --debug)"{-D,--debug}"[Enable debug mode]" \
+                "($help)--default-gateway[Container default gateway IPv4 address]:IPv4 address: " \
+                "($help)--default-gateway-v6[Container default gateway IPv6 address]:IPv6 address: " \
+                "($help)--default-shm-size=[Default shm size for containers]:size:" \
+                "($help)*--default-ulimit=[Default ulimits for containers]:ulimit: " \
+                "($help)*--dns=[DNS server to use]:DNS: " \
+                "($help)*--dns-opt=[DNS options to use]:DNS option: " \
+                "($help)*--dns-search=[DNS search domains to use]:DNS search: " \
+                "($help)*--exec-opt=[Runtime execution options]:runtime execution options: " \
+                "($help)--exec-root=[Root directory for execution state files]:path:_directories" \
+                "($help)--experimental[Enable experimental features]" \
+                "($help)--fixed-cidr=[IPv4 subnet for fixed IPs]:IPv4 subnet: " \
+                "($help)--fixed-cidr-v6=[IPv6 subnet for fixed IPs]:IPv6 subnet: " \
+                "($help -G --group)"{-G=,--group=}"[Group for the unix socket]:group:_groups" \
+                "($help -H --host)"{-H=,--host=}"[tcp://host:port to bind/connect to]:host: " \
+                "($help)--icc[Enable inter-container communication]" \
+                "($help)--init[Run an init inside containers to forward signals and reap processes]" \
+                "($help)--init-path=[Path to the docker-init binary]:docker-init binary:_files" \
+                "($help)*--insecure-registry=[Enable insecure registry communication]:registry: " \
+                "($help)--ip=[Default IP when binding container ports]" \
+                "($help)--ip-forward[Enable net.ipv4.ip_forward]" \
+                "($help)--ip-masq[Enable IP masquerading]" \
+                "($help)--iptables[Enable addition of iptables rules]" \
+                "($help)--ipv6[Enable IPv6 networking]" \
+                "($help -l --log-level)"{-l=,--log-level=}"[Logging level]:level:(debug info warn error fatal)" \
+                "($help)*--label=[Key=value labels]:label: " \
+                "($help)--live-restore[Enable live restore of docker when containers are still running]" \
+                "($help)--log-driver=[Default driver for container logs]:logging driver:__docker_complete_log_drivers" \
+                "($help)*--log-opt=[Default log driver options for containers]:log driver options:__docker_complete_log_options" \
+                "($help)--max-concurrent-downloads[Set the max concurrent downloads for each pull]" \
+                "($help)--max-concurrent-uploads[Set the max concurrent uploads for each push]" \
+                "($help)--mtu=[Network MTU]:mtu:(0 576 1420 1500 9000)" \
+                "($help)--oom-score-adjust=[Set the oom_score_adj for the daemon]:oom-score:(-500)" \
+                "($help -p --pidfile)"{-p=,--pidfile=}"[Path to use for daemon PID file]:PID file:_files" \
+                "($help)--raw-logs[Full timestamps without ANSI coloring]" \
+                "($help)*--registry-mirror=[Preferred Docker registry mirror]:registry mirror: " \
+                "($help)--seccomp-profile=[Path to seccomp profile]:path:_files -g \"*.json\"" \
+                "($help -s --storage-driver)"{-s=,--storage-driver=}"[Storage driver to use]:driver:(aufs btrfs devicemapper overlay overlay2 vfs zfs)" \
+                "($help)--selinux-enabled[Enable selinux support]" \
+                "($help)--shutdown-timeout=[Set the shutdown timeout value in seconds]:time: " \
+                "($help)*--storage-opt=[Storage driver options]:storage driver options: " \
+                "($help)--tls[Use TLS]" \
+                "($help)--tlscacert=[Trust certs signed only by this CA]:PEM file:_files -g \"*.(pem|crt)\"" \
+                "($help)--tlscert=[Path to TLS certificate file]:PEM file:_files -g \"*.(pem|crt)\"" \
+                "($help)--tlskey=[Path to TLS key file]:Key file:_files -g \"*.(pem|key)\"" \
+                "($help)--tlsverify[Use TLS and verify the remote]" \
+                "($help)--userns-remap=[User/Group setting for user namespaces]:user\:group:->users-groups" \
+                "($help)--userland-proxy[Use userland proxy for loopback traffic]" \
+                "($help)--userland-proxy-path=[Path to the userland proxy binary]:binary:_files" && ret=0
+
+            case $state in
+                (cluster-store)
+                    if compset -P '*://'; then
+                        _message 'host:port' && ret=0
+                    else
+                        store=('consul' 'etcd' 'zk')
+                        _describe -t cluster-store "Cluster Store" store -qS "://" && ret=0
+                    fi
+                    ;;
+                (cluster-store-options)
+                    if compset -P '*='; then
+                        _files && ret=0
+                    else
+                        opts=('discovery.heartbeat' 'discovery.ttl' 'kv.cacertfile' 'kv.certfile' 'kv.keyfile' 'kv.path')
+                        _describe -t cluster-store-opts "Cluster Store Options" opts -qS "=" && ret=0
+                    fi
+                    ;;
+                (users-groups)
+                    if compset -P '*:'; then
+                        _groups && ret=0
+                    else
+                        _describe -t userns-default "default Docker user management" '(default)' && ret=0
+                        _users && ret=0
+                    fi
+                    ;;
+            esac
+            ;;
+        (events|info)
+            __docker_system_subcommand && ret=0
+            ;;
+        (image)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_image_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_image_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (images)
+            words[1]='ls'
+            __docker_image_subcommand && ret=0
+            ;;
+        (inspect)
+            local state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given go template]:template: " \
+                "($help -s --size)"{-s,--size}"[Display total file sizes if the type is container]" \
+                "($help)--type=[Return JSON for specified type]:type:(container image network node plugin service volume)" \
+                "($help -)*: :->values" && ret=0
+
+            case $state in
+                (values)
+                    if [[ ${words[(r)--type=container]} == --type=container ]]; then
+                        __docker_complete_containers && ret=0
+                    elif [[ ${words[(r)--type=image]} == --type=image ]]; then
+                        __docker_complete_images && ret=0
+                    elif [[ ${words[(r)--type=network]} == --type=network ]]; then
+                        __docker_complete_networks && ret=0
+                    elif [[ ${words[(r)--type=node]} == --type=node ]]; then
+                        __docker_complete_nodes && ret=0
+                    elif [[ ${words[(r)--type=plugin]} == --type=plugin ]]; then
+                        __docker_complete_plugins && ret=0
+                    elif [[ ${words[(r)--type=service]} == --type=secrets ]]; then
+                        __docker_complete_secrets && ret=0
+                    elif [[ ${words[(r)--type=service]} == --type=service ]]; then
+                        __docker_complete_services && ret=0
+                    elif [[ ${words[(r)--type=volume]} == --type=volume ]]; then
+                        __docker_complete_volumes && ret=0
+                    else
+                        __docker_complete_containers
+                        __docker_complete_images
+                        __docker_complete_networks
+                        __docker_complete_nodes
+                        __docker_complete_plugins
+                        __docker_complete_secrets
+                        __docker_complete_services
+                        __docker_complete_volumes && ret=0
+                    fi
+                    ;;
+            esac
+            ;;
+        (login)
+            _arguments $(__docker_arguments) -A '-*' \
+                $opts_help \
+                "($help -p --password)"{-p=,--password=}"[Password]:password: " \
+                "($help)--password-stdin[Read password from stdin]" \
+                "($help -u --user)"{-u=,--user=}"[Username]:username: " \
+                "($help -)1:server: " && ret=0
+            ;;
+        (logout)
+            _arguments $(__docker_arguments) -A '-*' \
+                $opts_help \
+                "($help -)1:server: " && ret=0
+            ;;
+        (network)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_network_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_network_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (node)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_node_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_node_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (plugin)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_plugin_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_plugin_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (ps)
+            words[1]='ls'
+            __docker_container_subcommand && ret=0
+            ;;
+        (rmi)
+            words[1]='rm'
+            __docker_image_subcommand && ret=0
+            ;;
+        (search)
+            _arguments $(__docker_arguments) -A '-*' \
+                $opts_help \
+                "($help)*"{-f=,--filter=}"[Filter values]:filter:__docker_complete_search_filters" \
+                "($help)--limit=[Maximum returned search results]:limit:(1 5 10 25 50)" \
+                "($help)--no-trunc[Do not truncate output]" \
+                "($help -):term: " && ret=0
+            ;;
+        (secret)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_secret_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_secret_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (service)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_service_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_service_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (stack)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_stack_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_stack_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (swarm)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_swarm_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_swarm_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (system)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_system_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_system_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (version)
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -f --format)"{-f=,--format=}"[Format the output using the given go template]:template: " && ret=0
+            ;;
+        (volume)
+            local curcontext="$curcontext" state
+            _arguments $(__docker_arguments) \
+                $opts_help \
+                "($help -): :->command" \
+                "($help -)*:: :->option-or-argument" && ret=0
+
+            case $state in
+                (command)
+                    __docker_volume_commands && ret=0
+                    ;;
+                (option-or-argument)
+                    curcontext=${curcontext%:*:*}:docker-${words[-1]}:
+                    __docker_volume_subcommand && ret=0
+                    ;;
+            esac
+            ;;
+        (help)
+            _arguments $(__docker_arguments) ":subcommand:__docker_commands" && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+_docker() {
+    # Support for subservices, which allows for `compdef _docker docker-shell=_docker_containers`.
+    # Based on /usr/share/zsh/functions/Completion/Unix/_git without support for `ret`.
+    if [[ $service != docker ]]; then
+        _call_function - _$service
+        return
+    fi
+
+    local curcontext="$curcontext" state line help="-h --help"
+    integer ret=1
+    typeset -A opt_args
+
+    _arguments $(__docker_arguments) -C \
+        "(: -)"{-h,--help}"[Print usage]" \
+        "($help)--config[Location of client config files]:path:_directories" \
+        "($help -D --debug)"{-D,--debug}"[Enable debug mode]" \
+        "($help -H --host)"{-H=,--host=}"[tcp://host:port to bind/connect to]:host: " \
+        "($help -l --log-level)"{-l=,--log-level=}"[Logging level]:level:(debug info warn error fatal)" \
+        "($help)--tls[Use TLS]" \
+        "($help)--tlscacert=[Trust certs signed only by this CA]:PEM file:_files -g "*.(pem|crt)"" \
+        "($help)--tlscert=[Path to TLS certificate file]:PEM file:_files -g "*.(pem|crt)"" \
+        "($help)--tlskey=[Path to TLS key file]:Key file:_files -g "*.(pem|key)"" \
+        "($help)--tlsverify[Use TLS and verify the remote]" \
+        "($help)--userland-proxy[Use userland proxy for loopback traffic]" \
+        "($help -v --version)"{-v,--version}"[Print version information and quit]" \
+        "($help -): :->command" \
+        "($help -)*:: :->option-or-argument" && ret=0
+
+    local host=${opt_args[-H]}${opt_args[--host]}
+    local config=${opt_args[--config]}
+    local docker_options="${host:+--host $host} ${config:+--config $config}"
+
+    case $state in
+        (command)
+            __docker_commands && ret=0
+            ;;
+        (option-or-argument)
+            curcontext=${curcontext%:*:*}:docker-$words[1]:
+            __docker_subcommand && ret=0
+            ;;
+    esac
+
+    return ret
+}
+
+_dockerd() {
+    integer ret=1
+    words[1]='daemon'
+    __docker_subcommand && ret=0
+    return ret
+}
+
+_docker "$@"
+
+# Local Variables:
+# mode: Shell-Script
+# sh-indentation: 4
+# indent-tabs-mode: nil
+# sh-basic-offset: 4
+# End:
+# vim: ft=zsh sw=4 ts=4 et
diff --git a/cli/docker.Makefile b/cli/docker.Makefile
new file mode 100644
index 00000000..dc52fc65
--- /dev/null
+++ b/cli/docker.Makefile
@@ -0,0 +1,123 @@
+#
+# github.com/docker/cli
+#
+# Makefile for developing using Docker
+#
+
+DEV_DOCKER_IMAGE_NAME = docker-cli-dev$(IMAGE_TAG)
+BINARY_NATIVE_IMAGE_NAME = docker-cli-native$(IMAGE_TAG)
+LINTER_IMAGE_NAME = docker-cli-lint$(IMAGE_TAG)
+CROSS_IMAGE_NAME = docker-cli-cross$(IMAGE_TAG)
+VALIDATE_IMAGE_NAME = docker-cli-shell-validate$(IMAGE_TAG)
+E2E_IMAGE_NAME = docker-cli-e2e$(IMAGE_TAG)
+MOUNTS = -v "$(CURDIR)":/go/src/github.com/docker/cli
+VERSION = $(shell cat VERSION)
+ENVVARS = -e VERSION=$(VERSION) -e GITCOMMIT -e PLATFORM
+
+# build docker image (dockerfiles/Dockerfile.build)
+.PHONY: build_docker_image
+build_docker_image:
+	docker build ${DOCKER_BUILD_ARGS} -t $(DEV_DOCKER_IMAGE_NAME) -f ./dockerfiles/Dockerfile.dev .
+
+# build docker image having the linting tools (dockerfiles/Dockerfile.lint)
+.PHONY: build_linter_image
+build_linter_image:
+	docker build ${DOCKER_BUILD_ARGS} -t $(LINTER_IMAGE_NAME) -f ./dockerfiles/Dockerfile.lint .
+
+.PHONY: build_cross_image
+build_cross_image:
+	docker build ${DOCKER_BUILD_ARGS} -t $(CROSS_IMAGE_NAME) -f ./dockerfiles/Dockerfile.cross .
+
+.PHONY: build_shell_validate_image
+build_shell_validate_image:
+	docker build -t $(VALIDATE_IMAGE_NAME) -f ./dockerfiles/Dockerfile.shellcheck .
+
+.PHONY: build_binary_native_image
+build_binary_native_image:
+	docker build -t $(BINARY_NATIVE_IMAGE_NAME) -f ./dockerfiles/Dockerfile.binary-native .
+
+.PHONY: build_e2e_image
+build_e2e_image:
+	docker build -t $(E2E_IMAGE_NAME) --build-arg VERSION=$(VERSION) --build-arg GITCOMMIT=$(GITCOMMIT) -f ./dockerfiles/Dockerfile.e2e .
+
+
+# build executable using a container
+binary: build_binary_native_image
+	docker run --rm $(ENVVARS) $(MOUNTS) $(BINARY_NATIVE_IMAGE_NAME)
+
+build: binary
+
+
+# clean build artifacts using a container
+.PHONY: clean
+clean: build_docker_image
+	docker run --rm $(ENVVARS) $(MOUNTS) $(DEV_DOCKER_IMAGE_NAME) make clean
+
+# run go test
+.PHONY: test-unit
+test-unit: build_docker_image
+	docker run --rm $(ENVVARS) $(MOUNTS) $(DEV_DOCKER_IMAGE_NAME) make test-unit
+
+.PHONY: test
+test: test-unit test-e2e
+
+# build the CLI for multiple architectures using a container
+.PHONY: cross
+cross: build_cross_image
+	docker run --rm $(ENVVARS) $(MOUNTS) $(CROSS_IMAGE_NAME) make cross
+
+.PHONY: binary-windows
+binary-windows: build_cross_image
+	docker run --rm $(ENVVARS) $(MOUNTS) $(CROSS_IMAGE_NAME) make $@
+
+.PHONY: binary-osx
+binary-osx: build_cross_image
+	docker run --rm $(ENVVARS) $(MOUNTS) $(CROSS_IMAGE_NAME) make $@
+
+.PHONY: watch
+watch: build_docker_image
+	docker run --rm $(ENVVARS) $(MOUNTS) $(DEV_DOCKER_IMAGE_NAME) make watch
+
+# start container in interactive mode for in-container development
+.PHONY: dev
+dev: build_docker_image
+	docker run -ti $(ENVVARS) $(MOUNTS) \
+		-v /var/run/docker.sock:/var/run/docker.sock \
+		$(DEV_DOCKER_IMAGE_NAME) ash
+
+shell: dev
+
+# run linters in a container
+.PHONY: lint
+lint: build_linter_image
+	docker run -ti $(ENVVARS) $(MOUNTS) $(LINTER_IMAGE_NAME)
+
+# download dependencies (vendor/) listed in vendor.conf, using a container
+.PHONY: vendor
+vendor: build_docker_image vendor.conf
+	docker run -ti --rm $(ENVVARS) $(MOUNTS) $(DEV_DOCKER_IMAGE_NAME) make vendor
+
+dynbinary: build_cross_image
+	docker run -ti --rm $(ENVVARS) $(MOUNTS) $(CROSS_IMAGE_NAME) make dynbinary
+
+.PHONY: authors
+authors: ## generate AUTHORS file from git history
+	docker run -ti --rm $(ENVVARS) $(MOUNTS) $(DEV_DOCKER_IMAGE_NAME) make authors
+
+## generate man pages from go source and markdown
+.PHONY: manpages
+manpages: build_docker_image
+	docker run -ti --rm $(ENVVARS) $(MOUNTS) $(DEV_DOCKER_IMAGE_NAME) make manpages
+
+## Generate documentation YAML files consumed by docs repo
+.PHONY: yamldocs
+yamldocs: build_docker_image
+	docker run -ti --rm $(ENVVARS) $(MOUNTS) $(DEV_DOCKER_IMAGE_NAME) make yamldocs
+
+.PHONY: shellcheck
+shellcheck: build_shell_validate_image
+	docker run -ti --rm $(ENVVARS) $(MOUNTS) $(VALIDATE_IMAGE_NAME) make shellcheck
+
+.PHONY: test-e2e
+test-e2e: build_e2e_image
+	docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $(E2E_IMAGE_NAME)
diff --git a/cli/dockerfiles/Dockerfile.binary-native b/cli/dockerfiles/Dockerfile.binary-native
new file mode 100644
index 00000000..d6fdf533
--- /dev/null
+++ b/cli/dockerfiles/Dockerfile.binary-native
@@ -0,0 +1,8 @@
+FROM    golang:1.10.3-alpine
+
+RUN     apk add -U git bash coreutils gcc musl-dev
+
+ENV     CGO_ENABLED=0 \
+        DISABLE_WARN_OUTSIDE_CONTAINER=1
+WORKDIR /go/src/github.com/docker/cli
+CMD     ./scripts/build/binary
diff --git a/cli/dockerfiles/Dockerfile.cross b/cli/dockerfiles/Dockerfile.cross
new file mode 100644
index 00000000..40a01b88
--- /dev/null
+++ b/cli/dockerfiles/Dockerfile.cross
@@ -0,0 +1,3 @@
+FROM    dockercore/golang-cross:1.10.3@sha256:7671b4ed357fda50124e5679d36c4c3206ded4d43f1d2e0ff3d120a1e2bf94d7
+ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1
+WORKDIR /go/src/github.com/docker/cli
diff --git a/cli/dockerfiles/Dockerfile.dev b/cli/dockerfiles/Dockerfile.dev
new file mode 100644
index 00000000..1b87ad5b
--- /dev/null
+++ b/cli/dockerfiles/Dockerfile.dev
@@ -0,0 +1,24 @@
+
+FROM    golang:1.10.3-alpine
+
+RUN     apk add -U git make bash coreutils ca-certificates curl
+
+ARG     VNDR_SHA=1fc68ee0c852556a9ed53cbde16247033f104111
+RUN     go get -d github.com/LK4D4/vndr && \
+        cd /go/src/github.com/LK4D4/vndr && \
+        git checkout -q "$VNDR_SHA" && \
+        go build -v -o /usr/bin/vndr . && \
+        rm -rf /go/src/* /go/pkg/* /go/bin/*
+
+ARG     ESC_SHA=58d9cde84f237ecdd89bd7f61c2de2853f4c5c6e
+RUN     go get -d github.com/mjibson/esc && \
+        cd /go/src/github.com/mjibson/esc && \
+        git checkout -q "$ESC_SHA" && \
+        go build -v -o /usr/bin/esc . && \
+        rm -rf /go/src/* /go/pkg/* /go/bin/*
+
+ENV     CGO_ENABLED=0 \
+        PATH=$PATH:/go/src/github.com/docker/cli/build \
+        DISABLE_WARN_OUTSIDE_CONTAINER=1
+WORKDIR /go/src/github.com/docker/cli
+CMD     sh
diff --git a/cli/dockerfiles/Dockerfile.e2e b/cli/dockerfiles/Dockerfile.e2e
new file mode 100644
index 00000000..167bbf0e
--- /dev/null
+++ b/cli/dockerfiles/Dockerfile.e2e
@@ -0,0 +1,34 @@
+ARG GO_VERSION=1.10.3
+# Use Debian based image as docker-compose requires glibc.
+FROM golang:${GO_VERSION}
+
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    curl \
+    openssl \
+    && rm -rf /var/lib/apt/lists/*
+
+ARG COMPOSE_VERSION=1.21.2
+RUN curl -L https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose \
+    && chmod +x /usr/local/bin/docker-compose
+
+ARG NOTARY_VERSION=v0.6.1
+RUN curl -Ls https://github.com/theupdateframework/notary/releases/download/${NOTARY_VERSION}/notary-Linux-amd64 -o /usr/local/bin/notary \
+    && chmod +x /usr/local/bin/notary
+
+ENV CGO_ENABLED=0 \
+    DISABLE_WARN_OUTSIDE_CONTAINER=1 \
+    PATH=/go/src/github.com/docker/cli/build:$PATH
+WORKDIR /go/src/github.com/docker/cli
+
+# Trust notary CA cert.
+COPY e2e/testdata/notary/root-ca.cert /usr/share/ca-certificates/notary.cert
+RUN echo 'notary.cert' >> /etc/ca-certificates.conf && update-ca-certificates
+
+COPY . .
+ARG VERSION
+ARG GITCOMMIT
+ENV VERSION=${VERSION} GITCOMMIT=${GITCOMMIT}
+RUN ./scripts/build/binary
+
+CMD ./scripts/test/e2e/entry
diff --git a/cli/dockerfiles/Dockerfile.lint b/cli/dockerfiles/Dockerfile.lint
new file mode 100644
index 00000000..9726eecb
--- /dev/null
+++ b/cli/dockerfiles/Dockerfile.lint
@@ -0,0 +1,24 @@
+FROM    golang:1.10.3-alpine
+
+RUN     apk add -U git
+
+ARG     GOMETALINTER_SHA=7f9672e7ea538b8682e83395d50b12f09bb17b91
+RUN     go get -d github.com/alecthomas/gometalinter && \
+        cd /go/src/github.com/alecthomas/gometalinter && \
+        git checkout -q "$GOMETALINTER_SHA" && \
+        go build -v -o /usr/local/bin/gometalinter . && \ 
+        gometalinter --install && \
+        rm -rf /go/src/* /go/pkg/*
+
+ARG     NAKEDRET_SHA=3ddb495a6d63bc9041ba843e7d651cf92639d8cb
+RUN     go get -d github.com/alexkohler/nakedret && \
+        cd /go/src/github.com/alexkohler/nakedret && \
+        git checkout -q "$NAKEDRET_SHA" && \
+        go build -v -o /usr/local/bin/nakedret . && \
+        rm -rf /go/src/* /go/pkg/*
+
+WORKDIR /go/src/github.com/docker/cli
+ENV     CGO_ENABLED=0
+ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1
+ENTRYPOINT ["/usr/local/bin/gometalinter"]
+CMD     ["--config=gometalinter.json", "./..."]
diff --git a/cli/dockerfiles/Dockerfile.shellcheck b/cli/dockerfiles/Dockerfile.shellcheck
new file mode 100644
index 00000000..43112b31
--- /dev/null
+++ b/cli/dockerfiles/Dockerfile.shellcheck
@@ -0,0 +1,9 @@
+FROM    debian:stretch-slim
+
+RUN     apt-get update && \
+        apt-get -y install make shellcheck && \
+        apt-get clean
+
+WORKDIR /go/src/github.com/docker/cli
+ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1
+CMD     bash
diff --git a/cli/docs/README.md b/cli/docs/README.md
new file mode 100644
index 00000000..a161b890
--- /dev/null
+++ b/cli/docs/README.md
@@ -0,0 +1,30 @@
+# The non-reference docs have been moved!
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+The documentation for Docker Engine has been merged into
+[the general documentation repo](https://github.com/docker/docker.github.io).
+
+See the [README](https://github.com/docker/docker.github.io/blob/master/README.md)
+for instructions on contributing to and building the documentation.
+
+If you'd like to edit the current published version of the Engine docs,
+do it in the master branch here:
+https://github.com/docker/docker.github.io/tree/master/engine
+
+If you need to document the functionality of an upcoming Engine release,
+use the `vnext-engine` branch:
+https://github.com/docker/docker.github.io/tree/vnext-engine/engine
+
+The reference docs have been left in docker/docker (this repo), which remains
+the place to edit them.
+
+The docs in the general repo are open-source and we appreciate
+your feedback and pull requests!
diff --git a/cli/docs/deprecated.md b/cli/docs/deprecated.md
new file mode 100644
index 00000000..75514a0f
--- /dev/null
+++ b/cli/docs/deprecated.md
@@ -0,0 +1,356 @@
+---
+aliases: ["/engine/misc/deprecated/"]
+description: "Deprecated Features."
+keywords: "docker, documentation, about, technology, deprecate"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Deprecated Engine Features
+
+The following list of features are deprecated in Engine.
+To learn more about Docker Engine's deprecation policy,
+see [Feature Deprecation Policy](https://docs.docker.com/engine/#feature-deprecation-policy).
+
+### Reserved namespaces in engine labels
+
+**Deprecated in Release: v18.06.0**
+
+The namespaces `com.docker.*`, `io.docker.*`, and `org.dockerproject.*` in engine labels
+were always documented to be reserved, but there was never any enforcement.
+
+Usage of these namespaces will now cause a warning in the engine logs to discourage their
+use, and will error instead in 18.12 and above.
+
+### Asynchronous `service create` and `service update`
+
+**Deprecated In Release: v17.05.0**
+
+**Disabled by default in release: [v17.10](https://github.com/docker/docker-ce/releases/tag/v17.10.0-ce)**
+
+Docker 17.05.0 added an optional `--detach=false` option to make the
+`docker service create` and `docker service update` work synchronously. This
+option will be enabled by default in Docker 17.10, at which point the `--detach`
+flag can be used to use the previous (asynchronous) behavior.
+
+The default for this option will also be changed accordingly for `docker service rollback`
+and `docker service scale` in Docker 17.10.
+
+### `-g` and `--graph` flags on `dockerd`
+
+**Deprecated In Release: v17.05.0**
+
+The `-g` or `--graph` flag for the `dockerd` or `docker daemon` command was
+used to indicate the directory in which to store persistent data and resource
+configuration and has been replaced with the more descriptive `--data-root`
+flag.
+
+These flags were added before Docker 1.0, so will not be _removed_, only
+_hidden_, to discourage their use.
+
+### Top-level network properties in NetworkSettings
+
+**Deprecated In Release: [v1.13.0](https://github.com/docker/docker/releases/tag/v1.13.0)**
+
+**Target For Removal In Release: v17.12**
+
+When inspecting a container, `NetworkSettings` contains top-level information
+about the default ("bridge") network;
+
+`EndpointID`, `Gateway`, `GlobalIPv6Address`, `GlobalIPv6PrefixLen`, `IPAddress`,
+`IPPrefixLen`, `IPv6Gateway`, and `MacAddress`.
+
+These properties are deprecated in favor of per-network properties in
+`NetworkSettings.Networks`. These properties were already "deprecated" in
+docker 1.9, but kept around for backward compatibility.
+
+Refer to [#17538](https://github.com/docker/docker/pull/17538) for further
+information.
+
+### `filter` param for `/images/json` endpoint
+**Deprecated In Release: [v1.13.0](https://github.com/docker/docker/releases/tag/v1.13.0)**
+
+**Target For Removal In Release: v17.12**
+
+The `filter` param to filter the list of image by reference (name or name:tag) is now implemented as a regular filter, named `reference`.
+
+### `repository:shortid` image references
+**Deprecated In Release: [v1.13.0](https://github.com/docker/docker/releases/tag/v1.13.0)**
+
+**Removed In Release: v17.12**
+
+The `repository:shortid` syntax for referencing images is very little used,
+collides with tag references, and can be confused with digest references.
+
+Support for the `repository:shortid` notation to reference images was removed
+in Docker 17.12.
+
+### `docker daemon` subcommand
+**Deprecated In Release: [v1.13.0](https://github.com/docker/docker/releases/tag/v1.13.0)**
+
+**Removed In Release: v17.12**
+
+The daemon is moved to a separate binary (`dockerd`), and should be used instead.
+
+### Duplicate keys with conflicting values in engine labels
+**Deprecated In Release: [v1.13.0](https://github.com/docker/docker/releases/tag/v1.13.0)**
+
+**Removed In Release: v17.12**
+
+When setting duplicate keys with conflicting values, an error will be produced, and the daemon
+will fail to start.
+
+### `MAINTAINER` in Dockerfile
+**Deprecated In Release: [v1.13.0](https://github.com/docker/docker/releases/tag/v1.13.0)**
+
+`MAINTAINER` was an early very limited form of `LABEL` which should be used instead.
+
+### API calls without a version
+**Deprecated In Release: [v1.13.0](https://github.com/docker/docker/releases/tag/v1.13.0)**
+
+**Target For Removal In Release: v17.12**
+
+API versions should be supplied to all API calls to ensure compatibility with
+future Engine versions. Instead of just requesting, for example, the URL
+`/containers/json`, you must now request `/v1.25/containers/json`.
+
+### Backing filesystem without `d_type` support for overlay/overlay2
+**Deprecated In Release: [v1.13.0](https://github.com/docker/docker/releases/tag/v1.13.0)**
+
+**Removed In Release: v17.12**
+
+The overlay and overlay2 storage driver does not work as expected if the backing
+filesystem does not support `d_type`. For example, XFS does not support `d_type`
+if it is formatted with the `ftype=0` option.
+
+Starting with Docker 17.12, new installations will not support running overlay2 on
+a backing filesystem without `d_type` support. For existing installations that upgrade
+to 17.12, a warning will be printed.
+
+Please also refer to [#27358](https://github.com/docker/docker/issues/27358) for
+further information.
+
+### Three arguments form in `docker import`
+**Deprecated In Release: [v0.6.7](https://github.com/docker/docker/releases/tag/v0.6.7)**
+
+**Removed In Release: [v1.12.0](https://github.com/docker/docker/releases/tag/v1.12.0)**
+
+The `docker import` command format `file|URL|- [REPOSITORY [TAG]]` is deprecated since November 2013. It's no more supported.
+
+### `-h` shorthand for `--help`
+
+**Deprecated In Release: [v1.12.0](https://github.com/docker/docker/releases/tag/v1.12.0)**
+
+**Target For Removal In Release: v17.09**
+
+The shorthand (`-h`) is less common than `--help` on Linux and cannot be used
+on all subcommands (due to it conflicting with, e.g. `-h` / `--hostname` on
+`docker create`). For this reason, the `-h` shorthand was not printed in the
+"usage" output of subcommands, nor documented, and is now marked "deprecated".
+
+### `-e` and `--email` flags on `docker login`
+**Deprecated In Release: [v1.11.0](https://github.com/docker/docker/releases/tag/v1.11.0)**
+
+**Removed In Release: [v17.06](https://github.com/docker/docker-ce/releases/tag/v17.06.0-ce)**
+
+The docker login command is removing the ability to automatically register for an account with the target registry if the given username doesn't exist. Due to this change, the email flag is no longer required, and will be deprecated.
+
+### Separator (`:`) of `--security-opt` flag on `docker run`
+**Deprecated In Release: [v1.11.0](https://github.com/docker/docker/releases/tag/v1.11.0)**
+
+**Target For Removal In Release: v17.06**
+
+The flag `--security-opt` doesn't use the colon separator(`:`) anymore to divide keys and values, it uses the equal symbol(`=`) for consistency with other similar flags, like `--storage-opt`.
+
+### `/containers/(id or name)/copy` endpoint
+
+**Deprecated In Release: [v1.8.0](https://github.com/docker/docker/releases/tag/v1.8.0)**
+
+**Removed In Release: [v1.12.0](https://github.com/docker/docker/releases/tag/v1.12.0)**
+
+The endpoint `/containers/(id or name)/copy` is deprecated in favor of `/containers/(id or name)/archive`.
+
+### Ambiguous event fields in API
+**Deprecated In Release: [v1.10.0](https://github.com/docker/docker/releases/tag/v1.10.0)**
+
+The fields `ID`, `Status` and `From` in the events API have been deprecated in favor of a more rich structure.
+See the events API documentation for the new format.
+
+### `-f` flag on `docker tag`
+**Deprecated In Release: [v1.10.0](https://github.com/docker/docker/releases/tag/v1.10.0)**
+
+**Removed In Release: [v1.12.0](https://github.com/docker/docker/releases/tag/v1.12.0)**
+
+To make tagging consistent across the various `docker` commands, the `-f` flag on the `docker tag` command is deprecated. It is not longer necessary to specify `-f` to move a tag from one image to another. Nor will `docker` generate an error if the `-f` flag is missing and the specified tag is already in use.
+
+### HostConfig at API container start
+**Deprecated In Release: [v1.10.0](https://github.com/docker/docker/releases/tag/v1.10.0)**
+
+**Removed In Release: [v1.12.0](https://github.com/docker/docker/releases/tag/v1.12.0)**
+
+Passing an `HostConfig` to `POST /containers/{name}/start` is deprecated in favor of
+defining it at container creation (`POST /containers/create`).
+
+### `--before` and `--since` flags on `docker ps`
+
+**Deprecated In Release: [v1.10.0](https://github.com/docker/docker/releases/tag/v1.10.0)**
+
+**Removed In Release: [v1.12.0](https://github.com/docker/docker/releases/tag/v1.12.0)**
+
+The `docker ps --before` and `docker ps --since` options are deprecated.
+Use `docker ps --filter=before=...` and `docker ps --filter=since=...` instead.
+
+### `--automated` and `--stars` flags on `docker search`
+
+**Deprecated in Release: [v1.12.0](https://github.com/docker/docker/releases/tag/v1.12.0)**
+
+**Target For Removal In Release: v17.09**
+
+The `docker search --automated` and `docker search --stars` options are deprecated.
+Use `docker search --filter=is-automated=...` and `docker search --filter=stars=...` instead.
+
+### Driver Specific Log Tags
+**Deprecated In Release: [v1.9.0](https://github.com/docker/docker/releases/tag/v1.9.0)**
+
+**Removed In Release: [v1.12.0](https://github.com/docker/docker/releases/tag/v1.12.0)**
+
+Log tags are now generated in a standard way across different logging drivers.
+Because of which, the driver specific log tag options `syslog-tag`, `gelf-tag` and
+`fluentd-tag` have been deprecated in favor of the generic `tag` option.
+
+```bash
+{% raw %}
+docker --log-driver=syslog --log-opt tag="{{.ImageName}}/{{.Name}}/{{.ID}}"
+{% endraw %}
+```
+
+### LXC built-in exec driver
+**Deprecated In Release: [v1.8.0](https://github.com/docker/docker/releases/tag/v1.8.0)**
+
+**Removed In Release: [v1.10.0](https://github.com/docker/docker/releases/tag/v1.10.0)**
+
+The built-in LXC execution driver, the lxc-conf flag, and API fields have been removed.
+
+### Old Command Line Options
+**Deprecated In Release: [v1.8.0](https://github.com/docker/docker/releases/tag/v1.8.0)**
+
+**Removed In Release: [v1.10.0](https://github.com/docker/docker/releases/tag/v1.10.0)**
+
+The flags `-d` and `--daemon` are deprecated in favor of the `daemon` subcommand:
+
+    docker daemon -H ...
+
+The following single-dash (`-opt`) variant of certain command line options
+are deprecated and replaced with double-dash options (`--opt`):
+
+    docker attach -nostdin
+    docker attach -sig-proxy
+    docker build -no-cache
+    docker build -rm
+    docker commit -author
+    docker commit -run
+    docker events -since
+    docker history -notrunc
+    docker images -notrunc
+    docker inspect -format
+    docker ps -beforeId
+    docker ps -notrunc
+    docker ps -sinceId
+    docker rm -link
+    docker run -cidfile
+    docker run -dns
+    docker run -entrypoint
+    docker run -expose
+    docker run -link
+    docker run -lxc-conf
+    docker run -n
+    docker run -privileged
+    docker run -volumes-from
+    docker search -notrunc
+    docker search -stars
+    docker search -t
+    docker search -trusted
+    docker tag -force
+
+The following double-dash options are deprecated and have no replacement:
+
+    docker run --cpuset
+    docker run --networking
+    docker ps --since-id
+    docker ps --before-id
+    docker search --trusted
+
+**Deprecated In Release: [v1.5.0](https://github.com/docker/docker/releases/tag/v1.5.0)**
+
+**Removed In Release: [v1.12.0](https://github.com/docker/docker/releases/tag/v1.12.0)**
+
+The single-dash (`-help`) was removed, in favor of the double-dash `--help`
+
+    docker -help
+    docker [COMMAND] -help
+
+### `--run` flag on docker commit
+
+**Deprecated In Release: [v0.10.0](https://github.com/docker/docker/releases/tag/v0.10.0)**
+
+**Removed In Release: [v1.13.0](https://github.com/docker/docker/releases/tag/v1.13.0)**
+
+The flag `--run` of the docker commit (and its short version `-run`) were deprecated in favor
+of the `--changes` flag that allows to pass `Dockerfile` commands.
+
+
+### Interacting with V1 registries
+
+**Disabled By Default In Release: v17.06**
+
+**Removed In Release: v17.12**
+
+Version 1.8.3 added a flag (`--disable-legacy-registry=false`) which prevents the
+docker daemon from `pull`, `push`, and `login` operations against v1
+registries.  Though enabled by default, this signals the intent to deprecate
+the v1 protocol.
+
+Support for the v1 protocol to the public registry was removed in 1.13. Any
+mirror configurations using v1 should be updated to use a
+[v2 registry mirror](https://docs.docker.com/registry/recipes/mirror/).
+
+Starting with Docker 17.12, support for V1 registries has been removed, and the
+`--disable-legacy-registry` flag can no longer be used, and `dockerd` will fail to
+start when set.
+
+### `--disable-legacy-registry` override daemon option
+
+**Disabled In Release: v17.12**
+
+**Target For Removal In Release: v18.03**
+
+The `--disable-legacy-registry` flag was disabled in Docker 17.12 and will print
+an error when used. For this error to be printed, the flag itself is still present,
+but hidden. The flag will be removed in Docker 18.03.
+
+
+### Docker Content Trust ENV passphrase variables name change
+**Deprecated In Release: [v1.9.0](https://github.com/docker/docker/releases/tag/v1.9.0)**
+
+**Removed In Release: [v1.12.0](https://github.com/docker/docker/releases/tag/v1.12.0)**
+
+Since 1.9, Docker Content Trust Offline key has been renamed to Root key and the Tagging key has been renamed to Repository key. Due to this renaming, we're also changing the corresponding environment variables
+
+- DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE is now named DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE
+- DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE is now named DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE
+
+### `--api-enable-cors` flag on dockerd
+
+**Deprecated In Release: [v1.6.0](https://github.com/docker/docker/releases/tag/v1.6.0)**
+
+**Removed In Release: [v17.09](https://github.com/docker/docker-ce/releases/tag/v17.09.0-ce)**
+
+The flag `--api-enable-cors` is deprecated since v1.6.0. Use the flag
+`--api-cors-header` instead.
diff --git a/cli/docs/extend/EBS_volume.md b/cli/docs/extend/EBS_volume.md
new file mode 100644
index 00000000..14e13a27
--- /dev/null
+++ b/cli/docs/extend/EBS_volume.md
@@ -0,0 +1,165 @@
+---
+description: Volume plugin for Amazon EBS
+keywords: "API, Usage, plugins, documentation, developer, amazon, ebs, rexray, volume"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Volume plugin for Amazon EBS
+
+## A proof-of-concept Rexray plugin
+
+In this example, a simple Rexray plugin will be created for the purposes of using
+it on an Amazon EC2 instance with EBS. It is not meant to be a complete Rexray plugin.
+
+The example source is available at [https://github.com/tiborvass/rexray-plugin](https://github.com/tiborvass/rexray-plugin).
+
+To learn more about Rexray: [https://github.com/codedellemc/rexray](https://github.com/codedellemc/rexray)
+
+## 1. Make a Docker image
+
+The following is the Dockerfile used to containerize rexray.
+
+```Dockerfile
+FROM debian:jessie
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates
+RUN wget https://dl.bintray.com/emccode/rexray/stable/0.6.4/rexray-Linux-x86_64-0.6.4.tar.gz -O rexray.tar.gz && tar -xvzf rexray.tar.gz -C /usr/bin && rm rexray.tar.gz
+RUN mkdir -p /run/docker/plugins /var/lib/libstorage/volumes
+ENTRYPOINT ["rexray"]
+CMD ["--help"]
+```
+
+To build it you can run `image=$(cat Dockerfile | docker build -q -)` and `$image`
+will reference the containerized rexray image.
+
+## 2. Extract rootfs
+
+```sh
+$ TMPDIR=/tmp/rexray  # for the purpose of this example
+$  # create container without running it, to extract the rootfs from image
+$ docker create --name rexray "$image"
+$  # save the rootfs to a tar archive
+$ docker export -o $TMPDIR/rexray.tar rexray
+$  # extract rootfs from tar archive to a rootfs folder
+$ ( mkdir -p $TMPDIR/rootfs; cd $TMPDIR/rootfs; tar xf ../rexray.tar )
+```
+
+## 3. Add plugin configuration
+
+We have to put the following JSON to `$TMPDIR/config.json`:
+
+```json
+{
+      "Args": {
+        "Description": "",
+        "Name": "",
+        "Settable": null,
+        "Value": null
+      },
+      "Description": "A proof-of-concept EBS plugin (using rexray) for Docker",
+      "Documentation": "https://github.com/tiborvass/rexray-plugin",
+      "Entrypoint": [
+        "/usr/bin/rexray", "service", "start", "-f"
+      ],
+      "Env": [
+        {
+          "Description": "",
+          "Name": "REXRAY_SERVICE",
+          "Settable": [
+            "value"
+          ],
+          "Value": "ebs"
+        },
+        {
+          "Description": "",
+          "Name": "EBS_ACCESSKEY",
+          "Settable": [
+            "value"
+          ],
+          "Value": ""
+        },
+        {
+          "Description": "",
+          "Name": "EBS_SECRETKEY",
+          "Settable": [
+            "value"
+          ],
+          "Value": ""
+        }
+      ],
+      "Interface": {
+        "Socket": "rexray.sock",
+        "Types": [
+          "docker.volumedriver/1.0"
+        ]
+      },
+      "Linux": {
+        "AllowAllDevices": true,
+        "Capabilities": ["CAP_SYS_ADMIN"],
+        "Devices": null
+      },
+      "Mounts": [
+        {
+          "Source": "/dev",
+          "Destination": "/dev",
+          "Type": "bind",
+          "Options": ["rbind"]
+        }
+      ],
+      "Network": {
+        "Type": "host"
+      },
+      "PropagatedMount": "/var/lib/libstorage/volumes",
+      "User": {},
+      "WorkDir": ""
+}
+```
+
+Please note a couple of points:
+- `PropagatedMount` is needed so that the docker daemon can see mounts done by the
+rexray plugin from within the container, otherwise the docker daemon is not able
+to mount a docker volume.
+- The rexray plugin needs dynamic access to host devices. For that reason, we
+have to give it access to all devices under `/dev` and set `AllowAllDevices` to
+true for proper access.
+- The user of this simple plugin can change only 3 settings: `REXRAY_SERVICE`,
+`EBS_ACCESSKEY` and `EBS_SECRETKEY`. This is because of the reduced scope of this
+plugin. Ideally other rexray parameters could also be set.
+
+## 4. Create plugin
+
+`docker plugin create tiborvass/rexray-plugin "$TMPDIR"` will create the plugin.
+
+```sh
+$ docker plugin ls
+ID                  NAME                             DESCRIPTION                         ENABLED
+2475a4bd0ca5        tiborvass/rexray-plugin:latest   A rexray volume plugin for Docker   false
+```
+
+## 5. Test plugin
+
+```sh
+$ docker plugin set tiborvass/rexray-plugin EBS_ACCESSKEY=$AWS_ACCESSKEY EBS_SECRETKEY=$AWS_SECRETKEY`
+$ docker plugin enable tiborvass/rexray-plugin
+$ docker volume create -d tiborvass/rexray-plugin my-ebs-volume
+$ docker volume ls
+DRIVER                              VOLUME NAME
+tiborvass/rexray-plugin:latest      my-ebs-volume
+$ docker run --rm -v my-ebs-volume:/volume busybox sh -c 'echo bye > /volume/hi'
+$ docker run --rm -v my-ebs-volume:/volume busybox cat /volume/hi
+bye
+```
+
+## 6. Push plugin
+
+First, ensure you are logged in with `docker login`. Then you can run:
+`docker plugin push tiborvass/rexray-plugin` to push it like a regular docker
+image to a registry, to make it available for others to install via
+`docker plugin install tiborvass/rexray-plugin EBS_ACCESSKEY=$AWS_ACCESSKEY EBS_SECRETKEY=$AWS_SECRETKEY`.
diff --git a/cli/docs/extend/config.md b/cli/docs/extend/config.md
new file mode 100644
index 00000000..e68af3bf
--- /dev/null
+++ b/cli/docs/extend/config.md
@@ -0,0 +1,237 @@
+---
+description: "How develop and use a plugin with the managed plugin system"
+keywords: "API, Usage, plugins, documentation, developer"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+
+# Plugin Config Version 1 of Plugin V2
+
+This document outlines the format of the V0 plugin configuration. The plugin
+config described herein was introduced in the Docker daemon in the [v1.12.0
+release](https://github.com/docker/docker/commit/f37117045c5398fd3dca8016ea8ca0cb47e7312b).
+
+Plugin configs describe the various constituents of a docker plugin. Plugin
+configs can be serialized to JSON format with the following media types:
+
+Config Type  | Media Type
+------------- | -------------
+config  | "application/vnd.docker.plugin.v1+json"
+
+
+## *Config* Field Descriptions
+
+Config provides the base accessible fields for working with V0 plugin format
+ in the registry.
+
+- **`description`** *string*
+
+	description of the plugin
+
+- **`documentation`** *string*
+
+  	link to the documentation about the plugin
+
+- **`interface`** *PluginInterface*
+
+   interface implemented by the plugins, struct consisting of the following fields
+
+    - **`types`** *string array*
+
+      types indicate what interface(s) the plugin currently implements.
+
+      currently supported:
+
+        - **docker.volumedriver/1.0**
+
+        - **docker.networkdriver/1.0**
+
+        - **docker.ipamdriver/1.0**
+
+        - **docker.authz/1.0**
+
+        - **docker.logdriver/1.0**
+
+        - **docker.metricscollector/1.0**
+
+    - **`socket`** *string*
+
+      socket is the name of the socket the engine should use to communicate with the plugins.
+      the socket will be created in `/run/docker/plugins`.
+
+
+- **`entrypoint`** *string array*
+
+   entrypoint of the plugin, see [`ENTRYPOINT`](../reference/builder.md#entrypoint)
+
+- **`workdir`** *string*
+
+   workdir of the plugin, see [`WORKDIR`](../reference/builder.md#workdir)
+
+- **`network`** *PluginNetwork*
+
+   network of the plugin, struct consisting of the following fields
+
+    - **`type`** *string*
+
+      network type.
+
+      currently supported:
+
+      	- **bridge**
+      	- **host**
+      	- **none**
+
+- **`mounts`** *PluginMount array*
+
+   mount of the plugin, struct consisting of the following fields, see [`MOUNTS`](https://github.com/opencontainers/runtime-spec/blob/master/config.md#mounts)
+
+    - **`name`** *string*
+
+	  name of the mount.
+
+    - **`description`** *string*
+
+      description of the mount.
+
+    - **`source`** *string*
+
+	  source of the mount.
+
+    - **`destination`** *string*
+
+	  destination of the mount.
+
+    - **`type`** *string*
+
+      mount type.
+
+    - **`options`** *string array*
+
+	  options of the mount.
+
+- **`ipchost`** *boolean*
+   Access to host ipc namespace.
+- **`pidhost`** *boolean*
+   Access to host pid namespace.
+
+- **`propagatedMount`** *string*
+
+   path to be mounted as rshared, so that mounts under that path are visible to docker. This is useful for volume plugins.
+   This path will be bind-mounted outside of the plugin rootfs so it's contents
+   are preserved on upgrade.
+
+- **`env`** *PluginEnv array*
+
+   env of the plugin, struct consisting of the following fields
+
+    - **`name`** *string*
+
+	  name of the env.
+
+    - **`description`** *string*
+
+      description of the env.
+
+    - **`value`** *string*
+
+	  value of the env.
+
+- **`args`** *PluginArgs*
+
+   args of the plugin, struct consisting of the following fields
+
+    - **`name`** *string*
+
+	  name of the args.
+
+    - **`description`** *string*
+
+      description of the args.
+
+    - **`value`** *string array*
+
+	  values of the args.
+
+- **`linux`** *PluginLinux*
+
+    - **`capabilities`** *string array*
+
+       capabilities of the plugin (*Linux only*), see list [`here`](https://github.com/opencontainers/runc/blob/master/libcontainer/SPEC.md#security)
+
+    - **`allowAllDevices`** *boolean*
+
+	   If `/dev` is bind mounted from the host, and allowAllDevices is set to true, the plugin will have `rwm` access to all devices on the host.
+
+    - **`devices`** *PluginDevice array*
+
+       device of the plugin, (*Linux only*), struct consisting of the following fields, see [`DEVICES`](https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#devices)
+
+         - **`name`** *string*
+
+	       name of the device.
+
+         - **`description`** *string*
+
+           description of the device.
+
+         - **`path`** *string*
+
+           path of the device.
+
+## Example Config
+
+*Example showing the 'tiborvass/sample-volume-plugin' plugin config.*
+
+```json
+{
+            "Args": {
+                "Description": "",
+                "Name": "",
+                "Settable": null,
+                "Value": null
+            },
+            "Description": "A sample volume plugin for Docker",
+            "Documentation": "https://docs.docker.com/engine/extend/plugins/",
+            "Entrypoint": [
+                "/usr/bin/sample-volume-plugin",
+                "/data"
+            ],
+            "Env": [
+                {
+                    "Description": "",
+                    "Name": "DEBUG",
+                    "Settable": [
+                        "value"
+                    ],
+                    "Value": "0"
+                }
+            ],
+            "Interface": {
+                "Socket": "plugin.sock",
+                "Types": [
+                    "docker.volumedriver/1.0"
+                ]
+            },
+            "Linux": {
+                "Capabilities": null,
+                "AllowAllDevices": false,
+                "Devices": null
+            },
+            "Mounts": null,
+            "Network": {
+                "Type": ""
+            },
+            "PropagatedMount": "/data",
+            "User": {},
+            "Workdir": ""
+}
+```
diff --git a/cli/docs/extend/images/authz_additional_info.png b/cli/docs/extend/images/authz_additional_info.png
new file mode 100644
index 0000000000000000000000000000000000000000..1a6a6d01d2048fcb975b7d2b025cdfabd4c4f5f3
GIT binary patch
literal 45916
zcmd43bx@UE)He)x5RM?JfJle5lt_rQlp>N6($cM@(x9NyQUU^sbT>#NA)(SC4bm-w
zNPg=w?&o>uo%!bb^P4&MJ;U}~wXeO`TEAH5*`3>RXU|Zc!N9;cs~|6<ih+T}1pn3I
zo`#Wg@va9L7<3p4GLq_Un5(bRV@d=2ZOKETU$&#%S(zAqe$qNe&woJ*U1jH=&@Hae
zb0bLRen-@;yH91BSDr^+dN+E$YW~%&SHdS>?8mEj#}{hMznYINBu?&oe6G$A5M8Mr
ztp2%?yOZk~NktGSO(E}t`um}Kj_Q>uvLRE#Vv_j#d5(dNzJ`Sk$N2q`=ttiPm#IZt
z{P`34KQ{W{zd!!}_0JMA*zHq|{>*G_?Q1M*>9<th%AhUB-<Ns(9Ct;J@^ReFkFp&t
z7alliAvd@Zw>Dh#VM&LRcFg<aC|iG|*mOIGa((8&m^4S!bD;Bl+`wM`(x<jbkL{5D
zoV&`!W}mXfeoj0tpb~Oupkki?X_98ptgBl&dmLMT*iu=)Hc@+R*|T%p^U|^`a}Xx+
zd8Uat{dzAw0$MT7&RFi)Z{P02C0<l4I=ZfPzme{(aertzQk<43<jAnTOulp`!rZXA
zK(G3eQo_|}?)pR3{Cibz#oXl2vEHF8#J7!MkJ-N=T6Tleu|hjmiS=Rcjhu3~P0jp!
z+UGYMg!)4^HoQ-&NtgxgC!*?)cM6I<4|XkHk#9YS<<h;BbGN`n*Dg<|?A_y^>&rSx
zqV8j@3jHsWhM6dpm8o)fUw9v_7<@n2sL#1iD7KdpOnpr=U%!@JyZC-ld^Fc=n`(Vf
zM)_vzcntLu*&9zJ`cVqiE^F_shw^Vnd;OY=O}q7q&(Hq!q}M^-d*1oauSeN#GtfA#
zk7;ij$t%$jUG;sZpjTY`IUxJC_u*EcN>L!KmzLE~zAaVT!R<_nr_a?GDsE&_@Fi0)
zP6ZiKT(Jn3mgzU2sByQuS+|h%I9TZ5=Z4@6OjFa=YRMOo=jYgFK8Dl#&*oRJKRBG@
z_I8}AvEDoSIXO@!_2i5&pJ~T8x6MWzY6I`1vQ&e5FZPXG?Gj3b_pTduQ9oglMuoy&
zCkj8zwnkoMpS!nhmFGdZ$xQRJ(B*-gYj@1vJ1tQaX2DAceSOW9(*3ISU{|5!cH?dv
zt+%?PzS}hR?0d05y!T=k_|2RWuepBSI^6zp?fH3*`3A?ij%ezK^Ig0h-Pc%@lbn96
zj`T%{dwa>naB5Q#iXRr5w1rX=e8P0zWwDv48NsZ6LB_Q#pDb3(sGKAk`rdg(gp5-w
zoc&h>qa4-vd*_GWI%B^?2tPE_xU{U2DtlIg`{84{qUgQ#VN{3O#X6@YRZ|m~C5;oz
z&gl<<*Df2><)&uZ(j6Yn&FAaieo{^4_T0Wj_Aoi_AbG-jDJ?cpaXVJIGlomUYtLZ3
z(8xd4X{mSFTTob7doH8%1DPk$TFmvwE<2JshbOe6Zrwd;H_7GJ$Ev7d(LNOY{*f`%
z`*=I~_U=>zZNAGodH(rc8>fqld3JaPHqKth<<Xb9&)L4|9Mm-!bEdsP?Y%dRvs3?6
z%>O{E%xZw@1v&Si_61$<jYe54!E2i9{POF{w0$jm)&`kX2cr}5Rng{w`MN?CB%izV
zws)E3KPQV9*oiF0xqTe3aaS{S{IRIQEb&7;&0V*~&2a~#&vg2YN}6J{x}c^g?pA}0
z&i1K0;z5oRw35axF|cMXM^k^@r4oK1<h8%VVp?9{tz|%X5%)E`rR-w5L8lADu)K9r
zRo)^i_x2Dmj^I8leuLLP<-%>gmMUD=>Y9uD`AKSVZ);YO=~aOVtu2P{+n;3-nzPj=
zq^!!r-LRq5JxbRW?`9|`52jQ4bsHROR#xT2suU(rD{t+Dw9#JN`J^&**M3L3o1ONk
zTgD);yZhJ9VvqEIL@bVD@X41emc5x_p?8b#E6Dj`VXKRb5&m!w+Q%cmOmXgT&T7cZ
zNWHl<b!1Uw<@W?fL`T=<cH)(D-O}K3@pK&WJm(yM(c>&&e>YFZ^qct{jSbU-k)lV*
zTNPn%C^&YXL{>-d4t5<?aaX3`tr)?6ovibureJPd_&_M`1lxPiankeWh1XlJ%#(Q8
zC*C_-JBvZY<h2>*X^Y{~RrhF+$*>*De@*=J<apyGShORCYh`aSHH-@G&q+P=PNNWQ
zFx}P=Sx`=?WnVVmHJ8=QW&#>BezPuz6q>?|e%P3k1dY-sr|Py^FNW@{3|+gd_x@e}
z!J}b1>N=H074qPY#Tp0x?nch=&9Fk3H65ID0(Di(d&jsWN6G;>XZP$z%RlkjjR`Rl
z2ESk2{L!a;alv{ZdrqswEQGy8JxjIK{o!M+kd08K6j68qcEbTZ5%ouF_MvQQ=|Wb6
zxt59cJ#U}n$J5In&e=ansD5+-yLx2noWZ2qVUgodzFz3hN$<(b6*cASb9>)AxzE0_
ziw^U$cx$tX>V&N)a=aDhok?jyQ#tWYfs{G!OQP^><-vOO*^6h$FRu>QKCYN;4Y^2g
zNK1cN3^p(y>!OFpj$HLFUMfR6wSn#Qi@bsIUVMLBJhk(|dIn>kJkO<;zhqI?Wc*4&
zJhWzeT)+L3#)e|btZms-c6)1}?M~GB1E;#i2Nho@%;t|puZ_{+cV=axNydA|Y*z+y
z78*j()BRa$trh76)FMKX-Gq*~q(>oWhX|JDhKbt8A$#>ly9x1pjRM=Jx;t>6o!2Fx
z5;8pGf7565aesejr6Xyh{$v8P(U@SiElhC6`+Gaf{7nLHnyW<4B4bq#<veF)^mre<
zJw<ayD3Ca!#Qe*0AHmpRsr+}j@I#m!E34MSJnUDNyV2|#s_rHoXMS1E&-Y*l6HM3C
zJw<8GGKR2R_1)w&sH-W)@x;01BvHLY%sTu6hsp0(@>km9;|J0cNy}-r55^xow;zzj
zB^tk6P=EYhjaTzm9BuqY?aw4NeIcI7;7>IW<n4zsR5DLBmz1A1Fmx(x8VEg-8v5Y8
zlE>vyRQ6T#jTPRI$fAio%&1dy5V6QJO8T~s7rs(4oNw&7KK${cDNFc4aJ^?&w&$A}
zyRzC(u>4)C=<rA1*v1?+?W8M4v->$OU%YA)UgN&aZl6f&wI>PDEp@kOIUS;FE6x^?
z-S~TE@uMFv@6~x|6VQleex4pjn|8)%9PFvRce0GGcVzIP<|v<f&F(tsS;20)GMI;j
z(|E7yLDm{9i0D~6j7x5}9(=j}lVWHypS+e5hoA`;0{%;w(`?V&kKIF#SYwTClXr@Y
zZ!Gm^y;LvI*CXTB=R9>9pD1^HXtjq1S1ybu8n#%bC+FPfSngyMl&03W^N?PvBi+_(
z5*&97vHIivoQ^cO&)c5N(ogZfckzFrU^Z09wcc!@-GaCu@0uBURMexU-S{0-&HjyQ
znqsTz_G8Pgs|z0^J_My62;2^MX<fK;b#!C>q&M>p(Y1UV|1#mYa@@C+>{(TpmwMCq
z*VVL^o*2&2thSTo{AB(%Yfp>US|?G3GddBmn40vpX~&~qbEGRlP`R-8G&d&9L4wXY
zo=TDXwwWbtI-?AIzaUaK;g=cYSEh}ucNJZKPN24>hglm+{pZ@|Q)qMd6VK~9Y&Txh
zxFdM<mj6&qGI)yLY4Of0aql_^CbH(V{evE)a<Y5ovfa*pT78l)u6qXC9v}XitC;lS
zPySwcvi(K8v*e4|%8&fGA4`3BVp_$oFMaZM%CEW}UT^Iq(Zg_hD7V%16L*{m*I>9@
z&)XYnrlw-9@T%2^Jh$YqysOeWL}geGVU|=Hzw^FO8RDbcbMkHx822u;FTZf2CbH-i
zGVAc*Z25%Qfl*F=#)y|*hC~HSRFUv-Ic_O|2z6cQEC2bl`Y4?$oP=%O4V(u^+{Lys
z;2HC`w0C$WLo2ZTvz&H-n55=)nWX<|D|IH5*5HoYH9rlz;&`8a8YwXs+}%pQd&pRQ
zAbPwv8_92ed#6>LN$BBxaK!BmNLw-+l)BqW1cYkTc9V5^6ZI)!MP<f#GqD_ZZ`U2~
zTaQ#d%m}97l?n-+T8qUcV!8f!_goa|bHn_=>ccZ+oEC{LKW79oZM>U8E(-R)DA}A5
zIV7#!Y{DysP}?Z|9s(#k-jRgl<3)$#L-$&18|7p%+f|b`E02t3Nt!rp&N|7e(+?*d
zS@J!$Dw;l(t=^$NDDKe}Zv5V!C|uIET04?<5Sh_DJx^&<TRZSc?R9RFtLeqyPZO&<
z17w<OF65JUFKBKwu6GnZN-pYc!z$yZSZ^#9+;ig?rLK2KdXY`nb3R8iFCL#(>>h1L
zIK8w?y%dESx5y$JrRU*tPJv>**U>kBLa{q)bVNdrhM~;VGxiEHj57X`bX_E?XaEb7
zrHgQm*88w0j=eV`Z`iN+((Oc6H?Hq3FUYaWy|!A&t-ikVI@)KyDf({b!<WOb%=)v7
z52TA)#EsraJyF+mqb|El&Z4TSin3Sz!7^2L?3Q}D304(1>7`rYa<rc6SvE&&60Vy~
zPw+0<@1eX8O;!r+C&e;$8{KoZob}hsHQl8Omn=DMwNG7)ARx*vG5gdT_;&P*&~#hq
zc{{KB<Xfz;uqxzOLn=B3Yy!nk%o_)<MLF+8#a7)8GLcL8bans3xSC$xnE&-Tqa87m
zw6G^lV#+R$MeN&lckkyEY?l);@qAB<)#uZ13c$HrpkLcBFJENb67>alX3Equj=e#2
zyz3Re>5s*p@5culoxvCQQO2n0c9vvy-EUjNCSmPwZ@jp_|6^%6dUe^alQ!6R(TBXG
zanhva`S}hxspKJD2x4WU6xZWK-HX4AOVmNFs_xuP=!CCq6=6sw3z6|nFs-=$?#5)n
z3xaksMm}7_zDh?ENnuEQC0A_kC$+UDFztMr8+V;Ne|^S?j3%yFssUFqS<Ewv&Yz+&
z!Q5Hr{B*r{ZmVF1zy?ke=?ocWswPF%MFFcQlIpmj<GEOaet}#3G28|d_o56AG^>6^
zTLv&bd8wSDQPeSDcf`>B=s?lDqWnxib+rg=vg(@!U$m>fXf2t%DOMg`+8DH3TPqmP
zntAd`Z&0bVZbBMM*{tT{t;fA4ujrZ}y=3cuOZ$>gq1EE6!69<5_R+waj!O*==1ts)
z!J3Zw;UW_P&N;q?XP%rlTkv`c?Y(&8&+DEhq)B8qcqpuem3wO0u<q&6c@E9Y&g0w^
zjB5|OIrIw$FgdKdI&GcZ-D2^?gj(@3Yp~ri#Wx#HJ<W5w8}M1J{uFkO8wBRG;wrbT
zw|#uK^)6`^TYPc&U8p=$q7y9=$x_R>EjwPC_vi)r*fh42NZj=S&#j7%PinPJBl)_@
zTY1AlqP2Oeg&l1*Bq(kUr?ZcqVCsLqPoOoP`YPkyJBrxCbNb0`FP4dNAC&3V^RO?N
zwdv~a8C#d-N%fG~Wg8}bZyg_#+o^u#B<1>(m*c15>#&u<4$oFA+7e@f%t~Ebd;W(8
zKQG^PnHDYogo}<M5q$;FR!RCw?e`9j<-mEK=e}&`JU(33uc`d5=kt<Y^N}GtM$UDo
z26=S43lAj*i{{~JxtEue`aj}m)>WRypKNR|HTv+B{qp?mqo3<}UUF>%+W3}v!+a0E
z$^ZKHQn}wkCW7Hcl=MX^MWZhZ$=>-k{ktgy_O&}Pl)S$7vQN&OZ_e#<t}!g1@{Ndx
z3K3VoozVQ!;d{Px*3u6J1(TeO-5j#vJWZG`n{tvm!K#*%v_jp+kIrB|%yv*et+pw1
zOnCiAc>E=-heL(}b=HqOsc@BV32<o@O5{;BSzYeOJ3@2#bzj{~K>x_V&wbFhQ`mPk
z(E}?lLnGg1h1_>=^sY#CnFih1^?@EJAk=68m1rJlv9504ugKVTv9?!s*%wJhmCbUf
z*4%5`c+lXD^&xOxgJnxq++b%9iqdGhhC<`^NapCmKFdNBxfhdwRX<VJE53ic2@_hz
zcEp~EqrLc8dg`_7gbE|6kkw>e?IUm8Lm{%u_bi0U2D8)xEB_HOGbkY`631^n91a87
z8ok*X92KA66`tuMj-!0&X{7yw)2#guL-S0kK~s$B8P;{3oo2j+!2$zrH*-7>olOS*
zy&S{+(_(^?-Y3^v<Vz_7=OTfok?<px&m@jS*;{KS|0R8FZu&4XmD^HM%Kl}1o=N-o
zF*$yX7huLDp+i2SBq?-7wtd|^fBqzqr@}hN^sH|%m+dbtG#rD0{meGu>C=cmOpwG3
zQ3{<xV!4@;!XIj>p&Z33Z!>!3O7P!{k_2L4E6kJ%SS$X$XgRZlr15C_8>7F(Q@9Wu
zL6VWDt@ih#g<QTq-fIXz1!QhM`n=`6QL1dn^LF;BSpS7D$=uN#cS98pEKBA6PoI6K
z@bXf*Tw|Tt!KLC_-=f|jTS7jW)2BJ*k%S2}i)m1o;Z-v%e;mRXt@BLDUi(=dyCdeR
z6?S?Lqbq3{QQaGnk&(ty;e`b)@)^ZhuZsGIY@hRdGsEVTH*8Ol^p~<D;y>q0_iVr?
zg7^pCZpg5WWZ(yS^2_&v(6b{$#&2KQSl{Q|aUPYzFEaW;kLJB&Cijm}GkgtG<!p9K
z^4|cFF-#`?>5kR^Sh!qLnC{QPZ2t{N-GUd=Eb)r^9}DN>495(<;>G?qAQ1$#TmS`Y
z3FF^aMpAg&$FEt0KmGR$M5Yjz7xPRc(J51x|Cqf&I7Z97_1u30^p_+gNsLpvLjTc$
z4I-FlNLISy{QeElHN#tx!jBsH`=T+>S}gG1USClAyUsDt0deqVgM9g}{e5qAm@6n7
zHu<`f<Ht(_IkD=wS}Mi&+Zlu(&PM^s(E+(@?(^$wx65pL-#ueuW^OOD9_s()vi3D=
zmXzhTPzzpLqu`_mW5QM2GjfAn+x4i{Q0knoq_(-@mc8#HfXq>Z*Et8!H3A_dzTLp0
zXX!4rR2x{JdAwQ_KDV}>)B~GG<MS(ibB`E^xzw{K5+~x7qoGhT&CRW!;B56}D091S
z&qtp=OZm|c8!xfLxi&*Y4}V&cX=8x?N`m&22#NPR^R~j)K_Nr>kCkLYsn~!tMUxzU
zID~`?)S3%I<mGA=Nda2EwA6cJ=m$K5A`}9@>z0%L7>-U<3~m&gnk-Nb>Afk*2&C{j
z+PTZDD!#wSs9kCifmD7m-|yci*_6RBuz+1$P)Fo>{A=OCw~xfBC+>=~D;})t7l5`*
z9(p`EWZ=yuXg3xPsb1uj$?-|!lhF$MPADYjXixS6_g6<Nl%En%FGoGaVIs1`DyO7(
z-~J>xXYYNGFy{GlT+s(Xa^FYHlhMcRn}pjL;ztUac{<G8b$f5+ZUbr$2WWT`Xb90(
zbPKjef+KYv`bJ&XhwHxez^_?dIm4)$AZQ<hASQ&DX<h+Hp9T|K?7E@<^O<`Lij&0W
zV~h0TsRrNW6OX}MZL){*)Ys4b3<ien%bs|{iQlija$8+y*^XFlZqNN6j(iP=C;nFq
zyndxoYTv7{dwu_7xFpY8zXLNS>38b`5xJzDXF`2!QRwD2UHjU!02xKa=l!|beOYEu
z;l(P8AE_%%-bxl5pA}aIj`ZD~H&T8^o=^8K`KS~(`r~xMZvEB~&9R(LIVoVa#&E+B
zYX8V<u6E4wJf?@!fwb8wqw>-AWmG{w5TevdW&vSNzX3oh;G`6^<Fx%+8Uc@+O-x@;
z@`RNHRs_}sxsl=dtn2m@qE*f-G5Z-E$>R08&F<g75qCY4`edTmrsp8Y?LOUv?T)aa
zK&x4?l1iT(?eDyVm3Gb4x9VQdD_}>JM4T2==C%0EKXbOXxBE?NQonauV^<dY^-d(9
z0B`>O$xeayQs<a#TtiMloz+-SPoUE<l==vhdbVs<myU*WXL&%a&r2k9LT8C_QQTr<
zFi$r}6!7KcFtPp2c&R2Hp?#F>;++Y`Fi{4g(R_qA@UzcjR*bqcc_)IUZh+>ROBY*q
zy=N~QF`*xWk5`HH&}Ga1%!sKIT3d&y2FwaV8|7m%irNpJn3lwcRpy4MG}n!Z?2QJw
z<whLZC|EE}=6bi2MA?)@w*uaK-+nEk!G1S?l|MunYyAc8V)eRTy>q|i&y7iLz4uNk
zKYMLPiqX9%K#+Fie=W0Kv6y*OU}hlL&9oY7i+biY^@00?t`8|=^9`sIYHsl7Pq$)7
zV$%C39OH4<q=Zf%Y&D!B#65oX39}9z6t=e5lZxFZzo}s{QB$=#TqJ!12={8Il|iMo
zS>He-b=(V27l|5_2yK4>Q%hlsT9CZ8Wu(6LCXhyTEffbo{e+HbiZ;c6Kn!ckPb`v6
z?b0hD$G1>JOY{5)5mT-A@)UO4Oo@LaWAI^9$U}GYta_kyAb|qRxas$A?W)=8Y)hjR
z1wejDrYj{}0tTsm>Zu*U@ehTE9_u)A7^#f7)Yn|pbwyW+d0L1pHW!jGRjMD%Df;qr
zc`S6_-Qqdf9ksts_QI0+)?MTG*nXPcD&ON8K0O()cFifd@q*0x;lNk6A9{!O9*0|P
zR#6vsTGiPT9rZTK)*qM|xXLm6eip{UXP|h8tM@TkT>Pmh6@-JrsHM~}vFu*G+D95`
z)}!TlB4S>Ll_Klo)fFOM5CC3(*DEr9A~Kn!#xm;x#P2{=M$)4Wp}^P37J9t_kK^bC
z1oHA2;OLNtZ@!`hM(>QwDT^`6g*xHWhz=)bdbI${9XuoIb?8>G_4vo)o0+_ORjMu4
zW0ggWKp1WT0uW9EO19{^x!vrY9}x(%KQ~%vB;5wwc`#qH_p!UP7jOivRr8+`avmal
zk0Ze~&}CE>Xdf-o&(=hXSu&k5X6aue4`35}`Sin}ZiSujne*)5J|<nSmY!6zo2Xf0
zy_4d@2y90vvYAHa9-Z`%gI?o05Mv=uEjrHcbWwb7%0KjG?B%7!P^bd3M2`;_#4j$~
zbJh3U(Kw$W8$uZh7_v&=WpDokp&9nY+he#APF-cJ9BkjwBA>|*1!Y8am(GCtP6p(s
z>}^8PO&_r}huXW=1oJ0KGA^zs0(@v=7OEo_+=p@f(+<OC0jNn4-rUeRi#KOBuePao
z>$#3IQw$2?cv!axE;8SY$?PH876@*NJN5K7F;DadLuIT-8jTRVqJ85cKL~!M6tEJy
z5Zpt8y7h_<^;M3C-IxFoBSf0r@ds8MfI-UC3y!BV)bfDUw>-+2Zqqdl!CQmz`b9xI
zbv4wy_3BGA%IQ&{zchyp&z)s7#NE_DD$8Y#M?aXT$PA<LWDlGg7CHP@f?m~ys+e+O
z`4n{arrlJ_%k9}Je0{|-lG3^HBc2#VQ9}@JdL+@MTXA%oOSqQ|1(?XF4NFPXu8O4G
zrg*a}SXgjyll^$+hU;4HGnT<-lVRe|&)j~>vtrG!11!xxR^i>5q1;?2*`qS_B0Z52
ziQ?2&-N??XQ<$1=frpO0toOhw2XbWg?8Al6?Xc|LH8V}z^-G(@rC655)u8n)z{E-{
z_=L%D5tGB0Xet5Ygyq&+C7#<PL3+Yeo8fxkyyrWUWG6Z9y@xsuhLp`zn?5b)E>1i_
zE%Z190HY^tiuWess_j>GgE*q4&FK$M;~HWw4;@cO^?29cdR2dC`h`KA$1l_g3sGy_
zXZ)*%a~F>by1W=flsQ$qPw@5=GxDtUhKH_4Jg?s_CuVZU^`nEF8fKVRo8e>6O`+77
zSY3cIiGkYlsR1UNCRKVQ!9T;BN;$N2zH}^%0JHYn-N~-0jIG|A+*z)Ji*qBJ^u2^0
z<1xOw#L90+hH#T<8n;T%NFB&F(za3!vwXVJR6?jy?eXhDwD6(O7<SOtg1UXhUka7g
zG+n}6R(jjro*K!4;v|Q<JYSzi7#MiD$_pYpui$34J5I>}x68u?<v<l_*M;%uwz~CD
zMdQSh5IW!OLC69FkL7BhJ~631+8yNs8sGhBXQ;M3Qgd+6h2Q(wqrlOf*9AS*8cd9x
z>(Y1*U6=Mo+~~*b7w_W|O1lEpwC6ek*li+0V@pI!Vptc6@7?XQcw8#f8bmLBA8oi#
z#+bc#l`z9($cOu;gKDcf9hD&Qj~|INj(wK*u+zk7pL0!wU<D2#n_qZ5kU`nreNR`8
zt9a{4kDd<&_r1!(>YJi+SkIA+K7TWikoNLM&35Q_vNnge)(uKj8>bq?aR)yioT0#K
z5!A$`zV)fHZv1?X$z~qz@oBBMmduOZsvMRSf}$uM@sOn}xjYgVO*&2)qr9Xj%mi_Q
zW9S#{Ur(<x&Og}k0^Fo=(o$hFJoPnfQw)u&p$exjM*VO)yDqs|<Zzb4`9pRl?846K
zjk+9E;qle5K(3hO<*D@r{ClH1ZDqwRy4lkkm?wm|EAln=?UN!iFPN4qK`&O<@Qdq9
zjmWzE9fdxO^|4LV;WhOaEHwU1yYYN)tBv+GCHiJxVJ^uAL1Uz@$L!8|o?HU+D>c#$
z&R4JnkB^TIIzeze^m-OvC3^kJ#?q*d@a3N$q%jy!f(yJRt*pss4p%Y!Tx4Yo_;5Jc
zJX#Y(F8=cZ%thbrXRE~*O!RENS3VKg-D;oO5Q_?ZI?wZX*Jg*({)hKngL4l>*8`I<
z5<?x88={h3j9s~~H-dfDuE>i2V7=&Nk7qR9^hDO_2fwRYbK?a6X8AH?0mWa<MpxSU
z4&w2prAlY*sd<_Gvn~fSG`4Hv>@6GZNBN>Whzo%vz;8*=nP&8}XQ$w6!Siw;ZP<`+
z*gE&&ty{?yC}tZu`mN3$qm7%FYI+21hEwdWQk1ue<41`n_GA5;$Eqfp;;c6NM7bk&
z#w$mlFwg^s(EfUTSOj*k&9p9gVhX*)rcZ+vJL<<p4_*IL9O-t2*%;fSduA_;OlwNJ
z4oNZ{c8HaUc&tt}9zh9_6I*KZgkWFLiyvEX$8f@RI_p-_&)XQGZx-)TWbL?!`_MIX
zc67_SJ-eW(@#X}df=A+YpuEJjCi0IOJgCQC8k_`Vjp?k)3U}3Wbjqx<vTT)y@)9dl
z<vb)Cj>x!Un#tu4m5t{jkG=h0UOt6(V=zo0CZPzLcJa8`e2Qjb(rs8m#xUU2q|WAJ
z60PO=_BY*n%y?v+nO@{LsoX>iZiSMK6&5{GXV<DP#yiJ`tq8kC&bHjGbT@k5(AO(E
z<RnTEjG>9UNQ?DBP`ifhyr5f+I)3We%3n)92{igaPb0467W&o`dy%5KLz}{`G!>m+
zpm!o}8jvf!p07LhuKr;CS|gu9|0z!r-CP%+J8XCJ6Rk;T0$*XE(0=--SF(hTT=Z*l
z@jY?Xyol)Bo?v)=$GZ8RS0m^kCTY3b9sBW@ZZCGCp?&YhKC%<iH)k}LgX&%^$@4Uv
zu&s~m8HuklYE`)gc6iN`UPDE0UX79HYVj9pc;|aA_Kv0TtF=s()P8o>Lt}pFRpOwu
z-51QdCIu`gGhWSVqpvrWm6z@n`jMo{QW%|SAw0kA;XhJ*f|BMIwX_wGB1vNByZaj#
z`pOeEuoCIFW7HEr^hqX{`tbDZr;I9PtlKD?Iq8}E7YP4=U*qQ(6UEPm_zZh6C&K(9
zNcN%((-@nBex1$d)!?PPNDMHTxUowL`7+%x+K^J_<PH-V%hcHxEy-s$u(d2npP6=S
zDGPg9%S)2f+jhnyuvJ0^-EgwDl##5N97NXDG~<WiDL?b}f;RduU=6Z`vlfkel_vc~
zz3>feg?m>RIsRexA|=4%<)dMPFaOdV_kiwr_QLEw^IynLR}Rp++2x?;(Z6%z!8sj!
zf^$)S5qtAhK;y%9;yTKIc>qUAIOpZ~i0Hq7-FFxP<D+YGD}N~zy34q5&Kvy2B!BTb
z(I{YX<LV=e>;KM)?VI9t&wg{N(Gk-(8kY<6a3<r!G_GxW7Z(FcHjIX==!f^GI<g2m
z;@Bt6ItF2#vJP45k&F#2IF$UFO;E^wgR;CAxDzd2Z2-gP_{-zZj+fge9M007@FYLa
zInr9asd+I4usKp7=d?4>h)*2o6iSf3DLCE9s=5EDa3?tW2WD7!bMGnA_!VHxc@M(F
zqCcaqZ4rhl*PPyEJ}9-R`B`SDP*QOEX801Ll8+cu#HG*Q|06n7iGenH62S7`00T19
zz0KM*{}CPRFp*i|oB!r9T;d&KNQxKg{EzvNzX8XbCrSE``3SlKb1hG5?*1Rqkp)xv
zPO6FYzkvv3vMpyg!~P>W&ciY4@^1gbeDuO>Gbkm_{l|Q~V~~)HJcCvq4rxfc8T$>;
zl?(ri-9J1?KsYQJT%-LC07UnS0RyV{Y;rV%xOZnkx6F!JK|#Sz94f<e215}F>9<}b
z_L_fA)Q)`l(iCdEtd7tpq<h3=dets1ep#gvzi)|70-hVw5ASX<5E&id@E8ECTdX%l
z^3*Jac*Xk4`*Q2u)e%_{(Jp#<c#AA;VYEXk#%7OUFs>;2DMI~Wpi#0gGdy-iH=_mZ
z_1QFY<M!`&#whWbby-l6v#ZN{=nXx6H48l2ZP{Q7dJtM(0v=gmZFK>^KqR+;*b+bq
zK*rMPw_j(^0KF;yVBs^@TxV=7zygY`p*&p{jcoM@QTOliz<s;}yu|0SswF8#F)k@A
zV)z4Ri0DpvwdfZA5)gEeusCjlj+X|Maj{7oK{Twss}J^nSRz^|iHV4T-JexI^8)5E
zV6+4ZMk__^KKA_*ka7xjFnxI}dzmz70s^XiRDxDVN;)B}Vl%vToNcvoI$d`$&W!S^
zO<eqU;YU9*OYO#WfDU0_`26}MfT7Mv=9^=tOHS)EEiY)c0~#c0h&WkpCx!#5*xBHF
zN@E{1UbcwukjHO=!u0w(ep@35XH5}Y+f2WywN2Qk%{VD{3|cKP>y8q{<8Gs!Euh*q
z48W${3r`u-E-^#PYKvmuA~t$=AHYr|z4Yk|eD{OiDJSb^Yv!?o6D!)XFTEY8pm*R<
z@;fBv5m5zNN?Dt70sI?tyvoC_-@hpcoB<$DgWxTRcQTAltHUa+if<*8OyNZ`iTFA_
zBcSWu;Z}VY1aw+Y)-cduBGiF1hTvPWT0W)5`f)OWsAujxxBk5~8d0}9q14wdIW!GS
z@2-tnEuZdV0fae_F;I@!UE1bP-D;zA>nzc)eZ=Rweox@}_Wnu%hwkK~6)q5fUkK*}
zt#TXG-P0+xpx2SO@$L?p)bD^rM@9dv?>2^aaItCUnPxw6V-y9QJ`tS|yGAw>u(5(-
zaUG59)VV)?{j5J(lR4WbglpM*m~jpKJAIY;)T*^}Xcqn9_{hk&>AoPgaDu^!KW5*m
zI{4OyniA7aGG;{~RT8uAuHPZ}7VNxRJe3EuSQPXPR*7iROSsM0C>#&P)-c+FL%Gk1
z!l|<Sh+I#hG7L^8MO@+lwzt49vbGKW+Fs}cc5y(!-W|ZBws0G)0I=D#zfBL}3Gw$t
z3GL2MPRNlwbC~Nm|AzG$$};A6j6Y$Nko+!AHg>>`nVaOBx&{PNnqi}#D)_Fl4C?C;
ztun94*Sif?adZjWp(@x+vQ(vHU_x*3=mltqSr6u_<d``0=q5S*c=C|5!zV>j*uktt
zOe&1#`aAEFV?MC6I8!|nKgS%A(#3~FyD4u}B-NwH6Yqr?JNy1jl?T8dT@Ze7e{A3r
z!TF|aD$a!gZr2ijCEu@8BG&^{D23Lnl1X;cB-;7(-k}Q%WFY|J#bC(E`!Rp~;i%-p
z$m}>?lS_pT_X&YeH=N09@%%bE?gm=(BJbY-l_b%`d2qB|y@ARRq>xfhfhq_~ZpdvO
zPo>y#R(8iL$}Qh~@iETB->d!vmnoP|A@=g?M`z!AYf-#FsggSEa4S&zoBxT_Sj^!(
zeyGWrt;cNmOj98~89jt+W6xtN_3AuEbjfP|2n$3QnET-<j1UEq7d~W+T9z*Xsx@be
zTHiz#6fp!-68dh=OIOixEx2Bjfxdsjo+!NgrVr6ot(ch4BZMquG+~_149SGI)Oxz*
zNm3}DG1<o4Ku*y_J7mH_hj|z49AmzW+bv{hnx%m_a+BW-%`4k*n7v2A|9bwn2+{?D
z#<P+1)ahxuZeWLJU9FoU#Q$z^2W8mc*U6KV?qGqTha^8;p}W<*48qY{MTnl+d)k%b
zxOakw^KMuWLM`zY5jvt`%&z|vI$Gg|ZN`MIg#67UBu^lMy)7+G-l=g~icA!7?)Wn7
zdjn7I!t_V}!mqsNe<wBxIyegJ4cRG6eUGghjRk!OVH1;^r&nFR`nBw4ny|x^PX}Ya
z_$BkpvmYZEvxB!6zUUVB2|N(`?!@Ka_9u-^!=fb-D_80K1+k0|=*gv#l8hSgD#fe{
zJ>Jbt+w+yV8XEzTADo=e?th9G2+s|^GX1gdW8$?xColpkpTwm(f*a%J-OeaB#)8`2
zcuw8&TM$0XD2hPz7GQ8(`zkPd4`jdlz`6CND_s=!+%I)n?pHAToM?G3`KoPv6uX8Z
z#Dq(bI${yx)VkVrBL-L(1>jxNJbr!WGik+lreWl$dN3E+lPY%;?jy~j=dG*=I4_vK
zR@ieRu297n#IM01+YYo()MY&#voA@u!$n|mj5Ywbs`@d|iNyUM?j{*{?nL+J>E3-X
z-^B)Q%a_kcS)PBGCbD;-eDWah&-!72iDmE;E`D+g*hx^q8C}PnV-f!%B9<SRVl*RJ
zXl^!4Tr-tJq$f=Lm=*N0T91RZisDB*R@#*gZ|>E&sUS@7S;{MS#8`;%pi)&EidcuO
z50||#Qs-H{I##7tw>N_)Nu_K`_o?dP!aE4?y>Fy(%IXapv6hAkk`FgO5GsmF_(*)C
zn}FE_nd1hSeO3j&K$2v;mh3izHYJ>4B;=|T9m!hx%=KqY+=o>z^Yme}Vx#{fNJUmr
zr=HCC9s~2584(~6LcwbsV5t5UOg&cbrV%&Hgqg_wk3<S!AXU%P(b(Tz<DgLL!8H94
z#tf{7YK|t?NVRK0-8Yv5g!xZ*m^$$johC1KUeOd#RedK<{Oi|3@*F~s8si#gNcdts
zINWora9?^!BnjHLI#u`rNCzxXz=T7BTVh>~KYtAhko@H*SBf@~z;KR3^A_D=xy^`i
zf5PwOWXOWGw0a-k7M+A4D>oIO1J-Ls{#!2$OQ)gozWVu<E05<imju&dIIoE;!lP3`
zo>Ia#vXTu1F(W7Iq9;E6Tj{T*mWVjC-@Ufm{ET$D(Xvh}Pe;HR_u@3Ue?$nlCO_8x
zoXA;T>f8lSUG~zYhe>f>O&^~TXs)e-)D%o5tjbbxM7D-CT@Ju=>1$ce73;xUz;C6<
zB(H^J_`<SBON037*x#?UzuzNA3$6)|x9L}Sbo{=6Z#;SumHj+W*l+h#W8Db-xyijF
z^d??o5L&Zs@e9-&A#4}z-QCzvP0kc8w^H%U_}TAdlFL52YCn<N+?=hEgGdpw>dNj?
zagBGIsSGoO^M2`wu1n+laRu}P`Ng!!xI9_!Evgyq%z#M}WCZmc@0eSD`s|w!%V2~c
z#UY}R+B0OwCVUIEkpjT>=!eU|9Q0rLeE4fSIxO%r9wS|xj&J1_86@X7b<VR1SDQb<
zmWnQD1*>W;v)YhoH0FX%P(u4lmK+rdp-Qj<-a&HTXY-CI1*IiJb(GiT(Q@0Dz$3bS
zDgkCATZ}^3@Aam+`@(D2cfh@htp&H?I*>i3{RAZ?7dJXgjwY8Ba*8LCQ!=>x%2ABC
zo1{RcFgI9H1O<YW2Vq04KM0*}%o7}@As~Vf>Yk5j1nm;V=3MZSBS9+a{J(SQn61aQ
zg0iXMJ`SOx(5I$ycnPW@&k;vl(xYWIjnkSFh;C)okE*+*wd6m=rW_nVr;N*e>l31y
zeII-HB`a(sUFK_>6=QI`<h$Pq&PNZIN!UZFX|$!6Zj}P8COSLBH@A-^)ngSt$kXZX
zlXzGZo};Xjz~54UzpOmU39RQrA$^XiObe3)J;d6?Y`Svs6tWM8A$~v8)A4f&mq4K#
zz^i2cyIrE;G6a^@UXoHqJKP5MxIfvdffD3W>l%s#R1Jv_h2?PJn<1eZ`QP<Ycs!&5
zt4pHNSeV2<6pc6A{x)6wr}fgE$K;X)0V{Gjo?5xV8|B4>k3?lda#$BGmguj<B`9O1
zV2mrk@ur>qKkuxW$ye(fBSx*=xX6z56JGRdS-_>u%$UcO`uDDKaGXbD6|u`+zE?@-
zW=ZDd5b^t7SEXRx|30r8%2*>9338xE(IMRiPzki0dq@dsnP?Ioa;Dl-yPAin!Fs4D
z{!$E;mJz?#N+z(a(2*d#bIRXH;sYm=`{)d@5{uCk)TEc#F}>48KtH$f$H}n-e?9{e
zIqM@66BBJNj#}U%lWGAE6_2W5nqu*V?cMo(uCq2YoT<THb6?>_4^mPzh{M^o!bnXb
zd?Zt3o{=EI7|azf97F%+szyMH=ulcU7FNt#-glyyEM`l-!h9LgLkc6y?YcsY3xiS|
zC801Ffz%dky__tU(RZSnO-qVZVNit*2C)}8`Rd@C&37LcUxmRQ<Z$YBPJz$JptgUp
z2n-S<Y0>c;CyzebLWQJY$D|gyL%Kwmn<j-=cNQwlpvb7GsDK<nj^9N`BNP|t7`ncf
zK6scxB&Yu{0M_vB+%039zkC3lFAo$B=u_%u3cr^J@}@&zp$X^*|JQm$bQ)&K$fx7?
z^uiT=P`U8XMXfK2{?-~ks3r+0N$~HyV*Z^m0OR=xz%hevyjTAXNKn9D4ZvhC`GZ~n
z6BhyqY^LOHz4Xs1fO`s{E{}w13_R<f&mbJ5HQO@$-+&P^S*J6*BH_)@punBOlyUoY
zaUgFgz~crESo8&MZV{+eNxFY%w-sWu%xQdzl+P7b1B$R1#=I0`IN9p*8DBz?ESv^5
z>JlavmQJWt)S{{JSfBxf3%W?2W2;#*qM1bDh5|OQP(<7)s4LijB-R8w**>n9vlgxW
zXt@#qRVt(=c=zE0mESwS$w;!IW;QD~|B@7PLD!NMFcO?XW&<<VdyME~f?xrXo;;DV
z1Q6AgP`vZ(Om+FzMDuP))j-TB`w;~D`#;ymMV=RpSJ)>*tA#R{n7D)=d<zGkR<>IR
zr9dRuqi_EDK4;n*d_nfmd1X)mJkU(gs?nRP&A-(B#vkdE2`7|wy%S16anvY)idws@
z45pC(FJM<$*Z!&-M_YpD`kotm@`3_g4{#bxj|dHqOrA;rZXJj^ldkc@93*6;GFmJn
zplGs1anY`rsYD=9#2y{|#FLQ$H{QS^zK0;srz^nt3(P%)CJCh137=X-9rhRtQjY=S
zP}$kLGzP5q^?9_fzbKv7?L;B^ft<UszNc`qe}F2e#()$<F-g}Si_BT>H0TOXtV#=;
zi4hsTIfGa*G&H*cQ8ow!Ci^78DBmE68B8`cTK~&`De6ujz)L(?txaD-bjND}>lnkR
z7PW?R#IlOzcH`^-fx+APR31vOG^>H^-U@qzS5Pe?t_gPaOuCP>n1l-=&dY8cy+ZX?
z1MFe$O?600SBV2V>&G}=6VwcSe<N}?eJ&Pa6c^5DG*}SbP{_34qrFBXZ;r!g0U^=H
z9_z;Qa}j{7MQ(J(3*_`UvJ!w9G&5a{=ZW88Et*(Qe`}^?U>$4$bKv{KV!8L*QJZeZ
z<EdI|q2j4y3+Zdt$wsW<3fiwi6zujaz&mK93Lz%-;+?#TiAY%baV2Nm3`VE&sO)!_
z`~+w{sj|7!Yo{FWz3ESr1R=hhq6xp!WR%n`jAIJm63U`Dn(?qua?qcWs97!%BoXBS
zzK*PP3!V_Qst2YDFXzSm%b-t7y-)h%&1>%-b&}q$E);+Q5o!2pR;aKW??0yuZj2~{
z=k@2e%={}J)Qq_P`fjRGGe29vb=)fbnoaRAt;NlSrGf2Ybp_EHqb~(R_uCtIWt8Sk
z0cb2o%tp-Q$gSBnj*|%R8f5kaLt<}-h-(UkY_<!LWE?|0zj^2bo7W(QB9*M(cFY2l
z9|Nb{HzsO<EFlxH4OlwA%GgjuKC~%D5&*Kll-Kbu^RkWowuG}29b0C}))%IQ2Hyts
z2~MYUiZUudOo}YkCPOz1WA4c}^tiw#Q!O-<%u-2x+FxK`@RX1?Uvs*l-ULdTj*)X-
zYy#GU>N0c;z=JWwU2bAehQBihcq<pVl!f-2gvm@Lx>KlxN{ngWfFr)Q-rM^E)Dt4D
z*L0`8Enjvk`MoM0-n}jKStTmKpM5*{iZ4@O5>tp%J2B_~M$)L8rYc+VKAvo)dCxV3
zwLa$<tdo5mQ(M>t18N5>-8t~sDthv^ey&V7-Sjbhm(9o^r08^7RTD9Z3l<5TZvZ`p
zcuc-tb*rtXuqsJ~QUcNWR62zqGc#rg#}XLa?jO`uMRB+kH}xrCAuuBgp<kzTfDDzc
zoV@<yF*k+C0t?S+iXt~~g|u_~h<#g2#(ax90&&Io8Aj|;tEzR6rY_OqKo0p)giR00
zGuwb`v?NNXI;J;|$X|SZsY`+@h#49lkifIe0+HJnm!vy14|vB=!z|9{C_f}eiAvA^
zj^O2VDJ{5@V^%NbQ;5kBj~A+S5eemnasZ88Y|ekZkJL2hb%K8*Z^(PR#vf$gD8wLN
zm2E}+{wgheb=MM4hlC0O>C_&t0FqE-LNHq7`@2h~{*UApL6>4cO8cx>>ohtb0jiuz
zG`}~J=5SB>Mn#>Qwu<NRF^y4SY#>j)arQbMl6HI>&;ioHZjVQFregR^c~IHvSq#vE
zggAfb<7|u>xa8!)LubMC`<hQNyfBhzAM-TWbL&C>q=?HZE4UqkZs7zOvz=p73Hb8%
zAM_^mg`NRL#M&??L&SWJDd`c`mwya>6j~yRQ>Rp3n|R}GfFD!G>yVbe|KuZxwMnah
zQjwCJ$s^yS{F^w3eIyuyNY0R4bh;A%FD=&LHdnJw7aJH{_Zj+oO}aBE!~la-(GXRx
zMeCQ_XlsMb0_h<w20KlLb&&_Wna(`9(LYDb#7ICG$KH6_4xWf?kzFW|!I&_hzF_hT
zg{{C@L1T-&UBCmnSl~k-@eqCDM#}VqeyhJ%^q*3|M8pe=i&*-T-yiY?{x1rJ!IsR^
zg@1RY_%BC4S6%91i}7O;8PjG*o~)V57xFI~%S|DjnU~N^sBrss421u-dwQ#O4r^b_
zX05P8#B12(58pHk{mK5%8-QM&12uiwpE-kw3BL0Z{9!Ne;Gz?+KfW4J)gr42E4}A-
zDbxl&kQ(UhCu&r4wRm?BQEH0Z66s+@C;;F+6+nG|2M(f0Mmd64BF@<!I|FwS&t>~7
z{tUWf0C)oh=u|$W!ItC-lGwnbfY%&K@UZ|oa;(~||0dsM60c`&-6@i)l@3PjV7-EL
zcgJOQczQej^IiM#k>#vg@3g^127L`Tz^cOt{K89UmHG$)U*k2e4(hZBQkv*}D9RA6
z9Z3COtaDeQu$uYBpSouvEA5Rn!;z<HlExsM1``Q7{lR9TY=huq++ZZxrc)z)0AhLq
zI3|m9?WD?uX%db=vQX$tR~qoAJ^(E+9GL2M=<}o_=hjzWqP${}a>yEUS&tpz57eZI
zPT!2-R3Y34kE1-|Dgw7$wvGMJ7%|W28DdP`@o4w|mA?(Gp*D#=yZ-%3GF~YSlBJDT
z{$}a;lHe6jxMe$i&EKv~shcS<(~(@dS9c%}%c9Lb#WRDqn(xeVUq%=u+eoEjD&oLI
zhk(nc^Dm^ovn778%HL?w`GUKSwes}VA5x$g(r}}7Zy^4KxA_`>83lMcH7^b~e>T}$
zAS^IKBa2EZIV;t!+j}#Lh2m7(8zV^_&AKWakkK=*VaduZ_h-#Usx5zzScwqHXcm%|
zjHFoW()mrn$>SP!V5>1*b6r>WVx&lG==T#o2YfZP6csQ?9UcnQv?5OO;RI^p^LGI9
zw?}itA`AhLC+WM6!Cydv1SNt|wLt&+t81?Lxq8)_A)$uZ3*dlK9dWBRyWCb&V7sGv
zDP8$F8JE@VOQs!Bjv`lS4Mk2j>L&RPTU}<P`S~k-(9K3;@Y(M-ErU^aagXb~J*L=s
zTyV&RpS^fh=the=fvg&xEFDi5CL<lv=JjarZnk>6Wi(o*ac#6BnxCsfSwSHJ`p8)w
zd-HS!1;!s7?K_($R9j=8Imbh8x@xUUFC-d`P%9bnZyT@NhD^w;6o2ATQ18B-9{*md
z^(*}VaK!k#>V(7DYkc@hKGcANBp6GcBb$%tEEa(B=-S6W*%vfL3wg6$E_43+=LPuw
z`Pv393gvMXOqkqID#burXT!O>=Xbw7@&-Z($QmF<9{IpP@xyCClyd_ar+GW=Be~<W
z%!@3_)yLKIImZ(n0VlW~hEv?9bYr;<>~OhouiP^F^on0jxExMvFhDxz-q{zM2Su~`
z>ZVwv3>s|Ty}h|CzXNj|hO87%nP1?QfDf=3FN0Ajao>>g^bnZYGd&cNJiaUZn(`;?
zzk;t>oNG|856$Up*mz`7V0Xgxvas9RobIi9Xg;U@+yoah(Vvucw^nak!`a@{xP^$y
z%!osCx4}FeRxkU_pf}LTnK>Z6`3$J15Z)(qT*?OJGi}@ZKR39c>fJVdG<Hw<!D4%U
zWtQslbHnv5pyr_K;A20z`%@Grk)c5`#tW5HMY{01=azmbH>QAhdOS`3rtJ>BA(}xI
zyEC{7rH@ED|9Ra>cmVuRuvSX{!(~KVSocgxxxRD8A`1n`XHbuy(3c|ie4V7Oe>AT=
z9R>ttObHW`{}5g`f&;mf=l|L2nScO46N!<+i~gHq!X+#q<p#vCJp50)#Pxv$iqRbx
z@cUZG<w^lKN_D=h`cHO5A(#)t;?^G>23aOLSRTAO7Vdn4zY~Wg*0a5mpS<ISj`u~e
z6{rL*<^29;BheJ$3bu5Zr9X26TY@2)@1JTMF3}B_@RR+Bk38P*j~{sPNjN3b|D+-$
zl_Ts$H|{IU|L(jHIR><bKS=`qFA1h~G$lPheEZJ_7kUB|3Q@2Asp#@_2<n$)ynp(?
zWBx<Re`ItJC=t2WBB1NvjmXn!!7+^__y6hWbiOGtWvGzw3y{qId{8&x7%jhBkRFN1
z5R+LXn310_+nYgWfuT4YzH3dYbIu&~V6KB1Y=KG|IhT~;Kl)&v>i-3{XSCPu_;?2F
znVA(4zV;}#mumY!W8Hl4pg32*Rzzc@$l)#M-AF1gNC(UI5VB?q92uOqAo@H%0eQ)j
zOc=x*$$G@12<f2J<ZxxEpc5L_SOK_gQv{L&-2^MD`R2`H8eS#C`L0(F_BM@nmLMEo
zvFL6PngD@)?|nXpI9PZXscGi_OR+1gyd?mBa_{OwMrEsgv=dn|@u<_fMqUs4Eeklc
zi)G*^D3(j)OG%p->pTybfaRr`HSda3Ndljx`}7lX(bj2fk|2aX+UkwWmAggS@B!eK
z@$ySZ4vqfuw0|YvXu&oJV2MZzAyl_Wt{zkg&hw(!T_4wlT|^JFsj&r{mI;XM7{Cok
zhgt9*D4Q=q>yrmQ{vB*fgzdg?%_a9yrty88xkaBI+I!LxBkSLtgsAu|y6M=!_Vw*c
zvH_^Ftk55R#}bHLM&OTQz%$Ioo4zezk92TAH5&tbb~|9vbE$$8Zqgv0b0Q%F8UWNL
zJb&tC>6B%|4`4{>dmlM7{<>@6$qYC=8fN{BkW!+MieZ?>CE2G8SeOHKo{xV)Op3Zr
zfqCKjqf)Sot3e)M2MkOelqr6+r2M_W`{*VT6@h@)&~_`vA*W{@g5DXVrM60F{iVbh
zu{^n}fbkP~x(*cRRPSVky37o9-hg#<UTt|gAke%L3)KWxiGFngM1&4xO+O1Aa@-I_
zH3>VB%pWgc{VmqOE253&@h$XIfV>JYW!RIeTitr#kVOPt7@NDSJBy(4G!U+5E`I@^
zKo&7JE}3Wz4gpoB7?BvHdQx28AcCL^u0}9r>;|4^`zWD%RRzle{z=h6!e$K++x4!E
zx&u4+{iTe7(la)XK)W!7xXA9cJ^u+1KWFy%p(&QiJlDNS2T7$io5?!8XVH&0YVRtI
z8^vcCw>($ml(M0MWXt=&{0sjVQAQ9iqQRxf?ieJ5&qP#!1iAvQ&PO+%U^L^_EmfcX
zAH<IngdJQsb&8fG>YDW+=Z?cqb+Ysz9@|0?724r9Iq)y=$@FF@7s!$!YJ}Tn!5^@n
z(v17PaZ&!Yh_k4vWuifuRdk!E(Ik-61O6_cbATOz!k1!;#qiwBsC|7j4vkv_n+VMm
zt`6%oMXF#Sbt*j$A&vT53_lD8^iB;tdH)Zz(9#qkDfQ4OnQ4m0<`X6OT@$7A)W<jK
zRwb{iL2GB)9GWDE1q&qWjKTYQZxu0&oBJx}8E!n!3=AES@b);{wRJSo)_)2`Oyl>F
zHWj~43U~sIbE3InP;SU_IK}^wByJ@eer=@ch+;DlbNbr$1LyzX2;y%0=5692lDV4x
zI)NdJ&8fQ&8`Mdq;;)?i%74;BOYK0w$O>qCo)?G8<ee0bcidv-M7h}sQLs~r$Iw*R
z^-LCzU<!G<B#3X#4_Auqh#6B_K7tv8K{LJDZz@a$kcDfkXp+C1q|a2QdRAm#2N^E0
z=$`n=;X{F1<Imr~5Z_@SEq*vn>l-bG`@67kYiQE+*v1hIdI{=y))L;HhedUl>9VKZ
zC7TjT#VA&KXn=Q6e9FdA;?`&SxMY&epN`<L2uDhGNI2+iTolSi$w%#Kxg8B9IUZ`2
zLDtW7;6GlWqaNGuR2`W^9TX5T8BHv6U^^`aFYD|Zg8$Ta%{|Ws`%_SGA*BbSVqB}w
z$!S^A|E0UnQ1Tf2;9QYa%zavJJDTk=-Hb<!tvl(yK+XL0-u8F1dh0QXu%jZJo&MCT
zzA+!1m<(MZnz`81e>Jzp+G3E!xR7IB7;geql~uGNaCAtYFQ3PrL)jUeV`^xfSLZOE
zviBWe#3dp|T;?1ag&jBqMOxIe9Kb9X&!PV>UEa^trSfzXnwCl^NarjCTD#gM??K!X
z+(+QTpQ~C(QllNJso`}Dxwu#)zMGOn6bSp{3!>W>3x-+?TlKU0wjDrTn5~S-)nUSo
zJBSqIjl?+7^h>MN!b}Ca0ew8rH)VsDq3tmvJXYx_z5agXvOpR3!d-9ws)GH5r(5!L
z@yK>l+ULAxhIS)m<kiih;6KdDNK)O{_BoLg#o;V^x>>>?JM#)>g{&S@@JxlRb_ox0
zgB5;m`m^#=)^XY7{3FKgmnRGlyib05^O}@sNN+8>?X5MmJ@G}&yvDdY()<{&#EYJ#
z5Twau_hk)AF~(LmRBj#8tdgq#0<0l7#-BP+`e?{$o|^C)EiqTlX{Sg=y+y1;R*TvW
zxg<XPmo#6wU8Gk)(MD?7*2@&>9)vR~dTM_e1_~-+*j{>&t_ig{fqUqeub)IYJ);da
zgx`7uz!V!zP4+R=rghCZ=IQjVL%^#f&!9|TD7(5ssfu-unZBjH3u+LOL>TmQ#n2QN
zg2Bcu6Dy>sK<bn$XgdYO3&o7-XTpaJ@&NSZZJfG{Mk)HdWxDg=*6&Wc6Cm=Nk|eO`
z8B%U21QnYg<UUjQ9XJ6=c9r&s1E~)yc(Bl}yj{P$AZJ41dSe1?9OrDYh?sv1FA`Y)
zZ!Gwq0_A`7p1-9N9X?#42}6KVTmQY20wlNdA#ZIpE(s533tQkLv#<vRPP4sw#IwDb
z7u;vO-XAB}*A=N70;)CzzZLr@NPX%wkVIS(<lvWw5D!&WK5)~wk%r`Dk4$9*yFvrp
ziomGDLqN2F#;C#kWR@hirX1V9LKD#=*dlMtDIG$gS3DZ}+7uwBBF))lQC|R5bF~<N
z`rnmweN;7G{zfP&@bP+;9Q-EL>JRXhg-YZ)uMYF7YM2WDsnJf5rp(m*LW>>-sKJA4
zcE4H|+l=rDyR60;jYHAVFZc^G;)R7D^3uQ#e*;X}3+*MZgde6mdP2TJ`ecyq3a5<;
zJ+R+c-g^vPmUDoH5YGDIg2x)C-g|ZM&agrAR0RBV1_;S|s9i&u(`^W#9zuQ)NqqvO
z$26$jA_c591^8wyzsbhZq6wgUiiOm5AsHx5dE^%Y)+#1rAOu;fRsJdDgNS^ch}i>M
z_9P7fghCdgty;;i{uUue69L^i24HZT=4Woc2|odF9}ED!nJSFTMB$6jD-;DkkfM)p
zI!I~p1dqJqrLtJocYle-%ri1AkkGSaPuHAB_4ro)Kh(W>IMjdpH_SAav5rwuqQTgg
z$WmFyzGlr96{2s6P?jOvNTTdZDN9*eM4}``HKG*SktoKRJ(N<!bG|2C*LDBy-~BxI
z@f^<|_j4Rw-{ZI@rdd9p_j#VL?F5Za`YDlc)9m!TJb6eoIvYMe{v3V*%R3LVVOa#&
zTlP|8^zPv;!Bc1BIfMpwIEKw2>_BV1fEka{0G!w;_A6|>^ePesiA=o}cnETh1WUiM
zx!6w!fTSf7W}~v;&9meRze8{p*%`4pEM@bS{qHJ4AEwqqZC|MAy>r+JNzCX}f@w@n
z!$DRZJS&QUu~*+5F+)XafL?HR&j;QgJ!-Sc^j`)q*3sDkBMBXjwbDco3vTm#d|+We
zB0iukk$?i~Fsr1En%#B0u?GQ1G2Zw--}D&mAa|1~9JF45ELV)wYCo;E0$InWy|)L=
zk~|xvaKD*ju}d)hyPMb_0-~6VK~7e)!Tr0Kc$*0l=7Q@zu=^WgS>_laK5d#jry3)2
zd~~6|eR>bN%9b0hca!!{(hD^}h!*zkjS0&;-CoR<?exA_nL@bo*^SBWH$Skl^9h6U
zL=Lq<u`KrDBQb|a)}k4kARI#>z}@JR($N#)Kly=wmjvo%PU`xNflI%Y#~nejihwyS
zFzMIaN_`6VB1xTjWtx`wLVEH}vt0*x=1g^d4)HgzQ<vSJv;rFC@bj0)q3>&yHE(%(
ziKV>;A5+8W^+`|NhZ^l;A_Z+f)Q8<hZ4(R;m#-vhJ$e6G*&$|3<QQ#jVjcbv&zAa`
z*p2ggdw_5scv(`baVlMSfxF=@yZ$5);DHXhj`1+uA(?R3rQb7^&`n(7X-h#USvJ^_
z&7kEZ!L{W0veX$DD@s{71IYZlN)aIZ#TpDg`Os{1^6a2r{h~YuBS=R(pYa|g*;u}l
z02e$5wW8LQhLccGWt%_1eNx7^aUmPN?k9d1Opj9FsvLsYr?p)y>7n2)9pwM=<yaUh
zZ(xO7pJe=(JV!4}LTQfal<oVNF`@0HkMD{?lo_O{tyS~H*fM>#E5H5*!SOAk$Dok?
z%IfQZX75_5XjZ=rt)D+?J!<8_SK*q-kyJj}`=H035G?Yt27<C2?O8yXx2x}^_D)`-
zj5Sx}mGoajnuH9*47_9Gc`_?f5H_-*;jKS|Hm&3YDE|YFrs#OGD+NHnQU@Zq(YOL%
zwkf`0Z?f3;*mUESclA5pN$l=<>KZwC`Q}sCx=Nh_TtHltiqKwBYOO>XOi(dbehjQ<
zmxD1JkLVd&f6PX_KQ`iLN0V!$%VtzV*jZpOx3TdOA<gW=;Kd{6wdxoQyR#JS#~+6@
z{VY?HDV#@MAXGeZ^D6_HPK)^mTFTkBcqdbuKW29lW%t|3P~#*9-;YCDF+HJz4jy6V
z+k%PN=aN0Lxi`6PKy~8Z(g8_aQ;{I^!6ik$sQn3lY5CYDMFl-gPdJND^Tj-!7#xcb
zI<_Z;HIwWHH&f!oi1+YgBjVX7&)_mbZT?#r*aG@J9-;%={XF3M-d>hzqu3d_2Irk?
z*gBnOH|XW|zmEcVeUF48V3m1zUFn?B$n1G3s<Rl)`_U>%0j#F@!myhbU7Kae?sh&V
zN@)hrz%-PRw$B&B<m&U=iWShmL0n6k!~&E-Eh!=0ECmJd)O>i!7X6s|U*lzVK;f7Q
zykO|LX<Oj4j`Hv%5f(O6;oNiynf^Ey+;RYr+Z79%_8*YoB6ieZfS*r1Ek*@l_bo^@
z16A`|V}Nm^IOCf^W^&qSj#4@f$N_2*DP5Ck!V130qwwsaCM{h2Cz*^uUZ*+%JUSi+
z4<bS3z*%_kqq+j)J4eDAKGv551F7)f(jA$@hVYYN=qLYqNf=Cvami}(n0J<7{A-$U
z9aM@RU{2I0pUHq5Tf#is#hURq8{lu!3cZX;M2zh%D2GLVK#odNsOMrz#!}4tutf8}
znvVYiX!`&A1|{3&k02aQL1$16dL|3(Uu8qUzfXmaT<}u2aw{+eW_ETNvnc3im8_pS
zSdqEYBxRFr$VJ`g-Z8CJo5lc2b6Bdr{OSU97Ov1vl<NSSZ}%^5{^FtH4We+&!(m83
zld<Xx_YZ$M3=a}OO~$n$ts8m2LqRXK23?>R1bQ6>q2UKeS3_oY03D<N1U(B`NY6lJ
zKMa2846tUJgYcJS7PQ;aV8?fufKJLbRuTm7b`Z}+?Rvxf^S?;cuUVLC{?Ay%OxP3<
z9B)?<gCUTBXUI7z{uk7Mp=6AJ{sJl7Z3B@Q8pc<UcE=xlx7u)2%76?aSKYGqMJ)b2
zcq-jx*?0r6S_`5|2p51J?kvQDwenkQiGtKW9cF$xKBZ$LmODbH^HjmIh|J*M1>~KH
z$S01x^$@&r?XB9u*JQXK5N?$XO8L@KQJA=c$dwR(sej$+rs5hlo?YI6<hBd|=Gk%u
z`VORa9)>&DX4u{5szaIM9C9O0fJ7o2I{SN)pOqP?SqwKSJe9VOy$Qw}Ko)UDXGRpk
zH^7=(fZx_@?FVR>)a;NFxYW6-h_Dg$ThN+VBT2_VG<0#XZ_Wzri?9vg9ze-wJ|$k@
zwnI{PHCgIm_-C`BIc$MD8tV-JkzH~Qe8eW`h{21o_f~9pdOn00L+3wXn-5x}=MY<$
zElsT*e^Y#_#NwP4BKT00i;Tm;5R~V)Fp%^6=;VFg^@1BFV7i7%CZUSY;Y9CaHEN=J
zho<E{_tV&7jv1i_X_hOhZH1KCfpPrfLLh-gEXEfgUsYCEB!IyrsO>yDL)SwcY<F`z
zhYm!D5R&$yKv#$=m4jy1p;$a;{3pa4?o#iqIN$na5ih1uvNP8a`kdkxY1^VWof|cP
zssw59Jkdj8OzrEgT=MKc2DtwRK=Rz%If{+($HGs`t<}n5W4uOW9+H-RYAQ1GN!qoh
z90YPt5AAC5)p<B9PH*6e<_47DKUju^@7xztKwX7%Y#QZ#>!HTG$;UPd5)UqnZ_uJt
zB7ghNDF(mMqtmn&o4JG7XUL29J*dK7irR*sobzA$bl+4}F2miWj_&N+tW{@rKwIGO
zju>#{$=yRq*XzH&)HElfK_W33K$li%y0APIGb~76MN3~>jDoLh#!^JIuQLSph&MP3
zIDBaYpFr`Zoa+q_?;c*>N`2J&N_Ryb5GJG^eAc(J96G$O=-vK}9K2q_5yBIc+3J(2
z_$8{6`N@#|jH9v+^iEY47F}&TNpbW-HL#&dY!ZoH3JjaR_qm<zol<R0K)?R5#T-Nh
zwXkiDxOBw>v3G!_o&yZT9Gb?<AR<P-qYXL{wI~GPMnZ#fgiF8?2;cDO>rsn-b4g3f
zw<?@nN3l}4EROyzmg$Y^KQA|lYwl|{Zra|{a9t+JO3#;($HPzue$%k3b6(4;NpFnF
z-hkQ)gXy-nidcFbrcYoyeSBu7k(bl>IC76q*z5TXUf$y2!|BPbqx;`T2JhvNW>8-4
zDfzRT8=nUQ<v2J0eqUK=QIprn#|Kp-B9-!=Lg^%9LPXPED#pL&A+VpNY5({r4)vSA
zK61TW0=@oBXbFATm+K{#J{rFG-S2azmKb8nrGZ396pL6d9FC!+a_GF_f;r31!ngR)
znpOsr?ko;7xAS4;?!$+nbD>D+FdCQt(1B4%Ov<s|FaFN7aNjc`U(!y41|QT~X2CB~
zr0BXB-9JLLN=`V%>Z-9*2`-o_Nn@ssa=w*s<Nr%*l0lY7tx4*}_`y?b`)~0bQU&de
z0((Gqvcd(bag!L;d7U@~bd?uQO1$|iV%#JOU;gWq95H;E=MY$L5MT@_aA`Zp@2}*%
zbB4FNfIL`zQ?1=6sZ4w8QaV(thG-nQv&RjPs|bdm(#_^vYc~E7%rW!Rvv#7sz!tZl
z(vhB(<t3!$ywe`0oB3NcpyGB0FO}bZA#PE`M!?K%m`Oj2T_VNolid3-;@*1*Kw5ZV
zu6szCLH9410L--<=qV4}PnNW;zT?fk3ZRi!ei^tbA_owH1R%sXRsy=0HK#MMe#aei
zp?&{rPLO0`h6fLNIf7S<=m`*jSo{T+C*ttnD#1wH2oDzN<$FI}2M^ZzSTVYPbMzp#
z;K@?~cyPhTx)Y5AbLiJ!<w-o1VOB67s17e*&p1W0;S_P6-TKu~oXHmCbQuRb4n!ih
z|KFqv-IA#&j`2;I{;zO}|BbT0)dICUj6eS;N)~(g0TMk2uz_lJ{>}@k>C9_buYCof
zL<V%DcQ1lk>GaKsXCwgotj1P@RX{m9zRUY7!!Ni1LePOT_?wyJO@tf(DK_auI70%>
znE1j;&&Ybe9`)JaJ>uuJkJqFh0W`)uts0P*l+C&o#Q_YZOcYXCaPo_%lOy>4m!iUr
z|8GTwvJV^k(;y%cDZM44mzUnc!1)0np8FvX#R5%JSv>@^A;KGg$m3q4uM1;U+5gi3
zQF#d5U*j9!dVD(wvTM8B2X@NruD-Sky_8lQm*ovB(wUyz#WII{E2iuvoMwt`z%$Yu
zu`qATLyHi63&-0FV})iu=P+~JGX}e11uDmn2O_^ux*#*gWZ$EGFbv2?|9W?^1k$vD
zf!YYT;l81&W)XWa68JJuhbMt0im@UB13ClypL_2eHNstdk-M!GhC<Zco4cci2T3UW
zAN{WJ{a9;z8Ct`8h_}X_2GsT$AW>e6-={FH(*U8UJ;;`_7D*ij*2H#r?Bz=+MfYy}
zL$W#o(ag!dMn&@A*h(jY&BxT{zy=cD0|T+z4&oew4zD*agvM!9`}gftdK}9eVQMoC
zE;($md;tbH3Ol56_z#X^%YXDNyY`|8L~+zgrh_3rVZFFU9}0e&(x-nL@34SW?n_NZ
zke-<ROs@bXGR@^ucWRKGY0<3eaGF^FZ#HqK9-c3(+Wzx~WCi17G#CI07!XI=yE|i^
z$jna#>VaLP4Umfz8#c>R^o9gBt+^kPhCv^oFLbH{ej^LsMd_inkyC#xd-lpmh$zlT
z%We6=5F##DuT%Z21=w@{+O>ddPp-xD;02%`#wX+ejW+hq=gc4gh#NlRolc?Q3Is>(
z?WtGi>OYizP3&ARt{NZ~&x>D!YeHICXMeqJYm6<4X>%&{gS&4r4X`llY=SSJu)T3S
z0F0SbY3d1uxt(Tae3q}s@{C3#pQw1{6lzaF?O<cpe-Tq?4=#@nV8MH7<)^GYWFZ|U
z_bNBvip8j($rtR4Oa(^qCz-DLK90>k5A(;uf5;SDs^FR}HV;5alXRh2Hiawp^cAWt
zw<XSFAKUgqFef_THZD{kKS6hmU)ful$9f$V(2it<_J)}xZpeT6sna#AcQWXlQ^~7C
zwvWehO*8)qE0l!G!iL{F3My|DA1$jD0+5G+_$#abIg;CAT@0TwVhe`t=OFsRe*FE-
zEdjC$0COVG)6eTPnRU!%{z}4Y*qjsir<!1%*^Myrjvd>Zbbfq1Hh!X1z?#{LR?uRw
z(K;l&Wy{;occlBj?JRkIyWWOidUW*8(ZaTl17U!cnbY^^LJDH8i}5kfWTr*CZ?0Ue
zp`wPB_gP<7CvN=Ke(v6~px)b}xX2F6_{AzR6r-xw=6`&@OT<ei=G!9&+2oC@grPL|
zsNuL7eE|)$=$L=@{x?cPAw{G#Jj(U$*53MPQu@8)i~qz(>*;zEVcsWS?R550==R~n
zP;d;H;aVI+X2=aP!(aIdzc$@P6bsbq<D74FP!*^olQnBVwbZRIYb-$>MF>Qc&})!G
z0%(E*!@|NyXByp0k`I+`54t=<g7jD~#*?&Z*ZF@)&}<lHsJAj+Fh~Xkk=}hnAezTb
zUSb&4D+nuXtlylm!{{8;x1gW5gBZ`812RJ>?yuva7W#Hct1=`yOQIk%{9^6)RFt_6
z!HR!hVt@e=)Uve~o^lHooOVG{h&FX$ZjdgRdSUwU;=Oxo&OR&WzcG!v2w)4Xeq%yO
z6EESsczeJF&7khbFbm9-D8jjh1U~U0xJ2Go?KimxlaJwXITka+z}tUQ4=cC))fZ+{
z)7OK(@cWcN_1`>0F)OAbFNhbu{?YU_fg>Yfn;Pd|#r<)9kTn`K8R1wGA1q>TtZF@|
z*YF9|(uKrCbCugRe+n+4QkM$9t+;q6I{MN{^xEJLo(}`Z5!zFMR$1h?$iWPORMXRs
zR-!)KIehNj9UEc5gin*cGI|~8qXeaFpiORAJP6=S{&h+1@Na2Am8*69w8;mF#yYc+
zztR?Et4nZ9#im}xTj}X<CRn$J{adT?w~P6g?1X}9XCl|CpwjT<U(dU(OzuhJRQUG3
zb=~$t?<2tsgQDb)Ml6lw`bTv4L2No2Eqf@xx*<<}R}?V)PP1s?L-|m^gAw&&qSZ9a
z_}P)bfe?>YIlT=~;dJtoF@0=w_9sIqwuw+1K7So$OoxA;ltE0lsZY+oU5pOHp-`N}
z_q{*-lx3Pi!k4v4n`)`cY=Q9*{?rm^{&_HR8SgzlrRGxOdwvtjJZo9y6wKX%Mqlee
zLGyL{5yXut0rYhaC;-#{!e!*#6fH*CJmZ}=<WOuO^rFuhYDNCd+XKk(|0IB}I18|b
zIa~mj0XskXb!4Z*GRPM@eu5kR8U^_k_Z5ph;};vtcG{bchyv98BkjSkhZpka0gC7U
zJYD=0xD-2z{gjxB%^(vl0~RpI?73f!*c$q+<3Em|aJJn(t`8%^ey)6fxyJIe*zc7s
zcP)04=Q7SE4M`I{o|k!TXHKlRCbj7(r9jNxk+zx0k&xh}U4-SsWfXfEG2_G%u+Q}}
zVoH{E`+m6|({7B*|8zcoY|LN#)nw4Mitq{h2k-i#CT>il=&VS}#L<=I-{|$B#609@
zLNN4a9Tk;*ZjR;7qU&UL*;v8|f4LTP6B9f=cE_l(B(+1g714E2xt-aK0yR_yaO|@t
zB4G^P>L6b{2T>YDaovmfd5ey@d+43yoxUC&6J{~<A^HH45e%PH{sJ1291@9S3NDi&
zFuQGqIZlF1bW5|5s__T?0w{7MfJPy(^SNb-l8KH8D^VOr!+UdXYv|nw7{(>s)FFaK
zL@@r;iJdu0dfrb?ZpI9PiZ#|l(z>P)brCr1#<Kv$$RK11aXv_IpK|#1CF<#1>I2l7
zAc+leJ$*;4J2JU4OqKH!SI58Cyt*S?P<zQ*>B$d}jN5$#C~AZfoqTvhX_b{;#>Olc
z#@uhn#QZTIT_2x}ig(mrgEq3a{}5U*kS$OMa1KFOSOF<Wku>Gb$DW5JMGa4Y@q2r{
z7fLnE{|+VaMiJg_!dHpo{T}<H2*zK8Tp-EoB$(JikyC<YGPLmZEk~x}z`VOGloM%0
zor1{kE)vo~Q3)#Tcc42<t%(HHQmn_?re4~S1Oaw6iurnl-6V>ZW<8<H35CytQIeny
z3cs~lJJyNt2W*D%njmwnr$@&x_h*l=z)V~ymRHLly8p#P_qEpz^$4<a<qRd9yfITR
zA6G-ulP9HTl<IkEYX?&{;{+BUK~v+-b#V0R{MaE(_hu3JXHUV)_+W}vQ0(^CGP1Jf
z;K0AC_$}c$)lbkW9E^s$G?hpLa^5KPv8|ZD<<wpMtB{LOYUE!d`bh2^w4-Gn8E}7H
z_t?U<ZR{05IV`=LT>Lx1&a2eU0usnJV2*Z0_I^Lq)7Cd#dx_`U<sIu}?3(H?TyKS>
zkkh%@=m?8Z!@0{UD#p(Q(d>(KDW7oz+tcuOsr`J%Gy(_WUPX>9Ime%B-1GR!yE_qF
z=Z0S7zTXqltlq_K%@e<exR;(i6P%<Y7$`X+^DII5jTknp`bMuWgj+x9%Tt=X4YlG)
zIe?|H8;pOQQ1^H?0`|+;&}Z%xoPoA`eooG{$=RA$ZmD;@s~hD<(gcR%Wo_ZW)|y~2
zm7IJuBjLtP3a&M~LKkbF4V>sd31Q~82y28B(SCL<D1@`1)48_5?G}_?KXvR$noeZ6
zT04f%%Sw8UfznJn(Rp2<n7DD0jliK}I`6&RM*GKTmAHDb1nUOQAz&PbFLX?4U@VmD
z*tcX0L7>FOfq)mIFVrpl<GJBqs)BSIr>5AZrlxD#g(%3WeYqRUe9Acs4r^IvB>3n!
zFm&?V8Ur=w_}aPZR~_os6A4cmY}VJCxI?%)L`e%-|2**^KbF)L=c0qoT)6Tnf=Y&i
z7w8*kTzqae{lT<+ZOk5JPS(9lZb|4ZDDW$Dul#%!jq*_gx=(IZicpUH6%-r@FZK>_
z$R?3_Tkn@^&9~dzf%I2x2uWXt&y%&-VvRC0@Lp#M3z0q6WefXq(9T}pMjNilWk`g|
zme%*>rg#dnHtM0pPH^g&1NNAePigoB8KBsz?Kv`W^Puf3^UL`V=k34f=J&Na<riL1
zi!$TxEl}&p%I~>bKmDzs*#<+-litkb{DXlBTSc~dnKFTKB!ome_B`dmkr(PxpWU9!
zoZwc(nN8bp@#-be?AP$&58>=<_!eX7?)fm*l-Ii;Eo|@5H{rHpaUuk%cDL2i%zPY=
zRug5LVBe+kE!Bac9VN%kQBKB^gQR7>^H)ng8B-_`!}h?#xf}|T&j?<Ga%zJ;WxK01
z0g%LNx2+i60<}^qMy4`dC+_6uYjl2|L<9By*PPXV=6}%Pqx9bqDW=@Nrh$H>8r>95
zRsT~L(_&sA1b7MS{`IeCU=yO24Ys^qH7pV;cOXFfB9kxUONC#HLq5TPQI_sMjR^pZ
zU^?;q${+J$RVPXfAkx^1PyT%lc76=S3CE9%V<4cbubbTflfJy`t&*WtrX_Z}*Z$ZB
zqt)hzNPUegk=&u3e<Ptu?$C31{{Q_a_$=rr1@_|WA4h>p#L7=AXf&-Gq<K4)w`h6~
zaKO>zhrWrLi4Oq;b}cGGQ=tM3p+I9W4=By7t2Bh3E&(ZWtM;_Ur<2F|!4p@5wDP@_
zL2eXbnWq)D)yx={NVyCQ4oZM7!44J)AqGP*UKA<`q?=y3wzaYV#%L5;THFRcyJv8l
z2~W78GOY+-^Tc;y1zvj$%<G)?t+D={wSj{r;H5+si!jhkps)uWIqm<sC~tt29m@hO
z7w7>b;HKN<4P37)S{8<C@dOwjvLFT(@um@-4G0PBhinbf(qh8;-3h>_f)hf)E0Ava
z31V$wiy9eVh;oi82pK|CAYNra0YC$5^K*&{&mdT0cPRuD&c)JH-ok<+mj~f@=0Ie1
z#~c=UDMH7U4JGwC46Y^68lbkx|H-k<@X;E<HSJtdeDJ^me~e(&*H0St;waXrwst!*
z6a-CmJA`S0!*uM<SKyMwQSfTZ2`E*FTCugY#Z;}a#%W0cvyq96>wqo+5uk3>9C#8?
zllw56l=p;IYbCKCR0i4qywWY%dCLZy7AQwUty>=L8eqm?E+Tx2g7-g5rU7}?B!gCS
zNdVa4<7fr?O>a;c`gB@>w6_GvZSy?Xo0AvYl(-T2<ZkrrpQ5XExY)b)BwgYp8hh^F
z&oWR5Av7u0KsyXUo4QtME(=9H0bH<_;*8`EFr#LGo7L3Qvq%HmsGd`053M2+HLD)^
z=&bYmo4pK#r>=$KXkYaaNK|*^BU(S9bU|n@jA6^s(L_hAfocV=Hx((Q!D8VSx}&on
zr>Dh!pw;~v8wMhbbjD9uZWno%*uOy!xZ1O)W%P6;;qrVYiWlCo)5F4)7>u(?T1x!^
zm+s7?b>}3wZj8p2)|sNr;UaziQ_s4<f3i3D*UKE`Vh|l{PVoa`NuZ7=c?U6oiWN&^
z(kAhBmHOJvz_Va4Dj!DIrvO}^$LF`X3Nc}Fep5fF)?4s0S*~Zq^hEQ~)3~i!2s4>6
zHxHFd^L#n#Ax5<!Jj>U-8y*)e?dSf9MCXNHk3Oip1(#q7>LM>768377G#q1Tro>%X
zlnVuFD;|e==xLTDX`(`p(r20K_-So?T3K?El250lyQ0wf#4ZSDUreEwUWgb20w!n%
zZ|{L~3LgX?p`J+_hgdeS%O&6CdmxGi&jAk>UV5n^9uE&T1xW~j0{>6U`!tiIe<Y~a
zI=>jyAoTVde9!uQY}G^z7|spJQnzq$mx!X9-EOH|D}x;j=VpGMu1GdOyaN|=$@)W`
z`#C|Q1~=FpBi9e6j2B0O7e{{U<w7Eg;Uz5pRFP!_R;CIZ`xmc^MZ7Nl(k;fXz*{0R
zufP*7G@rS*S^;9Pv8YI}+qnFZH=wpD8b!Bn^?G(`FK?<-lZla$8TfuKgRS)z#KEkL
zDu=$tAuz8udL{Did;~1o%K&jXVv>A6-FKKDgB$qM$gnZvgs09(x?AYQD*lAEeM8V8
zAsM_2fbry#rsn2W$gOCsYd)BNg6S8mS9y4J^tC9uMfYn8{E^m`o6u@vNzkv`fs+);
z$sr@j06gFdU~bAl$>ML$ATkR4<Q6HLcC_bH;669%qkaM2@q+51qIx;--)5kpW)S{b
zOnMPEFr)*oYymBT7kIDcK>lJ5n4W~Xx??XyUzrFa&8oii|9F^6vxTl8`<6Nqp(BF}
zS{69y{Pi)2ZP3Zn;%WoVH;LMBQU1ZC4#()8;l%u#A<)`c27<FV6U9{^Ui%Z*)h~$n
zL?IwRJRy1eyF;5DweH*l*bepl*_-p;=;GBhI!f(Lz&%>w^z%<BK$<zW$iB3o@+Pan
zwp8u!IRr_i^#WGxX#lL61CiOTp|}7lopg9L=KA`v-$1}W1qmaMRQ-G15Qh#r*-Q|s
zwZO!KEkfE6^8f^>p=k<K#J95)TpbIdejQS4iaAP*h2Zw$x&5Qkl9I-W`LM9E6@*6K
zfXbp^s)i?P1%3h1tT}5K31pYOzz8}Y!JAbAI(BoWhGX;_DJ9*fIWjK@2!vZt!j~dd
z(9OcT?ibSlkEa(ra|SfU6iqc}LkNr!Ls}s)Pg=l}XP-0tjHuaWbrc%_j-k>8Fd?Ig
zGEPa`(9IU2u)F%T(Y@cxkXz+Ni(x+U<K&<*WrcWfHezkUUO0*1P6d-I>B?TPSKhrp
z>S+(+K5uvmwD}X11*ZwDGvFN#X3RjK)y{+{{XN3muT0=bMVhu2{@CP|g=XD$9m>9M
z8lH|K5i@$!ZCC??+RFYS4v!PNE}O3lzMG;+q3lbm<Zae-zElo7B(6`5=%W3Sb1n6-
zSIOrq=&R%bLdXD=SK2@3rbdS6VK=utSxuQR+ecC%-A6*FVi#gBAu_w=dlSF)GdRo3
zdClgw8RlM9PX)N}38$Vaa2lw#RR{uhU`EfUjv88~-(4##Jf)I)chLU$=KAoNOM3Ns
zX)!V{4gS1uDfGU3QPR^!yM`+W@P+?*0f{<y_tEd2VNyyFF`OHknvl*u?X=DkjA5~b
zLiyi}xSPd9XY8aPtz#IvV`PMX;1aoCICKGa3y9O7Gz3<RL9^hq@Vx#3Kpj46GQp%L
zj(bAv=EC=1Z4G>{n4ry7d_Gfd^H&|~*52+U(d_|{lyG$}YiY4>#j!w+au)Voib0J2
z?5^_tnq44<=&L%CeG(=bWXZe?itV`$r+sE{8Qt*Im;%hKl9{>ZX<F@f1;uaRqO>s(
z?%D>CQ5$rl>V3N^^>A2<(cH+3GM*EQb!g<O^ZBh8Ag_3EnM4s*QiYMo<o*8MX}=8u
zvk<ZWLWZ+mO;C|zm$22zMd#V4FMA5<<1K@L-SqMV*1dAg?e}|J*#&H5_IoA+Q^AZz
zC7#&aOfl1sjy}}nnMp0ks&C1B4~o`%QNQoAfWjJ%)(}y5SH0LAF1M!sWHOW2DIQ^L
z0jn^by^vZJij90M7fWHaRCoY^MnoRw(60e2;?LF!>})zjq`ke^Ua?104XXlnAqO5$
zOOT)z4oEJ^u-WhT*y1)@%Nc+CAzDznUcx4LVSnnjklq&R4ZIhOf4in=uQ?5~A3b-<
z1(V;6_)dIK65XY#CjuNFvM(`>Zs`TDqpCN276!>BwCSA8JsgB49(PCX1101nas++g
zR2N?fiur|-edW72`?^JZF_rAlcE3S*9&{re^4vowgd(7>Ma|1;i6*$x%6Ygv==yI!
z12R8*mDu)FZwF+z-y_&0JctRs3i{BN9zue~QdP5%rvGpZTfL>ABRP+|UJLKKEV<8(
z@8Yq+r`*FE^dNY0%^Tcuh*<*51@LI@xzHK{fSz*<dE=T#O?(AVd#@h|0ofqwv1`i+
zOD?%2&mw0}oak1puZoc*)pUoG`0dax*-)(SglHh!i5{ez!+UYtJ_h|3bdvf|s@%e3
zLkzi?n>Hx_fhmE=jcwB1+qM(47e`J4kIkFIBGZ3h*xHLs7Y&Z;@*feUdhxwhsRZ~c
zy?ihXk3O-k^U!yMOh?veyJM>b&0eYw$82a|n5$`zp+3uh3{%zCV$XS!;2@$NALID-
z-HFB%q#LL=QGw<{^M_7PfhWdst@uIJUbVO%tc({!u0_Mlxq?f=XT{welrgU<qnl3n
zD}=VZaVI1oBOKqS2fl8V?9MJpbX+6S5{qbuV>x;M_z)k#NU)Hc#MYJ1)H|8<V}oc+
zhpe*rs7n3kQ8-+7>3c!DI=;sw<cmcO=+}u6>;c{W3*T52s@SQ}VRH87o#Cv%s_IT-
zvaZv=^&7-D$jpnN#PAcr&`0ZgvdJ;P2WxnHTIu~Egc*Gz(5ZXBpZ0oH@M&VXy%)zk
z*M0b=8FZ-jbv~U8O}!aRV;LmNHbcyc_zVD9tzZ|c=lSsMOW#T~TL1&2H>F82KTTUO
zY=RU(OCo?h>j7&5A+`6Wc$JM6=u0Bsg11Hz66UQ|p#t1xo7MFb>yEtf7?@Z|bW@j0
zd!Q5Qx_tEmjJecy$elrmnn@Gkl5}EMg?A%#19qTtG?QKPPjI>kDE{YuWhnr`U<zFo
zsq|HznlX|2wsazGq{<BSLI3K{CXu2K3S;->=e|<tOUEX`v(RjA5eayzG;qG^w(ubQ
zS%CP8CTsULE6hW7a+cD6y|Df?S0p?Z{yDvv7O{WzPD`M+8Q8pK<lnJ680gA~WbgFV
zUm;`uziP>(O_v6reEiqb>Y;ER>@|6Y0iPi-MXtx?S<fSkz6+^Hi0ER(>{@Szkr7RU
z4(&Vyjzk)v&JCPdWi^Azk71ck;Gzr!iY|1g>O;dv4~hW2)@A4ofYHrZ93Nq26jzj5
z?9PASC;9-8=@_B_%B;a)a2bf}lzEU6oxb_IyX2M5Vq4%xs4&^YLlBLM3hqDs+t8<5
z!U0dPtD()@lvs&Hv3+3g+jS8+E`f#@o&dYTx_ygx)J7seVwD9=K`V5S-thbyX9gDm
z`a{yZG0=%26*tPz%)SXN9RntJxSnNsLDg({8<zp{1w&RqCJO9<Zp|B55T8CkvydzR
zDD<1AXy5|3!5r`t94UI;pyP%P)B@TP7WHHi?cGz2fioiD|F%S9AW)lWD31)SUi^Oi
zI<I$;HgM?c!hfDnZ{%l@)M&7uhaf?zI;+r4!5@|+nKk(nYK{$l2qCaLVW4!U1EjU%
z{3%X<ctQC!EJs-cJ^`hCtuPN%cC`w>;PgcaD?1_<D&6Wrb|UFLf}^1$YJq^c%kXiS
z#~GTKw8C4-#>XU#LX_YyME+zS2Z%d3y$`5X*l6bf#6%g^7(#bRqM~}e$G>PJqqN3D
zXwwP&{KeQOkkLB~FgjXQL{$Jpz^>61qK#&p`#@T?>-_YjFYM~<36b;`?;a>k?j1*c
zeD>6Z!M^3Q^^1?8<d^|6o#83_H7!Pho%BVwfv~eUo#eg;Q@iGrNyCy}gvlj)R0l=Y
zN8k-&!>>Y)%gil`xu96=RWC>k7>`|mNLdT;gIorM=i4%;E$5XyVr3`bTW{Ha6vPck
z(REO{s5Nphd0V@fVjEmO<tU9I@eEKXa_J|wmhCDn8aUvdX@y@uvzrzV(DyUAHXd|B
z#JX5&$oSUGuiSeJx^uEL)Jzgehf1Ik<uC-`$q-#^rekI`;zjJpeH!4Q9<9{IHyYQE
zPbdJrLuqX~ED^DQ>*Il={WTlWJ1f9JA4TE2Nti9{IzZ24qdh&`Pf&IwI3gvHNC4i#
za~SbA4U1jsj1Y~lC4Z`=2`KDtPv_-y)`iw}ztG(H+I8zBAhF@=?u*+rgLf=POcY9R
zZ42|+Z#Uk)>33;QUMNhVXr<d}g34M&*9%OieC0nysup1FjG2^0U{;<f!&9Wv@Qt=t
zEH~&Wm0Q6p%mkVDb+StqqM;jRxD-DoCMNofV#AcRg1%2m-55XqR}0{hn4IizN~{7S
zFbXgS0!kFEBKK3C<u<dP$I~ZDb^Jp#9EJ`U@m_VW<r3q-85o&9zrk;?$Miz+ZnKe#
z;2w~*Ez;ilTt5C(I@uY2=@d!+KGiraW}clsz3Fx!!iO;y)_L0tvCUw0W2q8Ncts1~
z7|^A6(C}<$gZ1&_@Dy2>^d`;W6SxeY^0*+jO&?1;rsCPeE^**n;Pk@>9iLxVWx*nF
z*$)s&S?B4X#T9>h8QMizJ~hCBz4^CZEwQ?rEwNv`sbIatriW&%WD$ZRl&Z(qHNi&Z
ze2OXF4W$WyRwN6hO~W%WoPQwh)w5ANKyw!s2=dJZU~G4%Ler!WS2Gd6egLaiKNIJk
z!zK`wkOSbl1q6z<n{56(-QybBJ89@bsc8jy$j5bMhV3W=^1v^5V?u1`e43;Ac#x~h
z)@^oKB>qjjoSK+JT-wBqAy-&l5|a*#YeWOJOO?x#_>jT$>T*`7=9Mq{3GN}>P3G6$
z!Bkg#V5<JxTZ=;VCpUlXITb;VeC#Ws9npBKV@qD!CRXgIDDH&SB{cCDidRB3>f#mW
zQ!g(Jy|=VBoBJ^PYzCd{BEQLUaHi`UGVz{hOtUAEZcFP0DD&f-6Pf<`;9Pq5;9+O{
z!s;~S;c><xncT)6$7D~3xEp%mQOY#ut9P`o-iZxRod{Yr@;mf#beR&$E)9TX<(S_u
zWCYyF3`vhczJc?s=gf#WEO@TV51b^4%H4)w0Cvh;)F|Cit9B=(;~q4wbSJPAp}=GD
zl4qdi5&>&@?TJ<Kn_25BNvI@1GbA^^-jC5)@M7CM<F<VI%9NPfh{6M$LwS=K%r`^|
z8b_#jrp%zkqUA_KPE<i@pq1lGJy_d_XlMCO4^;-kqzVu2jO|NDs01NA-4AtK63kzV
z2mEj`$tlvPiR#Gr1z#QLIjjA8I%j(~)>WUMO7g`-@R)i1*y0Lp3%(GGPy%YfPW!qL
zzlN_CIps!lI8Mi3bi*Cgx%K0d-5dk~q8sBy%i-Cp1@&_8!cYnWOO^iDL&b?Sp!d+o
zN)Ql`f*?bssj5yfmc%>1&U7-^X&W3}+rY9@%v~@ZL9!@A5u`eI%B4NH67Rg!+|3Y<
z!8iPaFD4ZBvKC=Q_~j(wbNar~?{B9dfDx>yx&=~zz%iQ&^rQ%QalkpdWC3_NUtaua
zwbIk$V;qo(Aot}EW8y;}$5v)IMBwQz23F@Y!W(Gcu~9#V1vY2|T?75r)3JA;BHIzY
zTu<-eNQ`abcwi{B+Og2qP$4dt<H~aQFUofLNp<_QxIO1y6IWY?%FXa)F3#_8Wh5HH
z3-Ex}nlyPoj`dGNlos<Fz@x64uReIL{sy}yd><a~B~%m8>v)_=j_2BtcOcLU0tsf~
z=}^w&t~OM+*rD&YV~^@t^h5d<bXeVt;)Kdx{b#cvTOD5&(uy=55dycE(YsFz|97(h
z1+xW|5W~O$-2w~T4#3l4!J9?+w^32Fswqimn-xT`%FoWuBFmuOG9XK3W2Kc8K;O+@
zBas<+S|stB8in<Ma+)GI3smA;Ax{1dr@iZ}@c`V2D66<bMIAX-j$KrAimtn@wj)>s
zHZcP@L%LZ%cN*!%fti%@fB5rCadJU->LAJ%gl2;QKtWpD5G2WFA=mhR?K^zmkKeMt
z`{H`v8%MRgkUw}_+*zhLMy#E|4j|Ff0L^1q2N@Lg9N6B?z+Nx}*|wP|3yt#-fW;C3
z#K1~J<wKq2=kHT)LZAwS9*M$Pdluf0c_Kjq)qWIOh`a(|ue1O-ESo(sCB<<|TBFeh
zfp0Krm%f6Z#cr;5d-+Kxw4|-(@ppise(sTKc>wb*!5ghZ2aA?Dc$~6n<i*!Kp;M>2
z?gLLB9`FHlXzT6*FZ~?$rIWw_BGMBGk?E<vV1?+fIN$l<Ko^mF!`3E2CHENa-7S)=
zxo{q$Mv*F(mUqknR@)TVLx-0P<DTI8t=@K<hhAk$r7D8~BKS3wa&BKuNVwj;0(mh>
zFr;d%+YZH|7z{X10mDcF=iv6KML_71Ae;G9j!xu#J^_Kx)o9U$F;EuC06qyRD=R;R
z1~D1hr;QLX6+HB{=2iOGO%^BDOxMq73vhP?09PjKHb;I-w*?VpqwC^);6i69=xUy7
zeyJb4liWMmK3p5MIPUa*sc`q_wB+DwaRqcLP}BHnX`Jz<&<bB3Ft)m=qX0s>kXvPt
z?(6e=6*0LQ$*BGG?OeZe>;Y!Wem}U{O5EXsPJ*JUp`|Fe9%Wu3Z5gZqxE>#Vpe?8H
zG=mrpbLqM8QNwn<mf?)gXq<;!^()uK7h&^9ckRmhSQq;0u+W1KrL9%t+fMnGcOR<;
z;W6AgWTq-1LA%+rGgj+LR_naIBiAr6*G`Fi>|Dn#K#PR{J?>DXe!;7jy@U9UA-KzA
zbJov8CYK|3HaU+ZDS6!^39vu=4<kqRfs#P6Wz4nbv|!3md*WlIpkNTzya^`iu;@3t
zF6Ji%xahsEys934``u;1)*EjPJntzMH=w)Iof`vGbtXc>=#JRKkIS~AQct{~?k9`l
zSdbhWxhF7gux4-p*{Wo|v;w=ZEA2C!Kv{Ib9Y;%uR%@yV(gI=q$+U0#<&XD#KI43J
zqJ3D5eI8sh=7ypbSAgUhxbgef_RzlG?*126q24ZsgtSSH;|kpjx^TT1lQnz1<KC#B
z-fAkW257OQ?PiK(<rm=Iko?I3xe4H;acWdLH~_cqFi_W7;I=kLHftmVgyz94SN#U^
z8zChi`;0tT65AjI3B)I$Hx8PueI=mIbq|71>vsy^RHBqNoxJ4wCs<($4uC=d>*r3I
zS|7$rwaR?0Ptezu3Ff+KDt}KnI07yq(p`2D*m=eDN}_<>Q55cobz%*y=i*{QL{}RI
zL)-0=W#8mZ`97YVEZn(z;Jd59k*Yosp#CR$2u{^>rv0XmtDFupfF9J11DO-o=*B!Q
z6K;yZW<2>b!oq(^7op}t6Y(#wpUMP$01j`u{;&9plokQc{`{Y2$ZKR&4j91=;fyB}
zT^LSv^i<?IG^}3~PW>xoBe3J4rDmdfDX+dnGUmAy?eo8WhMFL*<W7r8ILt5P#SKs2
zIV!cA5pb&~74xG{$w-75-Xx3JQ2udWK2+yOXPA2JS`9IUVl=@FoAiGk{Of6X;J10!
zB7*YIA9l2l<^N|t0lmjwN<RyXsL8%PH7`m}!jNRw1N5KFi1$@XBnqfhfHK<?qAg^F
zp-Ke+Y=$yXwZ68gAU=ZiA?7TYN%2)sGsS8Se^5do2W$m73xH*-kbk`>ECDzNL%8Jg
z1elU7A|mP`)ZYQc?1EfoeWOyzDx2WI+W8eOe$WyGXSu+pk@IkX?$76hkGd1t`#(J_
z9`-P&Lr?7C<1+IC1PpoKCO_D72q?;@YRx4;tZnB%mzz_BGvng0Xgf=uZuDMAF%n1B
z4!~p!5Mp`3k#{`_(sf!POVAt60-xXT8qr>tLoivs(m?Up#3i_v;-WXd(dUE!?6Iz@
z;*;_`d8J6h3obTO7;zj5(d-LJrJSC|^=S4r1B9OCCrprX$aS|DPchzo_lN>A5%*@m
zC}su&2Ez7_j=hyY(msG!U7;hGzCoFWPP397KH4)uYhQ3hgE6MIcpvaa3qnFz&VJ#0
zAyXGXwqyp1uM()dErX~I-Mo_zVSbPjG@ivaF_VYV$BT-Ju%2uMgqa(TH!h$EvsENJ
zP$Na|fB5ta$!F4`633@Il>WmJZwDv4C|YMr;Kkz?(CV=#Cn&eEm=TzltX#kxDG%?>
z;r7wpHNG-H$2i^&K?DitgzW~r047*VvTCo@$8>_E)^lpPc;16dlQ*u|_eg|w{pE)^
zym(br6=v23-c9pWNO+ioSb-L3QMER90J@BpmeLxJf`14}Ls6s?0014zf;A0E`H1ZT
ze=eeE<{*OK9J-Ve({wSB)?psF#}32sP~{l?rdvsztUR}(iLDY7EDGE?6NQXoF!T-I
zZ>{37W*^W~a%DBp#uFLmtJmY%94oF@>~_Fb?6SnoA>`ALhdTP~5QnQirqm+Fb11q#
zdZGW+%8goikAp^1mY<AZx{M>N3)eJ^zuI2`gLDgMkP2^`Lv!$?qClDrs|Y#k1eiK8
zn%O%!bYSTRUF85beA?fU7Ubsgfx~OabSPs!HEh$PVOK?%F3B@iG#SPjsB3YX(yU=E
zJMX#C(SuO#Qkun;>*5lz`esb84(kz>U}{3arw-w#L*myl*K56W9ca8?|EB+8JCW%P
zz?zO?G?h;C2S%=qu{2=t%dcDs7rHeD44QM7x%i}oJ9sXRLh|k+#=TX+Bu1HZc4F(s
zO+FaP(a|EKGbMoZz=zH6bIe&69c_kKIIt2%jn&2O;K0_HQbf8_cpEg;)C8oJe)FmI
zDN81>!%AbfP$qaC`uJT_Z$Ds`Alnjb^5j8RO#8D+<fm`AJ3yk?cySAKVr+xU`uGoB
z*Ud!C0b9Z)u|KDE*J*fTH}2;qb4!A42qf}CZ9dM75O7084kt`Hs>|*Ihce7U!q>-L
zwxCz&jFz^0*QLatl7pP`)sf<Vixd9u0Z8est~I`}ccgyN+#j4>-==z;{F;5a>eV_w
zU4;v6;IJ+Sa$LNd1+gI#E+9e0bXl$tv@_@r(G49CmH$Xu7sx{(h0{gIpf-mHhfNcJ
zKp|9c>|*5i^Mkc;%*g2>zwVCU@vN7R{r?t-!%#6qCkr4A47mk6q<{&{0Hs`WI4re&
z@;=J%{*HY>OnXDqh~&9wv**i!1)cw9dKiWsXo-M>?}2t#0#=>a{p4;;131nC;!8=8
zI>9jJ0L9gf0u+$C;;%6WC7vQ{LG1pt|Cm6iJ5iX)V!)<)lmBi&_+2n=aQ<Mbrl!Nm
zr9ZXV{SfBO*&3agr+xQ>Eil@9ZbL_p(j}$j0{a!fiT|#KTtQBNTgRAt7&Z_$_`QL}
z^J$<~eFoV7Fnq9R*$3Lyh0;}!`53B$lNd=uV>eh_%i@>}4Iwb4{U2bvuYUx8rCk4Q
zk4Dyeps_})RB%ZkjWq-IxE@G#WbX+^yMod1fjj*lEHK6u!rw~b??OOaf7L^f{#@Jo
z>B9#Q3*Ma?GXC?8OaOLdXh<{$Kd<1--s3C3e`K35?`8S@{{$DBCp-W#aRyTSfb|$T
zZqUMx7L8*gNpm?!CItD>io26WkM@E5=?**fE9eQ(7WwR2X&^WVJEU*J_a=LURecQW
zLG9YmWdlo_(7E{j7myJ{Z>;u6KKj$~lv~igix3jhp&|VgTF7m9ZsZR}D8+RQtKqR7
z+bB~@D~|BjH+;VbfrAtXWZe-qSF+Lg&Ej<LgR=M|N^4bu$9D|}hE3eKyXzh((<_jo
z$lHjlP`^<_&n-_UayQWvD$4b3W&Y)xL3m!p9Tt50^yv)fWlIY;ThE8xwm;XndI3)m
zD(?{AczOXX-#Mknr&f<B>qp&8v$1i4DKK}k$9e>VKq`-%MWnAE2I|F8No!428W8F6
zR%rr_1|ZkU?&@+5mL9Mt1`P}hc+HP@+}}Q*+%LLM|2e|Ag03f^ss(?}lH7Ylg>Hj<
zwG+fXqHRw%z=8}8d2LX_5;lP#VQo`9QD;q~Ou|Zx(;5SP=T4m7HHciciDj*lgS+n>
zOhTpm@k(cM&I7#n99$DwId7WpEq-?dxbsu?6Td(I3Sc4@ytpUNR;=u}?v=x$XtdgB
z!}fqnr{9saUVtQXm*sPCi6i7L_R?F_(*Q*6P|gu+m#(zP+NjJPb8`C|y?VI%GEsbl
zp8?qyVRmc=TM7uVG1?uc_A|QeBY(t)l{{3{_=2m4gmZt_fT+JP_Pj7GiMC}fukCrN
zlw9^t6RY&nfzM-1mVGDj4U-$O@46+<zmh<3QMDv<L0RYIHceN*GEt#$<H?BYx2OKR
zg?>w#dMsA&LV=ce|3|&*zgeG?WSY7%i4xB`unFdx!K!_1T!Qq#&7mKynUuvTvgP@2
z!P0)>m%FBBm6t2J)@Y39N$#}Y^Ma|Zl@bK#8wGrv(D<T%2T#G&{0x4Q#A~S=EYNnn
zY9QreBDS9IH8r+(E&x<)2o74o`tlpZUZoDq4pRC~|J<>0S$vT1&x?frQYGDm^e_RG
zFcBlOOV*-i8FU>yE+gd*J1gDRO33IQa>g*835c%?F;iF^lU)|}m#XLAm56CuF*R#R
zWMkWmTl}X?Ry9LpBCg9Zjj6~b3rmn?xOf=d_)Kcd4HlfuA=|e#ey%Ielo`YhdX;1v
zJ85w^9AzDV#et<Q&3%0}*zA6OeWlysdRV*Tgh}gupMYAD)|bbp$Kb(pApSC$d}o<?
zRMDlXuT6a$q#eM}=+nFQY-@T{#pSj4g<p1LZN1fUui$OS?%@S5T|qy%9MIY+i|X6J
zah$ER7fLkga&<_9Va@sB@~^{*sj2T@Bwq6`%ePp5+#GgFYNM-On&Gc|BmRB&MpC~W
z>$vk^xx#hK?Z;g|#}^lU^<r7SKEKj179#h^{we@J<Ms4=e0j&jyDo2x7e&Ib5H)6*
zi=TIsmAY&2a`_V>W2Bzuw64p=h@E7780`N*+3EkN`LBz^7l`R5N#Pd<R*^jNb^x+)
zpL+{eZwrz;Km3OJ*g^Ho)v@a_;xo7Z;PLyL0-KAh@@6Kt&#!*L_?HO#z888>X!R@X
zii66%Q{%#m)wzrsfO?9T4-9%%Ybi|<e#7_e8(+!Q--rXIIwN3OxchGytvUpxd1j^@
zP+6V+h<T{`9{ciIef5o1;-JyU4N}ehyP%}sk|@ve9JrMsSRj=R%#4MlWfGb=Ky>O2
z)Ai9Wz1mU*Xn_p0jL)FvbbJTUsB9kXX&>f%+5+S&O3!JKzTmxVL<bqP)9*x`&Wn$J
zPx*sFRZ<4}LbPZ!4d#?|0US1u418Amj`x5!#bi%SZz~3*=6V5)Jd5R5q18%RS@U~^
zK7Aa@`E~iw6<vlz6a|Sxs45vrI(OZi@W1}<B~wMoh<`BCivzZLB)o9bt>20pJ%MKG
zMaw7>JOs_t=$l6%5bPX^&H$)^ku3sBCySt<gFE-ZP*DwAe9@Z0<<j3r<auY#kbx0L
zs{qFZ^Q4fJ6oe5jiS5wQJOh^fGEm)7+0WZZ^hBm32a$Z~NW$4I`xH?a*Wl9Epro5q
z)P)z<K*;(Y)S9j}&wwx`K__iBlCu(BIS6enQdhY=ihA%1B}<{yuB-cD7AW0GEY~8z
zn3T1$_-G{)utr(tThS{~KY>?cS@BvpRSH^6lx~m4&D1==HPL>S3@8VwVIX1+RjKH`
zK+bC2`jLO({iEf}^|mvnexRj!xUziw9x!`^o6*ZZucAx^9uck4W%nZz%(^)8&_L0r
zoBMR<qjf-$rfX5Fdz=`hqVsE1ym^IrS)lDAQ~?=fl<<bu%w;l<tZd!{OY8ciUkw1r
zh^)YvRF0@^_9~Y<{eyjK5`!-%k-OLl38|2y?SxB&L&6*?RQ_&9sI4xLh`RCN`R##4
z&CvxA@L>im8_SW%E6*gEwtRr3UX+f8lC|fHH-1n!FkyFw1~D)a;4LywbAPt*&RW-D
zZ%_O6zP@nc+kH@EhTr^zbiE-en~13$9}b6`>)N0C9OZSJNSm>-Nb^URt-)@MJ&nsP
z`;Mg6AY>cAC<~3<5x&o`-Bd}ELoHQQIQ03a+95=og1z}HkbW{wl5Q(#Km~Yz$2w}2
zTf%vm@r+P}h1$~#u*9qsmi5s-UAKpg9Ycvy1vX^~!3{Z+Xv=-*SIul3%FavK?3rhv
z0rRm1piV_@u-m@r<Yn--`gB=;e$%&{C%!%UH9(w;eGca#e<0mtbL1{=(FX36V;B*Q
z_8-s0Q`wtp4r_qIi(a9osA%=6u*mXb2Phcd${e<PWp?#MZH5?TyMM@+UIh?y@GY$r
z^McrM;Ct+pOfRNab4iizTvD=hfOg_-u?cVRG|~7vn0Jvf<f0$g+LF*3zu!?QfS<RV
z+w$eB;4#)EMX~;m!RIo%jUy+ax4aC)^7vg<XslxgVfHSY42RJ!SUvFfjgfoP<o!J-
zEBQ#jVpD6m{Be3ocmcSLew=+##jDGOUyI+m@MZ;8f!^rkTeJmhdV}um9ir;YKWDXJ
zSxtiy!E+s&h5-!N<#G{pm1dTfyIO1M4app$jcYez7Ty@_TSjtW9sL<%`~uzKFc{&+
zL*3k!me@q83rzV-+9t%k0Vxm>rHA$$Lz5y<`!FyCZ5u&BCh;PH6%E=cUF$zm$3YdO
zTnahD5uiUtVmIV}(psRO*y`~Z8#Y>a3adLhl9hGrZQjLJ8F8jB>~;WsbZk@nZYt<$
zdc?fNpVe>*SbLU+>V*8pd#BI*gw=Z!RlB+5JZcGz3i#?@#?J?tkA$GS8$Sh5TjxGl
z_IrHq%t|tpE150Zx|0icVF&Locixvf|M|YAta|qWl1d`YjIS0vK1XV`&~lca4v;>h
zb3LUla4=p28odyo-*CD6Jb<`0pGeTES`A0R;sl@L0GSB)^i&@zuF(doOp2egGu%eq
zy}++Ge}@d;Qa_N61^IHe>tFi7+EP)Hr2^{#_k(EC?D>TfEtry>@&LylQ;UYL(%~W4
zWv)lSy<!Y%*(7LXUyjwnHE}IsM2Dwo$6H8fb2tLiOEPq>JI2uhn~v{r((kCb<NLwR
zZxLSark=_f;5@EP0giFh_s8eFpiNn^C&@qdaahiV9aQpt0OL5?Jt+=>#PQ2Jk#Lqz
zNa!$3#xJ)+SDU$~;*oCnXYk=w{386mnt8R4>r->^c)K!4Kd;{wLW>5xwZL_q;#a|m
z)>5|EgEMFlD4>cu?tLq|P-C1{q#!py-CZT)aIV|?V2SDOE@)4@d0RSgey3AYoq9lH
zRk}^6;!($i6F;N*&wu*8tifT{ps)1u;@X@>1MWt4Azs|HM!#coP&HY?Fn7Q7wSfM|
zn7a>m^jEA4eU1G0z4)&>6puDsg*}ODSm~q`vvwIBpyU=Z*Yp0A8lY0FSQ}kq<3#yO
zh6==IPUqNz=D1z9rqSUhZ2B2)7ps>v4LGv}T!o*sJ)b?zTLuS|to1AKjke>dVVhr>
zsU*`C8jr<qP@gGkSQ8)Td>QsuTsvlT+&b2S`M^C|&sF~Vo2C^aDi1dA^|r*2%Uhu~
zPUpH5f9*fsmZRJ<fqBKLGxKrA^&=A#;j@{c-Y#dFcx)jFnG0~98g>~<LWE2n`i-Wv
zWUGVxTJ2^#wccl%%g)W644E!Zlp1MjoJyb@Y8{6hwf#R(zrS)#Fg$Q4B?RZmqx3K_
zS}Y%yxfKa?++9wmJvk$zg#+nHN9j$_brg4Q*;_BIySz|L$fWGWT}csd=ty3B?HIO-
z)s+3Ax>SNMsST^I?~56@s8l_u*dL}Tctn5GiJw}kTL!lmWKNG>j>uiVNsv`p%FSK5
zDgGZ(QHrWyDabpmp6DMmG&1@W+8AdEm_TR(?qkrsg3VSezk^l09~M4N-Uk>Sc0~&R
zRPd$cp~r38miC<=Gz>bQQ*voV;G4R2Uxi=)z3IeVLw>wMda*QF_6#VZ>?7UB&1;WS
zx3TP>en{|KlZIb|mMKu$c)b0s3YG)4Sl(Vp9X@)HeN^VruV${mjawdk%LqS^Tu_iK
zC>Gi9KJxs>V@;U{zYq7n6WL^an;7J~cEF=8@pH*}<AAfGJ`mz{iNj>msXDA}UD($H
z>!kXRM4Q(fvYpr+uj4cy(j+eWkfm3h5*7L6Q-3YUlENe1Vih$d`hGPWnI0IUs|DTt
zv?o&Q{U_V1<{CIq*?Zvw&J3SU*rpd7T@FLJb#K(79~wF9zh^jh*4807_kI1xLwhg_
z9`Pp3xA!O+#@4CkS<ghF8>Z#c-a>sAwZk0LVD{Q~GIw6_btMdG<Qn%BKT+0-w=A__
zYP>shZQzKAUULO*n+3bwQyU^?Tl%+|yzjMR``uVB_lhL=YYDM1-vofuQSS#;`km_r
zGr!{XA8I{<&Jmw}9d7-6MBr|Ej2Iq9rNPT+-5FR=t{n`l<=?{})ikTcv~<FKy8b3s
zKziC)G)PHx@K=yiTS~(oz5#9}BZv`MG5ftEKJ0`6)8IQnt46Lh-<0FEh{kv+?6$fc
z4X*JeUo=jHrQ}R>w4yzvpSMik@;EUO76(hx`uk(x^^<wu)3>oJudl%E-PU#*t+I-M
zs$|YIQ5WXstL)$;6?#)8VCr!G`-}csmp9Iez))LhmHb&j;!bjHx}gwM>+pS<#F6T4
za}V=Bk}=VI?75d5xjxWw<$_<EZ;M4O^s`;HdfcvRS=MyhKxue=X#GRN$8mP!Mis2v
z1DS>X708YdU-|tdI&%pxdMvVA?aSB^THd+V22m!y*v+4zY?kG4)Q2#cv5613ZI!Z=
zi5SjyYM0dJ-j?$@;ogx4T!qP@#l*8%YW&DIXsk<{DT7O)$wtbb2anQm#8JUVIKjDh
zdXp7*=;xK$Psjf-IR0Vgp+X6yZ+%P`{(QbpbRcW_0R2#hwf210>BJM;n%{lBuqhsU
zP_)#qDUB=sKHW$^?S@rCN8^kPKSXZe)kO$`r={+Q8Dm3b1I`aH>n`xo;FhOw+?6hn
z-wq4g_e~w0Z2rXaF*m_@AE<|ZRZ)9HR+Ma(+3hS|=5tQ!>sL-9XZu%aiqiy5WQN79
zettnmi*v@ezk*ZmHJ(^Yc2{3Vcq#PphG@(>gKaquF|&RjKRmvXbn5K+&6suN$C~)D
z6hC4ubk1S(Y3gmS8-6B-UZI<4OT4O^*(G)NxKs?yCeLZ6J$z9+hDd8{d2K>T*l@t1
ze+jwQx_Q!Lq73EJ%G^!I{8{76`V*<wIv#i1m-)0`D~zwvp8D}movvRKHzvw|*4^wQ
zc_5mga_-xTP;Ah7QyM?DayE@duI&jtm%yo2^eC{3nh<kpO{fCpBKFGtFb?UU_s@`F
z|HlAr5hEJQDYP~M*o~~iefftw_w1<X!JDP9?dxymG{6>I8M!CYJU_%o<6{0Tru6ao
zfLZARwb|ea-H(=f(Q4sM<C-^gvqmnVCZYa(Q%b<vy>Am}j=rZ}8*y~*D4GiV{WSF(
zG{RCjBWFVBc}?36Xp*mG$-BIr$5*hOXTst#3RovfHGT)})hg%ujE`R;l4sbN>*p}`
z_my`g^eJe!7q*&@`NyZ&Q)@d{I13)m>hfJ1vK9)Q_S{b3nu$K$=Ud;!+iJSJ6vEaL
zb#}in=Fp7l*`b^>oPk?;cUlG4XgqE41vcvX0log@7nYsk?w6NuXWZ!2<j?p=`9PgV
zmj$o&n4QuI!d`Jo4raDUf6o!~hhfVlanNLO%ki28TzF>pXK=JT!BkJCkk$+sx8VZ!
znu2Un)qi9wZaW`)nIJ)`6^0iy#JbC1C@r!gtubb76devNi3FJjOOph?ul#Nb9ZDN>
zWno&iV^NVqHd*R3sTdFZ?;=x6D;oc4<r9QV4yAXJYFA`TbcUb#i2`}}UBQ(x#g>{g
z&H6)sUHz-X=SjJ|7`swDN$h@l@?XyIFjA0&ti1WVJ0yV}25-JM$-ay%C<K7Rwz9-K
zi>aM|@eV^6yb}|Sc!~cVqyO6Q{^nwcAuFq4kT{?%e`fQ4u{3{2bv{Ja6$yP{|2sy5
zVwQ0D$L1S<J+cW%)y4PenK4345VUg#25;xOm4koxu^3{hYah7zL!-vWOigB&XRe=p
zr<6on-}2V(B(2h;vB`Ypz1DlX;p&8E=H($3CSFpts<O%HZE|cHnKBeCs9!hNKR)3+
z2ZWwC*b?>1sYYzMG~`JEodj=)nv5a<8mIZXA2OBY0ibcsi<3~t<f*xe1Aqz48mNti
zf7&*#eh4wx2>4iLnG@>%^G9My3rQ}2vgXj6;DwJ?hbi#iP!Kry(pDXOf4+|yv^0{9
zIQ>`kL}1qeNMe=TA>qGc(H<jEA*X}v^5laXh3Yc^5eR5CVu1v-INbx^^ID(V^80jI
z5{K*3xc`#ER1lOrJACtjBs5qY**HFX|I;GEo0Zpg;a5L@Q&wj73{aRz4VsD!n8%0^
zoW$JFS3xD=uesg3m9$Z<B^|9kw!7ow(EJM!$jcxRB8*0)a4hdO_4)ZM3gn<+lU2<~
zJd7k@D4r7p6Yol&ZF#h0H`R)wQ6(i?V4U5w*qkgR1s>9MZgI9>fNc|AjL3cfQ~JDl
zEP(ab`+4e5nerZA`rhO3(}lLUr_8lAigk_Nh|vD13M00RV|mV{6d+lHlN4vbqA~~L
z5=xI2gE{IPOc}0U=60)Z1$(R$04@&q7Ic9A7<7IwnhRMKjwlU6u(_#8S`+4-@n?^~
zomc8~vp|;fGv{`+L48UWA}j_#*SpyiELSDa&HB{c-5T5j`(g@zu?C00=m$zDap<^h
zLoVr5@00TXeeLV0zyC+Tdn93WJ_q(yY2G&g+HFC*Do;r^E7oI^S2h3E82D6FP#>5A
zmZbvdX?VmnG`efSZ`J+%|LW=5<DpFVIAK>t#}G@+>|$LSDvMH*M402Y);0B6m&r6(
zOGtyQXz7r0-PW|pamiM0p;;wLE-4c!!Z2j<Ns>`*RGLDa?_=BZufNRuK9~3Rz2bW8
zC8z^O)}pW?*Kxh3KzMO?Z^%GZJ|F5WHdIPXu*Vsbg-86=etI#yr9ruu0U0`f-=7w2
zP`^wlo6<2Nmn}j7y9qe>UMOffC5TtdKql9{JERjBmbxpW-w)!G)fm8cI$#tUhPDkC
zzRkPPanr<skV)L%ee+50<TK&)NXI}e+^MbQ7eT(3*CL1|TKp1|rv`@o&0od8c4q_E
zX#*vj0gd=75{5Z{gI5{;SAS(5A8(V5lr<*CcY5t2gx?)8&#r?xu~70qIHflZoZ19s
zr=f(Ei9@Qp*ET$?jbPHlKnw^)XqKG;^ST;n(MIAdyYdlpUHQ7pGVzy?Jy*yP*CNt;
zw0RbHdl*L97LqYHgJApBteI|GrLt&co<#g_&YgfG4N)>n>Gvcwf|F#>Zx(&z`3|0{
zZqR#Qvb_>@RhpF|@jf$%XgG~-G=f3I6hKs!69b|aJ|fz<GnBnnKCe!Oer^<5C-G}a
z_|sk1&JnLLgQ$W0I<*`yTTO~S0{kG^ubU&a7sVCT>7<NBf}hZrK(7hBt#GBwXVAQV
zoxfW%dSk}xO6OH{8#@Nno3IJCg#9DtD(BL(VhYfV#6N<6sSPUIzT{EbZxH?u2XB>4
z`NA{EW<T=9#!*pV24HWZG#Kzb7-zG-_ehvMdp{R*MJr#kSm>P%InF45)F=1ab5LSj
zx{P#jvh=3LSNFFviTg1jV(}?stXeK&81e)*EHZ<20Jp}CMN~Dl^R@4OR9Ao|bIy5Y
zNkFxr<%Z@#Qan#A>y7W8&?b7C4!x}+adaz$ERA9q8j#WQW%uDKeSKjjT7V5>4+8D~
z(thm1Yv7u*)74ERfLIu_Ej@`xdH_~TkvPE>+gKseg`^n?Uk*zyewgPdDeSTGw_clq
zidYf_TYC%a0M8X`pK@Vz#bN||CvsOzG3ws#prLQD>r&CJwl<47{Oa-0RjukHVFG?t
zEtq~k-W20mbutk=L-fEw2{37;x=lQpq>7s-GwFmh3Ax%SFVKIx>-V4c_Z~%@T<pbp
zL(gEl`2#x&PY?8-cb?QZ)9QArB%x0*jqOch`a0SXE_mN4g!18Y;C~EM=(<0=7ZX=Q
z$u)4GGwPQpBgZvAYyKpk34GH)xd$}g8@46U?wOPZG&PRjT>12H(Ar-^1rWx0h24RG
zuk%>N1VUWeAqNqf8i5RR(cVLQWJ-#FiO7(IDPec&W32xLYdE#~k0|LzoE%0w<4eBH
z>*r@qwN)+Wh#yxR4!>USLZ`GO%Q9bxo2>#k70Y}-6j{bD=j&0|QkmwOL=b|oAh(8W
zO-sKmA+&oFxpHaMrsz7TetoTE?%=e5B;mCRuWsI#s<Xe+_NrX5UCFtj<ORi0VV`8l
zRhys^hpGXhT5-zO5-Aswq%E*f=K-N)_AJZqa(@{>aWwddqf<35JW`wB)bF*lR(kHd
zr{0cl*g^LN2;55T)RwVGffVR7uf#H>u}~i$70ATCZR|+#k$UG|=!z4jFU`rAHG!KU
zGraC@f4k2+i^7tKICDe;8DR}X?zI_XByEr9`N6c$nTIulE;th&8>Xr(YkE}AG6)Z?
zoH%*qn#B||OTCwK2;Ogv(vVHN`nbX+LU8TjWTmFxt3%_TeM1=ve6c~kzqFLW-B*8#
zcaAF<Q~G41Uidl^h6}Z^RH+^L!0g%32s7oZ#o>wfkFgwXZGW1RGpju9QRbniV`ViW
z0?9ptTbPE)Ya@x>JMn=10T_{?+Z$YzOu)Ap#6SCd6sG<Yt=86tfmT$d#4*=fXC;O-
zn<nHYcyhHr<6zgg+Ej|NSVM#lh@;EqeeJMI@PouK;9+L7M?NWC_#H=WsM>^1fo!<_
zB2Y%N?(aan&;GDAkVB>QAu3kpzc`no)wZ4u-yp~a*kLP|vkwTi+^?>=rngg%ACD3x
zic~IdFfnn@*SwRp2m{T|7;#ZQB#Gi6jmC}x19J$y&;TPCm6ON`vz_hF5=B^DZHT%K
z9O@66i*ixgCY?-$mL`V}L&<E7zVhxFgk(aWmL+9mT(@iLKWT=w^%tz4{5V|4KeL`)
zrDHImi9Cl8VL4AlhV&WK_#bd9Zv2@QLrGevEe|ovxN6asgoQZngG6e}?O;6Wf30lb
zWw-#t^RDrw>ZTPrcaA(z=ROO7Q-|c+sM)0r8bgQ39r~*htA345(yYnR5`czI#;WUf
zbz5I5a~<hm767)Ru`<U7aKMzVVh+XBXti8ay-cy`lz)UKuo^xxl)Xy|;*)n<nSY_E
z-9tUBuqXAgYqrF&*YDwt<tlySSR-BQBZh%2ojaXG!lM!g?N7%a&7oiK8Ee+9_c;Cc
zoleAnQeCUy6Dv63yxi@VJpqc3Y^aPO0D;FUBW}DowfYIf9=Ys1KXnb;z=49`PalUK
zJgJ~Xty+1d$kx^#(sl|o_c-`iZSUvu10Cjf^?eVe#QZHGw^NnwY;1Wwjf1v5x@+4S
zNS{2vyBiNrt4?`-d${7Uu#?W2f=_aD(3a`2$t+7bDfj=s=>FFHQKnr#|ErraZ()Ct
Ol5(_nwX52}O8Ou06wbc@

literal 0
HcmV?d00001

diff --git a/cli/docs/extend/images/authz_allow.png b/cli/docs/extend/images/authz_allow.png
new file mode 100644
index 0000000000000000000000000000000000000000..f42108040bbbf9facb9fff0c320428323f061e10
GIT binary patch
literal 33505
zcmdSB1yEIg6hBBjN;;%dQfW}S1ZgBh8UaD1rBg{Mr4a;_loDxCN>UIMkWxZGLZm?&
zY4%+8xBK7!?9S}Y&d%)4ym98ryZ65PjdRW?&V8h<sZ4l|_8b}-8lkGnwHs(?=!a-%
z7${t9_@7Pd)kZWlW;E4nS8w{DuV&z+QYapF$h!54s}ZTqYky*%4!-sX<D5^X3w^|o
zM-``f1k>n=q!g+ci8JxciMc^7!KkZ>@vJuSY|M72eJ0*RBf^rxl2wv9?-oiI(lUN6
zFTW}e7?N}zG8p>)$&@ceomwRb_4h-s%3R0l@IfsB4KM!BhYN$k&kUDM4g>j2Tfh;H
zC||MCpF=t1Z<znz`CEiJX5i^|7Q4~wJIlIdrgiZnUQ2`dul<j_Y95^J)il#sGm5#i
ztQoR-9queyB{h4mPpVK{oD{p(7OSl{oU+#RLqU&kTa^~QT5E7$eAn?@qppemwR=-d
zy!ezn0`@)|(^tRMxffPuCB=|)YN}M-{hVjr{nYK(L|xt;>lOD;t;3&{XH}UwaPy)c
z8F$#SHy>}Q*9Dx^o2<#69lQG;Z+3qFK~_~|J8;3M>4C4MCgG9zOY@PkTYBQ(s%(fI
zd{4!$4aQdJC#H>uqm_$~U)H-unBT8V;e7}Hxr~4PB?0TMq(oj5kvgBv7d;u021+rs
z>~>!YVoC%_c}jH)HAA%CJk(o_6v27QB#zNAf1z_slYPL`xp4U0`{6HzTHRxB9foKK
z=|qwivI5PV%p3jmP7nG5JGzTZYVLJ3>{VKIPQ==Lex}Dze6uL=aYXm&+YvM2L8+tF
zs^!|6gN^&Ye|^fn`Y=x=;le9-ojNz`nk5t~IjJ?3<L5Nt!aVg9&8`&w^4^oRnyH>o
zd3weAucUs$)B9aCYpBgreWGMPTv9aX`@GP!&MjX@w()N3Hl3Zv{`_<2uV1gVhG4OK
zE`LpARVFIZEsX6+6ISNb={#}WxEtZ>MzTBPz}PQ-v^!!xH)LR*EFX66Vy4Aqs}2J9
z>VO)|qLe8DGO<Vp?i>-6as|I>ZH39bS|!itj*|`F#IXAkVzVyWC6cZ?&Caw%Y;ATj
zsSmx<W4G#vPQ0Xd=~D`S)*HJoN_*>5OzTOK-oHM|o^BGi9-cRKuXCHbu|}X3V<Q%L
z+OV_wP4^rHS9Y1GX<+01-<0jo6)eZN`@K|q-a1$F#_tIhE>tVv)>6}}T5L?W@{#If
z(FotI^;#RVUKO?NXEw`t=e1@}fA+iiY|Tqb{VC6~;fKfP^&WgFxE}MSp5Vdyw<=|Z
z^`YVv*M=MUY8}<$Yp<=lC%SwN=2999+QjF&Q@n3A_zb8_y|z|Q7IB~NDbq+3qFL}<
z8NQzHyE|kMBj)tw@p<lOu_}gnr@X79wXV6`Fq|@9w6bJw<*P?N6qWq?h%bdZ_0T@^
zqHcjl@<m;xZ*z82TXWr>!!pg7rBp&2*6+%F(#dTz!igB{D^8XQvk30Ps<&+?rWfmv
zT>t*A=CRgOp0pL18l{FB!i?dGGC#VJ?%z{^&gou9drk&1v{#~qJS9#DB|XLb58tdL
zC^K$8tJcnuFN3AIlvidk&Yg;kS2-d68-EYK0Lh3TvBFCwkJ5rDLp_!T>&ncV%ZQTs
zZjJ4?N_nlOiq~;d=S;oxE-$v}%j}4oJX&vFH?F!Hv(gbmcS-9+A%dxAXX(qkjyR_E
z!@Y6mTY(4N=F#rYM4j&?$=VIFvC1gN(w7Au&oY&1$)0@GD>c5tI+<>EHp&v1r)=!u
zDB?7hx3$Bew9uR3&TClFvSxLf5V$j-OsILqVff~pJoVkr&*sLO{NFjWN0Nr~*5@XX
z;5d7=v{<Y-%;Qylt8vbHwJ=&~MfkjbNrek#%>Q$?+sk~j_3KguQ-Hv#5(7!V!5kGU
z(c0n87cIJ>i+Zn;B*Ir(&1?O3UvVowrnux3LBwFXSn=YanD5pdDha%gR1D}0lfDZK
zxjhn|%e74qIff?d+k#_<K0V>o+p@{>*Uwj!S#SKE>CpX@w+xo@yLjw_YNv618wXtJ
zADDLK7Gvy!BQgZ|1^&^GUD^auTsyILU1xfCI%63+hz()=MPo8O*a#+#W8!wlRa$hN
ze5sQg-LQdaM|Af#?Pc3|*Tu=k`+Oc!8<@DahpwK*&no+!ot{XH?ZU{@u^OhkPq(0Z
z_8eRNhAl+5v>VPZIM}%vqa(i6&gn2*QkE5X`c3S3HcqzwZeQlw){ev?>8)?Ctz+Jt
zitWE<9X)*J8*qBCp!AKHN#?T83#$}u+yb*E$KU6f95Z0$7L2YCO(b2^joy=cey1mO
z!1L_XpGqRHKBFi1fwSk8!Z4pQlN!xi3M%jJ|Gq~hfiWM?Z!VK8Dy0w6Q<#X?=ym&0
z#chQVhw{b(DKsiRQx|rvOw)X)siwvRBD(rE{MHd))VNve8+FU_6N~ZA(!_~MY4qL!
z$vfvdObHutiCyOv?J^|2MG~(+7a`1$vXV8Wd+RVF^19=NT;n;$np2i^ad#zn0Gqcl
zZ&KZd(cNc#h=PbxJ9h}?kEP=d#-=K*B0Sb7Z!u_QO4apbN}H%X<*{Sq*DZ+lSRK`Q
zb+hQg_CjAulmAf{)9D6|c))S3nmarqt5XG?YU#RFob+9aN4^f9$=yHWg}DrI3wpkn
zAP$Y86FoQV>NxgBb?t03E|B8Qr_awt=iaS1J%Qj#Gh{#6P*=I;gz0`7Cv*5x;*IBu
zzFmKIu!TQfQ{~gPp2gK~RUyO}^V`BUy^eRjy->tAg6$JcFMi|m_co%Q6V~ayn<ZEK
zvml5R`IwSV1)en~L`>r5HIj|<1)Ci`vSV_RZO*tFRQxMrAXbU@*JNX{{_qMePtrDJ
z#Way@z&_~?K_){`9xh#g?Pqk$xa>eNe)A?r`i={neHO9r+~yuH+<xoAZ<d#Zd%PI@
zX}$TZ?8faJizgh{Cwg19u}`;Bnm<0}HHr4&S$>c60>z@{sABJ5+0sLQS*uS(xNu;6
z=9PivGHQTP(yL^m)>T2;MHOFq3_EJPqJo^^ozr;r#ch@!=ehO2>TMpz#P<F85S6c<
z!q=gY-k;O%8QT|xj(KOkCvC9a)1l65?O8&^FCH3FMmj^ZBFs}~DXQXStGh%JeDQl~
zj_)i6?3r5~Qx48lvm9c#_hbvcY>qdf$j+jyrz9lD+@x}N`vdhSbjvXV*gS($mmt7n
z?oKl_GOc>czettzzQ?LQadDbPGeg4q+HJ)*HZ5vPa+vK5vRi&^usS7uw?B)1*Hl)<
zdrzDYp^VNwQAx|B5k<-SYLMe5XAOb0SE8}GyQJ@(HE+@MT{Vr2<>6B9G$HF7B3A5;
zdr!X>8)z+$l$ZYybsS~(YftaDH8Wt$Oml8N(cfDeFZ?wsr!1lnPOvO+?JPgVjLh^4
z)II}+A7Ln>ogA4Nls3m!^48ibYiq^k@Dw_`wlTGWY*b!0CJz3a<32x^sY#UBiyH5v
z4^@+^)n_Z_XRq#2ZE0M-^O5Arix0flsJ~4sYn@SF;8kkOS4+N8xc058liL6JwqR5S
zW5)A1ocat-Eyj!bC8_k%em7&L1?mTWX?lniXlB^o!E)UoxGO0Y=lg4Rn5%Y;bi;yF
zm^;G@M#XLGr|R3IF7EP=6}Q`VSUer*yn19O=eICt;=dl!cA)A=9UDVF$q0Iec>jb{
zq+fHh_t_Qo^AY3IYAJlYB=@COW>(6ZMara|FD%>5<|srY6*K8x?UVkU-mp7tviy*U
zu>duFrDZLDQTx3@yr{F;?oDM=a-WXSUn+b?udiMIp6%pXoLT4ieY4*>m*A&Sjy%?G
ze1S!lRzi}Op!xkVM&~Km0L}*jy-g5E_nhAOJT<R%xf&zmiYEJPKVfUnDyZ&Sq?8hm
zPmpFDqx8i5%PF5(LK<nmH?&I@0b?ct-UQP$Es+FqZDF=Jbbh<b?B&g;^|W>~%8cVa
zEyP<V5JdI7U=d%DU}~L@+sS&c^{7iLE9!n-XB<<x_mF5Nc@R?|L%`t@C;Md!vAaFg
z?AT)AI;ljDW=I|#+8^!I_!3FP`z>u_oM>uf2&i@Xf3JU-C+TKOCor-}tutG%!ZlIv
zsqSkLPt+HmDrEgQiAzVGh)KrLV^SbFZ=5>!h*<Vm`-I7&iH<??4ezhwk(o4`Oj0Rz
zboZ@~+vaD7DbI#mX^A~TAWgk0Gbx#AIn$|NnOJ+VrmAtY=zg$<hEZ*<`SBbzN-37!
zu0%UvF4-X3r!Ph^ijroDG4R;cllnL3td~&Zd!s-qUgNJ}M+=qZ>$#nHh9644EIOCy
zD+!cKh)mT)TlvjNG<mixZ^kl6c64hknB=RSA4%pm@Ni4<o!f*#vu|G^bmndwe`7Z*
z9C!;EY*S)JDHrL@c5<b$3yP0xThQ!w8dv-j#k#gTTc0zCaU!|KGOSwMXVy-ptma{9
z3jetO2OJa5QERi$L`~!z8vXP2@VV7fQ$~aLz_I<q2bzVY?ax!SLz)p#3D>=SE6z~8
zd6tLytLtMjcgjdZr9IO~Fj4CpgNn7pR0k$6_5yzo|9z)GjPzV@Ih*SSt*eg#BQ(aw
z{*KXkY{nL$*Y1+ih8cvVp2~DROQzAnj5wE){&)2v4)>rS?fXSs_irwB&y+bg&+U?<
z8;I#QS%pa|X&TaFQE_GJhYJaq$C3uHVJIcKeE(r|U=c#K*OCb}0NuR@CAcG63>pLx
zwqHd@{jj<vV0RQBKjO?3cq|k*wkst~ge@T(_vRrEF=fMSj!v#pqHJJ5tEHmUP=)Jk
zM^|Z_P6JWuY{!+eRvac3NX<iEez|<lT`g}q>{?rjOFinuWz6-GN+ubRqO6?xMbOYl
zI&#%gzII%3JSlZ=U}0<g6qT4$Zh2;3f&CBi$ze?5x?Ee2IXC+cKen*IZXvQ$(SP_4
zPBxHc_utQbFGj|Uj(l8j(a$w1&?XN3J!D3AhVM_l6o~x~eaZ*Pug8bqx$@uj=-~UJ
zm!et!oXw0LL6Y4sna5&8`0sifO7Q*vH*X)DG<gB@QL#>L_}3y`&iFiyC%708ZdKcj
z24t-P_X)YrYwYqJESf0blPRFBhjku}E0Fp~hlW@>E|7Mu2<oeH7%w)T?3viXfS0)8
zJ2cMz_|aY_e+D?_(};N>FH{*s+^lyQ88K>qC9<ni3gs;9l4N>4PBvBWm+m+x+UExs
zNYH^wOnQ4Z02fzoagDYsnY*wI-;8e0@oGvpJ493bw9N)a`EVf);d8sY)K5qhL)~{O
z$F@pD|6q7I4H&h~Yr<8Df2XZdEl8fJn77aG$sd5<jzT}@uW?zJTlEj7Cn<(0`Txhs
z>gP^=eSbGMmty`@$hu1fFg-g!s~hjUoFIQbmU^(?UwWHX^d8TrMD`~D?OyIfx%}$H
zeWAB5AHTB~0?wV;j+mK`&wNi)S~h0d^zOfi+2!=z`kBb0fPGQtMd&f0<EKmk`@s#C
zNpeuPeD&Py5$+3(4yrj@(JwVFa^t&IpJXBa)_zE+Owa$b-w`8}(Ouo+S7LXHZsaG@
zi@T{b`t9D?Tm5!#&hPYB9RtCPCR?DEf~`o^7IXZdmF%l`B%9uozRK9dj6A@?;7Rjs
znFpTedHtHWXj1K%08jJrg<=$&b=TsvCbu~?yRkP#5B9#<EHeqdnzqc|fRaZYfV19p
z*Nlk<UtOd;9Xfb^#o=ksb5SkhH@2jhY=(;0(J~GI(!6YKd8JqU6IOA@l^0)7M+}e8
zR$v_+o%kc@X%5CQk>fh8=yuPD7?G6Eh8&-H6VG!IryE(U%CR4zmYV3DA;Lq+x7=Vo
zB$nBiJB51mV{V+xtI(59robeK)5aTd!BGv6>0Ud26I%LG7}r;SJyXi4H&dFs&V6Ao
zje`QGzv}l6U+4w%`I(HCsnb2tIq6^=>+Si^Ti?B>J`EKc=oM}NoJ@g<=>mMynAKyb
zOeTjzY&lwPF1y<-27s1rM3~}igema2(zW!5-<80zH+H$#nr;@|7|c~B7QO#@M6CA!
z2!*5?``zWCL<vv(U>vk&rv!q8L+O}18J3ki-MG@%PTGiNZ(=mwZo@9pFMVcmpW@O@
zm8QdG?zs+xDConN0XUNgB}4H2l-6&k>7hqaQBO`!j=D=tYQ7TZR5|pFrQ!9Y3Mv3Z
zF9>D)avzXS-4^QE7ehNbhOf<MC+l69n|*<&x<WR+^zps`ixY=SO}c?KNWx*wej=X~
z*<8qiK{MyblN)aSU^8r@Inexs^=DUdH}_L0+41MA`m4emrc5?O3O&}wuK3Qzh~^nq
zT6W#SrgAAaYy1hbe$U8)ktie7Jm5fatj4)~zH=~No%4$QSCZNt4<A5Tb753w+V2e2
zgAU$g1stj}&3lL9A$3tl9A_B|1JsS284{j1ewju`GGoK2>U@!vh&d&ir)}MRxEBBm
zOfM5QP$DoParT$c%k)jjH@I>d3bO)?`ycHR0J<WHo<2v#SEA(bk({*w;6*Jv;m$J;
z$&1)t{nbam*Hgj?>CT-hw=MxdHVf+?c_1Pszd!Y%4mbGN+^T)5@xJ#^lOgAgs=L>X
zV6TR>_hrfQBc<D6%yWU;AxYc@e68+1cpKwkK`Y%RxNl+)CvuhJ)Bvdut>5a1romcZ
zlJe31w)^vm*7BVn2lu;H2IQ=Y3A=F{DR1=LKf*VBfHlyYCEMJ5r$g{qSmEWs)t0!W
z;_{|fdxABm?c`dxr|6&2-J4b7)}d}ZS3oX6HBn+D{0*oEHDJgLfH9033y*Kniy*>K
z@W7ppIOlXQ?%Yh{6pE#nx*SZkSX7vKV~t3s<uVD1*8QCX>V8bNZjb|;)7Tp!uT{gP
z;nL?VjgKAj?tQO!JKlG_f)(aK$Y)r>&|<3*fv|?jm-Ox&?{D6CW2>|Dt*S7I@0Kx#
zW;$2kej5`?_WeA`$18T4O!(u}pIJQ?`>*;dTqB*f*L1}Fc}B}n4`uy1N_5K;k}}T7
zpUtPc{8=9?{m^yQUEbvi7vkW_Xl=Mnw*+Hes+J4JFpI^e3R}S+SqJEvv_P@j@rH_$
z)bEthuRCodSM(BPoIATvq=hy^eLM^}!N4sbLkTZ^K_-2<VZ6q<cpKSVdwrSG#e46(
z*UR=~_op#y9;EOXz4#&NwQAd5<M{2yhsOOMQA+e8$o4ruRb`{adK$&wr0oj9Qs{^L
zTT=V#oY&m(4<Np+K8}jQXS0*DgSAm07Ds!f%lQySsK^5_o8A)b75krnnA02}ncZ9X
zoF!|XFI?lwRhEEFNc-}^%1HUT-~L99&OCQ{!;2p^_rBY=LrBy3;17%{++F5mNB8{M
zS6wZd%~sPV9jdCMxSmI060$efVB3~8_-@xjdiXhb_WSp*@9uNG8RN+i8Ad)tQGLht
zIaOMG*nE0e{DZJVV*jvtcugCY<p>~e54Vw8*V&tlfhQ~GF=Bl&HIsho`9;QWU#;|J
zNM=Ud!n-vKEC1$*8?4A%6*R3?nwdxSB+j0WL$8uw;~XppNeq?UGWj42b*jYJ+`;`<
z;;CnW@uTC;c?qgyBJW*K*jnkwGwstzrIl1&%6~jf)W#}t{E*bb8YgwZW&IhZk`eVL
z5L0q7lb<`MuL$7OE|5$Q+Ej3$H-;P>?yhvnX?(WuFnDXPC;CvZUO8xmo~3dGS7~!z
zyV6qeZIn;#Lr<U8%FeGGN(Z<ujS$UEWAdi!MI)Mz=lHvXD}k1s3m0LUy>cK+yU}6s
zL0U?9;}x?-qZ05$H}5YGoSyaKey7xLY<rl8DdmToX-4f&pQ*+p&|w@BhELUDVpslU
z=02eEE_F05bQ$W~R;aj(SfK;C%J}m=Psm(w$SE(kVPcOo61^mE$PC6diwjPCtyI4_
znS0kV=tyy9?EQ;N6Ov4igX#v5r54CnJ1vd*tFbekZ@$1~W<@(sg|xA#X;)U{T5#(#
z)V+z?nPGiilj@sC24$uRz$BP?4!Sf;-y66VBzd0Y<_PZmBhm`nuk`)CiY*!FxTyvm
zhh(+;jaX9r7+;7|ABvbq%sZu1b&upxy4ALQMt>i+L?Y#k88!KywCgGF%2QsH6i{-T
z*!U_Q0816}1gAF~6>6eSCF2E%IRq9z0lPhItW-#%tEEa<Yl1b><jZKb@Cd8_&~M1K
zsY!Z;ta~JvUrGOQO?1CiC0^)he~v=Pk+wh9&QHO^&h)$T=<emXsaAn!C%^qUl=(;K
zAKY4PqC|VvH|OPnyJ)hqLrgN?3VGjiw+G9gj&0c1mSxB(ZPcONz~(YbT+*J{zOifR
zNTx+&u=vKaV`4&&MM{3N5-$O*U%c50HBRFqSBTfvd~W>ki0Bn2_LpArDf!fLi0<Pu
zeO<$LjkK5Uiha_QNrdO5>cKGa@n&@aZYG!W=499G?qbYi&siSU9mD?Dz#Vx`HOS_4
z%C;#p`LiKBW5dy}cLAT4%{crHVWICle~PoFjwV|`jc&CoX*x$;Iqmn}_M|-Uq}Xlg
zDZjbdcg5fjN`|3%3VG$Eqmk2f^=9L_k{KH=g6*6^MIt^+0*CD(N_|1W7?g6BW7zn;
zBs(`B@BLVGmy*<#kfE5Wtzp971sXD&awq(PR-iA+SowQvyTvCHIpxddO%EoC1baJB
z@LN+?XvJKz5f-adBdohic)FAHch`>>9sc=vShe2--pk`)@cH!>F5P}BrG%T>_n}m~
z6?GDKzDHbxju9i(r2Wk~ec{}gnZxjpRt(stb@OQJL?Mj9VcWEVDaAG1H(zF#nMaG=
zez@QndcTx(qn|5$AN6LOv6(!zZI58%=d@<{!S+ITs-V@)1+6$47Ry?8O&sSq%{@or
z43Si4sXFrQrBrj}LLsug9Y|c%*K%TEea9KFdnCSz;GVpyH2N&ansT<)Gmdlew&wZY
z5<vWS67t;RZ(UQb{moEQeLM82cF_Iv_#Q5Sr3;HpvM<XU_nv8F$w*J*7^HT8;WIXu
zwsJSV7ZHI51k=m5a6(=8VV?&=A!gZO4xi{<O!}WYHx<3uS-UsWpwwf%;^bkmY3kK8
zWVM+ruJK&ty7V%|Nb`bev-qu&dsbIjPn`v&bE!W1y>4;GtC%Ls^<1lKl@unK@6B*v
z>wG)yB*9;FHsTYq05SdLFjni)^hz3YI19@dJetdAt1e74VjiNe=qt$rLm#F!FrLy3
zVDe{1M~M6EjLkf4Q()hSi?T7aYNa=I_EG!Fne~9o#UXovn2J`v2_bV&<XZfrqUakf
zcqUXe_!+%eEE1-G3I2NWl|Bq>g6Aq{DA#hGQFQ3cqgGs0lqk#UzE0=&^SHJ51l(HR
zOV(~whS0b_p`L5?d=&95l}U=M3^ok=jJ2HdUb2Ci4)J>HV}H{rA2Z2-$R}?6wdFz?
zBym_yw)cI`j!*jJZ8u5iT-w{5TsTo<wa!ybml%KG4;vECTx?f8Y3}%XK?-NFe@Qc+
ze=kn<wDwu}j;B=WzQuB6uV4WArnUe<=0@N{Nt&HA6eX3ASX7X;(oV~{8g8X4B$_3c
zKg5Z()3CbjOmFfyOqBg_U`eVe0Q?^3cTc7Pi^K;P+ph{}TmwEc=U=kU2R<FQhb}Qj
zhA`3BKKB1^HtWmyn_L;KIAOP2THsaNlckN^=m-e((M&uH8wz1Kb1mBs&;K^;3-;!i
zzRm6<PDc5Yg^@ue)a4fI7-OIFamBB(x9TpE49md|WK)JlF+_3zex$W#nj-7<D4BQG
z?lxsFa#H?a5wW$==#v|DmE>hCj~S;EEPXgdxwbXz%f5SNT#hN%dBeQCsmb+w_$8FC
zvZ;Bh1P10Y|BUx}{;#bf@&e7}Ij^%0LQ~{~q|liK73HSMeC;hCM-{oR_IQ1aXIU=8
zZ3vEU4M53%56J253%FKlBlt_ZbtfXTpr7(b8K;l<G%4N({1A^O)r0xnClr2Xk|O{s
z&eA^c{(<$uE+j!C7&V+$W|Q<4!&o^1Cx`R4_auXY^5+*BTAt|r;SSWvTXff4qJ$_f
z&z=TEuL|14y?esEHP1P3RDa<zAIQ{)K{|pg2>u<-LYtU5WLGoXk1iB}+w&N9bRDTo
z5ZMMk-g|`}Hfgq|=%5PnH?u0L0((&_@bJkY+eOw)M>?Q)YOd=JX#e9Ha5K@uWPI*Q
z{YPy$Dg?<pKQDNZ^N$Q6kpdjO(c^>tPdFb9M+=)2xvr>yTpYQ+5B#X<v`vD4*Q+1|
zZo}!><M714QoGy+0Pj}eS(<;>v!DZYef+X)j1R+qUV!t2?0<=n;AuSV#fLT>!vFCk
zB5-cC-6dMJf4Y1td3HZeU$o6%4L?4}372gtU&PhbwYrFlFoqtzfuVcOO|eYwDTNS*
zLIhE=_L=#%AFk1MyQ$JlEu$6Di%2$i_AM$JLW>k2kCXtx#a_NQG0MlG4orlTRq?m}
zwegzng6q$FbYjP<XWvpdVoDwSd~yS7GYhTlXOl}K4@cB+NNMm#bV<Y-I0)x<7vBa^
zM{4XuPHM`BHuV7Q;mDooRZq03^(amkvpj#=cz9_<!R7Lg!uef_EIccDtswWE9Gfos
zf1}qT1W)+X?i{WBzbDM$l*=KO)}2@Rcl?w^E~iFAx1Z#{>5_)&SWFXA{%^PmV7RTH
zg@peb61hbfLWRC0@qfb~WR0u6$oqxja_B!U3Vwk+lV3qk!oOo4WWLi1vRVF{Z$FsN
zeqrm_|K^JZ=BxWM7U8DiG-#A=Gw-p?BWSe#{JiN1SPR7I+Du)~t`zf_)(V(a`xKi^
zHTmm3DAq4!1J2$|7D|wW&{)<dAV=3{WbxgSC<4}r$Gl0(?3-6)OOy^s)Xq4%cC5(q
zGK_`mSzd>-mO|WjEAMb;aX?{tsMuz8HaQEAVPq&x#OawU<25q*scI(^@%wuvnwHPk
zyMYMp(Eqzc^jTrF45NO2Oi(yS$@5YM)as<mc7xPMzT5N3p|LB=sb7+LjBY^r&F1}U
zA^{VJXpybscLJ+2n@w-}ARxF;>EcxysRCE?9Y!m1?sPxBu9kd>{RyX*$RJ=;V=w~n
zgQXz_7Kqx>-kSCP#!SeA=@>b2i58P!D_pK|lT05yPP6;zpyGW3j`eG~x%u9&@5Q}#
z-|OF+Hu&gBc&)ya5SK6y_{&kDfahbPE{xA#{#x|Jt+cJNOcp>op3&)~P{>9sov3Cq
zPVgS3fPHV$#V3di!Q2b5`^F@yC&sFNrt$ZrZrK@PfT-$|;l{)!0KikG0!YIe$dk#}
z9#QYWqR}Tc;3~(sh?_3yt%=BWCx^Sb3;f1!R34oHe)<X8id(lZy(9vXl&gE5AZy|U
z@}q9=P=B|4V}IIG%DCJQYEQ5-8dJ|e?gY3P&NW~(VHBJbcs*6`S)8YtVLTad<fNK>
zDf#A0?W=x!s}}(cCIQEz0*DjqfYsu%d9gmPxe@Iq2)x^AoU4-HJJ_P7m+(*l%)~)*
zW*bVxAc6ZqhW4is2VT5fEp8rxK}XMsWbpC9wmJaz38K3n<6E6%DI~2rWA*r4Y6laV
zWrIiN&I7;U#3&nJ+M6!UYAE%x4H)7ie5QLl7+B{PZFj*~;9BFqO*FBEd%9JEm@k0a
z@MW0v|9#7P1=MUVL>IL=pRfjiNgdc4MQ@D@H@NUwAQA-&kWEL*M7!jsU73HUp2WpM
zG9!15vHFE>5E=`=Np*>7qu<beOMaZ*k>SDFdf?f3slCerE1TA7R`(K!%^j|d@xA7m
zh7WK}K;6nN!2I#!2iQpXI(R+D_*lOPI6HoOt@ub<dG9v%=T(RU7l0jRBJJ6`gkm)=
z>16`3MeYsD&(ta=sBoWUHG3>2()v#Un<9W=R&y`o6|)3Y>ZMdL&KSpw0!@o(_7d~_
zeUN;M75yWKnVy1wpm+(hcDphr2<wqp_|Xz8DL_(oiX)ZyyGRsHV3x~?Ls>sh4j$Su
zWUlpCx`E{Jo2ABjh(-r{;%4!dV4#fmFVnXwMBAreE783YDi(OSR2X81S#oGzX&GkB
z8~5;Zs~tm;XIX(}kt>^?=Y5-qJVeQ#;H`N=%BuA8MCCYVR5?Vb8`4@ND)<hc^ds6w
zgD-A&#Iq>;1U^CtTt{3+)2o)1YD_hsmm*F_>#8%qpf)a9ROVz>Exf(6F#I-its%2y
zghTU9B&#21^`#XE>h#|t2-t-$z%|Jr4koo!86J@cL`naWvG|idB}pUG##g|f!fyEa
zGl?GtkP>7({q92Mk+ASrhE7g2%WM|QiIC_@;)Ef{x&y9}n{n<jA}&vz%`q~!fA5vz
z@p8h|*^xg|d;aiUCSaS63o0L|H%p3$I08QMi#es#ADh_I3oYV)>Q``LDlee(ZW;P!
zT~Iv7{Y>RKlDk?sAu4NKmXgDG!8m3G8j8lB|Gfvn-pfI7j7|_^K0(TCtL=~d%!>_z
zmR0e<d<A*-#|Q>Nd}PQ-;PFD`s;G}hvOkU&mfBu~t??dC#}l@EOwHONen9QuqMw4I
z*94_t1N-i72y6c<J?`1Mz1ECRUy;ylaUJ5eLp6TsW3pg~et1-qig+?nkZ5u7;nIc`
zLb~tB;L>mBY=KS>;)gGr-=Y2+*5xpWV2OCkvA#a{F9}RXL13mzqmF5Ioeejwbzv!a
zORP*Y^HI2jBvl-V+}9$ZijdD{y#+<RKg!u;ywXZpTTvEr=j*_;0MA}9VclfR33wD$
z7Y(+VBB3&~M%tu|%tvhrg*G%3FyhSUl4RNa<CQ~X6$ilNZGE6J|ESL2$OeWcRpz%x
zGZ5w9DTm(fGX-Hz{0>AoV6(&7k||=Pp4=hP;y^AC1$ux<9*evk_B~Q=FlRMv_e#D7
zQ<}K@e00JI1o^MHhd^>DnF2kIgzi5YI(W_yD?@=snk9XfnClA)UgMiWcYC;Qz4J;2
zXIPOH4iSAk1S+*^$8UMS$O?h4<vg*L+;EAJ^<sa{4KUzb)Xola&9tE*S%ii62_)=-
z-Y}dO;9^U>sLO#U$N*73S6I!w54+S1Ola{jkoG(;mF0c!jaOf{A1MQy$DITaNxFbn
z{4nSCNLDgNzV0fLU`3!9sPV=06ApYIiidE)zCRO`5#ji$mdruB$!j0iMG9b8)xi*u
z+kh_7nkjw%4v;}x0AJMsyz+r2kPIx7dahDTo>`-xy(ZIz<H`H$MYCe-um#<g2H6qc
z-|Bdc)^OP^Zk5?$f^_$}uJd+-d5_*WPnkIZOJ;(Iyi@+aGsvuQB_)VeYP{FYzE#|Q
z*pnqY<($c>nXc_6^LxU*i!o1`v7U9dTl1FppX3(w9qN#^$q>dp1vFv?i9Dq_F;vd+
zYE|FYk0Y#hE$<#;6Ou*0fRs?I)B%3NsLh?)nyCO2u!*rlV2_6<Ij3|ck?mMQ{t<Wz
zsnh*gxBZRV{vTI<Bl42VoRvTNR(rz{P|!mkWdcu+-N3}?yIfRwlM^!|a-z<?8}fAH
zd_L<y9T&J&egsKDa^&$p+DnEEw#>F{DBz{}?6T?*{=(?Y6CrE0i-r~1*|~45yD4)g
zCy@O|h;h*>_gST`dh~pyPnpZid!_st#?Hlkq>v`HnGB*EHxJrhjt6m}F7T|09@5Zt
zycWgsze&h^U18c2{Dfg3)@ZN$oj@#2Cu7@gg<_)U)@Y<B4)r5WF!Ef|FL}9~7QeR8
zmu2vUXkJQ?FgT%!sCDdMtDC=jy7l4i($h1gci9SWEI*v{1^zo9T#-V4JGMh<uNyWm
z$3yM?2`mm;Lh>tjf=qhA*~JdjdA^&Il}DVGscHJNl<<5KRg`pJtkbr<NVGO4UaEH|
zE>rQ`?!w|gZurWiIb%~-%S-a&jnC+e7}4@N{5~8a&XXnA{6N%0lmgbGa;brtR?`OY
z7R~Ltc`MBcB~E<DfvX3nN9$NCm(A|4UE$PE_JnA>fe4&fk8kBNhr8H_0*850G26+&
zRQq)k6C#EZVn;N-De8adG1r?V?q2XrVZ^f|l7Y|5gZ4OV{`2!<oeN6gi<i@7{Ea_{
zAtdUQ-EwNVPz4uBM)>AzCwDnI<^1l-h}OoKVSC~A=lXSff{!~TLXcYh`#bNG`ELc+
z>GYU<BrG_G@evNC9&%=OhNec4Vyt0dh1*<LwsWJ$1>)gHD9d07WLHb0N%`k*OJgd%
zHDn;x(M;jXcmUbWK9o2`YNF22x?BM=*;iX<u*gYtt%%OAj+7X&LIO{g^4(H_beIq6
zRLEsou6*fp0*v5gG!$+W*st*U8?u!)^<LdfpfZ1;lN_A9j~JL}=dAdcxX(x*%sonw
z+`1Nl&38!2Ypk+9**MhcsLSIt`wP>@xBuWaEIJpN;5%iZ9O4Wu7JxVH&(~(m>oEj<
zPtbGedK-G>T<si*126Rp<(7*hx;wb9f69SK&4kNdz=9q@+Cq!3Q6m6>SS$-3@W82u
zHc?Ir!!SEyXrBNANiPHv?*O{0a8iyS#W>`D*euRN$S;0_T6006M?Qe`$e=@|9|Eb1
z2C_`At@7}D3>5R04>cj?pUV6ZTvo00s)?hzT+}g0Mvgi-J$+W0nZa<z0dj`3)v!Ph
zYL#QFB^Z#rZy(%Z`T^Wxp+?YwS_#98!gt!R(eJI_Rc-140f#@~dRpCyXOQG_TL5bH
z(w5H^e#WmMR1AWDA42)>6$y|(jg*_GKu%Ccw94X#Z9(Bi0B#JU;TKsF%Db0np~c00
zSoV|TZFu<Ehf4lnYcBuJr^MwCGQ*tL@u9wwzZz6_q^*62QBaYYB&DW&WL^oALVpBy
zojHJu!pTDeh>y0ZtwQkK7uTQ`W8dHzZbE@yku8dfe^2s7T(Gy|w;FUialCeF^!i^`
zC9Ou^^T=Bq0#hKyf+nctcee+|Aqe$e1J1tN(leQcn#L|1m8^0y;wE#Ug<9Z?ankN1
zYV^nc?b=n$P+_t`uHr;z)M7_}EM1NyuVO&9CXHdXS#x;WtGrX!V0&9WgPdCMJS&;_
zJe>GaMTiMb)Q0axJmcDqGQu!kwW37h)`Y24g>hCF!H;>(jUIUd$!gVJW(`uJ3p3mq
zlP+2BF&}!Q^xt_5gHgN0dsPytM-cQ*0CRUcsEg-6JbDR^_3iM+{^TE6C%2&zAjZ6T
z_pgdBhoO()Q8o2`BKXb72Nx5n3F>Si^?%0|=ir`t#vxuXjmSri8t`WuS~4<a$Z?P!
z9G4D~z4?!CcrOQIhW)Z9@gE*7fl%U{{4|>ZS)}kG!3I1kAZPs)4rW+fW;+P$TxR5b
zglx*#rnTX@BSd(Lt(`Ey1elCa_`<Kj6f#)jY<_+U>LFDSUq-YNE-13)%zi|qta}TE
zVCc60`jQ0-ia3L6h6|Ywwp7102R1Wk<j1gC{0DYf(7iEq3p5e{`n}Qua}LV+!<QrA
zJW~KfP5}J7n~swZ+7B$XJ}AM(Pe$jDz;j$(nH-+@KRlom?*AzeUF}%{Vdx@c!9>KJ
z9gK<NK{k8zF@ZHv*hUjT#JfAa=|&tHso8^997nZ5lH~xCS|Z|?Su!X$;|1q*3X~G+
zV6@JMq$c!W-{q>zhEg^?!*pqjAS!8%R|_l@Cr7_i9vp0`Ld!rNuuZQab$e>A442M<
z);b6U+R&$ggTuo;n}^MA$KMuW;>x!G*Z()cv8k;6;0>8Gj<|m-5UL$=eIk-c7~7&P
z=Ke_xrO$|z3i{=__BycSbUhEMbJY-S_&s^QYd7$4$IchzR_m4^bcns@m&V=}^MDuG
z<mo+E*vh}tI3<WaVlo6nbpo(aFVDO=VEGsvRu?z3gl%FQb_Uh&`C`ADEvFCM%b^!$
z@^Cy31L5jWvd4;zgcKG-q{UqpHj*qfr5fteXR<EE5fX14Ml`2MTX5WWxV!;MW0VJ#
z2NhvNuR<8V1o{5y|5RCYwLc=a1_BZCgx%FsT#`oPxAq5JgOTRdj%j^Tx2J#$Pac^D
zxkJctR3MluLSmo0Gs}OB=rc|xK_EIK-s47Dc_~UfjEk%~xPS1C7Bf^JHwrXpYA|Vp
z?zoH-f9Qo;E*YP`%;V>}*0iT@*tzpJo`VH01tbStO5$b2YdQBmg02w+O$lRvDt@yG
zr>O=^Z}E_3sg<uqtipGDw9O*Cr~D1R9nM5BAtLc-BX&QN@o8jKmO`#DHLkDI>Cze=
zM_!>MU?U-fVX@V=Nn<0qijlg`r}N^PHv9hySI5=7ai!V=AaQM)?z$|ba2seQa-PLi
zZ2(rae}?9}6y^a~&Qf8t9=ro}o-0quPQU@eWe^BPprMAq?DLy{SBUra{B^yCdGbi!
zmpC6}NN#A5^I>>=kBH*gW=F>%u?5?%afU3EC&9J~9|dh>?Z0wekqv|z^U7fplt?^g
z4Teyy723!2VilY#(8?;K{P{UuTo<u>#vXLL0|Zy202eh61XP1BI4)IIbm;hGt^~io
zu$J6<r%%Kv^|D&}Y`?12T>Nx(n}@aEpLfq=7Dp|5NnRBqh}yHBC=|UCntT8MMM#Tc
z?gbM;k;NEV@u@+HVUB+HY<9C$r5tJ0p*FU}IWC;2jf$B5QWH_%wYMX8pcJrY>Z5P@
zA?4hfMR?k^X_Hmsh7prHilg>;N&Y%>n!1*8n1l`foGAE95o0a^qtvLp{s4s}+4S3=
z%|jLcQ0~4~#!l|kgYB5ri8@`gz?0oP8_IC{hPwTkjDGjMhRpY98ActfEu{WZY|#*1
zEAY`v$Pw$qnq}GRC#?5PuB5O==l4s#pfSQDi@c8Evrk+=u}b-7bk+z9mccz(1}@}x
zPh(jHpjV(~p|ef8yDyO1BJ`w#&N;p_upBRtO17PGgbWie^f{VyIlk!a`E@Z2{^nz$
zk^5q0dTqKa&h9()Y&}B}%Lix@S^-ajL^0?G{&TwFvZ6OKmxF2JHcyz*la@e;<i6~G
zf;<Y(Heun()&*SYj;I&?o%>iV%fN75i$znEaVs$zJcDnZb%vPyiRU616bBVK)*X0A
z3Pg*HKr#<=5sGU|mHp%P6Nvs<6n;`ENH!p2mP^n=BO#8+fJC?&X@sN`9`gRUcQMx3
zCHFl5VB~gZ<-?7{Qqjz6x`%d&?pZv)8AIGtsj4ub0SW1d6gT4I(S6*w6I}7O9}uCt
z%Wl1618d0B5)$Q|r;e1gib#%W!kf;|JvMxZK3TH?T><J~4*dzvp(Z-s$I4tgI-z|p
z{$|J3>&(Dr4nnhv9$xWd>9EPk5$e)E*p)0&2r@57@=53QDeeO?!B0Z@7fV|NVx(r(
zyc*SATnqHC{O2&FWVX<&EbKR#{*jG`j0qHI%od833u~Uewbh3Be^O~M7YWj#<2coH
z3;3f6HGXhz@qowobR$CcBNza_$13_o$TQjf;EDT_IU(#L^o>vTRY0mghLGl`tzi@A
z4^eR*s4$tqb|c2W`PT~fjs1|?#^(7F=AHE1-$N47f1iLE_As~*vq_Dx{-yE_MJVc{
z2xk8)4Tyv3MDKlsBzv4!(ZO=A@yb}R{-4=b!OerBoR_E#L-4_WmYoK^6qYwANUon=
zmcJy<Q=&MO;}Rr9e!^&E3vj_de|~zh{Lthb^A5O$ldEj{#$Hkmi|)c44U68m2CTm=
z2koDlBbXerVgv<`p|(GgF@4&`fVle!ZV<PhA4w4n8|hB~PZAF}VB_Ihs%v9!5x-o>
z4nh|?cPcyrTZcA77<3k?R$6{QW#BTzn}fnQRBHV%r4}prRG9()&kllYBA7;s%$u85
zzrPc0wURJDS^KPSZv7)2Y+U$eG|#2)dm(N$1RRGGGnFk9tYcFz_Sd>vc@i8oZS5Gu
zA(kj06!YQU2#cLj%HDkOe_LodENHGUhUqQ&#H80+R4Cs2?=0#BA0ZiZYr?(n6Zl~6
zoE{$tc`RzPn<1V6j_c33THC>CSCtQG|Bs;zaL|x1*uZqRzv5HzB|*m3x=t$RLd9d4
zjoJa=3kdrB(nxvMrSU02=PM%P=Ul@}C%dGebqVQs6S8PQ3oZq6Lr=t~`wM-_s2>lI
z!Jd}DAh7Z`?j(w<cRT4W@{X`wjzm^fqEa?|H&M_^X}6VLTInrtH_5QdX=#1~Gas`G
z*_<Dm_jE8aq35i~wC?rJ+PFdf+2Kk#)?~1Z{~>N{j&22L@K;_Vsdd`59LSMs34L&-
zBNiczbTOS${1)<Af%mc=i}3_>A{sH(I%2Dvo;?D+Rtn>fU;8IND(r{eDPwJKRP?;V
z(5txw-Q(}=!>j?C!!bGiCN)mBG{}--dyHnf?vlI?M8@ZCtDA&WRpN;IZB5<-8WQYf
z^7gdS#aP6Mb<yUvi*B%g0<i)C?7$o6R#(RLA&ev#2yYZ>GNcJwg_oGt-H4f=*~$XP
zVOPhLpu70IlT&fC(2Np45IqN%k-oq2CSRO;zNkQ7jt+fy8vSqcPc}>bt7+x0p+OtX
zaD8)-xI^gsF#PU%&y|V9_xW)Hvey{jI}uS=${sG}s@(+cW2JhT-tq`)fw#CMbIzj`
zR{>b&Uuy=a*|i23yP10&1g#9onmR5klksybzxC$9?D(T@d8U`&pe!9BoCVjwfcKRG
zTWA=6>3HrDR!q|}y2;yH;W?Dwrz0m{5Gqvtsq)EC;Cf;Oa#%lVi#c=y0|Cj*J*ni)
z(6<%MBy09-s=1tU{&tzP|KZMHgRlD>FE!B6(^8R_=KGYP9rL-UvwqY}JpZ8OCX?yj
z=$<!E&fy_9`S!M<RnRVOh3Dpv4@x-L3``o<!2jLi{rDU}{wvO|?GzjN>H_GItZX~k
z(I=wt<E|lcLQK!W0^}_p0slubq3WRW8+_;Oyc;aZ*a;GS@%*y6&kWW9P(?|SjNIe@
z6ZXd9_n`r&gvat%Ro?J685E_fVMDl6U?<tDSIt7MIOvpzt@<T9ozFt;hh7!&41C&$
zMzx{uC`0!OAW^I?wV7w)eS4fT+^{$1AY|Dd8LAPtyb0vA4ym5-dlRww7)THtAS4hu
zU+ww6iSpqUZ+gUP+}duc<wDij(&wcz2KC>>X~c)Hfphw{{IQF<Lx((nk`;{e1q8~V
zf8+ra{RdsWP=qd{T*b_}zt|@<8Eu$KV1u-_0sHUYRayp6i}l_f+ppdJW`RmzbD35Q
z&{qD*Yqo%IltuZumH#546~Jbd0az8Mf4?2e0igc>#>x9F>4wc1hJg^?$4M)?S9F|k
zhI6oW7a7JXN+<!D3FB>qiS#;-xC}ooJ8~Jcp8R_oHWF(nE4W0_qW&d{U>9I&BcAYW
z|6yHWGPwYgD%YVKO8v<&Xn3JdAYZ3@r2X}2LmiL?$6bUiKmKJB=5%<FnY`|X|Bk!h
zSmz$vzmy3$4;XP`&Rg@>|2(%Gh7LSwoEv6^&%exs3-r3b*piU*zhlV0kaOvRKKzx{
z;^oAkHfU2#@%`^O38@t((0DRYt8&@UJQ`w<`)jna?ehfKfM4zd0*mw==Oy)qX?cOT
z$n}nS(orQ^)Bh6@UD?$723WV27{JhkILNo9@DNY(V=8{W^@i<OB$Pr>nN4e7IR#I4
z9?-#v_x+;L>%3?NN&OAJT`+=lL8uuLAMFFl1)}B1$6Vm;5WBrq79EVYDhQZbw6dAk
zF*b1>Cu#-F(lb~A1~N<g?ZhiH`d-TnIJ5&&U5l)w_YpZ~-v2@3Ks@4?ohMBJvgK}#
z0<cAz%tSzk+ABA$y8xEQrvP6$46(@}ZvNFDISVcX2jR;71g4lt+gOrq3@oFFJco#t
zJ!{ati<q-R#C-#A1BH#CoU4aGgsaYVB@ex1U_Agf>m!7?uZsbYc?Y3j7Wdi628m2h
zzs&R^xOd}0?mFns?1bS8LC6FQ$|s3IvKS=3g)!FzpEdh#7nGd1Y5wO0px`q#ber$F
z2uWU_bq7e?BLx;<YEr;3UZ3A8qjU%`<_X2c8@Ljr)ZeT^&A}=7?Ty_N5R^@gs~wlT
z7?Ej71PL?ia)8ux6a`2#fCAkJNNc}B5BMK~6qsyb8So6)H+?r(91s+Pu3QrY%BoE^
z_zqn<f%*7kVD6u<zd2H*tDNb#e3AVS)a)1i?{sE~@Ys-AbcrBMA)4If#m8J#mMt(5
zP)53eA`znneEA%NZK|*12DZ?^PA~JoaGJE%dp#4O*g?3sc&pw+r?AC8?)))~-V*{E
zAr)W%es1^4rhsS(gt6iS>uy-&!Pk)57=u=e1^s$U(S^9f+kA{=etkg$eo(krgDRdG
z5$zv6AvhH~wC!@BFbYCNsf<eKw(B^f(iSe%DhBR*DxC;<VvKQ7;W>jlYw#$`^qmA{
z?q6Wcvax#qp$zk0f&v$mlw=MJ#G8|^t)nJAj}RjC7;N)Orq3?hwX1$%RQgbR6@!ww
zg|rciHke~HF6fKmWB{*x6ztmv&;fIFq0NVE<0=|=XJvgRt2R>*HEdXmivS8uUWwaA
zGvKm$IM6HyExZ?wmy<^U6_C%!o31Uv$Qhi6JYN`NUyLdSShf?PVme|NSn*v+MYXHp
zXdvvT8!V=vFTyN%Y~g6Pem~0Ta0fa}KV!BPA>88Zh)N*X1W5y~SR2rMGiZqdCQrGt
z#_)MRJ;a1{h$oYE0#8w7Y;u)aB&5h%Hw=PZixDG7zN#K%={!}PJI6-CjRe%e!4jKM
zT<z7i@TW8oFGAsaGANQXEa2gM36T?%;lx+G3hx}1<)Rwb2nt(apZ>40H-Q7KateBM
z^P;SMk$5=`v2T)-mXSHQoiu1v7|#EHMtLFE1gci>;tr7idgY`aim&PBsjvV;{{&g6
z(C%iD?3KfC#*S2>G%^or4H#LKqT@@9s?<Q!x&tnSSJ&4k>SnL-vLexzSs$-GuRpgE
zSac4MAd+C&cR@{o`e6>1b?D#qDKW#ZE*2fD0Q1;?1@_wNpGRgR!NU;b-Vt~E86Sd$
z--Q@@5f>Q}0MDJj#Kz>mlhEpqL<o??K4nV3qZNmS52KyPO{moeVT9%gxu9KK1DYo?
zyjMpBuTFyDwFzADnp;0Vu_7(p(KNzJmu|jfh7I);sE-jYtMO{5R}Z0I<bMdE?mr(6
zECV%@Oo(-kA|A4J7ZgCz?w{$P%8v)X^~(V#sPb<rD>3~xP|B{xHsLp4C3`gjJt607
zko^V&G6#x7J?*_I*e5AS9|7{d39wJNNQN_*dzKkizR<{!(96fMc|$CLFY&d+NcV1U
zdXe|RpJY_c89%sp1y=`a`n@xFI>;W}!Mhq#0hm}G2^4RMSu$h;n-G8nKZOmtWNvf@
z9&al9&ZpV10lL^4wTc5@h`~?j0}1JEfi~f!c(7jFf;__suhOWJg2HgCQ1(Q%?pXq{
z1Qi5igC)VRpx^1a<gU;&Q3tXH!W$q>EF>3kZJ`DJyM4?SY}OYjXP^RKLlZgDD!puI
zk+)JFE$5^d99$3<bZBV+rES)3h%%N_kS6)H0LW1Q)2Kd-m%hKS1+TSGgPd`vKl|z+
zxN5Gv8nM$%7n`Z-1w%m!*wML8k=6%5E!4!dS5I2XU>QnqmrsGAIuW{W%R5V`@tn^~
zJg#kK%236I&^3BNE=TmOH*k(gsVtZNDRW5Mk!f?lEj&J@S$OY3GQ3_y6^ObyxVgTK
zRo*06?9)JerLAM#f)<l132f)!$<Aj%@GJ3^)>AJ8S;&?2-<Ep`2!r;PWjkJua*JR(
zPOFj`QqgYC%Yw`J?bZeGJt+T`oB?uNypb14+sJWKiMg5*Qpy~IigD6<R7Ul<Nn?M}
zRb^lWH7|Vw#fEvdGj601bsW<hUoHVeuW@OooXwqone4+NgcS^D3<-C`su}(~fRL@1
zPkZBb1buR*H?J1r$`cpV645}yv3v--{%bGvkZ6~AUISdI*0lcvA4$b*p!3BP%qWG+
z$>sF{;4ob|+`%Dc#5LWQu&r#V!!;BDe~7>jS%CV8^sHR$ylQpr)kEK3G-f#I3pAit
z7Z$MeYywYu<6UqPX=JIyy4>KQRpIugKEKBcfecHc%m+Q451fvQg$pcOTtQZ{zjL-+
zTz*LlUkc&4Q(%!Db`3}3j00ytcjWc07PvS-<(%MYy9L7YBPnq5dkJQEL5<25EZ5UJ
za9`+Q5Fe0rbq%hLP(*Bfv&s4dJ0^L<k|GO4K~LI=Y?!|D(HOfpQHRVFt*GckK}8Fq
zkIE@lvA=5wU8OvilT65bs05ryUI|SIX<2kKNd^{%6m!ObQgS5uVMQ>|Gu#{Xh1J}D
zH<@<M@)EkPu*-s#&Ru5t^|#t|*WQzFLIX8d-xv2jX->%9uY-p!gINtIB1`>6!39Fs
z_C*@}8qlvfscBZij7VI1oGdG8l{QoPJ9tfDH=Xa<w%oxJ6`<_A8ZAH^8+N-j6yA!#
zWpEsdM}AW#wT(&KE$>+h5eL&m2=@J%#1AhC?~MUFUQ~CgolF`neL8y3jZ^(1R~Q&H
zJ>uHw0V6ySwwnu3<-EK|$@8@Rg=~q<{_%F-kd#P)WICgE;8&Uv2GCZ5w(;6a`mOF!
z7Oz&yGh86niFj#ok8uWk3`r1RU(FgyMOdX`c4A1Dyzj(y0dJK3kjP*wgM`a;OLiGG
zBy;{~y-64ASsbVrCYQ-IlngWC9w2x~f+KZ2T=WHK$6b;nkA*@ik?}kT!fCkR!f(ZZ
z*+90~j-n&`@pzZG#(7Gg)%R!2`Qyc&;J^}8$y>t;i>oC!Q+C;cQ#s;$!py}YBEUBB
zGI<gpj+f7Mqed5UL|c4ED4-V-RzNVoI-Rs~(GO+h#*DJ`0&$TZ#Kl6gmLJ-G<Rf@Q
z?Zu3#j*{D<coqye|9e4+{wmsqsT>6y<*#AMh?a?sKB>GO?RAHjM^0`kq0(>H9^X)b
z9QKOJv@EFB3(0aAEX>)8GJ-Xj;n_ZS|L9FJaDD$5GoUI(2O0fb+ajUmX&06)6|8tB
zbRI^S0sg!;YX9b&5NefcD=5O7bh;7ae<yF=zF=XHfI}n|9T|n)=5brVgsg%Z^r#QC
zq4T2;gEABuwLID#5;m9bK%_!n0N5hg9Anf*Lf-QH+-4IdPeWCAx)jN@G%mPKbTD8~
zKG@|8CCR-F4jl|iwwCb~o>8vLpT<y#am|OEKJ<%0WK`6)C)cG-AFORyk@*lImSdvl
z4K68vV5S7qDv2PXSLEEis(B%3<oh8$r0s2Qu^*kxtImzPPbv7#q<&ae$wAay1W2Wv
zBCB4*5-d9Dqp+cNJFx5scI<e?-OFhJIUb?Jl-Jw!tux-MAsi&qj98>sOu10kruHli
zsaisyYN4P=Q|=*E$&k46L1x}K<2(oYeZ*5!_1*R@78E$V{kWGwrewYfzX?Suh>o|<
zAy@hPbGR~0O377F-D145&x^qS)ws?Mc#uV+!}q9d@8}C2qk1fvP6rJ!5PXM1Fsc}L
z0ULTV>dk14{ZN;)1S1=Q=~a+tNEGRIllser(wl4PBXCIus;oUbZex3L43hiEz?1#I
zDiZ#ynEr~}a5Ll+EC2;(1p1{a<cA`kVmLO*XSc=q53+(UK!!j&js4%T;s2>l+M>Y>
z9?jRFLAoc6K?_eM!g)E(#(0CEw0(%A9X1d8G$2HW*N)-+KdRu^yaST-X4hR5(ATSQ
z-%d@Fssc(5c<t5y<Z^|Y>lT?rSuupG%d-uj-f`zRk5`wbOW)V$oB=Q`7Y#*sr{Tk@
z`eC+sc%>9#S~-N*%IFN{samZre12{KXFFJH8oa)vN&`K+zy>N4(Tin2p`L=b1|@*u
zQw`if?C_o?q1*3K$z`|O!V}@WTgY2{kg_b_yUuj5IWQ1$Yap&7cs~a}APYSxGbA}c
z*NPXNdY}tgn>9{)FO`5=K+c8e{r>=SgRdimYo`li0|R2c2L44g7y~O0df(jEC#5|n
z417P5?{3~Lywu;v^pz%)Twnk_GZ_jY&Uy`Jde6yY4s>o36+0|eTTDE$47ozhjGqS!
zS>DAQs8V>d);-spiQrU_0X6G(AgirkS%H7mp~C$MRu(r9ri#oO>vxui)b&dYS!7T5
zbEUR>gw-ZM!o7%3$)k;d@A?Zk(Zdoj@y^{}8Rlir1WM~ER5dE4#&45cMC}HzAr%`^
z#Fm&hn`KNv>!d2Y<bZ4$e*Yg{79=<f6U4DoApY8>?^jg=RA<Ffjo$!$>Xz>ku#tIg
z>L~|WKLxh(TbVeA)@k$R7ci%UmGcsX%6tiZ(sEYz(dFs;236(`JPVMMDh?hVY->jV
zM}Q}Vv2PK}I0tW9(VITMab7?#DB%Q%<YcbKlf7}|bzVi<IU&fax}c%*<(34L3bZp!
z|NOJYKRufe?qMu+y773cTj>6tBl{S_$!6gEG=i6zz2!p}Swd^=;Gz@x&qUQc2R&y!
zg&7ik?GGNN{4dpgbx>9NyEot_50XlVgtQ0>qJVTtsDN}y3W79<bc=*EsDvOb7&L-P
zN=c_EN`rus64LNKU(w%t@65e-=H8k2&b(*NKl_}`UTg2Q*7tdyPkjr7@ziprLzKfn
zg?on#t@E-7zDZisz1vRq0sN+t%k7L6?_}u5sN`>%g0}m%;Xd40h(E4rL?|o01jPQJ
z9HBRTe7Bo#q1o+6|LJeBPyb-4NOlaVU~$0E({7obO4A)<`oc-~UKfm_Ec60}z7q|E
zEF@Nc<x<`D?)&roTbR{X&uDlT#$H7F$LC#2YBQ{KD*{yGiK+el_X{DEX>;NeA9R@r
z??quvcY{KgTmzft8jEpcC14E!a$dqnYt10)mPWOCY7~;;2!__k8W5*RE!=CGGzOq7
zu<mv)T+^>kc>$mC2(p5{&-V-F5bnCuL=*f&>HTn~OSwFta^A9BIOkgTC8^qYY-!WB
zhIssd>D;?leSu-gXfX7|y&7Dhh(mq~=sH>65;BTHaqMu>B4J+`&~Hl(!JPUq8pKRW
zyc>~Q_7xxbY9g--84Q0Oz<w|Txf-v8iFD`?zlfslgz^8`W6EE?fN)tCiZ%C<>OFJ{
zQ)PD-^bnj<Zu8OO$W?0uuDU3ral}S?A}juTS>eIu4704pR68%<EH`cgSZK$Y+q@KO
zEihvqMi7g{edDbL8m}N&=^<b=tuTt=J|HY&X4oN9YTyC5%69Iy=|%CO6`flAp5_Ue
z@S*X=;Is_qZirR-4%ukiv#XWfJ7>C{rhNFPi#-A8`Enc0nW;V%3C%MHj=?xo^gr?<
z(24M>vo?-k0+Y!(qT91Ma+wY9Oc6DRvS@7pZ!6>!RLm+5Jm|3+UB~2;7={-MJ%k~5
ze@EnT?Sq_8>`P9A^GyAb01=8(x~HGi`;$4@i9vzQo|O2I6_ATUSWDc>&+BFXIynf7
zwrLv)k+)5mp!F4;NDjYXjLDC>=XKn_bY?#Qa>!n*xiQY(zDqA}3{rRsYU-H^54LRS
zgt%a^T3p65jlw4w*Tqym!ZB;o2nAJ?il|5`Z6;<pUPzSrkv}F@y7tq8n_^4cOe|2J
z$2{ycXykEx2sEB+D8Ay_h`Sf8AW6P_QSZ}(mE~v#Z$|N$7!a&GM2Z{SOgx85huf(%
zIfgS!KUpR5C<p`rm8>A-M}RBE<~i(=53A;amE6ogt1+JL<qn2YoI|KOW%hO}Q_r2q
zTjOVm15_#<AU&gkv|iiMpI#fVrPBkg@fa4)F?ak6867Wv%Rzg+-~+8Gc_mf`zC7v`
zeg<V%q|99R9Q<)Er6u@ue;VxM(#ae#eT21?88w)5s}Uyu_t%U8-lF*NaUB`zhkUz?
z&*6aVK*Qd59;U2@qtCkKPhR>5%45iJoOCL8haJFyvZ2o}3h3rr2M96K!yBw0LD?W9
zC4WU7B%V>BOM|{J;9(;?weVqXEMC9@WCLAPY+M%*5+*h?yWsMwTko*mCR5Z}GBA@C
zH4{jv`Tza;2#=U1thHsd0y4CD*IXV8)ou`|vy!3zB46yH3%K-e-B3vGrEP_X`O|Ba
zQ>cYRe@TR4zE}+JN_W&{{rxUU8}dyE&A16GP%O9Z`EnHywS9vx7qH}j3m4+Ud85N~
zfotKf7{^X%SG2lL$iewPMUoHC<2@1|D8Fq_MkmF5l?iE#UcBvt-~zYFVPG>^YzQBe
z{98?wWC#JWEJC1Ko;Xa_+JC()HX%yJ0(W6}E?2ki(L!fR;3o-M=PdX&f2jZaiq7;O
zl=H#Yw#ofq%`U##!mJ<xj(rz8ny@dB-}Zy^W^246AkXZxva^1>Cj@Lb5qbnXVGD4u
zA5RTQ-xr(*L6Hgq=oZN#o6tU>`A+rr*W_2Br&mG80!nK<l=hVk1?o3~0l69B!rRX!
zI@^FrBc>PDfB}d7-@q~bZ>oO~?0666%~7@3SLX=CmL6V5*#s<%58O*QkA0vcLNJWe
z){42m16Uq3;Ir8PZHNcSq{2XfQ32*T)QebgZx3Xh0Sk|8=mg-_NZs6<CUpcAL=^q>
z2W5$cytEGhMsaqDu7*==K;YhU>T=0>rg&s`d5XAOaksS><z^$@3ARCiXls+cy*h>3
zfRBTNmF^`7A%`U<`ySo8j9BGI#*_po`g!<Y5Z2=O0stYfHmUwD`V2_F)RF^B_Q-SE
z5g~2jdv$^M?|`2-P0M*{T0yw1M<h7@xmAMiQyc+aT(t~9GY0Tx7xNF%Qr^+xDygFR
z0BOI7gUG6R=^@Bz=-&?^XE6ZHsAHQ0h{f^&Z+M5G1MN@>wxLLrNwyAwU~gf`|IP&o
zpkIrm0`cBJ2Ff__d2wfet;>gbt^yX>S&!v0|Cr8EK9(L|K~dXlHi-xO8#S6KD7)_1
zPl)Au2c6sGingyeL$wQ9B<A)uMmO~3eeeG860M=Ut=+X&H{a*NIO2268Sy;+A(Vb|
z^!Y2GF3WS@LQ*Y+HqCQt<VJt_16K4e(ENL1^`g?>R>0P*Ka!N;ClM+3&?IP?q5<=Q
z`BgK%4JpaE=zN>oza^BHy$a=_bg#?wzg|I-P%XK)`*HM%mi;q@7-<G^ui5fQ)Cb6}
zB<Jra^jhemm4OT!CxI^5df2Fz{}VYRb#Q~0&G`z^V;@-A9)6Ii=rEaR2wj=YjN&SH
zg<Bl=!QPz;(D$R<7aknhEjj@k)w9kaK9A4dh!@#`NEYqa?jnz%5lDIXwfyyQ=c&-s
zl!+!plh7VywAJoP2$SvqShBd+OhP5H{XA1bM65XU!&&(?^160u^z7Fr{TouX@B^`-
zA6N{yOwdSx*bhkXJh!nls{PL@?`Y)K4&3Z#?CYRe{WwtyILMh($lYViaMHQw1GN>O
zN0Y4&VpUH`hw`Y;JZN-AqkIbGOZ{1h-Pn9lBi{A3yvAd*q)*>)JaRHbeCS@H1X}ZS
z60j~WIuzCXY@)lJEo!g~Sg00bc$VW!;J8+N4>o*bA;j(vm8ywiMtAp?d>^Bv8(_P6
zpy7)K<)IREXj9;biiQq>h$`p!IYR?LJ6Mr-4xY*_(MM$L6(f}D>?0(>ej-@BJpPRV
zWP2!Uw{hpWgu!yPwDkJ2`LlxE_q0!mDYwVDYl+;=MhMPu0L*2B>uebq0gnZ!GIhJx
zfJP-7rP&-Lv9cZ)xI`eT^)<7^q>-%iZuZ<r7?1LA>kL}jWucKdh0|hlxWp>dhQah}
z->8*-?XW(aVu2)un1s|t=n-x{ra*R}-$UITj7Rzf*DT5Z6pecz5f;D6nfUj$P86VY
z9=6gC{(LUeO>`WYmhivF@qpI@)|7g(e|X1Jz{Zi%Dp~w}J-|}CGyCcjd+Bd+#4ZJz
z{ym@IE7pSU*FLAt7M(_+5Vk1e(>iy|`@wurKi@d_5)SVdNI3S&8WdW@kj{xO^S}yW
z@#r41fFlZ6^Cn&SbHqBB5C6aT|4f$&5#9>?COaVS4lJ;GkstS+>7?hgf5$dK0>i2X
z;#|X?2F3ZU6Ao2->!W4O{d@Lf7+CoR1QVzLaIAm}_HKL(-tEVMOiGH-L3~Sb9f<)=
z07!doiN?7NgVpn2bq#bq@!%v1Yx@@a-(pgSsyqe%H<?tCJF{f}n@noB7PNBn=MrB<
znq2UOVfZwZimCQQbz#@VmzQTjT=h#o3W8d%^km2l_Zl;@?4jX2?AU1#Lxs=Ry@XfA
zR(<Rc-u<T3X0UfbbP+Xnz;cUQ?YapNa^mPsK`PD!4YNaD7sOSf5MQ=dG7B%Ld;MPT
zYQi$i9DvX%XO)j)K<c39n%f;o7vms+PwCY}0XQ#3*Zb9#*0f*g$)&qyHqlck2t#As
zOM5<;hQpX@3xsNy?&HaVM`j4;`dNT9ej;&@7sQIdqH+1Di|v2Pq|W@8OzLzSig5pz
zW86;)F{wnR|8JSpUl$+7fX8_Yh>bgH&}2pkwa}SrgwwGaV}p=VKaJcnV2?oP#?-<m
z=F$Xs{;2_-Ja-->c#Ie{uWE&vm9}2bB~=IqZABq5m<^D1yW#9_#1XuT@z62uT%bME
zN2|be3dhX{i;DI9|5ZDPJi;<uo;bJce{O$vIf31egypx+v!M7;6S@o{(A=+$yKffZ
zQ<f?`N~F^{cn{^Odb9i%k*vnZ(MU;b7c0qxS=J~=Bn_Y=tk7lnKY4%QcLlx(m|$-D
zt-8DH(GWHiR+T~*{W?yP7~xW?W+l(l*(8fdc~quhXdz>Ow=O%F=krPXnKH5*?YJH5
z7XeFx?U37r;S(6nUjvr-dVu<l0iix3LfsTAsfu7mr&jauzgmF)(5qL`x@ZFO4^n<(
z3r3Mc#F6VRS4R>oA36|SFtTz@_Q--PmZ^mOh^R>7Ree}l|7D6~R>3kwMwI`tZQ-~s
zkgS?OAkm!L0Q375WNjDKx;4pTIU@dF7~7F_7yb<qgP(x&^%nG_zvYg7;NZ*CE=Vn^
zf#`n4*$M$~=;E5(|Lqj;Qu+O%sKuX#4Ky#N^)vs8mEF3p<G<q|SSDHj)9`D0fHS~t
z_;$6|7Ar^$)oOgaQAQYuJwEfbM4t+*grqqng>#3PrJJDO4{#;}kdGab4IY8~l)&Z$
z<Q5CxUmaVZ5x$eF@j~kw<i|6?)c4yhIa%E*lbRbPD5B}VEAzXgjXlH~l|L}z22$gp
z>L}GmuoNIG+i<N+H*m5uRMf5X1iO$(6@R4$tO|xDa9YJ^UWsH7;}WzViHC;x3Rv%N
z0)n&xDcr66U80!{VgPW#l!?PuNH&A0n=W{lW;Jj{YV=`1TebmC*l(?WYUo<hg&1IW
zTTu27B2#COHLa@mxOBvZz0un{iYSq=Fx#{->~<21=dXG3He{J^?MqI9xa@U3mCJ{^
ztq=#<bIfF0fREkV^`HTY{RFnzv6m7F5~MDcpYl^`S^P++XRj}Ut_Rl;+X!17mu3*S
zVNDl@|G*fp;SL0`VZ<_6B3VJpLCLcsJc^<cZ8Ij9k?RkXo)0Y_LyWx(L-Z}Auz8F5
zoOJ|4XH98b4`2T*5T3vE8Ac8wBNGHgTv7ov{e7dUFip#^k!?Yf*-TlunHvz*atPdE
zFD|O$S2T`m1v@bN`r;I{okjh-=)VBF^&)7}IH|=AR*>U>ApkiJzU};R9B8U>V;VRO
z@I!t9BacZ51PRU$%k_vo@b}X=D!h<^0)mL_+eEe6zcIVz-!rfRlem8Zl?TrXL_LP8
zG+pLPkOAqktSVI|*ypu9fA{5^zx#5@`65-aEjy4sj^zXsxPI@Id($05)rSEV6+zc8
z)cFpgNMr$YFdu&FA}q2VVHI#sm}$Rt_0}_esUc+42bzh6tR&yF<bzCu>BZV)|BqXl
z@&~@2w{Vus9ya})u^82xzbH+R-bmFb7cLc}Z+ZUW{kvTJ>T&UjRJSdUab+{}a6%na
z(`C-W9h5HCxDa2K|IKN7)w9XHYGd7K$@}2bf$!+(>ejOFW9LrK&W$G<-kt89&Ykq>
zB#sih%Yj@g@B{oaJ;HZzw8R6Nmyhj{dDtiQ{Z|bvEOPE18>8z6W*a5%HTh>UdQl)x
zE?o6K<$wt4AA-HB%-{Gm^eTV5$yt|uar{sAsJAfM@AFn6<L%<xxwA;>*cn)FWCHBG
z@GVel-iE-{>{{A<aOEO>@j9*_KRsq-leewjkyL3^m=UOb^~E<c3{`mY)gnuk>IZcg
zM&+?ennm{z%Ck?$dnaAcuf~KObHVJB%r~<W5c+yuWeJAZ7nAgtgLyxB%CBHcj_dQ7
zC7wJcTDdTep*iMQo}Ct-`0eUR?AOm4ip*P^2{EmAx?*;JhRqx{){?vgn9Du&Z@7mP
z#A!4;)DE8-OpK)Q^lTB{$<+_Ky1FKFV3XZ9S^C)&is9vmy0IC+3YsdV+57TRrY*(r
z7gI<5YdJl}O0TrOhs#xXj3Pu9D@Be7b@Evh{<U6ZW7v`AhUrh1ZGuehDV_3Hz`R`5
z$l|U1EsboEW#V;S`|N%6Yc3dAMZXF!-+WFy9rU}!_QUM5lhMeLI($Bp(mJxl-mrGq
z?Z+lcrX3UG3TPEiOlDa<yar=}{<Wt)u(FCb-qG@j{r;u=Z?cgo$VIiL6{`%ew|E`y
zAG4{*R2arUHrzU*l6&>RpTookNv0ha<ErD@2@emynMXPO*Wu>H5<Mw#+ZkG4C6FU~
zwJ9)D>H(a664D+Ii1aIFj2{?q*Il8i^H|V`2T@<^=FiF1g+<4r(rk^Fg089hWw+VD
z>FR3K`qR<Jp7au)Gq)+(7j-+@tw9Fo<i{EjPbZH$qk#=1bIPGkuCv{z*jB9gLtnY6
zYxck#cw@x(z*|v8rM$64yC!eo(L_+x-C%mwJ+-y1DzS#PPjuon<sA0zlVTh1#F}<?
zcPYf1!x*qC;tWiaq_~#e7!??b*;3okg<8>tDj)ZK?hf~6wb=cII>C7Vs~?tr(I|v4
zQ*2(^PSX-?JJf5E5#wmA)#cuLbZF^gO2g#N9?|>BEpUj^@e-)^;Af`lDjoj5eiUgL
zq?U~(pHY7S{Th>`9AmhL#p%Nd2}j8<Og!y)m+7IB6BCGa+?)4DV)h}AN5F~Awe6=R
z`rv=zz>;cQ+vln`rR}P>Eb?x=dky5RfwIWL1^8tjBfl>ctfW^KkXw4r%E}7jDzU3Z
zAazp=ItI_z4xvIwY5|+u2$C!EcbH*Nl=v%^{-QnC*3-`v0PD$uGUe2FO|S(jS<9I;
zjPRY=w1o+%2pbWSxf{YPEHY0^0EEfyvI3h`pO$U%(e<4VEK!zv>0gB2Qv(ar8h@Gv
znzh(ZhMqiMovTKxYy`bUTiTZLq6RJ07;tdKW;oW5Dea;Nbg(Arg!4V0?fKveK^afI
ze<gxDPZE;txsc;A09VCs0Mc+yYa2KQi5~2(ZZoH9IAFWEf#)C_dI&wW(m0?dk*d9P
zRS<YYl;k=EiVb2cLaH7L$y+{PR}iL20QEfT;g#u%OeXf$C#zr|6rYBrJ}4qnAm37h
z0p4cNx!iF`$Z0BM7xWb8;lbT22M3z_m_L4T<2WH<gEUj#<u%A7iT6F&8AUyb<~&fZ
zF@W3{Et{sr7&*1Dtt`G<YK73<@<MYuev5D$NK}B39!7z1MnQ<>)uY~3cx-i#-JzM@
zHFq6D6^~Nx9vk_b1{v&t@;EGe*+6g>LkrOz<9^WyrSi5G!g+3=1<F(4)3>$BDu}9o
zmhw96*N^>AAequ!K^UdJebq&MpJCgRj^bNWlx14p%XRo_6%Ho;xLBjFE8{D-Q>V=n
z12$h~U0+lEfjr<`vyefd0I?G#ADcl=!vg@2Hvc|=LG=Qgz@^*(T9K1?No_?CTgPR4
zW9b~2Itq{wbNf{LD4WIiA&jB-y5^<HaDI&*Gmj+*?NPguCUW&WeP*D?ryH($xD&6+
zM`G1g#4hH{mw_cUzk2)jC9lmwJzmqWDRm|v6>l8(*f_-#wnBD8LM^SWz0~PIsh%oA
z8LhlegHm~}?xeH!Kk0?gg{f4}#Tb|e^WG4%k3l@_4QLBvcnI6;)8m$5rfI$S$slvp
z4AFTI&Y@x4TjI30{;BQh!R{@wpmW&MeUKwzZNDlQMF{+G?Uq}{QC&1u?tWMCRdYUj
zSymMfNT=@ajC4)=O?{WUeN;!aZ@4_n(S5FQ+6r1JWwzS>Fahib6sa4*61!3m%i9W<
z-l&csAFyd*J((n$@x9H-sKJ1yFYG09M74xJ?xMbMXY{~uIWhngaLLkK?;TbL3kk-D
z<qQ<Kmo8r3Egy1vFmP^HHtC`@JA_`FXiP}#t;HF5E|hIYctWW}!5G&kD~^nP#g*D2
zVk>&o(=-fphk@&`%XZZnkZv>W1H65~2wK9jx`rJwbI&{7S^ZMIoE|R}_?GAu$GmW}
zy$5t}$q`Kt)wdDLMUdc#=b&`e^^?wX(14Ox`q|YDoqIpIQPj*pd6mQXYz6S-NWgJ)
z`*F>#oX6U1db27k@5l5&$xD|o%jwcL_Q61-OkbByq%Ky7Q)V};H%G68-6yHqo$$4c
z!k$j*8J2C9WlzQmM8hh=YK%LrSsDW}uU2UPT!@HlkFx7*k{DmGfccFFf#pbjIQ7K2
zGY0&gS742pf*9p!SZ@f$-`j;|Uwd1RKTebB{(<peQ+_XqBB-|iiF)X_s>{K4FrDCV
zNN$p*i%BU0dwOBsjIYWsk1b)iC$S{(ULm>kkPhs5Ww<xI<U>7S=k>U|y4wc@ewIDS
z7)tmRK$*VbNyBCSx>;2tb~mXd9a4E0o`T?$MCOh&M5k0x*uo`mYHM%rcLQB?&nlR=
zzHjlA4`s~2GvEFQHPq`K0QjfOL1i1T1~sKq{<ty3p?g%pG|{;ZX5{Z>kj*OcX;*kT
z`IXUD7+VTF(#as3X{NZ4!wV_|&CdE@(kPm0&>WsXU*|+V9E6>Rr^5?okiiMKJc{*i
z<~~OW^g@EfwT<Gov-|*JxTHd;l2KJPXgp^00QO%00uSkeL46%;EwttVpmWOH&r(GW
zwX-C<`4TmKGCjq`#aH1*yaw^;;oeJNVzq%q$Q}@C8}#@@_-)Xc*rNnP_rRiu4ohXP
zf?=vm1Y~`1%mP6Fq|1<*^Tc{25c>$8Wddl6lHmKh*(Y1tdO@J_mq%b`vx>eIQhs&B
zc_&)cy#2$6?p>xEXE@b8Jl-1GLsm<bP35S1TixD1lS8h3R-D3F5{e!lr<j!Zh@=ZF
z9^tXZhK;clHJH>_2^6_%*<rPnb5!BQyc3?l>A0*dR^z|$*EdcLtj$tURK^(ybO#M#
zk`#*J{REqs*w8l3GT`)GVtr<d$#g3>a2pTu2%F=@*9U`PK7(mIssHzNNFwWtId*l!
z?#;sMul?r{+wg++i+7amiqKIVvoS}~HsY6DWSiD^U|+AfzQ|uu&C5#!hD(J^y8d#c
z6J_r|?-XjhucN8PfZJZYu5aXi{StWoJ}O~d!QMBy7eOwXbBqZ@&1CI~GnWek2uV5$
z{p#-6<C+J2<kvFs41cKMbWh}sb-w{|q2aL{9wAMWg-XVNH$Cm`SH0gD2W$`xjF>4?
zJF8o6YCYF_b(?hkQ}t(6qWCFRByzTK`S`~9me>Ihhf~0`3@D!%_-Yo)j+xd7F|x(1
zHjoKLyv0q?CeXr@<SigRph(!1A^i2Aw)Dt!+VDcRcetCBU7S`-{mDft&a+p8jcbky
zRk2BTLhEhQBJEGjsXBJA4hP3}`0dB*y)+JPbG-V}&3F`xbr?J`cs!4nn%^PfTaVYT
zyM4UWdqcGH8YM~h>#8r-<33g9gifBs&76t(91$78C4|TJKz+la6MRCsJFa<_(K)FH
z<6J=2UIbG}y-8r^<GDu;5n@k{q=}r3QX#>9SK8_0$4lz7G3+{*`p;cjR<8>$naf-f
z`vfTR`A>8(oAZ#2i{`&tBHTSX^j=`g_rz>>6{ID31h}uL29OLxCi?T$?)1f(>7<2j
z_rAh~7Q<i_yj^_bI{%A&NlWAtM;XOMCwfhi@7nn++?PoA3NsERauMra{mdY9U2()(
zF>`jj8%d;Y2r?@6Oqy?ksF#IQY%N-Jb1aa&<qHbm1>J2F%_Bke$5`SJzFWUTpW_s+
z)1Atzw*>nBq&r;_2VOViuy3&loziWY69^EMt{hnxka*ok_z(3rS)7F1fe%SCRfH~h
z;2yyhLeaY<x5z{un!XYeh%DzfFWC9{plr{f-x_Hv*0y6TvM!kNWG)z+79LaTCKm&3
zkj(Hz*)jI$3t<e-H&6-#Xrc0Mab49itZOE>Ht)$T%D<3Q+kT&%N|=nd$J4bhu>3H1
zS1s4Ap<3r>gUROxvf3f$9L=$gaN+yk>693JXn4Q9#T}pzq4#Gij;MHQ9d)i^49B*H
z#*vwH<nFz)0WzBta+hNKE`FU9@xNqKP#YWgkQgFOVj)6SO~m)^8X?<#Hb*UK+m!iN
zq;vwQM)O0VTX)(EGSw5QJv|!qE)!>{Hi1*(sVeK8*q1?b_mV54doi(1w4^zn^KQYH
zG+(;xgYdW5zj1|v+vxolS8m&S0-mJWN+Nvvmj&yQ`#+`jpi-VKs9aHMr_-)@dh1&0
zxJT1sp{O!3Hm9qXD%umrdEm1+ttowJ_oJZzb1Areo*EXn4O0wW9_o7CJX>pO1gX3A
zTdh1`885bT3H!B_GUpon&kw$nCw`8YdNc`t@X$3j!VxksEw$qj+)Sp8hJi-7u7^tc
z+RV3KRZS$RNE2Vfq{H}rfpFqx!?Qr0HiACU98u$SKj*aLn`ca(KZuneWbFuHa4X_x
zm>%n~4%Q_}RvK$;WEgNr2>gEZovawxSouETdF=D1*R8I@W(~chnD%nZsaf25M-GlE
zx2b<{IBI~rn)SFH`Q9}DQN<DI(_c{Ht_e!q?Mzmk-^?|0!Nn}#u}}+*)ZHT`wP?R)
z8js({CQ#yNFB+Q*&q#FP`7{=Y`!E`=#An#C9Q|BC&p0vk5|?zNeb<4W#5UJc=YYAY
zM78vD1K!D^H%GOk(<0GcX0tAwMuqn!?rD?Hz_;yZ=7zl8L1lBHUoasQDa+h{$Jn**
z)(UyM)uEq{5eITq3hJ~Nj}i(|tF2J`XF<^Lnf82|kCKk>`;IX>a^4F6&=c5fIG~eH
z(Misw@eu_qZgd2fVG%J99jO`waxO1aFn;TthVY2>vR>nT&dsq}jgxln5rPa|&X=)9
zKKzREG}Z`C`M!L;$%3DTelpM;myydR{zx0C=;C;ne@&uahthI$%vf~r+^nQD#mCDw
zK9x0_g=j~+fNys=@xQS8j6>LN?VFj@xrq19<TtqfA-nrVSBUd&v$TzAphwdh@iCD{
zeWsqa-1ZHnB-K0vQ?`Ar3!b)nSlvaX3m1pZeR*X>p+ehJ&Fg}}b9=meqmi+{j*m5U
z>4nkOE#XkM===0oPAdeQ6(=uuv`pe0=Xf|sLVI3TTW;(enVMRZ-{|^`t4E&vg)OJ>
z<6H^*g?+~af_2t0XYje1eRlnslI`q#27R1lmfVK2PV_K#QAHij_7qZBTK{mXG*wpW
zkImt{nJ;b|dhGs$lz{c)NpJD77G?kyq9xTRYxD2wWDo~iyj*Jjz~KB#Ck4Z{G{Sc-
z@1OVWjaOmrw9p{_9mATZf;H{1BOgDu8GeJV=m#N5+j3>sgKvI$Dtu*1l5$V=)*FWq
z=pmU;P>Vl%pU$q^_l;6WjQV}7nOXIm=Ly#jF&B!Er!c+lw$uCt2Gs7u>sF29{D0$Z
ze^RDpL_MW7L+6J+uazt<LnZOK>E%CkA(IbG)<5~p{$}ke(8BA}>YDAGe;CgO6*z4l
zi}1hcJ*Q>hwfXZf+P?w2n}n)8&0XPqe;7|DNQdotc2$!v^KklRC6j=OdNYylZ`yAb
zvA@CIb<|QlyDF8~Q_1326KNja@(zDRv6>tu@i#1OBrVjH{~$Dw4z-N(59DOFVh=XD
zse#4jh*^Zjpn)y5HXhh1ZpinzGDewjCxh^U?H3K?)oU~R%-~f=Gb_7m6D5V4XeP&~
zVa)y4Gnz#KOzAT<TfTz7XT||%Cgjg2^yjO>8@RSLp7TsU{DZ$tumW<x!Hf6TrK-UU
zmqw|qvGNd)ik5r=IK(8TY3$DjMk~Q<^}N>!+MsrbXDM`^QC7TiB@X0*Sq3Ak!u819
zWIQa2Bqy!5U<h$fiSXJG<=Xbr&gLdVCy^!Y57TTbs9~}|c9>_B5N8lzVC(N0yV}`&
z2v<z0<EXAhiLNM!^V}Grdcd+>`K{v_KuEHu9D3xaTR{5pM3t777B%TJUNFHs!8{T+
zI{pOzq)5m`Z_EKSQr}=ne?-BiqyS)WHjJi_b601hSPjBZj{-=!LZN_zVDfZ6fM+z$
zx$}~I+R*Y4NM|l>WMo%abetG2u7JRf+rOGdsS2l;&>jOFqp$&vQ?GM!vm>9{_T4Wg
z^Ph{<z_V4y|K+vq3rCv(1Z*0(eAHBfsqE6+%aW<|V20vy=9~ygfb3$|*6v)Rt^sG3
z^MuE>4U~!oQq?n)5GiCW4&dATJ=lP^tkkkcx=-2@I~YXqb9;bZoeAbhb(2<>*t>(m
zjSQpWb9i>Zk5Ov3+zy*tY9XsAaE5(eWA2<a4;9ue>pzbw41vs&88Hi>;d&vLi5zJF
zt3)Kld5uR!siHfW$%<fY?o-zt@R_YTLzIF#1p26h<)H+Uj;ii{wJlE+S*)nvr0@KP
zX<&`K0Qk5ZIAII;DW{>Mzes)KPR#eO<pu0-%$iAdgE-W|Ov(?jrzOz2sApb2+6Pjo
zsv7W(t7pg(@`Fcr6?XJVgf2Y+aF9d*LFV=ptZrFYBmt9=48wC0=xP&SDzVZFIWh?0
zxZ-r*^=N@5nf{b2uQWPc1xlc#0jQiA=5x^FT<&UZJrAG?KipgVpk@|C;^Wg0FY7)Y
zM7`#dRcbo|`ww}*Zp<h6Ayr2m00s_wuwC_5PL9Bio2B$a-W$WyFr#0DlrjO(V^n_!
zudetEXgqU3Y%~3KE}#E}c7XtjbwDYU;1_r_g4pz&Ag44EAaf`#Ueo^tbK{AV1^VTk
z;6Cctc&XC^lF@!YIY>k+<(W9u^W!?d(|nD>P;EA3B;~;1n#7(kF?2pk(8!JTcvZ4^
z6s%0j!q{G)JB22Rok0Vj$)Fkr7|8`V?cPew0>fdH3H4lKmw1N9?d6u=gr6GXMxU^z
z&Hr<p>n2L|QNjuH0gY<s9;7sV1!r%Aq|~((;g3%|e&kuePvgPpC=Oe+R8jNTHn_MF
zMb}0Mj?8klS%!)0ZENMB-5iuhp1MsC_Q69WChrx$3eBt2B2vUm!^X<mK_^1npc{9V
z9!amT<!F303(6Wh2Jf}&FoK?%xdiw(AF9o%HL#D+7Ym=gb?q5(;Xp$<2|(9pd`d6a
z4&G`{7;o@5EhnO;M)*M=?7UgUn8%QUiKLgE5CE4D66ckG^^W7jifWo9b`_O<bu_`u
z>?``98dz!+rP4sz-~>n0h2UJ|yt@5G3@|T*xn29kD-R9|CCI9twHC4;H|uCd8~Rv$
z1i0gpqA{5ZL|$$I!iAh?9>Ym}j=j0pSuQTv4^>>h*3HW|X$1PVY;dwU0R*Q6?qQ6D
zdxA}U_R*+2SIvxDYn4!7UZqVJ%iiTHaQnecp?sd#B-4k9_pvqzT46?A8mgI2vR<RH
zm{)L@H?SW8LHtWA;ZS;!ToBj|`Rpt}6e<luaGa2c2<`oI0>>8V00Sy@-%Q0`L7Ra6
z((r}bZ1IWwl|DS#t(R%aLo=YMzMEson@yh2VC%I*7y1?M$%`p{$|4<j)bY4WwUEUN
z_NV6_!zob;Thhi{9{6me@I1%*V~MA#P65uT`OT;Cxc034BE$*zMRD)n%il}eq3^u0
zud^ES@L{&|5?qONk+%#0UJe%9kBW;mHGd`&K22s&Un#i%WC@a^%|Y&V9^fuoaC;$N
zen$3D5*Y2vT7KB4O9wr1=AK(6>Mf<<@lJMiO$xC-czcN^$OG@a?3J(6b$buiqzR`N
zdk7_ik1UJ>v>A_pU-wg@ZXTCDi@xnES-|_0k!>|O__lavyp=AG0Z>V+%sG2jyXC%R
z@%l%&ts_b=x1`;KCv|V{LgiIBfde;k9AJRC8NqQ>`w;jl3jtVX5vsrP-BpNV+zh`c
z3&mvnKg4F71ySRygix%BRf7K3OL#IB_t9Y5Npx}p03HqiG_->usp~%Bdy{*SJ(i`V
zd|`5KqFt>J5;vc&)A;6A7sJen%RyQh+4l88JB=Y;09dSm#au*cY#HxanWfdI7uqVT
z)v!cz<clnI%8~mYVb^*8-WkB!Hkg9*!@h7yhR>U%d}wdKlabCsrkIgUd)hA7Gv-GR
zoj8S{4z4PdYf3tc4&3Ut`Xi;L!mjMtZojd6Md>lvr{j7vw~)9lQfNXsRd43;>{xPe
zn0UWi{7|Pi_*@-;PnNxXeI0PR?EuAE!5%p{aWOIJEuSxa1fuzQ;4pX|uK`xtA#t+e
z$tf%>95+Q-DUE|Im8u$`d{bubv(QiX^NkWeyU@NWe}%3y3@Ud2EtAND4#Cm(>G0qk
z2b_6GoZA+uRV3+*xXU1_w=J;b5K?j;0?E|D^e85`olqdJ`*Rnr2Tgw;Y<iM0O<zs0
zT!plD*fTJ&{1__jNcN2MfzaI_1cKlKa|r-@@k<o^5=YuTocRRO7`lJ?FIO0WX}aT?
zOOt+$PZiJo&_@=z#lSGPqwFumBh3|fp&C&YOLqD(74(n<uzEDdfm=3l{29(OIfcqC
z>65~fr-k={zlyfOERWx(D8w-jvNrt5Zvf@F-*aRyT&H&wM4sOv8lGzq$i7_aN|&5s
zMhmxh^_PglegVeNKCSZ$kn_3blSB-R>#&UVv`A-_l3PNn^<$l6MqKDYUGgZ`m7xQ`
zOkqiN>E9w9`Pn7DWAl0^rnlUk^x15Txac;BmD0j0prYX^J83azNASWTaKV`5Srt5`
zb74o4UCT3q9}BnQ&Rh{<yt_0qjMU3dt+dT*=NKL9$Wj=EI@0TL3A1N2vuU5t#~c$&
zrOacfvOPml4%dZK-Ql!Rb!FY{BW{y2PO$|SWW%jyyCe@gFhv!txhXKAzg*o{e5(8O
ze8|>ap^7rAz9z+=u$5>3_f$}T34aRks0DIq;19X9bq`AmyVmsx-HtJ33JiH40FuiB
z1<_X4y*Fp@surD_qlyljW##kOZj)w-lW9_cS-^rh0SNkI@t)w2L%m|Bu9IkL&dyXW
t{`B9d77A&<oSl2d<{5vR!;_eOd{&v=U-aocSFzw9MLA{Jd}-r={{#N!1+)MF

literal 0
HcmV?d00001

diff --git a/cli/docs/extend/images/authz_chunked.png b/cli/docs/extend/images/authz_chunked.png
new file mode 100644
index 0000000000000000000000000000000000000000..5bde2c71f9f4d8d58653be61d02d0354b999ef0c
GIT binary patch
literal 33168
zcmd43byQW|*FOq)Xc1`v3F(p)5hN9)ySqhDkd%-PL8KcANkKqBq#Hy;QjijmkOrkY
zfAh%myx;eC?;UsCG2VN}xMRQ{=bU}^S$nOu=bWFI`=yGKG#(BG4hjkio~(?d8VU;P
zGW>U7VZb{!qJ#((6j~HnNeK-%)Zb~CNyMLr_wfZ6Ib^eZ5npA9(WRnkv0@}@nx)!0
zf;6vg_@mLt5TeTB#2`4yzqU$=OGYp4&il*s(vl-A8W)XAhMxBQR#^XS*Y~7vrzzd4
z(rM_O@zCBorxj;c-pDVr1Wbgqs26`<2xQjoykxnG9fk7u&zDY|u_r<tjp6U#6-IH!
zKi^(t>Rh~JfX_t#|MQt`Kc<<P8G~+_#frf5y(djpZxxc&sQOX_N~UIKCUkS<NEqeY
z!^p$UraZS5v#&hg`~A|X$-zHB+vxcp{%j@8E7xTlWyi~{%{!bne|;|Pm@Rof%jR~t
zHD6}_C8Ao%>G$S()49>g@OyT0UJI2b91^yU{%mO~_LA@D+atkfKe<wk5+5Z*$_c&J
zPjsP2B@pyJsTMvz*&Zm;<r9PfN%Gb>Ek+0*|Ngl3r)sM6y?)go{-yGX8YgKBFP2-_
z2zgq|Qs%AtB|4S&di={1H6IH!_J04!E_5skC-eLKima<Zv#@?oYOMYIr0=`~#!}o?
ztXY^4M!_#<H`RD^`FmbudBGh$qe-&V5n+vi-p8?}GK0m2cUvM~BIx{@dr}1Oc;0xd
zu)b5xe(|A)<QQwC(S%06&M~WQoHIuBu=yq?nYkYtI)lr~U<|$V75+E3pH2#w@a>-1
zjFnr*=Weu9K9y<lM@Ju@?~ISt{rJ#5Eizm^Pl=WNj&`v@XUwB-8GcENDdvXLR?-<Y
zd4U~HXD9B5<5OpE4I-1c0)?ONuf=m3*5=oY73qFFil*J;tiC07v_#LUUs;qRpQxlF
z)-BOWcsXwEXC3qX;4AULG~PNqg*qRyI1H-4tvcVt{Dtee$bExyPi$}0yqzE0)WqOq
zq_a=#oFkdfO3OV@Huk}7+cAq&$F&K;<sTpO=K9_k+g~o*U;C+FIwinZ`Mw`>%478=
z{WzJCo5a_gWBKico}t?o2MZ}rb96qK$ua2^3I!E#iMefviyqDqy)&pOqm7``EYOJI
zG8VP|QI`9Ayh@pjtK#v9mRQ5=oAZ;rm>T6bq8^E6WS762tUR_@`AGPrjxp!Ft!n*z
z)%aZP+)B`CLF1ggT6_AuSvaZx*Oxqe!Og~u)tRx}U{+c`@6#i9Ny*d3lP&qC#ax-_
zdsKa~%#jYBFs}5$cj}ZQE5bXD3*E`>H4PrSYKyrF$ph*I8mtv-&;P(q2;1&U6`W;N
z$q+B9=d<XT{+i5}Hx}uVHt9BtH#_mO&UN)?y7=)dd*6IlqR8h^628uFF5O8y*?DsD
zY&Jd#9J*nSm)=h_dX1}peAuINxODO$?3$@Tfo0o=FVxSw*ZJACinx2%VHY~|K5aUE
z`1=cv#eGo{HVy8*)sq0**hC|buN~*DLAcZ>p~S3NdyMi4-F&WV2K4K&CERhyIG?1J
ztOi@cei30-PQTR~{#2im?6nq!fZgvZj-O<&`5(WHu<A|y5zDI1G&_OZ7Y6r!B*GrC
zjk8+tb?Nx%bMDP}|Gi$tN&0^8-Szz0O;ZYOFU6&Lty%R4p2y0bN1}mnE2bDzPiqw$
z2o9Z>Z*2a#uT;mi<WcP|D=*YBqx&U-YG}z&`uXbo8=o_B_TaPA<1Uz&ct(D!-s>c)
z$D3bhC>IYuMyyXYl`M>!_?^KUyxu2nvnMZ!m?>5}j_1C{+E8vw7iyOzNWCIuWgqVC
z_+>Ire(O=x$<b<w9JP+|<KZHnxkLCKUd^nYA9{n=@iP~SqD7bttkD)CKa1ij!IJZ{
z{idzuyf>Y$Q(nwI=f_jw_toDj@C*~x5^`K}IxGEcihZ^>{?ulFW9Cz??RaH7YiU^o
z)!ny81Jf-5maD_>ZM;d8u~Y9j+%x&QWKryNZ~W*JzL<tqUGH`PzG&3$>WDmqt6k2D
z`e%P$ZyhMSz9sttkCKV2>7;Corl8StcSW=R^e8vcNUfgJpqlpkTSfIJw2^lAJ97Gh
zRHE>PMRe#s2fwQomqZ)Vrr9@S$_X?1JG}=AX+oMWG1spbqrZXuR^WBKzn-XV<o@~U
zRD`I71ruG%@YmvF|C%Qw#dYq1gxWuQ63W+Qrd-FL$ewR?admp|>N~N>>#O9-C*BSn
z&bFJ|KU{o6c}yehHZ7aTnMT3$srA9pcApqt7yd9W$L%x|mq*FJOLGFEF)bH6qVLD!
zb{!7n%IjV4YxFu6E~SfB=1y>K^gIl6DluxXnfv(U2d{Df2A=TKhTQ~H-Q;9EDxtwU
z`;!gNF+TEIc3wLsvXRB?YJMWyw9$(D;I6omlaS9@J+u4P+=?5_X-}}Q$n!moW7CH0
zGi>X}C6^T`&D+CxEcD7OUM`1x$-XH+xErf1x+(M`TxEAYTRM`0w?%ET+97)}QtV7+
zetoQ>%W1xogiE*abWeZwL?Qr#{L8OT#AKf}jp@z5%XxNj@Ap-o<*6!o9(jL_VI;wH
z+t?6$OEhY&e0^-I+3yne%6$jjftEAnQ5WNHyH49Ne&!Na`Zf-57UaB$9+XkzpFKU}
zif7Z5+qmm>RL-GOD*kM3f;C0psTL`5Z|kE$V~?GF>F}SWg9I+&hYa1?H%zHWvDA8A
z^P_L83Q1JLeMxD#box@aoe_V<b$NhM6Tu<k6nAH#Bb4-}jm{4($5cV52OIZWPZ$;)
zT_C={n<ir!dZ+&74&t!}-~G7~DppR6M$6_)8S1%m@jC^2XFK1O{oQpKcCfpDt|Hhe
zu)Qt~t7P5_Y8@M98Shr>A}MGLJBnvje{i<_=DefQb{x@S5^~?|Wb?~VwpLO}Uku|b
zQu=9LQH7rE-+n8rB^hmT1ls2>m8ZU(QwmG#Jv)h94y-0?3tDpbaHH7pAr3v3GH@wd
zg<!d`#~AM%B{Kb)%sB1}l~9`y<(h(VqJaO4X^$Xwb!NopX-wBgTXSbt<lS61T3l3w
zWIV2#T)~l0iGS)p@Pd7)m^e{bz;1#&)PJ={K;pq4oPCjplfwdpzxmibwgvr$y#fYq
z@x8z7Rq~x<_e}f}lb0|j#*wg3m)|8!Hf@18{21>*tW_+NZ9KE@?k3ab3*-@%4}L62
zyh&ix@FEZR2D@7>Pbn>otjNS9Xqx||`3l!noBpgI($DK~wO)K1+Qw5(rD;jLzgEOH
zmybQfFDG+{Y$`5zC2|?>;n02ji2qrWxo!=&ao1_J(#Lj2i{kbmrBlD#G8*x%2UQ`%
z?ZP+DtdS8`4l5_eVYW=}Vb`zDc=iuUpHtJ*SUF)oe>EpwTxTS|rivNcy}OmB{Uw|-
zL4mgG&Q*D*ngtJ&s2m~;ZNIId#iWv<<D!H|<}BA3+(g?Ws2-=LL+mxDdiwE`Z_5;Z
z`X#<t`*ME7_W<mh7A(iSoh+(ZfuW4z*D>f~O%-RCQ5eeQM~V&2@q8<uc#zY)J)&sX
zd0#TQUZ<cy?yyVaboa~9eh-(O#MG9ekQVxJW?YZ^_>bUU1+j+v=u<~EE-7+j3klMt
zanB4J&yH4Cm`=O-`tqd}c0z=Um8fMHgwwOmRX07PCnQ~jJP%3<RNn3fdAv;V^`>Go
z`thjIVLF<=ewi&P&?9-92mf}$P5p<$S>{)$ahQy~A{sZ%$A#@j8=hCqcn>c!J;PqL
zZ}vr9QDvIrH*3Q(mqRJ}Flas79`2!elVJLLp*Gjy?~i?hJ1^2~ZK*pDTioJU+wP-R
zER99oHZpJ`B*jVnt5weNC~vc9?XC=|D`e<&d&&LTIV7TaE1K9|P_pjO0PE>Y?Uw)x
zs^Xn=@1Fl%N~0@j+y|*V<}W6RxywJ|laph9FdOl@5t3!#fD>Qd)AJ-<`Llk^j-tav
zwL?~Xq;5@nm0LAtv`O;*Qvdy*gBcl{d)$Uvp4$rDho#S=RPrE%cP_s1;S8~e>{49T
zf7^>mO1$tOGs-l`EF=57Q=dql_H0Gq=eOU*&NlJ+F>&UfM$`^}A*%CS$_ySX$4H--
z^1n-@MMp?Cv@5)WFLsjgR&ts#Nz|)WZ6Tj8%XKqMIK~hzKPSTrN@9BHi0i7BI;Yr{
z#_fe7GnV%(L>JU}xWX5sTBPtDdEzrMpZd*(aeWs*)cJ$&LJpUGt>Z=u?oJz#GS=I1
z?$S@^-H>jwB1~<HExyLs{45sD;eGXm#xSpKlI)kN#ZLOlLViv4ie1Fol|4ag$$703
zqn{y?UI#P5;Z_fKxBEf@8-30j*(R@Jhsx+V4fIdztT_J}<Hx5<<k7S}yD_FN?L9{F
zlPXL&WNEk$kuu-H*K}ZNT>0cj`2lKTmEF&+Uk`h6S0PH@F6QU^-Z!ukaF&!N>ZK>*
zx|+f~*S_69y1p)G{Tu&<pJ1)N^aQ<7ljq?U+tc#nXnN_mkn_`ZACVfz`7N8fH_5W5
z34Ro*dyeZFFV;z>*IsUr92AZb96Q{f^4YJwHRvVC#Ke?fpeM?ar<n4vgNUV;lDRGT
zou*fK>q${t-esrr%Wu!y^47DBD{RMa(^f&T<-W0omiB8r*#G6)mA6XIev&zhOw{Kv
z+HN1<a^BamE`2g%*J^OnKhxw!_;o?G_!rGM)q8|7++vlMU8KvC4Rts>Ep@Nncy7t=
zJ}5leU1etIk~9pcZNagbYHYCRN>HrX-PB^Qo^`&e!@aKEenN}(!o)9u(@?Kr7pK^3
z&>D($qo+NgCC!g8=fdl0aktRLBy}(;g^8zld2;=%;-XCyo6}w)3aRa$xk+q16l}Xm
zJB_I&@|L@sVCGo`|5hMJshsL0eWdU&5{VMT_BQjN7kQsKJq0!OH8<L;JHfs+55g(F
zj#WG!N-d}PVD={z|GN$uW(|Fu<=<)ONxQ2p!jD#R`RvQId&_sKN9Jv<)8{J8bw^RX
zT%);$`#~mMuNJmrOalpfNGyKdlSjcJ4#nq`sMjNu6K57CeBo{_tVQyMEM;l6h5?l@
zL;<ayYjniU6VWA_P~2_3v((@I{GEP<O>X-4wuyt2!|m{9p8Ds>FA*}$A_zC*(vtVq
zvg2O{;sxL9e7LvK?=LR#*uJ5q0k`lq@(`-Ohoq@rZpRHwmZ9}Sa5uf|P!r~KIz4jP
zJ-E6+$}<(}sxuozY#+cEje=brjIxfqSHXYN`dEjT`5(|+8jq4)XZ!hUw~Q|W`PVFp
zrZKSh!9wXDkZi(^%4V(az{~gV@sTL;<z5`gME_vyQ8{0^F|E|@u)p8-Mf|20XSAh}
zUy%F<bXO8)#8i?n^U?nU(T}lI;EG}dVLV8X?)x5*pYwnF^L_{)^umWduhpvT4E2Ld
zAD&B_9Bj;-R}o}BJ|HBW{2BiAC$AKfA9K3fJ+G-Bavqf*NvNoCUx;&`awK_XZKfjF
zm)9GQm7ruN4OfV%SK{H}A;goTn2I}vDtHL<PRw;S^bi5moff$FKflZQ(YyJe3s(W*
z|HtaByg|il6Gl9_)1zG{k|KLeQaK?CLXJl}1beX^PZT4+&})|%g{!+&I;DoV`J?-p
z94AYWs(OVu4XFOCFS`Es`otNCGGZd;hO>WP%%`fNubfapN@D!Qe1urQY)4Oc#HIb6
zKH36o6<KMQ?J~!UqoWnz=otOTve>_~CCQJ<ww!Ngq!n>-bPV!n$5qv5f7iw@pGlmN
zYN)5H^I~o#dEsaoJCRPMze{m-2xdCF)?HWd;%FJ<(O=(7|B(H=@L8`>;+-`FxY(sH
zj{XWq)7R{>+`YIA4di94ELhH8Y!kX<U;6l+V#B%|{VF>(fOWEOL>piNrB(*t(SOfV
zPQ=8gcH6WY%#S|eK25vpI(SBA?5S$|M&$YMYQ4%6&-2s$GWYET6^kC>)2r9`ZQ^Xk
z;oIb0fLY{UTqe(P+x)dv)pV+etj7*&V(RFUn?Lr67LFa)ET(^aPjPnU3dLk`XN}vY
zS?WBn1mjBq3ujApqRvYy@rg~1ubiOpV-$3pi$ZRTh2FGP&EoZjp4E(S%9(nrF_y~5
zWpc|oukWEYou3`^J{je132x5J>38=zKXv_4<COR0XRRhAX{J|XTnTZkv06L)kB4O-
z1<%7E)Om$onwNK}73uH*eDy70I_eIm6qsu|KP{nX>q+L5Zai9Hw+7Ck+}vL3lzY^u
z$-9A~sKl^NODSF0y4>p?>gZ;Z{s%LuuIJy7n96m1GX9qJfZI#!wYobSkTg4?D4Ux)
zKdU;T67|%<xN?2T1y5i?u~{`?N9_Di`EV&aGDjhqSB@2lQ?_<TjB$m8h1O>y#W(@<
zMhQ%L@|hGWrrcKSO%<dE%I1n&1QjOt*j~lTpN>TLHpS_R5hHc#%Wgc7fat_dcVZ1{
z9HsEq&JJert;Z|hUl(#_SqpP}F^g^T4P9!u>Z$SW`E39fl3h=}oUbvz@ig0!*tx%5
zV%e1-Cy~gZtLCw@G{aa@v;ONf0BtRIpW*lV%<t6mNOdNweS-LcR@2FQg{0JVBUA@e
zI%vEPGS!MxZrjEHB=d0K)G5s<GN@6jX@nY-qLkjM=e6e6LJzxr0B=n&iZDCesskm)
zVl^(S3AI0J^7i`mzXNe23j>dfX)hmvxhk%IqV%2zBOHFZvh3u1x5P&lD2D*T3e!(7
z2C}4ZYh2gUx2_{xq7|7p)2)d*u3FAsQ{0<RH10e--q*zJi)T-qT6x%)Zpd8~(9bk6
za~9Kd7!QcK6IqwA>Xqj^inVBtLCsZTKjW`WniT8re-1OA>#{m*Q_Nym>#X+ip`za_
zg*>S3Wsr!SX`z>=3f5^`?1(#2Rwl#e{Hz_1@KiRh;rYH?-LpS&g~X(|b_ei%&F{=d
z*Bio=eI$(UjU!<mTOX|ISH3>s?1^=I^DLj{!ho%G?<4CLlR<$rF&`rnQ{XRTbk#eE
zNJoJ!Yf!?g^zkqxZlQei(d&3m7SJT(JUIUxNWD|G58~TZ8>Q3dL?d+Q+fBIgbwEuN
z{JgrZQmA$FN2%%kREEB^yUey@<*NH1zQ!`k|0uJZt#9{4TT_-<5;#*Ubr~F?7Ic&x
zt9n|pW=+obkl5fHur7Oz&0v0}GSSrYx8q02sI8gou&R34X6YkrH|}8J>}Lj3mkIUU
zdEukRqRZksae^dsD#B~#R)z|3&pvcxZ>QX$=^~(ifMu|ewC;I!xM<mzF0wM%n|4<o
zHo%~e-HE-IL=7LK2<k-Gw_<^(lefljCGI7$`7tkiWqzaKg(BdskS$(g)~lX(ut&z?
zypvdN{k`*Ga~AFxPP7rmBYB{j=0-o5+u&fHURhJ@j{l@LuneE8y;Ea61Pll?72Uu`
zD`oe&XlaYiI94@aRa?S`Q~j6UENs)eQ)%5AkmqX1Nl@{XvF~HL1ylD*Vt8x53mx@w
z$V&+^KmX&IU>Y=1+(hBGy3+;iDDwEfE*VWP0wTs7oP_LsEJ)F0xFoQY2qc)gk?bI)
zx;U2GcEjRf*AK<hZsSv`ioV!p1~l{G#yECu&ZPGAI@k4f_U~5d?hg!IkN0d{47(C;
z4($OWIQR^hzo9+k4PWA!cvJuFUX|_m@aPnfu@&pEe{b)ZT0(7P;{!7oeroJ}m^&um
zvZ7)B#*qEl#|ru4g9SbaYsv}=3Z7iJZf70Q^d#Fn=Isb!Ow3y6<*Z))M$a0d61Yp!
zA?~_+pKMB(tder*Wc2b?RZ*SJzspNkI~*=Cp4y&nxs=^KV(er1XR6XR<-<C#Alk=B
zhS8ixi%Icy&YsxeTx|Q<!H)85mShoP+`A>6j7D{Bs%iZzP}j`B6;Yoyd96>1D6dV_
zh(KW2GpM$2VZS?d>??Y3yxznfVUnkwac<aCrS)DfeRZT{^}7fWlY)wS{n1KcyXaIr
z@Lq*ZY}&=Yk@WMrsj`8WEAYw%kq^6*`Y$C%d#=vay~o|u{<6@M!tNebqLi<mCgd`B
z277MxCpGNU1(UO;=C5aK0S}m7>R?Nq%Ld+ws2k)-xWz$OePdI`-w?Y$-aea*(?Dk$
zgP&RFR%tOQr$K(v!)+d&)dhqr8R5jVLN9X$y$yu$w}GDrF^Wn6!9K^vFQmX;dzcfr
zN2b%appkhGz2fDmeZ|TSgy#ZHoe>%P$HjUTa=JqHt|{Lkn!C;uAi3JOS0kR?c&9{@
zc#_XPeMjX&C;W9q59+@$S^XamIiJ0!uce?SPn*7Ze{0ufX?6pRZkoht@fGRKP?G-l
zeV-g#1F<`Wf`cMxIP`UT?LX0nQ{C0#mQGCy%rm`ef*VOV@lz;MX@dnLW#U_(zh!jX
zBI6$?g}1L~btS4pukHj`W&e>$I<NCOt~|=~8y^#x`C-$oZ<dZhrI&}~t4j)U&w@WI
zrhYv{6dO0K4cP%BqdpE$KLMg;VGC(`UOT;)jJ+n^k0E1jpU^-PX{T0NVr+sXnWU#u
zPtYfRoe@srp=gUNJnZorsE=69`ru>3c$utBP-5A{24!7A+*gZ5ZFwNKp)6=iF`7=Q
zs6|*w$l+IDritm*gUWF22R?W^Jpo?V7=d{v-ch|g$c+~}8kk4*Ew5+0S4bH#x8j|@
zkFIw#%t&#pn^Ak$y2(85mOoQQ4nDOoiyH=yO6wAZmcYWFUvf#tlC7y*m^7YOH=M(S
zdstPNuMihKY)n{{RTdZX&V9<8wC}Z;<~q2&d-OrDjrkE{{y2Z;DdV>cUe1!J%AHG6
zD67@D-6bjN<@?H)%K(oQ6ok2(`d|kX{TZ(+bl3LzLiAA?zsz&{+o|Nb^b^#Dt{DQq
zJkDY_3Il<M-PgLLWn3m->aHYyICvH7XZ2;u+h<<tx!AV074w=?Sj+>HcHo!>o%*%p
zDAG>OPn*t}12FLufQHlM9ikTtYqaW1w{_>le}IWP!ENeJ*GaKvsYAS^Um9cVwW~SL
zc~iSMHFQE61rP19Gmfi|Uzkjz>VzJ(h+AOdS4C`fl?~sPmHR4bPg}*QCESu)#qEh>
z(zU)B5qO2Kqe!n;nZLBEBGA|yR9Ak7qJDR)ypw)ZXhni1j2y1-6F|$uyKP=q7^bf=
zhP%JHasNffQh&ClGlPM6BenpaF!RgaP%E5SIeYz<*M3{U`s4dIEkion^QoK?+$5Pq
zWzRpgEmEXYdY~maeJV#}J?@{hC%Z2}kAZ5Z=HwrYE~_t-`I~FOan}QsDNW-SQds1k
z$HeJ1QmtKH6LIB*l>2DiKaQB(9$dw4GHF307qCmEh_Wuk$H9tJT%KF!|InDaTeGSA
z>wR#NSi2`LhR2K>*ZoqLz~}&>wb2jsTJhY?{nXhym^GiG5!Z?CV7LlQGQ4oVFWgl7
zeBX}C#7!7AvSRwjL*X;TW0qos00Wxh#*^HVp>WD+{ih9#d{(`ekAf~OY?ZU~eS0+I
z$vJXg86}ilpa+n4fuLT!5veRDRi<$=5jBtd{!iB-&Qlo;mg847PZ}cpSSF>zYpfB(
z$={*W%`_r<d5%6+W4rC%Um1}hbn?`!;2!3aqhW%+So$S=t+KtqX_8i%?ZrL;C27jz
zlm)rp=bV$?2T;)!>X7N2`c1ByV3~cFgDbmB`5m!wn>I?3xoz5HESR+n>rQ(N#_f8C
z%TB%5WIy!;C8AE#5U#IE*^?RQy7Be3y(9{F8`givKrN&Z*qZF4FTp89X=L>3hzte`
z3%r`Bt5KC6yEeOFMdKXl8I&yxM48`qQW-f^-0qv)pk2Bu2XijDL!XJ?QYIdCZDKMc
z|8pu;5qCBEW){JA7yZ2<W3(H-E|I9qt0hgvMn(P|_B$^1c@zTUZNfy?^A(uar8h{%
zh|~EC&*fQU>rD`z8@~u72eSVh?JQ^S-FNW6v9RkE|H$mzm1iE~6;%L-$T!@!atMJo
z9-QAc4}M1~Q}LL5_QL0~^mhn2$CT_|ZHy4V^R|O_`kFjN^>lh5I%;n4Bk2j}OdV5f
zbB*x*y<ZN&;(kJBQHx(=r5iA>YYD~i*=<}iy=^@pS#$5S=KIO~Y#n}dteXV79fSQl
z3=iQ?`$Bfi=_py|yO`J}E;HfA)tkShXiMcB)CaHy=<C}MlVp<5=o3)a1HRxgZ}gKQ
zB2C3G{ADs%xb&!}812%<&JMDtquB>9of64Q9^G?KWKnJ1kIA2W5%XXmk^#M-$omte
z5x4)|Ck^yCUh2ZO$3dHqDBs?(KmTTDmZl9?zFRMV@w}D>LoZ8gEdH0e^bVy$wlC_L
zwEcS97m?Bk;y2Ip4Y&B-1QN)+V6Gx^WQ|it<5HAyD6VDF8@)m!Y9RG%w(y}sv^4GL
z9`0U!2mRF=!dYxg1@cEDjm6mM8Gf#)=~#C~wX(JqyJJqjyiU*NuzsxS9(Ms6uc2*_
zPV;DX-%lYjyB)PMQu1`N#|4wfelWE>Kv4A-5*&tHLvz!=My)C3doz9Ng;cnpjqoxW
zx~(^nZktADuD_aWUHOczEg`Mn5+e#(*_jG1n!{$oU15m;6g^3|;MwR8OSzPjuT^D(
z6Xo^pm;dVp5RgY=UcV?Jaf2@QlKL#~8(d-NfpI8{Irl>olP?f%lz1y(TIN)$5@1V^
zs=i+o@CR2|jUHZrSaCFLW^u+e`)Bnr|L_g>fPWCmaZ48bhmT-L1svP@V^i+$*HH<v
zSOEn`{jyy6htG(z2gHqS^@aTc_R7%a0MPxP4S-gaW;EpGOYC>{-NIYg(~pIzBbm3@
zf3;GCUE{gue@bI@x2`l`RAc^Nhc6{GEdNQ2JE0pU`lyU7QV^jLdpek}niIkSB*Uv~
zx|gtP&A(hZ+;2LkTC#6jk8JZMF<#=g8I1DSUC}in{qyIE?jh}!+RQfyzm}~ylcQuy
z3{_9=mIP-8R)Vnm#YPPjB%xd}M|5YK8?T1jymy;!QvUgqI(pXS9i!vF)|l=zux95o
zoc?$6np@z~sV43ahhMz>2`_*CJS!5pU}gefCGJ)`uuxpQtb><zb*H+|FD4cf2!Utz
zvnqc#3@xfF@}=wX$GwYbz5?XJpXv6@M;9;GkT2Kvto~d~`gNc+##+Mf_g|0+6Tpd#
z{ruB6cCiQUBmu(|KpC9nPE_rETAM27Gx?mk3VA4PC~|X1%mN#vNqSR{xX{8gw-7{Z
z8y~2*8NoT>?E_qKX`9RS<Q&D6;ngGO<pEi!VJwFVG(U7k1X3MDeF8a-PC}zo2FY?%
zUIlInJ^M6S;f<)FQtF*dZxN3jBxTS#+Mb6xD^$#Q^y?K@*lNafMvk%PrWBMVVWNy?
z35lGBq1SX-S&$PmDglGP5_+Qp$wI4Th@<XyflQqv8{0nG3k7hSi@_@k(Gtm*guK8_
z?Ardhgn4C2J#2pFQ!pb4$O8?}UB9LZepE;o*0nbR2*;pb`9!VELN@uf?Q4g#T9?%v
zfaftH&!1UORDUS9`>6+XC1VGsk?&pCwQGy5^1kLWep_wKryJOVkhx`x4Qg^gm@l*H
zqjph*vT+Wiw1G-neSUEs-US@wcqMt@eqgYfc=l(E)%BLaz)=+(A0>AwSJ1Q-p-CNA
z*o1h@4^_M4TnB-lneAw4X4x+uvdd(rAm_%{oq)2x)r!m20gz`NfYCsWla+3@eP$C!
z!=7Q?vzsRADn}ic<W7G7_=v<@%i~ogwceob$~l0MMY;CbpOtv4{M&1j4U`2%$y~_s
zAf({_Wl`9BgD51_$~wf<F8}#Xvrr37{<>JVZ1x0TPpqO%aqKl0ox$-++gSMhE??A3
z3}9?fYxHzSIwb%#OCiacNa3vzS|0|Te(*S4iOc=q1GWLw?Lg1P-Zb^$qm}?n%ejtd
zw9jc8%b+F`vaRG~^*O?R6sKk6VZieXruL8lx_e&J4fv<}%0Hvm#JuYrDL<WtoxG3x
z$XR02;%~DH(9-c}$66vIMak#vFwgP%r(M{d-VORUUy-mcRM<}XvQvI#>w{(M1eZu$
zh1jESw2Z4zTC+geC}2fWxr-FsVwn^r@i|(xxN+%_5v~dATTH}OvG3u}U!Py$5<lX`
zp}3RrEjl9*KrK{y20Y&O0rW!G2^N}8_fp72s+*%@n9rx|TmVzeR$n<P>m>4XjB){C
zyfcWJh=?B04=;7yfFpVG3sa>2E~olE>&m4kq!MThS6@MF<Y1V{#BL6iBtC$vLB}DJ
zyXG_q{Eq5&KN**ihSoZi`siAV?ctO|x!0~WH;6hdD3A!>1_RKKI@c1Rhw+Or*BU5e
znfHSkypDD{=dY068IHax9Bl4pBxJA*?9V+ZD$X&EV4#u{;YQ{nu%kp=tq3=%1Sf}l
zy0CkW<9w%DiIE7nkU~Pw+C4V`H*1QMEz}fhy)P&ZGE2K<9n(A%v9vW*s9l)<<a&80
zQHwK{_<eGfEf!2va~<iGf!tU1yTkfhU|cBtV}F{Nb%o42;XWF}v^;IHv@+=t^~<b3
zaDR2d2`ooTO;t767d6rQr`-(Xo1#9u6SgbU8Se{mcp$zk3)<`z9&9?V{`k#oXY2la
zMNxi?I->hCI^vOPT}HI76rue!V84U;u|7N8M*W!eAm{F1+B-1D_c3+L5&S-Sf2%?!
z{l=(yB)0$8tTaC2UEtrc(`O>~YF`vraa+OinqXBwkcCaE)-c9<jYT*Z@r!Qyt})ff
zq43|7hJ9n2f)S4$e?90Sou3IdqAbP*h1{so5!gnPkF)N`_<8jyT54>B0I$*XLo_`J
z`qsNrp~Q9%T52I&2KvE@UZedOvP5g5_026$@M3&OE;k>W?>wJY9G!}!r$a7Eyo~?|
z+-j!m<{2h<&+ZpTBtk|Ug7z>&H3O;`B0u9)e1;Q-TMEZrp|l|-eu?NVK@FEYWaYz-
z61PCozrXjgcWy9zt9N&r75RCC<Ap9VUW<!EK1J={@EynY+#S+xWwEQ;M;m^Fh)IAk
z3~X5~Ln=VONCne`a44tsBdyqrN@NS90BNHXRkMqXk_gfGne2V$oYx~I#)(iGGtUiV
zlweDdXLj%{;cQAGk1CCZEfvn4_IfDgX(Q`_&36#CXt)R-59Z%E-ut6Ia$UqjW8QQh
zld;<}RoGoE-T^ogx3A039a*+^ZU&71oy{vSikXbmKufR>=_Bn+%VQOVVUz-#MllAp
z&a6g@%ySk_<Vf;32$xI_q5)w{yn`ak)-B$}zY#PL#^8L-lvzsEEi50bS6gSt>s@f`
z&hIRLe{n4spGGTT6)5j8uW$<f7}e|tvi~g(Cxe9P;E80Oa%2d;LZWb9o6rTzSY8Cx
z9eZ(#TaPjte;ED~{>Sifg~6f23nK74y@~=bgiTfVR$XQp0ixt9*x`mMN>AW()?{AG
zm@KJRod7#bJ3c(>r;9fRf<*HSLJrv=eX(%W(<x3c#YJ=ImdU&%WVARr*!;EW)+VQv
ztx}AXV8oLks|J(1RliCRb}s`->OT0NIF!Xs%N0`Z@UReMd;_ltBa+e5s&0G)v{c#S
z5za#(!Ym-I^7@>4)_`;8){{|{bhlsF{K0tWLT(!-F4sp48$2{Qjp|t-Q^f)M*$J93
zViCc1X~dw>Q#ajfPuKcqZH3;OyROAMD?{?$N6XB)Dw%Pa2M&|zBF`-#o|ORr>=KTo
z5i6d1^8Iai4CW#|z6cgJLtgRS#J?+Phg?Y}>h`US`YY7J`9-G0xQzQhtlqG`;>$F<
zOeLgY(twl_b#t1|jtV!micv3N$P{S2%YjUZWC8t#-V=4U*Si5xo(llPap~I)ua5OC
zz%``RO+0TRgn9bvK?b!{72ElCe+&4}F7VX6!@#<RGS{1?58s*<;A$Yc6aXwD>y?g=
zW}ia`@|0<kK}8ppqIwmX3RW`B-B$kS4f$l=Tw)d#aqf;EwJwFKPm$ApCstg}Dpcy-
zZ(0;~3O}PD91`BL0C{q)Whjl!e)E+y?>>&txZ?uJB7CCB#~5j;npm=byt)IdH_pVQ
zkc8lB9Gw)7`^L22<W8ON^SvT9riFk=k-em`z_28%V0763j_*`5{R^xN%3zX}YF2vO
zTV3#R_45uof4tWhAiw=2sc~Xcz8n{W59tv@GT0DwEPs!Fu%VrEn_;EJu8u;vxy)kg
zEd1gYc+Q}{dg+Mysi2*UiRnSlr>rp*dl?TS^3{b5cAXb34BdR6${uJ`o>2)pw%NPt
z&lBWd)_ESXcbi#fq4Z3J%MAgveHQWWP!e{Ar<3*V@1SfkL3ip~KnV7XypEKb6~d4)
zdDZe6=st7@Y_LUX-O`G8q4R?f#t0$oS{<Q^g*~bm7*bc>hEei)+uxsEsCVCf_%)I1
z4Gv0*pwnANKj1?3d&pNOOjtkN#0z>F|N547RuP|$g~|cY%W6(dkmf$rDp28SV4#g=
zY=HKmZuy=*r0D5XqrbAWnGez@diVM;-$IY;@6j8e%T#oK1ev2ibc0)5sXH=~T0~FC
zWra8|wcia5ZHt?$3F=Tcv2?O<VI5{ddpgJz%$1>dye$K5_1RDT`Cqa;VHt!9^eYsD
zah7-jw+%8v7KYzJR`2XQI+%^z<!qAgRxL4ZGD_ewMp|K_fmcK_*cKg8H@y1<)-P*d
z7%Zw#V<`kYp}PA_W7rAIOmo2fYFX0$s)MShv$lPLpRPL^Z65m-xw{!RTGcbSYjR=W
zD^>|#6<0$XgI&=tks<BTiv%(YFCWwOx$}O}&w|`oh&3zo`fivjqr1c?wxoPhYpO7{
z{QW1Wv8RZv+&81jF9b2}`zAPZ$GKfWR*Y@LCZYaF#n~MoLfQyZTnM674yDB+<me%k
zF!t1N>5CQEjG=UBSl`V57BztY+mu)Yjik{WuKM}|o9KPrYLokK!H3ixlkg&=#Qm|w
zC1#~=C?N0UsB3U9zs&sdShg7-^?k<EpSAOg`P<J-MJcuikO%aFto*0`cBUkO0__0t
zEfxAQN`lG%{R25#LXul5CHhrLUPTP|KBzw-46#8wX?}ndHOV;9q6;!M-IeN}T%s{F
zy%@9}n2d?!h)of6ni8{jrw@z-8pp%?f_Xtcy@OP_x5okrrLLmZs}ZSAL=!V$ByZa7
zL-8UDL3B|10Ueg06eFrOK}OxUW=~J&m?G^p0f!7_tFfE%+=n+pk3kHH`726`6u~}e
zF=%%J2on<mxr5Np>O;Ro2Gq-C&dX}@@?+>zr7t7eEpEy*`yrOro|$B;<aFHdRrWy=
z$X<&=jyZ30U<#t|L8Yvw7wRaKfMW1PV=%&&8s`BT0a8%TN{MW}8-zkqp|0oe7$xqE
z%=N{47Pc`_C?qa~tycXES94+Ivdc|%-{;&AmrA=eq05FX3DW-ZBU{~J_ODnfs?6jb
zqzY)N(r~(!*Ks6{XsGY=(`a!mk$ivwEKc<Jv$%;FL`J@V?bw_>D=RgK_pwNbSmVN?
z-$vw{h1?3Xe*al`<g$vR-9Rq4S#$RV<n%=lBJq0WoEsH#FTh_QpgrdhRK9;;C7}!p
z3@R{Y*5%^s3|GzIw{Ku{|Na-RXTpUL$wiD@h}==)A;|1?jr$|>KZL>mU;ut?{~}J&
zO>!Pg!VqrwZGvGFVu3Pji+?dEAu_FtdL8ATLJm#@_2lqW<YeO$;fRAp%xzme&@Xc3
znL#g(0~GU_?JnUnfcN+J{*04hXQ@3P1iM9i`TIM`<k$@9%}_AR16{W=k}Zwjl32d8
z2T`7(cvjD!tMQ<<`U=h!xg(@+5Ln42b-IV{z?_Ff$NR_lroj~a$@y9@(~N<JtW(g?
zaq^A92*s%Q`d0h1$$EE2I0<6gol!0>3hMMus7B@hupJSbyB}<rBCXcW>yw7OR=pgt
z%*tAe{Exngmsxf(f$ulY`ukh*MdUpMv55J{N2^2t0`h<&Ea58rJ*Uyd1%+CWpp#|X
zIGs9D8tLc(A{VJ4%L0M%SI>J5(7XdmryOtt+xTW}<CT}kv=m%tKRnsQ))3u~{m<}e
zvC#gERj98$s?OPc3SXBnNZwG-xW%lHl+hXBxSMG5{$XdFY{YdzI+Y?Yv}tGwFZj=7
zfd#kJG4YL%i=2_$3_AH8`wV13A>_KoflJ1@lbAcw_;{oky_-mm#$Eg+I1aSfGz%C&
zA=Mn=GOE{MT?5~NELZ^>w!+q5XbNg=WnSl_xh&^AR`34NXg&t<1PCVEyJ`<*(1sBv
znyqrT&Zk2w?^f6h$(g*I4HmSHyKCNl*^i%^rKRD@D-Xb=F+wgj<lH8{IdbuGorzpr
z;LMF<Re#$7QwlO8HNjjYB1jXYUvXWEW9=dx0&e9FS1|cozK07@c@S}(RVDu!Gqg#}
zeRq5$x<R{yD0~yD_kDW64vqCsZ`2{|a~&c#@Wth5yi+q`w(N*%c|0BwzB&7ay^3d|
zuVYG1aCHlZlp|j&lIku~p7I+~MC~%NN?@xJFz7qnUL2_#DuXiBXnX;$Iw`tnt4P19
zxcfD~yzVjZ4QgfH;A0zT^m^{3g>5v#s}pa|_=ZzwyMNpRJ5kJk>#A6@B-%5ihbNY4
zn+_F|p!viO@cb+z0kIHaoIO&^p)1Ht&CG`xrR-|JBXa{OnbCdg+@%-H>dH04(TNuj
z)!{EhbzB|3nOl0-WhG}~7W6!=?THqxHaQIB)z>-9zF;%j-i$}*RaZS$o2jINSXdcA
zw@vHELjNsCmWTvh^x1D6zt$ka_UpSzJm!O*JJ41VKlJ?k%uBb{`Q4L=YE^>fW|XyE
z&`%4dKfvzo0z>r>PoZ!Xlpb*t|ADL{xBi8!6xN?!;2~?fLYFBqt&7WlN`6*Zk@a?U
zoQ7&m{=dS})z1j-#nAs}F!qu72PH7FPuoa4AA%66sd4*?-uz1wAw)*zWfu3i0AHRW
zdY9z^sY&SQID}GQ=yp1*G;MN|1!DkmM;@|&nG%II2aRej9z=}$j)kI`qr*YPr(pa<
zq&K0|^wV`t*3YjP(0*&5kLZP9e96{43gS3-Ww`Zt%KP~J?}-}qN%zIHZ^Tz44NhyC
zXHdU64gO}{^!=)CPLRP!g^TTqEI`vx7Czr~UYge7u~xlXX-%iZ&9)r!m={L@jlq}f
zV>90RTn-6;`dur!{}$8fctK<?akcogyWCF0G469ROH*7_HzbBe%zuPMgv}6#LenDm
zH|^66K#kchR9(+}kP<sA!!2Mt@^Ml~ne(TVZ$f$9SV{#WaI-|HRKi;2kNUaeJIu0>
zu<BMN+bTH6qH+-B{tJ{HG3Df0S@z(0dh|fcAIc9_z^Q2ig#9-#<DH$$=^q29F^z(z
z@$Jf^Ko%lDIiXI9xS<=UgfbNHp6n-)G5Oq>h&|GWr;vH?Df!|E&4n21L;QW5l1>8Y
zqV$!oH+sI|ArB4VH;AbG*qq25LyL;oa94cbz>IR83p*6W_#q)NQ~F;w+ZlG?Jqi5=
z+RshI6O=Y+04-x_d`?u=@|37nvg)_;82<zXP$JXT^kuXI@f$w9Ccdtp&w(Y_0$0IT
zxE(%?N#y5z3QY;R$X${Ye#ES5GSI*hH#(y=2q|`0pXDzp79~E4Ew1VVc)DQ1p3R1B
zxm183_ks}*kwi<1yi%3*HYTDi{a*4#R*VT0uO{J-caFKmhYRzHOxYS}Ga7@Q2zIsS
z*z-((-@?N6b6V{Eip()gOznmB09m^rMnTwOD|<R6T4Mgp7OZ(vF^3n4S(4EYIA`p1
z!#*H<ijI)m^=N;c=5dqZUC2IkUp+6#+pHLIfQINz;;eCUubl?`@}0!~$?Ob&nMOMl
zQsuvnGI2CN!26hVpH43_doi;;*c1f;KgKvft;oB>k%XiL2p`abErl%#yG7vu$TB4x
zK)44MOtB3J@SYHqb^I}5$c?%3g0K(PnHDve-~brfIb;$I{^Ii=mi7}v_!9?c%ZbY&
zfpe>!aHRfo?te*IcCd#}%PT@4js`}y<Ntz=t^5yc#_FX3GVrLAR1WN7>+vyt;0YtX
zsi(n>@(ueCnLS0kHU0tZLV;Y)(9@y}+$b}ca$_Jtb^)CICH!`KNZzLmgN<ke;;+)i
zj}D+n<pFOYtwg*wgDjd>ZY0g(c|h;JGatPYm!~PBSN`Y**b<^ZD(-|z!KKpFP)#<N
zL;&}%b?_KloJTQ<TVfg`81244I#%v;Bw^cCi8MaFRip%GTo$tL0@|W7iIGiI^MH#r
zJFl$57Kk@$@c0V&o&jRE`p8VmkEBGy@<-8^sfBfFhB7(eH}m7BAbREkupIycm}cb=
zk57d_7tUuK-P3sYl|febnIJNY>1IDPT>$q*78{9q?#B04KY$yLA0=7fX*$@Shf*y^
zhu`IVdhr?^x!Zlc5CE|mfzH(cUiZ`MR6xmdJt-qBInt5TompqdHa5s_a))mri?V4I
zu>iNIy6AJdJAzht(jzcMd_CYE(tuKy4=MD98~Or}z=I!PmgNETSpuPALw)_}FMms~
zjcEzsZgR>TRqxDUJ9l60wUX)zExQ!|vg*0WRtLR*EqzNU_!cXbl|Bd%=|zqT2KnH}
zJ0B!}{L3%N+(NA`oH3dNs`GX53x3?HB0&-k9TnSqrlhQDZJsi=un`RGsU{W{c7XGf
z9WK(H|A!N<h_F3*fltE;?P78N@V`(p@^^;5Nbv-!fQ_=ye8I7MRZpvscgCaljabtm
zFRNBj(nzKIrQ#<Hg~CL1g*9O+CEMZVnM~a$e*+N$!A%zCDy`4h-A{+Ke%-d4SaM;T
zm@ci&%*b@^!A@`l>L>0Vhhc5Gwlg0wvQO+C+OW#mTg8+);9=!VT~`KWYYNW6*~ggD
zWDfcEHkoD7W8KWaOYy+jjOnb|RyTv;i2ZBqc}b5u@X7Og((OV^U2MvTDf9wNiy=pH
z{}=8-3C>A=AMYTe3YLH$1cOdUq#7vXao390!EA;b$F|^GVo*c(#{1|UlBz(DHnkIk
z<r{#UZJ7&2iIzPTG2OzeFW}S%bwkxpzk_U%P6f}-u1KHiRpFYJrI{#&(@K(0a1mf*
zehivx<;|yJ|3y1%D#uyH1BdYzIwU`Q+8&UN5$2SEq`lqN)>fVIw#e)bcByet?6bLq
z_$Y5W|K`<ZRw#qhN!Yaz!ZY78?{92-K!2%iDwyP+DMLq|FjNP7#B3TJe4YpPec-zo
z+=M9JuU_}e)};t^nsg|cC`bNGHjJw`d3z}XYatBSe6t?fK9I`qeZ%9)=j-mU^A^8G
z-3Z77E-4)Zhl16pry1rC+I`+1#PX{oS6i%4HWW~UTX7e>oo(vS659tJEKNJ4Qwwto
zs<g@P(A%mEmcejyzpXI&VK9HVH&b?rvlj2+I2&>w$Ij$1kW&SIQ0dMz03r>@Gtzc7
zU5#=glcvx;(#kw<>}6*A54F?7PjF4#&^AD_orz%!Dr;C;Q!3E1toau`VFH@EgK~kq
zA+9r!pgwSACUH-Y{~ME|9-+A*I9?OoTz+I{ID8=k(q;jml6Kx!bwjQ=t=}Ugfa`hR
zRr^oUx&>zpu@l9)i0W5+khrqOMOWbB=n&-5{XNn%7l|n=8JX0pI9DJ1{k^OGa5R1G
zA&c<e93g&-Xu3-w>*CvfA&gOjZ)C!B>{XfW#5>3FvlIfSfAtV?;1J&N^nRU<xNDUm
zLo)t9*<}=|AwJCLzOX`r?;KjaZOLR8;5&bD=WSrDE6G_t{_8uhL;BADE4fAaBFAlu
z(fRu#i^()|0@QmJZ6W&4#F_8`r;*~vd-v~UA!`Mw8~(redD_=l^@j^7{>n_=V2U;x
zLbeZ$`7HKQ@svDIYr}&Dkc2Byx^?fNI9k8#Gyushpn&8cbX$VEqhD8cI23VR3Fcx3
zPjXX+_8k_Ig-4o`-QjeWP^yDqwVWaOqtUAlv@_{4i?4J@SP1X|w=vQHY->oqvh&h7
zl79kJd(C~gKvNzZv9?c~f<Pe%lzZI(#gmK)B>5ZNBIUZupj3k8_XYsGguFN2dQ3{G
z*R1@$MA9U}7L@~Q?;O+>NamKD$1D)3s{#o}2ev+K_aA)<uK#)gkj=<I3UR{mYJUx8
zK!(UdHk{=MV2<)lfwii8SD`ynN_fE?>2#GBmIAKo02L3}WXjfsOkq}UyqJ;#D&>G*
zkAYN$-K!kW7OzpHqpI6gngM5KqZF{y(AtG@L4!8uUjjFtT^kvdk*?jZ2{%(T_k<sy
z6(gyoS|+QYPZB6NLNV{}>GVU#UDUlG99bkY49KyQHyv1N#zx4UvS3@Q?`^rw@f#e>
za?sg^xP+oJSX#ucUCe=Ol|@R;$d37v)oLhC#a#uCK_XTXXI}!J{Eu|kJG_CE9&lDz
z20~!FH8x+pe5tzKrNt}$jz+{|a5WB8WElYPnzs%BlW@UVHTr)+g%A(MYc<y25NOn7
zpR3MdV4rZI>J9wHW-y`mlhOVrj*1Q#-_GyeO>m@du7W7~d#cG;<%{?`;4hK9wjZN6
zgm<KZ7k0s7=5YFTQAYoQkK-?s^LD5!i!eg^s6lp}Qv)It|KTWxT@4b>-&(mUMf?`a
zBkq<7zKQWhY%NE?jTS%?HwK5<>U1X=KZv_MF{jcA9KV)WYT)YTBQlOhIbUde40=>&
zg@Jwa8%3zKPkt7GTWgc?>P;MqU4Uh-%`2a7z9*v2zQ<-%U#(W|Ax69oNo)7*2rt;G
z9k&-0&5dE}FsS9BhsoIo!4?EQ5^IL{vFp_kCiFiMq~<qeX&sRYl9Ilv8YZFmAa7Q+
zHJ(tZ0}COxBr0lcU3Lb6Zcq;W)e(BxsLSh(4;{JufTnn-U09ol@;LopzR^(mKSZ2f
z-_Kg=1bNiU;IRQK#md0g$FY};;;yb{*jpajMB;6HMs0ADcxXGB%tL&;cOR&%TL#I6
zudswS+lVv<Ic=V5#Uol};qBCNU9CaFjI4;Ux0at}Xk{U$GP8P<QY#|z^RwUa>yi=L
zV?czlD!-H)0<zek>OfQx2KJpmnDP4*{$`T+sB9}s*7C!Fh!~`pr&fj16)A_Nrz&kZ
zufqyc`mankcN<M*5cayGeub_v#41Yop>eEO-DqDfR2G}RPsaFvg;A@dt#Vn_vL48J
z2_pJ^Xi;W>PU31X?+;Y}0)OBNUm&teb&v7cJhX7I^})tvxXo@2{U7jr2e$r0Nk@zW
zw0^MrmK1OUh(|u`LEGio`s7Vyh8+6>VGd|y9LOvvH$T|V+_MJT0g^U@(w7MyY!L-f
zPafo93+Ts3E&gSfN1*fZVYu-Agp(Xck@<Ai_ZUX`97v#!5H=fL$^ShWG0d)5kHh|&
zp*sXb%cXCb15G|YteORJ#9;MBJ~PA5vJ$K|C57;u4LVR%qr=Gg<iIO151Z2wXfjKJ
z6cXRcC#HU%JSZWQX}s6d+*<5=YGBoS08z-sL<M39Quz`JY(XQIhcY1txIkXpv0Jl*
zESZ3-kjh~W+`5Dvt-(*gIf8sLggi7SSVGUM&DCFA#-6w}K#L<E&(QK^6(S@TJkmqe
zGK-pJ^{4ApJhFz&jud4BbV7W3ItOB&JSh7N@(CPjS(4b~fJcNLYWfszspM;(;$5Xv
zgGkOe4#nA^39ju&yPrbVll3*8$A78{Y%%dD7!G*;7UAl!JI;rA!FP0f>=9h6BN*S7
zM?YkLP%f$8Y^UV)*m>0OF2O!|ZLC5bq5$UZ*H);8o>T2t`9(HoUyiGAT{nXEfdCG@
z@{T(sodrO&Ii4Ii=+-@Zul81Duyk$n_aFGe&>@snT9&PflhA_UzTU7uh`BKHHW-su
z1-$1mjx#jSTA-Wgw-sa-ppDwO`QOYU(SP8%B5{m3mLV-jY>EgV?Fbi!hni%sV6R`o
zV1&*h?GcQECQWy(T>-?=V{`@Bbu7TmsRfX*EC6L$=yLhGk^4N!XR1pX;$J72(b6v9
z=2baJ?{xktJRFi~$j1mk&qE?Sx@6TbL0)G9NpnK4K6}?D_}nXmjcI-l6(*Kdnht3d
zYAJ#&mV?hKPaR4*%(L(*S_{wznAj8k4^m<-@l0(H<2aObvY_=*m}o$YXh+|a9B4*y
zQh1isEK^7!2rBTn&))wc6q%mGWkKT(q!yP9>4ieP`I4W|y<rf@3J#|MC|yfDD!jN-
zUjFyZF<?Kh91A!=Ylxu27ukt2dnzO{%yxtzapB;YKzchMk!cT9W5a}u;tCqn+4FzW
z+f{@finy*suIGOqm?SH~-5U*0L0DBR$$fTdHBF^g2>IBK_;*#NFI&fMHEC`A17+sf
zg6pn}RZp2py@57+9AcIXE^Ybh>Gx`I`wf{Edd{?`^FL0Y;AjrzgbtbRWWFyQ@aU3q
z;Cfv%luD~JN4>hf++N9zZ93AAw_?oeRp+|#SV1AobL%T}==Zzp_1PGFCKy3fPwq`+
zWL-%h?Sm4nG{v_tzFg~@{g2n`@Z5mGlU306y6c9HsvTzIG_e@%;!R%Cn|kXpS0@E1
zmWCl8yy90;NZ-KYiuagm{0P%^7t--y{p|&ho@FR=7J776;kgCs$3<Hr;4dfUGBUs;
z<-X(hYjyBlERSzXYMncGz@Z(>IVAa)CBjksph$k0<6bXi>yuM*qSiTw2VTToZ#vm}
zWfp|m3X<ed?T@UzhF(`nuYl08M4T#!{;g8Y6>>sR{um&f1GLFT%bK1%g(u_0wYD_k
ziynxxD!&iB#7|u0fMD-Q6;$u}(Th|k{V;^4T*W5(u#5uAp2O`qWD2^eS$npm%9%=Q
z(teP^P5nw@mKNAzZ1U9G<1Kn&T8C!E<Z?L02fzWa@82;P&>6w@vjkB;0V<QPf!IXI
z;zo|zARyybN2s7#_x$}9ea6DAqPd+OqV16b(`J+(+(9#se;gYTJxU1`x=OwV)E5>%
zsy3T7JNkRSSqFB+-I<z4-FXS@+DhmurZf?s<1;#ttsQi)XRa7GcvO^w2wvP(A7M_5
zl8d{~>;Hv&y}|p`Ll;^|AlOTz-vgtKGDN#94h@|_B4#Cx{z0rsUNO75_z!(AG#is<
zAG8T|wq#tgyb1jK`_(5`ck$3eq|-7=fql%FYw;AqV77k@s*;As{@Q!*BOxF8i{ay5
z!jN>Mzp;e3y*uVK{oIawTw}0B<(DAT5zmNZ7B<sZD(VoJbHVQV-RoB<Z!7e0wes$`
zINVnt%P6hjpYDC(*a-f?#DU6+D2DFtH)_F{r~x-5M^lb92}8eTQ7QSJw$0$p*>4(H
z%3_*J+^uh5F(M?&kb<ha`Il_7CBh&(hd}dshyOF(l#jJ988S%t%}|n%c!4$!q4t8;
ziFrQU%5_%mY$C<M@YAfB@RvVKq$-0UWa8!j*n~oTAIIH7ivbV9iYuqyr}@-!rWQsl
z9lSAa0V)NQ8?rG-_k|f&b^Fh7>Ex>$=HAXMJkxIPpJOjg^VE+9f#3>7hHNvx9K}_F
zXn85B&Nbpw_s8hrjctGV$V{ebHb%T8jls+{wf+<_66c-Dn~xu$DKSn9F^0d$$a-eu
z>RfD~@vYaEQtkm-ze01o90i`76jjg9vB_FhiSe%38psL=W!T3QA^G_M>nwI6u{dMz
zZ}xe_`to5_>&a$gmuEeD;G}|+NARr##pSg@9MaZBg)k_|>F-t<Tv)$dm%XgpRgIOQ
zobi+!nPSA%KzlrUCH%Bqb_hL9pYu4-Y5YY@w68w0q|eRORsM^o{6e7SrgBhx;CBHN
zCqUX9yLq$6134q$QM``Cm={zul1?Rs;7xk7;lC9iUJ;wXt0qD@Poa(U{CKf0gHYAp
z*j9|R{mi=qH{14*@gD;YqtF|fUS!iS(y3F(76yz2(u_U~ssJ5WYgPV)MwWPPv|zTD
zWJo#6t3M+QQGy>t9dns!4H|%EIT!jVV4kjnLC5QLDX4mYZv0WS9jd-#fywVd`tvnG
zM$%y(dnDy{3wAMNZYJoNA^m-hq$a;Bi@Cf$_&aa&069;ceWB;8v#_L*4f&KP2rcsO
z)N*s|XIi($9+zNqd<3Q6&5+-+6PV$g5R2|4Riv;5rkhw`|Jh$1K(AbT%~)9wI)q>?
zB*gkpU6RT{2YoOqmja;Gxf77W;El_q;3%R6K_(Uoq)zCS3zN@y(g}nQc<-X1*p{co
zr74^5PFAmVUFQT^BmvT5p+rcNr>WuI|Cz(oNY2OX^nkX9T)UsOThQjz37R6_D`zlX
zAt`W(x3A(@RPX(->b^Uk%f9cMpFNVj_g>keNcP@QRz}F?M~F~<_Ff@Mg~$$tl#!KP
zl$}k=3`N7J=X2;hulu~N`?~Juy6@NPc|Ff_{&$|8bo`FraeTk;&wG74li4bh%tvNR
z<*8jwZ{S44m=qf-_29=dgrBH+1^1=^^fw8p=0Z5c0ss(cf~JBXmnDD<pxnIwN$v`*
z6(Z$gxIu?Iyg=nX(>URr0Mm`2TNxCYbt*J{h9)m0ld}8J0*s`VKxFZpJ=hB0qy7L+
z!ltDC$@*)%rGhw)8`BLJPP&h?!+0p6ANe?p5@|Fmha9fJIeu4uX89LE(D3E=6MU_v
z+31@pZyLYN1cf#J1*hyH5y<}nr{LmH@T-to1L)$VuTk`TKLNa}sX+jn7(Zh3dVbRI
zu%h=#=?jiQ8zI~0-izwsYt3XVM?jhJGatuVAQ`=W9DEr_)DbIg!zu!Lv{RuxYd>NP
z+Y@2n6|>-#`Q;}W6<It4!!|bz=xH$HHTC%r#mfOyG=A>u;&=*JsmjccYvD-8*67J{
z3;q~*tX5Qd)1numK6e98{qDu3m&96kPuG&tiz%9i0uy`-_-MhxdYC{Rd+OZA^o<|t
z3ef*|5DO9AXTVM)SSVJ)VTw^#u-T3TZvlEv&^biD_Od;u?AzyUdw`;_+)xU}Sj*ha
z$ET;)Y&nOO`5{6<NzH?|%@4j{G!?ojty2$n_)hC7@AjxNhS5^5=Yd}y-tLmx)cAY6
z;$=&j{zM;M2}8$K53~HLldmd;&iJoq<v>lwv)*};uH&Dsn!N!-bt-7#%Y7r1A^~M4
zRklig<AOHz)sQPL#3!lBhbKYs%7=dO#}JRMV9Z@+DW($k<oBQbT%CAr<$dMP^GoJE
zC0~Yhx*5So3!N3Q3p+@8S1W0jk{uVu67KOZ79KW+zW6)u&M`q(8^I}1RtV{^F9^9*
z<jy~qE&`>w_{W9*i+c~@LkX0TYflNbQfh<=nf^=MBCUYJ*k`Rt7lBzUTgJYEPbX7%
z<4Nx~P&AAi1H7fp6jNxZZIFr{Y*MS~53Qsh8uAV(#5aVFJAnPbOZZg3TzT)4w4oe=
z(Hr2P<LN@0Ow8;;tDu0amMos}%j%ZY@+nu+lLtJ=CEswU2j3?<Gp<!x0giyPVst|Q
zw5kcR6Mvcp<xo$6dA<F?X~TOKL<FwfW{ZU9ZzH~{k|X4Dh5$h><)?8gl_r`FzfP`-
zeaN;GUo_(6zrk<UzpwlV-UH(FIY3_-Jjp*iJjC}tY&3Xeh<>=8S1=dX<-}xn*v6CS
zcbDAEACj&UPrdHzf_#C5QQx;p6KaQ-XK{5}DNr|>K1M*;ti1S*L^gcVlw;@U-#sR1
zN2n$|)FlfnTIuT;d?S<LX5VLefO<txk4)a4C$<O&6Iau<VPa3iKY<Jf7ID{twxI*K
zt&J&Op`)R9%i>*~2h*6Nb(c7K=-bF3hF1HmZ%8~}*rwSErm_d9ytzj#U`u{%XlG=Q
zBWt8~jw^uV&HGmFvS9J9#2CNya3z9Xi^hOzi?KkiRVHHc<kL!aSC<EsdcuGBlIrJ<
zZ+BCn>b9O}BM;Kb9X@>0m@ReXK_<?D+K*Vec{LOc1U!#!6g%ars<Fh7enb4bX^Ilb
zo2oASIy(7{;$HDTra`|c`JrYO)hyx}^8rO&SBEt<VfY#xvEPi})zPL!WV;l4(qgmX
z9wxe6c_DGX-H%d?%J!`I(A>3PqWa!6vd*w1QN??kBB+|;>5-Z86GYt7*kk-Isx$<T
zb8kMUFuU$RF&M`vj&<a^g0V<ICHvXU&z(;iym@YXdR6~u-dp_MqCXW0ziYn-*SovF
zF^C$1L9n#|Xzt3<Rm}V7Til$Z#4X47$ht$u8=At6?BeX=xK@jwIv?l~eiuJ`I-MTf
zINF5kyG3uk-u4@<a3e<Nn1GMcG=BUI=XO3;&`9l3{^3^+ElZcOH8zTVuA}Dl(`4|?
zWL-G}k!(ijTDlZtSlqjk={L`OjFjY_dhjz4sY)W)Rf?a+PwJ{$(3(1)hp52^;Frne
zvBv~m*z@zrnjh5f>IynPt&?BVL%n97bLC0o9gKU&@JdM_M_us+YS_ich!udyRdQH?
z)FoAn?!1^>PkQKdVv#dc0n^-ibiG;-OxP3s+{nOZO6TkOY@O;ijPm3FwlFjE@|oYr
zg)<4*nGR_Nyx$rtngnQvr!`V*TEF>jZ-noD)Wd(|d`me(L6$W;u=N&d-Q-1TDtAwH
zB1{>S0J>Ot?<^bb78U?&Nxx6o;Pd&tR>ns_IFxrXq+EwJK^e?g4(2=+j#%6Oj!ChA
zE}?7)l<U{JRbP7Pu+R~kYNdy?ejJ&;aHQ5D1X2jkmGJ}hV-x=llKBB+3_@MFVj)d3
zKgM4CEKL6fT@@dtwgrHH5A6dQVSfb+X|A|n6Ji=g#v%x*fm^`AY5`<gf`SPuv&(Y+
z>s!xV|FhMZ4{=D-Zo`hAaHZCf<ezw)WzAJt<pXl@@evmlAcPVXdSR)5@F?9<B+58p
zd0xVyJ2&0%U%{B|#0?0yXhH2BH{>XcLC%3uKUt7!SJ50QVIB=vSYBWa*)c*aM9Z5#
zu!3Af>Px`qno7x|-3`3~;2nV(Hd?u2)hm=d6)IEtCxGb5$G3F81Gh&D5x!^Qo;VHk
zBCQP~n0$R0{*kqK?C6CkIbvH-M{LWbf62B09Lxmvy9a5xQiw$K@XE!XCxLz}?Nu~K
zT1Ub8)D8abgmZc25TFr6sCGbif{w&$$JST}Ht#_-#9gTUv^C|WHh>-OebcuYs`tla
z&d6h7fYrE_UiJ-?r{3qJ>7vw3jl_mYhVC$7r$G*iabo7VpN<$gMxtX5&(nd_f?eh_
zVze&hYdlV$j&S!EnTnB3ab%W!xspa~8q%c0pbm(c{eZ^DLa;)*vfvPq`lPVo1Awq?
z0U*Ip>E0jGwuU8hG$!f7)31grV{aC7`eHp=DUHuS1SpWv2H{&(^>Eij;Ofq2E>^zy
z=^EIqFb*vnjvno$73V8%LkWo{n{lQ*wM_XU7+p&ak!F*B68$lb13t_s(;X?+Fpa@h
zhr+YOgM$jh!)`uo_yO}-52_k-!2E2!4uv%7km41LAI`ad?@MIP^mD(Pa51IWxbo!1
zTn^B$l<y-jkR{$;KWy_Gx22Z2;AIAbL2ZP!gKpU`gt*+T{}9?XZGgl(LI(;3najZX
zT5BRyKl$aq@Go-z6aMAV&cDgO*g3ui`_?g9TQxc`AqYs_^#bSe2$q`Hga3kkF>aju
z1I&!(Ri%oNw;w-;dt-lcHoZ&Hrt;P@lgaRHe8g2h&kM^XEX`JRA55SfL;BZg!0KN-
zYZW}FWF2XgV=Z~64pPO=R!~{>xAK~GvW4uVw!9ljoyls50tx&uyn&Go(<0u#dwU2t
zjQ%^-qc?eU9)2}n3R>tO5&)*3QP>uZdO22dj?W$o=fczf;9*{-5j=(t2boOf4=l+3
z>GB$94XLL|TfAj+-KbnlG4v&=C;CSFV;R03?E01vs;@^jv6Fz5>j~@6YY`X^VkNWZ
zL&-&PD1ZG`iesdBF(GWhTNvXbIKywYh%N%<<xe8!H=OymiI{hnc3w?hofNd`msZhg
zrAZz**|ry{!?<>uqiP-4X~aO2EoK)6ET39WxEpyozPY$Y!n0uhfHDWudl@;+ftQ*Y
z&XUrzGd&cmaZFaC$H#HD?2c*<#geaIJ>)s^di?>+N(w5dYocbrk+)k+b1yz>B+|*1
zLNOAHpE+JgDHWt`Ej6ijmS%`>LtT%D)vZ95E=4SDx-W%<tnH28z;EIRhD><XSZN4N
z|A<*3cxExsM)ki7XAlkTNYx3s`=SsySD(EPk=Qt#jj7~2QQcQIPKC<b+&HXlvBb!W
z%OtgSfMT_IC$U;j%_DaXk}`_)MBHD#>!(LmZ=q=-|0HS5^{Pm{hj#Tu6z46MR6W`o
zu$B@uvT|D<oB&|+h)$kxk7?+`bw`EhHEvtpmg|=uw(fqXL}&1@B;c{wgv!reM6y|B
zP3D%Any#ovMsH&T$sCmU{J5$Px;g)^GBn$--2_(+{fm|dEQOqRc#fnOgk}?PX(`Aj
z^Sc!{b5N4|;HihXBqdr9drZJZ3K#s^4G*p?<%juuP8v#3#=sI{^48f<aMk(K=-1Ii
z;&;~f`azUu4?sOKeX9tdF<8TUE!$)evTCDuaC4MeMzk6Aa%pNMZ-*PpCL(6Gq4)Xn
z@DhJwpS#ABcsVNn<c+5jEP4YLooZMisF3g@G?x~Km9b;<K2TD>RAhO|XM!(h@??4f
z?!Upoc)GZZ{*m2UK$JJDn?|-rd=B<g$ZjQR=zwkC6w!OZlx%q4DH!@wk&+s9GVu7A
z+UUa!991n^Ed&-BlR)cdK0MXtS`X9{9YE=cea&YqDeJqO5;yu9Tou$p=XGH%per%W
zn}Uxc0+@@%K}FQ6-jMO6J3kVK1`)UiY27IzhW0!j5?WzG3A%fkCb&Njz8JWSmS;mJ
zm?ikXxPgvL2fCsMX5KVy?%%ctZ?Ll_QKfc+BX4Qsf=ve4S-{wJSP1?j<9f7R;70A3
z1F%KVn@(0~^)J<-*=JX}WG`6ORkeVDPmoJJAq7!{e;)iuTuZpA_WmC=BISP!_x1oy
zQ{X=F7}Zz(U#dh`8vam;dZ4Uo7%F)Teg6p$qjsYx=wA{sCc~va@d+tL)cN#tQa~ru
zg8gDC+v#2^;?xHI{#B9pQU4q>0(qfK8WMgjQAiJ(RbznBY5#TlwH%q502TFQ){WX5
ze+hsM7m0ryxWDN)HQNakuqgw-8@OH`+qL7HgPqJ<Fx?a=fF*!YkNr0+3U%{}?WPw4
zXCT;D_NB__ZP%Y(0N9z!dn4{JYcKx=xloq(!N%W%G+bKB8#aRjohpDPml@1nLjQnX
zfZmEXP5>Jd)&B;-WPtZZjWzH+g%;QZyo+I}{tPwfUE^ObR<BYufAqO?M7Khm+d>sB
z8Kp+g{};?c<{LM5{YWXI<Ht5jLh@u|+lowourBXhM@or482W|r9DjLijlP%K1vrsE
zZQ;fW|D1Cv!Ka6tHa79&;@5u-SBR-gPBnq)(3Q%ktxz5c%B4d?2~d6!`Q?CDKoHQl
z+@ED<wR%KdjLdfLRMG@c*e>0nsslm8WoD^13FwxM$Oy!hYR8ML33t%ovN%!QUQ2R8
zvfOkw;?4nFU6Vgom2MFjmAV1Og92~dfZ5gOce)E9#k}6($tqPlkJ~mj*Vf0y!Piye
zlhJ-LiEV1LDjzD`x$uao2XB?}SZ$pz0a|pm%Cs46KkyfL0$|DBf#iY&K0h=Q{ZnxW
zT49kZ-VN<)oNY{M{tteL5?z}%O8oBIhmA=r$a@=osr;Fbfqvkka%Fz+GF%;IqAx?I
zTVFD}hdCa+(O@GgzsRzZ_{`00ZG7}>ec84VA#=M`<tb22dm9<t&H$`;y$@={7^o0O
zD1`Elur$6H+V2j5WY%WXXHnoPg#+2$z=2`kV>e@mY~3H^tE>UoE@dlXW$UB;>|f6a
z=6M+!SyC*B1BqowiLOW^JFkSJF!d5iQDYmSH<3Pc?Rnc-s2|ErFFN0bVI&!qMfH#u
z<EkM!YUyvx%fYjU=(Fuh#~i=G|6A6c<rMW&9(3`-gS-gwO_FC8b?zk}ZUO64DjeAF
zwMg;UHVv-aE$VHU5bJ&Kh+UFfQloy#wiBQVJI*$TNI-NSocQr+1Y_*{$8c!+8|+2c
zh-U=N5&6yQUVxPdxON25q?k~cEvZR^4_-2Sx7JbH(1}12vGbgB+B__5coj_fpeU^x
z3CYtX{ul;yUxFowt2l3FMHJ@_UOvHmhEH4Y#OeU*SbW~UCX0_Ue2y073Ly1d0>^6~
zIN~x;rEu)P@L$xRfMG&J3{sW~6zc)(<jr-7Wyy9B^O#oDx_s1cCT1^62&r^DmpaFC
z+Sl;2tpZCp75`T-Flxg}GGbu!(aYsGe8R8<uv4;qZUwtbK>s4aO^_?{I*>%wI&Vt<
zqMW$vRU)$P<6mmB23R21c-tm|XL;b|28x=)<5>MzUJj(}J{8ueSU3|(j(xgug<^|-
z*-Q7%e#Q^xM>j*WvG!xL@y8Z*T1+#2m4%nTqn3WW(F>*Z^L;Anrh(Gu0^%Z(e?gJ9
zW{5HJv+SMF^TUL}zhiEOl$s2^{dd!4?u{f0{kY=Q>31x-i<f-NUaz_`rtu7@LB|z+
z|4t1``R8g-3%k}|)u3C58f5YpHK_aV)S&I8|0l6V(SODo30MkMsVUr?tUr~z*f~5F
zYTTf4W<Y^*{udv#J9_&I)m>TsgyZ?F3x8-}VLis^nsWY(Y^RKG<Yjlq-G^m^>GZd)
zz*y>1V%_w7Z_mtG+xAf&ckYWB>I)3+AL|LX>uE5*W@r2qHB5cy=LwW`3ZglibT+Y7
z_+!O=l`{xA)hJM%VVsN^BK)RG*Nl`m^E5Y`v^QC}+3#WzX>}ibY={p0=s2DEN@U&h
z(;2?NO}%GcAMONRar)FG>E>}(va9{>qS^Gu>xw=<dt7>K^-v153$B@FgYOsbc?RTP
zZE>d<uxa0ZntE;}bM&wD*tgU}BWrYI*y!%TpTf_y+@-MP`2X`)v<O7*06OXbib@!m
z94;g>_88F4!NEZX>^^F6U=3vp6F{=9{l4nzYU&wKK&~}|PM7AJ6fh1H?>OY0xy&RD
zxCj%NPo=%1-Kh8pCb?g+kVTIHjwL2pVNWv$7HCa<G9O1=Mrl{o4PY7U8%*2BpE5Bs
z>ux>^`u6DMH^jNP7G5gK*g(c05fQ+!)}VPGd|0WHPWnc`>WG7lpL<i9c`{A)-S)g`
zQntUaf2m!@>ugtI>;pJ$A_mAWA^{#E7vC8G8!@oS#RL5m*WImI4FSwlk?FM)dr$$b
z22^neDB3GHS9qDHn}i`<L<ieju511PSb$Z5M@ZuJ2K|5n;3hdts#mYl8$-kE#7vbP
zj^5}P^qzW7)#ueVRbY)TPF5Hf#!ZMj17P745z$8?y;|bCA#@awK_dqUMFp$qgBK83
zivjboxEAYm&1pi}5$$V(xk?MbbyI>dk0&n}x<(LB3XyMs?+jdEJg|XraAeGs!%@Mj
zs+t;+mzUQ~mvsuvMBRMp3~O+9v?DI4=z5H#&f-Xb0otO3SrvjcZ#Do>i%&@*_Xf?Y
zFF`hPh$~c!4%ZwukCmW1;`ZuseeTI#SHV$g!KQk4_*bpx^le;UP$oOTc$ikuxYryn
z4}>23#sCbMk<ro7Exk;OV`T*wq%Sx3o_;pekfW}t!hW3Pbb7=Z=m4sS@;YY)0!+2*
zh@f$Z!QIm%4jQk)aoG)>IH8Q`0=w*3ue4uWKkR_M3@!lY>fskxOPcmaeZf-C3F;Pi
zf!$XSA9!6Ra%wxXq^|#1x>fVp=CMO;z+$3IxuC19ZLaf3X+}(PGT$qVY4&=0OqZ@4
z_6qw+eXbr(PEJ*2Wt86*s8mc9o{%5Jb(hQXP-gK=NSL_5dgdB8bojd&fk)Q(tkO}t
zt2eN7+`_gu!$Mzxi0eG|h-D%U@wm-g-}k_#$<Bw&OdNPRLRszPqCHjsF$><Vtfatf
zZJ|9vRc{#k0&%+y+Vag(Y9U%uq}-L~ORV;TM?EW|%R0{ca6>2!L`6j@sHs&~uNI5H
zIh#Aux<3>0?INb9nBx$*T$E5bI8olX63bVk8X(l3RxtW?fIHjjJGO^EpssCDp$LPa
z+ZDe51Y+@XUoD-@wn8{XyKj5Z32lI{>|8_ZZ0p$A1&F}C;Y<T>2rVFkB5!2d&If}!
z?U!XL+hA1QEIpUoTJdM==e}CL%Y&FsDFXuo%mIvJ1wLR~)#0IvvcK%Q=EO*@e{E4p
z*@8%EJn$7oPB=RnFuRvXHf?k=wK8oROZY4}Z`B8?c=o@4Ck!^b78XLa;(Z9kpm-)*
zRae0ZWWs#PCn60A7UqMj<(rIQD-|WY`fw~63!kfI4NP3MU&C&a>+%eCeBa+c$JWwv
zT#`6K$o*bi+N2Hp;2Rr>%l-V<_cvtTK)Vq3$nRR$4uBp#5#iSfc6r^G%uWaZ6?(fE
zYB9baew$T$ldq-*Z<-o_pqG%nR0SRo58vX9`Ow+jm5V=E%bW*;Hk&jq5Gs-nKdDQT
zo)zIW2S$+`Z5D1ox<`aN1(T$1Gp%4?mU(VzC$5g(g5G5@N^fASh(o@-l1c2~6(u~x
zKlA}uSdgLGWQPiCzcZiZlyJp$)v0rJ)5PwrIwdOJeBTHvPOGIdy}iAAE-}KF{R7rV
zejAuwR!#{D#vx^|`U5ZqYPZQqNTju?C@a@&!31V#27OXBVpHW7wQ+6m=$AxlsHz%{
z!<tts7BoH1WEqqp^eh-$%)I-%YqzG{d54ne#lytdBrhlQNX0BqJ(DbiI%&K@5>nE1
z#Nq`@oNk&I5b^2yvol|pMX|B5JD$SSCm}9w6y#)PMjr|1zvz&-y{i$3gyw2}lJ-}i
zHVRD5&f1U|=>Hm)D4gqj_w~uii#~B_DJkqgatk#zHWuvFEiNt=K7IOhXKO137F?~i
z*Jx(LRInVdGh^;@o|}EtHU^KNx`syCdoTrVcW_BbnUF{}5*<HYBn6MxP1qo!-n=!Q
zy?Z9;<gO7sda)AWq-ze}%dIb!C$+Y=ny_w}Mx6ff<A+gwa&j_pW|aNIHl<$|*{iF)
z4eisym^60oQ&V@XK*O*$qYz~=M>S8YHSVT%@f%o0g>&&osLo57T|8k?6LbF6o^1K(
zF0LOPp(~pAqlRMOu)_6&EMk%&{PQ-*gKiv9UaDj$6YjntYIbG~RypmR7<91(4ZL1S
zp4HFsl`5VAy=JkZI9*W$%SDPh;(jk!80jjE`bo5bFW->25}Jv^eGv}+RAadk(>hkV
zpy~DoMn(p;!AuNkEu$c-g`#X@n}0L(nEwj!E%U8UVmo{9{719A#p6Pj<vDp#1W0ph
zi+T=an<u^Oxbg#Bzo(qTM2u=~0@6E@Zq)&ISFAS`crU)HzCd2eDSK$^Rda^$>x--`
z`aS2|x|7`N6;aca{*1oPYT#Todg^P+CXDY5AC>*|>C;*bwa#zC?g3LR3V*Bq%@gZI
zotX;cCK>EOyL96QN@)LKD&9QyfZT9fuShSv;e}2@Cmco7<CEph2CJK?11$SRlx>C_
zYedQf53zHyu?S9R3_>|(M#PB-glPUHnXQozc2zg%K}NOLX|*jcsoI>K=*mYl7E}l|
zm2{S!vG({zs6xe4IiY*#Zqq}<$n58gqc2(ZvrC@KovR-rbdl9l)I_4$w#V}Y+SVD%
zJjXYLDc0lJ$J4>?>nw5V^1W*kBe8m?%2vL7K3vmK^mt($PP*O<siM5YUDrwG1FCd#
zlMPq58{*O>H3c-rLLui^TY5K9U;WNJ3;NZ;?FJmEiQ{-=A_cEGymq_|W!2x)BTBR~
zIgXDQn8*f`*osE0<K8~4^HZuDDQtaWsY$b$ZZ%>j+<D-TJ0VW%xgPRqW*}i?f}tI@
zwsvuQpfYMi-{qvJ^ZkPSMF+&sRDm;kb*c37^{fzBdnVm2l6;TjirHRTA`*2gzEz#C
zINK(8N=hnyxDdiy>;oaPgDutSZ^}N2@^f_$##?4+=&|NGYU|-rQA^pH?Y5S@P7zCu
zref8lM<<~Ko`k)PE0&L<Vy5v-7W(ShULwrS9?Gn{(K^I@9M*8&5VL-IE?u%OOMOnl
zaqT(e*hLg?tM-uy9~k^^H*)2nB)Ca0k0WiZXCgBRU4_aovmfM*o|G>nwVueTZND6Q
zLZXLbx0Rdkc#)qxs_I#*F!rWJjm+>%^1&^o(Ay>kgH@r!#678pYQL=gY@n`wwa<(q
zpEN3jILK2;c8X6r)!5HoIP}$MN-hJ2?*JsmmmuV5Q%TgWhGVtW38-}@#Y%UW7wWyH
zDPnEAP8uY^d#!T83g2xlMvZK>9<;+>CPY-sh2nb#+yt^bDE&oQd_Ng|%J6CO{R>FU
zk~`Ec2vt{W>m^xt)=t_XHa9Bb0nyj<jE|m+V_n~VNw)w%sAjJP`*1&9aA?@w^nT_h
zOEMO&B>pRC7*9#0?dl6lAEMaHxL5V^{iN56LiSpoUgXnw`X$HmzkU$q!APcdZ4YYm
zm$Nj3NuugJLQY?8h(5>Ctd}L2-u}>zrTRXz{tYu8Aw9y^KL}pkKWn3tbn@io585kF
z<A;tn_^v27i<s@+IX$K%6m!?Jyn<_ZLX1jr5=-Nx+Ey!OBD$xR9DO@O%C<e$zUq`c
z?=fjQGMpBI*e}=Sr|?W^^*<nT!3e+oNwN&;Mp1A-s<J5z=PWm7Ww&9!%*>YV#S2q;
z2Na=mvb(G0w%IhHzdj-6p?jtoMwuy$29-m`kuHvIf4~-@5RrkG(~<i%O5=pPzgeWx
ziI{NpooEf&(id4_SY<)Fn(b|E%eFKDQ4cB?b6iR51SY85SMR=NCi^H<BOvAWp;?De
zi&+d6jNT%YUwPvX4Z}2%Drl6-`0lYtXYCgkv!<#pb#d$H?daNBfaP6cAUn=LKfq@-
zhDfOM40CV9%VW(10sUpoWE!%(V~Q;<=ii2stZJ3Bv+vAp#3<2)(Fob~mwJ1O*2!i0
z42$CjLIvD1GrIgOM~--lebfYGWsD;k&lNE&+SB6?XfYdNFt~!I=O!gdzieOWr3k%R
zzNdsLe~w<D!?$L}4Ko$M=TW0iK*tc(h;FS%iQ>Et@4`@he?u#q%)v~hl=5INUNCu{
zCj2AtuXuG<d92I#>)VFt+8V%|A7wtZ$DqtuP{*BJT7G)|7(qhrp>1iXVP~B-vrs~X
zhnTnRfuZZAmqLZJj~)lvKQ7wKD-qgz(8PbrPxS?c0grx;sdYS-?OV$k{!{kFO}zub
z?keoZfV)qlY3u1MuWJ-BUGk=L2Yp-r-uLgOlDuOoEyzZCca3B2IZr1UK^AGctIY_m
zoOABQP~JAyv*+`_KYZVN*d>2Wzc%fpjY*Q@?-{cSAKRIvN{`0h`An-5&Ty_0PKem7
zoH$C~@uvT!oO<U3EUp&9dQz0^2~tbbdE5BINi(B%^~Ad(<b!)RyR9A?m(=767o2lx
zzfucBYD)-3C<J#6NtnI8ds+MkTQIb&GnJS6vi9@$UEMmB_eK_8c^yr+E%Ssem4%?V
z?|j_4wN1hthc#KiLM$rj^!u`GaosgwwA~o@*8gMFRd2~7tV;3cZ|u+cJ?n;2RI$J~
z48e+1e~icU*wLIV%J1^FB(D7Jhx}oLo=jr-=<w(7g};f!CAzJz|8GAu2{W^YoPW;E
zKYuTpA0_;M=wgg_gv`Dd((tOcFr&Wr$RCJ5<3&Lm$&=E#sn_RQJ7RU&ZGj3%ovsKU
z(iAAP97_@EA{0aY{u206<)8fDL@i#D{Nq2Ih0C0Nk@zg?=+DJaBFIOh^N<xe3Evs~
zROmhz+>XP^EVu68zho{SxrP7pUvZKX4Ivkd${olx*m6Y=-}HclPCj(RnasnJNa+ct
zIIS~Svc(VK_TdUYIeNs{YdKS3=%Zj|6#<?v!-AvAvgw?!aPhQuYr+xB0kj4_HsK1i
zf7k1USUaf&@Eo3g^YN-A$}>t4e&8i2)wLFQ1O)M*dAJUMF9;5&&7}USU(__WlvsO^
zdI0K8K3HWrL7&fullJn#T(JPj5G^wi%esUG`7>wKfZgnX`k9*V;Dm_<e*-ZgZ{t-^
z<t=h}W{?&W!0=R%Z{{==f30{ya1ofxl-}<U@nAgLq|Jc&@LkCC5Il#f;CNYP!C)}y
z8sY~~dZG$KK;*4kx4I!=O%J6kaT0w@v2gH;08kb&qK}M>j4Z5G{JsI;k9hIotR0*q
zcp2k^1Z;I~K(5^g&KO#V{E1=)vO{GXj^^TI2HOn}BvE*km6iFYm<>$7L6paEa_%nD
zt_N}od2@5K30dRu-3tznSWFrHq@yRnoS_QJsVdB!nm5U5X?ZW%+Y6MPSfZ3|xD$Ky
zI0vy0LacrQ!ZDXJva<NEyzk~fN`oL<u4{)h(1PZg`BmS^%-`(?*L}dka2!poJmeUr
z;EXtkTs<ZwA>qmd2;S<&)D6+4Zph5^A{G+FwF0xW@j<nHmjj%U`W`rgCE)iR0|M%I
zK7URF7C0~9N~8UyOAc`Op#u_jf{S%fRmI&_W*r0)cV&96%()|m!o+&lJ?VvD5X7Zp
z#(*v<@yyH1OFzTGp#)WB*7$gMJ#boCFSsasAW_!??p?#iQ!}OO;9X9KuPzgYz6@4Y
zR*MO+@hCcKSo!)&?S@0Rv>VRTL1Kcv$l=4F&J6~^t#O1&#W9+U<vsWX-ot3^2#T8n
z3~~YrFf#?@u{wtXD{cP1WYrqf?AU$CVD`ZG-V6DVUdTpi+8Q-o^IMG%h%NLl2x~lW
zB9oaz(ytRWF6S1AbhpdJ3_PE0Y16*Fw(|qw<BTJ)@CzYu)CXm!gDuA~=i%(4XAqZK
zumrayg8C^5zv?=fIlJ{?l-N-7;1^;fAzTHns}Bg2A*|yZO;B=h;yQ><5-L%olx;i`
z62{FCo%#${PMs_dxVT7Gr!n<{=wNFuL_TllKH)Anv3&t$hrDJJ8t^bdj!k=@JNX(Y
z{Fd=HRkoNM8822Ml`Hk&LOeL@7(Hl8McR}CBw8l8V2Tss<A-LDq&fuU^sZSyb|Bi#
zhFk2qoz=}iyaEOq*X_)J(&v?6MDN4NE05qo0f6Q|JUkSbv66EowVugp_dsmyLqq2j
zg1;N~MM*$2a%NkarHGi_otn2cTN%hrNl*lpMAgbFM;1J_@NN^7sMs_HaKNFRTCSeO
zXe68lRwAb{-zdDNb<Ci5a+*58tSe1x*4WY26%PrcczBbH>y4Eb^Pn`Ofb50u3T25$
zUgk?1Q0r9T2UOu@QiY5NuE~VqmD>x)2Aqn2=3Tz<esNJn(0teZlWQzIZg8Q}Ck^-W
zLlh0g>7Xw$ASlRf8w@xPf{L%d%3ujR)@KbCwuKV$pg>qTSl@tSNE`xph;OdV5zu%(
zJdNq7kU~UNbv$PRiT-L3BX>2&Ad>7h0QV`P_&#S%?9Ykzb`?oC#Y4|h7Srp<E1Rnn
z9%BH^lc^8p`5coh9JR`CTtFDP)@S#~O0!?tB0S9tmPPhLLfg4;axhH^5q*Gw%pjID
zC~}PKb~jAJtDA;a`aC^OQBqQNk2ZqYJH-FFC>(DTla%x@h_oP1tQCucwC+7T{Bf{y
z!~^w6K|#R*UU^aI>f{pM#wUx7jg32T5y+9sGxlq@I50(=ItQi`yYi_Q4o{1VNqi+M
zsP3@LP`ZJ4)*jbV8dsK=WcfIdkaY0sa5ko}1~4w<_7;CE+B?=JylwKs#InTc+^+Ok
z5_AR{Ppr6-$$aObZ&n$>3$sYAT~fa0&wQ?U8~N_n!xRk-Q^p@Vk`TGbQqRLW9dZd~
z<b0q^-^s1t)we(R+{yS89yD6BX?yeuqkP=M))k`3=$)`dpw}4p7rT;&RB`k#1D{C+
z0vN}~N~9B_puLyAOi`z?`kLysMuRsX;|^CCDkF6f7WC)s<Ak>_tms~>rbO~NFbdqu
z#C>g!u6o?j0A!WPS8%ww1@1bIp(4rAw78jr<-rg-$OlI?w?oEOTO6YW2Ik-sOcC{`
z9(N2`S=)Pmc=txE>C{veqsGM@k0>oGm{Lo;7(PE<H9wd0<=D}_>#sNmZ~c2!Ts{^x
zB<c=C2?rk+&E-vBv~1WJ(^TmLJGn}elC+&KUv5H2Oe$=hnNT5-4!lH%`UE)+4o(ll
zIxuaIVL$i`j9t-pV35-;(&^h&akMuR69|sip4g7EzX(~x<%?A=q82s$v5WKz^Hrlj
zi9g<K&m&0+=>6mdPq|#qQ))dh7em}CiM5sOtIIIW<}7H~s&cTNzPdDF7ZhEo1b34M
z4bDD=iA$yvJ119Q(@7Z`1*1`qof{OrNdOCNamuz#{R~uTsUG62P}qP(DOlvgEC<hS
zX;e+eklA!dNXQaYMM<&NYtVOF$#GiGKJA~UWn(i~!heVkQ@J~T3!6aB(5Ej_eqC05
zaQiI4vnoCmy{~wvP*|=~7RQ9-MMXudK$o>yyJNo~(Ay0)hN+>j&hZ6W3U#qb7q^u$
zCh3x=A@U3*Uom7yh7?KX6R-mzTw_7ezpb7RWmRccrJ3K%jpJ5&^DL9U0BX~`&fVO{
zB%JOmB-he9?kraJ9^1Kl9t#VbPfJzF#8X={{H%Nz69@syHHsJ%CE3L|_)WI~VQATs
z5j+8deTq|qV1u=0I}_t>*aLRvCD@qXLuPXMZtoh~%u+WAskk>LoQ_wA-Cp?}rGdSl
z3}3-E>y-`XarpH9^KE!-)b+5g=mgZZuQ563JbTOjz*NUmzvB-uW{6vL{2H_-IDGV9
zj?alXwcdyBBqk&r)E<HKutX{nA0g4Hka54M4>76T%SZYS5qap-Q^7RoWnwZ}Sf&%R
zWWDp9;V3n#^iR8Vn5G7s8%$`TBUq(bOW3l;WI2z2oK;v^MMVvqsmsGpp^oOEh3*cG
zliyR;W6gg9+c|{T=da2c*`tmAfMoR8XHdTgjE9x7LPN4EvEUyqHGS1b%C=$u3#2zz
AiU0rr

literal 0
HcmV?d00001

diff --git a/cli/docs/extend/images/authz_connection_hijack.png b/cli/docs/extend/images/authz_connection_hijack.png
new file mode 100644
index 0000000000000000000000000000000000000000..f13a2987b28d70f81bda7096a54ec479f20b2690
GIT binary patch
literal 38780
zcmdRWcQlrN{5QHQWZa>Wd6P|cLS$x-WJmTWTSjDrtVC8;86`53k(E6|W|FMz>~$kq
z;dx*6UFY}5^T%_Z^PKaX<9p8c+}-zeeXh@Vzu&L%z8+mylP4ymBE-SLAy!n7y@7*+
zrw0GA;-7#|9MZp9<KSR$6lJBfJaCs&PQEAqu-8&2vsSZhL~%Vg^fLv8?EPq#7i^)S
zjd7eF*JP#qmF1(JFxG@>Nu8EL$=dljUBrC8qOcZqwAp>oGp5>Y6`LFzYZtTam6~jq
zl(O->Yv}U0x4<Kp3PbLf(KrNAfB)?;MRi&evS4t@{`tF(VoUb8@Xt4*{L<iqU#Jfj
zOp<ti|4lY~`Joj4{`<uwIr*KHjpf3>S0Q8_JNEaN@t7u9aS2%^r1;MNd*kcE>vaFz
z5`!y2a9wzpAnfBm*HrLpe6;=dC}A)=ihhkB)vv3_{WAtU3bpE!|9-z-9X{|4FysIC
zNnSWjiBAaQ9qex>ynipe^-RF}iRHnK42757b01?{H@w+Mb#iW8>t~h;CXy?v@!A#|
zE;Mf?No$QjeRCr6Kf|fhR%So)ZE^ao@hDl4(_ChP5&vrOXw|)at|5biD%S<G?=BPd
zxM{mgLQ*4T_7NN1$s)0X%O2tcflqOQG!>kSd0{MB<if7=QDVE_V?USN(G+o>3haB+
zu?K4qm?#;BPH3G{z`Q2VdZVK%dT%w4(xM~&;%j~3(skto?zsLpx&}HtpZ9wV4(NS%
zOkdSl_2f85QNz5RfcZRj{IUXOfuO{3+z6X~jm2MKO~P^O!D_`Eiie6I%FhvxCU>(d
zl$|lO9+v)9us$IL8z$#QX3X+XvGUuSr51<3b{*b+Dq^_vIU~C6=+MB(bLI@YUf~Oq
zI`7?$jrCUgs?65z-dFN*<!sj7$uZowM00ctQWK{Wrf!)y*BgW@N-w%BeqrA#?1<w`
z$WTu+>bIWjPD!8EerNH~Oyl8BNWO6$H|*flr<}TKpI@tT-lk7%*fg_D^WJ#G!72ZQ
zhC|$g_&mRCzG1~wyx1q9<Im`VQp7xO-2XApu)8^z@Fho6IhyfWhHin;;(G&2+2%BN
zv(S9?w5u(dUC%G;7716T)oi8JVsZxOf31u;j#g&w;SxE~>*nccoaHfEc7Ig9x8!xA
zC@7Ur?a=r2^(cw(Q4WjYp<?Sui}t6A>vF~pgM|&Q@z0qiFnHWl1j6Bxb-o9NjOj+j
z);(o;w>G|i?BD%X;X*xk+2Px~QXEH|^V@Ejx}Im3Iuu5Vt<~eWuZ2<M^INuO+xOVQ
z80|A8e1E-vBk7N~zM+<OwFY^@Md7m2nvHf&x#6@2hx+vHo>%B@`*f#Vnd303ey<Vi
zU>;0#-cUPNOQTi5y4&vQlKu2>sck;hC7b3B`MJy9J5J@w@I%jnI~@r;Yob1TCDB)r
zc{-f$eU;xBbjsjsmPtcE{ss9bly2+gDG^kc-gT;PzbrqLky8BFayzs&*edw2^5}5?
z;!^G18Kr3s$E~$*6~)dg#t#lGGf2M+%<!079DdPMKR+{>+VJLfZ~CI1p<%M^Shc4d
z?RzOawF{Dwu@7ar-jJo$_o++Rch>d_tYCd%l|3GfdrT8ocy7Ml`wIKk@X`gFFWDM$
zqMSURS4PTb;3@FbyCSGBTm0Htm)j$~x>G+WHwF`;u^&pVUu+e@rT<QLVufHf5A$GY
z^Q(d5M|jMf#m!GLq#xn85qrO|O{8))KKAu}C2mVPaYRP1)g=zJ>PhIXBvy>}WvM6J
z>3f|sjr~43tQgCp*q^K2Uu5jNdo9)Hr+%sZ;k4uPAD0eahlDInG(229q!hdzWj9u>
zFZYCoJ<-{72W#qo@7nXa74PlQdvPa~jkkY}ICfOJEoI0)BHN3a@yZ_5J9~I^@@Qw8
zG)dSw-Fttfe53Ic52a$3T8fR`$;#7h*6qeEscwE*d6pgV8w17<ax|NQiDTVYhCNxP
zuM!A{`1L)dS(3rCij4i~?csIVE7|v8OLt4P{}(Z}V5x4p-O#%ehMSkSNF{!K687C*
zy`?)`a;N{Yu}8Yez145d4PFmL>)%-X%>A{|!P9bi&cq}6dT_zs3pLogx-*SUu0NOc
zUmaGtuiTxaz5)kz`srmyqYEoRr_P0Y$MYDk=E5<31LuUh<g`w%7JJ;;v8zvCt+Yf?
z2M>_Utd7+fq!0%3apN-`<Y;CYevDz(+=AJR$Pc@}*83_%l*BRJK@+n=BVZL?NoT+N
zqfdQw<L7LVqK%M49PdhE5**oPVV9+^7pJe*&ZT;VPme9Gbxl*WS#zLUtRgixXS;~U
zZj(l!lGXegCcAqJ^Bx_?RUwdHj>wuEdD{_mRDM(phX&uM^$Bh4wZ~^a{#+TcoNkF|
z=k(XYTIdbcY>(N}1YbT?Jc{lK^dP1z<1u{yqRjS7Hbdx2Z*b)qZo@$~8G7~3Dwq%-
z>z-8YYxVn<sVN~IugpG#ogZVXx=$nFYlscd&NtNeTy))IQGJGQG<=;!jH>Y2CEHwK
zULTSo3w*BCk@5o3z(h(HYNt=tjvw^qGRJ)~j~24hzORl}afs}lU$+{bun%}yH+lRR
z>4TA+P5kfTU+k*;i4W3=jV}ApH@$jxeREsjOk2%&{c|27rErK99XC=?G|G^sif%Q9
z`Afdhd7EM0`efatK4neBFl6Eek%mc|oI(3j_TxN6Cz+J3#Q9f54yZ_J6VF=BzOY8A
zc~J#Y1cwJ$)-Jm2ZdkrzBTDk5TFeev7wbvdE~RYdE8gMH>K(b6ZA$Mym}+&^ef672
zPv6uV)zou4N|AoP_V`vmiEe+LyY47(!Fc7%!0`<_8=<kqS&{RS<E=MM?pJlMzOPHm
zkz8f2+BiW%lO4RktLQI>r^ak@z~pRWug^n<mBuMjC8ieAN++O0cgDzkBc+>yCDPXQ
zBv-@w4eHN!CPnnk^`u=c+iF?p%i6NKKIYTU3R_lAMCX)X<FTp8q>-8PS;u*fSBnlC
z`0H`oW9vPiJvnN0=5$_waqjLarSX}|O_Svbl1AHZ1q^USxl<*bC_D}0%$;31{24zs
zur7I3^O0$I4=akCX#4A6k-3j{#GE1~4{DIcu(Y6)k8$wQx6oZ3Jau`8yH^i)rrY~o
z){xiIwTvysz%e+3da}7gKq7X%1maK+KGi^L%pNT%`+=swxX*UV{lR&Dz94E&<9+kn
z2_p2xIEJ;}6;!nk=T1s(plvBP0!-ORQt|Dvvt7v|nrlic!=(``8N=__YWKtQ1`3QF
z?aYtic8Poae9Er*I(zb~<nW`VF1%)X$B4ec_YDfoY8aT_^UvRu+70oa=QZ)8;4w0!
zrMv3=o{z#_t<|2)i4f9u)(_NDG#j4Y(X|oBx&y1`x^U{tY9$!nQ*<d`$G6o|L~}B*
zCT?qEw+_rhZZ~pF9EuqpTx=b8y;bF|t=Ri|Z)>R|gx;4eQED*#+NlS{*B4x`V!0UP
zPB0RT?=V~~6<=>Aw;?w}1v7jWbz8&_R%TFh8ZD?h%<VS4U8<FH!{!S6k;&JzC$@Ws
z`)mE^i((c6R-I@uk6w~a*QWb&h44(5ic0*K68X$6jt&nX9#+K;>gn*}o;-G-a=dZS
zFa@fEoXH>e#ysU|TMFsF9)A_>XHFn2em`aFu{hqWzT08`bYPMrsTkIe?@E?JG-FF8
z?|mPZPRS~t{W3h8)QG?&8LPfxEH-~->ceC1PBrQI*xjJ>R`=z!3$6NhHR(Gu`j*BL
zmmY3C#x@q^=@&09dim7d-^!)F>|!)XCw{-g`Jxp~ne9OL+k@F3aU9xrO?}wy{rO1*
z59lBKnru%J$g=d|eT8kMfAB@y`S@owLu-d~WqcjzS$mzEH;VbFrix6hURz5nGU;p=
zmG2pJ<(~Q>a0cIeGfz}p`3w=KR`!d*X@RN-N4}#JwXuG$@IOs|*Hi2WJ1&jW#7Sus
za1y`iMCgGOhPRsJf?W7@eTM8k*o;I>1{W@x*$CMWGmTcdX%;UQ-rcznDVDBtIp3f>
zKbl*M`u0ftMS~2P5R#ZnwmO%X9%<+Eg}*-bLPOp-81t>5c25awUk8c7X3M^L`GqP3
zkGlrfsAW<ho@xr5om`O;!OojlF?^MfzJ7I)jDu7EUB<6pn?3EvLbb<Fj|5}f@^Awg
zv^R;~BAfCP9g#U>&*x0#sxILYo3y?`z5d?S#8iBL!TZ_#pL(<~;cpl5f+t8GvYwI2
z7bJ6H^cQXuX4MIIW5gxHs^O%cXvCM%*?B}PHc@KoiE0)xedI5Bw&}~jrua{ML7OiM
zSNE3%`klNNc-19C#i{K02nNX~?xG;q#iM8xO@7Sxwm5p0I*i_Y`!Z1P&GA!bDH|qd
zjjQijT+quYB(LXKhYBmcN8-q^|G4tK!~{otujBf-WKI~|`^hwe?0IAaJB)=;uiW{X
zmo!lCN|a<ud1{Q6iooN7-{h@Mo4(*jIB#?dzE*j&;*u3&>M2=Iv5Cpzsj+@~?`*zB
zZKIc^(4*AoL>s)qTeSeYAmjGk`>dibd=nWS318}b(G;%I$(RB4_aOO;){m*AJu&~F
z3_mG9y5D8>-@rzpJ{2b@R-8VS`Cnx75I*q_K#K6c{!G*%<p0m>G=7w9ApRGL6tYTA
zTJ(fiEB<?B41Drp;>5p*2*%^|Zmy~LKUYS-aN@u2^zdJ#wG1$6Xme8k-z)RtXYiIu
zzt?yrN1UVmMh9Ox{B3$LG4)vkVs{VQb6k2Dm)XwfyEE+~)vxnXFXOo_eu+LoOyzNf
z_LK7%Dek11*(tn+YWj=s<{0Qvjf}~)2R{w&4433Y=B~R+<NsJ2H)cyFljdH?*Dtk+
z^Zq$xeWTc_D}ysog!MeGck0yCQ~*n|hXj+p?g!bHhFW@ayqi(f=g&?C3jJ6b;AvAe
zb;saL%DSAz^?2q~x0!lRr*6l9I-!I49Je9%az&48HN7{Z86Gtr{M0^dik$~VIsN@O
z5ozqdOM)Orb;fV7)PJKz9!Le%ev_vEd_aap@TX$n{=YLf5d^Drj#o_O??sZtONF0_
zJ#tF>cQUJCdN=TbL;kZUvG6n2)2siv|2aUFM)g?Uf7i)_41UJc=<}cZOT!L0MM=l<
z?;sH{nkxHV{onf=;a?Z_#BFN&&ma*<8;igFpZlMJr{yv6Nc?w@Vg#}&PJ4jHW_IV&
z5}<NYsB~Rmf<=XeP)*`95B^r;HSqR;m`X4TFm8qKL8a(et~O`sgQ;eMa#zKo&Cz?~
zAEEY(Wwf0=KZAlAIA>M!Th(41mp;EDz?7$K8q%p=t0KES4-Uy^C<etGQB*>9*{hFP
zQ#~3DV*DZv4(e>+AacxgCJ9{K^xByWiSW`MFV<ND)U4sDKRT_D#&4<gF;%<@0Gs@5
z*Yi1@{JA5S@>r>F1T!v-q5W1mQcO{dp`JmPI78C`ifRUv&~k7mC=;-Hzdt<OcO0tq
zsY1$gC|$V`)JwtMII>)7JD~JRE&`Am`y#!hUPBQ!l=*tKhco;27k;@Ct49EcIw0J?
ztYzv<xuScP+mKE5nc$<rpG8yt<n;-)ZcATtcp?B)RM3drZGJD0*RxWmi<&;t{t$M?
z{%Fk?O8UE-v#N?IqNN6xy0(SY0O-kgr;2j|GAg|frGq+DNb~N*_Y^QW1hNsW3n}-;
zqPNGq)B#@8F+WAh`Q7E>9u&QT_j@{TtdxGm-OL}Wqa&PsP#1NqPq#Ab<{KLIp{7x_
zFFo(q1w`{~hF-+usreDJakJ5-;!YpSE>dg$+TC32Xaby+0oncCy|uBy0J7<~K_<cP
zJyuEwz8obc30Si{Q{X)`t^pL+QWLh{|I23RT_%}orczuCRH{||1KyF-&m3!a<vca(
zcBW1#0#2=$2|5~jS#n*RReFde{tTsmHd+m>2t`ajnHaT@T~x02n@SBfK>B$%OO=R6
zRG$lVEuFlm9M2WQs!rEXcrpUT7>!e%gU}|v2YVlZh3J3COg7RW${Jn|@stYyoOUCD
zDIstYFE{F0xym!@2m_Ajk9I;fqI@<!vc|A$veXg2HLj~Ix!o)60Ki<#&i58YhOD<5
ziogP8O@4;Z^yl)>-Tj~TTez^RvMlcb?V-x+@Whdgvb~u9P0`Y+bKGqbN4x6mI(dnA
zFPPuXfJ*=F-j6%wT)bnXy<2l>50st@*?$rC2H=z_7eR%mTVD2r_DVaT)VJ=Z9|t+_
zkNfVcrp;a<Kn2xPJ64;Dg=2?4mATBR-5IZ~p{i}T>@H?#+n<{mT;xV|K-X3i*>ik#
z8aD46F(`-FA|(#rQ;9ZzB3yOzxT`T{9x2YU^KSYM;6E}CO2RW78Px=B<aD7>-B&Pg
zZ5PkFYY;8JaJ;uN%)GVOPyTBSH|y9*5<S9Gj_Z<Gy{QLe`9ZszM}%}aFc&$8*OEtN
zNX3}|uV$)Gv8ty&1(GTEXf&2pJs#rpZgopC&QYxC`?|c&aiK-q?X__pT2a^QN38-D
zZJ77IJ*nckMzACUADcHt8uoi7$pxr27?MkPrM^X_Fx)=N$YxyY?fx;`Wrr1S@>oOA
zgQ<e*jj&;PyU)i+#V|V)&x!e16e71Ln?g<nlb&|j_#Ug?4l}3q8E6S*c)%}0bS6%w
zGETh;m_!sdl74$Wj#D?>ixjt(@?G%uR<t~w#<l?6JIe0h2`RhqGRZZcP_A$L2!{l_
z9**xVR1^FAZQFtTizi9xv}6``h)mm#7wKZp-o64fm=?e!7PVwHKoxON$|)>-&a_<o
z0<4tMnFg6IyF>4<oeSos)MG4zn(E@2V+=|rlsA>Kk;%jJgrghq!nHYW$~Rzs2a4C4
zvyUfbiI~k3iKp})B>lMW|KSmEb8lV&cT_G+J;?CQ`27O_D+O{~pB#u>E@Y2x9#w01
zSJS`EmR;x5rBp$wrA_DqWj85(ceL75;Drjr6KA(kh&*51E*g|+?YBnK>+U1f-2Phi
z<`aWjh&j5gBc-<1G>(uVMSpe*^iZ}I7TNT3xK+zX(zUDuK7V80_gYop$#L5YgLV(K
z3-r3J=Rdv7KRnn!N!$>6`ofn3*j|()Vn80Ie}1c1B%S#NjtM6>clTBksl@wR<+pno
z<GQ`qPE3zI_|Yq`jRZ2cQHbztn==W<I<4h)LuNEyaK`$Jw#Ofg3kOF4|B*8tDYg;n
zEEd)C%vpm`C}8wKLpP}^Qf_mqr;6o=pBJe7aa3$j?oa{yYX)JmmVPYsIiSRjwijX_
z937NT5w{FiAJlz5zybkN!F{VTBese~CGo|E$NGnJ5$36IfYyVRG%M~}4s0zAh^tq5
zk4{4d(%8O>@K@OaoyDrD`<3W7LPEA*Rr*iv+Q>YIl#%m90$YD<udriN<fTZWgoJ|K
zR^50T(`jl&=Od<cQ9jQ*S{}(*`*TesiMdo<O+=(bxDdznc$ZCuybW3|Z-01vj&m($
zm!|rr)x#00U<NTNg1{KR)R(U7Q`fY)f)giwvJETV8C;t12{6qjivQ$AZ^Tjz+0Mu2
zTr1zNS1V&)YueAT(ha;{-re7_*;1vKakKK83_AC8Zuw0??Tse2S(jgV2azYLgAz4P
z_ApfY@-|l?MeA19Pq~A&unBup9cr=U;R(eM&-(;hp5bT{MpCn)crJZ1N0t<|kZl5T
z7B-%<V)`Bp$55o?!Dv$m2WOgTm|J)^smMbnUVgZqB2+@~iujOfP5y!6HQ!2XcLyn%
zMBWl^0#ATxk-H`@5g+A1{w+;<8=?wNs;|D%%lIwz>;8Q@849Osa>lkKD8#~VGoh96
z;8flCu;5h)G>y#>WGbMA>e%=qw^9qWP7*b-7MhIihZg&r-VGkYGM@}idcfN}gIPt(
z+}8<q8|3W_rKH=O>!^-ca=l`{Ui>=fbZ}kg2?oDO^*r+s%yLHIJIjtr%TrQM#XL7W
zj5(s`v6D@~^9|=Td#<{6%pcV`J*#t_>TrHSBZAuImlX<rMsAxJ5#}{c)0(l_EPKJH
zZqa;fOnii_WBb)*x!${C9D(EkD28O;ql0@5_Zh~B#@i-Rq?ZGEWWrAp@hJi1EgSg0
zQ)VXQNYC$xyD)28p^DeQ^df=r)6u8X@;?^e6y%n6{<upSI@;GLJN}BGX1m7c&iV|&
zS2{jNfm~M=#;MZImY(4UcO)@924yNMnC`ZAOjNnUXzr9pUN`G(;@P%T&-r~tdU+M<
zse%d9z;oleDjfOLKxeIx@r$lCS1%nGduygT$zCezpiQ?X&&kp2$pwSPI}L{`{j2>u
za<v`w;r{qhywt-J9}OI9EJt4Ljo{T5btMV33SCr>@$18%m_(5hTa}yMCK}IP7xBNm
z@Zp@XmW=RBM}ls##OYsQFZAqR)^2OaC(bR4+@e32L8V&W^v1(K?{|-8>@;f7i>mfI
zBZj`I1m7=s;icw^<(C1EFijsZ$~8R$LjUQ=t9#kcgvrCjRyMHZ5jP8`l}qEK2Isn-
z4=hqdeqck=Ii)7Om`7nao%qeJPkx*OeOUGLw$CP-0=Fc*&wuOLc}*l0%plU!-@->t
zGX4X7Ie`7Ef8wF!$-BgTF_IV*`nf*?XQxhM&EuEcp)AdFrt>X!*xbgF5Dfd8k4we<
zD(N7?MHhld{Kbjg-TIpnyj%{-kJTkf`zDX*&HTiOQ{_6f3`=fDBh1C4J1eyQZ1rS#
z!+E~Bt;G_q!;)j`kBLL&rM<~y@3Vbv-z<;Vc^4t%Fj98WC>A4HdQxaikuFppPvbPr
zlb51-_)i9j^AtBXdnBsd*j~RiyD9k9sPP8Q&g+#9-etdfrM!nz3n`5f8&`ey+JFrB
zWmMQ@m`YcP{Yl)K96!Q@#>Wk17JDHVPWjTz7b_skOUoPH6FS5jv9~o~tQ+!U14q$w
z?Rm%7k)8C1<JvNL<N^L&KYQirbJD)n&kYOcv?p`xl%F<<Jd&q;(oe1-rf+hKO9jX8
zvZB}7b%WGG1iOB8=FtmcX8L(_#<yZJ$vRbIJstbR)4;YTTOms5m;Hs{Dc)v+0-AvS
zQidmIWJUx5j-b!bu?iA$hFl0H7_XhkZ!xpk3GpAdk;b`f_*u{X=R?w~Sc?fa`tga0
zn=M395L4egP@()<A98Bk3hk5><!GLLj!0_G_G_NT(inE6WWZs9fCq))ceOhub_we@
zMa|EmD9JX-@JRn9uQwgGi^_k3@?8@VbF+K>DgT#*TxxfW6nJx1eRxzgjCj2#J$Gjk
z`puFPqeFTw`Z^MmmNn;H`~J4`w(t`i+aKc9tL{gSF@}X~%)(|xN}aB<^xG>Vy0jsQ
zxVFu)o`lbv59_2uQDO$@wwoDV=EiStUOJ;Tx#Ep!J$C0pt=+@}@v}TF33lENyqX#h
zSkTLA7jRWE9Aav>iGnX+S16=W0^C^O4*gs4$D6UwRTEDvUG&pF##aX-g2BNmZM8mH
z#pC*<fg(`A{hvbO48D2Sl-qZX)l2*B$cHdcIQF^M-0GQT!of?l&v>v*VRSO@TSN%W
z*~q}{6QnryJFSsHJd@5J!bO{RC(CJyb}+suYTPN|Cp=Vz8I{{^K4RnRFZL!w=usV{
zFKBo2CTRt-Fxg7+TnnBA+t<Ftu;aYUn)7;?uIt*G{&e1&s8yQHRR7E`l{4`V>v_2k
ztrr=%Q*_Oaj2DDC@ZErg@@n;=<~o%T@xG2%i|E7-*QBREJ!Oj!SJa$b;bM<>vNDF`
zjc!ooeKe6No6wgoB4tkt>a)vbK_t{dDqXWQqORHYqN%Pd{wCYTg_|xcrER%qtX`PC
z*CbV595yc#s&>K-9-lrL>sI^7bM7FP@_s{wkd2sHLqmh%AEDDM0;k$W@AV01RV$f1
zOdiyevrXTgIOA!MPg6`Ew9Wnju1rxlItMK`E+q;FZe>n*N_Uc5Y0C&E=~AehoUY~y
z10Z@$!}=ZjA0!HR37c@JaYu!>G52TU+lWU}iTdZlX2|ghE*0RP!zIjeingx!^VKI9
zzrjz|X+AnNG#U&#jlBq3pI<ed`A39JmIXwsSkqAXk9sWp3=s9Js*t#Uv|%SQz__ei
zCzhoD#>Nx30W3dRrPF!xH|(uf1hAg`g*xxl->}>76)+znm0o%x|G;k6(=VLv-f%4B
z{s&P%VF4cC|IUC+_oK(5YP&*3#3>K?$<NsMUWH*pXN+f1XgwrI=E0)^4~f9+&Gf>=
zjQ8}f(3&wq?A>RAk7nn06p8@QwZoy#gai_O!*T(b<K{1y&T>@Rj|lDVEfu^f%Zc7O
zPf#KNLJc>Rn<PK@JAU-~O6UoR`aLXqyV^VZw->-k;<#TE{~g{n`3^jfPw|p^VrtPp
zOhWRjohI=<gs#{($GW4i>LdlXFZs&hEe+kSqsM!7TH?}L){crtvp%vsd50$U|11xU
z3M@}UN>lDX4glfDusp?k4@(*TrY@X#VR=s8BYE?W&_2Nh%hSC``Zf5U<!ONBq4_3~
z2Ric~rpB)rHkHU52|en6mggkUS$Cc03T^&bo^D21p8wMUspV;}0HJvo(1M<=(1`Ny
z&4ZSLfyBHh2E~~X@av-lmxm{aGaScj7d?QcVuG@ILmP^zbvL@C48_=%mA#TXeM%sc
zS^!L2Z+{YaY-ha>koS<z7I5)#phUe9JkM_t1*+Z$Wye{XHH%P^7bGCBs%YIg{C14Z
z1jyLWKr$j^hec<i#&6^gyqLjI?P?tLWrsEd*Fj)&sd{qd&r`3$_`Z1t+Bvp_pT7&j
z<JRI>4Z@SO4vv@EKi?58;M{{`bbdg}RZ_UrreEm^y+nSjZ09~83Hzn{AhLNL?#|6X
zQCq5d?jq|!#Ys@MxnOIZ3+)Do(gqAbCNRpME8T4MAs<r{R(UZ4!?ytiVh3kI^%O#2
z{AL`#!Re{k#2=!oK6adt;yRCq8g}CIzURhwjj>}jj&4S}Uy{{93AAjBVz_&-=eC8@
zf9J=3t<OFaXttl<8eIPPls#4@RZKq<h}Tq$u4meSBA7vk9r!r&n5Q;sW2Qs7%x)+H
zSV$21sb{W9UB$+~q_MXmJw-RB<5_9Q4Tm7@d)IT_yR)6_fNA1ruefJ(-7LAykfoj$
z55g&XZ}#S;x}GEf`LHvbEC3HL(U*;0b(-))j0Hvy4%~p;jQ{4fR>SW!At`msq%s0a
z)@b{1<0KI!MkjCL8c-RzQ~p2DY|k1%K+ZI*xSPx6RO!9@PJ_o$Eb0Xe_jBEY2N&LY
zHhnAC*{%lz!3<Kf`5d-TJ1QjcTV^;-Hg0@Y=J{A?+JwUUW;gpQZ}klRDh%}_z(Uj7
z@R2_Y$^vJBg|gvWvlCgcd?%0C)0od#bQ-T|00((MYx_ihgHtzzjpJq~#|S;D&;}?|
z-rJurm%iNlF|ToFth$2iJZ0?yNbvPllO5bf)$^CsLn*%FGB^WSm!p*vQ~h(;mZKw6
zIe~-k(t|_qh2hdSmVBC7YT8p>8yQ^<F!>z*#Xuf0vmj(y+frNf1sjDQ{kq0+;2%%`
zMb&b$F-T6$N(U5iP3b#3*hw4VQvr@3PPe~#=#BYxxK;4rBk06WaUO1;v}!#zCm%t@
zoFeMR-%ey<zW;M2cMN29*XoW55i0TfuGQ0fe*HBuVxD&qM)<jh+<kn(KPSHa0YL^P
zG=sr!C%%==tMj4@k-+g0UZ#g9>6Y8$IAgBdb4U_#d0lTi)5R-@-_r+l4L4x?8+2zg
z-d=wh0Q!K;qcC8S43!eN-v)a-kr+Ki(5yjx%Q}z^_q)jPX1;%nU2Gs)>juosq|bj;
za%K4E!S;9ua2O^}&$P8XcdX5ckr7O%2g-&O!BBLi09&(N)Wx@+ssNvL(V&Zvt`d|w
zg-2w}PbmXF!LSmj$PPfwj$>7BHIiymNfy?aF>gI)R1N#3D(+kxiJ0p|$o(Dj!*84u
zSMGdfDqpTY9zeED7=c7RvlKA&kd5N*Zp>)Pu+A>?Sy0$fOZZk(Z8Uy5zfn%EQn?&(
z{8Vn&!;_@#Mdq!jCbi+!ZxyeCm$BEo(<JJy=8Zi*$Fo}IIMyp;?Cxony*wQ$p<`53
zK6YQZ|IE4)<;I3(HtXVv{NahN;*H=5%I-T&Lc!FfQi6@s$JI4nN(cQg-Fi~*U3^Ce
zl*gwC&tNJW8n?e%rB2-Xax|2+sW5lwhf_K&smorVoq5|P1cr8ldG=I{;AyPAL%GB@
z;SS@^Zae(?kWc-LpS+*^-py!R)UW+YdRr~V>>3Y`##4A2(~-BO`!MfJ&~gw0<2L7d
zsCkGcO?Bu{&A^M!$l*2J<6U8vE-VwG9kfqirEAOP41Ul1D`b$4NOOT1-?hdyb@tvZ
zmgZQY&@(+AH29AY60T%I>L!u$0)JuT4s&wr(x;a)qF1(7*{NJpX1h~3HD9ZoCfc5)
z3dQfDwwL3I8xrKaLO1(^U`WoJ!t4WY^}-z}3}YcCaF}NH?79^ArCGf#XsSxBux8fk
zT6nLDq=8;Fzee_9uff+oSjKt-e)nZPfBeQKIzDytmT--ARmvyQonL^`?Jqe(D(!Dr
z9J#^`fD%vHq(1!w)~jEnN{m62SFH5jnvr4xcM27EGa2DvFoPuBTw!W#Rs(s!Nl`KN
zVP3&tN(PT2%nLNp0Wd$=49d-miNsP1l+T(vWl9K|T<k~6w3{5UOj2lXAZRv#uX)BJ
zP{zPLSt0Frsagfi$woQ=%J7X3;iieCd1%fPFL8^f{Wpz$w&E-?bsB|Ta$ywgTE+}m
z+NM-=CE97eu6*3r09Xuh<<l0inNzlBQ$#OLHM6A(64yeV*US&K8Re=E(KN=y2e>f~
zp<JMMIA*P|6Ad<BX#*-i{CQDL75cm}oS(9pWXgp1$1#Q?t1hZb)Wmbk8-bssqC}?d
zW2&!{1T+>AKTHJTI+9Fg(QhHr=oR6T@SUb-dT3%uF52t*h$Vne3lf}QwUp>ZF#*b}
zUQ>@)zjR(j1zdoo|H(&wdc_Y1ru4NX7b)uej)~5=`1ZF~va)MqHF5L)a|A|}U;&ck
zx9-j}YesvJB9D##M81OH5|K+fv0ga=9g7N~B+k_*y8@_1eeNA;F@y6TV$YnRgQ79?
z5}q?RZ8Dkd#qHvn#IF%aH#~$}E2W4`l5lH6t+PE%SZIRVup0vt{{AKb=af$g`dqBm
z#n%a$`1EuBRU`)~+3VfbXANG#Geo>k!!n6W7ABQyNJ%GwZL@0@TNg<Gh!v+qc}N_8
z$hfJXg!e<3nfcZ%tri}3593SVtk+P8IO9AMefJhv&zwT_oEPIphZNn$-gvoU)oby=
zKb4h}Lkub<G$$l_v&^hlFH#bRg8NH~jBfA}JvL>OBRnP1NF8J<z@_OIBx&BodyKTm
z*xgnlDJk(otcb~Ya`2y%7=aSjntP=?DI|AYaLNEkpU0@e`K-$_exi6&d@?ajLt|{~
z9vJx2IsA*SiBIC@Pk%q@CPsseWfFvf>mFX}y85bhh5YZ+AP+@e<W)p4=vU#Ah~Xz7
zkfp_Stjo-L*j!YYvs=EKPJ%-%i+q&@FWi~GVS)wRf)7w7w;PG%4`L+_Z++B4avgdI
z9*ME)NY9H5Uj(=K_SD)y5RJqsCR{Rn0oZxG_i!Gw`YSL>_EIR;e5eEwmFYNqobjSv
zOc6s!a9!}4Y1TVMxDYPXfrOOjc`*Ki7vRfYKHX<w_v#^H=WOGv-=mmK)8nI^g<-(1
zrh$tjF5MMMMB!cdl&3E+eQyD;DkcZf$S`{daxqSOcZ~_Hg$EJ=MR)2cjvH3U{38`9
z<NHlLH!}R=xM8oaU$;6BmyQNuj{U~{uq_z%ANdgf3S7VN9xmrU@-3Pj`DtdBUQgla
z_pS>u$)au?iXG}<{4tC@OhNUXzweBP+*y*fD6E0uQ`J4kM~@%Jf}X<tf(TMFH#o6w
z4A2NWNzR;JrZ2se;QYPqv~~;7(8qGKtfw;C`ihBuD~ghNfLOvx=^}f78dbTgTJ@w}
zgyJ*KdAjAe>?F7{aWmBw%v{bxbWZ^8Q+e;l0(nfFv+9lScPzSpYssM+P<`+XuNQr_
zQ_0~03t{!{?DKc73pYgEmlOR>#%q1rn_QrLo7RIe*y4Lz^k=Y$h=6Ud#CAZ<sx#3v
zIZf0pm*V10Eq>4vQm)*K2U0l4rRv^V{Qa#(#jkn#ncxuN_t|rGqe;yLk6s%<olKkl
z+!%=mzSE*T{1}g$<qj7?+R_+kl+gjn`C}sAD+*2>m8*O67hcgp39hjVnL~AE{H4rE
zsVm+y72w{>fw*ANovaV2n|-=9@*K#&?puO{Gry(pW`G+I#eV78>_N)U^x9s%@!rYQ
zbGfMXJHnE@*+uJ%xXeC<$>em5tDT2RA|C27joPC_Fa4VPrCfT2l2AvnL10e+yGwQ=
zTj(=DT{)ZYSHT|%#pZcLU0nWFp;`NDLs^Q-(Q@LM%Uri2R79Ded)at_)$uc!IT1DP
zX`BD`07{ukC{5cyLAU5lzgFf+C+e!uUksr=_o_mqSPAbB9raOnB>YB6a={i3n;DCY
zE|a<b3-pL~+dvi>50xbTYo1nQVJ1*Y<MF5uy|av)n+30fpw0jtSb{QCl5TKlWn;we
z|3G_WmAtfT)}LvMmH|nQ1)jY>i)&m0ycG?fXs3#!Sf}Els7@DChpHnMYMC~~P$Ek$
zs}GLZ?>p<$@tzA0(YBWDPc>+wtRVwr0`TE?nN>-VO*xg33Oa=5O5>$ytWq>%5Cz+H
zNsQQK$1%H-=hVpQo_H)tXiVUdiegN`saD0G<<`oM>ZKqGY4F+vU6ZP{lbW*Zoj~Y$
zd+-RxkCZ!hG(0@nkH!RlFBt`;lz3>t2cO0MV=QX|Y@Wqi9oyurYS|~NcfUiCR^YB7
z-)!HY`4kl93OFTNSA6;pU~z2{dy`p%X(u0jK6_gnv9+EDI;8g7`r7<C{LV|ZUy=GX
z6A%QFz?s!(jXiau;LPWt=A8*Seb1(TLGdy_fTC&xmMZrpmq!|QalEcBY)NVtP0LH0
z6=?5ba!HKska8-1!oSf@_+Ys1K^>o#bwWrv|HPRFt}De250CQ@3?J_qdae5W={%y?
z!k}6e7B8yfD>U;b5pM|^+g?2vF@k<;a;jk)D0cj*Z^#*pP_=vxC13!6XZAM9q?BTO
zNkfyJ#gD9MTBJ&1T<eW!D!N2Sj!&ySH*+y-ppNEDR>7vtreqo=^LWaeapJU<HBbUN
zMnoRmn8qh`;<;vz01ukqOA?)XON7di2~>q*)Uy=Lb~tQXpa}Z@mvzBApR-?zc_g7j
zN`W;%jJEcvh$yw<&q}f-Tip*1;7kApSC`I55TIQng$sa3I8m*2O>n~m8SGy^ks*9m
zoJgW6JuzaVbDh2q+Z3M*y;XT8sOb5E7Zox|-I?C^HB<TAOa$d6o2OSTcAq3>A%F*}
zEhaGa-2lBO=T=o25uMl|f6eZTa(>?BkdvYTJsRa%X}&i-lQ^_<nR>)F!#R!#tRTAh
zOpr7eh1Ji7>KTF_vW-B=<|xBh7S-SWZOeR3E_-u#hUzGEERwOv3NN7NHqM|;@3|2r
zgC?E$jQEV=IyK*?i+1S`@nt)#QG7;v>9|EUCD_xU@%!xFDE+%Pz^}ueLm=>g4C5b)
z@uR#%RPY%=xAjke!=R;2MT&*<c=(j9c2|C*ltGBL?_M>zz;>5n@WXij{!sQ9#GBjm
z*UJ1+G%7ghh$2gp&+v!rID`Yek#<HCav4eiC!OH2^6%?oZX&^7S^XU?(*!TxO~G3=
z_xnvR73Y&oJx9;U{^qr=KwNfr^#J|~BZXpA6?_?;s1cIn_Schw(MLXH4u*=yf_{`v
z5b<m3G0zuLmXqI1jF3F5iQ2hP$Jak<$3?(&(O=<=Dwt!?T-BlUzONCU#*Y?kQOomK
z8u;IF6r;A_t!fVqki9QJRrVBO^X{k-3#7MDRTx9j(3;&P0#qE1Z$7Gcj*%Tr<JRJM
z9<ZVj1m7IrdExBqiO_=~sYNz%{g#$HC-pVFm&_AAXk9}?!`qyenp9Rjpkb&3$8rIR
z{{%3i4`$4=BkQ$85A$|ZG;tPwjrY6f0NiX=OU_ekk66*%JTMDR6u2b)BDq)e&Xa|z
z-~|z$i2;>b88$OxF>c-^B)9*kg~LQ0r^$#y{bx8h#uP9cz)oEArGIyvX@U}uLjB1C
zp-v!t{0Qcq`Lv#uGG39A-xRx!SLzCj{~-9LD5wuQbz&qH2(F6-QCvO+H^*my;h`I?
zG?>uJD7I9yobn+ZvQS!NO8N%u*a-rY{m!a0@FX5b%wCdYurrhx3p?T76Lly|s*v5F
zBn=W3(Py9*NKdC8!Y6YQ!VLw_84UYBTL#%~NFl-mUy}|<3i^xv`v2}blAqCkmpXU&
zt@Gj0*I}+d$TS{<|DD7{F)N?de`ldsolY%y8{@P8Q@i!~C0iC}XXp3=#%p1r1)FV5
zV7GA?$Wnc-1IB*_sDhs8x--#a8`V@U50`S1<+h8)NNRz<DlE*w;(`K32){FtPlkm4
zYMv2j^hm0v+=rGKa^ty6nILzyy(dXO)`<Am?*7_wPGK?|1DgXipPS`1MGO^k`eb<C
z5i_ALpx#;ca3cg(0nvGW1=yw$2cTNQc&K7UZvBV98mjRsS2L?#10T=b?`;gA;m1N=
z{s{42yYhcjIu{Pk8GAFpu1^5-r6O34GN3Ntzx!R`FA59$dXk37(qLxcZbgQ1oiE}s
z{s@+pFK-QW-IoVn=HKZ}4@$o3a}!vEEZJAx10z+pXqVfI-lUzOcbwT2{_pNd50nIs
zrT;oraNiGG7?a|#D1H*C$k`hhk31ry6cFm$f0IX9V7qA_2^wT1;vu0DR3P4>6~C|b
z?6M;_xJsTP<qL3(mg`d=bo47}t31}z2gDefqfQ3)KO$$%04v1?WRaXD5RG%2zktIi
z6U-P6o+m2Jb)Vcixc(%GG%!8I{@eTBRl%NUziEV4uYIg1g`5^_ZT)jIUsKA9gI|GB
z^lv5PX%>F@4LnGM)jDHDG7qt0_CxQk!5x^7ogj(=6SNW>^9-;)@VhN)>4TN}Dfg|L
zQ4&OqQ=qu~jL&rTo@tLW+LS#|OBKthz6nsODx8u}8gn<m-hF1UUwuGk(?6@LdxGzk
z$GZ#7E^4e%jSFWi4&aEHg-F(V??SP}??8++(~S7?y0=8q7X(-Hx(5GRLB(<xK<A6i
zCiHjQT^{6<;;kyXa&I-8;R@07nVvLbdYv_>pzn=bUNi9^vP!UqcBk+EVO+L=P>my@
z6-_Kw!j|Pfyd~nk)py+X>izLmTA4)r7Wr^0us}rs<CC#Pxdcpe)NQ=ba~vA!vXZ-!
z77dv2_V|lSLb1dF1XBy3TSi_M44JF~?5+6D;>Zm<Ug@Sxe2S6hH$@UKsWAX?x(z~M
zTqx|<SgK*9TPp1NMmdAKTOns_zHb7LvCaqEtA}5Xue|Ws2%+c`j>ZXDOdjOSBZr7@
zP9W&;O|Pq#`igs=Bua{sVfGH3B#znz@J+Q}aRm#NewkfTo^hQ~>2Wh+nTJ4o-@u(h
zJfBeB=eoFiIt-U6J_?8CHYKF4aAFAVFC>=n6YDk=XB|v1_GS0_xvVjg`e1p{1lb;9
z9oT!uk6B4Zc9p{yk`Y@YyLiKWBnYB#o3Ve0287<r0q4b+{96VmNa^ydMi~xoHv}B#
zxJ~V>2}f9aC15Z~@J@_LBD#1FFvTmYrpb(3srZTVQ6lYrSZNV_!d9U?unK+7Ql~!;
zmB(=FGhO_%<@{BmgK_4%5^wJQ5|>;5&cpuNh0I?#fo{V6##<V#1k<Kqgu1i<KMhIl
znK#mS-3;|Tp+3eYXX)b4e|qdOoTc__2r<HyIgWFKpW0?hKskUWFZjoVcpsm7by^IL
zXfY87<kEn!*d!#eN_r4rx^uy_G5J>3FSBox0>jHf$_aU-aLRh}cQ!D@)9WOc35~Y8
zDQ5bX3tGgIpwfu-3URyOkI%qsKP*^2{-DW;$oR+-hx8L-SKHV*@@ia-5B6xRfx>_l
zF-5Db(td^A6j%>CrAN3Pf8mXjZXZXB;s8OBTEopWrMZvy$nb@bVW~dd{iDmER3uM^
zp5xTvny~f61<wm?M7BG{T)z>lzXt&IDW$3PPguWW$k{E_)MG~eCG-p)g=*2~zTQ4H
z!mRlP<ub^iekjH;oNJo0Zs$1nk051vaQ;bHfywY`TXb<f1`;75nSzzfZ#89t9yg5T
zNSH590J(6nu^#8|3*W@so6}A&^S9H}LJ-g5s^v721nc!tkT)^O;&XXdP3`e6)F0<P
zHvQoXGI5f4k1$ab=^q_5x@5KD5?BHx0l~~b*FqG)OJ>G%)<#N^u>$)+rC>LQq2v4c
zb<B{}CO6>JC3sA?5PL4>WPJx>7x#ym1yiO|Sh%m*#lJkV7)E?1^;E-WLiV|fR1s5;
z8rc~gWOQQw5~dhKaGLu7_h|>cQWet>zSiy2_Utcrw`4O~(pyt7jFm7ewBoqF#_!35
zS>wX%WlIJ8zeHzY|Mxx8@nxTTOx;DDcH1v{_vd+-ChYJKs~!MBMd*qc<+zzHOMpZ?
zc%W+_U(C33$GF2~a?15||GKo3us`I4Q(wQfL*G&LGxvqh*Ty`iBRpC!EWm;?ZJk|G
z`aSECcqFU{(b3TH{92`xS$J%D>WuSW*MP~vLcQ}HH?ZojaUjqQB2(;TelfMbe$IqO
z`@?Da2uKaDlI1g*rtr0!kwvwCet>&gA(kbAP)Dww-w5nOaZu8=E%v`T)*kZ6haA%N
zec7JG%~9#ogsczP_=tbYd6Kf^J3yU%2kgHXl!Ha9LG+9P;4bf4m8`Q1)_u{pN>T-+
zL7JbU`DOkLH0yL5NMZ=ctU*vdID?~?1`0ZWg|-AzBIbfT$->vS&yluE7WGsvARXdh
zPL!aX==cJd?0CQod}*m_tyZ&<6DZpod3t>QY<<DMV4PX6rxG}{m0qi-<*Q8&Lt0b>
zz|IWqs5i<TZVeTghxE9J8Xq`l>pEIaJ>#j}k#0}m;Q`DY3!YE_JN5_(lG}x?_4h9W
z*L$|h;C6i0tt<c0ojyX+buH7_R-2@7yVZW;&jB1f?WdOrnvMxRX*%8sb%MZ8NLp@E
zMOX$fYeI{OHNp<?LxU#s31E;}A;fFpp+-O+j7=5yY6lU8=^T%d)<8cvqCe~+&5m&Q
zj9?Ul3FvousE_|m)bCch^-G%!bwg>t^yhZIl8;n^%UDj-`v+7)hnIeT1Bd!%QDB)l
zSS6JxKuj>MbYHRQ=Fcr-PfpLhGDP`j1vv5E8kEOFRg`_sEP28WkzanJ+p!w2do!MU
zV5>rssS-L9;U9GJ*pQ-b0ihcFw{yXF9N>c1Hz>2yNX-HPhS1l@qTUa8(eOXn{futV
znbJxBJ;3*t&7r5;sRJ7|=pE<6+db{(E7R>9EzROqL7qJ|O!BaN0m=St?1v80Bc~;@
z=EbBZDN+vFb^gq4BECsBv5YxnYb|G0?4F6jM>{atXjP&45YaE~#(oG1Etz2mgGBKt
zSQBHQ5*6{lzM#3{u3~RaUw|Zm=nL{0I&W_x9m*YW!s5yaWW1p$(jFR25lAo}`|4K8
zN#0}yjL~IdmcOci`Iib+V&pe;UC#FwcEvTldU<Z>#GiRHzze<D=$JWl-ptno!7Q-E
zRm>mIbk&+@RkXC#L-_?T$7?WVLUHI&+>S9qRGom&8izm-eTV(2Bnxt@B60EPduN&c
zu0=y&W;(B(AF0eo%Z;@o{W;UbU8Xzm>D?Hvp$7*n;8VLH6W^wH(tTv+5ssJRisUV~
zn(#2W$rIvg8iP4@WPeUzBS8rW1wU7-Nrd11?FATp6VS}SHIWI*T#4j7=Jh<3cKps$
zvK8R-#9XH-Qi2T<3r2rVN2F`+_<&Rf=I}Pu3hzKKJd+&Z9euW8o-)0uY*fVfZ6PQ5
zx@u^zwAi`DO6XOSK}#!`&EJJw%^~Rxj@aB3wjOSEV>eZ>$D4(0C8zfTDk`-e;{H8n
z{;1P_)&w#(XmYeLpnzxyB01-R$DJII8sO^!&@=JB+v6^G8p26W$pe?`-MQ|Iu(8hm
znplB~EfY2$hcNX%noBs?#KvwUWwRfril0vg?LU{zX|=)d`VGKZ4&~4?#M?R)5IS@d
zI)?dN?<8auR8Glz@Bdi10CoC?_ExAk{oLn=&rXj7X1o<{$%0N%3<wsg!vTp`2xQrC
zedQQSrfF`j1b$Peq?>xxSw|AoO4PxO85B1>yKrzVQuF;PP5d7t0fPOU5gs_dL(lZj
z&H$Fd>GVWi<-hh9CbSt|Xiqxx6C821N7Jou{>m3nt%gEGCvp>d{&z%YiV_Cs`Ty=a
zhByMwzdU|}>?pru_!HYbAR!RK5MI9M<VTXVA1Wps=fT9~kDvI>Pr-`;iv1d8{>>;R
z*Pze~BaHlWLXjH554ik4ZB_q#O9!SWFB?nwdxyeTfWrrT_wN6r3;B`aK^+_qZ8E#7
zRcqgFKo77wE%f|XCYFzqIfnqQH$#XByMdx9c<M<;r<LJLN#b5*t}DaZaInth+Y}nY
zuHc2oCOqbPRuT5h5DIBMfhd!JG`7TZ-{JrgbMuYVe^Okg#m5+a-(Mci6^3`A2lXQq
z?%H&NJt<epf2@oQv~9i&p^E{wkaGVUQVJn73%1DmBNJKxCFJmpQrjM0iSW)9+Cd4=
zadSnA|4j78Hk`aVa&P_<Lk`kmVLze+C-%bQvlnB))87H<ECU3EcMhYXajp5cs=h-|
zerMWrq7<l8kzELx2*Y}{!vqf=Bm<h#p8g2e$0KMK#0`B79q@9*4-xizt?q~$dS5l|
z7l(?o5JDT>XJHNGel*g!{TV(%Qb=~S5?1iiozJpg3yce@)sc1vSEzBIvEu@`?h}BI
zM4UEEU}AJ1+63}SG8BM(5We7J27f&!oL&n1R5Fj}+{U$BNZ5rg9R&#dPfvnL!n5p_
z_r`Zc_M0Wy22{&U<l3b++KQ=S6_QUIHc_Nn04Zmd3hLq!b_qD{(fnx=xcClo@knuH
z7XNIP7uWjWA78yrp_G1p<zBw`-a?krcggvQesF-CDX<v0j{g>b^n2zZV2B|}%6By)
zj(SV*OxVO5Ay5%%a$sD9f<4RW?yDABGJGCnRW_^_n9y;kbPd6muQ1O5?=hoAfQ#TY
z0xmxadHcX82gk4PER~0<?iJLV1Ce@hsKO-+@#q5Gk-^>IL~DigQm6s!;Xy3E-q1>g
z2rKM2GD6GkJd<JnH6y$dQSygq$rAEVo!&rS87}hRSux_V3}7ujLRc49Kfe#%zD5Ma
z)4a_mUw(O`%d;iTXc%cpGI1wBd}rbz$1K6ZZP>lt3{j0D+NP>-@)=Vk1s}8g=mHU9
zx%4q_#%p3_!g{5rY%iN5uafYUcy3zNEd5LsvcC!K0b$NukkH6fo08?4-~|w;)%@tP
z@Yf`D(oo6LnBi-&n!?3&$k|{963*z5D+QGvfMXSG`jbYSNuxK#4h4~e7-+zu`bmT}
zJi_0378YrUt#SZU>@^IOZHrlU-kH;$Wd9lq(brJJ<&He?+LPif;f42UY&JsAV^Ao_
zuPnfWDg-1aF%zId01*c?MOQ>gs*u;`@pFAi1h+@xY<&v|F|rb{IP+`fWl<<;=@-yH
zO`*=f&?OBI-U$75?8!g$g$QKN<A!CiEnOEv4mlls-$TIz;qmx@D<qSN8~~6Y3=WUj
zKCjR%z;;ZM>lFSeEgW$59V9gJsHlKmie`h0NIv2dhwa9MP+NgUX0(bJX@cA96fgU&
zOMeT6|G9YLA7&BV$(3{t373HgqcHfX*aV?k(CWX*;m{Khq<cR-wmbHBSd~;jb}~xf
z)IW~A|IK$EF(bVJF(3qdxDgACCqxjSz$w%;KKFM$yA%tNu0t1Ip%Sj+0R44TmmRne
zZ4sfFKwD#j7GwTy^9u-(w+o~fLgc;l4e7jS`g8@3qipFu6c~?e^ua1;2@V^MNRyeQ
zY{GT3KQ+J$1UXW*W32?uTZlxwcM9(#E$h6G71ta`%2c%-fStNg=j+q(&<9rbo!7R*
z!l#!HOQ5^r?8Tekzxw^={OA~Q{^9(}U3*K8@e#;@3qf707&`H64e9g5B8V!aexn?;
z4m_3V2m0#9bw6%s0lW`RHK`j}YWB<UCLeitI(8`j)1my81&l=u<wrOLw2~OzUtm5D
z;=*m`Ok0cY0tm#5m4Hh)i!%EX$Lsc2uQ2CNe1K4vDCu!$q|)upmppw<Fez}g*}`i}
zrtVgJulGOJzPSaj2T_KzfoLKd-B;Gy-aAicfI~ipQ<vLw>20}|kblN#xntS}&CA+h
zDj-b3FsNl|^)cpJFeyDZ5F&9fk;*{X&3t`pfY)&BwC7Cw8MmZc&!LqhJ-;XZ;&Y4y
z{`IE=|IunOR^po_=96!YDv6OMXCyI5_)|<4NPizNLEe?oH2po^ZoKvu68V2SwrpzQ
zEi>!D?Mb3l5_zSFC*ydG$Gny7)2`f8gLY0fggAtk0NnKbwJz@ojYV-gP)3Jr+&w`0
z9FXR7f&$hw?;DUTSdk7kL(n2`xzRL*qV*8&6sV+jP+b|ezqv$;?JpP0i5$L;&{gd7
z2MwO>tO=f}3nVszKy>?8s{xi!X8cT0^L~q!&6HwyvBMW{Rcc|hpnvq$aL7whdx-Pz
zEaBPErjsQK@9UaAhFHQuYd#Ac2-(oMM>bHam!m6~4rZ_cOv>>pp3cA6iBr#c<YT47
z$*V7c(M>D8esizq>b{ESll$AN7h$ypgYhOk12F#g-awz=qTyd!C<jkUk4ukume3pR
zH?PNvB0b*1^KtU@gOurZgMjI+bM%K3ix2rR%h%zhC|;vChDzC?cMd3KI_75}Drd`5
zR-4xb^BtH@zA<u$BkCntb^JE>``BV|Ps3oH&rO(q&enJ(`yE}W4500e*p<YUppfbz
zUO_jYG5lGtQ3v;7>jU3Qc9K@JjV(7nBDc}|<PANqYr0hkn~;9(@iX-t9}nXaOR!Yh
zOAj{ie#;_mov{3TR^g@(@fe@rZJ|Fh>pjk6tt-QU)!-R;8$5Mg!XpndCrtrSN}ca^
zNKnE3g=*=8C;Q&8c2BnRf}fr008J!R9I>+$_LSZR&f5mh1%Jg7-ck~sEaK7*8*=(g
zcp{@mKquaD={NA+n;XzuYtS3mi8ipLi)kzZE`cz34C!<Xe%BeaI$k$!ojUu&-@z6)
z_&u}zte?G4=jv#_D!{HdnEp0UR8e?NkeMA;{0B?kITaS>%1b|)yc*(>KF7}R!vlx~
zNkK$(k#v-Mc3YZUGedy^kbX40I_DO&ZZJGJ*h(N16b_zPMtW?CXP9w9Fjy+h9ad-+
zEO#6~i_)$`oRLp*z+7NMX$P-n;=rLUQU<Ub4*{P!gRL&#f4&Jl4HhJ=dZDR^>kb&$
zi6v*0g)n|}W2~VXsDTSO^uhJsL<hio76&~Hs`%CHpee>2k12rj^*h4i{xo9>V;Pl2
z3109!za-Sq6e#JaQrF6ttekBsGzdV`67Y?Z3I>OkE(z?U?CM0_Qq?Auxd2i=BWYOa
zwr6d=jLKIq8h=?952Z#qpQJLeA9!t@>M6&eo1bSz%IHCxda3!Ispm;Oh}vLmy~=O%
zg{?f-?7hGju5TRZK-#b@jHJa`NU*0>G2Jugf1U2_BJiEz)21&@fu`x)V0K<Z(@SFV
z;SJV3G$~T`HuI;88QnT#cLk=xsfy1=tN3keGHn~#eMzBXmDm@F5m)sUivFlj?}+z9
zY&Rl|05Vj1IHWmx+Atgw$5a*xZfi2KP$j&ZVhn?6zy01t(taJMcY6C^H*Y4j+Xy$!
zT~mS4sNqb31@sPBXpit63EuqfYCnYa+<2%7iiRZ+F7ZXGdv{xe?~r*%3gNjM6QY-%
zCO$ge+Y+_{c`Vcyc^BEM$f83MJk#~47l1Q<CHRq`TM5_yWI^CA)qH=tf)kZ3^_Rs5
zi(Ylf$1L95NFnoE&`ZXfw-3w0G2y%Oh3v)cu;F~mCdlu<5NhlslM7iGs{pY>D;4;D
z^p>2<5`dfh)5kCIlRfp9Uo(@2yk9!|V&zj};2RZiApN5xo0uuo2~e#aj4=p7>Q2oG
zPQoY@lwV}H+K;njEgF;+foq&k(|r`${w@X?M^qr{*WTMo@VlxYZZLKb$jEd)B<a(G
zHUq4{1-+R1=Vvb7{PMH9e90pj#psWt(_LP5RBk`Q0xuAYf(;}u?V=|iLOyZu9ZM3{
zxHx%q?yx6<_KFVSS+4owAYTI3s^eJi_<9s_w?BXXtGX|brm_v+MO&F?g%UDT*(4zu
zGM6b+nk3RdN`pdV42dX|iYUrFHcK*34J0BeLzF~@C}cR-qw<~e$M4Ux&N|<+zO~YB
z@ArN7^FH@|U-xxgcZVw-n95f`2%gMz)RYZgcL@56puA{1MECT^<7<!nq2p?HF?K9!
z%7NV)Yyb?r_Py}K+W4M6j2s?rcbppL=P6=w#Ixg>LU@c$D>noQ&uk7Vw4s90q%+(^
zqp{nqvy{Gbwn?nw#S3GKYn_(zZIk%c6OF$m0?MA=?c|?}`Ezl|Rg_~(=~n=Ihhx5&
zoZuP<9+Y%<kJbU+cNE$ccM+(B{d71&7&-&Dxq#Yv5z1nTTWOt7N5K&Hzqw($wb0{k
zYc>!AciF|24QsjA1fWI<)yO+x-7IlO8jAC+(|IWV-QN*9RXj<{KgDl;;fIKt>NOqS
zGjt`~DxPDF|7kf0TMwsPK>)p=fvD7{+;?kmOWmok+25);&tEr7Aa0N}8?3`b5+`H)
z9MwiAM6`n*H3hFHYuj;xj<!PiY=-<(&#_B*f@_i@)CIC-C|U1u=2au}&+)I{{@{=_
zWcEzkKVH1N1=P&)s1jhy;$XyId>b9vxQ^!#z|_4I0|0<qh0R1->bD}h+FH7Kk=ge6
zW?|vWL%Ls}C>X(;G2e+59eg%3xp`(d!p8vb3Gslus!ID@#%Rx=6Ik^XRydps8n^1^
zeSWi9?x`3y*F{tH37w+JK3TUKU|CHMhxWa^X87y-2jVQ?G!O@4zSA#{0bQLFBp`|K
zM8#zi$qpw45Az3yw(<5~hR@8wwg*`UE)e-L$%o=)kvdI%+dXUUY}Hu+`M%b2*b4TD
zYwi-Ud3yDsSBDnt7NXvxfwe0%SWJzjdg)tmqwde5UG`W$)%<oSa4cQ6<!Y&~%HB9M
z>vf-1ust*3SQDpmH?fFY!pO|ABVyN%j%oJ}zeScC65P8OOFVZKp&JO%9On?F4Tm@X
zm6qY3O$*~0TWL)=mN8f>Ugy0I>JX{@EZemkJ8Z|%rh9RPzA#))8iIIhxo*a?Rte>w
zsMkYteiUfFZ-2B8oSYH7O6KMXLhk|w46cmM(-YhOu(EVGT_^Ue@Sp8ElYHXw$-$2U
zPR-fzvPj*s0o6Z7+0!Wi8rC=P!4EgLLr)-6C+|@C2;~)`m+Tc;WW(8$W8a>fndn&}
zI)Gh~-tbkm!y8p?<%H|uUeyVUU|{WOCly^<EybIE6PKgb+24cD!cYDjY;PyVPg|js
z-3eyYDKu>rZ8_l#=!Rp#QeJy<iLJZVu6Cq(%}6&$yZX3Qs#(bx(t#()%`;zxFW=C5
z-@bzBJ}6fEn~{%o5#tTnT?HqyQ8yN#iTbtnlKA;P=46-pM88ew{C2tbwDqhx(QD@R
z0R_`e6j(<qDk{>ZIYsqSy|87wWOhEveI8W;W>VvZDC~zN-_K*Y-CdH37JJj&sa}s~
zG#h=~0z^^Aw#(prJOO7etyVzUH8BIQu%2K^$(xzUZ*o>X(PQAwXXGP0`c4RC&S=m-
zC>)sliY|dnJGlJs=|5J_o|C-ciiGj`U8dEhN*&v?cdA$o;s_`p+r&*SaTYySp211<
zqtm8Px_={LnBmedtUc(Uto^vQS2S*cv+P|w!8PE_7f@U#ur#|6Tr4~~XBV*iS~#*C
zqF1Z8YKzM#L$eEJ-vH#2p_{zgGwA*0ia@D`a-kRDb~S1oNv<g4Vps5XfjiVr^jDSg
z>q{BgT^Isk2KNZbLsG-11dZj^xd_db)r$_|3(Z<Sqo=p$eZ9+%6sAe7!OhAr|9nx+
z*0s>lHzTE!HsUzwcZw!26ExZh9qT?jCxsSRijP!h=sjf5>0FyzR_}O_=?u<aHqz`?
zH+YM<vFa>-1=^R%z-|zB7<2Ij2{`t$hO9m^F$ED=-%jE-$+62ISly*D^&*!*i%(C?
z)-FcL?s#=?Px16zmu9_}Ymkp-gMF9b<OXOZ=00k5alWVbb(^1}>0Y1`WN?q$#O{vq
zT~GL#G>IH39B55E%Uz_X+1n+!@%i<u?+Emfo<#&6mz;;k@Tp6yMuQeB+S!jWJ#fvJ
zNdj70pvq&ikn!+eQ=92z364}(rdBh-pv4@_ejW9ALbg^Y*sZz%hQwxKiJ4o2UoELy
zdPTxm0J_rMma2sgAxve)ssjMFnm8z{b$q`PU$g$I=PQ}mx?jb&9nghKK%<iXrwy#n
z%gSD8ob~HeX3-GICcPOaWk&5y%!^l=9h8^l)b{h99KBc;%>LY$c0ps^USgj{2#`V5
zksRMr68o`>nX)Hvo;Hnr);KwVeXB<VByTHho}GCby3G^rL_H9OT*SkYekgZihTL6e
z>~n31HSIz&{Pv8qm3dP$9xQ`BVEmfdK#sot=hVV9<K5>w71n>8xz`C<mQx7ZAi72k
zx-CTxeB9P~_PU}U2&3_VTU$8y9oF}|$20qyaa0@c4|sS^h`w?*0Q@mS9KubJ{m4E2
zx6&LZElocvC&M+@js2x~&aKvv%+3BlZh(6bx)y1lVoN?9RL<EyDJ=B}9S@lr<iG=0
z6(xSkGuH^c@&AfHuDv8W(@o^ddE&%jEKh-WG#JIJTHV(A7_z3MpK9b>r7gg|HbiO^
zEyxMW0>1@|(ru!F+S#5H$~bE}Frp>FVT}$;G-^Z3zPDMj<4?8AZA5GrPKPPW$ZCg0
zTo}xAPO`m5_ciN9_NvK;A@zq{PTFgy5Dy@Sa{sTV1wH(7)?rOVd}gNdLE%L!EsH5G
zh~uupnx%q?;l<7_o=fv=JC(})M2Z;i?kQQA;JnJUY}dNWbD7~ek&bqY)(9>fSO=3q
zn+VJcXLVP!8$bE|Aj1l!>o>Nz0gL>x=kRHcVis*RVU%oHMNOiKe15MP*xr^B7Z$p@
za-1toO)XV}LmjQada5C+iB4G{*?E*Sha1a&1Hj;zihF@>LeuCE{x$pDqgOwe5S9;w
zX&`-V1{lXodQ}@}^7;ovm~uE93Q--Wn|y5T-E7x-|2EQ(O=25|60<t)!ZXs{WmL_V
z=9p2H4{CWz7gxrMTgwJG?{&E}n-;JlC`2J2k$z1%8kFcHyXJ05ztM|oommtmw#Le6
z=dQC%9A}m*v~yGWi=I;gd^H?`Rc%XF58&hrYhk3YUC#ogsBb4!W?^Njm5j92`?Oyy
ztX-3$J0yES#O%G{XZ9t#b_+&*lCAs-Fu37L>bQ8cpXPR1Z4TwGAP$W{J4ecD(duP>
z<G?1(hk-os9ur|(q*VftbL%_d#dm;fWMlI_;Sdc}mKNOc1A4H>91%gqXFx1my{Ssm
z<88_61n_hVMo^<pvL3b01=O4FEvTP-wU@>tnNTof!5EQ=9S6PI+OOH#<zB(!0qT!@
zXXfwCi-f$)juHxY=;PA+1&2RB=<67Q1o-XQM{CLjKA^nL#${yeEpk8oO;YevV23N8
zeJ#hAz#_F%-{T%LIkiQxO0ag^^(%I!G&*q6)aEPTMe1v>U(jMc85YIHw(g4K$9=Ak
zt}cA|5^~kOcS;7#I2aTw89y>6e2&m84lu9F_md)2-r6NvnX&vqY9Bqntx8(CDvpCE
zLr9Y_@7cwZy@^f9J=NZa_&QfdCkc({`BPoS%XGIIYxLfCZK#?sq057xwDjWBAD$^$
zC{I+KOY_$kHtXcMcT=@|H}qo0gwq5j%tgFGn%yo6t%KA8zYo?Lts%nZE5m{lhltWD
z>r=p(L++)!O5OC@EQ^Bl%}kO77SohR3fKqE2{t%>1udBqi><h*Ss%zP0JfO-{T9K+
z_BzGu_N^27$S5yj)5}?sb0f&=-Xc~3v5;TIEbGf7JH8m4ppk2EILSsA#`($bESt!K
zQWpeiORJ&9as63m$UUBC==!3B4`C%efm8|3@wUqV`D?%dpEiDVVlJVTqSKnK;iVMV
z^E&!~nN-RocO;14-1Dr<k%JpOmfd1p(;|HBqtC4Ov(U=XGlKU9n(2XQa&Dy2Nb$d|
zKXkiFD4_lp>HlaZb1|e>Nt=sM%#W<P=E|zWeMUWSUJJ~z6eSW}@BYv`D8{7!VwO50
ze!f9{FKFA&Ir{1H4g1rtX)k~Kylu>8%qGW5*EDL~rg^TyYhz*I&g3QLVTZ*&?nrUC
zrmXfQp0n-`D+Le%H-mvPdg&{#ZL@j6>X$h_y@66>e|w+L8Hbk&qRZz+93k#>w2YD&
zZm}zF_(m**0%#vgg?*cMV&}oXg-VDD9Sd8;<JJ2E=6iHpo3H_HcDoDC1FbJmz=r;R
z`x@aX%0JcfR^sSqK%&qvsS)7d+>-&{&8}~13Mg&D+lamIKjO!yn3sg(Db~S`2Hzjb
zhh{b7|3uDoJF5X<$EO0wRHQo_VJoKsi))k8Q)HQkt^-MEPmLuc{pkOZm|2kh`Gol9
z%h9O4s?l3_L;<6EZn)@3yE*|NPkei8jGmGhN%g;?oh}LTd<>q&8u$}gc|s^MJvkPI
zu)hgF=WT@AeAu(QeFrLg2|1F-^jPz4gw$j37_Y_e=$nfl9R45!>@gat2y>qznr?1v
z%_U2Tk#-vN!QEg6!mN5FX~KVb8WXJcdU=LtI-Sc*;>)3azjI3NGjPYd+M$r8+*gPr
z<06q2Hk^(elk{T{uP^dGy*4_iQ*jy!m|d41EbOu?4P;C&L|wb%vKtJUi4vy2{n>6|
z;lAdaoWfnO(lReQ4;_xVw)bwY;j=4k3vC!LlUfJ$U-$iH+chJFFg4{8MZUr1UQP78
zfbnCHk)^4D87qri{vz@N>6;XGfqvATeV+b7p8vQ2<0vd0fhZG^VfwLw+Bp)arvUG!
zVm<p>#p8!y=e%VSEz5A1!{}AOuQ0US)*&9cEQaDFTK4dXv*Ss2JHEZmqF*js$nh!g
z7(PsTXuHQ67S_@q_Z*)uCN6R;d{j;IJ4VvHGM16B>XM=jEF?5eHM4mdr{asBpRXTD
z-^GxJxM7R1ouXq#q|^xLGIbCUq(55SXt?xM33H$-@wfl^{X<6I_pCysXP#LpuhxhR
zo^%;aF?uNv;)&ky(2Ff<{K}6w{cymn$bDnuNKiS@#<&?6elVBqC{bbw(29dI_9F@R
zU|=cxcNhVVYnu2gxNRKb52_ym(j7}$7px`TQ^QsHCkM9oxDa?B7J<#xOKcVI+W9hU
ze8-_dm?jN-7W^L4IjFt;pNggR^8T%+@utFqo(7y{VaOFsuU<>q{|-IOTka!)rPCoI
zkt^(-YD4E3<a7+e3)29b((YnB!p<U3<g&b!80YoSS`jBf`Z&>coMQ|@J;GGd{0n*!
zxwy=q?<3)U7VsR^;NT)nPdpFb`Wx2=(GRHE83by29O-%2^d?LAeEi;;ncvg=M=d!{
zQ(5koaBcsL<hyC?T2ib0G_72S<cq^P^%~$5o&yizV&jfXS)AGib39Rxw8{&D8Fcp|
zpfL%24GUjN-e&i42R<P1C!B0pwRg0<4YK==`b)a=Y)d-wDg$(9n$|L?1>5*Z9)d1=
z(}}O&GCvN~-p!C4*%;RdGE-*0RmlKfW!zfl%Uq|4>6hEauJY)E+hV^aE;e2EV2xJi
zJ{{5w3ps2rj>EQ8i$>dp!De@!{aNJxI{<vH1TJwIkUO(~oBSu%-yF-8A3(8oKkHlQ
zyOVrDb3#&<LZnJEbzDKegw3d8&B=z`Uz;+nc>Z@OrL8uoO&``;SD2tcH+<P&#!`;w
zoKO4eIq5g~)QA8c)8(3vmU2?Mc6w6V?i93s=+ig9zH`M7o-Tgsb4O4{FTSIBdyR4_
zmPSK#nATw%EyEpDeUBN_#-+87ccW<Fe9>@vtZA#ZMWV6vq=&r;om~9#2cM?*N|YfX
zDc%r#TYK`?;9&FJ8_QG7Mwy<^0bNwCaWH)7Kdw#@*kEch!2kAnD2~KGvQ=R}sTIDu
z8uE?3d*5_1`i;P37kXVu$zN>W^bmIKfTkXP#u(fgYjfsn&%)d@7AueEIz9QYigh^f
z^f{PvOBDAo#Jyjixs*|dfp+EhYQh}Nq;BQ5ue~nvHVvo5M-!0CmHn{=F7z(6_9qk%
z`|AW#-FWN&_$(au@|r+XR|oMgh!><cPIe9TH`&XLmm3J16Pcz{UB%(2(sA|=2j3l=
z>omy%M<o<kM!2d*Yq}PO&9N(mJ1J7vxL#e@8gvD1O!tYqC&-HtXnBm~n|ro2*)gT0
z_L(Tnd4$B7YR(ph{&21pxTNU?Xm|MP5W`&9h4P{$cTa%p&z)Q)jt@jcz!}w^mr?j?
znuka{(Oql!;T?t0_%x=50+Khy)V||g+jL>MBsa_9KU_{730g!3FWtoprh>XqV0Wjb
z+_-do-4VSP;rg9C^1CYL9#N9YjB*%&H$b48wNjVLxzAdRz7IIW_%CbWp$$m^p*USt
zKh*t}YiR0@u$aF#zka<de8=w?aG9bv>o%LWmIO@vfFZQPknl?14^%J_3E<pkaE9;<
zm-jH-8vN*Ro~$Z<iiasUDy4CZM}au_r0G6RihQq$WAH!-g*@W<KpZ#7qH*=ing80p
z<$Qn0q8+u@#%5dBvs0x*vse>i;*MWhrhCgbq&qH&PNs83EiZkbbD&k2@2Mq`!nf$?
zJPl=p{Y%9enL`+)m<)Jy{JAJ%Wn8~~iVEINZ74IU>pwhr*tBkI-QD#cc3GvEJhj^3
zUC?J~oZaU15h7N|?|NOD<6ZrNqPVyFss2mC0y%rZQ}2*7b4~Bm5lYcqRr&4j{gbpo
z+czkRo#V!zZ(?o%gy|IH=q`4;{Y||{W+0+jR<nq~^iS^fURM~co?1r!3)SP#0WYFb
z(MRXAD?2n_NqVDikVPnLt^a&Nnqdcky~_mc)mV8nxU&)BG)P-*oYE`u%OYu5Q>cd&
z)BjldMpEhEUV`3sXzDW<*wqrB2z7N^NHRoz{~EkPat0(sB&Sz^m%}@3y2hN{yNMXY
zKx0oSMV>{Qw*bUAM|UDuC1xhn+7rHoNT1Tgf0CjP4X|{nZb5~;Av`jc28i;K*lCx+
zv0NDb=Ga(@#x8D)&p6bO+N>nDA%?_v2E_xBUU>BJrOs4eS+n1SU*%Xb=_$`qcfj}n
z<g=@X)l$D#$iQ^hL)VG!la$T|^Twz@n`SW`HI{f|#+GJ)UB45c5tI+BsDW(Dl!Zym
zC6W`+TE!u@v1XqFWM&8gZBNM}p=k7#Wknr;_G2X$6R!@!O3pp%K!~IuauS6wQN+Of
zMvs3pNd`TBe3sruRU_>E8S6|Nk#T08FFB?AcHKOUH{sqX(QRAgwT(Xl8A23VyaoWt
zqeTKIZ!VwdV^11FfP)K<^gBTLUDn{{T-ER?!dbuGZUfk<LXpPU_S05x9yf<^_=gm~
zU=z9h`%-y%Ip6EoufJ#TIqT3VadvF5=Qar4Lg9Lo;J+aOT4Xx_;;*ZLZBA-W($O>V
zkvQW>=vf;+k*wiW71WZJIkq1%bP?a2Av|b{1;KU89V7mnM+s*pYm|?F4wH9&yE4fp
z&))VZKoctVwq53~CvU3(PIE3@>I@0+n@3PlO2%8oNxp7hR8%1G;03X#XqrH-d1J*#
z?_ax;pd1dens!t7>Z?z)ko@#=UHiSvq?jAqFAVO_JvnBa&~kiKC7QSI?hOmKSN9L5
z{h4OuYfPaw1*PSI8ZQ0p4tUa=kzW=jF9GHo|0zWieCV&d!9Rd%F^}x2ty@Nfl54%)
zK;KgF98FcNOy!!fcW`K8SbV1p3T+X@<0vG;8PY{)CdkTLAN_pnMb-A^^2?0d_>PuI
zU1W>R)|t-iJ7SU%@g~_&l%%p2XZ-pO+)la7y*eQ-o%zb;TQ~kZP3I(N+E*Ce-bSDK
zNLvb75G-<PWu@;7q1}`kCSlZbwG0RvAu>2!`v!dd=cM<2<l(hwIK^0~)<&E^Z(*^Q
zN(C~0`%Vs8Ht8pREV%-@((x@f9I|A+!niCXD0^y0z$)U|wQwrME^=E_dy;R$0_FBa
z=~%QgIx3S~`f<xXs9FB8^%B0#cmjN8WUeW3<(;EpThf8)$Y`e!(HHV(4`lJ(NLlIh
zkB-Zh%%*`O>ZC|`7`59bVaID0^cu7a${C%Z9>1N*6}@Z^bc^$>cIFmHJ}_Ff<kfqk
zNv~W!RW!8psP$O$#FY2;rm{_@KKXH8;i4uchXwool(3Oq6l#8;^nGZ)wqymCMYo}D
zXcE%%<oE?kk7{UsSAx+M3G_bW>pH0dc+h*```U|`HCJ$eu;mC(9Wn~(-F@dP9l<W0
zQpl_hZp*dvBc@0Nrv{f(SKIW+H(icZ=zJgU%X=m^DDa1BSSk{!^lyHB5z-GeMQk?E
zedRZ}VUeR>a#bewn5O|XFu6qM>@Ky>DS7_F5)u;qCsInqBDpB;5y_OEYH3mVX-0Sr
zdZ~-w-fFjlme0t>c+sbq=R|I|@_MtiDd_0y2ajfcv5e<F%}o6JNooQ$rWmb&$%R9U
zWpw9zi8^$nM~~TOm`VP9iGd!S_@?NN(S0i>j+IMa?1-HMFXj@15r%r#&_bpC;s2G-
zhB&ELl*ligFQ2<P6FYf4TwV$Mjf60OxP&8G$KOHeUnuaa7S$}19%+qRJMWBcK(6Z?
zrRvapOu49!ckaHg;ymxw9%(@Lo@UMb1r@7MMvov$i#l~#Bi6ic&Ci_UQz0>$DLxXY
zcuzaMCQUV1k<#?%*2&$g<5ON8fjQFr-E-idE^FYhoHx@io}e61R(TelD)R4^e6?}g
z#|*U1{xk0X!kyUJJ*9LjX#R59NN^Kj)mr;E*85W8Oc4`*w1o)F2Sw#T8dk~w`xnF}
zHiTVkU}+hBsP$gW<|k;MW_%kS9=2Eixv88RFm$dsmjBT83!(Umk{A2QZq2SnWqcdN
z1HxlUzAUg3y>ek*-1R2<-jz_%2p2NWdHiEfdmtMojE7^W3L<6hfkH~?rhx3Vp?;G^
zw~wQYnha=^xJ8IB_(C2V^tVbx@1jgsz)@VM!j2U(kHD5_bf~*zC~VIFguK$qEgsS^
zG7XI|PKbE25Jn|h-%i0CjTmI9jZ}-0=yDar&9G%E=IG~0z`N%PibffJbV9C>cm#w)
zbru{@GAykDf{a8*DlO8z5qw$EQ-sf|qe#nVjDUTTH2@*I7BKv6FmlsPh-?uLH?!BZ
z%u;Y*Zex^*|0v<j<3`f9h=(cST-E}la9b~-XlBy+>xU-~iFX7sh9?IzN;v~?`7_Jc
z5T*B7vTh>vD}#t#dYHt+@Mybxq>oGVD>c{G<q(^zaAD#an}5zUPFV!G!sw=e<6$~Y
zNC_HncvEYsBY~W$M3O`3C1?mX<T>c)c&ULhVXy)F)tnGoX}5CM>%Bn*xXZ%S=;q5C
z8+H`I=iRZpxV~ifi4*rmw&tfxv1FkR_7qovUmDL!8?&rZlz8z3amZ?LMyrrCNcp$G
zzB;9|TQ^)%EV2Mw|MqI1%O-T$VjX%(jI8uY(t!HuM9I9C8)!^T*5F)UnR+U*9<9iC
zAh+3-_n|GCkLDLYl!&8!O`9D{P6%4}lDS6&hXTSK15%#>Np*0lFo<1l#@S&Wi?5$&
z;j1o#;sMHgC&il|I-UonskHmPPDZLl@JsI`wJ&_z{GV}ISM3R94{De@kGVuN9;g%>
zaBoC55>v<BAdf^-IaqW1m(-1f&{`Vrdp%s@-b-{hcyiBCZ{Jz)fJajboIiy#qi%fK
zVE8qs*d_ppxP%(dBb!hK-z&cSn#RX&ApC;SwOsne(#XCjUkipu9}XO2+TRC?;s3rO
z!oD$kY&KMJa&1+Vl*QlKY57{XEq3L@Ny;JMXSaD+g#OvLN=>>FhHhx(r=yK?PlQSO
zHLk$3cE9@WPA*qYKky@-1G8DBA9t@k;(Yqcbg>0~EiE=Gn3SeqfWjg-m?ovKztcck
zjN>&WH=Ska+I>K{ZmHys;GFp`i4$hp<pqkTP>utQshr^{JbwtS=27HnO0LT{EOw+E
zP<x!IwM`I@c^fuj0V|^%R!QtEO?XOjy@M@|;1qIpjV``*MvNl}uRgmcX^SIX9f?;n
zF>-SQ>=lc~s{^?lJn?H+VO;;R?dMc4X~uHZS6alTo6a#>JCv{y4{Mh)<H}BQ`400e
zS+YOHpmwg!Wl4_rra4CIGCJxFK5`@$vtn;OzRA07(R>u(!I3GgOTEkS?>DsTIB;n}
z)_Vo#4^eX*nJGLaF9>h<&(C{J9IH#W%QL!FLvQ^eL1R{lktosTy6A%_QFL^5C#Gf5
zUZR{2js&UIv#0KFc`^Oqoy*xDbbrrv<!EvmD}_ZhLN<7f;6u|JaQ^u7nooLxOv$y<
zwz&so$ItFISj8yB5yt|M_}>_g&(ULW+prZat9kwM6H5;oprV-ix5bCxlwg~>ze4X)
zs-(+p)r+s>SVZO-IX>=ANC_rg6YmMX9G-`hKL=z9@s`M0P7q!$XcUGZl<tKfSmx;-
zJ|w^#((qp)+li2Laa36yg?l~>RPw6{8-xt^0G?LsobyzoIsguZ^Jj75n?Ocx%Vi^b
z6c6KQCL=+l(eYQC>`fvzj=VytYSlX4Q(x1Vx;5q&-!E4pQYrKPsgMz3E}TSV+ag)w
zMAQYIKl{JNurJ&QaI!G_od;dO!LIUiPE0wVxu4NZfW952g~TGZWs&f)BXhC-=ei<*
zzVa1m%eCW*qu=AukzL>dPQWoRjL7^*g+O8<L|9D_BGe$&wVL@`%EWXYM_*9ItuLBP
z14-OWruyC62Wr)V%co|hJjCB5+(3>!w!_r+Pa}Xq2s`sqi#7Ecwe+Sw^^(+TtNdrv
zKii1uQBFRgpX3~0ZvwTP45kxoxdpUKj6^9gjG6Va=;)1D?Yj>GV4TbB(0aFQfS-v0
z&OS18WCXy@bExzh87v9G4M+L0D#4EdX{6a-yGWbG?K)<OY6hb&lyzXaNZc0B?5bxJ
z)nlOgcC^zABAr$zr>4TC1u?(Sj-zjk3X0lT>qD{#j<<L~#BWa6DL(Gp<NhW7l+1$C
zFuFH8PA)PED5(w<p_{N?7`6Hd8OAsSvpmG#Eo;5+d;-Tg?M^?HejWJMYyC+tU-t2l
zr(>5%lo3DcpsIK7gfHg_xF<Ls!e|%s-PQ@p8lYu=5oqY6Ng70j=u|6b=3(vWq%!q)
z`F3OZxZa&?Jy5F1p?!eT5ny@8=xROJY&?_RVmhy|??t~4`&m3@15uTS&(zg2c<0n|
zfz}0j#yPf68>9If?6(ggMnofwW@HW}_-mn#lqW-i7N@Aoui|@=cvq%wlWC5>`yZQM
zj?0w7FKbHknWS?R!|z1zzaXugSwtKZkJZoM;fuxwey{8|$fY+!4PQ7b7RI&b$%19y
zX!d_c(jryHTx3O*J18<U)LhkqO`8$)_x88s)%G@!R6l0_?G%k|g@00f4qJ+HS9I~u
zTd$)v?Ucl;EZacr>3RI+Mij(@(i*oQL$)ErY!dd-*C19<^snB5Vs{xjL<Vb`(#K0_
zGX|)vi}a82ZE58{1OCYf3|rEjT~`W$7Bg8Ey(5uk|D<M*h^g>~1vQ`k03UusA{>r^
z9Zi`jn>QK=sIO(;@&*TfNnd(wEMK0&wG|hQLl`X9@;~79EeUKoK~3iCm$WO=@4sSl
z?xLRWv~<IEwXtvK)q__#-%3hqx~m?mhf+?jchFrnNm_^VzoEArpRsw)*8AEx(hCWw
z`UlgTH~f2G7FSSuKk;n*WM7wHr)9c-;pVFGMiJlX>wK4jX{M^cnTk>?m5w22>oPqg
z+zhOA`#XSsZNH%Wx=NZ7Y1Fleu2r%kCdT15dBb87puBv?*H@g;0K_r8{o{8z!5q>b
zocnon9j7%%+e19UiZ?cbut_#Hfrm(f&Q+hUc!LX9_P2N_K1()y?v{gU;v9TYf2#%G
z^CWxHacFSgL{Z%LPwTJ*aUr@|FL^lH!1cwyrsEzXTrZb^=~7cej*`s3pQK5*M~D1+
zDRZR-%xk!AQ`i4X<29A>E_=0QOWf`MD+n}D5PU!4@D|;wKLMs#0+)J-&QN~-4gZU~
z|8BDd9}#6NEd8JH@iYl;&%(F;)ji`(y^j0HXB4aWvoQGoqXdMTUk~M-=W7o;ZhSaI
z0)M5t_(#9E4X#JZ=;`ZAianNXIQ;(678KYr7i~^$RTP%J*pJFjY<*XV3^vBCYi*n{
zx(V9Fch#dg9QlGcS9S`XdM_d(#w-yuJb&q89R_rSiUvD0;nc$-;mYCsYxF>VTZL`S
zCR6Xi2x+G%DuV{J@E%%)kBQLkU>I7SM=yGI%Gh`M+%A#Zj2-;XKzs)mz|ufBc(3vX
z(ELRhk2|agy9f5a2^c(Gm3?_8Vv&343iU6AMba5jS`v(??!5+dC)iHyy=yk-5;V8o
zl3WPx<<>V%<}dGp7y{_UmmBA{*4*;P8DM3(cbrw7-%`pb9wqgam}CAcVOL<;Ob+q(
z&3P4)H^W_`h<mrvGIai1JV)8ss`CDDMbfQX{fiAfB<SAve4v!k1`}Z_<S&a3Y~<zI
zOr!CbhnpLtnQbRpgy69*#!2b#k2oi#-gP(d9__wkW?f|)R8m9hrHq$n8(wTh{2*?_
zF6<wZdrJ!$B{`NZ%}^>ab~l+-X%U(_-q}>o(DFe@TQ(-`1x49v|D6(t`NRhE=y0oa
zY)OB28F`ejeWR`}jF>N_4T}A7tIWz_^LHvty9T$qPe5(HOcthP#;vaGpw8c^FXaXH
z-qnLc|J!V^m1OVvmP!5h@l@n|AW{6kyP!v}TwC)U&#PeyrFoH;2jPa2nh`xwIWYdB
zklJ|MJkXRLgXGQ7%d4>9BOqS4GYDHbCu)uosWLJv<6|LrjIMCIgVbiFq1)c%bL#!k
zV31sN5tv11r@m+qJ<{rw;y(Hn_3)`_l0!3vTguQs=lAa-;;|z01sJnd4|pkcZ??K6
zjQvuvFJ};czFSCt5(-5~2|b8WHH1FPa*laFt9!b_Ma{70OJKN@MRYi&p;b!OO1DJH
z6ZNmSgoGYTnOP9`;cUoGs?p(eL_<0sGkOT(1I<)HlP%m=hz1kB2AM@P=Df?8*>}*9
zU;<=XYWnpoTpFdGO^uxQG>nCkloZzuH?@OvvxIm}m1zq{vvxi<f2s&A$4)XY#Z<`f
z(Y@K8+)uyLx8HZV-2Q~jEZqsKNMwi|x9>cT5beS>9K#%}ZBI^SO|~JwB#zOx9tg5E
z#>HzzO%Tj5(dT!&`OS^=j#2}d^-Ct1Fda5{zmv4#h|=eV$LFiQMrcnHscIC$_aY+)
zeagprFa2lzk(>E1>UKcEZJl(P@9|Ekx2HhJCGgzXi0fFN6>)LsZ+j@0pQz*RvWHss
zh!2F!$qQG}jlXoRW!QTRiI3-`%w)zy4x}Nq2hjeDBelNm<h9?*BVIpVu5(g!gF1)g
zTqO*=MRzR}k{ge&5dT)5&!tz)8^j%!Oe~T4)nGM6l36(>v}$7@ugy641jCZ49pRS&
ztIrK7Zw>IHlwPFKvq(xxnzJp($lNhI#wt&<FXf!*d<J#b#%$&{akU^`7L5#EUCH7;
ztNEttHvEbc5c!Stj`RjZctJ=%?g2$@52{<Iz*WgcO5$C|OC=)rtgPf+Tne<L2bg5v
z!WUQM652mkL$qu6aoG{6*xDaUre5wM>MC2WVO?pf^k@OS%EoH&7Q3M+wOv7NXHWVD
zDql?Sa!-SoW&7cLft@MJ*Z1}&y5l1eK2zH9rAwH9{KQ4PevOQ52Lp?sYU2-T>C>BK
zNN$oLz;c>gc%<L`k<x*BO=E{|ij!+ZyoG+zPY%NaTjgyFm4;>sx1o-fW#Zm_Xkmb?
zo_2>#{=R?Fg^N4qv}7gEFB};MS(09q1uJfm#29&wGX#nmPjS{U+aI+&w2}wffUInW
zV-Tf%L&u4s4y|WFy23ufVK!as89g{RP85}fSfYty^}Dn#8>r3*D2a>2&%mnO0}9#3
zQ@@~eA$C(*KVrE%*7MU&Ki|!8|AOiu*oedvs_(QKY7GA=;`HE2yc|@oj;l+y2yHm9
z;xoSLC?%tgb$fX`6q!YP0Y=^1^!Z%b6$Ta|zMbP-v(3+DZolfh4%Wb`lJFyJL-Jal
zUZ7Q*Q@t4y$e8UK<g-={`a<581fISyOjE|8#IkxJS8fzd(fDh9xm^X_Ur)OZRYb4V
z+kIW};H^naEQ@^=RI;F*Pmrti*PgvM2lvCjA2Y6mkykD@N=Y1qw89MZ<m5XIN7?t(
z(id&zTUFl)5~BH2Pd9>1C*uHW$l0y&_*?c9QXvr53Da_?&m6T+_n8PWR`I!PbO%1%
zBpJp<F<K?A6gc8dzhDB0GLQ1@vK*diM!hO{oD1dJ7)jd8@V_}ky)gECZ!yc66>~0P
zP?5Ko9x7dZ)92>w8K@qdD(S{571zbJdO!OzZMe^8RKKF4In0t_1>b0%9O^`NZG%cY
z&|G3*Yh0FT2Rde1M6%-_uro^g0ptGkAINq+YIb2NK*2`{>gvYOVo!G_0`e~cY{Z2m
z``5STy5rvHA@#K)C+>Z`ui5Xzp@9b3OFe(vH4jAi;5E^wfg<^CG*rz;V!q>kEWg5u
z>@d!6e$t@bTJ-q%m-G{#i=6e_$yBsUZJ3Yn3180*1#sMwvwd)g-*863XwghsEOl#_
z5&e3fCyXK0nz@hVcqoW>7JvVFcgOPdlhDj1!PQF-oL`n{?~^ECMFC3bA$JW&W5Sbj
zX!`q`i=e7(DJ-!G)@<KeAP8=&^Ug=ET9WI~I7{7&ai#6YU;eT~zhA}}#Emf2;_U}S
zZG;lQUg&#{(6TmhjsKB&uR1r8nZ6eEcy6<I_xY+qI<tFM4nls>A#72_ML(tk%4dpx
zZ`gRrHFDXsBx9e>UhA!4%AGDt-muxEJ8dmyVmG428t$YH>|t}?QF;A0A=vj`QejKl
z{@HhrGsUP=K2mcNSG{aBT4Fh&6+CP7gdnf&yuDB_frDxl6xmV~u|?u|Do9DH6>dhe
zy=I^qyM=6#q8QyLZZS{4I;6i^cEhtzdhM|X5bv!W*n8pA)1R}7)a@a>ZhR``sX}y9
zA5hw+w^~H#P5ZF@zL1;FDjKJ1Cni{OD%z~dA&7?AqvJe=2u!tEH+(%Y9*05p0u`kO
zi)W~Gft(UXA}hj#G;BMLM@Rd{G}|Z#a&9+j`s%B?=YdFL@eH3#+K}m$f^Q=(UBTWP
zsNKx_ZTdg#)%Rtu#71j04wqin?)x;MW4*tM>w8yKGC@=*-E{h_e=z3)#$+*~3Qg@g
zA%yxYX%43CCbZH@wV$U;tpyok)wOan2FvOe(w<-Qf>ut2!Db?u=Gn4wLHkX0yNlHi
z#qJAakC>QI5E4zu-Y@pixs_TvdPSv}qj*&EXI=pJ$zy>q3ToTDlI0dq&G$de&*?yr
zGt9TaU4G0(TTaUd^U8Ls4j+qyPoLKApo`&YpOY76>gl$x`z?R)s?CAq-x)=Vd*3`<
zeeu1}0{LUl-L~?XxN-${-h=sj$r%wpx{uXVRr>aGcC_lt8HToaB4jO)sA>yUp%m26
zsU%<jF%nDZ7fXD&qJDSpkf<l7b2QoR^IXp|{{3K?&ac<yKc_Y2R+Z@akA>JI@>;b@
za?Wi3Tzq=KN6}6g_9SNU#dX!Yef<gn;q+8}l2ey%zUS93tNlyTTTtC)=vgU)sNQhE
zMDmJuG`m(ljC`FRHIlY&X!MJ7=tXm%=INNKncj%d^*N7AUHwJ7U=N@1(<NUa&XxOu
zz}ihj`Aj%*t9DpETh$Tnf}H>IL4HFz6H(t_ZoLD!1*{eh?n#y2{;!k4O309oLtUKF
zl;C>itVJf9^oL(JMg0f+RI(z@sFYMIlnqci6ntMF4ZBcW@^M|qSuVDT*gIzzDEi+}
zZAuDLjmSBgp3^pb?&<9g<&XCcTHJT7WV>puurVu1sb$!FK(07f4uIA(DckdAblKE6
zYKl5Icmz4#e$(&f&URlp$Nq!<*BO8NP?-77R9;tLQ822R_^x!J$<_T$Ks&=_8%eR=
zrK%zxv6m@a8)=I8WAjU$#7B1-xs@F7_gQ}D@C(|cbOz5rVU^!Sk9T_S#P~?J-S#>Z
z)$xx)E#DT=UT;%)Z=z}Xrt>$ux@HlrXt+(9GO$+<pe@nzS^D~RJa){qf>YC$5l2q<
z-ea67ms2VhVw^FgHdxr_6q<btx#H3Yf^GOiD@MJP<$h0BU0Sl@vaf7hnY>l7U`gi_
zzYPb81~6w~MZVR_^OYYrw=mHhX)U3<BiLbc&fCmOKV?XF20qHQJ~KZOBG(;Sb0sBZ
zHQm$B*f-cdxS>j}<z@)Q*6JGL{3|E})Uea#%W}geZ(p%BzcTuhrsmzRmyX{Y3VS<F
zHFbQW?6*5Ujx?;v)VZVR=U9wF%K1hI<(5ys8Q$c1iiFBB_n$vYPs3;2AbNg$m1!VQ
z@y4iS-X#e;Hkv=n8G6o2&is)j6}>izPk*X~ww&N_5|rl+mNp5iE!nnf(RiM{({(?J
z7vm%Qa>kg_SDiz9O52tMW#nBID54JSFm~;zj8r^%-FtTWmp4B}t!nAApv!r5djWa%
zoo9R_@aXZ7(t_aU<%Qu|aunrwL|)5*(`668`o1g<p`qCAJ<z^5tkI6bbEMivj8>bG
z-7u3$w|LrjowKsPLoJ(ZbVr-t76v0LyW^XF==s+){aRqD8}8qEc7J`MmeU%O%<3}l
z^X)sz0#-?%=A@T-!`j?w7yh6s^-0qyPL?HyHZfjk$>fq1d|fG5IOJcz=CClc)AX}*
zi`dw2rqx`0@BIBT!$&py2Z6@*m~cv|i!^ha>lYsCc(VNZl277Gf3aH2^qr=A^_@j5
z@z3p-oS=L(*%M+{LBD)C^(56kaGm_rKJLpU3y;|~X}(ARd}#LUbnxqyd}L->Rx;^P
z_m#EhK2q^XbjbWztmiv^tBhw;qT>_4ksqpzzBJZLzY49dNL_I9d!;tpb$$C$%q$Ze
zs)z`elkW=UbsPFoc0|Sght?E>(z5cSf^q^3Sb_WMMG5X^(?ezK{sW85*xx&km)A=3
zSt8Dly(~S>dEb#qv$to$FR@qfL!PvFEB~83YIJTE)0sO=ZCZ8$OWLn`hHieosqa_J
z&m{kw*}t6=O-FY;*|@PUWaey|J+=60;1~Kcc6?O~j2?$uZfo=?U(w__nX~EOm>o5F
zW1jS`mzL5Ihb-uyINr?5%X3=0-^eJ;QB_Yh%J;*-{)cM&&6(x0a_M;A#CvWxcaCUk
z<vUvz5-+F`o7p4L6E!U<J=$OM?HZ@#X;(9*IXp%)nX@=m;6a+-?kJVwtsFP;RDFJ~
zcEOb{d-!PR(8;}Hf68JmLz*XN95Mt}E-Rfe=kxHd<F>XcJD@Nqb)$Mk>`PsOx}?f)
z<DDyX{Q|j*N6EypmDJMgpEg<HXSHm$UEykz6x-?i*<cmwX7lrE&;L-lTq(5ULFzN(
zpZe-JnYJ+Mb0<bbC0!4${SS6Hhgw|n{zA8Z5EPfIB5LsqhnLIDO;ebI9mMdSag73v
zXXjyu*SI2;0*_Sq+WY~Fe4|i{A2WA0TQXma<HInG?DNfI^EikJdPFsbSz5d1(Sc>g
z00;hWT~M;|D#sz`Miw!QH~`0l-iM{rP*_#9)w<%H(4h+cqow`dBRCgP&+%SRU@0@W
z#j@|eA?q;ME>0^5Ik0cuThXAH4Xe<fXh7yF{Q2S30s^O_xJLG0qeRSZ5!UXcSu)GN
zMZo)@_p{>K)tGtmer^C(e7%(Uoc%vpJx%aOJ9#)?zSuP1KySf2M+x#s|7q3>>oQ;{
z!=_xn5yUNv<U-fg-2)HXFGF>?+ltIh2yFwsqV(~m3-$3qQKHxUHvRohG)FkA!OBKq
zWeMfWb+5BJA>Ee0YhoBWpF92iD9v<k-%dsQ@(|1BGFB$n@*38x>NzHyCJh~NyFilk
zk-H6vVj7%{zj&b^PPDao>*G^=pRsR@iReb56GJ32qz8&JD+-*j=Kvm_>YRZlMP@ZB
zAYu;i7$&`vXVCLChpVz*p6@Y;62G5gCYJvn8gln&lkr;DK9>$M^?l85_nF;gd`eKw
zy<W6VO)%)Z^~jjwCvcR=XomDK+((Am_7394K>$B8H~V|x4-*e4kxoS4J|xx(%OS#a
ztEu<`dX1WgcS;|bm4FV&IeR!i?DJa=sqIK|JLoHlC@gC>`p}XtM#eaZOR{XllL4>V
z1X@v}o9xws?{Isxb_q}r^62IyO)Ww}`|3Ah<|CNdx+Udxg7te?I<Eu;<|0U88JrJ6
zpdzSF?KQrqlxJ2|e?egrI&`O%R8RJ&%AA5Lk|@NudVp-gLFvtKCKH>6AuU~cGUdl@
z{&cTym~~u!jjl5)8No`3Cc{pDe_X|<cp#Dsgg?WnqICH1GCH7*R*C$_85E|<Ud$E?
zMWOoSBHRKUfY(<N0V1iVtD%cNigCfbN5p?4+tJIjuLuJfU}-SBkP<qsX?sQ3OJOHy
z`7Sb}437FSMU(G06}_D%1|9ixve$<sQ|gC)pNi(tUYPPVv|w%<B<eDvM?Mx-;?pe)
zV-97Vh8i{;#@0*8Nc4*UHzE#`I;B9AOrb~@Qk$LnQ3+kB(;?U{r-Ix!+~N?CcC72u
zr*QBEmcl=ZilWxh3&t#Z=)r_N`ChQOLI{?JH5)h7FN8pVNyei2DGIuU7kr2=8DEng
zwqiIGe;;Yi6N%=SE)Q3xV9W}i*}Gi}SEGri07gN|UVrIVYkvgxon3KI`RdmnbI9RN
zJsNhR<L1XO2upScK7Ozr*Fb%c?X(@N4+oGC`b1pztL_fF+2^-N9%?kX-9JNohvDq3
z`U%~-zMITt2WO@xZj8flrxbeE0KY{u@G%L)bGQ^>#+Kn~i0YVlml!FHTnk^x(2J=;
zRpSi%l<A{#gc``KBmG|xT=Nm_+L!7G&l}1|OSxy??N8uO@ESR%V3zr4<<3V#N+0$x
z989V^q%5d$=Dj;~d0`+lc+{Q?4_`}KYi>xp6Ef6~e{B#qRSR?8U3L(wabw(0!R-T#
zHTr56Xd5o2J{pHOK>#@LmSO9GUe2Lke!LG+s|t`R5QL6zH46ptKqh62TgoxqjEGwP
z<&z{i%pXN+g6`Oj<;(Z}eG>Ckjx<`nLc5Y6e@>xnZ%k2FUILS{_1dc?j;WqRIb)oJ
zio8ygPHqCm3ReiJkZ6pvzkOX3M<&)e$qa(k;8e?Kv1uHhOV{o}JBXTA6q5!yjLP<e
zN<<#YR4%(Geuu#=6?^}hNy8WGgpzLO4`gH*XMnWqJ$AY~RZw%UfDgd0a*fe??LNLY
z*4720IXU0Kg11!IP&%V71!+H#Y}^5`2L`6aPNgFsS3<>XDP6yn3>>L9CbEg=cnZeS
zCh^GL`=S<W6wfjChStSi9gLu-`!_AN2=;5;@}(J%HJ-aW-2}LmT+&GYs~CVnGC0hA
z1>4wVpGL+8MJ*C1>>h(+Z^{tWf6qNkm2zAOWwiAMMc@fZ%eN1GdChL{<jvKCLFrZC
z;Y1HM01R_^m3;v|bu#evGOKcb^pz%wowm8-`n{u{^tJ(N#5h0$Je1PV$V6joh>3sA
z!eHRV2lM*Y;Dotx{7^v0Qelf=yOI0f_g$@KF5{pLn~L#!WS1X9li(BiMXvZ4qaH7d
z@+b~CRXq4Rc;u27neJxWu76kU!x7h2xLebQG3xA=yE9I%1TOh1TRrPhN!`nbEW4KQ
znW_e+FKKwAveV-4E{N6y;YWP+Y7;<+0+sEcA?<~w73rUtW(}Bp;hg%VB{ecw@NIR8
z6yI`pGK0m(^-!g`=Z~@}xM~lF%wmVe3@_3j0ZLPgVlF!17jfnMO7#zXeaS9gzSe(K
z$}||{q&{uOmX2;5pEsQO?$?XNdd07<m(&Xb+O-0s5r2yLEl`R}4XA;8!KH?2ptUy&
z_kGx~M3=%$SIi|EDfetDe~#9x-kMlk&8=4ldQw--!m?T!O4Pxa=G}2t>nHC#><Zc<
z+gR~_A2k!4(WJ@CIhm2KHbk9K`_mqC754)OCZoScxvS4CQIl3wMrM-=*Ei>rDFGJp
zQ^!v*=&F0=rCVn?A+EHyz$R-L4O;;af8>d@rTjobG=h?B@F3(%{Me3)wjMpayy&BQ
z_DE8y4v&kK>|SKjFcifkvGmoCwN8y@jwSj|FsZP8)fp0O;fV(}`Wau`gU&-a(;@yf
z%>`vzJA&ccQJiX%cT4rG*ZBII*-{#q<f*wHcBE@lzYq2J4{k>TfYo(|O!GSu@%Cl^
zC&kl05B0=8h3jEY^ae1}M8P0lzM<oHpyy9emB!eU^+EOOiMi3L;)Os_AfQLRI@4zh
zC6}m#M5XA0sz*U~O&3De{aOWAh@9P9Jp-hdeb};pe4^ysa*>;!BJA;Hys9(sRKlz+
z?&1Irb}PZ5p{lj*cKZvkGt!%mepc9c(FX`>5=w&F1E82iZ11@fe|ju{E#qBBCQBLd
z^R>P3is;<f^-(<-m|#d@l7Gx0F%Xp_w>K@^e_UD4;r<OJb&hAidy>G)t>qWYXeWxz
z9Cz7??Y}gGxVs%HY(dG6*#r9|&IKlIsx~!x*Wm2MXU8TvLKtkkXSbia+ZkweAa%*&
z1;zYDczP<a8`EkVGgjrLvwM_qREott+Ect@d`+Bx&FI!svSo}tHusZ`wC8s{@R>bR
z!LxJZOWhH>wIbGSB4T<uQhQkr9tb`6H(M1hWw1-QLnbjjOEXAQor>vj{eaTnGzPN)
z-PS&R0`H5u`vw~lBP^01sC|Q<&RqCE!(bO9<kg<LMN+9^XTgay0{=DKciyUzCOXKq
zwMp0Z`rXRE86^kC7Psx$5dt5}%`n-%ZFX~`)32YfSx~dPVG!D3xl8Q6(!6Q5Sfm(T
mT>54%^?mbAvk)=5*+m~(^y9Z}eSVb&{~79<=wxrS^Z#E_0V5ay

literal 0
HcmV?d00001

diff --git a/cli/docs/extend/images/authz_deny.png b/cli/docs/extend/images/authz_deny.png
new file mode 100644
index 0000000000000000000000000000000000000000..fa4a48584abb3db280b8226d18888cb0539de89d
GIT binary patch
literal 27099
zcmdSBbySsY*Dnf)5~8$(2q@hlA|NS9OM`Tygn}SQH&QM-Rir~Y1VN-Fln`m8B_*Xh
z_Po{i+k1awpYz`y<D4;kp21)(*1FbxU)P+!nkz&_N#+tRB`z8o+9f$zDK#`S^j7%K
z8T$hKMr?ce01b^6O-@Qe!v%fiEmk5)%kC~dt;ttGe{%^;5(e2=de&5_Vjm1cQq0=a
zrh6pCKItzLnA2~l`uT)n-ym{4FHv@bRsu6BDL(0$XSd#&-pLMLAMx`?&zWi#T%UjX
z<ZzN#t^8mhH<?eKg@J^K7X9zP`?MT_k!U!7{~dc{XrRtg&UefDU?Ts--;w{o`S){!
zv`=Wy1^*m+ag0CzTE2+>`w4>|{)(SmnBm_`vP$p%`-!N8Fx9lYaf;>N>#OjT;s1Lx
zpD;Aij7t}k<^H~tPiU0qzn?H4W4<GQ!tEme_kG~CSI+%=Q)4>u7EAvq-JEXGqk>Gi
z80oWdry&CguGZU=9&|Q?1@>}#Eo4UJn`31bFJBtT>(^}eDrlWvy=|))!rnq0)XyxV
z#^yfhxo7oI=l#R`)<md;Cd?bT-dWtQOTLAN^2EJa=*?2toJ%m$%^I$D$}iBX{8p{>
z?Q5OqQKswG{N}J(#MdY~ndle|sWyh7U|Z2E$(U+M4Nq8->25k+U*8!r>iF^gk--?F
zax(is{sU)wh4z*t!Dr@;e&^*vC^rS(87+K!>m>T|*}`QjuL*%nbHTg1a*WjRn8Wo=
zWjY>LLPL9)(!XCw<h2O>HuYiDHb(!WgPf^pdgtp~3ew?JEU$PiaG%WQCb|V(zJ}?Y
z%kfh!ynnvoSW?pGgpE&M@-1tQn&kaqg+nZS>R1}DeTg8;v8qzxgV~tF<L$-1&4C9-
z<3#Tj5;zB|$C5?d^^c#;cjlg~)g9TchO_i17<v7`?aR|-Tm5Y%@_VGhhSz1?m_;=`
zK&y3c>{&#|c2Qh#Feh32>)UpQAunIX$j7lRR*`Y)mte)jbLcG{N6trxoib-BB*ddA
zZpyEYR5%GJ+i<<S!cn&LXi$GV0^7{IC6v@HugbC~J^H%jg|9J85&iiOlplUevhuU^
zwxbe``y5Io?%DO4!|<WfTOo#8x1DIymQbr?V?L)P4fis`?jA1g*WVJjQp~?4=`@V0
ze|jYqPA$SZ{>eGv#=TI>R^!uR?-PY7+XV6U;q3cY^EtGN4WB4W4;CBQ9h_{XoH=eh
ztFLn1%Jx`q#B%suyN5d{-It@x^#YfaD6`&m>*3y%!@;J7>)yEYd7IT=M#et;E$=1`
z?yB0w1c`ZGG>Pf$zE3SMExNbhRo3>?6_-FIR)da!hNf6b>g@hoA<dJ`4z59`4Cydi
zmIrX3InL_OPDfkBWWuRNis537)WV+A(vHCjuRqy+v+Moy1sVI<r{8s>LX|;p#k}hj
zsJlh>lG>gItLLgQ#3d$LzVKctZF3x6`SCvg@sBc{jcUim^v~N%104=GEp)4%rp-O%
z3Ob=Oq3ww0P^aKEe~Kq&(N1#h8yS}J+;_q_HQ)ZB^_tZWqZ$XBb50+}Ix3ADF=EPR
zHr9WB&VyS}+0UjB&(3N$Q8RLFLHaVa@H<;rmtK><PN`{2zwbFLMHNz63iup0SqJTG
z#oAU=nMU<q@kV#=`n^m!YN<cn;bJSOy=EU?w{i5lUQd<NpgPlfAa9QRw03XeeN$lG
z#FvK2x)&vKiwoIAzS~^HL2a?uX<1?}J=>6K5Eh@Ap6-XU;uLvjtx8giyf;%WV|V4p
z3=s!GOO^eM^gyk<^YZnZmfvZ2PWC4ApDlb_<m-|o!hhHK>SjK^*s)5XVXdyn+3}WE
z(iIL}?Slv!u?dH6*imk9_XgT%ybJO)^B;a3{rm>&La&TVK+DSpWwDdYzU|D&a4Ny{
zy5miS1hFIk&2M*pmkSIO8R#v%3|fAa;+Z{Ippy}ZPh%U`Qlq^;J(WwvY@E7Nu@#U$
zQf?JfwD7AZqmWlZ?kL*(bSp(`e`z3}tp>X@Swt_6U8mQflC4#%P}j<NI{~g=UW)gr
z&ZVpTiV_n3o}(Y06tbUVnSrXnaZf*83Wx1dQlco_MH8o))=Ok!M=gteIht^X9R*J}
zBD|SvI)BbtH3i_{&fPmm6$m?C5IgI!eOmmWIQj5!x!7s+HQD)otFzM+A(wYcVa+G2
zdf0Dby~165cexC#P8E2dX0im1+{&o18Pdh~eZD%PlWbSJ6F(P@_0|AG6%~BjVOExn
zL)d)9)LRyA{qSb>^VQdW>8+n}Lchp<beJo@O6~aOwjKYsrS>?sL2MlR508JOpRC}c
z@J06<aP5?mNTN5|2s1=8L+YWv<%yjg_iawpd477$V;1N@Gw`}c9S&7N$%KGF9NqWB
z5m%*T;UDcs^IdPQDA!=S5;IfW+zi@$AJM>5#><W}6@I>wDF24P@VWQ#Mw>x2Ki54K
z#z)_hdc1t&dqhX{>b+`}&aK+C_k41;OAsFCS~q>vboYm`W5_AS0hC-)k{knEQr67R
z{=O_Xj~BY$<WSzWEim*tun=j&bE-YJs3*6&02k&CQ*ux;+7P+AarKD$mDXPuyq?p=
zhF`m*+bDLjtzJ{5J(MPtt5;bR$A|Jk#W8<~7QcK=h~E43AV*Y2yWkZ?;|TSx31#C5
z>eFza^WL*+!%xo(9al#*-E;20(R$dKc-^8SzQQko%gAt~(vC|rUn`EQZvXD#_9ETz
zLZ$O>!)x=0JIh+b;>yu_lcA(+x;my|{p-z#uWmPvOuxGM$T3p4!g|q3pP1UlwsO+z
z)5rcc*gV*S>$Jnu{uQiS36YVh<BdP}CcTFicD+wyOVx9fv`F61KQUT<zo*HTx|->-
zG3~JM*4a8Cj_rXwlp#!;p8}@iKfcYtiT4x39;AE!sM|Jc`&ULpJG=@PoiysZO+;Fe
zv)WO7{fY3$lMal}F_DC+n$};w3o&`@ENMP*wZ7ZH-5S%-Z~>n{Saz(%z=TnTaLUAj
zj9Dhw^;fchebZ*3Z_uaVak#&WYpa_+^(}q==cuWS9p>6eS1*1}4WjWHW}x477lo6$
zxz#PEx5mBFK!XZNRg7W%T3CE^!Q*pZZP!@Gqua)QJt3bOroJ+J?KggD!#)iCBoV*y
zeyFYLKwY}VQoQuZ=!g4PLz>&#^rX2-Sv3gAtz3y~NIKu%d5~({g~hmD_ChqQ9#DXK
zwsHz*p<d+&L+r?8*QlrRclvjftS9dt?bGe<mQ3DZEE@0XJ27wCAQ!@r^L7g;QdCXh
zt!tRJ3u;T2rgQmD-uQX)OW4)h&8Rh$9<7X#JnVpDEeG;}st!2Q>`cn|j@o30Y$|~+
zDzAGaKRsWatr#+V77|W&ky)Pk9!lE;9oI&an?t88^YU`O5+_cz0exlN?sEr)k!1_0
zJnY`ujGr!k*c@ii`|x<sqTcIddj%u5_=rYYe{I^1qU)VKR9s%W3E>W*L2Z>!Im=#Q
zs-gwDx1Wq;7A9;&Com{nxrXPt`|43L;kJ?cIF!A$XuKwqSj$5f=H<6Zb#r!N%C=_?
zzMo%45=;g2&}-K+S*J*^_GAR{%Q;8zn13M<F>UH6%^q5x;>ITlXnB_h5JPChuKwg<
z*xJhCaGXEI$&Zs05iXTfpIBB+`RBhUI1*V~u2#GX_4iBWvx<(>I62%YeD=(gE6Dzt
zkm)FTw(9j^swa;urjMchm3g0ec|uuNrVw&`w^1gox{FmW;_WQ}*FehzL%5Ouf-qmi
zwL94|+Agw^8<J3%7<S1Bsx))eTG|^G-%<vho*Z3_wV7*=+Zl|=Tnl-D;c>Dv<aBn|
z=!H+A=i%h+qSsidSrEHnjkfY<v5jV8Ki;4CTw?d%@W-Wi9m*vTa_J>L=g=-mJ-tgj
zLc@hV&u|f!qHo?(=J81h+oAE$o$qxP#qVoVevFTItLJ-vOz<E224M5;kAP+@e3AEL
z`1p6nekI#77hIHJndYFldiu#}dA_W5_qX?%o^%)`gUhGZ!`DouY-%WBo=ZX9pC!JY
zXXUC{_uF0@*Q*~FTW>gbNJT?0UOifAH}tjQ$>^Zkpl^1>I*sRclu~zd%V`C)uJ8Iw
zbh}p5=+?7<m%iga;r2K?+1ois>ZQUe9o=-DVacZbk(g-!|Knk9k;8j$W~kJIhKGI?
z^_O}R+k_5Zd|CS<QMa|4-7t2-{kO=tR^sJ*LUN>v%eNj6t1S2?@L&&$l|JZA(64b(
zjhH9AY>^~jpB~GiF3o+&$Hkx6dV4jbXXeiDnv5gi!R7T{|L4th(sU8Ro52BP6T21n
zy$|DA9;CMQFB$p9-+cHvXreAia2N+g&eK%Zzx?BU&UnY1$G0RwErG;UNhpt*dtMX@
zV$T9t#CEx+M^?<FT(nPLanEC46bl}|+f$c-=ha$9EJIgP^mwxFgk$lQW4=~l9ux~J
zzfXy!DMC)|4!4<-3nWI%t!5JIzUJsv+Pb|I52L(QP%^A!{NZL|tv_HU&7oqWp&za@
z(2RpgEIn6+O$IE<l!aGMcb`2T^}SV+TP)Z_Ijqe~nXl38pJiL;abSxR;Zm|DH6BJ^
zf$Gb?|4i;IBSMr{?ofDSPxy89aKv!6$?SB?%l3()-KPR=wPy4hJAoD@wRm-h@#Cxm
zlV0IMm?QOywXTX382V<4KOfvU>Ytj45L-*UGl2?I#bdwB;~7H8h`K__XPH_b>}Pcw
zMKJZ->L<;WH!kPet_o()u2s!kCbJQ1>lAS@KE#VpD?w{vK7WBIG1<R@ezU=iMmmz^
zI{7tIw@Vq!+>Kbhs>wLSjM{y93*9M|b*!-@mvc3Z3Q{<X>hvqwMo5h68iSuK_GVR&
zj~|#`!l#o$;cjGIE59l2n&=kLcyTFN-}ibf53QelOr_UyG8x|Ub&)B?`>$nxHob5X
z+P~W)i7%3wqr)T5=XXnJ`*-Dpn}YF}KNmw<L`J>$(P|~9kpr$~?YULG>=j>XI27k~
zziD4exo~(}i>=!&1`TJQ5$)cS!SFY?Y_j8Ge{17OU_>eS*r1|DpR)_%1fb9cZ<$a%
zTN@LsEo?I1-tJR=qfRYHYmM`?nY`kDM`)CIFHXbv*1D9-ECcUUB>^7I^=Pv%3i2@G
z1kj)t@dO&ZDUqU&T*55j3=>JyUhwy89tv9@P1g3$h!ig;h8i}am$*ashfiV$qZyrH
zG_^GRWrICRKB52nqoiiyRpg0(m@DlFjtY;o`^EQOf1ivFL=+F3>>PX`AfQrr&{<n8
z?MwzE{yv!&02BI8Q{z9B*w>OtyoG#~qw_H8&yz8w;C*QI@f82?QG!({7#X!Mbj1EX
z*$12cVCdF5+r<70CwWV3JPO`so2J>{q{>n*ht_6BamF<3_kvIBu<0xD59P(wPGXJ=
zHIBbCrUhpIINDies`FxuIhOn^nx(dr6XqHB!n1+w`k^}=0ZQ~2$BFE&LcHnr&U&~x
zcdpKJ;dPJF9VSKVL0?yQCIZy%MQO?j1-VH}#)i|Gv1)xY$A^+Mf7e7#4<Eok>>KOf
zPb)y2YWn}*2MOXsH-?P7;}(+LmD&@yxBx4~QwciAj#oQbOgD!(Y|Y<Kc<A;kEeNxo
z?K$wb)rk*J^gKOhzYr!oO{>xdl*X?2ft^Gy$L00sz)O8&4ZX)%fY{2+zuvHDkBtJ*
zul3={X#Dh?X<)9*)XyNALC>F2GSoP_*M-M#a_D{NKcEux8ha$_wA5dEn6sFZ9PW>W
zKWOE;G=!ZZ>gk5iSYasqyk@O<2_EAqES$*_HL_nHX%f7=Ml3geMX4g7_o&<Zlx|~V
z<1olAjl9QR8OZJOU||eG5C9W10S%8DwN)5T=h7{geSOP@F~wsugwssGUQtO$K7o_t
z-peZka;YNUQpC6rIO@f6u=2ip7T{EZ42>tBpbob!CPBl?IRJIVMv7!yhU{3EsY(v-
zslB8@xz8uNuWh*fE(W?(WLV2ear2=gOLnc%=b6^9s}9r6I0uV4Dch4p2A^iTZcjRf
ze11vJm>SJ|<GVp)9QwHn%$a(nruQmr$AuD__f|)9*6Po^R?nI)a%p=(&mFK$;56v9
z%~5)*7KBfub=!8Vq$yz99GH^O<i<=JmWZqO@F6i{q~E1$LK;JlX1_#LN&#Ye9U2kw
zz^XS>74D=Ke4qsmlV1enzQ*N7+`Ug(cS=k?J9?7~JWUn7Ov(3!<=y0((q5-ogh=+5
ztfJ!f9S&u5nF#8_K9&bXNkY%&QJ1F+jp!Pp85A@E@hCI^ZV#kM202pgJqpdK@%tIC
z*3Ftz7Fc#BFh{|%W^yyG+VkkSE1+Zq)|ELfs^w}GzV29-2hKY?YF9tdmp9WEk?=VP
z|I_}Pmq2agLAp8L=My_c(D17U`0wUYesO!tOR^S4_47<l*+k)(*-CF&fiXpcMzrK^
zyE*&S?FtiBM<_2+y$xOGNJW}X;BV;NcUQbfE97Drd#jynKEg$yzJ5f?BI~<ffJ^j+
zfS#Ct#0;*R!^xr3_{Xiej)l@ZP>HS-P)s!zkQiRJBURqo1xgg<eReddmZ!lY(&Crf
zL}utBK}1Y!K-8d%6}x2QeZl~UqRP-e7}Oac6FAwvC`A0(>{nM_R4901+BFT2b5E$c
zuT0k0?@USPQTzZ>>-g)tgmQ(&mq-aQ+2w)!oSfSG<j?RjIle1Rjer{T_91Y;Osl?Z
zH*2y!W8(-imI4W}{V9LH1U6?uAZ|7L(=XL(T<j%&L_Vyv9iRQ4Cdnyr^29wsR@KdS
zcdW+sJ)iBE_V=^Khuz5{)TBXuZeu`ocRYQo2)x%Q3U~kmYF4rgey|xT;t)Gt_g8L*
z+Z)G}>~dF3tTp@^oAbC+Lbt#!nhU4+_Z;DndM7@6X8@(w?mX}BjxNx7k2`HQUagss
z|FG*dV`7z9{xB8?U#=Gse`pUgb-}1BF}bh!S5i*>VLk2+{M*bVS4mi@LqS>U9n!v9
zpqddlm0fmmu%CdsZEwO|dBSa(<Am0BqUPh{u_{%p)v=H79hds$QY5b<lF=b!Ne*$?
zLe<yCm8KULuUsToAM-vtapRjTF_G*d!`CR-5l=ID+b)~>1f3!D!<Sf=7!<XLE^zuA
zAhZyc-vi)m@q40nbM4dbC1DfH7Zu7i2UmYo+NEd|>S~G}uS>E3YjFHMVSu0qircnH
zW6qPFeprbH$5!s{`<5bYmV}!T-p7(OX^ynSjEdjeGLN?wk{cDe5%H7z(Dw=YAwg_A
zkj!iEn{`c&c2{@shzwmiFXo$J;!^|N=qb7vO0qF^HIev`<ZuOql$`>yrP^l;O1?dj
zNAFwJ+gJRP-(~vgsV#W;i-^7DG7_y7eY&$W;1fDqNBtcHwYQfCDXtrQdOk3OhzSbS
zTk~CgYpbJ`m1AAHZGFmOPd@(qbBIhnIsdl(c&9Ky8$H^78eh-52~!Qz$cBfp5JV!&
zE0Z2uVb865GeZpBk3nixB=9_*e#zx1aHqq#{2uUD$LdRzd@8r?CdxNK`^tH4^wA+}
zZm`Dn+3Id17LB&8z`_1ZM1?yPbB;ank%`b)RLtMnQQWk%JfsOHRui^ttWISc<+Ib{
zgB{(ZBcarzlSjRu4=LKQilmd)C_dN0wp$we_>8fN^5#R7QU>g~_%}y#pr|+{y8o_y
zU{L4rV_ffGX$S<up_AJnE#q1QRt<eU88M&E4M)1doJ6&>N=~)Yvh^P2Eo<^ebEgHo
zR4aRU818PT+9C8a^du)t6fHRU?@Vr*Hvd9XH{i~=9N!>xNxd9l_r{dpImr!-Gq>OZ
zEcK*~<7cRSGM2~kV;R&YGh21uUC{}{Q12y|8-vAgT5`Ju7_$;b_kU<$?%~wT)96Wf
z+D7sr3RHw8b<~aPiC6SWjD5Xq+BEVElD$t|MK(`1+Guu2(#E+4N2%#Nv@=c1Bcg;b
zZ8|}f?R#P=9rOHQqfn40^Fs!dG5>{W(X!j8i55*L^ufE2x|2O$GUVX|%_Q=eZ8MY5
zsUDkP1`*!KcDW9BhN$3xLB?1_%=^@1yplW48q=u>6<1HR?D^eDDGe{7+MW9Gt<T9f
z$om_r&bgEMU)O#HyFa?lgqvZBbNDE@g17U`EcCl<2oXbPuITGGr1*Q<2_Wr#<aPz6
zb9)C`DbmD-xbTO62N&KVP;`>;8@Qsq<<~&o!ReCg2UPVQO{sLClcnNEH=>o7EqvUA
zeJiU^#AIr;ZQL{VxkaqVgn#icgw-~4JK(&~c&F0Hpu=3_xY#?sIUOo~wD-F*meSB`
ze6))p?X0$c#OUz`Mlz_`5@#(hiL=jQ*sk(F{(drE7jD@bz>~I^(b~26%P>KE*<VRt
ztyknR3Eh>3G;-&a;p@Zsv-B=+T7D7P+^fU1(Ir^<e3j2K((Gx?;*XZxb9X3?hi9aZ
z1P2vp=jU654B^c0OsH*boG+N8Y%xn@sNhI4jP~eaPb4giaZ1<8Xm!gqF#Wi?(R<T*
zO+W11vPUu|mk1E0-et?=<CvL;hHhhh+@4>m%&t)^rzDa#C`NL9!fd`O=#Yun8;l{5
zR9#rO#tjRciR0_DYt)yAO2@E7He@eVmZ+k%&5_gN0iviODV@+hv=1W+XsvkU+zo6u
zx3XVUjzckazoei%iMdYOgne-^EwQ@Ul3+Ek$2fvoWZO|MOFpjr78l+nV;^JstWgY$
zfGWL|*PDq6*E=;-P9xCbNx47!^;|;5kDcc#<aTK47sOMfeJC{AiI*s_#zoaCLN4?8
zy03{6Y@Tv^eeT}v_&})OTqZ8|d-N_kY#Q$(nYgN7Q1~KCRdxY3V$mE-IFdx&N44e`
zM767)mSOrkimS07Px^{VRU)s`neOERxs7;~6K~=%){XgxIP^-HK`lZ!*)b*uSn-LW
z0cy=|9N9ls{8WXSYgU8GI93i`Z-Iun>;<cApPDcn-n;N|>)W0Cv58`@tu)5`wf&!w
zbzW|$-h0Va7YUossGjy!&n4=^VN;XlzJ+t+qYVL<W`m0jO+*Nm{arTXLr&UH2MKQ)
zyqf`_W}8c7$l6)(l_S{^`woVQnTLO_hN6>kA+GzB*U{>2GHveMz*nNX)Ta5E(u{SO
zeNVY58>rd$dKjotT=mCgim!NEes?wO9(QUa_l>5BJkCs!q?k70bNr=JJ0IA+D}l1V
zFw)7%E$F>kF;pJ&LzJ-nL&?IEZyTmB>^w{h2?NQV9{}OndDQT|du)hx^{43~m9#<?
z6Zbt^RM*&YL~SZ}UX$hb&I?oT!y<u5>ooS9CdYF|yLV5$e*$uN`3H)IUxQZl?=>T7
z-|p+lD8`xMQf63_pQG^QI2V7FIZBfDu{26NkZaQT5}{pDVtb>s!5C^^i4M=4+rXbo
z(__0w#*4Uhlq=i7xHca2Njo>it+bix`vk3+a;`D=KGJe8>3~r&@rdkF20k<4`)>hJ
zSET!0Mqj9skX)w@F4=sM>bV||CwWydw`l}_nVnqKSQqEb@6|Wik^@(&xv5W0NM4c^
zfK{~=aj7Al^aOkIv{{l}@Mu%moUBKQ+gQTgY`%5$1g$0D{+@AA*M7-m=})_heKMaU
zb$q!7pN^A0aQIEZo?&brnn1lZJ%<T>f647@%U3aiJ@KVrGFf4}bzg#-FEfU|S;Zgm
zjTNOr&@kl2g^BV+xQE|-c>42h?OCoyt{SUZD~c5WT%KXA8}u!?N{@2`o)J+;6SV#K
z?!|^~iwv5e=+~0v%SPSE1EJCy8YAbx?W5qaJ!=yhvL#TkJrma9&D8`QW>tpI-Gcf_
zRzIu1|9LQl+c&mxW$$kFZhcjifM%VC>kE;j<hm%g^(l#gTy-W*a0te=K=4!n(xC-z
z+xMgLb<cs5qdmQQa<+Pjo;GY+1tq=BUuVC@IDND)zgXveaJ<#cRxVf<;tIzppUlWZ
z)mwRpn)CaI%C`IMuG}MB<W`AgGe_yNc3?`hex2C>C8WBWuHd6L5fKr|E^T`8Y}cCy
zzpu4Yi*aK;_~cUkC~26^5V0mk1bz<|zEPNzqDVSj*Y`>ET3x)_AmkI|z1B^FiIW+Q
zs9rm*@6ji(c+E!1@I8pFu%Btw3SaAHWxA}?O~aN(pPVX8(v8{MAjoof)h<pB^*VON
zlr>!J@d*yG`u7_JWsR2g#+igB!%cNnB_pkl<*)ep&j+@MNcWK2E5GLZDv+}jb<#%R
zJzT&eL>48AFna<D%#t8Ny|10WKfhKp^Q7)gl{h!kY(`Fuoqwy9d%igx;qX4n82i?j
zKEyN%5FD}bI5fYeW1mSQSv6|jctw6LlM-DiE1S}70d?|fdYuXN?DDqU6O2DAi5j6w
z=kR9dGEtxq)rjCw*e4=pUo+{)?9h0>Lr1mL1-u(q1NH5(T31`j<z?kWjeNA5yK=PT
zt7IrXk1Mh0>G5bs5zqP@!g^j^^89O~n?|CMn&I&a<^NR^rWC<c|L+g>T-#XsPZr?+
z^@;!2AEeb0yE9O1B(@N{NbG<yOXJXNl7fCDK75<-BDpVS^zkw!*r<lh8qPn;EDnPt
zX@G_Yvux!T*DX~PL^V&^+@liSXrSRW5B9fn6gUDoqyn`oI+cG~cWjo1e_%S*A@<Sp
z`-8)%r4;iPayio0bGrabiD+nO<XXZP%Ql(pO{)+5)m(SeQjJkxrK(!VW4gY{{}VMp
z&~dyW>HJsmNJJEm|4%%)XHF>Kyp}|D=Q+EM6*n)UHf3HwXO*Vu2b#|U7EB!jiC1oh
za*F6kEjUJg_*dKy*}!Gr-;}ul{=P#94H+3zh4n!6`HNS^qMhjl`U`Z_`RyjCaPC=9
zAYqAy7Z9Ad7@ldMm?WUO`+KtZ3_vI&zVNz_Q|-ep%8fZYhZE=ug)S<rDk!K%almHZ
z&=Niqwx5=2j*UD2C#3=Um-L-5`s9VLF*2c7IP%WQ9(Ez(KzY%{E9}g5$M-+%K84lA
zHTq*MPevhe3LMjG&LG!A3?dHH0(mfNEmnq0{hoqX5|6|bfCHO@VX3vxpb#$$sDa*j
zZLGII=cX%odKSYaCVr0Gy|o?(Wu#X!O!g&`dNt&6ygCY1((XnB(XjfS>WfgWHmmXK
z3VKFHd4#<v_{MQ7Bd3NI16zgXut)ZqkmGmtw~1?f-jm*EwKP02)R>{xoryd`V$6KX
zeyTcv`px&&#xX1gGv$aybX!KKv%NtId6#2~Pc6(`s9O<@7(^gHv%J0I91k71S3R23
z79g*aB5~*yD{*^jK?kWktwL7Mquqgxh0a$QadWUA=fG{Tmm?+v8M?kD?DC(g!-;8o
zF~Kk3nIN~D8&E@o(EYJz-5>R_X3~KlMROVmz3qQ-kt|c(7lYTTm%i~`pB%T-%cvPB
zwG5Jhc$=+P?S7?#O&7m5{;31}ZiHVuv|V$??hP_7-v^c>z+m;UJ4I}gr)#3ty`v{X
zX6Icw$UwXR4dmVo*6$TWh#tzSh$;%I|G7Y8e=g7sc+2?BxsFc(ozV<0JDj*Vr9mml
zq35Xx*{)@giZKF}V|x)^a1Ka1hS_yGP;9=d=OqrZt7Qh;54J(}<&*v>7x#VKjrfPq
zuFRMEbKNxV7&o993_4G^$_PDQu~crKIT$R|%X(03h{z|bG7$m4WHIO?Ut=D-w<vcJ
zwW>^L7qh8nqr|NaGDv(c$dh2SJV?8HUeNQfd?$!SOS__pclUSw+4Jimi<-d{b8xx3
zHg5;soahZGC2Yr?3tar+b#f>Nno<D=WwyRn`iB_Mc9z%*oH+G9bk2WPN6x#fC+M}g
zlNTgd(6euv)CyVmGy6vSPk(+r^CgOI=WrUtr=4Gym)(I|#03OkzU7ML!3)e*e3gFb
zDPj-4;eXQWHPNeI=kbw$`p3s-IY^#FdBOB0&bRB_;(j!{H-)}}#^Xe(5v~;QO9?(5
zC1}3t{%+Wt0TnEGesu@)S8MrQq4dcEr=MG`oE+53=Z=4M%O;*bw6WR(POl?NYNzPw
zzF8w5XMriS?RSN8KNmUflhZc_W4Vf#-k>2LpQ3{6P3C$qmte8K{_}8TktQyKn4%i0
zTjmvCzIJxzEG-;0+R5vZfnPu<qZbtwJ@4=m#ctdZT6k@q?mUZ*b$OdjaqWCGgY@gf
z-CGv~6GOv%ix!)F$Ql_ML`n3MOJgZzP^JANCi)M;sXkZPYx5BWBgp`s!Kt762CQvQ
zZLh_LVVVYscPeHz4P!3b#`ZJ$bk8EiL-b-(u0~2QdBa8Mjc&e@T*a8C4{2teRE}qh
z#m&cE5K#|6!}DVPa}<g&O{IAzJom;AN0Wb!5R__gqA<xgbZ1N3Td}bw4YQEEm$)^-
z6s4K9%A;gz9P%tnc6E^p>2yeG3`m4_7>s_?^$c5u<*+Rz4Yu=LWzgHVQLp^*F*HI&
z(R$uM1-J)lem1l1!+9ki`JT7f#ZU;<-oT$)SBm2;C})v>4(rZ~5hn+s8*ipHWH9}e
z(P4=<2B+?FyBh!iDQb}Wzu3GF=CX$f(t#d|a5A(2e$C~Z_@j*+^e)$1%V3dC`Ct5#
zi^G<|pyCNM%a?L}^^PQ?##cv#DEKK{IKl}ZcF{jcHu0yho(l;~>VJ)iKab{q_W|!V
z#;h&;1>b_oEMX|0B(84=(yYXZ;CM2kzYf{#Rp7$$8hHpby!C6bS=Z}Z76286Rsi8T
zQiA!j$5vGDyW&bE@Kk)k{&3sMJHs81ER;{=p_I&@ZGR6IAs67i*vs&W|H*6Nt<Ia9
zr$@iBV%tNAnJ{ouVjFgaL4c$)@;b;e{~FD}BBx`2H!3?$;BOUGL{?FH9lZEwEC$u(
zNTwu8@Y(zq&`S$qK@Z82v4r%(hcRlmU)L%4A19XEj_ZQFm<8347kWpB_gIy^TA8`r
z*Vni59oNQmpbcc7K+U}YEnu*oL8nMx@D;a--}5%vn;=zgf;}k*Cm|C+v6k?jaO!u6
zlrbR))}E)SP%}T?yd(ZT#G)9$xXslJ2h(_Y+hO5bVc+lJ(u`E<x?cSX>$v_xy$24n
zUyx`;92CKeUWV;@f`y8%cM&V*r<8b$4<rKep<tY^$i8LWuY$;8Rv#>T?(Y1aoRs&5
z`ynsY50NzX%Iy1Z^5BCmEn}R=eFyc&Fa=!KNuiY(Wzk%vB!M)r0J7oQWq_QU2L@*b
z?iKcT6JAG8oFE5LVb#Z|nJG)S11Fu8xENaZ63F(fJUpr(ENXWp^322wBaL`Vz-cM=
z8{LB<eQVIVg}NZ@lMnqPACy_moL3Nei;IjjjzfB$b$cv}Vc*y%=VB!@q=9uo)Z<qf
z3PMbe1f80wPkm`#U`9*&crpuao8IA+LCLu&{HU_efQBm>aY%6Tg3K^dS@b|Eq98gl
zDICe^H8L08eSzyX3waptug3>l|LHQaAc$u{8lxBTRE@uSu{T?V9!=D^W&sf@1LbdK
zZexGkc@igEt5h_Uuhh26VNPDefnC3<<S~e<l>CpGp*zNbB(4BL+8pFasQY-s$t~g`
z<nm1XH4+PiT%in@jplxq_2TUz!Pqo%-sG!8;PinSf1}ax<_Gc3064$1nEMA&^t9A>
zo)>tnlX4l3g@!G*1K#)|c6OlL(dFf5b<YmN!h#-{7NUXwfGd-n-V&P|1=&sPY>hDS
z>y&Z{oNqx+?$dV@M*1|MmZfQD5H^-=VhNYC6Q{wDC<L;0Z>aCV56~|1a(q`qOm$r*
z>pbJtQ|F|lj1F`|g1+Kp=b31{IJE~0p#6c7XI4(u=S&y&3&0UlpvIqITKJiCG=V3?
z2sf>Q`~^lm5;iN&m*BaZD_)|M$fC~ZX?t70k@*WvWA%0E$W}j6`w~%{IZLDZ?bvvA
zYL(CuwTg?<sV<RbA_R0s1!ShHglaiT*Vx{vzjl$3m6a`N`iWo^wGv|qvP#Q(ANxMo
zhQ()y4Fu(&kG&(7g?Lr-(TOZ=9`;k#TMhG|Xl$E8mDu@mG4z6W;`A{*-vZ#a+B=o&
zPo!=_<gc*dUsEe{XbL7!PgW_L$ONq5M)|D&ovQ9vYGH_~@LAoUlL_Cxa{owh4xNtn
z@u<&@ws$0f0&uoTk1<Kc(!TJxwOBrx?|cP7kn*G3PTmk7xbhjx{!v7R7gUA_>7-?$
zCws)-)IBG>J8Z@a$-G6_-{o3SJ2!maF#!5D?lYA-uW;YF@g2@!hKi}Zz5OPrkjsSh
zv7I277w*V5FZX7>tbv#augCt=J#+n{()oS(Fdc||eIA!26470khKji$jPgN2K$%R*
z)mZm=Px?Jxn?d$Mv=p}`77_UZ-HJS6=ukrVs4F~v#|H~3JG%7jX4jRhOwEJ&HZXix
z`oI&@INd4sUKCTdcu86bRjM5h_x3MAt)))4XmLIQ*>j^AmhXZqg&N4G|I&@$9ONfW
z!D!h}GSX~Bk5=BhS(6?au&^l5>K>}JtC`u-HW1Psq2mNZiUWc&2a))Cr>`7Tc1)xN
zm4xt$K+d^A_cs8#$DBwC8rvBP_0NgB>?txB+}M6;#4iw=+3!B|wPC4OhF@^RS>`(u
zlp!WewONyh4jp0z*bJ(cKjIgqB#Y_Qi*=o5XO`kp4?<rs!K<;stC<W?v7>HdNW-Hz
zm?<3>of{8t3{tQ_8H|#ImvtCn%~r5}5DM-eiu_86><bH4cu!gfDEZP#dM%IT=rmcT
z`#i-?_cKnJ-8=cI*_1E{W#JDou5!eOQsv4MJ~0<%49Cwy@Z^mkG_f1hf=@`FF@%|C
z1xEzW=;h`=C=UPl-0X!MZ7;MwX}62g_6H`OxRP&Vb<~?>er}*Uc_=$W(zFaxrqEp+
zNh%5Qr7?Qsd?w|?zC91y*A+Zz))aUER_tRnuoSHZ^5V9C^+=vI$qOXh9_eVc%L21L
zsK^T%Z#aj#5~D8`jmP)p;8O71j=4Q}DQ*hkL^c#+T6#QVBd!j>@jcjDSf-J0wY#VG
z2LNZm2hAq2nkVK)e>|1rfJc6n4$uXC4BQ`HbY3@092LR9crJCgnpJUVq%(zzzla`U
zzN7kFAfZh~6zl*OSaqVIM@@va&C*J4&>yoY1^#lsl2Bn^4CDD6Hj@XM&!3*t$Ot?A
zak?T`CML?E`8N->n3r&-D~~-9t?w{>gD0x=#~Pu54RhN$tjk{@fqJ8wnq3%fuL}_b
z8H7h)WNk{IwQu-hQLht*PW(Yn0)R{!UhzNyLVyAZ02tJCtHl8Fp?okgkRXD<&DOtJ
z{a{mMnPXK2lz*Q*1qJKeqgF8ck#498N&-*l)dbCdS&1b008^dh{(l1wp~y|MpDDBc
z`($4PC?!#tA#VyehzAzIY^$#o_V>vM*73b*hWD3RGb10lC9ESaN<0<w+uJ)#ZQ<80
z@=<<{5!XOAZQi`O1)eWhrR`wWbY(etfD@kyE%LA$nszkfeaZ-L2KiV5qf=RW^=w7X
z4G8{bLJ9=gCv4raLb*EcvmZ~?2u6o?mPLzyM_|=87Ge|$1~HRTEXZ8T^|s^Hi$=@b
zL*T&>8l7e*BX}Y1ax5;18R%C?Phym9rczE4Amp*IkdUL*fU6>TFMcsl#8=pLQx@vS
zjuC`<8KAQaI)OLTl2D(UDxwb+)M9<A5ea<5kN*$sR!ARgat7$<YX7hesTaU1HOOaw
zeS4>p&t_1O+WXiZ!Ai8(P|u?x2vLDQu_Pvvf!uxt5rh><mLCs4^S^M(99~FB2~2+m
zKn;)&EjGectX7h-vsjOhsN8g&o{1G3|DS8m7V?E~)vsJ7Md#P`09HgZ=ls$Uqv{(z
zZdZ)42ITGef7H5Hiod#L)hiXDRr(=laT4N*OS!`!6Uu{kfVlawF-*$x0D<N@xS%;@
zz8nRNb*(QT{T`)C5`@yDV1LR(cXT=i5NK%u|5J3GfAvVe7jL^sPjsR^$YaH0{l=6W
z#OJwy?d{CoyG<m^4?D%2&K%>XJX!`5DsaU+aUSnOxy_Ig_jEJOAbHep7|OuRP-1HA
z=a3F(dr(Aj{A=^7UCniH84^H-SAf=M0WcCtIDVW7zk|6bnMw~Vb0#)(P83wpHa^ul
z@Zy$K7a^Ey{_A@h2E&!d8^|Sk<v=b<&f*>oM0t_$c3cLNkfQ>p?`ZTJw3!(3Dk5fp
zEU{ch6Im`gW#;xDFSoWpQhO(sKAS(P?)D4IO;AY_MPX2&m`cb|)|lOV7UB<X@}zyQ
z!4l>9cBozLXq8}dbUvHw`b2L5q^uPo&mUopg-4#+aR?c4S=jTdatsG!v5m;3dBn@_
z(OGds$VCc!BMJiO!K&qJCNB3e<e(8IYB-=|FwW?FcB*+T+A*8Y{f7dRDX1_@F}DG;
zoaA*1T^#tdR;|#ReNz858NBaBE4@q$yhk-zI5Rh5ognSyurYnFkp7O-Qf7|f)<Spj
z5XVVja3!xxN1NUOBteSb-}Xpq_fzGcT}biHc5w8Q+M_3)(y)&1;kkiBpMoYWTw-|b
zmUXQ7SBVXiE_=YEZk`+a8#8W>&Va98-El6Wr>Fm=n1<qUx&s*EiO)^XLq{YIu)7sM
z4;n%RVK<z02GFeBgvk1m1%evTaJ+`Qu@4|1V-EZHaO@=I-)hFT)}1cR*~Zf4XnOXf
z*ViLBilOBxJpl%Wwxqwr_y1FWH<bK*I0^23xhmcuN4{o$wgS4vF2IG0+4d%+pFnwk
zavxXO&Z>zPM_TyHIpAy!zb-69f_?l2HZwaYT0=v_TR3J^%F~5-6Pp`aqRI#R4jB&H
z5Vi6plFjH$7f<D(V?K_&E;;+R#nVV+g|DWYvT|Ige%KI($ENl8GdB$jwtz1hU4eG#
zU63@GYTfrPb3e57pGo!tzeS(7@f}&K+{3OY&oAfkxiA0&n4y)B$6}g>p$!T`Lg#Dn
zJARpP!X8CJRaweODXE*Kk@S&5nCqo}vP7R8P?-+z3x3}7QP2H3K+WEDhP_`VPtQ!W
z9)y-NbCTA~y@n|ex1<y>WFm=%f9o{LH%D};%Mi^b3<CDX!`o(8=r@tpZTP0N87lT=
z%#{lQmnD8FVu(V4Jd|oigI`98Hx!X{VWHhf8)G-yN8)Yu{3ant*Ps{ABB$lPuqO}N
zG8?s9G|+6&`&ypbrF~(eAvK$=piltyd0h<X^$KnpEtGfMJjED*3z?Xm&Z?_M)i_px
zio)5jfL4uX@5|^3u3@g*??C2CJH`8DxNhl{pLe0x=<E8;L1S8f)1a;_!T<-PPwdNz
zGyMg6bTMR+IH8TOmZl&yFAMr%Jzn4v@4O?3j0~oY_PMn`Jk|+y7G`ZFk@<!PRK6(+
ztuDR~bY`z7ET}qx7hb(Z26yDF=44yQ!=0Hsq>%nbpNiuFS_w-LRWA9DgTMW;DZb$x
zzA!CIA^h(1hdU+4f4duPWN&*^Xw*sg-*&cwlbPv|X^MBW)_?)m0veu=xI9bSXfOy1
zf7)zQ92)zJ@hk}EY<{7O_%d8-mIdMZwTZ8F*`|v8cNzcmS9$_m3}otTwmoh+KJ(`X
z_dQ#kIuAk884kx^|DI5R*&0FfTl;oaEVRSc9x*{`NRM6?Y5hAF7c7Ld@1e{Bg1_w>
z!Dfs>)H8pVg!#4s0zca_)BedNDL88XxqhZ^#6h>x7v-e>pQ>;(e<DGD9pqigK#V2G
zTrrB)K%Lr~G9&Fe5^Oz<KcevZRG{hO(GP`Gq8^EkezH@|A;c1j9P63?g&BC{X_b?O
z)ygeZPaeSipb&N`0YwZEQExy<E4s#YOMa-xfB}3jw}^4*6`9b84`t#Ay#Tiz4&Cvw
z0~JHJ^x<C?pA}cs7`lxNUR1KivOQ2@R7^~*H4Zs|=#zZf-52ymbsmT_gOFHdv6v!3
zH`aXh<ly(_Ux~nAi=O@VRu9R&A@L<Vn3x%&5bHUAK^hSvR)cJE_-Y3-oR$Zp6BC&s
zZIS?D$7^%-ZP}K@^r}}BfSSq)e0a&BI~s?Q%AfO#x=eCyci2RT;A&5b%QTLl*Kw7{
zMhh9DM=S=NAQ=NB<A-};;pW56NF+i9No!i5xdR*Pab(BjTL5D$rW$<R+OOc^()0&5
zfoB(tBy<jUSM#@a=NCdg))uHdWX{hK{$EvPl|d+%%e*e~eQWXkZcuY%*iJyUYroko
zY^KcH@-3HK9q-o78|XyAju`t-8ldzoi52je_Va-}%mRURO$galFGfMi_>_6BBVh=a
z%kyyC0Vcv^A!O*d|GVx;iTluFF)IPnOC=o|Yd>Av9|&yXH4}Eb+z1l$S?+slytZQk
z63Gx|8KC<D38^oj^X^z)e&xRP9(UonX?tkR#^>(j&7|9Q$z%3y*A8=12(D$c2stfP
zWjQWes4d&u$g}*u+mg81`3lrI@c^O*4d!f4WcXl+l*jsWY>ELyPO`bu8sy{It@e6{
zK&9`?5K;U(G6$KacmxCf6PFLEhW4+5?Sm*;FeAkT$0-gd>0-}~Y-6#bm78x-x5eB=
zcb}<i*}0nPz6XhD*HZ02Jy;HUu%f)qs%yYuQcA$ZTPE4c;Pc(WEcx&tTalu8r}6bw
zWY#4*GIEOOih2RL!CjWSJwMLVH9@Rhoh=P!fvU7E?h1}q*-KtMp*;in2TANzL^oI7
z<+<brlPL!L%3g5sDj!+AeN%RKLvZdRyqsRP5>Kt$kb$$@Ncq|A56D1NvYK>L>(f@f
z*WAVqd06e%?G~hbFO&sL6-}l(p|;TSW0za?Nk3m3%ME*)D!|=N#bX+9`hjV1TPa19
z1LiN&^y|G0u1*^lazh*KO}}?hgc51VwA8T#B$J3zT`6I5?B_^$rByWXZi`^u)uq{m
zmsOR*rFFr#)CzLa3qZfFAQ3er;jR$=uO4lnJiEYg-^c=Fr;H-H-J98=@5m$f_g%oI
zt0#YFwXLCw+3HS0BrD`AeiT`}Ak~VZ7yv=&+Qo9vdpfV@!T6_+2>|dc>!G5;vPa!T
zz!{4`tVxI1TkeVX!5o<;=oPC-Nw@{Xn{5K<cs3Gr2Nfv`mxMXhZFeQNNdIH{Ox@|>
zavq3TtPpR@gGa5wNfx5+b=rJSbUGQ5QzkSQ!i-4mJD^|ZSofsA0ROz25(Yz*o<P(Q
zcdk20@cq*FG=I0H+#GhX96rxDrv@K%+!}jFBBRwgl5UzkKI~XlO2P9tTaJZA`LEK@
zr1*X0&7UP`(2&P-?3$%D)u+M4Se5ip+DEhAY7HhEl`~e1)g@}*oz}3nhLNeibr)L!
z>aNKTc6O4#b=Mjhak7qjREIPRf;7w$1Nzr5=vpmp4F>=5A7l6fbUHK4zx>A%;Xhr4
z9o7HR;0Vt$Hb?!d`CWi^GCn%#-2VGyAB4c5P(ZDb-je<bNElxw=d$#l4o1KY=-DTV
z2jlNT_z<!;KWH%y&&0Ul^V@FvYX0#>?+eAXySm~}uF4vF9WWB;;wiu?D=;C}$F!dj
zi6-;khoKw)I3iH`Q%%ij{t`u6^s8X+UByfO+giYJraSu6_n`F+L)RHGUXT6P`e42r
z>+f1+|1ZsV)BWjS1t}LH$@~_Yrvl6ma{_aFxe{8s4Yz;=PzujI`<w4oi1)#HumE+X
z4C$>kE~Vl+0Lvciu8m(^DtHCLyLc=CT(Rgt^INA8;>p6UnJ~uc03inj2r14XacGzp
z{)$ALF7^OJ%7pNNo78_)>D|%yk0JmIsv}b~Na&Y@MNLY`d5s-<Tnv=nuf)p2CRx5Q
z(CFIXRO^o=aVBk!RoEmTVF)M&tU#U;L_H6y^kIHU3pqb=?l8}l36r_JZrhfs@*(c}
z0TmaQ&QSx~i$<V5oE2ImCs}iLdZhNz!QyL*SUr-v3Z2%Fp56IBG{*3SE_`%I$rkF&
zLqB}K3OcxcU1o)7`G2wi9y)CXW#%Coc^Yz`DnaB%<_zs>HUf8_vA*1$6(hpFg-&`7
z-1B1CEM(_yg(b6wPW|}J4je@lPQ4ROB#)W&pX|wPeLPA&*>T80kDNfO$}?{CTLNuc
z3uvAuoLDs=MXHltM}>zl*-N^)+Lsei4P(>tii#TGFls^HQ~^Gvg2cDMv=~|hm~r3Y
zYjjI>9fSHC|4LzSesi}x=HebWdI7U>`gjVj?N|o{yk~B_#KfPo4|qtN`xr3%VFyhu
z&k2vM`>WwXsa{C5bms_Kpa#^30Wd{kD|tB~5)ZSrYS+ZP^bMe#rWM?O&DUe)wso!>
zMlIffyLau%5b$g@5EoP-;r9S^M{5xBm%weX2HwvKPtWr{J2mW>R+FG1t2>O0__ZBw
zf-#XIs)`X9%Ckw?J1Tieo(GBdK$qeqeWr#&#<jEpv4w#VX+p9&!3D|QfZ_TsOLiUY
zc5j)5LZP<30i>{ZemqLCDhA2jKxC(1oiTAJqf$7`VH76Rls=!hfvcAX6VaTD5#&5~
z#~~^lZ^~zHfRTGvOpavfYa1@<4;AV?I^Pw?mT(9${2B*eF+*IW6o0TC&$At?GHKbH
z4?0$%!6x|)cT_WuRnt)jR9p?vT`PMV<&aFB>2_-egI~l&JI^mN8g6X@zN2?VZde@B
z6DVT9%_LR)^j5@OOIh$RX1CO=ZM*z>lWE}wfC9I}Z_Ty#Gl9nP1K8R8VGY3xAV42(
z=H?_v!(ClssYj%F@TC>Gi)Fkwn;nY{I(NW-L0qNhT%NUdlcF760TonZO2z@0a&LCe
zw3Ny$Iv&38xw^Dah=S7?ldGQ7jwDF?Z9sCFd+R(wsQA)tOCd$HHrX2HM$^B20_(@&
z^w?G8lE+j7I*VaVmFDH7SZ39`M(%7c6)+7W#e<<z1!A+uToOgkAb~M~M{ix=+IT$l
z3p$11ZkB3>v=IB?C5RBx!ld$tX+}my+}I4AqcY(!B|tRvFmAC4TM4(_wAb<C^Ny@a
z;WTDim^!czc~q1p3{fZjV`FX1IrHX#TSIb!Zfta@S76G}!9j_8NycT(fO7?QP81+5
zfkTr^8(<Ul*knSip|=ILNx10USH;?;O<C{0VC`&bT}i;Mq4gyoOx?I2+`#)|il~I`
zo^aCJS%BPrJ=oG3+`3jnMQ?#WNnNd=y)69(h9%-*`BoXPVPh>}9Rn128(luO@ia(P
z3BsaTl0laTvGLHo_J3mifN!B79rTJ$5(YJ%?vC>s3He|Hwj~U;@tQVc`<miryRgjw
zUC)AeUo{onyFt1g2$D5^yj>5;Wt)6sa<oQStc+D?<-Zbe$$5RrPzm2Z7<ul*Jq#9d
zWmDi@?ktyWh!SU4WOx?Fv#I-|PBfq*542a6;%ANH#~-h1n1uE01B6n#nu`ny0Os#F
zkA|m<0D_V_tyFRJ0hsoDA&lDS0{T+04xL@~+y%UnBC&&6;<s3+=PP~{H_5{VLe!HV
z-roSjTPW}77S)4)@MB05Y^MrQax7O|o9@Y4QEmtH6hQcTjc|a?D0l?p2whF?lLp@8
z7JxC;GF@m1N}u1*;Kk`y+7=>SA&dhRyKVnUbK6@hg!7&=!>L^&4l2BoMb~Rh6OKwS
z1_#}W)O8B{j_m!a)nsW|FnejEGX_ya5&vxUZ9eT-4VI;R-$e<>`*w6K@E2JwZ@j=(
z+JrfKy-`v{Nn_ooFlyw+XEo;H$mru_SdcRDtXo8jR`I@Bz*vS1eg}sjQ#L*W)1}t1
z`xr^`VO`H7f_2^1Ls<;aYqU)aHo;#TaKAjh)z*fY?6E25{K)VQ0b&$Ry!mMI`NEUq
z_n>y@)Vftn7%dUJ_(mUT3L<xm>AP2|shA~$n37lRY(jmrU-hqZyZHW;h0y!l$A#oi
z46h)WGdV4d^$3HMO)K{2=O6{>sXLTUK{+}fU-x|3cwu<^y6<-)kc2D`cz5WDumiI!
zh~7UeXTCvjj_samzwS?UQl+dwWxW!5TTE(?b%`ejzvdqsn1&JJi~i9gjGai5BgK6H
z-<-p2onnzO1`E*bkZ2U+kL@3+1`nu*@@?THqVcb*3tm8lA)qH(4!Zd(GzyV&P}e0p
z5^}*M8G{bLp~dKka}z@&++>iJ{W6Y}Afh<iO<Cqr$C;Iv(=SV4{6t*;<I!M-V;b~N
z4gtiXXyVsl>d)60k*fJsv&qyjqy?uFW?|%+y0<1#0N}u5qNxNs)A!?a)q^VG`{yqm
zyIuH?(L&d1Ol;xCa`&&=E*n*oh=cqAB3KvhK78``OJ_U)PHdwG{}JNFF-q^j0zQnq
zsrU;U*Cjwb!J<VbAOSWtUjalFwEGRL@2Q-Kv9l>9WO2ae3^B%ver7#kQcR=;1JVg6
zil1YWLEmTH?+^Y%p`~mZQu6)d*$MSvge{Z*H+J2dqfC>q4CQ&r^Et5GIH(h{h&qkX
z?8<ZFGdBthAZ$hV#r=D#gag7)d@;_?7FJF~BWY#U2Sw~aWfEXkOI!7y7mviT7LCM%
z?gmZWUNZFD(PV*`wXvkfKN(u|guobHP_0n+7NTM!m<WPB%wYWw+9$B<+<-RIyT+kg
z9=W?Z+5y^a+DTG-y2!zwNy!_&KB4F#Fun!3mo42ss0-EmkG@9V^MomFPTSp=kgH<-
zmHfca^&SHwV;+3_M793e?x-Cr@E;_owFF$y8n$rW)1OV&$NL-YB5OeASLE{Hn^N?0
zcIMyMS?|Gi{<RFIT^>~RJn*X|kzu{nAMa(}3O<u2W!F}zJ=q-<N`Z@=3t#&34%mqn
zEcSoH2nooXmC$`VuP<U?L$hALE)mq?1S&*7%t80Vgt?}^e$s1U*D{3Tf$R`3AHx{7
z1S3&HWmOvABVL~MEqh^_6A(S6Z4jMB3;ZUEW2`~AGp)dLm!*1AN(BWeJvD)mGqBLJ
zTq)*0n6+Jw7y?D|0et0ylgS+@%T5q2&<pKpcEZVw&HCHx5yI2~<55CvmhfXg@?9ig
z+9KS`_T!8>7!gZ7GBg9HD&JtisxStv`Dd8!dQl9`rsN5&O3m_6@dIS=V-ZCqsHRzL
zI4+OH1as28p*?y!`ZxCNe@;+)NtwW!ufv-C{K?P>f)8%Bf&(M>{$ZE!<u%azb90zi
zlM}C0D1e8#l3-c{9yu#y^&B@o@4)OD`)%Suho^TM`<a^yY(UiM!bPuyJMbSu@21=5
zG695IId>4gvIm)YL*SfxF@zLjk!YCmzwWO1hW|dJQqsGvBDJj0Br$J8<*sS<$3VYt
z>nxhV+{gBx_5M8_O^M=)Y|<GdT!uBjN<&g*q5aPEbPF_D4{**?w$oj|-nhm9lSEfC
zt^W4tD}dNp|F!#cCZyfZz|C|zfFVTIcXYAl;7^15z=(YJgp63hb+65@Om1Q25D5?(
z2SD(PF7^P_i-MY`ejX}Zb{6&_4HuCUjBSR&W8*QSz>?mD<Uqu<!c?PA5WFS&rW`gI
zl9KQ>>4L3n{;%m4CVEI;rbR;;U8WIb2MpGGKm`svn<(lz9HAna&&)F5qF30fz$O#j
zn|Fp7&sP`)<45yD?*^<5o$1!$qvT{zrjXuFtvdZErS5Qv4bjydLu%s~d{}vyk&2Va
z>5G<aK*#^?h>~uQq_i&Z7WPp}t)KRT@}nQ!04AMn-mWA4^tH}2zM-c`SSHWl(}(tC
zkxzzL&AK$GN5U^E7M`H&K$gmRYclJ1TxmCHd%gpvRe3K+a&IGv%cg2Gs3jUOmq$8?
z6E(D4TwiqQkxB~qH2HAHmicN9;CqP-L738=140r9p^qJ~Y<J+h4&ZVqwHd(B5!9cg
zb|{M0KgzQ5jOyzE7epd-MDwYbvWgKd4t)^Xk&45wmgi%9@4S}s=D#n9!go-B*Mx%L
z&dbUuQ@m7J{>KH6Oi#99P_?wzy8m62@xQkEkty-vLwEWF)5mR(XhK(am6cY_tXT)%
zs3~4<)(&-F>St-3=!D>m<xC3Dl6I&qc06jK42%VAQ0g5CgDGaNYWp`G_J94(SpE8z
zV@0lZX*wQ_sQ$=@Cv1rS1y`>FzN)I6^zknTi*`f}h;%@*Y|}qi75q#Xme?XJx7reH
zVUm*c$$%-6-!@GY?__QTYwimm(AseFkJ+T6&KO2&O*tIeL`1>2FnHd#27AJ6Ap3Vc
zQq#gH9iu<00QwnDGs+Y*8jIS+r@iN_t}*hD^bmt-D$kStBA3dnEaiPK@~f%azKQB6
zTFJRz&S%ErfBK6c22U<|PrF7q&(M&L3G%D;m*SnQ(%;h@w(}#n|7gk0B)*ASC`+ph
zDzm%+9i6}LDTBdNOfGSuolvYx>Tj>2^`-ZgO1fGiIqK@+`Pk=JvO|nPZEv8puDwBY
z>LtO6C!wq@&32qu<{{H^$L)asQQddHQ~AgLm&|0oDcdm$;n<<<B(lnubx=l<?X6>z
ztYh!&y;s>QTU!d*LK(^4gwONteO=$b;QPbp^MjwxIoEYN_v?PWo{xDLURdqz`QJXt
zp2?&xJ{*U)b^d)@Ix&7J#r1sFx2rJh{1~<z{qHahK+^b&$|<P-$PG?}-1xu#DvFPG
zuJZNCRiu~;)J0Qa>rZ?@2S<b9`W+1SKLIqMDG`>sV=W94gNDuZ_TzeHtdh>%myNm6
z!xbjH(9K19>kCiDJfxaM#j8YpLB9kz`%)PWksp8_6TqOI@6niS{)@_Ee<s+?%mb1W
z0eZxmdus4eH<`XD*1Z(Si@TMb*d7)a&VBC)bi1E%DArl1nQ4l6{Se<boUC1!%^>j{
zZcQnmwP{G(ZPBNw_4Y7(7V}TQ{|lc7uwsHN6#JxM^n_kJ4Ie;MDL@1xRP~c)ez)*8
zn*ny);j$D^wz!&b9ab^-mlDt>_YrsatJ|K)UVidtOY>N36E6ELh>mDL#5Rv;qYerv
zVbJw~Gw-m+6(~Swz;mT$oVCOq4c4oT3oMm;C-7+gguhteACfG_j>Mz@+_G_Lq(vj8
zEvJAfR1pp!Nunjh9Per<JKiL%F})zhPoW8h0UZz<T~xe4sQv|B$8RS{-OA5zHMZI-
z?%;!5affZdZGZi5jTWyOw+8t93bueO@cJCL7hEoDj>j_sc-PGv>hqqef>2#i3|wgf
z*b)*XU95KC-<YC)PVP@dtaL=cK~|_m0qVnEFe0VTWyuGo1stxdy7nW6r|VJO-HNZj
zZqhiyTy{Mj4w+(bIWD564#n``ekvmQ>3p~+;89oZbMh_lc*jfkglDJB`KlfFQIvK@
z%q+__?P5sCBq7J;=0d*!f;531Xl$vV;nh=XgYGry^6Nf-JS4sLtHNJ5BBUt|j5~s4
z$|U4xai5T~h|0FZ5~SGWgQ%{fmi5&cWejNNvAp`|rSba8wgvDLm03G=R+n*q1xN_|
zi|GKz1bpTW(7dbq_fo+G2F*x`h}ul`(kv!`CZxXv<$pn5*gRJnzPBq#&r13YkZM>;
zU)=cjNym$`EFY2|?QmwyuK-ueaeA`%Iv<WxY#4!d5ON#9sNcltUrWwC^!nsb6|q9J
z5>oxAQ&Fp(qkjqu=_gPMUy=++dtUUg`u;I*$=w}!?d!YT5m+bu5?qx_K>ubudLPXe
z=o5_$7Mh-^g7b9BMp^0YwJ=Uy{|NM&3Y@z;gXn^eb`}9GgFqj!+Y<=ruR8x85qb)`
zPCjt=0WaA;A{-tVJdFbm$9K^&Ioo(EjZo=l3k8T-r-2`VOp>}vUbxc$sCfAZ&x!41
zLd3xG_gHP|6YVm4-~f#fw4E7`3`Lq!8_#@va6t2|HZ7wwoqnH%uv3=iQ)=I3o7vT=
zRwEdfi!v_*;->AMhBF+k4`;f%pp&m&HN|}!tz*u|G`aVr4C=S82;%w2@`5v=9+SxW
z<SzF$ZXGEaPZ%33tFIa4Dv@=lKfF{{%qA5HPV$VFonfOxc`!J-AR-z0Sfh*e(qM6%
zOt1ok?J2g^F`8Tq{Z4U#qj1*oT@);609tX!rp>(T`3nJ-B7<drg|6!fF>>R0cWCTm
zz@|tqjje&?>#al>>21Pco_UXGGYA-c+DUxgF4JR6{3Y->#bBuOf}IC3_ChqE8PSCh
z6{!&vCwvOQ=KZg`yXynk$N}~rtf%|IG73v_h_)A{a<I@Z9hj8i&~~7N**-Upx6Q_#
z0P*V^R-v_>fE<?TIa}6~FX{CWvq%9h$uSA1;hF6a7v$RJ*&anWCPRTiPcWz8<+ANr
zM-;}75=q}vA*j#$bU^6oa~;+o*84kb8E0wVdP`@)9Cn?#Ohf?&_L9nJ2<a!eB0X=D
z@Hja%rq)IlX8MddcfEyRb!itgR!utpdtaa$k8`e@weI8@Ngi?Au!Y)vFr^LfA=dqs
zL5PR6?(Tz=AQ^SI4~3zNj_!#aHsR3lwB!m&-Yk$pY=0s(Rx52_h<#rUI_ua<AcaiT
zgd^f<wA*`5#(00#zowOzho0+iQf$UF2uAeM00PnySh75?o<xbwgX*$eE3xM$w|CT^
z7rY}9PhlJ(F)8xg8#cTlU`x~-#jHNir9(zTnooQ$4rbY9L1-bUY=V?bbN%K}CG7DP
zM-D(@(!RUkR2g?v`?gz~84PsA?*m;UvNQlJ4y}UgS@6@lW5b6MBWv{dyW4-Nsa1Ma
zxDPdj!~W5`*JafmGH|w_38Tc!=kLZ)U;}W;y+bt1M6jt{c>%tF!Q7k8tV;Rr9r5J&
z+GW+~-mx{%KN$!L@`Pd=;9^WZW44Jqbgpm~+xy?k0nW2HM_?wB=P?KD%!7q=w-f~V
z>%hr%JRDi9(<}uoZ`dCQf%}U`q1mjgURr6tO1Z~|mBWpAIC&fhn(@!LD=QxY+{jDs
zez-%|@%Tcw_XCGNLhql^pDPRclp%d|QB~(3@;)KU-o<;|N;&&o#N-@`Y8whj_m;ty
zYGgas2Uv(E2lJ~##J`@=^ZH&MKFWHXra+H&+mjl3^j!LuV3EHQ(Jq?sX4O2b{>$E7
zm^*_eReMx+50g*(XtHCdFW*Vl_7)ZAWm&C8!}@bEM_OH%mcc9a4xCmMW-L|HR7Q5F
z<X-{!rTkU%1pY#aChJ-R5N`^Tv52^^{5jcqhjZjoxGkovaCCeeN*Ak#ca=8Gv0u<0
zpDph&c!rw)pgv!GH#<P}<y{Y;W14^V(E5WU@4zG0@~5djRaN2Cv$*#4$Si>rly3%{
zgkR!PJLS>`6*}vv*_(MFkHk{p>+OituLG^<>S3bvhP*t_5pE?uznem<;Qy}Df2*>7
zEqvheaF`d#a1ClCSRA~#ecwI4z6#eSau?pO?u*!UDNB<3@G;!21)llk*8KT7QiJzm
zVSR$CkBlT*IS*bK3Ub`%T2_3e6tSb#-0eI*mv6l~(a1nFd>}<)ibd3oZv#>XTzwx~
zwi^n~52Ky>t_u&#3i0}-pv>G!{?<o61ua^QnoaTr1x>qOzlmV;%-cz6rV7hO3hZnQ
z!xQsdy6QK`({ljQaLZLC*LCFh5O(}7hn(#CR`cql4$ZI`?=d81w2^$5e@1n&?52=g
z=m2VrEVqM28oRhu2NbcbohcndJ8+nH>IvQvJJrjG{S*?onOvL&ED;|s<~czwBOQMu
zsp)<5AJ2+i=wLo~txKU7beb@ez<CNrjws-DrNQE{oom44E%B4V4sP1HKD(;2{!$P8
z)0(EPq#}68rDm)HP4Pa2ilatSx<GP*fI{+jp~CH+DGsxMVtO23mZQ+aUnjLp264~|
zxBNixfI{)ZM{4CXWr}b&YBjE|O$t6CT9W*bo%?F9MhS9VL!ORPJTw~F5?cT^a`+fO
zmodJhwY6%E3@K=Q!7bz~`n9NmsG1Nm`^<iBYY@_9gT>e8BQKoGD79VP(-~6OPt;WJ
zPr~?y%B-~$iy9`{m`$KQN;od(uxh&72XyX)*5wwRWWzWksU=Ex{LbEeLha(@U+wp4
zciVv=aX?pLw8%ufe@l1kk>J$4ND5{!qJGi_tGTLDbdV2u2=iyybgKW#K}xYyVf{_d
z5oOt6;qERQ@Z4cPl4Y(0(#>6{Nio4VpN!d6+H$?}W{<Zw?;lT_>p4HY-+iCsg23-h
z&@6uS`(<Y~R_cy*^?Z@UB|2(i!Y1fa8^5u7%7e{*AS;Ee-I|dNIEa@4xyRD{CY*a2
z9oFL+K8LpUB7OtqUwy1gQS#R}>La0KkVaH#NRUt%&xnvu{4RU2+z5`&{{obsF|bb=
z3nc_bG&Rs~q$|<A!88$?mFz=}<)16KdNZ}=b}T<oJk#6B^Edl?Qc*aP*v%{9&hnT+
zgjsFvM>8m~-etE+C*k176>Zd!=5li@NKu;qB$Yq<&QJgRTC!G9E$gtMU`~4t^|k47
zarNL5ephp;KV94x1q`G;cL!M+{ciCdQnek21{*l<{(Sldos*7f57_Pf5K(`0HjE^7
zwSzo$!yFu-h*IVr{1VTsY^I5~;>VPTfl|jC8Ug9~p7$g`7Y*&ihR6A$R{aO51fo5r
zzMo_Bi0Ny^Q#Es8ZBGuNK8qjQ^psP_6H_H_58Z9pQz!z?*8%-r7w9@&$m7Ae75C(T
zu;hq^W3N@dh;`Sr6$&6q6ho=80(vp*w{(C49s*2aQsS^n)wnj)DT5wFIB@g~GIT(W
zCcBF05$vC6pSO+c{|(21qiaE~E50C_m3SR&p7)fH_U70Dkb!7n2us&g4vb3{Aq7hr
z+PEQW&vxdh1gX&oi=C(wJQ~(3GceB&jRQ~3vh$qHC9l&>Fy!moxOn}u1xrvL`cHFC
zGAg8vv+NzBQscM&wzLR7?AyB)107xCxVXMK;2GR9ZyUIrf*X<hx4fd++f?z&sT(+H
z9}Ibg`-W@3MD=Z?z+<V#X{y{vJgF^ISmJo5@r=;%*jI5sw=)!{6PY~3)XL1jZd5Es
zSf6X-{{tQ_n+k3_aNL$NO=jw9Fr{V4>M5v5$v@@JAj$K0(b^WDx*A6(#xvTZ!}PbI
zsvzr@!Nb4-pAKb?&Z;19C-d5fB^wd@$LBAEd*X70W;3Ap(n({8<0wkxq{`6J70v!P
z&5aT!#!zt7#imRLi{<woO6AE16847n30|Spv%{Hx2)*^!ik*qSKE&{tE6@qGt8eim
zMC`Uf?@gYu*CBHvLWIg<pctr&ZGWOa66u-Iq+4KGj2pub_<JR_l8Qzr2Bw{f!d^uz
zMv3c}uNX{p6_F$sTP@#~7)(9xYotY*EAw7N$udKaK(XFgtKV^QfAjtOeB9?0`OogM
zE)@J^$Q5Bc1U?BNu~ERf(>-?8OZlt*w}U(3fAx$04~|(l+CFKhNaOv;#QyHOY`yF6
zXiJjF@d7&ctP68U@Rt9Y@_{;eex^{1jD+PsDneOK5qu3~|Nngr&uIN23q>kpTm=}a
z>Z-oPMJq@)YeAK~Nev>mJ%Iw_+Y%SWa^5NS(B1pk(}@@`{H*a{vyFxEP8E_@(nMLM
z)A+GFDiW_<%>Pn6DF0|`KMUXx9hJ9261pWVa0!W4(z%K4Fst(ezxeXkH&C3BIX(4r
zN#Pl=;Ud2g;3jSTiHXOkt_=T1T0+OE#vgUo4hrZiMgShdF8~nFcbJ9)_#JH$C%`ki
zl_W7cJp@qzlAqdSg&<Zu$m&@aqSqjl%r9$Z3-2~T;y17tU>Tg>M6(UM{s17n?fL`2
zQ`z?KuL+LZiESx_$iskC!!8WK7|q<r=>b(0NSp)7^PRth=7Z>isHy2!r7XCVJD{Ao
zHA%3@c#VWD%Oo`U9Aj-qs<N%XDrO}w3C<3?py@jMRHO#JFz5u29C5y#05><l1RdOH
zpb6svO4$ADVEdxUcX!mf$v%1kd>U*p1IK{gx9p6P9h?rScNaDPFu+(3Stb?O0WX97
z0NXtQ(|aQf(vdIXokMeA@hgh@1I=C1$Kt8>Z3Z^UtMIm8(6O(LSpS~%%bvDi0Zr;w
zbv54H68G*dg>JA%Ukf6}ARGV;U_#T;YO^jdrEamIp`mvab%4tr1kHO8$WmRny*glQ
zuSHT^y727}=G+P&got|i;oe#$yr}^3Yah4fd&5AA7z&0U_gf3tOU!;uH2vbN9OBp9
zQfg9qPR?BN-maoG-{GAptf};2*jU{r5rH!oVlXDiPaTv1e*~AMj))pR!I=WlON}E>
z)$#b_w_KSzfQR&9f$BpWeAPRI88LC+2T4X_FA(OyQUs)z8@^Hk9YIAJ$xvm!PZB7F
z);klo-y`>ch*DS2kTUG)=_y7!*^gLdybKD1uvuilV=arQYwrPu<V`z;9sVkKEfCMh
zBT#|P^TB*4GkGZ{w9<W$;9y$TVWJ%&2}%GnT~`<EsWoS@X^g&1o0~4vuY$sZNiQ1s
z3Z(S>xGIPmDe*&O-3oOWl!pL4ZQqngo|(9JU_>ruvq9PBv5}L2A8(1Y`oSQzeUmoK
z3C_aAQ?Oi=3tN3CT9?ZN3JW2<4*_-5$j%~E%+bLeMyHiKG$cqsHqm(_pUykqfu$2n
z^!4v#AbO@-`$*S2V!vns91Z-ZaOaIbrb%k^q8yCDcjKu#n!SkAf+lxxS`;B%jY%tZ
z=$$n@4<&GfA09%k<BRt^2ziOJrWq5obFh^8e9d5i3K%zh4m)?thK7cTh>Rf*F+3l)
z*5)R(pK7!?9YMpH4j{Q92tt(GaNle?{Wi7JqOcdV!SVWCuZ3_Nd)Q~3jYaI;N3muR
ze7Kj@nA<03d3rh{Bh(%lQ1V>M;}*v8$c7Q}Dg{0^#AIJst?&POG*MwYabr!KaV@Q|
zVIhOH-}}?T#GaH(#)8Pyj|U}3M$K7@^K=Jk=t^pTvoJY(`*IIY&wmyc7A$;yGZpNi
zWrLlP_%1Q+Ovm9NHYPT9Gxs=WChS{eW25AGmxm7@7GGUwlco+0Nlj%m7fvb47)@*_
zE-TBsYbU`}5RFps*{>d7>HO&&IyGe)laYa@ymE_p<;EoDF?$(~60NGMOB-~wZ@Ts<
zFVnvN{d?^pR9?uAKgug5E{@}a)vK|o(NUF$&uDiZ_l?+$Gm{f7=_DNU81P*jn4T7B
zF|Cxiaf8D+GAb(Qqg5`8hklt}sh>UH(9n>Don5%Y(*3)4v!)oAencj-k`60+W+o;U
zJpVv7cKn3-sg&7{BO^UMn{-M_%7h69y)RCAK1k8WM`p-w<?}1j^n6R5?0ACE_BF*b
zsboyktE*_quHj+5F`A2)F4<};$V7;@XRa3B;xoN5H9gJqZ$oQqIkU#ki3#J4%}s@e
zk4^a;e^CyyiF<f>aR2dnZD3+TyS24t;q0u%#Kc6*G1)$|wG}t?MNCXgw>4_#)JTCV
zJjSQar1T%lnSHi)?qQM7R(Yv3ipK$M1_2WsX;+v;r-JM1t~oh7D|lqfuH$<B?FWC&
z?Gd^uU4P0{NjvQ;Zr19?clGM*jO$Pr+0*$&>viMrOop?yq{o*Jp5Kep4{aAv%Brru
zx9=t6j6*&AzOcBcTvk~bUQlqw%}RDsQ}<6HWz@;+tcAZe-?f^~PKCp>PWWbGpPvlt
z>+6>shKG|nucChaURi;CjfDL(E-H$2yNiUfkeOpr;&QfZMj!PB!bastQgKa9%}2}{
z%zR3Rjnn_?r|qw<t@X^!<&F{HUy9bjxh5qh#;)}D_x~~|UwM>IiT8{b6H46q{d<;;
ztu0$$FZnsH+i5;#W@ba?j%iqnJZ*=^W!GBWaI2NUj2h|5;qD*TJ9s1|Q>MyoOq?c5
z<qZv^iIwqv`0<jGk|6Ie;NN3W&8?!MqB!`yDRY(R3*n|E-^Su?bWKZ(adBy>c0fm#
zGZtGCpOC<_va*u*+(m(mj7+iUsfWj1Ch}lmQBlPee>uNRSJWpISBMwAGWQ#8h9yGD
z;+&j-j3B0;o12@LHp#~150@4fv%L6~g-{|+Ed9!|<K%c3!u#g#J-)^`sUW)<k<6R1
zwsk;L7WZvgtcJN!=SSq^lX|=~_~*Ind+TgnaHOQ9ie4K>$BNjL^mJWeVPTyc(VpE>
z&CShA$8x?kN%8T~>1u5xK?+i2J<8T)jo$_bxh*X%OUUEz5e*pKuCbfum!4pcAs!`D
zljrPAi?JqBA=#{VH^*^KQ@U;@DSqGM@QWZ%y+V5J-@#k&HFsUEr+1@=WH?xk>+9>o
z-v4ATd?1_>a{1j468QZMLIQgHNLvi%J88@VEcV4USqa6*0U{zIB_!CUfu+^eNP}$D
zmLC&d9q)}xHEX|rbL*8Ryph2~X{f7v+kX4nU+23(m(7a%Ha~CWY%D1$d0ttF4?fAo
zM9$mJ#L3(|sev=DGg+qVnC)(ntHT>DDlJttG&0Jy7B-?UGr$o%->*6odqE~k&O%a&
zBfWaQVu5ah32wSi{kCIsTiX>i|M1brdhNXgMzov0zwdOmH$*1Bj8l|jM^Wt)QMK>U
z=<DfmI~-7G2+YSv3*cw>EV-7fbai#n_)Jes=qyv$qFivHO`FbB)MrEGI@!-8@;UeK
z-^Abla@yPbeBDE;bH$yD@5)%Hs$R)OGQ&hzP@H%qerHBX_QyUfE*32=FaI+-I=cNW
z7>mVHV|IJB<Fj=vaStd${r+BqG7A3zx0wG$BMn`+B4j<{sP-wGgT(o&`xQChN1M*5
M+|p32P{0KI54=tH{r~^~

literal 0
HcmV?d00001

diff --git a/cli/docs/extend/index.md b/cli/docs/extend/index.md
new file mode 100644
index 00000000..4e8cae98
--- /dev/null
+++ b/cli/docs/extend/index.md
@@ -0,0 +1,263 @@
+---
+description: Develop and use a plugin with the managed plugin system
+keywords: "API, Usage, plugins, documentation, developer"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Docker Engine managed plugin system
+
+* [Installing and using a plugin](index.md#installing-and-using-a-plugin)
+* [Developing a plugin](index.md#developing-a-plugin)
+* [Debugging plugins](index.md#debugging-plugins)
+
+Docker Engine's plugin system allows you to install, start, stop, and remove
+plugins using Docker Engine.
+
+For information about the legacy plugin system available in Docker Engine 1.12
+and earlier, see [Understand legacy Docker Engine plugins](legacy_plugins.md).
+
+> **Note**: Docker Engine managed plugins are currently not supported
+on Windows daemons.
+
+## Installing and using a plugin
+
+Plugins are distributed as Docker images and can be hosted on Docker Hub or on
+a private registry.
+
+To install a plugin, use the `docker plugin install` command, which pulls the
+plugin from Docker Hub or your private registry, prompts you to grant
+permissions or capabilities if necessary, and enables the plugin.
+
+To check the status of installed plugins, use the `docker plugin ls` command.
+Plugins that start successfully are listed as enabled in the output.
+
+After a plugin is installed, you can use it as an option for another Docker
+operation, such as creating a volume.
+
+In the following example, you install the `sshfs` plugin, verify that it is
+enabled, and use it to create a volume.
+
+> **Note**: This example is intended for instructional purposes only. Once the volume is created, your SSH password to the remote host will be exposed as plaintext when inspecting the volume. You should delete the volume as soon as you are done with the example.
+
+1.  Install the `sshfs` plugin.
+
+    ```bash
+    $ docker plugin install vieux/sshfs
+
+    Plugin "vieux/sshfs" is requesting the following privileges:
+    - network: [host]
+    - capabilities: [CAP_SYS_ADMIN]
+    Do you grant the above permissions? [y/N] y
+
+    vieux/sshfs
+    ```
+
+    The plugin requests 2 privileges:
+
+    - It needs access to the `host` network.
+    - It needs the `CAP_SYS_ADMIN` capability, which allows the plugin to run
+    the `mount` command.
+
+2.  Check that the plugin is enabled in the output of `docker plugin ls`.
+
+    ```bash
+    $ docker plugin ls
+
+    ID                    NAME                  TAG                 DESCRIPTION                   ENABLED
+    69553ca1d789          vieux/sshfs           latest              the `sshfs` plugin            true
+    ```
+
+3.  Create a volume using the plugin.
+    This example mounts the `/remote` directory on host `1.2.3.4` into a
+    volume named `sshvolume`.
+
+    This volume can now be mounted into containers.
+
+    ```bash
+    $ docker volume create \
+      -d vieux/sshfs \
+      --name sshvolume \
+      -o sshcmd=user@1.2.3.4:/remote \
+      -o password=$(cat file_containing_password_for_remote_host)
+
+    sshvolume
+    ```
+4.  Verify that the volume was created successfully.
+
+    ```bash
+    $ docker volume ls
+
+    DRIVER              NAME
+    vieux/sshfs         sshvolume
+    ```
+
+5.  Start a container that uses the volume `sshvolume`.
+
+    ```bash
+    $ docker run --rm -v sshvolume:/data busybox ls /data
+
+    <content of /remote on machine 1.2.3.4>
+    ```
+
+6.  Remove the volume `sshvolume`
+    ```bash
+    docker volume rm sshvolume
+
+    sshvolume
+    ```
+To disable a plugin, use the `docker plugin disable` command. To completely
+remove it, use the `docker plugin remove` command. For other available
+commands and options, see the
+[command line reference](../reference/commandline/index.md).
+
+
+## Developing a plugin
+
+#### The rootfs directory
+The `rootfs` directory represents the root filesystem of the plugin. In this
+example, it was created from a Dockerfile:
+
+>**Note:** The `/run/docker/plugins` directory is mandatory inside of the
+plugin's filesystem for docker to communicate with the plugin.
+
+```bash
+$ git clone https://github.com/vieux/docker-volume-sshfs
+$ cd docker-volume-sshfs
+$ docker build -t rootfsimage .
+$ id=$(docker create rootfsimage true) # id was cd851ce43a403 when the image was created
+$ sudo mkdir -p myplugin/rootfs
+$ sudo docker export "$id" | sudo tar -x -C myplugin/rootfs
+$ docker rm -vf "$id"
+$ docker rmi rootfsimage
+```
+
+#### The config.json file
+
+The `config.json` file describes the plugin. See the [plugins config reference](config.md).
+
+Consider the following `config.json` file.
+
+```json
+{
+	"description": "sshFS plugin for Docker",
+	"documentation": "https://docs.docker.com/engine/extend/plugins/",
+	"entrypoint": ["/docker-volume-sshfs"],
+	"network": {
+		   "type": "host"
+		   },
+	"interface" : {
+		   "types": ["docker.volumedriver/1.0"],
+		   "socket": "sshfs.sock"
+	},
+	"linux": {
+		"capabilities": ["CAP_SYS_ADMIN"]
+	}
+}
+```
+
+This plugin is a volume driver. It requires a `host` network and the
+`CAP_SYS_ADMIN` capability. It depends upon the `/docker-volume-sshfs`
+entrypoint and uses the `/run/docker/plugins/sshfs.sock` socket to communicate
+with Docker Engine. This plugin has no runtime parameters.
+
+#### Creating the plugin
+
+A new plugin can be created by running
+`docker plugin create <plugin-name> ./path/to/plugin/data` where the plugin
+data contains a plugin configuration file `config.json` and a root filesystem
+in subdirectory `rootfs`.
+
+After that the plugin `<plugin-name>` will show up in `docker plugin ls`.
+Plugins can be pushed to remote registries with
+`docker plugin push <plugin-name>`.
+
+
+## Debugging plugins
+
+Stdout of a plugin is redirected to dockerd logs. Such entries have a
+`plugin=<ID>` suffix. Here are a few examples of commands for pluginID
+`f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62` and their
+corresponding log entries in the docker daemon logs.
+
+```bash
+$ docker plugin install tiborvass/sample-volume-plugin
+
+INFO[0036] Starting...       Found 0 volumes on startup  plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
+```
+
+```bash
+$ docker volume create -d tiborvass/sample-volume-plugin samplevol
+
+INFO[0193] Create Called...  Ensuring directory /data/samplevol exists on host...  plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
+INFO[0193] open /var/lib/docker/plugin-data/local-persist.json: no such file or directory  plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
+INFO[0193]                   Created volume samplevol with mountpoint /data/samplevol  plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
+INFO[0193] Path Called...    Returned path /data/samplevol  plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
+```
+
+```bash
+$ docker run -v samplevol:/tmp busybox sh
+
+INFO[0421] Get Called...     Found samplevol                plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
+INFO[0421] Mount Called...   Mounted samplevol              plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
+INFO[0421] Path Called...    Returned path /data/samplevol  plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
+INFO[0421] Unmount Called... Unmounted samplevol            plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62
+```
+
+#### Using docker-runc to obtain logfiles and shell into the plugin.
+
+`docker-runc`, the default docker container runtime can be used for debugging
+plugins. This is specifically useful to collect plugin logs if they are
+redirected to a file.
+
+```bash
+$ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins list
+
+ID                                                                 PID         STATUS      BUNDLE                                                                                                                                       CREATED                          OWNER
+93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25   15806       running     /run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby-plugins/93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25   2018-02-08T21:40:08.621358213Z   root
+9b4606d84e06b56df84fadf054a21374b247941c94ce405b0a261499d689d9c9   14992       running     /run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby-plugins/9b4606d84e06b56df84fadf054a21374b247941c94ce405b0a261499d689d9c9   2018-02-08T21:35:12.321325872Z   root
+c5bb4b90941efcaccca999439ed06d6a6affdde7081bb34dc84126b57b3e793d   14984       running     /run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby-plugins/c5bb4b90941efcaccca999439ed06d6a6affdde7081bb34dc84126b57b3e793d   2018-02-08T21:35:12.321288966Z   root
+```
+
+```bash
+$ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins exec 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 cat /var/log/plugin.log
+```
+
+If the plugin has a built-in shell, then exec into the plugin can be done as
+follows:
+```bash
+$ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins exec -t 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 sh
+```
+
+#### Using curl to debug plugin socket issues.
+
+To verify if the plugin API socket that the docker daemon communicates with
+is responsive, use curl. In this example, we will make API calls from the
+docker host to volume and network plugins using curl 7.47.0 to ensure that
+the plugin is listening on the said socket. For a well functioning plugin,
+these basic requests should work. Note that plugin sockets are available on the host under `/var/run/docker/plugins/<pluginID>`
+
+
+```bash
+curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/e8a37ba56fc879c991f7d7921901723c64df6b42b87e6a0b055771ecf8477a6d/plugin.sock http:/VolumeDriver.List
+
+{"Mountpoint":"","Err":"","Volumes":[{"Name":"myvol1","Mountpoint":"/data/myvol1"},{"Name":"myvol2","Mountpoint":"/data/myvol2"}],"Volume":null}
+```
+
+```bash
+curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/45e00a7ce6185d6e365904c8bcf62eb724b1fe307e0d4e7ecc9f6c1eb7bcdb70/plugin.sock http:/NetworkDriver.GetCapabilities
+
+{"Scope":"local"}
+```
+When using curl 7.5 and above, the URL should be of the form
+`http://hostname/APICall`, where `hostname` is the valid hostname where the
+plugin is installed and `APICall` is the call to the plugin API.
+
+For example, `http://localhost/VolumeDriver.List`
diff --git a/cli/docs/extend/legacy_plugins.md b/cli/docs/extend/legacy_plugins.md
new file mode 100644
index 00000000..0fd6d116
--- /dev/null
+++ b/cli/docs/extend/legacy_plugins.md
@@ -0,0 +1,104 @@
+---
+redirect_from:
+- "/engine/extend/plugins/"
+description: "How to add additional functionality to Docker with plugins extensions"
+keywords: "Examples, Usage, plugins, docker, documentation, user guide"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Use Docker Engine plugins
+
+This document describes the Docker Engine plugins generally available in Docker
+Engine. To view information on plugins managed by Docker,
+refer to [Docker Engine plugin system](index.md).
+
+You can extend the capabilities of the Docker Engine by loading third-party
+plugins. This page explains the types of plugins and provides links to several
+volume and network plugins for Docker.
+
+## Types of plugins
+
+Plugins extend Docker's functionality. They come in specific types.  For
+example, a [volume plugin](plugins_volume.md) might enable Docker
+volumes to persist across multiple Docker hosts and a
+[network plugin](plugins_network.md) might provide network plumbing.
+
+Currently Docker supports authorization, volume and network driver plugins. In the future it
+will support additional plugin types.
+
+## Installing a plugin
+
+Follow the instructions in the plugin's documentation.
+
+## Finding a plugin
+
+The sections below provide an inexhaustive overview of available plugins.
+
+<style>
+#DocumentationText  tr td:first-child { white-space: nowrap;}
+</style>
+
+### Network plugins
+
+| Plugin                                                                             | Description                                                                                                                                                                                                                                                                                                                                            |
+|:-----------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Contiv Networking](https://github.com/contiv/netplugin)                           | An open source network plugin to provide infrastructure and security policies for a multi-tenant micro services deployment, while providing an integration to physical network for non-container workload. Contiv Networking implements the remote driver and IPAM APIs available in Docker 1.9 onwards.                                               |
+| [Kuryr Network Plugin](https://github.com/openstack/kuryr)                         | A network plugin is developed as part of the OpenStack Kuryr project and implements the Docker networking (libnetwork) remote driver API by utilizing Neutron, the OpenStack networking service. It includes an IPAM driver as well.                                                                                                                   |
+| [Weave Network Plugin](https://www.weave.works/docs/net/latest/introducing-weave/) | A network plugin that creates a virtual network that connects your Docker containers - across multiple hosts or clouds and enables automatic discovery of applications. Weave networks are resilient, partition tolerant, secure and work in partially connected networks, and other adverse environments - all configured with delightful simplicity. |
+
+### Volume plugins
+
+| Plugin                                                                                             | Description                                                                                                                                                                                                                                                                                                   |
+|:---------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Azure File Storage plugin](https://github.com/Azure/azurefile-dockervolumedriver)                 | Lets you mount Microsoft [Azure File Storage](https://azure.microsoft.com/blog/azure-file-storage-now-generally-available/) shares to Docker containers as volumes using the SMB 3.0 protocol. [Learn more](https://azure.microsoft.com/blog/persistent-docker-volumes-with-azure-file-storage/).             |
+| [BeeGFS Volume Plugin](https://github.com/RedCoolBeans/docker-volume-beegfs)                       | An open source volume plugin to create persistent volumes in a BeeGFS parallel file system.                                                                                                                                                                                                                   |
+| [Blockbridge plugin](https://github.com/blockbridge/blockbridge-docker-volume)                     | A volume plugin that provides access to an extensible set of container-based persistent storage options. It supports single and multi-host Docker environments with features that include tenant isolation, automated provisioning, encryption, secure deletion, snapshots and QoS.                           |
+| [Contiv Volume Plugin](https://github.com/contiv/volplugin)                                        | An open source volume plugin that provides multi-tenant, persistent, distributed storage with intent based consumption. It has support for Ceph and NFS.                                                                                                                                                      |
+| [Convoy plugin](https://github.com/rancher/convoy)                                                 | A volume plugin for a variety of storage back-ends including device mapper and NFS. It's a simple standalone executable written in Go and provides the framework to support vendor-specific extensions such as snapshots, backups and restore.                                                                |
+| [DigitalOcean Block Storage plugin](https://github.com/omallo/docker-volume-plugin-dostorage)      | Integrates DigitalOcean's [block storage solution](https://www.digitalocean.com/products/storage/) into the Docker ecosystem by automatically attaching a given block storage volume to a DigitalOcean droplet and making the contents of the volume available to Docker containers running on that droplet.  |
+| [DRBD plugin](https://www.drbd.org/en/supported-projects/docker)                                   | A volume plugin that provides highly available storage replicated by [DRBD](https://www.drbd.org). Data written to the docker volume is replicated in a cluster of DRBD nodes.                                                                                                                                |
+| [Flocker plugin](https://github.com/ScatterHQ/flocker)                                             | A volume plugin that provides multi-host portable volumes for Docker, enabling you to run databases and other stateful containers and move them around across a cluster of machines.                                                                                                                          |
+| [Fuxi Volume Plugin](https://github.com/openstack/fuxi)                                            | A volume plugin that is developed as part of the OpenStack Kuryr project and implements the Docker volume plugin API by utilizing Cinder, the OpenStack block storage service.                                                                                                                                |
+| [gce-docker plugin](https://github.com/mcuadros/gce-docker)                                        | A volume plugin able to attach, format and mount Google Compute [persistent-disks](https://cloud.google.com/compute/docs/disks/persistent-disks).                                                                                                                                                             |
+| [GlusterFS plugin](https://github.com/calavera/docker-volume-glusterfs)                            | A volume plugin that provides multi-host volumes management for Docker using GlusterFS.                                                                                                                                                                                                                       |
+| [Horcrux Volume Plugin](https://github.com/muthu-r/horcrux)                                        | A volume plugin that allows on-demand, version controlled access to your data. Horcrux is an open-source plugin, written in Go, and supports SCP, [Minio](https://www.minio.io) and Amazon S3.                                                                                                                |
+| [HPE 3Par Volume Plugin](https://github.com/hpe-storage/python-hpedockerplugin/)                   | A volume plugin that supports HPE 3Par and StoreVirtual iSCSI storage arrays.                                                                                                                                                                                                                                 |
+| [Infinit volume plugin](https://infinit.sh/documentation/docker/volume-plugin)                     | A volume plugin that makes it easy to mount and manage Infinit volumes using Docker.                                                                                                                                                                                                                          |
+| [IPFS Volume Plugin](http://github.com/vdemeester/docker-volume-ipfs)                              | An open source volume plugin that allows using an [ipfs](https://ipfs.io/) filesystem as a volume.                                                                                                                                                                                                            |
+| [Keywhiz plugin](https://github.com/calavera/docker-volume-keywhiz)                                | A plugin that provides credentials and secret management using Keywhiz as a central repository.                                                                                                                                                                                                               |
+| [Local Persist Plugin](https://github.com/CWSpear/local-persist)                                   | A volume plugin that extends the default `local` driver's functionality by allowing you specify a mountpoint anywhere on the host, which enables the files to *always persist*, even if the volume is removed via `docker volume rm`.                                                                         |
+| [NetApp Plugin](https://github.com/NetApp/netappdvp) (nDVP)                                        | A volume plugin that provides direct integration with the Docker ecosystem for the NetApp storage portfolio. The nDVP package supports the provisioning and management of storage resources from the storage platform to Docker hosts, with a robust framework for adding additional platforms in the future. |
+| [Netshare plugin](https://github.com/ContainX/docker-volume-netshare)                              | A volume plugin that provides volume management for NFS 3/4, AWS EFS and CIFS file systems.                                                                                                                                                                                                                   |
+| [Nimble Storage Volume Plugin](https://connect.nimblestorage.com/community/app-integration/docker) | A volume plug-in that integrates with Nimble Storage Unified Flash Fabric arrays. The plug-in abstracts array volume capabilities to the Docker administrator to allow self-provisioning of secure multi-tenant volumes and clones.                                                                           |
+| [OpenStorage Plugin](https://github.com/libopenstorage/openstorage)                                | A cluster-aware volume plugin that provides volume management for file and block storage solutions.  It implements a vendor neutral specification for implementing extensions such as CoS, encryption, and snapshots. It has example drivers based on FUSE, NFS, NBD and EBS to name a few.                   |
+| [Portworx Volume Plugin](https://github.com/portworx/px-dev)                                       | A volume plugin that turns any server into a scale-out converged compute/storage node, providing container granular storage and highly available volumes across any node, using a shared-nothing storage backend that works with any docker scheduler.                                                        |
+| [Quobyte Volume Plugin](https://github.com/quobyte/docker-volume)                                  | A volume plugin that connects Docker to [Quobyte](http://www.quobyte.com/containers)'s data center file system, a general-purpose scalable and fault-tolerant storage platform.                                                                                                                               |
+| [REX-Ray plugin](https://github.com/emccode/rexray)                                                | A volume plugin which is written in Go and provides advanced storage functionality for many platforms including VirtualBox, EC2, Google Compute Engine, OpenStack, and EMC.                                                                                                                                   |
+| [Virtuozzo Storage and Ploop plugin](https://github.com/virtuozzo/docker-volume-ploop)             | A volume plugin with support for Virtuozzo Storage distributed cloud file system as well as ploop devices.                                                                                                                                                                                                    |
+| [VMware vSphere Storage Plugin](https://github.com/vmware/docker-volume-vsphere)                   | Docker Volume Driver for vSphere enables customers to address persistent storage requirements for Docker containers in vSphere environments.                                                                                                                                                                  |
+
+### Authorization plugins
+
+| Plugin                                                               | Description                                                                                                                                                                                                                                                                                                                          |
+|:---------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Casbin AuthZ Plugin](https://github.com/casbin/casbin-authz-plugin) | An authorization plugin based on [Casbin](https://github.com/casbin/casbin), which supports access control models like ACL, RBAC, ABAC. The access control model can be customized. The policy can be persisted into file or DB.                                                                                                     |
+| [HBM plugin](https://github.com/kassisol/hbm)                        | An authorization plugin that prevents from executing commands with certains parameters.                                                                                                                                                                                                                                              |
+| [Twistlock AuthZ Broker](https://github.com/twistlock/authz)         | A basic extendable authorization plugin that runs directly on the host or inside a container. This plugin allows you to define user policies that it evaluates during authorization. Basic authorization is provided if Docker daemon is started with the --tlsverify flag (username is extracted from the certificate common name). |
+
+## Troubleshooting a plugin
+
+If you are having problems with Docker after loading a plugin, ask the authors
+of the plugin for help. The Docker team may not be able to assist you.
+
+## Writing a plugin
+
+If you are interested in writing a plugin for Docker, or seeing how they work
+under the hood, see the [docker plugins reference](plugin_api.md).
diff --git a/cli/docs/extend/plugin_api.md b/cli/docs/extend/plugin_api.md
new file mode 100644
index 00000000..2a317f95
--- /dev/null
+++ b/cli/docs/extend/plugin_api.md
@@ -0,0 +1,195 @@
+---
+description: "How to write Docker plugins extensions "
+keywords: "API, Usage, plugins, documentation, developer"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Docker Plugin API
+
+Docker plugins are out-of-process extensions which add capabilities to the
+Docker Engine.
+
+This document describes the Docker Engine plugin API. To view information on
+plugins managed by Docker Engine, refer to [Docker Engine plugin system](index.md).
+
+This page is intended for people who want to develop their own Docker plugin.
+If you just want to learn about or use Docker plugins, look
+[here](legacy_plugins.md).
+
+## What plugins are
+
+A plugin is a process running on the same or a different host as the docker daemon,
+which registers itself by placing a file on the same docker host in one of the plugin
+directories described in [Plugin discovery](#plugin-discovery).
+
+Plugins have human-readable names, which are short, lowercase strings. For
+example, `flocker` or `weave`.
+
+Plugins can run inside or outside containers. Currently running them outside
+containers is recommended.
+
+## Plugin discovery
+
+Docker discovers plugins by looking for them in the plugin directory whenever a
+user or container tries to use one by name.
+
+There are three types of files which can be put in the plugin directory.
+
+* `.sock` files are UNIX domain sockets.
+* `.spec` files are text files containing a URL, such as `unix:///other.sock` or `tcp://localhost:8080`.
+* `.json` files are text files containing a full json specification for the plugin.
+
+Plugins with UNIX domain socket files must run on the same docker host, whereas
+plugins with spec or json files can run on a different host if a remote URL is specified.
+
+UNIX domain socket files must be located under `/run/docker/plugins`, whereas
+spec files can be located either under `/etc/docker/plugins` or `/usr/lib/docker/plugins`.
+
+The name of the file (excluding the extension) determines the plugin name.
+
+For example, the `flocker` plugin might create a UNIX socket at
+`/run/docker/plugins/flocker.sock`.
+
+You can define each plugin into a separated subdirectory if you want to isolate definitions from each other.
+For example, you can create the `flocker` socket under `/run/docker/plugins/flocker/flocker.sock` and only
+mount `/run/docker/plugins/flocker` inside the `flocker` container.
+
+Docker always searches for unix sockets in `/run/docker/plugins` first. It checks for spec or json files under
+`/etc/docker/plugins` and `/usr/lib/docker/plugins` if the socket doesn't exist. The directory scan stops as
+soon as it finds the first plugin definition with the given name.
+
+### JSON specification
+
+This is the JSON format for a plugin:
+
+```json
+{
+  "Name": "plugin-example",
+  "Addr": "https://example.com/docker/plugin",
+  "TLSConfig": {
+    "InsecureSkipVerify": false,
+    "CAFile": "/usr/shared/docker/certs/example-ca.pem",
+    "CertFile": "/usr/shared/docker/certs/example-cert.pem",
+    "KeyFile": "/usr/shared/docker/certs/example-key.pem"
+  }
+}
+```
+
+The `TLSConfig` field is optional and TLS will only be verified if this configuration is present.
+
+## Plugin lifecycle
+
+Plugins should be started before Docker, and stopped after Docker.  For
+example, when packaging a plugin for a platform which supports `systemd`, you
+might use [`systemd` dependencies](
+http://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=) to
+manage startup and shutdown order.
+
+When upgrading a plugin, you should first stop the Docker daemon, upgrade the
+plugin, then start Docker again.
+
+## Plugin activation
+
+When a plugin is first referred to -- either by a user referring to it by name
+(e.g.  `docker run --volume-driver=foo`) or a container already configured to
+use a plugin being started -- Docker looks for the named plugin in the plugin
+directory and activates it with a handshake. See Handshake API below.
+
+Plugins are *not* activated automatically at Docker daemon startup. Rather,
+they are activated only lazily, or on-demand, when they are needed.
+
+## Systemd socket activation
+
+Plugins may also be socket activated by `systemd`. The official [Plugins helpers](https://github.com/docker/go-plugins-helpers)
+natively supports socket activation. In order for a plugin to be socket activated it needs
+a `service` file and a `socket` file.
+
+The `service` file (for example `/lib/systemd/system/your-plugin.service`):
+
+```
+[Unit]
+Description=Your plugin
+Before=docker.service
+After=network.target your-plugin.socket
+Requires=your-plugin.socket docker.service
+
+[Service]
+ExecStart=/usr/lib/docker/your-plugin
+
+[Install]
+WantedBy=multi-user.target
+```
+The `socket` file (for example `/lib/systemd/system/your-plugin.socket`):
+
+```
+[Unit]
+Description=Your plugin
+
+[Socket]
+ListenStream=/run/docker/plugins/your-plugin.sock
+
+[Install]
+WantedBy=sockets.target
+```
+
+This will allow plugins to be actually started when the Docker daemon connects to
+the sockets they're listening on (for instance the first time the daemon uses them
+or if one of the plugin goes down accidentally).
+
+## API design
+
+The Plugin API is RPC-style JSON over HTTP, much like webhooks.
+
+Requests flow *from* the Docker daemon *to* the plugin.  So the plugin needs to
+implement an HTTP server and bind this to the UNIX socket mentioned in the
+"plugin discovery" section.
+
+All requests are HTTP `POST` requests.
+
+The API is versioned via an Accept header, which currently is always set to
+`application/vnd.docker.plugins.v1+json`.
+
+## Handshake API
+
+Plugins are activated via the following "handshake" API call.
+
+### /Plugin.Activate
+
+**Request:** empty body
+
+**Response:**
+```
+{
+    "Implements": ["VolumeDriver"]
+}
+```
+
+Responds with a list of Docker subsystems which this plugin implements.
+After activation, the plugin will then be sent events from this subsystem.
+
+Possible values are:
+
+* [`authz`](plugins_authorization.md)
+* [`NetworkDriver`](plugins_network.md)
+* [`VolumeDriver`](plugins_volume.md)
+
+
+## Plugin retries
+
+Attempts to call a method on a plugin are retried with an exponential backoff
+for up to 30 seconds. This may help when packaging plugins as containers, since
+it gives plugin containers a chance to start up before failing any user
+containers which depend on them.
+
+## Plugins helpers
+
+To ease plugins development, we're providing an `sdk` for each kind of plugins
+currently supported by Docker at [docker/go-plugins-helpers](https://github.com/docker/go-plugins-helpers).
diff --git a/cli/docs/extend/plugins_authorization.md b/cli/docs/extend/plugins_authorization.md
new file mode 100644
index 00000000..d7aa66cd
--- /dev/null
+++ b/cli/docs/extend/plugins_authorization.md
@@ -0,0 +1,259 @@
+---
+description: "How to create authorization plugins to manage access control to your Docker daemon."
+keywords: "security, authorization, authentication, docker, documentation, plugin, extend"
+redirect_from:
+- "/engine/extend/authorization/"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Access authorization plugin
+
+This document describes the Docker Engine plugins generally available in Docker
+Engine. To view information on plugins managed by Docker Engine,
+refer to [Docker Engine plugin system](index.md).
+
+Docker's out-of-the-box authorization model is all or nothing. Any user with
+permission to access the Docker daemon can run any Docker client command. The
+same is true for callers using Docker's Engine API to contact the daemon. If you
+require greater access control, you can create authorization plugins and add
+them to your Docker daemon configuration. Using an authorization plugin, a
+Docker administrator can configure granular access policies for managing access
+to the Docker daemon.
+
+Anyone with the appropriate skills can develop an authorization plugin. These
+skills, at their most basic, are knowledge of Docker, understanding of REST, and
+sound programming knowledge. This document describes the architecture, state,
+and methods information available to an authorization plugin developer.
+
+## Basic principles
+
+Docker's [plugin infrastructure](plugin_api.md) enables
+extending Docker by loading, removing and communicating with
+third-party components using a generic API. The access authorization subsystem
+was built using this mechanism.
+
+Using this subsystem, you don't need to rebuild the Docker daemon to add an
+authorization plugin.  You can add a plugin to an installed Docker daemon. You do
+need to restart the Docker daemon to add a new plugin.
+
+An authorization plugin approves or denies requests to the Docker daemon based
+on both the current authentication context and the command context. The
+authentication context contains all user details and the authentication method.
+The command context contains all the relevant request data.
+
+Authorization plugins must follow the rules described in [Docker Plugin API](plugin_api.md).
+Each plugin must reside within directories described under the
+[Plugin discovery](plugin_api.md#plugin-discovery) section.
+
+**Note**: the abbreviations `AuthZ` and `AuthN` mean authorization and authentication
+respectively.
+
+## Default user authorization mechanism
+
+If TLS is enabled in the [Docker daemon](https://docs.docker.com/engine/security/https/), the default user authorization flow extracts the user details from the certificate subject name.
+That is, the `User` field is set to the client certificate subject common name, and the `AuthenticationMethod` field is set to `TLS`.
+
+## Basic architecture
+
+You are responsible for registering your plugin as part of the Docker daemon
+startup. You can install multiple plugins and chain them together. This chain
+can be ordered. Each request to the daemon passes in order through the chain.
+Only when all the plugins grant access to the resource, is the access granted.
+
+When an HTTP request is made to the Docker daemon through the CLI or via the
+Engine API, the authentication subsystem passes the request to the installed
+authentication plugin(s). The request contains the user (caller) and command
+context. The plugin is responsible for deciding whether to allow or deny the
+request.
+
+The sequence diagrams below depict an allow and deny authorization flow:
+
+![Authorization Allow flow](images/authz_allow.png)
+
+![Authorization Deny flow](images/authz_deny.png)
+
+Each request sent to the plugin includes the authenticated user, the HTTP
+headers, and the request/response body. Only the user name and the
+authentication method used are passed to the plugin. Most importantly, no user
+credentials or tokens are passed. Finally, not all request/response bodies
+are sent to the authorization plugin. Only those request/response bodies where
+the `Content-Type` is either `text/*` or `application/json` are sent.
+
+For commands that can potentially hijack the HTTP connection (`HTTP
+Upgrade`), such as `exec`, the authorization plugin is only called for the
+initial HTTP requests. Once the plugin approves the command, authorization is
+not applied to the rest of the flow. Specifically, the streaming data is not
+passed to the authorization plugins. For commands that return chunked HTTP
+response, such as `logs` and `events`, only the HTTP request is sent to the
+authorization plugins.
+
+During request/response processing, some authorization flows might
+need to do additional queries to the Docker daemon. To complete such flows,
+plugins can call the daemon API similar to a regular user. To enable these
+additional queries, the plugin must provide the means for an administrator to
+configure proper authentication and security policies.
+
+## Docker client flows
+
+To enable and configure the authorization plugin, the plugin developer must
+support the Docker client interactions detailed in this section.
+
+### Setting up Docker daemon
+
+Enable the authorization plugin with a dedicated command line flag in the
+`--authorization-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID`
+value. This value can be the plugin’s socket or a path to a specification file.
+Authorization plugins can be loaded without restarting the daemon. Refer
+to the [`dockerd` documentation](../reference/commandline/dockerd.md#configuration-reloading) for more information.
+
+```bash
+$ dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
+```
+
+Docker's authorization subsystem supports multiple `--authorization-plugin` parameters.
+
+### Calling authorized command (allow)
+
+```bash
+$ docker pull centos
+...
+f1b10cd84249: Pull complete
+...
+```
+
+### Calling unauthorized command (deny)
+
+```bash
+$ docker pull centos
+...
+docker: Error response from daemon: authorization denied by plugin PLUGIN_NAME: volumes are not allowed.
+```
+
+### Error from plugins
+
+```bash
+$ docker pull centos
+...
+docker: Error response from daemon: plugin PLUGIN_NAME failed with error: AuthZPlugin.AuthZReq: Cannot connect to the Docker daemon. Is the docker daemon running on this host?.
+```
+
+## API schema and implementation
+
+In addition to Docker's standard plugin registration method, each plugin
+should implement the following two methods:
+
+* `/AuthZPlugin.AuthZReq` This authorize request method is called before the Docker daemon processes the client request.
+
+* `/AuthZPlugin.AuthZRes` This authorize response method is called before the response is returned from Docker daemon to the client.
+
+#### /AuthZPlugin.AuthZReq
+
+**Request**:
+
+```json
+{
+    "User":              "The user identification",
+    "UserAuthNMethod":   "The authentication method used",
+    "RequestMethod":     "The HTTP method",
+    "RequestURI":        "The HTTP request URI",
+    "RequestBody":       "Byte array containing the raw HTTP request body",
+    "RequestHeader":     "Byte array containing the raw HTTP request header as a map[string][]string "
+}
+```
+
+**Response**:
+
+```json
+{
+    "Allow": "Determined whether the user is allowed or not",
+    "Msg":   "The authorization message",
+    "Err":   "The error message if things go wrong"
+}
+```
+#### /AuthZPlugin.AuthZRes
+
+**Request**:
+
+```json
+{
+    "User":              "The user identification",
+    "UserAuthNMethod":   "The authentication method used",
+    "RequestMethod":     "The HTTP method",
+    "RequestURI":        "The HTTP request URI",
+    "RequestBody":       "Byte array containing the raw HTTP request body",
+    "RequestHeader":     "Byte array containing the raw HTTP request header as a map[string][]string",
+    "ResponseBody":      "Byte array containing the raw HTTP response body",
+    "ResponseHeader":    "Byte array containing the raw HTTP response header as a map[string][]string",
+    "ResponseStatusCode":"Response status code"
+}
+```
+
+**Response**:
+
+```json
+{
+   "Allow":              "Determined whether the user is allowed or not",
+   "Msg":                "The authorization message",
+   "Err":                "The error message if things go wrong"
+}
+```
+
+### Request authorization
+
+Each plugin must support two request authorization messages formats, one from the daemon to the plugin and then from the plugin to the daemon. The tables below detail the content expected in each message.
+
+#### Daemon -> Plugin
+
+Name                   | Type              | Description
+-----------------------|-------------------|-------------------------------------------------------
+User                   | string            | The user identification
+Authentication method  | string            | The authentication method used
+Request method         | enum              | The HTTP method (GET/DELETE/POST)
+Request URI            | string            | The HTTP request URI including API version (e.g., v.1.17/containers/json)
+Request headers        | map[string]string | Request headers as key value pairs (without the authorization header)
+Request body           | []byte            | Raw request body
+
+
+#### Plugin -> Daemon
+
+Name    | Type   | Description
+--------|--------|----------------------------------------------------------------------------------
+Allow   | bool   | Boolean value indicating whether the request is allowed or denied
+Msg     | string | Authorization message (will be returned to the client in case the access is denied)
+Err     | string | Error message (will be returned to the client in case the plugin encounter an error. The string value supplied may appear in logs, so should not include confidential information)
+
+### Response authorization
+
+The plugin must support two authorization messages formats, one from the daemon to the plugin and then from the plugin to the daemon. The tables below detail the content expected in each message.
+
+#### Daemon -> Plugin
+
+
+Name                    | Type              | Description
+----------------------- |------------------ |----------------------------------------------------
+User                    | string            | The user identification
+Authentication method   | string            | The authentication method used
+Request method          | string            | The HTTP method (GET/DELETE/POST)
+Request URI             | string            | The HTTP request URI including API version (e.g., v.1.17/containers/json)
+Request headers         | map[string]string | Request headers as key value pairs (without the authorization header)
+Request body            | []byte            | Raw request body
+Response status code    | int               | Status code from the docker daemon
+Response headers        | map[string]string | Response headers as key value pairs
+Response body           | []byte            | Raw docker daemon response body
+
+
+#### Plugin -> Daemon
+
+Name    | Type   | Description
+--------|--------|----------------------------------------------------------------------------------
+Allow   | bool   | Boolean value indicating whether the response is allowed or denied
+Msg     | string | Authorization message (will be returned to the client in case the access is denied)
+Err     | string | Error message (will be returned to the client in case the plugin encounter an error. The string value supplied may appear in logs, so should not include confidential information)
diff --git a/cli/docs/extend/plugins_graphdriver.md b/cli/docs/extend/plugins_graphdriver.md
new file mode 100644
index 00000000..d8d4531d
--- /dev/null
+++ b/cli/docs/extend/plugins_graphdriver.md
@@ -0,0 +1,403 @@
+---
+description: "How to manage image and container filesystems with external plugins"
+keywords: "Examples, Usage, storage, image, docker, data, graph, plugin, api"
+advisory: experimental
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Graphdriver plugins
+
+## Changelog
+
+### 1.13.0
+
+- Support v2 plugins
+
+# Docker graph driver plugins
+
+Docker graph driver plugins enable admins to use an external/out-of-process
+graph driver for use with Docker engine. This is an alternative to using the
+built-in storage drivers, such as aufs/overlay/devicemapper/btrfs.
+
+You need to install and enable the plugin and then restart the Docker daemon
+before using the plugin. See the following example for the correct ordering
+of steps.
+
+```
+$ docker plugin install cpuguy83/docker-overlay2-graphdriver-plugin # this command also enables the driver
+<output suppressed>
+$ pkill dockerd
+$ dockerd --experimental -s cpuguy83/docker-overlay2-graphdriver-plugin
+```
+
+# Write a graph driver plugin
+
+See the [plugin documentation](https://docs.docker.com/engine/extend/) for detailed information
+on the underlying plugin protocol.
+
+
+## Graph Driver plugin protocol
+
+If a plugin registers itself as a `GraphDriver` when activated, then it is
+expected to provide the rootfs for containers as well as image layer storage.
+
+### /GraphDriver.Init
+
+**Request**:
+```json
+{
+  "Home": "/graph/home/path",
+  "Opts": [],
+  "UIDMaps": [],
+  "GIDMaps": []
+}
+```
+
+Initialize the graph driver plugin with a home directory and array of options.
+These are passed through from the user, but the plugin is not required to parse
+or honor them.
+
+The request also includes a list of UID and GID mappings, structed as follows:
+```json
+{
+  "ContainerID": 0,
+  "HostID": 0,
+  "Size": 0
+}
+```
+
+**Response**:
+```json
+{
+  "Err": ""
+}
+```
+
+Respond with a non-empty string error if an error occurred.
+
+
+### /GraphDriver.Capabilities
+
+**Request**:
+```json
+{}
+```
+
+Get behavioral characteristics of the graph driver. If a plugin does not handle
+this request, the engine will use default values for all capabilities.
+
+**Response**:
+```json
+{
+  "ReproducesExactDiffs": false,
+}
+```
+
+Respond with values of capabilities:
+
+* **ReproducesExactDiffs** Defaults to false. Flags that this driver is capable
+of reproducing exactly equivalent diffs for read-only filesystem layers.
+
+
+### /GraphDriver.Create
+
+**Request**:
+```json
+{
+  "ID": "46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187",
+  "Parent": "2cd9c322cb78a55e8212aa3ea8425a4180236d7106938ec921d0935a4b8ca142",
+  "MountLabel": "",
+  "StorageOpt": {}
+}
+```
+
+Create a new, empty, read-only filesystem layer with the specified
+`ID`, `Parent` and `MountLabel`. If `Parent` is an empty string, there is no
+parent layer. `StorageOpt` is map of strings which indicate storage options.
+
+**Response**:
+```json
+{
+  "Err": ""
+}
+```
+
+Respond with a non-empty string error if an error occurred.
+
+### /GraphDriver.CreateReadWrite
+
+**Request**:
+```json
+{
+  "ID": "46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187",
+  "Parent": "2cd9c322cb78a55e8212aa3ea8425a4180236d7106938ec921d0935a4b8ca142",
+  "MountLabel": "",
+  "StorageOpt": {}
+}
+```
+
+Similar to `/GraphDriver.Create` but creates a read-write filesystem layer.
+
+### /GraphDriver.Remove
+
+**Request**:
+```json
+{
+  "ID": "46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187"
+}
+```
+
+Remove the filesystem layer with this given `ID`.
+
+**Response**:
+```json
+{
+  "Err": ""
+}
+```
+
+Respond with a non-empty string error if an error occurred.
+
+### /GraphDriver.Get
+
+**Request**:
+```json
+{
+  "ID": "46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187",
+  "MountLabel": ""
+}
+```
+
+Get the mountpoint for the layered filesystem referred to by the given `ID`.
+
+**Response**:
+```json
+{
+  "Dir": "/var/mygraph/46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187",
+  "Err": ""
+}
+```
+
+Respond with the absolute path to the mounted layered filesystem.
+Respond with a non-empty string error if an error occurred.
+
+### /GraphDriver.Put
+
+**Request**:
+```json
+{
+  "ID": "46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187"
+}
+```
+
+Release the system resources for the specified `ID`, such as unmounting the
+filesystem layer.
+
+**Response**:
+```json
+{
+  "Err": ""
+}
+```
+
+Respond with a non-empty string error if an error occurred.
+
+### /GraphDriver.Exists
+
+**Request**:
+```json
+{
+  "ID": "46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187"
+}
+```
+
+Determine if a filesystem layer with the specified `ID` exists.
+
+**Response**:
+```json
+{
+  "Exists": true
+}
+```
+
+Respond with a boolean for whether or not the filesystem layer with the specified
+`ID` exists.
+
+### /GraphDriver.Status
+
+**Request**:
+```json
+{}
+```
+
+Get low-level diagnostic information about the graph driver.
+
+**Response**:
+```json
+{
+  "Status": [[]]
+}
+```
+
+Respond with a 2-D array with key/value pairs for the underlying status
+information.
+
+
+### /GraphDriver.GetMetadata
+
+**Request**:
+```json
+{
+  "ID": "46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187"
+}
+```
+
+Get low-level diagnostic information about the layered filesystem with the
+with the specified `ID`
+
+**Response**:
+```json
+{
+  "Metadata": {},
+  "Err": ""
+}
+```
+
+Respond with a set of key/value pairs containing the low-level diagnostic
+information about the layered filesystem.
+Respond with a non-empty string error if an error occurred.
+
+### /GraphDriver.Cleanup
+
+**Request**:
+```json
+{}
+```
+
+Perform necessary tasks to release resources help by the plugin, such as
+unmounting all the layered file systems.
+
+**Response**:
+```json
+{
+  "Err": ""
+}
+```
+
+Respond with a non-empty string error if an error occurred.
+
+
+### /GraphDriver.Diff
+
+**Request**:
+```json
+{
+  "ID": "46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187",
+  "Parent": "2cd9c322cb78a55e8212aa3ea8425a4180236d7106938ec921d0935a4b8ca142"
+}
+```
+
+Get an archive of the changes between the filesystem layers specified by the `ID`
+and `Parent`. `Parent` may be an empty string, in which case there is no parent.
+
+**Response**:
+```
+{% raw %}
+{{ TAR STREAM }}
+{% endraw %}
+```
+
+### /GraphDriver.Changes
+
+**Request**:
+```json
+{
+  "ID": "46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187",
+  "Parent": "2cd9c322cb78a55e8212aa3ea8425a4180236d7106938ec921d0935a4b8ca142"
+}
+```
+
+Get a list of changes between the filesystem layers specified by the `ID` and
+`Parent`. If `Parent` is an empty string, there is no parent.
+
+**Response**:
+```json
+{
+  "Changes": [{}],
+  "Err": ""
+}
+```
+
+Respond with a list of changes. The structure of a change is:
+```json
+  "Path": "/some/path",
+  "Kind": 0,
+```
+
+Where the `Path` is the filesystem path within the layered filesystem that is
+changed and `Kind` is an integer specifying the type of change that occurred:
+
+- 0 - Modified
+- 1 - Added
+- 2 - Deleted
+
+Respond with a non-empty string error if an error occurred.
+
+### /GraphDriver.ApplyDiff
+
+**Request**:
+```
+{% raw %}
+{{ TAR STREAM }}
+{% endraw %}
+```
+
+Extract the changeset from the given diff into the layer with the specified `ID`
+and `Parent`
+
+**Query Parameters**:
+
+- id (required)- the `ID` of the new filesystem layer to extract the diff to
+- parent (required)- the `Parent` of the given `ID`
+
+**Response**:
+```json
+{
+  "Size": 512366,
+  "Err": ""
+}
+```
+
+Respond with the size of the new layer in bytes.
+Respond with a non-empty string error if an error occurred.
+
+### /GraphDriver.DiffSize
+
+**Request**:
+```json
+{
+  "ID": "46fe8644f2572fd1e505364f7581e0c9dbc7f14640bd1fb6ce97714fb6fc5187",
+  "Parent": "2cd9c322cb78a55e8212aa3ea8425a4180236d7106938ec921d0935a4b8ca142"
+}
+```
+
+Calculate the changes between the specified `ID`
+
+**Response**:
+```json
+{
+  "Size": 512366,
+  "Err": ""
+}
+```
+
+Respond with the size changes between the specified `ID` and `Parent`
+Respond with a non-empty string error if an error occurred.
diff --git a/cli/docs/extend/plugins_logging.md b/cli/docs/extend/plugins_logging.md
new file mode 100644
index 00000000..fbfd2197
--- /dev/null
+++ b/cli/docs/extend/plugins_logging.md
@@ -0,0 +1,219 @@
+---
+description: "Log driver plugins."
+keywords: "Examples, Usage, plugins, docker, documentation, user guide, logging"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Docker log driver plugins
+
+This document describes logging driver plugins for Docker.
+
+Logging drivers enables users to forward container logs to another service for
+processing. Docker includes several logging drivers as built-ins, however can
+never hope to support all use-cases with built-in drivers. Plugins allow Docker
+to support a wide range of logging services without requiring to embed client
+libraries for these services in the main Docker codebase. See the
+[plugin documentation](legacy_plugins.md) for more information.
+
+## Create a logging plugin
+
+The main interface for logging plugins uses the same JSON+HTTP RPC protocol used
+by other plugin types. See the
+[example](https://github.com/cpuguy83/docker-log-driver-test) plugin for a
+reference implementation of a logging plugin. The example wraps the built-in
+`jsonfilelog` log driver.
+
+## LogDriver protocol
+
+Logging plugins must register as a `LogDriver` during plugin activation. Once
+activated users can specify the plugin as a log driver.
+
+There are two HTTP endpoints that logging plugins must implement:
+
+### `/LogDriver.StartLogging`
+
+Signals to the plugin that a container is starting that the plugin should start
+receiving logs for.
+
+Logs will be streamed over the defined file in the request. On Linux this file
+is a FIFO. Logging plugins are not currently supported on Windows.
+
+**Request**:
+```json
+{
+		"File": "/path/to/file/stream",
+		"Info": {
+			"ContainerID": "123456"
+		}
+}
+```
+
+`File` is the path to the log stream that needs to be consumed. Each call to
+`StartLogging` should provide a different file path, even if it's a container
+that the plugin has already received logs for prior. The file is created by
+docker with a randomly generated name.
+
+`Info` is details about the container that's being logged. This is fairly
+free-form, but is defined by the following struct definition:
+
+```go
+type Info struct {
+	Config              map[string]string
+	ContainerID         string
+	ContainerName       string
+	ContainerEntrypoint string
+	ContainerArgs       []string
+	ContainerImageID    string
+	ContainerImageName  string
+	ContainerCreated    time.Time
+	ContainerEnv        []string
+	ContainerLabels     map[string]string
+	LogPath             string
+	DaemonName          string
+}
+```
+
+
+`ContainerID` will always be supplied with this struct, but other fields may be
+empty or missing.
+
+**Response**
+```json
+{
+	"Err": ""
+}
+```
+
+If an error occurred during this request, add an error message to the `Err` field
+in the response. If no error then you can either send an empty response (`{}`)
+or an empty value for the `Err` field.
+
+The driver should at this point be consuming log messages from the passed in file.
+If messages are unconsumed, it may cause the container to block while trying to
+write to its stdio streams.
+
+Log stream messages are encoded as protocol buffers. The protobuf definitions are
+in the
+[docker repository](https://github.com/docker/docker/blob/master/api/types/plugins/logdriver/entry.proto).
+
+Since protocol buffers are not self-delimited you must decode them from the stream
+using the following stream format:
+
+```
+[size][message]
+```
+
+Where `size` is a 4-byte big endian binary encoded uint32. `size` in this case
+defines the size of the next message. `message` is the actual log entry.
+
+A reference golang implementation of a stream encoder/decoder can be found
+[here](https://github.com/docker/docker/blob/master/api/types/plugins/logdriver/io.go)
+
+### `/LogDriver.StopLogging`
+
+Signals to the plugin to stop collecting logs from the defined file.
+Once a response is received, the file will be removed by Docker. You must make
+sure to collect all logs on the stream before responding to this request or risk
+losing log data.
+
+Requests on this endpoint does not mean that the container has been removed
+only that it has stopped.
+
+**Request**:
+```json
+{
+		"File": "/path/to/file/stream"
+}
+```
+
+**Response**:
+```json
+{
+	"Err": ""
+}
+```
+
+If an error occurred during this request, add an error message to the `Err` field
+in the response. If no error then you can either send an empty response (`{}`)
+or an empty value for the `Err` field.
+
+## Optional endpoints
+
+Logging plugins can implement two extra logging endpoints:
+
+### `/LogDriver.Capabilities`
+
+Defines the capabilities of the log driver. You must implement this endpoint for
+Docker to be able to take advantage of any of the defined capabilities.
+
+**Request**:
+```json
+{}
+```
+
+**Response**:
+```json
+{
+	"ReadLogs": true
+}
+```
+
+Supported capabilities:
+
+- `ReadLogs` - this tells Docker that the plugin is capable of reading back logs
+to clients. Plugins that report that they support `ReadLogs` must implement the
+`/LogDriver.ReadLogs` endpoint
+
+### `/LogDriver.ReadLogs`
+
+Reads back logs to the client. This is used when `docker logs <container>` is
+called.
+
+In order for Docker to use this endpoint, the plugin must specify as much when
+`/LogDriver.Capabilities` is called.
+
+
+**Request**:
+```json
+{
+	"ReadConfig": {},
+	"Info": {
+		"ContainerID": "123456"
+	}
+}
+```
+
+`ReadConfig` is the list of options for reading, it is defined with the following
+golang struct:
+
+```go
+type ReadConfig struct {
+	Since  time.Time
+	Tail   int
+	Follow bool
+}
+```
+
+- `Since` defines the oldest log that should be sent.
+- `Tail` defines the number of lines to read (e.g. like the command `tail -n 10`)
+- `Follow` signals that the client wants to stay attached to receive new log messages
+as they come in once the existing logs have been read.
+
+`Info` is the same type defined in `/LogDriver.StartLogging`. It should be used
+to determine what set of logs to read.
+
+**Response**:
+```
+{% raw %}{{ log stream }}{% endraw %}
+```
+
+The response should be the encoded log message using the same format as the
+messages that the plugin consumed from Docker.
diff --git a/cli/docs/extend/plugins_metrics.md b/cli/docs/extend/plugins_metrics.md
new file mode 100644
index 00000000..c29aeef9
--- /dev/null
+++ b/cli/docs/extend/plugins_metrics.md
@@ -0,0 +1,84 @@
+---
+description: "Metrics plugins."
+keywords: "Examples, Usage, plugins, docker, documentation, user guide, metrics"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Docker metrics collector plugins
+
+Docker exposes internal metrics based on the prometheus format. Metrics plugins
+enable accessing these metrics in a consistent way by providing a Unix
+socket at a predefined path where the plugin can scrape the metrics.
+
+> **Note**: that while the plugin interface for metrics is non-experimental, the naming
+of the metrics and metric labels is still considered experimental and may change
+in a future version.
+
+## Creating a metrics plugin
+
+You must currently set `PropagatedMount` in the plugin `config.json` to
+`/run/docker`. This allows the plugin to receive updated mounts
+(the bind-mounted socket) from Docker after the plugin is already configured.
+
+## MetricsCollector protocol
+
+Metrics plugins must register as implementing the`MetricsCollector` interface
+in `config.json`.
+
+On Unix platforms, the socket is located at `/run/docker/metrics.sock` in the
+plugin's rootfs.
+
+`MetricsCollector` must implement two endpoints:
+
+### `MetricsCollector.StartMetrics`
+
+Signals to the plugin that the metrics socket is now available for scraping
+
+**Request**
+```json
+{}
+```
+
+The request has no playload.
+
+**Response**
+```json
+{
+	"Err": ""
+}
+```
+
+If an error occurred during this request, add an error message to the `Err` field
+in the response. If no error then you can either send an empty response (`{}`)
+or an empty value for the `Err` field. Errors will only be logged.
+
+### `MetricsCollector.StopMetrics`
+
+Signals to the plugin that the metrics socket is no longer available.
+This may happen when the daemon is shutting down.
+
+**Request**
+```json
+{}
+```
+
+The request has no playload.
+
+**Response**
+```json
+{
+	"Err": ""
+}
+```
+
+If an error occurred during this request, add an error message to the `Err` field
+in the response. If no error then you can either send an empty response (`{}`)
+or an empty value for the `Err` field. Errors will only be logged.
diff --git a/cli/docs/extend/plugins_network.md b/cli/docs/extend/plugins_network.md
new file mode 100644
index 00000000..66302c5c
--- /dev/null
+++ b/cli/docs/extend/plugins_network.md
@@ -0,0 +1,78 @@
+---
+description: "Network driver plugins."
+keywords: "Examples, Usage, plugins, docker, documentation, user guide"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Docker network driver plugins
+
+This document describes Docker Engine network driver plugins generally
+available in Docker Engine. To view information on plugins
+managed by Docker Engine, refer to [Docker Engine plugin system](index.md).
+
+Docker Engine network plugins enable Engine deployments to be extended to
+support a wide range of networking technologies, such as VXLAN, IPVLAN, MACVLAN
+or something completely different. Network driver plugins are supported via the
+LibNetwork project. Each plugin is implemented as a  "remote driver" for
+LibNetwork, which shares plugin infrastructure with Engine. Effectively, network
+driver plugins are activated in the same way as other plugins, and use the same
+kind of protocol.
+
+## Network plugins and swarm mode
+
+[Legacy plugins](legacy_plugins.md) do not work in swarm mode. However,
+plugins written using the [v2 plugin system](index.md) do work in swarm mode, as
+long as they are installed on each swarm worker node.
+
+## Use network driver plugins
+
+The means of installing and running a network driver plugin depend on the
+particular plugin. So, be sure to install your plugin according to the
+instructions obtained from the plugin developer.
+
+Once running however, network driver plugins are used just like the built-in
+network drivers: by being mentioned as a driver in network-oriented Docker
+commands. For example,
+
+    $ docker network create --driver weave mynet
+
+Some network driver plugins are listed in [plugins](legacy_plugins.md)
+
+The `mynet` network is now owned by `weave`, so subsequent commands
+referring to that network will be sent to the plugin,
+
+    $ docker run --network=mynet busybox top
+
+
+## Find network plugins
+
+Network plugins are written by third parties, and are published by those
+third parties, either on
+[Docker Store](https://store.docker.com/search?category=network&q=&type=plugin)
+or on the third party's site.
+
+## Write a network plugin
+
+Network plugins implement the [Docker plugin
+API](plugin_api.md) and the network plugin protocol
+
+## Network plugin protocol
+
+The network driver protocol, in addition to the plugin activation call, is
+documented as part of libnetwork:
+[https://github.com/docker/libnetwork/blob/master/docs/remote.md](https://github.com/docker/libnetwork/blob/master/docs/remote.md).
+
+## Related Information
+
+To interact with the Docker maintainers and other interested users, see the IRC channel `#docker-network`.
+
+-  [Docker networks feature overview](https://docs.docker.com/engine/userguide/networking/)
+-  The [LibNetwork](https://github.com/docker/libnetwork) project
diff --git a/cli/docs/extend/plugins_services.md b/cli/docs/extend/plugins_services.md
new file mode 100644
index 00000000..cd94d11c
--- /dev/null
+++ b/cli/docs/extend/plugins_services.md
@@ -0,0 +1,185 @@
+---
+keywords: "API, Usage, plugins, documentation, developer"
+title: Plugins and Services
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Using Volume and Network plugins in Docker services
+
+In swarm mode, it is possible to create a service that allows for attaching
+to networks or mounting volumes that are backed by plugins. Swarm schedules
+services based on plugin availability on a node.
+
+
+### Volume plugins
+
+In this example, a volume plugin is installed on a swarm worker and a volume
+is created using the plugin. In the manager, a service is created with the
+relevant mount options. It can be observed that the service is scheduled to
+run on the worker node with the said volume plugin and volume. Note that,
+node1 is the manager and node2 is the worker.
+
+1.  Prepare manager. In node 1:
+
+    ```bash
+    $ docker swarm init
+    Swarm initialized: current node (dxn1zf6l61qsb1josjja83ngz) is now a manager.
+    ```
+
+2. Join swarm, install plugin and create volume on worker. In node 2:
+
+    ```bash
+    $ docker swarm join \
+    --token SWMTKN-1-49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv-8vxv8rssmk743ojnwacrr2e7c \
+    192.168.99.100:2377
+    ```
+
+    ```bash
+    $ docker plugin install tiborvass/sample-volume-plugin
+    latest: Pulling from tiborvass/sample-volume-plugin
+    eb9c16fbdc53: Download complete
+    Digest: sha256:00b42de88f3a3e0342e7b35fa62394b0a9ceb54d37f4c50be5d3167899994639
+    Status: Downloaded newer image for tiborvass/sample-volume-plugin:latest
+    Installed plugin tiborvass/sample-volume-plugin
+    ```
+
+    ```bash
+    $ docker volume create -d tiborvass/sample-volume-plugin --name pluginVol
+    ```
+
+3. Create a service using the plugin and volume. In node1:
+
+    ```bash
+    $ docker service create --name my-service --mount type=volume,volume-driver=tiborvass/sample-volume-plugin,source=pluginVol,destination=/tmp busybox top
+
+    $ docker service ls
+    z1sj8bb8jnfn  my-service   replicated  1/1       busybox:latest
+    ```
+    docker service ls shows service 1 instance of service running.
+
+4. Observe the task getting scheduled in node 2:
+
+    ```bash
+    {% raw %}
+    $ docker ps --format '{{.ID}}\t {{.Status}} {{.Names}} {{.Command}}'
+    83fc1e842599     Up 2 days my-service.1.9jn59qzn7nbc3m0zt1hij12xs "top"
+    {% endraw %}
+    ```
+
+### Network plugins
+
+In this example, a global scope network plugin is installed on both the
+swarm manager and worker. A service is created with replicated instances
+using the installed plugin. We will observe how the availability of the
+plugin determines network creation and container scheduling.
+
+Note that node1 is the manager and node2 is the worker.
+
+
+1. Install a global scoped network plugin on both manager and worker. On node1
+   and node2:
+
+    ```bash
+    $ docker plugin install bboreham/weave2
+    Plugin "bboreham/weave2" is requesting the following privileges:
+    - network: [host]
+    - capabilities: [CAP_SYS_ADMIN CAP_NET_ADMIN]
+    Do you grant the above permissions? [y/N] y
+    latest: Pulling from bboreham/weave2
+    7718f575adf7: Download complete
+    Digest: sha256:2780330cc15644b60809637ee8bd68b4c85c893d973cb17f2981aabfadfb6d72
+    Status: Downloaded newer image for bboreham/weave2:latest
+    Installed plugin bboreham/weave2
+    ```
+
+2. Create a network using plugin on manager. On node1:
+
+    ```bash
+    $ docker network create --driver=bboreham/weave2:latest globalnet
+
+    $ docker network ls
+    NETWORK ID          NAME                DRIVER                   SCOPE
+    qlj7ueteg6ly        globalnet           bboreham/weave2:latest   swarm
+    ```
+
+3. Create a service on the manager and have replicas set to 8. Observe that
+containers get scheduled on both manager and worker.
+
+    On node 1:
+
+    ```bash
+    $ docker service create --network globalnet --name myservice --replicas=8 mrjana/simpleweb simpleweb
+w90drnfzw85nygbie9kb89vpa
+    ```
+
+    ```bash
+    $ docker ps
+    CONTAINER ID        IMAGE                                                                                      COMMAND             CREATED             STATUS              PORTS               NAMES
+    87520965206a        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         5 seconds ago       Up 4 seconds                            myservice.4.ytdzpktmwor82zjxkh118uf1v
+    15e24de0f7aa        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         5 seconds ago       Up 4 seconds                            myservice.2.kh7a9n3iauq759q9mtxyfs9hp
+    c8c8f0144cdc        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         5 seconds ago       Up 4 seconds                            myservice.6.sjhpj5gr3xt33e3u2jycoj195
+    2e8e4b2c5c08        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         5 seconds ago       Up 4 seconds                            myservice.8.2z29zowsghx66u2velublwmrh
+    ```
+
+    On node 2:
+
+    ```bash
+    $ docker ps
+    CONTAINER ID        IMAGE                                                                                      COMMAND             CREATED             STATUS                  PORTS               NAMES
+    53c0ae7c1dae        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         2 seconds ago       Up Less than a second                       myservice.7.x44tvvdm3iwkt9kif35f7ykz1
+    9b56c627fee0        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         2 seconds ago       Up Less than a second                       myservice.1.x7n1rm6lltw5gja3ueikze57q
+    d4f5927ba52c        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         2 seconds ago       Up 1 second                                 myservice.5.i97bfo9uc6oe42lymafs9rz6k
+    478c0d395bd7        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         2 seconds ago       Up Less than a second                       myservice.3.yr7nkffa48lff1vrl2r1m1ucs
+    ```
+
+4. Scale down the number of instances. On node1:
+
+    ```bash
+    $ docker service scale myservice=0
+    myservice scaled to 0
+    ```
+
+5. Disable and uninstall the plugin on the worker. On node2:
+
+    ```bash
+    $ docker plugin rm -f bboreham/weave2
+    bboreham/weave2
+    ```
+
+6. Scale up the number of instances again. Observe that all containers are
+scheduled on the master and not on the worker, because the plugin is not available on the worker anymore.
+
+    On node 1:
+
+    ```bash
+    $ docker service scale myservice=8
+    myservice scaled to 8
+    ```
+
+    ```bash
+    $ docker ps
+    CONTAINER ID        IMAGE                                                                                      COMMAND             CREATED             STATUS              PORTS               NAMES
+    cf4b0ec2415e        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         39 seconds ago      Up 36 seconds                           myservice.3.r7p5o208jmlzpcbm2ytl3q6n1
+    57c64a6a2b88        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         39 seconds ago      Up 36 seconds                           myservice.4.dwoezsbb02ccstkhlqjy2xe7h
+    3ac68cc4e7b8        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         39 seconds ago      Up 35 seconds                           myservice.5.zx4ezdrm2nwxzkrwnxthv0284
+    006c3cb318fc        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         39 seconds ago      Up 36 seconds                           myservice.8.q0e3umt19y3h3gzo1ty336k5r
+    dd2ffebde435        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         39 seconds ago      Up 36 seconds                           myservice.7.a77y3u22prjipnrjg7vzpv3ba
+    a86c74d8b84b        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         39 seconds ago      Up 36 seconds                           myservice.6.z9nbn14bagitwol1biveeygl7
+    2846a7850ba0        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         39 seconds ago      Up 37 seconds                           myservice.2.ypufz2eh9fyhppgb89g8wtj76
+    e2ec01efcd8a        mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4   "simpleweb"         39 seconds ago      Up 38 seconds                           myservice.1.8w7c4ttzr6zcb9sjsqyhwp3yl
+    ```
+
+    On node 2:
+
+    ```bash
+    $ docker ps
+    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+    ```
diff --git a/cli/docs/extend/plugins_volume.md b/cli/docs/extend/plugins_volume.md
new file mode 100644
index 00000000..b9a71390
--- /dev/null
+++ b/cli/docs/extend/plugins_volume.md
@@ -0,0 +1,359 @@
+---
+description: "How to manage data with external volume plugins"
+keywords: "Examples, Usage, volume, docker, data, volumes, plugin, api"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Docker volume plugins
+
+Docker Engine volume plugins enable Engine deployments to be integrated with
+external storage systems such as Amazon EBS, and enable data volumes to persist
+beyond the lifetime of a single Docker host. See the
+[plugin documentation](legacy_plugins.md) for more information.
+
+## Changelog
+
+### 1.13.0
+
+- If used as part of the v2 plugin architecture, mountpoints that are part of
+  paths returned by the plugin must be mounted under the directory specified by
+  `PropagatedMount` in the plugin configuration
+  ([#26398](https://github.com/docker/docker/pull/26398))
+
+### 1.12.0
+
+- Add `Status` field to `VolumeDriver.Get` response
+  ([#21006](https://github.com/docker/docker/pull/21006#))
+- Add `VolumeDriver.Capabilities` to get capabilities of the volume driver
+  ([#22077](https://github.com/docker/docker/pull/22077))
+
+### 1.10.0
+
+- Add `VolumeDriver.Get` which gets the details about the volume
+  ([#16534](https://github.com/docker/docker/pull/16534))
+- Add `VolumeDriver.List` which lists all volumes owned by the driver
+  ([#16534](https://github.com/docker/docker/pull/16534))
+
+### 1.8.0
+
+- Initial support for volume driver plugins
+  ([#14659](https://github.com/docker/docker/pull/14659))
+
+## Command-line changes
+
+To give a container access to a volume, use the `--volume` and `--volume-driver`
+flags on the `docker container run` command.  The `--volume` (or `-v`) flag
+accepts a volume name and path on the host, and the `--volume-driver` flag
+accepts a driver type.
+
+```bash
+$ docker volume create --driver=flocker volumename
+
+$ docker container run -it --volume volumename:/data busybox sh
+```
+
+### `--volume`
+
+The `--volume` (or `-v`) flag takes a value that is in the format
+`<volume_name>:<mountpoint>`. The two parts of the value are
+separated by a colon (`:`) character.
+
+- The volume name is a human-readable name for the volume, and cannot begin with
+  a `/` character. It is referred to as `volume_name` in the rest of this topic.
+- The `Mountpoint` is the path on the host (v1) or in the plugin (v2) where the
+  volume has been made available.
+
+### `volumedriver`
+
+Specifying a `volumedriver` in conjunction with a `volumename` allows you to
+use plugins such as [Flocker](https://github.com/ScatterHQ/flocker) to manage
+volumes external to a single host, such as those on EBS.
+
+## Create a VolumeDriver
+
+The container creation endpoint (`/containers/create`) accepts a `VolumeDriver`
+field of type `string` allowing to specify the name of the driver. If not
+specified, it defaults to `"local"` (the default driver for local volumes).
+
+## Volume plugin protocol
+
+If a plugin registers itself as a `VolumeDriver` when activated, it must
+provide the Docker Daemon with writeable paths on the host filesystem. The Docker
+daemon provides these paths to containers to consume. The Docker daemon makes
+the volumes available by bind-mounting the provided paths into the containers.
+
+> **Note**: Volume plugins should *not* write data to the `/var/lib/docker/`
+> directory, including `/var/lib/docker/volumes`. The `/var/lib/docker/`
+> directory is reserved for Docker.
+
+### `/VolumeDriver.Create`
+
+**Request**:
+```json
+{
+    "Name": "volume_name",
+    "Opts": {}
+}
+```
+
+Instruct the plugin that the user wants to create a volume, given a user
+specified volume name. The plugin does not need to actually manifest the
+volume on the filesystem yet (until `Mount` is called).
+`Opts` is a map of driver specific options passed through from the user request.
+
+**Response**:
+```json
+{
+    "Err": ""
+}
+```
+
+Respond with a string error if an error occurred.
+
+### `/VolumeDriver.Remove`
+
+**Request**:
+```json
+{
+    "Name": "volume_name"
+}
+```
+
+Delete the specified volume from disk. This request is issued when a user
+invokes `docker rm -v` to remove volumes associated with a container.
+
+**Response**:
+```json
+{
+    "Err": ""
+}
+```
+
+Respond with a string error if an error occurred.
+
+### `/VolumeDriver.Mount`
+
+**Request**:
+```json
+{
+    "Name": "volume_name",
+    "ID": "b87d7442095999a92b65b3d9691e697b61713829cc0ffd1bb72e4ccd51aa4d6c"
+}
+```
+
+Docker requires the plugin to provide a volume, given a user specified volume
+name. `Mount` is called once per container start. If the same `volume_name` is requested
+more than once, the plugin may need to keep track of each new mount request and provision
+at the first mount request and deprovision at the last corresponding unmount request.
+
+`ID` is a unique ID for the caller that is requesting the mount.
+
+**Response**:
+
+- **v1**:
+
+  ```json
+  {
+      "Mountpoint": "/path/to/directory/on/host",
+      "Err": ""
+  }
+  ```
+
+- **v2**:
+
+  ```json
+  {
+      "Mountpoint": "/path/under/PropagatedMount",
+      "Err": ""
+  }
+  ```
+
+`Mountpoint` is the path on the host (v1) or in the plugin (v2) where the volume
+has been made available.
+
+`Err` is either empty or contains an error string.
+
+### `/VolumeDriver.Path`
+
+**Request**:
+
+```json
+{
+    "Name": "volume_name"
+}
+```
+
+Request the path to the volume with the given `volume_name`.
+
+**Response**:
+
+- **v1**:
+
+  ```json
+  {
+      "Mountpoint": "/path/to/directory/on/host",
+      "Err": ""
+  }
+  ```
+
+- **v2**:
+
+  ```json
+  {
+      "Mountpoint": "/path/under/PropagatedMount",
+      "Err": ""
+  }
+  ```
+
+Respond with the path on the host (v1) or inside the plugin (v2) where the
+volume has been made available, and/or a string error if an error occurred.
+
+`Mountpoint` is optional. However, the plugin may be queried again later if one
+is not provided.
+
+### `/VolumeDriver.Unmount`
+
+**Request**:
+```json
+{
+    "Name": "volume_name",
+    "ID": "b87d7442095999a92b65b3d9691e697b61713829cc0ffd1bb72e4ccd51aa4d6c"
+}
+```
+
+Docker is no longer using the named volume. `Unmount` is called once per
+container stop. Plugin may deduce that it is safe to deprovision the volume at
+this point.
+
+`ID` is a unique ID for the caller that is requesting the mount.
+
+**Response**:
+```json
+{
+    "Err": ""
+}
+```
+
+Respond with a string error if an error occurred.
+
+
+### `/VolumeDriver.Get`
+
+**Request**:
+```json
+{
+    "Name": "volume_name"
+}
+```
+
+Get info about `volume_name`.
+
+
+**Response**:
+
+- **v1**:
+
+  ```json
+  {
+    "Volume": {
+      "Name": "volume_name",
+      "Mountpoint": "/path/to/directory/on/host",
+      "Status": {}
+    },
+    "Err": ""
+  }
+  ```
+
+- **v2**:
+
+  ```json
+  {
+    "Volume": {
+      "Name": "volume_name",
+      "Mountpoint": "/path/under/PropagatedMount",
+      "Status": {}
+    },
+    "Err": ""
+  }
+  ```
+
+Respond with a string error if an error occurred. `Mountpoint` and `Status` are
+optional.
+
+
+### /VolumeDriver.List
+
+**Request**:
+```json
+{}
+```
+
+Get the list of volumes registered with the plugin.
+
+**Response**:
+
+- **v1**:
+
+  ```json
+  {
+    "Volumes": [
+      {
+        "Name": "volume_name",
+        "Mountpoint": "/path/to/directory/on/host"
+      }
+    ],
+    "Err": ""
+  }
+  ```
+
+- **v2**:
+
+  ```json
+  {
+    "Volumes": [
+      {
+        "Name": "volume_name",
+        "Mountpoint": "/path/under/PropagatedMount"
+      }
+    ],
+    "Err": ""
+  }
+  ```
+
+
+Respond with a string error if an error occurred. `Mountpoint` is optional.
+
+### /VolumeDriver.Capabilities
+
+**Request**:
+```json
+{}
+```
+
+Get the list of capabilities the driver supports.
+
+The driver is not required to implement `Capabilities`. If it is not
+implemented, the default values are used.
+
+**Response**:
+```json
+{
+  "Capabilities": {
+    "Scope": "global"
+  }
+}
+```
+
+Supported scopes are `global` and `local`. Any other value in `Scope` will be
+ignored, and `local` is used. `Scope` allows cluster managers to handle the
+volume in different ways. For instance, a scope of `global`, signals to the
+cluster manager that it only needs to create the volume once instead of on each
+Docker host. More capabilities may be added in the future.
diff --git a/cli/docs/reference/builder.md b/cli/docs/reference/builder.md
new file mode 100644
index 00000000..fbf71cd4
--- /dev/null
+++ b/cli/docs/reference/builder.md
@@ -0,0 +1,1983 @@
+---
+description: "Dockerfiles use a simple DSL which allows you to automate the steps you would normally manually take to create an image."
+keywords: "builder, docker, Dockerfile, automation, image creation"
+redirect_from:
+- /reference/builder/
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Dockerfile reference
+
+Docker can build images automatically by reading the instructions from a
+`Dockerfile`. A `Dockerfile` is a text document that contains all the commands a
+user could call on the command line to assemble an image. Using `docker build`
+users can create an automated build that executes several command-line
+instructions in succession.
+
+This page describes the commands you can use in a `Dockerfile`. When you are
+done reading this page, refer to the [`Dockerfile` Best
+Practices](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/) for a tip-oriented guide.
+
+## Usage
+
+The [`docker build`](commandline/build.md) command builds an image from
+a `Dockerfile` and a *context*. The build's context is the set of files at a
+specified location `PATH` or `URL`. The `PATH` is a directory on your local
+filesystem. The `URL` is a Git repository location.
+
+A context is processed recursively. So, a `PATH` includes any subdirectories and
+the `URL` includes the repository and its submodules. This example shows a
+build command that uses the current directory as context:
+
+    $ docker build .
+    Sending build context to Docker daemon  6.51 MB
+    ...
+
+The build is run by the Docker daemon, not by the CLI. The first thing a build
+process does is send the entire context (recursively) to the daemon.  In most
+cases, it's best to start with an empty directory as context and keep your
+Dockerfile in that directory. Add only the files needed for building the
+Dockerfile.
+
+>**Warning**: Do not use your root directory, `/`, as the `PATH` as it causes
+>the build to transfer the entire contents of your hard drive to the Docker
+>daemon.
+
+To use a file in the build context, the `Dockerfile` refers to the file specified
+in an instruction, for example,  a `COPY` instruction. To increase the build's
+performance, exclude files and directories by adding a `.dockerignore` file to
+the context directory.  For information about how to [create a `.dockerignore`
+file](#dockerignore-file) see the documentation on this page.
+
+Traditionally, the `Dockerfile` is called `Dockerfile` and located in the root
+of the context. You use the `-f` flag with `docker build` to point to a Dockerfile
+anywhere in your file system.
+
+    $ docker build -f /path/to/a/Dockerfile .
+
+You can specify a repository and tag at which to save the new image if
+the build succeeds:
+
+    $ docker build -t shykes/myapp .
+
+To tag the image into multiple repositories after the build,
+add multiple `-t` parameters when you run the `build` command:
+
+    $ docker build -t shykes/myapp:1.0.2 -t shykes/myapp:latest .
+
+Before the Docker daemon runs the instructions in the `Dockerfile`, it performs
+a preliminary validation of the `Dockerfile` and returns an error if the syntax is incorrect:
+
+    $ docker build -t test/myapp .
+    Sending build context to Docker daemon 2.048 kB
+    Error response from daemon: Unknown instruction: RUNCMD
+
+The Docker daemon runs the instructions in the `Dockerfile` one-by-one,
+committing the result of each instruction
+to a new image if necessary, before finally outputting the ID of your
+new image. The Docker daemon will automatically clean up the context you
+sent.
+
+Note that each instruction is run independently, and causes a new image
+to be created - so `RUN cd /tmp` will not have any effect on the next
+instructions.
+
+Whenever possible, Docker will re-use the intermediate images (cache),
+to accelerate the `docker build` process significantly. This is indicated by
+the `Using cache` message in the console output.
+(For more information, see the [Build cache section](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#build-cache) in the
+`Dockerfile` best practices guide):
+
+    $ docker build -t svendowideit/ambassador .
+    Sending build context to Docker daemon 15.36 kB
+    Step 1/4 : FROM alpine:3.2
+     ---> 31f630c65071
+    Step 2/4 : MAINTAINER SvenDowideit@home.org.au
+     ---> Using cache
+     ---> 2a1c91448f5f
+    Step 3/4 : RUN apk update &&      apk add socat &&        rm -r /var/cache/
+     ---> Using cache
+     ---> 21ed6e7fbb73
+    Step 4/4 : CMD env | grep _TCP= | (sed 's/.*_PORT_\([0-9]*\)_TCP=tcp:\/\/\(.*\):\(.*\)/socat -t 100000000 TCP4-LISTEN:\1,fork,reuseaddr TCP4:\2:\3 \&/' && echo wait) | sh
+     ---> Using cache
+     ---> 7ea8aef582cc
+    Successfully built 7ea8aef582cc
+
+Build cache is only used from images that have a local parent chain. This means
+that these images were created by previous builds or the whole chain of images
+was loaded with `docker load`. If you wish to use build cache of a specific
+image you can specify it with `--cache-from` option. Images specified with
+`--cache-from` do not need to have a parent chain and may be pulled from other
+registries.
+
+When you're done with your build, you're ready to look into [*Pushing a
+repository to its registry*](https://docs.docker.com/engine/tutorials/dockerrepos/#/contributing-to-docker-hub).
+
+## Format
+
+Here is the format of the `Dockerfile`:
+
+```Dockerfile
+# Comment
+INSTRUCTION arguments
+```
+
+The instruction is not case-sensitive. However, convention is for them to
+be UPPERCASE to distinguish them from arguments more easily.
+
+
+Docker runs instructions in a `Dockerfile` in order. A `Dockerfile` **must
+start with a \`FROM\` instruction**. The `FROM` instruction specifies the [*Base
+Image*](glossary.md#base-image) from which you are building. `FROM` may only be
+preceded by one or more `ARG` instructions, which declare arguments that are used
+in `FROM` lines in the `Dockerfile`.
+
+Docker treats lines that *begin* with `#` as a comment, unless the line is
+a valid [parser directive](#parser-directives). A `#` marker anywhere
+else in a line is treated as an argument. This allows statements like:
+
+```Dockerfile
+# Comment
+RUN echo 'we are running some # of cool things'
+```
+
+Line continuation characters are not supported in comments.
+
+## Parser directives
+
+Parser directives are optional, and affect the way in which subsequent lines
+in a `Dockerfile` are handled. Parser directives do not add layers to the build,
+and will not be shown as a build step. Parser directives are written as a
+special type of comment in the form `# directive=value`. A single directive
+may only be used once.
+
+Once a comment, empty line or builder instruction has been processed, Docker
+no longer looks for parser directives. Instead it treats anything formatted
+as a parser directive as a comment and does not attempt to validate if it might
+be a parser directive. Therefore, all parser directives must be at the very
+top of a `Dockerfile`.
+
+Parser directives are not case-sensitive. However, convention is for them to
+be lowercase. Convention is also to include a blank line following any
+parser directives. Line continuation characters are not supported in parser
+directives.
+
+Due to these rules, the following examples are all invalid:
+
+Invalid due to line continuation:
+
+```Dockerfile
+# direc \
+tive=value
+```
+
+Invalid due to appearing twice:
+
+```Dockerfile
+# directive=value1
+# directive=value2
+
+FROM ImageName
+```
+
+Treated as a comment due to appearing after a builder instruction:
+
+```Dockerfile
+FROM ImageName
+# directive=value
+```
+
+Treated as a comment due to appearing after a comment which is not a parser
+directive:
+
+```Dockerfile
+# About my dockerfile
+# directive=value
+FROM ImageName
+```
+
+The unknown directive is treated as a comment due to not being recognized. In
+addition, the known directive is treated as a comment due to appearing after
+a comment which is not a parser directive.
+
+```Dockerfile
+# unknowndirective=value
+# knowndirective=value
+```
+
+Non line-breaking whitespace is permitted in a parser directive. Hence, the
+following lines are all treated identically:
+
+```Dockerfile
+#directive=value
+# directive =value
+#	directive= value
+# directive = value
+#	  dIrEcTiVe=value
+```
+
+The following parser directive is supported:
+
+* `escape`
+
+## escape
+
+    # escape=\ (backslash)
+
+Or
+
+    # escape=` (backtick)
+
+The `escape` directive sets the character used to escape characters in a
+`Dockerfile`. If not specified, the default escape character is `\`.
+
+The escape character is used both to escape characters in a line, and to
+escape a newline. This allows a `Dockerfile` instruction to
+span multiple lines. Note that regardless of whether the `escape` parser
+directive is included in a `Dockerfile`, *escaping is not performed in
+a `RUN` command, except at the end of a line.*
+
+Setting the escape character to `` ` `` is especially useful on
+`Windows`, where `\` is the directory path separator. `` ` `` is consistent
+with [Windows PowerShell](https://technet.microsoft.com/en-us/library/hh847755.aspx).
+
+Consider the following example which would fail in a non-obvious way on
+`Windows`. The second `\` at the end of the second line would be interpreted as an
+escape for the newline, instead of a target of the escape from the first `\`.
+Similarly, the `\` at the end of the third line would, assuming it was actually
+handled as an instruction, cause it be treated as a line continuation. The result
+of this dockerfile is that second and third lines are considered a single
+instruction:
+
+```Dockerfile
+FROM microsoft/nanoserver
+COPY testfile.txt c:\\
+RUN dir c:\
+```
+
+Results in:
+
+    PS C:\John> docker build -t cmd .
+    Sending build context to Docker daemon 3.072 kB
+    Step 1/2 : FROM microsoft/nanoserver
+     ---> 22738ff49c6d
+    Step 2/2 : COPY testfile.txt c:\RUN dir c:
+    GetFileAttributesEx c:RUN: The system cannot find the file specified.
+    PS C:\John>
+
+One solution to the above would be to use `/` as the target of both the `COPY`
+instruction, and `dir`. However, this syntax is, at best, confusing as it is not
+natural for paths on `Windows`, and at worst, error prone as not all commands on
+`Windows` support `/` as the path separator.
+
+By adding the `escape` parser directive, the following `Dockerfile` succeeds as
+expected with the use of natural platform semantics for file paths on `Windows`:
+
+    # escape=`
+
+    FROM microsoft/nanoserver
+    COPY testfile.txt c:\
+    RUN dir c:\
+
+Results in:
+
+    PS C:\John> docker build -t succeeds --no-cache=true .
+    Sending build context to Docker daemon 3.072 kB
+    Step 1/3 : FROM microsoft/nanoserver
+     ---> 22738ff49c6d
+    Step 2/3 : COPY testfile.txt c:\
+     ---> 96655de338de
+    Removing intermediate container 4db9acbb1682
+    Step 3/3 : RUN dir c:\
+     ---> Running in a2c157f842f5
+     Volume in drive C has no label.
+     Volume Serial Number is 7E6D-E0F7
+
+     Directory of c:\
+
+    10/05/2016  05:04 PM             1,894 License.txt
+    10/05/2016  02:22 PM    <DIR>          Program Files
+    10/05/2016  02:14 PM    <DIR>          Program Files (x86)
+    10/28/2016  11:18 AM                62 testfile.txt
+    10/28/2016  11:20 AM    <DIR>          Users
+    10/28/2016  11:20 AM    <DIR>          Windows
+               2 File(s)          1,956 bytes
+               4 Dir(s)  21,259,096,064 bytes free
+     ---> 01c7f3bef04f
+    Removing intermediate container a2c157f842f5
+    Successfully built 01c7f3bef04f
+    PS C:\John>
+
+## Environment replacement
+
+Environment variables (declared with [the `ENV` statement](#env)) can also be
+used in certain instructions as variables to be interpreted by the
+`Dockerfile`. Escapes are also handled for including variable-like syntax
+into a statement literally.
+
+Environment variables are notated in the `Dockerfile` either with
+`$variable_name` or `${variable_name}`. They are treated equivalently and the
+brace syntax is typically used to address issues with variable names with no
+whitespace, like `${foo}_bar`.
+
+The `${variable_name}` syntax also supports a few of the standard `bash`
+modifiers as specified below:
+
+* `${variable:-word}` indicates that if `variable` is set then the result
+  will be that value. If `variable` is not set then `word` will be the result.
+* `${variable:+word}` indicates that if `variable` is set then `word` will be
+  the result, otherwise the result is the empty string.
+
+In all cases, `word` can be any string, including additional environment
+variables.
+
+Escaping is possible by adding a `\` before the variable: `\$foo` or `\${foo}`,
+for example, will translate to `$foo` and `${foo}` literals respectively.
+
+Example (parsed representation is displayed after the `#`):
+
+    FROM busybox
+    ENV foo /bar
+    WORKDIR ${foo}   # WORKDIR /bar
+    ADD . $foo       # ADD . /bar
+    COPY \$foo /quux # COPY $foo /quux
+
+Environment variables are supported by the following list of instructions in
+the `Dockerfile`:
+
+* `ADD`
+* `COPY`
+* `ENV`
+* `EXPOSE`
+* `FROM`
+* `LABEL`
+* `STOPSIGNAL`
+* `USER`
+* `VOLUME`
+* `WORKDIR`
+
+as well as:
+
+* `ONBUILD` (when combined with one of the supported instructions above)
+
+> **Note**:
+> prior to 1.4, `ONBUILD` instructions did **NOT** support environment
+> variable, even when combined with any of the instructions listed above.
+
+Environment variable substitution will use the same value for each variable
+throughout the entire instruction. In other words, in this example:
+
+    ENV abc=hello
+    ENV abc=bye def=$abc
+    ENV ghi=$abc
+
+will result in `def` having a value of `hello`, not `bye`. However,
+`ghi` will have a value of `bye` because it is not part of the same instruction
+that set `abc` to `bye`.
+
+## .dockerignore file
+
+Before the docker CLI sends the context to the docker daemon, it looks
+for a file named `.dockerignore` in the root directory of the context.
+If this file exists, the CLI modifies the context to exclude files and
+directories that match patterns in it.  This helps to avoid
+unnecessarily sending large or sensitive files and directories to the
+daemon and potentially adding them to images using `ADD` or `COPY`.
+
+The CLI interprets the `.dockerignore` file as a newline-separated
+list of patterns similar to the file globs of Unix shells.  For the
+purposes of matching, the root of the context is considered to be both
+the working and the root directory.  For example, the patterns
+`/foo/bar` and `foo/bar` both exclude a file or directory named `bar`
+in the `foo` subdirectory of `PATH` or in the root of the git
+repository located at `URL`.  Neither excludes anything else.
+
+If a line in `.dockerignore` file starts with `#` in column 1, then this line is
+considered as a comment and is ignored before interpreted by the CLI.
+
+Here is an example `.dockerignore` file:
+
+```
+# comment
+*/temp*
+*/*/temp*
+temp?
+```
+
+This file causes the following build behavior:
+
+| Rule        | Behavior                                                                                                                                                                                                       |
+|:------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `# comment` | Ignored.                                                                                                                                                                                                       |
+| `*/temp*`   | Exclude files and directories whose names start with `temp` in any immediate subdirectory of the root.  For example, the plain file `/somedir/temporary.txt` is excluded, as is the directory `/somedir/temp`. |
+| `*/*/temp*` | Exclude files and directories starting with `temp` from any subdirectory that is two levels below the root. For example, `/somedir/subdir/temporary.txt` is excluded.                                          |
+| `temp?`     | Exclude files and directories in the root directory whose names are a one-character extension of `temp`.  For example, `/tempa` and `/tempb` are excluded.                                                     |
+
+
+Matching is done using Go's
+[filepath.Match](http://golang.org/pkg/path/filepath#Match) rules.  A
+preprocessing step removes leading and trailing whitespace and
+eliminates `.` and `..` elements using Go's
+[filepath.Clean](http://golang.org/pkg/path/filepath/#Clean).  Lines
+that are blank after preprocessing are ignored.
+
+Beyond Go's filepath.Match rules, Docker also supports a special
+wildcard string `**` that matches any number of directories (including
+zero). For example, `**/*.go` will exclude all files that end with `.go`
+that are found in all directories, including the root of the build context.
+
+Lines starting with `!` (exclamation mark) can be used to make exceptions
+to exclusions.  The following is an example `.dockerignore` file that
+uses this mechanism:
+
+```
+    *.md
+    !README.md
+```
+
+All markdown files *except* `README.md` are excluded from the context.
+
+The placement of `!` exception rules influences the behavior: the last
+line of the `.dockerignore` that matches a particular file determines
+whether it is included or excluded.  Consider the following example:
+
+```
+    *.md
+    !README*.md
+    README-secret.md
+```
+
+No markdown files are included in the context except README files other than
+`README-secret.md`.
+
+Now consider this example:
+
+```
+    *.md
+    README-secret.md
+    !README*.md
+```
+
+All of the README files are included.  The middle line has no effect because
+`!README*.md` matches `README-secret.md` and comes last.
+
+You can even use the `.dockerignore` file to exclude the `Dockerfile`
+and `.dockerignore` files.  These files are still sent to the daemon
+because it needs them to do its job.  But the `ADD` and `COPY` instructions
+do not copy them to the image.
+
+Finally, you may want to specify which files to include in the
+context, rather than which to exclude. To achieve this, specify `*` as
+the first pattern, followed by one or more `!` exception patterns.
+
+**Note**: For historical reasons, the pattern `.` is ignored.
+
+## FROM
+
+    FROM <image> [AS <name>]
+
+Or
+
+    FROM <image>[:<tag>] [AS <name>]
+
+Or
+
+    FROM <image>[@<digest>] [AS <name>]
+
+The `FROM` instruction initializes a new build stage and sets the
+[*Base Image*](glossary.md#base-image) for subsequent instructions. As such, a
+valid `Dockerfile` must start with a `FROM` instruction. The image can be
+any valid image – it is especially easy to start by **pulling an image** from
+the [*Public Repositories*](https://docs.docker.com/engine/tutorials/dockerrepos/).
+
+- `ARG` is the only instruction that may precede `FROM` in the `Dockerfile`.
+  See [Understand how ARG and FROM interact](#understand-how-arg-and-from-interact).
+
+- `FROM` can appear multiple times within a single `Dockerfile` to
+  create multiple images or use one build stage as a dependency for another.
+  Simply make a note of the last image ID output by the commit before each new
+  `FROM` instruction. Each `FROM` instruction clears any state created by previous
+  instructions.
+
+- Optionally a name can be given to a new build stage by adding `AS name` to the
+  `FROM` instruction. The name can be used in subsequent `FROM` and
+  `COPY --from=<name|index>` instructions to refer to the image built in this stage.
+
+- The `tag` or `digest` values are optional. If you omit either of them, the
+  builder assumes a `latest` tag by default. The builder returns an error if it
+  cannot find the `tag` value.
+
+### Understand how ARG and FROM interact
+
+`FROM` instructions support variables that are declared by any `ARG`
+instructions that occur before the first `FROM`.
+
+```Dockerfile
+ARG  CODE_VERSION=latest
+FROM base:${CODE_VERSION}
+CMD  /code/run-app
+
+FROM extras:${CODE_VERSION}
+CMD  /code/run-extras
+```
+
+An `ARG` declared before a `FROM` is outside of a build stage, so it
+can't be used in any instruction after a `FROM`. To use the default value of
+an `ARG` declared before the first `FROM` use an `ARG` instruction without
+a value inside of a build stage:
+
+```Dockerfile
+ARG VERSION=latest
+FROM busybox:$VERSION
+ARG VERSION
+RUN echo $VERSION > image_version
+```
+
+## RUN
+
+RUN has 2 forms:
+
+- `RUN <command>` (*shell* form, the command is run in a shell, which by
+default is `/bin/sh -c` on Linux or `cmd /S /C` on Windows)
+- `RUN ["executable", "param1", "param2"]` (*exec* form)
+
+The `RUN` instruction will execute any commands in a new layer on top of the
+current image and commit the results. The resulting committed image will be
+used for the next step in the `Dockerfile`.
+
+Layering `RUN` instructions and generating commits conforms to the core
+concepts of Docker where commits are cheap and containers can be created from
+any point in an image's history, much like source control.
+
+The *exec* form makes it possible to avoid shell string munging, and to `RUN`
+commands using a base image that does not contain the specified shell executable.
+
+The default shell for the *shell* form can be changed using the `SHELL`
+command.
+
+In the *shell* form you can use a `\` (backslash) to continue a single
+RUN instruction onto the next line. For example, consider these two lines:
+
+```
+RUN /bin/bash -c 'source $HOME/.bashrc; \
+echo $HOME'
+```
+Together they are equivalent to this single line:
+
+```
+RUN /bin/bash -c 'source $HOME/.bashrc; echo $HOME'
+```
+
+> **Note**:
+> To use a different shell, other than '/bin/sh', use the *exec* form
+> passing in the desired shell. For example,
+> `RUN ["/bin/bash", "-c", "echo hello"]`
+
+> **Note**:
+> The *exec* form is parsed as a JSON array, which means that
+> you must use double-quotes (") around words not single-quotes (').
+
+> **Note**:
+> Unlike the *shell* form, the *exec* form does not invoke a command shell.
+> This means that normal shell processing does not happen. For example,
+> `RUN [ "echo", "$HOME" ]` will not do variable substitution on `$HOME`.
+> If you want shell processing then either use the *shell* form or execute
+> a shell directly, for example: `RUN [ "sh", "-c", "echo $HOME" ]`.
+> When using the exec form and executing a shell directly, as in the case for
+> the shell form, it is the shell that is doing the environment variable
+> expansion, not docker.
+>
+> **Note**:
+> In the *JSON* form, it is necessary to escape backslashes. This is
+> particularly relevant on Windows where the backslash is the path separator.
+> The following line would otherwise be treated as *shell* form due to not
+> being valid JSON, and fail in an unexpected way:
+> `RUN ["c:\windows\system32\tasklist.exe"]`
+> The correct syntax for this example is:
+> `RUN ["c:\\windows\\system32\\tasklist.exe"]`
+
+The cache for `RUN` instructions isn't invalidated automatically during
+the next build. The cache for an instruction like
+`RUN apt-get dist-upgrade -y` will be reused during the next build. The
+cache for `RUN` instructions can be invalidated by using the `--no-cache`
+flag, for example `docker build --no-cache`.
+
+See the [`Dockerfile` Best Practices
+guide](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#/build-cache) for more information.
+
+The cache for `RUN` instructions can be invalidated by `ADD` instructions. See
+[below](#add) for details.
+
+### Known issues (RUN)
+
+- [Issue 783](https://github.com/docker/docker/issues/783) is about file
+  permissions problems that can occur when using the AUFS file system. You
+  might notice it during an attempt to `rm` a file, for example.
+
+  For systems that have recent aufs version (i.e., `dirperm1` mount option can
+  be set), docker will attempt to fix the issue automatically by mounting
+  the layers with `dirperm1` option. More details on `dirperm1` option can be
+  found at [`aufs` man page](https://github.com/sfjro/aufs3-linux/tree/aufs3.18/Documentation/filesystems/aufs)
+
+  If your system doesn't have support for `dirperm1`, the issue describes a workaround.
+
+## CMD
+
+The `CMD` instruction has three forms:
+
+- `CMD ["executable","param1","param2"]` (*exec* form, this is the preferred form)
+- `CMD ["param1","param2"]` (as *default parameters to ENTRYPOINT*)
+- `CMD command param1 param2` (*shell* form)
+
+There can only be one `CMD` instruction in a `Dockerfile`. If you list more than one `CMD`
+then only the last `CMD` will take effect.
+
+**The main purpose of a `CMD` is to provide defaults for an executing
+container.** These defaults can include an executable, or they can omit
+the executable, in which case you must specify an `ENTRYPOINT`
+instruction as well.
+
+> **Note**:
+> If `CMD` is used to provide default arguments for the `ENTRYPOINT`
+> instruction, both the `CMD` and `ENTRYPOINT` instructions should be specified
+> with the JSON array format.
+
+> **Note**:
+> The *exec* form is parsed as a JSON array, which means that
+> you must use double-quotes (") around words not single-quotes (').
+
+> **Note**:
+> Unlike the *shell* form, the *exec* form does not invoke a command shell.
+> This means that normal shell processing does not happen. For example,
+> `CMD [ "echo", "$HOME" ]` will not do variable substitution on `$HOME`.
+> If you want shell processing then either use the *shell* form or execute
+> a shell directly, for example: `CMD [ "sh", "-c", "echo $HOME" ]`.
+> When using the exec form and executing a shell directly, as in the case for
+> the shell form, it is the shell that is doing the environment variable
+> expansion, not docker.
+
+When used in the shell or exec formats, the `CMD` instruction sets the command
+to be executed when running the image.
+
+If you use the *shell* form of the `CMD`, then the `<command>` will execute in
+`/bin/sh -c`:
+
+    FROM ubuntu
+    CMD echo "This is a test." | wc -
+
+If you want to **run your** `<command>` **without a shell** then you must
+express the command as a JSON array and give the full path to the executable.
+**This array form is the preferred format of `CMD`.** Any additional parameters
+must be individually expressed as strings in the array:
+
+    FROM ubuntu
+    CMD ["/usr/bin/wc","--help"]
+
+If you would like your container to run the same executable every time, then
+you should consider using `ENTRYPOINT` in combination with `CMD`. See
+[*ENTRYPOINT*](#entrypoint).
+
+If the user specifies arguments to `docker run` then they will override the
+default specified in `CMD`.
+
+> **Note**:
+> Don't confuse `RUN` with `CMD`. `RUN` actually runs a command and commits
+> the result; `CMD` does not execute anything at build time, but specifies
+> the intended command for the image.
+
+## LABEL
+
+    LABEL <key>=<value> <key>=<value> <key>=<value> ...
+
+The `LABEL` instruction adds metadata to an image. A `LABEL` is a
+key-value pair. To include spaces within a `LABEL` value, use quotes and
+backslashes as you would in command-line parsing. A few usage examples:
+
+    LABEL "com.example.vendor"="ACME Incorporated"
+    LABEL com.example.label-with-value="foo"
+    LABEL version="1.0"
+    LABEL description="This text illustrates \
+    that label-values can span multiple lines."
+
+An image can have more than one label. You can specify multiple labels on a
+single line. Prior to Docker 1.10, this decreased the size of the final image,
+but this is no longer the case. You may still choose to specify multiple labels
+in a single instruction, in one of the following two ways:
+
+```none
+LABEL multi.label1="value1" multi.label2="value2" other="value3"
+```
+
+```none
+LABEL multi.label1="value1" \
+      multi.label2="value2" \
+      other="value3"
+```
+
+Labels included in base or parent images (images in the `FROM` line) are
+inherited by your image. If a label already exists but with a different value,
+the most-recently-applied value overrides any previously-set value.
+
+To view an image's labels, use the `docker inspect` command.
+
+    "Labels": {
+        "com.example.vendor": "ACME Incorporated"
+        "com.example.label-with-value": "foo",
+        "version": "1.0",
+        "description": "This text illustrates that label-values can span multiple lines.",
+        "multi.label1": "value1",
+        "multi.label2": "value2",
+        "other": "value3"
+    },
+
+## MAINTAINER (deprecated)
+
+    MAINTAINER <name>
+
+The `MAINTAINER` instruction sets the *Author* field of the generated images.
+The `LABEL` instruction is a much more flexible version of this and you should use
+it instead, as it enables setting any metadata you require, and can be viewed
+easily, for example with `docker inspect`. To set a label corresponding to the
+`MAINTAINER` field you could use:
+
+    LABEL maintainer="SvenDowideit@home.org.au"
+
+This will then be visible from `docker inspect` with the other labels.
+
+## EXPOSE
+
+    EXPOSE <port> [<port>/<protocol>...]
+
+The `EXPOSE` instruction informs Docker that the container listens on the
+specified network ports at runtime. You can specify whether the port listens on
+TCP or UDP, and the default is TCP if the protocol is not specified.
+
+The `EXPOSE` instruction does not actually publish the port. It functions as a
+type of documentation between the person who builds the image and the person who
+runs the container, about which ports are intended to be published. To actually
+publish the port when running the container, use the `-p` flag on `docker run`
+to publish and map one or more ports, or the `-P` flag to publish all exposed
+ports and map them to high-order ports.
+
+By default, `EXPOSE` assumes TCP. You can also specify UDP:
+
+```Dockerfile
+EXPOSE 80/udp
+```
+
+To expose on both TCP and UDP, include two lines:
+
+```Dockerfile
+EXPOSE 80/tcp
+EXPOSE 80/udp
+```
+
+In this case, if you use `-P` with `docker run`, the port will be exposed once
+for TCP and once for UDP. Remember that `-P` uses an ephemeral high-ordered host
+port on the host, so the port will not be the same for TCP and UDP.
+
+Regardless of the `EXPOSE` settings, you can override them at runtime by using
+the `-p` flag. For example
+
+```bash
+docker run -p 80:80/tcp -p 80:80/udp ...
+```
+
+To set up port redirection on the host system, see [using the -P
+flag](run.md#expose-incoming-ports). The `docker network` command supports
+creating networks for communication among containers without the need to
+expose or publish specific ports, because the containers connected to the
+network can communicate with each other over any port. For detailed information,
+see the
+[overview of this feature](https://docs.docker.com/engine/userguide/networking/)).
+
+## ENV
+
+    ENV <key> <value>
+    ENV <key>=<value> ...
+
+The `ENV` instruction sets the environment variable `<key>` to the value
+`<value>`. This value will be in the environment for all subsequent instructions
+in the build stage and can be [replaced inline](#environment-replacement) in
+many as well.
+
+The `ENV` instruction has two forms. The first form, `ENV <key> <value>`,
+will set a single variable to a value. The entire string after the first
+space will be treated as the `<value>` - including whitespace characters. The
+value will be interpreted for other environment variables, so quote characters
+will be removed if they are not escaped.
+
+The second form, `ENV <key>=<value> ...`, allows for multiple variables to
+be set at one time. Notice that the second form uses the equals sign (=)
+in the syntax, while the first form does not. Like command line parsing,
+quotes and backslashes can be used to include spaces within values.
+
+For example:
+
+    ENV myName="John Doe" myDog=Rex\ The\ Dog \
+        myCat=fluffy
+
+and
+
+    ENV myName John Doe
+    ENV myDog Rex The Dog
+    ENV myCat fluffy
+
+will yield the same net results in the final image.
+
+The environment variables set using `ENV` will persist when a container is run
+from the resulting image. You can view the values using `docker inspect`, and
+change them using `docker run --env <key>=<value>`.
+
+> **Note**:
+> Environment persistence can cause unexpected side effects. For example,
+> setting `ENV DEBIAN_FRONTEND noninteractive` may confuse apt-get
+> users on a Debian-based image. To set a value for a single command, use
+> `RUN <key>=<value> <command>`.
+
+## ADD
+
+ADD has two forms:
+
+- `ADD [--chown=<user>:<group>] <src>... <dest>`
+- `ADD [--chown=<user>:<group>] ["<src>",... "<dest>"]` (this form is required for paths containing
+whitespace)
+
+> **Note**:
+> The `--chown` feature is only supported on Dockerfiles used to build Linux containers,
+> and will not work on Windows containers. Since user and group ownership concepts do
+> not translate between Linux and Windows, the use of `/etc/passwd` and `/etc/group` for
+> translating user and group names to IDs restricts this feature to only be viable
+> for Linux OS-based containers.
+
+The `ADD` instruction copies new files, directories or remote file URLs from `<src>`
+and adds them to the filesystem of the image at the path `<dest>`.
+
+Multiple `<src>` resources may be specified but if they are files or
+directories, their paths are interpreted as relative to the source of
+the context of the build.
+
+Each `<src>` may contain wildcards and matching will be done using Go's
+[filepath.Match](http://golang.org/pkg/path/filepath#Match) rules. For example:
+
+    ADD hom* /mydir/        # adds all files starting with "hom"
+    ADD hom?.txt /mydir/    # ? is replaced with any single character, e.g., "home.txt"
+
+The `<dest>` is an absolute path, or a path relative to `WORKDIR`, into which
+the source will be copied inside the destination container.
+
+    ADD test relativeDir/          # adds "test" to `WORKDIR`/relativeDir/
+    ADD test /absoluteDir/         # adds "test" to /absoluteDir/
+
+When adding files or directories that contain special characters (such as `[`
+and `]`), you need to escape those paths following the Golang rules to prevent
+them from being treated as a matching pattern. For example, to add a file
+named `arr[0].txt`, use the following;
+
+    ADD arr[[]0].txt /mydir/    # copy a file named "arr[0].txt" to /mydir/
+
+
+All new files and directories are created with a UID and GID of 0, unless the
+optional `--chown` flag specifies a given username, groupname, or UID/GID
+combination to request specific ownership of the content added. The
+format of the `--chown` flag allows for either username and groupname strings
+or direct integer UID and GID in any combination. Providing a username without
+groupname or a UID without GID will use the same numeric UID as the GID. If a
+username or groupname is provided, the container's root filesystem
+`/etc/passwd` and `/etc/group` files will be used to perform the translation
+from name to integer UID or GID respectively. The following examples show
+valid definitions for the `--chown` flag:
+
+    ADD --chown=55:mygroup files* /somedir/
+    ADD --chown=bin files* /somedir/
+    ADD --chown=1 files* /somedir/
+    ADD --chown=10:11 files* /somedir/
+
+If the container root filesystem does not contain either `/etc/passwd` or
+`/etc/group` files and either user or group names are used in the `--chown`
+flag, the build will fail on the `ADD` operation. Using numeric IDs requires
+no lookup and will not depend on container root filesystem content.
+
+In the case where `<src>` is a remote file URL, the destination will
+have permissions of 600. If the remote file being retrieved has an HTTP
+`Last-Modified` header, the timestamp from that header will be used
+to set the `mtime` on the destination file. However, like any other file
+processed during an `ADD`, `mtime` will not be included in the determination
+of whether or not the file has changed and the cache should be updated.
+
+> **Note**:
+> If you build by passing a `Dockerfile` through STDIN (`docker
+> build - < somefile`), there is no build context, so the `Dockerfile`
+> can only contain a URL based `ADD` instruction. You can also pass a
+> compressed archive through STDIN: (`docker build - < archive.tar.gz`),
+> the `Dockerfile` at the root of the archive and the rest of the
+> archive will be used as the context of the build.
+
+> **Note**:
+> If your URL files are protected using authentication, you
+> will need to use `RUN wget`, `RUN curl` or use another tool from
+> within the container as the `ADD` instruction does not support
+> authentication.
+
+> **Note**:
+> The first encountered `ADD` instruction will invalidate the cache for all
+> following instructions from the Dockerfile if the contents of `<src>` have
+> changed. This includes invalidating the cache for `RUN` instructions.
+> See the [`Dockerfile` Best Practices
+guide](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#/build-cache) for more information.
+
+
+`ADD` obeys the following rules:
+
+- The `<src>` path must be inside the *context* of the build;
+  you cannot `ADD ../something /something`, because the first step of a
+  `docker build` is to send the context directory (and subdirectories) to the
+  docker daemon.
+
+- If `<src>` is a URL and `<dest>` does not end with a trailing slash, then a
+  file is downloaded from the URL and copied to `<dest>`.
+
+- If `<src>` is a URL and `<dest>` does end with a trailing slash, then the
+  filename is inferred from the URL and the file is downloaded to
+  `<dest>/<filename>`. For instance, `ADD http://example.com/foobar /` would
+  create the file `/foobar`. The URL must have a nontrivial path so that an
+  appropriate filename can be discovered in this case (`http://example.com`
+  will not work).
+
+- If `<src>` is a directory, the entire contents of the directory are copied,
+  including filesystem metadata.
+
+> **Note**:
+> The directory itself is not copied, just its contents.
+
+- If `<src>` is a *local* tar archive in a recognized compression format
+  (identity, gzip, bzip2 or xz) then it is unpacked as a directory. Resources
+  from *remote* URLs are **not** decompressed. When a directory is copied or
+  unpacked, it has the same behavior as `tar -x`, the result is the union of:
+
+    1. Whatever existed at the destination path and
+    2. The contents of the source tree, with conflicts resolved in favor
+       of "2." on a file-by-file basis.
+
+  > **Note**:
+  > Whether a file is identified as a recognized compression format or not
+  > is done solely based on the contents of the file, not the name of the file.
+  > For example, if an empty file happens to end with `.tar.gz` this will not
+  > be recognized as a compressed file and **will not** generate any kind of
+  > decompression error message, rather the file will simply be copied to the
+  > destination.
+
+- If `<src>` is any other kind of file, it is copied individually along with
+  its metadata. In this case, if `<dest>` ends with a trailing slash `/`, it
+  will be considered a directory and the contents of `<src>` will be written
+  at `<dest>/base(<src>)`.
+
+- If multiple `<src>` resources are specified, either directly or due to the
+  use of a wildcard, then `<dest>` must be a directory, and it must end with
+  a slash `/`.
+
+- If `<dest>` does not end with a trailing slash, it will be considered a
+  regular file and the contents of `<src>` will be written at `<dest>`.
+
+- If `<dest>` doesn't exist, it is created along with all missing directories
+  in its path.
+
+## COPY
+
+COPY has two forms:
+
+- `COPY [--chown=<user>:<group>] <src>... <dest>`
+- `COPY [--chown=<user>:<group>] ["<src>",... "<dest>"]` (this form is required for paths containing
+whitespace)
+
+> **Note**:
+> The `--chown` feature is only supported on Dockerfiles used to build Linux containers,
+> and will not work on Windows containers. Since user and group ownership concepts do
+> not translate between Linux and Windows, the use of `/etc/passwd` and `/etc/group` for
+> translating user and group names to IDs restricts this feature to only be viable for
+> Linux OS-based containers.
+
+The `COPY` instruction copies new files or directories from `<src>`
+and adds them to the filesystem of the container at the path `<dest>`.
+
+Multiple `<src>` resources may be specified but the paths of files and
+directories will be interpreted as relative to the source of the context
+of the build.
+
+Each `<src>` may contain wildcards and matching will be done using Go's
+[filepath.Match](http://golang.org/pkg/path/filepath#Match) rules. For example:
+
+    COPY hom* /mydir/        # adds all files starting with "hom"
+    COPY hom?.txt /mydir/    # ? is replaced with any single character, e.g., "home.txt"
+
+The `<dest>` is an absolute path, or a path relative to `WORKDIR`, into which
+the source will be copied inside the destination container.
+
+    COPY test relativeDir/   # adds "test" to `WORKDIR`/relativeDir/
+    COPY test /absoluteDir/  # adds "test" to /absoluteDir/
+
+
+When copying files or directories that contain special characters (such as `[`
+and `]`), you need to escape those paths following the Golang rules to prevent
+them from being treated as a matching pattern. For example, to copy a file
+named `arr[0].txt`, use the following;
+
+    COPY arr[[]0].txt /mydir/    # copy a file named "arr[0].txt" to /mydir/
+
+All new files and directories are created with a UID and GID of 0, unless the
+optional `--chown` flag specifies a given username, groupname, or UID/GID
+combination to request specific ownership of the copied content. The
+format of the `--chown` flag allows for either username and groupname strings
+or direct integer UID and GID in any combination. Providing a username without
+groupname or a UID without GID will use the same numeric UID as the GID. If a
+username or groupname is provided, the container's root filesystem
+`/etc/passwd` and `/etc/group` files will be used to perform the translation
+from name to integer UID or GID respectively. The following examples show
+valid definitions for the `--chown` flag:
+
+    COPY --chown=55:mygroup files* /somedir/
+    COPY --chown=bin files* /somedir/
+    COPY --chown=1 files* /somedir/
+    COPY --chown=10:11 files* /somedir/
+
+If the container root filesystem does not contain either `/etc/passwd` or
+`/etc/group` files and either user or group names are used in the `--chown`
+flag, the build will fail on the `COPY` operation. Using numeric IDs requires
+no lookup and will not depend on container root filesystem content.
+
+> **Note**:
+> If you build using STDIN (`docker build - < somefile`), there is no
+> build context, so `COPY` can't be used.
+
+Optionally `COPY` accepts a flag `--from=<name|index>` that can be used to set
+the source location to a previous build stage (created with `FROM .. AS <name>`)
+that will be used instead of a build context sent by the user. The flag also
+accepts a numeric index assigned for all previous build stages started with
+`FROM` instruction. In case a build stage with a specified name can't be found an
+image with the same name is attempted to be used instead.
+
+`COPY` obeys the following rules:
+
+- The `<src>` path must be inside the *context* of the build;
+  you cannot `COPY ../something /something`, because the first step of a
+  `docker build` is to send the context directory (and subdirectories) to the
+  docker daemon.
+
+- If `<src>` is a directory, the entire contents of the directory are copied,
+  including filesystem metadata.
+
+> **Note**:
+> The directory itself is not copied, just its contents.
+
+- If `<src>` is any other kind of file, it is copied individually along with
+  its metadata. In this case, if `<dest>` ends with a trailing slash `/`, it
+  will be considered a directory and the contents of `<src>` will be written
+  at `<dest>/base(<src>)`.
+
+- If multiple `<src>` resources are specified, either directly or due to the
+  use of a wildcard, then `<dest>` must be a directory, and it must end with
+  a slash `/`.
+
+- If `<dest>` does not end with a trailing slash, it will be considered a
+  regular file and the contents of `<src>` will be written at `<dest>`.
+
+- If `<dest>` doesn't exist, it is created along with all missing directories
+  in its path.
+
+## ENTRYPOINT
+
+ENTRYPOINT has two forms:
+
+- `ENTRYPOINT ["executable", "param1", "param2"]`
+  (*exec* form, preferred)
+- `ENTRYPOINT command param1 param2`
+  (*shell* form)
+
+An `ENTRYPOINT` allows you to configure a container that will run as an executable.
+
+For example, the following will start nginx with its default content, listening
+on port 80:
+
+    docker run -i -t --rm -p 80:80 nginx
+
+Command line arguments to `docker run <image>` will be appended after all
+elements in an *exec* form `ENTRYPOINT`, and will override all elements specified
+using `CMD`.
+This allows arguments to be passed to the entry point, i.e., `docker run <image> -d`
+will pass the `-d` argument to the entry point.
+You can override the `ENTRYPOINT` instruction using the `docker run --entrypoint`
+flag.
+
+The *shell* form prevents any `CMD` or `run` command line arguments from being
+used, but has the disadvantage that your `ENTRYPOINT` will be started as a
+subcommand of `/bin/sh -c`, which does not pass signals.
+This means that the executable will not be the container's `PID 1` - and
+will _not_ receive Unix signals - so your executable will not receive a
+`SIGTERM` from `docker stop <container>`.
+
+Only the last `ENTRYPOINT` instruction in the `Dockerfile` will have an effect.
+
+### Exec form ENTRYPOINT example
+
+You can use the *exec* form of `ENTRYPOINT` to set fairly stable default commands
+and arguments and then use either form of `CMD` to set additional defaults that
+are more likely to be changed.
+
+    FROM ubuntu
+    ENTRYPOINT ["top", "-b"]
+    CMD ["-c"]
+
+When you run the container, you can see that `top` is the only process:
+
+    $ docker run -it --rm --name test  top -H
+    top - 08:25:00 up  7:27,  0 users,  load average: 0.00, 0.01, 0.05
+    Threads:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
+    %Cpu(s):  0.1 us,  0.1 sy,  0.0 ni, 99.7 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
+    KiB Mem:   2056668 total,  1616832 used,   439836 free,    99352 buffers
+    KiB Swap:  1441840 total,        0 used,  1441840 free.  1324440 cached Mem
+
+      PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
+        1 root      20   0   19744   2336   2080 R  0.0  0.1   0:00.04 top
+
+To examine the result further, you can use `docker exec`:
+
+    $ docker exec -it test ps aux
+    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
+    root         1  2.6  0.1  19752  2352 ?        Ss+  08:24   0:00 top -b -H
+    root         7  0.0  0.1  15572  2164 ?        R+   08:25   0:00 ps aux
+
+And you can gracefully request `top` to shut down using `docker stop test`.
+
+The following `Dockerfile` shows using the `ENTRYPOINT` to run Apache in the
+foreground (i.e., as `PID 1`):
+
+```
+FROM debian:stable
+RUN apt-get update && apt-get install -y --force-yes apache2
+EXPOSE 80 443
+VOLUME ["/var/www", "/var/log/apache2", "/etc/apache2"]
+ENTRYPOINT ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
+```
+
+If you need to write a starter script for a single executable, you can ensure that
+the final executable receives the Unix signals by using `exec` and `gosu`
+commands:
+
+```bash
+#!/usr/bin/env bash
+set -e
+
+if [ "$1" = 'postgres' ]; then
+    chown -R postgres "$PGDATA"
+
+    if [ -z "$(ls -A "$PGDATA")" ]; then
+        gosu postgres initdb
+    fi
+
+    exec gosu postgres "$@"
+fi
+
+exec "$@"
+```
+
+Lastly, if you need to do some extra cleanup (or communicate with other containers)
+on shutdown, or are co-ordinating more than one executable, you may need to ensure
+that the `ENTRYPOINT` script receives the Unix signals, passes them on, and then
+does some more work:
+
+```
+#!/bin/sh
+# Note: I've written this using sh so it works in the busybox container too
+
+# USE the trap if you need to also do manual cleanup after the service is stopped,
+#     or need to start multiple services in the one container
+trap "echo TRAPed signal" HUP INT QUIT TERM
+
+# start service in background here
+/usr/sbin/apachectl start
+
+echo "[hit enter key to exit] or run 'docker stop <container>'"
+read
+
+# stop service and clean up here
+echo "stopping apache"
+/usr/sbin/apachectl stop
+
+echo "exited $0"
+```
+
+If you run this image with `docker run -it --rm -p 80:80 --name test apache`,
+you can then examine the container's processes with `docker exec`, or `docker top`,
+and then ask the script to stop Apache:
+
+```bash
+$ docker exec -it test ps aux
+USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
+root         1  0.1  0.0   4448   692 ?        Ss+  00:42   0:00 /bin/sh /run.sh 123 cmd cmd2
+root        19  0.0  0.2  71304  4440 ?        Ss   00:42   0:00 /usr/sbin/apache2 -k start
+www-data    20  0.2  0.2 360468  6004 ?        Sl   00:42   0:00 /usr/sbin/apache2 -k start
+www-data    21  0.2  0.2 360468  6000 ?        Sl   00:42   0:00 /usr/sbin/apache2 -k start
+root        81  0.0  0.1  15572  2140 ?        R+   00:44   0:00 ps aux
+$ docker top test
+PID                 USER                COMMAND
+10035               root                {run.sh} /bin/sh /run.sh 123 cmd cmd2
+10054               root                /usr/sbin/apache2 -k start
+10055               33                  /usr/sbin/apache2 -k start
+10056               33                  /usr/sbin/apache2 -k start
+$ /usr/bin/time docker stop test
+test
+real	0m 0.27s
+user	0m 0.03s
+sys	0m 0.03s
+```
+
+> **Note:** you can override the `ENTRYPOINT` setting using `--entrypoint`,
+> but this can only set the binary to *exec* (no `sh -c` will be used).
+
+> **Note**:
+> The *exec* form is parsed as a JSON array, which means that
+> you must use double-quotes (") around words not single-quotes (').
+
+> **Note**:
+> Unlike the *shell* form, the *exec* form does not invoke a command shell.
+> This means that normal shell processing does not happen. For example,
+> `ENTRYPOINT [ "echo", "$HOME" ]` will not do variable substitution on `$HOME`.
+> If you want shell processing then either use the *shell* form or execute
+> a shell directly, for example: `ENTRYPOINT [ "sh", "-c", "echo $HOME" ]`.
+> When using the exec form and executing a shell directly, as in the case for
+> the shell form, it is the shell that is doing the environment variable
+> expansion, not docker.
+
+### Shell form ENTRYPOINT example
+
+You can specify a plain string for the `ENTRYPOINT` and it will execute in `/bin/sh -c`.
+This form will use shell processing to substitute shell environment variables,
+and will ignore any `CMD` or `docker run` command line arguments.
+To ensure that `docker stop` will signal any long running `ENTRYPOINT` executable
+correctly, you need to remember to start it with `exec`:
+
+    FROM ubuntu
+    ENTRYPOINT exec top -b
+
+When you run this image, you'll see the single `PID 1` process:
+
+    $ docker run -it --rm --name test top
+    Mem: 1704520K used, 352148K free, 0K shrd, 0K buff, 140368121167873K cached
+    CPU:   5% usr   0% sys   0% nic  94% idle   0% io   0% irq   0% sirq
+    Load average: 0.08 0.03 0.05 2/98 6
+      PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
+        1     0 root     R     3164   0%   0% top -b
+
+Which will exit cleanly on `docker stop`:
+
+    $ /usr/bin/time docker stop test
+    test
+    real	0m 0.20s
+    user	0m 0.02s
+    sys	0m 0.04s
+
+If you forget to add `exec` to the beginning of your `ENTRYPOINT`:
+
+    FROM ubuntu
+    ENTRYPOINT top -b
+    CMD --ignored-param1
+
+You can then run it (giving it a name for the next step):
+
+    $ docker run -it --name test top --ignored-param2
+    Mem: 1704184K used, 352484K free, 0K shrd, 0K buff, 140621524238337K cached
+    CPU:   9% usr   2% sys   0% nic  88% idle   0% io   0% irq   0% sirq
+    Load average: 0.01 0.02 0.05 2/101 7
+      PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
+        1     0 root     S     3168   0%   0% /bin/sh -c top -b cmd cmd2
+        7     1 root     R     3164   0%   0% top -b
+
+You can see from the output of `top` that the specified `ENTRYPOINT` is not `PID 1`.
+
+If you then run `docker stop test`, the container will not exit cleanly - the
+`stop` command will be forced to send a `SIGKILL` after the timeout:
+
+    $ docker exec -it test ps aux
+    PID   USER     COMMAND
+        1 root     /bin/sh -c top -b cmd cmd2
+        7 root     top -b
+        8 root     ps aux
+    $ /usr/bin/time docker stop test
+    test
+    real	0m 10.19s
+    user	0m 0.04s
+    sys	0m 0.03s
+
+### Understand how CMD and ENTRYPOINT interact
+
+Both `CMD` and `ENTRYPOINT` instructions define what command gets executed when running a container.
+There are few rules that describe their co-operation.
+
+1. Dockerfile should specify at least one of `CMD` or `ENTRYPOINT` commands.
+
+2. `ENTRYPOINT` should be defined when using the container as an executable.
+
+3. `CMD` should be used as a way of defining default arguments for an `ENTRYPOINT` command
+or for executing an ad-hoc command in a container.
+
+4. `CMD` will be overridden when running the container with alternative arguments.
+
+The table below shows what command is executed for different `ENTRYPOINT` / `CMD` combinations:
+
+|                                | No ENTRYPOINT              | ENTRYPOINT exec_entry p1_entry | ENTRYPOINT ["exec_entry", "p1_entry"]          |
+|:-------------------------------|:---------------------------|:-------------------------------|:-----------------------------------------------|
+| **No CMD**                     | *error, not allowed*       | /bin/sh -c exec_entry p1_entry | exec_entry p1_entry                            |
+| **CMD ["exec_cmd", "p1_cmd"]** | exec_cmd p1_cmd            | /bin/sh -c exec_entry p1_entry | exec_entry p1_entry exec_cmd p1_cmd            |
+| **CMD ["p1_cmd", "p2_cmd"]**   | p1_cmd p2_cmd              | /bin/sh -c exec_entry p1_entry | exec_entry p1_entry p1_cmd p2_cmd              |
+| **CMD exec_cmd p1_cmd**        | /bin/sh -c exec_cmd p1_cmd | /bin/sh -c exec_entry p1_entry | exec_entry p1_entry /bin/sh -c exec_cmd p1_cmd |
+
+## VOLUME
+
+    VOLUME ["/data"]
+
+The `VOLUME` instruction creates a mount point with the specified name
+and marks it as holding externally mounted volumes from native host or other
+containers. The value can be a JSON array, `VOLUME ["/var/log/"]`, or a plain
+string with multiple arguments, such as `VOLUME /var/log` or `VOLUME /var/log
+/var/db`. For more information/examples and mounting instructions via the
+Docker client, refer to
+[*Share Directories via Volumes*](https://docs.docker.com/engine/tutorials/dockervolumes/#/mount-a-host-directory-as-a-data-volume)
+documentation.
+
+The `docker run` command initializes the newly created volume with any data
+that exists at the specified location within the base image. For example,
+consider the following Dockerfile snippet:
+
+    FROM ubuntu
+    RUN mkdir /myvol
+    RUN echo "hello world" > /myvol/greeting
+    VOLUME /myvol
+
+This Dockerfile results in an image that causes `docker run` to
+create a new mount point at `/myvol` and copy the  `greeting` file
+into the newly created volume.
+
+### Notes about specifying volumes
+
+Keep the following things in mind about volumes in the `Dockerfile`.
+
+- **Volumes on Windows-based containers**: When using Windows-based containers,
+  the destination of a volume inside the container must be one of:
+
+  - a non-existing or empty directory
+  - a drive other than `C:`
+
+- **Changing the volume from within the Dockerfile**: If any build steps change the
+  data within the volume after it has been declared, those changes will be discarded.
+
+- **JSON formatting**: The list is parsed as a JSON array.
+  You must enclose words with double quotes (`"`)rather than single quotes (`'`).
+
+- **The host directory is declared at container run-time**: The host directory
+  (the mountpoint) is, by its nature, host-dependent. This is to preserve image
+  portability, since a given host directory can't be guaranteed to be available
+  on all hosts. For this reason, you can't mount a host directory from
+  within the Dockerfile. The `VOLUME` instruction does not support specifying a `host-dir`
+  parameter.  You must specify the mountpoint when you create or run the container.
+
+## USER
+
+    USER <user>[:<group>]
+or
+    USER <UID>[:<GID>]
+
+The `USER` instruction sets the user name (or UID) and optionally the user
+group (or GID) to use when running the image and for any `RUN`, `CMD` and
+`ENTRYPOINT` instructions that follow it in the `Dockerfile`.
+
+> **Warning**:
+> When the user doesn't have a primary group then the image (or the next
+> instructions) will be run with the `root` group.
+
+> On Windows, the user must be created first if it's not a built-in account.
+> This can be done with the `net user` command called as part of a Dockerfile.
+
+```Dockerfile
+    FROM microsoft/windowsservercore
+    # Create Windows user in the container
+    RUN net user /add patrick
+    # Set it for subsequent commands
+    USER patrick
+```
+
+
+## WORKDIR
+
+    WORKDIR /path/to/workdir
+
+The `WORKDIR` instruction sets the working directory for any `RUN`, `CMD`,
+`ENTRYPOINT`, `COPY` and `ADD` instructions that follow it in the `Dockerfile`.
+If the `WORKDIR` doesn't exist, it will be created even if it's not used in any
+subsequent `Dockerfile` instruction.
+
+The `WORKDIR` instruction can be used multiple times in a `Dockerfile`. If a
+relative path is provided, it will be relative to the path of the previous
+`WORKDIR` instruction. For example:
+
+    WORKDIR /a
+    WORKDIR b
+    WORKDIR c
+    RUN pwd
+
+The output of the final `pwd` command in this `Dockerfile` would be
+`/a/b/c`.
+
+The `WORKDIR` instruction can resolve environment variables previously set using
+`ENV`. You can only use environment variables explicitly set in the `Dockerfile`.
+For example:
+
+    ENV DIRPATH /path
+    WORKDIR $DIRPATH/$DIRNAME
+    RUN pwd
+
+The output of the final `pwd` command in this `Dockerfile` would be
+`/path/$DIRNAME`
+
+## ARG
+
+    ARG <name>[=<default value>]
+
+The `ARG` instruction defines a variable that users can pass at build-time to
+the builder with the `docker build` command using the `--build-arg <varname>=<value>`
+flag. If a user specifies a build argument that was not
+defined in the Dockerfile, the build outputs a warning.
+
+```
+[Warning] One or more build-args [foo] were not consumed.
+```
+
+A Dockerfile may include one or more `ARG` instructions. For example,
+the following is a valid Dockerfile:
+
+```
+FROM busybox
+ARG user1
+ARG buildno
+...
+```
+
+> **Warning:** It is not recommended to use build-time variables for
+>  passing secrets like github keys, user credentials etc. Build-time variable
+>  values are visible to any user of the image with the `docker history` command.
+
+### Default values
+
+An `ARG` instruction can optionally include a default value:
+
+```
+FROM busybox
+ARG user1=someuser
+ARG buildno=1
+...
+```
+
+If an `ARG` instruction has a default value and if there is no value passed
+at build-time, the builder uses the default.
+
+### Scope
+
+An `ARG` variable definition comes into effect from the line on which it is
+defined in the `Dockerfile` not from the argument's use on the command-line or
+elsewhere.  For example, consider this Dockerfile:
+
+```
+1 FROM busybox
+2 USER ${user:-some_user}
+3 ARG user
+4 USER $user
+...
+```
+A user builds this file by calling:
+
+```
+$ docker build --build-arg user=what_user .
+```
+
+The `USER` at line 2 evaluates to `some_user` as the `user` variable is defined on the
+subsequent line 3. The `USER` at line 4 evaluates to `what_user` as `user` is
+defined and the `what_user` value was passed on the command line. Prior to its definition by an
+`ARG` instruction, any use of a variable results in an empty string.
+
+An `ARG` instruction goes out of scope at the end of the build
+stage where it was defined. To use an arg in multiple stages, each stage must
+include the `ARG` instruction.
+
+```
+FROM busybox
+ARG SETTINGS
+RUN ./run/setup $SETTINGS
+
+FROM busybox
+ARG SETTINGS
+RUN ./run/other $SETTINGS
+```
+
+### Using ARG variables
+
+You can use an `ARG` or an `ENV` instruction to specify variables that are
+available to the `RUN` instruction. Environment variables defined using the
+`ENV` instruction always override an `ARG` instruction of the same name. Consider
+this Dockerfile with an `ENV` and `ARG` instruction.
+
+```
+1 FROM ubuntu
+2 ARG CONT_IMG_VER
+3 ENV CONT_IMG_VER v1.0.0
+4 RUN echo $CONT_IMG_VER
+```
+Then, assume this image is built with this command:
+
+```
+$ docker build --build-arg CONT_IMG_VER=v2.0.1 .
+```
+
+In this case, the `RUN` instruction uses `v1.0.0` instead of the `ARG` setting
+passed by the user:`v2.0.1` This behavior is similar to a shell
+script where a locally scoped variable overrides the variables passed as
+arguments or inherited from environment, from its point of definition.
+
+Using the example above but a different `ENV` specification you can create more
+useful interactions between `ARG` and `ENV` instructions:
+
+```
+1 FROM ubuntu
+2 ARG CONT_IMG_VER
+3 ENV CONT_IMG_VER ${CONT_IMG_VER:-v1.0.0}
+4 RUN echo $CONT_IMG_VER
+```
+
+Unlike an `ARG` instruction, `ENV` values are always persisted in the built
+image. Consider a docker build without the `--build-arg` flag:
+
+```
+$ docker build .
+```
+
+Using this Dockerfile example, `CONT_IMG_VER` is still persisted in the image but
+its value would be `v1.0.0` as it is the default set in line 3 by the `ENV` instruction.
+
+The variable expansion technique in this example allows you to pass arguments
+from the command line and persist them in the final image by leveraging the
+`ENV` instruction. Variable expansion is only supported for [a limited set of
+Dockerfile instructions.](#environment-replacement)
+
+### Predefined ARGs
+
+Docker has a set of predefined `ARG` variables that you can use without a
+corresponding `ARG` instruction in the Dockerfile.
+
+* `HTTP_PROXY`
+* `http_proxy`
+* `HTTPS_PROXY`
+* `https_proxy`
+* `FTP_PROXY`
+* `ftp_proxy`
+* `NO_PROXY`
+* `no_proxy`
+
+To use these, simply pass them on the command line using the flag:
+
+```
+--build-arg <varname>=<value>
+```
+
+By default, these pre-defined variables are excluded from the output of
+`docker history`. Excluding them reduces the risk of accidentally leaking
+sensitive authentication information in an `HTTP_PROXY` variable.
+
+For example, consider building the following Dockerfile using
+`--build-arg HTTP_PROXY=http://user:pass@proxy.lon.example.com`
+
+``` Dockerfile
+FROM ubuntu
+RUN echo "Hello World"
+```
+
+In this case, the value of the `HTTP_PROXY` variable is not available in the
+`docker history` and is not cached. If you were to change location, and your
+proxy server changed to `http://user:pass@proxy.sfo.example.com`, a subsequent
+build does not result in a cache miss.
+
+If you need to override this behaviour then you may do so by adding an `ARG`
+statement in the Dockerfile as follows:
+
+``` Dockerfile
+FROM ubuntu
+ARG HTTP_PROXY
+RUN echo "Hello World"
+```
+
+When building this Dockerfile, the `HTTP_PROXY` is preserved in the
+`docker history`, and changing its value invalidates the build cache.
+
+### Impact on build caching
+
+`ARG` variables are not persisted into the built image as `ENV` variables are.
+However, `ARG` variables do impact the build cache in similar ways. If a
+Dockerfile defines an `ARG` variable whose value is different from a previous
+build, then a "cache miss" occurs upon its first usage, not its definition. In
+particular, all `RUN` instructions following an `ARG` instruction use the `ARG`
+variable implicitly (as an environment variable), thus can cause a cache miss.
+All predefined `ARG` variables are exempt from caching unless there is a
+matching `ARG` statement in the `Dockerfile`.
+
+For example, consider these two Dockerfile:
+
+```
+1 FROM ubuntu
+2 ARG CONT_IMG_VER
+3 RUN echo $CONT_IMG_VER
+```
+
+```
+1 FROM ubuntu
+2 ARG CONT_IMG_VER
+3 RUN echo hello
+```
+
+If you specify `--build-arg CONT_IMG_VER=<value>` on the command line, in both
+cases, the specification on line 2 does not cause a cache miss; line 3 does
+cause a cache miss.`ARG CONT_IMG_VER` causes the RUN line to be identified
+as the same as running `CONT_IMG_VER=<value>` echo hello, so if the `<value>`
+changes, we get a cache miss.
+
+Consider another example under the same command line:
+
+```
+1 FROM ubuntu
+2 ARG CONT_IMG_VER
+3 ENV CONT_IMG_VER $CONT_IMG_VER
+4 RUN echo $CONT_IMG_VER
+```
+In this example, the cache miss occurs on line 3. The miss happens because
+the variable's value in the `ENV` references the `ARG` variable and that
+variable is changed through the command line. In this example, the `ENV`
+command causes the image to include the value.
+
+If an `ENV` instruction overrides an `ARG` instruction of the same name, like
+this Dockerfile:
+
+```
+1 FROM ubuntu
+2 ARG CONT_IMG_VER
+3 ENV CONT_IMG_VER hello
+4 RUN echo $CONT_IMG_VER
+```
+
+Line 3 does not cause a cache miss because the value of `CONT_IMG_VER` is a
+constant (`hello`). As a result, the environment variables and values used on
+the `RUN` (line 4) doesn't change between builds.
+
+## ONBUILD
+
+    ONBUILD [INSTRUCTION]
+
+The `ONBUILD` instruction adds to the image a *trigger* instruction to
+be executed at a later time, when the image is used as the base for
+another build. The trigger will be executed in the context of the
+downstream build, as if it had been inserted immediately after the
+`FROM` instruction in the downstream `Dockerfile`.
+
+Any build instruction can be registered as a trigger.
+
+This is useful if you are building an image which will be used as a base
+to build other images, for example an application build environment or a
+daemon which may be customized with user-specific configuration.
+
+For example, if your image is a reusable Python application builder, it
+will require application source code to be added in a particular
+directory, and it might require a build script to be called *after*
+that. You can't just call `ADD` and `RUN` now, because you don't yet
+have access to the application source code, and it will be different for
+each application build. You could simply provide application developers
+with a boilerplate `Dockerfile` to copy-paste into their application, but
+that is inefficient, error-prone and difficult to update because it
+mixes with application-specific code.
+
+The solution is to use `ONBUILD` to register advance instructions to
+run later, during the next build stage.
+
+Here's how it works:
+
+1. When it encounters an `ONBUILD` instruction, the builder adds a
+   trigger to the metadata of the image being built. The instruction
+   does not otherwise affect the current build.
+2. At the end of the build, a list of all triggers is stored in the
+   image manifest, under the key `OnBuild`. They can be inspected with
+   the `docker inspect` command.
+3. Later the image may be used as a base for a new build, using the
+   `FROM` instruction. As part of processing the `FROM` instruction,
+   the downstream builder looks for `ONBUILD` triggers, and executes
+   them in the same order they were registered. If any of the triggers
+   fail, the `FROM` instruction is aborted which in turn causes the
+   build to fail. If all triggers succeed, the `FROM` instruction
+   completes and the build continues as usual.
+4. Triggers are cleared from the final image after being executed. In
+   other words they are not inherited by "grand-children" builds.
+
+For example you might add something like this:
+
+    [...]
+    ONBUILD ADD . /app/src
+    ONBUILD RUN /usr/local/bin/python-build --dir /app/src
+    [...]
+
+> **Warning**: Chaining `ONBUILD` instructions using `ONBUILD ONBUILD` isn't allowed.
+
+> **Warning**: The `ONBUILD` instruction may not trigger `FROM` or `MAINTAINER` instructions.
+
+## STOPSIGNAL
+
+    STOPSIGNAL signal
+
+The `STOPSIGNAL` instruction sets the system call signal that will be sent to the container to exit.
+This signal can be a valid unsigned number that matches a position in the kernel's syscall table, for instance 9,
+or a signal name in the format SIGNAME, for instance SIGKILL.
+
+## HEALTHCHECK
+
+The `HEALTHCHECK` instruction has two forms:
+
+* `HEALTHCHECK [OPTIONS] CMD command` (check container health by running a command inside the container)
+* `HEALTHCHECK NONE` (disable any healthcheck inherited from the base image)
+
+The `HEALTHCHECK` instruction tells Docker how to test a container to check that
+it is still working. This can detect cases such as a web server that is stuck in
+an infinite loop and unable to handle new connections, even though the server
+process is still running.
+
+When a container has a healthcheck specified, it has a _health status_ in
+addition to its normal status. This status is initially `starting`. Whenever a
+health check passes, it becomes `healthy` (whatever state it was previously in).
+After a certain number of consecutive failures, it becomes `unhealthy`.
+
+The options that can appear before `CMD` are:
+
+* `--interval=DURATION` (default: `30s`)
+* `--timeout=DURATION` (default: `30s`)
+* `--start-period=DURATION` (default: `0s`)
+* `--retries=N` (default: `3`)
+
+The health check will first run **interval** seconds after the container is
+started, and then again **interval** seconds after each previous check completes.
+
+If a single run of the check takes longer than **timeout** seconds then the check
+is considered to have failed.
+
+It takes **retries** consecutive failures of the health check for the container
+to be considered `unhealthy`.
+
+**start period** provides initialization time for containers that need time to bootstrap.
+Probe failure during that period will not be counted towards the maximum number of retries.
+However, if a health check succeeds during the start period, the container is considered
+started and all consecutive failures will be counted towards the maximum number of retries.
+
+There can only be one `HEALTHCHECK` instruction in a Dockerfile. If you list
+more than one then only the last `HEALTHCHECK` will take effect.
+
+The command after the `CMD` keyword can be either a shell command (e.g. `HEALTHCHECK
+CMD /bin/check-running`) or an _exec_ array (as with other Dockerfile commands;
+see e.g. `ENTRYPOINT` for details).
+
+The command's exit status indicates the health status of the container.
+The possible values are:
+
+- 0: success - the container is healthy and ready for use
+- 1: unhealthy - the container is not working correctly
+- 2: reserved - do not use this exit code
+
+For example, to check every five minutes or so that a web-server is able to
+serve the site's main page within three seconds:
+
+    HEALTHCHECK --interval=5m --timeout=3s \
+      CMD curl -f http://localhost/ || exit 1
+
+To help debug failing probes, any output text (UTF-8 encoded) that the command writes
+on stdout or stderr will be stored in the health status and can be queried with
+`docker inspect`. Such output should be kept short (only the first 4096 bytes
+are stored currently).
+
+When the health status of a container changes, a `health_status` event is
+generated with the new status.
+
+The `HEALTHCHECK` feature was added in Docker 1.12.
+
+
+## SHELL
+
+    SHELL ["executable", "parameters"]
+
+The `SHELL` instruction allows the default shell used for the *shell* form of
+commands to be overridden. The default shell on Linux is `["/bin/sh", "-c"]`, and on
+Windows is `["cmd", "/S", "/C"]`. The `SHELL` instruction *must* be written in JSON
+form in a Dockerfile.
+
+The `SHELL` instruction is particularly useful on Windows where there are
+two commonly used and quite different native shells: `cmd` and `powershell`, as
+well as alternate shells available including `sh`.
+
+The `SHELL` instruction can appear multiple times. Each `SHELL` instruction overrides
+all previous `SHELL` instructions, and affects all subsequent instructions. For example:
+
+    FROM microsoft/windowsservercore
+
+    # Executed as cmd /S /C echo default
+    RUN echo default
+
+    # Executed as cmd /S /C powershell -command Write-Host default
+    RUN powershell -command Write-Host default
+
+    # Executed as powershell -command Write-Host hello
+    SHELL ["powershell", "-command"]
+    RUN Write-Host hello
+
+    # Executed as cmd /S /C echo hello
+    SHELL ["cmd", "/S", "/C"]
+    RUN echo hello
+
+The following instructions can be affected by the `SHELL` instruction when the
+*shell* form of them is used in a Dockerfile: `RUN`, `CMD` and `ENTRYPOINT`.
+
+The following example is a common pattern found on Windows which can be
+streamlined by using the `SHELL` instruction:
+
+    ...
+    RUN powershell -command Execute-MyCmdlet -param1 "c:\foo.txt"
+    ...
+
+The command invoked by docker will be:
+
+    cmd /S /C powershell -command Execute-MyCmdlet -param1 "c:\foo.txt"
+
+This is inefficient for two reasons. First, there is an un-necessary cmd.exe command
+processor (aka shell) being invoked. Second, each `RUN` instruction in the *shell*
+form requires an extra `powershell -command` prefixing the command.
+
+To make this more efficient, one of two mechanisms can be employed. One is to
+use the JSON form of the RUN command such as:
+
+    ...
+    RUN ["powershell", "-command", "Execute-MyCmdlet", "-param1 \"c:\\foo.txt\""]
+    ...
+
+While the JSON form is unambiguous and does not use the un-necessary cmd.exe,
+it does require more verbosity through double-quoting and escaping. The alternate
+mechanism is to use the `SHELL` instruction and the *shell* form,
+making a more natural syntax for Windows users, especially when combined with
+the `escape` parser directive:
+
+    # escape=`
+
+    FROM microsoft/nanoserver
+    SHELL ["powershell","-command"]
+    RUN New-Item -ItemType Directory C:\Example
+    ADD Execute-MyCmdlet.ps1 c:\example\
+    RUN c:\example\Execute-MyCmdlet -sample 'hello world'
+
+Resulting in:
+
+    PS E:\docker\build\shell> docker build -t shell .
+    Sending build context to Docker daemon 4.096 kB
+    Step 1/5 : FROM microsoft/nanoserver
+     ---> 22738ff49c6d
+    Step 2/5 : SHELL powershell -command
+     ---> Running in 6fcdb6855ae2
+     ---> 6331462d4300
+    Removing intermediate container 6fcdb6855ae2
+    Step 3/5 : RUN New-Item -ItemType Directory C:\Example
+     ---> Running in d0eef8386e97
+
+
+        Directory: C:\
+
+
+    Mode                LastWriteTime         Length Name
+    ----                -------------         ------ ----
+    d-----       10/28/2016  11:26 AM                Example
+
+
+     ---> 3f2fbf1395d9
+    Removing intermediate container d0eef8386e97
+    Step 4/5 : ADD Execute-MyCmdlet.ps1 c:\example\
+     ---> a955b2621c31
+    Removing intermediate container b825593d39fc
+    Step 5/5 : RUN c:\example\Execute-MyCmdlet 'hello world'
+     ---> Running in be6d8e63fe75
+    hello world
+     ---> 8e559e9bf424
+    Removing intermediate container be6d8e63fe75
+    Successfully built 8e559e9bf424
+    PS E:\docker\build\shell>
+
+The `SHELL` instruction could also be used to modify the way in which
+a shell operates. For example, using `SHELL cmd /S /C /V:ON|OFF` on Windows, delayed
+environment variable expansion semantics could be modified.
+
+The `SHELL` instruction can also be used on Linux should an alternate shell be
+required such as `zsh`, `csh`, `tcsh` and others.
+
+The `SHELL` feature was added in Docker 1.12.
+
+## Dockerfile examples
+
+Below you can see some examples of Dockerfile syntax. If you're interested in
+something more realistic, take a look at the list of [Dockerization examples](https://docs.docker.com/engine/examples/).
+
+```
+# Nginx
+#
+# VERSION               0.0.1
+
+FROM      ubuntu
+LABEL Description="This image is used to start the foobar executable" Vendor="ACME Products" Version="1.0"
+RUN apt-get update && apt-get install -y inotify-tools nginx apache2 openssh-server
+```
+
+```
+# Firefox over VNC
+#
+# VERSION               0.3
+
+FROM ubuntu
+
+# Install vnc, xvfb in order to create a 'fake' display and firefox
+RUN apt-get update && apt-get install -y x11vnc xvfb firefox
+RUN mkdir ~/.vnc
+# Setup a password
+RUN x11vnc -storepasswd 1234 ~/.vnc/passwd
+# Autostart firefox (might not be the best way, but it does the trick)
+RUN bash -c 'echo "firefox" >> /.bashrc'
+
+EXPOSE 5900
+CMD    ["x11vnc", "-forever", "-usepw", "-create"]
+```
+
+```
+# Multiple images example
+#
+# VERSION               0.1
+
+FROM ubuntu
+RUN echo foo > bar
+# Will output something like ===> 907ad6c2736f
+
+FROM ubuntu
+RUN echo moo > oink
+# Will output something like ===> 695d7793cbe4
+
+# You'll now have two images, 907ad6c2736f with /bar, and 695d7793cbe4 with
+# /oink.
+```
diff --git a/cli/docs/reference/commandline/attach.md b/cli/docs/reference/commandline/attach.md
new file mode 100644
index 00000000..58286ad8
--- /dev/null
+++ b/cli/docs/reference/commandline/attach.md
@@ -0,0 +1,160 @@
+---
+title: "attach"
+description: "The attach command description and usage"
+keywords: "attach, running, container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# attach
+
+```markdown
+Usage: docker attach [OPTIONS] CONTAINER
+
+Attach local standard input, output, and error streams to a running container
+
+Options:
+      --detach-keys string   Override the key sequence for detaching a container
+      --help                 Print usage
+      --no-stdin             Do not attach STDIN
+      --sig-proxy            Proxy all received signals to the process (default true)
+```
+
+## Description
+
+Use `docker attach` to attach your terminal's standard input, output, and error
+(or any combination of the three) to a running container using the container's
+ID or name. This allows you to view its ongoing output or to control it
+interactively, as though the commands were running directly in your terminal.
+
+> **Note:**
+> The `attach` command will display the output of the `ENTRYPOINT/CMD` process.  This
+> can appear as if the attach command is hung when in fact the process may simply
+> not be interacting with the terminal at that time.
+
+You can attach to the same contained process multiple times simultaneously,
+from different sessions on the Docker host.
+
+To stop a container, use `CTRL-c`. This key sequence sends `SIGKILL` to the
+container. If `--sig-proxy` is true (the default),`CTRL-c` sends a `SIGINT` to
+the container. You can detach from a container and leave it running using the
+ `CTRL-p CTRL-q` key sequence.
+
+> **Note:**
+> A process running as PID 1 inside a container is treated specially by
+> Linux: it ignores any signal with the default action. So, the process
+> will not terminate on `SIGINT` or `SIGTERM` unless it is coded to do
+> so.
+
+It is forbidden to redirect the standard input of a `docker attach` command
+while attaching to a tty-enabled container (i.e.: launched with `-t`).
+
+While a client is connected to container's stdio using `docker attach`, Docker
+uses a ~1MB memory buffer to maximize the throughput of the application. If
+this buffer is filled, the speed of the API connection will start to have an
+effect on the process output writing speed. This is similar to other
+applications like SSH. Because of this, it is not recommended to run
+performance critical applications that generate a lot of output in the
+foreground over a slow client connection. Instead, users should use the
+`docker logs` command to get access to the logs.
+
+### Override the detach sequence
+
+If you want, you can configure an override the Docker key sequence for detach.
+This is useful if the Docker default sequence conflicts with key sequence you
+use for other applications. There are two ways to define your own detach key
+sequence, as a per-container override or as a configuration property on  your
+entire configuration.
+
+To override the sequence for an individual container, use the
+`--detach-keys="<sequence>"` flag with the `docker attach` command. The format of
+the `<sequence>` is either a letter [a-Z], or the `ctrl-` combined with any of
+the following:
+
+* `a-z` (a single lowercase alpha character )
+* `@` (at sign)
+* `[` (left bracket)
+* `\\` (two backward slashes)
+*  `_` (underscore)
+* `^` (caret)
+
+These `a`, `ctrl-a`, `X`, or `ctrl-\\` values are all examples of valid key
+sequences. To configure a different configuration default key sequence for all
+containers, see [**Configuration file** section](cli.md#configuration-files).
+
+## Examples
+
+### Attach to and detach from a running container
+
+```bash
+$ docker run -d --name topdemo ubuntu /usr/bin/top -b
+
+$ docker attach topdemo
+
+top - 02:05:52 up  3:05,  0 users,  load average: 0.01, 0.02, 0.05
+Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
+Cpu(s):  0.1%us,  0.2%sy,  0.0%ni, 99.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
+Mem:    373572k total,   355560k used,    18012k free,    27872k buffers
+Swap:   786428k total,        0k used,   786428k free,   221740k cached
+
+PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
+ 1 root      20   0 17200 1116  912 R    0  0.3   0:00.03 top
+
+ top - 02:05:55 up  3:05,  0 users,  load average: 0.01, 0.02, 0.05
+ Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
+ Cpu(s):  0.0%us,  0.2%sy,  0.0%ni, 99.8%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
+ Mem:    373572k total,   355244k used,    18328k free,    27872k buffers
+ Swap:   786428k total,        0k used,   786428k free,   221776k cached
+
+   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
+       1 root      20   0 17208 1144  932 R    0  0.3   0:00.03 top
+
+
+ top - 02:05:58 up  3:06,  0 users,  load average: 0.01, 0.02, 0.05
+ Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
+ Cpu(s):  0.2%us,  0.3%sy,  0.0%ni, 99.5%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
+ Mem:    373572k total,   355780k used,    17792k free,    27880k buffers
+ Swap:   786428k total,        0k used,   786428k free,   221776k cached
+
+ PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
+      1 root      20   0 17208 1144  932 R    0  0.3   0:00.03 top
+^C$
+
+$ echo $?
+0
+$ docker ps -a | grep topdemo
+
+7998ac8581f9        ubuntu:14.04        "/usr/bin/top -b"   38 seconds ago      Exited (0) 21 seconds ago                          topdemo
+```
+
+### Get the exit code of the container's command
+
+And in this second example, you can see the exit code returned by the `bash`
+process is returned by the `docker attach` command to its caller too:
+
+```bash
+    $ docker run --name test -d -it debian
+
+    275c44472aebd77c926d4527885bb09f2f6db21d878c75f0a1c212c03d3bcfab
+
+    $ docker attach test
+
+    root@f38c87f2a42d:/# exit 13
+
+    exit
+
+    $ echo $?
+
+    13
+
+    $ docker ps -a | grep test
+
+    275c44472aeb        debian:7            "/bin/bash"         26 seconds ago      Exited (13) 17 seconds ago                         test
+```
diff --git a/cli/docs/reference/commandline/build.md b/cli/docs/reference/commandline/build.md
new file mode 100644
index 00000000..531a0c82
--- /dev/null
+++ b/cli/docs/reference/commandline/build.md
@@ -0,0 +1,611 @@
+---
+title: "build"
+description: "The build command description and usage"
+keywords: "build, docker, image"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# build
+
+```markdown
+Usage:  docker build [OPTIONS] PATH | URL | -
+
+Build an image from a Dockerfile
+
+Options:
+      --add-host value          Add a custom host-to-IP mapping (host:ip) (default [])
+      --build-arg value         Set build-time variables (default [])
+      --cache-from value        Images to consider as cache sources (default [])
+      --cgroup-parent string    Optional parent cgroup for the container
+      --compress                Compress the build context using gzip
+      --cpu-period int          Limit the CPU CFS (Completely Fair Scheduler) period
+      --cpu-quota int           Limit the CPU CFS (Completely Fair Scheduler) quota
+  -c, --cpu-shares int          CPU shares (relative weight)
+      --cpuset-cpus string      CPUs in which to allow execution (0-3, 0,1)
+      --cpuset-mems string      MEMs in which to allow execution (0-3, 0,1)
+      --disable-content-trust   Skip image verification (default true)
+  -f, --file string             Name of the Dockerfile (Default is 'PATH/Dockerfile')
+      --force-rm                Always remove intermediate containers
+      --help                    Print usage
+      --iidfile string          Write the image ID to the file
+      --isolation string        Container isolation technology
+      --label value             Set metadata for an image (default [])
+  -m, --memory string           Memory limit
+      --memory-swap string      Swap limit equal to memory plus swap: '-1' to enable unlimited swap
+      --network string          Set the networking mode for the RUN instructions during build
+                                'bridge': use default Docker bridge
+                                'none': no networking
+                                'container:<name|id>': reuse another container's network stack
+                                'host': use the Docker host network stack
+                                '<network-name>|<network-id>': connect to a user-defined network
+      --no-cache                Do not use cache when building the image
+      --pull                    Always attempt to pull a newer version of the image
+  -q, --quiet                   Suppress the build output and print image ID on success
+      --rm                      Remove intermediate containers after a successful build (default true)
+      --security-opt value      Security Options (default [])
+      --shm-size bytes          Size of /dev/shm
+                                The format is `<number><unit>`. `number` must be greater than `0`.
+                                Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes),
+                                or `g` (gigabytes). If you omit the unit, the system uses bytes.
+      --squash                  Squash newly built layers into a single new layer (**Experimental Only**)
+  -t, --tag value               Name and optionally a tag in the 'name:tag' format (default [])
+      --target string           Set the target build stage to build.
+      --ulimit value            Ulimit options (default [])
+```
+
+## Description
+
+The `docker build` command builds Docker images from a Dockerfile and a
+"context". A build's context is the set of files located in the specified
+`PATH` or `URL`. The build process can refer to any of the files in the
+context. For example, your build can use a [*COPY*](../builder.md#copy)
+instruction to reference a file in the context.
+
+The `URL` parameter can refer to three kinds of resources: Git repositories,
+pre-packaged tarball contexts and plain text files.
+
+### Git repositories
+
+When the `URL` parameter points to the location of a Git repository, the
+repository acts as the build context. The system recursively fetches the
+repository and its submodules. The commit history is not preserved. A
+repository is first pulled into a temporary directory on your local host. After
+that succeeds, the directory is sent to the Docker daemon as the context.
+Local copy gives you the ability to access private repositories using local
+user credentials, VPN's, and so forth.
+
+> **Note:**
+> If the `URL` parameter contains a fragment the system will recursively clone
+> the repository and its submodules using a `git clone --recursive` command.
+
+Git URLs accept context configuration in their fragment section, separated by a
+colon `:`.  The first part represents the reference that Git will check out,
+and can be either a branch, a tag, or a remote reference. The second part
+represents a subdirectory inside the repository that will be used as a build
+context.
+
+For example, run this command to use a directory called `docker` in the branch
+`container`:
+
+```bash
+$ docker build https://github.com/docker/rootfs.git#container:docker
+```
+
+The following table represents all the valid suffixes with their build
+contexts:
+
+Build Syntax Suffix             | Commit Used           | Build Context Used
+--------------------------------|-----------------------|-------------------
+`myrepo.git`                    | `refs/heads/master`   | `/`
+`myrepo.git#mytag`              | `refs/tags/mytag`     | `/`
+`myrepo.git#mybranch`           | `refs/heads/mybranch` | `/`
+`myrepo.git#pull/42/head`       | `refs/pull/42/head`   | `/`
+`myrepo.git#:myfolder`          | `refs/heads/master`   | `/myfolder`
+`myrepo.git#master:myfolder`    | `refs/heads/master`   | `/myfolder`
+`myrepo.git#mytag:myfolder`     | `refs/tags/mytag`     | `/myfolder`
+`myrepo.git#mybranch:myfolder`  | `refs/heads/mybranch` | `/myfolder`
+
+
+### Tarball contexts
+
+If you pass an URL to a remote tarball, the URL itself is sent to the daemon:
+
+```bash
+$ docker build http://server/context.tar.gz
+```
+
+The download operation will be performed on the host the Docker daemon is
+running on, which is not necessarily the same host from which the build command
+is being issued. The Docker daemon will fetch `context.tar.gz` and use it as the
+build context. Tarball contexts must be tar archives conforming to the standard
+`tar` UNIX format and can be compressed with any one of the 'xz', 'bzip2',
+'gzip' or 'identity' (no compression) formats.
+
+### Text files
+
+Instead of specifying a context, you can pass a single `Dockerfile` in the
+`URL` or pipe the file in via `STDIN`. To pipe a `Dockerfile` from `STDIN`:
+
+```bash
+$ docker build - < Dockerfile
+```
+
+With Powershell on Windows, you can run:
+
+```powershell
+Get-Content Dockerfile | docker build -
+```
+
+If you use `STDIN` or specify a `URL` pointing to a plain text file, the system
+places the contents into a file called `Dockerfile`, and any `-f`, `--file`
+option is ignored. In this scenario, there is no context.
+
+By default the `docker build` command will look for a `Dockerfile` at the root
+of the build context. The `-f`, `--file`, option lets you specify the path to
+an alternative file to use instead. This is useful in cases where the same set
+of files are used for multiple builds. The path must be to a file within the
+build context. If a relative path is specified then it is interpreted as
+relative to the root of the context.
+
+In most cases, it's best to put each Dockerfile in an empty directory. Then,
+add to that directory only the files needed for building the Dockerfile. To
+increase the build's performance, you can exclude files and directories by
+adding a `.dockerignore` file to that directory as well. For information on
+creating one, see the [.dockerignore file](../builder.md#dockerignore-file).
+
+If the Docker client loses connection to the daemon, the build is canceled.
+This happens if you interrupt the Docker client with `CTRL-c` or if the Docker
+client is killed for any reason. If the build initiated a pull which is still
+running at the time the build is cancelled, the pull is cancelled as well.
+
+## Return code
+
+On a successful build, a return code of success `0` will be returned.  When the
+build fails, a non-zero failure code will be returned.
+
+There should be informational output of the reason for failure output to
+`STDERR`:
+
+```bash
+$ docker build -t fail .
+
+Sending build context to Docker daemon 2.048 kB
+Sending build context to Docker daemon
+Step 1/3 : FROM busybox
+ ---> 4986bf8c1536
+Step 2/3 : RUN exit 13
+ ---> Running in e26670ec7a0a
+INFO[0000] The command [/bin/sh -c exit 13] returned a non-zero code: 13
+$ echo $?
+1
+```
+
+See also:
+
+[*Dockerfile Reference*](../builder.md).
+
+## Examples
+
+### Build with PATH
+
+```bash
+$ docker build .
+
+Uploading context 10240 bytes
+Step 1/3 : FROM busybox
+Pulling repository busybox
+ ---> e9aa60c60128MB/2.284 MB (100%) endpoint: https://cdn-registry-1.docker.io/v1/
+Step 2/3 : RUN ls -lh /
+ ---> Running in 9c9e81692ae9
+total 24
+drwxr-xr-x    2 root     root        4.0K Mar 12  2013 bin
+drwxr-xr-x    5 root     root        4.0K Oct 19 00:19 dev
+drwxr-xr-x    2 root     root        4.0K Oct 19 00:19 etc
+drwxr-xr-x    2 root     root        4.0K Nov 15 23:34 lib
+lrwxrwxrwx    1 root     root           3 Mar 12  2013 lib64 -> lib
+dr-xr-xr-x  116 root     root           0 Nov 15 23:34 proc
+lrwxrwxrwx    1 root     root           3 Mar 12  2013 sbin -> bin
+dr-xr-xr-x   13 root     root           0 Nov 15 23:34 sys
+drwxr-xr-x    2 root     root        4.0K Mar 12  2013 tmp
+drwxr-xr-x    2 root     root        4.0K Nov 15 23:34 usr
+ ---> b35f4035db3f
+Step 3/3 : CMD echo Hello world
+ ---> Running in 02071fceb21b
+ ---> f52f38b7823e
+Successfully built f52f38b7823e
+Removing intermediate container 9c9e81692ae9
+Removing intermediate container 02071fceb21b
+```
+
+This example specifies that the `PATH` is `.`, and so all the files in the
+local directory get `tar`d and sent to the Docker daemon. The `PATH` specifies
+where to find the files for the "context" of the build on the Docker daemon.
+Remember that the daemon could be running on a remote machine and that no
+parsing of the Dockerfile happens at the client side (where you're running
+`docker build`). That means that *all* the files at `PATH` get sent, not just
+the ones listed to [*ADD*](../builder.md#add) in the Dockerfile.
+
+The transfer of context from the local machine to the Docker daemon is what the
+`docker` client means when you see the "Sending build context" message.
+
+If you wish to keep the intermediate containers after the build is complete,
+you must use `--rm=false`. This does not affect the build cache.
+
+### Build with URL
+
+```bash
+$ docker build github.com/creack/docker-firefox
+```
+
+This will clone the GitHub repository and use the cloned repository as context.
+The Dockerfile at the root of the repository is used as Dockerfile. You can
+specify an arbitrary Git repository by using the `git://` or `git@` scheme.
+
+```bash
+$ docker build -f ctx/Dockerfile http://server/ctx.tar.gz
+
+Downloading context: http://server/ctx.tar.gz [===================>]    240 B/240 B
+Step 1/3 : FROM busybox
+ ---> 8c2e06607696
+Step 2/3 : ADD ctx/container.cfg /
+ ---> e7829950cee3
+Removing intermediate container b35224abf821
+Step 3/3 : CMD /bin/ls
+ ---> Running in fbc63d321d73
+ ---> 3286931702ad
+Removing intermediate container fbc63d321d73
+Successfully built 377c409b35e4
+```
+
+This sends the URL `http://server/ctx.tar.gz` to the Docker daemon, which
+downloads and extracts the referenced tarball. The `-f ctx/Dockerfile`
+parameter specifies a path inside `ctx.tar.gz` to the `Dockerfile` that is used
+to build the image. Any `ADD` commands in that `Dockerfile` that refers to local
+paths must be relative to the root of the contents inside `ctx.tar.gz`. In the
+example above, the tarball contains a directory `ctx/`, so the `ADD
+ctx/container.cfg /` operation works as expected.
+
+### Build with -
+
+```bash
+$ docker build - < Dockerfile
+```
+
+This will read a Dockerfile from `STDIN` without context. Due to the lack of a
+context, no contents of any local directory will be sent to the Docker daemon.
+Since there is no context, a Dockerfile `ADD` only works if it refers to a
+remote URL.
+
+```bash
+$ docker build - < context.tar.gz
+```
+
+This will build an image for a compressed context read from `STDIN`.  Supported
+formats are: bzip2, gzip and xz.
+
+### Use a .dockerignore file
+
+```bash
+$ docker build .
+
+Uploading context 18.829 MB
+Uploading context
+Step 1/2 : FROM busybox
+ ---> 769b9341d937
+Step 2/2 : CMD echo Hello world
+ ---> Using cache
+ ---> 99cc1ad10469
+Successfully built 99cc1ad10469
+$ echo ".git" > .dockerignore
+$ docker build .
+Uploading context  6.76 MB
+Uploading context
+Step 1/2 : FROM busybox
+ ---> 769b9341d937
+Step 2/2 : CMD echo Hello world
+ ---> Using cache
+ ---> 99cc1ad10469
+Successfully built 99cc1ad10469
+```
+
+This example shows the use of the `.dockerignore` file to exclude the `.git`
+directory from the context. Its effect can be seen in the changed size of the
+uploaded context. The builder reference contains detailed information on
+[creating a .dockerignore file](../builder.md#dockerignore-file)
+
+### Tag an image (-t)
+
+```bash
+$ docker build -t vieux/apache:2.0 .
+```
+
+This will build like the previous example, but it will then tag the resulting
+image. The repository name will be `vieux/apache` and the tag will be `2.0`.
+[Read more about valid tags](tag.md).
+
+You can apply multiple tags to an image. For example, you can apply the `latest`
+tag to a newly built image and add another tag that references a specific
+version.
+For example, to tag an image both as `whenry/fedora-jboss:latest` and
+`whenry/fedora-jboss:v2.1`, use the following:
+
+```bash
+$ docker build -t whenry/fedora-jboss:latest -t whenry/fedora-jboss:v2.1 .
+```
+
+### Specify a Dockerfile (-f)
+
+```bash
+$ docker build -f Dockerfile.debug .
+```
+
+This will use a file called `Dockerfile.debug` for the build instructions
+instead of `Dockerfile`.
+
+```bash
+$ curl example.com/remote/Dockerfile | docker build -f - .
+```
+
+The above command will use the current directory as the build context and read
+a Dockerfile from stdin.
+
+```bash
+$ docker build -f dockerfiles/Dockerfile.debug -t myapp_debug .
+$ docker build -f dockerfiles/Dockerfile.prod  -t myapp_prod .
+```
+
+The above commands will build the current build context (as specified by the
+`.`) twice, once using a debug version of a `Dockerfile` and once using a
+production version.
+
+```bash
+$ cd /home/me/myapp/some/dir/really/deep
+$ docker build -f /home/me/myapp/dockerfiles/debug /home/me/myapp
+$ docker build -f ../../../../dockerfiles/debug /home/me/myapp
+```
+
+These two `docker build` commands do the exact same thing. They both use the
+contents of the `debug` file instead of looking for a `Dockerfile` and will use
+`/home/me/myapp` as the root of the build context. Note that `debug` is in the
+directory structure of the build context, regardless of how you refer to it on
+the command line.
+
+> **Note:**
+> `docker build` will return a `no such file or directory` error if the
+> file or directory does not exist in the uploaded context. This may
+> happen if there is no context, or if you specify a file that is
+> elsewhere on the Host system. The context is limited to the current
+> directory (and its children) for security reasons, and to ensure
+> repeatable builds on remote Docker hosts. This is also the reason why
+> `ADD ../file` will not work.
+
+### Use a custom parent cgroup (--cgroup-parent)
+
+When `docker build` is run with the `--cgroup-parent` option the containers
+used in the build will be run with the [corresponding `docker run`
+flag](../run.md#specifying-custom-cgroups).
+
+### Set ulimits in container (--ulimit)
+
+Using the `--ulimit` option with `docker build` will cause each build step's
+container to be started using those [`--ulimit`
+flag values](./run.md#set-ulimits-in-container-ulimit).
+
+### Set build-time variables (--build-arg)
+
+You can use `ENV` instructions in a Dockerfile to define variable
+values. These values persist in the built image. However, often
+persistence is not what you want. Users want to specify variables differently
+depending on which host they build an image on.
+
+A good example is `http_proxy` or source versions for pulling intermediate
+files. The `ARG` instruction lets Dockerfile authors define values that users
+can set at build-time using the  `--build-arg` flag:
+
+```bash
+$ docker build --build-arg HTTP_PROXY=http://10.20.30.2:1234 --build-arg FTP_PROXY=http://40.50.60.5:4567 .
+```
+
+This flag allows you to pass the build-time variables that are
+accessed like regular environment variables in the `RUN` instruction of the
+Dockerfile. Also, these values don't persist in the intermediate or final images
+like `ENV` values do.   You must add `--build-arg` for each build argument.  
+
+Using this flag will not alter the output you see when the `ARG` lines from the
+Dockerfile are echoed during the build process.
+
+For detailed information on using `ARG` and `ENV` instructions, see the
+[Dockerfile reference](../builder.md).
+
+You may also use the `--build-arg` flag without a value, in which case the value
+from the local environment will be propagated into the Docker container being
+built:
+
+```bash
+$ export HTTP_PROXY=http://10.20.30.2:1234
+$ docker build --build-arg HTTP_PROXY .
+```
+
+This is similar to how `docker run -e` works. Refer to the [`docker run` documentation](https://docs.docker.com/engine/reference/commandline/run/#set-environment-variables--e---env---env-file)
+for more information.
+
+### Optional security options (--security-opt)
+
+This flag is only supported on a daemon running on Windows, and only supports
+the `credentialspec` option. The `credentialspec` must be in the format
+`file://spec.txt` or `registry://keyname`.
+
+### Specify isolation technology for container (--isolation)
+
+This option is useful in situations where you are running Docker containers on
+Windows. The `--isolation=<value>` option sets a container's isolation
+technology. On Linux, the only supported is the `default` option which uses
+Linux namespaces. On Microsoft Windows, you can specify these values:
+
+
+| Value     | Description                                                                                                                                                   |
+|-----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `default` | Use the value specified by the Docker daemon's `--exec-opt` . If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value.  |
+| `process` | Namespace isolation only.                                                                                                                                     |
+| `hyperv`  | Hyper-V hypervisor partition-based isolation.                                                                                                                 |
+
+Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.
+
+### Add entries to container hosts file (--add-host)
+
+You can add other hosts into a container's `/etc/hosts` file by using one or
+more `--add-host` flags. This example adds a static address for a host named
+`docker`:
+
+    $ docker build --add-host=docker:10.180.0.1 .
+
+### Specifying target build stage (--target)
+
+When building a Dockerfile with multiple build stages, `--target` can be used to
+specify an intermediate build stage by name as a final stage for the resulting
+image. Commands after the target stage will be skipped.
+
+```Dockerfile
+FROM debian AS build-env
+...
+
+FROM alpine AS production-env
+...
+```
+
+```bash
+$ docker build -t mybuildimage --target build-env .
+```
+
+### Squash an image's layers (--squash) (experimental)
+
+#### Overview
+
+Once the image is built, squash the new layers into a new image with a single
+new layer. Squashing does not destroy any existing image, rather it creates a new
+image with the content of the squashed layers. This effectively makes it look
+like all `Dockerfile` commands were created with a single layer. The build
+cache is preserved with this method.
+
+The `--squash` option is an experimental feature, and should not be considered
+stable.
+
+
+Squashing layers can be beneficial if your Dockerfile produces multiple layers
+modifying the same files, for example, file that are created in one step, and
+removed in another step. For other use-cases, squashing images may actually have
+a negative impact on performance; when pulling an image consisting of multiple
+layers, layers can be pulled in parallel, and allows sharing layers between
+images (saving space).
+
+For most use cases, multi-stage are a better alternative, as they give more
+fine-grained control over your build, and can take advantage of future
+optimizations in the builder. Refer to the [use multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/)
+section in the userguide for more information.
+
+
+#### Known limitations
+
+The `--squash` option has a number of known limitations:
+
+- When squashing layers, the resulting image cannot take advantage of layer
+  sharing with other images, and may use significantly more space. Sharing the
+  base image is still supported.
+- When using this option you may see significantly more space used due to
+  storing two copies of the image, one for the build cache with all the cache
+  layers in tact, and one for the squashed version.
+- While squashing layers may produce smaller images, it may have a negative
+  impact on performance, as a single layer takes longer to extract, and
+  downloading a single layer cannot be parallelized.
+- When attempting to squash an image that does not make changes to the
+  filesystem (for example, the Dockerfile only contains `ENV` instructions),
+  the squash step will fail (see [issue #33823](https://github.com/moby/moby/issues/33823)
+
+#### Prerequisites
+
+The example on this page is using experimental mode in Docker 1.13.
+
+Experimental mode can be enabled by using the `--experimental` flag when starting the Docker daemon or setting `experimental: true` in the `daemon.json` configuration file.
+
+By default, experimental mode is disabled. To see the current configuration, use the `docker version` command.
+
+```none
+Server:
+ Version:      1.13.1
+ API version:  1.26 (minimum version 1.12)
+ Go version:   go1.7.5
+ Git commit:   092cba3
+ Built:        Wed Feb  8 06:35:24 2017
+ OS/Arch:      linux/amd64
+ Experimental: false
+
+ [...]
+```
+
+To enable experimental mode, users need to restart the docker daemon with the experimental flag enabled.
+
+#### Enable Docker experimental
+
+Experimental features are now included in the standard Docker binaries as of version 1.13.0. For enabling experimental features, you need to start the Docker daemon with `--experimental` flag. You can also enable the daemon flag via /etc/docker/daemon.json. e.g.
+
+```json
+{
+    "experimental": true
+}
+```
+
+Then make sure the experimental flag is enabled:
+
+```bash
+$ docker version -f '{{.Server.Experimental}}'
+true
+```
+
+#### Build an image with `--squash` argument
+
+The following is an example of docker build with `--squash` argument
+
+```Dockerfile
+FROM busybox
+RUN echo hello > /hello
+RUN echo world >> /hello
+RUN touch remove_me /remove_me
+ENV HELLO world
+RUN rm /remove_me
+```
+
+An image named `test` is built with `--squash` argument.
+
+```bash
+$ docker build --squash -t test .
+
+[...]
+```
+
+If everything is right, the history will look like this:
+
+```bash
+$ docker history test
+
+IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
+4e10cb5b4cac        3 seconds ago                                                       12 B                merge sha256:88a7b0112a41826885df0e7072698006ee8f621c6ab99fca7fe9151d7b599702 to sha256:47bcc53f74dc94b1920f0b34f6036096526296767650f223433fe65c35f149eb
+<missing>           5 minutes ago       /bin/sh -c rm /remove_me                        0 B
+<missing>           5 minutes ago       /bin/sh -c #(nop) ENV HELLO=world               0 B
+<missing>           5 minutes ago       /bin/sh -c touch remove_me /remove_me           0 B
+<missing>           5 minutes ago       /bin/sh -c echo world >> /hello                 0 B
+<missing>           6 minutes ago       /bin/sh -c echo hello > /hello                  0 B
+<missing>           7 weeks ago         /bin/sh -c #(nop) CMD ["sh"]                    0 B
+<missing>           7 weeks ago         /bin/sh -c #(nop) ADD file:47ca6e777c36a4cfff   1.113 MB
+```
+
+We could find that all layer's name is `<missing>`, and there is a new layer with COMMENT `merge`.
+
+Test the image, check for `/remove_me` being gone, make sure `hello\nworld` is in `/hello`, make sure the `HELLO` envvar's value is `world`.
diff --git a/cli/docs/reference/commandline/cli.md b/cli/docs/reference/commandline/cli.md
new file mode 100644
index 00000000..eaf60cc6
--- /dev/null
+++ b/cli/docs/reference/commandline/cli.md
@@ -0,0 +1,328 @@
+---
+title: "Use the Docker command line"
+description: "Docker's CLI command description and usage"
+keywords: "Docker, Docker documentation, CLI, command line"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# docker
+
+To list available commands, either run `docker` with no parameters
+or execute `docker help`:
+
+```bash
+$ docker
+Usage: docker [OPTIONS] COMMAND [ARG...]
+       docker [ --help | -v | --version ]
+
+A self-sufficient runtime for containers.
+
+Options:
+      --config string      Location of client config files (default "/root/.docker")
+  -D, --debug              Enable debug mode
+      --help               Print usage
+  -H, --host value         Daemon socket(s) to connect to (default [])
+  -l, --log-level string   Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info")
+      --tls                Use TLS; implied by --tlsverify
+      --tlscacert string   Trust certs signed only by this CA (default "/root/.docker/ca.pem")
+      --tlscert string     Path to TLS certificate file (default "/root/.docker/cert.pem")
+      --tlskey string      Path to TLS key file (default "/root/.docker/key.pem")
+      --tlsverify          Use TLS and verify the remote
+  -v, --version            Print version information and quit
+
+Commands:
+    attach    Attach to a running container
+    # […]
+```
+
+## Description
+
+Depending on your Docker system configuration, you may be required to preface
+each `docker` command with `sudo`. To avoid having to use `sudo` with the
+`docker` command, your system administrator can create a Unix group called
+`docker` and add users to it.
+
+For more information about installing Docker or `sudo` configuration, refer to
+the [installation](https://docs.docker.com/install/) instructions for your operating system.
+
+### Environment variables
+
+For easy reference, the following list of environment variables are supported
+by the `docker` command line:
+
+* `DOCKER_API_VERSION` The API version to use (e.g. `1.19`)
+* `DOCKER_CONFIG` The location of your client configuration files.
+* `DOCKER_CERT_PATH` The location of your authentication keys.
+* `DOCKER_CLI_EXPERIMENTAL` Enable experimental features for the cli (e.g. `enabled` or `disabled`)
+* `DOCKER_DRIVER` The graph driver to use.
+* `DOCKER_HOST` Daemon socket to connect to.
+* `DOCKER_NOWARN_KERNEL_VERSION` Prevent warnings that your Linux kernel is
+  unsuitable for Docker.
+* `DOCKER_RAMDISK` If set this will disable 'pivot_root'.
+* `DOCKER_STACK_ORCHESTRATOR` Configure the default orchestrator to use when using `docker stack` management commands.
+* `DOCKER_TLS` When set Docker uses TLS.
+* `DOCKER_TLS_VERIFY` When set Docker uses TLS and verifies the remote.
+* `DOCKER_CONTENT_TRUST` When set Docker uses notary to sign and verify images.
+  Equates to `--disable-content-trust=false` for build, create, pull, push, run.
+* `DOCKER_CONTENT_TRUST_SERVER` The URL of the Notary server to use. This defaults
+  to the same URL as the registry.
+* `DOCKER_HIDE_LEGACY_COMMANDS` When set, Docker hides "legacy" top-level commands (such as `docker rm`, and
+  `docker pull`) in `docker help` output, and only `Management commands` per object-type (e.g., `docker container`) are
+  printed. This may become the default in a future release, at which point this environment-variable is removed.
+* `DOCKER_TMPDIR` Location for temporary Docker files.
+
+Because Docker is developed using Go, you can also use any environment
+variables used by the Go runtime. In particular, you may find these useful:
+
+* `HTTP_PROXY`
+* `HTTPS_PROXY`
+* `NO_PROXY`
+
+These Go environment variables are case-insensitive. See the
+[Go specification](http://golang.org/pkg/net/http/) for details on these
+variables.
+
+### Configuration files
+
+By default, the Docker command line stores its configuration files in a
+directory called `.docker` within your `$HOME` directory. However, you can
+specify a different location via the `DOCKER_CONFIG` environment variable
+or the `--config` command line option. If both are specified, then the
+`--config` option overrides the `DOCKER_CONFIG` environment variable.
+For example:
+
+    docker --config ~/testconfigs/ ps
+
+Instructs Docker to use the configuration files in your `~/testconfigs/`
+directory when running the `ps` command.
+
+Docker manages most of the files in the configuration directory
+and you should not modify them. However, you *can modify* the
+`config.json` file to control certain aspects of how the `docker`
+command behaves.
+
+Currently, you can modify the `docker` command behavior using environment
+variables or command-line options. You can also use options within
+`config.json` to modify some of the same behavior. When using these
+mechanisms, you must keep in mind the order of precedence among them. Command
+line options override environment variables and environment variables override
+properties you specify in a `config.json` file.
+
+The `config.json` file stores a JSON encoding of several properties:
+
+The property `HttpHeaders` specifies a set of headers to include in all messages
+sent from the Docker client to the daemon. Docker does not try to interpret or
+understand these header; it simply puts them into the messages. Docker does
+not allow these headers to change any headers it sets for itself.
+
+The property `psFormat` specifies the default format for `docker ps` output.
+When the `--format` flag is not provided with the `docker ps` command,
+Docker's client uses this property. If this property is not set, the client
+falls back to the default table format. For a list of supported formatting
+directives, see the
+[**Formatting** section in the `docker ps` documentation](ps.md)
+
+The property `imagesFormat` specifies the default format for `docker images` output.
+When the `--format` flag is not provided with the `docker images` command,
+Docker's client uses this property. If this property is not set, the client
+falls back to the default table format. For a list of supported formatting
+directives, see the [**Formatting** section in the `docker images` documentation](images.md)
+
+The property `pluginsFormat` specifies the default format for `docker plugin ls` output.
+When the `--format` flag is not provided with the `docker plugin ls` command,
+Docker's client uses this property. If this property is not set, the client
+falls back to the default table format. For a list of supported formatting
+directives, see the [**Formatting** section in the `docker plugin ls` documentation](plugin_ls.md)
+
+The property `servicesFormat` specifies the default format for `docker
+service ls` output. When the `--format` flag is not provided with the
+`docker service ls` command, Docker's client uses this property. If this
+property is not set, the client falls back to the default json format. For a
+list of supported formatting directives, see the
+[**Formatting** section in the `docker service ls` documentation](service_ls.md)
+
+The property `serviceInspectFormat` specifies the default format for `docker
+service inspect` output. When the `--format` flag is not provided with the
+`docker service inspect` command, Docker's client uses this property. If this
+property is not set, the client falls back to the default json format. For a
+list of supported formatting directives, see the
+[**Formatting** section in the `docker service inspect` documentation](service_inspect.md)
+
+The property `statsFormat` specifies the default format for `docker
+stats` output. When the `--format` flag is not provided with the
+`docker stats` command, Docker's client uses this property. If this
+property is not set, the client falls back to the default table
+format. For a list of supported formatting directives, see
+[**Formatting** section in the `docker stats` documentation](stats.md)
+
+The property `secretFormat` specifies the default format for `docker
+secret ls` output. When the `--format` flag is not provided with the
+`docker secret ls` command, Docker's client uses this property. If this
+property is not set, the client falls back to the default table
+format. For a list of supported formatting directives, see
+[**Formatting** section in the `docker secret ls` documentation](secret_ls.md)
+
+
+The property `nodesFormat` specifies the default format for `docker node ls` output.
+When the `--format` flag is not provided with the `docker node ls` command,
+Docker's client uses the value of `nodesFormat`. If the value of `nodesFormat` is not set,
+the client uses the default table format. For a list of supported formatting
+directives, see the [**Formatting** section in the `docker node ls` documentation](node_ls.md)
+
+The property `configFormat` specifies the default format for `docker
+config ls` output. When the `--format` flag is not provided with the
+`docker config ls` command, Docker's client uses this property. If this
+property is not set, the client falls back to the default table
+format. For a list of supported formatting directives, see
+[**Formatting** section in the `docker config ls` documentation](config_ls.md)
+
+The property `credsStore` specifies an external binary to serve as the default
+credential store. When this property is set, `docker login` will attempt to
+store credentials in the binary specified by `docker-credential-<value>` which
+is visible on `$PATH`. If this property is not set, credentials will be stored
+in the `auths` property of the config. For more information, see the
+[**Credentials store** section in the `docker login` documentation](login.md#credentials-store)
+
+The property `credHelpers` specifies a set of credential helpers to use
+preferentially over `credsStore` or `auths` when storing and retrieving
+credentials for specific registries. If this property is set, the binary
+`docker-credential-<value>` will be used when storing or retrieving credentials
+for a specific registry. For more information, see the
+[**Credential helpers** section in the `docker login` documentation](login.md#credential-helpers)
+
+The property `stackOrchestrator` specifies the default orchestrator to use when
+running `docker stack` management commands. Valid values are `"swarm"`,
+`"kubernetes"`, and `"all"`. This property can be overridden with the
+`DOCKER_STACK_ORCHESTRATOR` environment variable, or the `--orchestrator` flag.
+
+Once attached to a container, users detach from it and leave it running using
+the using `CTRL-p CTRL-q` key sequence. This detach key sequence is customizable
+using the `detachKeys` property. Specify a `<sequence>` value for the
+property. The format of the `<sequence>` is a comma-separated list of either
+a letter [a-Z], or the `ctrl-` combined with any of the following:
+
+* `a-z` (a single lowercase alpha character )
+* `@` (at sign)
+* `[` (left bracket)
+* `\\` (two backward slashes)
+*  `_` (underscore)
+* `^` (caret)
+
+Your customization applies to all containers started in with your Docker client.
+Users can override your custom or the default key sequence on a per-container
+basis. To do this, the user specifies the `--detach-keys` flag with the `docker
+attach`, `docker exec`, `docker run` or `docker start` command.
+
+Following is a sample `config.json` file:
+
+```json
+{% raw %}
+{
+  "HttpHeaders": {
+    "MyHeader": "MyValue"
+  },
+  "psFormat": "table {{.ID}}\\t{{.Image}}\\t{{.Command}}\\t{{.Labels}}",
+  "imagesFormat": "table {{.ID}}\\t{{.Repository}}\\t{{.Tag}}\\t{{.CreatedAt}}",
+  "pluginsFormat": "table {{.ID}}\t{{.Name}}\t{{.Enabled}}",
+  "statsFormat": "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}",
+  "servicesFormat": "table {{.ID}}\t{{.Name}}\t{{.Mode}}",
+  "secretFormat": "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}\t{{.UpdatedAt}}",
+  "configFormat": "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}\t{{.UpdatedAt}}",
+  "serviceInspectFormat": "pretty",
+  "nodesFormat": "table {{.ID}}\t{{.Hostname}}\t{{.Availability}}",
+  "detachKeys": "ctrl-e,e",
+  "credsStore": "secretservice",
+  "credHelpers": {
+    "awesomereg.example.org": "hip-star",
+    "unicorn.example.com": "vcbait"
+  },
+  "stackOrchestrator": "kubernetes"
+}
+{% endraw %}
+```
+
+### Notary
+
+If using your own notary server and a self-signed certificate or an internal
+Certificate Authority, you need to place the certificate at
+`tls/<registry_url>/ca.crt` in your docker config directory.
+
+Alternatively you can trust the certificate globally by adding it to your system's
+list of root Certificate Authorities.
+
+## Examples
+
+### Display help text
+
+To list the help on any command just execute the command, followed by the
+`--help` option.
+
+    $ docker run --help
+
+    Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
+
+    Run a command in a new container
+
+    Options:
+          --add-host value             Add a custom host-to-IP mapping (host:ip) (default [])
+      -a, --attach value               Attach to STDIN, STDOUT or STDERR (default [])
+    ...
+
+### Option types
+
+Single character command line options can be combined, so rather than
+typing `docker run -i -t --name test busybox sh`,
+you can write `docker run -it --name test busybox sh`.
+
+#### Boolean
+
+Boolean options take the form `-d=false`. The value you see in the help text is
+the default value which is set if you do **not** specify that flag. If you
+specify a Boolean flag without a value, this will set the flag to `true`,
+irrespective of the default value.
+
+For example, running `docker run -d` will set the value to `true`, so your
+container **will** run in "detached" mode, in the background.
+
+Options which default to `true` (e.g., `docker build --rm=true`) can only be
+set to the non-default value by explicitly setting them to `false`:
+
+```bash
+$ docker build --rm=false .
+```
+
+#### Multi
+
+You can specify options like `-a=[]` multiple times in a single command line,
+for example in these commands:
+
+```bash
+$ docker run -a stdin -a stdout -i -t ubuntu /bin/bash
+
+$ docker run -a stdin -a stdout -a stderr ubuntu /bin/ls
+```
+
+Sometimes, multiple options can call for a more complex value string as for
+`-v`:
+
+```bash
+$ docker run -v /host:/container example/mysql
+```
+
+> **Note**: Do not use the `-t` and `-a stderr` options together due to
+> limitations in the `pty` implementation. All `stderr` in `pty` mode
+> simply goes to `stdout`.
+
+#### Strings and Integers
+
+Options like `--name=""` expect a string, and they
+can only be specified once. Options like `-c=0`
+expect an integer, and they can only be specified once.
diff --git a/cli/docs/reference/commandline/commit.md b/cli/docs/reference/commandline/commit.md
new file mode 100644
index 00000000..ceab1b36
--- /dev/null
+++ b/cli/docs/reference/commandline/commit.md
@@ -0,0 +1,117 @@
+---
+title: "commit"
+description: "The commit command description and usage"
+keywords: "commit, file, changes"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# commit
+
+```markdown
+Usage:  docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
+
+Create a new image from a container's changes
+
+Options:
+  -a, --author string    Author (e.g., "John Hannibal Smith <hannibal@a-team.com>")
+  -c, --change value     Apply Dockerfile instruction to the created image (default [])
+      --help             Print usage
+  -m, --message string   Commit message
+  -p, --pause            Pause container during commit (default true)
+```
+
+## Description
+
+It can be useful to commit a container's file changes or settings into a new
+image. This allows you to debug a container by running an interactive shell, or to
+export a working dataset to another server. Generally, it is better to use
+Dockerfiles to manage your images in a documented and maintainable way.
+[Read more about valid image names and tags](tag.md).
+
+The commit operation will not include any data contained in
+volumes mounted inside the container.
+
+By default, the container being committed and its processes will be paused
+while the image is committed. This reduces the likelihood of encountering data
+corruption during the process of creating the commit.  If this behavior is
+undesired, set the `--pause` option to false.
+
+The `--change` option will apply `Dockerfile` instructions to the image that is
+created.  Supported `Dockerfile` instructions:
+`CMD`|`ENTRYPOINT`|`ENV`|`EXPOSE`|`LABEL`|`ONBUILD`|`USER`|`VOLUME`|`WORKDIR`
+
+## Examples
+
+### Commit a container
+
+```bash
+$ docker ps
+
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS              NAMES
+c3f279d17e0a        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            desperate_dubinsky
+197387f1b436        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            focused_hamilton
+
+$ docker commit c3f279d17e0a  svendowideit/testimage:version3
+
+f5283438590d
+
+$ docker images
+
+REPOSITORY                        TAG                 ID                  CREATED             SIZE
+svendowideit/testimage            version3            f5283438590d        16 seconds ago      335.7 MB
+```
+
+### Commit a container with new configurations
+
+```bash
+$ docker ps
+
+CONTAINER ID       IMAGE               COMMAND             CREATED             STATUS              PORTS              NAMES
+c3f279d17e0a        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            desperate_dubinsky
+197387f1b436        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            focused_hamilton
+
+$ docker inspect -f "{{ .Config.Env }}" c3f279d17e0a
+
+[HOME=/ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin]
+
+$ docker commit --change "ENV DEBUG true" c3f279d17e0a  svendowideit/testimage:version3
+
+f5283438590d
+
+$ docker inspect -f "{{ .Config.Env }}" f5283438590d
+
+[HOME=/ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin DEBUG=true]
+```
+
+### Commit a container with new `CMD` and `EXPOSE` instructions
+
+```bash
+$ docker ps
+
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS              NAMES
+c3f279d17e0a        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            desperate_dubinsky
+197387f1b436        ubuntu:12.04        /bin/bash           7 days ago          Up 25 hours                            focused_hamilton
+
+$ docker commit --change='CMD ["apachectl", "-DFOREGROUND"]' -c "EXPOSE 80" c3f279d17e0a  svendowideit/testimage:version4
+
+f5283438590d
+
+$ docker run -d svendowideit/testimage:version4
+
+89373736e2e7f00bc149bd783073ac43d0507da250e999f3f1036e0db60817c0
+
+$ docker ps
+
+CONTAINER ID        IMAGE               COMMAND                 CREATED             STATUS              PORTS              NAMES
+89373736e2e7        testimage:version4  "apachectl -DFOREGROU"  3 seconds ago       Up 2 seconds        80/tcp             distracted_fermat
+c3f279d17e0a        ubuntu:12.04        /bin/bash               7 days ago          Up 25 hours                            desperate_dubinsky
+197387f1b436        ubuntu:12.04        /bin/bash               7 days ago          Up 25 hours                            focused_hamilton
+```
diff --git a/cli/docs/reference/commandline/container.md b/cli/docs/reference/commandline/container.md
new file mode 100644
index 00000000..951af0b2
--- /dev/null
+++ b/cli/docs/reference/commandline/container.md
@@ -0,0 +1,61 @@
+
+---
+title: "container"
+description: "The container command description and usage"
+keywords: "container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# container
+
+```markdown
+Usage:  docker container COMMAND
+
+Manage containers
+
+Options:
+      --help   Print usage
+
+Commands:
+  attach      Attach to a running container
+  commit      Create a new image from a container's changes
+  cp          Copy files/folders between a container and the local filesystem
+  create      Create a new container
+  diff        Inspect changes to files or directories on a container's filesystem
+  exec        Run a command in a running container
+  export      Export a container's filesystem as a tar archive
+  inspect     Display detailed information on one or more containers
+  kill        Kill one or more running containers
+  logs        Fetch the logs of a container
+  ls          List containers
+  pause       Pause all processes within one or more containers
+  port        List port mappings or a specific mapping for the container
+  prune       Remove all stopped containers
+  rename      Rename a container
+  restart     Restart one or more containers
+  rm          Remove one or more containers
+  run         Run a command in a new container
+  start       Start one or more stopped containers
+  stats       Display a live stream of container(s) resource usage statistics
+  stop        Stop one or more running containers
+  top         Display the running processes of a container
+  unpause     Unpause all processes within one or more containers
+  update      Update configuration of one or more containers
+  wait        Block until one or more containers stop, then print their exit codes
+
+Run 'docker container COMMAND --help' for more information on a command.
+
+```
+
+## Description
+
+Manage containers.
+
diff --git a/cli/docs/reference/commandline/container_prune.md b/cli/docs/reference/commandline/container_prune.md
new file mode 100644
index 00000000..d99a9f85
--- /dev/null
+++ b/cli/docs/reference/commandline/container_prune.md
@@ -0,0 +1,126 @@
+---
+title: "container prune"
+description: "Remove all stopped containers"
+keywords: container, prune, delete, remove
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# container prune
+
+```markdown
+Usage:	docker container prune [OPTIONS]
+
+Remove all stopped containers
+
+Options:
+Options:
+      --filter filter   Provide filter values (e.g. 'until=<timestamp>')
+  -f, --force           Do not prompt for confirmation
+      --help            Print usage
+```
+
+## Description
+
+Removes all stopped containers.
+
+## Examples
+
+### Prune containers
+
+```bash
+$ docker container prune
+WARNING! This will remove all stopped containers.
+Are you sure you want to continue? [y/N] y
+Deleted Containers:
+4a7f7eebae0f63178aff7eb0aa39cd3f0627a203ab2df258c1a00b456cf20063
+f98f9c2aa1eaf727e4ec9c0283bc7d4aa4762fbdba7f26191f26c97f64090360
+
+Total reclaimed space: 212 B
+```
+
+### Filtering
+
+The filtering flag (`--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* until (`<timestamp>`) - only remove containers created before given timestamp
+* label (`label=<key>`, `label=<key>=<value>`, `label!=<key>`, or `label!=<key>=<value>`) - only remove containers with (or without, in case `label!=...` is used) the specified labels.
+
+The `until` filter can be Unix timestamps, date formatted
+timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed
+relative to the daemon machine’s time. Supported formats for date
+formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
+`2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
+timezone on the daemon will be used if you do not provide either a `Z` or a
+`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
+that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
+seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
+fraction of a second no more than nine digits long.
+
+The `label` filter accepts two formats. One is the `label=...` (`label=<key>` or `label=<key>=<value>`),
+which removes containers with the specified labels. The other
+format is the `label!=...` (`label!=<key>` or `label!=<key>=<value>`), which removes
+containers without the specified labels.
+
+The following removes containers created more than 5 minutes ago:
+
+```bash
+$ docker ps -a --format 'table {{.ID}}\t{{.Image}}\t{{.Command}}\t{{.CreatedAt}}\t{{.Status}}'
+
+CONTAINER ID        IMAGE               COMMAND             CREATED AT                      STATUS
+61b9efa71024        busybox             "sh"                2017-01-04 13:23:33 -0800 PST   Exited (0) 41 seconds ago
+53a9bc23a516        busybox             "sh"                2017-01-04 13:11:59 -0800 PST   Exited (0) 12 minutes ago
+
+$ docker container prune --force --filter "until=5m"
+
+Deleted Containers:
+53a9bc23a5168b6caa2bfbefddf1b30f93c7ad57f3dec271fd32707497cb9369
+
+Total reclaimed space: 25 B
+
+$ docker ps -a --format 'table {{.ID}}\t{{.Image}}\t{{.Command}}\t{{.CreatedAt}}\t{{.Status}}'
+
+CONTAINER ID        IMAGE               COMMAND             CREATED AT                      STATUS
+61b9efa71024        busybox             "sh"                2017-01-04 13:23:33 -0800 PST   Exited (0) 44 seconds ago
+```
+
+The following removes containers created before `2017-01-04T13:10:00`:
+
+```bash
+$ docker ps -a --format 'table {{.ID}}\t{{.Image}}\t{{.Command}}\t{{.CreatedAt}}\t{{.Status}}'
+
+CONTAINER ID        IMAGE               COMMAND             CREATED AT                      STATUS
+53a9bc23a516        busybox             "sh"                2017-01-04 13:11:59 -0800 PST   Exited (0) 7 minutes ago
+4a75091a6d61        busybox             "sh"                2017-01-04 13:09:53 -0800 PST   Exited (0) 9 minutes ago
+
+$ docker container prune --force --filter "until=2017-01-04T13:10:00"
+
+Deleted Containers:
+4a75091a6d618526fcd8b33ccd6e5928ca2a64415466f768a6180004b0c72c6c
+
+Total reclaimed space: 27 B
+
+$ docker ps -a --format 'table {{.ID}}\t{{.Image}}\t{{.Command}}\t{{.CreatedAt}}\t{{.Status}}'
+
+CONTAINER ID        IMAGE               COMMAND             CREATED AT                      STATUS
+53a9bc23a516        busybox             "sh"                2017-01-04 13:11:59 -0800 PST   Exited (0) 9 minutes ago
+```
+
+## Related commands
+
+* [system df](system_df.md)
+* [volume prune](volume_prune.md)
+* [image prune](image_prune.md)
+* [network prune](network_prune.md)
+* [system prune](system_prune.md)
diff --git a/cli/docs/reference/commandline/cp.md b/cli/docs/reference/commandline/cp.md
new file mode 100644
index 00000000..e59b9c2e
--- /dev/null
+++ b/cli/docs/reference/commandline/cp.md
@@ -0,0 +1,118 @@
+---
+title: "cp"
+description: "The cp command description and usage"
+keywords: "copy, container, files, folders"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# cp
+
+```markdown
+Usage:  docker cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-
+        docker cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH
+
+Copy files/folders between a container and the local filesystem
+
+Use '-' as the source to read a tar archive from stdin
+and extract it to a directory destination in a container.
+Use '-' as the destination to stream a tar archive of a
+container source to stdout.
+
+Options:
+  -L, --follow-link   Always follow symbol link in SRC_PATH
+  -a, --archive       Archive mode (copy all uid/gid information)
+      --help          Print usage
+```
+
+## Description
+
+The `docker cp` utility copies the contents of `SRC_PATH` to the `DEST_PATH`.
+You can copy from the container's file system to the local machine or the
+reverse, from the local filesystem to the container. If `-` is specified for
+either the `SRC_PATH` or `DEST_PATH`, you can also stream a tar archive from
+`STDIN` or to `STDOUT`. The `CONTAINER` can be a running or stopped container.
+The `SRC_PATH` or `DEST_PATH` can be a file or directory.
+
+The `docker cp` command assumes container paths are relative to the container's
+`/` (root) directory. This means supplying the initial forward slash is optional;
+The command sees `compassionate_darwin:/tmp/foo/myfile.txt` and
+`compassionate_darwin:tmp/foo/myfile.txt` as identical. Local machine paths can
+be an absolute or relative value. The command interprets a local machine's
+relative paths as relative to the current working directory where `docker cp` is
+run.
+
+The `cp` command behaves like the Unix `cp -a` command in that directories are
+copied recursively with permissions preserved if possible. Ownership is set to
+the user and primary group at the destination. For example, files copied to a
+container are created with `UID:GID` of the root user. Files copied to the local
+machine are created with the `UID:GID` of the user which invoked the `docker cp`
+command. However, if you specify the `-a` option, `docker cp` sets the ownership
+to the user and primary group at the source.
+If you specify the `-L` option, `docker cp` follows any symbolic link
+in the `SRC_PATH`.  `docker cp` does *not* create parent directories for
+`DEST_PATH` if they do not exist.
+
+Assuming a path separator of `/`, a first argument of `SRC_PATH` and second
+argument of `DEST_PATH`, the behavior is as follows:
+
+- `SRC_PATH` specifies a file
+    - `DEST_PATH` does not exist
+        - the file is saved to a file created at `DEST_PATH`
+    - `DEST_PATH` does not exist and ends with `/`
+        - Error condition: the destination directory must exist.
+    - `DEST_PATH` exists and is a file
+        - the destination is overwritten with the source file's contents
+    - `DEST_PATH` exists and is a directory
+        - the file is copied into this directory using the basename from
+          `SRC_PATH`
+- `SRC_PATH` specifies a directory
+    - `DEST_PATH` does not exist
+        - `DEST_PATH` is created as a directory and the *contents* of the source
+           directory are copied into this directory
+    - `DEST_PATH` exists and is a file
+        - Error condition: cannot copy a directory to a file
+    - `DEST_PATH` exists and is a directory
+        - `SRC_PATH` does not end with `/.` (that is: _slash_ followed by _dot_)
+            - the source directory is copied into this directory
+        - `SRC_PATH` does end with `/.` (that is: _slash_ followed by _dot_)
+            - the *content* of the source directory is copied into this
+              directory
+
+The command requires `SRC_PATH` and `DEST_PATH` to exist according to the above
+rules. If `SRC_PATH` is local and is a symbolic link, the symbolic link, not
+the target, is copied by default. To copy the link target and not the link, specify
+the `-L` option.
+
+A colon (`:`) is used as a delimiter between `CONTAINER` and its path. You can
+also use `:` when specifying paths to a `SRC_PATH` or `DEST_PATH` on a local
+machine, for example  `file:name.txt`. If you use a `:` in a local machine path,
+you must be explicit with a relative or absolute path, for example:
+
+    `/path/to/file:name.txt` or `./file:name.txt`
+
+It is not possible to copy certain system files such as resources under
+`/proc`, `/sys`, `/dev`, [tmpfs](run.md#mount-tmpfs-tmpfs), and mounts created by
+the user in the container. However, you can still copy such files by manually
+running `tar` in `docker exec`. Both of the following examples do the same thing
+in different ways (consider `SRC_PATH` and `DEST_PATH` are directories):
+
+```bash
+$ docker exec CONTAINER tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | tar Cxf DEST_PATH -
+```
+
+```bash
+$ tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | docker exec -i CONTAINER tar Cxf DEST_PATH -
+```
+
+Using `-` as the `SRC_PATH` streams the contents of `STDIN` as a tar archive.
+The command extracts the content of the tar to the `DEST_PATH` in container's
+filesystem. In this case, `DEST_PATH` must specify a directory. Using `-` as
+the `DEST_PATH` streams the contents of the resource as a tar archive to `STDOUT`.
diff --git a/cli/docs/reference/commandline/create.md b/cli/docs/reference/commandline/create.md
new file mode 100644
index 00000000..446d5d81
--- /dev/null
+++ b/cli/docs/reference/commandline/create.md
@@ -0,0 +1,260 @@
+---
+title: "create"
+description: "The create command description and usage"
+keywords: "docker, create, container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# create
+
+Creates a new container.
+
+```markdown
+Usage:  docker create [OPTIONS] IMAGE [COMMAND] [ARG...]
+
+Create a new container
+
+Options:
+      --add-host value                Add a custom host-to-IP mapping (host:ip) (default [])
+  -a, --attach value                  Attach to STDIN, STDOUT or STDERR (default [])
+      --blkio-weight value            Block IO (relative weight), between 10 and 1000
+      --blkio-weight-device value     Block IO weight (relative device weight) (default [])
+      --cap-add value                 Add Linux capabilities (default [])
+      --cap-drop value                Drop Linux capabilities (default [])
+      --cgroup-parent string          Optional parent cgroup for the container
+      --cidfile string                Write the container ID to the file
+      --cpu-count int                 The number of CPUs available for execution by the container.
+                                      Windows daemon only. On Windows Server containers, this is
+                                      approximated as a percentage of total CPU usage.
+      --cpu-percent int               CPU percent (Windows only)
+      --cpu-period int                Limit CPU CFS (Completely Fair Scheduler) period
+      --cpu-quota int                 Limit CPU CFS (Completely Fair Scheduler) quota
+  -c, --cpu-shares int                CPU shares (relative weight)
+      --cpus NanoCPUs                 Number of CPUs (default 0.000)
+      --cpu-rt-period int             Limit the CPU real-time period in microseconds
+      --cpu-rt-runtime int            Limit the CPU real-time runtime in microseconds
+      --cpuset-cpus string            CPUs in which to allow execution (0-3, 0,1)
+      --cpuset-mems string            MEMs in which to allow execution (0-3, 0,1)
+      --device value                  Add a host device to the container (default [])
+      --device-cgroup-rule value      Add a rule to the cgroup allowed devices list
+      --device-read-bps value         Limit read rate (bytes per second) from a device (default [])
+      --device-read-iops value        Limit read rate (IO per second) from a device (default [])
+      --device-write-bps value        Limit write rate (bytes per second) to a device (default [])
+      --device-write-iops value       Limit write rate (IO per second) to a device (default [])
+      --disable-content-trust         Skip image verification (default true)
+      --dns value                     Set custom DNS servers (default [])
+      --dns-option value              Set DNS options (default [])
+      --dns-search value              Set custom DNS search domains (default [])
+      --entrypoint string             Overwrite the default ENTRYPOINT of the image
+  -e, --env value                     Set environment variables (default [])
+      --env-file value                Read in a file of environment variables (default [])
+      --expose value                  Expose a port or a range of ports (default [])
+      --group-add value               Add additional groups to join (default [])
+      --health-cmd string             Command to run to check health
+      --health-interval duration      Time between running the check (ns|us|ms|s|m|h) (default 0s)
+      --health-retries int            Consecutive failures needed to report unhealthy
+      --health-timeout duration       Maximum time to allow one check to run (ns|us|ms|s|m|h) (default 0s)
+      --health-start-period duration  Start period for the container to initialize before counting retries towards unstable (ns|us|ms|s|m|h) (default 0s)
+      --help                          Print usage
+  -h, --hostname string               Container host name
+      --init                          Run an init inside the container that forwards signals and reaps processes
+  -i, --interactive                   Keep STDIN open even if not attached
+      --io-maxbandwidth string        Maximum IO bandwidth limit for the system drive (Windows only)
+      --io-maxiops uint               Maximum IOps limit for the system drive (Windows only)
+      --ip string                     IPv4 address (e.g., 172.30.100.104)
+      --ip6 string                    IPv6 address (e.g., 2001:db8::33)
+      --ipc string                    IPC namespace to use
+      --isolation string              Container isolation technology
+      --kernel-memory string          Kernel memory limit
+  -l, --label value                   Set meta data on a container (default [])
+      --label-file value              Read in a line delimited file of labels (default [])
+      --link value                    Add link to another container (default [])
+      --link-local-ip value           Container IPv4/IPv6 link-local addresses (default [])
+      --log-driver string             Logging driver for the container
+      --log-opt value                 Log driver options (default [])
+      --mac-address string            Container MAC address (e.g., 92:d0:c6:0a:29:33)
+  -m, --memory string                 Memory limit
+      --memory-reservation string     Memory soft limit
+      --memory-swap string            Swap limit equal to memory plus swap: '-1' to enable unlimited swap
+      --memory-swappiness int         Tune container memory swappiness (0 to 100) (default -1)
+      --mount value                   Attach a filesytem mount to the container (default [])
+      --name string                   Assign a name to the container
+      --network-alias value           Add network-scoped alias for the container (default [])
+      --network string                Connect a container to a network (default "default")
+                                      'bridge': create a network stack on the default Docker bridge
+                                      'none': no networking
+                                      'container:<name|id>': reuse another container's network stack
+                                      'host': use the Docker host network stack
+                                      '<network-name>|<network-id>': connect to a user-defined network
+      --no-healthcheck                Disable any container-specified HEALTHCHECK
+      --oom-kill-disable              Disable OOM Killer
+      --oom-score-adj int             Tune host's OOM preferences (-1000 to 1000)
+      --pid string                    PID namespace to use
+      --pids-limit int                Tune container pids limit (set -1 for unlimited), kernel >= 4.3
+      --privileged                    Give extended privileges to this container
+  -p, --publish value                 Publish a container's port(s) to the host (default [])
+  -P, --publish-all                   Publish all exposed ports to random ports
+      --read-only                     Mount the container's root filesystem as read only
+      --restart string                Restart policy to apply when a container exits (default "no")
+                                      Possible values are: no, on-failure[:max-retry], always, unless-stopped
+      --rm                            Automatically remove the container when it exits
+      --runtime string                Runtime to use for this container
+      --security-opt value            Security Options (default [])
+      --shm-size bytes                Size of /dev/shm
+                                      The format is `<number><unit>`. `number` must be greater than `0`.
+                                      Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes),
+                                      or `g` (gigabytes). If you omit the unit, the system uses bytes.
+      --stop-signal string            Signal to stop a container (default "SIGTERM")
+      --stop-timeout=10               Timeout (in seconds) to stop a container
+      --storage-opt value             Storage driver options for the container (default [])
+      --sysctl value                  Sysctl options (default map[])
+      --tmpfs value                   Mount a tmpfs directory (default [])
+  -t, --tty                           Allocate a pseudo-TTY
+      --ulimit value                  Ulimit options (default [])
+  -u, --user string                   Username or UID (format: <name|uid>[:<group|gid>])
+      --userns string                 User namespace to use
+                                      'host': Use the Docker host user namespace
+                                      '': Use the Docker daemon user namespace specified by `--userns-remap` option.
+      --uts string                    UTS namespace to use
+  -v, --volume value                  Bind mount a volume (default []). The format
+                                      is `[host-src:]container-dest[:<options>]`.
+                                      The comma-delimited `options` are [rw|ro],
+                                      [z|Z], [[r]shared|[r]slave|[r]private],
+                                      [delegated|cached|consistent], and
+                                      [nocopy]. The 'host-src' is an absolute path
+                                      or a name value.
+      --volume-driver string          Optional volume driver for the container
+      --volumes-from value            Mount volumes from the specified container(s) (default [])
+  -w, --workdir string                Working directory inside the container
+```
+## Description
+
+The `docker create` command creates a writeable container layer over the
+specified image and prepares it for running the specified command.  The
+container ID is then printed to `STDOUT`.  This is similar to `docker run -d`
+except the container is never started.  You can then use the
+`docker start <container_id>` command to start the container at any point.
+
+This is useful when you want to set up a container configuration ahead of time
+so that it is ready to start when you need it. The initial status of the
+new container is `created`.
+
+Please see the [run command](run.md) section and the [Docker run reference](../run.md) for more details.
+
+## Examples
+
+### Create and start a container
+
+```bash
+$ docker create -t -i fedora bash
+
+6d8af538ec541dd581ebc2a24153a28329acb5268abe5ef868c1f1a261221752
+
+$ docker start -a -i 6d8af538ec5
+
+bash-4.2#
+```
+
+### Initialize volumes
+
+As of v1.4.0 container volumes are initialized during the `docker create` phase
+(i.e., `docker run` too). For example, this allows you to `create` the `data`
+volume container, and then use it from another container:
+
+```bash
+$ docker create -v /data --name data ubuntu
+
+240633dfbb98128fa77473d3d9018f6123b99c454b3251427ae190a7d951ad57
+
+$ docker run --rm --volumes-from data ubuntu ls -la /data
+
+total 8
+drwxr-xr-x  2 root root 4096 Dec  5 04:10 .
+drwxr-xr-x 48 root root 4096 Dec  5 04:11 ..
+```
+
+Similarly, `create` a host directory bind mounted volume container, which can
+then be used from the subsequent container:
+
+```bash
+$ docker create -v /home/docker:/docker --name docker ubuntu
+
+9aa88c08f319cd1e4515c3c46b0de7cc9aa75e878357b1e96f91e2c773029f03
+
+$ docker run --rm --volumes-from docker ubuntu ls -la /docker
+
+total 20
+drwxr-sr-x  5 1000 staff  180 Dec  5 04:00 .
+drwxr-xr-x 48 root root  4096 Dec  5 04:13 ..
+-rw-rw-r--  1 1000 staff 3833 Dec  5 04:01 .ash_history
+-rw-r--r--  1 1000 staff  446 Nov 28 11:51 .ashrc
+-rw-r--r--  1 1000 staff   25 Dec  5 04:00 .gitconfig
+drwxr-sr-x  3 1000 staff   60 Dec  1 03:28 .local
+-rw-r--r--  1 1000 staff  920 Nov 28 11:51 .profile
+drwx--S---  2 1000 staff  460 Dec  5 00:51 .ssh
+drwxr-xr-x 32 1000 staff 1140 Dec  5 04:01 docker
+```
+
+
+Set storage driver options per container.
+
+```bash
+$ docker create -it --storage-opt size=120G fedora /bin/bash
+```
+
+This (size) will allow to set the container rootfs size to 120G at creation time.
+This option is only available for the `devicemapper`, `btrfs`, `overlay2`,
+`windowsfilter` and `zfs` graph drivers.
+For the `devicemapper`, `btrfs`, `windowsfilter` and `zfs` graph drivers,
+user cannot pass a size less than the Default BaseFS Size.
+For the `overlay2` storage driver, the size option is only available if the
+backing fs is `xfs` and mounted with the `pquota` mount option.
+Under these conditions, user can pass any size less than the backing fs size.
+
+### Specify isolation technology for container (--isolation)
+
+This option is useful in situations where you are running Docker containers on
+Windows. The `--isolation=<value>` option sets a container's isolation
+technology. On Linux, the only supported is the `default` option which uses
+Linux namespaces. On Microsoft Windows, you can specify these values:
+
+
+| Value     | Description                                                                                                                                                   |
+|-----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `default` | Use the value specified by the Docker daemon's `--exec-opt` . If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value if the
+daemon is running on Windows server, or `hyperv` if running on Windows client.  |
+| `process` | Namespace isolation only.                                                                                                                                     |
+| `hyperv`   | Hyper-V hypervisor partition-based isolation.                                                                                                                  |
+
+Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.
+
+### Dealing with dynamically created devices (--device-cgroup-rule)
+
+Devices available to a container are assigned at creation time. The
+assigned devices will both be added to the cgroup.allow file and
+created into the container once it is run. This poses a problem when
+a new device needs to be added to running container.
+
+One of the solution is to add a more permissive rule to a container
+allowing it access to a wider range of devices. For example, supposing
+our container needs access to a character device with major `42` and
+any number of minor number (added as new devices appear), the
+following rule would be added:
+
+```
+docker create --device-cgroup-rule='c 42:* rmw' -name my-container my-image
+```
+
+Then, a user could ask `udev` to execute a script that would `docker exec my-container mknod newDevX c 42 <minor>`
+the required device when it is added.
+
+NOTE: initially present devices still need to be explicitely added to
+the create/run command
diff --git a/cli/docs/reference/commandline/deploy.md b/cli/docs/reference/commandline/deploy.md
new file mode 100644
index 00000000..e31a3858
--- /dev/null
+++ b/cli/docs/reference/commandline/deploy.md
@@ -0,0 +1,111 @@
+---
+title: "deploy"
+description: "The deploy command description and usage"
+keywords: "stack, deploy"
+advisory: "experimental"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# deploy (experimental)
+
+An alias for `stack deploy`.
+
+```markdown
+Usage:  docker deploy [OPTIONS] STACK
+
+Deploy a new stack or update an existing stack
+
+Aliases:
+  deploy, up
+
+Options:
+      --bundle-file string    Path to a Distributed Application Bundle file
+      --compose-file string   Path to a Compose file, or "-" to read from stdin
+      --help                  Print usage
+      --prune                 Prune services that are no longer referenced
+      --with-registry-auth    Send registry authentication details to Swarm agents
+```
+
+## Description
+
+Create and update a stack from a `compose` or a `dab` file on the swarm. This command
+has to be run targeting a manager node.
+
+## Examples
+
+### Compose file
+
+The `deploy` command supports compose file version `3.0` and above.
+
+```bash
+$ docker stack deploy --compose-file docker-compose.yml vossibility
+
+Ignoring unsupported options: links
+
+Creating network vossibility_vossibility
+Creating network vossibility_default
+Creating service vossibility_nsqd
+Creating service vossibility_logstash
+Creating service vossibility_elasticsearch
+Creating service vossibility_kibana
+Creating service vossibility_ghollector
+Creating service vossibility_lookupd
+```
+
+You can verify that the services were correctly created
+
+```bash
+$ docker service ls
+
+ID            NAME                               MODE        REPLICAS  IMAGE
+29bv0vnlm903  vossibility_lookupd                replicated  1/1       nsqio/nsq@sha256:eeba05599f31eba418e96e71e0984c3dc96963ceb66924dd37a47bf7ce18a662
+4awt47624qwh  vossibility_nsqd                   replicated  1/1       nsqio/nsq@sha256:eeba05599f31eba418e96e71e0984c3dc96963ceb66924dd37a47bf7ce18a662
+4tjx9biia6fs  vossibility_elasticsearch          replicated  1/1       elasticsearch@sha256:12ac7c6af55d001f71800b83ba91a04f716e58d82e748fa6e5a7359eed2301aa
+7563uuzr9eys  vossibility_kibana                 replicated  1/1       kibana@sha256:6995a2d25709a62694a937b8a529ff36da92ebee74bafd7bf00e6caf6db2eb03
+9gc5m4met4he  vossibility_logstash               replicated  1/1       logstash@sha256:2dc8bddd1bb4a5a34e8ebaf73749f6413c101b2edef6617f2f7713926d2141fe
+axqh55ipl40h  vossibility_vossibility-collector  replicated  1/1       icecrime/vossibility-collector@sha256:f03f2977203ba6253988c18d04061c5ec7aab46bca9dfd89a9a1fa4500989fba
+```
+
+### DAB file
+
+```bash
+$ docker stack deploy --bundle-file vossibility-stack.dab vossibility
+
+Loading bundle from vossibility-stack.dab
+Creating service vossibility_elasticsearch
+Creating service vossibility_kibana
+Creating service vossibility_logstash
+Creating service vossibility_lookupd
+Creating service vossibility_nsqd
+Creating service vossibility_vossibility-collector
+```
+
+You can verify that the services were correctly created:
+
+```bash
+$ docker service ls
+
+ID            NAME                               MODE        REPLICAS  IMAGE
+29bv0vnlm903  vossibility_lookupd                replicated  1/1       nsqio/nsq@sha256:eeba05599f31eba418e96e71e0984c3dc96963ceb66924dd37a47bf7ce18a662
+4awt47624qwh  vossibility_nsqd                   replicated  1/1       nsqio/nsq@sha256:eeba05599f31eba418e96e71e0984c3dc96963ceb66924dd37a47bf7ce18a662
+4tjx9biia6fs  vossibility_elasticsearch          replicated  1/1       elasticsearch@sha256:12ac7c6af55d001f71800b83ba91a04f716e58d82e748fa6e5a7359eed2301aa
+7563uuzr9eys  vossibility_kibana                 replicated  1/1       kibana@sha256:6995a2d25709a62694a937b8a529ff36da92ebee74bafd7bf00e6caf6db2eb03
+9gc5m4met4he  vossibility_logstash               replicated  1/1       logstash@sha256:2dc8bddd1bb4a5a34e8ebaf73749f6413c101b2edef6617f2f7713926d2141fe
+axqh55ipl40h  vossibility_vossibility-collector  replicated  1/1       icecrime/vossibility-collector@sha256:f03f2977203ba6253988c18d04061c5ec7aab46bca9dfd89a9a1fa4500989fba
+```
+
+## Related commands
+
+* [stack deploy](stack_deploy.md)
+* [stack ls](stack_ls.md)
+* [stack ps](stack_ps.md)
+* [stack rm](stack_rm.md)
+* [stack services](stack_services.md)
diff --git a/cli/docs/reference/commandline/diff.md b/cli/docs/reference/commandline/diff.md
new file mode 100644
index 00000000..fa5ac22a
--- /dev/null
+++ b/cli/docs/reference/commandline/diff.md
@@ -0,0 +1,67 @@
+---
+title: "diff"
+description: "The diff command description and usage"
+keywords: "list, changed, files, container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# diff
+
+```markdown
+Usage:  docker diff CONTAINER
+
+Inspect changes to files or directories on a container's filesystem
+
+Options:
+      --help   Print usage
+```
+
+## Description
+
+List the changed files and directories in a container᾿s filesystem since the
+container was created. Three different types of change are tracked:
+
+| Symbol | Description                     |
+|--------|---------------------------------|
+| `A`    | A file or directory was added   |
+| `D`    | A file or directory was deleted |
+| `C`    | A file or directory was changed |
+
+You can use the full or shortened container ID or the container name set using
+`docker run --name` option.
+
+## Examples
+
+Inspect the changes to an `nginx` container:
+
+```bash
+$ docker diff 1fdfd1f54c1b
+
+C /dev
+C /dev/console
+C /dev/core
+C /dev/stdout
+C /dev/fd
+C /dev/ptmx
+C /dev/stderr
+C /dev/stdin
+C /run
+A /run/nginx.pid
+C /var/lib/nginx/tmp
+A /var/lib/nginx/tmp/client_body
+A /var/lib/nginx/tmp/fastcgi
+A /var/lib/nginx/tmp/proxy
+A /var/lib/nginx/tmp/scgi
+A /var/lib/nginx/tmp/uwsgi
+C /var/log/nginx
+A /var/log/nginx/access.log
+A /var/log/nginx/error.log
+```
diff --git a/cli/docs/reference/commandline/dockerd.md b/cli/docs/reference/commandline/dockerd.md
new file mode 100644
index 00000000..1afc27e8
--- /dev/null
+++ b/cli/docs/reference/commandline/dockerd.md
@@ -0,0 +1,1514 @@
+---
+title: "dockerd"
+aliases: ["/engine/reference/commandline/daemon/"]
+description: "The daemon command description and usage"
+keywords: "container, daemon, runtime"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# daemon
+
+```markdown
+Usage:	dockerd COMMAND
+
+A self-sufficient runtime for containers.
+
+Options:
+      --add-runtime runtime                   Register an additional OCI compatible runtime (default [])
+      --allow-nondistributable-artifacts list Push nondistributable artifacts to specified registries (default [])
+      --api-cors-header string                Set CORS headers in the Engine API
+      --authorization-plugin list             Authorization plugins to load (default [])
+      --bip string                            Specify network bridge IP
+  -b, --bridge string                         Attach containers to a network bridge
+      --cgroup-parent string                  Set parent cgroup for all containers
+      --cluster-advertise string              Address or interface name to advertise
+      --cluster-store string                  URL of the distributed storage backend
+      --cluster-store-opt map                 Set cluster store options (default map[])
+      --config-file string                    Daemon configuration file (default "/etc/docker/daemon.json")
+      --containerd string                     Path to containerd socket
+      --cpu-rt-period int                     Limit the CPU real-time period in microseconds
+      --cpu-rt-runtime int                    Limit the CPU real-time runtime in microseconds
+      --data-root string                      Root directory of persistent Docker state (default "/var/lib/docker")
+  -D, --debug                                 Enable debug mode
+      --default-gateway ip                    Container default gateway IPv4 address
+      --default-gateway-v6 ip                 Container default gateway IPv6 address
+      --default-address-pool                  Set the default address pool for local node networks
+      --default-runtime string                Default OCI runtime for containers (default "runc")
+      --default-ulimit ulimit                 Default ulimits for containers (default [])
+      --dns list                              DNS server to use (default [])
+      --dns-opt list                          DNS options to use (default [])
+      --dns-search list                       DNS search domains to use (default [])
+      --exec-opt list                         Runtime execution options (default [])
+      --exec-root string                      Root directory for execution state files (default "/var/run/docker")
+      --experimental                          Enable experimental features
+      --fixed-cidr string                     IPv4 subnet for fixed IPs
+      --fixed-cidr-v6 string                  IPv6 subnet for fixed IPs
+  -G, --group string                          Group for the unix socket (default "docker")
+      --help                                  Print usage
+  -H, --host list                             Daemon socket(s) to connect to (default [])
+      --icc                                   Enable inter-container communication (default true)
+      --init                                  Run an init in the container to forward signals and reap processes
+      --init-path string                      Path to the docker-init binary
+      --insecure-registry list                Enable insecure registry communication (default [])
+      --ip ip                                 Default IP when binding container ports (default 0.0.0.0)
+      --ip-forward                            Enable net.ipv4.ip_forward (default true)
+      --ip-masq                               Enable IP masquerading (default true)
+      --iptables                              Enable addition of iptables rules (default true)
+      --ipv6                                  Enable IPv6 networking
+      --label list                            Set key=value labels to the daemon (default [])
+      --live-restore                          Enable live restore of docker when containers are still running
+      --log-driver string                     Default driver for container logs (default "json-file")
+  -l, --log-level string                      Set the logging level ("debug", "info", "warn", "error", "fatal") (default "info")
+      --log-opt map                           Default log driver options for containers (default map[])
+      --max-concurrent-downloads int          Set the max concurrent downloads for each pull (default 3)
+      --max-concurrent-uploads int            Set the max concurrent uploads for each push (default 5)
+      --metrics-addr string                   Set default address and port to serve the metrics api on
+      --mtu int                               Set the containers network MTU
+      --node-generic-resources list           Advertise user-defined resource
+      --no-new-privileges                     Set no-new-privileges by default for new containers
+      --oom-score-adjust int                  Set the oom_score_adj for the daemon (default -500)
+  -p, --pidfile string                        Path to use for daemon PID file (default "/var/run/docker.pid")
+      --raw-logs                              Full timestamps without ANSI coloring
+      --registry-mirror list                  Preferred Docker registry mirror (default [])
+      --seccomp-profile string                Path to seccomp profile
+      --selinux-enabled                       Enable selinux support
+      --shutdown-timeout int                  Set the default shutdown timeout (default 15)
+  -s, --storage-driver string                 Storage driver to use
+      --storage-opt list                      Storage driver options (default [])
+      --swarm-default-advertise-addr string   Set default address or interface for swarm advertised address
+      --tls                                   Use TLS; implied by --tlsverify
+      --tlscacert string                      Trust certs signed only by this CA (default "~/.docker/ca.pem")
+      --tlscert string                        Path to TLS certificate file (default "~/.docker/cert.pem")
+      --tlskey string                         Path to TLS key file (default ~/.docker/key.pem")
+      --tlsverify                             Use TLS and verify the remote
+      --userland-proxy                        Use userland proxy for loopback traffic (default true)
+      --userland-proxy-path string            Path to the userland proxy binary
+      --userns-remap string                   User/Group setting for user namespaces
+  -v, --version                               Print version information and quit
+```
+
+Options with [] may be specified multiple times.
+
+## Description
+
+`dockerd` is the persistent process that manages containers. Docker
+uses different binaries for the daemon and client. To run the daemon you
+type `dockerd`.
+
+To run the daemon with debug output, use `dockerd -D` or add `"debug": true` to
+the `daemon.json` file.
+
+> **Note**: In Docker 1.13 and higher, enable experimental features by starting
+> `dockerd` with the `--experimental` flag or adding `"experimental": true` to the
+> `daemon.json` file. In earlier Docker versions, a different build was required
+> to enable experimental features.
+
+## Examples
+
+### Daemon socket option
+
+The Docker daemon can listen for [Docker Engine API](../api/)
+requests via three different types of Socket: `unix`, `tcp`, and `fd`.
+
+By default, a `unix` domain socket (or IPC socket) is created at
+`/var/run/docker.sock`, requiring either `root` permission, or `docker` group
+membership.
+
+If you need to access the Docker daemon remotely, you need to enable the `tcp`
+Socket. Beware that the default setup provides un-encrypted and
+un-authenticated direct access to the Docker daemon - and should be secured
+either using the [built in HTTPS encrypted socket](https://docs.docker.com/engine/security/https/), or by
+putting a secure web proxy in front of it. You can listen on port `2375` on all
+network interfaces with `-H tcp://0.0.0.0:2375`, or on a particular network
+interface using its IP address: `-H tcp://192.168.59.103:2375`. It is
+conventional to use port `2375` for un-encrypted, and port `2376` for encrypted
+communication with the daemon.
+
+> **Note**: If you're using an HTTPS encrypted socket, keep in mind that only
+> TLS1.0 and greater are supported. Protocols SSLv3 and under are not
+> supported anymore for security reasons.
+
+On Systemd based systems, you can communicate with the daemon via
+[Systemd socket activation](http://0pointer.de/blog/projects/socket-activation.html),
+use `dockerd -H fd://`. Using `fd://` will work perfectly for most setups but
+you can also specify individual sockets: `dockerd -H fd://3`. If the
+specified socket activated files aren't found, then Docker will exit. You can
+find examples of using Systemd socket activation with Docker and Systemd in the
+[Docker source tree](https://github.com/docker/docker/tree/master/contrib/init/systemd/).
+
+You can configure the Docker daemon to listen to multiple sockets at the same
+time using multiple `-H` options:
+
+```bash
+# listen using the default unix socket, and on 2 specific IP addresses on this host.
+
+$ sudo dockerd -H unix:///var/run/docker.sock -H tcp://192.168.59.106 -H tcp://10.10.10.2
+```
+
+The Docker client will honor the `DOCKER_HOST` environment variable to set the
+`-H` flag for the client. Use **one** of the following commands:
+
+```bash
+$ docker -H tcp://0.0.0.0:2375 ps
+```
+
+```bash
+$ export DOCKER_HOST="tcp://0.0.0.0:2375"
+
+$ docker ps
+```
+
+Setting the `DOCKER_TLS_VERIFY` environment variable to any value other than
+the empty string is equivalent to setting the `--tlsverify` flag. The following
+are equivalent:
+
+```bash
+$ docker --tlsverify ps
+# or
+$ export DOCKER_TLS_VERIFY=1
+$ docker ps
+```
+
+The Docker client will honor the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`
+environment variables (or the lowercase versions thereof). `HTTPS_PROXY` takes
+precedence over `HTTP_PROXY`.
+
+#### Bind Docker to another host/port or a Unix socket
+
+> **Warning**:
+> Changing the default `docker` daemon binding to a
+> TCP port or Unix *docker* user group will increase your security risks
+> by allowing non-root users to gain *root* access on the host. Make sure
+> you control access to `docker`. If you are binding
+> to a TCP port, anyone with access to that port has full Docker access;
+> so it is not advisable on an open network.
+
+With `-H` it is possible to make the Docker daemon to listen on a
+specific IP and port. By default, it will listen on
+`unix:///var/run/docker.sock` to allow only local connections by the
+*root* user. You *could* set it to `0.0.0.0:2375` or a specific host IP
+to give access to everybody, but that is **not recommended** because
+then it is trivial for someone to gain root access to the host where the
+daemon is running.
+
+Similarly, the Docker client can use `-H` to connect to a custom port.
+The Docker client will default to connecting to `unix:///var/run/docker.sock`
+on Linux, and `tcp://127.0.0.1:2376` on Windows.
+
+`-H` accepts host and port assignment in the following format:
+
+    tcp://[host]:[port][path] or unix://path
+
+For example:
+
+-   `tcp://` -> TCP connection to `127.0.0.1` on either port `2376` when TLS encryption
+    is on, or port `2375` when communication is in plain text.
+-   `tcp://host:2375` -> TCP connection on
+    host:2375
+-   `tcp://host:2375/path` -> TCP connection on
+    host:2375 and prepend path to all requests
+-   `unix://path/to/socket` -> Unix socket located
+    at `path/to/socket`
+
+`-H`, when empty, will default to the same value as
+when no `-H` was passed in.
+
+`-H` also accepts short form for TCP bindings: `host:` or `host:port` or `:port`
+
+Run Docker in daemon mode:
+
+```bash
+$ sudo <path to>/dockerd -H 0.0.0.0:5555 &
+```
+
+Download an `ubuntu` image:
+
+```bash
+$ docker -H :5555 pull ubuntu
+```
+
+You can use multiple `-H`, for example, if you want to listen on both
+TCP and a Unix socket
+
+```bash
+# Run docker in daemon mode
+$ sudo <path to>/dockerd -H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock &
+# Download an ubuntu image, use default Unix socket
+$ docker pull ubuntu
+# OR use the TCP port
+$ docker -H tcp://127.0.0.1:2375 pull ubuntu
+```
+
+### Daemon storage-driver
+
+On Linux, the Docker daemon has support for several different image layer storage
+drivers: `aufs`, `devicemapper`, `btrfs`, `zfs`, `overlay` and `overlay2`.
+
+The `aufs` driver is the oldest, but is based on a Linux kernel patch-set that
+is unlikely to be merged into the main kernel. These are also known to cause
+some serious kernel crashes. However `aufs` allows containers to share
+executable and shared library memory, so is a useful choice when running
+thousands of containers with the same program or libraries.
+
+The `devicemapper` driver uses thin provisioning and Copy on Write (CoW)
+snapshots. For each devicemapper graph location – typically
+`/var/lib/docker/devicemapper` – a thin pool is created based on two block
+devices, one for data and one for metadata. By default, these block devices
+are created automatically by using loopback mounts of automatically created
+sparse files. Refer to [Devicemapper options](#devicemapper-options) below
+for a way how to customize this setup.
+[~jpetazzo/Resizing Docker containers with the Device Mapper plugin](http://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/)
+article explains how to tune your existing setup without the use of options.
+
+The `btrfs` driver is very fast for `docker build` - but like `devicemapper`
+does not share executable memory between devices. Use
+`dockerd -s btrfs -g /mnt/btrfs_partition`.
+
+The `zfs` driver is probably not as fast as `btrfs` but has a longer track record
+on stability. Thanks to `Single Copy ARC` shared blocks between clones will be
+cached only once. Use `dockerd -s zfs`. To select a different zfs filesystem
+set `zfs.fsname` option as described in [ZFS options](#zfs-options).
+
+The `overlay` is a very fast union filesystem. It is now merged in the main
+Linux kernel as of [3.18.0](https://lkml.org/lkml/2014/10/26/137). `overlay`
+also supports page cache sharing, this means multiple containers accessing
+the same file can share a single page cache entry (or entries), it makes
+`overlay` as efficient with memory as `aufs` driver. Call
+`dockerd -s overlay` to use it.
+
+> **Note**: As promising as `overlay` is, the feature is still quite young and
+> should not be used in production. Most notably, using `overlay` can cause
+> excessive inode consumption (especially as the number of images grows), as
+> well as > being incompatible with the use of RPMs.
+
+The `overlay2` uses the same fast union filesystem but takes advantage of
+[additional features](https://lkml.org/lkml/2015/2/11/106) added in Linux
+kernel 4.0 to avoid excessive inode consumption. Call `dockerd -s overlay2`
+to use it.
+
+> **Note**: Both `overlay` and `overlay2` are currently unsupported on `btrfs`
+> or any Copy on Write filesystem and should only be used over `ext4` partitions.
+
+On Windows, the Docker daemon supports a single image layer storage driver
+depending on the image platform: `windowsfilter` for Windows images, and
+`lcow` for Linux containers on Windows.
+
+### Options per storage driver
+
+Particular storage-driver can be configured with options specified with
+`--storage-opt` flags. Options for `devicemapper` are prefixed with `dm`,
+options for `zfs` start with `zfs`, options for `btrfs` start with `btrfs`
+and options for `lcow` start with `lcow`.
+
+#### Devicemapper options
+
+This is an example of the configuration file for devicemapper on Linux:
+
+```json
+{
+  "storage-driver": "devicemapper",
+  "storage-opts": [
+    "dm.thinpooldev=/dev/mapper/thin-pool",
+    "dm.use_deferred_deletion=true",
+    "dm.use_deferred_removal=true"
+  ]
+}
+```
+
+##### `dm.thinpooldev`
+
+Specifies a custom block storage device to use for the thin pool.
+
+If using a block device for device mapper storage, it is best to use `lvm`
+to create and manage the thin-pool volume. This volume is then handed to Docker
+to exclusively create snapshot volumes needed for images and containers.
+
+Managing the thin-pool outside of Engine makes for the most feature-rich
+method of having Docker utilize device mapper thin provisioning as the
+backing storage for Docker containers. The highlights of the lvm-based
+thin-pool management feature include: automatic or interactive thin-pool
+resize support, dynamically changing thin-pool features, automatic thinp
+metadata checking when lvm activates the thin-pool, etc.
+
+As a fallback if no thin pool is provided, loopback files are
+created. Loopback is very slow, but can be used without any
+pre-configuration of storage. It is strongly recommended that you do
+not use loopback in production. Ensure your Engine daemon has a
+`--storage-opt dm.thinpooldev` argument provided.
+
+###### Example:
+
+```bash
+$ sudo dockerd --storage-opt dm.thinpooldev=/dev/mapper/thin-pool
+```
+
+##### `dm.directlvm_device`
+
+As an alternative to providing a thin pool as above, Docker can setup a block
+device for you.
+
+###### Example:
+
+```bash
+$ sudo dockerd --storage-opt dm.directlvm_device=/dev/xvdf
+```
+
+##### `dm.thinp_percent`
+
+Sets the percentage of passed in block device to use for storage.
+
+###### Example:
+
+```bash
+$ sudo dockerd --storage-opt dm.thinp_percent=95
+```
+
+##### `dm.thinp_metapercent`
+
+Sets the percentage of the passed in block device to use for metadata storage.
+
+###### Example:
+
+```bash
+$ sudo dockerd --storage-opt dm.thinp_metapercent=1
+```
+
+##### `dm.thinp_autoextend_threshold`
+
+Sets the value of the percentage of space used before `lvm` attempts to
+autoextend the available space [100 = disabled]
+
+###### Example:
+
+```bash
+$ sudo dockerd --storage-opt dm.thinp_autoextend_threshold=80
+```
+
+##### `dm.thinp_autoextend_percent`
+
+Sets the value percentage value to increase the thin pool by when `lvm`
+attempts to autoextend the available space [100 = disabled]
+
+###### Example:
+
+```bash
+$ sudo dockerd --storage-opt dm.thinp_autoextend_percent=20
+```
+
+
+##### `dm.basesize`
+
+Specifies the size to use when creating the base device, which limits the
+size of images and containers. The default value is 10G. Note, thin devices
+are inherently "sparse", so a 10G device which is mostly empty doesn't use
+10 GB of space on the pool. However, the filesystem will use more space for
+the empty case the larger the device is.
+
+The base device size can be increased at daemon restart which will allow
+all future images and containers (based on those new images) to be of the
+new base device size.
+
+###### Examples
+
+```bash
+$ sudo dockerd --storage-opt dm.basesize=50G
+```
+
+This will increase the base device size to 50G. The Docker daemon will throw an
+error if existing base device size is larger than 50G. A user can use
+this option to expand the base device size however shrinking is not permitted.
+
+This value affects the system-wide "base" empty filesystem
+that may already be initialized and inherited by pulled images. Typically,
+a change to this value requires additional steps to take effect:
+
+ ```bash
+$ sudo service docker stop
+
+$ sudo rm -rf /var/lib/docker
+
+$ sudo service docker start
+```
+
+
+##### `dm.loopdatasize`
+
+> **Note**: This option configures devicemapper loopback, which should not
+> be used in production.
+
+Specifies the size to use when creating the loopback file for the
+"data" device which is used for the thin pool. The default size is
+100G. The file is sparse, so it will not initially take up this
+much space.
+
+###### Example
+
+```bash
+$ sudo dockerd --storage-opt dm.loopdatasize=200G
+```
+
+##### `dm.loopmetadatasize`
+
+> **Note**: This option configures devicemapper loopback, which should not
+> be used in production.
+
+Specifies the size to use when creating the loopback file for the
+"metadata" device which is used for the thin pool. The default size
+is 2G. The file is sparse, so it will not initially take up
+this much space.
+
+###### Example
+
+```bash
+$ sudo dockerd --storage-opt dm.loopmetadatasize=4G
+```
+
+##### `dm.fs`
+
+Specifies the filesystem type to use for the base device. The supported
+options are "ext4" and "xfs". The default is "xfs"
+
+###### Example
+
+```bash
+$ sudo dockerd --storage-opt dm.fs=ext4
+```
+
+##### `dm.mkfsarg`
+
+Specifies extra mkfs arguments to be used when creating the base device.
+
+###### Example
+
+```bash
+$ sudo dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"
+```
+
+##### `dm.mountopt`
+
+Specifies extra mount options used when mounting the thin devices.
+
+###### Example
+
+```bash
+$ sudo dockerd --storage-opt dm.mountopt=nodiscard
+```
+
+##### `dm.datadev`
+
+(Deprecated, use `dm.thinpooldev`)
+
+Specifies a custom blockdevice to use for data for the thin pool.
+
+If using a block device for device mapper storage, ideally both `datadev` and
+`metadatadev` should be specified to completely avoid using the loopback
+device.
+
+###### Example
+
+```bash
+$ sudo dockerd \
+      --storage-opt dm.datadev=/dev/sdb1 \
+      --storage-opt dm.metadatadev=/dev/sdc1
+```
+
+##### `dm.metadatadev`
+
+(Deprecated, use `dm.thinpooldev`)
+
+Specifies a custom blockdevice to use for metadata for the thin pool.
+
+For best performance the metadata should be on a different spindle than the
+data, or even better on an SSD.
+
+If setting up a new metadata pool it is required to be valid. This can be
+achieved by zeroing the first 4k to indicate empty metadata, like this:
+
+```bash
+$ dd if=/dev/zero of=$metadata_dev bs=4096 count=1
+```
+
+###### Example
+
+```bash
+$ sudo dockerd \
+      --storage-opt dm.datadev=/dev/sdb1 \
+      --storage-opt dm.metadatadev=/dev/sdc1
+```
+
+##### `dm.blocksize`
+
+Specifies a custom blocksize to use for the thin pool. The default
+blocksize is 64K.
+
+###### Example
+
+```bash
+$ sudo dockerd --storage-opt dm.blocksize=512K
+```
+
+##### `dm.blkdiscard`
+
+Enables or disables the use of `blkdiscard` when removing devicemapper
+devices. This is enabled by default (only) if using loopback devices and is
+required to resparsify the loopback file on image/container removal.
+
+Disabling this on loopback can lead to *much* faster container removal
+times, but will make the space used in `/var/lib/docker` directory not be
+returned to the system for other use when containers are removed.
+
+###### Examples
+
+```bash
+$ sudo dockerd --storage-opt dm.blkdiscard=false
+```
+
+##### `dm.override_udev_sync_check`
+
+Overrides the `udev` synchronization checks between `devicemapper` and `udev`.
+`udev` is the device manager for the Linux kernel.
+
+To view the `udev` sync support of a Docker daemon that is using the
+`devicemapper` driver, run:
+
+```bash
+$ docker info
+[...]
+Udev Sync Supported: true
+[...]
+```
+
+When `udev` sync support is `true`, then `devicemapper` and udev can
+coordinate the activation and deactivation of devices for containers.
+
+When `udev` sync support is `false`, a race condition occurs between
+the`devicemapper` and `udev` during create and cleanup. The race condition
+results in errors and failures. (For information on these failures, see
+[docker#4036](https://github.com/docker/docker/issues/4036))
+
+To allow the `docker` daemon to start, regardless of `udev` sync not being
+supported, set `dm.override_udev_sync_check` to true:
+
+```bash
+$ sudo dockerd --storage-opt dm.override_udev_sync_check=true
+```
+
+When this value is `true`, the  `devicemapper` continues and simply warns
+you the errors are happening.
+
+> **Note**: The ideal is to pursue a `docker` daemon and environment that does
+> support synchronizing with `udev`. For further discussion on this
+> topic, see [docker#4036](https://github.com/docker/docker/issues/4036).
+> Otherwise, set this flag for migrating existing Docker daemons to
+> a daemon with a supported environment.
+
+##### `dm.use_deferred_removal`
+
+Enables use of deferred device removal if `libdm` and the kernel driver
+support the mechanism.
+
+Deferred device removal means that if device is busy when devices are
+being removed/deactivated, then a deferred removal is scheduled on
+device. And devices automatically go away when last user of the device
+exits.
+
+For example, when a container exits, its associated thin device is removed.
+If that device has leaked into some other mount namespace and can't be
+removed, the container exit still succeeds and this option causes the
+system to schedule the device for deferred removal. It does not wait in a
+loop trying to remove a busy device.
+
+###### Example
+
+```bash
+$ sudo dockerd --storage-opt dm.use_deferred_removal=true
+```
+
+##### `dm.use_deferred_deletion`
+
+Enables use of deferred device deletion for thin pool devices. By default,
+thin pool device deletion is synchronous. Before a container is deleted,
+the Docker daemon removes any associated devices. If the storage driver
+can not remove a device, the container deletion fails and daemon returns.
+
+```none
+Error deleting container: Error response from daemon: Cannot destroy container
+```
+
+To avoid this failure, enable both deferred device deletion and deferred
+device removal on the daemon.
+
+```bash
+$ sudo dockerd \
+      --storage-opt dm.use_deferred_deletion=true \
+      --storage-opt dm.use_deferred_removal=true
+```
+
+With these two options enabled, if a device is busy when the driver is
+deleting a container, the driver marks the device as deleted. Later, when
+the device isn't in use, the driver deletes it.
+
+In general it should be safe to enable this option by default. It will help
+when unintentional leaking of mount point happens across multiple mount
+namespaces.
+
+##### `dm.min_free_space`
+
+Specifies the min free space percent in a thin pool require for new device
+creation to succeed. This check applies to both free data space as well
+as free metadata space. Valid values are from 0% - 99%. Value 0% disables
+free space checking logic. If user does not specify a value for this option,
+the Engine uses a default value of 10%.
+
+Whenever a new a thin pool device is created (during `docker pull` or during
+container creation), the Engine checks if the minimum free space is
+available. If sufficient space is unavailable, then device creation fails
+and any relevant `docker` operation fails.
+
+To recover from this error, you must create more free space in the thin pool
+to recover from the error. You can create free space by deleting some images
+and containers from the thin pool. You can also add more storage to the thin
+pool.
+
+To add more space to a LVM (logical volume management) thin pool, just add
+more storage to the volume group container thin pool; this should automatically
+resolve any errors. If your configuration uses loop devices, then stop the
+Engine daemon, grow the size of loop files and restart the daemon to resolve
+the issue.
+
+###### Example
+
+```bash
+$ sudo dockerd --storage-opt dm.min_free_space=10%
+```
+
+##### `dm.xfs_nospace_max_retries`
+
+Specifies the maximum number of retries XFS should attempt to complete
+IO when ENOSPC (no space) error is returned by underlying storage device.
+
+By default XFS retries infinitely for IO to finish and this can result
+in unkillable process. To change this behavior one can set
+xfs_nospace_max_retries to say 0 and XFS will not retry IO after getting
+ENOSPC and will shutdown filesystem.
+
+###### Example
+
+```bash
+$ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
+```
+
+##### `dm.libdm_log_level`
+
+Specifies the maxmimum `libdm` log level that will be forwarded to the
+`dockerd` log (as specified by `--log-level`). This option is primarily
+intended for debugging problems involving `libdm`. Using values other than the
+defaults may cause false-positive warnings to be logged.
+
+Values specified must fall within the range of valid `libdm` log levels. At the
+time of writing, the following is the list of `libdm` log levels as well as
+their corresponding levels when output by `dockerd`.
+
+| `libdm` Level | Value | `--log-level` |
+| ------------- | -----:| ------------- |
+| `_LOG_FATAL`  |     2 | error         |
+| `_LOG_ERR`    |     3 | error         |
+| `_LOG_WARN`   |     4 | warn          |
+| `_LOG_NOTICE` |     5 | info          |
+| `_LOG_INFO`   |     6 | info          |
+| `_LOG_DEBUG`  |     7 | debug         |
+
+###### Example
+
+```bash
+$ sudo dockerd \
+      --log-level debug \
+      --storage-opt dm.libdm_log_level=7
+```
+
+#### ZFS options
+
+##### `zfs.fsname`
+
+Set zfs filesystem under which docker will create its own datasets.
+By default docker will pick up the zfs filesystem where docker graph
+(`/var/lib/docker`) is located.
+
+###### Example
+
+```bash
+$ sudo dockerd -s zfs --storage-opt zfs.fsname=zroot/docker
+```
+
+#### Btrfs options
+
+##### `btrfs.min_space`
+
+Specifies the minimum size to use when creating the subvolume which is used
+for containers. If user uses disk quota for btrfs when creating or running
+a container with **--storage-opt size** option, docker should ensure the
+**size** cannot be smaller than **btrfs.min_space**.
+
+###### Example
+
+```bash
+$ sudo dockerd -s btrfs --storage-opt btrfs.min_space=10G
+```
+
+#### Overlay2 options
+
+##### `overlay2.override_kernel_check`
+
+Overrides the Linux kernel version check allowing overlay2. Support for
+specifying multiple lower directories needed by overlay2 was added to the
+Linux kernel in 4.0.0. However, some older kernel versions may be patched
+to add multiple lower directory support for OverlayFS. This option should
+only be used after verifying this support exists in the kernel. Applying
+this option on a kernel without this support will cause failures on mount.
+
+##### `overlay2.size`
+
+Sets the default max size of the container. It is supported only when the
+backing fs is `xfs` and mounted with `pquota` mount option. Under these
+conditions the user can pass any size less then the backing fs size.
+
+###### Example
+
+```bash
+$ sudo dockerd -s overlay2 --storage-opt overlay2.size=1G
+```
+
+
+#### Windowsfilter options
+
+##### `size`
+
+Specifies the size to use when creating the sandbox which is used for containers.
+Defaults to 20G.
+
+###### Example
+
+```PowerShell
+C:\> dockerd --storage-opt size=40G
+```
+
+#### LCOW (Linux Containers on Windows) options
+
+##### `lcow.globalmode`
+
+Specifies whether the daemon instantiates utility VM instances as required 
+(recommended and default if omitted), or uses single global utility VM (better
+performance, but has security implications and not recommended for production
+deployments).
+
+###### Example
+
+```PowerShell
+C:\> dockerd --storage-opt lcow.globalmode=false
+```
+
+##### `lcow.kirdpath`
+
+Specifies the folder path to the location of a pair of kernel and initrd files
+used for booting a utility VM. Defaults to `%ProgramFiles%\Linux Containers`.
+
+###### Example
+
+```PowerShell
+C:\> dockerd --storage-opt lcow.kirdpath=c:\path\to\files
+```
+
+##### `lcow.kernel`
+
+Specifies the filename of a kernel file located in the `lcow.kirdpath` path.
+Defaults to `bootx64.efi`.
+
+###### Example
+
+```PowerShell
+C:\> dockerd --storage-opt lcow.kernel=kernel.efi
+```
+
+##### `lcow.initrd`
+
+Specifies the filename of an initrd file located in the `lcow.kirdpath` path.
+Defaults to `initrd.img`.
+
+###### Example
+
+```PowerShell
+C:\> dockerd --storage-opt lcow.initrd=myinitrd.img
+```
+
+##### `lcow.bootparameters`
+
+Specifies additional boot parameters for booting utility VMs when in kernel/
+initrd mode. Ignored if the utility VM is booting from VHD. These settings
+are kernel specific.
+
+###### Example
+
+```PowerShell
+C:\> dockerd --storage-opt "lcow.bootparameters='option=value'"
+```
+
+##### `lcow.vhdx`
+
+Specifies a custom VHDX to boot a utility VM, as an alternate to kernel
+and initrd booting. Defaults to `uvm.vhdx` under `lcow.kirdpath`.
+
+###### Example
+
+```PowerShell
+C:\> dockerd --storage-opt lcow.vhdx=custom.vhdx
+```
+
+##### `lcow.timeout`
+
+Specifies the timeout for utility VM operations in seconds. Defaults
+to 300.
+
+###### Example
+
+```PowerShell
+C:\> dockerd --storage-opt lcow.timeout=240
+```
+
+##### `lcow.sandboxsize`
+
+Specifies the size in GB to use when creating the sandbox which is used for
+containers. Defaults to 20. Cannot be less than 20.
+
+###### Example
+
+```PowerShell
+C:\> dockerd --storage-opt lcow.sandboxsize=40
+```
+
+### Docker runtime execution options
+
+The Docker daemon relies on a
+[OCI](https://github.com/opencontainers/runtime-spec) compliant runtime
+(invoked via the `containerd` daemon) as its interface to the Linux
+kernel `namespaces`, `cgroups`, and `SELinux`.
+
+By default, the Docker daemon automatically starts `containerd`. If you want to
+control `containerd` startup, manually start `containerd` and pass the path to
+the `containerd` socket using the `--containerd` flag. For example:
+
+```bash
+$ sudo dockerd --containerd /var/run/dev/docker-containerd.sock
+```
+
+Runtimes can be registered with the daemon either via the
+configuration file or using the `--add-runtime` command line argument.
+
+The following is an example adding 2 runtimes via the configuration:
+
+```json
+{
+	"default-runtime": "runc",
+	"runtimes": {
+		"runc": {
+			"path": "runc"
+		},
+		"custom": {
+			"path": "/usr/local/bin/my-runc-replacement",
+			"runtimeArgs": [
+				"--debug"
+			]
+		}
+	}
+}
+```
+
+This is the same example via the command line:
+
+```bash
+$ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
+```
+
+> **Note**: Defining runtime arguments via the command line is not supported.
+
+#### Options for the runtime
+
+You can configure the runtime using options specified
+with the `--exec-opt` flag. All the flag's options have the `native` prefix. A
+single `native.cgroupdriver` option is available.
+
+The `native.cgroupdriver` option specifies the management of the container's
+cgroups. You can only specify `cgroupfs` or `systemd`. If you specify
+`systemd` and it is not available, the system errors out. If you omit the
+`native.cgroupdriver` option,` cgroupfs` is used.
+
+This example sets the `cgroupdriver` to `systemd`:
+
+```bash
+$ sudo dockerd --exec-opt native.cgroupdriver=systemd
+```
+
+Setting this option applies to all containers the daemon launches.
+
+Also Windows Container makes use of `--exec-opt` for special purpose. Docker user
+can specify default container isolation technology with this, for example:
+
+```console
+> dockerd --exec-opt isolation=hyperv
+```
+
+Will make `hyperv` the default isolation technology on Windows. If no isolation
+value is specified on daemon start, on Windows client, the default is
+`hyperv`, and on Windows server, the default is `process`.
+
+### Daemon DNS options
+
+To set the DNS server for all Docker containers, use:
+
+```bash
+$ sudo dockerd --dns 8.8.8.8
+```
+
+To set the DNS search domain for all Docker containers, use:
+
+```bash
+$ sudo dockerd --dns-search example.com
+```
+
+### Allow push of nondistributable artifacts
+
+Some images (e.g., Windows base images) contain artifacts whose distribution is
+restricted by license. When these images are pushed to a registry, restricted
+artifacts are not included.
+
+To override this behavior for specific registries, use the
+`--allow-nondistributable-artifacts` option in one of the following forms:
+
+* `--allow-nondistributable-artifacts myregistry:5000` tells the Docker daemon
+  to push nondistributable artifacts to myregistry:5000.
+* `--allow-nondistributable-artifacts 10.1.0.0/16` tells the Docker daemon to
+  push nondistributable artifacts to all registries whose resolved IP address
+  is within the subnet described by the CIDR syntax.
+
+This option can be used multiple times.
+
+This option is useful when pushing images containing nondistributable artifacts
+to a registry on an air-gapped network so hosts on that network can pull the
+images without connecting to another server.
+
+> **Warning**: Nondistributable artifacts typically have restrictions on how
+> and where they can be distributed and shared. Only use this feature to push
+> artifacts to private registries and ensure that you are in compliance with
+> any terms that cover redistributing nondistributable artifacts.
+
+### Insecure registries
+
+Docker considers a private registry either secure or insecure. In the rest of
+this section, *registry* is used for *private registry*, and `myregistry:5000`
+is a placeholder example for a private registry.
+
+A secure registry uses TLS and a copy of its CA certificate is placed on the
+Docker host at `/etc/docker/certs.d/myregistry:5000/ca.crt`. An insecure
+registry is either not using TLS (i.e., listening on plain text HTTP), or is
+using TLS with a CA certificate not known by the Docker daemon. The latter can
+happen when the certificate was not found under
+`/etc/docker/certs.d/myregistry:5000/`, or if the certificate verification
+failed (i.e., wrong CA).
+
+By default, Docker assumes all, but local (see local registries below),
+registries are secure. Communicating with an insecure registry is not possible
+if Docker assumes that registry is secure. In order to communicate with an
+insecure registry, the Docker daemon requires `--insecure-registry` in one of
+the following two forms:
+
+* `--insecure-registry myregistry:5000` tells the Docker daemon that
+  myregistry:5000 should be considered insecure.
+* `--insecure-registry 10.1.0.0/16` tells the Docker daemon that all registries
+  whose domain resolve to an IP address is part of the subnet described by the
+  CIDR syntax, should be considered insecure.
+
+The flag can be used multiple times to allow multiple registries to be marked
+as insecure.
+
+If an insecure registry is not marked as insecure, `docker pull`,
+`docker push`, and `docker search` will result in an error message prompting
+the user to either secure or pass the `--insecure-registry` flag to the Docker
+daemon as described above.
+
+Local registries, whose IP address falls in the 127.0.0.0/8 range, are
+automatically marked as insecure as of Docker 1.3.2. It is not recommended to
+rely on this, as it may change in the future.
+
+Enabling `--insecure-registry`, i.e., allowing un-encrypted and/or untrusted
+communication, can be useful when running a local registry.  However,
+because its use creates security vulnerabilities it should ONLY be enabled for
+testing purposes.  For increased security, users should add their CA to their
+system's list of trusted CAs instead of enabling `--insecure-registry`.
+
+#### Legacy Registries
+
+Starting with Docker 17.12, operations against registries supporting only the 
+legacy v1 protocol are no longer supported. Specifically, the daemon will not
+attempt `push`, `pull` and `login` to v1 registries. The exception to this is
+`search` which can still be performed on v1 registries.
+
+The `disable-legacy-registry` configuration option has been removed and, when
+used, will produce an error on daemon startup.
+
+
+### Running a Docker daemon behind an HTTPS_PROXY
+
+When running inside a LAN that uses an `HTTPS` proxy, the Docker Hub
+certificates will be replaced by the proxy's certificates. These certificates
+need to be added to your Docker host's configuration:
+
+1. Install the `ca-certificates` package for your distribution
+2. Ask your network admin for the proxy's CA certificate and append them to
+   `/etc/pki/tls/certs/ca-bundle.crt`
+3. Then start your Docker daemon with `HTTPS_PROXY=http://username:password@proxy:port/ dockerd`.
+   The `username:` and `password@` are optional - and are only needed if your
+   proxy is set up to require authentication.
+
+This will only add the proxy and authentication to the Docker daemon's requests -
+your `docker build`s and running containers will need extra configuration to
+use the proxy
+
+### Default `ulimit` settings
+
+`--default-ulimit` allows you to set the default `ulimit` options to use for
+all containers. It takes the same options as `--ulimit` for `docker run`. If
+these defaults are not set, `ulimit` settings will be inherited, if not set on
+`docker run`, from the Docker daemon. Any `--ulimit` options passed to
+`docker run` will overwrite these defaults.
+
+Be careful setting `nproc` with the `ulimit` flag as `nproc` is designed by Linux to
+set the maximum number of processes available to a user, not to a container. For details
+please check the [run](run.md) reference.
+
+### Node discovery
+
+The `--cluster-advertise` option specifies the `host:port` or `interface:port`
+combination that this particular daemon instance should use when advertising
+itself to the cluster. The daemon is reached by remote hosts through this value.
+If you  specify an interface, make sure it includes the IP address of the actual
+Docker host. For Engine installation created through `docker-machine`, the
+interface is typically `eth1`.
+
+The daemon uses [libkv](https://github.com/docker/libkv/) to advertise
+the node within the cluster. Some key-value backends support mutual
+TLS. To configure the client TLS settings used by the daemon can be configured
+using the `--cluster-store-opt` flag, specifying the paths to PEM encoded
+files. For example:
+
+```bash
+$ sudo dockerd \
+    --cluster-advertise 192.168.1.2:2376 \
+    --cluster-store etcd://192.168.1.2:2379 \
+    --cluster-store-opt kv.cacertfile=/path/to/ca.pem \
+    --cluster-store-opt kv.certfile=/path/to/cert.pem \
+    --cluster-store-opt kv.keyfile=/path/to/key.pem
+```
+
+The currently supported cluster store options are:
+
+| Option                | Description                                                                                                                                                                                                                   |
+|:----------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `discovery.heartbeat` | Specifies the heartbeat timer in seconds which is used by the daemon as a `keepalive` mechanism to make sure discovery module treats the node as alive in the cluster. If not configured, the default value is 20 seconds.    |
+| `discovery.ttl`       | Specifies the TTL (time-to-live) in seconds which is used by the discovery module to timeout a node if a valid heartbeat is not received within the configured ttl value. If not configured, the default value is 60 seconds. |
+| `kv.cacertfile`       | Specifies the path to a local file with PEM encoded CA certificates to trust.                                                                                                                                                 |
+| `kv.certfile`         | Specifies the path to a local file with a PEM encoded certificate. This certificate is used as the client cert for communication with the Key/Value store.                                                                    |
+| `kv.keyfile`          | Specifies the path to a local file with a PEM encoded private key. This private key is used as the client key for communication with the Key/Value store.                                                                     |
+| `kv.path`             | Specifies the path in the Key/Value store. If not configured, the default value is 'docker/nodes'.                                                                                                                            |
+
+### Access authorization
+
+Docker's access authorization can be extended by authorization plugins that your
+organization can purchase or build themselves. You can install one or more
+authorization plugins when you start the Docker `daemon` using the
+`--authorization-plugin=PLUGIN_ID` option.
+
+```bash
+$ sudo dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
+```
+
+The `PLUGIN_ID` value is either the plugin's name or a path to its specification
+file. The plugin's implementation determines whether you can specify a name or
+path. Consult with your Docker administrator to get information about the
+plugins available to you.
+
+Once a plugin is installed, requests made to the `daemon` through the
+command line or Docker's Engine API are allowed or denied by the plugin.
+If you have multiple plugins installed, each plugin, in order, must
+allow the request for it to complete.
+
+For information about how to create an authorization plugin, see [authorization
+plugin](../../extend/plugins_authorization.md) section in the Docker extend section of this documentation.
+
+
+### Daemon user namespace options
+
+The Linux kernel
+[user namespace support](http://man7.org/linux/man-pages/man7/user_namespaces.7.html)
+provides additional security by enabling a process, and therefore a container,
+to have a unique range of user and group IDs which are outside the traditional
+user and group range utilized by the host system. Potentially the most important
+security improvement is that, by default, container processes running as the
+`root` user will have expected administrative privilege (with some restrictions)
+inside the container but will effectively be mapped to an unprivileged `uid` on
+the host.
+
+For details about how to use this feature, as well as limitations, see
+[Isolate containers with a user namespace](https://docs.docker.com/engine/security/userns-remap/).
+
+### Miscellaneous options
+
+IP masquerading uses address translation to allow containers without a public
+IP to talk to other machines on the Internet. This may interfere with some
+network topologies and can be disabled with `--ip-masq=false`.
+
+Docker supports softlinks for the Docker data directory (`/var/lib/docker`) and
+for `/var/lib/docker/tmp`. The `DOCKER_TMPDIR` and the data directory can be
+set like this:
+
+    DOCKER_TMPDIR=/mnt/disk2/tmp /usr/local/bin/dockerd -D -g /var/lib/docker -H unix:// > /var/lib/docker-machine/docker.log 2>&1
+    # or
+    export DOCKER_TMPDIR=/mnt/disk2/tmp
+    /usr/local/bin/dockerd -D -g /var/lib/docker -H unix:// > /var/lib/docker-machine/docker.log 2>&1
+
+#### Default cgroup parent
+
+The `--cgroup-parent` option allows you to set the default cgroup parent
+to use for containers. If this option is not set, it defaults to `/docker` for
+fs cgroup driver and `system.slice` for systemd cgroup driver.
+
+If the cgroup has a leading forward slash (`/`), the cgroup is created
+under the root cgroup, otherwise the cgroup is created under the daemon
+cgroup.
+
+Assuming the daemon is running in cgroup `daemoncgroup`,
+`--cgroup-parent=/foobar` creates a cgroup in
+`/sys/fs/cgroup/memory/foobar`, whereas using `--cgroup-parent=foobar`
+creates the cgroup in `/sys/fs/cgroup/memory/daemoncgroup/foobar`
+
+The systemd cgroup driver has different rules for `--cgroup-parent`. Systemd
+represents hierarchy by slice and the name of the slice encodes the location in
+the tree. So `--cgroup-parent` for systemd cgroups should be a slice name. A
+name can consist of a dash-separated series of names, which describes the path
+to the slice from the root slice. For example, `--cgroup-parent=user-a-b.slice`
+means the memory cgroup for the container is created in
+`/sys/fs/cgroup/memory/user.slice/user-a.slice/user-a-b.slice/docker-<id>.scope`.
+
+This setting can also be set per container, using the `--cgroup-parent`
+option on `docker create` and `docker run`, and takes precedence over
+the `--cgroup-parent` option on the daemon.
+
+#### Daemon metrics
+
+The `--metrics-addr` option takes a tcp address to serve the metrics API.
+This feature is still experimental, therefore, the daemon must be running in experimental
+mode for this feature to work.
+
+To serve the metrics API on localhost:1337 you would specify `--metrics-addr 127.0.0.1:1337`
+allowing you to make requests on the API at `127.0.0.1:1337/metrics` to receive metrics in the
+[prometheus](https://prometheus.io/docs/instrumenting/exposition_formats/) format.
+
+If you are running a prometheus server you can add this address to your scrape configs
+to have prometheus collect metrics on Docker.  For more information
+on prometheus you can view the website [here](https://prometheus.io/).
+
+```none
+scrape_configs:
+  - job_name: 'docker'
+    static_configs:
+      - targets: ['127.0.0.1:1337']
+```
+
+Please note that this feature is still marked as experimental as metrics and metric
+names could change while this feature is still in experimental.  Please provide
+feedback on what you would like to see collected in the API.
+
+#### Node Generic Resources
+
+The `--node-generic-resources` option takes a list of key-value
+pair (`key=value`) that allows you to advertise user defined resources
+in a swarm cluster.
+
+The current expected use case is to advertise NVIDIA GPUs so that services
+requesting `NVIDIA-GPU=[0-16]` can land on a node that has enough GPUs for
+the task to run.
+
+Example of usage:
+```json
+{
+	"node-generic-resources": ["NVIDIA-GPU=UUID1", "NVIDIA-GPU=UUID2"]
+}
+```
+
+### Daemon configuration file
+
+The `--config-file` option allows you to set any configuration option
+for the daemon in a JSON format. This file uses the same flag names as keys,
+except for flags that allow several entries, where it uses the plural
+of the flag name, e.g., `labels` for the `label` flag.
+
+The options set in the configuration file must not conflict with options set
+via flags. The docker daemon fails to start if an option is duplicated between
+the file and the flags, regardless their value. We do this to avoid
+silently ignore changes introduced in configuration reloads.
+For example, the daemon fails to start if you set daemon labels
+in the configuration file and also set daemon labels via the `--label` flag.
+Options that are not present in the file are ignored when the daemon starts.
+
+##### On Linux
+
+The default location of the configuration file on Linux is
+`/etc/docker/daemon.json`. The `--config-file` flag can be used to specify a
+ non-default location.
+
+This is a full example of the allowed configuration options on Linux:
+
+```json
+{
+	"authorization-plugins": [],
+	"data-root": "",
+	"dns": [],
+	"dns-opts": [],
+	"dns-search": [],
+	"exec-opts": [],
+	"exec-root": "",
+	"experimental": false,
+	"storage-driver": "",
+	"storage-opts": [],
+	"labels": [],
+	"live-restore": true,
+	"log-driver": "",
+	"log-opts": {},
+	"mtu": 0,
+	"pidfile": "",
+	"cluster-store": "",
+	"cluster-store-opts": {},
+	"cluster-advertise": "",
+	"max-concurrent-downloads": 3,
+	"max-concurrent-uploads": 5,
+	"default-shm-size": "64M",
+	"shutdown-timeout": 15,
+	"debug": true,
+	"hosts": [],
+	"log-level": "",
+	"tls": true,
+	"tlsverify": true,
+	"tlscacert": "",
+	"tlscert": "",
+	"tlskey": "",
+	"swarm-default-advertise-addr": "",
+	"api-cors-header": "",
+	"selinux-enabled": false,
+	"userns-remap": "",
+	"group": "",
+	"cgroup-parent": "",
+	"default-ulimits": {},
+	"init": false,
+	"init-path": "/usr/libexec/docker-init",
+	"ipv6": false,
+	"iptables": false,
+	"ip-forward": false,
+	"ip-masq": false,
+	"userland-proxy": false,
+	"userland-proxy-path": "/usr/libexec/docker-proxy",
+	"ip": "0.0.0.0",
+	"bridge": "",
+	"bip": "",
+	"fixed-cidr": "",
+	"fixed-cidr-v6": "",
+	"default-gateway": "",
+	"default-gateway-v6": "",
+	"icc": false,
+	"raw-logs": false,
+	"allow-nondistributable-artifacts": [],
+	"registry-mirrors": [],
+	"seccomp-profile": "",
+	"insecure-registries": [],
+	"no-new-privileges": false,
+	"default-runtime": "runc",
+	"oom-score-adjust": -500,
+	"node-generic-resources": ["NVIDIA-GPU=UUID1", "NVIDIA-GPU=UUID2"],
+	"runtimes": {
+		"cc-runtime": {
+			"path": "/usr/bin/cc-runtime"
+		},
+		"custom": {
+			"path": "/usr/local/bin/my-runc-replacement",
+			"runtimeArgs": [
+				"--debug"
+			]
+		}
+	},
+	"default-address-pools":[{"base":"172.80.0.0/16","size":24},
+	{"base":"172.90.0.0/16","size":24}]
+}
+```
+
+> **Note:** You cannot set options in `daemon.json` that have already been set on
+> daemon startup as a flag.
+> On systems that use `systemd` to start the Docker daemon, `-H` is already set, so
+> you cannot use the `hosts` key in `daemon.json` to add listening addresses.
+> See https://docs.docker.com/engine/admin/systemd/#custom-docker-daemon-options for how
+> to accomplish this task with a systemd drop-in file.
+
+##### On Windows
+
+The default location of the configuration file on Windows is
+ `%programdata%\docker\config\daemon.json`. The `--config-file` flag can be
+ used to specify a non-default location.
+
+This is a full example of the allowed configuration options on Windows:
+
+```json
+{
+    "authorization-plugins": [],
+    "data-root": "",
+    "dns": [],
+    "dns-opts": [],
+    "dns-search": [],
+    "exec-opts": [],
+    "experimental": false,
+    "storage-driver": "",
+    "storage-opts": [],
+    "labels": [],
+    "log-driver": "",
+    "mtu": 0,
+    "pidfile": "",
+    "cluster-store": "",
+    "cluster-advertise": "",
+    "max-concurrent-downloads": 3,
+    "max-concurrent-uploads": 5,
+    "shutdown-timeout": 15,
+    "debug": true,
+    "hosts": [],
+    "log-level": "",
+    "tlsverify": true,
+    "tlscacert": "",
+    "tlscert": "",
+    "tlskey": "",
+    "swarm-default-advertise-addr": "",
+    "group": "",
+    "default-ulimits": {},
+    "bridge": "",
+    "fixed-cidr": "",
+    "raw-logs": false,
+    "allow-nondistributable-artifacts": [],
+    "registry-mirrors": [],
+    "insecure-registries": []
+}
+```
+
+#### Configuration reload behavior
+
+Some options can be reconfigured when the daemon is running without requiring
+to restart the process. We use the `SIGHUP` signal in Linux to reload, and a global event
+in Windows with the key `Global\docker-daemon-config-$PID`. The options can
+be modified in the configuration file but still will check for conflicts with
+the provided flags. The daemon fails to reconfigure itself
+if there are conflicts, but it won't stop execution.
+
+The list of currently supported options that can be reconfigured is this:
+
+- `debug`: it changes the daemon to debug mode when set to true.
+- `cluster-store`: it reloads the discovery store with the new address.
+- `cluster-store-opts`: it uses the new options to reload the discovery store.
+- `cluster-advertise`: it modifies the address advertised after reloading.
+- `labels`: it replaces the daemon labels with a new set of labels.
+- `live-restore`: Enables [keeping containers alive during daemon downtime](https://docs.docker.com/config/containers/live-restore/).
+- `max-concurrent-downloads`: it updates the max concurrent downloads for each pull.
+- `max-concurrent-uploads`: it updates the max concurrent uploads for each push.
+- `default-runtime`: it updates the runtime to be used if not is
+  specified at container creation. It defaults to "default" which is
+  the runtime shipped with the official docker packages.
+- `runtimes`: it updates the list of available OCI runtimes that can
+  be used to run containers.
+- `authorization-plugin`: specifies the authorization plugins to use.
+- `allow-nondistributable-artifacts`: Replaces the set of registries to which the daemon will push nondistributable artifacts with a new set of registries.
+- `insecure-registries`: it replaces the daemon insecure registries with a new set of insecure registries. If some existing insecure registries in daemon's configuration are not in newly reloaded insecure resgitries, these existing ones will be removed from daemon's config.
+- `registry-mirrors`: it replaces the daemon registry mirrors with a new set of registry mirrors. If some existing registry mirrors in daemon's configuration are not in newly reloaded registry mirrors, these existing ones will be removed from daemon's config.
+- `shutdown-timeout`: it replaces the daemon's existing configuration timeout with a new timeout for shutting down all containers.
+
+Updating and reloading the cluster configurations such as `--cluster-store`,
+`--cluster-advertise` and `--cluster-store-opts` will take effect only if
+these configurations were not previously configured. If `--cluster-store`
+has been provided in flags and `cluster-advertise` not, `cluster-advertise`
+can be added in the configuration file without accompanied by `--cluster-store`.
+Configuration reload will log a warning message if it detects a change in
+previously configured cluster configurations.
+
+
+### Run multiple daemons
+
+> **Note:** Running multiple daemons on a single host is considered as "experimental". The user should be aware of
+> unsolved problems. This solution may not work properly in some cases. Solutions are currently under development
+> and will be delivered in the near future.
+
+This section describes how to run multiple Docker daemons on a single host. To
+run multiple daemons, you must configure each daemon so that it does not
+conflict with other daemons on the same host. You can set these options either
+by providing them as flags, or by using a [daemon configuration file](#daemon-configuration-file).
+
+The following daemon options must be configured for each daemon:
+
+```none
+-b, --bridge=                          Attach containers to a network bridge
+--exec-root=/var/run/docker            Root of the Docker execdriver
+--data-root=/var/lib/docker            Root of persisted Docker data
+-p, --pidfile=/var/run/docker.pid      Path to use for daemon PID file
+-H, --host=[]                          Daemon socket(s) to connect to
+--iptables=true                        Enable addition of iptables rules
+--config-file=/etc/docker/daemon.json  Daemon configuration file
+--tlscacert="~/.docker/ca.pem"         Trust certs signed only by this CA
+--tlscert="~/.docker/cert.pem"         Path to TLS certificate file
+--tlskey="~/.docker/key.pem"           Path to TLS key file
+```
+
+When your daemons use different values for these flags, you can run them on the same host without any problems.
+It is very important to properly understand the meaning of those options and to use them correctly.
+
+- The `-b, --bridge=` flag is set to `docker0` as default bridge network. It is created automatically when you install Docker.
+If you are not using the default, you must create and configure the bridge manually or just set it to 'none': `--bridge=none`
+- `--exec-root` is the path where the container state is stored. The default value is `/var/run/docker`. Specify the path for
+your running daemon here.
+- `--data-root` is the path where persisted data such as images, volumes, and
+cluster state are stored. The default value is `/var/lib/docker`. To avoid any
+conflict with other daemons, set this parameter separately for each daemon.
+- `-p, --pidfile=/var/run/docker.pid` is the path where the process ID of the daemon is stored. Specify the path for your
+pid file here.
+- `--host=[]` specifies where the Docker daemon will listen for client connections. If unspecified, it defaults to `/var/run/docker.sock`.
+-  `--iptables=false` prevents the Docker daemon from adding iptables rules. If
+multiple daemons manage iptables rules, they may overwrite rules set by another
+daemon. Be aware that disabling this option requires you to manually add
+iptables rules to expose container ports. If you prevent Docker from adding
+iptables rules, Docker will also not add IP masquerading rules, even if you set
+`--ip-masq` to `true`. Without IP masquerading rules, Docker containers will not be
+able to connect to external hosts or the internet when using network other than
+default bridge.
+- `--config-file=/etc/docker/daemon.json` is the path where configuration file is stored. You can use it instead of
+daemon flags. Specify the path for each daemon.
+- `--tls*` Docker daemon supports `--tlsverify` mode that enforces encrypted and authenticated remote connections.
+The `--tls*` options enable use of specific certificates for individual daemons.
+
+Example script for a separate “bootstrap” instance of the Docker daemon without network:
+
+```bash
+$ sudo dockerd \
+        -H unix:///var/run/docker-bootstrap.sock \
+        -p /var/run/docker-bootstrap.pid \
+        --iptables=false \
+        --ip-masq=false \
+        --bridge=none \
+        --data-root=/var/lib/docker-bootstrap \
+        --exec-root=/var/run/docker-bootstrap
+```
diff --git a/cli/docs/reference/commandline/events.md b/cli/docs/reference/commandline/events.md
new file mode 100644
index 00000000..5c450aa0
--- /dev/null
+++ b/cli/docs/reference/commandline/events.md
@@ -0,0 +1,413 @@
+---
+title: "events"
+description: "The events command description and usage"
+keywords: "events, container, report"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# events
+
+```markdown
+Usage:  docker events [OPTIONS]
+
+Get real time events from the server
+
+Options:
+  -f, --filter value   Filter output based on conditions provided (default [])
+      --format string  Format the output using the given Go template
+      --help           Print usage
+      --since string   Show all events created since timestamp
+      --until string   Stream events until this timestamp
+```
+
+## Description
+
+Use `docker events` to get real-time events from the server. These events differ
+per Docker object type.
+
+### Object types
+
+#### Containers
+
+Docker containers report the following events:
+
+- `attach`
+- `commit`
+- `copy`
+- `create`
+- `destroy`
+- `detach`
+- `die`
+- `exec_create`
+- `exec_detach`
+- `exec_die`
+- `exec_start`
+- `export`
+- `health_status`
+- `kill`
+- `oom`
+- `pause`
+- `rename`
+- `resize`
+- `restart`
+- `start`
+- `stop`
+- `top`
+- `unpause`
+- `update`
+
+#### Images
+
+Docker images report the following events:
+
+- `delete`
+- `import`
+- `load`
+- `pull`
+- `push`
+- `save`
+- `tag`
+- `untag`
+
+#### Plugins
+
+Docker plugins report the following events:
+
+- `enable`
+- `disable`
+- `install`
+- `remove`
+
+#### Volumes
+
+Docker volumes report the following events:
+
+- `create`
+- `destroy`
+- `mount`
+- `unmount`
+
+#### Networks
+
+Docker networks report the following events:
+
+- `create`
+- `connect`
+- `destroy`
+- `disconnect`
+- `remove`
+
+#### Daemons
+
+Docker daemons report the following events:
+
+- `reload`
+
+#### Services
+
+Docker services report the following events:
+
+- `create`
+- `remove`
+- `update`
+
+#### Nodes
+
+Docker nodes report the following events:
+
+- `create`
+- `remove`
+- `update`
+
+#### Secrets
+
+Docker secrets report the following events:
+
+- `create`
+- `remove`
+- `update`
+
+#### Configs
+
+Docker configs report the following events:
+
+- `create`
+- `remove`
+- `update`
+
+### Limiting, filtering, and formatting the output
+
+#### Limit events by time
+
+The `--since` and `--until` parameters can be Unix timestamps, date formatted
+timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed
+relative to the client machine’s time. If you do not provide the `--since` option,
+the command returns only new and/or live events.  Supported formats for date
+formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
+`2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
+timezone on the client will be used if you do not provide either a `Z` or a
+`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
+that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
+seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
+fraction of a second no more than nine digits long.
+
+#### Filtering
+
+The filtering flag (`-f` or `--filter`) format is of "key=value". If you would
+like to use multiple filters, pass multiple flags (e.g.,
+`--filter "foo=bar" --filter "bif=baz"`)
+
+Using the same filter multiple times will be handled as a *OR*; for example
+`--filter container=588a23dac085 --filter container=a8f7720b8c22` will display
+events for container 588a23dac085 *OR* container a8f7720b8c22
+
+Using multiple filters will be handled as a *AND*; for example
+`--filter container=588a23dac085 --filter event=start` will display events for
+container container 588a23dac085 *AND* the event type is *start*
+
+The currently supported filters are:
+
+* config (`config=<name or id>`)
+* container (`container=<name or id>`)
+* daemon (`daemon=<name or id>`)
+* event (`event=<event action>`)
+* image (`image=<repository or tag>`)
+* label (`label=<key>` or `label=<key>=<value>`)
+* network (`network=<name or id>`)
+* node (`node=<id>`)
+* plugin (`plugin=<name or id>`)
+* scope (`scope=<local or swarm>`)
+* secret (`secret=<name or id>`)
+* service (`service=<name or id>`)
+* type (`type=<container or image or volume or network or daemon or plugin or service or node or secret or config>`)
+* volume (`volume=<name>`)
+
+#### Format
+
+If a format (`--format`) is specified, the given template will be executed
+instead of the default
+format. Go's [text/template](http://golang.org/pkg/text/template/) package
+describes all the details of the format.
+
+If a format is set to `{{json .}}`, the events are streamed as valid JSON
+Lines. For information about JSON Lines, please refer to http://jsonlines.org/ .
+
+## Examples
+
+### Basic example
+
+You'll need two shells for this example.
+
+**Shell 1: Listening for events:**
+
+```bash
+$ docker events
+```
+
+**Shell 2: Start and Stop containers:**
+
+```bash
+$ docker create --name test alpine:latest top
+$ docker start test
+$ docker stop test
+```
+
+**Shell 1: (Again .. now showing events):**
+
+```none
+2017-01-05T00:35:58.859401177+08:00 container create 0fdb48addc82871eb34eb23a847cfd033dedd1a0a37bef2e6d9eb3870fc7ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1f5ceda09d4300f3a846f0acfaa9a8bb0d89e775eb744c5acecd60e0529e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:09.830268747+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:36:09.840186338+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:36:09.880113663+08:00 network disconnect e2e...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:09.890214053+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+```
+
+To exit the `docker events` command, use `CTRL+C`.
+
+### Filter events by time
+
+You can filter the output by an absolute timestamp or relative time on the host
+machine, using the following different time syntaxes:
+
+```bash
+$ docker events --since 1483283804
+2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
+2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:09.830268747+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:36:09.840186338+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:36:09.880113663+08:00 network disconnect e2e...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:09.890214053+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker events --since '2017-01-05'
+2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
+2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:09.830268747+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:36:09.840186338+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:36:09.880113663+08:00 network disconnect e2e...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:09.890214053+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker events --since '2013-09-03T15:49:29'
+2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
+2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:09.830268747+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:36:09.840186338+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:36:09.880113663+08:00 network disconnect e2e...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:09.890214053+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker events --since '10m'
+2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
+2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:09.830268747+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:36:09.840186338+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:36:09.880113663+08:00 network disconnect e2e...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:09.890214053+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker events --since '2017-01-05T00:35:30' --until '2017-01-05T00:36:05'
+2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
+2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+```
+
+### Filter events by criteria
+
+The following commands show several different ways to filter the `docker event`
+output.
+
+```bash
+$ docker events --filter 'event=stop'
+
+2017-01-05T00:40:22.880175420+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:41:17.888104182+08:00 container stop 2a8f...4e78 (image=alpine, name=kickass_brattain)
+
+$ docker events --filter 'image=alpine'
+
+2017-01-05T00:41:55.784240236+08:00 container create d9cd...4d70 (image=alpine, name=happy_meitner)
+2017-01-05T00:41:55.913156783+08:00 container start d9cd...4d70 (image=alpine, name=happy_meitner)
+2017-01-05T00:42:01.106875249+08:00 container kill d9cd...4d70 (image=alpine, name=happy_meitner, signal=15)
+2017-01-05T00:42:11.111934041+08:00 container kill d9cd...4d70 (image=alpine, name=happy_meitner, signal=9)
+2017-01-05T00:42:11.119578204+08:00 container die d9cd...4d70 (exitCode=137, image=alpine, name=happy_meitner)
+2017-01-05T00:42:11.173276611+08:00 container stop d9cd...4d70 (image=alpine, name=happy_meitner)
+
+$ docker events --filter 'container=test'
+
+2017-01-05T00:43:00.139719934+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:43:09.259951086+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:43:09.270102715+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:43:09.312556440+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker events --filter 'container=test' --filter 'container=d9cdb1525ea8'
+
+2017-01-05T00:44:11.517071981+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:44:17.685870901+08:00 container start d9cd...4d70 (image=alpine, name=happy_meitner)
+2017-01-05T00:44:29.757658470+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=9)
+2017-01-05T00:44:29.767718510+08:00 container die 0fdb...ff37 (exitCode=137, image=alpine:latest, name=test)
+2017-01-05T00:44:29.815798344+08:00 container destroy 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker events --filter 'container=test' --filter 'event=stop'
+
+2017-01-05T00:46:13.664099505+08:00 container stop a9d1...e130 (image=alpine, name=test)
+
+$ docker events --filter 'type=volume'
+
+2015-12-23T21:05:28.136212689Z volume create test-event-volume-local (driver=local)
+2015-12-23T21:05:28.383462717Z volume mount test-event-volume-local (read/write=true, container=562f...5025, destination=/foo, driver=local, propagation=rprivate)
+2015-12-23T21:05:28.650314265Z volume unmount test-event-volume-local (container=562f...5025, driver=local)
+2015-12-23T21:05:28.716218405Z volume destroy test-event-volume-local (driver=local)
+
+$ docker events --filter 'type=network'
+
+2015-12-23T21:38:24.705709133Z network create 8b11...2c5b (name=test-event-network-local, type=bridge)
+2015-12-23T21:38:25.119625123Z network connect 8b11...2c5b (name=test-event-network-local, container=b4be...c54e, type=bridge)
+
+$ docker events --filter 'container=container_1' --filter 'container=container_2'
+
+2014-09-03T15:49:29.999999999Z07:00 container die 4386fb97867d (image=ubuntu-1:14.04)
+2014-05-10T17:42:14.999999999Z07:00 container stop 4386fb97867d (image=ubuntu-1:14.04)
+2014-05-10T17:42:14.999999999Z07:00 container die 7805c1d35632 (imager=redis:2.8)
+2014-09-03T15:49:29.999999999Z07:00 container stop 7805c1d35632 (image=redis:2.8)
+
+$ docker events --filter 'type=volume'
+
+2015-12-23T21:05:28.136212689Z volume create test-event-volume-local (driver=local)
+2015-12-23T21:05:28.383462717Z volume mount test-event-volume-local (read/write=true, container=562fe10671e9273da25eed36cdce26159085ac7ee6707105fd534866340a5025, destination=/foo, driver=local, propagation=rprivate)
+2015-12-23T21:05:28.650314265Z volume unmount test-event-volume-local (container=562fe10671e9273da25eed36cdce26159085ac7ee6707105fd534866340a5025, driver=local)
+2015-12-23T21:05:28.716218405Z volume destroy test-event-volume-local (driver=local)
+
+$ docker events --filter 'type=network'
+
+2015-12-23T21:38:24.705709133Z network create 8b111217944ba0ba844a65b13efcd57dc494932ee2527577758f939315ba2c5b (name=test-event-network-local, type=bridge)
+2015-12-23T21:38:25.119625123Z network connect 8b111217944ba0ba844a65b13efcd57dc494932ee2527577758f939315ba2c5b (name=test-event-network-local, container=b4be644031a3d90b400f88ab3d4bdf4dc23adb250e696b6328b85441abe2c54e, type=bridge)
+
+$ docker events --filter 'type=plugin'
+
+2016-07-25T17:30:14.825557616Z plugin pull ec7b87f2ce84330fe076e666f17dfc049d2d7ae0b8190763de94e1f2d105993f (name=tiborvass/sample-volume-plugin:latest)
+2016-07-25T17:30:14.888127370Z plugin enable ec7b87f2ce84330fe076e666f17dfc049d2d7ae0b8190763de94e1f2d105993f (name=tiborvass/sample-volume-plugin:latest)
+
+$ docker events -f type=service
+
+2017-07-12T06:34:07.999446625Z service create wj64st89fzgchxnhiqpn8p4oj (name=reverent_albattani)
+2017-07-12T06:34:21.405496207Z service remove wj64st89fzgchxnhiqpn8p4oj (name=reverent_albattani)
+
+$ docker events -f type=node
+
+2017-07-12T06:21:51.951586759Z node update 3xyz5ttp1a253q74z1thwywk9 (name=ip-172-31-23-42, state.new=ready, state.old=unknown)
+
+$ docker events -f type=secret
+
+2017-07-12T06:32:13.915704367Z secret create s8o6tmlnndrgzbmdilyy5ymju (name=new_secret)
+2017-07-12T06:32:37.052647783Z secret remove s8o6tmlnndrgzbmdilyy5ymju (name=new_secret)
+
+$  docker events -f type=config
+2017-07-12T06:44:13.349037127Z config create u96zlvzdfsyb9sg4mhyxfh3rl (name=abc)
+2017-07-12T06:44:36.327694184Z config remove u96zlvzdfsyb9sg4mhyxfh3rl (name=abc)
+
+$ docker events --filter 'scope=swarm'
+
+2017-07-10T07:46:50.250024503Z service create m8qcxu8081woyof7w3jaax6gk (name=affectionate_wilson)
+2017-07-10T07:47:31.093797134Z secret create 6g5pufzsv438p9tbvl9j94od4 (name=new_secret)
+```
+
+### Format the output
+
+```bash
+$ docker events --filter 'type=container' --format 'Type={{.Type}}  Status={{.Status}}  ID={{.ID}}'
+
+Type=container  Status=create  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+Type=container  Status=attach  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+Type=container  Status=start  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+Type=container  Status=resize  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+Type=container  Status=die  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+Type=container  Status=destroy  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+```
+
+#### Format as JSON
+
+```none
+    $ docker events --format '{{json .}}'
+
+    {"status":"create","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
+    {"status":"attach","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
+    {"Type":"network","Action":"connect","Actor":{"ID":"1b50a5bf755f6021dfa78e..
+    {"status":"start","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f42..
+    {"status":"resize","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
+```
diff --git a/cli/docs/reference/commandline/exec.md b/cli/docs/reference/commandline/exec.md
new file mode 100644
index 00000000..35072dad
--- /dev/null
+++ b/cli/docs/reference/commandline/exec.md
@@ -0,0 +1,125 @@
+---
+title: "exec"
+description: "The exec command description and usage"
+keywords: "command, container, run, execute"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# exec
+
+```markdown
+Usage:  docker exec [OPTIONS] CONTAINER COMMAND [ARG...]
+
+Run a command in a running container
+
+Options:
+  -d, --detach         Detached mode: run command in the background
+      --detach-keys    Override the key sequence for detaching a container
+  -e, --env=[]         Set environment variables
+      --help           Print usage
+  -i, --interactive    Keep STDIN open even if not attached
+      --privileged     Give extended privileges to the command
+  -t, --tty            Allocate a pseudo-TTY
+  -u, --user           Username or UID (format: <name|uid>[:<group|gid>])
+  -w, --workdir        Working directory inside the container  
+```
+
+## Description
+
+The `docker exec` command runs a new command in a running container.
+
+The command started using `docker exec` only runs while the container's primary
+process (`PID 1`) is running, and it is not restarted if the container is
+restarted.
+
+COMMAND will run in the default directory of the container. If the
+underlying image has a custom directory specified with the WORKDIR directive
+in its Dockerfile, this will be used instead.
+
+COMMAND should be an executable, a chained or a quoted command
+will not work. Example: `docker exec -ti my_container "echo a && echo b"` will
+not work, but `docker exec -ti my_container sh -c "echo a && echo b"` will.
+
+## Examples
+
+### Run `docker exec` on a running container
+
+First, start a container.
+
+```bash
+$ docker run --name ubuntu_bash --rm -i -t ubuntu bash
+```
+
+This will create a container named `ubuntu_bash` and start a Bash session.
+
+Next, execute a command on the container.
+
+```bash
+$ docker exec -d ubuntu_bash touch /tmp/execWorks
+```
+
+This will create a new file `/tmp/execWorks` inside the running container
+`ubuntu_bash`, in the background.
+
+Next, execute an interactive `bash` shell on the container.
+
+```bash
+$ docker exec -it ubuntu_bash bash
+```
+
+This will create a new Bash session in the container `ubuntu_bash`.
+
+Next, set an environment variable in the current bash session.
+
+```bash
+$ docker exec -it -e VAR=1 ubuntu_bash bash
+```
+
+This will create a new Bash session in the container `ubuntu_bash` with environment 
+variable `$VAR` set to "1". Note that this environment variable will only be valid 
+on the current Bash session.
+
+By default `docker exec` command runs in the same working directory set when container was created.
+
+```bash
+$ docker exec -it ubuntu_bash pwd
+/
+```
+
+You can select working directory for the command to execute into
+
+```bash
+$ docker exec -it -w /root ubuntu_bash pwd
+/root
+```
+
+
+### Try to run `docker exec` on a paused container
+
+If the container is paused, then the `docker exec` command will fail with an error:
+
+```bash
+$ docker pause test
+
+test
+
+$ docker ps
+
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                   PORTS               NAMES
+1ae3b36715d2        ubuntu:latest       "bash"              17 seconds ago      Up 16 seconds (Paused)                       test
+
+$ docker exec test ls
+
+FATA[0000] Error response from daemon: Container test is paused, unpause the container before exec
+
+$ echo $?
+1
+```
diff --git a/cli/docs/reference/commandline/export.md b/cli/docs/reference/commandline/export.md
new file mode 100644
index 00000000..88663e4f
--- /dev/null
+++ b/cli/docs/reference/commandline/export.md
@@ -0,0 +1,48 @@
+---
+title: "export"
+description: "The export command description and usage"
+keywords: "export, file, system, container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# export
+
+```markdown
+Usage:  docker export [OPTIONS] CONTAINER
+
+Export a container's filesystem as a tar archive
+
+Options:
+      --help            Print usage
+  -o, --output string   Write to a file, instead of STDOUT
+```
+
+## Description
+
+The `docker export` command does not export the contents of volumes associated
+with the container. If a volume is mounted on top of an existing directory in
+the container, `docker export` will export the contents of the *underlying*
+directory, not the contents of the volume.
+
+Refer to [Backup, restore, or migrate data volumes](https://docs.docker.com/v17.03/engine/tutorials/dockervolumes/#backup-restore-or-migrate-data-volumes)
+in the user guide for examples on exporting data in a volume.
+
+## Examples
+
+Each of these commands has the same result.
+
+```bash
+$ docker export red_panda > latest.tar
+```
+
+```bash
+$ docker export --output="latest.tar" red_panda
+```
diff --git a/cli/docs/reference/commandline/history.md b/cli/docs/reference/commandline/history.md
new file mode 100644
index 00000000..20cf8f5e
--- /dev/null
+++ b/cli/docs/reference/commandline/history.md
@@ -0,0 +1,87 @@
+---
+title: "history"
+description: "The history command description and usage"
+keywords: "docker, image, history"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# history
+
+```markdown
+Usage:  docker history [OPTIONS] IMAGE
+
+Show the history of an image
+
+Options:
+      --format string   Pretty-print images using a Go template
+      --help            Print usage
+  -H, --human           Print sizes and dates in human readable format (default true)
+      --no-trunc        Don't truncate output
+  -q, --quiet           Only show numeric IDs
+```
+
+
+## Examples
+
+To see how the `docker:latest` image was built:
+
+```bash
+$ docker history docker
+
+IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
+3e23a5875458        8 days ago          /bin/sh -c #(nop) ENV LC_ALL=C.UTF-8            0 B
+8578938dd170        8 days ago          /bin/sh -c dpkg-reconfigure locales &&    loc   1.245 MB
+be51b77efb42        8 days ago          /bin/sh -c apt-get update && apt-get install    338.3 MB
+4b137612be55        6 weeks ago         /bin/sh -c #(nop) ADD jessie.tar.xz in /        121 MB
+750d58736b4b        6 weeks ago         /bin/sh -c #(nop) MAINTAINER Tianon Gravi <ad   0 B
+511136ea3c5a        9 months ago                                                        0 B                 Imported from -
+```
+
+To see how the `docker:apache` image was added to a container's base image:
+
+```bash
+$ docker history docker:scm
+IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
+2ac9d1098bf1        3 months ago        /bin/bash                                       241.4 MB            Added Apache to Fedora base image
+88b42ffd1f7c        5 months ago        /bin/sh -c #(nop) ADD file:1fd8d7f9f6557cafc7   373.7 MB
+c69cab00d6ef        5 months ago        /bin/sh -c #(nop) MAINTAINER Lokesh Mandvekar   0 B
+511136ea3c5a        19 months ago                                                       0 B                 Imported from -
+```
+
+### Format the output
+
+The formatting option (`--format`) will pretty-prints history output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+| Placeholder     | Description |
+| --------------- | ----------- |
+| `.ID`           | Image ID    |
+| `.CreatedSince` | Elapsed time since the image was created if `--human=true`, otherwise timestamp of when image was created |
+| `.CreatedAt`    | Timestamp of when image was created |
+| `.CreatedBy`    | Command that was used to create the image |
+| `.Size`         | Image disk size |
+| `.Comment`      | Comment for image |
+
+When using the `--format` option, the `history` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, will include column headers as well.
+
+The following example uses a template without headers and outputs the
+`ID` and `CreatedSince` entries separated by a colon for the `busybox` image:
+
+```bash
+$ docker history --format "{{.ID}}: {{.CreatedSince}}" busybox
+
+f6e427c148a7: 4 weeks ago
+<missing>: 4 weeks ago
+```
diff --git a/cli/docs/reference/commandline/image.md b/cli/docs/reference/commandline/image.md
new file mode 100644
index 00000000..1be96c72
--- /dev/null
+++ b/cli/docs/reference/commandline/image.md
@@ -0,0 +1,47 @@
+
+---
+title: "image"
+description: "The image command description and usage"
+keywords: "image"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# image
+
+```markdown
+Usage:  docker image COMMAND
+
+Manage images
+
+Options:
+      --help   Print usage
+
+Commands:
+  build       Build an image from a Dockerfile
+  history     Show the history of an image
+  import      Import the contents from a tarball to create a filesystem image
+  inspect     Display detailed information on one or more images
+  load        Load an image from a tar archive or STDIN
+  ls          List images
+  prune       Remove unused images
+  pull        Pull an image or a repository from a registry
+  push        Push an image or a repository to a registry
+  rm          Remove one or more images
+  save        Save one or more images to a tar archive (streamed to STDOUT by default)
+  tag         Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
+
+Run 'docker image COMMAND --help' for more information on a command.
+
+```
+
+## Description
+
+Manage images.
diff --git a/cli/docs/reference/commandline/image_prune.md b/cli/docs/reference/commandline/image_prune.md
new file mode 100644
index 00000000..da0520b5
--- /dev/null
+++ b/cli/docs/reference/commandline/image_prune.md
@@ -0,0 +1,213 @@
+---
+title: "image prune"
+description: "Remove all stopped images"
+keywords: "image, prune, delete, remove"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# image prune
+
+```markdown
+Usage:	docker image prune [OPTIONS]
+
+Remove unused images
+
+Options:
+  -a, --all             Remove all unused images, not just dangling ones
+      --filter filter   Provide filter values (e.g. 'until=<timestamp>')
+  -f, --force           Do not prompt for confirmation
+      --help            Print usage
+```
+
+## Description
+
+Remove all dangling images. If `-a` is specified, will also remove all images not referenced by any container.
+
+## Examples
+
+Example output:
+
+```bash
+$ docker image prune -a
+
+WARNING! This will remove all images without at least one container associated to them.
+Are you sure you want to continue? [y/N] y
+Deleted Images:
+untagged: alpine:latest
+untagged: alpine@sha256:3dcdb92d7432d56604d4545cbd324b14e647b313626d99b889d0626de158f73a
+deleted: sha256:4e38e38c8ce0b8d9041a9c4fefe786631d1416225e13b0bfe8cfa2321aec4bba
+deleted: sha256:4fe15f8d0ae69e169824f25f1d4da3015a48feeeeebb265cd2e328e15c6a869f
+untagged: alpine:3.3
+untagged: alpine@sha256:4fa633f4feff6a8f02acfc7424efd5cb3e76686ed3218abf4ca0fa4a2a358423
+untagged: my-jq:latest
+deleted: sha256:ae67841be6d008a374eff7c2a974cde3934ffe9536a7dc7ce589585eddd83aff
+deleted: sha256:34f6f1261650bc341eb122313372adc4512b4fceddc2a7ecbb84f0958ce5ad65
+deleted: sha256:cf4194e8d8db1cb2d117df33f2c75c0369c3a26d96725efb978cc69e046b87e7
+untagged: my-curl:latest
+deleted: sha256:b2789dd875bf427de7f9f6ae001940073b3201409b14aba7e5db71f408b8569e
+deleted: sha256:96daac0cb203226438989926fc34dd024f365a9a8616b93e168d303cfe4cb5e9
+deleted: sha256:5cbd97a14241c9cd83250d6b6fc0649833c4a3e84099b968dd4ba403e609945e
+deleted: sha256:a0971c4015c1e898c60bf95781c6730a05b5d8a2ae6827f53837e6c9d38efdec
+deleted: sha256:d8359ca3b681cc5396a4e790088441673ed3ce90ebc04de388bfcd31a0716b06
+deleted: sha256:83fc9ba8fb70e1da31dfcc3c88d093831dbd4be38b34af998df37e8ac538260c
+deleted: sha256:ae7041a4cc625a9c8e6955452f7afe602b401f662671cea3613f08f3d9343b35
+deleted: sha256:35e0f43a37755b832f0bbea91a2360b025ee351d7309dae0d9737bc96b6d0809
+deleted: sha256:0af941dd29f00e4510195dd00b19671bc591e29d1495630e7e0f7c44c1e6a8c0
+deleted: sha256:9fc896fc2013da84f84e45b3096053eb084417b42e6b35ea0cce5a3529705eac
+deleted: sha256:47cf20d8c26c46fff71be614d9f54997edacfe8d46d51769706e5aba94b16f2b
+deleted: sha256:2c675ee9ed53425e31a13e3390bf3f539bf8637000e4bcfbb85ee03ef4d910a1
+
+Total reclaimed space: 16.43 MB
+```
+
+### Filtering
+
+The filtering flag (`--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* until (`<timestamp>`) - only remove images created before given timestamp
+* label (`label=<key>`, `label=<key>=<value>`, `label!=<key>`, or `label!=<key>=<value>`) - only remove images with (or without, in case `label!=...` is used) the specified labels.
+
+The `until` filter can be Unix timestamps, date formatted
+timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed
+relative to the daemon machine’s time. Supported formats for date
+formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
+`2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
+timezone on the daemon will be used if you do not provide either a `Z` or a
+`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
+that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
+seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
+fraction of a second no more than nine digits long.
+
+The `label` filter accepts two formats. One is the `label=...` (`label=<key>` or `label=<key>=<value>`),
+which removes images with the specified labels. The other
+format is the `label!=...` (`label!=<key>` or `label!=<key>=<value>`), which removes
+images without the specified labels.
+
+> **Predicting what will be removed**
+>
+> If you are using positive filtering (testing for the existence of a label or
+> that a label has a specific value), you can use `docker image ls` with the
+> same filtering syntax to see which images match your filter.
+>
+> However, if you are using negative filtering (testing for the absence of a
+> label or that a label does *not* have a specific value), this type of filter
+> does not work with `docker image ls` so you cannot easily predict which images
+> will be removed. In addition, the confirmation prompt for `docker image prune`
+> always warns that *all* dangling images will be removed, even if you are using
+> `--filter`.
+
+The following removes images created before `2017-01-04T00:00:00`:
+
+```bash
+$ docker images --format 'table {{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.CreatedAt}}\t{{.Size}}'
+REPOSITORY          TAG                 IMAGE ID            CREATED AT                      SIZE
+foo                 latest              2f287ac753da        2017-01-04 13:42:23 -0800 PST   3.98 MB
+alpine              latest              88e169ea8f46        2016-12-27 10:17:25 -0800 PST   3.98 MB
+busybox             latest              e02e811dd08f        2016-10-07 14:03:58 -0700 PDT   1.09 MB
+
+$ docker image prune -a --force --filter "until=2017-01-04T00:00:00"
+
+Deleted Images:
+untagged: alpine:latest
+untagged: alpine@sha256:dfbd4a3a8ebca874ebd2474f044a0b33600d4523d03b0df76e5c5986cb02d7e8
+untagged: busybox:latest
+untagged: busybox@sha256:29f5d56d12684887bdfa50dcd29fc31eea4aaf4ad3bec43daf19026a7ce69912
+deleted: sha256:e02e811dd08fd49e7f6032625495118e63f597eb150403d02e3238af1df240ba
+deleted: sha256:e88b3f82283bc59d5e0df427c824e9f95557e661fcb0ea15fb0fb6f97760f9d9
+
+Total reclaimed space: 1.093 MB
+
+$ docker images --format 'table {{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.CreatedAt}}\t{{.Size}}'
+
+REPOSITORY          TAG                 IMAGE ID            CREATED AT                      SIZE
+foo                 latest              2f287ac753da        2017-01-04 13:42:23 -0800 PST   3.98 MB
+```
+
+The following removes images created more than 10 days (`240h`) ago:
+
+```bash
+$ docker images
+
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+foo                 latest              2f287ac753da        14 seconds ago      3.98 MB
+alpine              latest              88e169ea8f46        8 days ago          3.98 MB
+debian              jessie              7b0a06c805e8        2 months ago        123 MB
+busybox             latest              e02e811dd08f        2 months ago        1.09 MB
+golang              1.7.0               138c2e655421        4 months ago        670 MB
+
+$ docker image prune -a --force --filter "until=240h"
+
+Deleted Images:
+untagged: golang:1.7.0
+untagged: golang@sha256:6765038c2b8f407fd6e3ecea043b44580c229ccfa2a13f6d85866cf2b4a9628e
+deleted: sha256:138c2e6554219de65614d88c15521bfb2da674cbb0bf840de161f89ff4264b96
+deleted: sha256:ec353c2e1a673f456c4b78906d0d77f9d9456cfb5229b78c6a960bfb7496b76a
+deleted: sha256:fe22765feaf3907526b4921c73ea6643ff9e334497c9b7e177972cf22f68ee93
+deleted: sha256:ff845959c80148421a5c3ae11cc0e6c115f950c89bc949646be55ed18d6a2912
+deleted: sha256:a4320831346648c03db64149eafc83092e2b34ab50ca6e8c13112388f25899a7
+deleted: sha256:4c76020202ee1d9709e703b7c6de367b325139e74eebd6b55b30a63c196abaf3
+deleted: sha256:d7afd92fb07236c8a2045715a86b7d5f0066cef025018cd3ca9a45498c51d1d6
+deleted: sha256:9e63c5bce4585dd7038d830a1f1f4e44cb1a1515b00e620ac718e934b484c938
+untagged: debian:jessie
+untagged: debian@sha256:c1af755d300d0c65bb1194d24bce561d70c98a54fb5ce5b1693beb4f7988272f
+deleted: sha256:7b0a06c805e8f23807fb8856621c60851727e85c7bcb751012c813f122734c8d
+deleted: sha256:f96222d75c5563900bc4dd852179b720a0885de8f7a0619ba0ac76e92542bbc8
+
+Total reclaimed space: 792.6 MB
+
+$ docker images
+
+REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
+foo                 latest              2f287ac753da        About a minute ago   3.98 MB
+alpine              latest              88e169ea8f46        8 days ago           3.98 MB
+busybox             latest              e02e811dd08f        2 months ago         1.09 MB
+```
+
+The following example removes images with the label `deprecated`:
+
+```bash
+$ docker image prune --filter="label=deprecated"
+```
+
+The following example removes images with the label `maintainer` set to `john`:
+
+```bash
+$ docker image prune --filter="label=maintainer=john"
+```
+
+This example removes images which have no `maintainer` label:
+
+```bash
+$ docker image prune --filter="label!=maintainer"
+```
+
+This example removes images which have a maintainer label not set to `john`:
+
+```bash
+$ docker image prune --filter="label!=maintainer=john"
+```
+
+> **Note**: You are prompted for confirmation before the `prune` removes
+> anything, but you are not shown a list of what will potentially be removed.
+> In addition, `docker image ls` does not support negative filtering, so it
+> difficult to predict what images will actually be removed.
+
+## Related commands
+
+* [system df](system_df.md)
+* [container prune](container_prune.md)
+* [volume prune](volume_prune.md)
+* [network prune](network_prune.md)
+* [system prune](system_prune.md)
diff --git a/cli/docs/reference/commandline/images.md b/cli/docs/reference/commandline/images.md
new file mode 100644
index 00000000..40642751
--- /dev/null
+++ b/cli/docs/reference/commandline/images.md
@@ -0,0 +1,343 @@
+---
+title: "images"
+description: "The images command description and usage"
+keywords: "list, docker, images"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# images
+
+```markdown
+Usage:  docker images [OPTIONS] [REPOSITORY[:TAG]]
+
+List images
+
+Options:
+  -a, --all             Show all images (default hides intermediate images)
+      --digests         Show digests
+  -f, --filter value    Filter output based on conditions provided (default [])
+                        - dangling=(true|false)
+                        - label=<key> or label=<key>=<value>
+                        - before=(<image-name>[:tag]|<image-id>|<image@digest>)
+                        - since=(<image-name>[:tag]|<image-id>|<image@digest>)
+                        - reference=(pattern of an image reference)
+      --format string   Pretty-print images using a Go template
+      --help            Print usage
+      --no-trunc        Don't truncate output
+  -q, --quiet           Only show numeric IDs
+```
+
+## Description
+
+The default `docker images` will show all top level
+images, their repository and tags, and their size.
+
+Docker images have intermediate layers that increase reusability,
+decrease disk usage, and speed up `docker build` by
+allowing each step to be cached. These intermediate layers are not shown
+by default.
+
+The `SIZE` is the cumulative space taken up by the image and all
+its parent images. This is also the disk space used by the contents of the
+Tar file created when you `docker save` an image.
+
+An image will be listed more than once if it has multiple repository names
+or tags. This single image (identifiable by its matching `IMAGE ID`)
+uses up the `SIZE` listed only once.
+
+## Examples
+
+### List the most recently created images
+
+```bash
+$ docker images
+
+REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
+<none>                    <none>              77af4d6b9913        19 hours ago        1.089 GB
+committ                   latest              b6fa739cedf5        19 hours ago        1.089 GB
+<none>                    <none>              78a85c484f71        19 hours ago        1.089 GB
+docker                    latest              30557a29d5ab        20 hours ago        1.089 GB
+<none>                    <none>              5ed6274db6ce        24 hours ago        1.089 GB
+postgres                  9                   746b819f315e        4 days ago          213.4 MB
+postgres                  9.3                 746b819f315e        4 days ago          213.4 MB
+postgres                  9.3.5               746b819f315e        4 days ago          213.4 MB
+postgres                  latest              746b819f315e        4 days ago          213.4 MB
+```
+
+### List images by name and tag
+
+The `docker images` command takes an optional `[REPOSITORY[:TAG]]` argument
+that restricts the list to images that match the argument. If you specify
+`REPOSITORY`but no `TAG`, the `docker images` command lists all images in the
+given repository.
+
+For example, to list all images in the "java" repository, run this command :
+
+```bash
+$ docker images java
+
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+java                8                   308e519aac60        6 days ago          824.5 MB
+java                7                   493d82594c15        3 months ago        656.3 MB
+java                latest              2711b1d6f3aa        5 months ago        603.9 MB
+```
+
+The `[REPOSITORY[:TAG]]` value must be an "exact match". This means that, for example,
+`docker images jav` does not match the image `java`.
+
+If both `REPOSITORY` and `TAG` are provided, only images matching that
+repository and tag are listed.  To find all local images in the "java"
+repository with tag "8" you can use:
+
+```bash
+$ docker images java:8
+
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+java                8                   308e519aac60        6 days ago          824.5 MB
+```
+
+If nothing matches `REPOSITORY[:TAG]`, the list is empty.
+
+```bash
+$ docker images java:0
+
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+```
+
+### List the full length image IDs
+
+```bash
+$ docker images --no-trunc
+
+REPOSITORY                    TAG                 IMAGE ID                                                                  CREATED             SIZE
+<none>                        <none>              sha256:77af4d6b9913e693e8d0b4b294fa62ade6054e6b2f1ffb617ac955dd63fb0182   19 hours ago        1.089 GB
+committest                    latest              sha256:b6fa739cedf5ea12a620a439402b6004d057da800f91c7524b5086a5e4749c9f   19 hours ago        1.089 GB
+<none>                        <none>              sha256:78a85c484f71509adeaace20e72e941f6bdd2b25b4c75da8693efd9f61a37921   19 hours ago        1.089 GB
+docker                        latest              sha256:30557a29d5abc51e5f1d5b472e79b7e296f595abcf19fe6b9199dbbc809c6ff4   20 hours ago        1.089 GB
+<none>                        <none>              sha256:0124422dd9f9cf7ef15c0617cda3931ee68346455441d66ab8bdc5b05e9fdce5   20 hours ago        1.089 GB
+<none>                        <none>              sha256:18ad6fad340262ac2a636efd98a6d1f0ea775ae3d45240d3418466495a19a81b   22 hours ago        1.082 GB
+<none>                        <none>              sha256:f9f1e26352f0a3ba6a0ff68167559f64f3e21ff7ada60366e2d44a04befd1d3a   23 hours ago        1.089 GB
+tryout                        latest              sha256:2629d1fa0b81b222fca63371ca16cbf6a0772d07759ff80e8d1369b926940074   23 hours ago        131.5 MB
+<none>                        <none>              sha256:5ed6274db6ceb2397844896966ea239290555e74ef307030ebb01ff91b1914df   24 hours ago        1.089 GB
+```
+
+### List image digests
+
+Images that use the v2 or later format have a content-addressable identifier
+called a `digest`. As long as the input used to generate the image is
+unchanged, the digest value is predictable. To list image digest values, use
+the `--digests` flag:
+
+```bash
+$ docker images --digests
+REPOSITORY                         TAG                 DIGEST                                                                    IMAGE ID            CREATED             SIZE
+localhost:5000/test/busybox        <none>              sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf   4986bf8c1536        9 weeks ago         2.43 MB
+```
+
+When pushing or pulling to a 2.0 registry, the `push` or `pull` command
+output includes the image digest. You can `pull` using a digest value. You can
+also reference by digest in `create`, `run`, and `rmi` commands, as well as the
+`FROM` image reference in a Dockerfile.
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* dangling (boolean - true or false)
+* label (`label=<key>` or `label=<key>=<value>`)
+* before (`<image-name>[:<tag>]`,  `<image id>` or `<image@digest>`) - filter images created before given id or references
+* since (`<image-name>[:<tag>]`,  `<image id>` or `<image@digest>`) - filter images created since given id or references
+* reference (pattern of an image reference) - filter images whose reference matches the specified pattern
+
+#### Show untagged images (dangling)
+
+```bash
+$ docker images --filter "dangling=true"
+
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+<none>              <none>              8abc22fbb042        4 weeks ago         0 B
+<none>              <none>              48e5f45168b9        4 weeks ago         2.489 MB
+<none>              <none>              bf747efa0e2f        4 weeks ago         0 B
+<none>              <none>              980fe10e5736        12 weeks ago        101.4 MB
+<none>              <none>              dea752e4e117        12 weeks ago        101.4 MB
+<none>              <none>              511136ea3c5a        8 months ago        0 B
+```
+
+This will display untagged images that are the leaves of the images tree (not
+intermediary layers). These images occur when a new build of an image takes the
+`repo:tag` away from the image ID, leaving it as `<none>:<none>` or untagged.
+A warning will be issued if trying to remove an image when a container is presently
+using it. By having this flag it allows for batch cleanup.
+
+You can use this in conjunction with `docker rmi ...`:
+
+```bash
+$ docker rmi $(docker images -f "dangling=true" -q)
+
+8abc22fbb042
+48e5f45168b9
+bf747efa0e2f
+980fe10e5736
+dea752e4e117
+511136ea3c5a
+```
+
+> **Note**: Docker warns you if any containers exist that are using these
+> untagged images.
+
+
+#### Show images with a given label
+
+The `label` filter matches images based on the presence of a `label` alone or a `label` and a
+value.
+
+The following filter matches images with the `com.example.version` label regardless of its value.
+
+```bash
+$ docker images --filter "label=com.example.version"
+
+REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
+match-me-1          latest              eeae25ada2aa        About a minute ago   188.3 MB
+match-me-2          latest              dea752e4e117        About a minute ago   188.3 MB
+```
+
+The following filter matches images with the `com.example.version` label with the `1.0` value.
+
+```bash
+$ docker images --filter "label=com.example.version=1.0"
+
+REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
+match-me            latest              511136ea3c5a        About a minute ago   188.3 MB
+```
+
+In this example, with the `0.1` value, it returns an empty set because no matches were found.
+
+```bash
+$ docker images --filter "label=com.example.version=0.1"
+REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
+```
+
+#### Filter images by time
+
+The `before` filter shows only images created before the image with
+given id or reference. For example, having these images:
+
+```bash
+$ docker images
+
+REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
+image1              latest              eeae25ada2aa        4 minutes ago        188.3 MB
+image2              latest              dea752e4e117        9 minutes ago        188.3 MB
+image3              latest              511136ea3c5a        25 minutes ago       188.3 MB
+```
+
+Filtering with `before` would give:
+
+```bash
+$ docker images --filter "before=image1"
+
+REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
+image2              latest              dea752e4e117        9 minutes ago        188.3 MB
+image3              latest              511136ea3c5a        25 minutes ago       188.3 MB
+```
+
+Filtering with `since` would give:
+
+```bash
+$ docker images --filter "since=image3"
+REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
+image1              latest              eeae25ada2aa        4 minutes ago        188.3 MB
+image2              latest              dea752e4e117        9 minutes ago        188.3 MB
+```
+
+#### Filter images by reference
+
+The `reference` filter shows only images whose reference matches
+the specified pattern.
+
+```bash
+$ docker images
+
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+busybox             latest              e02e811dd08f        5 weeks ago         1.09 MB
+busybox             uclibc              e02e811dd08f        5 weeks ago         1.09 MB
+busybox             musl                733eb3059dce        5 weeks ago         1.21 MB
+busybox             glibc               21c16b6787c6        5 weeks ago         4.19 MB
+```
+
+Filtering with `reference` would give:
+
+```bash
+$ docker images --filter=reference='busy*:*libc'
+
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+busybox             uclibc              e02e811dd08f        5 weeks ago         1.09 MB
+busybox             glibc               21c16b6787c6        5 weeks ago         4.19 MB
+```
+
+### Format the output
+
+The formatting option (`--format`) will pretty print container output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+| Placeholder | Description|
+| ---- | ---- |
+| `.ID` | Image ID |
+| `.Repository` | Image repository |
+| `.Tag` | Image tag |
+| `.Digest` | Image digest |
+| `.CreatedSince` | Elapsed time since the image was created |
+| `.CreatedAt` | Time when the image was created |
+| `.Size` | Image disk size |
+
+When using the `--format` option, the `image` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, will include column headers as well.
+
+The following example uses a template without headers and outputs the
+`ID` and `Repository` entries separated by a colon for all images:
+
+```bash
+$ docker images --format "{{.ID}}: {{.Repository}}"
+
+77af4d6b9913: <none>
+b6fa739cedf5: committ
+78a85c484f71: <none>
+30557a29d5ab: docker
+5ed6274db6ce: <none>
+746b819f315e: postgres
+746b819f315e: postgres
+746b819f315e: postgres
+746b819f315e: postgres
+```
+
+To list all images with their repository and tag in a table format you
+can use:
+
+```bash
+$ docker images --format "table {{.ID}}\t{{.Repository}}\t{{.Tag}}"
+
+IMAGE ID            REPOSITORY                TAG
+77af4d6b9913        <none>                    <none>
+b6fa739cedf5        committ                   latest
+78a85c484f71        <none>                    <none>
+30557a29d5ab        docker                    latest
+5ed6274db6ce        <none>                    <none>
+746b819f315e        postgres                  9
+746b819f315e        postgres                  9.3
+746b819f315e        postgres                  9.3.5
+746b819f315e        postgres                  latest
+```
diff --git a/cli/docs/reference/commandline/import.md b/cli/docs/reference/commandline/import.md
new file mode 100644
index 00000000..c520ef63
--- /dev/null
+++ b/cli/docs/reference/commandline/import.md
@@ -0,0 +1,89 @@
+---
+title: "import"
+description: "The import command description and usage"
+keywords: "import, file, system, container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# import
+
+```markdown
+Usage:  docker import [OPTIONS] file|URL|- [REPOSITORY[:TAG]]
+
+Import the contents from a tarball to create a filesystem image
+
+Options:
+  -c, --change value     Apply Dockerfile instruction to the created image (default [])
+      --help             Print usage
+  -m, --message string   Set commit message for imported image
+```
+
+## Description
+
+You can specify a `URL` or `-` (dash) to take data directly from `STDIN`. The
+`URL` can point to an archive (.tar, .tar.gz, .tgz, .bzip, .tar.xz, or .txz)
+containing a filesystem or to an individual file on the Docker host.  If you
+specify an archive, Docker untars it in the container relative to the `/`
+(root). If you specify an individual file, you must specify the full path within
+the host. To import from a remote location, specify a `URI` that begins with the
+`http://` or `https://` protocol.
+
+The `--change` option will apply `Dockerfile` instructions to the image
+that is created.
+Supported `Dockerfile` instructions:
+`CMD`|`ENTRYPOINT`|`ENV`|`EXPOSE`|`ONBUILD`|`USER`|`VOLUME`|`WORKDIR`
+
+## Examples
+
+### Import from a remote location
+
+This will create a new untagged image.
+
+```bash
+$ docker import http://example.com/exampleimage.tgz
+```
+
+### Import from a local file
+
+- Import to docker via pipe and `STDIN`.
+
+  ```bash
+  $ cat exampleimage.tgz | docker import - exampleimagelocal:new
+  ```
+
+- Import with a commit message.
+
+  ```bash
+  $ cat exampleimage.tgz | docker import --message "New image imported from tarball" - exampleimagelocal:new
+  ```
+
+- Import to docker from a local archive.
+
+  ```bash
+    $ docker import /path/to/exampleimage.tgz
+  ```
+
+### Import from a local directory
+
+```bash
+$ sudo tar -c . | docker import - exampleimagedir
+```
+
+### Import from a local directory with new configurations
+
+```bash
+$ sudo tar -c . | docker import --change "ENV DEBUG true" - exampleimagedir
+```
+
+Note the `sudo` in this example – you must preserve
+the ownership of the files (especially root ownership) during the
+archiving with tar. If you are not root (or the sudo command) when you
+tar, then the ownerships might not get preserved.
diff --git a/cli/docs/reference/commandline/index.md b/cli/docs/reference/commandline/index.md
new file mode 100644
index 00000000..ddfdbb99
--- /dev/null
+++ b/cli/docs/reference/commandline/index.md
@@ -0,0 +1,184 @@
+---
+title: "Docker commands"
+description: "Docker's CLI command description and usage"
+keywords: "Docker, Docker documentation, CLI, command line"
+identifier: "smn_cli_guide"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# The Docker commands
+
+This section contains reference information on using Docker's command line
+client. Each command has a reference page along with samples. If you are
+unfamiliar with the command line, you should start by reading about how to [Use
+the Docker command line](cli.md).
+
+You start the Docker daemon with the command line. How you start the daemon
+affects your Docker containers. For that reason you should also make sure to
+read the [`dockerd`](dockerd.md) reference page.
+
+## Commands by object
+
+### Docker management commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [dockerd](dockerd.md) | Launch the Docker daemon                             |
+| [info](info.md) | Display system-wide information                            |
+| [inspect](inspect.md)| Return low-level information on a container or image  |
+| [version](version.md) | Show the Docker version information                  |
+
+
+### Image commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [build](build.md) |  Build an image from a Dockerfile                        |
+| [commit](commit.md) | Create a new image from a container's changes          |
+| [history](history.md) | Show the history of an image                         |
+| [images](images.md) | List images                                            |
+| [import](import.md) | Import the contents from a tarball to create a filesystem image |
+| [load](load.md) | Load an image from a tar archive or STDIN                  |
+| [image prune](image_prune.md) | Remove unused images                         |
+| [rmi](rmi.md) | Remove one or more images                                    |
+| [save](save.md) | Save images to a tar archive                               |
+| [tag](tag.md) | Tag an image into a repository                               |
+
+### Container commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [attach](attach.md) | Attach to a running container                          |
+| [container prune](container_prune.md) | Remove all stopped containers        |
+| [cp](cp.md) | Copy files/folders from a container to a HOSTDIR or to STDOUT  |
+| [create](create.md) | Create a new container                                 |
+| [diff](diff.md) | Inspect changes on a container's filesystem                |
+| [events](events.md) | Get real time events from the server                   |
+| [exec](exec.md) | Run a command in a running container                       |
+| [export](export.md) | Export a container's filesystem as a tar archive       |
+| [kill](kill.md) | Kill a running container                                   |
+| [logs](logs.md) | Fetch the logs of a container                              |
+| [pause](pause.md) | Pause all processes within a container                   |
+| [port](port.md) | List port mappings or a specific mapping for the container |
+| [ps](ps.md) | List containers                                                |
+| [rename](rename.md) | Rename a container                                     |
+| [restart](restart.md) | Restart a running container                          |
+| [rm](rm.md) | Remove one or more containers                                  |
+| [run](run.md) | Run a command in a new container                             |
+| [start](start.md) | Start one or more stopped containers                     |
+| [stats](stats.md) | Display a live stream of container(s) resource usage  statistics |
+| [stop](stop.md) | Stop a running container                                   |
+| [top](top.md) | Display the running processes of a container                 |
+| [unpause](unpause.md) | Unpause all processes within a container             |
+| [update](update.md) | Update configuration of one or more containers         |
+| [wait](wait.md) | Block until a container stops, then print its exit code    |
+
+### Hub and registry commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [login](login.md) | Register or log in to a Docker registry                  |
+| [logout](logout.md) | Log out from a Docker registry                         |
+| [pull](pull.md) | Pull an image or a repository from a Docker registry       |
+| [push](push.md) | Push an image or a repository to a Docker registry         |
+| [search](search.md) | Search the Docker Hub for images                       |
+
+### Network and connectivity commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [network connect](network_connect.md) | Connect a container to a network     |
+| [network create](network_create.md) | Create a new network                   |
+| [network disconnect](network_disconnect.md) | Disconnect a container from a network |
+| [network inspect](network_inspect.md) | Display information about a network  |
+| [network ls](network_ls.md) | Lists all the networks the Engine `daemon` knows about |
+| [network prune](network_prune.md) | Remove all unused networks               |
+| [network rm](network_rm.md) | Removes one or more networks                   |
+
+### Shared data volume commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [volume create](volume_create.md) | Creates a new volume where containers can consume and store data |
+| [volume inspect](volume_inspect.md) | Display information about a volume     |
+| [volume ls](volume_ls.md) | Lists all the volumes Docker knows about         |
+| [volume prune](volume_prune.md) | Remove all unused local volumes            |
+| [volume rm](volume_rm.md) | Remove one or more volumes                       |
+
+### Swarm node commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [node demote](node_demote.md) | Demotes an existing manager so that it is no longer a manager |
+| [node inspect](node_inspect.md) | Inspect a node in the swarm                |
+| [node ls](node_ls.md) | List nodes in the swarm                              |
+| [node promote](node_promote.md) | Promote a node that is pending a promotion to manager |
+| [node ps](node_ps.md) | List tasks running on one or more nodes                         |
+| [node rm](node_rm.md) | Remove one or more nodes from the swarm                         |
+| [node update](node_update.md) | Update attributes for a node                 |
+
+### Swarm management commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [swarm init](swarm_init.md) | Initialize a swarm                             |
+| [swarm join](swarm_join.md) | Join a swarm as a manager node or worker node  |
+| [swarm leave](swarm_leave.md) | Remove the current node from the swarm       |
+| [swarm join-token](swarm_join_token.md) | Display or rotate join tokens      |
+| [swarm unlock](swarm_unlock.md) | Unlock swarm                               |
+| [swarm unlock-key](swarm_unlock_key.md) | Manage the unlock key              |
+| [swarm update](swarm_update.md) | Update attributes of a swarm               |
+
+### Swarm service commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [service create](service_create.md) | Create a new service                   |
+| [service inspect](service_inspect.md) | Inspect a service                    |
+| [service logs](service_logs.md)  | Fetch the logs of a service or task       |
+| [service ls](service_ls.md) | List services in the swarm                     |
+| [service ps](service_ps.md) | List the tasks of a service              |
+| [service rm](service_rm.md) | Remove a service from the swarm                |
+| [service scale](service_scale.md) | Set the number of replicas for the desired state of the service |
+| [service update](service_update.md)  | Update the attributes of a service    |
+
+### Swarm secret commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [secret create](secret_create.md) | Create a secret from a file or STDIN as content |
+| [secret inspect](service_inspect.md) | Inspect the specified secret          |
+| [secret ls](secret_ls.md) | List secrets in the swarm                        |
+| [secret rm](secret_rm.md) | Remove the specified secrets from the swarm      |
+
+### Swarm stack commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [stack deploy](stack_deploy.md) | Deploy a new stack or update an existing stack |
+| [stack ls](stack_ls.md) | List stacks in the swarm                           |
+| [stack ps](stack_ps.md) | List the tasks in the stack                        |
+| [stack rm](stack_rm.md) | Remove the stack from the swarm                    |
+| [stack services](stack_services.md) | List the services in the stack         |
+
+### Plugin commands
+
+| Command | Description                                                        |
+|:--------|:-------------------------------------------------------------------|
+| [plugin create](plugin_create.md) | Create a plugin from a rootfs and configuration |
+| [plugin disable](plugin_disable.md) | Disable a plugin                       |
+| [plugin enable](plugin_enable.md)  | Enable a plugin                         |
+| [plugin inspect](plugin_inspect.md) | Display detailed information on a plugin |
+| [plugin install](plugin_install.md) | Install a plugin                       |
+| [plugin ls](plugin_ls.md) | List plugins                                     |
+| [plugin push](plugin_push.md) | Push a plugin to a registry                  |
+| [plugin rm](plugin_rm.md) | Remove a plugin                                  |
+| [plugin set](plugin_set.md)  | Change settings for a plugin                  |
diff --git a/cli/docs/reference/commandline/info.md b/cli/docs/reference/commandline/info.md
new file mode 100644
index 00000000..87f47076
--- /dev/null
+++ b/cli/docs/reference/commandline/info.md
@@ -0,0 +1,245 @@
+---
+title: "info"
+description: "The info command description and usage"
+keywords: "display, docker, information"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# info
+
+```markdown
+Usage:  docker info [OPTIONS]
+
+Display system-wide information
+
+Options:
+  -f, --format string   Format the output using the given Go template
+      --help            Print usage
+```
+
+## Description
+
+This command displays system wide information regarding the Docker installation.
+Information displayed includes the kernel version, number of containers and images.
+The number of images shown is the number of unique images. The same image tagged
+under different names is counted only once.
+
+If a format is specified, the given template will be executed instead of the
+default format. Go's [text/template](http://golang.org/pkg/text/template/) package
+describes all the details of the format.
+
+Depending on the storage driver in use, additional information can be shown, such
+as pool name, data file, metadata file, data space used, total data space, metadata
+space used, and total metadata space.
+
+The data file is where the images are stored and the metadata file is where the
+meta data regarding those images are stored. When run for the first time Docker
+allocates a certain amount of data space and meta data space from the space
+available on the volume where `/var/lib/docker` is mounted.
+
+## Examples
+
+### Show output
+
+The example below shows the output for a daemon running on Red Hat Enterprise Linux,
+using the `devicemapper` storage driver. As can be seen in the output, additional
+information about the `devicemapper` storage driver is shown:
+
+```bash
+$ docker info
+
+Containers: 14
+ Running: 3
+ Paused: 1
+ Stopped: 10
+Images: 52
+Server Version: 1.10.3
+Storage Driver: devicemapper
+ Pool Name: docker-202:2-25583803-pool
+ Pool Blocksize: 65.54 kB
+ Base Device Size: 10.74 GB
+ Backing Filesystem: xfs
+ Data file: /dev/loop0
+ Metadata file: /dev/loop1
+ Data Space Used: 1.68 GB
+ Data Space Total: 107.4 GB
+ Data Space Available: 7.548 GB
+ Metadata Space Used: 2.322 MB
+ Metadata Space Total: 2.147 GB
+ Metadata Space Available: 2.145 GB
+ Udev Sync Supported: true
+ Deferred Removal Enabled: false
+ Deferred Deletion Enabled: false
+ Deferred Deleted Device Count: 0
+ Data loop file: /var/lib/docker/devicemapper/devicemapper/data
+ Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
+ Library Version: 1.02.107-RHEL7 (2015-12-01)
+Execution Driver: native-0.2
+Logging Driver: json-file
+Plugins:
+ Volume: local
+ Network: null host bridge
+Kernel Version: 3.10.0-327.el7.x86_64
+Operating System: Red Hat Enterprise Linux Server 7.2 (Maipo)
+OSType: linux
+Architecture: x86_64
+CPUs: 1
+Total Memory: 991.7 MiB
+Name: ip-172-30-0-91.ec2.internal
+ID: I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S
+Docker Root Dir: /var/lib/docker
+Debug mode (client): false
+Debug mode (server): false
+Username: gordontheturtle
+Registry: https://index.docker.io/v1/
+Insecure registries:
+ myinsecurehost:5000
+ 127.0.0.0/8
+```
+
+### Show debugging output
+
+Here is a sample output for a daemon running on Ubuntu, using the overlay2
+storage driver and a node that is part of a 2-node swarm:
+
+```bash
+$ docker -D info
+
+Containers: 14
+ Running: 3
+ Paused: 1
+ Stopped: 10
+Images: 52
+Server Version: 1.13.0
+Storage Driver: overlay2
+ Backing Filesystem: extfs
+ Supports d_type: true
+ Native Overlay Diff: false
+Logging Driver: json-file
+Cgroup Driver: cgroupfs
+Plugins:
+ Volume: local
+ Network: bridge host macvlan null overlay
+Swarm: active
+ NodeID: rdjq45w1op418waxlairloqbm
+ Is Manager: true
+ ClusterID: te8kdyw33n36fqiz74bfjeixd
+ Managers: 1
+ Nodes: 2
+ Orchestration:
+  Task History Retention Limit: 5
+ Raft:
+  Snapshot Interval: 10000
+  Number of Old Snapshots to Retain: 0
+  Heartbeat Tick: 1
+  Election Tick: 3
+ Dispatcher:
+  Heartbeat Period: 5 seconds
+ CA Configuration:
+  Expiry Duration: 3 months
+ Root Rotation In Progress: false
+ Node Address: 172.16.66.128 172.16.66.129
+ Manager Addresses:
+  172.16.66.128:2477
+Runtimes: runc
+Default Runtime: runc
+Init Binary: docker-init
+containerd version: 8517738ba4b82aff5662c97ca4627e7e4d03b531
+runc version: ac031b5bf1cc92239461125f4c1ffb760522bbf2
+init version: N/A (expected: v0.13.0)
+Security Options:
+ apparmor
+ seccomp
+  Profile: default
+Kernel Version: 4.4.0-31-generic
+Operating System: Ubuntu 16.04.1 LTS
+OSType: linux
+Architecture: x86_64
+CPUs: 2
+Total Memory: 1.937 GiB
+Name: ubuntu
+ID: H52R:7ZR6:EIIA:76JG:ORIY:BVKF:GSFU:HNPG:B5MK:APSC:SZ3Q:N326
+Docker Root Dir: /var/lib/docker
+Debug Mode (client): true
+Debug Mode (server): true
+ File Descriptors: 30
+ Goroutines: 123
+ System Time: 2016-11-12T17:24:37.955404361-08:00
+ EventsListeners: 0
+Http Proxy: http://test:test@proxy.example.com:8080
+Https Proxy: https://test:test@proxy.example.com:8080
+No Proxy: localhost,127.0.0.1,docker-registry.somecorporation.com
+Registry: https://index.docker.io/v1/
+WARNING: No swap limit support
+Labels:
+ storage=ssd
+ staging=true
+Experimental: false
+Insecure Registries:
+ 127.0.0.0/8
+Registry Mirrors:
+  http://192.168.1.2/
+  http://registry-mirror.example.com:5000/
+Live Restore Enabled: false
+```
+
+The global `-D` option causes all `docker` commands to output debug information.
+
+### Format the output
+
+You can also specify the output format:
+
+```bash
+$ docker info --format '{{json .}}'
+
+{"ID":"I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S","Containers":14, ...}
+```
+
+### Run `docker info` on Windows
+
+Here is a sample output for a daemon running on Windows Server 2016:
+
+```none
+E:\docker>docker info
+
+Containers: 1
+ Running: 0
+ Paused: 0
+ Stopped: 1
+Images: 17
+Server Version: 1.13.0
+Storage Driver: windowsfilter
+ Windows:
+Logging Driver: json-file
+Plugins:
+ Volume: local
+ Network: nat null overlay
+Swarm: inactive
+Default Isolation: process
+Kernel Version: 10.0 14393 (14393.206.amd64fre.rs1_release.160912-1937)
+Operating System: Windows Server 2016 Datacenter
+OSType: windows
+Architecture: x86_64
+CPUs: 8
+Total Memory: 3.999 GiB
+Name: WIN-V0V70C0LU5P
+ID: NYMS:B5VK:UMSL:FVDZ:EWB5:FKVK:LPFL:FJMQ:H6FT:BZJ6:L2TD:XH62
+Docker Root Dir: C:\control
+Debug Mode (client): false
+Debug Mode (server): false
+Registry: https://index.docker.io/v1/
+Insecure Registries:
+ 127.0.0.0/8
+Registry Mirrors:
+  http://192.168.1.2/
+  http://registry-mirror.example.com:5000/
+Live Restore Enabled: false
+```
diff --git a/cli/docs/reference/commandline/inspect.md b/cli/docs/reference/commandline/inspect.md
new file mode 100644
index 00000000..d6507983
--- /dev/null
+++ b/cli/docs/reference/commandline/inspect.md
@@ -0,0 +1,122 @@
+---
+title: "inspect"
+description: "The inspect command description and usage"
+keywords: "inspect, container, json"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# inspect
+
+```markdown
+Usage:  docker inspect [OPTIONS] NAME|ID [NAME|ID...]
+
+Return low-level information on Docker object(s) (e.g. container, image, volume,
+network, node, service, or task) identified by name or ID
+
+Options:
+  -f, --format       Format the output using the given Go template
+      --help         Print usage
+  -s, --size         Display total file sizes if the type is container
+      --type         Return JSON for specified type
+```
+
+## Description
+
+Docker inspect provides detailed information on constructs controlled by Docker.
+
+By default, `docker inspect` will render results in a JSON array.
+
+## Request a custom response format (--format)
+
+If a format is specified, the given template will be executed for each result.
+
+Go's [text/template](http://golang.org/pkg/text/template/) package
+describes all the details of the format.
+
+## Specify target type (--type)
+
+`--type container|image|node|network|secret|service|volume|task|plugin`
+
+The `docker inspect` command matches any type of object by either ID or name.
+In some cases multiple type of objects (for example, a container and a volume)
+exist with the same name, making the result ambiguous.
+
+To restrict `docker inspect` to a specific type of object, use the `--type`
+option.
+
+The following example inspects a _volume_ named "myvolume"
+
+```bash
+$ docker inspect --type=volume myvolume
+```
+
+## Examples
+
+### Get an instance's IP address
+
+For the most part, you can pick out any field from the JSON in a fairly
+straightforward manner.
+
+```bash
+$ docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $INSTANCE_ID
+```
+
+### Get an instance's MAC address
+
+```bash
+$ docker inspect --format='{{range .NetworkSettings.Networks}}{{.MacAddress}}{{end}}' $INSTANCE_ID
+```
+
+### Get an instance's log path
+
+```bash
+$ docker inspect --format='{{.LogPath}}' $INSTANCE_ID
+```
+
+### Get an instance's image name
+
+```bash
+$ docker inspect --format='{{.Config.Image}}' $INSTANCE_ID
+```
+
+### List all port bindings
+
+You can loop over arrays and maps in the results to produce simple text
+output:
+
+```bash
+$ docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}} {{$p}} -> {{(index $conf 0).HostPort}} {{end}}' $INSTANCE_ID
+```
+
+### Find a specific port mapping
+
+The `.Field` syntax doesn't work when the field name begins with a
+number, but the template language's `index` function does. The
+`.NetworkSettings.Ports` section contains a map of the internal port
+mappings to a list of external address/port objects. To grab just the
+numeric public port, you use `index` to find the specific port map, and
+then `index` 0 contains the first object inside of that. Then we ask for
+the `HostPort` field to get the public address.
+
+```bash
+$ docker inspect --format='{{(index (index .NetworkSettings.Ports "8787/tcp") 0).HostPort}}' $INSTANCE_ID
+```
+
+### Get a subsection in JSON format
+
+If you request a field which is itself a structure containing other
+fields, by default you get a Go-style dump of the inner values.
+Docker adds a template function, `json`, which can be applied to get
+results in JSON format.
+
+```bash
+$ docker inspect --format='{{json .Config}}' $INSTANCE_ID
+```
diff --git a/cli/docs/reference/commandline/kill.md b/cli/docs/reference/commandline/kill.md
new file mode 100644
index 00000000..ba77185b
--- /dev/null
+++ b/cli/docs/reference/commandline/kill.md
@@ -0,0 +1,71 @@
+---
+title: "kill"
+description: "The kill command description and usage"
+keywords: "container, kill, signal"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# kill
+
+```markdown
+Usage:  docker kill [OPTIONS] CONTAINER [CONTAINER...]
+
+Kill one or more running containers
+
+Options:
+      --help            Print usage
+  -s, --signal string   Signal to send to the container (default "KILL")
+```
+
+## Description
+
+The `docker kill` subcommand kills one or more containers. The main process
+inside the container is sent `SIGKILL` signal (default), or the signal that is
+specified with the `--signal` option. You can kill a container using the
+container's ID, ID-prefix, or name.
+
+> **Note**: `ENTRYPOINT` and `CMD` in the *shell* form run as a subcommand of
+> `/bin/sh -c`, which does not pass signals. This means that the executable is
+> not the container’s PID 1 and does not receive Unix signals.
+
+## Examples
+
+
+### Send a KILL signal  to a container
+
+The following example sends the default `KILL` signal to the container named
+`my_container`:
+
+```bash
+$ docker kill my_container
+```
+
+### Send a custom signal  to a container
+
+The following example sends a `SIGHUP` signal to the container named
+`my_container`:
+
+```bash
+$ docker kill --signal=SIGHUP  my_container
+```
+
+
+You can specify a custom signal either by _name_, or _number_. The `SIG` prefix
+is optional, so the following examples are equivalent:
+
+```bash
+$ docker kill --signal=SIGHUP my_container
+$ docker kill --signal=HUP my_container
+$ docker kill --signal=1 my_container
+```
+
+Refer to the [`signal(7)`](http://man7.org/linux/man-pages/man7/signal.7.html)
+man-page for a list of standard Linux signals.
diff --git a/cli/docs/reference/commandline/load.md b/cli/docs/reference/commandline/load.md
new file mode 100644
index 00000000..2bb99b87
--- /dev/null
+++ b/cli/docs/reference/commandline/load.md
@@ -0,0 +1,63 @@
+---
+title: "load"
+description: "The load command description and usage"
+keywords: "stdin, tarred, repository"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# load
+
+```markdown
+Usage:  docker load [OPTIONS]
+
+Load an image or repository from a tar archive (even if compressed with gzip,
+bzip2, or xz) from a file or STDIN.
+
+Options:
+      --help           Print usage
+  -i, --input string   Read from tar archive file, instead of STDIN.
+                       The tarball may be compressed with gzip, bzip, or xz
+  -q, --quiet          Suppress the load output but still outputs the imported images
+```
+## Description
+
+Load an image or repository from a tar archive (even if compressed with gzip,
+bzip2, or xz) from a file or STDIN. It restores both images and tags.
+
+## Examples
+
+```bash
+$ docker image ls
+
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+
+$ docker load < busybox.tar.gz
+
+Loaded image: busybox:latest
+$ docker images
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+busybox             latest              769b9341d937        7 weeks ago         2.489 MB
+
+$ docker load --input fedora.tar
+
+Loaded image: fedora:rawhide
+
+Loaded image: fedora:20
+
+$ docker images
+
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+busybox             latest              769b9341d937        7 weeks ago         2.489 MB
+fedora              rawhide             0d20aec6529d        7 weeks ago         387 MB
+fedora              20                  58394af37342        7 weeks ago         385.5 MB
+fedora              heisenbug           58394af37342        7 weeks ago         385.5 MB
+fedora              latest              58394af37342        7 weeks ago         385.5 MB
+```
diff --git a/cli/docs/reference/commandline/login.md b/cli/docs/reference/commandline/login.md
new file mode 100644
index 00000000..3ebeec3d
--- /dev/null
+++ b/cli/docs/reference/commandline/login.md
@@ -0,0 +1,184 @@
+---
+title: "login"
+description: "The login command description and usage"
+keywords: "registry, login, image"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# login
+
+```markdown
+Usage:  docker login [OPTIONS] [SERVER]
+
+Log in to a Docker registry.
+If no server is specified, the default is defined by the daemon.
+
+Options:
+      --help                    Print usage
+  -p, --password       string   Password
+      --password-stdin          Read password from stdin
+  -u, --username       string   Username
+```
+
+## Description
+
+Login to a registry.
+
+### Login to a self-hosted registry
+
+If you want to login to a self-hosted registry you can specify this by
+adding the server name.
+
+```bash
+$ docker login localhost:8080
+```
+
+### Provide a password using STDIN
+
+To run the `docker login` command non-interactively, you can set the
+`--password-stdin` flag to provide a password through `STDIN`. Using
+`STDIN` prevents the password from ending up in the shell's history,
+or log-files.
+
+The following example reads a password from a file, and passes it to the
+`docker login` command using `STDIN`:
+
+```bash
+$ cat ~/my_password.txt | docker login --username foo --password-stdin
+```
+
+### Privileged user requirement
+
+`docker login` requires user to use `sudo` or be `root`, except when:
+
+1.  connecting to a remote daemon, such as a `docker-machine` provisioned `docker engine`.
+2.  user is added to the `docker` group.  This will impact the security of your system; the `docker` group is `root` equivalent.  See [Docker Daemon Attack Surface](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface) for details.
+
+You can log into any public or private repository for which you have
+credentials.  When you log in, the command stores credentials in
+`$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on
+Windows, via the procedure described below.
+
+### Credentials store
+
+The Docker Engine can keep user credentials in an external credentials store,
+such as the native keychain of the operating system. Using an external store
+is more secure than storing credentials in the Docker configuration file.
+
+To use a credentials store, you need an external helper program to interact
+with a specific keychain or external store. Docker requires the helper
+program to be in the client's host `$PATH`.
+
+This is the list of currently available credentials helpers and where
+you can download them from:
+
+- D-Bus Secret Service: https://github.com/docker/docker-credential-helpers/releases
+- Apple macOS keychain: https://github.com/docker/docker-credential-helpers/releases
+- Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases
+- [pass](https://www.passwordstore.org/): https://github.com/docker/docker-credential-helpers/releases
+
+You need to specify the credentials store in `$HOME/.docker/config.json`
+to tell the docker engine to use it. The value of the config property should be
+the suffix of the program to use (i.e. everything after `docker-credential-`).
+For example, to use `docker-credential-osxkeychain`:
+
+```json
+{
+	"credsStore": "osxkeychain"
+}
+```
+
+If you are currently logged in, run `docker logout` to remove
+the credentials from the file and run `docker login` again.
+
+### Default behavior
+
+By default, Docker looks for the native binary on each of the platforms, i.e.
+"osxkeychain" on macOS, "wincred" on windows, and "pass" on Linux. A special
+case is that on Linux, Docker will fall back to the "secretservice" binary if
+it cannot find the "pass" binary. If none of these binaries are present, it
+stores the credentials (i.e. password) in base64 encoding in the config files
+described above.
+
+### Credential helper protocol
+
+Credential helpers can be any program or script that follows a very simple protocol.
+This protocol is heavily inspired by Git, but it differs in the information shared.
+
+The helpers always use the first argument in the command to identify the action.
+There are only three possible values for that argument: `store`, `get`, and `erase`.
+
+The `store` command takes a JSON payload from the standard input. That payload carries
+the server address, to identify the credential, the user name, and either a password
+or an identity token.
+
+```json
+{
+	"ServerURL": "https://index.docker.io/v1",
+	"Username": "david",
+	"Secret": "passw0rd1"
+}
+```
+
+If the secret being stored is an identity token, the Username should be set to
+`<token>`.
+
+The `store` command can write error messages to `STDOUT` that the docker engine
+will show if there was an issue.
+
+The `get` command takes a string payload from the standard input. That payload carries
+the server address that the docker engine needs credentials for. This is
+an example of that payload: `https://index.docker.io/v1`.
+
+The `get` command writes a JSON payload to `STDOUT`. Docker reads the user name
+and password from this payload:
+
+```json
+{
+	"Username": "david",
+	"Secret": "passw0rd1"
+}
+```
+
+The `erase` command takes a string payload from `STDIN`. That payload carries
+the server address that the docker engine wants to remove credentials for. This is
+an example of that payload: `https://index.docker.io/v1`.
+
+The `erase` command can write error messages to `STDOUT` that the docker engine
+will show if there was an issue.
+
+### Credential helpers
+
+Credential helpers are similar to the credential store above, but act as the
+designated programs to handle credentials for *specific registries*. The default
+credential store (`credsStore` or the config file itself) will not be used for
+operations concerning credentials of the specified registries.
+
+### Logging out
+
+If you are currently logged in, run `docker logout` to remove
+the credentials from the default store.
+
+Credential helpers are specified in a similar way to `credsStore`, but
+allow for multiple helpers to be configured at a time. Keys specify the
+registry domain, and values specify the suffix of the program to use
+(i.e. everything after `docker-credential-`).
+For example:
+
+```json
+{
+  "credHelpers": {
+    "registry.example.com": "registryhelper",
+    "awesomereg.example.org": "hip-star",
+    "unicorn.example.io": "vcbait"
+  }
+}
+```
diff --git a/cli/docs/reference/commandline/logout.md b/cli/docs/reference/commandline/logout.md
new file mode 100644
index 00000000..f930fe7b
--- /dev/null
+++ b/cli/docs/reference/commandline/logout.md
@@ -0,0 +1,32 @@
+---
+title: "logout"
+description: "The logout command description and usage"
+keywords: "logout, docker, registry"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# logout
+
+```markdown
+Usage:  docker logout [SERVER]
+
+Log out from a Docker registry.
+If no server is specified, the default is defined by the daemon.
+
+Options:
+      --help   Print usage
+```
+
+## Examples
+
+```bash
+$ docker logout localhost:8080
+```
diff --git a/cli/docs/reference/commandline/logs.md b/cli/docs/reference/commandline/logs.md
new file mode 100644
index 00000000..dc624d8b
--- /dev/null
+++ b/cli/docs/reference/commandline/logs.md
@@ -0,0 +1,85 @@
+---
+title: "logs"
+description: "The logs command description and usage"
+keywords: "logs, retrieve, docker"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# logs
+
+```markdown
+Usage:  docker logs [OPTIONS] CONTAINER
+
+Fetch the logs of a container
+
+Options:
+      --details        Show extra details provided to logs
+  -f, --follow         Follow log output
+      --help           Print usage
+      --since string   Show logs since timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)
+      --until string   Show logs before timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)
+      --tail string    Number of lines to show from the end of the logs (default "all")
+  -t, --timestamps     Show timestamps
+```
+
+## Description
+
+The `docker logs` command batch-retrieves logs present at the time of execution.
+
+> **Note**: this command is only functional for containers that are started with
+> the `json-file` or `journald` logging driver.
+
+For more information about selecting and configuring logging drivers, refer to
+[Configure logging drivers](https://docs.docker.com/config/containers/logging/configure/).
+
+The `docker logs --follow` command will continue streaming the new output from
+the container's `STDOUT` and `STDERR`.
+
+Passing a negative number or a non-integer to `--tail` is invalid and the
+value is set to `all` in that case.
+
+The `docker logs --timestamps` command will add an [RFC3339Nano timestamp](https://golang.org/pkg/time/#pkg-constants)
+, for example `2014-09-16T06:17:46.000000000Z`, to each
+log entry. To ensure that the timestamps are aligned the
+nano-second part of the timestamp will be padded with zero when necessary.
+
+The `docker logs --details` command will add on extra attributes, such as
+environment variables and labels, provided to `--log-opt` when creating the
+container.
+
+The `--since` option shows only the container logs generated after
+a given date. You can specify the date as an RFC 3339 date, a UNIX
+timestamp, or a Go duration string (e.g. `1m30s`, `3h`). Besides RFC3339 date
+format you may also use RFC3339Nano, `2006-01-02T15:04:05`,
+`2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
+timezone on the client will be used if you do not provide either a `Z` or a
+`+-00:00` timezone offset at the end of the timestamp. When providing Unix
+timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
+that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
+seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
+fraction of a second no more than nine digits long. You can combine the
+`--since` option with either or both of the `--follow` or `--tail` options.
+
+## Examples
+
+### Retrieve logs until a specific point in time
+
+In order to retrieve logs before a specific point in time, run:
+
+```bash
+$ docker run --name test -d busybox sh -c "while true; do $(echo date); sleep 1; done"
+$ date
+Tue 14 Nov 2017 16:40:00 CET
+$ docker logs -f --until=2s
+Tue 14 Nov 2017 16:40:00 CET
+Tue 14 Nov 2017 16:40:01 CET
+Tue 14 Nov 2017 16:40:02 CET
+```
\ No newline at end of file
diff --git a/cli/docs/reference/commandline/manifest.md b/cli/docs/reference/commandline/manifest.md
new file mode 100644
index 00000000..ce31a30d
--- /dev/null
+++ b/cli/docs/reference/commandline/manifest.md
@@ -0,0 +1,274 @@
+---
+title: "manifest"
+description: "The manifest command description and usage"
+keywords: "docker, manifest"
+---
+
+<!-- This file is maintained within the docker/cli Github
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+```markdown
+Usage:  docker manifest COMMAND
+
+Manage Docker image manifests and manifest lists
+
+Options:
+      --help   Print usage
+
+Commands:
+  annotate    Add additional information to a local image manifest
+  create      Create a local manifest list for annotating and pushing to a registry
+  inspect     Display an image manifest, or manifest list
+  push        Push a manifest list to a repository
+
+```
+
+## Description
+
+The `docker manifest` command by itself performs no action. In order to operate
+on a manifest or manifest list, one of the subcommands must be used.
+
+A single manifest is information about an image, such as layers, size, and digest.
+The docker manifest command also gives users additional information such as the os
+and architecture an image was built for.
+
+A manifest list is a list of image layers that is created by specifying one or
+more (ideally more than one) image names. It can then be used in the same way as
+an image name in `docker pull` and `docker run` commands, for example.
+
+Ideally a manifest list is created from images that are identical in function for
+different os/arch combinations. For this reason, manifest lists are often referred to as
+"multi-arch images". However, a user could create a manifest list that points
+to two images -- one for windows on amd64, and one for darwin on amd64.
+
+### manifest inspect
+
+```
+manifest inspect --help
+
+Usage:  docker manifest inspect [OPTIONS] [MANIFEST_LIST] MANIFEST
+
+Display an image manifest, or manifest list
+
+Options:
+      --help       Print usage
+      --insecure   Allow communication with an insecure registry
+  -v, --verbose    Output additional info including layers and platform
+```
+
+### manifest create 
+
+```bash
+Usage:  docker manifest create MANIFEST_LIST MANIFEST [MANIFEST...]
+
+Create a local manifest list for annotating and pushing to a registry
+
+Options:
+  -a, --amend      Amend an existing manifest list
+      --insecure   Allow communication with an insecure registry
+      --help       Print usage
+```
+
+### manifest annotate
+```bash
+Usage:  docker manifest annotate [OPTIONS] MANIFEST_LIST MANIFEST
+
+Add additional information to a local image manifest
+
+Options:
+      --arch string               Set architecture
+      --help                      Print usage
+      --os string                 Set operating system
+      --os-features stringSlice   Set operating system feature
+      --variant string            Set architecture variant
+
+```
+
+### manifest push
+```bash
+Usage:  docker manifest push [OPTIONS] MANIFEST_LIST
+
+Push a manifest list to a repository
+
+Options:
+      --help       Print usage
+      --insecure   Allow push to an insecure registry
+  -p, --purge      Remove the local manifest list after push
+```
+
+### Working with insecure registries
+
+The manifest command interacts solely with a Docker registry. Because of this, it has no way to query the engine for the list of allowed insecure registries. To allow the CLI to interact with an insecure registry, some `docker manifest` commands have an `--insecure` flag. For each transaction, such as a `create`, which queries a registry, the `--insecure` flag must be specified. This flag tells the CLI that this registry call may ignore security concerns like missing or self-signed certificates. Likewise, on a `manifest push` to an insecure registry, the `--insecure` flag must be specified. If this is not used with an insecure registry, the manifest command fails to find a registry that meets the default requirements.
+
+## Examples
+
+### Inspect an image's manifest object
+ 
+```bash
+$ docker manifest inspect hello-world
+{
+        "schemaVersion": 2,
+        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+        "config": {
+                "mediaType": "application/vnd.docker.container.image.v1+json",
+                "size": 1520,
+                "digest": "sha256:1815c82652c03bfd8644afda26fb184f2ed891d921b20a0703b46768f9755c57"
+        },
+        "layers": [
+                {
+                        "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+                        "size": 972,
+                        "digest": "sha256:b04784fba78d739b526e27edc02a5a8cd07b1052e9283f5fc155828f4b614c28"
+                }
+        ]
+}
+```
+
+### Inspect an image's manifest and get the os/arch info
+
+The `docker manifest inspect` command takes an optional `--verbose` flag
+that gives you the image's name (Ref), and architecture and os (Platform).
+
+Just as with other docker commands that take image names, you can refer to an image with or
+without a tag, or by digest (e.g. hello-world@sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f).
+
+Here is an example of inspecting an image's manifest with the `--verbose` flag:
+
+```bash
+$ docker manifest inspect --verbose hello-world
+{
+        "Ref": "docker.io/library/hello-world:latest",
+        "Digest": "sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f",
+        "SchemaV2Manifest": {
+                "schemaVersion": 2,
+                "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+                "config": {
+                        "mediaType": "application/vnd.docker.container.image.v1+json",
+                        "size": 1520,
+                        "digest": "sha256:1815c82652c03bfd8644afda26fb184f2ed891d921b20a0703b46768f9755c57"
+                },
+                "layers": [
+                        {
+                                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+                                "size": 972,
+                                "digest": "sha256:b04784fba78d739b526e27edc02a5a8cd07b1052e9283f5fc155828f4b614c28"
+                        }
+                ]
+        },
+        "Platform": {
+                "architecture": "amd64",
+                "os": "linux"
+        }
+}
+```
+
+### Create and push a manifest list
+
+To create a manifest list, you first `create` the manifest list locally by specifying the constituent images you would
+like to have included in your manifest list. Keep in mind that this is pushed to a registry, so if you want to push
+to a registry other than the docker registry, you need to create your manifest list with the registry name or IP and port.
+This is similar to tagging an image and pushing it to a foreign registry.
+
+After you have created your local copy of the manifest list, you may optionally
+`annotate` it. Annotations allowed are the architecture and operating system (overriding the image's current values),
+os features, and an archictecure variant. 
+
+Finally, you need to `push` your manifest list to the desired registry. Below are descriptions of these three commands,
+and an example putting them all together.
+
+```bash
+$ docker manifest create 45.55.81.106:5000/coolapp:v1 \
+    45.55.81.106:5000/coolapp-ppc64le-linux:v1 \
+    45.55.81.106:5000/coolapp-arm-linux:v1 \
+    45.55.81.106:5000/coolapp-amd64-linux:v1 \
+    45.55.81.106:5000/coolapp-amd64-windows:v1
+Created manifest list 45.55.81.106:5000/coolapp:v1
+```
+
+```bash
+$ docker manifest annotate 45.55.81.106:5000/coolapp:v1 45.55.81.106:5000/coolapp-arm-linux --arch arm
+```
+
+```bash
+$ docker manifest push 45.55.81.106:5000/coolapp:v1
+Pushed manifest 45.55.81.106:5000/coolapp@sha256:9701edc932223a66e49dd6c894a11db8c2cf4eccd1414f1ec105a623bf16b426 with digest: sha256:f67dcc5fc786f04f0743abfe0ee5dae9bd8caf8efa6c8144f7f2a43889dc513b
+Pushed manifest 45.55.81.106:5000/coolapp@sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f with digest: sha256:b64ca0b60356a30971f098c92200b1271257f100a55b351e6bbe985638352f3a
+Pushed manifest 45.55.81.106:5000/coolapp@sha256:39dc41c658cf25f33681a41310372f02728925a54aac3598310bfb1770615fc9 with digest: sha256:df436846483aff62bad830b730a0d3b77731bcf98ba5e470a8bbb8e9e346e4e8
+Pushed manifest 45.55.81.106:5000/coolapp@sha256:f91b1145cd4ac800b28122313ae9e88ac340bb3f1e3a4cd3e59a3648650f3275 with digest: sha256:5bb8e50aa2edd408bdf3ddf61efb7338ff34a07b762992c9432f1c02fc0e5e62
+sha256:050b213d49d7673ba35014f21454c573dcbec75254a08f4a7c34f66a47c06aba
+
+```
+
+### Inspect a manifest list
+
+```bash
+$ docker manifest inspect coolapp:v1
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
+   "manifests": [
+      {
+         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+         "size": 424,
+         "digest": "sha256:f67dcc5fc786f04f0743abfe0ee5dae9bd8caf8efa6c8144f7f2a43889dc513b",
+         "platform": {
+            "architecture": "arm",
+            "os": "linux"
+         }
+      },
+      {
+         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+         "size": 424,
+         "digest": "sha256:b64ca0b60356a30971f098c92200b1271257f100a55b351e6bbe985638352f3a",
+         "platform": {
+            "architecture": "amd64",
+            "os": "linux"
+         }
+      },
+      {
+         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+         "size": 425,
+         "digest": "sha256:df436846483aff62bad830b730a0d3b77731bcf98ba5e470a8bbb8e9e346e4e8",
+         "platform": {
+            "architecture": "ppc64le",
+            "os": "linux"
+         }
+      },
+      {
+         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+         "size": 425,
+         "digest": "sha256:5bb8e50aa2edd408bdf3ddf61efb7338ff34a07b762992c9432f1c02fc0e5e62",
+         "platform": {
+            "architecture": "s390x",
+            "os": "linux"
+         }
+      }
+   ]
+}
+```
+
+### Push to an insecure registry
+
+Here is an example of creating and pushing a manifest list using a known insecure registry.
+
+```
+$ docker manifest create --insecure myprivateregistry.mycompany.com/repo/image:1.0 \
+    myprivateregistry.mycompany.com/repo/image-linux-ppc64le:1.0 \
+    myprivateregistry.mycompany.com/repo/image-linux-s390x:1.0 \
+    myprivateregistry.mycompany.com/repo/image-linux-arm:1.0 \
+    myprivateregistry.mycompany.com/repo/image-linux-armhf:1.0 \
+    myprivateregistry.mycompany.com/repo/image-windows-amd64:1.0 \
+    myprivateregistry.mycompany.com/repo/image-linux-amd64:1.0
+```
+```
+$ docker manifest push --insecure myprivateregistry.mycompany.com/repo/image:tag
+```
+
+Note that the `--insecure` flag is not required to annotate a manifest list, since annotations are to a locally-stored copy of a manifest list. You may also skip the `--insecure` flag if you are performaing a `docker manifest inspect` on a locally-stored manifest list. Be sure to keep in mind that locally-stored manifest lists are never used by the engine on a `docker pull`.
+
diff --git a/cli/docs/reference/commandline/network.md b/cli/docs/reference/commandline/network.md
new file mode 100644
index 00000000..bf95c8a0
--- /dev/null
+++ b/cli/docs/reference/commandline/network.md
@@ -0,0 +1,51 @@
+---
+title: "network"
+description: "The network command description and usage"
+keywords: "network"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# network
+
+```markdown
+Usage:  docker network COMMAND
+
+Manage networks
+
+Options:
+      --help   Print usage
+
+Commands:
+  connect     Connect a container to a network
+  create      Create a network
+  disconnect  Disconnect a container from a network
+  inspect     Display detailed information on one or more networks
+  ls          List networks
+  prune       Remove all unused networks
+  rm          Remove one or more networks
+
+Run 'docker network COMMAND --help' for more information on a command.
+```
+
+## Description
+
+Manage networks. You can use subcommands to create, inspect, list, remove,
+prune, connect, and disconnect networks.
+
+## Related commands
+
+* [network create](network_create.md)
+* [network inspect](network_inspect.md)
+* [network list](network_list.md)
+* [network rm](network_rm.md)
+* [network prune](network_prune.md)
+* [network connect](network_connect.md)
+* [network disconnect](network_disconnect.md)
diff --git a/cli/docs/reference/commandline/network_connect.md b/cli/docs/reference/commandline/network_connect.md
new file mode 100644
index 00000000..bf3ab379
--- /dev/null
+++ b/cli/docs/reference/commandline/network_connect.md
@@ -0,0 +1,117 @@
+---
+title: "network connect"
+description: "The network connect command description and usage"
+keywords: "network, connect, user-defined"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# network connect
+
+```markdown
+Usage:  docker network connect [OPTIONS] NETWORK CONTAINER
+
+Connect a container to a network
+
+Options:
+      --alias value           Add network-scoped alias for the container (default [])
+      --help                  Print usage
+      --ip string             IPv4 address (e.g., 172.30.100.104)
+      --ip6 string            IPv6 address (e.g., 2001:db8::33)
+      --link value            Add link to another container (default [])
+      --link-local-ip value   Add a link-local address for the container (default [])
+```
+
+## Description
+
+Connects a container to a network. You can connect a container by name
+or by ID. Once connected, the container can communicate with other containers in
+the same network.
+
+## Examples
+
+### Connect a running container to a network
+
+```bash
+$ docker network connect multi-host-network container1
+```
+
+### Connect a container to a network when it starts
+
+You can also use the `docker run --network=<network-name>` option to start a container and immediately connect it to a network.
+
+```bash
+$ docker run -itd --network=multi-host-network busybox
+```
+
+### Specify the IP address a container will use on a given network
+
+You can specify the IP address you want to be assigned to the container's interface.
+
+```bash
+$ docker network connect --ip 10.10.36.122 multi-host-network container2
+```
+
+### Use the legacy `--link` option
+
+You can use `--link` option to link another container with a preferred alias
+
+```bash
+$ docker network connect --link container1:c1 multi-host-network container2
+```
+
+### Create a network alias for a container
+
+`--alias` option can be used to resolve the container by another name in the network
+being connected to.
+
+```bash
+$ docker network connect --alias db --alias mysql multi-host-network container2
+```
+
+### Network implications of stopping, pausing, or restarting containers
+
+You can pause, restart, and stop containers that are connected to a network.
+A container connects to its configured networks when it runs.
+
+If specified, the container's IP address(es) is reapplied when a stopped
+container is restarted. If the IP address is no longer available, the container
+fails to start. One way to guarantee that the IP address is available is
+to specify an `--ip-range` when creating the network, and choose the static IP
+address(es) from outside that range. This ensures that the IP address is not
+given to another container while this container is not on the network.
+
+```bash
+$ docker network create --subnet 172.20.0.0/16 --ip-range 172.20.240.0/20 multi-host-network
+```
+
+```bash
+$ docker network connect --ip 172.20.128.2 multi-host-network container2
+```
+
+To verify the container is connected, use the `docker network inspect` command. Use `docker network disconnect` to remove a container from the network.
+
+Once connected in network, containers can communicate using only another
+container's IP address or name. For `overlay` networks or custom plugins that
+support multi-host connectivity, containers connected to the same multi-host
+network but launched from different Engines can also communicate in this way.
+
+You can connect a container to one or more networks. The networks need not be the same type. For example, you can connect a single container bridge and overlay networks.
+
+## Related commands
+
+* [network inspect](network_inspect.md)
+* [network create](network_create.md)
+* [network disconnect](network_disconnect.md)
+* [network ls](network_ls.md)
+* [network rm](network_rm.md)
+* [network prune](network_prune.md)
+* [Understand Docker container networks](https://docs.docker.com/network/)
+* [Work with networks](https://docs.docker.com/network/bridge/)
diff --git a/cli/docs/reference/commandline/network_create.md b/cli/docs/reference/commandline/network_create.md
new file mode 100644
index 00000000..57172310
--- /dev/null
+++ b/cli/docs/reference/commandline/network_create.md
@@ -0,0 +1,240 @@
+---
+title: "network create"
+description: "The network create command description and usage"
+keywords: "network, create"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# network create
+
+```markdown
+Usage:	docker network create [OPTIONS] NETWORK
+
+Create a network
+
+Options:
+      --attachable           Enable manual container attachment
+      --ingress              Specify the network provides the routing-mesh
+      --aux-address value    Auxiliary IPv4 or IPv6 addresses used by Network
+                             driver (default map[])
+  -d, --driver string        Driver to manage the Network (default "bridge")
+      --gateway value        IPv4 or IPv6 Gateway for the master subnet (default [])
+      --help                 Print usage
+      --internal             Restrict external access to the network
+      --ip-range value       Allocate container ip from a sub-range (default [])
+      --ipam-driver string   IP Address Management Driver (default "default")
+      --ipam-opt value       Set IPAM driver specific options (default map[])
+      --ipv6                 Enable IPv6 networking
+      --label value          Set metadata on a network (default [])
+  -o, --opt value            Set driver specific options (default map[])
+      --subnet value         Subnet in CIDR format that represents a
+                             network segment (default [])
+      --scope value          Promote a network to swarm scope (value = [ local | swarm ])
+      --config-only          Creates a configuration only network
+      --config-from          The name of the network from which copying the configuration
+```
+
+## Description
+
+Creates a new network. The `DRIVER` accepts `bridge` or `overlay` which are the
+built-in network drivers. If you have installed a third party or your own custom
+network driver you can specify that `DRIVER` here also. If you don't specify the
+`--driver` option, the command automatically creates a `bridge` network for you.
+When you install Docker Engine it creates a `bridge` network automatically. This
+network corresponds to the `docker0` bridge that Engine has traditionally relied
+on. When you launch a new container with  `docker run` it automatically connects to
+this bridge network. You cannot remove this default bridge network, but you can
+create new ones using the `network create` command.
+
+```bash
+$ docker network create -d bridge my-bridge-network
+```
+
+Bridge networks are isolated networks on a single Engine installation. If you
+want to create a network that spans multiple Docker hosts each running an
+Engine, you must create an `overlay` network. Unlike `bridge` networks, overlay
+networks require some pre-existing conditions before you can create one. These
+conditions are:
+
+* Access to a key-value store. Engine supports Consul, Etcd, and ZooKeeper (Distributed store) key-value stores.
+* A cluster of hosts with connectivity to the key-value store.
+* A properly configured Engine `daemon` on each host in the cluster.
+
+The `dockerd` options that support the `overlay` network are:
+
+* `--cluster-store`
+* `--cluster-store-opt`
+* `--cluster-advertise`
+
+To read more about these options and how to configure them, see ["*Get started
+with multi-host network*"](https://docs.docker.com/engine/userguide/networking/get-started-overlay).
+
+While not required, it is a good idea to install Docker Swarm to
+manage the cluster that makes up your network. Swarm provides sophisticated
+discovery and server management tools that can assist your implementation.
+
+Once you have prepared the `overlay` network prerequisites you simply choose a
+Docker host in the cluster and issue the following to create the network:
+
+```bash
+$ docker network create -d overlay my-multihost-network
+```
+
+Network names must be unique. The Docker daemon attempts to identify naming
+conflicts but this is not guaranteed. It is the user's responsibility to avoid
+name conflicts.
+
+### Overlay network limitations
+
+You should create overlay networks with `/24` blocks (the default), which limits
+you to 256 IP addresses, when you create networks using the default VIP-based
+endpoint-mode. This recommendation addresses
+[limitations with swarm mode](https://github.com/moby/moby/issues/30820). If you
+need more than 256 IP addresses, do not increase the IP block size. You can
+either use `dnsrr` endpoint mode with an external load balancer, or use multiple
+smaller overlay networks. See
+[Configure service discovery](https://docs.docker.com/engine/swarm/networking/#configure-service-discovery)
+for more information about different endpoint modes.
+
+## Examples
+
+### Connect containers
+
+When you start a container, use the `--network` flag to connect it to a network.
+This example adds the `busybox` container to the `mynet` network:
+
+```bash
+$ docker run -itd --network=mynet busybox
+```
+
+If you want to add a container to a network after the container is already
+running, use the `docker network connect` subcommand.
+
+You can connect multiple containers to the same network. Once connected, the
+containers can communicate using only another container's IP address or name.
+For `overlay` networks or custom plugins that support multi-host connectivity,
+containers connected to the same multi-host network but launched from different
+Engines can also communicate in this way.
+
+You can disconnect a container from a network using the `docker network
+disconnect` command.
+
+### Specify advanced options
+
+When you create a network, Engine creates a non-overlapping subnetwork for the
+network by default. This subnetwork is not a subdivision of an existing
+network. It is purely for ip-addressing purposes. You can override this default
+and specify subnetwork values directly using the `--subnet` option. On a
+`bridge` network you can only create a single subnet:
+
+```bash
+$ docker network create --driver=bridge --subnet=192.168.0.0/16 br0
+```
+
+Additionally, you also specify the `--gateway` `--ip-range` and `--aux-address`
+options.
+
+```bash
+$ docker network create \
+  --driver=bridge \
+  --subnet=172.28.0.0/16 \
+  --ip-range=172.28.5.0/24 \
+  --gateway=172.28.5.254 \
+  br0
+```
+
+If you omit the `--gateway` flag the Engine selects one for you from inside a
+preferred pool. For `overlay` networks and for network driver plugins that
+support it you can create multiple subnetworks. This example uses two `/25`
+subnet mask to adhere to the current guidance of not having more than 256 IPs in
+a single overlay network. Each of the subnetworks has 126 usable addresses.
+
+```bash
+$ docker network create -d overlay \
+  --subnet=192.168.1.0/25 \
+  --subnet=192.170.2.0/25 \
+  --gateway=192.168.1.100 \
+  --gateway=192.170.2.100 \
+  --aux-address="my-router=192.168.1.5" --aux-address="my-switch=192.168.1.6" \
+  --aux-address="my-printer=192.170.1.5" --aux-address="my-nas=192.170.1.6" \
+  my-multihost-network
+```
+
+Be sure that your subnetworks do not overlap. If they do, the network create
+fails and Engine returns an error.
+
+### Bridge driver options
+
+When creating a custom network, the default network driver (i.e. `bridge`) has
+additional options that can be passed. The following are those options and the
+equivalent docker daemon flags used for docker0 bridge:
+
+| Option                                           | Equivalent  | Description                                           |
+|--------------------------------------------------|-------------|-------------------------------------------------------|
+| `com.docker.network.bridge.name`                 | -           | bridge name to be used when creating the Linux bridge |
+| `com.docker.network.bridge.enable_ip_masquerade` | `--ip-masq` | Enable IP masquerading                                |
+| `com.docker.network.bridge.enable_icc`           | `--icc`     | Enable or Disable Inter Container Connectivity        |
+| `com.docker.network.bridge.host_binding_ipv4`    | `--ip`      | Default IP when binding container ports               |
+| `com.docker.network.driver.mtu`                  | `--mtu`     | Set the containers network MTU                        |
+
+The following arguments can be passed to `docker network create` for any
+network driver, again with their approximate equivalents to `docker daemon`.
+
+| Argument     | Equivalent     | Description                                |
+|--------------|----------------|--------------------------------------------|
+| `--gateway`  | -              | IPv4 or IPv6 Gateway for the master subnet |
+| `--ip-range` | `--fixed-cidr` | Allocate IPs from a range                  |
+| `--internal` | -              | Restrict external access to the network   |
+| `--ipv6`     | `--ipv6`       | Enable IPv6 networking                     |
+| `--subnet`   | `--bip`        | Subnet for network                         |
+
+For example, let's use `-o` or `--opt` options to specify an IP address binding
+when publishing ports:
+
+```bash
+$ docker network create \
+    -o "com.docker.network.bridge.host_binding_ipv4"="172.19.0.1" \
+    simple-network
+```
+
+### Network internal mode
+
+By default, when you connect a container to an `overlay` network, Docker also
+connects a bridge network to it to provide external connectivity. If you want
+to create an externally isolated `overlay` network, you can specify the
+`--internal` option.
+
+### Network ingress mode
+
+You can create the network which will be used to provide the routing-mesh in the
+swarm cluster. You do so by specifying `--ingress` when creating the network. Only
+one ingress network can be created at the time. The network can be removed only
+if no services depend on it. Any option available when creating an overlay network
+is also available when creating the ingress network, besides the `--attachable` option.
+
+```bash
+$ docker network create -d overlay \
+  --subnet=10.11.0.0/16 \
+  --ingress \
+  --opt com.docker.network.driver.mtu=9216 \
+  --opt encrypted=true \
+  my-ingress-network
+```
+
+## Related commands
+
+* [network inspect](network_inspect.md)
+* [network connect](network_connect.md)
+* [network disconnect](network_disconnect.md)
+* [network ls](network_ls.md)
+* [network rm](network_rm.md)
+* [network prune](network_prune.md)
+* [Understand Docker container networks](https://docs.docker.com/engine/userguide/networking/)
diff --git a/cli/docs/reference/commandline/network_disconnect.md b/cli/docs/reference/commandline/network_disconnect.md
new file mode 100644
index 00000000..5af001d9
--- /dev/null
+++ b/cli/docs/reference/commandline/network_disconnect.md
@@ -0,0 +1,48 @@
+---
+title: "network disconnect"
+description: "The network disconnect command description and usage"
+keywords: "network, disconnect, user-defined"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# network disconnect
+
+```markdown
+Usage:  docker network disconnect [OPTIONS] NETWORK CONTAINER
+
+Disconnect a container from a network
+
+Options:
+  -f, --force   Force the container to disconnect from a network
+      --help    Print usage
+```
+
+## Description
+
+Disconnects a container from a network. The container must be running to
+disconnect it from the network.
+
+## Examples
+
+```bash
+  $ docker network disconnect multi-host-network container1
+```
+
+
+## Related commands
+
+* [network inspect](network_inspect.md)
+* [network connect](network_connect.md)
+* [network create](network_create.md)
+* [network ls](network_ls.md)
+* [network rm](network_rm.md)
+* [network prune](network_prune.md)
+* [Understand Docker container networks](https://docs.docker.com/engine/userguide/networking/)
diff --git a/cli/docs/reference/commandline/network_inspect.md b/cli/docs/reference/commandline/network_inspect.md
new file mode 100644
index 00000000..467c1d24
--- /dev/null
+++ b/cli/docs/reference/commandline/network_inspect.md
@@ -0,0 +1,307 @@
+---
+title: "network inspect"
+description: "The network inspect command description and usage"
+keywords: "network, inspect, user-defined"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# network inspect
+
+```markdown
+Usage:  docker network inspect [OPTIONS] NETWORK [NETWORK...]
+
+Display detailed information on one or more networks
+
+Options:
+  -f, --format string   Format the output using the given Go template
+      --help            Print usage
+```
+
+## Description
+
+Returns information about one or more networks. By default, this command renders
+all results in a JSON object.
+
+## Examples
+
+## Inspect the `bridge` network
+
+Connect two containers to the default `bridge` network:
+
+```bash
+$ sudo docker run -itd --name=container1 busybox
+f2870c98fd504370fb86e59f32cd0753b1ac9b69b7d80566ffc7192a82b3ed27
+
+$ sudo docker run -itd --name=container2 busybox
+bda12f8922785d1f160be70736f26c1e331ab8aaf8ed8d56728508f2e2fd4727
+```
+
+The `network inspect` command shows the containers, by id, in its
+results. For networks backed by multi-host network driver, such as Overlay,
+this command also shows the container endpoints in other hosts in the
+cluster. These endpoints are represented as "ep-{endpoint-id}" in the output.
+However, for swarm mode networks, only the endpoints that are local to the
+node are shown.
+
+You can specify an alternate format to execute a given
+template for each result. Go's
+[text/template](http://golang.org/pkg/text/template/) package describes all the
+details of the format.
+
+```none
+$ sudo docker network inspect bridge
+
+[
+    {
+        "Name": "bridge",
+        "Id": "b2b1a2cba717161d984383fd68218cf70bbbd17d328496885f7c921333228b0f",
+        "Created": "2016-10-19T04:33:30.360899459Z",
+        "Scope": "local",
+        "Driver": "bridge",
+        "IPAM": {
+            "Driver": "default",
+            "Config": [
+                {
+                    "Subnet": "172.17.42.1/16",
+                    "Gateway": "172.17.42.1"
+                }
+            ]
+        },
+        "Internal": false,
+        "Containers": {
+            "bda12f8922785d1f160be70736f26c1e331ab8aaf8ed8d56728508f2e2fd4727": {
+                "Name": "container2",
+                "EndpointID": "0aebb8fcd2b282abe1365979536f21ee4ceaf3ed56177c628eae9f706e00e019",
+                "MacAddress": "02:42:ac:11:00:02",
+                "IPv4Address": "172.17.0.2/16",
+                "IPv6Address": ""
+            },
+            "f2870c98fd504370fb86e59f32cd0753b1ac9b69b7d80566ffc7192a82b3ed27": {
+                "Name": "container1",
+                "EndpointID": "a00676d9c91a96bbe5bcfb34f705387a33d7cc365bac1a29e4e9728df92d10ad",
+                "MacAddress": "02:42:ac:11:00:01",
+                "IPv4Address": "172.17.0.1/16",
+                "IPv6Address": ""
+            }
+        },
+        "Options": {
+            "com.docker.network.bridge.default_bridge": "true",
+            "com.docker.network.bridge.enable_icc": "true",
+            "com.docker.network.bridge.enable_ip_masquerade": "true",
+            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+            "com.docker.network.bridge.name": "docker0",
+            "com.docker.network.driver.mtu": "1500"
+        },
+        "Labels": {}
+    }
+]
+```
+
+### Inspect a user-defined network
+
+Create and inspect a user-defined network:
+
+```bash
+$ docker network create simple-network
+
+69568e6336d8c96bbf57869030919f7c69524f71183b44d80948bd3927c87f6a
+```
+
+```none
+$ docker network inspect simple-network
+
+[
+    {
+        "Name": "simple-network",
+        "Id": "69568e6336d8c96bbf57869030919f7c69524f71183b44d80948bd3927c87f6a",
+        "Created": "2016-10-19T04:33:30.360899459Z",
+        "Scope": "local",
+        "Driver": "bridge",
+        "IPAM": {
+            "Driver": "default",
+            "Config": [
+                {
+                    "Subnet": "172.22.0.0/16",
+                    "Gateway": "172.22.0.1"
+                }
+            ]
+        },
+        "Containers": {},
+        "Options": {},
+        "Labels": {}
+    }
+]
+```
+
+### Inspect the `ingress` network
+
+For swarm mode overlay networks `network inspect` also shows the IP address and node name
+of the peers. Peers are the nodes in the swarm cluster which have at least one task attached
+to the network. Node name is of the format `<hostname>-<unique ID>`.
+
+```none
+$ docker network inspect ingress
+
+[
+    {
+        "Name": "ingress",
+        "Id": "j0izitrut30h975vk4m1u5kk3",
+        "Created": "2016-11-08T06:49:59.803387552Z",
+        "Scope": "swarm",
+        "Driver": "overlay",
+        "EnableIPv6": false,
+        "IPAM": {
+            "Driver": "default",
+            "Options": null,
+            "Config": [
+                {
+                    "Subnet": "10.255.0.0/16",
+                    "Gateway": "10.255.0.1"
+                }
+            ]
+        },
+        "Internal": false,
+        "Attachable": false,
+        "Containers": {
+            "ingress-sbox": {
+                "Name": "ingress-endpoint",
+                "EndpointID": "40e002d27b7e5d75f60bc72199d8cae3344e1896abec5eddae9743755fe09115",
+                "MacAddress": "02:42:0a:ff:00:03",
+                "IPv4Address": "10.255.0.3/16",
+                "IPv6Address": ""
+            }
+        },
+        "Options": {
+            "com.docker.network.driver.overlay.vxlanid_list": "256"
+        },
+        "Labels": {},
+        "Peers": [
+            {
+                "Name": "net-1-1d22adfe4d5c",
+                "IP": "192.168.33.11"
+            },
+            {
+                "Name": "net-2-d55d838b34af",
+                "IP": "192.168.33.12"
+            },
+            {
+                "Name": "net-3-8473f8140bd9",
+                "IP": "192.168.33.13"
+            }
+        ]
+    }
+]
+```
+
+### Using `verbose` option for `network inspect`
+
+`docker network inspect --verbose` for swarm mode overlay networks shows service-specific
+details such as the service's VIP and port mappings. It also shows IPs of service tasks,
+and the IPs of the nodes where the tasks are running.
+
+Following is an example output for an overlay network `ov1` that has one service `s1`
+attached to. service `s1` in this case has three replicas.
+
+```bash
+$ docker network inspect --verbose ov1
+[
+    {
+        "Name": "ov1",
+        "Id": "ybmyjvao9vtzy3oorxbssj13b",
+        "Created": "2017-03-13T17:04:39.776106792Z",
+        "Scope": "swarm",
+        "Driver": "overlay",
+        "EnableIPv6": false,
+        "IPAM": {
+            "Driver": "default",
+            "Options": null,
+            "Config": [
+                {
+                    "Subnet": "10.0.0.0/24",
+                    "Gateway": "10.0.0.1"
+                }
+            ]
+        },
+        "Internal": false,
+        "Attachable": false,
+        "Containers": {
+            "020403bd88a15f60747fd25d1ad5fa1272eb740e8a97fc547d8ad07b2f721c5e": {
+                "Name": "s1.1.pjn2ik0sfgkfzed3h0s00gs9o",
+                "EndpointID": "ad16946f416562d658f3bb30b9830d73ad91ccf6feae44411269cd0ff674714e",
+                "MacAddress": "02:42:0a:00:00:04",
+                "IPv4Address": "10.0.0.4/24",
+                "IPv6Address": ""
+            }
+        },
+        "Options": {
+            "com.docker.network.driver.overlay.vxlanid_list": "4097"
+        },
+        "Labels": {},
+        "Peers": [
+            {
+                "Name": "net-3-5d3cfd30a58c",
+                "IP": "192.168.33.13"
+            },
+            {
+                "Name": "net-1-6ecbc0040a73",
+                "IP": "192.168.33.11"
+            },
+            {
+                "Name": "net-2-fb80208efd75",
+                "IP": "192.168.33.12"
+            }
+        ],
+        "Services": {
+            "s1": {
+                "VIP": "10.0.0.2",
+                "Ports": [],
+                "LocalLBIndex": 257,
+                "Tasks": [
+                    {
+                        "Name": "s1.2.q4hcq2aiiml25ubtrtg4q1txt",
+                        "EndpointID": "040879b027e55fb658e8b60ae3b87c6cdac7d291e86a190a3b5ac6567b26511a",
+                        "EndpointIP": "10.0.0.5",
+                        "Info": {
+                            "Host IP": "192.168.33.11"
+                        }
+                    },
+                    {
+                        "Name": "s1.3.yawl4cgkp7imkfx469kn9j6lm",
+                        "EndpointID": "106edff9f120efe44068b834e1cddb5b39dd4a3af70211378b2f7a9e562bbad8",
+                        "EndpointIP": "10.0.0.3",
+                        "Info": {
+                            "Host IP": "192.168.33.12"
+                        }
+                    },
+                    {
+                        "Name": "s1.1.pjn2ik0sfgkfzed3h0s00gs9o",
+                        "EndpointID": "ad16946f416562d658f3bb30b9830d73ad91ccf6feae44411269cd0ff674714e",
+                        "EndpointIP": "10.0.0.4",
+                        "Info": {
+                            "Host IP": "192.168.33.13"
+                        }
+                    }
+                ]
+            }
+        }
+    }
+]
+```
+
+## Related commands
+
+* [network disconnect ](network_disconnect.md)
+* [network connect](network_connect.md)
+* [network create](network_create.md)
+* [network ls](network_ls.md)
+* [network rm](network_rm.md)
+* [network prune](network_prune.md)
+* [Understand Docker container networks](https://docs.docker.com/engine/userguide/networking/)
diff --git a/cli/docs/reference/commandline/network_ls.md b/cli/docs/reference/commandline/network_ls.md
new file mode 100644
index 00000000..6279d32e
--- /dev/null
+++ b/cli/docs/reference/commandline/network_ls.md
@@ -0,0 +1,250 @@
+---
+title: "network ls"
+description: "The network ls command description and usage"
+keywords: "network, list, user-defined"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# docker network ls
+
+```markdown
+Usage:  docker network ls [OPTIONS]
+
+List networks
+
+Aliases:
+  ls, list
+
+Options:
+  -f, --filter filter   Provide filter values (e.g. 'driver=bridge')
+      --format string   Pretty-print networks using a Go template
+      --help            Print usage
+      --no-trunc        Do not truncate the output
+  -q, --quiet           Only display network IDs
+```
+
+## Description
+
+Lists all the networks the Engine `daemon` knows about. This includes the
+networks that span across multiple hosts in a cluster.
+
+## Examples
+
+### List all networks
+
+```bash
+$ sudo docker network ls
+NETWORK ID          NAME                DRIVER          SCOPE
+7fca4eb8c647        bridge              bridge          local
+9f904ee27bf5        none                null            local
+cf03ee007fb4        host                host            local
+78b03ee04fc4        multi-host          overlay         swarm
+```
+
+Use the `--no-trunc` option to display the full network id:
+
+```bash
+$ docker network ls --no-trunc
+NETWORK ID                                                         NAME                DRIVER           SCOPE
+18a2866682b85619a026c81b98a5e375bd33e1b0936a26cc497c283d27bae9b3   none                null             local
+c288470c46f6c8949c5f7e5099b5b7947b07eabe8d9a27d79a9cbf111adcbf47   host                host             local
+7b369448dccbf865d397c8d2be0cda7cf7edc6b0945f77d2529912ae917a0185   bridge              bridge           local
+95e74588f40db048e86320c6526440c504650a1ff3e9f7d60a497c4d2163e5bd   foo                 bridge           local
+63d1ff1f77b07ca51070a8c227e962238358bd310bde1529cf62e6c307ade161   dev                 bridge           local
+```
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there
+is more than one filter, then pass multiple flags (e.g. `--filter "foo=bar" --filter "bif=baz"`).
+Multiple filter flags are combined as an `OR` filter. For example,
+`-f type=custom -f type=builtin` returns both `custom` and `builtin` networks.
+
+The currently supported filters are:
+
+* driver
+* id (network's id)
+* label (`label=<key>` or `label=<key>=<value>`)
+* name (network's name)
+* scope (`swarm|global|local`)
+* type (`custom|builtin`)
+
+#### Driver
+
+The `driver` filter matches networks based on their driver.
+
+The following example matches networks with the `bridge` driver:
+
+```bash
+$ docker network ls --filter driver=bridge
+NETWORK ID          NAME                DRIVER            SCOPE
+db9db329f835        test1               bridge            local
+f6e212da9dfd        test2               bridge            local
+```
+
+#### ID
+
+The `id` filter matches on all or part of a network's ID.
+
+The following filter matches all networks with an ID containing the
+`63d1ff1f77b0...` string.
+
+```bash
+$ docker network ls --filter id=63d1ff1f77b07ca51070a8c227e962238358bd310bde1529cf62e6c307ade161
+NETWORK ID          NAME                DRIVER           SCOPE
+63d1ff1f77b0        dev                 bridge           local
+```
+
+You can also filter for a substring in an ID as this shows:
+
+```bash
+$ docker network ls --filter id=95e74588f40d
+NETWORK ID          NAME                DRIVER          SCOPE
+95e74588f40d        foo                 bridge          local
+
+$ docker network ls --filter id=95e
+NETWORK ID          NAME                DRIVER          SCOPE
+95e74588f40d        foo                 bridge          local
+```
+
+#### Label
+
+The `label` filter matches networks based on the presence of a `label` alone or a `label` and a
+value.
+
+The following filter matches networks with the `usage` label regardless of its value.
+
+```bash
+$ docker network ls -f "label=usage"
+NETWORK ID          NAME                DRIVER         SCOPE
+db9db329f835        test1               bridge         local
+f6e212da9dfd        test2               bridge         local
+```
+
+The following filter matches networks with the `usage` label with the `prod` value.
+
+```bash
+$ docker network ls -f "label=usage=prod"
+NETWORK ID          NAME                DRIVER        SCOPE
+f6e212da9dfd        test2               bridge        local
+```
+
+#### Name
+
+The `name` filter matches on all or part of a network's name.
+
+The following filter matches all networks with a name containing the `foobar` string.
+
+```bash
+$ docker network ls --filter name=foobar
+NETWORK ID          NAME                DRIVER       SCOPE
+06e7eef0a170        foobar              bridge       local
+```
+
+You can also filter for a substring in a name as this shows:
+
+```bash
+$ docker network ls --filter name=foo
+NETWORK ID          NAME                DRIVER       SCOPE
+95e74588f40d        foo                 bridge       local
+06e7eef0a170        foobar              bridge       local
+```
+
+#### Scope
+
+The `scope` filter matches networks based on their scope.
+
+The following example matches networks with the `swarm` scope:
+
+```bash
+$ docker network ls --filter scope=swarm
+NETWORK ID          NAME                DRIVER              SCOPE
+xbtm0v4f1lfh        ingress             overlay             swarm
+ic6r88twuu92        swarmnet            overlay             swarm
+```
+
+The following example matches networks with the `local` scope:
+
+```bash
+$ docker network ls --filter scope=local
+NETWORK ID          NAME                DRIVER              SCOPE
+e85227439ac7        bridge              bridge              local
+0ca0e19443ed        host                host                local
+ca13cc149a36        localnet            bridge              local
+f9e115d2de35        none                null                local
+```
+
+#### Type
+
+The `type` filter supports two values; `builtin` displays predefined networks
+(`bridge`, `none`, `host`), whereas `custom` displays user defined networks.
+
+The following filter matches all user defined networks:
+
+```bash
+$ docker network ls --filter type=custom
+NETWORK ID          NAME                DRIVER       SCOPE
+95e74588f40d        foo                 bridge       local  
+63d1ff1f77b0        dev                 bridge       local
+```
+
+By having this flag it allows for batch cleanup. For example, use this filter
+to delete all user defined networks:
+
+```bash
+$ docker network rm `docker network ls --filter type=custom -q`
+```
+
+A warning will be issued when trying to remove a network that has containers
+attached.
+
+### Formatting
+
+The formatting options (`--format`) pretty-prints networks output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+Placeholder  | Description
+-------------|------------------------------------------------------------------------------------------
+`.ID`        | Network ID
+`.Name`      | Network name
+`.Driver`    | Network driver
+`.Scope`     | Network scope (local, global)
+`.IPv6`      | Whether IPv6 is enabled on the network or not.
+`.Internal`  | Whether the network is internal or not.
+`.Labels`    | All labels assigned to the network.
+`.Label`     | Value of a specific label for this network. For example `{{.Label "project.version"}}`
+`.CreatedAt` | Time when the network was created
+
+When using the `--format` option, the `network ls` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`ID` and `Driver` entries separated by a colon for all networks:
+
+```bash
+$ docker network ls --format "{{.ID}}: {{.Driver}}"
+afaaab448eb2: bridge
+d1584f8dc718: host
+391df270dc66: null
+```
+
+## Related commands
+
+* [network disconnect ](network_disconnect.md)
+* [network connect](network_connect.md)
+* [network create](network_create.md)
+* [network inspect](network_inspect.md)
+* [network rm](network_rm.md)
+* [network prune](network_prune.md)
+* [Understand Docker container networks](https://docs.docker.com/engine/userguide/networking/)
diff --git a/cli/docs/reference/commandline/network_prune.md b/cli/docs/reference/commandline/network_prune.md
new file mode 100644
index 00000000..37a9a6d7
--- /dev/null
+++ b/cli/docs/reference/commandline/network_prune.md
@@ -0,0 +1,104 @@
+---
+title: "network prune"
+description: "Remove unused networks"
+keywords: "network, prune, delete"
+---
+
+# network prune
+
+```markdown
+Usage:	docker network prune [OPTIONS]
+
+Remove all unused networks
+
+Options:
+      --filter filter   Provide filter values (e.g. 'until=<timestamp>')
+  -f, --force           Do not prompt for confirmation
+      --help            Print usage
+```
+
+## Description
+
+Remove all unused networks. Unused networks are those which are not referenced
+by any containers.
+
+## Examples
+
+```bash
+$ docker network prune
+
+WARNING! This will remove all networks not used by at least one container.
+Are you sure you want to continue? [y/N] y
+Deleted Networks:
+n1
+n2
+```
+
+### Filtering
+
+The filtering flag (`--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* until (`<timestamp>`) - only remove networks created before given timestamp
+* label (`label=<key>`, `label=<key>=<value>`, `label!=<key>`, or `label!=<key>=<value>`) - only remove networks with (or without, in case `label!=...` is used) the specified labels.
+
+The `until` filter can be Unix timestamps, date formatted
+timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed
+relative to the daemon machine’s time. Supported formats for date
+formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
+`2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
+timezone on the daemon will be used if you do not provide either a `Z` or a
+`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
+that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
+seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
+fraction of a second no more than nine digits long.
+
+The `label` filter accepts two formats. One is the `label=...` (`label=<key>` or `label=<key>=<value>`),
+which removes networks with the specified labels. The other
+format is the `label!=...` (`label!=<key>` or `label!=<key>=<value>`), which removes
+networks without the specified labels.
+
+The following removes networks created more than 5 minutes ago. Note that
+system networks such as `bridge`, `host`, and `none` will never be pruned:
+
+```none
+$ docker network ls
+
+NETWORK ID          NAME                DRIVER              SCOPE
+7430df902d7a        bridge              bridge              local
+ea92373fd499        foo-1-day-ago       bridge              local
+ab53663ed3c7        foo-1-min-ago       bridge              local
+97b91972bc3b        host                host                local
+f949d337b1f5        none                null                local
+
+$ docker network prune --force --filter until=5m
+
+Deleted Networks:
+foo-1-day-ago
+
+$ docker network ls
+
+NETWORK ID          NAME                DRIVER              SCOPE
+7430df902d7a        bridge              bridge              local
+ab53663ed3c7        foo-1-min-ago       bridge              local
+97b91972bc3b        host                host                local
+f949d337b1f5        none                null                local
+```
+
+## Related commands
+
+* [network disconnect ](network_disconnect.md)
+* [network connect](network_connect.md)
+* [network create](network_create.md)
+* [network ls](network_ls.md)
+* [network inspect](network_inspect.md)
+* [network rm](network_rm.md)
+* [Understand Docker container networks](https://docs.docker.com/engine/userguide/networking/)
+* [system df](system_df.md)
+* [container prune](container_prune.md)
+* [image prune](image_prune.md)
+* [volume prune](volume_prune.md)
+* [system prune](system_prune.md)
diff --git a/cli/docs/reference/commandline/network_rm.md b/cli/docs/reference/commandline/network_rm.md
new file mode 100644
index 00000000..648c290e
--- /dev/null
+++ b/cli/docs/reference/commandline/network_rm.md
@@ -0,0 +1,68 @@
+---
+title: "network rm"
+description: "the network rm command description and usage"
+keywords: "network, rm, user-defined"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# network rm
+
+```markdown
+Usage:  docker network rm NETWORK [NETWORK...]
+
+Remove one or more networks
+
+Aliases:
+  rm, remove
+
+Options:
+      --help   Print usage
+```
+
+## Description
+
+Removes one or more networks by name or identifier. To remove a network,
+you must first disconnect any containers connected to it.
+
+## Examples
+
+### Remove a network
+
+To remove the network named 'my-network':
+
+```bash
+  $ docker network rm my-network
+```
+
+### Remove multiple networks
+
+To delete multiple networks in a single `docker network rm` command, provide
+multiple network names or ids. The following example deletes a network with id
+`3695c422697f` and a network named `my-network`:
+
+```bash
+  $ docker network rm 3695c422697f my-network
+```
+
+When you specify multiple networks, the command attempts to delete each in turn.
+If the deletion of one network fails, the command continues to the next on the
+list and tries to delete that. The command reports success or failure for each
+deletion.
+
+## Related commands
+
+* [network disconnect ](network_disconnect.md)
+* [network connect](network_connect.md)
+* [network create](network_create.md)
+* [network ls](network_ls.md)
+* [network inspect](network_inspect.md)
+* [network prune](network_prune.md)
+* [Understand Docker container networks](https://docs.docker.com/engine/userguide/networking/)
diff --git a/cli/docs/reference/commandline/node.md b/cli/docs/reference/commandline/node.md
new file mode 100644
index 00000000..48efe518
--- /dev/null
+++ b/cli/docs/reference/commandline/node.md
@@ -0,0 +1,42 @@
+
+---
+title: "node"
+description: "The node command description and usage"
+keywords: "node"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# node
+
+```markdown
+Usage:  docker node COMMAND
+
+Manage Swarm nodes
+
+Options:
+      --help   Print usage
+
+Commands:
+  demote      Demote one or more nodes from manager in the swarm
+  inspect     Display detailed information on one or more nodes
+  ls          List nodes in the swarm
+  promote     Promote one or more nodes to manager in the swarm
+  ps          List tasks running on one or more nodes, defaults to current node
+  rm          Remove one or more nodes from the swarm
+  update      Update a node
+
+Run 'docker node COMMAND --help' for more information on a command.
+```
+
+## Description
+
+Manage nodes.
+
diff --git a/cli/docs/reference/commandline/node_demote.md b/cli/docs/reference/commandline/node_demote.md
new file mode 100644
index 00000000..e978fa7f
--- /dev/null
+++ b/cli/docs/reference/commandline/node_demote.md
@@ -0,0 +1,47 @@
+---
+title: "node demote"
+description: "The node demote command description and usage"
+keywords: "node, demote"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# node demote
+
+```markdown
+Usage:  docker node demote NODE [NODE...]
+
+Demote one or more nodes from manager in the swarm
+
+Options:
+      --help   Print usage
+
+```
+
+## Description
+
+Demotes an existing manager so that it is no longer a manager. This command
+targets a docker engine that is a manager in the swarm.
+
+
+## Examples
+
+```bash
+$ docker node demote <node name>
+```
+
+## Related commands
+
+* [node inspect](node_inspect.md)
+* [node ls](node_ls.md)
+* [node promote](node_promote.md)
+* [node ps](node_ps.md)
+* [node rm](node_rm.md)
+* [node update](node_update.md)
diff --git a/cli/docs/reference/commandline/node_inspect.md b/cli/docs/reference/commandline/node_inspect.md
new file mode 100644
index 00000000..e72d0ed1
--- /dev/null
+++ b/cli/docs/reference/commandline/node_inspect.md
@@ -0,0 +1,167 @@
+---
+title: "node inspect"
+description: "The node inspect command description and usage"
+keywords: "node, inspect"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# node inspect
+
+```markdown
+Usage:  docker node inspect [OPTIONS] self|NODE [NODE...]
+
+Display detailed information on one or more nodes
+
+Options:
+  -f, --format string   Format the output using the given Go template
+      --help            Print usage
+      --pretty          Print the information in a human friendly format
+```
+
+## Description
+
+Returns information about a node. By default, this command renders all results
+in a JSON array. You can specify an alternate format to execute a
+given template for each result. Go's
+[text/template](http://golang.org/pkg/text/template/) package describes all the
+details of the format.
+
+## Examples
+
+### Inspect a node
+
+```none
+$ docker node inspect swarm-manager
+
+[
+{
+    "ID": "e216jshn25ckzbvmwlnh5jr3g",
+    "Version": {
+        "Index": 10
+    },
+    "CreatedAt": "2017-05-16T22:52:44.9910662Z",
+    "UpdatedAt": "2017-05-16T22:52:45.230878043Z",
+    "Spec": {
+        "Role": "manager",
+        "Availability": "active"
+    },
+    "Description": {
+        "Hostname": "swarm-manager",
+        "Platform": {
+            "Architecture": "x86_64",
+            "OS": "linux"
+        },
+        "Resources": {
+            "NanoCPUs": 1000000000,
+            "MemoryBytes": 1039843328
+        },
+        "Engine": {
+            "EngineVersion": "17.06.0-ce",
+            "Plugins": [
+                {
+                    "Type": "Volume",
+                    "Name": "local"
+                },
+                {
+                    "Type": "Network",
+                    "Name": "overlay"
+                },
+                {
+                    "Type": "Network",
+                    "Name": "null"
+                },
+                {
+                    "Type": "Network",
+                    "Name": "host"
+                },
+                {
+                    "Type": "Network",
+                    "Name": "bridge"
+                },
+                {
+                    "Type": "Network",
+                    "Name": "overlay"
+                }
+            ]
+        },
+        "TLSInfo": {
+            "TrustRoot": "-----BEGIN CERTIFICATE-----\nMIIBazCCARCgAwIBAgIUOzgqU4tA2q5Yv1HnkzhSIwGyIBswCgYIKoZIzj0EAwIw\nEzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTAyMDAyNDAwWhcNMzcwNDI3MDAy\nNDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABMbiAmET+HZyve35ujrnL2kOLBEQhFDZ5MhxAuYs96n796sFlfxTxC1lM/2g\nAh8DI34pm3JmHgZxeBPKUURJHKWjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB\nAf8EBTADAQH/MB0GA1UdDgQWBBS3sjTJOcXdkls6WSY2rTx1KIJueTAKBggqhkjO\nPQQDAgNJADBGAiEAoeVWkaXgSUAucQmZ3Yhmx22N/cq1EPBgYHOBZmHt0NkCIQC3\nzONcJ/+WA21OXtb+vcijpUOXtNjyHfcox0N8wsLDqQ==\n-----END CERTIFICATE-----\n",
+            "CertIssuerSubject": "MBMxETAPBgNVBAMTCHN3YXJtLWNh",
+            "CertIssuerPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExuICYRP4dnK97fm6OucvaQ4sERCEUNnkyHEC5iz3qfv3qwWV/FPELWUz/aACHwMjfimbcmYeBnF4E8pRREkcpQ=="
+        }
+    },
+    "Status": {
+        "State": "ready",
+        "Addr": "168.0.32.137"
+    },
+    "ManagerStatus": {
+        "Leader": true,
+        "Reachability": "reachable",
+        "Addr": "168.0.32.137:2377"
+    }
+}
+]
+```
+
+### Specify an output format
+
+```none
+$ docker node inspect --format '{{ .ManagerStatus.Leader }}' self
+
+false
+
+$ docker node inspect --pretty self
+ID:                     e216jshn25ckzbvmwlnh5jr3g
+Hostname:               swarm-manager
+Joined at:              2017-05-16 22:52:44.9910662 +0000 utc
+Status:
+ State:                 Ready
+ Availability:          Active
+ Address:               172.17.0.2
+Manager Status:
+ Address:               172.17.0.2:2377
+ Raft Status:           Reachable
+ Leader:                Yes
+Platform:
+ Operating System:      linux
+ Architecture:          x86_64
+Resources:
+ CPUs:                  4
+ Memory:                7.704 GiB
+Plugins:
+  Network:              overlay, bridge, null, host, overlay
+  Volume:               local
+Engine Version:         17.06.0-ce
+TLS Info:
+ TrustRoot:
+-----BEGIN CERTIFICATE-----
+MIIBazCCARCgAwIBAgIUOzgqU4tA2q5Yv1HnkzhSIwGyIBswCgYIKoZIzj0EAwIw
+EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTAyMDAyNDAwWhcNMzcwNDI3MDAy
+NDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABMbiAmET+HZyve35ujrnL2kOLBEQhFDZ5MhxAuYs96n796sFlfxTxC1lM/2g
+Ah8DI34pm3JmHgZxeBPKUURJHKWjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBS3sjTJOcXdkls6WSY2rTx1KIJueTAKBggqhkjO
+PQQDAgNJADBGAiEAoeVWkaXgSUAucQmZ3Yhmx22N/cq1EPBgYHOBZmHt0NkCIQC3
+zONcJ/+WA21OXtb+vcijpUOXtNjyHfcox0N8wsLDqQ==
+-----END CERTIFICATE-----
+
+ Issuer Public Key:	MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExuICYRP4dnK97fm6OucvaQ4sERCEUNnkyHEC5iz3qfv3qwWV/FPELWUz/aACHwMjfimbcmYeBnF4E8pRREkcpQ==
+ Issuer Subject:	MBMxETAPBgNVBAMTCHN3YXJtLWNh
+```
+
+## Related commands
+
+* [node demote](node_demote.md)
+* [node ls](node_ls.md)
+* [node promote](node_promote.md)
+* [node ps](node_ps.md)
+* [node rm](node_rm.md)
+* [node update](node_update.md)
diff --git a/cli/docs/reference/commandline/node_ls.md b/cli/docs/reference/commandline/node_ls.md
new file mode 100644
index 00000000..50335449
--- /dev/null
+++ b/cli/docs/reference/commandline/node_ls.md
@@ -0,0 +1,172 @@
+---
+title: "node ls"
+description: "The node ls command description and usage"
+keywords: "node, list"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# node ls
+
+```markdown
+Usage:  docker node ls [OPTIONS]
+
+List nodes in the swarm
+
+Aliases:
+  ls, list
+
+Options:
+  -f, --filter filter   Filter output based on conditions provided
+      --format string   Pretty-print nodes using a Go template
+      --help            Print usage
+  -q, --quiet           Only display IDs
+```
+
+## Description
+
+Lists all the nodes that the Docker Swarm manager knows about. You can filter
+using the `-f` or `--filter` flag. Refer to the [filtering](#filtering) section
+for more information about available filter options.
+
+## Examples
+
+```bash
+$ docker node ls
+
+ID                           HOSTNAME        STATUS  AVAILABILITY  MANAGER STATUS
+1bcef6utixb0l0ca7gxuivsj0    swarm-worker2   Ready   Active
+38ciaotwjuritcdtn9npbnkuz    swarm-worker1   Ready   Active
+e216jshn25ckzbvmwlnh5jr3g *  swarm-manager1  Ready   Active        Leader
+```
+> **Note**:
+> In the above example output, there is a hidden column of `.Self` that indicates if the
+> node is the same node as the current docker daemon. A `*` (e.g., `e216jshn25ckzbvmwlnh5jr3g *`)
+> means this node is the current docker daemon.
+
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* [id](node_ls.md#id)
+* [label](node_ls.md#label)
+* [membership](node_ls.md#membership)
+* [name](node_ls.md#name)
+* [role](node_ls.md#role)
+
+#### id
+
+The `id` filter matches all or part of a node's id.
+
+```bash
+$ docker node ls -f id=1
+
+ID                         HOSTNAME       STATUS  AVAILABILITY  MANAGER STATUS
+1bcef6utixb0l0ca7gxuivsj0  swarm-worker2  Ready   Active
+```
+
+#### label
+
+The `label` filter matches nodes based on engine labels and on the presence of a `label` alone or a `label` and a value. Node labels are currently not used for filtering.
+
+The following filter matches nodes with the `foo` label regardless of its value.
+
+```bash
+$ docker node ls -f "label=foo"
+
+ID                         HOSTNAME       STATUS  AVAILABILITY  MANAGER STATUS
+1bcef6utixb0l0ca7gxuivsj0  swarm-worker2  Ready   Active
+```
+
+#### membership
+
+The `membership` filter matches nodes based on the presence of a `membership` and a value
+`accepted` or `pending`.
+
+The following filter matches nodes with the `membership` of `accepted`.
+
+```bash
+$ docker node ls -f "membership=accepted"
+
+ID                           HOSTNAME        STATUS  AVAILABILITY  MANAGER STATUS
+1bcef6utixb0l0ca7gxuivsj0    swarm-worker2   Ready   Active
+38ciaotwjuritcdtn9npbnkuz    swarm-worker1   Ready   Active
+```
+
+#### name
+
+The `name` filter matches on all or part of a node hostname.
+
+The following filter matches the nodes with a name equal to `swarm-master` string.
+
+```bash
+$ docker node ls -f name=swarm-manager1
+
+ID                           HOSTNAME        STATUS  AVAILABILITY  MANAGER STATUS
+e216jshn25ckzbvmwlnh5jr3g *  swarm-manager1  Ready   Active        Leader
+```
+
+#### role
+
+The `role` filter matches nodes based on the presence of a `role` and a value `worker` or `manager`.
+
+The following filter matches nodes with the `manager` role.
+
+```bash
+$ docker node ls -f "role=manager"
+
+ID                           HOSTNAME        STATUS  AVAILABILITY  MANAGER STATUS
+e216jshn25ckzbvmwlnh5jr3g *  swarm-manager1  Ready   Active        Leader
+```
+
+### Formatting
+
+The formatting options (`--format`) pretty-prints nodes output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+Placeholder      | Description
+-----------------|------------------------------------------------------------------------------------------
+`.ID`            | Node ID
+`.Self`          | Node of the daemon (`true/false`, `true`indicates that the node is the same as current docker daemon)
+`.Hostname`      | Node hostname
+`.Status`        | Node status
+`.Availability`  | Node availability ("active", "pause", or "drain")
+`.ManagerStatus` | Manager status of the node
+`.TLSStatus`     | TLS status of the node ("Ready", or "Needs Rotation" has TLS certificate signed by an old CA)
+`.EngineVersion` | Engine version
+
+When using the `--format` option, the `node ls` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`ID`, `Hostname`, and `TLS Status` entries separated by a colon for all nodes:
+
+```bash
+$ docker node ls --format "{{.ID}}: {{.Hostname}} {{.TLSStatus}}"
+e216jshn25ckzbvmwlnh5jr3g: swarm-manager1 Ready
+35o6tiywb700jesrt3dmllaza: swarm-worker1 Needs Rotation  
+```
+
+
+## Related commands
+
+* [node demote](node_demote.md)
+* [node inspect](node_inspect.md)
+* [node promote](node_promote.md)
+* [node ps](node_ps.md)
+* [node rm](node_rm.md)
+* [node update](node_update.md)
diff --git a/cli/docs/reference/commandline/node_promote.md b/cli/docs/reference/commandline/node_promote.md
new file mode 100644
index 00000000..666b762d
--- /dev/null
+++ b/cli/docs/reference/commandline/node_promote.md
@@ -0,0 +1,45 @@
+---
+title: "node promote"
+description: "The node promote command description and usage"
+keywords: "node, promote"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# node promote
+
+```markdown
+Usage:  docker node promote NODE [NODE...]
+
+Promote one or more nodes to manager in the swarm
+
+Options:
+      --help   Print usage
+```
+
+## Description
+
+Promotes a node to manager. This command targets a docker engine that is a
+manager in the swarm.
+
+## Examples
+
+```bash
+$ docker node promote <node name>
+```
+
+## Related commands
+
+* [node demote](node_demote.md)
+* [node inspect](node_inspect.md)
+* [node ls](node_ls.md)
+* [node ps](node_ps.md)
+* [node rm](node_rm.md)
+* [node update](node_update.md)
diff --git a/cli/docs/reference/commandline/node_ps.md b/cli/docs/reference/commandline/node_ps.md
new file mode 100644
index 00000000..30d37f08
--- /dev/null
+++ b/cli/docs/reference/commandline/node_ps.md
@@ -0,0 +1,148 @@
+---
+title: "node ps"
+description: "The node ps command description and usage"
+keywords: node, tasks, ps
+aliases: ["/engine/reference/commandline/node_tasks/"]
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# node ps
+
+```markdown
+Usage:  docker node ps [OPTIONS] [NODE...]
+
+List tasks running on one or more nodes, defaults to current node.
+
+Options:
+  -f, --filter filter   Filter output based on conditions provided
+      --format string   Pretty-print tasks using a Go template
+      --help            Print usage
+      --no-resolve      Do not map IDs to Names
+      --no-trunc        Do not truncate output
+  -q, --quiet           Only display task IDs
+```
+
+## Description
+
+Lists all the tasks on a Node that Docker knows about. You can filter using the `-f` or `--filter` flag. Refer to the [filtering](#filtering) section for more information about available filter options.
+
+## Examples
+
+```bash
+$ docker node ps swarm-manager1
+NAME                                IMAGE        NODE            DESIRED STATE  CURRENT STATE
+redis.1.7q92v0nr1hcgts2amcjyqg3pq   redis:3.0.6  swarm-manager1  Running        Running 5 hours
+redis.6.b465edgho06e318egmgjbqo4o   redis:3.0.6  swarm-manager1  Running        Running 29 seconds
+redis.7.bg8c07zzg87di2mufeq51a2qp   redis:3.0.6  swarm-manager1  Running        Running 5 seconds
+redis.9.dkkual96p4bb3s6b10r7coxxt   redis:3.0.6  swarm-manager1  Running        Running 5 seconds
+redis.10.0tgctg8h8cech4w0k0gwrmr23  redis:3.0.6  swarm-manager1  Running        Running 5 seconds
+```
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* [name](#name)
+* [id](#id)
+* [label](#label)
+* [desired-state](#desired-state)
+
+#### name
+
+The `name` filter matches on all or part of a task's name.
+
+The following filter matches all tasks with a name containing the `redis` string.
+
+```bash
+$ docker node ps -f name=redis swarm-manager1
+
+NAME                                IMAGE        NODE            DESIRED STATE  CURRENT STATE
+redis.1.7q92v0nr1hcgts2amcjyqg3pq   redis:3.0.6  swarm-manager1  Running        Running 5 hours
+redis.6.b465edgho06e318egmgjbqo4o   redis:3.0.6  swarm-manager1  Running        Running 29 seconds
+redis.7.bg8c07zzg87di2mufeq51a2qp   redis:3.0.6  swarm-manager1  Running        Running 5 seconds
+redis.9.dkkual96p4bb3s6b10r7coxxt   redis:3.0.6  swarm-manager1  Running        Running 5 seconds
+redis.10.0tgctg8h8cech4w0k0gwrmr23  redis:3.0.6  swarm-manager1  Running        Running 5 seconds
+```
+
+#### id
+
+The `id` filter matches a task's id.
+
+```bash
+$ docker node ps -f id=bg8c07zzg87di2mufeq51a2qp swarm-manager1
+
+NAME                                IMAGE        NODE            DESIRED STATE  CURRENT STATE
+redis.7.bg8c07zzg87di2mufeq51a2qp   redis:3.0.6  swarm-manager1  Running        Running 5 seconds
+```
+
+#### label
+
+The `label` filter matches tasks based on the presence of a `label` alone or a `label` and a
+value.
+
+The following filter matches tasks with the `usage` label regardless of its value.
+
+```bash
+$ docker node ps -f "label=usage"
+
+NAME                               IMAGE        NODE            DESIRED STATE  CURRENT STATE
+redis.6.b465edgho06e318egmgjbqo4o  redis:3.0.6  swarm-manager1  Running        Running 10 minutes
+redis.7.bg8c07zzg87di2mufeq51a2qp  redis:3.0.6  swarm-manager1  Running        Running 9 minutes
+```
+
+
+#### desired-state
+
+The `desired-state` filter can take the values `running`, `shutdown`, or `accepted`.
+
+
+### Formatting
+
+The formatting options (`--format`) pretty-prints tasks output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+Placeholder     | Description
+----------------|------------------------------------------------------------------------------------------
+`.Name`         | Task name
+`.Image`        | Task image
+`.Node`         | Node ID
+`.DesiredState` | Desired state of the task (`running`, `shutdown`, or `accepted`)
+`.CurrentState` | Current state of the task
+`.Error`        | Error
+`.Ports`        | Task published ports
+
+When using the `--format` option, the `node ps` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`Name` and `Image` entries separated by a colon for all tasks:
+
+```bash
+$ docker node ps --format "{{.Name}}: {{.Image}}"
+top.1: busybox
+top.2: busybox
+top.3: busybox
+```
+
+## Related commands
+
+* [node demote](node_demote.md)
+* [node inspect](node_inspect.md)
+* [node ls](node_ls.md)
+* [node promote](node_promote.md)
+* [node rm](node_rm.md)
+* [node update](node_update.md)
diff --git a/cli/docs/reference/commandline/node_rm.md b/cli/docs/reference/commandline/node_rm.md
new file mode 100644
index 00000000..545b0910
--- /dev/null
+++ b/cli/docs/reference/commandline/node_rm.md
@@ -0,0 +1,80 @@
+---
+title: "node rm"
+description: "The node rm command description and usage"
+keywords: "node, remove"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# node rm
+
+```markdown
+Usage:	docker node rm [OPTIONS] NODE [NODE...]
+
+Remove one or more nodes from the swarm
+
+Aliases:
+  rm, remove
+
+Options:
+  -f, --force   Force remove a node from the swarm
+      --help    Print usage
+```
+
+## Description
+
+When run from a manager node, removes the specified nodes from a swarm.
+
+
+## Examples
+
+### Remove a stopped node from the swarm
+
+```bash
+$ docker node rm swarm-node-02
+
+Node swarm-node-02 removed from swarm
+```
+### Attempt to remove a running node from a swarm
+
+Removes the specified nodes from the swarm, but only if the nodes are in the
+down state. If you attempt to remove an active node you will receive an error:
+
+```non
+$ docker node rm swarm-node-03
+
+Error response from daemon: rpc error: code = 9 desc = node swarm-node-03 is not
+down and can't be removed
+```
+
+### Forcibly remove an inaccessible node from a swarm
+
+If you lose access to a worker node or need to shut it down because it has been
+compromised or is not behaving as expected, you can use the `--force` option.
+This may cause transient errors or interruptions, depending on the type of task
+being run on the node.
+
+```bash
+$ docker node rm --force swarm-node-03
+
+Node swarm-node-03 removed from swarm
+```
+
+A manager node must be demoted to a worker node (using `docker node demote`)
+before you can remove it from the swarm.
+
+## Related commands
+
+* [node demote](node_demote.md)
+* [node inspect](node_inspect.md)
+* [node ls](node_ls.md)
+* [node promote](node_promote.md)
+* [node ps](node_ps.md)
+* [node update](node_update.md)
diff --git a/cli/docs/reference/commandline/node_update.md b/cli/docs/reference/commandline/node_update.md
new file mode 100644
index 00000000..61e0e16a
--- /dev/null
+++ b/cli/docs/reference/commandline/node_update.md
@@ -0,0 +1,77 @@
+---
+title: "node update"
+description: "The node update command description and usage"
+keywords: "resources, update, dynamically"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# update
+
+```markdown
+Usage:  docker node update [OPTIONS] NODE
+
+Update a node
+
+Options:
+      --availability string   Availability of the node ("active"|"pause"|"drain")
+      --help                  Print usage
+      --label-add value       Add or update a node label (key=value) (default [])
+      --label-rm value        Remove a node label if exists (default [])
+      --role string           Role of the node ("worker"|"manager")
+```
+
+## Description
+
+Update metadata about a node, such as its availability, labels, or roles.
+
+## Examples
+
+### Add label metadata to a node
+
+Add metadata to a swarm node using node labels. You can specify a node label as
+a key with an empty value:
+
+``` bash
+$ docker node update --label-add foo worker1
+```
+
+To add multiple labels to a node, pass the `--label-add` flag for each label:
+
+```bash
+$ docker node update --label-add foo --label-add bar worker1
+```
+
+When you [create a service](service_create.md),
+you can use node labels as a constraint. A constraint limits the nodes where the
+scheduler deploys tasks for a service.
+
+For example, to add a `type` label to identify nodes where the scheduler should
+deploy message queue service tasks:
+
+``` bash
+$ docker node update --label-add type=queue worker1
+```
+
+The labels you set for nodes using `docker node update` apply only to the node
+entity within the swarm. Do not confuse them with the docker daemon labels for
+[dockerd](https://docs.docker.com/engine/userguide/labels-custom-metadata/#daemon-labels).
+
+For more information about labels, refer to [apply custom
+metadata](https://docs.docker.com/engine/userguide/labels-custom-metadata/).
+
+## Related commands
+
+* [node demote](node_demote.md)
+* [node inspect](node_inspect.md)
+* [node ls](node_ls.md)
+* [node promote](node_promote.md)
+* [node ps](node_ps.md)
+* [node rm](node_rm.md)
diff --git a/cli/docs/reference/commandline/pause.md b/cli/docs/reference/commandline/pause.md
new file mode 100644
index 00000000..91eb0a33
--- /dev/null
+++ b/cli/docs/reference/commandline/pause.md
@@ -0,0 +1,48 @@
+---
+title: "pause"
+description: "The pause command description and usage"
+keywords: "cgroups, container, suspend, SIGSTOP"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# pause
+
+```markdown
+Usage:  docker pause CONTAINER [CONTAINER...]
+
+Pause all processes within one or more containers
+
+Options:
+      --help   Print usage
+```
+
+## Description
+
+The `docker pause` command suspends all processes in the specified containers.
+On Linux, this uses the cgroups freezer. Traditionally, when suspending a process
+the `SIGSTOP` signal is used, which is observable by the process being suspended.
+With the cgroups freezer the process is unaware, and unable to capture,
+that it is being suspended, and subsequently resumed. On Windows, only Hyper-V
+containers can be paused.
+
+See the
+[cgroups freezer documentation](https://www.kernel.org/doc/Documentation/cgroup-v1/freezer-subsystem.txt)
+for further details.
+
+## Examples
+
+```bash
+$ docker pause my_container
+```
+
+## Related commands
+
+* [unpause](unpause.md)
diff --git a/cli/docs/reference/commandline/plugin.md b/cli/docs/reference/commandline/plugin.md
new file mode 100644
index 00000000..9b488d69
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin.md
@@ -0,0 +1,44 @@
+---
+title: "plugin"
+description: "The plugin command description and usage"
+keywords: "plugin"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# plugin
+
+```markdown
+Usage:  docker plugin COMMAND
+
+Manage plugins
+
+Options:
+      --help   Print usage
+
+Commands:
+  create      Create a plugin from a rootfs and configuration. Plugin data directory must contain config.json and rootfs directory.
+  disable     Disable a plugin
+  enable      Enable a plugin
+  inspect     Display detailed information on one or more plugins
+  install     Install a plugin
+  ls          List plugins
+  push        Push a plugin to a registry
+  rm          Remove one or more plugins
+  set         Change settings for a plugin
+  upgrade     Upgrade an existing plugin
+
+Run 'docker plugin COMMAND --help' for more information on a command.
+
+```
+
+## Description
+
+Manage plugins.
diff --git a/cli/docs/reference/commandline/plugin_create.md b/cli/docs/reference/commandline/plugin_create.md
new file mode 100644
index 00000000..c0785375
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin_create.md
@@ -0,0 +1,66 @@
+---
+title: "plugin create"
+description: "the plugin create command description and usage"
+keywords: "plugin, create"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# plugin create
+
+```markdown
+Usage:  docker plugin create [OPTIONS] PLUGIN PLUGIN-DATA-DIR
+
+Create a plugin from a rootfs and configuration. Plugin data directory must contain config.json and rootfs directory.
+
+Options:
+      --compress   Compress the context using gzip
+      --help       Print usage
+```
+
+## Description
+
+Creates a plugin. Before creating the plugin, prepare the plugin's root filesystem as well as
+[the config.json](../../extend/config.md)
+
+## Examples
+
+The following example shows how to create a sample `plugin`.
+
+```bash
+$ ls -ls /home/pluginDir
+
+total 4
+4 -rw-r--r--  1 root root 431 Nov  7 01:40 config.json
+0 drwxr-xr-x 19 root root 420 Nov  7 01:40 rootfs
+
+$ docker plugin create plugin /home/pluginDir
+
+plugin
+
+$ docker plugin ls
+
+ID                  NAME                TAG                 DESCRIPTION                  ENABLED
+672d8144ec02        plugin              latest              A sample plugin for Docker   false
+```
+
+The plugin can subsequently be enabled for local use or pushed to the public registry.
+
+## Related commands
+
+* [plugin disable](plugin_disable.md)
+* [plugin enable](plugin_enable.md)
+* [plugin inspect](plugin_inspect.md)
+* [plugin install](plugin_install.md)
+* [plugin ls](plugin_ls.md)
+* [plugin push](plugin_push.md)
+* [plugin rm](plugin_rm.md)
+* [plugin set](plugin_set.md)
+* [plugin upgrade](plugin_upgrade.md)
diff --git a/cli/docs/reference/commandline/plugin_disable.md b/cli/docs/reference/commandline/plugin_disable.md
new file mode 100644
index 00000000..83d2e68e
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin_disable.md
@@ -0,0 +1,69 @@
+---
+title: "plugin disable"
+description: "the plugin disable command description and usage"
+keywords: "plugin, disable"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# plugin disable
+
+```markdown
+Usage:  docker plugin disable [OPTIONS] PLUGIN
+
+Disable a plugin
+
+Options:
+  -f, --force   Force the disable of an active plugin
+      --help    Print usage
+```
+
+## Description
+
+Disables a plugin. The plugin must be installed before it can be disabled,
+see [`docker plugin install`](plugin_install.md). Without the `-f` option,
+a plugin that has references (e.g., volumes, networks) cannot be disabled.
+
+## Examples
+
+The following example shows that the `sample-volume-plugin` plugin is installed
+and enabled:
+
+```bash
+$ docker plugin ls
+
+ID                  NAME                             TAG                 DESCRIPTION                ENABLED
+69553ca1d123        tiborvass/sample-volume-plugin   latest              A test plugin for Docker   true
+```
+
+To disable the plugin, use the following command:
+
+```bash
+$ docker plugin disable tiborvass/sample-volume-plugin
+
+tiborvass/sample-volume-plugin
+
+$ docker plugin ls
+
+ID                  NAME                             TAG                 DESCRIPTION                ENABLED
+69553ca1d123        tiborvass/sample-volume-plugin   latest              A test plugin for Docker   false
+```
+
+## Related commands
+
+* [plugin create](plugin_create.md)
+* [plugin enable](plugin_enable.md)
+* [plugin inspect](plugin_inspect.md)
+* [plugin install](plugin_install.md)
+* [plugin ls](plugin_ls.md)
+* [plugin push](plugin_push.md)
+* [plugin rm](plugin_rm.md)
+* [plugin set](plugin_set.md)
+* [plugin upgrade](plugin_upgrade.md)
diff --git a/cli/docs/reference/commandline/plugin_enable.md b/cli/docs/reference/commandline/plugin_enable.md
new file mode 100644
index 00000000..b8319968
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin_enable.md
@@ -0,0 +1,68 @@
+---
+title: "plugin enable"
+description: "the plugin enable command description and usage"
+keywords: "plugin, enable"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# plugin enable
+
+```markdown
+Usage:  docker plugin enable [OPTIONS] PLUGIN
+
+Enable a plugin
+
+Options:
+      --help          Print usage
+      --timeout int   HTTP client timeout (in seconds)
+```
+
+## Description
+
+Enables a plugin. The plugin must be installed before it can be enabled,
+see [`docker plugin install`](plugin_install.md).
+
+## Examples
+
+The following example shows that the `sample-volume-plugin` plugin is installed,
+but disabled:
+
+```bash
+$ docker plugin ls
+
+ID                  NAME                             TAG                 DESCRIPTION                ENABLED
+69553ca1d123        tiborvass/sample-volume-plugin   latest              A test plugin for Docker   false
+```
+
+To enable the plugin, use the following command:
+
+```bash
+$ docker plugin enable tiborvass/sample-volume-plugin
+
+tiborvass/sample-volume-plugin
+
+$ docker plugin ls
+
+ID                  NAME                             TAG                 DESCRIPTION                ENABLED
+69553ca1d123        tiborvass/sample-volume-plugin   latest              A test plugin for Docker   true
+```
+
+## Related commands
+
+* [plugin create](plugin_create.md)
+* [plugin disable](plugin_disable.md)
+* [plugin inspect](plugin_inspect.md)
+* [plugin install](plugin_install.md)
+* [plugin ls](plugin_ls.md)
+* [plugin push](plugin_push.md)
+* [plugin rm](plugin_rm.md)
+* [plugin set](plugin_set.md)
+* [plugin upgrade](plugin_upgrade.md)
diff --git a/cli/docs/reference/commandline/plugin_inspect.md b/cli/docs/reference/commandline/plugin_inspect.md
new file mode 100644
index 00000000..c8bbab75
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin_inspect.md
@@ -0,0 +1,166 @@
+---
+title: "plugin inspect"
+description: "The plugin inspect command description and usage"
+keywords: "plugin, inspect"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# plugin inspect
+
+```markdown
+Usage:	docker plugin inspect [OPTIONS] PLUGIN [PLUGIN...]
+
+Display detailed information on one or more plugins
+
+Options:
+  -f, --format string   Format the output using the given Go template
+      --help            Print usage
+```
+
+## Description
+
+Returns information about a plugin. By default, this command renders all results
+in a JSON array.
+
+## Examples
+
+
+```none
+$ docker plugin inspect tiborvass/sample-volume-plugin:latest
+
+{
+  "Id": "8c74c978c434745c3ade82f1bc0acf38d04990eaf494fa507c16d9f1daa99c21",
+  "Name": "tiborvass/sample-volume-plugin:latest",
+  "PluginReference": "tiborvas/sample-volume-plugin:latest",
+  "Enabled": true,
+  "Config": {
+    "Mounts": [
+      {
+        "Name": "",
+        "Description": "",
+        "Settable": null,
+        "Source": "/data",
+        "Destination": "/data",
+        "Type": "bind",
+        "Options": [
+          "shared",
+          "rbind"
+        ]
+      },
+      {
+        "Name": "",
+        "Description": "",
+        "Settable": null,
+        "Source": null,
+        "Destination": "/foobar",
+        "Type": "tmpfs",
+        "Options": null
+      }
+    ],
+    "Env": [
+      "DEBUG=1"
+    ],
+    "Args": null,
+    "Devices": null
+  },
+  "Manifest": {
+    "ManifestVersion": "v0",
+    "Description": "A test plugin for Docker",
+    "Documentation": "https://docs.docker.com/engine/extend/plugins/",
+    "Interface": {
+      "Types": [
+        "docker.volumedriver/1.0"
+      ],
+      "Socket": "plugins.sock"
+    },
+    "Entrypoint": [
+      "plugin-sample-volume-plugin",
+      "/data"
+    ],
+    "Workdir": "",
+    "User": {
+    },
+    "Network": {
+      "Type": "host"
+    },
+    "Capabilities": null,
+    "Mounts": [
+      {
+        "Name": "",
+        "Description": "",
+        "Settable": null,
+        "Source": "/data",
+        "Destination": "/data",
+        "Type": "bind",
+        "Options": [
+          "shared",
+          "rbind"
+        ]
+      },
+      {
+        "Name": "",
+        "Description": "",
+        "Settable": null,
+        "Source": null,
+        "Destination": "/foobar",
+        "Type": "tmpfs",
+        "Options": null
+      }
+    ],
+    "Devices": [
+      {
+        "Name": "device",
+        "Description": "a host device to mount",
+        "Settable": null,
+        "Path": "/dev/cpu_dma_latency"
+      }
+    ],
+    "Env": [
+      {
+        "Name": "DEBUG",
+        "Description": "If set, prints debug messages",
+        "Settable": null,
+        "Value": "1"
+      }
+    ],
+    "Args": {
+      "Name": "args",
+      "Description": "command line arguments",
+      "Settable": null,
+      "Value": [
+
+      ]
+    }
+  }
+}
+```
+
+(output formatted for readability)
+
+### Formatting the output
+
+```bash
+$ docker plugin inspect -f '{{.Id}}' tiborvass/sample-volume-plugin:latest
+
+8c74c978c434745c3ade82f1bc0acf38d04990eaf494fa507c16d9f1daa99c21
+```
+
+## Related commands
+
+* [plugin create](plugin_create.md)
+* [plugin enable](plugin_enable.md)
+* [plugin disable](plugin_disable.md)
+* [plugin install](plugin_install.md)
+* [plugin ls](plugin_ls.md)
+* [plugin push](plugin_push.md)
+* [plugin rm](plugin_rm.md)
+* [plugin set](plugin_set.md)
+* [plugin upgrade](plugin_upgrade.md)
diff --git a/cli/docs/reference/commandline/plugin_install.md b/cli/docs/reference/commandline/plugin_install.md
new file mode 100644
index 00000000..a0c92c52
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin_install.md
@@ -0,0 +1,75 @@
+---
+title: "plugin install"
+description: "the plugin install command description and usage"
+keywords: "plugin, install"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# plugin install
+
+```markdown
+Usage:  docker plugin install [OPTIONS] PLUGIN [KEY=VALUE...]
+
+Install a plugin
+
+Options:
+      --alias string            Local name for plugin
+      --disable                 Do not enable the plugin on install
+      --disable-content-trust   Skip image verification (default true)
+      --grant-all-permissions   Grant all permissions necessary to run the plugin
+      --help                    Print usage
+```
+
+## Description
+
+Installs and enables a plugin. Docker looks first for the plugin on your Docker
+host. If the plugin does not exist locally, then the plugin is pulled from
+the registry. Note that the minimum required registry version to distribute
+plugins is 2.3.0
+
+## Examples
+
+The following example installs `vieus/sshfs` plugin and [sets](plugin_set.md) its
+`DEBUG` environment variable to `1`. To install, `pull` the plugin from Docker
+Hub and prompt the user to accept the list of privileges that the plugin needs,
+set the plugin's parameters and enable the plugin.
+
+```bash
+$ docker plugin install vieux/sshfs DEBUG=1
+
+Plugin "vieux/sshfs" is requesting the following privileges:
+ - network: [host]
+ - device: [/dev/fuse]
+ - capabilities: [CAP_SYS_ADMIN]
+Do you grant the above permissions? [y/N] y
+vieux/sshfs
+```
+
+After the plugin is installed, it appears in the list of plugins:
+
+```bash
+$ docker plugin ls
+
+ID                  NAME                  TAG                 DESCRIPTION                ENABLED
+69553ca1d123        vieux/sshfs           latest              sshFS plugin for Docker    true
+```
+
+## Related commands
+
+* [plugin create](plugin_create.md)
+* [plugin disable](plugin_disable.md)
+* [plugin enable](plugin_enable.md)
+* [plugin inspect](plugin_inspect.md)
+* [plugin ls](plugin_ls.md)
+* [plugin push](plugin_push.md)
+* [plugin rm](plugin_rm.md)
+* [plugin set](plugin_set.md)
+* [plugin upgrade](plugin_upgrade.md)
diff --git a/cli/docs/reference/commandline/plugin_ls.md b/cli/docs/reference/commandline/plugin_ls.md
new file mode 100644
index 00000000..1f893737
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin_ls.md
@@ -0,0 +1,118 @@
+---
+title: "plugin ls"
+description: "The plugin ls command description and usage"
+keywords: "plugin, list"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# plugin ls
+
+```markdown
+Usage:  docker plugin ls [OPTIONS]
+
+List plugins
+
+Aliases:
+  ls, list
+
+Options:
+  -f, --filter filter   Provide filter values (e.g. 'enabled=true')
+      --format string   Pretty-print plugins using a Go template
+      --help            Print usage
+      --no-trunc        Don't truncate output
+  -q, --quiet           Only display plugin IDs
+```
+
+## Description
+
+Lists all the plugins that are currently installed. You can install plugins
+using the [`docker plugin install`](plugin_install.md) command.
+You can also filter using the `-f` or `--filter` flag.
+Refer to the [filtering](#filtering) section for more information about available filter options.
+
+## Examples
+
+```bash
+$ docker plugin ls
+
+ID                  NAME                             TAG                 DESCRIPTION                ENABLED
+69553ca1d123        tiborvass/sample-volume-plugin   latest              A test plugin for Docker   true
+```
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* enabled (boolean - true or false, 0 or 1)
+* capability (string - currently `volumedriver`, `networkdriver`, `ipamdriver`, `logdriver`, `metricscollector`, or `authz`)
+
+#### enabled
+
+The `enabled` filter matches on plugins enabled or disabled.
+
+#### capability
+
+The `capability` filter matches on plugin capabilities. One plugin
+might have multiple capabilities. Currently `volumedriver`, `networkdriver`,
+`ipamdriver`, `logdriver`, `metricscollector`, and `authz` are supported capabilities.
+
+```bash
+$ docker plugin install --disable vieux/sshfs
+
+Installed plugin vieux/sshfs
+
+$ docker plugin ls --filter enabled=true
+
+NAME                  TAG                 DESCRIPTION                ENABLED
+```
+
+### Formatting
+
+The formatting options (`--format`) pretty-prints plugins output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+Placeholder    | Description
+---------------|------------------------------------------------------------------------------------------
+`.ID`              | Plugin ID
+`.Name`            | Plugin name
+`.Description`     | Plugin description
+`.Enabled`         | Whether plugin is enabled or not
+`.PluginReference` | The reference used to push/pull from a registry
+
+When using the `--format` option, the `plugin ls` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`ID` and `Name` entries separated by a colon for all plugins:
+
+```bash
+$ docker plugin ls --format "{{.ID}}: {{.Name}}"
+
+4be01827a72e: vieux/sshfs:latest
+```
+
+## Related commands
+
+* [plugin create](plugin_create.md)
+* [plugin disable](plugin_disable.md)
+* [plugin enable](plugin_enable.md)
+* [plugin inspect](plugin_inspect.md)
+* [plugin install](plugin_install.md)
+* [plugin push](plugin_push.md)
+* [plugin rm](plugin_rm.md)
+* [plugin set](plugin_set.md)
+* [plugin upgrade](plugin_upgrade.md)
diff --git a/cli/docs/reference/commandline/plugin_push.md b/cli/docs/reference/commandline/plugin_push.md
new file mode 100644
index 00000000..50fa14c4
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin_push.md
@@ -0,0 +1,57 @@
+---
+title: "plugin push"
+description: "the plugin push command description and usage"
+keywords: "plugin, push"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+```markdown
+Usage:	docker plugin push [OPTIONS] PLUGIN[:TAG]
+
+Push a plugin to a registry
+
+Options:
+      --disable-content-trust   Skip image signing (default true)
+      --help                    Print usage
+```
+
+## Description
+
+After you have created a plugin using `docker plugin create` and the plugin is
+ready for distribution, use `docker plugin push` to share your images to Docker
+Hub or a self-hosted registry.
+
+Registry credentials are managed by [docker login](login.md).
+
+## Examples
+
+The following example shows how to push a sample `user/plugin`.
+
+```bash
+$ docker plugin ls
+
+ID                  NAME                  TAG                 DESCRIPTION                ENABLED
+69553ca1d456        user/plugin           latest              A sample plugin for Docker false
+
+$ docker plugin push user/plugin
+```
+
+## Related commands
+
+* [plugin create](plugin_create.md)
+* [plugin disable](plugin_disable.md)
+* [plugin enable](plugin_enable.md)
+* [plugin inspect](plugin_inspect.md)
+* [plugin install](plugin_install.md)
+* [plugin ls](plugin_ls.md)
+* [plugin rm](plugin_rm.md)
+* [plugin set](plugin_set.md)
+* [plugin upgrade](plugin_upgrade.md)
diff --git a/cli/docs/reference/commandline/plugin_rm.md b/cli/docs/reference/commandline/plugin_rm.md
new file mode 100644
index 00000000..1970a431
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin_rm.md
@@ -0,0 +1,63 @@
+---
+title: "plugin rm"
+description: "the plugin rm command description and usage"
+keywords: "plugin, rm"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# plugin rm
+
+```markdown
+Usage:  docker plugin rm [OPTIONS] PLUGIN [PLUGIN...]
+
+Remove one or more plugins
+
+Aliases:
+  rm, remove
+
+Options:
+      -f, --force  Force the removal of an active plugin
+          --help   Print usage
+```
+
+## Description
+
+Removes a plugin. You cannot remove a plugin if it is enabled, you must disable
+a plugin using the [`docker plugin disable`](plugin_disable.md) before removing
+it (or use --force, use of force is not recommended, since it can affect
+functioning of running containers using the plugin).
+
+## Examples
+
+The following example disables and removes the `sample-volume-plugin:latest`
+plugin:
+
+```bash
+$ docker plugin disable tiborvass/sample-volume-plugin
+
+tiborvass/sample-volume-plugin
+
+$ docker plugin rm tiborvass/sample-volume-plugin:latest
+
+tiborvass/sample-volume-plugin
+```
+
+## Related commands
+
+* [plugin create](plugin_create.md)
+* [plugin disable](plugin_disable.md)
+* [plugin enable](plugin_enable.md)
+* [plugin inspect](plugin_inspect.md)
+* [plugin install](plugin_install.md)
+* [plugin ls](plugin_ls.md)
+* [plugin push](plugin_push.md)
+* [plugin set](plugin_set.md)
+* [plugin upgrade](plugin_upgrade.md)
diff --git a/cli/docs/reference/commandline/plugin_set.md b/cli/docs/reference/commandline/plugin_set.md
new file mode 100644
index 00000000..5ee991e7
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin_set.md
@@ -0,0 +1,172 @@
+---
+title: "plugin set"
+description: "the plugin set command description and usage"
+keywords: "plugin, set"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# plugin set
+
+```markdown
+Usage:  docker plugin set PLUGIN KEY=VALUE [KEY=VALUE...]
+
+Change settings for a plugin
+
+Options:
+      --help                    Print usage
+```
+
+## Description
+
+Change settings for a plugin. The plugin must be disabled.
+
+The settings currently supported are:
+ * env variables
+ * source of mounts
+ * path of devices
+ * args
+
+## What is settable ?
+
+Look at the plugin manifest, it's easy to see what fields are settable,
+by looking at the `Settable` field.
+
+Here is an extract of a plugin manifest:
+
+```
+{
+        "config": {
+            ...
+            "args": {
+                "name": "myargs",
+                "settable": ["value"],
+                "value": ["foo", "bar"]
+            },
+            "env": [
+                {
+                    "name": "DEBUG",
+                    "settable": ["value"],
+                    "value": "0"
+                },
+                {
+                    "name": "LOGGING",
+                    "value": "1"
+                }
+            ],
+	    "devices": [
+                {
+                    "name": "mydevice",
+                    "path": "/dev/foo",
+                    "settable": ["path"]
+                }
+            ],
+	    "mounts": [
+                {
+                    "destination": "/baz",
+                    "name": "mymount",
+                    "options": ["rbind"],
+                    "settable": ["source"],
+                    "source": "/foo",
+                    "type": "bind"
+                }
+            ],
+	    ...
+	 }
+}
+```
+
+In this example, we can see that the `value` of the `DEBUG` environment variable is settable,
+the `source` of the `mymount` mount is also settable. Same for the `path` of `mydevice` and `value` of `myargs`.
+
+On the contrary, the `LOGGING` environment variable doesn't have any settable field, which implies that user cannot tweak it.
+
+## Examples
+
+### Change an environment variable
+
+The following example change the env variable `DEBUG` on the
+`sample-volume-plugin` plugin.
+
+```bash
+$ docker plugin inspect -f {{.Settings.Env}} tiborvass/sample-volume-plugin
+[DEBUG=0]
+
+$ docker plugin set tiborvass/sample-volume-plugin DEBUG=1
+
+$ docker plugin inspect -f {{.Settings.Env}} tiborvass/sample-volume-plugin
+[DEBUG=1]
+```
+
+### Change the source of a mount
+
+The following example change the source of the `mymount` mount on
+the `myplugin` plugin.
+
+```bash
+$ docker plugin inspect -f '{{with $mount := index .Settings.Mounts 0}}{{$mount.Source}}{{end}}' myplugin
+/foo
+
+$ docker plugins set myplugin mymount.source=/bar
+
+$ docker plugin inspect -f '{{with $mount := index .Settings.Mounts 0}}{{$mount.Source}}{{end}}' myplugin
+/bar
+```
+
+> **Note**: Since only `source` is settable in `mymount`,
+> `docker plugins set mymount=/bar myplugin` would work too.
+
+### Change a device path
+
+The following example change the path of the `mydevice` device on
+the `myplugin` plugin.
+
+```bash
+$ docker plugin inspect -f '{{with $device := index .Settings.Devices 0}}{{$device.Path}}{{end}}' myplugin
+
+/dev/foo
+
+$ docker plugins set myplugin mydevice.path=/dev/bar
+
+$ docker plugin inspect -f '{{with $device := index .Settings.Devices 0}}{{$device.Path}}{{end}}' myplugin
+
+/dev/bar
+```
+
+> **Note**: Since only `path` is settable in `mydevice`,
+> `docker plugins set mydevice=/dev/bar myplugin` would work too.
+
+### Change the source of the arguments
+
+The following example change the value of the args on the `myplugin` plugin.
+
+```bash
+$ docker plugin inspect -f '{{.Settings.Args}}' myplugin
+
+["foo", "bar"]
+
+$ docker plugins set myplugin myargs="foo bar baz"
+
+$ docker plugin inspect -f '{{.Settings.Args}}' myplugin
+
+["foo", "bar", "baz"]
+```
+
+## Related commands
+
+* [plugin create](plugin_create.md)
+* [plugin disable](plugin_disable.md)
+* [plugin enable](plugin_enable.md)
+* [plugin inspect](plugin_inspect.md)
+* [plugin install](plugin_install.md)
+* [plugin ls](plugin_ls.md)
+* [plugin push](plugin_push.md)
+* [plugin rm](plugin_rm.md)
+* [plugin upgrade](plugin_upgrade.md)
diff --git a/cli/docs/reference/commandline/plugin_upgrade.md b/cli/docs/reference/commandline/plugin_upgrade.md
new file mode 100644
index 00000000..bb2d2ec7
--- /dev/null
+++ b/cli/docs/reference/commandline/plugin_upgrade.md
@@ -0,0 +1,100 @@
+---
+title: "plugin upgrade"
+description: "the plugin upgrade command description and usage"
+keywords: "plugin, upgrade"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# plugin upgrade
+
+```markdown
+Usage:  docker plugin upgrade [OPTIONS] PLUGIN [REMOTE]
+
+Upgrade a plugin
+
+Options:
+      --disable-content-trust   Skip image verification (default true)
+      --grant-all-permissions   Grant all permissions necessary to run the plugin
+      --help                    Print usage
+      --skip-remote-check       Do not check if specified remote plugin matches existing plugin image
+```
+
+## Description
+
+Upgrades an existing plugin to the specified remote plugin image. If no remote
+is specified, Docker will re-pull the current image and use the updated version.
+All existing references to the plugin will continue to work.
+The plugin must be disabled before running the upgrade.
+
+## Examples
+
+The following example installs `vieus/sshfs` plugin, uses it to create and use
+a volume, then upgrades the plugin.
+
+```bash
+$ docker plugin install vieux/sshfs DEBUG=1
+
+Plugin "vieux/sshfs:next" is requesting the following privileges:
+ - network: [host]
+ - device: [/dev/fuse]
+ - capabilities: [CAP_SYS_ADMIN]
+Do you grant the above permissions? [y/N] y
+vieux/sshfs:next
+
+$ docker volume create -d vieux/sshfs:next -o sshcmd=root@1.2.3.4:/tmp/shared -o password=XXX sshvolume
+
+sshvolume
+
+$ docker run -it -v sshvolume:/data alpine sh -c "touch /data/hello"
+
+$ docker plugin disable -f vieux/sshfs:next
+
+viex/sshfs:next
+
+# Here docker volume ls doesn't show 'sshfsvolume', since the plugin is disabled
+$ docker volume ls
+
+DRIVER              VOLUME NAME
+
+$ docker plugin upgrade vieux/sshfs:next vieux/sshfs:next
+
+Plugin "vieux/sshfs:next" is requesting the following privileges:
+ - network: [host]
+ - device: [/dev/fuse]
+ - capabilities: [CAP_SYS_ADMIN]
+Do you grant the above permissions? [y/N] y
+Upgrade plugin vieux/sshfs:next to vieux/sshfs:next
+
+$ docker plugin enable vieux/sshfs:next
+
+viex/sshfs:next
+
+$ docker volume ls
+
+DRIVER              VOLUME NAME
+viuex/sshfs:next    sshvolume
+
+$ docker run -it -v sshvolume:/data alpine sh -c "ls /data"
+
+hello
+```
+
+## Related commands
+
+* [plugin create](plugin_create.md)
+* [plugin disable](plugin_disable.md)
+* [plugin enable](plugin_enable.md)
+* [plugin inspect](plugin_inspect.md)
+* [plugin install](plugin_install.md)
+* [plugin ls](plugin_ls.md)
+* [plugin push](plugin_push.md)
+* [plugin rm](plugin_rm.md)
+* [plugin set](plugin_set.md)
diff --git a/cli/docs/reference/commandline/port.md b/cli/docs/reference/commandline/port.md
new file mode 100644
index 00000000..48d0208e
--- /dev/null
+++ b/cli/docs/reference/commandline/port.md
@@ -0,0 +1,47 @@
+---
+title: "port"
+description: "The port command description and usage"
+keywords: "port, mapping, container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# port
+
+```markdown
+Usage:  docker port CONTAINER [PRIVATE_PORT[/PROTO]]
+
+List port mappings or a specific mapping for the container
+
+Options:
+      --help   Print usage
+```
+
+## Examples
+
+### Show all mapped ports
+
+You can find out all the ports mapped by not specifying a `PRIVATE_PORT`, or
+just a specific mapping:
+
+```bash
+$ docker ps
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                                            NAMES
+b650456536c7        busybox:latest      top                 54 minutes ago      Up 54 minutes       0.0.0.0:1234->9876/tcp, 0.0.0.0:4321->7890/tcp   test
+$ docker port test
+7890/tcp -> 0.0.0.0:4321
+9876/tcp -> 0.0.0.0:1234
+$ docker port test 7890/tcp
+0.0.0.0:4321
+$ docker port test 7890/udp
+2014/06/24 11:53:36 Error: No public port '7890/udp' published for test
+$ docker port test 7890
+0.0.0.0:4321
+```
diff --git a/cli/docs/reference/commandline/ps.md b/cli/docs/reference/commandline/ps.md
new file mode 100644
index 00000000..e073c059
--- /dev/null
+++ b/cli/docs/reference/commandline/ps.md
@@ -0,0 +1,434 @@
+---
+title: "ps"
+description: "The ps command description and usage"
+keywords: "container, running, list"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# ps
+
+```markdown
+Usage: docker ps [OPTIONS]
+
+List containers
+
+Options:
+  -a, --all             Show all containers (default shows just running)
+  -f, --filter value    Filter output based on conditions provided (default [])
+                        - ancestor=(<image-name>[:tag]|<image-id>|<image@digest>)
+                          containers created from an image or a descendant.
+                        - before=(<container-name>|<container-id>)
+                        - expose=(<port>[/<proto>]|<startport-endport>/[<proto>])
+                        - exited=<int> an exit code of <int>
+                        - health=(starting|healthy|unhealthy|none)
+                        - id=<ID> a container's ID
+                        - isolation=(`default`|`process`|`hyperv`) (Windows daemon only)
+                        - is-task=(true|false)
+                        - label=<key> or label=<key>=<value>
+                        - name=<string> a container's name
+                        - network=(<network-id>|<network-name>)
+                        - publish=(<port>[/<proto>]|<startport-endport>/[<proto>])
+                        - since=(<container-name>|<container-id>)
+                        - status=(created|restarting|removing|running|paused|exited)
+                        - volume=(<volume name>|<mount point destination>)
+      --format string   Pretty-print containers using a Go template
+      --help            Print usage
+  -n, --last int        Show n last created containers (includes all states) (default -1)
+  -l, --latest          Show the latest created container (includes all states)
+      --no-trunc        Don't truncate output
+  -q, --quiet           Only display numeric IDs
+  -s, --size            Display total file sizes
+```
+
+## Examples
+
+### Prevent truncating output
+
+Running `docker ps --no-trunc` showing 2 linked containers.
+
+```bash
+$ docker ps
+
+CONTAINER ID        IMAGE                        COMMAND                CREATED              STATUS              PORTS               NAMES
+4c01db0b339c        ubuntu:12.04                 bash                   17 seconds ago       Up 16 seconds       3300-3310/tcp       webapp
+d7886598dbe2        crosbymichael/redis:latest   /redis-server --dir    33 minutes ago       Up 33 minutes       6379/tcp            redis,webapp/db
+```
+
+### Show both running and stopped containers
+
+The `docker ps` command only shows running containers by default. To see all
+containers, use the `-a` (or `--all`) flag:
+
+```bash
+$ docker ps -a
+```
+
+`docker ps` groups exposed ports into a single range if possible. E.g., a
+container that exposes TCP ports `100, 101, 102` displays `100-102/tcp` in
+the `PORTS` column.
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there is more
+than one filter, then pass multiple flags (e.g. `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+| Filter                | Description                                                                                                                          |
+|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------------|
+| `id`                  | Container's ID                                                                                                                       |
+| `name`                | Container's name                                                                                                                     |
+| `label`               | An arbitrary string representing either a key or a key-value pair. Expressed as `<key>` or `<key>=<value>`                           |
+| `exited`              | An integer representing the container's exit code. Only useful with `--all`.                                                         |
+| `status`              | One of `created`, `restarting`, `running`, `removing`, `paused`, `exited`, or `dead`                                                 |
+| `ancestor`            | Filters containers which share a given image as an ancestor. Expressed as `<image-name>[:<tag>]`,  `<image id>`, or `<image@digest>` |
+| `before` or `since`   | Filters containers created before or after a given container ID or name                                                              |
+| `volume`              | Filters running containers which have mounted a given volume or bind mount.                                                          |
+| `network`             | Filters running containers connected to a given network.                                                                             |
+| `publish` or `expose` | Filters containers which publish or expose a given port. Expressed as `<port>[/<proto>]` or `<startport-endport>/[<proto>]`          |
+| `health`              | Filters containers based on their healthcheck status. One of `starting`, `healthy`, `unhealthy` or `none`.                           |
+| `isolation`           | Windows daemon only. One of `default`, `process`, or `hyperv`.                                                                       |
+| `is-task`             | Filters containers that are a "task" for a service. Boolean option (`true` or `false`)                                               |
+
+
+#### label
+
+The `label` filter matches containers based on the presence of a `label` alone or a `label` and a
+value.
+
+The following filter matches containers with the `color` label regardless of its value.
+
+```bash
+$ docker ps --filter "label=color"
+
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+673394ef1d4c        busybox             "top"               47 seconds ago      Up 45 seconds                           nostalgic_shockley
+d85756f57265        busybox             "top"               52 seconds ago      Up 51 seconds                           high_albattani
+```
+
+The following filter matches containers with the `color` label with the `blue` value.
+
+```bash
+$ docker ps --filter "label=color=blue"
+
+CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
+d85756f57265        busybox             "top"               About a minute ago   Up About a minute                       high_albattani
+```
+
+#### name
+
+The `name` filter matches on all or part of a container's name.
+
+The following filter matches all containers with a name containing the `nostalgic_stallman` string.
+
+```bash
+$ docker ps --filter "name=nostalgic_stallman"
+
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+9b6247364a03        busybox             "top"               2 minutes ago       Up 2 minutes                            nostalgic_stallman
+```
+
+You can also filter for a substring in a name as this shows:
+
+```bash
+$ docker ps --filter "name=nostalgic"
+
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+715ebfcee040        busybox             "top"               3 seconds ago       Up 1 second                             i_am_nostalgic
+9b6247364a03        busybox             "top"               7 minutes ago       Up 7 minutes                            nostalgic_stallman
+673394ef1d4c        busybox             "top"               38 minutes ago      Up 38 minutes                           nostalgic_shockley
+```
+
+#### exited
+
+The `exited` filter matches containers by exist status code. For example, to
+filter for containers that have exited successfully:
+
+```bash
+$ docker ps -a --filter 'exited=0'
+
+CONTAINER ID        IMAGE             COMMAND                CREATED             STATUS                   PORTS                      NAMES
+ea09c3c82f6e        registry:latest   /srv/run.sh            2 weeks ago         Exited (0) 2 weeks ago   127.0.0.1:5000->5000/tcp   desperate_leakey
+106ea823fe4e        fedora:latest     /bin/sh -c 'bash -l'   2 weeks ago         Exited (0) 2 weeks ago                              determined_albattani
+48ee228c9464        fedora:20         bash                   2 weeks ago         Exited (0) 2 weeks ago                              tender_torvalds
+```
+
+#### Filter by exit signal
+
+You can use a filter to locate containers that exited with status of `137`
+meaning a `SIGKILL(9)` killed them.
+
+```none
+$ docker ps -a --filter 'exited=137'
+
+CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS                       PORTS               NAMES
+b3e1c0ed5bfe        ubuntu:latest       "sleep 1000"           12 seconds ago      Exited (137) 5 seconds ago                       grave_kowalevski
+a2eb5558d669        redis:latest        "/entrypoint.sh redi   2 hours ago         Exited (137) 2 hours ago                         sharp_lalande
+```
+
+Any of these events result in a `137` status:
+
+* the `init` process of the container is killed manually
+* `docker kill` kills the container
+* Docker daemon restarts which kills all running containers
+
+#### status
+
+The `status` filter matches containers by status. You can filter using
+`created`, `restarting`, `running`, `removing`, `paused`, `exited` and `dead`. For example,
+to filter for `running` containers:
+
+```bash
+$ docker ps --filter status=running
+
+CONTAINER ID        IMAGE                  COMMAND             CREATED             STATUS              PORTS               NAMES
+715ebfcee040        busybox                "top"               16 minutes ago      Up 16 minutes                           i_am_nostalgic
+d5c976d3c462        busybox                "top"               23 minutes ago      Up 23 minutes                           top
+9b6247364a03        busybox                "top"               24 minutes ago      Up 24 minutes                           nostalgic_stallman
+```
+
+To filter for `paused` containers:
+
+```bash
+$ docker ps --filter status=paused
+
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                      PORTS               NAMES
+673394ef1d4c        busybox             "top"               About an hour ago   Up About an hour (Paused)                       nostalgic_shockley
+```
+
+#### ancestor
+
+The `ancestor` filter matches containers based on its image or a descendant of
+it. The filter supports the following image representation:
+
+- `image`
+- `image:tag`
+- `image:tag@digest`
+- `short-id`
+- `full-id`
+
+If you don't specify a `tag`, the `latest` tag is used. For example, to filter
+for containers that use the latest `ubuntu` image:
+
+```bash
+$ docker ps --filter ancestor=ubuntu
+
+CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
+919e1179bdb8        ubuntu-c1           "top"               About a minute ago   Up About a minute                       admiring_lovelace
+5d1e4a540723        ubuntu-c2           "top"               About a minute ago   Up About a minute                       admiring_sammet
+82a598284012        ubuntu              "top"               3 minutes ago        Up 3 minutes                            sleepy_bose
+bab2a34ba363        ubuntu              "top"               3 minutes ago        Up 3 minutes                            focused_yonath
+```
+
+Match containers based on the `ubuntu-c1` image which, in this case, is a child
+of `ubuntu`:
+
+```bash
+$ docker ps --filter ancestor=ubuntu-c1
+
+CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
+919e1179bdb8        ubuntu-c1           "top"               About a minute ago   Up About a minute                       admiring_lovelace
+```
+
+Match containers based on the `ubuntu` version `12.04.5` image:
+
+```bash
+$ docker ps --filter ancestor=ubuntu:12.04.5
+
+CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
+82a598284012        ubuntu:12.04.5      "top"               3 minutes ago        Up 3 minutes                            sleepy_bose
+```
+
+The following matches containers based on the layer `d0e008c6cf02` or an image
+that have this layer in its layer stack.
+
+```bash
+$ docker ps --filter ancestor=d0e008c6cf02
+
+CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
+82a598284012        ubuntu:12.04.5      "top"               3 minutes ago        Up 3 minutes                            sleepy_bose
+```
+
+#### Create time
+
+##### before
+
+The `before` filter shows only containers created before the container with
+given id or name. For example, having these containers created:
+
+```bash
+$ docker ps
+
+CONTAINER ID        IMAGE       COMMAND       CREATED              STATUS              PORTS              NAMES
+9c3527ed70ce        busybox     "top"         14 seconds ago       Up 15 seconds                          desperate_dubinsky
+4aace5031105        busybox     "top"         48 seconds ago       Up 49 seconds                          focused_hamilton
+6e63f6ff38b0        busybox     "top"         About a minute ago   Up About a minute                      distracted_fermat
+```
+
+Filtering with `before` would give:
+
+```bash
+$ docker ps -f before=9c3527ed70ce
+
+CONTAINER ID        IMAGE       COMMAND       CREATED              STATUS              PORTS              NAMES
+4aace5031105        busybox     "top"         About a minute ago   Up About a minute                      focused_hamilton
+6e63f6ff38b0        busybox     "top"         About a minute ago   Up About a minute                      distracted_fermat
+```
+
+##### since
+
+The `since` filter shows only containers created since the container with given
+id or name. For example, with the same containers as in `before` filter:
+
+```bash
+$ docker ps -f since=6e63f6ff38b0
+
+CONTAINER ID        IMAGE       COMMAND       CREATED             STATUS              PORTS               NAMES
+9c3527ed70ce        busybox     "top"         10 minutes ago      Up 10 minutes                           desperate_dubinsky
+4aace5031105        busybox     "top"         10 minutes ago      Up 10 minutes                           focused_hamilton
+```
+
+#### volume
+
+The `volume` filter shows only containers that mount a specific volume or have
+a volume mounted in a specific path:
+
+```bash
+$ docker ps --filter volume=remote-volume --format "table {{.ID}}\t{{.Mounts}}"
+CONTAINER ID        MOUNTS
+9c3527ed70ce        remote-volume
+
+$ docker ps --filter volume=/data --format "table {{.ID}}\t{{.Mounts}}"
+CONTAINER ID        MOUNTS
+9c3527ed70ce        remote-volume
+```
+
+#### network
+
+The `network` filter shows only containers that are connected to a network with
+a given name or id.
+
+The following filter matches all containers that are connected to a network
+with a name containing `net1`.
+
+```bash
+$ docker run -d --net=net1 --name=test1 ubuntu top
+$ docker run -d --net=net2 --name=test2 ubuntu top
+
+$ docker ps --filter network=net1
+
+CONTAINER ID        IMAGE       COMMAND       CREATED             STATUS              PORTS               NAMES
+9d4893ed80fe        ubuntu      "top"         10 minutes ago      Up 10 minutes                           test1
+```
+
+The network filter matches on both the network's name and id. The following
+example shows all containers that are attached to the `net1` network, using
+the network id as a filter;
+
+```bash
+$ docker network inspect --format "{{.ID}}" net1
+
+8c0b4110ae930dbe26b258de9bc34a03f98056ed6f27f991d32919bfe401d7c5
+
+$ docker ps --filter network=8c0b4110ae930dbe26b258de9bc34a03f98056ed6f27f991d32919bfe401d7c5
+
+CONTAINER ID        IMAGE       COMMAND       CREATED             STATUS              PORTS               NAMES
+9d4893ed80fe        ubuntu      "top"         10 minutes ago      Up 10 minutes                           test1
+```
+
+#### publish and expose
+
+The `publish` and `expose` filters show only containers that have published or exposed port with a given port
+number, port range, and/or protocol. The default protocol is `tcp` when not specified.
+
+The following filter matches all containers that have published port of 80:
+
+```bash
+$ docker run -d --publish=80 busybox top
+$ docker run -d --expose=8080 busybox top
+
+$ docker ps -a
+
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                   NAMES
+9833437217a5        busybox             "top"               5 seconds ago       Up 4 seconds        8080/tcp                dreamy_mccarthy
+fc7e477723b7        busybox             "top"               50 seconds ago      Up 50 seconds       0.0.0.0:32768->80/tcp   admiring_roentgen
+
+$ docker ps --filter publish=80
+
+CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS                   NAMES
+fc7e477723b7        busybox             "top"               About a minute ago   Up About a minute   0.0.0.0:32768->80/tcp   admiring_roentgen
+```
+
+The following filter matches all containers that have exposed TCP port in the range of `8000-8080`:
+```bash
+$ docker ps --filter expose=8000-8080/tcp
+
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+9833437217a5        busybox             "top"               21 seconds ago      Up 19 seconds       8080/tcp            dreamy_mccarthy
+```
+
+The following filter matches all containers that have exposed UDP port `80`:
+```bash
+$ docker ps --filter publish=80/udp
+
+CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+```
+
+### Formatting
+
+The formatting option (`--format`) pretty-prints container output using a Go
+template.
+
+Valid placeholders for the Go template are listed below:
+
+| Placeholder   | Description                                                                                     |
+|:--------------|:------------------------------------------------------------------------------------------------|
+| `.ID`         | Container ID                                                                                    |
+| `.Image`      | Image ID                                                                                        |
+| `.Command`    | Quoted command                                                                                  |
+| `.CreatedAt`  | Time when the container was created.                                                            |
+| `.RunningFor` | Elapsed time since the container was started.                                                   |
+| `.Ports`      | Exposed ports.                                                                                  |
+| `.Status`     | Container status.                                                                               |
+| `.Size`       | Container disk size.                                                                            |
+| `.Names`      | Container names.                                                                                |
+| `.Labels`     | All labels assigned to the container.                                                           |
+| `.Label`      | Value of a specific label for this container. For example `'{{.Label "com.docker.swarm.cpu"}}'` |
+| `.Mounts`     | Names of the volumes mounted in this container.                                                 |
+| `.Networks`   | Names of the networks attached to this container.                                               |
+
+When using the `--format` option, the `ps` command will either output the data
+exactly as the template declares or, when using the `table` directive, includes
+column headers as well.
+
+The following example uses a template without headers and outputs the `ID` and
+`Command` entries separated by a colon for all running containers:
+
+```bash
+$ docker ps --format "{{.ID}}: {{.Command}}"
+
+a87ecb4f327c: /bin/sh -c #(nop) MA
+01946d9d34d8: /bin/sh -c #(nop) MA
+c1d3b0166030: /bin/sh -c yum -y up
+41d50ecd2f57: /bin/sh -c #(nop) MA
+```
+
+To list all running containers with their labels in a table format you can use:
+
+```bash
+$ docker ps --format "table {{.ID}}\t{{.Labels}}"
+
+CONTAINER ID        LABELS
+a87ecb4f327c        com.docker.swarm.node=ubuntu,com.docker.swarm.storage=ssd
+01946d9d34d8
+c1d3b0166030        com.docker.swarm.node=debian,com.docker.swarm.cpu=6
+41d50ecd2f57        com.docker.swarm.node=fedora,com.docker.swarm.cpu=3,com.docker.swarm.storage=ssd
+```
\ No newline at end of file
diff --git a/cli/docs/reference/commandline/pull.md b/cli/docs/reference/commandline/pull.md
new file mode 100644
index 00000000..6487b2e0
--- /dev/null
+++ b/cli/docs/reference/commandline/pull.md
@@ -0,0 +1,254 @@
+---
+title: "pull"
+description: "The pull command description and usage"
+keywords: "pull, image, hub, docker"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# pull
+
+```markdown
+Usage:  docker pull [OPTIONS] NAME[:TAG|@DIGEST]
+
+Pull an image or a repository from a registry
+
+Options:
+  -a, --all-tags                Download all tagged images in the repository
+      --disable-content-trust   Skip image verification (default true)
+      --help                    Print usage
+```
+
+## Description
+
+Most of your images will be created on top of a base image from the
+[Docker Hub](https://hub.docker.com) registry.
+
+[Docker Hub](https://hub.docker.com) contains many pre-built images that you
+can `pull` and try without needing to define and configure your own.
+
+To download a particular image, or set of images (i.e., a repository),
+use `docker pull`.
+
+### Proxy configuration
+
+If you are behind an HTTP proxy server, for example in corporate settings,
+before open a connect to registry, you may need to configure the Docker
+daemon's proxy settings, using the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`
+environment variables. To set these environment variables on a host using
+`systemd`, refer to the [control and configure Docker with systemd](https://docs.docker.com/engine/admin/systemd/#http-proxy)
+for variables configuration.
+
+### Concurrent downloads
+
+By default the Docker daemon will pull three layers of an image at a time.
+If you are on a low bandwidth connection this may cause timeout issues and you may want to lower
+this via the `--max-concurrent-downloads` daemon option. See the
+[daemon documentation](dockerd.md) for more details.
+
+## Examples
+
+### Pull an image from Docker Hub
+
+To download a particular image, or set of images (i.e., a repository), use
+`docker pull`. If no tag is provided, Docker Engine uses the `:latest` tag as a
+default. This command pulls the `debian:latest` image:
+
+```bash
+$ docker pull debian
+
+Using default tag: latest
+latest: Pulling from library/debian
+fdd5d7827f33: Pull complete
+a3ed95caeb02: Pull complete
+Digest: sha256:e7d38b3517548a1c71e41bffe9c8ae6d6d29546ce46bf62159837aad072c90aa
+Status: Downloaded newer image for debian:latest
+```
+
+Docker images can consist of multiple layers. In the example above, the image
+consists of two layers; `fdd5d7827f33` and `a3ed95caeb02`.
+
+Layers can be reused by images. For example, the `debian:jessie` image shares
+both layers with `debian:latest`. Pulling the `debian:jessie` image therefore
+only pulls its metadata, but not its layers, because all layers are already
+present locally:
+
+```bash
+$ docker pull debian:jessie
+
+jessie: Pulling from library/debian
+fdd5d7827f33: Already exists
+a3ed95caeb02: Already exists
+Digest: sha256:a9c958be96d7d40df920e7041608f2f017af81800ca5ad23e327bc402626b58e
+Status: Downloaded newer image for debian:jessie
+```
+
+To see which images are present locally, use the [`docker images`](images.md)
+command:
+
+```bash
+$ docker images
+
+REPOSITORY   TAG      IMAGE ID        CREATED      SIZE
+debian       jessie   f50f9524513f    5 days ago   125.1 MB
+debian       latest   f50f9524513f    5 days ago   125.1 MB
+```
+
+Docker uses a content-addressable image store, and the image ID is a SHA256
+digest covering the image's configuration and layers. In the example above,
+`debian:jessie` and `debian:latest` have the same image ID because they are
+actually the *same* image tagged with different names. Because they are the
+same image, their layers are stored only once and do not consume extra disk
+space.
+
+For more information about images, layers, and the content-addressable store,
+refer to [understand images, containers, and storage drivers](https://docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/).
+
+
+### Pull an image by digest (immutable identifier)
+
+So far, you've pulled images by their name (and "tag"). Using names and tags is
+a convenient way to work with images. When using tags, you can `docker pull` an
+image again to make sure you have the most up-to-date version of that image.
+For example, `docker pull ubuntu:14.04` pulls the latest version of the Ubuntu
+14.04 image.
+
+In some cases you don't want images to be updated to newer versions, but prefer
+to use a fixed version of an image. Docker enables you to pull an image by its
+*digest*. When pulling an image by digest, you specify *exactly* which version
+of an image to pull. Doing so, allows you to "pin" an image to that version,
+and guarantee that the image you're using is always the same.
+
+To know the digest of an image, pull the image first. Let's pull the latest
+`ubuntu:14.04` image from Docker Hub:
+
+```bash
+$ docker pull ubuntu:14.04
+
+14.04: Pulling from library/ubuntu
+5a132a7e7af1: Pull complete
+fd2731e4c50c: Pull complete
+28a2f68d1120: Pull complete
+a3ed95caeb02: Pull complete
+Digest: sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+Status: Downloaded newer image for ubuntu:14.04
+```
+
+Docker prints the digest of the image after the pull has finished. In the example
+above, the digest of the image is:
+
+    sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+
+Docker also prints the digest of an image when *pushing* to a registry. This
+may be useful if you want to pin to a version of the image you just pushed.
+
+A digest takes the place of the tag when pulling an image, for example, to
+pull the above image by digest, run the following command:
+
+```bash
+$ docker pull ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+
+sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2: Pulling from library/ubuntu
+5a132a7e7af1: Already exists
+fd2731e4c50c: Already exists
+28a2f68d1120: Already exists
+a3ed95caeb02: Already exists
+Digest: sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+Status: Downloaded newer image for ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+```
+
+Digest can also be used in the `FROM` of a Dockerfile, for example:
+
+```Dockerfile
+FROM ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+MAINTAINER some maintainer <maintainer@example.com>
+```
+
+> **Note**: Using this feature "pins" an image to a specific version in time.
+> Docker will therefore not pull updated versions of an image, which may include
+> security updates. If you want to pull an updated image, you need to change the
+> digest accordingly.
+
+
+### Pull from a different registry
+
+By default, `docker pull` pulls images from [Docker Hub](https://hub.docker.com). It is also possible to
+manually specify the path of a registry to pull from. For example, if you have
+set up a local registry, you can specify its path to pull from it. A registry
+path is similar to a URL, but does not contain a protocol specifier (`https://`).
+
+The following command pulls the `testing/test-image` image from a local registry
+listening on port 5000 (`myregistry.local:5000`):
+
+```bash
+$ docker pull myregistry.local:5000/testing/test-image
+```
+
+Registry credentials are managed by [docker login](login.md).
+
+Docker uses the `https://` protocol to communicate with a registry, unless the
+registry is allowed to be accessed over an insecure connection. Refer to the
+[insecure registries](dockerd.md#insecure-registries) section for more information.
+
+
+### Pull a repository with multiple images
+
+By default, `docker pull` pulls a *single* image from the registry. A repository
+can contain multiple images. To pull all images from a repository, provide the
+`-a` (or `--all-tags`) option when using `docker pull`.
+
+This command pulls all images from the `fedora` repository:
+
+```bash
+$ docker pull --all-tags fedora
+
+Pulling repository fedora
+ad57ef8d78d7: Download complete
+105182bb5e8b: Download complete
+511136ea3c5a: Download complete
+73bd853d2ea5: Download complete
+....
+
+Status: Downloaded newer image for fedora
+```
+
+After the pull has completed use the `docker images` command to see the
+images that were pulled. The example below shows all the `fedora` images
+that are present locally:
+
+```bash
+$ docker images fedora
+
+REPOSITORY   TAG         IMAGE ID        CREATED      SIZE
+fedora       rawhide     ad57ef8d78d7    5 days ago   359.3 MB
+fedora       20          105182bb5e8b    5 days ago   372.7 MB
+fedora       heisenbug   105182bb5e8b    5 days ago   372.7 MB
+fedora       latest      105182bb5e8b    5 days ago   372.7 MB
+```
+
+### Cancel a pull
+
+Killing the `docker pull` process, for example by pressing `CTRL-c` while it is
+running in a terminal, will terminate the pull operation.
+
+```bash
+$ docker pull fedora
+
+Using default tag: latest
+latest: Pulling from library/fedora
+a3ed95caeb02: Pulling fs layer
+236608c7b546: Pulling fs layer
+^C
+```
+
+> **Note**: Technically, the Engine terminates a pull operation when the
+> connection between the Docker Engine daemon and the Docker Engine client
+> initiating the pull is lost. If the connection with the Engine daemon is
+> lost for other reasons than a manual interaction, the pull is also aborted.
diff --git a/cli/docs/reference/commandline/push.md b/cli/docs/reference/commandline/push.md
new file mode 100644
index 00000000..36ff3196
--- /dev/null
+++ b/cli/docs/reference/commandline/push.md
@@ -0,0 +1,82 @@
+---
+title: "push"
+description: "The push command description and usage"
+keywords: "share, push, image"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# push
+
+```markdown
+Usage:  docker push [OPTIONS] NAME[:TAG]
+
+Push an image or a repository to a registry
+
+Options:
+      --disable-content-trust   Skip image signing (default true)
+      --help                    Print usage
+```
+
+## Description
+
+Use `docker push` to share your images to the [Docker Hub](https://hub.docker.com)
+registry or to a self-hosted one.
+
+Refer to the [`docker tag`](tag.md) reference for more information about valid
+image and tag names.
+
+Killing the `docker push` process, for example by pressing `CTRL-c` while it is
+running in a terminal, terminates the push operation.
+
+Progress bars are shown during docker push, which show the uncompressed size. The 
+actual amount of data that's pushed will be compressed before sending, so the uploaded
+ size will not be reflected by the progress bar. 
+
+Registry credentials are managed by [docker login](login.md).
+
+### Concurrent uploads
+
+By default the Docker daemon will push five layers of an image at a time.
+If you are on a low bandwidth connection this may cause timeout issues and you may want to lower
+this via the `--max-concurrent-uploads` daemon option. See the
+[daemon documentation](dockerd.md) for more details.
+
+## Examples
+
+### Push a new image to a registry
+
+First save the new image by finding the container ID (using [`docker ps`](ps.md))
+and then committing it to a new image name.  Note that only `a-z0-9-_.` are
+allowed when naming images:
+
+```bash
+$ docker commit c16378f943fe rhel-httpd
+```
+
+Now, push the image to the registry using the image ID. In this example the
+registry is on host named `registry-host` and listening on port `5000`. To do
+this, tag the image with the host name or IP address, and the port of the
+registry:
+
+```bash
+$ docker tag rhel-httpd registry-host:5000/myadmin/rhel-httpd
+
+$ docker push registry-host:5000/myadmin/rhel-httpd
+```
+
+Check that this worked by running:
+
+```bash
+$ docker images
+```
+
+You should see both `rhel-httpd` and `registry-host:5000/myadmin/rhel-httpd`
+listed.
diff --git a/cli/docs/reference/commandline/rename.md b/cli/docs/reference/commandline/rename.md
new file mode 100644
index 00000000..61050991
--- /dev/null
+++ b/cli/docs/reference/commandline/rename.md
@@ -0,0 +1,35 @@
+---
+title: "rename"
+description: "The rename command description and usage"
+keywords: "rename, docker, container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# rename
+
+```markdown
+Usage:  docker rename CONTAINER NEW_NAME
+
+Rename a container
+
+Options:
+      --help   Print usage
+```
+
+## Description
+
+The `docker rename` command renames a container.
+
+## Examples
+
+```bash
+$ docker rename my_container my_new_container
+```
diff --git a/cli/docs/reference/commandline/restart.md b/cli/docs/reference/commandline/restart.md
new file mode 100644
index 00000000..fe5b56e3
--- /dev/null
+++ b/cli/docs/reference/commandline/restart.md
@@ -0,0 +1,32 @@
+---
+title: "restart"
+description: "The restart command description and usage"
+keywords: "restart, container, Docker"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# restart
+
+```markdown
+Usage:  docker restart [OPTIONS] CONTAINER [CONTAINER...]
+
+Restart one or more containers
+
+Options:
+      --help       Print usage
+  -t, --time int   Seconds to wait for stop before killing the container (default 10)
+```
+
+## Examples
+
+```bash
+$ docker restart my_container
+```
diff --git a/cli/docs/reference/commandline/rm.md b/cli/docs/reference/commandline/rm.md
new file mode 100644
index 00000000..402cb93a
--- /dev/null
+++ b/cli/docs/reference/commandline/rm.md
@@ -0,0 +1,100 @@
+---
+title: "rm"
+description: "The rm command description and usage"
+keywords: "remove, Docker, container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# rm
+
+```markdown
+Usage:  docker rm [OPTIONS] CONTAINER [CONTAINER...]
+
+Remove one or more containers
+
+Options:
+  -f, --force     Force the removal of a running container (uses SIGKILL)
+      --help      Print usage
+  -l, --link      Remove the specified link
+  -v, --volumes   Remove the volumes associated with the container
+```
+
+## Examples
+
+### Remove a container
+
+This will remove the container referenced under the link
+`/redis`.
+
+```bash
+$ docker rm /redis
+
+/redis
+```
+
+### Remove a link specified with `--link` on the default bridge network
+
+This will remove the underlying link between `/webapp` and the `/redis`
+containers on the default bridge network, removing all network communication
+between the two containers. This does not apply when `--link` is used with
+user-specified networks.
+
+```bash
+$ docker rm --link /webapp/redis
+
+/webapp/redis
+```
+
+### Force-remove a running container
+
+This command will force-remove a running container.
+
+```bash
+$ docker rm --force redis
+
+redis
+```
+
+The main process inside the container referenced under the link `redis` will receive
+`SIGKILL`, then the container will be removed.
+
+### Remove all stopped containers
+
+```bash
+$ docker rm $(docker ps -a -q)
+```
+
+This command will delete all stopped containers. The command
+`docker ps -a -q` will return all existing container IDs and pass them to
+the `rm` command which will delete them. Any running containers will not be
+deleted.
+
+### Remove a container and its volumes
+
+```bash
+$ docker rm -v redis
+redis
+```
+
+This command will remove the container and any volumes associated with it.
+Note that if a volume was specified with a name, it will not be removed.
+
+### Remove a container and selectively remove volumes
+
+```bash
+$ docker create -v awesome:/foo -v /bar --name hello redis
+hello
+$ docker rm -v hello
+```
+
+In this example, the volume for `/foo` will remain intact, but the volume for
+`/bar` will be removed. The same behavior holds for volumes inherited with
+`--volumes-from`.
diff --git a/cli/docs/reference/commandline/rmi.md b/cli/docs/reference/commandline/rmi.md
new file mode 100644
index 00000000..98ca29a2
--- /dev/null
+++ b/cli/docs/reference/commandline/rmi.md
@@ -0,0 +1,105 @@
+---
+title: "rmi"
+description: "The rmi command description and usage"
+keywords: "remove, image, Docker"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# rmi
+
+```markdown
+Usage:  docker rmi [OPTIONS] IMAGE [IMAGE...]
+
+Remove one or more images
+
+Options:
+  -f, --force      Force removal of the image
+      --help       Print usage
+      --no-prune   Do not delete untagged parents
+```
+
+## Examples
+
+You can remove an image using its short or long ID, its tag, or its digest. If
+an image has one or more tags referencing it, you must remove all of them before
+the image is removed. Digest references are removed automatically when an image
+is removed by tag.
+
+```bash
+$ docker images
+
+REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
+test1                     latest              fd484f19954f        23 seconds ago      7 B (virtual 4.964 MB)
+test                      latest              fd484f19954f        23 seconds ago      7 B (virtual 4.964 MB)
+test2                     latest              fd484f19954f        23 seconds ago      7 B (virtual 4.964 MB)
+
+$ docker rmi fd484f19954f
+
+Error: Conflict, cannot delete image fd484f19954f because it is tagged in multiple repositories, use -f to force
+2013/12/11 05:47:16 Error: failed to remove one or more images
+
+$ docker rmi test1
+
+Untagged: test1:latest
+
+$ docker rmi test2
+
+Untagged: test2:latest
+
+
+$ docker images
+
+REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
+test                      latest              fd484f19954f        23 seconds ago      7 B (virtual 4.964 MB)
+
+$ docker rmi test
+
+Untagged: test:latest
+Deleted: fd484f19954f4920da7ff372b5067f5b7ddb2fd3830cecd17b96ea9e286ba5b8
+```
+
+If you use the `-f` flag and specify the image's short or long ID, then this
+command untags and removes all images that match the specified ID.
+
+```bash
+$ docker images
+
+REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
+test1                     latest              fd484f19954f        23 seconds ago      7 B (virtual 4.964 MB)
+test                      latest              fd484f19954f        23 seconds ago      7 B (virtual 4.964 MB)
+test2                     latest              fd484f19954f        23 seconds ago      7 B (virtual 4.964 MB)
+
+$ docker rmi -f fd484f19954f
+
+Untagged: test1:latest
+Untagged: test:latest
+Untagged: test2:latest
+Deleted: fd484f19954f4920da7ff372b5067f5b7ddb2fd3830cecd17b96ea9e286ba5b8
+```
+
+An image pulled by digest has no tag associated with it:
+
+```bash
+$ docker images --digests
+
+REPOSITORY                     TAG       DIGEST                                                                    IMAGE ID        CREATED         SIZE
+localhost:5000/test/busybox    <none>    sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf   4986bf8c1536    9 weeks ago     2.43 MB
+```
+
+To remove an image using its digest:
+
+```bash
+$ docker rmi localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf
+Untagged: localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf
+Deleted: 4986bf8c15363d1c5d15512d5266f8777bfba4974ac56e3270e7760f6f0a8125
+Deleted: ea13149945cb6b1e746bf28032f02e9b5a793523481a0a18645fc77ad53c4ea2
+Deleted: df7546f9f060a2268024c8a230d8639878585defcc1bc6f79d2728a13957871b
+```
diff --git a/cli/docs/reference/commandline/run.md b/cli/docs/reference/commandline/run.md
new file mode 100644
index 00000000..71d6c634
--- /dev/null
+++ b/cli/docs/reference/commandline/run.md
@@ -0,0 +1,816 @@
+---
+title: "run"
+description: "The run command description and usage"
+keywords: "run, command, container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# run
+
+```markdown
+Usage:  docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
+
+Run a command in a new container
+
+Options:
+      --add-host value                Add a custom host-to-IP mapping (host:ip) (default [])
+  -a, --attach value                  Attach to STDIN, STDOUT or STDERR (default [])
+      --blkio-weight value            Block IO (relative weight), between 10 and 1000
+      --blkio-weight-device value     Block IO weight (relative device weight) (default [])
+      --cap-add value                 Add Linux capabilities (default [])
+      --cap-drop value                Drop Linux capabilities (default [])
+      --cgroup-parent string          Optional parent cgroup for the container
+      --cidfile string                Write the container ID to the file
+      --cpu-count int                 The number of CPUs available for execution by the container.
+                                      Windows daemon only. On Windows Server containers, this is
+                                      approximated as a percentage of total CPU usage.
+      --cpu-percent int               Limit percentage of CPU available for execution
+                                      by the container. Windows daemon only.
+                                      The processor resource controls are mutually
+                                      exclusive, the order of precedence is CPUCount
+                                      first, then CPUShares, and CPUPercent last.
+      --cpu-period int                Limit CPU CFS (Completely Fair Scheduler) period
+      --cpu-quota int                 Limit CPU CFS (Completely Fair Scheduler) quota
+  -c, --cpu-shares int                CPU shares (relative weight)
+      --cpus NanoCPUs                 Number of CPUs (default 0.000)
+      --cpu-rt-period int             Limit the CPU real-time period in microseconds
+      --cpu-rt-runtime int            Limit the CPU real-time runtime in microseconds
+      --cpuset-cpus string            CPUs in which to allow execution (0-3, 0,1)
+      --cpuset-mems string            MEMs in which to allow execution (0-3, 0,1)
+  -d, --detach                        Run container in background and print container ID
+      --detach-keys string            Override the key sequence for detaching a container
+      --device value                  Add a host device to the container (default [])
+      --device-cgroup-rule value      Add a rule to the cgroup allowed devices list
+      --device-read-bps value         Limit read rate (bytes per second) from a device (default [])
+      --device-read-iops value        Limit read rate (IO per second) from a device (default [])
+      --device-write-bps value        Limit write rate (bytes per second) to a device (default [])
+      --device-write-iops value       Limit write rate (IO per second) to a device (default [])
+      --disable-content-trust         Skip image verification (default true)
+      --dns value                     Set custom DNS servers (default [])
+      --dns-option value              Set DNS options (default [])
+      --dns-search value              Set custom DNS search domains (default [])
+      --entrypoint string             Overwrite the default ENTRYPOINT of the image
+  -e, --env value                     Set environment variables (default [])
+      --env-file value                Read in a file of environment variables (default [])
+      --expose value                  Expose a port or a range of ports (default [])
+      --group-add value               Add additional groups to join (default [])
+      --health-cmd string             Command to run to check health
+      --health-interval duration      Time between running the check (ns|us|ms|s|m|h) (default 0s)
+      --health-retries int            Consecutive failures needed to report unhealthy
+      --health-timeout duration       Maximum time to allow one check to run (ns|us|ms|s|m|h) (default 0s)
+      --health-start-period duration  Start period for the container to initialize before counting retries towards unstable (ns|us|ms|s|m|h) (default 0s)
+      --help                          Print usage
+  -h, --hostname string               Container host name
+      --init                          Run an init inside the container that forwards signals and reaps processes
+  -i, --interactive                   Keep STDIN open even if not attached
+      --io-maxbandwidth string        Maximum IO bandwidth limit for the system drive (Windows only)
+                                      (Windows only). The format is `<number><unit>`.
+                                      Unit is optional and can be `b` (bytes per second),
+                                      `k` (kilobytes per second), `m` (megabytes per second),
+                                      or `g` (gigabytes per second). If you omit the unit,
+                                      the system uses bytes per second.
+                                      --io-maxbandwidth and --io-maxiops are mutually exclusive options.
+      --io-maxiops uint               Maximum IOps limit for the system drive (Windows only)
+      --ip string                     IPv4 address (e.g., 172.30.100.104)
+      --ip6 string                    IPv6 address (e.g., 2001:db8::33)
+      --ipc string                    IPC namespace to use
+      --isolation string              Container isolation technology
+      --kernel-memory string          Kernel memory limit
+  -l, --label value                   Set meta data on a container (default [])
+      --label-file value              Read in a line delimited file of labels (default [])
+      --link value                    Add link to another container (default [])
+      --link-local-ip value           Container IPv4/IPv6 link-local addresses (default [])
+      --log-driver string             Logging driver for the container
+      --log-opt value                 Log driver options (default [])
+      --mac-address string            Container MAC address (e.g., 92:d0:c6:0a:29:33)
+  -m, --memory string                 Memory limit
+      --memory-reservation string     Memory soft limit
+      --memory-swap string            Swap limit equal to memory plus swap: '-1' to enable unlimited swap
+      --memory-swappiness int         Tune container memory swappiness (0 to 100) (default -1)
+      --mount value                   Attach a filesystem mount to the container (default [])
+      --name string                   Assign a name to the container
+      --network-alias value           Add network-scoped alias for the container (default [])
+      --network string                Connect a container to a network
+                                      'bridge': create a network stack on the default Docker bridge
+                                      'none': no networking
+                                      'container:<name|id>': reuse another container's network stack
+                                      'host': use the Docker host network stack
+                                      '<network-name>|<network-id>': connect to a user-defined network
+      --no-healthcheck                Disable any container-specified HEALTHCHECK
+      --oom-kill-disable              Disable OOM Killer
+      --oom-score-adj int             Tune host's OOM preferences (-1000 to 1000)
+      --pid string                    PID namespace to use
+      --pids-limit int                Tune container pids limit (set -1 for unlimited)
+      --privileged                    Give extended privileges to this container
+  -p, --publish value                 Publish a container's port(s) to the host (default [])
+  -P, --publish-all                   Publish all exposed ports to random ports
+      --read-only                     Mount the container's root filesystem as read only
+      --restart string                Restart policy to apply when a container exits (default "no")
+                                      Possible values are : no, on-failure[:max-retry], always, unless-stopped
+      --rm                            Automatically remove the container when it exits
+      --runtime string                Runtime to use for this container
+      --security-opt value            Security Options (default [])
+      --shm-size bytes                Size of /dev/shm
+                                      The format is `<number><unit>`. `number` must be greater than `0`.
+                                      Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes),
+                                      or `g` (gigabytes). If you omit the unit, the system uses bytes.
+      --sig-proxy                     Proxy received signals to the process (default true)
+      --stop-signal string            Signal to stop a container (default "SIGTERM")
+      --stop-timeout=10               Timeout (in seconds) to stop a container
+      --storage-opt value             Storage driver options for the container (default [])
+      --sysctl value                  Sysctl options (default map[])
+      --tmpfs value                   Mount a tmpfs directory (default [])
+  -t, --tty                           Allocate a pseudo-TTY
+      --ulimit value                  Ulimit options (default [])
+  -u, --user string                   Username or UID (format: <name|uid>[:<group|gid>])
+      --userns string                 User namespace to use
+                                      'host': Use the Docker host user namespace
+                                      '': Use the Docker daemon user namespace specified by `--userns-remap` option.
+      --uts string                    UTS namespace to use
+  -v, --volume value                  Bind mount a volume (default []). The format
+                                      is `[host-src:]container-dest[:<options>]`.
+                                      The comma-delimited `options` are [rw|ro],
+                                      [z|Z], [[r]shared|[r]slave|[r]private],
+                                      [delegated|cached|consistent], and
+                                      [nocopy]. The 'host-src' is an absolute path
+                                      or a name value.
+      --volume-driver string          Optional volume driver for the container
+      --volumes-from value            Mount volumes from the specified container(s) (default [])
+  -w, --workdir string                Working directory inside the container
+```
+
+## Description
+
+The `docker run` command first `creates` a writeable container layer over the
+specified image, and then `starts` it using the specified command. That is,
+`docker run` is equivalent to the API `/containers/create` then
+`/containers/(id)/start`. A stopped container can be restarted with all its
+previous changes intact using `docker start`. See `docker ps -a` to view a list
+of all containers.
+
+The `docker run` command can be used in combination with `docker commit` to
+[*change the command that a container runs*](commit.md). There is additional detailed information about `docker run` in the [Docker run reference](../run.md).
+
+For information on connecting a container to a network, see the ["*Docker network overview*"](https://docs.docker.com/engine/userguide/networking/).
+
+## Examples
+
+### Assign name and allocate pseudo-TTY (--name, -it)
+
+```bash
+$ docker run --name test -it debian
+
+root@d6c0fe130dba:/# exit 13
+$ echo $?
+13
+$ docker ps -a | grep test
+d6c0fe130dba        debian:7            "/bin/bash"         26 seconds ago      Exited (13) 17 seconds ago                         test
+```
+
+This example runs a container named `test` using the `debian:latest`
+image. The `-it` instructs Docker to allocate a pseudo-TTY connected to
+the container's stdin; creating an interactive `bash` shell in the container.
+In the example, the `bash` shell is quit by entering
+`exit 13`. This exit code is passed on to the caller of
+`docker run`, and is recorded in the `test` container's metadata.
+
+### Capture container ID (--cidfile)
+
+```bash
+$ docker run --cidfile /tmp/docker_test.cid ubuntu echo "test"
+```
+
+This will create a container and print `test` to the console. The `cidfile`
+flag makes Docker attempt to create a new file and write the container ID to it.
+If the file exists already, Docker will return an error. Docker will close this
+file when `docker run` exits.
+
+### Full container capabilities (--privileged)
+
+```bash
+$ docker run -t -i --rm ubuntu bash
+root@bc338942ef20:/# mount -t tmpfs none /mnt
+mount: permission denied
+```
+
+This will *not* work, because by default, most potentially dangerous kernel
+capabilities are dropped; including `cap_sys_admin` (which is required to mount
+filesystems). However, the `--privileged` flag will allow it to run:
+
+```bash
+$ docker run -t -i --privileged ubuntu bash
+root@50e3f57e16e6:/# mount -t tmpfs none /mnt
+root@50e3f57e16e6:/# df -h
+Filesystem      Size  Used Avail Use% Mounted on
+none            1.9G     0  1.9G   0% /mnt
+```
+
+The `--privileged` flag gives *all* capabilities to the container, and it also
+lifts all the limitations enforced by the `device` cgroup controller. In other
+words, the container can then do almost everything that the host can do. This
+flag exists to allow special use-cases, like running Docker within Docker.
+
+### Set working directory (-w)
+
+```bash
+$ docker  run -w /path/to/dir/ -i -t  ubuntu pwd
+```
+
+The `-w` lets the command being executed inside directory given, here
+`/path/to/dir/`. If the path does not exist it is created inside the container.
+
+### Set storage driver options per container
+
+```bash
+$ docker run -it --storage-opt size=120G fedora /bin/bash
+```
+
+This (size) will allow to set the container rootfs size to 120G at creation time.
+This option is only available for the `devicemapper`, `btrfs`, `overlay2`,
+`windowsfilter` and `zfs` graph drivers.
+For the `devicemapper`, `btrfs`, `windowsfilter` and `zfs` graph drivers,
+user cannot pass a size less than the Default BaseFS Size.
+For the `overlay2` storage driver, the size option is only available if the
+backing fs is `xfs` and mounted with the `pquota` mount option.
+Under these conditions, user can pass any size less than the backing fs size.
+
+### Mount tmpfs (--tmpfs)
+
+```bash
+$ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image
+```
+
+The `--tmpfs` flag mounts an empty tmpfs into the container with the `rw`,
+`noexec`, `nosuid`, `size=65536k` options.
+
+### Mount volume (-v, --read-only)
+
+```bash
+$ docker  run  -v `pwd`:`pwd` -w `pwd` -i -t  ubuntu pwd
+```
+
+The `-v` flag mounts the current working directory into the container. The `-w`
+lets the command being executed inside the current working directory, by
+changing into the directory to the value returned by `pwd`. So this
+combination executes the command using the container, but inside the
+current working directory.
+
+```bash
+$ docker run -v /doesnt/exist:/foo -w /foo -i -t ubuntu bash
+```
+
+When the host directory of a bind-mounted volume doesn't exist, Docker
+will automatically create this directory on the host for you. In the
+example above, Docker will create the `/doesnt/exist`
+folder before starting your container.
+
+```bash
+$ docker run --read-only -v /icanwrite busybox touch /icanwrite/here
+```
+
+Volumes can be used in combination with `--read-only` to control where
+a container writes files. The `--read-only` flag mounts the container's root
+filesystem as read only prohibiting writes to locations other than the
+specified volumes for the container.
+
+```bash
+$ docker run -t -i -v /var/run/docker.sock:/var/run/docker.sock -v /path/to/static-docker-binary:/usr/bin/docker busybox sh
+```
+
+By bind-mounting the docker unix socket and statically linked docker
+binary (refer to [get the linux binary](
+https://docs.docker.com/engine/installation/binaries/#/get-the-linux-binary)),
+you give the container the full access to create and manipulate the host's
+Docker daemon.
+
+On Windows, the paths must be specified using Windows-style semantics.
+
+```powershell
+PS C:\> docker run -v c:\foo:c:\dest microsoft/nanoserver cmd /s /c type c:\dest\somefile.txt
+Contents of file
+
+PS C:\> docker run -v c:\foo:d: microsoft/nanoserver cmd /s /c type d:\somefile.txt
+Contents of file
+```
+
+The following examples will fail when using Windows-based containers, as the
+destination of a volume or bind mount inside the container must be one of:
+a non-existing or empty directory; or a drive other than C:. Further, the source
+of a bind mount must be a local directory, not a file.
+
+```powershell
+net use z: \\remotemachine\share
+docker run -v z:\foo:c:\dest ...
+docker run -v \\uncpath\to\directory:c:\dest ...
+docker run -v c:\foo\somefile.txt:c:\dest ...
+docker run -v c:\foo:c: ...
+docker run -v c:\foo:c:\existing-directory-with-contents ...
+```
+
+For in-depth information about volumes, refer to [manage data in containers](https://docs.docker.com/engine/tutorials/dockervolumes/)
+
+
+### Add bind mounts or volumes using the --mount flag
+
+The `--mount` flag allows you to mount volumes, host-directories and `tmpfs`
+mounts in a container.
+
+The `--mount` flag supports most options that are supported by the `-v` or the
+`--volume` flag, but uses a different syntax. For in-depth information on the
+`--mount` flag, and a comparison between `--volume` and `--mount`, refer to
+the [service create command reference](service_create.md#add-bind-mounts-or-volumes).
+
+Even though there is no plan to deprecate `--volume`, usage of `--mount` is recommended.
+
+Examples:
+
+```bash
+$ docker run --read-only --mount type=volume,target=/icanwrite busybox touch /icanwrite/here
+```
+
+```bash
+$ docker run -t -i --mount type=bind,src=/data,dst=/data busybox sh
+```
+
+### Publish or expose port (-p, --expose)
+
+```bash
+$ docker run -p 127.0.0.1:80:8080/tcp ubuntu bash
+```
+
+This binds port `8080` of the container to TCP port `80` on `127.0.0.1` of the host
+machine. You can also specify `udp` and `sctp` ports.
+The [Docker User Guide](https://docs.docker.com/engine/userguide/networking/default_network/dockerlinks/)
+explains in detail how to manipulate ports in Docker.
+
+```bash
+$ docker run --expose 80 ubuntu bash
+```
+
+This exposes port `80` of the container without publishing the port to the host
+system's interfaces.
+
+### Set environment variables (-e, --env, --env-file)
+
+```bash
+$ docker run -e MYVAR1 --env MYVAR2=foo --env-file ./env.list ubuntu bash
+```
+
+Use the `-e`, `--env`, and `--env-file` flags to set simple (non-array)
+environment variables in the container you're running, or overwrite variables
+that are defined in the Dockerfile of the image you're running.
+
+You can define the variable and its value when running the container:
+
+```bash
+$ docker run --env VAR1=value1 --env VAR2=value2 ubuntu env | grep VAR
+VAR1=value1
+VAR2=value2
+```
+
+You can also use variables that you've exported to your local environment:
+
+```bash
+export VAR1=value1
+export VAR2=value2
+
+$ docker run --env VAR1 --env VAR2 ubuntu env | grep VAR
+VAR1=value1
+VAR2=value2
+```
+
+When running the command, the Docker CLI client checks the value the variable
+has in your local environment and passes it to the container.
+If no `=` is provided and that variable is not exported in your local
+environment, the variable won't be set in the container.
+
+You can also load the environment variables from a file. This file should use
+the syntax `<variable>=value` (which sets the variable to the given value) or
+`<variable>` (which takes the value from the local environment), and `#` for comments.
+
+```bash
+$ cat env.list
+# This is a comment
+VAR1=value1
+VAR2=value2
+USER
+
+$ docker run --env-file env.list ubuntu env | grep VAR
+VAR1=value1
+VAR2=value2
+USER=denis
+```
+
+### Set metadata on container (-l, --label, --label-file)
+
+A label is a `key=value` pair that applies metadata to a container. To label a container with two labels:
+
+```bash
+$ docker run -l my-label --label com.example.foo=bar ubuntu bash
+```
+
+The `my-label` key doesn't specify a value so the label defaults to an empty
+string(`""`). To add multiple labels, repeat the label flag (`-l` or `--label`).
+
+The `key=value` must be unique to avoid overwriting the label value. If you
+specify labels with identical keys but different values, each subsequent value
+overwrites the previous. Docker uses the last `key=value` you supply.
+
+Use the `--label-file` flag to load multiple labels from a file. Delimit each
+label in the file with an EOL mark. The example below loads labels from a
+labels file in the current directory:
+
+```bash
+$ docker run --label-file ./labels ubuntu bash
+```
+
+The label-file format is similar to the format for loading environment
+variables. (Unlike environment variables, labels are not visible to processes
+running inside a container.) The following example illustrates a label-file
+format:
+
+```none
+com.example.label1="a label"
+
+# this is a comment
+com.example.label2=another\ label
+com.example.label3
+```
+
+You can load multiple label-files by supplying multiple  `--label-file` flags.
+
+For additional information on working with labels, see [*Labels - custom
+metadata in Docker*](https://docs.docker.com/engine/userguide/labels-custom-metadata/) in the Docker User
+Guide.
+
+### Connect a container to a network (--network)
+
+When you start a container use the `--network` flag to connect it to a network.
+This adds the `busybox` container to the `my-net` network.
+
+```bash
+$ docker run -itd --network=my-net busybox
+```
+
+You can also choose the IP addresses for the container with `--ip` and `--ip6`
+flags when you start the container on a user-defined network.
+
+```bash
+$ docker run -itd --network=my-net --ip=10.10.9.75 busybox
+```
+
+If you want to add a running container to a network use the `docker network connect` subcommand.
+
+You can connect multiple containers to the same network. Once connected, the
+containers can communicate easily need only another container's IP address
+or name. For `overlay` networks or custom plugins that support multi-host
+connectivity, containers connected to the same multi-host network but launched
+from different Engines can also communicate in this way.
+
+> **Note**: Service discovery is unavailable on the default bridge network.
+> Containers can communicate via their IP addresses by default. To communicate
+> by name, they must be linked.
+
+You can disconnect a container from a network using the `docker network
+disconnect` command.
+
+### Mount volumes from container (--volumes-from)
+
+```bash
+$ docker run --volumes-from 777f7dc92da7 --volumes-from ba8c0c54f0f2:ro -i -t ubuntu pwd
+```
+
+The `--volumes-from` flag mounts all the defined volumes from the referenced
+containers. Containers can be specified by repetitions of the `--volumes-from`
+argument. The container ID may be optionally suffixed with `:ro` or `:rw` to
+mount the volumes in read-only or read-write mode, respectively. By default,
+the volumes are mounted in the same mode (read write or read only) as
+the reference container.
+
+Labeling systems like SELinux require that proper labels are placed on volume
+content mounted into a container. Without a label, the security system might
+prevent the processes running inside the container from using the content. By
+default, Docker does not change the labels set by the OS.
+
+To change the label in the container context, you can add either of two suffixes
+`:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file
+objects on the shared volumes. The `z` option tells Docker that two containers
+share the volume content. As a result, Docker labels the content with a shared
+content label. Shared volume labels allow all containers to read/write content.
+The `Z` option tells Docker to label the content with a private unshared label.
+Only the current container can use a private volume.
+
+### Attach to STDIN/STDOUT/STDERR (-a)
+
+The `-a` flag tells `docker run` to bind to the container's `STDIN`, `STDOUT`
+or `STDERR`. This makes it possible to manipulate the output and input as
+needed.
+
+```bash
+$ echo "test" | docker run -i -a stdin ubuntu cat -
+```
+
+This pipes data into a container and prints the container's ID by attaching
+only to the container's `STDIN`.
+
+```bash
+$ docker run -a stderr ubuntu echo test
+```
+
+This isn't going to print anything unless there's an error because we've
+only attached to the `STDERR` of the container. The container's logs
+still store what's been written to `STDERR` and `STDOUT`.
+
+```bash
+$ cat somefile | docker run -i -a stdin mybuilder dobuild
+```
+
+This is how piping a file into a container could be done for a build.
+The container's ID will be printed after the build is done and the build
+logs could be retrieved using `docker logs`. This is
+useful if you need to pipe a file or something else into a container and
+retrieve the container's ID once the container has finished running.
+
+### Add host device to container (--device)
+
+```bash
+$ docker run --device=/dev/sdc:/dev/xvdc \
+             --device=/dev/sdd --device=/dev/zero:/dev/nulo \
+             -i -t \
+             ubuntu ls -l /dev/{xvdc,sdd,nulo}
+
+brw-rw---- 1 root disk 8, 2 Feb  9 16:05 /dev/xvdc
+brw-rw---- 1 root disk 8, 3 Feb  9 16:05 /dev/sdd
+crw-rw-rw- 1 root root 1, 5 Feb  9 16:05 /dev/nulo
+```
+
+It is often necessary to directly expose devices to a container. The `--device`
+option enables that. For example, a specific block storage device or loop
+device or audio device can be added to an otherwise unprivileged container
+(without the `--privileged` flag) and have the application directly access it.
+
+By default, the container will be able to `read`, `write` and `mknod` these devices.
+This can be overridden using a third `:rwm` set of options to each `--device`
+flag:
+
+```bash
+$ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk  /dev/xvdc
+
+Command (m for help): q
+$ docker run --device=/dev/sda:/dev/xvdc:r --rm -it ubuntu fdisk  /dev/xvdc
+You will not be able to write the partition table.
+
+Command (m for help): q
+
+$ docker run --device=/dev/sda:/dev/xvdc:rw --rm -it ubuntu fdisk  /dev/xvdc
+
+Command (m for help): q
+
+$ docker run --device=/dev/sda:/dev/xvdc:m --rm -it ubuntu fdisk  /dev/xvdc
+fdisk: unable to open /dev/xvdc: Operation not permitted
+```
+
+> **Note**: `--device` cannot be safely used with ephemeral devices. Block devices
+> that may be removed should not be added to untrusted containers with
+> `--device`.
+
+### Restart policies (--restart)
+
+Use Docker's `--restart` to specify a container's *restart policy*. A restart
+policy controls whether the Docker daemon restarts a container after exit.
+Docker supports the following restart policies:
+
+| Policy                     | Result                                                                                                                                                                                                                                                           |
+|:---------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `no`                       | Do not automatically restart the container when it exits. This is the default.                                                                                                                                                                                   |
+| `on-failure[:max-retries]` | Restart only if the container exits with a non-zero exit status. Optionally, limit the number of restart retries the Docker daemon attempts.                                                                                                                     |
+| `unless-stopped`           | Restart the container unless it is explicitly stopped or Docker itself is stopped or restarted.                                                                                                                                                                  |
+| `always`                   | Always restart the container regardless of the exit status. When you specify always, the Docker daemon will try to restart the container indefinitely. The container will also always start on daemon startup, regardless of the current state of the container. |
+
+```bash
+$ docker run --restart=always redis
+```
+
+This will run the `redis` container with a restart policy of **always**
+so that if the container exits, Docker will restart it.
+
+More detailed information on restart policies can be found in the
+[Restart Policies (--restart)](../run.md#restart-policies---restart)
+section of the Docker run reference page.
+
+### Add entries to container hosts file (--add-host)
+
+You can add other hosts into a container's `/etc/hosts` file by using one or
+more `--add-host` flags. This example adds a static address for a host named
+`docker`:
+
+```bash
+$ docker run --add-host=docker:10.180.0.1 --rm -it debian
+
+root@f38c87f2a42d:/# ping docker
+PING docker (10.180.0.1): 48 data bytes
+56 bytes from 10.180.0.1: icmp_seq=0 ttl=254 time=7.600 ms
+56 bytes from 10.180.0.1: icmp_seq=1 ttl=254 time=30.705 ms
+^C--- docker ping statistics ---
+2 packets transmitted, 2 packets received, 0% packet loss
+round-trip min/avg/max/stddev = 7.600/19.152/30.705/11.553 ms
+```
+
+Sometimes you need to connect to the Docker host from within your
+container. To enable this, pass the Docker host's IP address to
+the container using the `--add-host` flag. To find the host's address,
+use the `ip addr show` command.
+
+The flags you pass to `ip addr show` depend on whether you are
+using IPv4 or IPv6 networking in your containers. Use the following
+flags for IPv4 address retrieval for a network device named `eth0`:
+
+```bash
+$ HOSTIP=`ip -4 addr show scope global dev eth0 | grep inet | awk '{print \$2}' | cut -d / -f 1`
+$ docker run  --add-host=docker:${HOSTIP} --rm -it debian
+```
+
+For IPv6 use the `-6` flag instead of the `-4` flag. For other network
+devices, replace `eth0` with the correct device name (for example `docker0`
+for the bridge device).
+
+### Set ulimits in container (--ulimit)
+
+Since setting `ulimit` settings in a container requires extra privileges not
+available in the default container, you can set these using the `--ulimit` flag.
+`--ulimit` is specified with a soft and hard limit as such:
+`<type>=<soft limit>[:<hard limit>]`, for example:
+
+```bash
+$ docker run --ulimit nofile=1024:1024 --rm debian sh -c "ulimit -n"
+1024
+```
+
+> **Note**: If you do not provide a `hard limit`, the `soft limit` will be used
+> for both values. If no `ulimits` are set, they will be inherited from
+> the default `ulimits` set on the daemon.  `as` option is disabled now.
+> In other words, the following script is not supported:
+>
+> ```bash
+> $ docker run -it --ulimit as=1024 fedora /bin/bash`
+> ```
+
+The values are sent to the appropriate `syscall` as they are set.
+Docker doesn't perform any byte conversion. Take this into account when setting the values.
+
+#### For `nproc` usage
+
+Be careful setting `nproc` with the `ulimit` flag as `nproc` is designed by Linux to set the
+maximum number of processes available to a user, not to a container.  For example, start four
+containers with `daemon` user:
+
+```bash
+$ docker run -d -u daemon --ulimit nproc=3 busybox top
+
+$ docker run -d -u daemon --ulimit nproc=3 busybox top
+
+$ docker run -d -u daemon --ulimit nproc=3 busybox top
+
+$ docker run -d -u daemon --ulimit nproc=3 busybox top
+```
+
+The 4th container fails and reports "[8] System error: resource temporarily unavailable" error.
+This fails because the caller set `nproc=3` resulting in the first three containers using up
+the three processes quota set for the `daemon` user.
+
+### Stop container with signal (--stop-signal)
+
+The `--stop-signal` flag sets the system call signal that will be sent to the container to exit.
+This signal can be a valid unsigned number that matches a position in the kernel's syscall table, for instance 9,
+or a signal name in the format SIGNAME, for instance SIGKILL.
+
+### Optional security options (--security-opt)
+
+On Windows, this flag can be used to specify the `credentialspec` option.
+The `credentialspec` must be in the format `file://spec.txt` or `registry://keyname`.
+
+### Stop container with timeout (--stop-timeout)
+
+The `--stop-timeout` flag sets the timeout (in seconds) that a pre-defined (see `--stop-signal`) system call
+signal that will be sent to the container to exit. After timeout elapses the container will be killed with SIGKILL.
+
+### Specify isolation technology for container (--isolation)
+
+This option is useful in situations where you are running Docker containers on
+Windows. The `--isolation <value>` option sets a container's isolation technology.
+On Linux, the only supported is the `default` option which uses
+Linux namespaces. These two commands are equivalent on Linux:
+
+```bash
+$ docker run -d busybox top
+$ docker run -d --isolation default busybox top
+```
+
+On Windows, `--isolation` can take one of these values:
+
+
+| Value     | Description                                                                                |
+|:----------|:-------------------------------------------------------------------------------------------|
+| `default` | Use the value specified by the Docker daemon's `--exec-opt` or system default (see below). |
+| `process` | Shared-kernel namespace isolation (not supported on Windows client operating systems).     |
+| `hyperv`  | Hyper-V hypervisor partition-based isolation.                                              |
+
+The default isolation on Windows server operating systems is `process`. The default (and only supported)
+isolation on Windows client operating systems is `hyperv`. An attempt to start a container on a client
+operating system with `--isolation process` will fail.
+
+On Windows server, assuming the default configuration, these commands are equivalent
+and result in `process` isolation:
+
+```PowerShell
+PS C:\> docker run -d microsoft/nanoserver powershell echo process
+PS C:\> docker run -d --isolation default microsoft/nanoserver powershell echo process
+PS C:\> docker run -d --isolation process microsoft/nanoserver powershell echo process
+```
+
+If you have set the `--exec-opt isolation=hyperv` option on the Docker `daemon`, or
+are running against a Windows client-based daemon, these commands are equivalent and
+result in `hyperv` isolation:
+
+```PowerShell
+PS C:\> docker run -d microsoft/nanoserver powershell echo hyperv
+PS C:\> docker run -d --isolation default microsoft/nanoserver powershell echo hyperv
+PS C:\> docker run -d --isolation hyperv microsoft/nanoserver powershell echo hyperv
+```
+
+### Specify hard limits on memory available to containers (-m, --memory)
+
+These parameters always set an upper limit on the memory available to the container. On Linux, this
+is set on the cgroup and applications in a container can query it at `/sys/fs/cgroup/memory/memory.limit_in_bytes`.
+
+On Windows, this will affect containers differently depending on what type of isolation is used.
+
+- With `process` isolation, Windows will report the full memory of the host system, not the limit to applications running inside the container
+
+    ```powershell
+    PS C:\> docker run -it -m 2GB --isolation=process microsoft/nanoserver powershell Get-ComputerInfo *memory*
+
+    CsTotalPhysicalMemory      : 17064509440
+    CsPhyicallyInstalledMemory : 16777216
+    OsTotalVisibleMemorySize   : 16664560
+    OsFreePhysicalMemory       : 14646720
+    OsTotalVirtualMemorySize   : 19154928
+    OsFreeVirtualMemory        : 17197440
+    OsInUseVirtualMemory       : 1957488
+    OsMaxProcessMemorySize     : 137438953344
+    ```
+
+- With `hyperv` isolation, Windows will create a utility VM that is big enough to hold the memory limit, plus the minimal OS needed to host the container. That size is reported as "Total Physical Memory."
+
+    ```powershell
+    PS C:\> docker run -it -m 2GB --isolation=hyperv microsoft/nanoserver powershell Get-ComputerInfo *memory*
+
+    CsTotalPhysicalMemory      : 2683355136
+    CsPhyicallyInstalledMemory :
+    OsTotalVisibleMemorySize   : 2620464
+    OsFreePhysicalMemory       : 2306552
+    OsTotalVirtualMemorySize   : 2620464
+    OsFreeVirtualMemory        : 2356692
+    OsInUseVirtualMemory       : 263772
+    OsMaxProcessMemorySize     : 137438953344
+    ```
+
+
+### Configure namespaced kernel parameters (sysctls) at runtime
+
+The `--sysctl` sets namespaced kernel parameters (sysctls) in the
+container. For example, to turn on IP forwarding in the containers
+network namespace, run this command:
+
+```bash
+$ docker run --sysctl net.ipv4.ip_forward=1 someimage
+```
+
+> **Note**: Not all sysctls are namespaced. Docker does not support changing sysctls
+> inside of a container that also modify the host system. As the kernel
+> evolves we expect to see more sysctls become namespaced.
+
+#### Currently supported sysctls
+
+- `IPC Namespace`:
+
+  ```none
+  kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
+  Sysctls beginning with fs.mqueue.*
+  ```
+
+  If you use the `--ipc=host` option these sysctls will not be allowed.
+
+- `Network Namespace`:
+
+  Sysctls beginning with net.*
+
+  If you use the `--network=host` option using these sysctls will not be allowed.
diff --git a/cli/docs/reference/commandline/save.md b/cli/docs/reference/commandline/save.md
new file mode 100644
index 00000000..166ee755
--- /dev/null
+++ b/cli/docs/reference/commandline/save.md
@@ -0,0 +1,62 @@
+---
+title: "save"
+description: "The save command description and usage"
+keywords: "tarred, repository, backup"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# save
+
+```markdown
+Usage:  docker save [OPTIONS] IMAGE [IMAGE...]
+
+Save one or more images to a tar archive (streamed to STDOUT by default)
+
+Options:
+      --help            Print usage
+  -o, --output string   Write to a file, instead of STDOUT
+```
+
+## Description
+
+Produces a tarred repository to the standard output stream.
+Contains all parent layers, and all tags + versions, or specified `repo:tag`, for
+each argument provided.
+
+## Examples
+
+### Create a backup that can then be used with `docker load`.
+
+```bash
+$ docker save busybox > busybox.tar
+
+$ ls -sh busybox.tar
+
+2.7M busybox.tar
+
+$ docker save --output busybox.tar busybox
+
+$ ls -sh busybox.tar
+
+2.7M busybox.tar
+
+$ docker save -o fedora-all.tar fedora
+
+$ docker save -o fedora-latest.tar fedora:latest
+```
+
+### Cherry-pick particular tags
+
+You can even cherry-pick particular tags of an image repository.
+
+```bash
+$ docker save -o ubuntu.tar ubuntu:lucid ubuntu:saucy
+```
diff --git a/cli/docs/reference/commandline/search.md b/cli/docs/reference/commandline/search.md
new file mode 100644
index 00000000..65f2d314
--- /dev/null
+++ b/cli/docs/reference/commandline/search.md
@@ -0,0 +1,202 @@
+---
+title: "search"
+description: "The search command description and usage"
+keywords: "search, hub, images"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# search
+
+```markdown
+Usage:  docker search [OPTIONS] TERM
+
+Search the Docker Hub for images
+
+Options:
+  -f, --filter value   Filter output based on conditions provided (default [])
+                       - is-automated=(true|false)
+                       - is-official=(true|false)
+                       - stars=<number> - image has at least 'number' stars
+      --format string  Pretty-print images using a Go template
+      --help           Print usage
+      --limit int      Max number of search results (default 25)
+      --no-trunc       Don't truncate output
+```
+
+## Description
+
+Search [Docker Hub](https://hub.docker.com) for images
+
+See [*Find Public Images on Docker Hub*](https://docs.docker.com/engine/tutorials/dockerrepos/#searching-for-images) for
+more details on finding shared images from the command line.
+
+> **Note**: Search queries return a maximum of 25 results.
+
+## Examples
+
+### Search images by name
+
+This example displays images with a name containing 'busybox':
+
+```none
+$ docker search busybox
+
+NAME                             DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
+busybox                          Busybox base image.                             316       [OK]       
+progrium/busybox                                                                 50                   [OK]
+radial/busyboxplus               Full-chain, Internet enabled, busybox made...   8                    [OK]
+odise/busybox-python                                                             2                    [OK]
+azukiapp/busybox                 This image is meant to be used as the base...   2                    [OK]
+ofayau/busybox-jvm               Prepare busybox to install a 32 bits JVM.       1                    [OK]
+shingonoide/archlinux-busybox    Arch Linux, a lightweight and flexible Lin...   1                    [OK]
+odise/busybox-curl                                                               1                    [OK]
+ofayau/busybox-libc32            Busybox with 32 bits (and 64 bits) libs         1                    [OK]
+peelsky/zulu-openjdk-busybox                                                     1                    [OK]
+skomma/busybox-data              Docker image suitable for data volume cont...   1                    [OK]
+elektritter/busybox-teamspeak    Lightweight teamspeak3 container based on...    1                    [OK]
+socketplane/busybox                                                              1                    [OK]
+oveits/docker-nginx-busybox      This is a tiny NginX docker image based on...   0                    [OK]
+ggtools/busybox-ubuntu           Busybox ubuntu version with extra goodies       0                    [OK]
+nikfoundas/busybox-confd         Minimal busybox based distribution of confd     0                    [OK]
+openshift/busybox-http-app                                                       0                    [OK]
+jllopis/busybox                                                                  0                    [OK]
+swyckoff/busybox                                                                 0                    [OK]
+powellquiring/busybox                                                            0                    [OK]
+williamyeh/busybox-sh            Docker image for BusyBox's sh                   0                    [OK]
+simplexsys/busybox-cli-powered   Docker busybox images, with a few often us...   0                    [OK]
+fhisamoto/busybox-java           Busybox java                                    0                    [OK]
+scottabernethy/busybox                                                           0                    [OK]
+marclop/busybox-solr
+```
+
+### Display non-truncated description (--no-trunc)
+
+This example displays images with a name containing 'busybox',
+at least 3 stars and the description isn't truncated in the output:
+
+```bash
+$ docker search --stars=3 --no-trunc busybox
+NAME                 DESCRIPTION                                                                               STARS     OFFICIAL   AUTOMATED
+busybox              Busybox base image.                                                                       325       [OK]       
+progrium/busybox                                                                                               50                   [OK]
+radial/busyboxplus   Full-chain, Internet enabled, busybox made from scratch. Comes in git and cURL flavors.   8                    [OK]
+```
+
+### Limit search results (--limit)
+
+The flag `--limit` is the maximum number of results returned by a search. This value could
+be in the range between 1 and 100. The default value of `--limit` is 25.
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there is more
+than one filter, then pass multiple flags (e.g. `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* stars (int - number of stars the image has)
+* is-automated (boolean - true or false) - is the image automated or not
+* is-official (boolean - true or false) - is the image official or not
+
+#### stars
+
+This example displays images with a name containing 'busybox' and at
+least 3 stars:
+
+```bash
+$ docker search --filter stars=3 busybox
+
+NAME                 DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
+busybox              Busybox base image.                             325       [OK]       
+progrium/busybox                                                     50                   [OK]
+radial/busyboxplus   Full-chain, Internet enabled, busybox made...   8                    [OK]
+```
+
+#### is-automated
+
+This example displays images with a name containing 'busybox'
+and are automated builds:
+
+```bash
+$ docker search --filter is-automated busybox
+
+NAME                 DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
+progrium/busybox                                                     50                   [OK]
+radial/busyboxplus   Full-chain, Internet enabled, busybox made...   8                    [OK]
+```
+
+#### is-official
+
+This example displays images with a name containing 'busybox', at least
+3 stars and are official builds:
+
+```bash
+$ docker search --filter "is-official=true" --filter "stars=3" busybox
+
+NAME                 DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
+progrium/busybox                                                     50                   [OK]
+radial/busyboxplus   Full-chain, Internet enabled, busybox made...   8                    [OK]
+```
+
+### Format the output
+
+The formatting option (`--format`) pretty-prints search output
+using a Go template.
+
+Valid placeholders for the Go template are:
+
+| Placeholder    | Description                       |
+| -------------- | --------------------------------- |
+| `.Name`        | Image Name                        |
+| `.Description` | Image description                 |
+| `.StarCount`   | Number of stars for the image     |
+| `.IsOfficial`  | "OK" if image is official         |
+| `.IsAutomated` | "OK" if image build was automated |
+
+When you use the `--format` option, the `search` command will
+output the data exactly as the template declares. If you use the
+`table` directive, column headers are included as well.
+
+The following example uses a template without headers and outputs the
+`Name` and `StarCount` entries separated by a colon for all images:
+
+```bash
+{% raw %}
+$ docker search --format "{{.Name}}: {{.StarCount}}" nginx
+
+nginx: 5441
+jwilder/nginx-proxy: 953
+richarvey/nginx-php-fpm: 353
+million12/nginx-php: 75
+webdevops/php-nginx: 70
+h3nrik/nginx-ldap: 35
+bitnami/nginx: 23
+evild/alpine-nginx: 14
+million12/nginx: 9
+maxexcloo/nginx: 7
+{% endraw %}
+```
+
+This example outputs a table format:
+
+```bash
+{% raw %}
+$ docker search --format "table {{.Name}}\t{{.IsAutomated}}\t{{.IsOfficial}}" nginx
+
+NAME                                     AUTOMATED           OFFICIAL
+nginx                                                        [OK]
+jwilder/nginx-proxy                      [OK]                
+richarvey/nginx-php-fpm                  [OK]                
+jrcs/letsencrypt-nginx-proxy-companion   [OK]                
+million12/nginx-php                      [OK]                
+webdevops/php-nginx                      [OK]                
+{% endraw %}
+```
diff --git a/cli/docs/reference/commandline/secret.md b/cli/docs/reference/commandline/secret.md
new file mode 100644
index 00000000..aaa8eb30
--- /dev/null
+++ b/cli/docs/reference/commandline/secret.md
@@ -0,0 +1,45 @@
+---
+title: "secret"
+description: "The secret command description and usage"
+keywords: "secret"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# secret
+
+```markdown
+Usage:  docker secret COMMAND
+
+Manage Docker secrets
+
+Options:
+      --help   Print usage
+
+Commands:
+  create      Create a secret from a file or STDIN as content
+  inspect     Display detailed information on one or more secrets
+  ls          List secrets
+  rm          Remove one or more secrets
+
+Run 'docker secret COMMAND --help' for more information on a command.
+
+```
+
+## Description
+
+Manage secrets.
+
+## Related commands
+
+* [secret create](secret_create.md)
+* [secret inspect](secret_inspect.md)
+* [secret list](secret_list.md)
+* [secret rm](secret_rm.md)
diff --git a/cli/docs/reference/commandline/secret_create.md b/cli/docs/reference/commandline/secret_create.md
new file mode 100644
index 00000000..66fc78f9
--- /dev/null
+++ b/cli/docs/reference/commandline/secret_create.md
@@ -0,0 +1,99 @@
+---
+title: "secret create"
+description: "The secret create command description and usage"
+keywords: ["secret, create"]
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# secret create
+
+```Markdown
+Usage:	docker secret create [OPTIONS] SECRET [file|-]
+
+Create a secret from a file or STDIN as content
+
+Options:
+  -l, --label list               Secret labels
+      --template-driver string   Template driver
+```
+
+## Description
+
+Creates a secret using standard input or from a file for the secret content. You must run this command on a manager node.
+
+For detailed information about using secrets, refer to [manage sensitive data with Docker secrets](https://docs.docker.com/engine/swarm/secrets/).
+
+## Examples
+
+### Create a secret
+
+```bash
+$ printf <secret> | docker secret create my_secret -
+
+onakdyv307se2tl7nl20anokv
+
+$ docker secret ls
+
+ID                          NAME                CREATED             UPDATED
+onakdyv307se2tl7nl20anokv   my_secret           6 seconds ago       6 seconds ago
+```
+
+### Create a secret with a file
+
+```bash
+$ docker secret create my_secret ./secret.json
+
+dg426haahpi5ezmkkj5kyl3sn
+
+$ docker secret ls
+
+ID                          NAME                CREATED             UPDATED
+dg426haahpi5ezmkkj5kyl3sn   my_secret           7 seconds ago       7 seconds ago
+```
+
+### Create a secret with labels
+
+```bash
+$ docker secret create --label env=dev \
+                       --label rev=20170324 \
+                       my_secret ./secret.json
+
+eo7jnzguqgtpdah3cm5srfb97
+```
+
+```none
+$ docker secret inspect my_secret
+
+[
+    {
+        "ID": "eo7jnzguqgtpdah3cm5srfb97",
+        "Version": {
+            "Index": 17
+        },
+        "CreatedAt": "2017-03-24T08:15:09.735271783Z",
+        "UpdatedAt": "2017-03-24T08:15:09.735271783Z",
+        "Spec": {
+            "Name": "my_secret",
+            "Labels": {
+                "env": "dev",
+                "rev": "20170324"
+            }
+        }
+    }
+]
+```
+
+
+## Related commands
+
+* [secret inspect](secret_inspect.md)
+* [secret ls](secret_ls.md)
+* [secret rm](secret_rm.md)
diff --git a/cli/docs/reference/commandline/secret_inspect.md b/cli/docs/reference/commandline/secret_inspect.md
new file mode 100644
index 00000000..349e28e6
--- /dev/null
+++ b/cli/docs/reference/commandline/secret_inspect.md
@@ -0,0 +1,95 @@
+---
+title: "secret inspect"
+description: "The secret inspect command description and usage"
+keywords: ["secret, inspect"]
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# secret inspect
+
+```Markdown
+Usage:  docker secret inspect [OPTIONS] SECRET [SECRET...]
+
+Display detailed information on one or more secrets
+
+Options:
+  -f, --format string   Format the output using the given Go template
+      --help            Print usage
+```
+
+## Description
+
+Inspects the specified secret. This command has to be run targeting a manager
+node.
+
+By default, this renders all results in a JSON array. If a format is specified,
+the given template will be executed for each result.
+
+Go's [text/template](http://golang.org/pkg/text/template/) package
+describes all the details of the format.
+
+For detailed information about using secrets, refer to [manage sensitive data with Docker secrets](https://docs.docker.com/engine/swarm/secrets/).
+
+## Examples
+
+### Inspect a secret by name or ID
+
+You can inspect a secret, either by its *name*, or *ID*
+
+For example, given the following secret:
+
+```bash
+$ docker secret ls
+
+ID                          NAME                CREATED             UPDATED
+eo7jnzguqgtpdah3cm5srfb97   my_secret           3 minutes ago       3 minutes ago
+```
+
+```none
+$ docker secret inspect secret.json
+
+[
+    {
+        "ID": "eo7jnzguqgtpdah3cm5srfb97",
+        "Version": {
+            "Index": 17
+        },
+        "CreatedAt": "2017-03-24T08:15:09.735271783Z",
+        "UpdatedAt": "2017-03-24T08:15:09.735271783Z",
+        "Spec": {
+            "Name": "my_secret",
+            "Labels": {
+                "env": "dev",
+                "rev": "20170324"
+            }
+        }
+    }
+]
+```
+
+### Formatting
+
+You can use the --format option to obtain specific information about a
+secret. The following example command outputs the creation time of the
+secret.
+
+```bash
+$ docker secret inspect --format='{{.CreatedAt}}' eo7jnzguqgtpdah3cm5srfb97
+
+2017-03-24 08:15:09.735271783 +0000 UTC
+```
+
+
+## Related commands
+
+* [secret create](secret_create.md)
+* [secret ls](secret_ls.md)
+* [secret rm](secret_rm.md)
diff --git a/cli/docs/reference/commandline/secret_ls.md b/cli/docs/reference/commandline/secret_ls.md
new file mode 100644
index 00000000..5fed7732
--- /dev/null
+++ b/cli/docs/reference/commandline/secret_ls.md
@@ -0,0 +1,157 @@
+---
+title: "secret ls"
+description: "The secret ls command description and usage"
+keywords: ["secret, ls"]
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# secret ls
+
+```Markdown
+Usage:	docker secret ls [OPTIONS]
+
+List secrets
+
+Aliases:
+  ls, list
+
+Options:
+  -f, --filter filter   Filter output based on conditions provided
+      --format string   Pretty-print secrets using a Go template
+      --help            Print usage
+  -q, --quiet           Only display IDs
+```
+
+## Description
+
+Run this command on a manager node to list the secrets in the swarm.
+
+For detailed information about using secrets, refer to [manage sensitive data with Docker secrets](https://docs.docker.com/engine/swarm/secrets/).
+
+## Examples
+
+```bash
+$ docker secret ls
+
+ID                          NAME                        CREATED             UPDATED
+6697bflskwj1998km1gnnjr38   q5s5570vtvnimefos1fyeo2u2   6 weeks ago         6 weeks ago
+9u9hk4br2ej0wgngkga6rp4hq   my_secret                   5 weeks ago         5 weeks ago
+mem02h8n73mybpgqjf0kfi1n0   test_secret                 3 seconds ago       3 seconds ago
+```
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* [id](secret_ls.md#id) (secret's ID)
+* [label](secret_ls.md#label) (`label=<key>` or `label=<key>=<value>`)
+* [name](secret_ls.md#name) (secret's name)
+
+#### id
+
+The `id` filter matches all or prefix of a secret's id.
+
+```bash
+$ docker secret ls -f "id=6697bflskwj1998km1gnnjr38"
+
+ID                          NAME                        CREATED             UPDATED
+6697bflskwj1998km1gnnjr38   q5s5570vtvnimefos1fyeo2u2   6 weeks ago         6 weeks ago
+```
+
+#### label
+
+The `label` filter matches secrets based on the presence of a `label` alone or
+a `label` and a value.
+
+The following filter matches all secrets with a `project` label regardless of
+its value:
+
+```bash
+$ docker secret ls --filter label=project
+
+ID                          NAME                        CREATED             UPDATED
+mem02h8n73mybpgqjf0kfi1n0   test_secret                 About an hour ago   About an hour ago
+```
+
+The following filter matches only services with the `project` label with the
+`project-a` value.
+
+```bash
+$ docker service ls --filter label=project=test
+
+ID                          NAME                        CREATED             UPDATED
+mem02h8n73mybpgqjf0kfi1n0   test_secret                 About an hour ago   About an hour ago
+```
+
+#### name
+
+The `name` filter matches on all or prefix of a secret's name.
+
+The following filter matches secret with a name containing a prefix of `test`.
+
+```bash
+$ docker secret ls --filter name=test_secret
+
+ID                          NAME                        CREATED             UPDATED
+mem02h8n73mybpgqjf0kfi1n0   test_secret                 About an hour ago   About an hour ago
+```
+
+### Format the output
+
+The formatting option (`--format`) pretty prints secrets output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+| Placeholder  | Description                                                                          |
+| ------------ | ------------------------------------------------------------------------------------ |
+| `.ID`        | Secret ID                                                                            |
+| `.Name`      | Secret name                                                                          |
+| `.CreatedAt` | Time when the secret was created                                                     |
+| `.UpdatedAt` | Time when the secret was updated                                                     |
+| `.Labels`    | All labels assigned to the secret                                                    |
+| `.Label`     | Value of a specific label for this secret. For example `{{.Label "secret.ssh.key"}}` |
+
+When using the `--format` option, the `secret ls` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, will include column headers as well.
+
+The following example uses a template without headers and outputs the
+`ID` and `Name` entries separated by a colon for all images:
+
+```bash
+$ docker secret ls --format "{{.ID}}: {{.Name}}"
+
+77af4d6b9913: secret-1
+b6fa739cedf5: secret-2
+78a85c484f71: secret-3
+```
+
+To list all secrets with their name and created date in a table format you
+can use:
+
+```bash
+$ docker secret ls --format "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}"
+
+ID                  NAME                      CREATED
+77af4d6b9913        secret-1                  5 minutes ago
+b6fa739cedf5        secret-2                  3 hours ago
+78a85c484f71        secret-3                  10 days ago
+```
+
+## Related commands
+
+* [secret create](secret_create.md)
+* [secret inspect](secret_inspect.md)
+* [secret rm](secret_rm.md)
diff --git a/cli/docs/reference/commandline/secret_rm.md b/cli/docs/reference/commandline/secret_rm.md
new file mode 100644
index 00000000..3fc90a2d
--- /dev/null
+++ b/cli/docs/reference/commandline/secret_rm.md
@@ -0,0 +1,54 @@
+---
+title: "secret rm"
+description: "The secret rm command description and usage"
+keywords: ["secret, rm"]
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# secret rm
+
+```Markdown
+Usage:	docker secret rm SECRET [SECRET...]
+
+Remove one or more secrets
+
+Aliases:
+  rm, remove
+
+Options:
+      --help   Print usage
+```
+
+## Description
+
+Removes the specified secrets from the swarm. This command has to be run
+targeting a manager node.
+
+For detailed information about using secrets, refer to [manage sensitive data with Docker secrets](https://docs.docker.com/engine/swarm/secrets/).
+
+## Examples
+
+This example removes a secret:
+
+```bash
+$ docker secret rm secret.json
+sapth4csdo5b6wz2p5uimh5xg
+```
+
+> **Warning**: Unlike `docker rm`, this command does not ask for confirmation
+> before removing a secret.
+
+
+## Related commands
+
+* [secret create](secret_create.md)
+* [secret inspect](secret_inspect.md)
+* [secret ls](secret_ls.md)
diff --git a/cli/docs/reference/commandline/service.md b/cli/docs/reference/commandline/service.md
new file mode 100644
index 00000000..a6803046
--- /dev/null
+++ b/cli/docs/reference/commandline/service.md
@@ -0,0 +1,42 @@
+---
+title: "service"
+description: "The service command description and usage"
+keywords: "service"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# service
+
+```markdown
+Usage:  docker service COMMAND
+
+Manage services
+
+Options:
+      --help   Print usage
+
+Commands:
+  create      Create a new service
+  inspect     Display detailed information on one or more services
+  logs        Fetch the logs of a service or task
+  ls          List services
+  ps          List the tasks of one or more services
+  rm          Remove one or more services
+  scale       Scale one or multiple replicated services
+  update      Update a service
+
+Run 'docker service COMMAND --help' for more information on a command.
+```
+
+## Description
+
+Manage services.
+
diff --git a/cli/docs/reference/commandline/service_create.md b/cli/docs/reference/commandline/service_create.md
new file mode 100644
index 00000000..8fdb5297
--- /dev/null
+++ b/cli/docs/reference/commandline/service_create.md
@@ -0,0 +1,964 @@
+---
+title: "service create"
+description: "The service create command description and usage"
+keywords: "service, create"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# service create
+
+```Markdown
+Usage:  docker service create [OPTIONS] IMAGE [COMMAND] [ARG...]
+
+Create a new service
+
+Options:
+      --config config                      Specify configurations to expose to the service
+      --constraint list                    Placement constraints
+      --container-label list               Container labels
+      --credential-spec credential-spec    Credential spec for managed service account (Windows only)
+  -d, --detach                             Exit immediately instead of waiting for the service to converge (default true)
+      --dns list                           Set custom DNS servers
+      --dns-option list                    Set DNS options
+      --dns-search list                    Set custom DNS search domains
+      --endpoint-mode string               Endpoint mode (vip or dnsrr) (default "vip")
+      --entrypoint command                 Overwrite the default ENTRYPOINT of the image
+  -e, --env list                           Set environment variables
+      --env-file list                      Read in a file of environment variables
+      --generic-resource list              User defined resources request
+      --group list                         Set one or more supplementary user groups for the container
+      --health-cmd string                  Command to run to check health
+      --health-interval duration           Time between running the check (ms|s|m|h)
+      --health-retries int                 Consecutive failures needed to report unhealthy
+      --health-start-period duration       Start period for the container to initialize before counting retries towards unstable (ms|s|m|h)
+      --health-timeout duration            Maximum time to allow one check to run (ms|s|m|h)
+      --help                               Print usage
+      --host list                          Set one or more custom host-to-IP mappings (host:ip)
+      --hostname string                    Container hostname
+      --init bool                          Use an init inside each service container to forward signals and reap processes
+      --isolation string                   Service container isolation mode
+  -l, --label list                         Service labels
+      --limit-cpu decimal                  Limit CPUs
+      --limit-memory bytes                 Limit Memory
+      --log-driver string                  Logging driver for service
+      --log-opt list                       Logging driver options
+      --mode string                        Service mode (replicated or global) (default "replicated")
+      --mount mount                        Attach a filesystem mount to the service
+      --name string                        Service name
+      --network network                    Network attachments
+      --no-healthcheck                     Disable any container-specified HEALTHCHECK
+      --no-resolve-image                   Do not query the registry to resolve image digest and supported platforms
+      --placement-pref pref                Add a placement preference
+  -p, --publish port                       Publish a port as a node port
+  -q, --quiet                              Suppress progress output
+      --read-only                          Mount the container's root filesystem as read only
+      --replicas uint                      Number of tasks
+      --reserve-cpu decimal                Reserve CPUs
+      --reserve-memory bytes               Reserve Memory
+      --restart-condition string           Restart when condition is met ("none"|"on-failure"|"any") (default "any")
+      --restart-delay duration             Delay between restart attempts (ns|us|ms|s|m|h) (default 5s)
+      --restart-max-attempts uint          Maximum number of restarts before giving up
+      --restart-window duration            Window used to evaluate the restart policy (ns|us|ms|s|m|h)
+      --rollback-delay duration            Delay between task rollbacks (ns|us|ms|s|m|h) (default 0s)
+      --rollback-failure-action string     Action on rollback failure ("pause"|"continue") (default "pause")
+      --rollback-max-failure-ratio float   Failure rate to tolerate during a rollback (default 0)
+      --rollback-monitor duration          Duration after each task rollback to monitor for failure (ns|us|ms|s|m|h) (default 5s)
+      --rollback-order string              Rollback order ("start-first"|"stop-first") (default "stop-first")
+      --rollback-parallelism uint          Maximum number of tasks rolled back simultaneously (0 to roll back all at once) (default 1)
+      --secret secret                      Specify secrets to expose to the service
+      --stop-grace-period duration         Time to wait before force killing a container (ns|us|ms|s|m|h) (default 10s)
+      --stop-signal string                 Signal to stop the container
+  -t, --tty                                Allocate a pseudo-TTY
+      --update-delay duration              Delay between updates (ns|us|ms|s|m|h) (default 0s)
+      --update-failure-action string       Action on update failure ("pause"|"continue"|"rollback") (default "pause")
+      --update-max-failure-ratio float     Failure rate to tolerate during an update (default 0)
+      --update-monitor duration            Duration after each task update to monitor for failure (ns|us|ms|s|m|h) (default 5s)
+      --update-order string                Update order ("start-first"|"stop-first") (default "stop-first")
+      --update-parallelism uint            Maximum number of tasks updated simultaneously (0 to update all at once) (default 1)
+  -u, --user string                        Username or UID (format: <name|uid>[:<group|gid>])
+      --with-registry-auth                 Send registry authentication details to swarm agents
+  -w, --workdir string                     Working directory inside the container
+```
+
+## Description
+
+Creates a service as described by the specified parameters. You must run this
+command on a manager node.
+
+## Examples
+
+### Create a service
+
+```bash
+$ docker service create --name redis redis:3.0.6
+
+dmu1ept4cxcfe8k8lhtux3ro3
+
+$ docker service create --mode global --name redis2 redis:3.0.6
+
+a8q9dasaafudfs8q8w32udass
+
+$ docker service ls
+
+ID            NAME    MODE        REPLICAS  IMAGE
+dmu1ept4cxcf  redis   replicated  1/1       redis:3.0.6
+a8q9dasaafud  redis2  global      1/1       redis:3.0.6
+```
+
+#### Create a service using an image on a private registry
+
+If your image is available on a private registry which requires login, use the
+`--with-registry-auth` flag with `docker service create`, after logging in. If
+your image is stored on `registry.example.com`, which is a private registry, use
+a command like the following:
+
+```bash
+$ docker login registry.example.com
+
+$ docker service  create \
+  --with-registry-auth \
+  --name my_service \
+  registry.example.com/acme/my_image:latest
+```
+
+This passes the login token from your local client to the swarm nodes where the
+service is deployed, using the encrypted WAL logs. With this information, the
+nodes are able to log into the registry and pull the image.
+
+### Create a service with 5 replica tasks (--replicas)
+
+Use the `--replicas` flag to set the number of replica tasks for a replicated
+service. The following command creates a `redis` service with `5` replica tasks:
+
+```bash
+$ docker service create --name redis --replicas=5 redis:3.0.6
+
+4cdgfyky7ozwh3htjfw0d12qv
+```
+
+The above command sets the *desired* number of tasks for the service. Even
+though the command returns immediately, actual scaling of the service may take
+some time. The `REPLICAS` column shows both the *actual* and *desired* number
+of replica tasks for the service.
+
+In the following example the desired state is  `5` replicas, but the current
+number of `RUNNING` tasks is `3`:
+
+```bash
+$ docker service ls
+
+ID            NAME   MODE        REPLICAS  IMAGE
+4cdgfyky7ozw  redis  replicated  3/5       redis:3.0.7
+```
+
+Once all the tasks are created and `RUNNING`, the actual number of tasks is
+equal to the desired number:
+
+```bash
+$ docker service ls
+
+ID            NAME   MODE        REPLICAS  IMAGE
+4cdgfyky7ozw  redis  replicated  5/5       redis:3.0.7
+```
+
+### Create a service with secrets
+
+Use the `--secret` flag to give a container access to a
+[secret](secret_create.md).
+
+Create a service specifying a secret:
+
+```bash
+$ docker service create --name redis --secret secret.json redis:3.0.6
+
+4cdgfyky7ozwh3htjfw0d12qv
+```
+
+Create a service specifying the secret, target, user/group ID, and mode:
+
+```bash
+$ docker service create --name redis \
+    --secret source=ssh-key,target=ssh \
+    --secret source=app-key,target=app,uid=1000,gid=1001,mode=0400 \
+    redis:3.0.6
+
+4cdgfyky7ozwh3htjfw0d12qv
+```
+
+To grant a service access to multiple secrets, use multiple `--secret` flags.
+
+Secrets are located in `/run/secrets` in the container.  If no target is
+specified, the name of the secret will be used as the in memory file in the
+container.  If a target is specified, that will be the filename.  In the
+example above, two files will be created: `/run/secrets/ssh` and
+`/run/secrets/app` for each of the secret targets specified.
+
+### Create a service with a rolling update policy
+
+```bash
+$ docker service create \
+  --replicas 10 \
+  --name redis \
+  --update-delay 10s \
+  --update-parallelism 2 \
+  redis:3.0.6
+```
+
+When you run a [service update](service_update.md), the scheduler updates a
+maximum of 2 tasks at a time, with `10s` between updates. For more information,
+refer to the [rolling updates
+tutorial](https://docs.docker.com/engine/swarm/swarm-tutorial/rolling-update/).
+
+### Set environment variables (-e, --env)
+
+This sets an environmental variable for all tasks in a service. For example:
+
+```bash
+$ docker service create \
+  --name redis_2 \
+  --replicas 5 \
+  --env MYVAR=foo \
+  redis:3.0.6
+```
+
+To specify multiple environment variables, specify multiple `--env` flags, each
+with a separate key-value pair.
+
+```bash
+$ docker service create \
+  --name redis_2 \
+  --replicas 5 \
+  --env MYVAR=foo \
+  --env MYVAR2=bar \
+  redis:3.0.6
+```
+
+### Create a service with specific hostname (--hostname)
+
+This option sets the docker service containers hostname to a specific string.
+For example:
+
+```bash
+$ docker service create --name redis --hostname myredis redis:3.0.6
+```
+
+### Set metadata on a service (-l, --label)
+
+A label is a `key=value` pair that applies metadata to a service. To label a
+service with two labels:
+
+```bash
+$ docker service create \
+  --name redis_2 \
+  --label com.example.foo="bar"
+  --label bar=baz \
+  redis:3.0.6
+```
+
+For more information about labels, refer to [apply custom
+metadata](https://docs.docker.com/engine/userguide/labels-custom-metadata/).
+
+### Add bind mounts, volumes or memory filesystems
+
+Docker supports three different kinds of mounts, which allow containers to read
+from or write to files or directories, either on the host operating system, or
+on memory filesystems. These types are _data volumes_ (often referred to simply
+as volumes), _bind mounts_, and _tmpfs_.
+
+A **bind mount** makes a file or directory on the host available to the
+container it is mounted within. A bind mount may be either read-only or
+read-write. For example, a container might share its host's DNS information by
+means of a bind mount of the host's `/etc/resolv.conf` or a container might
+write logs to its host's `/var/log/myContainerLogs` directory. If you use
+bind mounts and your host and containers have different notions of permissions,
+access controls, or other such details, you will run into portability issues.
+
+A **named volume** is a mechanism for decoupling persistent data needed by your
+container from the image used to create the container and from the host machine.
+Named volumes are created and managed by Docker, and a named volume persists
+even when no container is currently using it. Data in named volumes can be
+shared between a container and the host machine, as well as between multiple
+containers. Docker uses a _volume driver_ to create, manage, and mount volumes.
+You can back up or restore volumes using Docker commands.
+
+A **tmpfs** mounts a tmpfs inside a container for volatile data.
+
+Consider a situation where your image starts a lightweight web server. You could
+use that image as a base image, copy in your website's HTML files, and package
+that into another image. Each time your website changed, you'd need to update
+the new image and redeploy all of the containers serving your website. A better
+solution is to store the website in a named volume which is attached to each of
+your web server containers when they start. To update the website, you just
+update the named volume.
+
+For more information about named volumes, see
+[Data Volumes](https://docs.docker.com/engine/tutorials/dockervolumes/).
+
+The following table describes options which apply to both bind mounts and named
+volumes in a service:
+
+<table>
+  <tr>
+    <th>Option</th>
+    <th>Required</th>
+    <th>Description</th>
+  </tr>
+  <tr>
+    <td><b>types</b></td>
+    <td></td>
+    <td>
+      <p>The type of mount, can be either <tt>volume</tt>, <tt>bind</tt>, or <tt>tmpfs</tt>. Defaults to <tt>volume</tt> if no type is specified.
+      <ul>
+        <li><tt>volume</tt>: mounts a <a href="https://docs.docker.com/engine/reference/commandline/volume_create/">managed volume</a>
+        into the container.</li> <li><tt>bind</tt>:
+        bind-mounts a directory or file from the host into the container.</li>
+        <li><tt>tmpfs</tt>: mount a tmpfs in the container</li>
+      </ul></p>
+    </td>
+  </tr>
+  <tr>
+    <td><b>src</b> or <b>source</b></td>
+    <td>for <tt>type=bind</tt> only></td>
+    <td>
+      <ul>
+        <li>
+         <tt>type=volume</tt>: <tt>src</tt> is an optional way to specify the name of the volume (for example, <tt>src=my-volume</tt>).
+          If the named volume does not exist, it is automatically created. If no <tt>src</tt> is specified, the volume is
+          assigned a random name which is guaranteed to be unique on the host, but may not be unique cluster-wide.
+          A randomly-named volume has the same lifecycle as its container and is destroyed when the <i>container</i>
+          is destroyed (which is upon <tt>service update</tt>, or when scaling or re-balancing the service)
+        </li>
+        <li>
+          <tt>type=bind</tt>: <tt>src</tt> is required, and specifies an absolute path to the file or directory to bind-mount
+          (for example, <tt>src=/path/on/host/</tt>). An error is produced if the file or directory does not exist.
+        </li>
+        <li>
+          <tt>type=tmpfs</tt>: <tt>src</tt> is not supported.
+        </li>
+      </ul>
+    </td>
+  </tr>
+  <tr>
+    <td><p><b>dst</b> or <b>destination</b> or <b>target</b></p></td>
+    <td>yes</td>
+    <td>
+      <p>Mount path inside the container, for example <tt>/some/path/in/container/</tt>.
+      If the path does not exist in the container's filesystem, the Engine creates
+      a directory at the specified location before mounting the volume or bind mount.</p>
+    </td>
+  </tr>
+  <tr>
+    <td><p><b>readonly</b> or <b>ro</b></p></td>
+    <td></td>
+    <td>
+      <p>The Engine mounts binds and volumes <tt>read-write</tt> unless <tt>readonly</tt> option
+      is given when mounting the bind or volume.
+      <ul>
+        <li><tt>true</tt> or <tt>1</tt> or no value: Mounts the bind or volume read-only.</li>
+        <li><tt>false</tt> or <tt>0</tt>: Mounts the bind or volume read-write.</li>
+      </ul></p>
+    </td>
+  </tr>
+  <tr>
+    <td><b>consistency</b></td>
+    <td></td>
+    <td>
+      <p>The consistency requirements for the mount; one of
+         <ul>
+           <li><tt>default</tt>: Equivalent to <tt>consistent</tt>.</li>
+           <li><tt>consistent</tt>: Full consistency.  The container runtime and the host maintain an identical view of the mount at all times.</li>
+           <li><tt>cached</tt>: The host's view of the mount is authoritative.  There may be delays before updates made on the host are visible within a container.</li>
+           <li><tt>delegated</tt>: The container runtime's view of the mount is authoritative.  There may be delays before updates made in a container are visible on the host.</li>
+        </ul>
+     </p>
+    </td>
+  </tr>
+</table>
+
+#### Bind Propagation
+
+Bind propagation refers to whether or not mounts created within a given
+bind mount or named volume can be propagated to replicas of that mount. Consider
+a mount point `/mnt`, which is also mounted on `/tmp`. The propation settings
+control whether a mount on `/tmp/a` would also be available on `/mnt/a`. Each
+propagation setting has a recursive counterpoint. In the case of recursion,
+consider that `/tmp/a` is also mounted as `/foo`. The propagation settings
+control whether `/mnt/a` and/or `/tmp/a` would exist.
+
+The `bind-propagation` option defaults to `rprivate` for both bind mounts and
+volume mounts, and is only configurable for bind mounts. In other words, named
+volumes do not support bind propagation.
+
+- **`shared`**: Sub-mounts of the original mount are exposed to replica mounts,
+                and sub-mounts of replica mounts are also propagated to the
+                original mount.
+- **`slave`**: similar to a shared mount, but only in one direction. If the
+               original mount exposes a sub-mount, the replica mount can see it.
+               However, if the replica mount exposes a sub-mount, the original
+               mount cannot see it.
+- **`private`**: The mount is private. Sub-mounts within it are not exposed to
+                 replica mounts, and sub-mounts of replica mounts are not
+                 exposed to the original mount.
+- **`rshared`**: The same as shared, but the propagation also extends to and from
+                 mount points nested within any of the original or replica mount
+                 points.
+- **`rslave`**: The same as `slave`, but the propagation also extends to and from
+                 mount points nested within any of the original or replica mount
+                 points.
+- **`rprivate`**: The default. The same as `private`, meaning that no mount points
+                  anywhere within the original or replica mount points propagate
+                  in either direction.
+
+For more information about bind propagation, see the
+[Linux kernel documentation for shared subtree](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt).
+
+#### Options for Named Volumes
+
+The following options can only be used for named volumes (`type=volume`):
+
+
+<table>
+  <tr>
+    <th>Option</th>
+    <th>Description</th>
+  </tr>
+  <tr>
+    <td><b>volume-driver</b></td>
+    <td>
+      <p>Name of the volume-driver plugin to use for the volume. Defaults to
+      <tt>"local"</tt>, to use the local volume driver to create the volume if the
+      volume does not exist.</p>
+    </td>
+  </tr>
+  <tr>
+    <td><b>volume-label</b></td>
+    <td>
+      One or more custom metadata ("labels") to apply to the volume upon
+      creation. For example,
+      <tt>volume-label=mylabel=hello-world,my-other-label=hello-mars</tt>. For more
+      information about labels, refer to
+      <a href="https://docs.docker.com/engine/userguide/labels-custom-metadata/">apply custom metadata</a>.
+    </td>
+  </tr>
+  <tr>
+    <td><b>volume-nocopy</b></td>
+    <td>
+      By default, if you attach an empty volume to a container, and files or
+      directories already existed at the mount-path in the container (<tt>dst</tt>),
+      the Engine copies those files and directories into the volume, allowing
+      the host to access them. Set <tt>volume-nocopy</tt> to disable copying files
+      from the container's filesystem to the volume and mount the empty volume.<br />
+
+      A value is optional:
+
+      <ul>
+        <li><tt>true</tt> or <tt>1</tt>: Default if you do not provide a value. Disables copying.</li>
+        <li><tt>false</tt> or <tt>0</tt>: Enables copying.</li>
+      </ul>
+    </td>
+  </tr>
+  <tr>
+    <td><b>volume-opt</b></td>
+    <td>
+      Options specific to a given volume driver, which will be passed to the
+      driver when creating the volume. Options are provided as a comma-separated
+      list of key/value pairs, for example,
+      <tt>volume-opt=some-option=some-value,volume-opt=some-other-option=some-other-value</tt>.
+      For available options for a given driver, refer to that driver's
+      documentation.
+    </td>
+  </tr>
+</table>
+
+
+#### Options for tmpfs
+
+The following options can only be used for tmpfs mounts (`type=tmpfs`);
+
+
+<table>
+  <tr>
+    <th>Option</th>
+    <th>Description</th>
+  </tr>
+  <tr>
+    <td><b>tmpfs-size</b></td>
+    <td>Size of the tmpfs mount in bytes. Unlimited by default in Linux.</td>
+  </tr>
+  <tr>
+    <td><b>tmpfs-mode</b></td>
+    <td>File mode of the tmpfs in octal. (e.g. <tt>"700"</tt> or <tt>"0700"</tt>.) Defaults to <tt>"1777"</tt> in Linux.</td>
+  </tr>
+</table>
+
+
+#### Differences between "--mount" and "--volume"
+
+The `--mount` flag supports most options that are supported by the `-v`
+or `--volume` flag for `docker run`, with some important exceptions:
+
+- The `--mount` flag allows you to specify a volume driver and volume driver
+  options *per volume*, without creating the volumes in advance. In contrast,
+  `docker run` allows you to specify a single volume driver which is shared
+  by all volumes, using the `--volume-driver` flag.
+
+- The `--mount` flag allows you to specify custom metadata ("labels") for a volume,
+  before the volume is created.
+
+- When you use `--mount` with `type=bind`, the host-path must refer to an *existing*
+  path on the host. The path will not be created for you and the service will fail
+  with an error if the path does not exist.
+
+- The `--mount` flag does not allow you to relabel a volume with `Z` or `z` flags,
+  which are used for `selinux` labeling.
+
+#### Create a service using a named volume
+
+The following example creates a service that uses a named volume:
+
+```bash
+$ docker service create \
+  --name my-service \
+  --replicas 3 \
+  --mount type=volume,source=my-volume,destination=/path/in/container,volume-label="color=red",volume-label="shape=round" \
+  nginx:alpine
+```
+
+For each replica of the service, the engine requests a volume named "my-volume"
+from the default ("local") volume driver where the task is deployed. If the
+volume does not exist, the engine creates a new volume and applies the "color"
+and "shape" labels.
+
+When the task is started, the volume is mounted on `/path/in/container/` inside
+the container.
+
+Be aware that the default ("local") volume is a locally scoped volume driver.
+This means that depending on where a task is deployed, either that task gets a
+*new* volume named "my-volume", or shares the same "my-volume" with other tasks
+of the same service. Multiple containers writing to a single shared volume can
+cause data corruption if the software running inside the container is not
+designed to handle concurrent processes writing to the same location. Also take
+into account that containers can be re-scheduled by the Swarm orchestrator and
+be deployed on a different node.
+
+#### Create a service that uses an anonymous volume
+
+The following command creates a service with three replicas with an anonymous
+volume on `/path/in/container`:
+
+```bash
+$ docker service create \
+  --name my-service \
+  --replicas 3 \
+  --mount type=volume,destination=/path/in/container \
+  nginx:alpine
+```
+
+In this example, no name (`source`) is specified for the volume, so a new volume
+is created for each task. This guarantees that each task gets its own volume,
+and volumes are not shared between tasks. Anonymous volumes are removed after
+the task using them is complete.
+
+#### Create a service that uses a bind-mounted host directory
+
+The following example bind-mounts a host directory at `/path/in/container` in
+the containers backing the service:
+
+```bash
+$ docker service create \
+  --name my-service \
+  --mount type=bind,source=/path/on/host,destination=/path/in/container \
+  nginx:alpine
+```
+
+### Set service mode (--mode)
+
+The service mode determines whether this is a _replicated_ service or a _global_
+service. A replicated service runs as many tasks as specified, while a global
+service runs on each active node in the swarm.
+
+The following command creates a global service:
+
+```bash
+$ docker service create \
+ --name redis_2 \
+ --mode global \
+ redis:3.0.6
+```
+
+### Specify service constraints (--constraint)
+
+You can limit the set of nodes where a task can be scheduled by defining
+constraint expressions. Multiple constraints find nodes that satisfy every
+expression (AND match). Constraints can match node or Docker Engine labels as
+follows:
+
+
+<table>
+  <tr>
+    <th>node attribute</th>
+    <th>matches</th>
+    <th>example</th>
+  </tr>
+  <tr>
+    <td><tt>node.id</tt></td>
+    <td>Node ID</td>
+    <td><tt>node.id==2ivku8v2gvtg4</tt></td>
+  </tr>
+  <tr>
+    <td><tt>node.hostname</tt></td>
+    <td>Node hostname</td>
+    <td><tt>node.hostname!=node-2</tt></td>
+  </tr>
+  <tr>
+    <td><tt>node.role</tt></td>
+    <td>Node role</td>
+    <td><tt>node.role==manager</tt></td>
+  </tr>
+  <tr>
+    <td><tt>node.labels</tt></td>
+    <td>user defined node labels</td>
+    <td><tt>node.labels.security==high</tt></td>
+  </tr>
+  <tr>
+    <td><tt>engine.labels</tt></td>
+    <td>Docker Engine's labels</td>
+    <td><tt>engine.labels.operatingsystem==ubuntu 14.04</tt></td>
+  </tr>
+</table>
+
+
+`engine.labels` apply to Docker Engine labels like operating system,
+drivers, etc. Swarm administrators add `node.labels` for operational purposes by
+using the [`docker node update`](node_update.md) command.
+
+For example, the following limits tasks for the redis service to nodes where the
+node type label equals queue:
+
+```bash
+$ docker service create \
+  --name redis_2 \
+  --constraint 'node.labels.type == queue' \
+  redis:3.0.6
+```
+
+### Specify service placement preferences (--placement-pref)
+
+You can set up the service to divide tasks evenly over different categories of
+nodes. One example of where this can be useful is to balance tasks over a set
+of datacenters or availability zones. The example below illustrates this:
+
+```bash
+$ docker service create \
+  --replicas 9 \
+  --name redis_2 \
+  --placement-pref 'spread=node.labels.datacenter' \
+  redis:3.0.6
+```
+
+This uses `--placement-pref` with a `spread` strategy (currently the only
+supported strategy) to spread tasks evenly over the values of the `datacenter`
+node label. In this example, we assume that every node has a `datacenter` node
+label attached to it. If there are three different values of this label among
+nodes in the swarm, one third of the tasks will be placed on the nodes
+associated with each value. This is true even if there are more nodes with one
+value than another. For example, consider the following set of nodes:
+
+- Three nodes with `node.labels.datacenter=east`
+- Two nodes with `node.labels.datacenter=south`
+- One node with `node.labels.datacenter=west`
+
+Since we are spreading over the values of the `datacenter` label and the
+service has 9 replicas, 3 replicas will end up in each datacenter. There are
+three nodes associated with the value `east`, so each one will get one of the
+three replicas reserved for this value. There are two nodes with the value
+`south`, and the three replicas for this value will be divided between them,
+with one receiving two replicas and another receiving just one. Finally, `west`
+has a single node that will get all three replicas reserved for `west`.
+
+If the nodes in one category (for example, those with
+`node.labels.datacenter=south`) can't handle their fair share of tasks due to
+constraints or resource limitations, the extra tasks will be assigned to other
+nodes instead, if possible.
+
+Both engine labels and node labels are supported by placement preferences. The
+example above uses a node label, because the label is referenced with
+`node.labels.datacenter`. To spread over the values of an engine label, use
+`--placement-pref spread=engine.labels.<labelname>`.
+
+It is possible to add multiple placement preferences to a service. This
+establishes a hierarchy of preferences, so that tasks are first divided over
+one category, and then further divided over additional categories. One example
+of where this may be useful is dividing tasks fairly between datacenters, and
+then splitting the tasks within each datacenter over a choice of racks. To add
+multiple placement preferences, specify the `--placement-pref` flag multiple
+times. The order is significant, and the placement preferences will be applied
+in the order given when making scheduling decisions.
+
+The following example sets up a service with multiple placement preferences.
+Tasks are spread first over the various datacenters, and then over racks
+(as indicated by the respective labels):
+
+```bash
+$ docker service create \
+  --replicas 9 \
+  --name redis_2 \
+  --placement-pref 'spread=node.labels.datacenter' \
+  --placement-pref 'spread=node.labels.rack' \
+  redis:3.0.6
+```
+
+When updating a service with `docker service update`, `--placement-pref-add`
+appends a new placement preference after all existing placement preferences.
+`--placement-pref-rm` removes an existing placement preference that matches the
+argument.
+
+### Attach a service to an existing network (--network)
+
+You can use overlay networks to connect one or more services within the swarm.
+
+First, create an overlay network on a manager node the docker network create
+command:
+
+```bash
+$ docker network create --driver overlay my-network
+
+etjpu59cykrptrgw0z0hk5snf
+```
+
+After you create an overlay network in swarm mode, all manager nodes have
+access to the network.
+
+When you create a service and pass the `--network` flag to attach the service to
+the overlay network:
+
+```bash
+$ docker service create \
+  --replicas 3 \
+  --network my-network \
+  --name my-web \
+  nginx
+
+716thylsndqma81j6kkkb5aus
+```
+
+The swarm extends my-network to each node running the service.
+
+Containers on the same network can access each other using
+[service discovery](https://docs.docker.com/engine/swarm/networking/#use-swarm-mode-service-discovery).
+
+Long form syntax of `--network` allows to specify list of aliases and driver options:  
+`--network name=my-network,alias=web1,driver-opt=field1=value1`
+
+### Publish service ports externally to the swarm (-p, --publish)
+
+You can publish service ports to make them available externally to the swarm
+using the `--publish` flag. The `--publish` flag can take two different styles
+of arguments. The short version is positional, and allows you to specify the
+published port and target port separated by a colon.
+
+```bash
+$ docker service create --name my_web --replicas 3 --publish 8080:80 nginx
+```
+
+There is also a long format, which is easier to read and allows you to specify
+more options. The long format is preferred. You cannot specify the service's
+mode when using the short format. Here is an example of using the long format
+for the same service as above:
+
+```bash
+$ docker service create --name my_web --replicas 3 --publish published=8080,target=80 nginx
+```
+
+The options you can specify are:
+
+<table>
+<thead>
+<tr>
+  <th>Option</th>
+  <th>Short syntax</th>
+  <th>Long syntax</th>
+  <th>Description</th>
+</tr>
+</thead>
+<tr>
+  <td>published and target port</td>
+  <td><tt>--publish 8080:80</tt></td>
+  <td><tt>--publish published=8080,target=80</tt></td>
+  <td><p>
+    The target port within the container and the port to map it to on the
+    nodes, using the routing mesh (<tt>ingress</tt>) or host-level networking.
+    More options are available, later in this table. The key-value syntax is
+    preferred, because it is somewhat self-documenting.
+  </p></td>
+</tr>
+<tr>
+  <td>mode</td>
+  <td>Not possible to set using short syntax.</td>
+  <td><tt>--publish published=8080,target=80,mode=host</tt></td>
+  <td><p>
+    The mode to use for binding the port, either <tt>ingress</tt> or <tt>host</tt>.
+    Defaults to <tt>ingress</tt> to use the routing mesh.
+  </p></td>
+</tr>
+<tr>
+  <td>protocol</td>
+  <td><tt>--publish 8080:80/tcp</tt></td>
+  <td><tt>--publish published=8080,target=80,protocol=tcp</tt></td>
+  <td><p>
+    The protocol to use, <tt>tcp</tt> , <tt>udp</tt>, or <tt>sctp</tt>. Defaults to
+    <tt>tcp</tt>. To bind a port for both protocols, specify the <tt>-p</tt> or
+    <tt>--publish</tt> flag twice.
+  </p></td>
+</tr>
+</table>
+
+When you publish a service port using `ingress` mode, the swarm routing mesh
+makes the service accessible at the published port on every node regardless if
+there is a task for the service running on the node. If you use `host` mode,
+the port is only bound on nodes where the service is running, and a given port
+on a node can only be bound once. You can only set the publication mode using
+the long syntax. For more information refer to
+[Use swarm mode routing mesh](https://docs.docker.com/engine/swarm/ingress/).
+
+### Provide credential specs for managed service accounts (Windows only)
+
+This option is only used for services using Windows containers. The
+`--credential-spec` must be in the format `file://<filename>` or
+`registry://<value-name>`.
+
+When using the `file://<filename>` format, the referenced file must be
+present in the `CredentialSpecs` subdirectory in the docker data directory,
+which defaults to `C:\ProgramData\Docker\` on Windows. For example,
+specifying `file://spec.json` loads `C:\ProgramData\Docker\CredentialSpecs\spec.json`.
+
+When using the `registry://<value-name>` format, the credential spec is
+read from the Windows registry on the daemon's host. The specified
+registry value must be located in:
+
+    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Containers\CredentialSpecs
+
+
+### Create services using templates
+
+You can use templates for some flags of `service create`, using the syntax
+provided by the Go's [text/template](http://golang.org/pkg/text/template/) package.
+
+The supported flags are the following :
+
+- `--hostname`
+- `--mount`
+- `--env`
+
+Valid placeholders for the Go template are listed below:
+
+
+<table>
+  <tr>
+    <th>Placeholder</th>
+    <th>Description</th>
+  </tr>
+  <tr>
+    <td><tt>.Service.ID</tt></td>
+    <td>Service ID</td>
+  </tr>
+  <tr>
+    <td><tt>.Service.Name</tt></td>
+    <td>Service name</td>
+  </tr>
+  <tr>
+    <td><tt>.Service.Labels</tt></td>
+    <td>Service labels</td>
+  </tr>
+  <tr>
+    <td><tt>.Node.ID</tt></td>
+    <td>Node ID</td>
+  </tr>
+  <tr>
+    <td><tt>.Node.Hostname</tt></td>
+    <td>Node Hostname</td>
+  </tr>
+  <tr>
+    <td><tt>.Task.ID</tt></td>
+    <td>Task ID</td>
+  </tr>
+  <tr>
+    <td><tt>.Task.Name</tt></td>
+    <td>Task name</td>
+  </tr>
+  <tr>
+    <td><tt>.Task.Slot</tt></td>
+    <td>Task slot</td>
+  </tr>
+</table>
+
+
+#### Template example
+
+In this example, we are going to set the template of the created containers based on the
+service's name, the node's ID and hostname where it sits.
+
+```bash
+$ docker service create --name hosttempl \
+                        --hostname="{{.Node.Hostname}}-{{.Node.ID}}-{{.Service.Name}}"\
+                         busybox top
+
+va8ew30grofhjoychbr6iot8c
+
+$ docker service ps va8ew30grofhjoychbr6iot8c
+
+ID            NAME         IMAGE                                                                                   NODE          DESIRED STATE  CURRENT STATE               ERROR  PORTS
+wo41w8hg8qan  hosttempl.1  busybox:latest@sha256:29f5d56d12684887bdfa50dcd29fc31eea4aaf4ad3bec43daf19026a7ce69912  2e7a8a9c4da2  Running        Running about a minute ago
+
+$ docker inspect --format="{{.Config.Hostname}}" 2e7a8a9c4da2-wo41w8hg8qanxwjwsg4kxpprj-hosttempl
+
+x3ti0erg11rjpg64m75kej2mz-hosttempl
+```
+
+### Specify isolation mode (Windows)
+
+By default, tasks scheduled on Windows nodes are run using the default isolation mode
+configured for this particular node. To force a specific isolation mode, you can use
+the `--isolation` flag:
+
+```bash
+$ docker service create --name myservice --isolation=process microsoft/nanoserver
+```
+
+Supported isolation modes on Windows are:
+- `default`: use default settings specified on the node running the task
+- `process`: use process isolation (Windows server only)
+- `hyperv`: use Hyper-V isolation
+
+### Create services requesting Generic Resources
+
+You can narrow the kind of nodes your task can land on through the using the
+`--generic-resource` flag (if the nodes advertise these resources):
+
+```bash
+$ docker service create --name cuda \
+                        --generic-resource "NVIDIA-GPU=2" \
+                        --generic-resource "SSD=1" \
+                        nvidia/cuda
+```
+
+## Related commands
+
+* [service inspect](service_inspect.md)
+* [service logs](service_logs.md)
+* [service ls](service_ls.md)
+* [service ps](service_ps.md)
+* [service rm](service_rm.md)
+* [service rollback](service_rollback.md)
+* [service scale](service_scale.md)
+* [service update](service_update.md)
+
+<style>table tr > td:first-child { white-space: nowrap;}</style>
diff --git a/cli/docs/reference/commandline/service_inspect.md b/cli/docs/reference/commandline/service_inspect.md
new file mode 100644
index 00000000..1149b7dd
--- /dev/null
+++ b/cli/docs/reference/commandline/service_inspect.md
@@ -0,0 +1,171 @@
+---
+title: "service inspect"
+description: "The service inspect command description and usage"
+keywords: "service, inspect"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# service inspect
+
+```Markdown
+Usage:  docker service inspect [OPTIONS] SERVICE [SERVICE...]
+
+Display detailed information on one or more services
+
+Options:
+  -f, --format string   Format the output using the given Go template
+      --help            Print usage
+      --pretty          Print the information in a human friendly format
+```
+
+## Description
+
+Inspects the specified service. This command has to be run targeting a manager
+node.
+
+By default, this renders all results in a JSON array. If a format is specified,
+the given template will be executed for each result.
+
+Go's [text/template](http://golang.org/pkg/text/template/) package
+describes all the details of the format.
+
+## Examples
+
+### Inspect a service by name or ID
+
+You can inspect a service, either by its *name*, or *ID*
+
+For example, given the following service;
+
+```bash
+$ docker service ls
+ID            NAME   MODE        REPLICAS  IMAGE
+dmu1ept4cxcf  redis  replicated  3/3       redis:3.0.6
+```
+
+Both `docker service inspect redis`, and `docker service inspect dmu1ept4cxcf`
+produce the same result:
+
+```none
+$ docker service inspect redis
+
+[
+    {
+        "ID": "dmu1ept4cxcfe8k8lhtux3ro3",
+        "Version": {
+            "Index": 12
+        },
+        "CreatedAt": "2016-06-17T18:44:02.558012087Z",
+        "UpdatedAt": "2016-06-17T18:44:02.558012087Z",
+        "Spec": {
+            "Name": "redis",
+            "TaskTemplate": {
+                "ContainerSpec": {
+                    "Image": "redis:3.0.6"
+                },
+                "Resources": {
+                    "Limits": {},
+                    "Reservations": {}
+                },
+                "RestartPolicy": {
+                    "Condition": "any",
+                    "MaxAttempts": 0
+                },
+                "Placement": {}
+            },
+            "Mode": {
+                "Replicated": {
+                    "Replicas": 1
+                }
+            },
+            "UpdateConfig": {},
+            "EndpointSpec": {
+                "Mode": "vip"
+            }
+        },
+        "Endpoint": {
+            "Spec": {}
+        }
+    }
+]
+```
+
+```bash
+$ docker service inspect dmu1ept4cxcf
+
+[
+    {
+        "ID": "dmu1ept4cxcfe8k8lhtux3ro3",
+        "Version": {
+            "Index": 12
+        },
+        ...
+    }
+]
+```
+
+### Formatting
+
+You can print the inspect output in a human-readable format instead of the default
+JSON output, by using the `--pretty` option:
+
+```bash
+$ docker service inspect --pretty frontend
+
+ID:		c8wgl7q4ndfd52ni6qftkvnnp
+Name:		frontend
+Labels:
+ - org.example.projectname=demo-app
+Service Mode:	REPLICATED
+ Replicas:		5
+Placement:
+UpdateConfig:
+ Parallelism:	0
+ On failure:	pause
+ Max failure ratio:	0
+ContainerSpec:
+ Image:		nginx:alpine
+Resources:
+Networks:	net1
+Endpoint Mode:  vip
+Ports:
+ PublishedPort = 4443
+  Protocol = tcp
+  TargetPort = 443
+  PublishMode = ingress
+```
+
+You can also use `--format pretty` for the same effect.
+
+
+#### Find the number of tasks running as part of a service
+
+The `--format` option can be used to obtain specific information about a
+service. For example, the following command outputs the number of replicas
+of the "redis" service.
+
+```bash
+$ docker service inspect --format='{{.Spec.Mode.Replicated.Replicas}}' redis
+
+10
+```
+
+
+## Related commands
+
+* [service create](service_create.md)
+* [service logs](service_logs.md)
+* [service ls](service_ls.md)
+* [service ps](service_ps.md)
+* [service rm](service_rm.md)
+* [service rollback](service_rollback.md)
+* [service scale](service_scale.md)
+* [service update](service_update.md)
diff --git a/cli/docs/reference/commandline/service_logs.md b/cli/docs/reference/commandline/service_logs.md
new file mode 100644
index 00000000..560090a1
--- /dev/null
+++ b/cli/docs/reference/commandline/service_logs.md
@@ -0,0 +1,86 @@
+---
+title: "service logs"
+description: "The service logs command description and usage"
+keywords: "service, task, logs"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# service logs
+
+```Markdown
+Usage:  docker service logs [OPTIONS] SERVICE|TASK
+
+Fetch the logs of a service or task
+
+Options:
+  -f, --follow         Follow log output
+      --help           Print usage
+      --no-resolve     Do not map IDs to Names in output
+      --no-task-ids    Do not include task IDs in output
+      --no-trunc        Do not truncate output
+      --since string   Show logs since timestamp
+      --tail string    Number of lines to show from the end of the logs (default "all")
+  -t, --timestamps     Show timestamps
+```
+
+## Description
+
+The `docker service logs` command batch-retrieves logs present at the time of execution.
+
+The `docker service logs` command can be used with either the name or ID of a
+service, or with the ID of a task. If a service is passed, it will display logs
+for all of the containers in that service. If a task is passed, it will only
+display logs from that particular task.
+
+> **Note**: This command is only functional for services that are started with
+> the `json-file` or `journald` logging driver.
+
+For more information about selecting and configuring logging drivers, refer to
+[Configure logging drivers](https://docs.docker.com/engine/admin/logging/overview/).
+
+The `docker service logs --follow` command will continue streaming the new output from
+the service's `STDOUT` and `STDERR`.
+
+Passing a negative number or a non-integer to `--tail` is invalid and the
+value is set to `all` in that case.
+
+The `docker service logs --timestamps` command will add an [RFC3339Nano timestamp](https://golang.org/pkg/time/#pkg-constants)
+, for example `2014-09-16T06:17:46.000000000Z`, to each
+log entry. To ensure that the timestamps are aligned the
+nano-second part of the timestamp will be padded with zero when necessary.
+
+The `docker service logs --details` command will add on extra attributes, such as
+environment variables and labels, provided to `--log-opt` when creating the
+service.
+
+The `--since` option shows only the service logs generated after
+a given date. You can specify the date as an RFC 3339 date, a UNIX
+timestamp, or a Go duration string (e.g. `1m30s`, `3h`). Besides RFC3339 date
+format you may also use RFC3339Nano, `2006-01-02T15:04:05`,
+`2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
+timezone on the client will be used if you do not provide either a `Z` or a
+`+-00:00` timezone offset at the end of the timestamp. When providing Unix
+timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
+that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
+seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
+fraction of a second no more than nine digits long. You can combine the
+`--since` option with either or both of the `--follow` or `--tail` options.
+
+## Related commands
+
+* [service create](service_create.md)
+* [service inspect](service_inspect.md)
+* [service ls](service_ls.md)
+* [service ps](service_ps.md)
+* [service rm](service_rm.md)
+* [service rollback](service_rollback.md)
+* [service scale](service_scale.md)
+* [service update](service_update.md)
diff --git a/cli/docs/reference/commandline/service_ls.md b/cli/docs/reference/commandline/service_ls.md
new file mode 100644
index 00000000..95346759
--- /dev/null
+++ b/cli/docs/reference/commandline/service_ls.md
@@ -0,0 +1,165 @@
+---
+title: "service ls"
+description: "The service ls command description and usage"
+keywords: "service, ls"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# service ls
+
+```Markdown
+Usage:	docker service ls [OPTIONS]
+
+List services
+
+Aliases:
+  ls, list
+
+Options:
+  -f, --filter filter   Filter output based on conditions provided
+      --format string   Pretty-print services using a Go template
+      --help            Print usage
+  -q, --quiet           Only display IDs
+```
+
+## Description
+
+This command when run targeting a manager, lists services are running in the
+swarm.
+
+## Examples
+
+On a manager node:
+
+```bash
+$ docker service ls
+
+ID            NAME      MODE        REPLICAS    IMAGE
+c8wgl7q4ndfd  frontend  replicated  5/5         nginx:alpine
+dmu1ept4cxcf  redis     replicated  3/3         redis:3.0.6
+iwe3278osahj  mongo     global      7/7         mongo:3.3
+```
+
+The `REPLICAS` column shows both the *actual* and *desired* number of tasks for
+the service.
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* [id](service_ls.md#id)
+* [label](service_ls.md#label)
+* [mode](service_ls.md#mode)
+* [name](service_ls.md#name)
+
+#### id
+
+The `id` filter matches all or part of a service's id.
+
+```bash
+$ docker service ls -f "id=0bcjw"
+ID            NAME   MODE        REPLICAS  IMAGE
+0bcjwfh8ychr  redis  replicated  1/1       redis:3.0.6
+```
+
+#### label
+
+The `label` filter matches services based on the presence of a `label` alone or
+a `label` and a value.
+
+The following filter matches all services with a `project` label regardless of
+its value:
+
+```bash
+$ docker service ls --filter label=project
+ID            NAME       MODE        REPLICAS  IMAGE
+01sl1rp6nj5u  frontend2  replicated  1/1       nginx:alpine
+36xvvwwauej0  frontend   replicated  5/5       nginx:alpine
+74nzcxxjv6fq  backend    replicated  3/3       redis:3.0.6
+```
+
+The following filter matches only services with the `project` label with the
+`project-a` value.
+
+```bash
+$ docker service ls --filter label=project=project-a
+ID            NAME      MODE        REPLICAS  IMAGE
+36xvvwwauej0  frontend  replicated  5/5       nginx:alpine
+74nzcxxjv6fq  backend   replicated  3/3       redis:3.0.6
+```
+
+#### mode
+
+The `mode` filter matches on the mode (either `replicated` or `global`) of a service.
+
+The following filter matches only `global` services.
+
+```bash
+$ docker service ls --filter mode=global
+ID                  NAME                MODE                REPLICAS            IMAGE
+w7y0v2yrn620        top                 global              1/1                 busybox
+```
+
+#### name
+
+The `name` filter matches on all or part of a service's name.
+
+The following filter matches services with a name containing `redis`.
+
+```bash
+$ docker service ls --filter name=redis
+ID            NAME   MODE        REPLICAS  IMAGE
+0bcjwfh8ychr  redis  replicated  1/1       redis:3.0.6
+```
+
+### Formatting
+
+The formatting options (`--format`) pretty-prints services output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+Placeholder | Description
+------------|------------------------------------------------------------------------------------------
+`.ID`       | Service ID
+`.Name`     | Service name
+`.Mode`     | Service mode (replicated, global)
+`.Replicas` | Service replicas
+`.Image`    | Service image
+`.Ports`    | Service ports published in ingress mode
+
+When using the `--format` option, the `service ls` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`ID`, `Mode`, and `Replicas` entries separated by a colon for all services:
+
+```bash
+$ docker service ls --format "{{.ID}}: {{.Mode}} {{.Replicas}}"
+
+0zmvwuiu3vue: replicated 10/10
+fm6uf97exkul: global 5/5
+```
+
+## Related commands
+
+* [service create](service_create.md)
+* [service inspect](service_inspect.md)
+* [service logs](service_logs.md)
+* [service ps](service_ps.md)
+* [service rm](service_rm.md)
+* [service rollback](service_rollback.md)
+* [service scale](service_scale.md)
+* [service update](service_update.md)
diff --git a/cli/docs/reference/commandline/service_ps.md b/cli/docs/reference/commandline/service_ps.md
new file mode 100644
index 00000000..4a9ebc44
--- /dev/null
+++ b/cli/docs/reference/commandline/service_ps.md
@@ -0,0 +1,195 @@
+---
+title: "service ps"
+description: "The service ps command description and usage"
+keywords: "service, tasks, ps"
+aliases: ["/engine/reference/commandline/service_tasks/"]
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# service ps
+
+```Markdown
+Usage:  docker service ps [OPTIONS] SERVICE [SERVICE...]
+
+List the tasks of one or more services
+
+Options:
+  -f, --filter filter   Filter output based on conditions provided
+      --format string   Pretty-print tasks using a Go template
+      --help            Print usage
+      --no-resolve      Do not map IDs to Names
+      --no-trunc        Do not truncate output
+  -q, --quiet           Only display task IDs
+```
+
+## Description
+
+Lists the tasks that are running as part of the specified services. This command
+has to be run targeting a manager node.
+
+## Examples
+
+### List the tasks that are part of a service
+
+The following command shows all the tasks that are part of the `redis` service:
+
+```bash
+$ docker service ps redis
+
+ID             NAME      IMAGE        NODE      DESIRED STATE  CURRENT STATE          ERROR  PORTS
+0qihejybwf1x   redis.1   redis:3.0.5  manager1  Running        Running 8 seconds
+bk658fpbex0d   redis.2   redis:3.0.5  worker2   Running        Running 9 seconds
+5ls5s5fldaqg   redis.3   redis:3.0.5  worker1   Running        Running 9 seconds
+8ryt076polmc   redis.4   redis:3.0.5  worker1   Running        Running 9 seconds
+1x0v8yomsncd   redis.5   redis:3.0.5  manager1  Running        Running 8 seconds
+71v7je3el7rr   redis.6   redis:3.0.5  worker2   Running        Running 9 seconds
+4l3zm9b7tfr7   redis.7   redis:3.0.5  worker2   Running        Running 9 seconds
+9tfpyixiy2i7   redis.8   redis:3.0.5  worker1   Running        Running 9 seconds
+3w1wu13yupln   redis.9   redis:3.0.5  manager1  Running        Running 8 seconds
+8eaxrb2fqpbn   redis.10  redis:3.0.5  manager1  Running        Running 8 seconds
+```
+
+In addition to _running_ tasks, the output also shows the task history. For
+example, after updating the service to use the `redis:3.0.6` image, the output
+may look like this:
+
+```bash
+$ docker service ps redis
+
+ID            NAME         IMAGE        NODE      DESIRED STATE  CURRENT STATE                   ERROR  PORTS
+50qe8lfnxaxk  redis.1      redis:3.0.6  manager1  Running        Running 6 seconds ago
+ky2re9oz86r9   \_ redis.1  redis:3.0.5  manager1  Shutdown       Shutdown 8 seconds ago
+3s46te2nzl4i  redis.2      redis:3.0.6  worker2   Running        Running less than a second ago
+nvjljf7rmor4   \_ redis.2  redis:3.0.6  worker2   Shutdown       Rejected 23 seconds ago        "No such image: redis@sha256:6…"
+vtiuz2fpc0yb   \_ redis.2  redis:3.0.5  worker2   Shutdown       Shutdown 1 second ago
+jnarweeha8x4  redis.3      redis:3.0.6  worker1   Running        Running 3 seconds ago
+vs448yca2nz4   \_ redis.3  redis:3.0.5  worker1   Shutdown       Shutdown 4 seconds ago
+jf1i992619ir  redis.4      redis:3.0.6  worker1   Running        Running 10 seconds ago
+blkttv7zs8ee   \_ redis.4  redis:3.0.5  worker1   Shutdown       Shutdown 11 seconds ago
+```
+
+The number of items in the task history is determined by the
+`--task-history-limit` option that was set when initializing the swarm. You can
+change the task history retention limit using the
+[`docker swarm update`](swarm_update.md) command.
+
+When deploying a service, docker resolves the digest for the service's
+image, and pins the service to that digest. The digest is not shown by
+default, but is printed if `--no-trunc` is used. The `--no-trunc` option
+also shows the non-truncated task ID, and error-messages, as can be seen below;
+
+```bash
+$ docker service ps --no-trunc redis
+
+ID                          NAME         IMAGE                                                                                NODE      DESIRED STATE  CURRENT STATE            ERROR                                                                                           PORTS
+50qe8lfnxaxksi9w2a704wkp7   redis.1      redis:3.0.6@sha256:6a692a76c2081888b589e26e6ec835743119fe453d67ecf03df7de5b73d69842  manager1  Running        Running 5 minutes ago
+ky2re9oz86r9556i2szb8a8af   \_ redis.1   redis:3.0.5@sha256:f8829e00d95672c48c60f468329d6693c4bdd28d1f057e755f8ba8b40008682e  worker2   Shutdown       Shutdown 5 minutes ago
+bk658fpbex0d57cqcwoe3jthu   redis.2      redis:3.0.6@sha256:6a692a76c2081888b589e26e6ec835743119fe453d67ecf03df7de5b73d69842  worker2   Running        Running 5 seconds
+nvjljf7rmor4htv7l8rwcx7i7   \_ redis.2   redis:3.0.6@sha256:6a692a76c2081888b589e26e6ec835743119fe453d67ecf03df7de5b73d69842  worker2   Shutdown       Rejected 5 minutes ago   "No such image: redis@sha256:6a692a76c2081888b589e26e6ec835743119fe453d67ecf03df7de5b73d69842"
+```
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there
+is more than one filter, then pass multiple flags (e.g. `--filter "foo=bar" --filter "bif=baz"`).
+Multiple filter flags are combined as an `OR` filter. For example,
+`-f name=redis.1 -f name=redis.7` returns both `redis.1` and `redis.7` tasks.
+
+The currently supported filters are:
+
+* [id](#id)
+* [name](#name)
+* [node](#node)
+* [desired-state](#desired-state)
+
+
+#### id
+
+The `id` filter matches on all or a prefix of a task's ID.
+
+```bash
+$ docker service ps -f "id=8" redis
+
+ID             NAME      IMAGE        NODE      DESIRED STATE  CURRENT STATE      ERROR  PORTS
+8ryt076polmc   redis.4   redis:3.0.6  worker1   Running        Running 9 seconds
+8eaxrb2fqpbn   redis.10  redis:3.0.6  manager1  Running        Running 8 seconds
+```
+
+#### name
+
+The `name` filter matches on task names.
+
+```bash
+$ docker service ps -f "name=redis.1" redis
+ID            NAME     IMAGE        NODE      DESIRED STATE  CURRENT STATE      ERROR  PORTS
+qihejybwf1x5  redis.1  redis:3.0.6  manager1  Running        Running 8 seconds
+```
+
+
+#### node
+
+The `node` filter matches on a node name or a node ID.
+
+```bash
+$ docker service ps -f "node=manager1" redis
+ID            NAME      IMAGE        NODE      DESIRED STATE  CURRENT STATE      ERROR  PORTS
+0qihejybwf1x  redis.1   redis:3.0.6  manager1  Running        Running 8 seconds
+1x0v8yomsncd  redis.5   redis:3.0.6  manager1  Running        Running 8 seconds
+3w1wu13yupln  redis.9   redis:3.0.6  manager1  Running        Running 8 seconds
+8eaxrb2fqpbn  redis.10  redis:3.0.6  manager1  Running        Running 8 seconds
+```
+
+#### desired-state
+
+The `desired-state` filter can take the values `running`, `shutdown`, or `accepted`.
+
+### Formatting
+
+The formatting options (`--format`) pretty-prints tasks output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+Placeholder     | Description
+----------------|------------------------------------------------------------------------------------------
+`.ID`           | Task ID
+`.Name`         | Task name
+`.Image`        | Task image
+`.Node`         | Node ID
+`.DesiredState` | Desired state of the task (`running`, `shutdown`, or `accepted`)
+`.CurrentState` | Current state of the task
+`.Error`        | Error
+`.Ports`        | Task published ports
+
+When using the `--format` option, the `service ps` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`Name` and `Image` entries separated by a colon for all tasks:
+
+```bash
+$ docker service ps --format "{{.Name}}: {{.Image}}" top
+top.1: busybox
+top.2: busybox
+top.3: busybox
+```
+
+## Related commands
+
+* [service create](service_create.md)
+* [service inspect](service_inspect.md)
+* [service logs](service_logs.md)
+* [service ls](service_ls.md)
+* [service rm](service_rm.md)
+* [service rollback](service_rollback.md)
+* [service scale](service_scale.md)
+* [service update](service_update.md)
diff --git a/cli/docs/reference/commandline/service_rm.md b/cli/docs/reference/commandline/service_rm.md
new file mode 100644
index 00000000..a5d5d524
--- /dev/null
+++ b/cli/docs/reference/commandline/service_rm.md
@@ -0,0 +1,61 @@
+---
+title: "service rm"
+description: "The service rm command description and usage"
+keywords: "service, rm"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# service rm
+
+```Markdown
+Usage:	docker service rm SERVICE [SERVICE...]
+
+Remove one or more services
+
+Aliases:
+  rm, remove
+
+Options:
+      --help   Print usage
+```
+
+## Description
+
+Removes the specified services from the swarm. This command has to be run
+targeting a manager node.
+
+## Examples
+
+Remove the `redis` service:
+
+```bash
+$ docker service rm redis
+
+redis
+
+$ docker service ls
+
+ID  NAME  MODE  REPLICAS  IMAGE
+```
+
+> **Warning**: Unlike `docker rm`, this command does not ask for confirmation
+> before removing a running service.
+
+## Related commands
+
+* [service create](service_create.md)
+* [service inspect](service_inspect.md)
+* [service logs](service_logs.md)
+* [service ls](service_ls.md)
+* [service ps](service_ps.md)
+* [service rollback](service_rollback.md)
+* [service scale](service_scale.md)
+* [service update](service_update.md)
diff --git a/cli/docs/reference/commandline/service_rollback.md b/cli/docs/reference/commandline/service_rollback.md
new file mode 100644
index 00000000..927fd4ac
--- /dev/null
+++ b/cli/docs/reference/commandline/service_rollback.md
@@ -0,0 +1,94 @@
+---
+title: "service rollback"
+description: "The service rollback command description and usage"
+keywords: "service, rollback"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# service rollback
+
+```markdown
+Usage:	docker service rollback SERVICE
+
+Revert changes to a service's configuration
+
+Options:
+  -d, --detach       Exit immediately instead of waiting for the service to converge (default true)
+      --help         Print usage
+  -q, --quiet        Suppress progress output
+```
+
+## Description
+
+Roll back a specified service to its previous version from the swarm. This command must be run
+targeting a manager node.
+
+## Examples
+
+### Roll back to the previous version of a service
+
+Use the `docker service rollback` command to roll back to the previous version
+of a service. After executing this command, the service is reverted to the
+configuration that was in place before the most recent `docker service update`
+command.
+
+The following example creates a service with a single replica, updates the
+service to use three replicas, and then rolls back the service to the
+previous version, having one replica.
+
+Create a service with a single replica:
+
+```bash
+$ docker service create --name my-service -p 8080:80 nginx:alpine
+```
+
+Confirm that the service is running with a single replica:
+
+```bash
+$ docker service ls
+
+ID                  NAME                MODE                REPLICAS            IMAGE               PORTS
+xbw728mf6q0d        my-service          replicated          1/1                 nginx:alpine        *:8080->80/tcp
+```
+
+Update the service to use three replicas:
+
+```bash
+$ docker service update --replicas=3 my-service
+
+$ docker service ls
+
+ID                  NAME                MODE                REPLICAS            IMAGE               PORTS
+xbw728mf6q0d        my-service          replicated          3/3                 nginx:alpine        *:8080->80/tcp
+```
+
+Now roll back the service to its previous version, and confirm it is
+running a single replica again:
+
+```bash
+$ docker service rollback my-service
+
+$ docker service ls
+
+ID                  NAME                MODE                REPLICAS            IMAGE               PORTS
+xbw728mf6q0d        my-service          replicated          1/1                 nginx:alpine        *:8080->80/tcp
+```
+
+## Related commands
+
+* [service create](service_create.md)
+* [service inspect](service_inspect.md)
+* [service logs](service_logs.md)
+* [service ls](service_ls.md)
+* [service ps](service_ps.md)
+* [service rm](service_rm.md)
+* [service scale](service_scale.md)
+* [service update](service_update.md)
diff --git a/cli/docs/reference/commandline/service_scale.md b/cli/docs/reference/commandline/service_scale.md
new file mode 100644
index 00000000..1cd51241
--- /dev/null
+++ b/cli/docs/reference/commandline/service_scale.md
@@ -0,0 +1,106 @@
+---
+title: "service scale"
+description: "The service scale command description and usage"
+keywords: "service, scale"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# service scale
+
+```markdown
+Usage:  docker service scale [OPTIONS] SERVICE=REPLICAS [SERVICE=REPLICAS...]
+
+Scale one or multiple replicated services
+
+Options:
+  -d, --detach                             Exit immediately instead of waiting for the service to converge (default true)
+      --help   Print usage
+```
+
+## Description
+
+The scale command enables you to scale one or more replicated services either up
+or down to the desired number of replicas. This command cannot be applied on
+services which are global mode. The command will return immediately, but the
+actual scaling of the service may take some time. To stop all replicas of a
+service while keeping the service active in the swarm you can set the scale to 0.
+
+## Examples
+
+### Scale a single service
+
+The following command scales the "frontend" service to 50 tasks.
+
+```bash
+$ docker service scale frontend=50
+
+frontend scaled to 50
+```
+
+The following command tries to scale a global service to 10 tasks and returns an error.
+
+```bash
+$ docker service create --mode global --name backend backend:latest
+
+b4g08uwuairexjub6ome6usqh
+
+$ docker service scale backend=10
+
+backend: scale can only be used with replicated mode
+```
+
+Directly afterwards, run `docker service ls`, to see the actual number of
+replicas.
+
+```bash
+$ docker service ls --filter name=frontend
+
+ID            NAME      MODE        REPLICAS  IMAGE
+3pr5mlvu3fh9  frontend  replicated  15/50     nginx:alpine
+```
+
+You can also scale a service using the [`docker service update`](service_update.md)
+command. The following commands are equivalent:
+
+```bash
+$ docker service scale frontend=50
+$ docker service update --replicas=50 frontend
+```
+
+### Scale multiple services
+
+The `docker service scale` command allows you to set the desired number of
+tasks for multiple services at once. The following example scales both the
+backend and frontend services:
+
+```bash
+$ docker service scale backend=3 frontend=5
+
+backend scaled to 3
+frontend scaled to 5
+
+$ docker service ls
+
+ID            NAME      MODE        REPLICAS  IMAGE
+3pr5mlvu3fh9  frontend  replicated  5/5       nginx:alpine
+74nzcxxjv6fq  backend   replicated  3/3       redis:3.0.6
+```
+
+## Related commands
+
+* [service create](service_create.md)
+* [service inspect](service_inspect.md)
+* [service logs](service_logs.md)
+* [service ls](service_ls.md)
+* [service rm](service_rm.md)
+* [service rollback](service_rollback.md)
+* [service ps](service_ps.md)
+* [service update](service_update.md)
diff --git a/cli/docs/reference/commandline/service_update.md b/cli/docs/reference/commandline/service_update.md
new file mode 100644
index 00000000..f3d70495
--- /dev/null
+++ b/cli/docs/reference/commandline/service_update.md
@@ -0,0 +1,311 @@
+---
+title: "service update"
+description: "The service update command description and usage"
+keywords: "service, update"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# service update
+
+```Markdown
+Usage:  docker service update [OPTIONS] SERVICE
+
+Update a service
+
+Options:
+      --args command                       Service command args
+      --config-add config                  Add or update a config file on a service
+      --config-rm list                     Remove a configuration file
+      --constraint-add list                Add or update a placement constraint
+      --constraint-rm list                 Remove a constraint
+      --container-label-add list           Add or update a container label
+      --container-label-rm list            Remove a container label by its key
+      --credential-spec credential-spec    Credential spec for managed service account (Windows only)
+  -d, --detach                             Exit immediately instead of waiting for the service to converge (default true)
+      --dns-add list                       Add or update a custom DNS server
+      --dns-option-add list                Add or update a DNS option
+      --dns-option-rm list                 Remove a DNS option
+      --dns-rm list                        Remove a custom DNS server
+      --dns-search-add list                Add or update a custom DNS search domain
+      --dns-search-rm list                 Remove a DNS search domain
+      --endpoint-mode string               Endpoint mode (vip or dnsrr)
+      --entrypoint command                 Overwrite the default ENTRYPOINT of the image
+      --env-add list                       Add or update an environment variable
+      --env-rm list                        Remove an environment variable
+      --force                              Force update even if no changes require it
+      --generic-resource-add list          Add an additional generic resource to the service's resources requirements
+      --generic-resource-rm list           Remove a previously added generic resource to the service's resources requirements
+      --group-add list                     Add an additional supplementary user group to the container
+      --group-rm list                      Remove a previously added supplementary user group from the container
+      --health-cmd string                  Command to run to check health
+      --health-interval duration           Time between running the check (ms|s|m|h)
+      --health-retries int                 Consecutive failures needed to report unhealthy
+      --health-start-period duration       Start period for the container to initialize before counting retries towards unstable (ms|s|m|h)
+      --health-timeout duration            Maximum time to allow one check to run (ms|s|m|h)
+      --help                               Print usage
+      --host-add list                      Add a custom host-to-IP mapping (host:ip)
+      --host-rm list                       Remove a custom host-to-IP mapping (host:ip)
+      --hostname string                    Container hostname
+      --init bool                          Use an init inside each service container to forward signals and reap processes
+      --image string                       Service image tag
+      --isolation string                   Service container isolation mode
+      --label-add list                     Add or update a service label
+      --label-rm list                      Remove a label by its key
+      --limit-cpu decimal                  Limit CPUs
+      --limit-memory bytes                 Limit Memory
+      --log-driver string                  Logging driver for service
+      --log-opt list                       Logging driver options
+      --mount-add mount                    Add or update a mount on a service
+      --mount-rm list                      Remove a mount by its target path
+      --network-add network                Add a network
+      --network-rm list                    Remove a network
+      --no-healthcheck                     Disable any container-specified HEALTHCHECK
+      --no-resolve-image                   Do not query the registry to resolve image digest and supported platforms
+      --placement-pref-add pref            Add a placement preference
+      --placement-pref-rm pref             Remove a placement preference
+      --publish-add port                   Add or update a published port
+      --publish-rm port                    Remove a published port by its target port
+  -q, --quiet                              Suppress progress output
+      --read-only                          Mount the container's root filesystem as read only
+      --replicas uint                      Number of tasks
+      --reserve-cpu decimal                Reserve CPUs
+      --reserve-memory bytes               Reserve Memory
+      --restart-condition string           Restart when condition is met ("none"|"on-failure"|"any")
+      --restart-delay duration             Delay between restart attempts (ns|us|ms|s|m|h)
+      --restart-max-attempts uint          Maximum number of restarts before giving up
+      --restart-window duration            Window used to evaluate the restart policy (ns|us|ms|s|m|h)
+      --rollback                           Rollback to previous specification
+      --rollback-delay duration            Delay between task rollbacks (ns|us|ms|s|m|h)
+      --rollback-failure-action string     Action on rollback failure ("pause"|"continue")
+      --rollback-max-failure-ratio float   Failure rate to tolerate during a rollback
+      --rollback-monitor duration          Duration after each task rollback to monitor for failure (ns|us|ms|s|m|h)
+      --rollback-order string              Rollback order ("start-first"|"stop-first")
+      --rollback-parallelism uint          Maximum number of tasks rolled back simultaneously (0 to roll back all at once)
+      --secret-add secret                  Add or update a secret on a service
+      --secret-rm list                     Remove a secret
+      --stop-grace-period duration         Time to wait before force killing a container (ns|us|ms|s|m|h)
+      --stop-signal string                 Signal to stop the container
+  -t, --tty                                Allocate a pseudo-TTY
+      --update-delay duration              Delay between updates (ns|us|ms|s|m|h)
+      --update-failure-action string       Action on update failure ("pause"|"continue"|"rollback")
+      --update-max-failure-ratio float     Failure rate to tolerate during an update
+      --update-monitor duration            Duration after each task update to monitor for failure (ns|us|ms|s|m|h)
+      --update-order string                Update order ("start-first"|"stop-first")
+      --update-parallelism uint            Maximum number of tasks updated simultaneously (0 to update all at once)
+  -u, --user string                        Username or UID (format: <name|uid>[:<group|gid>])
+      --with-registry-auth                 Send registry authentication details to swarm agents
+  -w, --workdir string                     Working directory inside the container
+```
+
+## Description
+
+Updates a service as described by the specified parameters. This command has to be run targeting a manager node.
+The parameters are the same as [`docker service create`](service_create.md). Please look at the description there
+for further information.
+
+Normally, updating a service will only cause the service's tasks to be replaced with new ones if a change to the
+service requires recreating the tasks for it to take effect. For example, only changing the
+`--update-parallelism` setting will not recreate the tasks, because the individual tasks are not affected by this
+setting. However, the `--force` flag will cause the tasks to be recreated anyway. This can be used to perform a
+rolling restart without any changes to the service parameters.
+
+## Examples
+
+### Update a service
+
+```bash
+$ docker service update --limit-cpu 2 redis
+```
+
+### Perform a rolling restart with no parameter changes
+
+```bash
+$ docker service update --force --update-parallelism 1 --update-delay 30s redis
+```
+
+In this example, the `--force` flag causes the service's tasks to be shut down
+and replaced with new ones even though none of the other parameters would
+normally cause that to happen. The `--update-parallelism 1` setting ensures
+that only one task is replaced at a time (this is the default behavior). The
+`--update-delay 30s` setting introduces a 30 second delay between tasks, so
+that the rolling restart happens gradually.
+
+### Add or remove mounts
+
+Use the `--mount-add` or `--mount-rm` options add or remove a service's bind mounts
+or volumes.
+
+The following example creates a service which mounts the `test-data` volume to
+`/somewhere`. The next step updates the service to also mount the `other-volume`
+volume to `/somewhere-else`volume, The last step unmounts the `/somewhere` mount
+point, effectively removing the `test-data` volume. Each command returns the
+service name.
+
+- The `--mount-add` flag takes the same parameters as the `--mount` flag on
+  `service create`. Refer to the [volumes and
+  bind mounts](service_create.md#volumes-and-bind-mounts-mount) section in the
+  `service create` reference for details.
+
+- The `--mount-rm` flag takes the `target` path of the mount.
+
+```bash
+$ docker service create \
+    --name=myservice \
+    --mount \
+      type=volume,source=test-data,target=/somewhere \
+    nginx:alpine \
+    myservice
+
+myservice
+
+$ docker service update \
+    --mount-add \
+      type=volume,source=other-volume,target=/somewhere-else \
+    myservice
+
+myservice
+
+$ docker service update --mount-rm /somewhere myservice
+
+myservice
+```
+
+### Add or remove published service ports
+
+Use the `--publish-add` or `--publish-rm` flags to add or remove a published
+port for a service. You can use the short or long syntax discussed in the
+[docker service create](service_create/#publish-service-ports-externally-to-the-swarm)
+reference.
+
+The following example adds a published service port to an existing service.
+
+```bash
+$ docker service update \
+  --publish-add published=8080,target=80 \
+  myservice
+```
+
+### Add or remove network
+
+Use the `--network-add` or `--network-rm` flags to add or remove a network for
+a service. You can use the short or long syntax discussed in the
+[docker service create](service_create/#attach-a-service-to-an-existing-network-network)
+reference.
+
+The following example adds a new alias name to an existing service already connected to network my-network:
+
+```bash
+$ docker service update \
+  --network-rm my-network \
+  --network-add name=my-network,alias=web1 \
+  myservice
+```
+
+### Roll back to the previous version of a service
+
+Use the `--rollback` option to roll back to the previous version of the service.
+
+This will revert the service to the configuration that was in place before the most recent `docker service update` command.
+
+The following example updates the number of replicas for the service from 4 to 5, and then rolls back to the previous configuration.
+
+```bash
+$ docker service update --replicas=5 web
+
+web
+
+$ docker service ls
+
+ID            NAME  MODE        REPLICAS  IMAGE
+80bvrzp6vxf3  web   replicated  0/5       nginx:alpine
+
+```
+Roll back the `web` service...
+
+```bash
+$ docker service update --rollback web
+
+web
+
+$ docker service ls
+
+ID            NAME  MODE        REPLICAS  IMAGE
+80bvrzp6vxf3  web   replicated  0/4       nginx:alpine
+
+```
+
+Other options can be combined with `--rollback` as well, for example, `--update-delay 0s` to execute the rollback without a delay between tasks:
+
+```bash
+$ docker service update \
+  --rollback \
+  --update-delay 0s
+  web
+
+web
+
+```
+
+Services can also be set up to roll back to the previous version automatically
+when an update fails. To set up a service for automatic rollback, use
+`--update-failure-action=rollback`. A rollback will be triggered if the fraction
+of the tasks which failed to update successfully exceeds the value given with
+`--update-max-failure-ratio`.
+
+The rate, parallelism, and other parameters of a rollback operation are
+determined by the values passed with the following flags:
+
+- `--rollback-delay`
+- `--rollback-failure-action`
+- `--rollback-max-failure-ratio`
+- `--rollback-monitor`
+- `--rollback-parallelism`
+
+For example, a service set up with `--update-parallelism 1 --rollback-parallelism 3`
+will update one task at a time during a normal update, but during a rollback, 3
+tasks at a time will get rolled back. These rollback parameters are respected both
+during automatic rollbacks and for rollbacks initiated manually using `--rollback`.
+
+### Add or remove secrets
+
+Use the `--secret-add` or `--secret-rm` options add or remove a service's
+secrets.
+
+The following example adds a secret named `ssh-2` and removes `ssh-1`:
+
+```bash
+$ docker service update \
+    --secret-add source=ssh-2,target=ssh-2 \
+    --secret-rm ssh-1 \
+    myservice
+```
+
+### Update services using templates
+
+Some flags of `service update` support the use of templating.
+See [`service create`](./service_create.md#templating) for the reference.
+
+
+### Specify isolation mode (Windows)
+
+`service update` supports the same `--isolation` flag as `service create`
+See [`service create`](./service_create.md) for the reference.
+
+## Related commands
+
+* [service create](service_create.md)
+* [service inspect](service_inspect.md)
+* [service logs](service_logs.md)
+* [service ls](service_ls.md)
+* [service ps](service_ps.md)
+* [service rm](service_rm.md)
+* [service rollback](service_rollback.md)
+* [service scale](service_scale.md)
diff --git a/cli/docs/reference/commandline/stack.md b/cli/docs/reference/commandline/stack.md
new file mode 100644
index 00000000..cdb5f3ff
--- /dev/null
+++ b/cli/docs/reference/commandline/stack.md
@@ -0,0 +1,41 @@
+---
+title: "stack"
+description: "The stack command description and usage"
+keywords: "stack"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# stack
+
+```markdown
+Usage:  docker stack [OPTIONS] COMMAND
+
+Manage Docker stacks
+
+Options:
+      --help                  Print usage
+      --kubeconfig string     Kubernetes config file
+      --orchestrator string   Orchestrator to use (swarm|kubernetes|all)
+
+Commands:
+  deploy      Deploy a new stack or update an existing stack
+  ls          List stacks
+  ps          List the tasks in the stack
+  rm          Remove one or more stacks
+  services    List the services in the stack
+
+Run 'docker stack COMMAND --help' for more information on a command.
+```
+
+## Description
+
+Manage stacks.
+
diff --git a/cli/docs/reference/commandline/stack_deploy.md b/cli/docs/reference/commandline/stack_deploy.md
new file mode 100644
index 00000000..9542973a
--- /dev/null
+++ b/cli/docs/reference/commandline/stack_deploy.md
@@ -0,0 +1,148 @@
+---
+title: "stack deploy"
+description: "The stack deploy command description and usage"
+keywords: "stack, deploy, up"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# stack deploy
+
+```markdown
+Usage:  docker stack deploy [OPTIONS] STACK
+
+Deploy a new stack or update an existing stack
+
+Aliases:
+  deploy, up
+
+Options:
+      --bundle-file string    Path to a Distributed Application Bundle file
+  -c, --compose-file strings  Path to a Compose file, or "-" to read from stdin
+      --help                  Print usage
+      --kubeconfig string     Kubernetes config file
+      --namespace string      Kubernetes namespace to use
+      --orchestrator string   Orchestrator to use (swarm|kubernetes|all)
+      --prune                 Prune services that are no longer referenced
+      --resolve-image string  Query the registry to resolve image digest and supported platforms
+                              ("always"|"changed"|"never") (default "always")
+      --with-registry-auth    Send registry authentication details to Swarm agents
+```
+
+## Description
+
+Create and update a stack from a `compose` or a `dab` file on the swarm. This command
+has to be run targeting a manager node.
+
+## Examples
+
+### Compose file
+
+The `deploy` command supports compose file version `3.0` and above.
+
+```bash
+$ docker stack deploy --compose-file docker-compose.yml vossibility
+
+Ignoring unsupported options: links
+
+Creating network vossibility_vossibility
+Creating network vossibility_default
+Creating service vossibility_nsqd
+Creating service vossibility_logstash
+Creating service vossibility_elasticsearch
+Creating service vossibility_kibana
+Creating service vossibility_ghollector
+Creating service vossibility_lookupd
+```
+
+The Compose file can also be provided as standard input with `--compose-file -`:
+
+```bash
+$ cat docker-compose.yml | docker stack deploy --compose-file - vossibility
+
+Ignoring unsupported options: links
+
+Creating network vossibility_vossibility
+Creating network vossibility_default
+Creating service vossibility_nsqd
+Creating service vossibility_logstash
+Creating service vossibility_elasticsearch
+Creating service vossibility_kibana
+Creating service vossibility_ghollector
+Creating service vossibility_lookupd
+```
+
+If your configuration is split between multiple Compose files, e.g. a base
+configuration and environment-specific overrides, you can provide multiple
+`--compose-file` flags.
+
+```bash
+$ docker stack deploy --compose-file docker-compose.yml -c docker-compose.prod.yml vossibility
+
+Ignoring unsupported options: links
+
+Creating network vossibility_vossibility
+Creating network vossibility_default
+Creating service vossibility_nsqd
+Creating service vossibility_logstash
+Creating service vossibility_elasticsearch
+Creating service vossibility_kibana
+Creating service vossibility_ghollector
+Creating service vossibility_lookupd
+```
+
+You can verify that the services were correctly created:
+
+```bash
+$ docker service ls
+
+ID            NAME                               MODE        REPLICAS  IMAGE
+29bv0vnlm903  vossibility_lookupd                replicated  1/1       nsqio/nsq@sha256:eeba05599f31eba418e96e71e0984c3dc96963ceb66924dd37a47bf7ce18a662
+4awt47624qwh  vossibility_nsqd                   replicated  1/1       nsqio/nsq@sha256:eeba05599f31eba418e96e71e0984c3dc96963ceb66924dd37a47bf7ce18a662
+4tjx9biia6fs  vossibility_elasticsearch          replicated  1/1       elasticsearch@sha256:12ac7c6af55d001f71800b83ba91a04f716e58d82e748fa6e5a7359eed2301aa
+7563uuzr9eys  vossibility_kibana                 replicated  1/1       kibana@sha256:6995a2d25709a62694a937b8a529ff36da92ebee74bafd7bf00e6caf6db2eb03
+9gc5m4met4he  vossibility_logstash               replicated  1/1       logstash@sha256:2dc8bddd1bb4a5a34e8ebaf73749f6413c101b2edef6617f2f7713926d2141fe
+axqh55ipl40h  vossibility_vossibility-collector  replicated  1/1       icecrime/vossibility-collector@sha256:f03f2977203ba6253988c18d04061c5ec7aab46bca9dfd89a9a1fa4500989fba
+```
+
+### DAB file
+
+```bash
+$ docker stack deploy --bundle-file vossibility-stack.dab vossibility
+
+Loading bundle from vossibility-stack.dab
+Creating service vossibility_elasticsearch
+Creating service vossibility_kibana
+Creating service vossibility_logstash
+Creating service vossibility_lookupd
+Creating service vossibility_nsqd
+Creating service vossibility_vossibility-collector
+```
+
+You can verify that the services were correctly created:
+
+```bash
+$ docker service ls
+
+ID            NAME                               MODE        REPLICAS  IMAGE
+29bv0vnlm903  vossibility_lookupd                replicated  1/1       nsqio/nsq@sha256:eeba05599f31eba418e96e71e0984c3dc96963ceb66924dd37a47bf7ce18a662
+4awt47624qwh  vossibility_nsqd                   replicated  1/1       nsqio/nsq@sha256:eeba05599f31eba418e96e71e0984c3dc96963ceb66924dd37a47bf7ce18a662
+4tjx9biia6fs  vossibility_elasticsearch          replicated  1/1       elasticsearch@sha256:12ac7c6af55d001f71800b83ba91a04f716e58d82e748fa6e5a7359eed2301aa
+7563uuzr9eys  vossibility_kibana                 replicated  1/1       kibana@sha256:6995a2d25709a62694a937b8a529ff36da92ebee74bafd7bf00e6caf6db2eb03
+9gc5m4met4he  vossibility_logstash               replicated  1/1       logstash@sha256:2dc8bddd1bb4a5a34e8ebaf73749f6413c101b2edef6617f2f7713926d2141fe
+axqh55ipl40h  vossibility_vossibility-collector  replicated  1/1       icecrime/vossibility-collector@sha256:f03f2977203ba6253988c18d04061c5ec7aab46bca9dfd89a9a1fa4500989fba
+```
+
+## Related commands
+
+* [stack ls](stack_ls.md)
+* [stack ps](stack_ps.md)
+* [stack rm](stack_rm.md)
+* [stack services](stack_services.md)
diff --git a/cli/docs/reference/commandline/stack_ls.md b/cli/docs/reference/commandline/stack_ls.md
new file mode 100644
index 00000000..dd0857eb
--- /dev/null
+++ b/cli/docs/reference/commandline/stack_ls.md
@@ -0,0 +1,81 @@
+---
+title: "stack ls"
+description: "The stack ls command description and usage"
+keywords: "stack, ls"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# stack ls
+
+```markdown
+Usage:	docker stack ls [OPTIONS]
+
+List stacks
+
+Aliases:
+  ls, list
+
+Options:
+      --help                  Print usage
+      --format string         Pretty-print stacks using a Go template
+      --kubeconfig string     Kubernetes config file
+      --namespace string      Kubernetes namespace to use
+      --orchestrator string   Orchestrator to use (swarm|kubernetes|all)
+```
+
+## Description
+
+Lists the stacks.
+
+## Examples
+
+The following command shows all stacks and some additional information:
+
+```bash
+$ docker stack ls
+
+ID                 SERVICES            ORCHESTRATOR
+myapp              2                   Kubernetes
+vossibility-stack  6                   Swarm
+```
+
+### Formatting
+
+The formatting option (`--format`) pretty-prints stacks using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+| Placeholder     | Description        |
+| --------------- | ------------------ |
+| `.Name`         | Stack name         |
+| `.Services`     | Number of services |
+| `.Orchestrator` | Orchestrator name  |
+| `.Namespace`    | Namespace          |
+
+When using the `--format` option, the `stack ls` command either outputs
+the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`Name` and `Services` entries separated by a colon for all stacks:
+
+```bash
+$ docker stack ls --format "{{.Name}}: {{.Services}}"
+web-server: 1
+web-cache: 4
+```
+
+## Related commands
+
+* [stack deploy](stack_deploy.md)
+* [stack ps](stack_ps.md)
+* [stack rm](stack_rm.md)
+* [stack services](stack_services.md)
diff --git a/cli/docs/reference/commandline/stack_ps.md b/cli/docs/reference/commandline/stack_ps.md
new file mode 100644
index 00000000..bf25c722
--- /dev/null
+++ b/cli/docs/reference/commandline/stack_ps.md
@@ -0,0 +1,233 @@
+---
+title: "stack ps"
+description: "The stack ps command description and usage"
+keywords: "stack, ps"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# stack ps
+
+```markdown
+Usage:  docker stack ps [OPTIONS] STACK
+
+List the tasks in the stack
+
+Options:
+  -f, --filter filter         Filter output based on conditions provided
+      --format string         Pretty-print tasks using a Go template
+      --help                  Print usage
+      --kubeconfig string     Kubernetes config file
+      --namespace string      Kubernetes namespace to use
+      --no-resolve            Do not map IDs to Names
+      --no-trunc              Do not truncate output
+      --orchestrator string   Orchestrator to use (swarm|kubernetes|all)
+  -q, --quiet                 Only display task IDs
+```
+
+## Description
+
+Lists the tasks that are running as part of the specified stack. This
+command has to be run targeting a manager node.
+
+## Examples
+
+### List the tasks that are part of a stack
+
+The following command shows all the tasks that are part of the `voting` stack:
+
+```bash
+$ docker stack ps voting
+ID                  NAME                  IMAGE                                          NODE   DESIRED STATE  CURRENT STATE          ERROR  PORTS
+xim5bcqtgk1b        voting_worker.1       dockersamples/examplevotingapp_worker:latest   node2  Running        Running 2 minutes ago
+q7yik0ks1in6        voting_result.1       dockersamples/examplevotingapp_result:before   node1  Running        Running 2 minutes ago
+rx5yo0866nfx        voting_vote.1         dockersamples/examplevotingapp_vote:before     node3  Running        Running 2 minutes ago
+tz6j82jnwrx7        voting_db.1           postgres:9.4                                   node1  Running        Running 2 minutes ago
+w48spazhbmxc        voting_redis.1        redis:alpine                                   node2  Running        Running 3 minutes ago
+6jj1m02freg1        voting_visualizer.1   dockersamples/visualizer:stable                node1  Running        Running 2 minutes ago
+kqgdmededccb        voting_vote.2         dockersamples/examplevotingapp_vote:before     node2  Running        Running 2 minutes ago
+t72q3z038jeh        voting_redis.2        redis:alpine                                   node3  Running        Running 3 minutes ago
+```
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there
+is more than one filter, then pass multiple flags (e.g. `--filter "foo=bar" --filter "bif=baz"`).
+Multiple filter flags are combined as an `OR` filter. For example,
+`-f name=redis.1 -f name=redis.7` returns both `redis.1` and `redis.7` tasks.
+
+The currently supported filters are:
+
+* [id](#id)
+* [name](#name)
+* [node](#node)
+* [desired-state](#desired-state)
+
+#### id
+
+The `id` filter matches on all or a prefix of a task's ID.
+
+```bash
+$ docker stack ps -f "id=t" voting
+ID                  NAME                IMAGE               NODE         DESIRED STATE       CURRENTSTATE            ERROR  PORTS
+tz6j82jnwrx7        voting_db.1         postgres:9.4        node1        Running             Running 14 minutes ago
+t72q3z038jeh        voting_redis.2      redis:alpine        node3        Running             Running 14 minutes ago
+```
+
+#### name
+
+The `name` filter matches on task names.
+
+```bash
+$ docker stack ps -f "name=voting_redis" voting
+ID                  NAME                IMAGE               NODE         DESIRED STATE       CURRENTSTATE            ERROR  PORTS
+w48spazhbmxc        voting_redis.1      redis:alpine        node2        Running             Running 17 minutes ago
+t72q3z038jeh        voting_redis.2      redis:alpine        node3        Running             Running 17 minutes ago
+```
+
+#### node
+
+The `node` filter matches on a node name or a node ID.
+
+```bash
+$ docker stack ps -f "node=node1" voting
+ID                  NAME                  IMAGE                                          NODE   DESIRED STATE  CURRENT STATE          ERROR  PORTS
+q7yik0ks1in6        voting_result.1       dockersamples/examplevotingapp_result:before   node1  Running        Running 18 minutes ago
+tz6j82jnwrx7        voting_db.1           postgres:9.4                                   node1  Running        Running 18 minutes ago
+6jj1m02freg1        voting_visualizer.1   dockersamples/visualizer:stable                node1  Running        Running 18 minutes ago
+```
+
+#### desired-state
+
+The `desired-state` filter can take the values `running`, `shutdown`, or `accepted`.
+
+```bash
+$ docker stack ps -f "desired-state=running" voting
+ID                  NAME                  IMAGE                                          NODE   DESIRED STATE  CURRENT STATE           ERROR  PORTS
+xim5bcqtgk1b        voting_worker.1       dockersamples/examplevotingapp_worker:latest   node2  Running        Running 21 minutes ago
+q7yik0ks1in6        voting_result.1       dockersamples/examplevotingapp_result:before   node1  Running        Running 21 minutes ago
+rx5yo0866nfx        voting_vote.1         dockersamples/examplevotingapp_vote:before     node3  Running        Running 21 minutes ago
+tz6j82jnwrx7        voting_db.1           postgres:9.4                                   node1  Running        Running 21 minutes ago
+w48spazhbmxc        voting_redis.1        redis:alpine                                   node2  Running        Running 21 minutes ago
+6jj1m02freg1        voting_visualizer.1   dockersamples/visualizer:stable                node1  Running        Running 21 minutes ago
+kqgdmededccb        voting_vote.2         dockersamples/examplevotingapp_vote:before     node2  Running        Running 21 minutes ago
+t72q3z038jeh        voting_redis.2        redis:alpine                                   node3  Running        Running 21 minutes ago
+```
+
+### Formatting
+
+The formatting options (`--format`) pretty-prints tasks output using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+Placeholder     | Description
+----------------|------------------------------------------------------------------------------------------
+`.ID`           | Task ID
+`.Name`         | Task name
+`.Image`        | Task image
+`.Node`         | Node ID
+`.DesiredState` | Desired state of the task (`running`, `shutdown`, or `accepted`)
+`.CurrentState` | Current state of the task
+`.Error`        | Error
+`.Ports`        | Task published ports
+
+When using the `--format` option, the `stack ps` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`Name` and `Image` entries separated by a colon for all tasks:
+
+```bash
+$ docker stack ps --format "{{.Name}}: {{.Image}}" voting
+voting_worker.1: dockersamples/examplevotingapp_worker:latest
+voting_result.1: dockersamples/examplevotingapp_result:before
+voting_vote.1: dockersamples/examplevotingapp_vote:before
+voting_db.1: postgres:9.4
+voting_redis.1: redis:alpine
+voting_visualizer.1: dockersamples/visualizer:stable
+voting_vote.2: dockersamples/examplevotingapp_vote:before
+voting_redis.2: redis:alpine
+```
+
+### Do not map IDs to Names
+
+The `--no-resolve` option shows IDs for task name, without mapping IDs to Names.
+
+```bash
+$ docker stack ps --no-resolve voting
+ID                  NAME                          IMAGE                                          NODE                        DESIRED STATE  CURRENT STATE            ERROR  PORTS
+xim5bcqtgk1b        10z9fjfqzsxnezo4hb81p8mqg.1   dockersamples/examplevotingapp_worker:latest   qaqt4nrzo775jrx6detglho01   Running        Running 30 minutes ago
+q7yik0ks1in6        hbxltua1na7mgqjnidldv5m65.1   dockersamples/examplevotingapp_result:before   mxpaef1tlh23s052erw88a4w5   Running        Running 30 minutes ago
+rx5yo0866nfx        qyprtqw1g5nrki557i974ou1d.1   dockersamples/examplevotingapp_vote:before     kanqcxfajd1r16wlnqcblobmm   Running        Running 31 minutes ago
+tz6j82jnwrx7        122f0xxngg17z52be7xspa72x.1   postgres:9.4                                   mxpaef1tlh23s052erw88a4w5   Running        Running 31 minutes ago
+w48spazhbmxc        tg61x8myx563ueo3urmn1ic6m.1   redis:alpine                                   qaqt4nrzo775jrx6detglho01   Running        Running 31 minutes ago
+6jj1m02freg1        8cqlyi444kzd3panjb7edh26v.1   dockersamples/visualizer:stable                mxpaef1tlh23s052erw88a4w5   Running        Running 31 minutes ago
+kqgdmededccb        qyprtqw1g5nrki557i974ou1d.2   dockersamples/examplevotingapp_vote:before     qaqt4nrzo775jrx6detglho01   Running        Running 31 minutes ago
+t72q3z038jeh        tg61x8myx563ueo3urmn1ic6m.2   redis:alpine                                   kanqcxfajd1r16wlnqcblobmm   Running        Running 31 minutes ago
+```
+
+### Do not truncate output
+
+When deploying a service, docker resolves the digest for the service's
+image, and pins the service to that digest. The digest is not shown by
+default, but is printed if `--no-trunc` is used. The `--no-trunc` option
+also shows the non-truncated task IDs, and error-messages, as can be seen below:
+
+```bash
+$ docker stack ps --no-trunc voting
+ID                          NAME                  IMAGE                                                                                                                 NODE   DESIRED STATE  CURREN STATE           ERROR  PORTS
+xim5bcqtgk1bxqz91jzo4a1s5   voting_worker.1       dockersamples/examplevotingapp_worker:latest@sha256:3e4ddf59c15f432280a2c0679c4fc5a2ee5a797023c8ef0d3baf7b1385e9fed   node2  Running        Runnin 32 minutes ago
+q7yik0ks1in6kv32gg6y6yjf7   voting_result.1       dockersamples/examplevotingapp_result:before@sha256:83b56996e930c292a6ae5187fda84dd6568a19d97cdb933720be15c757b7463   node1  Running        Runnin 32 minutes ago
+rx5yo0866nfxc58zf4irsss6n   voting_vote.1         dockersamples/examplevotingapp_vote:before@sha256:8e64b182c87de902f2b72321c89b4af4e2b942d76d0b772532ff27ec4c6ebf6     node3  Running        Runnin 32 minutes ago
+tz6j82jnwrx7n2offljp3mn03   voting_db.1           postgres:9.4@sha256:6046af499eae34d2074c0b53f9a8b404716d415e4a03e68bc1d2f8064f2b027                                   node1  Running        Runnin 32 minutes ago
+w48spazhbmxcmbjfi54gs7x90   voting_redis.1        redis:alpine@sha256:9cd405cd1ec1410eaab064a1383d0d8854d1ef74a54e1e4a92fb4ec7bdc3ee7                                   node2  Running        Runnin 32 minutes ago
+6jj1m02freg1n3z9n1evrzsbl   voting_visualizer.1   dockersamples/visualizer:stable@sha256:f924ad66c8e94b10baaf7bdb9cd491ef4e982a1d048a56a17e02bf5945401e5                node1  Running        Runnin 32 minutes ago
+kqgdmededccbhz2wuc0e9hx7g   voting_vote.2         dockersamples/examplevotingapp_vote:before@sha256:8e64b182c87de902f2b72321c89b4af4e2b942d76d0b772532ff27ec4c6ebf6     node2  Running        Runnin 32 minutes ago
+t72q3z038jehe1wbh9gdum076   voting_redis.2        redis:alpine@sha256:9cd405cd1ec1410eaab064a1383d0d8854d1ef74a54e1e4a92fb4ec7bdc3ee7                                   node3  Running        Runnin 32 minutes ago
+```
+
+### Only display task IDs
+
+The `-q ` or `--quiet` option only shows IDs of the tasks in the stack.
+This example outputs all task IDs of the "voting" stack;
+
+```bash
+$ docker stack ps -q voting
+xim5bcqtgk1b
+q7yik0ks1in6
+rx5yo0866nfx
+tz6j82jnwrx7
+w48spazhbmxc
+6jj1m02freg1
+kqgdmededccb
+t72q3z038jeh
+```
+
+This option can be used to perform batch operations. For example, you can use
+the task IDs as input for other commands, such as `docker inspect`. The
+following example inspects all tasks of the "voting" stack;
+
+```bash
+$ docker inspect $(docker stack ps -q voting)
+
+[
+    {
+        "ID": "xim5bcqtgk1b1gk0krq1",
+        "Version": {
+(...)
+```
+
+## Related commands
+
+* [stack deploy](stack_deploy.md)
+* [stack ls](stack_ls.md)
+* [stack rm](stack_rm.md)
+* [stack services](stack_services.md)
diff --git a/cli/docs/reference/commandline/stack_rm.md b/cli/docs/reference/commandline/stack_rm.md
new file mode 100644
index 00000000..b9d48a34
--- /dev/null
+++ b/cli/docs/reference/commandline/stack_rm.md
@@ -0,0 +1,81 @@
+---
+title: "stack rm"
+description: "The stack rm command description and usage"
+keywords: "stack, rm, remove, down"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# stack rm
+
+```markdown
+Usage:  docker stack rm [OPTIONS] STACK [STACK...]
+
+Remove one or more stacks
+
+Aliases:
+  rm, remove, down
+
+Options:
+      --help                  Print usage
+      --kubeconfig string     Kubernetes config file
+      --namespace string      Kubernetes namespace to use
+      --orchestrator string   Orchestrator to use (swarm|kubernetes|all)
+```
+
+## Description
+
+Remove the stack from the swarm. This command has to be run targeting
+a manager node.
+
+## Examples
+
+### Remove a stack
+
+This will remove the stack with the name `myapp`. Services, networks, and secrets associated with the stack will be removed.
+
+```bash
+$ docker stack rm myapp
+
+Removing service myapp_redis
+Removing service myapp_web
+Removing service myapp_lb
+Removing network myapp_default
+Removing network myapp_frontend
+```
+
+### Remove multiple stacks
+
+This will remove all the specified stacks, `myapp` and `vossibility`. Services, networks, and secrets associated with all the specified stacks will be removed.
+
+```bash
+$ docker stack rm myapp vossibility
+
+Removing service myapp_redis
+Removing service myapp_web
+Removing service myapp_lb
+Removing network myapp_default
+Removing network myapp_frontend
+Removing service vossibility_nsqd
+Removing service vossibility_logstash
+Removing service vossibility_elasticsearch
+Removing service vossibility_kibana
+Removing service vossibility_ghollector
+Removing service vossibility_lookupd
+Removing network vossibility_default
+Removing network vossibility_vossibility
+```
+
+## Related commands
+
+* [stack deploy](stack_deploy.md)
+* [stack ls](stack_ls.md)
+* [stack ps](stack_ps.md)
+* [stack services](stack_services.md)
diff --git a/cli/docs/reference/commandline/stack_services.md b/cli/docs/reference/commandline/stack_services.md
new file mode 100644
index 00000000..2f60df42
--- /dev/null
+++ b/cli/docs/reference/commandline/stack_services.md
@@ -0,0 +1,122 @@
+---
+title: "stack services"
+description: "The stack services command description and usage"
+keywords: "stack, services"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# stack services
+
+```markdown
+Usage:	docker stack services [OPTIONS] STACK
+
+List the services in the stack
+
+Options:
+  -f, --filter filter         Filter output based on conditions provided
+      --format string         Pretty-print services using a Go template
+      --help                  Print usage
+      --kubeconfig string     Kubernetes config file
+      --namespace string      Kubernetes namespace to use
+      --orchestrator string   Orchestrator to use (swarm|kubernetes|all)
+  -q, --quiet                 Only display IDs
+```
+
+## Description
+
+Lists the services that are running as part of the specified stack. This
+command has to be run targeting a manager node.
+
+## Examples
+
+The following command shows all services in the `myapp` stack:
+
+```bash
+$ docker stack services myapp
+
+ID            NAME            REPLICAS  IMAGE                                                                          COMMAND
+7be5ei6sqeye  myapp_web       1/1       nginx@sha256:23f809e7fd5952e7d5be065b4d3643fbbceccd349d537b62a123ef2201bc886f
+dn7m7nhhfb9y  myapp_db        1/1       mysql@sha256:a9a5b559f8821fe73d58c3606c812d1c044868d42c63817fa5125fd9d8b7b539
+```
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there
+is more than one filter, then pass multiple flags (e.g. `--filter "foo=bar" --filter "bif=baz"`).
+Multiple filter flags are combined as an `OR` filter.
+
+The following command shows both the `web` and `db` services:
+
+```bash
+$ docker stack services --filter name=myapp_web --filter name=myapp_db myapp
+
+ID            NAME            REPLICAS  IMAGE                                                                          COMMAND
+7be5ei6sqeye  myapp_web       1/1       nginx@sha256:23f809e7fd5952e7d5be065b4d3643fbbceccd349d537b62a123ef2201bc886f
+dn7m7nhhfb9y  myapp_db        1/1       mysql@sha256:a9a5b559f8821fe73d58c3606c812d1c044868d42c63817fa5125fd9d8b7b539
+```
+
+The currently supported filters are:
+
+* id / ID (`--filter id=7be5ei6sqeye`, or `--filter ID=7be5ei6sqeye`)
+  * Swarm: supported
+  * Kubernetes: not supported
+* label (`--filter label=key=value`)
+  * Swarm: supported
+  * Kubernetes: supported
+* mode (`--filter mode=replicated`, or `--filter mode=global`)
+  * Swarm: not supported
+  * Kubernetes: supported
+* name (`--filter name=myapp_web`)
+  * Swarm: supported
+  * Kubernetes: supported
+* node (`--filter node=mynode`)
+  * Swarm: not supported
+  * Kubernetes: supported
+* service (`--filter service=web`)
+  * Swarm: not supported
+  * Kubernetes: supported
+
+### Formatting
+
+The formatting options (`--format`) pretty-prints services output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+Placeholder | Description
+------------|------------------------------------------------------------------------------------------
+`.ID`       | Service ID
+`.Name`     | Service name
+`.Mode`     | Service mode (replicated, global)
+`.Replicas` | Service replicas
+`.Image`    | Service image
+
+When using the `--format` option, the `stack services` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`ID`, `Mode`, and `Replicas` entries separated by a colon for all services:
+
+```bash
+$ docker stack services --format "{{.ID}}: {{.Mode}} {{.Replicas}}"
+
+0zmvwuiu3vue: replicated 10/10
+fm6uf97exkul: global 5/5
+```
+
+
+## Related commands
+
+* [stack deploy](stack_deploy.md)
+* [stack ls](stack_ls.md)
+* [stack ps](stack_ps.md)
+* [stack rm](stack_rm.md)
diff --git a/cli/docs/reference/commandline/start.md b/cli/docs/reference/commandline/start.md
new file mode 100644
index 00000000..4f5cb595
--- /dev/null
+++ b/cli/docs/reference/commandline/start.md
@@ -0,0 +1,34 @@
+---
+title: "start"
+description: "The start command description and usage"
+keywords: "Start, container, stopped"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# start
+
+```markdown
+Usage:  docker start [OPTIONS] CONTAINER [CONTAINER...]
+
+Start one or more stopped containers
+
+Options:
+  -a, --attach               Attach STDOUT/STDERR and forward signals
+      --detach-keys string   Override the key sequence for detaching a container
+      --help                 Print usage
+  -i, --interactive          Attach container's STDIN
+```
+
+## Examples
+
+```bash
+$ docker start my_container
+```
diff --git a/cli/docs/reference/commandline/stats.md b/cli/docs/reference/commandline/stats.md
new file mode 100644
index 00000000..702e99a9
--- /dev/null
+++ b/cli/docs/reference/commandline/stats.md
@@ -0,0 +1,175 @@
+---
+title: "stats"
+description: "The stats command description and usage"
+keywords: "container, resource, statistics"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# stats
+
+```markdown
+Usage:  docker stats [OPTIONS] [CONTAINER...]
+
+Display a live stream of container(s) resource usage statistics
+
+Options:
+  -a, --all             Show all containers (default shows just running)
+      --format string   Pretty-print images using a Go template
+      --help            Print usage
+      --no-stream       Disable streaming stats and only pull the first result
+      --no-trunc        Don't truncate output
+```
+
+## Description
+
+The `docker stats` command returns a live data stream for running containers. To limit data to one or more specific containers, specify a list of container names or ids separated by a space. You can specify a stopped container but stopped containers do not return any data.
+
+If you want more detailed information about a container's resource usage, use the `/containers/(id)/stats` API endpoint.
+
+> **Note**: On Linux, the Docker CLI reports memory usage by subtracting page cache usage from the total memory usage. The API does not perform such a calculation but rather provides the total memory usage and the amount from the page cache so that clients can use the data as needed.
+
+> **Note**: The `PIDS` column contains the number of processes and kernel threads created by that container. Threads is the term used by Linux kernel. Other equivalent terms are "lightweight process" or "kernel task", etc. A large number in the `PIDS` column combined with a small number of processes (as reported by `ps` or `top`) may indicate that something in the container is creating many threads.
+
+## Examples
+
+Running `docker stats` on all running containers against a Linux daemon.
+
+```bash
+$ docker stats
+
+CONTAINER ID        NAME                                    CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
+b95a83497c91        awesome_brattain                        0.28%               5.629MiB / 1.952GiB   0.28%               916B / 0B           147kB / 0B          9
+67b2525d8ad1        foobar                                  0.00%               1.727MiB / 1.952GiB   0.09%               2.48kB / 0B         4.11MB / 0B         2
+e5c383697914        test-1951.1.kay7x1lh1twk9c0oig50sd5tr   0.00%               196KiB / 1.952GiB     0.01%               71.2kB / 0B         770kB / 0B          1
+4bda148efbc0        random.1.vnc8on831idyr42slu578u3cr      0.00%               1.672MiB / 1.952GiB   0.08%               110kB / 0B          578kB / 0B          2
+```
+
+If you don't [specify a format string using `--format`](#formatting), the
+following columns are shown.
+
+| Column name               | Description                                                                                   |
+|---------------------------|-----------------------------------------------------------------------------------------------|
+| `CONTAINER ID` and `Name` | the ID and name of the container                                                              |
+| `CPU %` and `MEM %`       | the percentage of the host's CPU and memory the container is using                            |
+| `MEM USAGE / LIMIT`       | the total memory the container is using, and the total amount of memory it is allowed to use  |
+| `NET I/O`                 | The amount of data the container has sent and received over its network interface             |
+| `BLOCK I/O`               | The amount of data the container has read to and written from block devices on the host       |
+| `PIDs`                    | the number of processes or threads the container has created                                  |
+
+Running `docker stats` on multiple containers by name and id against a Linux daemon.
+
+```bash
+$ docker stats awesome_brattain 67b2525d8ad1
+
+CONTAINER ID        NAME                CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
+b95a83497c91        awesome_brattain    0.28%               5.629MiB / 1.952GiB   0.28%               916B / 0B           147kB / 0B          9
+67b2525d8ad1        foobar              0.00%               1.727MiB / 1.952GiB   0.09%               2.48kB / 0B         4.11MB / 0B         2
+```
+
+Running `docker stats` with customized format on all (Running and Stopped) containers.
+
+```bash
+$ docker stats --all --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" fervent_panini 5acfcb1b4fd1 drunk_visvesvaraya big_heisenberg
+
+CONTAINER                CPU %               MEM USAGE / LIMIT
+fervent_panini           0.00%               56KiB / 15.57GiB
+5acfcb1b4fd1             0.07%               32.86MiB / 15.57GiB
+drunk_visvesvaraya       0.00%               0B / 0B
+big_heisenberg           0.00%               0B / 0B
+```
+
+`drunk_visvesvaraya` and `big_heisenberg` are stopped containers in the above example.
+
+Running `docker stats` on all running containers against a Windows daemon.
+
+```powershell
+PS E:\> docker stats
+CONTAINER ID        CPU %               PRIV WORKING SET    NET I/O             BLOCK I/O
+09d3bb5b1604        6.61%               38.21 MiB           17.1 kB / 7.73 kB   10.7 MB / 3.57 MB
+9db7aa4d986d        9.19%               38.26 MiB           15.2 kB / 7.65 kB   10.6 MB / 3.3 MB
+3f214c61ad1d        0.00%               28.64 MiB           64 kB / 6.84 kB     4.42 MB / 6.93 MB
+```
+
+Running `docker stats` on multiple containers by name and id against a Windows daemon.
+
+```powershell
+PS E:\> docker ps -a
+CONTAINER ID        NAME                IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+3f214c61ad1d        awesome_brattain    nanoserver          "cmd"               2 minutes ago       Up 2 minutes                            big_minsky
+9db7aa4d986d        mad_wilson          windowsservercore   "cmd"               2 minutes ago       Up 2 minutes                            mad_wilson
+09d3bb5b1604        fervent_panini      windowsservercore   "cmd"               2 minutes ago       Up 2 minutes                            affectionate_easley
+
+PS E:\> docker stats 3f214c61ad1d mad_wilson
+CONTAINER ID        NAME                CPU %               PRIV WORKING SET    NET I/O             BLOCK I/O
+3f214c61ad1d        awesome_brattain    0.00%               46.25 MiB           76.3 kB / 7.92 kB   10.3 MB / 14.7 MB
+9db7aa4d986d        mad_wilson          9.59%               40.09 MiB           27.6 kB / 8.81 kB   17 MB / 20.1 MB
+```
+
+### Formatting
+
+The formatting option (`--format`) pretty prints container output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+Placeholder  | Description
+------------ | --------------------------------------------
+`.Container` | Container name or ID (user input)
+`.Name`      | Container name
+`.ID`        | Container ID
+`.CPUPerc`   | CPU percentage
+`.MemUsage`  | Memory usage
+`.NetIO`     | Network IO
+`.BlockIO`   | Block IO
+`.MemPerc`   | Memory percentage (Not available on Windows)
+`.PIDs`      | Number of PIDs (Not available on Windows)
+
+
+When using the `--format` option, the `stats` command either
+outputs the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`Container` and `CPUPerc` entries separated by a colon for all images:
+
+```bash
+$ docker stats --format "{{.Container}}: {{.CPUPerc}}"
+
+09d3bb5b1604: 6.61%
+9db7aa4d986d: 9.19%
+3f214c61ad1d: 0.00%
+```
+
+To list all containers statistics with their name, CPU percentage and memory
+usage in a table format you can use:
+
+```bash
+$ docker stats --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}"
+
+CONTAINER           CPU %               PRIV WORKING SET
+1285939c1fd3        0.07%               796 KiB / 64 MiB
+9c76f7834ae2        0.07%               2.746 MiB / 64 MiB
+d1ea048f04e4        0.03%               4.583 MiB / 64 MiB
+```
+
+The default format is as follows:
+
+On Linux:
+
+    "table {{.ID}}\t{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.MemPerc}}\t{{.NetIO}}\t{{.BlockIO}}\t{{.PIDs}}"
+
+On Windows:
+
+    "table {{.ID}}\t{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.NetIO}}\t{{.BlockIO}}"
+
+
+> **Note**: On Docker 17.09 and older, the `{{.Container}}` column was used, in
+> stead of `{{.ID}}\t{{.Name}}`.
diff --git a/cli/docs/reference/commandline/stop.md b/cli/docs/reference/commandline/stop.md
new file mode 100644
index 00000000..7f0d1d88
--- /dev/null
+++ b/cli/docs/reference/commandline/stop.md
@@ -0,0 +1,37 @@
+---
+title: "stop"
+description: "The stop command description and usage"
+keywords: "stop, SIGKILL, SIGTERM"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# stop
+
+```markdown
+Usage:  docker stop [OPTIONS] CONTAINER [CONTAINER...]
+
+Stop one or more running containers
+
+Options:
+      --help       Print usage
+  -t, --time int   Seconds to wait for stop before killing it (default 10)
+```
+
+## Description
+
+The main process inside the container will receive `SIGTERM`, and after a grace
+period, `SIGKILL`.
+
+## Examples
+
+```bash
+$ docker stop my_container
+```
diff --git a/cli/docs/reference/commandline/swarm.md b/cli/docs/reference/commandline/swarm.md
new file mode 100644
index 00000000..91c3bce0
--- /dev/null
+++ b/cli/docs/reference/commandline/swarm.md
@@ -0,0 +1,41 @@
+---
+title: "swarm"
+description: "The swarm command description and usage"
+keywords: "swarm"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# swarm
+
+```markdown
+Usage:  docker swarm COMMAND
+
+Manage Swarm
+
+Options:
+      --help   Print usage
+
+Commands:
+  ca          Manage root CA
+  init        Initialize a swarm
+  join        Join a swarm as a node and/or manager
+  join-token  Manage join tokens
+  leave       Leave the swarm
+  unlock      Unlock swarm
+  unlock-key  Manage the unlock key
+  update      Update the swarm
+
+Run 'docker swarm COMMAND --help' for more information on a command.
+```
+
+## Description
+
+Manage the swarm.
diff --git a/cli/docs/reference/commandline/swarm_ca.md b/cli/docs/reference/commandline/swarm_ca.md
new file mode 100644
index 00000000..18c7ad2e
--- /dev/null
+++ b/cli/docs/reference/commandline/swarm_ca.md
@@ -0,0 +1,122 @@
+---
+title: "swarm ca"
+description: "The swarm ca command description and usage"
+keywords: "swarm, ca"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# swarm ca
+
+```markdown
+Usage:	docker swarm ca [OPTIONS]
+
+Manage root CA
+
+Options:
+      --ca-cert pem-file          Path to the PEM-formatted root CA certificate to use for the new cluster
+      --ca-key pem-file           Path to the PEM-formatted root CA key to use for the new cluster
+      --cert-expiry duration      Validity period for node certificates (ns|us|ms|s|m|h) (default 2160h0m0s)
+  -d, --detach                    Exit immediately instead of waiting for the root rotation to converge
+      --external-ca external-ca   Specifications of one or more certificate signing endpoints
+      --help                      Print usage
+  -q, --quiet                     Suppress progress output
+      --rotate                    Rotate the swarm CA - if no certificate or key are provided, new ones will be generated
+```
+
+## Description
+
+View or rotate the current swarm CA certificate. This command must target a manager node.
+
+## Examples
+
+Run the `docker swarm ca` command without any options to view the current root CA certificate
+in PEM format.
+
+```bash
+$ docker swarm ca
+-----BEGIN CERTIFICATE-----
+MIIBazCCARCgAwIBAgIUJPzo67QC7g8Ebg2ansjkZ8CbmaswCgYIKoZIzj0EAwIw
+EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTAzMTcxMDAwWhcNMzcwNDI4MTcx
+MDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABKL6/C0sihYEb935wVPRA8MqzPLn3jzou0OJRXHsCLcVExigrMdgmLCC+Va4
++sJ+SLVO1eQbvLHH8uuDdF/QOU6jQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBSfUy5bjUnBAx/B0GkOBKp91XvxzjAKBggqhkjO
+PQQDAgNJADBGAiEAnbvh0puOS5R/qvy1PMHY1iksYKh2acsGLtL/jAIvO4ACIQCi
+lIwQqLkJ48SQqCjG1DBTSBsHmMSRT+6mE2My+Z3GKA==
+-----END CERTIFICATE-----
+```
+
+Pass the `--rotate` flag (and optionally a `--ca-cert`, along with a `--ca-key` or
+`--external-ca` parameter flag), in order to rotate the current swarm root CA.
+
+```
+$ docker swarm ca --rotate
+desired root digest: sha256:05da740cf2577a25224c53019e2cce99bcc5ba09664ad6bb2a9425d9ebd1b53e
+  rotated TLS certificates:  [=========================>                         ] 1/2 nodes
+  rotated CA certificates:   [>                                                  ] 0/2 nodes
+```
+
+Once the rotation os finished (all the progress bars have completed) the now-current
+CA certificate will be printed:
+
+```
+$ docker swarm ca --rotate
+desired root digest: sha256:05da740cf2577a25224c53019e2cce99bcc5ba09664ad6bb2a9425d9ebd1b53e
+  rotated TLS certificates:  [==================================================>] 2/2 nodes
+  rotated CA certificates:   [==================================================>] 2/2 nodes
+-----BEGIN CERTIFICATE-----
+MIIBazCCARCgAwIBAgIUFynG04h5Rrl4lKyA4/E65tYKg8IwCgYIKoZIzj0EAwIw
+EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTE2MDAxMDAwWhcNMzcwNTExMDAx
+MDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABC2DuNrIETP7C7lfiEPk39tWaaU0I2RumUP4fX4+3m+87j0DU0CsemUaaOG6
++PxHhGu2VXQ4c9pctPHgf7vWeVajQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBSEL02z6mCI3SmMDmITMr12qCRY2jAKBggqhkjO
+PQQDAgNJADBGAiEA263Eb52+825EeNQZM0AME+aoH1319Zp9/J5ijILW+6ACIQCg
+gyg5u9Iliel99l7SuMhNeLkrU7fXs+Of1nTyyM73ig==
+-----END CERTIFICATE-----
+```
+
+### `--rotate`
+
+Root CA Rotation is recommended if one or more of the swarm managers have been
+compromised, so that those managers can no longer connect to or be trusted by
+any other node in the cluster.
+
+Alternately, root CA rotation can be used to give control of the swarm CA
+to an external CA, or to take control back from an external CA.
+
+The `--rotate` flag does not require any parameters to do a rotation, but you can
+optionally specify a certificate and key, or a certificate and external CA URL,
+and those will be used instead of an automatically-generated certificate/key pair.
+
+Because the root CA key should be kept secret, if provided it will not be visible
+when viewing swarm any information via the CLI or API.
+
+The root CA rotation will not be completed until all registered nodes have
+rotated their TLS certificates.  If the rotation is not completing within a
+reasonable amount of time, try running
+`docker node ls --format '{{.ID}} {{.Hostname}} {{.Status}} {{.TLSStatus}}'` to
+see if any nodes are down or otherwise unable to rotate TLS certificates.
+
+
+### `--detach`
+
+Initiate the root CA rotation, but do not wait for the completion of or display the
+progress of the rotation.
+
+## Related commands
+
+* [swarm init](swarm_init.md)
+* [swarm join](swarm_join.md)
+* [swarm join-token](swarm_join_token.md)
+* [swarm leave](swarm_leave.md)
+* [swarm unlock](swarm_unlock.md)
+* [swarm unlock-key](swarm_unlock_key.md)
diff --git a/cli/docs/reference/commandline/swarm_init.md b/cli/docs/reference/commandline/swarm_init.md
new file mode 100644
index 00000000..6b051930
--- /dev/null
+++ b/cli/docs/reference/commandline/swarm_init.md
@@ -0,0 +1,168 @@
+---
+title: "swarm init"
+description: "The swarm init command description and usage"
+keywords: "swarm, init"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# swarm init
+
+```markdown
+Usage:  docker swarm init [OPTIONS]
+
+Initialize a swarm
+
+Options:
+      --advertise-addr string           Advertised address (format: <ip|interface>[:port])
+      --autolock                        Enable manager autolocking (requiring an unlock key to start a stopped manager)
+      --availability string             Availability of the node ("active"|"pause"|"drain") (default "active")
+      --cert-expiry duration            Validity period for node certificates (ns|us|ms|s|m|h) (default 2160h0m0s)
+      --data-path-addr string           Address or interface to use for data path traffic (format: <ip|interface>)
+      --dispatcher-heartbeat duration   Dispatcher heartbeat period (ns|us|ms|s|m|h) (default 5s)
+      --external-ca external-ca         Specifications of one or more certificate signing endpoints
+      --force-new-cluster               Force create a new cluster from current state
+      --help                            Print usage
+      --listen-addr node-addr           Listen address (format: <ip|interface>[:port]) (default 0.0.0.0:2377)
+      --max-snapshots uint              Number of additional Raft snapshots to retain
+      --snapshot-interval uint          Number of log entries between Raft snapshots (default 10000)
+      --task-history-limit int          Task history retention limit (default 5)
+```
+
+## Description
+
+Initialize a swarm. The docker engine targeted by this command becomes a manager
+in the newly created single-node swarm.
+
+## Examples
+
+```bash
+$ docker swarm init --advertise-addr 192.168.99.121
+Swarm initialized: current node (bvz81updecsj6wjz393c09vti) is now a manager.
+
+To add a worker to this swarm, run the following command:
+
+    docker swarm join \
+    --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx \
+    172.17.0.2:2377
+
+To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
+```
+
+`docker swarm init` generates two random tokens, a worker token and a manager token. When you join
+a new node to the swarm, the node joins as a worker or manager node based upon the token you pass
+to [swarm join](swarm_join.md).
+
+After you create the swarm, you can display or rotate the token using
+[swarm join-token](swarm_join_token.md).
+
+### `--autolock`
+
+This flag enables automatic locking of managers with an encryption key. The
+private keys and data stored by all managers will be protected by the
+encryption key printed in the output, and will not be accessible without it.
+Thus, it is very important to store this key in order to activate a manager
+after it restarts. The key can be passed to `docker swarm unlock` to reactivate
+the manager. Autolock can be disabled by running
+`docker swarm update --autolock=false`. After disabling it, the encryption key
+is no longer required to start the manager, and it will start up on its own
+without user intervention.
+
+### `--cert-expiry`
+
+This flag sets the validity period for node certificates.
+
+### `--dispatcher-heartbeat`
+
+This flag sets the frequency with which nodes are told to use as a
+period to report their health.
+
+### `--external-ca`
+
+This flag sets up the swarm to use an external CA to issue node certificates. The value takes
+the form `protocol=X,url=Y`. The value for `protocol` specifies what protocol should be used
+to send signing requests to the external CA. Currently, the only supported value is `cfssl`.
+The URL specifies the endpoint where signing requests should be submitted.
+
+### `--force-new-cluster`
+
+This flag forces an existing node that was part of a quorum that was lost to restart as a single node Manager without losing its data.
+
+### `--listen-addr`
+
+The node listens for inbound swarm manager traffic on this address. The default is to listen on
+0.0.0.0:2377. It is also possible to specify a network interface to listen on that interface's
+address; for example `--listen-addr eth0:2377`.
+
+Specifying a port is optional. If the value is a bare IP address or interface
+name, the default port 2377 will be used.
+
+### `--advertise-addr`
+
+This flag specifies the address that will be advertised to other members of the
+swarm for API access and overlay networking. If unspecified, Docker will check
+if the system has a single IP address, and use that IP address with the
+listening port (see `--listen-addr`). If the system has multiple IP addresses,
+`--advertise-addr` must be specified so that the correct address is chosen for
+inter-manager communication and overlay networking.
+
+It is also possible to specify a network interface to advertise that interface's address;
+for example `--advertise-addr eth0:2377`.
+
+Specifying a port is optional. If the value is a bare IP address or interface
+name, the default port 2377 will be used.
+
+### `--data-path-addr`
+
+This flag specifies the address that global scope network drivers will publish towards
+other nodes in order to reach the containers running on this node.
+Using this parameter it is then possible to separate the container's data traffic from the
+management traffic of the cluster.
+If unspecified, Docker will use the same IP address or interface that is used for the
+advertise address.
+
+### `--task-history-limit`
+
+This flag sets up task history retention limit.
+
+### `--max-snapshots`
+
+This flag sets the number of old Raft snapshots to retain in addition to the
+current Raft snapshots. By default, no old snapshots are retained. This option
+may be used for debugging, or to store old snapshots of the swarm state for
+disaster recovery purposes.
+
+### `--snapshot-interval`
+
+This flag specifies how many log entries to allow in between Raft snapshots.
+Setting this to a higher number will trigger snapshots less frequently.
+Snapshots compact the Raft log and allow for more efficient transfer of the
+state to new managers. However, there is a performance cost to taking snapshots
+frequently.
+
+### `--availability`
+
+This flag specifies the availability of the node at the time the node joins a master.
+Possible availability values are `active`, `pause`, or `drain`.
+
+This flag is useful in certain situations. For example, a cluster may want to have
+dedicated manager nodes that are not served as worker nodes. This could be achieved
+by passing `--availability=drain` to `docker swarm init`.
+
+
+## Related commands
+
+* [swarm ca](swarm_ca.md)
+* [swarm join](swarm_join.md)
+* [swarm join-token](swarm_join_token.md)
+* [swarm leave](swarm_leave.md)
+* [swarm unlock](swarm_unlock.md)
+* [swarm unlock-key](swarm_unlock_key.md)
+* [swarm update](swarm_update.md)
diff --git a/cli/docs/reference/commandline/swarm_join.md b/cli/docs/reference/commandline/swarm_join.md
new file mode 100644
index 00000000..44f45721
--- /dev/null
+++ b/cli/docs/reference/commandline/swarm_join.md
@@ -0,0 +1,133 @@
+---
+title: "swarm join"
+description: "The swarm join command description and usage"
+keywords: "swarm, join"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# swarm join
+
+```markdown
+Usage:  docker swarm join [OPTIONS] HOST:PORT
+
+Join a swarm as a node and/or manager
+
+Options:
+      --advertise-addr string   Advertised address (format: <ip|interface>[:port])
+      --availability string     Availability of the node ("active"|"pause"|"drain") (default "active")
+      --data-path-addr string   Address or interface to use for data path traffic (format: <ip|interface>)
+      --help                    Print usage
+      --listen-addr node-addr   Listen address (format: <ip|interface>[:port]) (default 0.0.0.0:2377)
+      --token string            Token for entry into the swarm
+```
+
+## Description
+
+Join a node to a swarm. The node joins as a manager node or worker node based upon the token you
+pass with the `--token` flag. If you pass a manager token, the node joins as a manager. If you
+pass a worker token, the node joins as a worker.
+
+## Examples
+
+### Join a node to swarm as a manager
+
+The example below demonstrates joining a manager node using a manager token.
+
+```bash
+$ docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2 192.168.99.121:2377
+This node joined a swarm as a manager.
+$ docker node ls
+ID                           HOSTNAME  STATUS  AVAILABILITY  MANAGER STATUS
+dkp8vy1dq1kxleu9g4u78tlag *  manager2  Ready   Active        Reachable
+dvfxp4zseq4s0rih1selh0d20    manager1  Ready   Active        Leader
+```
+
+A cluster should only have 3-7 managers at most, because a majority of managers must be available
+for the cluster to function. Nodes that aren't meant to participate in this management quorum
+should join as workers instead. Managers should be stable hosts that have static IP addresses.
+
+### Join a node to swarm as a worker
+
+The example below demonstrates joining a worker node using a worker token.
+
+```bash
+$ docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx 192.168.99.121:2377
+This node joined a swarm as a worker.
+$ docker node ls
+ID                           HOSTNAME  STATUS  AVAILABILITY  MANAGER STATUS
+7ln70fl22uw2dvjn2ft53m3q5    worker2   Ready   Active
+dkp8vy1dq1kxleu9g4u78tlag    worker1   Ready   Active        Reachable
+dvfxp4zseq4s0rih1selh0d20 *  manager1  Ready   Active        Leader
+```
+
+### `--listen-addr value`
+
+If the node is a manager, it will listen for inbound swarm manager traffic on this
+address. The default is to listen on 0.0.0.0:2377. It is also possible to specify a
+network interface to listen on that interface's address; for example `--listen-addr eth0:2377`.
+
+Specifying a port is optional. If the value is a bare IP address, or interface
+name, the default port 2377 will be used.
+
+This flag is generally not necessary when joining an existing swarm.
+
+### `--advertise-addr value`
+
+This flag specifies the address that will be advertised to other members of the
+swarm for API access. If unspecified, Docker will check if the system has a
+single IP address, and use that IP address with the listening port (see
+`--listen-addr`). If the system has multiple IP addresses, `--advertise-addr`
+must be specified so that the correct address is chosen for inter-manager
+communication and overlay networking.
+
+It is also possible to specify a network interface to advertise that interface's address;
+for example `--advertise-addr eth0:2377`.
+
+Specifying a port is optional. If the value is a bare IP address, or interface
+name, the default port 2377 will be used.
+
+This flag is generally not necessary when joining an existing swarm. If
+you're joining new nodes through a load balancer, you should use this flag to
+ensure the node advertises its IP address and not the IP address of the load
+balancer.
+
+### `--data-path-addr`
+
+This flag specifies the address that global scope network drivers will publish towards
+other nodes in order to reach the containers running on this node.
+Using this parameter it is then possible to separate the container's data traffic from the
+management traffic of the cluster.
+If unspecified, Docker will use the same IP address or interface that is used for the
+advertise address.
+
+### `--token string`
+
+Secret value required for nodes to join the swarm
+
+### `--availability`
+
+This flag specifies the availability of the node at the time the node joins a master.
+Possible availability values are `active`, `pause`, or `drain`.
+
+This flag is useful in certain situations. For example, a cluster may want to have
+dedicated manager nodes that are not served as worker nodes. This could be achieved
+by passing `--availability=drain` to `docker swarm join`.
+
+
+## Related commands
+
+* [swarm ca](swarm_ca.md)
+* [swarm init](swarm_init.md)
+* [swarm join-token](swarm_join_token.md)
+* [swarm leave](swarm_leave.md)
+* [swarm unlock](swarm_unlock.md)
+* [swarm unlock-key](swarm_unlock_key.md)
+* [swarm update](swarm_update.md)
diff --git a/cli/docs/reference/commandline/swarm_join_token.md b/cli/docs/reference/commandline/swarm_join_token.md
new file mode 100644
index 00000000..3786ebf2
--- /dev/null
+++ b/cli/docs/reference/commandline/swarm_join_token.md
@@ -0,0 +1,115 @@
+---
+title: "swarm join-token"
+description: "The swarm join-token command description and usage"
+keywords: "swarm, join-token"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# swarm join-token
+
+```markdown
+Usage:	docker swarm join-token [OPTIONS] (worker|manager)
+
+Manage join tokens
+
+Options:
+      --help     Print usage
+  -q, --quiet    Only display token
+      --rotate   Rotate join token
+```
+
+## Description
+
+Join tokens are secrets that allow a node to join the swarm. There are two
+different join tokens available, one for the worker role and one for the manager
+role. You pass the token using the `--token` flag when you run
+[swarm join](swarm_join.md). Nodes use the join token only when they join the
+swarm.
+
+## Examples
+
+You can view or rotate the join tokens using `swarm join-token`.
+
+As a convenience, you can pass `worker` or `manager` as an argument to
+`join-token` to print the full `docker swarm join` command to join a new node to
+the swarm:
+
+```bash
+$ docker swarm join-token worker
+To add a worker to this swarm, run the following command:
+
+    docker swarm join \
+    --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx \
+    172.17.0.2:2377
+
+$ docker swarm join-token manager
+To add a manager to this swarm, run the following command:
+
+    docker swarm join \
+    --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2 \
+    172.17.0.2:2377
+```
+
+Use the `--rotate` flag to generate a new join token for the specified role:
+
+```bash
+$ docker swarm join-token --rotate worker
+Successfully rotated worker join token.
+
+To add a worker to this swarm, run the following command:
+
+    docker swarm join \
+    --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-b30ljddcqhef9b9v4rs7mel7t \
+    172.17.0.2:2377
+```
+
+After using `--rotate`, only the new token will be valid for joining with the specified role.
+
+The `-q` (or `--quiet`) flag only prints the token:
+
+```bash
+$ docker swarm join-token -q worker
+
+SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-b30ljddcqhef9b9v4rs7mel7t
+```
+
+### `--rotate`
+
+Because tokens allow new nodes to join the swarm, you should keep them secret.
+Be particularly careful with manager tokens since they allow new manager nodes
+to join the swarm. A rogue manager has the potential to disrupt the operation of
+your swarm.
+
+Rotate your swarm's join token if a token gets checked-in to version control,
+stolen, or a node is compromised. You may also want to periodically rotate the
+token to ensure any unknown token leaks do not allow a rogue node to join
+the swarm.
+
+To rotate the join token and print the newly generated token, run
+`docker swarm join-token --rotate` and pass the role: `manager` or `worker`.
+
+Rotating a join-token means that no new nodes will be able to join the swarm
+using the old token. Rotation does not affect existing nodes in the swarm
+because the join token is only used for authorizing new nodes joining the swarm.
+
+### `--quiet`
+
+Only print the token. Do not print a complete command for joining.
+
+## Related commands
+
+* [swarm ca](swarm_ca.md)
+* [swarm init](swarm_init.md)
+* [swarm join](swarm_join.md)
+* [swarm leave](swarm_leave.md)
+* [swarm unlock](swarm_unlock.md)
+* [swarm unlock-key](swarm_unlock_key.md)
+* [swarm update](swarm_update.md)
diff --git a/cli/docs/reference/commandline/swarm_leave.md b/cli/docs/reference/commandline/swarm_leave.md
new file mode 100644
index 00000000..d0469e78
--- /dev/null
+++ b/cli/docs/reference/commandline/swarm_leave.md
@@ -0,0 +1,72 @@
+---
+title: "swarm leave"
+description: "The swarm leave command description and usage"
+keywords: "swarm, leave"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# swarm leave
+
+```markdown
+Usage:	docker swarm leave [OPTIONS]
+
+Leave the swarm
+
+Options:
+  -f, --force   Force this node to leave the swarm, ignoring warnings
+      --help    Print usage
+```
+
+## Description
+
+When you run this command on a worker, that worker leaves the swarm.
+
+You can use the `--force` option on a manager to remove it from the swarm.
+However, this does not reconfigure the swarm to ensure that there are enough
+managers to maintain a quorum in the swarm. The safe way to remove a manager
+from a swarm is to demote it to a worker and then direct it to leave the quorum
+without using `--force`. Only use `--force` in situations where the swarm will
+no longer be used after the manager leaves, such as in a single-node swarm.
+
+## Examples
+
+Consider the following swarm, as seen from the manager:
+
+```bash
+$ docker node ls
+ID                           HOSTNAME  STATUS  AVAILABILITY  MANAGER STATUS
+7ln70fl22uw2dvjn2ft53m3q5    worker2   Ready   Active
+dkp8vy1dq1kxleu9g4u78tlag    worker1   Ready   Active
+dvfxp4zseq4s0rih1selh0d20 *  manager1  Ready   Active        Leader
+```
+
+To remove `worker2`, issue the following command from `worker2` itself:
+
+```bash
+$ docker swarm leave
+Node left the default swarm.
+```
+
+The node will still appear in the node list, and marked as `down`. It no longer
+affects swarm operation, but a long list of `down` nodes can clutter the node
+list. To remove an inactive node from the list, use the [`node rm`](node_rm.md)
+command.
+
+## Related commands
+
+* [swarm ca](swarm_ca.md)
+* [node rm](node_rm.md)
+* [swarm init](swarm_init.md)
+* [swarm join](swarm_join.md)
+* [swarm join-token](swarm_join_token.md)
+* [swarm unlock](swarm_unlock.md)
+* [swarm unlock-key](swarm_unlock_key.md)
+* [swarm update](swarm_update.md)
diff --git a/cli/docs/reference/commandline/swarm_unlock.md b/cli/docs/reference/commandline/swarm_unlock.md
new file mode 100644
index 00000000..7b00c49a
--- /dev/null
+++ b/cli/docs/reference/commandline/swarm_unlock.md
@@ -0,0 +1,49 @@
+---
+title: "swarm unlock"
+description: "The swarm unlock command description and usage"
+keywords: "swarm, unlock"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# swarm unlock
+
+```markdown
+Usage:	docker swarm unlock
+
+Unlock swarm
+
+Options:
+      --help   Print usage
+```
+
+## Description
+
+Unlocks a locked manager using a user-supplied unlock key. This command must be
+used to reactivate a manager after its Docker daemon restarts if the autolock
+setting is turned on. The unlock key is printed at the time when autolock is
+enabled, and is also available from the `docker swarm unlock-key` command.
+
+## Examples
+
+```bash
+$ docker swarm unlock
+Please enter unlock key:
+```
+
+## Related commands
+
+* [swarm ca](swarm_ca.md)
+* [swarm init](swarm_init.md)
+* [swarm join](swarm_join.md)
+* [swarm join-token](swarm_join_token.md)
+* [swarm leave](swarm_leave.md)
+* [swarm unlock-key](swarm_unlock_key.md)
+* [swarm update](swarm_update.md)
diff --git a/cli/docs/reference/commandline/swarm_unlock_key.md b/cli/docs/reference/commandline/swarm_unlock_key.md
new file mode 100644
index 00000000..a6267221
--- /dev/null
+++ b/cli/docs/reference/commandline/swarm_unlock_key.md
@@ -0,0 +1,92 @@
+---
+title: "swarm unlock-key"
+description: "The swarm unlock-keycommand description and usage"
+keywords: "swarm, unlock-key"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# swarm unlock-key
+
+```markdown
+Usage:	docker swarm unlock-key [OPTIONS]
+
+Manage the unlock key
+
+Options:
+      --help     Print usage
+  -q, --quiet    Only display token
+      --rotate   Rotate unlock key
+```
+
+## Description
+
+An unlock key is a secret key needed to unlock a manager after its Docker daemon
+restarts. These keys are only used when the autolock feature is enabled for the
+swarm.
+
+You can view or rotate the unlock key using `swarm unlock-key`. To view the key,
+run the `docker swarm unlock-key` command without any arguments:
+
+## Examples
+
+```bash
+$ docker swarm unlock-key
+
+To unlock a swarm manager after it restarts, run the `docker swarm unlock`
+command and provide the following key:
+
+    SWMKEY-1-fySn8TY4w5lKcWcJPIpKufejh9hxx5KYwx6XZigx3Q4
+
+Please remember to store this key in a password manager, since without it you
+will not be able to restart the manager.
+```
+
+Use the `--rotate` flag to rotate the unlock key to a new, randomly-generated
+key:
+
+```bash
+$ docker swarm unlock-key --rotate
+Successfully rotated manager unlock key.
+
+To unlock a swarm manager after it restarts, run the `docker swarm unlock`
+command and provide the following key:
+
+    SWMKEY-1-7c37Cc8654o6p38HnroywCi19pllOnGtbdZEgtKxZu8
+
+Please remember to store this key in a password manager, since without it you
+will not be able to restart the manager.
+```
+
+The `-q` (or `--quiet`) flag only prints the key:
+
+```bash
+$ docker swarm unlock-key -q
+SWMKEY-1-7c37Cc8654o6p38HnroywCi19pllOnGtbdZEgtKxZu8
+```
+
+### `--rotate`
+
+This flag rotates the unlock key, replacing it with a new randomly-generated
+key. The old unlock key will no longer be accepted.
+
+### `--quiet`
+
+Only print the unlock key, without instructions.
+
+## Related commands
+
+* [swarm ca](swarm_ca.md)
+* [swarm init](swarm_init.md)
+* [swarm join](swarm_join.md)
+* [swarm join-token](swarm_join_token.md)
+* [swarm leave](swarm_leave.md)
+* [swarm unlock](swarm_unlock.md)
+* [swarm update](swarm_update.md)
diff --git a/cli/docs/reference/commandline/swarm_update.md b/cli/docs/reference/commandline/swarm_update.md
new file mode 100644
index 00000000..9caea3c7
--- /dev/null
+++ b/cli/docs/reference/commandline/swarm_update.md
@@ -0,0 +1,52 @@
+---
+title: "swarm update"
+description: "The swarm update command description and usage"
+keywords: "swarm, update"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# swarm update
+
+```markdown
+Usage:  docker swarm update [OPTIONS]
+
+Update the swarm
+
+Options:
+      --autolock                        Change manager autolocking setting (true|false)
+      --cert-expiry duration            Validity period for node certificates (ns|us|ms|s|m|h) (default 2160h0m0s)
+      --dispatcher-heartbeat duration   Dispatcher heartbeat period (ns|us|ms|s|m|h) (default 5s)
+      --external-ca external-ca         Specifications of one or more certificate signing endpoints
+      --help                            Print usage
+      --max-snapshots uint              Number of additional Raft snapshots to retain
+      --snapshot-interval uint          Number of log entries between Raft snapshots (default 10000)
+      --task-history-limit int          Task history retention limit (default 5)
+```
+
+## Description
+
+Updates a swarm with new parameter values. This command must target a manager node.
+
+## Examples
+
+```bash
+$ docker swarm update --cert-expiry 720h
+```
+
+## Related commands
+
+* [swarm ca](swarm_ca.md)
+* [swarm init](swarm_init.md)
+* [swarm join](swarm_join.md)
+* [swarm join-token](swarm_join_token.md)
+* [swarm leave](swarm_leave.md)
+* [swarm unlock](swarm_unlock.md)
+* [swarm unlock-key](swarm_unlock_key.md)
diff --git a/cli/docs/reference/commandline/system.md b/cli/docs/reference/commandline/system.md
new file mode 100644
index 00000000..2ccc6f7f
--- /dev/null
+++ b/cli/docs/reference/commandline/system.md
@@ -0,0 +1,37 @@
+---
+title: "system"
+description: "The system command description and usage"
+keywords: "system"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# system
+
+```markdown
+Usage:  docker system COMMAND
+
+Manage Docker
+
+Options:
+      --help   Print usage
+
+Commands:
+  df          Show docker disk usage
+  events      Get real time events from the server
+  info        Display system-wide information
+  prune       Remove unused data
+
+Run 'docker system COMMAND --help' for more information on a command.
+```
+
+## Description
+
+Manage Docker.
diff --git a/cli/docs/reference/commandline/system_df.md b/cli/docs/reference/commandline/system_df.md
new file mode 100644
index 00000000..4641ad6d
--- /dev/null
+++ b/cli/docs/reference/commandline/system_df.md
@@ -0,0 +1,140 @@
+---
+title: "system df"
+description: "The system df command description and usage"
+keywords: "system, data, usage, disk"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# system df
+
+```markdown
+Usage:	docker system df [OPTIONS]
+
+Show docker filesystem usage
+
+Options:
+      --format string   Pretty-print images using a Go template
+      --help            Print usage
+  -v, --verbose         Show detailed information on space usage
+```
+
+## Description
+
+The `docker system df` command displays information regarding the
+amount of disk space used by the docker daemon.
+
+## Examples
+
+By default the command will just show a summary of the data used:
+
+```bash
+$ docker system df
+
+TYPE                TOTAL               ACTIVE              SIZE                RECLAIMABLE
+Images              5                   2                   16.43 MB            11.63 MB (70%)
+Containers          2                   0                   212 B               212 B (100%)
+Local Volumes       2                   1                   36 B                0 B (0%)
+```
+
+A more detailed view can be requested using the `-v, --verbose` flag:
+
+```bash
+$ docker system df -v
+
+Images space usage:
+
+REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE                SHARED SIZE         UNIQUE SIZE         CONTAINERS
+my-curl             latest              b2789dd875bf        6 minutes ago       11 MB               11 MB               5 B                 0
+my-jq               latest              ae67841be6d0        6 minutes ago       9.623 MB            8.991 MB            632.1 kB            0
+<none>              <none>              a0971c4015c1        6 minutes ago       11 MB               11 MB               0 B                 0
+alpine              latest              4e38e38c8ce0        9 weeks ago         4.799 MB            0 B                 4.799 MB            1
+alpine              3.3                 47cf20d8c26c        9 weeks ago         4.797 MB            4.797 MB            0 B                 1
+
+Containers space usage:
+
+CONTAINER ID        IMAGE               COMMAND             LOCAL VOLUMES       SIZE                CREATED             STATUS                      NAMES
+4a7f7eebae0f        alpine:latest       "sh"                1                   0 B                 16 minutes ago      Exited (0) 5 minutes ago    hopeful_yalow
+f98f9c2aa1ea        alpine:3.3          "sh"                1                   212 B               16 minutes ago      Exited (0) 48 seconds ago   anon-vol
+
+Local Volumes space usage:
+
+NAME                                                               LINKS               SIZE
+07c7bdf3e34ab76d921894c2b834f073721fccfbbcba792aa7648e3a7a664c2e   2                   36 B
+my-named-vol                                                       0                   0 B
+```
+
+* `SHARED SIZE` is the amount of space that an image shares with another one (i.e. their common data)
+* `UNIQUE SIZE` is the amount of space that is only used by a given image
+* `SIZE` is the virtual size of the image, it is the sum of `SHARED SIZE` and `UNIQUE SIZE`
+
+> **Note**: Network information is not shown because it doesn't consume the disk
+> space.
+
+## Performance
+
+The `system df` command can be very resource-intensive. It traverses the
+filesystem of every image, container, and volume in the system. You should be
+careful running this command in systems with lots of images, containers, or
+volumes or in systems where some images, containers, or volumes have very large
+filesystems with many files. You should also be careful not to run this command
+in systems where performance is critical.
+
+## Format the output
+
+The formatting option (`--format`) pretty prints the disk usage output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+| Placeholder    | Description                                |
+| -------------- | ------------------------------------------ |
+| `.Type`        | `Images`, `Containers` and `Local Volumes` |
+| `.TotalCount`  | Total number of items                      |
+| `.Active`      | Number of active items                     |
+| `.Size`        | Available size                             |
+| `.Reclaimable` | Reclaimable size                           |
+
+When using the `--format` option, the `system df` command outputs
+the data exactly as the template declares or, when using the
+`table` directive, will include column headers as well.
+
+The following example uses a template without headers and outputs the
+`Type` and `TotalCount` entries separated by a colon:
+
+```bash
+$ docker system df --format "{{.Type}}: {{.TotalCount}}"
+
+Images: 2
+Containers: 4
+Local Volumes: 1
+```
+
+To list the disk usage with size and reclaimable size in a table format you
+can use:
+
+```bash
+$ docker system df --format "table {{.Type}}\t{{.Size}}\t{{.Reclaimable}}"
+
+TYPE                SIZE                RECLAIMABLE
+Images              2.547 GB            2.342 GB (91%)
+Containers          0 B                 0 B
+Local Volumes       150.3 MB            150.3 MB (100%)
+<Paste>
+```
+
+**Note** the format option is meaningless when verbose is true.
+
+## Related commands
+* [system prune](system_prune.md)
+* [container prune](container_prune.md)
+* [volume prune](volume_prune.md)
+* [image prune](image_prune.md)
+* [network prune](network_prune.md)
diff --git a/cli/docs/reference/commandline/system_events.md b/cli/docs/reference/commandline/system_events.md
new file mode 100644
index 00000000..847bc68a
--- /dev/null
+++ b/cli/docs/reference/commandline/system_events.md
@@ -0,0 +1,345 @@
+---
+title: "system events"
+description: "The system events command description and usage"
+keywords: "system, events, container, report"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# system events
+
+```markdown
+Usage:  docker system events [OPTIONS]
+
+Get real time events from the server
+
+Options:
+  -f, --filter value   Filter output based on conditions provided (default [])
+      --format string  Format the output using the given Go template
+      --help           Print usage
+      --since string   Show all events created since timestamp
+      --until string   Stream events until this timestamp
+```
+
+## Description
+
+Use `docker system events` to get real-time events from the server. These
+events differ per Docker object type.
+
+### Object types
+
+#### Containers
+
+Docker containers report the following events:
+
+- `attach`
+- `commit`
+- `copy`
+- `create`
+- `destroy`
+- `detach`
+- `die`
+- `exec_create`
+- `exec_detach`
+- `exec_start`
+- `export`
+- `health_status`
+- `kill`
+- `oom`
+- `pause`
+- `rename`
+- `resize`
+- `restart`
+- `start`
+- `stop`
+- `top`
+- `unpause`
+- `update`
+
+#### Images
+
+Docker images report the following events:
+
+- `delete`
+- `import`
+- `load`
+- `pull`
+- `push`
+- `save`
+- `tag`
+- `untag`
+
+#### Plugins
+
+Docker plugins report the following events:
+
+- `install`
+- `enable`
+- `disable`
+- `remove`
+
+#### Volumes
+
+Docker volumes report the following events:
+
+- `create`
+- `mount`
+- `unmount`
+- `destroy`
+
+#### Networks
+
+Docker networks report the following events:
+
+- `create`
+- `connect`
+- `disconnect`
+- `destroy`
+
+#### Daemons
+
+Docker daemons report the following events:
+
+- `reload`
+
+### Limiting, filtering, and formatting the output
+
+#### Limit events by time
+
+The `--since` and `--until` parameters can be Unix timestamps, date formatted
+timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed
+relative to the client machine’s time. If you do not provide the `--since` option,
+the command returns only new and/or live events.  Supported formats for date
+formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
+`2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
+timezone on the client will be used if you do not provide either a `Z` or a
+`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
+that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
+seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
+fraction of a second no more than nine digits long.
+
+#### Filtering
+
+The filtering flag (`-f` or `--filter`) format is of "key=value". If you would
+like to use multiple filters, pass multiple flags (e.g.,
+`--filter "foo=bar" --filter "bif=baz"`)
+
+Using the same filter multiple times will be handled as a *OR*; for example
+`--filter container=588a23dac085 --filter container=a8f7720b8c22` will display
+events for container 588a23dac085 *OR* container a8f7720b8c22
+
+Using multiple filters will be handled as a *AND*; for example
+`--filter container=588a23dac085 --filter event=start` will display events for
+container container 588a23dac085 *AND* the event type is *start*
+
+The currently supported filters are:
+
+* container (`container=<name or id>`)
+* daemon (`daemon=<name or id>`)
+* event (`event=<event action>`)
+* image (`image=<tag or id>`)
+* label (`label=<key>` or `label=<key>=<value>`)
+* network (`network=<name or id>`)
+* plugin (`plugin=<name or id>`)
+* type (`type=<container or image or volume or network or daemon or plugin>`)
+* volume (`volume=<name or id>`)
+
+#### Format
+
+If a format (`--format`) is specified, the given template will be executed
+instead of the default
+format. Go's [text/template](http://golang.org/pkg/text/template/) package
+describes all the details of the format.
+
+If a format is set to `{{json .}}`, the events are streamed as valid JSON
+Lines. For information about JSON Lines, please refer to http://jsonlines.org/ .
+
+## Examples
+
+### Basic example
+
+You'll need two shells for this example.
+
+**Shell 1: Listening for events:**
+
+```bash
+$ docker system events
+```
+
+**Shell 2: Start and Stop containers:**
+
+```bash
+$ docker create --name test alpine:latest top
+$ docker start test
+$ docker stop test
+```
+
+**Shell 1: (Again .. now showing events):**
+
+```none
+2017-01-05T00:35:58.859401177+08:00 container create 0fdb48addc82871eb34eb23a847cfd033dedd1a0a37bef2e6d9eb3870fc7ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1f5ceda09d4300f3a846f0acfaa9a8bb0d89e775eb744c5acecd60e0529e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:09.830268747+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:36:09.840186338+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:36:09.880113663+08:00 network disconnect e2e...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:09.890214053+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+```
+
+To exit the `docker system events` command, use `CTRL+C`.
+
+### Filter events by time
+
+You can filter the output by an absolute timestamp or relative time on the host
+machine, using the following different time syntaxes:
+
+```bash
+$ docker system events --since 1483283804
+2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
+2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:09.830268747+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:36:09.840186338+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:36:09.880113663+08:00 network disconnect e2e...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:09.890214053+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker system events --since '2017-01-05'
+2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
+2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:09.830268747+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:36:09.840186338+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:36:09.880113663+08:00 network disconnect e2e...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:09.890214053+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker system events --since '2013-09-03T15:49:29'
+2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
+2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:09.830268747+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:36:09.840186338+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:36:09.880113663+08:00 network disconnect e2e...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:09.890214053+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker system events --since '10m'
+2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
+2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
+2017-01-05T00:36:04.703631903+08:00 network connect e2e1...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:04.795031609+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:36:09.830268747+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:36:09.840186338+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:36:09.880113663+08:00 network disconnect e2e...29e2 (container=0fdb...ff37, name=bridge, type=bridge)
+2017-01-05T00:36:09.890214053+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+```
+
+### Filter events by criteria
+
+The following commands show several different ways to filter the `docker event`
+output.
+
+```bash
+$ docker system events --filter 'event=stop'
+
+2017-01-05T00:40:22.880175420+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:41:17.888104182+08:00 container stop 2a8f...4e78 (image=alpine, name=kickass_brattain)
+
+$ docker system events --filter 'image=alpine'
+
+2017-01-05T00:41:55.784240236+08:00 container create d9cd...4d70 (image=alpine, name=happy_meitner)
+2017-01-05T00:41:55.913156783+08:00 container start d9cd...4d70 (image=alpine, name=happy_meitner)
+2017-01-05T00:42:01.106875249+08:00 container kill d9cd...4d70 (image=alpine, name=happy_meitner, signal=15)
+2017-01-05T00:42:11.111934041+08:00 container kill d9cd...4d70 (image=alpine, name=happy_meitner, signal=9)
+2017-01-05T00:42:11.119578204+08:00 container die d9cd...4d70 (exitCode=137, image=alpine, name=happy_meitner)
+2017-01-05T00:42:11.173276611+08:00 container stop d9cd...4d70 (image=alpine, name=happy_meitner)
+
+$ docker system events --filter 'container=test'
+
+2017-01-05T00:43:00.139719934+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:43:09.259951086+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=15)
+2017-01-05T00:43:09.270102715+08:00 container die 0fdb...ff37 (exitCode=143, image=alpine:latest, name=test)
+2017-01-05T00:43:09.312556440+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker system events --filter 'container=test' --filter 'container=d9cdb1525ea8'
+
+2017-01-05T00:44:11.517071981+08:00 container start 0fdb...ff37 (image=alpine:latest, name=test)
+2017-01-05T00:44:17.685870901+08:00 container start d9cd...4d70 (image=alpine, name=happy_meitner)
+2017-01-05T00:44:29.757658470+08:00 container kill 0fdb...ff37 (image=alpine:latest, name=test, signal=9)
+2017-01-05T00:44:29.767718510+08:00 container die 0fdb...ff37 (exitCode=137, image=alpine:latest, name=test)
+2017-01-05T00:44:29.815798344+08:00 container destroy 0fdb...ff37 (image=alpine:latest, name=test)
+
+$ docker system events --filter 'container=test' --filter 'event=stop'
+
+2017-01-05T00:46:13.664099505+08:00 container stop a9d1...e130 (image=alpine, name=test)
+
+$ docker system events --filter 'type=volume'
+
+2015-12-23T21:05:28.136212689Z volume create test-event-volume-local (driver=local)
+2015-12-23T21:05:28.383462717Z volume mount test-event-volume-local (read/write=true, container=562f...5025, destination=/foo, driver=local, propagation=rprivate)
+2015-12-23T21:05:28.650314265Z volume unmount test-event-volume-local (container=562f...5025, driver=local)
+2015-12-23T21:05:28.716218405Z volume destroy test-event-volume-local (driver=local)
+
+$ docker system events --filter 'type=network'
+
+2015-12-23T21:38:24.705709133Z network create 8b11...2c5b (name=test-event-network-local, type=bridge)
+2015-12-23T21:38:25.119625123Z network connect 8b11...2c5b (name=test-event-network-local, container=b4be...c54e, type=bridge)
+
+$ docker system events --filter 'container=container_1' --filter 'container=container_2'
+
+2014-09-03T15:49:29.999999999Z07:00 container die 4386fb97867d (image=ubuntu-1:14.04)
+2014-05-10T17:42:14.999999999Z07:00 container stop 4386fb97867d (image=ubuntu-1:14.04)
+2014-05-10T17:42:14.999999999Z07:00 container die 7805c1d35632 (imager=redis:2.8)
+2014-09-03T15:49:29.999999999Z07:00 container stop 7805c1d35632 (image=redis:2.8)
+
+$ docker system events --filter 'type=volume'
+
+2015-12-23T21:05:28.136212689Z volume create test-event-volume-local (driver=local)
+2015-12-23T21:05:28.383462717Z volume mount test-event-volume-local (read/write=true, container=562fe10671e9273da25eed36cdce26159085ac7ee6707105fd534866340a5025, destination=/foo, driver=local, propagation=rprivate)
+2015-12-23T21:05:28.650314265Z volume unmount test-event-volume-local (container=562fe10671e9273da25eed36cdce26159085ac7ee6707105fd534866340a5025, driver=local)
+2015-12-23T21:05:28.716218405Z volume destroy test-event-volume-local (driver=local)
+
+$ docker system events --filter 'type=network'
+
+2015-12-23T21:38:24.705709133Z network create 8b111217944ba0ba844a65b13efcd57dc494932ee2527577758f939315ba2c5b (name=test-event-network-local, type=bridge)
+2015-12-23T21:38:25.119625123Z network connect 8b111217944ba0ba844a65b13efcd57dc494932ee2527577758f939315ba2c5b (name=test-event-network-local, container=b4be644031a3d90b400f88ab3d4bdf4dc23adb250e696b6328b85441abe2c54e, type=bridge)
+
+$ docker system events --filter 'type=plugin'
+
+2016-07-25T17:30:14.825557616Z plugin pull ec7b87f2ce84330fe076e666f17dfc049d2d7ae0b8190763de94e1f2d105993f (name=tiborvass/sample-volume-plugin:latest)
+2016-07-25T17:30:14.888127370Z plugin enable ec7b87f2ce84330fe076e666f17dfc049d2d7ae0b8190763de94e1f2d105993f (name=tiborvass/sample-volume-plugin:latest)
+```
+
+### Format the output
+
+```bash
+$ docker system events --filter 'type=container' --format 'Type={{.Type}}  Status={{.Status}}  ID={{.ID}}'
+
+Type=container  Status=create  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+Type=container  Status=attach  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+Type=container  Status=start  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+Type=container  Status=resize  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+Type=container  Status=die  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+Type=container  Status=destroy  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+```
+
+#### Format as JSON
+
+```none
+    $ docker system events --format '{{json .}}'
+
+    {"status":"create","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
+    {"status":"attach","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
+    {"Type":"network","Action":"connect","Actor":{"ID":"1b50a5bf755f6021dfa78e..
+    {"status":"start","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f42..
+    {"status":"resize","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
+```
diff --git a/cli/docs/reference/commandline/system_prune.md b/cli/docs/reference/commandline/system_prune.md
new file mode 100644
index 00000000..db31ef2a
--- /dev/null
+++ b/cli/docs/reference/commandline/system_prune.md
@@ -0,0 +1,155 @@
+---
+title: "system prune"
+description: "Remove unused data"
+keywords: "system, prune, delete, remove"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# system prune
+
+```markdown
+Usage:	docker system prune [OPTIONS]
+
+Remove unused data
+
+Options:
+  -a, --all             Remove all unused images not just dangling ones
+      --filter filter   Provide filter values (e.g. 'label=<key>=<value>')
+  -f, --force           Do not prompt for confirmation
+      --help            Print usage
+      --volumes         Prune volumes
+```
+
+## Description
+
+Remove all unused containers, networks, images (both dangling and unreferenced),
+and optionally, volumes.
+
+## Examples
+
+```bash
+$ docker system prune
+
+WARNING! This will remove:
+        - all stopped containers
+        - all networks not used by at least one container
+        - all dangling images
+        - all build cache
+Are you sure you want to continue? [y/N] y
+
+Deleted Containers:
+f44f9b81948b3919590d5f79a680d8378f1139b41952e219830a33027c80c867
+792776e68ac9d75bce4092bc1b5cc17b779bc926ab04f4185aec9bf1c0d4641f
+
+Deleted Networks:
+network1
+network2
+
+Deleted Images:
+untagged: hello-world@sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f
+deleted: sha256:1815c82652c03bfd8644afda26fb184f2ed891d921b20a0703b46768f9755c57
+deleted: sha256:45761469c965421a92a69cc50e92c01e0cfa94fe026cdd1233445ea00e96289a
+
+Total reclaimed space: 1.84kB
+```
+
+By default, volumes are not removed to prevent important data from being
+deleted if there is currently no container using the volume. Use the `--volumes`
+flag when running the command to prune volumes as well:
+
+```bash
+$ docker system prune -a --volumes
+
+WARNING! This will remove:
+        - all stopped containers
+        - all networks not used by at least one container
+        - all volumes not used by at least one container
+        - all images without at least one container associated to them
+        - all build cache
+Are you sure you want to continue? [y/N] y
+
+Deleted Containers:
+0998aa37185a1a7036b0e12cf1ac1b6442dcfa30a5c9650a42ed5010046f195b
+73958bfb884fa81fa4cc6baf61055667e940ea2357b4036acbbe25a60f442a4d
+
+Deleted Networks:
+my-network-a
+my-network-b
+
+Deleted Volumes:
+named-vol
+
+Deleted Images:
+untagged: my-curl:latest
+deleted: sha256:7d88582121f2a29031d92017754d62a0d1a215c97e8f0106c586546e7404447d
+deleted: sha256:dd14a93d83593d4024152f85d7c63f76aaa4e73e228377ba1d130ef5149f4d8b
+untagged: alpine:3.3
+deleted: sha256:695f3d04125db3266d4ab7bbb3c6b23aa4293923e762aa2562c54f49a28f009f
+untagged: alpine:latest
+deleted: sha256:ee4603260daafe1a8c2f3b78fd760922918ab2441cbb2853ed5c439e59c52f96
+deleted: sha256:9007f5987db353ec398a223bc5a135c5a9601798ba20a1abba537ea2f8ac765f
+deleted: sha256:71fa90c8f04769c9721459d5aa0936db640b92c8c91c9b589b54abd412d120ab
+deleted: sha256:bb1c3357b3c30ece26e6604aea7d2ec0ace4166ff34c3616701279c22444c0f3
+untagged: my-jq:latest
+deleted: sha256:6e66d724542af9bc4c4abf4a909791d7260b6d0110d8e220708b09e4ee1322e1
+deleted: sha256:07b3fa89d4b17009eb3988dfc592c7d30ab3ba52d2007832dffcf6d40e3eda7f
+deleted: sha256:3a88a5c81eb5c283e72db2dbc6d65cbfd8e80b6c89bb6e714cfaaa0eed99c548
+
+Total reclaimed space: 13.5 MB
+```
+
+> **Note**: The `--volumes` option was added in Docker 17.06.1. Older versions
+> of Docker prune volumes by default, along with other Docker objects. On older
+> versions, run `docker container prune`, `docker network prune`, and
+> `docker image prune` separately to remove unused containers, networks, and
+> images, without removing volumes.
+
+
+### Filtering
+
+The filtering flag (`--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* until (`<timestamp>`) - only remove containers, images, and networks created before given timestamp
+* label (`label=<key>`, `label=<key>=<value>`, `label!=<key>`, or `label!=<key>=<value>`) - only remove containers, images, networks, and volumes with (or without, in case `label!=...` is used) the specified labels.
+
+The `until` filter can be Unix timestamps, date formatted
+timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed
+relative to the daemon machine’s time. Supported formats for date
+formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
+`2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
+timezone on the daemon will be used if you do not provide either a `Z` or a
+`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
+that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
+seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
+fraction of a second no more than nine digits long.
+
+The `label` filter accepts two formats. One is the `label=...` (`label=<key>` or `label=<key>=<value>`),
+which removes containers, images, networks, and volumes with the specified labels. The other
+format is the `label!=...` (`label!=<key>` or `label!=<key>=<value>`), which removes
+containers, images, networks, and volumes without the specified labels.
+
+## Related commands
+
+* [volume create](volume_create.md)
+* [volume ls](volume_ls.md)
+* [volume inspect](volume_inspect.md)
+* [volume rm](volume_rm.md)
+* [volume prune](volume_prune.md)
+* [Understand Data Volumes](https://docs.docker.com/engine/tutorials/dockervolumes/)
+* [system df](system_df.md)
+* [container prune](container_prune.md)
+* [image prune](image_prune.md)
+* [network prune](network_prune.md)
+* [system prune](system_prune.md)
diff --git a/cli/docs/reference/commandline/tag.md b/cli/docs/reference/commandline/tag.md
new file mode 100644
index 00000000..44dc864b
--- /dev/null
+++ b/cli/docs/reference/commandline/tag.md
@@ -0,0 +1,84 @@
+---
+title: "tag"
+description: "The tag command description and usage"
+keywords: "tag, name, image"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# tag
+
+```markdown
+Usage:  docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
+
+Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
+
+Options:
+      --help   Print usage
+```
+
+## Description
+
+An image name is made up of slash-separated name components, optionally prefixed
+by a registry hostname. The hostname must comply with standard DNS rules, but
+may not contain underscores. If a hostname is present, it may optionally be
+followed by a port number in the format `:8080`. If not present, the command
+uses Docker's public registry located at `registry-1.docker.io` by default. Name
+components may contain lowercase letters, digits and separators. A separator
+is defined as a period, one or two underscores, or one or more dashes. A name
+component may not start or end with a separator.
+
+A tag name must be valid ASCII and may contain lowercase and uppercase letters,
+digits, underscores, periods and dashes. A tag name may not start with a
+period or a dash and may contain a maximum of 128 characters.
+
+You can group your images together using names and tags, and then upload them
+to [*Share Images via Repositories*](https://docs.docker.com/engine/tutorials/dockerrepos/#/contributing-to-docker-hub).
+
+## Examples
+
+### Tag an image referenced by ID
+
+To tag a local image with ID "0e5574283393" into the "fedora" repository with
+"version1.0":
+
+```bash
+$ docker tag 0e5574283393 fedora/httpd:version1.0
+```
+
+### Tag an image referenced by Name
+
+To tag a local image with name "httpd" into the "fedora" repository with
+"version1.0":
+
+```bash
+$ docker tag httpd fedora/httpd:version1.0
+```
+
+Note that since the tag name is not specified, the alias is created for an
+existing local version `httpd:latest`.
+
+### Tag an image referenced by Name and Tag
+
+To tag a local image with name "httpd" and tag "test" into the "fedora"
+repository with "version1.0.test":
+
+```bash
+$ docker tag httpd:test fedora/httpd:version1.0.test
+```
+
+### Tag an image for a private repository
+
+To push an image to a private registry and not the central Docker
+registry you must tag it with the registry hostname and port (if needed).
+
+```bash
+$ docker tag 0e5574283393 myregistryhost:5000/fedora/httpd:version1.0
+```
diff --git a/cli/docs/reference/commandline/top.md b/cli/docs/reference/commandline/top.md
new file mode 100644
index 00000000..baf74698
--- /dev/null
+++ b/cli/docs/reference/commandline/top.md
@@ -0,0 +1,25 @@
+---
+title: "top"
+description: "The top command description and usage"
+keywords: "container, running, processes"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# top
+
+```markdown
+Usage:  docker top CONTAINER [ps OPTIONS]
+
+Display the running processes of a container
+
+Options:
+      --help   Print usage
+```
diff --git a/cli/docs/reference/commandline/trust_inspect.md b/cli/docs/reference/commandline/trust_inspect.md
new file mode 100644
index 00000000..4d1663d7
--- /dev/null
+++ b/cli/docs/reference/commandline/trust_inspect.md
@@ -0,0 +1,470 @@
+---
+title: "trust inspect"
+description: "The inspect command description and usage"
+keywords: "inspect, notary, trust"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# trust inspect
+
+```markdown
+Usage:  docker trust inspect IMAGE[:TAG] [IMAGE[:TAG]...]
+
+Return low-level information about keys and signatures
+
+Options:
+      --help            Print usage
+      --pretty          Print the information in a human friendly format
+```
+
+## Description
+
+`docker trust inspect` provides low-level JSON information on signed repositories.
+This includes all image tags that are signed, who signed them, and who can sign
+new tags.
+
+## Examples
+
+### Get low-level details about signatures for a single image tag
+
+Use the `docker trust inspect` to get trust information about an image. The
+following example prints trust information for the `alpine:latest` image:
+
+```bash
+$ docker trust inspect alpine:latest
+[
+  {
+    "Name": "alpine:latest",
+    "SignedTags": [
+      {
+        "SignedTag": "latest",
+        "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
+        "Signers": [
+          "Repo Admin"
+        ]
+      }
+    ],
+    "Signers": [],
+    "AdminstrativeKeys": [
+      {
+        "Name": "Repository",
+        "Keys": [
+            {
+                "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
+            }
+        ]
+      },
+      {
+        "Name": "Root",
+        "Keys": [
+            {
+                "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
+            }
+        ]
+      }
+    ]
+  }
+]
+```
+
+The `SignedTags` key will list the `SignedTag` name, its `Digest`,
+and the `Signers` responsible for the signature.
+
+`AdministrativeKeys` will list the `Repository` and `Root` keys.
+
+If signers are set up for the repository via other `docker trust`
+commands, `docker trust inspect` includes a `Signers` key:
+
+```bash
+$ docker trust inspect my-image:purple
+[
+  {
+    "Name": "my-image:purple",
+    "SignedTags": [
+      {
+        "SignedTag": "purple",
+        "Digest": "941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557",
+        "Signers": [
+          "alice",
+          "bob",
+          "carol"
+        ]
+      }
+    ],
+    "Signers": [
+      {
+        "Name": "alice",
+        "Keys": [
+            {
+                "ID": "04dd031411ed671ae1e12f47ddc8646d98f135090b01e54c3561e843084484a3"
+            },
+            {
+                "ID": "6a11e4898a4014d400332ab0e096308c844584ff70943cdd1d6628d577f45fd8"
+            }
+        ]
+      },
+      {
+        "Name": "bob",
+        "Keys": [
+            {
+                "ID": "433e245c656ae9733cdcc504bfa560f90950104442c4528c9616daa45824ccba"
+            }
+        ]
+      },
+      {
+        "Name": "carol",
+        "Keys": [
+            {
+                "ID": "d32fa8b5ca08273a2880f455fcb318da3dc80aeae1a30610815140deef8f30d9"
+            },
+            {
+                "ID": "9a8bbec6ba2af88a5fad6047d428d17e6d05dbdd03d15b4fc8a9a0e8049cd606"
+            }
+        ]
+      }
+    ],
+    "AdminstrativeKeys": [
+      {
+        "Name": "Repository",
+        "Keys": [
+            {
+                "ID": "27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44"
+            }
+        ]
+      },
+      {
+        "Name": "Root",
+        "Keys": [
+            {
+                "ID": "40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f"
+            }
+        ]
+      }
+    ]
+  }
+]
+```
+
+If the image tag is unsigned or unavailable, `docker trust inspect` does not
+display any signed tags.
+
+```bash
+$ docker trust inspect unsigned-img
+No signatures or cannot access unsigned-img
+```
+
+However, if other tags are signed in the same image repository,
+`docker trust inspect` reports relevant key information:
+
+```bash
+$ docker trust inspect alpine:unsigned
+[
+  {
+    "Name": "alpine:unsigned",
+    "Signers": [],
+    "AdminstrativeKeys": [
+      {
+        "Name": "Repository",
+        "Keys": [
+            {
+                "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
+            }
+        ]
+      },
+      {
+        "Name": "Root",
+        "Keys": [
+            {
+                "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
+            }
+        ]
+      }
+    ]
+  }
+]
+```
+
+### Get details about signatures for all image tags in a repository
+
+If no tag is specified, `docker trust inspect` will report details for all
+signed tags in the repository:
+
+```bash
+$ docker trust inspect alpine
+[
+    {
+        "Name": "alpine",
+        "SignedTags": [
+            {
+                "SignedTag": "3.5",
+                "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "3.6",
+                "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "edge",
+                "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "latest",
+                "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            }
+        ],
+        "Signers": [],
+        "AdminstrativeKeys": [
+            {
+                "Name": "Repository",
+                "Keys": [
+                    {
+                        "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
+                    }
+                ]
+            },
+            {
+                "Name": "Root",
+                "Keys": [
+                    {
+                        "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
+                    }
+                ]
+            }
+        ]
+    }
+]
+```
+
+
+### Get details about signatures for multiple images
+
+`docker trust inspect` can take multiple repositories and images as arguments,
+and reports the results in an ordered list:
+
+```bash
+$ docker trust inspect alpine notary
+[
+    {
+        "Name": "alpine",
+        "SignedTags": [
+            {
+                "SignedTag": "3.5",
+                "Digest": "b007a354427e1880de9cdba533e8e57382b7f2853a68a478a17d447b302c219c",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "3.6",
+                "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "edge",
+                "Digest": "23e7d843e63a3eee29b6b8cfcd10e23dd1ef28f47251a985606a31040bf8e096",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "integ-test-base",
+                "Digest": "3952dc48dcc4136ccdde37fbef7e250346538a55a0366e3fccc683336377e372",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "latest",
+                "Digest": "d6bfc3baf615dc9618209a8d607ba2a8103d9c8a405b3bd8741d88b4bef36478",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            }
+        ],
+        "Signers": [],
+        "AdminstrativeKeys": [
+            {
+                "Name": "Repository",
+                "Keys": [
+                    {
+                        "ID": "5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd"
+                    }
+                ]
+            },
+            {
+                "Name": "Root",
+                "Keys": [
+                    {
+                        "ID": "a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce"
+                    }
+                ]
+            }
+        ]
+    },
+    {
+        "Name": "notary",
+        "SignedTags": [
+            {
+                "SignedTag": "server",
+                "Digest": "71f64ab718a3331dee103bc5afc6bc492914738ce37c2d2f127a8133714ecf5c",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            },
+            {
+                "SignedTag": "signer",
+                "Digest": "a6122d79b1e74f70b5dd933b18a6d1f99329a4728011079f06b245205f158fe8",
+                "Signers": [
+                    "Repo Admin"
+                ]
+            }
+        ],
+        "Signers": [],
+        "AdminstrativeKeys": [
+            {
+                "Name": "Root",
+                "Keys": [
+                    {
+                        "ID": "8cdcdef5bd039f4ab5a029126951b5985eebf57cabdcdc4d21f5b3be8bb4ce92"
+                    }
+                ]
+            },
+            {
+                "Name": "Repository",
+                "Keys": [
+                    {
+                        "ID": "85bfd031017722f950d480a721f845a2944db26a3dc084040a70f1b0d9bbb3df"
+                    }
+                ]
+            }
+        ]
+    }
+]
+```
+
+### Formatting
+
+You can print the inspect output in a human-readable format instead of the default
+JSON output, by using the `--pretty` option:
+
+### Get details about signatures for a single image tag
+
+```bash
+$ docker trust inspect --pretty alpine:latest
+
+SIGNED TAG          DIGEST                                                             SIGNERS
+latest              1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
+
+Administrative keys for alpine:latest:
+Repository Key:	5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key:	a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+```
+
+The `SIGNED TAG` is the signed image tag with a unique content-addressable
+`DIGEST`. `SIGNERS` lists all entities who have signed.
+
+The administrative keys listed specify the root key of trust, as well as
+the administrative repository key. These keys are responsible for modifying
+signers, and rotating keys for the signed repository.
+
+If signers are set up for the repository via other `docker trust` commands,
+`docker trust inspect --pretty` displays them appropriately as a `SIGNER`
+and specify their `KEYS`:
+
+```bash
+$ docker trust inspect --pretty my-image:purple
+SIGNED TAG          DIGEST                                                              SIGNERS
+purple              941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557    alice, bob, carol
+
+List of signers and their keys:
+
+SIGNER              KEYS
+alice               47caae5b3e61, a85aab9d20a4
+bob                 034370bcbd77, 82a66673242c
+carol               b6f9f8e1aab0
+
+Administrative keys for my-image:
+Repository Key:	27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
+Root Key:	40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
+```
+
+However, if other tags are signed in the same image repository,
+`docker trust inspect` reports relevant key information.
+
+```bash
+$ docker trust inspect --pretty alpine:unsigned
+
+No signatures for alpine:unsigned
+
+
+Administrative keys for alpine:unsigned:
+Repository Key:	5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key:	a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+```
+
+### Get details about signatures for all image tags in a repository
+
+```bash
+$ docker trust inspect --pretty alpine
+SIGNED TAG          DIGEST                                                             SIGNERS
+2.6                 9ace551613070689a12857d62c30ef0daa9a376107ec0fff0e34786cedb3399b   (Repo Admin)
+2.7                 9f08005dff552038f0ad2f46b8e65ff3d25641747d3912e3ea8da6785046561a   (Repo Admin)
+3.1                 d9477888b78e8c6392e0be8b2e73f8c67e2894ff9d4b8e467d1488fcceec21c8   (Repo Admin)
+3.2                 19826d59171c2eb7e90ce52bfd822993bef6a6fe3ae6bb4a49f8c1d0a01e99c7   (Repo Admin)
+3.3                 8fd4b76819e1e5baac82bd0a3d03abfe3906e034cc5ee32100d12aaaf3956dc7   (Repo Admin)
+3.4                 833ad81ace8277324f3ca8c91c02bdcf1d13988d8ecf8a3f97ecdd69d0390ce9   (Repo Admin)
+3.5                 af2a5bd2f8de8fc1ecabf1c76611cdc6a5f1ada1a2bdd7d3816e121b70300308   (Repo Admin)
+3.6                 1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
+edge                79d50d15bd7ea48ea00cf3dd343b0e740c1afaa8e899bee475236ef338e1b53b   (Repo Admin)
+latest              1072e499f3f655a032e88542330cf75b02e7bdf673278f701d7ba61629ee3ebe   (Repo Admin)
+
+Administrative keys for alpine:
+Repository Key:	5a46c9aaa82ff150bb7305a2d17d0c521c2d784246807b2dc611f436a69041fd
+Root Key:	a2489bcac7a79aa67b19b96c4a3bf0c675ffdf00c6d2fabe1a5df1115e80adce
+```
+
+Here's an example with signers that are set up by `docker trust` commands:
+
+```bash
+$ docker trust inspect --pretty my-image
+SIGNED TAG          DIGEST                                                              SIGNERS
+red                 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943    alice
+blue                f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197    alice, bob
+green               cae8fedc840f90c8057e1c24637d11865743ab1e61a972c1c9da06ec2de9a139    alice, bob
+yellow              9cc65fc3126790e683d1b92f307a71f48f75fa7dd47a7b03145a123eaf0b45ba    carol
+purple              941d3dba358621ce3c41ef67b47cf80f701ff80cdf46b5cc86587eaebfe45557    alice, bob, carol
+orange              d6c271baa6d271bcc24ef1cbd65abf39123c17d2e83455bdab545a1a9093fc1c    alice
+
+List of signers and their keys for my-image:
+
+SIGNER              KEYS
+alice               47caae5b3e61, a85aab9d20a4
+bob                 034370bcbd77, 82a66673242c
+carol               b6f9f8e1aab0
+
+Administrative keys for my-image:
+Repository Key:	27df2c8187e7543345c2e0bf3a1262e0bc63a72754e9a7395eac3f747ec23a44
+Root Key:	40b66ccc8b176be8c7d365a17f3e046d1c3494e053dd57cfeacfe2e19c4f8e8f
+```
diff --git a/cli/docs/reference/commandline/trust_key_generate.md b/cli/docs/reference/commandline/trust_key_generate.md
new file mode 100644
index 00000000..f026b98a
--- /dev/null
+++ b/cli/docs/reference/commandline/trust_key_generate.md
@@ -0,0 +1,67 @@
+---
+title: "key generate"
+description: "The key generate command description and usage"
+keywords: "key, notary, trust"
+---
+
+<!-- This file is maintained within the docker/cli Github
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# trust key generate
+
+```markdown
+Usage:  docker trust key generate NAME
+
+Generate and load a signing key-pair
+
+Options:
+      --dir string   Directory to generate key in, defaults to current directory
+      --help         Print usage
+```
+
+## Description
+
+`docker trust key generate` generates a key-pair to be used with signing,
+ and loads the private key into the local docker trust keystore.
+
+## Examples
+
+### Generate a key-pair
+
+```bash
+$ docker trust key generate alice
+
+Generating key for alice...
+Enter passphrase for new alice key with ID 17acf3c:
+Repeat passphrase for new alice key with ID 17acf3c:
+Successfully generated and loaded private key. Corresponding public key available: alice.pub
+$ ls
+alice.pub
+
+```
+
+The private signing key is encrypted by the passphrase and loaded into the docker trust keystore.
+All passphrase requests to sign with the key will be referred to by the provided `NAME`.
+
+The public key component `alice.pub` will be available in the current working directory, and can
+be used directly by `docker trust signer add`.
+
+Provide the `--dir` argument to specify a directory to generate the key in:
+
+```bash
+$ docker trust key generate alice --dir /foo
+
+Generating key for alice...
+Enter passphrase for new alice key with ID 17acf3c:
+Repeat passphrase for new alice key with ID 17acf3c:
+Successfully generated and loaded private key. Corresponding public key available: alice.pub
+$ ls /foo
+alice.pub
+
+```
diff --git a/cli/docs/reference/commandline/trust_key_load.md b/cli/docs/reference/commandline/trust_key_load.md
new file mode 100644
index 00000000..15047431
--- /dev/null
+++ b/cli/docs/reference/commandline/trust_key_load.md
@@ -0,0 +1,57 @@
+---
+title: "key load"
+description: "The key load command description and usage"
+keywords: "key, notary, trust"
+---
+
+<!-- This file is maintained within the docker/cli Github
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# trust key load
+
+```markdown
+Usage:	docker trust key load [OPTIONS] KEYFILE
+
+Load a private key file for signing
+
+Options:
+      --help          Print usage
+      --name string   Name for the loaded key (default "signer")
+```
+
+## Description
+
+`docker trust key load` adds private keys to the local docker trust keystore. To add a signer to a repository use `docker trust signer add`.
+
+## Examples
+
+### Load a single private key
+
+For a private key `alice.pem` with permissions `-rw-------`
+
+```bash
+$ docker trust key load alice.pem
+
+Loading key from "alice.pem"...
+Enter passphrase for new signer key with ID f8097df: 
+Repeat passphrase for new signer key with ID f8097df: 
+Successfully imported key from alice.pem
+
+```
+to specify a name use the `--name` flag
+
+```bash
+$ docker trust key load --name alice-key alice.pem
+
+Loading key from "alice.pem"...
+Enter passphrase for new alice-key key with ID f8097df: 
+Repeat passphrase for new alice-key key with ID f8097df: 
+Successfully imported key from alice.pem
+
+```
diff --git a/cli/docs/reference/commandline/trust_revoke.md b/cli/docs/reference/commandline/trust_revoke.md
new file mode 100644
index 00000000..799d6639
--- /dev/null
+++ b/cli/docs/reference/commandline/trust_revoke.md
@@ -0,0 +1,130 @@
+---
+title: "trust revoke"
+description: "The revoke command description and usage"
+keywords: "revoke, notary, trust"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# trust revoke
+
+```markdown
+Usage:  docker trust revoke [OPTIONS] IMAGE[:TAG]
+
+Remove trust for an image
+
+Options:
+      --help   Print usage
+  -y, --yes    Do not prompt for confirmation
+```
+
+## Description
+
+`docker trust revoke` removes signatures from tags in signed repositories.
+
+## Examples
+
+### Revoke signatures from a signed tag
+
+Here's an example of a repo with two signed tags:
+
+
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                              SIGNERS
+red                 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943    alice
+blue                f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197    alice, bob
+
+List of signers and their keys for example/trust-demo:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+When `alice`, one of the signers, runs `docker trust revoke`:
+
+```bash
+$ docker trust revoke example/trust-demo:red
+Enter passphrase for delegation key with ID 27d42a8:
+Successfully deleted signature for example/trust-demo:red
+```
+
+After revocation, the tag is removed from the list of released tags:
+
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                              SIGNERS
+blue                f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197    alice, bob
+
+List of signers and their keys for example/trust-demo:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+### Revoke signatures on all tags in a repository
+
+When no tag is specified, `docker trust` revokes all signatures that you have a signing key for.
+
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                              SIGNERS
+red                 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943    alice
+blue                f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197    alice, bob
+
+List of signers and their keys for example/trust-demo:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+When `alice`, one of the signers, runs `docker trust revoke`:
+
+```bash
+$ docker trust revoke example/trust-demo
+Please confirm you would like to delete all signature data for example/trust-demo? [y/N] y
+Enter passphrase for delegation key with ID 27d42a8:
+Successfully deleted signature for example/trust-demo
+```
+
+All tags that have `alice`'s signature on them are removed from the list of released tags:
+
+```bash
+$ docker trust view example/trust-demo
+
+No signatures for example/trust-demo
+
+
+List of signers and their keys for example/trust-demo:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
diff --git a/cli/docs/reference/commandline/trust_sign.md b/cli/docs/reference/commandline/trust_sign.md
new file mode 100644
index 00000000..0d422041
--- /dev/null
+++ b/cli/docs/reference/commandline/trust_sign.md
@@ -0,0 +1,184 @@
+---
+title: "trust sign"
+description: "The sign command description and usage"
+keywords: "sign, notary, trust"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# trust sign
+
+```markdown
+Usage:  docker trust sign [OPTIONS] IMAGE:TAG
+
+Sign an image
+
+Options:
+      --help    print usage
+      --local   force the signing of a local image
+
+```
+
+## Description
+
+`docker trust sign` adds signatures to tags to create signed repositories.
+
+## Examples
+
+### Sign a tag as a repo admin
+
+Given an image:
+
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41   (Repo Admin)
+
+Administrative keys for example/trust-demo:
+Repository Key:	36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942
+Root Key:	246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b
+```
+
+Sign a new tag with `docker trust sign`:
+
+```bash
+$ docker trust sign example/trust-demo:v2
+Signing and pushing trust metadata for example/trust-demo:v2
+The push refers to a repository [docker.io/example/trust-demo]
+eed4e566104a: Layer already exists
+77edfb6d1e3c: Layer already exists
+c69f806905c2: Layer already exists
+582f327616f1: Layer already exists
+a3fbb648f0bd: Layer already exists
+5eac2de68a97: Layer already exists
+8d4d1ab5ff74: Layer already exists
+v2: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787
+Signing and pushing trust metadata
+Enter passphrase for repository key with ID 36d4c36:
+Successfully signed docker.io/example/trust-demo:v2
+```
+
+`docker trust view` lists the new signature:
+
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  c24134c079c35e698060beabe110bb83ab285d0d978de7d92fed2c8c83570a41   (Repo Admin)
+v2                  8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56   (Repo Admin)
+
+Administrative keys for example/trust-demo:
+Repository Key:	36d4c3601102fa7c5712a343c03b94469e5835fb27c191b529c06fd19c14a942
+Root Key:	246d360f7c53a9021ee7d4259e3c5692f3f1f7ad4737b1ea8c7b8da741ad980b
+```
+
+### Sign a tag as a signer
+
+Given an image:
+
+```bash
+$ docker trust view example/trust-demo
+
+No signatures for example/trust-demo
+
+
+List of signers and their keys for example/trust-demo:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+Sign a new tag with `docker trust sign`:
+
+```bash
+$ docker trust sign example/trust-demo:v1
+Signing and pushing trust metadata for example/trust-demo:v1
+The push refers to a repository [docker.io/example/trust-demo]
+26b126eb8632: Layer already exists
+220d34b5f6c9: Layer already exists
+8a5132998025: Layer already exists
+aca233ed29c3: Layer already exists
+e5d2f035d7a4: Layer already exists
+v1: digest: sha256:74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4 size: 1357
+Signing and pushing trust metadata
+Enter passphrase for delegation key with ID 27d42a8:
+Successfully signed docker.io/example/trust-demo:v1
+```
+
+`docker trust view` lists the new signature:
+
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   alice
+
+List of signers and their keys for example/trust-demo:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+## Initialize a new repo and sign a tag
+
+When signing an image on a repo for the first time, `docker trust sign` sets up new keys before signing the image.
+
+```bash
+$ docker trust view example/trust-demo
+No signatures or cannot access example/trust-demo
+```
+
+```bash
+$ docker trust sign example/trust-demo:v1
+Signing and pushing trust metadata for example/trust-demo:v1
+Enter passphrase for root key with ID 36cac18:
+Enter passphrase for new repository key with ID 731396b:
+Repeat passphrase for new repository key with ID 731396b:
+Enter passphrase for new alice key with ID 6d52b29:
+Repeat passphrase for new alice key with ID 6d52b29:
+Created signer: alice
+Finished initializing "docker.io/example/trust-demo"
+The push refers to a repository [docker.io/example/trust-demo]
+eed4e566104a: Layer already exists
+77edfb6d1e3c: Layer already exists
+c69f806905c2: Layer already exists
+582f327616f1: Layer already exists
+a3fbb648f0bd: Layer already exists
+5eac2de68a97: Layer already exists
+8d4d1ab5ff74: Layer already exists
+v1: digest: sha256:8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56 size: 1787
+Signing and pushing trust metadata
+Enter passphrase for alice key with ID 6d52b29:
+Successfully signed docker.io/example/trust-demo:v1
+```
+
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  8f6f460abf0436922df7eb06d28b3cdf733d2cac1a185456c26debbff0839c56   alice
+
+List of signers and their keys for example/trust-demo:
+
+SIGNER              KEYS
+alice               6d52b29d940f
+
+Administrative keys for example/trust-demo:
+Repository Key:	731396b65eac3ef5ec01406801bdfb70feb40c17808d2222427c18046eb63beb
+Root Key:	70d174714bd1461f6c58cb3ef39087c8fdc7633bb11a98af844fd9a04e208103
+```
+
diff --git a/cli/docs/reference/commandline/trust_signer_add.md b/cli/docs/reference/commandline/trust_signer_add.md
new file mode 100644
index 00000000..f9ae03b3
--- /dev/null
+++ b/cli/docs/reference/commandline/trust_signer_add.md
@@ -0,0 +1,211 @@
+---
+title: "signer add"
+description: "The signer add command description and usage"
+keywords: "signer, notary, trust"
+---
+
+<!-- This file is maintained within the docker/cli Github
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# trust signer add
+
+```markdown
+Usage:	docker trust signer add [OPTIONS] NAME REPOSITORY [REPOSITORY...]
+
+Add a signer
+
+Options:
+      --help       Print usage
+  -k, --key list   Path to the signer's public key file
+```
+
+## Description
+
+`docker trust signer add` adds signers to signed repositories.
+
+## Examples
+
+### Add a signer to a repo
+
+To add a new signer, `alice`, to this repository: 
+
+```bash
+$ docker trust view example/trust-demo
+
+No signatures for example/trust-demo
+
+
+List of signers and their keys:
+
+SIGNER              KEYS
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	642692c14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+Add `alice` with `docker trust signer add`:
+
+```bash
+$ docker trust signer add alice example/trust-demo --key alice.crt
+  Adding signer "alice" to example/trust-demo...
+  Enter passphrase for repository key with ID 642692c: 
+  Successfully added signer: alice to example/trust-demo
+```
+
+`docker trust view` now lists `alice` as a valid signer:
+
+```bash
+$ docker trust view example/trust-demo
+
+No signatures for example/trust-demo
+
+
+List of signers and their keys:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	642692c14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+## Initialize a new repo and add a signer
+
+When adding a signer on a repo for the first time, `docker trust signer add` sets up a new repo if it doesn't exist.
+
+```bash
+$ docker trust view example/trust-demo
+No signatures or cannot access example/trust-demo
+```
+
+```bash
+$ docker trust signer add alice example/trust-demo --key alice.crt
+ Initializing signed repository for example/trust-demo...
+ Enter passphrase for root key with ID 748121c: 
+ Enter passphrase for new repository key with ID 95b9e55: 
+ Repeat passphrase for new repository key with ID 95b9e55: 
+ Successfully initialized "example/trust-demo"
+ 
+ Adding signer "alice" to example/trust-demo...
+ Successfully added signer: alice to example/trust-demo
+```
+
+```bash
+$ docker trust view example/trust-demo
+
+No signatures for example/trust-demo
+
+
+SIGNED TAG          DIGEST                                                             SIGNERS
+
+List of signers and their keys:
+
+SIGNER              KEYS
+alice               6d52b29d940f
+
+Administrative keys for example/trust-demo:
+Repository Key:	95b9e5565eac3ef5ec01406801bdfb70feb40c17808d2222427c18046eb63beb
+Root Key:	748121c14bd1461f6c58cb3ef39087c8fdc7633bb11a98af844fd9a04e208103
+```
+
+## Add a signer to multiple repos
+To add a signer, `alice`, to multiple repositories: 
+
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   bob
+
+List of signers and their keys:
+
+SIGNER              KEYS
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+```bash
+$ docker trust view example/trust-demo2
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   bob
+
+List of signers and their keys:
+
+SIGNER              KEYS
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo2:
+Repository Key:	ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d9268
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+Add `alice` to both repositories with a single `docker trust signer add` command:
+
+```bash
+$ docker trust signer add alice example/trust-demo example/trust-demo2 --key alice.crt
+Adding signer "alice" to example/trust-demo...
+Enter passphrase for repository key with ID 95b9e55: 
+Successfully added signer: alice to example/trust-demo
+
+Adding signer "alice" to example/trust-demo2...
+Enter passphrase for repository key with ID ece554f: 
+Successfully added signer: alice to example/trust-demo2
+```
+`docker trust view` now lists `alice` as a valid signer of both `example/trust-demo` and `example/trust-demo2`:
+
+
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   bob
+
+List of signers and their keys:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	95b9e5514c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+```bash
+$ docker trust view example/trust-demo2
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   bob
+
+List of signers and their keys:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo2:
+Repository Key:	ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d9268
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+
+`docker trust signer add` adds signers to repositories on a best effort basis, so it will continue to add the signer to subsequent repositories if one attempt fails:
+
+```bash
+$ docker trust signer add alice example/unauthorized example/authorized --key alice.crt
+Adding signer "alice" to example/unauthorized...
+you are not authorized to perform this operation: server returned 401.
+
+Adding signer "alice" to example/authorized...
+Enter passphrase for repository key with ID c6772a0: 
+Successfully added signer: alice to example/authorized
+
+Failed to add signer to: example/unauthorized
+```
diff --git a/cli/docs/reference/commandline/trust_signer_remove.md b/cli/docs/reference/commandline/trust_signer_remove.md
new file mode 100644
index 00000000..e496db9d
--- /dev/null
+++ b/cli/docs/reference/commandline/trust_signer_remove.md
@@ -0,0 +1,172 @@
+---
+title: "signer remove"
+description: "The signer remove command description and usage"
+keywords: "signer, notary, trust"
+---
+
+<!-- This file is maintained within the docker/cli Github
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# trust signer remove
+
+```markdown
+Usage:	docker trust signer remove [OPTIONS] NAME REPOSITORY [REPOSITORY...]
+
+Remove a signer
+
+Options:
+  -f, --force   Do not prompt for confirmation before removing the most recent signer
+  --help        Print usage
+```
+
+## Description
+
+`docker trust signer remove` removes signers from signed repositories.
+
+## Examples
+
+### Remove a signer from a repo
+
+To remove an existing signer, `alice`, from this repository: 
+
+```bash
+$ docker trust view example/trust-demo
+
+No signatures for example/trust-demo
+
+
+List of signers and their keys:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+Remove `alice` with `docker trust signer remove`:
+
+```bash
+$ docker trust signer remove alice example/trust-demo
+  Removing signer "alice" from image example/trust-demo...
+  Enter passphrase for repository key with ID 642692c: 
+  Successfully removed alice from example/trust-demo
+
+```
+
+`docker trust view` now does not list `alice` as a valid signer:
+
+```bash
+$ docker trust view example/trust-demo
+
+No signatures for example/trust-demo
+
+
+List of signers and their keys:
+
+SIGNER              KEYS
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+### Remove a signer from multiple repos
+
+To remove an existing signer, `alice`, from multiple repositories: 
+
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   alice, bob
+
+List of signers and their keys:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	95b9e5514c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+```bash
+$ docker trust view example/trust-demo2
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   alice, bob
+
+List of signers and their keys:
+
+SIGNER              KEYS
+alice               05e87edcaecb
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo2:
+Repository Key:	ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d9268
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+Remove `alice` from both images with a single `docker trust signer remove` command:
+
+```bash
+$ docker trust signer remove alice example/trust-demo example/trust-demo2
+Removing signer "alice" from image example/trust-demo...
+Enter passphrase for repository key with ID 95b9e55: 
+Successfully removed alice from example/trust-demo
+
+Removing signer "alice" from image example/trust-demo2...
+Enter passphrase for repository key with ID ece554f: 
+Successfully removed alice from example/trust-demo2
+```
+`docker trust view` no longer lists `alice` as a valid signer of either `example/trust-demo` or `example/trust-demo2`:
+```bash
+$ docker trust view example/trust-demo
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   bob
+
+List of signers and their keys:
+
+SIGNER              KEYS
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo:
+Repository Key:	ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+```bash
+$ docker trust view example/trust-demo2
+SIGNED TAG          DIGEST                                                             SIGNERS
+v1                  74d4bfa917d55d53c7df3d2ab20a8d926874d61c3da5ef6de15dd2654fc467c4   bob
+
+List of signers and their keys:
+
+SIGNER              KEYS
+bob                 5600f5ab76a2
+
+Administrative keys for example/trust-demo2:
+Repository Key:	ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d9268
+Root Key:	3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
+```
+
+`docker trust signer remove` removes signers to repositories on a best effort basis, so it will continue to remove the signer from subsequent repositories if one attempt fails:
+
+```bash
+$ docker trust signer remove alice example/unauthorized example/authorized
+Removing signer "alice" from image example/unauthorized...
+No signer alice for image example/unauthorized
+
+Removing signer "alice" from image example/authorized...
+Enter passphrase for repository key with ID c6772a0: 
+Successfully removed alice from example/authorized
+
+Error removing signer from: example/unauthorized
+```
+
diff --git a/cli/docs/reference/commandline/unpause.md b/cli/docs/reference/commandline/unpause.md
new file mode 100644
index 00000000..90ce3910
--- /dev/null
+++ b/cli/docs/reference/commandline/unpause.md
@@ -0,0 +1,45 @@
+---
+title: "unpause"
+description: "The unpause command description and usage"
+keywords: "cgroups, suspend, container"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# unpause
+
+```markdown
+Usage:  docker unpause CONTAINER [CONTAINER...]
+
+Unpause all processes within one or more containers
+
+Options:
+      --help   Print usage
+```
+
+## Description
+
+The `docker unpause` command un-suspends all processes in the specified containers.
+On Linux, it does this using the cgroups freezer.
+
+See the
+[cgroups freezer documentation](https://www.kernel.org/doc/Documentation/cgroup-v1/freezer-subsystem.txt)
+for further details.
+
+## Examples
+
+```bash
+$ docker unpause my_container
+my_container
+```
+
+## Related commands
+
+* [pause](pause.md)
diff --git a/cli/docs/reference/commandline/update.md b/cli/docs/reference/commandline/update.md
new file mode 100644
index 00000000..50a6bb79
--- /dev/null
+++ b/cli/docs/reference/commandline/update.md
@@ -0,0 +1,127 @@
+---
+title: "update"
+description: "The update command description and usage"
+keywords: "resources, update, dynamically"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+## update
+
+```markdown
+Usage:  docker update [OPTIONS] CONTAINER [CONTAINER...]
+
+Update configuration of one or more containers
+
+Options:
+      --blkio-weight uint16         Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)
+      --cpu-period int              Limit CPU CFS (Completely Fair Scheduler) period
+      --cpu-quota int               Limit CPU CFS (Completely Fair Scheduler) quota
+      --cpu-rt-period int           Limit the CPU real-time period in microseconds
+      --cpu-rt-runtime int          Limit the CPU real-time runtime in microseconds
+  -c, --cpu-shares int              CPU shares (relative weight)
+      --cpus decimal                Number of CPUs (default 0.000)
+      --cpuset-cpus string          CPUs in which to allow execution (0-3, 0,1)
+      --cpuset-mems string          MEMs in which to allow execution (0-3, 0,1)
+      --help                        Print usage
+      --kernel-memory string        Kernel memory limit
+  -m, --memory string               Memory limit
+      --memory-reservation string   Memory soft limit
+      --memory-swap string          Swap limit equal to memory plus swap: '-1' to enable unlimited swap
+      --restart string              Restart policy to apply when a container exits
+```
+
+## Description
+
+The `docker update` command dynamically updates container configuration.
+You can use this command to prevent containers from consuming too many
+resources from their Docker host.  With a single command, you can place
+limits on a single container or on many. To specify more than one container,
+provide space-separated list of container names or IDs.
+
+With the exception of the `--kernel-memory` option, you can specify these
+options on a running or a stopped container. On kernel version older than
+4.6, you can only update `--kernel-memory` on a stopped container or on
+a running container with kernel memory initialized.
+
+> **Warning**: The `docker update` and `docker container update` commands are
+> not supported for Windows containers.
+{: .warning }
+
+## Examples
+
+The following sections illustrate ways to use this command.
+
+### Update a container's cpu-shares
+
+To limit a container's cpu-shares to 512, first identify the container
+name or ID. You can use `docker ps` to find these values. You can also
+use the ID returned from the `docker run` command.  Then, do the following:
+
+```bash
+$ docker update --cpu-shares 512 abebf7571666
+```
+
+### Update a container with cpu-shares and memory
+
+To update multiple resource configurations for multiple containers:
+
+```bash
+$ docker update --cpu-shares 512 -m 300M abebf7571666 hopeful_morse
+```
+
+### Update a container's kernel memory constraints
+
+You can update a container's kernel memory limit using the `--kernel-memory`
+option. On kernel version older than 4.6, this option can be updated on a
+running container only if the container was started with `--kernel-memory`.
+If the container was started *without* `--kernel-memory` you need to stop
+the container before updating kernel memory.
+
+For example, if you started a container with this command:
+
+```bash
+$ docker run -dit --name test --kernel-memory 50M ubuntu bash
+```
+
+You can update kernel memory while the container is running:
+
+```bash
+$ docker update --kernel-memory 80M test
+```
+
+If you started a container *without* kernel memory initialized:
+
+```bash
+$ docker run -dit --name test2 --memory 300M ubuntu bash
+```
+
+Update kernel memory of running container `test2` will fail. You need to stop
+the container before updating the `--kernel-memory` setting. The next time you
+start it, the container uses the new value.
+
+Kernel version newer than (include) 4.6 does not have this limitation, you
+can use `--kernel-memory` the same way as other options.
+
+### Update a container's restart policy
+
+You can change a container's restart policy on a running container. The new
+restart policy takes effect instantly after you run `docker update` on a
+container.
+
+To update restart policy for one or more containers:
+
+```bash
+$ docker update --restart=on-failure:3 abebf7571666 hopeful_morse
+```
+
+Note that if the container is started with "--rm" flag, you cannot update the restart
+policy for it. The `AutoRemove` and `RestartPolicy` are mutually exclusive for the
+container.
diff --git a/cli/docs/reference/commandline/version.md b/cli/docs/reference/commandline/version.md
new file mode 100644
index 00000000..c138052b
--- /dev/null
+++ b/cli/docs/reference/commandline/version.md
@@ -0,0 +1,75 @@
+---
+title: "version"
+description: "The version command description and usage"
+keywords: "version, architecture, api"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# version
+
+```markdown
+Usage:  docker version [OPTIONS]
+
+Show the Docker version information
+
+Options:
+  -f, --format string       Format the output using the given Go template
+      --help                Print usage
+      --kubeconfig string   Kubernetes config file
+```
+
+## Description
+
+By default, this will render all version information in an easy to read
+layout. If a format is specified, the given template will be executed instead.
+
+Go's [text/template](http://golang.org/pkg/text/template/) package
+describes all the details of the format.
+
+## Examples
+
+### Default output
+
+```bash
+$ docker version
+
+Client:
+Version:      1.8.0
+API version:  1.20
+Go version:   go1.4.2
+Git commit:   f5bae0a
+Built:        Tue Jun 23 17:56:00 UTC 2015
+OS/Arch:      linux/amd64
+
+Server:
+Version:      1.8.0
+API version:  1.20
+Go version:   go1.4.2
+Git commit:   f5bae0a
+Built:        Tue Jun 23 17:56:00 UTC 2015
+OS/Arch:      linux/amd64
+```
+
+### Get the server version
+
+```bash
+$ docker version --format '{{.Server.Version}}'
+
+1.8.0
+```
+
+### Dump raw JSON data
+
+```bash
+$ docker version --format '{{json .}}'
+
+{"Client":{"Version":"1.8.0","ApiVersion":"1.20","GitCommit":"f5bae0a","GoVersion":"go1.4.2","Os":"linux","Arch":"amd64","BuildTime":"Tue Jun 23 17:56:00 UTC 2015"},"ServerOK":true,"Server":{"Version":"1.8.0","ApiVersion":"1.20","GitCommit":"f5bae0a","GoVersion":"go1.4.2","Os":"linux","Arch":"amd64","KernelVersion":"3.13.2-gentoo","BuildTime":"Tue Jun 23 17:56:00 UTC 2015"}}
+```
diff --git a/cli/docs/reference/commandline/volume.md b/cli/docs/reference/commandline/volume.md
new file mode 100644
index 00000000..a49fc5e7
--- /dev/null
+++ b/cli/docs/reference/commandline/volume.md
@@ -0,0 +1,48 @@
+---
+title: "volume"
+description: "The volume command description and usage"
+keywords: "volume"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# volume
+
+```markdown
+Usage:  docker volume COMMAND
+
+Manage volumes
+
+Options:
+      --help   Print usage
+
+Commands:
+  create      Create a volume
+  inspect     Display detailed information on one or more volumes
+  ls          List volumes
+  prune       Remove all unused local volumes
+  rm          Remove one or more volumes
+
+Run 'docker volume COMMAND --help' for more information on a command.
+```
+
+## Description
+
+Manage volumes. You can use subcommands to create, inspect, list, remove, or
+prune volumes.
+
+## Related commands
+
+* [volume create](volume_create.md)
+* [volume inspect](volume_inspect.md)
+* [volume list](volume_list.md)
+* [volume rm](volume_rm.md)
+* [volume prune](volume_prune.md)
+* [Understand Data Volumes](https://docs.docker.com/engine/tutorials/dockervolumes/)
diff --git a/cli/docs/reference/commandline/volume_create.md b/cli/docs/reference/commandline/volume_create.md
new file mode 100644
index 00000000..226eec78
--- /dev/null
+++ b/cli/docs/reference/commandline/volume_create.md
@@ -0,0 +1,125 @@
+---
+title: "volume create"
+description: "The volume create command description and usage"
+keywords: "volume, create"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# volume create
+
+```markdown
+Usage:  docker volume create [OPTIONS] [VOLUME]
+
+Create a volume
+
+Options:
+  -d, --driver string   Specify volume driver name (default "local")
+      --help            Print usage
+      --label value     Set metadata for a volume (default [])
+  -o, --opt value       Set driver specific options (default map[])
+```
+
+## Description
+
+Creates a new volume that containers can consume and store data in. If a name is
+not specified, Docker generates a random name.
+
+## Examples
+
+Create a volume and then configure the container to use it:
+
+```bash
+$ docker volume create hello
+
+hello
+
+$ docker run -d -v hello:/world busybox ls /world
+```
+
+The mount is created inside the container's `/world` directory. Docker does not
+support relative paths for mount points inside the container.
+
+Multiple containers can use the same volume in the same time period. This is
+useful if two containers need access to shared data. For example, if one
+container writes and the other reads the data.
+
+Volume names must be unique among drivers. This means you cannot use the same
+volume name with two different drivers. If you attempt this `docker` returns an
+error:
+
+```none
+A volume named  "hello"  already exists with the "some-other" driver. Choose a different volume name.
+```
+
+If you specify a volume name already in use on the current driver, Docker
+assumes you want to re-use the existing volume and does not return an error.
+
+### Driver-specific options
+
+Some volume drivers may take options to customize the volume creation. Use the
+`-o` or `--opt` flags to pass driver options:
+
+```bash
+$ docker volume create --driver fake \
+    --opt tardis=blue \
+    --opt timey=wimey \
+    foo
+```
+
+These options are passed directly to the volume driver. Options for
+different volume drivers may do different things (or nothing at all).
+
+The built-in `local` driver on Windows does not support any options.
+
+The built-in `local` driver on Linux accepts options similar to the linux
+`mount` command. You can provide multiple options by passing the `--opt` flag
+multiple times. Some `mount` options (such as the `o` option) can take a
+comma-separated list of options. Complete list of available mount options can be
+found [here](http://man7.org/linux/man-pages/man8/mount.8.html).
+
+For example, the following creates a `tmpfs` volume called `foo` with a size of
+100 megabyte and `uid` of 1000.
+
+```bash
+$ docker volume create --driver local \
+    --opt type=tmpfs \
+    --opt device=tmpfs \
+    --opt o=size=100m,uid=1000 \
+    foo
+```
+
+Another example that uses `btrfs`:
+
+```bash
+$ docker volume create --driver local \
+    --opt type=btrfs \
+    --opt device=/dev/sda2 \
+    foo
+```
+
+Another example that uses `nfs` to mount the `/path/to/dir` in `rw` mode from
+`192.168.1.1`:
+
+```bash
+$ docker volume create --driver local \
+    --opt type=nfs \
+    --opt o=addr=192.168.1.1,rw \
+    --opt device=:/path/to/dir \
+    foo
+```
+
+## Related commands
+
+* [volume inspect](volume_inspect.md)
+* [volume ls](volume_ls.md)
+* [volume rm](volume_rm.md)
+* [volume prune](volume_prune.md)
+* [Understand Data Volumes](https://docs.docker.com/engine/tutorials/dockervolumes/)
diff --git a/cli/docs/reference/commandline/volume_inspect.md b/cli/docs/reference/commandline/volume_inspect.md
new file mode 100644
index 00000000..b5debc59
--- /dev/null
+++ b/cli/docs/reference/commandline/volume_inspect.md
@@ -0,0 +1,61 @@
+---
+title: "volume inspect"
+description: "The volume inspect command description and usage"
+keywords: "volume, inspect"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# volume inspect
+
+```markdown
+Usage:  docker volume inspect [OPTIONS] VOLUME [VOLUME...]
+
+Display detailed information on one or more volumes
+
+Options:
+  -f, --format string   Format the output using the given Go template
+      --help            Print usage
+```
+
+## Description
+
+Returns information about a volume. By default, this command renders all results
+in a JSON array. You can specify an alternate format to execute a
+given template for each result. Go's
+[text/template](http://golang.org/pkg/text/template/) package describes all the
+details of the format.
+
+## Examples
+
+```bash
+$ docker volume create
+85bffb0677236974f93955d8ecc4df55ef5070117b0e53333cc1b443777be24d
+$ docker volume inspect 85bffb0677236974f93955d8ecc4df55ef5070117b0e53333cc1b443777be24d
+[
+  {
+      "Name": "85bffb0677236974f93955d8ecc4df55ef5070117b0e53333cc1b443777be24d",
+      "Driver": "local",
+      "Mountpoint": "/var/lib/docker/volumes/85bffb0677236974f93955d8ecc4df55ef5070117b0e53333cc1b443777be24d/_data",
+      "Status": null
+  }
+]
+
+$ docker volume inspect --format '{{ .Mountpoint }}' 85bffb0677236974f93955d8ecc4df55ef5070117b0e53333cc1b443777be24d
+/var/lib/docker/volumes/85bffb0677236974f93955d8ecc4df55ef5070117b0e53333cc1b443777be24d/_data
+```
+
+## Related commands
+
+* [volume create](volume_create.md)
+* [volume ls](volume_ls.md)
+* [volume rm](volume_rm.md)
+* [volume prune](volume_prune.md)
+* [Understand Data Volumes](https://docs.docker.com/engine/tutorials/dockervolumes/)
diff --git a/cli/docs/reference/commandline/volume_ls.md b/cli/docs/reference/commandline/volume_ls.md
new file mode 100644
index 00000000..53a526a0
--- /dev/null
+++ b/cli/docs/reference/commandline/volume_ls.md
@@ -0,0 +1,199 @@
+---
+title: "volume ls"
+description: "The volume ls command description and usage"
+keywords: "volume, list"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# volume ls
+
+```markdown
+Usage:  docker volume ls [OPTIONS]
+
+List volumes
+
+Aliases:
+  ls, list
+
+Options:
+  -f, --filter value   Provide filter values (e.g. 'dangling=true') (default [])
+                       - dangling=<boolean> a volume if referenced or not
+                       - driver=<string> a volume's driver name
+                       - label=<key> or label=<key>=<value>
+                       - name=<string> a volume's name
+      --format string  Pretty-print volumes using a Go template
+      --help           Print usage
+  -q, --quiet          Only display volume names
+```
+
+## Description
+
+List all the volumes known to Docker. You can filter using the `-f` or
+`--filter` flag. Refer to the [filtering](#filtering) section for more
+information about available filter options.
+
+## Examples
+
+### Create a volume
+```bash
+$ docker volume create rosemary
+
+rosemary
+
+$ docker volume create tyler
+
+tyler
+
+$ docker volume ls
+
+DRIVER              VOLUME NAME
+local               rosemary
+local               tyler
+```
+
+### Filtering
+
+The filtering flag (`-f` or `--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* dangling (boolean - true or false, 0 or 1)
+* driver (a volume driver's name)
+* label (`label=<key>` or `label=<key>=<value>`)
+* name (a volume's name)
+
+#### dangling
+
+The `dangling` filter matches on all volumes not referenced by any containers
+
+```bash
+$ docker run -d  -v tyler:/tmpwork  busybox
+
+f86a7dd02898067079c99ceacd810149060a70528eff3754d0b0f1a93bd0af18
+$ docker volume ls -f dangling=true
+DRIVER              VOLUME NAME
+local               rosemary
+```
+
+#### driver
+
+The `driver` filter matches volumes based on their driver.
+
+The following example matches volumes that are created with the `local` driver:
+
+```bash
+$ docker volume ls -f driver=local
+
+DRIVER              VOLUME NAME
+local               rosemary
+local               tyler
+```
+
+#### label
+
+The `label` filter matches volumes based on the presence of a `label` alone or
+a `label` and a value.
+
+First, let's create some volumes to illustrate this;
+
+```bash
+$ docker volume create the-doctor --label is-timelord=yes
+
+the-doctor
+$ docker volume create daleks --label is-timelord=no
+
+daleks
+```
+
+The following example filter matches volumes with the `is-timelord` label
+regardless of its value.
+
+```bash
+$ docker volume ls --filter label=is-timelord
+
+DRIVER              VOLUME NAME
+local               daleks
+local               the-doctor
+```
+
+As the above example demonstrates, both volumes with `is-timelord=yes`, and
+`is-timelord=no` are returned.
+
+Filtering on both `key` *and* `value` of the label, produces the expected result:
+
+```bash
+$ docker volume ls --filter label=is-timelord=yes
+
+DRIVER              VOLUME NAME
+local               the-doctor
+```
+
+Specifying multiple label filter produces an "and" search; all conditions
+should be met;
+
+```bash
+$ docker volume ls --filter label=is-timelord=yes --filter label=is-timelord=no
+
+DRIVER              VOLUME NAME
+```
+
+#### name
+
+The `name` filter matches on all or part of a volume's name.
+
+The following filter matches all volumes with a name containing the `rose` string.
+
+```bash
+$ docker volume ls -f name=rose
+
+DRIVER              VOLUME NAME
+local               rosemary
+```
+
+### Formatting
+
+The formatting options (`--format`) pretty-prints volumes output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+Placeholder   | Description
+--------------|------------------------------------------------------------------------------------------
+`.Name`       | Volume name
+`.Driver`     | Volume driver
+`.Scope`      | Volume scope (local, global)
+`.Mountpoint` | The mount point of the volume on the host
+`.Labels`     | All labels assigned to the volume
+`.Label`      | Value of a specific label for this volume. For example `{{.Label "project.version"}}`
+
+When using the `--format` option, the `volume ls` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, includes column headers as well.
+
+The following example uses a template without headers and outputs the
+`Name` and `Driver` entries separated by a colon for all volumes:
+
+```bash
+$ docker volume ls --format "{{.Name}}: {{.Driver}}"
+
+vol1: local
+vol2: local
+vol3: local
+```
+
+## Related commands
+
+* [volume create](volume_create.md)
+* [volume inspect](volume_inspect.md)
+* [volume rm](volume_rm.md)
+* [volume prune](volume_prune.md)
+* [Understand Data Volumes](https://docs.docker.com/engine/tutorials/dockervolumes/)
diff --git a/cli/docs/reference/commandline/volume_prune.md b/cli/docs/reference/commandline/volume_prune.md
new file mode 100644
index 00000000..8d002381
--- /dev/null
+++ b/cli/docs/reference/commandline/volume_prune.md
@@ -0,0 +1,73 @@
+---
+title: "volume prune"
+description: "Remove unused local volumes"
+keywords: "volume, prune, delete"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# volume prune
+
+```markdown
+Usage:	docker volume prune [OPTIONS]
+
+Remove all unused local volumes
+
+Options:
+      --filter filter   Provide filter values (e.g. 'label=<label>')
+  -f, --force           Do not prompt for confirmation
+      --help            Print usage
+```
+
+## Description
+
+Remove all unused local volumes. Unused local volumes are those which are not referenced by any containers
+
+## Examples
+
+```bash
+$ docker volume prune
+
+WARNING! This will remove all local volumes not used by at least one container.
+Are you sure you want to continue? [y/N] y
+Deleted Volumes:
+07c7bdf3e34ab76d921894c2b834f073721fccfbbcba792aa7648e3a7a664c2e
+my-named-vol
+
+Total reclaimed space: 36 B
+```
+
+## Filtering
+
+The filtering flag (`--filter`) format is of "key=value". If there is more
+than one filter, then pass multiple flags (e.g., `--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* label (`label=<key>`, `label=<key>=<value>`, `label!=<key>`, or `label!=<key>=<value>`) - only remove volumes with (or without, in case `label!=...` is used) the specified labels.
+
+The `label` filter accepts two formats. One is the `label=...` (`label=<key>` or `label=<key>=<value>`),
+which removes volumes with the specified labels. The other
+format is the `label!=...` (`label!=<key>` or `label!=<key>=<value>`), which removes
+volumes without the specified labels.
+
+
+## Related commands
+
+* [volume create](volume_create.md)
+* [volume ls](volume_ls.md)
+* [volume inspect](volume_inspect.md)
+* [volume rm](volume_rm.md)
+* [Understand Data Volumes](https://docs.docker.com/engine/tutorials/dockervolumes/)
+* [system df](system_df.md)
+* [container prune](container_prune.md)
+* [image prune](image_prune.md)
+* [network prune](network_prune.md)
+* [system prune](system_prune.md)
diff --git a/cli/docs/reference/commandline/volume_rm.md b/cli/docs/reference/commandline/volume_rm.md
new file mode 100644
index 00000000..d3d19f36
--- /dev/null
+++ b/cli/docs/reference/commandline/volume_rm.md
@@ -0,0 +1,48 @@
+---
+title: "volume rm"
+description: "the volume rm command description and usage"
+keywords: "volume, rm"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# volume rm
+
+```markdown
+Usage:  docker volume rm [OPTIONS] VOLUME [VOLUME...]
+
+Remove one or more volumes
+
+Aliases:
+  rm, remove
+
+Options:
+  -f, --force  Force the removal of one or more volumes
+      --help   Print usage
+```
+
+## Description
+
+Remove one or more volumes. You cannot remove a volume that is in use by a container.
+
+## Examples
+
+```bash
+  $ docker volume rm hello
+  hello
+```
+
+## Related commands
+
+* [volume create](volume_create.md)
+* [volume inspect](volume_inspect.md)
+* [volume ls](volume_ls.md)
+* [volume prune](volume_prune.md)
+* [Understand Data Volumes](https://docs.docker.com/engine/tutorials/dockervolumes/)
diff --git a/cli/docs/reference/commandline/wait.md b/cli/docs/reference/commandline/wait.md
new file mode 100644
index 00000000..e1bede9e
--- /dev/null
+++ b/cli/docs/reference/commandline/wait.md
@@ -0,0 +1,58 @@
+---
+title: "wait"
+description: "The wait command description and usage"
+keywords: "container, stop, wait"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# wait
+
+```markdown
+Usage:  docker wait CONTAINER [CONTAINER...]
+
+Block until one or more containers stop, then print their exit codes
+
+Options:
+      --help        Print usage
+```
+
+> **Note**: `docker wait` returns `0` when run against a container which had
+> already exited before the `docker wait` command was run.
+
+## Examples
+
+Start a container in the background.
+
+```bash
+$ docker run -dit --name=my_container ubuntu bash
+```
+
+Run `docker wait`, which should block until the container exits.
+
+```bash
+$ docker wait my_container
+```
+
+In another terminal, stop the first container. The `docker wait` command above
+returns the exit code.
+
+```bash
+$ docker stop my_container
+```
+
+This is the same `docker wait` command from above, but it now exits, returning
+`0`.
+
+```bash
+$ docker wait my_container
+
+0
+```
diff --git a/cli/docs/reference/glossary.md b/cli/docs/reference/glossary.md
new file mode 100644
index 00000000..84963f38
--- /dev/null
+++ b/cli/docs/reference/glossary.md
@@ -0,0 +1,373 @@
+---
+description: "Glossary of terms used around Docker"
+keywords: "glossary, docker, terms, definitions"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Glossary
+
+A list of terms used around the Docker project.
+
+## aufs
+
+aufs (advanced multi layered unification filesystem) is a Linux [filesystem](#filesystem) that
+Docker supports as a storage backend. It implements the
+[union mount](http://en.wikipedia.org/wiki/Union_mount) for Linux file systems.
+
+## base image
+
+An image that has no parent is a **base image**.
+
+## boot2docker
+
+[boot2docker](http://boot2docker.io/) is a lightweight Linux distribution made
+specifically to run Docker containers. The boot2docker management tool for Mac and Windows was deprecated and replaced by [`docker-machine`](#machine) which you can install with the Docker Toolbox.
+
+## bridge
+
+In terms of generic networking, a bridge is a Link Layer device which forwards
+traffic between network segments. A bridge can be a hardware device or a
+software device running within a host machine's kernel.
+
+In terms of Docker, a bridge network uses a software bridge which allows
+containers connected to the same bridge network to communicate, while providing
+isolation from containers which are not connected to that bridge network.
+The Docker bridge driver automatically installs rules in the host machine so
+that containers on different bridge networks cannot communicate directly with
+each other.
+
+The default bridge network, which is also named `bridge`, behaves differently
+from user-defined bridge networks. Containers connected to the default `bridge`
+network can communicate with each other across the bridge by IP address but
+cannot resolve each other's container name to an IP address unless they are
+explicitly linked using the `--link` flag to `docker run`.
+
+For more information about Docker networking, see
+[Understand container communication](https://docs.docker.com/engine/userguide/networking/default_network/container-communication/).
+
+## btrfs
+
+btrfs (B-tree file system) is a Linux [filesystem](#filesystem) that Docker
+supports as a storage backend. It is a [copy-on-write](http://en.wikipedia.org/wiki/Copy-on-write)
+filesystem.
+
+## build
+
+build is the process of building Docker images using a [Dockerfile](#dockerfile).
+The build uses a Dockerfile and a "context". The context is the set of files in the
+directory in which the image is built.
+
+## cgroups
+
+cgroups is a Linux kernel feature that limits, accounts for, and isolates
+the resource usage (CPU, memory, disk I/O, network, etc.) of a collection
+of processes. Docker relies on cgroups to control and isolate resource limits.
+
+*Also known as : control groups*
+
+## Compose
+
+[Compose](https://github.com/docker/compose) is a tool for defining and
+running complex applications with Docker. With compose, you define a
+multi-container application in a single file, then spin your
+application up in a single command which does everything that needs to
+be done to get it running.
+
+*Also known as : docker-compose, fig*
+
+## copy-on-write
+
+Docker uses a
+[copy-on-write](https://docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/#/the-copy-on-write-strategy)
+technique and a [union file system](#union-file-system) for both images and
+containers to optimize resources and speed performance. Multiple copies of an
+entity share the same instance and each one makes only specific changes to its
+unique layer.
+
+Multiple containers can share access to the same image, and make
+container-specific changes on a writable layer which is deleted when
+the container is removed. This speeds up container start times and performance.
+
+Images are essentially layers of filesystems typically predicated on a base
+image under a writable layer, and built up with layers of differences from the
+base image. This minimizes the footprint of the image and enables shared
+development.
+
+For more about copy-on-write in the context of Docker, see [Understand images,
+containers, and storage
+drivers](https://docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/).
+
+## container
+
+A container is a runtime instance of a [docker image](#image).
+
+A Docker container consists of
+
+- A Docker image
+- Execution environment
+- A standard set of instructions
+
+The concept is borrowed from Shipping Containers, which define a standard to ship
+goods globally. Docker defines a standard to ship software.
+
+## data volume
+
+A data volume is a specially-designated directory within one or more containers
+that bypasses the Union File System. Data volumes are designed to persist data,
+independent of the container's life cycle. Docker therefore never automatically
+delete volumes when you remove a container, nor will it "garbage collect"
+volumes that are no longer referenced by a container.
+
+
+## Docker
+
+The term Docker can refer to
+
+- The Docker project as a whole, which is a platform for developers and sysadmins to
+develop, ship, and run applications
+- The docker daemon process running on the host which manages images and containers
+
+
+## Docker for Mac
+
+[Docker for Mac](https://docs.docker.com/docker-for-mac/) is an easy-to-install,
+lightweight Docker development environment designed specifically for the Mac. A
+native Mac application, Docker for Mac uses the macOS Hypervisor framework,
+networking, and filesystem. It's the best solution if you want to build, debug,
+test, package, and ship Dockerized applications on a Mac. Docker for Mac
+supersedes [Docker Toolbox](#toolbox) as state-of-the-art Docker on macOS.
+
+
+## Docker for Windows
+
+[Docker for Windows](https://docs.docker.com/docker-for-windows/) is an
+easy-to-install, lightweight Docker development environment designed
+specifically for Windows 10 systems that support Microsoft Hyper-V
+(Professional, Enterprise and Education). Docker for Windows uses Hyper-V for
+virtualization, and runs as a native Windows app. It works with Windows Server
+2016, and gives you the ability to set up and run Windows containers as well as
+the standard Linux containers, with an option to switch between the two. Docker
+for Windows is the best solution if you want to build, debug, test, package, and
+ship Dockerized applications from Windows machines. Docker for Windows
+supersedes [Docker Toolbox](#toolbox) as state-of-the-art Docker on Windows.
+
+## Docker Hub
+
+The [Docker Hub](https://hub.docker.com/) is a centralized resource for working with
+Docker and its components. It provides the following services:
+
+- Docker image hosting
+- User authentication
+- Automated image builds and work-flow tools such as build triggers and web hooks
+- Integration with GitHub and Bitbucket
+
+
+## Dockerfile
+
+A Dockerfile is a text document that contains all the commands you would
+normally execute manually in order to build a Docker image. Docker can
+build images automatically by reading the instructions from a Dockerfile.
+
+## filesystem
+
+A file system is the method an operating system uses to name files
+and assign them locations for efficient storage and retrieval.
+
+Examples :
+
+- Linux : ext4, aufs, btrfs, zfs
+- Windows : NTFS
+- macOS : HFS+
+
+## image
+
+Docker images are the basis of [containers](#container). An Image is an
+ordered collection of root filesystem changes and the corresponding
+execution parameters for use within a container runtime. An image typically
+contains a union of layered filesystems stacked on top of each other. An image
+does not have state and it never changes.
+
+## libcontainer
+
+libcontainer provides a native Go implementation for creating containers with
+namespaces, cgroups, capabilities, and filesystem access controls. It allows
+you to manage the lifecycle of the container performing additional operations
+after the container is created.
+
+## libnetwork
+
+libnetwork provides a native Go implementation for creating and managing container
+network namespaces and other network resources. It manage the networking lifecycle
+of the container performing additional operations after the container is created.
+
+## link
+
+links provide a legacy interface to connect Docker containers running on the
+same host to each other without exposing the hosts' network ports. Use the
+Docker networks feature instead.
+
+## Machine
+
+[Machine](https://github.com/docker/machine) is a Docker tool which
+makes it really easy to create Docker hosts on  your computer, on
+cloud providers and inside your own data center. It creates servers,
+installs Docker on them, then configures the Docker client to talk to them.
+
+*Also known as : docker-machine*
+
+## node
+
+A [node](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/) is a physical or virtual
+machine running an instance of the Docker Engine in swarm mode.
+
+**Manager nodes** perform swarm management and orchestration duties. By default
+manager nodes are also worker nodes.
+
+**Worker nodes** execute tasks.
+
+## overlay network driver
+
+Overlay network driver provides out of the box multi-host network connectivity
+for docker containers in a cluster.
+
+## overlay storage driver
+
+OverlayFS is a [filesystem](#filesystem) service for Linux which implements a
+[union mount](http://en.wikipedia.org/wiki/Union_mount) for other file systems.
+It is supported by the Docker daemon as a storage driver.
+
+## registry
+
+A Registry is a hosted service containing [repositories](#repository) of [images](#image)
+which responds to the Registry API.
+
+The default registry can be accessed using a browser at [Docker Hub](#docker-hub)
+or using the `docker search` command.
+
+## repository
+
+A repository is a set of Docker images. A repository can be shared by pushing it
+to a [registry](#registry) server. The different images in the repository can be
+labeled using [tags](#tag).
+
+Here is an example of the shared [nginx repository](https://hub.docker.com/_/nginx/)
+and its [tags](https://hub.docker.com/r/library/nginx/tags/)
+
+
+## service
+
+A [service](https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/) is the definition of how
+you want to run your application containers in a swarm. At the most basic level
+a service  defines which container image to run in the swarm and which commands
+to run in the container. For orchestration purposes, the service defines the
+"desired state", meaning how many containers to run as tasks and constraints for
+deploying the containers.
+
+Frequently a service is a microservice within the context of some larger
+application. Examples of services might include an HTTP server, a database, or
+any other type of executable program that you wish to run in a distributed
+environment.
+
+## service discovery
+
+Swarm mode [service discovery](https://docs.docker.com/engine/swarm/networking/#use-swarm-mode-service-discovery) is a DNS component
+internal to the swarm that automatically assigns each service on an overlay
+network in the swarm a VIP and DNS entry. Containers on the network share DNS
+mappings for the service via gossip so any container on the network can access
+the service via its service name.
+
+You don’t need to expose service-specific ports to make the service available to
+other services on the same overlay network. The swarm’s internal load balancer
+automatically distributes requests to the service VIP among the active tasks.
+
+## swarm
+
+A [swarm](https://docs.docker.com/engine/swarm/) is a cluster of one or more Docker Engines running in [swarm mode](#swarm-mode).
+
+## Docker Swarm
+
+Do not confuse [Docker Swarm](https://github.com/docker/swarm) with the [swarm mode](#swarm-mode) features in Docker Engine.
+
+Docker Swarm is the name of a standalone native clustering tool for Docker.
+Docker Swarm pools together several Docker hosts and exposes them as a single
+virtual Docker host. It serves the standard Docker API, so any tool that already
+works with Docker can now transparently scale up to multiple hosts.
+
+*Also known as : docker-swarm*
+
+## swarm mode
+
+[Swarm mode](https://docs.docker.com/engine/swarm/) refers to cluster management and orchestration
+features embedded in Docker Engine. When you initialize a new swarm (cluster) or
+join nodes to a swarm, the Docker Engine runs in swarm mode.
+
+## tag
+
+A tag is a label applied to a Docker image in a [repository](#repository).
+tags are how various images in a repository are distinguished from each other.
+
+*Note : This label is not related to the key=value labels set for docker daemon*
+
+## task
+
+A [task](https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/#/tasks-and-scheduling) is the
+atomic unit of scheduling within a swarm. A task carries a Docker container and
+the commands to run inside the container. Manager nodes assign tasks to worker
+nodes according to the number of replicas set in the service scale.
+
+The diagram below illustrates the relationship of services to tasks and
+containers.
+
+![services diagram](https://docs.docker.com/engine/swarm/images/services-diagram.png)
+
+## Toolbox
+
+[Docker Toolbox](https://docs.docker.com/toolbox/overview/) is a legacy
+installer for Mac and Windows users. It uses Oracle VirtualBox for
+virtualization.
+
+For Macs running OS X El Capitan 10.11 and newer macOS releases, [Docker for
+Mac](https://docs.docker.com/docker-for-mac/) is the better solution.
+
+For Windows 10 systems that support Microsoft Hyper-V (Professional, Enterprise
+and Education), [Docker for
+Windows](https://docs.docker.com/docker-for-windows/) is the better solution.
+
+## Union file system
+
+Union file systems implement a [union
+mount](https://en.wikipedia.org/wiki/Union_mount) and operate by creating
+layers. Docker uses union file systems in conjunction with
+[copy-on-write](#copy-on-write) techniques to provide the building blocks for
+containers, making them very lightweight and fast.
+
+For more on Docker and union file systems, see [Docker and AUFS in
+practice](https://docs.docker.com/engine/userguide/storagedriver/aufs-driver/),
+[Docker and Btrfs in
+practice](https://docs.docker.com/engine/userguide/storagedriver/btrfs-driver/),
+and [Docker and OverlayFS in
+practice](https://docs.docker.com/engine/userguide/storagedriver/overlayfs-driver/)
+
+Example implementations of union file systems are
+[UnionFS](https://en.wikipedia.org/wiki/UnionFS),
+[AUFS](https://en.wikipedia.org/wiki/Aufs), and
+[Btrfs](https://btrfs.wiki.kernel.org/index.php/Main_Page).
+
+## virtual machine
+
+A virtual machine is a program that emulates a complete computer and imitates dedicated hardware.
+It shares physical hardware resources with other users but isolates the operating system. The
+end user has the same experience on a Virtual Machine as they would have on dedicated hardware.
+
+Compared to containers, a virtual machine is heavier to run, provides more isolation,
+gets its own set of resources and does minimal sharing.
+
+*Also known as : VM*
diff --git a/cli/docs/reference/index.md b/cli/docs/reference/index.md
new file mode 100644
index 00000000..54d180dc
--- /dev/null
+++ b/cli/docs/reference/index.md
@@ -0,0 +1,20 @@
+---
+description: "Docker Engine reference"
+keywords: "Engine"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Engine reference
+
+* [Dockerfile reference](builder.md)
+* [Docker run reference](run.md)
+* [Command line reference](commandline/index.md)
+* [API Reference](https://docs.docker.com/engine/api/)
diff --git a/cli/docs/reference/run.md b/cli/docs/reference/run.md
new file mode 100644
index 00000000..521e41de
--- /dev/null
+++ b/cli/docs/reference/run.md
@@ -0,0 +1,1615 @@
+---
+description: "Configure containers at runtime"
+keywords: "docker, run, configure, runtime"
+---
+
+<!-- This file is maintained within the docker/cli GitHub
+     repository at https://github.com/docker/cli/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+# Docker run reference
+
+Docker runs processes in isolated containers. A container is a process
+which runs on a host. The host may be local or remote. When an operator
+executes `docker run`, the container process that runs is isolated in
+that it has its own file system, its own networking, and its own
+isolated process tree separate from the host.
+
+This page details how to use the `docker run` command to define the
+container's resources at runtime.
+
+## General form
+
+The basic `docker run` command takes this form:
+
+    $ docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]
+
+The `docker run` command must specify an [*IMAGE*](glossary.md#image)
+to derive the container from. An image developer can define image
+defaults related to:
+
+ * detached or foreground running
+ * container identification
+ * network settings
+ * runtime constraints on CPU and memory
+
+With the `docker run [OPTIONS]` an operator can add to or override the
+image defaults set by a developer. And, additionally, operators can
+override nearly all the defaults set by the Docker runtime itself. The
+operator's ability to override image and Docker runtime defaults is why
+[*run*](commandline/run.md) has more options than any
+other `docker` command.
+
+To learn how to interpret the types of `[OPTIONS]`, see [*Option
+types*](commandline/cli.md#option-types).
+
+> **Note**: Depending on your Docker system configuration, you may be
+> required to preface the `docker run` command with `sudo`. To avoid
+> having to use `sudo` with the `docker` command, your system
+> administrator can create a Unix group called `docker` and add users to
+> it. For more information about this configuration, refer to the Docker
+> installation documentation for your operating system.
+
+
+## Operator exclusive options
+
+Only the operator (the person executing `docker run`) can set the
+following options.
+
+ - [Detached vs foreground](#detached-vs-foreground)
+     - [Detached (-d)](#detached--d)
+     - [Foreground](#foreground)
+ - [Container identification](#container-identification)
+     - [Name (--name)](#name---name)
+     - [PID equivalent](#pid-equivalent)
+ - [IPC settings (--ipc)](#ipc-settings---ipc)
+ - [Network settings](#network-settings)
+ - [Restart policies (--restart)](#restart-policies---restart)
+ - [Clean up (--rm)](#clean-up---rm)
+ - [Runtime constraints on resources](#runtime-constraints-on-resources)
+ - [Runtime privilege and Linux capabilities](#runtime-privilege-and-linux-capabilities)
+
+## Detached vs foreground
+
+When starting a Docker container, you must first decide if you want to
+run the container in the background in a "detached" mode or in the
+default foreground mode:
+
+    -d=false: Detached mode: Run container in the background, print new container id
+
+### Detached (-d)
+
+To start a container in detached mode, you use `-d=true` or just `-d` option. By
+design, containers started in detached mode exit when the root process used to
+run the container exits, unless you also specify the `--rm` option. If you use
+`-d` with `--rm`, the container is removed when it exits **or** when the daemon
+exits, whichever happens first.
+
+Do not pass a `service x start` command to a detached container. For example, this
+command attempts to start the `nginx` service.
+
+    $ docker run -d -p 80:80 my_image service nginx start
+
+This succeeds in starting the `nginx` service inside the container. However, it
+fails the detached container paradigm in that, the root process (`service nginx
+start`) returns and the detached container stops as designed. As a result, the
+`nginx` service is started but could not be used. Instead, to start a process
+such as the `nginx` web server do the following:
+
+    $ docker run -d -p 80:80 my_image nginx -g 'daemon off;'
+
+To do input/output with a detached container use network connections or shared
+volumes. These are required because the container is no longer listening to the
+command line where `docker run` was run.
+
+To reattach to a detached container, use `docker`
+[*attach*](commandline/attach.md) command.
+
+### Foreground
+
+In foreground mode (the default when `-d` is not specified), `docker
+run` can start the process in the container and attach the console to
+the process's standard input, output, and standard error. It can even
+pretend to be a TTY (this is what most command line executables expect)
+and pass along signals. All of that is configurable:
+
+    -a=[]           : Attach to `STDIN`, `STDOUT` and/or `STDERR`
+    -t              : Allocate a pseudo-tty
+    --sig-proxy=true: Proxy all received signals to the process (non-TTY mode only)
+    -i              : Keep STDIN open even if not attached
+
+If you do not specify `-a` then Docker will [attach to both stdout and stderr
+]( https://github.com/docker/docker/blob/4118e0c9eebda2412a09ae66e90c34b85fae3275/runconfig/opts/parse.go#L267).
+You can specify to which of the three standard streams (`STDIN`, `STDOUT`,
+`STDERR`) you'd like to connect instead, as in:
+
+    $ docker run -a stdin -a stdout -i -t ubuntu /bin/bash
+
+For interactive processes (like a shell), you must use `-i -t` together in
+order to allocate a tty for the container process. `-i -t` is often written `-it`
+as you'll see in later examples.  Specifying `-t` is forbidden when the client
+is receiving its standard input from a pipe, as in:
+
+    $ echo test | docker run -i busybox cat
+
+>**Note**: A process running as PID 1 inside a container is treated
+>specially by Linux: it ignores any signal with the default action.
+>So, the process will not terminate on `SIGINT` or `SIGTERM` unless it is
+>coded to do so.
+
+## Container identification
+
+### Name (--name)
+
+The operator can identify a container in three ways:
+
+| Identifier type       | Example value                                                      |
+|:----------------------|:-------------------------------------------------------------------|
+| UUID long identifier  | "f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778" |
+| UUID short identifier | "f78375b1c487"                                                     |
+| Name                  | "evil_ptolemy"                                                     |
+
+The UUID identifiers come from the Docker daemon. If you do not assign a
+container name with the `--name` option, then the daemon generates a random
+string name for you. Defining a `name` can be a handy way to add meaning to a
+container. If you specify a `name`, you can use it  when referencing the
+container within a Docker network. This works for both background and foreground
+Docker containers.
+
+> **Note**: Containers on the default bridge network must be linked to
+> communicate by name.
+
+### PID equivalent
+
+Finally, to help with automation, you can have Docker write the
+container ID out to a file of your choosing. This is similar to how some
+programs might write out their process ID to a file (you've seen them as
+PID files):
+
+    --cidfile="": Write the container ID to the file
+
+### Image[:tag]
+
+While not strictly a means of identifying a container, you can specify a version of an
+image you'd like to run the container with by adding `image[:tag]` to the command. For
+example, `docker run ubuntu:14.04`.
+
+### Image[@digest]
+
+Images using the v2 or later image format have a content-addressable identifier
+called a digest. As long as the input used to generate the image is unchanged,
+the digest value is predictable and referenceable.
+
+The following example runs a container from the `alpine` image with the
+`sha256:9cacb71397b640eca97488cf08582ae4e4068513101088e9f96c9814bfda95e0` digest:
+
+    $ docker run alpine@sha256:9cacb71397b640eca97488cf08582ae4e4068513101088e9f96c9814bfda95e0 date
+
+## PID settings (--pid)
+
+    --pid=""  : Set the PID (Process) Namespace mode for the container,
+                 'container:<name|id>': joins another container's PID namespace
+                 'host': use the host's PID namespace inside the container
+
+By default, all containers have the PID namespace enabled.
+
+PID namespace provides separation of processes. The PID Namespace removes the
+view of the system processes, and allows process ids to be reused including
+pid 1.
+
+In certain cases you want your container to share the host's process namespace,
+basically allowing processes within the container to see all of the processes
+on the system.  For example, you could build a container with debugging tools
+like `strace` or `gdb`, but want to use these tools when debugging processes
+within the container.
+
+### Example: run htop inside a container
+
+Create this Dockerfile:
+
+```
+FROM alpine:latest
+RUN apk add --update htop && rm -rf /var/cache/apk/*
+CMD ["htop"]
+```
+
+Build the Dockerfile and tag the image as `myhtop`:
+
+```bash
+$ docker build -t myhtop .
+```
+
+Use the following command to run `htop` inside a container:
+
+```
+$ docker run -it --rm --pid=host myhtop
+```
+
+Joining another container's pid namespace can be used for debugging that container.
+
+### Example
+
+Start a container running a redis server:
+
+```bash
+$ docker run --name my-redis -d redis
+```
+
+Debug the redis container by running another container that has strace in it:
+
+```bash
+$ docker run -it --pid=container:my-redis my_strace_docker_image bash
+$ strace -p 1
+```
+
+## UTS settings (--uts)
+
+    --uts=""  : Set the UTS namespace mode for the container,
+           'host': use the host's UTS namespace inside the container
+
+The UTS namespace is for setting the hostname and the domain that is visible
+to running processes in that namespace.  By default, all containers, including
+those with `--network=host`, have their own UTS namespace.  The `host` setting will
+result in the container using the same UTS namespace as the host.  Note that
+`--hostname` is invalid in `host` UTS mode.
+
+You may wish to share the UTS namespace with the host if you would like the
+hostname of the container to change as the hostname of the host changes.  A
+more advanced use case would be changing the host's hostname from a container.
+
+## IPC settings (--ipc)
+
+    --ipc="MODE"  : Set the IPC mode for the container
+
+The following values are accepted:
+
+| Value                      | Description                                                                       |
+|:---------------------------|:----------------------------------------------------------------------------------|
+| ""                         | Use daemon's default.                                                             |
+| "none"                     | Own private IPC namespace, with /dev/shm not mounted.                             |
+| "private"                  | Own private IPC namespace.                                                        |
+| "shareable"                | Own private IPC namespace, with a possibility to share it with other containers.  |
+| "container:<_name-or-ID_>" | Join another ("shareable") container's IPC namespace.                             |
+| "host"                     | Use the host system's IPC namespace.                                              |
+
+If not specified, daemon default is used, which can either be `"private"`
+or `"shareable"`, depending on the daemon version and configuration.
+
+IPC (POSIX/SysV IPC) namespace provides separation of named shared memory
+segments, semaphores and message queues.
+
+Shared memory segments are used to accelerate inter-process communication at
+memory speed, rather than through pipes or through the network stack. Shared
+memory is commonly used by databases and custom-built (typically C/OpenMPI,
+C++/using boost libraries) high performance applications for scientific
+computing and financial services industries. If these types of applications
+are broken into multiple containers, you might need to share the IPC mechanisms
+of the containers, using `"shareable"` mode for the main (i.e. "donor")
+container, and `"container:<donor-name-or-ID>"` for other containers.
+
+## Network settings
+
+    --dns=[]           : Set custom dns servers for the container
+    --network="bridge" : Connect a container to a network
+                          'bridge': create a network stack on the default Docker bridge
+                          'none': no networking
+                          'container:<name|id>': reuse another container's network stack
+                          'host': use the Docker host network stack
+                          '<network-name>|<network-id>': connect to a user-defined network
+    --network-alias=[] : Add network-scoped alias for the container
+    --add-host=""      : Add a line to /etc/hosts (host:IP)
+    --mac-address=""   : Sets the container's Ethernet device's MAC address
+    --ip=""            : Sets the container's Ethernet device's IPv4 address
+    --ip6=""           : Sets the container's Ethernet device's IPv6 address
+    --link-local-ip=[] : Sets one or more container's Ethernet device's link local IPv4/IPv6 addresses
+
+By default, all containers have networking enabled and they can make any
+outgoing connections. The operator can completely disable networking
+with `docker run --network none` which disables all incoming and outgoing
+networking. In cases like this, you would perform I/O through files or
+`STDIN` and `STDOUT` only.
+
+Publishing ports and linking to other containers only works with the default (bridge). The linking feature is a legacy feature. You should always prefer using Docker network drivers over linking.
+
+Your container will use the same DNS servers as the host by default, but
+you can override this with `--dns`.
+
+By default, the MAC address is generated using the IP address allocated to the
+container. You can set the container's MAC address explicitly by providing a
+MAC address via the `--mac-address` parameter (format:`12:34:56:78:9a:bc`).Be
+aware that Docker does not check if manually specified MAC addresses are unique.
+
+Supported networks :
+
+<table>
+  <thead>
+    <tr>
+      <th class="no-wrap">Network</th>
+      <th>Description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td class="no-wrap"><strong>none</strong></td>
+      <td>
+        No networking in the container.
+      </td>
+    </tr>
+    <tr>
+      <td class="no-wrap"><strong>bridge</strong> (default)</td>
+      <td>
+        Connect the container to the bridge via veth interfaces.
+      </td>
+    </tr>
+    <tr>
+      <td class="no-wrap"><strong>host</strong></td>
+      <td>
+        Use the host's network stack inside the container.
+      </td>
+    </tr>
+    <tr>
+      <td class="no-wrap"><strong>container</strong>:&lt;name|id&gt;</td>
+      <td>
+        Use the network stack of another container, specified via
+        its <i>name</i> or <i>id</i>.
+      </td>
+    </tr>
+    <tr>
+      <td class="no-wrap"><strong>NETWORK</strong></td>
+      <td>
+        Connects the container to a user created network (using <code>docker network create</code> command)
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+#### Network: none
+
+With the network is `none` a container will not have
+access to any external routes.  The container will still have a
+`loopback` interface enabled in the container but it does not have any
+routes to external traffic.
+
+#### Network: bridge
+
+With the network set to `bridge` a container will use docker's
+default networking setup.  A bridge is setup on the host, commonly named
+`docker0`, and a pair of `veth` interfaces will be created for the
+container.  One side of the `veth` pair will remain on the host attached
+to the bridge while the other side of the pair will be placed inside the
+container's namespaces in addition to the `loopback` interface.  An IP
+address will be allocated for containers on the bridge's network and
+traffic will be routed though this bridge to the container.
+
+Containers can communicate via their IP addresses by default. To communicate by
+name, they must be linked.
+
+#### Network: host
+
+With the network set to `host` a container will share the host's
+network stack and all interfaces from the host will be available to the
+container.  The container's hostname will match the hostname on the host
+system. Note that `--mac-address` is invalid in `host` netmode. Even in `host`
+network mode a container has its own UTS namespace by default. As such
+`--hostname` is allowed in `host` network mode and will only change the
+hostname inside the container.
+Similar to `--hostname`, the `--add-host`, `--dns`, `--dns-search`, and
+`--dns-option` options can be used in `host` network mode. These options update
+`/etc/hosts` or `/etc/resolv.conf` inside the container. No change are made to
+`/etc/hosts` and `/etc/resolv.conf` on the host.
+
+Compared to the default `bridge` mode, the `host` mode gives *significantly*
+better networking performance since it uses the host's native networking stack
+whereas the bridge has to go through one level of virtualization through the
+docker daemon. It is recommended to run containers in this mode when their
+networking performance is critical, for example, a production Load Balancer
+or a High Performance Web Server.
+
+> **Note**: `--network="host"` gives the container full access to local system
+> services such as D-bus and is therefore considered insecure.
+
+#### Network: container
+
+With the network set to `container` a container will share the
+network stack of another container.  The other container's name must be
+provided in the format of `--network container:<name|id>`. Note that `--add-host`
+`--hostname` `--dns` `--dns-search` `--dns-option` and `--mac-address` are
+invalid in `container` netmode, and `--publish` `--publish-all` `--expose` are
+also invalid in `container` netmode.
+
+Example running a Redis container with Redis binding to `localhost` then
+running the `redis-cli` command and connecting to the Redis server over the
+`localhost` interface.
+
+    $ docker run -d --name redis example/redis --bind 127.0.0.1
+    $ # use the redis container's network stack to access localhost
+    $ docker run --rm -it --network container:redis example/redis-cli -h 127.0.0.1
+
+#### User-defined network
+
+You can create a network using a Docker network driver or an external network
+driver plugin. You can connect multiple containers to the same network. Once
+connected to a user-defined network, the containers can communicate easily using
+only another container's IP address or name.
+
+For `overlay` networks or custom plugins that support multi-host connectivity,
+containers connected to the same multi-host network but launched from different
+Engines can also communicate in this way.
+
+The following example creates a network using the built-in `bridge` network
+driver and running a container in the created network
+
+```
+$ docker network create -d bridge my-net
+$ docker run --network=my-net -itd --name=container3 busybox
+```
+
+### Managing /etc/hosts
+
+Your container will have lines in `/etc/hosts` which define the hostname of the
+container itself as well as `localhost` and a few other common things. The
+`--add-host` flag can be used to add additional lines to `/etc/hosts`.
+
+    $ docker run -it --add-host db-static:86.75.30.9 ubuntu cat /etc/hosts
+    172.17.0.22     09d03f76bf2c
+    fe00::0         ip6-localnet
+    ff00::0         ip6-mcastprefix
+    ff02::1         ip6-allnodes
+    ff02::2         ip6-allrouters
+    127.0.0.1       localhost
+    ::1	            localhost ip6-localhost ip6-loopback
+    86.75.30.9      db-static
+
+If a container is connected to the default bridge network and `linked`
+with other containers, then the container's `/etc/hosts` file is updated
+with the linked container's name.
+
+> **Note** Since Docker may live update the container’s `/etc/hosts` file, there
+may be situations when processes inside the container can end up reading an
+empty or incomplete `/etc/hosts` file. In most cases, retrying the read again
+should fix the problem.
+
+## Restart policies (--restart)
+
+Using the `--restart` flag on Docker run you can specify a restart policy for
+how a container should or should not be restarted on exit.
+
+When a restart policy is active on a container, it will be shown as either `Up`
+or `Restarting` in [`docker ps`](commandline/ps.md). It can also be
+useful to use [`docker events`](commandline/events.md) to see the
+restart policy in effect.
+
+Docker supports the following restart policies:
+
+<table>
+  <thead>
+    <tr>
+      <th>Policy</th>
+      <th>Result</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td><strong>no</strong></td>
+      <td>
+        Do not automatically restart the container when it exits. This is the
+        default.
+      </td>
+    </tr>
+    <tr>
+      <td>
+        <span style="white-space: nowrap">
+          <strong>on-failure</strong>[:max-retries]
+        </span>
+      </td>
+      <td>
+        Restart only if the container exits with a non-zero exit status.
+        Optionally, limit the number of restart retries the Docker
+        daemon attempts.
+      </td>
+    </tr>
+    <tr>
+      <td><strong>always</strong></td>
+      <td>
+        Always restart the container regardless of the exit status.
+        When you specify always, the Docker daemon will try to restart
+        the container indefinitely. The container will also always start
+        on daemon startup, regardless of the current state of the container.
+      </td>
+    </tr>
+    <tr>
+      <td><strong>unless-stopped</strong></td>
+      <td>
+        Always restart the container regardless of the exit status,
+        including on daemon startup, except if the container was put
+        into a stopped state before the Docker daemon was stopped.
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+An ever increasing delay (double the previous delay, starting at 100
+milliseconds) is added before each restart to prevent flooding the server.
+This means the daemon will wait for 100 ms, then 200 ms, 400, 800, 1600,
+and so on until either the `on-failure` limit is hit, or when you `docker stop`
+or `docker rm -f` the container.
+
+If a container is successfully restarted (the container is started and runs
+for at least 10 seconds), the delay is reset to its default value of 100 ms.
+
+You can specify the maximum amount of times Docker will try to restart the
+container when using the **on-failure** policy.  The default is that Docker
+will try forever to restart the container. The number of (attempted) restarts
+for a container can be obtained via [`docker inspect`](commandline/inspect.md). For example, to get the number of restarts
+for container "my-container";
+
+    {% raw %}
+    $ docker inspect -f "{{ .RestartCount }}" my-container
+    # 2
+    {% endraw %}
+
+Or, to get the last time the container was (re)started;
+
+    {% raw %}
+    $ docker inspect -f "{{ .State.StartedAt }}" my-container
+    # 2015-03-04T23:47:07.691840179Z
+    {% endraw %}
+
+
+Combining `--restart` (restart policy) with the `--rm` (clean up) flag results
+in an error. On container restart, attached clients are disconnected. See the
+examples on using the [`--rm` (clean up)](#clean-up-rm) flag later in this page.
+
+### Examples
+
+    $ docker run --restart=always redis
+
+This will run the `redis` container with a restart policy of **always**
+so that if the container exits, Docker will restart it.
+
+    $ docker run --restart=on-failure:10 redis
+
+This will run the `redis` container with a restart policy of **on-failure**
+and a maximum restart count of 10.  If the `redis` container exits with a
+non-zero exit status more than 10 times in a row Docker will abort trying to
+restart the container. Providing a maximum restart limit is only valid for the
+**on-failure** policy.
+
+## Exit Status
+
+The exit code from `docker run` gives information about why the container
+failed to run or why it exited.  When `docker run` exits with a non-zero code,
+the exit codes follow the `chroot` standard, see below:
+
+**_125_** if the error is with Docker daemon **_itself_**
+
+    $ docker run --foo busybox; echo $?
+    # flag provided but not defined: --foo
+      See 'docker run --help'.
+      125
+
+**_126_** if the **_contained command_** cannot be invoked
+
+    $ docker run busybox /etc; echo $?
+    # docker: Error response from daemon: Container command '/etc' could not be invoked.
+      126
+
+**_127_** if the **_contained command_** cannot be found
+
+    $ docker run busybox foo; echo $?
+    # docker: Error response from daemon: Container command 'foo' not found or does not exist.
+      127
+
+**_Exit code_** of **_contained command_** otherwise
+
+    $ docker run busybox /bin/sh -c 'exit 3'; echo $?
+    # 3
+
+## Clean up (--rm)
+
+By default a container's file system persists even after the container
+exits. This makes debugging a lot easier (since you can inspect the
+final state) and you retain all your data by default. But if you are
+running short-term **foreground** processes, these container file
+systems can really pile up. If instead you'd like Docker to
+**automatically clean up the container and remove the file system when
+the container exits**, you can add the `--rm` flag:
+
+    --rm=false: Automatically remove the container when it exits
+
+> **Note**: When you set the `--rm` flag, Docker also removes the anonymous volumes
+associated with the container when the container is removed. This is similar
+to running `docker rm -v my-container`. Only volumes that are specified without a
+name are removed. For example, with
+`docker run --rm -v /foo -v awesome:/bar busybox top`, the volume for `/foo` will be removed,
+but the volume for `/bar` will not. Volumes inherited via `--volumes-from` will be removed
+with the same logic -- if the original volume was specified with a name it will **not** be removed.
+
+## Security configuration
+    --security-opt="label=user:USER"     : Set the label user for the container
+    --security-opt="label=role:ROLE"     : Set the label role for the container
+    --security-opt="label=type:TYPE"     : Set the label type for the container
+    --security-opt="label=level:LEVEL"   : Set the label level for the container
+    --security-opt="label=disable"       : Turn off label confinement for the container
+    --security-opt="apparmor=PROFILE"    : Set the apparmor profile to be applied to the container
+    --security-opt="no-new-privileges:true|false"   : Disable/enable container processes from gaining new privileges
+    --security-opt="seccomp=unconfined"  : Turn off seccomp confinement for the container
+    --security-opt="seccomp=profile.json": White listed syscalls seccomp Json file to be used as a seccomp filter
+
+
+You can override the default labeling scheme for each container by specifying
+the `--security-opt` flag. Specifying the level in the following command
+allows you to share the same content between containers.
+
+    $ docker run --security-opt label=level:s0:c100,c200 -it fedora bash
+
+> **Note**: Automatic translation of MLS labels is not currently supported.
+
+To disable the security labeling for this container versus running with the
+`--privileged` flag, use the following command:
+
+    $ docker run --security-opt label=disable -it fedora bash
+
+If you want a tighter security policy on the processes within a container,
+you can specify an alternate type for the container. You could run a container
+that is only allowed to listen on Apache ports by executing the following
+command:
+
+    $ docker run --security-opt label=type:svirt_apache_t -it centos bash
+
+> **Note**: You would have to write policy defining a `svirt_apache_t` type.
+
+If you want to prevent your container processes from gaining additional
+privileges, you can execute the following command:
+
+    $ docker run --security-opt no-new-privileges -it centos bash
+
+This means that commands that raise privileges such as `su` or `sudo` will no longer work.
+It also causes any seccomp filters to be applied later, after privileges have been dropped
+which may mean you can have a more restrictive set of filters.
+For more details, see the [kernel documentation](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt).
+
+## Specify an init process
+
+You can use the `--init` flag to indicate that an init process should be used as
+the PID 1 in the container. Specifying an init process ensures the usual
+responsibilities of an init system, such as reaping zombie processes, are
+performed inside the created container.
+
+The default init process used is the first `docker-init` executable found in the
+system path of the Docker daemon process. This `docker-init` binary, included in
+the default installation, is backed by [tini](https://github.com/krallin/tini).
+
+## Specify custom cgroups
+
+Using the `--cgroup-parent` flag, you can pass a specific cgroup to run a
+container in. This allows you to create and manage cgroups on their own. You can
+define custom resources for those cgroups and put containers under a common
+parent group.
+
+## Runtime constraints on resources
+
+The operator can also adjust the performance parameters of the
+container:
+
+| Option                     | Description                                                                                                                                                                                                                                                                              |
+|:---------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `-m`, `--memory=""`        | Memory limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. Minimum is 4M.                                                                                                                                                        |
+| `--memory-swap=""`         | Total memory limit (memory + swap, format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`.                                                                                                                                                  |
+| `--memory-reservation=""`  | Memory soft limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`.                                                                                                                                                                  |
+| `--kernel-memory=""`       | Kernel memory limit (format: `<number>[<unit>]`). Number is a positive integer. Unit can be one of `b`, `k`, `m`, or `g`. Minimum is 4M.                                                                                                                                                 |
+| `-c`, `--cpu-shares=0`     | CPU shares (relative weight)                                                                                                                                                                                                                                                             |
+| `--cpus=0.000`             | Number of CPUs. Number is a fractional number. 0.000 means no limit.                                                                                                                                                                                                                     |
+| `--cpu-period=0`           | Limit the CPU CFS (Completely Fair Scheduler) period                                                                                                                                                                                                                                     |
+| `--cpuset-cpus=""`         | CPUs in which to allow execution (0-3, 0,1)                                                                                                                                                                                                                                              |
+| `--cpuset-mems=""`         | Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.                                                                                                                                                                                              |
+| `--cpu-quota=0`            | Limit the CPU CFS (Completely Fair Scheduler) quota                                                                                                                                                                                                                                      |
+| `--cpu-rt-period=0`        | Limit the CPU real-time period. In microseconds. Requires parent cgroups be set and cannot be higher than parent. Also check rtprio ulimits.                                                                                                                                             |
+| `--cpu-rt-runtime=0`       | Limit the CPU real-time runtime. In microseconds. Requires parent cgroups be set and cannot be higher than parent. Also check rtprio ulimits.                                                                                                                                            |
+| `--blkio-weight=0`         | Block IO weight (relative weight) accepts a weight value between 10 and 1000.                                                                                                                                                                                                            |
+| `--blkio-weight-device=""` | Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`)                                                                                                                                                                                                                   |
+| `--device-read-bps=""`     | Limit read rate from a device (format: `<device-path>:<number>[<unit>]`). Number is a positive integer. Unit can be one of `kb`, `mb`, or `gb`.                                                                                                                                          |
+| `--device-write-bps=""`    | Limit write rate to a device (format: `<device-path>:<number>[<unit>]`). Number is a positive integer. Unit can be one of `kb`, `mb`, or `gb`.                                                                                                                                           |
+| `--device-read-iops="" `   | Limit read rate (IO per second) from a device (format: `<device-path>:<number>`). Number is a positive integer.                                                                                                                                                                          |
+| `--device-write-iops="" `  | Limit write rate (IO per second) to a device (format: `<device-path>:<number>`). Number is a positive integer.                                                                                                                                                                           |
+| `--oom-kill-disable=false` | Whether to disable OOM Killer for the container or not.                                                                                                                                                                                                                                  |
+| `--oom-score-adj=0`        | Tune container's OOM preferences (-1000 to 1000)                                                                                                                                                                                                                                         |
+| `--memory-swappiness=""`   | Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.                                                                                                                                                                                                     |
+| `--shm-size=""`            | Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. |
+
+### User memory constraints
+
+We have four ways to set user memory usage:
+
+<table>
+  <thead>
+    <tr>
+      <th>Option</th>
+      <th>Result</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td class="no-wrap">
+          <strong>memory=inf, memory-swap=inf</strong> (default)
+      </td>
+      <td>
+        There is no memory limit for the container. The container can use
+        as much memory as needed.
+      </td>
+    </tr>
+    <tr>
+      <td class="no-wrap"><strong>memory=L&lt;inf, memory-swap=inf</strong></td>
+      <td>
+        (specify memory and set memory-swap as <code>-1</code>) The container is
+        not allowed to use more than L bytes of memory, but can use as much swap
+        as is needed (if the host supports swap memory).
+      </td>
+    </tr>
+    <tr>
+      <td class="no-wrap"><strong>memory=L&lt;inf, memory-swap=2*L</strong></td>
+      <td>
+        (specify memory without memory-swap) The container is not allowed to
+        use more than L bytes of memory, swap <i>plus</i> memory usage is double
+        of that.
+      </td>
+    </tr>
+    <tr>
+      <td class="no-wrap">
+          <strong>memory=L&lt;inf, memory-swap=S&lt;inf, L&lt;=S</strong>
+      </td>
+      <td>
+        (specify both memory and memory-swap) The container is not allowed to
+        use more than L bytes of memory, swap <i>plus</i> memory usage is limited
+        by S.
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+Examples:
+
+    $ docker run -it ubuntu:14.04 /bin/bash
+
+We set nothing about memory, this means the processes in the container can use
+as much memory and swap memory as they need.
+
+    $ docker run -it -m 300M --memory-swap -1 ubuntu:14.04 /bin/bash
+
+We set memory limit and disabled swap memory limit, this means the processes in
+the container can use 300M memory and as much swap memory as they need (if the
+host supports swap memory).
+
+    $ docker run -it -m 300M ubuntu:14.04 /bin/bash
+
+We set memory limit only, this means the processes in the container can use
+300M memory and 300M swap memory, by default, the total virtual memory size
+(--memory-swap) will be set as double of memory, in this case, memory + swap
+would be 2*300M, so processes can use 300M swap memory as well.
+
+    $ docker run -it -m 300M --memory-swap 1G ubuntu:14.04 /bin/bash
+
+We set both memory and swap memory, so the processes in the container can use
+300M memory and 700M swap memory.
+
+Memory reservation is a kind of memory soft limit that allows for greater
+sharing of memory. Under normal circumstances, containers can use as much of
+the memory as needed and are constrained only by the hard limits set with the
+`-m`/`--memory` option. When memory reservation is set, Docker detects memory
+contention or low memory and forces containers to restrict their consumption to
+a reservation limit.
+
+Always set the memory reservation value below the hard limit, otherwise the hard
+limit takes precedence. A reservation of 0 is the same as setting no
+reservation. By default (without reservation set), memory reservation is the
+same as the hard memory limit.
+
+Memory reservation is a soft-limit feature and does not guarantee the limit
+won't be exceeded. Instead, the feature attempts to ensure that, when memory is
+heavily contended for, memory is allocated based on the reservation hints/setup.
+
+The following example limits the memory (`-m`) to 500M and sets the memory
+reservation to 200M.
+
+```bash
+$ docker run -it -m 500M --memory-reservation 200M ubuntu:14.04 /bin/bash
+```
+
+Under this configuration, when the container consumes memory more than 200M and
+less than 500M, the next system memory reclaim attempts to shrink container
+memory below 200M.
+
+The following example set memory reservation to 1G without a hard memory limit.
+
+```bash
+$ docker run -it --memory-reservation 1G ubuntu:14.04 /bin/bash
+```
+
+The container can use as much memory as it needs. The memory reservation setting
+ensures the container doesn't consume too much memory for long time, because
+every memory reclaim shrinks the container's consumption to the reservation.
+
+By default, kernel kills processes in a container if an out-of-memory (OOM)
+error occurs. To change this behaviour, use the `--oom-kill-disable` option.
+Only disable the OOM killer on containers where you have also set the
+`-m/--memory` option. If the `-m` flag is not set, this can result in the host
+running out of memory and require killing the host's system processes to free
+memory.
+
+The following example limits the memory to 100M and disables the OOM killer for
+this container:
+
+    $ docker run -it -m 100M --oom-kill-disable ubuntu:14.04 /bin/bash
+
+The following example, illustrates a dangerous way to use the flag:
+
+    $ docker run -it --oom-kill-disable ubuntu:14.04 /bin/bash
+
+The container has unlimited memory which can cause the host to run out memory
+and require killing system processes to free memory. The `--oom-score-adj`
+parameter can be changed to select the priority of which containers will
+be killed when the system is out of memory, with negative scores making them
+less likely to be killed, and positive scores more likely.
+
+### Kernel memory constraints
+
+Kernel memory is fundamentally different than user memory as kernel memory can't
+be swapped out. The inability to swap makes it possible for the container to
+block system services by consuming too much kernel memory. Kernel memory includes：
+
+ - stack pages
+ - slab pages
+ - sockets memory pressure
+ - tcp memory pressure
+
+You can setup kernel memory limit to constrain these kinds of memory. For example,
+every process consumes some stack pages. By limiting kernel memory, you can
+prevent new processes from being created when the kernel memory usage is too high.
+
+Kernel memory is never completely independent of user memory. Instead, you limit
+kernel memory in the context of the user memory limit. Assume "U" is the user memory
+limit and "K" the kernel limit. There are three possible ways to set limits:
+
+<table>
+  <thead>
+    <tr>
+      <th>Option</th>
+      <th>Result</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td class="no-wrap"><strong>U != 0, K = inf</strong> (default)</td>
+      <td>
+        This is the standard memory limitation mechanism already present before using
+        kernel memory. Kernel memory is completely ignored.
+      </td>
+    </tr>
+    <tr>
+      <td class="no-wrap"><strong>U != 0, K &lt; U</strong></td>
+      <td>
+        Kernel memory is a subset of the user memory. This setup is useful in
+        deployments where the total amount of memory per-cgroup is overcommitted.
+        Overcommitting kernel memory limits is definitely not recommended, since the
+        box can still run out of non-reclaimable memory.
+        In this case, you can configure K so that the sum of all groups is
+        never greater than the total memory. Then, freely set U at the expense of
+        the system's service quality.
+      </td>
+    </tr>
+    <tr>
+      <td class="no-wrap"><strong>U != 0, K &gt; U</strong></td>
+      <td>
+        Since kernel memory charges are also fed to the user counter and reclamation
+        is triggered for the container for both kinds of memory. This configuration
+        gives the admin a unified view of memory. It is also useful for people
+        who just want to track kernel memory usage.
+      </td>
+    </tr>
+  </tbody>
+</table>
+
+Examples:
+
+    $ docker run -it -m 500M --kernel-memory 50M ubuntu:14.04 /bin/bash
+
+We set memory and kernel memory, so the processes in the container can use
+500M memory in total, in this 500M memory, it can be 50M kernel memory tops.
+
+    $ docker run -it --kernel-memory 50M ubuntu:14.04 /bin/bash
+
+We set kernel memory without **-m**, so the processes in the container can
+use as much memory as they want, but they can only use 50M kernel memory.
+
+### Swappiness constraint
+
+By default, a container's kernel can swap out a percentage of anonymous pages.
+To set this percentage for a container, specify a `--memory-swappiness` value
+between 0 and 100. A value of 0 turns off anonymous page swapping. A value of
+100 sets all anonymous pages as swappable. By default, if you are not using
+`--memory-swappiness`, memory swappiness value will be inherited from the parent.
+
+For example, you can set:
+
+    $ docker run -it --memory-swappiness=0 ubuntu:14.04 /bin/bash
+
+Setting the `--memory-swappiness` option is helpful when you want to retain the
+container's working set and to avoid swapping performance penalties.
+
+### CPU share constraint
+
+By default, all containers get the same proportion of CPU cycles. This proportion
+can be modified by changing the container's CPU share weighting relative
+to the weighting of all other running containers.
+
+To modify the proportion from the default of 1024, use the `-c` or `--cpu-shares`
+flag to set the weighting to 2 or higher. If 0 is set, the system will ignore the
+value and use the default of 1024.
+
+The proportion will only apply when CPU-intensive processes are running.
+When tasks in one container are idle, other containers can use the
+left-over CPU time. The actual amount of CPU time will vary depending on
+the number of containers running on the system.
+
+For example, consider three containers, one has a cpu-share of 1024 and
+two others have a cpu-share setting of 512. When processes in all three
+containers attempt to use 100% of CPU, the first container would receive
+50% of the total CPU time. If you add a fourth container with a cpu-share
+of 1024, the first container only gets 33% of the CPU. The remaining containers
+receive 16.5%, 16.5% and 33% of the CPU.
+
+On a multi-core system, the shares of CPU time are distributed over all CPU
+cores. Even if a container is limited to less than 100% of CPU time, it can
+use 100% of each individual CPU core.
+
+For example, consider a system with more than three cores. If you start one
+container `{C0}` with `-c=512` running one process, and another container
+`{C1}` with `-c=1024` running two processes, this can result in the following
+division of CPU shares:
+
+    PID    container	CPU	CPU share
+    100    {C0}		0	100% of CPU0
+    101    {C1}		1	100% of CPU1
+    102    {C1}		2	100% of CPU2
+
+### CPU period constraint
+
+The default CPU CFS (Completely Fair Scheduler) period is 100ms. We can use
+`--cpu-period` to set the period of CPUs to limit the container's CPU usage.
+And usually `--cpu-period` should work with `--cpu-quota`.
+
+Examples:
+
+    $ docker run -it --cpu-period=50000 --cpu-quota=25000 ubuntu:14.04 /bin/bash
+
+If there is 1 CPU, this means the container can get 50% CPU worth of run-time every 50ms.
+
+In addition to use `--cpu-period` and `--cpu-quota` for setting CPU period constraints,
+it is possible to specify `--cpus` with a float number to achieve the same purpose.
+For example, if there is 1 CPU, then `--cpus=0.5` will achieve the same result as
+setting `--cpu-period=50000` and `--cpu-quota=25000` (50% CPU).
+
+The default value for `--cpus` is `0.000`, which means there is no limit.
+
+For more information, see the [CFS documentation on bandwidth limiting](https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt).
+
+### Cpuset constraint
+
+We can set cpus in which to allow execution for containers.
+
+Examples:
+
+    $ docker run -it --cpuset-cpus="1,3" ubuntu:14.04 /bin/bash
+
+This means processes in container can be executed on cpu 1 and cpu 3.
+
+    $ docker run -it --cpuset-cpus="0-2" ubuntu:14.04 /bin/bash
+
+This means processes in container can be executed on cpu 0, cpu 1 and cpu 2.
+
+We can set mems in which to allow execution for containers. Only effective
+on NUMA systems.
+
+Examples:
+
+    $ docker run -it --cpuset-mems="1,3" ubuntu:14.04 /bin/bash
+
+This example restricts the processes in the container to only use memory from
+memory nodes 1 and 3.
+
+    $ docker run -it --cpuset-mems="0-2" ubuntu:14.04 /bin/bash
+
+This example restricts the processes in the container to only use memory from
+memory nodes 0, 1 and 2.
+
+### CPU quota constraint
+
+The `--cpu-quota` flag limits the container's CPU usage. The default 0 value
+allows the container to take 100% of a CPU resource (1 CPU). The CFS (Completely Fair
+Scheduler) handles resource allocation for executing processes and is default
+Linux Scheduler used by the kernel. Set this value to 50000 to limit the container
+to 50% of a CPU resource. For multiple CPUs, adjust the `--cpu-quota` as necessary.
+For more information, see the [CFS documentation on bandwidth limiting](https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt).
+
+### Block IO bandwidth (Blkio) constraint
+
+By default, all containers get the same proportion of block IO bandwidth
+(blkio). This proportion is 500. To modify this proportion, change the
+container's blkio weight relative to the weighting of all other running
+containers using the `--blkio-weight` flag.
+
+> **Note:** The blkio weight setting is only available for direct IO. Buffered IO
+> is not currently supported.
+
+The `--blkio-weight` flag can set the weighting to a value between 10 to 1000.
+For example, the commands below create two containers with different blkio
+weight:
+
+    $ docker run -it --name c1 --blkio-weight 300 ubuntu:14.04 /bin/bash
+    $ docker run -it --name c2 --blkio-weight 600 ubuntu:14.04 /bin/bash
+
+If you do block IO in the two containers at the same time, by, for example:
+
+    $ time dd if=/mnt/zerofile of=test.out bs=1M count=1024 oflag=direct
+
+You'll find that the proportion of time is the same as the proportion of blkio
+weights of the two containers.
+
+The `--blkio-weight-device="DEVICE_NAME:WEIGHT"` flag sets a specific device weight.
+The `DEVICE_NAME:WEIGHT` is a string containing a colon-separated device name and weight.
+For example, to set `/dev/sda` device weight to `200`:
+
+    $ docker run -it \
+        --blkio-weight-device "/dev/sda:200" \
+        ubuntu
+
+If you specify both the `--blkio-weight` and `--blkio-weight-device`, Docker
+uses the `--blkio-weight` as the default weight and uses `--blkio-weight-device`
+to override this default with a new value on a specific device.
+The following example uses a default weight of `300` and overrides this default
+on `/dev/sda` setting that weight to `200`:
+
+    $ docker run -it \
+        --blkio-weight 300 \
+        --blkio-weight-device "/dev/sda:200" \
+        ubuntu
+
+The `--device-read-bps` flag limits the read rate (bytes per second) from a device.
+For example, this command creates a container and limits the read rate to `1mb`
+per second from `/dev/sda`:
+
+    $ docker run -it --device-read-bps /dev/sda:1mb ubuntu
+
+The `--device-write-bps` flag limits the write rate (bytes per second)to a device.
+For example, this command creates a container and limits the write rate to `1mb`
+per second for `/dev/sda`:
+
+    $ docker run -it --device-write-bps /dev/sda:1mb ubuntu
+
+Both flags take limits in the `<device-path>:<limit>[unit]` format. Both read
+and write rates must be a positive integer. You can specify the rate in `kb`
+(kilobytes), `mb` (megabytes), or `gb` (gigabytes).
+
+The `--device-read-iops` flag limits read rate (IO per second) from a device.
+For example, this command creates a container and limits the read rate to
+`1000` IO per second from `/dev/sda`:
+
+    $ docker run -ti --device-read-iops /dev/sda:1000 ubuntu
+
+The `--device-write-iops` flag limits write rate (IO per second) to a device.
+For example, this command creates a container and limits the write rate to
+`1000` IO per second to `/dev/sda`:
+
+    $ docker run -ti --device-write-iops /dev/sda:1000 ubuntu
+
+Both flags take limits in the `<device-path>:<limit>` format. Both read and
+write rates must be a positive integer.
+
+## Additional groups
+    --group-add: Add additional groups to run as
+
+By default, the docker container process runs with the supplementary groups looked
+up for the specified user. If one wants to add more to that list of groups, then
+one can use this flag:
+
+    $ docker run --rm --group-add audio --group-add nogroup --group-add 777 busybox id
+    uid=0(root) gid=0(root) groups=10(wheel),29(audio),99(nogroup),777
+
+## Runtime privilege and Linux capabilities
+
+    --cap-add: Add Linux capabilities
+    --cap-drop: Drop Linux capabilities
+    --privileged=false: Give extended privileges to this container
+    --device=[]: Allows you to run devices inside the container without the --privileged flag.
+
+By default, Docker containers are "unprivileged" and cannot, for
+example, run a Docker daemon inside a Docker container. This is because
+by default a container is not allowed to access any devices, but a
+"privileged" container is given access to all devices (see
+the documentation on [cgroups devices](https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt)).
+
+When the operator executes `docker run --privileged`, Docker will enable
+access to all devices on the host as well as set some configuration
+in AppArmor or SELinux to allow the container nearly all the same access to the
+host as processes running outside containers on the host. Additional
+information about running with `--privileged` is available on the
+[Docker Blog](http://blog.docker.com/2013/09/docker-can-now-run-within-docker/).
+
+If you want to limit access to a specific device or devices you can use
+the `--device` flag. It allows you to specify one or more devices that
+will be accessible within the container.
+
+    $ docker run --device=/dev/snd:/dev/snd ...
+
+By default, the container will be able to `read`, `write`, and `mknod` these devices.
+This can be overridden using a third `:rwm` set of options to each `--device` flag:
+
+    $ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk  /dev/xvdc
+
+    Command (m for help): q
+    $ docker run --device=/dev/sda:/dev/xvdc:r --rm -it ubuntu fdisk  /dev/xvdc
+    You will not be able to write the partition table.
+
+    Command (m for help): q
+
+    $ docker run --device=/dev/sda:/dev/xvdc:w --rm -it ubuntu fdisk  /dev/xvdc
+        crash....
+
+    $ docker run --device=/dev/sda:/dev/xvdc:m --rm -it ubuntu fdisk  /dev/xvdc
+    fdisk: unable to open /dev/xvdc: Operation not permitted
+
+In addition to `--privileged`, the operator can have fine grain control over the
+capabilities using `--cap-add` and `--cap-drop`. By default, Docker has a default
+list of capabilities that are kept. The following table lists the Linux capability
+options which are allowed by default and can be dropped.
+
+| Capability Key   | Capability Description                                                                                                        |
+|:-----------------|:------------------------------------------------------------------------------------------------------------------------------|
+| SETPCAP          | Modify process capabilities.                                                                                                  |
+| MKNOD            | Create special files using mknod(2).                                                                                          |
+| AUDIT_WRITE      | Write records to kernel auditing log.                                                                                         |
+| CHOWN            | Make arbitrary changes to file UIDs and GIDs (see chown(2)).                                                                  |
+| NET_RAW          | Use RAW and PACKET sockets.                                                                                                   |
+| DAC_OVERRIDE     | Bypass file read, write, and execute permission checks.                                                                       |
+| FOWNER           | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
+| FSETID           | Don't clear set-user-ID and set-group-ID permission bits when a file is modified.                                             |
+| KILL             | Bypass permission checks for sending signals.                                                                                 |
+| SETGID           | Make arbitrary manipulations of process GIDs and supplementary GID list.                                                      |
+| SETUID           | Make arbitrary manipulations of process UIDs.                                                                                 |
+| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024).                                              |
+| SYS_CHROOT       | Use chroot(2), change root directory.                                                                                         |
+| SETFCAP          | Set file capabilities.                                                                                                        |
+
+The next table shows the capabilities which are not granted by default and may be added.
+
+| Capability Key  | Capability Description                                                                                          |
+|:----------------|:----------------------------------------------------------------------------------------------------------------|
+| SYS_MODULE      | Load and unload kernel modules.                                                                                 |
+| SYS_RAWIO       | Perform I/O port operations (iopl(2) and ioperm(2)).                                                            |
+| SYS_PACCT       | Use acct(2), switch process accounting on or off.                                                               |
+| SYS_ADMIN       | Perform a range of system administration operations.                                                            |
+| SYS_NICE        | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.           |
+| SYS_RESOURCE    | Override resource Limits.                                                                                       |
+| SYS_TIME        | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.                      |
+| SYS_TTY_CONFIG  | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.                             |
+| AUDIT_CONTROL   | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
+| MAC_ADMIN       | Allow MAC configuration or state changes. Implemented for the Smack LSM.                                        |
+| MAC_OVERRIDE    | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).                 |
+| NET_ADMIN       | Perform various network-related operations.                                                                     |
+| SYSLOG          | Perform privileged syslog(2) operations.                                                                        |
+| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks.                            |
+| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.                                                          |
+| NET_BROADCAST   | Make socket broadcasts, and listen to multicasts.                                                               |
+| IPC_LOCK        | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).                                                        |
+| IPC_OWNER       | Bypass permission checks for operations on System V IPC objects.                                                |
+| SYS_PTRACE      | Trace arbitrary processes using ptrace(2).                                                                      |
+| SYS_BOOT        | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.                              |
+| LEASE           | Establish leases on arbitrary files (see fcntl(2)).                                                             |
+| WAKE_ALARM      | Trigger something that will wake up the system.                                                                 |
+| BLOCK_SUSPEND   | Employ features that can block system suspend.                                                                  |
+
+Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
+
+Both flags support the value `ALL`, so if the
+operator wants to have all capabilities but `MKNOD` they could use:
+
+    $ docker run --cap-add=ALL --cap-drop=MKNOD ...
+
+For interacting with the network stack, instead of using `--privileged` they
+should use `--cap-add=NET_ADMIN` to modify the network interfaces.
+
+    $ docker run -it --rm  ubuntu:14.04 ip link add dummy0 type dummy
+    RTNETLINK answers: Operation not permitted
+    $ docker run -it --rm --cap-add=NET_ADMIN ubuntu:14.04 ip link add dummy0 type dummy
+
+To mount a FUSE based filesystem, you need to combine both `--cap-add` and
+`--device`:
+
+    $ docker run --rm -it --cap-add SYS_ADMIN sshfs sshfs sven@10.10.10.20:/home/sven /mnt
+    fuse: failed to open /dev/fuse: Operation not permitted
+    $ docker run --rm -it --device /dev/fuse sshfs sshfs sven@10.10.10.20:/home/sven /mnt
+    fusermount: mount failed: Operation not permitted
+    $ docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse sshfs
+    # sshfs sven@10.10.10.20:/home/sven /mnt
+    The authenticity of host '10.10.10.20 (10.10.10.20)' can't be established.
+    ECDSA key fingerprint is 25:34:85:75:25:b0:17:46:05:19:04:93:b5:dd:5f:c6.
+    Are you sure you want to continue connecting (yes/no)? yes
+    sven@10.10.10.20's password:
+    root@30aa0cfaf1b5:/# ls -la /mnt/src/docker
+    total 1516
+    drwxrwxr-x 1 1000 1000   4096 Dec  4 06:08 .
+    drwxrwxr-x 1 1000 1000   4096 Dec  4 11:46 ..
+    -rw-rw-r-- 1 1000 1000     16 Oct  8 00:09 .dockerignore
+    -rwxrwxr-x 1 1000 1000    464 Oct  8 00:09 .drone.yml
+    drwxrwxr-x 1 1000 1000   4096 Dec  4 06:11 .git
+    -rw-rw-r-- 1 1000 1000    461 Dec  4 06:08 .gitignore
+    ....
+
+The default seccomp profile will adjust to the selected capabilities, in order to allow
+use of facilities allowed by the capabilities, so you should not have to adjust this,
+since Docker 1.12. In Docker 1.10 and 1.11 this did not happen and it may be necessary
+to use a custom seccomp profile or use `--security-opt seccomp=unconfined` when adding
+capabilities.
+
+## Logging drivers (--log-driver)
+
+The container can have a different logging driver than the Docker daemon. Use
+the `--log-driver=VALUE` with the `docker run` command to configure the
+container's logging driver. The following options are supported:
+
+| Driver      | Description                                                                                                                   |
+|:------------|:------------------------------------------------------------------------------------------------------------------------------|
+| `none`      | Disables any logging for the container. `docker logs` won't be available with this driver.                                    |
+| `json-file` | Default logging driver for Docker. Writes JSON messages to file.  No logging options are supported for this driver.           |
+| `syslog`    | Syslog logging driver for Docker. Writes log messages to syslog.                                                              |
+| `journald`  | Journald logging driver for Docker. Writes log messages to `journald`.                                                        |
+| `gelf`      | Graylog Extended Log Format (GELF) logging driver for Docker. Writes log messages to a GELF endpoint likeGraylog or Logstash. |
+| `fluentd`   | Fluentd logging driver for Docker. Writes log messages to `fluentd` (forward input).                                          |
+| `awslogs`   | Amazon CloudWatch Logs logging driver for Docker. Writes log messages to Amazon CloudWatch Logs                               |
+| `splunk`    | Splunk logging driver for Docker. Writes log messages to `splunk` using Event Http Collector.                                 |
+
+The `docker logs` command is available only for the `json-file` and `journald`
+logging drivers.  For detailed information on working with logging drivers, see
+[Configure logging drivers](https://docs.docker.com/config/containers/logging/configure/).
+
+
+## Overriding Dockerfile image defaults
+
+When a developer builds an image from a [*Dockerfile*](builder.md)
+or when she commits it, the developer can set a number of default parameters
+that take effect when the image starts up as a container.
+
+Four of the Dockerfile commands cannot be overridden at runtime: `FROM`,
+`MAINTAINER`, `RUN`, and `ADD`. Everything else has a corresponding override
+in `docker run`. We'll go through what the developer might have set in each
+Dockerfile instruction and how the operator can override that setting.
+
+ - [CMD (Default Command or Options)](#cmd-default-command-or-options)
+ - [ENTRYPOINT (Default Command to Execute at Runtime)](
+    #entrypoint-default-command-to-execute-at-runtime)
+ - [EXPOSE (Incoming Ports)](#expose-incoming-ports)
+ - [ENV (Environment Variables)](#env-environment-variables)
+ - [HEALTHCHECK](#healthcheck)
+ - [VOLUME (Shared Filesystems)](#volume-shared-filesystems)
+ - [USER](#user)
+ - [WORKDIR](#workdir)
+
+### CMD (default command or options)
+
+Recall the optional `COMMAND` in the Docker
+commandline:
+
+    $ docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]
+
+This command is optional because the person who created the `IMAGE` may
+have already provided a default `COMMAND` using the Dockerfile `CMD`
+instruction. As the operator (the person running a container from the
+image), you can override that `CMD` instruction just by specifying a new
+`COMMAND`.
+
+If the image also specifies an `ENTRYPOINT` then the `CMD` or `COMMAND`
+get appended as arguments to the `ENTRYPOINT`.
+
+### ENTRYPOINT (default command to execute at runtime)
+
+    --entrypoint="": Overwrite the default entrypoint set by the image
+
+The `ENTRYPOINT` of an image is similar to a `COMMAND` because it
+specifies what executable to run when the container starts, but it is
+(purposely) more difficult to override. The `ENTRYPOINT` gives a
+container its default nature or behavior, so that when you set an
+`ENTRYPOINT` you can run the container *as if it were that binary*,
+complete with default options, and you can pass in more options via the
+`COMMAND`. But, sometimes an operator may want to run something else
+inside the container, so you can override the default `ENTRYPOINT` at
+runtime by using a string to specify the new `ENTRYPOINT`. Here is an
+example of how to run a shell in a container that has been set up to
+automatically run something else (like `/usr/bin/redis-server`):
+
+    $ docker run -it --entrypoint /bin/bash example/redis
+
+or two examples of how to pass more parameters to that ENTRYPOINT:
+
+    $ docker run -it --entrypoint /bin/bash example/redis -c ls -l
+    $ docker run -it --entrypoint /usr/bin/redis-cli example/redis --help
+
+You can reset a containers entrypoint by passing an empty string, for example:
+
+    $ docker run -it --entrypoint="" mysql bash
+
+> **Note**: Passing `--entrypoint` will clear out any default command set on the
+> image (i.e. any `CMD` instruction in the Dockerfile used to build it).
+
+### EXPOSE (incoming ports)
+
+The following `run` command options work with container networking:
+
+    --expose=[]: Expose a port or a range of ports inside the container.
+                 These are additional to those exposed by the `EXPOSE` instruction
+    -P         : Publish all exposed ports to the host interfaces
+    -p=[]      : Publish a container᾿s port or a range of ports to the host
+                   format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
+                   Both hostPort and containerPort can be specified as a
+                   range of ports. When specifying ranges for both, the
+                   number of container ports in the range must match the
+                   number of host ports in the range, for example:
+                       -p 1234-1236:1234-1236/tcp
+
+                   When specifying a range for hostPort only, the
+                   containerPort must not be a range.  In this case the
+                   container port is published somewhere within the
+                   specified hostPort range. (e.g., `-p 1234-1236:1234/tcp`)
+
+                   (use 'docker port' to see the actual mapping)
+
+    --link=""  : Add link to another container (<name or id>:alias or <name or id>)
+
+With the exception of the `EXPOSE` directive, an image developer hasn't
+got much control over networking. The `EXPOSE` instruction defines the
+initial incoming ports that provide services. These ports are available
+to processes inside the container. An operator can use the `--expose`
+option to add to the exposed ports.
+
+To expose a container's internal port, an operator can start the
+container with the `-P` or `-p` flag. The exposed port is accessible on
+the host and the ports are available to any client that can reach the
+host.
+
+The `-P` option publishes all the ports to the host interfaces. Docker
+binds each exposed port to a random port on the host. The range of
+ports are within an *ephemeral port range* defined by
+`/proc/sys/net/ipv4/ip_local_port_range`. Use the `-p` flag to
+explicitly map a single port or range of ports.
+
+The port number inside the container (where the service listens) does
+not need to match the port number exposed on the outside of the
+container (where clients connect). For example, inside the container an
+HTTP service is listening on port 80 (and so the image developer
+specifies `EXPOSE 80` in the Dockerfile). At runtime, the port might be
+bound to 42800 on the host. To find the mapping between the host ports
+and the exposed ports, use `docker port`.
+
+If the operator uses `--link` when starting a new client container in the
+default bridge network, then the client container can access the exposed
+port via a private networking interface.
+If `--link` is used when starting a container in a user-defined network as
+described in [*Networking overview*](https://docs.docker.com/network/),
+it will provide a named alias for the container being linked to.
+
+### ENV (environment variables)
+
+Docker automatically sets some environment variables when creating a Linux
+container. Docker does not set any environment variables when creating a Windows
+container.
+
+The following environment variables are set for Linux containers:
+
+| Variable   | Value                                                                                                |
+|:-----------|:-----------------------------------------------------------------------------------------------------|
+| `HOME`     | Set based on the value of `USER`                                                                     |
+| `HOSTNAME` | The hostname associated with the container                                                           |
+| `PATH`     | Includes popular directories, such as `/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin` |
+| `TERM`     | `xterm` if the container is allocated a pseudo-TTY                                                   |
+
+
+Additionally, the operator can **set any environment variable** in the
+container by using one or more `-e` flags, even overriding those mentioned
+above, or already defined by the developer with a Dockerfile `ENV`. If the
+operator names an environment variable without specifying a value, then the
+current value of the named variable is propagated into the container's environment:
+
+```bash
+$ export today=Wednesday
+$ docker run -e "deep=purple" -e today --rm alpine env
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+HOSTNAME=d2219b854598
+deep=purple
+today=Wednesday
+HOME=/root
+```
+
+```PowerShell
+PS C:\> docker run --rm -e "foo=bar" microsoft/nanoserver cmd /s /c set
+ALLUSERSPROFILE=C:\ProgramData
+APPDATA=C:\Users\ContainerAdministrator\AppData\Roaming
+CommonProgramFiles=C:\Program Files\Common Files
+CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
+CommonProgramW6432=C:\Program Files\Common Files
+COMPUTERNAME=C2FAEFCC8253
+ComSpec=C:\Windows\system32\cmd.exe
+foo=bar
+LOCALAPPDATA=C:\Users\ContainerAdministrator\AppData\Local
+NUMBER_OF_PROCESSORS=8
+OS=Windows_NT
+Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\ContainerAdministrator\AppData\Local\Microsoft\WindowsApps
+PATHEXT=.COM;.EXE;.BAT;.CMD
+PROCESSOR_ARCHITECTURE=AMD64
+PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 62 Stepping 4, GenuineIntel
+PROCESSOR_LEVEL=6
+PROCESSOR_REVISION=3e04
+ProgramData=C:\ProgramData
+ProgramFiles=C:\Program Files
+ProgramFiles(x86)=C:\Program Files (x86)
+ProgramW6432=C:\Program Files
+PROMPT=$P$G
+PUBLIC=C:\Users\Public
+SystemDrive=C:
+SystemRoot=C:\Windows
+TEMP=C:\Users\ContainerAdministrator\AppData\Local\Temp
+TMP=C:\Users\ContainerAdministrator\AppData\Local\Temp
+USERDOMAIN=User Manager
+USERNAME=ContainerAdministrator
+USERPROFILE=C:\Users\ContainerAdministrator
+windir=C:\Windows
+```
+
+Similarly the operator can set the **HOSTNAME** (Linux) or **COMPUTERNAME** (Windows) with `-h`.
+
+### HEALTHCHECK
+
+```
+  --health-cmd            Command to run to check health
+  --health-interval       Time between running the check
+  --health-retries        Consecutive failures needed to report unhealthy
+  --health-timeout        Maximum time to allow one check to run
+  --health-start-period   Start period for the container to initialize before starting health-retries countdown
+  --no-healthcheck        Disable any container-specified HEALTHCHECK
+```
+
+Example:
+
+    {% raw %}
+    $ docker run --name=test -d \
+        --health-cmd='stat /etc/passwd || exit 1' \
+        --health-interval=2s \
+        busybox sleep 1d
+    $ sleep 2; docker inspect --format='{{.State.Health.Status}}' test
+    healthy
+    $ docker exec test rm /etc/passwd
+    $ sleep 2; docker inspect --format='{{json .State.Health}}' test
+    {
+      "Status": "unhealthy",
+      "FailingStreak": 3,
+      "Log": [
+        {
+          "Start": "2016-05-25T17:22:04.635478668Z",
+          "End": "2016-05-25T17:22:04.7272552Z",
+          "ExitCode": 0,
+          "Output": "  File: /etc/passwd\n  Size: 334       \tBlocks: 8          IO Block: 4096   regular file\nDevice: 32h/50d\tInode: 12          Links: 1\nAccess: (0664/-rw-rw-r--)  Uid: (    0/    root)   Gid: (    0/    root)\nAccess: 2015-12-05 22:05:32.000000000\nModify: 2015..."
+        },
+        {
+          "Start": "2016-05-25T17:22:06.732900633Z",
+          "End": "2016-05-25T17:22:06.822168935Z",
+          "ExitCode": 0,
+          "Output": "  File: /etc/passwd\n  Size: 334       \tBlocks: 8          IO Block: 4096   regular file\nDevice: 32h/50d\tInode: 12          Links: 1\nAccess: (0664/-rw-rw-r--)  Uid: (    0/    root)   Gid: (    0/    root)\nAccess: 2015-12-05 22:05:32.000000000\nModify: 2015..."
+        },
+        {
+          "Start": "2016-05-25T17:22:08.823956535Z",
+          "End": "2016-05-25T17:22:08.897359124Z",
+          "ExitCode": 1,
+          "Output": "stat: can't stat '/etc/passwd': No such file or directory\n"
+        },
+        {
+          "Start": "2016-05-25T17:22:10.898802931Z",
+          "End": "2016-05-25T17:22:10.969631866Z",
+          "ExitCode": 1,
+          "Output": "stat: can't stat '/etc/passwd': No such file or directory\n"
+        },
+        {
+          "Start": "2016-05-25T17:22:12.971033523Z",
+          "End": "2016-05-25T17:22:13.082015516Z",
+          "ExitCode": 1,
+          "Output": "stat: can't stat '/etc/passwd': No such file or directory\n"
+        }
+      ]
+    }
+    {% endraw %}
+
+The health status is also displayed in the `docker ps` output.
+
+### TMPFS (mount tmpfs filesystems)
+
+```bash
+--tmpfs=[]: Create a tmpfs mount with: container-dir[:<options>],
+            where the options are identical to the Linux
+            'mount -t tmpfs -o' command.
+```
+
+The example below mounts an empty tmpfs into the container with the `rw`,
+`noexec`, `nosuid`, and `size=65536k` options.
+
+    $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image
+
+### VOLUME (shared filesystems)
+
+    -v, --volume=[host-src:]container-dest[:<options>]: Bind mount a volume.
+    The comma-delimited `options` are [rw|ro], [z|Z],
+    [[r]shared|[r]slave|[r]private], and [nocopy].
+    The 'host-src' is an absolute path or a name value.
+
+    If neither 'rw' or 'ro' is specified then the volume is mounted in
+    read-write mode.
+
+    The `nocopy` modes is used to disable automatic copying requested volume
+    path in the container to the volume storage location.
+    For named volumes, `copy` is the default mode. Copy modes are not supported
+    for bind-mounted volumes.
+
+    --volumes-from="": Mount all volumes from the given container(s)
+
+> **Note**:
+> When using systemd to manage the Docker daemon's start and stop, in the systemd
+> unit file there is an option to control mount propagation for the Docker daemon
+> itself, called `MountFlags`. The value of this setting may cause Docker to not
+> see mount propagation changes made on the mount point. For example, if this value
+> is `slave`, you may not be able to use the `shared` or `rshared` propagation on
+> a volume.
+
+The volumes commands are complex enough to have their own documentation
+in section [*Use volumes*](https://docs.docker.com/storage/volumes/). A developer can define
+one or more `VOLUME`'s associated with an image, but only the operator
+can give access from one container to another (or from a container to a
+volume mounted on the host).
+
+The `container-dest` must always be an absolute path such as `/src/docs`.
+The `host-src` can either be an absolute path or a `name` value. If you
+supply an absolute path for the `host-dir`, Docker bind-mounts to the path
+you specify. If you supply a `name`, Docker creates a named volume by that `name`.
+
+A `name` value must start with an alphanumeric character,
+followed by `a-z0-9`, `_` (underscore), `.` (period) or `-` (hyphen).
+An absolute path starts with a `/` (forward slash).
+
+For example, you can specify either `/foo` or `foo` for a `host-src` value.
+If you supply the `/foo` value, Docker creates a bind mount. If you supply
+the `foo` specification, Docker creates a named volume.
+
+### USER
+
+`root` (id = 0) is the default user within a container. The image developer can
+create additional users. Those users are accessible by name.  When passing a numeric
+ID, the user does not have to exist in the container.
+
+The developer can set a default user to run the first process with the
+Dockerfile `USER` instruction. When starting a container, the operator can override
+the `USER` instruction by passing the `-u` option.
+
+    -u="", --user="": Sets the username or UID used and optionally the groupname or GID for the specified command.
+
+    The followings examples are all valid:
+    --user=[ user | user:group | uid | uid:gid | user:gid | uid:group ]
+
+> **Note:** if you pass a numeric uid, it must be in the range of 0-2147483647.
+
+### WORKDIR
+
+The default working directory for running binaries within a container is the
+root directory (`/`), but the developer can set a different default with the
+Dockerfile `WORKDIR` command. The operator can override this with:
+
+    -w="": Working directory inside the container
diff --git a/cli/docs/yaml/Dockerfile b/cli/docs/yaml/Dockerfile
new file mode 100644
index 00000000..059b97a9
--- /dev/null
+++ b/cli/docs/yaml/Dockerfile
@@ -0,0 +1,4 @@
+FROM scratch
+COPY docs /docs
+# CMD cannot be nil so we set it to empty string
+CMD  [""]
diff --git a/cli/docs/yaml/generate.go b/cli/docs/yaml/generate.go
new file mode 100644
index 00000000..3603c97c
--- /dev/null
+++ b/cli/docs/yaml/generate.go
@@ -0,0 +1,86 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/commands"
+	"github.com/docker/docker/pkg/term"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+const descriptionSourcePath = "docs/reference/commandline/"
+
+func generateCliYaml(opts *options) error {
+	stdin, stdout, stderr := term.StdStreams()
+	dockerCli := command.NewDockerCli(stdin, stdout, stderr, false)
+	cmd := &cobra.Command{Use: "docker"}
+	commands.AddCommands(cmd, dockerCli)
+	source := filepath.Join(opts.source, descriptionSourcePath)
+	if err := loadLongDescription(cmd, source); err != nil {
+		return err
+	}
+
+	cmd.DisableAutoGenTag = true
+	return GenYamlTree(cmd, opts.target)
+}
+
+func loadLongDescription(cmd *cobra.Command, path ...string) error {
+	for _, cmd := range cmd.Commands() {
+		if cmd.Name() == "" {
+			continue
+		}
+		fullpath := filepath.Join(path[0], strings.Join(append(path[1:], cmd.Name()), "_")+".md")
+
+		if cmd.HasSubCommands() {
+			loadLongDescription(cmd, path[0], cmd.Name())
+		}
+
+		if _, err := os.Stat(fullpath); err != nil {
+			log.Printf("WARN: %s does not exist, skipping\n", fullpath)
+			continue
+		}
+
+		content, err := ioutil.ReadFile(fullpath)
+		if err != nil {
+			return err
+		}
+		description, examples := parseMDContent(string(content))
+		cmd.Long = description
+		cmd.Example = examples
+	}
+	return nil
+}
+
+type options struct {
+	source string
+	target string
+}
+
+func parseArgs() (*options, error) {
+	opts := &options{}
+	cwd, _ := os.Getwd()
+	flags := pflag.NewFlagSet(os.Args[0], pflag.ContinueOnError)
+	flags.StringVar(&opts.source, "root", cwd, "Path to project root")
+	flags.StringVar(&opts.target, "target", "/tmp", "Target path for generated yaml files")
+	err := flags.Parse(os.Args[1:])
+	return opts, err
+}
+
+func main() {
+	opts, err := parseArgs()
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err.Error())
+	}
+	fmt.Printf("Project root: %s\n", opts.source)
+	fmt.Printf("Generating yaml files into %s\n", opts.target)
+	if err := generateCliYaml(opts); err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to generate yaml files: %s\n", err.Error())
+	}
+}
diff --git a/cli/docs/yaml/yaml.go b/cli/docs/yaml/yaml.go
new file mode 100644
index 00000000..82c90973
--- /dev/null
+++ b/cli/docs/yaml/yaml.go
@@ -0,0 +1,270 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	yaml "gopkg.in/yaml.v2"
+)
+
+type cmdOption struct {
+	Option          string
+	Shorthand       string `yaml:",omitempty"`
+	ValueType       string `yaml:"value_type,omitempty"`
+	DefaultValue    string `yaml:"default_value,omitempty"`
+	Description     string `yaml:",omitempty"`
+	Deprecated      bool
+	MinAPIVersion   string `yaml:"min_api_version,omitempty"`
+	Experimental    bool
+	ExperimentalCLI bool
+	Kubernetes      bool
+	Swarm           bool
+	OSType          string `yaml:"os_type,omitempty"`
+}
+
+type cmdDoc struct {
+	Name             string      `yaml:"command"`
+	SeeAlso          []string    `yaml:"parent,omitempty"`
+	Version          string      `yaml:"engine_version,omitempty"`
+	Aliases          string      `yaml:",omitempty"`
+	Short            string      `yaml:",omitempty"`
+	Long             string      `yaml:",omitempty"`
+	Usage            string      `yaml:",omitempty"`
+	Pname            string      `yaml:",omitempty"`
+	Plink            string      `yaml:",omitempty"`
+	Cname            []string    `yaml:",omitempty"`
+	Clink            []string    `yaml:",omitempty"`
+	Options          []cmdOption `yaml:",omitempty"`
+	InheritedOptions []cmdOption `yaml:"inherited_options,omitempty"`
+	Example          string      `yaml:"examples,omitempty"`
+	Deprecated       bool
+	MinAPIVersion    string `yaml:"min_api_version,omitempty"`
+	Experimental     bool
+	ExperimentalCLI  bool
+	Kubernetes       bool
+	Swarm            bool
+	OSType           string `yaml:"os_type,omitempty"`
+}
+
+// GenYamlTree creates yaml structured ref files
+func GenYamlTree(cmd *cobra.Command, dir string) error {
+	emptyStr := func(s string) string { return "" }
+	return GenYamlTreeCustom(cmd, dir, emptyStr)
+}
+
+// GenYamlTreeCustom creates yaml structured ref files
+func GenYamlTreeCustom(cmd *cobra.Command, dir string, filePrepender func(string) string) error {
+	for _, c := range cmd.Commands() {
+		if !c.IsAvailableCommand() || c.IsAdditionalHelpTopicCommand() {
+			continue
+		}
+		if err := GenYamlTreeCustom(c, dir, filePrepender); err != nil {
+			return err
+		}
+	}
+
+	basename := strings.Replace(cmd.CommandPath(), " ", "_", -1) + ".yaml"
+	filename := filepath.Join(dir, basename)
+	f, err := os.Create(filename)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	if _, err := io.WriteString(f, filePrepender(filename)); err != nil {
+		return err
+	}
+	return GenYamlCustom(cmd, f)
+}
+
+// GenYamlCustom creates custom yaml output
+// nolint: gocyclo
+func GenYamlCustom(cmd *cobra.Command, w io.Writer) error {
+	cliDoc := cmdDoc{}
+	cliDoc.Name = cmd.CommandPath()
+
+	cliDoc.Aliases = strings.Join(cmd.Aliases, ", ")
+	cliDoc.Short = cmd.Short
+	cliDoc.Long = cmd.Long
+	if len(cliDoc.Long) == 0 {
+		cliDoc.Long = cliDoc.Short
+	}
+
+	if cmd.Runnable() {
+		cliDoc.Usage = cmd.UseLine()
+	}
+
+	if len(cmd.Example) > 0 {
+		cliDoc.Example = cmd.Example
+	}
+	if len(cmd.Deprecated) > 0 {
+		cliDoc.Deprecated = true
+	}
+	// Check recursively so that, e.g., `docker stack ls` returns the same output as `docker stack`
+	for curr := cmd; curr != nil; curr = curr.Parent() {
+		if v, ok := curr.Annotations["version"]; ok && cliDoc.MinAPIVersion == "" {
+			cliDoc.MinAPIVersion = v
+		}
+		if _, ok := curr.Annotations["experimental"]; ok && !cliDoc.Experimental {
+			cliDoc.Experimental = true
+		}
+		if _, ok := curr.Annotations["experimentalCLI"]; ok && !cliDoc.ExperimentalCLI {
+			cliDoc.ExperimentalCLI = true
+		}
+		if _, ok := curr.Annotations["kubernetes"]; ok && !cliDoc.Kubernetes {
+			cliDoc.Kubernetes = true
+		}
+		if _, ok := curr.Annotations["swarm"]; ok && !cliDoc.Swarm {
+			cliDoc.Swarm = true
+		}
+		if os, ok := curr.Annotations["ostype"]; ok && cliDoc.OSType == "" {
+			cliDoc.OSType = os
+		}
+	}
+
+	flags := cmd.NonInheritedFlags()
+	if flags.HasFlags() {
+		cliDoc.Options = genFlagResult(flags)
+	}
+	flags = cmd.InheritedFlags()
+	if flags.HasFlags() {
+		cliDoc.InheritedOptions = genFlagResult(flags)
+	}
+
+	if hasSeeAlso(cmd) {
+		if cmd.HasParent() {
+			parent := cmd.Parent()
+			cliDoc.Pname = parent.CommandPath()
+			link := cliDoc.Pname + ".yaml"
+			cliDoc.Plink = strings.Replace(link, " ", "_", -1)
+			cmd.VisitParents(func(c *cobra.Command) {
+				if c.DisableAutoGenTag {
+					cmd.DisableAutoGenTag = c.DisableAutoGenTag
+				}
+			})
+		}
+
+		children := cmd.Commands()
+		sort.Sort(byName(children))
+
+		for _, child := range children {
+			if !child.IsAvailableCommand() || child.IsAdditionalHelpTopicCommand() {
+				continue
+			}
+			currentChild := cliDoc.Name + " " + child.Name()
+			cliDoc.Cname = append(cliDoc.Cname, cliDoc.Name+" "+child.Name())
+			link := currentChild + ".yaml"
+			cliDoc.Clink = append(cliDoc.Clink, strings.Replace(link, " ", "_", -1))
+		}
+	}
+
+	final, err := yaml.Marshal(&cliDoc)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	if _, err := fmt.Fprintln(w, string(final)); err != nil {
+		return err
+	}
+	return nil
+}
+
+func genFlagResult(flags *pflag.FlagSet) []cmdOption {
+	var (
+		result []cmdOption
+		opt    cmdOption
+	)
+
+	flags.VisitAll(func(flag *pflag.Flag) {
+		opt = cmdOption{
+			Option:       flag.Name,
+			ValueType:    flag.Value.Type(),
+			DefaultValue: forceMultiLine(flag.DefValue),
+			Description:  forceMultiLine(flag.Usage),
+			Deprecated:   len(flag.Deprecated) > 0,
+		}
+
+		// Todo, when we mark a shorthand is deprecated, but specify an empty message.
+		// The flag.ShorthandDeprecated is empty as the shorthand is deprecated.
+		// Using len(flag.ShorthandDeprecated) > 0 can't handle this, others are ok.
+		if !(len(flag.ShorthandDeprecated) > 0) && len(flag.Shorthand) > 0 {
+			opt.Shorthand = flag.Shorthand
+		}
+		if _, ok := flag.Annotations["experimental"]; ok {
+			opt.Experimental = true
+		}
+		if v, ok := flag.Annotations["version"]; ok {
+			opt.MinAPIVersion = v[0]
+		}
+		if _, ok := flag.Annotations["experimentalCLI"]; ok {
+			opt.ExperimentalCLI = true
+		}
+		if _, ok := flag.Annotations["kubernetes"]; ok {
+			opt.Kubernetes = true
+		}
+		if _, ok := flag.Annotations["swarm"]; ok {
+			opt.Swarm = true
+		}
+
+		// Note that the annotation can have multiple ostypes set, however, multiple
+		// values are currently not used (and unlikely will).
+		//
+		// To simplify usage of the os_type property in the YAML, and for consistency
+		// with the same property for commands, we're only using the first ostype that's set.
+		if ostypes, ok := flag.Annotations["ostype"]; ok && len(opt.OSType) == 0 && len(ostypes) > 0 {
+			opt.OSType = ostypes[0]
+		}
+
+		result = append(result, opt)
+	})
+
+	return result
+}
+
+// Temporary workaround for yaml lib generating incorrect yaml with long strings
+// that do not contain \n.
+func forceMultiLine(s string) string {
+	if len(s) > 60 && !strings.Contains(s, "\n") {
+		s = s + "\n"
+	}
+	return s
+}
+
+// Small duplication for cobra utils
+func hasSeeAlso(cmd *cobra.Command) bool {
+	if cmd.HasParent() {
+		return true
+	}
+	for _, c := range cmd.Commands() {
+		if !c.IsAvailableCommand() || c.IsAdditionalHelpTopicCommand() {
+			continue
+		}
+		return true
+	}
+	return false
+}
+
+func parseMDContent(mdString string) (description string, examples string) {
+	parsedContent := strings.Split(mdString, "\n## ")
+	for _, s := range parsedContent {
+		if strings.Index(s, "Description") == 0 {
+			description = strings.TrimSpace(strings.TrimPrefix(s, "Description"))
+		}
+		if strings.Index(s, "Examples") == 0 {
+			examples = strings.TrimSpace(strings.TrimPrefix(s, "Examples"))
+		}
+	}
+	return description, examples
+}
+
+type byName []*cobra.Command
+
+func (s byName) Len() int           { return len(s) }
+func (s byName) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+func (s byName) Less(i, j int) bool { return s[i].Name() < s[j].Name() }
diff --git a/cli/e2e/compose-env.yaml b/cli/e2e/compose-env.yaml
new file mode 100644
index 00000000..76eda15a
--- /dev/null
+++ b/cli/e2e/compose-env.yaml
@@ -0,0 +1,18 @@
+version: '2.1'
+
+services:
+  registry:
+    image: 'registry:2'
+
+  engine:
+      image: 'docker:${TEST_ENGINE_VERSION:-edge-dind}'
+      privileged: true
+      command: ['--insecure-registry=registry:5000']
+
+  notary-server:
+      build:
+        context: ./testdata
+        dockerfile: Dockerfile.notary-server
+      ports:
+        - 4443:4443
+      command: ['notary-server', '-config=/fixtures/notary-config.json']
diff --git a/cli/e2e/container/attach_test.go b/cli/e2e/container/attach_test.go
new file mode 100644
index 00000000..3be6c2ae
--- /dev/null
+++ b/cli/e2e/container/attach_test.go
@@ -0,0 +1,31 @@
+package container
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"gotest.tools/icmd"
+)
+
+func TestAttachExitCode(t *testing.T) {
+	containerID := runBackgroundContainsWithExitCode(t, 21)
+
+	result := icmd.RunCmd(
+		icmd.Command("docker", "attach", containerID),
+		withStdinNewline)
+
+	result.Assert(t, icmd.Expected{ExitCode: 21})
+}
+
+func runBackgroundContainsWithExitCode(t *testing.T, exitcode int) string {
+	result := icmd.RunCommand("docker", "run", "-d", "-i", "--rm", fixtures.AlpineImage,
+		"sh", "-c", fmt.Sprintf("read; exit %d", exitcode))
+	result.Assert(t, icmd.Success)
+	return strings.TrimSpace(result.Stdout())
+}
+
+func withStdinNewline(cmd *icmd.Cmd) {
+	cmd.Stdin = strings.NewReader("\n")
+}
diff --git a/cli/e2e/container/create_test.go b/cli/e2e/container/create_test.go
new file mode 100644
index 00000000..97338086
--- /dev/null
+++ b/cli/e2e/container/create_test.go
@@ -0,0 +1,35 @@
+package container
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"github.com/docker/cli/internal/test/environment"
+	"gotest.tools/icmd"
+	"gotest.tools/skip"
+)
+
+func TestCreateWithContentTrust(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-create", "latest")
+
+	defer func() {
+		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
+	}()
+
+	result := icmd.RunCmd(
+		icmd.Command("docker", "create", image),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+	result.Assert(t, icmd.Expected{
+		Err: fmt.Sprintf("Tagging %s@sha", image[:len(image)-7]),
+	})
+}
+
+// FIXME(vdemeester) TestTrustedCreateFromBadTrustServer needs to be backport too (see https://github.com/moby/moby/pull/36515/files#diff-4b1e56bb77ac16f2ccf956fc24cf0a82L331)
diff --git a/cli/e2e/container/kill_test.go b/cli/e2e/container/kill_test.go
new file mode 100644
index 00000000..d4e71591
--- /dev/null
+++ b/cli/e2e/container/kill_test.go
@@ -0,0 +1,50 @@
+package container
+
+import (
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"gotest.tools/icmd"
+	"gotest.tools/poll"
+)
+
+func TestKillContainer(t *testing.T) {
+	containerID := runBackgroundTop(t)
+
+	// Kill with SIGTERM should kill the process
+	result := icmd.RunCmd(
+		icmd.Command("docker", "kill", "-s", "SIGTERM", containerID),
+	)
+
+	result.Assert(t, icmd.Success)
+	poll.WaitOn(t, containerStatus(t, containerID, "exited"), poll.WithDelay(100*time.Millisecond), poll.WithTimeout(5*time.Second))
+
+	// Kill on a stop container should return an error
+	result = icmd.RunCmd(
+		icmd.Command("docker", "kill", containerID),
+	)
+	result.Assert(t, icmd.Expected{
+		ExitCode: 1,
+		Err:      "is not running",
+	})
+}
+
+func runBackgroundTop(t *testing.T) string {
+	result := icmd.RunCommand("docker", "run", "-d", fixtures.AlpineImage, "top")
+	result.Assert(t, icmd.Success)
+	return strings.TrimSpace(result.Stdout())
+}
+
+func containerStatus(t *testing.T, containerID, status string) func(poll.LogT) poll.Result {
+	return func(poll.LogT) poll.Result {
+		result := icmd.RunCommand("docker", "inspect", "-f", "{{ .State.Status }}", containerID)
+		result.Assert(t, icmd.Success)
+		actual := strings.TrimSpace(result.Stdout())
+		if actual == status {
+			return poll.Success()
+		}
+		return poll.Continue("expected status %s != %s", status, actual)
+	}
+}
diff --git a/cli/e2e/container/main_test.go b/cli/e2e/container/main_test.go
new file mode 100644
index 00000000..4363c438
--- /dev/null
+++ b/cli/e2e/container/main_test.go
@@ -0,0 +1,17 @@
+package container
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/internal/test/environment"
+)
+
+func TestMain(m *testing.M) {
+	if err := environment.Setup(); err != nil {
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}
+	os.Exit(m.Run())
+}
diff --git a/cli/e2e/container/run_test.go b/cli/e2e/container/run_test.go
new file mode 100644
index 00000000..68a3e400
--- /dev/null
+++ b/cli/e2e/container/run_test.go
@@ -0,0 +1,61 @@
+package container
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"github.com/docker/cli/internal/test/environment"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/golden"
+	"gotest.tools/icmd"
+	"gotest.tools/skip"
+)
+
+const registryPrefix = "registry:5000"
+
+func TestRunAttachedFromRemoteImageAndRemove(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	image := createRemoteImage(t)
+
+	result := icmd.RunCommand("docker", "run", "--rm", image,
+		"echo", "this", "is", "output")
+
+	result.Assert(t, icmd.Success)
+	assert.Check(t, is.Equal("this is output\n", result.Stdout()))
+	golden.Assert(t, result.Stderr(), "run-attached-from-remote-and-remove.golden")
+}
+
+func TestRunWithContentTrust(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-run", "latest")
+
+	defer func() {
+		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
+	}()
+
+	result := icmd.RunCmd(
+		icmd.Command("docker", "run", image),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+	result.Assert(t, icmd.Expected{
+		Err: fmt.Sprintf("Tagging %s@sha", image[:len(image)-7]),
+	})
+}
+
+// TODO: create this with registry API instead of engine API
+func createRemoteImage(t *testing.T) string {
+	image := "registry:5000/alpine:test-run-pulls"
+	icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "push", image).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "rmi", image).Assert(t, icmd.Success)
+	return image
+}
diff --git a/cli/e2e/container/testdata/run-attached-from-remote-and-remove.golden b/cli/e2e/container/testdata/run-attached-from-remote-and-remove.golden
new file mode 100644
index 00000000..15e3430c
--- /dev/null
+++ b/cli/e2e/container/testdata/run-attached-from-remote-and-remove.golden
@@ -0,0 +1,4 @@
+Unable to find image 'registry:5000/alpine:test-run-pulls' locally
+test-run-pulls: Pulling from alpine
+Digest: sha256:641b95ddb2ea9dc2af1a0113b6b348ebc20872ba615204fbe12148e98fd6f23d
+Status: Downloaded newer image for registry:5000/alpine:test-run-pulls
diff --git a/cli/e2e/image/build_test.go b/cli/e2e/image/build_test.go
new file mode 100644
index 00000000..7d89a6f3
--- /dev/null
+++ b/cli/e2e/image/build_test.go
@@ -0,0 +1,110 @@
+package image
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"github.com/docker/cli/internal/test/environment"
+	"github.com/docker/cli/internal/test/output"
+	"gotest.tools/fs"
+	"gotest.tools/icmd"
+	"gotest.tools/skip"
+)
+
+func TestBuildFromContextDirectoryWithTag(t *testing.T) {
+	dir := fs.NewDir(t, "test-build-context-dir",
+		fs.WithFile("run", "echo running", fs.WithMode(0755)),
+		fs.WithDir("data", fs.WithFile("one", "1111")),
+		fs.WithFile("Dockerfile", fmt.Sprintf(`
+	FROM %s
+	COPY run /usr/bin/run
+	RUN run
+	COPY data /data
+		`, fixtures.AlpineImage)))
+	defer dir.Remove()
+
+	result := icmd.RunCmd(
+		icmd.Command("docker", "build", "-t", "myimage", "."),
+		withWorkingDir(dir))
+	defer icmd.RunCommand("docker", "image", "rm", "myimage")
+
+	result.Assert(t, icmd.Expected{Err: icmd.None})
+	output.Assert(t, result.Stdout(), map[int]func(string) error{
+		0:  output.Prefix("Sending build context to Docker daemon"),
+		1:  output.Suffix("Step 1/4 : FROM registry:5000/alpine:3.6"),
+		3:  output.Suffix("Step 2/4 : COPY run /usr/bin/run"),
+		5:  output.Suffix("Step 3/4 : RUN run"),
+		7:  output.Suffix("running"),
+		8:  output.Contains("Removing intermediate container"),
+		10: output.Suffix("Step 4/4 : COPY data /data"),
+		12: output.Contains("Successfully built "),
+		13: output.Suffix("Successfully tagged myimage:latest"),
+	})
+}
+
+func TestTrustedBuild(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	image1 := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-build1", "latest")
+	image2 := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-build2", "latest")
+
+	buildDir := fs.NewDir(t, "test-trusted-build-context-dir",
+		fs.WithFile("Dockerfile", fmt.Sprintf(`
+	FROM %s as build-base
+	RUN echo ok > /foo
+	FROM %s
+	COPY --from=build-base foo bar
+		`, image1, image2)))
+	defer buildDir.Remove()
+
+	result := icmd.RunCmd(
+		icmd.Command("docker", "build", "-t", "myimage", "."),
+		withWorkingDir(buildDir),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+
+	result.Assert(t, icmd.Expected{
+		Out: fmt.Sprintf("FROM %s@sha", image1[:len(image1)-7]),
+		Err: fmt.Sprintf("Tagging %s@sha", image1[:len(image1)-7]),
+	})
+	result.Assert(t, icmd.Expected{
+		Out: fmt.Sprintf("FROM %s@sha", image2[:len(image2)-7]),
+	})
+}
+
+func TestTrustedBuildUntrustedImage(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	buildDir := fs.NewDir(t, "test-trusted-build-context-dir",
+		fs.WithFile("Dockerfile", fmt.Sprintf(`
+	FROM %s
+	RUN []
+		`, fixtures.AlpineImage)))
+	defer buildDir.Remove()
+
+	result := icmd.RunCmd(
+		icmd.Command("docker", "build", "-t", "myimage", "."),
+		withWorkingDir(buildDir),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+
+	result.Assert(t, icmd.Expected{
+		ExitCode: 1,
+		Err:      "does not have trust data for",
+	})
+}
+
+func withWorkingDir(dir *fs.Dir) func(*icmd.Cmd) {
+	return func(cmd *icmd.Cmd) {
+		cmd.Dir = dir.Path()
+	}
+}
diff --git a/cli/e2e/image/main_test.go b/cli/e2e/image/main_test.go
new file mode 100644
index 00000000..4638467a
--- /dev/null
+++ b/cli/e2e/image/main_test.go
@@ -0,0 +1,17 @@
+package image
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/internal/test/environment"
+)
+
+func TestMain(m *testing.M) {
+	if err := environment.Setup(); err != nil {
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}
+	os.Exit(m.Run())
+}
diff --git a/cli/e2e/image/pull_test.go b/cli/e2e/image/pull_test.go
new file mode 100644
index 00000000..625ccd59
--- /dev/null
+++ b/cli/e2e/image/pull_test.go
@@ -0,0 +1,71 @@
+package image
+
+import (
+	"testing"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"github.com/docker/cli/internal/test/environment"
+	"gotest.tools/golden"
+	"gotest.tools/icmd"
+	"gotest.tools/skip"
+)
+
+const registryPrefix = "registry:5000"
+
+func TestPullWithContentTrust(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-pull", "latest")
+	defer func() {
+		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
+	}()
+
+	result := icmd.RunCmd(icmd.Command("docker", "pull", image),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+	result.Assert(t, icmd.Success)
+	golden.Assert(t, result.Stderr(), "pull-with-content-trust-err.golden")
+	golden.Assert(t, result.Stdout(), "pull-with-content-trust.golden")
+}
+
+func TestPullWithContentTrustUsesCacheWhenNotaryUnavailable(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	image := fixtures.CreateMaskedTrustedRemoteImage(t, registryPrefix, "trust-pull-unreachable", "latest")
+	defer func() {
+		icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
+	}()
+	result := icmd.RunCmd(icmd.Command("docker", "pull", image),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotaryServer("https://invalidnotaryserver"),
+	)
+	result.Assert(t, icmd.Expected{
+		ExitCode: 1,
+		Err:      "error contacting notary server",
+	})
+
+	// Do valid trusted pull to warm cache
+	result = icmd.RunCmd(icmd.Command("docker", "pull", image),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+	result.Assert(t, icmd.Success)
+	result = icmd.RunCommand("docker", "rmi", image)
+	result.Assert(t, icmd.Success)
+
+	// Try pull again with invalid notary server, should use cache
+	result = icmd.RunCmd(icmd.Command("docker", "pull", image),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotaryServer("https://invalidnotaryserver"),
+	)
+	result.Assert(t, icmd.Success)
+}
diff --git a/cli/e2e/image/push_test.go b/cli/e2e/image/push_test.go
new file mode 100644
index 00000000..91dbc1cb
--- /dev/null
+++ b/cli/e2e/image/push_test.go
@@ -0,0 +1,392 @@
+package image
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"github.com/docker/cli/internal/test/environment"
+	"github.com/docker/cli/internal/test/output"
+	"gotest.tools/assert"
+	"gotest.tools/fs"
+	"gotest.tools/golden"
+	"gotest.tools/icmd"
+	"gotest.tools/skip"
+)
+
+const (
+	notary = "/usr/local/bin/notary"
+
+	pubkey1  = "./testdata/notary/delgkey1.crt"
+	privkey1 = "./testdata/notary/delgkey1.key"
+	pubkey2  = "./testdata/notary/delgkey2.crt"
+	privkey2 = "./testdata/notary/delgkey2.key"
+	pubkey3  = "./testdata/notary/delgkey3.crt"
+	privkey3 = "./testdata/notary/delgkey3.key"
+	pubkey4  = "./testdata/notary/delgkey4.crt"
+	privkey4 = "./testdata/notary/delgkey4.key"
+)
+
+func TestPushWithContentTrust(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	image := createImage(t, registryPrefix, "trust-push", "latest")
+
+	result := icmd.RunCmd(icmd.Command("docker", "push", image),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+		fixtures.WithPassphrase("foo", "bar"),
+	)
+	result.Assert(t, icmd.Success)
+	golden.Assert(t, result.Stderr(), "push-with-content-trust-err.golden")
+	output.Assert(t, result.Stdout(), map[int]func(string) error{
+		0: output.Equals("The push refers to repository [registry:5000/trust-push]"),
+		1: output.Equals("5bef08742407: Preparing"),
+		3: output.Equals("latest: digest: sha256:641b95ddb2ea9dc2af1a0113b6b348ebc20872ba615204fbe12148e98fd6f23d size: 528"),
+		4: output.Equals("Signing and pushing trust metadata"),
+		5: output.Equals(`Finished initializing "registry:5000/trust-push"`),
+		6: output.Equals("Successfully signed registry:5000/trust-push:latest"),
+	})
+}
+
+func TestPushWithContentTrustUnreachableServer(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	image := createImage(t, registryPrefix, "trust-push-unreachable", "latest")
+
+	result := icmd.RunCmd(icmd.Command("docker", "push", image),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotaryServer("https://invalidnotaryserver"),
+	)
+	result.Assert(t, icmd.Expected{
+		ExitCode: 1,
+		Err:      "error contacting notary server",
+	})
+}
+
+func TestPushWithContentTrustExistingTag(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	image := createImage(t, registryPrefix, "trust-push-existing", "latest")
+
+	result := icmd.RunCmd(icmd.Command("docker", "push", image))
+	result.Assert(t, icmd.Success)
+
+	result = icmd.RunCmd(icmd.Command("docker", "push", image),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+		fixtures.WithPassphrase("foo", "bar"),
+	)
+	result.Assert(t, icmd.Expected{
+		Out: "Signing and pushing trust metadata",
+	})
+
+	// Re-push
+	result = icmd.RunCmd(icmd.Command("docker", "push", image),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+		fixtures.WithPassphrase("foo", "bar"),
+	)
+	result.Assert(t, icmd.Expected{
+		Out: "Signing and pushing trust metadata",
+	})
+}
+
+func TestPushWithContentTrustReleasesDelegationOnly(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	role := "targets/releases"
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	copyPrivateKey(t, dir.Join("trust", "private"), privkey1)
+	notaryDir := setupNotaryConfig(t, dir)
+	defer notaryDir.Remove()
+	homeDir := fs.NewDir(t, "push_test_home")
+	defer notaryDir.Remove()
+
+	baseRef := fmt.Sprintf("%s/%s", registryPrefix, "trust-push-releases-delegation")
+	targetRef := fmt.Sprintf("%s:%s", baseRef, "latest")
+
+	// Init repository
+	notaryInit(t, notaryDir, homeDir, baseRef)
+	// Add delegation key (public key)
+	notaryAddDelegation(t, notaryDir, homeDir, baseRef, role, pubkey1)
+	// Publish it
+	notaryPublish(t, notaryDir, homeDir, baseRef)
+	// Import private key
+	notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, role, privkey1)
+
+	// Tag & push with content trust
+	icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, targetRef).Assert(t, icmd.Success)
+	result := icmd.RunCmd(icmd.Command("docker", "push", targetRef),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+		fixtures.WithPassphrase("foo", "foo"),
+	)
+	result.Assert(t, icmd.Expected{
+		Out: "Signing and pushing trust metadata",
+	})
+
+	targetsInRole := notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, role)
+	assert.Assert(t, targetsInRole["latest"] == role, "%v", targetsInRole)
+	targetsInRole = notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets")
+	assert.Assert(t, targetsInRole["latest"] != "targets", "%v", targetsInRole)
+
+	result = icmd.RunCmd(icmd.Command("docker", "pull", targetRef),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+	result.Assert(t, icmd.Success)
+}
+
+func TestPushWithContentTrustSignsAllFirstLevelRolesWeHaveKeysFor(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	copyPrivateKey(t, dir.Join("trust", "private"), privkey1)
+	copyPrivateKey(t, dir.Join("trust", "private"), privkey2)
+	copyPrivateKey(t, dir.Join("trust", "private"), privkey3)
+	notaryDir := setupNotaryConfig(t, dir)
+	defer notaryDir.Remove()
+	homeDir := fs.NewDir(t, "push_test_home")
+	defer notaryDir.Remove()
+
+	baseRef := fmt.Sprintf("%s/%s", registryPrefix, "trust-push-releases-first-roles")
+	targetRef := fmt.Sprintf("%s:%s", baseRef, "latest")
+
+	// Init repository
+	notaryInit(t, notaryDir, homeDir, baseRef)
+	// Add delegation key (public key)
+	notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role1", pubkey1)
+	notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role2", pubkey2)
+	notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role3", pubkey3)
+	notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role1/subrole", pubkey3)
+	// Import private key
+	notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role1", privkey1)
+	notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role2", privkey2)
+	notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role1/subrole", privkey3)
+	// Publish it
+	notaryPublish(t, notaryDir, homeDir, baseRef)
+
+	// Tag & push with content trust
+	icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, targetRef).Assert(t, icmd.Success)
+	result := icmd.RunCmd(icmd.Command("docker", "push", targetRef),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+		fixtures.WithPassphrase("foo", "foo"),
+	)
+	result.Assert(t, icmd.Expected{
+		Out: "Signing and pushing trust metadata",
+	})
+
+	// check to make sure that the target has been added to targets/role1 and targets/role2, and
+	// not targets (because there are delegations) or targets/role3 (due to missing key) or
+	// targets/role1/subrole (due to it being a second level delegation)
+	targetsInRole := notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets/role1")
+	assert.Assert(t, targetsInRole["latest"] == "targets/role1", "%v", targetsInRole)
+	targetsInRole = notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets/role2")
+	assert.Assert(t, targetsInRole["latest"] == "targets/role2", "%v", targetsInRole)
+	targetsInRole = notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets")
+	assert.Assert(t, targetsInRole["latest"] != "targets", "%v", targetsInRole)
+
+	assert.NilError(t, os.RemoveAll(filepath.Join(dir.Join("trust"))))
+	// Try to pull, should fail because non of these are the release role
+	// FIXME(vdemeester) should be unit test
+	result = icmd.RunCmd(icmd.Command("docker", "pull", targetRef),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+	result.Assert(t, icmd.Expected{
+		ExitCode: 1,
+	})
+}
+
+func TestPushWithContentTrustSignsForRolesWithKeysAndValidPaths(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	copyPrivateKey(t, dir.Join("trust", "private"), privkey1)
+	copyPrivateKey(t, dir.Join("trust", "private"), privkey2)
+	copyPrivateKey(t, dir.Join("trust", "private"), privkey3)
+	copyPrivateKey(t, dir.Join("trust", "private"), privkey4)
+	notaryDir := setupNotaryConfig(t, dir)
+	defer notaryDir.Remove()
+	homeDir := fs.NewDir(t, "push_test_home")
+	defer notaryDir.Remove()
+
+	baseRef := fmt.Sprintf("%s/%s", registryPrefix, "trust-push-releases-keys-valid-paths")
+	targetRef := fmt.Sprintf("%s:%s", baseRef, "latest")
+
+	// Init repository
+	notaryInit(t, notaryDir, homeDir, baseRef)
+	// Add delegation key (public key)
+	notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role1", pubkey1, "l", "z")
+	notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role2", pubkey2, "x", "y")
+	notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role3", pubkey3, "latest")
+	notaryAddDelegation(t, notaryDir, homeDir, baseRef, "targets/role4", pubkey4, "latest")
+	// Import private keys (except 3rd key)
+	notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role1", privkey1)
+	notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role2", privkey2)
+	notaryImportPrivateKey(t, notaryDir, homeDir, baseRef, "targets/role4", privkey4)
+	// Publish it
+	notaryPublish(t, notaryDir, homeDir, baseRef)
+
+	// Tag & push with content trust
+	icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, targetRef).Assert(t, icmd.Success)
+	result := icmd.RunCmd(icmd.Command("docker", "push", targetRef),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+		fixtures.WithPassphrase("foo", "foo"),
+	)
+	result.Assert(t, icmd.Expected{
+		Out: "Signing and pushing trust metadata",
+	})
+
+	// check to make sure that the target has been added to targets/role1 and targets/role4, and
+	// not targets (because there are delegations) or targets/role2 (due to path restrictions) or
+	// targets/role3 (due to missing key)
+	targetsInRole := notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets/role1")
+	assert.Assert(t, targetsInRole["latest"] == "targets/role1", "%v", targetsInRole)
+	targetsInRole = notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets/role4")
+	assert.Assert(t, targetsInRole["latest"] == "targets/role4", "%v", targetsInRole)
+	targetsInRole = notaryListTargetsInRole(t, notaryDir, homeDir, baseRef, "targets")
+	assert.Assert(t, targetsInRole["latest"] != "targets", "%v", targetsInRole)
+
+	assert.NilError(t, os.RemoveAll(filepath.Join(dir.Join("trust"))))
+	// Try to pull, should fail because non of these are the release role
+	// FIXME(vdemeester) should be unit test
+	result = icmd.RunCmd(icmd.Command("docker", "pull", targetRef),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+	result.Assert(t, icmd.Expected{
+		ExitCode: 1,
+	})
+}
+
+func createImage(t *testing.T, registryPrefix, repo, tag string) string {
+	image := fmt.Sprintf("%s/%s:%s", registryPrefix, repo, tag)
+	icmd.RunCommand("docker", "pull", fixtures.AlpineImage).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, image).Assert(t, icmd.Success)
+	return image
+}
+
+func withNotaryPassphrase(pwd string) func(*icmd.Cmd) {
+	return func(c *icmd.Cmd) {
+		c.Env = append(c.Env, []string{
+			fmt.Sprintf("NOTARY_ROOT_PASSPHRASE=%s", pwd),
+			fmt.Sprintf("NOTARY_TARGETS_PASSPHRASE=%s", pwd),
+			fmt.Sprintf("NOTARY_SNAPSHOT_PASSPHRASE=%s", pwd),
+			fmt.Sprintf("NOTARY_DELEGATION_PASSPHRASE=%s", pwd),
+		}...)
+	}
+}
+
+func notaryImportPrivateKey(t *testing.T, notaryDir, homeDir *fs.Dir, baseRef, role, privkey string) {
+	icmd.RunCmd(
+		icmd.Command(notary, "-c", notaryDir.Join("client-config.json"), "key", "import", privkey, "-g", baseRef, "-r", role),
+		withNotaryPassphrase("foo"),
+		fixtures.WithHome(homeDir.Path()),
+	).Assert(t, icmd.Success)
+}
+
+func notaryPublish(t *testing.T, notaryDir, homeDir *fs.Dir, baseRef string) {
+	icmd.RunCmd(
+		icmd.Command(notary, "-c", notaryDir.Join("client-config.json"), "publish", baseRef),
+		withNotaryPassphrase("foo"),
+		fixtures.WithHome(homeDir.Path()),
+	).Assert(t, icmd.Success)
+}
+
+func notaryAddDelegation(t *testing.T, notaryDir, homeDir *fs.Dir, baseRef, role, pubkey string, paths ...string) {
+	pathsArg := "--all-paths"
+	if len(paths) > 0 {
+		pathsArg = "--paths=" + strings.Join(paths, ",")
+	}
+	icmd.RunCmd(
+		icmd.Command(notary, "-c", notaryDir.Join("client-config.json"), "delegation", "add", baseRef, role, pubkey, pathsArg),
+		withNotaryPassphrase("foo"),
+		fixtures.WithHome(homeDir.Path()),
+	).Assert(t, icmd.Success)
+}
+
+func notaryInit(t *testing.T, notaryDir, homeDir *fs.Dir, baseRef string) {
+	icmd.RunCmd(
+		icmd.Command(notary, "-c", notaryDir.Join("client-config.json"), "init", baseRef),
+		withNotaryPassphrase("foo"),
+		fixtures.WithHome(homeDir.Path()),
+	).Assert(t, icmd.Success)
+}
+
+func notaryListTargetsInRole(t *testing.T, notaryDir, homeDir *fs.Dir, baseRef, role string) map[string]string {
+	result := icmd.RunCmd(
+		icmd.Command(notary, "-c", notaryDir.Join("client-config.json"), "list", baseRef, "-r", role),
+		fixtures.WithHome(homeDir.Path()),
+	)
+	out := result.Combined()
+
+	// should look something like:
+	//    NAME                                 DIGEST                                SIZE (BYTES)    ROLE
+	// ------------------------------------------------------------------------------------------------------
+	//   latest   24a36bbc059b1345b7e8be0df20f1b23caa3602e85d42fff7ecd9d0bd255de56   1377           targets
+
+	targets := make(map[string]string)
+
+	// no target
+	lines := strings.Split(strings.TrimSpace(out), "\n")
+	if len(lines) == 1 && strings.Contains(out, "No targets present in this repository.") {
+		return targets
+	}
+
+	// otherwise, there is at least one target
+	assert.Assert(t, len(lines) >= 3, "output is %s", out)
+
+	for _, line := range lines[2:] {
+		tokens := strings.Fields(line)
+		assert.Assert(t, len(tokens) == 4)
+		targets[tokens[0]] = tokens[3]
+	}
+
+	return targets
+}
+
+func setupNotaryConfig(t *testing.T, dockerConfigDir fs.Dir) *fs.Dir {
+	return fs.NewDir(t, "notary_test", fs.WithMode(0700),
+		fs.WithFile("client-config.json", fmt.Sprintf(`
+{
+	"trust_dir": "%s",
+	"remote_server": {
+		"url": "%s"
+	}
+}`, dockerConfigDir.Join("trust"), fixtures.NotaryURL)),
+	)
+}
+
+func copyPrivateKey(t *testing.T, dir, source string) {
+	icmd.RunCommand("/bin/cp", source, dir).Assert(t, icmd.Success)
+}
diff --git a/cli/e2e/image/testdata/notary/delgkey1.crt b/cli/e2e/image/testdata/notary/delgkey1.crt
new file mode 100644
index 00000000..2218f23c
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/delgkey1.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIJAP2EcMN2UXPcMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMQ8wDQYD
+VQQKEwZEb2NrZXIxEzARBgNVBAMTCmRlbGVnYXRpb24wHhcNMTYwOTI4MTc0ODQ4
+WhcNMjYwNjI4MTc0ODQ4WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
+BgNVBAcTDFNhbkZyYW5jaXNjbzEPMA0GA1UEChMGRG9ja2VyMRMwEQYDVQQDEwpk
+ZWxlZ2F0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgewhaYs
+Ke5s2AM7xxKrT4A6n7hW17qSnBjonCcPcwTFmYqIOdxWjYITgJuHrTwB4ZhBqWS7
+tTsUUu6hWLMeB7Uo5/GEQAAZspKkT9G/rNKF9lbWK9PPhGGkeR01c/Q932m92Hsn
+fCQ0Pp/OzD3nVTh0v9HKk+PObNMOCcqG87eYs4ylPRxs0RrE/rP+bEGssKQSbeCZ
+wazDnO+kiatVgKQZ2CK23iFdRE1z2rzqVDeaFWdvBqrRdWnkOZClhlLgEQ5nK2yV
+B6tSqOiI3MmHyHzIkGOQJp2/s7Pe0ckEkzsjTsJW8oKHlBBl6pRxHIKzNN4VFbeB
+vvYvrogrDrC/owIDAQABo1QwUjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUFoHfukRa6qGk1ncON64Z
+ASKlZdkwDQYJKoZIhvcNAQELBQADggEBAEq9Adpd03CPmpbRtTAJGAkjjLFr60sV
+2r+/l/m9R31ZCN9ymM9nxToQ8zfMdeAh/nnPcErziil2gDVqXueCNDkRj09tmDIE
+Q1Oc92uyNZNgcECow77cKZCTZSTku+qsJrYaykH5vSnia8ltcKj8inJedIcpBR+p
+608HEQvF0Eg5eaLPJwH48BCb0Gqdri1dJgrNnqptz7MDr8M+u7tHVulbAd3YxLlq
+JH1W2bkVUx6esbn/MUE5HL5iTuOYREEINvBSmLdmmFkampmCnCB/bDEyJeL9bAkt
+ZPIi0UNSnqFKLSP1Vf8AGLXt6iO7+1OGvtsDXEEYdXVOMsSXZtUuT7A=
+-----END CERTIFICATE-----
diff --git a/cli/e2e/image/testdata/notary/delgkey1.key b/cli/e2e/image/testdata/notary/delgkey1.key
new file mode 100644
index 00000000..cb37efc9
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/delgkey1.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvgewhaYsKe5s2AM7xxKrT4A6n7hW17qSnBjonCcPcwTFmYqI
+OdxWjYITgJuHrTwB4ZhBqWS7tTsUUu6hWLMeB7Uo5/GEQAAZspKkT9G/rNKF9lbW
+K9PPhGGkeR01c/Q932m92HsnfCQ0Pp/OzD3nVTh0v9HKk+PObNMOCcqG87eYs4yl
+PRxs0RrE/rP+bEGssKQSbeCZwazDnO+kiatVgKQZ2CK23iFdRE1z2rzqVDeaFWdv
+BqrRdWnkOZClhlLgEQ5nK2yVB6tSqOiI3MmHyHzIkGOQJp2/s7Pe0ckEkzsjTsJW
+8oKHlBBl6pRxHIKzNN4VFbeBvvYvrogrDrC/owIDAQABAoIBAB/o8KZwsgfUhqh7
+WoViSCwQb0e0z7hoFwhpUl4uXPTGf1v6HEgDDPG0PwwgkdbwNaypQZVtWevj4NTQ
+R326jjdjH1xbfQa2PZpz722L3jDqJR6plEtFxRoIv3KrCffPsrgabIu2mnnJJpDB
+ixtW5cq0sT4ov2i4H0i85CWWwbSY/G/MHsvCuK9PhoCj9uToVqrf1KrAESE5q4fh
+mPSYUL99KVnj7SZkUz+79rc8sLLPVks3szZACMlm1n05ZTj/d6Nd2ZZUO45DllIj
+1XJghfWmnChrB/P/KYXgQ3Y9BofIAw1ra2y3wOZeqRFNsbmojcGldfdtN/iQzhEj
+uk4ThokCgYEA9FTmv36N8qSPWuqX/KzkixDQ8WrDGohcB54kK98Wx4ijXx3i38SY
+tFjO8YUS9GVo1+UgmRjZbzVX7xeum6+TdBBwOjNOxEQ4tzwiQBWDdGpli8BccdJ2
+OOIVxSslWhiUWfpYloXVetrR88iHbT882g795pbonDaJdXSLnij4UW8CgYEAxxrr
+QFpsmOEZvI/yPSOGdG7A1RIsCeH+cEOf4cKghs7+aCtAHlIweztNOrqirl3oKI1r
+I0zQl46WsaW8S/y99v9lmmnZbWwqLa4vIu0NWs0zaZdzKZw3xljMhgp4Ge69hHa2
+utCtAxcX+7q/yLlHoTiYwKdxX54iLkheCB8csw0CgYEAleEG820kkjXUIodJ2JwO
+Tihwo8dEC6CeI6YktizRgnEVFqH0rCOjMO5Rc+KX8AfNOrK5PnD54LguSuKSH7qi
+j04OKgWTSd43lF90+y63RtCFnibQDpp2HwrBJAQFk7EEP/XMJfnPLN/SbuMSADgM
+kg8kPTFRW5Iw3DYz9z9WpE0CgYAkn6/8Q2XMbUOFqti9JEa8Lg8sYk5VdwuNbPMA
+3QMYKQUk9ieyLB4c3Nik3+XCuyVUKEc31A5egmz3umu7cn8i6vGuiJ/k/8t2YZ7s
+Bry5Ihu95Yzab5DW3Eiqs0xKQN79ebS9AluAwQO5Wy2h52rknfuDHIm/M+BHsSoS
+xl5KFQKBgQCokCsYuX1z2GojHw369/R2aX3ovCGuHqy4k7fWxUrpHTHvth2+qNPr
+84qLJ9rLWoZE5sUiZ5YdwCgW877EdfkT+v4aaBX79ixso5VdqgJ/PdnoNntah/Vq
+njQiW1skn6/P5V/eyimN2n0VsyBr/zMDEtYTRP/Tb1zi/njFLQkZEA==
+-----END RSA PRIVATE KEY-----
diff --git a/cli/e2e/image/testdata/notary/delgkey2.crt b/cli/e2e/image/testdata/notary/delgkey2.crt
new file mode 100644
index 00000000..bec08479
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/delgkey2.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIJAIq8naKlYAQfMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMQ8wDQYD
+VQQKEwZEb2NrZXIxEzARBgNVBAMTCmRlbGVnYXRpb24wHhcNMTYwOTI4MTc0ODQ4
+WhcNMjYwNjI4MTc0ODQ4WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
+BgNVBAcTDFNhbkZyYW5jaXNjbzEPMA0GA1UEChMGRG9ja2VyMRMwEQYDVQQDEwpk
+ZWxlZ2F0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyY2EWYTW
+5VHipw08t675upmD6a+akiuZ1z+XpuOxZCgjZ0aHfoOe8wGKg3Ohz7UCBdD5Mob/
+L/qvRlsCaqPHGZKIyyX1HDO4mpuQQFBhYxt+ZAO3AaawEUOw2rwwMDEjLnDDTSZM
+z8jxCMvsJjBDqgb8g3z+AmjducQ/OH6llldgHIBY8ioRbROCL2PGgqywWq2fThav
+c70YMxtKviBGDNCouYeQ8JMK/PuLwPNDXNQAagFHVARXiUv/ILHk7ImYnSGJUcuk
+JTUGN2MBnpY0eakg7i+4za8sjjqOdn+2I6aVzlGJDSiRP72nkg/cE4BqMl9FrMwK
+9iS8xa9yMDLUvwIDAQABo1QwUjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUvQzzFmh3Sv3HcdExY3wx
+/1u6JLAwDQYJKoZIhvcNAQELBQADggEBAJcmDme2Xj/HPUPwaN/EyCmjhY73EiHO
+x6Pm16tscg5JGn5A+u3CZ1DmxUYl8Hp6MaW/sWzdtL0oKJg76pynadCWh5EacFR8
+u+2GV/IcN9mSX6JQzvrqbjSqo5/FehqBD+W5h3euwwApWA3STAadYeyEfmdOA3SQ
+W1vzrA1y7i8qgTqeJ7UX1sEAXlIhBK2zPYaMB+en+ZOiPyNxJYj6IDdGdD2paC9L
+6H9wKC+GAUTSdCWp89HP7ETSXEGr94AXkrwU+qNsiN+OyK8ke0EMngEPh5IQoplw
+/7zEZCth3oKxvR1/4S5LmTVaHI2ZlbU4q9bnY72G4tw8YQr2gcBGo4w=
+-----END CERTIFICATE-----
diff --git a/cli/e2e/image/testdata/notary/delgkey2.key b/cli/e2e/image/testdata/notary/delgkey2.key
new file mode 100644
index 00000000..5ccabe90
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/delgkey2.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAyY2EWYTW5VHipw08t675upmD6a+akiuZ1z+XpuOxZCgjZ0aH
+foOe8wGKg3Ohz7UCBdD5Mob/L/qvRlsCaqPHGZKIyyX1HDO4mpuQQFBhYxt+ZAO3
+AaawEUOw2rwwMDEjLnDDTSZMz8jxCMvsJjBDqgb8g3z+AmjducQ/OH6llldgHIBY
+8ioRbROCL2PGgqywWq2fThavc70YMxtKviBGDNCouYeQ8JMK/PuLwPNDXNQAagFH
+VARXiUv/ILHk7ImYnSGJUcukJTUGN2MBnpY0eakg7i+4za8sjjqOdn+2I6aVzlGJ
+DSiRP72nkg/cE4BqMl9FrMwK9iS8xa9yMDLUvwIDAQABAoIBAHmffvzx7ydESWwa
+zcfdu26BkptiTvjjfJrqEd4wSewxWGPKqJqMXE8xX99A2KTZClZuKuH1mmnecQQY
+iRXGrK9ewFMuHYGeKEiLlPlqR8ohXhyGLVm+t0JDwaXMp5t9G0i73O5iLTm5fNGd
+FGxa9YnVW20Q8MqNczbVGH1D1zInhxzzOyFzBd4bBBJ8PdrUdyLpd7+RxY2ghnbT
+p9ZANR2vk5zmDLJgZx72n/u+miJWuhY6p0v3Vq4z/HHgdhf+K6vpDdzTcYlA0rO4
+c/c+RKED3ZadGUD5QoLsmEN0e3FVSMPN1kt4ZRTqWfH8f2X4mLz33aBryTjktP6+
+1rX6ThECgYEA74wc1Tq23B5R0/GaMm1AK3Ko2zzTD8wK7NSCElh2dls02B+GzrEB
+aE3A2GMQSuzb+EA0zkipwANBaqs3ZemH5G1pu4hstQsXCMd4jAJn0TmTXlplXBCf
+PSc8ZUU6XcJENRr9Q7O9/TGlgahX+z0ndxYx/CMCsSu7XsMg4IZsbAcCgYEA12Vb
+wKOVG15GGp7pMshr+2rQfVimARUP4gf3JnQmenktI4PfdnMW3a4L3DEHfLhIerwT
+6lRp/NpxSADmuT4h1UO1l2lc+gmTVPw0Vbl6VwHpgS5Kfu4ZyM6n3S66f/dE4nu7
+hQF9yZz7vn5Agghak4p6a1wC1gdMzR1tvxFzk4kCgYByBMTskWfcWeok8Yitm+bB
+R3Ar+kWT7VD97SCETusD5uG+RTNLSmEbHnc+B9kHcLo67YS0800pAeOvPBPARGnU
+RmffRU5I1iB+o0MzkSmNItSMQoagTaEd4IEUyuC/I+qHRHNsOC+kRm86ycAm67LP
+MhdUpe1wGxqyPjp15EXTHQKBgDKzFu+3EWfJvvKRKQ7dAh3BvKVkcl6a2Iw5l8Ej
+YdM+JpPPfI/i8yTmzL/dgoem0Nii4IUtrWzo9fUe0TAVId2S/HFRSaNJEbbVTnRH
+HjbQqmfPv5U08jjD+9siHp/0UfCFc1QRT8xe+RqTmReCY9+KntoaZEiAm2FEZgqt
+TukRAoGAf7QqbTP5/UH1KSkX89F5qy/6GS3pw6TLj9Ufm/l/NO8Um8gag6YhEKWR
+7HpkpCqjfWj8Av8ESR9cqddPGrbdqXFm9z7dCjlAd5T3Q3h/h+v+JzLQWbsI6WOb
+SsOSWNyE006ZZdIiFwO6GfxpLI24sVtYKgyob6Q71oxSqfnrnT0=
+-----END RSA PRIVATE KEY-----
diff --git a/cli/e2e/image/testdata/notary/delgkey3.crt b/cli/e2e/image/testdata/notary/delgkey3.crt
new file mode 100644
index 00000000..f434b45f
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/delgkey3.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIJAKHt/jxiWqMtMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMQ8wDQYD
+VQQKEwZEb2NrZXIxEzARBgNVBAMTCmRlbGVnYXRpb24wHhcNMTYwOTI4MTc0ODQ5
+WhcNMjYwNjI4MTc0ODQ5WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
+BgNVBAcTDFNhbkZyYW5jaXNjbzEPMA0GA1UEChMGRG9ja2VyMRMwEQYDVQQDEwpk
+ZWxlZ2F0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqfbJk2Dk
+C9FJVjV2+Q2CQrJphG3vFc1Qlu9jgVA5RhGmF9jJzetsclsV/95nBhinIGcSmPQA
+l318G7Bz/cG/6O2n5+hj+S1+YOvQweReZj3d4kCeS86SOyLNTpMD9gsF0S8nR1RN
+h0jD4t1vxAVeGD1o61U8/k0O5eDoeOfOSWZagKk5PhyrMZgNip4IrG46umCkFlrw
+zMMcgQdwTQXywPqkr/LmYpqT1WpMlzHYTQEY8rKorIJQbPtHVYdr4UxYnNmk6fbU
+biEP1DQlwjBWcFTsDLqXKP/K+e3O0/e/hMB0y7Tj9fZ7Viw0t5IKXZPsxMhwknUT
+9vmPzIJO6NiniwIDAQABo1QwUjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUdTXRP1EzxQ+UDZSoheVo
+Mobud1cwDQYJKoZIhvcNAQELBQADggEBADV9asTWWdbmpkeRuKyi0xGho39ONK88
+xxkFlco766BVgemo/rGQj3oPuw6M6SzHFoJ6JUPjmLiAQDIGEU/2/b6LcOuLjP+4
+YejCcDTY3lSW/HMNoAmzr2foo/LngNGfe/qhVFUqV7GjFT9+XzFFBfIZ1cQiL2ed
+kc8rgQxFPwWXFCSwaENWeFnMDugkd+7xanoAHq8GsJpg5fTruDTmJkUqC2RNiMLn
+WM7QaqW7+lmUnMnc1IBoz0hFhgoiadWM/1RQxx51zTVw6Au1koIm4ZXu5a+/WyC8
+K1+HyUbc0AVaDaRBpRSOR9aHRwLGh6WQ4aUZQNyJroc999qfYrDEEV8=
+-----END CERTIFICATE-----
diff --git a/cli/e2e/image/testdata/notary/delgkey3.key b/cli/e2e/image/testdata/notary/delgkey3.key
new file mode 100644
index 00000000..a61d18cc
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/delgkey3.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAqfbJk2DkC9FJVjV2+Q2CQrJphG3vFc1Qlu9jgVA5RhGmF9jJ
+zetsclsV/95nBhinIGcSmPQAl318G7Bz/cG/6O2n5+hj+S1+YOvQweReZj3d4kCe
+S86SOyLNTpMD9gsF0S8nR1RNh0jD4t1vxAVeGD1o61U8/k0O5eDoeOfOSWZagKk5
+PhyrMZgNip4IrG46umCkFlrwzMMcgQdwTQXywPqkr/LmYpqT1WpMlzHYTQEY8rKo
+rIJQbPtHVYdr4UxYnNmk6fbUbiEP1DQlwjBWcFTsDLqXKP/K+e3O0/e/hMB0y7Tj
+9fZ7Viw0t5IKXZPsxMhwknUT9vmPzIJO6NiniwIDAQABAoIBAQCAr/ed3A2umO7T
+FDYZik3nXBiiiW4t7r+nGGgZ3/kNgY1lnuHlROxehXLZwbX1mrLnyML/BjhwezV9
+7ZNVPd6laVPpNj6DyxtWHRZ5yARlm1Al39E7CpQTrF0QsiWcpGnqIa62xjDRTpnq
+askV/Q5qggyvqmE9FnFCQpEiAjlhvp7F0kVHVJm9s3MK3zSyR0UTZ3cpYus2Jr2z
+OotHgAMHq5Hgb3dvxOeE2xRMeYAVDujbkNzXm2SddAtiRdLhWDh7JIr3zXhp0HyN
+4rLOyhlgz00oIGeDt/C0q3fRmghr3iZOG+7m2sUx0FD1Ru1dI9v2A+jYmIVNW6+x
+YJk5PzxJAoGBANDj7AGdcHSci/LDBPoTTUiz3uucAd27/IJma/iy8mdbVfOAb0Fy
+PRSPvoozlpZyOxg2J4eH/o4QxQR4lVKtnLKZLNHK2tg3LarwyBX1LiI3vVlB+DT1
+AmV8i5bJAckDhqFeEH5qdWZFi03oZsSXWEqX5iMYCrdK5lTZggcrFZeHAoGBANBL
+fkk3knAdcVfTYpmHx18GBi2AsCWTd20KD49YBdbVy0Y2Jaa1EJAmGWpTUKdYx40R
+H5CuGgcAviXQz3bugdTU1I3tAclBtpJNU7JkhuE+Epz0CM/6WERJrE0YxcGQA5ui
+6fOguFyiXD1/85jrDBOKy74aoS7lYz9r/a6eqmjdAoGBAJpm/nmrIAZx+Ff2ouUe
+A1Ar9Ch/Zjm5zEmu3zwzOU4AiyWz14iuoktifNq2iyalRNz+mnVpplToPFizsNwu
+C9dPtXtU0DJlhtIFrD/evLz6KnGhe4/ZUm4lgyBvb2xfuNHqL5Lhqelwmil6EQxb
+Oh3Y7XkfOjyFln89TwlxZUJdAoGAJRMa4kta7EvBTeGZLjyltvsqhFTghX+vBSCC
+ToBbYbbiHJgssXSPAylU4sD7nR3HPwuqM6VZip+OOMrm8oNXZpuPTce+xqTEq1vK
+JvmPrG3RAFDLdMFZjqYSXhKnuGE60yv3Ol8EEbDwfB3XLQPBPYU56Jdy0xcPSE2f
+dMJXEJ0CgYEAisZw0nXw6lFeYecu642EGuU0wv1O9i21p7eho9QwOcsoTl4Q9l+M
+M8iBv+qTHO+D19l4JbkGvy2H2diKoYduUFACcuiFYs8fjrT+4Z6DyOQAQGAf6Ylw
+BFbU15k6KbA9v4mZDfd1tY9x62L/XO55ZxYG+J+q0e26tEThgD8cEog=
+-----END RSA PRIVATE KEY-----
diff --git a/cli/e2e/image/testdata/notary/delgkey4.crt b/cli/e2e/image/testdata/notary/delgkey4.crt
new file mode 100644
index 00000000..c8cbe46b
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/delgkey4.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIJANae++ZkUEWMMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMQ8wDQYD
+VQQKEwZEb2NrZXIxEzARBgNVBAMTCmRlbGVnYXRpb24wHhcNMTYwOTI4MTc0ODQ5
+WhcNMjYwNjI4MTc0ODQ5WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTAT
+BgNVBAcTDFNhbkZyYW5jaXNjbzEPMA0GA1UEChMGRG9ja2VyMRMwEQYDVQQDEwpk
+ZWxlZ2F0aW9uMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqULAjgba
+Y2I10WfqdmYnPfEqEe6iMDbzcgECb2xKafXcI4ltkQj1iO4zBTs0Ft9EzXFc5ZBh
+pTjZrL6vrIa0y/CH2BiIHBJ0wRHx/40HXp4DSj3HZpVOlEMI3npRfBGNIBllUaRN
+PWG7zL7DcKMIepBfPXyjBsxzH3yNiISq0W5hSiy+ImhSo3aipJUHHcp9Z9NgvpNC
+3QvnxsGKRnECmDRDlxkq+FQu9Iqs/HWFYWgyfcsw+YTrWZq3qVnnqUouHO//c9PG
+Ry3sZSDU97MwvkjvWys1e01Xvd3AbHx08YAsxih58i/OBKe81eD9NuZDP2KrjTxI
+5xkXKhj6DV2NnQIDAQABo1QwUjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF
+oDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUDt95hiqbQvi0KcvZGAUu
+VisnztQwDQYJKoZIhvcNAQELBQADggEBAGi7qHai7MWbfeu6SlXhzIP3AIMa8TMi
+lp/+mvPUFPswIVqYJ71MAN8uA7CTH3z50a2vYupGeOEtZqVJeRf+xgOEpwycncxp
+Qz6wc6TWPVIoT5q1Hqxw1RD2MyKL+Y+QBDYwFxFkthpDMlX48I9frcqoJUWFxBF2
+lnRr/cE7BbPE3sMbXV3wGPlH7+eUf+CgzXJo2HB6THzagyEgNrDiz/0rCQa1ipFd
+mNU3D/U6BFGmJNxhvSOtXX9escg8yjr05YwwzokHS2K4jE0ZuJPBd50C/Rvo3Mf4
+0h7/2Q95e7d42zPe9WYPu2F8KTWsf4r+6ddhKrKhYzXIcTAfHIOiO+U=
+-----END CERTIFICATE-----
diff --git a/cli/e2e/image/testdata/notary/delgkey4.key b/cli/e2e/image/testdata/notary/delgkey4.key
new file mode 100644
index 00000000..f473cc49
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/delgkey4.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAqULAjgbaY2I10WfqdmYnPfEqEe6iMDbzcgECb2xKafXcI4lt
+kQj1iO4zBTs0Ft9EzXFc5ZBhpTjZrL6vrIa0y/CH2BiIHBJ0wRHx/40HXp4DSj3H
+ZpVOlEMI3npRfBGNIBllUaRNPWG7zL7DcKMIepBfPXyjBsxzH3yNiISq0W5hSiy+
+ImhSo3aipJUHHcp9Z9NgvpNC3QvnxsGKRnECmDRDlxkq+FQu9Iqs/HWFYWgyfcsw
++YTrWZq3qVnnqUouHO//c9PGRy3sZSDU97MwvkjvWys1e01Xvd3AbHx08YAsxih5
+8i/OBKe81eD9NuZDP2KrjTxI5xkXKhj6DV2NnQIDAQABAoIBAGK0ZKnuYSiXux60
+5MvK4pOCsa/nY3mOcgVHhW4IzpRgJdIrcFOlz9ncXrBsSAIWjX7o3u2Ydvjs4DOW
+t8d6frB3QiDInYcRVDjLCD6otWV97Bk9Ua0G4N4hAWkMF7ysV4oihS1JDSoAdo39
+qOdki6s9yeyHZGKwk2oHLlowU5TxQMBA8DHmxqBII1HTm+8xRz45bcEqRXydYSUn
+P1JuSU9jFqdylxU+Nrq6ehslMQ3y7qNWQyiLGxu6EmR+vgrzSU0s3iAOqCHthaOS
+VBBXPL3DNEYUS+0QGnGrACuJhanOMBfdiO6Orelx6ZzWZm38PNGv0yBt0WCM+8/A
+TtQNGkECgYEA1LqR6AH9XikUQ0+rM4526BgVuYqtjw21h4Lj9alaA+YTQntBBJOv
+iAcUpnJiV4T8jzAMLeqpK8R/rbxRnK5S9jOV2gr+puk4L6tH46cgahBUESDigDp8
+6vK8ur6ubBcXNPh3AT6rsPj+Ph2EU3raqiYdouvCdga/OCYZb+jr6UkCgYEAy7Cr
+l8WssI/8/ORcQ4MFJFNyfz/Y2beNXyLd1PX0H+wRSiGcKzeUuTHNtzFFpMbrK/nx
+ZOPCT2ROdHsBHzp1L+WquCb0fyMVSiYiXBU+VCFDbUU5tBr3ycTc7VwuFPENOiha
+IdlWgew/aW110FQHIaqe9g+htRe+mXe++faZtbUCgYB/MSJmNzJX53XvHSZ/CBJ+
+iVAMBSfq3caJRLCqRNzGcf1YBbwFUYxlZ95n+wJj0+byckcF+UW3HqE8rtmZNf3y
+qTtTCLnj8JQgpGeybU4LPMIXD7N9+fqQvBwuCC7gABpnGJyHCQK9KNNTLnDdPRqb
+G3ki3ZYC3dvdZaJV8E2FyQKBgQCMa5Mf4kqWvezueo+QizZ0QILibqWUEhIH0AWV
+1qkhiKCytlDvCjYhJdBnxjP40Jk3i+t6XfmKud/MNTAk0ywOhQoYQeKz8v+uSnPN
+f2ekn/nXzq1lGGJSWsDjcXTjQvqXaVIZm7cjgjaE+80IfaUc9H75qvUT3vaq3f5u
+XC7DMQKBgQDMAzCCpWlEPbZoFMl6F49+7jG0/TiqM/WRUSQnNtufPMbrR9Je4QM1
+L1UCANCPaHFOncKYer15NfIV1ctt5MZKImevDsUaQO8CUlO+dzd5H8KvHw9E29gA
+B22v8k3jIjsYeRL+UJ/sBnWHgxdAe/NEM+TdlP2oP9D1gTifutPqAg==
+-----END RSA PRIVATE KEY-----
diff --git a/cli/e2e/image/testdata/notary/gen.sh b/cli/e2e/image/testdata/notary/gen.sh
new file mode 100755
index 00000000..8d6381ce
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/gen.sh
@@ -0,0 +1,18 @@
+for selfsigned in delgkey1 delgkey2 delgkey3 delgkey4; do
+        subj='/C=US/ST=CA/L=SanFrancisco/O=Docker/CN=delegation'
+
+        openssl genrsa -out "${selfsigned}.key" 2048
+        openssl req -new -key "${selfsigned}.key" -out "${selfsigned}.csr" -sha256 -subj "${subj}"
+        cat > "${selfsigned}.cnf" <<EOL
+[selfsigned]
+basicConstraints = critical,CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage=codeSigning
+subjectKeyIdentifier=hash
+EOL
+
+        openssl x509 -req -days 3560 -in "${selfsigned}.csr" -signkey "${selfsigned}.key" -sha256 \
+                -out "${selfsigned}.crt" -extfile "${selfsigned}.cnf" -extensions selfsigned
+
+        rm "${selfsigned}.cnf" "${selfsigned}.csr"
+done
diff --git a/cli/e2e/image/testdata/notary/localhost.cert b/cli/e2e/image/testdata/notary/localhost.cert
new file mode 100644
index 00000000..d1233a1b
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/localhost.cert
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfOgAwIBAgIQTOoFF+ypXwgdXnXHuCTvYDALBgkqhkiG9w0BAQswJjER
+MA8GA1UEChMIUXVpY2tUTFMxETAPBgNVBAMTCFF1aWNrVExTMB4XDTE1MDcxNzE5
+NDg1M1oXDTE4MDcwMTE5NDg1M1owJzERMA8GA1UEChMIUXVpY2tUTFMxEjAQBgNV
+BAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMDO
+qvTBAi0ApXLfe90ApJkdkRGwF838Qzt1UFSxomu5fHRV6l3FjX5XCVHiFQ4w3ROh
+dMOu9NahfGLJv9VvWU2MV3YoY9Y7lIXpKwnK1v064wuls4nPh13BUWKQKofcY/e2
+qaSPd6/qmSRc/kJUvOI9jZMSX6ZRPu9K4PCqm2CivlbLq9UYuo1AbRGfuqHRvTxg
+mQG7WQCzGSvSjuSg5qX3TEh0HckTczJG9ODULNRWNE7ld0W4sfv4VF8R7Uc/G7LO
+8QwLCZ9TIl3gYMPCrhUL3Q6z9Jnn1SQS4mhDnPi6ugRYO1X8k3jjdxV9C2sXwUvN
+OZI1rLEWl9TJNA7ZXtMCAwEAAaM2MDQwDgYDVR0PAQH/BAQDAgCgMAwGA1UdEwEB
+/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MAsGCSqGSIb3DQEBCwOCAQEAH6iq
+kM2+UMukGDLEQKHHiauioWJlHDlLXv76bJiNfjSz94B/2XOQMb9PT04//tnGUyPK
+K8Dx7RoxSodU6T5VRiz/A36mLOvt2t3bcL/1nHf9sAOHcexGtnCbQbW91V7RKfIL
+sjiLNFDkQ9VfVNY+ynQptZoyH1sy07+dplfkIiPzRs5WuVAnEGsX3r6BrhgUITzi
+g1B4kpmGZIohP4m6ZEBY5xuo/NQ0+GhjAENQMU38GpuoMyFS0i0dGcbx8weqnI/B
+Er/qa0+GE/rBnWY8TiRow8dzpneSFQnUZpJ4EwD9IoOIDHo7k2Nbz2P50HMiCXZf
+4RqzctVssRlrRVnO5w==
+-----END CERTIFICATE-----
diff --git a/cli/e2e/image/testdata/notary/localhost.key b/cli/e2e/image/testdata/notary/localhost.key
new file mode 100644
index 00000000..d7778359
--- /dev/null
+++ b/cli/e2e/image/testdata/notary/localhost.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAwM6q9MECLQClct973QCkmR2REbAXzfxDO3VQVLGia7l8dFXq
+XcWNflcJUeIVDjDdE6F0w6701qF8Ysm/1W9ZTYxXdihj1juUhekrCcrW/TrjC6Wz
+ic+HXcFRYpAqh9xj97appI93r+qZJFz+QlS84j2NkxJfplE+70rg8KqbYKK+Vsur
+1Ri6jUBtEZ+6odG9PGCZAbtZALMZK9KO5KDmpfdMSHQdyRNzMkb04NQs1FY0TuV3
+Rbix+/hUXxHtRz8bss7xDAsJn1MiXeBgw8KuFQvdDrP0mefVJBLiaEOc+Lq6BFg7
+VfyTeON3FX0LaxfBS805kjWssRaX1Mk0Dtle0wIDAQABAoIBAHbuhNHZROhRn70O
+Ui9vOBki/dt1ThnH5AkHQngb4t6kWjrAzILvW2p1cdBKr0ZDqftz+rzCbVD/5+Rg
+Iq8bsnB9g23lWEBMHD/GJsAxmRA3hNooamk11IBmwTcVSsbnkdq5mEdkICYphjHC
+Ey0DbEf6RBxWlx3WvAWLoNmTw6iFaOCH8IyLavPpe7kLbZc219oNUw2qjCnCXCZE
+/NuViADHJBPN8r7g1gmyclJmTumdUK6oHgXEMMPe43vhReGcgcReK9QZjnTcIXPM
+4oJOraw+BtoZXVvvIPnC+5ntoLFOzjIzM0kaveReZbdgffqF4zy2vRfCHhWssanc
+7a0xR4ECgYEA3Xuvcqy5Xw+v/jVCO0VZj++Z7apA78dY4tWsPx5/0DUTTziTlXkC
+ADduEbwX6HgZ/iLvA9j4C3Z4mO8qByby/6UoBU8NEe+PQt6fT7S+dKSP4uy5ZxVM
+i5opkEyrJsMbve9Jrlj4bk5CICsydrZ+SBFHnpNGjbduGQick5LORWECgYEA3trt
+gepteDGiUYmnnBgjbYtcD11RvpKC8Z/QwGnzN5vk4eBu8r7DkMcLN+SiHjAovlJo
+r5j3EbF8sla1zBf/yySdQZFqUGcwtw7MaAKCLdhQl5WsViNMIx6p2OJapu0dzbv2
+KTXrnoRCafcH92k0dUX1ahE9eyc8KX6VhbWwXLMCgYATGCCuEDoC+gVAMzM8jOQF
+xrBMjwr+IP+GvskUv/pg5tJ9V/FRR5dmkWDJ4p9lCUWkZTqZ6FCqHFKVTLkg2LjG
+VWS34HLOAwskxrCRXJG22KEW/TWWr31j46yFpjZzJwrzOvftMfpo+BI3V8IH/f+x
+EtxLzYKdoRy6x8VH67YgwQKBgHor2vjV45142FuK83AHa6SqOZXSuvWWrGJ6Ep7p
+doSN2jRaLXi2S9AaznOdy6JxFGUCGJHrcccpXgsGrjNtFLXxJKTFa1sYtwQkALsk
+ZOltJQF09D1krGC0driHntrUMvqOiKye+sS0DRS6cIuaCUAhUiELwoC5SaoV0zKy
+IDUxAoGAOK8Xq+3/sqe79vTpw25RXl+nkAmOAeKjqf3Kh6jbnBhr81rmefyKXB9a
+uj0b980tzUnliwA5cCOsyxfN2vASvMnJxFE721QZI04arlcPFHcFqCtmNnUYTcLp
+0hgn/yLZptcoxpy+eTBu3eNsxz1Bu/Tx/198+2Wr3MbtGpLNIcA=
+-----END RSA PRIVATE KEY-----
diff --git a/cli/e2e/image/testdata/pull-with-content-trust-err.golden b/cli/e2e/image/testdata/pull-with-content-trust-err.golden
new file mode 100644
index 00000000..4b9707cb
--- /dev/null
+++ b/cli/e2e/image/testdata/pull-with-content-trust-err.golden
@@ -0,0 +1 @@
+Tagging registry:5000/trust-pull@sha256:641b95ddb2ea9dc2af1a0113b6b348ebc20872ba615204fbe12148e98fd6f23d as registry:5000/trust-pull:latest
diff --git a/cli/e2e/image/testdata/pull-with-content-trust.golden b/cli/e2e/image/testdata/pull-with-content-trust.golden
new file mode 100644
index 00000000..ea30b56d
--- /dev/null
+++ b/cli/e2e/image/testdata/pull-with-content-trust.golden
@@ -0,0 +1,4 @@
+Pull (1 of 1): registry:5000/trust-pull:latest@sha256:641b95ddb2ea9dc2af1a0113b6b348ebc20872ba615204fbe12148e98fd6f23d
+sha256:641b95ddb2ea9dc2af1a0113b6b348ebc20872ba615204fbe12148e98fd6f23d: Pulling from trust-pull
+Digest: sha256:641b95ddb2ea9dc2af1a0113b6b348ebc20872ba615204fbe12148e98fd6f23d
+Status: Downloaded newer image for registry:5000/trust-pull@sha256:641b95ddb2ea9dc2af1a0113b6b348ebc20872ba615204fbe12148e98fd6f23d
diff --git a/cli/e2e/image/testdata/push-with-content-trust-err.golden b/cli/e2e/image/testdata/push-with-content-trust-err.golden
new file mode 100644
index 00000000..e69de29b
diff --git a/cli/e2e/internal/fixtures/fixtures.go b/cli/e2e/internal/fixtures/fixtures.go
new file mode 100644
index 00000000..99343f65
--- /dev/null
+++ b/cli/e2e/internal/fixtures/fixtures.go
@@ -0,0 +1,126 @@
+package fixtures
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"gotest.tools/fs"
+	"gotest.tools/icmd"
+)
+
+const (
+	//NotaryURL is the location of the notary server
+	NotaryURL = "https://notary-server:4443"
+	//AlpineImage is an image in the test registry
+	AlpineImage = "registry:5000/alpine:3.6"
+	//AlpineSha is the sha of the alpine image
+	AlpineSha = "641b95ddb2ea9dc2af1a0113b6b348ebc20872ba615204fbe12148e98fd6f23d"
+	//BusyboxImage is an image in the test registry
+	BusyboxImage = "registry:5000/busybox:1.27.2"
+	//BusyboxSha is the sha of the busybox image
+	BusyboxSha = "030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af"
+)
+
+//SetupConfigFile creates a config.json file for testing
+func SetupConfigFile(t *testing.T) fs.Dir {
+	t.Helper()
+	dir := fs.NewDir(t, "trust_test", fs.WithMode(0700), fs.WithFile("config.json", `
+	{
+		"auths": {
+			"registry:5000": {
+				"auth": "ZWlhaXM6cGFzc3dvcmQK"
+			},
+			"https://notary-server:4443": {
+				"auth": "ZWlhaXM6cGFzc3dvcmQK"
+			}
+		},
+		"experimental": "enabled"
+	}
+	`), fs.WithDir("trust", fs.WithDir("private")))
+	return *dir
+}
+
+//WithConfig sets an environment variable for the docker config location
+func WithConfig(dir string) func(cmd *icmd.Cmd) {
+	return func(cmd *icmd.Cmd) {
+		env := append(os.Environ(),
+			"DOCKER_CONFIG="+dir,
+		)
+		cmd.Env = append(cmd.Env, env...)
+	}
+}
+
+//WithPassphrase sets environment variables for passphrases
+func WithPassphrase(rootPwd, repositoryPwd string) func(cmd *icmd.Cmd) {
+	return func(cmd *icmd.Cmd) {
+		env := append(os.Environ(),
+			"DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE="+rootPwd,
+			"DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="+repositoryPwd,
+		)
+		cmd.Env = append(cmd.Env, env...)
+	}
+}
+
+//WithTrust sets DOCKER_CONTENT_TRUST to 1
+func WithTrust(cmd *icmd.Cmd) {
+	env := append(os.Environ(),
+		"DOCKER_CONTENT_TRUST=1",
+	)
+	cmd.Env = append(cmd.Env, env...)
+}
+
+//WithNotary sets the location of the notary server
+func WithNotary(cmd *icmd.Cmd) {
+	env := append(os.Environ(),
+		"DOCKER_CONTENT_TRUST_SERVER="+NotaryURL,
+	)
+	cmd.Env = append(cmd.Env, env...)
+}
+
+//WithHome sets the HOME environment variable
+func WithHome(path string) func(*icmd.Cmd) {
+	return func(cmd *icmd.Cmd) {
+		cmd.Env = append(cmd.Env, "HOME="+path)
+	}
+}
+
+//WithNotaryServer sets the location of the notary server
+func WithNotaryServer(notaryURL string) func(*icmd.Cmd) {
+	return func(cmd *icmd.Cmd) {
+		env := append(os.Environ(),
+			"DOCKER_CONTENT_TRUST_SERVER="+notaryURL,
+		)
+		cmd.Env = append(cmd.Env, env...)
+	}
+}
+
+// CreateMaskedTrustedRemoteImage creates a remote image that is signed with
+// content trust, then pushes a different untrusted image at the same tag.
+func CreateMaskedTrustedRemoteImage(t *testing.T, registryPrefix, repo, tag string) string {
+	t.Helper()
+	image := createTrustedRemoteImage(t, registryPrefix, repo, tag)
+	createNamedUnsignedImageFromBusyBox(t, image)
+	return image
+}
+
+func createTrustedRemoteImage(t *testing.T, registryPrefix, repo, tag string) string {
+	t.Helper()
+	image := fmt.Sprintf("%s/%s:%s", registryPrefix, repo, tag)
+	icmd.RunCommand("docker", "image", "pull", AlpineImage).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "image", "tag", AlpineImage, image).Assert(t, icmd.Success)
+	result := icmd.RunCmd(
+		icmd.Command("docker", "image", "push", image),
+		WithPassphrase("root_password", "repo_password"), WithTrust, WithNotary)
+	result.Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
+	return image
+}
+
+func createNamedUnsignedImageFromBusyBox(t *testing.T, image string) {
+	t.Helper()
+	icmd.RunCommand("docker", "image", "pull", BusyboxImage).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "image", "tag", BusyboxImage, image).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "image", "push", image).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "image", "rm", image).Assert(t, icmd.Success)
+}
diff --git a/cli/e2e/plugin/basic/basic.go b/cli/e2e/plugin/basic/basic.go
new file mode 100644
index 00000000..89227282
--- /dev/null
+++ b/cli/e2e/plugin/basic/basic.go
@@ -0,0 +1,34 @@
+package main
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+)
+
+func main() {
+	p, err := filepath.Abs(filepath.Join("run", "docker", "plugins"))
+	if err != nil {
+		panic(err)
+	}
+	if err := os.MkdirAll(p, 0755); err != nil {
+		panic(err)
+	}
+	l, err := net.Listen("unix", filepath.Join(p, "basic.sock"))
+	if err != nil {
+		panic(err)
+	}
+
+	mux := http.NewServeMux()
+	server := http.Server{
+		Addr:    l.Addr().String(),
+		Handler: http.NewServeMux(),
+	}
+	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1.1+json")
+		fmt.Println(w, `{"Implements": ["dummy"]}`)
+	})
+	server.Serve(l)
+}
diff --git a/cli/e2e/plugin/main_test.go b/cli/e2e/plugin/main_test.go
new file mode 100644
index 00000000..8cb31a23
--- /dev/null
+++ b/cli/e2e/plugin/main_test.go
@@ -0,0 +1,17 @@
+package plugin
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/internal/test/environment"
+)
+
+func TestMain(m *testing.M) {
+	if err := environment.Setup(); err != nil {
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}
+	os.Exit(m.Run())
+}
diff --git a/cli/e2e/plugin/trust_test.go b/cli/e2e/plugin/trust_test.go
new file mode 100644
index 00000000..8dc3cad8
--- /dev/null
+++ b/cli/e2e/plugin/trust_test.go
@@ -0,0 +1,114 @@
+package plugin
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"github.com/docker/cli/internal/test/environment"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	"gotest.tools/fs"
+	"gotest.tools/icmd"
+	"gotest.tools/skip"
+)
+
+const registryPrefix = "registry:5000"
+
+func TestInstallWithContentTrust(t *testing.T) {
+	skip.If(t, environment.SkipPluginTests())
+
+	pluginName := fmt.Sprintf("%s/plugin-content-trust", registryPrefix)
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+
+	pluginDir := preparePluginDir(t)
+	defer pluginDir.Remove()
+
+	icmd.RunCommand("docker", "plugin", "create", pluginName, pluginDir.Path()).Assert(t, icmd.Success)
+	result := icmd.RunCmd(icmd.Command("docker", "plugin", "push", pluginName),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+		fixtures.WithPassphrase("foo", "bar"),
+	)
+	result.Assert(t, icmd.Expected{
+		Out: "Signing and pushing trust metadata",
+	})
+
+	icmd.RunCommand("docker", "plugin", "rm", "-f", pluginName).Assert(t, icmd.Success)
+
+	result = icmd.RunCmd(icmd.Command("docker", "plugin", "install", "--grant-all-permissions", pluginName),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+	result.Assert(t, icmd.Expected{
+		Out: fmt.Sprintf("Status: Downloaded newer image for %s@sha", pluginName),
+	})
+}
+
+func TestInstallWithContentTrustUntrusted(t *testing.T) {
+	skip.If(t, environment.SkipPluginTests())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+
+	result := icmd.RunCmd(icmd.Command("docker", "plugin", "install", "--grant-all-permissions", "tiborvass/sample-volume-plugin:latest"),
+		fixtures.WithConfig(dir.Path()),
+		fixtures.WithTrust,
+		fixtures.WithNotary,
+	)
+	result.Assert(t, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Error: remote trust data does not exist",
+	})
+}
+
+func preparePluginDir(t *testing.T) *fs.Dir {
+	p := &types.PluginConfig{
+		Interface: types.PluginConfigInterface{
+			Socket: "basic.sock",
+			Types:  []types.PluginInterfaceType{{Capability: "docker.dummy/1.0"}},
+		},
+		Entrypoint: []string{"/basic"},
+	}
+	configJSON, err := json.Marshal(p)
+	assert.NilError(t, err)
+
+	binPath, err := ensureBasicPluginBin()
+	assert.NilError(t, err)
+
+	dir := fs.NewDir(t, "plugin_test",
+		fs.WithFile("config.json", string(configJSON), fs.WithMode(0644)),
+		fs.WithDir("rootfs", fs.WithMode(0755)),
+	)
+	icmd.RunCommand("/bin/cp", binPath, dir.Join("rootfs", p.Entrypoint[0])).Assert(t, icmd.Success)
+	return dir
+}
+
+func ensureBasicPluginBin() (string, error) {
+	name := "docker-basic-plugin"
+	p, err := exec.LookPath(name)
+	if err == nil {
+		return p, nil
+	}
+
+	goBin, err := exec.LookPath("/usr/local/go/bin/go")
+	if err != nil {
+		return "", err
+	}
+	installPath := filepath.Join(os.Getenv("GOPATH"), "bin", name)
+	cmd := exec.Command(goBin, "build", "-o", installPath, "./basic")
+	cmd.Env = append(cmd.Env, "CGO_ENABLED=0")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return "", errors.Wrapf(err, "error building basic plugin bin: %s", string(out))
+	}
+	return installPath, nil
+}
diff --git a/cli/e2e/stack/deploy_test.go b/cli/e2e/stack/deploy_test.go
new file mode 100644
index 00000000..959405c6
--- /dev/null
+++ b/cli/e2e/stack/deploy_test.go
@@ -0,0 +1,44 @@
+package stack
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test/environment"
+	"gotest.tools/assert"
+	"gotest.tools/golden"
+	"gotest.tools/icmd"
+	"gotest.tools/skip"
+)
+
+func TestDeployWithNamedResources(t *testing.T) {
+	t.Run("Swarm", func(t *testing.T) {
+		testDeployWithNamedResources(t, "swarm")
+	})
+	t.Run("Kubernetes", func(t *testing.T) {
+		// FIXME(chris-crone): currently does not work with compose for kubernetes.
+		t.Skip("FIXME(chris-crone): currently does not work with compose for kubernetes.")
+		skip.If(t, !environment.KubernetesEnabled())
+
+		testDeployWithNamedResources(t, "kubernetes")
+	})
+}
+
+func testDeployWithNamedResources(t *testing.T, orchestrator string) {
+	stackname := fmt.Sprintf("test-stack-deploy-with-names-%s", orchestrator)
+	composefile := golden.Path("stack-with-named-resources.yml")
+
+	result := icmd.RunCommand("docker", "stack", "deploy",
+		"-c", composefile, stackname, "--orchestrator", orchestrator)
+	defer icmd.RunCommand("docker", "stack", "rm",
+		"--orchestrator", orchestrator, stackname)
+
+	result.Assert(t, icmd.Success)
+	stdout := strings.Split(result.Stdout(), "\n")
+	expected := strings.Split(string(golden.Get(t, fmt.Sprintf("stack-deploy-with-names-%s.golden", orchestrator))), "\n")
+	sort.Strings(stdout)
+	sort.Strings(expected)
+	assert.DeepEqual(t, stdout, expected)
+}
diff --git a/cli/e2e/stack/help_test.go b/cli/e2e/stack/help_test.go
new file mode 100644
index 00000000..e356fcae
--- /dev/null
+++ b/cli/e2e/stack/help_test.go
@@ -0,0 +1,24 @@
+package stack
+
+import (
+	"fmt"
+	"testing"
+
+	"gotest.tools/golden"
+	"gotest.tools/icmd"
+)
+
+func TestStackDeployHelp(t *testing.T) {
+	t.Run("Swarm", func(t *testing.T) {
+		testStackDeployHelp(t, "swarm")
+	})
+	t.Run("Kubernetes", func(t *testing.T) {
+		testStackDeployHelp(t, "kubernetes")
+	})
+}
+
+func testStackDeployHelp(t *testing.T, orchestrator string) {
+	result := icmd.RunCommand("docker", "stack", "deploy", "--orchestrator", orchestrator, "--help")
+	result.Assert(t, icmd.Success)
+	golden.Assert(t, result.Stdout(), fmt.Sprintf("stack-deploy-help-%s.golden", orchestrator))
+}
diff --git a/cli/e2e/stack/main_test.go b/cli/e2e/stack/main_test.go
new file mode 100644
index 00000000..0d36e45b
--- /dev/null
+++ b/cli/e2e/stack/main_test.go
@@ -0,0 +1,17 @@
+package stack
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/internal/test/environment"
+)
+
+func TestMain(m *testing.M) {
+	if err := environment.Setup(); err != nil {
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}
+	os.Exit(m.Run())
+}
diff --git a/cli/e2e/stack/remove_test.go b/cli/e2e/stack/remove_test.go
new file mode 100644
index 00000000..6c5f5798
--- /dev/null
+++ b/cli/e2e/stack/remove_test.go
@@ -0,0 +1,85 @@
+package stack
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test/environment"
+	"gotest.tools/golden"
+	"gotest.tools/icmd"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+var pollSettings = environment.DefaultPollSettings
+
+func TestRemove(t *testing.T) {
+	t.Run("Swarm", func(t *testing.T) {
+		testRemove(t, "swarm")
+	})
+	t.Run("Kubernetes", func(t *testing.T) {
+		skip.If(t, !environment.KubernetesEnabled())
+
+		testRemove(t, "kubernetes")
+	})
+}
+
+func testRemove(t *testing.T, orchestrator string) {
+	stackname := "test-stack-remove-" + orchestrator
+	deployFullStack(t, orchestrator, stackname)
+	defer cleanupFullStack(t, orchestrator, stackname)
+	result := icmd.RunCommand("docker", "stack", "rm",
+		stackname, "--orchestrator", orchestrator)
+	result.Assert(t, icmd.Expected{Err: icmd.None})
+	golden.Assert(t, result.Stdout(),
+		fmt.Sprintf("stack-remove-%s-success.golden", orchestrator))
+}
+
+func deployFullStack(t *testing.T, orchestrator, stackname string) {
+	// TODO: this stack should have full options not minimal options
+	result := icmd.RunCommand("docker", "stack", "deploy",
+		"--compose-file=./testdata/full-stack.yml", stackname, "--orchestrator", orchestrator)
+	result.Assert(t, icmd.Success)
+
+	poll.WaitOn(t, taskCount(orchestrator, stackname, 2), pollSettings)
+}
+
+func cleanupFullStack(t *testing.T, orchestrator, stackname string) {
+	// FIXME(vdemeester) we shouldn't have to do that. it is hidding a race on docker stack rm
+	poll.WaitOn(t, stackRm(orchestrator, stackname), pollSettings)
+	poll.WaitOn(t, taskCount(orchestrator, stackname, 0), pollSettings)
+}
+
+func stackRm(orchestrator, stackname string) func(t poll.LogT) poll.Result {
+	return func(poll.LogT) poll.Result {
+		result := icmd.RunCommand("docker", "stack", "rm", stackname, "--orchestrator", orchestrator)
+		if result.Error != nil {
+			if strings.Contains(result.Stderr(), "not found") {
+				return poll.Success()
+			}
+			return poll.Continue("docker stack rm %s failed : %v", stackname, result.Error)
+		}
+		return poll.Success()
+	}
+}
+
+func taskCount(orchestrator, stackname string, expected int) func(t poll.LogT) poll.Result {
+	return func(poll.LogT) poll.Result {
+		args := []string{"stack", "ps", stackname, "--orchestrator", orchestrator}
+		// FIXME(chris-crone): remove when we support filtering by desired-state on kubernetes
+		if orchestrator == "swarm" {
+			args = append(args, "-f=desired-state=running")
+		}
+		result := icmd.RunCommand("docker", args...)
+		count := lines(result.Stdout()) - 1
+		if count == expected {
+			return poll.Success()
+		}
+		return poll.Continue("task count is %d waiting for %d", count, expected)
+	}
+}
+
+func lines(out string) int {
+	return len(strings.Split(strings.TrimSpace(out), "\n"))
+}
diff --git a/cli/e2e/stack/testdata/data b/cli/e2e/stack/testdata/data
new file mode 100644
index 00000000..8a56f6d8
--- /dev/null
+++ b/cli/e2e/stack/testdata/data
@@ -0,0 +1 @@
+A file with some text
diff --git a/cli/e2e/stack/testdata/full-stack.yml b/cli/e2e/stack/testdata/full-stack.yml
new file mode 100644
index 00000000..8c4d06f8
--- /dev/null
+++ b/cli/e2e/stack/testdata/full-stack.yml
@@ -0,0 +1,9 @@
+version: '3.3'
+
+services:
+  one:
+    image: registry:5000/alpine:3.6
+    command: top
+  two:
+    image: registry:5000/alpine:3.6
+    command: top
diff --git a/cli/e2e/stack/testdata/stack-deploy-help-kubernetes.golden b/cli/e2e/stack/testdata/stack-deploy-help-kubernetes.golden
new file mode 100644
index 00000000..a0d6080a
--- /dev/null
+++ b/cli/e2e/stack/testdata/stack-deploy-help-kubernetes.golden
@@ -0,0 +1,14 @@
+
+Usage:	docker stack deploy [OPTIONS] STACK
+
+Deploy a new stack or update an existing stack
+
+Aliases:
+  deploy, up
+
+Options:
+  -c, --compose-file strings   Path to a Compose file, or "-" to read
+                               from stdin
+      --kubeconfig string      Kubernetes config file
+      --namespace string       Kubernetes namespace to use
+      --orchestrator string    Orchestrator to use (swarm|kubernetes|all)
diff --git a/cli/e2e/stack/testdata/stack-deploy-help-swarm.golden b/cli/e2e/stack/testdata/stack-deploy-help-swarm.golden
new file mode 100644
index 00000000..5532dc01
--- /dev/null
+++ b/cli/e2e/stack/testdata/stack-deploy-help-swarm.golden
@@ -0,0 +1,19 @@
+
+Usage:	docker stack deploy [OPTIONS] STACK
+
+Deploy a new stack or update an existing stack
+
+Aliases:
+  deploy, up
+
+Options:
+      --bundle-file string     Path to a Distributed Application Bundle file
+  -c, --compose-file strings   Path to a Compose file, or "-" to read
+                               from stdin
+      --orchestrator string    Orchestrator to use (swarm|kubernetes|all)
+      --prune                  Prune services that are no longer referenced
+      --resolve-image string   Query the registry to resolve image digest
+                               and supported platforms
+                               ("always"|"changed"|"never") (default "always")
+      --with-registry-auth     Send registry authentication details to
+                               Swarm agents
diff --git a/cli/e2e/stack/testdata/stack-deploy-with-names-kubernetes.golden b/cli/e2e/stack/testdata/stack-deploy-with-names-kubernetes.golden
new file mode 100644
index 00000000..f97dd682
--- /dev/null
+++ b/cli/e2e/stack/testdata/stack-deploy-with-names-kubernetes.golden
@@ -0,0 +1,7 @@
+Creating network test-stack-deploy-with-names_network2
+Creating network named-network
+Creating secret named-secret
+Creating secret test-stack-deploy-with-names_secret2
+Creating config test-stack-deploy-with-names_config2
+Creating config named-config
+Creating service test-stack-deploy-with-names_web
diff --git a/cli/e2e/stack/testdata/stack-deploy-with-names-swarm.golden b/cli/e2e/stack/testdata/stack-deploy-with-names-swarm.golden
new file mode 100644
index 00000000..c7f421ba
--- /dev/null
+++ b/cli/e2e/stack/testdata/stack-deploy-with-names-swarm.golden
@@ -0,0 +1,7 @@
+Creating network test-stack-deploy-with-names-swarm_network2
+Creating network named-network
+Creating secret named-secret
+Creating secret test-stack-deploy-with-names-swarm_secret2
+Creating config test-stack-deploy-with-names-swarm_config2
+Creating config named-config
+Creating service test-stack-deploy-with-names-swarm_web
diff --git a/cli/e2e/stack/testdata/stack-deploy-with-names.golden b/cli/e2e/stack/testdata/stack-deploy-with-names.golden
new file mode 100644
index 00000000..f97dd682
--- /dev/null
+++ b/cli/e2e/stack/testdata/stack-deploy-with-names.golden
@@ -0,0 +1,7 @@
+Creating network test-stack-deploy-with-names_network2
+Creating network named-network
+Creating secret named-secret
+Creating secret test-stack-deploy-with-names_secret2
+Creating config test-stack-deploy-with-names_config2
+Creating config named-config
+Creating service test-stack-deploy-with-names_web
diff --git a/cli/e2e/stack/testdata/stack-remove-kubernetes-success.golden b/cli/e2e/stack/testdata/stack-remove-kubernetes-success.golden
new file mode 100644
index 00000000..3c136713
--- /dev/null
+++ b/cli/e2e/stack/testdata/stack-remove-kubernetes-success.golden
@@ -0,0 +1 @@
+Removing stack: test-stack-remove-kubernetes
diff --git a/cli/e2e/stack/testdata/stack-remove-swarm-success.golden b/cli/e2e/stack/testdata/stack-remove-swarm-success.golden
new file mode 100644
index 00000000..db77e8dc
--- /dev/null
+++ b/cli/e2e/stack/testdata/stack-remove-swarm-success.golden
@@ -0,0 +1,3 @@
+Removing service test-stack-remove-swarm_one
+Removing service test-stack-remove-swarm_two
+Removing network test-stack-remove-swarm_default
diff --git a/cli/e2e/stack/testdata/stack-with-named-resources.yml b/cli/e2e/stack/testdata/stack-with-named-resources.yml
new file mode 100644
index 00000000..f7a04b21
--- /dev/null
+++ b/cli/e2e/stack/testdata/stack-with-named-resources.yml
@@ -0,0 +1,30 @@
+version: '3.5'
+services:
+  web:
+    image: registry:5000/alpine:3.6
+    command: top
+    networks: [network1, network2]
+    volumes: [volume1, volume2]
+    secrets: [secret1, secret2]
+    configs: [config1, config2]
+
+networks:
+  network1:
+    name: named-network
+  network2:
+volumes:
+  volume1:
+    name: named-volume
+  volume2:
+secrets:
+  secret1:
+    name: named-secret
+    file: ./data
+  secret2:
+    file: ./data
+configs:
+  config1:
+    name: named-config
+    file: ./data
+  config2:
+    file: ./data
diff --git a/cli/e2e/system/inspect_test.go b/cli/e2e/system/inspect_test.go
new file mode 100644
index 00000000..2b329597
--- /dev/null
+++ b/cli/e2e/system/inspect_test.go
@@ -0,0 +1,18 @@
+package system
+
+import (
+	"testing"
+
+	"gotest.tools/icmd"
+)
+
+// TestInspectInvalidReference migrated from moby/integration-cli
+func TestInspectInvalidReference(t *testing.T) {
+	// This test should work on both Windows and Linux
+	result := icmd.RunCmd(icmd.Command("docker", "inspect", "FooBar"))
+	result.Assert(t, icmd.Expected{
+		Out:      "[]",
+		Err:      "Error: No such object: FooBar",
+		ExitCode: 1,
+	})
+}
diff --git a/cli/e2e/system/main_test.go b/cli/e2e/system/main_test.go
new file mode 100644
index 00000000..b154d1a1
--- /dev/null
+++ b/cli/e2e/system/main_test.go
@@ -0,0 +1,17 @@
+package system
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/internal/test/environment"
+)
+
+func TestMain(m *testing.M) {
+	if err := environment.Setup(); err != nil {
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}
+	os.Exit(m.Run())
+}
diff --git a/cli/e2e/testdata/Dockerfile.notary-server b/cli/e2e/testdata/Dockerfile.notary-server
new file mode 100644
index 00000000..d013d9ef
--- /dev/null
+++ b/cli/e2e/testdata/Dockerfile.notary-server
@@ -0,0 +1,4 @@
+ARG NOTARY_VERSION=0.5.0
+FROM notary:server-${NOTARY_VERSION}
+
+COPY ./notary/ /fixtures/
diff --git a/cli/e2e/testdata/notary/notary-config.json b/cli/e2e/testdata/notary/notary-config.json
new file mode 100644
index 00000000..a4aed592
--- /dev/null
+++ b/cli/e2e/testdata/notary/notary-config.json
@@ -0,0 +1,19 @@
+{
+    "server": {
+        "http_addr": "notary-server:4443",
+        "tls_key_file": "./notary-server.key",
+        "tls_cert_file": "./notary-server.cert"
+    },
+    "trust_service": {
+        "type": "local",
+        "hostname": "",
+        "port": "",
+        "key_algorithm": "ed25519"
+    },
+    "logging": {
+        "level": "debug"
+    },
+    "storage": {
+        "backend": "memory"
+    }
+}
diff --git a/cli/e2e/testdata/notary/notary-server.cert b/cli/e2e/testdata/notary/notary-server.cert
new file mode 100644
index 00000000..7ec83c82
--- /dev/null
+++ b/cli/e2e/testdata/notary/notary-server.cert
@@ -0,0 +1,64 @@
+-----BEGIN CERTIFICATE-----
+MIIFKjCCAxKgAwIBAgIJAMyOpNbHzq7KMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEPMA0G
+A1UECgwGRG9ja2VyMScwJQYDVQQDDB5Ob3RhcnkgSW50ZXJtZWRpYXRlIFRlc3Rp
+bmcgQ0EwHhcNMTgwMzA3MDk0MjAxWhcNMjAwMzI2MDk0MjAxWjBbMQswCQYDVQQG
+EwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNV
+BAoMBkRvY2tlcjEWMBQGA1UEAwwNbm90YXJ5LXNlcnZlcjCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAKjbeflOtVrOv0IOeJGKfi5LHH3Di0O2nlZu8AIT
+SJbDZPSXoYc+cprpoEWYncbFFC3C94z5xBW5vcAqMhLs50ml5ADl86umcLl2C/mX
+8NuZnlIevMCb0mBiavDtSPV3J5DqOk+trgKEXs9g4hyh5Onh5Y5InPO1lDJ+2cEt
+VGBMhhddfWRVlV9ZUWxPYVCTt6L0bD9SeyXJVB0dnFhr3xICayhDlhlvcjXVOTUs
+ewJLo/L2nq0ve93Jb2smKio27ZGE79bCGqJK213/FNqfAlGUPkhYTfYJTcgjhS1p
+lmtgN6KZF6RVXvOrCBMEDM2yZq1mEPWjoT0tn0MkWErDANcCAwEAAaOB3zCB3DAf
+BgNVHSMEGDAWgBSIZiRbIhk/26DjfXrjiqS2UiRgEjAMBgNVHRMBAf8EAjAAMB0G
+A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwXQYD
+VR0RBFYwVIINbm90YXJ5LXNlcnZlcoIMbm90YXJ5c2VydmVyghJldmlsLW5vdGFy
+eS1zZXJ2ZXKCEGV2aWxub3RhcnlzZXJ2ZXKCCWxvY2FsaG9zdIcEfwAAATAdBgNV
+HQ4EFgQUFBwKiXKF7LSjRFMuKIYC1pGFQi4wDQYJKoZIhvcNAQELBQADggIBACE6
+Y+XRchaN7B8+z+4qXxNTTPT5WZYWU4IMddPLWPcSj9U+XFBz19nObrZLAf6Z3Te7
+6BlcVfEdIRMNCspcjX6RZjeC0iJAaDKo+SdqoajKpEwph9R4OP2I4mwcpf/oMG7p
+IsNyzeA7427ignwQ+XfwSElJ5BeTUSPgkYujrTZDxRfCA01t0X0tpzv/3o4dfoZ0
+QKA+2djJagrjU82kTneWRktn6+G+zQuZdupcwUEPvlH3YdEgH22W0m0mavnJMYI/
+J/J4rmanvknLnjCmChEdpwCORL+G84Hu9hdy0WSbvQzQ9puGyukWJO/71Z0fhis2
+DuLIt2esRJoKyrnaCDA+EFJ0JkzozZfS2BcRe3UL9awnwa/iKlUcs/u4bhKu9gwL
+F2dXtYPJzyr3PUdPGT4FixTpVZG37BvUSy2IH97qxgK9vn1FGTLDqQlSwCLXvrzr
+g2Zz7+JpF2SK3yR1G/IYmAFa37vmbBjW7dZp2JepTMelpblxiTthH1jPN7Lf3uvd
+tDe2ZLxTNOVpymDupUqOEXanvcTAkRD3ye3/yhWaXQ44lxVJqG+FNdjQCKcARHWH
+H1Otd12QzOsHytUSe7n4zsT06Seyt9huq4g6h0EcuVZaJbi43u5mJtn9yZiZOLF+
+dJsYWaDeSXDnyaFl1tHwcF1tqvguI41E63QqrM0N
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIJAJtU26dE8lzfMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEPMA0G
+A1UECgwGRG9ja2VyMRowGAYDVQQDDBFOb3RhcnkgVGVzdGluZyBDQTAeFw0xODAz
+MDcwOTQyMDFaFw0yODAzMDQwOTQyMDFaMGwxCzAJBgNVBAYTAlVTMQswCQYDVQQI
+DAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEPMA0GA1UECgwGRG9ja2VyMScw
+JQYDVQQDDB5Ob3RhcnkgSW50ZXJtZWRpYXRlIFRlc3RpbmcgQ0EwggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQCoajVV4POf3mp4c6UocppePIvfCYDHEjeY
+YT9nH4Wdidq0VxungyRHXsB4UMfH+tnUiTo2PolVLBAi6mZr/0Me+ZOE12PjUipC
+z2oVfJobuPLebEYcWETZUzGV7VCvyYSgCtnguBh4ju2D/WSWKwqjfq8vcQ/1NFfL
+y9JONHS43XpGx8GfFB6jce69BygyPgyPiA3qzisykIvt7lf26XVTO86fA2ZoEB8o
+dNosC/D8zqRuhIOF+dbywJfqAFvmcGwoq/RWyaoRbiVzzVRg7Elj6dFp2cajFZdR
+yH+R3V/WKYGpC0NnCVZwl/XvjnF0QryEhr6adk8bg9U1q4xq6EZ0DlIXCyCsWvZs
+fu2nfldSb6z/P7TEyVpzmZR01RsyYloO7ImQ4qBYpXAAG8z0dhh7dyoT1+Ec0SbR
+c7ovJQBEZ4U7+nDDeQIbM4MknatgBfgIkJVpVZ6XyFbmg0yFaeowtd+DPIi9ziFK
+nOpRbuzDqD6vAbiM+qPexvAhICTlC56cdp9+Lf42WTABK6Xj1IIfKd+EQDAy8pI3
+LZOvmMpJPFNQszf3AsEzQ4fQJ8OjCp6XJ1owmC249gkJhvt8Mm0Yd8Z3hNtuoE/y
+lnqIXq5Mj98UBhAJtTshRdrexEDXi6oYUTbmJG9hpM2HU17l9x0U00hcyc17RSXo
++Zz/joD3GwIDAQABo4GGMIGDMB8GA1UdIwQYMBaAFDLFEe9lgSHt+7ZKtFGvLFg6
+nAQNMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+AQUFBwMCMA4GA1UdDwEB/wQEAwIBRjAdBgNVHQ4EFgQUiGYkWyIZP9ug431644qk
+tlIkYBIwDQYJKoZIhvcNAQELBQADggIBAIahDV/j3+f9YhzNdAm16A4Tq63wH7mt
+XtGa+iK3klxfVJmcyCNFvjsLf0XvegxgKZU61R++29kYeQekzXsNETGxhny4scp9
+dWO0Wpa2J+TmXUTgB6JDl71W+CctiihIIvdRM1ue28OoXcgmvl94tReA/bA2zx76
+TBCzH6q/lEGMKZTfbV/O8RY+Lidt/PSCr1bPk5GT3F1a68hNyz1PuEAT5XpMcVbe
+FTBXZU1aEM/owJDCBjNmyUW0bE7KZU/rEE73jJqb4WEvFeMtw47EMvNKl+OXAPyg
+Jv9pybiSUL44z4KlW6kYe0Tt6bK4NAJ1iYq6PwCyHqSpU1YHSey7RxdsUsbH+hZn
++8hA98M6v/jTl79byrgoVCi6LXEnM/Hmm6cubWwMDM1VhQBW9VqH/ICEMlSjFSi/
+0EDMGQNSxvJlXoyaEwyTCaMgrXeSW4oEsFfdTMYa1C5Y6ILHI/vakfdf5c32UOzb
+7KoULNfz/TAnoL+4riPmO2LhN4aQh3siZFHzoHTAkpx1KVOi11bpfn5zNxbGxsP8
+tRUfk+DddqvCqmkTliVQQBbS9zjY9oDBUbOqLs2vj8k/PtpDf5+YmHQ0XonPLUxt
+kAU/BfZ8PL3eqcWVYT6QTGG+v1OmztzgG5fPlFwUYf4qN+ICp368p3VRwuaLAy5g
+EIL7P2RDzU63
+-----END CERTIFICATE-----
diff --git a/cli/e2e/testdata/notary/notary-server.key b/cli/e2e/testdata/notary/notary-server.key
new file mode 100644
index 00000000..871d41f6
--- /dev/null
+++ b/cli/e2e/testdata/notary/notary-server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCo23n5TrVazr9C
+DniRin4uSxx9w4tDtp5WbvACE0iWw2T0l6GHPnKa6aBFmJ3GxRQtwveM+cQVub3A
+KjIS7OdJpeQA5fOrpnC5dgv5l/DbmZ5SHrzAm9JgYmrw7Uj1dyeQ6jpPra4ChF7P
+YOIcoeTp4eWOSJzztZQyftnBLVRgTIYXXX1kVZVfWVFsT2FQk7ei9Gw/UnslyVQd
+HZxYa98SAmsoQ5YZb3I11Tk1LHsCS6Py9p6tL3vdyW9rJioqNu2RhO/WwhqiSttd
+/xTanwJRlD5IWE32CU3II4UtaZZrYDeimRekVV7zqwgTBAzNsmatZhD1o6E9LZ9D
+JFhKwwDXAgMBAAECggEAbqa0PV0IlqMYze6xr53zpd5uozM61XqcM8Oq35FHZhRQ
+2b9riDax3zXtYu3pplGLMZmrouQhTKNU5tI/0gsQXUCqMrR9gyQkhkQHAN5CZYU7
+LFEcG5OAvsx/i7XSs5gLg3kaERCdEOUxQ/AW+/BTE7iGN0D6KPH6VUSu6VoNCrTK
+PmYvgta7hwebnvo65/OAc4inp9C19FUkhcNbaCKduWBgUt348+IzVEw9H8+PrdVZ
+dYGfVXAsDFY3zz0ThUbaZ52XS1pCCQ1Df9bQnTgqJNc+u1xQHLYAageKS83uAbtS
+nYjBFFuxeRR2FA1n8echCWQV+16Kqq31U1E2yLfWcQKBgQDSoT73pO9h/yN5myqu
+XxhAC+Ndas0DTl4pmVPpybpenJerba/0KCfYpcSFHAdkXZ1DYL7U+9uh5NRul09f
+WdjayFjn0vv63rwX+PGi1yPHTIv5kLvjYXJtaxzxSzQivYMPmD/7QX4tEsUkpJ8k
+90vMSS/C5ieWbpFwWVvEjFbqHQKBgQDNOsTq6USE3R8p4lj9Ror/waUuWVdzZnm3
+uZGJw3WzvzaXmqLSfVHntUnD8TPHgk3WZxDhrF73POMADkl9IN/JPI150/Uo6YJo
+qYGoZr0mmnEZxVCkwODz5C9icnyjklcRdIRM6eljhFMQDVEacDkptsntHUyIdQZc
+L2eLNUfEgwKBgHxy7UNg3lemag110rgIU8mzvHj7m3oymYw2nc/qcwVnvG17d5Tp
+DPICr6R+NRfl//9JcDdjQBfdnm5hVHJgIbLS4UTH8j390GDRo+O0/dzJq4KfM4Rb
+lUJ1ITqoVnuYQZG7QUJxJd330yedZLJwswZWz7N2TTmixqf9BC2TRd85AoGAN+Qh
+bLhKaMSvkACMq61ifXSHP7AlGNB3pYlsEVCh5WnVvEPow9pNTAUbKbmumE7sU8+N
+0WfYFQ0H5SP+74zcZTmQbfVDdvjhAw/mt64DJVg6JQKPi87bdJBYNz9mokVgYOiS
+fz/Ux71pwZ1e0QxvBOU66NBp31+/c6uVT1wbR3ECgYAdye1+UPpS9Dn89g6Ks0kv
+UaFKykXu7vY2uxiNqhmWzze4iq5wmIHmEwc6+rVMluXQPAME7Iya3mBmto9AHQ/n
+/ka+fGoaUgAojCLZW5DZcelIETw+Dk+95vyyAUsWfAvn4nKo4/rkBXcSHlvgElzq
+SorPiBWYosFB6jqUTXew2w==
+-----END PRIVATE KEY-----
diff --git a/cli/e2e/testdata/notary/root-ca.cert b/cli/e2e/testdata/notary/root-ca.cert
new file mode 100644
index 00000000..474c6934
--- /dev/null
+++ b/cli/e2e/testdata/notary/root-ca.cert
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFhjCCA26gAwIBAgIJAMruCvHIncnwMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEPMA0G
+A1UECgwGRG9ja2VyMRowGAYDVQQDDBFOb3RhcnkgVGVzdGluZyBDQTAeFw0xODAz
+MDcwOTQyMDFaFw0yODAzMDQwOTQyMDFaMF8xCzAJBgNVBAYTAlVTMQswCQYDVQQI
+DAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEPMA0GA1UECgwGRG9ja2VyMRow
+GAYDVQQDDBFOb3RhcnkgVGVzdGluZyBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
+ADCCAgoCggIBAL6okGWkuBefYLyybKhArkttwjznr0Wqew47JSpVzUzX6O+5gqwi
+knttFU3pAG3K4N00vVncYforxKRIfFnldUag+70ga3wBX7Cb+YcjbsrCueJqaAs/
+Fe32yeg5icGLD5ndKiJXjswUZdW1rjIV9wBomh/4TLn6m4e64Ggrb5G+660yRHgQ
+rlHBPFxMTB6nQptDsrZdyVMjcIiKXfacT/hz/ghSqQyYyFUyjz3dY8g1YEbyHK84
+zfxRGuSaSRnn5GnmvDG3Nw56vlrJFWwyFbIBfT4dVuEvXKDtPyDwh00S9eQ8htrq
+i00NjnmSf3ouM/RkXr/+ROBYKMp0jWcmgK7nPr3mi33O9z41pZ2gQEpGJHRzGke2
+StpvFOCxonB/aNQqx+GTZkYBl2kQgE7YEQJ5xt73nCZqIOYhU4rbz8XrGdsCYn/1
+7YYWRjYS5JkqKXSotJdsUQLw/9rYRHoJMjKaXe9d81oFpR4onGOqA74CwCeyKK26
+L1/ywSwgcdOZi8dkXxmGHFQiR7Fwd2ntKxRd7Vm2gloYlHj6lFFQdg8fo/DZYXZ1
+xjWAm/CCZQPs1qneVdRcF6YUt53xk65YN/GIV59zqqc7nCXPfiGLauwEW2lnfrQf
+WQrL6NtI71qL3vz0eCQp1NhYU4Ddo+gPCeVNzhtjkK5V538d+gTmhaZzAgMBAAGj
+RTBDMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgFGMB0GA1UdDgQW
+BBQyxRHvZYEh7fu2SrRRryxYOpwEDTANBgkqhkiG9w0BAQsFAAOCAgEAId82/czt
+JDGMjdY62c36fU1USWy28vL0w8sZsOmgC1iWEwCD5PqC77aVRoJ4T/zKdrLE+jrv
+2fdcePzbNhj0kzfbAQZ69c1Abyo+Z/EaVpzWj2qYFN9UQoN5+64xAFVjXVQSQBS6
+DXl2ggEyIc7IfnkCE7x0t5ClDtZUKpBuDIMzu5cLmf2/uhHiJsbtToRfqDRO9l6h
+3XZ3dSaEVeV6CozNWywaNXl6F8Ep8xrh8V/LL6sT/EGtxhuFx5qmSenZQTZJcIbt
+Qf0DsB1aTe2v10i9c3Ulc8H23ALYb93HqEXq+SeOkVHn+7MWMrfuYKd/OugfTqOz
+ByGkraIP5GvZbVANnrg8hW+5+4eiRgIiDXhQgFQKNmVKDOSYtHZpe6yMiMfAtlIV
+WDSfA899X/JkjdK/RK6W5eFIzV9jSbfUuaYmdwCHkR1v5bLAVLnMHT34sTnQi/3O
+Op1FuuZIzeH4LHfSm34XQa25w+p5JZkhYHr8diJfIaU5rcXieFMUkRGkazpHdbul
+EvDKlB/VbNTeAxFM/cF6ico7vtNcL04eZexQxDCm5MK008/abBj6e0NmFFs408uX
+ii5imQtK/8pumA2+84HhWkAiNRYxe/vqim1l6IDl1Ss5p8r2Y+3/8c0QTJrkbq6n
+Kq+PFV31ZYMnY6ZeGY8LdIJ/L7/2xndikJE=
+-----END CERTIFICATE-----
diff --git a/cli/e2e/trust/main_test.go b/cli/e2e/trust/main_test.go
new file mode 100644
index 00000000..5881adcd
--- /dev/null
+++ b/cli/e2e/trust/main_test.go
@@ -0,0 +1,17 @@
+package trust
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/cli/internal/test/environment"
+)
+
+func TestMain(m *testing.M) {
+	if err := environment.Setup(); err != nil {
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}
+	os.Exit(m.Run())
+}
diff --git a/cli/e2e/trust/revoke_test.go b/cli/e2e/trust/revoke_test.go
new file mode 100644
index 00000000..85b1cdc0
--- /dev/null
+++ b/cli/e2e/trust/revoke_test.go
@@ -0,0 +1,71 @@
+package trust
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"github.com/docker/cli/internal/test/environment"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+	"gotest.tools/icmd"
+	"gotest.tools/skip"
+)
+
+const (
+	revokeImage = "registry:5000/revoke:v1"
+	revokeRepo  = "registry:5000/revokerepo"
+)
+
+func TestRevokeImage(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	setupTrustedImagesForRevoke(t, dir)
+	result := icmd.RunCmd(
+		icmd.Command("docker", "trust", "revoke", revokeImage),
+		fixtures.WithPassphrase("root_password", "repo_password"),
+		fixtures.WithNotary, fixtures.WithConfig(dir.Path()))
+	result.Assert(t, icmd.Success)
+	assert.Check(t, is.Contains(result.Stdout(), "Successfully deleted signature for registry:5000/revoke:v1"))
+}
+
+func TestRevokeRepo(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	setupTrustedImagesForRevokeRepo(t, dir)
+	result := icmd.RunCmd(
+		icmd.Command("docker", "trust", "revoke", revokeRepo, "-y"),
+		fixtures.WithPassphrase("root_password", "repo_password"),
+		fixtures.WithNotary, fixtures.WithConfig(dir.Path()))
+	result.Assert(t, icmd.Success)
+	assert.Check(t, is.Contains(result.Stdout(), "Successfully deleted signature for registry:5000/revoke"))
+}
+
+func setupTrustedImagesForRevoke(t *testing.T, dir fs.Dir) {
+	icmd.RunCmd(icmd.Command("docker", "pull", fixtures.AlpineImage)).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, revokeImage).Assert(t, icmd.Success)
+	icmd.RunCmd(
+		icmd.Command("docker", "-D", "trust", "sign", revokeImage),
+		fixtures.WithPassphrase("root_password", "repo_password"),
+		fixtures.WithConfig(dir.Path()), fixtures.WithNotary).Assert(t, icmd.Success)
+}
+
+func setupTrustedImagesForRevokeRepo(t *testing.T, dir fs.Dir) {
+	icmd.RunCmd(icmd.Command("docker", "pull", fixtures.AlpineImage)).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, fmt.Sprintf("%s:v1", revokeRepo)).Assert(t, icmd.Success)
+	icmd.RunCmd(
+		icmd.Command("docker", "-D", "trust", "sign", fmt.Sprintf("%s:v1", revokeRepo)),
+		fixtures.WithPassphrase("root_password", "repo_password"),
+		fixtures.WithConfig(dir.Path()), fixtures.WithNotary).Assert(t, icmd.Success)
+	icmd.RunCmd(icmd.Command("docker", "pull", fixtures.BusyboxImage)).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.BusyboxImage, fmt.Sprintf("%s:v2", revokeRepo)).Assert(t, icmd.Success)
+	icmd.RunCmd(
+		icmd.Command("docker", "-D", "trust", "sign", fmt.Sprintf("%s:v2", revokeRepo)),
+		fixtures.WithPassphrase("root_password", "repo_password"),
+		fixtures.WithConfig(dir.Path()), fixtures.WithNotary).Assert(t, icmd.Success)
+}
diff --git a/cli/e2e/trust/sign_test.go b/cli/e2e/trust/sign_test.go
new file mode 100644
index 00000000..ffa320e9
--- /dev/null
+++ b/cli/e2e/trust/sign_test.go
@@ -0,0 +1,62 @@
+package trust
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/docker/cli/e2e/internal/fixtures"
+	"github.com/docker/cli/internal/test/environment"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+	"gotest.tools/icmd"
+	"gotest.tools/skip"
+)
+
+const (
+	localImage = "registry:5000/signlocal:v1"
+	signImage  = "registry:5000/sign:v1"
+)
+
+func TestSignLocalImage(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	icmd.RunCmd(icmd.Command("docker", "pull", fixtures.AlpineImage)).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, signImage).Assert(t, icmd.Success)
+	result := icmd.RunCmd(
+		icmd.Command("docker", "trust", "sign", signImage),
+		fixtures.WithPassphrase("root_password", "repo_password"),
+		fixtures.WithConfig(dir.Path()), fixtures.WithNotary)
+	result.Assert(t, icmd.Success)
+	assert.Check(t, is.Contains(result.Stdout(), fmt.Sprintf("v1: digest: sha256:%s", fixtures.AlpineSha)))
+
+}
+
+func TestSignWithLocalFlag(t *testing.T) {
+	skip.If(t, environment.RemoteDaemon())
+
+	dir := fixtures.SetupConfigFile(t)
+	defer dir.Remove()
+	setupTrustedImageForOverwrite(t, dir)
+	result := icmd.RunCmd(
+		icmd.Command("docker", "trust", "sign", "--local", localImage),
+		fixtures.WithPassphrase("root_password", "repo_password"),
+		fixtures.WithConfig(dir.Path()), fixtures.WithNotary)
+	result.Assert(t, icmd.Success)
+	assert.Check(t, is.Contains(result.Stdout(), fmt.Sprintf("v1: digest: sha256:%s", fixtures.BusyboxSha)))
+}
+
+func setupTrustedImageForOverwrite(t *testing.T, dir fs.Dir) {
+	icmd.RunCmd(icmd.Command("docker", "pull", fixtures.AlpineImage)).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.AlpineImage, localImage).Assert(t, icmd.Success)
+	result := icmd.RunCmd(
+		icmd.Command("docker", "-D", "trust", "sign", localImage),
+		fixtures.WithPassphrase("root_password", "repo_password"),
+		fixtures.WithConfig(dir.Path()), fixtures.WithNotary)
+	result.Assert(t, icmd.Success)
+	assert.Check(t, is.Contains(result.Stdout(), fmt.Sprintf("v1: digest: sha256:%s", fixtures.AlpineSha)))
+	icmd.RunCmd(icmd.Command("docker", "pull", fixtures.BusyboxImage)).Assert(t, icmd.Success)
+	icmd.RunCommand("docker", "tag", fixtures.BusyboxImage, localImage).Assert(t, icmd.Success)
+}
diff --git a/cli/experimental/README.md b/cli/experimental/README.md
new file mode 100644
index 00000000..63e676e3
--- /dev/null
+++ b/cli/experimental/README.md
@@ -0,0 +1,53 @@
+# Docker Experimental Features
+
+This page contains a list of features in the Docker engine which are
+experimental. Experimental features are **not** ready for production. They are
+provided for test and evaluation in your sandbox environments.
+
+The information below describes each feature and the GitHub pull requests and
+issues associated with it. If necessary, links are provided to additional
+documentation on an issue.  As an active Docker user and community member,
+please feel free to provide any feedback on these features you wish.
+
+## Use Docker experimental
+
+Experimental features are now included in the standard Docker binaries as of
+version 1.13.0.
+To enable experimental features, start the Docker daemon with the
+`--experimental` flag or enable the daemon flag in the
+`/etc/docker/daemon.json` configuration file:
+
+```json
+{
+    "experimental": true
+}
+```
+
+You can check to see if experimental features are enabled on a running daemon
+using the following command:
+
+```bash
+$ docker version -f '{{.Server.Experimental}}'
+true
+```
+
+## Current experimental features
+
+Docker service logs command to view logs for a Docker service. This is needed in Swarm mode.
+Option to squash image layers to the base image after successful builds.
+Checkpoint and restore support for Containers.
+Metrics (Prometheus) output for basic container, image, and daemon operations.
+
+ * The top-level [docker deploy](../docs/reference/commandline/deploy.md) command. The
+   `docker stack deploy` command is **not** experimental.
+ * [External graphdriver plugins](../docs/extend/plugins_graphdriver.md)
+ * [Ipvlan Network Drivers](vlan-networks.md)
+ * [Distributed Application Bundles](docker-stacks-and-bundles.md)
+ * [Checkpoint & Restore](checkpoint-restore.md)
+ * [Docker build with --squash argument](../docs/reference/commandline/build.md#squash-an-images-layers---squash-experimental-only)
+
+## How to comment on an experimental feature
+
+Each feature's documentation includes a list of proposal pull requests or PRs associated with the feature. If you want to comment on or suggest a change to a feature, please add it to the existing feature PR.
+
+Issues or problems with a feature? Inquire for help on the `#docker` IRC channel or on the [Docker Google group](https://groups.google.com/forum/#!forum/docker-user).
diff --git a/cli/experimental/checkpoint-restore.md b/cli/experimental/checkpoint-restore.md
new file mode 100644
index 00000000..7e609b60
--- /dev/null
+++ b/cli/experimental/checkpoint-restore.md
@@ -0,0 +1,88 @@
+# Docker Checkpoint & Restore
+
+Checkpoint & Restore is a new feature that allows you to freeze a running
+container by checkpointing it, which turns its state into a collection of files
+on disk. Later, the container can be restored from the point it was frozen.
+
+This is accomplished using a tool called [CRIU](http://criu.org), which is an
+external dependency of this feature. A good overview of the history of
+checkpoint and restore in Docker is available in this
+[Kubernetes blog post](http://blog.kubernetes.io/2015/07/how-did-quake-demo-from-dockercon-work.html).
+
+## Installing CRIU
+
+If you use a Debian system, you can add the CRIU PPA and install with apt-get
+[from the criu launchpad](https://launchpad.net/~criu/+archive/ubuntu/ppa).
+
+Alternatively, you can [build CRIU from source](http://criu.org/Installation).
+
+You need at least version 2.0 of CRIU to run checkpoint/restore in Docker.
+
+## Use cases for checkpoint & restore
+
+This feature is currently focused on single-host use cases for checkpoint and
+restore. Here are a few:
+
+- Restarting the host machine without stopping/starting containers
+- Speeding up the start time of slow start applications
+- "Rewinding" processes to an earlier point in time
+- "Forensic debugging" of running processes
+
+Another primary use case of checkpoint & restore outside of Docker is the live
+migration of a server from one machine to another. This is possible with the
+current implementation, but not currently a priority (and so the workflow is
+not optimized for the task).
+
+## Using checkpoint & restore
+
+A new top level command `docker checkpoint` is introduced, with three subcommands:
+- `create` (creates a new checkpoint)
+- `ls` (lists existing checkpoints)
+- `rm` (deletes an existing checkpoint)
+
+Additionally, a `--checkpoint` flag is added to the container start command.
+
+The options for checkpoint create:
+
+    Usage:  docker checkpoint create [OPTIONS] CONTAINER CHECKPOINT
+
+    Create a checkpoint from a running container
+
+      --leave-running=false    Leave the container running after checkpoint
+      --checkpoint-dir         Use a custom checkpoint storage directory
+
+And to restore a container:
+
+    Usage:  docker start --checkpoint CHECKPOINT_ID [OTHER OPTIONS] CONTAINER
+
+
+A simple example of using checkpoint & restore on a container:
+
+    $ docker run --security-opt=seccomp:unconfined --name cr -d busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
+    > abc0123
+
+    $ docker checkpoint create cr checkpoint1
+
+    # <later>
+    $ docker start --checkpoint checkpoint1 cr
+    > abc0123
+
+This process just logs an incrementing counter to stdout. If you `docker logs`
+in between running/checkpoint/restoring you should see that the counter
+increases while the process is running, stops while it's checkpointed, and
+resumes from the point it left off once you restore.
+
+## Current limitation
+
+seccomp is only supported by CRIU in very up to date kernels.
+
+External terminal (i.e. `docker run -t ..`) is not supported at the moment.
+If you try to create a checkpoint for a container with an external terminal, 
+it would fail:
+
+    $ docker checkpoint create cr checkpoint1
+    Error response from daemon: Cannot checkpoint container c1: rpc error: code = 2 desc = exit status 1: "criu failed: type NOTIFY errno 0\nlog file: /var/lib/docker/containers/eb62ebdbf237ce1a8736d2ae3c7d88601fc0a50235b0ba767b559a1f3c5a600b/checkpoints/checkpoint1/criu.work/dump.log\n"
+    
+    $ cat /var/lib/docker/containers/eb62ebdbf237ce1a8736d2ae3c7d88601fc0a50235b0ba767b559a1f3c5a600b/checkpoints/checkpoint1/criu.work/dump.log
+    Error (mount.c:740): mnt: 126:./dev/console doesn't have a proper root mount
+
diff --git a/cli/experimental/docker-stacks-and-bundles.md b/cli/experimental/docker-stacks-and-bundles.md
new file mode 100644
index 00000000..1271af67
--- /dev/null
+++ b/cli/experimental/docker-stacks-and-bundles.md
@@ -0,0 +1,202 @@
+# Docker Stacks and Distributed Application Bundles
+
+## Overview
+
+Docker Stacks and Distributed Application Bundles are experimental features
+introduced in Docker 1.12 and Docker Compose 1.8, alongside the concept of
+swarm mode, and Nodes and Services in the Engine API.
+
+A Dockerfile can be built into an image, and containers can be created from
+that image. Similarly, a docker-compose.yml can be built into a **distributed
+application bundle**, and **stacks** can be created from that bundle. In that
+sense, the bundle is a multi-services distributable image format.
+
+As of Docker 1.12 and Compose 1.8, the features are experimental. Neither
+Docker Engine nor the Docker Registry supports distribution of bundles.
+
+## Producing a bundle
+
+The easiest way to produce a bundle is to generate it using `docker-compose`
+from an existing `docker-compose.yml`. Of course, that's just *one* possible way
+to proceed, in the same way that `docker build` isn't the only way to produce a
+Docker image.
+
+From `docker-compose`:
+
+```bash
+$ docker-compose bundle
+WARNING: Unsupported key 'network_mode' in services.nsqd - ignoring
+WARNING: Unsupported key 'links' in services.nsqd - ignoring
+WARNING: Unsupported key 'volumes' in services.nsqd - ignoring
+[...]
+Wrote bundle to vossibility-stack.dab
+```
+
+## Creating a stack from a bundle
+
+A stack is created using the `docker deploy` command:
+
+```bash
+$ docker deploy --help
+Usage:  docker deploy [OPTIONS] STACK
+
+Deploy a new stack or update an existing stack
+
+Aliases:
+  deploy, up
+
+Options:
+      --bundle-file string    Path to a Distributed Application Bundle file
+  -c, --compose-file string   Path to a Compose file
+      --help                  Print usage
+      --with-registry-auth    Send registry authentication details to Swarm agents
+
+```
+
+Let's deploy the stack created before:
+
+```bash
+$ docker deploy --bundle-file vossibility-stack.dab vossibility-stack
+Loading bundle from vossibility-stack.dab
+Creating service vossibility-stack_elasticsearch
+Creating service vossibility-stack_kibana
+Creating service vossibility-stack_logstash
+Creating service vossibility-stack_lookupd
+Creating service vossibility-stack_nsqd
+Creating service vossibility-stack_vossibility-collector
+```
+
+We can verify that services were correctly created:
+
+```bash
+$ docker service ls
+ID            NAME                                     MODE         REPLICAS    IMAGE
+29bv0vnlm903  vossibility-stack_lookupd                replicated   1/1         nsqio/nsq@sha256:eeba05599f31eba418e96e71e0984c3dc96963ceb66924dd37a47bf7ce18a662
+4awt47624qwh  vossibility-stack_nsqd                   replicated   1/1         nsqio/nsq@sha256:eeba05599f31eba418e96e71e0984c3dc96963ceb66924dd37a47bf7ce18a662
+4tjx9biia6fs  vossibility-stack_elasticsearch          replicated   1/1         elasticsearch@sha256:12ac7c6af55d001f71800b83ba91a04f716e58d82e748fa6e5a7359eed2301aa
+7563uuzr9eys  vossibility-stack_kibana                 replicated   1/1         kibana@sha256:6995a2d25709a62694a937b8a529ff36da92ebee74bafd7bf00e6caf6db2eb03
+9gc5m4met4he  vossibility-stack_logstash               replicated   1/1         logstash@sha256:2dc8bddd1bb4a5a34e8ebaf73749f6413c101b2edef6617f2f7713926d2141fe
+axqh55ipl40h  vossibility-stack_vossibility-collector  replicated   1/1         icecrime/vossibility-collector@sha256:f03f2977203ba6253988c18d04061c5ec7aab46bca9dfd89a9a1fa4500989fba
+```
+
+## Managing stacks
+
+Stacks are managed using the `docker stack` command:
+
+```bash
+# docker stack --help
+
+Usage:  docker stack COMMAND
+
+Manage Docker stacks
+
+Options:
+      --help   Print usage
+
+Commands:
+  deploy      Deploy a new stack or update an existing stack
+  ls          List stacks
+  ps          List the tasks in the stack
+  rm          Remove the stack
+  services    List the services in the stack
+
+Run 'docker stack COMMAND --help' for more information on a command.
+```
+
+## Bundle file format
+
+Distributed application bundles are described in a JSON format. When bundles
+are persisted as files, the file extension is `.dab` (Docker 1.12RC2 tools use
+`.dsb` for the file extension—this will be updated in the next release client).
+
+A bundle has two top-level fields: `version` and `services`. The version used
+by Docker 1.12 and later tools is `0.1`.
+
+`services` in the bundle are the services that comprise the app. They
+correspond to the new `Service` object introduced in the 1.12 Docker Engine API.
+
+A service has the following fields:
+
+<dl>
+    <dt>
+        Image (required) <code>string</code>
+    </dt>
+    <dd>
+        The image that the service will run. Docker images should be referenced
+        with full content hash to fully specify the deployment artifact for the
+        service. Example:
+        <code>postgres@sha256:f76245b04ddbcebab5bb6c28e76947f49222c99fec4aadb0bb
+        1c24821a 9e83ef</code>
+    </dd>
+    <dt>
+        Command <code>[]string</code>
+    </dt>
+    <dd>
+        Command to run in service containers.
+    </dd>
+    <dt>
+        Args <code>[]string</code>
+    </dt>
+    <dd>
+        Arguments passed to the service containers.
+    </dd>
+    <dt>
+        Env <code>[]string</code>
+    </dt>
+    <dd>
+        Environment variables.
+    </dd>
+    <dt>
+        Labels <code>map[string]string</code>
+    </dt>
+    <dd>
+        Labels used for setting meta data on services.
+    </dd>
+    <dt>
+        Ports <code>[]Port</code>
+    </dt>
+    <dd>
+        Service ports (composed of <code>Port</code> (<code>int</code>) and
+        <code>Protocol</code> (<code>string</code>). A service description can
+        only specify the container port to be exposed. These ports can be
+        mapped on runtime hosts at the operator's discretion.
+    </dd>
+    <dt>
+        WorkingDir <code>string</code>
+    </dt>
+    <dd>
+        Working directory inside the service containers.
+    </dd>
+    <dt>
+        User <code>string</code>
+    </dt>
+    <dd>
+        Username or UID (format: <code>&lt;name|uid&gt;[:&lt;group|gid&gt;]</code>).
+    </dd>
+    <dt>
+        Networks <code>[]string</code>
+    </dt>
+    <dd>
+        Networks that the service containers should be connected to. An entity
+        deploying a bundle should create networks as needed.
+    </dd>
+</dl>
+
+The following is an example of bundlefile with two services:
+
+```json
+{
+	"Version": "0.1",
+	"Services": {
+		"redis": {
+			"Image": "redis@sha256:4b24131101fa0117bcaa18ac37055fffd9176aa1a240392bb8ea85e0be50f2ce",
+			"Networks": ["default"]
+		},
+		"web": {
+			"Image": "dockercloud/hello-world@sha256:fe79a2cfbd17eefc344fb8419420808df95a1e22d93b7f621a7399fd1e9dca1d",
+			"Networks": ["default"],
+			"User": "web"
+		}
+	}
+}
+```
diff --git a/cli/experimental/images/ipvlan-l3.gliffy b/cli/experimental/images/ipvlan-l3.gliffy
new file mode 100644
index 00000000..bf0512af
--- /dev/null
+++ b/cli/experimental/images/ipvlan-l3.gliffy
@@ -0,0 +1 @@
+{"contentType":"application/gliffy+json","version":"1.3","stage":{"background":"#FFFFFF","width":447,"height":422,"nodeIndex":326,"autoFit":true,"exportBorder":false,"gridOn":true,"snapToGrid":false,"drawingGuidesOn":false,"pageBreaksOn":false,"printGridOn":false,"printPaper":"LETTER","printShrinkToFit":false,"printPortrait":true,"maxWidth":5000,"maxHeight":5000,"themeData":{"uid":"com.gliffy.theme.beach_day","name":"Beach Day","shape":{"primary":{"strokeWidth":2,"strokeColor":"#00A4DA","fillColor":"#AEE4F4","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#004257"}},"secondary":{"strokeWidth":2,"strokeColor":"#CDB25E","fillColor":"#EACF81","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#332D1A"}},"tertiary":{"strokeWidth":2,"strokeColor":"#FFBE00","fillColor":"#FFF1CB","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#000000"}},"highlight":{"strokeWidth":2,"strokeColor":"#00A4DA","fillColor":"#00A4DA","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#ffffff"}}},"line":{"strokeWidth":2,"strokeColor":"#00A4DA","fillColor":"none","arrowType":2,"interpolationType":"quadratic","cornerRadius":0,"text":{"color":"#002248"}},"text":{"color":"#002248"},"stage":{"color":"#FFFFFF"}},"viewportType":"default","fitBB":{"min":{"x":9,"y":10.461511948529278},"max":{"x":447,"y":421.5}},"printModel":{"pageSize":"a4","portrait":false,"fitToOnePage":false,"displayPageBreaks":false},"objects":[{"x":12.0,"y":200.0,"rotation":0.0,"id":276,"width":434.00000000000006,"height":197.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":10,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":2.0,"strokeColor":"#434343","fillColor":"#c5e4fc","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":0.93,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":275.0,"y":8.93295288085936,"rotation":0.0,"id":269,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":14,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":272,"py":0.5,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":290,"py":1.0,"px":0.7071067811865476}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[82.0,295.5670471191406],[-4.628896294384617,211.06704711914062]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":285.0,"y":18.93295288085936,"rotation":0.0,"id":268,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":15,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":316,"py":0.5,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":290,"py":0.9999999999999996,"px":0.29289321881345254}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-204.0,285.5670471191406],[-100.37110370561533,201.06704711914062]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":8.0,"y":203.5,"rotation":0.0,"id":267,"width":116.0,"height":16.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":16,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:14px;font-family:Arial;\">Docker Host</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":10.0,"y":28.93295288085936,"rotation":0.0,"id":278,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":17,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":290,"py":0.5,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":246,"py":0.5,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[217.5,167.06704711914062],[219.11774189711457,53.02855906766992]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":57.51435447730654,"y":10.461511948529278,"rotation":0.0,"id":246,"width":343.20677483961606,"height":143.0,"uid":"com.gliffy.shape.cisco.cisco_v1.storage.cloud","order":18,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.cisco.cisco_v1.storage.cloud","strokeWidth":2.0,"strokeColor":"#333333","fillColor":"#434343","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":106.0,"y":55.19999694824217,"rotation":0.0,"id":262,"width":262.0,"height":75.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":22,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:13px;\">Unless notified about the container networks, the physical network does not have a route to their subnets</span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;font-weight:bold;\">Who has 10.16.20.0/24?</span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;font-weight:bold;\">Who has 10.1.20.0/24?</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":7.0,"y":403.5,"rotation":0.0,"id":282,"width":442.0,"height":18.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":23,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:16px;font-style:italic;\">Containers can be on different subnets and reach each other</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":106.0,"y":252.5,"rotation":0.0,"id":288,"width":238.0,"height":22.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":24,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:20px;font-weight:bold;\">&nbsp;Ipvlan&nbsp;</span><span style=\"font-size:20px;font-weight:bold;\">L3 Mode</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":124.0,"y":172.0,"rotation":0.0,"id":290,"width":207.0,"height":48.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":25,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#cccccc","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":1.0,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[{"x":3.568965517241383,"y":0.0,"rotation":0.0,"id":291,"width":199.86206896551747,"height":42.0,"uid":null,"order":27,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-weight:bold;\">Eth0</span></p><p style=\"text-align:center;\"><span style=\"font-weight:bold;\">192.168.50.10/24</span></p><p style=\"text-align:center;\"><span style=\"\">Parent interface acts as a <span style=\"font-weight:bold;\">Router</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":29.0,"y":358.1999969482422,"rotation":0.0,"id":304,"width":390.99999999999994,"height":32.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":29,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:14px;\">All containers can ping each other <span style=\"font-weight:bold;\">without</span> a router if </span></p><p style=\"text-align:center;\"><span style=\"font-size:14px;\">they share the <span style=\"font-weight:bold;\">same</span> parent interface (<span style=\"font-style:italic;\">example eth0)</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":24.0,"y":276.0,"rotation":0.0,"id":320,"width":134.0,"height":77.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":48,"lockAspectRatio":false,"lockShape":false,"children":[{"x":0.0,"y":0.0,"rotation":0.0,"id":316,"width":114.0,"height":57.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":44,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":0.97,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[{"x":2.279999999999999,"y":0.0,"rotation":0.0,"id":317,"width":109.44000000000001,"height":43.0,"uid":null,"order":47,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">Container(s)</span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">Eth0&nbsp;</span></span></p><p style=\"text-align:center;\"><span style=\"font-weight:bold;\">172.16.20.x/24</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":10.0,"y":10.0,"rotation":0.0,"id":318,"width":114.0,"height":57.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":42,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":0.97,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":20.0,"y":20.0,"rotation":0.0,"id":319,"width":114.0,"height":57.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":40,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":0.97,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":300.0,"y":276.0,"rotation":0.0,"id":321,"width":134.0,"height":77.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":49,"lockAspectRatio":false,"lockShape":false,"children":[{"x":0.0,"y":0.0,"rotation":0.0,"id":272,"width":114.0,"height":57.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":35,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":0.97,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[{"x":2.279999999999999,"y":0.0,"rotation":0.0,"id":273,"width":109.44000000000001,"height":44.0,"uid":null,"order":38,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">Container(s)</span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">Eth0 <span style=\"font-weight:bold;\">10.1.20.x/24</span></span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":10.0,"y":10.0,"rotation":0.0,"id":310,"width":114.0,"height":57.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":33,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":0.97,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":20.0,"y":20.0,"rotation":0.0,"id":312,"width":114.0,"height":57.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":31,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":0.97,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":368.0,"y":85.93295288085938,"rotation":0.0,"id":322,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":50,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#434343","fillColor":"none","dashStyle":"4.0,4.0","startArrow":2,"endArrow":2,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-191.0,222.06704711914062],[-80.9272967534639,222.06704711914062]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":167.0,"y":25.499999999999986,"rotation":0.0,"id":323,"width":135.0,"height":32.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":51,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:14px;font-weight:bold;font-family:Arial;\">Physical Network</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"layers":[{"guid":"9wom3rMkTrb3","order":0,"name":"Layer 0","active":true,"locked":false,"visible":true,"nodeIndex":53}],"shapeStyles":{},"lineStyles":{"global":{"fill":"none","stroke":"#434343","strokeWidth":2,"dashStyle":"4.0,4.0","startArrow":2,"endArrow":2,"orthoMode":2}},"textStyles":{"global":{"face":"Arial","size":"13px","color":"#000000"}}},"metadata":{"title":"untitled","revision":0,"exportBorder":false,"loadPosition":"default","libraries":["com.gliffy.libraries.basic.basic_v1.default","com.gliffy.libraries.flowchart.flowchart_v1.default","com.gliffy.libraries.swimlanes.swimlanes_v1.default","com.gliffy.libraries.images","com.gliffy.libraries.network.network_v4.home","com.gliffy.libraries.network.network_v4.business","com.gliffy.libraries.network.network_v4.rack","com.gliffy.libraries.network.network_v3.home","com.gliffy.libraries.network.network_v3.business","com.gliffy.libraries.network.network_v3.rack"],"lastSerialized":1458117032939,"analyticsProduct":"Confluence"},"embeddedResources":{"index":0,"resources":[]}}
\ No newline at end of file
diff --git a/cli/experimental/images/ipvlan-l3.png b/cli/experimental/images/ipvlan-l3.png
new file mode 100644
index 0000000000000000000000000000000000000000..3227a83ca1541ec68e06b0aa105e22fdf5ae9e6f
GIT binary patch
literal 18260
zcmaI6Wl$YmumyT>5AG1$-Q67ydXV7m8r<F89fE6chd^+5cXto&JidG1eLr8-Oil0J
zyL<KO-qSTTGZ9J(Qb_Q4@Bjb+Nk&>+1pok>`#RfTA-*)bij0K-0C<NIP*vjd^E0-f
zUa{)_OFwe(CRcecDj_Xbb|qJNCj<c8&80JaO#p;GA157KPNwcZhxcCq0EW@6aa{nQ
zXY&pKQ0O^$E9sdkSbytWx)?dQkx!oTl>)TQ9yW|^N><!|ejK<4CWMXLBu-qFM(fIz
zo%EKt0sue)Qi`^NHz`HU?mwvj+T_pYRRBPn3;>XfP5?S3O{d6!$!B8y2koK&0EoKg
z14FAa8wP53UX5(L=%bDVL&q0#^aP6T-8%nWjl|N@0|HYEm_x>-zYG8X+2Wz0n@<Hz
zLnhyDfS4D6!6<3&E9@`;z^o)p-Y&Ckc&yPNe-Yhy(1;$8Gk516m7^ci3P$S;5KSCC
zI0A5`_!f7iO9P(Pet&+xj?Vm@94HR$KC$r%?ddL+iyx@X{<+i~8xd%q^k+jTaZ)aK
zvn)`gSQqfOIy|UmacFIXik=w-2V?8vA?0@)m`<@sK&XbX&B0jy`$1EL5m&Aodkh1>
zzI=J7-uZdIPqutrz|x1Ai?3;VhTlje(*-0XDKBVe#9*5bMa}EV0b?Ns0MG@0Ui2`_
zyA_7pwKNt+WmVFd);j7*KV7ZM<o+Q8#nNc|#25f5yp~#=09+Z@sR=$>KpvgIJVpRB
zk%B`-b-EM-07kw-z$Bs2hOsF>sATd?h@Xx{3=r`1M{l@jXOa<zuoU2XG=qYHlRQ&R
zZ$Fqx?ZHBSNlqldt_c7j2XH76uqg{DD#$X)b$BpyGTLc-2kT3k0z!wtN#%w3h34nx
zy1Tm*lag#~tzTbWgM)*!bFy{y^h!!fPEXIq$Hx!$cE!ZR9v<%1)zp2web%<Onwy(z
z8|qx#oWv!i`$xwjqob~_E|rv&s;a7_Wn@iFP5<58ynTMIt}Fu;ls-T2?ms?9HkKv_
zdd@#TH(ozsvp;zN0C80raS>H_z4MhL$3kWlz_!oll8RW<v_zB7J<BE9P_%6#KGjid
zmp&pyA8UtJFk~EkWC8X694XeoQ1(F&Djql)tyz&qpED?iIdT-n4$>h!Q%ROqdsGnb
z(TIUiKA{RJOZ(q_NwQH7TH06B6ls}!%=IAY1^)X7pr@=O1Q$j*e|F|%#TA_w-Y;kC
z)_`zJ#`9NCCW{OdMugwWB?QLTkvyi0WxiQ_#T0~ZQXY15j6v3s1PYv2ei$9RP7duU
zqHT!9#~0bi?!lGe=?X6%oIH~_-Z`^`G@SyH#Q}0r7>^JBu!Keq-(wCBenOz|2O&fP
z%g(=xOm2N&(JGPhAZ&+bB(oa!l?)rZAHYn!%X6=Q?12*Z=-5I<(n;+L6OzT~%aEvO
z<a=+DL?V5)BxKJ9sVWA|kD*q>gv8_ogMJaz{p`T;w{DzN-7~1pVqIlvWlRHg>_wsK
z+@e+a#w-GRB!9D%P4X!uI$n1QEJo%7!P9sat=Yi+8?`ar93aXXi7MWN=hA*yn@Ikk
z4&`q8r987}hlINhTR;^mdxMx-+>@>TP$>)3LgwW~Dq;mQ#%#p8{3(LFu9AB9%YwlX
zX^Jt4C~j&qDj?O8cx?i0hwDmDi>9@%F0a|XWrlKxLu-fY0YY#dF;{(Xz#B^()XVp~
zA+#qOWF3Pblb9U2Xb05_fp~})<nWJo!}=m$ewxl*l#$3RE2%y}(SaY<nhxU8Udubv
zy?T2j`mNSgA`$-y9OQgW3{3m}$0^0+T0DFG+^wLIxfYhLAEtv!`I`L4%xVNxW=|ru
z%tg@^4nG9Lxxz1tAH;o~8@R0Q?zByO4E6^3KLjydDKxH^BTvNIcfO_4{~EMf>4vZ#
zE$5YiKsXBY*+b>07f3O)+SciM@ArFu`gqLyfO499UTM3S_#0RA)ci8kaC()t{CdH{
zUsheO{k`w`&G72YZ?(N1(zlZBufdwTu4o5M#we0nv6WmAo=8Wu(MTcf4Y?&QG)0oU
znn9uhM0uu(8;#a5mXez3LPqk*Z#>J&vJ<;CvtdznTbY7$yAnJkFbEtY;(+bo<^Jk(
zA>&D(D;*-QXyd%8x~=Fqj7_gcZx1elO`pe&sgB2$F=5#a<a1NbtxRZjbIG<wiX%GI
zgwvJ9_g^+S0~5?}<Q?5yAvC6}&#GqB3XK}veu6xZwQG9HCqKrzU7oklaTP2o?ZGNe
zq>F7~q%`{`%x&~7&!Hn|YE;!;Q?f*HvOpP-Tm=35u|Ah?>^r<otknH%e&;dG`u_R?
zS7o@K0wh)nnmJc?m<6u{Z}2VUJXLZQQtwnfD;ROPFhAP=;s3hBem}~M>xk9yuVL1k
zkP^ZRJesL>xg0b!OlMvo;<!@dHQm0&(dRSQ%EP)PD{i~MYcA#J*sg`j7OFF<KBM!g
zb}OowU4qz#bZ5-X1eGO9wLhkmvA?k-7xwl1Ac_{(7M5+RUD`Vome^yW&7-qBPV#Rj
z$*7)l*A+0r*K?AkxZ9nCV?iWiL13rc7vehi*qy!MGG{i{v+zco)7cQ3$EY)~<0<76
z1Y7fR-wz1-7vO0w=BIg(D!43Q5F$Io!hH_4X5fqyWO!F17dPs(pduU7r9u_lM(*%S
z1rN(()Di?70}+)BhKxA%DeOQ2j!G4W9g*h;gM~=NKM$PzS7b*{DjA67)~^?KxrLkN
z5tDr!2mqUdSltl1EG$Zreo(7zo*_L2xt2i5G3;_5xN!dcMn^gB^HSe9s4U=4fSY2U
zFG>5~)DutD19qHL%dXWPo&|3$Fk!83qR$Kc!-p}nmF?BkD*xxZZfVH1jrnX&-rzd4
zB9>wgQ1hSXV;Ch*6{l5Ws3&5^Z!QG)EfD;%2R=$vYzyZBIc4%=<%&9Uj*)QAJ~z^(
z<G-!}^9%+bqaoO?{FE;SVL^^oUiSEZNDxz%Pbot}JjkVuk&H>Fc<x8C2cgW6D@^op
z^oRlp-E(%;peLum@c0e1=^^-2n@3?%QewaR*C<$PFu&~fNNXc3=ce$s`cs(D*iY0i
z8)R^8iJj_Nc?3O=oP2}1`mz76co)zh5`H{auSPgO`uYgA91H)->F@R^!oic!@aLO^
zn?UzwRe>!I+wm%NXK&$s=!@y=yA~n?K4GTE9nLwYxBrB5XVLJwnD6h{Z+i<B7s0)#
zYB=x`jq==;8p2%PtngC}s3~t4UWj*+BT5?A-CH>xERd5+Q0=_af_Z{pPmwPMNNVo=
z^rA8x<0ts<5;8ZH)PoX%ne?R%?CbFx1>|Ft)?W5U-c9Y~dz5En8}m-QISYB@`4mY4
zW9t(O60{?YD}w}=snv7$F%1kM6P(L@8S?sxGEPWj|6uQpuv}y$PXwx<oY-j#TT*`p
z4wroIvf^#tRa^?wRulOIMYy!*p3FygOub*7os$}KT!RgbT_2#F@oQW4$H<9yb_rNV
z9^f7$JAecLUMsFIGP^D>izk|Yb$<Z1G*<W^%Nbqi21e21ye<1)*3HR!lI$+q{P!ot
zm20@$c~e;wJ-rKgs!D#5V`Uk4<}xAdEOGkwpp}=G{=lf2t!rkoEfTDsY)E(-7#t8X
zjU2dq`{Rf*HmYio#AEyZ`OP1KC1Y-JZkwOB02|Er7NSXn1YxEVIRLMh`PlaTy_eD7
z-mgYS+znR;AW(X7Z$W^Kg#&XG5q?RoHPd)_CUQa-jMWPs#YznoUywB$s(_bVf`Mji
zK*E<l!egPgWjb2V4T?^Z`}CH*+g+YemOVCev<hf{%nf)?pZk7>fH2j)Be<57<|=?)
z7=toefVrv94SujOJ#Sg}yqaIWaY&Y??*6k$VyYbK8$AKc3jb%HTNw$Jb39d2mjxM@
z=d=|(v4Gd_E2cLLyx|}PT6r4s!8}pN-omk<Gfk2wUr%+7D276}+0xsoV9mCbY);sv
z>Wg$xi>=)Dcr#<%ZPVn6f(SlFy~AHLY}=vShNZvs(>Pq`tkJX`n-95d-;rIln`$j|
z`F``ctP$Lp%wj`vVKk<J_t(zrrlC}yP_6Ih|H6=0ljbK}2+rQ0X(zAe?QC@{l*aDp
z5KL>AJffxJ%mR%E**F(o4QG1_%i2C!cB_M0?~vd%-A{K#TYrfuY6jxF_V7z1G^W^5
zTkPJ+SUdJ+k0#}#=jb4>-k?DVlkLplLG^rRCC{vgKNjI2DZP{(l3auvN}-9e*HX3E
zY|ZkKA5d6X?|Deh9z~GQ@vQf=zMECF6<l>tFx~Cf96uRL2Dyr0O3vRLGz;L)IUN?B
zsq%W<pC!LaC(m)w2#b3bSl;y&zF2aXGF8TBgB%m3@X_=>e9EPv;iZn;9Zw!hi<h>W
zLd0HaeQ0<FUe(RH-g+(w5cPgLPlq~1o+|ONuZ?B$-e=cGL1l_!i%ePWZDo5Pcpg;B
z<y<H!C{#^jxFb{)Gp!CI>6T&$dp7q5FmKY2{BO06lC!TZ_Ri!ge{a&lmz7vGuv+$C
zbi2UsYwN#=!F=TImu$daixwP`59?9biqDER2Aw-gPW8$CFsdmt!!B>PT5w#|C)r}_
z2;_M;_b&-|Y=^zpH(i*;wxxzVY?Or(o&kELz~rcAsz}r4i~dI~HKcqu<IGhzhIt$Y
zF%ky}hAmQ5OPQNsM?RC6lIue{6v0l_P+K}=fY22_6zcgV6vDxKGcTSd4Cu026kOJ(
zP5UG^F`g)LyC};lC({Yqp6Ok{tOx@mY*tY@@wm>_#{jl=wi@s6Il?Ufv3kf$F~w?T
zXS0y$z?7NWvchoB$7{tI#Ro0uTOhEjvHzIfn}xQ_e1hz7neMVY0$xKoF~@7A9Z6Uv
zjoS!uqN>pUm?DoL+82J7uGh=@Y{gT@)8l)~nTHM}BDEce8f#*F&?`G>1XN}0*gkzG
zYab%K;%OL+gr5|jq|5GB`|;AA>;DplY!-@Wne1udl)5|VjAOAF3mu&HBp4$r3eWWu
zGbk%;Co*CYpfqG1SCJ$%SuWA1I_p-mXg+p95oO_zl%Vn>hFagYp4ls4X0;sVKXL|A
z{9GC$LuGOv_`^xGS2dPKM`&)S#B4DZIY<uV`xYic!tdVcnIq*aL~y<^vSJRO#KU?<
z-1i;i@<gFwI9;#=7J~DAK{4k|1ViaJ=#9>EPdjfYgGbCPpwzemhxK>YV6e{jy>o1q
zL2V0HFsggj|2)H%xFm=oCa1Iz;*$uC=POKh$r;s;^A6XJ@FF^4mVHxM=l$Bm<w-)}
z;MLk#2+ygrfh<m_b1Z5EVcRgjuP!`0cK_)f$o!!&f3(hv7SVQPmt?Ne)(CHI&|j`v
z*biIe<uL}PYQo@hYKA4#DiNwGWZdW$B?<Y1+qEXCq=WTp500NJ4ymG^D~fAZk3!j^
zOfYZu0tJ3z$>B7biWn!)HR#8Sen(!Q7)C~Ladc&k82OJh<ypK6lo||%k$VwA$^QmN
ziNKR6WH#Pl$y+k(pg}Z0*tlSWV{d8FSU^`2)T|-IPg`HWg7AmQ5RV43IY5a5cG~cZ
zt^y^CrWv8hkNngBap+7ODkbZ31EVbLG%l0DW#;kA8Cbki9Z+vJ1AidOyg57mN2xl9
z(`!JEln$?<+fR<FIR0_l95b&^G$)&da_n~yB3+`(Hf<Si9s~=&O5zp-O`eRS)&4{_
z3+7%m@J|Y)?PZ#{I(z8fDTB<prd6EhpW}$YK@mrd0G#hMD@-s@>>_J?`mN<))e<ll
z2j7LQ-U*r!&_~2cUZv3`+8eb#O-L^s-mb`c#YJoQAmKCS&=OhPM}kEs35mw^`}8xr
zxhdgETW%)oGaPV-E}z0RbuW{CdYCyF4+v>YFWR$j6;7-lu|#i}e*ftl`m>F$2P~R$
zHbl2-&`;>f%_-Duu(o5oF#7o8cgir@y3)Tbnrqf)bYz%&RCY36ECGEAl%NaqW=Z(<
znTQ{!!A<XYN2J;XPLRWkCN9ShY`9|74kf$OHrxZ#>7)0jX3!%h`PeC$J1#=EG>{YX
zf7soO!SffH(yI~zflPj>oQCo@t-lf&W_Z92tQ&ZvF0L$8@B-K(#Ts_P^WjPyv0c~-
z^`vN@8u~lK9P`oGLASHezt;*GG*p)HXp+nMY<n~Jf7;N+C5za|tB3Iv%UA-BOb9ZO
zq>@%4K|HK%qF7io#l|7}S_i&*S7nhUsDyo3PDMlyrL`O?WgU7i!5kUL%_&l&#LbkI
zec7`)NhjISeE>!LAyZl@GiVcMQl9)C{q3fOo4?KQB5WK?^6s`oooI@N)<sGsmyK}N
z_4s|wH`2KMOC~PqAi@Re3aOtKoY|u^U)bndioG<T^P`}G_<Gre)>o8jP^LKL3hoE+
zf2>c?7s=!J#GA#Bh7D}hhj=I)B!AA^aDSP$wKz9iHAqj~_0J=vviS8#3ET+ThUMYT
zu+U#iGfvpVV2rZ+^kxq3EvtV|=*j&3jf|iG5|z7<n;l<)g}ubFgQMZ<8Q-MMPZvY$
zZBI4jk1=G4arD5V`gJhJz}|3b>@YE1rCg~eLD;>eYV0^CU4A3-FcXaU4u!CqR>5Hl
zd6qua$)>X~Mo4r8?m$#l&>lrw+J|9rK_+EaV|k5i+CJw&@{6QIb9UcoXT-@`LqPX=
z@2LgNU;N_jmXq4$R9!<jII)5I9nd%BITj)6g1_1}WhcW=qEMJs3>QMHq>S<kii(PY
z-%-sOnFO0cFzb_C%J%N5nv9E`-t9h);MQ+)&))FQk9kAh50C%-^NJ&n#z)m*tUol4
zOv)evKk|gB2*KW`QlQK0(eq<woDGR$EnbM6>?1x%Y5foxeE*GN+gB0nym~A+YzVc9
zU;Eua>iH+B215L3o(BG*_|J$>^?I<$Ih^ZSZyAk`Z(hG^$j>pG>YAN9X-AWrU2TtR
zy?oms@-**ya<3-)vVM0v^AHg&4w5HV!?=1k$Qyxe-u6<-NFj9hq`v|6kt#j{|E{9_
z5mekudG@#+N6?+Y0vt8yEfdyhoD&9CN=ba8bf<ljuZdiZO$)f4Yds6cwDGjIX{p%R
zR_8fh6ATM#RT_XF-@jZgUds`sCQLoY_-@(f)fY3AVm!g<zxv~I8jfT=)EmpC%YEzo
zW@>U>rH|CGFbFw$K|t&85e9*)7!M`NgD<&I4y=aaT$oI`wC|^b5mEAEkDqraetCI@
z-+g*2Xo<5lR;PBwMnSn1%pzOnWL-(ZL&Iw(wL0CAAk_YhgLL`<(V!oE+=6=Cq$Q8}
zEmZ3n?!2)Zfrt;EIlv{tLhb<7ooMUl(oJEccYX#@?z4vb9Fl(L`x=o-4NV0TQlv)f
z_fz9`q{Lo`NhyWhg{gMIl)3%f&fl6e49qG)NS)IJFh~T3otpcK(}T#uIuQPS51t-!
z3wF8b-KGC1rEQC79hVisWmDd*0kueu3I~dvL7>}j>@O;qcE^#3$%N4j3VJzuZ$n;s
z%ZjphD|29+=ZGDyJL3a?L$ek3D}8+cDS|6VooLE%{DIgSYfX3A?K=ZFltvHJTz~oD
zG`L-6cY|6tTYckE3K)(x;F%tbyne&%i3pus>yR1YWX^;>1bc-AB_ESPd00(M2c#!h
zQ?E1L?8xmUSjDM5IPe2HM<726F*gMwG8Cpx(*808RW#Hdz0fRYWP<)+7;AL_d=b@d
zR>CkiFt3y5YSHER+rM5oUi+zEBt$$EFf_3^V&p5e{{1kZ^1)paM(iYxRPCknIPGuq
zMVh#Ym|YQu<8SVpX-77=!cuiq7Q&L(v~EhF{tGM%Au_474&ZX`qAZqOO%j#<g}wJf
zl-ITmnmd1>sI#6crI0s6gy-PogU(m^H|vAak_JK;TY^q>7aM_&(BRmQCRV)If8U`d
z(#A2~)7(WLxgH8sWhf&*$6UF%8e1J?M4emU)3>jx+4)9mDI(yRdj8!bzoeR^@}&&W
z8{XG7N90j6?hg{g$l=u2#ZJW6C8)4)hT4P<7vM62l55*lO4Xwf+gJql&_Zow2(yrW
zWXZ@x%QKs>ISd}n{-$<?o21gW_=k<@XzV#ifw+>$%X!<om6(W=WiV{E&3lk^*m|1;
zoY*I9V{sabSWnOW2`9$6NW*4g1E+#!j1DcziAucBa*1sgzczxcab$iQwNBt_X4e*v
zKgY&sI6TN}N{Ne4lTn8Yz0&)L_*5Zcs0Y&0`nHeW_WY9m^(1EpoN5gQBREUOW#ue3
z88pK%L5RI&hi(|2;2ZfJ3w0B=PVoKza|amWZHkJHNgiL04z$VlG9$==W7yiZb|KLp
zp4c%wOvP_wkpfZJ!q?N}7z~F-#~c%|aRw1<8=Qvn2o(zP=H4*wOc?0JXBqovXxr_V
zaN{+6WvU1raV5TvhPM<aOGMbrB^G4G*(Nxk+4+|reML3C8zLdg;4l@vt=N&B)^J#o
zH`Hc$Ing<`0HpBQKe=(hIVuK*BdEg3cJ|sXZWF}f0Eh-N&Z|wd=dFT2iAz+-q;#Kj
z!ldC!&;uWY0mGi{(@W~|Q)s+eCFqJ|c-bGncuQF0mD0BTt1YBwJ7`Acy<_l8lyGm*
zKnGg?ni|y$;R9ATZVDRuH6<0vZXictn}2cJ9@X8*D;OK>Jktd{Zh)2hlLlbZgOH?E
zBTgBxF*YAQ6uK;4Z)c8hb-)H%|2@<g@}AXUsH-`@9oC-#Ei`>s$Bde$U`^#=GHBGz
zCI0QztR>93kKu{T-Xq#iY*_%N3aL7i5p0W`x3?zBe7W@e>AZ0m@{ftO<%^T3<3sxZ
zH}`TDzmjQywsB6-R0+MQf~477*(IqvA@DkQ4<VsP7f$SH9K%9$(A{Q-?Tt+|3yP)^
z^JvyG6<RH^FVy<-MxJ<KIr@*WE#A0Vs;bDC6@`atWZjSJoO~0Kc;rpU*~*S`JbL$4
zJoYd$a{VLMfgDveq+H8=+izD1?3;-0;H^#0{Z9P}vQ$rya0`Jo@VTKa^j6o&EQvOP
z_mAYMT&-H8yg}OO>)|zsR|RG4lCU62or*MyO^jX->0X$1T2hUkIC#y*XSfYWY%=xE
zjuW;-ifb}QEQVGzFmGhmF`TVaiKE%G)T&KHVj%ohxT-9Bt0&u^O3Ej*luP(^yms7S
zOlW>GUo&d)6`7&g(NG7lSN;LQ>-1?J9heLiODulF<0$vH2Ko!`w9$nZ4=$#<x#T0m
zCs@Us5wit?A_n7jSJ}~O4C^t5e6&{Dn;({p(0`<Z%&ma$Vj?o>O|e<vHMCtLSVYB0
z>AS^G53K{9f1SzpXVlAG{i-8;oMhzcstd1R;i$4q{(g5JYjl;B-E>j5?8o_3$B@{1
z9Ghdc!YH9HjFl@-p35w5K-!5-2onQ;j8y_zS@m$uJA?m??<0ZPQkp~gBl^A5TDG?j
z>`m11Dl_rq8sJN^*ik~>_F590nK<58GJl8t6r#GxLD3K<Uw-0uT_}Cn8iBuFMaj8t
zdL2owtnYX)^y+#&D~Tcr_UAeeg)>dbgo!5<6A>rU08s!-5mi+rT-1Lfs+3qYIZz-)
zcm|_FsVog%T{Z9rP?%EyZ;qYAx9mh~XwX8t`)^^#NczBLsoWkv+A@FW)r~QmOz4k0
zqM-`k>IFKf*~FtfJ;Ql0!<3hRd7HzRMp?qd)03t<XGi72SeXk^&sCm^G-;)h8DL_s
z;>DRo<+@63DwPP$yWrD}@S$~xxJ1zN+vzE@*%OxZUWp`mZKMoZiq^yniF^$sROaAF
ztYBOQ5|TB~pOHCO$@^%13XwMcMp>b&PRk%T_JK;tLaJX7o0i>|ywKDkMc*;ZM<*H1
zmVBrLEaRm?0N;gc37I}}%kW6f;#;<{_DAj0I_bHHJ0#=&$2mVEPn#^?q!Q9ckfgX9
zP%3_Ur~@ifD|Mi#To~j{kJSLz*YfnV$c}jA#Ds2TB?CfxduQiO?diuVsJbd6F_5O{
zDVbIEmL2cxqCxdAp_T89V^8_gWXgj6X;(j%%sQVdXDd?&rdbwHK!s?wP{P+3vB=1w
zo)2c)9&56^${ZZAUh?YU;Mm5&lAI)zv+MfCz%>VL5WGl><^OgrzsQX45!U>7m4B^U
zr;mCfa+_~EI%T@<@@IN{`6B!zT%%-mJ{<6qlSt|Q=U-kmpvrVjv-N5ZKy8YhoSH4$
zZZo+v&13fqqkV06z#%gZXRMnIWcgy^!92-1k!~z2Zm6HOT1^AhO~CP;WQ~^xiB9<S
zQO}K#=_Z3`mrTWMg%8yB3$KfNO~erMTi{F_SW5}U1KpWf6Hzxb87UH-*O{~<$W6EM
zDUZC2!)Vpl-GWv=2j5mEL!`w@pU>4Ur#J9jM?w@ilch`WKCRsASC>?DCfOaa`ep&u
zN&XkzuJDr#I~N-Qe77>Ob?0Qx9avkA#8@Jsw4X~&k<Xj#98$-)+!?p?s$GxY4yMiL
z3|Q8Rt-_nFSTSy=v6m$c`DQQX@gBw!{QoB{6QtkI$pnoS>r3Jd2+civvp;#?43FNl
zS9uG$1$mH#!-K`EWU{f&`wc*dDzcrjB=ktkE^|dimZ$K`6UB50%H80{eo0tsqLmEN
zVAhq+mblRz+x520I3^1vI(e)c40TY9{Y!ODmq}-~m+~^{C@~j3`yP`XT}Lv*LrGMR
z=FOzdYrIH;P^(>kh7>Ks>3+XGUreeR?9=*R1cn=Kg5t(3cqwX4F0mG998NYSJYNK~
zn!zPCoRa<Gju&Ep>ecBNzCtRzy8K-^sZR}uw}W|XmlCUlpf=V}11|M3J|<r_y2nYl
zF#I19=Xn=bRU*ciwV{2zIyKoF^k?Ir96ZM69regSI@1TBYZYSAiOt|hMbHUM$#}*{
zi5ydjy-9!?%Ut7~9*b$<n^}`{hM=+6$Xx*uKqcymoUPuVwB$Wlb-S`K$seLPI&oC+
z7tMV`UR;OIYZ#4}db`rnenf9JWxzQL+w!$|9Es!$k^~(b;h<?JK?(9<bF*Dvo10x%
z5e7k_Q%Kio1_VXIO;LSKiw8KWOqy-xiWHD)KatK#(vD^vmkUDkZ_tU&x^ey>&SfE`
z*&G!j*JH{+vfw2?oAdT9(|YaOUYERd`gXo<G*KtQ-$nL56109I8T;o*{~}6h-C=Xd
zv>hy>oi}$?I4Twz9=K@=OENOvUu+jtfs7rmT}Pfc`gbFw0>?M_G$M0*YhDffOcykB
zSUeyro(Z$65FVG3E@<;H@a!vt7qH2B6hVoJ__2H<=3lf?<;0P2Q*ExWQ=C%dZ$FmO
z@~j^uP4GIH>?F~Uz0p1|7v5S)rSqIg4&-itkqf`#ZdGNsZ~rk<BDGN#prE)(-gOn-
zS?PDSBP1xJzwHOu-T$#~f1~`?oF;6K{OYA$x@hCtL_W70U9fFBtLuOHO|q)0qj1v3
zutBlQkmozn_l>*p$MfSgoo{Mejn_19oQuxL+X}`WXEcb*=12X`_`VjL9XMyel0D{7
zU2&clVO>RzUkHoSrL;#GAnAdNu~H*ZU%~H^n&XFZpJLmpos&nv5$Ir?`ak;-z@v=W
z11=VBE>@YanO6!+`;2-t;7omez=@^Rx&iLv8u(W4zd;>=rqZ)<JudH+zD~LrJO8Z&
z+|whdMzb`rg^nE)dDz(X&;S-Q=E{5pA0|DU2qOnHe|WIRsv-Y#(bsKfFwn$NpnNhK
zD3`~DK+US6m2C?dgHrRFW(MsmH-hH8wHV;wI4D6RSw3MW(b9PS0EvD9Gg@<@7e8RR
zWf0j9zwMZyG)=0S=&TQRqALUC=-DKE!9!0W>O;q}7tY#RowJqfzsqj+eb#%PvYZE*
z@vCHaR4TT%LW)K${^f^GA{f6|vdnLIFD6Q@{;SIb{2JW{?nTNM_9~O^jW8ezEo~v-
zq$ORU$H?>Gswm;)uhT*wJFL0U5brTnl4;poes2Rx<JnTRNB1stP5TG0wpKQXF{}a^
ze4bJ85FK~?MT>UQ*};>2o+swK-xXFGWH7|Yvj5j+X2zTGhw!g@4>Jt#o<r&6(k_l)
zXoE#wIU@$|(GRkoziN8IIibVUi5Kt#aaq1Ko%tGhc2**NXH0iLIIR|{D&UO?<Z}Iu
zs%yd<4y;<_ovSh}T7%ZDs@l2M<oe<KH$hcktcro`V;87tR!KeAic6e?mK@jy9}geC
zJRo&V`JPB3b=wB;8C7Rvag`qaq8}lPlhjM1)zp-5#H*k8eUXMx=_1zX7}b>uOz@UE
zZA;qQ2x6`(ZJ{R_=Rh<lHh*;rSI)m>B9!5SE2|TG=Nssc!4(zW++6latl&==sNAlf
znZp)cO|xFX&E++jiwoWu$E-B!@v_Pc^!dLSr_a3mvSzs0>t+_cDuXP^349L&*oG+_
zJx1Onro!7kZz7MdE4pcFqtjs+?VtDvB}*y<;Wxstw>x%}K7Y(yR5rRB&@;SN1eOy`
z+o8s4q6>d&4ocSLT$QtVXjXrSBYQyT*C}5g-k&x{R}g)m0u)?-)POVAN?Pj*F-w;N
zAGtt<nmI_aYekJ(^O~Yt-D}X+ED5)OjUiwzSrPhcoMrKZufZi3b(r<=IZ=9jYRy5A
zgTB(U(1w#4B*e-LHx&3kj59Cnu$$*jY(>pdZni+MLW(hq>_C4CvWRXTQ{B4IQZ};t
zfCj7(Xt~%y8XVYU)<nqcs;sCe+H71)uwIb_yh&-s_#jV9b_J+@Tp7S5ro_O+;$(Cq
z*iP=glvO$Xmp4)dJB${3Q*vk^{L(D7onl76G#$!ixiZkRC{-&m3Szm*cz)QB8L<!N
z1ELJYy@|NT`O{O8c%7av<&5Fai4Qmuw3sX=1dWe>JZDS?#t7JK=@^t_oIjpOq7f@w
z;`p`C26J;3jE#E&7UUdR$$7tB83jcabI@LoQb~`h2GVOxeloh*Uh70KJZOXIt#Lsd
zI}m>ETK!y7A{nYF)bd7VjkTqz=nlPo${!xY;d%~37Vem@V5w|a(c-lkrfA7IudAY(
zo*8q*XzqbdOG67Z-QdmrO+FgYE+6(~5IRj9&IpNF;%Vo8f@JzD^SxT`%g-Fs`gkTh
zutYedybNXt1dEgw01vV(#leHm=fo;8&#vHoz$YtPHo;Uf%p_*V5Z9dyg$JREiCNB5
zA<VIbKp%1jhu)NV(HVHAnq7%DFbVQpLeK)ygF_3-3jI$;CIo{+Ir3%GbMf$glWHMb
zHE2u1&4EON5b_O8%Tj_*euDlvY)4XF%#<-NyrYRhD1kClg$RCpZ(3t$2s}Z}C*gd>
zEO^oEVHdHWj%rt9em85-_mr>9sYRDkP5+LAM=L>>TlOCy!8dviR3$H@IkA%SqrL#4
z8vDx+B?7`b^L4S?8>SCWA6Gx3&(Fw~*VjrS@w?Z_*P35<u4lcNKgCfoOTyS+<MMZM
zI&YsXNyB&D$Ft<b#8$1aXzb8YZ8=dqnbCBOXQv(F{R<#1Ed@}7du5V^fyCe0S(I5K
z|M_D_6nJivuk$-3^*fLyBrSaqbzNOLOImb{4MLEg6Rc)<@YyFm@2@>4tSs&07D(zM
z8aU4Z5@MaWMHD<u&kn_f+k{nz=7M00E7J$vEk96{#7cUYU_ONAI7u;&YM&Cr+u=Ae
zY2XL)+kxl;ndJ)K<{Qk0=O6RH(jYo(IkF@PjmOyyK~p&uBN)o&+5>C_iNzTO4t#|f
zl=2Iiop^~f*_>Buw0WVxpstXzI*OxmW(1Z436J9twion_%fJg(1_d5q*Yc#3d{nld
z-I9UUN0XOkID$A?sM%`HC3X@!Sw`y8w&nA;ak)zInSarJ&Vje8IBPZYs>AHd2f`B=
zzgX`{Yd@gzyU-?Nau}u8%*BLSlm}EDH)0J!7l1p4dcINO*vb@s`eqsBqg?7DNEt7>
z-|kGbxW~A6t1fU%xyD<pfy5>^5y;|cHmcJ%ip?&$)kYP}u0JYJ{KV(A`DJ{pE3yt4
zM4ilIClq;rW6|wQE#coE#<94s;WMDS2+A^Ie~|u6gfpy#8Q{Vui5|Gf;a5yW;(sb@
zwJ`7nYOpMf6&<HP_*90;p5bPCK`0g?i8DND9@V&Nq$U}RJ_j;HB686E$qxnIX9#@5
z^G@e%_lmXdR%LB1kWfo&X;CK>8Hp5E6euxzALT1kdd?LTJ7IWO2o1ehJ{q>;*00~!
z3yo>y5#01Qe-M!v&xyCJZ9(CfyG=xyPtJ`|YShOw){!epHxtNc$4`?y@Urm_H>1`z
z^z2KF;odTo(a=dPUlNK}8CKQ*#viT#BTUVyDD4ETA%}MNa(NY9qcCRg2CW;%FzU9b
z`Qf}OTbjCfLZN+%u^tu{=G3;{sQ86gE@*LW9yz1n91stI+B7??%F7(KXjah_0%M<x
zRftMio>70w0uw~z4S2K#R-)Ts+r|rV(f=UjY4RAu;`m}7^e3b&LuKoUR{77?`+abD
z(a%KcmnY=K_NEL{o^^kw&M~4H--%=mLBL8$yGMPB^4VqzN2Z|$y*ll<(b=jN;Ru9M
zmT1ZMGzg!^QcR_#<b(wZP;)Q4N|5D<N=T2N4^v+L7zUm?{)}rzj-f_Ug<G7kED6YE
znpmz2s6m|Vbz`uRqIDzS5MB%|ZI#QTu_&!OuPIh4>J85JW}m%S{w4tpau3Bh+2cu1
zyLR~C>qvZd-@Jw`!eB+Z!73nlPyb?=J~3Y&1TDbY=@ndKmcoIgmLr?LjVeuJGP>qp
zs`eGyyeE0mw<*W*jMK4zfQ(S3AU1)>G>D&MB!ZN&-1BGhLmA~6uRkr)AdrRPXLs1-
zb8xym-<h1uYG;{If(;SVC+bA=la(lhQLvP;;vvPsV~E?_X`jF;O4qZnQM^$UyMVDg
z7ae8Ih8C+AN>7@HLbi!xlaHq6#B~DfhD$Cax~r!r@4H&H%%O0YP-No3YXxj;+naW{
zJmtSD9W(Q7GuA6dspe?Pn*J#0wR0Jh7Fj=v_sW1%MOypm+r?<;jdLDqFs({EGc!~!
z9N5)K>F)8ez&r)?JrSA#@&a2l^f(pyK$rGuny#z%6zK9)ewBy_?DBrd(?)hZNt%J=
zz^^4WD)MkHtAoc~V;BT2i7sg9zOCD6Ez+gvUZTPklb56&U6qU*L(2-}ulpI<bS~}#
zxRl(bptJS2qpiP{Su+#Am#aAKrJB<jHP*Cl*GL@(6hin8GU8QpBebfU5kldvvmf@F
z(aJxIwjP<}KO9OQZamcxE6rWfC-!Pzo>Z!XS^rYQ83bmQzLzP!)w)4f*^(&}n7_KG
z03c8?QdQc;z!FqMf2)MxO_M4in9ZT-L(0j;QeeL})>bzB38xLHt%at5)dlaG7e+s(
z>AXiz&-FY7f0c19!qsLZwaC(>iL)VU#OtIAJNmRAO#SSwpM>!E5l>=t6>ezI*ML}s
zZGOF;(bK&!1R%=ZOpd@P7(jOLI{NDtx`ENh<`35g$@+)bZq_-uOAoyhN`5}WikFcT
zhnc0;p#I2~1wrr913&d&GE}WVc8(Sw>wqUSu4gG0|C(Yn;@*TI;9F*{pW!DvA%#|E
z8Cz9z+zhlfA_}_0@7SnCg<qe4A2BAluk?$4unz+f0%I$WBFY+UV{uL!qFzf+s5uJZ
zXe|pSRhQ}ztv4jZZ>6xF!+qB3n$ypPypaL;e|{zyvFx*a$Kb>1g5n-WDa`yB;gL<7
z6StQ}cPUw*DSsrE=m*qW(7p)iGRJU+(GMRLN!Nwj_g)Zh?JV$VJ}p03ACgN*oj7J5
zBYojC@=|y}3_cvQoErfwactWc6*g^*giL3!&b)#Q!XhyCVA4^qeSq$t4I)^sKJ1;1
zC4N@1Xd?e*ME_1d`*#l+b`wtCo&gJ(q8M^^E|P=MH4n84Fb*u5ed}b6=0U(;EDbp)
z^P`+cR+Zf{k*0uiHnPgHni7>G$q=^^rXT+~H#JT{Q~q<Fpjghj;4J1VCJZLr0|ZrS
z^Mdq5j`t*&<ciFBp-(Gni&=WmJ6&N~r0vb!uJM1xk+%9GkkcwNr(EzG&Zp!n;Z~WA
zz3gv$+;MQbgj_t1rjFjMKT}?qHqc*yXKFMO%8NxvB|fkIL+?`bpN+QRxlOp)-B_UG
z&n+HVq-^3E8rIGqm^6_Ulo!k{sSrDfB!`ocP_bxpo>C{TlwCzWuQgW-8S4M*NTTEr
zaT`Y=a!jhHTVn1OGkuXyR_IUWRF(nnuiNskz$zj!Bs7!M(?6Q0`a}>Y!4N}@9hg@Q
zWPxXd#T}1_x1s4b?k*Y`mTD=H)T3V;MdCg1a;MACU;odjaHt{IfJK<$H}$H|D8k}3
zA-`O%5$BH+y@R*kl1ZLwvdS17mdTd)IfZ0;dIg{m7p*hu4bPiL?@a;_>aSnxDn?pr
z5|IVfBMZz(Pn_o!Z10Wgm_8SLU6S~ww0m>ET0TG}Di|*Es|LI)lR^JPh%+88%5lX?
zCL3k%mf}<#N1R!bUGCpgo}M;Vi@yjb6qH%dLW712_cHCbSK19Cu>eI+erErHh-O-H
zG^XT_)Pj|m=zE=gEsZy>Kp6#==aSJ3aFyH%jm-~nl@tkt*#ljYXjmw=k@SR04BgTU
zy&ZggKYC^cIr-hxZ$_A|^OyBi>GAd2ThZXS$6yAwshKJEcH~NWWYl$}*RZEF%p!4O
z6k|tsWrOX#mFZn4DbHooDZkrb00sQ%{f~wox^)j<U5}RarXEcx0w#HYKPkYCpYy&`
zGZ(v5$zxBIT%R6<uxHQ+&2Wzy;le%Dhliuu=)lbh0?t|MhE)(J2{*=YN4*idnz_a+
z>(PRYv0yB&kX3Fk0)l2z=?#x*m~FXEGfqXoN?@|qa^2Ng$%=Rhy1@K2>B#_6Sf~uG
zv?Wpzy38r~U4*S;-jD#v$nbg<Rtbc~DQ=g!tWh+{!GHILnc)LiLHcidBy2{3r4|AD
zSkH*Rwx6~sqM)nkjh3O7ZF9<tXbnamdy5c!GvaohyUa~me<uT<QJ(VbOY2Pn>~)Ds
z-V1jS38MSa$3U!PWOv>AG!KB-3!SVD2~@J&Hm$GJ606ezHEt5R!^dP*Sue2R5LlI2
z1-LyCs3tiKBP~1~b7XB;$r2_FqN=cl0N%;V9|aaY?B|!eYOM0-ZbpIf8n<-@TIxp9
z^7c-33NeU<43x4ZFdk1!;pIA|A}N-~J>BmGIIg$RP_gtk#`@VJN5h?>C0I{^b3N~1
zL}T7Y_*AY`dvMB{*^gQSaJ{(MhhL$y<HdkWH=PZz`&$MmaB*bp6lSmHM@1Pa<3sFw
zWmVIU(%9)RfMArfz~b%`X|y<TEMt{abr1o1Cj9><$292A*UFozBZM3~(;sZPVTPX`
z;ztmP1_t8Lp6k=iJq^y+;yra(H3?$I`wt!P&D$Rqaw9m~zrI7yN>tnfofCm)94zL<
z{8-Whkl46_vzx--yXbF#KUFaL+AsF%slVT0W>T-qm6{TrH%TU1R#Dz#&sIqI^kc9q
zw;ri=0GpQBmuLj!F)rno96#NBMH7K1mIV&TBdM=`PwA8(&&;y*v!;cQ2^g}>|7IK&
z57obBP%K%COCx4G=d{oLt^#C||MTFtmskAJG=zLftXu-gq5R2!)-dyNzsq;AhpJ*K
ztAu{Ph1kAg!;d3$9)mK%N>LoaJ6GW~tMF$LmgWBjvKBQoRUp>PGL|Yg#ahkBU^EbI
zCN=B-|3LY1ADW^>m0j6H>nhiv@Dh%uM4VmO^uIyU<p`1rQ0Bi@dYWqx^fhV+t}X2o
z9ZpU|8xV&ZzAFBh*QHH?<c}6~rR3%r-$tX9D9sk|@byYuyNv^nNtD^LJRc$d=w!<M
zABprsSMdL&ci{g@<R3ZO|ECkM`aj)<`~Rz3<PgM8>Y7_l5?Qaz;Qx~5a&@|NyX?l;
zPWS{aMqby)>DCc<GrZ4r!K^`=Sdx=auy7<1B!flpF$rj7ND?+{(s>pg25VM8%gPd{
z`i70!YNM^ddIOqTtT0OkHEjp@<;h0ZO4uM;keT|rp-APLsivz)9fl6|zTY{|<3`r2
zp2t(8iifGA!(nH(*QDE|&z9Gt;4Rep%U|4mZ@RU#qedH3g)#NR|G8wRR*hT!yYb=O
zXDa<S6$YMiDixs38S<}fM#OQ=oRb_UD!i~sLQu=5$>#S{z1Os6_P4%Hl<$e#142Zt
zoR|#2%+LVsMg}7bni>hQ{pP8=FrVA45RMiq8$yvnSL*tL1$I(QfS%M(yfP@iS1AWP
z2lIKKPNAM=3+>*#(-?K6gtfuQnxk1THy7?{9n%Sd!kIXmuYZMOhTWt37B?yU#B7r?
z=G^ACYZRx!PSFSS6<Q7I=~y9{F;BCg()qh1|MmxG)se;-wTan-+!kZ|ro_g>NzhE#
z@p9cd3|MUYhbKhOR>}1xDRPICg~677VMF>KM{yOwwG8jd7oE(Rq;LFL?168HD!j6u
z)d2J5o;$D6xnA0_@ZFBP_J%DqW3f8XN|uy@{jn%Mm#`VpCJ@E4D1=!QIe1d?Yy(Xc
z^!Zww#2ur07i<<=5|fSP_Bw?qoU{lGBg;fMyhdq<vlR<b)xHAU1%un!3%A~H)8&(Q
z>l2A=R4Z6;84N?>%8R+{`C(sL!izbn-3vm$vn0B+f&fsN`3e9f{dyAlRtYQ)7R&;f
zo*r*1v&TM6$SXV;|8_Its9kt?6T)TK)NxUS7*1tdO>{+`#NYijV*`DvbsCLSv@;ES
zH;(!Dz+Rc`LkCBnZ4O6IIJ}Ij(-iK0oG7sxy3yt99q~GzzL(svlWZs2^>>VrPdQPH
zpw8bvR!qC&;aIhf*u`*>;K?rINRW6-(G<<#iDN{W6j1z+D--bGVOxfI!Jd?*GG<lW
z(^R`*tJ<L47Ql-B1|d1|@^8MmaOaeuLXJ+C#nqe0Pg<&~C1x8*^f@1Rp5MoC@mOEP
z^cg*Bdjc>@HGRC=q%kZm^;YZa#SvWfyxZylM?9sygkg0xe-)JN$i~3j4=>q5^3lW_
zeKCy?#k?>FCGd`ycvAk$(@B1A?dg~tl1$5R1!P?();c;9SYAsr{G;+cQT<F(_#7X}
z4NhwIO<|q(q-9|RInTgX;baxazU{I9#gFY<{uz$TBM<|+dwxp!MqFA9S10H%wZV1Q
zq|v&k1kzmD*cfn%s=@9K&PSuxa(L0@V{qz3>l-icPs#uf4>R)!KaO&u-5@<9+Qyv2
zgSmcVgp&RhF-Lx9Fr;BoSG%pcxS#E*M)5{$Z{6oiIA)0^`2@ahw9T$?)zep6<8@sN
znFvBk8>g@0XERfv;dVO*95Bl7SXK=9|5Ku%R?vlcUbP+!ABR<d%B839m&7d9?5vTr
zl6Iu6hb)DJaByx+b(J?l#I<4i=?PcSQS0mS!^vaSM}tJHkY8pVBfCQOPAQRyZuEg*
zyxcyN$@V$&w05^~+m7&!r72r32S3~G7ak_I;MNK+Mp%LmggXafHrBdrkbR~H?^)Q(
zyW376m>6X`x9tPsM28o9NPb&|y<*Vh|BxTP&W`MwosXwnC$;YCxBRwUUIQMF@s0~s
zhMr9cE`1N-j~Lsn*x)W&h%1}OK~Y+-(!IdT4LCYMTgSTKNuLwG#SnV9B^0$o^I-&d
zEB_4%Tdej+$XUsazv3nMegSFWg}`zr!-Z`38hLMM_dx=fr$EHXl+Cl~p&_<g4p%-7
zZpKHaMg3<|0@%&}>DwluAB{H~tZkx<-hN;&4CCl5*aJQc2qi7WNiE_EbCV{|Mw%gm
zU7(B4SKd`!FkvTDi?}!5)_zC(qda#I8p9I+@`^e~n(dK-F%=;)_Ij+JIAnVYBo#AE
zNAEvV=szD{AkJY6Lx)#1qa`-2sL7jZM=%W?9RDQ>&TH~rjkqF_X4+h>?2S;6q0mfD
z^sL&_!jNx%G<!BpDNFYj;o40H(N92qadq^6+U>MnaAQ=w%3-sXl8aH5+3HF9b5pfq
z`C~s?RAg5YSprv)0CvY*>~1o<h!^TCqo{1gnz^cIdG(@INlq+}H~T*tC_kqutFX9V
zvf{J~C&B?6!kAG_Up-bfGp`fY5}TxW{DO@(Usc1JV@`5tyr-01`o{mjt(<|HkmKZN
zPpU5gci-K6ML9bWzRd!QgbeviG<xGtQr=F74l3qpF$RvyKc%=-V%bslCqHk1ag^bp
z-9#_WX=0ms6hwJl>@y6xaU!E9r=hAU!;bt7L&#uJloz7o;bTLQ@hOT*7iQmj=<}S*
z8JH^4bM=<Yo+eDEgI8@tZ^NZR8Icd-R7dTIY|H24n>LI<x}#}9=<$rG)g=oswC$lk
zF_+nA>55#zrwlHaIVwK?_g})Rp;Gqjc}(SeJz3?Xs4&({VfvzRl&J?ISrJ82m~9yD
z>~4Nb<zVqXQd#AuU}T(q?SE<7JEU>So$qEyF5}p|!AiOZ%uKV{J9q|X2bSTwfkBzp
zq@9pkm!7bCcfIRk{sSE0^%U1zxsv*Ssptc7=_tObJsm;QyfBLU=(xs`m9BukN|8_5
zDia)iupL;<!BQSR3QNN5_)kd^0foYp)(=bT>TlV(JjUiPiS7yqG^P9VU>Z)u3~nGf
zJfmNSh;oc(4-Dc>)wXKuuyG=r%n$~OT>B|)nB1$>&&LFm%^LaVf6XBk55vOp;n-8V
z>~ICg?cJg8EbAoN-fZZs=`1NYH3}ehhPQ!Ln*2A@%HG&rjQc`)(xNoq7iQoiaZ+Si
zGzvHwmCjc<&A1_3Yk-f;*XT~KcR)C3pG75L<ma%-&XG_j3?eA9VhLU_Z(n<)+`;mg
zWh4W2Usc#)VPV}^1^eTj3ONVJF#~7zW_=;_37yG|CP@REL^RYywzZOcrNao-pkjnj
z!RGAoBi1?pTXaA2eC{4MM^rqu_%qCX2Z*+SRTMV*?Pl0wq+C?_gR4PUhqOhg%0Xdj
z4-<^(Cmu}eL*Iy)J}!n@4d$O|yYcKqIfsgU;AFW!N<}3>YWD6m0WWRX51~AhcsY-c
zMZP`DQqzpvRmFOpWF~^ljzWxa*@(`&NY$)-{hv)RI(nzPk-Mo451`P@ZA#P|fP&@t
z)DqqQR_11mtPm=ESM~X`jTKE3+#*^Gp#Y^+09xTH<mOWVos+tPh3?5;q-$f`vIIkI
zS5+8x!KHhdOkhKXSi+fAo-RD?L6m%7^`&LII8Bp(=t6@2O(uNAU{E$fQAJNn=?Nk2
zu!M|3uj$+C2C-FO$2ckZ<Sp&pHJ>7FK_C;2m19OdMvPe^Yl;wp5*t!ch-YkD&-ho1
zoI$$7#aIZ&^zJ6!%H*Mli>CcaOPqULQHg^k@gW?ykRae@*v7Pgex5B&-!puyro;E5
zY&Jon-MYCOT?u`(BMS?~j|v=NWq~uFdkSaO%D=@dMP3g^v}IxWy7g)Ic^Y6xu13EJ
zQe!HY>%j;7gWQ(FocLV?%oPxptEmq0?EvU$c^&wU+C?xIm$A~h7kXzIycIepNR_u_
zgWyon(Q5ODq@muYEd-&I^w)hdKjn+uAzpj8DyF@x(J~4M9iIpkp0n6r<rJln7wzqS
z<~jvo7uM}j-{?eDqZGcoymI?Ab#*~4=h-*F%3S@!iY!CJk)I(-WF_03hb$NzkF4PM
zBLR27B1HpB0am#~-e2@<yuIe_sop^r<<^6|RYv#y&rotz&ENWi`60nA$I9Bb0nCMq
z7TD^v=8`rhZ&G@JdTq{MNTn8)_^-=H+C=Mcem^Dd5q^BruetbreU7djG0y*vxZ}1p
zSh3;z;<?AVCZgUvhF^2R?Nis)>l&Y8Yx*8SSX#4b&t6MtY-+vi9=BG05!BwEc7Z~-
zwyE}!zIs(w>9rhNTYsThyfMG|@#yNaw|o)$E^=r<r|sa^cVYawRJgWu$%X<Et1sa4
zI)efz+<qvp9KsEU#I{@K@w}M75J8meDYuroT5tV-0!s$8`2b*lj!_VXVlV&){;gCT
zRM1Tn1Q!QKhtA?Eb{5=TPf#3s1Xo4G3-lfidV($$x_As}9kR4M(@sjhA++R${GmUm
zlu}A5rIb?J<dM=3NYdx0*r;#=;MlEb8vb@Lrp6rXNT$^Z^3}r=5EO+hLL=SHL-s7<
zE9K8Z!>u~97`Wc|aHmuv!iaz7SWsgge3Egn&R07)Tuf1jRb-a#<{^6)!Iko7oP}F*
z5qbk6nqWmGVs}aGMvZ0X*-M<z&sTfsQ&B89vtTz5S+jh3WxLKZ&cZFZH|bW`8dniT
z2kxhrx0_{6w@?#haX$rE!GtV{(qKplA+3qERN6?I)uKd#F+f{zLz+@bKrv|xEeNFq
z0zt(FtgTX@2oO<`Sp29#NXmQk?a%PuJIvV~p1^}%;B{y2x%ZqiZ+2%2q}o+{-TtWb
zC#HIX==*PsDX%Wh1+-PDE`@aB(CyWb9u38&x^%`R3`0Y@eng-%+w^(-@IKLNR)kF*
zGRD=RNTR%)`<QZz1|4iTYKL{Rt3->Rl*X$|8@IltFJ|Pi=u_WzBTutdTTz@j6Px<>
zRukMQ8@8y;1k?ixEt2%P0fzVT^6{HB+G;v)8DLlftHq^IZ5iWC8_#_|>+)Xd>fMlc
z;(Cqf=lgW3+Cz`tctK_Z>NE{H>Jp|pMqk|xi@gdByYsc&=n}0Z+(%R2(W`~Lt3#2*
zdO)S$L#m*I&Vt&*3g+r9qUoeTgFTe{V@Mw!^`IMhn)SsvQR~5k?4`*B+$kH@C`@oT
z^?*W)WPNUc;oVkIw{?*Th9yufNTJ#;w8;{Et#hP)hb|j48~$`KLQ{uLKA1PNdX#k<
z(+KCy2%UF{`eT9G$<iUi1&p~<9Jd`$X<O8x8wU@jo7}e5!Ke1HjNw-IXhNv-!7*d_
z;ZwIpo@NavO8(`{#DU{BDH~eUZUU|Wg%$~)8(?^Ew~-Zw)fX*kiFTp0z0=%b_i;Vw
zk7ZX)C&SdK*8x2~>Q8o_{c?l4O<%FsCHO0FZD;3$pxX@V^{hd(@nW=ppxbSrX-xTP
zf;x2L;6X(&575D<-fqX{Yio&&E(^7;I6r*q*2vQ=0a1JgYZq|GDH~b@6C7|2D6~lU
z+yKKnr(q)l%wK&q;8Lj836t@i+I{)(hYKStSUg|)ZJ|`qi&y<|X*}8{jd!DS15KBh
zB^$@01$&gwg+zmiwP3$wtvXkvvkQ}nV$easpaxc=p}#dNmRc{}{P3w;qjt?w3{is9
z47h<swG=tLr@rE#(4uLd8&<hD(y);ch9!tu3sR6cArl#+&%XZhn5@<-+IyZiOUxIq
zQlY%OmUPhZm-cxT#+eQY-az}idr$wqP#wDz^V$Dr63xj$q4jJ&diFBvP-M@R{#Y^S
zpeh{oAg~f0Jge?>pG_4^#1EeuBTuswLsYekDWh|x0=UyQqzEP?oci}16k0UxbHl3h
z?pe+V!|JPnl*A{(m@!7^EVqp0py&{)@-kH#;Zb?Z(@DN2vu}y6{$!TAk(gyT^Og#B
z`wr8ag5jhwiW#8?s6&y>o^3Kmu@@a=7StDkwX+j?01LIg5PA627<rl{AWFX#E8GR#
zX&YSRnSg6Rp+(a^H>^7Ep5=@%tiBpZNqnCfvqrQ)xzWwjG|=Qqn)&cF$z9^S{JzWk
zygtOc>)O{ulgSEIT!PtXW3x-|6&0188+vC6-}sqN!(1=wP-M3dZT;KB^3g#8)WF)=
zE*kxj=p)0_dYh7mPmPhMIW}#g^0gBeSEUQMQ#P~+CM2BtIR}Ln4WAoUop;YhMi^FK
z4WuLrW2V5#Q9LPo<;s`*X(l$q#a?lxckao*-sZ`F`1gxXUL*vn|I-_`hu2&{L?`X-
z;)?wF-w_kJIuuFtP2CKb;{Y8rKn<*o&lvkFyJPAOG06{~8Y5q`n1QJ19_!f*I$PXn
z8(P$60_wLN6k0TVZdi5RErEhF!?60Q#idZKjM*dF-HnZnJ^Kk!-{<kZKj}dMY#Y{h
z_jqAYm!^yT4*tl;W}yCG%@Ab~2Yx@l8bvUXR*%|rHNf!x9586{r~hj=4haAN000F2
ne{FFFBpv_&000000000$(4un~up*x$00000NkvXXu0mjfxSuby

literal 0
HcmV?d00001

diff --git a/cli/experimental/images/ipvlan-l3.svg b/cli/experimental/images/ipvlan-l3.svg
new file mode 100644
index 00000000..6ed14308
--- /dev/null
+++ b/cli/experimental/images/ipvlan-l3.svg
@@ -0,0 +1 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="467" height="441.5"><style xmlns="http://www.w3.org/1999/xhtml"></style><defs/><g transform="translate(0,0)"><g><rect fill="#FFFFFF" stroke="none" x="0" y="0" width="467" height="441.5"/></g><g transform="translate(0,0) matrix(1,0,0,1,12,200)"><g><g transform="translate(0,0) scale(4.340000000000001,1.97)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.23041474654377878,0.5076142131979695)"><path fill="#c5e4fc" stroke="none" d="M 10 0 L 424.00000000000006 0 Q 434.00000000000006 0 434.00000000000006 10 L 434.00000000000006 187 Q 434.00000000000006 197 424.00000000000006 197 L 10 197 Q 0 197 0 187 L 0 10 Q 0 0 10 0 Z" opacity="0.93"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 424.00000000000006 0 Q 434.00000000000006 0 434.00000000000006 10 L 434.00000000000006 187 Q 434.00000000000006 197 424.00000000000006 197 L 10 197 Q 0 197 0 187 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" stroke-width="2" opacity="0.93"/></g></g></g></g></g><g transform="matrix(1,0,0,1,265.8711037056154,215.5)"><g transform="translate(0,0)"><g transform="translate(-275,-8.93295288085936) translate(9.128896294384617,-206.56704711914062) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 357 304.5 L 270.3711037056154 220" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,76.5,215.5)"><g transform="translate(0,0)"><g transform="translate(-285,-18.93295288085936) translate(208.5,-196.56704711914062) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 81 304.5 L 184.62889629438467 220" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,10,204)"><g transform="translate(18,0) matrix(1,0,0,1,0,0) translate(-18,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="113" height="16" fill-opacity="0"/></g></g><g transform="translate(18,0) matrix(1,0,0,1,0,0) translate(-18,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="113" height="16" fill-opacity="0"/></g></g><g transform="translate(18,0) matrix(1,0,0,1,0,0) translate(-18,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="18" y="0" width="79" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="18" y="14">Docker</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="66" y="14">Host</text></g></g><g transform="matrix(1,0,0,1,223,77.46151194852928)"><g transform="translate(0,0)"><g transform="translate(-10,-28.93295288085936) translate(-213,-48.52855906766992) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 227.5 196 L 229.11774189711457 81.96151194852928" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,57.51435447730654,10.461511948529278)"><g><g transform="translate(0,0) scale(3.4320505881432197,2.464785030240155) translate(0.00001348378,-0.001498589)"><g><g><path fill="#FFFFFF" stroke="#434343" d="M 33.84 5.912 C 16.263 2.403 6.986 11.405 8.451 19.186 L 8.57 19.61 C -5.128 21.942 -1.537 38.106 5.033 38.106 L 5.679 38.085 C 4.026 45.68 20.032 53.41 28.958 49.548 L 29.531 48.92 C 32.713 55.752 44.02 56.893 55.201 57.177 C 64.89 57.425 70.546 56.658 74.702 52.411 L 75.341 52.599 C 90.852 53.845 97.915 43.133 94.526 35.442 L 95.36 35.207 C 100.648 33.808 101.258 21.602 92.187 19.797 L 92.361 19.325 C 96.299 11.385 87.011 3.896 74.124 5.303 L 73.23 4.837 C 64.003 -3.517 37.449 -2.157 34.373 6.108 L 33.84 5.912 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,108,55)"><g transform="translate(146,210) matrix(1,0,0,1,0,0) translate(-146,-210)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="259" height="75" fill-opacity="0"/></g></g><g transform="translate(146,210) matrix(1,0,0,1,0,0) translate(-146,-210)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="259" height="45" fill-opacity="0"/></g></g><g transform="translate(146,210) matrix(1,0,0,1,0,0) translate(-146,-210)"><g><rect fill="rgb(0,0,0)" stroke="none" x="29" y="0" width="231" height="45" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="29" y="13">Unless</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="73" y="13">notified</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="118" y="13">about</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="154" y="13">the</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="176" y="13">container</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="14" y="28">networks</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="66" y="28">,</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="73" y="28">the</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="95" y="28">physical</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="146" y="28">network</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="195" y="28">does</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="227" y="28">not</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="47" y="43">have</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="79" y="43">a</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="90" y="43">route</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="123" y="43">to</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="137" y="43">their</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="166" y="43">subnets</text></g><g transform="translate(146,210) matrix(1,0,0,1,0,0) translate(-146,-210)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="45" width="259" height="15" fill-opacity="0"/></g></g><g transform="translate(146,210) matrix(1,0,0,1,0,0) translate(-146,-210)"><g><rect fill="rgb(0,0,0)" stroke="none" x="57" y="45" width="147" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="57" y="58">Who</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="89" y="58">has</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="115" y="58">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="129" y="58">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="133" y="58">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="147" y="58">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="151" y="58">20</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="165" y="58">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="169" y="58">0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="176" y="58">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="180" y="58">24</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="194" y="58">?</text></g><g transform="translate(146,210) matrix(1,0,0,1,0,0) translate(-146,-210)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="60" width="259" height="15" fill-opacity="0"/></g></g><g transform="translate(146,210) matrix(1,0,0,1,0,0) translate(-146,-210)"><g><rect fill="rgb(0,0,0)" stroke="none" x="60" y="60" width="139" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="60" y="73">Who</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="92" y="73">has</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="118" y="73">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="133" y="73">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="136" y="73">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="144" y="73">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="147" y="73">20</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="162" y="73">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="165" y="73">0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="172" y="73">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="176" y="73">24</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="191" y="73">?</text></g></g><g transform="matrix(1,0,0,1,9,404)"><g transform="translate(4,0) matrix(1,0,0,1,0,0) translate(-4,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="439" height="18" fill-opacity="0"/></g></g><g transform="translate(4,0) matrix(1,0,0,1,0,0) translate(-4,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="439" height="18" fill-opacity="0"/></g></g><g transform="translate(4,0) matrix(1,0,0,1,0,0) translate(-4,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="4" y="0" width="431" height="17" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="4" y="15">Containers</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="86" y="15">can</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="116" y="15">be</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="139" y="15">on</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="161" y="15">different</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="223" y="15">subnets</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="284" y="15">and</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="315" y="15">reach</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="359" y="15">each</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="398" y="15">other</text></g></g><g transform="matrix(1,0,0,1,108,253)"><g transform="translate(153,0) matrix(1,0,0,1,0,0) translate(-153,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="235" height="22" fill-opacity="0"/></g></g><g transform="translate(153,0) matrix(1,0,0,1,0,0) translate(-153,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="235" height="22" fill-opacity="0"/></g></g><g transform="translate(153,0) matrix(1,0,0,1,0,0) translate(-153,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="42" y="0" width="70" height="22" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="48" y="19">Ipvlan</text></g><g transform="translate(153,0) matrix(1,0,0,1,0,0) translate(-153,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="111" y="0" width="82" height="22" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="111" y="19">L3</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="140" y="19">Mode</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,124,172)"><g transform="translate(4,4) scale(1.002415458937198,1.0104166666666667)"><g><g transform="translate(0,0) scale(2.07,0.48)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.48309178743961356,2.0833333333333335)"><path fill="#000000" stroke="none" d="M 10 0 L 196.99999999999997 0 Q 206.99999999999997 0 206.99999999999997 10 L 206.99999999999997 38 Q 206.99999999999997 48 196.99999999999997 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 196.99999999999997 0 Q 206.99999999999997 0 206.99999999999997 10 L 206.99999999999997 38 Q 206.99999999999997 48 196.99999999999997 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(2.07,0.48)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.48309178743961356,2.0833333333333335)"><path fill="#cccccc" stroke="none" d="M 10 0 L 196.99999999999997 0 Q 206.99999999999997 0 206.99999999999997 10 L 206.99999999999997 38 Q 206.99999999999997 48 196.99999999999997 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 196.99999999999997 0 Q 206.99999999999997 0 206.99999999999997 10 L 206.99999999999997 38 Q 206.99999999999997 48 196.99999999999997 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="matrix(1,0,0,1,136,175)"><g transform="translate(271,112) matrix(1,0,0,1,0,0) translate(-271,-112)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="185" height="42" fill-opacity="0"/></g></g><g transform="translate(271,112) matrix(1,0,0,1,0,0) translate(-271,-112)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="185" height="14" fill-opacity="0"/></g></g><g transform="translate(271,112) matrix(1,0,0,1,0,0) translate(-271,-112)"><g><rect fill="rgb(0,0,0)" stroke="none" x="79" y="0" width="27" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="79" y="12">Eth0</text></g><g transform="translate(271,112) matrix(1,0,0,1,0,0) translate(-271,-112)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="185" height="14" fill-opacity="0"/></g></g><g transform="translate(271,112) matrix(1,0,0,1,0,0) translate(-271,-112)"><g><rect fill="rgb(0,0,0)" stroke="none" x="46" y="14" width="95" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="46" y="26">192</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="66" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="69" y="26">168</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="89" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="92" y="26">50</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="106" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="109" y="26">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="122" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="126" y="26">24</text></g><g transform="translate(271,112) matrix(1,0,0,1,0,0) translate(-271,-112)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="28" width="185" height="14" fill-opacity="0"/></g></g><g transform="translate(271,112) matrix(1,0,0,1,0,0) translate(-271,-112)"><g><rect fill="rgb(0,0,0)" stroke="none" x="3" y="28" width="179" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="3" y="40">Parent</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="42" y="40">interface</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="91" y="40">acts</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="117" y="40">as</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="133" y="40">a</text></g><g transform="translate(271,112) matrix(1,0,0,1,0,0) translate(-271,-112)"><g><rect fill="rgb(0,0,0)" stroke="none" x="143" y="28" width="40" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="143" y="40">Router</text></g></g><g transform="matrix(1,0,0,1,31,358)"><g transform="translate(698,64) matrix(1,0,0,1,0,0) translate(-698,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="388" height="32" fill-opacity="0"/></g></g><g transform="translate(698,64) matrix(1,0,0,1,0,0) translate(-698,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="388" height="16" fill-opacity="0"/></g></g><g transform="translate(698,64) matrix(1,0,0,1,0,0) translate(-698,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="30" y="0" width="328" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="30" y="14">All</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="50" y="14">containers</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="118" y="14">can</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="145" y="14">ping</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="175" y="14">each</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="209" y="14">other</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="299" y="14">a</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="310" y="14">router</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="351" y="14">if</text></g><g transform="translate(698,64) matrix(1,0,0,1,0,0) translate(-698,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="245" y="0" width="50" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="245" y="14">without</text></g><g transform="translate(698,64) matrix(1,0,0,1,0,0) translate(-698,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="16" width="388" height="16" fill-opacity="0"/></g></g><g transform="translate(698,64) matrix(1,0,0,1,0,0) translate(-698,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="31" y="16" width="328" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="31" y="30">they</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="61" y="30">share</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="100" y="30">the</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="163" y="30">parent</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="206" y="30">interface</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="260" y="30"> (</text></g><g transform="translate(698,64) matrix(1,0,0,1,0,0) translate(-698,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="123" y="16" width="36" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="123" y="30">same</text></g><g transform="translate(698,64) matrix(1,0,0,1,0,0) translate(-698,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="269" y="16" width="90" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="269" y="30">example</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="326" y="30">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="353" y="30">)</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,320,296)"><g><g transform="translate(0,0) scale(1.14,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.8771929824561404,1.7543859649122808)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,310,286)"><g><g transform="translate(0,0) scale(1.14,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.8771929824561404,1.7543859649122808)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,300,276)"><g><g transform="translate(0,0) scale(1.14,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.8771929824561404,1.7543859649122808)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="matrix(1,0,0,1,310,283)"><g transform="translate(93,71) matrix(1,0,0,1,0,0) translate(-93,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="94" height="44" fill-opacity="0"/></g></g><g transform="translate(93,71) matrix(1,0,0,1,0,0) translate(-93,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="94" height="14" fill-opacity="0"/></g></g><g transform="translate(93,71) matrix(1,0,0,1,0,0) translate(-93,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="0" width="67" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="14" y="12">Container</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="66" y="12">(</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="70" y="12">s</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="76" y="12">)</text></g><g transform="translate(93,71) matrix(1,0,0,1,0,0) translate(-93,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="94" height="30" fill-opacity="0"/></g></g><g transform="translate(93,71) matrix(1,0,0,1,0,0) translate(-93,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="34" y="14" width="73" height="30" fill-opacity="0"/></g></g><g transform="translate(93,71) matrix(1,0,0,1,0,0) translate(-93,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="34" y="14" width="73" height="30" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="34" y="27">Eth0</text></g><g transform="translate(93,71) matrix(1,0,0,1,0,0) translate(-93,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="11" y="29" width="73" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="11" y="42">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="26" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="29" y="42">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="36" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="40" y="42">20</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="54" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="58" y="42">x</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="65" y="42">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="69" y="42">24</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,44,296)"><g><g transform="translate(0,0) scale(1.14,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.8771929824561404,1.7543859649122808)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,34,286)"><g><g transform="translate(0,0) scale(1.14,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.8771929824561404,1.7543859649122808)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,24,276)"><g><g transform="translate(0,0) scale(1.14,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.8771929824561404,1.7543859649122808)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 103.99999999999999 0 Q 113.99999999999999 0 113.99999999999999 10 L 113.99999999999999 46.99999999999999 Q 113.99999999999999 56.99999999999999 103.99999999999999 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="matrix(1,0,0,1,34,283)"><g transform="translate(85,100) matrix(1,0,0,1,0,0) translate(-85,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="94" height="43" fill-opacity="0"/></g></g><g transform="translate(85,100) matrix(1,0,0,1,0,0) translate(-85,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="94" height="14" fill-opacity="0"/></g></g><g transform="translate(85,100) matrix(1,0,0,1,0,0) translate(-85,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="0" width="67" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="14" y="12">Container</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="66" y="12">(</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="70" y="12">s</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="76" y="12">)</text></g><g transform="translate(85,100) matrix(1,0,0,1,0,0) translate(-85,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="94" height="15" fill-opacity="0"/></g></g><g transform="translate(85,100) matrix(1,0,0,1,0,0) translate(-85,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="32" y="14" width="31" height="15" fill-opacity="0"/></g></g><g transform="translate(85,100) matrix(1,0,0,1,0,0) translate(-85,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="32" y="14" width="31" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="32" y="27">Eth0</text></g><g transform="translate(85,100) matrix(1,0,0,1,0,0) translate(-85,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="29" width="94" height="14" fill-opacity="0"/></g></g><g transform="translate(85,100) matrix(1,0,0,1,0,0) translate(-85,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="7" y="29" width="81" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="7" y="41">172</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="27" y="41">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="31" y="41">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="44" y="41">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="47" y="41">20</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="61" y="41">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="64" y="41">x</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="71" y="41">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="74" y="41">24</text></g></g><g transform="matrix(1,0,0,1,147,278)"><image width="170" height="60" preserveAspectRatio="none" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAKoAAAA8CAYAAAD2SSHcAAADKElEQVR4Ae3ZPWgTYRzH8SYx4gu4CG5CDAkoOAkdsiYh6GwzqEMHB1FwUREaEU7roE5KwUm6uAihc8krMUtwc3QwAREUqRIXI2he/F0xEGgSr2fvTb6B48Jzz+vn+ee5uycLC3wQQAABBBBAAAEEEEAAAQQQQAABBBBAAAEEEEAAAQQQQAABBBBAAAEEEEAAAQQQQAABBBBAAAEEEEAAAQQQQAABBBBAAAEEEAi6QCjoA/BR/wNlGfER3MyuZDKZxXg8/iKZTL5ut9tfZmbkgmWBXC53LBaLVRKJxLtOp/PeckGPMu7zqF1LzQrz5GAweKDM5y0VINNuBVLD4bChhWAzHA4XKpXKm91W4FZ+XwaqAvS4AtTQsSyIQKz6bk2YQ+2cU8CezWazL3W+W6/X2w61Y7taXwWqftlHNZKCAvSazgdsj4qCdgRCo9HoQigUWkqn08+j0ehqqVT6ZKciJ8r4IlC1gh5WcN7QAG/pOOLEQKnTskBUwXq13+8va+F4qnl53Gg0vlku7VDGsEP1Wqo2n8/v1+3mujC2VOC+DoLUkpwrmQ6plZVIJLKlgL2dSqUOutLqjEY82aIwDCPcbDYv6Zd7T/06MaNvO5KFdqpcLr81LwhvtCPDREKtVps7NsrP95ugHH/9aM6XVtp1rbD9caJbZ09XVLcGSTvBF5i76jg9PPPW3+12r+gh/pHa+uutZXJFdbpv/3v95j6qHrk+WxinuXre6fV6a61W64eF/I5k8fRlqlgs/tSo1oS2zsuUI/P7L5X2VNg3L1OeBupYUc+d3/V9Vc+Nz3Qu6GB7aozj/vmX7nBsT81z1wvQV12/qRX2iVZYQ9/Z8J8HtrfXRnpZ8u2Gvy9fprTCflDQXtYz6WnNxcbezge1TREw/0I9U61WL/rxXymzv7649U+B2076sxW1pEeCRSU8nJWPdNsCLQXoiv7jf2W7BgpOFfB0l2Jqj4KbiGVw546eI4AAAggggAACCCCAAAIIIIAAAggggAACCCCAAAIIIIAAAggggAACCCCAAAIIIIAAAggggAACCCCAAAIIIIAAAggggAACCGwL/AYbB9txUIt6ngAAAABJRU5ErkJggg==" transform="translate(0,0)"/></g><g transform="matrix(1,0,0,1,169,33)"><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="132" height="32" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="132" height="16" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="8" y="0" width="116" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="8" y="14">Physical</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="69" y="14">Network</text></g></g></g></svg>
\ No newline at end of file
diff --git a/cli/experimental/images/ipvlan_l2_simple.gliffy b/cli/experimental/images/ipvlan_l2_simple.gliffy
new file mode 100644
index 00000000..41b0475d
--- /dev/null
+++ b/cli/experimental/images/ipvlan_l2_simple.gliffy
@@ -0,0 +1 @@
+{"contentType":"application/gliffy+json","version":"1.3","stage":{"background":"#ffffff","width":323,"height":292,"nodeIndex":211,"autoFit":true,"exportBorder":false,"gridOn":true,"snapToGrid":false,"drawingGuidesOn":false,"pageBreaksOn":false,"printGridOn":false,"printPaper":"LETTER","printShrinkToFit":false,"printPortrait":true,"maxWidth":5000,"maxHeight":5000,"themeData":null,"viewportType":"default","fitBB":{"min":{"x":16,"y":21.51999694824218},"max":{"x":323,"y":291.5}},"printModel":{"pageSize":"a4","portrait":false,"fitToOnePage":false,"displayPageBreaks":false},"objects":[{"x":241.0,"y":36.0,"rotation":0.0,"id":199,"width":73.00000000000003,"height":40.150000000000006,"uid":"com.gliffy.shape.network.network_v4.business.router","order":41,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.network.network_v4.business.router","strokeWidth":1.0,"strokeColor":"#000000","fillColor":"#3966A0","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":85.0,"y":50.0,"rotation":0.0,"id":150,"width":211.0,"height":31.0,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":37,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":6.0,"strokeColor":"#999999","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":10.0,"controlPath":[[3.1159999999999997,6.359996948242184],[85.55799999999999,6.359996948242184],[85.55799999999999,62.0],[84.0,62.0]],"lockSegments":{"1":true},"ortho":true}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":22.803646598905374,"y":21.51999694824218,"rotation":0.0,"id":134,"width":64.31235340109463,"height":90.0,"uid":"com.gliffy.shape.cisco.cisco_v1.servers.standard_host","order":43,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.cisco.cisco_v1.servers.standard_host","strokeWidth":2.0,"strokeColor":"#333333","fillColor":"#3d85c6","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":87.0,"y":24.199996948242188,"rotation":0.0,"id":187,"width":105.0,"height":28.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":39,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:left;\"><span style=\"\">eth0 192.168.1.0/24</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":147.0,"y":50.0,"rotation":0.0,"id":196,"width":211.0,"height":31.0,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":40,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":199,"py":0.5,"px":0.0}}},"graphic":{"type":"Line","Line":{"strokeWidth":6.0,"strokeColor":"#999999","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-82.00001598011289,6.075000000000003],[94.0,6.075000000000003]],"lockSegments":{"1":true},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":220.0,"y":79.19999694824219,"rotation":0.0,"id":207,"width":105.0,"height":28.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":42,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">Network Router</span></p><p style=\"text-align:center;\"><span style=\"\">192.168.1.1/24</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":27.38636363636374,"y":108.14285409109937,"rotation":0.0,"id":129,"width":262.0,"height":124.0,"uid":"com.gliffy.shape.iphone.iphone_ios7.icons_glyphs.glyph_cloud","order":44,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.iphone.iphone_ios7.icons_glyphs.glyph_cloud","strokeWidth":1.0,"strokeColor":"#000000","fillColor":"#929292","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":33.0,"y":157.96785409109907,"rotation":0.0,"id":114,"width":150.0,"height":60.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":16,"lockAspectRatio":false,"lockShape":false,"children":[{"x":44.0,"y":2.9951060358893704,"rotation":0.0,"id":95,"width":62.0,"height":36.17618270799329,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":4,"lockAspectRatio":false,"lockShape":false,"children":[{"x":29.139999999999997,"y":3.2300163132136848,"rotation":0.0,"id":96,"width":3.719999999999998,"height":29.7161500815659,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":13,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":99,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":99,"py":1.0,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[1.8599999999999994,-1.2920065252854727],[1.8599999999999994,31.0081566068514]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":51.46,"y":3.2300163132136848,"rotation":0.0,"id":97,"width":1.2156862745098034,"height":31.008156606851365,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":10,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-1.4193795664340882,-1.292006525285804],[-1.4193795664340882,31.008156606851536]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":9.919999999999993,"y":1.5073409461663854,"rotation":0.0,"id":98,"width":1.239999999999999,"height":31.008156606851365,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":7,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[2.0393795664339223,0.4306688417619762],[2.0393795664339223,32.73083197389853]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":1.9380097879282103,"rotation":0.0,"id":99,"width":62.0,"height":32.300163132136866,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":2,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2.0,"strokeColor":"#6fa8dc","fillColor":"#3d85c6","gradient":true,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":38.326264274062034,"rotation":0.0,"id":112,"width":150.0,"height":28.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":15,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-family:Arial;font-size:12px;\"><span style=\"\">container1</span></span></p><p style=\"text-align:center;\"><span style=\"font-family:Arial;font-size:12px;\"><span style=\"\">192.168.1.2/24</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":124.0,"y":157.96785409109907,"rotation":0.0,"id":115,"width":150.0,"height":58.99999999999999,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":33,"lockAspectRatio":false,"lockShape":false,"children":[{"x":44.0,"y":2.94518760195788,"rotation":0.0,"id":116,"width":62.0,"height":35.573246329526725,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":21,"lockAspectRatio":false,"lockShape":false,"children":[{"x":29.139999999999997,"y":3.1761827079934557,"rotation":0.0,"id":117,"width":3.719999999999998,"height":29.220880913539798,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":30,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":120,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":120,"py":1.0,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[1.8600000000000136,-1.2704730831974018],[1.8600000000000136,30.49135399673719]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":51.46,"y":3.1761827079934557,"rotation":0.0,"id":118,"width":1.2156862745098034,"height":30.49135399673717,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":27,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-1.4193795664340882,-1.2704730831977067],[-1.4193795664340882,30.491353996737335]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":9.919999999999993,"y":1.482218597063612,"rotation":0.0,"id":119,"width":1.239999999999999,"height":30.49135399673717,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":24,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[2.0393795664339223,0.42349102773260977],[2.0393795664339223,32.185318107666895]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":1.9057096247960732,"rotation":0.0,"id":120,"width":62.0,"height":31.76182707993458,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":19,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2.0,"strokeColor":"#6fa8dc","fillColor":"#3d85c6","gradient":true,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":36.36247960848299,"rotation":0.0,"id":121,"width":150.0,"height":30.183360522022674,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":32,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-family:Arial;font-size:12px;\"><span style=\"\">container2</span></span></p><p style=\"text-align:center;\"><span style=\"\">192.168.1.3/24</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":102.0,"y":130.1999969482422,"rotation":0.0,"id":130,"width":150.0,"height":14.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":34,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">pub_net (eth0)</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":93.0,"y":92.69999694824219,"rotation":0.0,"id":140,"width":150.0,"height":14.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":35,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"text-decoration:none;font-family:Arial;font-size:12px;\"><span style=\"text-decoration:none;\"><br /></span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":14.0,"y":114.19999694824219,"rotation":0.0,"id":142,"width":78.0,"height":14.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":36,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-family:Arial;font-size:12px;\"><span style=\"\">Docker Host</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":71.0,"y":235.5,"rotation":0.0,"id":184,"width":196.0,"height":56.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":38,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:left;\"><span style=\"\">docker network create -d ipvlan \\</span></p><p style=\"text-align:left;\"><span style=\"\">&nbsp; &nbsp; --subnet&#61;192.168.1.0/24 \\</span></p><p style=\"text-align:left;\"><span style=\"\">&nbsp; &nbsp; --gateway&#61;192.168.1.1 \\</span></p><p style=\"text-align:left;\"><span style=\"\">&nbsp; &nbsp; -o parent&#61;eth0 pub_net</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"layers":[{"guid":"9wom3rMkTrb3","order":0,"name":"Layer 0","active":true,"locked":false,"visible":true,"nodeIndex":45}],"shapeStyles":{},"lineStyles":{"global":{"stroke":"#999999","strokeWidth":6,"orthoMode":1}},"textStyles":{"global":{"bold":true,"face":"Arial","size":"12px","color":"#000000"}}},"metadata":{"title":"untitled","revision":0,"exportBorder":false,"loadPosition":"default","libraries":["com.gliffy.libraries.network.network_v4.home","com.gliffy.libraries.network.network_v4.business","com.gliffy.libraries.network.network_v4.rack","com.gliffy.libraries.network.network_v3.home","com.gliffy.libraries.network.network_v3.business","com.gliffy.libraries.network.network_v3.rack"],"lastSerialized":1457584497063,"analyticsProduct":"Confluence"},"embeddedResources":{"index":0,"resources":[]}}
\ No newline at end of file
diff --git a/cli/experimental/images/ipvlan_l2_simple.png b/cli/experimental/images/ipvlan_l2_simple.png
new file mode 100644
index 0000000000000000000000000000000000000000..e489a446ddd255ce9360445f0f895acad31ae214
GIT binary patch
literal 20145
zcmcF}Wm_BX)-MEt1b26e7k77e*Wy;ZSn&jRC|X>LyHhN<TY(mBad$6z`0wXDd++lB
z&I_(9Ozv50-9MX2GEwTPa%do85DW|qnu5HvCJYR$-rFA^65#E~m(o-`7#P*h3epnV
zpO=qwV)StI$cL{mb}$xCS|;uNS|05hZB0+S_|_V0OLSX#TNZdvZc|%+3f%IDW>z@S
ze8i0cV6p4QB~YT4VUhO25)Fd;Y4*<v%@Sc7{)~q5!>1#ZpvVXQxpL@g=es)ECJoB_
zyXF_<{ZZ+Qd~qMX23VTO0}Ci$EJ^VH|K+bA>SiF`)Q`u6!a+qr=091`>~XaCToMYq
z%#PZ)GO53SJ}8O9N}r9aMcoYQQM|NynYTCxUG1+$oqx-f<NJi-b$L@ha6h1}*YmbG
z5)i`(pSvh@IqY-+lsiM*`L#}~z7};G?6hZ32J4cB^vgF~ixykMY?fPq$8%eA+A`}9
zpS0`v;x=lue46@KHRbwBBiR;C@=*-1DGEUQgIWWoAjbAAVuP1?wxjkIzwj=nzgjn&
zGODdorQ2(rX;~T;+x`m!`2LKX@bPGB2pCbbg;R6*>Fj)QU^!q?7qhN(_vcsMC~IKT
z)i*HpeMViZn9ole+tgKap0V#v_U+Fc?`5d5fT!ue0mC!l_V&Quf=75Qy*au+MC7l-
zeCh8?un+IInI*_z|7wZv5M{;bNI>`**5&%Eq!%q41!ycdM<b4Tv-p_4$<r2s?eSoE
zn{T8$QfHoT_V#K$(ASa{Y+FqmHcQ)70f3*U4w8Q8AbH~%`#EcGj?Qe&u>7^OH0GJf
z#?QYSMbkM*`&<<-gdC^9X2vA8C(zKOe-NE(1VgZ#JZJHk3m!Y(6RbSS8hww*G5t`t
zSz6qUA{66ryN~oW1Yk&=qIz5u1wRcy@S@AmY|BSPjXc*BJL9{2X~VRI07TaD;6-ut
zO0EEWC8%$xX;5lmLA}upP)&ZthyU*FAaF+2&rpG)o9xT_1osxTGeRG+9>^thtqc?{
zB|`lf3d;R$sPp%6>)a0*^ngtwg*NIi3KA{J4B||mL4-1puMng1JxKL(fVHc34DX*n
z$GN^|;Y&9sgHA+;==1OdA9bj879%e!v#`T}*Y}NN%|r=!#L|g;Fs26;L82C|Cajit
zRyHwNo;V|V;drzYKZ6;1f-QgFA_$;vTvnDT1l_U}#f@x47rw<B$_x)mGUlcmGxTzx
zoMYFZtYLtSnC!hA+99<ZriM+WP6DL^^pWh&NPKMkR;dBJx=j$evXjQm?b*2I)VMCG
zirYSKLBM4(c%uIE3m2BeLJGr?v=E)815A#ys%E1Cgpol0ouo52HL?s=f0LXzlO4#6
zEx)4v&aGsM8lb+CkTa-~S||fg+Lb*J+P7#hkp)N`0t&ap9y@Xuc)#mIC)uv(NK8iI
z_raUAnn_-gb^R>W^oEo)$P5ogQUi1B(|g0`n?TBSX{|gNu|)%Tz)QCSI{btITmE5X
zNJYEcoVGIdrxZV+3Q!)X3`=`{dEO=?rBf>?%E4V>a6Ko+8Q(Ehs-3|UsW2|LwY<G>
z+ud(#h@OLgnDwq)Eh9VIH_-+@=<j#f4Xat#<(_@xQctlmo}u^VT3`lo!<WNUImPLg
z&X$|)B8S_Tfvy$D9^dM=?RlLU2!l8-WwkO@6uP!a;Qk;r&8`G2pSy?B=wCMUpRewg
zJ2aJdgwH{~t*8P34KM>cg?)vhTqZfZ&O$WOrJU|rz+4cMZ+(EHf1j|RU<p}eM?C4q
zM*1xnX(3(cEgV!JWz(l-TXT6y618(_Y4lJcDmoOb)-{_Eg6JZ5XL?MEOY0Ww)tAuB
zU~R@-PpgNgdTG#DznU&K!HDsRh4jL{*6hxf6%>rYkwMbbK@;q_D?O0qC2uIm({e-I
z8Prm-->~Qq|HP9=?zdH`wQB(L%j2k&?KJRsCxEXwun<bEA)Y!Y?z=ag5ry;qaG_r;
zTr0$4K5Pt<pZG(Xn^ajk$(mz#xGqm`*A<{(&(_;kOuI#%L)xaGP1@_mPBng!$Y+!#
zoKDfWO^DD*^&t)T6B#p9`#HExs@8&ijMOO*S7cN(w71S^zGMmO<^cU!8uBig)Ax?g
zC4~};L3GJc)VJfKJA6*v%}U`{HmjS-F9;r@XF|be!Z5h}P=&?4tn>nL_6PvKP~^+s
z<&JOFVhBJhSqz^b7&WD#NSrR&MVv3O8~oHrJbjrXzJwAg*4_ET`TVUoJ^ikQjL{Xe
z-=sBrf4LS2v3wi0yuHo<a_^m6reVTF5-!1{5;hU_QrN~y#YL6<>6hj_#qMRXfTAOI
ze{9uYtqWbo{thk+^c)|}@Po(6y8YSRB+y{)=V7TaS&R&4*F8cy_%1@N^=(e*U(-$?
z3?!%Y1~uN?g)IV5b{jGs9sc|2dHu1YQm9%BCMlWo<$WExAKkf?I+RS&iUIm{3O#EK
zEu`=PP8HK%HGMLXD;bI+(KWnv)qXt%-ta;fv$<H0rU{@g!3FoP_OfkP;Yj=6UiX$x
zxVRzsh^{wrNkhJ2{Rk|+!>DFD+$YNxdAN<|(kIJaV_WS+13kS|OHuZHDuqsV&rZti
zUC4?bAHu=keS>z6VY;2p2m&XfvjA*E`;9KVeQxFmagN6l(U{T^Yo%hId!GuUa<5a(
zKPX0X@MV%47lw9uad*W|r@m-`{|G#P9W26`izdRAr`AHA*v3j1r5OCgxr`LJ4MT|k
zj4m`@Dz8*9m+owX19@VE>8dLS5daXSA%mqb#i2xcg3%&X(;4rn(=4juVbn(M`Ac!4
zW)IBabKS1NDvIV>*k8^Mm%!{8AWDL|=?UO6&BN0l?&sKhk3f!D>DvWlFBf*=xOF)*
z2@cX7J^$vdnUS?XYe$2n7AXREUHE*A?#iK>f((Gr7@K)8Sa#|VW-K}qpd=1~C)knR
z`5g<zQZK<;zjSBZk6_H-=NKQF#NEdRP)hmxx<Mo&IgMX%F>jXOlRNJ|z{xF1@TC!z
z3@>;Tnqyqf<zq^rcaR}0p|+n(=~iXd(2E?qg-%{_Tfv{0!2QwTCB8kI?vdNeMRHMx
zL4pqdYRy^oJB~ItX-$oG|26a1NrpzljL`=ELx75@Hh0uj(cnOmKC0_7rHeA=rW^XE
z3=#d8eijm?vc_zybQn@B4c+96rXGg0%k_a#X)6^aSJ*WZ?J>8cqhVntIkzbKfy$56
zU2=7{wMW01Y&g5H*3ZL$kUfu!2AeS&)CguhTh@1&?Bh!oabyfQL*4o2(_MPuQ{LV=
zJPhY!>4H5oQ8E(!#5FgBH^4ubK>RqsF8^#&HvQwhRnft(#0Mv?9n|xKCgI1SFH602
z5uNdVl_7?Ly6rHeSt40E+YcE$OtSthv8%?maN&iQ9@Jo=T&gN!Tuh)STa6r4xSm(v
zZwEiOaD42XeYh*Evi6&DpJfo4A7BL@0T{k;5#&_y&{jrgt$F@PXUQait4|7=NGqWr
zZZb|OWde0>UmILF8dqDNsuvVWNPRXVCc0TaU;NbAh~}GnIeY5Pm@JOyWbvbu6|C7u
z?lbg9IfZbu@3RA+h8ZhJ9mrw-S1aGe3|9e!it+SxhjfY>U-<Jry_Ot?B@!SF`$Lie
zjM}+roV7G#iAp9AQD97>eqB(J*|H>+GfIU@R@oDe;$GFfr7B9f*qPUV;w0wJ!K2l4
zL+-mP_AThKY}3b--xlc+*k)zhw$WQgEU5uUKjyQ1Kd}8;K^)zRv3)kIxS;OP3b?tx
zmQV6<2m^^#S5{VbbdZQOdVj0z=?Rka5sm=h@i_5k-)(<~3m55nG1GA}LcpxobsQ|>
za=8E0Q%HQQ|2TNJTadKBAU#bP&g8J1SeO;zrDx*YJ)4dJgkt$qL?98@-V`fywjh{w
zBwX&kEHmfuE3U7qa~8&n!Qh%Dw9+K)S+A)6o+yBMp@6rW_$A!C8>W#jL;TU+zPzjq
zDNOQFuPizy=Hf_ENojn1{6dMDnK_}xcwu3|>HUU{)_VC3;;j8w%gGO1z?Y{$0l~&_
z#K1HFOsEf1jJpA7`&imyiA@azrS|;gHabV5SV#S}5guvgs~@}DeY>p~I%QtZvP@~z
zi)m?8s8Ptx&5e*evkY{V;IT4Y0BDvKB3O|dP>Na#r>>iw`EKA9f-_l0%=^;e(eRZ)
zyg?Ci*ApjlmrH&U^!c&w?r6>i<lj(=(CCJ0UIM=ImlNPnf=r{&lTh9deuv}V(;|16
z)HFLPKv_H-p4nnU<iHhtHxUEyM$jQ;?t=hA6f4Ez%w*Mn(Jq|ln5GVC(13TuEs@xW
z^IKyvf%0MiV0>QBg?awNMRPA-k6>6!2H^gFr}v6~yYXSp(yqS&SKLpp4OR~pXGlE_
zU`GQP#!S18EqK(-@A5PADxELAUL}%+Ly0!))v7)6QH<X>ks2X5SMl8<)Bszh0%V2Z
z;BC0huqcb&C-Py48><`jO2tEQn5Ua}^p!TfrkKnOs_;ngt!<5jejKx-+QQapMFJ&1
zbNSZ2gRsD?gvy><vgN;2gxUkT0zB#&DA9O%c+4-V%F671fflBkPD!{3*IHdD@X^P0
zqbn*aTS==-&~E_WYz@IM{p_YAKT)jmZa=3kLaW|MZ3D~gv4FcyD8Cs=2?;S}E;a{a
z>Ql>J8@#)FoJed*f4y>@Q!s?b`DvIz*}Dkqsuv^8*I@9ZB2<oq;2c`*_d&q-yuK=J
z&8lCmbdBZ8$plnzg*1{GqIBqONasA;2CgmMX#~!&YVBp#@t(MvCSgk{HBb+#T8>T=
zAb$NWB<c^dCE7_bO{SJ7D#FPbya4I$?(XutyS={FhUC9_!@^=ywiGEQ?3JAK4+s~E
zB$f{&iSVp^&B;!)ueH9=n!th$+`pc6(R@>EB-#D-oLX-%JMi{+Ddbu9&1GbyJlxx1
z$YD4LfWX=M*$k>D<E*DLD%2Y;+gjasLDJwWNr#wgBO5#<I@{9%IdGTwhO$1?7|fk-
zHlc<~3F?G-&&pajZOkJs4&U3?CyA&9g9E#mceN#ket)nRBubh~HlUiD*DZiqZ1w@B
zct1(?d3zE<xsgo851h~AgciVTP#?eE*diJ!O2ZaHV`f)ZNo5huL6lWU1zI^Oke^#X
zafsjrARp>`@s>q};wwm3lwVnpv|ublV+h!=f&V0w?V~cLakqc_$8RwGp;IL=-RF=K
z!NAqiqcbuLEf^&a{i{2vkeOq*Tsd*rP{OB)7@odm@@}%w+9)9I;;hmAplO7ENj{QW
z;6DvW0!WT7QknJoaG~6=x;TPafUk#sm3y(?mwQpmWd+_C{^5nDJy*yzUjU%>2h)(~
z*Kh1S4EZoM90XwM<Ex99w}~JvSZQ!2rKPQUrZ6Wyj`#(li!9k>3vL0|ou>rmGG?ET
zgX|!bKwsE4S&$YCY^UATu&W*qP#s6+)a0KT9yMSfnmV}r-lwEFoDCP!Z$M-IYo~=U
z8fGZ+!k>F{4*iN;KK`^LfH#Yw>cd~Zy$f7X`qwhvij1sXj7}3@wyyA|S`|&7K`b(&
zxAVXZb;x}yc&3k7FG;=SFKn+b;GX#iHlR!Mb<(d(w-ltOf#99%8z26EXvGBb8t~te
zygyMBv7J)+z54NBrDqA_kBxI6*606e^AGNCRoDNjuX_hk9FXNMe?+Fo!ue-Ph)X2E
zh!^W$FZWnU@53-4&O08qkbfO{`_TCI@d20869L$?f+|MATFsrI{`cXjhzaymVS8D>
zr9WQze(CSI$CrOrIYph}=KjS0&F}hc)Wd&F|4b;%<lvRpCBlF=pgM&?ywC+72iSrG
zWRZ!Kwy=LcqP}Ann*OyhS6}p<!-S6whfcIBwZp!eerKZk#O@>_`M>l6DPhEn6E|+L
zN@t|Jz;X@%ErOVse<CpCM}Co~0j*!yH|sNf|FK|9KoKRq<9kEmC;u-*3=3d}H*%OW
zd2ku<G#SG9smi|(vgibA^;{md@*8+MWJFK6xfx4F(;_8B$5^O>oV8I`e*Dn*5Q!p8
zJ}36X%CP>2Xpcsc(?w4UtS4ze{6Lp&_jA$X=p*BYb6AMOQU|(lEMwJj5W}%TiQWHT
z)w6&M6iN6=UEIVDJhoVNQr4`|*Ono`Q|R9bo+#k=cDuuv<;9zyrvI#+tR3E0BVWvH
z%dT_lGJg}S_qDA=@k76|Vxh1AlPrJ6k}s)%M!ohCM)Xxh$@ekabu{OR)!KRk!?|jt
z8aRxF$41X5TPih=n1_GaY=6yYtgV{Uf&V+{4P*ZI+TU$9oO4#;nUeP3?Sxtmf3{{@
z&>^7e$7gI)CsI1ZXAGjWKuKk!@!D4h^kH{|9$q&HBt8hm4n3u<4s?ohe_=H6bc_aB
zevAb4dM@=pylfrh(sNV)BeXtThE|Z)=32VDF7_BMbkHy=`fqU{W6ZM8`*BNW4!i_u
zEk(LhK5d=t_F`;eH!$EVUjqLG4Cvm>)cKRw8CBuM!RG6)k>ks|p=<(zC;xdvu^_DW
zFL{cSf!ffrn0taGV9##G73eaHR%qiSS!=UeO#fv0am}Et7aB{;bJ6UrA(8LLd(&{9
zK)aP7WLT`L#vLA7F>>d8D<gTJD67<kWn8@7I6zW~i>^XAW4`{)^YEOA+A;(%7$$dS
zZQJwMI!iaVB6Xy>zC)JB<6`?HsA2Y~38QJ<y6~4d%tm6snzPb?cRWhNcu%F3@3aM)
zJ>)3&WmTE#+anjCS2E;_+ImC^n_=1)h4ZpPV`CxkusY!ON})B=qUH=k+r!BXxp}C>
zrkyKz1oukDrpyGd6%NBCxAI18pR-9}K5?$_P!6q`wGhf%0;7$cS2eK&6d-4e!Eu-A
zk>n(XBmw7KLK$m~@|0Z5EVN^Hzv<Wg&eNPYC*k*S`nJ`3EFKV)e`###`+clL&#q+C
zSRm$(5%YGY?4~E@0nqbwe(BJ#tSQ;)iU*uQ5f7|9kXzf5hK(lkrykESX{@-cD#fUB
zS{>0Jhdcl2WQZ#HAuhuF)t(RQgpL}N_&+fb^^ceT??2-7<1H*5jSQ~#&KD4C5{$G=
z<uYLt3msf2?p8X+39w~8DJO@1FE<XLzeWpc5(2U>OvfmmYmL*=<nl|*zh`4*%h?_?
zsIRi&wG2HlpxRU#(RQ9~q}Gc<(?;#6&!JO%pOHWdvVp_s3Y#wLTR!xMg+K4)acv&;
zxIH8|s>Y>G$@dW&XRe%X(Tr?V(4`Qg12wS$S+vr-bXx7c*%JW?U`Jy=W)9*;w{7$2
zT;rd3&aqgp?X-P$=Hu2h=prcY9F27Z$kbDFP6{8=3Xgw6ZPwDYv?Wdp|3$FmOU|hc
z7KdHdy7#w0^v-MFpaC<?wBWL@;Zvk<v&P@Sc{10B=n^5Hl0$mcia&E2Io}WB{%!%@
z;?fu@p8wi=Kg2T5a`=w$8V>Dpf-4#S>Aq*ki#VP0-GQ74fxD-O6(_kQ?&m;UXrn(o
zCUE&Xn;CJ*ik(a@iUuW8UHwf83FWmFLGDS{;@0<PT$)p7QC2$FR6B}=Yi7kxK0^6{
zbNaL&#6nl|KLE0bnr6kzQhCyuO#N?H-d(MAu|1dSs_#gYAdjI=@Fq{S>r8H<a-||K
z{xRL9b|U<pZLfa?)<O(td?{%EskEc*6TzCc8K#Fk-4-iJl0apBPH75pBrEzYvYwCK
zfxR#zikfFSph5+AQ5!_ckn+#Gf=PfEb1Gx_O>B$82C8)HuIFb3Hp*5;5Ik96T10b`
zb2&BzJo;l%NOnCeh|qw5RW-jZLfMOLE5n~P)zv2@(LMaF94+WNVeJ-69Cu$Ev{;fh
zsYjfCnowV@Ob`*1GM33*IJSTbjW6Pf04`SaNSqrmuIG4Qj%znm3R{))PhSWRQ_ZF4
zvll{b)YoSQg+jscrQn^()>581-UU_{sp&XlK+s=l*}3^(=7nqC6B}u)tmng`;*<+n
z_-N~_&oYlR!J0pt>G7gloP0Z;;p4($=a=hAQkK7dh_zJ;EYX;jGTn#dOV`^;*Ad|o
zlG4L_umI<IYE9D=q(g9mxIN(OL|bJEX;Qo&>G2wCu;izsB%VF~;yLXM=qEBV%Pz`S
z=g59bi!L;7w<5z}mclTkS%e4q@14v}eCr4WJK+i0akU^DT{@0)XP9(IxN<3T>7UNm
zCav!keM_a&3b_KN>5;cu*@}Q*VCCpemqNjby1Ke0B_(~h`v(UCK`)(Bg#qv+rBIh!
zmFEqphtk2#bDo~Y`r}zVRnNlpSdCIME|f!hm<~-+Jk@a}H#-|u%k1uSjWAY_wop9c
zgbn}*FWp6kZ8kJC{O)m}`4!N>k`Nas@b)IX#`?{(7QI+rs~!@pr<K9a`+NRffav`?
zTpr-@_CyMO|9rhS<nQ0Vn&lqP4>y&1wNq15zuVllrgDT(P*7rGViL$jB*pruuz<_K
z0PmisOiXnin)?MkQ=)JVKE8+zao#MM@pRgQ=es|zrKP7O&F*`utB)7M6bZ4hvGMU1
z(FOV}oI|8PyxwjBwPL@nqLr-N_2{~YF1F?To;5-*FMPZ^Q&Uz(MMceT_7<}(aCf^u
zH+Plz<$29W`s20$=60K<*0H*2@)2gg)wILwWP3E(@Amj0(5)|a>tbtoRtqMI^oMRK
zOgT;H#Zwpx0Xn(xV%JTR_u218+v(rk0V{8l%V*Vec%M<PBTiOzkcA=xS!B%$Xa6})
zf{XC`^Hq_Cr;GAeHt6T>+FG{cQB(|!JOOuvYTUU9eM%@NtStWi59a9L*_U#y(wTk=
zVq(S8xvs7*LTCA;>xpSHQqoYj0k$`+Vaj#P4^BtE&{R(yp8e^eK*LA|nhn3*wK}hT
zx6Y)q!Q@>;rx5k$=i-8s1*5O`aVaxwelRq(vjxou)@8&f3Us}LQ%+q?Hs^iGs4$aa
zVB>L$+tF$m%J#zgFhvn?t>HZfU}U$iJrYbq&T)~}j~&>${OcbSB<4#r`52X|B>j%R
znD-k@g32sV<rn2Un!(OSEJGN`-Sf}MA~3vnW(l|&Y!toY7_jyR#!P|K+9WdBO_5x}
z=Bv3u+SO)LXD2FkHoqHy?TJoA4izAYL8|$vVRo`>E93hq_#;OIMGZd{5$Q@5O>&HQ
zXQFmLg(XiaKLu8j&pb1pW^Y^>oPnX>7>XNYI3T02dH0|NM?Sd-7WgsOxfo|BUP*a^
zBjOuV5ALp`!Ny5+`21R^*U7Ty@gfJe@JdUoAr#w};~Whx`IIiy8a>vR^vCOx(Bq$y
z8m{=gS_9L$yY!RRCs9T*CoOt|<?k)wX?$0jcFVH`?6W?Vx_@g@ee97jv*A~Ng!XAV
zaZ1XjQbi@3fldVpGG|e(%AM(zI&y?>PAw_iIks}Q+})fbPp%f`ZgY>^pZH7ng!fK-
zx=Ycjz*gKXS8iBjCOwU*c#>3bDk1qFgH@_;KP9EZ35O;9(Pj%JXVL?GA(r9tVM0;R
za5aZTmlt$vV!%hIB#j$3``A&QGfgwAPj;bS90*qxaa$h6{_rDg(4R>)v+QheLY<A5
z=1mQ{WvvvyU*0JANhE1-$aP!eKfUw!ua6f#Pb-GNqX+8pENI3AXnpwpT6ss=B`&x8
z3&l^?;&8f#KiXG!5l1$C-~3~?l@=IIEm(UIN5i7;4fQmN@b-_+FmCj)KsR>_E+Ka_
z-6snacjq5DjabrSK6mQE+iU+BGsdcuSEa>H!<L41MS4AH{UdmSu!*~fWVV%m5D1Hi
z^C#dg$8yF-my!f$ZNb{ut%F&+t~1o8{4%H`1aR$dqz}Q2l2uO(gCoLUO=`fCFs?%C
zY*O3V+z?F<rfan85DS!nP(5EC%&FwK@=rM2LCND0&OPh|mmrVee7fQMfLq|PRa?Yt
zH-qe!dc&qohX6rj%yDYiC<Ib4y|@1xE=*JOM}H9gn$bH&tFm)7j^xduG?1>iGIf&|
zVpmg-+ohv(!SUjtG4T-JPa>kb;aXDTE?=FK*M56aZV48ALB@%Uex+TWH0*Niu~4oW
zE9M!ll(ArCUrzjT4aU+Ke@$hKOVS9xSyollOVI&!)3Kp}@#rpo+={8+wHGCPvT7{f
ziWU+YzG;?Z(hFv^GF$VL`>1wgMP}+kl^z$5IwQ9gd6lq4ElVh!3!=YW?u<pRzixn4
zPJZ{#`j+0pJHm3)f8?Vz&Qea)6uL*b4hz==-Zgp%9|tCuxwGqXO2s|^Hs*uZ*hf}I
zBNxf+M*3}e06r(};B$iWA0NihuiM!W9ON)!jFAxwiLkwK_|M-Gv`h#F>qWIR1P-e(
zb)gatU4<;f>yivtJ8oxX$nXPGIl-Fnt)@fk_<EX4*Aao-R^>Qh*&>x?BCZmc6*e&L
zvn(^Zw1Bq<YAm9g?c4RFN3Rw@2{@YK7seNLglE8)%Z?R97y@}f6$$S?D4{>Set$}g
zt*LS4?z@3<u<PbmV~n~Ys>gcXqX;1IOalflV2z{VA@zV0q$huVbnVb3w-5V-+>SX7
zoSflMeMmetKwEl!)5L+0Uw9fFH*gq}`JeJlSUgB{;#lZV8^|0&-ME)EW5O55YC`yU
zrT54aHU)3xU|Sx-BO>tpAk~<G^2SWp1=BrdIA=?FBg`@KL8w^9o~3c>+R|ZI!X-W=
z^ms^J!H)EUq!h%=GYApE@S_IU>r7JN_&V#k?>iffLNkL3Qld5wx)zHgw}(@Hbm6M*
zDt_}n**q&ANsPL^mDbEmOCf^9>OfZTN#QJkhD2pcVHQT{6y&#iQJ)~87{ozoMaFAV
zDE$e*T#Vpt^WCi6TpJLG0->Nb(My1MopnZt3l@|4`X&sK`dK8OEm+Cp#2Uah`AMW-
z{ltLZAOZo=dE5A!7b)fBj3N>(JhYbH<OeKyHhS(8${@qR=wOM=RCe6O+4r>H-_xEj
zN6TjP7-^jmqS7?CGg%HVtNL^4P#VCnlWzn-^<cyt@!`*#M^@C_vV+>L<aW0c@CPNu
z%>k=l$A6z=4j^45p4T~3+I`9+`Lv6&q~9~b_$*mQ(C}9|#gX4wiJwgPo*<f0RO!N?
zk^0xJ@%ttHNVQqbm`m}Th&yk_pDQ?u+c&LxZO7s*t(rHD-0ZsI5nWkSCV9vx`;E`y
z)hqJ%5c|X&6wY?_6Cn2`&myY^z!AmE(lPbXUujA+Q}ip7Vvo9qm{CfqtKjNX4`ts_
zBd(pMwB13q!{`+$qxQ#*-yuY`go$HT@LWk3GQF}+Mjy<`_Xr7@^Id<9?|kYrp;xa9
z29s|c)%M6TYQS*X1d@FaZ%yuyMjjAVs1olF&(6UScxTGrwy3Y$cd#x)h2vg&Jw{!V
zCfl(k>+dTayt5UI(TBJ$+Cs~|9X15|%tnViju(nQj?B<662bBTB=}y08IzTJz>OZ{
zC2({rJG8g2!VH6@1lRRL{kJaJyEa|%z5}q}ps~2gz`_rCF&+8P`=vpnj02dRf{-f*
zAWVPv@u#MWFrGI$auVGqhsaj*Afsk&;mFCk6Nfp7bhmxgU7k?f&5-h(shpAJRBUPF
z!n{VBk#T)rNc%mQ(xBrD7wNRNJNos{Prguh@{Q4h_1+$J<#t_hlkH{WBK+BnqYm&F
ztEm<OhF(>eGwHO?Y~_7q$H%TR(T>v#Z!!=cDEr~*dAhej`#KPXbG+U7ce)1F0Wpk%
z#MJL%Q--q<1%?f5iW6es)<pF^(adR=Dx>zSf}Wc1!wru<EcsFGBmGFZ7qgxJ?YhVL
zrfJ!>l=8Lt7kgc+y$wF+9F*%lM?_pYL=&$l<@(Jjj(eKT3F9X?J*6ewX-py#=Jj=R
zRoB3|4!1=*$7g3!bfmToCHH8EU|zR)vuYp-O^6A?sSp9)7cDfN(vaXFh(TAr=K>pG
z{un#VO8zO%8-Y%j)7#Pg!%UYhIL=%3F)QhJ(Cw1#wz1)+86ED&F7?L0*Fa)iBbY#Q
z0=mBEg7f!CVF*dp#GQ&%1IA*lR-(}sfmkjlC<2sCoiK8hmNQ|x;8Ee<qG_c5V=1CD
zBm)^&<H9KZD>;{vbmNR!LF()|Q{2H#_Z2_Yr%IC!-mQeT5^&)h1kVxk$D14MjjG%5
zD|JkP)&V1EJ|Mu^csd)~N*cUel8v1quPe6$HF_Lg*%Sbm4(!10x@%zbM>?LKuxOPG
za)`l>#Paa<N^kma`V!ebJ~LF=s2&q)0Bu(S^Q*UY<O+I@aUfwgtQeoOeM0@-3v%V^
zc?UZy;hm!k^9!z@vI&(|HMdmqTu2as%mv8LY*<eR75T|~^}`yx=kva#cYxTd4bKdo
z9r6z0bO$|+fYrEdozSBWFR|X6R4j0nW1q9`H9EbuwWma))DTwnMOipXVonAYkz0ox
zF(keTz)3CW{>$?h;7oZOWg&(fO>i2tUhm)o;R&{!sb07Hc?m$@ikH|kfCWHU*tE$)
z(Z1gw@{OZ>Ru@9Zu?3nHT*uP7qkbm|#ULDl)YJh&Q3;b>){z&-;?C6d^kMJm(ON?x
zFB=^7+wl;15wcx2{hf36edl#1i#3G!WKuX}-{n&T*uGCz9@o%;WD+yrgmFGxHO$@O
z+}}Z++mB!OP2kERCjPqZ>BABZxB;jrr<26pWzK7ZUR$fJ52_FOUhN&+QqGGrz)U|m
z?AVyaV=+Ts$=HLWM0Zxh(JX<@Rf3-nGFnT6UZy4vrF@be8V=Q8GQ4dPbwp7Lkvth>
zJm)5+G>giI&LJ^k^;6HsYFbHo^lYEcf2dV6(jGTbMyp3?YPafBW#b#Q!nW9*7Msi1
zd&Mt9L74E0uLO`yL8xZkwvhWSsulJVhA#Jm(^(Kzvgz@t=*8vzTrFvk^B+=$03WZj
zRV^d>MBBTm2c}5s`2yU9Xh(=4<YY_F>T<PvX}Hz@{<<Yf=W$Qra2(}qO62b)e_u##
zFoPtSqDJ*di5As83U`-qG_Mp_KWp9M!0d=V1ka=E?&+y>7frJ6VfLy$Ci+BtQdTU3
zd5l&taN}ZRG2w%1x92AITl1^?!BSp|fRA%u_!5E+EB|Lp%ni+E!0%0xi;}t+RGiD7
zzM`~SCP}>2?eKYF%NCiZ#2`R}{&q)<dnsx^;#~4%xzo2gjxdV<;iYhhqH;T`B8N%t
zk0*_Fs2=@MhBtuOjA_6`$*>wSIp{Asy>C$kZO}yMLs^^;#GzKbS7(k36!uf06Z#|e
zx*tAU%1811d|yg?vlD08PR~m&Vb{?O`WG9`)JFNb>-`xHoJ$#1dh#AmT5pVvS0`e8
z>ITWWXd_kNEv<qy5VKm*ovSi(bLm9a^dV3UrqoPTSpJvy_%YRd58Lx%)(u<xPc%nz
z8Dpn{UXbGMV}G%``yrYM%Y%u3_sJ@p%>sRCPku)X1vCz>><^yk41wTBFa|~A9uTMi
zGU*kw3ArXIqqp_#5x){d+Yk1qFh0@VSj$}sC+k}c&tCnz(%Zyl+>H!4t&;l-v^QbC
zuFL~^61eSn)YEj;n4T$AMMx<)t19B@yDtn=DE<bB``b&31Nel@bpz`yYD(xWKFCO>
z%d$cD$+cFO%Ok5&N3t2i|DZg6WO<d~OeocoF!}i3qS;XEP8zL5!;{oBZQ;|7tPOS!
z%Qwt)QeX~Ud)ERtcfcJIH<iKdW7aTG^45f#1a=k6VidNT-?M8w?gg4r$?5ZsW2M76
zwEXy%<{!N|6uBoj5=wm_%em6Qlqr*9d;=NK40xP-O&tB%ZxFa*`Guy3Jd3`Z4UT33
zWG+uZm~r!;g%y~R+Dq9MY~r>(;4Z1R8zUarsw+Gl|DCZ^F!6Ku917<Wr|{MK@)tQ8
zIlF;30F5lt@Dm(`gpd9$MBqo@ZSIG}(cN$mRXLlH1K#D#!)$egZ2+DJGyI!THq#M*
z@f&=jOID~Piqx`!m{mc^eBswe>=nRUrDaQC;((|5bk3#EuDg(C8dM8zi#N?!^DD*J
zl8^t#L-=KQk)_=!qeF097**xENI4nB-Hrk&-+2EcV;|mD$>718qhD&d!sVi^%Z;`e
zG->sKZb)9jCZ&4z41z82_sbDph9hBScaTc3ZkzSzw6`LH{Bs@7xCLDQO%m)8o1RsJ
zb5OG+`3JF<zcVZf0a2u7x+5VDaz5w(7rdP%KpEza&d4G_3As}*7VjLQl+J2^t^RBC
zFju@9YD8h0Hkx@?a_Yx;G4oJA0(q-pAjU2Awylo9*QS4m!`sI0w}#WLH+4tC;SAok
zUZYDj;kN&#bZ5IVOdVbgs&OUT3egE0M=o7)6w-ydK_(*$WE{*Uy!-yVp2X3^0Ij?3
z6f?{stmOH0o->uX&5Ys8_5YA#4=lqhulntMDjTMpJWudYSN1Q&zLa5VGdCzO(VnNW
zSaxrcLSi)I@azIDV_5_V5eU<<DD9ZfJ8(3S&qTb>Vxka##r?>5(^|}#>ROKt{QnCU
z#DwD6gpTc4zz+kj!7D{9vADZx**ku@&1Dh^<KH&Rs*nu+!?I59p#)GRjl)x?N>v<n
z#@t-?;bcj`yFVG&<MeU%-pwVz5UcY_nNrp??em*jyZeE3rN3PB-(V4vz8cf@MB4_|
zeK(}q=+b&ip}&S<?8Ra|k5&I(=S5HrV|GUzB&`%&Ue0I<?39phouE(}0J3D^-A~r{
zjBcl&X_JVA5XOBi?tV(>au4`aBsh2fM1-u+iJnet#27HXt0=yjrZf_2bdD{3u0wb1
ztk`VS+>C=nKm@mGQN$~|q%BT9IpW2_ma-laOSD1cW5eAtM<Rz1qg@VTE^VIikzhfG
zTPA4c#jyHISgBeEN!1q{k6ho%RXJZZF_B>xF~NX`&b=y?39O5!V)yk*YUvpXP;-ot
zp3XYt^|@o@^!JC(;w8$X7uU!_Z=<VK(&}C{LBwt*NqDki^^Ue1UEpyB@Fx=;fIU^b
z0^E<Hp9}QuE^Q+dygLa{vho%Y@*5p;d#HE7cE{~nS)0a-`W(A>qk~1gPZ_p6SY63<
z-Z5cBjpCHm^%bGrd+%^>m%+Ey)TNbp+o(t3zs8x?f#xPncu37YNd~SIgFY{F$8W22
zn^@u9pNUw1c~;Dzdg*pQQ$76{{X5R@-U$9#<Y1<;@!w;5>HuGkriW#`A~*vshU#7Z
zbX?V($VC4>nR04uLJ&LfcFwx^-=S1yC`I<M5@YlEA@y*&W64aevYZ(P8)fOV5Vmg6
z(_YOMwb9MQwaiAn%d5>^&Pp_{2#NRj@w>_V9;u9fSNUga6heP+mrf=TB-R7JO=w;_
zzhdVV@Tl{l`|E@v3Cb6ExgFu)!Jyi|OIFapuhNF#6S5o(-b!p*-wyr3Tyio({~$l}
zCz;NR(U(s$EppiT?MsvYrl-}?CGz-ZDaMC3b5zLNM5r=nx8v2iA;wK^*>I+KRKe()
zWhSc+azN<Ymxs~{^|bs-cy+Syr0!h$D%qlvYTE0jTEo&_S94)5&V(KJx!m<ivmI;S
zch+U#13v#(h3^%ByLfV(B^9-1;_a5|xi=o)t5Fp5u%agXiy*HM@srJ;dQ31Q{yN#>
zyPPrUXx~AJsk34(T885<rwmcY1Zw!Y&hi&DUgK%@Z<yNza#iQITKv+JiOdhd{YcPS
zQvnSpP^5nRixZZ5q=mGqqNbvC?cA?M{$%qxJIm*OG`KbzQv#83p4Iue1ON_D$D{AO
zU3Lhm0W3NGbd!d%$9^b>e&2hgYseccc`*+-?2Fs#S0gLlUqdpWCf|boccW!7GQ1_U
z1hr32NThsRGG|^}I9g3ZV`!FqLnZ&=MGDWXc*bqPGU>~RG@&tG{`9m5j5X}-$;xnR
zmnNj+^|Q9sFA?5$3zKMy`n*BVzZ5X97##Ra_#bP$Y3}qPuP6F=Sq?)Vt-(CIC#KN5
z<CJ6D67|1E64i!%d#(V81PBz@0Waj>(x3Za=uloqyq%ZFXC%?{ssH{aK~3Y@`6R#R
zc2?ovyuPvGP5Yu|rRO4gj#eo#R1@Hs^j3a%b`<YuShq^e<Z2)G--{o#fG}+6WF2td
zYcR?{?4`?Y4U~*<BH9q06`e08?FTotwPZUs-8NUWZ-Cs;r1_hX-d7-Dc_d1{F{^{u
z_H3YIr6+5I_UUF<;f=rwn-Etn)8+&48!by{fVZ^xQvs8;$)L*bu|Kn34*uLBziV=-
zgQ2tj(<umRX=nE7*U$J%8m}E1#5Z>{^LD8YSpL5a1YQWfnB1zrI5^1aRgrX1`-0#0
z@?^eE6Xy1xNP27H6A|AoYiVf-R{@9*dAE)G7C(U(6IfqN9@gP6?&3Tx)8$M{_t#kc
z_+1c1>W}{0E_+58F~{^6s>XFT*GEU1VgdYWvmGYU{#7ak&gr7u8~<MW*2c_9a}asr
z3kg4-Sqa!qC+&9yG|mV;=6D!G*|^R(CF^e~#tx%zs}hAHLI9Unz`yNW0WyBQruy=H
zepegdd4vAaL?QO|ZJfYs@H>kCQpQaqsE#~pGnDU-zx%p2coe&^WxpC^{J8yg>iUcB
z%<DcxSY~=??FY#BpR5=`_kA<+8{xl%Ip`aLzPr5Y>7KQjsT?Bq<mK<Lb*m}W5Ir9r
zYW!EO*y5ShlX`Jz;DftR5mbTtyC!act4QBUfZpJ)^ljIllh?5|-I<`*7v$*NxDMc7
z!a@G?|INR*<Z@lPEuuzo&MdBMuz0@L$wGPad}@O7MRAD9#YoD3%vc40ava<b5}2ki
z%>dlr`&9xqW?QAb=F-~Fo>p?tUcAn#FZ%z<i)qq_;h^dNR+R{zYb(!mdX1m|Ww^fi
z8j6ehwX=gM|B#Zp<H^<Vf1K!!XBG@@fGOAhxUMZe$32LA3^!+lhe-l(d%AUs&=c|7
z&edMhJ9Z`&>HfHa75l%zM<BM(b;#(w;(5OvpRv4ujM$No{gwyk6ghuk9szg-A-IR`
zf_x8njzOnwvuWCp-<43m<x-_(Vr(V&<B<KfU-ACbb{mWJmS|Bs2wjP)X`a2_A06!&
zN_e^nCp78s2|rR}PNjyG9=vwL966w8gT9t98tRH8JPUkDKnQkguGcoJSS_lcy4Pgh
zL$SV!;qhRcI>}?u=B`eQLBl``W8T#~K}l2*i);+X6tjk1<S^W33n3>od`E<g`OqIz
z14#9^;Ae*qF3?wS05jz+iuD(KHRP)vXD*G1klUP1JV~#Ay5@d|Vy?rt;F03K==tO0
zT7~9lC^gYqyK|AQaw~&jahr8`NP#><<XoPYQ_R4p>Y=KV3#P-k7eqGT4vqwhBlo65
ztTaME%Y#Jh8FkdQJSCx#Hr{%JIXeBPR7JPYBK2Jl#-%6PY5G~ph}q1Wt?czkwS`X{
zyc6%}J&qC-5yAmc{s#k1o`37J4Xe|z&0j{^Wbsn}T(zBQ-+Ay@YOPaH42kKAZQ&~o
zB;#$xe&4N1i)V@I25-gNut0?(nZyyoHsN*cK3%6vsLeQdDv^v`n3=ihh{qwe2X-y+
z|FzN;nV|12mLS?6gb7Nm;H%};AHZnUJYw6~Ak#~YsV!^wU)p9i(c;2-41MTa>HF@U
zb|^cRS!3_pl~O{)sndA!Gs>b5d+xKweeuF;Mp*FzY9WX{^~bLnFzN&Eyo??MJ1CIW
z)+_Lb4_dgOBTwXzsqGPs-Rn1hlBQSq#x(L?H}XiEh<^&NuH^7bVU_2$<BI&!-qG(~
z)(4qM#|{_>c%Lf=rdmp3Ika3ZNCpvIcWJ>I;p2pp4KJ*Y$bb5iMrlIp-YpUQ-XPY<
zVsD;u#DWo`$DmhnSi+;|o5sRg<yWUr(Tfykz_v?-z%8^2{z4{^2zP)@!Gfk;sgohM
zZlC<=M;(FSc>Y-d$gV<!*pw&Ekkg8BStzXRIm&##QR9g1JqcOd%o3$9$B0I^zbo^r
ztOj>u&8I6~imjCdd2~-T-1k59YaGA&iaH<IOFU*9iBL4p^JKnHSCT<_H))(C6|%mS
zAV#i^#~<*}v<Xk1jsH)#91u+7*I3kM%qcyz`5LI597=Cf1rNTW(NWtF6mhXhh|DpM
zdTa^MZfLZdedv{>Ii)8SWJp6&U?3zxQ1yobk<|N-nQ1@dcLG>1g#7Lk$$dV7a4riS
zs>4Lzu_K-6tmmAPPXBEKlk0x^yd4W-isCyB$!GCO@vaYg+0aDT@fI)NvHW!XA7(0O
zL!G1qYjm@LGk1*sHw$`UO3h00EEth@TUG(p5`PLNevikg7>4$TVq+^&&`#B<Wmw9A
z-6YBZ`0~`)P8$PA7E+R%+3eL3b=|<2NCwq)o~8UVm2J_2wl3kL(!8;zr5a!tze0I-
z+~jm%ydJ7KdfubYwIVCG6-`RcUG4T}buy}4M$8GlWi(18Ya5dpZHUyY#oEqglLe`0
zGXWdcqMKS%kbvKnJl_4PV(2X`_3&tFY}GoKx&&J{%&Wwim_qr7SdCa~rA%FwD;-K*
zoSpNiY0DmNw09uoaI0Lg7oDRq5WjSmt!lWN3P~<kiAS?1?04OGqo<{KBGTSpdjsjE
zTQI))fV1vL*2j1T)z5o5-rKo@wne&?0;)Cev}SdVmi=&PYBMoxQ1pi<9~56Fi6qV8
zPDb_VrP|HW(oZ8BIC-Vn=u5Q%XeNB9)rRFnr0L0@@iOr$Gcc=b+CM1MUw`DtV$MJ_
zQyYtRIPpIb-)uX-yrvcIQin~lkhc6##R(44hDEF^>Yx^9O}}Dq{44<MS_gc`yv|Wj
zMB!qbP|S4yR*jxS8KLG%o>aJB916HfW>L&MNk!s)l$m9J4V|-Yjd2Usct1c*rDSyF
z8J#b$#-xF7lKcFs$@;E6d{7&<h0s+w5Ap5C$r3+i9r4JeB?BOmFFg6O^I!OXTH#&i
zXkmL+%+*F&D}H1Z&U-V{22O72yz*dtam;lHCk;f`MMg`23JottrphLI2Q59BzaUL5
zw13h)*6OCjkxN^A=-bxL7xHM!_<lufUP0^_IN6sBGRjPper7oTVo)1|uPhpdt?N4J
z2t3vR@{K^*mz;^If#k|-%>ZWkLp|c*1^iFZew;q;1E<o;39q+T?6tk*7)|fiD8Y{7
zx+V|K+|BOM1-VU%UmU6O;?do4Rd$co2ml`(1x}?A7Gu}@F~kPsDxmFiXfj$+#|pnT
zPqNdrW>8r39VGtvpq1!O;q59g-EM_5M5wJ&jy95n3e11Bjc+k%xM~pQm4C;D9XpYL
z^zkQhvUO1=+S^a~@*MMXU(6^8QQ_}bWszEHHs2mlU?DB$hnTbZNvl_Y^{5tmf_kW7
z7>PD>P|{RpgiOT=f`4xi$L>O{N~$sp?L&)Phg>H%Xj+-b>4(QIgl*oh9FvxZmlx=I
z?Uki9PNg&Gs%X*JS7fAzIUEVc6U@EnG7n{XI+SSSojGM>U>dA9yO$6a4*Qq)&8XB>
z$9LT%ZlUkovhbG!Uf2Z$$|El>$JtN>f#bCMWUTop5^VCCKN_#;98u-Qzf(q>r4UR1
z)mHJyRTTa0HPtjfHZt6Qf|2~O>#xC)uqyq*lkW7O<dtVcqj8!!vcm@<?`SHr`kHPU
zGu@c+GyE<XBS0}Idzy&g1o`VkH)pI@9b0MsEA#+>&$F*$B8HKnQsSnoiO(MJPDNmW
zXXV$3TkYN3qkZ^lu&f#%#gN|Is@cV|tbrAx*TBWamFItnJT*?UKUf#?q0kh{_H=*W
zMvb5p%Y}uYRt_-5e|rc5D<n9YSv@)`3R##08+%O+$0m+F;?a~n>AlW+XY=FgYW5nV
z>+tU`KO&)l9xAHYuw(I(rp4zVZ}y6}XE1c$hJEF$M<2&Q_O+Oso6}t`2_5js+?WD;
z2r)vtP-X%_iA*!^>!RCJD-O_vypBKbr0Nk$?P00TaXSz<god{M4N6rE8yU4}4A$n0
zI6)v{Y_e3YfKuDTwzh8KbT&#5jA&U|V4Db~1zSF)Rbe<N77pb9J~``o6;(31l#KSN
zq;0=~y1WN%A}Zqx`(E2UVu@Ek3xo5#$)Q!RT*y%$!0#G05^woav>~|=(@*#;%gqky
z)Kv8hX8FE<x&v~iUp0Xbz~YaIZpHHQ9%vrI38Vr)a`UKl^3@8C1T7(9lIGL7B6cm*
zR2Mr?S53NPbIPdqL!ytzjj}kJz%*3-;>Zk=v#vYx1k_F;t1kd@(keVNT3UEMf2P#U
zF6jI`E?gig`BmUU)wh~r5DN}_3Up*M3WuI>+1#B_7woHJL1}Jnk*es@^USNzTNT6h
z=N*c+xTK_H1voS`R2vo<8Mz#Qjg74dq@_*6QQmr8>aZ{|@;n*4lisAb2Xuq!(0CZ_
z8L6>kG~}feh>PX5aj|@XUnFyL^RNvxjD?G7i1(r%X=}EP+FUn+7js!$&YIhfY64CL
z+x_xRsL06Jpg37^hzPr8pZ)Bn0j;c*=7V>`l&+-kJR5&>hr>I(3VUj_csveGTCSez
z+>Hf?&@i5<GXFY!=P#D{F}v2^2oB3WqWlbpB7NR_>4Kzz=u6QP4Ri(O_@<u-iybFT
zZgG#hyhbbz2}c^ep3qGL9tTg@e#BF2IH}70Ot&{n)a~EUZ78Hh?j5a@IojFQVh($;
zG1n%%gVpTgl~~PR@PDn1DWX-P#_K8Fywrg5#$Q#)PdF#Xlgb)d=JcvI`fe|qZr}g?
z^?KiGuCHEh#DVXYf>9zL!|>6zhQ!8OaJDk%W&G^rh0qe!RwFTGZb6|Z){|6HO0lno
z_-RWgnH#>kQU5)Ji7Uw7c6qY3>+@5cQRFwJ2K0Dw!cyeL>YX(Nr5|aggseJoPnQuW
zDDtcLf^<)D=Pg+$MNK0Xi^&eIAH{5QF@yBZM-9N{0YuD#P3x*TOs;~3nh6m6$*cK&
z&9K`5=9>)tP3wb6L&t9E<%yNzpm3W|7i+tg0*{Z^^801*SFx1uj}8YFwj1h(xR|yq
zON-+tRS6c7<ipCN^0f*jZPEVDooTP@&Y@0D+#8}}d?UPi*TL;r#_itR=<59-RtD+|
zS6ZwBoWuzIR+b94mS|^sx2C4L7W7<tL}yP?tX)fP`+faGt=CHX<;n+P-^J-&HnVHZ
z>#x|2wb)VLnsd>Q@*h%W$Bn^|rEM_dJI@MY?Rurq&YY3?@QR>cztxq`qR!X0xEi4w
z1ZH~?=0G?)ieKqxuZV*f+I}y}$6xV0Je30Pr)gnefX97=q&%OuV%=mp1MKOt=g&RO
z2u>v>)?;mT%BC)(P;@fXhB)GgTsF(7&G@ieJ^uJETKAkNks!L=(bSMeNNPk>kb7-q
zeae=F{aU2IYS<WM?dbcIT<!Opwml!~{X^e4pA%_Sb()iqT4mexCVFIY|I6XMvA(!d
z8hTx#SJVf)eSZ7&an%cF1GC<Kex>GMu2pM6I_Z&kq&C!k?3|$J<*npK@v>=4TXEw4
zKNc2K^j-Zy!zaxrc~Aw{e9_h3<#nD-;w&7&qRXGLZTf3mxkdLSoNw1N`tL1@3c<xR
z0r)m5Iq(Jvnf&s86`6?Sh*MF{-X9HM5_@e}%@W(H{mT7*7n{s*#AI7n__XBg>8#oY
zg3t3_PY>%}g;8+#FC)t02H^-fe#REeOti3|FnBq;+rDZ{R?qhT1-F_jwfOlv<Fijk
z9NQbZNi;RHTin7XJ>2xTZ+-Q5bkc}5Rj=YJ(kfT^WMiLmwaxlXw1X~SQaIquj6l%#
z$*_!JtuSpLwk-+y{UxD^G+S|wX#FH@m=|OA?iNC_?F#$Skc56=*8ShUUFGT6h_%h3
zDuW+X(^+h<PDi=CQM<mEe^{Bd0*>cD`<ugFa_OMUcTZXAQeItByq+J{iS+>-^2oBB
zED1w>$or-H8^9bPN(hqe@J4%M4Nws{27yY|*jxlrE)++tg3=2+JbzZ2Ht-15TzK2(
zEq@uGva_@>V@*r=f#R=^#tFA#S;+~JCLezy#kdhPvTm=@ZAard>^n4z6qqcAIr~g_
z#zlSVwb9|mvC)lKK8gH<45w_q2$fRdOU>ZG%?fwY1k)=DIMr@iid2LJV%i*cvHJxC
zeK-iiNwsjoCc9#5IW<UL=P$0NqZ3>hHip{oDWoEzKd$WoG{m^-&B@+J*vHuEXhEED
z?|T86vw&w*or*ZAt83}swy@B_|5L@4heN@2@iB<TmL<#>+lyphifqZgWQiDiWG7T8
z`#xoC*(Qx8WNT!X$Yh%g4GmdJV;}n(2H8S=qxX;R`|h9TxxahQIrp63xzBT+=WO=Q
zvv&xkTVy$y2nDO7>hr(8kj?NYZD5}*E(}&iqqr>BZQ{l-<4a|ZLzRzN`e|QDzCgw6
zfaMiSn!lqWoAY!Rog+XkrjUS?%ah~rWqZN{^AZWtEs-h$=E$*ep^NvYb}u!eHgLjl
z{IRL(gGx$XK1gG!i_vv3rw?jw(0%yz+=9LHr{&*^N*uX82v}xIFilM3EqE#Ex_W4P
z42NiqPMkynkB`8mg*LM~Cd9L8X8-v#;clUNVMJsUFLrmG$>g@t-Q(RLtt>j0<I`h>
zz!E`aE|&d;%2fEwG`Y7S27mk{%Ej!}8I$ADwDz)&CvepPARixJ0j*klw1HqLiaLz*
zu$|mTqo7W7AJ})o+B`9L53V0O$*IzmZ68%Dbp~8kk>pQmK-R>Fo7=$|wW=)mcnNEX
z>TF#uy8Y$~Vt(ohZd9CJ)b6o**~|?SuF4B4ul}C80!~_3Ujr2*?{(!fjSjobZm&5~
zJC1vPed|ZaULhXuN^`*yK0CYn=B#1w6>oKqS+kdSOOWb9dlLjuw&-)R@h#9y)D{gU
zW0NLSpF6K|)Xljy0ay}!EaWCFnNqC{*3O+N1Jeq-gekxBj6F!KmdH&0^>9H?hFgTG
z!;ODkzV#q=_^Q11$Kr{;nJ>lfyp7DnmQWJ=N#oqo2t;QslVI5Ji2?o}na>QCp@T#V
zE69-}5-}t<H3K`$JO^hesmw6S%ITsT)kyp39{do3P8CR9a3K4Y@z5QajOWcn#6hQ3
zH68j)Tmm024m*AWr7v6m@vdqJP;wdCf9f<^+K{A`U-V-!rhs-@P{ZfBF+nBm7tr2i
zY2|1Ns?^UBitrFBqGn0~Z}_L3H}DS^7omMhG7uZGCe%$*TJ3$ppK2mjkxGU#W{dX~
ziwmEv$^~Io0fx86%_}9%TvJ+bbg=aKcdANhC9v4U{(?A2U?s}!sbEL*Y%si8;4#gZ
z=Ke31dFVxF%YoXZKf3fe(SxXFk<vt%h78?LNit7o77o)b)ZGYv)U>T9hPod_#wgw&
zDk*mX;;kBl4Sl)0bO;`w!1Fxbnt752v~PYN%)Z7$>I2P~==T<39(;w5N9(v3WIkmW
zd59mlO}#Lz&mZF5o_1Saa?i;A;~6E|(~rvlZV)Bw-t^v_H)E4eu@!t>dDZS+`FE+t
z_OhJ-jR9Z>_-<<CN7BhinWaFJksUgtAFNlY<Vgj)Q3z$V@7~bA>A32giG6D81%G&(
zRCAgWi$9i+g-%x_`00^VV7b7zsW-YV`Mf#*1REgaT+!4Ryu^By*bsYkwdcq|pf!iV
z7am3P(0ku(1#X-A4OHIQ%8M^b*rV=_67D2WU1vD4y8B3Z;o;8#LIj7kG+5-x&K+O3
zH8!NdfWP}KlT;&Xo@HjyAn=hiLrmu_sm$A_6N5@p#^a@7n11aWHs$hT3#-@?FCB(x
zj8Fn3swk#Zk7YotnXl<$P~Is{!cRoT1jX-4l}(eC$BWIS?URCy<K(Xp=<Qu}8Sik!
zo0qc!GULPlhVMDcl|*@G7cQeB1dU?cpI5n;Nd|n)Bvw#MPU1!P3QJ?F^UD=;GpTJ*
z55Xgw?g}-zkmmGaSnF)6##XaUvx7O4I4(bS=SJZY*tJxH^L0pBt))@7E%caP0P-Ta
zw3b`5lN&{i%q-T^hf=J%+C#8YT!W9W3YLfJ4+c~&Q^%&W>WfF|LZ0+a#fAJ;i6MTs
z2Q&}r{8_BXkVcz<19BRgEN<RpD{^4}Z8ythh411n4LHx5_FA}y$$fvv_L<gh-`<qY
z<b`bb^X&X?s=6;hGSagnQ}K`lKlp?aT640IU}iH?_<{#iZ1t?qn8r9+>IV<a-)NKr
ztl{!Rb}Y&J21-Fvb4abvryK()#c3kP2b1R=b{&^7(k<k(i20Yi)YQ}%LMV%qOeT+O
z4gg8~RY=nA_9M(}Lu351{}*D|289#0F4mk$BQUd9&ZL`FduMz3N0wwI*TfTdZCl5B
zS%`+W1r6R1I_va!gijFWnCY-Bx#u+7b)Q`=x%`JOZ2MwnEzZDEQPo6d3R%V|B0`f>
zybHBb4)gL)Qb>;N-i`i#D{k_u!9|eNiNu5H{mf|@1K-<eT@8!zx4uIP@XAi>jqn0m
z_1xEkjfz@j{&L|h$U?(v-m&(p9$rsHu892_Yc2@g($tEoe`6EoQ80uiFcnrRsHFuy
z`1ekO+)nk8FdibDWB0x45%^w@{$!WtkT?5q2BTnh$-mH!+%}X~bkijH$PS0M#oC{z
z==v~Ms~TwhA(`apZZqTa^2DIJDLIAx$V$KB_v~)yQX5);1Eyok`VkvmFiBqhFRpy%
zQ+4Z)?GGtpYFvk_8>Ug;x0HbJex+umjl!_4SRf0HzQDKBpa9(RJ*FuoYoE3(inCc#
z+%Knz9vYVG|FBj$8gf7a-ZB?oA0gaoJD9=T1sXeV`z^%Z8i9Q9pKNqgU9p`Ja$QY+
z2kj<YqnG$CEZT8A9iF+L#QLdUI;8!~3hi263QOJ58s=kLdE3=TYzh6dbiohQdk)Ue
zNvU7cv|TDJcP4^P|KyeMb!$(U<SheO{x>`#6k|MRtzno5!Xe0|Y8Wd}EsBX|!aA1;
zo+O^W9QW8a#8Il?W+-QS8wfADdFkCioB-boKcPGHGDjrlkY(!|=G#L47oLntB&ad8
zdJfh%-H!`F)_%Rya`|T9Acr2<t$VVZ@grJR41|m)eNh#1XXAUYK6G!6($2Kj1wK~k
z<ReSAdIlbH6~m(Sv1W8nBsKEZk|iXhKM+wELu7n8@VN!--1|mul?$->w}sk15+(1H
z=E^P#LrFjL-*YYN|3Fhy><nzbYnMidOUW{=|KOv^m90onA)c?gZVq;g03j=CRCaWe
zk@IX8Dhgn3q$aeHN3CS|+ib^zZ3t<Jj7G&Y-=s`EdZu37%BXNphxH`NiP6@9E&NrA
zr4t+3L6~5Petqh4gIaDO=RJGQIJqZm{Qhx!u^#)dK}1rFXKZkVSQm`Oy8{A!`rWH<
zgd-8v$h#;iu8l{Vaoc&5Db*px?NT_)oIpC0gYoChaL(!X%2%nhyQ<Yi?S<<A4aK~p
zgsFD=YrR~b2T^RAP>)7EA|UOxZ=LwLZUJ;8NyHp6N@5M+40)g1xpq)1b#0CaR41Yb
znbX*_ismgYzu4FFOfY%r63M%p>N!iTh`6uuiW@<z!F$1qJa6jcz$swX6e-8Ot0AL?
z^PBqG&MzJRI|$o=4Ikl<x7J@_1OzXXCO0(QX@6PH$XlqzJv@Ku*^Q!X(d+(oX+Nii
zLP!nd_WmL%rGLDlBKEL=EawY2=(4HPBqqko1udh4)fzM-c~aS{Z?u3`mVuPlP-rq-
zKUzx!)$cvE`u%0@m!pbLeR^M2f4Q0kIDlCF$n>4^gZJk#F1v$8X!JDx;5x(B1aw^B
ziv!@%#~}@6r?BJH8Am7P9M|}3rsl54Y<X-K1Hg}Ya&6UmfE0fy57T+RJPo880B&)1
zs!>zxNO@cn5>3Ln`d!;SwRHE21Tk^1x~Pgs*EnrW>_iT99xEcEPiiYM8oqJ9GBrt|
zbUs@Lx-}L7tKmRY<X4o=sca8KlHcr_)=||K$j6&At0&r$;-8jo%)P<X(cDVl{7%Gi
zE$Wx;K&R(8bR5ERK$|PRfH~Z@mDd+MF{W(A)8J_%_|~r+=t@RHL{}w*4X2NmBPn!7
zr=%N_QHYT-^UqCZ*yEA;J-2C##o;J_O#}krNyWnQf9V)<;-vamk}_BhAlpL<gQ$Z3
ssRP`l!UAJx0So|6fF!^M@IL~5s^e<Lud0h|ZD$BWT~nPJt-Epm0prRoN&o-=

literal 0
HcmV?d00001

diff --git a/cli/experimental/images/ipvlan_l2_simple.svg b/cli/experimental/images/ipvlan_l2_simple.svg
new file mode 100644
index 00000000..48097dc8
--- /dev/null
+++ b/cli/experimental/images/ipvlan_l2_simple.svg
@@ -0,0 +1 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="343" height="311.5"><style xmlns="http://www.w3.org/1999/xhtml"></style><defs><linearGradient id="tFoWDamkeRwJ" x1="0px" x2="0px" y1="100px" y2="-50px" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#3d85c6"/><stop offset="1" stop-color="#FFFFFF"/></linearGradient><linearGradient id="rNGNyECMdeKI" x1="0px" x2="0px" y1="100px" y2="-50px" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#3d85c6"/><stop offset="1" stop-color="#FFFFFF"/></linearGradient></defs><g transform="translate(0,0)"><g><rect fill="#ffffff" stroke="none" x="0" y="0" width="343" height="311.5"/></g><g transform="translate(0,0) matrix(1,0,0,1,77,162.90096991491666)"><g><g transform="translate(0,0) scale(0.62,0.32300163132136867)"><g><path fill="url(#tFoWDamkeRwJ)" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(1.6129032258064517,3.0959595959596116)"><path fill="none" stroke="none" d="M 0 0 L 62 0 Q 62 0 62 0 L 62 32.300163132136866 Q 62 32.300163132136866 62 32.300163132136866 L 0 32.300163132136866 Q 0 32.300163132136866 0 32.300163132136866 L 0 0 Q 0 0 0 0 Z"/><path fill="url(#tFoWDamkeRwJ)" stroke="#6fa8dc" d="M 0 0 M 0 0 L 62 0 Q 62 0 62 0 L 62 32.300163132136866 Q 62 32.300163132136866 62 32.300163132136866 L 0 32.300163132136866 Q 0 32.300163132136866 0 32.300163132136866 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,84.45937956643391,158.4009699149168)"><g transform="translate(0,0)"><g transform="translate(-86.91999999999999,-162.47030107315481) translate(2.4606204335660777,4.069331158238015) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 88.95937956643391 162.9009699149168 L 88.95937956643391 195.20113304705336" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,122.54062043356592,158.40096991491632)"><g transform="translate(0,0)"><g transform="translate(-128.46,-164.19297644020213) translate(5.919379566434088,5.792006525285814) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 127.04062043356592 162.90096991491632 L 127.04062043356592 195.20113304705367" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,103.5,158.40096991491666)"><g transform="translate(0,0)"><g transform="translate(-106.14,-164.19297644020213) translate(2.6400000000000006,5.792006525285473) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 108 162.90096991491666 L 108 195.20113304705353" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,35,196)"><g transform="translate(156,42) matrix(1,0,0,1,0,0) translate(-156,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="147" height="28" fill-opacity="0"/></g></g><g transform="translate(156,42) matrix(1,0,0,1,0,0) translate(-156,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="147" height="14" fill-opacity="0"/></g></g><g transform="translate(156,42) matrix(1,0,0,1,0,0) translate(-156,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="45" y="0" width="57" height="14" fill-opacity="0"/></g></g><g transform="translate(156,42) matrix(1,0,0,1,0,0) translate(-156,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="45" y="0" width="57" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="45" y="12">container1</text></g><g transform="translate(156,42) matrix(1,0,0,1,0,0) translate(-156,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="147" height="14" fill-opacity="0"/></g></g><g transform="translate(156,42) matrix(1,0,0,1,0,0) translate(-156,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="14" width="81" height="14" fill-opacity="0"/></g></g><g transform="translate(156,42) matrix(1,0,0,1,0,0) translate(-156,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="14" width="81" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="33" y="26">192</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="53" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="57" y="26">168</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="77" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="80" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="87" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="90" y="26">2</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="97" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="100" y="26">24</text></g></g><g transform="translate(0,0) matrix(1,0,0,1,168,162.818751317853)"><g><g transform="translate(0,0) scale(0.62,0.3176182707993458)"><g><path fill="url(#rNGNyECMdeKI)" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(1.6129032258064517,3.148433487416555)"><path fill="none" stroke="none" d="M 0 0 L 62 0 Q 62 0 62 0 L 62 31.76182707993458 Q 62 31.76182707993458 62 31.76182707993458 L 0 31.76182707993458 Q 0 31.76182707993458 0 31.76182707993458 L 0 0 Q 0 0 0 0 Z"/><path fill="url(#rNGNyECMdeKI)" stroke="#6fa8dc" d="M 0 0 M 0 0 L 62 0 Q 62 0 62 0 L 62 31.76182707993458 Q 62 31.76182707993458 62 31.76182707993458 L 0 31.76182707993458 Q 0 31.76182707993458 0 31.76182707993458 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,175.4593795664339,158.31875131785318)"><g transform="translate(0,0)"><g transform="translate(-177.92,-162.39526029012058) translate(2.4606204335660777,4.076508972267391) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 179.9593795664339 162.81875131785318 L 179.9593795664339 194.58057839778746" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,213.54062043356592,158.3187513178527)"><g transform="translate(0,0)"><g transform="translate(-219.46,-164.08922440105042) translate(5.919379566434088,5.7704730831977145) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 218.04062043356592 162.8187513178527 L 218.04062043356592 194.58057839778775" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,194.5,158.318751317853)"><g transform="translate(0,0)"><g transform="translate(-197.14,-164.08922440105042) translate(2.6399999999999864,5.770473083197402) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 199 162.818751317853 L 199 194.5805783977876" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,126,195)"><g transform="translate(123,28) matrix(1,0,0,1,0,0) translate(-123,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="147" height="30" fill-opacity="0"/></g></g><g transform="translate(123,28) matrix(1,0,0,1,0,0) translate(-123,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="147" height="14" fill-opacity="0"/></g></g><g transform="translate(123,28) matrix(1,0,0,1,0,0) translate(-123,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="45" y="0" width="57" height="14" fill-opacity="0"/></g></g><g transform="translate(123,28) matrix(1,0,0,1,0,0) translate(-123,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="45" y="0" width="57" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="45" y="12">container2</text></g><g transform="translate(123,28) matrix(1,0,0,1,0,0) translate(-123,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="147" height="14" fill-opacity="0"/></g></g><g transform="translate(123,28) matrix(1,0,0,1,0,0) translate(-123,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="14" width="81" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="33" y="26">192</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="53" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="57" y="26">168</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="77" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="80" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="87" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="90" y="26">3</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="97" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="100" y="26">24</text></g></g><g transform="matrix(1,0,0,1,104,130)"><g transform="translate(34,0) matrix(1,0,0,1,0,0) translate(-34,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="147" height="14" fill-opacity="0"/></g></g><g transform="translate(34,0) matrix(1,0,0,1,0,0) translate(-34,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="147" height="14" fill-opacity="0"/></g></g><g transform="translate(34,0) matrix(1,0,0,1,0,0) translate(-34,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="34" y="0" width="79" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="34" y="12">pub_net</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="78" y="12"> (</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="85" y="12">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="109" y="12">)</text></g></g><g transform="matrix(1,0,0,1,95,100)"><g transform="translate(148,-14) matrix(1,0,0,1,0,0) translate(-148,14)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="147" height="14" fill-opacity="0"/></g></g><g transform="translate(148,-14) matrix(1,0,0,1,0,0) translate(-148,14)"><g/></g><g transform="translate(148,-14) matrix(1,0,0,1,0,0) translate(-148,14)"><g><rect fill="rgb(0,0,0)" stroke="none" x="74" y="-7" width="1" height="14" fill-opacity="0"/></g></g><g transform="translate(148,-14) matrix(1,0,0,1,0,0) translate(-148,14)"><g><rect fill="rgb(0,0,0)" stroke="none" x="74" y="-7" width="1" height="14" fill-opacity="0"/></g></g><g transform="translate(148,-14) matrix(1,0,0,1,0,0) translate(-148,14)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="1" height="14" fill-opacity="0"/></g></g></g><g transform="matrix(1,0,0,1,16,114)"><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="75" height="14" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="75" height="14" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="4" y="0" width="67" height="14" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="4" y="0" width="67" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="4" y="12">Docker</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="46" y="12">Host</text></g></g><g transform="matrix(1,0,0,1,81.616,49.859996948242184)"><g transform="translate(0,0)"><g transform="translate(-85,-50) translate(3.3840000000000003,0.1400030517578159) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#999999" d="M 88.116 56.359996948242184 L 160.558 56.359996948242184 Q 170.558 56.359996948242184 170.558 66.35999694824218 L 170.558 102 Q 170.558 112 169.779 112 L 169 112" stroke-miterlimit="10" stroke-width="6"/></g></g></g></g><g transform="matrix(1,0,0,1,73,236)"><g transform="translate(0,168) matrix(1,0,0,1,0,0) translate(0,-168)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="193" height="56" fill-opacity="0"/></g></g><g transform="translate(0,168) matrix(1,0,0,1,0,0) translate(0,-168)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="193" height="14" fill-opacity="0"/></g></g><g transform="translate(0,168) matrix(1,0,0,1,0,0) translate(0,-168)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="174" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="0" y="12">docker</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="39" y="12">network</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="85" y="12">create</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="118" y="12"> -</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="125" y="12">d</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="135" y="12">ipvlan</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="167" y="12"> \</text></g><g transform="translate(0,168) matrix(1,0,0,1,0,0) translate(0,-168)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="193" height="14" fill-opacity="0"/></g></g><g transform="translate(0,168) matrix(1,0,0,1,0,0) translate(0,-168)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="152" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="13" y="26">--</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="21" y="26">subnet</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="57" y="26">=</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="64" y="26">192</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="84" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="88" y="26">168</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="108" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="111" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="118" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="121" y="26">0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="128" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="131" y="26">24</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="144" y="26"> \</text></g><g transform="translate(0,168) matrix(1,0,0,1,0,0) translate(0,-168)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="28" width="193" height="14" fill-opacity="0"/></g></g><g transform="translate(0,168) matrix(1,0,0,1,0,0) translate(0,-168)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="28" width="144" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="13" y="40">--</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="21" y="40">gateway</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="66" y="40">=</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="73" y="40">192</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="93" y="40">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="96" y="40">168</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="116" y="40">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="120" y="40">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="126" y="40">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="130" y="40">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="136" y="40"> \</text></g><g transform="translate(0,168) matrix(1,0,0,1,0,0) translate(0,-168)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="42" width="193" height="14" fill-opacity="0"/></g></g><g transform="translate(0,168) matrix(1,0,0,1,0,0) translate(0,-168)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="42" width="139" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="13" y="54">-</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="17" y="54">o</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="27" y="54">parent</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="61" y="54">=</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="68" y="54">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="95" y="54">pub_net</text></g></g><g transform="matrix(1,0,0,1,89,24)"><g transform="translate(0,0) matrix(1,0,0,1,0,0) translate(0,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="102" height="28" fill-opacity="0"/></g></g><g transform="translate(0,0) matrix(1,0,0,1,0,0) translate(0,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="102" height="28" fill-opacity="0"/></g></g><g transform="translate(0,0) matrix(1,0,0,1,0,0) translate(0,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="81" height="28" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="0" y="12">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="0" y="26">192</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="20" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="23" y="26">168</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="43" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="47" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="53" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="57" y="26">0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="63" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="67" y="26">24</text></g></g><g transform="matrix(1,0,0,1,58.49998401988711,49.575)"><g transform="translate(0,0)"><g transform="translate(-147,-50) translate(88.50001598011289,0.42499999999999716) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#999999" d="M 64.99998401988711 56.075 L 241 56.075" stroke-miterlimit="10" stroke-width="6"/></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,241,36)"><g><g transform="translate(0,0) scale(0.6083333333333336,0.6104050109462419)"><g><g><path fill="#3966A0" stroke="rgb(0,0,0)" d="M 102.635 0 C 93.815 0 86.371 6.797 85.395 15.43 L 4.554 15.43 C 2.043 15.431 0 17.473 0 19.984 L 0 53.338 C 0 55.849 2.043 57.892 4.554 57.892 L 8.016 57.892 L 8.016 65.776 L 96.471 65.776 L 96.471 57.892 L 99.672 57.892 C 102.184 57.892 104.227 55.849 104.227 53.338 L 104.227 34.655 C 107.211 34.382 109.971 33.334 112.331 31.735 L 112.331 31.735 C 112.785 31.428 113.223 31.1 113.643 30.753 C 113.655 30.744 113.665 30.734 113.676 30.725 C 114.093 30.38 114.492 30.017 114.875 29.635 C 114.875 29.635 114.887 29.623 114.893 29.617 C 118.039 26.471 120 22.143 120 17.365 C 120 7.79 112.21 0 102.635 0 Z" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 102.688 3.191 C 94.836 3.191 88.45 9.579 88.45 17.43 C 88.45 25.281 94.838 31.669 102.688 31.669 C 110.54 31.669 116.926 25.281 116.926 17.43 C 116.926 9.579 110.539 3.191 102.688 3.191 Z M 97.377 20.901 C 97.118 20.901 96.859 20.802 96.662 20.605 C 96.267 20.21 96.267 19.569 96.662 19.174 L 97.412 18.424 L 91.228 18.424 C 90.669 18.424 90.216 17.971 90.216 17.412 C 90.216 16.853 90.67 16.4 91.229 16.4 L 97.414 16.4 L 96.699 15.686 C 96.303 15.291 96.303 14.65 96.699 14.255 C 97.095 13.86 97.735 13.86 98.13 14.255 L 100.571 16.696 C 100.665 16.79 100.739 16.902 100.791 17.026 C 100.894 17.273 100.894 17.552 100.791 17.799 C 100.739 17.924 100.665 18.036 100.571 18.129 L 98.093 20.605 C 97.895 20.802 97.637 20.901 97.377 20.901 Z M 105.863 25.522 L 103.422 27.963 C 103.225 28.161 102.965 28.259 102.707 28.259 C 102.698 28.259 102.689 28.254 102.68 28.254 C 102.671 28.254 102.663 28.259 102.655 28.259 C 102.305 28.259 102.012 28.07 101.83 27.801 L 99.515 25.484 C 99.119 25.089 99.119 24.448 99.515 24.053 C 99.91 23.658 100.55 23.658 100.945 24.053 L 101.644 24.752 L 101.644 9.174 L 100.945 9.873 C 100.748 10.071 100.488 10.169 100.23 10.169 C 99.97 10.169 99.711 10.07 99.515 9.873 C 99.119 9.478 99.119 8.837 99.515 8.442 L 101.954 6 C 102.35 5.605 102.988 5.605 103.385 6 L 105.864 8.478 C 106.26 8.873 106.26 9.514 105.864 9.909 C 105.667 10.107 105.408 10.205 105.149 10.205 C 104.889 10.205 104.63 10.106 104.434 9.909 L 103.667 9.143 L 103.667 24.857 L 104.434 24.091 C 104.829 23.696 105.468 23.696 105.864 24.091 C 106.258 24.486 106.258 25.126 105.863 25.522 Z M 114.148 18.46 L 107.964 18.46 L 108.677 19.174 C 109.073 19.569 109.073 20.21 108.677 20.605 C 108.48 20.803 108.22 20.901 107.961 20.901 C 107.702 20.901 107.442 20.802 107.246 20.605 L 104.808 18.165 C 104.713 18.072 104.64 17.959 104.587 17.835 C 104.485 17.588 104.485 17.309 104.587 17.062 C 104.64 16.937 104.713 16.825 104.808 16.732 L 107.284 14.255 C 107.68 13.86 108.32 13.86 108.715 14.255 C 109.11 14.65 109.11 15.291 108.715 15.686 L 107.964 16.437 L 114.149 16.437 C 114.708 16.437 115.161 16.89 115.161 17.449 C 115.16 18.008 114.707 18.46 114.148 18.46 Z" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 80.533 36.476 A 3.247 3.247 0 1 0 80.53299837650013 36.47924699945883 Z" opacity="0.5" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 9.278 35.006 L 20.39 35.006 L 20.39 24 L 9.278 24 L 9.278 35.006 Z M 10.929 25.567 L 18.819 25.567 L 18.819 31.173 L 16.536 31.173 L 16.536 33.456 L 13.213 33.456 L 13.213 31.173 L 10.93 31.173 L 10.929 25.567 L 10.929 25.567 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 24.253 35.015 L 35.365 35.015 L 35.365 24.009 L 24.253 24.009 L 24.253 35.015 Z M 25.904 25.576 L 33.794 25.576 L 33.794 31.182 L 31.51 31.182 L 31.51 33.465 L 28.187 33.465 L 28.187 31.182 L 25.904 31.182 L 25.904 25.576 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 50.3 24.009 L 39.188 24.009 L 39.188 35.014 L 50.3 35.014 L 50.3 24.009 Z M 48.729 31.173 L 46.446 31.173 L 46.446 33.456 L 43.123 33.456 L 43.123 31.173 L 40.84 31.173 L 40.84 25.567 L 48.73 25.567 L 48.729 31.173 L 48.729 31.173 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 54.123 35.023 L 65.234 35.023 L 65.234 24.018 L 54.123 24.018 L 54.123 35.023 Z M 55.774 25.567 L 63.664 25.567 L 63.664 31.173 L 61.38 31.173 L 61.38 33.456 L 58.057 33.456 L 58.057 31.173 L 55.774 31.173 L 55.774 25.567 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 9.278 49.95 L 20.39 49.95 L 20.39 38.944 L 9.278 38.944 L 9.278 49.95 Z M 10.929 40.502 L 18.819 40.502 L 18.819 46.108 L 16.536 46.108 L 16.536 48.391 L 13.213 48.391 L 13.213 46.108 L 10.93 46.108 L 10.929 40.502 L 10.929 40.502 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 24.253 49.958 L 35.365 49.958 L 35.365 38.953 L 24.253 38.953 L 24.253 49.958 Z M 25.904 40.52 L 33.794 40.52 L 33.794 46.126 L 31.51 46.126 L 31.51 48.408 L 28.187 48.408 L 28.187 46.126 L 25.904 46.126 L 25.904 40.52 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 39.228 49.966 L 50.34 49.966 L 50.34 38.962 L 39.228 38.962 L 39.228 49.966 Z M 40.839 40.511 L 48.729 40.511 L 48.729 46.117 L 46.446 46.117 L 46.446 48.4 L 43.123 48.4 L 43.123 46.117 L 40.84 46.117 L 40.839 40.511 L 40.839 40.511 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 54.123 49.966 L 65.234 49.966 L 65.234 38.962 L 54.123 38.962 L 54.123 49.966 Z M 55.774 40.511 L 63.664 40.511 L 63.664 46.117 L 61.38 46.117 L 61.38 48.4 L 58.057 48.4 L 58.057 46.117 L 55.774 46.117 L 55.774 40.511 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 11.504 57.898 L 92.919 57.898 Q 92.919 57.898 92.919 57.898 L 92.919 62.69 Q 92.919 62.69 92.919 62.69 L 11.504 62.69 Q 11.504 62.69 11.504 62.69 L 11.504 57.898 Q 11.504 57.898 11.504 57.898 Z" opacity="0.7" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 85.525 18.936 L 5.082 18.936 C 4.255 18.936 3.582 19.609 3.582 20.436 L 3.582 53.397 C 3.582 54.224 4.255 54.897 5.082 54.897 L 11.504 54.897 L 92.919 54.897 L 99.082 54.897 C 99.909 54.897 100.582 54.224 100.582 53.397 L 100.582 34.526 C 92.561 33.543 86.232 27.039 85.525 18.936 Z M 20.389 49.95 L 9.278 49.95 L 9.278 38.944 L 20.39 38.944 L 20.389 49.95 L 20.389 49.95 Z M 20.389 35.006 L 9.278 35.006 L 9.278 24 L 20.39 24 L 20.389 35.006 L 20.389 35.006 Z M 35.365 49.958 L 24.253 49.958 L 24.253 38.953 L 35.365 38.953 L 35.365 49.958 Z M 35.365 35.015 L 24.253 35.015 L 24.253 24.009 L 35.365 24.009 L 35.365 35.015 Z M 39.188 24.009 L 50.3 24.009 L 50.3 35.014 L 39.188 35.014 L 39.188 24.009 Z M 50.34 49.966 L 39.228 49.966 L 39.228 38.962 L 50.34 38.962 L 50.34 49.966 Z M 65.234 49.966 L 54.123 49.966 L 54.123 38.962 L 65.234 38.962 L 65.234 49.966 Z M 65.234 35.023 L 54.123 35.023 L 54.123 24.018 L 65.234 24.018 L 65.234 35.023 Z M 77.286 39.723 C 75.493 39.723 74.039 38.269 74.039 36.476 C 74.039 34.683 75.493 33.229 77.286 33.229 C 79.079 33.229 80.533 34.683 80.533 36.476 C 80.533 38.269 79.08 39.723 77.286 39.723 Z M 89.541 39.723 C 87.748 39.723 86.294 38.269 86.294 36.476 C 86.294 34.683 87.748 33.229 89.541 33.229 C 91.334 33.229 92.788 34.683 92.788 36.476 C 92.787 38.269 91.334 39.723 89.541 39.723 Z" opacity="0.93" stroke-opacity="0" stroke-miterlimit="10"/></g></g></g></g></g><g transform="matrix(1,0,0,1,222,79)"><g transform="translate(20,28) matrix(1,0,0,1,0,0) translate(-20,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="102" height="28" fill-opacity="0"/></g></g><g transform="translate(20,28) matrix(1,0,0,1,0,0) translate(-20,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="102" height="14" fill-opacity="0"/></g></g><g transform="translate(20,28) matrix(1,0,0,1,0,0) translate(-20,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="9" y="0" width="84" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="9" y="12">Network</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="57" y="12">Router</text></g><g transform="translate(20,28) matrix(1,0,0,1,0,0) translate(-20,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="102" height="14" fill-opacity="0"/></g></g><g transform="translate(20,28) matrix(1,0,0,1,0,0) translate(-20,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="11" y="14" width="82" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="11" y="26">192</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="31" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="34" y="26">168</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="54" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="58" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="64" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="68" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="74" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="78" y="26">24</text></g></g><g transform="translate(0,0) matrix(1,0,0,1,22.803646598905374,21.51999694824218)"><g><g transform="translate(0,0) scale(0.9127109745695561,0.9)"><g><g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 52.371 16.22 L -1.393 16.22 L -1.393 99.52 L 52.371 99.52" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 52.371 99.52 L 69.07 82.82 L 69.07 -0.48 L 19.98 -0.48 L -1.393 16.22 L 52.371 16.22 L 52.371 99.52 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="rgb(0,0,0)" stroke="#FFFFFF" d="M 52.371 16.22 L 69.07 -0.48" fill-opacity="0" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="rgb(0,0,0)" stroke="#FFFFFF" d="M 25.3 16.22 L 25.3 99.52" fill-opacity="0" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="rgb(0,0,0)" stroke="#FFFFFF" d="M 26.149 16.22 L 44.316 -0.48" fill-opacity="0" stroke-miterlimit="10" stroke-width="1.3594"/></g></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 3.263 23.823 L 21.317 23.823 Q 21.317 23.823 21.317 23.823 L 21.317 34.868 Q 21.317 34.868 21.317 34.868 L 3.263 34.868 Q 3.263 34.868 3.263 34.868 L 3.263 23.823 Q 3.263 23.823 3.263 23.823 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 29.156 23.823 L 47.207 23.823 Q 47.207 23.823 47.207 23.823 L 47.207 34.868 Q 47.207 34.868 47.207 34.868 L 29.156 34.868 Q 29.156 34.868 29.156 34.868 L 29.156 23.823 Q 29.156 23.823 29.156 23.823 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 3.263 64.604 L 21.317 64.604 Q 21.317 64.604 21.317 64.604 L 21.317 75.648 Q 21.317 75.648 21.317 75.648 L 3.263 75.648 Q 3.263 75.648 3.263 75.648 L 3.263 64.604 Q 3.263 64.604 3.263 64.604 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 29.156 64.604 L 47.207 64.604 Q 47.207 64.604 47.207 64.604 L 47.207 75.648 Q 47.207 75.648 47.207 75.648 L 29.156 75.648 Q 29.156 75.648 29.156 75.648 L 29.156 64.604 Q 29.156 64.604 29.156 64.604 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 3.263 82.445 L 21.317 82.445 Q 21.317 82.445 21.317 82.445 L 21.317 93.49 Q 21.317 93.49 21.317 93.49 L 3.263 93.49 Q 3.263 93.49 3.263 93.49 L 3.263 82.445 Q 3.263 82.445 3.263 82.445 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 29.156 82.445 L 47.207 82.445 Q 47.207 82.445 47.207 82.445 L 47.207 93.49 Q 47.207 93.49 47.207 93.49 L 29.156 93.49 Q 29.156 93.49 29.156 93.49 L 29.156 82.445 Q 29.156 82.445 29.156 82.445 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,27.38636363636374,108.14285409109937)"><g><g transform="translate(0,0) scale(3.742857142857143,2.8181818181818183)"><g><g><g><path fill="#929292" stroke="rgb(0,0,0)" d="M 58.97 19.094 C 58.977 18.895 59 18.7 59 18.5 C 59 8.283 50.717 0 40.5 0 C 33.11 0 26.751 4.344 23.787 10.607 C 22.275 9.593 20.458 9 18.5 9 C 13.5 9 9.41 12.866 9.037 17.771 C 3.778 19.616 0 24.61 0 30.5 C 0 37.787 5.778 43.71 13 43.975 L 13 44 L 58 44 L 58 43.975 C 64.671 43.71 70 38.235 70 31.5 C 70 25.095 65.18 19.822 58.97 19.094 Z M 58 41.975 L 58 42 L 13 42 L 13 41.975 C 6.883 41.711 2 36.683 2 30.5 C 2 24.994 5.872 20.398 11.039 19.271 C 11.013 19.017 11 18.76 11 18.5 C 11 14.357 14.358 11 18.5 11 C 21.017 11 23.239 12.244 24.6 14.146 C 26.512 7.15 32.897 2 40.5 2 C 49.613 2 57 9.388 57 18.5 C 57 19.353 56.914 20.183 56.79 21 L 58 21 L 58 21.025 C 63.565 21.288 68 25.87 68 31.5 C 68 37.13 63.565 41.712 58 41.975 Z" stroke-opacity="0" stroke-miterlimit="10"/></g></g></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/cli/experimental/images/macvlan-bridge-ipvlan-l2.gliffy b/cli/experimental/images/macvlan-bridge-ipvlan-l2.gliffy
new file mode 100644
index 00000000..eceec778
--- /dev/null
+++ b/cli/experimental/images/macvlan-bridge-ipvlan-l2.gliffy
@@ -0,0 +1 @@
+{"contentType":"application/gliffy+json","version":"1.3","stage":{"background":"#FFFFFF","width":541,"height":352,"nodeIndex":290,"autoFit":true,"exportBorder":false,"gridOn":true,"snapToGrid":false,"drawingGuidesOn":false,"pageBreaksOn":false,"printGridOn":false,"printPaper":"LETTER","printShrinkToFit":false,"printPortrait":true,"maxWidth":5000,"maxHeight":5000,"themeData":{"uid":"com.gliffy.theme.beach_day","name":"Beach Day","shape":{"primary":{"strokeWidth":2,"strokeColor":"#00A4DA","fillColor":"#AEE4F4","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#004257"}},"secondary":{"strokeWidth":2,"strokeColor":"#CDB25E","fillColor":"#EACF81","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#332D1A"}},"tertiary":{"strokeWidth":2,"strokeColor":"#FFBE00","fillColor":"#FFF1CB","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#000000"}},"highlight":{"strokeWidth":2,"strokeColor":"#00A4DA","fillColor":"#00A4DA","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#ffffff"}}},"line":{"strokeWidth":2,"strokeColor":"#00A4DA","fillColor":"none","arrowType":2,"interpolationType":"quadratic","cornerRadius":0,"text":{"color":"#002248"}},"text":{"color":"#002248"},"stage":{"color":"#FFFFFF"}},"viewportType":"default","fitBB":{"min":{"x":2,"y":6.5},"max":{"x":541,"y":334.5}},"printModel":{"pageSize":"a4","portrait":false,"fitToOnePage":false,"displayPageBreaks":false},"objects":[{"x":2.0,"y":6.5,"rotation":0.0,"id":288,"width":541.0,"height":22.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":31,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:20px;font-weight:bold;\">Macvlan Bridge Mode &amp; Ipvlan L2 Mode</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":8.0,"y":177.0,"rotation":0.0,"id":234,"width":252.0,"height":129.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":0,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":2.0,"strokeColor":"#434343","fillColor":"#c5e4fc","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":0.93,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":16.0,"y":240.0,"rotation":0.0,"id":225,"width":111.0,"height":57.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":1,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.73,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[{"x":2.2199999999999993,"y":0.0,"rotation":0.0,"id":235,"width":106.56,"height":45.0,"uid":null,"order":"auto","lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">Container #1</span></span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">eth0</span></span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">172.16.1.10/24</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":138.0,"y":240.0,"rotation":0.0,"id":237,"width":111.0,"height":57.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":4,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.73,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[{"x":2.2199999999999993,"y":0.0,"rotation":0.0,"id":238,"width":106.56,"height":44.0,"uid":null,"order":6,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">Container #2</span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">eth0 172.16.1.11/24</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":40.0,"y":-26.067047119140625,"rotation":0.0,"id":258,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":7,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":237,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":241,"py":1.0,"px":0.7071067811865476}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[153.5,266.0670471191406],[117.36753236814712,224.06704711914062]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":50.0,"y":-16.067047119140625,"rotation":0.0,"id":259,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":8,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":225,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":241,"py":0.9999999999999996,"px":0.29289321881345254}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[21.5,256.0670471191406],[62.632467631852876,214.0670471191406]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":60.0,"y":-6.067047119140625,"rotation":0.0,"id":260,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":9,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":241,"py":0.5,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":246,"py":0.5,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[75.0,180.06704711914062],[215.32345076546227,90.06897143333742]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":3.0,"y":184.5,"rotation":0.0,"id":261,"width":79.0,"height":32.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":10,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:14px;font-family:Arial;\">Docker </span></p><p style=\"text-align:center;\"><span style=\"font-size:12px;font-family:Arial;\"><span style=\"font-size:14px;\">Host #1</span><span style=\"text-decoration:none;\"><br /></span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":283.0,"y":177.0,"rotation":0.0,"id":276,"width":252.0,"height":129.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":11,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":2.0,"strokeColor":"#434343","fillColor":"#c5e4fc","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":0.93,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":291.0,"y":240.0,"rotation":0.0,"id":274,"width":111.0,"height":57.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":12,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.73,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[{"x":2.2199999999999993,"y":0.0,"rotation":0.0,"id":275,"width":106.56,"height":45.0,"uid":null,"order":14,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">Container #3</span></span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">eth0</span></span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">172.16.1.12/24</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":413.0,"y":240.0,"rotation":0.0,"id":272,"width":111.0,"height":57.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":15,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.73,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[{"x":2.2199999999999993,"y":0.0,"rotation":0.0,"id":273,"width":106.56,"height":44.0,"uid":null,"order":17,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">Container #4</span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">eth0 <span style=\"\">172.16.1.13/24</span></span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":315.0,"y":-26.067047119140625,"rotation":0.0,"id":269,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":18,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":272,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":270,"py":1.0,"px":0.7071067811865476}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[153.5,266.0670471191406],[117.36753236814712,224.06704711914062]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":325.0,"y":-16.067047119140625,"rotation":0.0,"id":268,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":19,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":274,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":270,"py":0.9999999999999996,"px":0.29289321881345254}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[21.5,256.0670471191406],[62.632467631852876,214.0670471191406]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":278.0,"y":184.5,"rotation":0.0,"id":267,"width":79.0,"height":32.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":20,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:14px;font-family:Arial;\">Docker </span></p><p style=\"text-align:center;\"><span style=\"font-size:12px;font-family:Arial;\"><span style=\"font-size:14px;\">Host #2</span><span style=\"text-decoration:none;\"><br /></span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":70.0,"y":3.932952880859375,"rotation":0.0,"id":278,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":21,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":270,"py":0.5,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":246,"py":0.5,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[340.0,170.06704711914062],[205.32345076546227,80.06897143333742]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":167.32131882292583,"y":39.0019243141968,"rotation":0.0,"id":246,"width":216.0042638850729,"height":90.0,"uid":"com.gliffy.shape.cisco.cisco_v1.storage.cloud","order":22,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.cisco.cisco_v1.storage.cloud","strokeWidth":2.0,"strokeColor":"#333333","fillColor":"#434343","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":356.0,"y":150.0,"rotation":0.0,"id":270,"width":108.0,"height":48.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":23,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#cccccc","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":1.0,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[{"x":1.8620689655172418,"y":0.0,"rotation":0.0,"id":271,"width":104.27586206896557,"height":42.0,"uid":null,"order":25,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:12px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\"><span style=\"font-style:italic;\">(Host)</span><span style=\"font-weight:bold;\"><span style=\"\"> eth0</span></span><br /></span></span></p><p style=\"text-align:center;\"><span style=\"font-size:12px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">172.16.1.253/24</span></span></p><p style=\"text-align:center;\"><span style=\"font-size:12px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">(IP Optional)</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":81.0,"y":150.0,"rotation":0.0,"id":241,"width":108.0,"height":48.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":26,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#cccccc","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":1.0,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[{"x":1.8620689655172415,"y":0.0,"rotation":0.0,"id":242,"width":104.27586206896555,"height":42.0,"uid":null,"order":28,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:12px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\"><span style=\"\"><span style=\"font-style:italic;\">(Host)</span></span><span style=\"font-weight:bold;\"> eth0</span><br /></span></span></p><p style=\"text-align:center;\"><span style=\"font-size:12px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">172.16.1.254/24</span></span></p><p style=\"text-align:center;\"><span style=\"font-size:12px;font-style:italic;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">(IP Optional)</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":224.0,"y":64.19999694824219,"rotation":0.0,"id":262,"width":120.00000000000001,"height":32.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":29,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:14px;\">Network Gateway</span></p><p style=\"text-align:center;\"><span style=\"font-size:14px;\"><span style=\"\">172.16.1.1</span><span style=\"\">/24</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":307.5,"rotation":0.0,"id":282,"width":541.0,"height":36.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":30,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:16px;font-style:italic;\">Containers Attached Directly to Parent Interface. No Bridge Used (Docker0)</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"layers":[{"guid":"9wom3rMkTrb3","order":0,"name":"Layer 0","active":true,"locked":false,"visible":true,"nodeIndex":32}],"shapeStyles":{},"lineStyles":{"global":{"fill":"none","stroke":"#000000","strokeWidth":1,"orthoMode":2}},"textStyles":{"global":{"italic":true,"face":"Arial","size":"20px","color":"#000000","bold":false}}},"metadata":{"title":"untitled","revision":0,"exportBorder":false,"loadPosition":"default","libraries":["com.gliffy.libraries.basic.basic_v1.default","com.gliffy.libraries.flowchart.flowchart_v1.default","com.gliffy.libraries.swimlanes.swimlanes_v1.default","com.gliffy.libraries.images","com.gliffy.libraries.network.network_v4.home","com.gliffy.libraries.network.network_v4.business","com.gliffy.libraries.network.network_v4.rack","com.gliffy.libraries.network.network_v3.home","com.gliffy.libraries.network.network_v3.business","com.gliffy.libraries.network.network_v3.rack"],"lastSerialized":1458124258706,"analyticsProduct":"Confluence"},"embeddedResources":{"index":0,"resources":[]}}
\ No newline at end of file
diff --git a/cli/experimental/images/macvlan-bridge-ipvlan-l2.png b/cli/experimental/images/macvlan-bridge-ipvlan-l2.png
new file mode 100644
index 0000000000000000000000000000000000000000..13aa4f212d9db346f307dfbe111fd657406bb943
GIT binary patch
literal 14527
zcmZ8|1yEek(&pf9gS!px9wfL7?(XjHfe_r?o!}4%?(Xgc5AMNT154iS`)haSR-Kye
z`MUe-K7G$Qb?Z)ql7bWpA^{=*06>uji>m+tkZb?|gb6&<hlW+m8}dU@s3fN*@&5j<
zq@*OLpcGqBXWxFWU%oTC|2i=-VNrLgW913~5Rm=80{|##mG5Xpg}%REvj6~zlNSvQ
z4P)2uLIA+U`@3fDf`0kR^Yb$o2yk+83IG`D6|^V-03FNcLxY3EdrykRI|V(HlvFfX
zHGOCX4fC10$v@iilmM*$!?t#|6BGRkib^3NAzyucQd3iE#(wvXPsGH<wjTUFIyis;
zNC5!fIKmfO<_^kx=bzRq^^*&cQPFSbGcf@G2DdH%Q{?;O!uIQXPj}D4uZ4*0N<9Ez
za;Q`^d{8suo142^X#Z(dO|_Z1X<qZ_`*G*!`WQes>FFcu<jJxhrMkuIzt>iA2}u9|
zCuqei$M4-5nwr`%i3Np4vgR^5xmi?p#UH=*mV3XyA4*G0x3#x92gWff1cLwoYwwVe
zXz=#-mVViE$?s==*J21!?}^c7DO)2a0KlX5gh}1OzpT$YG814}Y}0%tmN+Aryb)z3
zsT@@gAoG`$lpO2IFpREFRt13lD?iI9=-GG+2moqFC%hy9I;nj{27uocPT1D10075u
zO@yRFl7errMnFEDh#5#PPuh?-x?z&dII=d^&poRym>Ga5A8o_}h!g_|nSE(VHt%mQ
zPqw6czuO|90az5wa0^O8kUNShYVM8{SpWbzzUn>s&g!NPQdUl24Wmw9x|Dc7tCD5i
z`~h`8htZ7%KLEg;77+f;xPQ6_tOjVPO#d7)KeD-x!mCj40<f;x*HaN48J<f>sbB>#
zBGK_J+`o&7iG6fe=KSsD<t2d4T1nqBM3<(*U-D`^$v|IUOolcvxv<og{jf9m{qF{V
zM!kRQ?*8r;0H8N<@q53UNbTOFXJs#ovh=E6e}8{+lx5-M;k(-C-`hf+0|2;|q{T(l
zybMmKc~C=yktJqV-m9n~h2UHa5W^vr$r8ka&dX2x6sLD6J~;gQkX;Kn!>W0j8+4tQ
zhH*-^spHNug`oyE=L)?pv{pax=*n0-F0Ov#MtGq;M)d`C_0|)mHCU--2WMp&h)U&P
zcQv?6T)kMcBJ6c$fMY%x)hr|An5WbgL#Op*Pvno^B*6%cGQulpIp?=Ppr)&ez$$6D
z*}MDmX)#sm4Bby&%JvaxP;wzHM8DFF^FHjHwaXuDtd)8S?sxf2d3U>RT&%lJ$$CKm
zXh*C8HSbv=U%Mg`XBgyBD%Rl}U!)etqPnI`2p{fA6T+dIgA+kT$S=YKz6gfU{%qvb
z7e`jpjWyGn%7K-x9`5=yt$bko+n7@#7IU)OAp}+uF5#D0@BlvI_$(!08p3V=l>$Z3
zlwFz4CPzXyYS1KhRVa3_pd_SxNF|)OT`e>lX_!!Pr15$;eD}>yYE?otTcpveS87|&
ztkT$vjWL34w}3#Tgw7O^gpwUU2|(|iPy<+_ncLzhsmGAV&thM_)Q|PylCK^T0QjcK
zo)J4y05vSxJZF_EhzlM^A^oT4R?8<G6M^_$aXZXP8N32kW;%91A?(u_r^r}lT*Iq8
z?tJd=7Du=h09)L5Xv{1n#k3IV&rn*<zl-2`;{Dp-jHa&86GqdELLLfzO;-I9U~|~?
z5=jB<tJeAoKpd^Ak~DuFVi6hbI;ZmED)Yfv1vtdox95TlDb3im5cVP`SlKVmO>Dmr
zwcQDogw_q@WZCF0mOTbPNpjBRXO@O@nrbl<A+ZraSol(+aGTP1_RQ>2Vm<J#!q+^n
z3d{y$J`4)_&jY2h37}6yL-HjN+W(%AJr*e`xaU6NlxZ>8jTFDVV77`yjlsDjtincO
zM(x$`)?EVqN$)d!m{}ZTC)2AeEw+vI>c6fF??;Ax1Z*Js`7TrxV1fJvHlbX1<ZVE^
zvzh-eT)YS)pMC+&$w?+4FS1UqG+z?8PH#Yrg#-5Dnm#EvIaIo4+I-3gQrLh=rbp9S
z@Z@GPVOI7pWeUdk{{4Nb@n0l>Hp{=wWxaUkp%r;hrW+LO`2E=(bg%#N+RzoYBK2xv
zWVjjX{L3{G28PiMMhX<0`Xnn1r`@t})K`Pv)@qv4v=R5^9oiqikp-o-UU|L*Ja?lK
z^~t|nwjE>6J~DcyXdjyY;MzpznqdRM$Q^AYD;i&eSwO;!ow^Zq%U0@9iokAYuN1=0
zgjyk@V*PUkjr8X{l@-*_=Ov5&jCwY{A}H~ahq|QDLtcg)p;~3h3no~JY%&`*vC&7^
z>eEyEgAH<kPsM^TYU*-BztuiG7vUG8)j~k-5?c4*t0v~qaZpQhd6|vxaD>MBKM!|f
zS^386lj~YFezTObA2o}<E#KfZ0CP8~4&~k7$;-*<IRs94x#}CpjRUpA3;BO<M`~C`
zr+v(UoAh&{0^U0~Xc8|gQ!tu;0uM2*1oX$W2O;+$hzkLj#nhl<JA{m3+(gmCglh_%
zlYXs?d(sF-vsOMJFyznpGs-2!Z3BS@!$ol9<juyE<RU}QVM>(5mchyM-Ly|toT6%F
z7)_9n2@5gyTM>li#2#N+?(o9x8uvAM9D;G%>ym)K>fPrXn@mRJ#**k+lXkp*hum|c
zq-1Zrm(C;xkw(JwzZP&ka;|2lw+qcoTme=rp;XgC*aTN#3s+cEC11-J3o1v9<G?^W
z(Xazj>za4Xx~HF`t_^?MsU8C-VhCW<=qT-s%dTMDFKtR?Shvc)nrj6n%d3#Y_z&7J
zrn*Ns22|<_(Wc?fCoX+yTbklb3JVSk{~bMgl-KmFC;*#;@%qQDYeOJCLe=MOv&Hw+
zO<(DH8U2Dk^4Basq;cIAD+E;=;f42~rYU3FLb!|Erq<KO%5xNcdv#1IhVsxa6*48L
zdjhtGILMJ%LW^JPB6s$m3GB|~*bi1I{7+)T!Y4Q+-zQ!qpV53gZ`YcfVF9m6u*t&c
zj1hL&(Diaq!L7u`i7;YjIS^2_gXSTk%;AO3NbrGZ7(5f=Srk5ak?wtSX`IX&-^JG4
zS2Uo%j<DKU`|lUyv41a%GoDG--A&Cs9FTuYzM>sXR$WU_m&VGuc)+^xQrq)=I)A(>
z3eq>1S5EZYn<s4&`uT7&?R#bTgzt~dcN0UX=iu=2sDbq@DNXSUwNSg@=gr4!&Tl^*
zFUlUet>b3qc&FEHe!-=MDnrX#aNvg?bf)@<WjC1Ptv;-I#XhcNiG683I)1u|x3-E=
zozr3sL>Gl85B?bP<6YHD_N=&cfdll0*f672)(R19dd$J@@N{w_z&pMbh5kL5@`Ex&
zq&SW}KA<5D|7<)1kw7ZCF3_b&b?Vo#7D!g(=aw2`run#=*WBbN><XC|V<BvRv4YN@
zHd^cG@xDdhAUdtOk*p&5W_27A+>sO)(Bc-=a0u}hBb$_t3wwW`DS%BKn1z*%{>8}Z
zL^-J*dwD-znMzHcwswYp;Xpdcs)spLD?%v%r%!Wm!3~J%y9`r<BjxA;8f|J24N*oJ
zv?SlT0h#d4kcR5fBxI}6{$kWE;L*mW_WKzvTxA*sv7%>y3lbe=yhWi&noL(O{~pRZ
zhF-BaAUy|z^c;yWqTyz(=2#Mc0q>nyb_n^oYH%fyF}#B$-F>b^teXvT)0d6kkIl7z
zQ=IXU)dXF)oEt1lrWK3f;E~veRry023<DeME}L5OcAHP0s)a`!{xjnwNO&+zYKvZs
zh?=Pjd$eSzFI>3TD7pUIQMkKk268myK!minxp;_<Fl|K0FLKL7@j%3A?qLu{Zjf8P
z5?MmqU|$)MIgkwnjH%)V+}0m~3{$YYrZ0lS=LOc1QzG-R%eTejn9cBMcR^=t&&4B%
zg5gxGLPzoA$?1vH&A>1w?wPwNBgq62c=52H1bC>GzD#Q>{GypZ?a<n$^9figfppXt
zVvDSxzTV6H=n~HqaXmb~y(BOUdug&ttO#>N*$R=IJf2|D>8XPCX4HG|$i585Vy$kj
zUPg%fSbO5#DUq8|zNayBaW7VF15SxZv&K*w+A#k{w8(fy)U>_#_1o@Auj^W&Une};
z!^!7CPCY#K0Ror^@yBz@1Feq3mD}7}P^iKOFdu5vpq6F2Z#Bit=d8$Z`euV38G8rO
zB&WfNKOFBuhr`6eZ{NF{ZqA;<;Qf)La@{W<e%_H$Fg&hL?egud`S%r+)Ba}lQ0+W&
z%9GGU-!I(Uhtg^5Zq0+trS#*YO`FcYG8jhNo)XJ?DM}>*9qQfT7^7`OhJW}>P`~cZ
z@Aq?>q)ssj-FYN)y!}~!-kvXw;uyXs3MKs5u$hG1m-zLw?*(o`Qm(S*-J+QMkN4Jg
z6;Hd1JBg|2SF7D)zDmEt{alPVl1Q!U=7!5sAuK9pu3&{O8%QegU0`;e=}Zw*tcuQK
zl*FhPZvLrri8@W>1H{>pXNY6T@o_2e=8Q~!I2tu175a>nKu5raW~Tk-<nbql&A&n_
zs=@GuK>FR|1mS`}&asn<@r2JsIP(WHGM-CCu+3#EB7cL+5tY`ZAC|;K@PjgQ^CrJS
zoSZig&6L68RPw{CZ-?UHBgAtxF`Dskz;p21CwWf^(x7qD@U#L(@t4Nxgj>hvbDw9k
zt3Q+;dfN^3`G1g+vFLwE2QT@C-=ed<<Zj#uu4mtuCfcoS7D!F$eS3OM!nC{~$&ja@
z-Y`3JOhb+33M)_*mcPg!-Me__{l*@fe$SQocBau%{~C9~(pyM-y|uJUo+a)ETV_B}
z(#Xq{W8IVd_%xQU3b-L54(~WLDrmK~VlWwURFGIhgj~OI<|Q%4xsRTlPdI{&Nmrfe
zlAP;aC+M7!YN&1B5AueBh1CYBm~S(PBQuI)xSG5!)@#PjcJfa9IXbNJf8us!+?c#t
ztQW!)Vqc5IYx}%=Ws!L0ckb&%z9IA|zdvnI|54GJjqY_sTg_v8-)3@C7gn;72q@}c
zl1U=l^E-SLZq+b>i+abt)eg^w7Ps@X*{}DCI9dEmxnBdP?5w=jgEL$wSKvEO?o+=B
zAu-?zTrBEeJhd2}5X_u+Z^)DiK6uoSR3ioj=sln8YafL*F2>HC{uYyJ79u`EIP<&e
z6`zxVV?9zZ_D562P*iO}qr8B)=!DgeJn`m3Mvj%H!uzVap&K>BWMMSDnb5@_=F9ig
zXe8{!h78pn3x>z|{vI#MP{epUyBej~V@|07?X~qOiZGKRjrdTPIE=(W@XENha4pF4
z;5*zkK$WHn@-RQ|+-rFI2QL4H9+Yc!J%Z6{l-`Lz!__pVRA15BgkdZe+(Vbr^E)of
zX0dK&SY)66l>%;Q$HT#tZ<{Bhb-`WMe7z+ziQeg_WX|EWqwZuk-F6Ip^JEv~#OK$n
z&Of6syLejdEuP3#uXY$)Q@OQMCH&*2te)CT)M0!+LukO&^`p@=1stEB_#-plM$TQg
zcY1eJTr<{l?u{B)rf8(+UpF2ee5yT3R+n#*g6dD!6;9um24)Q?LJ8Fn(6FBcZ}jow
zhEs)_aHuQS@2l*sGA}zWHt!U0lEesoHXiTw+Sf8X6>tuHBJr}iexg64;e+~ag-l91
zY|rjCS*AZ@vBB+dsp^VPWSn$cc}9_%Jz%l<`5EOwNkTB`eE^SyJj{+e9{&6uDnZ~A
z%D9hp#9&k1*!F1tdf`<IRig??4w{A__?2eGnd~Qptj`Juu$*Ffzt}EOw1WP<!amGM
zMAy{*v(r|)F%He|3}G2x0t8k5Sg;plY|>3>as2E$d3<3Yn<$uFObQLoyccw((!rC9
zYeaSDtk!>Zm_wn!lsf#f$`*oV?BsMVi}*D<UCeoQA4{BCz~%z)ua$5+f`VT7()f(&
zPcdnZn9L$w-w5L0`t?7kk3iI6{;*H*CA~eDl}~Tn_O3G=&1}&*oAIPG@#SZ+UqI#z
z{;=<#Q-XOsMvLSEMZ^#lX;qVLxW*6IbIn{BkqJy11+2&GwOPPFSiMG?*VrgUQ)fN%
zds)dej5$B{nep5FE~p|)znu}ZJ7O~O8-}Hcd_huSg~jgjb<%T7YjnaHP``!1-d8+=
zf%x$FGiy2QP<U++MNPasGO7&S=gjR^WV9dgkQ3~@G!>-9)_AODWr@>A&1j1%`d`A(
zs0rEAdW(%IiXg0?EGB5<iFGn<xe{2Cv>N*?tcR*z;&JvOLELo7%Tf}W@Ybq7Kz%Rq
z6nkUtzzR)UX1h`NaO7jeGrov$#v-IAnB0bRQIUX2`0{Gwog!&=c7_y;QuU<I6mkYw
zMLPLK^pQIB|4t#3l1V|yHB_~1CO#Ns-4t1S7?7xQJtMrpU3@$`FdaN^9dDNm1$B}^
z3nw(TBs$`;l3G&m4+ri)-Y$7ZiG}ox{_|uQbiokYL@=wqY0jMd_-ILgc_i^vI6L(Y
zkcb+}AR^LHk%MJarKgbHKBt4wW|?p$i4pO){aVQ@jEBiHltd=O{7lbaS0D{ljc&=8
z*vBi>!-7!Ma+P9i0)hk)ZK+qvNG=QPW?#5)*a1&e&L2}m$S6=*ltishAM!VI?EpdD
zywb>>t45Z2STvPvvBq^@y>_qPLM>lG$1Q)z=~BH$?j={S3{dmK_k9>;)L%{{TUDPa
zE45wz^Ur#>q$P>ggIiADPbU12Kd8c;L%!=RG6<T%ny8l>bg{4s+Kn^8Q?HEtswg1)
zcd|>y>)-E_XP#=c8J%U6Mz3hgppg$K7FNBVL*7C3ZLPGG(L78oB3e=SoW~I)9C!J}
z=->~^wYhKN1m7HTUJPfDs5-T|sAGBiV0lU==$dyfsppC(Yt4*mlB{^~$I2bqo?c2h
z7Uy^>Ozjw)MUGvGG3>2KX)$l~kH`2CgG>>@pDPPgK_P+&UkAC=s8#6Mer(h0wH!Cr
zXIs=*Xl|3i;LCGp)sL?*BhihRWcFsRo2k?jVq|mAS;N|TNUNI_&B=Ymnn&JH;jx-z
z4rVsW6wwp8XtM~jh7F0H(XJ<4;N+m^U@ZC-cy04xxXx)x7%#ZTVPZMykUT$O^K1=U
z`!h2KO}~dT=oL{PR?OA|zsK65?L!@!%(97#Pg)mX9?Ut9yhG&INaWTnLpqPl9JHc6
zi8_z$=O(}O=?J0(|Mf@*mvz!;a%!6_D>=UuUk}!`TVO^1AI3zVf64vdmz|x=oRnXu
z9;%rlRn+Q1u=vrEN-3PU+yUK*(JI03^_FnCF=oz0J%ih_OeWAje;9v(zR1jM``$Ba
z^JzWMh09%K_V*oG%mQuOdeLX#u-sW9^`r#mcpU;!xQ^1&e4cJZeLghq{aecTN%ZM2
zul|C=+zHK{r@seq7ySZB(zH!28AGO2ovnCCOz;L<FraI5u7>YBwS~;V8c;x%i0CI*
zAIx_N?q-;{IEV-{?MRVi?C?G}Uk?*mh=?@tE?;65a`46D4_8Doa~rRC<Ep<gYs1g}
zSmr&d2=gM!PKe(c`H17aq|IbqAOah9bp*3_<#f?_vT2x{cY(6v?5JqhJ_lS2;+|@9
zm-jqm33Q4}Fj>+Q_+WYG^dy2hDRGv7A*swCIzA1X;dlV0jQk+;#o~)8RkzCo)X2~5
zT9#uaH)daTwGqG_phR;`H%P-NoLRzGtf)bX(n^vzjgcOfm*bN1<om+Pes2{sgZY;V
z=Gi#90!<FL)j}eM2(MqbkrZB-IPu`5WBmZs3QK>?o58bbj^z3><X@gnF1Y4VUyiZ3
z72^;q`DxdroMK4(KeG=AEbD6~ANvo;Qm8w8RoFURb$y|`aFK;;Ul!TX{L(#9eaWJg
z=7pSf_;%tWwymLz_0E$65iuaJO?2&ZubM0POh(F0uilZhRx5|%O%HXXO5WL`=G$|V
z?Y`qDU?aREOTjiB6UyDqrS%v6OoUT6lj**cyRNw3!#5}iqNPZ)TSATr<7szddld8C
z`1{Lc5fl(2;?*)bV51h*Y!jy^HvGIxyns`On{l;GhXDYv#X$Knl6n-=A4Hz#j}`}v
ze@q-1@6W|QS5X&Yq8CccxsUYgUM^mT0Bt4si*u9QqLD{(E&G3p>%oj4>6w27DAOwo
z02PHPSmM5cwh+L3+s1800uZBzH=G>8aRz8_t)s>*Ql841o0)|z?FY^lIyX1f54?!)
zSEJ0x?T$+%xe*ljKw>O&8jKsxwqyu`Q8O0@4_=9d+u5X@mOQk)pPc$!aUA`8mYX!)
zfOz=0Pe7i``NPIA%L4GKntifOVp6#Ga{b?`&a?aP(PQ{VC=Jft50aYd65m)4CqNYH
zFQO5WL}#Y!$2Y6}9Lk`W&49O5W}b+2IEJH(ORn}*XNA?3otDk+EOL&+T*7HBP8kTw
z-pKN+-If1XXoE%!lgRl$@Ka4JIr5DokH0Qv$K4*JXSsNCYj>0v*|}_$nkG!{?Wc~{
zK3FA!{bj<Zs*7l@4k0R*deW%X_5Z$fZ`_YLkUYpy=yj&+3lxxUIE!vrdi?b9q7EC_
zl8sE9OM1LneqRgXg5!O>j<yUvd{t?9c@R+UP<MTvsNzDK-iuETJH%sBd}jg8|2ddz
z{`Qwaatx5V1u?lEWMNzyIxx(4QZ78`6Q{5Ydy0nzfFb+i&lpb7-zrs#D=c$ZL{hxM
z#o8Hq#84LZ8xB&Ey;qy15Zyb190$bEtM(!cjX)iL$y)&hEr$ik*qby^46RG}3zGsJ
z1~U(KFEuby2cC2wuuK_payJuF45es6N*JL;6JcN&o`l*Z02Mv^E&)$P1hSw-4~_!N
z+Uv|hTyj!H4-2@T>S>H%h}{LbUu45)Q~FcN0!6<sx8uYqmBUw}&xMzev%^_STElBl
zD!Fo$K>nHgm4Iw#L(FB;$W#-{%?d5cv=Rz6?8jU=fJ2Qjy8M>%cca~=!gFPIR3H1L
z_^kb54*k6U;_t?~&xMb3BF{Vy^(UC_Hu+A07ek~*CfaMEeSsqsf%?c{zi*}SM#iYX
zuZ>ZStoiJKIJUXr!fGdZyCwhHAaTQ>)Xb!gZ(iZ`7WiuO%OV98e>)4(I^w*-HBT4t
znmyx>Mp>FLg03DLCGD4RQf*>-#a6}N@5wOq93=<zK!3>F7qkT2#B7<Fu>kI>yt>8#
zB!@iOF+roqrTO2_M4HX;ay4qd>c+!+N;+#$9|8QI2dF6)F2~<nJX?qs1g-}3FfQWd
z#0xYgSIt2r2dt@wQbDf?y>T*Q>qQ+6G+Wi5e$0g~XyMHq)YIIKnBwI!+uG~KC!al$
zks=8q28*I7c?28|K?bGtEl0&8EPigeE~7#&S`nNQ0NI>1hYu(TEN7K*g-vpg-lS>I
z8Fzw^YL5vOjr0mMOtY8Oeh<%kvWP778^aj(!bsne5r&3^r~X~@7Z?1NVTvI}_q`rP
zJs9~!`s?6@pNL_A6Wl%O@06BA6o=rbO~b%EjxmP}<g{=Z?Q~Ae2!gmlC4mWJJ(8Ol
zYo{eheobS#s_0L(+MiScqoXx;e@hI0jh5fVmXd3!Z%&~G*%`32nlOeB`+`=!Xhq;n
z&=&8(2L-!*YBE8y6b-TJy0yYil7^(FSDghGDd4E6;Kv3dx&kGmYdCEvfQ^hAb<&ER
zWtSoabBY_}`U3LALwL;f!d!K^?pns}?r%irbo?|}lKW4Ji|fO(n<mte2v7#^a*D`V
zC^2{y=KS$S@5UIr0JS?-q!g^E^hSpC$YToN0V#4!qXPm1@p3RWQSmDZ&c~B42Lj+%
z0SuBd6?&Y6J%^lWm-j_GCDGkH0U^ISp*<6M7scp+iiew|bf+VAqtv{QlJYzuQ&GR8
zlu3_G89NQ6$AK_Xl8Ne9H%V8)17(e^z^{`yx^d~B!ct6U1-e2|R^v@D>hCoqqR-|_
zr>cCM`X2a5baf8vb8~Gz+QCN>E2);k_?SB;s~qb@$rpC%z$rxBnRK(1_y<RK9Z$68
zg!ij8yHy?{p8v2C=nql-ab_1hWu@mJrX7!k#b*--Rlnf_P^<=@ZgCy`FkYNE>9n#A
zCz*VzEuc_Pbo|-eFjz5ZOh{_9V2=KMCPCnapii}m8g-Y^jJ7x}GxVx=?3b1o4E3I<
znrH>vhCjpkE(~-a-Iu}K>D8Je3s{jxJwyDN{0Y%Sbtz;XB+MXesZtt|rJAd~C*6Ho
z-NxKAMv0X0hy%-#Q}2DgA#u>N7wQZJ(s6j9-wDL+6ONCSH(B4sSRaB$I~?x1wts~)
zkGDi;{s#ee3-nW3LK_f-LvX8}d*pL?6#8Gvu5-Z>gI*$sWRITZq+c%QL?tw5aP0X0
z!<?Yg0MhD@_5dJDn?#>&BqKR}Q|Obd1fdhZ;duMAoFsV#^N!ekgs-vcabBzi##5iK
zL}9GCcTG!`Slc4pn{RVmw`r_p@kTEcU}j&x@??KYs$Je!sot|G#jD!Qfbg0S?KA#k
z$9<U9Lh*!+N1xZYm1Zy%o*5%f8i!0;>Go1HR*HKnb_xU6BQ|!jRH2zv!;kcbtwYw$
ze$+TSB-*0A3vR_+zu4<H>=qkTM6`5Cgc?Vu4jsKI-$#d0fxCO^MXy@cG1fxjuF4>m
z6!S<({3=7jvd@<j`?b!ON(wJT&L3+A{ZY*cfK@=Nso;54ZX@~+Q=y&BLAsZjvE1Qc
zqc{6s4;Xb8LL(Q5eOz;8rWLPug7N|i^(663u(UZEm=qRp5rVmYE}e9Nf;28J=TFja
z@s1gapGm<6g*>pfmrfbgf@r*_Vwqke#<R&`m%3rPWdfm66CcZ`KoqL5{v#5ar5&Jr
zSjO8mTtSfWp6GgZHE(z{nwn(JU4!#AN^oFf0jGr7^<NwUMa<TmsTh@oRq@<<`%Xi=
zdvnp$ji!3|uu)m$o*M;<C(Q<A;AyXz`qpqXOp8nC8sq0_IZj&Jrq-0vXwng7N-xPE
zvn|yLZ1>ardA%Vy0VjD~J6DDnd{S1ULdnZ$*wLO+JZ>1-Ix#p1Jr2he#-T!q!N3^$
zUJe2fRJsZJR%AeN9$%uSZZbx`7^72XtZY(SWFi%XQyIEIKN%Qsx)xwbs7wUsL^Q1v
zpi=nbP&y8NOudX>ROIJ!0ah(!D0s!ZSeMMS$qlLOCx=LL06gZbb0uRF1WW25G(}^>
zp5Y2t`;BSP(%bntPe-X95<RKm#m3SL4A?|rVkW)aw~`>^n^4`m!1}hsigEO&hgmK6
z&`Ro8_ubx4-3;UYhrLOaB`QTAP{ay-2@C1p*-g?;RoR#ByCwE8gs|GS7V_$ODB`DL
z+|;!3FLDB2iIJC!Qjoy5fu2D>A&ko&wOPyem{;z}XHV_JB=i>-zEv)FJRZ-R-56uW
z545gHmb)K_2oktDAcsALslbZZr-(B!J9t@+PBoSO@>7S13s?L&iWaLF*x!h7q_;4f
zJIbR{d$}b|Lc$xpp5+b?w!*wwz0_dZhAt!v+sW`?JeV4MkczII8dJQwj`eE3>2p4O
zpn{rLFnDQ6x3#Qj)$+Oo&EqZ<hzW~krc<%$BhcW%T=}Kz9<|B7;k=r$)pPw(;4zOF
zxWtkizG3^Z(nO4gmK&@&zzu<LMN(g-n`$8asdw-#7rnl^tv5!fnci08>wOw?2A(0@
zcA<P7hXv6`UJ4R+z=WAR-+-`IhUt*UKR0&RgKj^~i-5bwoKzl4ZK4SOKq!zOBvR8G
zrZJ-ff5}FlVb8xk#pO(Gdd4j=wSFGzIbkhH%U6;d4x*{GDMT6?0Uu$0AUkm5CNZ7s
zU0=5*lS@AxGOrt{9O4yX1fuSyYSO~>hkIXw+!OGU$IZk1gW1{6=SmEzf|TPGB;b|D
zF41;e6fMG{rgD#DzG@F!8KK=N(bAOvGdX;FN>2>FH9!az41IQb-um`tM077kN8F(Z
zL^MAVhzx$C2D*U`d}xuVE@^?!1A9MKLNRuHM?q`s2*5%xx&SAilY5#F$Nv_@`IKmp
zG(aC_f^4l8ULVp&BB3LNU|LKlzHLn*2a-J+0vd2Mg~+ASk#PR$K4I&OHx`1oN#faz
z`*$VoB;y;}k0$bu9nuB~mcwGn1P*+M6cfLGr=ea+f=B+E4^1K=nuXV%Mr;cl_Wbiv
z&d6YDw(po{zw6X55sMY#@iKd6lEf!Wn`;7kab*PJD0*o^4d8t3s+9=Hum8DTX3AhA
z_06{v%|{N9N{FW#${m&MQoIVOvkV(51eXC#0~LM=5@7u^C6|fz2Jj`kAb(dX_#i27
zGEv_#;O3JaQdc>gh$j(vn7?HF`{f&^J)W!y7D6suwU{C8hfj3S(C<4pMw~-}gYQZ^
zURcu65fH=!<xwR{kZ}|dpV|0C;k0Sd7(W6;2(f(*Mm>M|V~;sq2(F2!jgGl?^q5$N
z7RC!Nm?U>bV1RRqKu&_$8-rrXrZm|_MKv;~G$XEkc4xNA^ttN|8m?xZu!mjyVxc!}
zeEZo2C;h>CP4_3hH>32dNgKl`5N)ha8C6OTv|X=mWKjUgajgaXYZ3~Q6Y2@f^Wgd?
zo|&AZAJdrhG?%A-m_@j-8L$d?81^xCLAXzhm`b}v9Ruf)+QT|IyzF<a`aiW>_=5?y
z=N&=@r0yCij?ilEV0y>W(28Vxp_K_!2fGHC84)1GYU7z*pkc+#Wbs({D6E*B^RMaB
ze<QOr;9`T7$<y8#a`0pJ%KxN<_2x3Ug$6Hl@mCyfA6j~1cN+(jeEXFrK-n9su03EH
zUj{lj=3E#kh;@G6p>xKss0$w^QwC2&<!O~A<T}58**{^~RgL`sj?f%%wWBe2E$tu1
z9gcR>O)%_t`WD3vA^Z(eI<MlrGt|(?m7u@b{*}<@#O5;a*UEe?5@z)1O#7WQN?eew
zyR&PT`v~f^GpG?puyq}{QwTc>PFu(1Q6;bEh-g1RPhxnF(2%5k#Q-qljI=o>a_qYk
z<+tmM$tR|f`10+gfIs{}jaq$k*|Il21CKzP=t4;Ug1OtfC`aWe2brsB_3TbweLorr
ztC)1^ju>mN!AVKCR33|V`0*$Cf#=e&n1;ik&?eY{Iib4IR*48kTaZU(rD;c4C5ZZZ
zTZacIC&w&1!I3h+DER3s?c8J>|1zm)LEsn<9N=p+l9EWL{x$GL2vjN&Jtmfpg^_WC
zznrtLo9+v<vKK~5kPz`it%9G=$ypxMDWLu(Mf`0A!}o{BC_lxQ_m=yY^b~mSJcUc4
zw*)Jdb;1_>K9RiSWAjF}fAOzhsdyo&*1-zlqvjD$l2mL_54}2p43AD%9T0<@W)&#3
z#UGCezvUT<MoerC)_IB`g`aj&rLHT)pCQ)~pKiJBsUDwz&4a7zo-*zg80tgjoo4?y
z+)`uf1&uj3>+2p;$x+Au<?P^_R$af6u<TYO1)IL1&W<%<BLS27FITnr6ThEf-q3^h
zuJk6^dB4Z$+vG>|{RMutiUZ^LR*TQ|M2YOo;G1)^t(#LWOG0^E#41e8Q+dG>KHf{j
z(&ex6wRRV1VDqAchNU>gyAzRq;Ye{F)Gx+?^uT9PZ~EyKpFABJVY?1~m7Y`FONk%Z
zl~znQs~}Jk5XpLW=Abgc3Ayk`w#meW`fdtUx|CiqyMjK|F{<sSZK9F7RbKmmpzA%B
z{wi#vo4zewa2bw>!8{MlrSG0paNqRKi`_CEB$gv3l})i{pa#+EtuMxyrJoV?qH2gx
z#Fd_6mkmxV8s*S_MZZD@s%PIo3qaXatLN-fb_CzRW_PQ}Bfs}J!A$m2zZhxTn)->L
zsHp1|;{Iv~hBL$T_+mfdw%Pmi$=!fhu_{5$<d(8^wP)`Lb}?%2>@dp_LS=MV9vSib
zdk0r2#aFq9@9e|%yU2B;v;OK{vtfc6D(Q!X*&}JkT=|)Jx5g^YUpA<_0!==F_YvSC
zhZ%NyH3ZW}@8L-_3ecQ+0ChqO>wO{tMrX}@Oc_WrLO{O~2hb@^f>c~K-oqS}7Uk$U
z#EWGQ0p)gVzS0KVCqjoLM3#cwVLwe_&*K)I;XSmQjIjz3wE*OOr~?$4bIkI>JZk$b
z6je`e(bCX7P|~cg2yDo@F8}K%dYBogh?({;m>I$d&Q?;i>DP!Ubtu}faaLPUh{@lo
zO~FNJiQi&XH7p@CJ1F{6jB|fsew*aSCe+XbNO1tqd6+?Hd3f?cS<%`nO>aNJawh-x
z6`ORk;Roh>l!i&FrC&=GDPUpi7&OdcwROM+!wFRzu`8Ibv4d}^hZxA;2rt>O640n%
zlAQm8q+_d$nbvu=Hj4SWs)51*^Itv9hhE6`%CcgQ>a3(q|G$oD*g9eqNpmV|yLAv2
z*)E1Ec4w>YbYUZM2QIk<ecb9wbOX3$^+O1aJI0#K<Bz0~9e0tatAXB$4*!n_-Phk{
z4xVe)!m7Py+5dx_$9Zq4{TAq}Qcm_?8suyyOP$ObtSYP@tE4?XsHEELS*8Tj8ff}I
zSHFhYr_bNSBtxnsYdmR5L>wIRDLS$}*9b$_IQoNjK6{B<bD4J~Xf!d|gO}a#P2=)^
zYf4hYg;kHB1BlOlpYIvrX6_`g5g`voI<0oBom<d1TXKJQLL*VuQO<BQOR<;51q$l-
zEsHVSq=0^X+)5alX7K($CF9pv;HAct$gvcHBfa81*IYNwGR)Bw&U-0k80c?eD(mcz
zMf*x+@qCcYNvp6EMs{2E6Y@`UzHgA&s=-SIGM)a4BmT$Kea%)kJx|)h(EPmpySTN)
z2UqnbCjAetbRe{!0y_-SW#kFN9EJ(KXV>o&DWQ>0Ab)aUQY7r{{mM1LH$Oj%c$f3R
z|39dgc~fFAC-6?OORoi4qN*Vxgc4=h<BJjoeV^=xJ({L$J;yNzz3V2ER<efL0im|}
z+FVGmqNYSam4L3aC`tq(N!JV}TgV`#NMv$5;iE!Q$C`n`_zlPU`RX`Ne_q9Pg!2C}
z3l3IHW4pf`v!g=b0wH?!O*~A{%hp&W5*#^f65DRrJK7ofmH6CV9WanN6k`^aP4Lu>
zH5DTu<T0C`=BGT#01?5-!2TuAirxy1Qr9B`oF@#GZl^CwSoAw0i}pgNxf9dk;or29
z<R=2zzj=yesN<wO4W)dPNFMy?W)Au@R{t?AALW(aKePqM2E;<nZ%g?$9b_qCpw&6}
zOxaFN7g3v&thye<n7^F|)+u46tVrstG;xw|&$Fl{l>M7ktaxzc)R>$M8qXJV?G1a+
zB0sjDRYae&;f{b-tR)B$3{U+^S`a#x424s2LzRp>Y+x*nj3w*qM=mb>`u}X+kJLyx
z)QW~mNo)*JUdX@{$MIRqy0^FYUwdh6^eq1jx)NmbM&~ayj>5J79RX;+p5!qn4bQ6y
z#r#Ju`&w_MKdygy`?s2L;XOu?mmp50&ezvidk6PGkk_7=KhAoF*CD6tJtsIb_I<F@
zPTLR<^sP>Fm=?WH7%Ma=0B*ym!dx2?0>78N{O28Bpwzl(6Glg@L?$@6e1h{vf2(&>
zfLS^tEIwlVOG7tY<8a%n{Z3KZF>@TXv7NlIMbljec{@?&Bo-$^DNWqOxjhpUS^H@@
z4~%>te!18=rad+@AYT96it|I^Ex+efi{^ZPFS7B~RG6aW)Ji7rr?f&oG=fO{n3qPZ
zJv3x%eRMgpR*zLYI&>SK<=<sVqD%g$&M^`cVBc0t8tS~eCN>mr69(iSvYK8s$FUc&
z6hi1M83a5IC^#T^TAP^6h=5HP4u0wx%(?|A6cNP(kA&fQ=a>_bZ&ju#hYMJ2MZ+Ta
z=kQrr<Av`4-VP|NW<SxoJHfZKKocRttci$Y)VkMfX(-XQl#%TeWx2bci{s)h^gbgD
zNW59FhO0B-MCVEPz~*j~*bfeF|0M(IJ%4$4laAF<mZ2+7R{5U+@h?Q4pTv`2?%Pkz
zytnUPEiI)0s0LuS#jO*7^dGr4nr(^wgBo*I`KIQG(IX0&?|!^?lQv9MINkP&JXxai
z&*;*7t8-U+QzYia_C`soV+xGF=WuzprEU4_2NL%Id++po;#eD=cZuP$^UHgH!P6zM
zlMBS@r`rZTQKpcGp1D^XIn~tFX*k^>ME4>eT(IOvyw(;>pJN)zo|}mYD5da8dZsG9
zhsxe`z)PX3Dk)wERe&D<TJ!dDA!E>f1#Dvq>_(Qe9on_(!M%gOwL&UXyt$D<_+0*s
zR0pSzf!inHI`x6m`U<U%9)sK;NW3O0-b?YkG4bECkEl{hr=S6d%B{SN+gv=%cRQJ^
z^W|;B^^s90f+XYGL2S&42mP!xQF?^m$)eet>m5rWqYpFJ`m-s2()EC7#vw-NwO%%S
zqfilAIDIR9t^nG%P|jIDc5=#|-76N`S`|er9~;XV5WDkWLq#b@8BEg1x9W!Sqs_5K
zX=`iM*e0y_ic(O_&Eee(Dm;qKW)Q?Qixu)48y9AIwbq4^a70RI@f5HpOXRsEZzH~q
zP4Qmj`1q(;u?U!6@IUY$zMOj>=02=i{E(8H&GJKWGG?H5adxAHJ(QUrgcta-;lTtM
zRR~k6@>)#hIl~zkk}LO8-6Qg_uG^zszJi&r%8?N$HjaCN5lo3!SH<pp>yfQ70=+b#
zOxL=>nj&y8X|N(~L?;`##Rn^iN-p<E@b}~~2?8x3a*SFUi$JkHC3vAe^CIYdt2gV5
z%(ZQpXXiGKy<R4JA#;hE(-+naJQq&LhV6^Dd@+jJ-s^{2Y*+089H@G=I(-D%+(D9N
z%d8W|-~5O43Z`r_g9gyOp~m~7*$AS2uQ>tZJQS?c!>8lTGs_+X=dT^5P?n}n+2L#a
zUs*jURphV4i|TREJ~Ms1k++gtIk9ajG5$^+t|HIsv>u^5gLUT|p9R>y*ryP_WYu`q
zsp}F9+Tpr3HKN1g!RJMZ@nudS7n?38t-ZXAV)`Ri>Pt(nY$Y(+1mgc;$+fvjetR+W
zMP_IqI=4Lavlg&LAiN2pvudu*{US2{=Bi6HmI46##PG(ApBA{FhNvPuzzr+Ye(5Bp
z_L0@k`;Yg{el>`=KIhtMLE;{o1~K56jI1O<T9jLV)}^J)RqYRHAyo+cp)OdLH0|0N
zL=`Ou=UlMe8iaH?-M(No6UZh0bX2nMs~v67GA0N!jQRb<S8R@l6rUDa5$lUN&Cr|?
z>ovZXti9<pw2<-X-1Sxjc)t8>jb(_;x^TuT@~5;G*9l$MryM<n(e!lXC^W3xUW`8~
zYH}^eR%EQZ33a*fta7XfM;_R@*^(PhTvR4e0i_M&g=kdYuk0G9a{^?kCh305NkrJn
z=?+KYC&71G!kg$*G~Tx%d{UUQc(S`iZT|LpW_z?p!qIZ$CvYq6^Af9N>11#KG35vk
zS8d*DH9pjk%@Q=rEmkhnIX!58nvVm>iBqK#W-5xaN}dn!AJJiCf~9axN;nYqhG=gP
zc%}Fgm!~%_zRmj|_PVORyi;Ff7R6!haSbw9Q^TIq73@~(Y=O+?2yufyU?8Il$*X^P
z%{^)ywABSH4}GUzm5wTcegzBYo^7LUWglP(O6Mz=DG+FkrqjN6t>xZ*H8HJ;Mbd>l
z_-q&4!O&wW=v&8d0^`{Q{SDM<+^xkd{x~@yDC{3F@6tvTq#VWJ2$%LmG6ylERpe^D
zxisET>(V3OLq)Qq!iv{wX`|bOLs~iEW<FW8t$dmP{Lt7;>Oo8xGIWz#$AwT~IUmWw
z)peI#IXY*+DdppYxvBrhG!re;d5F?{J^%nW60d_0Bh^mdN)&F7JSW31pqcCsH&8!&
zhOZ=6#S6o7;VsAF(zRMX(268A_qxfBd|kM;ZXd1^_X{!Y%^Ms>Ih(>S=7in-eAb@#
z^ELrCZ{4$hnY!yL34+;iqoXxkT4DUy1vzvxg?P<IAQ|dA`G_>hb`KE$j_QKC`c#~;
zKCpMB@o`1e%Vvw^sZTg56izHBnX~4j{|6UAmAOm|U7#y=nIW@Legy1i7_SJatl08a
zk$?1K_l5n*Hy%$Gl81IhM}+Drny|$ilDH)itON+p4vlUR_poRp$>~_kyk@FjDPF@j
zICF)Ej7P?xD~sn>@;4fB6bq(qKpxFmLu)QHDAIrE2xXqYr8C=Y(n6K|jhZdlEK$8D
z<CpnYWWr*%x~W6W_Mx(SJWBEjnjR*4h?4#SvS=}kAkS1dF?TS*GA(DWi7ilL+NLX|
z%fS<$%5=x;1U^{QY7~g;pB*zgx2tLRLHTC@;9H-_*g;igZ&LJAZ0dlhGR7L-h)Uny
zyu=4@-LoVG0@;)UtlWab>Ouxtb+)##;ij4SwWJvpQF5c#X6X^EvXwn1#}Ki0-R-0D
zC;$_4aqjQqjG$>p&mOzWK`xa1m|+sJSf4K|<(<q-r4>f3PWta)P%=9SbQwF;u2rq7
zAbx+Q{KKP}X*IO99wIEIE0cnMwgpk`cCS)A#t&-5n9^mOSK{^5kEPU+pwUorG+n8i
zEDr*KIbiMJ*C4d5hy53%nNhC^W#}H)y#ZVR)M9ai2J8JDlfO1)6Pwa%Na=l>jPR~D
zWN{*vLsbbD4dTsfEGmV3M#B#Le1IOYXL(x2!24ah0wi4l$dMH)e}51&`xQ%(_tfh&
z=hfPOrYt*i3XBZ6$8E7dd2HSIomjl@)@s~qgc~P_p1m6jVG|?bj=5*%X#IL67V*O9
zVZsCxlu+AjnRg8nO%no#Y7K9lPK%Xmaq_I2LwBS-nZ{XNYIb$~7-}Zi$F3v0Xk&Za
z8?p}5XBw;Fe@wwB7%CY=6C~Kzv%|p9#5S{9OQ9irqHWy`h{?pnMC{x_6Dn8lKCU)o
z2^89UU)i2LnMV3tE<ZS9a<uQu7K(ShNifpAT?H)F`d3SGYLrS@+w!m&6RIYUBW?SR
z>_qNa)4O&Gf1c}K`=M)9HK?SCq!?=iR%cUcsuf2ijz`^(uDkDNi?s-lBIv@iG01iz
zm7=VyiKc`~djzZ<)D!kSKu&JVd23;0IaEf88fYH$&<6rML5|+!-z4p>1w&UPVQ;|k
zs@J0zQ=a9#Mg7q;>{{txEtygSrz<trC$+~WrBR8$mzV5+<mRKwi(KfA-}2GD!~EwT
cTK|R~xYw@a%hL$)?SGQAgo1dLs8Qhm0&7~1d;kCd

literal 0
HcmV?d00001

diff --git a/cli/experimental/images/macvlan-bridge-ipvlan-l2.svg b/cli/experimental/images/macvlan-bridge-ipvlan-l2.svg
new file mode 100644
index 00000000..757871e3
--- /dev/null
+++ b/cli/experimental/images/macvlan-bridge-ipvlan-l2.svg
@@ -0,0 +1 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="561" height="354.5"><style xmlns="http://www.w3.org/1999/xhtml"></style><defs/><g transform="translate(0,0)"><g><rect fill="#FFFFFF" stroke="none" x="0" y="0" width="561" height="354.5"/></g><g transform="translate(0,0) matrix(1,0,0,1,8,177)"><g><g transform="translate(0,0) scale(2.52,1.29)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.3968253968253968,0.7751937984496123)"><path fill="#c5e4fc" stroke="none" d="M 10 0 L 242 0 Q 252 0 252 10 L 252 119 Q 252 129 242 129 L 10 129 Q 0 129 0 119 L 0 10 Q 0 0 10 0 Z" opacity="0.93"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 242 0 Q 252 0 252 10 L 252 119 Q 252 129 242 129 L 10 129 Q 0 129 0 119 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" stroke-width="2" opacity="0.93"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,16,240)"><g transform="translate(4,4) scale(1.0045045045045045,1.0087719298245614)"><g><g transform="translate(0,0) scale(1.11,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9009009009009008,1.7543859649122808)"><path fill="#000000" stroke="none" d="M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.11,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9009009009009008,1.7543859649122808)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.73"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.73"/></g></g></g></g></g><g transform="matrix(1,0,0,1,26,246)"><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="92" height="45" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="92" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="9" y="0" width="75" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="9" y="0" width="75" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="9" y="13">Container</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="65" y="13"> #</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="76" y="13">1</text></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="15" width="92" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="15" width="26" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="15" width="26" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="33" y="28">eth0</text></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="30" width="92" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="2" y="30" width="88" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="2" y="30" width="88" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="2" y="43">172</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="24" y="43">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="28" y="43">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="42" y="43">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="46" y="43">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="53" y="43">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="57" y="43">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="71" y="43">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="75" y="43">24</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,138,240)"><g transform="translate(4,4) scale(1.0045045045045045,1.0087719298245614)"><g><g transform="translate(0,0) scale(1.11,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9009009009009008,1.7543859649122808)"><path fill="#000000" stroke="none" d="M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.11,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9009009009009008,1.7543859649122808)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.73"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.73"/></g></g></g></g></g><g transform="matrix(1,0,0,1,148,247)"><g transform="translate(77,42) matrix(1,0,0,1,0,0) translate(-77,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="92" height="44" fill-opacity="0"/></g></g><g transform="translate(77,42) matrix(1,0,0,1,0,0) translate(-77,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="92" height="14" fill-opacity="0"/></g></g><g transform="translate(77,42) matrix(1,0,0,1,0,0) translate(-77,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="11" y="0" width="70" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="11" y="12">Container</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="63" y="12"> #</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="73" y="12">2</text></g><g transform="translate(77,42) matrix(1,0,0,1,0,0) translate(-77,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="92" height="30" fill-opacity="0"/></g></g><g transform="translate(77,42) matrix(1,0,0,1,0,0) translate(-77,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="14" width="87" height="30" fill-opacity="0"/></g></g><g transform="translate(77,42) matrix(1,0,0,1,0,0) translate(-77,-42)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="14" width="87" height="30" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="33" y="27">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="3" y="42">172</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="25" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="28" y="42">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="43" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="46" y="42">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="53" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="57" y="42">11</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="71" y="42">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="74" y="42">24</text></g></g><g transform="matrix(1,0,0,1,152.86753236814712,193.5)"><g transform="translate(0,0)"><g transform="translate(-40,26.067047119140625) translate(-112.86753236814712,-219.56704711914062) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 193.5 240 L 157.36753236814712 198" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,67,193.49999999999997)"><g transform="translate(0,0)"><g transform="translate(-50,16.067047119140625) translate(-17,-209.5670471191406) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 71.5 240 L 112.63246763185288 197.99999999999997" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,130.5,79.5019243141968)"><g transform="translate(0,0)"><g transform="translate(-60,6.067047119140625) translate(-70.5,-85.56897143333742) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 135 174 L 275.32345076546227 84.0019243141968" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,5,185)"><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="76" height="32" fill-opacity="0"/></g></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="76" height="16" fill-opacity="0"/></g></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="16" y="0" width="46" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="16" y="14">Docker</text></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="16" width="76" height="16" fill-opacity="0"/></g></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="16" width="50" height="14" fill-opacity="0"/></g></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="16" width="50" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="14" y="30">Host</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="43" y="30"> #</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="54" y="30">1</text></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="62" y="18" width="1" height="14" fill-opacity="0"/></g></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="16" width="1" height="14" fill-opacity="0"/></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,283,177)"><g><g transform="translate(0,0) scale(2.52,1.29)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.3968253968253968,0.7751937984496123)"><path fill="#c5e4fc" stroke="none" d="M 10 0 L 242 0 Q 252 0 252 10 L 252 119 Q 252 129 242 129 L 10 129 Q 0 129 0 119 L 0 10 Q 0 0 10 0 Z" opacity="0.93"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 242 0 Q 252 0 252 10 L 252 119 Q 252 129 242 129 L 10 129 Q 0 129 0 119 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" stroke-width="2" opacity="0.93"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,291,240)"><g transform="translate(4,4) scale(1.0045045045045045,1.0087719298245614)"><g><g transform="translate(0,0) scale(1.11,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9009009009009008,1.7543859649122808)"><path fill="#000000" stroke="none" d="M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.11,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9009009009009008,1.7543859649122808)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.73"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.73"/></g></g></g></g></g><g transform="matrix(1,0,0,1,301,246)"><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="92" height="45" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="92" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="9" y="0" width="75" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="9" y="0" width="75" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="9" y="13">Container</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="65" y="13"> #</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="76" y="13">3</text></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="15" width="92" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="15" width="26" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="15" width="26" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="33" y="28">eth0</text></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="30" width="92" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="2" y="30" width="88" height="15" fill-opacity="0"/></g></g><g transform="translate(88,135) matrix(1,0,0,1,0,0) translate(-88,-135)"><g><rect fill="rgb(0,0,0)" stroke="none" x="2" y="30" width="88" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="2" y="43">172</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="24" y="43">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="28" y="43">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="42" y="43">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="46" y="43">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="53" y="43">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="57" y="43">12</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="71" y="43">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="75" y="43">24</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,413,240)"><g transform="translate(4,4) scale(1.0045045045045045,1.0087719298245614)"><g><g transform="translate(0,0) scale(1.11,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9009009009009008,1.7543859649122808)"><path fill="#000000" stroke="none" d="M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.11,0.57)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9009009009009008,1.7543859649122808)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" opacity="0.73"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 101.00000000000001 0 Q 111.00000000000001 0 111.00000000000001 10 L 111.00000000000001 46.99999999999999 Q 111.00000000000001 56.99999999999999 101.00000000000001 56.99999999999999 L 10 56.99999999999999 Q 0 56.99999999999999 0 46.99999999999999 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.73"/></g></g></g></g></g><g transform="matrix(1,0,0,1,423,247)"><g transform="translate(79,71) matrix(1,0,0,1,0,0) translate(-79,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="92" height="44" fill-opacity="0"/></g></g><g transform="translate(79,71) matrix(1,0,0,1,0,0) translate(-79,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="92" height="14" fill-opacity="0"/></g></g><g transform="translate(79,71) matrix(1,0,0,1,0,0) translate(-79,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="11" y="0" width="70" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="11" y="12">Container</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="63" y="12"> #</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="73" y="12">4</text></g><g transform="translate(79,71) matrix(1,0,0,1,0,0) translate(-79,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="92" height="30" fill-opacity="0"/></g></g><g transform="translate(79,71) matrix(1,0,0,1,0,0) translate(-79,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="14" width="88" height="30" fill-opacity="0"/></g></g><g transform="translate(79,71) matrix(1,0,0,1,0,0) translate(-79,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="33" y="14" width="88" height="30" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="33" y="27">eth0</text></g><g transform="translate(79,71) matrix(1,0,0,1,0,0) translate(-79,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="2" y="29" width="88" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="2" y="42">172</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="24" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="28" y="42">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="42" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="46" y="42">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="53" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="57" y="42">13</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="71" y="42">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="75" y="42">24</text></g></g><g transform="matrix(1,0,0,1,427.8675323681471,193.5)"><g transform="translate(0,0)"><g transform="translate(-315,26.067047119140625) translate(-112.86753236814712,-219.56704711914062) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 468.5 240 L 432.3675323681471 198" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,342,193.49999999999997)"><g transform="translate(0,0)"><g transform="translate(-325,16.067047119140625) translate(-17,-209.5670471191406) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 346.5 240 L 387.6324676318529 197.99999999999997" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,280,185)"><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="76" height="32" fill-opacity="0"/></g></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="76" height="16" fill-opacity="0"/></g></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="16" y="0" width="46" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="16" y="14">Docker</text></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="16" width="76" height="16" fill-opacity="0"/></g></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="16" width="50" height="14" fill-opacity="0"/></g></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="16" width="50" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="14" y="30">Host</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="43" y="30"> #</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="54" y="30">2</text></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="62" y="18" width="1" height="14" fill-opacity="0"/></g></g><g transform="translate(106,82) matrix(1,0,0,1,0,0) translate(-106,-82)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="16" width="1" height="14" fill-opacity="0"/></g></g></g><g transform="matrix(1,0,0,1,270.82345076546227,79.5019243141968)"><g transform="translate(0,0)"><g transform="translate(-70,-3.932952880859375) translate(-200.82345076546227,-75.56897143333742) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 410 174 L 275.32345076546227 84.0019243141968" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,167.32131882292583,39.0019243141968)"><g><g transform="translate(0,0) scale(2.1600318386915354,1.5512633057455518) translate(0.00001348378,-0.001498589)"><g><g><path fill="#FFFFFF" stroke="#434343" d="M 33.84 5.912 C 16.263 2.403 6.986 11.405 8.451 19.186 L 8.57 19.61 C -5.128 21.942 -1.537 38.106 5.033 38.106 L 5.679 38.085 C 4.026 45.68 20.032 53.41 28.958 49.548 L 29.531 48.92 C 32.713 55.752 44.02 56.893 55.201 57.177 C 64.89 57.425 70.546 56.658 74.702 52.411 L 75.341 52.599 C 90.852 53.845 97.915 43.133 94.526 35.442 L 95.36 35.207 C 100.648 33.808 101.258 21.602 92.187 19.797 L 92.361 19.325 C 96.299 11.385 87.011 3.896 74.124 5.303 L 73.23 4.837 C 64.003 -3.517 37.449 -2.157 34.373 6.108 L 33.84 5.912 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,356,150)"><g transform="translate(4,4) scale(1.0046296296296295,1.0104166666666667)"><g><g transform="translate(0,0) scale(1.08,0.48)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9259259259259258,2.0833333333333335)"><path fill="#000000" stroke="none" d="M 10 0 L 98 0 Q 108 0 108 10 L 108 38 Q 108 48 98 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 98 0 Q 108 0 108 10 L 108 38 Q 108 48 98 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.08,0.48)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9259259259259258,2.0833333333333335)"><path fill="#cccccc" stroke="none" d="M 10 0 L 98 0 Q 108 0 108 10 L 108 38 Q 108 48 98 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 98 0 Q 108 0 108 10 L 108 38 Q 108 48 98 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="matrix(1,0,0,1,366,153)"><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="89" height="42" fill-opacity="0"/></g></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="89" height="14" fill-opacity="0"/></g></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="0" width="61" height="14" fill-opacity="0"/></g></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="0" width="61" height="14" fill-opacity="0"/></g></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="0" width="33" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="italic" font-weight="normal" text-decoration="" line-height="14px" x="14" y="12">(</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="italic" font-weight="normal" text-decoration="" line-height="14px" x="18" y="12">Host</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="italic" font-weight="normal" text-decoration="" line-height="14px" x="43" y="12">)</text></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="47" y="0" width="29" height="14" fill-opacity="0"/></g></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="47" y="0" width="29" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="50" y="12">eth0</text></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="1" height="14" fill-opacity="0"/></g></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="89" height="14" fill-opacity="0"/></g></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="14" width="88" height="14" fill-opacity="0"/></g></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="14" width="88" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="1" y="26">172</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="21" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="25" y="26">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="38" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="41" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="48" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="51" y="26">253</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="71" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="75" y="26">24</text></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="28" width="89" height="14" fill-opacity="0"/></g></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="11" y="28" width="68" height="14" fill-opacity="0"/></g></g><g transform="translate(160,126) matrix(1,0,0,1,0,0) translate(-160,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="11" y="28" width="68" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="11" y="40">(</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="15" y="40">IP</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="30" y="40">Optional</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="74" y="40">)</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,81,150)"><g transform="translate(4,4) scale(1.0046296296296295,1.0104166666666667)"><g><g transform="translate(0,0) scale(1.08,0.48)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9259259259259258,2.0833333333333335)"><path fill="#000000" stroke="none" d="M 10 0 L 98 0 Q 108 0 108 10 L 108 38 Q 108 48 98 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 98 0 Q 108 0 108 10 L 108 38 Q 108 48 98 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.08,0.48)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9259259259259258,2.0833333333333335)"><path fill="#cccccc" stroke="none" d="M 10 0 L 98 0 Q 108 0 108 10 L 108 38 Q 108 48 98 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 98 0 Q 108 0 108 10 L 108 38 Q 108 48 98 48 L 10 48 Q 0 48 0 38 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="matrix(1,0,0,1,91,153)"><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="89" height="42" fill-opacity="0"/></g></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="89" height="14" fill-opacity="0"/></g></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="0" width="61" height="14" fill-opacity="0"/></g></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="0" width="61" height="14" fill-opacity="0"/></g></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="0" width="33" height="14" fill-opacity="0"/></g></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="0" width="33" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="italic" font-weight="normal" text-decoration="" line-height="14px" x="14" y="12">(</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="italic" font-weight="normal" text-decoration="" line-height="14px" x="18" y="12">Host</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="italic" font-weight="normal" text-decoration="" line-height="14px" x="43" y="12">)</text></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="47" y="0" width="29" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="50" y="12">eth0</text></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="1" height="14" fill-opacity="0"/></g></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="89" height="14" fill-opacity="0"/></g></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="14" width="88" height="14" fill-opacity="0"/></g></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="14" width="88" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="1" y="26">172</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="21" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="25" y="26">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="38" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="41" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="48" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="51" y="26">254</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="71" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="75" y="26">24</text></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="28" width="89" height="14" fill-opacity="0"/></g></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="11" y="28" width="68" height="14" fill-opacity="0"/></g></g><g transform="translate(127,126) matrix(1,0,0,1,0,0) translate(-127,-126)"><g><rect fill="rgb(0,0,0)" stroke="none" x="11" y="28" width="68" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="italic" font-weight="normal" text-decoration="" line-height="14px" x="11" y="40">(</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="italic" font-weight="normal" text-decoration="" line-height="14px" x="15" y="40">IP</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="italic" font-weight="normal" text-decoration="" line-height="14px" x="30" y="40">Optional</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="italic" font-weight="normal" text-decoration="" line-height="14px" x="74" y="40">)</text></g></g><g transform="matrix(1,0,0,1,226,64)"><g transform="translate(117,64) matrix(1,0,0,1,0,0) translate(-117,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="117" height="32" fill-opacity="0"/></g></g><g transform="translate(117,64) matrix(1,0,0,1,0,0) translate(-117,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="117" height="16" fill-opacity="0"/></g></g><g transform="translate(117,64) matrix(1,0,0,1,0,0) translate(-117,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="3" y="0" width="111" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="3" y="14">Network</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="58" y="14">Gateway</text></g><g transform="translate(117,64) matrix(1,0,0,1,0,0) translate(-117,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="16" width="117" height="16" fill-opacity="0"/></g></g><g transform="translate(117,64) matrix(1,0,0,1,0,0) translate(-117,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="16" y="16" width="87" height="16" fill-opacity="0"/></g></g><g transform="translate(117,64) matrix(1,0,0,1,0,0) translate(-117,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="16" y="16" width="67" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="16" y="30">172</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="39" y="30">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="43" y="30">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="59" y="30">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="62" y="30">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="70" y="30">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="74" y="30">1</text></g><g transform="translate(117,64) matrix(1,0,0,1,0,0) translate(-117,-64)"><g><rect fill="rgb(0,0,0)" stroke="none" x="82" y="16" width="21" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="82" y="30">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="86" y="30">24</text></g></g><g transform="matrix(1,0,0,1,2,317)"><g transform="translate(1,0) matrix(1,0,0,1,0,0) translate(-1,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="538" height="36" fill-opacity="0"/></g></g><g transform="translate(1,0) matrix(1,0,0,1,0,0) translate(-1,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="538" height="18" fill-opacity="0"/></g></g><g transform="translate(1,0) matrix(1,0,0,1,0,0) translate(-1,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="0" width="536" height="17" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="1" y="15">Containers</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="83" y="15">Attached</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="151" y="15">Directly</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="209" y="15">to</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="226" y="15">Parent</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="278" y="15">Interface</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="340" y="15">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="349" y="15">No</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="374" y="15">Bridge</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="425" y="15">Used</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="462" y="15"> (</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="472" y="15">Docker0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="16px" font-style="italic" font-weight="normal" text-decoration="" line-height="18.5px" x="531" y="15">)</text></g></g><g transform="matrix(1,0,0,1,4,7)"><g transform="translate(81,0) matrix(1,0,0,1,0,0) translate(-81,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="538" height="22" fill-opacity="0"/></g></g><g transform="translate(81,0) matrix(1,0,0,1,0,0) translate(-81,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="538" height="22" fill-opacity="0"/></g></g><g transform="translate(81,0) matrix(1,0,0,1,0,0) translate(-81,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="81" y="0" width="376" height="22" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="81" y="19">Macvlan</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="166" y="19">Bridge</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="235" y="19">Mode</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="287" y="19"> &amp;</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="312" y="19">Ipvlan</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="376" y="19">L2</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="405" y="19">Mode</text></g></g></g></svg>
\ No newline at end of file
diff --git a/cli/experimental/images/multi_tenant_8021q_vlans.gliffy b/cli/experimental/images/multi_tenant_8021q_vlans.gliffy
new file mode 100644
index 00000000..40eed172
--- /dev/null
+++ b/cli/experimental/images/multi_tenant_8021q_vlans.gliffy
@@ -0,0 +1 @@
+{"contentType":"application/gliffy+json","version":"1.3","stage":{"background":"#ffffff","width":389,"height":213,"nodeIndex":276,"autoFit":true,"exportBorder":false,"gridOn":true,"snapToGrid":false,"drawingGuidesOn":false,"pageBreaksOn":false,"printGridOn":false,"printPaper":"LETTER","printShrinkToFit":false,"printPortrait":true,"maxWidth":5000,"maxHeight":5000,"themeData":null,"viewportType":"default","fitBB":{"min":{"x":5,"y":6.6999969482421875},"max":{"x":389,"y":212.14285409109937}},"printModel":{"pageSize":"a4","portrait":false,"fitToOnePage":false,"displayPageBreaks":false},"objects":[{"x":64.0,"y":36.0,"rotation":0.0,"id":216,"width":211.0,"height":31.0,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":10,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":5.0,"strokeColor":"#e69138","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":10.0,"controlPath":[[-12.0,33.0],[84.0,33.0],[84.0,86.0],[120.0,86.0]],"lockSegments":{"1":true},"ortho":true}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":190.0,"y":32.0,"rotation":0.0,"id":254,"width":211.0,"height":31.0,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":11,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":5.0,"strokeColor":"#f1c232","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":10.0,"controlPath":[[-142.0,16.0],[54.0,16.0],[54.0,115.0],[87.0,115.0]],"lockSegments":{"1":true},"ortho":true}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":133.38636363636374,"y":108.14285409109937,"rotation":0.0,"id":226,"width":123.00000000000001,"height":104.0,"uid":"com.gliffy.shape.iphone.iphone_ios7.icons_glyphs.glyph_cloud","order":12,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.iphone.iphone_ios7.icons_glyphs.glyph_cloud","strokeWidth":1.0,"strokeColor":"#000000","fillColor":"#999999","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":15.147567221510933,"y":139.96785409109907,"rotation":0.0,"id":115,"width":107.40845070422536,"height":49.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":29,"lockAspectRatio":false,"lockShape":false,"children":[{"x":31.506478873239438,"y":2.4460032626429853,"rotation":0.0,"id":116,"width":44.395492957746484,"height":29.54388254486117,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":17,"lockAspectRatio":false,"lockShape":false,"children":[{"x":20.86588169014084,"y":2.637846655791175,"rotation":0.0,"id":117,"width":2.663729577464789,"height":24.268189233278818,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":26,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":120,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":120,"py":1.0,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[1.3318647887324033,-1.055138662316466],[1.3318647887324033,25.3233278955953]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":36.84825915492961,"y":2.637846655791175,"rotation":0.0,"id":118,"width":1.0000000000000002,"height":25.323327895595277,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":23,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-0.8875219090985048,-1.0551386623167391],[-0.8875219090985048,25.323327895595412]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":7.103278873239435,"y":1.230995106035881,"rotation":0.0,"id":119,"width":1.0000000000000002,"height":25.323327895595277,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":20,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[1.2752008616871728,0.3517128874389471],[1.2752008616871728,26.73017944535047]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":1.5827079934747048,"rotation":0.0,"id":120,"width":44.395492957746484,"height":26.378466557911768,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":15,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2.0,"strokeColor":"#6fa8dc","fillColor":"#3d85c6","gradient":true,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":37.199347471451986,"rotation":0.0,"id":121,"width":107.40845070422536,"height":28.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":28,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-family:Arial;font-size:12px;\"><span style=\"\">container1 - vlan10</span></span></p><p style=\"text-align:center;\"><span style=\"\">192.168.1.2/24</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":68.0,"y":82.69999694824219,"rotation":0.0,"id":140,"width":150.0,"height":14.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":30,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"text-decoration:none;font-family:Arial;font-size:12px;\"><span style=\"text-decoration:none;\"><br /></span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":71.0,"y":4.1999969482421875,"rotation":0.0,"id":187,"width":108.99999999999999,"height":19.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":31,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">eth0 - 802.1q trunk</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":282.0,"y":8.0,"rotation":0.0,"id":199,"width":73.00000000000003,"height":40.150000000000006,"uid":"com.gliffy.shape.network.network_v4.business.router","order":32,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.network.network_v4.business.router","strokeWidth":1.0,"strokeColor":"#000000","fillColor":"#3966A0","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":62.0,"y":55.0,"rotation":0.0,"id":210,"width":211.0,"height":31.0,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":34,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":5.0,"strokeColor":"#e06666","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":10.0,"controlPath":[[-8.0,11.0],[-8.0,34.0],[26.0,34.0],[26.0,57.0]],"lockSegments":{},"ortho":true}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":12.805718530101615,"y":11.940280333547719,"rotation":0.0,"id":134,"width":59.31028146989837,"height":83.0,"uid":"com.gliffy.shape.cisco.cisco_v1.servers.standard_host","order":35,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.cisco.cisco_v1.servers.standard_host","strokeWidth":2.0,"strokeColor":"#333333","fillColor":"#3d85c6","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":64.0,"y":73.19999694824219,"rotation":0.0,"id":211,"width":60.0,"height":14.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":36,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">eth0.10</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":65.0,"y":52.19999694824219,"rotation":0.0,"id":212,"width":60.0,"height":14.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":37,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">eth0.20</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":7.386363636363733,"y":108.14285409109937,"rotation":0.0,"id":219,"width":123.00000000000001,"height":104.0,"uid":"com.gliffy.shape.iphone.iphone_ios7.icons_glyphs.glyph_cloud","order":38,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.iphone.iphone_ios7.icons_glyphs.glyph_cloud","strokeWidth":1.0,"strokeColor":"#000000","fillColor":"#999999","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":139.1475672215109,"y":139.96785409109907,"rotation":0.0,"id":227,"width":107.40845070422536,"height":49.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":55,"lockAspectRatio":false,"lockShape":false,"children":[{"x":31.506478873239438,"y":2.4460032626429853,"rotation":0.0,"id":228,"width":44.395492957746484,"height":29.54388254486117,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":43,"lockAspectRatio":false,"lockShape":false,"children":[{"x":20.86588169014084,"y":2.637846655791175,"rotation":0.0,"id":229,"width":2.663729577464789,"height":24.268189233278818,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":52,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":232,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":232,"py":1.0,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[1.3318647887323891,-1.055138662316466],[1.3318647887323891,25.3233278955953]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":36.84825915492961,"y":2.637846655791175,"rotation":0.0,"id":230,"width":1.0000000000000002,"height":25.323327895595277,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":49,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-0.8875219090985048,-1.0551386623167391],[-0.8875219090985048,25.323327895595412]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":7.103278873239435,"y":1.230995106035881,"rotation":0.0,"id":231,"width":1.0000000000000002,"height":25.323327895595277,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":46,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[1.2752008616871728,0.3517128874389471],[1.2752008616871728,26.73017944535047]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":1.5827079934747048,"rotation":0.0,"id":232,"width":44.395492957746484,"height":26.378466557911768,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":41,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2.0,"strokeColor":"#6fa8dc","fillColor":"#3d85c6","gradient":true,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":37.199347471451986,"rotation":0.0,"id":233,"width":107.40845070422536,"height":28.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":54,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-family:Arial;font-size:12px;\"><span style=\"\">container2 - vlan20</span></span></p><p style=\"text-align:center;\"><span style=\"\">172.16.1.2/24</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":259.38636363636374,"y":108.14285409109937,"rotation":0.0,"id":248,"width":123.00000000000001,"height":104.0,"uid":"com.gliffy.shape.iphone.iphone_ios7.icons_glyphs.glyph_cloud","order":56,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.iphone.iphone_ios7.icons_glyphs.glyph_cloud","strokeWidth":1.0,"strokeColor":"#000000","fillColor":"#999999","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":265.14756722151094,"y":139.96785409109907,"rotation":0.0,"id":241,"width":107.40845070422536,"height":49.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":73,"lockAspectRatio":false,"lockShape":false,"children":[{"x":31.506478873239438,"y":2.4460032626429853,"rotation":0.0,"id":242,"width":44.395492957746484,"height":29.54388254486117,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":61,"lockAspectRatio":false,"lockShape":false,"children":[{"x":20.86588169014084,"y":2.637846655791175,"rotation":0.0,"id":243,"width":2.663729577464789,"height":24.268189233278818,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":70,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":246,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":246,"py":1.0,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[1.3318647887323891,-1.055138662316466],[1.3318647887323891,25.3233278955953]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":36.84825915492961,"y":2.637846655791175,"rotation":0.0,"id":244,"width":1.0000000000000002,"height":25.323327895595277,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":67,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-0.8875219090985048,-1.0551386623167391],[-0.8875219090985048,25.323327895595412]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":7.103278873239435,"y":1.230995106035881,"rotation":0.0,"id":245,"width":1.0000000000000002,"height":25.323327895595277,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":64,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#0b5394","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[1.2752008616871728,0.3517128874389471],[1.2752008616871728,26.73017944535047]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":1.5827079934747048,"rotation":0.0,"id":246,"width":44.395492957746484,"height":26.378466557911768,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":59,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2.0,"strokeColor":"#6fa8dc","fillColor":"#3d85c6","gradient":true,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":37.199347471451986,"rotation":0.0,"id":247,"width":107.40845070422536,"height":28.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":72,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-family:Arial;font-size:12px;\"><span style=\"\">container3 - vlan30</span></span></p><p style=\"text-align:center;\"><span style=\"\">10.1.1.2/16</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":65.0,"y":31.199996948242188,"rotation":0.0,"id":253,"width":60.0,"height":14.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":74,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">eth0.30</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":44.49612211422149,"y":17.874999999999943,"rotation":0.0,"id":266,"width":275.00609168449375,"height":15.70000000000006,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":75,"lockAspectRatio":false,"lockShape":false,"children":[{"x":68.50387788577851,"y":43.12500000000006,"rotation":0.0,"id":258,"width":211.0,"height":31.0,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":9,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#999999","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-64.00387788577851,-31.924999999999997],[197.00221379871527,-31.925000000000153]],"lockSegments":{"1":true},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":68.50387788577851,"y":38.55333333333314,"rotation":0.0,"id":262,"width":211.0,"height":33.06666666666631,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":7,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#999999","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-64.00387788577851,-34.053333333332965],[197.00221379871527,-34.05333333333314]],"lockSegments":{"1":true},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":70.50387788577851,"y":40.7533333333331,"rotation":0.0,"id":261,"width":211.0,"height":33.06666666666631,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":5,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#e06666","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-64.00387788577851,-34.053333333332965],[197.00221379871527,-34.05333333333314]],"lockSegments":{"1":true},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":70.50387788577851,"y":42.88666666666643,"rotation":0.0,"id":260,"width":211.0,"height":33.06666666666631,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":3,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#e69138","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-64.00387788577851,-34.053333333332965],[197.00221379871527,-34.05333333333314]],"lockSegments":{"1":true},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":73.50387788577851,"y":43.95333333333309,"rotation":0.0,"id":259,"width":211.0,"height":33.06666666666631,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":1,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":2.0,"strokeColor":"#ffe599","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-64.00387788577851,-34.053333333332965],[197.00221379871527,-34.05333333333314]],"lockSegments":{"1":true},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":248.0,"y":51.19999694824219,"rotation":0.0,"id":207,"width":143.0,"height":70.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":33,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:left;\"><span style=\"\">Network Router (gateway)</span></p><p style=\"text-align:left;\"><span style=\"\">vlan10 - 192.168.1.1/24</span></p><p style=\"text-align:left;\"><span style=\"\">vlan20 -&nbsp;</span><span style=\"\">172.16.1.1/24</span></p><p style=\"text-align:left;\"><span style=\"\">vlan30 -&nbsp;</span><span style=\"\">10.1.1.1/16</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":3.0,"y":88.19999694824219,"rotation":0.0,"id":272,"width":77.99999999999999,"height":28.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":76,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">Docker Host</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"layers":[{"guid":"9wom3rMkTrb3","order":0,"name":"Layer 0","active":true,"locked":false,"visible":true,"nodeIndex":80}],"shapeStyles":{},"lineStyles":{"global":{"stroke":"#e06666","strokeWidth":2,"orthoMode":1}},"textStyles":{"global":{"bold":true,"face":"Arial","size":"12px","color":"#000000"}}},"metadata":{"title":"untitled","revision":0,"exportBorder":false,"loadPosition":"default","libraries":["com.gliffy.libraries.network.network_v4.home","com.gliffy.libraries.network.network_v4.business","com.gliffy.libraries.network.network_v4.rack","com.gliffy.libraries.network.network_v3.home","com.gliffy.libraries.network.network_v3.business","com.gliffy.libraries.network.network_v3.rack"],"lastSerialized":1457586821719,"analyticsProduct":"Confluence"},"embeddedResources":{"index":0,"resources":[]}}
\ No newline at end of file
diff --git a/cli/experimental/images/multi_tenant_8021q_vlans.png b/cli/experimental/images/multi_tenant_8021q_vlans.png
new file mode 100644
index 0000000000000000000000000000000000000000..a38633cdbc23014364bfc611d650b2a17dc72ae0
GIT binary patch
literal 17879
zcmYhg1yEbx7cE?9f#O<Ri#r5&cQ2aa5?orK6sNd*3GM|76br?zxCCi&*Wgy1pkMm?
zfA7tk%w+D&k-gU1`|Q2Xz0um5O4u0W7%yJDz*bR~fA``AQYPYg?=>>wA2N=k^5TU;
zo{GGTp7-KW?!7UgA^9LY@*H}Cd+%K1(B{(ASh93{t=X3Dy466wQ~@&Pj=v%}BW_Tv
zbkUAB&>_O7chr-9U4T!T_5s~WI_wo`Hxeo-?Y#yLmK@UoPhtsg``T`mL=N9B!-bsW
zgx|Q&gpY0y13~m9EY?WzZE_R{@hs0lpRCMaMHVgp79Xn2Ku{Ma|No98>dQ?kYv>Nv
zsWm8Z-;KC6HhR6Lr!Ve<Fe}R@Pi+tuF^+?+Y74*XRSsIJN3)F`kTl>Nd|tr%VOY^m
zkwVRr&<8Req~^;ok(4~qc8%?}ztG$_^;BLz`tzB2Oc({;nbWga)0iI=_!KOa4M-C_
ztTazF`Hr*|1=0#(;FjKu?@{<00=iad-;Dj0b?Kb28_=j{!D5U#_8Zd^0xL57Wr;kV
zW7Yogi>A0O_xXi?B{b%JsyPNb<9T4@0^Ua9m{`f@Ovrp&86MOYtf<tR@NiIOcWMno
zhN{m_EhXqVi<mquEb2~-ElnIq8GWRDBCq4%V9dx~Jos1&&|(=IISb*#Rv3c4AvIAK
zR3mpn_3_8~S|#p>-^It+zxU^_2T1@9mNroUAc=~sP<&MwscFUeQ~U<|7u8-^w-37_
z?-JEMYVoHK&{lO$cTS!yzsMU2rqz<^>|956zA~~i8KsrX0scsyr~V=kQBHaJzO|cU
zTzmPi`1-h;toXlFvEO)Dhttdt&?@q>Kd)2Vquk7t1{Yd_oSwgUmj1whTCDfD33ck9
z8RJU_(H9rX_0l_CkUw=EALt!#nWmXQAB_t;pO30$=Q^sZZaP`|Lj;nj;8ja2!7oV8
z60r=%w|IV$d3b~n<=QD^cSzQ7Vpm-Q+IaizNe1w?1stu&`ijkMd>wcd20ZSXmE!1I
zI8Z;Z4{&eE;orfX6?=uD-Zc^jXFe|_NhE{gSt~z1m@cv{#2Ot7Dt%%N{W=MM*IAB6
zO*h~mm)cFI9OyBP>x`Y6Vxo^NBYlu5a$oT%!`QXsCSLEni?ZE5>9IAgThC|y@b=K)
zup@H_BIEF_%5Ob&C2gXbHMgR~wd38|>Y>X)pg^&S(#@Qp{`5}_L)TAjPNKc3{R_Im
zSTx*!+wnGYZWnBY3_>`pJ=Dj!#FUC~K^{-G#oe3eQeR|JSmIRTf|KTmOp)u~kKwNy
ztr$AvQVd!r-YN-dJzN1!UqQ7M4I_mGlQj}eH&TSJxxDcg!oN~+fq?KYq*czb)8De<
z@bw6WQp{wZ*NveGzgX|D9yD6qy=^=-BQVoy8O4?}f=3qpAOvaoMw*+Mnf-ufYlTmy
zHG6OWpo!J2Z1iIa<Z@Tv?CnW9=_<GwyZLN&r2hczx_W*$LUmM6sk$uEIjc_(8a|rK
zYnaKf@=lUsoW~;U{hKP;KQxfMo9)L(&7ZIik-xS4g!VTQ6<p`e@r_A0MIiI#WGJxI
zUpEt^ZqY%?#MsmbGDphpT=oh)m)!Y#_p-!;&qOWAvu4E*Q1pc?roO7|&-Q%(VrCDZ
zoo}e)*qN}lsF$bs=zvPptK=Bo;M>~O*@BFdJ2=tR+=&$w0&?W~!n&Tou+fz?XbS5x
z?)E3!mMk5G5K4sx%>E`#WAZ0sl3d^Q$J@mmV$t>0g4BG4_>bM64d8oB1<Qq|rlQTj
z(p9Y2V<rGK!f=JRi9mQAB<)i&jdm^8bLqWLz6i?m=Wvx_c6A0`OMl<-&K--y)~ltJ
z^xEs1>YJ65SI|}XnodMBgWbaKzxJQI_?a(SC6hSaSC6PjS3Sys<~Kr(di<~axaTe)
za%Hw;r*#TBwCP%3Uo~;Q*)Af+HL~`&f5kcw9!*fzA8$9hki&vnbf2gx1HBGmr|LM$
z`@(Q`VlT9|BD@v0Osq%F*-}u*{5BzxKyc2M9V4oaBegp$`47kKyy)DwQ~J0LHDgA<
zWb{EidaHNwHT|vMa~t-2Gd1GWO{<a<|DIdEOF7tVSc2%5=7N6j9$x&x*H&`}TL#BD
zbw2Na+3%EpzAe+FB(K}Kzxp(|D~Ni}Qx{-K^)fRHq@FT}G!Z&%;ejSiEsX^6^-ePf
zk3>fiz5JM=PAwnfkh0g9Ip9Y|WhQKM@UhRN&zPk@N8r}r7J%{fLmcR1XAlPz_PNfc
zN|&SLZ2SxtKn_ed>cZM?j3(z@Qm?d4)VR4vJw<<s4iZZ+iwClXc0QMoo{_17k0n2j
zW$DMrj#iL`IHYERUbhQtyDP2r;Wd`56H9~hOk*LP9mq%C#ItPDr8b%Gt!$3X^$fmy
ziO)=E2`I`~<ri5~V$);3&8{5z<=fX5g)FZ_JXJvvPgj4;5%>`8@OM1x#Ov9;B4#0E
z4CVXs=_V=k1>gaGm2iPJZer)vq&w7Rk~oroQIV1gDlmHf{dclgvQ{qtxXoV)uLOSo
zX<U76(RbTRN$MIS4$FoO%vkxV1_g&w1BFmGy&8oSKrkCqk@Zm<9iMbm(!_@{js2Pk
z0OnjIFXUmXgH8N^bmsOKA8V+BEzNu?i%(am%mPS#1FM*80P}QMfp@xTo%pMbrr4g>
z`CSXah0|4bZk|}UxVTK^cZ*IjP{%t|mFVyB<L@4ho*}=1zK=NKSz!QSgIm{@{wvGy
z^$^a+++G7FYhaD=<=Pe8={k)i|0D6TMe3A|HJQQPMP-QdpmrpkZBcVICc|XBY+qla
zXS7`nlvcOy$oG3mNy%6FEU&7?%)uRdiH?`iwxf0rbQkVMbUd2m)H>Da8>G@=YnA?}
zgD-#oF`fg9bI3JQN;mG<yp)UR{4jg4b01~jzf+80un_ph(w>X!GD)EonafCDf15VB
z)D+V|i~tOxT6z3HYWbn_=c%>V)#cXDDJOGk<nxp;P=+C@AL>&}<QT>$O{_XS^I7lH
zZEVp1(PsD0r`Rw<G@8z(4`9s3*=ao+yVPWjdf*Q<YoiDe)75R%lEMgq-1fLqqeJ4i
z8gNGJgHrJC0RCK7H~B%*N~e>_kove#YX1(JL{n_7*`<A@wR^5zb17JW)o{FnEGcK}
z!&l=>@jA$u>0>>W$>ND>KqKq}Ht`T13M%;lh2>dyc6VNPYTEIH1cr}Y<x<;34myXC
zw4&fxqr=G}DR?`Lf4wK#kc7tSdMBk9UV?3%!CoP^N6ZH5?Y()GjQ?Q+j0~E>|Ey8a
zfu>QWO3t&dD+t;#Tx*{x3<nj^<qcYnR@`0J$~xZ@fPJ!bXVcBxx|2tzOO)>V3SpLH
znu1t~d;FK-b@fQC*lQb(x=k21XO9pwH<b@_z5s}W;L-?{Be<gu#>19Lwo9W8IV#p?
z)@G&1;m!p8%7LJ(odTd%R+6>fYmz}chCuq(_Lj@nv-j4-x4~*4?9!r|4BSn}f|#r}
z757FHa_Ywi5}df-E^S<|xZt8dV3W^5h}cR~{!AaF(d@Kv{RC)ZGv(Z<uSSpqs>Lcp
z>sU1pq%7n3Sj+l@fW>QXStG|drHMNll$Zv(q8sCI+I7Mt_aIJ2_zUE0RA#$Sksm8*
zLS{KD)hPk)JS<899bTtfq+w`e_-!V{Oi_1@LNp>r$i|;qZ}Bt(@>wcUfsK!QZ^9x9
z_e;2Q>_<A+vk9QBzVeiS!EW_|Ssx113~TU;J?F-IuN`lE-H86c*|6AA=@(WD*0w;0
zfHFm}B~5){qv*3Y6WId)5+qJt06K24{Qj6F(4p`mJC{V;0D=|dDq#{#zjh&*Cqu?m
zkF_n)lD3C3U&oXQVzE|@V&a&uFKy;<ay&FJ+!TGjt~Mj8HGNUkads6p@jBHlEBrKq
z`Rsxj{5Z~0S#?D<A)<<ijO(ii;ronVnUi1dGhXP%@q!Br8o?G}Ag;vc>Fo&8N^H-8
zA7?b&6>{I6&U#vRSdcO|)ETV+wGWAZjIbLuHj?RRL+P;Y)3ybw&ihi0u9rr6AKMkd
zba9PkWo4O&L+UclrXF?+$x&-~LB=;Ky?qN<xairQTdBZCy0y0i4vztH{GB_PHy7u3
zxO8H}PjKHR$qoaSbt6>cSMUjAX|ZzJY{J+s)~5OZUeu}bcM`9>7?7d0=Zy6~Y5~94
zHqI<N^6QS)oX&l10niUrC{LrpE4MR+<eU-0F>Z;oY`_Syah{NYlV+)xxLbXQR{atN
zIkMpwHgL#z4=J50!Dc?&wXv>)7$HMBt7CZu2jv^_Kczn7(1g|>M9{YL<zN{aSiSm@
zyx`Gpgh>w$Z^$q18?$l*f4Wg2Z`&Fwa|Jt$vzDtSl(R}P5tzI;DyAEYm=!kN>vXVM
zxLuUebn3b{#i>s;%+;=b+%mbjhkDqg&Ov{*dEWQmfOm%?<lBendccz(_A?;pLKj0$
z&x`R!U`mcu4^_4lYsaxf*0u8k5~E61!<e~ndqs{ZDsxnD`4-gX-(M7nFBo(H%Sd%s
zB~I^W8kE22y|BhW(yES4Wjarrzil>U3FWGbGg9R6i{sE`9>gklS7l4J#-RNg@sMFv
zFyxqk_j_}|yMn6^V6`9&O%fuBY+4vDglCVl03$43_eIrxG5UqsL_NYGr@W}du2sAA
zJIPSItk%GGA%bI~tWpaAC_?AG>x01TfDf<?Bo%}bnhDXPZOd{O?*R?1$4t8XG`7B6
z<b$nv2(V{XAj2chxE*YfvV^o1?^-O4{3@|<fVwT&NLzy6pRnTnA1a7vBYHVP&479)
ztA$aEOi_{2^z@I#stM7mp3(Vp?>NEe%T!jTL)_W>F}(oo@^*Zr>gIt#{R1VDuD*$^
zS|^}(ASNZ!>3VV@mM#QKDN4F}YVQpcARb++%x$%xZut*r`?qmc*7{NQu*dPp?ZHdC
zGK#U56sz=K8-&)azkSK-oU`JM1VP{p1EX(}lUClsuKt+=C$BH(#vn=zgRmJ9#<W1P
zyYCn8HNVxuBxdcYM-5c4KxHpMOkG4}n1%oJR?`M=2+kevW|i8|9JQC)EUY;jmWlST
zlWmI{UH^q;jO3(L*3XuwS`R>-%GE7dn}3|Q3kb|bt{!lG9d=<F@%r`_lJvY?co<*E
zjAGL)_|nq#c9EN7D8)Q%-1^C2m-nh(J(u!=cYE-wky8%W*Ch9yio)<93Ezu8-FnOW
zJUoin<1e}@9QQ6jMY{}Tt)%sRT0-x|o0cH}{JbcX<NIb6NQq!9FXkMRglp69EkDdw
z7iK8OK@Uz={uuVkb-jP2BRsv*7%?TYjb^Q?u!LQl%WC0g-4ET1T&eC2*HdW=A>icF
zdhScP!jO%;3j8_&aZ$v*7%YL#;q=<k7PusBp{4bQX2=%&=DECU6)-uMVb5XQyzOkz
zeI?IlWBnG44;>;{czRtFkMoHc2TCv-1?mGp<b?|TXQRBCAN(*4^=jsIGlphoS^ou(
z4Z2ImDsC@*sO4nwWzhBbwUX;r=hhAGSpd!NFqf&wcFRSQ<5+OOpU!z&8D~5e3_Eie
zc4)Kh)>})8NX4wIBz#d+Vuzl-*M#%(@81e)fgR>XUs^{(<dwu1#G^$WG>gVPM6U<Q
zR_(8c+P13~##VefX=&YuGqbm2XvVj0n2nh3p8Bts)+(l(DS}W<9~k&K+l1SKw#(lu
z*Q$>W<B7_N&ig$-wM`VL1^L+UuXjII{Tr!O-}`}I)qF9vw)N4VL~B|$ph8<epTLqO
z)*{m)^LKlKXWFXI_Lj%Rc!hHKHl#i*0B;F{@6QoiqOE4q42>*HV=EHlZO`8neF-+F
z(hW;?u>OfdAFfaBd=)8hlv6)C$zs8c*(;jvPyJ+{nks%9>~hZ{=w=++HL-<t+CH!)
zM<<n?ZtXrAx9h79>^rG8)8P>9tK$gml8CJrcltW;q!$snXiI{NYh0I8LFyWkilaW;
z@n(xXY**z11v*RJ#^7q5{uOjWhH>_QU#F&-eDbtO;{!f6^+>2y56M>*gcftib<W(C
z+k<iQ88rQFZ_EQsQZ9cK(p-O1$n&)kngT7T;El_fmedILGYO=#WwJsl%B7j$a2lxv
z$d5RFGBXdPJnKx#jV#t+)gpOJgVup>0;aqY@-M!r#9+Q~ykQjU9PcrZfBmixm0dA|
zhBYEv-$N4$8B4%5A5C%1tN>`RDQ5z++>P}43Hn@7$|t>C^=!&3$le`FvShp=u8k#7
zN{MeDNG_)7ywzuBI{@ej5#4bW-sm=1J7#Xb2>~6(o2GPgJ9sxse2D6Aj52kP@q9j*
z@+i(ceOU6>SH_<DVl>J~3H_eldKBhBK9+Tm{KgRYTmH-MquX>Ta8?Xf#F{aE;)lhj
z5!JBC9m4*o$!R`{J7JY@D{}dsTJ`%eJTtIh&n1BGbQ*d@tGTHdjH%$z>l+@Sj*-d`
zymFLDSD)iZNZ@Bf+=#r<lcdZG;iwgGd^JH5S{X*C79y4MClugVo!K*&U=sd;M}9t=
zfB1o+m}camYDnisF`4-Ar#-0?J_~B!OZ^ZbUwraD3A~Xv#;Mq{2R*bt5b~l0|8hvn
zvdSyyEM;35x?iij?5n7G#xiA|0ud>`t+hi<eU{Gx@9~vgO5lHn>lrAJDn<wje|;U+
zHC*`6fUZRqLe)Qf(6d78PDj^HleXYxGnr1N15!!ivMS9RC32h8R-GWZN@s1&e(Cx8
zwlvVsXGfFPMFuV~0U&NHig8hPRYD2bOy^}VJj!?zN;0+_x1?oV54XyY#c6)og7jG~
zU%1dpk3Sx3A<of@-Pet%Tp!N3tp1*vXM|kFEGs|V0R~5Bay9y+PX8z}-2~*O<qpCy
z1YPP((weduHO|g6s?$X?SVVw0t<rOty4(5kKp%!QKT2sh3~MM1*H1@)So8#UN?xod
zF{UzSN(O2>eHKuurwiYSXq=pOt$0OS#H6qBhAhQK{u_xbl*gJZZGdYFlkn>Ys&Qn(
zYVG5UZw}feXdn&wr!XSdi8}R6Tw|RQ&9Ym6-uHE*0$l}4C*OkIBu??oL7hw<z;2Wy
zgUeMG<mPgkZizp3*jtbDFDuZnaXsutN(xT>dL)IoSBB*R8Npahnzhc4b!tgvLS2o2
zTBl>?8SUah1<R?_lJPC8o~R{%d8?hi4$5R~ULz#{kIk57N}L4?CrZqdo(#_4G4v!%
zisxL&FsLhk1xKT@mYSu5=(6q;9S47<kY2~tf`A)Z8{cWMAXa^I(B|4V{1G_SysmpB
z{BJ6sK62)0X8nv(=zXE6yWFsb0-7on+5hH)4jj`%7W>Zwob3#$ik~fqlk!&e$)ydh
zHnA*+)`U5<P=r)xJ>eU8uTZPe!Brw&=-=HbvV(@BX#&|0+KYgLt&BlwC_xy0skCzX
znZLO9skp03F}sKHN+&)nN#%<2>#Mvd_*H#E+^iZv0DQ~xx=X$91zn~-pRjz7ygbO<
z@;e~+QgB-%6w|9zCs><WlM(P$o|J*Y44Bqg_}dVGX&kIwB*<#35PmVlwBky}j!JmQ
zJ=NYWK^w2z8-G5X|N9AI%zC7r)6A-E(QpMgF}Pg$-WyZ6{Lu1xvE-*%ievzV?-U-}
z+uOI_R^*VXbfI@4>}dzzLO@ROrm{h(z|W}+I28RQh#bHKL><u(#4b|RND~O>C$FP(
zysKRD(zYLRc|*-ixJb>w_BK*rh{@oK(-X?@sUctdRn{kr-XU2h2^J)?hId$t!WyO>
zkMc9?-*Rb*8+%?u0eP$@UB)8jSZ2YU-3L|$(|n7;y!wvKFW0i--cL^O>lgj7YbrWb
z42H0h71M5^Gv$0#*&=2<>CG;7au&oY_jAvE{5hMchsalPrjTvNNmS+#DMY^ataq+u
z3rh$K|HZ)8_jZGcj5@$k@_U8PMk%!8B&=#ZhPQySrAbD#o`r@v!d!yVh6f+hE*Q^d
zI*5Hfp8Q*dpT~zCS+a+aeg}pQuvOqft9ANcf;zSFSI{u;Kd4vJZkfm_%vo&75ekrq
z8C{%Xw`uX^w@f-Jh6Ney?6W-R=wQxrwrmlkqBft+F-p4~MF(Jw0uUxr|3$#GLfkXd
z^SCZBT{q~*+D1`bAPO`LvG0K0Lh;%i+&qAj9I~?fSOA5Dwo+$2xa9|i+5vB8uRlCP
zI-J}J#@zBkU2d*+PdctPS7)>Do0@R0rM`#1f@+2vJud)l$+T@PD*v9}e{SPgYKcW-
zdM;)b+%>wc?Cyk|eY!m0Gu}DPsXxA(d$QOq;oitTot7=Gi^IO=<TOto;(uQ;BE-C`
zy)yzQa<(nEjpWY<oH0$Jrb)*B-BdsDE}c5uj!x76NkyW*ea*){L`-D+3)o5^jSH2m
zL}5D8$Yuxug@8JiPEXn|Z$ll+h{;1iqk~q>6@UhT@?39)uPx-1J`Os4e9@z2rmQrg
zpVTmE^QR4wVm04w=`l`?oI})yow?Z+nMs(KTZDBIVxrWM(TB-70AfEliWk0edWuNq
z_uDOmr36-nH!}F9_7QLpa)<@`J!fhipPE#LgRRNjnI@;9douW>DUQ!fr5uM@a(H4G
zK2~B?@qIt5Skh2=qiPEWWOmA@M9yMzDaXgasOsE%6N50@Iz>@nbiA%E{RMOnWo)$e
z5~j|PX&ZuHp`C1p5(1^&=o=e`OTUHQB1m@wMWfeb9}O`1bzVGtEy32|Cgd=#b&<OH
zT!iK#482vLbtW5&pe_J|BzEv3ZS7(x`v3ld!1F;eqk8JVO;Q{AC{7fbS^MK1U0KOg
z-~iYQz;s^Unfvp7QZ$x=!GgH4ua9hwCBLa*G&A0N?TmgqIn$IXm~bV^ohcD>f{Oy+
z6*O<2DB!v2`F=S2`Res_Pl3Zi|3a=|UUfKXeVj(wImSB)Iui?yL*B?2;5va-VS|iq
z939WEAZONQ1po}Iz<7-Jdp0f$4-8xRD7?_AwqIY5<>L@CGj4tkx~4$NWc<ZjY^Gy=
zE?5eRysn(#a2I+734-_nvSYm0dn%^}3!%?=nq^>)%sPt&N~qvk=b27kYF#3R=f3R6
zjhe(b)T6Z)GfZq-;9;tOnuk{Lp&c%8)(+<n*TxRm1J?q$`MoOtty646itJB3njrzb
zR>7g^HwInMm-Q+&W52CNV53x6^5E`lg_B7PDr0AP<G#xJAAhp~>kyIFh-025+IhOK
zYF&SH_mR<v$!NeS==1%ZE+DZ!H(wlx$vJhC-?PQ3@xs{gLYxnLl_AFy$Y}#SJnlcr
zON*?oBHdQW`LfBN;Ef~+DRqsaZsY|~P=%;B^tdjr_80+J#Rnl(eLJJ#Nityl>T$qg
zLSFMAkW+789n3H<O`%s2uSo}ep=j82ioKAK%`V0RZ-5YR9AcP0Xyt)UB_7fLI5jQ{
z+ma!tE%twj12s=jB7c04?cmr-rt>3{Ef@PhS>F}E5GQ@`t6lu(_iaVfcU`p(Nentf
zA)7yK1krNUjpj0rN<jMZ3{v@7J}eQ2RypC<sH}APDnj{$6IK=y6vcZD?=5105oIwT
zn)^xi=SzRc^mTcS*(UIMI4I!L0_D^EJY_Iw3x#WcyaDL3o)X%za%lc6M{VcV742BK
z!BNRhGE^-3Myl(_93?U{;Q%+pt$#10?B@p@Dm2(W)=cR17#d08Kn0-GT;O#>!h4!U
z-re*S;|zDfG~im$Vcird>%{i*a2RwKR<Dm$_HeB}<JQ2FFW)z4vlPQYA@xD!*(CcD
z8W*d%cbwhA3B|;mEdA)c-3}gm^a9C`3K=t!N{YZ*<V{}HsM@HjHcfCmP4l;)>ao_B
z>B|cbi7kId^Ck5$qXpDyd~)snpTS>Wb||4{PrjTCM%T%6?i}}#Zk;XD*SlI~FyJ-w
zGo-~ChiAPO89IyC9CnpbE%gC?RBQ`~8rguj5h$5edOsCl;4b(M@<uXuH8pkh2$w!g
zY%HA~ClEH<2t(}&x&hsQjTkzA0P5(y`6z&81KP!P^EZ_DWjco~kU8370e&^Sw<sI8
zn;KlOmZqA*00cA4C~n=_{BVutJ&n=f_}PcYK>?wze*w<Lg79>p(B21On@kQuRuP$T
zcaphyj@XJnKaL+G6ptvpT1FCA@qE~5g&_1)<V=X<z13@Q)i}WG<Lv<m6>^5Knek^z
z<E@bwR{-G7g>K+{*rErU0tCTxq|A?-;pFu;j5Ftg^x<7WW`G0L{>LLYFBcqMn;;eh
z1^`+c@er_h3g<T;c?SOeXXJA~sYNuM(KVeBD&|YGF5m1gN1n>HM<(|+o-T9<AQlz2
zgs!bu!jfc_+#N7e-Uy?AfQBGiq}k7Y+p`_nVogDp#kn*O>#*bNSnd<ER!=F7vv>+L
zQcN&90+Bz!+c@fD0ARjHi=Jb#m)9RKg4+w&iQ!!)kgIhDg1em?gld-MPfY@D{wURG
zGO4*N*h%?q^@QU#HX`bu*1$VSGAiRJ-T;6!$o>U^F!hhUR9<pu2K&GVwYd5oNLQU%
zWWqI_vDX%&t^3~dGPPHHi3{qT^mwEi&1GIlYy9#4vdm5V{wQ?C6ye5H-rvl{6aVza
z>QqYnry0u2Gv-`SHK|j5pYZb;ubgZ3QGOtNlN&<tc;|jSM31G;?lvd+?9<-CX~cwx
zfm<8rn+4gpt<-Lu!q^0=gzeOi{wXMSnd}47YH@t^5&PVubKu1S>%6+S$qx&Zl25mP
znzw_lw_}Ifntm^_qAaj1&60F^f2p$oa{2>i*Hi0=dGq5wn(+25p4ZKS`M@&0gkY9q
zeZL!S^N0lhz41uR$Ka(gx1jru8vpG@>qMC;NNm0F+I=2kgMUp$ew;w<(L#Dn$?4kT
z-zn~Ex0OZs2JQv7|HhF0i#Rt7Fgh4L*BmS%d^;MRFLUu>`<Oy%_-WTrX!z-1X`*H&
zxW~VC4Q1g#9x8bwLTx9M@2C0SWqcHJ6!$vG_k(s~WiE-?I`F!>l*)nwkyn|PxnDuY
zGpO}ul99p=s+#_DQ*_U0xa_;JpA|~y!=yR5YJeW#L7)!K#S$Ke*a{m*tlh$Kx*4J}
zOOjz$Gn?T@4R~cVH&YKYTU$!5FjVGmcU(u@x#WPr`pK=`D(^U?Oi#*VInO7J6-;$|
z=M8R^$6tnW=Ke5VdzPGloQtjD|J#ZA)~0~NvxAfmcih(CQCX5K_F|t2_{ibWB^~-G
zI4%f<VGpCH@*^o!D;QL?I&>_nIrD>g?+q$~yTO{oSoY&%qqirY5sjACfNXvo8zz<p
zW9mU{EA=3=we)|eKqn-<h>b*{Hq>az{aEwl^vuL-ETW!AsvC0U0rmZ$_<6OOxU4rH
z6u*cCCrj%CbZzu?LCU+fGt1_K0=ic0aiH8Tv(d}mzpAB)%@%6-6<T=zOFbc=9%k!8
zEya^(8o%8q;{HzqAD^Qxwd}0}_xk7iN_l7a_i<hFCjHL)lCH~L&cO0T*E-V-TG2uT
z`3CKr^qV6A!LNVNVzRN!Z3}*hZ4P0NayNZNLQH89ybra|vgJM+AI-BI+`kVP$2}UY
zO`piz^&4;B&AB19va$+W&05f4*HZj-gMP+6GLdpb0yuZEUxwOT#VI4(H;py_>`Lyn
zd;=aEyurlO2oEI|CPfQU*p&b-f0^7f+aySv?;0IYmhE8@&azM@s(W+tZ9c5e4!{sX
zfiaPRB-x>31b(-@*OX3SfPO={;5>XR!!5^M3})_?`eW3RYLFL4dn&gCRlddq!UZp3
zAO=>+?ALa2%k{;xr<nRUXeu=s9$zWOjtJ?1PNOLcoL#&G!&(~h?atPEdY;ooMa9MI
zF0Z&T|L*(UbiLe-Bc9#&67%!x?i#XH6HhdYFjM5zig-CII*=t%B#{??jgR322-#jL
zI0Z4>D-8Kl++6_#b$F=O!pn7J1$t#B@!$C5)BfdlU5HN(yJrQ%j!dq}rfM(a$o8fv
zTp~yzd4j8p6OX6R;`GAwKclI1Fc=V2d+jG|XGUoRj0-i(!+O4<BjZ4RiaoDqxJOA2
z^QZ8QN&onTynT`N!FI3QZwRz@4aHin{}sl_H9kL+^;%$)w0;mdRv79|L7yxlNnri_
zlplDh+EFz(=Ami)W*T3-<^6{6HS{;ses}l_<_h@LB(+lJ@rSVgW9#9WG44NGU;Qa2
z+S024;Cfo8G!U;DihV^+kGGfjgUgGF-JBh7VQQCM+RprD&)>aQ6eJQWJVRWoER@>i
z1n>F0IMxw9Tw>{kK1i)xicm&1#D5gu{o<ibV^hx<hv2F+k-9<WC#F4|DsvpLXV-<d
zyY&0d10?>>fIFIqAt;KD8L+_HrIBbg;wPdL84HblQ)C+~sF<?MjcAr1Bm?5&my~h(
zmIgXkoLRd?BM^>>=()-`U*es#QL*>k3l!ZIIv@K;?LQ#Ty`{4Un&{&BHwE!4CHY8s
zb9=V6y1JT|m)G4blMWT&;|nz-W<B2nCBIEHyUrQjIzxOyU2E|uYi(_<t^L~*j;T&d
z7C*plSUn8_HJmO-n>C)pfM6;rDh2LXBA-h@)ttSbpP#BK2EA@3v!))k_<TcvnC}8c
z>I4*8zu-(cSeUL5Bkr5o$S)*>_9hh!9tbP63Ei-@-I*%W`U5q{cz|E*9v&Qg5%&dt
z8!AqBkj06l=i^H)WY~-BjUhDa&H65JxDC=MS2hEuZ%EK2A?7il=<>wG#%6A#1e`7}
zo5c3NGd9MIpFdt|q97+9fkL^>J9E;~(sFV}If_$KQp(F&<9&f+WOeBp)6DcfK(mM&
ze>?<be7v|n(tbU+tn~C-cUOl9PI&8BWKMfWM`3JOM&0G*<%!f1n+;{d2C4JVftZ`O
z|6BS2v6P+dd*c_}XAbE3Im(!ht}dY-!&a5Y?s!9E<2m`%D80cEDAaDvBqLM)e6j=U
z6rKb_P*wizV*B8EyeP02cwuSp<u&WrAZrR(ZT+}4@bDmBL&iBehQru#{088pEc4$o
zpJ>Fg>6w+b&jHPHL|?21Nq6=$)R_j15nrFPD&Eh<Z<(3a^HJ<FDJ8YbbNBk0i6R`*
z@G3PUU@<8s2E*R?`@}+U6R2I^z(CP!FRpoq2^CGNi>{H+?w}3v;%(RKEj$S!Mmq<B
z(IrY%q_-xm9*<|c{_)IxpOWRfh6qKz!<1h=4<k;!B!PTc&u6z|TRf+620q%!lpoKD
z5X5|d2!t$7?(XlzIq{-CfBt;IcDT_SDalu1iKQ&2Q=j|;x4UbaYlV5OHN#UD6XxJU
zwtC?{T%7(VXEP^1pL=I%W~RR;Dk37HuX1VKEvnHGCAJdR*Rp~fXuf$U64ARzr_~Sr
zn`bCZ-4U1I=;%nAY;i)<6>@NT8ky{N_Eq*cDRbAP`cP^8&pSqLb}@=d)^ojf1TGW=
zuDwy*%gkJ?v!NjzhLx@$bKNNM;+5*d$YJ{zRg=C4TI5VM%m4OPr0(G0(9qICd@hXL
z6;g5pN&P^^55gwB`9sbgRWKHhJBqdJyXfNrVPqfmezre`PZKHj!qWT@RALZRSPem-
z5^p>^3k%wi;p4v4Z<gcyG<iwwR_E>=Si@6@b5-guorPcC*_oI4o%WW^tQ)ge-JewU
zoM=ex0>Ge^j5r+xnPav+yv)pKieCIzX%!U}w>)7m)}-_ukaFHzgi{wn7|G+5d1`x{
zr0MDDe;+en1TZl%d6)d(P0|sYq|2Usd$A8zE|HZaJf;mTq1MY{WzY(4=jWC?_Z)ui
z@>{sQ6=vuSQ-CWdD5!~KaGABg4jtowUSD0oe{hF#+VlZ6_-BZIr3cSO`wR8M!;{5P
z&L`WkhATD9p3M{ij5184NkCuY_wR=axPKtim(fa;f|ateva@{@{tu8YWZ2ay=;maF
z@I8Y{2+_`OGnrC+00CB2FlwY`K?fuLs|<{990C|AWwK^5>2yB&!-s3o^|_v60eW*D
zIjtPRgt>3DR2cA-q_psKZU(LJb|M7&gXFocbeWR(9K=jXv^Lt>+AmBjhJYXLEZjwN
z+nG?T)i-~9YWJt}VS|-;lcg9Ywm)@XEfNnH|K<+Qy|wV4V^-iM73T;2p2BISVy&?R
z+1aH=A{%|~ffA*ZDM)@p;7A)n;Gi}8<&9~TNoV)C((aRbW?*bgQDa%hL7|zz%%BzP
zuZ%##mOR&z{*e+*!tvud{eI$Xe0+SIGM?-7tqIz>evMhj2x3da=m*aUR&H)TZ=~T$
zd9w*K#Vqo7<w<k#>GbmxG5D`KfMypV%*cRFuFp1Th#7&c_utafC6s0V@hnSEh6l=z
zyt|W)LV6<EssEdm-mH`6henTpIB^Mz>2R*F7WzlgwF660sK-1E$zj*x_n>RjMHUIn
zT8DC98iDbqIji4HQ0M-xXPE&3r(Lq+XgHPm=VWNyYhSJuNN)-bXyYYA4KX}?A-WZN
zb>rEFp@zUGz?aO1<wi}bI!MMtwb6Wg`}J_8Ql1Cp#X;80gQw*{G;D^pMvgm_g%)c&
z302kAz`Sv;V+!_{duj4ik+~r-X&NFhhQl5Dm9zY_U@qv{zuLu5(e5w%vu*q1>V9cg
zUQ<9y0QWk|6g3&X#u-3#Q6+3YbxzWQ4Ypf`Hc&YieLT8y*|r}!5T0qtpq1Oc+OD4C
ziyrZ5{q-B}`y>Zb62pg))goLh&hEpb72S9zFOnb6KRi8D{r<8C1+?2<DT%nzRLm#;
zAqzbA^7Kri!LhV3%iBvW8_6jdcsNwp=}P*QLk!=~<Fl{~1XZ<dr0X`i<j^DS<c0%V
zjWdRl-QL%?eR#A3kFhpJrOsui%UBVfU(kwvAB85QiPtWZ6Q>7}e0s3aI$1Q*m6Z`|
z$9mVvQ^)P17IbJq=TXIen<kc#b?R)jdS7w$&N_dh+_dFpdzOm>tF%@*UeafK^jUZM
zY%xzfxFw$W;#g%ScC@RLJViv{{DLp_=ziV&AZ?_bDw%!_85R^+K&$c+cC`b7;gf^!
zdkf+K++yzA!7U(VlTN^zS(Dh!w$apvnxHq?H_9PLvkrmBv6taxYGR@0E&bY$Jxn`^
z=%9sJCCM_P>1ycq+bfLYH{4p6!&4Tkb*@^gP_cSk(^iE<pR`{O6|6)aF|geh$<Mtt
z(-#o8$xV8tJkt)&fUPHF&ZK`Lv`e4;MlD~F>z7E+LhakO54^8zbDujJO_*>BO_v$z
zj4LH+Ds`DR|4;;TMfm!oSDjZ-&`<v2(z)H~YLkTyS7l<=gESDL>LOgx+g|WEv+_0b
z`B9yb=ef5Ik~F%XVxI9y;y5N!Nll=ggAuL{8xrbj76_0td5R|R>l;2Cfzn=3!d;Tg
zH0#m>fYa6$rzGjzU3HJ%hU1Bn!%yO6*k-7#&+0A@tKgsc{ck9_A!uFh7yJE-kH^XH
zthZn0>y9|4+em&Hl=vTnhm_+q(-x^$JEaDWqgv>riK>>G`411%0U!7Q<kBTr`acpG
z;6M8fVDSO)_p~+a+@ZJT!uJ%Zi;r{Ld6$clAK`CrW*4<Q3cPS_ntGtL+q%|UpPRl_
zt)&Nz`ZM3A1&ILRJ@@L<me7_M>NTNZop)^vXVh`0e*yCO;tD%bx59ow#0oplpi`6f
zY~gW~ldgiAr6oZJSpww3S40G^TrRSUENHG~msvj@=<sAdIzzv>;JJ-b1j`ZSji?Ee
zLTl2nAyhWMHZ3iUzksZ{!}?{2zVfqu5>Y~5@~9WF(^_a;b~E&z=QvCjw|5WNejE?;
z{%reMvCHi`dto8d?R}82^=I3&WL#s(LB292YEg%0BERP|DVnt?s>gftiWB$s=Nbvd
z=SUbyI<#ttj~x{S{u2T!Q2RFLG*^wk1i9**7zqh7h@5Gl>9xo#|6N~n$3bb;6VgFN
zUzJ8^$nWgB*Ikyg?flq8)>h{1cvk?-rpolPY!0(GM!SOzXP)Y2)R$YiF3cd026Zgt
zC$-2(vYvx-rJwe<ujC@c1B{te2s{Bgk*TApl#?fmFZ0uW%FkG$c$}PtH&|netFZxv
z`@-OUqKZcBdGF1-3aiob-FGyBZQKjlIZ9G9^2rV)Ol0^!b-oU#@|o|8+=RL0_q2=Y
zkJ=pxBaND`!nB5#Y4fq*5ASHr;nM)xAj{WDWo}UE@P>v4#x<gO@635{6?|{%ChPed
zj#}mXM@+{-B5&ty(+^STK8(k>y9N*bz{jirO3CfZV~CgeytlXU)Ef;V1Vt6J?s=q7
z=djU<1Y;vHrhH(A>JE~{)8;^F*eLe7O7b%gL#p|Ep;tpwO&~;P>{6;M#4_XfS--bT
zEYZIdr}5mCRMMM&O}DlQ6Ni^>a7I$R%&KRyH7)Pr_G{OY?<N|b*Yn(+oH04KQ_<_6
zn5kVe#%KiIGKC6xIU@J-A&W}8d?<bs-{Rm)NSW}6Ui3@~SSn+_@mapwWHv%q)L69{
zW6tkFS1--8hCH}}y<!jOjk7!PF`%vL;R40Gd>5)>8+e3}RjDg&&Hhxi12ACsFKf`f
z7oYv-$yT{+T$4%p1=MQOd3No39a3SnDEYVOLS7{rc{wd@iSWE>-p@m$%r#o02ziO%
zxSH&+4z<duw10*jFW~;<@v_z^J7ha(1vWN~&f!Aumc13Ic1}e2N(*eK#hJ>!y~N?Q
zoNX(k9_6Cxns2M!L<l_Hloj-M(e)xL^zfiJi^bR_%(?o9D`(^<&bb<M<^q{q@jM@g
z^qzK6yU!yTcCI2gqxr^uEOZ{B{t%c4+W<H6x!qLqKLDy#H8pb&FXmG-cYQtqtd6;s
zf<RkJ=`(aq-w4fkl*T}-w*~*~mtMeLE^KRYoD(-sZ0bJUX#m?MswJBppA|HSg1sz%
ze0#-?xF=+&Y!D%WOX|WtaE#ugvR?9aNt{nzkH3c14l3McsO#jbaWb>>{r^m_I8Tcf
zb}|n5Q3iXZAGJYRPf|ojKYn^}?zDp~9{^7qdg++dm&hou72(25PwkVg{v+vvH1|(V
zZTY~N<{za>gyBEcYJXDDYhUqd5=9N`TIFpYkmjC}Wv0L1QF^n3MhFlZVwMZM8>jvG
zc8j=_#^<gP%cUpbTXi)~{RDER7s;HNSsnKeocdMF_^e&BWJ8II+$lsbcP*`=PRv+i
z-t79%hik!mm=?ei9g|Jp??RX`Mx=SnP%GjUi+SJ_g3@6wef+8l)ysu;n$oCpc?1^=
zr;!DZ%A6Ow$LE9sb>DgaDeevn1;A16ClmhZUAZw+BJO|7GvJ0_=j9@hPU0u26PbDX
zQwosiGyh(|WsVhbh7B7VSM#^2+bq^7=g9m=hABYDPgecGAu$(OENNcD;k)pY6W93}
z{o=)u5!DB6WD$7xgnuu7CS28A_MgzhT{@DDctf8{@&8fwUBv4B?w2@UQwv)(U58s+
z>L-e-FMaZbnb<Zr9L!KLBSQOW>5scP*iU^!5_+F|`*or!y+O<p9^4K|6wpy_`zpE7
z>+GPRrl6W9d9hq!*i@F(^6WPi+`|1oe#XHM#V8H?3VEHJp-9MA2BWM&*oupsHc!G$
zIl7T+C&KU#W><18`npZ12wP^0?we&E%f*<E=6=j!TJR%LV4D`#BTL)m52hIPwp*Qd
zm&yeRLU&<WiU@PM^ye999_(eVE^2Qs%&T1PRz2rZp*S|_dA)r9-21dG41ZYMclc*q
zPHZ#Sq}3CBTpI#{&!j_c@(d$KtC%B=D`|$xb2jZm<<z|cJ=Rx6PITZ6H7AaPW&XC<
z_Me4><#SDY9E*M>ei&)MOq5yfCnX@Y`f~9Nw$Hcb<?d}3lc{CGDW$WOj(kz?jS%?T
z5D7b?HzP!-dvq}&W%!vyM=LwRt9uQ8l;Uyl_uSa!H!B6$6uy~Vg$SqAqp_QZ!lPuk
zfNoR%K$*YejOFi>W(91%)zevdoylqjmA@%P2At{~42)X&EiW?+*+-4v4Ycp!@dWvw
zDgBqLm`<rhYHSZ0b@ycvG@YEC<x4h%adOKFSK3GZV$A_Rc?YT;zHHIIu`|@<at%h%
z^y)p!e<*bBYtLde*4oh3WD$K>+2=~Fdb&CFawyt!AknMLEA8XK%Aupv%7<ebFH(<I
zbxO5axt~RU<u&(Fw(a~*_s_ZSU_#Vg%vJvq^IvRP3C9;Ni}YMF8{R(L-xz($_}Kz7
z(wqr!)01r4e}yP@+;dd-!$*+F-P!g%;b<*53<KC^O+5Q-J4dELq<<WEHDfq*Ncj4w
zT}vL}+D(ISpMH<)X<qX{yo|&K0R|h_B(0c-yDbc#iCDK1w12@nn}vU*qyA$h=R8*T
z^QZFOdI~M+vZFHKo33TNF9@EFV}EES*!)-~_{y8H^UtF}XkB7s0<E>KBaJv3dUU~F
zDnhkLRK0fs$mi3UOTj*Aqy7ON6&X^UKXq(73j#;3Um*(6a7w=Eb&`O@KbAb|FG5l5
z@1^u!`!0@ondd;Z;zY&k>0abQ{OZ~A%;vBnGk7d#l4-^k?+a$ESC=ES;2A|LIw+sG
zov|H??43x6y?*(tHMoJ0&o49co4MN#Rz<e8YQ*vYJ8DEb;nDv}&)crMy+qqI2@B9@
z_WP+X;-8FB#gr@?pNk7uen7PHg4*P$0_z&#t3O8kcD`yE1z;f(@Pq1em+>_Y6vX6e
z-(5!8HguEgP@N24RWa6d`e#;0fe(FSLq%B<J0npg3(-1|oj)VN?2f6xsnoFjCBVFS
zo;Or&vm?+h{rY?FSC?b@of({oi}uUwe;H@Ezv{0bhFe0-k!Yxv$j9S4n$AwU2gm?f
z+k{gQ4Dfrd`tE)_jonarc*^cXneL((aIuYM$7J=N!?Ioe3W~P=z8|R`=cm<L0e52w
z@gv7*zMHKUgtba#wjT2zb>x^b6%W3e2L;B^-)861&F4|)pMSa)fA5d%70C71M6))P
z@6i^+GmhDfM`)-_;NQtQtm#tp>BTTUxJM5ND88t#K~=eB4*1M?e{-tjjU*7!-i@fI
z1OK@F9K%`!K$E_XgkzH6ncXhYx+T$6AO;}g<C<UVj>M<%e&Bg)$WXxf1q8@o*ynQp
zYOfb;D0%56T7))UhDk!_V{bZDXuC|Hatfm5`Sk|heaUkQ4+GhwK!Ady$P(q>(9pkb
zXk=u>^>o|eHA?VUb+Q?^S-X9b&=9V~`K1fl4;eWigu`zNPn6y5&tIe;*}Ov(ut@TM
zQG6T}*(ppat0YdXMG1(TCjEyY5rKi}HS#1o;&8mf4~Y}wxFj4D1pp`?RzP^Q*`u1^
z+7CH=y)dE^(W%v>rJTa3etdjF^$1sc`vS!2@rb?<RVRzd`0>P}6)hsEi*@mn$*rsZ
z*JfPQrK6anuKW4(vrA?lGMd2=a|$k6h-LJAAtTMlC75cSiZj&6P7!sI%c0aCFCn&_
zaw0M}v%sR}WI`hFLD>DRdboJN4l-IZz@+>2#LXSmU)?JFXaW!aQqmm<)w~WAnW$&8
zO06QprL)YG)PHgvYRjT^Cx2nrbs!rfMl1Wtp(E@8wGf-nc%bO#NzDYpej0D?x4Vl5
z>m<B*$*#;{Ep$cZ6A?e0F5ga^eS>)%{(S?aP5eP~xF_48ah}6gc{lcH2I-?<dfSkV
zSMBikh`Owphd;M69D6*#WkZo~rY>jlkMGVt+md@3Yx}V)kSbG6R&v++l4&6SN}?GZ
zRdZTx5P5hf?(j7jkpe_LZf8E*#8~F#!JL+s`~$ggf;}>kXtlZ;G5`Fg%3Njq=b<&l
zU>uvr=7(hE?<{hSeL-8xBbhI9>Yytcel^R1t$?rf&cX~r`L^i=o=O^IOom_Dd{qUJ
zail2X-MQHDJkJBL`vp2MOTG)`p?pgp>l(&y%MI_{_LSQNCk`w3YSyDK0DjbJ@_kjH
z;~sf4NKJJ26B_xmzpX--4KG(+W{l;!bSMkmne469Ugk|SEIl8^SpJSU<M1Es0a(BN
zZ_D~2#@BtFX^YjV<=}?`2#9B&ObVw$8tK(X4YXy+YpfjJwtnxQcmO0igBO=W%CX;3
zl7y8<LRO+{pQMdKSc2_38gH?;KGf`+4h>@$a*kq(bN30OYWo%wjL35S$m2|v-vCEV
z9;fQiEDv%U61L=z%FBOS5sN7^W_wf@xm}`e6~Qx(V3xYgj5KlI_KNU67`+1Y1GMbU
zJCM?69K(%tleG#o%!G9113xSRR8o@6+FDyr)PDtYxdf^ND7r|>3+m2t;eOlHAbwrs
zbw8)tp{`?#N>Hy>Vw#I7(z02B0<w%%MR&<u=Px{*?)XSOZrq-1)`gu_GJkyJ8B@mk
zW*pp7a7}m#<$<B`d34u!YElO8HT9Wfv*!6MrYI4d)}UB@9X_;E)qGmYV_%w_oHV!7
zZwDPcDkz-Li;ccek?m4)DAzMr`MC({zrAnlpHM(iffp3JmS1wk*^NMFaGqkrk$JA!
z3pog`p||#7n4upwSZX9`&faerXJE&i;#5MWSo6%vFZtqmh)b$jczV7EOsRT!@GZ_F
z$pwDkBMDGovM(g#3Jj6-$W=cZok|hs;Q%c8ryLlkigCPSs>x^N^}%SwYLlWp@+i|)
zatj!bQnjjCdTV?pg>rnxS44WT0OEQfm>^wgO2=?0i6_}Y_~e$TTEI%|SPD1@R>bq<
zg2`!ar%7_C%Kl<)qLZQSw{jsf^Jc+~V#S-%V{$ng&!1vV3q-tD?feCew$g(`diU5!
zW=HzyUb<kxyGO-|lb{xj_v>}&!#!sNpq;x+tBf*c`0eX-_G$KL-Wq=;r!YaE6?I+d
zJP4<l*AeM^lsj%JT%~tIF3@JiS!umjv6P-b9o#fapRuDiGix0<C46n=VBTWmd6!>v
zYwZ20rc)i-xvV)D@&Z76bEK3vf9%rU&<65}(H%_@)zH<-)#%-2Dn595eqv$TAnBkM
z^?WTC_!ofY$wQ{V_+6uP$VBR2BBM`Sg;4ED@K2Etf1mSu{D-HS(;C?LO{??a92!_V
z^fEQ&{q6@vX}el^h4NG4kf=6kDcv)sPjqb5d5K=xaT0#lv=c#($wC>ad^E@~Mm@Gg
z*#Dobs?9oLE`6UK;Mo!1-gn+^VhULP-@Na-+)QVz4a;9j(o@sY!kuLImJ|A44rgn`
zIu*tSH};M!Wk)1otS&LGhX;^ipQFMHRsVIpn(Nv(l(f-B@=!QB7Ef`Ftz2%qq+RF(
z?YerZIHz%hxh0M{&AUy=+ar(f#0%E`)axho@(%&|?>IU;FY$xcE`O<uQKa$+sVq)~
zzIJ*(E+j4W9*MkAHz4H!L({qG8&_6VR8pCDX}s788#K<PY&}ZF-Es+EuOD78E5!?6
z+||Ky_EXDFRZvV*TJJ^)_rD_hR5W6B$uY;pt(HJzjQq#a6Sv?jFLjudYC0!g9tC_w
z7b7-IBC#5IFYct5*@%XIG?Kewpga=Q+{572`o)$9P4tdC?*+Q_IvM?Ee;oJ6yQ^=*
zsTU+gCOo8JEk+!NhPH%6;o(TVr|D86j{LeNLf{O(fb*~7<?FmDb9Q~1(q*(ihY<}`
zvhphsu7b*4<NH(mMfemgZx?`5d2Sc!MACAAAphVkMhMIKALW|YL6Iv-Y%DA{e~a|*
zGkR$En_i3@+0FF_#xgh4(G=NX5uuC!iIYJ-mw)&p2h(N}>dt=|Q8V#;qCF^rc~|!;
z$03QC1fa!sN2;rnk3x_e@|#I(4czUYba3DZ(ZWR-w~yzV%!jn<PyDkDnR<~rV|9>S
zI=|~Z2r@9^K6cOV9SQpw{wF37N%lAT=kQO~$#=au6eB#p?KtpWTcCmd!iM34ElUM`
zT%NWTfA6=o639Q!#xt%X%4G|l@4IemhMEa^QItX%L_qY$Ma<64;qt#U2v=WU9$EjA
z9y*uPxeXDO#I3#AAZpSPWa_)nnPJ12t%$=BrW6EHBz%c#iB`PC#H;UpUmx|IqEa}R
z7rrqO^$_=QQo2H5f<Aq>_61(&4qg)TW+Ir<fhHTaanqYmDX{s2LhV;3fsZ@g<+qSQ
zWwZR~PpbL<dJC0z3JNH7P>nFGPhZ{~x<SPL$dzneyl{hR?~0$a_EF#$rpY<oZJlNZ
z8$nv<xTQzAo%Ey(K0yD!xtqls9Juk+E1{e{$@BHS_urLgynXvt1?c<kxbB#OkQ<GM
z-uK%pW*v#tpVnaP`ss+%D^J$`iF@oOzn)?Ss!LlQTZD*QFg&wc@$&p5?SBv2%@h2h
zwjOA8`sq7S?>4OK4gEcN(vBVXo1T=ck8fCUp6g%z?@m#P*^>KMXZd7=E>JyreSU^X
zm&dee)0)ofFnxNm&F9I#?R$;Wa-}&AZ>SGmSY7Xaa?bw=^DkUntS0V%@Z1ESqs_;8
zB%Kt!IXVxTp73@|usNa7{M#zezDcJxbX|GuADdvInV)}7{OoD<@}Bi=_79OW>$m?g
z`@eA2+2Y#lhUZV79p>-|Dl~EXVb}it@|S0quN(C$Xw0z|zW3|pzC7=e*S+%Ht15O}
z@PGbzli_EFo6LXr8F5J6UioSE_0JD~Z_+CHU^$2X`F*{(<?sKmSmm^ksr^n<Z0cK+
zl4IM<TJ=I68>@yrtv}nS5&!vBR_42NAzV-A%y8Q(dUenH`-^_q-7HNxz5MeY)8FOa
zr*FOXrR@Ixx_i}SR>BV~r~Y)<rM~jVv&S{_cfSi>K1J1J{=R9QKWpYm{_9*M9=UPf
z#iNJjFFzo6UDuJ@{{7O=r)w`>J9m0ZzP{XlyB||7|J(VuaDhQ-V3hUo-W%6agW2V_
zWJdk46ezQe-oO8ud;g7vb(?Rxn7;qL{e#Wx+}mI`=<ofT8a?~oyT|Q&)0Z1F&I_K!
zzp#2zSGwJ)?~x^Um-A(wUA{gw$!KOu{*K+dZ?gujy)I}ZzUos&P@SmmxrI^Dk0)LT
zx-m1c+f3bXzTD^eCqBQN!SA<|<Gaj0|I4%e<4@}d++}motqWfM$hu(SB4@n~g|)S7
zD|F5z%YEj|p4mTd>qZ5}=ncW#H{L8@?Uj_5D>q|nKA5%jk{U=wX7<eUmoHB)y=b*+
zVympo#u&Z!!-?P6{)X#_bsr7`sSteGdRB0&^3;W1YmOIuORiS$Kex10KFV3w)caSd
z+3cIA4f-q3{NEq-Y{|J-7pBNATo)f3tNAzVam}p8(0M#k5f}GeiAsr@wJ`0NT=_cL
zxggc<Yf~4#V2ZeGZS>;6)2FF{BBqTqj@vwYd~H*~w%fp*k;|sH>+@1|w*I$?a-V1P
zd+48%X}y>+<)EMxODP*S$b{vqQy*sV>MiBYSk->?!91O=^h+_kcTZn8ykpo_c_!IT
zX|G7RN!Ox^y1HxWv*+<xt-N;K>ip+-<y)cFGcf#T+sebx5XHvepv%mVCCR`*4);S`
b9iz+s-oKmmO1OaswlH|Q`njxgN@xNAR!440

literal 0
HcmV?d00001

diff --git a/cli/experimental/images/multi_tenant_8021q_vlans.svg b/cli/experimental/images/multi_tenant_8021q_vlans.svg
new file mode 100644
index 00000000..5c6c6070
--- /dev/null
+++ b/cli/experimental/images/multi_tenant_8021q_vlans.svg
@@ -0,0 +1 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="409" height="232.14285409109937"><style xmlns="http://www.w3.org/1999/xhtml"></style><defs><linearGradient id="RKkzpzQhZTCk" x1="0px" x2="0px" y1="100px" y2="-50px" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#3d85c6"/><stop offset="1" stop-color="#FFFFFF"/></linearGradient><linearGradient id="SeALyqvahCFZ" x1="0px" x2="0px" y1="100px" y2="-50px" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#3d85c6"/><stop offset="1" stop-color="#FFFFFF"/></linearGradient><linearGradient id="KIKSmddbxdCC" x1="0px" x2="0px" y1="100px" y2="-50px" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#3d85c6"/><stop offset="1" stop-color="#FFFFFF"/></linearGradient></defs><g transform="translate(0,0)"><g><rect fill="#ffffff" stroke="none" x="0" y="0" width="409" height="232.14285409109937"/></g><g transform="matrix(1,0,0,1,49.49612211422149,23.274999999999892)"><g transform="translate(0,0)"><g transform="translate(-118,-61.828333333333035) translate(68.50387788577851,38.55333333333314) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#ffe599" d="M 53.99612211422149 27.77500000000007 L 315.0022137987153 27.774999999999892" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,46.49612211422149,22.20833333333323)"><g transform="translate(0,0)"><g transform="translate(-115,-60.76166666666637) translate(68.50387788577851,38.55333333333314) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#e69138" d="M 50.99612211422149 26.708333333333407 L 312.0022137987153 26.70833333333323" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,46.49612211422149,20.074999999999903)"><g transform="translate(0,0)"><g transform="translate(-115,-58.628333333333046) translate(68.50387788577851,38.55333333333314) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#e06666" d="M 50.99612211422149 24.57500000000008 L 312.0022137987153 24.574999999999903" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,44.49612211422149,17.874999999999943)"><g transform="translate(0,0)"><g transform="translate(-113,-56.428333333333086) translate(68.50387788577851,38.55333333333314) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#999999" d="M 48.99612211422149 22.37500000000012 L 310.0022137987153 22.374999999999943" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,44.49612211422149,24.574999999999847)"><g transform="translate(0,0)"><g transform="translate(-113,-61) translate(68.50387788577851,36.42500000000015) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#999999" d="M 48.99612211422149 29.075000000000003 L 310.0022137987153 29.074999999999847" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,46,63)"><g transform="translate(0,0)"><g transform="translate(-64,-36) translate(18,-27) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#e69138" d="M 52 69 L 138 69 Q 148 69 148 79 L 148 112 Q 148 122 158 122 L 184 122" stroke-miterlimit="10" stroke-width="5"/></g></g></g></g><g transform="matrix(1,0,0,1,42,42)"><g transform="translate(0,0)"><g transform="translate(-190,-32) translate(148,-10) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#f1c232" d="M 48 48 L 234 48 Q 244 48 244 58 L 244 137 Q 244 147 254 147 L 277 147" stroke-miterlimit="10" stroke-width="5"/></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,133.38636363636374,108.14285409109937)"><g><g transform="translate(0,0) scale(1.7571428571428573,2.3636363636363638)"><g><g><g><path fill="#999999" stroke="rgb(0,0,0)" d="M 58.97 19.094 C 58.977 18.895 59 18.7 59 18.5 C 59 8.283 50.717 0 40.5 0 C 33.11 0 26.751 4.344 23.787 10.607 C 22.275 9.593 20.458 9 18.5 9 C 13.5 9 9.41 12.866 9.037 17.771 C 3.778 19.616 0 24.61 0 30.5 C 0 37.787 5.778 43.71 13 43.975 L 13 44 L 58 44 L 58 43.975 C 64.671 43.71 70 38.235 70 31.5 C 70 25.095 65.18 19.822 58.97 19.094 Z M 58 41.975 L 58 42 L 13 42 L 13 41.975 C 6.883 41.711 2 36.683 2 30.5 C 2 24.994 5.872 20.398 11.039 19.271 C 11.013 19.017 11 18.76 11 18.5 C 11 14.357 14.358 11 18.5 11 C 21.017 11 23.239 12.244 24.6 14.146 C 26.512 7.15 32.897 2 40.5 2 C 49.613 2 57 9.388 57 18.5 C 57 19.353 56.914 20.183 56.79 21 L 58 21 L 58 21.025 C 63.565 21.288 68 25.87 68 31.5 C 68 37.13 63.565 41.712 58 41.975 Z" stroke-opacity="0" stroke-miterlimit="10"/></g></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,46.65404609475037,143.99656534721677)"><g><g transform="translate(0,0) scale(0.44395492957746485,0.26378466557911767)"><g><path fill="url(#RKkzpzQhZTCk)" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.2524809014999616,3.790970933828097)"><path fill="none" stroke="none" d="M 0 0 L 44.395492957746484 0 Q 44.395492957746484 0 44.395492957746484 0 L 44.395492957746484 26.378466557911768 Q 44.395492957746484 26.378466557911768 44.395492957746484 26.378466557911768 L 0 26.378466557911768 Q 0 26.378466557911768 0 26.378466557911768 L 0 0 Q 0 0 0 0 Z"/><path fill="url(#RKkzpzQhZTCk)" stroke="#6fa8dc" d="M 0 0 M 0 0 L 44.395492957746484 0 Q 44.395492957746484 0 44.395492957746484 0 L 44.395492957746484 26.378466557911768 Q 44.395492957746484 26.378466557911768 44.395492957746484 26.378466557911768 L 0 26.378466557911768 Q 0 26.378466557911768 0 26.378466557911768 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,50.53252582967698,139.4965653472169)"><g transform="translate(0,0)"><g transform="translate(-53.7573249679898,-143.64485245977795) translate(3.224799138312825,4.148287112561064) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 55.03252582967698 143.9965653472169 L 55.03252582967698 170.37503190512842" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,78.11478334058147,139.4965653472165)"><g transform="translate(0,0)"><g transform="translate(-83.50230524967998,-145.05170400953324) translate(5.38752190909851,5.55513866231675) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 82.61478334058147 143.9965653472165 L 82.61478334058147 170.37503190512865" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,64.35179257362361,139.49656534721677)"><g transform="translate(0,0)"><g transform="translate(-67.51992778489121,-145.05170400953324) translate(3.1681352112675967,5.555138662316466) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 68.85179257362361 143.99656534721677 L 68.85179257362361 170.37503190512854" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,17,177)"><g transform="translate(14,28) matrix(1,0,0,1,0,0) translate(-14,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="104" height="28" fill-opacity="0"/></g></g><g transform="translate(14,28) matrix(1,0,0,1,0,0) translate(-14,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="104" height="14" fill-opacity="0"/></g></g><g transform="translate(14,28) matrix(1,0,0,1,0,0) translate(-14,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="0" width="103" height="14" fill-opacity="0"/></g></g><g transform="translate(14,28) matrix(1,0,0,1,0,0) translate(-14,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="0" width="103" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="1" y="12">container1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="57" y="12"> -</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="68" y="12">vlan10</text></g><g transform="translate(14,28) matrix(1,0,0,1,0,0) translate(-14,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="104" height="14" fill-opacity="0"/></g></g><g transform="translate(14,28) matrix(1,0,0,1,0,0) translate(-14,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="12" y="14" width="81" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="12" y="26">192</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="32" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="36" y="26">168</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="56" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="59" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="66" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="69" y="26">2</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="76" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="79" y="26">24</text></g></g><g transform="matrix(1,0,0,1,70,90)"><g transform="translate(148,-14) matrix(1,0,0,1,0,0) translate(-148,14)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="147" height="14" fill-opacity="0"/></g></g><g transform="translate(148,-14) matrix(1,0,0,1,0,0) translate(-148,14)"><g/></g><g transform="translate(148,-14) matrix(1,0,0,1,0,0) translate(-148,14)"><g><rect fill="rgb(0,0,0)" stroke="none" x="74" y="-7" width="1" height="14" fill-opacity="0"/></g></g><g transform="translate(148,-14) matrix(1,0,0,1,0,0) translate(-148,14)"><g><rect fill="rgb(0,0,0)" stroke="none" x="74" y="-7" width="1" height="14" fill-opacity="0"/></g></g><g transform="translate(148,-14) matrix(1,0,0,1,0,0) translate(-148,14)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="1" height="14" fill-opacity="0"/></g></g></g><g transform="matrix(1,0,0,1,73,7)"><g transform="translate(3,0) matrix(1,0,0,1,0,0) translate(-3,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="106" height="19" fill-opacity="0"/></g></g><g transform="translate(3,0) matrix(1,0,0,1,0,0) translate(-3,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="106" height="14" fill-opacity="0"/></g></g><g transform="translate(3,0) matrix(1,0,0,1,0,0) translate(-3,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="3" y="0" width="102" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="3" y="12">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="26" y="12"> -</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="37" y="12">802</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="57" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="60" y="12">1q</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="77" y="12">trunk</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,282,8)"><g><g transform="translate(0,0) scale(0.6083333333333336,0.6104050109462419)"><g><g><path fill="#3966A0" stroke="rgb(0,0,0)" d="M 102.635 0 C 93.815 0 86.371 6.797 85.395 15.43 L 4.554 15.43 C 2.043 15.431 0 17.473 0 19.984 L 0 53.338 C 0 55.849 2.043 57.892 4.554 57.892 L 8.016 57.892 L 8.016 65.776 L 96.471 65.776 L 96.471 57.892 L 99.672 57.892 C 102.184 57.892 104.227 55.849 104.227 53.338 L 104.227 34.655 C 107.211 34.382 109.971 33.334 112.331 31.735 L 112.331 31.735 C 112.785 31.428 113.223 31.1 113.643 30.753 C 113.655 30.744 113.665 30.734 113.676 30.725 C 114.093 30.38 114.492 30.017 114.875 29.635 C 114.875 29.635 114.887 29.623 114.893 29.617 C 118.039 26.471 120 22.143 120 17.365 C 120 7.79 112.21 0 102.635 0 Z" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 102.688 3.191 C 94.836 3.191 88.45 9.579 88.45 17.43 C 88.45 25.281 94.838 31.669 102.688 31.669 C 110.54 31.669 116.926 25.281 116.926 17.43 C 116.926 9.579 110.539 3.191 102.688 3.191 Z M 97.377 20.901 C 97.118 20.901 96.859 20.802 96.662 20.605 C 96.267 20.21 96.267 19.569 96.662 19.174 L 97.412 18.424 L 91.228 18.424 C 90.669 18.424 90.216 17.971 90.216 17.412 C 90.216 16.853 90.67 16.4 91.229 16.4 L 97.414 16.4 L 96.699 15.686 C 96.303 15.291 96.303 14.65 96.699 14.255 C 97.095 13.86 97.735 13.86 98.13 14.255 L 100.571 16.696 C 100.665 16.79 100.739 16.902 100.791 17.026 C 100.894 17.273 100.894 17.552 100.791 17.799 C 100.739 17.924 100.665 18.036 100.571 18.129 L 98.093 20.605 C 97.895 20.802 97.637 20.901 97.377 20.901 Z M 105.863 25.522 L 103.422 27.963 C 103.225 28.161 102.965 28.259 102.707 28.259 C 102.698 28.259 102.689 28.254 102.68 28.254 C 102.671 28.254 102.663 28.259 102.655 28.259 C 102.305 28.259 102.012 28.07 101.83 27.801 L 99.515 25.484 C 99.119 25.089 99.119 24.448 99.515 24.053 C 99.91 23.658 100.55 23.658 100.945 24.053 L 101.644 24.752 L 101.644 9.174 L 100.945 9.873 C 100.748 10.071 100.488 10.169 100.23 10.169 C 99.97 10.169 99.711 10.07 99.515 9.873 C 99.119 9.478 99.119 8.837 99.515 8.442 L 101.954 6 C 102.35 5.605 102.988 5.605 103.385 6 L 105.864 8.478 C 106.26 8.873 106.26 9.514 105.864 9.909 C 105.667 10.107 105.408 10.205 105.149 10.205 C 104.889 10.205 104.63 10.106 104.434 9.909 L 103.667 9.143 L 103.667 24.857 L 104.434 24.091 C 104.829 23.696 105.468 23.696 105.864 24.091 C 106.258 24.486 106.258 25.126 105.863 25.522 Z M 114.148 18.46 L 107.964 18.46 L 108.677 19.174 C 109.073 19.569 109.073 20.21 108.677 20.605 C 108.48 20.803 108.22 20.901 107.961 20.901 C 107.702 20.901 107.442 20.802 107.246 20.605 L 104.808 18.165 C 104.713 18.072 104.64 17.959 104.587 17.835 C 104.485 17.588 104.485 17.309 104.587 17.062 C 104.64 16.937 104.713 16.825 104.808 16.732 L 107.284 14.255 C 107.68 13.86 108.32 13.86 108.715 14.255 C 109.11 14.65 109.11 15.291 108.715 15.686 L 107.964 16.437 L 114.149 16.437 C 114.708 16.437 115.161 16.89 115.161 17.449 C 115.16 18.008 114.707 18.46 114.148 18.46 Z" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 80.533 36.476 A 3.247 3.247 0 1 0 80.53299837650013 36.47924699945883 Z" opacity="0.5" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 9.278 35.006 L 20.39 35.006 L 20.39 24 L 9.278 24 L 9.278 35.006 Z M 10.929 25.567 L 18.819 25.567 L 18.819 31.173 L 16.536 31.173 L 16.536 33.456 L 13.213 33.456 L 13.213 31.173 L 10.93 31.173 L 10.929 25.567 L 10.929 25.567 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 24.253 35.015 L 35.365 35.015 L 35.365 24.009 L 24.253 24.009 L 24.253 35.015 Z M 25.904 25.576 L 33.794 25.576 L 33.794 31.182 L 31.51 31.182 L 31.51 33.465 L 28.187 33.465 L 28.187 31.182 L 25.904 31.182 L 25.904 25.576 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 50.3 24.009 L 39.188 24.009 L 39.188 35.014 L 50.3 35.014 L 50.3 24.009 Z M 48.729 31.173 L 46.446 31.173 L 46.446 33.456 L 43.123 33.456 L 43.123 31.173 L 40.84 31.173 L 40.84 25.567 L 48.73 25.567 L 48.729 31.173 L 48.729 31.173 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 54.123 35.023 L 65.234 35.023 L 65.234 24.018 L 54.123 24.018 L 54.123 35.023 Z M 55.774 25.567 L 63.664 25.567 L 63.664 31.173 L 61.38 31.173 L 61.38 33.456 L 58.057 33.456 L 58.057 31.173 L 55.774 31.173 L 55.774 25.567 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 9.278 49.95 L 20.39 49.95 L 20.39 38.944 L 9.278 38.944 L 9.278 49.95 Z M 10.929 40.502 L 18.819 40.502 L 18.819 46.108 L 16.536 46.108 L 16.536 48.391 L 13.213 48.391 L 13.213 46.108 L 10.93 46.108 L 10.929 40.502 L 10.929 40.502 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 24.253 49.958 L 35.365 49.958 L 35.365 38.953 L 24.253 38.953 L 24.253 49.958 Z M 25.904 40.52 L 33.794 40.52 L 33.794 46.126 L 31.51 46.126 L 31.51 48.408 L 28.187 48.408 L 28.187 46.126 L 25.904 46.126 L 25.904 40.52 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 39.228 49.966 L 50.34 49.966 L 50.34 38.962 L 39.228 38.962 L 39.228 49.966 Z M 40.839 40.511 L 48.729 40.511 L 48.729 46.117 L 46.446 46.117 L 46.446 48.4 L 43.123 48.4 L 43.123 46.117 L 40.84 46.117 L 40.839 40.511 L 40.839 40.511 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 54.123 49.966 L 65.234 49.966 L 65.234 38.962 L 54.123 38.962 L 54.123 49.966 Z M 55.774 40.511 L 63.664 40.511 L 63.664 46.117 L 61.38 46.117 L 61.38 48.4 L 58.057 48.4 L 58.057 46.117 L 55.774 46.117 L 55.774 40.511 Z" opacity="0.65" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 11.504 57.898 L 92.919 57.898 Q 92.919 57.898 92.919 57.898 L 92.919 62.69 Q 92.919 62.69 92.919 62.69 L 11.504 62.69 Q 11.504 62.69 11.504 62.69 L 11.504 57.898 Q 11.504 57.898 11.504 57.898 Z" opacity="0.7" stroke-opacity="0" stroke-miterlimit="10"/></g><g><path fill="#FFFFFF" stroke="rgb(0,0,0)" d="M 85.525 18.936 L 5.082 18.936 C 4.255 18.936 3.582 19.609 3.582 20.436 L 3.582 53.397 C 3.582 54.224 4.255 54.897 5.082 54.897 L 11.504 54.897 L 92.919 54.897 L 99.082 54.897 C 99.909 54.897 100.582 54.224 100.582 53.397 L 100.582 34.526 C 92.561 33.543 86.232 27.039 85.525 18.936 Z M 20.389 49.95 L 9.278 49.95 L 9.278 38.944 L 20.39 38.944 L 20.389 49.95 L 20.389 49.95 Z M 20.389 35.006 L 9.278 35.006 L 9.278 24 L 20.39 24 L 20.389 35.006 L 20.389 35.006 Z M 35.365 49.958 L 24.253 49.958 L 24.253 38.953 L 35.365 38.953 L 35.365 49.958 Z M 35.365 35.015 L 24.253 35.015 L 24.253 24.009 L 35.365 24.009 L 35.365 35.015 Z M 39.188 24.009 L 50.3 24.009 L 50.3 35.014 L 39.188 35.014 L 39.188 24.009 Z M 50.34 49.966 L 39.228 49.966 L 39.228 38.962 L 50.34 38.962 L 50.34 49.966 Z M 65.234 49.966 L 54.123 49.966 L 54.123 38.962 L 65.234 38.962 L 65.234 49.966 Z M 65.234 35.023 L 54.123 35.023 L 54.123 24.018 L 65.234 24.018 L 65.234 35.023 Z M 77.286 39.723 C 75.493 39.723 74.039 38.269 74.039 36.476 C 74.039 34.683 75.493 33.229 77.286 33.229 C 79.079 33.229 80.533 34.683 80.533 36.476 C 80.533 38.269 79.08 39.723 77.286 39.723 Z M 89.541 39.723 C 87.748 39.723 86.294 38.269 86.294 36.476 C 86.294 34.683 87.748 33.229 89.541 33.229 C 91.334 33.229 92.788 34.683 92.788 36.476 C 92.787 38.269 91.334 39.723 89.541 39.723 Z" opacity="0.93" stroke-opacity="0" stroke-miterlimit="10"/></g></g></g></g></g><g transform="matrix(1,0,0,1,250,51)"><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="140" height="70" fill-opacity="0"/></g></g><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="140" height="14" fill-opacity="0"/></g></g><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="140" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="0" y="12">Network</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="47" y="12">Router</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="83" y="12"> (</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="91" y="12">gateway</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="135" y="12">)</text></g><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="140" height="14" fill-opacity="0"/></g></g><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="127" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="0" y="26">vlan10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="35" y="26"> -</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="46" y="26">192</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="66" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="69" y="26">168</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="89" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="93" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="99" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="103" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="109" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="113" y="26">24</text></g><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="28" width="140" height="14" fill-opacity="0"/></g></g><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="28" width="47" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="0" y="40">vlan20</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="35" y="40"> -&#160;</text></g><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="46" y="28" width="74" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="46" y="40">172</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="66" y="40">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="69" y="40">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="83" y="40">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="86" y="40">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="93" y="40">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="96" y="40">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="103" y="40">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="106" y="40">24</text></g><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="42" width="140" height="14" fill-opacity="0"/></g></g><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="42" width="47" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="0" y="54">vlan30</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="35" y="54"> -&#160;</text></g><g transform="translate(92,238) matrix(1,0,0,1,0,0) translate(-92,-238)"><g><rect fill="rgb(0,0,0)" stroke="none" x="46" y="42" width="61" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="46" y="54">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="59" y="54">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="63" y="54">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="69" y="54">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="73" y="54">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="79" y="54">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="83" y="54">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="89" y="54">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="93" y="54">16</text></g></g><g transform="matrix(1,0,0,1,48,60)"><g transform="translate(0,0)"><g transform="translate(-62,-55) translate(14,-5) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#e06666" d="M 54 66 L 54 79 Q 54 89 64 89 L 78 89 Q 88 89 88 99 L 88 112" stroke-miterlimit="10" stroke-width="5"/></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,12.805718530101615,11.940280333547719)"><g><g transform="translate(0,0) scale(0.8417223432141461,0.83)"><g><g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 52.371 16.22 L -1.393 16.22 L -1.393 99.52 L 52.371 99.52" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 52.371 99.52 L 69.07 82.82 L 69.07 -0.48 L 19.98 -0.48 L -1.393 16.22 L 52.371 16.22 L 52.371 99.52 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="rgb(0,0,0)" stroke="#FFFFFF" d="M 52.371 16.22 L 69.07 -0.48" fill-opacity="0" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="rgb(0,0,0)" stroke="#FFFFFF" d="M 25.3 16.22 L 25.3 99.52" fill-opacity="0" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="rgb(0,0,0)" stroke="#FFFFFF" d="M 26.149 16.22 L 44.316 -0.48" fill-opacity="0" stroke-miterlimit="10" stroke-width="1.3594"/></g></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 3.263 23.823 L 21.317 23.823 Q 21.317 23.823 21.317 23.823 L 21.317 34.868 Q 21.317 34.868 21.317 34.868 L 3.263 34.868 Q 3.263 34.868 3.263 34.868 L 3.263 23.823 Q 3.263 23.823 3.263 23.823 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 29.156 23.823 L 47.207 23.823 Q 47.207 23.823 47.207 23.823 L 47.207 34.868 Q 47.207 34.868 47.207 34.868 L 29.156 34.868 Q 29.156 34.868 29.156 34.868 L 29.156 23.823 Q 29.156 23.823 29.156 23.823 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 3.263 64.604 L 21.317 64.604 Q 21.317 64.604 21.317 64.604 L 21.317 75.648 Q 21.317 75.648 21.317 75.648 L 3.263 75.648 Q 3.263 75.648 3.263 75.648 L 3.263 64.604 Q 3.263 64.604 3.263 64.604 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 29.156 64.604 L 47.207 64.604 Q 47.207 64.604 47.207 64.604 L 47.207 75.648 Q 47.207 75.648 47.207 75.648 L 29.156 75.648 Q 29.156 75.648 29.156 75.648 L 29.156 64.604 Q 29.156 64.604 29.156 64.604 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 3.263 82.445 L 21.317 82.445 Q 21.317 82.445 21.317 82.445 L 21.317 93.49 Q 21.317 93.49 21.317 93.49 L 3.263 93.49 Q 3.263 93.49 3.263 93.49 L 3.263 82.445 Q 3.263 82.445 3.263 82.445 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g><g><path fill="#3d85c6" stroke="#FFFFFF" d="M 29.156 82.445 L 47.207 82.445 Q 47.207 82.445 47.207 82.445 L 47.207 93.49 Q 47.207 93.49 47.207 93.49 L 29.156 93.49 Q 29.156 93.49 29.156 93.49 L 29.156 82.445 Q 29.156 82.445 29.156 82.445 Z" stroke-miterlimit="10" stroke-width="1.3594"/></g></g></g></g></g><g transform="matrix(1,0,0,1,66,73)"><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="57" height="14" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="57" height="14" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="8" y="0" width="41" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="8" y="12">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="32" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="35" y="12">10</text></g></g><g transform="matrix(1,0,0,1,67,52)"><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="57" height="14" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="57" height="14" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="8" y="0" width="41" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="8" y="12">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="32" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="35" y="12">20</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,7.386363636363733,108.14285409109937)"><g><g transform="translate(0,0) scale(1.7571428571428573,2.3636363636363638)"><g><g><g><path fill="#999999" stroke="rgb(0,0,0)" d="M 58.97 19.094 C 58.977 18.895 59 18.7 59 18.5 C 59 8.283 50.717 0 40.5 0 C 33.11 0 26.751 4.344 23.787 10.607 C 22.275 9.593 20.458 9 18.5 9 C 13.5 9 9.41 12.866 9.037 17.771 C 3.778 19.616 0 24.61 0 30.5 C 0 37.787 5.778 43.71 13 43.975 L 13 44 L 58 44 L 58 43.975 C 64.671 43.71 70 38.235 70 31.5 C 70 25.095 65.18 19.822 58.97 19.094 Z M 58 41.975 L 58 42 L 13 42 L 13 41.975 C 6.883 41.711 2 36.683 2 30.5 C 2 24.994 5.872 20.398 11.039 19.271 C 11.013 19.017 11 18.76 11 18.5 C 11 14.357 14.358 11 18.5 11 C 21.017 11 23.239 12.244 24.6 14.146 C 26.512 7.15 32.897 2 40.5 2 C 49.613 2 57 9.388 57 18.5 C 57 19.353 56.914 20.183 56.79 21 L 58 21 L 58 21.025 C 63.565 21.288 68 25.87 68 31.5 C 68 37.13 63.565 41.712 58 41.975 Z" stroke-opacity="0" stroke-miterlimit="10"/></g></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,170.65404609475036,143.99656534721677)"><g><g transform="translate(0,0) scale(0.44395492957746485,0.26378466557911767)"><g><path fill="url(#SeALyqvahCFZ)" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.2524809014999616,3.790970933828097)"><path fill="none" stroke="none" d="M 0 0 L 44.395492957746484 0 Q 44.395492957746484 0 44.395492957746484 0 L 44.395492957746484 26.378466557911768 Q 44.395492957746484 26.378466557911768 44.395492957746484 26.378466557911768 L 0 26.378466557911768 Q 0 26.378466557911768 0 26.378466557911768 L 0 0 Q 0 0 0 0 Z"/><path fill="url(#SeALyqvahCFZ)" stroke="#6fa8dc" d="M 0 0 M 0 0 L 44.395492957746484 0 Q 44.395492957746484 0 44.395492957746484 0 L 44.395492957746484 26.378466557911768 Q 44.395492957746484 26.378466557911768 44.395492957746484 26.378466557911768 L 0 26.378466557911768 Q 0 26.378466557911768 0 26.378466557911768 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,174.53252582967698,139.4965653472169)"><g transform="translate(0,0)"><g transform="translate(-177.7573249679898,-143.64485245977795) translate(3.224799138312818,4.148287112561064) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 179.03252582967698 143.9965653472169 L 179.03252582967698 170.37503190512842" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,202.11478334058148,139.4965653472165)"><g transform="translate(0,0)"><g transform="translate(-207.50230524967998,-145.05170400953324) translate(5.387521909098496,5.55513866231675) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 206.61478334058148 143.9965653472165 L 206.61478334058148 170.37503190512865" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,188.35179257362358,139.49656534721677)"><g transform="translate(0,0)"><g transform="translate(-191.5199277848912,-145.05170400953324) translate(3.168135211267611,5.555138662316466) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 192.85179257362358 143.99656534721677 L 192.85179257362358 170.37503190512854" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,141,177)"><g transform="translate(18,28) matrix(1,0,0,1,0,0) translate(-18,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="104" height="28" fill-opacity="0"/></g></g><g transform="translate(18,28) matrix(1,0,0,1,0,0) translate(-18,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="104" height="14" fill-opacity="0"/></g></g><g transform="translate(18,28) matrix(1,0,0,1,0,0) translate(-18,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="0" width="103" height="14" fill-opacity="0"/></g></g><g transform="translate(18,28) matrix(1,0,0,1,0,0) translate(-18,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="0" width="103" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="1" y="12">container2</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="57" y="12"> -</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="68" y="12">vlan20</text></g><g transform="translate(18,28) matrix(1,0,0,1,0,0) translate(-18,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="104" height="14" fill-opacity="0"/></g></g><g transform="translate(18,28) matrix(1,0,0,1,0,0) translate(-18,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="16" y="14" width="74" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="16" y="26">172</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="36" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="39" y="26">16</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="52" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="56" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="62" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="66" y="26">2</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="72" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="76" y="26">24</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,259.38636363636374,108.14285409109937)"><g><g transform="translate(0,0) scale(1.7571428571428573,2.3636363636363638)"><g><g><g><path fill="#999999" stroke="rgb(0,0,0)" d="M 58.97 19.094 C 58.977 18.895 59 18.7 59 18.5 C 59 8.283 50.717 0 40.5 0 C 33.11 0 26.751 4.344 23.787 10.607 C 22.275 9.593 20.458 9 18.5 9 C 13.5 9 9.41 12.866 9.037 17.771 C 3.778 19.616 0 24.61 0 30.5 C 0 37.787 5.778 43.71 13 43.975 L 13 44 L 58 44 L 58 43.975 C 64.671 43.71 70 38.235 70 31.5 C 70 25.095 65.18 19.822 58.97 19.094 Z M 58 41.975 L 58 42 L 13 42 L 13 41.975 C 6.883 41.711 2 36.683 2 30.5 C 2 24.994 5.872 20.398 11.039 19.271 C 11.013 19.017 11 18.76 11 18.5 C 11 14.357 14.358 11 18.5 11 C 21.017 11 23.239 12.244 24.6 14.146 C 26.512 7.15 32.897 2 40.5 2 C 49.613 2 57 9.388 57 18.5 C 57 19.353 56.914 20.183 56.79 21 L 58 21 L 58 21.025 C 63.565 21.288 68 25.87 68 31.5 C 68 37.13 63.565 41.712 58 41.975 Z" stroke-opacity="0" stroke-miterlimit="10"/></g></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,296.65404609475036,143.99656534721677)"><g><g transform="translate(0,0) scale(0.44395492957746485,0.26378466557911767)"><g><path fill="url(#KIKSmddbxdCC)" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.2524809014999616,3.790970933828097)"><path fill="none" stroke="none" d="M 0 0 L 44.395492957746484 0 Q 44.395492957746484 0 44.395492957746484 0 L 44.395492957746484 26.378466557911768 Q 44.395492957746484 26.378466557911768 44.395492957746484 26.378466557911768 L 0 26.378466557911768 Q 0 26.378466557911768 0 26.378466557911768 L 0 0 Q 0 0 0 0 Z"/><path fill="url(#KIKSmddbxdCC)" stroke="#6fa8dc" d="M 0 0 M 0 0 L 44.395492957746484 0 Q 44.395492957746484 0 44.395492957746484 0 L 44.395492957746484 26.378466557911768 Q 44.395492957746484 26.378466557911768 44.395492957746484 26.378466557911768 L 0 26.378466557911768 Q 0 26.378466557911768 0 26.378466557911768 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,300.53252582967696,139.4965653472169)"><g transform="translate(0,0)"><g transform="translate(-303.7573249679898,-143.64485245977795) translate(3.2247991383128465,4.148287112561064) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 305.03252582967696 143.9965653472169 L 305.03252582967696 170.37503190512842" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,328.1147833405815,139.4965653472165)"><g transform="translate(0,0)"><g transform="translate(-333.50230524968,-145.05170400953324) translate(5.387521909098496,5.55513866231675) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 332.6147833405815 143.9965653472165 L 332.6147833405815 170.37503190512865" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,314.3517925736236,139.49656534721677)"><g transform="translate(0,0)"><g transform="translate(-317.5199277848912,-145.05170400953324) translate(3.168135211267611,5.555138662316466) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#0b5394" d="M 318.8517925736236 143.99656534721677 L 318.8517925736236 170.37503190512854" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g><g transform="matrix(1,0,0,1,267,177)"><g transform="translate(24,28) matrix(1,0,0,1,0,0) translate(-24,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="104" height="28" fill-opacity="0"/></g></g><g transform="translate(24,28) matrix(1,0,0,1,0,0) translate(-24,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="104" height="14" fill-opacity="0"/></g></g><g transform="translate(24,28) matrix(1,0,0,1,0,0) translate(-24,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="0" width="103" height="14" fill-opacity="0"/></g></g><g transform="translate(24,28) matrix(1,0,0,1,0,0) translate(-24,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="1" y="0" width="103" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="1" y="12">container3</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="57" y="12"> -</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="68" y="12">vlan30</text></g><g transform="translate(24,28) matrix(1,0,0,1,0,0) translate(-24,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="104" height="14" fill-opacity="0"/></g></g><g transform="translate(24,28) matrix(1,0,0,1,0,0) translate(-24,-28)"><g><rect fill="rgb(0,0,0)" stroke="none" x="22" y="14" width="61" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="22" y="26">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="36" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="39" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="46" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="49" y="26">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="56" y="26">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="59" y="26">2</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="66" y="26">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="69" y="26">16</text></g></g><g transform="matrix(1,0,0,1,67,31)"><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="57" height="14" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="57" height="14" fill-opacity="0"/></g></g><g transform="translate(8,0) matrix(1,0,0,1,0,0) translate(-8,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="8" y="0" width="41" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="8" y="12">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="32" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="35" y="12">30</text></g></g><g transform="matrix(1,0,0,1,5,95)"><g transform="translate(4,0) matrix(1,0,0,1,0,0) translate(-4,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="75" height="28" fill-opacity="0"/></g></g><g transform="translate(4,0) matrix(1,0,0,1,0,0) translate(-4,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="75" height="14" fill-opacity="0"/></g></g><g transform="translate(4,0) matrix(1,0,0,1,0,0) translate(-4,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="4" y="0" width="67" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="4" y="12">Docker</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="46" y="12">Host</text></g></g></g></svg>
\ No newline at end of file
diff --git a/cli/experimental/images/vlans-deeper-look.gliffy b/cli/experimental/images/vlans-deeper-look.gliffy
new file mode 100644
index 00000000..4d9f2761
--- /dev/null
+++ b/cli/experimental/images/vlans-deeper-look.gliffy
@@ -0,0 +1 @@
+{"contentType":"application/gliffy+json","version":"1.3","stage":{"background":"#FFFFFF","width":566,"height":581,"nodeIndex":500,"autoFit":true,"exportBorder":false,"gridOn":true,"snapToGrid":false,"drawingGuidesOn":false,"pageBreaksOn":false,"printGridOn":false,"printPaper":"LETTER","printShrinkToFit":false,"printPortrait":true,"maxWidth":5000,"maxHeight":5000,"themeData":{"uid":"com.gliffy.theme.beach_day","name":"Beach Day","shape":{"primary":{"strokeWidth":2,"strokeColor":"#00A4DA","fillColor":"#AEE4F4","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#004257"}},"secondary":{"strokeWidth":2,"strokeColor":"#CDB25E","fillColor":"#EACF81","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#332D1A"}},"tertiary":{"strokeWidth":2,"strokeColor":"#FFBE00","fillColor":"#FFF1CB","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#000000"}},"highlight":{"strokeWidth":2,"strokeColor":"#00A4DA","fillColor":"#00A4DA","gradient":false,"dropShadow":false,"opacity":1,"text":{"color":"#ffffff"}}},"line":{"strokeWidth":2,"strokeColor":"#00A4DA","fillColor":"none","arrowType":2,"interpolationType":"quadratic","cornerRadius":0,"text":{"color":"#002248"}},"text":{"color":"#002248"},"stage":{"color":"#FFFFFF"}},"viewportType":"default","fitBB":{"min":{"x":-3,"y":-1.0100878848684474},"max":{"x":566,"y":581}},"printModel":{"pageSize":"a4","portrait":false,"fitToOnePage":false,"displayPageBreaks":false},"objects":[{"x":-5.0,"y":-1.0100878848684474,"rotation":0.0,"id":499,"width":569.0,"height":582.0100878848684,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":103,"lockAspectRatio":false,"lockShape":false,"children":[{"x":374.0,"y":44.510087884868476,"rotation":0.0,"id":497,"width":145.0,"height":32.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":101,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:14px;\"><span style=\"font-weight:bold;\">Network &amp;&nbsp;</span></span><span style=\"font-size:14px;\"><span style=\"font-weight:bold;\">other </span></span></p><p style=\"text-align:center;\"><span style=\"font-size:14px;\"><span style=\"font-weight:bold;\">Docker Hosts</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":157.40277777777783,"y":108.18042331083174,"rotation":0.0,"id":492,"width":121.19444444444446,"height":256.03113588084784,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":99,"lockAspectRatio":false,"lockShape":false,"children":[{"x":-126.13675213675185,"y":31.971494223140525,"rotation":180.0,"id":453,"width":11.1452323717951,"height":61.19357171974171,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":57,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":6.0,"strokeColor":"#38761d","fillColor":"#38761d","dashStyle":"1.0,1.0","startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":10.0,"controlPath":[[-121.4915197649562,-156.36606993796556],[-121.49151976495622,-99.52846483047983],[-229.68596420939843,-99.52846483047591],[-229.68596420939843,-34.22088765589871]],"lockSegments":{"1":true},"ortho":true}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":289.82598824786317,"y":137.23816896148608,"rotation":180.0,"id":454,"width":11.1452323717951,"height":61.19357171974171,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":55,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":6.0,"strokeColor":"#38761d","fillColor":"#38761d","dashStyle":"1.0,1.0","startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":10.0,"controlPath":[[291.05455395299924,191.93174068122784],[291.05455395299924,106.06051735724502],[186.27677617521402,106.06051735724502],[186.27677617521402,69.78655839914467]],"lockSegments":{},"ortho":true}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":372.0,"y":332.0100878848684,"rotation":0.0,"id":490,"width":144.0,"height":60.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":97,"lockAspectRatio":false,"lockShape":false,"children":[{"x":0.0,"y":9.5,"rotation":0.0,"id":365,"width":141.0,"height":40.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":98,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:18px;font-family:Arial;\">&nbsp;Parent: <span style=\"font-weight:bold;\">eth0.30</span></span></p><p style=\"text-align:center;\"><span style=\"font-size:18px;font-family:Arial;\">VLAN: <span style=\"font-weight:bold;\">30</span></span></p><p style=\"text-align:center;\"></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":0.0,"rotation":0.0,"id":342,"width":144.0,"height":60.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":96,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#eb6c6c","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.99,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":52.0,"y":332.0100878848684,"rotation":0.0,"id":489,"width":144.0,"height":60.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":92,"lockAspectRatio":false,"lockShape":false,"children":[{"x":1.0,"y":10.5,"rotation":0.0,"id":367,"width":138.0,"height":40.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":93,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:18px;font-family:Arial;\"><span style=\"\">Parent</span>: <span style=\"font-weight:bold;\">eth0.10</span></span></p><p style=\"text-align:center;\"><span style=\"font-size:18px;font-family:Arial;\">VLAN ID</span><span style=\"font-size:18px;font-family:Arial;\">:</span><span style=\"font-size:18px;font-weight:bold;font-family:Arial;\"> <span style=\"\">10</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":0.0,"rotation":0.0,"id":340,"width":144.0,"height":60.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":91,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#5fcc5a","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.99,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":289.40277777777794,"y":126.43727235088903,"rotation":0.0,"id":486,"width":121.19444444444446,"height":250.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":88,"lockAspectRatio":false,"lockShape":false,"children":[{"x":236.18596420940128,"y":158.89044937932732,"rotation":0.0,"id":449,"width":11.1452323717951,"height":59.50782702798556,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":53,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":6.0,"strokeColor":"#cc0000","fillColor":"#cc0000","dashStyle":"1.0,1.0","startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":10.0,"controlPath":[[-121.49151976495682,-152.05853787273531],[-121.49151976495682,-81.64750068755309],[-229.68596420940125,-81.64750068755139],[-229.68596420940125,-33.27817949077674]],"lockSegments":{},"ortho":true}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":-179.77677617521388,"y":56.523633779319084,"rotation":0.0,"id":450,"width":11.1452323717951,"height":59.50782702798556,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":51,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":6.0,"strokeColor":"#cc0000","fillColor":"#cc0000","dashStyle":"1.0,1.0","startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":10.0,"controlPath":[[291.0545539529992,186.6444547140887],[291.0545539529992,117.79470574474337],[186.276776175214,117.79470574474337],[186.276776175214,67.8640963321146]],"lockSegments":{"1":true},"ortho":true}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":447.0,"y":150.01008788486848,"rotation":0.0,"id":472,"width":46.99999999999994,"height":27.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":87,"lockAspectRatio":false,"lockShape":false,"children":[{"x":0.0,"y":0.0,"rotation":0.0,"id":473,"width":37.09803921568625,"height":18.000000000000004,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":86,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#666666","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":5.485490196078445,"y":5.153846153846132,"rotation":0.0,"id":474,"width":37.09803921568625,"height":18.000000000000004,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":84,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#666666","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":9.901960784313701,"y":9.0,"rotation":0.0,"id":475,"width":37.09803921568625,"height":18.000000000000004,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":82,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#666666","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":368.0,"y":101.71008483311067,"rotation":0.0,"id":477,"width":140.0,"height":56.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":80,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:12px;font-family:Arial;\">Gateway&nbsp;</span><span style=\"font-weight:bold;\">10.1.30.1</span></p><p style=\"text-align:center;\"><span style=\"text-decoration:none;font-weight:bold;\">&nbsp;</span><span style=\"\">&nbsp;and other&nbsp;</span><span style=\"\">containers on the same VLAN/</span><span style=\"\">subnet</span></p><p style=\"text-align:center;\"><span style=\"text-decoration:none;\">&nbsp;</span></p><p style=\"text-align:center;\"></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":350.51767083236393,"y":87.47159983339776,"rotation":0.0,"id":478,"width":175.20345848455912,"height":73.0,"uid":"com.gliffy.shape.cisco.cisco_v1.storage.cloud","order":79,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.cisco.cisco_v1.storage.cloud","strokeWidth":2.0,"strokeColor":"#333333","fillColor":"#cc0000","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":94.0,"y":155.01008788486848,"rotation":0.0,"id":463,"width":46.99999999999994,"height":27.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":78,"lockAspectRatio":false,"lockShape":false,"children":[{"x":0.0,"y":0.0,"rotation":0.0,"id":464,"width":37.09803921568625,"height":18.000000000000004,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":77,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#666666","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":5.485490196078445,"y":5.153846153846132,"rotation":0.0,"id":465,"width":37.09803921568625,"height":18.000000000000004,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":75,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#666666","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":9.901960784313701,"y":9.0,"rotation":0.0,"id":466,"width":37.09803921568625,"height":18.000000000000004,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":73,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#666666","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":80.0,"y":109.71008483311067,"rotation":0.0,"id":468,"width":140.0,"height":56.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":71,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:12px;font-family:Arial;\">Gateway&nbsp;</span><span style=\"font-weight:bold;\">10.1.10.1</span></p><p style=\"text-align:center;\"><span style=\"text-decoration:none;font-weight:bold;\">&nbsp;</span><span style=\"\">&nbsp;and other&nbsp;</span><span style=\"\">containers on the same VLAN/</span><span style=\"\">subnet</span></p><p style=\"text-align:center;\"><span style=\"text-decoration:none;\">&nbsp;</span></p><p style=\"text-align:center;\"></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":62.51767083236396,"y":95.47159983339776,"rotation":0.0,"id":469,"width":175.20345848455912,"height":73.0,"uid":"com.gliffy.shape.cisco.cisco_v1.storage.cloud","order":70,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.cisco.cisco_v1.storage.cloud","strokeWidth":2.0,"strokeColor":"#333333","fillColor":"#38761d","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":341.0,"y":40.010087884868476,"rotation":0.0,"id":460,"width":46.99999999999994,"height":27.0,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":69,"lockAspectRatio":false,"lockShape":false,"children":[{"x":0.0,"y":0.0,"rotation":0.0,"id":417,"width":37.09803921568625,"height":18.000000000000004,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":68,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#666666","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":5.485490196078445,"y":5.153846153846132,"rotation":0.0,"id":418,"width":37.09803921568625,"height":18.000000000000004,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":66,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#666666","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":9.901960784313701,"y":9.0,"rotation":0.0,"id":419,"width":37.09803921568625,"height":18.000000000000004,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","order":64,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#666666","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":198.51767083236396,"y":41.471599833397754,"rotation":0.0,"id":459,"width":175.20345848455912,"height":79.73848499971291,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":62,"lockAspectRatio":false,"lockShape":false,"children":[{"x":17.482329167636067,"y":14.23848499971291,"rotation":0.0,"id":458,"width":140.0,"height":56.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":61,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:12px;font-family:Arial;\">Gateway&nbsp;</span><span style=\"font-weight:bold;\">10.1.20.1</span></p><p style=\"text-align:center;\"><span style=\"text-decoration:none;font-weight:bold;\">&nbsp;</span><span style=\"\">&nbsp;and other&nbsp;</span><span style=\"\">containers on the same VLAN/</span><span style=\"\">subnet</span></p><p style=\"text-align:center;\"><span style=\"text-decoration:none;\">&nbsp;</span></p><p style=\"text-align:center;\"></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":0.0,"rotation":0.0,"id":330,"width":175.20345848455912,"height":73.0,"uid":"com.gliffy.shape.cisco.cisco_v1.storage.cloud","order":59,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.cisco.cisco_v1.storage.cloud","strokeWidth":2.0,"strokeColor":"#333333","fillColor":"#ff9900","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":279.0,"y":129.01008788486848,"rotation":0.0,"id":440,"width":5.0,"height":227.0,"uid":"com.gliffy.shape.basic.basic_v1.default.line","order":49,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":6.0,"strokeColor":"#ff9900","fillColor":"#ff9900","dashStyle":"1.0,1.0","startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[4.000000000000057,-25.08952732449731],[4.000000000000114,176.01117206537933]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":56.0,"y":503.0913886978766,"rotation":0.0,"id":386,"width":135.0,"height":20.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":48,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:18px;font-family:Arial;\">Frontend</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":62.0,"y":420.0100878848684,"rotation":0.0,"id":381,"width":120.0,"height":74.18803418803415,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":41,"lockAspectRatio":false,"lockShape":false,"children":[{"x":0.0,"y":0.0,"rotation":0.0,"id":382,"width":102.08955223880598,"height":54.91841491841488,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":44,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.97,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[{"x":2.0417910447761187,"y":0.0,"rotation":0.0,"id":383,"width":98.00597014925374,"height":44.0,"uid":null,"order":47,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">Container(s)</span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">Eth0 <span style=\"font-weight:bold;\">10.1.10.0/24</span></span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":8.955223880597016,"y":9.634809634809635,"rotation":0.0,"id":384,"width":102.08955223880598,"height":54.91841491841488,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":42,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.97,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":17.910447761194032,"y":19.26961926961927,"rotation":0.0,"id":385,"width":102.08955223880598,"height":54.91841491841488,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":40,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.97,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":382.0,"y":420.0100878848684,"rotation":0.0,"id":376,"width":120.0,"height":74.18803418803415,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":31,"lockAspectRatio":false,"lockShape":false,"children":[{"x":0.0,"y":0.0,"rotation":0.0,"id":377,"width":102.08955223880598,"height":54.91841491841488,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":34,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.97,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[{"x":2.0417910447761187,"y":0.0,"rotation":0.0,"id":378,"width":98.00597014925374,"height":44.0,"uid":null,"order":37,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">Container(s)</span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">Eth0 <span style=\"font-weight:bold;\">10.1.30.0/24</span></span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":8.955223880597016,"y":9.634809634809635,"rotation":0.0,"id":379,"width":102.08955223880598,"height":54.91841491841488,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":32,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.97,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":17.910447761194032,"y":19.26961926961927,"rotation":0.0,"id":380,"width":102.08955223880598,"height":54.91841491841488,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":30,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.97,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":214.0,"y":503.0100878848685,"rotation":0.0,"id":374,"width":135.0,"height":20.162601626016258,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":27,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:18px;font-family:Arial;\">Backend</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":376.0,"y":502.0100878848684,"rotation":0.0,"id":373,"width":135.0,"height":20.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":26,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:18px;font-family:Arial;\">Credit Cards</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":627.0,"y":99.94304076572786,"rotation":0.0,"id":364,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":25,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":363,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":342,"py":1.0,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":1.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-183.0,310.0670471191406],[-183.0,292.0670471191406]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":372.0,"y":410.0100878848684,"rotation":0.0,"id":363,"width":144.0,"height":117.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":24,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#eb6c6c","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.99,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":218.0,"y":341.5100878848684,"rotation":0.0,"id":366,"width":132.0,"height":40.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":23,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:18px;font-family:Arial;\">Parent: <span style=\"font-weight:bold;\">eth0.20</span></span></p><p style=\"text-align:center;\"><span style=\"font-size:18px;font-family:Arial;\">VLAN ID: <span style=\"font-weight:bold;\">20</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":297.0,"y":89.94304076572786,"rotation":0.0,"id":356,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":22,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":353,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":343,"py":1.0,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":1.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[-13.0,320.0670471191406],[-13.0,302.0670471191406]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":222.0,"y":420.0100878848684,"rotation":0.0,"id":348,"width":120.0,"height":74.18803418803415,"uid":"com.gliffy.shape.basic.basic_v1.default.group","order":21,"lockAspectRatio":false,"lockShape":false,"children":[{"x":0.0,"y":0.0,"rotation":0.0,"id":349,"width":102.08955223880598,"height":54.91841491841488,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":17,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.97,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[{"x":2.0417910447761187,"y":0.0,"rotation":0.0,"id":350,"width":98.00597014925374,"height":44.0,"uid":null,"order":20,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":8,"paddingRight":8,"paddingBottom":8,"paddingLeft":8,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"\">Container(s)</span></p><p style=\"text-align:center;\"><span style=\"font-size:13px;text-decoration:none;font-family:Arial;\"><span style=\"text-decoration:none;\">Eth0 <span style=\"font-weight:bold;\">10.1.20.0/24</span></span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":8.955223880597016,"y":9.634809634809635,"rotation":0.0,"id":351,"width":102.08955223880598,"height":54.91841491841488,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":15,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.97,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":17.910447761194032,"y":19.26961926961927,"rotation":0.0,"id":352,"width":102.08955223880598,"height":54.91841491841488,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":13,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#4cacf5","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.97,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":212.0,"y":410.0100878848684,"rotation":0.0,"id":353,"width":144.0,"height":119.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":11,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#fca13f","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.99,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":212.0,"y":332.0100878848684,"rotation":0.0,"id":343,"width":144.0,"height":60.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":10,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#fca13f","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.99,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":203.0,"y":307.5100878848684,"rotation":0.0,"id":333,"width":160.0,"height":22.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":9,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:20px;font-family:Arial;\"><span style=\"font-weight:bold;\">eth0</span>&nbsp;Interface</span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":303.0,"y":240.51008788486845,"rotation":0.0,"id":323,"width":261.0,"height":48.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":8,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:14px;font-weight:bold;font-family:Arial;\">802.1Q Trunk - </span><span style=\"font-size:14px;font-family:Arial;\"><span style=\"font-style:italic;\">can be a single Ethernet link or Multiple Bonded Ethernet links</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":36.0,"y":291.0100878848684,"rotation":0.0,"id":290,"width":497.0,"height":80.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":7,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#cccccc","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":1.0,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":0.0,"y":543.5100878848684,"rotation":0.0,"id":282,"width":569.0,"height":32.0,"uid":"com.gliffy.shape.basic.basic_v1.default.text","order":6,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Text","Text":{"overflow":"none","paddingTop":2,"paddingRight":2,"paddingBottom":2,"paddingLeft":2,"outerPaddingTop":6,"outerPaddingRight":6,"outerPaddingBottom":2,"outerPaddingLeft":6,"type":"fixed","lineTValue":null,"linePerpValue":null,"cardinalityType":null,"html":"<p style=\"text-align:center;\"><span style=\"font-size:14px;\"><span style=\"font-weight:bold;\">Docker Host</span></span><span style=\"font-size:14px;font-style:italic;\">: Frontend, Backend &amp; Credit Card App Tiers are&nbsp;<span style=\"font-weight:bold;\">Isolated</span></span><span style=\"font-size:14px;\">&nbsp;but can still communicate inside <span style=\"font-weight:bold;\">parent</span> interface or any other Docker hosts using the <span style=\"font-weight:bold;\">VLAN ID</span></span></p>","tid":null,"valign":"middle","vposition":"none","hposition":"none"}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":-33.0,"y":79.94304076572786,"rotation":0.0,"id":269,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":5,"lockAspectRatio":false,"lockShape":false,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":345,"py":0.0,"px":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":340,"py":1.0,"px":0.5}}},"graphic":{"type":"Line","Line":{"strokeWidth":1.0,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[157.0,330.0670471191406],[157.0,312.0670471191406]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":52.0,"y":410.0100878848684,"rotation":0.0,"id":345,"width":144.0,"height":119.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":4,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":1.0,"strokeColor":"#434343","fillColor":"#5fcc5a","gradient":false,"dashStyle":null,"dropShadow":true,"state":0,"opacity":0.99,"shadowX":4.0,"shadowY":4.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":20.0,"y":323.0100878848684,"rotation":0.0,"id":276,"width":531.0,"height":259.0,"uid":"com.gliffy.shape.basic.basic_v1.default.round_rectangle","order":3,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":2.0,"strokeColor":"#434343","fillColor":"#c5e4fc","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":0.93,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":19.609892022503004,"y":20.27621073737908,"rotation":355.62347411485274,"id":246,"width":540.0106597126834,"height":225.00000000000003,"uid":"com.gliffy.shape.cisco.cisco_v1.storage.cloud","order":2,"lockAspectRatio":true,"lockShape":false,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.cisco.cisco_v1.storage.cloud","strokeWidth":2.0,"strokeColor":"#333333","fillColor":"#999999","gradient":false,"dashStyle":null,"dropShadow":false,"state":0,"opacity":1.0,"shadowX":0.0,"shadowY":0.0}},"linkMap":[],"children":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":1.0,"y":99.94304076572786,"rotation":0.0,"id":394,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":1,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":3.0,"strokeColor":"#666666","fillColor":"#999999","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[261.0,233.5670471191406],[261.0,108.05111187584177]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"},{"x":44.0,"y":90.94304076572786,"rotation":0.0,"id":481,"width":100.0,"height":100.0,"uid":"com.gliffy.shape.uml.uml_v2.sequence.anchor_line","order":0,"lockAspectRatio":false,"lockShape":false,"graphic":{"type":"Line","Line":{"strokeWidth":3.0,"strokeColor":"#666666","fillColor":"#999999","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","interpolationType":"linear","cornerRadius":null,"controlPath":[[261.0,233.56704711914062],[261.0,108.05111187584174]],"lockSegments":{},"ortho":false}},"linkMap":[],"hidden":false,"layerId":"9wom3rMkTrb3"}],"hidden":false,"layerId":"9wom3rMkTrb3"}],"layers":[{"guid":"9wom3rMkTrb3","order":0,"name":"Layer 0","active":true,"locked":false,"visible":true,"nodeIndex":104}],"shapeStyles":{},"lineStyles":{"global":{"fill":"#999999","stroke":"#38761d","strokeWidth":3,"dashStyle":"1.0,1.0","orthoMode":2}},"textStyles":{"global":{"bold":true,"face":"Arial","size":"14px","color":"#000000"}}},"metadata":{"title":"untitled","revision":0,"exportBorder":false,"loadPosition":"default","libraries":["com.gliffy.libraries.basic.basic_v1.default","com.gliffy.libraries.flowchart.flowchart_v1.default","com.gliffy.libraries.swimlanes.swimlanes_v1.default","com.gliffy.libraries.images","com.gliffy.libraries.network.network_v4.home","com.gliffy.libraries.network.network_v4.business","com.gliffy.libraries.network.network_v4.rack","com.gliffy.libraries.network.network_v3.home","com.gliffy.libraries.network.network_v3.business","com.gliffy.libraries.network.network_v3.rack"],"lastSerialized":1458117295143,"analyticsProduct":"Confluence"},"embeddedResources":{"index":0,"resources":[]}}
\ No newline at end of file
diff --git a/cli/experimental/images/vlans-deeper-look.png b/cli/experimental/images/vlans-deeper-look.png
new file mode 100644
index 0000000000000000000000000000000000000000..32d95f600e1d0f028e5a354584d7b3eac1639e35
GIT binary patch
literal 38837
zcmV(?K-a&CP)<h;3K|Lk000e1NJLTq00EEy00Ei^0{{R37W(Cw0008tP)t-s`}_O;
z{{H*>`~Uy{|NsBV<^9ae%>V!XU&~tip+HNj^66}A$mRQ)nVITrYtHNc(eD3Esqa*>
z`kbAd%gf76to6~-(lK|cWX@pB=>GHa@o3Xzg_^4Ws!jc*N5S0jld8K^uJzT`)$ek1
zjEs!W&(7fC;Fgw^`k+76^8b5_oPvUbLqS5dw6u?pkKFqIl9H1A{QJh>@4UUdh>3~o
zZf_bI8wCUeRju;(_xAs-RR8+*@o{lbulell>t$<pN1EBV(c~*ze50hIqPxz<0|8vM
z`%9C_jGwVjcVFh{<}p1-GKIfSV|9?Fw*B<%##>t)3<s>OtT%C;^muqGbEMhb*uuoa
zthc;2H8U@1m?bADOrYYNL_*Bw_Ge{V*N8X=7YhCG-9?x^NsPS9$HfQ|DjO?231S5M
zlL5N}0aL3>H+?Qtsp(QsPhQMaGY|=~Zwi2)wv~;4X@!<Qi#bJiNce;R<ct|Seyf9R
zPa02hF>Z;naVZ8!1Fgf;UA<XBC>c;zXuVure|>tOWE~Z8pARn$o3h1ObAbNj!%u^*
z_5J^CTT#Z>-^Nl<{-!W<+HSAO-u~F8IZIryPE6BPOvND_pf4@y_4@7P*??SStj416
zXk>tnp?7p^5>${_Fg7T04AS7|-0SlB;o#|%K{jY`-gbA9fN4Oe^_8!W{kmp&I5<C!
z%xrpy;@Qq-R5HBE&}org&cCz@F>V+<Qw|$Y9(BIK)VQ*rio$gr7mF11&CFF22iwiN
zE@e90YHEgKG5yJgFq-FbA{fNErCGKufTVR<$V|b6KF&Nk>7}GvKNhH!eJfrZ;)8=#
zpwqakn3Tfhgs;~cM<7#nn}SJ8E;MGj<o&48@Gyqh++bU0g|6<nx80PJpLsw_vR8yj
z5OJBq(PLwstFil`4pCr>>e#%;Zg8JfS<R=U(X)x_qEw}aV-z)zIYfxgoLb(+pm>z4
zvp_CT_#;99000DZQchF9>dx@GGiCe$0F;4AL_t(|USeQi8bn|eFfcF!*t2>a$5|-4
zqi+-{DqATiEeu5j0zpGVL+6shegeP$D|}pn2ahA~{O#-}nH(wBHO4^h(YZg#^A+KN
z|9(9^qXjyfdTZ6k`BKNgy1XfuI#}PWcKuvVT6W&stlrk;s=3{#zPlN!uhga2huH31
zr`8S1DKDn%eDlluV%M`h{dz*^`D*Y05VF|C*xY@XF0?m}R`!QiLc3?IW1l)P+Mkbp
zJBq5g|83EGj)%%QDk1j+RInXOmzz<@tvi4Bp-w>P4brX&x2%xY?$pi^;{7l%Hg?BD
zJ55Fi5fg+k(=;FYt{WK}yeAHAS9uWfbzKxoYd3T=I6sC4b7@Z&KojH&aBl%8i9-}-
z?#F>Rt(WB<gnS;$Ssn31H;EWHJtY>XR7!D<-vZ}KCSI)MO^Bvvo}kYO<v~c51z~++
zqER3MDmiWv@M|<@RBQ7z6GN$_Du}7`pA26Qg*d_vA~alrBC;UXuI2!xAVTHvl#niP
z1qGcY#9z^ZfflQ9m`0+XuLJ1X`;anI6LvH~X3wtO3LMDH0g%L-CY%$wndZ4Y^oK(`
z=L8>P2n|+wT0-Tfup(p2GARf>`j9s%Aww&IJlPEu;7F=CZlaivP(gV@h;xvwx6ru^
zBi^&_U_fL%zq?{Zo@g+g&zw9$)^C)i6B$@iaQqn!=86J%h^FnBcY0rpJJ~^##7rU?
z7Lv=t9CnGVe@zLhxET65jbUYDjyRLi6sJMZk+@VyPOp6Q@%}}Vp)&zXOA9BNYAhHk
zPJdsifqsfY+%N|TiD4C?WD`w0`Wlr`!dH43t^GJfZmHyz6Tx(urgN<GeqhjX_HElA
zkKLGCOyV^9K_N>IZIt%KOUYC`PTk=3+Npo2+fSsJMp3%#W~E`ov*Wx}10c*&ublvv
zD(EoR5fj}jA^9-=5MTTQ=@$bRPJd^w>3lD^m1R$=xB^95O1JfLE$*m=hd7#awnFfI
zD#V+HQuQK@#*E(m9aYYO(j{^!UfN2$gQhf?l2RVc(U;ow-jcc=gjz}}MQNDWSs4iZ
z4QaYAlx(tTHvtlGHaP&VI~l3qsOa7lf(Ee)RZ5I*lP$iT6L-Wka{_sTCNl%-ybxkS
z{t@#Gc&aLK(%N8{yDNnZLN0Vz8e5P4MVCgHiRyGxA)0AEbR!!|!|8N_D?jwJu5Tw3
zv9+~D;>yZq8tz6Ry2T}RC@Mi5{|t`x9rOAf6MZ*DzETR8mK$;(g!pI|I=C40hySKR
ze=5<`MRq%#)fm!_O{IO!P!_lD_6gA)x8?gNGkhtFBlKPW4et}<k5C%Qg_6+e8z;nx
zA`i<a{~mv%|Eah7mp0No4)Dc?0}5PYEev*RLo!*qN!HnfnU0~e+veDou{LB1(YZNJ
z8k&f}Nm&b_ZjTb#gF2=nO#qUE^CT`MC3{Bk>=M9$5q~;`woA^t;vy%i+#cf9f8d^Z
zV~m<xsn+g(N``r@GtcMwJm0tH@dd)+ujOR2oNqaY(ULDGld}AEIB;MgkSo-{v5bsJ
zw>=iGPKnzl@IPxpFdq)BZwWkg2s*;a^6+|hOh<P&-Zl2uTat2kPfUQ2<<B?1JqS0J
zBFE=9P(-~&?^h0+!%qF=2|>!Q3PzYLXneSv>ksi2fn>g0Y58;cav6&vtV5QuTJq=C
zm1`|!Ie<(`5OwqQ=`#o6@>%<_hB!pK!*EQz0`XHN1fd_*ht{k7BmmmSpz(ib^o7go
zvDk1~Mz#4W4|l7#>`DgLB;>vop=0fFoTu5Qd+vVz2o=M3%K<Xx>1b(Ft6j^Pl02_e
zl{{XD%7=@n;Xj!N;e0IiK{D(!jjy)Rf4VBDuw4Ei7W+k#G9GTKLCEPl<I9zc+_8o`
zysmfb#9QAtA^YqptAtQEf>P#(xND$UOIFwfcCX<MDC3Y~x67)<mc#OJ?8Bt5w&=`<
zQ6SlZWs)qH)n^;$Y7uh(v)2zu{auwGrM|yOxBfl&$8yFH%ZJicpNcp_l`x{zJJ@!&
zX58J)){`ZqHX9U6@S%FlgT-OP*=l`~K`p2+Z{c=Jp9;w3ykWOZ>m6$eA6lTk<a*4&
zY)wM0eSUd4#9<zw7<~f8)EFr6ImTcwjBDtnB=w}t^My6y@di{OWU=Xt@bA}#Xk>6?
zgGW%3QCeQ%P;l6+V8SQoKg7*AoY$P$a9HtgvB@6pmUVF)iW8rrDph5@wFx<Wrc$X4
zZ~%+UQ%uTlQA8Mn`QSxQI^aqB+SB+r3n&tCjZBXfJP80aG3^h&Qopqz3_+l8dUB!1
z<4ORU!gmr=k%tN3bVh7`;{6(RiU{GVs7;?7vL|<~Cr;h&U5YWT*#yd@BRPyMMOhA0
zum`>{db^Oj>2+;FE)9P6>}*CMg!%4=uCb!zbdotnVpiV-AAKL4T%m(quY4lYl}fqj
z2MGl5-=OqBRY*~y>1&w<X22P3WtJfqb#@JHGR$A`MZ&K!;&q{uC&cKqEMF%$j0p+V
zr5v@~hDlIJ@~gmPX+<El0N3noFd7lU=VGzE>@%HY6K^{g9{oQ;E)2eSb|VAO+d9(K
znF`IM3iN7;?&#}(NjHAfHg&sFm`Ne$)6im&zB&c~;R)vU7ZJP{zPm)O(CJ(%G|@`_
zYbg-lD8(BKw=a@_!JTqz%I8m>5Tr`O>har@O6%@vI;zdK2%d;FL}KuoSH)^6Q{Cwz
zL-j6;_Y`3)_Q3L3mo>wUjwvgG(9OdT(niiOZK0W{lV05nlJh~)DN5H%*s^Si;B15<
zb9*}hfEJ^Zx!~<505ZJ{Z|IME+o*|tSZNK!C6T^fkj{e&tM03~0G+r(C@$o(xb?gN
z9;Wc9<h7~OXX`>7`{T7&#BxS%6_vYV<p3b`mP>n(y4fATDF0B?+~=n+AAl-Crqe~{
z%h1errt?WDcztsr+A$OTr_5A5ajcMwusFR&?*O2!=%Ym@`UoH#U-HaG6TPjIaZHGa
z6;kMYSdgCRjpDMY0pcm{q!q$N1cx$CSu|xRGV#0YBu`L>?AU16ZaLOnhAI#o7)=aj
z*ny!Q*IH?{Ckx#8?cCfif43i(22Da1Q|Z9$bb3Bcw|<hDi4NtKIDF{aqM6irpSYu3
zU+EeH$V@Oy|7ZmOy@@kj-@!bS631a{35r2Fn%$(Y=zo@UYvENrpc5p7C0!29Y8Y%_
zGE^?!s@5lCeN;UXew^wYP~A<ReXNQ)Q=cQ-@PpWzRd4U<00bpbyiR;0-UN(N&k!Kw
zxwo@3P#N5h%8SbeAv_7dg#Z=WdAzAh;A1`nfUJ=*yy1W&fwL#n9#}{49AJ=<tny-6
zk_Rpe$ljg>wt+R8#?q{fS=7nJA%xwpdbZ}wzdF4J{#GU!eEC=lwfh8mJTOLdHt~K-
zHWP0m{A=mbCxP~KAzShbll6&=hXSgXxtf`{H@Xc->AY(IzQ1oT#&b)((IJ3&iN;%?
zd_HdHHy8Hd(uFeyA;%AoI%c{3ETEH72v_g-x*g{95SNuZ(jpk72qal`BHVKY+3UFC
zr=8n{(Y2Av$e)U<f9pD*YZ__pYwaI<nF1h$iH*|eKek#E2nsfF4G`j>C@rkYcOL?J
z*((j{Z@c{L^uaI)LAwnP0#sFp($DS>gN=~hjOmRhtX|cKIJgraL`@Jl%=Ew8A0gSJ
zJI``ViTrjG(m&)|9KBg^^eu5Nd%Q8%*3er_`9Dg}J4VL69b2yeW96zs$Wj6Te3%db
zR1_cn;f{QF5&$w9AqcqfTZ0GT&S1q<2m*p6Nw%u3d0sbLhVFSDfFmjMRE=Ip+6>1R
zz3XMs2vEqFFoR8q#X}P6=_4#hK$;2JLx`_uhawioSFZnOgZI~uPEM^6v(71TRqp91
z-rE$frUB#MUv4hET3Mnv76RfL#iJ>@LjC^NCHhK$gH1yrl+|t@|I4+5aA_AI^O7Wq
zkH7@#9Y{bGIx+WKVj4^YyiX4JTHfI>2zlqr5eSz-hubDJ7%MA|1fNoMidEZm1SRJ{
zPF$Pa`J=?;#``XQbuY2iPdKk6#Wn2vi(hCB^qlRbrC)8vCn4bMcr%@yprvU+qASE~
z8*GYZTlwzIJv$I{XH7!rN1g>7OV|ZZ8c;#-P`QDGryUAHM;aA8E==z?&jD6~X(}R2
zCLrJvCfS$FI5#Eio!x*5IU$8mR*P3xhg;C+P90&vj#+gY9?r{q?#g&vS;z?W)<kBA
zo9{>iM<OeW?AU!MiCX6;tq^Fp18YwMW#@<nw$M;#r3$z~Ls<yanaxCv-@32j!PBP?
zlwAY2HaJruA44Jf;`^XTZ?FYXWX8Yxw3qQ_7M#*D+s8;Z0cNA_Qw!0=JS_$r*^#L8
z`IQ_a^#q-C(;kJWeYV-ny=#S#g3Ybl4i`@yOG;8n%;wAT|9Jb_pEj~I-!Dfwigb}i
za>R!cGlMMK%z#b1VvDG{q_PqdDP0Ka#v|GIS{o}hO^0wJtA*LL<n0TJuSXEZ_C^T`
zvO!ohM!`yu4S2hSwXE}^u~0)C<n9J$HGyb41h#|Fg!}`0PL)mh1!73ZK5E)_)j76P
zzk1H|oZs_ey7c71Xw$B@UT`!aIYIb4X#07Kr@1|$pajSz5N!B-@>?QxW_ssJ;I+wf
z`Air1{-P!F#py`Xm=^(ZM(w!#Z^5U_#LgA==@nyFINs3sqCuwj7k+88Xw)l+k89MS
zyhb6ahh8S9z_G}kt6x3f=>ve+ck>4!AX!ox2KU7d9;mP=vT~9uJS1sI@{4NgG6;Uz
z>S{vAoM+B#B0voGfpBC14_dhrCSH6Od)fk0SHimvtF0&b<!#<>ZKx`|K`eq%SA1l*
zm(nS;S@qBn;CQ4T;X%K{3h}DF(zGD+4gyA)A5<NR4CP<p&xECbG*s)JUJ3gUVRhM`
zw&{>}-JEG?d~>li9VJ`{5Nt!d;KdirW4FckZTRs>=Hm0@mtB#lrUBEul8{DW9ntGP
zDs{q|a@M0l4vtB<S6_Wfm-_g@03b1M0-3~Hyh5=6#AQ1g#tQ(!0!R@QI)^I(SOSm~
z;|=P=fK!plR!A`v<`4iR2q0{!#W6%am=Jk%clObcxYcTHY6MBO&3XaMP1>y0HC@D{
zf$-UEBUHqIbs(hnf{5Civf7${gufuC%paVxAtKV+2qejwkeYh=$D~fo2nZ}%tRBZD
z559WEmwai?b<<&b;c)bE5xcb-fS|+S9(!R;s6)+xq}$L!yO49rMH~)!+U_{LHEMUK
zFZLuIo=r{Tmcu@9Dd-4Q#I1Ix-ti;enAp{=X}9`$KI8J>s|OI22!-ir{3swvqW@C_
zI!My^H9-hN2=R|#@k<8Z69gl?k_6_+#d<N&13wNRa&0bHTuB~VkdeOi)sxaM%vbnb
z5m$A3B(9dbS^#)+PCnWaA9)jP3;9>xrUv|f?+k;Ky3**J^e6tYYoCtP=)=hi$x&zZ
z?mcCw=lh#6tNmuuI-)rX(4F3s8vU#~wVJ=kKl$oYc<9>hqYo3g#R{#3B!yA%_yK{H
zqWP#%$W-9C1me}azw|ig^tcu2Pj)wSn_%|>06TpkQFW>>q2tm$lTl~%MCA7XCjJ4)
zL=^DnQYP<fV{0I3(7O|TyDfBP`cL;{9(x~%`vzJ8NUnJ4se565s1T6f&}FW5VYb~n
zhLqN$lP0}LD#=hhsFI~VhK4A!c<4<G_{e}jkZcG?T!z5zNZeZKszMra&-}C{elya_
zM;ccyD67mXVF*%IztiQLc5bFByorja-!%~Qc{;bNIA`PcU9ohen$!B7t6robjjx{?
z#`@KHfIvY*KANyvtyIo~iz`_2xY=HL4i5_jj!z)A>38;7vh)>tZB<~al}qRiJy>Jv
z>X@LX&d+81F;87JQ4v4~Gj(-r$`cJIHDvshvoYzBd1O6XI$GoBJ$16wG>zT_O@=9t
z#}W_oHD0)PyK}!mE9J)%ov0vEnS$1+B#spjwkC^*js(Xl@YjNqRa)Fel0sWaAXd7P
z40=W3BM=ZwZV6$$_&gp)0*V3zA#|n0V<<ERPsUe4cp#+)HrY@Zf9QDRkz@O8eO<2h
zDl14)WNpmxEm@RN@saQVcO*)&h)pOrvy8w4_xUuBL&b-A3kZ*JLJ~q=i7Tv(75P~o
z_4*1W_1;`o;Zc}XLA{1L_U1G6ufKXlgMA=@1>od@6h(0fX;{e?9Ujm;lYfGUv#SqC
z01wv$6H?sx+}zqClDWC@agKtAz9kq{rA3Hv=OEd)PT|O076j&84h02{U-(-^%n1ZR
zm2#xatavm4#trFC3{TMK2fW=6;`QE`Cuh00E)<5-q|ZZe+~E&#S8>6$rMq|kbzxy}
zup=jfgM$kT|9W>~ZJZ<Dbsr0|mjhC>SEry=et6L*1f;lN)z>f|rA&c8`PJ21clz&0
zi~7!h(V&_3(s3h>l?P3&1f?;K1vMtQuGLFxHW&c<n{I<`Lt+`f!8XcM<8Pb;>qFjn
zRAro|D=9|4<u<i?d7WvRjLG~E<tXGn5802Cba^InZgD}t;r#i9mrLu5qO31Hx;uDY
zL}p@bu6&}gaF%3IIIkv4IVs5xw;^VQNbOgCq{0#UiIB%DxxYKBiH4|kY}+lfUIN_X
zWqWJJz2i<dxh{sRKP3L)X$}A|^_C7*?{;B8ozp|V59-x@i$j5o)~<C|ZjQwryw&rx
zZ|h3vJCj|u+LLbD14Igh9o(ywTYQPH`T95(j)Vo2F+R2~pmleBjyhbQQ^u0rRcjS(
z<c9)6niS;{C=S-!^6hi*AsSU0{En8kA$@Tl_`WA%XdC?za4YvV0x?s@o$ln-l<vZ0
zRSIbb*uELF|F3NfNb*MOjUR&>a<xLsL{2&C8u>alIn;mCn^MG=fpf*JRCg+C^E~a7
z`LTNlOK*_Hg^rGerSVd{^7;R@2@J~JHS%!XmsQ3rO|Cdaejp$!MU5D)f3L(^2uV_?
z@`mqpQt)lNH+i=@SqHvv^+c7%vw)Vzr@nqs8}}p{`Ay2wGP%)a3<E%i)OxV}91Tz3
z(?kY>Re{%MMuJhQGBZ$%XcR;LO^~XMUw}0$QDtU2-j%mR-pT=zEm)+{O+UA`wuVhM
zO@q0Gj=`ll@w^1WKAoB2_~KoJ+}hlnFqfjqcXiby_A2)*9|(v>FB6Dlc$8dUl2DmZ
zN1fsO^E3ba@83N8=Gq_U=kE{e+A7Tq-0#k$k!h!;(5+_^{8Qg+x6E+~X-JnZ>e`Gn
zgj)Jnsl-Uat+*M$mIEcFZCj(!4eMFJjmm1noG+UBxqr$y+UL7D>gKI=qkX%}aLDPq
z;FykI`K{z=OLQh2pIiLfpdi>Th;qK;?p*mYYw<j{Hi+lt=1w4B1gH*(U5JR(t3C)2
zLZ%fs0QLwiD$F&ZYwg{=4Gj%8o9(A(-+c4zC-elpyxiM<%~LVUP!c3XVG-f0x1Caf
zSeR}z`7sl((NT=XqBOI#oMc&AXBrdJ!n}aDSS<2NFMu(#iUf?x943{fQvl5vqm>$q
zml=a*B8H;hgf6@X{ioSj2syquaXxz~?@p{Qu1_q8(43z;!a^{<Hi70YE@4~+WR@1k
z4_f;*deO4W2ms$75ObDDKD5iL8n!>XY`gy1|D7M6RhpSxR|-O<oJ9)r$LqG<?uYjK
zI2sR20*4>H(F~>)#l>-M0$sj^yG!FVO_SmhM3U$^wYUThFQO{tCXcV*9hA&ZiBKk~
zOyPY2fuK!*Rnc}pANArFvop5thcmP9V1(J(`}Swu4G-s4d2_`|gsV^Zy?2sU4Jii=
z7Vib|8S$~;^5hQX{*z{6+%b#AJsRv-Sf8UmtT|o5rd1Sf4FNs4c))6tWjqvS0N+<b
zNKO5|Z;_9L)b^g8@9q9<m?29#A`~8=*kMom<)7vmG*{}D$33}<AtCn$AAdI>ct>0r
z*A_a?uaAQqZb*)&M~7(ZA9Zv*BKKcCv{Fgsdjdik1wfD?g2knklzDd8D66jveKr%S
z)5?sd+2QNm*JsNF$#NH3b^lrKGmmHHvl&ml%s4!YqXs;N<iQ=DhDB*Y+%aI0h5QK(
z;Ntm?mvaSW*Jb$-n3r5C-6_%=6jalp_n+7o5oi%rq+b5sfDp!<O@{?_ne6a9T6nrI
z_x9SXNNl~mmwUUryRR{acZ=DXhiEQ}N85TYceg*Z&(AXGlKoDs{pWd(qXD2fj_>~z
zM-}1GA&_bpvbdf^8b|`Lj_=^I?T_IHXy@W!$NIh}7%@_!(2?&Ah^z<@{K(wDZtL!T
z=oucKHJe$6q8QeU)Mfbo%rH2L5DbAEf2#0Y&%^Fs>mO$U?7#ErRk2aVEhMkR=lw_j
z@to3RysV8{?C4m61?M7e_w8(f#X;F#b*<pFqfZ<j4P)Qj5%uz}sK5Xuqs7w}JI;^q
z_l0x8b{X-38luQsvdH0wm%C@~n~BoNAJ9e}GG^`d?%wN4tQP&augq_5UA_A1H>k5r
zKk|(3&__>C<pkk*^lljA-#y`lb?a`Ce$c+=>9qAUC0D_u;}crW0v1pNWW21LB?uw@
zLOah~h}}@za6L}Yhf5uJ^}ndK=>}^TF2J?fiU5J!V8_zFcTlC6K&NGnno26UYGQ(s
zTrx~Ez1{O>2+G!FmZ#r~=TfsX-QD-eoUg#~JV!$)+G4~%!hQT9c+iI-Hs-3JVPd`e
zE7So+9KMJ*8ZeKn-@11R5OOx6zR`-3usmvqdFoQ4iy1oMQxEvGWMmnD<mlzTOjBUA
zQ^>CW0$1wDWA5l*{xgACOWJO=7HbH((6Jx|5lVA@u}yxzR8lfqd9t_Y4L|Jt=h*`z
z|L{O({h*<+z}S=XKOsa)=HtsNn)@Ok@j1y+-h-CpQSSED-(fk4`qZEvLEN78UhlZe
z6&S?rh&LFDR%*<XBQa<EJGrkb(GxkRjH-0XA!nEQ@qgl)A9Z!6$vaw&eVN!5Kc2sR
zrS>m>O}GQ-WNJS^?gIFZ6-No+k(Vr(uVdLo56+`onEC)$r>x9AlMpEkES*F*`bpeM
zpv>xptk5mNUhLZkz7&wHflFN6XWZF{w3sVW?o-Cb*yyHH-Ln<agr@7%0u4qYK)&^g
z8TVTV5Wt&2;zq+?GXk%lDFI~d{Q0^4b5%?V8Mf*c@<=gtsWF4ngb)=WMFNKr9<Z>^
z(9B3PivD2sO-Mjw2T>xJ1kOLpJ}riKxV?K8>?f$<#;3SphG1Aw3ly=@11AYD^fY^L
z5)C;i+KbZg?fBZ=Vs3<7S)JY<(2tJ!mSa=KfiY(b^&iXI4WFc&Rin?hF5bq|QQ_y-
z4Qqoxb1ndOFUr#f-fDds3fXL3LG_OyQ3wbG;|s{B)1XwKNDazxF#M<*0tuDHSf7nQ
z%EYu`^RogxAYfLkcI#~b(a98gkUoXni>MLK?@sT2`9&ub3}O@?On&)iZn9xD0I)&q
zD~^ZFch3}qBvG^dPY^2DFzm_ItVjn?8#8)8b)@Ik7X<QZu?Xq3!O%!m81#KyO<&4k
z2*cFbpb?-n7ya~>SeyeDJuszi0m+d72-Y&0=OFGggn7F=%-7upZOcV~tO>N%;`n}m
zC<H(>N7WEYr8DaFQe)wox)VUSRt3ZuOg9HW>O#<|Z>64|W9s#{lRZS{S6jD}`npzG
zfU5`qm^iZ<e!S`WE`aM~FYD2)*o`wkZd*;bq#|ZL(^&kKhuhm#03N*FVPnttkK;Bb
z2%TGdlI`@@&mX{o&pkpHX<=z@jyt?B$W6Tk?;$7*k7HO1i~9j`R1Lw0SPQNll$tl|
z^;(&Q1k5+x!v)JP7ik1>qbgpLTJ`T#*`t}!R5bbJ59#X6MtanDd-q?wfQ+RF#{Tld
z8(SCvP7{jan7QTYkN^8?=4mH@!ML>qkXZqca+x4Jf}>yLXh<xuoT)-g`Q62Fa$m)R
z5-|n~=rg`GP;RFV;Q_wh+yvV2l-dxzXhYx;mMlhBBmFo5?)7Z4m>B}6M76ii763v=
z`asGNjnza3#!~)KgLBmHtZ-;OOi~fr)K%>W7yI=p2ILEY0FOig5_<G!1PFE_0cY(4
zMRFhS_hI?6lB-ug<qq#Qtex+8#2uK800Bu#u3okZH=h}SQnU(+DPk};21^NOSjY*{
zT$NH$74=8(vIxswmV{QJz+mM1V?c9z_x%DuV8ZQZGSSCXF}FXn;b>ti0^c{BvMvYz
z-ni@LM!yw6$b2{U_zy3>3ny7Xx}vlt47e|!zxmd5qc3Oyysa1z^EIS~Sjq$PYaSd{
z#s>xG>R_%aovRORQ@x{SOl(>hoWc*~g}RGBv_RMjX&-VZKq#fuTvJh_QL<$2g!w*V
zH;}z8T(ewm=V<kRMblP)#u4$<xxKrNfW41%jl6IGpBOkzt&SyawmyEU8fjD&-}D3E
znx1pM26y0%+RHnNm#mp?L>QalF#|HOAD6);>Z;kAx~c$|LAos@dHcDi(V>vO2gE!h
z0bZ*J13KergegxoP%7$rBCCOzUSHWZmaIo)O3<kYC-oa`H8R0J@mwHM&iX*1TCNp-
zYGpQqhd5*^sX5nv7A;yDvs7Wr&Z~QSe+u0nHWw|zq^gnyP;O?thzC-g@B)&61O*7C
zirH#v6rp5D$f7|^0R0gpOW_B=sR%%X0W8i9Cui@^KkKz!pDkB;^#HlP^kKI@<NHt<
z5F|sUCZ}y=v^8T*G>ifGOLNTt%I=<O4mlWg)zHY+<=QYzSY?}Ohivq0WI!?MjD`~<
zPIuz$i-Cxb@zpv*uI8O4WBq9W;_3=}$WiN)>QEr2X%+$8Cu77!9tsdbSD&jt*Xmd@
zf47F{5{v3cOchLwc)@!KsnT8VF1Kz$8VNisAdBabf|N*5W?XeDKw6jR1Q9>rCQpNb
z#*}}^-yb<)+ZejpW&lX3-vY+j2{NB2T0vSfO~z#r0|KOnPn&OyIH%CAa;kYF3}9jt
zZ1sNa-7Ns*Z$+#xqZL!CP8^DUR~hv=I5bTDnc4R4d8Rn^62gL<&!QL)6gMUL@w>tY
z@o(=)p`(f&?Diuu$K?UxN;M?W#0)uW!HzDmOu77ko^0f-t(iu{*p}<mm2k2(xrqVU
zq!X@M()n|umD|bmF@NvewWrSxO$VLk8)t(FLzvgZZu}X5gxb6P)3SHFNJG|3YC**w
zlVvqTDp{*nn9RAWmcwI)dPgWNc!JC|`3uSq&Q21kVE$Bj4h2F$&UAmnmL%|&Cu88j
z8d3_#_JBqm>H@#CCLK=e7yxhF5qCH}(2M{H`)Y?aFd!iA&^t0d#Q>YefHY69)JCjz
z7?8-=PSoQJUD|R~7=8v|%U3&zEXejUcD1CHvS7(#D+K$jw;Wif4kS5|D*=%e*a--T
zYx`}TX_W3ksN?}an-jI@G^bR7U3W%nW-&qm$e2}lkP5)q7$8}>D(Jfnn6_}Rm1Kn+
zky8w<QUzi-X#|atlN5e4NvP}H^W=fRLA(#S(|;5jvR3+LWTi#LGPqnJXz^3niLwL$
zqhv{%B{|)+mu7_fO&36aVL(ujp(+`|B4=5Op-6@#+bjWwLX*eD-NG0;Mlg9q(nQC?
zIDo}5bzHq(X33IDq_hf6u{sTRx0_4x*tuud?^qpOUPN1Wk$`s$T)Dk%%UJE|(@96j
z?fu2Ji3VA%ri5C3A^6mx*5Byl)t&)k3$J!JHS!LFBd)eOJ&w--fEl&AF43eu7bw_{
zTz^;9{he3RKBT-rM2C~$e^|Kn^93swk;^(!9-?5UvR=fazKty5mU`#OQb07P5<@$U
zTMD^4@J8<i+xG&QsQK-#C!Fs4B^sal;YBqCwya@!X7cpbx%lHt+cM+WxJl`VT<HJo
zbmr$bZl%l7#qPLUvAa3h!;fC?<X6M_hO7G_1K{zvy%4N*;Kc*(lR64>8@ilflaA!c
z{^0|d&;A#-xEo)?#M$3yX+FY3FwvODDytz(O}&UmWl4?;HG_78C4#HW>e82jMx`6<
zR#4#02uRkNTarfacJ+$E81e5QHQrhUWZdB8&S{+9U85<yWv^+jX^F`KyVd`Hz*rHw
zKn6pOIxpZSe+66vx4EG_K;UfqL$)~arxXx)$elX<w~oP*T{9UBmjUvWAAs>Tr7$em
z=LNxOFHp*XYHwp0WAle+$!sy~(sBOoA}KjKsw^Ig((o;wAZbW`!ccv&G93s=e?w1V
z3e|{v%uhRgH@#rj+WJ_JmL%k}e7@6c8Ddv((BNsOJ>+^G+H70#Zfheg+usF8U4P!H
z3uKnJ2ikT*BUE}Lg;+=WadUbq)W=)L3RcSN@6wQd^wS|vIB;m8UUm#3E{n_S1{vB&
zwBV9BmKEt#3Xm!m;HI1`fu7=}d&l4f>ClTtJbdR2N?vWa4PCV$^OjI~Ndi*d^ag`N
z39J_oDw2+Lf~;T$enPrKD7h)yg8W@=`b9vb5~&)A@+w-gO0Nr@(i%;sFs}<F75W|s
zU`nqI(>2CvkeudabsMCH#XP%yghe~sF-GH!RmL}1)Vf#G6SPpV9x|ghDo??fLMwC{
zbLyv)e$Eug%WIiA*r;Qnd7kGWIJ7`&QOv>Jv$CAk?X;=?51COnRRh3B9OuT;YPAvB
zJ-gK%NUJf25M2E&AG-bjdN3vGaaMukja6@?icFh4Q_D#imHBzs=0Ibu>e`svQOo?t
zfH#jDcu518`!Ug6M=QONIYiN?`QXJ3;#>9FexQ=D@JU`i7TkMI7Vc0WnKwUgsB~g)
zqTotEaEyZUa8be(l)97Y(wn?G=Bvusevj;3%PCf)jCdkHZm$OGTW?H9ngakj8snpZ
zKVd*Jj@W7-ZrXX9HWJZ<L+4LcP>G+nmpM=0&gcBl<E~`Gbf!8#@nmog2bJ116?*;N
zZ)IwTLlo=~Sq9R$-(Uz>6qPDjoTY3{xL2ep8O4HwpkUa(!HVMa1<H&<#q;3Ug?yBs
zapF{_`e;|%RGrLl3D6mP^hBb5NT0a0+sT=XqZ`hy006sP&M5fPSpeu41I`;i#5WkV
zx^?S0=`qyCO=PNNy9dZR6KA=h$*9TaPc;?+LTdCFjT{^`77`o+5Q{#?K<+0HIiT&c
zC6^IWg^`54s!UM;ASv;;L!cNy6ed9Qit>u%gcl%hzO;S%?Ao*L>%-K$eM%gPI%*9O
zSj$T}0j{XCnzQ;{ElGO-Y#EqU!(UE^)SgRk{=n5%kNPv1`r)2hFVTPB)J><Xm#FQ5
z%moy|-PpPPT9$0kxOJn?->BnLJuhzaL$2kZdo0~7VZYSzk`sCe$Z}k*@f352DqIK%
zu~WICG$&i)F`mt`WPYtHGacK6(!xXHlcewx!tB$S<22wR5p<hDz)w{H+EoQ&D`9%&
zSK=HHRD^S?gpTkg@1B0lAl`&1$M(K@_38l!jwm$RkId!JiPstZoGcIvg<7%O7^-3u
z9(|1|ob01?WATtdAmmdQ0GTn=)ofJbSg&pxsglL?Nzmijpqw7V?X8eU=1q-p8kN&<
zfr^I$dlqUzOvjVwelF8wrVd%BUYS*pgRMVx|EJ#e8Dq`t9wOUUjP9C>Fqx`Hz90x1
zwSEL^Yfx5iG}WD^jrI6n=;{PX6hXvaF@ED_fOcIOo16T7f7C3~vTf*}z}xkT-}1(q
zk-(OABe30YTH2(xKQkXQ{Vq8_dG0TS`SE{JvWL=9QD9+2Qo02t>nA>uMlE#+?t@en
zVm@5269`CC83n;I``N>vdV7bZ&Qb%KhMP|}l2((o2f!E2&W)rY<48AoE*c!4<7&;{
z0+2Cy)5~`dAb{REJJd)e9LurEPhM+XBcW+$53lCbH+}!;w?)<U_6zpTWRv9cGS|C@
zKN27iBeFD}w~s5sk3sle*-bd#x`4l`*N}(o<iLo%w)Cnpe*AFzHI-CKz7ceTH?oAy
zgd^jx)doNBtVea@q`@Do{U^H&H>%=q_B{UUE(Rp{<;@#kGqUiI!4(Mk(`bjDILi<5
zbzwdf?*j1^hs+mcy9$C-^JV)k-+G@V3qT<^eee<Y5r6p@3V1xCa+^zig%l(_1RzR<
z<YMhBrME2vF|E=7zOTrvsxs4nY&(%2coB_-oGsku*;wt0!ff>8sA$7YR4p4Os6_LL
zRMQFB>HdrAV3bWNeSb*z^t*Y3Kj}!0(D4<!Ij##fOGFkSe$??AbxCmc!TFbSB?%AQ
zco`D<ASp4r>k=NA1<7W-A5uevd~8`=*)}Hdes@kqu$2yNf}N3=qr!0(N7@u!>8}&k
zP$vQ;xw-4s4}@__pt=X_S`DEMM-Ko#?fugr;ZAi1AJ?w*C7M^%oX_BUz7?f1T34;T
zg;O`?*^qWQ_=p09dbaaRi*xjzaUkLNOH9#!_^;d0YpBY7iI&15S(_j`q)``H6MY*5
z<yGW*&N4x>oCOR6f*QQ?(``D6Y{OJG$x;*xVw$iR`J(`3K5@dV5?Up)6rj-%Kwwv;
z?Gy`DZ6~}O3keES-B3QZx2>G-zJ`h3k0~gF5pjPVFCR@zEUmAtElo^Jpw|=d9Un`X
zW5InT#z+-ksFd^(E;G#Um3l$|qz3naFAqqrL`o|M@V}Y69?wRyI1b@~MW@@A0eX^z
zlE_G%%#De)Bgx)e2wgX+UO9J{BhF^AdLfn^t~R%VJDlFpVJW2=iUu-V=(!vrAt_qe
zN}zRE!2JXJUS=kn?R#&2bjI3GTZHK}olm~s&wJnZ{b8q8a;r8}IbRDiNq5rsJpjK7
z;Gq+GaM2$8cyP2g*T-b<I{m{{-u#^7H@?4>BV$W4TwZ59KsUS|@bjfVNTrPm0$|^K
zW>%5oAWi}JW)0P>d1;;m%%Azo-XE%?l~82BUetd>qV5eqIMiGHpvr%NAH#ahiCJlm
z6Oub7LhSC3U=x(S-UX#U>Ik<bMbgg+?+2`b6Jigg0;@W;l>T=F3OpGQP=~c1=OHi4
zi+LVGZAl-E-|;+OeHhA#OAsRZMwq=?_&1$S{{e9|nsf-Q@If?Y*0BLQLf%z%E;}Lw
z@M@)AKkKO}z^*+b<Nqk<VVo>9!XEE$q8uFn8#vLqnpT<**u42UzeNZRvHbP^{{9=(
zriMr~FjE_%4hR7OAjK9jd$IzjL@KZx@JVm0OGbN5a40jkSB^k|A%O!`e_<awK}Wbg
zg6j;%<HNw=V1(lI{r=u$4ADVt%ckrs(+JsaB$F$rhU=x*`o}gL5n@!3tQTB#t7R3b
zQo3kl7)HduGTmpw9b5*-r=-?Jeb|(p{cavha`4<HY7cszk=_Dj3<Z7$<dA;7{`==F
zl@Nx>ZL%y!yK`Y3vk=>T2=$<sR;j@js+9NFT?;LrI(n?UrpdCbXqpy{x1ia5^`pwV
z698Wc=_5i+)!_0->?flmB-c~?nPq5%tTM%yjfVwV5>g_FYY6>-s^Dm+jyJxNA5#cf
z`0sJ`x#S=$A@^$a;c$3StJP4s`_rbvdwtU03Bl`1QL#K)jJ-LbT8JnXi(>mHT1MJN
z%-HHVA|z}a7lvKF|1gb^a$|ux*#zW}!(8jm-bKBFh8V}1O;uB5mUG1h8UP{yUkN$t
z_xl4tZZn5z2u4UIcS?Etd?b$TL#Tv+0B>Z|MFYSuLdwj8ott|Fjw4wK>S)Gl%_rYL
zy<qSB_)xO-XaD#r>Hu}`6X-j)kToF;g^<~l$++xfrw+`*=SVz79eL!Qkn?J{{YC55
z?s~JSs!$`8DMA|R(Ddr_%31Bx;de+c=I3`3HNtZm5FK`HV)11!LmuHePYB+m1Fd?^
zSQZG_k35?BtYCt0{hbLZX39@d7n2%>Ivl!j)>6Zsl-VTYLu$<TUv|64$ufrId1Do`
z5PY~xFzPVcYqo)n$K-&IgfQJjHYHEnm^2Z3z1`j29<&xkmQ%dRhDSpDby-ljJ9&Dz
zNr5}zoy!IRMbV0oa1cvbup|VS$G*W0-lfZ0wIbxTglPw7IRL_)%Ywtb;2<$ST^5J-
zArtzIP({jSmPz6emn>WsZw`0i9ZzZFqwB`#1K`F&wqRV1As{&;1RxOC%s#-lxBvSP
z3vf5Dp=OYfrCNw$oXCFSVt$AmF*2<cH-tRT<%%RU8Ve>NfsY>eKEw*#qZjZW%x1I2
z>@8f<2w|n5;eK2YVmhsOJnW|MObJWXa{{)PL;@kQs;V0A-vbml!DkD(LN3etp7OGC
zZ{<8oK$${F!aPxTH9v$)=*4WYh#YW(#7TxBKqOg+Rw|YLl6`xA-=bzGg8!m!d)Y7T
zrDG!6q-Cn9&k4@m$Rl1dvWFre-bFO&=EZ|;63WE}PRPMQ2}=_G=$5_qMz`^Mb%ltB
zI3cqHheg)y$fML^a5hmD38u5eq{7QbJH)}*m%4?#W$*e~BS*4$B3zM@tEK~mLQ(~d
zgoKpT8I%;efjBTIkn$TEe4Mkva~o~6-{6>;J8*Cad<@KGPR<7t3|wFsv*Qo2c(M)e
z7?=-m@2RR(wB_ryT4n6r^)GO>)uo2+pI*H`Rqwr<64E^YA-0k2-*IEk<V>+-IlTu}
z2{NKHqNl_e+uwcto3BTJYyZAMNON&^cHvnj#Cqt&s%PWX%6wgr>4YF7Otn;C^<Gq!
z-1Dj`^4sk(vHZXPyd8flHt!>x^NiTkA^)(eL$ddv)Gr--;B{frJf;(Z9*jO1+?W3m
zg0f(>`mWtdNVy1a$0EA_m4n=aA7YaaS6RF}_A$(S5hSiD%9Nyxxr{}R+n=z%A7Y6Q
z)t@53Dgjd^#H7LrnR{iB((UrL87|Ou(8+j`2SMMEn;T|?P7LgYPKc9fLbms2F;S7N
zC~L)sC`b2CX$r<eQ4|5nhT<iuEj=>l-QnS}H7iRM4zPU4;qvm-l6*uo(0t787VR~Q
zymqlKq9i1@M2LMq1W%njPVl`XQ8}KTjrQH7um7#i2-_p%k@_L_QPn|ea&G4nqAo5A
zt4mgRbaeK%v`NUHEE9s;^qDgoWt^zcV3B*yTtdcM!Is(=5-!g%5GyeZ+*ALp<vsQ6
z)2km|U6Z-aVC(8e=V_QZwg^FZOs-k2^N2w1@6-tgD+?1f$s9V?ZlQFqEZJa@5S^}=
zy7tx?axTwaaX<!R#sPXHW+Z9?*_>z>;}T9YJ@u?y3tb^GV6Ep^Cd7%-RC}6sK%hqQ
z#}miN-X0wvVe0z{jF@q9etdj{ajxj>`1p^N<9HWG$Ilu$@mNhfKIxsA=HAXRp28L`
z7GKygaVl%-B+zsuZRt4H2_dbDjm6v=AKf7ma&dTwqw^L<%sn`P@fi>jq9qoAUOa{i
zKm<RN6UhZmBrxG)chTq^L+OW%x9x8q$<_%6rx`i8{_x?zA-f7k5)3_v<7&&N%xF&R
z4Sm$DFp|CfD1T=lq*H`+ijb}+q%nkaijYncf)j~kt~+;#EF56`kW<W(+5ZHIY1c6O
z8pcbw@D9dLFy|C9)-V<NK#p?aJ2mk-!-=mxz>N;jvP&Z$uZdF~;eZ!$gl|}v5Jbfi
zV^7ZqiB8U5M7I!f-f2R*?g$BacGz{HB&0(^`iTU)Wpqf$rXNDyy?>3>0HCc6Xl3~S
zJ&f;xkWZkcKL7#OFk+4AcV7Xn`zi~4t+z~1yn^d6k{yCBS?Skq5DabXX=`-3eL|c@
zn{dKX?AGf`bTlXD{Yg0-8v+Etk;X7X6(RTC`8m8%!nX}!tkew+jCuDh=#))D$feT8
z2kIOTc_V*c=Mu(OJs|)f<Wv*#O5Tv+#5a;TsXp$S)}p^n6vkL3e+ZJ(MVUGGNr<yn
z3uBVD+<9;yGttc)!|Vsl;J8u`{uMD2aydu{U?d?#Nr)!o`lsk12rU>K3onVZ2vW^P
zkk*Yi>&xAR5GPcX(9%Lg#EN-o2m8MVsD5}?C>dCz;mws&4Odb%z<8;22<no9Pf~}B
zCth7%pWZc6nR!*T7YmjS?K~(}$)|ZW;p@$5-%WM9{G`^)<3kdIopm>t1^i)AsoRH#
zjeL7sjB^e=G+~>^f`VM&W|2#^;z(#7ndZLMC1f1gPn7|Y=B4w%$WER;J31d--B?o0
zh!~H~?c)dyV|5(od0f|mGRD$02?AWCOrIOvTotiz(%I}w$QXQ`228D6Zd=+Z9Z>Nd
z34vl--=6eKmh7cNGICG)Y6)r~NkC^KQUC+E8VuM$y|IoA8}~0ECZ3#VN*I>upAA1)
z>_~`mO|()+J%HKa*1;D+>fQvU6sZ6%ii8OugJ%{M<DCg1PUhD^;Od2|##(i=<RpYI
z)a)!FNQh3@A<!8F+oo6r>7PNSNsu%!hCCFwWQn@<qcWSI4DCt?!rP-oswoLv)m#Kw
z*}=74B&qBNI~@dE6)=4bA!uSji4wcWLMHiOJqN4R3VEPH)OEgSN{^4)MB9>(Nugyr
zxIk%Auy|Q<txPA;!Se*E#ZG0r!PHzt39(NIsbb|2Cut2zy<O}r{U)k_2pRmcO@@(>
ziB{l(2E)S2ih_yUFFj2Pxs!j(%Vua(vflkWnF3~)m^*9F=q0iX7gN4hm60t4Ip$${
zbK>z;-o#7>Zj?MHDXm+-%(j+Y8{RAZyk@2!Uy$>;$ABEGNuNYEMN<!5kgmDTOPzEK
zh>%++-7SM^0#s}JwMYxa3B|<=g+|1!Ux7gX-y1ovmbpM53PTM8BQc-uhg`gc2)uom
zMPPPl!oGxTy-Il0*26DrO!6S1b-ebQCW@-6EIrRF%c_c^rdhVJ0Kp1|TUeUPu@Fr*
zNkWVtasVLKBm_r%*qAQT9*l!`_9X-{M?wsEwX9u~4dxDzW+B=meOQ4C(F+jTD4X6b
zkV$Ev<1u-;iyvaTBjEA2nSO{;Zeg7cEd!HShlw7)gcwr7TqH%$3UxK`6$7NkwZ&^@
zfh&@_jWWJY^mb<|qjF@DglzgD#>yhQC64l@6{%8=6ok31wD3HB3E7ZwuL@&|@f?tJ
z=57T`gCbxQjphDU-z|oCjHG0O4zc2gXf`}QmvMBeqywvh+k<__aQlOh@v>RxwQvKZ
zB~g;0kphw=!S`sL51xw*S^|rTsx*$WDOKQ9531RINaj_3jK(4xmeaJx!0peD5W|W7
zW@Y5><#A0}Dv@Y%sEG4+ZyA-wqZ*|@up+3#lIvf5!eMKIe#q7S9f>3Z6P%Y38XF0S
zEi+a;U01p)(ZlEv%bOc=<G?F>`>KM$ga5U2I|lbfp`CxwMIv8D-c<h!Gk0$H-VkGv
zD67a{phRO-BrtX#%0_Eq(2t*xd0rXW5+c*<MeovxxJ50aF>)|TC}UaMtALM9^|ES~
zYmi_;85$yqOh=+xG%$`{ah&-JB4oTikULPwLlKx&gQWoyB;xh0j;67)2nxoweMQc_
z5?NTZ$bvM=b?S?DYt_|M#LH4Ex1S#&)`f~MYwgk)hbF*KS>1*h)r)#Rlk*I~&km0c
zPh_{~Kkvf@4=N#_%2hIoqQ>`^;U1Du3peef<tPrC271HlgEvGTM%*a3Uo#;FS-BU}
zU}fA#y{_XAYJN>hMJ--*N8Lppe+IMnn|}#Gzr23^)fc9Gp9Gi;3Uik`2F^>0RguzK
z#(PFwJP{%}Y1-Hg05?1uhLE;1APHV{U3ZoS|M|m@KYsHZ{{IV@y<Y-tY>!DWpQ1ja
zNNAle{HWwxmb@oIluP61XgHfRN9t~ZvYrs?eun*!zkd(!zeGY9-PmLW3~msTQ1s>$
z6#|%OP&W-!kS9WZ+NG(QMIH+bl_8`*V;=pp;}<W!qwe>g0eI;plsbNiYn>7!4Sba_
zD(X7U+jZzim6uH@xAjEGW;i3`=xMffEdcn`vmQaQ(twJAs}<_(=g*%f3@3;lb<e<_
z-^iFV=h=*{r6)p+uoyp6h4CX1)PA^FtXql2VzGxtSQ7!tyl^WIO)+VVjXrNK5syFG
zJLv{OrhX_HO(bF!53ffL`(ovKqrTks%EaD(v{%Qn9zBSHlOZ95R850tnpFWa;`B9q
zh_ha?@@`?UrzOh{Bq0vJINUs!^$F_azdt}iJm&%MM2OlkG#gadXGjsUUt#~&-q+hN
z@n!!4PggX5l|3Cw&`4aZcZ2Aa@Oq?j6l6qFu91Vt4kP!5Q^PPT(~H$U#tk@J=9#=x
z{?RXfVT5c*h(pvC?*G`k0@pUKGY;_K2e8mVjSELugs?6oIW4^?oH!0n$QCS>rW|%b
z_T^Yav{?cuN07Zj<qRXu1IIlH@KnmlBbp|KAcpbTQ)4RFu6RU1H>;f!9HpQ}%%oNu
zp*r?Iuy?X$$1?3Ux<R7t0lIhJd+&Rv`|*9>``z7p&j3V=Gu|BCkU~>XSi)JrNr-GK
zTsg{wE-L^;T#_kfw?nZmX5m{?Ve6Ypp7tvTd2K7VpX2h3D0!wz+0^_uXx2vQmoKPy
z=G!joqqpAr4RkKXj{!Ns)<UJ|N$t9q3bCSef;kHa>T!EgDcikP*?tLtT_0yWr<cu^
z(VXT6o#f4$H3vJ))zqkZ(2p=Y1)vYw6yzqYSwmW^;G<A_V$=b;Fo=a%JT{m^T9zkm
z34qjKmM;#d+91y3v+JAKMl|ViK^(QRzzt*V1Ucg4wP81|x(s}LK<x<XFRg_DYYc7y
z5Qh^w3P?HBFS&MtpVg(S)@)#H!nl|IwIqsG6cC~w1prWH69jQ6=oB~TwT%)(*^{pT
zPC&80=#n*>%pL3lnvt2!0_C7~IVu^iTmYbJjK9*;jK#N91VXKn_87t<<)>29b2Tb0
zCUh~Dk@KTEHBHR{Kt1U4^|{OTaEWn5t6V%5cPI@hIY`BpZj4Zl%#?opP7Y94xGZ#h
z*Ura}AAioZ04ZDx2A!qgTwQX4u*x_A0YTJ~oOA^MtztkBaMF)KknZ%b(grPVl&-mo
z!TWWFk+J|FSbB1RnjW=eDxKi-+X2QEsLTNbq9!7KS4tRaLCDXf7#9Gynk0q`@x)q~
z@Qg;b*<xkhN=?uUxGQK}^ZF@M!>{H&eEG`LU_$qt`qe;ghjG^LNCRwhdp5od0Nn{l
z`y&Soh_LWAOKq&TEJRq9Tzjon4GV!@Z7q2ShzTF7Kvhd2bvF2*&e%g331~#IP+0vN
z(EK_TlQwrMuyf}sfL2jqAt=eR7oVi&JrskFY$_6R7GzRXXYVYpK7z)?giR7DISc^J
zZI<BK@d-9wg_^6(P_n}<&O!4EG$OL(k;8?I+BHEP5pJGm+wau(0cj0;UlrCqu!uMG
z>$~G2wQ2X-d<6FP+}}M=yLL;G>{Y;tliq=Vv<n>LwL~!>IRg-BFuI`t2)(^I49KRC
zE-yX0opCnbg`xw?8!M_V%DYfLi%)75D6imS=^}hQdHQDKiqeRYtESYw{Iupd6Nn`M
zIJrvjJdqBk#Lt9GHa`Ky#X#u$^imi#^O4WE`NVos=^`HT2@dMVzdA8o)=tzOa<Wak
zJsgN$v)gZK_8H(-D~gb|+a-HU1q4F$T?jB?KzX|)?XCxN^=sHd&NqT{`^JaXqoPBL
zB>hZwVFpbbC^j>GaYhp<j}adl*Ztx)4N#{%RCqjGI|-+^ly!M2G(S&AJmQ9GxVWGw
ziKCG_R{4A#gBhYcQ#)QIka2PjQ!zw&iDJ+Rs5^NGpugfpl^%0@JVYDG0tjQh3fI?X
z8FRB16_6W?I7_c@eX%u=(s-czc%xR2kLUYn&O)$#iqNCB83w1@RB+q+%&bNrcMbq}
zvZog}v}RjZF=jKnjZDhAO!GvF0N$<7n~Rk!4}xt(0RT=L8L^G<?gUQ)o29{GO#qL(
zC0UwOIU82bV^chyP!|BwUZ)BE1*T5Je=DW#N#e}^?xPdD(_U+i;TK;V<slf5{W-OV
zeET`x-N}j$X6AO%p0=c|;GlI|ew-~47P8&s=;YrcTc))1wL9$^3qd?dl0@eMW=AcA
z<5`kz{dIykxcmD*v|9xLg5SG0t#Ws(63w%15LnXZ-fwh(n$hAgi);IEQt)X@mC>s6
z=?F43;VV&EGXBWp7w8&5j$iO?W5ZhdIY1ETGP#&*Wyen*b1#`HfDk#W?3F*!s^A}O
z70AwZ`;SFge6wR5RDAa!8wq3jh-11Ws`?<?iu=bCH)uGq!3j&OrHFpm;nTXCha7p@
zi=eUXwh)#Pn<}JDf-Q$d`tUMv<`J6$x_ui^(SC{RRRoKW-i>@sjPSb6$`-^|kZm|?
zbd)i%b><Xk!y^iBv5l(0TbEZ&Xl&SG#PYG|3_z)(8n4d$18)DDwhNFNwgEDa+1!1$
z(Hsa?D^VZ92%`K%D#2T<BT7Izm0D&C!wI_UEQH00ZqG41B!-880Q$vD`Sp_BKNL<y
zE=1%Uphi???gye$Ooav$Q}DRd*|@7TKG14Un60PhEZ05J-J+}%MLC%O2uNW|IeA_a
zDKY%aE=!k*xJP7iB}%58fi+4BUI1uL_VikLeQ3b477~9u7MDd6CkFkP1WFrRgrX+K
zhZYqGq+PYSa)=5&nDvtK1ip+FC!j71>c4;c=Wl;_WEO5GAY8_hHodn9@v8nOYEc15
zMNLqC?ek0m0R5!@;`y)SH_p6Qg<7?c;YFo*uHaE;KZq>`m`kKs1=wL0$A_vyyb5En
zg|jezt2n9rxuUI|BmEl@FEl340KG)@Psb9oOQ&?{(d=E1hb&hDq6_jjmEv||C{dW4
zo>vgm7ZMp?d>2jsXh)>Z!n07qn*DZ{1uq{U9SaA*<M;pa{-=99WIwtFDt*(=%p8}Q
zD%kBNFi4yN#dnG~4K^<Jo_N)<{!kHJXvtL?s8`U%lk2ZR{qEiSzm_ic`&|Id7{RWK
zTK*L1$(2(=+Eu#`jR}2iu|GW%aY7MeEQnJqLC_^pEp9{O4{vy1PlxpZRq(sG+Jldi
zKb*ehr~-l#<*R5hXW-$Zuk6A5h#!|Ob^8k{c<vQ0(GDRu3USTz%512od}Sw;1E@<0
zU2^5a1~#Ew-tH<UImuaIddGkEY$Jtl_!al6EProjGF$Lw0WEEj=2|5cai!wojWhMN
z3$?IY4C|RhA<kzmrIt=&H7hQkIja=!s;ismVLort;?ClPQvc}D?R(DJ1X(_v-UL9+
zWaFKZd|nq7ai*BmJ=xMqw%c45v2P)>doHV;p0|)+-YPkEVv1hLMji;V3qV+i$y<TQ
zlmS+ZEpF$URZe#Jw{iKG9$O@Fk4nb|V`@Nl#7`<9#HDytoI>STBvw496q093R9c)8
zBK}Mj@*>Ux?1)KOoXj;m%W)^?A6=K@F?Re3lwzuuysA@aYI!xL0+&Dc<>hq;l)OSb
z`$u_B_NF(~ZUcli_QQ7{S-`B5hY&1FumrG#K`jVF%K1p3dD<u=5X*ugH}fn_&@9Ol
z`ik49ARd4-lSV(hn{2&*^_dl#0FDQg^6|=EDI!Tj59`Kt+zN+V(}-6Pi4_nmusm?M
znD0}8AQiwO<63}Fap#DjIkUO@hrM8Ic6S?nmyaA88w$JtsapVf+*-);-v{JS6U+Xy
z8h{RezSGPl)V+WhE=xe2Jmkes-8ag@OZ@%x!-JrX{tw8D#X|r-ZMm$j1mwm43~2Z$
z5BWi0FQ|Xs4(grCUx06WyVyctxZh?hQ~t^C_TGma<sp`fufCubg8mbLAm05CsSP?{
z60Z&<=d516dZ(J&hW(#Dy-))KFE1}Oub}uACAGl^yzDHgkV6c^P3F(n9&Eq_h=5o{
z&p=NF#03Jdc+2&*Yr!%=H0S^@9D}4NJ>pMF#XiV5RaI<o0aY<2B_%O2B_Kc%fBmHY
zbbqRn7*JRhtPTjkG>n0p22wBvtw5@=Zp(Zx%5sRIL5rA@7=XMper@B(;`mRU0<^S{
z;lY7{F!U*nt4(5Lb})biD1n@XjO2q|FAFD3S*3tkf)xXp17jn==7@EGAaECK5(9@3
zM`CNqfdLBw2!XK)2HKy3N*lKbrNK1+K;Nu3bridm?6BC7uYvE(?3>lFAC2D33aydx
zP{aab>{#dQPXidlVgRb-D3Qan8>9v@k{{B|x$j2~gd~Q-xKbE;FCe1efI3wOLLmT9
z72wbT|JWHoM+Y36d|1)c*na)x%YXgiFb=JI1f+?+{74MoAgP-lHiV%7xF{qB-UG-$
z;+kOL2%WJ+xvU}bG0Mzi)SxNnh_N!sK{S<{6p$c~Au<)HF>*f;%t>1Gep5!qUedDn
zOAi@h^Tv&|2Tn7cZhDBmx5%HR)9DuVY@}bL8yvCq;zhdYAbLTdcNo}gwpe)Lpt-Su
z(*qg0q=f>6GY<FZYJO8k<Q4J?L#UHaI|yYuFc|~T$RFMZb>Zo{1M=y12lP8QfED^*
zJkznafH3g3iylDh2C0SMDQ_S++vH6Gk|r-Y2u<>P9zsKT3)(ZQ0o0v*8&Qog93d-Q
zGd@1`k3NS!jX?-QLm(jL*YsSBG9s&x*BOCOPXTZc66BL60hy$NMnI;?%K)rGu7K33
zLxocZ0;mBaAV0N%kUX+OAon_fpaPQa075zh5(FZu5r!lfyrd1E<T0_~1L0_Ds6e#e
z@a)J8A@4pzIHFmpJK$4z`SRtjPLM2!bt3@M>OMnAoiju^p=>!A7LZRhaUvk3kY@<g
zX+{8)|5~Xe5P7*$sgxO_@;XP<l$(gL3MqzY*2(WvAbAi-u7>3teIu)8Xr<G|7k+9e
zQtm)>$b%e`E;bxQ70{&KzPAI5exPy>u(f@!1z`cXpz)LDkZ^%OjNa<%N+V#fXhKzJ
z*E_tU0Xq&b60$##LweWwTh2QI-gSJ|{@~&v0U2}77Z6c?NJ=1kZyh_dqpRAWaI}8B
zqf=C=-Gk78nCA)zqDmHDJIERDys(`7*akn62Q|Oc5pWbwu;)B}Q}}Kn=o~odO=@8u
z1Q1d?2jIylG7u1yg>hKKw_;d_Kv2|a#KB7!)%N5=0fI^=>mf`I+Le937eM0Lr48Y?
z$F9WScN}I%AE<rxRSfxQMvvUjBrH52=WHKB!jnWIzH%2LYcjP2RDs=$l%)+Sa@dvq
zh9ASx`OhM>i%bc;9ck?Y!;Tk3>@6Xo3Jej*Ia~H30ASDeyXeo`%3UAH%f(ey-MgKO
zKah{q6cM}fwLxtl5S*=p2>9WMWRY6tTdEtXDL4%S6$w2K5RiQ^IYcWb%CVk!VBWIl
z$6;N{<ZNEf7wqIsBQO8Ex+~|G&<8T*xr3IT+7M6W#3RVt_LF_1=4S2aoXp)ZHZ5CE
znS!m^bQ<Bz=yqzOD-n)PquG3R_BrI}3<?Fv?_2ZkCx#iR>+)92l5%1+FIDCL<7+a$
zx+$N`0{4N`q;zfhvoVv&_2*?WYwOo*8L8iTAal!m(#~4)ATlG9>zOC)e|pKyls3A(
zFb{6MgaU-0$7Qd7PpStX;N8|o@veMLpHj;rFLO6*JMv~;#v>g-ejcfAS*z8ZgMZK6
zS{kXzzj^vUP}Fi$Bb)B*aCN6t)k{l}@1qy=JCTuBnTvvT1#<3|y&nhVp$lOE>2Zc|
zu_vV!)#akIm79&^Woq^DT{*h;4iJ68sIDg?ltZd|&ay0-tm#w2*vmaPa4&1wnS-j`
zXCR2pjBQ!Ae17IYv{UWW2h@XIhQk2D>eJJcW%8~-Hl=jkY<AfTfGkz-%6$c9la^Wd
z2FR$W?gT(eUlaxh6AFkRAdy{NPYuqMd?0A<X5xeNefvIi1>zOAw~H+d>*nH^IYdvV
zJrR(h*kIhXEGue52uYorj@ipup_bA2am8IAAbsKukWHD~pOGm*)&a!ZI(R%+S{kn2
z?GJ$b`1l8XW5gpMdTKTDO3&+eMus<|3(&(p#PdAP!VniL6S^L?-1wk5&@+(Xl?kh~
z*iUj90XeIkA>vbMyHbvNTT=G<K-OiSHzy~k8Z3MJ_9mtXh!t^m^w%?)`N9MFyq0+_
zXm<Vc@lzS6y0!G3Ocib?&GlTokkQA1_cTHl5|BbNwb<9cShDPu;huodZ?E0x_0KOW
zUF|c^avuWDn(NMA5lA+==Pm=T&F>pp)^)!SsE+St$7|UI3VS4A*InGmyHR)9sAVq#
z)Us2CmyJf_EAb6nAs;t9GFn8R^*&_z;_TI{mp}jP`mN|tZyUoEefIKafBEQ>Pd@s4
ze;7baP1DTYMlU!Afhafw68b2GO6U0I$|0aKMvfG!!c|q(sk_630BUDkfPXe2df?%-
z8jY~Nq56$hGgd(u2Ey=S&ZSU?<3PuQ3?fA^&|Pp)+#IYvfC$dco%LxP+<byQmW_qP
z#7K*+-*UM>kbn3&NFX#hFE6nW!+5$#H}w;u2V{R6iwZvw>;Qm5UwaXJ*{71_t4d>T
zGzTpJcw1F#7q*8_&|uyn*bU)8qDYLd`%#lX4#&kH5+(kGAWCWvv;HDo5Id>_1Q%__
zOvD;uixESR*OIBWgv`L6N!u!rt#j<J5CH}PDTxM`6np*pKsM`H91KJ<W-4imQmZ`A
z?}>7>0~0t%hD`1Lg35@%h2@)>dYnogU71P#5=cBxRg(!xp0t%cYui8=$2Ujfh!%@O
zAasK+hYv!G!M()@GHCKvgh5?Q10hokp_G_XC>Sb@#Z#f1HbV!00%xeb^%HpM6#7AW
zzB|3)sG*JSC%-)YqX)$E^CJl%$G0pP_p<pz3)~;5N3-#(Vg0&0-E5b>(?ObkOfG6h
z2#k{b^jpF7D~JDXgXunrAZZqI((q7!UI>iGv)hH?yckzfO`OHzVIEbCz&J~<R>;!=
zU2Pu2iV;H2*UK$nK>_9jt-!!`x$Z;K{)P~e-Sa6Ldf=9B=XN<HKS{k2LMGLKiM-Kj
zSJ@FiT!RT_KnpCGY}b+BydnQ91co!NLnH2WlK+ux_-02vN=-dbYK}Hpp`XP2Ul<51
zi@)U;utX(NafmDr%X7r(vJi)gK%R5(?=M5x@-55mz~tIBbmA<23~Xh@f4}iejZlOh
z&toF(`=?WEi9ssLvM~anEP&Mj$UoWsGA94FAt%oXA!Pj1F|^{&vyjN^hTlJUrdCFu
zF1t#<pDeLj12sXlE!7PXr5tZ<LsThq@h)G5vEcLD(;L#d5Ti9Acl>xtNYWp|x)3Tb
zo1sr6MF*`_)qrv#{fk`4Yb=K<v6=zks3_~AS7}m#6mk}k_MRb1$es2LNzTIhh9K_%
zGMho@C^>YgQuL~dmnu*~2Hg&+31JvdCOD8YR*0gQJ}Z2vC18wq1tMd-oyizukzo!{
zLI%AXV(Sp%3jU(TagGxw?{Gw~+z?U8pcK-p2|?)Uz^YjZq7>D(<qt1s)Y{0E<?*MT
zb)&4hp$Dj@T#D(+Y&@N82(w+jP#F9YpkLPLE=9u-v|UBPVvtD6Y-Ab+t0gO<Ccq#x
zjC%Ew1{o*}STuf_7n?#d6vHS8<)!e809)wA0u31a0p@>hsU^#{lg3Hsv`hEs+^Z_M
zzdHBabE@cs;w2VMQy3M`G)Ici7R|P)B+%ew6Cem#7lCN8WU*LG4pa>jJ{!7)4r16e
zMc>Drs@Bq4$pMVu(n=OvI1y<@Xk!Dw5ReZaV<z7L5ZTU<oX9uw`1^@8Ymn1<{3<VK
z<};aWL`;J1L=uKM=>iaJv?f3n6Q0i<$R_3z65Z$GL#VLc>9_UBNyeRtQh(Rvj;^EA
z3mEGF0LXM0XC-~H1B0nt2L!XMzT~(X=S3A;)n!dM3~qbc5JQDU?FFZ}_XQ127-F@Q
zQRYX6==2$@x0bP~Dnlz2jh=%Bh;9YsU*8r;$lNfra(P*<RB&&jktI^mCG<-7pz`LX
z7enN1?xd1qCr~A+%PiKEB1{&u<*`A!0f^%Hdn3>D3nLvjyQe2S&m8Hv%>l=Q_at<a
zAL^c$h+G3B^nJ!h9xv#m_gSaU4t4ZF+jRJ-M23!@m;(9rERdsCE9n#rqn8}S)L5%k
zZW+DuK!qAB4>a|h4b@&t6RTTq&{B<aUf+4?9H~h-M8F#OGveAZniQ)W4Kf@V@76;q
zVTfr?TXrSg?PlOG+3tay?uNE3+jcX|R&2|%^SJkg4{UFzF_vZWT`Qg0KB?F&%v%iZ
zCCzm$W|5(rcP$uh1ai2$yIZqHm`?7Pp5yRR8)|3tynv?Q^%*xy1*}qu#5xRnBcFW0
z;RWuL^a2}sPG<ynGE1Y~z&Z=~*@*Me1jw&00~s2I5q!Q=<2W~F+Tp`<oVB4=9co%W
za|S_yJVt9^$PflrFFWXThTl4$f1hONjBDlLPL(y{{{P|>^&KttO8_~^T5gW5$(YwQ
z+jVo+MkQytmX*y~?7+5c@))ShN@p2kc7|CNbMsl2se~2*`McYNQpvK7N*A8;10K?D
zZ#o^cXQp#JVuiNJJ7;Zn=%Fcb7!URR^#q2RY^fdaHVC1Q^-IhFkh6s2o+*oW6kXqB
z1sy;XpTlsYhZKu7R_{5OQC@t>>cz5i1a*k{J#Fw-)fuYQl!l>YULO`%vB8{S*<lSh
zL(KVnr-uW30@bK-R{Yjq+Ufbf$0GJFmn_U@Gt;%)e6v}pgs$8T^HMjgR5n5>=gO5_
zSP9oEb7@2jDW9`W(pD25kj2W>gqNJy0J3dmY5wzINkE#F49ori5L(qcrfzN?mjHyf
z5g_)CkDY?&w0Aw{Y|%N^6BI<0byhg;v%L}T?0WEm5nqacSTz3$eVy^m36QCW(8ZpL
zpgxWvoChs6Ssga`=}TTT&RJua;zw0}YE(IH_)|lrjny)+4Ffi$_yI5YzURPwra+df
z0m4b}RzM&>5r`YQ-4j{LHoI0%?lvoPuG{UpZXPfyYhlG*L$JU|1PKd6LaA%zD>V5T
zb`gkt6OdnBi6JJcT79Qb-~z}#D?koS=S;`p2_Sa_5R2@H9{}P2*3w8US%^P~_WOM4
zcvlCE5kkpzF(f{YA%lTx^cr-v(=w+2TwHBfUD}C&6qmsxMnINe9|I9k20oT7UQi7~
z>kSN}z>)y+3oThPq-!-dLIEW2h8r6jSqVVoSs?DlMl*W>h;3v3U8ph~NFo~<x<3*_
zXfw6XXgUD|z5*z_>zk(IO@J(thXB-WyN?yEa0Vy>NQbpId0*czDQ(UU+nb|4J8pAF
zPu%DsLj(0$_5a!F_dNnKFusFoG>TOx0s=&_R^%Z^MzwKTMo=$DKw3U8QYb%9#eF^;
zIP4T2lwu7v{&VfJ-n$-1ZVuBYed&g@WDyW7TN0M6xm-5_5=wcoWPO>l?6ljIb5<rl
z29jqkg1%(CS@e@F%|iPJf_ef#bfg!G>2yj33LMzv2D}sS(sQtRPCyXUJ6?j=G0u70
zb6A14z33S2!@!P}fSG+poyR6;Fz9z?fXoDSQq=EwP;+QKDjMH9yy0^IX#q&<B`ZWh
zUF|s>0%jD{8w6zMoGwv}JI+oG8fzHm_~gYO+x9}<y14k>b=%%tlu=;4LJZG$o2Z++
z%(XJI1rLFjbXhnK>bAuY<*`OFd)qoeD|9P^AqO&mV3d?00|sBeWF;0$ZIK`<`$14D
zZF+qV$z3T3*7fIoPw{Y^`|bTcxd^@mL0ebWgT7Zo%2Df&bo^=)mcF;%C-H<qN!*Z!
zXuVod6)E?*AEau-Uadu`haVJ;awE3<vet^%>d9Jz)+{v{1hB_zeySH#jb1Iaqn(o_
zR%`62&{8`pHA7W<w|R(U+flkVm(AFDdoG=pky2z1Xxn=tNoiZoAHYt~U_UrW%W^(@
zkWXjl@GUP(_JJ+Iasm%YXY-OI3^yf)AfclXEs26)GS(ANp(PTq>QEsHjesGtB<P4N
z3Jj3QAO>H*?Tu@O8izuyVHhGUjH}R94Qiae8q^czA<z&{R0#StaYWj9n1<7!6NBGr
z9)e)}CIN>4Mr0!^sc5CKbz&C=SR`@0(Pl~~*8_Q%G6gbQTpSmwv`Kk4(&Lv3y=2nJ
zFc}%?kqS*48=(J;K;HX>ii<xxki{A8s(O8<K7A&2p|~5H;Xo>6IyO=!O?+~O$@wk=
zdH557pdNlL5a~@bF-p?ZE=?>F$<^v3+20-r6=|bJC_>ehv3=T$ghVHq)*{DiR6-bk
z6bL@1-VmczhnBCXdKE2G%hX`0!Y4kWv6@)lq6W4pkO<UeAiw$O(N9>i?!LPJ@LC|!
zc($h#D?uiog2=^p8fJJ%<8|%rf$WzMw^2Am+8)iTVjg-5?D&LvpWt|<w(gY<AtrXh
zV{H3}hb2%%W6lt{ZrdB53avWTBii7`Q^jgkizdF@7^o=sriPlP^-_an7|GmgG$@1*
z8jUK2@XK-$2p&%V=gR#2?O$@Z_u}hc<NwRL0t7p&tc+$mw8Il=YzZX^pBYTG9p*)*
zv4+EigwyJ<EYUYP3u9h>TOgE&=y(o}%1CGI4L%hK6{;O7i9%ne+KF?BG``U9`^d>7
zr%~29ci7(UK4*-#m76@|S|H1)BpPw!J3egGMWE1@eWV$2RCUpzQW}qljd5j%JLu?f
z#`zIU)APhG1Hnu_{N$U3`P=WZ9^8BVm|m8pSC=jVk>=bSO}VvgTVo*G%)&&c8M86n
zmH^`BWZ4aE8+9*Cz8EH@yG-OCZjObr^tK+d=<n$Xy~FiBTHO6Q5)+g_^gaVArEoX_
zf`W=Z3Xp;br&$b;nD|R0pSMd4)PBH2W<<>Yw|-sKjDYVn(86TA<aOs1E0xbsNa>;0
zm1<EIo?=G>X9>y2QIahoFTW~dAmZiY|K6Hkoxkmp1-bkF%18f!ckdoPeLAybA(z1P
zgT~*0AtKatDJQWo`4w9L0So|XR;U=6$>s<g^)n1WxuimrE&+M`;r*xL1<t4cm<{TB
ziF>+-87CkV8v31)vxfqEp<|ut7lFL-q`t^sJa3nZC!E7~IwL|k1@ije?mrY4`}fCJ
zJOqMloaP;Acmza4+j8m#JfwjJnS5$#K=xQ`km7ZaD;oaN>2mD)CF}mDzj=zcBkylL
zT75GA0`q&jS{8`>?$yfIAARt_C!aKDUlBoqC%bNC>>;x4<~K0YSr^IqED+Li;f5Ol
z3A3&MVpG}oGLSExZGHNIkUx1dE52g#<K0c(jyxnPsq~!@fQ<aT-B}={wLNp3n|J}+
z(>XmOS(*jX{`lF}2cOWjKKxU1nY=>CR1uYwb6zAMumQx;_b5*pJs&wds_n&CG79P#
z#2NrHTm}?6)9k4PkdL2z@%Yn^zFt{*wYvJ`$@>p(?I9rY+ZT@>eFbSsGqcxqrN3F(
z36L<9;0J`lW_Fr@%#DGNhDxwBi6LVk-K#+UvbBXvk$gd~Wlbfa6gqm)(E&uc10egT
z?K!A#^$RFA9s<bX1c(9+<itC6SlWCB&k#Ud0GSAY{B>(9y4ItufqLy5ZiTuU)YUPN
z<tnbp5k3IM2$qUYkupSxs<z5LEA}TquF7)q<E_7Z_2|*7dBQROXRKJa1p;|+_r;SZ
zPgYkq=B7l%;&Xzsp#UO6y5(Ak3iw*-x|vxZ612)2Ao({ya#w-;*UIbFRdKOr9s!w(
ze$F?2gbR3x0tuW_spNM61dKSp00hMoj6EYD!jlm7cNaO;wK{O4sVMC~y#D5ixY)u9
z#gMClJHP6q+}Nm#l-plQrBZ&KfZ%ZW7)ZRFIyGu+h(FC)I=vx=eDQi^9v1_R`T5WO
z1rBn{pdJx<@cy4a`{P0c<jd$Eh3s$%LBj?V$cCFv=QGv`Fd<^Fi$KszW%sd*NMj(`
z3Sx;kVe}UP`R4V)!s_bk!osuXvp^Dy4lj%prQb10SZP<^E%7q~LX$oPa%h?*-cd{w
z?m&-jt-XGK6tKg9mGl|Hn}2vczStjc0HVbl{`ro&-1vPmnH-2m=SGU-!4s4+W5r&T
z)+Bl~l5$uPh592_*trqNH>(Tu@3R;0KLC$gZF{G3_wIwccQ3stC)><Q0|;xP_-<p~
z<%(oAZP+l~7k62x!82E~n=nPeM=*1{ER-(qvR*w|xc7kM-v7-8b*x$EY)|ZS>FH|V
zm{^%Seh455eV>hENC`l=!&%|%j^9y4^&X>{<C*ljfj7JD-T!KJ;eW)%e*3Dd&c=`^
z3TSE#u|ZpIFbAjgvBN?j;YR?X(sT1-%|TFyDPW8@j20SasM1fPznR2vWnunz_Z|qj
zJH~OVS4pFv(w8ehq<k(ziAT<btmV>_mSl2v?gYl|oB*=6h6DY%X1=nGj`7cORAkJ#
zYgn<a0=auF5Zc1FDL3@YHpDa)GPOO=ge_ru2^wHxnWJtKNr-7iCLsyk+iZ_!3G3@$
zt*(xNJOYpjj0-RSXt5&YhP`qTQcj8|Q^kSy5=L~zdP$5xVi+q|ld5P2s`gLr%~+>l
z7zo2trAW0DkBO3|8Bqo{Z;`q%gr!qf!~>Ltr7K-Jbm)SF#D>HR@Bl2(g-75WcnZ$G
z94F$afs$kBFU7XbiK^yHe2(>d%wom}BpktyAqprC0>V;p8wh`tTR}}9;Z2QQaF8vl
zxf-uYf)yNHK-?1$5)f8Kt0(N8gDRsQtTO7PkQF(Hx`5dKi9pCv%?3udK4SfDHK>Fv
z;wHnTX&T0q_&S){^%+=WF=V#>Rw9sT>!u!-)O{en{BR50o~RGRK0^q^^Q^lPMG=fO
zCr~$s=ww^;0%7-idwq}*F)gmR$wprg#d?5rs(;8*aV%`M_JPQVa|i-a2&7wVw&sY}
zAb=F}#6Z+QZ^+RAVf|#t`jz_~i~k(5HgCfFLxN>WK=i5f{*cM8_yUq%*c`BTqeojv
z0fkMLf2R3(8VU$Y=Z~^LlErMEB9M_jTf-bljt9($FRKcHz<qfK->4jrv3cF5^FIRd
zc&KoCzDOcL9>KE62}m42JUh3Jgxu_F2hS|#5H-@peQjS63Ax3tyIEchnA9;9DSh(-
zeuP9uQM9_+<hU?xrEj;_*+fhy>rdM3UL}GU2;g|Nm4Vm>1~y>j+F5KREP)hbv4j0_
z=wV@Dt9Bxs2uWdc+<_q6D-6DYwJ%_6ZR-n|!($h(n!xU_U;f4BgCq?R*uPy?Y4!S&
zj)6H&4&?Tx=SWD$W~e1gb+1+N{q}ksmv^U3gy6cjN_X`3^l>qY`>*E)31MNjqfM9V
z&*|!H43DetO^m>AV*~t<&b~qBMu?YnBgR~zC4^9z{<_A-7+aY*pUq<{6uE*;%&I<i
z=$WI~tc_wRMnpiRQN^$`B+;csvNC}uHUlBTk1b7K)hftiu!N8iBLqOFi*C>w<q5@~
z*X!IEq}bpyBr$3c5JZS4h#-eHJe2x>%mqS_!0M{XjQO3Iab6mO`UW9Gin(82%viNy
zAO^#e=<<WKYI0Yv_XdWn&Tb6%Duzy-{ltZogI0LZ-#hnP5=h8*=*N;SP1YSq$ki27
zj{4kcnFt{2A%2yt>{w4u28|_BPyRw#_D5x81+L#^ME{l*fhU<ix7nOQ5UhY?Wy`vd
zG6^zC%dGC_>=XhS_k=*uUSA<6ncp{cP=xwOUS{XID0*xVWbv{e#=4MrLehV~Ljs9U
zUV*4wf$+Yc7KrfhM}e08m_eR>WXr<%Kp;sHX0$-?r#d6?MO+0!17^#5yE%~Y{AVC?
zUm*MpY3(-5kKr>!0)&m9AwS9kurg(5h{(kZ0XsvkBX+-O%MuV<PxqE32^q0v5wf8-
zbvMsnE$VYGh1k?hf42`e#gwHSAH+QbFbyrs6#2tW#66?{W`kN*ME&t4t<9c9gR-lh
zB!CiyH~|#P1nTuxRuK=*R*?W!3d^HdCMn=3(=wZQuy8gBphX6ld0{qDv6TfZIz4le
zvrpy|3nZlTi3TT+XP1^u5<ng{X=&YE@oWOIfYXX|0@0wNqVSN50HQ3H<o8%Rb=sY|
zL<8ly#DhE2rmh9f^6*eIhwwn=aJBY;_65=g0H;Js%i<6PiKa}e256H9Er6`7l~qMA
zQmahB<>;LdWgsvm0s?`lsVPh?G3rC6t(_!5^`R3Ufk_8|vwE}x64Ip}nv(EgWzYsG
z+5tJMLKA*Tcy5gE4>9G&v6=)%AukWYu>=JNFb(Oq=i#S%r7oaVO6xgw&kooOg@9iz
zd}W&kMF7_#2aS!uDLiOW>xeZqg`E;d>3l7=J%*;-*R?>F;VQByUzbJEOs)jZ1$AX5
zE<l^mmjQu_7;*vb;{mM-J3DwFb4Hr;rYggdxv4TGz?2)l3<zbhmhx2J4tYtmeh38-
zg0?OTv<@`;IJuw!xP}zhx-2coq!ACRBs@aoWHpvmkPVhC11>PdwNMUb8Dd?QsWSJ$
zJJZMocMfvHHhsc3w!_zDdDH_fqs_`ii3R{IXUy6*5XJGasWRQcA%U^zqo2X>C<z>)
zsEb_+#fx~*42BHm3LRV!QK59umeFIuWUw|vhd72V!6anP<RKkO=#<4@p{I+glSPA#
zT0gkw^TGM=dq3_p=r0XE#$mT+gmF6Pd){M4xtHc|+a1yzf0%dTq;ACT=7+u|Qn8Yn
z+uS89X=``5=!CV!!p>s2+baB~CKo_nKhyj1KOR}u+uP`0v`Hba8K7vA+E+5KF<Ups
z-x5g})D1<q2R|*53J_DH97yJ$-d%)J)fYpO$wCvUgmo@%1&H@Kl>rEc)eQlhrTxZ6
zR#N}zyd3~yZ85|^gr8pce*;qS_G<U~!u>Zf0Pf!JwW>~S3uNszq{ib2je#35_J@by
z9GDG9m<-M;fjk$%Cl@>3CP12p>Ao!x1_3XZ3rz-GElQq?0Qr90d=yA=Wa%sKj}F7q
zJihYFqAF&;mc-Ec^5*&K9;xYmf3hJEZzq+I@h}a@?Y6UGBXe{T#6W;h69ym*1Kohy
z3;-s#kWbPX(^E^N3Z!&o`Fexc)vKuMGStCLR%G&o03Jqk1Jx!#ylF!T(c3#qqynUT
zWbNJexSfTO>k^uhBN(ylV<L^1$cMF<S)auO(bcaqkgY!-;$6qgaq_|nnog7Rge%E_
zDd`09EFcLgkw^?ccaaf>OFhVYX9SGpOn7wK_q??`#P?4w&03XisE*H*qa{a4pcJtn
z8U<Q76O#;)q^Vjo5=!FDG{dhRCh}Kz-~HxVAg!+_mnDn`N6B=_kO(jn>y1#0VKhTx
z2w7K=>YXv&Q^zw466DoTzpB@Iez(0t8rSiDQP<zZozaWq#u>n03bg8z1_l*E3q$^f
zuJtl72p9oTAs_@)nUER=2`CC2kkIL<kRHUL?CS;seVO#dun@rkBkA!d?qdi7E(JuP
zltLd>pnpKWvGIBL+&kH8_BzL{)-vm#Mn8SuH)BgOsx9J8FSKnpb*HVkvZ>aS$m`Zx
zUs}Bqy36cst+nCNiulf@`-iT-_zrIPFe3ymVf*MdJREx^=0jTDSlh&{wrpJl8kiZt
zS`lkwDqXD17+Y<qvh>bA`t~26gOQmFcJ2wGam#oWh}^dQ(CTh<Fk_iA?!f>sQ5QzL
z-zHBQ{{R!e|I0US^t-Pi7hkY5FNC;#x^=?!ihGFHRz%ZU$C}l_b#mPeMw{3+FO2G>
z?yoH`txUL@h_`DXM7ELs^s}GLq%4S#gAkNj9#Vd7S#4CyY;tX6Aln9PGu^DUEXFpM
z8rOwPkhHfiX(-lF`wX(y84-dK<AsC|<*2MGn{_WuoDE%~v~D7^wsD))CI&%865z^?
zFJV+b&pzJOksn`_vd)hX=xS{^ACi2<<y7~)W@#g}u^=SjrYX(J$Oy}c$EG!0P8h%3
zM>0}@T0<R~Nm+X#4yH=Vt0XXdFv{>Kkt=D9WqGvXb#v3Mbfejz@lacXV|`Z$z!IqJ
zCkt_ZV+Ftx%PR{o)epg-P1h)$!GpEUbW)GpvMRS$RMTA{0F%Ff>#QHIhQI-PBm^SF
z(c>bE+bOk7n`jm4u{LckJEnDCP04%twSgTITV4mMxK$IqD<lX)^~pOwd2`Cz3vn<!
zw1#ObyCyPf;<lH%G;!NR+HjrJhDFSdgT7U%>_%z5J3;_fC4Yt~`<sTn2O$m?wwl$Q
zEc@Cf8l}(?ZHF#Uc13bi>o{tno_9=|xPZQH?g-IACfLXBf|KJKa^}0eKR8(kv@M=U
zZHyo0@IxhGAYz@FRm6g93^Orkor%n=>_(YY&vlQygAfh-D0G)MoRqTmsmJIIuZ>}G
z&$DLGxyhqOWeLj0!I-?tSZKhB=}9^vd{;;&c=QA&h_ey0r%@Ie-EisZL`G#_MLG1W
zk$F#&K8%bJ!3bR%qE(KR!T6pK#?x=ylzrD8cVg&->;nWEB0eIR_>@qL2{h!!?+DgW
zSi;lrWIplG=dl&!6(J~qvDWEA9E>82e2fV3C?OR2jzAoYhOi+NBV}MMs_cloSA<9y
zYyE7ls2^YyReKo4*ufluAO|DFcU&Z`#{p(~fZZ3uKK_rp?c#BSJX#IeZ@})@z`Ngf
z4VL?d+l5FxirqZKdsT@1?vu~nIVEM?haG6gFgFjum?aqB7s5FE_6dBw!n}|J48IPx
z-;glbfFI}|enklJKmO`{xG3x7QP%l)ayS-p+z8?bxuXg14lzXT@5W;xFP=Y#%jD*Z
z`s-i>VB~+n2rTXkLE@L+K7-r*&DRj`xM75LFuH$)@6agrj)dHN{q>h{f4~b;*5yKo
zD$BCn2&NJQkK)#DkayG$Mcs#=nOQ>}d4Ld-v_MO$M)lNX{ML@-bucGHAfW;FTgY0o
z5pvY%;9z~&G_G3EN|!wtKWYadsH*ck`Uqx-kC?LNh1539b6>6Mj1yFq(T%})Mu<|P
z{`EUYHRLE|9W}JFd7d*l)hk43sBL6@G9yF<BK;g<<TXY84MJoGuyHV|MTqdajk*n)
z5fTI}`76|s`I-9T3CVjNlCbQw)!LJm40c0igalb7)=)=|B4k!by&@suQK4I7H$%Cp
zx)IF@$%McD4H!9kb8#+0q$ND$b)h?B$4a~L6`B!}W-<R4e0kEmkVi{dXk8d<{MxL$
zrtH;3+*oH`2&(@CQ}%OH7E+zjW~17=OtcvapLhMd5XKeUJ^t((LgmtEJ4%}t{mnFh
z5Hs;vAq|(`ybm!l^Y;5A){xpXO~X}RXFQm$Cv=h!f#T=xR`CZRz&k<678XkL{fa9S
z7v70N#Iq+bWj|Yp1(-LiWXp#$gj7$zdjH*{52*H++032&ez}l54=X`ZQ|CONhLWjM
zQkFpMIeeyjc7)WXszfMlZFo9~vLCvUoFK%1_5`LQXV(zxV1r3p6x-@1ui75X3nAp`
zSMZtc|8JC47hPA5acKjdO}y^hF?*U2_@0ELqCO)eE4!`;hO#qUO;nYo!T2O0zk32n
z>%37Gi3@<4s%<TeCmeU(<lz&9gik;G@SpQS&VT#;G$Gip+~*Xe+J3x7LLmq~O^ExJ
z!!wJzcOOO$uz4ZB`ssN>0On`_s~iji3={7}A&|3<guJCumWL@c3=6!SyHo0U7YI3u
zkYgG?z})ggA)lWw#KGu1Y+lIScELRtUn_(n?B=a_|GR65c>8q}?Vd-wb!0}!%sgZV
z+r0|jGtnNlTVP6n=AI!lLS||Rz6T?BVPp?;Yj#V7PZjd0H3W0nV^Rf~o04&s`54v_
zHButd0Amluc|zcMrgBDb7>wkS2;p(ykxFF(UIkT|fcPVF2MAyTh{yv>!laRTLotyF
zeuI$NQ5F(`AVlU29MCXe7+~Apgxd|+F^Ov8ydfCL9^)AyXO6O<J)njld1Wz=7KNdh
zuy(m29!6?uP^F8aM^s!bi=GclTNK@f%f-Yms3Bx%i(8&9m)6I)x+zBFA+-PwY{0@$
zQniJHwOvsZBOk6by&z>#c(svBx7`GX>7u6|jY|hei>38Q=$I%hfeGuXtIo&g*N_WO
z13DH$<K@EA;VQ4Y4XWBj0YZ>kELQxwNY?h2*F{rKTopQqi*YCyhCe()F#LUqs~3}6
zjwl3}6QXVPo*4?W2H)4q<i=82wq_`M4lwj^AsBiCFL`6-vPYy|EPCWo8HsWQylYSu
z7x}uo9m-Z$9~iz~*pR%1lr=9Tcwtd|mB?;HB8Z$2BGbZv3GoLI5?Oz3c{GJ?#ZB8@
z5+RtS5eWHW8m@X?rI8bY1(nNeD8}n<<f&ugv<o@xvG2RqaQxsJf~#O%Fy5L9wmD4F
zs{px`^&+Xte1Mpc#V9)=E#vXBzb>^UGeRE!tP=+(ymUfF5W)#pAOs_b<Cj9#)~jt*
z_B<+jSwyWB^z@>BTtn&tSIemaA;j$wgb|m^7D4p=tz$bO{@O+4zae4Wbc{Z{sAHbK
z6oPmKLR`<}2M~S1LCD&0SsGDx>#m`1H9}rn)IrE_W$JEZ8=is?Hj=6^aEt~wR<OED
z-kXMkr3+K3vUF+Yf})P<;uca?x*Qn;!pH@Smqin9Qx+4-r7ZDcyk1x#+j6<=>BDP?
zvp?=qmSAWAAr(`aJ@1D1v?@j>9aG%o!&S+KvRp2vHwZbJ7|suS9~dDXDlO*qqF7Z$
z&$H!*uR0Heph_=_BrY14>H`~>izRf=9c}pBl=ablAzT#;TeXI(#mH6XYN|nQ1BR}T
zfH`#RgKeP?BTMlmLQ+@Mp+@?xMQqvgxJ%)P>fHvIs$8YZA|LFi0k$H%?)+0z*5ghL
zNz5<_rSw86h-f^*8XPtPlS(zTl9;ImF;+E=l(&>HLC&oqKe{6Xvj*cZmOfCaXnX)d
zlMFzOA2!vN*@Q8`1i%=%WMYT`fJv+bj~n7Q0{(|WH3WLAU;_j&-5Im2X&g+91kVV0
z+*3&p6GOV2BjMdNcKeu;m+Poo5WJs0kq6AwH;0KK-odD&Y=Ou%x`!Q@TNpimV)(~{
zkS)NYcVN5TY+<l&3nN>Y>+S(YS@f2L{P0tT+*V)Ga9HQ_LfqN!?qusrX(X*r5dtS$
zD|9goskbZyzBVK$mu@zSBX!Cs3ob`^io;7`45Be(^FrWq1VJu^RZ;qug}|km2_nS9
z4~-5=(GcY-n~xBev;H0s5<VP;DXQvPofIKIfA`CkPl%84gJJ*W?TT632EyoC(qNE4
z+|cRpZx9>>fw;k1R0td%A}*5!9TEjHxNzhG#gHk4F7+NdB$EZ13&ja^DP#;8x|Kqq
z(Em`s%Tbk(_}V+{XCnkgJX=rC_wIC`E@px&4?zNMP@#nCjVNTpJkiL!<~T*A+aXZo
zTDQ4383P$7Aae-<Mbe+V4k9ZwCyEf6c?_NSIs_gW&o3^7FEr;u;ZG!SIm9lWdbuA&
zR)MUgnNtwdM8BI&CY3K)#knT9)M&OohX7bW{kHOjAc~k%wBZ&6io85O*sg>>nKA}R
zGRJ5y&`bMQJD<)1$w-qVYjp@bvU@vJ#1q2>NE;;^vC>XK;F0s~vmi3)0rejf<nOZR
zo>62LN+#(>R&cVij^XA*hZv8HL|%HM%_YMOKwh~8fk!^_ybUBvsMb!0K$ZU1B!sM$
zQDVZc>I7MB6)s?kqZ^bEQ$Hk$xxK~7KL~;j`)NL4-eeSHG02vtEL-rDrg!Cl29Y6Y
z3$>=f#cmZtp3^u4?1T%1U#B4Gj=cX$2O)H{HjTTaOB!|iO0V`yHi$z|m>8K`K~`Jz
z*?DAlUa7k9MXfX!Cj8Qef^2rNw^QU=2a#3xWDRo(g3I~)9akp-WWwk{8s-)x{GNJ;
z7jO4I+;V?ZNQgt3P`5*{EaAboo5KLI`=rerg4hRPq|?tKWLhXihAoSz-!ve1?0w83
zSfgn4S`c3-gc9?uizOYyPLW?<ZV-QjGRF$_Ut6U>R<el6ry6xgVevdow`SZsYgw`;
zV$CYr5cuO!hammVbx8tHN)|;_?71C+^m}|*2a)9qvbes6Ag+Za)Bf}@?3cBuSubW&
zcgh07mtM6V+0~8AeIXl0QE7iMb~^+fIX{(62pNka7QH%lHR{;(`n^dWKqe!Q(I2zv
z+ESLa$XE?x@91mdDARkRvD+a~<Va)#$^t;Cx;#2MSlWhQ2Z~H}vLN%K!$A?FaXZ_Y
zu6!zK2RqO>%vnhGE%bam8jqg29fD^y={AZpZ?Ys83q78iY;EfS?M|BRfGh@G_UC1g
zb??mX*$>Uef=cyUd9hOwi>+zg%0lFk<O2tmQveR+0OKPE$94oXASaiwF)y#lmpsta
zl((@J7$2>><uLY#VCE1|#eN-O7df^8^T*U!nr}xy0K`Be1)#JvIT?sK2t^2Dps|$#
zPzwZwpbUber_POh44i4m!5K4RDF9Qaf-;CQjd$T<0*UNW3PCciEp3=Uc3CYYptThe
zAB0+2kT$ULlc}+kfvJcsZ8Ta+iVa9KWG7PsvN<Gh9bkqD<d!AurUWEt0OJEk4ngD*
zZZHiD%z*x><b!?yb63#XIFf}=3u(M~`=~~-wm}!O=dB2YVXmG_NI_lAN*I;}8K#!S
z&0f?<2;;dljR7}?Wfwev31HFmxfc-!1dJAwxiq>Mu#GP<7-%*>V85yq+h!)3?l=)M
zUnEu4drySu%X^<nPE=<z!AI$jPVNvAT{|2&_dd&ai}hHILxFQ8AD_L;QnV0alEYz|
zMBYa~{s&ZwkYCMu>c*jvXBTIP!X7I)kV8>bcx*y|Ul$=j9or{J6B^l<jk3ypKTzSb
z8e%fW8fwjY1=vlKm<?o&8ml0I{h&QlRd!3g?Y$G)KtR9CbLV}T_5eZ*TcBqAsEic^
zBd!2HH&Z8O1=2AyiMpujNERFNW&<m!Vt5-=F{N7(hXW#r=vRS)w*i$-h~`~=06KSh
zf;;AtS3fm=v8WsM-h4h^JGj#7Hy(}g1O|-IS4T8xjr!UtSS7z;9-=<R{ZB{}%C{!a
zxRrt`tSlZ^lbDTiQx0!9O{_3N*2n-6MhIg`d~2x`5mJ81(z{l_-*^9_>3}BoBh?N1
zt9^qm(qrJcEB#<XYISZU38i49CKCls&8}15hFnV%j{o;eXjUsCq<E%oE_fJi&JuoI
znawt)x!E9D%-LoZkJ&J)B;y%D&>KFEHc=9ulg(xWDiAsoK|E$eo}pH_IQTB>@C?yk
ze9&ac!W?g<W1bi2K^v2k)u7{E1bYTg*8@yD+(3H>A<OA>Lf5vD^?Dgt@O%Ew=Kj>_
zO>74y+j#Hz!c+H`KF#cV5Td?V%ZixE7NgmS^KdhwG~BWUQijH6nvbY8W>vycdX1ph
zqq9^x{>eEVpNXKHjnHqIUz#Dnqi0Ber3HcRSysQ>agi-SfShq(23J;p)s+TM7~J6K
zr7IfkU=0Bwm%GV(+OyX*40&evc*y6wFxzpybGR_oI80V%uicPZg@hE()JY=_&xzFR
z)QY1K-IDa=JU)qrxbDeVW(b19u_=Q_JUUOU^9DZ|BB?e*nlETh(lNBZ;3b&lm#nr6
zyj%rVNB7+BAn0EN?u95#fxFV&7lQ!|RtE;J?TWMs^uq~x5>iSn>tk*0Pi=lVv3gS{
z$-;Fq-__>trqg)7<DtFdmw%_r=@(?kZ;A*JqLK0+SVCK))Y>LFgNA?*mgcNlk%Wj~
zHj9R%go2QqE$Ei9Fkd7maWsSX7bB$G?_$EO1(r8JJsJ$IK7fe<c5I&1mkSR*D9Y7K
z9rlM1Qs?io%%^jds4%panLB}A*xa&~(@BC1q4ST)<<w4kH*{wk{Jtd%sIV5Q5tJm2
zQWU4eN|Q7m?hz83AcQ6S+^n!SX)B~$60&7)1R)4S6{AvU4u7*X@DL5@2LnhpQbG}O
zu}{cFx6|>25Bp;fvYgt}HQj|LYoFf|;(X-udAOS-bH4{g;eWM_`x8=CbO^mhZDNg>
zUW1TE68^w8`37B<stjSsAM=KSA_4*V^Enulge;IH$dpA4ixo90K)G*}D<)(Gk0ivi
zRLN3=w2$1*K)>n=U-00Pr8H#cB%uRhc6>QOVRGm)%qH}mElQSux#K+$qDs~Q8X{_z
zHI7qgcNm)NhL3a3&s#K3>6ma3LboDC2!`?4ibph$sdX&~X`~3Updn!%^6SPIY6wsc
zA)05k2ikX1wN*j{uG^NPz7i!1e*J^nx2)CSgcx;BIj3P}gcQ;}-`!Aj4BngeEZ-3>
ze`kRZKDXBvME$<Ez4H2z#xNeoEt9ocgqW|<->^n2j`JaDZQ1L%ML?ZdZNY)G5TW^X
zqjd(6Z;j(TV&aSl8dB0s9Z*Xi6+i8j%~3nhG_Boj<AS&4Q1{Ts{jM+s(h#(}o(JE-
zggkLFK-4L}mpNI@$a?<7&hS#Q%&{Hc$Neq_1_t%aN1#zSQ-7~S{ihEXA=S(@86k}Z
zfwrUDAVgTiqZ2VEB8-S3g9Q!|i?lISkg)8nj!?!&xW$A3nywo7)jUvibqxdTfH0_C
z`aeU6S`_Rqh{>N_gRdrG7`F!ljv6*KP=*?s&k!Or<hW&$PbEt>WbXkZ`r@c2-+M7|
z0HTow*;ft~rx-T3Z%cWWr5}|EP5YD~PygoF1y@o6Ew<aXt~Tt-tafQDg56Vui0hJ9
zh{_P`Dp6Ed(xMt*&xl=`RH))aH8}3kG<)^m(*s0Zw#5NI7r^KXOCJBb^o1pxk`UnO
zbMdD3@=!M>ua29N5a8**Mogqg8ITpQ_4ax5aWzDqeeq4nORplYL5Ny<RsOL~Npy&%
zS5egkA@WE2{Xa%xNy$bDFbTB&PtDWj>2IGsriREA`R@A?7bn)*U!R^HfBQT2&7NOQ
zga(uVsXNZA<I`icY@Xo%kMVXGot1!SxXr(6;wKY}CO)EuV0-rLZKv%8-;{u(?>+Cu
z*T<*LW3?V8zFG6qcP6EzNZoOkul{h_#5Gd?j)c|QzkT~vIrtxKcWA>f5JLeJnVsZP
zOP20v3$s9FDd3lQh3*iAhX&sQ9U;SYfmTtXD1mMK;E_+hb<CdncX3x_KAc|tdqPMq
zb$Ud(-`rijk+g<c|BUkL;SOY`mGA&~iQo=Zn4Ep!o)XE`pa|h#P_4YhUUR2i2+U#2
zG%mdrvavuzptL4JhY9&<3FeVl0W=88zD8_gV3=3hmzE{vAW4`OC;lPx6DO-f8)2xH
zn6}P_hPBn24>?zm0wD|oPu>RF>-_(tOV={cR5ofFR&WGK(>9ql*aQ&^`|7krmK=~9
zzE}Jwn4&B+(lrB(`22bx$yqI=jt&87kcSmd$Y@N~mjiHg$=)uz!j18PPf7EDL4FL7
z?;xH-^6|!i#LM30#2`6+Bk}KmKteEw_@^w|CFKYJI6)D9UYZlwJYy%K&XXIijOzhz
zuDcdc;6^~GvPZ7S(JpCprWz~1X=$!4u+*?BR&Lk@+3pI8i2Ceg9#Je(dpy<P@c`Ej
z`t3ux)xEZjwfURXUa6b|8K#_<fXvcPIE_;kC&-sUv7nvNIFOX7t!R-cbfl{_gA*2-
z1VoH^*C7)DLN{fWy2XYPhIvE0Zyhq11BAV4p_TA!X)z413BGFs`3Lqnl0U)@ux~WZ
z(Rt4E^*iU$<D>I<O5*Fr0pSgU$CQj7b=DA`CwxMVTf)W?DjC8|lQ}gEBg4AWiz7I(
zlTiF5g9%7tG_eAHxUtN{Pb`THIf)#`vOpP@DW3pZ6!VbGV={3Bx3Mzet|Nuv48utH
z>o6x7dyNFsWU2^M(!qFa4!F$RI8R4F81K5n#3W(33H$Gc0l@`T)6@VFgfUA5jFD05
zBa8^65s)0M^&&c_MTlb*!Hl=+Qw|Y8T~bxO8{)A%C}L+;h>ek?#p3(tA)v#H>5k<^
zn2fC8W>uk>AfPxDx0rtMb%c1-PFr0B6UPghW%U`8nPU9AUq?SFsel4+o$*Kvki>As
zT$dwkJ|A#wJ^>F}cPvX)hjulh7{{KNF?Nk~F{VroHOt>IB3=Z77u64xO^Yf6jFPnw
zYhH*8)ldWiKH_YEApi+9XvoN6?AYjr#X;^_ZYv}=3kY3&x<4<OzL>FH4kOmKv@W#;
zgVBQP%0xUg!xx*`2pg^~QvwYxJnizt6$rk2Isn>`T^ZSmfMr<`=u#)bjL68Y&11us
zPr8WbIeOo7+vP4bfJea({^G6Qbg`_+*kF1X+3uVbB98u4orgP*i~5$E)BTKVa~Z|O
zxb4npVcjlwF~mymyED2Ej%08I5Nx>w<D_+xy-g9Q$N=7EWkn*}hp%i|t{?}D2(rz~
ziW@&nOqW3i2#~ngkq)qIy98%!TM%!VeiQDrC|v?%m#2>H>{&csFatY;%teBubvcMj
z42_vI<isKK!!1gI<8FSpxqI_~=#lu(=C@z&Nz!w^S(dUxBYnJN4jQ_3K$o&lyF}bJ
zuTmv5qDzvbyEBr08r;b~9W=E8#S1;Z$>O7LE$RBu-RtNZ?Y+}r$<l^s#<KKht%hZp
z70Loq8)gdS0Ssuna>-g7d_0!-y6dW@Mqf&xM{>GqUQ)t|^Qw1138Cr7nBt<`c&eqU
zs^vqzn3rGdZ)JBw)Y2YP;JGzR>xCcJ^dWOIpd6j+-Rog`l+{k%lBB<dxN?Y|3`BbL
ztesX>zwsaHRa(;nOpJM5>qO^kx&{z@%+d3;;QbF;HfWwmQjb5f!b4r^WwdO^Z|G9D
zotCuhcN7=0roL;Gy5c=+&5AH`(%=}N>p@cod7hx=Ys)$~$__6obGP5`-#j3aPn**1
zZL@yg402|$><MW-d+>2>b;<NM%|S$9dZv^$qq}Rn#XaxDtmlJ5wi_CdA#~Fm?&qUl
zE%#T;e{wn0gR{48>8c?4ZQZZ+ga?<uTJpzJ9|A&*!_Jmwg-+RD?5%Y8_XkVmYS+-W
zn$<o$PUoK$t@1?wmU6hQtsRI4hnjkd@<e>{ZYxvn8B04_rMdS%zYZ_75CN}Fc_cQM
zgSO=VuE{f2^ilUIYUzWb#<kw%Tjk;FO4IrPo<TUE_+6#6ZydjRy}`d%qx*e~9MIMO
z?USmc`_1YGCA4;`ytC|Om~<t#Hu(ExGhb<#(UIiWvccwQ+ENa)1Bw^T;K`of=!)}0
z?*J2g<dNENu5X-de5Lve5F-3nDJZ^ltSHyN9*}>!NrphOrgy||^s6Hazo4yjHXFQO
zQ`J*{Q>B!H3<=~$Hu`7=KQ4I}nq;M({4fv^B^)j7Lz2_<!H?Sq;)~(i4e|Z1T=svp
zj+gW9^5Dnq58Hk5JRf3?NA10Ovycv)^nTj=`hzHnjjS1dujlux!Q6`Yse7T)uU-e3
zG|LA$wYo(x1VqG6<>EB_YH#Ow+1sJtocQJbOplT{AlSKTSMw!3Ob=ev4#e|xi0NF`
zvmoeJ^y8hkJ^Z5l7YGPGJB?_wb5VYCygYmxiOrgIKnQX`*8*LDa9r(ULQ6Y*PSYP7
zr4{k}A0F!u3tC$0aKH7$bk@_<?7@$}N)g5jR`}v*(CCZzhaRLP{`*6i%3`@H9X#0x
z@0Qpe`9N0(juqzmxBjt!B%Nu7q~vYMFQ2-(waT37-csc>Al;Pi-5Lrtiy%JUL*}y4
z*;?N@^zPrgkXG71bd8KmNYfjLn0}=P;$fG5Om_z2$yUJ%f8TZPblYXWwFe8>YV7j@
z;qkf^wF-N|-@49W^}jx}(zE%&F9+vUx40~vd=S(9brrAcAtH`CcyVF|6v1A`8|7CI
zcJN(2XfN0D{DPiISC(#5LKv@^e%0tXOTDHSyeM_WhDz}lTHjswf-^n3tG#*4gG<cw
z^!J^Rp6{%m_=V;9Zdf>!*TFn)sLmbB==mQtw^)rZX{Ni%R{ij)U-IOdc~AEnor^t>
zO0Q7*w0?XnJ$AIy5TQlWf1(AAZfkkyK^XCG8+g5^?K-8$PgbJu%MnKHmu*P4I77aB
zf8#v_FY1ycJw^+fBn`th5IrN^Z%g}SNm>bODu+06S&GDl6tzl{WCh!LN2)a6Nmq?7
zMFrKTJX+Kun$z~Rt+X$e2awYR?O3Z6)$pzwZd&{1Rp}Y#(TwDIQWbsbE$Q7EwcLA@
z4nL}LIbY5<(|#*mY3oC+#}N+Cck;T<9=>&L1)h_mJZ+Y|@?|@n*HkC1Y<EJ$cyG$R
zD5t*EF3-J4ymh*7b}6oTh_;q1>t<ekTr>BrXONm4EyG^)X(dz2moFPz*g471s}aJt
z)R($f=ta$PK7Gj%yzoP1QPTAupOYlB`$?DYz{2FIW`0<JRhex7^@<~?AbI5;?2r3;
z_b184s9^1?{cZ21UUe>`@6$d;j<#QVlhH1J-nu`$zj4#AERtcrQE(WyQ*|C=Cshxz
z;$qu%QYitu3SssX_7~!el5(k0Tva%bmhFg;jLqJ(9h)P>o>hn~7>Zz|d}Lqw*s)PY
z;XvGW(g6mkdcCgjG_$&@$i_uQ$k@bCcxN`n!wvLs`;p?Zw|3*=%56gryv(i&)Rqy-
ztX2dH{K&BR_G$<|6CT*HUBTrMLlqIjju1y&q4c;|&y@QY_4qhLzygt7>^!RQvW#%%
zQANfa8S7#Ofh|NGT(C)FdsQKhLNX}@R-(NcQ5Zl?Kpznfrd+QG*eF(P*-6QWL+#l*
zm|V5pjLQQ&!bU*CuFJCQI_}L+>X=dtxZ%cL*;tF=gX12;$$K>cF#>mrp~J*6MIaTA
zvKAT`W>j(@VFba9&CELigpFxa3Wg|+1yI6AFvj#^n>cpIw3+b{CNzcx4URR)gqMgS
zjwcEH*Z^+nfk@kCB;r^yu@LK{v9XC89Mj1x(8MSuD1nY)hz(;H7^~rtV+2U}M4dqc
z5jG8;Ppp9L__}#<ae8i@)U6ni&|?mXd()v<W?XDYcqEn~BWfbTbTFBel&0k<!j1c5
zNiGS)^>S6BFg*zaF}|+DW|f2~IK$>KHr#8H2~d8j$>@>2sinm8hz60QGx_7jT8T@<
zWKd#xN+ul+k+>uUIycOa>13x@GBQFt;>bK1OT`b|2$Ud@u>#4+EEvLcehKG~hU2sX
zaUiGGSQppbM0wi$p+ChofsPOnfW8(rcG8p)y{2q1pi`15OlhV;t_3)8FakJ<0K(VZ
zu;~&c$RxwZ=>-l5EC(VP0Z2oD4=fG^-pvC-SPmv%9V~}&l9d=}Rv?IT)tL41ND5)Q
zf?^ep#}@%*=?vo-+kFm;h2s$6Nor5NY?$F#4hC`aWrTUu?(<B7<^syBfw*|fdKQaw
zAjFzDU&eYQ28u}n4u%pZpj=GhnlIv!Xk0WYdii`cg_%MOfnESO%<LwmALC^p#;|GJ
zAOkiEV8;HKX*QqsRTzV2M%Y2#zM{($H!yWCpv^{JSnhM|)L-*_jF+mu_#ht=)UGOv
zUfRnCnA|)d$f&0T3cER%aqCK^uAq#o)H6k(ZQgKs$4x0lJ)%lVrkOf4r4A6QG6s-}
zFMtk#olikdown<>YKV)BM>2|AXElX-UBI%fzz(P&?7DWH+{zAk0^+=^q=csanP&hp
zwqk25VJ4N55wcg~mj{7`#R1cXttgNQFl1u}PO!nIOE?60!dB_6{Pnj*7h!oUN*`FV
z(=dGshA_^g>h!@bwqugQrtFf|a<^y`%qC5pi#oq3^%;{8&aegK3gDDDDdMon8O6FS
z6JnGsp*&!27?YsF4?VHHcG;3%5eUy+DSL@qrR<J)q=y7Au2t5bZrw|t`uL{*#*imQ
zqhoz;mpl69jNXwfT@MNxyGsxM+Kc|B=g*jyl-dgBboH%rqNY#XLo>LgmYFZQ^spgy
z%)yt|8@*D57t@ZE$9F&`LU>V<q*LEX>yk$gB`L4zdY_(1x^z&^N<PMmmu+z4IlARm
zJLSuquJ@$Vdbz6h$fmAZa3-zpL?8x2eMgs8LWHYU$?^-5CFNg#5Kk^CX&zeEj$AhD
z4Zs*VTGcvuqDfvT&Z$)VraV};I%d!;cdXkN{dFr?2LaHRwlJ+pniV|JEWMjK^wQm#
z>@a6l^#GBk7KrKj@`^SndMF2GD|415J;%g(X9f+ca~j=ESFPuWv`SV8N9C5Z0b!(@
z9Wc#~x&f5q2tNBE#SV~*PoL2n2LvzZQFB<zhhL=kH;nlqEghV_jc)b$2bX8P=t<9?
zyA-##URJcAHGDK{&q(t9p`-Whz2^u5@|Q-JHjdBr%Box3*xttv@{ZJ3fCoj(hhIns
z&8=AgzAf2@*%V~fp(VU~`?DD!js;{TTCniR!*gqJk^c9UNc0BIJ^O(!qzClnvEDE0
z2N>#E^y5zb-3LU7aj#xX56)m6^7EH19fG=Uh0S!ZG^EQ9U%U=#p3<<|dO$cjrxMiK
z>b@R`KW*H%`1WvJg|*X$c6qmGMF=vaFE*b4zCzAA6%F2zoqX`gN<9M36Fm^iCF|<K
zhk(pn(#`To(0cuxJ$yYlWQkg8-cshx2+>>F;I~fLlr}g*nkU_M_PN-w%3f(45Iuqn
z+MqZ6cj`ROSyX&c>x(bub_U|T1M%qD*`LYGkj`A5?L=Sg_&<O9V)NeYl^Tg+Yd)Vo
z6(Ar|FRu<b7LeLNtR2&u)>Dd)f0-4}m+gedN-{rcU8mvc7XRC+xSh?HccMd8{Jpo%
zYFiMHLN{D|jZZ$DOJ247^>-Wuq<IXPB&z`wBVbS+AgWcwZ+25BKII6S%U8|d?6Y`2
zES6_`Fz=bqqPRJLfP5W@zrgdG_wsEkVkO27)DOPyzZS%^+smFv#Rc8;ztK8*wZGmA
zG1odCh>gd8n-yQI1Vv5lLqH(g-uMVT(ft>%S96*g6yKnqzZG-kLnxIz2b*^wAi%5C
z%)D2P5c+aYl@4%I`i@d@ea$Lod$iOmtYs$|5{U)#8NKNq!s^LzSUr3b7S#O%dJjqv
z&(2<jb1QW2@@^+uJdNgVi%0jaSca6|J@pH^e1FB+3tC5mBt!ZTki~B6WGD4_`whCE
zm-U!O7o`LEW`1A>n-=$*MYm05X~>_b;-^mT>3}DA@$=$t9FT9%J->Os^yg4a4`$40
z5i+DtYbD)pl`5FN-o?2cMe{L_&(;Rb@}Te;fBbATo(^zajcIDZ(ux7KG02cSS}3)3
z5T$dLklD1Ny@z56G9+BA&JJ#MWUWsh+=Hw_Tx%HuvhjP5oOdce2_H?RI>-%L+ACHh
z`_R&sw~V8=7kTdI@5IgJ^24SUXGn*Z15vBgRJ`bgh|osXWOdoMwqlpe<KwdFH#D)4
z1Y|9>AO*H&-h2<?;yvV*Q|?%o|J}v&U2*&1KX=2K75u;x)4F~d-M<ZASzAHQQdchY
zm9*rqOO+W*l@!e5`G=(gaem9uJ*|J?IqIpDNB4o}BPhw6pnNXrx)q)1=nGAky7-+Z
z{;t_tvWFCR!=g%#ETyVz-qCKz$}ViL@pGDIxtpqY3StF|?I9MdGHRxG%F@;1CHmN-
zzXFdZ&627@MNoRQ|F7cffs^+1;S&}+nqzJUVh+CZgJ!8?9X#mblYCKqV+9N9C?MO_
zrXKGhstRS5omtD%2Z+Np*mv%ocxwNmL)f#pwXW;g0p;n1^av6$&D>ZUgz$7-dKKcP
z4z6_RQWOh&TMZR`DX9>Ug|$@iDGU#8^b_tn1SEciwr!sMVni|m64=KOpv$O?Eepx0
zz++hvsI15WZ@2;@P<#%F6|e)^29tLMf?URfO+AnWjAU1kc|j%^cpR2NMkcb$6Ov(W
z44GtH0RRBOtYPLLwvLV1499FDLynL7g6)pLH5)^YjWFmS3GfIw%P20#MA;!h23H6%
zn8;ujfGacW&|`B>U}wfZM`1w7n4oH~IRGQZ25_ARDQ6D?0yMZmBR8<lY=D42c0rF2
z2Nr`JO=1>rBoO!;>>&k9p~*R9^rlY`hu8=1$p;28iH8sYDPUmM!e{(rC5pL;cFYDn
z*1#TNMU)XE6R}7l8vEnO*iB-MFcHGV;$&im<Hx3BZ#WSoblwc6(7^)m5t)i6Zj)Q$
znIw)U0*H)Zvu4cXMyhC}!n9fqHSa~3XKtoi)Bno?vuo5#<{7g{0)c_#u_Ar{k7UT7
zv|~Cs_)c!z^gd-??@S1|rm|Dj5ijFHcdYOSvs2Zn#DuzTX3D(=hsX-%rv9&+x~}zy
zV!`#X>v;dDI<-lNT@UeyG1X$%)cCYFo!pe9``VxW|5_GAWXZHCAqhIxjC$9KOUX4J
zOgdv?8k7+^k{byTOh$uap^4ei-*{;1o12J_`BOc(rXmPW&?L&&VNVzAI?Sm-)=p?{
z!u&tAvx!PvmAGytZl;!!YvOa-Pe_8OBIW*9EbMrTEGUr5^Hzux(A1|L7zLUFaV};$
zmMr*l2n?v@nKjw3*P<O51?%mnMCYlo5E&sXhT+=rc{;QMqae>-+n5Cc@D^DJU}z~t
zJ1`0?4FT-iAr1f_2td)o#{F+>V$PyTF}xS4e~d(w-H&0(j3&$tSqIk<ak?Q-(Gmnf
z1VIo%5JZq~iZI5`&d9(F?+voB(-yF>k0iiCo-SqvCT7M#14aQe6999SUnert*{%Qp
N002ovPDHLkV1f$s#LfT!

literal 0
HcmV?d00001

diff --git a/cli/experimental/images/vlans-deeper-look.svg b/cli/experimental/images/vlans-deeper-look.svg
new file mode 100644
index 00000000..96cd21d5
--- /dev/null
+++ b/cli/experimental/images/vlans-deeper-look.svg
@@ -0,0 +1 @@
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="586" height="601"><style xmlns="http://www.w3.org/1999/xhtml"></style><defs/><g transform="translate(0,0)"><g><rect fill="#FFFFFF" stroke="none" x="0" y="0" width="586" height="601"/></g><g transform="matrix(1,0,0,1,295,192.98406475670114)"><g transform="translate(0,0)"><g transform="translate(-39,-89.9329528808594) translate(-256,-103.05111187584174) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#666666" d="M 300 323.5 L 300 197.98406475670114" stroke-miterlimit="10" stroke-width="3"/></g></g></g></g><g transform="matrix(1,0,0,1,295,192.98406475670114)"><g transform="translate(0,0)"><g transform="translate(-39,-89.9329528808594) translate(-256,-103.05111187584174) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#999999" d="M 300 323.5 L 300 197.98406475670114" stroke-miterlimit="10" stroke-width="3"/></g></g></g></g><g transform="matrix(1,0,0,1,252,201.98406475670117)"><g transform="translate(0,0)"><g transform="translate(4,-98.9329528808594) translate(-256,-103.05111187584177) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#666666" d="M 257 332.5 L 257 206.98406475670117" stroke-miterlimit="10" stroke-width="3"/></g></g></g></g><g transform="matrix(1,0,0,1,252,201.98406475670117)"><g transform="translate(0,0)"><g transform="translate(4,-98.9329528808594) translate(-256,-103.05111187584177) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#999999" d="M 257 332.5 L 257 206.98406475670117" stroke-miterlimit="10" stroke-width="3"/></g></g></g></g><g transform="translate(0,0) matrix(0.9970841003774397,-0.07631052859541608,0.07631052859541608,0.9970841003774397,6.812265994936054,40.19841100496578)"><g><g transform="translate(0,0) scale(5.40007959672885,3.87815826436388) translate(0.00001348378,-0.001498589)"><g><g><path fill="#FFFFFF" stroke="#999999" d="M 33.84 5.912 C 16.263 2.403 6.986 11.405 8.451 19.186 L 8.57 19.61 C -5.128 21.942 -1.537 38.106 5.033 38.106 L 5.679 38.085 C 4.026 45.68 20.032 53.41 28.958 49.548 L 29.531 48.92 C 32.713 55.752 44.02 56.893 55.201 57.177 C 64.89 57.425 70.546 56.658 74.702 52.411 L 75.341 52.599 C 90.852 53.845 97.915 43.133 94.526 35.442 L 95.36 35.207 C 100.648 33.808 101.258 21.602 92.187 19.797 L 92.361 19.325 C 96.299 11.385 87.011 3.896 74.124 5.303 L 73.23 4.837 C 64.003 -3.517 37.449 -2.157 34.373 6.108 L 33.84 5.912 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,15,322)"><g><g transform="translate(0,0) scale(5.31,2.59)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.18832391713747648,0.3861003861003861)"><path fill="#c5e4fc" stroke="none" d="M 10 0 L 521 0 Q 531 0 531 10 L 531 249 Q 531 259 521 259 L 10 259 Q 0 259 0 249 L 0 10 Q 0 0 10 0 Z" opacity="0.93"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 521 0 Q 531 0 531 10 L 531 249 Q 531 259 521 259 L 10 259 Q 0 259 0 249 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" stroke-width="2" opacity="0.93"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,47,409)"><g transform="translate(4,4) scale(1.0034722222222223,1.004201680672269)"><g><g transform="translate(0,0) scale(1.44,1.19)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,0.8403361344537815)"><path fill="#000000" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 109 Q 144 119 134 119 L 10 119 Q 0 119 0 109 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 109 Q 144 119 134 119 L 10 119 Q 0 119 0 109 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.44,1.19)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,0.8403361344537815)"><path fill="#5fcc5a" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 109 Q 144 119 134 119 L 10 119 Q 0 119 0 109 L 0 10 Q 0 0 10 0 Z" opacity="0.99"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 109 Q 144 119 134 119 L 10 119 Q 0 119 0 109 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.99"/></g></g></g></g></g><g transform="matrix(1,0,0,1,115,387)"><g transform="translate(0,0)"><g transform="translate(38,-78.9329528808594) translate(-153,-308.0670471191406) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 119 409 L 119 391" stroke-miterlimit="10"/></g></g></g></g><g transform="matrix(1,0,0,1,-3,543)"><g transform="translate(1676,32) matrix(1,0,0,1,0,0) translate(-1676,-32)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="566" height="32" fill-opacity="0"/></g></g><g transform="translate(1676,32) matrix(1,0,0,1,0,0) translate(-1676,-32)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="566" height="32" fill-opacity="0"/></g></g><g transform="translate(1676,32) matrix(1,0,0,1,0,0) translate(-1676,-32)"><g><rect fill="rgb(0,0,0)" stroke="none" x="25" y="0" width="83" height="16" fill-opacity="0"/></g></g><g transform="translate(1676,32) matrix(1,0,0,1,0,0) translate(-1676,-32)"><g><rect fill="rgb(0,0,0)" stroke="none" x="25" y="0" width="83" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="25" y="14">Docker</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="76" y="14">Host</text></g><g transform="translate(1676,32) matrix(1,0,0,1,0,0) translate(-1676,-32)"><g><rect fill="rgb(0,0,0)" stroke="none" x="108" y="0" width="360" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="108" y="14">:</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="115" y="14">Frontend</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="171" y="14">,</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="179" y="14">Backend</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="234" y="14"> &amp;</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="251" y="14">Credit</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="292" y="14">Card</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="326" y="14">App</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="355" y="14">Tiers</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="390" y="14">are</text></g><g transform="translate(1676,32) matrix(1,0,0,1,0,0) translate(-1676,-32)"><g><rect fill="rgb(0,0,0)" stroke="none" x="414" y="0" width="53" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="bold" text-decoration="" line-height="16.5px" x="414" y="14">Isolated</text></g><g transform="translate(1676,32) matrix(1,0,0,1,0,0) translate(-1676,-32)"><g><rect fill="rgb(0,0,0)" stroke="none" x="467" y="0" width="515" height="32" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="471" y="14">but</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="494" y="14">can</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="521" y="14">still</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="27" y="30">communicate</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="114" y="30">inside</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="201" y="30">interface</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="258" y="30">or</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="275" y="30">any</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="301" y="30">other</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="337" y="30">Docker</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="385" y="30">hosts</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="423" y="30">using</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="normal" text-decoration="" line-height="16.5px" x="460" y="30">the</text></g><g transform="translate(1676,32) matrix(1,0,0,1,0,0) translate(-1676,-32)"><g><rect fill="rgb(0,0,0)" stroke="none" x="154" y="16" width="44" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="154" y="30">parent</text></g><g transform="translate(1676,32) matrix(1,0,0,1,0,0) translate(-1676,-32)"><g><rect fill="rgb(0,0,0)" stroke="none" x="483" y="16" width="57" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="483" y="30">VLAN</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="525" y="30">ID</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,31,290)"><g transform="translate(4,4) scale(1.0010060362173039,1.00625)"><g><g transform="translate(0,0) scale(4.97,0.8)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.2012072434607646,1.25)"><path fill="#000000" stroke="none" d="M 10 0 L 487 0 Q 497 0 497 10 L 497 70 Q 497 80 487 80 L 10 80 Q 0 80 0 70 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 487 0 Q 497 0 497 10 L 497 70 Q 497 80 487 80 L 10 80 Q 0 80 0 70 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(4.97,0.8)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.2012072434607646,1.25)"><path fill="#cccccc" stroke="none" d="M 10 0 L 487 0 Q 497 0 497 10 L 497 70 Q 497 80 487 80 L 10 80 Q 0 80 0 70 L 0 10 Q 0 0 10 0 Z"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 487 0 Q 497 0 497 10 L 497 70 Q 497 80 487 80 L 10 80 Q 0 80 0 70 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="matrix(1,0,0,1,300,248)"><g transform="translate(211,0) matrix(1,0,0,1,0,0) translate(-211,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="258" height="48" fill-opacity="0"/></g></g><g transform="translate(211,0) matrix(1,0,0,1,0,0) translate(-211,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="258" height="32" fill-opacity="0"/></g></g><g transform="translate(211,0) matrix(1,0,0,1,0,0) translate(-211,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="3" y="0" width="101" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="3" y="14">802</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="27" y="14">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="31" y="14">1Q</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="53" y="14">Trunk</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="91" y="14"> -</text></g><g transform="translate(211,0) matrix(1,0,0,1,0,0) translate(-211,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="104" y="0" width="242" height="32" fill-opacity="0"/></g></g><g transform="translate(211,0) matrix(1,0,0,1,0,0) translate(-211,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="104" y="0" width="242" height="32" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="104" y="14">can</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="130" y="14">be</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="150" y="14">a</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="161" y="14">single</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="202" y="14">Ethernet</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="14" y="30">link</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="39" y="30">or</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="55" y="30">Multiple</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="107" y="30">Bonded</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="159" y="30">Ethernet</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="italic" font-weight="normal" text-decoration="" line-height="16.5px" x="216" y="30">links</text></g></g><g transform="matrix(1,0,0,1,200,307)"><g transform="translate(32,0) matrix(1,0,0,1,0,0) translate(-32,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="157" height="22" fill-opacity="0"/></g></g><g transform="translate(32,0) matrix(1,0,0,1,0,0) translate(-32,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="157" height="22" fill-opacity="0"/></g></g><g transform="translate(32,0) matrix(1,0,0,1,0,0) translate(-32,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="16" y="0" width="125" height="22" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="normal" text-decoration="" line-height="22.75px" x="63" y="19">Interface</text></g><g transform="translate(32,0) matrix(1,0,0,1,0,0) translate(-32,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="16" y="0" width="42" height="22" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="20px" font-style="normal" font-weight="bold" text-decoration="" line-height="22.75px" x="16" y="19">eth0</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,207,331)"><g transform="translate(4,4) scale(1.0034722222222223,1.0083333333333333)"><g><g transform="translate(0,0) scale(1.44,0.6)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,1.6666666666666667)"><path fill="#000000" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.44,0.6)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,1.6666666666666667)"><path fill="#fca13f" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" opacity="0.99"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.99"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,207,409)"><g transform="translate(4,4) scale(1.0034722222222223,1.004201680672269)"><g><g transform="translate(0,0) scale(1.44,1.19)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,0.8403361344537815)"><path fill="#000000" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 109 Q 144 119 134 119 L 10 119 Q 0 119 0 109 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 109 Q 144 119 134 119 L 10 119 Q 0 119 0 109 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.44,1.19)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,0.8403361344537815)"><path fill="#fca13f" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 109 Q 144 119 134 119 L 10 119 Q 0 119 0 109 L 0 10 Q 0 0 10 0 Z" opacity="0.99"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 109 Q 144 119 134 119 L 10 119 Q 0 119 0 109 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.99"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,234.91044776119404,438.2696192696193)"><g transform="translate(4,4) scale(1.0048976608187135,1.00910441426146)"><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#000000" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,225.955223880597,428.63480963480964)"><g transform="translate(4,4) scale(1.0048976608187135,1.00910441426146)"><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#000000" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,217,419)"><g transform="translate(4,4) scale(1.0048976608187135,1.00910441426146)"><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#000000" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="matrix(1,0,0,1,227,424)"><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="83" height="44" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="83" height="14" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="8" y="0" width="67" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="8" y="12">Container</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="61" y="12">(</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="65" y="12">s</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="71" y="12">)</text></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="83" height="30" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="28" y="14" width="73" height="30" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="28" y="14" width="73" height="30" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="28" y="27">Eth0</text></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="5" y="29" width="73" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="5" y="42">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="20" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="23" y="42">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="31" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="34" y="42">20</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="49" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="52" y="42">0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="60" y="42">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="63" y="42">24</text></g></g><g transform="matrix(1,0,0,1,275,387)"><g transform="translate(0,0)"><g transform="translate(-292,-88.9329528808594) translate(17,-298.0670471191406) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 279 409 L 279 391" stroke-miterlimit="10"/></g></g></g></g><g transform="matrix(1,0,0,1,215,341)"><g transform="translate(176,60) matrix(1,0,0,1,0,0) translate(-176,-60)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="129" height="40" fill-opacity="0"/></g></g><g transform="translate(176,60) matrix(1,0,0,1,0,0) translate(-176,-60)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="129" height="20" fill-opacity="0"/></g></g><g transform="translate(176,60) matrix(1,0,0,1,0,0) translate(-176,-60)"><g><rect fill="rgb(0,0,0)" stroke="none" x="2" y="0" width="127" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="2" y="17">Parent</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="55" y="17">:</text></g><g transform="translate(176,60) matrix(1,0,0,1,0,0) translate(-176,-60)"><g><rect fill="rgb(0,0,0)" stroke="none" x="65" y="0" width="63" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="65" y="17">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="102" y="17">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="107" y="17">20</text></g><g transform="translate(176,60) matrix(1,0,0,1,0,0) translate(-176,-60)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="20" width="129" height="20" fill-opacity="0"/></g></g><g transform="translate(176,60) matrix(1,0,0,1,0,0) translate(-176,-60)"><g><rect fill="rgb(0,0,0)" stroke="none" x="14" y="20" width="101" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="14" y="37">VLAN</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="66" y="37">ID</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="84" y="37">:</text></g><g transform="translate(176,60) matrix(1,0,0,1,0,0) translate(-176,-60)"><g><rect fill="rgb(0,0,0)" stroke="none" x="95" y="20" width="21" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="95" y="37">20</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,367,409)"><g transform="translate(4,4) scale(1.0034722222222223,1.0042735042735043)"><g><g transform="translate(0,0) scale(1.44,1.17)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,0.8547008547008548)"><path fill="#000000" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 107 Q 144 117 134 117 L 10 117 Q 0 117 0 107 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 107 Q 144 117 134 117 L 10 117 Q 0 117 0 107 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.44,1.17)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,0.8547008547008548)"><path fill="#eb6c6c" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 107 Q 144 117 134 117 L 10 117 Q 0 117 0 107 L 0 10 Q 0 0 10 0 Z" opacity="0.99"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 107 Q 144 117 134 117 L 10 117 Q 0 117 0 107 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.99"/></g></g></g></g></g><g transform="matrix(1,0,0,1,435,387)"><g transform="translate(0,0)"><g transform="translate(-622,-98.9329528808594) translate(187,-288.0670471191406) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#000000" d="M 439 409 L 439 391" stroke-miterlimit="10"/></g></g></g></g><g transform="matrix(1,0,0,1,373,501)"><g transform="translate(15,0) matrix(1,0,0,1,0,0) translate(-15,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="132" height="20" fill-opacity="0"/></g></g><g transform="translate(15,0) matrix(1,0,0,1,0,0) translate(-15,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="132" height="20" fill-opacity="0"/></g></g><g transform="translate(15,0) matrix(1,0,0,1,0,0) translate(-15,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="15" y="0" width="102" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="15" y="17">Credit</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="69" y="17">Cards</text></g></g><g transform="matrix(1,0,0,1,211,502)"><g transform="translate(31,0) matrix(1,0,0,1,0,0) translate(-31,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="132" height="20" fill-opacity="0"/></g></g><g transform="translate(31,0) matrix(1,0,0,1,0,0) translate(-31,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="132" height="20" fill-opacity="0"/></g></g><g transform="translate(31,0) matrix(1,0,0,1,0,0) translate(-31,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="31" y="0" width="72" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="31" y="17">Backend</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,394.910447761194,438.2696192696193)"><g transform="translate(4,4) scale(1.0048976608187135,1.00910441426146)"><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#000000" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,385.95522388059703,428.63480963480964)"><g transform="translate(4,4) scale(1.0048976608187135,1.00910441426146)"><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#000000" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,377,419)"><g transform="translate(4,4) scale(1.0048976608187135,1.00910441426146)"><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#000000" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="matrix(1,0,0,1,387,424)"><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="83" height="44" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="83" height="14" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="8" y="0" width="67" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="8" y="12">Container</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="61" y="12">(</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="65" y="12">s</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="71" y="12">)</text></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="83" height="30" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="28" y="14" width="73" height="30" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="28" y="14" width="73" height="30" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="28" y="27">Eth0</text></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="5" y="29" width="73" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="5" y="42">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="20" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="23" y="42">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="31" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="34" y="42">30</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="49" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="52" y="42">0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="60" y="42">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="63" y="42">24</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,74.91044776119404,438.2696192696193)"><g transform="translate(4,4) scale(1.0048976608187135,1.00910441426146)"><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#000000" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,65.95522388059702,428.63480963480964)"><g transform="translate(4,4) scale(1.0048976608187135,1.00910441426146)"><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#000000" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,57,419)"><g transform="translate(4,4) scale(1.0048976608187135,1.00910441426146)"><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#000000" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.0208955223880598,0.5491841491841488)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.9795321637426899,1.8208828522920215)"><path fill="#4cacf5" stroke="none" d="M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" opacity="0.97"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 92.08955223880598 0 Q 102.08955223880598 0 102.08955223880598 10 L 102.08955223880598 44.91841491841488 Q 102.08955223880598 54.91841491841488 92.08955223880598 54.91841491841488 L 10 54.91841491841488 Q 0 54.91841491841488 0 44.91841491841488 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.97"/></g></g></g></g></g><g transform="matrix(1,0,0,1,67,424)"><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="83" height="44" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="83" height="14" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="8" y="0" width="67" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="8" y="12">Container</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="61" y="12">(</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="65" y="12">s</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="71" y="12">)</text></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="83" height="30" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="28" y="14" width="73" height="30" fill-opacity="0"/></g></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="28" y="14" width="73" height="30" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="normal" text-decoration="" line-height="15.5px" x="28" y="27">Eth0</text></g><g transform="translate(69,71) matrix(1,0,0,1,0,0) translate(-69,-71)"><g><rect fill="rgb(0,0,0)" stroke="none" x="5" y="29" width="73" height="15" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="5" y="42">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="20" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="23" y="42">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="31" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="34" y="42">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="49" y="42">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="52" y="42">0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="60" y="42">/</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="13px" font-style="normal" font-weight="bold" text-decoration="" line-height="15.5px" x="63" y="42">24</text></g></g><g transform="matrix(1,0,0,1,53,502)"><g transform="translate(30,0) matrix(1,0,0,1,0,0) translate(-30,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="132" height="20" fill-opacity="0"/></g></g><g transform="translate(30,0) matrix(1,0,0,1,0,0) translate(-30,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="132" height="20" fill-opacity="0"/></g></g><g transform="translate(30,0) matrix(1,0,0,1,0,0) translate(-30,0)"><g><rect fill="rgb(0,0,0)" stroke="none" x="30" y="0" width="74" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="30" y="17">Frontend</text></g></g><g transform="matrix(1,0,0,1,271.50000000000006,96.41047267550272)"><g transform="translate(0,0)"><g transform="translate(-274,-128.00000000000003) translate(2.499999999999943,31.58952732449731) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#ff9900" d="M 278.00000000000006 102.91047267550272 M 278.00000000000006 102.91047267550272 L 278.00000000000006 108.91047267550272 M 278.00000000000006 108.91047267550272 M 278.00000000000006 114.91047267550272 L 278.00000000000006 120.91047267550272 M 278.00000000000006 120.91047267550272 M 278.00000000000006 126.91047267550272 L 278.00000000000006 132.91047267550272 M 278.00000000000006 132.91047267550272 M 278.00000000000006 138.91047267550272 L 278.00000000000006 144.91047267550272 M 278.00000000000006 144.91047267550272 M 278.00000000000006 150.91047267550272 L 278.00000000000006 156.91047267550272 M 278.00000000000006 156.91047267550272 M 278.00000000000006 162.91047267550272 L 278.00000000000006 168.91047267550272 M 278.00000000000006 168.91047267550272 M 278.00000000000006 174.91047267550272 L 278.00000000000006 180.91047267550272 M 278.00000000000006 180.91047267550272 M 278.00000000000006 186.91047267550272 L 278.00000000000006 192.91047267550272 M 278.00000000000006 192.91047267550272 M 278.00000000000006 198.91047267550272 L 278.00000000000006 204.91047267550272 M 278.00000000000006 204.91047267550272 M 278.00000000000006 210.91047267550272 L 278.00000000000006 216.91047267550272 M 278.00000000000006 216.91047267550272 M 278.00000000000006 222.91047267550272 L 278.00000000000006 228.91047267550272 M 278.00000000000006 228.91047267550272 M 278.00000000000006 234.91047267550272 L 278.00000000000006 240.91047267550272 M 278.00000000000006 240.91047267550272 M 278.00000000000006 246.91047267550272 L 278.00000000000006 252.91047267550272 M 278.00000000000006 252.91047267550272 M 278.00000000000006 258.9104726755027 L 278.00000000000006 264.9104726755027 M 278.00000000000006 264.9104726755027 M 278.00000000000006 270.9104726755027 L 278.00000000000006 276.9104726755027 M 278.00000000000006 276.9104726755027 M 278.00000000000006 282.9104726755027 L 278.00000000000006 288.9104726755027 M 278.00000000000006 288.9104726755027 M 278.00000000000006 294.9104726755027 L 278.0000000000001 300.9104726755027 M 278.0000000000001 300.9104726755027" stroke-miterlimit="10" stroke-width="6"/></g></g></g></g><g transform="matrix(1,0,0,1,284.40277777777806,243.31491457745426)"><g transform="translate(0,0)"><g transform="translate(-104.62600160256406,-181.95081824533966) translate(-179.776776175214,-61.3640963321146) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#cc0000" d="M 395.6805555555633 368.59527295942837 M 395.6805555555633 368.59527295942837 L 395.6805555555633 362.59527295942837 M 395.6805555555633 362.59527295942837 M 395.6805555555633 356.59527295942837 L 395.6805555555633 350.59527295942837 M 395.6805555555633 350.59527295942837 M 395.6805555555633 344.59527295942837 L 395.6805555555633 338.59527295942837 M 395.6805555555633 338.59527295942837 M 395.6805555555633 332.59527295942837 L 395.6805555555633 326.59527295942837 M 395.6805555555633 326.59527295942837 M 395.6805555555633 320.59527295942837 L 395.6805555555633 314.59527295942837 M 395.6805555555633 314.59527295942837 M 395.6454730957975 308.5959974887863 Q 395.42473204507803 305.08992137071624 393.81507437340014 302.97276187360467 M 393.81507437340014 302.97276187360467 M 388.7448234749301 300.0250475217899 Q 387.3524512811001 299.74552399008303 385.6805555555633 299.74552399008303 L 382.7625569263178 299.74552399008303 M 382.7625569263178 299.74552399008303 M 376.7625569263178 299.74552399008303 L 370.7625569263178 299.74552399008303 M 370.7625569263178 299.74552399008303 M 364.7625569263178 299.74552399008303 L 358.7625569263178 299.74552399008303 M 358.7625569263178 299.74552399008303 M 352.7625569263178 299.74552399008303 L 346.7625569263178 299.74552399008303 M 346.7625569263178 299.74552399008303 M 340.7625569263178 299.74552399008303 L 334.7625569263178 299.74552399008303 M 334.7625569263178 299.74552399008303 M 328.7625569263178 299.74552399008303 L 322.7625569263178 299.74552399008303 M 322.7625569263178 299.74552399008303 M 316.7625569263178 299.74552399008303 L 310.7625569263178 299.74552399008303 M 310.7625569263178 299.74552399008303 M 304.7625569263178 299.74552399008303 L 300.90277777777806 299.74552399008303 Q 299.7712873305603 299.74552399008303 298.7678239465571 299.6174969268685 M 298.7678239465571 299.6174969268685 M 293.3857693473039 297.228457504614 Q 291.4531834876415 295.28265607285664 291.0247864262038 291.83266584287463 M 291.0247864262038 291.83266584287463 M 290.90277777777806 285.8375555400254 L 290.90277777777806 279.8375555400254 M 290.90277777777806 279.8375555400254 M 290.90277777777806 273.8375555400254 L 290.90277777777806 267.8375555400254 M 290.90277777777806 267.8375555400254 M 290.90277777777806 261.8375555400254 L 290.90277777777806 255.8375555400254 M 290.90277777777806 255.8375555400254 M 290.90277777777806 249.8375555400254 L 290.90277777777806 249.81491457745426" stroke-miterlimit="10" stroke-width="6"/></g></g></g></g><g transform="matrix(1,0,0,1,284.40277777777794,125.75909597261261)"><g transform="translate(0,0)"><g transform="translate(-520.5887419871792,-284.3176338453479) translate(236.18596420940128,158.55853787273531) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#cc0000" d="M 399.0972222222224 132.2590959726126 M 399.0972222222224 132.2590959726126 L 399.0972222222224 138.2590959726126 M 399.0972222222224 138.2590959726126 M 399.0972222222224 144.2590959726126 L 399.0972222222224 150.2590959726126 M 399.0972222222224 150.2590959726126 M 399.0972222222224 156.2590959726126 L 399.0972222222224 162.2590959726126 M 399.0972222222224 162.2590959726126 M 399.0972222222224 168.2590959726126 L 399.0972222222224 174.2590959726126 M 399.0972222222224 174.2590959726126 M 399.0972222222224 180.2590959726126 L 399.0972222222224 186.2590959726126 M 399.0972222222224 186.2590959726126 M 399.0972222222224 192.2590959726126 L 399.0972222222224 192.67013315779485 Q 399.0972222222224 195.91836389834842 398.0421219278347 198.11149434451426 M 398.0421219278347 198.11149434451426 M 393.6659405128273 201.97829744802294 Q 391.72749922241087 202.67013315779496 389.0972222222224 202.67013315779502 L 387.7405118088071 202.67013315779505 M 387.7405118088071 202.67013315779505 M 381.7405118088071 202.67013315779514 L 375.7405118088071 202.67013315779522 M 375.7405118088071 202.67013315779522 M 369.7405118088071 202.6701331577953 L 363.7405118088071 202.6701331577954 M 363.7405118088071 202.6701331577954 M 357.7405118088071 202.67013315779548 L 351.7405118088071 202.67013315779556 M 351.7405118088071 202.67013315779556 M 345.7405118088071 202.67013315779565 L 339.7405118088071 202.67013315779573 M 339.7405118088071 202.67013315779573 M 333.7405118088071 202.67013315779585 L 327.7405118088071 202.67013315779593 M 327.7405118088071 202.67013315779593 M 321.7405118088071 202.67013315779604 L 315.7405118088071 202.67013315779613 M 315.7405118088071 202.67013315779613 M 309.7405118088071 202.67013315779624 L 303.7405118088071 202.67013315779633 M 303.7405118088071 202.67013315779633 M 297.7598678856485 202.9657135423712 Q 294.4328042761472 203.65647640532174 292.72003362291935 205.9615322245457 M 292.72003362291935 205.9615322245457 M 290.93300792210687 211.60072437358687 Q 290.90277777777794 212.12031369352724 290.90277777777794 212.67013315779656 L 290.90277777777794 217.600146725365 M 290.90277777777794 217.600146725365 M 290.90277777777794 223.600146725365 L 290.90277777777794 229.600146725365 M 290.90277777777794 229.600146725365 M 290.90277777777794 235.600146725365 L 290.90277777777794 241.600146725365 M 290.90277777777794 241.600146725365 M 290.90277777777794 247.600146725365 L 290.90277777777794 251.03945435457118" stroke-miterlimit="10" stroke-width="6"/></g></g></g></g><g transform="matrix(1,0,0,1,155.81944444443684,107.17033542596326)"><g transform="translate(0,0)"><g transform="translate(-453.3739983974361,-305.60207610719107) translate(297.55455395299924,198.4317406812278) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#38761d" d="M 162.31944444443684 113.67033542596326 M 162.31944444443684 113.67033542596326 L 162.31944444443684 119.67033542596326 M 162.31944444443684 119.67033542596326 M 162.31944444443684 125.67033542596326 L 162.31944444443684 131.67033542596326 M 162.31944444443684 131.67033542596326 M 162.31944444443684 137.67033542596326 L 162.31944444443684 143.67033542596326 M 162.31944444443684 143.67033542596326 M 162.31944444443684 149.67033542596326 L 162.31944444443684 155.67033542596326 M 162.31944444443684 155.67033542596326 M 162.31944444443684 161.67033542596326 L 162.31944444443684 167.67033542596326 M 162.31944444443684 167.67033542596326 M 162.31944444443684 173.67033542596326 L 162.31944444443684 179.67033542596326 M 162.31944444443684 179.67033542596326 M 162.31944444443684 185.67033542596326 L 162.31944444443684 189.5415587499461 Q 162.31944444443684 190.66665091919444 162.44602768336722 191.66515984951238 M 162.44602768336722 191.66515984951238 M 164.82839767826374 197.05049598033753 Q 166.77191548654997 198.987072120429 170.22094619965992 199.41813535569676 M 170.22094619965992 199.41813535569676 M 176.2159687190514 199.5415587499461 L 182.2159687190514 199.5415587499461 M 182.2159687190514 199.5415587499461 M 188.2159687190514 199.5415587499461 L 194.2159687190514 199.5415587499461 M 194.2159687190514 199.5415587499461 M 200.2159687190514 199.5415587499461 L 206.2159687190514 199.5415587499461 M 206.2159687190514 199.5415587499461 M 212.2159687190514 199.5415587499461 L 218.2159687190514 199.5415587499461 M 218.2159687190514 199.5415587499461 M 224.2159687190514 199.5415587499461 L 230.2159687190514 199.5415587499461 M 230.2159687190514 199.5415587499461 M 236.2159687190514 199.5415587499461 L 242.2159687190514 199.5415587499461 M 242.2159687190514 199.5415587499461 M 248.2159687190514 199.5415587499461 L 254.2159687190514 199.5415587499461 M 254.2159687190514 199.5415587499461 M 260.1975055563821 199.82836878769723 Q 263.5309416038837 200.5080005580397 265.2539063203237 202.79810365944377 M 265.2539063203237 202.79810365944377 M 267.0644085030223 208.4287072615088 Q 267.09722222222206 208.96872614612755 267.09722222222206 209.5415587499461 L 267.09722222222206 214.4280528453731 M 267.09722222222206 214.4280528453731 M 267.09722222222206 220.4280528453731 L 267.09722222222206 226.4280528453731 M 267.09722222222206 226.4280528453731 M 267.09722222222206 232.4280528453731 L 267.09722222222206 235.81551770804643" stroke-miterlimit="10" stroke-width="6"/></g></g></g></g><g transform="matrix(1,0,0,1,152.4027777777773,228.0562890247442)"><g transform="translate(0,0)"><g transform="translate(-37.41125801282108,-200.3354013688455) translate(-114.99151976495621,-27.72088765589868) matrix(1,0,0,1,0,0)"><g><path fill="none" stroke="#38761d" d="M 158.9027777777773 356.7014713068111 M 158.9027777777773 356.7014713068111 L 158.9027777777773 350.7014713068111 M 158.9027777777773 350.7014713068111 M 158.9027777777773 344.7014713068111 L 158.9027777777773 338.7014713068111 M 158.9027777777773 338.7014713068111 M 158.9027777777773 332.7014713068111 L 158.9027777777773 326.7014713068111 M 158.9027777777773 326.7014713068111 M 158.9027777777773 320.7014713068111 L 158.90277777777732 314.7014713068111 M 158.90277777777732 314.7014713068111 M 158.9386276948351 308.7022201112491 Q 159.16189382506047 305.19660315095655 160.77561686556083 303.081443100939 M 160.77561686556083 303.081443100939 M 165.85041734767782 300.14100539293156 Q 167.23802796592435 299.86386619932506 168.90277777777732 299.863866199325 L 171.83292026888248 299.8638661993249 M 171.83292026888248 299.8638661993249 M 177.83292026888248 299.86386619932466 L 183.83292026888248 299.86386619932443 M 183.83292026888248 299.86386619932443 M 189.83292026888248 299.8638661993242 L 195.83292026888248 299.863866199324 M 195.83292026888248 299.863866199324 M 201.83292026888248 299.86386619932375 L 207.83292026888248 299.8638661993235 M 207.83292026888248 299.8638661993235 M 213.83292026888248 299.8638661993233 L 219.83292026888248 299.86386619932307 M 219.83292026888248 299.86386619932307 M 225.83292026888248 299.86386619932284 L 231.83292026888248 299.8638661993226 M 231.83292026888248 299.8638661993226 M 237.83292026888248 299.8638661993224 L 243.83292026888248 299.86386619932216 M 243.83292026888248 299.86386619932216 M 249.83292026888248 299.86386619932193 L 255.83292026888248 299.86386619932176 M 255.83292026888248 299.86386619932176 M 261.7528202251644 299.1405476054279 Q 264.7675844859315 298.0314529459795 266.0817275073145 295.22173704714703 M 266.0817275073145 295.22173704714703 M 267.0972222222195 289.3604205540609 L 267.0972222222195 283.3604205540609 M 267.0972222222195 283.3604205540609 M 267.0972222222195 277.3604205540609 L 267.0972222222195 271.3604205540609 M 267.0972222222195 271.3604205540609 M 267.0972222222195 265.3604205540609 L 267.0972222222195 259.3604205540609 M 267.0972222222195 259.3604205540609 M 267.0972222222195 253.3604205540609 L 267.0972222222195 247.3604205540609 M 267.0972222222195 247.3604205540609 M 267.0972222222195 241.3604205540609 L 267.0972222222195 235.3604205540609 M 267.0972222222195 235.3604205540609" stroke-miterlimit="10" stroke-width="6"/></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,193.51767083236396,40.461511948529306)"><g><g transform="translate(0,0) scale(1.7520258247164675,1.25824690354917) translate(0.00001348378,-0.001498589)"><g><g><path fill="#FFFFFF" stroke="#ff9900" d="M 33.84 5.912 C 16.263 2.403 6.986 11.405 8.451 19.186 L 8.57 19.61 C -5.128 21.942 -1.537 38.106 5.033 38.106 L 5.679 38.085 C 4.026 45.68 20.032 53.41 28.958 49.548 L 29.531 48.92 C 32.713 55.752 44.02 56.893 55.201 57.177 C 64.89 57.425 70.546 56.658 74.702 52.411 L 75.341 52.599 C 90.852 53.845 97.915 43.133 94.526 35.442 L 95.36 35.207 C 100.648 33.808 101.258 21.602 92.187 19.797 L 92.361 19.325 C 96.299 11.385 87.011 3.896 74.124 5.303 L 73.23 4.837 C 64.003 -3.517 37.449 -2.157 34.373 6.108 L 33.84 5.912 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,213,55)"><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="137" height="56" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="137" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="18" y="0" width="51" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="18" y="12">Gateway</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="69" y="0" width="51" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="69" y="12">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="82" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="86" y="12">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="92" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="96" y="12">20</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="109" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="112" y="12">1</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="137" height="28" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="2" y="14" width="4" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="5" y="14" width="58" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="9" y="26">and</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="32" y="26">other</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="63" y="14" width="129" height="28" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="63" y="26">containers</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="122" y="26">on</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="7" y="40">the</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="27" y="40">same</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="59" y="40">VLAN</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="91" y="40">/</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="94" y="28" width="37" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="94" y="40">subnet</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="42" width="137" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="67" y="42" width="5" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g/></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,345.9019607843137,48.00000000000003)"><g><g transform="translate(0,0) scale(0.3709803921568625,0.18000000000000005)"><g><path fill="#4cacf5" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.6955602536997905,5.5555555555555545)"><path fill="none" stroke="none" d="M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#666666" d="M 0 0 M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,341.48549019607844,44.15384615384616)"><g><g transform="translate(0,0) scale(0.3709803921568625,0.18000000000000005)"><g><path fill="#4cacf5" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.6955602536997905,5.5555555555555545)"><path fill="none" stroke="none" d="M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#666666" d="M 0 0 M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,336,39.00000000000003)"><g><g transform="translate(0,0) scale(0.3709803921568625,0.18000000000000005)"><g><path fill="#4cacf5" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.6955602536997905,5.5555555555555545)"><path fill="none" stroke="none" d="M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#666666" d="M 0 0 M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,57.51767083236396,94.4615119485293)"><g><g transform="translate(0,0) scale(1.7520258247164675,1.25824690354917) translate(0.00001348378,-0.001498589)"><g><g><path fill="#FFFFFF" stroke="#38761d" d="M 33.84 5.912 C 16.263 2.403 6.986 11.405 8.451 19.186 L 8.57 19.61 C -5.128 21.942 -1.537 38.106 5.033 38.106 L 5.679 38.085 C 4.026 45.68 20.032 53.41 28.958 49.548 L 29.531 48.92 C 32.713 55.752 44.02 56.893 55.201 57.177 C 64.89 57.425 70.546 56.658 74.702 52.411 L 75.341 52.599 C 90.852 53.845 97.915 43.133 94.526 35.442 L 95.36 35.207 C 100.648 33.808 101.258 21.602 92.187 19.797 L 92.361 19.325 C 96.299 11.385 87.011 3.896 74.124 5.303 L 73.23 4.837 C 64.003 -3.517 37.449 -2.157 34.373 6.108 L 33.84 5.912 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,77,109)"><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="137" height="56" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="137" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="18" y="0" width="51" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="18" y="12">Gateway</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="69" y="0" width="51" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="69" y="12">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="82" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="86" y="12">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="92" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="96" y="12">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="109" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="112" y="12">1</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="137" height="28" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="2" y="14" width="4" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="5" y="14" width="58" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="9" y="26">and</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="32" y="26">other</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="63" y="14" width="129" height="28" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="63" y="26">containers</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="122" y="26">on</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="7" y="40">the</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="27" y="40">same</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="59" y="40">VLAN</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="91" y="40">/</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="94" y="28" width="37" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="94" y="40">subnet</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="42" width="137" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="67" y="42" width="5" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g/></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,98.9019607843137,163.00000000000003)"><g><g transform="translate(0,0) scale(0.3709803921568625,0.18000000000000005)"><g><path fill="#4cacf5" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.6955602536997905,5.5555555555555545)"><path fill="none" stroke="none" d="M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#666666" d="M 0 0 M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,94.48549019607844,159.15384615384616)"><g><g transform="translate(0,0) scale(0.3709803921568625,0.18000000000000005)"><g><path fill="#4cacf5" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.6955602536997905,5.5555555555555545)"><path fill="none" stroke="none" d="M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#666666" d="M 0 0 M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,89,154.00000000000003)"><g><g transform="translate(0,0) scale(0.3709803921568625,0.18000000000000005)"><g><path fill="#4cacf5" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.6955602536997905,5.5555555555555545)"><path fill="none" stroke="none" d="M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#666666" d="M 0 0 M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="translate(0,0) matrix(1,0,0,1,345.51767083236393,86.4615119485293)"><g><g transform="translate(0,0) scale(1.7520258247164675,1.25824690354917) translate(0.00001348378,-0.001498589)"><g><g><path fill="#FFFFFF" stroke="#cc0000" d="M 33.84 5.912 C 16.263 2.403 6.986 11.405 8.451 19.186 L 8.57 19.61 C -5.128 21.942 -1.537 38.106 5.033 38.106 L 5.679 38.085 C 4.026 45.68 20.032 53.41 28.958 49.548 L 29.531 48.92 C 32.713 55.752 44.02 56.893 55.201 57.177 C 64.89 57.425 70.546 56.658 74.702 52.411 L 75.341 52.599 C 90.852 53.845 97.915 43.133 94.526 35.442 L 95.36 35.207 C 100.648 33.808 101.258 21.602 92.187 19.797 L 92.361 19.325 C 96.299 11.385 87.011 3.896 74.124 5.303 L 73.23 4.837 C 64.003 -3.517 37.449 -2.157 34.373 6.108 L 33.84 5.912 Z" stroke-miterlimit="10" stroke-width="2"/></g></g></g></g></g><g transform="matrix(1,0,0,1,365,101)"><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="137" height="56" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="137" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="18" y="0" width="51" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="18" y="12">Gateway</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="69" y="0" width="51" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="69" y="12">10</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="82" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="86" y="12">1</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="92" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="96" y="12">30</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="109" y="12">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="bold" text-decoration="" line-height="14px" x="112" y="12">1</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="14" width="137" height="28" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="2" y="14" width="4" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="5" y="14" width="58" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="9" y="26">and</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="32" y="26">other</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="63" y="14" width="129" height="28" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="63" y="26">containers</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="122" y="26">on</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="7" y="40">the</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="27" y="40">same</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="59" y="40">VLAN</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="91" y="40">/</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="94" y="28" width="37" height="14" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="12px" font-style="normal" font-weight="normal" text-decoration="" line-height="14px" x="94" y="40">subnet</text></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="42" width="137" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g><rect fill="rgb(0,0,0)" stroke="none" x="67" y="42" width="5" height="14" fill-opacity="0"/></g></g><g transform="translate(318,224) matrix(1,0,0,1,0,0) translate(-318,-224)"><g/></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,451.9019607843137,158.00000000000003)"><g><g transform="translate(0,0) scale(0.3709803921568625,0.18000000000000005)"><g><path fill="#4cacf5" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.6955602536997905,5.5555555555555545)"><path fill="none" stroke="none" d="M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#666666" d="M 0 0 M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,447.48549019607844,154.15384615384616)"><g><g transform="translate(0,0) scale(0.3709803921568625,0.18000000000000005)"><g><path fill="#4cacf5" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.6955602536997905,5.5555555555555545)"><path fill="none" stroke="none" d="M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#666666" d="M 0 0 M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,442,149.00000000000003)"><g><g transform="translate(0,0) scale(0.3709803921568625,0.18000000000000005)"><g><path fill="#4cacf5" stroke="none" d="M 0 0 L 100 0 Q 100 0 100 0 L 100 100 Q 100 100 100 100 L 0 100 Q 0 100 0 100 L 0 0 Q 0 0 0 0 Z"/><g transform="scale(2.6955602536997905,5.5555555555555545)"><path fill="none" stroke="none" d="M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z"/><path fill="none" stroke="#666666" d="M 0 0 M 0 0 L 37.09803921568625 0 Q 37.09803921568625 0 37.09803921568625 0 L 37.09803921568625 18.000000000000004 Q 37.09803921568625 18.000000000000004 37.09803921568625 18.000000000000004 L 0 18.000000000000004 Q 0 18.000000000000004 0 18.000000000000004 L 0 0 Q 0 0 0 0 Z" stroke-miterlimit="10"/></g></g></g></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,47,331)"><g transform="translate(4,4) scale(1.0034722222222223,1.0083333333333333)"><g><g transform="translate(0,0) scale(1.44,0.6)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,1.6666666666666667)"><path fill="#000000" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.44,0.6)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,1.6666666666666667)"><path fill="#5fcc5a" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" opacity="0.99"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.99"/></g></g></g></g></g><g transform="matrix(1,0,0,1,50,342)"><g transform="translate(373,100) matrix(1,0,0,1,0,0) translate(-373,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="135" height="40" fill-opacity="0"/></g></g><g transform="translate(373,100) matrix(1,0,0,1,0,0) translate(-373,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="135" height="20" fill-opacity="0"/></g></g><g transform="translate(373,100) matrix(1,0,0,1,0,0) translate(-373,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="5" y="0" width="127" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="58" y="17">:</text></g><g transform="translate(373,100) matrix(1,0,0,1,0,0) translate(-373,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="5" y="0" width="54" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="5" y="17">Parent</text></g><g transform="translate(373,100) matrix(1,0,0,1,0,0) translate(-373,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="68" y="0" width="63" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="68" y="17">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="105" y="17">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="110" y="17">10</text></g><g transform="translate(373,100) matrix(1,0,0,1,0,0) translate(-373,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="20" width="135" height="20" fill-opacity="0"/></g></g><g transform="translate(373,100) matrix(1,0,0,1,0,0) translate(-373,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="17" y="20" width="71" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="17" y="37">VLAN</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="69" y="37">ID</text></g><g transform="translate(373,100) matrix(1,0,0,1,0,0) translate(-373,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="87" y="20" width="6" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="87" y="37">:</text></g><g transform="translate(373,100) matrix(1,0,0,1,0,0) translate(-373,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="93" y="20" width="26" height="20" fill-opacity="0"/></g></g><g transform="translate(373,100) matrix(1,0,0,1,0,0) translate(-373,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="98" y="20" width="21" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="98" y="37">10</text></g></g><g transform="translate(0.5,0.5) matrix(1,0,0,1,367,331)"><g transform="translate(4,4) scale(1.0034722222222223,1.0083333333333333)"><g><g transform="translate(0,0) scale(1.44,0.6)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,1.6666666666666667)"><path fill="#000000" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" opacity="0.294117647"/><path fill="none" stroke="rgb(0,0,0)" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" stroke-opacity="0" stroke-miterlimit="10" opacity="0.294117647"/></g></g></g></g></g><g><g transform="translate(0,0) scale(1.44,0.6)"><g><path fill="none" stroke="none" d="M 10 0 L 90 0 Q 100 0 100 10 L 100 90 Q 100 100 90 100 L 10 100 Q 0 100 0 90 L 0 10 Q 0 0 10 0 Z"/><g transform="scale(0.6944444444444444,1.6666666666666667)"><path fill="#eb6c6c" stroke="none" d="M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" opacity="0.99"/><path fill="none" stroke="#434343" d="M 10 0 M 10 0 L 134 0 Q 144 0 144 10 L 144 50 Q 144 60 134 60 L 10 60 Q 0 60 0 50 L 0 10 Q 0 0 10 0 Z" stroke-miterlimit="10" opacity="0.99"/></g></g></g></g></g><g transform="matrix(1,0,0,1,369,341)"><g transform="translate(194,100) matrix(1,0,0,1,0,0) translate(-194,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="138" height="40" fill-opacity="0"/></g></g><g transform="translate(194,100) matrix(1,0,0,1,0,0) translate(-194,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="138" height="20" fill-opacity="0"/></g></g><g transform="translate(194,100) matrix(1,0,0,1,0,0) translate(-194,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="4" y="0" width="132" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="9" y="17">Parent</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="62" y="17">:</text></g><g transform="translate(194,100) matrix(1,0,0,1,0,0) translate(-194,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="72" y="0" width="63" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="72" y="17">eth0</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="109" y="17">.</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="114" y="17">30</text></g><g transform="translate(194,100) matrix(1,0,0,1,0,0) translate(-194,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="20" width="138" height="20" fill-opacity="0"/></g></g><g transform="translate(194,100) matrix(1,0,0,1,0,0) translate(-194,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="30" y="20" width="78" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="30" y="37">VLAN</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="normal" text-decoration="" line-height="20.5px" x="77" y="37">:</text></g><g transform="translate(194,100) matrix(1,0,0,1,0,0) translate(-194,-100)"><g><rect fill="rgb(0,0,0)" stroke="none" x="88" y="20" width="21" height="20" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="18px" font-style="normal" font-weight="bold" text-decoration="" line-height="20.5px" x="88" y="37">30</text></g><g transform="translate(194,100) matrix(1,0,0,1,0,0) translate(-194,-100)"><g/></g></g><g transform="matrix(1,0,0,1,371,44)"><g transform="translate(266,48) matrix(1,0,0,1,0,0) translate(-266,-48)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="142" height="32" fill-opacity="0"/></g></g><g transform="translate(266,48) matrix(1,0,0,1,0,0) translate(-266,-48)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="0" width="142" height="16" fill-opacity="0"/></g></g><g transform="translate(266,48) matrix(1,0,0,1,0,0) translate(-266,-48)"><g><rect fill="rgb(0,0,0)" stroke="none" x="17" y="0" width="75" height="16" fill-opacity="0"/></g></g><g transform="translate(266,48) matrix(1,0,0,1,0,0) translate(-266,-48)"><g><rect fill="rgb(0,0,0)" stroke="none" x="17" y="0" width="75" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="17" y="14">Network</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="72" y="14"> &amp;&#160;</text></g><g transform="translate(266,48) matrix(1,0,0,1,0,0) translate(-266,-48)"><g><rect fill="rgb(0,0,0)" stroke="none" x="90" y="0" width="36" height="16" fill-opacity="0"/></g></g><g transform="translate(266,48) matrix(1,0,0,1,0,0) translate(-266,-48)"><g><rect fill="rgb(0,0,0)" stroke="none" x="90" y="0" width="36" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="90" y="14">other</text></g><g transform="translate(266,48) matrix(1,0,0,1,0,0) translate(-266,-48)"><g><rect fill="rgb(0,0,0)" stroke="none" x="0" y="16" width="142" height="16" fill-opacity="0"/></g></g><g transform="translate(266,48) matrix(1,0,0,1,0,0) translate(-266,-48)"><g><rect fill="rgb(0,0,0)" stroke="none" x="26" y="16" width="92" height="16" fill-opacity="0"/></g></g><g transform="translate(266,48) matrix(1,0,0,1,0,0) translate(-266,-48)"><g><rect fill="rgb(0,0,0)" stroke="none" x="26" y="16" width="92" height="16" fill-opacity="0"/></g><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="26" y="30">Docker</text><text fill="rgb(0, 0, 0)" stroke="none" font-family="Arial" font-size="14px" font-style="normal" font-weight="bold" text-decoration="" line-height="16.5px" x="77" y="30">Hosts</text></g></g></g></svg>
\ No newline at end of file
diff --git a/cli/experimental/vlan-networks.md b/cli/experimental/vlan-networks.md
new file mode 100644
index 00000000..f0309b1a
--- /dev/null
+++ b/cli/experimental/vlan-networks.md
@@ -0,0 +1,475 @@
+# Ipvlan Network Driver
+
+### Getting Started
+
+The Ipvlan driver is currently in experimental mode in order to incubate Docker users use cases and vet the implementation to ensure a hardened, production ready driver in a future release. Libnetwork now gives users total control over both IPv4 and IPv6 addressing. The VLAN driver builds on top of that in giving operators complete control of layer 2 VLAN tagging and even Ipvlan L3 routing for users interested in underlay network integration. For overlay deployments that abstract away physical constraints see the [multi-host overlay ](https://docs.docker.com/engine/userguide/networking/get-started-overlay/) driver.
+
+Ipvlan is a new twist on the tried and true network virtualization technique. The Linux implementations are extremely lightweight because rather than using the traditional Linux bridge for isolation, they are simply associated to a Linux Ethernet interface or sub-interface to enforce separation between networks and connectivity to the physical network.
+
+Ipvlan offers a number of unique features and plenty of room for further innovations with the various modes. Two high level advantages of these approaches are, the positive performance implications of bypassing the Linux bridge and the simplicity of having fewer moving parts. Removing the bridge that traditionally resides in between the Docker host NIC and container interface leaves a simple setup consisting of container interfaces, attached directly to the Docker host interface. This result is easy access for external facing services as there is no need for port mappings in these scenarios.
+
+### Pre-Requisites
+
+- The examples on this page are all single host and setup using Docker experimental builds that can be installed with the following instructions: [Install Docker experimental](https://github.com/docker/docker/tree/master/experimental)
+
+- All of the examples can be performed on a single host running Docker. Any examples using a sub-interface like `eth0.10` can be replaced with `eth0` or any other valid parent interface on the Docker host. Sub-interfaces with a `.` are created on the fly. `-o parent` interfaces can also be left out of the `docker network create` all together and the driver will create a `dummy` interface that will enable local host connectivity to perform the examples.
+
+- Kernel requirements:
+ 
+ - To check your current kernel version, use `uname -r` to display your kernel version
+ - Ipvlan Linux kernel v4.2+ (support for earlier kernels exists but is buggy)
+
+### Ipvlan L2 Mode Example Usage
+
+An example of the ipvlan `L2` mode topology is shown in the following image. The driver is specified with `-d driver_name` option. In this case `-d ipvlan`.
+
+![Simple Ipvlan L2 Mode Example](images/ipvlan_l2_simple.png)
+
+The parent interface in the next example `-o parent=eth0` is configured as followed:
+
+```
+$ ip addr show eth0
+3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    inet 192.168.1.250/24 brd 192.168.1.255 scope global eth0
+```
+
+Use the network from the host's interface as the `--subnet` in the `docker network create`. The container will be attached to the same network as the host interface as set via the `-o parent=` option.
+
+Create the ipvlan network and run a container attaching to it:
+
+```
+# Ipvlan  (-o ipvlan_mode= Defaults to L2 mode if not specified)
+$ docker network  create -d ipvlan \
+    --subnet=192.168.1.0/24 \ 
+    --gateway=192.168.1.1 \
+    -o ipvlan_mode=l2 \
+    -o parent=eth0 db_net
+
+# Start a container on the db_net network
+$ docker  run --net=db_net -it --rm alpine /bin/sh
+
+# NOTE: the containers can NOT ping the underlying host interfaces as
+# they are intentionally filtered by Linux for additional isolation.
+```
+
+The default mode for Ipvlan is `l2`. If `-o ipvlan_mode=` are left unspecified, the default mode will be used. Similarly, if the `--gateway` is left empty, the first usable address on the network will be set as the gateway. For example, if the subnet provided in the network create is `--subnet=192.168.1.0/24` then the gateway the container receives is `192.168.1.1`.
+
+To help understand how this mode interacts with other hosts, the following figure shows the same layer 2 segment between two Docker hosts that applies to and Ipvlan L2 mode.
+
+![Multiple Ipvlan Hosts](images/macvlan-bridge-ipvlan-l2.png)
+
+The following will create the exact same network as the network `db_net` created prior, with the driver defaults for `--gateway=192.168.1.1` and `-o ipvlan_mode=l2`.
+
+```
+# Ipvlan  (-o ipvlan_mode= Defaults to L2 mode if not specified)
+$ docker network  create -d ipvlan \
+    --subnet=192.168.1.0/24 \ 
+    -o parent=eth0 db_net_ipv
+
+# Start a container with an explicit name in daemon mode
+$ docker  run --net=db_net_ipv --name=ipv1 -itd alpine /bin/sh
+
+# Start a second container and ping using the container name
+# to see the docker included name resolution functionality
+$ docker  run --net=db_net_ipv --name=ipv2 -it --rm alpine /bin/sh
+$ ping -c 4 ipv1
+
+# NOTE: the containers can NOT ping the underlying host interfaces as
+# they are intentionally filtered by Linux for additional isolation.
+```
+
+The drivers also support the `--internal` flag that will completely isolate containers on a network from any communications external to that network. Since network isolation is tightly coupled to the network's parent interface the result of leaving the `-o parent=` option off of a `docker network create` is the exact same as the `--internal` option. If the parent interface is not specified or the `--internal` flag is used, a netlink type `dummy` parent interface is created for the user and used as the parent interface effectively isolating the network completely.
+
+The following two `docker network create` examples result in identical networks that you can attach container to:
+
+```
+# Empty '-o parent=' creates an isolated network
+$ docker network  create -d ipvlan \
+    --subnet=192.168.10.0/24 isolated1
+
+# Explicit '--internal' flag is the same:
+$ docker network  create -d ipvlan \
+    --subnet=192.168.11.0/24 --internal isolated2
+
+# Even the '--subnet=' can be left empty and the default 
+# IPAM subnet of 172.18.0.0/16 will be assigned
+$ docker network  create -d ipvlan isolated3
+
+$ docker run --net=isolated1 --name=cid1 -it --rm alpine /bin/sh
+$ docker run --net=isolated2 --name=cid2 -it --rm alpine /bin/sh
+$ docker run --net=isolated3 --name=cid3 -it --rm alpine /bin/sh
+
+# To attach to any use `docker exec` and start a shell
+$ docker exec -it cid1 /bin/sh
+$ docker exec -it cid2 /bin/sh
+$ docker exec -it cid3 /bin/sh
+```
+
+### Ipvlan 802.1q Trunk L2 Mode Example Usage
+
+Architecturally, Ipvlan L2 mode trunking is the same as Macvlan with regard to gateways and L2 path isolation. There are nuances that can be advantageous for CAM table pressure in ToR switches, one MAC per port and MAC exhaustion on a host's parent NIC to name a few. The 802.1q trunk scenario looks the same. Both modes adhere to tagging standards and have seamless integration with the physical network for underlay integration and hardware vendor plugin integrations.
+
+Hosts on the same VLAN are typically on the same subnet and almost always are grouped together based on their security policy. In most scenarios, a multi-tier application is tiered into different subnets because the security profile of each process requires some form of isolation. For example, hosting your credit card processing on the same virtual network as the frontend webserver would be a regulatory compliance issue, along with circumventing the long standing best practice of layered defense in depth architectures. VLANs or the equivocal VNI (Virtual Network Identifier) when using the Overlay driver, are the first step in isolating tenant traffic.
+
+![Docker VLANs in Depth](images/vlans-deeper-look.png)
+
+The Linux sub-interface tagged with a vlan can either already exist or will be created when you call a `docker network create`. `docker network rm` will delete the sub-interface. Parent interfaces such as `eth0` are not deleted, only sub-interfaces with a netlink parent index > 0.
+
+For the driver to add/delete the vlan sub-interfaces the format needs to be `interface_name.vlan_tag`. Other sub-interface naming can be used as the specified parent, but the link will not be deleted automatically when `docker network rm` is invoked. 
+
+The option to use either existing parent vlan sub-interfaces or let Docker manage them enables the user to either completely manage the Linux interfaces and networking or let Docker create and delete the Vlan parent sub-interfaces (netlink `ip link`) with no effort from the user.
+
+For example: use `eth0.10` to denote a sub-interface of `eth0` tagged with the vlan id of `10`. The equivalent `ip link` command would be `ip link add link eth0 name eth0.10 type vlan id 10`.
+
+The example creates the vlan tagged networks and then start two containers to test connectivity between containers. Different Vlans cannot ping one another without a router routing between the two networks. The default namespace is not reachable per ipvlan design in order to isolate container namespaces from the underlying host.
+
+**Vlan ID 20**
+
+In the first network tagged and isolated by the Docker host, `eth0.20` is the parent interface tagged with vlan id `20` specified with `-o parent=eth0.20`. Other naming formats can be used, but the links need to be added and deleted manually using `ip link` or Linux configuration files. As long as the `-o parent` exists anything can be used if compliant with Linux netlink.
+
+```
+# now add networks and hosts as you would normally by attaching to the master (sub)interface that is tagged
+$ docker network  create  -d ipvlan \
+    --subnet=192.168.20.0/24 \
+    --gateway=192.168.20.1 \
+    -o parent=eth0.20 ipvlan20
+
+# in two separate terminals, start a Docker container and the containers can now ping one another.
+$ docker run --net=ipvlan20 -it --name ivlan_test1 --rm alpine /bin/sh
+$ docker run --net=ipvlan20 -it --name ivlan_test2 --rm alpine /bin/sh
+```
+
+**Vlan ID 30**
+
+In the second network, tagged and isolated by the Docker host, `eth0.30` is the parent interface tagged with vlan id `30` specified with `-o parent=eth0.30`. The `ipvlan_mode=` defaults to l2 mode `ipvlan_mode=l2`. It can also be explicitly set with the same result as shown in the next example.
+
+```
+# now add networks and hosts as you would normally by attaching to the master (sub)interface that is tagged.
+$ docker network  create  -d ipvlan \
+    --subnet=192.168.30.0/24 \
+    --gateway=192.168.30.1 \
+    -o parent=eth0.30 \
+    -o ipvlan_mode=l2 ipvlan30
+
+# in two separate terminals, start a Docker container and the containers can now ping one another.
+$ docker run --net=ipvlan30 -it --name ivlan_test3 --rm alpine /bin/sh
+$ docker run --net=ipvlan30 -it --name ivlan_test4 --rm alpine /bin/sh
+```
+
+The gateway is set inside of the container as the default gateway. That gateway would typically be an external router on the network.
+
+```
+$$ ip route
+  default via 192.168.30.1 dev eth0
+  192.168.30.0/24 dev eth0  src 192.168.30.2
+```
+
+Example: Multi-Subnet Ipvlan L2 Mode starting two containers on the same subnet and pinging one another. In order for the `192.168.114.0/24` to reach `192.168.116.0/24` it requires an external router in L2 mode. L3 mode can route between subnets that share a common `-o parent=`. 
+
+Secondary addresses on network routers are common as an address space becomes exhausted to add another secondary to an L3 vlan interface or commonly referred to as a "switched virtual interface" (SVI).
+
+```
+$ docker network  create  -d ipvlan \
+    --subnet=192.168.114.0/24 --subnet=192.168.116.0/24 \
+    --gateway=192.168.114.254  --gateway=192.168.116.254 \
+     -o parent=eth0.114 \
+     -o ipvlan_mode=l2 ipvlan114
+     
+$ docker run --net=ipvlan114 --ip=192.168.114.10 -it --rm alpine /bin/sh
+$ docker run --net=ipvlan114 --ip=192.168.114.11 -it --rm alpine /bin/sh
+```
+
+A key takeaway is, operators have the ability to map their physical network into their virtual network for integrating containers into their environment with no operational overhauls required. NetOps simply drops an 802.1q trunk into the Docker host. That virtual link would be the `-o parent=` passed in the network creation. For untagged (non-VLAN) links, it is as simple as `-o parent=eth0` or for 802.1q trunks with VLAN IDs each network gets mapped to the corresponding VLAN/Subnet from the network.
+
+An example being, NetOps provides VLAN ID and the associated subnets for VLANs being passed on the Ethernet link to the Docker host server. Those values are simply plugged into the `docker network create` commands when provisioning the Docker networks. These are persistent configurations that are applied every time the Docker engine starts which alleviates having to manage often complex configuration files. The network interfaces can also be managed manually by being pre-created and docker networking will never modify them, simply use them as parent interfaces. Example mappings from NetOps to Docker network commands are as follows:
+
+- VLAN: 10, Subnet: 172.16.80.0/24, Gateway: 172.16.80.1
+
+    - `--subnet=172.16.80.0/24 --gateway=172.16.80.1 -o parent=eth0.10` 
+
+- VLAN: 20, IP subnet: 172.16.50.0/22, Gateway: 172.16.50.1
+
+    - `--subnet=172.16.50.0/22 --gateway=172.16.50.1 -o parent=eth0.20 ` 
+
+- VLAN: 30, Subnet: 10.1.100.0/16, Gateway: 10.1.100.1
+
+    - `--subnet=10.1.100.0/16 --gateway=10.1.100.1 -o parent=eth0.30` 
+
+### IPVlan L3 Mode Example
+
+IPVlan will require routes to be distributed to each endpoint. The driver only builds the Ipvlan L3 mode port and attaches the container to the interface. Route distribution throughout a cluster is beyond the initial implementation of this single host scoped driver. In L3 mode, the Docker host is very similar to a router starting new networks in the container. They are on networks that the upstream network will not know about without route distribution. For those curious how Ipvlan L3 will fit into container networking see the following examples.
+
+![Docker Ipvlan L2 Mode](images/ipvlan-l3.png)
+
+Ipvlan L3 mode drops all broadcast and multicast traffic. This reason alone makes Ipvlan L3 mode a prime candidate for those looking for massive scale and predictable network integrations. It is predictable and in turn will lead to greater uptimes because there is no bridging involved. Bridging loops have been responsible for high profile outages that can be hard to pinpoint depending on the size of the failure domain. This is due to the cascading nature of BPDUs (Bridge Port Data Units) that are flooded throughout a broadcast domain (VLAN) to find and block topology loops. Eliminating bridging domains, or at the least, keeping them isolated to a pair of ToRs (top of rack switches) will reduce hard to troubleshoot bridging instabilities. Ipvlan L2 modes is well suited for isolated VLANs only trunked into a pair of ToRs that can provide a loop-free non-blocking fabric. The next step further is to route at the edge via Ipvlan L3 mode that reduces a failure domain to a local host only. 
+
+- L3 mode needs to be on a separate subnet as the default namespace since it requires a netlink route in the default namespace pointing to the Ipvlan parent interface.
+
+- The parent interface used in this example is `eth0` and it is on the subnet `192.168.1.0/24`. Notice the `docker network` is **not** on the same subnet as `eth0`.
+
+- Unlike ipvlan l2 modes, different subnets/networks can ping one another as long as they share the same parent interface `-o parent=`.
+
+```
+$$ ip a show eth0
+3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 00:50:56:39:45:2e brd ff:ff:ff:ff:ff:ff
+    inet 192.168.1.250/24 brd 192.168.1.255 scope global eth0
+```
+
+- A traditional gateway doesn't mean much to an L3 mode Ipvlan interface since there is no broadcast traffic allowed. Because of that, the container default gateway simply points to the containers `eth0` device. See below for CLI output of `ip route` or `ip -6 route` from inside an L3 container for details.
+
+The mode ` -o ipvlan_mode=l3` must be explicitly specified since the default ipvlan mode is `l2`.
+
+The following example does not specify a parent interface. The network drivers will create a dummy type link for the user rather than rejecting the network creation and isolating containers from only communicating with one another.
+
+```
+# Create the Ipvlan L3 network
+$ docker network  create  -d ipvlan \
+    --subnet=192.168.214.0/24 \
+    --subnet=10.1.214.0/24 \
+     -o ipvlan_mode=l3 ipnet210
+
+# Test 192.168.214.0/24 connectivity
+$ docker run --net=ipnet210 --ip=192.168.214.10 -itd alpine /bin/sh
+$ docker run --net=ipnet210 --ip=10.1.214.10 -itd alpine /bin/sh
+
+# Test L3 connectivity from 10.1.214.0/24 to 192.168.212.0/24
+$ docker run --net=ipnet210 --ip=192.168.214.9 -it --rm alpine ping -c 2 10.1.214.10
+
+# Test L3 connectivity from 192.168.212.0/24 to 10.1.214.0/24
+$ docker run --net=ipnet210 --ip=10.1.214.9 -it --rm alpine ping -c 2 192.168.214.10
+
+```
+
+Notice there is no `--gateway=` option in the network create. The field is ignored if one is specified `l3` mode. Take a look at the container routing table from inside of the container:
+
+```
+# Inside an L3 mode container
+$$ ip route
+  default dev eth0
+  192.168.214.0/24 dev eth0  src 192.168.214.10
+```
+
+In order to ping the containers from a remote Docker host or the container be able to ping a remote host, the remote host or the physical network in between need to have a route pointing to the host IP address of the container's Docker host eth interface. More on this as we evolve the Ipvlan `L3` story.
+
+### Dual Stack IPv4 IPv6 Ipvlan L2 Mode
+
+- Not only does Libnetwork give you complete control over IPv4 addressing, but it also gives you total control over IPv6 addressing as well as feature parity between the two address families.
+
+- The next example will start with IPv6 only. Start two containers on the same VLAN `139` and ping one another. Since the IPv4 subnet is not specified, the default IPAM will provision a default IPv4 subnet. That subnet is isolated unless the upstream network is explicitly routing it on VLAN `139`.
+
+```
+# Create a v6 network
+$ docker network create -d ipvlan \
+    --subnet=2001:db8:abc2::/64 --gateway=2001:db8:abc2::22 \
+    -o parent=eth0.139 v6ipvlan139
+    
+# Start a container on the network
+$ docker run --net=v6ipvlan139 -it --rm alpine /bin/sh
+
+```
+
+View the container eth0 interface and v6 routing table:
+
+```
+# Inside the IPv6 container
+$$ ip a show eth0
+75: eth0@if55: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
+    link/ether 00:50:56:2b:29:40 brd ff:ff:ff:ff:ff:ff
+    inet 172.18.0.2/16 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet6 2001:db8:abc4::250:56ff:fe2b:2940/64 scope link
+       valid_lft forever preferred_lft forever
+    inet6 2001:db8:abc2::1/64 scope link nodad
+       valid_lft forever preferred_lft forever
+       
+$$ ip -6 route
+2001:db8:abc4::/64 dev eth0  proto kernel  metric 256
+2001:db8:abc2::/64 dev eth0  proto kernel  metric 256
+default via 2001:db8:abc2::22 dev eth0  metric 1024
+```
+
+Start a second container and ping the first container's v6 address. 
+
+```
+# Test L2 connectivity over IPv6
+$ docker run --net=v6ipvlan139 -it --rm alpine /bin/sh
+
+# Inside the second IPv6 container
+$$ ip a show eth0
+75: eth0@if55: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
+    link/ether 00:50:56:2b:29:40 brd ff:ff:ff:ff:ff:ff
+    inet 172.18.0.3/16 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet6 2001:db8:abc4::250:56ff:fe2b:2940/64 scope link tentative dadfailed
+       valid_lft forever preferred_lft forever
+    inet6 2001:db8:abc2::2/64 scope link nodad
+       valid_lft forever preferred_lft forever
+
+$$ ping6 2001:db8:abc2::1
+PING 2001:db8:abc2::1 (2001:db8:abc2::1): 56 data bytes
+64 bytes from 2001:db8:abc2::1%eth0: icmp_seq=0 ttl=64 time=0.044 ms
+64 bytes from 2001:db8:abc2::1%eth0: icmp_seq=1 ttl=64 time=0.058 ms
+
+2 packets transmitted, 2 packets received, 0% packet loss
+round-trip min/avg/max/stddev = 0.044/0.051/0.058/0.000 ms
+```
+
+The next example with setup a dual stack IPv4/IPv6 network with an example VLAN ID of `140`.
+
+Next create a network with two IPv4 subnets and one IPv6 subnets, all of which have explicit gateways:
+
+```
+$ docker network  create  -d ipvlan \
+    --subnet=192.168.140.0/24 --subnet=192.168.142.0/24 \
+    --gateway=192.168.140.1  --gateway=192.168.142.1 \
+    --subnet=2001:db8:abc9::/64 --gateway=2001:db8:abc9::22 \
+     -o parent=eth0.140 \
+     -o ipvlan_mode=l2 ipvlan140
+```
+
+Start a container and view eth0 and both v4 & v6 routing tables:
+
+```
+$ docker run --net=ipvlan140 --ip6=2001:db8:abc2::51 -it --rm alpine /bin/sh
+
+$ ip a show eth0
+78: eth0@if77: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
+    link/ether 00:50:56:2b:29:40 brd ff:ff:ff:ff:ff:ff
+    inet 192.168.140.2/24 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet6 2001:db8:abc4::250:56ff:fe2b:2940/64 scope link
+       valid_lft forever preferred_lft forever
+    inet6 2001:db8:abc9::1/64 scope link nodad
+       valid_lft forever preferred_lft forever
+
+$$ ip route
+default via 192.168.140.1 dev eth0
+192.168.140.0/24 dev eth0  proto kernel  scope link  src 192.168.140.2
+
+$$ ip -6 route
+2001:db8:abc4::/64 dev eth0  proto kernel  metric 256
+2001:db8:abc9::/64 dev eth0  proto kernel  metric 256
+default via 2001:db8:abc9::22 dev eth0  metric 1024
+```
+
+Start a second container with a specific `--ip4` address and ping the first host using IPv4 packets:
+
+```
+$ docker run --net=ipvlan140 --ip=192.168.140.10 -it --rm alpine /bin/sh
+```
+
+**Note**: Different subnets on the same parent interface in Ipvlan `L2` mode cannot ping one another. That requires a router to proxy-arp the requests with a secondary subnet. However, Ipvlan `L3` will route the unicast traffic between disparate subnets as long as they share the same `-o parent` parent link.
+
+### Dual Stack IPv4 IPv6 Ipvlan L3 Mode 
+
+**Example:** IpVlan L3 Mode Dual Stack IPv4/IPv6, Multi-Subnet w/ 802.1q Vlan Tag:118
+
+As in all of the examples, a tagged VLAN interface does not have to be used. The sub-interfaces can be swapped with `eth0`, `eth1`, `bond0` or any other valid interface on the host other then the `lo` loopback.
+
+The primary difference you will see is that L3 mode does not create a default route with a next-hop but rather sets a default route pointing to `dev eth` only since ARP/Broadcasts/Multicast are all filtered by Linux as per the design. Since the parent interface is essentially acting as a router, the parent interface IP and subnet needs to be different from the container networks. That is the opposite of bridge and L2 modes, which need to be on the same subnet (broadcast domain) in order to forward broadcast and multicast packets.
+
+```
+# Create an IPv6+IPv4 Dual Stack Ipvlan L3 network 
+# Gateways for both v4 and v6 are set to a dev e.g. 'default dev eth0'
+$ docker network  create  -d ipvlan \
+    --subnet=192.168.110.0/24 \
+    --subnet=192.168.112.0/24 \
+    --subnet=2001:db8:abc6::/64 \
+     -o parent=eth0 \
+     -o ipvlan_mode=l3 ipnet110
+
+
+# Start a few of containers on the network (ipnet110) 
+# in separate terminals and check connectivity
+$ docker run --net=ipnet110 -it --rm alpine /bin/sh
+# Start a second container specifying the v6 address
+$ docker run --net=ipnet110 --ip6=2001:db8:abc6::10 -it --rm alpine /bin/sh
+# Start a third specifying the IPv4 address
+$ docker run --net=ipnet110 --ip=192.168.112.30 -it --rm alpine /bin/sh
+# Start a 4th specifying both the IPv4 and IPv6 addresses
+$ docker run --net=ipnet110 --ip6=2001:db8:abc6::50 --ip=192.168.112.50 -it --rm alpine /bin/sh
+```
+
+Interface and routing table outputs are as follows:
+
+```
+$$ ip a show eth0
+63: eth0@if59: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
+    link/ether 00:50:56:2b:29:40 brd ff:ff:ff:ff:ff:ff
+    inet 192.168.112.2/24 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet6 2001:db8:abc4::250:56ff:fe2b:2940/64 scope link
+       valid_lft forever preferred_lft forever
+    inet6 2001:db8:abc6::10/64 scope link nodad
+       valid_lft forever preferred_lft forever
+     
+# Note the default route is simply the eth device because ARPs are filtered.
+$$ ip route
+  default dev eth0  scope link
+  192.168.112.0/24 dev eth0  proto kernel  scope link  src 192.168.112.2
+
+$$ ip -6 route
+2001:db8:abc4::/64 dev eth0  proto kernel  metric 256
+2001:db8:abc6::/64 dev eth0  proto kernel  metric 256
+default dev eth0  metric 1024
+```
+
+*Note:* There may be a bug when specifying `--ip6=` addresses when you delete a container with a specified v6 address and then start a new container with the same v6 address it throws the following like the address isn't properly being released to the v6 pool. It will fail to unmount the container and be left dead.
+
+```
+docker: Error response from daemon: Address already in use.
+```
+
+### Manually Creating 802.1q Links
+
+**Vlan ID 40**
+
+If a user does not want the driver to create the vlan sub-interface it simply needs to exist prior to the `docker network create`. If you have sub-interface naming that is not `interface.vlan_id` it is honored in the `-o parent=` option again as long as the interface exists and is up.
+
+Links, when manually created, can be named anything as long as they exist when the network is created. Manually created links do not get deleted regardless of the name when the network is deleted with `docker network rm`.
+
+```
+# create a new sub-interface tied to dot1q vlan 40
+$ ip link add link eth0 name eth0.40 type vlan id 40
+
+# enable the new sub-interface
+$ ip link set eth0.40 up
+
+# now add networks and hosts as you would normally by attaching to the master (sub)interface that is tagged
+$ docker network  create  -d ipvlan \
+   --subnet=192.168.40.0/24 \
+   --gateway=192.168.40.1 \
+   -o parent=eth0.40 ipvlan40
+
+# in two separate terminals, start a Docker container and the containers can now ping one another.
+$ docker run --net=ipvlan40 -it --name ivlan_test5 --rm alpine /bin/sh
+$ docker run --net=ipvlan40 -it --name ivlan_test6 --rm alpine /bin/sh
+```
+
+**Example:** Vlan sub-interface manually created with any name:
+
+```
+# create a new sub interface tied to dot1q vlan 40
+$ ip link add link eth0 name foo type vlan id 40
+
+# enable the new sub-interface
+$ ip link set foo up
+
+# now add networks and hosts as you would normally by attaching to the master (sub)interface that is tagged
+$ docker network  create  -d ipvlan \
+    --subnet=192.168.40.0/24 --gateway=192.168.40.1 \
+    -o parent=foo ipvlan40
+
+# in two separate terminals, start a Docker container and the containers can now ping one another.
+$ docker run --net=ipvlan40 -it --name ivlan_test5 --rm alpine /bin/sh
+$ docker run --net=ipvlan40 -it --name ivlan_test6 --rm alpine /bin/sh
+```
+
+Manually created links can be cleaned up with:
+
+```
+$ ip link del foo
+```
+
+As with all of the Libnetwork drivers, they can be mixed and matched, even as far as running 3rd party ecosystem drivers in parallel for maximum flexibility to the Docker user.
diff --git a/cli/gometalinter.json b/cli/gometalinter.json
new file mode 100644
index 00000000..a31a6a20
--- /dev/null
+++ b/cli/gometalinter.json
@@ -0,0 +1,42 @@
+{
+  "Vendor": true,
+  "Deadline": "2m",
+  "Sort": ["linter", "severity", "path", "line"],
+  "Exclude": [
+      "cli/compose/schema/bindata.go",
+      "cli/command/stack/kubernetes/api/openapi",
+      "cli/command/stack/kubernetes/api/client",
+      ".*generated.*",
+      "parameter .* always receives"
+  ],
+  "EnableGC": true,
+  "Linters": {
+      "nakedret": {
+        "Command": "nakedret",
+        "Pattern": "^(?P<path>.*?\\.go):(?P<line>\\d+)\\s*(?P<message>.*)$"
+      }
+  },
+  "WarnUnmatchedDirective": true,
+
+  "DisableAll": true,
+  "Enable": [
+    "deadcode",
+    "gocyclo",
+    "gofmt",
+    "goimports",
+    "golint",
+    "gosimple",
+    "ineffassign",
+    "interfacer",
+    "lll",
+    "misspell",
+    "nakedret",
+    "unconvert",
+    "unparam",
+    "unused",
+    "vet"
+  ],
+
+  "Cyclo": 16,
+  "LineLength": 200
+}
diff --git a/cli/internal/test/builders/config.go b/cli/internal/test/builders/config.go
new file mode 100644
index 00000000..be48c303
--- /dev/null
+++ b/cli/internal/test/builders/config.go
@@ -0,0 +1,68 @@
+package builders
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// Config creates a config with default values.
+// Any number of config builder functions can be passed to augment it.
+func Config(builders ...func(config *swarm.Config)) *swarm.Config {
+	config := &swarm.Config{}
+
+	for _, builder := range builders {
+		builder(config)
+	}
+
+	return config
+}
+
+// ConfigLabels sets the config's labels
+func ConfigLabels(labels map[string]string) func(config *swarm.Config) {
+	return func(config *swarm.Config) {
+		config.Spec.Labels = labels
+	}
+}
+
+// ConfigName sets the config's name
+func ConfigName(name string) func(config *swarm.Config) {
+	return func(config *swarm.Config) {
+		config.Spec.Name = name
+	}
+}
+
+// ConfigID sets the config's ID
+func ConfigID(ID string) func(config *swarm.Config) {
+	return func(config *swarm.Config) {
+		config.ID = ID
+	}
+}
+
+// ConfigVersion sets the version for the config
+func ConfigVersion(v swarm.Version) func(*swarm.Config) {
+	return func(config *swarm.Config) {
+		config.Version = v
+	}
+}
+
+// ConfigCreatedAt sets the creation time for the config
+func ConfigCreatedAt(t time.Time) func(*swarm.Config) {
+	return func(config *swarm.Config) {
+		config.CreatedAt = t
+	}
+}
+
+// ConfigUpdatedAt sets the update time for the config
+func ConfigUpdatedAt(t time.Time) func(*swarm.Config) {
+	return func(config *swarm.Config) {
+		config.UpdatedAt = t
+	}
+}
+
+// ConfigData sets the config payload.
+func ConfigData(data []byte) func(*swarm.Config) {
+	return func(config *swarm.Config) {
+		config.Spec.Data = data
+	}
+}
diff --git a/cli/internal/test/builders/container.go b/cli/internal/test/builders/container.go
new file mode 100644
index 00000000..6dce7409
--- /dev/null
+++ b/cli/internal/test/builders/container.go
@@ -0,0 +1,79 @@
+package builders
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types"
+)
+
+// Container creates a container with default values.
+// Any number of container function builder can be passed to augment it.
+func Container(name string, builders ...func(container *types.Container)) *types.Container {
+	// now := time.Now()
+	// onehourago := now.Add(-120 * time.Minute)
+	container := &types.Container{
+		ID:      "container_id",
+		Names:   []string{"/" + name},
+		Command: "top",
+		Image:   "busybox:latest",
+		Status:  "Up 1 second",
+		Created: time.Now().UnixNano(),
+	}
+
+	for _, builder := range builders {
+		builder(container)
+	}
+
+	return container
+}
+
+// WithLabel adds a label to the container
+func WithLabel(key, value string) func(*types.Container) {
+	return func(c *types.Container) {
+		if c.Labels == nil {
+			c.Labels = map[string]string{}
+		}
+		c.Labels[key] = value
+	}
+}
+
+// WithName adds a name to the container
+func WithName(name string) func(*types.Container) {
+	return func(c *types.Container) {
+		c.Names = append(c.Names, "/"+name)
+	}
+}
+
+// WithPort adds a port mapping to the container
+func WithPort(privateport, publicport uint16, builders ...func(*types.Port)) func(*types.Container) {
+	return func(c *types.Container) {
+		if c.Ports == nil {
+			c.Ports = []types.Port{}
+		}
+		port := &types.Port{
+			PrivatePort: privateport,
+			PublicPort:  publicport,
+		}
+		for _, builder := range builders {
+			builder(port)
+		}
+		c.Ports = append(c.Ports, *port)
+	}
+}
+
+// IP sets the ip of the port
+func IP(ip string) func(*types.Port) {
+	return func(p *types.Port) {
+		p.IP = ip
+	}
+}
+
+// TCP sets the port to tcp
+func TCP(p *types.Port) {
+	p.Type = "tcp"
+}
+
+// UDP sets the port to udp
+func UDP(p *types.Port) {
+	p.Type = "udp"
+}
diff --git a/cli/internal/test/builders/doc.go b/cli/internal/test/builders/doc.go
new file mode 100644
index 00000000..eac991c2
--- /dev/null
+++ b/cli/internal/test/builders/doc.go
@@ -0,0 +1,3 @@
+// Package builders helps you create struct for your unit test while keeping them expressive.
+//
+package builders
diff --git a/cli/internal/test/builders/network.go b/cli/internal/test/builders/network.go
new file mode 100644
index 00000000..cc4accc0
--- /dev/null
+++ b/cli/internal/test/builders/network.go
@@ -0,0 +1,45 @@
+package builders
+
+import (
+	"github.com/docker/docker/api/types"
+)
+
+// NetworkResource creates a network resource with default values.
+// Any number of networkResource function builder can be pass to modify the existing value.
+// feel free to add another builder func if you need to override another value
+func NetworkResource(builders ...func(resource *types.NetworkResource)) *types.NetworkResource {
+	resource := &types.NetworkResource{}
+
+	for _, builder := range builders {
+		builder(resource)
+	}
+	return resource
+}
+
+// NetworkResourceName sets the name of the resource network
+func NetworkResourceName(name string) func(networkResource *types.NetworkResource) {
+	return func(networkResource *types.NetworkResource) {
+		networkResource.Name = name
+	}
+}
+
+// NetworkResourceID sets the ID of the resource network
+func NetworkResourceID(id string) func(networkResource *types.NetworkResource) {
+	return func(networkResource *types.NetworkResource) {
+		networkResource.ID = id
+	}
+}
+
+// NetworkResourceDriver sets the driver of the resource network
+func NetworkResourceDriver(name string) func(networkResource *types.NetworkResource) {
+	return func(networkResource *types.NetworkResource) {
+		networkResource.Driver = name
+	}
+}
+
+// NetworkResourceScope sets the Scope of the resource network
+func NetworkResourceScope(scope string) func(networkResource *types.NetworkResource) {
+	return func(networkResource *types.NetworkResource) {
+		networkResource.Scope = scope
+	}
+}
diff --git a/cli/internal/test/builders/node.go b/cli/internal/test/builders/node.go
new file mode 100644
index 00000000..4e3eb06d
--- /dev/null
+++ b/cli/internal/test/builders/node.go
@@ -0,0 +1,134 @@
+package builders
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// Node creates a node with default values.
+// Any number of node function builder can be pass to augment it.
+//
+//	n1 := Node() // Returns a default node
+//	n2 := Node(NodeID("foo"), NodeHostname("bar"), Leader())
+func Node(builders ...func(*swarm.Node)) *swarm.Node {
+	t1 := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
+	node := &swarm.Node{
+		ID: "nodeID",
+		Meta: swarm.Meta{
+			CreatedAt: t1,
+		},
+		Description: swarm.NodeDescription{
+			Hostname: "defaultNodeHostname",
+			Platform: swarm.Platform{
+				Architecture: "x86_64",
+				OS:           "linux",
+			},
+			Resources: swarm.Resources{
+				NanoCPUs:    4,
+				MemoryBytes: 20 * 1024 * 1024,
+			},
+			Engine: swarm.EngineDescription{
+				EngineVersion: "1.13.0",
+				Labels: map[string]string{
+					"engine": "label",
+				},
+				Plugins: []swarm.PluginDescription{
+					{
+						Type: "Volume",
+						Name: "local",
+					},
+					{
+						Type: "Network",
+						Name: "bridge",
+					},
+					{
+						Type: "Network",
+						Name: "overlay",
+					},
+				},
+			},
+		},
+		Status: swarm.NodeStatus{
+			State: swarm.NodeStateReady,
+			Addr:  "127.0.0.1",
+		},
+		Spec: swarm.NodeSpec{
+			Annotations: swarm.Annotations{
+				Name: "defaultNodeName",
+			},
+			Role:         swarm.NodeRoleWorker,
+			Availability: swarm.NodeAvailabilityActive,
+		},
+	}
+
+	for _, builder := range builders {
+		builder(node)
+	}
+
+	return node
+}
+
+// NodeID sets the node id
+func NodeID(id string) func(*swarm.Node) {
+	return func(node *swarm.Node) {
+		node.ID = id
+	}
+}
+
+// NodeName sets the node name
+func NodeName(name string) func(*swarm.Node) {
+	return func(node *swarm.Node) {
+		node.Spec.Annotations.Name = name
+	}
+}
+
+// NodeLabels sets the node labels
+func NodeLabels(labels map[string]string) func(*swarm.Node) {
+	return func(node *swarm.Node) {
+		node.Spec.Labels = labels
+	}
+}
+
+// Hostname sets the node hostname
+func Hostname(hostname string) func(*swarm.Node) {
+	return func(node *swarm.Node) {
+		node.Description.Hostname = hostname
+	}
+}
+
+// Leader sets the current node as a leader
+func Leader() func(*swarm.ManagerStatus) {
+	return func(managerStatus *swarm.ManagerStatus) {
+		managerStatus.Leader = true
+	}
+}
+
+// Manager set the current node as a manager
+func Manager(managerStatusBuilders ...func(*swarm.ManagerStatus)) func(*swarm.Node) {
+	return func(node *swarm.Node) {
+		node.Spec.Role = swarm.NodeRoleManager
+		node.ManagerStatus = ManagerStatus(managerStatusBuilders...)
+	}
+}
+
+// ManagerStatus create a ManageStatus with default values.
+func ManagerStatus(managerStatusBuilders ...func(*swarm.ManagerStatus)) *swarm.ManagerStatus {
+	managerStatus := &swarm.ManagerStatus{
+		Reachability: swarm.ReachabilityReachable,
+		Addr:         "127.0.0.1",
+	}
+
+	for _, builder := range managerStatusBuilders {
+		builder(managerStatus)
+	}
+
+	return managerStatus
+}
+
+// EngineVersion sets the node's engine version
+func EngineVersion(version string) func(*swarm.Node) {
+	return func(node *swarm.Node) {
+		node.Description.Engine.EngineVersion = version
+	}
+}
diff --git a/cli/internal/test/builders/secret.go b/cli/internal/test/builders/secret.go
new file mode 100644
index 00000000..3cd5f787
--- /dev/null
+++ b/cli/internal/test/builders/secret.go
@@ -0,0 +1,70 @@
+package builders
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// Secret creates a secret with default values.
+// Any number of secret builder functions can be passed to augment it.
+func Secret(builders ...func(secret *swarm.Secret)) *swarm.Secret {
+	secret := &swarm.Secret{}
+
+	for _, builder := range builders {
+		builder(secret)
+	}
+
+	return secret
+}
+
+// SecretLabels sets the secret's labels
+func SecretLabels(labels map[string]string) func(secret *swarm.Secret) {
+	return func(secret *swarm.Secret) {
+		secret.Spec.Labels = labels
+	}
+}
+
+// SecretName sets the secret's name
+func SecretName(name string) func(secret *swarm.Secret) {
+	return func(secret *swarm.Secret) {
+		secret.Spec.Name = name
+	}
+}
+
+// SecretDriver sets the secret's driver name
+func SecretDriver(driver string) func(secret *swarm.Secret) {
+	return func(secret *swarm.Secret) {
+		secret.Spec.Driver = &swarm.Driver{
+			Name: driver,
+		}
+	}
+}
+
+// SecretID sets the secret's ID
+func SecretID(ID string) func(secret *swarm.Secret) {
+	return func(secret *swarm.Secret) {
+		secret.ID = ID
+	}
+}
+
+// SecretVersion sets the version for the secret
+func SecretVersion(v swarm.Version) func(*swarm.Secret) {
+	return func(secret *swarm.Secret) {
+		secret.Version = v
+	}
+}
+
+// SecretCreatedAt sets the creation time for the secret
+func SecretCreatedAt(t time.Time) func(*swarm.Secret) {
+	return func(secret *swarm.Secret) {
+		secret.CreatedAt = t
+	}
+}
+
+// SecretUpdatedAt sets the update time for the secret
+func SecretUpdatedAt(t time.Time) func(*swarm.Secret) {
+	return func(secret *swarm.Secret) {
+		secret.UpdatedAt = t
+	}
+}
diff --git a/cli/internal/test/builders/service.go b/cli/internal/test/builders/service.go
new file mode 100644
index 00000000..2817e6e2
--- /dev/null
+++ b/cli/internal/test/builders/service.go
@@ -0,0 +1,74 @@
+package builders
+
+import (
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// Service creates a service with default values.
+// Any number of service builder functions can be passed to augment it.
+// Currently, only ServiceName is implemented
+func Service(builders ...func(*swarm.Service)) *swarm.Service {
+	service := &swarm.Service{
+		ID: "serviceID",
+		Spec: swarm.ServiceSpec{
+			Annotations: swarm.Annotations{
+				Name: "defaultServiceName",
+			},
+			EndpointSpec: &swarm.EndpointSpec{},
+		},
+	}
+
+	for _, builder := range builders {
+		builder(service)
+	}
+
+	return service
+}
+
+// ServiceID sets the service ID
+func ServiceID(ID string) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.ID = ID
+	}
+}
+
+// ServiceName sets the service name
+func ServiceName(name string) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.Spec.Annotations.Name = name
+	}
+}
+
+// ServiceLabels sets the service's labels
+func ServiceLabels(labels map[string]string) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.Spec.Annotations.Labels = labels
+	}
+}
+
+// ReplicatedService sets the number of replicas for the service
+func ReplicatedService(replicas uint64) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.Spec.Mode = swarm.ServiceMode{Replicated: &swarm.ReplicatedService{Replicas: &replicas}}
+	}
+}
+
+// ServiceImage sets the service's image
+func ServiceImage(image string) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.Spec.TaskTemplate = swarm.TaskSpec{ContainerSpec: &swarm.ContainerSpec{Image: image}}
+	}
+}
+
+// ServicePort sets the service's port
+func ServicePort(port swarm.PortConfig) func(*swarm.Service) {
+	return func(service *swarm.Service) {
+		service.Spec.EndpointSpec.Ports = append(service.Spec.EndpointSpec.Ports, port)
+
+		assignedPort := port
+		if assignedPort.PublishedPort == 0 {
+			assignedPort.PublishedPort = 30000
+		}
+		service.Endpoint.Ports = append(service.Endpoint.Ports, assignedPort)
+	}
+}
diff --git a/cli/internal/test/builders/swarm.go b/cli/internal/test/builders/swarm.go
new file mode 100644
index 00000000..ab1a9306
--- /dev/null
+++ b/cli/internal/test/builders/swarm.go
@@ -0,0 +1,39 @@
+package builders
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// Swarm creates a swarm with default values.
+// Any number of swarm function builder can be pass to augment it.
+func Swarm(swarmBuilders ...func(*swarm.Swarm)) *swarm.Swarm {
+	t1 := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
+	swarm := &swarm.Swarm{
+		ClusterInfo: swarm.ClusterInfo{
+			ID: "swarm",
+			Meta: swarm.Meta{
+				CreatedAt: t1,
+			},
+			Spec: swarm.Spec{},
+		},
+		JoinTokens: swarm.JoinTokens{
+			Worker:  "worker-join-token",
+			Manager: "manager-join-token",
+		},
+	}
+
+	for _, builder := range swarmBuilders {
+		builder(swarm)
+	}
+
+	return swarm
+}
+
+// Autolock set the swarm into autolock mode
+func Autolock() func(*swarm.Swarm) {
+	return func(swarm *swarm.Swarm) {
+		swarm.Spec.EncryptionConfig.AutoLockManagers = true
+	}
+}
diff --git a/cli/internal/test/builders/task.go b/cli/internal/test/builders/task.go
new file mode 100644
index 00000000..40efc3d9
--- /dev/null
+++ b/cli/internal/test/builders/task.go
@@ -0,0 +1,160 @@
+package builders
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+var (
+	defaultTime = time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
+)
+
+// Task creates a task with default values .
+// Any number of task function builder can be pass to augment it.
+func Task(taskBuilders ...func(*swarm.Task)) *swarm.Task {
+	task := &swarm.Task{
+		ID: "taskID",
+		Meta: swarm.Meta{
+			CreatedAt: defaultTime,
+		},
+		Annotations: swarm.Annotations{
+			Name: "defaultTaskName",
+		},
+		Spec:         *TaskSpec(),
+		ServiceID:    "rl02d5gwz6chzu7il5fhtb8be",
+		Slot:         1,
+		Status:       *TaskStatus(),
+		DesiredState: swarm.TaskStateReady,
+	}
+
+	for _, builder := range taskBuilders {
+		builder(task)
+	}
+
+	return task
+}
+
+// TaskID sets the task ID
+func TaskID(id string) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.ID = id
+	}
+}
+
+// TaskName sets the task name
+func TaskName(name string) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.Annotations.Name = name
+	}
+}
+
+// TaskServiceID sets the task service's ID
+func TaskServiceID(id string) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.ServiceID = id
+	}
+}
+
+// TaskNodeID sets the task's node id
+func TaskNodeID(id string) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.NodeID = id
+	}
+}
+
+// TaskDesiredState sets the task's desired state
+func TaskDesiredState(state swarm.TaskState) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.DesiredState = state
+	}
+}
+
+// TaskSlot sets the task's slot
+func TaskSlot(slot int) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.Slot = slot
+	}
+}
+
+// WithStatus sets the task status
+func WithStatus(statusBuilders ...func(*swarm.TaskStatus)) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.Status = *TaskStatus(statusBuilders...)
+	}
+}
+
+// TaskStatus creates a task status with default values .
+// Any number of taskStatus function builder can be pass to augment it.
+func TaskStatus(statusBuilders ...func(*swarm.TaskStatus)) *swarm.TaskStatus {
+	timestamp := defaultTime.Add(1 * time.Hour)
+	taskStatus := &swarm.TaskStatus{
+		State:     swarm.TaskStateReady,
+		Timestamp: timestamp,
+	}
+
+	for _, builder := range statusBuilders {
+		builder(taskStatus)
+	}
+
+	return taskStatus
+}
+
+// Timestamp sets the task status timestamp
+func Timestamp(t time.Time) func(*swarm.TaskStatus) {
+	return func(taskStatus *swarm.TaskStatus) {
+		taskStatus.Timestamp = t
+	}
+}
+
+// StatusErr sets the tasks status error
+func StatusErr(err string) func(*swarm.TaskStatus) {
+	return func(taskStatus *swarm.TaskStatus) {
+		taskStatus.Err = err
+	}
+}
+
+// TaskState sets the task's current state
+func TaskState(state swarm.TaskState) func(*swarm.TaskStatus) {
+	return func(taskStatus *swarm.TaskStatus) {
+		taskStatus.State = state
+	}
+}
+
+// PortStatus sets the tasks port config status
+// FIXME(vdemeester) should be a sub builder 👼
+func PortStatus(portConfigs []swarm.PortConfig) func(*swarm.TaskStatus) {
+	return func(taskStatus *swarm.TaskStatus) {
+		taskStatus.PortStatus.Ports = portConfigs
+	}
+}
+
+// WithTaskSpec sets the task spec
+func WithTaskSpec(specBuilders ...func(*swarm.TaskSpec)) func(*swarm.Task) {
+	return func(task *swarm.Task) {
+		task.Spec = *TaskSpec(specBuilders...)
+	}
+}
+
+// TaskSpec creates a task spec with default values .
+// Any number of taskSpec function builder can be pass to augment it.
+func TaskSpec(specBuilders ...func(*swarm.TaskSpec)) *swarm.TaskSpec {
+	taskSpec := &swarm.TaskSpec{
+		ContainerSpec: &swarm.ContainerSpec{
+			Image: "myimage:mytag",
+		},
+	}
+
+	for _, builder := range specBuilders {
+		builder(taskSpec)
+	}
+
+	return taskSpec
+}
+
+// TaskImage sets the task's image
+func TaskImage(image string) func(*swarm.TaskSpec) {
+	return func(taskSpec *swarm.TaskSpec) {
+		taskSpec.ContainerSpec.Image = image
+	}
+}
diff --git a/cli/internal/test/builders/volume.go b/cli/internal/test/builders/volume.go
new file mode 100644
index 00000000..c3c87990
--- /dev/null
+++ b/cli/internal/test/builders/volume.go
@@ -0,0 +1,43 @@
+package builders
+
+import (
+	"github.com/docker/docker/api/types"
+)
+
+// Volume creates a volume with default values.
+// Any number of volume function builder can be passed to augment it.
+func Volume(builders ...func(volume *types.Volume)) *types.Volume {
+	volume := &types.Volume{
+		Name:       "volume",
+		Driver:     "local",
+		Mountpoint: "/data/volume",
+		Scope:      "local",
+	}
+
+	for _, builder := range builders {
+		builder(volume)
+	}
+
+	return volume
+}
+
+// VolumeLabels sets the volume labels
+func VolumeLabels(labels map[string]string) func(volume *types.Volume) {
+	return func(volume *types.Volume) {
+		volume.Labels = labels
+	}
+}
+
+// VolumeName sets the volume labels
+func VolumeName(name string) func(volume *types.Volume) {
+	return func(volume *types.Volume) {
+		volume.Name = name
+	}
+}
+
+// VolumeDriver sets the volume driver
+func VolumeDriver(name string) func(volume *types.Volume) {
+	return func(volume *types.Volume) {
+		volume.Driver = name
+	}
+}
diff --git a/cli/internal/test/cli.go b/cli/internal/test/cli.go
new file mode 100644
index 00000000..17fab645
--- /dev/null
+++ b/cli/internal/test/cli.go
@@ -0,0 +1,169 @@
+package test
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config/configfile"
+	manifeststore "github.com/docker/cli/cli/manifest/store"
+	registryclient "github.com/docker/cli/cli/registry/client"
+	"github.com/docker/cli/cli/trust"
+	"github.com/docker/docker/client"
+	notaryclient "github.com/theupdateframework/notary/client"
+)
+
+// NotaryClientFuncType defines a function that returns a fake notary client
+type NotaryClientFuncType func(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error)
+type clientInfoFuncType func() command.ClientInfo
+
+// FakeCli emulates the default DockerCli
+type FakeCli struct {
+	command.DockerCli
+	client           client.APIClient
+	configfile       *configfile.ConfigFile
+	out              *command.OutStream
+	outBuffer        *bytes.Buffer
+	err              *bytes.Buffer
+	in               *command.InStream
+	server           command.ServerInfo
+	clientInfoFunc   clientInfoFuncType
+	notaryClientFunc NotaryClientFuncType
+	manifestStore    manifeststore.Store
+	registryClient   registryclient.RegistryClient
+	contentTrust     bool
+}
+
+// NewFakeCli returns a fake for the command.Cli interface
+func NewFakeCli(client client.APIClient, opts ...func(*FakeCli)) *FakeCli {
+	outBuffer := new(bytes.Buffer)
+	errBuffer := new(bytes.Buffer)
+	c := &FakeCli{
+		client:    client,
+		out:       command.NewOutStream(outBuffer),
+		outBuffer: outBuffer,
+		err:       errBuffer,
+		in:        command.NewInStream(ioutil.NopCloser(strings.NewReader(""))),
+		// Use an empty string for filename so that tests don't create configfiles
+		// Set cli.ConfigFile().Filename to a tempfile to support Save.
+		configfile: configfile.New(""),
+	}
+	for _, opt := range opts {
+		opt(c)
+	}
+	return c
+}
+
+// SetIn sets the input of the cli to the specified ReadCloser
+func (c *FakeCli) SetIn(in *command.InStream) {
+	c.in = in
+}
+
+// SetErr sets the stderr stream for the cli to the specified io.Writer
+func (c *FakeCli) SetErr(err *bytes.Buffer) {
+	c.err = err
+}
+
+// SetConfigFile sets the "fake" config file
+func (c *FakeCli) SetConfigFile(configfile *configfile.ConfigFile) {
+	c.configfile = configfile
+}
+
+// Client returns a docker API client
+func (c *FakeCli) Client() client.APIClient {
+	return c.client
+}
+
+// Out returns the output stream (stdout) the cli should write on
+func (c *FakeCli) Out() *command.OutStream {
+	return c.out
+}
+
+// Err returns the output stream (stderr) the cli should write on
+func (c *FakeCli) Err() io.Writer {
+	return c.err
+}
+
+// In returns the input stream the cli will use
+func (c *FakeCli) In() *command.InStream {
+	return c.in
+}
+
+// ConfigFile returns the cli configfile object (to get client configuration)
+func (c *FakeCli) ConfigFile() *configfile.ConfigFile {
+	return c.configfile
+}
+
+// ServerInfo returns API server information for the server used by this client
+func (c *FakeCli) ServerInfo() command.ServerInfo {
+	return c.server
+}
+
+// ClientInfo returns client information
+func (c *FakeCli) ClientInfo() command.ClientInfo {
+	if c.clientInfoFunc != nil {
+		return c.clientInfoFunc()
+	}
+	return c.DockerCli.ClientInfo()
+}
+
+// SetClientInfo sets the internal getter for retrieving a ClientInfo
+func (c *FakeCli) SetClientInfo(clientInfoFunc clientInfoFuncType) {
+	c.clientInfoFunc = clientInfoFunc
+}
+
+// OutBuffer returns the stdout buffer
+func (c *FakeCli) OutBuffer() *bytes.Buffer {
+	return c.outBuffer
+}
+
+// ErrBuffer Buffer returns the stderr buffer
+func (c *FakeCli) ErrBuffer() *bytes.Buffer {
+	return c.err
+}
+
+// SetNotaryClient sets the internal getter for retrieving a NotaryClient
+func (c *FakeCli) SetNotaryClient(notaryClientFunc NotaryClientFuncType) {
+	c.notaryClientFunc = notaryClientFunc
+}
+
+// NotaryClient returns an err for testing unless defined
+func (c *FakeCli) NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (notaryclient.Repository, error) {
+	if c.notaryClientFunc != nil {
+		return c.notaryClientFunc(imgRefAndAuth, actions)
+	}
+	return nil, fmt.Errorf("no notary client available unless defined")
+}
+
+// ManifestStore returns a fake store used for testing
+func (c *FakeCli) ManifestStore() manifeststore.Store {
+	return c.manifestStore
+}
+
+// RegistryClient returns a fake client for testing
+func (c *FakeCli) RegistryClient(insecure bool) registryclient.RegistryClient {
+	return c.registryClient
+}
+
+// SetManifestStore on the fake cli
+func (c *FakeCli) SetManifestStore(store manifeststore.Store) {
+	c.manifestStore = store
+}
+
+// SetRegistryClient on the fake cli
+func (c *FakeCli) SetRegistryClient(client registryclient.RegistryClient) {
+	c.registryClient = client
+}
+
+// ContentTrustEnabled on the fake cli
+func (c *FakeCli) ContentTrustEnabled() bool {
+	return c.contentTrust
+}
+
+// EnableContentTrust on the fake cli
+func EnableContentTrust(c *FakeCli) {
+	c.contentTrust = true
+}
diff --git a/cli/internal/test/doc.go b/cli/internal/test/doc.go
new file mode 100644
index 00000000..342441d5
--- /dev/null
+++ b/cli/internal/test/doc.go
@@ -0,0 +1,5 @@
+// Package test is a test-only package that can be used by other cli package to write unit test.
+//
+// It as an internal package and cannot be used outside of github.com/docker/cli package.
+//
+package test
diff --git a/cli/internal/test/environment/testenv.go b/cli/internal/test/environment/testenv.go
new file mode 100644
index 00000000..3e4ef849
--- /dev/null
+++ b/cli/internal/test/environment/testenv.go
@@ -0,0 +1,78 @@
+package environment
+
+import (
+	"os"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+	"gotest.tools/poll"
+)
+
+// Setup a new environment
+func Setup() error {
+	dockerHost := os.Getenv("TEST_DOCKER_HOST")
+	if dockerHost == "" {
+		return errors.New("$TEST_DOCKER_HOST must be set")
+	}
+	if err := os.Setenv("DOCKER_HOST", dockerHost); err != nil {
+		return err
+	}
+
+	if dockerCertPath := os.Getenv("TEST_DOCKER_CERT_PATH"); dockerCertPath != "" {
+		if err := os.Setenv("DOCKER_CERT_PATH", dockerCertPath); err != nil {
+			return err
+		}
+		if err := os.Setenv("DOCKER_TLS_VERIFY", "1"); err != nil {
+			return err
+		}
+	}
+
+	if kubeConfig := os.Getenv("TEST_KUBECONFIG"); kubeConfig != "" {
+		if err := os.Setenv("KUBECONFIG", kubeConfig); err != nil {
+			return err
+		}
+	}
+
+	if val := boolFromString(os.Getenv("TEST_REMOTE_DAEMON")); val {
+		if err := os.Setenv("REMOTE_DAEMON", "1"); err != nil {
+			return err
+		}
+	}
+
+	if val := boolFromString(os.Getenv("TEST_SKIP_PLUGIN_TESTS")); val {
+		if err := os.Setenv("SKIP_PLUGIN_TESTS", "1"); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// KubernetesEnabled returns if Kubernetes testing is enabled
+func KubernetesEnabled() bool {
+	return os.Getenv("KUBECONFIG") != ""
+}
+
+// RemoteDaemon returns true if running against a remote daemon
+func RemoteDaemon() bool {
+	return os.Getenv("REMOTE_DAEMON") != ""
+}
+
+// SkipPluginTests returns if plugin tests should be skipped
+func SkipPluginTests() bool {
+	return os.Getenv("SKIP_PLUGIN_TESTS") != ""
+}
+
+// boolFromString determines boolean value from string
+func boolFromString(val string) bool {
+	switch strings.ToLower(val) {
+	case "true", "1":
+		return true
+	default:
+		return false
+	}
+}
+
+// DefaultPollSettings used with gotestyourself/poll
+var DefaultPollSettings = poll.WithDelay(100 * time.Millisecond)
diff --git a/cli/internal/test/network/client.go b/cli/internal/test/network/client.go
new file mode 100644
index 00000000..5a65dcb5
--- /dev/null
+++ b/cli/internal/test/network/client.go
@@ -0,0 +1,57 @@
+package network
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/network"
+)
+
+// FakeClient is a fake NetworkAPIClient
+type FakeClient struct {
+	NetworkInspectFunc func(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, error)
+}
+
+// NetworkConnect fakes connecting to a network
+func (c *FakeClient) NetworkConnect(ctx context.Context, networkID, container string, config *network.EndpointSettings) error {
+	return nil
+}
+
+// NetworkCreate fakes creating a network
+func (c *FakeClient) NetworkCreate(_ context.Context, _ string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
+	return types.NetworkCreateResponse{}, nil
+}
+
+// NetworkDisconnect fakes disconnecting from a network
+func (c *FakeClient) NetworkDisconnect(ctx context.Context, networkID, container string, force bool) error {
+	return nil
+}
+
+// NetworkInspect fakes inspecting a network
+func (c *FakeClient) NetworkInspect(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, error) {
+	if c.NetworkInspectFunc != nil {
+		return c.NetworkInspectFunc(ctx, networkID, options)
+	}
+	return types.NetworkResource{}, nil
+}
+
+// NetworkInspectWithRaw fakes inspecting a network with a raw response
+func (c *FakeClient) NetworkInspectWithRaw(_ context.Context, _ string, _ types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
+	return types.NetworkResource{}, nil, nil
+}
+
+// NetworkList fakes listing networks
+func (c *FakeClient) NetworkList(_ context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+	return nil, nil
+}
+
+// NetworkRemove fakes removing networks
+func (c *FakeClient) NetworkRemove(ctx context.Context, networkID string) error {
+	return nil
+}
+
+// NetworksPrune fakes pruning networks
+func (c *FakeClient) NetworksPrune(_ context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error) {
+	return types.NetworksPruneReport{}, nil
+}
diff --git a/cli/internal/test/notary/client.go b/cli/internal/test/notary/client.go
new file mode 100644
index 00000000..efaf8a78
--- /dev/null
+++ b/cli/internal/test/notary/client.go
@@ -0,0 +1,543 @@
+package notary
+
+import (
+	"github.com/docker/cli/cli/trust"
+	"github.com/theupdateframework/notary/client"
+	"github.com/theupdateframework/notary/client/changelist"
+	"github.com/theupdateframework/notary/cryptoservice"
+	"github.com/theupdateframework/notary/passphrase"
+	"github.com/theupdateframework/notary/storage"
+	"github.com/theupdateframework/notary/trustmanager"
+	"github.com/theupdateframework/notary/tuf/data"
+	"github.com/theupdateframework/notary/tuf/signed"
+)
+
+// GetOfflineNotaryRepository returns a OfflineNotaryRepository
+func GetOfflineNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+	return OfflineNotaryRepository{}, nil
+}
+
+// OfflineNotaryRepository is a mock Notary repository that is offline
+type OfflineNotaryRepository struct{}
+
+// Initialize creates a new repository by using rootKey as the root Key for the
+// TUF repository.
+func (o OfflineNotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
+	return storage.ErrOffline{}
+}
+
+// InitializeWithCertificate initializes the repository with root keys and their corresponding certificates
+func (o OfflineNotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
+	return storage.ErrOffline{}
+}
+
+// Publish pushes the local changes in signed material to the remote notary-server
+// Conceptually it performs an operation similar to a `git rebase`
+func (o OfflineNotaryRepository) Publish() error {
+	return storage.ErrOffline{}
+}
+
+// AddTarget creates new changelist entries to add a target to the given roles
+// in the repository when the changelist gets applied at publish time.
+func (o OfflineNotaryRepository) AddTarget(target *client.Target, roles ...data.RoleName) error {
+	return nil
+}
+
+// RemoveTarget creates new changelist entries to remove a target from the given
+// roles in the repository when the changelist gets applied at publish time.
+func (o OfflineNotaryRepository) RemoveTarget(targetName string, roles ...data.RoleName) error {
+	return nil
+}
+
+// ListTargets lists all targets for the current repository. The list of
+// roles should be passed in order from highest to lowest priority.
+func (o OfflineNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
+	return nil, storage.ErrOffline{}
+}
+
+// GetTargetByName returns a target by the given name.
+func (o OfflineNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
+	return nil, storage.ErrOffline{}
+}
+
+// GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
+// roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
+func (o OfflineNotaryRepository) GetAllTargetMetadataByName(name string) ([]client.TargetSignedStruct, error) {
+	return nil, storage.ErrOffline{}
+}
+
+// GetChangelist returns the list of the repository's unpublished changes
+func (o OfflineNotaryRepository) GetChangelist() (changelist.Changelist, error) {
+	return changelist.NewMemChangelist(), nil
+}
+
+// ListRoles returns a list of RoleWithSignatures objects for this repo
+func (o OfflineNotaryRepository) ListRoles() ([]client.RoleWithSignatures, error) {
+	return nil, storage.ErrOffline{}
+}
+
+// GetDelegationRoles returns the keys and roles of the repository's delegations
+func (o OfflineNotaryRepository) GetDelegationRoles() ([]data.Role, error) {
+	return nil, storage.ErrOffline{}
+}
+
+// AddDelegation creates changelist entries to add provided delegation public keys and paths.
+func (o OfflineNotaryRepository) AddDelegation(name data.RoleName, delegationKeys []data.PublicKey, paths []string) error {
+	return nil
+}
+
+// AddDelegationRoleAndKeys creates a changelist entry to add provided delegation public keys.
+func (o OfflineNotaryRepository) AddDelegationRoleAndKeys(name data.RoleName, delegationKeys []data.PublicKey) error {
+	return nil
+}
+
+// AddDelegationPaths creates a changelist entry to add provided paths to an existing delegation.
+func (o OfflineNotaryRepository) AddDelegationPaths(name data.RoleName, paths []string) error {
+	return nil
+}
+
+// RemoveDelegationKeysAndPaths creates changelist entries to remove provided delegation key IDs and paths.
+func (o OfflineNotaryRepository) RemoveDelegationKeysAndPaths(name data.RoleName, keyIDs, paths []string) error {
+	return nil
+}
+
+// RemoveDelegationRole creates a changelist to remove all paths and keys from a role, and delete the role in its entirety.
+func (o OfflineNotaryRepository) RemoveDelegationRole(name data.RoleName) error {
+	return nil
+}
+
+// RemoveDelegationPaths creates a changelist entry to remove provided paths from an existing delegation.
+func (o OfflineNotaryRepository) RemoveDelegationPaths(name data.RoleName, paths []string) error {
+	return nil
+}
+
+// RemoveDelegationKeys creates a changelist entry to remove provided keys from an existing delegation.
+func (o OfflineNotaryRepository) RemoveDelegationKeys(name data.RoleName, keyIDs []string) error {
+	return nil
+}
+
+// ClearDelegationPaths creates a changelist entry to remove all paths from an existing delegation.
+func (o OfflineNotaryRepository) ClearDelegationPaths(name data.RoleName) error {
+	return nil
+}
+
+// Witness creates change objects to witness (i.e. re-sign) the given
+// roles on the next publish. One change is created per role
+func (o OfflineNotaryRepository) Witness(roles ...data.RoleName) ([]data.RoleName, error) {
+	return nil, nil
+}
+
+// RotateKey rotates a private key and returns the public component from the remote server
+func (o OfflineNotaryRepository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
+	return storage.ErrOffline{}
+}
+
+// GetCryptoService is the getter for the repository's CryptoService
+func (o OfflineNotaryRepository) GetCryptoService() signed.CryptoService {
+	return nil
+}
+
+// SetLegacyVersions allows the number of legacy versions of the root
+// to be inspected for old signing keys to be configured.
+func (o OfflineNotaryRepository) SetLegacyVersions(version int) {}
+
+// GetGUN is a getter for the GUN object from a Repository
+func (o OfflineNotaryRepository) GetGUN() data.GUN {
+	return data.GUN("gun")
+}
+
+// GetUninitializedNotaryRepository returns an UninitializedNotaryRepository
+func GetUninitializedNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+	return UninitializedNotaryRepository{}, nil
+}
+
+// UninitializedNotaryRepository is a mock Notary repository that is uninintialized
+// it builds on top of the OfflineNotaryRepository, instead returning ErrRepositoryNotExist
+// for any online operation
+type UninitializedNotaryRepository struct {
+	OfflineNotaryRepository
+}
+
+// Initialize creates a new repository by using rootKey as the root Key for the
+// TUF repository.
+func (u UninitializedNotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
+	return client.ErrRepositoryNotExist{}
+}
+
+// InitializeWithCertificate initializes the repository with root keys and their corresponding certificates
+func (u UninitializedNotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
+	return client.ErrRepositoryNotExist{}
+}
+
+// Publish pushes the local changes in signed material to the remote notary-server
+// Conceptually it performs an operation similar to a `git rebase`
+func (u UninitializedNotaryRepository) Publish() error {
+	return client.ErrRepositoryNotExist{}
+}
+
+// ListTargets lists all targets for the current repository. The list of
+// roles should be passed in order from highest to lowest priority.
+func (u UninitializedNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
+	return nil, client.ErrRepositoryNotExist{}
+}
+
+// GetTargetByName returns a target by the given name.
+func (u UninitializedNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
+	return nil, client.ErrRepositoryNotExist{}
+}
+
+// GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
+// roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
+func (u UninitializedNotaryRepository) GetAllTargetMetadataByName(name string) ([]client.TargetSignedStruct, error) {
+	return nil, client.ErrRepositoryNotExist{}
+}
+
+// ListRoles returns a list of RoleWithSignatures objects for this repo
+func (u UninitializedNotaryRepository) ListRoles() ([]client.RoleWithSignatures, error) {
+	return nil, client.ErrRepositoryNotExist{}
+}
+
+// GetDelegationRoles returns the keys and roles of the repository's delegations
+func (u UninitializedNotaryRepository) GetDelegationRoles() ([]data.Role, error) {
+	return nil, client.ErrRepositoryNotExist{}
+}
+
+// RotateKey rotates a private key and returns the public component from the remote server
+func (u UninitializedNotaryRepository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
+	return client.ErrRepositoryNotExist{}
+}
+
+// GetEmptyTargetsNotaryRepository returns an EmptyTargetsNotaryRepository
+func GetEmptyTargetsNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+	return EmptyTargetsNotaryRepository{}, nil
+}
+
+// EmptyTargetsNotaryRepository is a mock Notary repository that is initialized
+// but does not have any signed targets
+type EmptyTargetsNotaryRepository struct {
+	OfflineNotaryRepository
+}
+
+// Initialize creates a new repository by using rootKey as the root Key for the
+// TUF repository.
+func (e EmptyTargetsNotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
+	return nil
+}
+
+// InitializeWithCertificate initializes the repository with root keys and their corresponding certificates
+func (e EmptyTargetsNotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
+	return nil
+}
+
+// Publish pushes the local changes in signed material to the remote notary-server
+// Conceptually it performs an operation similar to a `git rebase`
+func (e EmptyTargetsNotaryRepository) Publish() error {
+	return nil
+}
+
+// ListTargets lists all targets for the current repository. The list of
+// roles should be passed in order from highest to lowest priority.
+func (e EmptyTargetsNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
+	return []*client.TargetWithRole{}, nil
+}
+
+// GetTargetByName returns a target by the given name.
+func (e EmptyTargetsNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
+	return nil, client.ErrNoSuchTarget(name)
+}
+
+// GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
+// roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
+func (e EmptyTargetsNotaryRepository) GetAllTargetMetadataByName(name string) ([]client.TargetSignedStruct, error) {
+	return nil, client.ErrNoSuchTarget(name)
+}
+
+// ListRoles returns a list of RoleWithSignatures objects for this repo
+func (e EmptyTargetsNotaryRepository) ListRoles() ([]client.RoleWithSignatures, error) {
+	rootRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs:    []string{"rootID"},
+			Threshold: 1,
+		},
+		Name: data.CanonicalRootRole,
+	}
+
+	targetsRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs:    []string{"targetsID"},
+			Threshold: 1,
+		},
+		Name: data.CanonicalTargetsRole,
+	}
+	return []client.RoleWithSignatures{
+		{Role: rootRole},
+		{Role: targetsRole}}, nil
+}
+
+// GetDelegationRoles returns the keys and roles of the repository's delegations
+func (e EmptyTargetsNotaryRepository) GetDelegationRoles() ([]data.Role, error) {
+	return []data.Role{}, nil
+}
+
+// RotateKey rotates a private key and returns the public component from the remote server
+func (e EmptyTargetsNotaryRepository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
+	return nil
+}
+
+// GetLoadedNotaryRepository returns a LoadedNotaryRepository
+func GetLoadedNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+	return LoadedNotaryRepository{}, nil
+}
+
+// LoadedNotaryRepository is a mock Notary repository that is loaded with targets, delegations, and keys
+type LoadedNotaryRepository struct {
+	EmptyTargetsNotaryRepository
+	statefulCryptoService signed.CryptoService
+}
+
+// LoadedNotaryRepository has three delegations:
+// - targets/releases: includes keys A and B
+// - targets/alice: includes key A
+// - targets/bob: includes key B
+var loadedReleasesRole = data.DelegationRole{
+	BaseRole: data.BaseRole{
+		Name:      "targets/releases",
+		Keys:      map[string]data.PublicKey{"A": nil, "B": nil},
+		Threshold: 1,
+	},
+}
+var loadedAliceRole = data.DelegationRole{
+	BaseRole: data.BaseRole{
+		Name:      "targets/alice",
+		Keys:      map[string]data.PublicKey{"A": nil},
+		Threshold: 1,
+	},
+}
+var loadedBobRole = data.DelegationRole{
+	BaseRole: data.BaseRole{
+		Name:      "targets/bob",
+		Keys:      map[string]data.PublicKey{"B": nil},
+		Threshold: 1,
+	},
+}
+var loadedDelegationRoles = []data.Role{
+	{
+		Name: loadedReleasesRole.Name,
+		RootRole: data.RootRole{
+			KeyIDs:    []string{"A", "B"},
+			Threshold: 1,
+		},
+	},
+	{
+		Name: loadedAliceRole.Name,
+		RootRole: data.RootRole{
+			KeyIDs:    []string{"A"},
+			Threshold: 1,
+		},
+	},
+	{
+		Name: loadedBobRole.Name,
+		RootRole: data.RootRole{
+			KeyIDs:    []string{"B"},
+			Threshold: 1,
+		},
+	},
+}
+var loadedTargetsRole = data.DelegationRole{
+	BaseRole: data.BaseRole{
+		Name:      data.CanonicalTargetsRole,
+		Keys:      map[string]data.PublicKey{"C": nil},
+		Threshold: 1,
+	},
+}
+
+// LoadedNotaryRepository has three targets:
+// - red: signed by targets/releases, targets/alice, targets/bob
+// - blue: signed by targets/releases, targets/alice
+// - green: signed by targets/releases
+var loadedRedTarget = client.Target{
+	Name:   "red",
+	Hashes: data.Hashes{"sha256": []byte("red-digest")},
+}
+var loadedBlueTarget = client.Target{
+	Name:   "blue",
+	Hashes: data.Hashes{"sha256": []byte("blue-digest")},
+}
+var loadedGreenTarget = client.Target{
+	Name:   "green",
+	Hashes: data.Hashes{"sha256": []byte("green-digest")},
+}
+var loadedTargets = []client.TargetSignedStruct{
+	// red is signed by all three delegations
+	{Target: loadedRedTarget, Role: loadedReleasesRole},
+	{Target: loadedRedTarget, Role: loadedAliceRole},
+	{Target: loadedRedTarget, Role: loadedBobRole},
+
+	// blue is signed by targets/releases, targets/alice
+	{Target: loadedBlueTarget, Role: loadedReleasesRole},
+	{Target: loadedBlueTarget, Role: loadedAliceRole},
+
+	// green is signed by targets/releases
+	{Target: loadedGreenTarget, Role: loadedReleasesRole},
+}
+
+// ListRoles returns a list of RoleWithSignatures objects for this repo
+func (l LoadedNotaryRepository) ListRoles() ([]client.RoleWithSignatures, error) {
+	rootRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs:    []string{"rootID"},
+			Threshold: 1,
+		},
+		Name: data.CanonicalRootRole,
+	}
+
+	targetsRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs:    []string{"targetsID"},
+			Threshold: 1,
+		},
+		Name: data.CanonicalTargetsRole,
+	}
+
+	aliceRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs:    []string{"A"},
+			Threshold: 1,
+		},
+		Name: data.RoleName("targets/alice"),
+	}
+
+	bobRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs:    []string{"B"},
+			Threshold: 1,
+		},
+		Name: data.RoleName("targets/bob"),
+	}
+
+	releasesRole := data.Role{
+		RootRole: data.RootRole{
+			KeyIDs:    []string{"A", "B"},
+			Threshold: 1,
+		},
+		Name: data.RoleName("targets/releases"),
+	}
+	// have releases only signed off by Alice last
+	releasesSig := []data.Signature{{KeyID: "A"}}
+
+	return []client.RoleWithSignatures{
+		{Role: rootRole},
+		{Role: targetsRole},
+		{Role: aliceRole},
+		{Role: bobRole},
+		{Role: releasesRole, Signatures: releasesSig},
+	}, nil
+}
+
+// ListTargets lists all targets for the current repository. The list of
+// roles should be passed in order from highest to lowest priority.
+func (l LoadedNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
+	filteredTargets := []*client.TargetWithRole{}
+	for _, tgt := range loadedTargets {
+		if len(roles) == 0 || (len(roles) > 0 && roles[0] == tgt.Role.Name) {
+			filteredTargets = append(filteredTargets, &client.TargetWithRole{Target: tgt.Target, Role: tgt.Role.Name})
+		}
+	}
+	return filteredTargets, nil
+}
+
+// GetTargetByName returns a target by the given name.
+func (l LoadedNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
+	for _, tgt := range loadedTargets {
+		if name == tgt.Target.Name {
+			if len(roles) == 0 || (len(roles) > 0 && roles[0] == tgt.Role.Name) {
+				return &client.TargetWithRole{Target: tgt.Target, Role: tgt.Role.Name}, nil
+			}
+		}
+	}
+	return nil, client.ErrNoSuchTarget(name)
+}
+
+// GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
+// roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
+func (l LoadedNotaryRepository) GetAllTargetMetadataByName(name string) ([]client.TargetSignedStruct, error) {
+	if name == "" {
+		return loadedTargets, nil
+	}
+	filteredTargets := []client.TargetSignedStruct{}
+	for _, tgt := range loadedTargets {
+		if name == tgt.Target.Name {
+			filteredTargets = append(filteredTargets, tgt)
+		}
+	}
+	if len(filteredTargets) == 0 {
+		return nil, client.ErrNoSuchTarget(name)
+	}
+	return filteredTargets, nil
+}
+
+// GetGUN is a getter for the GUN object from a Repository
+func (l LoadedNotaryRepository) GetGUN() data.GUN {
+	return data.GUN("signed-repo")
+}
+
+// GetDelegationRoles returns the keys and roles of the repository's delegations
+func (l LoadedNotaryRepository) GetDelegationRoles() ([]data.Role, error) {
+	return loadedDelegationRoles, nil
+}
+
+// GetCryptoService is the getter for the repository's CryptoService
+func (l LoadedNotaryRepository) GetCryptoService() signed.CryptoService {
+	if l.statefulCryptoService == nil {
+		// give it an in-memory cryptoservice with a root key and targets key
+		l.statefulCryptoService = cryptoservice.NewCryptoService(trustmanager.NewKeyMemoryStore(passphrase.ConstantRetriever("password")))
+		l.statefulCryptoService.AddKey(data.CanonicalRootRole, l.GetGUN(), nil)
+		l.statefulCryptoService.AddKey(data.CanonicalTargetsRole, l.GetGUN(), nil)
+	}
+	return l.statefulCryptoService
+}
+
+// GetLoadedWithNoSignersNotaryRepository returns a LoadedWithNoSignersNotaryRepository
+func GetLoadedWithNoSignersNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+	return LoadedWithNoSignersNotaryRepository{}, nil
+}
+
+// LoadedWithNoSignersNotaryRepository is a mock Notary repository that is loaded with targets but no delegations
+// it only contains the green target
+type LoadedWithNoSignersNotaryRepository struct {
+	LoadedNotaryRepository
+}
+
+// ListTargets lists all targets for the current repository. The list of
+// roles should be passed in order from highest to lowest priority.
+func (l LoadedWithNoSignersNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
+	filteredTargets := []*client.TargetWithRole{}
+	for _, tgt := range loadedTargets {
+		if len(roles) == 0 || (len(roles) > 0 && roles[0] == tgt.Role.Name) {
+			filteredTargets = append(filteredTargets, &client.TargetWithRole{Target: tgt.Target, Role: tgt.Role.Name})
+		}
+	}
+	return filteredTargets, nil
+}
+
+// GetTargetByName returns a target by the given name.
+func (l LoadedWithNoSignersNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
+	if name == "" || name == loadedGreenTarget.Name {
+		return &client.TargetWithRole{Target: loadedGreenTarget, Role: data.CanonicalTargetsRole}, nil
+	}
+	return nil, client.ErrNoSuchTarget(name)
+}
+
+// GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
+// roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
+func (l LoadedWithNoSignersNotaryRepository) GetAllTargetMetadataByName(name string) ([]client.TargetSignedStruct, error) {
+	if name == "" || name == loadedGreenTarget.Name {
+		return []client.TargetSignedStruct{{Target: loadedGreenTarget, Role: loadedTargetsRole}}, nil
+	}
+	return nil, client.ErrNoSuchTarget(name)
+}
+
+// GetDelegationRoles returns the keys and roles of the repository's delegations
+func (l LoadedWithNoSignersNotaryRepository) GetDelegationRoles() ([]data.Role, error) {
+	return []data.Role{}, nil
+}
diff --git a/cli/internal/test/output/output.go b/cli/internal/test/output/output.go
new file mode 100644
index 00000000..d085359c
--- /dev/null
+++ b/cli/internal/test/output/output.go
@@ -0,0 +1,65 @@
+package output
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/pkg/errors"
+)
+
+// Assert checks output lines at specified locations
+func Assert(t *testing.T, actual string, expectedLines map[int]func(string) error) {
+	t.Helper()
+	for i, line := range strings.Split(actual, "\n") {
+		cmp, ok := expectedLines[i]
+		if !ok {
+			continue
+		}
+		if err := cmp(line); err != nil {
+			t.Errorf("line %d: %s", i, err)
+		}
+	}
+	if t.Failed() {
+		t.Log(actual)
+	}
+}
+
+// Prefix returns whether the line has the specified string as prefix
+func Prefix(expected string) func(string) error {
+	return func(actual string) error {
+		if strings.HasPrefix(actual, expected) {
+			return nil
+		}
+		return errors.Errorf("expected %q to start with %q", actual, expected)
+	}
+}
+
+// Suffix returns whether the line has the specified string as suffix
+func Suffix(expected string) func(string) error {
+	return func(actual string) error {
+		if strings.HasSuffix(actual, expected) {
+			return nil
+		}
+		return errors.Errorf("expected %q to end with %q", actual, expected)
+	}
+}
+
+// Contains returns whether the line contains the specified string
+func Contains(expected string) func(string) error {
+	return func(actual string) error {
+		if strings.Contains(actual, expected) {
+			return nil
+		}
+		return errors.Errorf("expected %q to contain %q", actual, expected)
+	}
+}
+
+// Equals returns wether the line is the same as the specified string
+func Equals(expected string) func(string) error {
+	return func(actual string) error {
+		if expected == actual {
+			return nil
+		}
+		return errors.Errorf("got %q, expected %q", actual, expected)
+	}
+}
diff --git a/cli/internal/test/store.go b/cli/internal/test/store.go
new file mode 100644
index 00000000..35565dc6
--- /dev/null
+++ b/cli/internal/test/store.go
@@ -0,0 +1,79 @@
+package test
+
+import (
+	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/docker/api/types"
+)
+
+// FakeStore implements a credentials.Store that only acts as an in memory map
+type FakeStore struct {
+	store      map[string]types.AuthConfig
+	eraseFunc  func(serverAddress string) error
+	getFunc    func(serverAddress string) (types.AuthConfig, error)
+	getAllFunc func() (map[string]types.AuthConfig, error)
+	storeFunc  func(authConfig types.AuthConfig) error
+}
+
+// NewFakeStore creates a new file credentials store.
+func NewFakeStore() credentials.Store {
+	return &FakeStore{store: map[string]types.AuthConfig{}}
+}
+
+// SetStore is used to overrides Set function
+func (c *FakeStore) SetStore(store map[string]types.AuthConfig) {
+	c.store = store
+}
+
+// SetEraseFunc is used to overrides Erase function
+func (c *FakeStore) SetEraseFunc(eraseFunc func(string) error) {
+	c.eraseFunc = eraseFunc
+}
+
+// SetGetFunc is used to overrides Get function
+func (c *FakeStore) SetGetFunc(getFunc func(string) (types.AuthConfig, error)) {
+	c.getFunc = getFunc
+}
+
+// SetGetAllFunc is used to  overrides GetAll function
+func (c *FakeStore) SetGetAllFunc(getAllFunc func() (map[string]types.AuthConfig, error)) {
+	c.getAllFunc = getAllFunc
+}
+
+// SetStoreFunc is used to override Store function
+func (c *FakeStore) SetStoreFunc(storeFunc func(types.AuthConfig) error) {
+	c.storeFunc = storeFunc
+}
+
+// Erase removes the given credentials from the map store
+func (c *FakeStore) Erase(serverAddress string) error {
+	if c.eraseFunc != nil {
+		return c.eraseFunc(serverAddress)
+	}
+	delete(c.store, serverAddress)
+	return nil
+}
+
+// Get retrieves credentials for a specific server from the map store.
+func (c *FakeStore) Get(serverAddress string) (types.AuthConfig, error) {
+	if c.getFunc != nil {
+		return c.getFunc(serverAddress)
+	}
+	return c.store[serverAddress], nil
+}
+
+// GetAll returns the key value pairs of ServerAddress => Username
+func (c *FakeStore) GetAll() (map[string]types.AuthConfig, error) {
+	if c.getAllFunc != nil {
+		return c.getAllFunc()
+	}
+	return c.store, nil
+}
+
+// Store saves the given credentials in the map store.
+func (c *FakeStore) Store(authConfig types.AuthConfig) error {
+	if c.storeFunc != nil {
+		return c.storeFunc(authConfig)
+	}
+	c.store[authConfig.ServerAddress] = authConfig
+	return nil
+}
diff --git a/cli/kubernetes/README.md b/cli/kubernetes/README.md
new file mode 100644
index 00000000..7d5e1fd0
--- /dev/null
+++ b/cli/kubernetes/README.md
@@ -0,0 +1,4 @@
+# Kubernetes client libraries
+
+This package (and sub-packages) holds the client libraries for the kubernetes integration in
+the docker platform. Most of the code is currently generated.
\ No newline at end of file
diff --git a/cli/kubernetes/check.go b/cli/kubernetes/check.go
new file mode 100644
index 00000000..47152b01
--- /dev/null
+++ b/cli/kubernetes/check.go
@@ -0,0 +1,55 @@
+package kubernetes
+
+import (
+	apiv1beta1 "github.com/docker/cli/kubernetes/compose/v1beta1"
+	apiv1beta2 "github.com/docker/cli/kubernetes/compose/v1beta2"
+	"github.com/pkg/errors"
+	apimachinerymetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/kubernetes"
+)
+
+// StackVersion represents the detected Compose Component on Kubernetes side.
+type StackVersion string
+
+const (
+	// StackAPIV1Beta1 is returned if it's the most recent version available.
+	StackAPIV1Beta1 = StackVersion("v1beta1")
+	// StackAPIV1Beta2 is returned if it's the most recent version available.
+	StackAPIV1Beta2 = StackVersion("v1beta2")
+)
+
+// GetStackAPIVersion returns the most recent stack API installed.
+func GetStackAPIVersion(clientSet *kubernetes.Clientset) (StackVersion, error) {
+	groups, err := clientSet.Discovery().ServerGroups()
+	if err != nil {
+		return "", err
+	}
+
+	return getAPIVersion(groups)
+}
+
+func getAPIVersion(groups *metav1.APIGroupList) (StackVersion, error) {
+	switch {
+	case findVersion(apiv1beta2.SchemeGroupVersion, groups.Groups):
+		return StackAPIV1Beta2, nil
+	case findVersion(apiv1beta1.SchemeGroupVersion, groups.Groups):
+		return StackAPIV1Beta1, nil
+	default:
+		return "", errors.Errorf("failed to find a Stack API version")
+	}
+}
+
+func findVersion(stackAPI schema.GroupVersion, groups []apimachinerymetav1.APIGroup) bool {
+	for _, group := range groups {
+		if group.Name == stackAPI.Group {
+			for _, version := range group.Versions {
+				if version.Version == stackAPI.Version {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
diff --git a/cli/kubernetes/check_test.go b/cli/kubernetes/check_test.go
new file mode 100644
index 00000000..e9b9aa7f
--- /dev/null
+++ b/cli/kubernetes/check_test.go
@@ -0,0 +1,51 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestGetStackAPIVersion(t *testing.T) {
+	var tests = []struct {
+		description   string
+		groups        *metav1.APIGroupList
+		err           bool
+		expectedStack StackVersion
+	}{
+		{"no stack api", makeGroups(), true, ""},
+		{"v1beta1", makeGroups(groupVersion{"compose.docker.com", []string{"v1beta1"}}), false, StackAPIV1Beta1},
+		{"v1beta2", makeGroups(groupVersion{"compose.docker.com", []string{"v1beta2"}}), false, StackAPIV1Beta2},
+		{"most recent has precedence", makeGroups(groupVersion{"compose.docker.com", []string{"v1beta1", "v1beta2"}}), false, StackAPIV1Beta2},
+	}
+
+	for _, test := range tests {
+		version, err := getAPIVersion(test.groups)
+		if test.err {
+			assert.ErrorContains(t, err, "")
+		} else {
+			assert.NilError(t, err)
+		}
+		assert.Check(t, is.Equal(test.expectedStack, version))
+	}
+}
+
+type groupVersion struct {
+	name     string
+	versions []string
+}
+
+func makeGroups(versions ...groupVersion) *metav1.APIGroupList {
+	groups := make([]metav1.APIGroup, len(versions))
+	for i := range versions {
+		groups[i].Name = versions[i].name
+		for _, v := range versions[i].versions {
+			groups[i].Versions = append(groups[i].Versions, metav1.GroupVersionForDiscovery{Version: v})
+		}
+	}
+	return &metav1.APIGroupList{
+		Groups: groups,
+	}
+}
diff --git a/cli/kubernetes/client/clientset/clientset.go b/cli/kubernetes/client/clientset/clientset.go
new file mode 100644
index 00000000..b9cea6bb
--- /dev/null
+++ b/cli/kubernetes/client/clientset/clientset.go
@@ -0,0 +1,96 @@
+package clientset
+
+import (
+	composev1beta1 "github.com/docker/cli/kubernetes/client/clientset/typed/compose/v1beta1"
+	composev1beta2 "github.com/docker/cli/kubernetes/client/clientset/typed/compose/v1beta2"
+	"github.com/golang/glog"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/util/flowcontrol"
+)
+
+// Interface defines the methods a compose kube client should have
+// FIXME(vdemeester) is it required ?
+type Interface interface {
+	Discovery() discovery.DiscoveryInterface
+	ComposeV1beta2() composev1beta2.ComposeV1beta2Interface
+	ComposeV1beta1() composev1beta1.ComposeV1beta1Interface
+}
+
+// Clientset contains the clients for groups. Each group has exactly one
+// version included in a Clientset.
+type Clientset struct {
+	*discovery.DiscoveryClient
+	*composev1beta2.ComposeV1beta2Client
+	*composev1beta1.ComposeV1beta1Client
+}
+
+// ComposeV1beta2 retrieves the ComposeV1beta2Client
+func (c *Clientset) ComposeV1beta2() composev1beta2.ComposeV1beta2Interface {
+	if c == nil {
+		return nil
+	}
+	return c.ComposeV1beta2Client
+}
+
+// ComposeV1beta1 retrieves the ComposeV1beta1Client
+func (c *Clientset) ComposeV1beta1() composev1beta1.ComposeV1beta1Interface {
+	if c == nil {
+		return nil
+	}
+	return c.ComposeV1beta1Client
+}
+
+// Discovery retrieves the DiscoveryClient
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	if c == nil {
+		return nil
+	}
+	return c.DiscoveryClient
+}
+
+// NewForConfig creates a new Clientset for the given config.
+func NewForConfig(c *rest.Config) (*Clientset, error) {
+	configShallowCopy := *c
+	if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
+		configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
+	}
+	var cs Clientset
+	var err error
+	cs.ComposeV1beta2Client, err = composev1beta2.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.ComposeV1beta1Client, err = composev1beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+
+	cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
+	if err != nil {
+		glog.Errorf("failed to create the DiscoveryClient: %v", err)
+		return nil, err
+	}
+	return &cs, nil
+}
+
+// NewForConfigOrDie creates a new Clientset for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *Clientset {
+	var cs Clientset
+	cs.ComposeV1beta2Client = composev1beta2.NewForConfigOrDie(c)
+	cs.ComposeV1beta1Client = composev1beta1.NewForConfigOrDie(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
+	return &cs
+}
+
+// New creates a new Clientset for the given RESTClient.
+func New(c rest.Interface) *Clientset {
+	var cs Clientset
+	cs.ComposeV1beta2Client = composev1beta2.New(c)
+	cs.ComposeV1beta1Client = composev1beta1.New(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
+	return &cs
+}
diff --git a/cli/kubernetes/client/clientset/scheme/register.go b/cli/kubernetes/client/clientset/scheme/register.go
new file mode 100644
index 00000000..ffd6e4f0
--- /dev/null
+++ b/cli/kubernetes/client/clientset/scheme/register.go
@@ -0,0 +1,41 @@
+package scheme
+
+import (
+	composev1beta1 "github.com/docker/cli/kubernetes/compose/v1beta1"
+	composev1beta2 "github.com/docker/cli/kubernetes/compose/v1beta2"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+// Variables required for registration
+var (
+	Scheme         = runtime.NewScheme()
+	Codecs         = serializer.NewCodecFactory(Scheme)
+	ParameterCodec = runtime.NewParameterCodec(Scheme)
+)
+
+func init() {
+	v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
+	AddToScheme(Scheme)
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//   import (
+//     "k8s.io/client-go/kubernetes"
+//     clientsetscheme "k8s.io/client-go/kuberentes/scheme"
+//     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//   )
+//
+//   kclientset, _ := kubernetes.NewForConfig(c)
+//   aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+func AddToScheme(scheme *runtime.Scheme) {
+	composev1beta2.AddToScheme(scheme)
+	composev1beta1.AddToScheme(scheme)
+}
diff --git a/cli/kubernetes/client/clientset/typed/compose/v1beta1/compose_client.go b/cli/kubernetes/client/clientset/typed/compose/v1beta1/compose_client.go
new file mode 100644
index 00000000..4039d4de
--- /dev/null
+++ b/cli/kubernetes/client/clientset/typed/compose/v1beta1/compose_client.go
@@ -0,0 +1,74 @@
+package v1beta1
+
+import (
+	"github.com/docker/cli/kubernetes/client/clientset/scheme"
+	"github.com/docker/cli/kubernetes/compose/v1beta1"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/rest"
+)
+
+// ComposeV1beta1Interface defines the methods a compose v1beta1 client has
+type ComposeV1beta1Interface interface {
+	RESTClient() rest.Interface
+	StacksGetter
+}
+
+// ComposeV1beta1Client is used to interact with features provided by the compose.docker.com group.
+type ComposeV1beta1Client struct {
+	restClient rest.Interface
+}
+
+// Stacks returns a stack client
+func (c *ComposeV1beta1Client) Stacks(namespace string) StackInterface {
+	return newStacks(c, namespace)
+}
+
+// NewForConfig creates a new ComposeV1beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*ComposeV1beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &ComposeV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new ComposeV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *ComposeV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new ComposeV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *ComposeV1beta1Client {
+	return &ComposeV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *ComposeV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/kubernetes/client/clientset/typed/compose/v1beta1/stack.go b/cli/kubernetes/client/clientset/typed/compose/v1beta1/stack.go
new file mode 100644
index 00000000..1fbe53f8
--- /dev/null
+++ b/cli/kubernetes/client/clientset/typed/compose/v1beta1/stack.go
@@ -0,0 +1,157 @@
+package v1beta1
+
+import (
+	"github.com/docker/cli/kubernetes/client/clientset/scheme"
+	"github.com/docker/cli/kubernetes/compose/v1beta1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/rest"
+)
+
+// StacksGetter has a method to return a StackInterface.
+// A group's client should implement this interface.
+type StacksGetter interface {
+	Stacks(namespace string) StackInterface
+}
+
+// StackInterface has methods to work with Stack resources.
+type StackInterface interface {
+	Create(*v1beta1.Stack) (*v1beta1.Stack, error)
+	Update(*v1beta1.Stack) (*v1beta1.Stack, error)
+	UpdateStatus(*v1beta1.Stack) (*v1beta1.Stack, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.Stack, error)
+	List(opts v1.ListOptions) (*v1beta1.StackList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (*v1beta1.Stack, error)
+}
+
+var _ StackInterface = &stacks{}
+
+// stacks implements StackInterface
+type stacks struct {
+	client rest.Interface
+	ns     string
+}
+
+// newStacks returns a Stacks
+func newStacks(c *ComposeV1beta1Client, namespace string) *stacks {
+	return &stacks{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Create takes the representation of a stack and creates it.  Returns the server's representation of the stack, and an error, if there is any.
+func (c *stacks) Create(stack *v1beta1.Stack) (*v1beta1.Stack, error) {
+	result := &v1beta1.Stack{}
+	err := c.client.Post().
+		Namespace(c.ns).
+		Resource("stacks").
+		Body(stack).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// Update takes the representation of a stack and updates it. Returns the server's representation of the stack, and an error, if there is any.
+func (c *stacks) Update(stack *v1beta1.Stack) (*v1beta1.Stack, error) {
+	result := &v1beta1.Stack{}
+	err := c.client.Put().
+		Namespace(c.ns).
+		Resource("stacks").
+		Name(stack.Name).
+		Body(stack).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclientstatus=false comment above the type to avoid generating UpdateStatus().
+
+func (c *stacks) UpdateStatus(stack *v1beta1.Stack) (*v1beta1.Stack, error) {
+	result := &v1beta1.Stack{}
+	err := c.client.Put().
+		Namespace(c.ns).
+		Resource("stacks").
+		Name(stack.Name).
+		SubResource("status").
+		Body(stack).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// Delete takes name of the stack and deletes it. Returns an error if one occurs.
+func (c *stacks) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("stacks").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *stacks) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("stacks").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Get takes name of the stack, and returns the corresponding stack object, and an error if there is any.
+func (c *stacks) Get(name string, options v1.GetOptions) (*v1beta1.Stack, error) {
+	result := &v1beta1.Stack{}
+	err := c.client.Get().
+		Namespace(c.ns).
+		Resource("stacks").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// List takes label and field selectors, and returns the list of Stacks that match those selectors.
+func (c *stacks) List(opts v1.ListOptions) (*v1beta1.StackList, error) {
+	result := &v1beta1.StackList{}
+	err := c.client.Get().
+		Namespace(c.ns).
+		Resource("stacks").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// Watch returns a watch.Interface that watches the requested stacks.
+func (c *stacks) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("stacks").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Patch applies the patch and returns the patched stack.
+func (c *stacks) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (*v1beta1.Stack, error) {
+	result := &v1beta1.Stack{}
+	err := c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("stacks").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return result, err
+}
diff --git a/cli/kubernetes/client/clientset/typed/compose/v1beta2/compose_client.go b/cli/kubernetes/client/clientset/typed/compose/v1beta2/compose_client.go
new file mode 100644
index 00000000..34bee389
--- /dev/null
+++ b/cli/kubernetes/client/clientset/typed/compose/v1beta2/compose_client.go
@@ -0,0 +1,74 @@
+package v1beta2
+
+import (
+	"github.com/docker/cli/kubernetes/client/clientset/scheme"
+	"github.com/docker/cli/kubernetes/compose/v1beta2"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/rest"
+)
+
+// ComposeV1beta2Interface defines the methods a compose v1beta2 client has
+type ComposeV1beta2Interface interface {
+	RESTClient() rest.Interface
+	StacksGetter
+}
+
+// ComposeV1beta2Client is used to interact with features provided by the compose.docker.com group.
+type ComposeV1beta2Client struct {
+	restClient rest.Interface
+}
+
+// Stacks returns a stack client
+func (c *ComposeV1beta2Client) Stacks(namespace string) StackInterface {
+	return newStacks(c, namespace)
+}
+
+// NewForConfig creates a new ComposeV1beta2Client for the given config.
+func NewForConfig(c *rest.Config) (*ComposeV1beta2Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &ComposeV1beta2Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new ComposeV1beta2Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *ComposeV1beta2Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new ComposeV1beta2Client for the given RESTClient.
+func New(c rest.Interface) *ComposeV1beta2Client {
+	return &ComposeV1beta2Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta2.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *ComposeV1beta2Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/kubernetes/client/clientset/typed/compose/v1beta2/stack.go b/cli/kubernetes/client/clientset/typed/compose/v1beta2/stack.go
new file mode 100644
index 00000000..6937b4bf
--- /dev/null
+++ b/cli/kubernetes/client/clientset/typed/compose/v1beta2/stack.go
@@ -0,0 +1,155 @@
+package v1beta2
+
+import (
+	"github.com/docker/cli/kubernetes/client/clientset/scheme"
+	"github.com/docker/cli/kubernetes/compose/v1beta2"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/rest"
+)
+
+// StacksGetter has a method to return a StackInterface.
+// A group's client should implement this interface.
+type StacksGetter interface {
+	Stacks(namespace string) StackInterface
+}
+
+// StackInterface has methods to work with Stack resources.
+type StackInterface interface {
+	Create(*v1beta2.Stack) (*v1beta2.Stack, error)
+	Update(*v1beta2.Stack) (*v1beta2.Stack, error)
+	UpdateStatus(*v1beta2.Stack) (*v1beta2.Stack, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta2.Stack, error)
+	List(opts v1.ListOptions) (*v1beta2.StackList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (*v1beta2.Stack, error)
+}
+
+// stacks implements StackInterface
+type stacks struct {
+	client rest.Interface
+	ns     string
+}
+
+// newStacks returns a Stacks
+func newStacks(c *ComposeV1beta2Client, namespace string) *stacks {
+	return &stacks{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Create takes the representation of a stack and creates it.  Returns the server's representation of the stack, and an error, if there is any.
+func (c *stacks) Create(stack *v1beta2.Stack) (*v1beta2.Stack, error) {
+	result := &v1beta2.Stack{}
+	err := c.client.Post().
+		Namespace(c.ns).
+		Resource("stacks").
+		Body(stack).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// Update takes the representation of a stack and updates it. Returns the server's representation of the stack, and an error, if there is any.
+func (c *stacks) Update(stack *v1beta2.Stack) (*v1beta2.Stack, error) {
+	result := &v1beta2.Stack{}
+	err := c.client.Put().
+		Namespace(c.ns).
+		Resource("stacks").
+		Name(stack.Name).
+		Body(stack).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclientstatus=false comment above the type to avoid generating UpdateStatus().
+
+func (c *stacks) UpdateStatus(stack *v1beta2.Stack) (*v1beta2.Stack, error) {
+	result := &v1beta2.Stack{}
+	err := c.client.Put().
+		Namespace(c.ns).
+		Resource("stacks").
+		Name(stack.Name).
+		SubResource("status").
+		Body(stack).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// Delete takes name of the stack and deletes it. Returns an error if one occurs.
+func (c *stacks) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("stacks").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *stacks) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("stacks").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Get takes name of the stack, and returns the corresponding stack object, and an error if there is any.
+func (c *stacks) Get(name string, options v1.GetOptions) (*v1beta2.Stack, error) {
+	result := &v1beta2.Stack{}
+	err := c.client.Get().
+		Namespace(c.ns).
+		Resource("stacks").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// List takes label and field selectors, and returns the list of Stacks that match those selectors.
+func (c *stacks) List(opts v1.ListOptions) (*v1beta2.StackList, error) {
+	result := &v1beta2.StackList{}
+	err := c.client.Get().
+		Namespace(c.ns).
+		Resource("stacks").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// Watch returns a watch.Interface that watches the requested stacks.
+func (c *stacks) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("stacks").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Patch applies the patch and returns the patched stack.
+func (c *stacks) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (*v1beta2.Stack, error) {
+	result := &v1beta2.Stack{}
+	err := c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("stacks").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return result, err
+}
diff --git a/cli/kubernetes/client/informers/compose/interface.go b/cli/kubernetes/client/informers/compose/interface.go
new file mode 100644
index 00000000..73928705
--- /dev/null
+++ b/cli/kubernetes/client/informers/compose/interface.go
@@ -0,0 +1,25 @@
+package compose
+
+import (
+	"github.com/docker/cli/kubernetes/client/informers/compose/v1beta2"
+	"github.com/docker/cli/kubernetes/client/informers/internalinterfaces"
+)
+
+// Interface provides access to each of this group's versions.
+type Interface interface {
+	V1beta2() v1beta2.Interface
+}
+
+type group struct {
+	internalinterfaces.SharedInformerFactory
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory) Interface {
+	return &group{f}
+}
+
+// V1beta2 returns a new v1beta2.Interface.
+func (g *group) V1beta2() v1beta2.Interface {
+	return v1beta2.New(g.SharedInformerFactory)
+}
diff --git a/cli/kubernetes/client/informers/compose/v1beta2/interface.go b/cli/kubernetes/client/informers/compose/v1beta2/interface.go
new file mode 100644
index 00000000..06ea1ac0
--- /dev/null
+++ b/cli/kubernetes/client/informers/compose/v1beta2/interface.go
@@ -0,0 +1,25 @@
+package v1beta2
+
+import (
+	"github.com/docker/cli/kubernetes/client/informers/internalinterfaces"
+)
+
+// Interface provides access to all the informers in this group version.
+type Interface interface {
+	// Stacks returns a StackInformer.
+	Stacks() StackInformer
+}
+
+type version struct {
+	internalinterfaces.SharedInformerFactory
+}
+
+// New returns a new Interface.
+func New(f internalinterfaces.SharedInformerFactory) Interface {
+	return &version{f}
+}
+
+// Stacks returns a StackInformer.
+func (v *version) Stacks() StackInformer {
+	return &stackInformer{factory: v.SharedInformerFactory}
+}
diff --git a/cli/kubernetes/client/informers/compose/v1beta2/stack.go b/cli/kubernetes/client/informers/compose/v1beta2/stack.go
new file mode 100644
index 00000000..487aeb97
--- /dev/null
+++ b/cli/kubernetes/client/informers/compose/v1beta2/stack.go
@@ -0,0 +1,51 @@
+package v1beta2
+
+import (
+	"time"
+
+	"github.com/docker/cli/kubernetes/client/clientset"
+	"github.com/docker/cli/kubernetes/client/informers/internalinterfaces"
+	"github.com/docker/cli/kubernetes/client/listers/compose/v1beta2"
+	compose_v1beta2 "github.com/docker/cli/kubernetes/compose/v1beta2"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/tools/cache"
+)
+
+// StackInformer provides access to a shared informer and lister for
+// Stacks.
+type StackInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1beta2.StackLister
+}
+
+type stackInformer struct {
+	factory internalinterfaces.SharedInformerFactory
+}
+
+func newStackInformer(client clientset.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	sharedIndexInformer := cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				return client.ComposeV1beta2().Stacks(v1.NamespaceAll).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				return client.ComposeV1beta2().Stacks(v1.NamespaceAll).Watch(options)
+			},
+		},
+		&compose_v1beta2.Stack{},
+		resyncPeriod,
+		cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc},
+	)
+
+	return sharedIndexInformer
+}
+
+func (f *stackInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&compose_v1beta2.Stack{}, newStackInformer)
+}
+
+func (f *stackInformer) Lister() v1beta2.StackLister {
+	return v1beta2.NewStackLister(f.Informer().GetIndexer())
+}
diff --git a/cli/kubernetes/client/informers/factory.go b/cli/kubernetes/client/informers/factory.go
new file mode 100644
index 00000000..9cba7013
--- /dev/null
+++ b/cli/kubernetes/client/informers/factory.go
@@ -0,0 +1,101 @@
+package informers
+
+import (
+	"reflect"
+	"sync"
+	"time"
+
+	"github.com/docker/cli/kubernetes/client/clientset"
+	"github.com/docker/cli/kubernetes/client/informers/compose"
+	"github.com/docker/cli/kubernetes/client/informers/internalinterfaces"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/tools/cache"
+)
+
+type sharedInformerFactory struct {
+	client        clientset.Interface
+	lock          sync.Mutex
+	defaultResync time.Duration
+
+	informers map[reflect.Type]cache.SharedIndexInformer
+	// startedInformers is used for tracking which informers have been started.
+	// This allows Start() to be called multiple times safely.
+	startedInformers map[reflect.Type]bool
+}
+
+// NewSharedInformerFactory constructs a new instance of sharedInformerFactory
+func NewSharedInformerFactory(client clientset.Interface, defaultResync time.Duration) SharedInformerFactory {
+	return &sharedInformerFactory{
+		client:           client,
+		defaultResync:    defaultResync,
+		informers:        make(map[reflect.Type]cache.SharedIndexInformer),
+		startedInformers: make(map[reflect.Type]bool),
+	}
+}
+
+// Start initializes all requested informers.
+func (f *sharedInformerFactory) Start(stopCh <-chan struct{}) {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	for informerType, informer := range f.informers {
+		if !f.startedInformers[informerType] {
+			go informer.Run(stopCh)
+			f.startedInformers[informerType] = true
+		}
+	}
+}
+
+// WaitForCacheSync waits for all started informers' cache were synced.
+func (f *sharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool {
+	informers := func() map[reflect.Type]cache.SharedIndexInformer {
+		f.lock.Lock()
+		defer f.lock.Unlock()
+
+		informers := map[reflect.Type]cache.SharedIndexInformer{}
+		for informerType, informer := range f.informers {
+			if f.startedInformers[informerType] {
+				informers[informerType] = informer
+			}
+		}
+		return informers
+	}()
+
+	res := map[reflect.Type]bool{}
+	for informType, informer := range informers {
+		res[informType] = cache.WaitForCacheSync(stopCh, informer.HasSynced)
+	}
+	return res
+}
+
+// InternalInformerFor returns the SharedIndexInformer for obj using an internal
+// client.
+func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	informerType := reflect.TypeOf(obj)
+	informer, exists := f.informers[informerType]
+	if exists {
+		return informer
+	}
+	informer = newFunc(f.client, f.defaultResync)
+	f.informers[informerType] = informer
+
+	return informer
+}
+
+// SharedInformerFactory provides shared informers for resources in all known
+// API group versions.
+type SharedInformerFactory interface {
+	internalinterfaces.SharedInformerFactory
+	ForResource(resource schema.GroupVersionResource) (GenericInformer, error)
+	WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
+
+	Compose() compose.Interface
+}
+
+func (f *sharedInformerFactory) Compose() compose.Interface {
+	return compose.New(f)
+}
diff --git a/cli/kubernetes/client/informers/generic.go b/cli/kubernetes/client/informers/generic.go
new file mode 100644
index 00000000..f3baa854
--- /dev/null
+++ b/cli/kubernetes/client/informers/generic.go
@@ -0,0 +1,44 @@
+package informers
+
+import (
+	"fmt"
+
+	"github.com/docker/cli/kubernetes/compose/v1beta2"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/tools/cache"
+)
+
+// GenericInformer is type of SharedIndexInformer which will locate and delegate to other
+// sharedInformers based on type
+type GenericInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() cache.GenericLister
+}
+
+type genericInformer struct {
+	informer cache.SharedIndexInformer
+	resource schema.GroupResource
+}
+
+// Informer returns the SharedIndexInformer.
+func (f *genericInformer) Informer() cache.SharedIndexInformer {
+	return f.informer
+}
+
+// Lister returns the GenericLister.
+func (f *genericInformer) Lister() cache.GenericLister {
+	return cache.NewGenericLister(f.Informer().GetIndexer(), f.resource)
+}
+
+// ForResource gives generic access to a shared informer of the matching type
+// TODO extend this to unknown resources with a client pool
+func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
+	switch resource {
+	// Group=Compose, Version=V1beta1
+	case v1beta2.SchemeGroupVersion.WithResource("stacks"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Compose().V1beta2().Stacks().Informer()}, nil
+
+	}
+
+	return nil, fmt.Errorf("no informer found for %v", resource)
+}
diff --git a/cli/kubernetes/client/informers/internalinterfaces/factory_interfaces.go b/cli/kubernetes/client/informers/internalinterfaces/factory_interfaces.go
new file mode 100644
index 00000000..079b8186
--- /dev/null
+++ b/cli/kubernetes/client/informers/internalinterfaces/factory_interfaces.go
@@ -0,0 +1,18 @@
+package internalinterfaces
+
+import (
+	"time"
+
+	"github.com/docker/cli/kubernetes/client/clientset"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/cache"
+)
+
+// NewInformerFunc defines a Informer constructor (from a clientset and a duration)
+type NewInformerFunc func(clientset.Interface, time.Duration) cache.SharedIndexInformer
+
+// SharedInformerFactory a small interface to allow for adding an informer without an import cycle
+type SharedInformerFactory interface {
+	Start(stopCh <-chan struct{})
+	InformerFor(obj runtime.Object, newFunc NewInformerFunc) cache.SharedIndexInformer
+}
diff --git a/cli/kubernetes/client/listers/compose/v1beta2/expansion_generated.go b/cli/kubernetes/client/listers/compose/v1beta2/expansion_generated.go
new file mode 100644
index 00000000..1d0f5529
--- /dev/null
+++ b/cli/kubernetes/client/listers/compose/v1beta2/expansion_generated.go
@@ -0,0 +1,9 @@
+package v1beta2
+
+// StackListerExpansion allows custom methods to be added to
+// StackLister.
+type StackListerExpansion interface{}
+
+// StackNamespaceListerExpansion allows custom methods to be added to
+// StackNamespaceLister.
+type StackNamespaceListerExpansion interface{}
diff --git a/cli/kubernetes/client/listers/compose/v1beta2/stack.go b/cli/kubernetes/client/listers/compose/v1beta2/stack.go
new file mode 100644
index 00000000..c4bb2989
--- /dev/null
+++ b/cli/kubernetes/client/listers/compose/v1beta2/stack.go
@@ -0,0 +1,78 @@
+package v1beta2
+
+import (
+	"github.com/docker/cli/kubernetes/compose/v1beta2"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// StackLister helps list Stacks.
+type StackLister interface {
+	// List lists all Stacks in the indexer.
+	List(selector labels.Selector) ([]*v1beta2.Stack, error)
+	// Stacks returns an object that can list and get Stacks.
+	Stacks(namespace string) StackNamespaceLister
+	StackListerExpansion
+}
+
+// stackLister implements the StackLister interface.
+type stackLister struct {
+	indexer cache.Indexer
+}
+
+// NewStackLister returns a new StackLister.
+func NewStackLister(indexer cache.Indexer) StackLister {
+	return &stackLister{indexer: indexer}
+}
+
+// List lists all Stacks in the indexer.
+func (s *stackLister) List(selector labels.Selector) ([]*v1beta2.Stack, error) {
+	stacks := []*v1beta2.Stack{}
+	err := cache.ListAll(s.indexer, selector, func(m interface{}) {
+		stacks = append(stacks, m.(*v1beta2.Stack))
+	})
+	return stacks, err
+}
+
+// Stacks returns an object that can list and get Stacks.
+func (s *stackLister) Stacks(namespace string) StackNamespaceLister {
+	return stackNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// StackNamespaceLister helps list and get Stacks.
+type StackNamespaceLister interface {
+	// List lists all Stacks in the indexer for a given namespace.
+	List(selector labels.Selector) ([]*v1beta2.Stack, error)
+	// Get retrieves the Stack from the indexer for a given namespace and name.
+	Get(name string) (*v1beta2.Stack, error)
+	StackNamespaceListerExpansion
+}
+
+// stackNamespaceLister implements the StackNamespaceLister
+// interface.
+type stackNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all Stacks in the indexer for a given namespace.
+func (s stackNamespaceLister) List(selector labels.Selector) ([]*v1beta2.Stack, error) {
+	stacks := []*v1beta2.Stack{}
+	err := cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		stacks = append(stacks, m.(*v1beta2.Stack))
+	})
+	return stacks, err
+}
+
+// Get retrieves the Stack from the indexer for a given namespace and name.
+func (s stackNamespaceLister) Get(name string) (*v1beta2.Stack, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1beta2.GroupResource("stack"), name)
+	}
+	return obj.(*v1beta2.Stack), nil
+}
diff --git a/cli/kubernetes/compose/clone/maps.go b/cli/kubernetes/compose/clone/maps.go
new file mode 100644
index 00000000..fc892ddc
--- /dev/null
+++ b/cli/kubernetes/compose/clone/maps.go
@@ -0,0 +1,25 @@
+package clone
+
+// MapOfStringToSliceOfString deep copy a map[string][]string
+func MapOfStringToSliceOfString(source map[string][]string) map[string][]string {
+	if source == nil {
+		return nil
+	}
+	res := make(map[string][]string, len(source))
+	for k, v := range source {
+		res[k] = SliceOfString(v)
+	}
+	return res
+}
+
+// MapOfStringToInt deep copy a map[string]int
+func MapOfStringToInt(source map[string]int) map[string]int {
+	if source == nil {
+		return nil
+	}
+	res := make(map[string]int, len(source))
+	for k, v := range source {
+		res[k] = v
+	}
+	return res
+}
diff --git a/cli/kubernetes/compose/clone/slices.go b/cli/kubernetes/compose/clone/slices.go
new file mode 100644
index 00000000..cdfa8ba1
--- /dev/null
+++ b/cli/kubernetes/compose/clone/slices.go
@@ -0,0 +1,11 @@
+package clone
+
+// SliceOfString deep copy a slice of strings
+func SliceOfString(source []string) []string {
+	if source == nil {
+		return nil
+	}
+	res := make([]string, len(source))
+	copy(res, source)
+	return res
+}
diff --git a/cli/kubernetes/compose/doc.go b/cli/kubernetes/compose/doc.go
new file mode 100644
index 00000000..e434a253
--- /dev/null
+++ b/cli/kubernetes/compose/doc.go
@@ -0,0 +1,5 @@
+// +k8s:deepcopy-gen=package,register
+// +groupName=compose.docker.com
+
+// Package compose is the internal version of the API.
+package compose
diff --git a/cli/kubernetes/compose/impersonation/impersonationconfig.go b/cli/kubernetes/compose/impersonation/impersonationconfig.go
new file mode 100644
index 00000000..06514b60
--- /dev/null
+++ b/cli/kubernetes/compose/impersonation/impersonationconfig.go
@@ -0,0 +1,26 @@
+package impersonation
+
+import "github.com/docker/cli/kubernetes/compose/clone"
+
+// Config contains the data required to impersonate a user.
+type Config struct {
+	// UserName is the username to impersonate on each request.
+	UserName string
+	// Groups are the groups to impersonate on each request.
+	Groups []string
+	// Extra is a free-form field which can be used to link some authentication information
+	// to authorization information.  This field allows you to impersonate it.
+	Extra map[string][]string
+}
+
+// Clone clones the impersonation config
+func (ic *Config) Clone() *Config {
+	if ic == nil {
+		return nil
+	}
+	result := new(Config)
+	result.UserName = ic.UserName
+	result.Groups = clone.SliceOfString(ic.Groups)
+	result.Extra = clone.MapOfStringToSliceOfString(ic.Extra)
+	return result
+}
diff --git a/cli/kubernetes/compose/v1beta1/doc.go b/cli/kubernetes/compose/v1beta1/doc.go
new file mode 100644
index 00000000..c5f5dcbb
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta1/doc.go
@@ -0,0 +1,11 @@
+// Api versions allow the api contract for a resource to be changed while keeping
+// backward compatibility by support multiple concurrent versions
+// of the same resource
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package,register
+// +k8s:defaulter-gen=TypeMeta
+// +groupName=compose.docker.com
+
+// Package v1beta1 is the first version of the Stack spec, containing only a compose file
+package v1beta1 // import "github.com/docker/cli/kubernetes/compose/v1beta1"
diff --git a/cli/kubernetes/compose/v1beta1/owner.go b/cli/kubernetes/compose/v1beta1/owner.go
new file mode 100644
index 00000000..1e598233
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta1/owner.go
@@ -0,0 +1,31 @@
+package v1beta1
+
+import (
+	"github.com/docker/cli/kubernetes/compose/impersonation"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// Owner defines the owner of a stack. It is used to impersonate the controller calls
+// to kubernetes api.
+type Owner struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Owner             impersonation.Config `json:"owner,omitempty"`
+}
+
+func (o *Owner) clone() *Owner {
+	if o == nil {
+		return nil
+	}
+	result := new(Owner)
+	result.TypeMeta = o.TypeMeta
+	result.ObjectMeta = o.ObjectMeta
+	result.Owner = *result.Owner.Clone()
+	return result
+}
+
+// DeepCopyObject clones the owner
+func (o *Owner) DeepCopyObject() runtime.Object {
+	return o.clone()
+}
diff --git a/cli/kubernetes/compose/v1beta1/parsing.go b/cli/kubernetes/compose/v1beta1/parsing.go
new file mode 100644
index 00000000..634a8428
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta1/parsing.go
@@ -0,0 +1,4 @@
+package v1beta1
+
+// MaxComposeVersion is the most recent version of compose file Schema supported in v1beta1
+const MaxComposeVersion = "3.5"
diff --git a/cli/kubernetes/compose/v1beta1/register.go b/cli/kubernetes/compose/v1beta1/register.go
new file mode 100644
index 00000000..3b418230
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta1/register.go
@@ -0,0 +1,39 @@
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name used to register these objects
+const GroupName = "compose.docker.com"
+
+// Alias variables for the registration
+var (
+	// SchemeGroupVersion is group version used to register these objects
+	SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Stack{},
+		&StackList{},
+		&Owner{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/cli/kubernetes/compose/v1beta1/stack.go b/cli/kubernetes/compose/v1beta1/stack.go
new file mode 100644
index 00000000..83ad9f08
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta1/stack.go
@@ -0,0 +1,87 @@
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// StackList defines a list of stacks
+type StackList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Items []Stack `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// DeepCopyObject clones the stack list
+func (s *StackList) DeepCopyObject() runtime.Object {
+	if s == nil {
+		return nil
+	}
+	result := new(StackList)
+	result.TypeMeta = s.TypeMeta
+	result.ListMeta = s.ListMeta
+	if s.Items == nil {
+		return result
+	}
+	result.Items = make([]Stack, len(s.Items))
+	for ix, s := range s.Items {
+		result.Items[ix] = *s.clone()
+	}
+	return result
+}
+
+// Stack defines a stack object to be register in the kubernetes API
+type Stack struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   StackSpec   `json:"spec,omitempty"`
+	Status StackStatus `json:"status,omitempty"`
+}
+
+// StackSpec defines the desired state of Stack
+type StackSpec struct {
+	ComposeFile string `json:"composeFile,omitempty"`
+}
+
+// StackPhase defines the status phase in which the stack is.
+type StackPhase string
+
+// These are valid conditions of a stack.
+const (
+	// StackAvailable means the stack is available.
+	StackAvailable StackPhase = "Available"
+	// StackProgressing means the deployment is progressing.
+	StackProgressing StackPhase = "Progressing"
+	// StackFailure is added in a stack when one of its members fails to be created
+	// or deleted.
+	StackFailure StackPhase = "Failure"
+)
+
+// StackStatus defines the observed state of Stack
+type StackStatus struct {
+	// Current condition of the stack.
+	Phase StackPhase `json:"phase,omitempty" protobuf:"bytes,1,opt,name=phase,casttype=StackPhase"`
+	// A human readable message indicating details about the stack.
+	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+}
+
+func (s *Stack) clone() *Stack {
+	if s == nil {
+		return nil
+	}
+	// in v1beta1, Stack has no pointer, slice or map. Plain old struct copy is ok
+	result := *s
+	return &result
+}
+
+// Clone implements the Cloner interface for kubernetes
+func (s *Stack) Clone() *Stack {
+	return s.clone()
+}
+
+// DeepCopyObject clones the stack
+func (s *Stack) DeepCopyObject() runtime.Object {
+	return s.clone()
+}
diff --git a/cli/kubernetes/compose/v1beta1/stack_test.go b/cli/kubernetes/compose/v1beta1/stack_test.go
new file mode 100644
index 00000000..d540e894
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta1/stack_test.go
@@ -0,0 +1 @@
+package v1beta1
diff --git a/cli/kubernetes/compose/v1beta2/composefile_stack_types.go b/cli/kubernetes/compose/v1beta2/composefile_stack_types.go
new file mode 100644
index 00000000..1a1c2cb2
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta2/composefile_stack_types.go
@@ -0,0 +1,26 @@
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// ComposeFile is the content of a stack's compose file if any
+type ComposeFile struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	ComposeFile       string `json:"composeFile,omitempty"`
+}
+
+func (c *ComposeFile) clone() *ComposeFile {
+	if c == nil {
+		return nil
+	}
+	res := *c
+	return &res
+}
+
+// DeepCopyObject clones the ComposeFile
+func (c *ComposeFile) DeepCopyObject() runtime.Object {
+	return c.clone()
+}
diff --git a/cli/kubernetes/compose/v1beta2/doc.go b/cli/kubernetes/compose/v1beta2/doc.go
new file mode 100644
index 00000000..edfe46da
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta2/doc.go
@@ -0,0 +1,6 @@
+// Api versions allow the api contract for a resource to be changed while keeping
+// backward compatibility by support multiple concurrent versions
+// of the same resource
+
+// Package v1beta2 is the second version of the stack, containing a structured spec
+package v1beta2 // import "github.com/docker/cli/kubernetes/compose/v1beta2"
diff --git a/cli/kubernetes/compose/v1beta2/owner.go b/cli/kubernetes/compose/v1beta2/owner.go
new file mode 100644
index 00000000..5dfc8652
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta2/owner.go
@@ -0,0 +1,30 @@
+package v1beta2
+
+import (
+	"github.com/docker/cli/kubernetes/compose/impersonation"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// Owner describes the user who created the stack
+type Owner struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Owner             impersonation.Config `json:"owner,omitempty"`
+}
+
+func (o *Owner) clone() *Owner {
+	if o == nil {
+		return nil
+	}
+	result := new(Owner)
+	result.TypeMeta = o.TypeMeta
+	result.ObjectMeta = o.ObjectMeta
+	result.Owner = *result.Owner.Clone()
+	return result
+}
+
+// DeepCopyObject clones the owner
+func (o *Owner) DeepCopyObject() runtime.Object {
+	return o.clone()
+}
diff --git a/cli/kubernetes/compose/v1beta2/register.go b/cli/kubernetes/compose/v1beta2/register.go
new file mode 100644
index 00000000..23555093
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta2/register.go
@@ -0,0 +1,42 @@
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the name of the compose group
+const GroupName = "compose.docker.com"
+
+var (
+	// SchemeGroupVersion is group version used to register these objects
+	SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta2"}
+	// SchemeBuilder is the scheme builder
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	// AddToScheme adds to scheme
+	AddToScheme = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Stack{},
+		&StackList{},
+		&Owner{},
+		&ComposeFile{},
+		&Scale{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
+
+// GroupResource takes an unqualified resource and returns a Group qualified GroupResource
+func GroupResource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
diff --git a/cli/kubernetes/compose/v1beta2/scale.go b/cli/kubernetes/compose/v1beta2/scale.go
new file mode 100644
index 00000000..13ec54b8
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta2/scale.go
@@ -0,0 +1,29 @@
+package v1beta2
+
+import (
+	"github.com/docker/cli/kubernetes/compose/clone"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// Scale contains the current/desired replica count for services in a stack.
+type Scale struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              map[string]int `json:"spec,omitempty"`
+	Status            map[string]int `json:"status,omitempty"`
+}
+
+func (s *Scale) clone() *Scale {
+	return &Scale{
+		TypeMeta:   s.TypeMeta,
+		ObjectMeta: s.ObjectMeta,
+		Spec:       clone.MapOfStringToInt(s.Spec),
+		Status:     clone.MapOfStringToInt(s.Status),
+	}
+}
+
+// DeepCopyObject clones the scale
+func (s *Scale) DeepCopyObject() runtime.Object {
+	return s.clone()
+}
diff --git a/cli/kubernetes/compose/v1beta2/stack.go b/cli/kubernetes/compose/v1beta2/stack.go
new file mode 100644
index 00000000..6c90cdf1
--- /dev/null
+++ b/cli/kubernetes/compose/v1beta2/stack.go
@@ -0,0 +1,256 @@
+package v1beta2
+
+import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// StackList is a list of stacks
+type StackList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Items []Stack `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// Stack is v1beta2's representation of a Stack
+type Stack struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   *StackSpec   `json:"spec,omitempty"`
+	Status *StackStatus `json:"status,omitempty"`
+}
+
+// DeepCopyObject clones the stack
+func (s *Stack) DeepCopyObject() runtime.Object {
+	return s.clone()
+}
+
+// DeepCopyObject clones the stack list
+func (s *StackList) DeepCopyObject() runtime.Object {
+	if s == nil {
+		return nil
+	}
+	result := new(StackList)
+	result.TypeMeta = s.TypeMeta
+	result.ListMeta = s.ListMeta
+	if s.Items == nil {
+		return result
+	}
+	result.Items = make([]Stack, len(s.Items))
+	for ix, s := range s.Items {
+		result.Items[ix] = *s.clone()
+	}
+	return result
+}
+
+func (s *Stack) clone() *Stack {
+	if s == nil {
+		return nil
+	}
+	result := new(Stack)
+	result.TypeMeta = s.TypeMeta
+	result.ObjectMeta = s.ObjectMeta
+	result.Spec = s.Spec.clone()
+	result.Status = s.Status.clone()
+	return result
+}
+
+// StackSpec defines the desired state of Stack
+type StackSpec struct {
+	Services []ServiceConfig            `json:"services,omitempty"`
+	Secrets  map[string]SecretConfig    `json:"secrets,omitempty"`
+	Configs  map[string]ConfigObjConfig `json:"configs,omitempty"`
+}
+
+// ServiceConfig is the configuration of one service
+type ServiceConfig struct {
+	Name string `json:"name,omitempty"`
+
+	CapAdd          []string                 `json:"cap_add,omitempty"`
+	CapDrop         []string                 `json:"cap_drop,omitempty"`
+	Command         []string                 `json:"command,omitempty"`
+	Configs         []ServiceConfigObjConfig `json:"configs,omitempty"`
+	Deploy          DeployConfig             `json:"deploy,omitempty"`
+	Entrypoint      []string                 `json:"entrypoint,omitempty"`
+	Environment     map[string]*string       `json:"environment,omitempty"`
+	ExtraHosts      []string                 `json:"extra_hosts,omitempty"`
+	Hostname        string                   `json:"hostname,omitempty"`
+	HealthCheck     *HealthCheckConfig       `json:"health_check,omitempty"`
+	Image           string                   `json:"image,omitempty"`
+	Ipc             string                   `json:"ipc,omitempty"`
+	Labels          map[string]string        `json:"labels,omitempty"`
+	Pid             string                   `json:"pid,omitempty"`
+	Ports           []ServicePortConfig      `json:"ports,omitempty"`
+	Privileged      bool                     `json:"privileged,omitempty"`
+	ReadOnly        bool                     `json:"read_only,omitempty"`
+	Secrets         []ServiceSecretConfig    `json:"secrets,omitempty"`
+	StdinOpen       bool                     `json:"stdin_open,omitempty"`
+	StopGracePeriod *time.Duration           `json:"stop_grace_period,omitempty"`
+	Tmpfs           []string                 `json:"tmpfs,omitempty"`
+	Tty             bool                     `json:"tty,omitempty"`
+	User            *int64                   `json:"user,omitempty"`
+	Volumes         []ServiceVolumeConfig    `json:"volumes,omitempty"`
+	WorkingDir      string                   `json:"working_dir,omitempty"`
+}
+
+// ServicePortConfig is the port configuration for a service
+type ServicePortConfig struct {
+	Mode      string `json:"mode,omitempty"`
+	Target    uint32 `json:"target,omitempty"`
+	Published uint32 `json:"published,omitempty"`
+	Protocol  string `json:"protocol,omitempty"`
+}
+
+// FileObjectConfig is a config type for a file used by a service
+type FileObjectConfig struct {
+	Name     string            `json:"name,omitempty"`
+	File     string            `json:"file,omitempty"`
+	External External          `json:"external,omitempty"`
+	Labels   map[string]string `json:"labels,omitempty"`
+}
+
+// SecretConfig for a secret
+type SecretConfig FileObjectConfig
+
+// ConfigObjConfig is the config for the swarm "Config" object
+type ConfigObjConfig FileObjectConfig
+
+// External identifies a Volume or Network as a reference to a resource that is
+// not managed, and should already exist.
+// External.name is deprecated and replaced by Volume.name
+type External struct {
+	Name     string `json:"name,omitempty"`
+	External bool   `json:"external,omitempty"`
+}
+
+// FileReferenceConfig for a reference to a swarm file object
+type FileReferenceConfig struct {
+	Source string  `json:"source,omitempty"`
+	Target string  `json:"target,omitempty"`
+	UID    string  `json:"uid,omitempty"`
+	GID    string  `json:"gid,omitempty"`
+	Mode   *uint32 `json:"mode,omitempty"`
+}
+
+// ServiceConfigObjConfig is the config obj configuration for a service
+type ServiceConfigObjConfig FileReferenceConfig
+
+// ServiceSecretConfig is the secret configuration for a service
+type ServiceSecretConfig FileReferenceConfig
+
+// DeployConfig is the deployment configuration for a service
+type DeployConfig struct {
+	Mode          string            `json:"mode,omitempty"`
+	Replicas      *uint64           `json:"replicas,omitempty"`
+	Labels        map[string]string `json:"labels,omitempty"`
+	UpdateConfig  *UpdateConfig     `json:"update_config,omitempty"`
+	Resources     Resources         `json:"resources,omitempty"`
+	RestartPolicy *RestartPolicy    `json:"restart_policy,omitempty"`
+	Placement     Placement         `json:"placement,omitempty"`
+}
+
+// UpdateConfig is the service update configuration
+type UpdateConfig struct {
+	Parallelism *uint64 `json:"paralellism,omitempty"`
+}
+
+// Resources the resource limits and reservations
+type Resources struct {
+	Limits       *Resource `json:"limits,omitempty"`
+	Reservations *Resource `json:"reservations,omitempty"`
+}
+
+// Resource is a resource to be limited or reserved
+type Resource struct {
+	NanoCPUs    string `json:"cpus,omitempty"`
+	MemoryBytes int64  `json:"memory,omitempty"`
+}
+
+// RestartPolicy is the service restart policy
+type RestartPolicy struct {
+	Condition string `json:"condition,omitempty"`
+}
+
+// Placement constraints for the service
+type Placement struct {
+	Constraints *Constraints `json:"constraints,omitempty"`
+}
+
+// Constraints lists constraints that can be set on the service
+type Constraints struct {
+	OperatingSystem *Constraint
+	Architecture    *Constraint
+	Hostname        *Constraint
+	MatchLabels     map[string]Constraint
+}
+
+// Constraint defines a constraint and it's operator (== or !=)
+type Constraint struct {
+	Value    string
+	Operator string
+}
+
+// HealthCheckConfig the healthcheck configuration for a service
+type HealthCheckConfig struct {
+	Test     []string       `json:"test,omitempty"`
+	Timeout  *time.Duration `json:"timeout,omitempty"`
+	Interval *time.Duration `json:"interval,omitempty"`
+	Retries  *uint64        `json:"retries,omitempty"`
+}
+
+// ServiceVolumeConfig are references to a volume used by a service
+type ServiceVolumeConfig struct {
+	Type     string `json:"type,omitempty"`
+	Source   string `json:"source,omitempty"`
+	Target   string `json:"target,omitempty"`
+	ReadOnly bool   `json:"read_only,omitempty"`
+}
+
+func (s *StackSpec) clone() *StackSpec {
+	if s == nil {
+		return nil
+	}
+	result := *s
+	return &result
+}
+
+// StackPhase is the deployment phase of a stack
+type StackPhase string
+
+// These are valid conditions of a stack.
+const (
+	// StackAvailable means the stack is available.
+	StackAvailable StackPhase = "Available"
+	// StackProgressing means the deployment is progressing.
+	StackProgressing StackPhase = "Progressing"
+	// StackFailure is added in a stack when one of its members fails to be created
+	// or deleted.
+	StackFailure StackPhase = "Failure"
+)
+
+// StackStatus defines the observed state of Stack
+type StackStatus struct {
+	// Current condition of the stack.
+	// +optional
+	Phase StackPhase `json:"phase,omitempty" protobuf:"bytes,1,opt,name=phase,casttype=StackPhase"`
+	// A human readable message indicating details about the stack.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+}
+
+func (s *StackStatus) clone() *StackStatus {
+	if s == nil {
+		return nil
+	}
+	result := *s
+	return &result
+}
+
+// Clone clones a Stack
+func (s *Stack) Clone() *Stack {
+	return s.clone()
+}
diff --git a/cli/kubernetes/config.go b/cli/kubernetes/config.go
new file mode 100644
index 00000000..287a6a6b
--- /dev/null
+++ b/cli/kubernetes/config.go
@@ -0,0 +1,26 @@
+package kubernetes
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/pkg/homedir"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// NewKubernetesConfig resolves the path to the desired Kubernetes configuration file based on
+// the KUBECONFIG environment variable and command line flags.
+func NewKubernetesConfig(configPath string) clientcmd.ClientConfig {
+	kubeConfig := configPath
+	if kubeConfig == "" {
+		if config := os.Getenv("KUBECONFIG"); config != "" {
+			kubeConfig = config
+		} else {
+			kubeConfig = filepath.Join(homedir.Get(), ".kube/config")
+		}
+	}
+
+	return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+		&clientcmd.ClientConfigLoadingRules{ExplicitPath: kubeConfig},
+		&clientcmd.ConfigOverrides{})
+}
diff --git a/cli/kubernetes/doc.go b/cli/kubernetes/doc.go
new file mode 100644
index 00000000..b50d402e
--- /dev/null
+++ b/cli/kubernetes/doc.go
@@ -0,0 +1,4 @@
+//
+// +domain=docker.com
+
+package kubernetes
diff --git a/cli/kubernetes/labels/labels.go b/cli/kubernetes/labels/labels.go
new file mode 100644
index 00000000..5709af03
--- /dev/null
+++ b/cli/kubernetes/labels/labels.go
@@ -0,0 +1,45 @@
+package labels
+
+import (
+	"fmt"
+	"strings"
+)
+
+const (
+	// ForServiceName is the label for the service name.
+	ForServiceName = "com.docker.service.name"
+	// ForStackName is the label for the stack name.
+	ForStackName = "com.docker.stack.namespace"
+	// ForServiceID is the label for the service id.
+	ForServiceID = "com.docker.service.id"
+)
+
+// ForService gives the labels to select a given service in a stack.
+func ForService(stackName, serviceName string) map[string]string {
+	labels := map[string]string{}
+
+	if serviceName != "" {
+		labels[ForServiceName] = serviceName
+	}
+	if stackName != "" {
+		labels[ForStackName] = stackName
+	}
+	if serviceName != "" && stackName != "" {
+		labels[ForServiceID] = stackName + "-" + serviceName
+	}
+
+	return labels
+}
+
+// SelectorForStack gives the labelSelector to use for a given stack.
+// Specific service names can be passed to narrow down the selection.
+func SelectorForStack(stackName string, serviceNames ...string) string {
+	switch len(serviceNames) {
+	case 0:
+		return fmt.Sprintf("%s=%s", ForStackName, stackName)
+	case 1:
+		return fmt.Sprintf("%s=%s,%s=%s", ForStackName, stackName, ForServiceName, serviceNames[0])
+	default:
+		return fmt.Sprintf("%s=%s,%s in (%s)", ForStackName, stackName, ForServiceName, strings.Join(serviceNames, ","))
+	}
+}
diff --git a/cli/kubernetes/labels/labels_test.go b/cli/kubernetes/labels/labels_test.go
new file mode 100644
index 00000000..7815b73d
--- /dev/null
+++ b/cli/kubernetes/labels/labels_test.go
@@ -0,0 +1,23 @@
+package labels
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestForService(t *testing.T) {
+	labels := ForService("stack", "service")
+
+	assert.Check(t, is.Len(labels, 3))
+	assert.Check(t, is.Equal("stack", labels["com.docker.stack.namespace"]))
+	assert.Check(t, is.Equal("service", labels["com.docker.service.name"]))
+	assert.Check(t, is.Equal("stack-service", labels["com.docker.service.id"]))
+}
+
+func TestSelectorForStack(t *testing.T) {
+	assert.Check(t, is.Equal("com.docker.stack.namespace=demostack", SelectorForStack("demostack")))
+	assert.Check(t, is.Equal("com.docker.stack.namespace=stack,com.docker.service.name=service", SelectorForStack("stack", "service")))
+	assert.Check(t, is.Equal("com.docker.stack.namespace=stack,com.docker.service.name in (service1,service2)", SelectorForStack("stack", "service1", "service2")))
+}
diff --git a/cli/man/Dockerfile.5.md b/cli/man/Dockerfile.5.md
new file mode 100644
index 00000000..5191b193
--- /dev/null
+++ b/cli/man/Dockerfile.5.md
@@ -0,0 +1,474 @@
+% DOCKERFILE(5) Docker User Manuals
+% Zac Dover
+% May 2014
+# NAME
+
+Dockerfile - automate the steps of creating a Docker image
+
+# INTRODUCTION
+
+The **Dockerfile** is a configuration file that automates the steps of creating
+a Docker image. It is similar to a Makefile. Docker reads instructions from the
+**Dockerfile** to automate the steps otherwise performed manually to create an
+image. To build an image, create a file called **Dockerfile**.
+
+The **Dockerfile** describes the steps taken to assemble the image. When the
+**Dockerfile** has been created, call the `docker build` command, using the
+path of directory that contains **Dockerfile** as the argument.
+
+# SYNOPSIS
+
+INSTRUCTION arguments
+
+For example:
+
+  FROM image
+
+# DESCRIPTION
+
+A Dockerfile is a file that automates the steps of creating a Docker image.
+A Dockerfile is similar to a Makefile.
+
+# USAGE
+
+  docker build .
+
+  -- Runs the steps and commits them, building a final image.
+  The path to the source repository defines where to find the context of the
+  build. The build is run by the Docker daemon, not the CLI. The whole
+  context must be transferred to the daemon. The Docker CLI reports
+  `"Sending build context to Docker daemon"` when the context is sent to the
+  daemon.
+
+  ```
+  docker build -t repository/tag .
+  ```
+
+  -- specifies a repository and tag at which to save the new image if the build
+  succeeds. The Docker daemon runs the steps one-by-one, committing the result
+  to a new image if necessary, before finally outputting the ID of the new
+  image. The Docker daemon automatically cleans up the context it is given.
+
+  Docker re-uses intermediate images whenever possible. This significantly
+  accelerates the *docker build* process.
+
+# FORMAT
+
+  `FROM image`
+
+  `FROM image:tag`
+
+  `FROM image@digest`
+
+  -- The **FROM** instruction sets the base image for subsequent instructions. A
+  valid Dockerfile must have **FROM** as its first instruction. The image can be any
+  valid image. It is easy to start by pulling an image from the public
+  repositories.
+
+  -- **FROM** must be the first non-comment instruction in Dockerfile.
+
+  -- **FROM** may appear multiple times within a single Dockerfile in order to create
+  multiple images. Make a note of the last image ID output by the commit before
+  each new **FROM** command.
+
+  -- If no tag is given to the **FROM** instruction, Docker applies the
+  `latest` tag. If the used tag does not exist, an error is returned.
+
+  -- If no digest is given to the **FROM** instruction, Docker applies the
+  `latest` tag. If the used tag does not exist, an error is returned.
+
+**MAINTAINER**
+  -- **MAINTAINER** sets the Author field for the generated images.
+  Useful for providing users with an email or url for support.
+
+**RUN**
+  -- **RUN** has two forms:
+
+  ```
+  # the command is run in a shell - /bin/sh -c
+  RUN <command>
+
+  # Executable form
+  RUN ["executable", "param1", "param2"]
+  ```
+
+
+  -- The **RUN** instruction executes any commands in a new layer on top of the current
+  image and commits the results. The committed image is used for the next step in
+  Dockerfile.
+
+  -- Layering **RUN** instructions and generating commits conforms to the core
+  concepts of Docker where commits are cheap and containers can be created from
+  any point in the history of an image. This is similar to source control.  The
+  exec form makes it possible to avoid shell string munging. The exec form makes
+  it possible to **RUN** commands using a base image that does not contain `/bin/sh`.
+
+  Note that the exec form is parsed as a JSON array, which means that you must
+  use double-quotes (") around words not single-quotes (').
+
+**CMD**
+  -- **CMD** has three forms:
+
+  ```
+  # Executable form
+  CMD ["executable", "param1", "param2"]`
+
+  # Provide default arguments to ENTRYPOINT
+  CMD ["param1", "param2"]`
+
+  # the command is run in a shell - /bin/sh -c
+  CMD command param1 param2
+  ```
+
+  -- There should be only one **CMD** in a Dockerfile. If more than one **CMD** is listed, only
+  the last **CMD** takes effect.
+  The main purpose of a **CMD** is to provide defaults for an executing container.
+  These defaults may include an executable, or they can omit the executable. If
+  they omit the executable, an **ENTRYPOINT** must be specified.
+  When used in the shell or exec formats, the **CMD** instruction sets the command to
+  be executed when running the image.
+  If you use the shell form of the **CMD**, the `<command>` executes in `/bin/sh -c`:
+
+  Note that the exec form is parsed as a JSON array, which means that you must
+  use double-quotes (") around words not single-quotes (').
+
+  ```
+  FROM ubuntu
+  CMD echo "This is a test." | wc -
+  ```
+
+  -- If you run **command** without a shell, then you must express the command as a
+  JSON array and give the full path to the executable. This array form is the
+  preferred form of **CMD**. All additional parameters must be individually expressed
+  as strings in the array:
+
+  ```
+  FROM ubuntu
+  CMD ["/usr/bin/wc","--help"]
+  ```
+
+  -- To make the container run the same executable every time, use **ENTRYPOINT** in
+  combination with **CMD**.
+  If the user specifies arguments to `docker run`, the specified commands
+  override the default in **CMD**.
+  Do not confuse **RUN** with **CMD**. **RUN** runs a command and commits the result.
+  **CMD** executes nothing at build time, but specifies the intended command for
+  the image.
+
+**LABEL**
+  -- `LABEL <key>=<value> [<key>=<value> ...]`or
+  ```
+  LABEL <key>[ <value>]
+  LABEL <key>[ <value>]
+  ...
+  ```
+  The **LABEL** instruction adds metadata to an image. A **LABEL** is a
+  key-value pair. To specify a **LABEL** without a value, simply use an empty
+  string. To include spaces within a **LABEL** value, use quotes and
+  backslashes as you would in command-line parsing.
+
+  ```
+  LABEL com.example.vendor="ACME Incorporated"
+  LABEL com.example.vendor "ACME Incorporated"
+  LABEL com.example.vendor.is-beta ""
+  LABEL com.example.vendor.is-beta=
+  LABEL com.example.vendor.is-beta=""
+  ```
+
+  An image can have more than one label. To specify multiple labels, separate
+  each key-value pair by a space.
+
+  Labels are additive including `LABEL`s in `FROM` images. As the system
+  encounters and then applies a new label, new `key`s override any previous
+  labels with identical keys.
+
+  To display an image's labels, use the `docker inspect` command.
+
+**EXPOSE**
+  -- `EXPOSE <port> [<port>...]`
+  The **EXPOSE** instruction informs Docker that the container listens on the
+  specified network ports at runtime. Docker uses this information to
+  interconnect containers using links and to set up port redirection on the host
+  system.
+
+**ENV**
+  -- `ENV <key> <value>`
+  The **ENV** instruction sets the environment variable <key> to
+  the value `<value>`. This value is passed to all future
+  **RUN**, **ENTRYPOINT**, and **CMD** instructions. This is
+  functionally equivalent to prefixing the command with `<key>=<value>`.  The
+  environment variables that are set with **ENV** persist when a container is run
+  from the resulting image. Use `docker inspect` to inspect these values, and
+  change them using `docker run --env <key>=<value>`.
+
+  Note that setting "`ENV DEBIAN_FRONTEND noninteractive`" may cause
+  unintended consequences, because it will persist when the container is run
+  interactively, as with the following command: `docker run -t -i image bash`
+
+**ADD**
+  -- **ADD** has two forms:
+
+  ```
+  ADD <src> <dest>
+
+  # Required for paths with whitespace
+  ADD ["<src>",... "<dest>"]
+  ```
+
+  The **ADD** instruction copies new files, directories
+  or remote file URLs to the filesystem of the container at path `<dest>`.
+  Multiple `<src>` resources may be specified but if they are files or directories
+  then they must be relative to the source directory that is being built
+  (the context of the build). The `<dest>` is the absolute path, or path relative
+  to **WORKDIR**, into which the source is copied inside the target container.
+  If the `<src>` argument is a local file in a recognized compression format
+  (tar, gzip, bzip2, etc) then it is unpacked at the specified `<dest>` in the
+  container's filesystem.  Note that only local compressed files will be unpacked,
+  i.e., the URL download and archive unpacking features cannot be used together.
+  All new directories are created with mode 0755 and with the uid and gid of **0**.
+
+**COPY**
+  -- **COPY** has two forms:
+
+  ```
+  COPY <src> <dest>
+
+  # Required for paths with whitespace
+  COPY ["<src>",... "<dest>"]
+  ```
+
+  The **COPY** instruction copies new files from `<src>` and
+  adds them to the filesystem of the container at path <dest>. The `<src>` must be
+  the path to a file or directory relative to the source directory that is
+  being built (the context of the build) or a remote file URL. The `<dest>` is an
+  absolute path, or a path relative to **WORKDIR**, into which the source will
+  be copied inside the target container. If you **COPY** an archive file it will
+  land in the container exactly as it appears in the build context without any
+  attempt to unpack it.  All new files and directories are created with mode **0755**
+  and with the uid and gid of **0**.
+
+**ENTRYPOINT**
+  -- **ENTRYPOINT** has two forms:
+
+  ```
+  # executable form
+  ENTRYPOINT ["executable", "param1", "param2"]`
+
+  # run command in a shell - /bin/sh -c
+  ENTRYPOINT command param1 param2
+  ```
+
+  -- An **ENTRYPOINT** helps you configure a
+  container that can be run as an executable. When you specify an **ENTRYPOINT**,
+  the whole container runs as if it was only that executable.  The **ENTRYPOINT**
+  instruction adds an entry command that is not overwritten when arguments are
+  passed to docker run. This is different from the behavior of **CMD**. This allows
+  arguments to be passed to the entrypoint, for instance `docker run <image> -d`
+  passes the -d argument to the **ENTRYPOINT**.  Specify parameters either in the
+  **ENTRYPOINT** JSON array (as in the preferred exec form above), or by using a **CMD**
+  statement.  Parameters in the **ENTRYPOINT** are not overwritten by the docker run
+  arguments.  Parameters specified via **CMD** are overwritten by docker run
+  arguments.  Specify a plain string for the **ENTRYPOINT**, and it will execute in
+  `/bin/sh -c`, like a **CMD** instruction:
+
+  ```
+  FROM ubuntu
+  ENTRYPOINT wc -l -
+  ```
+
+  This means that the Dockerfile's image always takes stdin as input (that's
+  what "-" means), and prints the number of lines (that's what "-l" means). To
+  make this optional but default, use a **CMD**:
+
+  ```
+  FROM ubuntu
+  CMD ["-l", "-"]
+  ENTRYPOINT ["/usr/bin/wc"]
+  ```
+
+**VOLUME**
+  -- `VOLUME ["/data"]`
+  The **VOLUME** instruction creates a mount point with the specified name and marks
+  it as holding externally-mounted volumes from the native host or from other
+  containers.
+
+**USER**
+  -- `USER daemon`
+  Sets the username or UID used for running subsequent commands.
+
+  The **USER** instruction can optionally be used to set the group or GID. The
+  followings examples are all valid:
+  USER [user | user:group | uid | uid:gid | user:gid | uid:group ]
+
+  Until the **USER** instruction is set, instructions will be run as root. The USER
+  instruction can be used any number of times in a Dockerfile, and will only affect
+  subsequent commands.
+
+**WORKDIR**
+  -- `WORKDIR /path/to/workdir`
+  The **WORKDIR** instruction sets the working directory for the **RUN**, **CMD**,
+  **ENTRYPOINT**, **COPY** and **ADD** Dockerfile commands that follow it. It can
+  be used multiple times in a single Dockerfile. Relative paths are defined
+  relative to the path of the previous **WORKDIR** instruction. For example:
+
+  ```
+  WORKDIR /a
+  WORKDIR b
+  WORKDIR c
+  RUN pwd
+  ```
+
+  In the above example, the output of the **pwd** command is **a/b/c**.
+
+**ARG**
+   -- ARG <name>[=<default value>]
+
+  The `ARG` instruction defines a variable that users can pass at build-time to
+  the builder with the `docker build` command using the `--build-arg
+  <varname>=<value>` flag. If a user specifies a build argument that was not
+  defined in the Dockerfile, the build outputs a warning.
+
+  ```
+  [Warning] One or more build-args [foo] were not consumed
+  ```
+
+  The Dockerfile author can define a single variable by specifying `ARG` once or many
+  variables by specifying `ARG` more than once. For example, a valid Dockerfile:
+
+  ```
+  FROM busybox
+  ARG user1
+  ARG buildno
+  ...
+  ```
+
+  A Dockerfile author may optionally specify a default value for an `ARG` instruction:
+
+  ```
+  FROM busybox
+  ARG user1=someuser
+  ARG buildno=1
+  ...
+  ```
+
+  If an `ARG` value has a default and if there is no value passed at build-time, the
+  builder uses the default.
+
+  An `ARG` variable definition comes into effect from the line on which it is
+  defined in the `Dockerfile` not from the argument's use on the command-line or
+  elsewhere.  For example, consider this Dockerfile:
+
+  ```
+  1 FROM busybox
+  2 USER ${user:-some_user}
+  3 ARG user
+  4 USER $user
+  ...
+  ```
+  A user builds this file by calling:
+
+  ```
+  $ docker build --build-arg user=what_user Dockerfile
+  ```
+
+  The `USER` at line 2 evaluates to `some_user` as the `user` variable is defined on the
+  subsequent line 3. The `USER` at line 4 evaluates to `what_user` as `user` is
+  defined and the `what_user` value was passed on the command line. Prior to its definition by an
+  `ARG` instruction, any use of a variable results in an empty string.
+
+  > **Warning:** It is not recommended to use build-time variables for
+  >  passing secrets like github keys, user credentials etc. Build-time variable
+  >  values are visible to any user of the image with the `docker history` command.
+
+  You can use an `ARG` or an `ENV` instruction to specify variables that are
+  available to the `RUN` instruction. Environment variables defined using the
+  `ENV` instruction always override an `ARG` instruction of the same name. Consider
+  this Dockerfile with an `ENV` and `ARG` instruction.
+
+  ```
+  1 FROM ubuntu
+  2 ARG CONT_IMG_VER
+  3 ENV CONT_IMG_VER v1.0.0
+  4 RUN echo $CONT_IMG_VER
+  ```
+  Then, assume this image is built with this command:
+
+  ```
+  $ docker build --build-arg CONT_IMG_VER=v2.0.1 Dockerfile
+  ```
+
+  In this case, the `RUN` instruction uses `v1.0.0` instead of the `ARG` setting
+  passed by the user:`v2.0.1` This behavior is similar to a shell
+  script where a locally scoped variable overrides the variables passed as
+  arguments or inherited from environment, from its point of definition.
+
+  Using the example above but a different `ENV` specification you can create more
+  useful interactions between `ARG` and `ENV` instructions:
+
+  ```
+  1 FROM ubuntu
+  2 ARG CONT_IMG_VER
+  3 ENV CONT_IMG_VER ${CONT_IMG_VER:-v1.0.0}
+  4 RUN echo $CONT_IMG_VER
+  ```
+
+  Unlike an `ARG` instruction, `ENV` values are always persisted in the built
+  image. Consider a docker build without the --build-arg flag:
+
+  ```
+  $ docker build Dockerfile
+  ```
+
+  Using this Dockerfile example, `CONT_IMG_VER` is still persisted in the image but
+  its value would be `v1.0.0` as it is the default set in line 3 by the `ENV` instruction.
+
+  The variable expansion technique in this example allows you to pass arguments
+  from the command line and persist them in the final image by leveraging the
+  `ENV` instruction. Variable expansion is only supported for [a limited set of
+  Dockerfile instructions.](#environment-replacement)
+
+  Docker has a set of predefined `ARG` variables that you can use without a
+  corresponding `ARG` instruction in the Dockerfile.
+
+  * `HTTP_PROXY`
+  * `http_proxy`
+  * `HTTPS_PROXY`
+  * `https_proxy`
+  * `FTP_PROXY`
+  * `ftp_proxy`
+  * `NO_PROXY`
+  * `no_proxy`
+
+  To use these, simply pass them on the command line using the `--build-arg
+  <varname>=<value>` flag.
+
+**ONBUILD**
+  -- `ONBUILD [INSTRUCTION]`
+  The **ONBUILD** instruction adds a trigger instruction to an image. The
+  trigger is executed at a later time, when the image is used as the base for
+  another build. Docker executes the trigger in the context of the downstream
+  build, as if the trigger existed immediately after the **FROM** instruction in
+  the downstream Dockerfile.
+
+  You can register any build instruction as a trigger. A trigger is useful if
+  you are defining an image to use as a base for building other images. For
+  example, if you are defining an application build environment or a daemon that
+  is customized with a user-specific configuration.  
+
+  Consider an image intended as a reusable python application builder. It must
+  add application source code to a particular directory, and might need a build
+  script called after that. You can't just call **ADD** and **RUN** now, because
+  you don't yet have access to the application source code, and it is different
+  for each application build.
+
+  -- Providing application developers with a boilerplate Dockerfile to copy-paste
+  into their application is inefficient, error-prone, and
+  difficult to update because it mixes with application-specific code.
+  The solution is to use **ONBUILD** to register instructions in advance, to
+  run later, during the next build stage.
+
+# HISTORY
+*May 2014, Compiled by Zac Dover (zdover at redhat dot com) based on docker.com Dockerfile documentation.
+*Feb 2015, updated by Brian Goff (cpuguy83@gmail.com) for readability
+*Sept 2015, updated by Sally O'Malley (somalley@redhat.com)
+*Oct 2016, updated by Addam Hardy (addam.hardy@gmail.com)
diff --git a/cli/man/README.md b/cli/man/README.md
new file mode 100644
index 00000000..82dac650
--- /dev/null
+++ b/cli/man/README.md
@@ -0,0 +1,15 @@
+Docker Documentation
+====================
+
+This directory contains scripts for generating the man pages. Many of the man
+pages are generated directly from the `spf13/cobra` `Command` definition. Some
+legacy pages are still generated from the markdown files in this directory.
+Do *not* edit the man pages in the man1 directory. Instead, update the
+Cobra command or amend the Markdown files for legacy pages.
+
+
+## Generate the man pages
+
+From within the project root directory run:
+
+    make manpages
diff --git a/cli/man/docker-build.1.md b/cli/man/docker-build.1.md
new file mode 100644
index 00000000..3ac9f81f
--- /dev/null
+++ b/cli/man/docker-build.1.md
@@ -0,0 +1,359 @@
+% DOCKER(1) Docker User Manuals
+% Docker Community
+% JUNE 2014
+# NAME
+docker-build - Build an image from a Dockerfile
+
+# SYNOPSIS
+**docker build**
+[**--add-host**[=*[]*]]
+[**--build-arg**[=*[]*]]
+[**--cache-from**[=*[]*]]
+[**--cpu-shares**[=*0*]]
+[**--cgroup-parent**[=*CGROUP-PARENT*]]
+[**--help**]
+[**--iidfile**[=*CIDFILE*]]
+[**-f**|**--file**[=*PATH/Dockerfile*]]
+[**-squash**] *Experimental*
+[**--force-rm**]
+[**--isolation**[=*default*]]
+[**--label**[=*[]*]]
+[**--no-cache**]
+[**--pull**]
+[**--compress**]
+[**-q**|**--quiet**]
+[**--rm**[=*true*]]
+[**-t**|**--tag**[=*[]*]]
+[**-m**|**--memory**[=*MEMORY*]]
+[**--memory-swap**[=*LIMIT*]]
+[**--network**[=*"default"*]]
+[**--shm-size**[=*SHM-SIZE*]]
+[**--cpu-period**[=*0*]]
+[**--cpu-quota**[=*0*]]
+[**--cpuset-cpus**[=*CPUSET-CPUS*]]
+[**--cpuset-mems**[=*CPUSET-MEMS*]]
+[**--target**[=*[]*]]
+[**--ulimit**[=*[]*]]
+PATH | URL | -
+
+# DESCRIPTION
+This will read the Dockerfile from the directory specified in **PATH**.
+It also sends any other files and directories found in the current
+directory to the Docker daemon. The contents of this directory would
+be used by **ADD** commands found within the Dockerfile.
+
+Warning, this will send a lot of data to the Docker daemon depending
+on the contents of the current directory. The build is run by the Docker
+daemon, not by the CLI, so the whole context must be transferred to the daemon. 
+The Docker CLI reports "Sending build context to Docker daemon" when the context is sent to
+the daemon.
+
+When the URL to a tarball archive or to a single Dockerfile is given, no context is sent from
+the client to the Docker daemon. In this case, the Dockerfile at the root of the archive and
+the rest of the archive will get used as the context of the build.  When a Git repository is
+set as the **URL**, the repository is cloned locally and then sent as the context.
+
+# OPTIONS
+**-f**, **--file**=*PATH/Dockerfile*
+   Path to the Dockerfile to use. If the path is a relative path and you are
+   building from a local directory, then the path must be relative to that
+   directory. If you are building from a remote URL pointing to either a
+   tarball or a Git repository, then the path must be relative to the root of
+   the remote context. In all cases, the file must be within the build context.
+   The default is *Dockerfile*.
+
+**--squash**=*true*|*false*
+   **Experimental Only**
+   Once the image is built, squash the new layers into a new image with a single
+   new layer. Squashing does not destroy any existing image, rather it creates a new
+   image with the content of the squashed layers. This effectively makes it look
+   like all `Dockerfile` commands were created with a single layer. The build
+   cache is preserved with this method.
+
+   **Note**: using this option means the new image will not be able to take
+   advantage of layer sharing with other images and may use significantly more
+   space.
+
+   **Note**: using this option you may see significantly more space used due to
+   storing two copies of the image, one for the build cache with all the cache
+   layers in tact, and one for the squashed version.
+
+**--add-host**=[]
+   Add a custom host-to-IP mapping (host:ip)
+
+   Add a line to /etc/hosts. The format is hostname:ip.  The **--add-host**
+option can be set multiple times.
+
+**--build-arg**=*variable*
+   name and value of a **buildarg**.
+
+   For example, if you want to pass a value for `http_proxy`, use
+   `--build-arg=http_proxy="http://some.proxy.url"`
+
+   Users pass these values at build-time. Docker uses the `buildargs` as the
+   environment context for command(s) run via the Dockerfile's `RUN` instruction
+   or for variable expansion in other Dockerfile instructions. This is not meant
+   for passing secret values. [Read more about the buildargs instruction](https://docs.docker.com/engine/reference/builder/#arg)
+
+**--cache-from**=""
+   Set image that will be used as a build cache source.
+
+**--force-rm**=*true*|*false*
+   Always remove intermediate containers, even after unsuccessful builds. The default is *false*.
+
+**--isolation**="*default*"
+   Isolation specifies the type of isolation technology used by containers. 
+
+**--label**=*label*
+   Set metadata for an image
+
+**--no-cache**=*true*|*false*
+   Do not use cache when building the image. The default is *false*.
+
+**--iidfile**=""
+   Write the image ID to the file
+
+**--help**
+  Print usage statement
+
+**--pull**=*true*|*false*
+   Always attempt to pull a newer version of the image. The default is *false*.
+
+**--compress**=*true*|*false*
+    Compress the build context using gzip. The default is *false*.
+
+**-q**, **--quiet**=*true*|*false*
+   Suppress the build output and print image ID on success. The default is *false*.
+
+**--rm**=*true*|*false*
+   Remove intermediate containers after a successful build. The default is *true*.
+
+**-t**, **--tag**=""
+   Repository names (and optionally with tags) to be applied to the resulting 
+   image in case of success. Refer to **docker-tag(1)** for more information
+   about valid tag names.
+
+**-m**, **--memory**=*MEMORY*
+  Memory limit
+
+**--memory-swap**=*LIMIT*
+   A limit value equal to memory plus swap. Must be used with the  **-m**
+(**--memory**) flag. The swap `LIMIT` should always be larger than **-m**
+(**--memory**) value.
+
+   The format of `LIMIT` is `<number>[<unit>]`. Unit can be `b` (bytes),
+`k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you don't specify a
+unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.
+
+**--network**=*bridge*
+  Set the networking mode for the RUN instructions during build. Supported standard
+  values are: `bridge`, `host`, `none` and `container:<name|id>`. Any other value
+  is taken as a custom network's name or ID which this container should connect to.
+
+**--shm-size**=*SHM-SIZE*
+  Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.
+  Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes.
+  If you omit the size entirely, the system uses `64m`.
+
+**--cpu-shares**=*0*
+  CPU shares (relative weight).
+
+  By default, all containers get the same proportion of CPU cycles.
+  CPU shares is a 'relative weight', relative to the default setting of 1024.
+  This default value is defined here: 
+  ```
+   cat /sys/fs/cgroup/cpu/cpu.shares
+   1024
+  ```
+  You can change this proportion by adjusting the container's CPU share 
+  weighting relative to the weighting of all other running containers.
+
+  To modify the proportion from the default of 1024, use the **--cpu-shares**
+  flag to set the weighting to 2 or higher.
+
+      Container   CPU share    Flag             
+      {C0}        60% of CPU  --cpu-shares=614 (614 is 60% of 1024)
+      {C1}        40% of CPU  --cpu-shares=410 (410 is 40% of 1024)
+
+  The proportion is only applied when CPU-intensive processes are running.
+  When tasks in one container are idle, the other containers can use the
+  left-over CPU time. The actual amount of CPU time used varies depending on
+  the number of containers running on the system.
+
+  For example, consider three containers, where one has **--cpu-shares=1024** and
+  two others have **--cpu-shares=512**. When processes in all three
+  containers attempt to use 100% of CPU, the first container would receive
+  50% of the total CPU time. If you add a fourth container with **--cpu-shares=1024**,
+  the first container only gets 33% of the CPU. The remaining containers
+  receive 16.5%, 16.5% and 33% of the CPU.
+
+
+      Container   CPU share   Flag                CPU time            
+      {C0}        100%        --cpu-shares=1024   33%
+      {C1}        50%         --cpu-shares=512    16.5%
+      {C2}        50%         --cpu-shares=512    16.5%
+      {C4}        100%        --cpu-shares=1024   33%
+
+
+  On a multi-core system, the shares of CPU time are distributed across the CPU
+  cores. Even if a container is limited to less than 100% of CPU time, it can
+  use 100% of each individual CPU core.
+
+  For example, consider a system with more than three cores. If you start one
+  container **{C0}** with **--cpu-shares=512** running one process, and another container
+  **{C1}** with **--cpu-shares=1024** running two processes, this can result in the following
+  division of CPU shares:
+
+      PID    container    CPU    CPU share
+      100    {C0}         0      100% of CPU0
+      101    {C1}         1      100% of CPU1
+      102    {C1}         2      100% of CPU2
+
+**--cpu-period**=*0*
+  Limit the CPU CFS (Completely Fair Scheduler) period.
+
+  Limit the container's CPU usage. This flag causes the kernel to restrict the
+  container's CPU usage to the period you specify.
+
+**--cpu-quota**=*0*
+  Limit the CPU CFS (Completely Fair Scheduler) quota. 
+
+  By default, containers run with the full CPU resource. This flag causes the
+kernel to restrict the container's CPU usage to the quota you specify.
+
+**--cpuset-cpus**=*CPUSET-CPUS*
+  CPUs in which to allow execution (0-3, 0,1).
+
+**--cpuset-mems**=*CPUSET-MEMS*
+  Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on
+  NUMA systems.
+
+  For example, if you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1`
+to ensure the processes in your Docker container only use memory from the first
+two memory nodes.
+
+**--cgroup-parent**=*CGROUP-PARENT*
+  Path to `cgroups` under which the container's `cgroup` are created.
+
+  If the path is not absolute, the path is considered relative to the `cgroups` path of the init process.
+Cgroups are created if they do not already exist.
+
+**--target**=""
+   Set the target build stage name.
+
+**--ulimit**=[]
+  Ulimit options
+
+  For more information about `ulimit` see [Setting ulimits in a 
+container](https://docs.docker.com/engine/reference/commandline/run/#set-ulimits-in-container---ulimit)
+
+# EXAMPLES
+
+## Building an image using a Dockerfile located inside the current directory
+
+Docker images can be built using the build command and a Dockerfile:
+
+    docker build .
+
+During the build process Docker creates intermediate images. In order to
+keep them, you must explicitly set `--rm=false`.
+
+    docker build --rm=false .
+
+A good practice is to make a sub-directory with a related name and create
+the Dockerfile in that directory. For example, a directory called mongo may
+contain a Dockerfile to create a Docker MongoDB image. Likewise, another
+directory called httpd may be used to store Dockerfiles for Apache web
+server images.
+
+It is also a good practice to add the files required for the image to the
+sub-directory. These files will then be specified with the `COPY` or `ADD`
+instructions in the `Dockerfile`.
+
+Note: If you include a tar file (a good practice), then Docker will
+automatically extract the contents of the tar file specified within the `ADD`
+instruction into the specified target.
+
+## Building an image and naming that image
+
+A good practice is to give a name to the image you are building. Note that 
+only a-z0-9-_. should be used for consistency.  There are no hard rules here but it is best to give the names consideration. 
+
+The **-t**/**--tag** flag is used to rename an image. Here are some examples:
+
+Though it is not a good practice, image names can be arbitrary:
+
+    docker build -t myimage .
+
+A better approach is to provide a fully qualified and meaningful repository,
+name, and tag (where the tag in this context means the qualifier after 
+the ":"). In this example we build a JBoss image for the Fedora repository 
+and give it the version 1.0:
+
+    docker build -t fedora/jboss:1.0 .
+
+The next example is for the "whenry" user repository and uses Fedora and
+JBoss and gives it the version 2.1 :
+
+    docker build -t whenry/fedora-jboss:v2.1 .
+
+If you do not provide a version tag then Docker will assign `latest`:
+
+    docker build -t whenry/fedora-jboss .
+
+When you list the images, the image above will have the tag `latest`.
+
+You can apply multiple tags to an image. For example, you can apply the `latest`
+tag to a newly built image and add another tag that references a specific
+version.
+For example, to tag an image both as `whenry/fedora-jboss:latest` and
+`whenry/fedora-jboss:v2.1`, use the following:
+
+    docker build -t whenry/fedora-jboss:latest -t whenry/fedora-jboss:v2.1 .
+
+So renaming an image is arbitrary but consideration should be given to 
+a useful convention that makes sense for consumers and should also take
+into account Docker community conventions.
+
+
+## Building an image using a URL
+
+This will clone the specified GitHub repository from the URL and use it
+as context. The Dockerfile at the root of the repository is used as
+Dockerfile. This only works if the GitHub repository is a dedicated
+repository.
+
+    docker build github.com/scollier/purpletest
+
+Note: You can set an arbitrary Git repository via the `git://` scheme.
+
+## Building an image using a URL to a tarball'ed context
+
+This will send the URL itself to the Docker daemon. The daemon will fetch the
+tarball archive, decompress it and use its contents as the build context.  The 
+Dockerfile at the root of the archive and the rest of the archive will get used
+as the context of the build. If you pass an **-f PATH/Dockerfile** option as well,
+the system will look for that file inside the contents of the tarball.
+
+    docker build -f dev/Dockerfile https://10.10.10.1/docker/context.tar.gz
+
+Note: supported compression formats are 'xz', 'bzip2', 'gzip' and 'identity' (no compression).
+
+## Specify isolation technology for container (--isolation)
+
+This option is useful in situations where you are running Docker containers on
+Windows. The `--isolation=<value>` option sets a container's isolation
+technology. On Linux, the only supported is the `default` option which uses
+Linux namespaces. On Microsoft Windows, you can specify these values:
+
+* `default`: Use the value specified by the Docker daemon's `--exec-opt` . If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value.
+* `process`: Namespace isolation only.
+* `hyperv`: Hyper-V hypervisor partition-based isolation.
+
+Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.
+
+# HISTORY
+March 2014, Originally compiled by William Henry (whenry at redhat dot com)
+based on docker.com source material and internal work.
+June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
+June 2015, updated by Sally O'Malley <somalley@redhat.com>
diff --git a/cli/man/docker-config-json.5.md b/cli/man/docker-config-json.5.md
new file mode 100644
index 00000000..49987f08
--- /dev/null
+++ b/cli/man/docker-config-json.5.md
@@ -0,0 +1,72 @@
+% CONFIG.JSON(5) Docker User Manuals
+% Docker Community
+% JANUARY 2016
+# NAME
+HOME/.docker/config.json - Default Docker configuration file
+
+# INTRODUCTION
+
+By default, the Docker command line stores its configuration files in a
+directory called `.docker` within your `$HOME` directory.  Docker manages most of
+the files in the configuration directory and you should not modify them.
+However, you *can modify* the `config.json` file to control certain aspects of
+how the `docker` command behaves.
+
+Currently, you can modify the `docker` command behavior using environment
+variables or command-line options. You can also use options within
+`config.json` to modify some of the same behavior. When using these
+mechanisms, you must keep in mind the order of precedence among them. Command
+line options override environment variables and environment variables override
+properties you specify in a `config.json` file.
+
+The `config.json` file stores a JSON encoding of several properties:
+
+* The `HttpHeaders` property specifies a set of headers to include in all messages
+sent from the Docker client to the daemon. Docker does not try to interpret or
+understand these header; it simply puts them into the messages. Docker does not
+allow these headers to change any headers it sets for itself.
+
+* The `psFormat` property specifies the default format for `docker ps` output.
+When the `--format` flag is not provided with the `docker ps` command,
+Docker's client uses this property. If this property is not set, the client
+falls back to the default table format. For a list of supported formatting
+directives, see **docker-ps(1)**.
+
+* The `detachKeys` property specifies the default key sequence which
+detaches the container. When the `--detach-keys` flag is not provide
+with the `docker attach`, `docker exec`, `docker run` or `docker
+start`, Docker's client uses this property. If this property is not
+set, the client falls back to the default sequence `ctrl-p,ctrl-q`.
+
+
+* The `imagesFormat` property  specifies the default format for `docker images`
+output. When the `--format` flag is not provided with the `docker images`
+command, Docker's client uses this property. If this property is not set, the
+client falls back to the default table format. For a list of supported
+formatting directives, see **docker-images(1)**.
+
+You can specify a different location for the configuration files via the
+`DOCKER_CONFIG` environment variable or the `--config` command line option. If
+both are specified, then the `--config` option overrides the `DOCKER_CONFIG`
+environment variable:
+
+    docker --config ~/testconfigs/ ps
+
+This command instructs Docker to use the configuration files in the
+`~/testconfigs/` directory when running the `ps` command.
+
+## Examples
+
+Following is a sample `config.json` file:
+
+    {
+      "HttpHeaders": {
+        "MyHeader": "MyValue"
+      },
+      "psFormat": "table {{.ID}}\\t{{.Image}}\\t{{.Command}}\\t{{.Labels}}",
+      "imagesFormat": "table {{.ID}}\\t{{.Repository}}\\t{{.Tag}}\\t{{.CreatedAt}}",
+      "detachKeys": "ctrl-e,e"
+    }
+
+# HISTORY
+January 2016, created by Moxiegirl <mary@docker.com>
diff --git a/cli/man/docker-run.1.md b/cli/man/docker-run.1.md
new file mode 100644
index 00000000..e0337700
--- /dev/null
+++ b/cli/man/docker-run.1.md
@@ -0,0 +1,1126 @@
+% DOCKER(1) Docker User Manuals
+% Docker Community
+% JUNE 2014
+# NAME
+docker-run - Run a command in a new container
+
+# SYNOPSIS
+**docker run**
+[**-a**|**--attach**[=*[]*]]
+[**--add-host**[=*[]*]]
+[**--blkio-weight**[=*[BLKIO-WEIGHT]*]]
+[**--blkio-weight-device**[=*[]*]]
+[**--cpu-shares**[=*0*]]
+[**--cap-add**[=*[]*]]
+[**--cap-drop**[=*[]*]]
+[**--cgroup-parent**[=*CGROUP-PATH*]]
+[**--cidfile**[=*CIDFILE*]]
+[**--cpu-count**[=*0*]]
+[**--cpu-percent**[=*0*]]
+[**--cpu-period**[=*0*]]
+[**--cpu-quota**[=*0*]]
+[**--cpu-rt-period**[=*0*]]
+[**--cpu-rt-runtime**[=*0*]]
+[**--cpus**[=*0.0*]]
+[**--cpuset-cpus**[=*CPUSET-CPUS*]]
+[**--cpuset-mems**[=*CPUSET-MEMS*]]
+[**-d**|**--detach**]
+[**--detach-keys**[=*[]*]]
+[**--device**[=*[]*]]
+[**--device-cgroup-rule**[=*[]*]]
+[**--device-read-bps**[=*[]*]]
+[**--device-read-iops**[=*[]*]]
+[**--device-write-bps**[=*[]*]]
+[**--device-write-iops**[=*[]*]]
+[**--dns**[=*[]*]]
+[**--dns-option**[=*[]*]]
+[**--dns-search**[=*[]*]]
+[**-e**|**--env**[=*[]*]]
+[**--entrypoint**[=*ENTRYPOINT*]]
+[**--env-file**[=*[]*]]
+[**--expose**[=*[]*]]
+[**--group-add**[=*[]*]]
+[**-h**|**--hostname**[=*HOSTNAME*]]
+[**--help**]
+[**--init**]
+[**-i**|**--interactive**]
+[**--ip**[=*IPv4-ADDRESS*]]
+[**--ip6**[=*IPv6-ADDRESS*]]
+[**--ipc**[=*IPC*]]
+[**--isolation**[=*default*]]
+[**--kernel-memory**[=*KERNEL-MEMORY*]]
+[**-l**|**--label**[=*[]*]]
+[**--label-file**[=*[]*]]
+[**--link**[=*[]*]]
+[**--link-local-ip**[=*[]*]]
+[**--log-driver**[=*[]*]]
+[**--log-opt**[=*[]*]]
+[**-m**|**--memory**[=*MEMORY*]]
+[**--mac-address**[=*MAC-ADDRESS*]]
+[**--memory-reservation**[=*MEMORY-RESERVATION*]]
+[**--memory-swap**[=*LIMIT*]]
+[**--memory-swappiness**[=*MEMORY-SWAPPINESS*]]
+[**--mount**[=*[MOUNT]*]]
+[**--name**[=*NAME*]]
+[**--network-alias**[=*[]*]]
+[**--network**[=*"bridge"*]]
+[**--oom-kill-disable**]
+[**--oom-score-adj**[=*0*]]
+[**-P**|**--publish-all**]
+[**-p**|**--publish**[=*[]*]]
+[**--pid**[=*[PID]*]]
+[**--userns**[=*[]*]]
+[**--pids-limit**[=*PIDS_LIMIT*]]
+[**--privileged**]
+[**--read-only**]
+[**--restart**[=*RESTART*]]
+[**--rm**]
+[**--security-opt**[=*[]*]]
+[**--storage-opt**[=*[]*]]
+[**--stop-signal**[=*SIGNAL*]]
+[**--stop-timeout**[=*TIMEOUT*]]
+[**--shm-size**[=*[]*]]
+[**--sig-proxy**[=*true*]]
+[**--sysctl**[=*[]*]]
+[**-t**|**--tty**]
+[**--tmpfs**[=*[CONTAINER-DIR[:OPTIONS]*]]
+[**-u**|**--user**[=*USER*]]
+[**--ulimit**[=*[]*]]
+[**--uts**[=*[]*]]
+[**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]]
+[**--volume-driver**[=*DRIVER*]]
+[**--volumes-from**[=*[]*]]
+[**-w**|**--workdir**[=*WORKDIR*]]
+IMAGE [COMMAND] [ARG...]
+
+# DESCRIPTION
+
+Run a process in a new container. **docker run** starts a process with its own
+file system, its own networking, and its own isolated process tree. The IMAGE
+which starts the process may define defaults related to the process that will be
+run in the container, the networking to expose, and more, but **docker run**
+gives final control to the operator or administrator who starts the container
+from the image. For that reason **docker run** has more options than any other
+Docker command.
+
+If the IMAGE is not already loaded then **docker run** will pull the IMAGE, and
+all image dependencies, from the repository in the same way running **docker
+pull** IMAGE, before it starts the container from that image.
+
+# OPTIONS
+**-a**, **--attach**=[]
+   Attach to STDIN, STDOUT or STDERR.
+
+   In foreground mode (the default when **-d**
+is not specified), **docker run** can start the process in the container
+and attach the console to the process's standard input, output, and standard
+error. It can even pretend to be a TTY (this is what most commandline
+executables expect) and pass along signals. The **-a** option can be set for
+each of stdin, stdout, and stderr.
+
+**--add-host**=[]
+   Add a custom host-to-IP mapping (host:ip)
+
+   Add a line to /etc/hosts. The format is hostname:ip.  The **--add-host**
+option can be set multiple times.
+
+**--blkio-weight**=*0*
+   Block IO weight (relative weight) accepts a weight value between 10 and 1000.
+
+**--blkio-weight-device**=[]
+   Block IO weight (relative device weight, format: `DEVICE_NAME:WEIGHT`).
+
+**--cpu-shares**=*0*
+   CPU shares (relative weight)
+
+   By default, all containers get the same proportion of CPU cycles. This proportion
+can be modified by changing the container's CPU share weighting relative
+to the weighting of all other running containers.
+
+To modify the proportion from the default of 1024, use the **--cpu-shares**
+flag to set the weighting to 2 or higher.
+
+The proportion will only apply when CPU-intensive processes are running.
+When tasks in one container are idle, other containers can use the
+left-over CPU time. The actual amount of CPU time will vary depending on
+the number of containers running on the system.
+
+For example, consider three containers, one has a cpu-share of 1024 and
+two others have a cpu-share setting of 512. When processes in all three
+containers attempt to use 100% of CPU, the first container would receive
+50% of the total CPU time. If you add a fourth container with a cpu-share
+of 1024, the first container only gets 33% of the CPU. The remaining containers
+receive 16.5%, 16.5% and 33% of the CPU.
+
+On a multi-core system, the shares of CPU time are distributed over all CPU
+cores. Even if a container is limited to less than 100% of CPU time, it can
+use 100% of each individual CPU core.
+
+For example, consider a system with more than three cores. If you start one
+container **{C0}** with **-c=512** running one process, and another container
+**{C1}** with **-c=1024** running two processes, this can result in the following
+division of CPU shares:
+
+    PID    container	CPU	CPU share
+    100    {C0}		0	100% of CPU0
+    101    {C1}		1	100% of CPU1
+    102    {C1}		2	100% of CPU2
+
+**--cap-add**=[]
+   Add Linux capabilities
+
+**--cap-drop**=[]
+   Drop Linux capabilities
+
+**--cgroup-parent**=""
+   Path to cgroups under which the cgroup for the container will be created. If the path is not absolute, the path is considered to be relative to the cgroups path of the init process. Cgroups will be created if they do not already exist.
+
+**--cidfile**=""
+   Write the container ID to the file
+
+**--cpu-count**=*0*
+    Limit the number of CPUs available for execution by the container.
+    
+    On Windows Server containers, this is approximated as a percentage of total CPU usage.
+
+    On Windows Server containers, the processor resource controls are mutually exclusive, the order of precedence is CPUCount first, then CPUShares, and CPUPercent last.
+
+**--cpu-percent**=*0*
+    Limit the percentage of CPU available for execution by a container running on a Windows daemon.
+
+    On Windows Server containers, the processor resource controls are mutually exclusive, the order of precedence is CPUCount first, then CPUShares, and CPUPercent last.
+
+**--cpu-period**=*0*
+   Limit the CPU CFS (Completely Fair Scheduler) period
+
+   Limit the container's CPU usage. This flag tell the kernel to restrict the container's CPU usage to the period you specify.
+
+**--cpuset-cpus**=""
+   CPUs in which to allow execution (0-3, 0,1)
+
+**--cpuset-mems**=""
+   Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.
+
+   If you have four memory nodes on your system (0-3), use `--cpuset-mems=0,1`
+then processes in your Docker container will only use memory from the first
+two memory nodes.
+
+**--cpu-quota**=*0*
+   Limit the CPU CFS (Completely Fair Scheduler) quota
+
+   Limit the container's CPU usage. By default, containers run with the full
+CPU resource. This flag tell the kernel to restrict the container's CPU usage
+to the quota you specify.
+
+**--cpu-rt-period**=0
+   Limit the CPU real-time period in microseconds
+
+   Limit the container's Real Time CPU usage. This flag tell the kernel to restrict the container's Real Time CPU usage to the period you specify.
+
+**--cpu-rt-runtime**=0
+   Limit the CPU real-time runtime in microseconds
+
+   Limit the containers Real Time CPU usage. This flag tells the kernel to limit the amount of time in a given CPU period Real Time tasks may consume. Ex:
+   Period of 1,000,000us and Runtime of 950,000us means that this container could consume 95% of available CPU and leave the remaining 5% to normal priority tasks.
+
+   The sum of all runtimes across containers cannot exceed the amount allotted to the parent cgroup.
+
+**--cpus**=0.0
+   Number of CPUs. The default is *0.0* which means no limit.
+
+**-d**, **--detach**=*true*|*false*
+   Detached mode: run the container in the background and print the new container ID. The default is *false*.
+
+   At any time you can run **docker ps** in
+the other shell to view a list of the running containers. You can reattach to a
+detached container with **docker attach**.
+
+   When attached in the tty mode, you can detach from the container (and leave it
+running) using a configurable key sequence. The default sequence is `CTRL-p CTRL-q`.
+You configure the key sequence using the **--detach-keys** option or a configuration file.
+See **config-json(5)** for documentation on using a configuration file.
+
+**--detach-keys**=*key*
+   Override the key sequence for detaching a container; *key* is a single character from the [a-Z] range, or **ctrl**-*value*, where *value* is one of: **a-z**, **@**, **^**, **[**, **,**, or **_**.
+
+**--device**=*onhost*:*incontainer*[:*mode*]
+   Add a host device *onhost* to the container under the *incontainer* name.
+Optional *mode* parameter can be used to specify device permissions, it is
+a combination of **r** (for read), **w** (for write), and **m** (for **mknod**(2)).
+
+For example, **--device=/dev/sdc:/dev/xvdc:rwm** will give a container all
+permissions for the host device **/dev/sdc**, seen as **/dev/xvdc** inside the container.
+
+**--device-cgroup-rule**="*type* *major*:*minor* *mode*"
+   Add a rule to the cgroup allowed devices list. The rule is expected to be in the format specified in the Linux kernel documentation (Documentation/cgroup-v1/devices.txt):
+     - *type*: **a** (all), **c** (char), or **b** (block);
+     - *major* and *minor*: either a number, or __*__ for all;
+     - *mode*: a composition of **r** (read), **w** (write), and **m** (**mknod**(2)).
+
+   Example: **--device-cgroup-rule "c 1:3 mr"**: allow for a character device idendified by **1:3**  to be created and read.
+
+**--device-read-bps**=[]
+   Limit read rate from a device (e.g. --device-read-bps=/dev/sda:1mb)
+
+**--device-read-iops**=[]
+   Limit read rate from a device (e.g. --device-read-iops=/dev/sda:1000)
+
+**--device-write-bps**=[]
+   Limit write rate to a device (e.g. --device-write-bps=/dev/sda:1mb)
+
+**--device-write-iops**=[]
+   Limit write rate to a device (e.g. --device-write-iops=/dev/sda:1000)
+
+**--dns-search**=[]
+   Set custom DNS search domains (Use --dns-search=. if you don't wish to set the search domain)
+
+**--dns-option**=[]
+   Set custom DNS options
+
+**--dns**=[]
+   Set custom DNS servers
+
+   This option can be used to override the DNS
+configuration passed to the container. Typically this is necessary when the
+host DNS configuration is invalid for the container (e.g., 127.0.0.1). When this
+is the case the **--dns** flags is necessary for every run.
+
+**-e**, **--env**=[]
+   Set environment variables
+
+   This option allows you to specify arbitrary
+environment variables that are available for the process that will be launched
+inside of the container.
+
+**--entrypoint**=""
+   Overwrite the default ENTRYPOINT of the image
+
+   This option allows you to overwrite the default entrypoint of the image that
+is set in the Dockerfile. The ENTRYPOINT of an image is similar to a COMMAND
+because it specifies what executable to run when the container starts, but it is
+(purposely) more difficult to override. The ENTRYPOINT gives a container its
+default nature or behavior, so that when you set an ENTRYPOINT you can run the
+container as if it were that binary, complete with default options, and you can
+pass in more options via the COMMAND. But, sometimes an operator may want to run
+something else inside the container, so you can override the default ENTRYPOINT
+at runtime by using a **--entrypoint** and a string to specify the new
+ENTRYPOINT.
+
+**--env-file**=[]
+   Read in a line delimited file of environment variables
+
+**--expose**=[]
+   Expose a port, or a range of ports (e.g. --expose=3300-3310) informs Docker
+that the container listens on the specified network ports at runtime. Docker
+uses this information to interconnect containers using links and to set up port
+redirection on the host system.
+
+**--group-add**=[]
+   Add additional groups to run as
+
+**-h**, **--hostname**=""
+   Container host name
+
+   Sets the container host name that is available inside the container.
+
+**--help**
+   Print usage statement
+
+**--init**
+   Run an init inside the container that forwards signals and reaps processes
+
+**-i**, **--interactive**=*true*|*false*
+   Keep STDIN open even if not attached. The default is *false*.
+
+   When set to true, keep stdin open even if not attached.
+
+**--ip**=""
+   Sets the container's interface IPv4 address (e.g., 172.23.0.9)
+
+   It can only be used in conjunction with **--network** for user-defined networks
+
+**--ip6**=""
+   Sets the container's interface IPv6 address (e.g., 2001:db8::1b99)
+
+   It can only be used in conjunction with **--network** for user-defined networks
+
+**--ipc**=""
+   Sets the IPC mode for the container. The following values are accepted:
+
+| Value                      | Description                                                                       |
+|:---------------------------|:----------------------------------------------------------------------------------|
+| (empty)                    | Use daemon's default.                                                             |
+| **none**                   | Own private IPC namespace, with /dev/shm not mounted.                             |
+| **private**                | Own private IPC namespace.                                                        |
+| **shareable**              | Own private IPC namespace, with a possibility to share it with other containers.  |
+| **container:**_name-or-ID_ | Join another ("shareable") container's IPC namespace.                             |
+| **host**                   | Use the host system's IPC namespace.                                              |
+
+If not specified, daemon default is used, which can either be **private**
+or **shareable**, depending on the daemon version and configuration.
+
+**--isolation**="*default*"
+   Isolation specifies the type of isolation technology used by containers. Note
+that the default on Windows server is `process`, and the default on Windows client
+is `hyperv`. Linux only supports `default`.
+
+**-l**, **--label** *key*=*value*
+   Set metadata on the container (for example, **--label com.example.key=value**).
+
+**--kernel-memory**=*number*[*S*]
+   Kernel memory limit; *S* is an optional suffix which can be one of **b**, **k**, **m**, or **g**.
+
+   Constrains the kernel memory available to a container. If a limit of 0
+is specified (not using **--kernel-memory**), the container's kernel memory
+is not limited. If you specify a limit, it may be rounded up to a multiple
+of the operating system's page size and the value can be very large,
+millions of trillions.
+
+**--label-file**=[]
+   Read in a line delimited file of labels
+
+**--link**=*name-or-id*[:*alias*]
+   Add link to another container.
+
+   If the operator
+uses **--link** when starting the new client container, then the client
+container can access the exposed port via a private networking interface. Docker
+will set some environment variables in the client container to help indicate
+which interface and port to use.
+
+**--link-local-ip**=[]
+   Add one or more link-local IPv4/IPv6 addresses to the container's interface
+
+**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
+  Logging driver for the container. Default is defined by daemon **--log-driver** flag.
+  **Warning**: the `docker logs` command works only for the `json-file` and
+  `journald` logging drivers.
+
+**--log-opt**=[]
+  Logging driver specific options.
+
+**-m**, **--memory**=*number*[*S]
+   Memory limit; *S* is an optional suffix which can be one of **b**, **k**, **m**, or **g**.
+
+   Allows you to constrain the memory available to a container. If the host
+supports swap memory, then the **-m** memory setting can be larger than physical
+RAM. If a limit of 0 is specified (not using **-m**), the container's memory is
+not limited. The actual limit may be rounded up to a multiple of the operating
+system's page size (the value would be very large, that's millions of trillions).
+
+**--memory-reservation**=*number*[*S]
+   Memory soft limit; *S* is an optional suffix which can be one of **b**, **k**, **m**, or **g**.
+
+   After setting memory reservation, when the system detects memory contention
+or low memory, containers are forced to restrict their consumption to their
+reservation. So you should always set the value below **--memory**, otherwise the
+hard limit will take precedence. By default, memory reservation will be the same
+as memory limit.
+
+**--memory-swap**=*number*[*S*]
+   Combined memory plus swap limit; *S* is an optional suffix which can be one of **b**, **k**, **m**, or **g**.
+
+   This option can only be used together with **--memory**. The argument should always be larger than that of **--memory**. Default is double the value of **--memory**. Set to **-1** to enable unlimited swap.
+
+**--mac-address**=""
+   Container MAC address (e.g., **92:d0:c6:0a:29:33**)
+
+   Remember that the MAC address in an Ethernet network must be unique.
+The IPv6 link-local address will be based on the device's MAC address
+according to RFC4862.
+
+**--mount** **type=**_TYPE_,*TYPE-SPECIFIC-OPTION*[,...]
+   Attach a filesystem mount to the container
+
+   Current supported mount `TYPES` are `bind`, `volume`, and `tmpfs`.
+
+   e.g.
+
+   `type=bind,source=/path/on/host,destination=/path/in/container`
+
+   `type=volume,source=my-volume,destination=/path/in/container,volume-label="color=red",volume-label="shape=round"`
+
+   `type=tmpfs,tmpfs-size=512M,destination=/path/in/container`
+
+   Common Options:
+
+   * `src`, `source`: mount source spec for `bind` and `volume`. Mandatory for `bind`.
+   * `dst`, `destination`, `target`: mount destination spec.
+   * `ro`, `read-only`: `true` or `false` (default).
+
+   Options specific to `bind`:
+
+   * `bind-propagation`: `shared`, `slave`, `private`, `rshared`, `rslave`, or `rprivate`(default). See also `mount(2)`.
+   * `consistency`: `consistent`(default), `cached`, or `delegated`. Currently, only effective for Docker for Mac.
+
+   Options specific to `volume`:
+
+   * `volume-driver`: Name of the volume-driver plugin.
+   * `volume-label`: Custom metadata.
+   * `volume-nocopy`: `true`(default) or `false`. If set to `false`, the Engine copies existing files and directories under the mount-path into the volume, allowing the host to access them.
+   * `volume-opt`: specific to a given volume driver.
+
+   Options specific to `tmpfs`:
+
+   * `tmpfs-size`: Size of the tmpfs mount in bytes. Unlimited by default in Linux.
+   * `tmpfs-mode`: File mode of the tmpfs in octal. (e.g. `700` or `0700`.) Defaults to `1777` in Linux.
+
+**--name**=""
+   Assign a name to the container
+
+   The operator can identify a container in three ways:
+
+| Identifier type       | Example value                                                      |
+|:----------------------|:-------------------------------------------------------------------|
+| UUID long identifier  | "f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778" |
+| UUID short identifier | "f78375b1c487"                                                     |
+| Name                  | "evil_ptolemy"                                                     |
+
+   The UUID identifiers come from the Docker daemon, and if a name is not assigned
+to the container with **--name** then the daemon will also generate a random
+string name. The name is useful when defining links (see **--link**) (or any
+other place you need to identify a container). This works for both background
+and foreground Docker containers.
+
+**--network**=*type*
+   Set the Network mode for the container. Supported values are:
+
+| Value                       | Description                                                                              |
+|:----------------------------|:-----------------------------------------------------------------------------------------|
+| **none**                    | No networking in the container.                                                          |
+| **bridge**                  | Connect the container to the default Docker bridge via veth interfaces.                  |
+| **host**                    | Use the host's network stack inside the container.                                       |
+| **container:**_name_|_id_   | Use the network stack of another container, specified via its _name_ or _id_.            |
+| _network-name_|_network-id_ | Connects the container to a user created network (using `docker network create` command) |
+
+Default is **bridge**.
+
+**--network-alias**=[]
+   Add network-scoped alias for the container
+
+**--oom-kill-disable**=*true*|*false*
+   Whether to disable OOM Killer for the container or not.
+
+**--oom-score-adj**=""
+   Tune the host's OOM preferences for containers (accepts -1000 to 1000)
+
+**-P**, **--publish-all**=*true*|*false*
+   Publish all exposed ports to random ports on the host interfaces. The default is *false*.
+
+   When set to true publish all exposed ports to the host interfaces. The
+default is false. If the operator uses -P (or -p) then Docker will make the
+exposed port accessible on the host and the ports will be available to any
+client that can reach the host. When using -P, Docker will bind any exposed
+port to a random port on the host within an *ephemeral port range* defined by
+`/proc/sys/net/ipv4/ip_local_port_range`. To find the mapping between the host
+ports and the exposed ports, use `docker port`(1).
+
+**-p**, **--publish** *ip*:[*hostPort*]:*containerPort* | [*hostPort*:]*containerPort*
+   Publish a container's port, or range of ports, to the host.
+
+Both *hostPort* and *containerPort* can be specified as a range.
+When specifying ranges for both, the number of ports in ranges should be equal.
+
+Examples: **-p 1234-1236:1222-1224**, **-p 127.0.0.1:$HOSTPORT:$CONTAINERPORT**.
+
+Use `docker port`(1) to see the actual mapping, e.g. `docker port CONTAINER $CONTAINERPORT`.
+
+**--pid**=""
+   Set the PID mode for the container
+   Default is to create a private PID namespace for the container
+                               'container:<name|id>': join another container's PID namespace
+                               'host': use the host's PID namespace for the container. Note: the host mode gives the container full access to local PID and is therefore considered insecure.
+
+**--userns**=""
+   Set the usernamespace mode for the container when `userns-remap` option is enabled.
+     **host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
+
+**--pids-limit**=""
+   Tune the container's pids (process IDs) limit. Set to `-1` to have unlimited pids for the container.
+
+**--uts**=*type*
+   Set the UTS mode for the container. The only possible *type* is **host**, meaning to
+use the host's UTS namespace inside the container.
+     Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
+
+**--privileged** [**true**|**false**]
+   Give extended privileges to this container. A "privileged" container is given access to all devices.
+
+   When the operator executes **docker run --privileged**, Docker will enable access
+to all devices on the host as well as set some configuration in AppArmor to
+allow the container nearly all the same access to the host as processes running
+outside of a container on the host.
+
+**--read-only**=**true**|**false**
+   Mount the container's root filesystem as read only.
+
+   By default a container will have its root filesystem writable allowing processes
+to write files anywhere.  By specifying the `--read-only` flag the container will have
+its root filesystem mounted as read only prohibiting any writes.
+
+**--restart** *policy*
+   Restart policy to apply when a container exits. Supported values are:
+
+| Policy                         | Result                |
+|:-------------------------------|:----------------------|
+| **no**                         | Do not automatically restart the container when it exits. |
+| **on-failure**[:_max-retries_] | Restart only if the container exits with a non-zero exit status. Optionally, limit the number of restart retries the Docker daemon attempts. |
+| **always**                     | Always restart the container regardless of the exit status. When you specify always, the Docker daemon will try to restart the container indefinitely. The container will also always start on daemon startup, regardless of the current state of the container. |
+| **unless-stopped**             | Always restart the container regardless of the exit status, but do not start it on daemon startup if the container has been put to a stopped state before. |
+
+Default is **no**.
+
+**--rm** **true**|**false**
+   Automatically remove the container when it exits. The default is **false**.
+   `--rm` flag can work together with `-d`, and auto-removal will be done on daemon side. Note that it's
+incompatible with any restart policy other than `none`.
+
+**--security-opt** *value*[,...]
+   Security Options for the container. The following options can be given:
+
+    "label=user:USER"   : Set the label user for the container
+    "label=role:ROLE"   : Set the label role for the container
+    "label=type:TYPE"   : Set the label type for the container
+    "label=level:LEVEL" : Set the label level for the container
+    "label=disable"     : Turn off label confinement for the container
+    "no-new-privileges" : Disable container processes from gaining additional privileges
+
+    "seccomp=unconfined" : Turn off seccomp confinement for the container
+    "seccomp=profile.json :  White listed syscalls seccomp Json file to be used as a seccomp filter
+
+    "apparmor=unconfined" : Turn off apparmor confinement for the container
+    "apparmor=your-profile" : Set the apparmor confinement profile for the container
+
+**--storage-opt**
+   Storage driver options per container
+
+   $ docker run -it --storage-opt size=120G fedora /bin/bash
+
+   This (size) will allow to set the container rootfs size to 120G at creation time.
+   This option is only available for the `devicemapper`, `btrfs`, `overlay2`  and `zfs` graph drivers.
+   For the `devicemapper`, `btrfs` and `zfs` storage drivers, user cannot pass a size less than the Default BaseFS Size.
+   For the `overlay2` storage driver, the size option is only available if the backing fs is `xfs` and mounted with the `pquota` mount option.
+   Under these conditions, user can pass any size less than the backing fs size.
+
+**--stop-signal**=*SIGTERM*
+  Signal to stop a container. Default is SIGTERM.
+
+**--stop-timeout**=*10*
+  Timeout (in seconds) to stop a container. Default is 10.
+
+**--shm-size**=""
+   Size of `/dev/shm`. The format is `<number><unit>`.
+   `number` must be greater than `0`.  Unit is optional and can be `b` (bytes), `k` (kilobytes), `m`(megabytes), or `g` (gigabytes).
+   If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`.
+
+**--sysctl**=SYSCTL
+  Configure namespaced kernel parameters at runtime
+
+  IPC Namespace - current sysctls allowed:
+
+  kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
+  Sysctls beginning with fs.mqueue.*
+
+  If you use the `--ipc=host` option these sysctls will not be allowed.
+
+  Network Namespace - current sysctls allowed:
+      Sysctls beginning with net.*
+
+  If you use the `--network=host` option these sysctls will not be allowed.
+
+**--sig-proxy**=*true*|*false*
+   Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*.
+
+**--memory-swappiness**=""
+   Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
+
+**-t**, **--tty**=*true*|*false*
+   Allocate a pseudo-TTY. The default is *false*.
+
+   When set to true Docker can allocate a pseudo-tty and attach to the standard
+input of any container. This can be used, for example, to run a throwaway
+interactive shell. The default is false.
+
+The **-t** option is incompatible with a redirection of the docker client
+standard input.
+
+**--tmpfs**=[] Create a tmpfs mount
+
+   Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
+
+   $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
+
+   This command mounts a `tmpfs` at `/tmp` within the container.  The supported mount
+options are the same as the Linux default `mount` flags. If you do not specify
+any options, the systems uses the following options:
+`rw,noexec,nosuid,nodev,size=65536k`.
+
+   See also `--mount`, which is the successor of `--tmpfs` and `--volume`.
+   Even though there is no plan to deprecate `--tmpfs`, usage of `--mount` is recommended.
+
+**-u**, **--user**=""
+   Sets the username or UID used and optionally the groupname or GID for the specified command.
+
+   The followings examples are all valid:
+   --user [user | user:group | uid | uid:gid | user:gid | uid:group ]
+
+   Without this argument the command will be run as root in the container.
+
+**--ulimit**=[]
+    Ulimit options
+
+**-v**|**--volume**[=*[[HOST-DIR:]CONTAINER-DIR[:OPTIONS]]*]
+   Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, Docker
+   bind mounts `/HOST-DIR` in the host to `/CONTAINER-DIR` in the Docker
+   container. If 'HOST-DIR' is omitted,  Docker automatically creates the new
+   volume on the host.  The `OPTIONS` are a comma delimited list and can be:
+
+   * [rw|ro]
+   * [z|Z]
+   * [`[r]shared`|`[r]slave`|`[r]private`]
+   * [`delegated`|`cached`|`consistent`]
+   * [nocopy]
+
+The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The `HOST-DIR`
+can be an absolute path or a `name` value. A `name` value must start with an
+alphanumeric character, followed by `a-z0-9`, `_` (underscore), `.` (period) or
+`-` (hyphen). An absolute path starts with a `/` (forward slash).
+
+If you supply a `HOST-DIR` that is an absolute path,  Docker bind-mounts to the
+path you specify. If you supply a `name`, Docker creates a named volume by that
+`name`. For example, you can specify either `/foo` or `foo` for a `HOST-DIR`
+value. If you supply the `/foo` value, Docker creates a bind mount. If you
+supply the `foo` specification, Docker creates a named volume.
+
+You can specify multiple  **-v** options to mount one or more mounts to a
+container. To use these same mounts in other containers, specify the
+**--volumes-from** option also.
+
+You can supply additional options for each bind mount following an additional
+colon.  A `:ro` or `:rw` suffix mounts a volume in read-only or read-write
+mode, respectively. By default, volumes are mounted in read-write mode.
+You can also specify the consistency requirement for the mount, either
+`:consistent` (the default), `:cached`, or `:delegated`.  Multiple options are
+separated by commas, e.g. `:ro,cached`.
+
+Labeling systems like SELinux require that proper labels are placed on volume
+content mounted into a container. Without a label, the security system might
+prevent the processes running inside the container from using the content. By
+default, Docker does not change the labels set by the OS.
+
+To change a label in the container context, you can add either of two suffixes
+`:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file
+objects on the shared volumes. The `z` option tells Docker that two containers
+share the volume content. As a result, Docker labels the content with a shared
+content label. Shared volume labels allow all containers to read/write content.
+The `Z` option tells Docker to label the content with a private unshared label.
+Only the current container can use a private volume.
+
+By default bind mounted volumes are `private`. That means any mounts done
+inside container will not be visible on host and vice-a-versa. One can change
+this behavior by specifying a volume mount propagation property. Making a
+volume `shared` mounts done under that volume inside container will be
+visible on host and vice-a-versa. Making a volume `slave` enables only one
+way mount propagation and that is mounts done on host under that volume
+will be visible inside container but not the other way around.
+
+To control mount propagation property of volume one can use `:[r]shared`,
+`:[r]slave` or `:[r]private` propagation flag. Propagation property can
+be specified only for bind mounted volumes and not for internal volumes or
+named volumes. For mount propagation to work source mount point (mount point
+where source dir is mounted on) has to have right propagation properties. For
+shared volumes, source mount point has to be shared. And for slave volumes,
+source mount has to be either shared or slave.
+
+Use `df <source-dir>` to figure out the source mount and then use
+`findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out propagation
+properties of source mount. If `findmnt` utility is not available, then one
+can look at mount entry for source mount point in `/proc/self/mountinfo`. Look
+at `optional fields` and see if any propagation properties are specified.
+`shared:X` means mount is `shared`, `master:X` means mount is `slave` and if
+nothing is there that means mount is `private`.
+
+To change propagation properties of a mount point use `mount` command. For
+example, if one wants to bind mount source directory `/foo` one can do
+`mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This
+will convert /foo into a `shared` mount point. Alternatively one can directly
+change propagation properties of source mount. Say `/` is source mount for
+`/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.
+
+> **Note**:
+> When using systemd to manage the Docker daemon's start and stop, in the systemd
+> unit file there is an option to control mount propagation for the Docker daemon
+> itself, called `MountFlags`. The value of this setting may cause Docker to not
+> see mount propagation changes made on the mount point. For example, if this value
+> is `slave`, you may not be able to use the `shared` or `rshared` propagation on
+> a volume.
+
+To disable automatic copying of data from the container path to the volume, use
+the `nocopy` flag. The `nocopy` flag can be set on bind mounts and named volumes.
+
+See also `--mount`, which is the successor of `--tmpfs` and `--volume`.
+Even though there is no plan to deprecate `--volume`, usage of `--mount` is recommended.
+
+**--volume-driver**=""
+   Container's volume driver. This driver creates volumes specified either from
+   a Dockerfile's `VOLUME` instruction or from the `docker run -v` flag.
+   See **docker-volume-create(1)** for full details.
+
+**--volumes-from**=[]
+   Mount volumes from the specified container(s)
+
+   Mounts already mounted volumes from a source container onto another
+   container. You must supply the source's container-id. To share
+   a volume, use the **--volumes-from** option when running
+   the target container. You can share volumes even if the source container
+   is not running.
+
+   By default, Docker mounts the volumes in the same mode (read-write or
+   read-only) as it is mounted in the source container. Optionally, you
+   can change this by suffixing the container-id with either the `:ro` or
+   `:rw ` keyword.
+
+   If the location of the volume from the source container overlaps with
+   data residing on a target container, then the volume hides
+   that data on the target.
+
+**-w**, **--workdir**=""
+   Working directory inside the container
+
+   The default working directory for
+running binaries within a container is the root directory (/). The developer can
+set a different default with the Dockerfile WORKDIR instruction. The operator
+can override the working directory by using the **-w** option.
+
+# Exit Status
+
+The exit code from `docker run` gives information about why the container
+failed to run or why it exited.  When `docker run` exits with a non-zero code,
+the exit codes follow the `chroot` standard, see below:
+
+**_125_** if the error is with Docker daemon **_itself_** 
+
+    $ docker run --foo busybox; echo $?
+    # flag provided but not defined: --foo
+      See 'docker run --help'.
+      125
+
+**_126_** if the **_contained command_** cannot be invoked
+
+    $ docker run busybox /etc; echo $?
+    # exec: "/etc": permission denied
+      docker: Error response from daemon: Contained command could not be invoked
+      126
+
+**_127_** if the **_contained command_** cannot be found
+
+    $ docker run busybox foo; echo $?
+    # exec: "foo": executable file not found in $PATH
+      docker: Error response from daemon: Contained command not found or does not exist
+      127
+
+**_Exit code_** of **_contained command_** otherwise 
+    
+    $ docker run busybox /bin/sh -c 'exit 3' 
+    # 3
+
+# EXAMPLES
+
+## Running container in read-only mode
+
+During container image development, containers often need to write to the image
+content.  Installing packages into /usr, for example.  In production,
+applications seldom need to write to the image.  Container applications write
+to volumes if they need to write to file systems at all.  Applications can be
+made more secure by running them in read-only mode using the --read-only switch.
+This protects the containers image from modification. Read only containers may
+still need to write temporary data.  The best way to handle this is to mount
+tmpfs directories on /run and /tmp.
+
+    # docker run --read-only --tmpfs /run --tmpfs /tmp -i -t fedora /bin/bash
+
+## Exposing log messages from the container to the host's log
+
+If you want messages that are logged in your container to show up in the host's
+syslog/journal then you should bind mount the /dev/log directory as follows.
+
+    # docker run -v /dev/log:/dev/log -i -t fedora /bin/bash
+
+From inside the container you can test this by sending a message to the log.
+
+    (bash)# logger "Hello from my container"
+
+Then exit and check the journal.
+
+    # exit
+
+    # journalctl -b | grep Hello
+
+This should list the message sent to logger.
+
+## Attaching to one or more from STDIN, STDOUT, STDERR
+
+If you do not specify -a then Docker will attach everything (stdin,stdout,stderr)
+. You can specify to which of the three standard streams (stdin, stdout, stderr)
+you'd like to connect instead, as in:
+
+    # docker run -a stdin -a stdout -i -t fedora /bin/bash
+
+## Sharing IPC between containers
+
+Using shm_server.c available here: https://www.cs.cf.ac.uk/Dave/C/node27.html
+
+Testing `--ipc=host` mode:
+
+Host shows a shared memory segment with 7 pids attached, happens to be from httpd:
+
+```
+ $ sudo ipcs -m
+
+ ------ Shared Memory Segments --------
+ key        shmid      owner      perms      bytes      nattch     status      
+ 0x01128e25 0          root       600        1000       7                       
+```
+
+Now run a regular container, and it correctly does NOT see the shared memory segment from the host:
+
+```
+ $ docker run -it shm ipcs -m
+
+ ------ Shared Memory Segments --------
+ key        shmid      owner      perms      bytes      nattch     status      
+```
+
+Run a container with the new `--ipc=host` option, and it now sees the shared memory segment from the host httpd:
+
+ ```
+ $ docker run -it --ipc=host shm ipcs -m
+
+ ------ Shared Memory Segments --------
+ key        shmid      owner      perms      bytes      nattch     status      
+ 0x01128e25 0          root       600        1000       7                   
+```
+Testing `--ipc=container:CONTAINERID` mode:
+
+Start a container with a program to create a shared memory segment:
+```
+ $ docker run -it shm bash
+ $ sudo shm/shm_server &
+ $ sudo ipcs -m
+
+ ------ Shared Memory Segments --------
+ key        shmid      owner      perms      bytes      nattch     status      
+ 0x0000162e 0          root       666        27         1                       
+```
+Create a 2nd container correctly shows no shared memory segment from 1st container:
+```
+ $ docker run shm ipcs -m
+
+ ------ Shared Memory Segments --------
+ key        shmid      owner      perms      bytes      nattch     status      
+```
+
+Create a 3rd container using the new --ipc=container:CONTAINERID option, now it shows the shared memory segment from the first:
+
+```
+ $ docker run -it --ipc=container:ed735b2264ac shm ipcs -m
+ $ sudo ipcs -m
+
+ ------ Shared Memory Segments --------
+ key        shmid      owner      perms      bytes      nattch     status      
+ 0x0000162e 0          root       666        27         1
+```
+
+## Linking Containers
+
+> **Note**: This section describes linking between containers on the
+> default (bridge) network, also known as "legacy links". Using `--link`
+> on user-defined networks uses the DNS-based discovery, which does not add
+> entries to `/etc/hosts`, and does not set environment variables for
+> discovery.
+
+The link feature allows multiple containers to communicate with each other. For
+example, a container whose Dockerfile has exposed port 80 can be run and named
+as follows:
+
+    # docker run --name=link-test -d -i -t fedora/httpd
+
+A second container, in this case called linker, can communicate with the httpd
+container, named link-test, by running with the **--link=<name>:<alias>**
+
+    # docker run -t -i --link=link-test:lt --name=linker fedora /bin/bash
+
+Now the container linker is linked to container link-test with the alias lt.
+Running the **env** command in the linker container shows environment variables
+ with the LT (alias) context (**LT_**)
+
+    # env
+    HOSTNAME=668231cb0978
+    TERM=xterm
+    LT_PORT_80_TCP=tcp://172.17.0.3:80
+    LT_PORT_80_TCP_PORT=80
+    LT_PORT_80_TCP_PROTO=tcp
+    LT_PORT=tcp://172.17.0.3:80
+    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+    PWD=/
+    LT_NAME=/linker/lt
+    SHLVL=1
+    HOME=/
+    LT_PORT_80_TCP_ADDR=172.17.0.3
+    _=/usr/bin/env
+
+When linking two containers Docker will use the exposed ports of the container
+to create a secure tunnel for the parent to access.
+
+If a container is connected to the default bridge network and `linked`
+with other containers, then the container's `/etc/hosts` file is updated
+with the linked container's name.
+
+> **Note** Since Docker may live update the container's `/etc/hosts` file, there
+may be situations when processes inside the container can end up reading an
+empty or incomplete `/etc/hosts` file. In most cases, retrying the read again
+should fix the problem.
+
+
+## Mapping Ports for External Usage
+
+The exposed port of an application can be mapped to a host port using the **-p**
+flag. For example, an httpd port 80 can be mapped to the host port 8080 using the
+following:
+
+    # docker run -p 8080:80 -d -i -t fedora/httpd
+
+## Creating and Mounting a Data Volume Container
+
+Many applications require the sharing of persistent data across several
+containers. Docker allows you to create a Data Volume Container that other
+containers can mount from. For example, create a named container that contains
+directories /var/volume1 and /tmp/volume2. The image will need to contain these
+directories so a couple of RUN mkdir instructions might be required for you
+fedora-data image:
+
+    # docker run --name=data -v /var/volume1 -v /tmp/volume2 -i -t fedora-data true
+    # docker run --volumes-from=data --name=fedora-container1 -i -t fedora bash
+
+Multiple --volumes-from parameters will bring together multiple data volumes from
+multiple containers. And it's possible to mount the volumes that came from the
+DATA container in yet another container via the fedora-container1 intermediary
+container, allowing to abstract the actual data source from users of that data:
+
+    # docker run --volumes-from=fedora-container1 --name=fedora-container2 -i -t fedora bash
+
+## Mounting External Volumes
+
+To mount a host directory as a container volume, specify the absolute path to
+the directory and the absolute path for the container directory separated by a
+colon:
+
+    # docker run -v /var/db:/data1 -i -t fedora bash
+
+When using SELinux, be aware that the host has no knowledge of container SELinux
+policy. Therefore, in the above example, if SELinux policy is enforced, the
+`/var/db` directory is not writable to the container. A "Permission Denied"
+message will occur and an avc: message in the host's syslog.
+
+
+To work around this, at time of writing this man page, the following command
+needs to be run in order for the proper SELinux policy type label to be attached
+to the host directory:
+
+    # chcon -Rt svirt_sandbox_file_t /var/db
+
+
+Now, writing to the /data1 volume in the container will be allowed and the
+changes will also be reflected on the host in /var/db.
+
+## Using alternative security labeling
+
+You can override the default labeling scheme for each container by specifying
+the `--security-opt` flag. For example, you can specify the MCS/MLS level, a
+requirement for MLS systems. Specifying the level in the following command
+allows you to share the same content between containers.
+
+    # docker run --security-opt label=level:s0:c100,c200 -i -t fedora bash
+
+An MLS example might be:
+
+    # docker run --security-opt label=level:TopSecret -i -t rhel7 bash
+
+To disable the security labeling for this container versus running with the
+`--permissive` flag, use the following command:
+
+    # docker run --security-opt label=disable -i -t fedora bash
+
+If you want a tighter security policy on the processes within a container,
+you can specify an alternate type for the container. You could run a container
+that is only allowed to listen on Apache ports by executing the following
+command:
+
+    # docker run --security-opt label=type:svirt_apache_t -i -t centos bash
+
+Note:
+
+You would have to write policy defining a `svirt_apache_t` type.
+
+## Setting device weight
+
+If you want to set `/dev/sda` device weight to `200`, you can specify the device
+weight by `--blkio-weight-device` flag. Use the following command:
+
+    # docker run -it --blkio-weight-device "/dev/sda:200" ubuntu
+
+## Specify isolation technology for container (--isolation)
+
+This option is useful in situations where you are running Docker containers on
+Microsoft Windows. The `--isolation <value>` option sets a container's isolation
+technology. On Linux, the only supported is the `default` option which uses
+Linux namespaces. These two commands are equivalent on Linux:
+
+```
+$ docker run -d busybox top
+$ docker run -d --isolation default busybox top
+```
+
+On Microsoft Windows, can take any of these values:
+
+* `default`: Use the value specified by the Docker daemon's `--exec-opt` . If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value.
+* `process`: Namespace isolation only.
+* `hyperv`: Hyper-V hypervisor partition-based isolation.
+
+In practice, when running on Microsoft Windows without a `daemon` option set,  these two commands are equivalent:
+
+```
+$ docker run -d --isolation default busybox top
+$ docker run -d --isolation process busybox top
+```
+
+If you have set the `--exec-opt isolation=hyperv` option on the Docker `daemon`, any of these commands also result in `hyperv` isolation:
+
+```
+$ docker run -d --isolation default busybox top
+$ docker run -d --isolation hyperv busybox top
+```
+
+## Setting Namespaced Kernel Parameters (Sysctls)
+
+The `--sysctl` sets namespaced kernel parameters (sysctls) in the
+container. For example, to turn on IP forwarding in the containers
+network namespace, run this command:
+
+    $ docker run --sysctl net.ipv4.ip_forward=1 someimage
+
+Note:
+
+Not all sysctls are namespaced. Docker does not support changing sysctls
+inside of a container that also modify the host system. As the kernel 
+evolves we expect to see more sysctls become namespaced.
+
+See the definition of the `--sysctl` option above for the current list of 
+supported sysctls.
+
+# HISTORY
+April 2014, Originally compiled by William Henry (whenry at redhat dot com)
+based on docker.com source material and internal work.
+June 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
+July 2014, updated by Sven Dowideit <SvenDowideit@home.org.au>
+November 2015, updated by Sally O'Malley <somalley@redhat.com>
diff --git a/cli/man/docker.1.md b/cli/man/docker.1.md
new file mode 100644
index 00000000..abedb45c
--- /dev/null
+++ b/cli/man/docker.1.md
@@ -0,0 +1,70 @@
+% DOCKER(1) Docker User Manuals
+% William Henry
+% APRIL 2014
+# NAME
+docker \- Docker image and container command line interface
+
+# SYNOPSIS
+**docker** [OPTIONS] COMMAND [ARG...]
+
+**docker** [--help|-v|--version]
+
+# DESCRIPTION
+**docker** is a client for interacting with the daemon (see **dockerd(8)**) through the CLI.
+
+The Docker CLI has over 30 commands. The commands are listed below and each has
+its own man page which explain usage and arguments.
+
+To see the man page for a command run **man docker <command>**.
+
+# OPTIONS
+**--help**
+  Print usage statement
+
+**--config**=""
+  Specifies the location of the Docker client configuration files. The default is '~/.docker'.
+
+**-D**, **--debug**=*true*|*false*
+  Enable debug mode. Default is false.
+
+**-H**, **--host**=[*unix:///var/run/docker.sock*]: tcp://[host]:[port][path] to bind or
+unix://[/path/to/socket] to use.
+  The socket(s) to bind to in daemon mode specified using one or more
+  tcp://host:port/path, unix:///path/to/socket, fd://* or fd://socketfd.
+  If the tcp port is not specified, then it will default to either `2375` when
+  `--tls` is off, or `2376` when `--tls` is on, or `--tlsverify` is specified.
+
+**-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
+  Set the logging level. Default is `info`.
+
+**--tls**=*true*|*false*
+  Use TLS; implied by --tlsverify. Default is false.
+
+**--tlscacert**=*~/.docker/ca.pem*
+  Trust certs signed only by this CA.
+
+**--tlscert**=*~/.docker/cert.pem*
+  Path to TLS certificate file.
+
+**--tlskey**=*~/.docker/key.pem*
+  Path to TLS key file.
+
+**--tlsverify**=*true*|*false*
+  Use TLS and verify the remote (daemon: verify client, client: verify daemon).
+  Default is false.
+
+**-v**, **--version**=*true*|*false*
+  Print version information and quit. Default is false.
+
+# COMMANDS
+
+Use "docker help" or "docker --help" to get an overview of available commands.
+
+# EXAMPLES
+For specific client examples please see the man page for the specific Docker
+command. For example:
+
+    man docker-run
+
+# HISTORY
+April 2014, Originally compiled by William Henry (whenry at redhat dot com) based on docker.com source material and internal work.
diff --git a/cli/man/dockerd.8.md b/cli/man/dockerd.8.md
new file mode 100644
index 00000000..02240359
--- /dev/null
+++ b/cli/man/dockerd.8.md
@@ -0,0 +1,839 @@
+% DOCKER(8) Docker User Manuals
+% Shishir Mahajan
+% SEPTEMBER 2015
+# NAME
+dockerd - Enable daemon mode
+
+# SYNOPSIS
+**dockerd**
+[**--add-runtime**[=*[]*]]
+[**--allow-nondistributable-artifacts**[=*[]*]]
+[**--api-cors-header**=[=*API-CORS-HEADER*]]
+[**--authorization-plugin**[=*[]*]]
+[**-b**|**--bridge**[=*BRIDGE*]]
+[**--bip**[=*BIP*]]
+[**--cgroup-parent**[=*[]*]]
+[**--cluster-store**[=*[]*]]
+[**--cluster-advertise**[=*[]*]]
+[**--cluster-store-opt**[=*map[]*]]
+[**--config-file**[=*/etc/docker/daemon.json*]]
+[**--containerd**[=*SOCKET-PATH*]]
+[**--data-root**[=*/var/lib/docker*]]
+[**-D**|**--debug**]
+[**--default-gateway**[=*DEFAULT-GATEWAY*]]
+[**--default-gateway-v6**[=*DEFAULT-GATEWAY-V6*]]
+[**--default-address-pool**[=*DEFAULT-ADDRESS-POOL*]]
+[**--default-runtime**[=*runc*]]
+[**--default-ipc-mode**=*MODE*]
+[**--default-shm-size**[=*64MiB*]]
+[**--default-ulimit**[=*[]*]]
+[**--dns**[=*[]*]]
+[**--dns-opt**[=*[]*]]
+[**--dns-search**[=*[]*]]
+[**--exec-opt**[=*[]*]]
+[**--exec-root**[=*/var/run/docker*]]
+[**--experimental**[=*false*]]
+[**--fixed-cidr**[=*FIXED-CIDR*]]
+[**--fixed-cidr-v6**[=*FIXED-CIDR-V6*]]
+[**-G**|**--group**[=*docker*]]
+[**-H**|**--host**[=*[]*]]
+[**--help**]
+[**--icc**[=*true*]]
+[**--init**[=*false*]]
+[**--init-path**[=*""*]]
+[**--insecure-registry**[=*[]*]]
+[**--ip**[=*0.0.0.0*]]
+[**--ip-forward**[=*true*]]
+[**--ip-masq**[=*true*]]
+[**--iptables**[=*true*]]
+[**--ipv6**]
+[**--isolation**[=*default*]]
+[**-l**|**--log-level**[=*info*]]
+[**--label**[=*[]*]]
+[**--live-restore**[=*false*]]
+[**--log-driver**[=*json-file*]]
+[**--log-opt**[=*map[]*]]
+[**--mtu**[=*0*]]
+[**--max-concurrent-downloads**[=*3*]]
+[**--max-concurrent-uploads**[=*5*]]
+[**--node-generic-resources**[=*[]*]]
+[**-p**|**--pidfile**[=*/var/run/docker.pid*]]
+[**--raw-logs**]
+[**--registry-mirror**[=*[]*]]
+[**-s**|**--storage-driver**[=*STORAGE-DRIVER*]]
+[**--seccomp-profile**[=*SECCOMP-PROFILE-PATH*]]
+[**--selinux-enabled**]
+[**--shutdown-timeout**[=*15*]]
+[**--storage-opt**[=*[]*]]
+[**--swarm-default-advertise-addr**[=*IP|INTERFACE*]]
+[**--tls**]
+[**--tlscacert**[=*~/.docker/ca.pem*]]
+[**--tlscert**[=*~/.docker/cert.pem*]]
+[**--tlskey**[=*~/.docker/key.pem*]]
+[**--tlsverify**]
+[**--userland-proxy**[=*true*]]
+[**--userland-proxy-path**[=*""*]]
+[**--userns-remap**[=*default*]]
+
+# DESCRIPTION
+**dockerd** is used for starting the Docker daemon (i.e., to command the daemon
+to manage images, containers etc).  So **dockerd** is a server, as a daemon.
+
+To run the Docker daemon you can specify **dockerd**.
+You can check the daemon options using **dockerd --help**.
+Daemon options should be specified after the **dockerd** keyword in the
+following format.
+
+**dockerd [OPTIONS]**
+
+# OPTIONS
+
+**--add-runtime**=[]
+  Runtimes can be registered with the daemon either via the
+configuration file or using the `--add-runtime` command line argument.
+
+  The following is an example adding 2 runtimes via the configuration:
+
+```json
+{
+	"default-runtime": "runc",
+	"runtimes": {
+		"runc": {
+			"path": "runc"
+		},
+		"custom": {
+			"path": "/usr/local/bin/my-runc-replacement",
+			"runtimeArgs": [
+				"--debug"
+			]
+		}
+	}
+}
+```
+
+  This is the same example via the command line:
+
+```bash
+$ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
+```
+
+  **Note**: defining runtime arguments via the command line is not supported.
+
+**--allow-nondistributable-artifacts**=[]
+  Push nondistributable artifacts to the specified registries.
+
+  List can contain elements with CIDR notation to specify a whole subnet.
+
+  This option is useful when pushing images containing nondistributable
+  artifacts to a registry on an air-gapped network so hosts on that network can
+  pull the images without connecting to another server.
+
+  **Warning**: Nondistributable artifacts typically have restrictions on how
+  and where they can be distributed and shared. Only use this feature to push
+  artifacts to private registries and ensure that you are in compliance with
+  any terms that cover redistributing nondistributable artifacts.
+
+**--api-cors-header**=""
+  Set CORS headers in the Engine API. Default is cors disabled. Give urls like
+  "http://foo, http://bar, ...". Give "*" to allow all.
+
+**--authorization-plugin**=""
+  Set authorization plugins to load
+
+**-b**, **--bridge**=""
+  Attach containers to a pre\-existing network bridge; use 'none' to disable
+  container networking
+
+**--bip**=""
+  Use the provided CIDR notation address for the dynamically created bridge
+  (docker0); Mutually exclusive of \-b
+
+**--cgroup-parent**=""
+  Set parent cgroup for all containers. Default is "/docker" for fs cgroup
+  driver and "system.slice" for systemd cgroup driver.
+
+**--cluster-store**=""
+  URL of the distributed storage backend
+
+**--cluster-advertise**=""
+  Specifies the 'host:port' or `interface:port` combination that this
+  particular daemon instance should use when advertising itself to the cluster.
+  The daemon is reached through this value.
+
+**--cluster-store-opt**=""
+  Specifies options for the Key/Value store.
+
+**--config-file**="/etc/docker/daemon.json"
+  Specifies the JSON file path to load the configuration from.
+
+**--containerd**=""
+  Path to containerd socket.
+
+**--data-root**=""
+  Path to the directory used to store persisted Docker data such as
+  configuration for resources, swarm cluster state, and filesystem data for
+  images, containers, and local volumes. Default is `/var/lib/docker`.
+
+**-D**, **--debug**=*true*|*false*
+  Enable debug mode. Default is false.
+
+**--default-gateway**=""
+  IPv4 address of the container default gateway; this address must be part of
+  the bridge subnet (which is defined by \-b or \--bip)
+
+**--default-gateway-v6**=""
+  IPv6 address of the container default gateway
+
+**--default-address-pool**=""
+  Default address pool from which IPAM driver selects a subnet for the networks.
+  Example: base=172.30.0.0/16,size=24 will set the default
+  address pools for the selected scope networks to {172.30.[0-255].0/24}
+
+**--default-runtime**="runc"
+  Set default runtime if there're more than one specified by `--add-runtime`.
+
+**--default-ipc-mode**="**private**|**shareable**"
+  Set the default IPC mode for newly created containers. The argument
+  can either be **private** or **shareable**.
+
+**--default-shm-size**=*64MiB*
+  Set the daemon-wide default shm size for containers. Default is `64MiB`.
+
+**--default-ulimit**=[]
+  Default ulimits for containers.
+
+**--dns**=""
+  Force Docker to use specific DNS servers
+
+**--dns-opt**=""
+  DNS options to use.
+
+**--dns-search**=[]
+  DNS search domains to use.
+
+**--exec-opt**=[]
+  Set runtime execution options. See RUNTIME EXECUTION OPTIONS.
+
+**--exec-root**=""
+  Path to use as the root of the Docker execution state files. Default is
+  `/var/run/docker`.
+
+**--experimental**=""
+  Enable the daemon experimental features.
+
+**--fixed-cidr**=""
+  IPv4 subnet for fixed IPs (e.g., 10.20.0.0/16); this subnet must be nested in
+  the bridge subnet (which is defined by \-b or \-\-bip).
+
+**--fixed-cidr-v6**=""
+  IPv6 subnet for global IPv6 addresses (e.g., 2a00:1450::/64)
+
+**-G**, **--group**=""
+  Group to assign the unix socket specified by -H when running in daemon mode.
+  use '' (the empty string) to disable setting of a group. Default is `docker`.
+
+**-H**, **--host**=[*unix:///var/run/docker.sock*]: tcp://[host:port] to bind or
+unix://[/path/to/socket] to use.
+  The socket(s) to bind to in daemon mode specified using one or more
+  tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
+
+**--help**
+  Print usage statement
+
+**--icc**=*true*|*false*
+  Allow unrestricted inter\-container and Docker daemon host communication. If
+  disabled, containers can still be linked together using the **--link** option
+  (see **docker-run(1)**). Default is true.
+
+**--init**
+  Run an init process inside containers for signal forwarding and process
+  reaping.
+
+**--init-path**
+  Path to the docker-init binary.
+
+**--insecure-registry**=[]
+  Enable insecure registry communication, i.e., enable un-encrypted and/or
+  untrusted communication.
+
+  List of insecure registries can contain an element with CIDR notation to
+  specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS
+  with certificates from unknown CAs.
+
+  Enabling `--insecure-registry` is useful when running a local registry.
+  However, because its use creates security vulnerabilities it should ONLY be
+  enabled for testing purposes.  For increased security, users should add their
+  CA to their system's list of trusted CAs instead of using
+  `--insecure-registry`.
+
+**--ip**=""
+  Default IP address to use when binding container ports. Default is `0.0.0.0`.
+
+**--ip-forward**=*true*|*false*
+  Enables IP forwarding on the Docker host. The default is `true`. This flag
+  interacts with the IP forwarding setting on your host system's kernel. If
+  your system has IP forwarding disabled, this setting enables it. If your
+  system has IP forwarding enabled, setting this flag to `--ip-forward=false`
+  has no effect.
+
+  This setting will also enable IPv6 forwarding if you have both
+  `--ip-forward=true` and `--fixed-cidr-v6` set. Note that this may reject
+  Router Advertisements and interfere with the host's existing IPv6
+  configuration. For more information, please consult the documentation about
+  "Advanced Networking - IPv6".
+
+**--ip-masq**=*true*|*false*
+  Enable IP masquerading for bridge's IP range. Default is true.
+
+**--iptables**=*true*|*false*
+  Enable Docker's addition of iptables rules. Default is true.
+
+**--ipv6**=*true*|*false*
+  Enable IPv6 support. Default is false. Docker will create an IPv6-enabled
+  bridge with address fe80::1 which will allow you to create IPv6-enabled
+  containers. Use together with `--fixed-cidr-v6` to provide globally routable
+  IPv6 addresses. IPv6 forwarding will be enabled if not used with
+  `--ip-forward=false`. This may collide with your host's current IPv6
+  settings. For more information please consult the documentation about
+  "Advanced Networking - IPv6".
+
+**--isolation**="*default*"
+   Isolation specifies the type of isolation technology used by containers.
+   Note that the default on Windows server is `process`, and the default on
+   Windows client is `hyperv`. Linux only supports `default`.
+
+**-l**, **--log-level**="*debug*|*info*|*warn*|*error*|*fatal*"
+  Set the logging level. Default is `info`.
+
+**--label**="[]"
+  Set key=value labels to the daemon (displayed in `docker info`)
+
+**--live-restore**=*false*
+  Enable live restore of running containers when the daemon starts so that they
+  are not restarted. This option is applicable only for docker daemon running
+  on Linux host.
+
+**--log-driver**="*json-file*|*syslog*|*journald*|*gelf*|*fluentd*|*awslogs*|*splunk*|*etwlogs*|*gcplogs*|*none*"
+  Default driver for container logs. Default is `json-file`.
+  **Warning**: `docker logs` command works only for `json-file` logging driver.
+
+**--log-opt**=[]
+  Logging driver specific options.
+
+**--mtu**=*0*
+  Set the containers network mtu. Default is `0`.
+
+**--max-concurrent-downloads**=*3*
+  Set the max concurrent downloads for each pull. Default is `3`.
+
+**--max-concurrent-uploads**=*5*
+  Set the max concurrent uploads for each push. Default is `5`.
+
+**--node-generic-resources**=*[]*
+  Advertise user-defined resource. Default is `[]`.
+  Use this if your swarm cluster has some nodes with custom
+  resources (e.g: NVIDIA GPU, SSD, ...) and you need your services to land on
+  nodes advertising these resources.
+  Usage example: `--node-generic-resources "NVIDIA-GPU=UUID1"
+  --node-generic-resources "NVIDIA-GPU=UUID2"`
+
+
+**-p**, **--pidfile**=""
+  Path to use for daemon PID file. Default is `/var/run/docker.pid`
+
+**--raw-logs**
+  Output daemon logs in full timestamp format without ANSI coloring. If this
+  flag is not set, the daemon outputs condensed, colorized logs if a terminal
+  is detected, or full ("raw") output otherwise.
+
+**--registry-mirror**=*<scheme>://<host>*
+  Prepend a registry mirror to be used for image pulls. May be specified
+  multiple times.
+
+**-s**, **--storage-driver**=""
+  Force the Docker runtime to use a specific storage driver.
+
+**--seccomp-profile**=""
+  Path to seccomp profile.
+
+**--selinux-enabled**=*true*|*false*
+  Enable selinux support. Default is false.
+
+**--shutdown-timeout**=*15*
+  Set the shutdown timeout value in seconds. Default is `15`.
+
+**--storage-opt**=[]
+  Set storage driver options. See STORAGE DRIVER OPTIONS.
+
+**--swarm-default-advertise-addr**=*IP|INTERFACE*
+  Set default address or interface for swarm to advertise as its
+  externally-reachable address to other cluster members. This can be a
+  hostname, an IP address, or an interface such as `eth0`. A port cannot be
+  specified with this option.
+
+**--tls**=*true*|*false*
+  Use TLS; implied by --tlsverify. Default is false.
+
+**--tlscacert**=*~/.docker/ca.pem*
+  Trust certs signed only by this CA.
+
+**--tlscert**=*~/.docker/cert.pem*
+  Path to TLS certificate file.
+
+**--tlskey**=*~/.docker/key.pem*
+  Path to TLS key file.
+
+**--tlsverify**=*true*|*false*
+  Use TLS and verify the remote (daemon: verify client, client: verify daemon).
+  Default is false.
+
+**--userland-proxy**=*true*|*false*
+  Rely on a userland proxy implementation for inter-container and
+  outside-to-container loopback communications. Default is true.
+
+**--userland-proxy-path**=""
+  Path to the userland proxy binary.
+
+**--userns-remap**=*default*|*uid:gid*|*user:group*|*user*|*uid*
+  Enable user namespaces for containers on the daemon. Specifying "default"
+  will cause a new user and group to be created to handle UID and GID range
+  remapping for the user namespace mappings used for contained processes.
+  Specifying a user (or uid) and optionally a group (or gid) will cause the
+  daemon to lookup the user and group's subordinate ID ranges for use as the
+  user namespace mappings for contained processes.
+
+# STORAGE DRIVER OPTIONS
+
+Docker uses storage backends (known as "graphdrivers" in the Docker
+internals) to create writable containers from images.  Many of these
+backends use operating system level technologies and can be
+configured.
+
+Specify options to the storage backend with **--storage-opt** flags. The
+backends that currently take options are *devicemapper*, *zfs* and *btrfs*.
+Options for *devicemapper* are prefixed with *dm*, options for *zfs*
+start with *zfs* and options for *btrfs* start with *btrfs*.
+
+Specifically for devicemapper, the default is a "loopback" model which
+requires no pre-configuration, but is extremely inefficient.  Do not
+use it in production.
+
+To make the best use of Docker with the devicemapper backend, you must
+have a recent version of LVM.  Use `lvm` to create a thin pool; for
+more information see `man lvmthin`.  Then, use `--storage-opt
+dm.thinpooldev` to tell the Docker engine to use that pool for
+allocating images and container snapshots.
+
+## Devicemapper options
+
+#### dm.thinpooldev
+
+Specifies a custom block storage device to use for the thin pool.
+
+If using a block device for device mapper storage, it is best to use `lvm`
+to create and manage the thin-pool volume. This volume is then handed to Docker
+to exclusively create snapshot volumes needed for images and containers.
+
+Managing the thin-pool outside of Engine makes for the most feature-rich
+method of having Docker utilize device mapper thin provisioning as the
+backing storage for Docker containers. The highlights of the lvm-based
+thin-pool management feature include: automatic or interactive thin-pool
+resize support, dynamically changing thin-pool features, automatic thinp
+metadata checking when lvm activates the thin-pool, etc.
+
+As a fallback if no thin pool is provided, loopback files are
+created. Loopback is very slow, but can be used without any
+pre-configuration of storage. It is strongly recommended that you do
+not use loopback in production. Ensure your Engine daemon has a
+`--storage-opt dm.thinpooldev` argument provided.
+
+Example use:
+
+   $ dockerd \
+         --storage-opt dm.thinpooldev=/dev/mapper/thin-pool
+
+#### dm.directlvm_device
+
+As an alternative to manually creating a thin pool as above, Docker can
+automatically configure a block device for you.
+
+Example use:
+
+   $ dockerd \
+         --storage-opt dm.directlvm_device=/dev/xvdf
+
+##### dm.thinp_percent
+
+Sets the percentage of passed in block device to use for storage.
+
+###### Example:
+
+   $ sudo dockerd \
+        --storage-opt dm.thinp_percent=95
+
+##### `dm.thinp_metapercent`
+
+Sets the percentage of the passed in block device to use for metadata storage.
+
+###### Example:
+
+   $ sudo dockerd \
+         --storage-opt dm.thinp_metapercent=1
+
+##### dm.thinp_autoextend_threshold
+
+Sets the value of the percentage of space used before `lvm` attempts to
+autoextend the available space [100 = disabled]
+
+###### Example:
+
+   $ sudo dockerd \
+         --storage-opt dm.thinp_autoextend_threshold=80
+
+##### dm.thinp_autoextend_percent
+
+Sets the value percentage value to increase the thin pool by when `lvm`
+attempts to autoextend the available space [100 = disabled]
+
+###### Example:
+
+   $ sudo dockerd \
+         --storage-opt dm.thinp_autoextend_percent=20
+
+#### dm.basesize
+
+Specifies the size to use when creating the base device, which limits
+the size of images and containers. The default value is 10G. Note,
+thin devices are inherently "sparse", so a 10G device which is mostly
+empty doesn't use 10 GB of space on the pool. However, the filesystem
+will use more space for base images the larger the device
+is.
+
+The base device size can be increased at daemon restart which will allow
+all future images and containers (based on those new images) to be of the
+new base device size.
+
+Example use: `dockerd --storage-opt dm.basesize=50G`
+
+This will increase the base device size to 50G. The Docker daemon will throw an
+error if existing base device size is larger than 50G. A user can use
+this option to expand the base device size however shrinking is not permitted.
+
+This value affects the system-wide "base" empty filesystem that may already
+be initialized and inherited by pulled images. Typically, a change to this
+value requires additional steps to take effect:
+
+        $ sudo service docker stop
+        $ sudo rm -rf /var/lib/docker
+        $ sudo service docker start
+
+Example use: `dockerd --storage-opt dm.basesize=20G`
+
+#### dm.fs
+
+Specifies the filesystem type to use for the base device. The
+supported options are `ext4` and `xfs`. The default is `ext4`.
+
+Example use: `dockerd --storage-opt dm.fs=xfs`
+
+#### dm.mkfsarg
+
+Specifies extra mkfs arguments to be used when creating the base device.
+
+Example use: `dockerd --storage-opt "dm.mkfsarg=-O ^has_journal"`
+
+#### dm.mountopt
+
+Specifies extra mount options used when mounting the thin devices.
+
+Example use: `dockerd --storage-opt dm.mountopt=nodiscard`
+
+#### dm.use_deferred_removal
+
+Enables use of deferred device removal if `libdm` and the kernel driver
+support the mechanism.
+
+Deferred device removal means that if device is busy when devices are
+being removed/deactivated, then a deferred removal is scheduled on
+device. And devices automatically go away when last user of the device
+exits.
+
+For example, when a container exits, its associated thin device is removed. If
+that device has leaked into some other mount namespace and can't be removed,
+the container exit still succeeds and this option causes the system to schedule
+the device for deferred removal. It does not wait in a loop trying to remove a
+busy device.
+
+Example use: `dockerd --storage-opt dm.use_deferred_removal=true`
+
+#### dm.use_deferred_deletion
+
+Enables use of deferred device deletion for thin pool devices. By default,
+thin pool device deletion is synchronous. Before a container is deleted, the
+Docker daemon removes any associated devices. If the storage driver can not
+remove a device, the container deletion fails and daemon returns.
+
+`Error deleting container: Error response from daemon: Cannot destroy container`
+
+To avoid this failure, enable both deferred device deletion and deferred
+device removal on the daemon.
+
+`dockerd --storage-opt dm.use_deferred_deletion=true --storage-opt dm.use_deferred_removal=true`
+
+With these two options enabled, if a device is busy when the driver is
+deleting a container, the driver marks the device as deleted. Later, when the
+device isn't in use, the driver deletes it.
+
+In general it should be safe to enable this option by default. It will help
+when unintentional leaking of mount point happens across multiple mount
+namespaces.
+
+#### dm.loopdatasize
+
+**Note**: This option configures devicemapper loopback, which should not be
+used in production.
+
+Specifies the size to use when creating the loopback file for the "data" device
+which is used for the thin pool. The default size is 100G. The file is sparse,
+so it will not initially take up this much space.
+
+Example use: `dockerd --storage-opt dm.loopdatasize=200G`
+
+#### dm.loopmetadatasize
+
+**Note**: This option configures devicemapper loopback, which should not be
+used in production.
+
+Specifies the size to use when creating the loopback file for the "metadata"
+device which is used for the thin pool. The default size is 2G. The file is
+sparse, so it will not initially take up this much space.
+
+Example use: `dockerd --storage-opt dm.loopmetadatasize=4G`
+
+#### dm.datadev
+
+(Deprecated, use `dm.thinpooldev`)
+
+Specifies a custom blockdevice to use for data for a Docker-managed thin pool.
+It is better to use `dm.thinpooldev` - see the documentation for it above for
+discussion of the advantages.
+
+#### dm.metadatadev
+
+(Deprecated, use `dm.thinpooldev`)
+
+Specifies a custom blockdevice to use for metadata for a Docker-managed thin
+pool.  See `dm.datadev` for why this is deprecated.
+
+#### dm.blocksize
+
+Specifies a custom blocksize to use for the thin pool.  The default
+blocksize is 64K.
+
+Example use: `dockerd --storage-opt dm.blocksize=512K`
+
+#### dm.blkdiscard
+
+Enables or disables the use of `blkdiscard` when removing devicemapper devices.
+This is disabled by default due to the additional latency, but as a special
+case with loopback devices it will be enabled, in order to re-sparsify the
+loopback file on image/container removal.
+
+Disabling this on loopback can lead to *much* faster container removal times,
+but it also prevents the space used in `/var/lib/docker` directory from being
+returned to the system for other use when containers are removed.
+
+Example use: `dockerd --storage-opt dm.blkdiscard=false`
+
+#### dm.override_udev_sync_check
+
+By default, the devicemapper backend attempts to synchronize with the `udev`
+device manager for the Linux kernel.  This option allows disabling that
+synchronization, to continue even though the configuration may be buggy.
+
+To view the `udev` sync support of a Docker daemon that is using the
+`devicemapper` driver, run:
+
+        $ docker info
+        [...]
+         Udev Sync Supported: true
+        [...]
+
+When `udev` sync support is `true`, then `devicemapper` and `udev` can
+coordinate the activation and deactivation of devices for containers.
+
+When `udev` sync support is `false`, a race condition occurs between the
+`devicemapper` and `udev` during create and cleanup. The race condition results
+in errors and failures. (For information on these failures, see
+[docker#4036](https://github.com/docker/docker/issues/4036))
+
+To allow the `docker` daemon to start, regardless of whether `udev` sync is
+`false`, set `dm.override_udev_sync_check` to true:
+
+        $ dockerd --storage-opt dm.override_udev_sync_check=true
+
+When this value is `true`, the driver continues and simply warns you the errors
+are happening.
+
+**Note**: The ideal is to pursue a `docker` daemon and environment that does
+support synchronizing with `udev`. For further discussion on this topic, see
+[docker#4036](https://github.com/docker/docker/issues/4036).
+Otherwise, set this flag for migrating existing Docker daemons to a daemon with
+a supported environment.
+
+#### dm.min_free_space
+
+Specifies the min free space percent in a thin pool require for new device
+creation to succeed. This check applies to both free data space as well
+as free metadata space. Valid values are from 0% - 99%. Value 0% disables
+free space checking logic. If user does not specify a value for this option,
+the Engine uses a default value of 10%.
+
+Whenever a new a thin pool device is created (during `docker pull` or during
+container creation), the Engine checks if the minimum free space is available.
+If the space is unavailable, then device creation fails and any relevant
+`docker` operation fails.
+
+To recover from this error, you must create more free space in the thin pool to
+recover from the error. You can create free space by deleting some images and
+containers from tge thin pool. You can also add more storage to the thin pool.
+
+To add more space to an LVM (logical volume management) thin pool, just add
+more storage to the  group container thin pool; this should automatically
+resolve any errors. If your configuration uses loop devices, then stop the
+Engine daemon, grow the size of loop files and restart the daemon to resolve
+the issue.
+
+Example use:: `dockerd --storage-opt dm.min_free_space=10%`
+
+#### dm.xfs_nospace_max_retries
+
+Specifies the maximum number of retries XFS should attempt to complete IO when
+ENOSPC (no space) error is returned by underlying storage device.
+
+By default XFS retries infinitely for IO to finish and this can result in
+unkillable process. To change this behavior one can set xfs_nospace_max_retries
+to say 0 and XFS will not retry IO after getting ENOSPC and will shutdown
+filesystem.
+
+Example use:
+
+    $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
+
+##### dm.libdm_log_level
+
+Specifies the maxmimum libdm log level that will be forwarded to the dockerd
+log (as specified by --log-level). This option is primarily intended for
+debugging problems involving libdm. Using values other than the defaults may
+cause false-positive warnings to be logged.
+
+Values specified must fall within the range of valid libdm log levels. At the
+time of writing, the following is the list of libdm log levels as well as their
+corresponding levels when output by dockerd.
+
+| libdm Level | Value | --log-level |
+| ----------- | -----:| ----------- |
+| _LOG_FATAL  |     2 | error       |
+| _LOG_ERR    |     3 | error       |
+| _LOG_WARN   |     4 | warn        |
+| _LOG_NOTICE |     5 | info        |
+| _LOG_INFO   |     6 | info        |
+| _LOG_DEBUG  |     7 | debug       |
+
+Example use:
+
+    $ sudo dockerd \
+	      --log-level debug \
+          --storage-opt dm.libdm_log_level=7
+
+## ZFS options
+
+#### zfs.fsname
+
+Set zfs filesystem under which docker will create its own datasets.  By default
+docker will pick up the zfs filesystem where docker graph (`/var/lib/docker`)
+is located.
+
+Example use: `dockerd -s zfs --storage-opt zfs.fsname=zroot/docker`
+
+## Btrfs options
+
+#### btrfs.min_space
+
+Specifies the minimum size to use when creating the subvolume which is used for
+containers. If user uses disk quota for btrfs when creating or running a
+container with **--storage-opt size** option, docker should ensure the **size**
+cannot be smaller than **btrfs.min_space**.
+
+Example use: `docker daemon -s btrfs --storage-opt btrfs.min_space=10G`
+
+# CLUSTER STORE OPTIONS
+
+The daemon uses libkv to advertise the node within the cluster.  Some Key/Value
+backends support mutual TLS, and the client TLS settings used by the daemon can
+be configured using the **--cluster-store-opt** flag, specifying the paths to
+PEM encoded files.
+
+#### kv.cacertfile
+
+Specifies the path to a local file with PEM encoded CA certificates to trust
+
+#### kv.certfile
+
+Specifies the path to a local file with a PEM encoded certificate.  This
+certificate is used as the client cert for communication with the Key/Value
+store.
+
+#### kv.keyfile
+
+Specifies the path to a local file with a PEM encoded private key.  This
+private key is used as the client key for communication with the Key/Value
+store.
+
+# Access authorization
+
+Docker's access authorization can be extended by authorization plugins that
+your organization can purchase or build themselves. You can install one or more
+authorization plugins when you start the Docker `daemon` using the
+`--authorization-plugin=PLUGIN_ID` option.
+
+```bash
+dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
+```
+
+The `PLUGIN_ID` value is either the plugin's name or a path to its
+specification file. The plugin's implementation determines whether you can
+specify a name or path. Consult with your Docker administrator to get
+information about the plugins available to you.
+
+Once a plugin is installed, requests made to the `daemon` through the
+command line or Docker's Engine API are allowed or denied by the plugin.
+If you have multiple plugins installed, each plugin, in order, must
+allow the request for it to complete.
+
+For information about how to create an authorization plugin, see [access authorization
+plugin](https://docs.docker.com/engine/extend/plugins_authorization/) section in the
+Docker extend section of this documentation.
+
+# RUNTIME EXECUTION OPTIONS
+
+You can configure the runtime using options specified with the `--exec-opt` flag.
+All the flag's options have the `native` prefix. A single `native.cgroupdriver`
+option is available.
+
+The `native.cgroupdriver` option specifies the management of the container's
+cgroups. You can only specify `cgroupfs` or `systemd`. If you specify
+`systemd` and it is not available, the system errors out. If you omit the
+`native.cgroupdriver` option,` cgroupfs` is used.
+
+This example sets the `cgroupdriver` to `systemd`:
+
+```bash
+$ sudo dockerd --exec-opt native.cgroupdriver=systemd
+```
+
+Setting this option applies to all containers the daemon launches.
+
+# HISTORY
+Sept 2015, Originally compiled by Shishir Mahajan <shishir.mahajan@redhat.com>
+based on docker.com source material and internal work.
diff --git a/cli/man/generate.go b/cli/man/generate.go
new file mode 100644
index 00000000..4197558a
--- /dev/null
+++ b/cli/man/generate.go
@@ -0,0 +1,108 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/command/commands"
+	"github.com/docker/docker/pkg/term"
+	"github.com/spf13/cobra"
+	"github.com/spf13/cobra/doc"
+	"github.com/spf13/pflag"
+)
+
+const descriptionSourcePath = "man/src/"
+
+func generateManPages(opts *options) error {
+	header := &doc.GenManHeader{
+		Title:   "DOCKER",
+		Section: "1",
+		Source:  "Docker Community",
+	}
+
+	stdin, stdout, stderr := term.StdStreams()
+	dockerCli := command.NewDockerCli(stdin, stdout, stderr, false)
+	cmd := &cobra.Command{Use: "docker"}
+	commands.AddCommands(cmd, dockerCli)
+	source := filepath.Join(opts.source, descriptionSourcePath)
+	if err := loadLongDescription(cmd, source); err != nil {
+		return err
+	}
+
+	cmd.DisableAutoGenTag = true
+	cmd.DisableFlagsInUseLine = true
+	return doc.GenManTreeFromOpts(cmd, doc.GenManTreeOptions{
+		Header:           header,
+		Path:             opts.target,
+		CommandSeparator: "-",
+	})
+}
+
+func loadLongDescription(cmd *cobra.Command, path string) error {
+	for _, cmd := range cmd.Commands() {
+		cmd.DisableFlagsInUseLine = true
+		if cmd.Name() == "" {
+			continue
+		}
+		fullpath := filepath.Join(path, cmd.Name()+".md")
+
+		if cmd.HasSubCommands() {
+			loadLongDescription(cmd, filepath.Join(path, cmd.Name()))
+		}
+
+		if _, err := os.Stat(fullpath); err != nil {
+			log.Printf("WARN: %s does not exist, skipping\n", fullpath)
+			continue
+		}
+
+		content, err := ioutil.ReadFile(fullpath)
+		if err != nil {
+			return err
+		}
+		cmd.Long = string(content)
+
+		fullpath = filepath.Join(path, cmd.Name()+"-example.md")
+		if _, err := os.Stat(fullpath); err != nil {
+			continue
+		}
+
+		content, err = ioutil.ReadFile(fullpath)
+		if err != nil {
+			return err
+		}
+		cmd.Example = string(content)
+
+	}
+	return nil
+}
+
+type options struct {
+	source string
+	target string
+}
+
+func parseArgs() (*options, error) {
+	opts := &options{}
+	cwd, _ := os.Getwd()
+	flags := pflag.NewFlagSet(os.Args[0], pflag.ContinueOnError)
+	flags.StringVar(&opts.source, "root", cwd, "Path to project root")
+	flags.StringVar(&opts.target, "target", "/tmp", "Target path for generated man pages")
+	err := flags.Parse(os.Args[1:])
+	return opts, err
+}
+
+func main() {
+	opts, err := parseArgs()
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err.Error())
+	}
+	fmt.Printf("Project root: %s\n", opts.source)
+	fmt.Printf("Generating man pages into %s\n", opts.target)
+	if err := generateManPages(opts); err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to generate man pages: %s\n", err.Error())
+	}
+}
diff --git a/cli/man/import.go b/cli/man/import.go
new file mode 100644
index 00000000..bc117bdc
--- /dev/null
+++ b/cli/man/import.go
@@ -0,0 +1,7 @@
+// +build never
+
+package main
+
+// Not used, but required for generating other man pages.
+// Import it here so that the package is included by vndr.
+import _ "github.com/cpuguy83/go-md2man"
diff --git a/cli/man/md2man-all.sh b/cli/man/md2man-all.sh
new file mode 100755
index 00000000..46c7b8f0
--- /dev/null
+++ b/cli/man/md2man-all.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -e
+
+# get into this script's directory
+cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
+
+[ "$1" = '-q' ] || {
+	set -x
+	pwd
+}
+
+for FILE in *.md; do
+	base="$(basename "$FILE")"
+	name="${base%.md}"
+	num="${name##*.}"
+	if [ -z "$num" -o "$name" = "$num" ]; then
+		# skip files that aren't of the format xxxx.N.md (like README.md)
+		continue
+	fi
+	mkdir -p "./man${num}"
+	go-md2man -in "$FILE" -out "./man${num}/${name}"
+done
diff --git a/cli/man/src/attach.md b/cli/man/src/attach.md
new file mode 100644
index 00000000..ff1102e1
--- /dev/null
+++ b/cli/man/src/attach.md
@@ -0,0 +1,2 @@
+
+Alias for `docker container attach`.
diff --git a/cli/man/src/commit.md b/cli/man/src/commit.md
new file mode 100644
index 00000000..3deb25bb
--- /dev/null
+++ b/cli/man/src/commit.md
@@ -0,0 +1 @@
+Alias for `docker container commit`.
diff --git a/cli/man/src/container/attach.md b/cli/man/src/container/attach.md
new file mode 100644
index 00000000..e2fa4f8a
--- /dev/null
+++ b/cli/man/src/container/attach.md
@@ -0,0 +1,66 @@
+The **docker attach** command allows you to attach to a running container using
+the container's ID or name, either to view its ongoing output or to control it
+interactively.  You can attach to the same contained process multiple times
+simultaneously, screen sharing style, or quickly view the progress of your
+detached process.
+
+To stop a container, use `CTRL-c`. This key sequence sends `SIGKILL` to the
+container. You can detach from the container (and leave it running) using a
+configurable key sequence. The default sequence is `CTRL-p CTRL-q`. You
+configure the key sequence using the **--detach-keys** option or a configuration
+file. See **config-json(5)** for documentation on using a configuration file.
+
+It is forbidden to redirect the standard input of a `docker attach` command while
+attaching to a tty-enabled container (i.e.: launched with `-t`).
+
+# Override the detach sequence
+
+If you want, you can configure an override the Docker key sequence for detach.
+This is useful if the Docker default sequence conflicts with key sequence you
+use for other applications. There are two ways to define your own detach key
+sequence, as a per-container override or as a configuration property on  your
+entire configuration.
+
+To override the sequence for an individual container, use the
+`--detach-keys="<sequence>"` flag with the `docker attach` command. The format of
+the `<sequence>` is either a letter [a-Z], or the `ctrl-` combined with any of
+the following:
+
+* `a-z` (a single lowercase alpha character )
+* `@` (at sign)
+* `[` (left bracket)
+* `\\` (two backward slashes)
+*  `_` (underscore)
+* `^` (caret)
+
+These `a`, `ctrl-a`, `X`, or `ctrl-\\` values are all examples of valid key
+sequences. To configure a different configuration default key sequence for all
+containers, see **docker(1)**.
+
+# EXAMPLES
+
+## Attaching to a container
+
+In this example the top command is run inside a container, from an image called
+fedora, in detached mode. The ID from the container is passed into the **docker
+attach** command:
+
+    $ ID=$(sudo docker run -d fedora /usr/bin/top -b)
+    $ sudo docker attach $ID
+    top - 02:05:52 up  3:05,  0 users,  load average: 0.01, 0.02, 0.05
+    Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
+    Cpu(s):  0.1%us,  0.2%sy,  0.0%ni, 99.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
+    Mem:    373572k total,   355560k used,    18012k free,    27872k buffers
+    Swap:   786428k total,        0k used,   786428k free,   221740k cached
+
+    PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
+    1 root      20   0 17200 1116  912 R    0  0.3   0:00.03 top
+
+    top - 02:05:55 up  3:05,  0 users,  load average: 0.01, 0.02, 0.05
+    Tasks:   1 total,   1 running,   0 sleeping,   0 stopped,   0 zombie
+    Cpu(s):  0.0%us,  0.2%sy,  0.0%ni, 99.8%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
+    Mem:    373572k total,   355244k used,    18328k free,    27872k buffers
+    Swap:   786428k total,        0k used,   786428k free,   221776k cached
+
+    PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
+    1 root      20   0 17208 1144  932 R    0  0.3   0:00.03 top
diff --git a/cli/man/src/container/commit.md b/cli/man/src/container/commit.md
new file mode 100644
index 00000000..43d2e9c2
--- /dev/null
+++ b/cli/man/src/container/commit.md
@@ -0,0 +1,30 @@
+Create a new image from an existing container specified by name or
+container ID.  The new image will contain the contents of the
+container filesystem, *excluding* any data volumes. Refer to **docker-tag(1)**
+for more information about valid image and tag names.
+
+While the `docker commit` command is a convenient way of extending an
+existing image, you should prefer the use of a Dockerfile and `docker
+build` for generating images that you intend to share with other
+people.
+
+# EXAMPLES
+
+## Creating a new image from an existing container
+An existing Fedora based container has had Apache installed while running
+in interactive mode with the bash shell. Apache is also running. To
+create a new image run `docker ps` to find the container's ID and then run:
+
+    $ docker commit -m="Added Apache to Fedora base image" \
+      -a="A D Ministrator" 98bd7fc99854 fedora/fedora_httpd:20
+
+Note that only a-z0-9-_. are allowed when naming images from an 
+existing container.
+
+## Apply specified Dockerfile instructions while committing the image
+If an existing container was created without the DEBUG environment
+variable set to "true", you can create a new image based on that
+container by first getting the container's ID with `docker ps` and
+then running:
+
+    $ docker container commit -c="ENV DEBUG true" 98bd7fc99854 debug-image
diff --git a/cli/man/src/container/cp.md b/cli/man/src/container/cp.md
new file mode 100644
index 00000000..557e76de
--- /dev/null
+++ b/cli/man/src/container/cp.md
@@ -0,0 +1,145 @@
+The `docker container cp` utility copies the contents of `SRC_PATH` to the `DEST_PATH`.
+You can copy from the container's file system to the local machine or the
+reverse, from the local filesystem to the container. If `-` is specified for
+either the `SRC_PATH` or `DEST_PATH`, you can also stream a tar archive from
+`STDIN` or to `STDOUT`. The `CONTAINER` can be a running or stopped container.
+The `SRC_PATH` or `DEST_PATH` can be a file or directory.
+
+The `docker container cp` command assumes container paths are relative to the container's 
+`/` (root) directory. This means supplying the initial forward slash is optional; 
+The command sees `compassionate_darwin:/tmp/foo/myfile.txt` and
+`compassionate_darwin:tmp/foo/myfile.txt` as identical. Local machine paths can
+be an absolute or relative value. The command interprets a local machine's
+relative paths as relative to the current working directory where `docker container cp` is
+run.
+
+The `cp` command behaves like the Unix `cp -a` command in that directories are
+copied recursively with permissions preserved if possible. Ownership is set to
+the user and primary group at the destination. For example, files copied to a
+container are created with `UID:GID` of the root user. Files copied to the local
+machine are created with the `UID:GID` of the user which invoked the `docker container cp`
+command.  If you specify the `-L` option, `docker container cp` follows any symbolic link
+in the `SRC_PATH`. `docker container cp` does *not* create parent directories for
+`DEST_PATH` if they do not exist.
+
+Assuming a path separator of `/`, a first argument of `SRC_PATH` and second
+argument of `DEST_PATH`, the behavior is as follows:
+
+- `SRC_PATH` specifies a file
+    - `DEST_PATH` does not exist
+        - the file is saved to a file created at `DEST_PATH`
+    - `DEST_PATH` does not exist and ends with `/`
+        - Error condition: the destination directory must exist.
+    - `DEST_PATH` exists and is a file
+        - the destination is overwritten with the source file's contents
+    - `DEST_PATH` exists and is a directory
+        - the file is copied into this directory using the basename from
+          `SRC_PATH`
+- `SRC_PATH` specifies a directory
+    - `DEST_PATH` does not exist
+        - `DEST_PATH` is created as a directory and the *contents* of the source
+           directory are copied into this directory
+    - `DEST_PATH` exists and is a file
+        - Error condition: cannot copy a directory to a file
+    - `DEST_PATH` exists and is a directory
+        - `SRC_PATH` does not end with `/.` (that is: _slash_ followed by _dot_)
+            - the source directory is copied into this directory
+        - `SRC_PATH` does end with `/.` (that is: _slash_ followed by _dot_)
+            - the *content* of the source directory is copied into this
+              directory
+
+The command requires `SRC_PATH` and `DEST_PATH` to exist according to the above
+rules. If `SRC_PATH` is local and is a symbolic link, the symbolic link, not
+the target, is copied by default. To copy the link target and not the link, 
+specify the `-L` option.
+
+A colon (`:`) is used as a delimiter between `CONTAINER` and its path. You can
+also use `:` when specifying paths to a `SRC_PATH` or `DEST_PATH` on a local
+machine, for example  `file:name.txt`. If you use a `:` in a local machine path,
+you must be explicit with a relative or absolute path, for example:
+
+    `/path/to/file:name.txt` or `./file:name.txt`
+
+It is not possible to copy certain system files such as resources under
+`/proc`, `/sys`, `/dev`, tmpfs, and mounts created by the user in the container.
+However, you can still copy such files by manually running `tar` in `docker exec`.
+For example (consider `SRC_PATH` and `DEST_PATH` are directories):
+
+    $ docker exec foo tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | tar Cxf DEST_PATH -
+
+or
+
+    $ tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | docker exec -i foo tar Cxf DEST_PATH -
+
+
+Using `-` as the `SRC_PATH` streams the contents of `STDIN` as a tar archive.
+The command extracts the content of the tar to the `DEST_PATH` in container's
+filesystem. In this case, `DEST_PATH` must specify a directory. Using `-` as
+the `DEST_PATH` streams the contents of the resource as a tar archive to `STDOUT`.
+
+# EXAMPLES
+
+Suppose a container has finished producing some output as a file it saves
+to somewhere in its filesystem. This could be the output of a build job or
+some other computation. You can copy these outputs from the container to a
+location on your local host.
+
+If you want to copy the `/tmp/foo` directory from a container to the
+existing `/tmp` directory on your host. If you run `docker container cp` in your `~`
+(home) directory on the local host:
+
+    $ docker container cp compassionate_darwin:tmp/foo /tmp
+
+Docker creates a `/tmp/foo` directory on your host. Alternatively, you can omit
+the leading slash in the command. If you execute this command from your home
+directory:
+
+    $ docker container cp compassionate_darwin:tmp/foo tmp
+
+If `~/tmp` does not exist, Docker will create it and copy the contents of
+`/tmp/foo` from the container into this new directory. If `~/tmp` already
+exists as a directory, then Docker will copy the contents of `/tmp/foo` from
+the container into a directory at `~/tmp/foo`.
+
+When copying a single file to an existing `LOCALPATH`, the `docker container cp` command
+will either overwrite the contents of `LOCALPATH` if it is a file or place it
+into `LOCALPATH` if it is a directory, overwriting an existing file of the same
+name if one exists. For example, this command:
+
+    $ docker container cp sharp_ptolemy:/tmp/foo/myfile.txt /test
+
+If `/test` does not exist on the local machine, it will be created as a file
+with the contents of `/tmp/foo/myfile.txt` from the container. If `/test`
+exists as a file, it will be overwritten. Lastly, if `/test` exists as a
+directory, the file will be copied to `/test/myfile.txt`.
+
+Next, suppose you want to copy a file or folder into a container. For example,
+this could be a configuration file or some other input to a long running
+computation that you would like to place into a created container before it
+starts. This is useful because it does not require the configuration file or
+other input to exist in the container image.
+
+If you have a file, `config.yml`, in the current directory on your local host
+and wish to copy it to an existing directory at `/etc/my-app.d` in a container,
+this command can be used:
+
+    $ docker container cp config.yml myappcontainer:/etc/my-app.d
+
+If you have several files in a local directory `/config` which you need to copy
+to a directory `/etc/my-app.d` in a container:
+
+    $ docker container cp /config/. myappcontainer:/etc/my-app.d
+
+The above command will copy the contents of the local `/config` directory into
+the directory `/etc/my-app.d` in the container.
+
+Finally, if you want to copy a symbolic link into a container, you typically
+want to  copy the linked target and not the link itself. To copy the target, use
+the `-L` option, for example:
+
+    $ ln -s /tmp/somefile /tmp/somefile.ln
+    $ docker container cp -L /tmp/somefile.ln myappcontainer:/tmp/
+
+This command copies content of the local `/tmp/somefile` into the file
+`/tmp/somefile.ln` in the container. Without `-L` option, the `/tmp/somefile.ln`
+preserves its symbolic link but not its content.
diff --git a/cli/man/src/container/create-example.md b/cli/man/src/container/create-example.md
new file mode 100644
index 00000000..bd832936
--- /dev/null
+++ b/cli/man/src/container/create-example.md
@@ -0,0 +1,35 @@
+### Specify isolation technology for container (--isolation)
+
+This option is useful in situations where you are running Docker containers on
+Windows. The `--isolation=<value>` option sets a container's isolation
+technology. On Linux, the only supported is the `default` option which uses
+Linux namespaces. On Microsoft Windows, you can specify these values:
+
+* `default`: Use the value specified by the Docker daemon's `--exec-opt` . If the `daemon` does not specify an isolation technology, Microsoft Windows uses `process` as its default value.
+* `process`: Namespace isolation only.
+* `hyperv`: Hyper-V hypervisor partition-based isolation.
+
+Specifying the `--isolation` flag without a value is the same as setting `--isolation="default"`.
+
+### Dealing with dynamically created devices (--device-cgroup-rule)
+
+Devices available to a container are assigned at creation time. The
+assigned devices will both be added to the cgroup.allow file and
+created into the container once it is run. This poses a problem when
+a new device needs to be added to running container.
+
+One of the solution is to add a more permissive rule to a container
+allowing it access to a wider range of devices. For example, supposing
+our container needs access to a character device with major `42` and
+any number of minor number (added as new devices appear), the
+following rule would be added:
+
+```
+docker create --device-cgroup-rule='c 42:* rmw' -name my-container my-image
+```
+
+Then, a user could ask `udev` to execute a script that would `docker exec my-container mknod newDevX c 42 <minor>`
+the required device when it is added.
+
+NOTE: initially present devices still need to be explicitly added to
+the create/run command
diff --git a/cli/man/src/container/create.md b/cli/man/src/container/create.md
new file mode 100644
index 00000000..c680d54f
--- /dev/null
+++ b/cli/man/src/container/create.md
@@ -0,0 +1,88 @@
+Creates a writeable container layer over the specified image and prepares it for
+running the specified command. The container ID is then printed to STDOUT. This
+is similar to **docker run -d** except the container is never started. You can 
+then use the **docker start <container_id>** command to start the container at
+any point.
+
+The initial status of the container created with **docker create** is 'created'.
+
+### OPTIONS 
+
+The `CONTAINER-DIR` must be an absolute path such as `/src/docs`. The `HOST-DIR`
+can be an absolute path or a `name` value. A `name` value must start with an
+alphanumeric character, followed by `a-z0-9`, `_` (underscore), `.` (period) or
+`-` (hyphen). An absolute path starts with a `/` (forward slash).
+
+If you supply a `HOST-DIR` that is an absolute path,  Docker bind-mounts to the
+path you specify. If you supply a `name`, Docker creates a named volume by that
+`name`. For example, you can specify either `/foo` or `foo` for a `HOST-DIR`
+value. If you supply the `/foo` value, Docker creates a bind mount. If you
+supply the `foo` specification, Docker creates a named volume.
+
+You can specify multiple  **-v** options to mount one or more mounts to a
+container. To use these same mounts in other containers, specify the
+**--volumes-from** option also.
+
+You can supply additional options for each bind mount following an additional
+colon.  A `:ro` or `:rw` suffix mounts a volume in read-only or read-write
+mode, respectively. By default, volumes are mounted in read-write mode.  
+You can also specify the consistency requirement for the mount, either
+`:consistent` (the default), `:cached`, or `:delegated`.  Multiple options are
+separated by commas, e.g. `:ro,cached`.
+
+Labeling systems like SELinux require that proper labels are placed on volume
+content mounted into a container. Without a label, the security system might
+prevent the processes running inside the container from using the content. By
+default, Docker does not change the labels set by the OS.
+
+To change a label in the container context, you can add either of two suffixes
+`:z` or `:Z` to the volume mount. These suffixes tell Docker to relabel file
+objects on the shared volumes. The `z` option tells Docker that two containers
+share the volume content. As a result, Docker labels the content with a shared
+content label. Shared volume labels allow all containers to read/write content.
+The `Z` option tells Docker to label the content with a private unshared label.
+Only the current container can use a private volume.
+
+By default bind mounted volumes are `private`. That means any mounts done
+inside container will not be visible on host and vice-a-versa. One can change
+this behavior by specifying a volume mount propagation property. Making a
+volume `shared` mounts done under that volume inside container will be
+visible on host and vice-a-versa. Making a volume `slave` enables only one
+way mount propagation and that is mounts done on host under that volume
+will be visible inside container but not the other way around.
+
+To control mount propagation property of volume one can use `:[r]shared`,
+`:[r]slave` or `:[r]private` propagation flag. Propagation property can
+be specified only for bind mounted volumes and not for internal volumes or
+named volumes. For mount propagation to work source mount point (mount point
+where source dir is mounted on) has to have right propagation properties. For
+shared volumes, source mount point has to be shared. And for slave volumes,
+source mount has to be either shared or slave.
+
+Use `df <source-dir>` to figure out the source mount and then use
+`findmnt -o TARGET,PROPAGATION <source-mount-dir>` to figure out propagation
+properties of source mount. If `findmnt` utility is not available, then one
+can look at mount entry for source mount point in `/proc/self/mountinfo`. Look
+at `optional fields` and see if any propagation properties are specified.
+`shared:X` means mount is `shared`, `master:X` means mount is `slave` and if
+nothing is there that means mount is `private`.
+
+To change propagation properties of a mount point use `mount` command. For
+example, if one wants to bind mount source directory `/foo` one can do
+`mount --bind /foo /foo` and `mount --make-private --make-shared /foo`. This
+will convert /foo into a `shared` mount point. Alternatively one can directly
+change propagation properties of source mount. Say `/` is source mount for
+`/foo`, then use `mount --make-shared /` to convert `/` into a `shared` mount.
+
+> **Note**:
+> When using systemd to manage the Docker daemon's start and stop, in the systemd
+> unit file there is an option to control mount propagation for the Docker daemon
+> itself, called `MountFlags`. The value of this setting may cause Docker to not
+> see mount propagation changes made on the mount point. For example, if this value
+> is `slave`, you may not be able to use the `shared` or `rshared` propagation on
+> a volume.
+
+
+To disable automatic copying of data from the container path to the volume, use
+the `nocopy` flag. The `nocopy` flag can be set on named volumes, and does not
+apply to bind mounts..
diff --git a/cli/man/src/container/diff.md b/cli/man/src/container/diff.md
new file mode 100644
index 00000000..eb485e36
--- /dev/null
+++ b/cli/man/src/container/diff.md
@@ -0,0 +1,39 @@
+List the changed files and directories in a container᾿s filesystem since the
+container was created. Three different types of change are tracked:
+
+| Symbol | Description                     |
+|--------|---------------------------------|
+| `A`    | A file or directory was added   |
+| `D`    | A file or directory was deleted |
+| `C`    | A file or directory was changed |
+
+You can use the full or shortened container ID or the container name set using
+**docker run --name** option.
+
+# EXAMPLES
+
+Inspect the changes to an `nginx` container:
+
+```bash
+$ docker diff 1fdfd1f54c1b
+
+C /dev
+C /dev/console
+C /dev/core
+C /dev/stdout
+C /dev/fd
+C /dev/ptmx
+C /dev/stderr
+C /dev/stdin
+C /run
+A /run/nginx.pid
+C /var/lib/nginx/tmp
+A /var/lib/nginx/tmp/client_body
+A /var/lib/nginx/tmp/fastcgi
+A /var/lib/nginx/tmp/proxy
+A /var/lib/nginx/tmp/scgi
+A /var/lib/nginx/tmp/uwsgi
+C /var/log/nginx
+A /var/log/nginx/access.log
+A /var/log/nginx/error.log
+```
diff --git a/cli/man/src/container/exec.md b/cli/man/src/container/exec.md
new file mode 100644
index 00000000..033db426
--- /dev/null
+++ b/cli/man/src/container/exec.md
@@ -0,0 +1,25 @@
+Run a process in a running container.
+
+The command started using `docker exec` will only run while the container's primary
+process (`PID 1`) is running, and will not be restarted if the container is restarted.
+
+If the container is paused, then the `docker exec` command will wait until the
+container is unpaused, and then run
+
+# CAPABILITIES
+
+`privileged` gives the process extended
+[Linux capabilities](http://man7.org/linux/man-pages/man7/capabilities.7.html)
+when running in a container. 
+
+Without this flag, the process run by `docker exec` in a running container has
+the same capabilities as the container, which may be limited. Set
+`--privileged` to give all capabilities to the process.
+
+# USER
+`user` sets the username or UID used and optionally the groupname or GID for the specified command.
+
+   The followings examples are all valid:
+   --user [user | user:group | uid | uid:gid | user:gid | uid:group ]
+
+   Without this argument the command will be run as root in the container.
diff --git a/cli/man/src/container/export.md b/cli/man/src/container/export.md
new file mode 100644
index 00000000..ac07d963
--- /dev/null
+++ b/cli/man/src/container/export.md
@@ -0,0 +1,20 @@
+Export the contents of a container's filesystem using the full or shortened
+container ID or container name. The output is exported to STDOUT and can be
+redirected to a tar file.
+
+Stream to a file instead of STDOUT by using **-o**.
+
+# EXAMPLES
+Export the contents of the container called angry_bell to a tar file
+called angry_bell.tar:
+
+    $ docker export angry_bell > angry_bell.tar
+    $ docker export --output=angry_bell-latest.tar angry_bell
+    $ ls -sh angry_bell.tar
+    321M angry_bell.tar
+    $ ls -sh angry_bell-latest.tar
+    321M angry_bell-latest.tar
+
+# See also
+**docker-import(1)** to create an empty filesystem image
+and import the contents of the tarball into it, then optionally tag it.
diff --git a/cli/man/src/container/kill.md b/cli/man/src/container/kill.md
new file mode 100644
index 00000000..b8b94e52
--- /dev/null
+++ b/cli/man/src/container/kill.md
@@ -0,0 +1,2 @@
+The main process inside each container specified will be sent SIGKILL,
+ or any signal specified with option --signal.
diff --git a/cli/man/src/container/logs.md b/cli/man/src/container/logs.md
new file mode 100644
index 00000000..f2b4ad6d
--- /dev/null
+++ b/cli/man/src/container/logs.md
@@ -0,0 +1,40 @@
+The **docker container logs** command batch-retrieves whatever logs are present for
+a container at the time of execution. This does not guarantee execution
+order when combined with a docker run (i.e., your run may not have generated
+any logs at the time you execute docker container logs).
+
+The **docker container logs --follow** command combines commands **docker container logs** and
+**docker attach**. It will first return all logs from the beginning and
+then continue streaming new output from the container's stdout and stderr.
+
+**Warning**: This command works only for the **json-file** or **journald**
+logging drivers.
+
+The `--since` and `--until` options can be Unix timestamps, date formatted timestamps, 
+or Go duration strings (e.g. `10m`, `1h30m`) computed relative to the client machine's
+time. Supported formats for date formatted time stamps include RFC3339Nano,
+RFC3339, `2006-01-02T15:04:05`, `2006-01-02T15:04:05.999999999`,
+`2006-01-02Z07:00`, and `2006-01-02`. The local timezone on the client will be
+used if you do not provide either a `Z` or a `+-00:00` timezone offset at the
+end of the timestamp.  When providing Unix timestamps enter
+seconds[.nanoseconds], where seconds is the number of seconds that have elapsed
+since January 1, 1970 (midnight UTC/GMT), not counting leap  seconds (aka Unix
+epoch or Unix time), and the optional .nanoseconds field is a fraction of a
+second no more than nine digits long. You can combine the `--since` or `--until` 
+options with either or both of the `--follow` or `--tail` options.
+
+The `docker container logs --details` command will add on extra attributes, such as
+environment variables and labels, provided to `--log-opt` when creating the
+container.
+
+In order to retrieve logs before a specific point in time, run:
+
+```bash
+$ docker run --name test -d busybox sh -c "while true; do $(echo date); sleep 1; done"
+$ date
+Tue 14 Nov 2017 16:40:00 CET
+$ docker logs -f --until=2s
+Tue 14 Nov 2017 16:40:00 CET
+Tue 14 Nov 2017 16:40:01 CET
+Tue 14 Nov 2017 16:40:02 CET
+```
\ No newline at end of file
diff --git a/cli/man/src/container/ls.md b/cli/man/src/container/ls.md
new file mode 100644
index 00000000..93a87efc
--- /dev/null
+++ b/cli/man/src/container/ls.md
@@ -0,0 +1,117 @@
+List the containers in the local repository. By default this shows only
+the running containers.
+
+## Filters
+
+Filter output based on these conditions:
+   - ancestor=(<image-name>[:tag]|<image-id>|<image@digest>)
+     containers created from an image or a descendant.
+   - before=(<container-name>|<container-id>)
+   - expose=(<port>[/<proto>]|<startport-endport>/[<proto>])
+   - exited=<int> an exit code of <int>
+   - health=(starting|healthy|unhealthy|none)
+   - id=<ID> a container's ID
+   - isolation=(`default`|`process`|`hyperv`) (Windows daemon only)
+   - is-task=(true|false)
+   - label=<key> or label=<key>=<value>
+   - name=<string> a container's name
+   - network=(<network-id>|<network-name>)
+   - publish=(<port>[/<proto>]|<startport-endport>/[<proto>])
+   - since=(<container-name>|<container-id>)
+   - status=(created|restarting|removing|running|paused|exited)
+   - volume=(<volume name>|<mount point destination>)
+
+## Format
+
+The formatting option (**--format**) pretty-prints container output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+   - .ID           - Container ID.
+   - .Image        - Image ID.
+   - .Command      - Quoted command.
+   - .CreatedAt    - Time when the container was created.
+   - .RunningFor   - Elapsed time since the container was started.
+   - .Ports        - Exposed ports.
+   - .Status       - Container status.
+   - .Size         - Container disk size.
+   - .Names        - Container names.
+   - .Labels       - All labels assigned to the container.
+   - .Label        - Value of a specific label for this container.
+                     For example **'{{.Label "com.docker.swarm.cpu"}}'**.
+   - .Mounts       - Names of the volumes mounted in this container.
+   - .Networks     - Names of the networks attached to this container.
+
+# EXAMPLES
+
+## Display all containers, including non-running
+
+    $ docker container ls -a
+    CONTAINER ID        IMAGE                 COMMAND                CREATED             STATUS      PORTS    NAMES
+    a87ecb4f327c        fedora:20             /bin/sh -c #(nop) MA   20 minutes ago      Exit 0               desperate_brattain
+    01946d9d34d8        vpavlin/rhel7:latest  /bin/sh -c #(nop) MA   33 minutes ago      Exit 0               thirsty_bell
+    c1d3b0166030        acffc0358b9e          /bin/sh -c yum -y up   2 weeks ago         Exit 1               determined_torvalds
+    41d50ecd2f57        fedora:20             /bin/sh -c #(nop) MA   2 weeks ago         Exit 0               drunk_pike
+
+## Display only IDs of all containers, including non-running
+
+    $ docker container ls -a -q
+    a87ecb4f327c
+    01946d9d34d8
+    c1d3b0166030
+    41d50ecd2f57
+
+## Display only IDs of all containers that have the name `determined_torvalds`
+
+    $ docker container ls -a -q --filter=name=determined_torvalds
+    c1d3b0166030
+
+## Display containers with their commands
+
+    $ docker container ls --format "{{.ID}}: {{.Command}}"
+    a87ecb4f327c: /bin/sh -c #(nop) MA
+    01946d9d34d8: /bin/sh -c #(nop) MA
+    c1d3b0166030: /bin/sh -c yum -y up
+    41d50ecd2f57: /bin/sh -c #(nop) MA
+
+## Display containers with their labels in a table
+
+    $ docker container ls --format "table {{.ID}}\t{{.Labels}}"
+    CONTAINER ID        LABELS
+    a87ecb4f327c        com.docker.swarm.node=ubuntu,com.docker.swarm.storage=ssd
+    01946d9d34d8
+    c1d3b0166030        com.docker.swarm.node=debian,com.docker.swarm.cpu=6
+    41d50ecd2f57        com.docker.swarm.node=fedora,com.docker.swarm.cpu=3,com.docker.swarm.storage=ssd
+
+## Display containers with their node label in a table
+
+    $ docker container ls --format 'table {{.ID}}\t{{(.Label "com.docker.swarm.node")}}'
+    CONTAINER ID        NODE
+    a87ecb4f327c        ubuntu
+    01946d9d34d8
+    c1d3b0166030        debian
+    41d50ecd2f57        fedora
+
+## Display containers with `remote-volume` mounted
+
+    $ docker container ls --filter volume=remote-volume --format "table {{.ID}}\t{{.Mounts}}"
+    CONTAINER ID        MOUNTS
+    9c3527ed70ce        remote-volume
+
+## Display containers with a volume mounted in `/data`
+
+    $ docker container ls --filter volume=/data --format "table {{.ID}}\t{{.Mounts}}"
+    CONTAINER ID        MOUNTS
+    9c3527ed70ce        remote-volume
+
+## Display containers that have published port of 80:
+
+    $ docker ps --filter publish=80
+    CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS                   NAMES
+    fc7e477723b7        busybox             "top"               About a minute ago   Up About a minute   0.0.0.0:32768->80/tcp   admiring_roentgen
+
+## Display containers that have exposed TCP port in the range of `8000-8080`:
+
+    $ docker ps --filter expose=8000-8080/tcp
+    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+    9833437217a5        busybox             "top"               21 seconds ago      Up 19 seconds       8080/tcp            dreamy_mccarthy
diff --git a/cli/man/src/container/pause.md b/cli/man/src/container/pause.md
new file mode 100644
index 00000000..09ea5b93
--- /dev/null
+++ b/cli/man/src/container/pause.md
@@ -0,0 +1,12 @@
+The `docker container pause` command suspends all processes in the specified containers.
+On Linux, this uses the cgroups freezer. Traditionally, when suspending a process
+the `SIGSTOP` signal is used, which is observable by the process being suspended.
+With the cgroups freezer the process is unaware, and unable to capture,
+that it is being suspended, and subsequently resumed. On Windows, only Hyper-V
+containers can be paused.
+
+See the [cgroups freezer documentation]
+(https://www.kernel.org/doc/Documentation/cgroup-v1/freezer-subsystem.txt) for
+further details.
+
+**docker-container-unpause(1)** to unpause all processes within a container.
diff --git a/cli/man/src/container/port.md b/cli/man/src/container/port.md
new file mode 100644
index 00000000..a1c8cc6e
--- /dev/null
+++ b/cli/man/src/container/port.md
@@ -0,0 +1,26 @@
+List port mappings for the CONTAINER, or lookup the public-facing port that is NAT-ed to the PRIVATE_PORT
+
+# EXAMPLES
+
+    $ docker ps
+    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                                            NAMES
+    b650456536c7        busybox:latest      top                 54 minutes ago      Up 54 minutes       0.0.0.0:1234->9876/tcp, 0.0.0.0:4321->7890/tcp   test
+
+## Find out all the ports mapped
+
+    $ docker container port test
+    7890/tcp -> 0.0.0.0:4321
+    9876/tcp -> 0.0.0.0:1234
+
+## Find out a specific mapping
+
+    $ docker container port test 7890/tcp
+    0.0.0.0:4321
+
+    $ docker container port test 7890
+    0.0.0.0:4321
+
+## An example showing error for non-existent mapping
+
+    $ docker container port test 7890/udp
+    2014/06/24 11:53:36 Error: No public port '7890/udp' published for test
diff --git a/cli/man/src/container/rename.md b/cli/man/src/container/rename.md
new file mode 100644
index 00000000..e6f49a0e
--- /dev/null
+++ b/cli/man/src/container/rename.md
@@ -0,0 +1 @@
+Rename a container.  Container may be running, paused or stopped.
diff --git a/cli/man/src/container/restart.md b/cli/man/src/container/restart.md
new file mode 100644
index 00000000..66ef6688
--- /dev/null
+++ b/cli/man/src/container/restart.md
@@ -0,0 +1 @@
+Restart each container listed.
diff --git a/cli/man/src/container/rm.md b/cli/man/src/container/rm.md
new file mode 100644
index 00000000..561f0e91
--- /dev/null
+++ b/cli/man/src/container/rm.md
@@ -0,0 +1,37 @@
+**docker container rm** will remove one or more containers from the host node. The
+container name or ID can be used. This does not remove images. You cannot
+remove a running container unless you use the **-f** option. To see all
+containers on a host use the **docker container ls -a** command.
+
+# EXAMPLES
+
+## Removing a container using its ID
+
+To remove a container using its ID, find either from a **docker ps -a**
+command, or use the ID returned from the **docker run** command, or retrieve
+it from a file used to store it using the **docker run --cidfile**:
+
+    docker container rm abebf7571666
+
+## Removing a container using the container name
+
+The name of the container can be found using the **docker ps -a**
+command. The use that name as follows:
+
+    docker container rm hopeful_morse
+
+## Removing a container and all associated volumes
+
+    $ docker container rm -v redis
+    redis
+
+This command will remove the container and any volumes associated with it.
+Note that if a volume was specified with a name, it will not be removed.
+
+    $ docker create -v awesome:/foo -v /bar --name hello redis
+    hello
+    $ docker container rm -v hello
+
+In this example, the volume for `/foo` will remain in tact, but the volume for
+`/bar` will be removed. The same behavior holds for volumes inherited with
+`--volumes-from`.
diff --git a/cli/man/src/container/run.md b/cli/man/src/container/run.md
new file mode 100644
index 00000000..5e20273e
--- /dev/null
+++ b/cli/man/src/container/run.md
@@ -0,0 +1 @@
+Alias for `docker run`.
diff --git a/cli/man/src/container/start.md b/cli/man/src/container/start.md
new file mode 100644
index 00000000..48d8592c
--- /dev/null
+++ b/cli/man/src/container/start.md
@@ -0,0 +1 @@
+Start one or more containers.
diff --git a/cli/man/src/container/stats.md b/cli/man/src/container/stats.md
new file mode 100644
index 00000000..2de672ee
--- /dev/null
+++ b/cli/man/src/container/stats.md
@@ -0,0 +1,43 @@
+Display a live stream of one or more containers' resource usage statistics
+
+# Format
+
+   Pretty-print containers statistics using a Go template.
+   Valid placeholders:
+      .Container - Container name or ID.
+      .Name - Container name.
+      .ID - Container ID.
+      .CPUPerc - CPU percentage.
+      .MemUsage - Memory usage.
+      .NetIO - Network IO.
+      .BlockIO - Block IO.
+      .MemPerc - Memory percentage (Not available on Windows).
+      .PIDs - Number of PIDs (Not available on Windows).
+
+# EXAMPLES
+
+Running `docker container stats` on all running containers.
+
+    $ docker container stats
+    CONTAINER           CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O
+    1285939c1fd3        0.07%               796 KiB / 64 MiB        1.21%               788 B / 648 B       3.568 MB / 512 KB
+    9c76f7834ae2        0.07%               2.746 MiB / 64 MiB      4.29%               1.266 KB / 648 B    12.4 MB / 0 B
+    d1ea048f04e4        0.03%               4.583 MiB / 64 MiB      6.30%               2.854 KB / 648 B    27.7 MB / 0 B
+
+Running `docker container stats` on multiple containers by name and id.
+
+    $ docker container stats fervent_panini 5acfcb1b4fd1
+    CONTAINER           CPU %               MEM USAGE/LIMIT     MEM %               NET I/O
+    5acfcb1b4fd1        0.00%               115.2 MiB/1.045 GiB   11.03%              1.422 kB/648 B
+    fervent_panini      0.02%               11.08 MiB/1.045 GiB   1.06%               648 B/648 B
+
+Running `docker container stats` with customized format on all (Running and Stopped) containers.
+
+    $ docker container stats --all --format "table {{.ID}}\t{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}"
+    CONTAINER ID                                                       NAME                     CPU %               MEM USAGE / LIMIT
+    c9dfa83f0317f87637d5b7e67aa4223337d947215c5a9947e697e4f7d3e0f834   ecstatic_noether         0.00%               56KiB / 15.57GiB
+    8f92d01cf3b29b4f5fca4cd33d907e05def7af5a3684711b20a2369d211ec67f   stoic_goodall            0.07%               32.86MiB / 15.57GiB
+    38dd23dba00f307d53d040c1d18a91361bbdcccbf592315927d56cf13d8b7343   drunk_visvesvaraya       0.00%               0B / 0B
+    5a8b07ec4cc52823f3cbfdb964018623c1ba307bce2c057ccdbde5f4f6990833   big_heisenberg           0.00%               0B / 0B
+
+`drunk_visvesvaraya` and `big_heisenberg` are stopped containers in the above example.
diff --git a/cli/man/src/container/stop.md b/cli/man/src/container/stop.md
new file mode 100644
index 00000000..e3142481
--- /dev/null
+++ b/cli/man/src/container/stop.md
@@ -0,0 +1 @@
+Stop a container (Send SIGTERM, and then SIGKILL after grace period)
diff --git a/cli/man/src/container/top.md b/cli/man/src/container/top.md
new file mode 100644
index 00000000..5e243569
--- /dev/null
+++ b/cli/man/src/container/top.md
@@ -0,0 +1,11 @@
+Display the running process of the container. ps-OPTION can be any of the options you would pass to a Linux ps command.
+
+All displayed information is from host's point of view.
+
+# EXAMPLES
+
+Run **docker container top** with the ps option of -x:
+
+    $ docker container top 8601afda2b -x
+    PID      TTY       STAT       TIME         COMMAND
+    16623    ?         Ss         0:00         sleep 99999
diff --git a/cli/man/src/container/unpause.md b/cli/man/src/container/unpause.md
new file mode 100644
index 00000000..0e77ceed
--- /dev/null
+++ b/cli/man/src/container/unpause.md
@@ -0,0 +1,6 @@
+The `docker container unpause` command un-suspends all processes in a container.
+On Linux, it does this using the cgroups freezer.
+
+See the [cgroups freezer documentation]
+(https://www.kernel.org/doc/Documentation/cgroup-v1/freezer-subsystem.txt) for
+further details.
diff --git a/cli/man/src/container/update.md b/cli/man/src/container/update.md
new file mode 100644
index 00000000..26ee4e32
--- /dev/null
+++ b/cli/man/src/container/update.md
@@ -0,0 +1,102 @@
+The **docker container update** command dynamically updates container configuration.
+You can use this command to prevent containers from consuming too many 
+resources from their Docker host.  With a single command, you can place 
+limits on a single container or on many. To specify more than one container,
+provide space-separated list of container names or IDs.
+
+With the exception of the **--kernel-memory** option, you can specify these
+options on a running or a stopped container. On kernel version older than
+4.6, You can only update **--kernel-memory** on a stopped container or on
+a running container with kernel memory initialized.
+
+# OPTIONS
+
+## kernel-memory
+
+Kernel memory limit (format: `<number>[<unit>]`, where unit = b, k, m or g)
+
+Note that on kernel version older than 4.6, you can not update kernel memory on
+a running container if the container is started without kernel memory initialized,
+in this case, it can only be updated after it's stopped. The new setting takes
+effect when the container is started.
+
+## memory
+
+Memory limit (format: <number><optional unit>, where unit = b, k, m or g)
+
+Note that the memory should be smaller than the already set swap memory limit.
+If you want update a memory limit bigger than the already set swap memory limit,
+you should update swap memory limit at the same time. If you don't set swap memory 
+limit on docker create/run but only memory limit, the swap memory is double
+the memory limit.
+
+# EXAMPLES
+
+The following sections illustrate ways to use this command.
+
+### Update a container's cpu-shares
+
+To limit a container's cpu-shares to 512, first identify the container
+name or ID. You can use **docker ps** to find these values. You can also
+use the ID returned from the **docker run** command.  Then, do the following:
+
+```bash
+$ docker container update --cpu-shares 512 abebf7571666
+```
+
+### Update a container with cpu-shares and memory
+
+To update multiple resource configurations for multiple containers:
+
+```bash
+$ docker container update --cpu-shares 512 -m 300M abebf7571666 hopeful_morse
+```
+
+### Update a container's kernel memory constraints
+
+You can update a container's kernel memory limit using the **--kernel-memory**
+option. On kernel version older than 4.6, this option can be updated on a
+running container only if the container was started with **--kernel-memory**.
+If the container was started *without* **--kernel-memory** you need to stop
+the container before updating kernel memory.
+
+For example, if you started a container with this command:
+
+```bash
+$ docker run -dit --name test --kernel-memory 50M ubuntu bash
+```
+
+You can update kernel memory while the container is running:
+
+```bash
+$ docker container update --kernel-memory 80M test
+```
+
+If you started a container *without* kernel memory initialized:
+
+```bash
+$ docker run -dit --name test2 --memory 300M ubuntu bash
+```
+
+Update kernel memory of running container `test2` will fail. You need to stop
+the container before updating the **--kernel-memory** setting. The next time you
+start it, the container uses the new value.
+
+Kernel version newer than (include) 4.6 does not have this limitation, you
+can use `--kernel-memory` the same way as other options.
+
+### Update a container's restart policy
+
+You can change a container's restart policy on a running container. The new
+restart policy takes effect instantly after you run `docker container update` on a
+container.
+
+To update restart policy for one or more containers:
+
+```bash
+$ docker container update --restart=on-failure:3 abebf7571666 hopeful_morse
+```
+
+Note that if the container is started with "--rm" flag, you cannot update the restart
+policy for it. The `AutoRemove` and `RestartPolicy` are mutually exclusive for the
+container.
diff --git a/cli/man/src/container/wait.md b/cli/man/src/container/wait.md
new file mode 100644
index 00000000..63dcc5a4
--- /dev/null
+++ b/cli/man/src/container/wait.md
@@ -0,0 +1,8 @@
+Block until a container stops, then print its exit code.
+
+# EXAMPLES
+
+    $ docker run -d fedora sleep 99
+    079b83f558a2bc52ecad6b2a5de13622d584e6bb1aea058c11b36511e85e7622
+    $ docker container wait 079b83f558a2bc
+    0
diff --git a/cli/man/src/cp.md b/cli/man/src/cp.md
new file mode 100644
index 00000000..b1898ffc
--- /dev/null
+++ b/cli/man/src/cp.md
@@ -0,0 +1 @@
+Alias for `docker container cp`.
diff --git a/cli/man/src/create.md b/cli/man/src/create.md
new file mode 100644
index 00000000..f600d7d5
--- /dev/null
+++ b/cli/man/src/create.md
@@ -0,0 +1 @@
+Alias for `docker container create`.
diff --git a/cli/man/src/diff.md b/cli/man/src/diff.md
new file mode 100644
index 00000000..29a639ef
--- /dev/null
+++ b/cli/man/src/diff.md
@@ -0,0 +1 @@
+Alias for `docker container diff`.
diff --git a/cli/man/src/events.md b/cli/man/src/events.md
new file mode 100644
index 00000000..05fa614b
--- /dev/null
+++ b/cli/man/src/events.md
@@ -0,0 +1 @@
+Alias for `docker system events`.
diff --git a/cli/man/src/exec.md b/cli/man/src/exec.md
new file mode 100644
index 00000000..21d2ce31
--- /dev/null
+++ b/cli/man/src/exec.md
@@ -0,0 +1 @@
+Alias for `docker container exec`.
diff --git a/cli/man/src/export.md b/cli/man/src/export.md
new file mode 100644
index 00000000..1cc97997
--- /dev/null
+++ b/cli/man/src/export.md
@@ -0,0 +1 @@
+Alias for `docker container export`.
diff --git a/cli/man/src/history.md b/cli/man/src/history.md
new file mode 100644
index 00000000..8b5f3e87
--- /dev/null
+++ b/cli/man/src/history.md
@@ -0,0 +1 @@
+Alias for `docker image history`.
diff --git a/cli/man/src/image/build.md b/cli/man/src/image/build.md
new file mode 100644
index 00000000..9dc89758
--- /dev/null
+++ b/cli/man/src/image/build.md
@@ -0,0 +1 @@
+Alias for `docker build`.
diff --git a/cli/man/src/image/history.md b/cli/man/src/image/history.md
new file mode 100644
index 00000000..8c10e997
--- /dev/null
+++ b/cli/man/src/image/history.md
@@ -0,0 +1,54 @@
+Show the history of when and how an image was created.
+
+# EXAMPLES
+    $ docker history fedora
+    IMAGE          CREATED          CREATED BY                                      SIZE                COMMENT
+    105182bb5e8b   5 days ago       /bin/sh -c #(nop) ADD file:71356d2ad59aa3119d   372.7 MB
+    73bd853d2ea5   13 days ago      /bin/sh -c #(nop) MAINTAINER Lokesh Mandvekar   0 B
+    511136ea3c5a   10 months ago                                                    0 B                 Imported from -
+
+## Display comments in the image history
+The `docker commit` command has a **-m** flag for adding comments to the image. These comments will be displayed in the image history.
+
+    $ sudo docker history docker:scm
+    IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
+    2ac9d1098bf1        3 months ago        /bin/bash                                       241.4 MB            Added Apache to Fedora base image
+    88b42ffd1f7c        5 months ago        /bin/sh -c #(nop) ADD file:1fd8d7f9f6557cafc7   373.7 MB            
+    c69cab00d6ef        5 months ago        /bin/sh -c #(nop) MAINTAINER Lokesh Mandvekar   0 B                 
+    511136ea3c5a        19 months ago                                                       0 B                 Imported from -
+
+### Format the output
+
+The formatting option (`--format`) will pretty-prints history output
+using a Go template.
+
+Valid placeholders for the Go template are listed below:
+
+| Placeholder     | Description |
+| --------------- | ----------- |
+| `.ID`           | Image ID    |
+| `.CreatedSince` | Elapsed time since the image was created if `--human=true`, otherwise timestamp of when image was created |
+| `.CreatedAt`    | Timestamp of when image was created |
+| `.CreatedBy`    | Command that was used to create the image |
+| `.Size`         | Image disk size |
+| `.Comment`      | Comment for image |
+
+When using the `--format` option, the `history` command will either
+output the data exactly as the template declares or, when using the
+`table` directive, will include column headers as well.
+
+The following example uses a template without headers and outputs the
+`ID` and `CreatedSince` entries separated by a colon for all images:
+
+```bash
+$ docker images --format "{{.ID}}: {{.CreatedSince}} ago"
+
+cc1b61406712: 2 weeks ago
+<missing>: 2 weeks ago
+<missing>: 2 weeks ago
+<missing>: 2 weeks ago
+<missing>: 2 weeks ago
+<missing>: 3 weeks ago
+<missing>: 3 weeks ago
+<missing>: 3 weeks ago
+```
diff --git a/cli/man/src/image/import.md b/cli/man/src/image/import.md
new file mode 100644
index 00000000..2814a71e
--- /dev/null
+++ b/cli/man/src/image/import.md
@@ -0,0 +1,42 @@
+Create a new filesystem image from the contents of a tarball (`.tar`,
+`.tar.gz`, `.tgz`, `.bzip`, `.tar.xz`, `.txz`) into it, then optionally tag it.
+
+
+# EXAMPLES
+
+## Import from a remote location
+
+    # docker image import http://example.com/exampleimage.tgz example/imagerepo
+
+## Import from a local file
+
+Import to docker via pipe and stdin:
+
+    # cat exampleimage.tgz | docker image import - example/imagelocal
+
+Import with a commit message. 
+
+    # cat exampleimage.tgz | docker image import --message "New image imported from tarball" - exampleimagelocal:new
+
+Import to a Docker image from a local file.
+
+    # docker image import /path/to/exampleimage.tgz 
+
+
+## Import from a local file and tag
+
+Import to docker via pipe and stdin:
+
+    # cat exampleimageV2.tgz | docker image import - example/imagelocal:V-2.0
+
+## Import from a local directory
+
+    # tar -c . | docker image import - exampleimagedir
+
+## Apply specified Dockerfile instructions while importing the image
+This example sets the docker image ENV variable DEBUG to true by default.
+
+    # tar -c . | docker image import -c="ENV DEBUG true" - exampleimagedir
+
+# See also
+**docker-export(1)** to export the contents of a filesystem as a tar archive to STDOUT.
diff --git a/cli/man/src/image/load.md b/cli/man/src/image/load.md
new file mode 100644
index 00000000..81f126fd
--- /dev/null
+++ b/cli/man/src/image/load.md
@@ -0,0 +1,25 @@
+Loads a tarred repository from a file or the standard input stream.
+Restores both images and tags. Write image names or IDs imported it
+standard output stream.
+
+# EXAMPLES
+
+    $ docker images
+    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+    busybox             latest              769b9341d937        7 weeks ago         2.489 MB
+    $ docker load --input fedora.tar
+    # […]
+    Loaded image: fedora:rawhide
+    # […]
+    Loaded image: fedora:20
+    # […]
+    $ docker images
+    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+    busybox             latest              769b9341d937        7 weeks ago         2.489 MB
+    fedora              rawhide             0d20aec6529d        7 weeks ago         387 MB
+    fedora              20                  58394af37342        7 weeks ago         385.5 MB
+    fedora              heisenbug           58394af37342        7 weeks ago         385.5 MB
+    fedora              latest              58394af37342        7 weeks ago         385.5 MB
+
+# See also
+**docker-image-save(1)** to save one or more images to a tar archive (streamed to STDOUT by default).
diff --git a/cli/man/src/image/ls.md b/cli/man/src/image/ls.md
new file mode 100644
index 00000000..7e327499
--- /dev/null
+++ b/cli/man/src/image/ls.md
@@ -0,0 +1,118 @@
+This command lists the images stored in the local Docker repository.
+
+By default, intermediate images, used during builds, are not listed. Some of the
+output, e.g., image ID, is truncated, for space reasons. However the truncated
+image ID, and often the first few characters, are enough to be used in other
+Docker commands that use the image ID. The output includes repository, tag, image
+ID, date created and the virtual size.
+
+The title REPOSITORY for the first title may seem confusing. It is essentially
+the image name. However, because you can tag a specific image, and multiple tags
+(image instances) can be associated with a single name, the name is really a
+repository for all tagged images of the same name. For example consider an image
+called fedora. It may be tagged with 18, 19, or 20, etc. to manage different
+versions.
+
+## Filters
+
+Filters the output based on these conditions:
+
+   - dangling=(true|false) - find unused images
+   - label=<key> or label=<key>=<value>
+   - before=(<image-name>[:tag]|<image-id>|<image@digest>)
+   - since=(<image-name>[:tag]|<image-id>|<image@digest>)
+   - reference=(pattern of an image reference)
+
+## Format
+
+   Pretty-print images using a Go template.
+   Valid placeholders:
+      .ID - Image ID
+      .Repository - Image repository
+      .Tag - Image tag
+      .Digest - Image digest
+      .CreatedSince - Elapsed time since the image was created
+      .CreatedAt - Time when the image was created
+      .Size - Image disk size
+
+# EXAMPLES
+
+## Listing the images
+
+To list the images in a local repository (not the registry) run:
+
+    docker image ls
+
+The list will contain the image repository name, a tag for the image, and an
+image ID, when it was created and its virtual size. Columns: REPOSITORY, TAG,
+IMAGE ID, CREATED, and SIZE.
+
+The `docker image ls` command takes an optional `[REPOSITORY[:TAG]]` argument
+that restricts the list to images that match the argument. If you specify
+`REPOSITORY` but no `TAG`, the `docker image ls` command lists all images in the
+given repository.
+
+    docker image ls java
+
+The `[REPOSITORY[:TAG]]` value must be an "exact match". This means that, for example,
+`docker image ls jav` does not match the image `java`.
+
+If both `REPOSITORY` and `TAG` are provided, only images matching that
+repository and tag are listed.  To find all local images in the "java"
+repository with tag "8" you can use:
+
+    docker image ls java:8
+
+To get a verbose list of images which contains all the intermediate images
+used in builds use **-a**:
+
+    docker image ls -a
+
+Previously, the docker image ls command supported the --tree and --dot arguments,
+which displayed different visualizations of the image data. Docker core removed
+this functionality in the 1.7 version. If you liked this functionality, you can
+still find it in the third-party dockviz tool: https://github.com/justone/dockviz.
+
+## Listing images in a desired format
+
+When using the --format option, the image command will either output the data 
+exactly as the template declares or, when using the `table` directive, will 
+include column headers as well. You can use special characters like `\t` for
+inserting tab spacing between columns. 
+
+The following example uses a template without headers and outputs the ID and 
+Repository entries separated by a colon for all images:
+
+    docker images --format "{{.ID}}: {{.Repository}}"
+    77af4d6b9913: <none>
+    b6fa739cedf5: committ
+    78a85c484bad: ipbabble
+    30557a29d5ab: docker
+    5ed6274db6ce: <none>
+    746b819f315e: postgres
+    746b819f315e: postgres
+    746b819f315e: postgres
+    746b819f315e: postgres
+
+To list all images with their repository and tag in a table format you can use:
+
+    docker images --format "table {{.ID}}\t{{.Repository}}\t{{.Tag}}"
+    IMAGE ID            REPOSITORY                TAG
+    77af4d6b9913        <none>                    <none>
+    b6fa739cedf5        committ                   latest
+    78a85c484bad        ipbabble                  <none>
+    30557a29d5ab        docker                    latest
+    5ed6274db6ce        <none>                    <none>
+    746b819f315e        postgres                  9
+    746b819f315e        postgres                  9.3
+    746b819f315e        postgres                  9.3.5
+    746b819f315e        postgres                  latest
+
+Valid template placeholders are listed above.
+
+## Listing only the shortened image IDs
+
+Listing just the shortened image IDs. This can be useful for some automated
+tools.
+
+    docker image ls -q
diff --git a/cli/man/src/image/pull.md b/cli/man/src/image/pull.md
new file mode 100644
index 00000000..73f641f7
--- /dev/null
+++ b/cli/man/src/image/pull.md
@@ -0,0 +1,189 @@
+This command pulls down an image or a repository from a registry. If
+there is more than one image for a repository (e.g., fedora) then all
+images for that repository name can be pulled down including any tags
+(see the option **-a** or **--all-tags**).
+
+If you do not specify a `REGISTRY_HOST`, the command uses Docker's public
+registry located at `registry-1.docker.io` by default. 
+
+# EXAMPLES
+
+### Pull an image from Docker Hub
+
+To download a particular image, or set of images (i.e., a repository), use
+`docker image pull`. If no tag is provided, Docker Engine uses the `:latest` tag as a
+default. This command pulls the `debian:latest` image:
+
+    $ docker image pull debian
+
+    Using default tag: latest
+    latest: Pulling from library/debian
+    fdd5d7827f33: Pull complete
+    a3ed95caeb02: Pull complete
+    Digest: sha256:e7d38b3517548a1c71e41bffe9c8ae6d6d29546ce46bf62159837aad072c90aa
+    Status: Downloaded newer image for debian:latest
+
+Docker images can consist of multiple layers. In the example above, the image
+consists of two layers; `fdd5d7827f33` and `a3ed95caeb02`.
+
+Layers can be reused by images. For example, the `debian:jessie` image shares
+both layers with `debian:latest`. Pulling the `debian:jessie` image therefore
+only pulls its metadata, but not its layers, because all layers are already
+present locally:
+
+    $ docker image pull debian:jessie
+
+    jessie: Pulling from library/debian
+    fdd5d7827f33: Already exists
+    a3ed95caeb02: Already exists
+    Digest: sha256:a9c958be96d7d40df920e7041608f2f017af81800ca5ad23e327bc402626b58e
+    Status: Downloaded newer image for debian:jessie
+
+To see which images are present locally, use the **docker-images(1)**
+command:
+
+    $ docker images
+
+    REPOSITORY   TAG      IMAGE ID        CREATED      SIZE
+    debian       jessie   f50f9524513f    5 days ago   125.1 MB
+    debian       latest   f50f9524513f    5 days ago   125.1 MB
+
+Docker uses a content-addressable image store, and the image ID is a SHA256
+digest covering the image's configuration and layers. In the example above,
+`debian:jessie` and `debian:latest` have the same image ID because they are
+actually the *same* image tagged with different names. Because they are the
+same image, their layers are stored only once and do not consume extra disk
+space.
+
+For more information about images, layers, and the content-addressable store,
+refer to [about storage drivers](https://docs.docker.com/storage/storagedriver/)
+in the online documentation.
+
+
+## Pull an image by digest (immutable identifier)
+
+So far, you've pulled images by their name (and "tag"). Using names and tags is
+a convenient way to work with images. When using tags, you can `docker image pull` an
+image again to make sure you have the most up-to-date version of that image.
+For example, `docker image pull ubuntu:14.04` pulls the latest version of the Ubuntu
+14.04 image.
+
+In some cases you don't want images to be updated to newer versions, but prefer
+to use a fixed version of an image. Docker enables you to pull an image by its
+*digest*. When pulling an image by digest, you specify *exactly* which version
+of an image to pull. Doing so, allows you to "pin" an image to that version,
+and guarantee that the image you're using is always the same.
+
+To know the digest of an image, pull the image first. Let's pull the latest
+`ubuntu:14.04` image from Docker Hub:
+
+    $ docker image pull ubuntu:14.04
+
+    14.04: Pulling from library/ubuntu
+    5a132a7e7af1: Pull complete
+    fd2731e4c50c: Pull complete
+    28a2f68d1120: Pull complete
+    a3ed95caeb02: Pull complete
+    Digest: sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+    Status: Downloaded newer image for ubuntu:14.04
+
+Docker prints the digest of the image after the pull has finished. In the example
+above, the digest of the image is:
+
+    sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+
+Docker also prints the digest of an image when *pushing* to a registry. This
+may be useful if you want to pin to a version of the image you just pushed.
+
+A digest takes the place of the tag when pulling an image, for example, to 
+pull the above image by digest, run the following command:
+
+    $ docker image pull ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+
+    sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2: Pulling from library/ubuntu
+    5a132a7e7af1: Already exists
+    fd2731e4c50c: Already exists
+    28a2f68d1120: Already exists
+    a3ed95caeb02: Already exists
+    Digest: sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+    Status: Downloaded newer image for ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+
+Digest can also be used in the `FROM` of a Dockerfile, for example:
+
+    FROM ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+    MAINTAINER some maintainer <maintainer@example.com>
+
+> **Note**: Using this feature "pins" an image to a specific version in time.
+> Docker will therefore not pull updated versions of an image, which may include 
+> security updates. If you want to pull an updated image, you need to change the
+> digest accordingly.
+
+## Pulling from a different registry
+
+By default, `docker image pull` pulls images from Docker Hub. It is also possible to
+manually specify the path of a registry to pull from. For example, if you have
+set up a local registry, you can specify its path to pull from it. A registry
+path is similar to a URL, but does not contain a protocol specifier (`https://`).
+
+The following command pulls the `testing/test-image` image from a local registry
+listening on port 5000 (`myregistry.local:5000`):
+
+    $ docker image pull myregistry.local:5000/testing/test-image
+
+Registry credentials are managed by **docker-login(1)**.
+
+Docker uses the `https://` protocol to communicate with a registry, unless the
+registry is allowed to be accessed over an insecure connection. Refer to the
+[insecure registries](https://docs.docker.com/engine/reference/commandline/dockerd/#insecure-registries)
+section in the online documentation for more information.
+
+
+## Pull a repository with multiple images
+
+By default, `docker image pull` pulls a *single* image from the registry. A repository
+can contain multiple images. To pull all images from a repository, provide the
+`-a` (or `--all-tags`) option when using `docker image pull`.
+
+This command pulls all images from the `fedora` repository:
+
+    $ docker image pull --all-tags fedora
+
+    Pulling repository fedora
+    ad57ef8d78d7: Download complete
+    105182bb5e8b: Download complete
+    511136ea3c5a: Download complete
+    73bd853d2ea5: Download complete
+    ....
+
+    Status: Downloaded newer image for fedora
+
+After the pull has completed use the `docker images` command to see the
+images that were pulled. The example below shows all the `fedora` images
+that are present locally:
+
+    $ docker images fedora
+
+    REPOSITORY   TAG         IMAGE ID        CREATED      SIZE
+    fedora       rawhide     ad57ef8d78d7    5 days ago   359.3 MB
+    fedora       20          105182bb5e8b    5 days ago   372.7 MB
+    fedora       heisenbug   105182bb5e8b    5 days ago   372.7 MB
+    fedora       latest      105182bb5e8b    5 days ago   372.7 MB
+
+
+## Canceling a pull
+
+Killing the `docker image pull` process, for example by pressing `CTRL-c` while it is
+running in a terminal, will terminate the pull operation.
+
+    $ docker image pull fedora
+
+    Using default tag: latest
+    latest: Pulling from library/fedora
+    a3ed95caeb02: Pulling fs layer
+    236608c7b546: Pulling fs layer
+    ^C
+
+> **Note**: Technically, the Engine terminates a pull operation when the
+> connection between the Docker Engine daemon and the Docker Engine client
+> initiating the pull is lost. If the connection with the Engine daemon is
+> lost for other reasons than a manual interaction, the pull is also aborted.
diff --git a/cli/man/src/image/push.md b/cli/man/src/image/push.md
new file mode 100644
index 00000000..8b4334d2
--- /dev/null
+++ b/cli/man/src/image/push.md
@@ -0,0 +1,34 @@
+Use `docker image push` to share your images to the [Docker Hub](https://hub.docker.com)
+registry or to a self-hosted one.
+
+Refer to **docker-image-tag(1)** for more information about valid image and tag names.
+
+Killing the **docker image push** process, for example by pressing **CTRL-c** while it
+is running in a terminal, terminates the push operation.
+
+Registry credentials are managed by **docker-login(1)**.
+
+# EXAMPLES
+
+## Pushing a new image to a registry
+
+First save the new image by finding the container ID (using **docker container ls**)
+and then committing it to a new image name.  Note that only a-z0-9-_. are
+allowed when naming images:
+
+    # docker container commit c16378f943fe rhel-httpd
+
+Now, push the image to the registry using the image ID. In this example the
+registry is on host named `registry-host` and listening on port `5000`. To do
+this, tag the image with the host name or IP address, and the port of the
+registry:
+
+    # docker image tag rhel-httpd registry-host:5000/myadmin/rhel-httpd
+    # docker image push registry-host:5000/myadmin/rhel-httpd
+
+Check that this worked by running:
+
+    # docker image ls
+
+You should see both `rhel-httpd` and `registry-host:5000/myadmin/rhel-httpd`
+listed.
diff --git a/cli/man/src/image/rm.md b/cli/man/src/image/rm.md
new file mode 100644
index 00000000..348d4540
--- /dev/null
+++ b/cli/man/src/image/rm.md
@@ -0,0 +1,11 @@
+Removes one or more images from the host node. This does not remove images from
+a registry. You cannot remove an image of a running container unless you use the
+**-f** option. To see all images on a host use the **docker image ls** command.
+
+# EXAMPLES
+
+## Removing an image
+
+Here is an example of removing an image:
+
+    docker image rm fedora/httpd
diff --git a/cli/man/src/image/save.md b/cli/man/src/image/save.md
new file mode 100644
index 00000000..19d885ec
--- /dev/null
+++ b/cli/man/src/image/save.md
@@ -0,0 +1,19 @@
+Produces a tarred repository to the standard output stream. Contains all
+parent layers, and all tags + versions, or specified repo:tag.
+
+Stream to a file instead of STDOUT by using **-o**.
+
+# EXAMPLES
+
+Save all fedora repository images to a fedora-all.tar and save the latest
+fedora image to a fedora-latest.tar:
+
+    $ docker image save fedora > fedora-all.tar
+    $ docker image save --output=fedora-latest.tar fedora:latest
+    $ ls -sh fedora-all.tar
+    721M fedora-all.tar
+    $ ls -sh fedora-latest.tar
+    367M fedora-latest.tar
+
+# See also
+**docker-image-load(1)** to load an image from a tar archive on STDIN.
diff --git a/cli/man/src/image/tag.md b/cli/man/src/image/tag.md
new file mode 100644
index 00000000..16abd752
--- /dev/null
+++ b/cli/man/src/image/tag.md
@@ -0,0 +1,54 @@
+Assigns a new alias to an image in a registry. An alias refers to the
+entire image name including the optional `TAG` after the ':'. 
+
+# OPTIONS
+**NAME**
+   The image name which is made up of slash-separated name components, 
+   optionally prefixed by a registry hostname. The hostname must comply with 
+   standard DNS rules, but may not contain underscores. If a hostname is 
+   present, it may optionally be followed by a port number in the format 
+   `:8080`. If not present, the command uses Docker's public registry located at
+   `registry-1.docker.io` by default. Name components may contain lowercase 
+   letters, digits and separators. A separator is defined as a period, one or
+   two underscores, or one or more dashes. A name component may not start or end 
+   with a separator.
+
+**TAG**
+   The tag assigned to the image to version and distinguish images with the same
+   name. The tag name must be valid ASCII and may contain lowercase and
+   uppercase letters, digits, underscores, periods and hyphens. A tag name
+   may not start with a period or a hyphen and may contain a maximum of 128
+   characters.
+
+# EXAMPLES
+
+## Tagging an image referenced by ID
+
+To tag a local image with ID "0e5574283393" into the "fedora" repository with 
+"version1.0":
+
+    docker image tag 0e5574283393 fedora/httpd:version1.0
+
+## Tagging an image referenced by Name
+
+To tag a local image with name "httpd" into the "fedora" repository with 
+"version1.0":
+
+    docker image tag httpd fedora/httpd:version1.0
+
+Note that since the tag name is not specified, the alias is created for an
+existing local version `httpd:latest`.
+
+## Tagging an image referenced by Name and Tag
+
+To tag a local image with name "httpd" and tag "test" into the "fedora"
+repository with "version1.0.test":
+
+    docker image tag httpd:test fedora/httpd:version1.0.test
+
+## Tagging an image for a private repository
+
+To push an image to a private registry and not the central Docker
+registry you must tag it with the registry hostname and port (if needed).
+
+    docker image tag 0e5574283393 myregistryhost:5000/fedora/httpd:version1.0
diff --git a/cli/man/src/images.md b/cli/man/src/images.md
new file mode 100644
index 00000000..ae6a3875
--- /dev/null
+++ b/cli/man/src/images.md
@@ -0,0 +1 @@
+Alias for `docker image ls`.
diff --git a/cli/man/src/import.md b/cli/man/src/import.md
new file mode 100644
index 00000000..826c71b1
--- /dev/null
+++ b/cli/man/src/import.md
@@ -0,0 +1 @@
+Alias for `docker image import`.
diff --git a/cli/man/src/info.md b/cli/man/src/info.md
new file mode 100644
index 00000000..35e62f86
--- /dev/null
+++ b/cli/man/src/info.md
@@ -0,0 +1 @@
+Alias for `docker system info`.
diff --git a/cli/man/src/inspect.md b/cli/man/src/inspect.md
new file mode 100644
index 00000000..d0a2a683
--- /dev/null
+++ b/cli/man/src/inspect.md
@@ -0,0 +1,286 @@
+This displays the low-level information on Docker object(s) (e.g. container, 
+image, volume,network, node, service, or task) identified by name or ID. By default,
+this will render all results in a JSON array. If the container and image have
+the same name, this will return container JSON for unspecified type. If a format
+is specified, the given template will be executed for each result.
+
+# EXAMPLES
+
+Get information about an image when image name conflicts with the container name,
+e.g. both image and container are named rhel7:
+
+    $ docker inspect --type=image rhel7
+    [
+    {
+     "Id": "fe01a428b9d9de35d29531e9994157978e8c48fa693e1bf1d221dffbbb67b170",
+     "Parent": "10acc31def5d6f249b548e01e8ffbaccfd61af0240c17315a7ad393d022c5ca2",
+     ....
+    }
+    ]
+
+## Getting information on a container
+
+To get information on a container use its ID or instance name:
+
+    $ docker inspect d2cc496561d6
+    [{
+    "Id": "d2cc496561d6d520cbc0236b4ba88c362c446a7619992123f11c809cded25b47",
+    "Created": "2015-06-08T16:18:02.505155285Z",
+    "Path": "bash",
+    "Args": [],
+    "State": {
+        "Running": false,
+        "Paused": false,
+        "Restarting": false,
+        "OOMKilled": false,
+        "Dead": false,
+        "Pid": 0,
+        "ExitCode": 0,
+        "Error": "",
+        "StartedAt": "2015-06-08T16:18:03.643865954Z",
+        "FinishedAt": "2015-06-08T16:57:06.448552862Z"
+    },
+    "Image": "ded7cd95e059788f2586a51c275a4f151653779d6a7f4dad77c2bd34601d94e4",
+    "NetworkSettings": {
+        "Bridge": "",
+        "SandboxID": "6b4851d1903e16dd6a567bd526553a86664361f31036eaaa2f8454d6f4611f6f",
+        "HairpinMode": false,
+        "LinkLocalIPv6Address": "",
+        "LinkLocalIPv6PrefixLen": 0,
+        "Ports": {},
+        "SandboxKey": "/var/run/docker/netns/6b4851d1903e",
+        "SecondaryIPAddresses": null,
+        "SecondaryIPv6Addresses": null,
+        "EndpointID": "7587b82f0dada3656fda26588aee72630c6fab1536d36e394b2bfbcf898c971d",
+        "Gateway": "172.17.0.1",
+        "GlobalIPv6Address": "",
+        "GlobalIPv6PrefixLen": 0,
+        "IPAddress": "172.17.0.2",
+        "IPPrefixLen": 16,
+        "IPv6Gateway": "",
+        "MacAddress": "02:42:ac:12:00:02",
+        "Networks": {
+            "bridge": {
+                "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                "EndpointID": "7587b82f0dada3656fda26588aee72630c6fab1536d36e394b2bfbcf898c971d",
+                "Gateway": "172.17.0.1",
+                "IPAddress": "172.17.0.2",
+                "IPPrefixLen": 16,
+                "IPv6Gateway": "",
+                "GlobalIPv6Address": "",
+                "GlobalIPv6PrefixLen": 0,
+                "MacAddress": "02:42:ac:12:00:02"
+            }
+        }
+
+    },
+    "ResolvConfPath": "/var/lib/docker/containers/d2cc496561d6d520cbc0236b4ba88c362c446a7619992123f11c809cded25b47/resolv.conf",
+    "HostnamePath": "/var/lib/docker/containers/d2cc496561d6d520cbc0236b4ba88c362c446a7619992123f11c809cded25b47/hostname",
+    "HostsPath": "/var/lib/docker/containers/d2cc496561d6d520cbc0236b4ba88c362c446a7619992123f11c809cded25b47/hosts",
+    "LogPath": "/var/lib/docker/containers/d2cc496561d6d520cbc0236b4ba88c362c446a7619992123f11c809cded25b47/d2cc496561d6d520cbc0236b4ba88c362c446a7619992123f11c809cded25b47-json.log",
+    "Name": "/adoring_wozniak",
+    "RestartCount": 0,
+    "Driver": "devicemapper",
+    "MountLabel": "",
+    "ProcessLabel": "",
+    "Mounts": [
+      {
+        "Source": "/data",
+        "Destination": "/data",
+        "Mode": "ro,Z",
+        "RW": false
+	"Propagation": ""
+      }
+    ],
+    "AppArmorProfile": "",
+    "ExecIDs": null,
+    "HostConfig": {
+        "Binds": null,
+        "ContainerIDFile": "",
+        "Memory": 0,
+        "MemorySwap": 0,
+        "CpuShares": 0,
+        "CpuPeriod": 0,
+        "CpusetCpus": "",
+        "CpusetMems": "",
+        "CpuQuota": 0,
+        "BlkioWeight": 0,
+        "OomKillDisable": false,
+        "Privileged": false,
+        "PortBindings": {},
+        "Links": null,
+        "PublishAllPorts": false,
+        "Dns": null,
+        "DnsSearch": null,
+        "DnsOptions": null,
+        "ExtraHosts": null,
+        "VolumesFrom": null,
+        "Devices": [],
+        "NetworkMode": "bridge",
+        "IpcMode": "",
+        "PidMode": "",
+        "UTSMode": "",
+        "CapAdd": null,
+        "CapDrop": null,
+        "RestartPolicy": {
+            "Name": "no",
+            "MaximumRetryCount": 0
+        },
+        "SecurityOpt": null,
+        "ReadonlyRootfs": false,
+        "Ulimits": null,
+        "LogConfig": {
+            "Type": "json-file",
+            "Config": {}
+        },
+        "CgroupParent": ""
+    },
+    "GraphDriver": {
+        "Name": "devicemapper",
+        "Data": {
+            "DeviceId": "5",
+            "DeviceName": "docker-253:1-2763198-d2cc496561d6d520cbc0236b4ba88c362c446a7619992123f11c809cded25b47",
+            "DeviceSize": "171798691840"
+        }
+    },
+    "Config": {
+        "Hostname": "d2cc496561d6",
+        "Domainname": "",
+        "User": "",
+        "AttachStdin": true,
+        "AttachStdout": true,
+        "AttachStderr": true,
+        "ExposedPorts": null,
+        "Tty": true,
+        "OpenStdin": true,
+        "StdinOnce": true,
+        "Env": null,
+        "Cmd": [
+            "bash"
+        ],
+        "Image": "fedora",
+        "Volumes": null,
+        "VolumeDriver": "",
+        "WorkingDir": "",
+        "Entrypoint": null,
+        "NetworkDisabled": false,
+        "MacAddress": "",
+        "OnBuild": null,
+        "Labels": {},
+        "Memory": 0,
+        "MemorySwap": 0,
+        "CpuShares": 0,
+        "Cpuset": "",
+        "StopSignal": "SIGTERM"
+    }
+    }
+    ]
+## Getting the IP address of a container instance
+
+To get the IP address of a container use:
+
+    $ docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' d2cc496561d6
+    172.17.0.2
+
+## Listing all port bindings
+
+One can loop over arrays and maps in the results to produce simple text
+output:
+
+    $ docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}} \
+      {{$p}} -> {{(index $conf 0).HostPort}} {{end}}' d2cc496561d6
+      80/tcp -> 80
+
+You can get more information about how to write a Go template from:
+https://golang.org/pkg/text/template/.
+
+## Getting size information on a container
+
+    $ docker inspect -s d2cc496561d6
+    [
+    {
+    ....
+    "SizeRw": 0,
+    "SizeRootFs": 972,
+    ....
+    }
+    ]
+
+## Getting information on an image
+
+Use an image's ID or name (e.g., repository/name[:tag]) to get information
+about the image:
+
+    $ docker inspect ded7cd95e059
+    [{
+    "Id": "ded7cd95e059788f2586a51c275a4f151653779d6a7f4dad77c2bd34601d94e4",
+    "Parent": "48ecf305d2cf7046c1f5f8fcbcd4994403173441d4a7f125b1bb0ceead9de731",
+    "Comment": "",
+    "Created": "2015-05-27T16:58:22.937503085Z",
+    "Container": "76cf7f67d83a7a047454b33007d03e32a8f474ad332c3a03c94537edd22b312b",
+    "ContainerConfig": {
+        "Hostname": "76cf7f67d83a",
+        "Domainname": "",
+        "User": "",
+        "AttachStdin": false,
+        "AttachStdout": false,
+        "AttachStderr": false,
+        "ExposedPorts": null,
+        "Tty": false,
+        "OpenStdin": false,
+        "StdinOnce": false,
+        "Env": null,
+        "Cmd": [
+            "/bin/sh",
+            "-c",
+            "#(nop) ADD file:4be46382bcf2b095fcb9fe8334206b584eff60bb3fad8178cbd97697fcb2ea83 in /"
+        ],
+        "Image": "48ecf305d2cf7046c1f5f8fcbcd4994403173441d4a7f125b1bb0ceead9de731",
+        "Volumes": null,
+        "VolumeDriver": "",
+        "WorkingDir": "",
+        "Entrypoint": null,
+        "NetworkDisabled": false,
+        "MacAddress": "",
+        "OnBuild": null,
+        "Labels": {}
+    },
+    "DockerVersion": "1.6.0",
+    "Author": "Lokesh Mandvekar \u003clsm5@fedoraproject.org\u003e",
+    "Config": {
+        "Hostname": "76cf7f67d83a",
+        "Domainname": "",
+        "User": "",
+        "AttachStdin": false,
+        "AttachStdout": false,
+        "AttachStderr": false,
+        "ExposedPorts": null,
+        "Tty": false,
+        "OpenStdin": false,
+        "StdinOnce": false,
+        "Env": null,
+        "Cmd": null,
+        "Image": "48ecf305d2cf7046c1f5f8fcbcd4994403173441d4a7f125b1bb0ceead9de731",
+        "Volumes": null,
+        "VolumeDriver": "",
+        "WorkingDir": "",
+        "Entrypoint": null,
+        "NetworkDisabled": false,
+        "MacAddress": "",
+        "OnBuild": null,
+        "Labels": {}
+    },
+    "Architecture": "amd64",
+    "Os": "linux",
+    "Size": 186507296,
+    "VirtualSize": 186507296,
+    "GraphDriver": {
+        "Name": "devicemapper",
+        "Data": {
+            "DeviceId": "3",
+            "DeviceName": "docker-253:1-2763198-ded7cd95e059788f2586a51c275a4f151653779d6a7f4dad77c2bd34601d94e4",
+            "DeviceSize": "171798691840"
+        }
+    }
+    }
+    ]
diff --git a/cli/man/src/kill.md b/cli/man/src/kill.md
new file mode 100644
index 00000000..50efbcf0
--- /dev/null
+++ b/cli/man/src/kill.md
@@ -0,0 +1 @@
+Alias for `docker container kill`.
diff --git a/cli/man/src/load.md b/cli/man/src/load.md
new file mode 100644
index 00000000..60e77d7a
--- /dev/null
+++ b/cli/man/src/load.md
@@ -0,0 +1 @@
+Alias for `docker image load`.
diff --git a/cli/man/src/login.md b/cli/man/src/login.md
new file mode 100644
index 00000000..4d60882f
--- /dev/null
+++ b/cli/man/src/login.md
@@ -0,0 +1,22 @@
+Log in to a Docker Registry located on the specified
+`SERVER`.  You can specify a URL or a `hostname` for the `SERVER` value. If you
+do not specify a `SERVER`, the command uses Docker's public registry located at
+`https://registry-1.docker.io/` by default.  To get a username/password for Docker's public registry, create an account on Docker Hub.
+
+`docker login` requires user to use `sudo` or be `root`, except when:
+
+1.  connecting to  a remote daemon, such as a `docker-machine` provisioned `docker engine`.
+2.  user is added to the `docker` group.  This will impact the security of your system; the `docker` group is `root` equivalent.  See [Docker Daemon Attack Surface](https://docs.docker.com/engine/security/security/#/docker-daemon-attack-surface) for details.
+
+You can log into any public or private repository for which you have
+credentials.  When you log in, the command stores encoded credentials in
+`$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on Windows.
+
+# EXAMPLES
+
+## Login to a registry on your localhost
+
+    # docker login localhost:8080
+
+# See also
+**docker-logout(1)** to log out from a Docker registry.
diff --git a/cli/man/src/logout.md b/cli/man/src/logout.md
new file mode 100644
index 00000000..82620180
--- /dev/null
+++ b/cli/man/src/logout.md
@@ -0,0 +1,13 @@
+Log out of a Docker Registry located on the specified `SERVER`. You can
+specify a URL or a `hostname` for the `SERVER` value. If you do not specify a
+`SERVER`, the command attempts to log you out of Docker's public registry
+located at `https://registry-1.docker.io/` by default.  
+
+# EXAMPLES
+
+## Log out from a registry on your localhost
+
+    # docker logout localhost:8080
+
+# See also
+**docker-login(1)** to log in to a Docker registry server.
diff --git a/cli/man/src/logs.md b/cli/man/src/logs.md
new file mode 100644
index 00000000..e528150e
--- /dev/null
+++ b/cli/man/src/logs.md
@@ -0,0 +1 @@
+Alias for `docker container logs`.
diff --git a/cli/man/src/network/connect.md b/cli/man/src/network/connect.md
new file mode 100644
index 00000000..59bcc030
--- /dev/null
+++ b/cli/man/src/network/connect.md
@@ -0,0 +1,39 @@
+Connects a container to a network. You can connect a container by name
+or by ID. Once connected, the container can communicate with other containers in
+the same network.
+
+```bash
+$ docker network connect multi-host-network container1
+```
+
+You can also use the `docker run --network=<network-name>` option to start a container and immediately connect it to a network.
+
+```bash
+$ docker run -itd --network=multi-host-network --ip 172.20.88.22 --ip6 2001:db8::8822 busybox
+```
+You can pause, restart, and stop containers that are connected to a network.
+A container connects to its configured networks when it runs.
+
+If specified, the container's IP address(es) is reapplied when a stopped
+container is restarted. If the IP address is no longer available, the container
+fails to start. One way to guarantee that the IP address is available is
+to specify an `--ip-range` when creating the network, and choose the static IP
+address(es) from outside that range. This ensures that the IP address is not
+given to another container while this container is not on the network.
+
+```bash
+$ docker network create --subnet 172.20.0.0/16 --ip-range 172.20.240.0/20 multi-host-network
+```
+
+```bash
+$ docker network connect --ip 172.20.128.2 multi-host-network container2
+```
+
+To verify the container is connected, use the `docker network inspect` command. Use `docker network disconnect` to remove a container from the network.
+
+Once connected in network, containers can communicate using only another
+container's IP address or name. For `overlay` networks or custom plugins that
+support multi-host connectivity, containers connected to the same multi-host
+network but launched from different Engines can also communicate in this way.
+
+You can connect a container to one or more networks. The networks need not be the same type. For example, you can connect a single container bridge and overlay networks.
diff --git a/cli/man/src/network/create.md b/cli/man/src/network/create.md
new file mode 100644
index 00000000..e10e8060
--- /dev/null
+++ b/cli/man/src/network/create.md
@@ -0,0 +1,177 @@
+Creates a new network. The `DRIVER` accepts `bridge` or `overlay` which are the
+built-in network drivers. If you have installed a third party or your own custom
+network driver you can specify that `DRIVER` here also. If you don't specify the
+`--driver` option, the command automatically creates a `bridge` network for you.
+When you install Docker Engine it creates a `bridge` network automatically. This
+network corresponds to the `docker0` bridge that Engine has traditionally relied
+on. When you launch a new container with  `docker run` it automatically connects to
+this bridge network. You cannot remove this default bridge network but you can
+create new ones using the `network create` command.
+
+```bash
+$ docker network create -d bridge my-bridge-network
+```
+
+Bridge networks are isolated networks on a single Engine installation. If you
+want to create a network that spans multiple Docker hosts each running an
+Engine, you must create an `overlay` network. Unlike `bridge` networks overlay
+networks require some pre-existing conditions before you can create one. These
+conditions are:
+
+* Access to a key-value store. Engine supports Consul, Etcd, and Zookeeper (Distributed store) key-value stores.
+* A cluster of hosts with connectivity to the key-value store.
+* A properly configured Engine `daemon` on each host in the cluster.
+
+The `dockerd` options that support the `overlay` network are:
+
+* `--cluster-store`
+* `--cluster-store-opt`
+* `--cluster-advertise`
+
+To read more about these options and how to configure them, see ["*Get started
+with multi-host
+network*"](https://docs.docker.com/engine/userguide/networking/get-started-overlay/).
+
+It is also a good idea, though not required, that you install Docker Swarm on to
+manage the cluster that makes up your network. Swarm provides sophisticated
+discovery and server management that can assist your implementation.
+
+Once you have prepared the `overlay` network prerequisites you simply choose a
+Docker host in the cluster and issue the following to create the network:
+
+```bash
+$ docker network create -d overlay my-multihost-network
+```
+
+Network names must be unique. The Docker daemon attempts to identify naming
+conflicts but this is not guaranteed. It is the user's responsibility to avoid
+name conflicts.
+
+## Connect containers
+
+When you start a container use the `--network` flag to connect it to a network.
+This adds the `busybox` container to the `mynet` network.
+
+```bash
+$ docker run -itd --network=mynet busybox
+```
+
+If you want to add a container to a network after the container is already
+running use the `docker network connect` subcommand.
+
+You can connect multiple containers to the same network. Once connected, the
+containers can communicate using only another container's IP address or name.
+For `overlay` networks or custom plugins that support multi-host connectivity,
+containers connected to the same multi-host network but launched from different
+Engines can also communicate in this way.
+
+You can disconnect a container from a network using the `docker network
+disconnect` command.
+
+## Specifying advanced options
+
+When you create a network, Engine creates a non-overlapping subnetwork for the
+network by default. This subnetwork is not a subdivision of an existing network.
+It is purely for ip-addressing purposes. You can override this default and
+specify subnetwork values directly using the `--subnet` option. On a
+`bridge` network you can only create a single subnet:
+
+```bash
+$ docker network create -d bridge --subnet=192.168.0.0/16 br0
+```
+
+Additionally, you also specify the `--gateway` `--ip-range` and `--aux-address`
+options.
+
+```bash
+$ docker network create \
+  --driver=bridge \
+  --subnet=172.28.0.0/16 \
+  --ip-range=172.28.5.0/24 \
+  --gateway=172.28.5.254 \
+  br0
+```
+
+If you omit the `--gateway` flag the Engine selects one for you from inside a
+preferred pool. For `overlay` networks and for network driver plugins that
+support it you can create multiple subnetworks.
+
+```bash
+$ docker network create -d overlay \
+  --subnet=192.168.0.0/16 \
+  --subnet=192.170.0.0/16 \
+  --gateway=192.168.0.100 \ 
+  --gateway=192.170.0.100 \
+  --ip-range=192.168.1.0/24 \
+  --aux-address="my-router=192.168.1.5" --aux-address="my-switch=192.168.1.6" \
+  --aux-address="my-printer=192.170.1.5" --aux-address="my-nas=192.170.1.6" \
+  my-multihost-network
+```
+
+Be sure that your subnetworks do not overlap. If they do, the network create
+fails and Engine returns an error.
+
+### Network internal mode
+
+By default, when you connect a container to an `overlay` network, Docker also
+connects a bridge network to it to provide external connectivity. If you want
+to create an externally isolated `overlay` network, you can specify the
+`--internal` option.
+
+### Network ingress mode
+
+You can create the network which will be used to provide the routing-mesh in the
+swarm cluster. You do so by specifying `--ingress` when creating the network. Only
+one ingress network can be created at the time. The network can be removed only
+if no services depend on it. Any option available when creating an overlay network
+is also available when creating the ingress network, besides the `--attachable` option.
+
+```bash
+$ docker network create -d overlay \
+  --subnet=10.11.0.0/16 \
+  --ingress \
+  --opt com.docker.network.mtu=9216 \
+  --opt encrypted=true \
+  my-ingress-network
+```
+
+### Run services on predefined networks
+
+You can create services on the predefined docker networks `bridge` and `host`.
+
+```bash
+$ docker service create --name my-service \
+  --network host \
+  --replicas 2 \
+  busybox top
+```
+
+### Swarm networks with local scope drivers
+
+You can create a swarm network with local scope network drivers. You do so
+by promoting the network scope to `swarm` during the creation of the network. 
+You will then be able to use this network when creating services. 
+
+```bash
+$ docker network create -d bridge \
+  --scope swarm \
+  --attachable \
+  swarm-network
+```
+
+For network drivers which provide connectivity across hosts (ex. macvlan), if
+node specific configurations are needed in order to plumb the network on each
+host, you will supply that configuration via a configuration only network.
+When you create the swarm scoped network, you will then specify the name of the 
+network which contains the configuration.
+
+
+```bash
+node1$ docker network create --config-only --subnet 192.168.100.0/24 --gateway 192.168.100.115 mv-config
+node2$ docker network create --config-only --subnet 192.168.200.0/24 --gateway 192.168.200.202 mv-config
+node1$ docker network create -d macvlan --scope swarm --config-from mv-config --attachable swarm-network
+```
+
+
+
+
diff --git a/cli/man/src/network/disconnect.md b/cli/man/src/network/disconnect.md
new file mode 100644
index 00000000..13943f3f
--- /dev/null
+++ b/cli/man/src/network/disconnect.md
@@ -0,0 +1,5 @@
+Disconnects a container from a network.
+
+```bash
+$ docker network disconnect multi-host-network container1
+```
diff --git a/cli/man/src/network/inspect.md b/cli/man/src/network/inspect.md
new file mode 100644
index 00000000..a42db71c
--- /dev/null
+++ b/cli/man/src/network/inspect.md
@@ -0,0 +1,183 @@
+Returns information about one or more networks. By default, this command renders all results in a JSON object. For example, if you connect two containers to the default `bridge` network:
+
+```bash
+$ sudo docker run -itd --name=container1 busybox
+f2870c98fd504370fb86e59f32cd0753b1ac9b69b7d80566ffc7192a82b3ed27
+
+$ sudo docker run -itd --name=container2 busybox
+bda12f8922785d1f160be70736f26c1e331ab8aaf8ed8d56728508f2e2fd4727
+```
+
+The `network inspect` command shows the containers, by id, in its
+results. You can specify an alternate format to execute a given
+template for each result. Go's
+[text/template](http://golang.org/pkg/text/template/) package
+describes all the details of the format.
+
+```bash
+$ sudo docker network inspect bridge
+[
+    {
+        "Name": "bridge",
+        "Id": "b2b1a2cba717161d984383fd68218cf70bbbd17d328496885f7c921333228b0f",
+        "Scope": "local",
+        "Driver": "bridge",
+        "IPAM": {
+            "Driver": "default",
+            "Config": [
+                {
+                    "Subnet": "172.17.42.1/16",
+                    "Gateway": "172.17.42.1"
+                }
+            ]
+        },
+        "Internal": false,
+        "Ingress": false,
+        "Containers": {
+            "bda12f8922785d1f160be70736f26c1e331ab8aaf8ed8d56728508f2e2fd4727": {
+                "Name": "container2",
+                "EndpointID": "0aebb8fcd2b282abe1365979536f21ee4ceaf3ed56177c628eae9f706e00e019",
+                "MacAddress": "02:42:ac:11:00:02",
+                "IPv4Address": "172.17.0.2/16",
+                "IPv6Address": ""
+            },
+            "f2870c98fd504370fb86e59f32cd0753b1ac9b69b7d80566ffc7192a82b3ed27": {
+                "Name": "container1",
+                "EndpointID": "a00676d9c91a96bbe5bcfb34f705387a33d7cc365bac1a29e4e9728df92d10ad",
+                "MacAddress": "02:42:ac:11:00:01",
+                "IPv4Address": "172.17.0.1/16",
+                "IPv6Address": ""
+            }
+        },
+        "Options": {
+            "com.docker.network.bridge.default_bridge": "true",
+            "com.docker.network.bridge.enable_icc": "true",
+            "com.docker.network.bridge.enable_ip_masquerade": "true",
+            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+            "com.docker.network.bridge.name": "docker0",
+            "com.docker.network.driver.mtu": "1500"
+        }
+    }
+]
+```
+
+Returns the information about the user-defined network:
+
+```bash
+$ docker network create simple-network
+69568e6336d8c96bbf57869030919f7c69524f71183b44d80948bd3927c87f6a
+$ docker network inspect simple-network
+[
+    {
+        "Name": "simple-network",
+        "Id": "69568e6336d8c96bbf57869030919f7c69524f71183b44d80948bd3927c87f6a",
+        "Scope": "local",
+        "Driver": "bridge",
+        "IPAM": {
+            "Driver": "default",
+            "Config": [
+                {
+                    "Subnet": "172.22.0.0/16",
+                    "Gateway": "172.22.0.1"
+                }
+            ]
+        },
+        "Containers": {},
+        "Options": {}
+    }
+]
+```
+
+`docker network inspect --verbose` for swarm mode overlay networks shows service-specific
+details such as the service's VIP and port mappings. It also shows IPs of service tasks,
+and the IPs of the nodes where the tasks are running.
+
+Following is an example output for an overlay network `ov1` that has one service `s1`
+attached to. service `s1` in this case has three replicas.
+
+```bash
+$ docker network inspect --verbose ov1
+[
+    {
+        "Name": "ov1",
+        "Id": "ybmyjvao9vtzy3oorxbssj13b",
+        "Created": "2017-03-13T17:04:39.776106792Z",
+        "Scope": "swarm",
+        "Driver": "overlay",
+        "EnableIPv6": false,
+        "IPAM": {
+            "Driver": "default",
+            "Options": null,
+            "Config": [
+                {
+                    "Subnet": "10.0.0.0/24",
+                    "Gateway": "10.0.0.1"
+                }
+            ]
+        },
+        "Internal": false,
+        "Attachable": false,
+        "Ingress": false,
+        "Containers": {
+            "020403bd88a15f60747fd25d1ad5fa1272eb740e8a97fc547d8ad07b2f721c5e": {
+                "Name": "s1.1.pjn2ik0sfgkfzed3h0s00gs9o",
+                "EndpointID": "ad16946f416562d658f3bb30b9830d73ad91ccf6feae44411269cd0ff674714e",
+                "MacAddress": "02:42:0a:00:00:04",
+                "IPv4Address": "10.0.0.4/24",
+                "IPv6Address": ""
+            }
+        },
+        "Options": {
+            "com.docker.network.driver.overlay.vxlanid_list": "4097"
+        },
+        "Labels": {},
+        "Peers": [
+            {
+                "Name": "net-3-5d3cfd30a58c",
+                "IP": "192.168.33.13"
+            },
+            {
+                "Name": "net-1-6ecbc0040a73",
+                "IP": "192.168.33.11"
+            },
+            {
+                "Name": "net-2-fb80208efd75",
+                "IP": "192.168.33.12"
+            }
+        ],
+        "Services": {
+            "s1": {
+                "VIP": "10.0.0.2",
+                "Ports": [],
+                "LocalLBIndex": 257,
+                "Tasks": [
+                    {
+                        "Name": "s1.2.q4hcq2aiiml25ubtrtg4q1txt",
+                        "EndpointID": "040879b027e55fb658e8b60ae3b87c6cdac7d291e86a190a3b5ac6567b26511a",
+                        "EndpointIP": "10.0.0.5",
+                        "Info": {
+                            "Host IP": "192.168.33.11"
+                        }
+                    },
+                    {
+                        "Name": "s1.3.yawl4cgkp7imkfx469kn9j6lm",
+                        "EndpointID": "106edff9f120efe44068b834e1cddb5b39dd4a3af70211378b2f7a9e562bbad8",
+                        "EndpointIP": "10.0.0.3",
+                        "Info": {
+                            "Host IP": "192.168.33.12"
+                        }
+                    },
+                    {
+                        "Name": "s1.1.pjn2ik0sfgkfzed3h0s00gs9o",
+                        "EndpointID": "ad16946f416562d658f3bb30b9830d73ad91ccf6feae44411269cd0ff674714e",
+                        "EndpointIP": "10.0.0.4",
+                        "Info": {
+                            "Host IP": "192.168.33.13"
+                        }
+                    }
+                ]
+            }
+        }
+    }
+]
+```
diff --git a/cli/man/src/network/ls.md b/cli/man/src/network/ls.md
new file mode 100644
index 00000000..41734495
--- /dev/null
+++ b/cli/man/src/network/ls.md
@@ -0,0 +1,182 @@
+Lists all the networks the Engine `daemon` knows about. This includes the
+networks that span across multiple hosts in a cluster, for example:
+
+```bash
+    $ docker network ls
+    NETWORK ID          NAME                DRIVER          SCOPE
+    7fca4eb8c647        bridge              bridge          local
+    9f904ee27bf5        none                null            local
+    cf03ee007fb4        host                host            local
+    78b03ee04fc4        multi-host          overlay         swarm
+```
+
+Use the `--no-trunc` option to display the full network id:
+
+```bash
+$ docker network ls --no-trunc
+NETWORK ID                                                         NAME                DRIVER
+18a2866682b85619a026c81b98a5e375bd33e1b0936a26cc497c283d27bae9b3   none                null                
+c288470c46f6c8949c5f7e5099b5b7947b07eabe8d9a27d79a9cbf111adcbf47   host                host                
+7b369448dccbf865d397c8d2be0cda7cf7edc6b0945f77d2529912ae917a0185   bridge              bridge              
+95e74588f40db048e86320c6526440c504650a1ff3e9f7d60a497c4d2163e5bd   foo                 bridge    
+63d1ff1f77b07ca51070a8c227e962238358bd310bde1529cf62e6c307ade161   dev                 bridge
+```
+
+## Filtering
+
+The filtering flag (`-f` or `--filter`) format is a `key=value` pair. If there
+is more than one filter, then pass multiple flags (e.g. `--filter "foo=bar" --filter "bif=baz"`).
+Multiple filter flags are combined as an `OR` filter. For example, 
+`-f type=custom -f type=builtin` returns both `custom` and `builtin` networks.
+
+The currently supported filters are:
+
+* driver
+* id (network's id)
+* label (`label=<key>` or `label=<key>=<value>`)
+* name (network's name)
+* scope (`swarm|global|local`)
+* type (custom|builtin)
+
+#### Driver
+
+The `driver` filter matches networks based on their driver.
+
+The following example matches networks with the `bridge` driver:
+
+```bash
+$ docker network ls --filter driver=bridge
+NETWORK ID          NAME                DRIVER
+db9db329f835        test1               bridge
+f6e212da9dfd        test2               bridge
+```
+
+#### ID
+
+The `id` filter matches on all or part of a network's ID.
+
+The following filter matches all networks with an ID containing the
+`63d1ff1f77b0...` string.
+
+```bash
+$ docker network ls --filter id=63d1ff1f77b07ca51070a8c227e962238358bd310bde1529cf62e6c307ade161
+NETWORK ID          NAME                DRIVER
+63d1ff1f77b0        dev                 bridge
+```
+
+You can also filter for a substring in an ID as this shows:
+
+```bash
+$ docker network ls --filter id=95e74588f40d
+NETWORK ID          NAME                DRIVER
+95e74588f40d        foo                 bridge
+
+$ docker network ls --filter id=95e
+NETWORK ID          NAME                DRIVER
+95e74588f40d        foo                 bridge
+```
+
+#### Label
+
+The `label` filter matches networks based on the presence of a `label` alone or a `label` and a
+value.
+
+The following filter matches networks with the `usage` label regardless of its value.
+
+```bash
+$ docker network ls -f "label=usage"
+NETWORK ID          NAME                DRIVER
+db9db329f835        test1               bridge              
+f6e212da9dfd        test2               bridge
+```
+
+The following filter matches networks with the `usage` label with the `prod` value.
+
+```bash
+$ docker network ls -f "label=usage=prod"
+NETWORK ID          NAME                DRIVER
+f6e212da9dfd        test2               bridge
+```
+
+#### Name
+
+The `name` filter matches on all or part of a network's name.
+
+The following filter matches all networks with a name containing the `foobar` string.
+
+```bash
+$ docker network ls --filter name=foobar
+NETWORK ID          NAME                DRIVER
+06e7eef0a170        foobar              bridge
+```
+
+You can also filter for a substring in a name as this shows:
+
+```bash
+$ docker network ls --filter name=foo
+NETWORK ID          NAME                DRIVER
+95e74588f40d        foo                 bridge
+06e7eef0a170        foobar              bridge
+```
+
+#### Scope
+
+The `scope` filter matches networks based on their scope.
+
+The following example matches networks with the `swarm` scope:
+
+```bash
+$ docker network ls --filter scope=swarm
+NETWORK ID          NAME                DRIVER              SCOPE
+xbtm0v4f1lfh        ingress             overlay             swarm
+ic6r88twuu92        swarmnet            overlay             swarm
+```
+
+The following example matches networks with the `local` scope:
+
+```bash
+$ docker network ls --filter scope=local
+NETWORK ID          NAME                DRIVER              SCOPE
+e85227439ac7        bridge              bridge              local
+0ca0e19443ed        host                host                local
+ca13cc149a36        localnet            bridge              local
+f9e115d2de35        none                null                local
+```
+
+#### Type
+
+The `type` filter supports two values; `builtin` displays predefined networks
+(`bridge`, `none`, `host`), whereas `custom` displays user defined networks.
+
+The following filter matches all user defined networks:
+
+```bash
+$ docker network ls --filter type=custom
+NETWORK ID          NAME                DRIVER
+95e74588f40d        foo                 bridge
+63d1ff1f77b0        dev                 bridge
+```
+
+By having this flag it allows for batch cleanup. For example, use this filter
+to delete all user defined networks:
+
+```bash
+$ docker network rm `docker network ls --filter type=custom -q`
+```
+
+A warning will be issued when trying to remove a network that has containers
+attached.
+
+## Format
+
+Format uses a Go template to print the output. The following variables are 
+supported: 
+
+* .ID - Network ID
+* .Name - Network name
+* .Driver - Network driver
+* .Scope - Network scope (local, global)
+* .IPv6 - Whether IPv6 is enabled on the network or not
+* .Internal - Whether the network is internal or not
+* .Labels - All labels assigned to the network
+* .Label - Value of a specific label for this network. For example `{{.Label "project.version"}}`
diff --git a/cli/man/src/network/rm.md b/cli/man/src/network/rm.md
new file mode 100644
index 00000000..815b6a48
--- /dev/null
+++ b/cli/man/src/network/rm.md
@@ -0,0 +1,20 @@
+Removes one or more networks by name or identifier. To remove a network,
+you must first disconnect any containers connected to it.
+To remove the network named 'my-network':
+
+```bash
+  $ docker network rm my-network
+```
+
+To delete multiple networks in a single `docker network rm` command, provide
+multiple network names or ids. The following example deletes a network with id
+`3695c422697f` and a network named `my-network`:
+
+```bash
+  $ docker network rm 3695c422697f my-network
+```
+
+When you specify multiple networks, the command attempts to delete each in turn.
+If the deletion of one network fails, the command continues to the next on the
+list and tries to delete that. The command reports success or failure for each
+deletion.
diff --git a/cli/man/src/pause.md b/cli/man/src/pause.md
new file mode 100644
index 00000000..8779d060
--- /dev/null
+++ b/cli/man/src/pause.md
@@ -0,0 +1 @@
+Alias for `docker container pause`.
diff --git a/cli/man/src/plugin/ls.md b/cli/man/src/plugin/ls.md
new file mode 100644
index 00000000..f9f39452
--- /dev/null
+++ b/cli/man/src/plugin/ls.md
@@ -0,0 +1,43 @@
+Lists all the plugins that are currently installed. You can install plugins
+using the `docker plugin install` command.
+You can also filter using the `-f` or `--filter` flag.
+
+## Filters
+
+Filter output based on these conditions:
+   - enabled=(true|false) - plugins that are enabled or not
+   - capability=<string> - filters plugins based on capabilities (currently `volumedriver`, `networkdriver`, `ipamdriver`, or `authz`)
+
+## Format
+
+   Pretty-print plugins using a Go template.
+   Valid placeholders:
+      .ID - Plugin ID.
+      .Name - Plugin Name.
+      .Description - Plugin description.
+      .Enabled - Whether plugin is enabled or not.
+
+# EXAMPLES
+## Display all plugins
+
+    $ docker plugin ls
+    ID                  NAME                                    DESCRIPTION                         ENABLED
+    869080b57404        tiborvass/sample-volume-plugin:latest   A sample volume plugin for Docker   true
+    141bf6c02ddd        vieux/sshfs:latest                      sshFS plugin for Docker             false
+
+## Display plugins with their ID and names
+
+    $ docker plugin ls --format "{{.ID}}: {{.Name}}"
+    869080b57404: tiborvass/sample-volume-plugin:latest
+
+## Display enabled plugins
+
+    $ docker plugin ls --filter enabled=true
+    ID                  NAME                                    DESCRIPTION                         ENABLED
+    869080b57404        tiborvass/sample-volume-plugin:latest   A sample volume plugin for Docker   true
+
+## Display plugins with `volumedriver` capability
+
+    $ docker plugin ls --filter capability=volumedriver --format "table {{.ID}}\t{{.Name}}"
+    ID                  Name
+    869080b57404        tiborvass/sample-volume-plugin:latest
diff --git a/cli/man/src/port.md b/cli/man/src/port.md
new file mode 100644
index 00000000..b540ce17
--- /dev/null
+++ b/cli/man/src/port.md
@@ -0,0 +1 @@
+Alias for `docker container port`.
diff --git a/cli/man/src/ps.md b/cli/man/src/ps.md
new file mode 100644
index 00000000..83f289e8
--- /dev/null
+++ b/cli/man/src/ps.md
@@ -0,0 +1 @@
+Alias for `docker container ls`.
diff --git a/cli/man/src/pull.md b/cli/man/src/pull.md
new file mode 100644
index 00000000..78b0ab87
--- /dev/null
+++ b/cli/man/src/pull.md
@@ -0,0 +1 @@
+Alias for `docker image pull`.
diff --git a/cli/man/src/push.md b/cli/man/src/push.md
new file mode 100644
index 00000000..84f721e0
--- /dev/null
+++ b/cli/man/src/push.md
@@ -0,0 +1 @@
+Alias for `docker image push`.
diff --git a/cli/man/src/rename.md b/cli/man/src/rename.md
new file mode 100644
index 00000000..7a237f42
--- /dev/null
+++ b/cli/man/src/rename.md
@@ -0,0 +1 @@
+Alias for `docker container rename`.
diff --git a/cli/man/src/restart.md b/cli/man/src/restart.md
new file mode 100644
index 00000000..eddad06b
--- /dev/null
+++ b/cli/man/src/restart.md
@@ -0,0 +1 @@
+Alias for `docker container restart`.
diff --git a/cli/man/src/rm.md b/cli/man/src/rm.md
new file mode 100644
index 00000000..8b0cbd65
--- /dev/null
+++ b/cli/man/src/rm.md
@@ -0,0 +1 @@
+Alias for `docker container rm`.
diff --git a/cli/man/src/rmi.md b/cli/man/src/rmi.md
new file mode 100644
index 00000000..b7775049
--- /dev/null
+++ b/cli/man/src/rmi.md
@@ -0,0 +1 @@
+Alias for `docker image rm`.
diff --git a/cli/man/src/save.md b/cli/man/src/save.md
new file mode 100644
index 00000000..95127f5a
--- /dev/null
+++ b/cli/man/src/save.md
@@ -0,0 +1 @@
+Alias for `docker image save`.
diff --git a/cli/man/src/search.md b/cli/man/src/search.md
new file mode 100644
index 00000000..cf2ac4f1
--- /dev/null
+++ b/cli/man/src/search.md
@@ -0,0 +1,36 @@
+Search Docker Hub for images that match the specified `TERM`. The table
+of images returned displays the name, description (truncated by default), number
+of stars awarded, whether the image is official, and whether it is automated.
+
+*Note* - Search queries will only return up to 25 results
+
+## Filter
+
+   Filter output based on these conditions:
+   - stars=<numberOfStar>
+   - is-automated=(true|false)
+   - is-official=(true|false)
+
+# EXAMPLES
+
+## Search Docker Hub for ranked images
+
+Search a registry for the term 'fedora' and only display those images
+ranked 3 or higher:
+
+    $ docker search --filter=stars=3 fedora
+    NAME                  DESCRIPTION                                    STARS OFFICIAL  AUTOMATED
+    mattdm/fedora         A basic Fedora image corresponding roughly...  50
+    fedora                (Semi) Official Fedora base image.             38
+    mattdm/fedora-small   A small Fedora image on which to build. Co...  8
+    goldmann/wildfly      A WildFly application server running on a ...  3               [OK]
+
+## Search Docker Hub for automated images
+
+Search Docker Hub for the term 'fedora' and only display automated images
+ranked 1 or higher:
+
+    $ docker search --filter=is-automated=true --filter=stars=1 fedora
+    NAME               DESCRIPTION                                     STARS OFFICIAL  AUTOMATED
+    goldmann/wildfly   A WildFly application server running on a ...   3               [OK]
+    tutum/fedora-20    Fedora 20 image with SSH access. For the r...   1               [OK]
diff --git a/cli/man/src/start.md b/cli/man/src/start.md
new file mode 100644
index 00000000..9bab8677
--- /dev/null
+++ b/cli/man/src/start.md
@@ -0,0 +1 @@
+Alias for `docker container start`.
diff --git a/cli/man/src/stats.md b/cli/man/src/stats.md
new file mode 100644
index 00000000..f709ce4f
--- /dev/null
+++ b/cli/man/src/stats.md
@@ -0,0 +1 @@
+Alias for `docker container stats`.
diff --git a/cli/man/src/stop.md b/cli/man/src/stop.md
new file mode 100644
index 00000000..35fd07b6
--- /dev/null
+++ b/cli/man/src/stop.md
@@ -0,0 +1 @@
+Alias for `docker container stop`.
diff --git a/cli/man/src/system/events.md b/cli/man/src/system/events.md
new file mode 100644
index 00000000..44adc6c3
--- /dev/null
+++ b/cli/man/src/system/events.md
@@ -0,0 +1,134 @@
+Get event information from the Docker daemon. Information can include historical
+information and real-time information.
+
+Docker containers will report the following events:
+
+    attach, commit, copy, create, destroy, detach, die, exec_create, exec_detach, exec_start, export, kill, oom, pause, rename, resize, restart, start, stop, top, unpause, update
+
+Docker images report the following events:
+
+    delete, import, load, pull, push, save, tag, untag
+
+Docker volumes report the following events:
+
+    create, mount, unmount, destroy
+
+Docker networks report the following events:
+
+    create, connect, disconnect, destroy
+
+# OPTIONS
+
+The `--since` and `--until` parameters can be Unix timestamps, date formatted
+timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed
+relative to the client machine's time. If you do not provide the `--since` option,
+the command returns only new and/or live events.  Supported formats for date
+formatted time stamps include RFC3339Nano, RFC3339, `2006-01-02T15:04:05`,
+`2006-01-02T15:04:05.999999999`, `2006-01-02Z07:00`, and `2006-01-02`. The local
+timezone on the client will be used if you do not provide either a `Z` or a
+`+-00:00` timezone offset at the end of the timestamp.  When providing Unix
+timestamps enter seconds[.nanoseconds], where seconds is the number of seconds
+that have elapsed since January 1, 1970 (midnight UTC/GMT), not counting leap
+seconds (aka Unix epoch or Unix time), and the optional .nanoseconds field is a
+fraction of a second no more than nine digits long.
+
+# EXAMPLES
+
+## Listening for Docker events
+
+After running docker events a container 786d698004576 is started and stopped
+(The container name has been shortened in the output below):
+
+    # docker events
+    2015-01-28T20:21:31.000000000-08:00 59211849bc10: (from whenry/testimage:latest) start
+    2015-01-28T20:21:31.000000000-08:00 59211849bc10: (from whenry/testimage:latest) die
+    2015-01-28T20:21:32.000000000-08:00 59211849bc10: (from whenry/testimage:latest) stop
+
+## Listening for events since a given date
+Again the output container IDs have been shortened for the purposes of this document:
+
+    # docker events --since '2015-01-28'
+    2015-01-28T20:25:38.000000000-08:00 c21f6c22ba27: (from whenry/testimage:latest) create
+    2015-01-28T20:25:38.000000000-08:00 c21f6c22ba27: (from whenry/testimage:latest) start
+    2015-01-28T20:25:39.000000000-08:00 c21f6c22ba27: (from whenry/testimage:latest) create
+    2015-01-28T20:25:39.000000000-08:00 c21f6c22ba27: (from whenry/testimage:latest) start
+    2015-01-28T20:25:40.000000000-08:00 c21f6c22ba27: (from whenry/testimage:latest) die
+    2015-01-28T20:25:42.000000000-08:00 c21f6c22ba27: (from whenry/testimage:latest) stop
+    2015-01-28T20:25:45.000000000-08:00 c21f6c22ba27: (from whenry/testimage:latest) start
+    2015-01-28T20:25:45.000000000-08:00 c21f6c22ba27: (from whenry/testimage:latest) die
+    2015-01-28T20:25:46.000000000-08:00 c21f6c22ba27: (from whenry/testimage:latest) stop
+
+The following example outputs all events that were generated in the last 3 minutes,
+relative to the current time on the client machine:
+
+    # docker events --since '3m'
+    2015-05-12T11:51:30.999999999Z07:00  4386fb97867d: (from ubuntu-1:14.04) die
+    2015-05-12T15:52:12.999999999Z07:00  4386fb97867d: (from ubuntu-1:14.04) stop
+    2015-05-12T15:53:45.999999999Z07:00  7805c1d35632: (from redis:2.8) die
+    2015-05-12T15:54:03.999999999Z07:00  7805c1d35632: (from redis:2.8) stop
+
+If you do not provide the --since option, the command returns only new and/or
+live events.
+
+## Format
+
+If a format (`--format`) is specified, the given template will be executed
+instead of the default format. Go's **text/template** package describes all the
+details of the format.
+
+    # docker events --filter 'type=container' --format 'Type={{.Type}}  Status={{.Status}}  ID={{.ID}}'
+    Type=container  Status=create  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+    Type=container  Status=attach  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+    Type=container  Status=start  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+    Type=container  Status=resize  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+    Type=container  Status=die  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+    Type=container  Status=destroy  ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
+
+If a format is set to `{{json .}}`, the events are streamed as valid JSON
+Lines. For information about JSON Lines, please refer to http://jsonlines.org/ .
+
+    # docker events --format '{{json .}}'
+    {"status":"create","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
+    {"status":"attach","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
+    {"Type":"network","Action":"connect","Actor":{"ID":"1b50a5bf755f6021dfa78e..
+    {"status":"start","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f42..
+    {"status":"resize","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
+
+## Filters
+
+    $ docker events --filter 'event=stop'
+    2014-05-10T17:42:14.999999999Z07:00 container stop 4386fb97867d (image=ubuntu-1:14.04)
+    2014-09-03T17:42:14.999999999Z07:00 container stop 7805c1d35632 (image=redis:2.8)
+
+    $ docker events --filter 'image=ubuntu-1:14.04'
+    2014-05-10T17:42:14.999999999Z07:00 container start 4386fb97867d (image=ubuntu-1:14.04)
+    2014-05-10T17:42:14.999999999Z07:00 container die 4386fb97867d (image=ubuntu-1:14.04)
+    2014-05-10T17:42:14.999999999Z07:00 container stop 4386fb97867d (image=ubuntu-1:14.04)
+
+    $ docker events --filter 'container=7805c1d35632'
+    2014-05-10T17:42:14.999999999Z07:00 container die 7805c1d35632 (image=redis:2.8)
+    2014-09-03T15:49:29.999999999Z07:00 container stop 7805c1d35632 (image= redis:2.8)
+
+    $ docker events --filter 'container=7805c1d35632' --filter 'container=4386fb97867d'
+    2014-09-03T15:49:29.999999999Z07:00 container die 4386fb97867d (image=ubuntu-1:14.04)
+    2014-05-10T17:42:14.999999999Z07:00 container stop 4386fb97867d (image=ubuntu-1:14.04)
+    2014-05-10T17:42:14.999999999Z07:00 container die 7805c1d35632 (image=redis:2.8)
+    2014-09-03T15:49:29.999999999Z07:00 container stop 7805c1d35632 (image=redis:2.8)
+
+    $ docker events --filter 'container=7805c1d35632' --filter 'event=stop'
+    2014-09-03T15:49:29.999999999Z07:00 container stop 7805c1d35632 (image=redis:2.8)
+
+    $ docker events --filter 'type=volume'
+    2015-12-23T21:05:28.136212689Z volume create test-event-volume-local (driver=local)
+    2015-12-23T21:05:28.383462717Z volume mount test-event-volume-local (read/write=true, container=562fe10671e9273da25eed36cdce26159085ac7ee6707105fd534866340a5025, destination=/foo, driver=local, propagation=rprivate)
+    2015-12-23T21:05:28.650314265Z volume unmount test-event-volume-local (container=562fe10671e9273da25eed36cdce26159085ac7ee6707105fd534866340a5025, driver=local)
+    2015-12-23T21:05:28.716218405Z volume destroy test-event-volume-local (driver=local)
+
+    $ docker events --filter 'type=network'
+    2015-12-23T21:38:24.705709133Z network create 8b111217944ba0ba844a65b13efcd57dc494932ee2527577758f939315ba2c5b (name=test-event-network-local, type=bridge)
+    2015-12-23T21:38:25.119625123Z network connect 8b111217944ba0ba844a65b13efcd57dc494932ee2527577758f939315ba2c5b (name=test-event-network-local, container=b4be644031a3d90b400f88ab3d4bdf4dc23adb250e696b6328b85441abe2c54e, type=bridge)
+
+    $ docker events --filter 'type=plugin' (experimental)
+    2016-07-25T17:30:14.825557616Z plugin pull ec7b87f2ce84330fe076e666f17dfc049d2d7ae0b8190763de94e1f2d105993f (name=tiborvass/sample-volume-plugin:latest)
+    2016-07-25T17:30:14.888127370Z plugin enable ec7b87f2ce84330fe076e666f17dfc049d2d7ae0b8190763de94e1f2d105993f (name=tiborvass/sample-volume-plugin:latest)
+
diff --git a/cli/man/src/system/info.md b/cli/man/src/system/info.md
new file mode 100644
index 00000000..9a87e985
--- /dev/null
+++ b/cli/man/src/system/info.md
@@ -0,0 +1,163 @@
+This command displays system wide information regarding the Docker installation.
+Information displayed includes the kernel version, number of containers and images.
+The number of images shown is the number of unique images. The same image tagged
+under different names is counted only once.
+
+If a format is specified, the given template will be executed instead of the
+default format. Go's **text/template** package
+describes all the details of the format.
+
+Depending on the storage driver in use, additional information can be shown, such
+as pool name, data file, metadata file, data space used, total data space, metadata
+space used, and total metadata space.
+
+The data file is where the images are stored and the metadata file is where the
+meta data regarding those images are stored. When run for the first time Docker
+allocates a certain amount of data space and meta data space from the space
+available on the volume where `/var/lib/docker` is mounted.
+
+# EXAMPLES
+
+## Display Docker system information
+
+Here is a sample output for a daemon running on Ubuntu, using the overlay2
+storage driver:
+
+    $ docker -D info
+    Containers: 14
+     Running: 3
+     Paused: 1
+     Stopped: 10
+    Images: 52
+    Server Version: 1.13.0
+    Storage Driver: overlay2
+     Backing Filesystem: extfs
+     Supports d_type: true
+     Native Overlay Diff: false
+    Logging Driver: json-file
+    Cgroup Driver: cgroupfs
+    Plugins:
+     Volume: local
+     Network: bridge host macvlan null overlay
+    Swarm: active
+     NodeID: rdjq45w1op418waxlairloqbm
+     Is Manager: true
+     ClusterID: te8kdyw33n36fqiz74bfjeixd
+     Managers: 1
+     Nodes: 2
+     Orchestration:
+      Task History Retention Limit: 5
+     Raft:
+      Snapshot Interval: 10000
+      Number of Old Snapshots to Retain: 0
+      Heartbeat Tick: 1
+      Election Tick: 3
+     Dispatcher:
+      Heartbeat Period: 5 seconds
+     CA Configuration:
+      Expiry Duration: 3 months
+     Node Address: 172.16.66.128 172.16.66.129
+     Manager Addresses:
+      172.16.66.128:2477
+    Runtimes: runc
+    Default Runtime: runc
+    Init Binary: docker-init
+    containerd version: 8517738ba4b82aff5662c97ca4627e7e4d03b531
+    runc version: ac031b5bf1cc92239461125f4c1ffb760522bbf2
+    init version: N/A (expected: v0.13.0)
+    Security Options:
+     apparmor
+     seccomp
+      Profile: default
+    Kernel Version: 4.4.0-31-generic
+    Operating System: Ubuntu 16.04.1 LTS
+    OSType: linux
+    Architecture: x86_64
+    CPUs: 2
+    Total Memory: 1.937 GiB
+    Name: ubuntu
+    ID: H52R:7ZR6:EIIA:76JG:ORIY:BVKF:GSFU:HNPG:B5MK:APSC:SZ3Q:N326
+    Docker Root Dir: /var/lib/docker
+    Debug Mode (client): true
+    Debug Mode (server): true
+     File Descriptors: 30
+     Goroutines: 123
+     System Time: 2016-11-12T17:24:37.955404361-08:00
+     EventsListeners: 0
+    Http Proxy: http://test:test@proxy.example.com:8080
+    Https Proxy: https://test:test@proxy.example.com:8080
+    No Proxy: localhost,127.0.0.1,docker-registry.somecorporation.com
+    Registry: https://index.docker.io/v1/
+    WARNING: No swap limit support
+    Labels:
+     storage=ssd
+     staging=true
+    Experimental: false
+    Insecure Registries:
+     127.0.0.0/8
+    Registry Mirrors:
+      http://192.168.1.2/
+      http://registry-mirror.example.com:5000/
+    Live Restore Enabled: false
+
+
+
+The global `-D` option tells all `docker` commands to output debug information.
+
+The example below shows the output for a daemon running on Red Hat Enterprise Linux,
+using the devicemapper storage driver. As can be seen in the output, additional
+information about the devicemapper storage driver is shown:
+
+    $ docker info
+    Containers: 14
+     Running: 3
+     Paused: 1
+     Stopped: 10
+    Untagged Images: 52
+    Server Version: 1.10.3
+    Storage Driver: devicemapper
+     Pool Name: docker-202:2-25583803-pool
+     Pool Blocksize: 65.54 kB
+     Base Device Size: 10.74 GB
+     Backing Filesystem: xfs
+     Data file: /dev/loop0
+     Metadata file: /dev/loop1
+     Data Space Used: 1.68 GB
+     Data Space Total: 107.4 GB
+     Data Space Available: 7.548 GB
+     Metadata Space Used: 2.322 MB
+     Metadata Space Total: 2.147 GB
+     Metadata Space Available: 2.145 GB
+     Udev Sync Supported: true
+     Deferred Removal Enabled: false
+     Deferred Deletion Enabled: false
+     Deferred Deleted Device Count: 0
+     Data loop file: /var/lib/docker/devicemapper/devicemapper/data
+     Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
+     Library Version: 1.02.107-RHEL7 (2015-12-01)
+    Execution Driver: native-0.2
+    Logging Driver: json-file
+    Plugins:
+     Volume: local
+     Network: null host bridge
+    Kernel Version: 3.10.0-327.el7.x86_64
+    Operating System: Red Hat Enterprise Linux Server 7.2 (Maipo)
+    OSType: linux
+    Architecture: x86_64
+    CPUs: 1
+    Total Memory: 991.7 MiB
+    Name: ip-172-30-0-91.ec2.internal
+    ID: I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S
+    Docker Root Dir: /var/lib/docker
+    Debug mode (client): false
+    Debug mode (server): false
+    Username: gordontheturtle
+    Registry: https://index.docker.io/v1/
+    Insecure registries:
+     myinsecurehost:5000
+     127.0.0.0/8
+
+You can also specify the output format:
+
+    $ docker info --format '{{json .}}'
+	{"ID":"I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S","Containers":14, ...}
diff --git a/cli/man/src/tag.md b/cli/man/src/tag.md
new file mode 100644
index 00000000..55c4ef1a
--- /dev/null
+++ b/cli/man/src/tag.md
@@ -0,0 +1 @@
+Alias for `docker image tag`.
diff --git a/cli/man/src/top.md b/cli/man/src/top.md
new file mode 100644
index 00000000..ac0f0845
--- /dev/null
+++ b/cli/man/src/top.md
@@ -0,0 +1 @@
+Alias for `docker container top`.
diff --git a/cli/man/src/unpause.md b/cli/man/src/unpause.md
new file mode 100644
index 00000000..df538e13
--- /dev/null
+++ b/cli/man/src/unpause.md
@@ -0,0 +1 @@
+Alias for `docker container unpause`.
diff --git a/cli/man/src/update.md b/cli/man/src/update.md
new file mode 100644
index 00000000..162022ab
--- /dev/null
+++ b/cli/man/src/update.md
@@ -0,0 +1 @@
+Alias for `docker container update`.
diff --git a/cli/man/src/version.md b/cli/man/src/version.md
new file mode 100644
index 00000000..5dea4a29
--- /dev/null
+++ b/cli/man/src/version.md
@@ -0,0 +1,37 @@
+This command displays version information for both the Docker client and 
+daemon. 
+
+# EXAMPLES
+
+## Display Docker version information
+
+The default output:
+
+    $ docker version
+	Client:
+	 Version:      1.8.0
+	 API version:  1.20
+	 Go version:   go1.4.2
+	 Git commit:   f5bae0a
+	 Built:        Tue Jun 23 17:56:00 UTC 2015
+	 OS/Arch:      linux/amd64
+
+	Server:
+	 Version:      1.8.0
+	 API version:  1.20
+	 Go version:   go1.4.2
+	 Git commit:   f5bae0a
+	 Built:        Tue Jun 23 17:56:00 UTC 2015
+	 OS/Arch:      linux/amd64
+
+Get server version:
+
+    $ docker version --format '{{.Server.Version}}'
+	1.8.0
+
+Dump raw data:
+
+To view all available fields, you can use the format `{{json .}}`.
+
+    $ docker version --format '{{json .}}'
+    {"Client":{"Version":"1.8.0","ApiVersion":"1.20","GitCommit":"f5bae0a","GoVersion":"go1.4.2","Os":"linux","Arch":"amd64","BuildTime":"Tue Jun 23 17:56:00 UTC 2015"},"ServerOK":true,"Server":{"Version":"1.8.0","ApiVersion":"1.20","GitCommit":"f5bae0a","GoVersion":"go1.4.2","Os":"linux","Arch":"amd64","KernelVersion":"3.13.2-gentoo","BuildTime":"Tue Jun 23 17:56:00 UTC 2015"}}
diff --git a/cli/man/src/volume.md b/cli/man/src/volume.md
new file mode 100644
index 00000000..0a09a41d
--- /dev/null
+++ b/cli/man/src/volume.md
@@ -0,0 +1,14 @@
+The `docker volume` command has subcommands for managing data volumes. A data
+volume is a specially-designated directory that by-passes storage driver
+management.
+
+Data volumes persist data independent of a container's life cycle. When you
+delete a container, the Docker daemon does not delete any data volumes. You can
+share volumes across multiple containers. Moreover, you can share data volumes
+with other computing resources in your system.
+
+To see help for a subcommand, use:
+
+    docker volume COMMAND --help
+
+For full details on using docker volume visit Docker's online documentation.
diff --git a/cli/man/src/volume/create.md b/cli/man/src/volume/create.md
new file mode 100644
index 00000000..408079d6
--- /dev/null
+++ b/cli/man/src/volume/create.md
@@ -0,0 +1,35 @@
+Creates a new volume that containers can consume and store data in. If a name
+is not specified, Docker generates a random name. You create a volume and then
+configure the container to use it, for example:
+
+    $ docker volume create hello
+    hello
+    $ docker run -d -v hello:/world busybox ls /world
+
+The mount is created inside the container's `/src` directory. Docker doesn't
+not support relative paths for mount points inside the container.
+
+Multiple containers can use the same volume in the same time period. This is
+useful if two containers need access to shared data. For example, if one
+container writes and the other reads the data.
+
+## Driver specific options
+
+Some volume drivers may take options to customize the volume creation. Use the
+`-o` or `--opt` flags to pass driver options:
+
+    $ docker volume create --driver fake --opt tardis=blue --opt timey=wimey
+
+These options are passed directly to the volume driver. Options for different
+volume drivers may do different things (or nothing at all).
+
+The built-in `local` driver on Windows does not support any options.
+
+The built-in `local` driver on Linux accepts options similar to the linux
+`mount` command:
+
+    $ docker volume create --driver local --opt type=tmpfs --opt device=tmpfs --opt o=size=100m,uid=1000
+
+Another example:
+
+    $ docker volume create --driver local --opt type=btrfs --opt device=/dev/sda2
diff --git a/cli/man/src/volume/inspect.md b/cli/man/src/volume/inspect.md
new file mode 100644
index 00000000..0885caab
--- /dev/null
+++ b/cli/man/src/volume/inspect.md
@@ -0,0 +1,4 @@
+Returns information about one or more volumes. By default, this command renders
+all results in a JSON array. You can specify an alternate format to execute a
+given template is executed for each result. Go's https://golang.org/pkg/text/template/
+package describes all the details of the format.
diff --git a/cli/man/src/volume/ls.md b/cli/man/src/volume/ls.md
new file mode 100644
index 00000000..59788427
--- /dev/null
+++ b/cli/man/src/volume/ls.md
@@ -0,0 +1,11 @@
+Lists all the volumes Docker manages. You can filter using the `-f` or
+`--filter` flag. The filtering format is a `key=value` pair. To specify
+more than one filter,  pass multiple flags (for example,
+`--filter "foo=bar" --filter "bif=baz"`)
+
+The currently supported filters are:
+
+* `dangling` (boolean - `true` or `false`, `1` or `0`)
+* `driver` (a volume driver's name)
+* `label` (`label=<key>` or `label=<key>=<value>`)
+* `name` (a volume's name)
diff --git a/cli/man/src/wait.md b/cli/man/src/wait.md
new file mode 100644
index 00000000..8700848e
--- /dev/null
+++ b/cli/man/src/wait.md
@@ -0,0 +1 @@
+Alias for `docker container wait`.
diff --git a/cli/opts/config.go b/cli/opts/config.go
new file mode 100644
index 00000000..82fd2bce
--- /dev/null
+++ b/cli/opts/config.go
@@ -0,0 +1,98 @@
+package opts
+
+import (
+	"encoding/csv"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+)
+
+// ConfigOpt is a Value type for parsing configs
+type ConfigOpt struct {
+	values []*swarmtypes.ConfigReference
+}
+
+// Set a new config value
+func (o *ConfigOpt) Set(value string) error {
+	csvReader := csv.NewReader(strings.NewReader(value))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return err
+	}
+
+	options := &swarmtypes.ConfigReference{
+		File: &swarmtypes.ConfigReferenceFileTarget{
+			UID:  "0",
+			GID:  "0",
+			Mode: 0444,
+		},
+	}
+
+	// support a simple syntax of --config foo
+	if len(fields) == 1 {
+		options.File.Name = fields[0]
+		options.ConfigName = fields[0]
+		o.values = append(o.values, options)
+		return nil
+	}
+
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+		key := strings.ToLower(parts[0])
+
+		if len(parts) != 2 {
+			return fmt.Errorf("invalid field '%s' must be a key=value pair", field)
+		}
+
+		value := parts[1]
+		switch key {
+		case "source", "src":
+			options.ConfigName = value
+		case "target":
+			options.File.Name = value
+		case "uid":
+			options.File.UID = value
+		case "gid":
+			options.File.GID = value
+		case "mode":
+			m, err := strconv.ParseUint(value, 0, 32)
+			if err != nil {
+				return fmt.Errorf("invalid mode specified: %v", err)
+			}
+
+			options.File.Mode = os.FileMode(m)
+		default:
+			return fmt.Errorf("invalid field in config request: %s", key)
+		}
+	}
+
+	if options.ConfigName == "" {
+		return fmt.Errorf("source is required")
+	}
+
+	o.values = append(o.values, options)
+	return nil
+}
+
+// Type returns the type of this option
+func (o *ConfigOpt) Type() string {
+	return "config"
+}
+
+// String returns a string repr of this option
+func (o *ConfigOpt) String() string {
+	configs := []string{}
+	for _, config := range o.values {
+		repr := fmt.Sprintf("%s -> %s", config.ConfigName, config.File.Name)
+		configs = append(configs, repr)
+	}
+	return strings.Join(configs, ", ")
+}
+
+// Value returns the config requests
+func (o *ConfigOpt) Value() []*swarmtypes.ConfigReference {
+	return o.values
+}
diff --git a/cli/opts/duration.go b/cli/opts/duration.go
new file mode 100644
index 00000000..5dc6eeaa
--- /dev/null
+++ b/cli/opts/duration.go
@@ -0,0 +1,64 @@
+package opts
+
+import (
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+// PositiveDurationOpt is an option type for time.Duration that uses a pointer.
+// It behave similarly to DurationOpt but only allows positive duration values.
+type PositiveDurationOpt struct {
+	DurationOpt
+}
+
+// Set a new value on the option. Setting a negative duration value will cause
+// an error to be returned.
+func (d *PositiveDurationOpt) Set(s string) error {
+	err := d.DurationOpt.Set(s)
+	if err != nil {
+		return err
+	}
+	if *d.DurationOpt.value < 0 {
+		return errors.Errorf("duration cannot be negative")
+	}
+	return nil
+}
+
+// DurationOpt is an option type for time.Duration that uses a pointer. This
+// allows us to get nil values outside, instead of defaulting to 0
+type DurationOpt struct {
+	value *time.Duration
+}
+
+// NewDurationOpt creates a DurationOpt with the specified duration
+func NewDurationOpt(value *time.Duration) *DurationOpt {
+	return &DurationOpt{
+		value: value,
+	}
+}
+
+// Set a new value on the option
+func (d *DurationOpt) Set(s string) error {
+	v, err := time.ParseDuration(s)
+	d.value = &v
+	return err
+}
+
+// Type returns the type of this option, which will be displayed in `--help` output
+func (d *DurationOpt) Type() string {
+	return "duration"
+}
+
+// String returns a string repr of this option
+func (d *DurationOpt) String() string {
+	if d.value != nil {
+		return d.value.String()
+	}
+	return ""
+}
+
+// Value returns the time.Duration
+func (d *DurationOpt) Value() *time.Duration {
+	return d.value
+}
diff --git a/cli/opts/duration_test.go b/cli/opts/duration_test.go
new file mode 100644
index 00000000..1a2c76a8
--- /dev/null
+++ b/cli/opts/duration_test.go
@@ -0,0 +1,30 @@
+package opts
+
+import (
+	"testing"
+	"time"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestDurationOptString(t *testing.T) {
+	dur := time.Duration(300 * 10e8)
+	duration := DurationOpt{value: &dur}
+	assert.Check(t, is.Equal("5m0s", duration.String()))
+}
+
+func TestDurationOptSetAndValue(t *testing.T) {
+	var duration DurationOpt
+	assert.NilError(t, duration.Set("300s"))
+	assert.Check(t, is.Equal(time.Duration(300*10e8), *duration.Value()))
+	assert.NilError(t, duration.Set("-300s"))
+	assert.Check(t, is.Equal(time.Duration(-300*10e8), *duration.Value()))
+}
+
+func TestPositiveDurationOptSetAndValue(t *testing.T) {
+	var duration PositiveDurationOpt
+	assert.NilError(t, duration.Set("300s"))
+	assert.Check(t, is.Equal(time.Duration(300*10e8), *duration.Value()))
+	assert.Error(t, duration.Set("-300s"), "duration cannot be negative")
+}
diff --git a/cli/opts/env.go b/cli/opts/env.go
new file mode 100644
index 00000000..e6ddd733
--- /dev/null
+++ b/cli/opts/env.go
@@ -0,0 +1,46 @@
+package opts
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"strings"
+)
+
+// ValidateEnv validates an environment variable and returns it.
+// If no value is specified, it returns the current value using os.Getenv.
+//
+// As on ParseEnvFile and related to #16585, environment variable names
+// are not validate what so ever, it's up to application inside docker
+// to validate them or not.
+//
+// The only validation here is to check if name is empty, per #25099
+func ValidateEnv(val string) (string, error) {
+	arr := strings.Split(val, "=")
+	if arr[0] == "" {
+		return "", fmt.Errorf("invalid environment variable: %s", val)
+	}
+	if len(arr) > 1 {
+		return val, nil
+	}
+	if !doesEnvExist(val) {
+		return val, nil
+	}
+	return fmt.Sprintf("%s=%s", val, os.Getenv(val)), nil
+}
+
+func doesEnvExist(name string) bool {
+	for _, entry := range os.Environ() {
+		parts := strings.SplitN(entry, "=", 2)
+		if runtime.GOOS == "windows" {
+			// Environment variable are case-insensitive on Windows. PaTh, path and PATH are equivalent.
+			if strings.EqualFold(parts[0], name) {
+				return true
+			}
+		}
+		if parts[0] == name {
+			return true
+		}
+	}
+	return false
+}
diff --git a/cli/opts/env_test.go b/cli/opts/env_test.go
new file mode 100644
index 00000000..6f6c7a7a
--- /dev/null
+++ b/cli/opts/env_test.go
@@ -0,0 +1,42 @@
+package opts
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"testing"
+)
+
+func TestValidateEnv(t *testing.T) {
+	valids := map[string]string{
+		"a":                   "a",
+		"something":           "something",
+		"_=a":                 "_=a",
+		"env1=value1":         "env1=value1",
+		"_env1=value1":        "_env1=value1",
+		"env2=value2=value3":  "env2=value2=value3",
+		"env3=abc!qwe":        "env3=abc!qwe",
+		"env_4=value 4":       "env_4=value 4",
+		"PATH":                fmt.Sprintf("PATH=%v", os.Getenv("PATH")),
+		"PATH=something":      "PATH=something",
+		"asd!qwe":             "asd!qwe",
+		"1asd":                "1asd",
+		"123":                 "123",
+		"some space":          "some space",
+		"  some space before": "  some space before",
+		"some space after  ":  "some space after  ",
+	}
+	// Environment variables are case in-sensitive on Windows
+	if runtime.GOOS == "windows" {
+		valids["PaTh"] = fmt.Sprintf("PaTh=%v", os.Getenv("PATH"))
+	}
+	for value, expected := range valids {
+		actual, err := ValidateEnv(value)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if actual != expected {
+			t.Fatalf("Expected [%v], got [%v]", expected, actual)
+		}
+	}
+}
diff --git a/cli/opts/envfile.go b/cli/opts/envfile.go
new file mode 100644
index 00000000..10054c89
--- /dev/null
+++ b/cli/opts/envfile.go
@@ -0,0 +1,22 @@
+package opts
+
+import (
+	"os"
+)
+
+// ParseEnvFile reads a file with environment variables enumerated by lines
+//
+// ``Environment variable names used by the utilities in the Shell and
+// Utilities volume of IEEE Std 1003.1-2001 consist solely of uppercase
+// letters, digits, and the '_' (underscore) from the characters defined in
+// Portable Character Set and do not begin with a digit. *But*, other
+// characters may be permitted by an implementation; applications shall
+// tolerate the presence of such names.''
+// -- http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html
+//
+// As of #16585, it's up to application inside docker to validate or not
+// environment variables, that's why we just strip leading whitespace and
+// nothing more.
+func ParseEnvFile(filename string) ([]string, error) {
+	return parseKeyValueFile(filename, os.Getenv)
+}
diff --git a/cli/opts/envfile_test.go b/cli/opts/envfile_test.go
new file mode 100644
index 00000000..63022638
--- /dev/null
+++ b/cli/opts/envfile_test.go
@@ -0,0 +1,141 @@
+package opts
+
+import (
+	"bufio"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func tmpFileWithContent(content string, t *testing.T) string {
+	tmpFile, err := ioutil.TempFile("", "envfile-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer tmpFile.Close()
+
+	tmpFile.WriteString(content)
+	return tmpFile.Name()
+}
+
+// Test ParseEnvFile for a file with a few well formatted lines
+func TestParseEnvFileGoodFile(t *testing.T) {
+	content := `foo=bar
+    baz=quux
+# comment
+
+_foobar=foobaz
+with.dots=working
+and_underscore=working too
+`
+	// Adding a newline + a line with pure whitespace.
+	// This is being done like this instead of the block above
+	// because it's common for editors to trim trailing whitespace
+	// from lines, which becomes annoying since that's the
+	// exact thing we need to test.
+	content += "\n    \t  "
+	tmpFile := tmpFileWithContent(content, t)
+	defer os.Remove(tmpFile)
+
+	lines, err := ParseEnvFile(tmpFile)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedLines := []string{
+		"foo=bar",
+		"baz=quux",
+		"_foobar=foobaz",
+		"with.dots=working",
+		"and_underscore=working too",
+	}
+
+	if !reflect.DeepEqual(lines, expectedLines) {
+		t.Fatal("lines not equal to expectedLines")
+	}
+}
+
+// Test ParseEnvFile for an empty file
+func TestParseEnvFileEmptyFile(t *testing.T) {
+	tmpFile := tmpFileWithContent("", t)
+	defer os.Remove(tmpFile)
+
+	lines, err := ParseEnvFile(tmpFile)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(lines) != 0 {
+		t.Fatal("lines not empty; expected empty")
+	}
+}
+
+// Test ParseEnvFile for a non existent file
+func TestParseEnvFileNonExistentFile(t *testing.T) {
+	_, err := ParseEnvFile("foo_bar_baz")
+	if err == nil {
+		t.Fatal("ParseEnvFile succeeded; expected failure")
+	}
+	if _, ok := err.(*os.PathError); !ok {
+		t.Fatalf("Expected a PathError, got [%v]", err)
+	}
+}
+
+// Test ParseEnvFile for a badly formatted file
+func TestParseEnvFileBadlyFormattedFile(t *testing.T) {
+	content := `foo=bar
+    f   =quux
+`
+
+	tmpFile := tmpFileWithContent(content, t)
+	defer os.Remove(tmpFile)
+
+	_, err := ParseEnvFile(tmpFile)
+	if err == nil {
+		t.Fatalf("Expected an ErrBadKey, got nothing")
+	}
+	if _, ok := err.(ErrBadKey); !ok {
+		t.Fatalf("Expected an ErrBadKey, got [%v]", err)
+	}
+	expectedMessage := "poorly formatted environment: variable 'f   ' has white spaces"
+	if err.Error() != expectedMessage {
+		t.Fatalf("Expected [%v], got [%v]", expectedMessage, err.Error())
+	}
+}
+
+// Test ParseEnvFile for a file with a line exceeding bufio.MaxScanTokenSize
+func TestParseEnvFileLineTooLongFile(t *testing.T) {
+	content := strings.Repeat("a", bufio.MaxScanTokenSize+42)
+	content = fmt.Sprint("foo=", content)
+
+	tmpFile := tmpFileWithContent(content, t)
+	defer os.Remove(tmpFile)
+
+	_, err := ParseEnvFile(tmpFile)
+	if err == nil {
+		t.Fatal("ParseEnvFile succeeded; expected failure")
+	}
+}
+
+// ParseEnvFile with a random file, pass through
+func TestParseEnvFileRandomFile(t *testing.T) {
+	content := `first line
+another invalid line`
+	tmpFile := tmpFileWithContent(content, t)
+	defer os.Remove(tmpFile)
+
+	_, err := ParseEnvFile(tmpFile)
+	if err == nil {
+		t.Fatalf("Expected an ErrBadKey, got nothing")
+	}
+	if _, ok := err.(ErrBadKey); !ok {
+		t.Fatalf("Expected an ErrBadKey, got [%v]", err)
+	}
+	expectedMessage := "poorly formatted environment: variable 'first line' has white spaces"
+	if err.Error() != expectedMessage {
+		t.Fatalf("Expected [%v], got [%v]", expectedMessage, err.Error())
+	}
+}
diff --git a/cli/opts/file.go b/cli/opts/file.go
new file mode 100644
index 00000000..28190594
--- /dev/null
+++ b/cli/opts/file.go
@@ -0,0 +1,71 @@
+package opts
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"os"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+var whiteSpaces = " \t"
+
+// ErrBadKey typed error for bad environment variable
+type ErrBadKey struct {
+	msg string
+}
+
+func (e ErrBadKey) Error() string {
+	return fmt.Sprintf("poorly formatted environment: %s", e.msg)
+}
+
+func parseKeyValueFile(filename string, emptyFn func(string) string) ([]string, error) {
+	fh, err := os.Open(filename)
+	if err != nil {
+		return []string{}, err
+	}
+	defer fh.Close()
+
+	lines := []string{}
+	scanner := bufio.NewScanner(fh)
+	currentLine := 0
+	utf8bom := []byte{0xEF, 0xBB, 0xBF}
+	for scanner.Scan() {
+		scannedBytes := scanner.Bytes()
+		if !utf8.Valid(scannedBytes) {
+			return []string{}, fmt.Errorf("env file %s contains invalid utf8 bytes at line %d: %v", filename, currentLine+1, scannedBytes)
+		}
+		// We trim UTF8 BOM
+		if currentLine == 0 {
+			scannedBytes = bytes.TrimPrefix(scannedBytes, utf8bom)
+		}
+		// trim the line from all leading whitespace first
+		line := strings.TrimLeftFunc(string(scannedBytes), unicode.IsSpace)
+		currentLine++
+		// line is not empty, and not starting with '#'
+		if len(line) > 0 && !strings.HasPrefix(line, "#") {
+			data := strings.SplitN(line, "=", 2)
+
+			// trim the front of a variable, but nothing else
+			variable := strings.TrimLeft(data[0], whiteSpaces)
+			if strings.ContainsAny(variable, whiteSpaces) {
+				return []string{}, ErrBadKey{fmt.Sprintf("variable '%s' has white spaces", variable)}
+			}
+
+			if len(data) > 1 {
+				// pass the value through, no trimming
+				lines = append(lines, fmt.Sprintf("%s=%s", variable, data[1]))
+			} else {
+				var value string
+				if emptyFn != nil {
+					value = emptyFn(line)
+				}
+				// if only a pass-through variable is given, clean it up.
+				lines = append(lines, fmt.Sprintf("%s=%s", strings.TrimSpace(line), value))
+			}
+		}
+	}
+	return lines, scanner.Err()
+}
diff --git a/cli/opts/hosts.go b/cli/opts/hosts.go
new file mode 100644
index 00000000..594cccf2
--- /dev/null
+++ b/cli/opts/hosts.go
@@ -0,0 +1,165 @@
+package opts
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+var (
+	// DefaultHTTPPort Default HTTP Port used if only the protocol is provided to -H flag e.g. dockerd -H tcp://
+	// These are the IANA registered port numbers for use with Docker
+	// see http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=docker
+	DefaultHTTPPort = 2375 // Default HTTP Port
+	// DefaultTLSHTTPPort Default HTTP Port used when TLS enabled
+	DefaultTLSHTTPPort = 2376 // Default TLS encrypted HTTP Port
+	// DefaultUnixSocket Path for the unix socket.
+	// Docker daemon by default always listens on the default unix socket
+	DefaultUnixSocket = "/var/run/docker.sock"
+	// DefaultTCPHost constant defines the default host string used by docker on Windows
+	DefaultTCPHost = fmt.Sprintf("tcp://%s:%d", DefaultHTTPHost, DefaultHTTPPort)
+	// DefaultTLSHost constant defines the default host string used by docker for TLS sockets
+	DefaultTLSHost = fmt.Sprintf("tcp://%s:%d", DefaultHTTPHost, DefaultTLSHTTPPort)
+	// DefaultNamedPipe defines the default named pipe used by docker on Windows
+	DefaultNamedPipe = `//./pipe/docker_engine`
+)
+
+// ValidateHost validates that the specified string is a valid host and returns it.
+func ValidateHost(val string) (string, error) {
+	host := strings.TrimSpace(val)
+	// The empty string means default and is not handled by parseDockerDaemonHost
+	if host != "" {
+		_, err := parseDockerDaemonHost(host)
+		if err != nil {
+			return val, err
+		}
+	}
+	// Note: unlike most flag validators, we don't return the mutated value here
+	//       we need to know what the user entered later (using ParseHost) to adjust for TLS
+	return val, nil
+}
+
+// ParseHost and set defaults for a Daemon host string
+func ParseHost(defaultToTLS bool, val string) (string, error) {
+	host := strings.TrimSpace(val)
+	if host == "" {
+		if defaultToTLS {
+			host = DefaultTLSHost
+		} else {
+			host = DefaultHost
+		}
+	} else {
+		var err error
+		host, err = parseDockerDaemonHost(host)
+		if err != nil {
+			return val, err
+		}
+	}
+	return host, nil
+}
+
+// parseDockerDaemonHost parses the specified address and returns an address that will be used as the host.
+// Depending of the address specified, this may return one of the global Default* strings defined in hosts.go.
+func parseDockerDaemonHost(addr string) (string, error) {
+	addrParts := strings.SplitN(addr, "://", 2)
+	if len(addrParts) == 1 && addrParts[0] != "" {
+		addrParts = []string{"tcp", addrParts[0]}
+	}
+
+	switch addrParts[0] {
+	case "tcp":
+		return ParseTCPAddr(addrParts[1], DefaultTCPHost)
+	case "unix":
+		return parseSimpleProtoAddr("unix", addrParts[1], DefaultUnixSocket)
+	case "npipe":
+		return parseSimpleProtoAddr("npipe", addrParts[1], DefaultNamedPipe)
+	case "fd":
+		return addr, nil
+	default:
+		return "", fmt.Errorf("Invalid bind address format: %s", addr)
+	}
+}
+
+// parseSimpleProtoAddr parses and validates that the specified address is a valid
+// socket address for simple protocols like unix and npipe. It returns a formatted
+// socket address, either using the address parsed from addr, or the contents of
+// defaultAddr if addr is a blank string.
+func parseSimpleProtoAddr(proto, addr, defaultAddr string) (string, error) {
+	addr = strings.TrimPrefix(addr, proto+"://")
+	if strings.Contains(addr, "://") {
+		return "", fmt.Errorf("Invalid proto, expected %s: %s", proto, addr)
+	}
+	if addr == "" {
+		addr = defaultAddr
+	}
+	return fmt.Sprintf("%s://%s", proto, addr), nil
+}
+
+// ParseTCPAddr parses and validates that the specified address is a valid TCP
+// address. It returns a formatted TCP address, either using the address parsed
+// from tryAddr, or the contents of defaultAddr if tryAddr is a blank string.
+// tryAddr is expected to have already been Trim()'d
+// defaultAddr must be in the full `tcp://host:port` form
+func ParseTCPAddr(tryAddr string, defaultAddr string) (string, error) {
+	if tryAddr == "" || tryAddr == "tcp://" {
+		return defaultAddr, nil
+	}
+	addr := strings.TrimPrefix(tryAddr, "tcp://")
+	if strings.Contains(addr, "://") || addr == "" {
+		return "", fmt.Errorf("Invalid proto, expected tcp: %s", tryAddr)
+	}
+
+	defaultAddr = strings.TrimPrefix(defaultAddr, "tcp://")
+	defaultHost, defaultPort, err := net.SplitHostPort(defaultAddr)
+	if err != nil {
+		return "", err
+	}
+	// url.Parse fails for trailing colon on IPv6 brackets on Go 1.5, but
+	// not 1.4. See https://github.com/golang/go/issues/12200 and
+	// https://github.com/golang/go/issues/6530.
+	if strings.HasSuffix(addr, "]:") {
+		addr += defaultPort
+	}
+
+	u, err := url.Parse("tcp://" + addr)
+	if err != nil {
+		return "", err
+	}
+	host, port, err := net.SplitHostPort(u.Host)
+	if err != nil {
+		// try port addition once
+		host, port, err = net.SplitHostPort(net.JoinHostPort(u.Host, defaultPort))
+	}
+	if err != nil {
+		return "", fmt.Errorf("Invalid bind address format: %s", tryAddr)
+	}
+
+	if host == "" {
+		host = defaultHost
+	}
+	if port == "" {
+		port = defaultPort
+	}
+	p, err := strconv.Atoi(port)
+	if err != nil && p == 0 {
+		return "", fmt.Errorf("Invalid bind address format: %s", tryAddr)
+	}
+
+	return fmt.Sprintf("tcp://%s%s", net.JoinHostPort(host, port), u.Path), nil
+}
+
+// ValidateExtraHost validates that the specified string is a valid extrahost and returns it.
+// ExtraHost is in the form of name:ip where the ip has to be a valid ip (IPv4 or IPv6).
+func ValidateExtraHost(val string) (string, error) {
+	// allow for IPv6 addresses in extra hosts by only splitting on first ":"
+	arr := strings.SplitN(val, ":", 2)
+	if len(arr) != 2 || len(arr[0]) == 0 {
+		return "", fmt.Errorf("bad format for add-host: %q", val)
+	}
+	if _, err := ValidateIPAddress(arr[1]); err != nil {
+		return "", fmt.Errorf("invalid IP address in add-host: %q", arr[1])
+	}
+	return val, nil
+}
diff --git a/cli/opts/hosts_test.go b/cli/opts/hosts_test.go
new file mode 100644
index 00000000..8aada6a9
--- /dev/null
+++ b/cli/opts/hosts_test.go
@@ -0,0 +1,181 @@
+package opts
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+)
+
+func TestParseHost(t *testing.T) {
+	invalid := []string{
+		"something with spaces",
+		"://",
+		"unknown://",
+		"tcp://:port",
+		"tcp://invalid:port",
+	}
+
+	valid := map[string]string{
+		"":                         DefaultHost,
+		" ":                        DefaultHost,
+		"  ":                       DefaultHost,
+		"fd://":                    "fd://",
+		"fd://something":           "fd://something",
+		"tcp://host:":              fmt.Sprintf("tcp://host:%d", DefaultHTTPPort),
+		"tcp://":                   DefaultTCPHost,
+		"tcp://:2375":              fmt.Sprintf("tcp://%s:2375", DefaultHTTPHost),
+		"tcp://:2376":              fmt.Sprintf("tcp://%s:2376", DefaultHTTPHost),
+		"tcp://0.0.0.0:8080":       "tcp://0.0.0.0:8080",
+		"tcp://192.168.0.0:12000":  "tcp://192.168.0.0:12000",
+		"tcp://192.168:8080":       "tcp://192.168:8080",
+		"tcp://0.0.0.0:1234567890": "tcp://0.0.0.0:1234567890", // yeah it's valid :P
+		" tcp://:7777/path ":       fmt.Sprintf("tcp://%s:7777/path", DefaultHTTPHost),
+		"tcp://docker.com:2375":    "tcp://docker.com:2375",
+		"unix://":                  "unix://" + DefaultUnixSocket,
+		"unix://path/to/socket":    "unix://path/to/socket",
+		"npipe://":                 "npipe://" + DefaultNamedPipe,
+		"npipe:////./pipe/foo":     "npipe:////./pipe/foo",
+	}
+
+	for _, value := range invalid {
+		if _, err := ParseHost(false, value); err == nil {
+			t.Errorf("Expected an error for %v, got [nil]", value)
+		}
+	}
+
+	for value, expected := range valid {
+		if actual, err := ParseHost(false, value); err != nil || actual != expected {
+			t.Errorf("Expected for %v [%v], got [%v, %v]", value, expected, actual, err)
+		}
+	}
+}
+
+func TestParseDockerDaemonHost(t *testing.T) {
+	invalids := map[string]string{
+
+		"tcp:a.b.c.d":                   "Invalid bind address format: tcp:a.b.c.d",
+		"tcp:a.b.c.d/path":              "Invalid bind address format: tcp:a.b.c.d/path",
+		"udp://127.0.0.1":               "Invalid bind address format: udp://127.0.0.1",
+		"udp://127.0.0.1:2375":          "Invalid bind address format: udp://127.0.0.1:2375",
+		"tcp://unix:///run/docker.sock": "Invalid proto, expected tcp: unix:///run/docker.sock",
+		" tcp://:7777/path ":            "Invalid bind address format:  tcp://:7777/path ",
+		"":                              "Invalid bind address format: ",
+	}
+	valids := map[string]string{
+		"0.0.0.1:":                    "tcp://0.0.0.1:2375",
+		"0.0.0.1:5555":                "tcp://0.0.0.1:5555",
+		"0.0.0.1:5555/path":           "tcp://0.0.0.1:5555/path",
+		"[::1]:":                      "tcp://[::1]:2375",
+		"[::1]:5555/path":             "tcp://[::1]:5555/path",
+		"[0:0:0:0:0:0:0:1]:":          "tcp://[0:0:0:0:0:0:0:1]:2375",
+		"[0:0:0:0:0:0:0:1]:5555/path": "tcp://[0:0:0:0:0:0:0:1]:5555/path",
+		":6666":                   fmt.Sprintf("tcp://%s:6666", DefaultHTTPHost),
+		":6666/path":              fmt.Sprintf("tcp://%s:6666/path", DefaultHTTPHost),
+		"tcp://":                  DefaultTCPHost,
+		"tcp://:7777":             fmt.Sprintf("tcp://%s:7777", DefaultHTTPHost),
+		"tcp://:7777/path":        fmt.Sprintf("tcp://%s:7777/path", DefaultHTTPHost),
+		"unix:///run/docker.sock": "unix:///run/docker.sock",
+		"unix://":                 "unix://" + DefaultUnixSocket,
+		"fd://":                   "fd://",
+		"fd://something":          "fd://something",
+		"localhost:":              "tcp://localhost:2375",
+		"localhost:5555":          "tcp://localhost:5555",
+		"localhost:5555/path":     "tcp://localhost:5555/path",
+	}
+	for invalidAddr, expectedError := range invalids {
+		if addr, err := parseDockerDaemonHost(invalidAddr); err == nil || err.Error() != expectedError {
+			t.Errorf("tcp %v address expected error %q return, got %q and addr %v", invalidAddr, expectedError, err, addr)
+		}
+	}
+	for validAddr, expectedAddr := range valids {
+		if addr, err := parseDockerDaemonHost(validAddr); err != nil || addr != expectedAddr {
+			t.Errorf("%v -> expected %v, got (%v) addr (%v)", validAddr, expectedAddr, err, addr)
+		}
+	}
+}
+
+func TestParseTCP(t *testing.T) {
+	var (
+		defaultHTTPHost = "tcp://127.0.0.1:2376"
+	)
+	invalids := map[string]string{
+		"tcp:a.b.c.d":          "Invalid bind address format: tcp:a.b.c.d",
+		"tcp:a.b.c.d/path":     "Invalid bind address format: tcp:a.b.c.d/path",
+		"udp://127.0.0.1":      "Invalid proto, expected tcp: udp://127.0.0.1",
+		"udp://127.0.0.1:2375": "Invalid proto, expected tcp: udp://127.0.0.1:2375",
+	}
+	valids := map[string]string{
+		"":                            defaultHTTPHost,
+		"tcp://":                      defaultHTTPHost,
+		"0.0.0.1:":                    "tcp://0.0.0.1:2376",
+		"0.0.0.1:5555":                "tcp://0.0.0.1:5555",
+		"0.0.0.1:5555/path":           "tcp://0.0.0.1:5555/path",
+		":6666":                       "tcp://127.0.0.1:6666",
+		":6666/path":                  "tcp://127.0.0.1:6666/path",
+		"tcp://:7777":                 "tcp://127.0.0.1:7777",
+		"tcp://:7777/path":            "tcp://127.0.0.1:7777/path",
+		"[::1]:":                      "tcp://[::1]:2376",
+		"[::1]:5555":                  "tcp://[::1]:5555",
+		"[::1]:5555/path":             "tcp://[::1]:5555/path",
+		"[0:0:0:0:0:0:0:1]:":          "tcp://[0:0:0:0:0:0:0:1]:2376",
+		"[0:0:0:0:0:0:0:1]:5555":      "tcp://[0:0:0:0:0:0:0:1]:5555",
+		"[0:0:0:0:0:0:0:1]:5555/path": "tcp://[0:0:0:0:0:0:0:1]:5555/path",
+		"localhost:":                  "tcp://localhost:2376",
+		"localhost:5555":              "tcp://localhost:5555",
+		"localhost:5555/path":         "tcp://localhost:5555/path",
+	}
+	for invalidAddr, expectedError := range invalids {
+		if addr, err := ParseTCPAddr(invalidAddr, defaultHTTPHost); err == nil || err.Error() != expectedError {
+			t.Errorf("tcp %v address expected error %v return, got %s and addr %v", invalidAddr, expectedError, err, addr)
+		}
+	}
+	for validAddr, expectedAddr := range valids {
+		if addr, err := ParseTCPAddr(validAddr, defaultHTTPHost); err != nil || addr != expectedAddr {
+			t.Errorf("%v -> expected %v, got %v and addr %v", validAddr, expectedAddr, err, addr)
+		}
+	}
+}
+
+func TestParseInvalidUnixAddrInvalid(t *testing.T) {
+	if _, err := parseSimpleProtoAddr("unix", "tcp://127.0.0.1", "unix:///var/run/docker.sock"); err == nil || err.Error() != "Invalid proto, expected unix: tcp://127.0.0.1" {
+		t.Fatalf("Expected an error, got %v", err)
+	}
+	if _, err := parseSimpleProtoAddr("unix", "unix://tcp://127.0.0.1", "/var/run/docker.sock"); err == nil || err.Error() != "Invalid proto, expected unix: tcp://127.0.0.1" {
+		t.Fatalf("Expected an error, got %v", err)
+	}
+	if v, err := parseSimpleProtoAddr("unix", "", "/var/run/docker.sock"); err != nil || v != "unix:///var/run/docker.sock" {
+		t.Fatalf("Expected an %v, got %v", v, "unix:///var/run/docker.sock")
+	}
+}
+
+func TestValidateExtraHosts(t *testing.T) {
+	valid := []string{
+		`myhost:192.168.0.1`,
+		`thathost:10.0.2.1`,
+		`anipv6host:2003:ab34:e::1`,
+		`ipv6local:::1`,
+	}
+
+	invalid := map[string]string{
+		`myhost:192.notanipaddress.1`:  `invalid IP`,
+		`thathost-nosemicolon10.0.0.1`: `bad format`,
+		`anipv6host:::::1`:             `invalid IP`,
+		`ipv6local:::0::`:              `invalid IP`,
+	}
+
+	for _, extrahost := range valid {
+		if _, err := ValidateExtraHost(extrahost); err != nil {
+			t.Fatalf("ValidateExtraHost(`"+extrahost+"`) should succeed: error %v", err)
+		}
+	}
+
+	for extraHost, expectedError := range invalid {
+		if _, err := ValidateExtraHost(extraHost); err == nil {
+			t.Fatalf("ValidateExtraHost(`%q`) should have failed validation", extraHost)
+		} else {
+			if !strings.Contains(err.Error(), expectedError) {
+				t.Fatalf("ValidateExtraHost(`%q`) error should contain %q", extraHost, expectedError)
+			}
+		}
+	}
+}
diff --git a/cli/opts/hosts_unix.go b/cli/opts/hosts_unix.go
new file mode 100644
index 00000000..611407a9
--- /dev/null
+++ b/cli/opts/hosts_unix.go
@@ -0,0 +1,8 @@
+// +build !windows
+
+package opts
+
+import "fmt"
+
+// DefaultHost constant defines the default host string used by docker on other hosts than Windows
+var DefaultHost = fmt.Sprintf("unix://%s", DefaultUnixSocket)
diff --git a/cli/opts/hosts_windows.go b/cli/opts/hosts_windows.go
new file mode 100644
index 00000000..7c239e00
--- /dev/null
+++ b/cli/opts/hosts_windows.go
@@ -0,0 +1,6 @@
+// +build windows
+
+package opts
+
+// DefaultHost constant defines the default host string used by docker on Windows
+var DefaultHost = "npipe://" + DefaultNamedPipe
diff --git a/cli/opts/ip.go b/cli/opts/ip.go
new file mode 100644
index 00000000..fb03b501
--- /dev/null
+++ b/cli/opts/ip.go
@@ -0,0 +1,47 @@
+package opts
+
+import (
+	"fmt"
+	"net"
+)
+
+// IPOpt holds an IP. It is used to store values from CLI flags.
+type IPOpt struct {
+	*net.IP
+}
+
+// NewIPOpt creates a new IPOpt from a reference net.IP and a
+// string representation of an IP. If the string is not a valid
+// IP it will fallback to the specified reference.
+func NewIPOpt(ref *net.IP, defaultVal string) *IPOpt {
+	o := &IPOpt{
+		IP: ref,
+	}
+	o.Set(defaultVal)
+	return o
+}
+
+// Set sets an IPv4 or IPv6 address from a given string. If the given
+// string is not parseable as an IP address it returns an error.
+func (o *IPOpt) Set(val string) error {
+	ip := net.ParseIP(val)
+	if ip == nil {
+		return fmt.Errorf("%s is not an ip address", val)
+	}
+	*o.IP = ip
+	return nil
+}
+
+// String returns the IP address stored in the IPOpt. If stored IP is a
+// nil pointer, it returns an empty string.
+func (o *IPOpt) String() string {
+	if *o.IP == nil {
+		return ""
+	}
+	return o.IP.String()
+}
+
+// Type returns the type of the option
+func (o *IPOpt) Type() string {
+	return "ip"
+}
diff --git a/cli/opts/ip_test.go b/cli/opts/ip_test.go
new file mode 100644
index 00000000..1027d84a
--- /dev/null
+++ b/cli/opts/ip_test.go
@@ -0,0 +1,54 @@
+package opts
+
+import (
+	"net"
+	"testing"
+)
+
+func TestIpOptString(t *testing.T) {
+	addresses := []string{"", "0.0.0.0"}
+	var ip net.IP
+
+	for _, address := range addresses {
+		stringAddress := NewIPOpt(&ip, address).String()
+		if stringAddress != address {
+			t.Fatalf("IpOpt string should be `%s`, not `%s`", address, stringAddress)
+		}
+	}
+}
+
+func TestNewIpOptInvalidDefaultVal(t *testing.T) {
+	ip := net.IPv4(127, 0, 0, 1)
+	defaultVal := "Not an ip"
+
+	ipOpt := NewIPOpt(&ip, defaultVal)
+
+	expected := "127.0.0.1"
+	if ipOpt.String() != expected {
+		t.Fatalf("Expected [%v], got [%v]", expected, ipOpt.String())
+	}
+}
+
+func TestNewIpOptValidDefaultVal(t *testing.T) {
+	ip := net.IPv4(127, 0, 0, 1)
+	defaultVal := "192.168.1.1"
+
+	ipOpt := NewIPOpt(&ip, defaultVal)
+
+	expected := "192.168.1.1"
+	if ipOpt.String() != expected {
+		t.Fatalf("Expected [%v], got [%v]", expected, ipOpt.String())
+	}
+}
+
+func TestIpOptSetInvalidVal(t *testing.T) {
+	ip := net.IPv4(127, 0, 0, 1)
+	ipOpt := &IPOpt{IP: &ip}
+
+	invalidIP := "invalid ip"
+	expectedError := "invalid ip is not an ip address"
+	err := ipOpt.Set(invalidIP)
+	if err == nil || err.Error() != expectedError {
+		t.Fatalf("Expected an Error with [%v], got [%v]", expectedError, err.Error())
+	}
+}
diff --git a/cli/opts/mount.go b/cli/opts/mount.go
new file mode 100644
index 00000000..3aa98494
--- /dev/null
+++ b/cli/opts/mount.go
@@ -0,0 +1,174 @@
+package opts
+
+import (
+	"encoding/csv"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"github.com/docker/go-units"
+)
+
+// MountOpt is a Value type for parsing mounts
+type MountOpt struct {
+	values []mounttypes.Mount
+}
+
+// Set a new mount value
+// nolint: gocyclo
+func (m *MountOpt) Set(value string) error {
+	csvReader := csv.NewReader(strings.NewReader(value))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return err
+	}
+
+	mount := mounttypes.Mount{}
+
+	volumeOptions := func() *mounttypes.VolumeOptions {
+		if mount.VolumeOptions == nil {
+			mount.VolumeOptions = &mounttypes.VolumeOptions{
+				Labels: make(map[string]string),
+			}
+		}
+		if mount.VolumeOptions.DriverConfig == nil {
+			mount.VolumeOptions.DriverConfig = &mounttypes.Driver{}
+		}
+		return mount.VolumeOptions
+	}
+
+	bindOptions := func() *mounttypes.BindOptions {
+		if mount.BindOptions == nil {
+			mount.BindOptions = new(mounttypes.BindOptions)
+		}
+		return mount.BindOptions
+	}
+
+	tmpfsOptions := func() *mounttypes.TmpfsOptions {
+		if mount.TmpfsOptions == nil {
+			mount.TmpfsOptions = new(mounttypes.TmpfsOptions)
+		}
+		return mount.TmpfsOptions
+	}
+
+	setValueOnMap := func(target map[string]string, value string) {
+		parts := strings.SplitN(value, "=", 2)
+		if len(parts) == 1 {
+			target[value] = ""
+		} else {
+			target[parts[0]] = parts[1]
+		}
+	}
+
+	mount.Type = mounttypes.TypeVolume // default to volume mounts
+	// Set writable as the default
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+		key := strings.ToLower(parts[0])
+
+		if len(parts) == 1 {
+			switch key {
+			case "readonly", "ro":
+				mount.ReadOnly = true
+				continue
+			case "volume-nocopy":
+				volumeOptions().NoCopy = true
+				continue
+			}
+		}
+
+		if len(parts) != 2 {
+			return fmt.Errorf("invalid field '%s' must be a key=value pair", field)
+		}
+
+		value := parts[1]
+		switch key {
+		case "type":
+			mount.Type = mounttypes.Type(strings.ToLower(value))
+		case "source", "src":
+			mount.Source = value
+		case "target", "dst", "destination":
+			mount.Target = value
+		case "readonly", "ro":
+			mount.ReadOnly, err = strconv.ParseBool(value)
+			if err != nil {
+				return fmt.Errorf("invalid value for %s: %s", key, value)
+			}
+		case "consistency":
+			mount.Consistency = mounttypes.Consistency(strings.ToLower(value))
+		case "bind-propagation":
+			bindOptions().Propagation = mounttypes.Propagation(strings.ToLower(value))
+		case "volume-nocopy":
+			volumeOptions().NoCopy, err = strconv.ParseBool(value)
+			if err != nil {
+				return fmt.Errorf("invalid value for volume-nocopy: %s", value)
+			}
+		case "volume-label":
+			setValueOnMap(volumeOptions().Labels, value)
+		case "volume-driver":
+			volumeOptions().DriverConfig.Name = value
+		case "volume-opt":
+			if volumeOptions().DriverConfig.Options == nil {
+				volumeOptions().DriverConfig.Options = make(map[string]string)
+			}
+			setValueOnMap(volumeOptions().DriverConfig.Options, value)
+		case "tmpfs-size":
+			sizeBytes, err := units.RAMInBytes(value)
+			if err != nil {
+				return fmt.Errorf("invalid value for %s: %s", key, value)
+			}
+			tmpfsOptions().SizeBytes = sizeBytes
+		case "tmpfs-mode":
+			ui64, err := strconv.ParseUint(value, 8, 32)
+			if err != nil {
+				return fmt.Errorf("invalid value for %s: %s", key, value)
+			}
+			tmpfsOptions().Mode = os.FileMode(ui64)
+		default:
+			return fmt.Errorf("unexpected key '%s' in '%s'", key, field)
+		}
+	}
+
+	if mount.Type == "" {
+		return fmt.Errorf("type is required")
+	}
+
+	if mount.Target == "" {
+		return fmt.Errorf("target is required")
+	}
+
+	if mount.VolumeOptions != nil && mount.Type != mounttypes.TypeVolume {
+		return fmt.Errorf("cannot mix 'volume-*' options with mount type '%s'", mount.Type)
+	}
+	if mount.BindOptions != nil && mount.Type != mounttypes.TypeBind {
+		return fmt.Errorf("cannot mix 'bind-*' options with mount type '%s'", mount.Type)
+	}
+	if mount.TmpfsOptions != nil && mount.Type != mounttypes.TypeTmpfs {
+		return fmt.Errorf("cannot mix 'tmpfs-*' options with mount type '%s'", mount.Type)
+	}
+
+	m.values = append(m.values, mount)
+	return nil
+}
+
+// Type returns the type of this option
+func (m *MountOpt) Type() string {
+	return "mount"
+}
+
+// String returns a string repr of this option
+func (m *MountOpt) String() string {
+	mounts := []string{}
+	for _, mount := range m.values {
+		repr := fmt.Sprintf("%s %s %s", mount.Type, mount.Source, mount.Target)
+		mounts = append(mounts, repr)
+	}
+	return strings.Join(mounts, ", ")
+}
+
+// Value returns the mounts
+func (m *MountOpt) Value() []mounttypes.Mount {
+	return m.values
+}
diff --git a/cli/opts/mount_test.go b/cli/opts/mount_test.go
new file mode 100644
index 00000000..e59f07fe
--- /dev/null
+++ b/cli/opts/mount_test.go
@@ -0,0 +1,185 @@
+package opts
+
+import (
+	"os"
+	"testing"
+
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestMountOptString(t *testing.T) {
+	mount := MountOpt{
+		values: []mounttypes.Mount{
+			{
+				Type:   mounttypes.TypeBind,
+				Source: "/home/path",
+				Target: "/target",
+			},
+			{
+				Type:   mounttypes.TypeVolume,
+				Source: "foo",
+				Target: "/target/foo",
+			},
+		},
+	}
+	expected := "bind /home/path /target, volume foo /target/foo"
+	assert.Check(t, is.Equal(expected, mount.String()))
+}
+
+func TestMountOptSetBindNoErrorBind(t *testing.T) {
+	for _, testcase := range []string{
+		// tests several aliases that should have same result.
+		"type=bind,target=/target,source=/source",
+		"type=bind,src=/source,dst=/target",
+		"type=bind,source=/source,dst=/target",
+		"type=bind,src=/source,target=/target",
+	} {
+		var mount MountOpt
+
+		assert.NilError(t, mount.Set(testcase))
+
+		mounts := mount.Value()
+		assert.Assert(t, is.Len(mounts, 1))
+		assert.Check(t, is.DeepEqual(mounttypes.Mount{
+			Type:   mounttypes.TypeBind,
+			Source: "/source",
+			Target: "/target",
+		}, mounts[0]))
+	}
+}
+
+func TestMountOptSetVolumeNoError(t *testing.T) {
+	for _, testcase := range []string{
+		// tests several aliases that should have same result.
+		"type=volume,target=/target,source=/source",
+		"type=volume,src=/source,dst=/target",
+		"type=volume,source=/source,dst=/target",
+		"type=volume,src=/source,target=/target",
+	} {
+		var mount MountOpt
+
+		assert.NilError(t, mount.Set(testcase))
+
+		mounts := mount.Value()
+		assert.Assert(t, is.Len(mounts, 1))
+		assert.Check(t, is.DeepEqual(mounttypes.Mount{
+			Type:   mounttypes.TypeVolume,
+			Source: "/source",
+			Target: "/target",
+		}, mounts[0]))
+	}
+}
+
+// TestMountOptDefaultType ensures that a mount without the type defaults to a
+// volume mount.
+func TestMountOptDefaultType(t *testing.T) {
+	var mount MountOpt
+	assert.NilError(t, mount.Set("target=/target,source=/foo"))
+	assert.Check(t, is.Equal(mounttypes.TypeVolume, mount.values[0].Type))
+}
+
+func TestMountOptSetErrorNoTarget(t *testing.T) {
+	var mount MountOpt
+	assert.Error(t, mount.Set("type=volume,source=/foo"), "target is required")
+}
+
+func TestMountOptSetErrorInvalidKey(t *testing.T) {
+	var mount MountOpt
+	assert.Error(t, mount.Set("type=volume,bogus=foo"), "unexpected key 'bogus' in 'bogus=foo'")
+}
+
+func TestMountOptSetErrorInvalidField(t *testing.T) {
+	var mount MountOpt
+	assert.Error(t, mount.Set("type=volume,bogus"), "invalid field 'bogus' must be a key=value pair")
+}
+
+func TestMountOptSetErrorInvalidReadOnly(t *testing.T) {
+	var mount MountOpt
+	assert.Error(t, mount.Set("type=volume,readonly=no"), "invalid value for readonly: no")
+	assert.Error(t, mount.Set("type=volume,readonly=invalid"), "invalid value for readonly: invalid")
+}
+
+func TestMountOptDefaultEnableReadOnly(t *testing.T) {
+	var m MountOpt
+	assert.NilError(t, m.Set("type=bind,target=/foo,source=/foo"))
+	assert.Check(t, !m.values[0].ReadOnly)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=bind,target=/foo,source=/foo,readonly"))
+	assert.Check(t, m.values[0].ReadOnly)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=bind,target=/foo,source=/foo,readonly=1"))
+	assert.Check(t, m.values[0].ReadOnly)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=bind,target=/foo,source=/foo,readonly=true"))
+	assert.Check(t, m.values[0].ReadOnly)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=bind,target=/foo,source=/foo,readonly=0"))
+	assert.Check(t, !m.values[0].ReadOnly)
+}
+
+func TestMountOptVolumeNoCopy(t *testing.T) {
+	var m MountOpt
+	assert.NilError(t, m.Set("type=volume,target=/foo,volume-nocopy"))
+	assert.Check(t, is.Equal("", m.values[0].Source))
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=volume,target=/foo,source=foo"))
+	assert.Check(t, m.values[0].VolumeOptions == nil)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=volume,target=/foo,source=foo,volume-nocopy=true"))
+	assert.Check(t, m.values[0].VolumeOptions != nil)
+	assert.Check(t, m.values[0].VolumeOptions.NoCopy)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=volume,target=/foo,source=foo,volume-nocopy"))
+	assert.Check(t, m.values[0].VolumeOptions != nil)
+	assert.Check(t, m.values[0].VolumeOptions.NoCopy)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=volume,target=/foo,source=foo,volume-nocopy=1"))
+	assert.Check(t, m.values[0].VolumeOptions != nil)
+	assert.Check(t, m.values[0].VolumeOptions.NoCopy)
+}
+
+func TestMountOptTypeConflict(t *testing.T) {
+	var m MountOpt
+	assert.ErrorContains(t, m.Set("type=bind,target=/foo,source=/foo,volume-nocopy=true"), "cannot mix")
+	assert.ErrorContains(t, m.Set("type=volume,target=/foo,source=/foo,bind-propagation=rprivate"), "cannot mix")
+}
+
+func TestMountOptSetTmpfsNoError(t *testing.T) {
+	for _, testcase := range []string{
+		// tests several aliases that should have same result.
+		"type=tmpfs,target=/target,tmpfs-size=1m,tmpfs-mode=0700",
+		"type=tmpfs,target=/target,tmpfs-size=1MB,tmpfs-mode=700",
+	} {
+		var mount MountOpt
+
+		assert.NilError(t, mount.Set(testcase))
+
+		mounts := mount.Value()
+		assert.Assert(t, is.Len(mounts, 1))
+		assert.Check(t, is.DeepEqual(mounttypes.Mount{
+			Type:   mounttypes.TypeTmpfs,
+			Target: "/target",
+			TmpfsOptions: &mounttypes.TmpfsOptions{
+				SizeBytes: 1024 * 1024, // not 1000 * 1000
+				Mode:      os.FileMode(0700),
+			},
+		}, mounts[0]))
+	}
+}
+
+func TestMountOptSetTmpfsError(t *testing.T) {
+	var m MountOpt
+	assert.ErrorContains(t, m.Set("type=tmpfs,target=/foo,tmpfs-size=foo"), "invalid value for tmpfs-size")
+	assert.ErrorContains(t, m.Set("type=tmpfs,target=/foo,tmpfs-mode=foo"), "invalid value for tmpfs-mode")
+	assert.ErrorContains(t, m.Set("type=tmpfs"), "target is required")
+}
diff --git a/cli/opts/network.go b/cli/opts/network.go
new file mode 100644
index 00000000..ec4967ff
--- /dev/null
+++ b/cli/opts/network.go
@@ -0,0 +1,106 @@
+package opts
+
+import (
+	"encoding/csv"
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+const (
+	networkOptName  = "name"
+	networkOptAlias = "alias"
+	driverOpt       = "driver-opt"
+)
+
+// NetworkAttachmentOpts represents the network options for endpoint creation
+type NetworkAttachmentOpts struct {
+	Target     string
+	Aliases    []string
+	DriverOpts map[string]string
+}
+
+// NetworkOpt represents a network config in swarm mode.
+type NetworkOpt struct {
+	options []NetworkAttachmentOpts
+}
+
+// Set networkopts value
+func (n *NetworkOpt) Set(value string) error {
+	longSyntax, err := regexp.MatchString(`\w+=\w+(,\w+=\w+)*`, value)
+	if err != nil {
+		return err
+	}
+
+	var netOpt NetworkAttachmentOpts
+	if longSyntax {
+		csvReader := csv.NewReader(strings.NewReader(value))
+		fields, err := csvReader.Read()
+		if err != nil {
+			return err
+		}
+
+		netOpt.Aliases = []string{}
+		for _, field := range fields {
+			parts := strings.SplitN(field, "=", 2)
+
+			if len(parts) < 2 {
+				return fmt.Errorf("invalid field %s", field)
+			}
+
+			key := strings.TrimSpace(strings.ToLower(parts[0]))
+			value := strings.TrimSpace(strings.ToLower(parts[1]))
+
+			switch key {
+			case networkOptName:
+				netOpt.Target = value
+			case networkOptAlias:
+				netOpt.Aliases = append(netOpt.Aliases, value)
+			case driverOpt:
+				key, value, err = parseDriverOpt(value)
+				if err == nil {
+					if netOpt.DriverOpts == nil {
+						netOpt.DriverOpts = make(map[string]string)
+					}
+					netOpt.DriverOpts[key] = value
+				} else {
+					return err
+				}
+			default:
+				return fmt.Errorf("invalid field key %s", key)
+			}
+		}
+		if len(netOpt.Target) == 0 {
+			return fmt.Errorf("network name/id is not specified")
+		}
+	} else {
+		netOpt.Target = value
+	}
+	n.options = append(n.options, netOpt)
+	return nil
+}
+
+// Type returns the type of this option
+func (n *NetworkOpt) Type() string {
+	return "network"
+}
+
+// Value returns the networkopts
+func (n *NetworkOpt) Value() []NetworkAttachmentOpts {
+	return n.options
+}
+
+// String returns the network opts as a string
+func (n *NetworkOpt) String() string {
+	return ""
+}
+
+func parseDriverOpt(driverOpt string) (string, string, error) {
+	parts := strings.SplitN(driverOpt, "=", 2)
+	if len(parts) != 2 {
+		return "", "", fmt.Errorf("invalid key value pair format in driver options")
+	}
+	key := strings.TrimSpace(strings.ToLower(parts[0]))
+	value := strings.TrimSpace(strings.ToLower(parts[1]))
+	return key, value, nil
+}
diff --git a/cli/opts/network_test.go b/cli/opts/network_test.go
new file mode 100644
index 00000000..5219d14a
--- /dev/null
+++ b/cli/opts/network_test.go
@@ -0,0 +1,100 @@
+package opts
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNetworkOptLegacySyntax(t *testing.T) {
+	testCases := []struct {
+		value    string
+		expected []NetworkAttachmentOpts
+	}{
+		{
+			value: "docknet1",
+			expected: []NetworkAttachmentOpts{
+				{
+					Target: "docknet1",
+				},
+			},
+		},
+	}
+	for _, tc := range testCases {
+		var network NetworkOpt
+		assert.NilError(t, network.Set(tc.value))
+		assert.Check(t, is.DeepEqual(tc.expected, network.Value()))
+	}
+}
+
+func TestNetworkOptCompleteSyntax(t *testing.T) {
+	testCases := []struct {
+		value    string
+		expected []NetworkAttachmentOpts
+	}{
+		{
+			value: "name=docknet1,alias=web,driver-opt=field1=value1",
+			expected: []NetworkAttachmentOpts{
+				{
+					Target:  "docknet1",
+					Aliases: []string{"web"},
+					DriverOpts: map[string]string{
+						"field1": "value1",
+					},
+				},
+			},
+		},
+		{
+			value: "name=docknet1,alias=web1,alias=web2,driver-opt=field1=value1,driver-opt=field2=value2",
+			expected: []NetworkAttachmentOpts{
+				{
+					Target:  "docknet1",
+					Aliases: []string{"web1", "web2"},
+					DriverOpts: map[string]string{
+						"field1": "value1",
+						"field2": "value2",
+					},
+				},
+			},
+		},
+		{
+			value: "name=docknet1",
+			expected: []NetworkAttachmentOpts{
+				{
+					Target:  "docknet1",
+					Aliases: []string{},
+				},
+			},
+		},
+	}
+	for _, tc := range testCases {
+		var network NetworkOpt
+		assert.NilError(t, network.Set(tc.value))
+		assert.Check(t, is.DeepEqual(tc.expected, network.Value()))
+	}
+}
+
+func TestNetworkOptInvalidSyntax(t *testing.T) {
+	testCases := []struct {
+		value         string
+		expectedError string
+	}{
+		{
+			value:         "invalidField=docknet1",
+			expectedError: "invalid field",
+		},
+		{
+			value:         "network=docknet1,invalid=web",
+			expectedError: "invalid field",
+		},
+		{
+			value:         "driver-opt=field1=value1,driver-opt=field2=value2",
+			expectedError: "network name/id is not specified",
+		},
+	}
+	for _, tc := range testCases {
+		var network NetworkOpt
+		assert.ErrorContains(t, network.Set(tc.value), tc.expectedError)
+	}
+}
diff --git a/cli/opts/opts.go b/cli/opts/opts.go
new file mode 100644
index 00000000..51519e03
--- /dev/null
+++ b/cli/opts/opts.go
@@ -0,0 +1,524 @@
+package opts
+
+import (
+	"fmt"
+	"math/big"
+	"net"
+	"path"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types/filters"
+	units "github.com/docker/go-units"
+)
+
+var (
+	alphaRegexp  = regexp.MustCompile(`[a-zA-Z]`)
+	domainRegexp = regexp.MustCompile(`^(:?(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]))(:?\.(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])))*)\.?\s*$`)
+)
+
+// ListOpts holds a list of values and a validation function.
+type ListOpts struct {
+	values    *[]string
+	validator ValidatorFctType
+}
+
+// NewListOpts creates a new ListOpts with the specified validator.
+func NewListOpts(validator ValidatorFctType) ListOpts {
+	var values []string
+	return *NewListOptsRef(&values, validator)
+}
+
+// NewListOptsRef creates a new ListOpts with the specified values and validator.
+func NewListOptsRef(values *[]string, validator ValidatorFctType) *ListOpts {
+	return &ListOpts{
+		values:    values,
+		validator: validator,
+	}
+}
+
+func (opts *ListOpts) String() string {
+	if len(*opts.values) == 0 {
+		return ""
+	}
+	return fmt.Sprintf("%v", *opts.values)
+}
+
+// Set validates if needed the input value and adds it to the
+// internal slice.
+func (opts *ListOpts) Set(value string) error {
+	if opts.validator != nil {
+		v, err := opts.validator(value)
+		if err != nil {
+			return err
+		}
+		value = v
+	}
+	(*opts.values) = append((*opts.values), value)
+	return nil
+}
+
+// Delete removes the specified element from the slice.
+func (opts *ListOpts) Delete(key string) {
+	for i, k := range *opts.values {
+		if k == key {
+			(*opts.values) = append((*opts.values)[:i], (*opts.values)[i+1:]...)
+			return
+		}
+	}
+}
+
+// GetMap returns the content of values in a map in order to avoid
+// duplicates.
+func (opts *ListOpts) GetMap() map[string]struct{} {
+	ret := make(map[string]struct{})
+	for _, k := range *opts.values {
+		ret[k] = struct{}{}
+	}
+	return ret
+}
+
+// GetAll returns the values of slice.
+func (opts *ListOpts) GetAll() []string {
+	return (*opts.values)
+}
+
+// GetAllOrEmpty returns the values of the slice
+// or an empty slice when there are no values.
+func (opts *ListOpts) GetAllOrEmpty() []string {
+	v := *opts.values
+	if v == nil {
+		return make([]string, 0)
+	}
+	return v
+}
+
+// Get checks the existence of the specified key.
+func (opts *ListOpts) Get(key string) bool {
+	for _, k := range *opts.values {
+		if k == key {
+			return true
+		}
+	}
+	return false
+}
+
+// Len returns the amount of element in the slice.
+func (opts *ListOpts) Len() int {
+	return len((*opts.values))
+}
+
+// Type returns a string name for this Option type
+func (opts *ListOpts) Type() string {
+	return "list"
+}
+
+// WithValidator returns the ListOpts with validator set.
+func (opts *ListOpts) WithValidator(validator ValidatorFctType) *ListOpts {
+	opts.validator = validator
+	return opts
+}
+
+// NamedOption is an interface that list and map options
+// with names implement.
+type NamedOption interface {
+	Name() string
+}
+
+// NamedListOpts is a ListOpts with a configuration name.
+// This struct is useful to keep reference to the assigned
+// field name in the internal configuration struct.
+type NamedListOpts struct {
+	name string
+	ListOpts
+}
+
+var _ NamedOption = &NamedListOpts{}
+
+// NewNamedListOptsRef creates a reference to a new NamedListOpts struct.
+func NewNamedListOptsRef(name string, values *[]string, validator ValidatorFctType) *NamedListOpts {
+	return &NamedListOpts{
+		name:     name,
+		ListOpts: *NewListOptsRef(values, validator),
+	}
+}
+
+// Name returns the name of the NamedListOpts in the configuration.
+func (o *NamedListOpts) Name() string {
+	return o.name
+}
+
+// MapOpts holds a map of values and a validation function.
+type MapOpts struct {
+	values    map[string]string
+	validator ValidatorFctType
+}
+
+// Set validates if needed the input value and add it to the
+// internal map, by splitting on '='.
+func (opts *MapOpts) Set(value string) error {
+	if opts.validator != nil {
+		v, err := opts.validator(value)
+		if err != nil {
+			return err
+		}
+		value = v
+	}
+	vals := strings.SplitN(value, "=", 2)
+	if len(vals) == 1 {
+		(opts.values)[vals[0]] = ""
+	} else {
+		(opts.values)[vals[0]] = vals[1]
+	}
+	return nil
+}
+
+// GetAll returns the values of MapOpts as a map.
+func (opts *MapOpts) GetAll() map[string]string {
+	return opts.values
+}
+
+func (opts *MapOpts) String() string {
+	return fmt.Sprintf("%v", opts.values)
+}
+
+// Type returns a string name for this Option type
+func (opts *MapOpts) Type() string {
+	return "map"
+}
+
+// NewMapOpts creates a new MapOpts with the specified map of values and a validator.
+func NewMapOpts(values map[string]string, validator ValidatorFctType) *MapOpts {
+	if values == nil {
+		values = make(map[string]string)
+	}
+	return &MapOpts{
+		values:    values,
+		validator: validator,
+	}
+}
+
+// NamedMapOpts is a MapOpts struct with a configuration name.
+// This struct is useful to keep reference to the assigned
+// field name in the internal configuration struct.
+type NamedMapOpts struct {
+	name string
+	MapOpts
+}
+
+var _ NamedOption = &NamedMapOpts{}
+
+// NewNamedMapOpts creates a reference to a new NamedMapOpts struct.
+func NewNamedMapOpts(name string, values map[string]string, validator ValidatorFctType) *NamedMapOpts {
+	return &NamedMapOpts{
+		name:    name,
+		MapOpts: *NewMapOpts(values, validator),
+	}
+}
+
+// Name returns the name of the NamedMapOpts in the configuration.
+func (o *NamedMapOpts) Name() string {
+	return o.name
+}
+
+// ValidatorFctType defines a validator function that returns a validated string and/or an error.
+type ValidatorFctType func(val string) (string, error)
+
+// ValidatorFctListType defines a validator function that returns a validated list of string and/or an error
+type ValidatorFctListType func(val string) ([]string, error)
+
+// ValidateIPAddress validates an Ip address.
+func ValidateIPAddress(val string) (string, error) {
+	var ip = net.ParseIP(strings.TrimSpace(val))
+	if ip != nil {
+		return ip.String(), nil
+	}
+	return "", fmt.Errorf("%s is not an ip address", val)
+}
+
+// ValidateMACAddress validates a MAC address.
+func ValidateMACAddress(val string) (string, error) {
+	_, err := net.ParseMAC(strings.TrimSpace(val))
+	if err != nil {
+		return "", err
+	}
+	return val, nil
+}
+
+// ValidateDNSSearch validates domain for resolvconf search configuration.
+// A zero length domain is represented by a dot (.).
+func ValidateDNSSearch(val string) (string, error) {
+	if val = strings.Trim(val, " "); val == "." {
+		return val, nil
+	}
+	return validateDomain(val)
+}
+
+func validateDomain(val string) (string, error) {
+	if alphaRegexp.FindString(val) == "" {
+		return "", fmt.Errorf("%s is not a valid domain", val)
+	}
+	ns := domainRegexp.FindSubmatch([]byte(val))
+	if len(ns) > 0 && len(ns[1]) < 255 {
+		return string(ns[1]), nil
+	}
+	return "", fmt.Errorf("%s is not a valid domain", val)
+}
+
+// ValidateLabel validates that the specified string is a valid label, and returns it.
+// Labels are in the form on key=value.
+func ValidateLabel(val string) (string, error) {
+	if strings.Count(val, "=") < 1 {
+		return "", fmt.Errorf("bad attribute format: %s", val)
+	}
+	return val, nil
+}
+
+// ValidateSysctl validates a sysctl and returns it.
+func ValidateSysctl(val string) (string, error) {
+	validSysctlMap := map[string]bool{
+		"kernel.msgmax":          true,
+		"kernel.msgmnb":          true,
+		"kernel.msgmni":          true,
+		"kernel.sem":             true,
+		"kernel.shmall":          true,
+		"kernel.shmmax":          true,
+		"kernel.shmmni":          true,
+		"kernel.shm_rmid_forced": true,
+	}
+	validSysctlPrefixes := []string{
+		"net.",
+		"fs.mqueue.",
+	}
+	arr := strings.Split(val, "=")
+	if len(arr) < 2 {
+		return "", fmt.Errorf("sysctl '%s' is not whitelisted", val)
+	}
+	if validSysctlMap[arr[0]] {
+		return val, nil
+	}
+
+	for _, vp := range validSysctlPrefixes {
+		if strings.HasPrefix(arr[0], vp) {
+			return val, nil
+		}
+	}
+	return "", fmt.Errorf("sysctl '%s' is not whitelisted", val)
+}
+
+// FilterOpt is a flag type for validating filters
+type FilterOpt struct {
+	filter filters.Args
+}
+
+// NewFilterOpt returns a new FilterOpt
+func NewFilterOpt() FilterOpt {
+	return FilterOpt{filter: filters.NewArgs()}
+}
+
+func (o *FilterOpt) String() string {
+	repr, err := filters.ToParam(o.filter)
+	if err != nil {
+		return "invalid filters"
+	}
+	return repr
+}
+
+// Set sets the value of the opt by parsing the command line value
+func (o *FilterOpt) Set(value string) error {
+	var err error
+	o.filter, err = filters.ParseFlag(value, o.filter)
+	return err
+}
+
+// Type returns the option type
+func (o *FilterOpt) Type() string {
+	return "filter"
+}
+
+// Value returns the value of this option
+func (o *FilterOpt) Value() filters.Args {
+	return o.filter
+}
+
+// NanoCPUs is a type for fixed point fractional number.
+type NanoCPUs int64
+
+// String returns the string format of the number
+func (c *NanoCPUs) String() string {
+	if *c == 0 {
+		return ""
+	}
+	return big.NewRat(c.Value(), 1e9).FloatString(3)
+}
+
+// Set sets the value of the NanoCPU by passing a string
+func (c *NanoCPUs) Set(value string) error {
+	cpus, err := ParseCPUs(value)
+	*c = NanoCPUs(cpus)
+	return err
+}
+
+// Type returns the type
+func (c *NanoCPUs) Type() string {
+	return "decimal"
+}
+
+// Value returns the value in int64
+func (c *NanoCPUs) Value() int64 {
+	return int64(*c)
+}
+
+// ParseCPUs takes a string ratio and returns an integer value of nano cpus
+func ParseCPUs(value string) (int64, error) {
+	cpu, ok := new(big.Rat).SetString(value)
+	if !ok {
+		return 0, fmt.Errorf("failed to parse %v as a rational number", value)
+	}
+	nano := cpu.Mul(cpu, big.NewRat(1e9, 1))
+	if !nano.IsInt() {
+		return 0, fmt.Errorf("value is too precise")
+	}
+	return nano.Num().Int64(), nil
+}
+
+// ParseLink parses and validates the specified string as a link format (name:alias)
+func ParseLink(val string) (string, string, error) {
+	if val == "" {
+		return "", "", fmt.Errorf("empty string specified for links")
+	}
+	arr := strings.Split(val, ":")
+	if len(arr) > 2 {
+		return "", "", fmt.Errorf("bad format for links: %s", val)
+	}
+	if len(arr) == 1 {
+		return val, val, nil
+	}
+	// This is kept because we can actually get a HostConfig with links
+	// from an already created container and the format is not `foo:bar`
+	// but `/foo:/c1/bar`
+	if strings.HasPrefix(arr[0], "/") {
+		_, alias := path.Split(arr[1])
+		return arr[0][1:], alias, nil
+	}
+	return arr[0], arr[1], nil
+}
+
+// ValidateLink validates that the specified string has a valid link format (containerName:alias).
+func ValidateLink(val string) (string, error) {
+	_, _, err := ParseLink(val)
+	return val, err
+}
+
+// MemBytes is a type for human readable memory bytes (like 128M, 2g, etc)
+type MemBytes int64
+
+// String returns the string format of the human readable memory bytes
+func (m *MemBytes) String() string {
+	// NOTE: In spf13/pflag/flag.go, "0" is considered as "zero value" while "0 B" is not.
+	// We return "0" in case value is 0 here so that the default value is hidden.
+	// (Sometimes "default 0 B" is actually misleading)
+	if m.Value() != 0 {
+		return units.BytesSize(float64(m.Value()))
+	}
+	return "0"
+}
+
+// Set sets the value of the MemBytes by passing a string
+func (m *MemBytes) Set(value string) error {
+	val, err := units.RAMInBytes(value)
+	*m = MemBytes(val)
+	return err
+}
+
+// Type returns the type
+func (m *MemBytes) Type() string {
+	return "bytes"
+}
+
+// Value returns the value in int64
+func (m *MemBytes) Value() int64 {
+	return int64(*m)
+}
+
+// UnmarshalJSON is the customized unmarshaler for MemBytes
+func (m *MemBytes) UnmarshalJSON(s []byte) error {
+	if len(s) <= 2 || s[0] != '"' || s[len(s)-1] != '"' {
+		return fmt.Errorf("invalid size: %q", s)
+	}
+	val, err := units.RAMInBytes(string(s[1 : len(s)-1]))
+	*m = MemBytes(val)
+	return err
+}
+
+// MemSwapBytes is a type for human readable memory bytes (like 128M, 2g, etc).
+// It differs from MemBytes in that -1 is valid and the default.
+type MemSwapBytes int64
+
+// Set sets the value of the MemSwapBytes by passing a string
+func (m *MemSwapBytes) Set(value string) error {
+	if value == "-1" {
+		*m = MemSwapBytes(-1)
+		return nil
+	}
+	val, err := units.RAMInBytes(value)
+	*m = MemSwapBytes(val)
+	return err
+}
+
+// Type returns the type
+func (m *MemSwapBytes) Type() string {
+	return "bytes"
+}
+
+// Value returns the value in int64
+func (m *MemSwapBytes) Value() int64 {
+	return int64(*m)
+}
+
+func (m *MemSwapBytes) String() string {
+	b := MemBytes(*m)
+	return b.String()
+}
+
+// UnmarshalJSON is the customized unmarshaler for MemSwapBytes
+func (m *MemSwapBytes) UnmarshalJSON(s []byte) error {
+	b := MemBytes(*m)
+	return b.UnmarshalJSON(s)
+}
+
+// NullableBool is a type for tri-state boolean options
+type NullableBool struct {
+	b *bool
+}
+
+// Type returns the type
+func (n *NullableBool) Type() string {
+	return ""
+}
+
+// Value returns the value in *bool
+func (n *NullableBool) Value() *bool {
+	return n.b
+}
+
+// Set sets the value. If value is empty string or "auto", nil is set.
+// Otherwise true or false are set based on flag.Bool behavior.
+func (n *NullableBool) Set(value string) error {
+	if value != "auto" && value != "" {
+		b, err := strconv.ParseBool(value)
+		if err != nil {
+			return err
+		}
+		n.b = &b
+	}
+	return nil
+}
+
+func (n *NullableBool) String() string {
+	if n.b == nil {
+		return "auto"
+	}
+	return strconv.FormatBool(*n.b)
+}
diff --git a/cli/opts/opts_test.go b/cli/opts/opts_test.go
new file mode 100644
index 00000000..723a212e
--- /dev/null
+++ b/cli/opts/opts_test.go
@@ -0,0 +1,308 @@
+package opts
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+)
+
+func TestValidateIPAddress(t *testing.T) {
+	if ret, err := ValidateIPAddress(`1.2.3.4`); err != nil || ret == "" {
+		t.Fatalf("ValidateIPAddress(`1.2.3.4`) got %s %s", ret, err)
+	}
+
+	if ret, err := ValidateIPAddress(`127.0.0.1`); err != nil || ret == "" {
+		t.Fatalf("ValidateIPAddress(`127.0.0.1`) got %s %s", ret, err)
+	}
+
+	if ret, err := ValidateIPAddress(`::1`); err != nil || ret == "" {
+		t.Fatalf("ValidateIPAddress(`::1`) got %s %s", ret, err)
+	}
+
+	if ret, err := ValidateIPAddress(`127`); err == nil || ret != "" {
+		t.Fatalf("ValidateIPAddress(`127`) got %s %s", ret, err)
+	}
+
+	if ret, err := ValidateIPAddress(`random invalid string`); err == nil || ret != "" {
+		t.Fatalf("ValidateIPAddress(`random invalid string`) got %s %s", ret, err)
+	}
+
+}
+
+func TestMapOpts(t *testing.T) {
+	tmpMap := make(map[string]string)
+	o := NewMapOpts(tmpMap, logOptsValidator)
+	o.Set("max-size=1")
+	if o.String() != "map[max-size:1]" {
+		t.Errorf("%s != [map[max-size:1]", o.String())
+	}
+
+	o.Set("max-file=2")
+	if len(tmpMap) != 2 {
+		t.Errorf("map length %d != 2", len(tmpMap))
+	}
+
+	if tmpMap["max-file"] != "2" {
+		t.Errorf("max-file = %s != 2", tmpMap["max-file"])
+	}
+
+	if tmpMap["max-size"] != "1" {
+		t.Errorf("max-size = %s != 1", tmpMap["max-size"])
+	}
+	if o.Set("dummy-val=3") == nil {
+		t.Error("validator is not being called")
+	}
+}
+
+func TestListOptsWithoutValidator(t *testing.T) {
+	o := NewListOpts(nil)
+	o.Set("foo")
+	if o.String() != "[foo]" {
+		t.Errorf("%s != [foo]", o.String())
+	}
+	o.Set("bar")
+	if o.Len() != 2 {
+		t.Errorf("%d != 2", o.Len())
+	}
+	o.Set("bar")
+	if o.Len() != 3 {
+		t.Errorf("%d != 3", o.Len())
+	}
+	if !o.Get("bar") {
+		t.Error("o.Get(\"bar\") == false")
+	}
+	if o.Get("baz") {
+		t.Error("o.Get(\"baz\") == true")
+	}
+	o.Delete("foo")
+	if o.String() != "[bar bar]" {
+		t.Errorf("%s != [bar bar]", o.String())
+	}
+	listOpts := o.GetAll()
+	if len(listOpts) != 2 || listOpts[0] != "bar" || listOpts[1] != "bar" {
+		t.Errorf("Expected [[bar bar]], got [%v]", listOpts)
+	}
+	mapListOpts := o.GetMap()
+	if len(mapListOpts) != 1 {
+		t.Errorf("Expected [map[bar:{}]], got [%v]", mapListOpts)
+	}
+
+}
+
+func TestListOptsWithValidator(t *testing.T) {
+	// Re-using logOptsvalidator (used by MapOpts)
+	o := NewListOpts(logOptsValidator)
+	o.Set("foo")
+	if o.String() != "" {
+		t.Errorf(`%s != ""`, o.String())
+	}
+	o.Set("foo=bar")
+	if o.String() != "" {
+		t.Errorf(`%s != ""`, o.String())
+	}
+	o.Set("max-file=2")
+	if o.Len() != 1 {
+		t.Errorf("%d != 1", o.Len())
+	}
+	if !o.Get("max-file=2") {
+		t.Error("o.Get(\"max-file=2\") == false")
+	}
+	if o.Get("baz") {
+		t.Error("o.Get(\"baz\") == true")
+	}
+	o.Delete("max-file=2")
+	if o.String() != "" {
+		t.Errorf(`%s != ""`, o.String())
+	}
+}
+
+// nolint: lll
+func TestValidateDNSSearch(t *testing.T) {
+	valid := []string{
+		`.`,
+		`a`,
+		`a.`,
+		`1.foo`,
+		`17.foo`,
+		`foo.bar`,
+		`foo.bar.baz`,
+		`foo.bar.`,
+		`foo.bar.baz`,
+		`foo1.bar2`,
+		`foo1.bar2.baz`,
+		`1foo.2bar.`,
+		`1foo.2bar.baz`,
+		`foo-1.bar-2`,
+		`foo-1.bar-2.baz`,
+		`foo-1.bar-2.`,
+		`foo-1.bar-2.baz`,
+		`1-foo.2-bar`,
+		`1-foo.2-bar.baz`,
+		`1-foo.2-bar.`,
+		`1-foo.2-bar.baz`,
+	}
+
+	invalid := []string{
+		``,
+		` `,
+		`  `,
+		`17`,
+		`17.`,
+		`.17`,
+		`17-.`,
+		`17-.foo`,
+		`.foo`,
+		`foo-.bar`,
+		`-foo.bar`,
+		`foo.bar-`,
+		`foo.bar-.baz`,
+		`foo.-bar`,
+		`foo.-bar.baz`,
+		`foo.bar.baz.this.should.fail.on.long.name.because.it.is.longer.thanisshouldbethis.should.fail.on.long.name.because.it.is.longer.thanisshouldbethis.should.fail.on.long.name.because.it.is.longer.thanisshouldbethis.should.fail.on.long.name.because.it.is.longer.thanisshouldbe`,
+	}
+
+	for _, domain := range valid {
+		if ret, err := ValidateDNSSearch(domain); err != nil || ret == "" {
+			t.Fatalf("ValidateDNSSearch(`"+domain+"`) got %s %s", ret, err)
+		}
+	}
+
+	for _, domain := range invalid {
+		if ret, err := ValidateDNSSearch(domain); err == nil || ret != "" {
+			t.Fatalf("ValidateDNSSearch(`"+domain+"`) got %s %s", ret, err)
+		}
+	}
+}
+
+func TestValidateLabel(t *testing.T) {
+	if _, err := ValidateLabel("label"); err == nil || err.Error() != "bad attribute format: label" {
+		t.Fatalf("Expected an error [bad attribute format: label], go %v", err)
+	}
+	if actual, err := ValidateLabel("key1=value1"); err != nil || actual != "key1=value1" {
+		t.Fatalf("Expected [key1=value1], got [%v,%v]", actual, err)
+	}
+	// Validate it's working with more than one =
+	if actual, err := ValidateLabel("key1=value1=value2"); err != nil {
+		t.Fatalf("Expected [key1=value1=value2], got [%v,%v]", actual, err)
+	}
+	// Validate it's working with one more
+	if actual, err := ValidateLabel("key1=value1=value2=value3"); err != nil {
+		t.Fatalf("Expected [key1=value1=value2=value2], got [%v,%v]", actual, err)
+	}
+}
+
+func logOptsValidator(val string) (string, error) {
+	allowedKeys := map[string]string{"max-size": "1", "max-file": "2"}
+	vals := strings.Split(val, "=")
+	if allowedKeys[vals[0]] != "" {
+		return val, nil
+	}
+	return "", fmt.Errorf("invalid key %s", vals[0])
+}
+
+func TestNamedListOpts(t *testing.T) {
+	var v []string
+	o := NewNamedListOptsRef("foo-name", &v, nil)
+
+	o.Set("foo")
+	if o.String() != "[foo]" {
+		t.Errorf("%s != [foo]", o.String())
+	}
+	if o.Name() != "foo-name" {
+		t.Errorf("%s != foo-name", o.Name())
+	}
+	if len(v) != 1 {
+		t.Errorf("expected foo to be in the values, got %v", v)
+	}
+}
+
+func TestNamedMapOpts(t *testing.T) {
+	tmpMap := make(map[string]string)
+	o := NewNamedMapOpts("max-name", tmpMap, nil)
+
+	o.Set("max-size=1")
+	if o.String() != "map[max-size:1]" {
+		t.Errorf("%s != [map[max-size:1]", o.String())
+	}
+	if o.Name() != "max-name" {
+		t.Errorf("%s != max-name", o.Name())
+	}
+	if _, exist := tmpMap["max-size"]; !exist {
+		t.Errorf("expected map-size to be in the values, got %v", tmpMap)
+	}
+}
+
+func TestValidateMACAddress(t *testing.T) {
+	if _, err := ValidateMACAddress(`92:d0:c6:0a:29:33`); err != nil {
+		t.Fatalf("ValidateMACAddress(`92:d0:c6:0a:29:33`) got %s", err)
+	}
+
+	if _, err := ValidateMACAddress(`92:d0:c6:0a:33`); err == nil {
+		t.Fatalf("ValidateMACAddress(`92:d0:c6:0a:33`) succeeded; expected failure on invalid MAC")
+	}
+
+	if _, err := ValidateMACAddress(`random invalid string`); err == nil {
+		t.Fatalf("ValidateMACAddress(`random invalid string`) succeeded; expected failure on invalid MAC")
+	}
+}
+
+func TestValidateLink(t *testing.T) {
+	valid := []string{
+		"name",
+		"dcdfbe62ecd0:alias",
+		"7a67485460b7642516a4ad82ecefe7f57d0c4916f530561b71a50a3f9c4e33da",
+		"angry_torvalds:linus",
+	}
+	invalid := map[string]string{
+		"":               "empty string specified for links",
+		"too:much:of:it": "bad format for links: too:much:of:it",
+	}
+
+	for _, link := range valid {
+		if _, err := ValidateLink(link); err != nil {
+			t.Fatalf("ValidateLink(`%q`) should succeed: error %q", link, err)
+		}
+	}
+
+	for link, expectedError := range invalid {
+		if _, err := ValidateLink(link); err == nil {
+			t.Fatalf("ValidateLink(`%q`) should have failed validation", link)
+		} else {
+			if !strings.Contains(err.Error(), expectedError) {
+				t.Fatalf("ValidateLink(`%q`) error should contain %q", link, expectedError)
+			}
+		}
+	}
+}
+
+func TestParseLink(t *testing.T) {
+	name, alias, err := ParseLink("name:alias")
+	if err != nil {
+		t.Fatalf("Expected not to error out on a valid name:alias format but got: %v", err)
+	}
+	if name != "name" {
+		t.Fatalf("Link name should have been name, got %s instead", name)
+	}
+	if alias != "alias" {
+		t.Fatalf("Link alias should have been alias, got %s instead", alias)
+	}
+	// short format definition
+	name, alias, err = ParseLink("name")
+	if err != nil {
+		t.Fatalf("Expected not to error out on a valid name only format but got: %v", err)
+	}
+	if name != "name" {
+		t.Fatalf("Link name should have been name, got %s instead", name)
+	}
+	if alias != "name" {
+		t.Fatalf("Link alias should have been name, got %s instead", alias)
+	}
+	// empty string link definition is not allowed
+	if _, _, err := ParseLink(""); err == nil || !strings.Contains(err.Error(), "empty string specified for links") {
+		t.Fatalf("Expected error 'empty string specified for links' but got: %v", err)
+	}
+	// more than two colons are not allowed
+	if _, _, err := ParseLink("link:alias:wrong"); err == nil || !strings.Contains(err.Error(), "bad format for links: link:alias:wrong") {
+		t.Fatalf("Expected error 'bad format for links: link:alias:wrong' but got: %v", err)
+	}
+}
diff --git a/cli/opts/opts_unix.go b/cli/opts/opts_unix.go
new file mode 100644
index 00000000..2766a43a
--- /dev/null
+++ b/cli/opts/opts_unix.go
@@ -0,0 +1,6 @@
+// +build !windows
+
+package opts
+
+// DefaultHTTPHost Default HTTP Host used if only port is provided to -H flag e.g. dockerd -H tcp://:8080
+const DefaultHTTPHost = "localhost"
diff --git a/cli/opts/opts_windows.go b/cli/opts/opts_windows.go
new file mode 100644
index 00000000..98b7251a
--- /dev/null
+++ b/cli/opts/opts_windows.go
@@ -0,0 +1,56 @@
+package opts
+
+// TODO Windows. Identify bug in GOLang 1.5.1+ and/or Windows Server 2016 TP5.
+// @jhowardmsft, @swernli.
+//
+// On Windows, this mitigates a problem with the default options of running
+// a docker client against a local docker daemon on TP5.
+//
+// What was found that if the default host is "localhost", even if the client
+// (and daemon as this is local) is not physically on a network, and the DNS
+// cache is flushed (ipconfig /flushdns), then the client will pause for
+// exactly one second when connecting to the daemon for calls. For example
+// using docker run windowsservercore cmd, the CLI will send a create followed
+// by an attach. You see the delay between the attach finishing and the attach
+// being seen by the daemon.
+//
+// Here's some daemon debug logs with additional debug spew put in. The
+// AfterWriteJSON log is the very last thing the daemon does as part of the
+// create call. The POST /attach is the second CLI call. Notice the second
+// time gap.
+//
+// time="2015-11-06T13:38:37.259627400-08:00" level=debug msg="After createRootfs"
+// time="2015-11-06T13:38:37.263626300-08:00" level=debug msg="After setHostConfig"
+// time="2015-11-06T13:38:37.267631200-08:00" level=debug msg="before createContainerPl...."
+// time="2015-11-06T13:38:37.271629500-08:00" level=debug msg=ToDiskLocking....
+// time="2015-11-06T13:38:37.275643200-08:00" level=debug msg="loggin event...."
+// time="2015-11-06T13:38:37.277627600-08:00" level=debug msg="logged event...."
+// time="2015-11-06T13:38:37.279631800-08:00" level=debug msg="In defer func"
+// time="2015-11-06T13:38:37.282628100-08:00" level=debug msg="After daemon.create"
+// time="2015-11-06T13:38:37.286651700-08:00" level=debug msg="return 2"
+// time="2015-11-06T13:38:37.289629500-08:00" level=debug msg="Returned from daemon.ContainerCreate"
+// time="2015-11-06T13:38:37.311629100-08:00" level=debug msg="After WriteJSON"
+// ... 1 second gap here....
+// time="2015-11-06T13:38:38.317866200-08:00" level=debug msg="Calling POST /v1.22/containers/984758282b842f779e805664b2c95d563adc9a979c8a3973e68c807843ee4757/attach"
+// time="2015-11-06T13:38:38.326882500-08:00" level=info msg="POST /v1.22/containers/984758282b842f779e805664b2c95d563adc9a979c8a3973e68c807843ee4757/attach?stderr=1&stdin=1&stdout=1&stream=1"
+//
+// We suspect this is either a bug introduced in GOLang 1.5.1, or that a change
+// in GOLang 1.5.1 (from 1.4.3) is exposing a bug in Windows. In theory,
+// the Windows networking stack is supposed to resolve "localhost" internally,
+// without hitting DNS, or even reading the hosts file (which is why localhost
+// is commented out in the hosts file on Windows).
+//
+// We have validated that working around this using the actual IPv4 localhost
+// address does not cause the delay.
+//
+// This does not occur with the docker client built with 1.4.3 on the same
+// Windows build, regardless of whether the daemon is built using 1.5.1
+// or 1.4.3. It does not occur on Linux. We also verified we see the same thing
+// on a cross-compiled Windows binary (from Linux).
+//
+// Final note: This is a mitigation, not a 'real' fix. It is still susceptible
+// to the delay if a user were to do 'docker run -H=tcp://localhost:2375...'
+// explicitly.
+
+// DefaultHTTPHost Default HTTP Host used if only port is provided to -H flag e.g. dockerd -H tcp://:8080
+const DefaultHTTPHost = "127.0.0.1"
diff --git a/cli/opts/parse.go b/cli/opts/parse.go
new file mode 100644
index 00000000..679759de
--- /dev/null
+++ b/cli/opts/parse.go
@@ -0,0 +1,99 @@
+package opts
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+// ReadKVStrings reads a file of line terminated key=value pairs, and overrides any keys
+// present in the file with additional pairs specified in the override parameter
+func ReadKVStrings(files []string, override []string) ([]string, error) {
+	return readKVStrings(files, override, nil)
+}
+
+// ReadKVEnvStrings reads a file of line terminated key=value pairs, and overrides any keys
+// present in the file with additional pairs specified in the override parameter.
+// If a key has no value, it will get the value from the environment.
+func ReadKVEnvStrings(files []string, override []string) ([]string, error) {
+	return readKVStrings(files, override, os.Getenv)
+}
+
+func readKVStrings(files []string, override []string, emptyFn func(string) string) ([]string, error) {
+	variables := []string{}
+	for _, ef := range files {
+		parsedVars, err := parseKeyValueFile(ef, emptyFn)
+		if err != nil {
+			return nil, err
+		}
+		variables = append(variables, parsedVars...)
+	}
+	// parse the '-e' and '--env' after, to allow override
+	variables = append(variables, override...)
+
+	return variables, nil
+}
+
+// ConvertKVStringsToMap converts ["key=value"] to {"key":"value"}
+func ConvertKVStringsToMap(values []string) map[string]string {
+	result := make(map[string]string, len(values))
+	for _, value := range values {
+		kv := strings.SplitN(value, "=", 2)
+		if len(kv) == 1 {
+			result[kv[0]] = ""
+		} else {
+			result[kv[0]] = kv[1]
+		}
+	}
+
+	return result
+}
+
+// ConvertKVStringsToMapWithNil converts ["key=value"] to {"key":"value"}
+// but set unset keys to nil - meaning the ones with no "=" in them.
+// We use this in cases where we need to distinguish between
+//   FOO=  and FOO
+// where the latter case just means FOO was mentioned but not given a value
+func ConvertKVStringsToMapWithNil(values []string) map[string]*string {
+	result := make(map[string]*string, len(values))
+	for _, value := range values {
+		kv := strings.SplitN(value, "=", 2)
+		if len(kv) == 1 {
+			result[kv[0]] = nil
+		} else {
+			result[kv[0]] = &kv[1]
+		}
+	}
+
+	return result
+}
+
+// ParseRestartPolicy returns the parsed policy or an error indicating what is incorrect
+func ParseRestartPolicy(policy string) (container.RestartPolicy, error) {
+	p := container.RestartPolicy{}
+
+	if policy == "" {
+		return p, nil
+	}
+
+	parts := strings.Split(policy, ":")
+
+	if len(parts) > 2 {
+		return p, fmt.Errorf("invalid restart policy format")
+	}
+	if len(parts) == 2 {
+		count, err := strconv.Atoi(parts[1])
+		if err != nil {
+			return p, fmt.Errorf("maximum retry count must be an integer")
+		}
+
+		p.MaximumRetryCount = count
+	}
+
+	p.Name = parts[0]
+
+	return p, nil
+}
diff --git a/cli/opts/port.go b/cli/opts/port.go
new file mode 100644
index 00000000..201aefaf
--- /dev/null
+++ b/cli/opts/port.go
@@ -0,0 +1,167 @@
+package opts
+
+import (
+	"encoding/csv"
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/go-connections/nat"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	portOptTargetPort    = "target"
+	portOptPublishedPort = "published"
+	portOptProtocol      = "protocol"
+	portOptMode          = "mode"
+)
+
+// PortOpt represents a port config in swarm mode.
+type PortOpt struct {
+	ports []swarm.PortConfig
+}
+
+// Set a new port value
+// nolint: gocyclo
+func (p *PortOpt) Set(value string) error {
+	longSyntax, err := regexp.MatchString(`\w+=\w+(,\w+=\w+)*`, value)
+	if err != nil {
+		return err
+	}
+	if longSyntax {
+		csvReader := csv.NewReader(strings.NewReader(value))
+		fields, err := csvReader.Read()
+		if err != nil {
+			return err
+		}
+
+		pConfig := swarm.PortConfig{}
+		for _, field := range fields {
+			parts := strings.SplitN(field, "=", 2)
+			if len(parts) != 2 {
+				return fmt.Errorf("invalid field %s", field)
+			}
+
+			key := strings.ToLower(parts[0])
+			value := strings.ToLower(parts[1])
+
+			switch key {
+			case portOptProtocol:
+				if value != string(swarm.PortConfigProtocolTCP) && value != string(swarm.PortConfigProtocolUDP) && value != string(swarm.PortConfigProtocolSCTP) {
+					return fmt.Errorf("invalid protocol value %s", value)
+				}
+
+				pConfig.Protocol = swarm.PortConfigProtocol(value)
+			case portOptMode:
+				if value != string(swarm.PortConfigPublishModeIngress) && value != string(swarm.PortConfigPublishModeHost) {
+					return fmt.Errorf("invalid publish mode value %s", value)
+				}
+
+				pConfig.PublishMode = swarm.PortConfigPublishMode(value)
+			case portOptTargetPort:
+				tPort, err := strconv.ParseUint(value, 10, 16)
+				if err != nil {
+					return err
+				}
+
+				pConfig.TargetPort = uint32(tPort)
+			case portOptPublishedPort:
+				pPort, err := strconv.ParseUint(value, 10, 16)
+				if err != nil {
+					return err
+				}
+
+				pConfig.PublishedPort = uint32(pPort)
+			default:
+				return fmt.Errorf("invalid field key %s", key)
+			}
+		}
+
+		if pConfig.TargetPort == 0 {
+			return fmt.Errorf("missing mandatory field %q", portOptTargetPort)
+		}
+
+		if pConfig.PublishMode == "" {
+			pConfig.PublishMode = swarm.PortConfigPublishModeIngress
+		}
+
+		if pConfig.Protocol == "" {
+			pConfig.Protocol = swarm.PortConfigProtocolTCP
+		}
+
+		p.ports = append(p.ports, pConfig)
+	} else {
+		// short syntax
+		portConfigs := []swarm.PortConfig{}
+		ports, portBindingMap, err := nat.ParsePortSpecs([]string{value})
+		if err != nil {
+			return err
+		}
+		for _, portBindings := range portBindingMap {
+			for _, portBinding := range portBindings {
+				if portBinding.HostIP != "" {
+					return fmt.Errorf("hostip is not supported")
+				}
+			}
+		}
+
+		for port := range ports {
+			portConfig, err := ConvertPortToPortConfig(port, portBindingMap)
+			if err != nil {
+				return err
+			}
+			portConfigs = append(portConfigs, portConfig...)
+		}
+		p.ports = append(p.ports, portConfigs...)
+	}
+	return nil
+}
+
+// Type returns the type of this option
+func (p *PortOpt) Type() string {
+	return "port"
+}
+
+// String returns a string repr of this option
+func (p *PortOpt) String() string {
+	ports := []string{}
+	for _, port := range p.ports {
+		repr := fmt.Sprintf("%v:%v/%s/%s", port.PublishedPort, port.TargetPort, port.Protocol, port.PublishMode)
+		ports = append(ports, repr)
+	}
+	return strings.Join(ports, ", ")
+}
+
+// Value returns the ports
+func (p *PortOpt) Value() []swarm.PortConfig {
+	return p.ports
+}
+
+// ConvertPortToPortConfig converts ports to the swarm type
+func ConvertPortToPortConfig(
+	port nat.Port,
+	portBindings map[nat.Port][]nat.PortBinding,
+) ([]swarm.PortConfig, error) {
+	ports := []swarm.PortConfig{}
+
+	for _, binding := range portBindings[port] {
+		if binding.HostIP != "" && binding.HostIP != "0.0.0.0" {
+			logrus.Warnf("ignoring IP-address (%s:%s:%s) service will listen on '0.0.0.0'", binding.HostIP, binding.HostPort, port)
+		}
+		hostPort, err := strconv.ParseUint(binding.HostPort, 10, 16)
+		if err != nil && binding.HostPort != "" {
+			return nil, fmt.Errorf("invalid hostport binding (%s) for port (%s)", binding.HostPort, port.Port())
+		}
+		ports = append(ports, swarm.PortConfig{
+			//TODO Name: ?
+			Protocol:      swarm.PortConfigProtocol(strings.ToLower(port.Proto())),
+			TargetPort:    uint32(port.Int()),
+			PublishedPort: uint32(hostPort),
+			PublishMode:   swarm.PortConfigPublishModeIngress,
+		})
+	}
+	return ports, nil
+}
diff --git a/cli/opts/port_test.go b/cli/opts/port_test.go
new file mode 100644
index 00000000..fb3498f7
--- /dev/null
+++ b/cli/opts/port_test.go
@@ -0,0 +1,296 @@
+package opts
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestPortOptValidSimpleSyntax(t *testing.T) {
+	testCases := []struct {
+		value    string
+		expected []swarm.PortConfig
+	}{
+		{
+			value: "80",
+			expected: []swarm.PortConfig{
+				{
+					Protocol:    "tcp",
+					TargetPort:  80,
+					PublishMode: swarm.PortConfigPublishModeIngress,
+				},
+			},
+		},
+		{
+			value: "80:8080",
+			expected: []swarm.PortConfig{
+				{
+					Protocol:      "tcp",
+					TargetPort:    8080,
+					PublishedPort: 80,
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+				},
+			},
+		},
+		{
+			value: "8080:80/tcp",
+			expected: []swarm.PortConfig{
+				{
+					Protocol:      "tcp",
+					TargetPort:    80,
+					PublishedPort: 8080,
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+				},
+			},
+		},
+		{
+			value: "80:8080/udp",
+			expected: []swarm.PortConfig{
+				{
+					Protocol:      "udp",
+					TargetPort:    8080,
+					PublishedPort: 80,
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+				},
+			},
+		},
+		{
+			value: "80-81:8080-8081/tcp",
+			expected: []swarm.PortConfig{
+				{
+					Protocol:      "tcp",
+					TargetPort:    8080,
+					PublishedPort: 80,
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+				},
+				{
+					Protocol:      "tcp",
+					TargetPort:    8081,
+					PublishedPort: 81,
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+				},
+			},
+		},
+		{
+			value: "80-82:8080-8082/udp",
+			expected: []swarm.PortConfig{
+				{
+					Protocol:      "udp",
+					TargetPort:    8080,
+					PublishedPort: 80,
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+				},
+				{
+					Protocol:      "udp",
+					TargetPort:    8081,
+					PublishedPort: 81,
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+				},
+				{
+					Protocol:      "udp",
+					TargetPort:    8082,
+					PublishedPort: 82,
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+				},
+			},
+		},
+	}
+	for _, tc := range testCases {
+		var port PortOpt
+		assert.NilError(t, port.Set(tc.value))
+		assert.Check(t, is.Len(port.Value(), len(tc.expected)))
+		for _, expectedPortConfig := range tc.expected {
+			assertContains(t, port.Value(), expectedPortConfig)
+		}
+	}
+}
+
+func TestPortOptValidComplexSyntax(t *testing.T) {
+	testCases := []struct {
+		value    string
+		expected []swarm.PortConfig
+	}{
+		{
+			value: "target=80",
+			expected: []swarm.PortConfig{
+				{
+					TargetPort:  80,
+					Protocol:    "tcp",
+					PublishMode: swarm.PortConfigPublishModeIngress,
+				},
+			},
+		},
+		{
+			value: "target=80,protocol=tcp",
+			expected: []swarm.PortConfig{
+				{
+					Protocol:    "tcp",
+					TargetPort:  80,
+					PublishMode: swarm.PortConfigPublishModeIngress,
+				},
+			},
+		},
+		{
+			value: "target=80,published=8080,protocol=tcp",
+			expected: []swarm.PortConfig{
+				{
+					Protocol:      "tcp",
+					TargetPort:    80,
+					PublishedPort: 8080,
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+				},
+			},
+		},
+		{
+			value: "published=80,target=8080,protocol=tcp",
+			expected: []swarm.PortConfig{
+				{
+					Protocol:      "tcp",
+					TargetPort:    8080,
+					PublishedPort: 80,
+					PublishMode:   swarm.PortConfigPublishModeIngress,
+				},
+			},
+		},
+		{
+			value: "target=80,published=8080,protocol=tcp,mode=host",
+			expected: []swarm.PortConfig{
+				{
+					Protocol:      "tcp",
+					TargetPort:    80,
+					PublishedPort: 8080,
+					PublishMode:   "host",
+				},
+			},
+		},
+		{
+			value: "target=80,published=8080,mode=host",
+			expected: []swarm.PortConfig{
+				{
+					TargetPort:    80,
+					PublishedPort: 8080,
+					PublishMode:   "host",
+					Protocol:      "tcp",
+				},
+			},
+		},
+		{
+			value: "target=80,published=8080,mode=ingress",
+			expected: []swarm.PortConfig{
+				{
+					TargetPort:    80,
+					PublishedPort: 8080,
+					PublishMode:   "ingress",
+					Protocol:      "tcp",
+				},
+			},
+		},
+	}
+	for _, tc := range testCases {
+		var port PortOpt
+		assert.NilError(t, port.Set(tc.value))
+		assert.Check(t, is.Len(port.Value(), len(tc.expected)))
+		for _, expectedPortConfig := range tc.expected {
+			assertContains(t, port.Value(), expectedPortConfig)
+		}
+	}
+}
+
+func TestPortOptInvalidComplexSyntax(t *testing.T) {
+	testCases := []struct {
+		value         string
+		expectedError string
+	}{
+		{
+			value:         "invalid,target=80",
+			expectedError: "invalid field",
+		},
+		{
+			value:         "invalid=field",
+			expectedError: "invalid field",
+		},
+		{
+			value:         "protocol=invalid",
+			expectedError: "invalid protocol value",
+		},
+		{
+			value:         "target=invalid",
+			expectedError: "invalid syntax",
+		},
+		{
+			value:         "published=invalid",
+			expectedError: "invalid syntax",
+		},
+		{
+			value:         "mode=invalid",
+			expectedError: "invalid publish mode value",
+		},
+		{
+			value:         "published=8080,protocol=tcp,mode=ingress",
+			expectedError: "missing mandatory field",
+		},
+		{
+			value:         `target=80,protocol="tcp,mode=ingress"`,
+			expectedError: "non-quoted-field",
+		},
+		{
+			value:         `target=80,"protocol=tcp,mode=ingress"`,
+			expectedError: "invalid protocol value",
+		},
+	}
+	for _, tc := range testCases {
+		var port PortOpt
+		assert.ErrorContains(t, port.Set(tc.value), tc.expectedError)
+	}
+}
+
+func TestPortOptInvalidSimpleSyntax(t *testing.T) {
+	testCases := []struct {
+		value         string
+		expectedError string
+	}{
+		{
+			value:         "9999999",
+			expectedError: "Invalid containerPort: 9999999",
+		},
+		{
+			value:         "80/xyz",
+			expectedError: "Invalid proto: xyz",
+		},
+		{
+			value:         "tcp",
+			expectedError: "Invalid containerPort: tcp",
+		},
+		{
+			value:         "udp",
+			expectedError: "Invalid containerPort: udp",
+		},
+		{
+			value:         "",
+			expectedError: "No port specified: <empty>",
+		},
+		{
+			value:         "1.1.1.1:80:80",
+			expectedError: "hostip is not supported",
+		},
+	}
+	for _, tc := range testCases {
+		var port PortOpt
+		assert.Error(t, port.Set(tc.value), tc.expectedError)
+	}
+}
+
+func assertContains(t *testing.T, portConfigs []swarm.PortConfig, expected swarm.PortConfig) {
+	var contains = false
+	for _, portConfig := range portConfigs {
+		if portConfig == expected {
+			contains = true
+			break
+		}
+	}
+	if !contains {
+		t.Errorf("expected %v to contain %v, did not", portConfigs, expected)
+	}
+}
diff --git a/cli/opts/quotedstring.go b/cli/opts/quotedstring.go
new file mode 100644
index 00000000..09c68a52
--- /dev/null
+++ b/cli/opts/quotedstring.go
@@ -0,0 +1,37 @@
+package opts
+
+// QuotedString is a string that may have extra quotes around the value. The
+// quotes are stripped from the value.
+type QuotedString struct {
+	value *string
+}
+
+// Set sets a new value
+func (s *QuotedString) Set(val string) error {
+	*s.value = trimQuotes(val)
+	return nil
+}
+
+// Type returns the type of the value
+func (s *QuotedString) Type() string {
+	return "string"
+}
+
+func (s *QuotedString) String() string {
+	return *s.value
+}
+
+func trimQuotes(value string) string {
+	lastIndex := len(value) - 1
+	for _, char := range []byte{'\'', '"'} {
+		if value[0] == char && value[lastIndex] == char {
+			return value[1:lastIndex]
+		}
+	}
+	return value
+}
+
+// NewQuotedString returns a new quoted string option
+func NewQuotedString(value *string) *QuotedString {
+	return &QuotedString{value: value}
+}
diff --git a/cli/opts/quotedstring_test.go b/cli/opts/quotedstring_test.go
new file mode 100644
index 00000000..72ec6a21
--- /dev/null
+++ b/cli/opts/quotedstring_test.go
@@ -0,0 +1,30 @@
+package opts
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestQuotedStringSetWithQuotes(t *testing.T) {
+	value := ""
+	qs := NewQuotedString(&value)
+	assert.NilError(t, qs.Set(`"something"`))
+	assert.Check(t, is.Equal("something", qs.String()))
+	assert.Check(t, is.Equal("something", value))
+}
+
+func TestQuotedStringSetWithMismatchedQuotes(t *testing.T) {
+	value := ""
+	qs := NewQuotedString(&value)
+	assert.NilError(t, qs.Set(`"something'`))
+	assert.Check(t, is.Equal(`"something'`, qs.String()))
+}
+
+func TestQuotedStringSetWithNoQuotes(t *testing.T) {
+	value := ""
+	qs := NewQuotedString(&value)
+	assert.NilError(t, qs.Set("something"))
+	assert.Check(t, is.Equal("something", qs.String()))
+}
diff --git a/cli/opts/runtime.go b/cli/opts/runtime.go
new file mode 100644
index 00000000..4361b3ce
--- /dev/null
+++ b/cli/opts/runtime.go
@@ -0,0 +1,79 @@
+package opts
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+)
+
+// RuntimeOpt defines a map of Runtimes
+type RuntimeOpt struct {
+	name             string
+	stockRuntimeName string
+	values           *map[string]types.Runtime
+}
+
+// NewNamedRuntimeOpt creates a new RuntimeOpt
+func NewNamedRuntimeOpt(name string, ref *map[string]types.Runtime, stockRuntime string) *RuntimeOpt {
+	if ref == nil {
+		ref = &map[string]types.Runtime{}
+	}
+	return &RuntimeOpt{name: name, values: ref, stockRuntimeName: stockRuntime}
+}
+
+// Name returns the name of the NamedListOpts in the configuration.
+func (o *RuntimeOpt) Name() string {
+	return o.name
+}
+
+// Set validates and updates the list of Runtimes
+func (o *RuntimeOpt) Set(val string) error {
+	parts := strings.SplitN(val, "=", 2)
+	if len(parts) != 2 {
+		return fmt.Errorf("invalid runtime argument: %s", val)
+	}
+
+	parts[0] = strings.TrimSpace(parts[0])
+	parts[1] = strings.TrimSpace(parts[1])
+	if parts[0] == "" || parts[1] == "" {
+		return fmt.Errorf("invalid runtime argument: %s", val)
+	}
+
+	parts[0] = strings.ToLower(parts[0])
+	if parts[0] == o.stockRuntimeName {
+		return fmt.Errorf("runtime name '%s' is reserved", o.stockRuntimeName)
+	}
+
+	if _, ok := (*o.values)[parts[0]]; ok {
+		return fmt.Errorf("runtime '%s' was already defined", parts[0])
+	}
+
+	(*o.values)[parts[0]] = types.Runtime{Path: parts[1]}
+
+	return nil
+}
+
+// String returns Runtime values as a string.
+func (o *RuntimeOpt) String() string {
+	var out []string
+	for k := range *o.values {
+		out = append(out, k)
+	}
+
+	return fmt.Sprintf("%v", out)
+}
+
+// GetMap returns a map of Runtimes (name: path)
+func (o *RuntimeOpt) GetMap() map[string]types.Runtime {
+	if o.values != nil {
+		return *o.values
+	}
+
+	return map[string]types.Runtime{}
+}
+
+// Type returns the type of the option
+func (o *RuntimeOpt) Type() string {
+	return "runtime"
+}
diff --git a/cli/opts/secret.go b/cli/opts/secret.go
new file mode 100644
index 00000000..a1fde54d
--- /dev/null
+++ b/cli/opts/secret.go
@@ -0,0 +1,98 @@
+package opts
+
+import (
+	"encoding/csv"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+)
+
+// SecretOpt is a Value type for parsing secrets
+type SecretOpt struct {
+	values []*swarmtypes.SecretReference
+}
+
+// Set a new secret value
+func (o *SecretOpt) Set(value string) error {
+	csvReader := csv.NewReader(strings.NewReader(value))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return err
+	}
+
+	options := &swarmtypes.SecretReference{
+		File: &swarmtypes.SecretReferenceFileTarget{
+			UID:  "0",
+			GID:  "0",
+			Mode: 0444,
+		},
+	}
+
+	// support a simple syntax of --secret foo
+	if len(fields) == 1 {
+		options.File.Name = fields[0]
+		options.SecretName = fields[0]
+		o.values = append(o.values, options)
+		return nil
+	}
+
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+		key := strings.ToLower(parts[0])
+
+		if len(parts) != 2 {
+			return fmt.Errorf("invalid field '%s' must be a key=value pair", field)
+		}
+
+		value := parts[1]
+		switch key {
+		case "source", "src":
+			options.SecretName = value
+		case "target":
+			options.File.Name = value
+		case "uid":
+			options.File.UID = value
+		case "gid":
+			options.File.GID = value
+		case "mode":
+			m, err := strconv.ParseUint(value, 0, 32)
+			if err != nil {
+				return fmt.Errorf("invalid mode specified: %v", err)
+			}
+
+			options.File.Mode = os.FileMode(m)
+		default:
+			return fmt.Errorf("invalid field in secret request: %s", key)
+		}
+	}
+
+	if options.SecretName == "" {
+		return fmt.Errorf("source is required")
+	}
+
+	o.values = append(o.values, options)
+	return nil
+}
+
+// Type returns the type of this option
+func (o *SecretOpt) Type() string {
+	return "secret"
+}
+
+// String returns a string repr of this option
+func (o *SecretOpt) String() string {
+	secrets := []string{}
+	for _, secret := range o.values {
+		repr := fmt.Sprintf("%s -> %s", secret.SecretName, secret.File.Name)
+		secrets = append(secrets, repr)
+	}
+	return strings.Join(secrets, ", ")
+}
+
+// Value returns the secret requests
+func (o *SecretOpt) Value() []*swarmtypes.SecretReference {
+	return o.values
+}
diff --git a/cli/opts/secret_test.go b/cli/opts/secret_test.go
new file mode 100644
index 00000000..94dd80d1
--- /dev/null
+++ b/cli/opts/secret_test.go
@@ -0,0 +1,80 @@
+package opts
+
+import (
+	"os"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSecretOptionsSimple(t *testing.T) {
+	var opt SecretOpt
+
+	testCase := "app-secret"
+	assert.NilError(t, opt.Set(testCase))
+
+	reqs := opt.Value()
+	assert.Assert(t, is.Len(reqs, 1))
+	req := reqs[0]
+	assert.Check(t, is.Equal("app-secret", req.SecretName))
+	assert.Check(t, is.Equal("app-secret", req.File.Name))
+	assert.Check(t, is.Equal("0", req.File.UID))
+	assert.Check(t, is.Equal("0", req.File.GID))
+}
+
+func TestSecretOptionsSourceTarget(t *testing.T) {
+	var opt SecretOpt
+
+	testCase := "source=foo,target=testing"
+	assert.NilError(t, opt.Set(testCase))
+
+	reqs := opt.Value()
+	assert.Assert(t, is.Len(reqs, 1))
+	req := reqs[0]
+	assert.Check(t, is.Equal("foo", req.SecretName))
+	assert.Check(t, is.Equal("testing", req.File.Name))
+}
+
+func TestSecretOptionsShorthand(t *testing.T) {
+	var opt SecretOpt
+
+	testCase := "src=foo,target=testing"
+	assert.NilError(t, opt.Set(testCase))
+
+	reqs := opt.Value()
+	assert.Assert(t, is.Len(reqs, 1))
+	req := reqs[0]
+	assert.Check(t, is.Equal("foo", req.SecretName))
+}
+
+func TestSecretOptionsCustomUidGid(t *testing.T) {
+	var opt SecretOpt
+
+	testCase := "source=foo,target=testing,uid=1000,gid=1001"
+	assert.NilError(t, opt.Set(testCase))
+
+	reqs := opt.Value()
+	assert.Assert(t, is.Len(reqs, 1))
+	req := reqs[0]
+	assert.Check(t, is.Equal("foo", req.SecretName))
+	assert.Check(t, is.Equal("testing", req.File.Name))
+	assert.Check(t, is.Equal("1000", req.File.UID))
+	assert.Check(t, is.Equal("1001", req.File.GID))
+}
+
+func TestSecretOptionsCustomMode(t *testing.T) {
+	var opt SecretOpt
+
+	testCase := "source=foo,target=testing,uid=1000,gid=1001,mode=0444"
+	assert.NilError(t, opt.Set(testCase))
+
+	reqs := opt.Value()
+	assert.Assert(t, is.Len(reqs, 1))
+	req := reqs[0]
+	assert.Check(t, is.Equal("foo", req.SecretName))
+	assert.Check(t, is.Equal("testing", req.File.Name))
+	assert.Check(t, is.Equal("1000", req.File.UID))
+	assert.Check(t, is.Equal("1001", req.File.GID))
+	assert.Check(t, is.Equal(os.FileMode(0444), req.File.Mode))
+}
diff --git a/cli/opts/throttledevice.go b/cli/opts/throttledevice.go
new file mode 100644
index 00000000..0959efae
--- /dev/null
+++ b/cli/opts/throttledevice.go
@@ -0,0 +1,108 @@
+package opts
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types/blkiodev"
+	"github.com/docker/go-units"
+)
+
+// ValidatorThrottleFctType defines a validator function that returns a validated struct and/or an error.
+type ValidatorThrottleFctType func(val string) (*blkiodev.ThrottleDevice, error)
+
+// ValidateThrottleBpsDevice validates that the specified string has a valid device-rate format.
+func ValidateThrottleBpsDevice(val string) (*blkiodev.ThrottleDevice, error) {
+	split := strings.SplitN(val, ":", 2)
+	if len(split) != 2 {
+		return nil, fmt.Errorf("bad format: %s", val)
+	}
+	if !strings.HasPrefix(split[0], "/dev/") {
+		return nil, fmt.Errorf("bad format for device path: %s", val)
+	}
+	rate, err := units.RAMInBytes(split[1])
+	if err != nil {
+		return nil, fmt.Errorf("invalid rate for device: %s. The correct format is <device-path>:<number>[<unit>]. Number must be a positive integer. Unit is optional and can be kb, mb, or gb", val)
+	}
+	if rate < 0 {
+		return nil, fmt.Errorf("invalid rate for device: %s. The correct format is <device-path>:<number>[<unit>]. Number must be a positive integer. Unit is optional and can be kb, mb, or gb", val)
+	}
+
+	return &blkiodev.ThrottleDevice{
+		Path: split[0],
+		Rate: uint64(rate),
+	}, nil
+}
+
+// ValidateThrottleIOpsDevice validates that the specified string has a valid device-rate format.
+func ValidateThrottleIOpsDevice(val string) (*blkiodev.ThrottleDevice, error) {
+	split := strings.SplitN(val, ":", 2)
+	if len(split) != 2 {
+		return nil, fmt.Errorf("bad format: %s", val)
+	}
+	if !strings.HasPrefix(split[0], "/dev/") {
+		return nil, fmt.Errorf("bad format for device path: %s", val)
+	}
+	rate, err := strconv.ParseUint(split[1], 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("invalid rate for device: %s. The correct format is <device-path>:<number>. Number must be a positive integer", val)
+	}
+	if rate < 0 {
+		return nil, fmt.Errorf("invalid rate for device: %s. The correct format is <device-path>:<number>. Number must be a positive integer", val)
+	}
+
+	return &blkiodev.ThrottleDevice{Path: split[0], Rate: rate}, nil
+}
+
+// ThrottledeviceOpt defines a map of ThrottleDevices
+type ThrottledeviceOpt struct {
+	values    []*blkiodev.ThrottleDevice
+	validator ValidatorThrottleFctType
+}
+
+// NewThrottledeviceOpt creates a new ThrottledeviceOpt
+func NewThrottledeviceOpt(validator ValidatorThrottleFctType) ThrottledeviceOpt {
+	values := []*blkiodev.ThrottleDevice{}
+	return ThrottledeviceOpt{
+		values:    values,
+		validator: validator,
+	}
+}
+
+// Set validates a ThrottleDevice and sets its name as a key in ThrottledeviceOpt
+func (opt *ThrottledeviceOpt) Set(val string) error {
+	var value *blkiodev.ThrottleDevice
+	if opt.validator != nil {
+		v, err := opt.validator(val)
+		if err != nil {
+			return err
+		}
+		value = v
+	}
+	(opt.values) = append((opt.values), value)
+	return nil
+}
+
+// String returns ThrottledeviceOpt values as a string.
+func (opt *ThrottledeviceOpt) String() string {
+	var out []string
+	for _, v := range opt.values {
+		out = append(out, v.String())
+	}
+
+	return fmt.Sprintf("%v", out)
+}
+
+// GetList returns a slice of pointers to ThrottleDevices.
+func (opt *ThrottledeviceOpt) GetList() []*blkiodev.ThrottleDevice {
+	var throttledevice []*blkiodev.ThrottleDevice
+	throttledevice = append(throttledevice, opt.values...)
+
+	return throttledevice
+}
+
+// Type returns the option type
+func (opt *ThrottledeviceOpt) Type() string {
+	return "list"
+}
diff --git a/cli/opts/ulimit.go b/cli/opts/ulimit.go
new file mode 100644
index 00000000..5adfe308
--- /dev/null
+++ b/cli/opts/ulimit.go
@@ -0,0 +1,57 @@
+package opts
+
+import (
+	"fmt"
+
+	"github.com/docker/go-units"
+)
+
+// UlimitOpt defines a map of Ulimits
+type UlimitOpt struct {
+	values *map[string]*units.Ulimit
+}
+
+// NewUlimitOpt creates a new UlimitOpt
+func NewUlimitOpt(ref *map[string]*units.Ulimit) *UlimitOpt {
+	if ref == nil {
+		ref = &map[string]*units.Ulimit{}
+	}
+	return &UlimitOpt{ref}
+}
+
+// Set validates a Ulimit and sets its name as a key in UlimitOpt
+func (o *UlimitOpt) Set(val string) error {
+	l, err := units.ParseUlimit(val)
+	if err != nil {
+		return err
+	}
+
+	(*o.values)[l.Name] = l
+
+	return nil
+}
+
+// String returns Ulimit values as a string.
+func (o *UlimitOpt) String() string {
+	var out []string
+	for _, v := range *o.values {
+		out = append(out, v.String())
+	}
+
+	return fmt.Sprintf("%v", out)
+}
+
+// GetList returns a slice of pointers to Ulimits.
+func (o *UlimitOpt) GetList() []*units.Ulimit {
+	var ulimits []*units.Ulimit
+	for _, v := range *o.values {
+		ulimits = append(ulimits, v)
+	}
+
+	return ulimits
+}
+
+// Type returns the option type
+func (o *UlimitOpt) Type() string {
+	return "ulimit"
+}
diff --git a/cli/opts/ulimit_test.go b/cli/opts/ulimit_test.go
new file mode 100644
index 00000000..0aa3facd
--- /dev/null
+++ b/cli/opts/ulimit_test.go
@@ -0,0 +1,42 @@
+package opts
+
+import (
+	"testing"
+
+	"github.com/docker/go-units"
+)
+
+func TestUlimitOpt(t *testing.T) {
+	ulimitMap := map[string]*units.Ulimit{
+		"nofile": {"nofile", 1024, 512},
+	}
+
+	ulimitOpt := NewUlimitOpt(&ulimitMap)
+
+	expected := "[nofile=512:1024]"
+	if ulimitOpt.String() != expected {
+		t.Fatalf("Expected %v, got %v", expected, ulimitOpt)
+	}
+
+	// Valid ulimit append to opts
+	if err := ulimitOpt.Set("core=1024:1024"); err != nil {
+		t.Fatal(err)
+	}
+
+	// Invalid ulimit type returns an error and do not append to opts
+	if err := ulimitOpt.Set("notavalidtype=1024:1024"); err == nil {
+		t.Fatalf("Expected error on invalid ulimit type")
+	}
+	expected = "[nofile=512:1024 core=1024:1024]"
+	expected2 := "[core=1024:1024 nofile=512:1024]"
+	result := ulimitOpt.String()
+	if result != expected && result != expected2 {
+		t.Fatalf("Expected %v or %v, got %v", expected, expected2, ulimitOpt)
+	}
+
+	// And test GetList
+	ulimits := ulimitOpt.GetList()
+	if len(ulimits) != 2 {
+		t.Fatalf("Expected a ulimit list of 2, got %v", ulimits)
+	}
+}
diff --git a/cli/opts/weightdevice.go b/cli/opts/weightdevice.go
new file mode 100644
index 00000000..46ce9b65
--- /dev/null
+++ b/cli/opts/weightdevice.go
@@ -0,0 +1,84 @@
+package opts
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types/blkiodev"
+)
+
+// ValidatorWeightFctType defines a validator function that returns a validated struct and/or an error.
+type ValidatorWeightFctType func(val string) (*blkiodev.WeightDevice, error)
+
+// ValidateWeightDevice validates that the specified string has a valid device-weight format.
+func ValidateWeightDevice(val string) (*blkiodev.WeightDevice, error) {
+	split := strings.SplitN(val, ":", 2)
+	if len(split) != 2 {
+		return nil, fmt.Errorf("bad format: %s", val)
+	}
+	if !strings.HasPrefix(split[0], "/dev/") {
+		return nil, fmt.Errorf("bad format for device path: %s", val)
+	}
+	weight, err := strconv.ParseUint(split[1], 10, 0)
+	if err != nil {
+		return nil, fmt.Errorf("invalid weight for device: %s", val)
+	}
+	if weight > 0 && (weight < 10 || weight > 1000) {
+		return nil, fmt.Errorf("invalid weight for device: %s", val)
+	}
+
+	return &blkiodev.WeightDevice{
+		Path:   split[0],
+		Weight: uint16(weight),
+	}, nil
+}
+
+// WeightdeviceOpt defines a map of WeightDevices
+type WeightdeviceOpt struct {
+	values    []*blkiodev.WeightDevice
+	validator ValidatorWeightFctType
+}
+
+// NewWeightdeviceOpt creates a new WeightdeviceOpt
+func NewWeightdeviceOpt(validator ValidatorWeightFctType) WeightdeviceOpt {
+	values := []*blkiodev.WeightDevice{}
+	return WeightdeviceOpt{
+		values:    values,
+		validator: validator,
+	}
+}
+
+// Set validates a WeightDevice and sets its name as a key in WeightdeviceOpt
+func (opt *WeightdeviceOpt) Set(val string) error {
+	var value *blkiodev.WeightDevice
+	if opt.validator != nil {
+		v, err := opt.validator(val)
+		if err != nil {
+			return err
+		}
+		value = v
+	}
+	(opt.values) = append((opt.values), value)
+	return nil
+}
+
+// String returns WeightdeviceOpt values as a string.
+func (opt *WeightdeviceOpt) String() string {
+	var out []string
+	for _, v := range opt.values {
+		out = append(out, v.String())
+	}
+
+	return fmt.Sprintf("%v", out)
+}
+
+// GetList returns a slice of pointers to WeightDevices.
+func (opt *WeightdeviceOpt) GetList() []*blkiodev.WeightDevice {
+	return opt.values
+}
+
+// Type returns the option type
+func (opt *WeightdeviceOpt) Type() string {
+	return "list"
+}
diff --git a/cli/poule.yml b/cli/poule.yml
new file mode 100644
index 00000000..2235d714
--- /dev/null
+++ b/cli/poule.yml
@@ -0,0 +1,41 @@
+# Add a "status/0-triage" to every newly opened pull request.
+- triggers:
+      pull_request: [ opened ]
+  operations:
+      - type:       label
+        filters: {
+            ~labels: [ "status/0-triage", "status/1-design-review", "status/2-code-review", "status/3-docs-review", "status/4-merge" ],
+        }
+        settings: {
+            patterns: {
+                status/0-triage:     [ ".*" ],
+            }
+        }
+
+# For every newly created or modified issue, assign label based on matching regexp using the `label`
+# operation, as well as an Engine-specific version label using `version-label`.
+- triggers:
+      issues:       [ edited, opened, reopened ]
+  operations:
+      - type:       label
+        settings: {
+            patterns: {
+                area/builder:        [ "dockerfile", "docker build" ],
+                area/distribution:   [ "docker login", "docker logout", "docker pull", "docker push", "docker search" ],
+                area/plugins:        [ "docker plugin" ],
+                area/networking:     [ "docker network", "ipvs", "vxlan" ],
+                area/swarm:          [ "docker node", "docker swarm", "docker service create", "docker service inspect", "docker service logs", "docker service ls", "docker service ps", "docker service rm", "docker service scale", "docker service update" ],
+                platform/desktop:    [ "docker for mac", "docker for windows" ],
+                platform/freebsd:    [ "freebsd" ],
+                platform/windows:    [ "nanoserver", "windowsservercore", "windows server" ],
+                platform/arm:        [ "raspberry", "raspbian", "rpi", "beaglebone", "pine64" ],
+            }
+        }
+      - type:       version-label
+
+# When a pull request is closed, attach it to the currently active milestone.
+- triggers:
+      pull_request: [ closed ]
+  operations:
+      - type:       version-milestone
+
diff --git a/cli/scripts/build/.variables b/cli/scripts/build/.variables
new file mode 100755
index 00000000..208f44c3
--- /dev/null
+++ b/cli/scripts/build/.variables
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eu
+
+PLATFORM=${PLATFORM:-}
+VERSION=${VERSION:-"unknown-version"}
+GITCOMMIT=${GITCOMMIT:-$(git rev-parse --short HEAD 2> /dev/null || true)}
+BUILDTIME=${BUILDTIME:-$(date --utc --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')}
+
+PLATFORM_LDFLAGS=
+if test -n "${PLATFORM}"; then
+	PLATFORM_LDFLAGS="-X \"github.com/docker/cli/cli.PlatformName=${PLATFORM}\""
+fi
+
+export LDFLAGS="\
+    -w \
+    ${PLATFORM_LDFLAGS} \
+    -X \"github.com/docker/cli/cli.GitCommit=${GITCOMMIT}\" \
+    -X \"github.com/docker/cli/cli.BuildTime=${BUILDTIME}\" \
+    -X \"github.com/docker/cli/cli.Version=${VERSION}\" \
+    ${LDFLAGS:-} \
+"
+
+GOOS="${GOOS:-$(go env GOHOSTOS)}"
+GOARCH="${GOARCH:-$(go env GOHOSTARCH)}"
+export TARGET="build/docker-$GOOS-$GOARCH"
+export SOURCE="github.com/docker/cli/cmd/docker"
diff --git a/cli/scripts/build/binary b/cli/scripts/build/binary
new file mode 100755
index 00000000..41c4196c
--- /dev/null
+++ b/cli/scripts/build/binary
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+#
+# Build a static binary for the host OS/ARCH
+#
+
+set -eu -o pipefail
+
+source ./scripts/build/.variables
+
+echo "Building statically linked $TARGET"
+export CGO_ENABLED=0
+go build -o "${TARGET}" --ldflags "${LDFLAGS}" "${SOURCE}"
+
+ln -sf "$(basename "${TARGET}")" build/docker
diff --git a/cli/scripts/build/cross b/cli/scripts/build/cross
new file mode 100755
index 00000000..919390df
--- /dev/null
+++ b/cli/scripts/build/cross
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+#
+# Build a binary for all supported platforms
+#
+
+set -eu -o pipefail
+
+BUILDDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+export SHELL=bash
+
+jobs=(
+    "$BUILDDIR/windows" \
+    "$BUILDDIR/osx" \
+    "GOOS=linux GOARCH=amd64   $BUILDDIR/binary" \
+    "GOOS=linux GOARCH=arm     $BUILDDIR/binary" \
+    "GOOS=linux GOARCH=ppc64le $BUILDDIR/binary" \
+    "GOOS=linux GOARCH=s390x   $BUILDDIR/binary" \
+)
+
+# Outside of circleCI run all at once. On circleCI run two at a time because
+# each container has access to two cores.
+group=${CROSS_GROUP-"all"}
+
+if [ "$group" == "all" ]; then
+
+    echo "Building binaries for all platforms"
+    parallel ::: "${jobs[@]}"
+    exit 0
+
+fi
+
+declare -i start="$group*2"
+parallel ::: "${jobs[@]:$start:2}"
diff --git a/cli/scripts/build/dynbinary b/cli/scripts/build/dynbinary
new file mode 100755
index 00000000..3c32ed34
--- /dev/null
+++ b/cli/scripts/build/dynbinary
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+#
+# Build a dynamically linked binary for the host OS/ARCH
+#
+
+set -eu -o pipefail
+
+source ./scripts/build/.variables
+
+echo "Building dynamically linked $TARGET"
+export CGO_ENABLED=1
+go build -o "${TARGET}" -tags pkcs11 --ldflags "${LDFLAGS}" "${SOURCE}"
+
+ln -sf "$(basename "${TARGET}")" build/docker
diff --git a/cli/scripts/build/osx b/cli/scripts/build/osx
new file mode 100755
index 00000000..a5e7d943
--- /dev/null
+++ b/cli/scripts/build/osx
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+#
+# Build an osx binary from linux
+#
+
+set -eu -o pipefail
+
+source ./scripts/build/.variables
+
+export CGO_ENABLED=1
+export GOOS=darwin
+export GOARCH=amd64
+export CC=o64-clang
+export LDFLAGS="$LDFLAGS -linkmode external -s"
+export LDFLAGS_STATIC_DOCKER='-extld='${CC}
+
+# Override TARGET
+TARGET="build/docker-$GOOS-$GOARCH"
+
+echo "Building $TARGET"
+go build -o "${TARGET}" -tags pkcs11 --ldflags "${LDFLAGS}" "${SOURCE}"
diff --git a/cli/scripts/build/windows b/cli/scripts/build/windows
new file mode 100755
index 00000000..ea26ab1e
--- /dev/null
+++ b/cli/scripts/build/windows
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+#
+# Build a windows binary from linux
+#
+
+set -eu -o pipefail
+
+source ./scripts/build/.variables
+
+export CC=x86_64-w64-mingw32-gcc
+export CGO_ENABLED=1
+export GOOS=windows
+export GOARCH=amd64
+
+# Override TARGET
+TARGET="build/docker-$GOOS-$GOARCH"
+
+echo "Generating windows resources"
+go generate ./cli/winresources
+
+echo "Building $TARGET"
+# TODO: -tags pkcs11
+go build -o "${TARGET}" --ldflags "${LDFLAGS}" "${SOURCE}"
diff --git a/cli/scripts/docs/generate-authors.sh b/cli/scripts/docs/generate-authors.sh
new file mode 100755
index 00000000..620897d3
--- /dev/null
+++ b/cli/scripts/docs/generate-authors.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -e
+
+cd "$(dirname "$(readlink -f "${BASH_SOURCE[*]}")")/../.."
+
+# see also ".mailmap" for how email addresses and names are deduplicated
+
+{
+	cat <<-'EOH'
+	# This file lists all individuals having contributed content to the repository.
+	# For how it is generated, see `scripts/docs/generate-authors.sh`.
+	EOH
+	echo
+	git log --format='%aN <%aE>' | LC_ALL=C.UTF-8 sort -uf
+} > AUTHORS
diff --git a/cli/scripts/docs/generate-man.sh b/cli/scripts/docs/generate-man.sh
new file mode 100755
index 00000000..7412e5ba
--- /dev/null
+++ b/cli/scripts/docs/generate-man.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Generate man pages for docker/cli
+set -eu -o pipefail
+
+mkdir -p ./man/man1
+
+go install ./vendor/github.com/cpuguy83/go-md2man
+
+# Generate man pages from cobra commands
+go build -o /tmp/gen-manpages github.com/docker/cli/man
+/tmp/gen-manpages --root "$(pwd)" --target "$(pwd)/man/man1"
+
+# Generate legacy pages from markdown
+./man/md2man-all.sh -q
diff --git a/cli/scripts/docs/generate-yaml.sh b/cli/scripts/docs/generate-yaml.sh
new file mode 100755
index 00000000..2a7b0a89
--- /dev/null
+++ b/cli/scripts/docs/generate-yaml.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# Generate yaml for docker/cli reference docs
+set -eu -o pipefail
+
+mkdir -p docs/yaml/gen
+
+go build -o build/yaml-docs-generator github.com/docker/cli/docs/yaml
+build/yaml-docs-generator --root "$(pwd)" --target "$(pwd)/docs/yaml/gen"
diff --git a/cli/scripts/gen/windows-resources b/cli/scripts/gen/windows-resources
new file mode 100755
index 00000000..14b45e08
--- /dev/null
+++ b/cli/scripts/gen/windows-resources
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+#
+# Compile the Windows resources into the sources
+#
+
+set -eu -o pipefail
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+# shellcheck source=/go/src/github.com/docker/cli/scripts/build/.variables
+source $SCRIPTDIR/../build/.variables
+
+RESOURCES=$SCRIPTDIR/../winresources
+
+TEMPDIR=$(mktemp -d)
+trap 'rm -rf $TEMPDIR' EXIT
+
+if [ "$(go env GOHOSTOS)" == "windows" ]; then
+	WINDRES=windres
+else
+	# Cross compiling
+	WINDRES=x86_64-w64-mingw32-windres
+fi
+
+# Generate a Windows file version of the form major,minor,patch,build (with any part optional)
+VERSION_QUAD=$(echo -n "$VERSION" | sed -re 's/^([0-9.]*).*$/\1/' | tr . ,)
+
+# Pass version and commit information into the resource compiler
+defs=
+[ ! -z "$VERSION" ]      && defs+=( "-D DOCKER_VERSION=\"$VERSION\"")
+[ ! -z "$VERSION_QUAD" ] && defs+=( "-D DOCKER_VERSION_QUAD=$VERSION_QUAD")
+[ ! -z "$GITCOMMIT" ]    && defs+=( "-D DOCKER_COMMIT=\"$GITCOMMIT\"")
+
+function makeres {
+	"$WINDRES" \
+		-i "$RESOURCES/$1" \
+		-o "$3" \
+		-F "$2" \
+		--use-temp-file \
+		-I "$TEMPDIR" \
+		${defs[*]}
+}
+
+makeres docker.rc pe-x86-64 rsrc_amd64.syso
+makeres docker.rc pe-i386   rsrc_386.syso
diff --git a/cli/scripts/make.ps1 b/cli/scripts/make.ps1
new file mode 100644
index 00000000..bb875b59
--- /dev/null
+++ b/cli/scripts/make.ps1
@@ -0,0 +1,172 @@
+<#
+.NOTES
+    Summary: Windows native build script.
+
+             It does however provided the minimum necessary to support parts of local Windows
+             development and Windows to Windows CI.
+
+             Usage Examples (run from repo root):
+                "scripts/make.ps1 -Client" to build docker.exe client 64-bit binary (remote repo)
+                "scripts/make.ps1 -TestUnit" to run unit tests
+                "scripts/make.ps1 -Daemon -TestUnit" to build the daemon and run unit tests
+                "scripts/make.ps1 -All" to run everything this script knows about that can run in a container
+                "scripts/make.ps1" to build the daemon binary (same as -Daemon)
+                "scripts/make.ps1 -Binary" shortcut to -Client and -Daemon
+
+.PARAMETER Binary
+     Builds the client and daemon binaries. A convenient shortcut to `make.ps1 -Client -Daemon`.
+
+.PARAMETER Race
+     Use -race in go build and go test.
+
+.PARAMETER Noisy
+     Use -v in go build.
+
+.PARAMETER ForceBuildAll
+     Use -a in go build.
+
+.PARAMETER NoOpt
+     Use -gcflags -N -l in go build to disable optimisation (can aide debugging).
+
+.PARAMETER CommitSuffix
+     Adds a custom string to be appended to the commit ID (spaces are stripped).
+
+.PARAMETER TestUnit
+     Runs unit tests.
+
+.PARAMETER All
+     Runs everything this script knows about that can run in a container.
+
+
+TODO
+- Unify the head commit
+- Add golint and other checks (swagger maybe?)
+
+#>
+
+
+param(
+    [Parameter(Mandatory=$False)][switch]$Binary,
+    [Parameter(Mandatory=$False)][switch]$Race,
+    [Parameter(Mandatory=$False)][switch]$Noisy,
+    [Parameter(Mandatory=$False)][switch]$ForceBuildAll,
+    [Parameter(Mandatory=$False)][switch]$NoOpt,
+    [Parameter(Mandatory=$False)][switch]$TestUnit,
+    [Parameter(Mandatory=$False)][switch]$All
+)
+
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+$pushed=$False  # To restore the directory if we have temporarily pushed to one.
+
+# Build a binary (client or daemon)
+Function Execute-Build($additionalBuildTags, $directory) {
+    # Generate the build flags
+    $buildTags = "autogen"
+    if ($Noisy)                     { $verboseParm=" -v" }
+    if ($Race)                      { Write-Warning "Using race detector"; $raceParm=" -race"}
+    if ($ForceBuildAll)             { $allParm=" -a" }
+    if ($NoOpt)                     { $optParm=" -gcflags "+""""+"-N -l"+"""" }
+    if ($additionalBuildTags -ne "") { $buildTags += $(" " + $additionalBuildTags) }
+
+    # Do the go build in the appropriate directory
+    # Note -linkmode=internal is required to be able to debug on Windows.
+    # https://github.com/golang/go/issues/14319#issuecomment-189576638
+    Write-Host "INFO: Building..."
+    Push-Location $root\cmd\$directory; $global:pushed=$True
+    $buildCommand = "go build" + `
+                    $raceParm + `
+                    $verboseParm + `
+                    $allParm + `
+                    $optParm + `
+                    " -tags """ + $buildTags + """" + `
+                    " -ldflags """ + "-linkmode=internal" + """" + `
+                    " -o $root\build\"+$directory+".exe"
+    Invoke-Expression $buildCommand
+    if ($LASTEXITCODE -ne 0) { Throw "Failed to compile" }
+    Pop-Location; $global:pushed=$False
+}
+
+# Run the unit tests
+Function Run-UnitTests() {
+    Write-Host "INFO: Running unit tests..."
+    $testPath="./..."
+    $goListCommand = "go list -e -f '{{if ne .Name """ + '\"github.com/docker/cli\"' + """}}{{.ImportPath}}{{end}}' $testPath"
+    $pkgList = $(Invoke-Expression $goListCommand)
+    if ($LASTEXITCODE -ne 0) { Throw "go list for unit tests failed" }
+    $pkgList = $pkgList | Select-String -Pattern "github.com/docker/cli"
+    $pkgList = $pkgList | Select-String -NotMatch "github.com/docker/cli/vendor"
+    $pkgList = $pkgList | Select-String -NotMatch "github.com/docker/cli/man"
+    $pkgList = $pkgList | Select-String -NotMatch "github.com/docker/cli/e2e"
+    $pkgList = $pkgList -replace "`r`n", " "
+    $goTestCommand = "go test" + $raceParm + " -cover -ldflags -w -tags """ + "autogen" + """ -a """ + "-test.timeout=10m" + """ $pkgList"
+    Invoke-Expression $goTestCommand
+    if ($LASTEXITCODE -ne 0) { Throw "Unit tests failed" }
+}
+
+# Start of main code.
+Try {
+    Write-Host -ForegroundColor Cyan "INFO: make.ps1 starting at $(Get-Date)"
+
+    # Get to the root of the repo
+    $root = $(Split-Path $MyInvocation.MyCommand.Definition -Parent | Split-Path -Parent)
+    Push-Location $root
+
+    # Handle the "-All" shortcut to turn on all things we can handle.
+    # Note we expressly only include the items which can run in a container - the validations tests cannot
+    # as they require the .git directory which is excluded from the image by .dockerignore
+    if ($All) { $Client=$True; $TestUnit=$True }
+
+    # Handle the "-Binary" shortcut to build both client and daemon.
+    if ($Binary) { $Client = $True; }
+
+    # Verify git is installed
+    if ($(Get-Command git -ErrorAction SilentlyContinue) -eq $nil) { Throw "Git does not appear to be installed" }
+
+    # Verify go is installed
+    if ($(Get-Command go -ErrorAction SilentlyContinue) -eq $nil) { Throw "GoLang does not appear to be installed" }
+
+    # Build the binaries
+    if ($Client) {
+        # Create the build directory if it doesn't exist
+        if (-not (Test-Path ".\build")) { New-Item ".\build" -ItemType Directory | Out-Null }
+
+        # Perform the actual build
+        Execute-Build "" "docker"
+    }
+
+    # Run unit tests
+    if ($TestUnit) { Run-UnitTests }
+
+    # Gratuitous ASCII art.
+    if ($Client) {
+        Write-Host
+        Write-Host -ForegroundColor Green " ________   ____  __."
+        Write-Host -ForegroundColor Green " \_____  \ `|    `|/ _`|"
+        Write-Host -ForegroundColor Green " /   `|   \`|      `<"
+        Write-Host -ForegroundColor Green " /    `|    \    `|  \"
+        Write-Host -ForegroundColor Green " \_______  /____`|__ \"
+        Write-Host -ForegroundColor Green "         \/        \/"
+        Write-Host
+    }
+}
+Catch [Exception] {
+    Write-Host -ForegroundColor Red ("`nERROR: make.ps1 failed:`n$_")
+
+    # More gratuitous ASCII art.
+    Write-Host
+    Write-Host -ForegroundColor Red  "___________      .__.__             .___"
+    Write-Host -ForegroundColor Red  "\_   _____/____  `|__`|  `|   ____   __`| _/"
+    Write-Host -ForegroundColor Red  " `|    __) \__  \ `|  `|  `| _/ __ \ / __ `| "
+    Write-Host -ForegroundColor Red  " `|     \   / __ \`|  `|  `|_\  ___// /_/ `| "
+    Write-Host -ForegroundColor Red  " \___  /  (____  /__`|____/\___  `>____ `| "
+    Write-Host -ForegroundColor Red  "     \/        \/             \/     \/ "
+    Write-Host
+
+    Throw $_
+}
+Finally {
+    Pop-Location # As we pushed to the root of the repo as the very first thing
+    if ($global:pushed) { Pop-Location }
+    Write-Host -ForegroundColor Cyan "INFO: make.ps1 ended at $(Get-Date)"
+}
diff --git a/cli/scripts/test/e2e/entry b/cli/scripts/test/e2e/entry
new file mode 100755
index 00000000..bbd1d3dd
--- /dev/null
+++ b/cli/scripts/test/e2e/entry
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+if [[ -n "${REMOTE_DAEMON-}" ]]; then
+  # Run tests against a remote daemon.
+  ./scripts/test/e2e/run fetch-images
+  ./scripts/test/e2e/run test "${DOCKER_HOST-}"
+else
+  # Run tests against dind.
+  ./scripts/test/e2e/wrapper
+fi
diff --git a/cli/scripts/test/e2e/load-image b/cli/scripts/test/e2e/load-image
new file mode 100755
index 00000000..8aa56489
--- /dev/null
+++ b/cli/scripts/test/e2e/load-image
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# Fetch images used for e2e testing
+set -eu -o pipefail
+
+alpine_src=alpine@sha256:f006ecbb824d87947d0b51ab8488634bf69fe4094959d935c0c103f4820a417d
+alpine_dest=registry:5000/alpine:3.6
+
+busybox_src=busybox@sha256:3e8fa85ddfef1af9ca85a5cfb714148956984e02f00bec3f7f49d3925a91e0e7
+busybox_dest=registry:5000/busybox:1.27.2
+
+function fetch_tag_image {
+    local src=$1
+    local dest=$2
+    docker pull "$src"
+    docker tag "$src" "$dest"
+}
+
+function push_image {
+  local img=$1
+  docker push "$img"
+}
+
+cmd=${1-}
+case "$cmd" in
+    alpine)
+        fetch_tag_image "$alpine_src" "$alpine_dest"
+        push_image "$alpine_dest"
+        exit
+        ;;
+    busybox)
+        fetch_tag_image "$busybox_src" "$busybox_dest"
+        push_image "$busybox_dest"
+        exit
+        ;;
+    all|"")
+        fetch_tag_image "$alpine_src" "$alpine_dest"
+        push_image "$alpine_dest"
+        fetch_tag_image "$busybox_src" "$busybox_dest"
+        push_image "$busybox_dest"
+        exit
+        ;;
+    fetch-only)
+        fetch_tag_image "$alpine_src" "$alpine_dest"
+        fetch_tag_image "$busybox_src" "$busybox_dest"
+        exit
+        ;;
+    *)
+        echo "Unknown command: $cmd"
+        echo "Usage:"
+        echo "    $0 [alpine | busybox | all | fetch-only]"
+        exit 1
+        ;;
+esac
diff --git a/cli/scripts/test/e2e/run b/cli/scripts/test/e2e/run
new file mode 100755
index 00000000..84e85620
--- /dev/null
+++ b/cli/scripts/test/e2e/run
@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+# Run integration tests against the latest docker-ce dind
+set -eu -o pipefail
+
+function container_ip {
+    local cid=$1
+    local network=$2
+    docker inspect \
+        -f "{{.NetworkSettings.Networks.${network}.IPAddress}}" "$cid"
+}
+
+function fetch_images {
+    ./scripts/test/e2e/load-image fetch-only
+}
+
+function setup {
+    local project=$1
+    COMPOSE_PROJECT_NAME=$1 COMPOSE_FILE=$2 docker-compose up --build -d >&2
+
+    local network="${project}_default"
+    # TODO: only run if inside a container
+    docker network connect "$network" "$(hostname)"
+
+    engine_ip="$(container_ip "${project}_engine_1" "$network")"
+    engine_host="tcp://$engine_ip:2375"
+    (
+        export DOCKER_HOST="$engine_host"
+        timeout 200 ./scripts/test/e2e/wait-on-daemon
+        ./scripts/test/e2e/load-image
+        is_swarm_enabled || docker swarm init
+    ) >&2
+    echo "$engine_host"
+}
+
+function is_swarm_enabled {
+    docker info 2> /dev/null | grep -q 'Swarm: active'
+}
+
+function cleanup {
+    local project=$1
+    local network="${project}_default"
+    docker network disconnect "$network" "$(hostname)"
+    COMPOSE_PROJECT_NAME=$1 COMPOSE_FILE=$2 docker-compose down -v --rmi local >&2
+}
+
+function runtests {
+    local engine_host=$1
+
+    # shellcheck disable=SC2086
+    env -i \
+        TEST_DOCKER_HOST="$engine_host" \
+        TEST_DOCKER_CERT_PATH="${DOCKER_CERT_PATH-}" \
+        TEST_KUBECONFIG="${KUBECONFIG-}" \
+        TEST_REMOTE_DAEMON="${REMOTE_DAEMON-}" \
+        TEST_SKIP_PLUGIN_TESTS="${SKIP_PLUGIN_TESTS-}" \
+        GOPATH="$GOPATH" \
+        PATH="$PWD/build/" \
+        "$(which go)" test -v ./e2e/... ${TESTFLAGS-}
+}
+
+export unique_id="${E2E_UNIQUE_ID:-cliendtoendsuite}"
+compose_env_file=./e2e/compose-env.yaml
+
+cmd=${1-}
+
+case "$cmd" in
+    setup)
+        setup "$unique_id" "$compose_env_file"
+        exit
+        ;;
+    cleanup)
+        cleanup "$unique_id" "$compose_env_file"
+        exit
+        ;;
+    fetch-images)
+        fetch_images
+        exit
+        ;;
+    test)
+        engine_host=${2-}
+        if [[ -z "${engine_host}" ]]; then
+            echo "missing parameter docker engine host"
+            echo "Usage: $0 test ENGINE_HOST"
+            exit 3
+        fi
+        runtests "$engine_host"
+        ;;
+    run|"")
+        engine_host="$(setup "$unique_id" "$compose_env_file")"
+        testexit=0
+        runtests "$engine_host" || testexit=$?
+        cleanup "$unique_id" "$compose_env_file"
+        exit $testexit
+        ;;
+    shell)
+        $SHELL
+        ;;
+    *)
+        echo "Unknown command: $cmd"
+        echo "Usage: "
+        echo "    $0 [setup | cleanup | test | run] [engine_host]"
+        exit 1
+        ;;
+esac
diff --git a/cli/scripts/test/e2e/wait-on-daemon b/cli/scripts/test/e2e/wait-on-daemon
new file mode 100755
index 00000000..d1dd5c39
--- /dev/null
+++ b/cli/scripts/test/e2e/wait-on-daemon
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+echo "Waiting for docker daemon to become available at $DOCKER_HOST"
+while ! docker version > /dev/null; do
+    sleep 0.3
+done
+
+docker version
diff --git a/cli/scripts/test/e2e/wrapper b/cli/scripts/test/e2e/wrapper
new file mode 100755
index 00000000..3d1f7a1c
--- /dev/null
+++ b/cli/scripts/test/e2e/wrapper
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Setup, run and teardown e2e test suite in containers.
+set -eu -o pipefail
+
+engine_host=$(./scripts/test/e2e/run setup)
+testexit=0
+
+
+test_cmd="test"
+if [[ -n "${TEST_DEBUG-}" ]]; then
+    test_cmd="shell"
+fi
+
+./scripts/test/e2e/run "$test_cmd" "$engine_host" || testexit="$?"
+
+./scripts/test/e2e/run cleanup
+exit "$testexit"
diff --git a/cli/scripts/test/unit b/cli/scripts/test/unit
new file mode 100755
index 00000000..7eb82d0f
--- /dev/null
+++ b/cli/scripts/test/unit
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+go test -v "$@"
diff --git a/cli/scripts/test/unit-with-coverage b/cli/scripts/test/unit-with-coverage
new file mode 100755
index 00000000..a8dbed26
--- /dev/null
+++ b/cli/scripts/test/unit-with-coverage
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -eu -o pipefail
+
+# install test dependencies once before running tests for each package. This
+# reduces the runtime from 200s down to 23s
+go test -i "$@"
+
+for pkg in "$@"; do
+    ./scripts/test/unit \
+        -cover \
+        -coverprofile=profile.out \
+        -covermode=atomic \
+        "${pkg}"
+
+    if test -f profile.out; then
+        cat profile.out >> coverage.txt
+        rm profile.out
+    fi
+done
diff --git a/cli/scripts/validate/check-git-diff b/cli/scripts/validate/check-git-diff
new file mode 100755
index 00000000..333fc62f
--- /dev/null
+++ b/cli/scripts/validate/check-git-diff
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -eu
+
+DIFF_PATH=$1
+DIFF=$(git status --porcelain -- "$DIFF_PATH")
+
+if [ "$DIFF" ]; then
+    echo
+    echo "These files were changed:"
+    echo
+    echo "$DIFF"
+    echo
+    exit 1
+else
+    echo "$DIFF_PATH is correct"
+fi;
diff --git a/cli/scripts/validate/shellcheck b/cli/scripts/validate/shellcheck
new file mode 100755
index 00000000..63cedf13
--- /dev/null
+++ b/cli/scripts/validate/shellcheck
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+shellcheck contrib/completion/bash/docker
+find scripts/ -type f | grep -v scripts/winresources | grep -v '.*.ps1' | xargs shellcheck
diff --git a/cli/scripts/warn-outside-container b/cli/scripts/warn-outside-container
new file mode 100755
index 00000000..cb11b8fa
--- /dev/null
+++ b/cli/scripts/warn-outside-container
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -eu
+
+target="${1:-}"
+
+if [[ -z "${DISABLE_WARN_OUTSIDE_CONTAINER:-}" ]]; then
+    (
+        echo
+        echo
+        echo "WARNING: you are not in a container."
+        echo "Use \"make -f docker.Makefile $target\" or set"
+        echo "DISABLE_WARN_OUTSIDE_CONTAINER=1 to disable this warning."
+        echo
+        echo "Press Ctrl+C now to abort."
+        echo
+    ) >&2
+    sleep 10
+fi
diff --git a/cli/scripts/winresources/common.rc b/cli/scripts/winresources/common.rc
new file mode 100644
index 00000000..000fb353
--- /dev/null
+++ b/cli/scripts/winresources/common.rc
@@ -0,0 +1,38 @@
+// Application icon
+1 ICON "docker.ico"
+
+// Windows executable manifest
+1 24 /* RT_MANIFEST */ "docker.exe.manifest"
+
+// Version information
+1 VERSIONINFO
+
+#ifdef DOCKER_VERSION_QUAD
+FILEVERSION     DOCKER_VERSION_QUAD
+PRODUCTVERSION  DOCKER_VERSION_QUAD
+#endif
+
+BEGIN
+  BLOCK "StringFileInfo"
+  BEGIN
+    BLOCK "000004B0"
+    BEGIN
+      VALUE "ProductName", DOCKER_NAME
+
+#ifdef DOCKER_VERSION
+      VALUE "FileVersion", DOCKER_VERSION
+      VALUE "ProductVersion", DOCKER_VERSION
+#endif
+
+#ifdef DOCKER_COMMIT
+      VALUE "OriginalFileName", DOCKER_COMMIT
+#endif
+
+    END
+  END
+
+  BLOCK "VarFileInfo"
+  BEGIN
+    VALUE "Translation", 0x0000, 0x04B0
+  END
+END
diff --git a/cli/scripts/winresources/docker.exe.manifest b/cli/scripts/winresources/docker.exe.manifest
new file mode 100644
index 00000000..674bc942
--- /dev/null
+++ b/cli/scripts/winresources/docker.exe.manifest
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <description>Docker</description>
+    <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
+        <application> 
+            <!-- Windows 10 -->
+            <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
+            <!-- Windows 8.1 -->
+            <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
+            <!-- Windows Vista -->
+            <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
+            <!-- Windows 7 -->
+            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
+            <!-- Windows 8 -->
+            <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
+        </application> 
+    </compatibility>
+</assembly>
\ No newline at end of file
diff --git a/cli/scripts/winresources/docker.ico b/cli/scripts/winresources/docker.ico
new file mode 100644
index 0000000000000000000000000000000000000000..c6506ec8dbd8e295d98a084412e9d2c358a6ba39
GIT binary patch
literal 370070
zcmeEP2Y405+TL?c0%F4sD!rrFr6_v!{$4AJ1?*S7-fQo@E1)91i}a!b(rX$m0Ro|S
zl8_#Huc9K5%>TY~c9PA>Nlzf<JJ0iGW_NaHXWy^PH?y-F%W_$jEdE?p9ji&50P7Xx
zJ9f0U&vIG4vG2}1?d|`wtdJ&w*7etWx5qcMtmHQWtvYq=?F%gHhrWT<1xQ)nYXO#Z
z?azT$6V!<vmgV;D=cZ+$P=3OIFdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F
z1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^
zFdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o
z2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|l
zfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!
z3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit
z!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynX
zAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F
z1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^
zFdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o
z2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fi>m^YzX_0Ys1`^UF*YMa1~pn
zQjstq44g3rHUvNJ**NcYPxRuB0h?D14oKMWTR>{++JN8Fl)E5}8uGT~8vB{$p7Fiq
z3GHSD%<W|b%<p3bEa+ziME+=b7XM^<q6S&+rGqW;9R(p)jui%q$UyXhk6dwUhP#qu
zXS(B-_wdB6>>rR6Jw0Ie?|buO<F2ROmb;r}1&q4R3LM|wsx+#V71+~b1-xfjo|`LM
z?ltT3Z`0GiwOnD{y}lv5uN4r{&+@=exZy8c3kO)PC4=%`R}pEE(}jU@%RubnuibI0
ze+o=anD5EyCKvUz0#=S`boIKR$L`q}{$ab=WxbzH*f{>Fq?qadi(lEl=jLTyr^ZHo
z7akkcdFke*UDm`d?HV1stb2UylFl*Mw>EBh&(-lO`z&8Q{gHVQeLchH_qMvv>*e}n
zb`R@6u;-^>-%l(WU_HF#C+qHIL#^iPMp?BEg<AnRwa4tA{Eg*?PY8@0Xayi%$d8XQ
zr%EaeR7eIkFYn<_ikaa~-W=>n-W;06W+I1Ne$J)^pInx>VeC~g3qScfHtL7TiJK;c
zro@FsC2sibAoeS4E1a*A<HA%*e7H(UT&Pl$76FkCEW-W;YD>y8wPnjH6}NVbS~}?=
zHMiddDy*BO!n(Tvrj~*aP;+{E0bihiKd`-Zc6VzT(lGdjX$$&WgBJa0y}Pi#)e_s)
zR*keSKCsZL<SW2goppTRL7nb-y)F0Rff6J5awOXolY!04dwUYrkIm>)V-|m<$Jfyd
z-o1A7ioUNV$IkjTe$BAx#ElbAr6kOUZO^qaPo*S8*tWem9d>>)HF4pIl*EV=DGA}g
zd>)^cf%v&;h$Yguq%KQO*f=45`IJY~X7>zC3+`;Cg?6>lVDqPJoJ4xU#!1WtoC4B;
z4BvpVY<c*EG}!jO@IKZO_=@i6|6fPk&~Ehzs}?1@d}vmiM;&gA9Ri~yKB$<AUxDvB
z4mO{fvcj|XxN@xzc|zO!hS|?wl(cC|^SD+02PSTsvIhP5!KBz(u<>xOjiWzj9ySk~
zj(}}PoWwS5JlzJ$;2-ocJkEi*xoS)D61{KjocGk+{+Fnb&USy_!wp-`?DzfIHuk04
zFn)qQ!uShQrsyM#pD^(Q(w*=PD-kP9!Cc~th!YyYCtT(f|D>-i*VK-P5qe^taiEMB
zoZLvh{4lV2c^`MurtuklJ?{+T@Ou+CP3WDpX;QL|-4nuL&#+y@>4@QJ<Lt}Xk7u=M
zr+w#?k7v9vU&s5KSC3GOM%|$8KC~<BUE6*3emn>J&(`1Pa2$OBeT0r57&rJH2VbBt
z&#)aa!U*_-k1#*b+*iUO-7F8EIr#3EZDF7+G7!IZxM%mlR9EbhuDY*}jqF%Ee(i|&
zF=mfTiJN^qIev~xO~lw-_wC`Zb@uDFAIQnJ^V*MbLTVD{03y|zu(#CgUgxNgA7Jma
z`yP4r_xZK=ypA*ez{Cpl4SFmQYR@qsKKKLUhB(9rLos&v=c?h}@q&?aw-+oIVupaF
zc=l-aNh%DK1qL>+=z}@@p`PtqmU-=dafj;@H;x~H`T0Z1@p}B8o{|`W{+?rY_VJFG
zy(oFu{+8q@l^8ukEgAa{ZTF$wX!nfui@nb;Or7)t977Q1{B({P;0tyDzu?)yODjiM
z=NdV~U%0p)0dtKqe`rXNv{W(>z2IXv*5T;*b?R%Dd-Jj$EfUs^o|YUNl*V`*^K`U%
z_VLAM^TuD$_EVRu&8vs0@Ike`<NW-M@r@mx?$jA0q;dX$egH_v7~v4+2*+TY&}Qu@
zs~Uy9ezfHZ>Iz?gm|(@QtaFN`QW>OC6^eoQHN)Mh3E?_c-8BELrU~mtO-zmr{uBK?
z;`;@(dyMIev9C9F&lE8QZGY3^E^1Ei^HgXT+L7mU+jCK`XJP|0caY9G1NeeC_=3Jz
zU({47uiaz3;6kk6VN6h=luT~6)G-jf@MAZg*Xg;v^+D|}k6$yiJK}uUI_y4i0sH!*
zkLjJZ?whCW<GKF2`Jci50u-L<oz8K7QEfh_^XUWl{E^Vdz!#)r955gA1y4m!w9YY#
z5YZQNhVtyd&>`t*Vqksn<1UWzdAZ-(S?-u6ou0xNe=DEUd*l2PwtLg>rz}_N=6wvi
zcYB|~m7cMFPPSdp{bml4_h({)&F}+XE*s{3o;c=RtWCxmBg6?351c0bugI6#IPW#r
z#<{O*+h055!J6@_hfT!#J=#6S^&H>x*?ck0>E%=p$NRAT_2FN5pTBp{*Yo^>+Fofp
zUdIGx?hs>u!+1u}W9bm95%rPpAn=(1)*p!<sK^Fdg7+R1)fMx4y|jKsFYfec!ul}>
z>{uVRUqa)1UmsxGKF9lE-79(5@SeVBd!@lA=$L@<0DS@04;{fcU@-hZUA4nIM}T=m
zJ}(eIP=dBl(W;JH(M|XHk^QYISku!xDK-et@vuHGF`Vml3cgOKFz0Z*k7s<FR}EKl
z`kY^0#`}f!DYSn+OZ57IUe*!x|9zJav96?U;+<x`kECT*(R5Yrw|E(dj_jcIXyd#O
zuZ&yu(@J}sPrEPiSU(xh4!z*ofpEO@GhIatuIHWS@98nm&9bE?PUak%FTC&lWITf}
zto@ai^JxEken9Y<!6D8MtQcZlKrNW?1?C1YPguMfA+=Q$24L@cet*-VFIwXHezG0!
z^Lbve+P<-K)N98Q5o$})0<|q=vD&d^iQ2VwiQ2nolft_L3i_-T4GvV1gWWk|(IB@X
z7XIW`3kJGX!~nON-`}O?_jRecy<Pe}KjR~q8Xw`@SH|-60~{N8*A(@#67X$;XQ`(l
zT`U)Tf*bLHUXxW(bXV@P@C;y$KEAyXtZhGfaffFUqo*Ik93SI-KGQ3Pc;EEvSgWt?
zJW}o48l`q`U!nHxTCEQ5U8fH1+n^5b--vXb`u#|<+7UBSMGX%CJQ?W{<el)Au{=BU
zal>%DjmRM$?IRZa=vLwV-D+MR_y#<8=USW$e_%g@D?`3O`vJ6H`vHsr=HY$A>!=Ci
z5DUNuNGwozv#1bf;$3?eY+c(v*73cIHGC>1X%YH+zF%8-+c$lDYGOESev#U>ZJEQ?
zH>x8CqJd2sw0kc$==}$FuTU$-HAH`J!QKNiY}nXxp;L#SU>%F$6CwwDblfl>K4ETe
zuRoyuXZQr<%YZ+~cy@^O1Ha?>;1BD6vCg6bW1H_BN-R(zthwMfnH)D;_YrZchjiex
zJ*?%y8s2%F<43=*L0{ktQ)Z``eu8$-^R^~0LjS%@?ccpd+jgd{Z?bLO*nDQnzW?aq
z6t#Kbt7_3t7W(x{#b^7DSRjl4@Z%FWj$n+yu|pY)5BS_rzjJ_RhU@W7!@H;voD;xz
zjwBW+xOtT8Gg6b6>V5&=*y)rUhj;Xn7N5dAKfblW@9Ow|TPN#xc37Umclx|*{nKIh
z@DUMd7{8~%=1(2kzu^@6_*3ZDZ7{y~#`u~2eWvXn-nU*IJ(Qq!Cr?*VBhFKchq_?<
z0VQw$e*A(NPtZ?r-huvra|v9hYhr^^921zi0k$_Cw*N!iB=0&xt|i8^Lx}~-wN>Zu
z<`UNas`Vf#W@cx`{P-3}T4MARmALUYm9SyVse}z<PsXnseIkC{sN)Iie*QCl-Oqnv
z8+l+o%g3ehn_P*}(-gkvrN{FJ_N>i_;}2sz?;X?A<`L%~+?;;oV9ZJ6PaNL2@g&OA
zv-$zV{)gh##?ZE>ukZI``&nWGlp9~bbjeVR6)?Xzzn|Od3+(3&rPLSjU86L{FPIlt
ziM2w_s2Ruy;+tmT1M+7k<@%_^b-%b$;^#C-ik(?!^NN0TVxqpUyK&w-bvDd?vG#`9
z|Es-j)?>BS&TLz2-K<AzuATKrtu-?rM*fjn8^WHevtiCFb)px3UN>fG&${phb&ej2
zYqEbw<RjZ+Ms?d3GjiIFgvs;wZd(|6Xz%)k2luXt*|#ksZU4?C>d@Y`-m(9|&F~A+
z^bPa_CyyRZJh?MryjncWea8BIU)%S$ZT!Jv_yRt22=9lu0N)QRrE!6oALO&b!+1vU
zsyc4DKD^KSjG$aAx7=Kg4B+{YCmi3s59@3NOvRe=91kpFK|<tfy6)A}A3Zm2(R&Z3
zZXEK`zFjL{*qc0cz|OdFNA~YrdIJ6+{m`D3==&4YhTwbBBL`V0G44<EXM3e>pVJrU
zxBz1W_P1Pf!1=>c6c_0ELADKZgCot{ApC*M2^3Ms%i8If6UuR|s5*R$XHR(bb7Ci)
zbLpmWRW9E&?ySq#{ZgsU+Mg@cBQ}hwTyxE+v#wY>x@xnHV=inIJE8jJ2f}X2_C4IZ
zI2nAa6%aMN=_T6}C!L=d`9{0#vA;~&kuZMt^3fOkv3LmP{D%dkmo{6^t37&r!1)3^
zQ{ego&K;Jrn1Hc>nHyZOe3*4L<%IEoe)f}>%%r^RGk~=r+V(O2dmhh*r$Y7<5Eo8`
zUQ9>dFdOqli-FbH7YiiV*ou_jv)hic6g)pqTsl1P;L_m%yMaVJqhE?~@hrr{(-#j3
zn6_kSz|>{KD*d)%MCHM&Mpk}r#fVDv7Y#YL>Z)IBT$&Qr<~*g+{l*)S&sd)2L#nh~
zHazgzs9^!Iw!QiB1Dq2)GxLIZ`2bUHd;!M?^D#bPzgvo)Cu$!6dG5t?!TYGyd_Ex0
z2+O{G=XM9?8xrXM?}Y62yb$}RoZ!?~lMf%@!n}Ouni`|;xu!!sr*O{SQNsfNTt2)~
z!m{B3-QXu)TsgAJvm1Xo{|dHw{m<uVp8(&X{nL^mfpw7Q+<%7sd!GejZh+4P&<4GY
z^+CB_J0J6VC3(IXA8?I91lA+Y>E$Xdet>g>{QgiH#)7X<20=f-|N4BxocrZh_8Gwc
zwbS;s{%7k#JOhfRJ;Uz*2G|!kVb+nDHRj$qWPJO6;UIS!^qJ#wU!20elYYSc{>Sk{
zJ?VOF-!M-y?0n&hk(K)|9bT!?+EM3JC)-g&1Dj{qzis0S2U=<|p2aO0Q3XCI0Q2zJ
z9*XVaTpv_|{zAtD@LOD;%ymZeyS5y1^uau)1i`fex*x!tz_;Wb-zj(JHa_Gr@+*4`
z1b6k$^FYqMZGF-)U|zaK{hZU&rPs*$uBU}<7qstXUrx|hoB-$_OdaX8cf|gwONV<p
zA^zW`%Z3N0>-m7;XQ|EM&#Ha#!_>j8Q`Nqt(JCSGRkd`~Meqs5yhbpyO{Q(dnwqfz
z=L_fdIpcmn&k1mRg7M(6#7W*YgYsR0vS;HtwHV)-_r}yeS*<aCPvdu~^Rj!Edu`v+
z^I1k`9rjvWHo^G7#0eR(zSs5xus+vP%YUh^_9Ttd>jGCU4^y+I4OdZ-Gu6QZN$Sv!
zFtuuY<1*(1cz=e|g+F=py9kE!{K%%5kI7gs1RpRhak6zDb&3BAIVYWx{bhpz^S`Xs
zZp(wXf01qbjPY~#0lMEWaohLjL+B3>8+hmcBQe(B5i?lr*%PNaeeqxQ;J>a_58i!)
zdf={W)rW6Cu96d1sr_4KV7=fu-g$viJ};>KnooRT`~c?)`A*Uqe0Hc~Ld*ruTRYn8
z15DphHnd$@>B|7(I{kbX&v~C_j0d~VSKQBIIcHT2F~2_>&wC%n^jHU=)=X`o{`w<T
z_3HAjy64Vj>WN2gQ;$E~TBrB@-?i$?kDpgZ@V-FI-1ce_<^xX4`vN}p>(8bOvoFIB
zV6CzC1N70Se+_}|8{h*LZW?1<M17L~Z|rMTWovuyY^%~dJkPV|n)G)g^6LK=K?jXK
z7Dktge2#7ZNlV^TJGQP<|9;|5_1J?gRr|KLs&)_EqSHs)v{Vn@caw_Uv{-H5&;|ZV
zuN%nQx0I0m7Wtli+QoMcxQ2jovt^fi%$8S7m;Z9zM_??lFm8%<Hnm;8FIKi}o~^}m
z9lfpt>3eqHpJ&`pJ&VBm@n_WbX$P?XMd<&xto&TX$1YaSwEu^qz0>|5d$1MqE!3+o
zKBOLbpt)MUG+6D99e{ZX+JDA;Vwuky8Sr@l=U`8>574>-9}tpYzdM9ygEAjbM%;i|
z%dzoS{k(6Ztvk8){XAwq#-F9ahV1@7cHWcf@WDj&+J7HVZSQNYo_O>&_3-`8)!+eN
zt35kbsrg|e)%I;0Rm$>@^*cjl<yl}sIM#ju&kebzkbe9$`T-LMjHlZ7dDU{^9b&(0
zx5|iFRG4N$PqeSbxc`~__WkT*3cR+br21Rfzn=U5^-6W@&{{P+c$8{;?+vQW-8Z7o
zZ=seio~%y(m8AYS9E<k~V=zx}lb$aq%j5sNd;<Ld*B0|VWIcX6J#z!z`G9^_e;Utk
zUrG#67M#e;@4Rxt`rZ}xSU=akpU3cdw23+M(#6wKZeoD>&#1rt+^!<#j#D4M`;>bA
zsk_wA!@pO@4#(l0p%j%E^`Up{kK<2EyGqLE<+on=frW!S`klkm6bqbUAA+?bUsCr&
z?6o9i!44{78xi~KIsd4itb6&q-?o1~<Mlg#L>=OMbE&d@hb?e@PxPF2>gc{D>d#}T
zYR@iwS785Ub#V7G6}RwZy%u;0*8w`tDerkBs|c*eK22kSQ_v-aHRR9GrjW`zL#5QY
zOz-HmfAsx*ZJW>anIH9s-?%wr&-(JT+W;NgFCBG(T0ip+tOI;nZ3?+pE&sKecioSE
zPoQ+a2T)S}$czc*nK3~QK0YVkUx59(AHn+qe_&nEom743m%KY%%6tIE`+9x`?{-$l
zdY}Dve3)zB&+k{5{-mVzw5at)aXtWRf%uG%&jq+Pfb#>~U)tXVEb6`I=X}bK&kNZ{
zm*AK{`vB-wD*i8d9jd;0ucVZjL4|D&p7ZN@Kg`oUWY7EMX#4d2y6?xFQhs#o%pZe3
zp7w4~2G{zPB!~0?oWJF_$@DtUl9?aWu_XHbxjSZBfiyJptf|5pT`9V8_+}lGVXkJH
z9oyyj%%A;4S?K#q(q_tI-6j^8U2?I&N%kAiv0hYtj0t2MPzrp&GW)x(DO0U;Ap02G
z{>}Vfwz)sba8aoq_m`Epr1Z5jGZyf^Pf&nyel|Vvb8b5Njx>%nA_rRSsQOqZB=do1
z*azU7K3WENf4ePwGRJ|8{r$%O?EB}I;yM5F*e{=ndor=W9QgWTewTngfZr6|xpKI7
zE&y{+vOe$(`T)p7+dswt?}Sm_-K`UTe7E-RlwGNN-k;}lfYR5`o(Y>S=rwgLfH@vM
z<E7kl(uqRs_pTA{V}&VYxd*>txmJyk^?_%?1(<nQ$^o%hs4eH5V}HbM{NGmv)g?K;
zY;(qUJ80*{=m+%LAoTqoQST9BRQS07yr1Se-RS&wEggGB4RKXP|9{YyZ;r7)pBI<j
z=lx~d#!9u1#4`eZXMq2&pqP9>I-fP5zT;7YTsP7O4Ef?x&%<q6pLQE4sLiph<>j}i
zzx~{QkX0M=GTJ9|e$Ou;uZ06$YUv2B_Z3t$4k-5}_#Z3y{|{=m{S4Tzp5&xI+4p<j
z5$IzrP^sQA=;~n=ZyW&sQyI7zxDvPwI2Yi)D!|#mIVFYHpS|{c`m)eomEH{M>Q+Hr
z-01+*YzRhq_`pE5U~tJ|A?nWyCEbRi)Spw^i&AGvpPN&go%`7a?{+0Mr*B|3{qUzV
z`Pg?dxSLyr^sJ=E0k1rD?fLE7mYlv9(2i((v_aY;^OpcMfJ=cY#T5gfu6n==z#t$J
zI0*2273sj=!0*6e;8-z%^&Pcw<gtftIrP*cEl)i2XbbhU15Z8DLJ?1Dv_#rcJ@qKS
zw5UKmyw)?1wNTFj-s^g=!RtKnaL!=4X^XQC*2V2&Yh!NrsN3H%qy64%+wJ$$_9wAV
zw;6Ssdp75szV>?g&bYpVE6u5&b{jc3+fR<4ZHKy$YQ7!%VPsR_^x>A&bzl89dU^z9
z1Z}_x?lXGKV|~vr?6#@*IO<FTXp5|C1uzPD1Gok#_U9I;vnp@{@Cq;kI0W$eB?kCg
z_27NCsr&A}UEP20?dk!b4YnV8ptZtyOu;|c*Y<uxr`<#RmPWzB^UQrb+U8bV^Hz1=
zJ+0N<ceTbfajgeXCysgi;alKeym<Q2TVO9<aNm=_<7jU?T)!=jZ-YASy}Px#_g|<3
zbv=abN3h>q$D4ZVEliuUoTJ;HSvT9ucHe_*-;Xx1J-o*!(0;b_X-B)cuRY4LoP+kZ
zz2D2DX)o_T%QXwZGtYN&&AQ1qxnX<B)xH0^P3PHW9#2l$Msoa&%{jR@a$p(T#`d?d
z@0q-}xv#Z)1a+JCGo`*1^d5K~^{{>0R$1zD)_Vr>f8d(ozz0Ap;L_si^PTmeUe0-V
z2(zF2m`8dc@H`L#Fcu&`rvUmT`pn#L(mu|Y)4#Ak1z6Sop<Cv{#wULA@>RRPf2V=!
z@Mfd*FJEh-K7RRX^~Q78sTUq^t{#2R>mR5;1a$!CLSI^GnK7RmcpS^A>pY)!|Ma7+
z)cgN!t~$SWqZ;_tb!u#vW-6%P)hc30Q?-0lW3_Iq7n{a6QZW;}SU;|@TK#Kde7n1e
zS}?S!3hIBgn$Z0kHKNnCs?Vp_s}677q~3k8xqANbmik(}4)GAK`$!wF-^g#9o%ch%
zr2dl!-UI8T-MsX4OZD{|H>rM~U$1`Ye65<%=W4ZZSW~s~m&R)Cn8qp^ZI4FVc`w`-
zIUH@qJ&x^ijT-pn^{Ug`H>%hF-9pz(KgM=G%68&f+Q;R=tG_n#Jl0{_X*hWHu~zD>
z7n-ZD(B7UO-=KzexK{nv^%^y^@6{@Na8nfpPFJCgY%AML&e?t=hZUn6>w60saFrV0
zt(hA9&2_5l2REpXU%FX6*S=MTT-)A{{(}C*mbtTyzIiXN&<(WtVe~Z*-G5s;V04Lk
zeE^6776PHbRA3x1(awh<T@EAw?ElTVCS@JQ26D3#meHno9`lQVw}C5d8`QRF=iS&(
zTg}+V{l)cTy>|Usu3_(MjdU(x+R3(>do?Njg1Hy&V}1t^1bhPA1vCPxBMv<Om1nNe
z&;FCASPN68SSo3<bt-<MrDDgs)cP?2YQ^ZvYSGXtYDTY%)yQwJQs2CJGxWZNwtM#7
zZ6EOZZR#E6iFz}@?Z;p<_v1MD8TB^wkG4*Iqke6h*+3ndQ&0W1psxB8I2K+{9i3lK
z9hp~89h&O^j^T0KcNkzf!Q*+}@r8BO9})G`zOedg%ZvtU^Q4Aq`RFEUO3!B6FVN2z
zpTIWL7qD%4*_b&-_t`j){o%(iH;1iXqw7zc+EDEct*`!A;Jt@qXan1S*tFl-Znha^
zrp;{k{@L|a^0bE9r%mkMO#2er68l%$uerXHQ{TMdoxbV*d%W?`zuVE)Td3|I-2hv?
z2LJb@sfwN0NTp71p!S3`P``sWa^}l<M!U(q&9{*Q%Xn`*_s@vB>Mxv68SDsZpyI&y
z68N@Z9j{jJ{^wfw%9e;N@ZB}|0e}5D_wn8sliYvL?OI1(c>Lyc^g*io2lckYcRY>z
zydJ0nTmn?~XJ6P)TjX3>HK0Cl8$i3A03-n?0Hcqz3&LzWQ?q|9${zwUu7`XUd*rsi
zwv^O9$MyAC!`}W7DeukrG;=Ssb>kB_ZWsYP3S7wcA<feEgo)m{)=gvG7sO4pHpWe`
z6jE*f_;wq8fr4L9^b1?3dtiGtp#$~RR@g23xuG4d(>87T8q}}lYEt$+>^FOTa)Vlg
z<7q3@A!FkQ=G52wc8Ao5UfRGhJT5Qn!7&;*PoIx%+CS^0k8ob+5cbjEu<z~j+4bsw
zPqoy2INQgz`tt+ar(<0l^U5<V;QOxAeLC&J)J@yik883W8TXJ&+fAE!>~6cg2T>pG
z$Z*1Tjzhov9^x1iXZUL$?T0><F$0gI-{|tejcRJItI=mS(!S-WT`%jV{T>7l^f{)z
zhBt2K#W%}M`zb4)%YCfR_y%5QPsrseVsKT}=aX9M-|buIab&xPyzw8~OSJX&_3EXk
zZd5%#s;j2=x=5}0B`_W9&s8e0eTMZI^%ZGGJZ$tA@}kYtCbQ@=%bh=zbH46wpbx<Q
zkFut1IBkUcjO`CVUeD<v<uw9;T(9B0UP<TK7JxB<<^<`>fU$etgSn4g$bSdu*u}I9
z+q|bN7~l0$U03vYS55T!sqFWGG^X$aO8W!&gw5kEl{mQy<X<mC=IjRu`v3Xp&%Z(J
z&A5+oG4+)?$yk$dF!lR)=mzc6SI@YwIAQ8{>NM*=G`GI)x7e1{=?zubk5{WNUuT=W
zHe_tf=xCdJZ&fco*;4nPTM<*R-=?0M`b}EYwwroPN}s}5W@m5%6^!xCo6o_9&=$xp
z!%rFCM8EsN|C*~Qy_zY;BD8Pz&1@&zW$JWtvA2ZyHrLu0#&*<DJ7#*+@{xh+hxZy_
z4$0eo&J!@sfB(g13c82*(xdHt>vZTB`Wxt5THFK|QrD^tzk2ll68Zk!1|G~cYkLO=
z+8&wu!00vYL+6d&GsV7(0LBIJfbj!Po9SjB$8%Xnsj++Keb{Z}z3Z4ADdz`yKlEu#
zhXb`7$MJr0^kcAd9aA7}2<)NV1KR%WJhmwh!~oOIfv<1q)hp<b>8}sK|FfSt4EtIz
z^eXkvf12w#y}@5!r~6{so9;KzUli3=igG^nlWk^7J7Hf%pTM}}qnDcNc|?x8$s_yJ
z9vCAh!KP^Uj48~yMQKBR&Nc01zpDM~tOkgyuho8v;}*tKoGW<k*%m5zz}1>l9>;s4
zZELyU9`kdpk~(H@XhXyY_0+Z*Ra7cs$6vm$uI>ImPuvW<zeFWWa;YuT*r(9uU1~FJ
z-m81mKOKJ}eVuxYG)oM?efjx8j#>Iko`Ze#1DycQ>uXsf-2`Ox`}wK+Odo^xniznw
zJ?~>LpkpSa#)swkY{GDh^jhEuK>pM1l=%$%-!lDt*ncDFmA7xn&>h;94fb0c&ra*z
zOzYnP#I`KUIJTJkp2F6vZOm>nZD&tt12y1_>-Bs%eE{bTj?9CffPc_&?ipyev1R%J
z`XJ7WzVJj#{j7uYhN&|eX3Tk*{=Kk#l+1Yz;A<Nw>J7(`6T4liB8Q&C*dDg7`*^3#
z+q#ye|4D}aT})d;TBQEi*Cw#t65zZdZAX8b5NV<O%$e{7rmaZ-3DEYNu^rq`<hM=W
zRUeD=2H+3CkNtbc0b6HWX!rj<_V2I_>LKF+XRKc`x>bBWh5aSl%(%Pjhc{pjznPwo
zEG;%gKft*H&ebg)*;IY~=1poFVgknayMv35hmw&~1Ni=in3KIo$N8L3Vt;SzS#GI`
z0Y0TJ<M@2*bZ)v2+tBeak3pXEiu3{R*xNd$&h7ltQie90aZn57Z#L~W`}5mQ!z<Dj
zzzM*={bT?3nU`e5|9R<3Y3%cJYcu14eeeN1hQ44Qw;g`1G~~^=g>7L>pxa!^+L#kh
z95-&AacO>S->HL)0rcE8(jvtGPMd(8Xn%sVF7Pkgeu}Mr=e0^QkG7k6fIMS;f9(LL
zrvJ~?{^=KX%&L}e`_D-a%EJEQo*ygDdoImw%j-Vr1E@osPoh5M17;rTW9qKaReyS1
zn0>Gv^E|Co&-dkaZ@34}aTMBb8BUSr8vj#PJ7!g{5cZ#!9!q)QV<Y;2ok5qw_T73;
znR=BAjQwxMF&EJekQQ3k{n=4b?Z;o8WoaMyH2r@r^M76$?F_mC_RsNL;pH#q3U~AY
zyMnL8GXPI+wr|Q#+Ww(P&jQMlO`guSf?M<auQBp_ZLW>qH8RlYF0p^{eZ}Pa_hU|Q
zcW@0n^Y`Qx2N+#k2i?@)3_hLqQQoiRu>V@fZ^?)Kr=t%S2nW=GQ#MW_CAggi<jYSo
z4%i)B6FwjyOFv`lpmU#j9^Ibyi1K227Es=8J3sdaF7<c{>4m^XfV?y2qTkJeT^P4<
z-r4*7pU(gV6`6y*S>$hQp5wy?^a1n-Oif?m*C#Lz*b_n@5SUvWV4ejA+xG8*ZWil2
zKz?kcJRbu--N5z0KY&|-*1p&_<D&MM1AHEHxX%eHEC>JI5p>y$JA<mdwR6_xUt><F
z*Y1#-!}o^P9ScP638{TxPiP%~w$9jqK7sxqOSz5%v=0c#X+4nX|CzS1eSpLO<=G+0
zy_GozHvMLul{)?WMmvM5x84(4s~zU}e%=#OD;_b@?|bpyh}Z7*{IMA)WcUKF52&Tb
z0$ghjJNJc&0eai^U#REZWscO-*kEwZ7$8S%n|ZMZJ|C!_3#xgJM%-C!u^F!AHrFdo
zDonj4Q77A5T=hnMW4X3ZujYYG6<eKbo4J3(ZGqDu=t0mG0kH7^jNt=e+kwX-T4a$s
z+N`&sH;piM{1~yp1mF+vn29k!1KK}h0__{<1H5AazjJ~n2G{`|<ye(^S_$yjd8gh6
zU|%4>RF@Z*JfxnS8Q3t{J0?R~7w8Uj27V|czQ=jJ0R3Iq<dE|N4lb(w7SJ8&4E#_C
ze2;T_0so1f7NB(#^|!XK!|N5Mt-QxBz;_#`xN4G}eG6(-#WgwtU4X*0ljpFleS!N8
z<G4mUfSeSit=(|`$H2L)7ikuoHP<Rk3OjdgpLLlVKEVUq4mh?Tt3TK<)(Y4@<Ko&o
zgRl56;(`^JKlsy*3FrqnSCHnN6Re@14LaTjGO>Vp7Vt9LNBb^FJ8?Yc4d^GtClrLZ
zd>#v3(lHs*e*y|fw^QZ|ij(#^TGpwdRja@jHUbJrvs2~^f>ZYKVF|O&(Yk|cyl-FU
zR3X~vyvKCd|81lS_Fo6r`MZE^^SzIg_W3;x{b=9MMQm%Def}1tm$P1^B_2m_n|X-~
z&yEB4hc(C&!|a%K>Ft<17_ld`?s3}>&<C9I`T(pC$i7C%*#8RH@Vh`)pg%Aa7-?fT
z(!RjAz&k)YpgExZo#B!x_K6>G5>mvx(Iup}1GJ4NfyaR(z)ipx0PU;_Fdc{hE(g{D
z!+}cyp7%8Hke&Yzn-xE^N+sAsG_VRd57-Cv0BQq=fR})~0NT;@z^A|gpgJ%f;Ca=6
zL|_5y<PX<)*S^lpNWTNN1GRv$0NYgwNCEl)O@O_?YrypY+sgDS=3)POZVL8)C9XkV
zGZd%+uuabacLT?PmcT~<@8LpVDzFJ)+^`xL1=Iyj0DZkJ)ouL+*ZCW`2$%-s#NV?h
zy9+pKr!OI8TQ2}60J{PG9Xq5YZvUqJOyLLIuyMo(^}Kz>FP0nrp#jDaBQbx7v4I{7
z&<CXL4EC-Qgq@oH-=t<NV7Bv0`Ci*jAQGToxC_wl6|zmpGcKSnD7ILL^;Wc>(IuqD
z{uu|{0UQEo=dS>YydWJ9gxL8N$oI4J)Ki|<0$~0{?vI;!7VUpCu$0?KcLN;&4{#88
z6le<2)@bLi0sHJ@M<5?%=VOpx%shXn|2_LU)scP#q}uz3AivtqCn4VvI1ixh(5LZu
zw(nx#ZRUOKpY729;}$9NZGh_l+J8;pzrbGBk8~Wc#?CKAzCXb64v+26{ruq?V}Rp!
z{x{@9?Yu94|3cZ-0R1l0wt(S%6!QCkOYCz`tNrtu=C=cL8nAQBBUICNw`102H(~rg
z+nyi59AU$>9YK6wz_0!D88zQmBbax>>^F0U&N__mh{rjDfLl#_kk@kvW?RyNF#w(N
z`t(fuzZ?7h51<~_1l|PFSu0ZZL$mGtD&)1EBc)B<1Keuowf)CuxBtDc4cb5b!eO92
za4kSvyBv5OIKcXmjs}+5dHRq@=J~@ljQz8Hp90%}K!EXxvHxV`85>*(u>XGwxB_5X
z>DS(2-jDrr{7(PGHa!U30I*N52fP9p|3v#=&-Nf)4h#f1-r=#@FWPOT{r_#}=|6Mg
z?|zhB2eALY7T~;rvH#J?mkRsmeekDaf;mk*C)PZ!{Q%w%cpc9W_tOu+KcsJ;$@d1c
z`2eR)=a#3v6J{+7eS#TB@I2<jf%^cxz7VOz0$$M+=r8oj*Z$cLu`j3nUkSVc82isn
zf9W?`0kp52`hVL0Hvs!d+J8IX8i2M|9bo@&?0*#UdD(vrT<a5HE8qeA*?(2+r~N+x
znEt;S@;UYYeQ;eDz&1Squ>Yq`*8yGz{Mr99?Eev{4CH42?EiDJ|NBsO4M6*6`WRsB
zztr^qzRI;L_zKVO;Wug>+BWmj`j{h(;dp>!0jxdA&BhB;M!RRsVB!JhX8}#wE~JbF
zv_JA~r)>LY06Hf24{Gf3KW$#@-@mHlxEFJRdX6x4+PRlvZg81BAAos5d_x4^5%Tj)
zpfI-YJjcWaW~}f#?EY;wkoHeMkYi(|APWOx|5@h$#Qw8rN8TG)TdMopq$y`#0^47o
zY5SS$1yiP;Q<SlQ)9!uq^aJz(CLS1#{Ml@^_<+1+$0Nl4#s2fBDcO(OGQFy{{aM{D
z4{U!X)(>z^5Z4LX>jpUv;P(XU;+yo9OUeh(C(!;m7GOREFy9`MI3T;&vg{H27yHkm
z5Cz!4|4`6zKh_R?Y|sCnaN2%mz5%|+T3f$2Y}=@BKVDqhP9IQ-w}R`*d_XQT75f+a
z&qY0QEW&)hwySM3E^f3pw2oN=knwInrtN306NaCFo#*>IVukey#s>^x<6-|21LP=0
ziU0jP|C9N@T=c~h!M^ocOneVylx^!-;(lNI=Qf@R;Cr-1dM=nBpJ3($c<ifeFVZY)
z7|lIMD)uk-UvMih?=@|odGYla+y8El`*ZC3oxXrR0P_Z%3!t5vdAt1BbwQ3X_3pzp
z8uAX2$~eG}s3rcF_}`CO<htw7yk<J4-W5{wOWU?H-UoErdT#lYsb?E|=KQ^Rj%W52
zHKqL@2UyQ^-V9Rt{)iu`iv5fI`%#NLcg2peJXq_KY}<Ig`hIgPV}M=3HSyg__kP<(
zX{TJ<LqEWj$ZvdLjx*;up9gZ^7~mY<5K@T&d?f3~{<#i~Yx%hTuQtGSvS$6?MC9iH
zZeTU=BdbHoHGdBPx7qm@x!<w=*R12?yEB~tu9M~Zzb62$ujO-hzH{>?!1n^&z|R2J
z)p9Lf9N=&LZyj9kGl1)V&jLmOdQCo3uK(=}Tmo?I>@xt@3$v|UH>lST`-%Vi;aXgu
z%r><JZUVTbuOYzoiTinPNPh!1*m<^d5O6M#+xkDQpU#QD2T^t-@H=n=!1an|{ol{X
zmx}ejSnsd<evIR9#+?7(#-?-Y>wU`fJOO;iuhHYID=;7UIqWhDF!OfKzMr<u{pQ^O
z<_);d_Z%M2^A7+&1OK3Wkc!=t2tPmQm6j*c+o^BBEdbxI=bBl*+xI+>##51UExV4V
zkVXQ1?EU6EzAwnUwtxHmpNw~RU>n<k4ghU>H^BAv^#Q&&dl^9c+QB-J4hFQ%BV7mh
zd;f>;#=Q?D*zM?t{3<&ikNoEV{Q~_1*VA&{KihX6@CNff_MeXHbhoe1Hu3!*u223Q
z;QLAc22A_7{@=XU6p4H<`@CbwJJ<jJit8M++msuB<h(IJJ7-ECZ0vs+@_T?Y{{9cY
zAHsXV{C_9!w*<33@At9wjCBBx{a6>s=YcgMg8O;r<q{^j&w`EK2z&tW`F$#I6fpMe
z^a=j*T>qB@Oah(<Y605jP0BXQFFOO!DP#Y4P~U*@HclWN1k44vzatO_qyXK3-M|`v
z-``+4`!?!2^Z(<Ol7i3UdU(DgYx?~^k*BTn1o*D~bYLXFzLxLL%mw)VTvveS?E-!P
zXjAi-{+iKN^Zw63Tx%h~KC=g~9-!a)2H-mSD1biUFJKn%Bf$0z0K%Dv{kLLUvHq9u
z_tED0E-$}V!Zu9-Mg#N<Lx3=V?fV|!d(C{GfqAxbEzkqtdHQ=-tQXhd`@g*Acfe*K
z1@On;MC>00kawnhSJ-*pPHb1R>(nx1{&fHNjSyZF^L`_3n=a_s-?smn^FsSuo^8{s
zdbZBIC`<ngn>`2M|F(GycnjzN^ag&k!EXh82k?6Wj{`jREGHM(=KDZ0@9!kVPaZmD
z?4SJ)ZHD@H5;zE?1IK~=0Ckae#$%X20{mg;S<Z9*w($%vl@fCPS+Iq0fVNJ%U~K<~
zBhOel4cKp|e<9^DJeD?p1YkKae)IH7TAsMZtM+wxP1-i!Rc4#mp2K#Y`&h>P%(HE2
z0R00~-q$YJ|IKWxz5ag-uERF)`Ue2EkKY7fo<4y0VcK^Td5&RtEZfQZ;<4QBz&iQE
zHTnbOl-JCQzf(Adyz^L|LtZHZ=2roi*>#=~`{%cUc>OiMSZD1CtsUiWy`Q6>_t*Dx
zAL4)X|G_nN9Lf5UCI{+wcww(adY9LnZ>L#&3a=x-oEd;_oef+KF!m&_0vb8;4UunZ
z!{nP_n|X6AkLSB<7w}5S!RNUSEUeW4Xa+R0)2om+w)0JqHnH>E$L*^D9?RoQ{u<=#
znAXE)F9xm!8Usy%tL^+%jy(6VjK?(d$!DCmX{uYV7vCFkWuSdcXZzSTXZx6Eo7h%o
z`?!zWZ1;6Qb<<XGaRtx}Fr1M?lXvn*&dHzQ(#XIZ%T)KhrtZ_7nz29L>1lxR`vKej
z3o`dd``7UTzA4z1?f*Uerfj|p_N(9FLF)TWK;5TfKU01ykdS`<bSr{fuR=0_F~5$#
zF!y&O>=(AIzXe)Q`^OsLdVD89j}ejT_xCF#p{4Am(Z6tBzc`Q)d!c{59H_Nvs^>~?
z>aLNQ_b?Bb@+|q9C?j}YZ9sqfij?hNQ1d*X&VGEe3#fs7EpNVN&8+zv*yb_19LHtk
zxlf;mxW6*%jGZ3n!8M%MWSgCBMLV4B<FWd9?&q<lt#z<pzkkAd!KbU3IL+2ivi{Tg
zL(H!2e^=0zEn&B`e~jfb-}T8~zCjw+3-f;pw`beoQ_g5ib2|B}XxD<?2LLMpj=?#O
z<@lCkTW*`wnddQPKlA1s9utHZUF#pl*YDWlY%|{G`~b(@X0E{GIc7I`rUcJ1`~O0$
z-jZ^OhW+9iX6}I3V_SLsoZ82B`nHwx5j<YUwn%k*%ZuC*^XvP;n%`T!_FtH}|N89v
zx28@zrv`c1KJ$_@?$^qTd`jDWQ2&8V0OzjX2aW;rfUf|~&5Z>(KSrDB0?YvZ1o%v!
z&la`<{Jsz88t1E++jLw3`+d*0<t|7$C(rq}uYi@nPT+0e5Wu;|ZvoCF{s!=P`T#yt
z2x1=gujl_^|21$8&a*`UUjS?q=kEEefOgL33!IbZ9OFm8I$#&@A+QZt2JpUko}T|l
zTE6T*w6@p&Lu=l;H;ny%f$iUZ_Fr=@broZXa>Y++v%fRl9_T;E5`5;RzvGFN_R;~M
zUpN3f0&otDHd76F4bb1$L^>QW=S3sG*xV27*4RJS415HnvJ5HL;OOW7NRxmL0N3R3
z`P}0`b%6GN0q_>{uz&siU)cYZxCYyypX1y4Hb}1p=&R@-{tN8kwUGV>thV#?8T|m>
z7oRKW=l|Shd3pI^&cCSkkMTl1g_!>Za)Nk5`u_5w9DeQt`fu!Cum8jLUV!#r31F<<
z9=Hym-EnQs>%ak4g>)2P&f~g+NOK9;t+D@F$bSlK0|J5JfVN4b$pD|tUkLCy{Zqgd
z0PX*B;9chZ*neMKi+0R5JqX+YFfOPEyaMR&{~;X*thd{`9QlDj6@bT<OZ&$+KD7Pg
zJ>FIv!xwP;k9ood_+LS_cW;?~fqssOwL}^7L`JrfmLCRS2gd&OIyr39{=We@FF^Zm
z2k?0zZLK=M{@<VdGluYI|21I4p8#6{58!M6-(g=>fcF0cVEX@R$a9R~&;I-1TAZ_E
zn;rn@pJ>x{fR_P(_RrY=N1!rLZtWlTs_lRK%*zTh|F56>Vea4uYWRWKjdWe*N89C2
zd>Mc(i2eJLQiiuNXRqV+t<x`PjDGwm`*X|z<mdUHJ_a$vZv3y&TBHDLi6r(f!@7{4
zri=ZTukk<sCm7`(Gr>9^_P@rq|2)6@;hiU}r|>@mKIQrNKLOJBlZbNu6Z<b;_D^*^
zFuRFa|NpD~yg#q?|K@$a)k#yToX<MUH-nj%U-@M~?7#fkKi2-}^?K;byYCIH$M`=t
z``2@Rc;0^!{}b$=)bt%emrLAVeoa2hor(RIKl_IrYx~9j48PAY_Rnb!-~`_h#{UTV
zmWqMA#Qj+;q<n9P{g*%cHyWEbwNfRl2iR?o0sPs&cfLQQ=H%d?EVo+so@?vO3*>p9
zA+Q3ZV*lmS{{LQlhqhxp%Nt_bzwaC%w)M0AWyzDz((i)enW5Nz1+aPNEsFh@Py5IE
zA05ZzJHY?6-veU*Z(;!S`>_4c+KF3dUR;OzVBQ;a>W1XYKLcX_<<tJR;{SfBRqb_u
z4m%HbJO?zkpR{$xh1XKUcLaIA7g+waUGC7A0f+sYb-c3v*O#O+x{djNJr9UAK@ZsP
z0_yQT{6XB785isS$Gs~=-t8@;;w_eDJM7=A|J{v!9RRMc=Xb97{?Ana*V>x*f6V&Y
z5!h$Wi$UJs`#)UI`!TSE4MsW`Fzf&M{!d5XJb>RCb-w>|5w>$$|J#do*=^$cKV1LI
zcY109{{zhXKV1L6#y)l_@_dhx>zd2$`#-!_=kMtJ8?+C=cL7H5y&k;Jvp99yd3AUU
zo)gGizmu#An1?NJ{qF`~H9-5`1M~)(0DS-N4S+Uw3b+N}`?LE1zH2iP;5YB;0tvu;
zL!q%<q_+Wlr<d#h8w0-q>j1v<!}os%05<}A0NVR40N?*%+KG9*|I?iH+VB7I8-aZ9
zuo1vE(cT{d_)hYjz~=z(f$s`V12zIz0KC7SfvW-5VSGrrwgJ4mug3uRAAmJ6C-5!4
z3#7l%BDQZdwPL2wf2|itD*=3WhyA<xmIm_$0qu~-&q)ofs@I;tZu!nH?f8_PGG7p+
z<9LGhe}`@V^f`rXqq!gR{f`P^|3<s9o>$BJNcfE|yd$V%0#hbw#bp5Y#Qy(HpgYhN
z=nQlLy4iW|GyA!ZWju!YA8fF^7x2RFaPQhN*zK(Vzah@PpXdy9^U3oYA1vd3mh+q9
z&OEojh5gs0gwX$2#Wgwryq>dtCePHgmG{H8vW?6$<u=g=xQ}%r)po&rdH(H~bt&w=
zhJ44XJPTRwO&Aacgn<GwfIg6OVu8hgjQ$1vHvc~uzxPobs1SX00mUYV3j-B`0r(JY
z|42D!_zN%<m<CMr$#dTnU=lDLnC!@NAIpeP;NK(<sf>jygciw7mQ@CfjUwf@gv|f@
z*^fNu6Zt=W_-#?<4+H%FWz4huIKcVG0|4g|dG0=d<vqy<(sDijUsh!<?G^?M1F%uk
z|8p$?zaQQQs07fC9|HLQe`)ItfL8(i{2%E!U>)m0x(pZyoD1;SzV?2xe?zpS!aylx
z0JiG1f7-nMb~jSy+W^-A{J(#-ftLaOePX1(_WvXH(Qoir{ryj*V*jO3=F%i#z%T$C
z^|gQY|D0bm_J2L{jP2_Hw12%m5h?9ofBzRL`+wU1Spbg}`!@tjDh!lj24JiH?B9j`
zwEqVH_W${{|H}5UV*jOB=F&7_z%T%N75g`2NGc3eFb2f_E11CLc7*{417iOUG9)Vu
zR4@j_{wtWk<#vSu2LodN4l*Pw3{)@%#QrOoz~y#@0S5zO{|+)FD-2XH2E_g=n84+B
zg#iZxV*d^@Br6P5Fb4eCe?RQwI)1MIYYXuGAFlu7`#-M%`$-Yf-+&EvemU|#0et^Q
z*8f&89g^EEy9~fyo$LSj{$F?7rcWZz^}p8uzXR2P=YZ{YIoJQ|?-L_k1eo`Rjv+7W
zf6J~)NXsh_1F%*7jSi$&0(_r81>iS8*#9pDBJBKZr2MupkC_Z?1^7(>e*1&p2;h0s
z0G_A6|A|!I|EoZ{B)3}j7=VqM{{J%MR{*r*T|hKI8{cl{cOu;a!~%POL}0U>k3-7;
zH?R%haUYTir1JfrvZoT#;tI$BZ581E1>twV&Ic|As@gF53$V>&SkB{2-g(|7*nf5f
zq)={I7!U@80bxKGD3c7J-{yP&j01`aJ*Fs=BuJx$0bxKG5C((+VL%uV2801&Ko}4P
zgaKhd7!U@80bxKG5C((+VL%uV2801&Ko}4PgaKhd7!U@80bxKG5C((+VL%uV2801&
zKo}4PgaKhd7!U@80bxKG5C((+VL%uV2801&Ko}4PgaKhd7!U@80bxKG5C((+VL%uV
z2801&Ko}4PgaKhd7!U@80bxKG5C((+VL%uV2801&Ko}4PgaKhd7!U@80bxKG5C((+
zVL%uV2801&Ko}4PgaKhd7!U@80bxKG5C((+VL%uV2801&Ko}4PgaKhd7!U@80bxKG
z5C((+VL%uV2801&Ko}4PgaKhd7!U@80bxKG5C((+VL%uV2801&Ko}4PgaKhd7!U@8
z0bxKG5C((+VL%uV2801&Ko}4PgaKio%rT(kCkzM!!hkR!3<v|lfG|*D8A!D{<aX~1
z5ZqSI`GDg(_N|@c0UdR@l~egCZ?RQ1hXW4V<vCSgS8rMVTaa!}w>*9?;BCD=sDr-)
zQZvr?e}M&=<$gKJEVlgJL1y!C;2qf;;Ao!ZkD?5AcpX0tNacR>b7il8fhp5zhinIQ
z%u-%ETX~k^><u)+wGYcCf-JXZS$-O*va}%E^|51tqYZcXIl$S5+CJr}B-K%YuM)E8
z4jg2Dz6^Infh*ONX1{^V5<BN}{cPnOvK){_JM^)4<WXKbOS$vby_d>*gW1co-k^_o
zP(@Y=W-rew!7SRT8<1CdRvSt6Hrn~OgYyRcl;4p@d2MI;0%y(Md=`QVQJ#fBKj&v5
zu%q{y&cAt;XCctf`B@0et=wN(Mnk|-cG+f>dhIlGGh0rRxWMX=tpGb}t5mO}JM2;Z
z%TIZ`qvKWmmZR>DT878($f<mxE<dIGmP0_l>+-Z5%TMZZ{PEX5r+^Am?i8TE^Ybcq
z3fSNId6suDcjqUi&~qzSu;@GdoR_)Fr##iF+|jztvUJKbZQ+{}u-~$3u-xPA!H-)P
zI8E@tn9znnBN~M42pZ5JWE9S#OT5FJtrW_y2^ujbvz+~f!v?dLr)Kfe*~{s(I%HhH
ze|csDvX`TNM?aXod;!Wc8|c40Q^&HGcf|RbI+DE{#d(%z>WKgIGYQC6?(LE?2tqmJ
z<KREta&^ph{jr(yIc2#HJNWU+KOj^7C|6$l)iTJ`59mp4>|%Ltzr4#c$@N#yDW5Km
zPQa_5-lMaZHwYNsz}g-#Ag6NZr@ntvo+*6q9;3g-Rqiw&*6CY+ZSRFL{uZ?Sj*K(C
znXKohJFQb6;9K4ykMn(secG?Gi9c)oDw}wH%Dd!Ie;?m+`kx^9AA5g_Z+TYz@GV7e
zMgMo$Ve{D!Df%ARNv@T^zvfz=d4K*7lX4^fvdK?g^3O|u{NJ_g6$XR>VL%uta||@W
zFrlL!D`2=_)nN`lmp75W!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|l
zfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!
z3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``E5gAw?^oVPH$kVP3
zbN=UAANGQ4eejd6b<^*W4_+0K*V1%)+{*s0_|=2m3G03iNKJ|a76+sxE(qAUE5V&p
zJI8%)xkI~I0Zz>AWd(%ywLJ5BTdv3-<)dghad)QoC#)UrN?8A^Cpm6Tz?Lm*a+ERK
zIk>jvne~!&R>&vrv#0*os<L~-5By?ouIHHh3+`&UL%Lc4^Pm^=`&e$#3B$~pNnzh^
z+V%F`TeA4?4RhW<Z}ajVH^i?U^<?74ai7Jn89pv4X6B^i%^`CVH%*96SU)B?DQ4=n
zl(^t68^S+L4*&7u^|QNM^Je#OO@+;mhinHU{Rnt^L4WJ+h`v_MHKVL^{M}{H50;01
z0>|V_hy2wc`wGTD;>HP{EvcDyz9ID0!1#5eS|n|n{8e)7%sI)MgZC!K&q+&;pRH07
z!hH~-wr*Xc5;sj%ODDEbvwK!j@cAmNdv?t3VJQM-$LI94wgK~D`~Bzlww_zi&$@d3
z&-||inZIe@TJAYLtN@gWE@aYDY&rON_qNpK8QjLN8QM50dRk}L_2!iLxsdaGAVR?>
zFii(eLjGRF&pV0zr?#XlO<Onj!?ZcQ&Q1&d-bxGW=1PNniBrHyKVVrl{eWJiK_3!f
z`@h0pJilmwRnvK+vpVaz0sqZHenn*<X32N1<jp~zJ%20h=i}FoYz==tBPDLmi42)*
zd23mpg3KX%huuRr5C^K1_<1Vox4TquXA3s(f^B=U$<?2%u`k_*(GjLu&V@ew30(+B
ztoR0W;YxGQGrqT6(360L{Uv@hoD?KQAMQp!t?g*@iUCcNVy4YZiJ#-O^GuniWs$e9
z?30(M#F&|C!O*4(Ht&^t4_6lX`N}h&+w=|e8AczdC+sthK^G=r>~Qb;U-%zwENl9=
zmJ9m>7Rfjw-{ObA58%OzhFukyuwiVc<jtXfYyX}QL3z`!Ll1HR>^(Jku}X@Wp~45%
zRUxqZ**yb_L+<|SpzNs!S#$xmzXAQj%gY8^XY*cW{eT#ur&lMqEkFMZB*jkCvX5Ev
zLzATFsjE`r(YGf?(6<x0%N^y(kbN>@fuy)ODq`qW+U~>P?-}bk5tc*jM>{S8s0;K9
z^bgu6K;|jXgV&Z1v(DljQwI=BX2df7S*VzMVdq-*acf3AoD>^$%p1>Xd(Yah+j@`;
z-7uhTq$2*?k`$qKZeOcbO?yzyMGPM?AW(((cWKP;=Th_fy42j>E;XlDMvR|TFN!9A
zr|y{8(&)iv=)t3u?4+-BY#=eBL(RACjMp{+-~TqoaIpD>wD;pcW-O09<b4V@&VC?m
zYx1J>om->S-kmGefjw*0!M$tL(ZeZf+oqq?;=z`R8WE_XhI_JM$uN&177z8P$iW`9
z@FzF)1iH}&v0+cI{Tp9V1Yclu!Ndw$4-g-OVw~8Jx6Zf#I#J<$!IoXII=;u4ZUE-;
z=;PD$xDLLYv3mw!<B+-9y?uq2_u&JZ)X{@6=|>JkpE|OC<4L4xhxV>XUoo~G<Z7uU
z!vnRPjlBJ)KKii)I<aUF^}(&?LLb85LyAckGGYYAiI_`xk2>)4CzcC3QDJ?-`nhlE
zdryp>-Xtk@*6_qlQ@SN?7}ptdb>AcQ`!-?2nC}xePV9_%n;u(}7xdk~Giv7k9SdV2
z=fs1%m;Zin_X>4r-&%EO?^^Zy(XA?B$%pBS23l!R!z<-2d)p8A>V@$cOQ0Kzhj`S2
zfo|;^=nJR|MT{LX^Z;_7jd8&h)C0r?y6<DYBK^Q=mN{H=?{By)R~!7l;TO-b+~Y5{
zDw+Mx^vK~I=lzwY>hIqX`6P5=(B7?cV^@r+d1~<x*#58pZU5ARqUZv3!{`HbA>v2)
z1;h{30j&##ix*6ss37-U7%%=G?+aW6U=G1AAI|$O5BY`meMSznE`c3{&F<-n#uzPj
zPEXIaIlVmlfP=^%UN|t|VAP1p$ADc+hF6YRGOW_ZrNb+&iW(j;3Vr<7kprxDv);FA
zO?l9*?Puk%i!Xo=4@J3(9OOE+V1T6-{Aj7g+SZ{HIoN!D_fr>mEc=N0h$T(`P{=re
zz91d_K^o$KHz?Pc-&+BT2bO;w2=3zT^C0`7Hg{(HY~m*Ecj<$3mW|WKEANJ#Pg^#k
z(gRV$1H&Q*S!&&+`lnK({-+YdA4V*A7JRwO>lccs18k4+36by#9A7|&h4lw|oWS!j
zhuD=m5Cm@U{Hfgf0o<qV^WpdI;eA8?ls$PcNJmVb9yP*~4z8U@!?wXm<cU-EF<w1E
z%(v(#OKqCbT&-O`Np<=D6ZPxpA64qQJ}Rmh<c@1)(?{w8#}bSgIesWazmU-%fSX~|
zfl1$#|L4r;`=WeppWHFtGJe({-#P4~UO*QDPoiH)Pg>Jkz5dFx>YjfzR;{kDp?)6O
zM<vd?NB0H!8W;GHa}L+d(1#2?D7-&7K|Y`ZKN}q=Z}Y}xtb_jUDTnQApHJC`_b-&}
zGi1QHFKU>j;#d8so_+E@_2AvtsxF;gRbe6H)aJPlsf7bEFHnTBL0&q*a-#>FZ=yU4
z=nuR)(90S`9hmW5`5GGzdBfYUK@S!=ZJ!)5uFem?xgA5<QpSl9kE>ZT#;E^1*H$GZ
zty6y;T%wkYI9DwhYL5*HVc)r3*Iya+V9{Xjc%gtgz&T|4f$ymUIJaEP4`9wi-v{Qu
zZnbS+&xzT3pkwMn_<cV*gV-PQKk@S)QAw+Nsm)71Qy3TOIl(0u7x<G^N$u1313h4$
z#(OS+9_V-&e)1LS0M0G*^8;K%$9uu^kAAkywVsm`&dV2%>`i<Yp#1>n0yq{}Jj9Lp
zfYU2`r%v(S7$b7bm`@#`ZE$RO0&()~nm5~im@jKT6US_sX$2zgi?`*^cwhICk?@nn
zD}VOGoCD-D0HkM7_P%<+=MDMv1)3l5l@c|`x{NYE)8oQ+58dJ_3`Tx+f%g6L`?zl6
zy;HX-d)h*A^!rYZOKYBUQ1k(u)8M=TpEvRTLv0%{w&0VVWI3K!PNw|3zImzV?dO}h
z9&g*KP;$sgcC5Q3f9U(Q@5g%Ccd=Gd0VkPa{Vn{oOD!AWR!fKH6Fe5s=h%5}=llG;
zuH&q;gz9D6myL8|t^&`ZF=s%VuzB&9YOWUcwO*r)aO@e02cbJ2;BufIPy@IKI2Wi2
zT;K=Xe_s2xx19Ux)7MmG+h=wS96hUxM+J59oDAxU6qrA-64vPeKV?S*_Aej?dsA-D
zA6Qw<^TB+atB>VzHn{DtPTzgb^CD1>vwr4zyt56y=lk1s*2(smw)nO?d=TzsKqVF2
z-OB~}m<fJn{t)0qI=5$a2{<tN>x-M!X!gWe&$YYhJa9|ynHq50?8{9iJmx}xGNdf8
z1Oh3a+<rKwGSD1&510<@1{Cl+upc;N<AA+=6zNHT#}Mg{J$Os{qit?c#3K(dZKWQ6
zxP^N5u@>sz?V9WK8RX6OQ;)Pzk3QH^J<_J7dJHMIpKsq>z4%0P_1`DGcmermaqi=7
zTV@=~<J-4wp`L!!TQBQoy#}oRIn=}Lb`N>$=XIWB{g0!5)J?pAJg>=XvrZoS4C>^$
zti#mDlx@)0LHXmj_M<qS=dj-PXxp=odFwOn<~{IU*hbd>@B=s=c=BQIvCllpGPDuE
zx#>K=-GjFrd$>*OzhF}toRU`?X5T4nlY7d9vT(}f2)20~%R+#Ufm?toxyjzQ49Bzo
zsSk7lSU>AzJ4_px{spW6hC%M1KmKs5SH^U%wrhOXOV!9uSETp(q_+C%jb`fQXIiPY
z58SHm`B!Vz_WoPJ)vbE_-n(1lzFVnp-n>bT`t~|Cd*Ib-+32Qf!*7jM?8HVYesUuf
zH>r_|p3qpW`L&5!JOb-H`!`dgzq?NT@cxbJt>-C+TNLYg;GWjt_*RW}58Vpc+^Y9K
zg7m%rwopHPeLc=a{iB+yji`S!>Sf&<$2V5Xam~;luU11kT&F&IskyG>UbL0xvMyaO
z(l+<D)^(DD*Pm;tzJKo~H3IFP)vuX~9DbErjW$N3KGw~)^B#Du<)fRZxj$W{e(8Lz
z>h$)F(4m{vefQiB4qAhYTNLDt?SH5T@4xNTOHbdZ{`b_4>)YPnx@Y^gtth+y0?z?2
z0iObcfF-~mfKwJmHpj5P2hbEK@Y)le1F#>^@dxz+`C7mRz+5i|`8NQ)9y<J|i}bUM
z;}O<*+h<tYw@tUyw&|`krh7v!QhP!gsg*xBRztqIPW|VJmWtf|yL~G)zS}h_Wm-dZ
zbbdYc=YqQGSVUcQG`yZVJg=TQG&d86kw1cczoYCA9HWm#et%ef6$6f^^=_s<fAuEl
z7W~bF;1hm_ZSD8@^=jSN#_Hf4Z~Z)%*K*d+JolM;dEHIFHBy7Vz7D>km3j#J3f)!@
z-ghf><7PFfM>Dl)d?U3tw7xoqHn1%`mu)-3x*hFiU8a8Cn`w8_)GO84&eh<1Zq#z8
zU+ML69X0pI^G?P5=2ly$TXV?!!*^$YMuhv)TqC^<coA3w7`Y@Pf0ZpWEkA5imIc-W
zyAJAteisJmy#TNC1(4B~An*F(wI+Id`N+z(HcxOJ0ThrPJKj>;XI57S<}}pu<Nc>j
zZ>R=*aXsw0vHE*aU6j?=T<!^}ul9gbg53IpDL2RNgZ#<&9}!;tSTw9D{B}$A>a#7>
z+A)pQpZ5N}IL@5ouYPB}ye?(-=Yo1FW<n$N-iyuE6A!mia|T|eb&}U&Ij^nHD@3~w
zf{$b2)ztEl=csNU)KM!(S5~kal{(c@36rd}IPeEO_%~(H=aV|@lPSXh2Qr==VjpEh
zTcm9CIY@a<p=8c$I)A9g=vzbN_4-Dnrak%^Nt3;6+~Ox%b$~ws1*9|G6?~=IKf7TD
zSF}ai&7rwonUHUCSy=FVBirK(>uGzBpWIOE#BRu@F!l2sp38QoKwnq>(pde4y3Mr;
zQ>XL(c>dndM(|%X)sC3~3jEPtG{9M!&EHz2dK`c>L*7O<lrKP?(8nOX54euyNQ*`G
z=2~{0rccnRvkdLi*F#GA{{c|`ypQzV!8OwN&u);8``5s|r^9a2nVNmYl|p9e@VV*G
zF@24q*2{Jtm|Z^|_MXnVi%_2*{iY9T2tBI@`JbiYCTPyc8*$1`pC!-8=Q<vw4gmD`
zxgO_~Sz+=y=@r^%<bNgdN9?x4{$04gn$YtGe(t~UHV--ESfAInaxTy9Tz_T7SYI0I
zKLwn$f$e&<4ctpTl{}@2tphG&J4~17S5A}-bs)dT7w2(kr@k)I3xTZwegARD|8K}Y
zopBoP(O_>VeQDk>$LBXaQ+4ij+?&6)vOM#cEV@ab0)1#ey-+Dr&-SMS_fl5ivqWvX
zIP?K+bOG!G8UYQ7?XxbsVQ0`4H}4F({3aVW?+vMa)#0#4^$vwLtbaHRuv2amM^Lse
zq;^vrfAh9!)f#P`a#_7?Q>)eAHl<qqt$<Fs4Pd+8j#<^OMVxWNA=G8+(5by`>OUCT
zpuw)-D{k5`vwAb0XX<2qzIAS&UcCvgzdxjIW8GFq-K@`Chh=+$Yc}Jt_WharbfzuQ
zzJKivt@H5iklLRj9kVyIZVYsVzQFcn4d@?ELI={leSypL0eW5-Tm}H-mv93ffcuDI
z@9&F4AAIZBIK}HHR!y|(ubpJI0q(YOk0bvt<R4fw(Q3-`4=t|K3b+rr8@R`Y$uqtG
zj};9s3>|J&#(AvASr_X!`<VXoy_YTbk*In#ab6qXUjXZH*2nw<hnCdQvDBJL)(trC
z0f6mtwwLwkwyvJ&eJ>ct=G*_qjrVw<i%s{0)P4`Tunf8Y`Rjf%EqQ7ci~%y@0mjn}
z$VF~)W*KnCeT3Z(wgqsxcg(8h-W6QKy)*a<cl@-o^*C|EWNRo84MYJefn~r78_aJ6
zep70q=is8+Yk*b25@3Z7mSH>T=#mEiUNP2czG1Q}3Fj@h!Fo-dyw0+XlU<4PhgsDR
zN7nro=fwj{f#m?}WnE0UZygZaxxMAWdGmqQJRe})tkdL|A|DHMqI}|}RjC9!$Ngpl
zWL?7pyAObz1JLJZlM~8Y?g_0k1wH_M0%F1`IwsU(C~&z3hyYdrD}hL0GSCHR59oIc
zjE-QtRQdz(r0*MPU*Kcl9pEeAL*P9-{S4^`>nB+QRs5Z2Lk?qr4}cGW_w4jjd*25K
z7S-zZdsKtxmyfk>+c?Gb6V83##-~U>a%_Ky^3e-NTD1=^uJ;wrCq4l_0^YarHPUx&
z42_*0coxq81$fJ@hwc0vcpG4QS$_wD+#@Z}8V-z&+=y8M4$ZsHjWM$J9lL_AxE-;=
zCin!EIJpx00_uR#1IC0-nEk(F|4iU6TL*L>!F*}@fgdCP{>Xm=P)6U`>6b{q0H_aN
zLH>hO;=igu7UO|00LuJxfO6yZmrNo5{*eC*kbi5)cO=fGd`w*?rLKL6^05m>TD2g5
z%DJ;$2kT^A)P?VW&j9Wl89mig8Rv}yC}&gG*T}Qoybjy?EzprXBQ22powC^-Qp*F|
z*XO59t6CjCVE3NT+L#aWPzN}cW<21FllDI9gwX}+f&OL*(rkXldCk+E2R}~vlRL_#
zlbw=J+CFvQ3oZYI|D*l?X3OMbq(%pfj6Q?>``YrS{SU{vMmDU=)JePj4CP}Wf7(Cg
zPgy(lihiIIKs_Lg{Kw+l5A3>FH}!z+W}a>BNRUgUg_b|hKN8Vg`vCL<KQk_bPe_B0
zfNb@c&}sL+dCK0Y3%jx1iglJI9RNQfe+tFV4?bUWvnQn1%alF9@qnH?#rVd|4;dTx
zmA`YFdcf@iz_q*-(ozu*i2VHs9=i}PYP;Vy^P=<7?<YIu&scE(>_%$ajEjs8urHvD
z_53PQr|eDsZ+k!IkoEWNkm_srZ^7x=>yUpx<n!|XKdHpK*#D0M=<kjHH$I!G)Bm&o
z&yW9S|IZlWd%)Di{@&OBkFfiHr~hZ4;?MsVD*iL9!{2M$M-1?+Eqgs5Wast#0OwFK
zH*my`2aTMWI%5OoO_|9*&g)>mzJ|HxnMfV-XZ**$)5OoFKQ(>oXXyV2tN4Gi|7ZNi
z{+RM-n$h<o|0(+a-j4o%80!24aK-@KX8-?*qyPT~=W+~a<j=T*^6v=nI>d;WX#tG?
z#{i7=DSOsSz18(0WqiT-r4#u?TB!d2;M^u&-yd3MTn_Tr`hdCAH)4LX{)Kp8BIKD2
z7&|vIXL<ri0EPj#0HwnB+x+PJ1W%NIBCrbB0IUVp+36aj3F{|Y!+8$my8?&<)&m=X
zO-v7ZQ|{Y&bV<F(myNNm!}xwXumRZQ16;!uy>YTTG59CzqQjAO=r?wt4&ORsu%G)9
zQ8v?Vb12#q1F&7rb~4X>oOAftKDNN}-w{+z`{jw9Ef;+MrmVi-%nj=21`4s@e|epQ
zbFbpuUnPKZtp5NW1RetJ1UUDa@qC`gm$o1Hx)5jx)boS7*w+BKnC(v6{>a%X<-V%G
z`Hqx%jr7#}t18ve-Jpu)n%K*A{**qJFREgn#`vDDb6KZ4@p=Hxzd)tlZ|Y(FRqgGn
zD*4_E)Sf5w_ngp<YIb|rF5mW=ww}j&3-iOAv9`}`vo5Ux`5&|8&*uX6yl`eLh}iH>
zUSsR@3;cdB!Fhe?0CnVy`+R4c3Yy<A$qGO}@X@+SRyUwC@B@K;Iz|3_<om21Z#DaS
z)z#GwMb_z#xxLQ74~GDzHn^_~%D+?F?ytOdqV-Rl+ZX5ZeAcDwMxN>SKriH9W_yt@
z(YOhHzLx*4keUrJ1~76rDRn^SF;8@C=d9{=*rr`US8{&U`5ZvY+LpO4<8h_+2Rm{B
z?p$E{3HpfzzyyH(@I+t|Fxk#egr5&zGr@Z9ujNf!!EZ;R-<}9e044*I?Cr5g$Dw?M
z+R)<4brbcR(`?i+-qd5~SvU8we*N49X>RQ_Wrfxe%<*XX?+LBd0I|N2yGbd3-S@*c
zL{Of`>^XwcD%;{{7dY2^BE1wC4RB8P1HjA?GhXEO2ata^*#Gm8f9nGaYYl{)&0H>H
zMa~(U?GI2sO0B!GHso*S8BJ`+`U%E%?*g2cW-M7~x#pJ#J{#e&=m+XS#wPC1CV%+;
z|M57C6$%_<@Vv70GrS|c1mO6K@}jI5Z*%-*(k~$Y{*eC*w){sx-W<y@t|#;yF;d3!
zUqJq2)w-J~f6n1{_Nj~Ye+w|iCq@A!F8>`t)%7*D%((C(`1n0O{lA_Af?jM$o>E!I
zBRlQm%aS|`+E&9mQrbWLKF3~Wj7ZsM%<V${eQo*Q2Kf$$oU_dlV;}v%XDA=zkUyV0
zP_HO!*2%GGCxCiDoEG_$n<L>jX&r!^m)i0-egJ7buA#!GvS9lmwaauo$9u@n58P`$
zkX8u!@0;CF`*isBUbg(XF60FBka-VshGzj4LiW5@ANkY&(>`gFw0qjDNk51E_w(`p
zoFAg^H~oN_+xy(d{=fIBi~i-b`+wdq>|4tg^T4;$-XZtDwd_OdO#Sss%k|fy+e*A2
zVmnI94{~tY|IgT_Z|0mEK{-(un0^fT_jJU6gCTd$;}Pr!7y~lT^#dP4{-f>qk1+(F
z+tc^6Zi4Y7pGh-iEXcX!)5iOW$baf<!3WH?Wj`Zj`gyv~$2y_Y){fGk1BQ2`7X!0^
zK0ptkFVG+8mkHN6TmH9Vd^Zhp?rWnzQlcNw1L%$NP__Q%nu!0{&vUJSv##FQ9tiMS
ztbg3;<O1=%cN`c}vo*$qLy~8lqvv?cv!T=3mNR`VaBu9N>o4g4!+}s>whuzEy%gjB
ze;!|PRXxaf5fBE<_5t_J!JO`FtSLDcb2=~JJgx}~23T*HBjrBMIrJqDNKdQn;aQ))
z9{PJX`i0Ya?K3TRxxQs#4CvzeK+Fe-?7jBKIX2E05*hPt&TZJg>(6CPT=4I1*tvnr
zk>@^c>*pd!-vKrN3xUNBaE&SVtp@b-C!`{Wa$=Z}r5<M??G7+5=n8NhU>AVv!FmE*
z7r=eLmXq6-+prmcOpW}1K)wUOu_EUN&0I0}ajuBqT%y>1Ino};)5xFp{w=_H0*(`z
zQV%)-)CFP`Ao8ym@;7rtBL8wEZ{J&iJ?CWqB7a}9%Hg(;{2AwQ9Vlh*`~C;x0`dRl
zOa~xSWB-irDR=hyjP>|l8P^F=A2>E7h62+6mm?j3JdON0&YKTR1*Y3zeg-fFm<3Gb
zts@m3C?`4qS?W1<q_+bc1JK?%=Hq&BlYWgn{e%9N5>k<WIg!8IhA=<|VAGrr4#)!)
zX1#@Ig)krt2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit
z!hkR!3<v|lfG{8o2m``^Fdz&F1HwSrVL-`G7&y}mq+9rgx8t|KvT8dvPr;mAj_t!V
zuRAh#;Bd>ToVm?S#|i0r+v;ErV0HM_HrvO&+Zh$4dbd5M+}^g#wo(i95gqIu9bMiU
z?y$ElOMkU1<DR_LWwg+4j%C>w$k?`T(QY2j^490OZ8sO?9rOX2+jsbE*Y>-u+0$(z
z>6x|bT}oNk>kR+64x@>Yna6t+&N$@UPC*Ts+uj?<dE0wKndJ^f+0x^gBH|{#>fS*o
z$6eNc&T>KEsooP#rgeDtP#VgPdu4d?>kjW8IMCq^+>4fB#`bY9#g1*=!i;USgcq>4
zJMd2QHtN^)rB>I+^ZMty(74pvEYAF8Y<K+6xfEu`HrwmmW_!7P2mbKK`jKSY?!ZF)
zOnC>rm9c%;-bA^s?}*v9uXi$Y`&_Rq%#Lj7DWCG=KHDeRUdQimw%741=(cZtzSm33
zXuIPgk}Y`#n!wKQ1UdpPs}BC+cc=a<e}n;HKo}4PgaKhd7!U@80bxKG5C((+VL%uV
z28x-1*d-lZn^*L5t(y8kx&P)+Qp^l@a@_2I)Z}FW`w#E&d%vSTv|K?ySf0>sR>15Y
zR=}K|mS<k?)B8RC;uLY>#__I{_;~?awyeo^zf+&GT;V+f&OWeb<$1@CCR7=GUC#G8
z<2%buKIZi*J^$M`FP>83=Xkbl^WJyNq7I&<=*ib7#m;;ud2{gSq}W-DljFjow<Is#
z9v#(lPsE^F+rqk8(X)HFR^UEoLGC{SZ_Vvx-4W5(`+s50^@6)tZj|Zox|w~YDNWoo
z*`1OQuD>Oeuy*7{xZjV!#U|)MI`*rSg!w8paiQ9hyhN=EdQr{p5vW4DS}Lr&e}Ip}
zKsfICW7tANbFU#?wN8|(Zx$s*Pjl}&{Fl~s<X=sRo3qz@&k?wHV*W{NpG-+ycxv&O
zJJNzWS!to&-05N6U1_*~gOkV`aG#T#6X0SV^y1+aL%sj&7QVuRZT+3M|8MU);Ho&b
z{_ee(rYLGGFDQZ(yHP`oG0i+<UV5xAF`5`PF-DChcB4`h6<a`1P@-6(u>jJ0mtwHQ
zihv;9LY1P%20P#X%)JW;SfkIp_p!g<|DM^I*_m_Bl-)ZsXGYe|v!KawHeBwsBhGEI
zQUimioFQ{{R(jOU%yW^qKp}f%b$;G4>4^6yEYx0Lk?XZs_|GB>Tc?&0vM?ES<c5BP
zDveIaO+dX7PC@RENLF7vLB#zts|%@zow)w9QUiLRkI&9NAH!vb{46g!o)uh3V#SvZ
zvx+MjEbp`vi{B)$L+-jPajS|YZc(y?Uz9A~P00?rDp<6$$RZp>Ugr1F1?fZ9LqL?H
zU_^R=4xUNB@Voa{T>kVE+XtRI<}xw)pw-Bfgr#FMPwyO6oFDz|)v|MQuT|!5xLTQ;
z@P|k5>v66EbRcrMNq&y4N_I$tL{QR4%mxM5MF`59bV21_2XdVtzcSQ?k)#8}Q=!jn
z@V=q2r*Q?LAEI>8Ke>e13;BU|=*L$J+3~JIPQoT3HEyHu$H5IkV63ySF=3PH3;3@&
zx~nxy_P4A~+NKK~h-&#|J=CG357JHCCIyRHUt1^Y=zwG=J@9@4JS-tz@QzT%I6ZwG
zAV1#bp!@gLJc&}c1J!3Ol%*ExH&N{x#G{@c+o@gcw__rkG5s4B?>UksZ4p?)7R0S1
zcYU{9FXA`fQx7CR^_dJjIm$X9`ZTYd^VB*<yNl)WuN7{i-b&zCf((Re4XQxz#Jee~
zPVClWyEjc@R@PQ5Ip#-}uvviY_m>~fs`aC3AMu-&EW%N&-zKO(xUJEFJ;{xC<X`R+
zM}0g<Yz*#;Tk*aI{r4-BC)%Av?UmXt^=Ap-xgk_&*8)5GTSt~0@;*DV(}3S6Y*955
zx3TBdX>)xbpI8?K-UAKvAlHK_q=RjX3{)S#|AzSQPhM$Mj=Hi@{D-|FG<|K1qhJ?-
z_ZPlR@BF?+!G7PWMv}XN9p2VBe&2#Nk8(fs5b-G;IZaM+&(j7yvK{GzqJLqL!~+0c
zr0}(Z1bXYBlQ59viE?<n?*ol)+Jl+{&jSWP%h4YXYV-Ms0Y<%E9?@Zsjb6Nmtq${B
zrCk-hNt?w2F+kV`9Tw=Q%K{wkM&No~7V50aqFnV@>}DMn?W%qze4`EvLKwyO*E~b_
z<WFhJ@uFOH@O-_rk&m~%4%=s=#SYkMu>gBjRe-&c`K?qP|M0!n|1tWLLB^v$d8G?@
zHvu{UZAcD)<RQ68K9cjU_Xgbqroh)g5^xi!0!l}IJSh6pVXy4An_+&{X1WENIibHa
zX86l&#D@dfsE=P}-;cLsYv%N2TWx!@T`PLAUzhh{Zq~io>e+qS?5|&B<3<i(BR(3)
zKBH$qza9G$TRE#X{??_v*($`HGVZ0j;*G^~vnIXB!!{$mok*9`cSn56@B8un*{F|R
zX2U;twR-G`0c^sjmU+WJe02|WumybY0HT3nfaD-~jsa5u3*avKsqV;rpgI8QVDD$c
z2X>>d3w}cD9B-jG>wv)W{f(;s*ws^7@#BlqzSVuCf?#v0BGOE{8f_|F(}3LMSBS7P
z`?^VP)_tY1BL_*lSH2+S`dLWjb>dT8y3g~s;OUJUHAr$<+)p~aw>wX}Zd^*AryXU6
zvx8099(xmJHO)eba&5s<_9{wqeT0t0Zzj&u0{;XvU^{Re(5Eoa2C~ck2;==Is3B1E
zjdkWXEyHvBg=^^^A}b2%3?9tb)#xtlYE&0i8g9x8LvWsLJrv=-B+QIeM47T{h@0bQ
z&gm7zr?9&5>HbQ%8M_{%jz?)%;yHT0eq8yv(r~ltt5GI*E(hvWp=|DCcnU1tLs&<$
z_&c`N-n+6rmlJJRN%Cl9B=>#)Lm*u4Kb1DqyKx<4c#3V1c0TA$oZEY&FvR?JVX)bs
zMIq)_ibKt>lxTqSJ+Bvsn3V%pz&D{3{9Z*pxLOu&URo!9InIOqlj3ROmQnnIV6*Gc
zLj}bnsM9s8KwO*|Y>KmEImj)MUJ!>Bg<7y|@0L|*`$>MW1bqI3WWDGwh_>HbDBYJC
zYHwZMNil0e@B7M4&&U_)Kz0+&@KlOOw?l@9*b(Q~nG^*Z8|C`9eIeafe`JQQ{xD#8
zx=-_wxdCnal|&i8TO8GSWN~EYVW6W+B8^|q^fefi=G}a>Chmv~AN>ysLOb>?iRwHY
zaR|fU9#s@(^kSN~{yT`r(@pnnJ}T3<<&dJ_&YcT_I&}d|h~iAmo<$)h?*i7)#ZjE8
zDCPPZ+(8{B9n2!0!LJTc`NF*dxJxcM>`~|`FZH(u=n!BxumNz!*^@g`eYM9{B$)n;
z^C&lA58{o$j`D;q^G<jQGZ1Gdu<?|a=yKdc*l;nT-DhR-Cfg8a1I2}VM^Q}2FA%m0
zaojZNZUMD>5PztXuc59)Wc%nd=%5TbI0soXfy00sFqqN+eQX`jvnYQ>hHrCz)*jC1
zeH&->tpMn}-Z`f{g=OdbbiRcAi*Oz<owG#eFIknxcOluQA`YF)J0H)@J>el(LH=<F
zqqCamoQC<3-=;9ya6H23>|Z(uT0R$g!G*vM%JQ&oipxQr6m*^{&QVq1Om!vNo2od>
zoVU@!kS?#_zB=oG9_c^=ztkTPWcPl!n``v&*!2K>@jeptp8(0v&lraMOVj*xsQl?X
zYC3;{U=10kBWw!dk^CeZ$-e~hk3krnOGNU|gZ#FTe;mT*o;e`W`NgDH(gUU6D8B{4
zow<M3fo3Y4FNt=5{vf1F)p;*1S!R;|jt1mD2yp&E8%^^;bq&18@(+dE1+XJPMrX)B
z0rF#y{myg-3!TO0i26SpVKWei&iGw<+Do*9jH@93SCF61^riFp>>$4*<o^m`w$RaP
z#3kLX0c`KZ6V(9<!`aGj)7i?v9rOhZXX~Ctf9Q{PPzgCn7lcwE6lhP+fIhDLydMQ$
z-2p0}A2e8y;-l3c@=t&~bT&1eHL|cW(d@kwIL8)p<E(RWCNKx*6n}d;vO^!pOlALr
z1`A3L8d)N2Jkq1Gr*x?ed`A3&HsF`)KZQXLi!}1zR8!O4<e%xK-41g01bP8&$nR-f
zC^OC*Xmh|CSO(YtYmV&`zPNhG{NK>aTEGVNVHxfho%3%t80UMg)WoB>>wq_iKhTGI
zSJldI>Y$PT22s2h7En5<3tT_srVBcF?EX)kLhUb=2cXn|=L2^Kfa)x@-zBKW%kf_L
z0p&amZGz68Sc1OcC+K16`GDr*(Jt%}2lYZAP@VsTasbr^<g|Gmug$sERV#lNJB|ER
zcpp}vUofFq`F?Gb8kwJ%+_kyay1*+hf6%r7+BomCNC!5Me>&u!0@<mrTY$4%=R<z0
zjDTiiApbH=T&m~P-uXBu=sjhw&6U@CP5n3dR3kt2e{(4g?jI_Ry6HWx8~n=hw}X2X
zKz%lqsV(H60r{tD<fnH7$#0GF{{r%_MER4R2=>6o!~^I<@s9UC&-Zd*$2KVU%A!!y
zZS;I;c=v~DKNR;#T;Nxhza`w805`xD*oFS=2lVq){<{HJzzu!ChIIdC@1y;%M_XS7
z*aI$z`!?|d`cU#yT$DG@8@hNA-v<2sPX5p8g3P)=bD$ZZk2CC5*OR&_(f*r5_GW-S
z<X4~`7?s3!`ms2+(==czFdKe7iSLqwMvqi}1)6$*I*;$8zxTN|ke`<==wM)LS)2)d
zC(xNan}OjZKj=f3KgFjDeLj5`^17h*c{aZ&b9yh-fX=WcP9T%00q?WmehnbG>3lN!
zUZC$F-v5C<vi#3R+DFe-mJPJN{PbVo|C9Vw|Mvm>{~zdY0H50d{a-GBxjnRooI?Q8
z17RreyxdkEy=FB%@!zBYlr{B-crV_CXWoDRH|em6*Cq`#X`o31O&Vy@K$8ZVH1IeY
zc=|gL{M8()G~0>fXf|H4Rc`@9+pE|hZQAI>nDW3bAGGmFIsRVjsBd}19MTHzWg1KO
zHk!R&2Ftsg7~kUl#)H*+z#t)hPYKcmDz%DhWfN<|q-=@r2m+eTVhuF@nuzg;dpjkY
z*@OO>uBJD#ve^l`*U<7fW8BrbBxCiBlwFS+tM8xcFYOc2510Vd>=R**o2IKt15Fxe
z(m<02nl#X)fhG+!Y2b-yAmii?G5z>v@p#}k5%v>*`|(cL@Ns+2-0Z`uOGSAN`1Q0F
zM6$!c+IViu`FF6<qJkp6b21Ye%%gZM6tu1s9&cG$az@{8PUGuL0#*tl$pcv$$ooVp
z!2=S3O_}n-<t(0e=2>r(thC^1u%p}q8^dF{IZ0WmM>ZD5Y&N+Zx?0G9UBDl(%kT%*
zVm<ulupKn5n>^(BkJ`;;r$_L)>+{K;WFzJQS#FVSU{-o0%gsK*PDU+cp=-5SFzn)B
z4_MdENp_R%-(lFd%z-R?Eo(5^3CU4cuBYLSbMMXbIDgj1ChJ@{c#dFM=Llg{`FY20
zo;kR<3if=};p-Gq_|Ig|NOp}JRVWLx#~>Rel7ri<fmT8mN65j~oWV_H@l@*6A0g8@
z@A-Lue4m^BdjWKPCO_}Q+2X>p#pPvLRfV}Buup2i;>aEYwn~Y0ZSkB$*e8N-wOu0d
zF58@OIly-*%40m~oNR5Lv<wlB`n=9WIBI<q?PBN@;h?=TajV`c*w5IV@_E@d_m5=@
z&xVb0f(_NJlY3gQ1UHQ>nZ{1&F8eXa61uj=j*j@Ja^ZGkkYihdtDyDU0zrII{S@?~
z=G{T)jeKs9jc@Em5jIf@*ayMp3wA(puHucPUxbw4Z9{HtSUs5?-DAZ46JZZjWAg+%
zBH8{c0XBhTA6Z8Z;-A|*L52v}*zt8Pu*G@gx>RR<yEuNdrMUGc1HK*s>Fy-k!{`l)
zn}^(0u;Y@URh_U!2R1kY^K~1_+&3>{$2~20J!)XjMD|dCY_~+VjgheDqjU)*1KBu2
zu8`<Wddi8zdx}3zHdoxwX6b(IJl<I?f0C=vA?j!03hYDK@9qi-XlRq<E=tFL)nRA$
zw}Cy9NbwrRfgO`<ha}rIk?qkT*e*sRZH@iYZS=DY`E4ZL4%jyS4rz>U=$>p#$Tp`l
z(BjKcmYt0HjOpM!r`?3T);eU{Q%!b1kuEwc0Jc8dK8S3KG;V(f9TvP^1-m017UiPN
zg6hPPZHXc@c0^=PM0QE!FWV=1*lDvp)>_PaxmK0Gy^6Wad2VcL)34fnG3ur6;D>BQ
zh%d4g>Y%xASyvAD=>e|+UI2rw(UJH5^``amndbh#SQ)~ur+3waPX|a}jvgR6E_gxm
zTH8|!cJ3|(0sGhVlr}7SL7FwmQi2^2>|q8-tLF5TJP{{kLwCv7p$F_<`be-3l0JEV
zpfm+^&D<AYGt)~7Sl^w;@pJ4UxmopMQ^xjVpA8!zE&8teE#$R!*axqE4?7PV@Du>t
z0Zs#>fVTDc=j{dlB;WMqKXlcn@H}5(Ilw9+JKs6GuRA-wyBlm(Okv|fAX^tR^*!uv
zVDG_v9D1`v_a59&9gpIe!hXe+rF(T{dsg*fSw0rrhK2mEY0@C~pRuOwoTo`u#Kx94
zv%Ca$(O+$^aM)dsw?o)3jR9}35nrIZZy~pQk)P~;a<_^<ld?~=KIfr;O^``tMWpHV
z$|$p<q7aKhpn&X1V5?FL+mb@if|5|vD>q`ziosK1F~VV+!ov|(NO8)-O|RTMXj)tz
zVP5z78)WYS+&~<uEW#Z2I)+k)hmxi36Y|sc>$M{Ol7CZi{f4==R?M5+OVz7?<NKX}
zf3mSrE}db)<72&k^K?(qurSETFw@7-^sJZOH)%e)Q&YWlW}NqH@xhhYF5^q0ji;5y
z7|$q-F#7Pchwhh%Gc8RW{vpD@l*0?cJAZU)zwQ^Q-nt0aoe3L~_e(>~J6sO#WK<Ar
zWQ28My)Fltd{z|FbuaF(!M26$1?HXiRCERHd2n-cJ(A^7*9ybNfy)Bg23QT)VeRL-
z6kn|wwC)+}URPip=+8wlhTp@+!xlCk_6T2d)<-oH>j5czCBoOi286<`5WW&=H~<rg
zAJCe*a3#D4&#NM;ui525!@P8qJ@}<H?ze$#U?ITk1}Kk9Y253A++wPy$kR_gprkdd
zO8~OzSOlAvDd2A&)+WxwT0JYQ(Vq(cdC3P9v}Sd2s*m<mgwLgQtq5OI6m9q&)^E<j
zx>i~POX-ZGe6##osjxPY>^2D8HV5l9|3&NdF9!TWUZYQPQ~^XoWquz<2IRx#1Z@Ls
z1f0O98`k8{yn4uD3D%&lz*_uuC9y`|VNIshNe^))*5<8E_Et^Rgs-ej;NerjKi1-k
z&PZbm@D1?+TBHBc@NV3VHMc>u?wDlA^=-Kodh`LWXMrQYCZGj93;Mt^pm=mqK0ptk
z5AZ^=x56khQ2#q%{`o-t#h^nkM6{ihAO75e3*l`SgT8~c#1rAa09bN9u=x<Ir8UO0
zeKp|U&~S4e<n^IBzO7W?KSN$OT^!oQlJbXNjhuA<xEFNK^8;-IeXa(Ug0Hn_y|rdk
z9x}H<U0;EAu^Q`MXP_LcPkCakyoca`Ht{9p33sD>)Z;%*&A;h!=w1spAN(28H=ueH
zz1Ni!x}q}R-_xMa0am~)$g()qSBu)i9Nr${O@2aqo&x{5Xb)uDM7AqqC@oMGo}qLa
zlznMfSDrR>9YFk}PkNi4fejD$C-+~y<a|Np_OKp&{*vOOnpF<HgMYF)+l>C^N3@3}
z)E-bi>!JTIC~vqM)jx&Fe4-tX1i1Y<<hW;idggI2jShQ)Qhn}^_FxG9yP?1AhqYt<
zuvWTre%NzUs6BvMfexX(;C^U+ux|dL<36q&^`C?8dA$HNKz&*TECU?TPx1N>_XByt
zw}=9Ie`0l}K9BOfrVOYqE6#c=Md)8a>-H!dl-6-B0cHc%0Jm2HeIWmG`p<%bKdygJ
z1HcJz0JZ>=G;;l|`ImJDeyJ>a1O0)Q0B-9H+MwT&pJ}2`Rs+yAm4S>Vy+2v?Hl^02
zfhG++V-2VmA*l~i!eLUHHCg`&N{h9S&rMq01zJw4x<GR%Z{Q#u83t-g%fLXPCj$-D
zsYCPNFJi|mS~jNC_=`kwRS?ZLv#c^!-&f(^Da*GsyGaz+O$wJR2Xo3;%q@OzHkjv6
z5$K*t54e}(JszcXS|-3-K+QTWKI#IGrmIN<O&a*G)Ie5>k9aa{ni#gG;W)w55D4?h
zVpe)M_GeCP@W0V}sUXt)9_DFiPv$57{|ED^%AD+^nsg_lE4zNRpm|xrQG?JGf_8m*
zpXA=Rzwc9zMW-EJr<Ii!G9oiA_&4a_%()Z4UW#!uFT%WCj%F@>Kjy+_L4IzFO*}y#
z%D<wI6XCPC%(<Bd-@;z0*|cYDZg!%SacVb<+|ZVV(!Ri&{rxoaWHeV+4L;(K?|Z}p
z?T3u}8r_lK!(8W%x$*xa$#F|Mrk~v9eLmSE_F{HaFy@4hoH{Vz+9B-Gnz%(<!dzW7
z_GPWc{+oA@&mHg~g%U7dhkI|#m-4w3xEs`)`g~}{_r;%oe4g`*y%XCby=2Ur<;A%O
zY1k7r1#`I(;lK3E_xoiC_VyDcK5vNmT)wX&<_&3&#jtf^70QM0a|k{%p`)&pm+QQ?
z$`9UsQ^fp}yjNGF|G6+<$H%~<e-^B1{_gNL)tw{TRV-<n7CX94U@_afv#?#m*s&b~
zpZAmZ8|3>LZdcC_f?wKi@HWl;VSmBwBp3A_YjIBZE(^%t7V}ZYpAH*n^3S)28tt~y
zJLbI#b9YX<cQ7AU4O)#o|Ehu<wW`CM6jHF0js$;DT?un_93dLNAo6q2k@hduy1ma<
z3-fo)LUr0rZi_iP+RKmT>}a1qV}OsTlYZcChy1r-KfGTjkL@?c-=THIPP^{RZe~B4
zi^G1D7A$GI1q*lS&eqNA%NBgwp9MOp{S)20GS?-2*qm=(Wcyb4WN}-%vZKFRutVFr
zvW<&+-dZ-pggGrVc7Nl|w_hDMYQSvF-6kTx;Uhn)-7k)Km^8+c&ruf!3a#^f6?vFj
zyICG#QF1-TtmtZ#SxIH2X))%@ipwI*N(zE4ivPr%RAr=D3Fgy^%Hel8i2D^`?yVei
zTGudl_Gd+uS=GgWmMqUlI3*o@o|o;wmxt^2=|B9gb^(6G&qoYYy#B^J;_OL1R7u<P
z+NJL6`W)tj#+~-mwoUPF_DxZ=$;_fClSR3~Z6~JrsD3)-q5b2f@Q&nfT@cx6@;P6v
z=@d8FOaHB$1HD?OdKh)O5MX9m64uQ+%ezH!%3jPZ>{U$3Iv~D8^4{;l+zqdvpkHAO
zb~)yJ=3?A$KF0X0b3$7EfcYM4jJqx<jDCI&{A_4U7UQope`1ek-lViKZm!Hefa6MW
zVZI?e$EO9&ThV+E&6VsY|9f32nz<d!X^cAUDOh0)cml?MX}<~E+>q82vEP&pFsC5;
z`N{BGfidlG!6)rmWsPU}yg*)Hd)_}|ta<>=fnw}B1^G`w-mbuWfbR=-FCNIBk01I7
zBGSe_A>smz@h`~^HuxH2o>tJuY|JH5o;3Hu*P6hs1#p=$&dmEAP|aRXrduh^M;ZT=
z(*nhqxM)Lj63BlxbiNe%FG}&zo&&uv1Akvr+MqS{3i)z3s0GcNV9zO2ij(c#OdGQE
zx=8mAb0L2n;6s%8aOD3g<R4KM-{qaGpqAq>$FmmmIAbZD%pi4n*G&`iA4=?V(YmhR
zUv*<1hU*x5p#972F}^#I(yT}{<No#2NBN7;L8D>y<KF8Y`d2`HWp;>x0=nn=!yYM<
z0PLIB`8#?JWBiTgfjZcz|Gn~hkiR@u3fdm%2Jktv2R-+{7EXEqXdLs2>i2(5Pk(25
zXmsJBE|{`0jFd<i4XMJA3e4y*#3I-v3Bo|o!OW&?J7CAkY&PMb>g}x9CI%Eq%Yd_y
zi^eHvSi%IT8K-!p-VqNzqYLMhh-c!KiCE+LNcBH6HAu`kAA6US^xp;Fth6TjzG>kb
z8)rJS<?ohTj43Z>MH^sktgfsAd^g{7?W>dXTK?SSvP%8@OPTh$=cCRi?C4XBZ{`aj
ztHng{uqbSuq8+8>I=`)Q=+Ge|zDYSh@y;Tr_9{Vncz192)R?a>oeCa#G0v?S*1KWN
zqKhceH#7d17RNXU?@}5;D{J3}^Cop|rZk$|ddK3HU;C|AvhejnRfv;;<mcQOYtvNN
z&sq=rT<b}pj@q<W^{o}(wSRNK>z}pxc5L4+pN|+M{xqdmi{6&+4G48^<rw>mS=E_+
zJqlAjOv{6v&C8SbnwKBmVO|#I()~)Nw^{Mgon}(lhBjvhy!@(pmmZ^g5ijz^*jr*j
zoX*=hK{~5%AL%;(a-`nE%MmRX-a2Z!FfUZK>QY3Dmlzw_tTeLSx;$U4GZ+1Y@8xG_
zPwvUTDGu!x+Me)K{xdVE<-*J$gGE`v20vv4=+8K^M|ky&moDEou{gBrt_uOr?>PCZ
z@Mb}<Va>Nrs+W4r)0qRRW|&7GUmVlv%S#dMr=2;Vn88wB6Dz`d%HIt`@$JCN0`#sr
zLEj~S;!<RL&JW&)mcaZ&yK41KJfHVc(LR1Wjx0l6itjp}F23RPfamIl;eCy{;=lIJ
puAAP2+z)z(sK-oc+_V<uHiD323>XMPEdI^h2te4?+VHw@{||kfaxDM=

literal 0
HcmV?d00001

diff --git a/cli/scripts/winresources/docker.png b/cli/scripts/winresources/docker.png
new file mode 100644
index 0000000000000000000000000000000000000000..88df0b66dfcf0b298de8cd296b793b9220c4a914
GIT binary patch
literal 658195
zcmeI52VfLM-^S;9dgxUo6akTtgq{#WZz3H8tb`;KDWNHduM$KQ)K9@e6$LBOqzFor
zPy}pLL3-~cKzhILKbJeW9LeSS?%qA4!|l#a{mo{dow~Dn_2}&HQ^kid=HInThdzwS
zW^?PMCYOZm&Hknz@3CD5O<>HoEVnYY@QX@}`ScvozJ0G=!{aB$PZ%CQHmGa+_CaIE
z#}6GbDvq(qCl~h}*01l43av8Ernc)gGvTvt@qNmB1@&q7K|;AXb?VpfF7@=x8cR=<
z@4cgR$BxRX`<Bd9eDqPmhvj=W@O$6qxaM+=uRogp&CK`z%(?K!HzSX2&A9qc{)Yde
zuB}X2y#9bD(aUdcm&U!DCiwl>?(x#+r|;dp=fdTNZKnCu9?MF3t&goSA+MH<Wxf>|
z`BcqB&2LOL`G~I<OYFWVG4!$bw1GF<EqFne@Qy5T;+z)Uyb{W>Hd8)o_dRRVNtUp9
zex1H-iINTeD`v<g)+?9|t~>SW5tgtxbHN)j_WWlx%FC9_VL@f%W_Do1Te6i0o_)U~
z8yL#U4eho&oE;Blp<M?I?ZVdl!V>qF@?FQg{8(u3nKPbb$~V~HeYI*$X74Ou<vJw~
zh`j&Q>QdM06R8F3A~)3z?>Oywui$Z-0RtL7UT=Tbicghm7A=on*rwsm*B4Z7G_6VC
z`4p;$C3DJCX;bnh?+;kLe}A)&HU_*Ld~>^6TXV>eOZit0tQgydu?rL5I+WiaWPO!{
zmg<Dj`CmVgq#XW|?~+$DJ{Y<#u+0Xx<i^PXDPuXCj!S26I&tF4<;%yP-rer`=syR%
znLljj%ZUT>MrFMfnVXSz{<n*@r!{(UT4!bE`JI2KKJ(pU2R`wBXUOTRA9v3E#aEkK
z?MThtU59KMSijt*-etyp)M4R=DUH6XIjh|#PyYVIVQuWia}9D7QRkYnHLpa;-k1}-
z?8O*Gdbhfz22M=8n88@`miQh2*7H&%44;1Cz$ES6)_I+mJi!u%cKu`=V=r~6-LT)E
z>s#;jVywfGY4z8%t(v-{QiDYGV>?u*clhQGZuU;Q+PinQE7i^?HsP`HgP&aacDs7-
z{<Ef9{lOvswyD-6vG?$IKOGy;aA*Ht16qv@%#QZ@a!0+b)4Y{!_j#3#u5ogvY{>fq
zYklNZalwqt8auiu%Y0Bf=#QD@de`hWr)ih4KJWJn>ffbWa;x$3@b_Nmw0Ta;eXP;j
zx$kc69QN6?b-i2t>$jo(re)2mywmAx--EFe!xnyAVacL{<A1Kw>ceJBuN_=5Jn-bl
zQSJAJCSI?kX}o(>Xv00b+O2KT!28pfzt+}V>9=A}l{L?<RBV}*7IR?jBxRXt9TUBq
zDJQiHihjIpmx0d=>~XxyvY^LmHz|G6yScaGo!&d^*8Fr?x1Z~5E}gZz(vU`B?+xtI
zpw_W6AD0a&^~TKhyPMZ8Gpl{0x|?RpyRQAV-{CTcI~^X=r`C-IKQ3z0rAn<&|2P>t
za-Ampvj#y=?VE9V@#S5Y8(*$^xkmEyK8uI68TV~w-;4G7{Q1h$m9Lb#(&UOdZhoV-
z{l8h*=ghLD{Yp3e__=ngmTv6xQ}6edm2L9s!tj5lSLoX9yH#I*ex%Cqio-KT{B(Wd
z=F(?Af4s-Mg98r#b))n3dDj)Gll=VOEkAwl%whE^FRG-eG_3NZN<Yni=KIP=KB&C6
zUug5NTl23i2wV`~e_;KM_5W9X&YwP?KmB=~&#TrC>G$LE@0Xul?%O}5|6lz+{_&;0
zZ?5jtzj5D7KYIT=cSZl@i+kPbTea`7A6qVaZ~3rg@%>tV`_`bmS?WQ%p4rv2{kOfB
ztbO^?);&SKF_qU(Zct;S|B82Coz`@Bowfg*_}^>wx6IG0w&jCX%YR%N-oEkEjR&mn
zlk(Zn)|yN6$7Oyov4{7ydOyrddF%bN<?cRt@yV*+H+g1LSlkOEm(QIyci@UHD|)Z!
zd}~{?)pvea{Qb6$TL$G!3uwFd>AEk}?L6$`{i?;+`kv@}<_Di2Ds*oZk+!<w@{!+F
zUAm>ir0rvVNSgoUZ!aZ$`Aqx|XJ6lTE&H)IL-P9Njn4idt+U@i^?JYB>QjFED@Fd^
zbX<I7wUE81?)Ps0;;uIBzl;7ndftV1=4?6?`OVQz|JNz-!x4L4xK#Vn=slzNd{akV
zr$(J_-EVeJTG*%irthEpzU4D5pV|A*-~W95&#?tf7qtreuhF$d*B1S^=-e-ZpPT$#
zgN@5J{u<YH-R0-LAC$Cl>zEnOg%A2}VE^Y{T;FNc;#E%^+p=oQ52b(D)Z^10E51B7
zY}cCm8~@n&<1dxhTsf{jwR+>|jc-N|8&YxDFTbzemGtShPv6}9=Ktlj()ho3B49<e
z=c>Im;pg$?BA$&nyKw&(Nv+@fJ$3GlkYNK4lsa&{@uiJr|9W!wh{b&u9qBx*;;>B<
zrl-vOU{<%c|7tids^Oxld(Q0JcKPXvY2#kJFy(OC;zjEh?Yy(>)K5vxl13!GclxWp
zn|$@;mxCHlIJj$H`}4i89BS?R)#srj&#io`XZxPhhHbc3D<mdl&VW__t@-7<Ny{^$
z?^cXTj~f5grKn4h&CfPEJLu)Vn<xIV@0Y)N?u!5N<r(MNPpzem)lShKVm~B2AseQc
zHLdNm=jAz>Q~p<D`$w%KPQ|6KJ8`G&hf6lKE#LOzw^zM=Wyh)-!}r~uy{bmWwfXz!
z>>m*@qt{#4j~&!RUyc4?*IRydXS_FKz`LzK8as1fl|y0knoc@&y8VQ69kM&j?QnL{
zu&|!tKLtPCw0_j`hOb1PY`(e4=GJ=}4juIO(SeHxb{*C2vG9iVS2r6o>bG;bcT(QF
zxcH*)r8g?h583zP*w>ft-<dk&hYCM7EYl!jZkuOj_Gt0hy|$(5FRSq36Uk*KJ@Jvx
z>pQFM99A>rP_sibkGFrJ{^LE8yVUPK<&)cUwl;me_V10qYj9=LJ9U4Yz4aOYXU;5&
z__D&n*MdejY8A09Z2Bj2W{+#Pyhis=Hx9cw?CQ|h{#qF~V_p95V?OvL<nhlne~er|
zd!=enu+PSJ-(T<dT)qG5Yt{{m8!&YHKePS}pS$AAr~bL~_xe9i&2Ik1-LJHF%Iqw2
z;ggNuz1wX-aJ7L~x2=37d|l+Y*H8IeDzAF#-DlM+BY%B=WBt)bd#<=MVBYGtw$+)^
zedM&4cKrGFjt#Prw|x8iT$%Cat<(SAd9mlfkU{4*L}$OdxN21SS?{kdcdFvN@>7r3
zJ3aYI)%W86+`i!SXFvbAV)v%l149oFy>azy@R!dA%w0b3>b!t4{wGfU?0@drpYNol
zcRUp`@1J_7woKpHe$zMGBY)i*_ro9i|7qE}-?#lz`(^iQmUQ^chUot?#~ezk`o`Au
zCby5CdVXt0Ueq7Io$4>^-~H&&qj5Q1bJl0HUOj91jm)_@qhDOrWAwN?dliQjd74@Q
z8~@w%@6l?9TlMSn@v*0Fbq?5D{kQzZcP9n=H}miRe_!mmSZi#D*Dv45@IIIExPQdS
z*FJn><ps@=>aSHBRxRX}b_<gic3RYTVb1eIp5NT_@2Eq^Zl0Zz+xb-Wz%QCa4to9R
zlzxAVIC<mkBcBdSKJek<&lkV>R>Q2*gHL_E@r`RS`_H`+7=L$jsfia3chr7xt>xC1
z`(H@@bz<_mQ&-9k_;tX-pCVo!eRJZ?$ox-_^xV7Ui!BRRZ+c<mrlcv`HoP%3<3`ml
zo9{o9y6yG*6|~2Wei`2C%(j#%@fp8oq@Am9=B@E{^Y;I><;0}ANvpQ@-1>5An>%e!
zv_JFS(bmuBpFV!~^wd`pCoM@ibh>kfddBnv`E$}f4s5Ubc)`biz3cz(tuI?dg@<2k
zJwES7?how`#2%>gWySoj^Z#01u|mjOnMZH^xBt-mLrdo+&---y=>L6}cQf%;<)2RN
z*}3QO-~O1~IP9g=XLIiCm~?tlwY%S(3+#FMe?e30X@_U6P3wE`hn!C<fBLCbshFRV
z8`C)W6k`!BM)VsvabWjnB4Xl4H;j&r9}?Ga^60VjBFb1~>&auIV@AeJ3>p$QY{ZyW
zHSccOUNdM!Y^$0BnsyKEKDK?_@DW|6jF0O(rANP*DI;UTV{5jK@`;=rK@p6On;0E5
zdGx3;6Cx(Js;P@Nf{wX!NX;Ofmx&`=)ojZX3>w(IS5W)-@o_;-8#WD&32hV>)I7Xl
zSktD>n>T6@)F?EpNl0i|NLb_Gu<(c`O(H@=gY>3mln)(6j*lH0(WgTveR6cxs^;*C
z6URn`giM+=so|u?4dcfT3keGk4-W}#6w;_sF!>0c@cNjE(UXJ6OsG{5i6Nd2aT8+3
zj~F{~MEsZ_9&hxJ_*W;ks#%jK^uXxLHG1rWgvLzJvm=TjlcUFmgf$EeDJD?&?&gDy
z9$jR}2@^ZMMmf=!tjGi>^m~15Tu7g|3GuIvkBRH}THKh4wTj9_Y|Mjr#=bg!l#Wkq
zOi0|QxX~130%bm|$SjOCv_KvNFO-c3my0d^#1TUuR!*U?{7SLG;wFzMCK$g`5KMO~
z6x2{8-G347$Hzraj33`GK7LeG!Cm&S{Y1?tepdz6>mD65VhnFoJsBBd8t7q-Ka4M~
zL-fSBC<@y&IJ8-CXybliP3d-wXiCS;>A)zG0-q*vbf>#NHhN;TC9xFpYZ^~{?1-VS
zTNKMfpM~S--aVr0m<bc3$Hc^S?GQy}Z#ZH^Y($G@Lz)k19@Zi_u2IwI;3hHjHy7Qk
zMdRSOnC30Q!{VBShc;`ZD`er|k3`)eKIT<^D^b)1fBLcUF%<oS8zdsGNnBiPqb4!I
zjpG^*4Gs%y-Xgd~c;m*wLu0}l4{c1z#0@Q=NeLN6_DDiK$B&>VQ}ie!KfElllvvZD
zEt-T6iES1f8yhn;xJhX2kl^r`A+f>H;mu>CW1EFGj*X5sl%<Gh9!aXphzWE*y>4`$
z(cPwd_VkS#SJ>5XVbloSGh}S^_z7|RPqS4`!{6qEht7j%3J;_E6OV|F;ZL8a7=8oC
z#YTn{a($Ss2O;&rMm$=bmLVvJ-za$TX-pa(H^$uUUl5hfSMiZdh#xv}QuO$^w!`QS
zvFvZNAl||OO%sR=;m_+)Bb-nb6QW<UuOck_yK<9?cz7qr438c&EG{-G#BdWE94xE5
zf*LLS*Jb#Nee|y}GBze+X#Dum(G#OajE)`_7czFtu*i^yjt|p}eE1w{A3rL7eE0a+
zxTwaFAw@YC8H)PfdKGlPMNR0_xm{4#j_sR;g*R&!+^AugaWqE$jN;)^7eP-Py8EMb
zf9VwF5jRu+1NoC<)T=uG%^QW12?^u>>Vq0zHVrz+d{E=dra>Qu>_2A2#3*|9>oRKM
zY!r&?afA+PUwU<ni=v{LI+^<JHDYqysDT|ukX}sS&%GwRP`W^-SBeZdsMwH3SM(tZ
zZYZNyJl(URz?EJg>D@Kt!OQC-kC6w@TSp!|ERrK*HHiy}m;f<<3S8#-m|O)e6CmbK
zfy+D}ldHgG0>u0&aGB?0auv8tfS5l8F7td$t^$_{5c8+NWuA}8Rp2rKV*V7k%=0n1
z3S1^Y%%1|6c|Imrfy)Gl`BUIB&&T8{aG3xxe+pdY`IuY<E)yW;Pl3xkACs%VWdg+f
zDR7zRV{#R^On{g_1upY^Os)c#2@vzAz-69~$yMMo0b>3XxXkl0xe8n+K+K;4mw7%W
zSAoj}i1}0CGSA24DsY(qF@FkN=J}Xh1uhdH=1+mkJRg&*z-0o&{3&pm=VNjexJ-bU
zKQ)WX=izeDxG}T_bP_H0%;}f-4=of8is{m)J7ZIxpj}L+GnS>L-y4j*8p_zs!L-J7
zK4TT*KY980PR#rF?5-W!_M0qYTJj{*@_%7K00ck)1VF$_0&*+;!#fCo00@8p2<Qkv
zKyV{~00@8p2-rjb0%8+31OfpN009tyfZ!eg0T2KI5U_~=1jHt62m}Hk00JNY0l_^0
z0w4eaAYc;#2#8JC5C{Z700ck)0)l%01V8`;K)@yf5D=TNArJ_F00@8p1O)d02!H?x
zfPhT|ARsnjLm&_U0T2KI2ng;05C8!X00El_KtOE5hCm<y0w4ea5D?r0AOHd&00K4<
zfPmP94S_%a1V8`;ARxF0KmY_l00e9z00FTH8v=m<2!H?xKtOO0fB*=900`Jb00LqY
zHUt6z5C8!XfPmm0009sH0T8f>00hJ)YzPDbAOHd&00F^000JNY0w7=$0SJgq*boQ=
zKmY_l00M%000ck)1VF$h0uT_Juptl#fB*=900ad000@8p2!Mc11Rx+bVM8Dg009sH
z0SE~00T2KI5C8$22tYt=!iGQ~00JNY0uT_~10VnbAOHe35rBZ$gbjf}00ck)1Rx-|
z2S5M>KmY`6A^-ug2^#`|00@8p2tYt^4}bs&fB*>CL;wO}6E*|_0T2KI5P*Q-9smIl
z009uNi2ww|CTs`<0w4eaAOHcuJpckA00JOj69EW_P1q0!1V8`;KmY=QdjJGL00i8N
zfGi<@s_RMw6>%MFqyz#W00M4B00QDx)rrD@00@A9>j*$VT*n$IfdB}AfLjrOfVfq4
zqA(x;0wCZz0uT__u|`TD00JQ3Rs<j*ZdIKq3<!V#2)K>_1jKc$krD`i00_7h0SJg&
zRVNAq0w4eat|I^eaUE-<1Ogxc0&YbB0^(NHiNb&Y2!Md=2tYtw#~LYt00@A9TM>YO
zxK(wcFdzT|AmBOz5D?d~MoJ(60wCa41Rx-8Rh=jd2!H?xxQ+k>#C5EZ5(t0*2)Gpi
z2#8x%Ckg`sAOHfcBLD$$9c!cn0w4eaZbbkB;#Sp(!hiq>fPm`=KtNo_8YzJQ2!McF
z5rBZWRdu2;AOHd&;5q^j5ZAFrO2rUJ&`vGp3Y<Xz1Vm2&DkAzSLIyzq1VBKX1Rx;d
ztQX`81V8`;L{9($BKj&q20;J>KtP-XARywb7vu^AKmY_pPXGcU`YJ*OK>!3mK%4|1
zAmXeS<O&2p00cx&00JWVDnbT900clloCF{s;;a|s3Isp^1Vm2&0wVe<LIyzq1VBKX
z1Rx;dtQX`81V8`;L{9($BKj&q20;J>KtP-Xl-6WRCX-p?9ezPT^aQH!Od3L&3~+Hq
zzq=4s=9Y`oL~<bT2m!5D`-q!04ps?>H4(!v2uOs$Ta?f0F3xKrr3V3VF?1y7cmn9c
zay(PS2m&Ag0v<sC0^$+Xj6zyKU@3Jg@jlubdcXJix!!Gu-mSO(JX(Lg*2s_EiPg~i
znWJ}@ray0M@PJ<sa2Em)5O=9blmi4n00dl200QD-;7ASxKmY{Xg#ZM^U1}2L009sH
z0T&a1fVdbqk^=z{00DO)00D8AnnXE300cx&AVE7-^m(*8gHRExks$yGfB*=904D$e
z!F>P%AOHd&U=sldh)viK2n0X?1V8`+f_nf2KmY_lz$O9^5Sy?e5D0((2!H?t1or?4
zfB*=9fK3D-AU0t`AP@in5C8!P2<`z8009sH0h<UwKy1Q>Kp+4DAOHdo5ZnVG00JNY
z0yYtVfY^i$fj|HRKmY_FAh-uW00ck)1Z*Mz0kH`i0)YSsfB*<UKyVL$00@8p2-rjb
z0%8+31OfpN009tyfZ!eg0T2KI5U_~=1jHt62m}Hk00JNY0l_^00w4eaAYc;#nO3W{
zIG{`>v)C^@f`AkVRNt9&p7L3pY#Q0yWR+yAlI4FG7s+x{iL8d~Ewbrk{m7Ojn?d#_
zS#Ee7+*~1>OSTMIf3o+<-XrTpwjx<>!Y)LWIaqLre?dSv0@ghLi^?VcV}Sty5Ma!g
zAaH9i{B6k~3I@0Gh6DYtcM*QL_!yf&I^h-u1l*1Q1jOyC)L{im&`xz&T%wO?CFQW3
zi*uRe;`ERl2sniR`mvmX6_J7f2!Me23E10@g^_ge*D-Pk0w4eaq9gzT5oNU?Qy>5W
zARvAM5D@X#5poCuAOHfQB!H20QC5qSGqv(?BBjvU$*Gt|-<$PoxW?c}b7*_f@lS?x
z7ya&_IkasGrM2?#c{(?pa#hHS6Hda21?KWP0W6|)EdjJZT+17&fdB}AfZGs23&d@z
z(x!r3pioQ5@|A9r$Z|8S;D_-RLI~MSWcQH`BKtDg8)WB`<z_5dzR+O-+3RH6kmW6#
zLuA*G<*V?9kuAv>!W+`uK>-rU8p87xd9%rKGn_16mA91ad9p3Yb|z~`lMdNb{tua1
zWHZSQCR<V~!w|j{`Hd%=MRq1xZU&R(;eRB1oNOrBo@7suT}GB0Lz;8w_#W9VWSf&U
zlqHCcUnUD9Ab~P#FR7DyR?8MJ3vQJ(S|Dy!omLm-JawfcP$<KLlIhM1+z#qv`&I8}
ziT?b$kstn`<YvC!PonOOv4i^a`TFyce&$oxQUZB0q?xEcH-x{(&-HHC^^q;npZ}^q
zKWOAf@5E;6{hT*AnE5s2dA8n9rcpT!;g{*lwMOsfxRD=2)U)+|_URoG_2)|r9`Gv+
zfpY6Ezv-(|-7CBHQlv0BaKBU`AnsSEC=m#NfC&K-jWB<edYW3U@b*`0c9dOr39UgB
zMz)+nKy0CgFdzT|k|N-xRBn*#cl1-pWb#0@W(l=O5+qd!5oQ(wBEm{RmOuam97lkJ
z;&m^Dva)fEGA3gIYR%O0>o0$1?2cpW2tYur;|1R!00I&sK!fITAEolmqOvR_#{iXP
zB#Fq}qOQZOWC9S7k{Q7V2!Mb@2~fAycomI%n9Dwi$OwptIYPx>gMbvz23J4;1SC#C
zqfkt=qzF0@S$BDcC4S-OApr=;Ll!s!0T6H_0yOg~ipD++U-BxkWd3UP6dErXUZO{M
zct8LG@&E-6KmY{XiGWfrpJGjU_`o_%^_@#od|O)+&XfH@Ks>qjQFah;V*+Z0!s-Qs
ze5$XnQoV@=-wVy!a$`((6%7Jn7d`|A0T2))0cu6Gphbhm-zl~@n<}|nL+eKVvN(VT
zdxU^^aOI=uAmFY96f$|7J!SJ&D63Xje`UEnad<*l2#6=tGRg=79!7vxn_JU;m7q0j
zg=xykPo?fp&6!@N?l^x)04nm31&%-f1l)uGEdU9!w<vtIp^sAa9Sw?j*&CO;hKGQ-
zYt5ouAmE_{=z(921~b%-C_W9Q_)uJiEtnk<rCY@T0dcG9L}5Sx1Y|PS!I2bvm8#CP
zu%xjg<8+s}ARz8ilPCuWfPjtw&Bu*!BnrNhuSTI<>Bu<UB`yevyVNAg0RkYPBcNci
z`i@57tyBilfchXu$1C;tARtn&LF69<K%fu-YB7{6<lvwa+8gB~2Sw#J(Lg}lrYcbo
z5C8#AfV!|sIfDcVNF{28^mj(wQjHS=BGsBhzCi#4iX=b+;#1@W2RPEKthXHyjoU;4
z0dbqEL_t6R1ULcO8Byab64VN*OVfm_IxBvu#R~zET8$yUAOHep3DBe|z6Q`KhVQsY
zTm8;*O5_rZR4KtcBg>8>P>HQPJeZ<;*yJxb=PA_Y|Bz{>_fxOnl$Ft+^HV>)TMu#z
zrDJZnsjc_(c)@9j|MsZ9Gl_>aq!~)*gX!E5-cNtdBPzrHA=8E2g6OvyKOs}w$WMU_
zW6zOWI-OK9IGFi0<k>I)t2Qd9A$&V><NfP~y)qs*@?(g)AGzJ86T?iPP`w`mKZ8H~
zN|XRCEbJ`NtUEm0GObo?ain}cG>jV%Sa~>+O5y4cAM|GZ8m=+WqX&C0I{wLU?xNov
z7oy6vDU{aA!{_O|dLcLGpM(*MgU(OJGgGMk%Z(hROzyOoWB$avmzDW=QqO9aq)ynH
z=YLUUMHg04RNw{zARt)+^iG`T%*^xGXxg!Hj5E`aO59FUX{iA4(0o2a<#u)5r<t(c
zK<A}R+?;)yTSNj4$<5U-QYl5`15OSiKyTIA6qVBk(s?!&a(Ns6>*)qvSe||dp!^`<
zW(2BkxORhPOI2`Yv9j~>QZ99?6yVG>ToE_Auv|eIX@CF-NQOYZR_pW@9u1`XO9qG&
zGwSN5yAz9os6hY(K!7n4kSosSz$X;ZdJw}*J7*^++W1}F4=!2|F3H%+!+bjEaF?X@
zFp+yS<7f86Q<`#AFhw@V*v$pU%V-AF@dxRwJj|!H4t#L#nuGJiVu^85#9}O+moj#9
z!SQ@zas5F$D-XAz<1P=*U2|~IcvhTil5|Zf`AmD1Qi^hRYNR2}DUD;!PDjk~LqJ?x
zJ6u4fx;9C6fzm4^Aap*MtgEN-9;7rM3J7CdKwQmY2c@}$tg+z&Qr+0W1;=YBjfVol
z7#9#%vsg-L@_e|Rp%%y<D%1#P7fjA%PdGabvBwVq5qk|Ge;@z?RuQ0SyxXh_V7q6P
z?LqY+m!ITgDSS3!DYC{x3R!fXO7;$WwhmtmD@tRWVNqt#jWgAjx)Au3@@e`q&e5OO
zcu;13y}-{}y<0S63EHW8$KHC!9lG-ZkN5R%HS~U#K8URN1HQUWMwj_rtTX&v?`8-;
zPJiB3@8yt@p9^}oFuk8?`tzmw^DzB+Nk4pbos2v!)q9+#KR1NGU{uaSdOvOTe#Ys~
zmm2xeJ5jj`;@x3zF!O83a}B+p`$pw7gzv2{SG3;GS|dM(sB7r`%+Whc)1S9Bcqrl5
zkmt2}f6@9f^wyv6Fe>MLy;}{vpK1DY(;Mo(QJ6z|KW_U&tNgCz<mY8LyMWY>RobF7
zmY?)y%TGp<9YOYUvRlcXB%4X$lgVBn%j@NUk>&kk7s;lPzq@3Qko}2l0@=P~d6$OZ
z2F(z`s{k1Q0T6IBft>vOQ!2TFFZ6Mm(K1H=7h#s4<O@++lI=>iHQ6w-_B?BO6NTFb
zWP6b<Fw0M#po8sX*OJ{v&6S*j3$FXuo<g}Umq-Z&KmY`+Ads7%&mXK#6%dk-s}HiY
z{3P$w;<F*1CEJ^<FIi`sx|9I7!^!ei$}0MuOG3h1GA=O?5SL&^A|L<)t|XAB)qYOt
z#XB=iYJOZ+tT<gGPn#b{=?o!T(V6L$5O-<19;>s<Pwu7P_sOm$F`;Za&tM?Ld2A6g
z2!Mb<1ZW)OR90TzeP<@GmdmHhW$YxS@j6){#ly6i;pD(~E8Rz}k~XFn9eEA`aU@N|
z1p*)-8Uoq*dF!2-nS0q;6=|$R%)L0xsQkgsWB>tiCSAl00w5q50U8JSpSGBBZhJFz
zH!G8+=em5%+S+WNrT`194P=df2#7Vb;1>iyKr#fV8|y+wZZ4mx<WR$fBPq-2vxFUy
z=aDo9!nY@Ont^~g4J{%D0T2+H0Ci)%>c~9M`Vw{{Bh8UfIxDWFBp#cc6}cf^2#A3M
zen9{P+>XGV9@W-UE99ah3P$^+uxsgQe8)ydMCZ&n&Qs)Lotc0kZU~5h1b#sP1l*E9
zR(|dfM?CU*%Y(N-L~i)N%m8YA+;c@fAt0`xj5I(11Oy{Mt&nXrZt;gb8Mu>~A%#J6
zUc{j!9)H?XR%^mSK&+t!zaRhtk|aQ%5$r-!ZfzP+PR`C^_p<r6RiZajNj#RgGM5k#
zSJFmWAOHe_5TF@Z_tJ8+W327UqVW@UJ5#hf;u^D@MdI<cv4bm)At0`xj5I(11Oz8Q
zU0L6z=45|uX-4>X$MuX<C#@v0G#3{6dz-{#vPC`}><I$mV4#Q&1VBK%1a5Y(`f^%M
z_U|R-koMA|8CR)dpK-+p%!iS9Of9KA&bkf(aTZy`3j!b@N&?rrSB*@|&DmF6=J@LM
z>m(jDW>TCNF}U-cfZLOJEEF;`5D+2hBW(}>0YL~{f2K+}b!YujRN^->(phF+Zc&%S
z;<l195<=p!OXv)Vc_T2P*&uxo00B28P-g9=3QD;=#I$&Pz?{0cOr6DYewi}Dw<lRA
zmJFc<B9@v!K0p8jTtcAix=Y>sRH_SJ3S|}J1o>3m`!r=&geHaZ#6MU3l$gYWb3zM*
zQ-A>h5D+1O1g*nIhpFiyr>4jEq#y%iOjfASDb)1fD+Wbo_(#*{k^PX=<F?51rppdg
zM2xk9Jb?fRIFtZydUz{T-)R(zK+}l%7Q45^wM*g=%Hv$J-;i*KdizEQi0R#ga}WRl
zw;@2Sj_PWKVzrM_)u?crqo9a<#QZvmhqbE=odAgMJ->qNauN+LAd)Z;5J^-MG6@18
zU=0Bhj*2R|d?^V>C%H^kly)%M?_IaxLo3V{yH}_@yUA`Pn@FO;zW^mUBeMoxG4&w1
zLJOARm4`zq?F0JsdDE0n81y2mA<O4~@J?7hyTP9<H--;8`_eHNdw!k!Q<3!{%l8LO
zCCiPWY0gL8_$+pQo%_4M`ZWxq-v_4p&ZI;-X-(D;p8tUbkmbgZrXf7v35X9b^7MH=
zc-%Y<Zg?0Tmgj-TWhe_@<-|9EP>}T_%T4bKQDxQ?9MZol5BH*ff6|{D!W+`$>G5<8
z;rR<9?+@mNv*C;k{5U(Ft|3i2e87T-;bD0mcw9S(MH~8kV2H(eI;l?95WXn>hVZ;h
z+@G4PH(6ePhAswE{`@-kXDEw-A33owVsVfk=*-H)W9j!}{h1-pw$!<SzqxzKz;7wB
z7_3jzZGK2NYLIX&AmM0F!cpu@A->S#N?Hob(^|CP<01j#ag`&>8Cz=j-x6Q6ab9oF
z(C;C#2gNd`Va@ZO^8JY6H#Lkf1o#8O*zku9x5mcsP%^mjhZ462!yk&KehlJc@MG?`
zsPLxo@jn>jKN|jrWa`Ht5{9(6aGClsTr29=G&~mtZViTulxcjX{EAA`Ac}@~%>5P>
z-ZV`vaK?uJ{h0bO<!@RR<M2fto95Y;I=AFrDk^Qsy74g%wOlcSrdNfKaF{JeE{Vpq
zbc@A<zko#11OI|9(&Z=lJy3=$uX|osrXs~(0Ju$}Fczs3`IW4JfVj5mZc%b`T$?1_
z$d8(p<n-_j_|famaN%!X#)hA}nnh9F1Yc4<_yfU}hTjLq<^Y|zn#G^S8Ia;JwKgg!
z<g#fRxpE*4j+e5e41AxGt7%p(HUIU2c<=<Ct;1WP+`<q6bYbB(009t?3;`02QVN-D
zf=aG<fkY#yq}GOU!3xA9MK|_g>|VlgZxW3)CHRr-WprUlw(5{^5C8#72$WrWDNG@k
zk5bCyok%nuvqm%w@fUoPHq~13xJKcBHpGG7M+u+{>rp0f0Ra#YkN~wZno}#|1zPmi
zhFTg=(4e^Sc$n2WGl)l)^_yHRrq&0aC;?Lp0SHJjVBib_AmCgABoq~CyqnLKicl~a
zZ)MaW!6-xGVLC8vb4Co}VZ#oIeDIu)kHMHB;JE^_{A6X~(%cN2M=k}bH8p9bNBKuC
zzySn6;86lHR+_d9QPZ5La%9WUGJrr5i?U<`6f(KDBZcD8#A&{{{=*(NhzE~uGqpa>
z6%{Ys9un|e0b#5yVfgMLijt2s3MKPbna;E=IUIa|00_92fSuyOGyAb?b1co&9M)8n
zVDZaJFwe*`2!KEd1RNk9$0&)-B_xB(M8J~;qyp{$5C8%9BH#e=;6P?m_Z1%lfhmE2
zCwF0)t{5%>6)uAS2#A@0jq5y2i*%bDzBP5kdC>$sSwJjWxmq+fxPkx(h>3u1dlFh<
z&NoQ3)6ApR2j6oJ#sUJKEFi{vN?Cx4dqJz#LQwDq0xl!KH%8=pTk&5z4c~<Fb35bk
zsNkL~AXYC<%7=b<)E@^5D}DloE!lJJ7Y|<8uc-BLL;R%{PYyj<K&+lXzz67HKmY{9
zL4dC;zm}d#Te3Uk?~?a@y(f;6NhcScEFh-aW|vrNT6AHR$Os-lz!d~C=rgqZOM(u3
zsr!~%9|c>syP^PYl7`i9;m#;`c=x_l$eMm@!5K-}6{p#oH9<SouE-G>1VF%Y0;xIK
zy5@)3KT6A^<34#4<Q?mRINvut7}aE}IzJ`bQxJuU=(E3!1GBv-R)@5D*v&!hWvesl
zSpl?6mgTwMT##kc*BBksFXNWC&Hd~wcEj->GUrW@qCOZS7(;p%@-M#qNS6PK)`&tt
z_O4%bl?ZhwyNbZMsyV_x9cGoW@Ee#`#R<=a324q9WTn=9!erT=H=R<Jn@we(&Ad+i
zRTv7+bOi2XWw6_s4u84eqbM`QgqWUz{4<~{$o3+8MND}!&5I}mgn${QMLk0q+)C$_
zOfxEm^IXiua%wdw?%!hm+rMS1o9F34I)}+K4BuaOYO<n;T%MVxE3@jxdFH=!8B^TD
zj37hB@F)CDYIWSpqSl$?%@5T2IPUmpZHtkfeSDh?zL!dGeGE3NIj}8lTSAFKKq%uO
zMwt(%;{yb;wUL`M4y}HbvAYFAE1mpze9yd2{Nar9NIFi{jdQH@s`nXxkaEKxq@`DX
zz?4b6aq8YiarZhaMP*f8<DdGaZ-r79Ug=eIepOVxDuPr3ALroHtx{;*gPU^a53yQ%
zS2MZwANVLL|2gFNW>FV}aHD5lOG=l2<G7Vk`o_;jBWH0Oie)O+KocCi1+txhenP)f
zsEf<$hrLOBMV(sRg~e}X{vYjAT~vH#-S~qrVCxd5ymgUz{kMnZd;78M$DcAA#uF~e
zXiAOm-y4|EetPNB79N&T+`Gw2ub9bFBm1+Ary>c5_1wkIklzdbyMAP{oUB4wm1m~1
z(rf;YrH6H9X-&E^t;*0yFXYXwPxt~4E*^#@=7HBvv08gpk$BKOlXRJ#iRjPLO7l-M
z*lhUH^RqUGc2Gci&hb{p+hoU+HGQdnj@*7HD@r5yhtUaM4I*=tY;jFB-Um2|?Dr%j
zyfy0>v;5>Nis&_KBdg{Y!05vu76;?qFus5P!o2@Yq^}ehJs{<BmeOhf%V-cqak<}v
zu_QoTIJ}PU)rp5Z?S4t#S@vV~SW4?bEU#3>68%cS0~bf$Ri(akti<f*`vkDGrrlU(
zy$GgNs!H_l4j!`d^7IQm3jSs)(zsBKKi4vu(S9Xb`uNn1I?dUY;I=H=+v@%8_zPq$
z5)i%tmLP_nef$rfzdZA2QMF<+kxA|i>DhOxnCo^q+xua3K?Q^W@&WTivP~_Zz(s~n
zwOc_j^DOXh-plfnQ^>;%^PV2PTFKj&`C9N{5apdK%=_?m=5_K9#vhi&8Quy>i5kfA
z0?QZY#jV^G$+vYaFz=(gtRLf`2L=~h{zjhf6DUb8^7Q-6_n%GlLa~EhD6G4U^Syjo
z=2NX$#*;1G`hH2HzZcz1D{Ap;Qt#@7qx6*%#nyK|eXQqpjZk)-1lEcc$(tk|f=u0|
z=N@lm^d-xmL7~MK?BNC8trh8vo*2mr2tni@<ycLYzk*w1E|TX3WS0<7+dIgYpNyk8
z7Fv@q_ghBe%}Q(dB#B22Z*6GK9MH|8QC+p-g@IZ$8TBKnyP_k@3n=$!#1eOrr`;>y
za{3?Y=eNIKUrP^+%zEK0qhVW?Tc(O6=qQt}G4CUZI`NcI7mU3or*bWpRjV<}su{}i
z{L9!IooK?}rGfG!nr+2}qso7~Sw;Q=W`)ouR|wLHNfN!7<#_oOSFY=Hfww-K(KTLN
znv9-#{APWL>~ONxi}hIah27-bkDhrqioR@{t0V=4KyuOenyj@DjVbZ&tVFV0gnlNl
z=jqpSv;1T?^8B;q0SbKb&k|OkR*23}pS|+dC8oY|lBqBLtNXQY4!?|LS8u>F>a}3m
zK@BC_UBUbFxlpJtpCB$r8E=g_%j8t4%`)q@V41ZVF|Ec`Gr%n?4WEkab$UNdn%GAJ
z;#Ry+SQh;QU%6$gvg~U0$<||BShT95UvM4-5a9v;W4@hwkEzZdVdc;4XQeM6Cl~H&
zqoFUZ->+DM-K$!UCDU&jy=d?*FTEK`;<3nZ;>=%q*70W?f7bLN+m`HuOwh5l<}w9%
zk)Cyl)&?xjzoZ0&U_MR-nMQVSaRsu&{S1XoB)f;~-(>$I(8a&%EkD_W{QO1MLc^QW
z_gJa>H(15gJ2Xq^0zD*8(Ru~mMd^6M2Til9Jz4Nzp#J~7QWYGZhy!Be-E+!2mvutQ
zCkUv>DsR($ZZaV5fTYYvL9Mv#s&!Zv2`}fCSGtmU|4zEfXH==_;ioxwm_*|wlR0L#
zkmb3h2WM`%$5>AJ>MXZ>HL{Ph+_H~}_GN@m-Bw=yk7>^yW&y-YPHSPDVe;tjDY-%o
zmKjj)TBYNAM#;4KhbW!1^o+1Wr3&Yio^MKWsZX{s*$A?&$krw6Xv1H=-=w@>v^Qc&
z2nc~~Km{F5Hkz!fMgemvE#6<kU;TJj*EO=d`N!?uw6ax8oom|Tr+h_0cI3HPOhGrV
zf~E^9=vc+Oqp0geO?}q<SCf*YyG~&RG5ORS&!so19C{$+m8nb*g(}qDRo*oZ1`-1W
zi6{SKS0t0=zueNpQc2e3VqrlI@PTLkHl9OW8U+v0Dh?kvk*6o?rWq@5l5o=66+R7@
zk8z03a8V&a<)X^R+VTP`=(<XE$9|=04u?H2#g>(pciZXi8S2VY-nmLI8N`gHY74y9
zCzW!4mh2_H<qu@uy~P(GrIF>=`7t-VS!Zb45j4hUb8ySwRCw3a6J%?Xb=C8YzZ@?i
z`xyzzVfwYnh*m&IG<e7Cvt(Z&+tQ}eAyA0~_=7Ufzbwo54WtKT0L%CCXId{Gmaq0M
z)TN`F25LNeEI*f~j%L#vGTn#tmdv}IxaHGF`Gb-FVaqf4@qOK|wFAB-W?TRdyo)Q(
zw-n2#hbA94$oHdT8jRNx7cKE(G&9c7{UghvmL<)a<K0la4_?QCizxNY%gORzx7c!p
z%Fd^h>+T(z$;4k&I1}#1?-|{FLt{=_dePGI$s=<9lC3wy#d!KL=OO33_%FYI_<ck(
z>=g9!B}!p6ltcQzd#MQDkmVDMteRCODghzUXh?;4T5ow1&hq)L<QWD8KmY_lz-9vZ
z6q1X{2C^GTOn5h)StF=`kYLoK+(nXYLzWMWS0f7p0w4eaARs&e-gUp7>@Ko9NKlTO
zX33=j649d{UslfthFa@?c^@DQ2!H?xfPnZ3+@dV*Buk5sbfR)-&$^X%O(GC<A)(;B
z=l;HcrKSwEB_E0aU+SQ9{@|l6c|#Zw5E}t)W;V;uD7;;ZOY%q)2v|Vivus$46)s6n
zVu{$>0`cr8pj^Ji*80}w@JU`UAOHep3D9ct{L~C##Dizd+h;Gt!)y)Nb<t=_g<bJT
zGq7C#GvjY4bdy_aw7E2MiP5YS7!Uw~A_-`7^H_db!ECl7JviG@siHagif+zM#*^ds
z>=ww-=9x^T;&Z*NHrkv#n}o;egb)A(BuGG;MO{`Yv{Q)j2BNMmhmX%lHX`D#tCRJl
z^gLTYcugynd?Ard2HjXTVM8FP6G+fbHD3fnzg4;bgC52?^Y#6k4G;gq*a^puCjb>u
zD7V{+Rhx~$5L?+Hocj^r{Z@I&X-x39E0rpXX}mhRA7Sy82m+!|EU~p(bblx|45HYY
z9>RfuSPAfHRt5c5)(<K=v`l<p)7vMS#Wua?(0CD9kpw(@F0TQ}N87SlZjMbG*~opo
zm`r0+P($kY1p(<2pn(oPTFzS^qA<RGKeLgM-9?cX31k9uc^y$nYE|){tSKRWK4J(1
z0-i`fo0UUdR_Wpq4~>TQ%2xIC#JUiw%;>`6<Q2*_wpM^PFP~}Y8=Np8;4uUq43yJ6
zU9oiGDirzDb=95?ZO%7^f^iW62nYwQRDG&j6k;QEZ6@Dd83qL0p8%gYl6PMO1LdZu
zef<(hJWAX_&@>p%?IVCO5CgwC+i$Y0EStYht_Y-WXv%2-4+aF>kpORXq|;c37-t^(
z`0in&TH(79Hr#g@1F->GkwH}IUy5|M&@mrlAr_K?H>nZevki6AbHykg8ch;YtJ_MA
zsk`JCU08;iRH<gz)s001ilXTcHk1j!AYcyx-s(uB&8%ocE0!<t^xUG#p-|*9FYj>b
zy24DBqWHML4FY0-9M|k5y~$YhNiRcC-7o)RqisiFK)@XcXtQaC6(8#mW2=J$=IcFt
z{bFgi#FOs8TdHM%fEd@DT5Z?9&wN^=DBskK%ZOtTFh_u|>)>1H@|_UHGQ+B<{QCMW
zrL9Vq7Ig`3t|Nd!bYs?E{8f(KyL*#%fwOruT&7krxv!UTtR8pF;XPT}o7MK$Fn_gz
zC1>Zc6ZbRONwP5FC7}Co2X94-SvWX8AKK??RI8@qB`KYp**l010Wq!XPj?<=8R_*+
zovk^S(-)^?9{9y6Idv=as$Pl>t5=>?^nP@8{)N<RHvhky?AOcpnFxE-t*K(S^2=9|
zYxxW-TGJ$Yqw%`VyuGVq+`}<71p#pk$A_^j*!vv2fB(CO4%Q#ZlnN&I_pv^pghTkL
z6l`{jYOF~)`dp*lB;UW!l9Q8JU|=Bg4+t<gvn^MW*_;1dVVP2RU_HpS8y@g+JKDoa
z*Yzre;;B>_%*Q8)4GX_1h3rZpj}Q=N)Y9zj$t*j|-=3&FX^$)gwLBKJ3Sy1Q7KrA)
zJ$u>4pEt1U*RJUhDwRq$>5VC@dQkNTNVi>0W)uIogqFwyBCb8)qM`fFtk}D&3|JJ3
zJQ_3)r*V(J3{Lp9pMbprf<g46>OiCUvM6V3+;o4OVx0PDO(87w`+V&(55(h}B}>_t
zi@tau9z2RR?b;O*5AN2!N&xFxEs!6=xR8MEQ-SogC%!09^kW?cE^@h+`T4&9@h|`p
z&o2a|sJc)nCe!yY?c3mrcMs4UdUrQ!T74f=r(gm9j_rwT*N&Z!6uE4<vX8iNhY?R!
zDAFB{P9Q)pGkj(h-*R0vJLg(bOg>%L&wm0<*Ij0bcldEF0SHJ@y!rQTy?uTv>XJ2X
zy1_{|UmMc2ye|u+nO3|hykY&%MdIOITDkNgd4oB6<X_!kHD5KW8|c|H)(lLX`O9Zl
z6|5we;GS)M{<Em%@v$@cAa2_UKtPIPr&JE3R*2oxQgnlqV)<4=ab>l`-5>y$FI}P;
z(07ZB>B9N*?7itT*oJlMb=_N^d_0@+0d{VlEahEf7&zKbz_9V5q{cdoi|yzC6@A!z
zvau76#YI3VuIz{?H$$5zvAMf9u+&t$KTgBD4io`2z|5QDZf4483T~m~`^jcYcIo0p
z#;w8JCjkkd*;%Ei^#bEq0=kwjpIs&87Z+dOpV=!dhd7oDVskVBw{L+YXs6oAOsN`d
z_kak`f_{mwow*TZ@O!jUkQ-mWhjVx>$*8X{ZDC9%CC9$;CQH)t7(X;OTDO#3YJ(l7
z73Ax;m5pp=_uHFkv^aM>0k>BXyO8mwh_}yTyW-FX=C6dh=`W6mOhj><OUcsZrrP6=
z(>#647QmD*U!IjITSgb|RB}Oh5fw>#S<!!6RyWu|+viH!`1$Xk@6vXZbQwG-^AM1d
zDqE=>N#DwJ$VMD|0zMzrbSJa-W~y#gphBTw9lLb4sAyfEd0OZ1PF61a_inmHVc@9<
z0(^Q^dX|3YLkW(On-<B}Zx8idwJ~+Zxp)acKuW5cq0RZe(bG%vX6bd^$U5J7(M?Qx
zZa(|=^c`Jkx^{b-HE0-Ywq)TgBUsB;t#p3AIB^RbP@1Jx%tie&a$SqVT|P#m>$Zw)
zSxkxHEK&m45X;hvnUi>(Wo1^h)O$((_^yk5_eFOwK1w<Ju1!r=gLY8Nr|uL!r+3Sy
z%`7wH;bIs+KR@<#_h(r9jvZ)1fs7rzlg?sypJ%xqvf|Pq^~{BXTClqPN9fpXjGzBH
zYI*c@oAOAgAoeathk#gG*$eiypb4mZ9l3<pokWE1pg6x}b)ATCq<rxQpTnDyl0q9|
zmC`Lom&*$pyhrY4urYftvb)rU1!DmL-c>~{4Yv~xUUWWR7gMe*xCxx&1p?w6u0_ZC
z`R=tWEwx9{7j1KOClTQ-k=VNB+4Hr^GL7QVdCO_k-SySU+wAL8w^=q?9wpx}d~lq%
zIOq#cZntw7pV#i|_aTYLt0jYg4`&g8fH;e6QSr{-t6>=#Nh~MZvgt-e#ZiQt+*`wB
zUg{#Qh`@=uN)$3hhFq!MDpx39q88X=IoTP1(xa`|Wq`gUBrPlYv)Ta~7C?(VcuRwS
z5M<BIG?s;JcuTBQzPCD`Y@rj55`9b11K;4v*KaJX6#PVjxp%89LqJ?zo%8qhVJXS0
z9NCq{iy+g`*Qk6%u(t<wt<$?<zCy0NEmNwN%jJr3=`V#8>TB}(`j9d^BPB;mn_<B?
zj)0b?;Ob`TNqs7=IV60eIY0k?w87OHbKY>xH3T3auHjrbmASirqGjs63Om|=ru&$P
zAHCSSa@jg{CCO#-TxwlhlgpLcWD1>N+$*UxszrM<sTHCr$sewlOn|pEbS(~dZ=Lav
zdieUap)W%HSuz#)a0LN-1qAz<*iuVMRbQsj++<l<Mej9hOPmyjFE-3ePG@pInxRGO
zDja6`gdOUNqS;URa+xBX2D2|Sg>pLy$K3RnL;tmQEjVw1WM!miNO>HVMURWfod?E?
zs!WaMI#X-HNIb3=bs28bB!F31w$|H%ePJ}M_h))Ady%F2t6CM)<|}9(tDMg5ezKN0
zE~1;oN&ggdIdOHML}j@$nLJY_m*1n~n@lc0M8|6~UJfgIuUs3-?!EM2hup064f!&y
zNC$0fD3l9>=r*h3Gpe!+^$NN$2LdGJ<GYXkE?TiMtv#sF0&un=Nqbu$5D*)nTNGr$
zzAE%k*N~W0CI9@l9R2!}E!YH#N5X}Nu~Pid$YfGD-F~$im9inV78F{U>>l-MU1eHX
zGPNR(()BYmE^);uj8hN2mmY}C&&f{6%ge2zmGdDI7^?_S>yLL+<?{uk?%qvh42E~b
z`uWeJ!SYv(opCH40uT`K)P>vRq|-0QpA8LE{$FSruPU_yz2qMrxz1K!DA<GDZ3^jv
zf)uniXnccD!}T<yP~_5hM+|+?<7-bVx|GTb0g+N|i7>A(Y&}-SPo<hy!%x|<c7QtY
zF+YvmM^$)e?0Q-j>$3T@2y-vOEb+A)e9tr9MMcLRX*8N!wEa&6&9uTzBk~)-UI8im
zq!4*wkv-c9Y(IbXi5)jHMyX`7j+K0r)hl_cyvup3WZoneCG|;F^3|}&ioR_3jWpXc
z;Lag+T~ss$m(Qk>@`pGaQAfVMTbN4Sg$Bz#R6QL5Q95y83`9D0^+-<txO|<z0Mx#k
znHPL9H77Dp%R*IhS&)xXR*Jqg>s?x{RQjtGGL2F}6Q)X%iASO@<Zv-LgZ0>Uwvd}g
zpK#HjZ<**s!=2Y{SX#;a6P~_)6R68-wxvPfPj~|Mwm={t4ywc7PMr(P%+vlxkLfVJ
zO-DwaR!gg{^K)q%ql{c_9=Y-1(_Ff)n?FU{deH1yS-y-$(&^!@n@LNLBsrgL%d^C%
zRe961pC3`HK~9UimEN?vPbFt^H3bONC}rjSePtT8>n1~u+k2jEzwW`U5S?i7mIhh=
zp?6(PI_L(Hax@yR8_dhA4Ru)^mvS*YG4Bu%5!E`0h|i6Ty!{ou6?I*eE&d%2UoS7_
z3L&{k-=65S$-}y}4c$|Gl{i`&g>P%#s`d5zmiDuHvG4_)NriyD0)p>>IIyPMJy9c_
z#G}!rwA@n;jMi*ad3kv(IW3Ldp%0CxXJ%4+#(A&B6?`;oKn>Gb$7Zu9$%|TI%2$Tx
z)2Ctc?xpI!Bnj~_sY;bPmH7vBf_Rv4@vu{LVL73~sU@O5m7H_ri2zj{Cq!>HO8%`4
zwMxajsB4S=I@+YuTX@vQlkW8$4@1`!AJgEi3@3`PqwB*sz69-5<5MRd^QMQ7?^gO$
zXLlMccgW{DotRrhT>=4n-#VcpB>=YdGAW7TU{coKp=C6ow#H#^IQ|h14Jirl<5DRd
zH|uWG#UwWApKJDJPq^@0HE7C|ZrT)A4r+G5SU^CnPGR0Y18KlxqXoX<MFIpMAR@1%
zcYZ&%C8C0N2cfgcn<rdMc+-T7iQx-Rw&aW7bOX1aVJGfq*%I9KVQ5i?K`?Zp;Ymxv
z9YLG+%Ar=rDr$8MqE-jB(_q|%00cw=HTn9^qu+O^<THr3{>5Sx)H+e=#Y9D;@q9$y
z8gqkI7<S$)!clb+2i-?Cc&maR^Tinw?U%BqKAh&)%j+7`c=e`M#~)5h0}%^G00JTy
zdg~G%x%J4~U90-M$v@pEM#EbuN)i!+<$}VkxkV(a&fI3x58n``IJ{NCTM~v}y>LJ*
z98?`jWe)T4na+ksOm|R>h(?42ARr>Fl;W~9WYghZ9V>gUuIQ~4QCp<A+!nYSgoU?Q
zc()g~hGXs{X4iRk=&pmuQhAGk7Sw3@ejpEyx!Xh0FrRB&wV8l!klbf8Q>yrvpHgg&
z2LUBP00JV3YI>N-*iDD(gqGGEu3uWix8s$(IdLzOjoEdX(W*(^_Y7$fWWiUl%=Xuj
zXYQYigT8x7cO&b?Lh?|gS^#gKGfb`K!f{ZlML@o-BLD%hj+ZEWPfa|m&SLTtovQi<
zi6TRGW@7Exdu+}jfx5En%sYY;0gWb!c0e3S!m$iIJc|GXM8fqQv-$9%-qn0##X2rx
z4chnrxz2vQh<)F!VJ5g=l`5Tt<8AtA$1K6~f(!^k00JTicE=?ev-wEJ@N(*nHT~6&
zTd3i<>{%RBE{$1C{QVL;d^^M9Fz_f40hKC?gkuiPl6W0k=L%E@B1skkB9e-*CmSE_
zJ?eEmOM9eq72n!shYsvX#06oKv-8-f9T(Z<)NB`|h9s;epd{h&_FBjk%JEpwVKqIs
z3;+RfqiTJ5)8WaTD|x?5AMKFLEG<*~H`8<2=$#kYtqiO;Gi4*#xk{bJyfmNDEVeh;
z$W~Z(FIYv0FJTCX`0B*29L?HutV~uu+aFocySiNw2^jc7N;Vs}>ms|Cg=dw3)xZbG
z@6sZ`59mW3?+Ka@BraM45D?K;jeQv#y7kDIh_afG9`{pOw?y2&WE~dzTyhqhu=^53
z#9>4&jEMJvdU>6uPXoS5!hu;;7Gm>MZx9eSuKBO_pHTmolDoNWMeo)ch4gy0AR;cj
zIr(P+y}WkN0>Du;9ru_EQ$|t}CIA7EaOGK=^_lyQH<UB&uT9E&Rkk#YSp4w;^+|g!
zvukNNV#$(w<%4%qsWo5IjH>_9z<8>A6%M6wHUS8Tvk8kR{xQG(`&_*M)xvs#YF`m$
ztHi9_&B|qy_grD8Xw^E50|@ZehQ@0jZL9nS8y24EfEW>lhZ2B*cwoi9z30DiK|acN
zAM;guNu~H1x%q6y-`CilYj{bvsm}P=hQ{kMZK1q`wttyHp96#%+XNDUj0r$MjA?k#
zF@3N~w*5xtq-x&sw`vEdy`@lezWvo#$8NLlPTbLLg(ZbN3!X=f<_-;rucj`lX*9NR
zMezI}18zkC0^(NHX<K1t>^&Y`PA&gG`i^dC+hTBSs9jf6*!%mhv$P!AZ5O660p8M3
ztM8I%Y@%(CXHXZ_zlA;E3<MlU00QDTmXeQY$)Qu>*VFU92ri|n?=8~rju;^GLG|f>
zU1i4|y%oG60V)0JL_>3px~G0-O64pX3_l~K>?5zzB_LG+NzhJ}E_6xcocg!|cHheU
zxQ4ItxvD<m9W3FSXnpnHZT91-B>oK$&ocb0O=|UVntQu~_QC&z`lzrSrDxp%qA0CY
zRYVl<JRuWbA37a%DJ|#2x&f-jWi$#=eiQLnQU;qzTl%{7Mp|;YmIUJ}ZAP_|`lr62
z&;9-83HKk$C~g7}5OLR!XmUrb68ZkS*?sczwNpt<>IbOk`+_1eS$SIa<*{3A^_hDt
zPyeMU5oOQ%tjOj0G?;ON`lbFPyPWI_7SjYPVyq{L5Kbfj0dXQ+ca55h$*Gjwc9+s~
z{#VUg(X6(=+MD;qi@}_|pT%a=7pnffBeA{VRjN$tjyg|Mrhcc7|NcmOiEI%APvijv
z%n^Wqn4^Ph77-vpDZBetR=iTC9az;{5%id^N+q<O@Gn#?K6;zo$rRbvzFcXQN)ij@
zCF+hkKw`m#Vhst#ZHr*T69|Zi00cxtmEkT~`SIT~Wq!Yv`HHVX)~kxQyl!=0m9L*l
z?s84Z%*$uXPu<lGvh&r5E;U>z6v`~7RNSIg#c3v2kXXoeFc}HP(B|nb%?lC(0VffF
zfH(;(qAg6||NcBt>&U(AI6sA~bvcc^R%LHRDVpJ>a>X}!lc*K)_3=Aw<AwW-&)jmD
z;roIp6q(eDxJ&j5*;8Z>l1ThP?tik_rdbY43lV{U2nj$yL|7@Fl%;Wr$Eu!7&FSZ(
zkTvsD%IXBFWR**)<bi=IxtFg>rtnuOWHeyUln!XX+@vp6@ulp)6elFS)xZa@WwKoQ
z%_1R4qu={<P68pLrQEVhbbN~J5pq9(9SA+?PDNRZA^-s?iVECBM<9IFfqEn|!M;k_
z6Eyv+T28(;&|fLn<mBi3QY*%b-1y@^fIfku`v^*Au9gpeq|0TpyzG2!erBFFm$WEd
z&ScrAQ*%%JeJAq*g}6_fL)|7Z;Io~s(=4YuqANHu1Og%^;8Fn*F$ZJ~1V8`;K)}TW
zM70*c#brlwAOHd&00MRpfPmNm4?#fy1VF%(2|z$Rx%N?Z5C8!Xu!8^u#141}3IZSi
z0-j6&0^-TFkFtXR2!Mbc1Rx-Gz(Y_F009v2WC9QnPp*BG9RxrC1neLH0kH!ff`R}D
zfPg0xfPi>%?W61<00JOj2LT9(9q<qo1V8`;JedFl#FJ|uWp@RE1npE;B!e_SKp+B8
z5rM!XSr7mL5Rf_n2#C~c5cvlI5C8#z2tYst0*_=t00cll>I5JlQm;Ye9|S-E1Oy@g
z0TBp1k_7<}00F5JfPhH729bXd009sXhyVmcAn-^Q1V8`;q)q?=BJ~<X{y_i)KtLb@
z5D<aDBUumt0T7Tn0SJiHYY_Pd0T2KIfe1iA1Oks_K>!3mK<We_AX2YE<R1h;00aag
z009vQJdy<g5C8$G6M%q7y#|qg5C8!X5QqQ-L?G};76d>51f)&?0wVPqME*el1VBI_
z0uT^^z#~}@009t?IspiX)N2s=2LTWO0f7iWKm-DhWI+G~KtSpQARtn&LF69<KmY^;
zB48pQ3EHUwWdzBB00@8p2uP5CiHb<D1jsT7fB*=9fFJ}QAc9~=q96bQARv7L5D@9t
zAxZ!OAOHe_5P*OPf*py100@A9^a(&fq+f?90SJHq2na#|0wM@@Bnko`00Pn{00EJH
z9ijvv00JN&2muI)AlQ*82!H?xNS^=%MEZ4z5`X{*fPf$bARvNZN1`AA0w5rL0uT`C
z*C9#(0w4eaf)Id!2!b7nf&d7Bfb<DKK%`%XC;<q700;;|00JTib|eY{AOHf=CjbGF
zejTC&AOHd&AP4~nh#=UJC<uT62uPm*1Vs9Eh!TJR2!Mbf1Rx-SU`L`L00JN&eF6{=
z>DM7j00JNY0)h~LfCz#ei3(33K|59WOdtm!AbkQ*5$V?<N&o^N00M##fPe^s9f^Vf
z2!Md}2|z%kUxz3G2!H?x2toh?A_#UQ3IZSi0@5b{0g-+kq68oS0w5p=0SJg7*pVm*
zfB*<cp8y0z`gMpBfB*=9fFJ}QAc9~=q96bQARv7L5D@9tAxZ!OAOHe_5P*OPf*py1
z00@A9^a(&fq+f?90SJHq2na#|0wM@@Bnko`00Pn{00EJH9ijvv00JN&2muI)AlQ*8
z2!H?xNS^=%MEZ4z5`X{*fPf$bARvNZN1`AA0w5rL0uT`C*C9#(0w4eaf)Id!2!b7n
zf&d7Bfb<DKK%`%XC;<q700;;|00JTib|eY{AOHfcB9Ne+>dd5|BF?0XxIq8}K){U&
zKtSBMa#1u8009tiCIJYDGwC935C8!XaAN`x5I3$|6b%GG00f*#00QDnx`-PDKmY{X
zm;eOCjVl*L0|5{K0cR3`fH;#b;syZ_00B2900D91%0<yY00cn5nFJsp&ZLXDK>!3m
zz>Nt&K-{=;Q8W+$0T6H|0SJgQ=^}0r009tiV*(HmH?CY14Fo^{1e{3#0^&@%h#Lez
z00i8a00hL1D;Grr0T2KIXA*#bIFl~o1_2NN0XHT90deEXMbSV21VF%<1Rx;Jq>H#g
z00cn5jR`<N+_-X4G!Os*5O5{|2#7Q3B5n`>0T6Iw0uT^4u3Qui1V8`;oJjxz;!L`T
z+j;^C+NstDLI@B50l^4BMFc~Sgh2oVKtS3AARyANKja<+KmY^;BLD#r3_TJC0T2KI
zX%m2eNW1=!dk_Et5D<(21Vk|ONEie_00g8>00JWI`a|wP00cllFai(|!O$aN5C8!X
zkTwAbh_veuxd#Cd00F@WKtKdTkAy)01VBLA1Rx;Nu0P}+1V8`;1S0?e5ez*N1_2NN
z0cjI}fJnRkkb4jS0T2+300cxZ^hg*4KmY`!O#lKS?fOIRK>!3mKrjLj5W&zRVGsZT
z5Rf(j2#B=n54i^c5C8$e2tYstLyv?(00cll+5{jV(yl+`9t1!D1Oy`h0TB#65(WVf
z00C(efPhH5{*ZeR00D^-nB6gcvqZCAINMN>!aQ&W0w4eaAYdT@2#AHC;0**o00cmw
zFaZciVIDXG0T2KI5U`K{1jIs6@CE`P00JOTm;eN%Fb|x800@8p2v|q}0%9R3cmn|t
z009svOaKB>m<P^400ck)1S})~0kIGiynz4+fB*;-CIA5`%mZg200JNY0u~a0fLI6$
z-ar5ZKmY^^6M%pe=7BR1009sH0SgJp7}IJ$=+<odSD!chhKK3eu}6p1?FPU7{{_3K
AApigX

literal 0
HcmV?d00001

diff --git a/cli/scripts/winresources/docker.rc b/cli/scripts/winresources/docker.rc
new file mode 100644
index 00000000..40c645ad
--- /dev/null
+++ b/cli/scripts/winresources/docker.rc
@@ -0,0 +1,3 @@
+#define DOCKER_NAME "Docker Client"
+
+#include "common.rc"
diff --git a/cli/service/logs/parse_logs.go b/cli/service/logs/parse_logs.go
new file mode 100644
index 00000000..c01564ce
--- /dev/null
+++ b/cli/service/logs/parse_logs.go
@@ -0,0 +1,39 @@
+/*Package logs contains tools for parsing docker log lines.
+ */
+package logs
+
+import (
+	"net/url"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+// ParseLogDetails parses a string of key value pairs in the form
+// "k=v,l=w", where the keys and values are url query escaped, and each pair
+// is separated by a comma. Returns a map of the key value pairs on success,
+// and an error if the details string is not in a valid format.
+//
+// The details string encoding is implemented in
+// github.com/moby/moby/api/server/httputils/write_log_stream.go
+func ParseLogDetails(details string) (map[string]string, error) {
+	pairs := strings.Split(details, ",")
+	detailsMap := make(map[string]string, len(pairs))
+	for _, pair := range pairs {
+		p := strings.SplitN(pair, "=", 2)
+		// if there is no equals sign, we will only get 1 part back
+		if len(p) != 2 {
+			return nil, errors.New("invalid details format")
+		}
+		k, err := url.QueryUnescape(p[0])
+		if err != nil {
+			return nil, err
+		}
+		v, err := url.QueryUnescape(p[1])
+		if err != nil {
+			return nil, err
+		}
+		detailsMap[k] = v
+	}
+	return detailsMap, nil
+}
diff --git a/cli/service/logs/parse_logs_test.go b/cli/service/logs/parse_logs_test.go
new file mode 100644
index 00000000..24bd0db7
--- /dev/null
+++ b/cli/service/logs/parse_logs_test.go
@@ -0,0 +1,34 @@
+package logs
+
+import (
+	"testing"
+
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestParseLogDetails(t *testing.T) {
+	testCases := []struct {
+		line     string
+		expected map[string]string
+		err      error
+	}{
+		{"key=value", map[string]string{"key": "value"}, nil},
+		{"key1=value1,key2=value2", map[string]string{"key1": "value1", "key2": "value2"}, nil},
+		{"key+with+spaces=value%3Dequals,asdf%2C=", map[string]string{"key with spaces": "value=equals", "asdf,": ""}, nil},
+		{"key=,=nothing", map[string]string{"key": "", "": "nothing"}, nil},
+		{"=", map[string]string{"": ""}, nil},
+		{"errors", nil, errors.New("invalid details format")},
+	}
+	for _, testcase := range testCases {
+		t.Run(testcase.line, func(t *testing.T) {
+			actual, err := ParseLogDetails(testcase.line)
+			if testcase.err != nil {
+				assert.Error(t, err, testcase.err.Error())
+				return
+			}
+			assert.Check(t, is.DeepEqual(testcase.expected, actual))
+		})
+	}
+}
diff --git a/cli/templates/templates.go b/cli/templates/templates.go
new file mode 100644
index 00000000..6cc2ec36
--- /dev/null
+++ b/cli/templates/templates.go
@@ -0,0 +1,84 @@
+package templates
+
+import (
+	"bytes"
+	"encoding/json"
+	"strings"
+	"text/template"
+)
+
+// basicFunctions are the set of initial
+// functions provided to every template.
+var basicFunctions = template.FuncMap{
+	"json": func(v interface{}) string {
+		buf := &bytes.Buffer{}
+		enc := json.NewEncoder(buf)
+		enc.SetEscapeHTML(false)
+		enc.Encode(v)
+		// Remove the trailing new line added by the encoder
+		return strings.TrimSpace(buf.String())
+	},
+	"split":    strings.Split,
+	"join":     strings.Join,
+	"title":    strings.Title,
+	"lower":    strings.ToLower,
+	"upper":    strings.ToUpper,
+	"pad":      padWithSpace,
+	"truncate": truncateWithLength,
+}
+
+// HeaderFunctions are used to created headers of a table.
+// This is a replacement of basicFunctions for header generation
+// because we want the header to remain intact.
+// Some functions like `split` are irrelevant so not added.
+var HeaderFunctions = template.FuncMap{
+	"json": func(v string) string {
+		return v
+	},
+	"title": func(v string) string {
+		return v
+	},
+	"lower": func(v string) string {
+		return v
+	},
+	"upper": func(v string) string {
+		return v
+	},
+	"truncate": func(v string, _ int) string {
+		return v
+	},
+}
+
+// Parse creates a new anonymous template with the basic functions
+// and parses the given format.
+func Parse(format string) (*template.Template, error) {
+	return NewParse("", format)
+}
+
+// New creates a new empty template with the provided tag and built-in
+// template functions.
+func New(tag string) *template.Template {
+	return template.New(tag).Funcs(basicFunctions)
+}
+
+// NewParse creates a new tagged template with the basic functions
+// and parses the given format.
+func NewParse(tag, format string) (*template.Template, error) {
+	return New(tag).Parse(format)
+}
+
+// padWithSpace adds whitespace to the input if the input is non-empty
+func padWithSpace(source string, prefix, suffix int) string {
+	if source == "" {
+		return source
+	}
+	return strings.Repeat(" ", prefix) + source + strings.Repeat(" ", suffix)
+}
+
+// truncateWithLength truncates the source string up to the length provided by the input
+func truncateWithLength(source string, length int) string {
+	if len(source) < length {
+		return source
+	}
+	return source[:length]
+}
diff --git a/cli/templates/templates_test.go b/cli/templates/templates_test.go
new file mode 100644
index 00000000..102de2bd
--- /dev/null
+++ b/cli/templates/templates_test.go
@@ -0,0 +1,89 @@
+package templates
+
+import (
+	"bytes"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+// GitHub #32120
+func TestParseJSONFunctions(t *testing.T) {
+	tm, err := Parse(`{{json .Ports}}`)
+	assert.NilError(t, err)
+
+	var b bytes.Buffer
+	assert.NilError(t, tm.Execute(&b, map[string]string{"Ports": "0.0.0.0:2->8/udp"}))
+	want := "\"0.0.0.0:2->8/udp\""
+	assert.Check(t, is.Equal(want, b.String()))
+}
+
+func TestParseStringFunctions(t *testing.T) {
+	tm, err := Parse(`{{join (split . ":") "/"}}`)
+	assert.NilError(t, err)
+
+	var b bytes.Buffer
+	assert.NilError(t, tm.Execute(&b, "text:with:colon"))
+	want := "text/with/colon"
+	assert.Check(t, is.Equal(want, b.String()))
+}
+
+func TestNewParse(t *testing.T) {
+	tm, err := NewParse("foo", "this is a {{ . }}")
+	assert.NilError(t, err)
+
+	var b bytes.Buffer
+	assert.NilError(t, tm.Execute(&b, "string"))
+	want := "this is a string"
+	assert.Check(t, is.Equal(want, b.String()))
+}
+
+func TestParseTruncateFunction(t *testing.T) {
+	source := "tupx5xzf6hvsrhnruz5cr8gwp"
+
+	testCases := []struct {
+		template string
+		expected string
+	}{
+		{
+			template: `{{truncate . 5}}`,
+			expected: "tupx5",
+		},
+		{
+			template: `{{truncate . 25}}`,
+			expected: "tupx5xzf6hvsrhnruz5cr8gwp",
+		},
+		{
+			template: `{{truncate . 30}}`,
+			expected: "tupx5xzf6hvsrhnruz5cr8gwp",
+		},
+		{
+			template: `{{pad . 3 3}}`,
+			expected: "   tupx5xzf6hvsrhnruz5cr8gwp   ",
+		},
+	}
+
+	for _, testCase := range testCases {
+		tm, err := Parse(testCase.template)
+		assert.NilError(t, err)
+
+		t.Run("Non Empty Source Test with template: "+testCase.template, func(t *testing.T) {
+			var b bytes.Buffer
+			assert.NilError(t, tm.Execute(&b, source))
+			assert.Check(t, is.Equal(testCase.expected, b.String()))
+		})
+
+		t.Run("Empty Source Test with template: "+testCase.template, func(t *testing.T) {
+			var c bytes.Buffer
+			assert.NilError(t, tm.Execute(&c, ""))
+			assert.Check(t, is.Equal("", c.String()))
+		})
+
+		t.Run("Nil Source Test with template: "+testCase.template, func(t *testing.T) {
+			var c bytes.Buffer
+			assert.Check(t, tm.Execute(&c, nil) != nil)
+			assert.Check(t, is.Equal("", c.String()))
+		})
+	}
+}
diff --git a/cli/vendor.conf b/cli/vendor.conf
new file mode 100755
index 00000000..7266f577
--- /dev/null
+++ b/cli/vendor.conf
@@ -0,0 +1,96 @@
+github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
+github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109
+github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
+github.com/containerd/containerd b41633746ed4833f52c3c071e8edcfa2713e5677
+github.com/containerd/continuity d3c23511c1bf5851696cba83143d9cbcd666869b
+github.com/coreos/etcd v3.2.1
+github.com/cpuguy83/go-md2man v1.0.8
+github.com/davecgh/go-spew 346938d642f2ec3594ed81d874461961cd0faa76
+github.com/docker/distribution 83389a148052d74ac602f5f1d62f86ff2f3c4aa5
+github.com/docker/docker 371b590ace0d4a329cd6a3328d31d33c4f77a780 https://github.com/docker/engine
+github.com/docker/docker-credential-helpers 5241b46610f2491efdf9d1c85f1ddf5b02f6d962
+# the docker/go package contains a customized version of canonical/json
+# and is used by Notary. The package is periodically rebased on current Go versions.
+github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06
+github.com/docker/go-connections 7beb39f0b969b075d1325fecb092faf27fd357b6
+github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
+github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18
+github.com/docker/go-units 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1
+github.com/docker/swarmkit 199cf49cd99690135d99e52a1907ec82e8113c4f
+github.com/emicklei/go-restful ff4f55a206334ef123e4f79bbf348980da81ca46
+github.com/emicklei/go-restful-swagger12 dcef7f55730566d41eae5db10e7d6981829720f6
+github.com/flynn-archive/go-shlex 3f9db97f856818214da2e1057f8ad84803971cff
+github.com/ghodss/yaml 0ca9ea5df5451ffdf184b4428c902747c2c11cd7
+github.com/gogo/protobuf v1.0.0
+github.com/google/go-cmp v0.2.0
+github.com/golang/glog 44145f04b68cf362d9c4df2182967c2275eaefed
+github.com/golang/protobuf v1.1.0
+github.com/google/btree 316fb6d3f031ae8f4d457c6c5186b9e3ded70435
+github.com/google/gofuzz 44d81051d367757e1c7c6a5a86423ece9afcf63c
+github.com/googleapis/gnostic e4f56557df6250e1945ee6854f181ce4e1c2c646
+github.com/gorilla/context v1.1
+github.com/gorilla/mux v1.1
+gotest.tools v2.1.0
+github.com/go-openapi/jsonpointer 46af16f9f7b149af66e5d1bd010e3574dc06de98
+github.com/go-openapi/jsonreference 13c6e3589ad90f49bd3e3bbe2c2cb3d7a4142272
+github.com/go-openapi/spec 6aced65f8501fe1217321abf0749d354824ba2ff
+github.com/go-openapi/swag 1d0bd113de87027671077d3c71eb3ac5d7dbba72
+github.com/gregjones/httpcache c1f8028e62adb3d518b823a2f8e6a95c38bdd3aa
+github.com/grpc-ecosystem/grpc-gateway 1a03ca3bad1e1ebadaedd3abb76bc58d4ac8143b
+github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
+github.com/hashicorp/golang-lru a0d98a5f288019575c6d1f4bb1573fef2d1fcdc4
+github.com/howeyc/gopass 3ca23474a7c7203e0a0a070fd33508f6efdb9b3d
+github.com/imdario/mergo v0.3.5
+github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
+github.com/juju/ratelimit 5b9ff866471762aa2ab2dced63c9fb6f53921342
+github.com/json-iterator/go 6240e1e7983a85228f7fd9c3e1b6932d46ec58e2
+github.com/mailru/easyjson d5b7844b561a7bc640052f1b935f7b800330d7e0
+github.com/mattn/go-shellwords v1.0.3
+github.com/matttproud/golang_protobuf_extensions v1.0.0
+github.com/Microsoft/go-winio v0.4.8
+github.com/miekg/pkcs11 5f6e0d0dad6f472df908c8e968a98ef00c9224bb
+github.com/mitchellh/mapstructure f3009df150dadf309fdee4a54ed65c124afad715
+github.com/moby/buildkit 98f1604134f945d48538ffca0e18662337b4a850
+github.com/morikuni/aec 39771216ff4c63d11f5e604076f9c45e8be1067b
+github.com/Nvveen/Gotty a8b993ba6abdb0e0c12b0125c603323a71c7790c https://github.com/ijc25/Gotty
+github.com/opencontainers/go-digest v1.0.0-rc1
+github.com/opencontainers/image-spec v1.0.1
+github.com/opencontainers/runc ad0f5255060d36872be04de22f8731f38ef2d7b1
+github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
+github.com/peterbourgon/diskv 5f041e8faa004a95c88a202771f4cc3e991971e6
+github.com/pkg/errors 839d9e913e063e28dfd0e6c7b7512793e0a48be9
+github.com/prometheus/client_golang 52437c81da6b127a9925d17eb3a382a2e5fd395e
+github.com/prometheus/client_model fa8ad6fec33561be4280a8f0514318c79d7f6cb6
+github.com/prometheus/common ebdfc6da46522d58825777cf1f90490a5b1ef1d8
+github.com/prometheus/procfs abf152e5f3e97f2fafac028d2cc06c1feb87ffa5
+github.com/PuerkitoBio/purell 8a290539e2e8629dbc4e6bad948158f790ec31f4
+github.com/PuerkitoBio/urlesc 5bd2802263f21d8788851d5305584c82a5c75d7e
+github.com/russross/blackfriday 1d6b8e9301e720b08a8938b8c25c018285885438
+github.com/shurcooL/sanitized_anchor_name 10ef21a441db47d8b13ebcc5fd2310f636973c77
+github.com/sirupsen/logrus v1.0.3
+github.com/spf13/cobra v0.0.3
+github.com/spf13/pflag v1.0.1
+github.com/theupdateframework/notary v0.6.1
+github.com/tonistiigi/fsutil 8abad97ee3969cdf5e9c367f46adba2c212b3ddb
+github.com/xeipuuv/gojsonpointer e0fe6f68307607d540ed8eac07a342c33fa1b54a
+github.com/xeipuuv/gojsonreference e02fc20de94c78484cd5ffb007f8af96be030a45
+github.com/xeipuuv/gojsonschema 93e72a773fade158921402d6a24c819b48aba29d
+golang.org/x/crypto 1a580b3eff7814fc9b40602fd35256c63b50f491
+golang.org/x/net 0ed95abb35c445290478a5348a7b38bb154135fd
+golang.org/x/sync fd80eb99c8f653c847d294a001bdf2a3a6f768f5
+golang.org/x/sys 37707fdb30a5b38865cfb95e5aab41707daec7fd
+golang.org/x/text f72d8390a633d5dfb0cc84043294db9f6c935756
+golang.org/x/time a4bde12657593d5e90d0533a3e4fd95e635124cb
+google.golang.org/genproto 694d95ba50e67b2e363f3483057db5d4910c18f9
+google.golang.org/grpc v1.12.0
+gopkg.in/inf.v0 3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4
+gopkg.in/yaml.v2 4c78c975fe7c825c6d1466c42be594d1d6f3aba6
+k8s.io/api kubernetes-1.8.14
+k8s.io/apimachinery kubernetes-1.8.14
+k8s.io/client-go kubernetes-1.8.14
+k8s.io/kubernetes v1.8.14
+k8s.io/kube-openapi 0c329704159e3b051aafac400b15baacf2a94a04
+vbom.ml/util 928aaa586d7718c70f4090ddf83f2b34c16fdc8d
+github.com/containerd/console 5d1b48d6114b8c9666f0c8b916f871af97b0a761
+github.com/tonistiigi/units 6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
+github.com/google/shlex 6f45313302b9c56850fc17f99e40caebce98c716
diff --git a/cli/vendor/github.com/Nvveen/Gotty/LICENSE b/cli/vendor/github.com/Nvveen/Gotty/LICENSE
new file mode 100644
index 00000000..0b71c973
--- /dev/null
+++ b/cli/vendor/github.com/Nvveen/Gotty/LICENSE
@@ -0,0 +1,26 @@
+Copyright (c) 2012, Neal van Veen (nealvanveen@gmail.com)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met: 
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer. 
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution. 
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+The views and conclusions contained in the software and documentation are those
+of the authors and should not be interpreted as representing official policies, 
+either expressed or implied, of the FreeBSD Project.
diff --git a/cli/vendor/github.com/Nvveen/Gotty/README b/cli/vendor/github.com/Nvveen/Gotty/README
new file mode 100644
index 00000000..a6b0d9a8
--- /dev/null
+++ b/cli/vendor/github.com/Nvveen/Gotty/README
@@ -0,0 +1,5 @@
+Gotty is a library written in Go that determines and reads termcap database
+files to produce an interface for interacting with the capabilities of a
+terminal.
+See the godoc documentation or the source code for more information about
+function usage.
diff --git a/cli/vendor/github.com/Nvveen/Gotty/attributes.go b/cli/vendor/github.com/Nvveen/Gotty/attributes.go
new file mode 100644
index 00000000..a4c005fa
--- /dev/null
+++ b/cli/vendor/github.com/Nvveen/Gotty/attributes.go
@@ -0,0 +1,514 @@
+// Copyright 2012 Neal van Veen. All rights reserved.
+// Usage of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package gotty
+
+// Boolean capabilities
+var BoolAttr = [...]string{
+	"auto_left_margin", "bw",
+	"auto_right_margin", "am",
+	"no_esc_ctlc", "xsb",
+	"ceol_standout_glitch", "xhp",
+	"eat_newline_glitch", "xenl",
+	"erase_overstrike", "eo",
+	"generic_type", "gn",
+	"hard_copy", "hc",
+	"has_meta_key", "km",
+	"has_status_line", "hs",
+	"insert_null_glitch", "in",
+	"memory_above", "da",
+	"memory_below", "db",
+	"move_insert_mode", "mir",
+	"move_standout_mode", "msgr",
+	"over_strike", "os",
+	"status_line_esc_ok", "eslok",
+	"dest_tabs_magic_smso", "xt",
+	"tilde_glitch", "hz",
+	"transparent_underline", "ul",
+	"xon_xoff", "nxon",
+	"needs_xon_xoff", "nxon",
+	"prtr_silent", "mc5i",
+	"hard_cursor", "chts",
+	"non_rev_rmcup", "nrrmc",
+	"no_pad_char", "npc",
+	"non_dest_scroll_region", "ndscr",
+	"can_change", "ccc",
+	"back_color_erase", "bce",
+	"hue_lightness_saturation", "hls",
+	"col_addr_glitch", "xhpa",
+	"cr_cancels_micro_mode", "crxm",
+	"has_print_wheel", "daisy",
+	"row_addr_glitch", "xvpa",
+	"semi_auto_right_margin", "sam",
+	"cpi_changes_res", "cpix",
+	"lpi_changes_res", "lpix",
+	"backspaces_with_bs", "",
+	"crt_no_scrolling", "",
+	"no_correctly_working_cr", "",
+	"gnu_has_meta_key", "",
+	"linefeed_is_newline", "",
+	"has_hardware_tabs", "",
+	"return_does_clr_eol", "",
+}
+
+// Numerical capabilities
+var NumAttr = [...]string{
+	"columns", "cols",
+	"init_tabs", "it",
+	"lines", "lines",
+	"lines_of_memory", "lm",
+	"magic_cookie_glitch", "xmc",
+	"padding_baud_rate", "pb",
+	"virtual_terminal", "vt",
+	"width_status_line", "wsl",
+	"num_labels", "nlab",
+	"label_height", "lh",
+	"label_width", "lw",
+	"max_attributes", "ma",
+	"maximum_windows", "wnum",
+	"max_colors", "colors",
+	"max_pairs", "pairs",
+	"no_color_video", "ncv",
+	"buffer_capacity", "bufsz",
+	"dot_vert_spacing", "spinv",
+	"dot_horz_spacing", "spinh",
+	"max_micro_address", "maddr",
+	"max_micro_jump", "mjump",
+	"micro_col_size", "mcs",
+	"micro_line_size", "mls",
+	"number_of_pins", "npins",
+	"output_res_char", "orc",
+	"output_res_line", "orl",
+	"output_res_horz_inch", "orhi",
+	"output_res_vert_inch", "orvi",
+	"print_rate", "cps",
+	"wide_char_size", "widcs",
+	"buttons", "btns",
+	"bit_image_entwining", "bitwin",
+	"bit_image_type", "bitype",
+	"magic_cookie_glitch_ul", "",
+	"carriage_return_delay", "",
+	"new_line_delay", "",
+	"backspace_delay", "",
+	"horizontal_tab_delay", "",
+	"number_of_function_keys", "",
+}
+
+// String capabilities
+var StrAttr = [...]string{
+	"back_tab", "cbt",
+	"bell", "bel",
+	"carriage_return", "cr",
+	"change_scroll_region", "csr",
+	"clear_all_tabs", "tbc",
+	"clear_screen", "clear",
+	"clr_eol", "el",
+	"clr_eos", "ed",
+	"column_address", "hpa",
+	"command_character", "cmdch",
+	"cursor_address", "cup",
+	"cursor_down", "cud1",
+	"cursor_home", "home",
+	"cursor_invisible", "civis",
+	"cursor_left", "cub1",
+	"cursor_mem_address", "mrcup",
+	"cursor_normal", "cnorm",
+	"cursor_right", "cuf1",
+	"cursor_to_ll", "ll",
+	"cursor_up", "cuu1",
+	"cursor_visible", "cvvis",
+	"delete_character", "dch1",
+	"delete_line", "dl1",
+	"dis_status_line", "dsl",
+	"down_half_line", "hd",
+	"enter_alt_charset_mode", "smacs",
+	"enter_blink_mode", "blink",
+	"enter_bold_mode", "bold",
+	"enter_ca_mode", "smcup",
+	"enter_delete_mode", "smdc",
+	"enter_dim_mode", "dim",
+	"enter_insert_mode", "smir",
+	"enter_secure_mode", "invis",
+	"enter_protected_mode", "prot",
+	"enter_reverse_mode", "rev",
+	"enter_standout_mode", "smso",
+	"enter_underline_mode", "smul",
+	"erase_chars", "ech",
+	"exit_alt_charset_mode", "rmacs",
+	"exit_attribute_mode", "sgr0",
+	"exit_ca_mode", "rmcup",
+	"exit_delete_mode", "rmdc",
+	"exit_insert_mode", "rmir",
+	"exit_standout_mode", "rmso",
+	"exit_underline_mode", "rmul",
+	"flash_screen", "flash",
+	"form_feed", "ff",
+	"from_status_line", "fsl",
+	"init_1string", "is1",
+	"init_2string", "is2",
+	"init_3string", "is3",
+	"init_file", "if",
+	"insert_character", "ich1",
+	"insert_line", "il1",
+	"insert_padding", "ip",
+	"key_backspace", "kbs",
+	"key_catab", "ktbc",
+	"key_clear", "kclr",
+	"key_ctab", "kctab",
+	"key_dc", "kdch1",
+	"key_dl", "kdl1",
+	"key_down", "kcud1",
+	"key_eic", "krmir",
+	"key_eol", "kel",
+	"key_eos", "ked",
+	"key_f0", "kf0",
+	"key_f1", "kf1",
+	"key_f10", "kf10",
+	"key_f2", "kf2",
+	"key_f3", "kf3",
+	"key_f4", "kf4",
+	"key_f5", "kf5",
+	"key_f6", "kf6",
+	"key_f7", "kf7",
+	"key_f8", "kf8",
+	"key_f9", "kf9",
+	"key_home", "khome",
+	"key_ic", "kich1",
+	"key_il", "kil1",
+	"key_left", "kcub1",
+	"key_ll", "kll",
+	"key_npage", "knp",
+	"key_ppage", "kpp",
+	"key_right", "kcuf1",
+	"key_sf", "kind",
+	"key_sr", "kri",
+	"key_stab", "khts",
+	"key_up", "kcuu1",
+	"keypad_local", "rmkx",
+	"keypad_xmit", "smkx",
+	"lab_f0", "lf0",
+	"lab_f1", "lf1",
+	"lab_f10", "lf10",
+	"lab_f2", "lf2",
+	"lab_f3", "lf3",
+	"lab_f4", "lf4",
+	"lab_f5", "lf5",
+	"lab_f6", "lf6",
+	"lab_f7", "lf7",
+	"lab_f8", "lf8",
+	"lab_f9", "lf9",
+	"meta_off", "rmm",
+	"meta_on", "smm",
+	"newline", "_glitch",
+	"pad_char", "npc",
+	"parm_dch", "dch",
+	"parm_delete_line", "dl",
+	"parm_down_cursor", "cud",
+	"parm_ich", "ich",
+	"parm_index", "indn",
+	"parm_insert_line", "il",
+	"parm_left_cursor", "cub",
+	"parm_right_cursor", "cuf",
+	"parm_rindex", "rin",
+	"parm_up_cursor", "cuu",
+	"pkey_key", "pfkey",
+	"pkey_local", "pfloc",
+	"pkey_xmit", "pfx",
+	"print_screen", "mc0",
+	"prtr_off", "mc4",
+	"prtr_on", "mc5",
+	"repeat_char", "rep",
+	"reset_1string", "rs1",
+	"reset_2string", "rs2",
+	"reset_3string", "rs3",
+	"reset_file", "rf",
+	"restore_cursor", "rc",
+	"row_address", "mvpa",
+	"save_cursor", "row_address",
+	"scroll_forward", "ind",
+	"scroll_reverse", "ri",
+	"set_attributes", "sgr",
+	"set_tab", "hts",
+	"set_window", "wind",
+	"tab", "s_magic_smso",
+	"to_status_line", "tsl",
+	"underline_char", "uc",
+	"up_half_line", "hu",
+	"init_prog", "iprog",
+	"key_a1", "ka1",
+	"key_a3", "ka3",
+	"key_b2", "kb2",
+	"key_c1", "kc1",
+	"key_c3", "kc3",
+	"prtr_non", "mc5p",
+	"char_padding", "rmp",
+	"acs_chars", "acsc",
+	"plab_norm", "pln",
+	"key_btab", "kcbt",
+	"enter_xon_mode", "smxon",
+	"exit_xon_mode", "rmxon",
+	"enter_am_mode", "smam",
+	"exit_am_mode", "rmam",
+	"xon_character", "xonc",
+	"xoff_character", "xoffc",
+	"ena_acs", "enacs",
+	"label_on", "smln",
+	"label_off", "rmln",
+	"key_beg", "kbeg",
+	"key_cancel", "kcan",
+	"key_close", "kclo",
+	"key_command", "kcmd",
+	"key_copy", "kcpy",
+	"key_create", "kcrt",
+	"key_end", "kend",
+	"key_enter", "kent",
+	"key_exit", "kext",
+	"key_find", "kfnd",
+	"key_help", "khlp",
+	"key_mark", "kmrk",
+	"key_message", "kmsg",
+	"key_move", "kmov",
+	"key_next", "knxt",
+	"key_open", "kopn",
+	"key_options", "kopt",
+	"key_previous", "kprv",
+	"key_print", "kprt",
+	"key_redo", "krdo",
+	"key_reference", "kref",
+	"key_refresh", "krfr",
+	"key_replace", "krpl",
+	"key_restart", "krst",
+	"key_resume", "kres",
+	"key_save", "ksav",
+	"key_suspend", "kspd",
+	"key_undo", "kund",
+	"key_sbeg", "kBEG",
+	"key_scancel", "kCAN",
+	"key_scommand", "kCMD",
+	"key_scopy", "kCPY",
+	"key_screate", "kCRT",
+	"key_sdc", "kDC",
+	"key_sdl", "kDL",
+	"key_select", "kslt",
+	"key_send", "kEND",
+	"key_seol", "kEOL",
+	"key_sexit", "kEXT",
+	"key_sfind", "kFND",
+	"key_shelp", "kHLP",
+	"key_shome", "kHOM",
+	"key_sic", "kIC",
+	"key_sleft", "kLFT",
+	"key_smessage", "kMSG",
+	"key_smove", "kMOV",
+	"key_snext", "kNXT",
+	"key_soptions", "kOPT",
+	"key_sprevious", "kPRV",
+	"key_sprint", "kPRT",
+	"key_sredo", "kRDO",
+	"key_sreplace", "kRPL",
+	"key_sright", "kRIT",
+	"key_srsume", "kRES",
+	"key_ssave", "kSAV",
+	"key_ssuspend", "kSPD",
+	"key_sundo", "kUND",
+	"req_for_input", "rfi",
+	"key_f11", "kf11",
+	"key_f12", "kf12",
+	"key_f13", "kf13",
+	"key_f14", "kf14",
+	"key_f15", "kf15",
+	"key_f16", "kf16",
+	"key_f17", "kf17",
+	"key_f18", "kf18",
+	"key_f19", "kf19",
+	"key_f20", "kf20",
+	"key_f21", "kf21",
+	"key_f22", "kf22",
+	"key_f23", "kf23",
+	"key_f24", "kf24",
+	"key_f25", "kf25",
+	"key_f26", "kf26",
+	"key_f27", "kf27",
+	"key_f28", "kf28",
+	"key_f29", "kf29",
+	"key_f30", "kf30",
+	"key_f31", "kf31",
+	"key_f32", "kf32",
+	"key_f33", "kf33",
+	"key_f34", "kf34",
+	"key_f35", "kf35",
+	"key_f36", "kf36",
+	"key_f37", "kf37",
+	"key_f38", "kf38",
+	"key_f39", "kf39",
+	"key_f40", "kf40",
+	"key_f41", "kf41",
+	"key_f42", "kf42",
+	"key_f43", "kf43",
+	"key_f44", "kf44",
+	"key_f45", "kf45",
+	"key_f46", "kf46",
+	"key_f47", "kf47",
+	"key_f48", "kf48",
+	"key_f49", "kf49",
+	"key_f50", "kf50",
+	"key_f51", "kf51",
+	"key_f52", "kf52",
+	"key_f53", "kf53",
+	"key_f54", "kf54",
+	"key_f55", "kf55",
+	"key_f56", "kf56",
+	"key_f57", "kf57",
+	"key_f58", "kf58",
+	"key_f59", "kf59",
+	"key_f60", "kf60",
+	"key_f61", "kf61",
+	"key_f62", "kf62",
+	"key_f63", "kf63",
+	"clr_bol", "el1",
+	"clear_margins", "mgc",
+	"set_left_margin", "smgl",
+	"set_right_margin", "smgr",
+	"label_format", "fln",
+	"set_clock", "sclk",
+	"display_clock", "dclk",
+	"remove_clock", "rmclk",
+	"create_window", "cwin",
+	"goto_window", "wingo",
+	"hangup", "hup",
+	"dial_phone", "dial",
+	"quick_dial", "qdial",
+	"tone", "tone",
+	"pulse", "pulse",
+	"flash_hook", "hook",
+	"fixed_pause", "pause",
+	"wait_tone", "wait",
+	"user0", "u0",
+	"user1", "u1",
+	"user2", "u2",
+	"user3", "u3",
+	"user4", "u4",
+	"user5", "u5",
+	"user6", "u6",
+	"user7", "u7",
+	"user8", "u8",
+	"user9", "u9",
+	"orig_pair", "op",
+	"orig_colors", "oc",
+	"initialize_color", "initc",
+	"initialize_pair", "initp",
+	"set_color_pair", "scp",
+	"set_foreground", "setf",
+	"set_background", "setb",
+	"change_char_pitch", "cpi",
+	"change_line_pitch", "lpi",
+	"change_res_horz", "chr",
+	"change_res_vert", "cvr",
+	"define_char", "defc",
+	"enter_doublewide_mode", "swidm",
+	"enter_draft_quality", "sdrfq",
+	"enter_italics_mode", "sitm",
+	"enter_leftward_mode", "slm",
+	"enter_micro_mode", "smicm",
+	"enter_near_letter_quality", "snlq",
+	"enter_normal_quality", "snrmq",
+	"enter_shadow_mode", "sshm",
+	"enter_subscript_mode", "ssubm",
+	"enter_superscript_mode", "ssupm",
+	"enter_upward_mode", "sum",
+	"exit_doublewide_mode", "rwidm",
+	"exit_italics_mode", "ritm",
+	"exit_leftward_mode", "rlm",
+	"exit_micro_mode", "rmicm",
+	"exit_shadow_mode", "rshm",
+	"exit_subscript_mode", "rsubm",
+	"exit_superscript_mode", "rsupm",
+	"exit_upward_mode", "rum",
+	"micro_column_address", "mhpa",
+	"micro_down", "mcud1",
+	"micro_left", "mcub1",
+	"micro_right", "mcuf1",
+	"micro_row_address", "mvpa",
+	"micro_up", "mcuu1",
+	"order_of_pins", "porder",
+	"parm_down_micro", "mcud",
+	"parm_left_micro", "mcub",
+	"parm_right_micro", "mcuf",
+	"parm_up_micro", "mcuu",
+	"select_char_set", "scs",
+	"set_bottom_margin", "smgb",
+	"set_bottom_margin_parm", "smgbp",
+	"set_left_margin_parm", "smglp",
+	"set_right_margin_parm", "smgrp",
+	"set_top_margin", "smgt",
+	"set_top_margin_parm", "smgtp",
+	"start_bit_image", "sbim",
+	"start_char_set_def", "scsd",
+	"stop_bit_image", "rbim",
+	"stop_char_set_def", "rcsd",
+	"subscript_characters", "subcs",
+	"superscript_characters", "supcs",
+	"these_cause_cr", "docr",
+	"zero_motion", "zerom",
+	"char_set_names", "csnm",
+	"key_mouse", "kmous",
+	"mouse_info", "minfo",
+	"req_mouse_pos", "reqmp",
+	"get_mouse", "getm",
+	"set_a_foreground", "setaf",
+	"set_a_background", "setab",
+	"pkey_plab", "pfxl",
+	"device_type", "devt",
+	"code_set_init", "csin",
+	"set0_des_seq", "s0ds",
+	"set1_des_seq", "s1ds",
+	"set2_des_seq", "s2ds",
+	"set3_des_seq", "s3ds",
+	"set_lr_margin", "smglr",
+	"set_tb_margin", "smgtb",
+	"bit_image_repeat", "birep",
+	"bit_image_newline", "binel",
+	"bit_image_carriage_return", "bicr",
+	"color_names", "colornm",
+	"define_bit_image_region", "defbi",
+	"end_bit_image_region", "endbi",
+	"set_color_band", "setcolor",
+	"set_page_length", "slines",
+	"display_pc_char", "dispc",
+	"enter_pc_charset_mode", "smpch",
+	"exit_pc_charset_mode", "rmpch",
+	"enter_scancode_mode", "smsc",
+	"exit_scancode_mode", "rmsc",
+	"pc_term_options", "pctrm",
+	"scancode_escape", "scesc",
+	"alt_scancode_esc", "scesa",
+	"enter_horizontal_hl_mode", "ehhlm",
+	"enter_left_hl_mode", "elhlm",
+	"enter_low_hl_mode", "elohlm",
+	"enter_right_hl_mode", "erhlm",
+	"enter_top_hl_mode", "ethlm",
+	"enter_vertical_hl_mode", "evhlm",
+	"set_a_attributes", "sgr1",
+	"set_pglen_inch", "slength",
+	"termcap_init2", "",
+	"termcap_reset", "",
+	"linefeed_if_not_lf", "",
+	"backspace_if_not_bs", "",
+	"other_non_function_keys", "",
+	"arrow_key_map", "",
+	"acs_ulcorner", "",
+	"acs_llcorner", "",
+	"acs_urcorner", "",
+	"acs_lrcorner", "",
+	"acs_ltee", "",
+	"acs_rtee", "",
+	"acs_btee", "",
+	"acs_ttee", "",
+	"acs_hline", "",
+	"acs_vline", "",
+	"acs_plus", "",
+	"memory_lock", "",
+	"memory_unlock", "",
+	"box_chars_1", "",
+}
diff --git a/cli/vendor/github.com/Nvveen/Gotty/gotty.go b/cli/vendor/github.com/Nvveen/Gotty/gotty.go
new file mode 100644
index 00000000..c329778a
--- /dev/null
+++ b/cli/vendor/github.com/Nvveen/Gotty/gotty.go
@@ -0,0 +1,244 @@
+// Copyright 2012 Neal van Veen. All rights reserved.
+// Usage of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Gotty is a Go-package for reading and parsing the terminfo database
+package gotty
+
+// TODO add more concurrency to name lookup, look for more opportunities.
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"os"
+	"path"
+	"reflect"
+	"strings"
+	"sync"
+)
+
+// Open a terminfo file by the name given and construct a TermInfo object.
+// If something went wrong reading the terminfo database file, an error is
+// returned.
+func OpenTermInfo(termName string) (*TermInfo, error) {
+	if len(termName) == 0 {
+		return nil, errors.New("No termname given")
+	}
+	// Find the environment variables
+	if termloc := os.Getenv("TERMINFO"); len(termloc) > 0 {
+		return readTermInfo(path.Join(termloc, string(termName[0]), termName))
+	} else {
+		// Search like ncurses
+		locations := []string{}
+		if h := os.Getenv("HOME"); len(h) > 0 {
+			locations = append(locations, path.Join(h, ".terminfo"))
+		}
+		locations = append(locations,
+			"/etc/terminfo/",
+			"/lib/terminfo/",
+			"/usr/share/terminfo/")
+		for _, str := range locations {
+			term, err := readTermInfo(path.Join(str, string(termName[0]), termName))
+			if err == nil {
+				return term, nil
+			}
+		}
+		return nil, errors.New("No terminfo file(-location) found")
+	}
+}
+
+// Open a terminfo file from the environment variable containing the current
+// terminal name and construct a TermInfo object. If something went wrong
+// reading the terminfo database file, an error is returned.
+func OpenTermInfoEnv() (*TermInfo, error) {
+	termenv := os.Getenv("TERM")
+	return OpenTermInfo(termenv)
+}
+
+// Return an attribute by the name attr provided. If none can be found,
+// an error is returned.
+func (term *TermInfo) GetAttribute(attr string) (stacker, error) {
+	// Channel to store the main value in.
+	var value stacker
+	// Add a blocking WaitGroup
+	var block sync.WaitGroup
+	// Keep track of variable being written.
+	written := false
+	// Function to put into goroutine.
+	f := func(ats interface{}) {
+		var ok bool
+		var v stacker
+		// Switch on type of map to use and assign value to it.
+		switch reflect.TypeOf(ats).Elem().Kind() {
+		case reflect.Bool:
+			v, ok = ats.(map[string]bool)[attr]
+		case reflect.Int16:
+			v, ok = ats.(map[string]int16)[attr]
+		case reflect.String:
+			v, ok = ats.(map[string]string)[attr]
+		}
+		// If ok, a value is found, so we can write.
+		if ok {
+			value = v
+			written = true
+		}
+		// Goroutine is done
+		block.Done()
+	}
+	block.Add(3)
+	// Go for all 3 attribute lists.
+	go f(term.boolAttributes)
+	go f(term.numAttributes)
+	go f(term.strAttributes)
+	// Wait until every goroutine is done.
+	block.Wait()
+	// If a value has been written, return it.
+	if written {
+		return value, nil
+	}
+	// Otherwise, error.
+	return nil, fmt.Errorf("Erorr finding attribute")
+}
+
+// Return an attribute by the name attr provided. If none can be found,
+// an error is returned. A name is first converted to its termcap value.
+func (term *TermInfo) GetAttributeName(name string) (stacker, error) {
+	tc := GetTermcapName(name)
+	return term.GetAttribute(tc)
+}
+
+// A utility function that finds and returns the termcap equivalent of a
+// variable name.
+func GetTermcapName(name string) string {
+	// Termcap name
+	var tc string
+	// Blocking group
+	var wait sync.WaitGroup
+	// Function to put into a goroutine
+	f := func(attrs []string) {
+		// Find the string corresponding to the name
+		for i, s := range attrs {
+			if s == name {
+				tc = attrs[i+1]
+			}
+		}
+		// Goroutine is finished
+		wait.Done()
+	}
+	wait.Add(3)
+	// Go for all 3 attribute lists
+	go f(BoolAttr[:])
+	go f(NumAttr[:])
+	go f(StrAttr[:])
+	// Wait until every goroutine is done
+	wait.Wait()
+	// Return the termcap name
+	return tc
+}
+
+// This function takes a path to a terminfo file and reads it in binary
+// form to construct the actual TermInfo file.
+func readTermInfo(path string) (*TermInfo, error) {
+	// Open the terminfo file
+	file, err := os.Open(path)
+	defer file.Close()
+	if err != nil {
+		return nil, err
+	}
+
+	// magic, nameSize, boolSize, nrSNum, nrOffsetsStr, strSize
+	// Header is composed of the magic 0432 octal number, size of the name
+	// section, size of the boolean section, the amount of number values,
+	// the number of offsets of strings, and the size of the string section.
+	var header [6]int16
+	// Byte array is used to read in byte values
+	var byteArray []byte
+	// Short array is used to read in short values
+	var shArray []int16
+	// TermInfo object to store values
+	var term TermInfo
+
+	// Read in the header
+	err = binary.Read(file, binary.LittleEndian, &header)
+	if err != nil {
+		return nil, err
+	}
+	// If magic number isn't there or isn't correct, we have the wrong filetype
+	if header[0] != 0432 {
+		return nil, errors.New(fmt.Sprintf("Wrong filetype"))
+	}
+
+	// Read in the names
+	byteArray = make([]byte, header[1])
+	err = binary.Read(file, binary.LittleEndian, &byteArray)
+	if err != nil {
+		return nil, err
+	}
+	term.Names = strings.Split(string(byteArray), "|")
+
+	// Read in the booleans
+	byteArray = make([]byte, header[2])
+	err = binary.Read(file, binary.LittleEndian, &byteArray)
+	if err != nil {
+		return nil, err
+	}
+	term.boolAttributes = make(map[string]bool)
+	for i, b := range byteArray {
+		if b == 1 {
+			term.boolAttributes[BoolAttr[i*2+1]] = true
+		}
+	}
+	// If the number of bytes read is not even, a byte for alignment is added
+	// We know the header is an even number of bytes so only need to check the
+	// total of the names and booleans.
+	if (header[1]+header[2])%2 != 0 {
+		err = binary.Read(file, binary.LittleEndian, make([]byte, 1))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Read in shorts
+	shArray = make([]int16, header[3])
+	err = binary.Read(file, binary.LittleEndian, &shArray)
+	if err != nil {
+		return nil, err
+	}
+	term.numAttributes = make(map[string]int16)
+	for i, n := range shArray {
+		if n != 0377 && n > -1 {
+			term.numAttributes[NumAttr[i*2+1]] = n
+		}
+	}
+
+	// Read the offsets into the short array
+	shArray = make([]int16, header[4])
+	err = binary.Read(file, binary.LittleEndian, &shArray)
+	if err != nil {
+		return nil, err
+	}
+	// Read the actual strings in the byte array
+	byteArray = make([]byte, header[5])
+	err = binary.Read(file, binary.LittleEndian, &byteArray)
+	if err != nil {
+		return nil, err
+	}
+	term.strAttributes = make(map[string]string)
+	// We get an offset, and then iterate until the string is null-terminated
+	for i, offset := range shArray {
+		if offset > -1 {
+			if int(offset) >= len(byteArray) {
+				return nil, errors.New("array out of bounds reading string section")
+			}
+			r := bytes.IndexByte(byteArray[offset:], 0)
+			if r == -1 {
+				return nil, errors.New("missing nul byte reading string section")
+			}
+			r += int(offset)
+			term.strAttributes[StrAttr[i*2+1]] = string(byteArray[offset:r])
+		}
+	}
+	return &term, nil
+}
diff --git a/cli/vendor/github.com/Nvveen/Gotty/parser.go b/cli/vendor/github.com/Nvveen/Gotty/parser.go
new file mode 100644
index 00000000..a9d5d23c
--- /dev/null
+++ b/cli/vendor/github.com/Nvveen/Gotty/parser.go
@@ -0,0 +1,362 @@
+// Copyright 2012 Neal van Veen. All rights reserved.
+// Usage of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package gotty
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+var exp = [...]string{
+	"%%",
+	"%c",
+	"%s",
+	"%p(\\d)",
+	"%P([A-z])",
+	"%g([A-z])",
+	"%'(.)'",
+	"%{([0-9]+)}",
+	"%l",
+	"%\\+|%-|%\\*|%/|%m",
+	"%&|%\\||%\\^",
+	"%=|%>|%<",
+	"%A|%O",
+	"%!|%~",
+	"%i",
+	"%(:[\\ #\\-\\+]{0,4})?(\\d+\\.\\d+|\\d+)?[doxXs]",
+	"%\\?(.*?);",
+}
+
+var regex *regexp.Regexp
+var staticVar map[byte]stacker
+
+// Parses the attribute that is received with name attr and parameters params.
+func (term *TermInfo) Parse(attr string, params ...interface{}) (string, error) {
+	// Get the attribute name first.
+	iface, err := term.GetAttribute(attr)
+	str, ok := iface.(string)
+	if err != nil {
+		return "", err
+	}
+	if !ok {
+		return str, errors.New("Only string capabilities can be parsed.")
+	}
+	// Construct the hidden parser struct so we can use a recursive stack based
+	// parser.
+	ps := &parser{}
+	// Dynamic variables only exist in this context.
+	ps.dynamicVar = make(map[byte]stacker, 26)
+	ps.parameters = make([]stacker, len(params))
+	// Convert the parameters to insert them into the parser struct.
+	for i, x := range params {
+		ps.parameters[i] = x
+	}
+	// Recursively walk and return.
+	result, err := ps.walk(str)
+	return result, err
+}
+
+// Parses the attribute that is received with name attr and parameters params.
+// Only works on full name of a capability that is given, which it uses to
+// search for the termcap name.
+func (term *TermInfo) ParseName(attr string, params ...interface{}) (string, error) {
+	tc := GetTermcapName(attr)
+	return term.Parse(tc, params)
+}
+
+// Identify each token in a stack based manner and do the actual parsing.
+func (ps *parser) walk(attr string) (string, error) {
+	// We use a buffer to get the modified string.
+	var buf bytes.Buffer
+	// Next, find and identify all tokens by their indices and strings.
+	tokens := regex.FindAllStringSubmatch(attr, -1)
+	if len(tokens) == 0 {
+		return attr, nil
+	}
+	indices := regex.FindAllStringIndex(attr, -1)
+	q := 0 // q counts the matches of one token
+	// Iterate through the string per character.
+	for i := 0; i < len(attr); i++ {
+		// If the current position is an identified token, execute the following
+		// steps.
+		if q < len(indices) && i >= indices[q][0] && i < indices[q][1] {
+			// Switch on token.
+			switch {
+			case tokens[q][0][:2] == "%%":
+				// Literal percentage character.
+				buf.WriteByte('%')
+			case tokens[q][0][:2] == "%c":
+				// Pop a character.
+				c, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				buf.WriteByte(c.(byte))
+			case tokens[q][0][:2] == "%s":
+				// Pop a string.
+				str, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				if _, ok := str.(string); !ok {
+					return buf.String(), errors.New("Stack head is not a string")
+				}
+				buf.WriteString(str.(string))
+			case tokens[q][0][:2] == "%p":
+				// Push a parameter on the stack.
+				index, err := strconv.ParseInt(tokens[q][1], 10, 8)
+				index--
+				if err != nil {
+					return buf.String(), err
+				}
+				if int(index) >= len(ps.parameters) {
+					return buf.String(), errors.New("Parameters index out of bound")
+				}
+				ps.st.push(ps.parameters[index])
+			case tokens[q][0][:2] == "%P":
+				// Pop a variable from the stack as a dynamic or static variable.
+				val, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				index := tokens[q][2]
+				if len(index) > 1 {
+					errorStr := fmt.Sprintf("%s is not a valid dynamic variables index",
+						index)
+					return buf.String(), errors.New(errorStr)
+				}
+				// Specify either dynamic or static.
+				if index[0] >= 'a' && index[0] <= 'z' {
+					ps.dynamicVar[index[0]] = val
+				} else if index[0] >= 'A' && index[0] <= 'Z' {
+					staticVar[index[0]] = val
+				}
+			case tokens[q][0][:2] == "%g":
+				// Push a variable from the stack as a dynamic or static variable.
+				index := tokens[q][3]
+				if len(index) > 1 {
+					errorStr := fmt.Sprintf("%s is not a valid static variables index",
+						index)
+					return buf.String(), errors.New(errorStr)
+				}
+				var val stacker
+				if index[0] >= 'a' && index[0] <= 'z' {
+					val = ps.dynamicVar[index[0]]
+				} else if index[0] >= 'A' && index[0] <= 'Z' {
+					val = staticVar[index[0]]
+				}
+				ps.st.push(val)
+			case tokens[q][0][:2] == "%'":
+				// Push a character constant.
+				con := tokens[q][4]
+				if len(con) > 1 {
+					errorStr := fmt.Sprintf("%s is not a valid character constant", con)
+					return buf.String(), errors.New(errorStr)
+				}
+				ps.st.push(con[0])
+			case tokens[q][0][:2] == "%{":
+				// Push an integer constant.
+				con, err := strconv.ParseInt(tokens[q][5], 10, 32)
+				if err != nil {
+					return buf.String(), err
+				}
+				ps.st.push(con)
+			case tokens[q][0][:2] == "%l":
+				// Push the length of the string that is popped from the stack.
+				popStr, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				if _, ok := popStr.(string); !ok {
+					errStr := fmt.Sprintf("Stack head is not a string")
+					return buf.String(), errors.New(errStr)
+				}
+				ps.st.push(len(popStr.(string)))
+			case tokens[q][0][:2] == "%?":
+				// If-then-else construct. First, the whole string is identified and
+				// then inside this substring, we can specify which parts to switch on.
+				ifReg, _ := regexp.Compile("%\\?(.*)%t(.*)%e(.*);|%\\?(.*)%t(.*);")
+				ifTokens := ifReg.FindStringSubmatch(tokens[q][0])
+				var (
+					ifStr string
+					err   error
+				)
+				// Parse the if-part to determine if-else.
+				if len(ifTokens[1]) > 0 {
+					ifStr, err = ps.walk(ifTokens[1])
+				} else { // else
+					ifStr, err = ps.walk(ifTokens[4])
+				}
+				// Return any errors
+				if err != nil {
+					return buf.String(), err
+				} else if len(ifStr) > 0 {
+					// Self-defined limitation, not sure if this is correct, but didn't
+					// seem like it.
+					return buf.String(), errors.New("If-clause cannot print statements")
+				}
+				var thenStr string
+				// Pop the first value that is set by parsing the if-clause.
+				choose, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				// Switch to if or else.
+				if choose.(int) == 0 && len(ifTokens[1]) > 0 {
+					thenStr, err = ps.walk(ifTokens[3])
+				} else if choose.(int) != 0 {
+					if len(ifTokens[1]) > 0 {
+						thenStr, err = ps.walk(ifTokens[2])
+					} else {
+						thenStr, err = ps.walk(ifTokens[5])
+					}
+				}
+				if err != nil {
+					return buf.String(), err
+				}
+				buf.WriteString(thenStr)
+			case tokens[q][0][len(tokens[q][0])-1] == 'd': // Fallthrough for printing
+				fallthrough
+			case tokens[q][0][len(tokens[q][0])-1] == 'o': // digits.
+				fallthrough
+			case tokens[q][0][len(tokens[q][0])-1] == 'x':
+				fallthrough
+			case tokens[q][0][len(tokens[q][0])-1] == 'X':
+				fallthrough
+			case tokens[q][0][len(tokens[q][0])-1] == 's':
+				token := tokens[q][0]
+				// Remove the : that comes before a flag.
+				if token[1] == ':' {
+					token = token[:1] + token[2:]
+				}
+				digit, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				// The rest is determined like the normal formatted prints.
+				digitStr := fmt.Sprintf(token, digit.(int))
+				buf.WriteString(digitStr)
+			case tokens[q][0][:2] == "%i":
+				// Increment the parameters by one.
+				if len(ps.parameters) < 2 {
+					return buf.String(), errors.New("Not enough parameters to increment.")
+				}
+				val1, val2 := ps.parameters[0].(int), ps.parameters[1].(int)
+				val1++
+				val2++
+				ps.parameters[0], ps.parameters[1] = val1, val2
+			default:
+				// The rest of the tokens is a special case, where two values are
+				// popped and then operated on by the token that comes after them.
+				op1, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				op2, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				var result stacker
+				switch tokens[q][0][:2] {
+				case "%+":
+					// Addition
+					result = op2.(int) + op1.(int)
+				case "%-":
+					// Subtraction
+					result = op2.(int) - op1.(int)
+				case "%*":
+					// Multiplication
+					result = op2.(int) * op1.(int)
+				case "%/":
+					// Division
+					result = op2.(int) / op1.(int)
+				case "%m":
+					// Modulo
+					result = op2.(int) % op1.(int)
+				case "%&":
+					// Bitwise AND
+					result = op2.(int) & op1.(int)
+				case "%|":
+					// Bitwise OR
+					result = op2.(int) | op1.(int)
+				case "%^":
+					// Bitwise XOR
+					result = op2.(int) ^ op1.(int)
+				case "%=":
+					// Equals
+					result = op2 == op1
+				case "%>":
+					// Greater-than
+					result = op2.(int) > op1.(int)
+				case "%<":
+					// Lesser-than
+					result = op2.(int) < op1.(int)
+				case "%A":
+					// Logical AND
+					result = op2.(bool) && op1.(bool)
+				case "%O":
+					// Logical OR
+					result = op2.(bool) || op1.(bool)
+				case "%!":
+					// Logical complement
+					result = !op1.(bool)
+				case "%~":
+					// Bitwise complement
+					result = ^(op1.(int))
+				}
+				ps.st.push(result)
+			}
+
+			i = indices[q][1] - 1
+			q++
+		} else {
+			// We are not "inside" a token, so just skip until the end or the next
+			// token, and add all characters to the buffer.
+			j := i
+			if q != len(indices) {
+				for !(j >= indices[q][0] && j < indices[q][1]) {
+					j++
+				}
+			} else {
+				j = len(attr)
+			}
+			buf.WriteString(string(attr[i:j]))
+			i = j
+		}
+	}
+	// Return the buffer as a string.
+	return buf.String(), nil
+}
+
+// Push a stacker-value onto the stack.
+func (st *stack) push(s stacker) {
+	*st = append(*st, s)
+}
+
+// Pop a stacker-value from the stack.
+func (st *stack) pop() (stacker, error) {
+	if len(*st) == 0 {
+		return nil, errors.New("Stack is empty.")
+	}
+	newStack := make(stack, len(*st)-1)
+	val := (*st)[len(*st)-1]
+	copy(newStack, (*st)[:len(*st)-1])
+	*st = newStack
+	return val, nil
+}
+
+// Initialize regexes and the static vars (that don't get changed between
+// calls.
+func init() {
+	// Initialize the main regex.
+	expStr := strings.Join(exp[:], "|")
+	regex, _ = regexp.Compile(expStr)
+	// Initialize the static variables.
+	staticVar = make(map[byte]stacker, 26)
+}
diff --git a/cli/vendor/github.com/Nvveen/Gotty/types.go b/cli/vendor/github.com/Nvveen/Gotty/types.go
new file mode 100644
index 00000000..9bcc65e9
--- /dev/null
+++ b/cli/vendor/github.com/Nvveen/Gotty/types.go
@@ -0,0 +1,23 @@
+// Copyright 2012 Neal van Veen. All rights reserved.
+// Usage of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package gotty
+
+type TermInfo struct {
+	boolAttributes map[string]bool
+	numAttributes  map[string]int16
+	strAttributes  map[string]string
+	// The various names of the TermInfo file.
+	Names []string
+}
+
+type stacker interface {
+}
+type stack []stacker
+
+type parser struct {
+	st         stack
+	parameters []stacker
+	dynamicVar map[byte]stacker
+}
diff --git a/cli/vendor/github.com/containerd/continuity/LICENSE b/cli/vendor/github.com/containerd/continuity/LICENSE
new file mode 100644
index 00000000..8f71f43f
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/LICENSE
@@ -0,0 +1,202 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
diff --git a/cli/vendor/github.com/containerd/continuity/README.md b/cli/vendor/github.com/containerd/continuity/README.md
new file mode 100644
index 00000000..0e91ce07
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/README.md
@@ -0,0 +1,74 @@
+# continuity
+
+[![GoDoc](https://godoc.org/github.com/containerd/continuity?status.svg)](https://godoc.org/github.com/containerd/continuity)
+[![Build Status](https://travis-ci.org/containerd/continuity.svg?branch=master)](https://travis-ci.org/containerd/continuity)
+
+A transport-agnostic, filesystem metadata manifest system
+
+This project is a staging area for experiments in providing transport agnostic
+metadata storage.
+
+Please see https://github.com/opencontainers/specs/issues/11 for more details.
+
+## Manifest Format
+
+A continuity manifest encodes filesystem metadata in Protocol Buffers.
+Please refer to [proto/manifest.proto](proto/manifest.proto).
+
+## Usage
+
+Build:
+
+```console
+$ make
+```
+
+Create a manifest (of this repo itself):
+
+```console
+$ ./bin/continuity build . > /tmp/a.pb
+```
+
+Dump a manifest:
+
+```console
+$ ./bin/continuity ls /tmp/a.pb
+...
+-rw-rw-r--      270 B   /.gitignore
+-rw-rw-r--      88 B    /.mailmap
+-rw-rw-r--      187 B   /.travis.yml
+-rw-rw-r--      359 B   /AUTHORS
+-rw-rw-r--      11 kB   /LICENSE
+-rw-rw-r--      1.5 kB  /Makefile
+...
+-rw-rw-r--      986 B   /testutil_test.go
+drwxrwxr-x      0 B     /version
+-rw-rw-r--      478 B   /version/version.go
+```
+
+Verify a manifest:
+
+```console
+$ ./bin/continuity verify . /tmp/a.pb
+```
+
+Break the directory and restore using the manifest:
+```console
+$ chmod 777 Makefile
+$ ./bin/continuity verify . /tmp/a.pb
+2017/06/23 08:00:34 error verifying manifest: resource "/Makefile" has incorrect mode: -rwxrwxrwx != -rw-rw-r--
+$ ./bin/continuity apply . /tmp/a.pb
+$ stat -c %a Makefile
+664
+$ ./bin/continuity verify . /tmp/a.pb
+```
+
+
+## Contribution Guide
+### Building Proto Package
+
+If you change the proto file you will need to rebuild the generated Go with `go generate`.
+
+```console
+$ go generate ./proto
+```
diff --git a/cli/vendor/github.com/containerd/continuity/pathdriver/path_driver.go b/cli/vendor/github.com/containerd/continuity/pathdriver/path_driver.go
new file mode 100644
index 00000000..b43d55fe
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/pathdriver/path_driver.go
@@ -0,0 +1,85 @@
+package pathdriver
+
+import (
+	"path/filepath"
+)
+
+// PathDriver provides all of the path manipulation functions in a common
+// interface. The context should call these and never use the `filepath`
+// package or any other package to manipulate paths.
+type PathDriver interface {
+	Join(paths ...string) string
+	IsAbs(path string) bool
+	Rel(base, target string) (string, error)
+	Base(path string) string
+	Dir(path string) string
+	Clean(path string) string
+	Split(path string) (dir, file string)
+	Separator() byte
+	Abs(path string) (string, error)
+	Walk(string, filepath.WalkFunc) error
+	FromSlash(path string) string
+	ToSlash(path string) string
+	Match(pattern, name string) (matched bool, err error)
+}
+
+// pathDriver is a simple default implementation calls the filepath package.
+type pathDriver struct{}
+
+// LocalPathDriver is the exported pathDriver struct for convenience.
+var LocalPathDriver PathDriver = &pathDriver{}
+
+func (*pathDriver) Join(paths ...string) string {
+	return filepath.Join(paths...)
+}
+
+func (*pathDriver) IsAbs(path string) bool {
+	return filepath.IsAbs(path)
+}
+
+func (*pathDriver) Rel(base, target string) (string, error) {
+	return filepath.Rel(base, target)
+}
+
+func (*pathDriver) Base(path string) string {
+	return filepath.Base(path)
+}
+
+func (*pathDriver) Dir(path string) string {
+	return filepath.Dir(path)
+}
+
+func (*pathDriver) Clean(path string) string {
+	return filepath.Clean(path)
+}
+
+func (*pathDriver) Split(path string) (dir, file string) {
+	return filepath.Split(path)
+}
+
+func (*pathDriver) Separator() byte {
+	return filepath.Separator
+}
+
+func (*pathDriver) Abs(path string) (string, error) {
+	return filepath.Abs(path)
+}
+
+// Note that filepath.Walk calls os.Stat, so if the context wants to
+// to call Driver.Stat() for Walk, they need to create a new struct that
+// overrides this method.
+func (*pathDriver) Walk(root string, walkFn filepath.WalkFunc) error {
+	return filepath.Walk(root, walkFn)
+}
+
+func (*pathDriver) FromSlash(path string) string {
+	return filepath.FromSlash(path)
+}
+
+func (*pathDriver) ToSlash(path string) string {
+	return filepath.ToSlash(path)
+}
+
+func (*pathDriver) Match(pattern, name string) (bool, error) {
+	return filepath.Match(pattern, name)
+}
diff --git a/cli/vendor/github.com/containerd/continuity/syscallx/syscall_unix.go b/cli/vendor/github.com/containerd/continuity/syscallx/syscall_unix.go
new file mode 100644
index 00000000..4205d1e8
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/syscallx/syscall_unix.go
@@ -0,0 +1,10 @@
+// +build !windows
+
+package syscallx
+
+import "syscall"
+
+// Readlink returns the destination of the named symbolic link.
+func Readlink(path string, buf []byte) (n int, err error) {
+	return syscall.Readlink(path, buf)
+}
diff --git a/cli/vendor/github.com/containerd/continuity/syscallx/syscall_windows.go b/cli/vendor/github.com/containerd/continuity/syscallx/syscall_windows.go
new file mode 100644
index 00000000..9637a287
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/syscallx/syscall_windows.go
@@ -0,0 +1,96 @@
+package syscallx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+type reparseDataBuffer struct {
+	ReparseTag        uint32
+	ReparseDataLength uint16
+	Reserved          uint16
+
+	// GenericReparseBuffer
+	reparseBuffer byte
+}
+
+type mountPointReparseBuffer struct {
+	SubstituteNameOffset uint16
+	SubstituteNameLength uint16
+	PrintNameOffset      uint16
+	PrintNameLength      uint16
+	PathBuffer           [1]uint16
+}
+
+type symbolicLinkReparseBuffer struct {
+	SubstituteNameOffset uint16
+	SubstituteNameLength uint16
+	PrintNameOffset      uint16
+	PrintNameLength      uint16
+	Flags                uint32
+	PathBuffer           [1]uint16
+}
+
+const (
+	_IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003
+	_SYMLINK_FLAG_RELATIVE      = 1
+)
+
+// Readlink returns the destination of the named symbolic link.
+func Readlink(path string, buf []byte) (n int, err error) {
+	fd, err := syscall.CreateFile(syscall.StringToUTF16Ptr(path), syscall.GENERIC_READ, 0, nil, syscall.OPEN_EXISTING,
+		syscall.FILE_FLAG_OPEN_REPARSE_POINT|syscall.FILE_FLAG_BACKUP_SEMANTICS, 0)
+	if err != nil {
+		return -1, err
+	}
+	defer syscall.CloseHandle(fd)
+
+	rdbbuf := make([]byte, syscall.MAXIMUM_REPARSE_DATA_BUFFER_SIZE)
+	var bytesReturned uint32
+	err = syscall.DeviceIoControl(fd, syscall.FSCTL_GET_REPARSE_POINT, nil, 0, &rdbbuf[0], uint32(len(rdbbuf)), &bytesReturned, nil)
+	if err != nil {
+		return -1, err
+	}
+
+	rdb := (*reparseDataBuffer)(unsafe.Pointer(&rdbbuf[0]))
+	var s string
+	switch rdb.ReparseTag {
+	case syscall.IO_REPARSE_TAG_SYMLINK:
+		data := (*symbolicLinkReparseBuffer)(unsafe.Pointer(&rdb.reparseBuffer))
+		p := (*[0xffff]uint16)(unsafe.Pointer(&data.PathBuffer[0]))
+		s = syscall.UTF16ToString(p[data.SubstituteNameOffset/2 : (data.SubstituteNameOffset+data.SubstituteNameLength)/2])
+		if data.Flags&_SYMLINK_FLAG_RELATIVE == 0 {
+			if len(s) >= 4 && s[:4] == `\??\` {
+				s = s[4:]
+				switch {
+				case len(s) >= 2 && s[1] == ':': // \??\C:\foo\bar
+					// do nothing
+				case len(s) >= 4 && s[:4] == `UNC\`: // \??\UNC\foo\bar
+					s = `\\` + s[4:]
+				default:
+					// unexpected; do nothing
+				}
+			} else {
+				// unexpected; do nothing
+			}
+		}
+	case _IO_REPARSE_TAG_MOUNT_POINT:
+		data := (*mountPointReparseBuffer)(unsafe.Pointer(&rdb.reparseBuffer))
+		p := (*[0xffff]uint16)(unsafe.Pointer(&data.PathBuffer[0]))
+		s = syscall.UTF16ToString(p[data.SubstituteNameOffset/2 : (data.SubstituteNameOffset+data.SubstituteNameLength)/2])
+		if len(s) >= 4 && s[:4] == `\??\` { // \??\C:\foo\bar
+			if len(s) < 48 || s[:11] != `\??\Volume{` {
+				s = s[4:]
+			}
+		} else {
+			// unexpected; do nothing
+		}
+	default:
+		// the path is not a symlink or junction but another type of reparse
+		// point
+		return -1, syscall.ENOENT
+	}
+	n = copy(buf, []byte(s))
+
+	return n, nil
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/asm.s b/cli/vendor/github.com/containerd/continuity/sysx/asm.s
new file mode 100644
index 00000000..8ed2fdb9
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/asm.s
@@ -0,0 +1,10 @@
+// Copyright 2014 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !gccgo
+
+#include "textflag.h"
+
+TEXT ·use(SB),NOSPLIT,$0
+	RET
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin.go b/cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin.go
new file mode 100644
index 00000000..e3ae2b7b
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin.go
@@ -0,0 +1,18 @@
+package sysx
+
+const (
+	// AtSymlinkNoFollow defined from AT_SYMLINK_NOFOLLOW in <sys/fcntl.h>
+	AtSymlinkNofollow = 0x20
+)
+
+const (
+
+	// SYS_FCHMODAT defined from golang.org/sys/unix
+	SYS_FCHMODAT = 467
+)
+
+// These functions will be generated by generate.sh
+//    $ GOOS=darwin GOARCH=386 ./generate.sh chmod
+//    $ GOOS=darwin GOARCH=amd64 ./generate.sh chmod
+
+//sys  Fchmodat(dirfd int, path string, mode uint32, flags int) (err error)
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin_386.go b/cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin_386.go
new file mode 100644
index 00000000..5a8cf5b5
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin_386.go
@@ -0,0 +1,25 @@
+// mksyscall.pl -l32 chmod_darwin.go
+// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func Fchmodat(dirfd int, path string, mode uint32, flags int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall.Syscall6(SYS_FCHMODAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(flags), 0, 0)
+	use(unsafe.Pointer(_p0))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin_amd64.go b/cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin_amd64.go
new file mode 100644
index 00000000..3287d1d5
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/chmod_darwin_amd64.go
@@ -0,0 +1,25 @@
+// mksyscall.pl chmod_darwin.go
+// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func Fchmodat(dirfd int, path string, mode uint32, flags int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall.Syscall6(SYS_FCHMODAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(flags), 0, 0)
+	use(unsafe.Pointer(_p0))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/chmod_freebsd.go b/cli/vendor/github.com/containerd/continuity/sysx/chmod_freebsd.go
new file mode 100644
index 00000000..b64a708b
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/chmod_freebsd.go
@@ -0,0 +1,17 @@
+package sysx
+
+const (
+	// AtSymlinkNoFollow defined from AT_SYMLINK_NOFOLLOW in <sys/fcntl.h>
+	AtSymlinkNofollow = 0x200
+)
+
+const (
+
+	// SYS_FCHMODAT defined from golang.org/sys/unix
+	SYS_FCHMODAT = 490
+)
+
+// These functions will be generated by generate.sh
+//    $ GOOS=freebsd GOARCH=amd64 ./generate.sh chmod
+
+//sys  Fchmodat(dirfd int, path string, mode uint32, flags int) (err error)
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/chmod_freebsd_amd64.go b/cli/vendor/github.com/containerd/continuity/sysx/chmod_freebsd_amd64.go
new file mode 100644
index 00000000..5a271abb
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/chmod_freebsd_amd64.go
@@ -0,0 +1,25 @@
+// mksyscall.pl chmod_freebsd.go
+// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func Fchmodat(dirfd int, path string, mode uint32, flags int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall.Syscall6(SYS_FCHMODAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(flags), 0, 0)
+	use(unsafe.Pointer(_p0))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/chmod_linux.go b/cli/vendor/github.com/containerd/continuity/sysx/chmod_linux.go
new file mode 100644
index 00000000..89df6d38
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/chmod_linux.go
@@ -0,0 +1,12 @@
+package sysx
+
+import "syscall"
+
+const (
+	// AtSymlinkNoFollow defined from AT_SYMLINK_NOFOLLOW in /usr/include/linux/fcntl.h
+	AtSymlinkNofollow = 0x100
+)
+
+func Fchmodat(dirfd int, path string, mode uint32, flags int) error {
+	return syscall.Fchmodat(dirfd, path, mode, flags)
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/chmod_solaris.go b/cli/vendor/github.com/containerd/continuity/sysx/chmod_solaris.go
new file mode 100644
index 00000000..3ba6e5ed
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/chmod_solaris.go
@@ -0,0 +1,11 @@
+package sysx
+
+import "golang.org/x/sys/unix"
+
+const (
+	AtSymlinkNofollow = unix.AT_SYMLINK_NOFOLLOW
+)
+
+func Fchmodat(dirfd int, path string, mode uint32, flags int) error {
+	return unix.Fchmodat(dirfd, path, mode, flags)
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/file_posix.go b/cli/vendor/github.com/containerd/continuity/sysx/file_posix.go
new file mode 100644
index 00000000..d0784f81
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/file_posix.go
@@ -0,0 +1,112 @@
+package sysx
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/containerd/continuity/syscallx"
+)
+
+// Readlink returns the destination of the named symbolic link.
+// If there is an error, it will be of type *PathError.
+func Readlink(name string) (string, error) {
+	for len := 128; ; len *= 2 {
+		b := make([]byte, len)
+		n, e := fixCount(syscallx.Readlink(fixLongPath(name), b))
+		if e != nil {
+			return "", &os.PathError{Op: "readlink", Path: name, Err: e}
+		}
+		if n < len {
+			return string(b[0:n]), nil
+		}
+	}
+}
+
+// Many functions in package syscall return a count of -1 instead of 0.
+// Using fixCount(call()) instead of call() corrects the count.
+func fixCount(n int, err error) (int, error) {
+	if n < 0 {
+		n = 0
+	}
+	return n, err
+}
+
+// fixLongPath returns the extended-length (\\?\-prefixed) form of
+// path when needed, in order to avoid the default 260 character file
+// path limit imposed by Windows. If path is not easily converted to
+// the extended-length form (for example, if path is a relative path
+// or contains .. elements), or is short enough, fixLongPath returns
+// path unmodified.
+//
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx#maxpath
+func fixLongPath(path string) string {
+	// Do nothing (and don't allocate) if the path is "short".
+	// Empirically (at least on the Windows Server 2013 builder),
+	// the kernel is arbitrarily okay with < 248 bytes. That
+	// matches what the docs above say:
+	// "When using an API to create a directory, the specified
+	// path cannot be so long that you cannot append an 8.3 file
+	// name (that is, the directory name cannot exceed MAX_PATH
+	// minus 12)." Since MAX_PATH is 260, 260 - 12 = 248.
+	//
+	// The MSDN docs appear to say that a normal path that is 248 bytes long
+	// will work; empirically the path must be less then 248 bytes long.
+	if len(path) < 248 {
+		// Don't fix. (This is how Go 1.7 and earlier worked,
+		// not automatically generating the \\?\ form)
+		return path
+	}
+
+	// The extended form begins with \\?\, as in
+	// \\?\c:\windows\foo.txt or \\?\UNC\server\share\foo.txt.
+	// The extended form disables evaluation of . and .. path
+	// elements and disables the interpretation of / as equivalent
+	// to \. The conversion here rewrites / to \ and elides
+	// . elements as well as trailing or duplicate separators. For
+	// simplicity it avoids the conversion entirely for relative
+	// paths or paths containing .. elements. For now,
+	// \\server\share paths are not converted to
+	// \\?\UNC\server\share paths because the rules for doing so
+	// are less well-specified.
+	if len(path) >= 2 && path[:2] == `\\` {
+		// Don't canonicalize UNC paths.
+		return path
+	}
+	if !filepath.IsAbs(path) {
+		// Relative path
+		return path
+	}
+
+	const prefix = `\\?`
+
+	pathbuf := make([]byte, len(prefix)+len(path)+len(`\`))
+	copy(pathbuf, prefix)
+	n := len(path)
+	r, w := 0, len(prefix)
+	for r < n {
+		switch {
+		case os.IsPathSeparator(path[r]):
+			// empty block
+			r++
+		case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+			// /./
+			r++
+		case r+1 < n && path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+			// /../ is currently unhandled
+			return path
+		default:
+			pathbuf[w] = '\\'
+			w++
+			for ; r < n && !os.IsPathSeparator(path[r]); r++ {
+				pathbuf[w] = path[r]
+				w++
+			}
+		}
+	}
+	// A drive's root directory needs a trailing \
+	if w == len(`\\?\c:`) {
+		pathbuf[w] = '\\'
+		w++
+	}
+	return string(pathbuf[:w])
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/nodata_linux.go b/cli/vendor/github.com/containerd/continuity/sysx/nodata_linux.go
new file mode 100644
index 00000000..fc47ddb8
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/nodata_linux.go
@@ -0,0 +1,7 @@
+package sysx
+
+import (
+	"syscall"
+)
+
+const ENODATA = syscall.ENODATA
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/nodata_solaris.go b/cli/vendor/github.com/containerd/continuity/sysx/nodata_solaris.go
new file mode 100644
index 00000000..53cc8e06
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/nodata_solaris.go
@@ -0,0 +1,8 @@
+package sysx
+
+import (
+	"syscall"
+)
+
+// This should actually be a set that contains ENOENT and EPERM
+const ENODATA = syscall.ENOENT
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/nodata_unix.go b/cli/vendor/github.com/containerd/continuity/sysx/nodata_unix.go
new file mode 100644
index 00000000..7e685120
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/nodata_unix.go
@@ -0,0 +1,9 @@
+// +build darwin freebsd
+
+package sysx
+
+import (
+	"syscall"
+)
+
+const ENODATA = syscall.ENOATTR
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/sys.go b/cli/vendor/github.com/containerd/continuity/sysx/sys.go
new file mode 100644
index 00000000..0bb16762
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/sys.go
@@ -0,0 +1,37 @@
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+var _zero uintptr
+
+// use is a no-op, but the compiler cannot see that it is.
+// Calling use(p) ensures that p is kept live until that point.
+//go:noescape
+func use(p unsafe.Pointer)
+
+// Do the interface allocations only once for common
+// Errno values.
+var (
+	errEAGAIN error = syscall.EAGAIN
+	errEINVAL error = syscall.EINVAL
+	errENOENT error = syscall.ENOENT
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return nil
+	case syscall.EAGAIN:
+		return errEAGAIN
+	case syscall.EINVAL:
+		return errEINVAL
+	case syscall.ENOENT:
+		return errENOENT
+	}
+	return e
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/xattr.go b/cli/vendor/github.com/containerd/continuity/sysx/xattr.go
new file mode 100644
index 00000000..20937c2d
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/xattr.go
@@ -0,0 +1,67 @@
+package sysx
+
+import (
+	"bytes"
+	"fmt"
+	"syscall"
+)
+
+const defaultXattrBufferSize = 5
+
+var ErrNotSupported = fmt.Errorf("not supported")
+
+type listxattrFunc func(path string, dest []byte) (int, error)
+
+func listxattrAll(path string, listFunc listxattrFunc) ([]string, error) {
+	var p []byte // nil on first execution
+
+	for {
+		n, err := listFunc(path, p) // first call gets buffer size.
+		if err != nil {
+			return nil, err
+		}
+
+		if n > len(p) {
+			p = make([]byte, n)
+			continue
+		}
+
+		p = p[:n]
+
+		ps := bytes.Split(bytes.TrimSuffix(p, []byte{0}), []byte{0})
+		var entries []string
+		for _, p := range ps {
+			s := string(p)
+			if s != "" {
+				entries = append(entries, s)
+			}
+		}
+
+		return entries, nil
+	}
+}
+
+type getxattrFunc func(string, string, []byte) (int, error)
+
+func getxattrAll(path, attr string, getFunc getxattrFunc) ([]byte, error) {
+	p := make([]byte, defaultXattrBufferSize)
+	for {
+		n, err := getFunc(path, attr, p)
+		if err != nil {
+			if errno, ok := err.(syscall.Errno); ok && errno == syscall.ERANGE {
+				p = make([]byte, len(p)*2) // this can't be ideal.
+				continue                   // try again!
+			}
+
+			return nil, err
+		}
+
+		// realloc to correct size and repeat
+		if n > len(p) {
+			p = make([]byte, n)
+			continue
+		}
+
+		return p[:n], nil
+	}
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin.go b/cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin.go
new file mode 100644
index 00000000..1164a7d1
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin.go
@@ -0,0 +1,71 @@
+package sysx
+
+// These functions will be generated by generate.sh
+//    $ GOOS=darwin GOARCH=386 ./generate.sh xattr
+//    $ GOOS=darwin GOARCH=amd64 ./generate.sh xattr
+
+//sys  getxattr(path string, attr string, dest []byte, pos int, options int) (sz int, err error)
+//sys  setxattr(path string, attr string, data []byte, flags int) (err error)
+//sys  removexattr(path string, attr string, options int) (err error)
+//sys  listxattr(path string, dest []byte, options int) (sz int, err error)
+//sys  Fchmodat(dirfd int, path string, mode uint32, flags int) (err error)
+
+const (
+	xattrNoFollow = 0x01
+)
+
+func listxattrFollow(path string, dest []byte) (sz int, err error) {
+	return listxattr(path, dest, 0)
+}
+
+// Listxattr calls syscall getxattr
+func Listxattr(path string) ([]string, error) {
+	return listxattrAll(path, listxattrFollow)
+}
+
+// Removexattr calls syscall getxattr
+func Removexattr(path string, attr string) (err error) {
+	return removexattr(path, attr, 0)
+}
+
+// Setxattr calls syscall setxattr
+func Setxattr(path string, attr string, data []byte, flags int) (err error) {
+	return setxattr(path, attr, data, flags)
+}
+
+func getxattrFollow(path, attr string, dest []byte) (sz int, err error) {
+	return getxattr(path, attr, dest, 0, 0)
+}
+
+// Getxattr calls syscall getxattr
+func Getxattr(path, attr string) ([]byte, error) {
+	return getxattrAll(path, attr, getxattrFollow)
+}
+
+func listxattrNoFollow(path string, dest []byte) (sz int, err error) {
+	return listxattr(path, dest, xattrNoFollow)
+}
+
+// LListxattr calls syscall listxattr with XATTR_NOFOLLOW
+func LListxattr(path string) ([]string, error) {
+	return listxattrAll(path, listxattrNoFollow)
+}
+
+// LRemovexattr calls syscall removexattr with XATTR_NOFOLLOW
+func LRemovexattr(path string, attr string) (err error) {
+	return removexattr(path, attr, xattrNoFollow)
+}
+
+// Setxattr calls syscall setxattr with XATTR_NOFOLLOW
+func LSetxattr(path string, attr string, data []byte, flags int) (err error) {
+	return setxattr(path, attr, data, flags|xattrNoFollow)
+}
+
+func getxattrNoFollow(path, attr string, dest []byte) (sz int, err error) {
+	return getxattr(path, attr, dest, 0, xattrNoFollow)
+}
+
+// LGetxattr calls syscall getxattr with XATTR_NOFOLLOW
+func LGetxattr(path, attr string) ([]byte, error) {
+	return getxattrAll(path, attr, getxattrNoFollow)
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin_386.go b/cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin_386.go
new file mode 100644
index 00000000..aa896b57
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin_386.go
@@ -0,0 +1,111 @@
+// mksyscall.pl -l32 xattr_darwin.go
+// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func getxattr(path string, attr string, dest []byte, pos int, options int) (sz int, err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	var _p2 unsafe.Pointer
+	if len(dest) > 0 {
+		_p2 = unsafe.Pointer(&dest[0])
+	} else {
+		_p2 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall.Syscall6(syscall.SYS_GETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(_p2), uintptr(len(dest)), uintptr(pos), uintptr(options))
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	sz = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func setxattr(path string, attr string, data []byte, flags int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	var _p2 unsafe.Pointer
+	if len(data) > 0 {
+		_p2 = unsafe.Pointer(&data[0])
+	} else {
+		_p2 = unsafe.Pointer(&_zero)
+	}
+	_, _, e1 := syscall.Syscall6(syscall.SYS_SETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(_p2), uintptr(len(data)), uintptr(flags), 0)
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func removexattr(path string, attr string, options int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall.Syscall(syscall.SYS_REMOVEXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(options))
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func listxattr(path string, dest []byte, options int) (sz int, err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 unsafe.Pointer
+	if len(dest) > 0 {
+		_p1 = unsafe.Pointer(&dest[0])
+	} else {
+		_p1 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall.Syscall6(syscall.SYS_LISTXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(_p1), uintptr(len(dest)), uintptr(options), 0, 0)
+	use(unsafe.Pointer(_p0))
+	sz = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin_amd64.go b/cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin_amd64.go
new file mode 100644
index 00000000..6ff27e27
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/xattr_darwin_amd64.go
@@ -0,0 +1,111 @@
+// mksyscall.pl xattr_darwin.go
+// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func getxattr(path string, attr string, dest []byte, pos int, options int) (sz int, err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	var _p2 unsafe.Pointer
+	if len(dest) > 0 {
+		_p2 = unsafe.Pointer(&dest[0])
+	} else {
+		_p2 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall.Syscall6(syscall.SYS_GETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(_p2), uintptr(len(dest)), uintptr(pos), uintptr(options))
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	sz = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func setxattr(path string, attr string, data []byte, flags int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	var _p2 unsafe.Pointer
+	if len(data) > 0 {
+		_p2 = unsafe.Pointer(&data[0])
+	} else {
+		_p2 = unsafe.Pointer(&_zero)
+	}
+	_, _, e1 := syscall.Syscall6(syscall.SYS_SETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(_p2), uintptr(len(data)), uintptr(flags), 0)
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func removexattr(path string, attr string, options int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall.Syscall(syscall.SYS_REMOVEXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(options))
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func listxattr(path string, dest []byte, options int) (sz int, err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 unsafe.Pointer
+	if len(dest) > 0 {
+		_p1 = unsafe.Pointer(&dest[0])
+	} else {
+		_p1 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall.Syscall6(syscall.SYS_LISTXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(_p1), uintptr(len(dest)), uintptr(options), 0, 0)
+	use(unsafe.Pointer(_p0))
+	sz = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/xattr_freebsd.go b/cli/vendor/github.com/containerd/continuity/sysx/xattr_freebsd.go
new file mode 100644
index 00000000..e8017d31
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/xattr_freebsd.go
@@ -0,0 +1,12 @@
+package sysx
+
+import (
+	"errors"
+)
+
+// Initial stub version for FreeBSD. FreeBSD has a different
+// syscall API from Darwin and Linux for extended attributes;
+// it is also not widely used. It is not exposed at all by the
+// Go syscall package, so we need to implement directly eventually.
+
+var unsupported = errors.New("extended attributes unsupported on FreeBSD")
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/xattr_linux.go b/cli/vendor/github.com/containerd/continuity/sysx/xattr_linux.go
new file mode 100644
index 00000000..311b896d
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/xattr_linux.go
@@ -0,0 +1,44 @@
+package sysx
+
+import "golang.org/x/sys/unix"
+
+// Listxattr calls syscall listxattr and reads all content
+// and returns a string array
+func Listxattr(path string) ([]string, error) {
+	return listxattrAll(path, unix.Listxattr)
+}
+
+// Removexattr calls syscall removexattr
+func Removexattr(path string, attr string) (err error) {
+	return unix.Removexattr(path, attr)
+}
+
+// Setxattr calls syscall setxattr
+func Setxattr(path string, attr string, data []byte, flags int) (err error) {
+	return unix.Setxattr(path, attr, data, flags)
+}
+
+// Getxattr calls syscall getxattr
+func Getxattr(path, attr string) ([]byte, error) {
+	return getxattrAll(path, attr, unix.Getxattr)
+}
+
+// LListxattr lists xattrs, not following symlinks
+func LListxattr(path string) ([]string, error) {
+	return listxattrAll(path, unix.Llistxattr)
+}
+
+// LRemovexattr removes an xattr, not following symlinks
+func LRemovexattr(path string, attr string) (err error) {
+	return unix.Lremovexattr(path, attr)
+}
+
+// LSetxattr sets an xattr, not following symlinks
+func LSetxattr(path string, attr string, data []byte, flags int) (err error) {
+	return unix.Lsetxattr(path, attr, data, flags)
+}
+
+// LGetxattr gets an xattr, not following symlinks
+func LGetxattr(path, attr string) ([]byte, error) {
+	return getxattrAll(path, attr, unix.Lgetxattr)
+}
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/xattr_openbsd.go b/cli/vendor/github.com/containerd/continuity/sysx/xattr_openbsd.go
new file mode 100644
index 00000000..72361997
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/xattr_openbsd.go
@@ -0,0 +1,7 @@
+package sysx
+
+import (
+	"errors"
+)
+
+var unsupported = errors.New("extended attributes unsupported on OpenBSD")
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/xattr_solaris.go b/cli/vendor/github.com/containerd/continuity/sysx/xattr_solaris.go
new file mode 100644
index 00000000..fc523fcb
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/xattr_solaris.go
@@ -0,0 +1,12 @@
+package sysx
+
+import (
+	"errors"
+)
+
+// Initial stub version for Solaris. Solaris has a different
+// syscall API from Darwin and Linux for extended attributes;
+// it is also not widely used. It is not exposed at all by the
+// Go syscall package, so we need to implement directly eventually.
+
+var unsupported = errors.New("extended attributes unsupported on Solaris")
diff --git a/cli/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go b/cli/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go
new file mode 100644
index 00000000..c8389bc1
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go
@@ -0,0 +1,44 @@
+// +build freebsd openbsd solaris
+
+package sysx
+
+// Listxattr calls syscall listxattr and reads all content
+// and returns a string array
+func Listxattr(path string) ([]string, error) {
+	return []string{}, nil
+}
+
+// Removexattr calls syscall removexattr
+func Removexattr(path string, attr string) (err error) {
+	return unsupported
+}
+
+// Setxattr calls syscall setxattr
+func Setxattr(path string, attr string, data []byte, flags int) (err error) {
+	return unsupported
+}
+
+// Getxattr calls syscall getxattr
+func Getxattr(path, attr string) ([]byte, error) {
+	return []byte{}, unsupported
+}
+
+// LListxattr lists xattrs, not following symlinks
+func LListxattr(path string) ([]string, error) {
+	return []string{}, nil
+}
+
+// LRemovexattr removes an xattr, not following symlinks
+func LRemovexattr(path string, attr string) (err error) {
+	return unsupported
+}
+
+// LSetxattr sets an xattr, not following symlinks
+func LSetxattr(path string, attr string, data []byte, flags int) (err error) {
+	return unsupported
+}
+
+// LGetxattr gets an xattr, not following symlinks
+func LGetxattr(path, attr string) ([]byte, error) {
+	return []byte{}, nil
+}
diff --git a/cli/vendor/github.com/containerd/continuity/vendor.conf b/cli/vendor/github.com/containerd/continuity/vendor.conf
new file mode 100644
index 00000000..7c80deec
--- /dev/null
+++ b/cli/vendor/github.com/containerd/continuity/vendor.conf
@@ -0,0 +1,13 @@
+bazil.org/fuse 371fbbdaa8987b715bdd21d6adc4c9b20155f748
+github.com/dustin/go-humanize bb3d318650d48840a39aa21a027c6630e198e626
+github.com/golang/protobuf 1e59b77b52bf8e4b449a57e6f79f21226d571845
+github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
+github.com/opencontainers/go-digest 279bed98673dd5bef374d3b6e4b09e2af76183bf
+github.com/pkg/errors f15c970de5b76fac0b59abb32d62c17cc7bed265
+github.com/sirupsen/logrus 89742aefa4b206dcf400792f3bd35b542998eb3b
+github.com/spf13/cobra 2da4a54c5ceefcee7ca5dd0eea1e18a3b6366489
+github.com/spf13/pflag 4c012f6dcd9546820e378d0bdda4d8fc772cdfea
+golang.org/x/crypto 9f005a07e0d31d45e6656d241bb5c0f2efd4bc94
+golang.org/x/net a337091b0525af65de94df2eb7e98bd9962dcbe2
+golang.org/x/sync 450f422ab23cf9881c94e2db30cac0eb1b7cf80c
+golang.org/x/sys 665f6529cca930e27b831a0d1dafffbe1c172924
diff --git a/cli/vendor/github.com/gregjones/httpcache/LICENSE.txt b/cli/vendor/github.com/gregjones/httpcache/LICENSE.txt
new file mode 100644
index 00000000..81316beb
--- /dev/null
+++ b/cli/vendor/github.com/gregjones/httpcache/LICENSE.txt
@@ -0,0 +1,7 @@
+Copyright © 2012 Greg Jones (greg.jones@gmail.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/cli/vendor/github.com/gregjones/httpcache/README.md b/cli/vendor/github.com/gregjones/httpcache/README.md
new file mode 100644
index 00000000..61bd830e
--- /dev/null
+++ b/cli/vendor/github.com/gregjones/httpcache/README.md
@@ -0,0 +1,24 @@
+httpcache
+=========
+
+[![Build Status](https://travis-ci.org/gregjones/httpcache.svg?branch=master)](https://travis-ci.org/gregjones/httpcache) [![GoDoc](https://godoc.org/github.com/gregjones/httpcache?status.svg)](https://godoc.org/github.com/gregjones/httpcache)
+
+Package httpcache provides a http.RoundTripper implementation that works as a mostly RFC-compliant cache for http responses.
+
+It is only suitable for use as a 'private' cache (i.e. for a web-browser or an API-client and not for a shared proxy).
+
+Cache Backends
+--------------
+
+- The built-in 'memory' cache stores responses in an in-memory map.
+- [`github.com/gregjones/httpcache/diskcache`](https://github.com/gregjones/httpcache/tree/master/diskcache) provides a filesystem-backed cache using the [diskv](https://github.com/peterbourgon/diskv) library.
+- [`github.com/gregjones/httpcache/memcache`](https://github.com/gregjones/httpcache/tree/master/memcache) provides memcache implementations, for both App Engine and 'normal' memcache servers.
+- [`sourcegraph.com/sourcegraph/s3cache`](https://sourcegraph.com/github.com/sourcegraph/s3cache) uses Amazon S3 for storage.
+- [`github.com/gregjones/httpcache/leveldbcache`](https://github.com/gregjones/httpcache/tree/master/leveldbcache) provides a filesystem-backed cache using [leveldb](https://github.com/syndtr/goleveldb/leveldb).
+- [`github.com/die-net/lrucache`](https://github.com/die-net/lrucache) provides an in-memory cache that will evict least-recently used entries.
+- [`github.com/die-net/lrucache/twotier`](https://github.com/die-net/lrucache/tree/master/twotier) allows caches to be combined, for example to use lrucache above with a persistent disk-cache.
+
+License
+-------
+
+-	[MIT License](LICENSE.txt)
diff --git a/cli/vendor/github.com/gregjones/httpcache/diskcache/diskcache.go b/cli/vendor/github.com/gregjones/httpcache/diskcache/diskcache.go
new file mode 100644
index 00000000..42e3129d
--- /dev/null
+++ b/cli/vendor/github.com/gregjones/httpcache/diskcache/diskcache.go
@@ -0,0 +1,61 @@
+// Package diskcache provides an implementation of httpcache.Cache that uses the diskv package
+// to supplement an in-memory map with persistent storage
+//
+package diskcache
+
+import (
+	"bytes"
+	"crypto/md5"
+	"encoding/hex"
+	"github.com/peterbourgon/diskv"
+	"io"
+)
+
+// Cache is an implementation of httpcache.Cache that supplements the in-memory map with persistent storage
+type Cache struct {
+	d *diskv.Diskv
+}
+
+// Get returns the response corresponding to key if present
+func (c *Cache) Get(key string) (resp []byte, ok bool) {
+	key = keyToFilename(key)
+	resp, err := c.d.Read(key)
+	if err != nil {
+		return []byte{}, false
+	}
+	return resp, true
+}
+
+// Set saves a response to the cache as key
+func (c *Cache) Set(key string, resp []byte) {
+	key = keyToFilename(key)
+	c.d.WriteStream(key, bytes.NewReader(resp), true)
+}
+
+// Delete removes the response with key from the cache
+func (c *Cache) Delete(key string) {
+	key = keyToFilename(key)
+	c.d.Erase(key)
+}
+
+func keyToFilename(key string) string {
+	h := md5.New()
+	io.WriteString(h, key)
+	return hex.EncodeToString(h.Sum(nil))
+}
+
+// New returns a new Cache that will store files in basePath
+func New(basePath string) *Cache {
+	return &Cache{
+		d: diskv.New(diskv.Options{
+			BasePath:     basePath,
+			CacheSizeMax: 100 * 1024 * 1024, // 100MB
+		}),
+	}
+}
+
+// NewWithDiskv returns a new Cache using the provided Diskv as underlying
+// storage.
+func NewWithDiskv(d *diskv.Diskv) *Cache {
+	return &Cache{d}
+}
diff --git a/cli/vendor/github.com/gregjones/httpcache/httpcache.go b/cli/vendor/github.com/gregjones/httpcache/httpcache.go
new file mode 100644
index 00000000..b26e167f
--- /dev/null
+++ b/cli/vendor/github.com/gregjones/httpcache/httpcache.go
@@ -0,0 +1,557 @@
+// Package httpcache provides a http.RoundTripper implementation that works as a
+// mostly RFC-compliant cache for http responses.
+//
+// It is only suitable for use as a 'private' cache (i.e. for a web-browser or an API-client
+// and not for a shared proxy).
+//
+package httpcache
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/httputil"
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	stale = iota
+	fresh
+	transparent
+	// XFromCache is the header added to responses that are returned from the cache
+	XFromCache = "X-From-Cache"
+)
+
+// A Cache interface is used by the Transport to store and retrieve responses.
+type Cache interface {
+	// Get returns the []byte representation of a cached response and a bool
+	// set to true if the value isn't empty
+	Get(key string) (responseBytes []byte, ok bool)
+	// Set stores the []byte representation of a response against a key
+	Set(key string, responseBytes []byte)
+	// Delete removes the value associated with the key
+	Delete(key string)
+}
+
+// cacheKey returns the cache key for req.
+func cacheKey(req *http.Request) string {
+	if req.Method == http.MethodGet {
+		return req.URL.String()
+	} else {
+		return req.Method + " " + req.URL.String()
+	}
+}
+
+// CachedResponse returns the cached http.Response for req if present, and nil
+// otherwise.
+func CachedResponse(c Cache, req *http.Request) (resp *http.Response, err error) {
+	cachedVal, ok := c.Get(cacheKey(req))
+	if !ok {
+		return
+	}
+
+	b := bytes.NewBuffer(cachedVal)
+	return http.ReadResponse(bufio.NewReader(b), req)
+}
+
+// MemoryCache is an implemtation of Cache that stores responses in an in-memory map.
+type MemoryCache struct {
+	mu    sync.RWMutex
+	items map[string][]byte
+}
+
+// Get returns the []byte representation of the response and true if present, false if not
+func (c *MemoryCache) Get(key string) (resp []byte, ok bool) {
+	c.mu.RLock()
+	resp, ok = c.items[key]
+	c.mu.RUnlock()
+	return resp, ok
+}
+
+// Set saves response resp to the cache with key
+func (c *MemoryCache) Set(key string, resp []byte) {
+	c.mu.Lock()
+	c.items[key] = resp
+	c.mu.Unlock()
+}
+
+// Delete removes key from the cache
+func (c *MemoryCache) Delete(key string) {
+	c.mu.Lock()
+	delete(c.items, key)
+	c.mu.Unlock()
+}
+
+// NewMemoryCache returns a new Cache that will store items in an in-memory map
+func NewMemoryCache() *MemoryCache {
+	c := &MemoryCache{items: map[string][]byte{}}
+	return c
+}
+
+// Transport is an implementation of http.RoundTripper that will return values from a cache
+// where possible (avoiding a network request) and will additionally add validators (etag/if-modified-since)
+// to repeated requests allowing servers to return 304 / Not Modified
+type Transport struct {
+	// The RoundTripper interface actually used to make requests
+	// If nil, http.DefaultTransport is used
+	Transport http.RoundTripper
+	Cache     Cache
+	// If true, responses returned from the cache will be given an extra header, X-From-Cache
+	MarkCachedResponses bool
+}
+
+// NewTransport returns a new Transport with the
+// provided Cache implementation and MarkCachedResponses set to true
+func NewTransport(c Cache) *Transport {
+	return &Transport{Cache: c, MarkCachedResponses: true}
+}
+
+// Client returns an *http.Client that caches responses.
+func (t *Transport) Client() *http.Client {
+	return &http.Client{Transport: t}
+}
+
+// varyMatches will return false unless all of the cached values for the headers listed in Vary
+// match the new request
+func varyMatches(cachedResp *http.Response, req *http.Request) bool {
+	for _, header := range headerAllCommaSepValues(cachedResp.Header, "vary") {
+		header = http.CanonicalHeaderKey(header)
+		if header != "" && req.Header.Get(header) != cachedResp.Header.Get("X-Varied-"+header) {
+			return false
+		}
+	}
+	return true
+}
+
+// RoundTrip takes a Request and returns a Response
+//
+// If there is a fresh Response already in cache, then it will be returned without connecting to
+// the server.
+//
+// If there is a stale Response, then any validators it contains will be set on the new request
+// to give the server a chance to respond with NotModified. If this happens, then the cached Response
+// will be returned.
+func (t *Transport) RoundTrip(req *http.Request) (resp *http.Response, err error) {
+	cacheKey := cacheKey(req)
+	cacheable := (req.Method == "GET" || req.Method == "HEAD") && req.Header.Get("range") == ""
+	var cachedResp *http.Response
+	if cacheable {
+		cachedResp, err = CachedResponse(t.Cache, req)
+	} else {
+		// Need to invalidate an existing value
+		t.Cache.Delete(cacheKey)
+	}
+
+	transport := t.Transport
+	if transport == nil {
+		transport = http.DefaultTransport
+	}
+
+	if cacheable && cachedResp != nil && err == nil {
+		if t.MarkCachedResponses {
+			cachedResp.Header.Set(XFromCache, "1")
+		}
+
+		if varyMatches(cachedResp, req) {
+			// Can only use cached value if the new request doesn't Vary significantly
+			freshness := getFreshness(cachedResp.Header, req.Header)
+			if freshness == fresh {
+				return cachedResp, nil
+			}
+
+			if freshness == stale {
+				var req2 *http.Request
+				// Add validators if caller hasn't already done so
+				etag := cachedResp.Header.Get("etag")
+				if etag != "" && req.Header.Get("etag") == "" {
+					req2 = cloneRequest(req)
+					req2.Header.Set("if-none-match", etag)
+				}
+				lastModified := cachedResp.Header.Get("last-modified")
+				if lastModified != "" && req.Header.Get("last-modified") == "" {
+					if req2 == nil {
+						req2 = cloneRequest(req)
+					}
+					req2.Header.Set("if-modified-since", lastModified)
+				}
+				if req2 != nil {
+					req = req2
+				}
+			}
+		}
+
+		resp, err = transport.RoundTrip(req)
+		if err == nil && req.Method == "GET" && resp.StatusCode == http.StatusNotModified {
+			// Replace the 304 response with the one from cache, but update with some new headers
+			endToEndHeaders := getEndToEndHeaders(resp.Header)
+			for _, header := range endToEndHeaders {
+				cachedResp.Header[header] = resp.Header[header]
+			}
+			cachedResp.Status = fmt.Sprintf("%d %s", http.StatusOK, http.StatusText(http.StatusOK))
+			cachedResp.StatusCode = http.StatusOK
+
+			resp = cachedResp
+		} else if (err != nil || (cachedResp != nil && resp.StatusCode >= 500)) &&
+			req.Method == "GET" && canStaleOnError(cachedResp.Header, req.Header) {
+			// In case of transport failure and stale-if-error activated, returns cached content
+			// when available
+			cachedResp.Status = fmt.Sprintf("%d %s", http.StatusOK, http.StatusText(http.StatusOK))
+			cachedResp.StatusCode = http.StatusOK
+			return cachedResp, nil
+		} else {
+			if err != nil || resp.StatusCode != http.StatusOK {
+				t.Cache.Delete(cacheKey)
+			}
+			if err != nil {
+				return nil, err
+			}
+		}
+	} else {
+		reqCacheControl := parseCacheControl(req.Header)
+		if _, ok := reqCacheControl["only-if-cached"]; ok {
+			resp = newGatewayTimeoutResponse(req)
+		} else {
+			resp, err = transport.RoundTrip(req)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	if cacheable && canStore(parseCacheControl(req.Header), parseCacheControl(resp.Header)) {
+		for _, varyKey := range headerAllCommaSepValues(resp.Header, "vary") {
+			varyKey = http.CanonicalHeaderKey(varyKey)
+			fakeHeader := "X-Varied-" + varyKey
+			reqValue := req.Header.Get(varyKey)
+			if reqValue != "" {
+				resp.Header.Set(fakeHeader, reqValue)
+			}
+		}
+		switch req.Method {
+		case "GET":
+			// Delay caching until EOF is reached.
+			resp.Body = &cachingReadCloser{
+				R: resp.Body,
+				OnEOF: func(r io.Reader) {
+					resp := *resp
+					resp.Body = ioutil.NopCloser(r)
+					respBytes, err := httputil.DumpResponse(&resp, true)
+					if err == nil {
+						t.Cache.Set(cacheKey, respBytes)
+					}
+				},
+			}
+		default:
+			respBytes, err := httputil.DumpResponse(resp, true)
+			if err == nil {
+				t.Cache.Set(cacheKey, respBytes)
+			}
+		}
+	} else {
+		t.Cache.Delete(cacheKey)
+	}
+	return resp, nil
+}
+
+// ErrNoDateHeader indicates that the HTTP headers contained no Date header.
+var ErrNoDateHeader = errors.New("no Date header")
+
+// Date parses and returns the value of the Date header.
+func Date(respHeaders http.Header) (date time.Time, err error) {
+	dateHeader := respHeaders.Get("date")
+	if dateHeader == "" {
+		err = ErrNoDateHeader
+		return
+	}
+
+	return time.Parse(time.RFC1123, dateHeader)
+}
+
+type realClock struct{}
+
+func (c *realClock) since(d time.Time) time.Duration {
+	return time.Since(d)
+}
+
+type timer interface {
+	since(d time.Time) time.Duration
+}
+
+var clock timer = &realClock{}
+
+// getFreshness will return one of fresh/stale/transparent based on the cache-control
+// values of the request and the response
+//
+// fresh indicates the response can be returned
+// stale indicates that the response needs validating before it is returned
+// transparent indicates the response should not be used to fulfil the request
+//
+// Because this is only a private cache, 'public' and 'private' in cache-control aren't
+// signficant. Similarly, smax-age isn't used.
+func getFreshness(respHeaders, reqHeaders http.Header) (freshness int) {
+	respCacheControl := parseCacheControl(respHeaders)
+	reqCacheControl := parseCacheControl(reqHeaders)
+	if _, ok := reqCacheControl["no-cache"]; ok {
+		return transparent
+	}
+	if _, ok := respCacheControl["no-cache"]; ok {
+		return stale
+	}
+	if _, ok := reqCacheControl["only-if-cached"]; ok {
+		return fresh
+	}
+
+	date, err := Date(respHeaders)
+	if err != nil {
+		return stale
+	}
+	currentAge := clock.since(date)
+
+	var lifetime time.Duration
+	var zeroDuration time.Duration
+
+	// If a response includes both an Expires header and a max-age directive,
+	// the max-age directive overrides the Expires header, even if the Expires header is more restrictive.
+	if maxAge, ok := respCacheControl["max-age"]; ok {
+		lifetime, err = time.ParseDuration(maxAge + "s")
+		if err != nil {
+			lifetime = zeroDuration
+		}
+	} else {
+		expiresHeader := respHeaders.Get("Expires")
+		if expiresHeader != "" {
+			expires, err := time.Parse(time.RFC1123, expiresHeader)
+			if err != nil {
+				lifetime = zeroDuration
+			} else {
+				lifetime = expires.Sub(date)
+			}
+		}
+	}
+
+	if maxAge, ok := reqCacheControl["max-age"]; ok {
+		// the client is willing to accept a response whose age is no greater than the specified time in seconds
+		lifetime, err = time.ParseDuration(maxAge + "s")
+		if err != nil {
+			lifetime = zeroDuration
+		}
+	}
+	if minfresh, ok := reqCacheControl["min-fresh"]; ok {
+		//  the client wants a response that will still be fresh for at least the specified number of seconds.
+		minfreshDuration, err := time.ParseDuration(minfresh + "s")
+		if err == nil {
+			currentAge = time.Duration(currentAge + minfreshDuration)
+		}
+	}
+
+	if maxstale, ok := reqCacheControl["max-stale"]; ok {
+		// Indicates that the client is willing to accept a response that has exceeded its expiration time.
+		// If max-stale is assigned a value, then the client is willing to accept a response that has exceeded
+		// its expiration time by no more than the specified number of seconds.
+		// If no value is assigned to max-stale, then the client is willing to accept a stale response of any age.
+		//
+		// Responses served only because of a max-stale value are supposed to have a Warning header added to them,
+		// but that seems like a  hassle, and is it actually useful? If so, then there needs to be a different
+		// return-value available here.
+		if maxstale == "" {
+			return fresh
+		}
+		maxstaleDuration, err := time.ParseDuration(maxstale + "s")
+		if err == nil {
+			currentAge = time.Duration(currentAge - maxstaleDuration)
+		}
+	}
+
+	if lifetime > currentAge {
+		return fresh
+	}
+
+	return stale
+}
+
+// Returns true if either the request or the response includes the stale-if-error
+// cache control extension: https://tools.ietf.org/html/rfc5861
+func canStaleOnError(respHeaders, reqHeaders http.Header) bool {
+	respCacheControl := parseCacheControl(respHeaders)
+	reqCacheControl := parseCacheControl(reqHeaders)
+
+	var err error
+	lifetime := time.Duration(-1)
+
+	if staleMaxAge, ok := respCacheControl["stale-if-error"]; ok {
+		if staleMaxAge != "" {
+			lifetime, err = time.ParseDuration(staleMaxAge + "s")
+			if err != nil {
+				return false
+			}
+		} else {
+			return true
+		}
+	}
+	if staleMaxAge, ok := reqCacheControl["stale-if-error"]; ok {
+		if staleMaxAge != "" {
+			lifetime, err = time.ParseDuration(staleMaxAge + "s")
+			if err != nil {
+				return false
+			}
+		} else {
+			return true
+		}
+	}
+
+	if lifetime >= 0 {
+		date, err := Date(respHeaders)
+		if err != nil {
+			return false
+		}
+		currentAge := clock.since(date)
+		if lifetime > currentAge {
+			return true
+		}
+	}
+
+	return false
+}
+
+func getEndToEndHeaders(respHeaders http.Header) []string {
+	// These headers are always hop-by-hop
+	hopByHopHeaders := map[string]struct{}{
+		"Connection":          struct{}{},
+		"Keep-Alive":          struct{}{},
+		"Proxy-Authenticate":  struct{}{},
+		"Proxy-Authorization": struct{}{},
+		"Te":                struct{}{},
+		"Trailers":          struct{}{},
+		"Transfer-Encoding": struct{}{},
+		"Upgrade":           struct{}{},
+	}
+
+	for _, extra := range strings.Split(respHeaders.Get("connection"), ",") {
+		// any header listed in connection, if present, is also considered hop-by-hop
+		if strings.Trim(extra, " ") != "" {
+			hopByHopHeaders[http.CanonicalHeaderKey(extra)] = struct{}{}
+		}
+	}
+	endToEndHeaders := []string{}
+	for respHeader, _ := range respHeaders {
+		if _, ok := hopByHopHeaders[respHeader]; !ok {
+			endToEndHeaders = append(endToEndHeaders, respHeader)
+		}
+	}
+	return endToEndHeaders
+}
+
+func canStore(reqCacheControl, respCacheControl cacheControl) (canStore bool) {
+	if _, ok := respCacheControl["no-store"]; ok {
+		return false
+	}
+	if _, ok := reqCacheControl["no-store"]; ok {
+		return false
+	}
+	return true
+}
+
+func newGatewayTimeoutResponse(req *http.Request) *http.Response {
+	var braw bytes.Buffer
+	braw.WriteString("HTTP/1.1 504 Gateway Timeout\r\n\r\n")
+	resp, err := http.ReadResponse(bufio.NewReader(&braw), req)
+	if err != nil {
+		panic(err)
+	}
+	return resp
+}
+
+// cloneRequest returns a clone of the provided *http.Request.
+// The clone is a shallow copy of the struct and its Header map.
+// (This function copyright goauth2 authors: https://code.google.com/p/goauth2)
+func cloneRequest(r *http.Request) *http.Request {
+	// shallow copy of the struct
+	r2 := new(http.Request)
+	*r2 = *r
+	// deep copy of the Header
+	r2.Header = make(http.Header)
+	for k, s := range r.Header {
+		r2.Header[k] = s
+	}
+	return r2
+}
+
+type cacheControl map[string]string
+
+func parseCacheControl(headers http.Header) cacheControl {
+	cc := cacheControl{}
+	ccHeader := headers.Get("Cache-Control")
+	for _, part := range strings.Split(ccHeader, ",") {
+		part = strings.Trim(part, " ")
+		if part == "" {
+			continue
+		}
+		if strings.ContainsRune(part, '=') {
+			keyval := strings.Split(part, "=")
+			cc[strings.Trim(keyval[0], " ")] = strings.Trim(keyval[1], ",")
+		} else {
+			cc[part] = ""
+		}
+	}
+	return cc
+}
+
+// headerAllCommaSepValues returns all comma-separated values (each
+// with whitespace trimmed) for header name in headers. According to
+// Section 4.2 of the HTTP/1.1 spec
+// (http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2),
+// values from multiple occurrences of a header should be concatenated, if
+// the header's value is a comma-separated list.
+func headerAllCommaSepValues(headers http.Header, name string) []string {
+	var vals []string
+	for _, val := range headers[http.CanonicalHeaderKey(name)] {
+		fields := strings.Split(val, ",")
+		for i, f := range fields {
+			fields[i] = strings.TrimSpace(f)
+		}
+		vals = append(vals, fields...)
+	}
+	return vals
+}
+
+// cachingReadCloser is a wrapper around ReadCloser R that calls OnEOF
+// handler with a full copy of the content read from R when EOF is
+// reached.
+type cachingReadCloser struct {
+	// Underlying ReadCloser.
+	R io.ReadCloser
+	// OnEOF is called with a copy of the content of R when EOF is reached.
+	OnEOF func(io.Reader)
+
+	buf bytes.Buffer // buf stores a copy of the content of R.
+}
+
+// Read reads the next len(p) bytes from R or until R is drained. The
+// return value n is the number of bytes read. If R has no data to
+// return, err is io.EOF and OnEOF is called with a full copy of what
+// has been read so far.
+func (r *cachingReadCloser) Read(p []byte) (n int, err error) {
+	n, err = r.R.Read(p)
+	r.buf.Write(p[:n])
+	if err == io.EOF {
+		r.OnEOF(bytes.NewReader(r.buf.Bytes()))
+	}
+	return n, err
+}
+
+func (r *cachingReadCloser) Close() error {
+	return r.R.Close()
+}
+
+// NewMemoryCacheTransport returns a new Transport using the in-memory cache implementation
+func NewMemoryCacheTransport() *Transport {
+	c := NewMemoryCache()
+	t := NewTransport(c)
+	return t
+}
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/LICENSE b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/LICENSE
new file mode 100644
index 00000000..abe5fe17
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2016, gRPC Ecosystem
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of grpc-opentracing nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/PATENTS b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/PATENTS
new file mode 100644
index 00000000..5cfe0175
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/PATENTS
@@ -0,0 +1,23 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the GRPC project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of GRPC, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of GRPC.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of GRPC or any code incorporated within this
+implementation of GRPC constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of GRPC
+shall terminate as of the date such litigation is filed.
+Status API Training Shop Blog About
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/README.rst b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/README.rst
new file mode 100644
index 00000000..1d44e691
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/README.rst
@@ -0,0 +1,25 @@
+################
+GRPC-OpenTracing
+################
+
+This package enables distributed tracing in GRPC clients and servers via `The OpenTracing Project`_: a set of consistent, expressive, vendor-neutral APIs for distributed tracing and context propagation.
+
+Once a production system contends with real concurrency or splits into many services, crucial (and formerly easy) tasks become difficult: user-facing latency optimization, root-cause analysis of backend errors, communication about distinct pieces of a now-distributed system, etc. Distributed tracing follows a request on its journey from inception to completion from mobile/browser all the way to the microservices. 
+
+As core services and libraries adopt OpenTracing, the application builder is no longer burdened with the task of adding basic tracing instrumentation to their own code. In this way, developers can build their applications with the tools they prefer and benefit from built-in tracing instrumentation. OpenTracing implementations exist for major distributed tracing systems and can be bound or swapped with a one-line configuration change.
+
+*******************
+Further Information
+*******************
+
+If you’re interested in learning more about the OpenTracing standard, join the conversation on our `mailing list`_ or `Gitter`_.
+
+If you want to learn more about the underlying API for your platform, visit the `source code`_. 
+
+If you would like to implement OpenTracing in your project and need help, feel free to send us a note at `community@opentracing.io`_.
+
+.. _The OpenTracing Project: http://opentracing.io/
+.. _source code: https://github.com/opentracing/
+.. _mailing list: http://opentracing.us13.list-manage.com/subscribe?u=180afe03860541dae59e84153&id=19117aa6cd
+.. _Gitter: https://gitter.im/opentracing/public
+.. _community@opentracing.io: community@opentracing.io
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/README.md b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/README.md
new file mode 100644
index 00000000..78c49dbb
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/README.md
@@ -0,0 +1,57 @@
+# OpenTracing support for gRPC in Go
+
+The `otgrpc` package makes it easy to add OpenTracing support to gRPC-based
+systems in Go.
+
+## Installation
+
+```
+go get github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc
+```
+
+## Documentation
+
+See the basic usage examples below and the [package documentation on
+godoc.org](https://godoc.org/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc).
+
+## Client-side usage example
+
+Wherever you call `grpc.Dial`:
+
+```go
+// You must have some sort of OpenTracing Tracer instance on hand.
+var tracer opentracing.Tracer = ...
+...
+
+// Set up a connection to the server peer.
+conn, err := grpc.Dial(
+    address,
+    ... // other options
+    grpc.WithUnaryInterceptor(
+        otgrpc.OpenTracingClientInterceptor(tracer)),
+    grpc.WithStreamInterceptor(
+        otgrpc.OpenTracingStreamClientInterceptor(tracer)))
+
+// All future RPC activity involving `conn` will be automatically traced.
+```
+
+## Server-side usage example
+
+Wherever you call `grpc.NewServer`:
+
+```go
+// You must have some sort of OpenTracing Tracer instance on hand.
+var tracer opentracing.Tracer = ...
+...
+
+// Initialize the gRPC server.
+s := grpc.NewServer(
+    ... // other options
+    grpc.UnaryInterceptor(
+        otgrpc.OpenTracingServerInterceptor(tracer)),
+    grpc.StreamInterceptor(
+        otgrpc.OpenTracingStreamServerInterceptor(tracer)))
+
+// All future RPC activity involving `s` will be automatically traced.
+```
+
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/client.go b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/client.go
new file mode 100644
index 00000000..3414e55c
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/client.go
@@ -0,0 +1,239 @@
+package otgrpc
+
+import (
+	"github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/ext"
+	"github.com/opentracing/opentracing-go/log"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+	"io"
+	"runtime"
+	"sync/atomic"
+)
+
+// OpenTracingClientInterceptor returns a grpc.UnaryClientInterceptor suitable
+// for use in a grpc.Dial call.
+//
+// For example:
+//
+//     conn, err := grpc.Dial(
+//         address,
+//         ...,  // (existing DialOptions)
+//         grpc.WithUnaryInterceptor(otgrpc.OpenTracingClientInterceptor(tracer)))
+//
+// All gRPC client spans will inject the OpenTracing SpanContext into the gRPC
+// metadata; they will also look in the context.Context for an active
+// in-process parent Span and establish a ChildOf reference if such a parent
+// Span could be found.
+func OpenTracingClientInterceptor(tracer opentracing.Tracer, optFuncs ...Option) grpc.UnaryClientInterceptor {
+	otgrpcOpts := newOptions()
+	otgrpcOpts.apply(optFuncs...)
+	return func(
+		ctx context.Context,
+		method string,
+		req, resp interface{},
+		cc *grpc.ClientConn,
+		invoker grpc.UnaryInvoker,
+		opts ...grpc.CallOption,
+	) error {
+		var err error
+		var parentCtx opentracing.SpanContext
+		if parent := opentracing.SpanFromContext(ctx); parent != nil {
+			parentCtx = parent.Context()
+		}
+		if otgrpcOpts.inclusionFunc != nil &&
+			!otgrpcOpts.inclusionFunc(parentCtx, method, req, resp) {
+			return invoker(ctx, method, req, resp, cc, opts...)
+		}
+		clientSpan := tracer.StartSpan(
+			method,
+			opentracing.ChildOf(parentCtx),
+			ext.SpanKindRPCClient,
+			gRPCComponentTag,
+		)
+		defer clientSpan.Finish()
+		ctx = injectSpanContext(ctx, tracer, clientSpan)
+		if otgrpcOpts.logPayloads {
+			clientSpan.LogFields(log.Object("gRPC request", req))
+		}
+		err = invoker(ctx, method, req, resp, cc, opts...)
+		if err == nil {
+			if otgrpcOpts.logPayloads {
+				clientSpan.LogFields(log.Object("gRPC response", resp))
+			}
+		} else {
+			SetSpanTags(clientSpan, err, true)
+			clientSpan.LogFields(log.String("event", "error"), log.String("message", err.Error()))
+		}
+		if otgrpcOpts.decorator != nil {
+			otgrpcOpts.decorator(clientSpan, method, req, resp, err)
+		}
+		return err
+	}
+}
+
+// OpenTracingStreamClientInterceptor returns a grpc.StreamClientInterceptor suitable
+// for use in a grpc.Dial call. The interceptor instruments streaming RPCs by creating
+// a single span to correspond to the lifetime of the RPC's stream.
+//
+// For example:
+//
+//     conn, err := grpc.Dial(
+//         address,
+//         ...,  // (existing DialOptions)
+//         grpc.WithStreamInterceptor(otgrpc.OpenTracingStreamClientInterceptor(tracer)))
+//
+// All gRPC client spans will inject the OpenTracing SpanContext into the gRPC
+// metadata; they will also look in the context.Context for an active
+// in-process parent Span and establish a ChildOf reference if such a parent
+// Span could be found.
+func OpenTracingStreamClientInterceptor(tracer opentracing.Tracer, optFuncs ...Option) grpc.StreamClientInterceptor {
+	otgrpcOpts := newOptions()
+	otgrpcOpts.apply(optFuncs...)
+	return func(
+		ctx context.Context,
+		desc *grpc.StreamDesc,
+		cc *grpc.ClientConn,
+		method string,
+		streamer grpc.Streamer,
+		opts ...grpc.CallOption,
+	) (grpc.ClientStream, error) {
+		var err error
+		var parentCtx opentracing.SpanContext
+		if parent := opentracing.SpanFromContext(ctx); parent != nil {
+			parentCtx = parent.Context()
+		}
+		if otgrpcOpts.inclusionFunc != nil &&
+			!otgrpcOpts.inclusionFunc(parentCtx, method, nil, nil) {
+			return streamer(ctx, desc, cc, method, opts...)
+		}
+
+		clientSpan := tracer.StartSpan(
+			method,
+			opentracing.ChildOf(parentCtx),
+			ext.SpanKindRPCClient,
+			gRPCComponentTag,
+		)
+		ctx = injectSpanContext(ctx, tracer, clientSpan)
+		cs, err := streamer(ctx, desc, cc, method, opts...)
+		if err != nil {
+			clientSpan.LogFields(log.String("event", "error"), log.String("message", err.Error()))
+			SetSpanTags(clientSpan, err, true)
+			clientSpan.Finish()
+			return cs, err
+		}
+		return newOpenTracingClientStream(cs, method, desc, clientSpan, otgrpcOpts), nil
+	}
+}
+
+func newOpenTracingClientStream(cs grpc.ClientStream, method string, desc *grpc.StreamDesc, clientSpan opentracing.Span, otgrpcOpts *options) grpc.ClientStream {
+	finishChan := make(chan struct{})
+
+	isFinished := new(int32)
+	*isFinished = 0
+	finishFunc := func(err error) {
+		// The current OpenTracing specification forbids finishing a span more than
+		// once. Since we have multiple code paths that could concurrently call
+		// `finishFunc`, we need to add some sort of synchronization to guard against
+		// multiple finishing.
+		if !atomic.CompareAndSwapInt32(isFinished, 0, 1) {
+			return
+		}
+		close(finishChan)
+		defer clientSpan.Finish()
+		if err != nil {
+			clientSpan.LogFields(log.String("event", "error"), log.String("message", err.Error()))
+			SetSpanTags(clientSpan, err, true)
+		}
+		if otgrpcOpts.decorator != nil {
+			otgrpcOpts.decorator(clientSpan, method, nil, nil, err)
+		}
+	}
+	go func() {
+		select {
+		case <-finishChan:
+			// The client span is being finished by another code path; hence, no
+			// action is necessary.
+		case <-cs.Context().Done():
+			finishFunc(cs.Context().Err())
+		}
+	}()
+	otcs := &openTracingClientStream{
+		ClientStream: cs,
+		desc:         desc,
+		finishFunc:   finishFunc,
+	}
+
+	// The `ClientStream` interface allows one to omit calling `Recv` if it's
+	// known that the result will be `io.EOF`. See
+	// http://stackoverflow.com/q/42915337
+	// In such cases, there's nothing that triggers the span to finish. We,
+	// therefore, set a finalizer so that the span and the context goroutine will
+	// at least be cleaned up when the garbage collector is run.
+	runtime.SetFinalizer(otcs, func(otcs *openTracingClientStream) {
+		otcs.finishFunc(nil)
+	})
+	return otcs
+}
+
+type openTracingClientStream struct {
+	grpc.ClientStream
+	desc       *grpc.StreamDesc
+	finishFunc func(error)
+}
+
+func (cs *openTracingClientStream) Header() (metadata.MD, error) {
+	md, err := cs.ClientStream.Header()
+	if err != nil {
+		cs.finishFunc(err)
+	}
+	return md, err
+}
+
+func (cs *openTracingClientStream) SendMsg(m interface{}) error {
+	err := cs.ClientStream.SendMsg(m)
+	if err != nil {
+		cs.finishFunc(err)
+	}
+	return err
+}
+
+func (cs *openTracingClientStream) RecvMsg(m interface{}) error {
+	err := cs.ClientStream.RecvMsg(m)
+	if err == io.EOF {
+		cs.finishFunc(nil)
+		return err
+	} else if err != nil {
+		cs.finishFunc(err)
+		return err
+	}
+	if !cs.desc.ServerStreams {
+		cs.finishFunc(nil)
+	}
+	return err
+}
+
+func (cs *openTracingClientStream) CloseSend() error {
+	err := cs.ClientStream.CloseSend()
+	if err != nil {
+		cs.finishFunc(err)
+	}
+	return err
+}
+
+func injectSpanContext(ctx context.Context, tracer opentracing.Tracer, clientSpan opentracing.Span) context.Context {
+	md, ok := metadata.FromOutgoingContext(ctx)
+	if !ok {
+		md = metadata.New(nil)
+	} else {
+		md = md.Copy()
+	}
+	mdWriter := metadataReaderWriter{md}
+	err := tracer.Inject(clientSpan.Context(), opentracing.HTTPHeaders, mdWriter)
+	// We have no better place to record an error than the Span itself :-/
+	if err != nil {
+		clientSpan.LogFields(log.String("event", "Tracer.Inject() failed"), log.Error(err))
+	}
+	return metadata.NewOutgoingContext(ctx, md)
+}
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/errors.go b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/errors.go
new file mode 100644
index 00000000..41a6346f
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/errors.go
@@ -0,0 +1,69 @@
+package otgrpc
+
+import (
+	"github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/ext"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// A Class is a set of types of outcomes (including errors) that will often
+// be handled in the same way.
+type Class string
+
+const (
+	Unknown Class = "0xx"
+	// Success represents outcomes that achieved the desired results.
+	Success Class = "2xx"
+	// ClientError represents errors that were the client's fault.
+	ClientError Class = "4xx"
+	// ServerError represents errors that were the server's fault.
+	ServerError Class = "5xx"
+)
+
+// ErrorClass returns the class of the given error
+func ErrorClass(err error) Class {
+	if s, ok := status.FromError(err); ok {
+		switch s.Code() {
+		// Success or "success"
+		case codes.OK, codes.Canceled:
+			return Success
+
+		// Client errors
+		case codes.InvalidArgument, codes.NotFound, codes.AlreadyExists,
+			codes.PermissionDenied, codes.Unauthenticated, codes.FailedPrecondition,
+			codes.OutOfRange:
+			return ClientError
+
+		// Server errors
+		case codes.DeadlineExceeded, codes.ResourceExhausted, codes.Aborted,
+			codes.Unimplemented, codes.Internal, codes.Unavailable, codes.DataLoss:
+			return ServerError
+
+		// Not sure
+		case codes.Unknown:
+			fallthrough
+		default:
+			return Unknown
+		}
+	}
+	return Unknown
+}
+
+// SetSpanTags sets one or more tags on the given span according to the
+// error.
+func SetSpanTags(span opentracing.Span, err error, client bool) {
+	c := ErrorClass(err)
+	code := codes.Unknown
+	if s, ok := status.FromError(err); ok {
+		code = s.Code()
+	}
+	span.SetTag("response_code", code)
+	span.SetTag("response_class", c)
+	if err == nil {
+		return
+	}
+	if client || c == ServerError {
+		ext.Error.Set(span, true)
+	}
+}
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/options.go b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/options.go
new file mode 100644
index 00000000..903e8382
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/options.go
@@ -0,0 +1,76 @@
+package otgrpc
+
+import "github.com/opentracing/opentracing-go"
+
+// Option instances may be used in OpenTracing(Server|Client)Interceptor
+// initialization.
+//
+// See this post about the "functional options" pattern:
+// http://dave.cheney.net/2014/10/17/functional-options-for-friendly-apis
+type Option func(o *options)
+
+// LogPayloads returns an Option that tells the OpenTracing instrumentation to
+// try to log application payloads in both directions.
+func LogPayloads() Option {
+	return func(o *options) {
+		o.logPayloads = true
+	}
+}
+
+// SpanInclusionFunc provides an optional mechanism to decide whether or not
+// to trace a given gRPC call. Return true to create a Span and initiate
+// tracing, false to not create a Span and not trace.
+//
+// parentSpanCtx may be nil if no parent could be extraction from either the Go
+// context.Context (on the client) or the RPC (on the server).
+type SpanInclusionFunc func(
+	parentSpanCtx opentracing.SpanContext,
+	method string,
+	req, resp interface{}) bool
+
+// IncludingSpans binds a IncludeSpanFunc to the options
+func IncludingSpans(inclusionFunc SpanInclusionFunc) Option {
+	return func(o *options) {
+		o.inclusionFunc = inclusionFunc
+	}
+}
+
+// SpanDecoratorFunc provides an (optional) mechanism for otgrpc users to add
+// arbitrary tags/logs/etc to the opentracing.Span associated with client
+// and/or server RPCs.
+type SpanDecoratorFunc func(
+	span opentracing.Span,
+	method string,
+	req, resp interface{},
+	grpcError error)
+
+// SpanDecorator binds a function that decorates gRPC Spans.
+func SpanDecorator(decorator SpanDecoratorFunc) Option {
+	return func(o *options) {
+		o.decorator = decorator
+	}
+}
+
+// The internal-only options struct. Obviously overkill at the moment; but will
+// scale well as production use dictates other configuration and tuning
+// parameters.
+type options struct {
+	logPayloads bool
+	decorator   SpanDecoratorFunc
+	// May be nil.
+	inclusionFunc SpanInclusionFunc
+}
+
+// newOptions returns the default options.
+func newOptions() *options {
+	return &options{
+		logPayloads:   false,
+		inclusionFunc: nil,
+	}
+}
+
+func (o *options) apply(opts ...Option) {
+	for _, opt := range opts {
+		opt(o)
+	}
+}
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/package.go b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/package.go
new file mode 100644
index 00000000..4ff3d199
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/package.go
@@ -0,0 +1,5 @@
+// Package otgrpc provides OpenTracing support for any gRPC client or server.
+//
+// See the README for simple usage examples:
+// https://github.com/grpc-ecosystem/grpc-opentracing/blob/master/go/otgrpc/README.md
+package otgrpc
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/server.go b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/server.go
new file mode 100644
index 00000000..62cf54d2
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/server.go
@@ -0,0 +1,141 @@
+package otgrpc
+
+import (
+	"github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/ext"
+	"github.com/opentracing/opentracing-go/log"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+)
+
+// OpenTracingServerInterceptor returns a grpc.UnaryServerInterceptor suitable
+// for use in a grpc.NewServer call.
+//
+// For example:
+//
+//     s := grpc.NewServer(
+//         ...,  // (existing ServerOptions)
+//         grpc.UnaryInterceptor(otgrpc.OpenTracingServerInterceptor(tracer)))
+//
+// All gRPC server spans will look for an OpenTracing SpanContext in the gRPC
+// metadata; if found, the server span will act as the ChildOf that RPC
+// SpanContext.
+//
+// Root or not, the server Span will be embedded in the context.Context for the
+// application-specific gRPC handler(s) to access.
+func OpenTracingServerInterceptor(tracer opentracing.Tracer, optFuncs ...Option) grpc.UnaryServerInterceptor {
+	otgrpcOpts := newOptions()
+	otgrpcOpts.apply(optFuncs...)
+	return func(
+		ctx context.Context,
+		req interface{},
+		info *grpc.UnaryServerInfo,
+		handler grpc.UnaryHandler,
+	) (resp interface{}, err error) {
+		spanContext, err := extractSpanContext(ctx, tracer)
+		if err != nil && err != opentracing.ErrSpanContextNotFound {
+			// TODO: establish some sort of error reporting mechanism here. We
+			// don't know where to put such an error and must rely on Tracer
+			// implementations to do something appropriate for the time being.
+		}
+		if otgrpcOpts.inclusionFunc != nil &&
+			!otgrpcOpts.inclusionFunc(spanContext, info.FullMethod, req, nil) {
+			return handler(ctx, req)
+		}
+		serverSpan := tracer.StartSpan(
+			info.FullMethod,
+			ext.RPCServerOption(spanContext),
+			gRPCComponentTag,
+		)
+		defer serverSpan.Finish()
+
+		ctx = opentracing.ContextWithSpan(ctx, serverSpan)
+		if otgrpcOpts.logPayloads {
+			serverSpan.LogFields(log.Object("gRPC request", req))
+		}
+		resp, err = handler(ctx, req)
+		if err == nil {
+			if otgrpcOpts.logPayloads {
+				serverSpan.LogFields(log.Object("gRPC response", resp))
+			}
+		} else {
+			SetSpanTags(serverSpan, err, false)
+			serverSpan.LogFields(log.String("event", "error"), log.String("message", err.Error()))
+		}
+		if otgrpcOpts.decorator != nil {
+			otgrpcOpts.decorator(serverSpan, info.FullMethod, req, resp, err)
+		}
+		return resp, err
+	}
+}
+
+// OpenTracingStreamServerInterceptor returns a grpc.StreamServerInterceptor suitable
+// for use in a grpc.NewServer call. The interceptor instruments streaming RPCs by
+// creating a single span to correspond to the lifetime of the RPC's stream.
+//
+// For example:
+//
+//     s := grpc.NewServer(
+//         ...,  // (existing ServerOptions)
+//         grpc.StreamInterceptor(otgrpc.OpenTracingStreamServerInterceptor(tracer)))
+//
+// All gRPC server spans will look for an OpenTracing SpanContext in the gRPC
+// metadata; if found, the server span will act as the ChildOf that RPC
+// SpanContext.
+//
+// Root or not, the server Span will be embedded in the context.Context for the
+// application-specific gRPC handler(s) to access.
+func OpenTracingStreamServerInterceptor(tracer opentracing.Tracer, optFuncs ...Option) grpc.StreamServerInterceptor {
+	otgrpcOpts := newOptions()
+	otgrpcOpts.apply(optFuncs...)
+	return func(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+		spanContext, err := extractSpanContext(ss.Context(), tracer)
+		if err != nil && err != opentracing.ErrSpanContextNotFound {
+			// TODO: establish some sort of error reporting mechanism here. We
+			// don't know where to put such an error and must rely on Tracer
+			// implementations to do something appropriate for the time being.
+		}
+		if otgrpcOpts.inclusionFunc != nil &&
+			!otgrpcOpts.inclusionFunc(spanContext, info.FullMethod, nil, nil) {
+			return handler(srv, ss)
+		}
+
+		serverSpan := tracer.StartSpan(
+			info.FullMethod,
+			ext.RPCServerOption(spanContext),
+			gRPCComponentTag,
+		)
+		defer serverSpan.Finish()
+		ss = &openTracingServerStream{
+			ServerStream: ss,
+			ctx:          opentracing.ContextWithSpan(ss.Context(), serverSpan),
+		}
+		err = handler(srv, ss)
+		if err != nil {
+			SetSpanTags(serverSpan, err, false)
+			serverSpan.LogFields(log.String("event", "error"), log.String("message", err.Error()))
+		}
+		if otgrpcOpts.decorator != nil {
+			otgrpcOpts.decorator(serverSpan, info.FullMethod, nil, nil, err)
+		}
+		return err
+	}
+}
+
+type openTracingServerStream struct {
+	grpc.ServerStream
+	ctx context.Context
+}
+
+func (ss *openTracingServerStream) Context() context.Context {
+	return ss.ctx
+}
+
+func extractSpanContext(ctx context.Context, tracer opentracing.Tracer) (opentracing.SpanContext, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		md = metadata.New(nil)
+	}
+	return tracer.Extract(opentracing.HTTPHeaders, metadataReaderWriter{md})
+}
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/shared.go b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/shared.go
new file mode 100644
index 00000000..9abd5eaa
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/shared.go
@@ -0,0 +1,42 @@
+package otgrpc
+
+import (
+	"strings"
+
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/ext"
+	"google.golang.org/grpc/metadata"
+)
+
+var (
+	// Morally a const:
+	gRPCComponentTag = opentracing.Tag{string(ext.Component), "gRPC"}
+)
+
+// metadataReaderWriter satisfies both the opentracing.TextMapReader and
+// opentracing.TextMapWriter interfaces.
+type metadataReaderWriter struct {
+	metadata.MD
+}
+
+func (w metadataReaderWriter) Set(key, val string) {
+	// The GRPC HPACK implementation rejects any uppercase keys here.
+	//
+	// As such, since the HTTP_HEADERS format is case-insensitive anyway, we
+	// blindly lowercase the key (which is guaranteed to work in the
+	// Inject/Extract sense per the OpenTracing spec).
+	key = strings.ToLower(key)
+	w.MD[key] = append(w.MD[key], val)
+}
+
+func (w metadataReaderWriter) ForeachKey(handler func(key, val string) error) error {
+	for k, vals := range w.MD {
+		for _, v := range vals {
+			if err := handler(k, v); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/README.md b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/README.md
new file mode 100644
index 00000000..843acd9a
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/README.md
@@ -0,0 +1,4 @@
+The repo has moved.
+-------------------
+
+https://github.com/opentracing-contrib/python-grpc
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/command_line.proto b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/command_line.proto
new file mode 100644
index 00000000..b2367a72
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/command_line.proto
@@ -0,0 +1,15 @@
+syntax = "proto3";
+
+package command_line;
+
+service CommandLine {
+  rpc Echo(CommandRequest) returns (CommandResponse) {}
+}
+
+message CommandRequest {
+  string text = 1;
+}
+
+message CommandResponse {
+  string text = 1;
+}
diff --git a/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/store.proto b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/store.proto
new file mode 100644
index 00000000..6822d985
--- /dev/null
+++ b/cli/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/store.proto
@@ -0,0 +1,37 @@
+syntax = "proto3";
+
+package store;
+
+service Store {
+  rpc AddItem(AddItemRequest) returns (Empty) {}
+  rpc AddItems(stream AddItemRequest) returns (Empty) {}
+  rpc RemoveItem(RemoveItemRequest) returns (RemoveItemResponse) {}
+  rpc RemoveItems(stream RemoveItemRequest) returns (RemoveItemResponse) {}
+  rpc ListInventory(Empty) returns (stream QuantityResponse) {}
+  rpc QueryQuantity(QueryItemRequest) returns (QuantityResponse) {}
+  rpc QueryQuantities(stream QueryItemRequest) 
+                          returns (stream QuantityResponse) {}
+}
+
+message Empty {}
+
+message AddItemRequest {
+  string name = 1;
+}
+
+message RemoveItemRequest {
+  string name = 1;
+}
+
+message RemoveItemResponse {
+  bool was_successful = 1;
+}
+
+message QueryItemRequest {
+  string name = 1;
+}
+
+message QuantityResponse {
+  string name = 1;
+  int32 count = 2;
+}
diff --git a/cli/vendor/github.com/howeyc/gopass/LICENSE.txt b/cli/vendor/github.com/howeyc/gopass/LICENSE.txt
new file mode 100644
index 00000000..14f74708
--- /dev/null
+++ b/cli/vendor/github.com/howeyc/gopass/LICENSE.txt
@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2012 Chris Howey
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/cli/vendor/github.com/howeyc/gopass/README.md b/cli/vendor/github.com/howeyc/gopass/README.md
new file mode 100644
index 00000000..2d6a4e72
--- /dev/null
+++ b/cli/vendor/github.com/howeyc/gopass/README.md
@@ -0,0 +1,27 @@
+# getpasswd in Go [![GoDoc](https://godoc.org/github.com/howeyc/gopass?status.svg)](https://godoc.org/github.com/howeyc/gopass) [![Build Status](https://secure.travis-ci.org/howeyc/gopass.png?branch=master)](http://travis-ci.org/howeyc/gopass)
+
+Retrieve password from user terminal or piped input without echo.
+
+Verified on BSD, Linux, and Windows.
+
+Example:
+```go
+package main
+
+import "fmt"
+import "github.com/howeyc/gopass"
+
+func main() {
+	fmt.Printf("Password: ")
+
+	// Silent. For printing *'s use gopass.GetPasswdMasked()
+	pass, err := gopass.GetPasswd()
+	if err != nil {
+		// Handle gopass.ErrInterrupted or getch() read error
+	}
+
+	// Do something with pass
+}
+```
+
+Caution: Multi-byte characters not supported!
diff --git a/cli/vendor/github.com/howeyc/gopass/pass.go b/cli/vendor/github.com/howeyc/gopass/pass.go
new file mode 100644
index 00000000..31c853ae
--- /dev/null
+++ b/cli/vendor/github.com/howeyc/gopass/pass.go
@@ -0,0 +1,91 @@
+package gopass
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+)
+
+var defaultGetCh = func() (byte, error) {
+	buf := make([]byte, 1)
+	if n, err := os.Stdin.Read(buf); n == 0 || err != nil {
+		if err != nil {
+			return 0, err
+		}
+		return 0, io.EOF
+	}
+	return buf[0], nil
+}
+
+var (
+	maxLength            = 512
+	ErrInterrupted       = errors.New("interrupted")
+	ErrMaxLengthExceeded = fmt.Errorf("maximum byte limit (%v) exceeded", maxLength)
+
+	// Provide variable so that tests can provide a mock implementation.
+	getch = defaultGetCh
+)
+
+// getPasswd returns the input read from terminal.
+// If masked is true, typing will be matched by asterisks on the screen.
+// Otherwise, typing will echo nothing.
+func getPasswd(masked bool) ([]byte, error) {
+	var err error
+	var pass, bs, mask []byte
+	if masked {
+		bs = []byte("\b \b")
+		mask = []byte("*")
+	}
+
+	if isTerminal(os.Stdin.Fd()) {
+		if oldState, err := makeRaw(os.Stdin.Fd()); err != nil {
+			return pass, err
+		} else {
+			defer restore(os.Stdin.Fd(), oldState)
+		}
+	}
+
+	// Track total bytes read, not just bytes in the password.  This ensures any
+	// errors that might flood the console with nil or -1 bytes infinitely are
+	// capped.
+	var counter int
+	for counter = 0; counter <= maxLength; counter++ {
+		if v, e := getch(); e != nil {
+			err = e
+			break
+		} else if v == 127 || v == 8 {
+			if l := len(pass); l > 0 {
+				pass = pass[:l-1]
+				fmt.Print(string(bs))
+			}
+		} else if v == 13 || v == 10 {
+			break
+		} else if v == 3 {
+			err = ErrInterrupted
+			break
+		} else if v != 0 {
+			pass = append(pass, v)
+			fmt.Print(string(mask))
+		}
+	}
+
+	if counter > maxLength {
+		err = ErrMaxLengthExceeded
+	}
+
+	fmt.Println()
+	return pass, err
+}
+
+// GetPasswd returns the password read from the terminal without echoing input.
+// The returned byte array does not include end-of-line characters.
+func GetPasswd() ([]byte, error) {
+	return getPasswd(false)
+}
+
+// GetPasswdMasked returns the password read from the terminal, echoing asterisks.
+// The returned byte array does not include end-of-line characters.
+func GetPasswdMasked() ([]byte, error) {
+	return getPasswd(true)
+}
diff --git a/cli/vendor/github.com/howeyc/gopass/terminal.go b/cli/vendor/github.com/howeyc/gopass/terminal.go
new file mode 100644
index 00000000..08356414
--- /dev/null
+++ b/cli/vendor/github.com/howeyc/gopass/terminal.go
@@ -0,0 +1,25 @@
+// +build !solaris
+
+package gopass
+
+import "golang.org/x/crypto/ssh/terminal"
+
+type terminalState struct {
+	state *terminal.State
+}
+
+func isTerminal(fd uintptr) bool {
+	return terminal.IsTerminal(int(fd))
+}
+
+func makeRaw(fd uintptr) (*terminalState, error) {
+	state, err := terminal.MakeRaw(int(fd))
+
+	return &terminalState{
+		state: state,
+	}, err
+}
+
+func restore(fd uintptr, oldState *terminalState) error {
+	return terminal.Restore(int(fd), oldState.state)
+}
diff --git a/cli/vendor/github.com/moby/buildkit/LICENSE b/cli/vendor/github.com/moby/buildkit/LICENSE
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/cli/vendor/github.com/moby/buildkit/README.md b/cli/vendor/github.com/moby/buildkit/README.md
new file mode 100644
index 00000000..10b2b0e6
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/README.md
@@ -0,0 +1,274 @@
+[![asciicinema example](https://asciinema.org/a/gPEIEo1NzmDTUu2bEPsUboqmU.png)](https://asciinema.org/a/gPEIEo1NzmDTUu2bEPsUboqmU)
+
+
+## BuildKit
+
+[![GoDoc](https://godoc.org/github.com/moby/buildkit?status.svg)](https://godoc.org/github.com/moby/buildkit/client/llb)
+[![Build Status](https://travis-ci.org/moby/buildkit.svg?branch=master)](https://travis-ci.org/moby/buildkit)
+[![Go Report Card](https://goreportcard.com/badge/github.com/moby/buildkit)](https://goreportcard.com/report/github.com/moby/buildkit)
+
+
+BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.
+
+Key features:
+- Automatic garbage collection
+- Extendable frontend formats
+- Concurrent dependency resolution
+- Efficient instruction caching
+- Build cache import/export
+- Nested build job invocations
+- Distributable workers
+- Multiple output formats
+- Pluggable architecture
+- Execution without root privileges
+
+
+Read the proposal from https://github.com/moby/moby/issues/32925
+
+Introductory blog post https://blog.mobyproject.org/introducing-buildkit-17e056cc5317
+
+### Used by
+
+[Moby](https://github.com/moby/moby/pull/37151)
+
+[img](https://github.com/genuinetools/img)
+
+[OpenFaaS Cloud](https://github.com/openfaas/openfaas-cloud)
+
+[container build interface](https://github.com/containerbuilding/cbi)
+
+### Quick start
+
+Dependencies:
+- [runc](https://github.com/opencontainers/runc)
+- [containerd](https://github.com/containerd/containerd) (if you want to use containerd worker)
+
+
+The following command installs `buildkitd` and `buildctl` to `/usr/local/bin`:
+
+```bash
+$ make && sudo make install
+```
+
+You can also use `make binaries-all` to prepare `buildkitd.containerd_only` and `buildkitd.oci_only`.
+
+#### Starting the buildkitd daemon:
+
+```
+buildkitd --debug --root /var/lib/buildkit
+```
+
+The buildkitd daemon supports two worker backends: OCI (runc) and containerd.
+
+By default, the OCI (runc) worker is used.
+You can set `--oci-worker=false --containerd-worker=true` to use the containerd worker.
+
+We are open to adding more backends.
+
+#### Exploring LLB
+
+BuildKit builds are based on a binary intermediate format called LLB that is used for defining the dependency graph for processes running part of your build. tl;dr: LLB is to Dockerfile what LLVM IR is to C.
+
+- Marshaled as Protobuf messages
+- Concurrently executable
+- Efficiently cacheable
+- Vendor-neutral (i.e. non-Dockerfile languages can be easily implemented)
+
+See [`solver/pb/ops.proto`](./solver/pb/ops.proto) for the format definition.
+
+Currently, following high-level languages has been implemented for LLB:
+
+- Dockerfile (See [Exploring Dockerfiles](#exploring-dockerfiles))
+- (open a PR to add your own language)
+
+For understanding the basics of LLB, `examples/buildkit*` directory contains scripts that define how to build different configurations of BuildKit itself and its dependencies using the `client` package. Running one of these scripts generates a protobuf definition of a build graph. Note that the script itself does not execute any steps of the build.
+
+You can use `buildctl debug dump-llb` to see what data is in this definition. Add `--dot` to generate dot layout.
+
+```bash
+go run examples/buildkit0/buildkit.go | buildctl debug dump-llb | jq .
+```
+
+To start building use `buildctl build` command. The example script accepts `--with-containerd` flag to choose if containerd binaries and support should be included in the end result as well. 
+
+```bash
+go run examples/buildkit0/buildkit.go | buildctl build
+```
+
+`buildctl build` will show interactive progress bar by default while the build job is running. It will also show you the path to the trace file that contains all information about the timing of the individual steps and logs.
+
+Different versions of the example scripts show different ways of describing the build definition for this project to show the capabilities of the library. New versions have been added when new features have become available.
+
+- `./examples/buildkit0` - uses only exec operations, defines a full stage per component.
+- `./examples/buildkit1` - cloning git repositories has been separated for extra concurrency.
+- `./examples/buildkit2` - uses git sources directly instead of running `git clone`, allowing better performance and much safer caching.
+- `./examples/buildkit3` - allows using local source files for separate components eg. `./buildkit3 --runc=local | buildctl build --local runc-src=some/local/path`  
+- `./examples/dockerfile2llb` - can be used to convert a Dockerfile to LLB for debugging purposes
+- `./examples/gobuild` - shows how to use nested invocation to generate LLB for Go package internal dependencies
+
+
+#### Exploring Dockerfiles
+
+Frontends are components that run inside BuildKit and convert any build definition to LLB. There is a special frontend called gateway (gateway.v0) that allows using any image as a frontend.
+
+During development, Dockerfile frontend (dockerfile.v0) is also part of the BuildKit repo. In the future, this will be moved out, and Dockerfiles can be built using an external image.
+
+##### Building a Dockerfile with `buildctl`
+
+```
+buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=.
+buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=. --frontend-opt target=foo --frontend-opt build-arg:foo=bar
+```
+
+`--local` exposes local source files from client to the builder. `context` and `dockerfile` are the names Dockerfile frontend looks for build context and Dockerfile location.
+
+##### build-using-dockerfile utility
+
+For people familiar with `docker build` command, there is an example wrapper utility in `./examples/build-using-dockerfile` that allows building Dockerfiles with BuildKit using a syntax similar to `docker build`.
+
+```
+go build ./examples/build-using-dockerfile && sudo install build-using-dockerfile /usr/local/bin
+
+build-using-dockerfile -t myimage .
+build-using-dockerfile -t mybuildkit -f ./hack/dockerfiles/test.Dockerfile .
+
+# build-using-dockerfile will automatically load the resulting image to Docker
+docker inspect myimage
+```
+
+##### Building a Dockerfile using [external frontend](https://hub.docker.com/r/tonistiigi/dockerfile/tags/):
+
+During development, an external version of the Dockerfile frontend is pushed to https://hub.docker.com/r/tonistiigi/dockerfile that can be used with the gateway frontend. The source for the external frontend is currently located in `./frontend/dockerfile/cmd/dockerfile-frontend` but will move out of this repository in the future ([#163](https://github.com/moby/buildkit/issues/163)). For automatic build from master branch of this repository `tonistiigi/dockerfile:master` image can be used.
+
+```
+buildctl build --frontend=gateway.v0 --frontend-opt=source=tonistiigi/dockerfile --local context=. --local dockerfile=.
+buildctl build --frontend gateway.v0 --frontend-opt=source=tonistiigi/dockerfile --frontend-opt=context=git://github.com/moby/moby --frontend-opt build-arg:APT_MIRROR=cdn-fastly.deb.debian.org
+````
+
+### Exporters
+
+By default, the build result and intermediate cache will only remain internally in BuildKit. Exporter needs to be specified to retrieve the result.
+
+##### Exporting resulting image to containerd
+
+The containerd worker needs to be used
+
+```
+buildctl build ... --exporter=image --exporter-opt name=docker.io/username/image
+ctr --namespace=buildkit images ls
+```
+
+##### Push resulting image to registry
+
+```
+buildctl build ... --exporter=image --exporter-opt name=docker.io/username/image --exporter-opt push=true
+```
+
+If credentials are required, `buildctl` will attempt to read Docker configuration file.
+
+
+##### Exporting build result back to client
+
+The local client will copy the files directly to the client. This is useful if BuildKit is being used for building something else than container images.
+
+```
+buildctl build ... --exporter=local --exporter-opt output=path/to/output-dir
+```
+
+##### Exporting built image to Docker
+
+```
+# exported tarball is also compatible with OCI spec
+buildctl build ... --exporter=docker --exporter-opt name=myimage | docker load
+```
+
+##### Exporting [OCI Image Format](https://github.com/opencontainers/image-spec) tarball to client
+
+```
+buildctl build ... --exporter=oci --exporter-opt output=path/to/output.tar
+buildctl build ... --exporter=oci > output.tar
+```
+
+### Other
+
+#### View build cache
+
+```
+buildctl du -v
+```
+
+#### Show enabled workers
+
+```
+buildctl debug workers -v
+```
+
+### Running containerized buildkit
+
+BuildKit can also be used by running the `buildkitd` daemon inside a Docker container and accessing it remotely. The client tool `buildctl` is also available for Mac and Windows.
+
+To run daemon in a container:
+
+```
+docker run -d --privileged -p 1234:1234 tonistiigi/buildkit --addr tcp://0.0.0.0:1234
+export BUILDKIT_HOST=tcp://0.0.0.0:1234
+buildctl build --help
+```
+
+The `tonistiigi/buildkit` image can be built locally using the Dockerfile in `./hack/dockerfiles/test.Dockerfile`.
+
+### Opentracing support
+
+BuildKit supports opentracing for buildkitd gRPC API and buildctl commands. To capture the trace to [Jaeger](https://github.com/jaegertracing/jaeger), set `JAEGER_TRACE` environment variable to the collection address.
+
+
+```
+docker run -d -p6831:6831/udp -p16686:16686 jaegertracing/all-in-one:latest
+export JAEGER_TRACE=0.0.0.0:6831
+# restart buildkitd and buildctl so they know JAEGER_TRACE
+# any buildctl command should be traced to http://127.0.0.1:16686/
+```
+
+
+### Supported runc version
+
+During development, BuildKit is tested with the version of runc that is being used by the containerd repository. Please refer to [runc.md](https://github.com/containerd/containerd/blob/v1.1.0/RUNC.md) for more information.
+
+### Running BuildKit without root privileges
+
+Please refer to [`docs/rootless.md`](docs/rootless.md).
+
+### Contributing
+
+Running tests:
+
+```bash
+make test
+```
+
+This runs all unit and integration tests in a containerized environment. Locally, every package can be tested separately with standard Go tools, but integration tests are skipped if local user doesn't have enough permissions or worker binaries are not installed.
+
+```
+# test a specific package only
+make test TESTPKGS=./client
+
+# run a specific test with all worker combinations
+make test TESTPKGS=./client TESTFLAGS="--run /TestCallDiskUsage -v" 
+
+# run all integration tests with a specific worker
+# supported workers: oci, oci-rootless, containerd, containerd-1.0
+make test TESTPKGS=./client TESTFLAGS="--run //worker=containerd -v" 
+```
+
+Updating vendored dependencies:
+
+```bash
+# update vendor.conf
+make vendor
+```
+
+Validating your updates before submission:
+
+```bash
+make validate-all
+```
diff --git a/cli/vendor/github.com/moby/buildkit/api/services/control/control.pb.go b/cli/vendor/github.com/moby/buildkit/api/services/control/control.pb.go
new file mode 100644
index 00000000..9df84f12
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/api/services/control/control.pb.go
@@ -0,0 +1,4589 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: control.proto
+
+/*
+	Package moby_buildkit_v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		control.proto
+
+	It has these top-level messages:
+		PruneRequest
+		DiskUsageRequest
+		DiskUsageResponse
+		UsageRecord
+		SolveRequest
+		CacheOptions
+		SolveResponse
+		StatusRequest
+		StatusResponse
+		Vertex
+		VertexStatus
+		VertexLog
+		BytesMessage
+		ListWorkersRequest
+		ListWorkersResponse
+*/
+package moby_buildkit_v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+import _ "github.com/gogo/protobuf/gogoproto"
+import _ "github.com/golang/protobuf/ptypes/timestamp"
+import pb "github.com/moby/buildkit/solver/pb"
+import moby_buildkit_v1_types "github.com/moby/buildkit/api/types"
+
+import time "time"
+import github_com_opencontainers_go_digest "github.com/opencontainers/go-digest"
+
+import context "golang.org/x/net/context"
+import grpc "google.golang.org/grpc"
+
+import types "github.com/gogo/protobuf/types"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+var _ = time.Kitchen
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type PruneRequest struct {
+}
+
+func (m *PruneRequest) Reset()                    { *m = PruneRequest{} }
+func (m *PruneRequest) String() string            { return proto.CompactTextString(m) }
+func (*PruneRequest) ProtoMessage()               {}
+func (*PruneRequest) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{0} }
+
+type DiskUsageRequest struct {
+	Filter string `protobuf:"bytes,1,opt,name=filter,proto3" json:"filter,omitempty"`
+}
+
+func (m *DiskUsageRequest) Reset()                    { *m = DiskUsageRequest{} }
+func (m *DiskUsageRequest) String() string            { return proto.CompactTextString(m) }
+func (*DiskUsageRequest) ProtoMessage()               {}
+func (*DiskUsageRequest) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{1} }
+
+func (m *DiskUsageRequest) GetFilter() string {
+	if m != nil {
+		return m.Filter
+	}
+	return ""
+}
+
+type DiskUsageResponse struct {
+	Record []*UsageRecord `protobuf:"bytes,1,rep,name=record" json:"record,omitempty"`
+}
+
+func (m *DiskUsageResponse) Reset()                    { *m = DiskUsageResponse{} }
+func (m *DiskUsageResponse) String() string            { return proto.CompactTextString(m) }
+func (*DiskUsageResponse) ProtoMessage()               {}
+func (*DiskUsageResponse) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{2} }
+
+func (m *DiskUsageResponse) GetRecord() []*UsageRecord {
+	if m != nil {
+		return m.Record
+	}
+	return nil
+}
+
+type UsageRecord struct {
+	ID          string     `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	Mutable     bool       `protobuf:"varint,2,opt,name=Mutable,proto3" json:"Mutable,omitempty"`
+	InUse       bool       `protobuf:"varint,3,opt,name=InUse,proto3" json:"InUse,omitempty"`
+	Size_       int64      `protobuf:"varint,4,opt,name=Size,proto3" json:"Size,omitempty"`
+	Parent      string     `protobuf:"bytes,5,opt,name=Parent,proto3" json:"Parent,omitempty"`
+	CreatedAt   time.Time  `protobuf:"bytes,6,opt,name=CreatedAt,stdtime" json:"CreatedAt"`
+	LastUsedAt  *time.Time `protobuf:"bytes,7,opt,name=LastUsedAt,stdtime" json:"LastUsedAt,omitempty"`
+	UsageCount  int64      `protobuf:"varint,8,opt,name=UsageCount,proto3" json:"UsageCount,omitempty"`
+	Description string     `protobuf:"bytes,9,opt,name=Description,proto3" json:"Description,omitempty"`
+}
+
+func (m *UsageRecord) Reset()                    { *m = UsageRecord{} }
+func (m *UsageRecord) String() string            { return proto.CompactTextString(m) }
+func (*UsageRecord) ProtoMessage()               {}
+func (*UsageRecord) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{3} }
+
+func (m *UsageRecord) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+func (m *UsageRecord) GetMutable() bool {
+	if m != nil {
+		return m.Mutable
+	}
+	return false
+}
+
+func (m *UsageRecord) GetInUse() bool {
+	if m != nil {
+		return m.InUse
+	}
+	return false
+}
+
+func (m *UsageRecord) GetSize_() int64 {
+	if m != nil {
+		return m.Size_
+	}
+	return 0
+}
+
+func (m *UsageRecord) GetParent() string {
+	if m != nil {
+		return m.Parent
+	}
+	return ""
+}
+
+func (m *UsageRecord) GetCreatedAt() time.Time {
+	if m != nil {
+		return m.CreatedAt
+	}
+	return time.Time{}
+}
+
+func (m *UsageRecord) GetLastUsedAt() *time.Time {
+	if m != nil {
+		return m.LastUsedAt
+	}
+	return nil
+}
+
+func (m *UsageRecord) GetUsageCount() int64 {
+	if m != nil {
+		return m.UsageCount
+	}
+	return 0
+}
+
+func (m *UsageRecord) GetDescription() string {
+	if m != nil {
+		return m.Description
+	}
+	return ""
+}
+
+type SolveRequest struct {
+	Ref           string            `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	Definition    *pb.Definition    `protobuf:"bytes,2,opt,name=Definition" json:"Definition,omitempty"`
+	Exporter      string            `protobuf:"bytes,3,opt,name=Exporter,proto3" json:"Exporter,omitempty"`
+	ExporterAttrs map[string]string `protobuf:"bytes,4,rep,name=ExporterAttrs" json:"ExporterAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Session       string            `protobuf:"bytes,5,opt,name=Session,proto3" json:"Session,omitempty"`
+	Frontend      string            `protobuf:"bytes,6,opt,name=Frontend,proto3" json:"Frontend,omitempty"`
+	FrontendAttrs map[string]string `protobuf:"bytes,7,rep,name=FrontendAttrs" json:"FrontendAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Cache         CacheOptions      `protobuf:"bytes,8,opt,name=Cache" json:"Cache"`
+}
+
+func (m *SolveRequest) Reset()                    { *m = SolveRequest{} }
+func (m *SolveRequest) String() string            { return proto.CompactTextString(m) }
+func (*SolveRequest) ProtoMessage()               {}
+func (*SolveRequest) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{4} }
+
+func (m *SolveRequest) GetRef() string {
+	if m != nil {
+		return m.Ref
+	}
+	return ""
+}
+
+func (m *SolveRequest) GetDefinition() *pb.Definition {
+	if m != nil {
+		return m.Definition
+	}
+	return nil
+}
+
+func (m *SolveRequest) GetExporter() string {
+	if m != nil {
+		return m.Exporter
+	}
+	return ""
+}
+
+func (m *SolveRequest) GetExporterAttrs() map[string]string {
+	if m != nil {
+		return m.ExporterAttrs
+	}
+	return nil
+}
+
+func (m *SolveRequest) GetSession() string {
+	if m != nil {
+		return m.Session
+	}
+	return ""
+}
+
+func (m *SolveRequest) GetFrontend() string {
+	if m != nil {
+		return m.Frontend
+	}
+	return ""
+}
+
+func (m *SolveRequest) GetFrontendAttrs() map[string]string {
+	if m != nil {
+		return m.FrontendAttrs
+	}
+	return nil
+}
+
+func (m *SolveRequest) GetCache() CacheOptions {
+	if m != nil {
+		return m.Cache
+	}
+	return CacheOptions{}
+}
+
+type CacheOptions struct {
+	ExportRef   string            `protobuf:"bytes,1,opt,name=ExportRef,proto3" json:"ExportRef,omitempty"`
+	ImportRefs  []string          `protobuf:"bytes,2,rep,name=ImportRefs" json:"ImportRefs,omitempty"`
+	ExportAttrs map[string]string `protobuf:"bytes,3,rep,name=ExportAttrs" json:"ExportAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *CacheOptions) Reset()                    { *m = CacheOptions{} }
+func (m *CacheOptions) String() string            { return proto.CompactTextString(m) }
+func (*CacheOptions) ProtoMessage()               {}
+func (*CacheOptions) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{5} }
+
+func (m *CacheOptions) GetExportRef() string {
+	if m != nil {
+		return m.ExportRef
+	}
+	return ""
+}
+
+func (m *CacheOptions) GetImportRefs() []string {
+	if m != nil {
+		return m.ImportRefs
+	}
+	return nil
+}
+
+func (m *CacheOptions) GetExportAttrs() map[string]string {
+	if m != nil {
+		return m.ExportAttrs
+	}
+	return nil
+}
+
+type SolveResponse struct {
+	ExporterResponse map[string]string `protobuf:"bytes,1,rep,name=ExporterResponse" json:"ExporterResponse,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *SolveResponse) Reset()                    { *m = SolveResponse{} }
+func (m *SolveResponse) String() string            { return proto.CompactTextString(m) }
+func (*SolveResponse) ProtoMessage()               {}
+func (*SolveResponse) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{6} }
+
+func (m *SolveResponse) GetExporterResponse() map[string]string {
+	if m != nil {
+		return m.ExporterResponse
+	}
+	return nil
+}
+
+type StatusRequest struct {
+	Ref string `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+}
+
+func (m *StatusRequest) Reset()                    { *m = StatusRequest{} }
+func (m *StatusRequest) String() string            { return proto.CompactTextString(m) }
+func (*StatusRequest) ProtoMessage()               {}
+func (*StatusRequest) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{7} }
+
+func (m *StatusRequest) GetRef() string {
+	if m != nil {
+		return m.Ref
+	}
+	return ""
+}
+
+type StatusResponse struct {
+	Vertexes []*Vertex       `protobuf:"bytes,1,rep,name=vertexes" json:"vertexes,omitempty"`
+	Statuses []*VertexStatus `protobuf:"bytes,2,rep,name=statuses" json:"statuses,omitempty"`
+	Logs     []*VertexLog    `protobuf:"bytes,3,rep,name=logs" json:"logs,omitempty"`
+}
+
+func (m *StatusResponse) Reset()                    { *m = StatusResponse{} }
+func (m *StatusResponse) String() string            { return proto.CompactTextString(m) }
+func (*StatusResponse) ProtoMessage()               {}
+func (*StatusResponse) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{8} }
+
+func (m *StatusResponse) GetVertexes() []*Vertex {
+	if m != nil {
+		return m.Vertexes
+	}
+	return nil
+}
+
+func (m *StatusResponse) GetStatuses() []*VertexStatus {
+	if m != nil {
+		return m.Statuses
+	}
+	return nil
+}
+
+func (m *StatusResponse) GetLogs() []*VertexLog {
+	if m != nil {
+		return m.Logs
+	}
+	return nil
+}
+
+type Vertex struct {
+	Digest    github_com_opencontainers_go_digest.Digest   `protobuf:"bytes,1,opt,name=digest,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"digest"`
+	Inputs    []github_com_opencontainers_go_digest.Digest `protobuf:"bytes,2,rep,name=inputs,customtype=github.com/opencontainers/go-digest.Digest" json:"inputs"`
+	Name      string                                       `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
+	Cached    bool                                         `protobuf:"varint,4,opt,name=cached,proto3" json:"cached,omitempty"`
+	Started   *time.Time                                   `protobuf:"bytes,5,opt,name=started,stdtime" json:"started,omitempty"`
+	Completed *time.Time                                   `protobuf:"bytes,6,opt,name=completed,stdtime" json:"completed,omitempty"`
+	Error     string                                       `protobuf:"bytes,7,opt,name=error,proto3" json:"error,omitempty"`
+}
+
+func (m *Vertex) Reset()                    { *m = Vertex{} }
+func (m *Vertex) String() string            { return proto.CompactTextString(m) }
+func (*Vertex) ProtoMessage()               {}
+func (*Vertex) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{9} }
+
+func (m *Vertex) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *Vertex) GetCached() bool {
+	if m != nil {
+		return m.Cached
+	}
+	return false
+}
+
+func (m *Vertex) GetStarted() *time.Time {
+	if m != nil {
+		return m.Started
+	}
+	return nil
+}
+
+func (m *Vertex) GetCompleted() *time.Time {
+	if m != nil {
+		return m.Completed
+	}
+	return nil
+}
+
+func (m *Vertex) GetError() string {
+	if m != nil {
+		return m.Error
+	}
+	return ""
+}
+
+type VertexStatus struct {
+	ID      string                                     `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	Vertex  github_com_opencontainers_go_digest.Digest `protobuf:"bytes,2,opt,name=vertex,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"vertex"`
+	Name    string                                     `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
+	Current int64                                      `protobuf:"varint,4,opt,name=current,proto3" json:"current,omitempty"`
+	Total   int64                                      `protobuf:"varint,5,opt,name=total,proto3" json:"total,omitempty"`
+	// TODO: add started, completed
+	Timestamp time.Time  `protobuf:"bytes,6,opt,name=timestamp,stdtime" json:"timestamp"`
+	Started   *time.Time `protobuf:"bytes,7,opt,name=started,stdtime" json:"started,omitempty"`
+	Completed *time.Time `protobuf:"bytes,8,opt,name=completed,stdtime" json:"completed,omitempty"`
+}
+
+func (m *VertexStatus) Reset()                    { *m = VertexStatus{} }
+func (m *VertexStatus) String() string            { return proto.CompactTextString(m) }
+func (*VertexStatus) ProtoMessage()               {}
+func (*VertexStatus) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{10} }
+
+func (m *VertexStatus) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+func (m *VertexStatus) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *VertexStatus) GetCurrent() int64 {
+	if m != nil {
+		return m.Current
+	}
+	return 0
+}
+
+func (m *VertexStatus) GetTotal() int64 {
+	if m != nil {
+		return m.Total
+	}
+	return 0
+}
+
+func (m *VertexStatus) GetTimestamp() time.Time {
+	if m != nil {
+		return m.Timestamp
+	}
+	return time.Time{}
+}
+
+func (m *VertexStatus) GetStarted() *time.Time {
+	if m != nil {
+		return m.Started
+	}
+	return nil
+}
+
+func (m *VertexStatus) GetCompleted() *time.Time {
+	if m != nil {
+		return m.Completed
+	}
+	return nil
+}
+
+type VertexLog struct {
+	Vertex    github_com_opencontainers_go_digest.Digest `protobuf:"bytes,1,opt,name=vertex,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"vertex"`
+	Timestamp time.Time                                  `protobuf:"bytes,2,opt,name=timestamp,stdtime" json:"timestamp"`
+	Stream    int64                                      `protobuf:"varint,3,opt,name=stream,proto3" json:"stream,omitempty"`
+	Msg       []byte                                     `protobuf:"bytes,4,opt,name=msg,proto3" json:"msg,omitempty"`
+}
+
+func (m *VertexLog) Reset()                    { *m = VertexLog{} }
+func (m *VertexLog) String() string            { return proto.CompactTextString(m) }
+func (*VertexLog) ProtoMessage()               {}
+func (*VertexLog) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{11} }
+
+func (m *VertexLog) GetTimestamp() time.Time {
+	if m != nil {
+		return m.Timestamp
+	}
+	return time.Time{}
+}
+
+func (m *VertexLog) GetStream() int64 {
+	if m != nil {
+		return m.Stream
+	}
+	return 0
+}
+
+func (m *VertexLog) GetMsg() []byte {
+	if m != nil {
+		return m.Msg
+	}
+	return nil
+}
+
+type BytesMessage struct {
+	Data []byte `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
+}
+
+func (m *BytesMessage) Reset()                    { *m = BytesMessage{} }
+func (m *BytesMessage) String() string            { return proto.CompactTextString(m) }
+func (*BytesMessage) ProtoMessage()               {}
+func (*BytesMessage) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{12} }
+
+func (m *BytesMessage) GetData() []byte {
+	if m != nil {
+		return m.Data
+	}
+	return nil
+}
+
+type ListWorkersRequest struct {
+	Filter []string `protobuf:"bytes,1,rep,name=filter" json:"filter,omitempty"`
+}
+
+func (m *ListWorkersRequest) Reset()                    { *m = ListWorkersRequest{} }
+func (m *ListWorkersRequest) String() string            { return proto.CompactTextString(m) }
+func (*ListWorkersRequest) ProtoMessage()               {}
+func (*ListWorkersRequest) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{13} }
+
+func (m *ListWorkersRequest) GetFilter() []string {
+	if m != nil {
+		return m.Filter
+	}
+	return nil
+}
+
+type ListWorkersResponse struct {
+	Record []*moby_buildkit_v1_types.WorkerRecord `protobuf:"bytes,1,rep,name=record" json:"record,omitempty"`
+}
+
+func (m *ListWorkersResponse) Reset()                    { *m = ListWorkersResponse{} }
+func (m *ListWorkersResponse) String() string            { return proto.CompactTextString(m) }
+func (*ListWorkersResponse) ProtoMessage()               {}
+func (*ListWorkersResponse) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{14} }
+
+func (m *ListWorkersResponse) GetRecord() []*moby_buildkit_v1_types.WorkerRecord {
+	if m != nil {
+		return m.Record
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*PruneRequest)(nil), "moby.buildkit.v1.PruneRequest")
+	proto.RegisterType((*DiskUsageRequest)(nil), "moby.buildkit.v1.DiskUsageRequest")
+	proto.RegisterType((*DiskUsageResponse)(nil), "moby.buildkit.v1.DiskUsageResponse")
+	proto.RegisterType((*UsageRecord)(nil), "moby.buildkit.v1.UsageRecord")
+	proto.RegisterType((*SolveRequest)(nil), "moby.buildkit.v1.SolveRequest")
+	proto.RegisterType((*CacheOptions)(nil), "moby.buildkit.v1.CacheOptions")
+	proto.RegisterType((*SolveResponse)(nil), "moby.buildkit.v1.SolveResponse")
+	proto.RegisterType((*StatusRequest)(nil), "moby.buildkit.v1.StatusRequest")
+	proto.RegisterType((*StatusResponse)(nil), "moby.buildkit.v1.StatusResponse")
+	proto.RegisterType((*Vertex)(nil), "moby.buildkit.v1.Vertex")
+	proto.RegisterType((*VertexStatus)(nil), "moby.buildkit.v1.VertexStatus")
+	proto.RegisterType((*VertexLog)(nil), "moby.buildkit.v1.VertexLog")
+	proto.RegisterType((*BytesMessage)(nil), "moby.buildkit.v1.BytesMessage")
+	proto.RegisterType((*ListWorkersRequest)(nil), "moby.buildkit.v1.ListWorkersRequest")
+	proto.RegisterType((*ListWorkersResponse)(nil), "moby.buildkit.v1.ListWorkersResponse")
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// Client API for Control service
+
+type ControlClient interface {
+	DiskUsage(ctx context.Context, in *DiskUsageRequest, opts ...grpc.CallOption) (*DiskUsageResponse, error)
+	Prune(ctx context.Context, in *PruneRequest, opts ...grpc.CallOption) (Control_PruneClient, error)
+	Solve(ctx context.Context, in *SolveRequest, opts ...grpc.CallOption) (*SolveResponse, error)
+	Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (Control_StatusClient, error)
+	Session(ctx context.Context, opts ...grpc.CallOption) (Control_SessionClient, error)
+	ListWorkers(ctx context.Context, in *ListWorkersRequest, opts ...grpc.CallOption) (*ListWorkersResponse, error)
+}
+
+type controlClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewControlClient(cc *grpc.ClientConn) ControlClient {
+	return &controlClient{cc}
+}
+
+func (c *controlClient) DiskUsage(ctx context.Context, in *DiskUsageRequest, opts ...grpc.CallOption) (*DiskUsageResponse, error) {
+	out := new(DiskUsageResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.Control/DiskUsage", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controlClient) Prune(ctx context.Context, in *PruneRequest, opts ...grpc.CallOption) (Control_PruneClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_Control_serviceDesc.Streams[0], c.cc, "/moby.buildkit.v1.Control/Prune", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &controlPruneClient{stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+type Control_PruneClient interface {
+	Recv() (*UsageRecord, error)
+	grpc.ClientStream
+}
+
+type controlPruneClient struct {
+	grpc.ClientStream
+}
+
+func (x *controlPruneClient) Recv() (*UsageRecord, error) {
+	m := new(UsageRecord)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func (c *controlClient) Solve(ctx context.Context, in *SolveRequest, opts ...grpc.CallOption) (*SolveResponse, error) {
+	out := new(SolveResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.Control/Solve", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controlClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (Control_StatusClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_Control_serviceDesc.Streams[1], c.cc, "/moby.buildkit.v1.Control/Status", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &controlStatusClient{stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+type Control_StatusClient interface {
+	Recv() (*StatusResponse, error)
+	grpc.ClientStream
+}
+
+type controlStatusClient struct {
+	grpc.ClientStream
+}
+
+func (x *controlStatusClient) Recv() (*StatusResponse, error) {
+	m := new(StatusResponse)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func (c *controlClient) Session(ctx context.Context, opts ...grpc.CallOption) (Control_SessionClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_Control_serviceDesc.Streams[2], c.cc, "/moby.buildkit.v1.Control/Session", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &controlSessionClient{stream}
+	return x, nil
+}
+
+type Control_SessionClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type controlSessionClient struct {
+	grpc.ClientStream
+}
+
+func (x *controlSessionClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *controlSessionClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func (c *controlClient) ListWorkers(ctx context.Context, in *ListWorkersRequest, opts ...grpc.CallOption) (*ListWorkersResponse, error) {
+	out := new(ListWorkersResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.Control/ListWorkers", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// Server API for Control service
+
+type ControlServer interface {
+	DiskUsage(context.Context, *DiskUsageRequest) (*DiskUsageResponse, error)
+	Prune(*PruneRequest, Control_PruneServer) error
+	Solve(context.Context, *SolveRequest) (*SolveResponse, error)
+	Status(*StatusRequest, Control_StatusServer) error
+	Session(Control_SessionServer) error
+	ListWorkers(context.Context, *ListWorkersRequest) (*ListWorkersResponse, error)
+}
+
+func RegisterControlServer(s *grpc.Server, srv ControlServer) {
+	s.RegisterService(&_Control_serviceDesc, srv)
+}
+
+func _Control_DiskUsage_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DiskUsageRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServer).DiskUsage(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.Control/DiskUsage",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServer).DiskUsage(ctx, req.(*DiskUsageRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Control_Prune_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(PruneRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(ControlServer).Prune(m, &controlPruneServer{stream})
+}
+
+type Control_PruneServer interface {
+	Send(*UsageRecord) error
+	grpc.ServerStream
+}
+
+type controlPruneServer struct {
+	grpc.ServerStream
+}
+
+func (x *controlPruneServer) Send(m *UsageRecord) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func _Control_Solve_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SolveRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServer).Solve(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.Control/Solve",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServer).Solve(ctx, req.(*SolveRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Control_Status_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(StatusRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(ControlServer).Status(m, &controlStatusServer{stream})
+}
+
+type Control_StatusServer interface {
+	Send(*StatusResponse) error
+	grpc.ServerStream
+}
+
+type controlStatusServer struct {
+	grpc.ServerStream
+}
+
+func (x *controlStatusServer) Send(m *StatusResponse) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func _Control_Session_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(ControlServer).Session(&controlSessionServer{stream})
+}
+
+type Control_SessionServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type controlSessionServer struct {
+	grpc.ServerStream
+}
+
+func (x *controlSessionServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *controlSessionServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func _Control_ListWorkers_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListWorkersRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServer).ListWorkers(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.Control/ListWorkers",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServer).ListWorkers(ctx, req.(*ListWorkersRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _Control_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.buildkit.v1.Control",
+	HandlerType: (*ControlServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "DiskUsage",
+			Handler:    _Control_DiskUsage_Handler,
+		},
+		{
+			MethodName: "Solve",
+			Handler:    _Control_Solve_Handler,
+		},
+		{
+			MethodName: "ListWorkers",
+			Handler:    _Control_ListWorkers_Handler,
+		},
+	},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "Prune",
+			Handler:       _Control_Prune_Handler,
+			ServerStreams: true,
+		},
+		{
+			StreamName:    "Status",
+			Handler:       _Control_Status_Handler,
+			ServerStreams: true,
+		},
+		{
+			StreamName:    "Session",
+			Handler:       _Control_Session_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "control.proto",
+}
+
+func (m *PruneRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PruneRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	return i, nil
+}
+
+func (m *DiskUsageRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DiskUsageRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Filter) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Filter)))
+		i += copy(dAtA[i:], m.Filter)
+	}
+	return i, nil
+}
+
+func (m *DiskUsageResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DiskUsageResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Record) > 0 {
+		for _, msg := range m.Record {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *UsageRecord) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *UsageRecord) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	if m.Mutable {
+		dAtA[i] = 0x10
+		i++
+		if m.Mutable {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.InUse {
+		dAtA[i] = 0x18
+		i++
+		if m.InUse {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.Size_ != 0 {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.Size_))
+	}
+	if len(m.Parent) > 0 {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Parent)))
+		i += copy(dAtA[i:], m.Parent)
+	}
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(m.CreatedAt)))
+	n1, err := types.StdTimeMarshalTo(m.CreatedAt, dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	if m.LastUsedAt != nil {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(*m.LastUsedAt)))
+		n2, err := types.StdTimeMarshalTo(*m.LastUsedAt, dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n2
+	}
+	if m.UsageCount != 0 {
+		dAtA[i] = 0x40
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.UsageCount))
+	}
+	if len(m.Description) > 0 {
+		dAtA[i] = 0x4a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Description)))
+		i += copy(dAtA[i:], m.Description)
+	}
+	return i, nil
+}
+
+func (m *SolveRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SolveRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ref) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Ref)))
+		i += copy(dAtA[i:], m.Ref)
+	}
+	if m.Definition != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.Definition.Size()))
+		n3, err := m.Definition.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n3
+	}
+	if len(m.Exporter) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Exporter)))
+		i += copy(dAtA[i:], m.Exporter)
+	}
+	if len(m.ExporterAttrs) > 0 {
+		for k, _ := range m.ExporterAttrs {
+			dAtA[i] = 0x22
+			i++
+			v := m.ExporterAttrs[k]
+			mapSize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			i = encodeVarintControl(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.Session) > 0 {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Session)))
+		i += copy(dAtA[i:], m.Session)
+	}
+	if len(m.Frontend) > 0 {
+		dAtA[i] = 0x32
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Frontend)))
+		i += copy(dAtA[i:], m.Frontend)
+	}
+	if len(m.FrontendAttrs) > 0 {
+		for k, _ := range m.FrontendAttrs {
+			dAtA[i] = 0x3a
+			i++
+			v := m.FrontendAttrs[k]
+			mapSize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			i = encodeVarintControl(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintControl(dAtA, i, uint64(m.Cache.Size()))
+	n4, err := m.Cache.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	return i, nil
+}
+
+func (m *CacheOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CacheOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ExportRef) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.ExportRef)))
+		i += copy(dAtA[i:], m.ExportRef)
+	}
+	if len(m.ImportRefs) > 0 {
+		for _, s := range m.ImportRefs {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.ExportAttrs) > 0 {
+		for k, _ := range m.ExportAttrs {
+			dAtA[i] = 0x1a
+			i++
+			v := m.ExportAttrs[k]
+			mapSize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			i = encodeVarintControl(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *SolveResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SolveResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ExporterResponse) > 0 {
+		for k, _ := range m.ExporterResponse {
+			dAtA[i] = 0xa
+			i++
+			v := m.ExporterResponse[k]
+			mapSize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			i = encodeVarintControl(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *StatusRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatusRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ref) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Ref)))
+		i += copy(dAtA[i:], m.Ref)
+	}
+	return i, nil
+}
+
+func (m *StatusResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatusResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Vertexes) > 0 {
+		for _, msg := range m.Vertexes {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Statuses) > 0 {
+		for _, msg := range m.Statuses {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Logs) > 0 {
+		for _, msg := range m.Logs {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *Vertex) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Vertex) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Digest) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Digest)))
+		i += copy(dAtA[i:], m.Digest)
+	}
+	if len(m.Inputs) > 0 {
+		for _, s := range m.Inputs {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Name) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Name)))
+		i += copy(dAtA[i:], m.Name)
+	}
+	if m.Cached {
+		dAtA[i] = 0x20
+		i++
+		if m.Cached {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.Started != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(*m.Started)))
+		n5, err := types.StdTimeMarshalTo(*m.Started, dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n5
+	}
+	if m.Completed != nil {
+		dAtA[i] = 0x32
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(*m.Completed)))
+		n6, err := types.StdTimeMarshalTo(*m.Completed, dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n6
+	}
+	if len(m.Error) > 0 {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Error)))
+		i += copy(dAtA[i:], m.Error)
+	}
+	return i, nil
+}
+
+func (m *VertexStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *VertexStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	if len(m.Vertex) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Vertex)))
+		i += copy(dAtA[i:], m.Vertex)
+	}
+	if len(m.Name) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Name)))
+		i += copy(dAtA[i:], m.Name)
+	}
+	if m.Current != 0 {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.Current))
+	}
+	if m.Total != 0 {
+		dAtA[i] = 0x28
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.Total))
+	}
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(m.Timestamp)))
+	n7, err := types.StdTimeMarshalTo(m.Timestamp, dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n7
+	if m.Started != nil {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(*m.Started)))
+		n8, err := types.StdTimeMarshalTo(*m.Started, dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	if m.Completed != nil {
+		dAtA[i] = 0x42
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(*m.Completed)))
+		n9, err := types.StdTimeMarshalTo(*m.Completed, dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n9
+	}
+	return i, nil
+}
+
+func (m *VertexLog) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *VertexLog) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Vertex) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Vertex)))
+		i += copy(dAtA[i:], m.Vertex)
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(m.Timestamp)))
+	n10, err := types.StdTimeMarshalTo(m.Timestamp, dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	if m.Stream != 0 {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.Stream))
+	}
+	if len(m.Msg) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Msg)))
+		i += copy(dAtA[i:], m.Msg)
+	}
+	return i, nil
+}
+
+func (m *BytesMessage) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BytesMessage) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Data) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func (m *ListWorkersRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ListWorkersRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Filter) > 0 {
+		for _, s := range m.Filter {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *ListWorkersResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ListWorkersResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Record) > 0 {
+		for _, msg := range m.Record {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeVarintControl(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *PruneRequest) Size() (n int) {
+	var l int
+	_ = l
+	return n
+}
+
+func (m *DiskUsageRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Filter)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *DiskUsageResponse) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Record) > 0 {
+		for _, e := range m.Record {
+			l = e.Size()
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *UsageRecord) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Mutable {
+		n += 2
+	}
+	if m.InUse {
+		n += 2
+	}
+	if m.Size_ != 0 {
+		n += 1 + sovControl(uint64(m.Size_))
+	}
+	l = len(m.Parent)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = types.SizeOfStdTime(m.CreatedAt)
+	n += 1 + l + sovControl(uint64(l))
+	if m.LastUsedAt != nil {
+		l = types.SizeOfStdTime(*m.LastUsedAt)
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.UsageCount != 0 {
+		n += 1 + sovControl(uint64(m.UsageCount))
+	}
+	l = len(m.Description)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *SolveRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Ref)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Definition != nil {
+		l = m.Definition.Size()
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = len(m.Exporter)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if len(m.ExporterAttrs) > 0 {
+		for k, v := range m.ExporterAttrs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			n += mapEntrySize + 1 + sovControl(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.Session)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = len(m.Frontend)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if len(m.FrontendAttrs) > 0 {
+		for k, v := range m.FrontendAttrs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			n += mapEntrySize + 1 + sovControl(uint64(mapEntrySize))
+		}
+	}
+	l = m.Cache.Size()
+	n += 1 + l + sovControl(uint64(l))
+	return n
+}
+
+func (m *CacheOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ExportRef)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if len(m.ImportRefs) > 0 {
+		for _, s := range m.ImportRefs {
+			l = len(s)
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	if len(m.ExportAttrs) > 0 {
+		for k, v := range m.ExportAttrs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			n += mapEntrySize + 1 + sovControl(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *SolveResponse) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.ExporterResponse) > 0 {
+		for k, v := range m.ExporterResponse {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			n += mapEntrySize + 1 + sovControl(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *StatusRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Ref)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *StatusResponse) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Vertexes) > 0 {
+		for _, e := range m.Vertexes {
+			l = e.Size()
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	if len(m.Statuses) > 0 {
+		for _, e := range m.Statuses {
+			l = e.Size()
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	if len(m.Logs) > 0 {
+		for _, e := range m.Logs {
+			l = e.Size()
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Vertex) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Digest)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if len(m.Inputs) > 0 {
+		for _, s := range m.Inputs {
+			l = len(s)
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	l = len(m.Name)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Cached {
+		n += 2
+	}
+	if m.Started != nil {
+		l = types.SizeOfStdTime(*m.Started)
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Completed != nil {
+		l = types.SizeOfStdTime(*m.Completed)
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = len(m.Error)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *VertexStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = len(m.Vertex)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = len(m.Name)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Current != 0 {
+		n += 1 + sovControl(uint64(m.Current))
+	}
+	if m.Total != 0 {
+		n += 1 + sovControl(uint64(m.Total))
+	}
+	l = types.SizeOfStdTime(m.Timestamp)
+	n += 1 + l + sovControl(uint64(l))
+	if m.Started != nil {
+		l = types.SizeOfStdTime(*m.Started)
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Completed != nil {
+		l = types.SizeOfStdTime(*m.Completed)
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *VertexLog) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Vertex)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = types.SizeOfStdTime(m.Timestamp)
+	n += 1 + l + sovControl(uint64(l))
+	if m.Stream != 0 {
+		n += 1 + sovControl(uint64(m.Stream))
+	}
+	l = len(m.Msg)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *BytesMessage) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Data)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *ListWorkersRequest) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Filter) > 0 {
+		for _, s := range m.Filter {
+			l = len(s)
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ListWorkersResponse) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Record) > 0 {
+		for _, e := range m.Record {
+			l = e.Size()
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovControl(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozControl(x uint64) (n int) {
+	return sovControl(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *PruneRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PruneRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PruneRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DiskUsageRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DiskUsageRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DiskUsageRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Filter", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Filter = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DiskUsageResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DiskUsageResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DiskUsageResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Record", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Record = append(m.Record, &UsageRecord{})
+			if err := m.Record[len(m.Record)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *UsageRecord) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: UsageRecord: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: UsageRecord: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Mutable", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Mutable = bool(v != 0)
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field InUse", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.InUse = bool(v != 0)
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Size_", wireType)
+			}
+			m.Size_ = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Size_ |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Parent", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Parent = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CreatedAt", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := types.StdTimeUnmarshal(&m.CreatedAt, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastUsedAt", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.LastUsedAt == nil {
+				m.LastUsedAt = new(time.Time)
+			}
+			if err := types.StdTimeUnmarshal(m.LastUsedAt, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UsageCount", wireType)
+			}
+			m.UsageCount = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UsageCount |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Description", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Description = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SolveRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SolveRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SolveRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ref", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ref = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Definition", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Definition == nil {
+				m.Definition = &pb.Definition{}
+			}
+			if err := m.Definition.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Exporter", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Exporter = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExporterAttrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ExporterAttrs == nil {
+				m.ExporterAttrs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowControl
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipControl(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthControl
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.ExporterAttrs[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Session", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Session = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Frontend", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Frontend = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FrontendAttrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.FrontendAttrs == nil {
+				m.FrontendAttrs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowControl
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipControl(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthControl
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.FrontendAttrs[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Cache", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Cache.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CacheOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CacheOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CacheOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExportRef", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExportRef = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ImportRefs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ImportRefs = append(m.ImportRefs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExportAttrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ExportAttrs == nil {
+				m.ExportAttrs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowControl
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipControl(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthControl
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.ExportAttrs[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SolveResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SolveResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SolveResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExporterResponse", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ExporterResponse == nil {
+				m.ExporterResponse = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowControl
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipControl(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthControl
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.ExporterResponse[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatusRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatusRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatusRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ref", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ref = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatusResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatusResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatusResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Vertexes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Vertexes = append(m.Vertexes, &Vertex{})
+			if err := m.Vertexes[len(m.Vertexes)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Statuses", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Statuses = append(m.Statuses, &VertexStatus{})
+			if err := m.Statuses[len(m.Statuses)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Logs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Logs = append(m.Logs, &VertexLog{})
+			if err := m.Logs[len(m.Logs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Vertex) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Vertex: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Vertex: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Digest", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Digest = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Inputs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Inputs = append(m.Inputs, github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Cached", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Cached = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Started", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Started == nil {
+				m.Started = new(time.Time)
+			}
+			if err := types.StdTimeUnmarshal(m.Started, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Completed", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Completed == nil {
+				m.Completed = new(time.Time)
+			}
+			if err := types.StdTimeUnmarshal(m.Completed, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Error = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *VertexStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: VertexStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: VertexStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Vertex", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Vertex = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Current", wireType)
+			}
+			m.Current = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Current |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Total", wireType)
+			}
+			m.Total = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Total |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Timestamp", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := types.StdTimeUnmarshal(&m.Timestamp, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Started", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Started == nil {
+				m.Started = new(time.Time)
+			}
+			if err := types.StdTimeUnmarshal(m.Started, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Completed", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Completed == nil {
+				m.Completed = new(time.Time)
+			}
+			if err := types.StdTimeUnmarshal(m.Completed, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *VertexLog) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: VertexLog: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: VertexLog: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Vertex", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Vertex = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Timestamp", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := types.StdTimeUnmarshal(&m.Timestamp, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stream", wireType)
+			}
+			m.Stream = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Stream |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Msg", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Msg = append(m.Msg[:0], dAtA[iNdEx:postIndex]...)
+			if m.Msg == nil {
+				m.Msg = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *BytesMessage) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BytesMessage: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BytesMessage: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ListWorkersRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ListWorkersRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ListWorkersRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Filter", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Filter = append(m.Filter, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ListWorkersResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ListWorkersResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ListWorkersResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Record", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Record = append(m.Record, &moby_buildkit_v1_types.WorkerRecord{})
+			if err := m.Record[len(m.Record)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipControl(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthControl
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowControl
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipControl(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthControl = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowControl   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("control.proto", fileDescriptorControl) }
+
+var fileDescriptorControl = []byte{
+	// 1176 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x56, 0x4d, 0x6f, 0x23, 0x45,
+	0x13, 0x7e, 0xc7, 0x76, 0xfc, 0x51, 0x76, 0xa2, 0xbc, 0x0d, 0xac, 0x46, 0x03, 0x24, 0x66, 0x00,
+	0xc9, 0x5a, 0xed, 0xce, 0x64, 0x03, 0x2b, 0xa1, 0x08, 0xad, 0x76, 0x1d, 0x2f, 0x22, 0x51, 0x22,
+	0x96, 0xce, 0x86, 0x95, 0xb8, 0x8d, 0xed, 0x8e, 0x77, 0x14, 0x7b, 0x7a, 0xe8, 0xee, 0x09, 0x6b,
+	0x7e, 0x05, 0x07, 0xfe, 0x09, 0x07, 0xce, 0x1c, 0x90, 0xf6, 0xc8, 0x99, 0x43, 0x16, 0xe5, 0x0e,
+	0xbf, 0x01, 0xf5, 0xc7, 0xd8, 0xed, 0xd8, 0xf9, 0xdc, 0x53, 0xba, 0x2a, 0x4f, 0x3d, 0x53, 0x5d,
+	0x4f, 0xb9, 0xab, 0x60, 0xb9, 0x47, 0x13, 0xc1, 0xe8, 0x30, 0x48, 0x19, 0x15, 0x14, 0xad, 0x8e,
+	0x68, 0x77, 0x1c, 0x74, 0xb3, 0x78, 0xd8, 0x3f, 0x8e, 0x45, 0x70, 0xf2, 0xc0, 0xbb, 0x3f, 0x88,
+	0xc5, 0xcb, 0xac, 0x1b, 0xf4, 0xe8, 0x28, 0x1c, 0xd0, 0x01, 0x0d, 0x15, 0xb0, 0x9b, 0x1d, 0x29,
+	0x4b, 0x19, 0xea, 0xa4, 0x09, 0xbc, 0xf5, 0x01, 0xa5, 0x83, 0x21, 0x99, 0xa2, 0x44, 0x3c, 0x22,
+	0x5c, 0x44, 0xa3, 0xd4, 0x00, 0xee, 0x59, 0x7c, 0xf2, 0x63, 0x61, 0xfe, 0xb1, 0x90, 0xd3, 0xe1,
+	0x09, 0x61, 0x61, 0xda, 0x0d, 0x69, 0xca, 0x0d, 0x3a, 0xbc, 0x10, 0x1d, 0xa5, 0x71, 0x28, 0xc6,
+	0x29, 0xe1, 0xe1, 0x8f, 0x94, 0x1d, 0x13, 0xa6, 0x03, 0xfc, 0x15, 0x68, 0x3c, 0x63, 0x59, 0x42,
+	0x30, 0xf9, 0x21, 0x23, 0x5c, 0xf8, 0x77, 0x61, 0xb5, 0x13, 0xf3, 0xe3, 0x43, 0x1e, 0x0d, 0x72,
+	0x1f, 0xba, 0x03, 0xe5, 0xa3, 0x78, 0x28, 0x08, 0x73, 0x9d, 0xa6, 0xd3, 0xaa, 0x61, 0x63, 0xf9,
+	0xbb, 0xf0, 0x7f, 0x0b, 0xcb, 0x53, 0x9a, 0x70, 0x82, 0x1e, 0x42, 0x99, 0x91, 0x1e, 0x65, 0x7d,
+	0xd7, 0x69, 0x16, 0x5b, 0xf5, 0xcd, 0x0f, 0x83, 0xf3, 0x25, 0x0a, 0x4c, 0x80, 0x04, 0x61, 0x03,
+	0xf6, 0x7f, 0x2f, 0x40, 0xdd, 0xf2, 0xa3, 0x15, 0x28, 0xec, 0x74, 0xcc, 0xf7, 0x0a, 0x3b, 0x1d,
+	0xe4, 0x42, 0x65, 0x3f, 0x13, 0x51, 0x77, 0x48, 0xdc, 0x42, 0xd3, 0x69, 0x55, 0x71, 0x6e, 0xa2,
+	0x77, 0x61, 0x69, 0x27, 0x39, 0xe4, 0xc4, 0x2d, 0x2a, 0xbf, 0x36, 0x10, 0x82, 0xd2, 0x41, 0xfc,
+	0x13, 0x71, 0x4b, 0x4d, 0xa7, 0x55, 0xc4, 0xea, 0x2c, 0xef, 0xf1, 0x2c, 0x62, 0x24, 0x11, 0xee,
+	0x92, 0xbe, 0x87, 0xb6, 0x50, 0x1b, 0x6a, 0xdb, 0x8c, 0x44, 0x82, 0xf4, 0x9f, 0x08, 0xb7, 0xdc,
+	0x74, 0x5a, 0xf5, 0x4d, 0x2f, 0xd0, 0xba, 0x04, 0xb9, 0x2e, 0xc1, 0xf3, 0x5c, 0x97, 0x76, 0xf5,
+	0xf5, 0xe9, 0xfa, 0xff, 0x7e, 0x7e, 0xb3, 0xee, 0xe0, 0x69, 0x18, 0x7a, 0x0c, 0xb0, 0x17, 0x71,
+	0x71, 0xc8, 0x15, 0x49, 0xe5, 0x4a, 0x92, 0x92, 0x22, 0xb0, 0x62, 0xd0, 0x1a, 0x80, 0x2a, 0xc0,
+	0x36, 0xcd, 0x12, 0xe1, 0x56, 0x55, 0xde, 0x96, 0x07, 0x35, 0xa1, 0xde, 0x21, 0xbc, 0xc7, 0xe2,
+	0x54, 0xc4, 0x34, 0x71, 0x6b, 0xea, 0x0a, 0xb6, 0xcb, 0xff, 0xa5, 0x04, 0x8d, 0x03, 0xd9, 0x14,
+	0xb9, 0x70, 0xab, 0x50, 0xc4, 0xe4, 0xc8, 0x54, 0x51, 0x1e, 0x51, 0x00, 0xd0, 0x21, 0x47, 0x71,
+	0x12, 0x2b, 0x8e, 0x82, 0x4a, 0x73, 0x25, 0x48, 0xbb, 0xc1, 0xd4, 0x8b, 0x2d, 0x04, 0xf2, 0xa0,
+	0xfa, 0xf4, 0x55, 0x4a, 0x99, 0x14, 0xbf, 0xa8, 0x68, 0x26, 0x36, 0x7a, 0x01, 0xcb, 0xf9, 0xf9,
+	0x89, 0x10, 0x8c, 0xbb, 0x25, 0x25, 0xf8, 0x83, 0x79, 0xc1, 0xed, 0xa4, 0x82, 0x99, 0x98, 0xa7,
+	0x89, 0x60, 0x63, 0x3c, 0xcb, 0x23, 0xb5, 0x3e, 0x20, 0x9c, 0xcb, 0x0c, 0xb5, 0x50, 0xb9, 0x29,
+	0xd3, 0xf9, 0x8a, 0xd1, 0x44, 0x90, 0xa4, 0xaf, 0x84, 0xaa, 0xe1, 0x89, 0x2d, 0xd3, 0xc9, 0xcf,
+	0x3a, 0x9d, 0xca, 0xb5, 0xd2, 0x99, 0x89, 0x31, 0xe9, 0xcc, 0xf8, 0xd0, 0x16, 0x2c, 0x6d, 0x47,
+	0xbd, 0x97, 0x44, 0x69, 0x52, 0xdf, 0x5c, 0x9b, 0x27, 0x54, 0xff, 0xfe, 0x46, 0x89, 0xc0, 0xdb,
+	0x25, 0xd9, 0x1e, 0x58, 0x87, 0x78, 0x8f, 0x01, 0xcd, 0xdf, 0x57, 0xea, 0x72, 0x4c, 0xc6, 0xb9,
+	0x2e, 0xc7, 0x64, 0x2c, 0x9b, 0xf8, 0x24, 0x1a, 0x66, 0xba, 0xb9, 0x6b, 0x58, 0x1b, 0x5b, 0x85,
+	0x2f, 0x1c, 0xc9, 0x30, 0x9f, 0xe2, 0x4d, 0x18, 0xfc, 0x37, 0x0e, 0x34, 0xec, 0x0c, 0xd1, 0x07,
+	0x50, 0xd3, 0x49, 0x4d, 0x9b, 0x63, 0xea, 0x90, 0x7d, 0xb8, 0x33, 0x32, 0x06, 0x77, 0x0b, 0xcd,
+	0x62, 0xab, 0x86, 0x2d, 0x0f, 0xfa, 0x16, 0xea, 0x1a, 0xac, 0xab, 0x5c, 0x54, 0x55, 0x0e, 0x2f,
+	0x2f, 0x4a, 0x60, 0x45, 0xe8, 0x1a, 0xdb, 0x1c, 0xde, 0x23, 0x58, 0x3d, 0x0f, 0xb8, 0xd1, 0x0d,
+	0x7f, 0x73, 0x60, 0xd9, 0x88, 0x6a, 0x5e, 0xa1, 0x28, 0x67, 0x24, 0x2c, 0xf7, 0x99, 0xf7, 0xe8,
+	0xe1, 0x85, 0xfd, 0xa0, 0x61, 0xc1, 0xf9, 0x38, 0x9d, 0xef, 0x1c, 0x9d, 0xb7, 0x0d, 0xef, 0x2d,
+	0x84, 0xde, 0x28, 0xf3, 0x8f, 0x60, 0xf9, 0x40, 0x44, 0x22, 0xe3, 0x17, 0xfe, 0x64, 0xfd, 0x5f,
+	0x1d, 0x58, 0xc9, 0x31, 0xe6, 0x76, 0x9f, 0x43, 0xf5, 0x84, 0x30, 0x41, 0x5e, 0x11, 0x6e, 0x6e,
+	0xe5, 0xce, 0xdf, 0xea, 0x3b, 0x85, 0xc0, 0x13, 0x24, 0xda, 0x82, 0x2a, 0x57, 0x3c, 0x44, 0xcb,
+	0xba, 0xb0, 0x95, 0x75, 0x94, 0xf9, 0xde, 0x04, 0x8f, 0x42, 0x28, 0x0d, 0xe9, 0x20, 0x57, 0xfb,
+	0xfd, 0x8b, 0xe2, 0xf6, 0xe8, 0x00, 0x2b, 0xa0, 0x7f, 0x5a, 0x80, 0xb2, 0xf6, 0xa1, 0x5d, 0x28,
+	0xf7, 0xe3, 0x01, 0xe1, 0x42, 0xdf, 0xaa, 0xbd, 0x29, 0x7f, 0x20, 0x7f, 0x9d, 0xae, 0xdf, 0xb5,
+	0x66, 0x15, 0x4d, 0x49, 0x22, 0x27, 0x6b, 0x14, 0x27, 0x84, 0xf1, 0x70, 0x40, 0xef, 0xeb, 0x90,
+	0xa0, 0xa3, 0xfe, 0x60, 0xc3, 0x20, 0xb9, 0xe2, 0x24, 0xcd, 0x84, 0x69, 0xcc, 0xdb, 0x71, 0x69,
+	0x06, 0x39, 0x22, 0x92, 0x68, 0x44, 0xcc, 0xbb, 0xa6, 0xce, 0x72, 0x44, 0xf4, 0x64, 0xdf, 0xf6,
+	0xd5, 0xe0, 0xa8, 0x62, 0x63, 0xa1, 0x2d, 0xa8, 0x70, 0x11, 0x31, 0x41, 0xfa, 0xea, 0x49, 0xba,
+	0xce, 0xdb, 0x9e, 0x07, 0xa0, 0x47, 0x50, 0xeb, 0xd1, 0x51, 0x3a, 0x24, 0x32, 0xba, 0x7c, 0xcd,
+	0xe8, 0x69, 0x88, 0xec, 0x1e, 0xc2, 0x18, 0x65, 0x6a, 0xaa, 0xd4, 0xb0, 0x36, 0xfc, 0x7f, 0x0b,
+	0xd0, 0xb0, 0xc5, 0x9a, 0x9b, 0x98, 0xbb, 0x50, 0xd6, 0xd2, 0xeb, 0xae, 0xbb, 0x5d, 0xa9, 0x34,
+	0xc3, 0xc2, 0x52, 0xb9, 0x50, 0xe9, 0x65, 0x4c, 0x8d, 0x53, 0x3d, 0x64, 0x73, 0x53, 0x26, 0x2c,
+	0xa8, 0x88, 0x86, 0xaa, 0x54, 0x45, 0xac, 0x0d, 0x39, 0x65, 0x27, 0xbb, 0xcd, 0xcd, 0xa6, 0xec,
+	0x24, 0xcc, 0x96, 0xa1, 0xf2, 0x56, 0x32, 0x54, 0x6f, 0x2c, 0x83, 0xff, 0x87, 0x03, 0xb5, 0x49,
+	0x97, 0x5b, 0xd5, 0x75, 0xde, 0xba, 0xba, 0x33, 0x95, 0x29, 0xdc, 0xae, 0x32, 0x77, 0xa0, 0xcc,
+	0x05, 0x23, 0xd1, 0x48, 0x69, 0x54, 0xc4, 0xc6, 0x92, 0xef, 0xc9, 0x88, 0x0f, 0x94, 0x42, 0x0d,
+	0x2c, 0x8f, 0xbe, 0x0f, 0x8d, 0xf6, 0x58, 0x10, 0xbe, 0x4f, 0xb8, 0x5c, 0x2e, 0xa4, 0xb6, 0xfd,
+	0x48, 0x44, 0xea, 0x1e, 0x0d, 0xac, 0xce, 0xfe, 0x3d, 0x40, 0x7b, 0x31, 0x17, 0x2f, 0xd4, 0xa6,
+	0xc8, 0x17, 0xed, 0x81, 0x45, 0x6b, 0x0f, 0x3c, 0x80, 0x77, 0x66, 0xd0, 0xe6, 0x95, 0xfa, 0xf2,
+	0xdc, 0x26, 0xf8, 0xc9, 0xfc, 0xab, 0xa1, 0x16, 0xd2, 0x40, 0x07, 0xce, 0x2e, 0x84, 0x9b, 0xff,
+	0x14, 0xa1, 0xb2, 0xad, 0x77, 0x6d, 0xf4, 0x1c, 0x6a, 0x93, 0x45, 0x13, 0xf9, 0xf3, 0x34, 0xe7,
+	0x37, 0x56, 0xef, 0xe3, 0x4b, 0x31, 0x26, 0xbf, 0xaf, 0x61, 0x49, 0xad, 0xbe, 0x68, 0xc1, 0x33,
+	0x68, 0xef, 0xc4, 0xde, 0xe5, 0x2b, 0xec, 0x86, 0x23, 0x99, 0xd4, 0x0c, 0x59, 0xc4, 0x64, 0x2f,
+	0x1b, 0xde, 0xfa, 0x15, 0xc3, 0x07, 0xed, 0x43, 0xd9, 0xfc, 0x9c, 0x17, 0x41, 0xed, 0x49, 0xe1,
+	0x35, 0x2f, 0x06, 0x68, 0xb2, 0x0d, 0x07, 0xed, 0x4f, 0x36, 0xa9, 0x45, 0xa9, 0xd9, 0x6d, 0xe0,
+	0x5d, 0xf1, 0xff, 0x96, 0xb3, 0xe1, 0xa0, 0xef, 0xa1, 0x6e, 0x09, 0x8d, 0x16, 0x08, 0x3a, 0xdf,
+	0x35, 0xde, 0xa7, 0x57, 0xa0, 0x74, 0xb2, 0xed, 0xc6, 0xeb, 0xb3, 0x35, 0xe7, 0xcf, 0xb3, 0x35,
+	0xe7, 0xef, 0xb3, 0x35, 0xa7, 0x5b, 0x56, 0x7d, 0xff, 0xd9, 0x7f, 0x01, 0x00, 0x00, 0xff, 0xff,
+	0xe1, 0xef, 0xcc, 0xf5, 0x6f, 0x0d, 0x00, 0x00,
+}
diff --git a/cli/vendor/github.com/moby/buildkit/api/services/control/control.proto b/cli/vendor/github.com/moby/buildkit/api/services/control/control.proto
new file mode 100644
index 00000000..8d61c7eb
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/api/services/control/control.proto
@@ -0,0 +1,121 @@
+syntax = "proto3";
+
+package moby.buildkit.v1;
+
+// The control API is currently considered experimental and may break in a backwards
+// incompatible way.
+
+import "github.com/gogo/protobuf/gogoproto/gogo.proto";
+import "google/protobuf/timestamp.proto";
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+import "github.com/moby/buildkit/api/types/worker.proto";
+
+option (gogoproto.sizer_all) = true;
+option (gogoproto.marshaler_all) = true;
+option (gogoproto.unmarshaler_all) = true;
+
+service Control {
+	rpc DiskUsage(DiskUsageRequest) returns (DiskUsageResponse);
+	rpc Prune(PruneRequest) returns (stream UsageRecord);
+	rpc Solve(SolveRequest) returns (SolveResponse);
+	rpc Status(StatusRequest) returns (stream StatusResponse);
+	rpc Session(stream BytesMessage) returns (stream BytesMessage);
+	rpc ListWorkers(ListWorkersRequest) returns (ListWorkersResponse);
+	// rpc Info(InfoRequest) returns (InfoResponse);
+}
+
+message PruneRequest {
+	// TODO: filter
+}
+
+message DiskUsageRequest {
+	string filter = 1; // FIXME: this should be containerd-compatible repeated string?
+}
+
+message DiskUsageResponse {
+	repeated UsageRecord record = 1;
+}
+
+message UsageRecord {
+	string ID = 1;
+	bool Mutable = 2;
+	bool InUse = 3;
+	int64 Size = 4;
+	string Parent = 5;
+	google.protobuf.Timestamp CreatedAt = 6 [(gogoproto.stdtime) = true, (gogoproto.nullable) = false];
+	google.protobuf.Timestamp LastUsedAt = 7 [(gogoproto.stdtime) = true];
+	int64 UsageCount = 8;
+	string Description = 9;
+}
+
+message SolveRequest {
+	string Ref = 1;
+	pb.Definition Definition = 2;
+	string Exporter = 3;
+	map<string, string> ExporterAttrs = 4;
+	string Session = 5;
+	string Frontend = 6;
+	map<string, string> FrontendAttrs = 7;
+	CacheOptions Cache = 8 [(gogoproto.nullable) = false];
+}
+
+message CacheOptions {
+	string ExportRef = 1;
+	repeated string ImportRefs = 2;
+	map<string, string> ExportAttrs = 3;
+}
+
+message SolveResponse {
+	map<string, string> ExporterResponse = 1;
+}
+
+message StatusRequest {
+	string Ref = 1;
+}
+
+message StatusResponse {
+	repeated Vertex vertexes = 1;
+	repeated VertexStatus statuses = 2;
+	repeated VertexLog logs = 3;
+}
+
+message Vertex {
+	string digest = 1 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	repeated string inputs = 2 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	string name = 3;
+	bool cached = 4;
+	google.protobuf.Timestamp started = 5 [(gogoproto.stdtime) = true ];
+	google.protobuf.Timestamp completed = 6 [(gogoproto.stdtime) = true ];
+	string error = 7; // typed errors?
+}
+
+message VertexStatus {
+	string ID = 1;
+	string vertex = 2 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	string name = 3;
+	int64 current = 4;
+	int64 total = 5;
+	// TODO: add started, completed
+	google.protobuf.Timestamp timestamp = 6 [(gogoproto.stdtime) = true, (gogoproto.nullable) = false];
+	google.protobuf.Timestamp started = 7 [(gogoproto.stdtime) = true ];
+	google.protobuf.Timestamp completed = 8 [(gogoproto.stdtime) = true ];
+}
+
+message VertexLog {
+	string vertex = 1 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	google.protobuf.Timestamp timestamp = 2 [(gogoproto.stdtime) = true, (gogoproto.nullable) = false];
+	int64 stream = 3;
+	bytes msg = 4;
+}
+
+message BytesMessage {
+	bytes data = 1;
+}
+
+message ListWorkersRequest {
+	repeated string filter = 1; // containerd style
+}
+
+message ListWorkersResponse {
+	repeated moby.buildkit.v1.types.WorkerRecord record = 1;
+}
\ No newline at end of file
diff --git a/cli/vendor/github.com/moby/buildkit/api/services/control/generate.go b/cli/vendor/github.com/moby/buildkit/api/services/control/generate.go
new file mode 100644
index 00000000..1c161155
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/api/services/control/generate.go
@@ -0,0 +1,3 @@
+package moby_buildkit_v1
+
+//go:generate protoc -I=. -I=../../../vendor/ -I=../../../../../../ --gogo_out=plugins=grpc:. control.proto
diff --git a/cli/vendor/github.com/moby/buildkit/api/types/generate.go b/cli/vendor/github.com/moby/buildkit/api/types/generate.go
new file mode 100644
index 00000000..84007df1
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/api/types/generate.go
@@ -0,0 +1,3 @@
+package moby_buildkit_v1_types
+
+//go:generate protoc -I=. -I=../../vendor/ -I=../../../../../ --gogo_out=plugins=grpc:. worker.proto
diff --git a/cli/vendor/github.com/moby/buildkit/api/types/worker.pb.go b/cli/vendor/github.com/moby/buildkit/api/types/worker.pb.go
new file mode 100644
index 00000000..46c8538f
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/api/types/worker.pb.go
@@ -0,0 +1,523 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: worker.proto
+
+/*
+	Package moby_buildkit_v1_types is a generated protocol buffer package.
+
+	It is generated from these files:
+		worker.proto
+
+	It has these top-level messages:
+		WorkerRecord
+*/
+package moby_buildkit_v1_types
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+import _ "github.com/gogo/protobuf/gogoproto"
+import pb "github.com/moby/buildkit/solver/pb"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type WorkerRecord struct {
+	ID        string            `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	Labels    map[string]string `protobuf:"bytes,2,rep,name=Labels" json:"Labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Platforms []pb.Platform     `protobuf:"bytes,3,rep,name=platforms" json:"platforms"`
+}
+
+func (m *WorkerRecord) Reset()                    { *m = WorkerRecord{} }
+func (m *WorkerRecord) String() string            { return proto.CompactTextString(m) }
+func (*WorkerRecord) ProtoMessage()               {}
+func (*WorkerRecord) Descriptor() ([]byte, []int) { return fileDescriptorWorker, []int{0} }
+
+func (m *WorkerRecord) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+func (m *WorkerRecord) GetLabels() map[string]string {
+	if m != nil {
+		return m.Labels
+	}
+	return nil
+}
+
+func (m *WorkerRecord) GetPlatforms() []pb.Platform {
+	if m != nil {
+		return m.Platforms
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*WorkerRecord)(nil), "moby.buildkit.v1.types.WorkerRecord")
+}
+func (m *WorkerRecord) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *WorkerRecord) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintWorker(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	if len(m.Labels) > 0 {
+		for k, _ := range m.Labels {
+			dAtA[i] = 0x12
+			i++
+			v := m.Labels[k]
+			mapSize := 1 + len(k) + sovWorker(uint64(len(k))) + 1 + len(v) + sovWorker(uint64(len(v)))
+			i = encodeVarintWorker(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintWorker(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintWorker(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.Platforms) > 0 {
+		for _, msg := range m.Platforms {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintWorker(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeVarintWorker(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *WorkerRecord) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovWorker(uint64(l))
+	}
+	if len(m.Labels) > 0 {
+		for k, v := range m.Labels {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovWorker(uint64(len(k))) + 1 + len(v) + sovWorker(uint64(len(v)))
+			n += mapEntrySize + 1 + sovWorker(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Platforms) > 0 {
+		for _, e := range m.Platforms {
+			l = e.Size()
+			n += 1 + l + sovWorker(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovWorker(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozWorker(x uint64) (n int) {
+	return sovWorker(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *WorkerRecord) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowWorker
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: WorkerRecord: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: WorkerRecord: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWorker
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthWorker
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Labels", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWorker
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthWorker
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Labels == nil {
+				m.Labels = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowWorker
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowWorker
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthWorker
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowWorker
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthWorker
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipWorker(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthWorker
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Labels[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Platforms", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWorker
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthWorker
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Platforms = append(m.Platforms, pb.Platform{})
+			if err := m.Platforms[len(m.Platforms)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipWorker(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthWorker
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipWorker(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowWorker
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowWorker
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowWorker
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthWorker
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowWorker
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipWorker(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthWorker = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowWorker   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("worker.proto", fileDescriptorWorker) }
+
+var fileDescriptorWorker = []byte{
+	// 273 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x8f, 0x41, 0x4b, 0xf3, 0x40,
+	0x10, 0x86, 0xbf, 0x4d, 0x3e, 0x0b, 0xdd, 0x06, 0x91, 0x45, 0x24, 0xe4, 0x10, 0x8b, 0xa7, 0x1e,
+	0x74, 0xb6, 0xea, 0x45, 0x3d, 0x96, 0x0a, 0x16, 0x3c, 0x48, 0x2e, 0x9e, 0xb3, 0xed, 0x36, 0x86,
+	0x24, 0xce, 0xb2, 0xd9, 0x44, 0xf2, 0x0f, 0x7b, 0xf4, 0xe2, 0x55, 0x24, 0xbf, 0x44, 0xba, 0x89,
+	0x98, 0x83, 0xb7, 0x79, 0x87, 0x67, 0x1e, 0xde, 0xa1, 0xde, 0x1b, 0xea, 0x4c, 0x6a, 0x50, 0x1a,
+	0x0d, 0xb2, 0x93, 0x02, 0x45, 0x03, 0xa2, 0x4a, 0xf3, 0x4d, 0x96, 0x1a, 0xa8, 0x2f, 0xc1, 0x34,
+	0x4a, 0x96, 0xc1, 0x45, 0x92, 0x9a, 0x97, 0x4a, 0xc0, 0x1a, 0x0b, 0x9e, 0x60, 0x82, 0xdc, 0xe2,
+	0xa2, 0xda, 0xda, 0x64, 0x83, 0x9d, 0x3a, 0x4d, 0x70, 0x3e, 0xc0, 0xf7, 0x46, 0xfe, 0x63, 0xe4,
+	0x25, 0xe6, 0xb5, 0xd4, 0x5c, 0x09, 0x8e, 0xaa, 0xec, 0xe8, 0xb3, 0x0f, 0x42, 0xbd, 0x67, 0xdb,
+	0x22, 0x92, 0x6b, 0xd4, 0x1b, 0x76, 0x48, 0x9d, 0xd5, 0xd2, 0x27, 0x53, 0x32, 0x1b, 0x47, 0xce,
+	0x6a, 0xc9, 0x1e, 0xe8, 0xe8, 0x31, 0x16, 0x32, 0x2f, 0x7d, 0x67, 0xea, 0xce, 0x26, 0x57, 0x73,
+	0xf8, 0xbb, 0x26, 0x0c, 0x2d, 0xd0, 0x9d, 0xdc, 0xbf, 0x1a, 0xdd, 0x44, 0xfd, 0x3d, 0x9b, 0xd3,
+	0xb1, 0xca, 0x63, 0xb3, 0x45, 0x5d, 0x94, 0xbe, 0x6b, 0x65, 0x1e, 0x28, 0x01, 0x4f, 0xfd, 0x72,
+	0xf1, 0x7f, 0xf7, 0x79, 0xfa, 0x2f, 0xfa, 0x85, 0x82, 0x5b, 0x3a, 0x19, 0x88, 0xd8, 0x11, 0x75,
+	0x33, 0xd9, 0xf4, 0xdd, 0xf6, 0x23, 0x3b, 0xa6, 0x07, 0x75, 0x9c, 0x57, 0xd2, 0x77, 0xec, 0xae,
+	0x0b, 0x77, 0xce, 0x0d, 0x59, 0x78, 0xbb, 0x36, 0x24, 0xef, 0x6d, 0x48, 0xbe, 0xda, 0x90, 0x88,
+	0x91, 0x7d, 0xf6, 0xfa, 0x3b, 0x00, 0x00, 0xff, 0xff, 0xa9, 0x5c, 0x8f, 0x26, 0x71, 0x01, 0x00,
+	0x00,
+}
diff --git a/cli/vendor/github.com/moby/buildkit/api/types/worker.proto b/cli/vendor/github.com/moby/buildkit/api/types/worker.proto
new file mode 100644
index 00000000..b1376b74
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/api/types/worker.proto
@@ -0,0 +1,16 @@
+syntax = "proto3";
+
+package moby.buildkit.v1.types;
+
+import "github.com/gogo/protobuf/gogoproto/gogo.proto";
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+
+option (gogoproto.sizer_all) = true;
+option (gogoproto.marshaler_all) = true;
+option (gogoproto.unmarshaler_all) = true;
+
+message WorkerRecord {
+	string ID = 1;
+	map<string, string> Labels = 2;
+	repeated pb.Platform platforms = 3 [(gogoproto.nullable) = false];
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/client.go b/cli/vendor/github.com/moby/buildkit/client/client.go
new file mode 100644
index 00000000..403ed52a
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/client.go
@@ -0,0 +1,132 @@
+package client
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+
+	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/util/appdefaults"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+)
+
+type Client struct {
+	conn *grpc.ClientConn
+}
+
+type ClientOpt interface{}
+
+// New returns a new buildkit client. Address can be empty for the system-default address.
+func New(ctx context.Context, address string, opts ...ClientOpt) (*Client, error) {
+	gopts := []grpc.DialOption{
+		grpc.WithDialer(dialer),
+		grpc.FailOnNonTempDialError(true),
+	}
+	needWithInsecure := true
+	for _, o := range opts {
+		if _, ok := o.(*withBlockOpt); ok {
+			gopts = append(gopts, grpc.WithBlock(), grpc.FailOnNonTempDialError(true))
+		}
+		if credInfo, ok := o.(*withCredentials); ok {
+			opt, err := loadCredentials(credInfo)
+			if err != nil {
+				return nil, err
+			}
+			gopts = append(gopts, opt)
+			needWithInsecure = false
+		}
+		if wt, ok := o.(*withTracer); ok {
+			gopts = append(gopts,
+				grpc.WithUnaryInterceptor(otgrpc.OpenTracingClientInterceptor(wt.tracer, otgrpc.LogPayloads())),
+				grpc.WithStreamInterceptor(otgrpc.OpenTracingStreamClientInterceptor(wt.tracer)))
+		}
+	}
+	if needWithInsecure {
+		gopts = append(gopts, grpc.WithInsecure())
+	}
+	if address == "" {
+		address = appdefaults.Address
+	}
+
+	conn, err := grpc.DialContext(ctx, address, gopts...)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to dial %q . make sure buildkitd is running", address)
+	}
+	c := &Client{
+		conn: conn,
+	}
+	return c, nil
+}
+
+func (c *Client) controlClient() controlapi.ControlClient {
+	return controlapi.NewControlClient(c.conn)
+}
+
+func (c *Client) Close() error {
+	return c.conn.Close()
+}
+
+type withBlockOpt struct{}
+
+func WithBlock() ClientOpt {
+	return &withBlockOpt{}
+}
+
+type withCredentials struct {
+	ServerName string
+	CACert     string
+	Cert       string
+	Key        string
+}
+
+// WithCredentials configures the TLS parameters of the client.
+// Arguments:
+// * serverName: specifies the name of the target server
+// * ca:				 specifies the filepath of the CA certificate to use for verification
+// * cert:			 specifies the filepath of the client certificate
+// * key:				 specifies the filepath of the client key
+func WithCredentials(serverName, ca, cert, key string) ClientOpt {
+	return &withCredentials{serverName, ca, cert, key}
+}
+
+func loadCredentials(opts *withCredentials) (grpc.DialOption, error) {
+	ca, err := ioutil.ReadFile(opts.CACert)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not read ca certificate")
+	}
+
+	certPool := x509.NewCertPool()
+	if ok := certPool.AppendCertsFromPEM(ca); !ok {
+		return nil, errors.New("failed to append ca certs")
+	}
+
+	cfg := &tls.Config{
+		ServerName: opts.ServerName,
+		RootCAs:    certPool,
+	}
+
+	// we will produce an error if the user forgot about either cert or key if at least one is specified
+	if opts.Cert != "" || opts.Key != "" {
+		cert, err := tls.LoadX509KeyPair(opts.Cert, opts.Key)
+		if err != nil {
+			return nil, errors.Wrap(err, "could not read certificate/key")
+		}
+		cfg.Certificates = []tls.Certificate{cert}
+		cfg.BuildNameToCertificate()
+	}
+
+	return grpc.WithTransportCredentials(credentials.NewTLS(cfg)), nil
+}
+
+func WithTracer(t opentracing.Tracer) ClientOpt {
+	return &withTracer{t}
+}
+
+type withTracer struct {
+	tracer opentracing.Tracer
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/client_unix.go b/cli/vendor/github.com/moby/buildkit/client/client_unix.go
new file mode 100644
index 00000000..93afb956
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/client_unix.go
@@ -0,0 +1,19 @@
+// +build !windows
+
+package client
+
+import (
+	"net"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+func dialer(address string, timeout time.Duration) (net.Conn, error) {
+	addrParts := strings.SplitN(address, "://", 2)
+	if len(addrParts) != 2 {
+		return nil, errors.Errorf("invalid address %s", address)
+	}
+	return net.DialTimeout(addrParts[0], addrParts[1], timeout)
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/client_windows.go b/cli/vendor/github.com/moby/buildkit/client/client_windows.go
new file mode 100644
index 00000000..75905f52
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/client_windows.go
@@ -0,0 +1,24 @@
+package client
+
+import (
+	"net"
+	"strings"
+	"time"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/pkg/errors"
+)
+
+func dialer(address string, timeout time.Duration) (net.Conn, error) {
+	addrParts := strings.SplitN(address, "://", 2)
+	if len(addrParts) != 2 {
+		return nil, errors.Errorf("invalid address %s", address)
+	}
+	switch addrParts[0] {
+	case "npipe":
+		address = strings.Replace(addrParts[1], "/", "\\", 0)
+		return winio.DialPipe(address, &timeout)
+	default:
+		return net.DialTimeout(addrParts[0], addrParts[1], timeout)
+	}
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/diskusage.go b/cli/vendor/github.com/moby/buildkit/client/diskusage.go
new file mode 100644
index 00000000..5ed50432
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/diskusage.go
@@ -0,0 +1,73 @@
+package client
+
+import (
+	"context"
+	"sort"
+	"time"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/pkg/errors"
+)
+
+type UsageInfo struct {
+	ID      string
+	Mutable bool
+	InUse   bool
+	Size    int64
+
+	CreatedAt   time.Time
+	LastUsedAt  *time.Time
+	UsageCount  int
+	Parent      string
+	Description string
+}
+
+func (c *Client) DiskUsage(ctx context.Context, opts ...DiskUsageOption) ([]*UsageInfo, error) {
+	info := &DiskUsageInfo{}
+	for _, o := range opts {
+		o(info)
+	}
+
+	req := &controlapi.DiskUsageRequest{Filter: info.Filter}
+	resp, err := c.controlClient().DiskUsage(ctx, req)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to call diskusage")
+	}
+
+	var du []*UsageInfo
+
+	for _, d := range resp.Record {
+		du = append(du, &UsageInfo{
+			ID:          d.ID,
+			Mutable:     d.Mutable,
+			InUse:       d.InUse,
+			Size:        d.Size_,
+			Parent:      d.Parent,
+			CreatedAt:   d.CreatedAt,
+			Description: d.Description,
+			UsageCount:  int(d.UsageCount),
+			LastUsedAt:  d.LastUsedAt,
+		})
+	}
+
+	sort.Slice(du, func(i, j int) bool {
+		if du[i].Size == du[j].Size {
+			return du[i].ID > du[j].ID
+		}
+		return du[i].Size > du[j].Size
+	})
+
+	return du, nil
+}
+
+type DiskUsageOption func(*DiskUsageInfo)
+
+type DiskUsageInfo struct {
+	Filter string
+}
+
+func WithFilter(f string) DiskUsageOption {
+	return func(di *DiskUsageInfo) {
+		di.Filter = f
+	}
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/exporters.go b/cli/vendor/github.com/moby/buildkit/client/exporters.go
new file mode 100644
index 00000000..4160d92a
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/exporters.go
@@ -0,0 +1,8 @@
+package client
+
+const (
+	ExporterImage  = "image"
+	ExporterLocal  = "local"
+	ExporterOCI    = "oci"
+	ExporterDocker = "docker"
+)
diff --git a/cli/vendor/github.com/moby/buildkit/client/graph.go b/cli/vendor/github.com/moby/buildkit/client/graph.go
new file mode 100644
index 00000000..141a393c
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/graph.go
@@ -0,0 +1,45 @@
+package client
+
+import (
+	"time"
+
+	digest "github.com/opencontainers/go-digest"
+)
+
+type Vertex struct {
+	Digest    digest.Digest
+	Inputs    []digest.Digest
+	Name      string
+	Started   *time.Time
+	Completed *time.Time
+	Cached    bool
+	Error     string
+}
+
+type VertexStatus struct {
+	ID        string
+	Vertex    digest.Digest
+	Name      string
+	Total     int64
+	Current   int64
+	Timestamp time.Time
+	Started   *time.Time
+	Completed *time.Time
+}
+
+type VertexLog struct {
+	Vertex    digest.Digest
+	Stream    int
+	Data      []byte
+	Timestamp time.Time
+}
+
+type SolveStatus struct {
+	Vertexes []*Vertex
+	Statuses []*VertexStatus
+	Logs     []*VertexLog
+}
+
+type SolveResponse struct {
+	ExporterResponse map[string]string
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/llb/exec.go b/cli/vendor/github.com/moby/buildkit/client/llb/exec.go
new file mode 100644
index 00000000..9dec170f
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/llb/exec.go
@@ -0,0 +1,409 @@
+package llb
+
+import (
+	_ "crypto/sha256"
+	"sort"
+
+	"github.com/moby/buildkit/solver/pb"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+type Meta struct {
+	Args     []string
+	Env      EnvList
+	Cwd      string
+	User     string
+	ProxyEnv *ProxyEnv
+}
+
+func NewExecOp(root Output, meta Meta, readOnly bool, c Constraints) *ExecOp {
+	e := &ExecOp{meta: meta, constraints: c}
+	rootMount := &mount{
+		target:   pb.RootMount,
+		source:   root,
+		readonly: readOnly,
+	}
+	e.mounts = append(e.mounts, rootMount)
+	if readOnly {
+		e.root = root
+	} else {
+		o := &output{vertex: e, getIndex: e.getMountIndexFn(rootMount)}
+		if p := c.Platform; p != nil {
+			o.platform = p
+		}
+		e.root = o
+	}
+	rootMount.output = e.root
+	return e
+}
+
+type mount struct {
+	target       string
+	readonly     bool
+	source       Output
+	output       Output
+	selector     string
+	cacheID      string
+	tmpfs        bool
+	cacheSharing CacheMountSharingMode
+	// hasOutput bool
+}
+
+type ExecOp struct {
+	MarshalCache
+	root        Output
+	mounts      []*mount
+	meta        Meta
+	constraints Constraints
+	isValidated bool
+}
+
+func (e *ExecOp) AddMount(target string, source Output, opt ...MountOption) Output {
+	m := &mount{
+		target: target,
+		source: source,
+	}
+	for _, o := range opt {
+		o(m)
+	}
+	e.mounts = append(e.mounts, m)
+	if m.readonly {
+		m.output = source
+	} else if m.tmpfs {
+		m.output = &output{vertex: e, err: errors.Errorf("tmpfs mount for %s can't be used as a parent", target)}
+	} else {
+		o := &output{vertex: e, getIndex: e.getMountIndexFn(m)}
+		if p := e.constraints.Platform; p != nil {
+			o.platform = p
+		}
+		m.output = o
+	}
+	e.Store(nil, nil, nil)
+	e.isValidated = false
+	return m.output
+}
+
+func (e *ExecOp) GetMount(target string) Output {
+	for _, m := range e.mounts {
+		if m.target == target {
+			return m.output
+		}
+	}
+	return nil
+}
+
+func (e *ExecOp) Validate() error {
+	if e.isValidated {
+		return nil
+	}
+	if len(e.meta.Args) == 0 {
+		return errors.Errorf("arguments are required")
+	}
+	if e.meta.Cwd == "" {
+		return errors.Errorf("working directory is required")
+	}
+	for _, m := range e.mounts {
+		if m.source != nil {
+			if err := m.source.Vertex().Validate(); err != nil {
+				return err
+			}
+		}
+	}
+	e.isValidated = true
+	return nil
+}
+
+func (e *ExecOp) Marshal(c *Constraints) (digest.Digest, []byte, *pb.OpMetadata, error) {
+	if e.Cached(c) {
+		return e.Load()
+	}
+	if err := e.Validate(); err != nil {
+		return "", nil, nil, err
+	}
+	// make sure mounts are sorted
+	sort.Slice(e.mounts, func(i, j int) bool {
+		return e.mounts[i].target < e.mounts[j].target
+	})
+
+	peo := &pb.ExecOp{
+		Meta: &pb.Meta{
+			Args: e.meta.Args,
+			Env:  e.meta.Env.ToArray(),
+			Cwd:  e.meta.Cwd,
+			User: e.meta.User,
+		},
+	}
+
+	if p := e.meta.ProxyEnv; p != nil {
+		peo.Meta.ProxyEnv = &pb.ProxyEnv{
+			HttpProxy:  p.HttpProxy,
+			HttpsProxy: p.HttpsProxy,
+			FtpProxy:   p.FtpProxy,
+			NoProxy:    p.NoProxy,
+		}
+	}
+
+	pop, md := MarshalConstraints(c, &e.constraints)
+	pop.Op = &pb.Op_Exec{
+		Exec: peo,
+	}
+
+	outIndex := 0
+	for _, m := range e.mounts {
+		inputIndex := pb.InputIndex(len(pop.Inputs))
+		if m.source != nil {
+			if m.tmpfs {
+				return "", nil, nil, errors.Errorf("tmpfs mounts must use scratch")
+			}
+			inp, err := m.source.ToInput(c)
+			if err != nil {
+				return "", nil, nil, err
+			}
+
+			newInput := true
+
+			for i, inp2 := range pop.Inputs {
+				if *inp == *inp2 {
+					inputIndex = pb.InputIndex(i)
+					newInput = false
+					break
+				}
+			}
+
+			if newInput {
+				pop.Inputs = append(pop.Inputs, inp)
+			}
+		} else {
+			inputIndex = pb.Empty
+		}
+
+		outputIndex := pb.OutputIndex(-1)
+		if !m.readonly && m.cacheID == "" && !m.tmpfs {
+			outputIndex = pb.OutputIndex(outIndex)
+			outIndex++
+		}
+
+		pm := &pb.Mount{
+			Input:    inputIndex,
+			Dest:     m.target,
+			Readonly: m.readonly,
+			Output:   outputIndex,
+			Selector: m.selector,
+		}
+		if m.cacheID != "" {
+			pm.MountType = pb.MountType_CACHE
+			pm.CacheOpt = &pb.CacheOpt{
+				ID: m.cacheID,
+			}
+			switch m.cacheSharing {
+			case CacheMountShared:
+				pm.CacheOpt.Sharing = pb.CacheSharingOpt_SHARED
+			case CacheMountPrivate:
+				pm.CacheOpt.Sharing = pb.CacheSharingOpt_PRIVATE
+			case CacheMountLocked:
+				pm.CacheOpt.Sharing = pb.CacheSharingOpt_LOCKED
+			}
+		}
+		if m.tmpfs {
+			pm.MountType = pb.MountType_TMPFS
+		}
+		peo.Mounts = append(peo.Mounts, pm)
+	}
+
+	dt, err := pop.Marshal()
+	if err != nil {
+		return "", nil, nil, err
+	}
+	e.Store(dt, md, c)
+	return e.Load()
+}
+
+func (e *ExecOp) Output() Output {
+	return e.root
+}
+
+func (e *ExecOp) Inputs() (inputs []Output) {
+	mm := map[Output]struct{}{}
+	for _, m := range e.mounts {
+		if m.source != nil {
+			mm[m.source] = struct{}{}
+		}
+	}
+	for o := range mm {
+		inputs = append(inputs, o)
+	}
+	return
+}
+
+func (e *ExecOp) getMountIndexFn(m *mount) func() (pb.OutputIndex, error) {
+	return func() (pb.OutputIndex, error) {
+		// make sure mounts are sorted
+		sort.Slice(e.mounts, func(i, j int) bool {
+			return e.mounts[i].target < e.mounts[j].target
+		})
+
+		i := 0
+		for _, m2 := range e.mounts {
+			if m2.readonly || m2.cacheID != "" {
+				continue
+			}
+			if m == m2 {
+				return pb.OutputIndex(i), nil
+			}
+			i++
+		}
+		return pb.OutputIndex(0), errors.Errorf("invalid mount: %s", m.target)
+	}
+}
+
+type ExecState struct {
+	State
+	exec *ExecOp
+}
+
+func (e ExecState) AddMount(target string, source State, opt ...MountOption) State {
+	return source.WithOutput(e.exec.AddMount(target, source.Output(), opt...))
+}
+
+func (e ExecState) GetMount(target string) State {
+	return NewState(e.exec.GetMount(target))
+}
+
+func (e ExecState) Root() State {
+	return e.State
+}
+
+type MountOption func(*mount)
+
+func Readonly(m *mount) {
+	m.readonly = true
+}
+
+func SourcePath(src string) MountOption {
+	return func(m *mount) {
+		m.selector = src
+	}
+}
+
+func AsPersistentCacheDir(id string, sharing CacheMountSharingMode) MountOption {
+	return func(m *mount) {
+		m.cacheID = id
+		m.cacheSharing = sharing
+	}
+}
+
+func Tmpfs() MountOption {
+	return func(m *mount) {
+		m.tmpfs = true
+	}
+}
+
+type RunOption interface {
+	SetRunOption(es *ExecInfo)
+}
+
+type runOptionFunc func(*ExecInfo)
+
+func (fn runOptionFunc) SetRunOption(ei *ExecInfo) {
+	fn(ei)
+}
+
+func Shlex(str string) RunOption {
+	return Shlexf(str)
+}
+func Shlexf(str string, v ...interface{}) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = shlexf(str, v...)(ei.State)
+	})
+}
+
+func Args(a []string) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = args(a...)(ei.State)
+	})
+}
+
+func AddEnv(key, value string) RunOption {
+	return AddEnvf(key, value)
+}
+
+func AddEnvf(key, value string, v ...interface{}) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.AddEnvf(key, value, v...)
+	})
+}
+
+func User(str string) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.User(str)
+	})
+}
+
+func Dir(str string) RunOption {
+	return Dirf(str)
+}
+func Dirf(str string, v ...interface{}) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.Dirf(str, v...)
+	})
+}
+
+func Reset(s State) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.Reset(s)
+	})
+}
+
+func With(so ...StateOption) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.With(so...)
+	})
+}
+
+func AddMount(dest string, mountState State, opts ...MountOption) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.Mounts = append(ei.Mounts, MountInfo{dest, mountState.Output(), opts})
+	})
+}
+
+func ReadonlyRootFS() RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.ReadonlyRootFS = true
+	})
+}
+
+func WithProxy(ps ProxyEnv) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.ProxyEnv = &ps
+	})
+}
+
+type ExecInfo struct {
+	constraintsWrapper
+	State          State
+	Mounts         []MountInfo
+	ReadonlyRootFS bool
+	ProxyEnv       *ProxyEnv
+}
+
+type MountInfo struct {
+	Target string
+	Source Output
+	Opts   []MountOption
+}
+
+type ProxyEnv struct {
+	HttpProxy  string
+	HttpsProxy string
+	FtpProxy   string
+	NoProxy    string
+}
+
+type CacheMountSharingMode int
+
+const (
+	CacheMountShared CacheMountSharingMode = iota
+	CacheMountPrivate
+	CacheMountLocked
+)
diff --git a/cli/vendor/github.com/moby/buildkit/client/llb/marshal.go b/cli/vendor/github.com/moby/buildkit/client/llb/marshal.go
new file mode 100644
index 00000000..65a352fa
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/llb/marshal.go
@@ -0,0 +1,112 @@
+package llb
+
+import (
+	"io"
+	"io/ioutil"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/moby/buildkit/solver/pb"
+	digest "github.com/opencontainers/go-digest"
+)
+
+// Definition is the LLB definition structure with per-vertex metadata entries
+// Corresponds to the Definition structure defined in solver/pb.Definition.
+type Definition struct {
+	Def      [][]byte
+	Metadata map[digest.Digest]pb.OpMetadata
+}
+
+func (def *Definition) ToPB() *pb.Definition {
+	md := make(map[digest.Digest]pb.OpMetadata)
+	for k, v := range def.Metadata {
+		md[k] = v
+	}
+	return &pb.Definition{
+		Def:      def.Def,
+		Metadata: md,
+	}
+}
+
+func (def *Definition) FromPB(x *pb.Definition) {
+	def.Def = x.Def
+	def.Metadata = make(map[digest.Digest]pb.OpMetadata)
+	for k, v := range x.Metadata {
+		def.Metadata[k] = v
+	}
+}
+
+func WriteTo(def *Definition, w io.Writer) error {
+	b, err := def.ToPB().Marshal()
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(b)
+	return err
+}
+
+func ReadFrom(r io.Reader) (*Definition, error) {
+	b, err := ioutil.ReadAll(r)
+	if err != nil {
+		return nil, err
+	}
+	var pbDef pb.Definition
+	if err := pbDef.Unmarshal(b); err != nil {
+		return nil, err
+	}
+	var def Definition
+	def.FromPB(&pbDef)
+	return &def, nil
+}
+
+func MarshalConstraints(base, override *Constraints) (*pb.Op, *pb.OpMetadata) {
+	c := *base
+	c.WorkerConstraints = append([]string{}, c.WorkerConstraints...)
+
+	if p := override.Platform; p != nil {
+		c.Platform = p
+	}
+
+	for _, wc := range override.WorkerConstraints {
+		c.WorkerConstraints = append(c.WorkerConstraints, wc)
+	}
+
+	c.Metadata = mergeMetadata(c.Metadata, override.Metadata)
+
+	if c.Platform == nil {
+		defaultPlatform := platforms.Normalize(platforms.DefaultSpec())
+		c.Platform = &defaultPlatform
+	}
+
+	return &pb.Op{
+		Platform: &pb.Platform{
+			OS:           c.Platform.OS,
+			Architecture: c.Platform.Architecture,
+			Variant:      c.Platform.Variant,
+			OSVersion:    c.Platform.OSVersion,
+			OSFeatures:   c.Platform.OSFeatures,
+		},
+		Constraints: &pb.WorkerConstraints{
+			Filter: c.WorkerConstraints,
+		},
+	}, &c.Metadata
+}
+
+type MarshalCache struct {
+	digest      digest.Digest
+	dt          []byte
+	md          *pb.OpMetadata
+	constraints *Constraints
+}
+
+func (mc *MarshalCache) Cached(c *Constraints) bool {
+	return mc.dt != nil && mc.constraints == c
+}
+func (mc *MarshalCache) Load() (digest.Digest, []byte, *pb.OpMetadata, error) {
+	return mc.digest, mc.dt, mc.md, nil
+}
+func (mc *MarshalCache) Store(dt []byte, md *pb.OpMetadata, c *Constraints) {
+	mc.digest = digest.FromBytes(dt)
+	mc.dt = dt
+	mc.md = md
+	mc.constraints = c
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/llb/meta.go b/cli/vendor/github.com/moby/buildkit/client/llb/meta.go
new file mode 100644
index 00000000..22aea097
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/llb/meta.go
@@ -0,0 +1,170 @@
+package llb
+
+import (
+	"fmt"
+	"path"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/google/shlex"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type contextKeyT string
+
+var (
+	keyArgs     = contextKeyT("llb.exec.args")
+	keyDir      = contextKeyT("llb.exec.dir")
+	keyEnv      = contextKeyT("llb.exec.env")
+	keyUser     = contextKeyT("llb.exec.user")
+	keyPlatform = contextKeyT("llb.platform")
+)
+
+func addEnv(key, value string) StateOption {
+	return addEnvf(key, value)
+}
+
+func addEnvf(key, value string, v ...interface{}) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyEnv, getEnv(s).AddOrReplace(key, fmt.Sprintf(value, v...)))
+	}
+}
+
+func dir(str string) StateOption {
+	return dirf(str)
+}
+
+func dirf(str string, v ...interface{}) StateOption {
+	return func(s State) State {
+		value := fmt.Sprintf(str, v...)
+		if !path.IsAbs(value) {
+			prev := getDir(s)
+			if prev == "" {
+				prev = "/"
+			}
+			value = path.Join(prev, value)
+		}
+		return s.WithValue(keyDir, value)
+	}
+}
+
+func user(str string) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyUser, str)
+	}
+}
+
+func reset(s_ State) StateOption {
+	return func(s State) State {
+		s = NewState(s.Output())
+		s.ctx = s_.ctx
+		return s
+	}
+}
+
+func getEnv(s State) EnvList {
+	v := s.Value(keyEnv)
+	if v != nil {
+		return v.(EnvList)
+	}
+	return EnvList{}
+}
+
+func getDir(s State) string {
+	v := s.Value(keyDir)
+	if v != nil {
+		return v.(string)
+	}
+	return ""
+}
+
+func getArgs(s State) []string {
+	v := s.Value(keyArgs)
+	if v != nil {
+		return v.([]string)
+	}
+	return nil
+}
+
+func getUser(s State) string {
+	v := s.Value(keyUser)
+	if v != nil {
+		return v.(string)
+	}
+	return ""
+}
+
+func args(args ...string) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyArgs, args)
+	}
+}
+
+func shlexf(str string, v ...interface{}) StateOption {
+	return func(s State) State {
+		arg, err := shlex.Split(fmt.Sprintf(str, v...))
+		if err != nil {
+			// TODO: handle error
+		}
+		return args(arg...)(s)
+	}
+}
+
+func platform(p specs.Platform) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyPlatform, platforms.Normalize(p))
+	}
+}
+
+func getPlatform(s State) *specs.Platform {
+	v := s.Value(keyPlatform)
+	if v != nil {
+		p := v.(specs.Platform)
+		return &p
+	}
+	return nil
+}
+
+type EnvList []KeyValue
+
+type KeyValue struct {
+	key   string
+	value string
+}
+
+func (e EnvList) AddOrReplace(k, v string) EnvList {
+	e = e.Delete(k)
+	e = append(e, KeyValue{key: k, value: v})
+	return e
+}
+
+func (e EnvList) Delete(k string) EnvList {
+	e = append([]KeyValue(nil), e...)
+	if i, ok := e.Index(k); ok {
+		return append(e[:i], e[i+1:]...)
+	}
+	return e
+}
+
+func (e EnvList) Get(k string) (string, bool) {
+	if index, ok := e.Index(k); ok {
+		return e[index].value, true
+	}
+	return "", false
+}
+
+func (e EnvList) Index(k string) (int, bool) {
+	for i, kv := range e {
+		if kv.key == k {
+			return i, true
+		}
+	}
+	return -1, false
+}
+
+func (e EnvList) ToArray() []string {
+	out := make([]string, 0, len(e))
+	for _, kv := range e {
+		out = append(out, kv.key+"="+kv.value)
+	}
+	return out
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/llb/resolver.go b/cli/vendor/github.com/moby/buildkit/client/llb/resolver.go
new file mode 100644
index 00000000..b539b115
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/llb/resolver.go
@@ -0,0 +1,18 @@
+package llb
+
+import (
+	"context"
+
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+func WithMetaResolver(mr ImageMetaResolver) ImageOption {
+	return ImageOptionFunc(func(ii *ImageInfo) {
+		ii.metaResolver = mr
+	})
+}
+
+type ImageMetaResolver interface {
+	ResolveImageConfig(ctx context.Context, ref string, platform *specs.Platform) (digest.Digest, []byte, error)
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/llb/source.go b/cli/vendor/github.com/moby/buildkit/client/llb/source.go
new file mode 100644
index 00000000..5b4aa9bf
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/llb/source.go
@@ -0,0 +1,363 @@
+package llb
+
+import (
+	"context"
+	_ "crypto/sha256"
+	"encoding/json"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/docker/distribution/reference"
+	"github.com/moby/buildkit/solver/pb"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+type SourceOp struct {
+	MarshalCache
+	id          string
+	attrs       map[string]string
+	output      Output
+	constraints Constraints
+	err         error
+}
+
+func NewSource(id string, attrs map[string]string, c Constraints) *SourceOp {
+	s := &SourceOp{
+		id:          id,
+		attrs:       attrs,
+		constraints: c,
+	}
+	s.output = &output{vertex: s, platform: c.Platform}
+	return s
+}
+
+func (s *SourceOp) Validate() error {
+	if s.err != nil {
+		return s.err
+	}
+	if s.id == "" {
+		return errors.Errorf("source identifier can't be empty")
+	}
+	return nil
+}
+
+func (s *SourceOp) Marshal(constraints *Constraints) (digest.Digest, []byte, *pb.OpMetadata, error) {
+	if s.Cached(constraints) {
+		return s.Load()
+	}
+	if err := s.Validate(); err != nil {
+		return "", nil, nil, err
+	}
+
+	if strings.HasPrefix(s.id, "local://") {
+		if _, hasSession := s.attrs[pb.AttrLocalSessionID]; !hasSession {
+			uid := s.constraints.LocalUniqueID
+			if uid == "" {
+				uid = constraints.LocalUniqueID
+			}
+			s.attrs[pb.AttrLocalUniqueID] = uid
+		}
+	}
+	proto, md := MarshalConstraints(constraints, &s.constraints)
+
+	proto.Op = &pb.Op_Source{
+		Source: &pb.SourceOp{Identifier: s.id, Attrs: s.attrs},
+	}
+	dt, err := proto.Marshal()
+	if err != nil {
+		return "", nil, nil, err
+	}
+
+	s.Store(dt, md, constraints)
+	return s.Load()
+}
+
+func (s *SourceOp) Output() Output {
+	return s.output
+}
+
+func (s *SourceOp) Inputs() []Output {
+	return nil
+}
+
+func Image(ref string, opts ...ImageOption) State {
+	r, err := reference.ParseNormalizedNamed(ref)
+	if err == nil {
+		ref = reference.TagNameOnly(r).String()
+	}
+	var info ImageInfo
+	for _, opt := range opts {
+		opt.SetImageOption(&info)
+	}
+	src := NewSource("docker-image://"+ref, nil, info.Constraints) // controversial
+	if err != nil {
+		src.err = err
+	}
+	if info.metaResolver != nil {
+		_, dt, err := info.metaResolver.ResolveImageConfig(context.TODO(), ref, info.Constraints.Platform)
+		if err != nil {
+			src.err = err
+		} else {
+			var img struct {
+				Config struct {
+					Env        []string `json:"Env,omitempty"`
+					WorkingDir string   `json:"WorkingDir,omitempty"`
+					User       string   `json:"User,omitempty"`
+				} `json:"config,omitempty"`
+			}
+			if err := json.Unmarshal(dt, &img); err != nil {
+				src.err = err
+			} else {
+				st := NewState(src.Output())
+				for _, env := range img.Config.Env {
+					parts := strings.SplitN(env, "=", 2)
+					if len(parts[0]) > 0 {
+						var v string
+						if len(parts) > 1 {
+							v = parts[1]
+						}
+						st = st.AddEnv(parts[0], v)
+					}
+				}
+				st = st.Dir(img.Config.WorkingDir)
+				return st
+			}
+		}
+	}
+	return NewState(src.Output())
+}
+
+type ImageOption interface {
+	SetImageOption(*ImageInfo)
+}
+
+type ImageOptionFunc func(*ImageInfo)
+
+func (fn ImageOptionFunc) SetImageOption(ii *ImageInfo) {
+	fn(ii)
+}
+
+type ImageInfo struct {
+	constraintsWrapper
+	metaResolver ImageMetaResolver
+}
+
+func Git(remote, ref string, opts ...GitOption) State {
+	url := ""
+
+	for _, prefix := range []string{
+		"http://", "https://", "git://", "git@",
+	} {
+		if strings.HasPrefix(remote, prefix) {
+			url = strings.Split(remote, "#")[0]
+			remote = strings.TrimPrefix(remote, prefix)
+		}
+	}
+
+	id := remote
+
+	if ref != "" {
+		id += "#" + ref
+	}
+
+	gi := &GitInfo{}
+	for _, o := range opts {
+		o.SetGitOption(gi)
+	}
+	attrs := map[string]string{}
+	if gi.KeepGitDir {
+		attrs[pb.AttrKeepGitDir] = "true"
+	}
+	if url != "" {
+		attrs[pb.AttrFullRemoteURL] = url
+	}
+	source := NewSource("git://"+id, attrs, gi.Constraints)
+	return NewState(source.Output())
+}
+
+type GitOption interface {
+	SetGitOption(*GitInfo)
+}
+type gitOptionFunc func(*GitInfo)
+
+func (fn gitOptionFunc) SetGitOption(gi *GitInfo) {
+	fn(gi)
+}
+
+type GitInfo struct {
+	constraintsWrapper
+	KeepGitDir bool
+}
+
+func KeepGitDir() GitOption {
+	return gitOptionFunc(func(gi *GitInfo) {
+		gi.KeepGitDir = true
+	})
+}
+
+func Scratch() State {
+	return NewState(nil)
+}
+
+func Local(name string, opts ...LocalOption) State {
+	gi := &LocalInfo{}
+
+	for _, o := range opts {
+		o.SetLocalOption(gi)
+	}
+	attrs := map[string]string{}
+	if gi.SessionID != "" {
+		attrs[pb.AttrLocalSessionID] = gi.SessionID
+	}
+	if gi.IncludePatterns != "" {
+		attrs[pb.AttrIncludePatterns] = gi.IncludePatterns
+	}
+	if gi.FollowPaths != "" {
+		attrs[pb.AttrFollowPaths] = gi.FollowPaths
+	}
+	if gi.ExcludePatterns != "" {
+		attrs[pb.AttrExcludePatterns] = gi.ExcludePatterns
+	}
+	if gi.SharedKeyHint != "" {
+		attrs[pb.AttrSharedKeyHint] = gi.SharedKeyHint
+	}
+
+	source := NewSource("local://"+name, attrs, gi.Constraints)
+	return NewState(source.Output())
+}
+
+type LocalOption interface {
+	SetLocalOption(*LocalInfo)
+}
+
+type localOptionFunc func(*LocalInfo)
+
+func (fn localOptionFunc) SetLocalOption(li *LocalInfo) {
+	fn(li)
+}
+
+func SessionID(id string) LocalOption {
+	return localOptionFunc(func(li *LocalInfo) {
+		li.SessionID = id
+	})
+}
+
+func IncludePatterns(p []string) LocalOption {
+	return localOptionFunc(func(li *LocalInfo) {
+		if len(p) == 0 {
+			li.IncludePatterns = ""
+			return
+		}
+		dt, _ := json.Marshal(p) // empty on error
+		li.IncludePatterns = string(dt)
+	})
+}
+
+func FollowPaths(p []string) LocalOption {
+	return localOptionFunc(func(li *LocalInfo) {
+		if len(p) == 0 {
+			li.FollowPaths = ""
+			return
+		}
+		dt, _ := json.Marshal(p) // empty on error
+		li.FollowPaths = string(dt)
+	})
+}
+
+func ExcludePatterns(p []string) LocalOption {
+	return localOptionFunc(func(li *LocalInfo) {
+		if len(p) == 0 {
+			li.ExcludePatterns = ""
+			return
+		}
+		dt, _ := json.Marshal(p) // empty on error
+		li.ExcludePatterns = string(dt)
+	})
+}
+
+func SharedKeyHint(h string) LocalOption {
+	return localOptionFunc(func(li *LocalInfo) {
+		li.SharedKeyHint = h
+	})
+}
+
+type LocalInfo struct {
+	constraintsWrapper
+	SessionID       string
+	IncludePatterns string
+	ExcludePatterns string
+	FollowPaths     string
+	SharedKeyHint   string
+}
+
+func HTTP(url string, opts ...HTTPOption) State {
+	hi := &HTTPInfo{}
+	for _, o := range opts {
+		o.SetHTTPOption(hi)
+	}
+	attrs := map[string]string{}
+	if hi.Checksum != "" {
+		attrs[pb.AttrHTTPChecksum] = hi.Checksum.String()
+	}
+	if hi.Filename != "" {
+		attrs[pb.AttrHTTPFilename] = hi.Filename
+	}
+	if hi.Perm != 0 {
+		attrs[pb.AttrHTTPPerm] = "0" + strconv.FormatInt(int64(hi.Perm), 8)
+	}
+	if hi.UID != 0 {
+		attrs[pb.AttrHTTPUID] = strconv.Itoa(hi.UID)
+	}
+	if hi.UID != 0 {
+		attrs[pb.AttrHTTPGID] = strconv.Itoa(hi.GID)
+	}
+
+	source := NewSource(url, attrs, hi.Constraints)
+	return NewState(source.Output())
+}
+
+type HTTPInfo struct {
+	constraintsWrapper
+	Checksum digest.Digest
+	Filename string
+	Perm     int
+	UID      int
+	GID      int
+}
+
+type HTTPOption interface {
+	SetHTTPOption(*HTTPInfo)
+}
+
+type httpOptionFunc func(*HTTPInfo)
+
+func (fn httpOptionFunc) SetHTTPOption(hi *HTTPInfo) {
+	fn(hi)
+}
+
+func Checksum(dgst digest.Digest) HTTPOption {
+	return httpOptionFunc(func(hi *HTTPInfo) {
+		hi.Checksum = dgst
+	})
+}
+
+func Chmod(perm os.FileMode) HTTPOption {
+	return httpOptionFunc(func(hi *HTTPInfo) {
+		hi.Perm = int(perm) & 0777
+	})
+}
+
+func Filename(name string) HTTPOption {
+	return httpOptionFunc(func(hi *HTTPInfo) {
+		hi.Filename = name
+	})
+}
+
+func Chown(uid, gid int) HTTPOption {
+	return httpOptionFunc(func(hi *HTTPInfo) {
+		hi.UID = uid
+		hi.GID = gid
+	})
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/llb/state.go b/cli/vendor/github.com/moby/buildkit/client/llb/state.go
new file mode 100644
index 00000000..a0a98500
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/llb/state.go
@@ -0,0 +1,396 @@
+package llb
+
+import (
+	"context"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/system"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type StateOption func(State) State
+
+type Output interface {
+	ToInput(*Constraints) (*pb.Input, error)
+	Vertex() Vertex
+}
+
+type Vertex interface {
+	Validate() error
+	Marshal(*Constraints) (digest.Digest, []byte, *pb.OpMetadata, error)
+	Output() Output
+	Inputs() []Output
+}
+
+func NewState(o Output) State {
+	s := State{
+		out: o,
+		ctx: context.Background(),
+	}
+	s = dir("/")(s)
+	s = addEnv("PATH", system.DefaultPathEnv)(s)
+	s = s.ensurePlatform()
+	return s
+}
+
+type State struct {
+	out  Output
+	ctx  context.Context
+	opts []ConstraintsOpt
+}
+
+func (s State) ensurePlatform() State {
+	if o, ok := s.out.(interface {
+		Platform() *specs.Platform
+	}); ok {
+		if p := o.Platform(); p != nil {
+			s = platform(*p)(s)
+		}
+	}
+	return s
+}
+
+func (s State) WithValue(k, v interface{}) State {
+	return State{
+		out: s.out,
+		ctx: context.WithValue(s.ctx, k, v),
+	}
+}
+
+func (s State) Value(k interface{}) interface{} {
+	return s.ctx.Value(k)
+}
+
+func (s State) SetMarhalDefaults(co ...ConstraintsOpt) State {
+	s.opts = co
+	return s
+}
+
+func (s State) Marshal(co ...ConstraintsOpt) (*Definition, error) {
+	def := &Definition{
+		Metadata: make(map[digest.Digest]pb.OpMetadata, 0),
+	}
+	if s.Output() == nil {
+		return def, nil
+	}
+
+	defaultPlatform := platforms.Normalize(platforms.DefaultSpec())
+	c := &Constraints{
+		Platform:      &defaultPlatform,
+		LocalUniqueID: identity.NewID(),
+	}
+	for _, o := range append(s.opts, co...) {
+		o.SetConstraintsOption(c)
+	}
+
+	def, err := marshal(s.Output().Vertex(), def, map[digest.Digest]struct{}{}, map[Vertex]struct{}{}, c)
+	if err != nil {
+		return def, err
+	}
+	inp, err := s.Output().ToInput(c)
+	if err != nil {
+		return def, err
+	}
+	proto := &pb.Op{Inputs: []*pb.Input{inp}}
+	dt, err := proto.Marshal()
+	if err != nil {
+		return def, err
+	}
+	def.Def = append(def.Def, dt)
+	return def, nil
+}
+
+func marshal(v Vertex, def *Definition, cache map[digest.Digest]struct{}, vertexCache map[Vertex]struct{}, c *Constraints) (*Definition, error) {
+	if _, ok := vertexCache[v]; ok {
+		return def, nil
+	}
+	for _, inp := range v.Inputs() {
+		var err error
+		def, err = marshal(inp.Vertex(), def, cache, vertexCache, c)
+		if err != nil {
+			return def, err
+		}
+	}
+
+	dgst, dt, opMeta, err := v.Marshal(c)
+	if err != nil {
+		return def, err
+	}
+	vertexCache[v] = struct{}{}
+	if opMeta != nil {
+		def.Metadata[dgst] = mergeMetadata(def.Metadata[dgst], *opMeta)
+	}
+	if _, ok := cache[dgst]; ok {
+		return def, nil
+	}
+	def.Def = append(def.Def, dt)
+	cache[dgst] = struct{}{}
+	return def, nil
+}
+
+func (s State) Validate() error {
+	return s.Output().Vertex().Validate()
+}
+
+func (s State) Output() Output {
+	return s.out
+}
+
+func (s State) WithOutput(o Output) State {
+	s = State{
+		out: o,
+		ctx: s.ctx,
+	}
+	s = s.ensurePlatform()
+	return s
+}
+
+func (s State) Run(ro ...RunOption) ExecState {
+	ei := &ExecInfo{State: s}
+	if p := s.GetPlatform(); p != nil {
+		ei.Constraints.Platform = p
+	}
+	for _, o := range ro {
+		o.SetRunOption(ei)
+	}
+	meta := Meta{
+		Args:     getArgs(ei.State),
+		Cwd:      getDir(ei.State),
+		Env:      getEnv(ei.State),
+		User:     getUser(ei.State),
+		ProxyEnv: ei.ProxyEnv,
+	}
+
+	exec := NewExecOp(s.Output(), meta, ei.ReadonlyRootFS, ei.Constraints)
+	for _, m := range ei.Mounts {
+		exec.AddMount(m.Target, m.Source, m.Opts...)
+	}
+
+	return ExecState{
+		State: s.WithOutput(exec.Output()),
+		exec:  exec,
+	}
+}
+
+func (s State) AddEnv(key, value string) State {
+	return s.AddEnvf(key, value)
+}
+
+func (s State) AddEnvf(key, value string, v ...interface{}) State {
+	return addEnvf(key, value, v...)(s)
+}
+
+func (s State) Dir(str string) State {
+	return s.Dirf(str)
+}
+func (s State) Dirf(str string, v ...interface{}) State {
+	return dirf(str, v...)(s)
+}
+
+func (s State) GetEnv(key string) (string, bool) {
+	return getEnv(s).Get(key)
+}
+
+func (s State) GetDir() string {
+	return getDir(s)
+}
+
+func (s State) GetArgs() []string {
+	return getArgs(s)
+}
+
+func (s State) Reset(s2 State) State {
+	return reset(s2)(s)
+}
+
+func (s State) User(v string) State {
+	return user(v)(s)
+}
+
+func (s State) Platform(p specs.Platform) State {
+	return platform(p)(s)
+}
+
+func (s State) GetPlatform() *specs.Platform {
+	return getPlatform(s)
+}
+
+func (s State) With(so ...StateOption) State {
+	for _, o := range so {
+		s = o(s)
+	}
+	return s
+}
+
+type output struct {
+	vertex   Vertex
+	getIndex func() (pb.OutputIndex, error)
+	err      error
+	platform *specs.Platform
+}
+
+func (o *output) ToInput(c *Constraints) (*pb.Input, error) {
+	if o.err != nil {
+		return nil, o.err
+	}
+	var index pb.OutputIndex
+	if o.getIndex != nil {
+		var err error
+		index, err = o.getIndex()
+		if err != nil {
+			return nil, err
+		}
+	}
+	dgst, _, _, err := o.vertex.Marshal(c)
+	if err != nil {
+		return nil, err
+	}
+	return &pb.Input{Digest: dgst, Index: index}, nil
+}
+
+func (o *output) Vertex() Vertex {
+	return o.vertex
+}
+
+func (o *output) Platform() *specs.Platform {
+	return o.platform
+}
+
+type ConstraintsOpt interface {
+	SetConstraintsOption(*Constraints)
+	RunOption
+	LocalOption
+	HTTPOption
+	ImageOption
+	GitOption
+}
+
+type constraintsOptFunc func(m *Constraints)
+
+func (fn constraintsOptFunc) SetConstraintsOption(m *Constraints) {
+	fn(m)
+}
+
+func (fn constraintsOptFunc) SetRunOption(ei *ExecInfo) {
+	ei.applyConstraints(fn)
+}
+
+func (fn constraintsOptFunc) SetLocalOption(li *LocalInfo) {
+	li.applyConstraints(fn)
+}
+
+func (fn constraintsOptFunc) SetHTTPOption(hi *HTTPInfo) {
+	hi.applyConstraints(fn)
+}
+
+func (fn constraintsOptFunc) SetImageOption(ii *ImageInfo) {
+	ii.applyConstraints(fn)
+}
+
+func (fn constraintsOptFunc) SetGitOption(gi *GitInfo) {
+	gi.applyConstraints(fn)
+}
+
+func mergeMetadata(m1, m2 pb.OpMetadata) pb.OpMetadata {
+	if m2.IgnoreCache {
+		m1.IgnoreCache = true
+	}
+	if len(m2.Description) > 0 {
+		if m1.Description == nil {
+			m1.Description = make(map[string]string)
+		}
+		for k, v := range m2.Description {
+			m1.Description[k] = v
+		}
+	}
+	if m2.ExportCache != nil {
+		m1.ExportCache = m2.ExportCache
+	}
+
+	return m1
+}
+
+var IgnoreCache = constraintsOptFunc(func(c *Constraints) {
+	c.Metadata.IgnoreCache = true
+})
+
+func WithDescription(m map[string]string) ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		c.Metadata.Description = m
+	})
+}
+
+// WithExportCache forces results for this vertex to be exported with the cache
+func WithExportCache() ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		c.Metadata.ExportCache = &pb.ExportCache{Value: true}
+	})
+}
+
+// WithoutExportCache sets results for this vertex to be not exported with
+// the cache
+func WithoutExportCache() ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		// ExportCache with value false means to disable exporting
+		c.Metadata.ExportCache = &pb.ExportCache{Value: false}
+	})
+}
+
+// WithoutDefaultExportCache resets the cache export for the vertex to use
+// the default defined by the build configuration.
+func WithoutDefaultExportCache() ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		// nil means no vertex based config has been set
+		c.Metadata.ExportCache = nil
+	})
+}
+
+type constraintsWrapper struct {
+	Constraints
+}
+
+func (cw *constraintsWrapper) applyConstraints(f func(c *Constraints)) {
+	f(&cw.Constraints)
+}
+
+type Constraints struct {
+	Platform          *specs.Platform
+	WorkerConstraints []string
+	Metadata          pb.OpMetadata
+	LocalUniqueID     string
+}
+
+func Platform(p specs.Platform) ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		c.Platform = &p
+	})
+}
+
+func LocalUniqueID(v string) ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		c.LocalUniqueID = v
+	})
+}
+
+var (
+	LinuxAmd64   = Platform(specs.Platform{OS: "linux", Architecture: "amd64"})
+	LinuxArmhf   = Platform(specs.Platform{OS: "linux", Architecture: "arm", Variant: "v7"})
+	LinuxArm     = LinuxArmhf
+	LinuxArmel   = Platform(specs.Platform{OS: "linux", Architecture: "arm", Variant: "v6"})
+	LinuxArm64   = Platform(specs.Platform{OS: "linux", Architecture: "arm64"})
+	LinuxS390x   = Platform(specs.Platform{OS: "linux", Architecture: "s390x"})
+	LinuxPpc64le = Platform(specs.Platform{OS: "linux", Architecture: "ppc64le"})
+	Darwin       = Platform(specs.Platform{OS: "darwin", Architecture: "amd64"})
+	Windows      = Platform(specs.Platform{OS: "windows", Architecture: "amd64"})
+)
+
+func Require(filters ...string) ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		for _, f := range filters {
+			c.WorkerConstraints = append(c.WorkerConstraints, f)
+		}
+	})
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/prune.go b/cli/vendor/github.com/moby/buildkit/client/prune.go
new file mode 100644
index 00000000..b3c1edcd
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/prune.go
@@ -0,0 +1,50 @@
+package client
+
+import (
+	"context"
+	"io"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/pkg/errors"
+)
+
+func (c *Client) Prune(ctx context.Context, ch chan UsageInfo, opts ...PruneOption) error {
+	info := &PruneInfo{}
+	for _, o := range opts {
+		o(info)
+	}
+
+	req := &controlapi.PruneRequest{}
+	cl, err := c.controlClient().Prune(ctx, req)
+	if err != nil {
+		return errors.Wrap(err, "failed to call prune")
+	}
+
+	for {
+		d, err := cl.Recv()
+		if err != nil {
+			if err == io.EOF {
+				return nil
+			}
+			return err
+		}
+		if ch != nil {
+			ch <- UsageInfo{
+				ID:          d.ID,
+				Mutable:     d.Mutable,
+				InUse:       d.InUse,
+				Size:        d.Size_,
+				Parent:      d.Parent,
+				CreatedAt:   d.CreatedAt,
+				Description: d.Description,
+				UsageCount:  int(d.UsageCount),
+				LastUsedAt:  d.LastUsedAt,
+			}
+		}
+	}
+}
+
+type PruneOption func(*PruneInfo)
+
+type PruneInfo struct {
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/solve.go b/cli/vendor/github.com/moby/buildkit/client/solve.go
new file mode 100644
index 00000000..972b6b3e
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/solve.go
@@ -0,0 +1,251 @@
+package client
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/filesync"
+	"github.com/moby/buildkit/session/grpchijack"
+	"github.com/moby/buildkit/solver/pb"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+)
+
+type SolveOpt struct {
+	Exporter          string
+	ExporterAttrs     map[string]string
+	ExporterOutput    io.WriteCloser // for ExporterOCI and ExporterDocker
+	ExporterOutputDir string         // for ExporterLocal
+	LocalDirs         map[string]string
+	SharedKey         string
+	Frontend          string
+	FrontendAttrs     map[string]string
+	ExportCache       string
+	ExportCacheAttrs  map[string]string
+	ImportCache       []string
+	Session           []session.Attachable
+}
+
+// Solve calls Solve on the controller.
+// def must be nil if (and only if) opt.Frontend is set.
+func (c *Client) Solve(ctx context.Context, def *llb.Definition, opt SolveOpt, statusChan chan *SolveStatus) (*SolveResponse, error) {
+	defer func() {
+		if statusChan != nil {
+			close(statusChan)
+		}
+	}()
+
+	if opt.Frontend == "" && def == nil {
+		return nil, errors.New("invalid empty definition")
+	}
+	if opt.Frontend != "" && def != nil {
+		return nil, errors.Errorf("invalid definition for frontend %s", opt.Frontend)
+	}
+
+	syncedDirs, err := prepareSyncedDirs(def, opt.LocalDirs)
+	if err != nil {
+		return nil, err
+	}
+
+	ref := identity.NewID()
+	eg, ctx := errgroup.WithContext(ctx)
+
+	statusContext, cancelStatus := context.WithCancel(context.Background())
+	defer cancelStatus()
+
+	if span := opentracing.SpanFromContext(ctx); span != nil {
+		statusContext = opentracing.ContextWithSpan(statusContext, span)
+	}
+
+	s, err := session.NewSession(statusContext, defaultSessionName(), opt.SharedKey)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create session")
+	}
+
+	if len(syncedDirs) > 0 {
+		s.Allow(filesync.NewFSSyncProvider(syncedDirs))
+	}
+
+	for _, a := range opt.Session {
+		s.Allow(a)
+	}
+
+	switch opt.Exporter {
+	case ExporterLocal:
+		if opt.ExporterOutput != nil {
+			return nil, errors.New("output file writer is not supported by local exporter")
+		}
+		if opt.ExporterOutputDir == "" {
+			return nil, errors.New("output directory is required for local exporter")
+		}
+		s.Allow(filesync.NewFSSyncTargetDir(opt.ExporterOutputDir))
+	case ExporterOCI, ExporterDocker:
+		if opt.ExporterOutputDir != "" {
+			return nil, errors.Errorf("output directory %s is not supported by %s exporter", opt.ExporterOutputDir, opt.Exporter)
+		}
+		if opt.ExporterOutput == nil {
+			return nil, errors.Errorf("output file writer is required for %s exporter", opt.Exporter)
+		}
+		s.Allow(filesync.NewFSSyncTarget(opt.ExporterOutput))
+	default:
+		if opt.ExporterOutput != nil {
+			return nil, errors.Errorf("output file writer is not supported by %s exporter", opt.Exporter)
+		}
+		if opt.ExporterOutputDir != "" {
+			return nil, errors.Errorf("output directory %s is not supported by %s exporter", opt.ExporterOutputDir, opt.Exporter)
+		}
+	}
+
+	eg.Go(func() error {
+		return s.Run(statusContext, grpchijack.Dialer(c.controlClient()))
+	})
+
+	var res *SolveResponse
+	eg.Go(func() error {
+		defer func() { // make sure the Status ends cleanly on build errors
+			go func() {
+				<-time.After(3 * time.Second)
+				cancelStatus()
+			}()
+			logrus.Debugf("stopping session")
+			s.Close()
+		}()
+		var pbd *pb.Definition
+		if def != nil {
+			pbd = def.ToPB()
+		}
+		resp, err := c.controlClient().Solve(ctx, &controlapi.SolveRequest{
+			Ref:           ref,
+			Definition:    pbd,
+			Exporter:      opt.Exporter,
+			ExporterAttrs: opt.ExporterAttrs,
+			Session:       s.ID(),
+			Frontend:      opt.Frontend,
+			FrontendAttrs: opt.FrontendAttrs,
+			Cache: controlapi.CacheOptions{
+				ExportRef:   opt.ExportCache,
+				ImportRefs:  opt.ImportCache,
+				ExportAttrs: opt.ExportCacheAttrs,
+			},
+		})
+		if err != nil {
+			return errors.Wrap(err, "failed to solve")
+		}
+		res = &SolveResponse{
+			ExporterResponse: resp.ExporterResponse,
+		}
+		return nil
+	})
+
+	eg.Go(func() error {
+		stream, err := c.controlClient().Status(statusContext, &controlapi.StatusRequest{
+			Ref: ref,
+		})
+		if err != nil {
+			return errors.Wrap(err, "failed to get status")
+		}
+		for {
+			resp, err := stream.Recv()
+			if err != nil {
+				if err == io.EOF {
+					return nil
+				}
+				return errors.Wrap(err, "failed to receive status")
+			}
+			s := SolveStatus{}
+			for _, v := range resp.Vertexes {
+				s.Vertexes = append(s.Vertexes, &Vertex{
+					Digest:    v.Digest,
+					Inputs:    v.Inputs,
+					Name:      v.Name,
+					Started:   v.Started,
+					Completed: v.Completed,
+					Error:     v.Error,
+					Cached:    v.Cached,
+				})
+			}
+			for _, v := range resp.Statuses {
+				s.Statuses = append(s.Statuses, &VertexStatus{
+					ID:        v.ID,
+					Vertex:    v.Vertex,
+					Name:      v.Name,
+					Total:     v.Total,
+					Current:   v.Current,
+					Timestamp: v.Timestamp,
+					Started:   v.Started,
+					Completed: v.Completed,
+				})
+			}
+			for _, v := range resp.Logs {
+				s.Logs = append(s.Logs, &VertexLog{
+					Vertex:    v.Vertex,
+					Stream:    int(v.Stream),
+					Data:      v.Msg,
+					Timestamp: v.Timestamp,
+				})
+			}
+			if statusChan != nil {
+				statusChan <- &s
+			}
+		}
+	})
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+	return res, nil
+}
+
+func prepareSyncedDirs(def *llb.Definition, localDirs map[string]string) ([]filesync.SyncedDir, error) {
+	for _, d := range localDirs {
+		fi, err := os.Stat(d)
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not find %s", d)
+		}
+		if !fi.IsDir() {
+			return nil, errors.Errorf("%s not a directory", d)
+		}
+	}
+	dirs := make([]filesync.SyncedDir, 0, len(localDirs))
+	if def == nil {
+		for name, d := range localDirs {
+			dirs = append(dirs, filesync.SyncedDir{Name: name, Dir: d})
+		}
+	} else {
+		for _, dt := range def.Def {
+			var op pb.Op
+			if err := (&op).Unmarshal(dt); err != nil {
+				return nil, errors.Wrap(err, "failed to parse llb proto op")
+			}
+			if src := op.GetSource(); src != nil {
+				if strings.HasPrefix(src.Identifier, "local://") { // TODO: just make a type property
+					name := strings.TrimPrefix(src.Identifier, "local://")
+					d, ok := localDirs[name]
+					if !ok {
+						return nil, errors.Errorf("local directory %s not enabled", name)
+					}
+					dirs = append(dirs, filesync.SyncedDir{Name: name, Dir: d}) // TODO: excludes
+				}
+			}
+		}
+	}
+	return dirs, nil
+}
+
+func defaultSessionName() string {
+	wd, err := os.Getwd()
+	if err != nil {
+		return "unknown"
+	}
+	return filepath.Base(wd)
+}
diff --git a/cli/vendor/github.com/moby/buildkit/client/workers.go b/cli/vendor/github.com/moby/buildkit/client/workers.go
new file mode 100644
index 00000000..e70dcbc6
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/client/workers.go
@@ -0,0 +1,53 @@
+package client
+
+import (
+	"context"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/solver/pb"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+type WorkerInfo struct {
+	ID        string
+	Labels    map[string]string
+	Platforms []specs.Platform
+}
+
+func (c *Client) ListWorkers(ctx context.Context, opts ...ListWorkersOption) ([]*WorkerInfo, error) {
+	info := &ListWorkersInfo{}
+	for _, o := range opts {
+		o(info)
+	}
+
+	req := &controlapi.ListWorkersRequest{Filter: info.Filter}
+	resp, err := c.controlClient().ListWorkers(ctx, req)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to list workers")
+	}
+
+	var wi []*WorkerInfo
+
+	for _, w := range resp.Record {
+		wi = append(wi, &WorkerInfo{
+			ID:        w.ID,
+			Labels:    w.Labels,
+			Platforms: pb.ToSpecPlatforms(w.Platforms),
+		})
+	}
+
+	return wi, nil
+}
+
+type ListWorkersOption func(*ListWorkersInfo)
+
+type ListWorkersInfo struct {
+	Filter []string
+}
+
+func WithWorkerFilter(f []string) ListWorkersOption {
+	return func(wi *ListWorkersInfo) {
+		wi.Filter = f
+	}
+}
diff --git a/cli/vendor/github.com/moby/buildkit/identity/randomid.go b/cli/vendor/github.com/moby/buildkit/identity/randomid.go
new file mode 100644
index 00000000..0eb13527
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/identity/randomid.go
@@ -0,0 +1,53 @@
+package identity
+
+import (
+	cryptorand "crypto/rand"
+	"fmt"
+	"io"
+	"math/big"
+)
+
+var (
+	// idReader is used for random id generation. This declaration allows us to
+	// replace it for testing.
+	idReader = cryptorand.Reader
+)
+
+// parameters for random identifier generation. We can tweak this when there is
+// time for further analysis.
+const (
+	randomIDEntropyBytes = 17
+	randomIDBase         = 36
+
+	// To ensure that all identifiers are fixed length, we make sure they
+	// get padded out or truncated to 25 characters.
+	//
+	// For academics,  f5lxx1zz5pnorynqglhzmsp33  == 2^128 - 1. This value
+	// was calculated from floor(log(2^128-1, 36)) + 1.
+	//
+	// While 128 bits is the largest whole-byte size that fits into 25
+	// base-36 characters, we generate an extra byte of entropy to fill
+	// in the high bits, which would otherwise be 0. This gives us a more
+	// even distribution of the first character.
+	//
+	// See http://mathworld.wolfram.com/NumberLength.html for more information.
+	maxRandomIDLength = 25
+)
+
+// NewID generates a new identifier for use where random identifiers with low
+// collision probability are required.
+//
+// With the parameters in this package, the generated identifier will provide
+// ~129 bits of entropy encoded with base36. Leading padding is added if the
+// string is less 25 bytes. We do not intend to maintain this interface, so
+// identifiers should be treated opaquely.
+func NewID() string {
+	var p [randomIDEntropyBytes]byte
+
+	if _, err := io.ReadFull(idReader, p[:]); err != nil {
+		panic(fmt.Errorf("failed to read random bytes: %v", err))
+	}
+
+	p[0] |= 0x80 // set high bit to avoid the need for padding
+	return (&big.Int{}).SetBytes(p[:]).Text(randomIDBase)[1 : maxRandomIDLength+1]
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/auth/auth.go b/cli/vendor/github.com/moby/buildkit/session/auth/auth.go
new file mode 100644
index 00000000..2b96a7ce
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/auth/auth.go
@@ -0,0 +1,26 @@
+package auth
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/session"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func CredentialsFunc(ctx context.Context, c session.Caller) func(string) (string, string, error) {
+	return func(host string) (string, string, error) {
+		client := NewAuthClient(c.Conn())
+
+		resp, err := client.Credentials(ctx, &CredentialsRequest{
+			Host: host,
+		})
+		if err != nil {
+			if st, ok := status.FromError(err); ok && st.Code() == codes.Unimplemented {
+				return "", "", nil
+			}
+			return "", "", err
+		}
+		return resp.Username, resp.Secret, nil
+	}
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/auth/auth.pb.go b/cli/vendor/github.com/moby/buildkit/session/auth/auth.pb.go
new file mode 100644
index 00000000..8993b85b
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/auth/auth.pb.go
@@ -0,0 +1,673 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: auth.proto
+
+/*
+	Package auth is a generated protocol buffer package.
+
+	It is generated from these files:
+		auth.proto
+
+	It has these top-level messages:
+		CredentialsRequest
+		CredentialsResponse
+*/
+package auth
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import context "golang.org/x/net/context"
+import grpc "google.golang.org/grpc"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type CredentialsRequest struct {
+	Host string `protobuf:"bytes,1,opt,name=Host,proto3" json:"Host,omitempty"`
+}
+
+func (m *CredentialsRequest) Reset()                    { *m = CredentialsRequest{} }
+func (*CredentialsRequest) ProtoMessage()               {}
+func (*CredentialsRequest) Descriptor() ([]byte, []int) { return fileDescriptorAuth, []int{0} }
+
+func (m *CredentialsRequest) GetHost() string {
+	if m != nil {
+		return m.Host
+	}
+	return ""
+}
+
+type CredentialsResponse struct {
+	Username string `protobuf:"bytes,1,opt,name=Username,proto3" json:"Username,omitempty"`
+	Secret   string `protobuf:"bytes,2,opt,name=Secret,proto3" json:"Secret,omitempty"`
+}
+
+func (m *CredentialsResponse) Reset()                    { *m = CredentialsResponse{} }
+func (*CredentialsResponse) ProtoMessage()               {}
+func (*CredentialsResponse) Descriptor() ([]byte, []int) { return fileDescriptorAuth, []int{1} }
+
+func (m *CredentialsResponse) GetUsername() string {
+	if m != nil {
+		return m.Username
+	}
+	return ""
+}
+
+func (m *CredentialsResponse) GetSecret() string {
+	if m != nil {
+		return m.Secret
+	}
+	return ""
+}
+
+func init() {
+	proto.RegisterType((*CredentialsRequest)(nil), "moby.filesync.v1.CredentialsRequest")
+	proto.RegisterType((*CredentialsResponse)(nil), "moby.filesync.v1.CredentialsResponse")
+}
+func (this *CredentialsRequest) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*CredentialsRequest)
+	if !ok {
+		that2, ok := that.(CredentialsRequest)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if this.Host != that1.Host {
+		return false
+	}
+	return true
+}
+func (this *CredentialsResponse) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*CredentialsResponse)
+	if !ok {
+		that2, ok := that.(CredentialsResponse)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if this.Username != that1.Username {
+		return false
+	}
+	if this.Secret != that1.Secret {
+		return false
+	}
+	return true
+}
+func (this *CredentialsRequest) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&auth.CredentialsRequest{")
+	s = append(s, "Host: "+fmt.Sprintf("%#v", this.Host)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func (this *CredentialsResponse) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 6)
+	s = append(s, "&auth.CredentialsResponse{")
+	s = append(s, "Username: "+fmt.Sprintf("%#v", this.Username)+",\n")
+	s = append(s, "Secret: "+fmt.Sprintf("%#v", this.Secret)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringAuth(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// Client API for Auth service
+
+type AuthClient interface {
+	Credentials(ctx context.Context, in *CredentialsRequest, opts ...grpc.CallOption) (*CredentialsResponse, error)
+}
+
+type authClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewAuthClient(cc *grpc.ClientConn) AuthClient {
+	return &authClient{cc}
+}
+
+func (c *authClient) Credentials(ctx context.Context, in *CredentialsRequest, opts ...grpc.CallOption) (*CredentialsResponse, error) {
+	out := new(CredentialsResponse)
+	err := grpc.Invoke(ctx, "/moby.filesync.v1.Auth/Credentials", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// Server API for Auth service
+
+type AuthServer interface {
+	Credentials(context.Context, *CredentialsRequest) (*CredentialsResponse, error)
+}
+
+func RegisterAuthServer(s *grpc.Server, srv AuthServer) {
+	s.RegisterService(&_Auth_serviceDesc, srv)
+}
+
+func _Auth_Credentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CredentialsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServer).Credentials(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.filesync.v1.Auth/Credentials",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServer).Credentials(ctx, req.(*CredentialsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _Auth_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.filesync.v1.Auth",
+	HandlerType: (*AuthServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Credentials",
+			Handler:    _Auth_Credentials_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "auth.proto",
+}
+
+func (m *CredentialsRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CredentialsRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Host) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Host)))
+		i += copy(dAtA[i:], m.Host)
+	}
+	return i, nil
+}
+
+func (m *CredentialsResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CredentialsResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Username) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Username)))
+		i += copy(dAtA[i:], m.Username)
+	}
+	if len(m.Secret) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Secret)))
+		i += copy(dAtA[i:], m.Secret)
+	}
+	return i, nil
+}
+
+func encodeVarintAuth(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *CredentialsRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Host)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	return n
+}
+
+func (m *CredentialsResponse) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Username)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	l = len(m.Secret)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	return n
+}
+
+func sovAuth(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozAuth(x uint64) (n int) {
+	return sovAuth(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *CredentialsRequest) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CredentialsRequest{`,
+		`Host:` + fmt.Sprintf("%v", this.Host) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CredentialsResponse) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CredentialsResponse{`,
+		`Username:` + fmt.Sprintf("%v", this.Username) + `,`,
+		`Secret:` + fmt.Sprintf("%v", this.Secret) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringAuth(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *CredentialsRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CredentialsRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CredentialsRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Host = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuth(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthAuth
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CredentialsResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CredentialsResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CredentialsResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Username", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Username = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Secret", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Secret = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuth(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthAuth
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipAuth(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthAuth
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowAuth
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipAuth(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthAuth = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowAuth   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("auth.proto", fileDescriptorAuth) }
+
+var fileDescriptorAuth = []byte{
+	// 224 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4a, 0x2c, 0x2d, 0xc9,
+	0xd0, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xc8, 0xcd, 0x4f, 0xaa, 0xd4, 0x4b, 0xcb, 0xcc,
+	0x49, 0x2d, 0xae, 0xcc, 0x4b, 0xd6, 0x2b, 0x33, 0x54, 0xd2, 0xe0, 0x12, 0x72, 0x2e, 0x4a, 0x4d,
+	0x49, 0xcd, 0x2b, 0xc9, 0x4c, 0xcc, 0x29, 0x0e, 0x4a, 0x2d, 0x2c, 0x4d, 0x2d, 0x2e, 0x11, 0x12,
+	0xe2, 0x62, 0xf1, 0xc8, 0x2f, 0x2e, 0x91, 0x60, 0x54, 0x60, 0xd4, 0xe0, 0x0c, 0x02, 0xb3, 0x95,
+	0x3c, 0xb9, 0x84, 0x51, 0x54, 0x16, 0x17, 0xe4, 0xe7, 0x15, 0xa7, 0x0a, 0x49, 0x71, 0x71, 0x84,
+	0x16, 0xa7, 0x16, 0xe5, 0x25, 0xe6, 0xa6, 0x42, 0x95, 0xc3, 0xf9, 0x42, 0x62, 0x5c, 0x6c, 0xc1,
+	0xa9, 0xc9, 0x45, 0xa9, 0x25, 0x12, 0x4c, 0x60, 0x19, 0x28, 0xcf, 0x28, 0x89, 0x8b, 0xc5, 0xb1,
+	0xb4, 0x24, 0x43, 0x28, 0x8a, 0x8b, 0x1b, 0xc9, 0x48, 0x21, 0x15, 0x3d, 0x74, 0xe7, 0xe9, 0x61,
+	0xba, 0x4d, 0x4a, 0x95, 0x80, 0x2a, 0x88, 0xbb, 0x9c, 0x8c, 0x2e, 0x3c, 0x94, 0x63, 0xb8, 0xf1,
+	0x50, 0x8e, 0xe1, 0xc3, 0x43, 0x39, 0xc6, 0x86, 0x47, 0x72, 0x8c, 0x2b, 0x1e, 0xc9, 0x31, 0x9e,
+	0x78, 0x24, 0xc7, 0x78, 0xe1, 0x91, 0x1c, 0xe3, 0x83, 0x47, 0x72, 0x8c, 0x2f, 0x1e, 0xc9, 0x31,
+	0x7c, 0x78, 0x24, 0xc7, 0x38, 0xe1, 0xb1, 0x1c, 0x43, 0x14, 0x0b, 0x28, 0x90, 0x92, 0xd8, 0xc0,
+	0xa1, 0x64, 0x0c, 0x08, 0x00, 0x00, 0xff, 0xff, 0xaa, 0x73, 0xf3, 0xd5, 0x33, 0x01, 0x00, 0x00,
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/auth/auth.proto b/cli/vendor/github.com/moby/buildkit/session/auth/auth.proto
new file mode 100644
index 00000000..59331274
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/auth/auth.proto
@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package moby.filesync.v1;
+
+option go_package = "auth";
+
+service Auth{
+  rpc Credentials(CredentialsRequest) returns (CredentialsResponse);
+}
+
+
+message CredentialsRequest {
+	string Host = 1;
+}
+
+message CredentialsResponse {
+	string Username = 1;
+	string Secret = 2;
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go b/cli/vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go
new file mode 100644
index 00000000..a286567e
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/auth/authprovider/authprovider.go
@@ -0,0 +1,44 @@
+package authprovider
+
+import (
+	"context"
+	"io/ioutil"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/auth"
+	"google.golang.org/grpc"
+)
+
+func NewDockerAuthProvider() session.Attachable {
+	return &authProvider{
+		config: config.LoadDefaultConfigFile(ioutil.Discard),
+	}
+}
+
+type authProvider struct {
+	config *configfile.ConfigFile
+}
+
+func (ap *authProvider) Register(server *grpc.Server) {
+	auth.RegisterAuthServer(server, ap)
+}
+
+func (ap *authProvider) Credentials(ctx context.Context, req *auth.CredentialsRequest) (*auth.CredentialsResponse, error) {
+	if req.Host == "registry-1.docker.io" {
+		req.Host = "https://index.docker.io/v1/"
+	}
+	ac, err := ap.config.GetAuthConfig(req.Host)
+	if err != nil {
+		return nil, err
+	}
+	res := &auth.CredentialsResponse{}
+	if ac.IdentityToken != "" {
+		res.Secret = ac.IdentityToken
+	} else {
+		res.Username = ac.Username
+		res.Secret = ac.Password
+	}
+	return res, nil
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/auth/generate.go b/cli/vendor/github.com/moby/buildkit/session/auth/generate.go
new file mode 100644
index 00000000..687aa7cc
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/auth/generate.go
@@ -0,0 +1,3 @@
+package auth
+
+//go:generate protoc --gogoslick_out=plugins=grpc:. auth.proto
diff --git a/cli/vendor/github.com/moby/buildkit/session/context.go b/cli/vendor/github.com/moby/buildkit/session/context.go
new file mode 100644
index 00000000..31a29f08
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/context.go
@@ -0,0 +1,22 @@
+package session
+
+import "context"
+
+type contextKeyT string
+
+var contextKey = contextKeyT("buildkit/session-id")
+
+func NewContext(ctx context.Context, id string) context.Context {
+	if id != "" {
+		return context.WithValue(ctx, contextKey, id)
+	}
+	return ctx
+}
+
+func FromContext(ctx context.Context) string {
+	v := ctx.Value(contextKey)
+	if v == nil {
+		return ""
+	}
+	return v.(string)
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/filesync/diffcopy.go b/cli/vendor/github.com/moby/buildkit/session/filesync/diffcopy.go
new file mode 100644
index 00000000..d0f8e76d
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/filesync/diffcopy.go
@@ -0,0 +1,114 @@
+package filesync
+
+import (
+	"bufio"
+	io "io"
+	"os"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/tonistiigi/fsutil"
+	"google.golang.org/grpc"
+)
+
+func sendDiffCopy(stream grpc.Stream, dir string, includes, excludes, followPaths []string, progress progressCb, _map func(*fsutil.Stat) bool) error {
+	return fsutil.Send(stream.Context(), stream, dir, &fsutil.WalkOpt{
+		ExcludePatterns: excludes,
+		IncludePatterns: includes,
+		FollowPaths:     followPaths,
+		Map:             _map,
+	}, progress)
+}
+
+func newStreamWriter(stream grpc.ClientStream) io.WriteCloser {
+	wc := &streamWriterCloser{ClientStream: stream}
+	return &bufferedWriteCloser{Writer: bufio.NewWriter(wc), Closer: wc}
+}
+
+type bufferedWriteCloser struct {
+	*bufio.Writer
+	io.Closer
+}
+
+func (bwc *bufferedWriteCloser) Close() error {
+	if err := bwc.Writer.Flush(); err != nil {
+		return err
+	}
+	return bwc.Closer.Close()
+}
+
+type streamWriterCloser struct {
+	grpc.ClientStream
+}
+
+func (wc *streamWriterCloser) Write(dt []byte) (int, error) {
+	if err := wc.ClientStream.SendMsg(&BytesMessage{Data: dt}); err != nil {
+		return 0, err
+	}
+	return len(dt), nil
+}
+
+func (wc *streamWriterCloser) Close() error {
+	if err := wc.ClientStream.CloseSend(); err != nil {
+		return err
+	}
+	// block until receiver is done
+	var bm BytesMessage
+	if err := wc.ClientStream.RecvMsg(&bm); err != io.EOF {
+		return err
+	}
+	return nil
+}
+
+func recvDiffCopy(ds grpc.Stream, dest string, cu CacheUpdater, progress progressCb) error {
+	st := time.Now()
+	defer func() {
+		logrus.Debugf("diffcopy took: %v", time.Since(st))
+	}()
+	var cf fsutil.ChangeFunc
+	var ch fsutil.ContentHasher
+	if cu != nil {
+		cu.MarkSupported(true)
+		cf = cu.HandleChange
+		ch = cu.ContentHasher()
+	}
+	return fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
+		NotifyHashed:  cf,
+		ContentHasher: ch,
+		ProgressCb:    progress,
+	})
+}
+
+func syncTargetDiffCopy(ds grpc.Stream, dest string) error {
+	if err := os.MkdirAll(dest, 0700); err != nil {
+		return err
+	}
+	return fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
+		Merge: true,
+		Filter: func() func(*fsutil.Stat) bool {
+			uid := os.Getuid()
+			gid := os.Getgid()
+			return func(st *fsutil.Stat) bool {
+				st.Uid = uint32(uid)
+				st.Gid = uint32(gid)
+				return true
+			}
+		}(),
+	})
+}
+
+func writeTargetFile(ds grpc.Stream, wc io.WriteCloser) error {
+	for {
+		bm := BytesMessage{}
+		if err := ds.RecvMsg(&bm); err != nil {
+			if errors.Cause(err) == io.EOF {
+				return nil
+			}
+			return err
+		}
+		if _, err := wc.Write(bm.Data); err != nil {
+			return err
+		}
+	}
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/filesync/filesync.go b/cli/vendor/github.com/moby/buildkit/session/filesync/filesync.go
new file mode 100644
index 00000000..ee2668f0
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/filesync/filesync.go
@@ -0,0 +1,289 @@
+package filesync
+
+import (
+	"context"
+	"fmt"
+	io "io"
+	"os"
+	"strings"
+
+	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
+	"github.com/tonistiigi/fsutil"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+)
+
+const (
+	keyOverrideExcludes = "override-excludes"
+	keyIncludePatterns  = "include-patterns"
+	keyExcludePatterns  = "exclude-patterns"
+	keyFollowPaths      = "followpaths"
+	keyDirName          = "dir-name"
+)
+
+type fsSyncProvider struct {
+	dirs   map[string]SyncedDir
+	p      progressCb
+	doneCh chan error
+}
+
+type SyncedDir struct {
+	Name     string
+	Dir      string
+	Excludes []string
+	Map      func(*fsutil.Stat) bool
+}
+
+// NewFSSyncProvider creates a new provider for sending files from client
+func NewFSSyncProvider(dirs []SyncedDir) session.Attachable {
+	p := &fsSyncProvider{
+		dirs: map[string]SyncedDir{},
+	}
+	for _, d := range dirs {
+		p.dirs[d.Name] = d
+	}
+	return p
+}
+
+func (sp *fsSyncProvider) Register(server *grpc.Server) {
+	RegisterFileSyncServer(server, sp)
+}
+
+func (sp *fsSyncProvider) DiffCopy(stream FileSync_DiffCopyServer) error {
+	return sp.handle("diffcopy", stream)
+}
+func (sp *fsSyncProvider) TarStream(stream FileSync_TarStreamServer) error {
+	return sp.handle("tarstream", stream)
+}
+
+func (sp *fsSyncProvider) handle(method string, stream grpc.ServerStream) (retErr error) {
+	var pr *protocol
+	for _, p := range supportedProtocols {
+		if method == p.name && isProtoSupported(p.name) {
+			pr = &p
+			break
+		}
+	}
+	if pr == nil {
+		return errors.New("failed to negotiate protocol")
+	}
+
+	opts, _ := metadata.FromIncomingContext(stream.Context()) // if no metadata continue with empty object
+
+	dirName := ""
+	name, ok := opts[keyDirName]
+	if ok && len(name) > 0 {
+		dirName = name[0]
+	}
+
+	dir, ok := sp.dirs[dirName]
+	if !ok {
+		return errors.Errorf("no access allowed to dir %q", dirName)
+	}
+
+	excludes := opts[keyExcludePatterns]
+	if len(dir.Excludes) != 0 && (len(opts[keyOverrideExcludes]) == 0 || opts[keyOverrideExcludes][0] != "true") {
+		excludes = dir.Excludes
+	}
+	includes := opts[keyIncludePatterns]
+
+	followPaths := opts[keyFollowPaths]
+
+	var progress progressCb
+	if sp.p != nil {
+		progress = sp.p
+		sp.p = nil
+	}
+
+	var doneCh chan error
+	if sp.doneCh != nil {
+		doneCh = sp.doneCh
+		sp.doneCh = nil
+	}
+	err := pr.sendFn(stream, dir.Dir, includes, excludes, followPaths, progress, dir.Map)
+	if doneCh != nil {
+		if err != nil {
+			doneCh <- err
+		}
+		close(doneCh)
+	}
+	return err
+}
+
+func (sp *fsSyncProvider) SetNextProgressCallback(f func(int, bool), doneCh chan error) {
+	sp.p = f
+	sp.doneCh = doneCh
+}
+
+type progressCb func(int, bool)
+
+type protocol struct {
+	name   string
+	sendFn func(stream grpc.Stream, srcDir string, includes, excludes, followPaths []string, progress progressCb, _map func(*fsutil.Stat) bool) error
+	recvFn func(stream grpc.Stream, destDir string, cu CacheUpdater, progress progressCb) error
+}
+
+func isProtoSupported(p string) bool {
+	// TODO: this should be removed after testing if stability is confirmed
+	if override := os.Getenv("BUILD_STREAM_PROTOCOL"); override != "" {
+		return strings.EqualFold(p, override)
+	}
+	return true
+}
+
+var supportedProtocols = []protocol{
+	{
+		name:   "diffcopy",
+		sendFn: sendDiffCopy,
+		recvFn: recvDiffCopy,
+	},
+}
+
+// FSSendRequestOpt defines options for FSSend request
+type FSSendRequestOpt struct {
+	Name             string
+	IncludePatterns  []string
+	ExcludePatterns  []string
+	FollowPaths      []string
+	OverrideExcludes bool // deprecated: this is used by docker/cli for automatically loading .dockerignore from the directory
+	DestDir          string
+	CacheUpdater     CacheUpdater
+	ProgressCb       func(int, bool)
+}
+
+// CacheUpdater is an object capable of sending notifications for the cache hash changes
+type CacheUpdater interface {
+	MarkSupported(bool)
+	HandleChange(fsutil.ChangeKind, string, os.FileInfo, error) error
+	ContentHasher() fsutil.ContentHasher
+}
+
+// FSSync initializes a transfer of files
+func FSSync(ctx context.Context, c session.Caller, opt FSSendRequestOpt) error {
+	var pr *protocol
+	for _, p := range supportedProtocols {
+		if isProtoSupported(p.name) && c.Supports(session.MethodURL(_FileSync_serviceDesc.ServiceName, p.name)) {
+			pr = &p
+			break
+		}
+	}
+	if pr == nil {
+		return errors.New("no fssync handlers")
+	}
+
+	opts := make(map[string][]string)
+	if opt.OverrideExcludes {
+		opts[keyOverrideExcludes] = []string{"true"}
+	}
+
+	if opt.IncludePatterns != nil {
+		opts[keyIncludePatterns] = opt.IncludePatterns
+	}
+
+	if opt.ExcludePatterns != nil {
+		opts[keyExcludePatterns] = opt.ExcludePatterns
+	}
+
+	if opt.FollowPaths != nil {
+		opts[keyFollowPaths] = opt.FollowPaths
+	}
+
+	opts[keyDirName] = []string{opt.Name}
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	client := NewFileSyncClient(c.Conn())
+
+	var stream grpc.ClientStream
+
+	ctx = metadata.NewOutgoingContext(ctx, opts)
+
+	switch pr.name {
+	case "tarstream":
+		cc, err := client.TarStream(ctx)
+		if err != nil {
+			return err
+		}
+		stream = cc
+	case "diffcopy":
+		cc, err := client.DiffCopy(ctx)
+		if err != nil {
+			return err
+		}
+		stream = cc
+	default:
+		panic(fmt.Sprintf("invalid protocol: %q", pr.name))
+	}
+
+	return pr.recvFn(stream, opt.DestDir, opt.CacheUpdater, opt.ProgressCb)
+}
+
+// NewFSSyncTargetDir allows writing into a directory
+func NewFSSyncTargetDir(outdir string) session.Attachable {
+	p := &fsSyncTarget{
+		outdir: outdir,
+	}
+	return p
+}
+
+// NewFSSyncTarget allows writing into an io.WriteCloser
+func NewFSSyncTarget(w io.WriteCloser) session.Attachable {
+	p := &fsSyncTarget{
+		outfile: w,
+	}
+	return p
+}
+
+type fsSyncTarget struct {
+	outdir  string
+	outfile io.WriteCloser
+}
+
+func (sp *fsSyncTarget) Register(server *grpc.Server) {
+	RegisterFileSendServer(server, sp)
+}
+
+func (sp *fsSyncTarget) DiffCopy(stream FileSend_DiffCopyServer) error {
+	if sp.outdir != "" {
+		return syncTargetDiffCopy(stream, sp.outdir)
+	}
+	if sp.outfile == nil {
+		return errors.New("empty outfile and outdir")
+	}
+	defer sp.outfile.Close()
+	return writeTargetFile(stream, sp.outfile)
+}
+
+func CopyToCaller(ctx context.Context, srcPath string, c session.Caller, progress func(int, bool)) error {
+	method := session.MethodURL(_FileSend_serviceDesc.ServiceName, "diffcopy")
+	if !c.Supports(method) {
+		return errors.Errorf("method %s not supported by the client", method)
+	}
+
+	client := NewFileSendClient(c.Conn())
+
+	cc, err := client.DiffCopy(ctx)
+	if err != nil {
+		return err
+	}
+
+	return sendDiffCopy(cc, srcPath, nil, nil, nil, progress, nil)
+}
+
+func CopyFileWriter(ctx context.Context, c session.Caller) (io.WriteCloser, error) {
+	method := session.MethodURL(_FileSend_serviceDesc.ServiceName, "diffcopy")
+	if !c.Supports(method) {
+		return nil, errors.Errorf("method %s not supported by the client", method)
+	}
+
+	client := NewFileSendClient(c.Conn())
+
+	cc, err := client.DiffCopy(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return newStreamWriter(cc), nil
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/filesync/filesync.pb.go b/cli/vendor/github.com/moby/buildkit/session/filesync/filesync.pb.go
new file mode 100644
index 00000000..4a9697e3
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/filesync/filesync.pb.go
@@ -0,0 +1,644 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: filesync.proto
+
+/*
+Package filesync is a generated protocol buffer package.
+
+It is generated from these files:
+	filesync.proto
+
+It has these top-level messages:
+	BytesMessage
+*/
+package filesync
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import bytes "bytes"
+
+import strings "strings"
+import reflect "reflect"
+
+import context "golang.org/x/net/context"
+import grpc "google.golang.org/grpc"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+// BytesMessage contains a chunk of byte data
+type BytesMessage struct {
+	Data []byte `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
+}
+
+func (m *BytesMessage) Reset()                    { *m = BytesMessage{} }
+func (*BytesMessage) ProtoMessage()               {}
+func (*BytesMessage) Descriptor() ([]byte, []int) { return fileDescriptorFilesync, []int{0} }
+
+func (m *BytesMessage) GetData() []byte {
+	if m != nil {
+		return m.Data
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*BytesMessage)(nil), "moby.filesync.v1.BytesMessage")
+}
+func (this *BytesMessage) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*BytesMessage)
+	if !ok {
+		that2, ok := that.(BytesMessage)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if !bytes.Equal(this.Data, that1.Data) {
+		return false
+	}
+	return true
+}
+func (this *BytesMessage) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&filesync.BytesMessage{")
+	s = append(s, "Data: "+fmt.Sprintf("%#v", this.Data)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringFilesync(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// Client API for FileSync service
+
+type FileSyncClient interface {
+	DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSync_DiffCopyClient, error)
+	TarStream(ctx context.Context, opts ...grpc.CallOption) (FileSync_TarStreamClient, error)
+}
+
+type fileSyncClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewFileSyncClient(cc *grpc.ClientConn) FileSyncClient {
+	return &fileSyncClient{cc}
+}
+
+func (c *fileSyncClient) DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSync_DiffCopyClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_FileSync_serviceDesc.Streams[0], c.cc, "/moby.filesync.v1.FileSync/DiffCopy", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &fileSyncDiffCopyClient{stream}
+	return x, nil
+}
+
+type FileSync_DiffCopyClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type fileSyncDiffCopyClient struct {
+	grpc.ClientStream
+}
+
+func (x *fileSyncDiffCopyClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *fileSyncDiffCopyClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func (c *fileSyncClient) TarStream(ctx context.Context, opts ...grpc.CallOption) (FileSync_TarStreamClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_FileSync_serviceDesc.Streams[1], c.cc, "/moby.filesync.v1.FileSync/TarStream", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &fileSyncTarStreamClient{stream}
+	return x, nil
+}
+
+type FileSync_TarStreamClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type fileSyncTarStreamClient struct {
+	grpc.ClientStream
+}
+
+func (x *fileSyncTarStreamClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *fileSyncTarStreamClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+// Server API for FileSync service
+
+type FileSyncServer interface {
+	DiffCopy(FileSync_DiffCopyServer) error
+	TarStream(FileSync_TarStreamServer) error
+}
+
+func RegisterFileSyncServer(s *grpc.Server, srv FileSyncServer) {
+	s.RegisterService(&_FileSync_serviceDesc, srv)
+}
+
+func _FileSync_DiffCopy_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(FileSyncServer).DiffCopy(&fileSyncDiffCopyServer{stream})
+}
+
+type FileSync_DiffCopyServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type fileSyncDiffCopyServer struct {
+	grpc.ServerStream
+}
+
+func (x *fileSyncDiffCopyServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *fileSyncDiffCopyServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func _FileSync_TarStream_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(FileSyncServer).TarStream(&fileSyncTarStreamServer{stream})
+}
+
+type FileSync_TarStreamServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type fileSyncTarStreamServer struct {
+	grpc.ServerStream
+}
+
+func (x *fileSyncTarStreamServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *fileSyncTarStreamServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+var _FileSync_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.filesync.v1.FileSync",
+	HandlerType: (*FileSyncServer)(nil),
+	Methods:     []grpc.MethodDesc{},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "DiffCopy",
+			Handler:       _FileSync_DiffCopy_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+		{
+			StreamName:    "TarStream",
+			Handler:       _FileSync_TarStream_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "filesync.proto",
+}
+
+// Client API for FileSend service
+
+type FileSendClient interface {
+	DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSend_DiffCopyClient, error)
+}
+
+type fileSendClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewFileSendClient(cc *grpc.ClientConn) FileSendClient {
+	return &fileSendClient{cc}
+}
+
+func (c *fileSendClient) DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSend_DiffCopyClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_FileSend_serviceDesc.Streams[0], c.cc, "/moby.filesync.v1.FileSend/DiffCopy", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &fileSendDiffCopyClient{stream}
+	return x, nil
+}
+
+type FileSend_DiffCopyClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type fileSendDiffCopyClient struct {
+	grpc.ClientStream
+}
+
+func (x *fileSendDiffCopyClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *fileSendDiffCopyClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+// Server API for FileSend service
+
+type FileSendServer interface {
+	DiffCopy(FileSend_DiffCopyServer) error
+}
+
+func RegisterFileSendServer(s *grpc.Server, srv FileSendServer) {
+	s.RegisterService(&_FileSend_serviceDesc, srv)
+}
+
+func _FileSend_DiffCopy_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(FileSendServer).DiffCopy(&fileSendDiffCopyServer{stream})
+}
+
+type FileSend_DiffCopyServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type fileSendDiffCopyServer struct {
+	grpc.ServerStream
+}
+
+func (x *fileSendDiffCopyServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *fileSendDiffCopyServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+var _FileSend_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.filesync.v1.FileSend",
+	HandlerType: (*FileSendServer)(nil),
+	Methods:     []grpc.MethodDesc{},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "DiffCopy",
+			Handler:       _FileSend_DiffCopy_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "filesync.proto",
+}
+
+func (m *BytesMessage) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BytesMessage) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Data) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintFilesync(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func encodeVarintFilesync(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *BytesMessage) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Data)
+	if l > 0 {
+		n += 1 + l + sovFilesync(uint64(l))
+	}
+	return n
+}
+
+func sovFilesync(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozFilesync(x uint64) (n int) {
+	return sovFilesync(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *BytesMessage) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&BytesMessage{`,
+		`Data:` + fmt.Sprintf("%v", this.Data) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringFilesync(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *BytesMessage) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowFilesync
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BytesMessage: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BytesMessage: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowFilesync
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthFilesync
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipFilesync(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthFilesync
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipFilesync(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowFilesync
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowFilesync
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowFilesync
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthFilesync
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowFilesync
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipFilesync(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthFilesync = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowFilesync   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("filesync.proto", fileDescriptorFilesync) }
+
+var fileDescriptorFilesync = []byte{
+	// 208 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4b, 0xcb, 0xcc, 0x49,
+	0x2d, 0xae, 0xcc, 0x4b, 0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xc8, 0xcd, 0x4f, 0xaa,
+	0xd4, 0x83, 0x0b, 0x96, 0x19, 0x2a, 0x29, 0x71, 0xf1, 0x38, 0x55, 0x96, 0xa4, 0x16, 0xfb, 0xa6,
+	0x16, 0x17, 0x27, 0xa6, 0xa7, 0x0a, 0x09, 0x71, 0xb1, 0xa4, 0x24, 0x96, 0x24, 0x4a, 0x30, 0x2a,
+	0x30, 0x6a, 0xf0, 0x04, 0x81, 0xd9, 0x46, 0xab, 0x19, 0xb9, 0x38, 0xdc, 0x32, 0x73, 0x52, 0x83,
+	0x2b, 0xf3, 0x92, 0x85, 0xfc, 0xb8, 0x38, 0x5c, 0x32, 0xd3, 0xd2, 0x9c, 0xf3, 0x0b, 0x2a, 0x85,
+	0xe4, 0xf4, 0xd0, 0xcd, 0xd3, 0x43, 0x36, 0x4c, 0x8a, 0x80, 0xbc, 0x06, 0xa3, 0x01, 0xa3, 0x90,
+	0x3f, 0x17, 0x67, 0x48, 0x62, 0x51, 0x70, 0x49, 0x51, 0x6a, 0x62, 0x2e, 0x35, 0x0c, 0x34, 0x8a,
+	0x82, 0x3a, 0x36, 0x35, 0x2f, 0x85, 0xda, 0x8e, 0x75, 0x32, 0xbb, 0xf0, 0x50, 0x8e, 0xe1, 0xc6,
+	0x43, 0x39, 0x86, 0x0f, 0x0f, 0xe5, 0x18, 0x1b, 0x1e, 0xc9, 0x31, 0xae, 0x78, 0x24, 0xc7, 0x78,
+	0xe2, 0x91, 0x1c, 0xe3, 0x85, 0x47, 0x72, 0x8c, 0x0f, 0x1e, 0xc9, 0x31, 0xbe, 0x78, 0x24, 0xc7,
+	0xf0, 0xe1, 0x91, 0x1c, 0xe3, 0x84, 0xc7, 0x72, 0x0c, 0x51, 0x1c, 0x30, 0xb3, 0x92, 0xd8, 0xc0,
+	0xc1, 0x6f, 0x0c, 0x08, 0x00, 0x00, 0xff, 0xff, 0x72, 0x81, 0x1a, 0x91, 0x90, 0x01, 0x00, 0x00,
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/filesync/filesync.proto b/cli/vendor/github.com/moby/buildkit/session/filesync/filesync.proto
new file mode 100644
index 00000000..0ae29373
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/filesync/filesync.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+package moby.filesync.v1;
+
+option go_package = "filesync";
+
+service FileSync{
+  rpc DiffCopy(stream BytesMessage) returns (stream BytesMessage);
+  rpc TarStream(stream BytesMessage) returns (stream BytesMessage);
+}
+
+service FileSend{
+  rpc DiffCopy(stream BytesMessage) returns (stream BytesMessage);
+}
+
+
+// BytesMessage contains a chunk of byte data
+message BytesMessage{
+	bytes data = 1;
+}
\ No newline at end of file
diff --git a/cli/vendor/github.com/moby/buildkit/session/filesync/generate.go b/cli/vendor/github.com/moby/buildkit/session/filesync/generate.go
new file mode 100644
index 00000000..261e8762
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/filesync/generate.go
@@ -0,0 +1,3 @@
+package filesync
+
+//go:generate protoc --gogoslick_out=plugins=grpc:. filesync.proto
diff --git a/cli/vendor/github.com/moby/buildkit/session/grpc.go b/cli/vendor/github.com/moby/buildkit/session/grpc.go
new file mode 100644
index 00000000..2798b6ab
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/grpc.go
@@ -0,0 +1,81 @@
+package session
+
+import (
+	"context"
+	"net"
+	"sync/atomic"
+	"time"
+
+	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/net/http2"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/health/grpc_health_v1"
+)
+
+func serve(ctx context.Context, grpcServer *grpc.Server, conn net.Conn) {
+	go func() {
+		<-ctx.Done()
+		conn.Close()
+	}()
+	logrus.Debugf("serving grpc connection")
+	(&http2.Server{}).ServeConn(conn, &http2.ServeConnOpts{Handler: grpcServer})
+}
+
+func grpcClientConn(ctx context.Context, conn net.Conn) (context.Context, *grpc.ClientConn, error) {
+	var dialCount int64
+	dialer := grpc.WithDialer(func(addr string, d time.Duration) (net.Conn, error) {
+		if c := atomic.AddInt64(&dialCount, 1); c > 1 {
+			return nil, errors.Errorf("only one connection allowed")
+		}
+		return conn, nil
+	})
+
+	dialOpts := []grpc.DialOption{
+		dialer,
+		grpc.WithInsecure(),
+	}
+
+	if span := opentracing.SpanFromContext(ctx); span != nil {
+		tracer := span.Tracer()
+		dialOpts = append(dialOpts,
+			grpc.WithUnaryInterceptor(otgrpc.OpenTracingClientInterceptor(tracer, traceFilter())),
+			grpc.WithStreamInterceptor(otgrpc.OpenTracingStreamClientInterceptor(tracer, traceFilter())),
+		)
+	}
+
+	cc, err := grpc.DialContext(ctx, "", dialOpts...)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "failed to create grpc client")
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	go monitorHealth(ctx, cc, cancel)
+
+	return ctx, cc, nil
+}
+
+func monitorHealth(ctx context.Context, cc *grpc.ClientConn, cancelConn func()) {
+	defer cancelConn()
+	defer cc.Close()
+
+	ticker := time.NewTicker(1 * time.Second)
+	defer ticker.Stop()
+	healthClient := grpc_health_v1.NewHealthClient(cc)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+			_, err := healthClient.Check(ctx, &grpc_health_v1.HealthCheckRequest{})
+			cancel()
+			if err != nil {
+				return
+			}
+		}
+	}
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/grpchijack/dial.go b/cli/vendor/github.com/moby/buildkit/session/grpchijack/dial.go
new file mode 100644
index 00000000..151ab549
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/grpchijack/dial.go
@@ -0,0 +1,156 @@
+package grpchijack
+
+import (
+	"context"
+	"io"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/session"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+)
+
+func Dialer(api controlapi.ControlClient) session.Dialer {
+	return func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error) {
+
+		meta = lowerHeaders(meta)
+
+		md := metadata.MD(meta)
+
+		ctx = metadata.NewOutgoingContext(ctx, md)
+
+		stream, err := api.Session(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		c, _ := streamToConn(stream)
+		return c, nil
+	}
+}
+
+func streamToConn(stream grpc.Stream) (net.Conn, <-chan struct{}) {
+	closeCh := make(chan struct{})
+	c := &conn{stream: stream, buf: make([]byte, 32*1<<10), closeCh: closeCh}
+	return c, closeCh
+}
+
+type conn struct {
+	stream  grpc.Stream
+	buf     []byte
+	lastBuf []byte
+
+	closedOnce sync.Once
+	readMu     sync.Mutex
+	err        error
+	closeCh    chan struct{}
+}
+
+func (c *conn) Read(b []byte) (n int, err error) {
+	c.readMu.Lock()
+	defer c.readMu.Unlock()
+
+	if c.lastBuf != nil {
+		n := copy(b, c.lastBuf)
+		c.lastBuf = c.lastBuf[n:]
+		if len(c.lastBuf) == 0 {
+			c.lastBuf = nil
+		}
+		return n, nil
+	}
+	m := new(controlapi.BytesMessage)
+	m.Data = c.buf
+
+	if err := c.stream.RecvMsg(m); err != nil {
+		return 0, err
+	}
+	c.buf = m.Data[:cap(m.Data)]
+
+	n = copy(b, m.Data)
+	if n < len(m.Data) {
+		c.lastBuf = m.Data[n:]
+	}
+
+	return n, nil
+}
+
+func (c *conn) Write(b []byte) (int, error) {
+	m := &controlapi.BytesMessage{Data: b}
+	if err := c.stream.SendMsg(m); err != nil {
+		return 0, err
+	}
+	return len(b), nil
+}
+
+func (c *conn) Close() (err error) {
+	c.closedOnce.Do(func() {
+		defer func() {
+			close(c.closeCh)
+		}()
+
+		if cs, ok := c.stream.(grpc.ClientStream); ok {
+			err = cs.CloseSend()
+			if err != nil {
+				return
+			}
+		}
+
+		c.readMu.Lock()
+		for {
+			m := new(controlapi.BytesMessage)
+			m.Data = c.buf
+			err = c.stream.RecvMsg(m)
+			if err != nil {
+				if err != io.EOF {
+					return
+				}
+				err = nil
+				break
+			}
+			c.buf = m.Data[:cap(m.Data)]
+			c.lastBuf = append(c.lastBuf, c.buf...)
+		}
+		c.readMu.Unlock()
+
+	})
+	return nil
+}
+
+func (c *conn) LocalAddr() net.Addr {
+	return dummyAddr{}
+}
+func (c *conn) RemoteAddr() net.Addr {
+	return dummyAddr{}
+}
+func (c *conn) SetDeadline(t time.Time) error {
+	return nil
+}
+func (c *conn) SetReadDeadline(t time.Time) error {
+	return nil
+}
+func (c *conn) SetWriteDeadline(t time.Time) error {
+	return nil
+}
+
+type dummyAddr struct {
+}
+
+func (d dummyAddr) Network() string {
+	return "tcp"
+}
+
+func (d dummyAddr) String() string {
+	return "localhost"
+}
+
+func lowerHeaders(in map[string][]string) map[string][]string {
+	out := map[string][]string{}
+	for k := range in {
+		out[strings.ToLower(k)] = in[k]
+	}
+	return out
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/grpchijack/hijack.go b/cli/vendor/github.com/moby/buildkit/session/grpchijack/hijack.go
new file mode 100644
index 00000000..6e34b216
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/grpchijack/hijack.go
@@ -0,0 +1,14 @@
+package grpchijack
+
+import (
+	"net"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"google.golang.org/grpc/metadata"
+)
+
+func Hijack(stream controlapi.Control_SessionServer) (net.Conn, <-chan struct{}, map[string][]string) {
+	md, _ := metadata.FromIncomingContext(stream.Context())
+	c, closeCh := streamToConn(stream)
+	return c, closeCh, md
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/manager.go b/cli/vendor/github.com/moby/buildkit/session/manager.go
new file mode 100644
index 00000000..f401c7fb
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/manager.go
@@ -0,0 +1,218 @@
+package session
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+)
+
+// Caller can invoke requests on the session
+type Caller interface {
+	Context() context.Context
+	Supports(method string) bool
+	Conn() *grpc.ClientConn
+	Name() string
+	SharedKey() string
+}
+
+type client struct {
+	Session
+	cc        *grpc.ClientConn
+	supported map[string]struct{}
+}
+
+// Manager is a controller for accessing currently active sessions
+type Manager struct {
+	sessions        map[string]*client
+	mu              sync.Mutex
+	updateCondition *sync.Cond
+}
+
+// NewManager returns a new Manager
+func NewManager() (*Manager, error) {
+	sm := &Manager{
+		sessions: make(map[string]*client),
+	}
+	sm.updateCondition = sync.NewCond(&sm.mu)
+	return sm, nil
+}
+
+// HandleHTTPRequest handles an incoming HTTP request
+func (sm *Manager) HandleHTTPRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		return errors.New("handler does not support hijack")
+	}
+
+	id := r.Header.Get(headerSessionID)
+
+	proto := r.Header.Get("Upgrade")
+
+	sm.mu.Lock()
+	if _, ok := sm.sessions[id]; ok {
+		sm.mu.Unlock()
+		return errors.Errorf("session %s already exists", id)
+	}
+
+	if proto == "" {
+		sm.mu.Unlock()
+		return errors.New("no upgrade proto in request")
+	}
+
+	if proto != "h2c" {
+		sm.mu.Unlock()
+		return errors.Errorf("protocol %s not supported", proto)
+	}
+
+	conn, _, err := hijacker.Hijack()
+	if err != nil {
+		sm.mu.Unlock()
+		return errors.Wrap(err, "failed to hijack connection")
+	}
+
+	resp := &http.Response{
+		StatusCode: http.StatusSwitchingProtocols,
+		ProtoMajor: 1,
+		ProtoMinor: 1,
+		Header:     http.Header{},
+	}
+	resp.Header.Set("Connection", "Upgrade")
+	resp.Header.Set("Upgrade", proto)
+
+	// set raw mode
+	conn.Write([]byte{})
+	resp.Write(conn)
+
+	return sm.handleConn(ctx, conn, r.Header)
+}
+
+// HandleConn handles an incoming raw connection
+func (sm *Manager) HandleConn(ctx context.Context, conn net.Conn, opts map[string][]string) error {
+	sm.mu.Lock()
+	return sm.handleConn(ctx, conn, opts)
+}
+
+// caller needs to take lock, this function will release it
+func (sm *Manager) handleConn(ctx context.Context, conn net.Conn, opts map[string][]string) error {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	opts = canonicalHeaders(opts)
+
+	h := http.Header(opts)
+	id := h.Get(headerSessionID)
+	name := h.Get(headerSessionName)
+	sharedKey := h.Get(headerSessionSharedKey)
+
+	ctx, cc, err := grpcClientConn(ctx, conn)
+	if err != nil {
+		sm.mu.Unlock()
+		return err
+	}
+
+	c := &client{
+		Session: Session{
+			id:        id,
+			name:      name,
+			sharedKey: sharedKey,
+			ctx:       ctx,
+			cancelCtx: cancel,
+			done:      make(chan struct{}),
+		},
+		cc:        cc,
+		supported: make(map[string]struct{}),
+	}
+
+	for _, m := range opts[headerSessionMethod] {
+		c.supported[strings.ToLower(m)] = struct{}{}
+	}
+	sm.sessions[id] = c
+	sm.updateCondition.Broadcast()
+	sm.mu.Unlock()
+
+	defer func() {
+		sm.mu.Lock()
+		delete(sm.sessions, id)
+		sm.mu.Unlock()
+	}()
+
+	<-c.ctx.Done()
+	conn.Close()
+	close(c.done)
+
+	return nil
+}
+
+// Get returns a session by ID
+func (sm *Manager) Get(ctx context.Context, id string) (Caller, error) {
+	// session prefix is used to identify vertexes with different contexts so
+	// they would not collide, but for lookup we don't need the prefix
+	if p := strings.SplitN(id, ":", 2); len(p) == 2 && len(p[1]) > 0 {
+		id = p[1]
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	go func() {
+		select {
+		case <-ctx.Done():
+			sm.updateCondition.Broadcast()
+		}
+	}()
+
+	var c *client
+
+	sm.mu.Lock()
+	for {
+		select {
+		case <-ctx.Done():
+			sm.mu.Unlock()
+			return nil, errors.Wrapf(ctx.Err(), "no active session for %s", id)
+		default:
+		}
+		var ok bool
+		c, ok = sm.sessions[id]
+		if !ok || c.closed() {
+			sm.updateCondition.Wait()
+			continue
+		}
+		sm.mu.Unlock()
+		break
+	}
+
+	return c, nil
+}
+
+func (c *client) Context() context.Context {
+	return c.context()
+}
+
+func (c *client) Name() string {
+	return c.name
+}
+
+func (c *client) SharedKey() string {
+	return c.sharedKey
+}
+
+func (c *client) Supports(url string) bool {
+	_, ok := c.supported[strings.ToLower(url)]
+	return ok
+}
+func (c *client) Conn() *grpc.ClientConn {
+	return c.cc
+}
+
+func canonicalHeaders(in map[string][]string) map[string][]string {
+	out := map[string][]string{}
+	for k := range in {
+		out[http.CanonicalHeaderKey(k)] = in[k]
+	}
+	return out
+}
diff --git a/cli/vendor/github.com/moby/buildkit/session/session.go b/cli/vendor/github.com/moby/buildkit/session/session.go
new file mode 100644
index 00000000..47c95796
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/session/session.go
@@ -0,0 +1,143 @@
+package session
+
+import (
+	"context"
+	"net"
+	"strings"
+
+	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
+	"github.com/moby/buildkit/identity"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/health"
+	"google.golang.org/grpc/health/grpc_health_v1"
+)
+
+const (
+	headerSessionID        = "X-Docker-Expose-Session-Uuid"
+	headerSessionName      = "X-Docker-Expose-Session-Name"
+	headerSessionSharedKey = "X-Docker-Expose-Session-Sharedkey"
+	headerSessionMethod    = "X-Docker-Expose-Session-Grpc-Method"
+)
+
+// Dialer returns a connection that can be used by the session
+type Dialer func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error)
+
+// Attachable defines a feature that can be expsed on a session
+type Attachable interface {
+	Register(*grpc.Server)
+}
+
+// Session is a long running connection between client and a daemon
+type Session struct {
+	id         string
+	name       string
+	sharedKey  string
+	ctx        context.Context
+	cancelCtx  func()
+	done       chan struct{}
+	grpcServer *grpc.Server
+	conn       net.Conn
+}
+
+// NewSession returns a new long running session
+func NewSession(ctx context.Context, name, sharedKey string) (*Session, error) {
+	id := identity.NewID()
+
+	serverOpts := []grpc.ServerOption{}
+	if span := opentracing.SpanFromContext(ctx); span != nil {
+		tracer := span.Tracer()
+		serverOpts = []grpc.ServerOption{
+			grpc.StreamInterceptor(otgrpc.OpenTracingStreamServerInterceptor(span.Tracer(), traceFilter())),
+			grpc.UnaryInterceptor(otgrpc.OpenTracingServerInterceptor(tracer, traceFilter())),
+		}
+	}
+
+	s := &Session{
+		id:         id,
+		name:       name,
+		sharedKey:  sharedKey,
+		grpcServer: grpc.NewServer(serverOpts...),
+	}
+
+	grpc_health_v1.RegisterHealthServer(s.grpcServer, health.NewServer())
+
+	return s, nil
+}
+
+// Allow enable a given service to be reachable through the grpc session
+func (s *Session) Allow(a Attachable) {
+	a.Register(s.grpcServer)
+}
+
+// ID returns unique identifier for the session
+func (s *Session) ID() string {
+	return s.id
+}
+
+// Run activates the session
+func (s *Session) Run(ctx context.Context, dialer Dialer) error {
+	ctx, cancel := context.WithCancel(ctx)
+	s.cancelCtx = cancel
+	s.done = make(chan struct{})
+
+	defer cancel()
+	defer close(s.done)
+
+	meta := make(map[string][]string)
+	meta[headerSessionID] = []string{s.id}
+	meta[headerSessionName] = []string{s.name}
+	meta[headerSessionSharedKey] = []string{s.sharedKey}
+
+	for name, svc := range s.grpcServer.GetServiceInfo() {
+		for _, method := range svc.Methods {
+			meta[headerSessionMethod] = append(meta[headerSessionMethod], MethodURL(name, method.Name))
+		}
+	}
+	conn, err := dialer(ctx, "h2c", meta)
+	if err != nil {
+		return errors.Wrap(err, "failed to dial gRPC")
+	}
+	s.conn = conn
+	serve(ctx, s.grpcServer, conn)
+	return nil
+}
+
+// Close closes the session
+func (s *Session) Close() error {
+	if s.cancelCtx != nil && s.done != nil {
+		if s.conn != nil {
+			s.conn.Close()
+		}
+		s.grpcServer.Stop()
+		<-s.done
+	}
+	return nil
+}
+
+func (s *Session) context() context.Context {
+	return s.ctx
+}
+
+func (s *Session) closed() bool {
+	select {
+	case <-s.context().Done():
+		return true
+	default:
+		return false
+	}
+}
+
+// MethodURL returns a gRPC method URL for service and method name
+func MethodURL(s, m string) string {
+	return "/" + s + "/" + m
+}
+
+func traceFilter() otgrpc.Option {
+	return otgrpc.IncludingSpans(func(parentSpanCtx opentracing.SpanContext,
+		method string,
+		req, resp interface{}) bool {
+		return !strings.HasSuffix(method, "Health/Check")
+	})
+}
diff --git a/cli/vendor/github.com/moby/buildkit/solver/pb/attr.go b/cli/vendor/github.com/moby/buildkit/solver/pb/attr.go
new file mode 100644
index 00000000..6f5f77ff
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/solver/pb/attr.go
@@ -0,0 +1,17 @@
+package pb
+
+const AttrKeepGitDir = "git.keepgitdir"
+const AttrFullRemoteURL = "git.fullurl"
+const AttrLocalSessionID = "local.session"
+const AttrLocalUniqueID = "local.unique"
+const AttrIncludePatterns = "local.includepattern"
+const AttrFollowPaths = "local.followpaths"
+const AttrExcludePatterns = "local.excludepatterns"
+const AttrSharedKeyHint = "local.sharedkeyhint"
+const AttrLLBDefinitionFilename = "llbbuild.filename"
+
+const AttrHTTPChecksum = "http.checksum"
+const AttrHTTPFilename = "http.filename"
+const AttrHTTPPerm = "http.perm"
+const AttrHTTPUID = "http.uid"
+const AttrHTTPGID = "http.gid"
diff --git a/cli/vendor/github.com/moby/buildkit/solver/pb/const.go b/cli/vendor/github.com/moby/buildkit/solver/pb/const.go
new file mode 100644
index 00000000..2cb99510
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/solver/pb/const.go
@@ -0,0 +1,12 @@
+package pb
+
+type InputIndex int64
+type OutputIndex int64
+
+const RootMount = "/"
+const SkipOutput OutputIndex = -1
+const Empty InputIndex = -1
+const LLBBuilder InputIndex = -1
+
+const LLBDefinitionInput = "buildkit.llb.definition"
+const LLBDefaultDefinitionFile = LLBDefinitionInput
diff --git a/cli/vendor/github.com/moby/buildkit/solver/pb/generate.go b/cli/vendor/github.com/moby/buildkit/solver/pb/generate.go
new file mode 100644
index 00000000..c31e148f
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/solver/pb/generate.go
@@ -0,0 +1,3 @@
+package pb
+
+//go:generate protoc -I=. -I=../../vendor/ --gogofaster_out=. ops.proto
diff --git a/cli/vendor/github.com/moby/buildkit/solver/pb/ops.pb.go b/cli/vendor/github.com/moby/buildkit/solver/pb/ops.pb.go
new file mode 100644
index 00000000..881e87c3
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/solver/pb/ops.pb.go
@@ -0,0 +1,4960 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: ops.proto
+
+/*
+	Package pb is a generated protocol buffer package.
+
+	Package pb provides the protobuf definition of LLB: low-level builder instruction.
+	LLB is DAG-structured; Op represents a vertex, and Definition represents a graph.
+
+	It is generated from these files:
+		ops.proto
+
+	It has these top-level messages:
+		Op
+		Platform
+		Input
+		ExecOp
+		Meta
+		Mount
+		CacheOpt
+		CopyOp
+		CopySource
+		SourceOp
+		BuildOp
+		BuildInput
+		OpMetadata
+		ExportCache
+		ProxyEnv
+		WorkerConstraints
+		Definition
+*/
+package pb
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+import _ "github.com/gogo/protobuf/gogoproto"
+
+import github_com_opencontainers_go_digest "github.com/opencontainers/go-digest"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+// MountType defines a type of a mount from a supported set
+type MountType int32
+
+const (
+	MountType_BIND   MountType = 0
+	MountType_SECRET MountType = 1
+	MountType_SSH    MountType = 2
+	MountType_CACHE  MountType = 3
+	MountType_TMPFS  MountType = 4
+)
+
+var MountType_name = map[int32]string{
+	0: "BIND",
+	1: "SECRET",
+	2: "SSH",
+	3: "CACHE",
+	4: "TMPFS",
+}
+var MountType_value = map[string]int32{
+	"BIND":   0,
+	"SECRET": 1,
+	"SSH":    2,
+	"CACHE":  3,
+	"TMPFS":  4,
+}
+
+func (x MountType) String() string {
+	return proto.EnumName(MountType_name, int32(x))
+}
+func (MountType) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{0} }
+
+// CacheSharingOpt defines different sharing modes for cache mount
+type CacheSharingOpt int32
+
+const (
+	// SHARED cache mount can be used concurrently by multiple writers
+	CacheSharingOpt_SHARED CacheSharingOpt = 0
+	// PRIVATE creates a new mount if there are multiple writers
+	CacheSharingOpt_PRIVATE CacheSharingOpt = 1
+	// LOCKED pauses second writer until first one releases the mount
+	CacheSharingOpt_LOCKED CacheSharingOpt = 2
+)
+
+var CacheSharingOpt_name = map[int32]string{
+	0: "SHARED",
+	1: "PRIVATE",
+	2: "LOCKED",
+}
+var CacheSharingOpt_value = map[string]int32{
+	"SHARED":  0,
+	"PRIVATE": 1,
+	"LOCKED":  2,
+}
+
+func (x CacheSharingOpt) String() string {
+	return proto.EnumName(CacheSharingOpt_name, int32(x))
+}
+func (CacheSharingOpt) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{1} }
+
+// Op represents a vertex of the LLB DAG.
+type Op struct {
+	// inputs is a set of input edges.
+	Inputs []*Input `protobuf:"bytes,1,rep,name=inputs" json:"inputs,omitempty"`
+	// Types that are valid to be assigned to Op:
+	//	*Op_Exec
+	//	*Op_Source
+	//	*Op_Copy
+	//	*Op_Build
+	Op          isOp_Op            `protobuf_oneof:"op"`
+	Platform    *Platform          `protobuf:"bytes,10,opt,name=platform" json:"platform,omitempty"`
+	Constraints *WorkerConstraints `protobuf:"bytes,11,opt,name=constraints" json:"constraints,omitempty"`
+}
+
+func (m *Op) Reset()                    { *m = Op{} }
+func (m *Op) String() string            { return proto.CompactTextString(m) }
+func (*Op) ProtoMessage()               {}
+func (*Op) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{0} }
+
+type isOp_Op interface {
+	isOp_Op()
+	MarshalTo([]byte) (int, error)
+	Size() int
+}
+
+type Op_Exec struct {
+	Exec *ExecOp `protobuf:"bytes,2,opt,name=exec,oneof"`
+}
+type Op_Source struct {
+	Source *SourceOp `protobuf:"bytes,3,opt,name=source,oneof"`
+}
+type Op_Copy struct {
+	Copy *CopyOp `protobuf:"bytes,4,opt,name=copy,oneof"`
+}
+type Op_Build struct {
+	Build *BuildOp `protobuf:"bytes,5,opt,name=build,oneof"`
+}
+
+func (*Op_Exec) isOp_Op()   {}
+func (*Op_Source) isOp_Op() {}
+func (*Op_Copy) isOp_Op()   {}
+func (*Op_Build) isOp_Op()  {}
+
+func (m *Op) GetOp() isOp_Op {
+	if m != nil {
+		return m.Op
+	}
+	return nil
+}
+
+func (m *Op) GetInputs() []*Input {
+	if m != nil {
+		return m.Inputs
+	}
+	return nil
+}
+
+func (m *Op) GetExec() *ExecOp {
+	if x, ok := m.GetOp().(*Op_Exec); ok {
+		return x.Exec
+	}
+	return nil
+}
+
+func (m *Op) GetSource() *SourceOp {
+	if x, ok := m.GetOp().(*Op_Source); ok {
+		return x.Source
+	}
+	return nil
+}
+
+func (m *Op) GetCopy() *CopyOp {
+	if x, ok := m.GetOp().(*Op_Copy); ok {
+		return x.Copy
+	}
+	return nil
+}
+
+func (m *Op) GetBuild() *BuildOp {
+	if x, ok := m.GetOp().(*Op_Build); ok {
+		return x.Build
+	}
+	return nil
+}
+
+func (m *Op) GetPlatform() *Platform {
+	if m != nil {
+		return m.Platform
+	}
+	return nil
+}
+
+func (m *Op) GetConstraints() *WorkerConstraints {
+	if m != nil {
+		return m.Constraints
+	}
+	return nil
+}
+
+// XXX_OneofFuncs is for the internal use of the proto package.
+func (*Op) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
+	return _Op_OneofMarshaler, _Op_OneofUnmarshaler, _Op_OneofSizer, []interface{}{
+		(*Op_Exec)(nil),
+		(*Op_Source)(nil),
+		(*Op_Copy)(nil),
+		(*Op_Build)(nil),
+	}
+}
+
+func _Op_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
+	m := msg.(*Op)
+	// op
+	switch x := m.Op.(type) {
+	case *Op_Exec:
+		_ = b.EncodeVarint(2<<3 | proto.WireBytes)
+		if err := b.EncodeMessage(x.Exec); err != nil {
+			return err
+		}
+	case *Op_Source:
+		_ = b.EncodeVarint(3<<3 | proto.WireBytes)
+		if err := b.EncodeMessage(x.Source); err != nil {
+			return err
+		}
+	case *Op_Copy:
+		_ = b.EncodeVarint(4<<3 | proto.WireBytes)
+		if err := b.EncodeMessage(x.Copy); err != nil {
+			return err
+		}
+	case *Op_Build:
+		_ = b.EncodeVarint(5<<3 | proto.WireBytes)
+		if err := b.EncodeMessage(x.Build); err != nil {
+			return err
+		}
+	case nil:
+	default:
+		return fmt.Errorf("Op.Op has unexpected type %T", x)
+	}
+	return nil
+}
+
+func _Op_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
+	m := msg.(*Op)
+	switch tag {
+	case 2: // op.exec
+		if wire != proto.WireBytes {
+			return true, proto.ErrInternalBadWireType
+		}
+		msg := new(ExecOp)
+		err := b.DecodeMessage(msg)
+		m.Op = &Op_Exec{msg}
+		return true, err
+	case 3: // op.source
+		if wire != proto.WireBytes {
+			return true, proto.ErrInternalBadWireType
+		}
+		msg := new(SourceOp)
+		err := b.DecodeMessage(msg)
+		m.Op = &Op_Source{msg}
+		return true, err
+	case 4: // op.copy
+		if wire != proto.WireBytes {
+			return true, proto.ErrInternalBadWireType
+		}
+		msg := new(CopyOp)
+		err := b.DecodeMessage(msg)
+		m.Op = &Op_Copy{msg}
+		return true, err
+	case 5: // op.build
+		if wire != proto.WireBytes {
+			return true, proto.ErrInternalBadWireType
+		}
+		msg := new(BuildOp)
+		err := b.DecodeMessage(msg)
+		m.Op = &Op_Build{msg}
+		return true, err
+	default:
+		return false, nil
+	}
+}
+
+func _Op_OneofSizer(msg proto.Message) (n int) {
+	m := msg.(*Op)
+	// op
+	switch x := m.Op.(type) {
+	case *Op_Exec:
+		s := proto.Size(x.Exec)
+		n += proto.SizeVarint(2<<3 | proto.WireBytes)
+		n += proto.SizeVarint(uint64(s))
+		n += s
+	case *Op_Source:
+		s := proto.Size(x.Source)
+		n += proto.SizeVarint(3<<3 | proto.WireBytes)
+		n += proto.SizeVarint(uint64(s))
+		n += s
+	case *Op_Copy:
+		s := proto.Size(x.Copy)
+		n += proto.SizeVarint(4<<3 | proto.WireBytes)
+		n += proto.SizeVarint(uint64(s))
+		n += s
+	case *Op_Build:
+		s := proto.Size(x.Build)
+		n += proto.SizeVarint(5<<3 | proto.WireBytes)
+		n += proto.SizeVarint(uint64(s))
+		n += s
+	case nil:
+	default:
+		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
+	}
+	return n
+}
+
+// Platform is github.com/opencontainers/image-spec/specs-go/v1.Platform
+type Platform struct {
+	Architecture string   `protobuf:"bytes,1,opt,name=Architecture,proto3" json:"Architecture,omitempty"`
+	OS           string   `protobuf:"bytes,2,opt,name=OS,proto3" json:"OS,omitempty"`
+	Variant      string   `protobuf:"bytes,3,opt,name=Variant,proto3" json:"Variant,omitempty"`
+	OSVersion    string   `protobuf:"bytes,4,opt,name=OSVersion,proto3" json:"OSVersion,omitempty"`
+	OSFeatures   []string `protobuf:"bytes,5,rep,name=OSFeatures" json:"OSFeatures,omitempty"`
+}
+
+func (m *Platform) Reset()                    { *m = Platform{} }
+func (m *Platform) String() string            { return proto.CompactTextString(m) }
+func (*Platform) ProtoMessage()               {}
+func (*Platform) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{1} }
+
+func (m *Platform) GetArchitecture() string {
+	if m != nil {
+		return m.Architecture
+	}
+	return ""
+}
+
+func (m *Platform) GetOS() string {
+	if m != nil {
+		return m.OS
+	}
+	return ""
+}
+
+func (m *Platform) GetVariant() string {
+	if m != nil {
+		return m.Variant
+	}
+	return ""
+}
+
+func (m *Platform) GetOSVersion() string {
+	if m != nil {
+		return m.OSVersion
+	}
+	return ""
+}
+
+func (m *Platform) GetOSFeatures() []string {
+	if m != nil {
+		return m.OSFeatures
+	}
+	return nil
+}
+
+// Input represents an input edge for an Op.
+type Input struct {
+	// digest of the marshaled input Op
+	Digest github_com_opencontainers_go_digest.Digest `protobuf:"bytes,1,opt,name=digest,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"digest"`
+	// output index of the input Op
+	Index OutputIndex `protobuf:"varint,2,opt,name=index,proto3,customtype=OutputIndex" json:"index"`
+}
+
+func (m *Input) Reset()                    { *m = Input{} }
+func (m *Input) String() string            { return proto.CompactTextString(m) }
+func (*Input) ProtoMessage()               {}
+func (*Input) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{2} }
+
+// ExecOp executes a command in a container.
+type ExecOp struct {
+	Meta   *Meta    `protobuf:"bytes,1,opt,name=meta" json:"meta,omitempty"`
+	Mounts []*Mount `protobuf:"bytes,2,rep,name=mounts" json:"mounts,omitempty"`
+}
+
+func (m *ExecOp) Reset()                    { *m = ExecOp{} }
+func (m *ExecOp) String() string            { return proto.CompactTextString(m) }
+func (*ExecOp) ProtoMessage()               {}
+func (*ExecOp) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{3} }
+
+func (m *ExecOp) GetMeta() *Meta {
+	if m != nil {
+		return m.Meta
+	}
+	return nil
+}
+
+func (m *ExecOp) GetMounts() []*Mount {
+	if m != nil {
+		return m.Mounts
+	}
+	return nil
+}
+
+// Meta is a set of arguments for ExecOp.
+// Meta is unrelated to LLB metadata.
+// FIXME: rename (ExecContext? ExecArgs?)
+type Meta struct {
+	Args     []string  `protobuf:"bytes,1,rep,name=args" json:"args,omitempty"`
+	Env      []string  `protobuf:"bytes,2,rep,name=env" json:"env,omitempty"`
+	Cwd      string    `protobuf:"bytes,3,opt,name=cwd,proto3" json:"cwd,omitempty"`
+	User     string    `protobuf:"bytes,4,opt,name=user,proto3" json:"user,omitempty"`
+	ProxyEnv *ProxyEnv `protobuf:"bytes,5,opt,name=proxy_env,json=proxyEnv" json:"proxy_env,omitempty"`
+}
+
+func (m *Meta) Reset()                    { *m = Meta{} }
+func (m *Meta) String() string            { return proto.CompactTextString(m) }
+func (*Meta) ProtoMessage()               {}
+func (*Meta) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{4} }
+
+func (m *Meta) GetArgs() []string {
+	if m != nil {
+		return m.Args
+	}
+	return nil
+}
+
+func (m *Meta) GetEnv() []string {
+	if m != nil {
+		return m.Env
+	}
+	return nil
+}
+
+func (m *Meta) GetCwd() string {
+	if m != nil {
+		return m.Cwd
+	}
+	return ""
+}
+
+func (m *Meta) GetUser() string {
+	if m != nil {
+		return m.User
+	}
+	return ""
+}
+
+func (m *Meta) GetProxyEnv() *ProxyEnv {
+	if m != nil {
+		return m.ProxyEnv
+	}
+	return nil
+}
+
+// Mount specifies how to mount an input Op as a filesystem.
+type Mount struct {
+	Input     InputIndex  `protobuf:"varint,1,opt,name=input,proto3,customtype=InputIndex" json:"input"`
+	Selector  string      `protobuf:"bytes,2,opt,name=selector,proto3" json:"selector,omitempty"`
+	Dest      string      `protobuf:"bytes,3,opt,name=dest,proto3" json:"dest,omitempty"`
+	Output    OutputIndex `protobuf:"varint,4,opt,name=output,proto3,customtype=OutputIndex" json:"output"`
+	Readonly  bool        `protobuf:"varint,5,opt,name=readonly,proto3" json:"readonly,omitempty"`
+	MountType MountType   `protobuf:"varint,6,opt,name=mountType,proto3,enum=pb.MountType" json:"mountType,omitempty"`
+	CacheOpt  *CacheOpt   `protobuf:"bytes,20,opt,name=cacheOpt" json:"cacheOpt,omitempty"`
+}
+
+func (m *Mount) Reset()                    { *m = Mount{} }
+func (m *Mount) String() string            { return proto.CompactTextString(m) }
+func (*Mount) ProtoMessage()               {}
+func (*Mount) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{5} }
+
+func (m *Mount) GetSelector() string {
+	if m != nil {
+		return m.Selector
+	}
+	return ""
+}
+
+func (m *Mount) GetDest() string {
+	if m != nil {
+		return m.Dest
+	}
+	return ""
+}
+
+func (m *Mount) GetReadonly() bool {
+	if m != nil {
+		return m.Readonly
+	}
+	return false
+}
+
+func (m *Mount) GetMountType() MountType {
+	if m != nil {
+		return m.MountType
+	}
+	return MountType_BIND
+}
+
+func (m *Mount) GetCacheOpt() *CacheOpt {
+	if m != nil {
+		return m.CacheOpt
+	}
+	return nil
+}
+
+// CacheOpt defines options specific to cache mounts
+type CacheOpt struct {
+	// ID is an optional namespace for the mount
+	ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	// Sharing is the sharing mode for the mount
+	Sharing CacheSharingOpt `protobuf:"varint,2,opt,name=sharing,proto3,enum=pb.CacheSharingOpt" json:"sharing,omitempty"`
+}
+
+func (m *CacheOpt) Reset()                    { *m = CacheOpt{} }
+func (m *CacheOpt) String() string            { return proto.CompactTextString(m) }
+func (*CacheOpt) ProtoMessage()               {}
+func (*CacheOpt) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{6} }
+
+func (m *CacheOpt) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+func (m *CacheOpt) GetSharing() CacheSharingOpt {
+	if m != nil {
+		return m.Sharing
+	}
+	return CacheSharingOpt_SHARED
+}
+
+// CopyOp copies files across Ops.
+type CopyOp struct {
+	Src  []*CopySource `protobuf:"bytes,1,rep,name=src" json:"src,omitempty"`
+	Dest string        `protobuf:"bytes,2,opt,name=dest,proto3" json:"dest,omitempty"`
+}
+
+func (m *CopyOp) Reset()                    { *m = CopyOp{} }
+func (m *CopyOp) String() string            { return proto.CompactTextString(m) }
+func (*CopyOp) ProtoMessage()               {}
+func (*CopyOp) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{7} }
+
+func (m *CopyOp) GetSrc() []*CopySource {
+	if m != nil {
+		return m.Src
+	}
+	return nil
+}
+
+func (m *CopyOp) GetDest() string {
+	if m != nil {
+		return m.Dest
+	}
+	return ""
+}
+
+// CopySource specifies a source for CopyOp.
+type CopySource struct {
+	Input    InputIndex `protobuf:"varint,1,opt,name=input,proto3,customtype=InputIndex" json:"input"`
+	Selector string     `protobuf:"bytes,2,opt,name=selector,proto3" json:"selector,omitempty"`
+}
+
+func (m *CopySource) Reset()                    { *m = CopySource{} }
+func (m *CopySource) String() string            { return proto.CompactTextString(m) }
+func (*CopySource) ProtoMessage()               {}
+func (*CopySource) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{8} }
+
+func (m *CopySource) GetSelector() string {
+	if m != nil {
+		return m.Selector
+	}
+	return ""
+}
+
+// SourceOp specifies a source such as build contexts and images.
+type SourceOp struct {
+	// TODO: use source type or any type instead of URL protocol.
+	// identifier e.g. local://, docker-image://, git://, https://...
+	Identifier string `protobuf:"bytes,1,opt,name=identifier,proto3" json:"identifier,omitempty"`
+	// attrs are defined in attr.go
+	Attrs map[string]string `protobuf:"bytes,2,rep,name=attrs" json:"attrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *SourceOp) Reset()                    { *m = SourceOp{} }
+func (m *SourceOp) String() string            { return proto.CompactTextString(m) }
+func (*SourceOp) ProtoMessage()               {}
+func (*SourceOp) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{9} }
+
+func (m *SourceOp) GetIdentifier() string {
+	if m != nil {
+		return m.Identifier
+	}
+	return ""
+}
+
+func (m *SourceOp) GetAttrs() map[string]string {
+	if m != nil {
+		return m.Attrs
+	}
+	return nil
+}
+
+// BuildOp is used for nested build invocation.
+// BuildOp is experimental and can break without backwards compatibility
+type BuildOp struct {
+	Builder InputIndex             `protobuf:"varint,1,opt,name=builder,proto3,customtype=InputIndex" json:"builder"`
+	Inputs  map[string]*BuildInput `protobuf:"bytes,2,rep,name=inputs" json:"inputs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value"`
+	Def     *Definition            `protobuf:"bytes,3,opt,name=def" json:"def,omitempty"`
+	Attrs   map[string]string      `protobuf:"bytes,4,rep,name=attrs" json:"attrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *BuildOp) Reset()                    { *m = BuildOp{} }
+func (m *BuildOp) String() string            { return proto.CompactTextString(m) }
+func (*BuildOp) ProtoMessage()               {}
+func (*BuildOp) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{10} }
+
+func (m *BuildOp) GetInputs() map[string]*BuildInput {
+	if m != nil {
+		return m.Inputs
+	}
+	return nil
+}
+
+func (m *BuildOp) GetDef() *Definition {
+	if m != nil {
+		return m.Def
+	}
+	return nil
+}
+
+func (m *BuildOp) GetAttrs() map[string]string {
+	if m != nil {
+		return m.Attrs
+	}
+	return nil
+}
+
+// BuildInput is used for BuildOp.
+type BuildInput struct {
+	Input InputIndex `protobuf:"varint,1,opt,name=input,proto3,customtype=InputIndex" json:"input"`
+}
+
+func (m *BuildInput) Reset()                    { *m = BuildInput{} }
+func (m *BuildInput) String() string            { return proto.CompactTextString(m) }
+func (*BuildInput) ProtoMessage()               {}
+func (*BuildInput) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{11} }
+
+// OpMetadata is a per-vertex metadata entry, which can be defined for arbitrary Op vertex and overridable on the run time.
+type OpMetadata struct {
+	// ignore_cache specifies to ignore the cache for this Op.
+	IgnoreCache bool `protobuf:"varint,1,opt,name=ignore_cache,json=ignoreCache,proto3" json:"ignore_cache,omitempty"`
+	// Description can be used for keeping any text fields that builder doesn't parse
+	Description map[string]string `protobuf:"bytes,2,rep,name=description" json:"description,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	// index 3 reserved for WorkerConstraint in previous versions
+	// WorkerConstraint worker_constraint = 3;
+	ExportCache *ExportCache `protobuf:"bytes,4,opt,name=export_cache,json=exportCache" json:"export_cache,omitempty"`
+}
+
+func (m *OpMetadata) Reset()                    { *m = OpMetadata{} }
+func (m *OpMetadata) String() string            { return proto.CompactTextString(m) }
+func (*OpMetadata) ProtoMessage()               {}
+func (*OpMetadata) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{12} }
+
+func (m *OpMetadata) GetIgnoreCache() bool {
+	if m != nil {
+		return m.IgnoreCache
+	}
+	return false
+}
+
+func (m *OpMetadata) GetDescription() map[string]string {
+	if m != nil {
+		return m.Description
+	}
+	return nil
+}
+
+func (m *OpMetadata) GetExportCache() *ExportCache {
+	if m != nil {
+		return m.ExportCache
+	}
+	return nil
+}
+
+type ExportCache struct {
+	Value bool `protobuf:"varint,1,opt,name=Value,proto3" json:"Value,omitempty"`
+}
+
+func (m *ExportCache) Reset()                    { *m = ExportCache{} }
+func (m *ExportCache) String() string            { return proto.CompactTextString(m) }
+func (*ExportCache) ProtoMessage()               {}
+func (*ExportCache) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{13} }
+
+func (m *ExportCache) GetValue() bool {
+	if m != nil {
+		return m.Value
+	}
+	return false
+}
+
+type ProxyEnv struct {
+	HttpProxy  string `protobuf:"bytes,1,opt,name=http_proxy,json=httpProxy,proto3" json:"http_proxy,omitempty"`
+	HttpsProxy string `protobuf:"bytes,2,opt,name=https_proxy,json=httpsProxy,proto3" json:"https_proxy,omitempty"`
+	FtpProxy   string `protobuf:"bytes,3,opt,name=ftp_proxy,json=ftpProxy,proto3" json:"ftp_proxy,omitempty"`
+	NoProxy    string `protobuf:"bytes,4,opt,name=no_proxy,json=noProxy,proto3" json:"no_proxy,omitempty"`
+}
+
+func (m *ProxyEnv) Reset()                    { *m = ProxyEnv{} }
+func (m *ProxyEnv) String() string            { return proto.CompactTextString(m) }
+func (*ProxyEnv) ProtoMessage()               {}
+func (*ProxyEnv) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{14} }
+
+func (m *ProxyEnv) GetHttpProxy() string {
+	if m != nil {
+		return m.HttpProxy
+	}
+	return ""
+}
+
+func (m *ProxyEnv) GetHttpsProxy() string {
+	if m != nil {
+		return m.HttpsProxy
+	}
+	return ""
+}
+
+func (m *ProxyEnv) GetFtpProxy() string {
+	if m != nil {
+		return m.FtpProxy
+	}
+	return ""
+}
+
+func (m *ProxyEnv) GetNoProxy() string {
+	if m != nil {
+		return m.NoProxy
+	}
+	return ""
+}
+
+// WorkerConstraints defines conditions for the worker
+type WorkerConstraints struct {
+	Filter []string `protobuf:"bytes,1,rep,name=filter" json:"filter,omitempty"`
+}
+
+func (m *WorkerConstraints) Reset()                    { *m = WorkerConstraints{} }
+func (m *WorkerConstraints) String() string            { return proto.CompactTextString(m) }
+func (*WorkerConstraints) ProtoMessage()               {}
+func (*WorkerConstraints) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{15} }
+
+func (m *WorkerConstraints) GetFilter() []string {
+	if m != nil {
+		return m.Filter
+	}
+	return nil
+}
+
+// Definition is the LLB definition structure with per-vertex metadata entries
+type Definition struct {
+	// def is a list of marshaled Op messages
+	Def [][]byte `protobuf:"bytes,1,rep,name=def" json:"def,omitempty"`
+	// metadata contains metadata for the each of the Op messages.
+	// A key must be an LLB op digest string. Currently, empty string is not expected as a key, but it may change in the future.
+	Metadata map[github_com_opencontainers_go_digest.Digest]OpMetadata `protobuf:"bytes,2,rep,name=metadata,castkey=github.com/opencontainers/go-digest.Digest" json:"metadata" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value"`
+}
+
+func (m *Definition) Reset()                    { *m = Definition{} }
+func (m *Definition) String() string            { return proto.CompactTextString(m) }
+func (*Definition) ProtoMessage()               {}
+func (*Definition) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{16} }
+
+func (m *Definition) GetDef() [][]byte {
+	if m != nil {
+		return m.Def
+	}
+	return nil
+}
+
+func (m *Definition) GetMetadata() map[github_com_opencontainers_go_digest.Digest]OpMetadata {
+	if m != nil {
+		return m.Metadata
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*Op)(nil), "pb.Op")
+	proto.RegisterType((*Platform)(nil), "pb.Platform")
+	proto.RegisterType((*Input)(nil), "pb.Input")
+	proto.RegisterType((*ExecOp)(nil), "pb.ExecOp")
+	proto.RegisterType((*Meta)(nil), "pb.Meta")
+	proto.RegisterType((*Mount)(nil), "pb.Mount")
+	proto.RegisterType((*CacheOpt)(nil), "pb.CacheOpt")
+	proto.RegisterType((*CopyOp)(nil), "pb.CopyOp")
+	proto.RegisterType((*CopySource)(nil), "pb.CopySource")
+	proto.RegisterType((*SourceOp)(nil), "pb.SourceOp")
+	proto.RegisterType((*BuildOp)(nil), "pb.BuildOp")
+	proto.RegisterType((*BuildInput)(nil), "pb.BuildInput")
+	proto.RegisterType((*OpMetadata)(nil), "pb.OpMetadata")
+	proto.RegisterType((*ExportCache)(nil), "pb.ExportCache")
+	proto.RegisterType((*ProxyEnv)(nil), "pb.ProxyEnv")
+	proto.RegisterType((*WorkerConstraints)(nil), "pb.WorkerConstraints")
+	proto.RegisterType((*Definition)(nil), "pb.Definition")
+	proto.RegisterEnum("pb.MountType", MountType_name, MountType_value)
+	proto.RegisterEnum("pb.CacheSharingOpt", CacheSharingOpt_name, CacheSharingOpt_value)
+}
+func (m *Op) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Op) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Inputs) > 0 {
+		for _, msg := range m.Inputs {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.Op != nil {
+		nn1, err := m.Op.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += nn1
+	}
+	if m.Platform != nil {
+		dAtA[i] = 0x52
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Platform.Size()))
+		n2, err := m.Platform.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n2
+	}
+	if m.Constraints != nil {
+		dAtA[i] = 0x5a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Constraints.Size()))
+		n3, err := m.Constraints.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n3
+	}
+	return i, nil
+}
+
+func (m *Op_Exec) MarshalTo(dAtA []byte) (int, error) {
+	i := 0
+	if m.Exec != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Exec.Size()))
+		n4, err := m.Exec.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n4
+	}
+	return i, nil
+}
+func (m *Op_Source) MarshalTo(dAtA []byte) (int, error) {
+	i := 0
+	if m.Source != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Source.Size()))
+		n5, err := m.Source.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n5
+	}
+	return i, nil
+}
+func (m *Op_Copy) MarshalTo(dAtA []byte) (int, error) {
+	i := 0
+	if m.Copy != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Copy.Size()))
+		n6, err := m.Copy.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n6
+	}
+	return i, nil
+}
+func (m *Op_Build) MarshalTo(dAtA []byte) (int, error) {
+	i := 0
+	if m.Build != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Build.Size()))
+		n7, err := m.Build.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	return i, nil
+}
+func (m *Platform) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Platform) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Architecture) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Architecture)))
+		i += copy(dAtA[i:], m.Architecture)
+	}
+	if len(m.OS) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.OS)))
+		i += copy(dAtA[i:], m.OS)
+	}
+	if len(m.Variant) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Variant)))
+		i += copy(dAtA[i:], m.Variant)
+	}
+	if len(m.OSVersion) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.OSVersion)))
+		i += copy(dAtA[i:], m.OSVersion)
+	}
+	if len(m.OSFeatures) > 0 {
+		for _, s := range m.OSFeatures {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *Input) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Input) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Digest) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Digest)))
+		i += copy(dAtA[i:], m.Digest)
+	}
+	if m.Index != 0 {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Index))
+	}
+	return i, nil
+}
+
+func (m *ExecOp) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ExecOp) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Meta != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Meta.Size()))
+		n8, err := m.Meta.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	if len(m.Mounts) > 0 {
+		for _, msg := range m.Mounts {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *Meta) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Meta) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Args) > 0 {
+		for _, s := range m.Args {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Env) > 0 {
+		for _, s := range m.Env {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Cwd) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Cwd)))
+		i += copy(dAtA[i:], m.Cwd)
+	}
+	if len(m.User) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.User)))
+		i += copy(dAtA[i:], m.User)
+	}
+	if m.ProxyEnv != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.ProxyEnv.Size()))
+		n9, err := m.ProxyEnv.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n9
+	}
+	return i, nil
+}
+
+func (m *Mount) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Mount) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Input != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Input))
+	}
+	if len(m.Selector) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Selector)))
+		i += copy(dAtA[i:], m.Selector)
+	}
+	if len(m.Dest) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Dest)))
+		i += copy(dAtA[i:], m.Dest)
+	}
+	if m.Output != 0 {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Output))
+	}
+	if m.Readonly {
+		dAtA[i] = 0x28
+		i++
+		if m.Readonly {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.MountType != 0 {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.MountType))
+	}
+	if m.CacheOpt != nil {
+		dAtA[i] = 0xa2
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.CacheOpt.Size()))
+		n10, err := m.CacheOpt.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n10
+	}
+	return i, nil
+}
+
+func (m *CacheOpt) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CacheOpt) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	if m.Sharing != 0 {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Sharing))
+	}
+	return i, nil
+}
+
+func (m *CopyOp) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CopyOp) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Src) > 0 {
+		for _, msg := range m.Src {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Dest) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Dest)))
+		i += copy(dAtA[i:], m.Dest)
+	}
+	return i, nil
+}
+
+func (m *CopySource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CopySource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Input != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Input))
+	}
+	if len(m.Selector) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Selector)))
+		i += copy(dAtA[i:], m.Selector)
+	}
+	return i, nil
+}
+
+func (m *SourceOp) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SourceOp) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Identifier) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Identifier)))
+		i += copy(dAtA[i:], m.Identifier)
+	}
+	if len(m.Attrs) > 0 {
+		for k, _ := range m.Attrs {
+			dAtA[i] = 0x12
+			i++
+			v := m.Attrs[k]
+			mapSize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			i = encodeVarintOps(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *BuildOp) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BuildOp) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Builder != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Builder))
+	}
+	if len(m.Inputs) > 0 {
+		for k, _ := range m.Inputs {
+			dAtA[i] = 0x12
+			i++
+			v := m.Inputs[k]
+			msgSize := 0
+			if v != nil {
+				msgSize = v.Size()
+				msgSize += 1 + sovOps(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovOps(uint64(len(k))) + msgSize
+			i = encodeVarintOps(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			if v != nil {
+				dAtA[i] = 0x12
+				i++
+				i = encodeVarintOps(dAtA, i, uint64(v.Size()))
+				n11, err := v.MarshalTo(dAtA[i:])
+				if err != nil {
+					return 0, err
+				}
+				i += n11
+			}
+		}
+	}
+	if m.Def != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Def.Size()))
+		n12, err := m.Def.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n12
+	}
+	if len(m.Attrs) > 0 {
+		for k, _ := range m.Attrs {
+			dAtA[i] = 0x22
+			i++
+			v := m.Attrs[k]
+			mapSize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			i = encodeVarintOps(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *BuildInput) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BuildInput) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Input != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Input))
+	}
+	return i, nil
+}
+
+func (m *OpMetadata) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *OpMetadata) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.IgnoreCache {
+		dAtA[i] = 0x8
+		i++
+		if m.IgnoreCache {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if len(m.Description) > 0 {
+		for k, _ := range m.Description {
+			dAtA[i] = 0x12
+			i++
+			v := m.Description[k]
+			mapSize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			i = encodeVarintOps(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if m.ExportCache != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.ExportCache.Size()))
+		n13, err := m.ExportCache.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n13
+	}
+	return i, nil
+}
+
+func (m *ExportCache) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ExportCache) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Value {
+		dAtA[i] = 0x8
+		i++
+		if m.Value {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *ProxyEnv) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ProxyEnv) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.HttpProxy) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.HttpProxy)))
+		i += copy(dAtA[i:], m.HttpProxy)
+	}
+	if len(m.HttpsProxy) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.HttpsProxy)))
+		i += copy(dAtA[i:], m.HttpsProxy)
+	}
+	if len(m.FtpProxy) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.FtpProxy)))
+		i += copy(dAtA[i:], m.FtpProxy)
+	}
+	if len(m.NoProxy) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.NoProxy)))
+		i += copy(dAtA[i:], m.NoProxy)
+	}
+	return i, nil
+}
+
+func (m *WorkerConstraints) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *WorkerConstraints) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Filter) > 0 {
+		for _, s := range m.Filter {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *Definition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Definition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Def) > 0 {
+		for _, b := range m.Def {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(b)))
+			i += copy(dAtA[i:], b)
+		}
+	}
+	if len(m.Metadata) > 0 {
+		for k, _ := range m.Metadata {
+			dAtA[i] = 0x12
+			i++
+			v := m.Metadata[k]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovOps(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovOps(uint64(len(k))) + msgSize
+			i = encodeVarintOps(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintOps(dAtA, i, uint64((&v).Size()))
+			n14, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n14
+		}
+	}
+	return i, nil
+}
+
+func encodeVarintOps(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *Op) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Inputs) > 0 {
+		for _, e := range m.Inputs {
+			l = e.Size()
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	if m.Op != nil {
+		n += m.Op.Size()
+	}
+	if m.Platform != nil {
+		l = m.Platform.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if m.Constraints != nil {
+		l = m.Constraints.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *Op_Exec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Exec != nil {
+		l = m.Exec.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+func (m *Op_Source) Size() (n int) {
+	var l int
+	_ = l
+	if m.Source != nil {
+		l = m.Source.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+func (m *Op_Copy) Size() (n int) {
+	var l int
+	_ = l
+	if m.Copy != nil {
+		l = m.Copy.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+func (m *Op_Build) Size() (n int) {
+	var l int
+	_ = l
+	if m.Build != nil {
+		l = m.Build.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+func (m *Platform) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Architecture)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.OS)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.Variant)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.OSVersion)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if len(m.OSFeatures) > 0 {
+		for _, s := range m.OSFeatures {
+			l = len(s)
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Input) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Digest)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if m.Index != 0 {
+		n += 1 + sovOps(uint64(m.Index))
+	}
+	return n
+}
+
+func (m *ExecOp) Size() (n int) {
+	var l int
+	_ = l
+	if m.Meta != nil {
+		l = m.Meta.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if len(m.Mounts) > 0 {
+		for _, e := range m.Mounts {
+			l = e.Size()
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Meta) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Args) > 0 {
+		for _, s := range m.Args {
+			l = len(s)
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	if len(m.Env) > 0 {
+		for _, s := range m.Env {
+			l = len(s)
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	l = len(m.Cwd)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.User)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if m.ProxyEnv != nil {
+		l = m.ProxyEnv.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *Mount) Size() (n int) {
+	var l int
+	_ = l
+	if m.Input != 0 {
+		n += 1 + sovOps(uint64(m.Input))
+	}
+	l = len(m.Selector)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.Dest)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if m.Output != 0 {
+		n += 1 + sovOps(uint64(m.Output))
+	}
+	if m.Readonly {
+		n += 2
+	}
+	if m.MountType != 0 {
+		n += 1 + sovOps(uint64(m.MountType))
+	}
+	if m.CacheOpt != nil {
+		l = m.CacheOpt.Size()
+		n += 2 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *CacheOpt) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if m.Sharing != 0 {
+		n += 1 + sovOps(uint64(m.Sharing))
+	}
+	return n
+}
+
+func (m *CopyOp) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Src) > 0 {
+		for _, e := range m.Src {
+			l = e.Size()
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	l = len(m.Dest)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *CopySource) Size() (n int) {
+	var l int
+	_ = l
+	if m.Input != 0 {
+		n += 1 + sovOps(uint64(m.Input))
+	}
+	l = len(m.Selector)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *SourceOp) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Identifier)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if len(m.Attrs) > 0 {
+		for k, v := range m.Attrs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			n += mapEntrySize + 1 + sovOps(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *BuildOp) Size() (n int) {
+	var l int
+	_ = l
+	if m.Builder != 0 {
+		n += 1 + sovOps(uint64(m.Builder))
+	}
+	if len(m.Inputs) > 0 {
+		for k, v := range m.Inputs {
+			_ = k
+			_ = v
+			l = 0
+			if v != nil {
+				l = v.Size()
+				l += 1 + sovOps(uint64(l))
+			}
+			mapEntrySize := 1 + len(k) + sovOps(uint64(len(k))) + l
+			n += mapEntrySize + 1 + sovOps(uint64(mapEntrySize))
+		}
+	}
+	if m.Def != nil {
+		l = m.Def.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if len(m.Attrs) > 0 {
+		for k, v := range m.Attrs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			n += mapEntrySize + 1 + sovOps(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *BuildInput) Size() (n int) {
+	var l int
+	_ = l
+	if m.Input != 0 {
+		n += 1 + sovOps(uint64(m.Input))
+	}
+	return n
+}
+
+func (m *OpMetadata) Size() (n int) {
+	var l int
+	_ = l
+	if m.IgnoreCache {
+		n += 2
+	}
+	if len(m.Description) > 0 {
+		for k, v := range m.Description {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			n += mapEntrySize + 1 + sovOps(uint64(mapEntrySize))
+		}
+	}
+	if m.ExportCache != nil {
+		l = m.ExportCache.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *ExportCache) Size() (n int) {
+	var l int
+	_ = l
+	if m.Value {
+		n += 2
+	}
+	return n
+}
+
+func (m *ProxyEnv) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.HttpProxy)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.HttpsProxy)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.FtpProxy)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.NoProxy)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *WorkerConstraints) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Filter) > 0 {
+		for _, s := range m.Filter {
+			l = len(s)
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Definition) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Def) > 0 {
+		for _, b := range m.Def {
+			l = len(b)
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	if len(m.Metadata) > 0 {
+		for k, v := range m.Metadata {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + l + sovOps(uint64(l))
+			n += mapEntrySize + 1 + sovOps(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func sovOps(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozOps(x uint64) (n int) {
+	return sovOps(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *Op) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Op: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Op: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Inputs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Inputs = append(m.Inputs, &Input{})
+			if err := m.Inputs[len(m.Inputs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Exec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &ExecOp{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Op = &Op_Exec{v}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Source", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &SourceOp{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Op = &Op_Source{v}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Copy", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &CopyOp{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Op = &Op_Copy{v}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Build", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &BuildOp{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Op = &Op_Build{v}
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Platform", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Platform == nil {
+				m.Platform = &Platform{}
+			}
+			if err := m.Platform.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Constraints", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Constraints == nil {
+				m.Constraints = &WorkerConstraints{}
+			}
+			if err := m.Constraints.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Platform) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Platform: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Platform: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Architecture", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Architecture = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OS", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OS = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Variant", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Variant = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OSVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OSVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OSFeatures", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OSFeatures = append(m.OSFeatures, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Input) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Input: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Input: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Digest", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Digest = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Index", wireType)
+			}
+			m.Index = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Index |= (OutputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ExecOp) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExecOp: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExecOp: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Meta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Meta == nil {
+				m.Meta = &Meta{}
+			}
+			if err := m.Meta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Mounts", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Mounts = append(m.Mounts, &Mount{})
+			if err := m.Mounts[len(m.Mounts)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Meta) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Meta: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Meta: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Args", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Args = append(m.Args, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Env", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Env = append(m.Env, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Cwd", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Cwd = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field User", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.User = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ProxyEnv", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ProxyEnv == nil {
+				m.ProxyEnv = &ProxyEnv{}
+			}
+			if err := m.ProxyEnv.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Mount) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Mount: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Mount: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Input", wireType)
+			}
+			m.Input = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Input |= (InputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Selector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Dest", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Dest = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Output", wireType)
+			}
+			m.Output = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Output |= (OutputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Readonly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Readonly = bool(v != 0)
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MountType", wireType)
+			}
+			m.MountType = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MountType |= (MountType(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 20:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CacheOpt", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.CacheOpt == nil {
+				m.CacheOpt = &CacheOpt{}
+			}
+			if err := m.CacheOpt.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CacheOpt) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CacheOpt: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CacheOpt: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Sharing", wireType)
+			}
+			m.Sharing = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Sharing |= (CacheSharingOpt(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CopyOp) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CopyOp: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CopyOp: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Src", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Src = append(m.Src, &CopySource{})
+			if err := m.Src[len(m.Src)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Dest", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Dest = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CopySource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CopySource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CopySource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Input", wireType)
+			}
+			m.Input = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Input |= (InputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Selector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SourceOp) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SourceOp: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SourceOp: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Identifier", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Identifier = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Attrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Attrs == nil {
+				m.Attrs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipOps(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthOps
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Attrs[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *BuildOp) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BuildOp: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BuildOp: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Builder", wireType)
+			}
+			m.Builder = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Builder |= (InputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Inputs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Inputs == nil {
+				m.Inputs = make(map[string]*BuildInput)
+			}
+			var mapkey string
+			var mapvalue *BuildInput
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var mapmsglen int
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						mapmsglen |= (int(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					if mapmsglen < 0 {
+						return ErrInvalidLengthOps
+					}
+					postmsgIndex := iNdEx + mapmsglen
+					if mapmsglen < 0 {
+						return ErrInvalidLengthOps
+					}
+					if postmsgIndex > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = &BuildInput{}
+					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+						return err
+					}
+					iNdEx = postmsgIndex
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipOps(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthOps
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Inputs[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Def", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Def == nil {
+				m.Def = &Definition{}
+			}
+			if err := m.Def.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Attrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Attrs == nil {
+				m.Attrs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipOps(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthOps
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Attrs[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *BuildInput) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BuildInput: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BuildInput: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Input", wireType)
+			}
+			m.Input = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Input |= (InputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *OpMetadata) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: OpMetadata: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: OpMetadata: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IgnoreCache", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.IgnoreCache = bool(v != 0)
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Description", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Description == nil {
+				m.Description = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipOps(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthOps
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Description[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExportCache", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ExportCache == nil {
+				m.ExportCache = &ExportCache{}
+			}
+			if err := m.ExportCache.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ExportCache) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExportCache: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExportCache: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Value = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ProxyEnv) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ProxyEnv: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ProxyEnv: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HttpProxy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.HttpProxy = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HttpsProxy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.HttpsProxy = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FtpProxy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FtpProxy = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NoProxy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NoProxy = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *WorkerConstraints) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: WorkerConstraints: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: WorkerConstraints: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Filter", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Filter = append(m.Filter, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Definition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Definition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Definition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Def", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Def = append(m.Def, make([]byte, postIndex-iNdEx))
+			copy(m.Def[len(m.Def)-1], dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Metadata", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Metadata == nil {
+				m.Metadata = make(map[github_com_opencontainers_go_digest.Digest]OpMetadata)
+			}
+			var mapkey github_com_opencontainers_go_digest.Digest
+			mapvalue := &OpMetadata{}
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var mapmsglen int
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						mapmsglen |= (int(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					if mapmsglen < 0 {
+						return ErrInvalidLengthOps
+					}
+					postmsgIndex := iNdEx + mapmsglen
+					if mapmsglen < 0 {
+						return ErrInvalidLengthOps
+					}
+					if postmsgIndex > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = &OpMetadata{}
+					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+						return err
+					}
+					iNdEx = postmsgIndex
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipOps(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthOps
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Metadata[github_com_opencontainers_go_digest.Digest(mapkey)] = *mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipOps(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthOps
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipOps(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthOps = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowOps   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("ops.proto", fileDescriptorOps) }
+
+var fileDescriptorOps = []byte{
+	// 1203 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0x4d, 0x8f, 0x1b, 0x45,
+	0x13, 0xde, 0x19, 0x7f, 0xcd, 0xd4, 0x6c, 0x36, 0x7e, 0x3b, 0x79, 0x83, 0x59, 0xc2, 0xae, 0x99,
+	0x20, 0xe4, 0x7c, 0xac, 0x57, 0x32, 0x52, 0x88, 0x38, 0x44, 0xac, 0x3f, 0xa2, 0x35, 0x21, 0x38,
+	0x6a, 0xaf, 0x96, 0x63, 0x34, 0x1e, 0xb7, 0xbd, 0xa3, 0x78, 0xa7, 0x47, 0x3d, 0xed, 0xb0, 0x3e,
+	0x80, 0x44, 0x7e, 0x01, 0x12, 0x12, 0x77, 0x7e, 0x08, 0xf7, 0x1c, 0xb9, 0xc2, 0x21, 0xa0, 0x20,
+	0xf1, 0x3b, 0x50, 0x75, 0xb7, 0x67, 0x66, 0x93, 0x20, 0x25, 0x82, 0x93, 0xbb, 0xab, 0x9e, 0x7a,
+	0xba, 0xea, 0xe9, 0x9a, 0x6a, 0x83, 0xcb, 0x93, 0xb4, 0x9d, 0x08, 0x2e, 0x39, 0xb1, 0x93, 0xc9,
+	0xf6, 0xde, 0x3c, 0x92, 0x27, 0xcb, 0x49, 0x3b, 0xe4, 0xa7, 0xfb, 0x73, 0x3e, 0xe7, 0xfb, 0xca,
+	0x35, 0x59, 0xce, 0xd4, 0x4e, 0x6d, 0xd4, 0x4a, 0x87, 0xf8, 0x3f, 0xd9, 0x60, 0x8f, 0x12, 0xf2,
+	0x01, 0x54, 0xa3, 0x38, 0x59, 0xca, 0xb4, 0x61, 0x35, 0x4b, 0x2d, 0xaf, 0xe3, 0xb6, 0x93, 0x49,
+	0x7b, 0x88, 0x16, 0x6a, 0x1c, 0xa4, 0x09, 0x65, 0x76, 0xc6, 0xc2, 0x86, 0xdd, 0xb4, 0x5a, 0x5e,
+	0x07, 0x10, 0x30, 0x38, 0x63, 0xe1, 0x28, 0x39, 0xdc, 0xa0, 0xca, 0x43, 0x3e, 0x82, 0x6a, 0xca,
+	0x97, 0x22, 0x64, 0x8d, 0x92, 0xc2, 0x6c, 0x22, 0x66, 0xac, 0x2c, 0x0a, 0x65, 0xbc, 0xc8, 0x14,
+	0xf2, 0x64, 0xd5, 0x28, 0xe7, 0x4c, 0x3d, 0x9e, 0xac, 0x34, 0x13, 0x7a, 0xc8, 0x35, 0xa8, 0x4c,
+	0x96, 0xd1, 0x62, 0xda, 0xa8, 0x28, 0x88, 0x87, 0x90, 0x2e, 0x1a, 0x14, 0x46, 0xfb, 0x48, 0x0b,
+	0x9c, 0x64, 0x11, 0xc8, 0x19, 0x17, 0xa7, 0x0d, 0xc8, 0x0f, 0x7c, 0x68, 0x6c, 0x34, 0xf3, 0x92,
+	0x4f, 0xc0, 0x0b, 0x79, 0x9c, 0x4a, 0x11, 0x44, 0xb1, 0x4c, 0x1b, 0x9e, 0x02, 0xff, 0x1f, 0xc1,
+	0x5f, 0x71, 0xf1, 0x98, 0x89, 0x5e, 0xee, 0xa4, 0x45, 0x64, 0xb7, 0x0c, 0x36, 0x4f, 0xfc, 0x1f,
+	0x2d, 0x70, 0xd6, 0xac, 0xc4, 0x87, 0xcd, 0x03, 0x11, 0x9e, 0x44, 0x92, 0x85, 0x72, 0x29, 0x58,
+	0xc3, 0x6a, 0x5a, 0x2d, 0x97, 0x9e, 0xb3, 0x91, 0x2d, 0xb0, 0x47, 0x63, 0x25, 0x94, 0x4b, 0xed,
+	0xd1, 0x98, 0x34, 0xa0, 0x76, 0x1c, 0x88, 0x28, 0x88, 0xa5, 0x52, 0xc6, 0xa5, 0xeb, 0x2d, 0xb9,
+	0x0a, 0xee, 0x68, 0x7c, 0xcc, 0x44, 0x1a, 0xf1, 0x58, 0xe9, 0xe1, 0xd2, 0xdc, 0x40, 0x76, 0x00,
+	0x46, 0xe3, 0x7b, 0x2c, 0x40, 0xd2, 0xb4, 0x51, 0x69, 0x96, 0x5a, 0x2e, 0x2d, 0x58, 0xfc, 0x6f,
+	0xa1, 0xa2, 0xee, 0x88, 0x7c, 0x0e, 0xd5, 0x69, 0x34, 0x67, 0xa9, 0xd4, 0xe9, 0x74, 0x3b, 0xcf,
+	0x9e, 0xef, 0x6e, 0xfc, 0xf6, 0x7c, 0xf7, 0x46, 0xa1, 0x19, 0x78, 0xc2, 0xe2, 0x90, 0xc7, 0x32,
+	0x88, 0x62, 0x26, 0xd2, 0xfd, 0x39, 0xdf, 0xd3, 0x21, 0xed, 0xbe, 0xfa, 0xa1, 0x86, 0x81, 0x5c,
+	0x87, 0x4a, 0x14, 0x4f, 0xd9, 0x99, 0xca, 0xbf, 0xd4, 0xbd, 0x64, 0xa8, 0xbc, 0xd1, 0x52, 0x26,
+	0x4b, 0x39, 0x44, 0x17, 0xd5, 0x08, 0x7f, 0x08, 0x55, 0xdd, 0x02, 0xe4, 0x2a, 0x94, 0x4f, 0x99,
+	0x0c, 0xd4, 0xf1, 0x5e, 0xc7, 0x41, 0x69, 0x1f, 0x30, 0x19, 0x50, 0x65, 0xc5, 0xee, 0x3a, 0xe5,
+	0x4b, 0x94, 0xde, 0xce, 0xbb, 0xeb, 0x01, 0x5a, 0xa8, 0x71, 0xf8, 0xdf, 0x40, 0x19, 0x03, 0x08,
+	0x81, 0x72, 0x20, 0xe6, 0xba, 0x0d, 0x5d, 0xaa, 0xd6, 0xa4, 0x0e, 0x25, 0x16, 0x3f, 0x51, 0xb1,
+	0x2e, 0xc5, 0x25, 0x5a, 0xc2, 0xaf, 0xa7, 0x46, 0x4c, 0x5c, 0x62, 0xdc, 0x32, 0x65, 0xc2, 0x68,
+	0xa8, 0xd6, 0xe4, 0x3a, 0xb8, 0x89, 0xe0, 0x67, 0xab, 0x47, 0x18, 0x5d, 0x29, 0x74, 0x08, 0x1a,
+	0x07, 0xf1, 0x13, 0xea, 0x24, 0x66, 0xe5, 0x7f, 0x67, 0x43, 0x45, 0x25, 0x44, 0x5a, 0x58, 0x7e,
+	0xb2, 0xd4, 0x4a, 0x96, 0xba, 0xc4, 0x94, 0x0f, 0x4a, 0xe8, 0xac, 0x7a, 0x14, 0x7d, 0x1b, 0x9c,
+	0x94, 0x2d, 0x58, 0x28, 0xb9, 0x30, 0x77, 0x9d, 0xed, 0x31, 0x9d, 0x29, 0x5e, 0x87, 0xce, 0x50,
+	0xad, 0xc9, 0x4d, 0xa8, 0x72, 0xa5, 0xa1, 0x4a, 0xf2, 0x1f, 0x94, 0x35, 0x10, 0x24, 0x17, 0x2c,
+	0x98, 0xf2, 0x78, 0xb1, 0x52, 0xa9, 0x3b, 0x34, 0xdb, 0x93, 0x9b, 0xe0, 0x2a, 0xd5, 0x8e, 0x56,
+	0x09, 0x6b, 0x54, 0x9b, 0x56, 0x6b, 0xab, 0x73, 0x21, 0x53, 0x14, 0x8d, 0x34, 0xf7, 0xe3, 0x57,
+	0x12, 0x06, 0xe1, 0x09, 0x1b, 0x25, 0xb2, 0x71, 0x39, 0xd7, 0xa0, 0x67, 0x6c, 0x34, 0xf3, 0xfa,
+	0x43, 0x70, 0xd6, 0x56, 0xec, 0xe0, 0x61, 0xdf, 0xf4, 0xb6, 0x3d, 0xec, 0x93, 0x3d, 0xa8, 0xa5,
+	0x27, 0x81, 0x88, 0xe2, 0xb9, 0x2a, 0x75, 0xab, 0x73, 0x29, 0x23, 0x19, 0x6b, 0x3b, 0x72, 0xad,
+	0x31, 0xfe, 0x5d, 0xa8, 0xea, 0x2f, 0x9a, 0x34, 0xa1, 0x94, 0x8a, 0xd0, 0x4c, 0x95, 0xad, 0xf5,
+	0xa7, 0xae, 0x87, 0x02, 0x45, 0x57, 0x26, 0x95, 0x9d, 0x4b, 0xe5, 0x53, 0x80, 0x1c, 0xf6, 0xdf,
+	0x5c, 0x89, 0xff, 0x83, 0x05, 0xce, 0x7a, 0x18, 0xe1, 0x97, 0x15, 0x4d, 0x59, 0x2c, 0xa3, 0x59,
+	0xc4, 0x84, 0xa9, 0xb3, 0x60, 0x21, 0x7b, 0x50, 0x09, 0xa4, 0x14, 0xeb, 0x86, 0x7d, 0xa7, 0x38,
+	0xc9, 0xda, 0x07, 0xe8, 0x19, 0xc4, 0x52, 0xac, 0xa8, 0x46, 0x6d, 0xdf, 0x01, 0xc8, 0x8d, 0xd8,
+	0x9d, 0x8f, 0xd9, 0xca, 0xb0, 0xe2, 0x92, 0x5c, 0x86, 0xca, 0x93, 0x60, 0xb1, 0x64, 0x26, 0x29,
+	0xbd, 0xf9, 0xd4, 0xbe, 0x63, 0xf9, 0x3f, 0xdb, 0x50, 0x33, 0x93, 0x8d, 0xdc, 0x82, 0x9a, 0x9a,
+	0x6c, 0x26, 0xa3, 0xd7, 0x57, 0xba, 0x86, 0x90, 0xfd, 0x6c, 0x64, 0x17, 0x72, 0x34, 0x54, 0x7a,
+	0x74, 0x9b, 0x1c, 0xf3, 0x01, 0x5e, 0x9a, 0xb2, 0x99, 0x99, 0xcd, 0xea, 0x2a, 0xfa, 0x6c, 0x16,
+	0xc5, 0x91, 0x8c, 0x78, 0x4c, 0xd1, 0x45, 0x6e, 0xad, 0xab, 0x2e, 0x2b, 0xc6, 0x2b, 0x45, 0xc6,
+	0x57, 0x8b, 0x1e, 0x82, 0x57, 0x38, 0xe6, 0x35, 0x55, 0x7f, 0x58, 0xac, 0xda, 0x1c, 0xa9, 0xe8,
+	0xf4, 0xc3, 0x92, 0xab, 0xf0, 0x2f, 0xf4, 0xbb, 0x0d, 0x90, 0x53, 0xbe, 0x79, 0xa7, 0xf8, 0x7f,
+	0x59, 0x00, 0xa3, 0x04, 0x47, 0xce, 0x34, 0x50, 0x13, 0x6a, 0x33, 0x9a, 0xc7, 0x5c, 0xb0, 0x47,
+	0xea, 0x73, 0x50, 0xf1, 0x0e, 0xf5, 0xb4, 0x4d, 0xb5, 0x39, 0x39, 0x00, 0x6f, 0xca, 0xd2, 0x50,
+	0x44, 0x09, 0x0a, 0x66, 0x44, 0xdf, 0xc5, 0x9a, 0x72, 0x9e, 0x76, 0x3f, 0x47, 0x68, 0xad, 0x8a,
+	0x31, 0xa4, 0x03, 0x9b, 0xec, 0x2c, 0xe1, 0x42, 0x9a, 0x53, 0xf4, 0x03, 0x78, 0x51, 0x3f, 0xa5,
+	0x68, 0x57, 0x27, 0x51, 0x8f, 0xe5, 0x9b, 0xed, 0xbb, 0x50, 0x7f, 0x99, 0xf4, 0xad, 0x04, 0xba,
+	0x06, 0x5e, 0x81, 0x1b, 0x81, 0xc7, 0x0a, 0xa8, 0x2b, 0xd4, 0x1b, 0xff, 0x29, 0xbe, 0x70, 0x66,
+	0x16, 0x92, 0xf7, 0x01, 0x4e, 0xa4, 0x4c, 0x1e, 0xa9, 0xe1, 0x68, 0x0e, 0x71, 0xd1, 0xa2, 0x10,
+	0x64, 0x17, 0x3c, 0xdc, 0xa4, 0xc6, 0xaf, 0x0f, 0x54, 0x11, 0xa9, 0x06, 0xbc, 0x07, 0xee, 0x2c,
+	0x0b, 0xd7, 0x03, 0xd0, 0x99, 0xad, 0xa3, 0xdf, 0x05, 0x27, 0xe6, 0xc6, 0xa7, 0x67, 0x75, 0x2d,
+	0xe6, 0xca, 0xe5, 0xdf, 0x84, 0xff, 0xbd, 0xf2, 0x1c, 0x93, 0x2b, 0x50, 0x9d, 0x45, 0x0b, 0xa9,
+	0x3e, 0x09, 0x1c, 0xff, 0x66, 0xe7, 0xff, 0x6a, 0x01, 0xe4, 0xed, 0x8b, 0x8a, 0x60, 0x6f, 0x23,
+	0x66, 0x53, 0xf7, 0xf2, 0x02, 0x9c, 0x53, 0x73, 0x2b, 0xe6, 0xae, 0xae, 0x9e, 0x6f, 0xf9, 0xf6,
+	0xfa, 0xd2, 0x94, 0xa6, 0xfa, 0xc9, 0x7c, 0xfa, 0xfb, 0x5b, 0x3d, 0x99, 0xd9, 0x09, 0xdb, 0xf7,
+	0xe1, 0xc2, 0x39, 0xba, 0x37, 0xfc, 0x1a, 0xf2, 0xce, 0x29, 0x5c, 0xd9, 0x8d, 0xcf, 0xc0, 0xcd,
+	0x46, 0x39, 0x71, 0xa0, 0xdc, 0x1d, 0x7e, 0xd9, 0xaf, 0x6f, 0x10, 0x80, 0xea, 0x78, 0xd0, 0xa3,
+	0x83, 0xa3, 0xba, 0x45, 0x6a, 0x50, 0x1a, 0x8f, 0x0f, 0xeb, 0x36, 0x71, 0xa1, 0xd2, 0x3b, 0xe8,
+	0x1d, 0x0e, 0xea, 0x25, 0x5c, 0x1e, 0x3d, 0x78, 0x78, 0x6f, 0x5c, 0x2f, 0xdf, 0xb8, 0x0d, 0x17,
+	0x5f, 0x9a, 0xcd, 0x2a, 0xfa, 0xf0, 0x80, 0x0e, 0x90, 0xc9, 0x83, 0xda, 0x43, 0x3a, 0x3c, 0x3e,
+	0x38, 0x1a, 0xd4, 0x2d, 0x74, 0x7c, 0x31, 0xea, 0xdd, 0x1f, 0xf4, 0xeb, 0x76, 0xb7, 0xfe, 0xec,
+	0xc5, 0x8e, 0xf5, 0xcb, 0x8b, 0x1d, 0xeb, 0x8f, 0x17, 0x3b, 0xd6, 0xf7, 0x7f, 0xee, 0x6c, 0x4c,
+	0xaa, 0xea, 0x6f, 0xe2, 0xc7, 0x7f, 0x07, 0x00, 0x00, 0xff, 0xff, 0x42, 0x80, 0x11, 0x1b, 0x66,
+	0x0a, 0x00, 0x00,
+}
diff --git a/cli/vendor/github.com/moby/buildkit/solver/pb/ops.proto b/cli/vendor/github.com/moby/buildkit/solver/pb/ops.proto
new file mode 100644
index 00000000..db44c5a4
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/solver/pb/ops.proto
@@ -0,0 +1,165 @@
+syntax = "proto3";
+
+// Package pb provides the protobuf definition of LLB: low-level builder instruction.
+// LLB is DAG-structured; Op represents a vertex, and Definition represents a graph.
+package pb;
+
+import "github.com/gogo/protobuf/gogoproto/gogo.proto";
+
+// Op represents a vertex of the LLB DAG.
+message Op {
+	// inputs is a set of input edges.
+	repeated Input inputs = 1;
+	oneof op {
+		ExecOp exec = 2;
+		SourceOp source = 3;
+		CopyOp copy = 4;
+		BuildOp build = 5;
+	}
+	Platform platform = 10;
+	WorkerConstraints constraints = 11;
+}
+
+// Platform is github.com/opencontainers/image-spec/specs-go/v1.Platform
+message Platform {
+	string Architecture = 1;
+	string OS = 2;
+	string Variant = 3;
+	string OSVersion = 4; // unused
+	repeated string OSFeatures = 5; // unused
+}
+
+// Input represents an input edge for an Op.
+message Input {
+	// digest of the marshaled input Op
+	string digest = 1 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	// output index of the input Op
+	int64 index = 2 [(gogoproto.customtype) = "OutputIndex", (gogoproto.nullable) = false];
+}
+
+// ExecOp executes a command in a container.
+message ExecOp {
+	Meta meta = 1;
+	repeated Mount mounts = 2;
+}
+
+// Meta is a set of arguments for ExecOp.
+// Meta is unrelated to LLB metadata.
+// FIXME: rename (ExecContext? ExecArgs?)
+message Meta {
+	repeated string args = 1;
+	repeated string env = 2;
+	string cwd = 3;
+	string user = 4;
+	ProxyEnv proxy_env = 5;
+}
+
+// Mount specifies how to mount an input Op as a filesystem.
+message Mount {
+	int64 input = 1 [(gogoproto.customtype) = "InputIndex", (gogoproto.nullable) = false];
+	string selector = 2;
+	string dest = 3;
+	int64 output = 4 [(gogoproto.customtype) = "OutputIndex", (gogoproto.nullable) = false];
+	bool readonly = 5;
+	MountType mountType = 6;
+	CacheOpt cacheOpt = 20;
+}
+
+// MountType defines a type of a mount from a supported set
+enum MountType {
+	BIND = 0;
+	SECRET = 1;
+	SSH = 2;
+	CACHE = 3;
+	TMPFS = 4;
+}
+
+// CacheOpt defines options specific to cache mounts
+message CacheOpt {
+	// ID is an optional namespace for the mount
+	string ID = 1;
+	// Sharing is the sharing mode for the mount 
+	CacheSharingOpt sharing = 2;
+}
+
+// CacheSharingOpt defines different sharing modes for cache mount
+enum CacheSharingOpt {
+	// SHARED cache mount can be used concurrently by multiple writers
+	SHARED = 0;
+	// PRIVATE creates a new mount if there are multiple writers
+	PRIVATE = 1;
+	// LOCKED pauses second writer until first one releases the mount
+	LOCKED = 2;
+}
+
+// CopyOp copies files across Ops.
+message CopyOp {
+	repeated CopySource src = 1;
+	string dest = 2;
+}
+
+// CopySource specifies a source for CopyOp.
+message CopySource {
+	int64 input = 1 [(gogoproto.customtype) = "InputIndex", (gogoproto.nullable) = false];
+	string selector = 2;
+}
+
+// SourceOp specifies a source such as build contexts and images.
+message SourceOp {
+	// TODO: use source type or any type instead of URL protocol.
+	// identifier e.g. local://, docker-image://, git://, https://...
+	string identifier = 1;
+	// attrs are defined in attr.go
+	map<string, string> attrs = 2;
+}
+
+// BuildOp is used for nested build invocation.
+// BuildOp is experimental and can break without backwards compatibility
+message BuildOp {
+	int64 builder = 1 [(gogoproto.customtype) = "InputIndex", (gogoproto.nullable) = false];
+	map<string, BuildInput> inputs = 2;
+	Definition def = 3;
+	map<string, string> attrs = 4;
+	// outputs
+}
+
+// BuildInput is used for BuildOp.
+message BuildInput {
+	int64 input = 1 [(gogoproto.customtype) = "InputIndex", (gogoproto.nullable) = false];
+}
+
+// OpMetadata is a per-vertex metadata entry, which can be defined for arbitrary Op vertex and overridable on the run time.
+message OpMetadata {
+	// ignore_cache specifies to ignore the cache for this Op.
+	bool ignore_cache = 1;
+	// Description can be used for keeping any text fields that builder doesn't parse
+	map<string, string> description = 2; 
+	// index 3 reserved for WorkerConstraint in previous versions
+	// WorkerConstraint worker_constraint = 3;
+	ExportCache export_cache = 4;
+}
+
+message ExportCache {
+	bool Value = 1;
+}
+
+message ProxyEnv {
+	string http_proxy = 1;
+	string https_proxy = 2;
+	string ftp_proxy = 3;
+	string no_proxy = 4;
+}
+
+// WorkerConstraints defines conditions for the worker
+message WorkerConstraints {
+	repeated string filter = 1; // containerd-style filter
+}
+
+// Definition is the LLB definition structure with per-vertex metadata entries
+message Definition {
+	// def is a list of marshaled Op messages
+	repeated bytes def = 1;
+	// metadata contains metadata for the each of the Op messages.
+	// A key must be an LLB op digest string. Currently, empty string is not expected as a key, but it may change in the future.
+	map<string, OpMetadata> metadata = 2 [(gogoproto.castkey) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+}
diff --git a/cli/vendor/github.com/moby/buildkit/solver/pb/platform.go b/cli/vendor/github.com/moby/buildkit/solver/pb/platform.go
new file mode 100644
index 00000000..a434aa71
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/solver/pb/platform.go
@@ -0,0 +1,41 @@
+package pb
+
+import (
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+func (p *Platform) Spec() specs.Platform {
+	return specs.Platform{
+		OS:           p.OS,
+		Architecture: p.Architecture,
+		Variant:      p.Variant,
+		OSVersion:    p.OSVersion,
+		OSFeatures:   p.OSFeatures,
+	}
+}
+
+func PlatformFromSpec(p specs.Platform) Platform {
+	return Platform{
+		OS:           p.OS,
+		Architecture: p.Architecture,
+		Variant:      p.Variant,
+		OSVersion:    p.OSVersion,
+		OSFeatures:   p.OSFeatures,
+	}
+}
+
+func ToSpecPlatforms(p []Platform) []specs.Platform {
+	out := make([]specs.Platform, 0, len(p))
+	for _, pp := range p {
+		out = append(out, pp.Spec())
+	}
+	return out
+}
+
+func PlatformsFromSpec(p []specs.Platform) []Platform {
+	out := make([]Platform, 0, len(p))
+	for _, pp := range p {
+		out = append(out, PlatformFromSpec(pp))
+	}
+	return out
+}
diff --git a/cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext.go b/cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext.go
new file mode 100644
index 00000000..e74da2cd
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext.go
@@ -0,0 +1,41 @@
+package appcontext
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"sync"
+
+	"github.com/sirupsen/logrus"
+)
+
+var appContextCache context.Context
+var appContextOnce sync.Once
+
+// Context returns a static context that reacts to termination signals of the
+// running process. Useful in CLI tools.
+func Context() context.Context {
+	appContextOnce.Do(func() {
+		signals := make(chan os.Signal, 2048)
+		signal.Notify(signals, terminationSignals...)
+
+		const exitLimit = 3
+		retries := 0
+
+		ctx, cancel := context.WithCancel(context.Background())
+		appContextCache = ctx
+
+		go func() {
+			for {
+				<-signals
+				cancel()
+				retries++
+				if retries >= exitLimit {
+					logrus.Errorf("got %d SIGTERM/SIGINTs, forcing shutdown", retries)
+					os.Exit(1)
+				}
+			}
+		}()
+	})
+	return appContextCache
+}
diff --git a/cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext_unix.go b/cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext_unix.go
new file mode 100644
index 00000000..b586e2f6
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext_unix.go
@@ -0,0 +1,11 @@
+// +build !windows
+
+package appcontext
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+var terminationSignals = []os.Signal{unix.SIGTERM, unix.SIGINT}
diff --git a/cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext_windows.go b/cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext_windows.go
new file mode 100644
index 00000000..0a8bcbe7
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/appcontext/appcontext_windows.go
@@ -0,0 +1,7 @@
+package appcontext
+
+import (
+	"os"
+)
+
+var terminationSignals = []os.Signal{os.Interrupt}
diff --git a/cli/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_unix.go b/cli/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_unix.go
new file mode 100644
index 00000000..7b907ad3
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_unix.go
@@ -0,0 +1,55 @@
+// +build !windows
+
+package appdefaults
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+const (
+	Address = "unix:///run/buildkit/buildkitd.sock"
+	Root    = "/var/lib/buildkit"
+)
+
+// UserAddress typically returns /run/user/$UID/buildkit/buildkitd.sock
+func UserAddress() string {
+	//  pam_systemd sets XDG_RUNTIME_DIR but not other dirs.
+	xdgRuntimeDir := os.Getenv("XDG_RUNTIME_DIR")
+	if xdgRuntimeDir != "" {
+		dirs := strings.Split(xdgRuntimeDir, ":")
+		return "unix://" + filepath.Join(dirs[0], "buildkit", "buildkitd.sock")
+	}
+	return Address
+}
+
+// EnsureUserAddressDir sets sticky bit on XDG_RUNTIME_DIR if XDG_RUNTIME_DIR is set.
+// See https://github.com/opencontainers/runc/issues/1694
+func EnsureUserAddressDir() error {
+	xdgRuntimeDir := os.Getenv("XDG_RUNTIME_DIR")
+	if xdgRuntimeDir != "" {
+		dirs := strings.Split(xdgRuntimeDir, ":")
+		dir := filepath.Join(dirs[0], "buildkit")
+		if err := os.MkdirAll(dir, 0700); err != nil {
+			return err
+		}
+		return os.Chmod(dir, 0700|os.ModeSticky)
+	}
+	return nil
+}
+
+// UserRoot typically returns /home/$USER/.local/share/buildkit
+func UserRoot() string {
+	//  pam_systemd sets XDG_RUNTIME_DIR but not other dirs.
+	xdgDataHome := os.Getenv("XDG_DATA_HOME")
+	if xdgDataHome != "" {
+		dirs := strings.Split(xdgDataHome, ":")
+		return filepath.Join(dirs[0], "buildkit")
+	}
+	home := os.Getenv("HOME")
+	if home != "" {
+		return filepath.Join(home, ".local", "share", "buildkit")
+	}
+	return Root
+}
diff --git a/cli/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_windows.go b/cli/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_windows.go
new file mode 100644
index 00000000..dbc96c80
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_windows.go
@@ -0,0 +1,18 @@
+package appdefaults
+
+const (
+	Address = "npipe:////./pipe/buildkitd"
+	Root    = ".buildstate"
+)
+
+func UserAddress() string {
+	return Address
+}
+
+func EnsureUserAddressDir() error {
+	return nil
+}
+
+func UserRoot() string {
+	return Root
+}
diff --git a/cli/vendor/github.com/moby/buildkit/util/progress/progressui/display.go b/cli/vendor/github.com/moby/buildkit/util/progress/progressui/display.go
new file mode 100644
index 00000000..0be544d4
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/progress/progressui/display.go
@@ -0,0 +1,427 @@
+package progressui
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"strings"
+	"time"
+
+	"github.com/containerd/console"
+	"github.com/moby/buildkit/client"
+	"github.com/morikuni/aec"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/tonistiigi/units"
+	"golang.org/x/time/rate"
+)
+
+func DisplaySolveStatus(ctx context.Context, c console.Console, w io.Writer, ch chan *client.SolveStatus) error {
+
+	modeConsole := c != nil
+
+	disp := &display{c: c}
+	printer := &textMux{w: w}
+
+	t := newTrace(w)
+
+	var done bool
+	ticker := time.NewTicker(100 * time.Millisecond)
+	defer ticker.Stop()
+
+	displayLimiter := rate.NewLimiter(rate.Every(70*time.Millisecond), 1)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		case ss, ok := <-ch:
+			if ok {
+				t.update(ss)
+			} else {
+				done = true
+			}
+		}
+
+		if modeConsole {
+			if done {
+				disp.print(t.displayInfo(), true)
+				t.printErrorLogs(c)
+				return nil
+			} else if displayLimiter.Allow() {
+				disp.print(t.displayInfo(), false)
+			}
+		} else {
+			if done || displayLimiter.Allow() {
+				printer.print(t)
+				if done {
+					return nil
+				}
+			}
+		}
+	}
+}
+
+type displayInfo struct {
+	startTime      time.Time
+	jobs           []job
+	countTotal     int
+	countCompleted int
+}
+
+type job struct {
+	startTime     *time.Time
+	completedTime *time.Time
+	name          string
+	status        string
+	hasError      bool
+	isCanceled    bool
+}
+
+type trace struct {
+	w             io.Writer
+	localTimeDiff time.Duration
+	vertexes      []*vertex
+	byDigest      map[digest.Digest]*vertex
+	nextIndex     int
+	updates       map[digest.Digest]struct{}
+}
+
+type vertex struct {
+	*client.Vertex
+	statuses []*status
+	byID     map[string]*status
+	indent   string
+	index    int
+
+	logs          [][]byte
+	logsPartial   bool
+	logsOffset    int
+	prev          *client.Vertex
+	events        []string
+	lastBlockTime *time.Time
+	count         int
+	statusUpdates map[string]struct{}
+}
+
+func (v *vertex) update(c int) {
+	if v.count == 0 {
+		now := time.Now()
+		v.lastBlockTime = &now
+	}
+	v.count += c
+}
+
+type status struct {
+	*client.VertexStatus
+}
+
+func newTrace(w io.Writer) *trace {
+	return &trace{
+		byDigest: make(map[digest.Digest]*vertex),
+		updates:  make(map[digest.Digest]struct{}),
+		w:        w,
+	}
+}
+
+func (t *trace) triggerVertexEvent(v *client.Vertex) {
+	if v.Started == nil {
+		return
+	}
+
+	var old client.Vertex
+	vtx := t.byDigest[v.Digest]
+	if v := vtx.prev; v != nil {
+		old = *v
+	}
+
+	var ev []string
+	if v.Digest != old.Digest {
+		ev = append(ev, fmt.Sprintf("%13s %s", "digest:", v.Digest))
+	}
+	if v.Name != old.Name {
+		ev = append(ev, fmt.Sprintf("%13s %q", "name:", v.Name))
+	}
+	if v.Started != old.Started {
+		if v.Started != nil && old.Started == nil || !v.Started.Equal(*old.Started) {
+			ev = append(ev, fmt.Sprintf("%13s %v", "started:", v.Started))
+		}
+	}
+	if v.Completed != old.Completed && v.Completed != nil {
+		ev = append(ev, fmt.Sprintf("%13s %v", "completed:", v.Completed))
+		if v.Started != nil {
+			ev = append(ev, fmt.Sprintf("%13s %v", "duration:", v.Completed.Sub(*v.Started)))
+		}
+	}
+	if v.Cached != old.Cached {
+		ev = append(ev, fmt.Sprintf("%13s %v", "cached:", v.Cached))
+	}
+	if v.Error != old.Error {
+		ev = append(ev, fmt.Sprintf("%13s %q", "error:", v.Error))
+	}
+
+	if len(ev) > 0 {
+		vtx.events = append(vtx.events, ev...)
+		vtx.update(len(ev))
+		t.updates[v.Digest] = struct{}{}
+	}
+
+	t.byDigest[v.Digest].prev = v
+}
+
+func (t *trace) update(s *client.SolveStatus) {
+	for _, v := range s.Vertexes {
+		prev, ok := t.byDigest[v.Digest]
+		if !ok {
+			t.nextIndex++
+			t.byDigest[v.Digest] = &vertex{
+				byID:          make(map[string]*status),
+				statusUpdates: make(map[string]struct{}),
+				index:         t.nextIndex,
+			}
+		}
+		t.triggerVertexEvent(v)
+		if v.Started != nil && (prev == nil || prev.Started == nil) {
+			if t.localTimeDiff == 0 {
+				t.localTimeDiff = time.Since(*v.Started)
+			}
+			t.vertexes = append(t.vertexes, t.byDigest[v.Digest])
+		}
+		t.byDigest[v.Digest].Vertex = v
+	}
+	for _, s := range s.Statuses {
+		v, ok := t.byDigest[s.Vertex]
+		if !ok {
+			continue // shouldn't happen
+		}
+		prev, ok := v.byID[s.ID]
+		if !ok {
+			v.byID[s.ID] = &status{VertexStatus: s}
+		}
+		if s.Started != nil && (prev == nil || prev.Started == nil) {
+			v.statuses = append(v.statuses, v.byID[s.ID])
+		}
+		v.byID[s.ID].VertexStatus = s
+		v.statusUpdates[s.ID] = struct{}{}
+		t.updates[v.Digest] = struct{}{}
+		v.update(1)
+	}
+	for _, l := range s.Logs {
+		v, ok := t.byDigest[l.Vertex]
+		if !ok {
+			continue // shouldn't happen
+		}
+		i := 0
+		complete := split(l.Data, byte('\n'), func(dt []byte) {
+			if v.logsPartial && len(v.logs) != 0 && i == 0 {
+				v.logs[len(v.logs)-1] = append(v.logs[len(v.logs)-1], dt...)
+			} else {
+				ts := time.Duration(0)
+				if v.Started != nil {
+					ts = l.Timestamp.Sub(*v.Started)
+				}
+				v.logs = append(v.logs, []byte(fmt.Sprintf("#%d %s %s", v.index, fmt.Sprintf("%#.4g", ts.Seconds())[:5], dt)))
+			}
+			i++
+		})
+		v.logsPartial = !complete
+		t.updates[v.Digest] = struct{}{}
+		v.update(1)
+	}
+}
+
+func (t *trace) printErrorLogs(f io.Writer) {
+	for _, v := range t.vertexes {
+		if v.Error != "" && !strings.HasSuffix(v.Error, context.Canceled.Error()) {
+			fmt.Fprintln(f, "------")
+			fmt.Fprintf(f, " > %s:\n", v.Name)
+			for _, l := range v.logs {
+				f.Write(l)
+				fmt.Fprintln(f)
+			}
+			fmt.Fprintln(f, "------")
+		}
+	}
+}
+
+func (t *trace) displayInfo() (d displayInfo) {
+	d.startTime = time.Now()
+	if t.localTimeDiff != 0 {
+		d.startTime = (*t.vertexes[0].Started).Add(t.localTimeDiff)
+	}
+	d.countTotal = len(t.byDigest)
+	for _, v := range t.byDigest {
+		if v.Completed != nil {
+			d.countCompleted++
+		}
+	}
+
+	for _, v := range t.vertexes {
+		j := job{
+			startTime:     addTime(v.Started, t.localTimeDiff),
+			completedTime: addTime(v.Completed, t.localTimeDiff),
+			name:          strings.Replace(v.Name, "\t", " ", -1),
+		}
+		if v.Error != "" {
+			if strings.HasSuffix(v.Error, context.Canceled.Error()) {
+				j.isCanceled = true
+				j.name = "CANCELED " + j.name
+			} else {
+				j.hasError = true
+				j.name = "ERROR " + j.name
+			}
+		}
+		if v.Cached {
+			j.name = "CACHED " + j.name
+		}
+		j.name = v.indent + j.name
+		d.jobs = append(d.jobs, j)
+		for _, s := range v.statuses {
+			j := job{
+				startTime:     addTime(s.Started, t.localTimeDiff),
+				completedTime: addTime(s.Completed, t.localTimeDiff),
+				name:          v.indent + "=> " + s.ID,
+			}
+			if s.Total != 0 {
+				j.status = fmt.Sprintf("%.2f / %.2f", units.Bytes(s.Current), units.Bytes(s.Total))
+			} else if s.Current != 0 {
+				j.status = fmt.Sprintf("%.2f", units.Bytes(s.Current))
+			}
+			d.jobs = append(d.jobs, j)
+		}
+	}
+
+	return d
+}
+
+func split(dt []byte, sep byte, fn func([]byte)) bool {
+	if len(dt) == 0 {
+		return false
+	}
+	for {
+		if len(dt) == 0 {
+			return true
+		}
+		idx := bytes.IndexByte(dt, sep)
+		if idx == -1 {
+			fn(dt)
+			return false
+		}
+		fn(dt[:idx])
+		dt = dt[idx+1:]
+	}
+}
+
+func addTime(tm *time.Time, d time.Duration) *time.Time {
+	if tm == nil {
+		return nil
+	}
+	t := (*tm).Add(d)
+	return &t
+}
+
+type display struct {
+	c         console.Console
+	lineCount int
+	repeated  bool
+}
+
+func (disp *display) print(d displayInfo, all bool) {
+	// this output is inspired by Buck
+	width := 80
+	height := 10
+	size, err := disp.c.Size()
+	if err == nil && size.Width > 0 && size.Height > 0 {
+		width = int(size.Width)
+		height = int(size.Height)
+	}
+
+	if !all {
+		d.jobs = wrapHeight(d.jobs, height-2)
+	}
+
+	b := aec.EmptyBuilder
+	for i := 0; i <= disp.lineCount; i++ {
+		b = b.Up(1)
+	}
+	if !disp.repeated {
+		b = b.Down(1)
+	}
+	disp.repeated = true
+	fmt.Fprint(disp.c, b.Column(0).ANSI)
+
+	statusStr := ""
+	if d.countCompleted > 0 && d.countCompleted == d.countTotal && all {
+		statusStr = "FINISHED"
+	}
+
+	fmt.Fprint(disp.c, aec.Hide)
+	defer fmt.Fprint(disp.c, aec.Show)
+
+	out := fmt.Sprintf("[+] Building %.1fs (%d/%d) %s", time.Since(d.startTime).Seconds(), d.countCompleted, d.countTotal, statusStr)
+	out = align(out, "", width)
+	fmt.Fprintln(disp.c, out)
+	lineCount := 0
+	for _, j := range d.jobs {
+		endTime := time.Now()
+		if j.completedTime != nil {
+			endTime = *j.completedTime
+		}
+		if j.startTime == nil {
+			continue
+		}
+		dt := endTime.Sub(*j.startTime).Seconds()
+		if dt < 0.05 {
+			dt = 0
+		}
+		pfx := " => "
+		timer := fmt.Sprintf(" %3.1fs\n", dt)
+		status := j.status
+		showStatus := false
+
+		left := width - len(pfx) - len(timer) - 1
+		if status != "" {
+			if left+len(status) > 20 {
+				showStatus = true
+				left -= len(status) + 1
+			}
+		}
+		if left < 12 { // too small screen to show progress
+			continue
+		}
+		if len(j.name) > left {
+			j.name = j.name[:left]
+		}
+
+		out := pfx + j.name
+		if showStatus {
+			out += " " + status
+		}
+
+		out = align(out, timer, width)
+		if j.completedTime != nil {
+			color := aec.BlueF
+			if j.isCanceled {
+				color = aec.YellowF
+			} else if j.hasError {
+				color = aec.RedF
+			}
+			out = aec.Apply(out, color)
+		}
+		fmt.Fprint(disp.c, out)
+		lineCount++
+	}
+	disp.lineCount = lineCount
+}
+
+func align(l, r string, w int) string {
+	return fmt.Sprintf("%-[2]*[1]s %[3]s", l, w-len(r)-1, r)
+}
+
+func wrapHeight(j []job, limit int) []job {
+	if len(j) > limit {
+		j = j[len(j)-limit:]
+	}
+	return j
+}
diff --git a/cli/vendor/github.com/moby/buildkit/util/progress/progressui/printer.go b/cli/vendor/github.com/moby/buildkit/util/progress/progressui/printer.go
new file mode 100644
index 00000000..3794105a
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/progress/progressui/printer.go
@@ -0,0 +1,248 @@
+package progressui
+
+import (
+	"fmt"
+	"io"
+	"time"
+
+	digest "github.com/opencontainers/go-digest"
+	"github.com/tonistiigi/units"
+)
+
+const antiFlicker = 5 * time.Second
+const maxDelay = 10 * time.Second
+const minTimeDelta = 5 * time.Second
+const minProgressDelta = 0.05 // %
+
+type lastStatus struct {
+	Current   int64
+	Timestamp time.Time
+}
+
+type textMux struct {
+	w       io.Writer
+	current digest.Digest
+	last    map[string]lastStatus
+}
+
+func (p *textMux) printVtx(t *trace, dgst digest.Digest) {
+	if p.last == nil {
+		p.last = make(map[string]lastStatus)
+	}
+
+	v, ok := t.byDigest[dgst]
+	if !ok {
+		return
+	}
+
+	if dgst != p.current {
+		if p.current != "" {
+			old := t.byDigest[p.current]
+			if old.logsPartial {
+				fmt.Fprintln(p.w, "")
+			}
+			old.logsOffset = 0
+			old.count = 0
+			fmt.Fprintf(p.w, "#%d ...\n", v.index)
+		}
+
+		fmt.Fprintf(p.w, "\n#%d %s\n", v.index, limitString(v.Name, 72))
+	}
+
+	if len(v.events) != 0 {
+		v.logsOffset = 0
+	}
+	for _, ev := range v.events {
+		fmt.Fprintf(p.w, "#%d %s\n", v.index, ev)
+	}
+	v.events = v.events[:0]
+
+	for _, s := range v.statuses {
+		if _, ok := v.statusUpdates[s.ID]; ok {
+			doPrint := true
+
+			if last, ok := p.last[s.ID]; ok && s.Completed == nil {
+				var progressDelta float64
+				if s.Total > 0 {
+					progressDelta = float64(s.Current-last.Current) / float64(s.Total)
+				}
+				timeDelta := s.Timestamp.Sub(last.Timestamp)
+				if progressDelta < minProgressDelta && timeDelta < minTimeDelta {
+					doPrint = false
+				}
+			}
+
+			if !doPrint {
+				continue
+			}
+
+			p.last[s.ID] = lastStatus{
+				Timestamp: s.Timestamp,
+				Current:   s.Current,
+			}
+
+			var bytes string
+			if s.Total != 0 {
+				bytes = fmt.Sprintf(" %.2f / %.2f", units.Bytes(s.Current), units.Bytes(s.Total))
+			} else if s.Current != 0 {
+				bytes = fmt.Sprintf(" %.2f", units.Bytes(s.Current))
+			}
+			var tm string
+			endTime := s.Timestamp
+			if s.Completed != nil {
+				endTime = *s.Completed
+			}
+			if s.Started != nil {
+				diff := endTime.Sub(*s.Started).Seconds()
+				if diff > 0.01 {
+					tm = fmt.Sprintf(" %.1fs", diff)
+				}
+			}
+			if s.Completed != nil {
+				tm += " done"
+			}
+			fmt.Fprintf(p.w, "#%d %s%s%s\n", v.index, s.ID, bytes, tm)
+		}
+	}
+	v.statusUpdates = map[string]struct{}{}
+
+	for i, l := range v.logs {
+		if i == 0 {
+			l = l[v.logsOffset:]
+		}
+		fmt.Fprintf(p.w, "%s", []byte(l))
+		if i != len(v.logs)-1 || !v.logsPartial {
+			fmt.Fprintln(p.w, "")
+		}
+	}
+
+	if len(v.logs) > 0 {
+		if v.logsPartial {
+			v.logs = v.logs[len(v.logs)-1:]
+			v.logsOffset = len(v.logs[0])
+		} else {
+			v.logs = nil
+			v.logsOffset = 0
+		}
+	}
+
+	p.current = dgst
+
+	if v.Completed != nil {
+		p.current = ""
+		v.count = 0
+		fmt.Fprintf(p.w, "\n")
+	}
+
+	delete(t.updates, dgst)
+}
+
+func (p *textMux) print(t *trace) {
+
+	completed := map[digest.Digest]struct{}{}
+	rest := map[digest.Digest]struct{}{}
+
+	for dgst := range t.updates {
+		v, ok := t.byDigest[dgst]
+		if !ok {
+			continue
+		}
+		if v.Vertex.Completed != nil {
+			completed[dgst] = struct{}{}
+		} else {
+			rest[dgst] = struct{}{}
+		}
+	}
+
+	current := p.current
+
+	// items that have completed need to be printed first
+	if _, ok := completed[current]; ok {
+		p.printVtx(t, current)
+	}
+
+	for dgst := range completed {
+		if dgst != current {
+			p.printVtx(t, dgst)
+		}
+	}
+
+	if len(rest) == 0 {
+		if current != "" {
+			if v := t.byDigest[current]; v.Started != nil && v.Completed == nil {
+				return
+			}
+		}
+		// make any open vertex active
+		for dgst, v := range t.byDigest {
+			if v.Started != nil && v.Completed == nil {
+				p.printVtx(t, dgst)
+				return
+			}
+		}
+		return
+	}
+
+	// now print the active one
+	if _, ok := rest[current]; ok {
+		p.printVtx(t, current)
+	}
+
+	stats := map[digest.Digest]*vtxStat{}
+	now := time.Now()
+	sum := 0.0
+	var max digest.Digest
+	if current != "" {
+		rest[current] = struct{}{}
+	}
+	for dgst := range rest {
+		v, ok := t.byDigest[dgst]
+		if !ok {
+			continue
+		}
+		tm := now.Sub(*v.lastBlockTime)
+		speed := float64(v.count) / tm.Seconds()
+		overLimit := tm > maxDelay && dgst != current
+		stats[dgst] = &vtxStat{blockTime: tm, speed: speed, overLimit: overLimit}
+		sum += speed
+		if overLimit || max == "" || stats[max].speed < speed {
+			max = dgst
+		}
+	}
+	for dgst := range stats {
+		stats[dgst].share = stats[dgst].speed / sum
+	}
+
+	if _, ok := completed[current]; ok || current == "" {
+		p.printVtx(t, max)
+		return
+	}
+
+	// show items that were hidden
+	for dgst := range rest {
+		if stats[dgst].overLimit {
+			p.printVtx(t, dgst)
+			return
+		}
+	}
+
+	// fair split between vertexes
+	if 1.0/(1.0-stats[current].share)*antiFlicker.Seconds() < stats[current].blockTime.Seconds() {
+		p.printVtx(t, max)
+		return
+	}
+}
+
+type vtxStat struct {
+	blockTime time.Duration
+	speed     float64
+	share     float64
+	overLimit bool
+}
+
+func limitString(s string, l int) string {
+	if len(s) > l {
+		return s[:l] + "..."
+	}
+	return s
+}
diff --git a/cli/vendor/github.com/moby/buildkit/util/system/path_unix.go b/cli/vendor/github.com/moby/buildkit/util/system/path_unix.go
new file mode 100644
index 00000000..c607c4db
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/system/path_unix.go
@@ -0,0 +1,14 @@
+// +build !windows
+
+package system
+
+// DefaultPathEnv is unix style list of directories to search for
+// executables. Each directory is separated from the next by a colon
+// ':' character .
+const DefaultPathEnv = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+// CheckSystemDriveAndRemoveDriveLetter verifies that a path, if it includes a drive letter,
+// is the system drive. This is a no-op on Linux.
+func CheckSystemDriveAndRemoveDriveLetter(path string) (string, error) {
+	return path, nil
+}
diff --git a/cli/vendor/github.com/moby/buildkit/util/system/path_windows.go b/cli/vendor/github.com/moby/buildkit/util/system/path_windows.go
new file mode 100644
index 00000000..cbfe2c15
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/system/path_windows.go
@@ -0,0 +1,37 @@
+// +build windows
+
+package system
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+)
+
+// DefaultPathEnv is deliberately empty on Windows as the default path will be set by
+// the container. Docker has no context of what the default path should be.
+const DefaultPathEnv = ""
+
+// CheckSystemDriveAndRemoveDriveLetter verifies and manipulates a Windows path.
+// This is used, for example, when validating a user provided path in docker cp.
+// If a drive letter is supplied, it must be the system drive. The drive letter
+// is always removed. Also, it translates it to OS semantics (IOW / to \). We
+// need the path in this syntax so that it can ultimately be contatenated with
+// a Windows long-path which doesn't support drive-letters. Examples:
+// C:			--> Fail
+// C:\			--> \
+// a			--> a
+// /a			--> \a
+// d:\			--> Fail
+func CheckSystemDriveAndRemoveDriveLetter(path string) (string, error) {
+	if len(path) == 2 && string(path[1]) == ":" {
+		return "", fmt.Errorf("No relative path specified in %q", path)
+	}
+	if !filepath.IsAbs(path) || len(path) < 2 {
+		return filepath.FromSlash(path), nil
+	}
+	if string(path[1]) == ":" && !strings.EqualFold(string(path[0]), "c") {
+		return "", fmt.Errorf("The specified path is not on the system drive (C:)")
+	}
+	return filepath.FromSlash(path[2:]), nil
+}
diff --git a/cli/vendor/github.com/moby/buildkit/util/system/seccomp_linux.go b/cli/vendor/github.com/moby/buildkit/util/system/seccomp_linux.go
new file mode 100644
index 00000000..62afa03f
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/system/seccomp_linux.go
@@ -0,0 +1,29 @@
+// +build linux,seccomp
+
+package system
+
+import (
+	"sync"
+
+	"golang.org/x/sys/unix"
+)
+
+var seccompSupported bool
+var seccompOnce sync.Once
+
+func SeccompSupported() bool {
+	seccompOnce.Do(func() {
+		seccompSupported = getSeccompSupported()
+	})
+	return seccompSupported
+}
+
+func getSeccompSupported() bool {
+	if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+			return true
+		}
+	}
+	return false
+}
diff --git a/cli/vendor/github.com/moby/buildkit/util/system/seccomp_nolinux.go b/cli/vendor/github.com/moby/buildkit/util/system/seccomp_nolinux.go
new file mode 100644
index 00000000..e348c379
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/system/seccomp_nolinux.go
@@ -0,0 +1,7 @@
+// +build !linux,seccomp
+
+package system
+
+func SeccompSupported() bool {
+	return false
+}
diff --git a/cli/vendor/github.com/moby/buildkit/util/system/seccomp_noseccomp.go b/cli/vendor/github.com/moby/buildkit/util/system/seccomp_noseccomp.go
new file mode 100644
index 00000000..84cfb7fa
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/util/system/seccomp_noseccomp.go
@@ -0,0 +1,7 @@
+// +build !seccomp
+
+package system
+
+func SeccompSupported() bool {
+	return false
+}
diff --git a/cli/vendor/github.com/moby/buildkit/vendor.conf b/cli/vendor/github.com/moby/buildkit/vendor.conf
new file mode 100644
index 00000000..9bde31d7
--- /dev/null
+++ b/cli/vendor/github.com/moby/buildkit/vendor.conf
@@ -0,0 +1,69 @@
+github.com/boltdb/bolt e9cf4fae01b5a8ff89d0ec6b32f0d9c9f79aefdd
+github.com/pkg/errors v0.8.0
+
+github.com/stretchr/testify v1.1.4
+github.com/davecgh/go-spew v1.1.0
+github.com/pmezard/go-difflib v1.0.0
+golang.org/x/sys 314a259e304ff91bd6985da2a7149bbf91237993
+
+github.com/containerd/containerd b41633746ed4833f52c3c071e8edcfa2713e5677
+github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
+golang.org/x/sync 450f422ab23cf9881c94e2db30cac0eb1b7cf80c
+github.com/sirupsen/logrus v1.0.0
+google.golang.org/grpc v1.12.0
+github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7
+golang.org/x/net 0ed95abb35c445290478a5348a7b38bb154135fd
+github.com/gogo/protobuf v1.0.0
+github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
+github.com/golang/protobuf v1.1.0
+github.com/containerd/continuity d3c23511c1bf5851696cba83143d9cbcd666869b
+github.com/opencontainers/image-spec v1.0.1
+github.com/opencontainers/runc ad0f5255060d36872be04de22f8731f38ef2d7b1
+github.com/Microsoft/go-winio v0.4.7
+github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
+github.com/opencontainers/runtime-spec v1.0.1
+github.com/containerd/go-runc f271fa2021de855d4d918dbef83c5fe19db1bdd5
+github.com/containerd/console 5d1b48d6114b8c9666f0c8b916f871af97b0a761
+google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
+golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
+github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
+github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
+github.com/Microsoft/hcsshim v0.6.11
+
+github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
+github.com/morikuni/aec 39771216ff4c63d11f5e604076f9c45e8be1067b
+github.com/docker/go-units v0.3.1
+github.com/google/shlex 6f45313302b9c56850fc17f99e40caebce98c716
+golang.org/x/time f51c12702a4d776e4c1fa9b0fabab841babae631
+
+github.com/docker/docker 71cd53e4a197b303c6ba086bd584ffd67a884281
+github.com/pkg/profile 5b67d428864e92711fcbd2f8629456121a56d91f
+
+github.com/tonistiigi/fsutil 8abad97ee3969cdf5e9c367f46adba2c212b3ddb
+github.com/hashicorp/go-immutable-radix 826af9ccf0feeee615d546d69b11f8e98da8c8f1 git://github.com/tonistiigi/go-immutable-radix.git
+github.com/hashicorp/golang-lru a0d98a5f288019575c6d1f4bb1573fef2d1fcdc4
+github.com/mitchellh/hashstructure 2bca23e0e452137f789efbc8610126fd8b94f73b
+github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
+github.com/docker/distribution 30578ca32960a4d368bf6db67b0a33c2a1f3dc6f
+
+github.com/tonistiigi/units 6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
+github.com/docker/cli 99576756eb3303b7af8102c502f21a912e3c1af6 https://github.com/tonistiigi/docker-cli.git
+github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
+github.com/docker/libnetwork 822e5b59d346b7ad0735df2c8e445e9787320e67
+
+
+github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
+github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
+github.com/uber/jaeger-client-go e02c85f9069ea625a96fc4e1afb5e9ac6c569a6d
+github.com/apache/thrift b2a4d4ae21c789b689dd162deb819665567f481c
+github.com/uber/jaeger-lib c48167d9cae5887393dd5e61efd06a4a48b7fbb3
+github.com/codahale/hdrhistogram f8ad88b59a584afeee9d334eff879b104439117b
+
+github.com/opentracing-contrib/go-stdlib b1a47cfbdd7543e70e9ef3e73d0802ad306cc1cc
+
+# used by dockerfile tests
+gotest.tools v2.1.0
+github.com/google/go-cmp v0.2.0
+
+# used by rootless spec conv test
+github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
diff --git a/cli/vendor/github.com/morikuni/aec/LICENSE b/cli/vendor/github.com/morikuni/aec/LICENSE
new file mode 100644
index 00000000..1c264016
--- /dev/null
+++ b/cli/vendor/github.com/morikuni/aec/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Taihei Morikuni
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/cli/vendor/github.com/morikuni/aec/README.md b/cli/vendor/github.com/morikuni/aec/README.md
new file mode 100644
index 00000000..3cbc4343
--- /dev/null
+++ b/cli/vendor/github.com/morikuni/aec/README.md
@@ -0,0 +1,178 @@
+# aec
+
+[![GoDoc](https://godoc.org/github.com/morikuni/aec?status.svg)](https://godoc.org/github.com/morikuni/aec)
+
+Go wrapper for ANSI escape code.
+
+## Install
+
+```bash
+go get github.com/morikuni/aec
+```
+
+## Features
+
+ANSI escape codes depend on terminal environment.  
+Some of these features may not work.  
+Check supported Font-Style/Font-Color features with [checkansi](./checkansi).
+
+[Wikipedia](https://en.wikipedia.org/wiki/ANSI_escape_code) for more detail.
+
+### Cursor
+
+- `Up(n)`
+- `Down(n)`
+- `Right(n)`
+- `Left(n)`
+- `NextLine(n)`
+- `PreviousLine(n)`
+- `Column(col)`
+- `Position(row, col)`
+- `Save`
+- `Restore`
+- `Hide`
+- `Show`
+- `Report`
+
+### Erase
+
+- `EraseDisplay(mode)`
+- `EraseLine(mode)`
+
+### Scroll
+
+- `ScrollUp(n)`
+- `ScrollDown(n)`
+
+### Font Style
+
+- `Bold`
+- `Faint`
+- `Italic`
+- `Underline`
+- `BlinkSlow`
+- `BlinkRapid`
+- `Inverse`
+- `Conceal`
+- `CrossOut`
+- `Frame`
+- `Encircle`
+- `Overline`
+
+### Font Color
+
+Foreground color.
+
+- `DefaultF`
+- `BlackF`
+- `RedF`
+- `GreenF`
+- `YellowF`
+- `BlueF`
+- `MagentaF`
+- `CyanF`
+- `WhiteF`
+- `LightBlackF`
+- `LightRedF`
+- `LightGreenF`
+- `LightYellowF`
+- `LightBlueF`
+- `LightMagentaF`
+- `LightCyanF`
+- `LightWhiteF`
+- `Color3BitF(color)`
+- `Color8BitF(color)`
+- `FullColorF(r, g, b)`
+
+Background color.
+
+- `DefaultB`
+- `BlackB`
+- `RedB`
+- `GreenB`
+- `YellowB`
+- `BlueB`
+- `MagentaB`
+- `CyanB`
+- `WhiteB`
+- `LightBlackB`
+- `LightRedB`
+- `LightGreenB`
+- `LightYellowB`
+- `LightBlueB`
+- `LightMagentaB`
+- `LightCyanB`
+- `LightWhiteB`
+- `Color3BitB(color)`
+- `Color8BitB(color)`
+- `FullColorB(r, g, b)`
+
+### Color Converter
+
+24bit RGB color to ANSI color.
+
+- `NewRGB3Bit(r, g, b)`
+- `NewRGB8Bit(r, g, b)`
+
+### Builder
+
+To mix these features.
+
+```go
+custom := aec.EmptyBuilder.Right(2).RGB8BitF(128, 255, 64).RedB().ANSI
+custom.Apply("Hello World")
+```
+
+## Usage
+
+1. Create ANSI by `aec.XXX().With(aec.YYY())` or `aec.EmptyBuilder.XXX().YYY().ANSI`
+2. Print ANSI by `fmt.Print(ansi, "some string", aec.Reset)` or `fmt.Print(ansi.Apply("some string"))`
+
+`aec.Reset` should be added when using font style or font color features.
+
+## Example
+
+Simple progressbar.
+
+![sample](./sample.gif)
+
+```go
+package main
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/morikuni/aec"
+)
+
+func main() {
+	const n = 20
+	builder := aec.EmptyBuilder
+
+	up2 := aec.Up(2)
+	col := aec.Column(n + 2)
+	bar := aec.Color8BitF(aec.NewRGB8Bit(64, 255, 64))
+	label := builder.LightRedF().Underline().With(col).Right(1).ANSI
+
+	// for up2
+	fmt.Println()
+	fmt.Println()
+
+	for i := 0; i <= n; i++ {
+		fmt.Print(up2)
+		fmt.Println(label.Apply(fmt.Sprint(i, "/", n)))
+		fmt.Print("[")
+		fmt.Print(bar.Apply(strings.Repeat("=", i)))
+		fmt.Println(col.Apply("]"))
+		time.Sleep(100 * time.Millisecond)
+	}
+}
+```
+
+## License
+
+[MIT](./LICENSE)
+
+
diff --git a/cli/vendor/github.com/morikuni/aec/aec.go b/cli/vendor/github.com/morikuni/aec/aec.go
new file mode 100644
index 00000000..566be6eb
--- /dev/null
+++ b/cli/vendor/github.com/morikuni/aec/aec.go
@@ -0,0 +1,137 @@
+package aec
+
+import "fmt"
+
+// EraseMode is listed in a variable EraseModes.
+type EraseMode uint
+
+var (
+	// EraseModes is a list of EraseMode.
+	EraseModes struct {
+		// All erase all.
+		All EraseMode
+
+		// Head erase to head.
+		Head EraseMode
+
+		// Tail erase to tail.
+		Tail EraseMode
+	}
+
+	// Save saves the cursor position.
+	Save ANSI
+
+	// Restore restores the cursor position.
+	Restore ANSI
+
+	// Hide hides the cursor.
+	Hide ANSI
+
+	// Show shows the cursor.
+	Show ANSI
+
+	// Report reports the cursor position.
+	Report ANSI
+)
+
+// Up moves up the cursor.
+func Up(n uint) ANSI {
+	if n == 0 {
+		return empty
+	}
+	return newAnsi(fmt.Sprintf(esc+"%dA", n))
+}
+
+// Down moves down the cursor.
+func Down(n uint) ANSI {
+	if n == 0 {
+		return empty
+	}
+	return newAnsi(fmt.Sprintf(esc+"%dB", n))
+}
+
+// Right moves right the cursor.
+func Right(n uint) ANSI {
+	if n == 0 {
+		return empty
+	}
+	return newAnsi(fmt.Sprintf(esc+"%dC", n))
+}
+
+// Left moves left the cursor.
+func Left(n uint) ANSI {
+	if n == 0 {
+		return empty
+	}
+	return newAnsi(fmt.Sprintf(esc+"%dD", n))
+}
+
+// NextLine moves down the cursor to head of a line.
+func NextLine(n uint) ANSI {
+	if n == 0 {
+		return empty
+	}
+	return newAnsi(fmt.Sprintf(esc+"%dE", n))
+}
+
+// PreviousLine moves up the cursor to head of a line.
+func PreviousLine(n uint) ANSI {
+	if n == 0 {
+		return empty
+	}
+	return newAnsi(fmt.Sprintf(esc+"%dF", n))
+}
+
+// Column set the cursor position to a given column.
+func Column(col uint) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"%dG", col))
+}
+
+// Position set the cursor position to a given absolute position.
+func Position(row, col uint) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"%d;%dH", row, col))
+}
+
+// EraseDisplay erases display by given EraseMode.
+func EraseDisplay(m EraseMode) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"%dJ", m))
+}
+
+// EraseLine erases lines by given EraseMode.
+func EraseLine(m EraseMode) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"%dK", m))
+}
+
+// ScrollUp scrolls up the page.
+func ScrollUp(n int) ANSI {
+	if n == 0 {
+		return empty
+	}
+	return newAnsi(fmt.Sprintf(esc+"%dS", n))
+}
+
+// ScrollDown scrolls down the page.
+func ScrollDown(n int) ANSI {
+	if n == 0 {
+		return empty
+	}
+	return newAnsi(fmt.Sprintf(esc+"%dT", n))
+}
+
+func init() {
+	EraseModes = struct {
+		All  EraseMode
+		Head EraseMode
+		Tail EraseMode
+	}{
+		Tail: 0,
+		Head: 1,
+		All:  2,
+	}
+
+	Save = newAnsi(esc + "s")
+	Restore = newAnsi(esc + "u")
+	Hide = newAnsi(esc + "?25l")
+	Show = newAnsi(esc + "?25h")
+	Report = newAnsi(esc + "6n")
+}
diff --git a/cli/vendor/github.com/morikuni/aec/ansi.go b/cli/vendor/github.com/morikuni/aec/ansi.go
new file mode 100644
index 00000000..e60722e6
--- /dev/null
+++ b/cli/vendor/github.com/morikuni/aec/ansi.go
@@ -0,0 +1,59 @@
+package aec
+
+import (
+	"fmt"
+	"strings"
+)
+
+const esc = "\x1b["
+
+// Reset resets SGR effect.
+const Reset string = "\x1b[0m"
+
+var empty = newAnsi("")
+
+// ANSI represents ANSI escape code.
+type ANSI interface {
+	fmt.Stringer
+
+	// With adapts given ANSIs.
+	With(...ANSI) ANSI
+
+	// Apply wraps given string in ANSI.
+	Apply(string) string
+}
+
+type ansiImpl string
+
+func newAnsi(s string) *ansiImpl {
+	r := ansiImpl(s)
+	return &r
+}
+
+func (a *ansiImpl) With(ansi ...ANSI) ANSI {
+	return concat(append([]ANSI{a}, ansi...))
+}
+
+func (a *ansiImpl) Apply(s string) string {
+	return a.String() + s + Reset
+}
+
+func (a *ansiImpl) String() string {
+	return string(*a)
+}
+
+// Apply wraps given string in ANSIs.
+func Apply(s string, ansi ...ANSI) string {
+	if len(ansi) == 0 {
+		return s
+	}
+	return concat(ansi).Apply(s)
+}
+
+func concat(ansi []ANSI) ANSI {
+	strs := make([]string, 0, len(ansi))
+	for _, p := range ansi {
+		strs = append(strs, p.String())
+	}
+	return newAnsi(strings.Join(strs, ""))
+}
diff --git a/cli/vendor/github.com/morikuni/aec/builder.go b/cli/vendor/github.com/morikuni/aec/builder.go
new file mode 100644
index 00000000..13bd002d
--- /dev/null
+++ b/cli/vendor/github.com/morikuni/aec/builder.go
@@ -0,0 +1,388 @@
+package aec
+
+// Builder is a lightweight syntax to construct customized ANSI.
+type Builder struct {
+	ANSI ANSI
+}
+
+// EmptyBuilder is an initialized Builder.
+var EmptyBuilder *Builder
+
+// NewBuilder creates a Builder from existing ANSI.
+func NewBuilder(a ...ANSI) *Builder {
+	return &Builder{concat(a)}
+}
+
+// With is a syntax for With.
+func (builder *Builder) With(a ...ANSI) *Builder {
+	return NewBuilder(builder.ANSI.With(a...))
+}
+
+// Up is a syntax for Up.
+func (builder *Builder) Up(n uint) *Builder {
+	return builder.With(Up(n))
+}
+
+// Down is a syntax for Down.
+func (builder *Builder) Down(n uint) *Builder {
+	return builder.With(Down(n))
+}
+
+// Right is a syntax for Right.
+func (builder *Builder) Right(n uint) *Builder {
+	return builder.With(Right(n))
+}
+
+// Left is a syntax for Left.
+func (builder *Builder) Left(n uint) *Builder {
+	return builder.With(Left(n))
+}
+
+// NextLine is a syntax for NextLine.
+func (builder *Builder) NextLine(n uint) *Builder {
+	return builder.With(NextLine(n))
+}
+
+// PreviousLine is a syntax for PreviousLine.
+func (builder *Builder) PreviousLine(n uint) *Builder {
+	return builder.With(PreviousLine(n))
+}
+
+// Column is a syntax for Column.
+func (builder *Builder) Column(col uint) *Builder {
+	return builder.With(Column(col))
+}
+
+// Position is a syntax for Position.
+func (builder *Builder) Position(row, col uint) *Builder {
+	return builder.With(Position(row, col))
+}
+
+// EraseDisplay is a syntax for EraseDisplay.
+func (builder *Builder) EraseDisplay(m EraseMode) *Builder {
+	return builder.With(EraseDisplay(m))
+}
+
+// EraseLine is a syntax for EraseLine.
+func (builder *Builder) EraseLine(m EraseMode) *Builder {
+	return builder.With(EraseLine(m))
+}
+
+// ScrollUp is a syntax for ScrollUp.
+func (builder *Builder) ScrollUp(n int) *Builder {
+	return builder.With(ScrollUp(n))
+}
+
+// ScrollDown is a syntax for ScrollDown.
+func (builder *Builder) ScrollDown(n int) *Builder {
+	return builder.With(ScrollDown(n))
+}
+
+// Save is a syntax for Save.
+func (builder *Builder) Save() *Builder {
+	return builder.With(Save)
+}
+
+// Restore is a syntax for Restore.
+func (builder *Builder) Restore() *Builder {
+	return builder.With(Restore)
+}
+
+// Hide is a syntax for Hide.
+func (builder *Builder) Hide() *Builder {
+	return builder.With(Hide)
+}
+
+// Show is a syntax for Show.
+func (builder *Builder) Show() *Builder {
+	return builder.With(Show)
+}
+
+// Report is a syntax for Report.
+func (builder *Builder) Report() *Builder {
+	return builder.With(Report)
+}
+
+// Bold is a syntax for Bold.
+func (builder *Builder) Bold() *Builder {
+	return builder.With(Bold)
+}
+
+// Faint is a syntax for Faint.
+func (builder *Builder) Faint() *Builder {
+	return builder.With(Faint)
+}
+
+// Italic is a syntax for Italic.
+func (builder *Builder) Italic() *Builder {
+	return builder.With(Italic)
+}
+
+// Underline is a syntax for Underline.
+func (builder *Builder) Underline() *Builder {
+	return builder.With(Underline)
+}
+
+// BlinkSlow is a syntax for BlinkSlow.
+func (builder *Builder) BlinkSlow() *Builder {
+	return builder.With(BlinkSlow)
+}
+
+// BlinkRapid is a syntax for BlinkRapid.
+func (builder *Builder) BlinkRapid() *Builder {
+	return builder.With(BlinkRapid)
+}
+
+// Inverse is a syntax for Inverse.
+func (builder *Builder) Inverse() *Builder {
+	return builder.With(Inverse)
+}
+
+// Conceal is a syntax for Conceal.
+func (builder *Builder) Conceal() *Builder {
+	return builder.With(Conceal)
+}
+
+// CrossOut is a syntax for CrossOut.
+func (builder *Builder) CrossOut() *Builder {
+	return builder.With(CrossOut)
+}
+
+// BlackF is a syntax for BlackF.
+func (builder *Builder) BlackF() *Builder {
+	return builder.With(BlackF)
+}
+
+// RedF is a syntax for RedF.
+func (builder *Builder) RedF() *Builder {
+	return builder.With(RedF)
+}
+
+// GreenF is a syntax for GreenF.
+func (builder *Builder) GreenF() *Builder {
+	return builder.With(GreenF)
+}
+
+// YellowF is a syntax for YellowF.
+func (builder *Builder) YellowF() *Builder {
+	return builder.With(YellowF)
+}
+
+// BlueF is a syntax for BlueF.
+func (builder *Builder) BlueF() *Builder {
+	return builder.With(BlueF)
+}
+
+// MagentaF is a syntax for MagentaF.
+func (builder *Builder) MagentaF() *Builder {
+	return builder.With(MagentaF)
+}
+
+// CyanF is a syntax for CyanF.
+func (builder *Builder) CyanF() *Builder {
+	return builder.With(CyanF)
+}
+
+// WhiteF is a syntax for WhiteF.
+func (builder *Builder) WhiteF() *Builder {
+	return builder.With(WhiteF)
+}
+
+// DefaultF is a syntax for DefaultF.
+func (builder *Builder) DefaultF() *Builder {
+	return builder.With(DefaultF)
+}
+
+// BlackB is a syntax for BlackB.
+func (builder *Builder) BlackB() *Builder {
+	return builder.With(BlackB)
+}
+
+// RedB is a syntax for RedB.
+func (builder *Builder) RedB() *Builder {
+	return builder.With(RedB)
+}
+
+// GreenB is a syntax for GreenB.
+func (builder *Builder) GreenB() *Builder {
+	return builder.With(GreenB)
+}
+
+// YellowB is a syntax for YellowB.
+func (builder *Builder) YellowB() *Builder {
+	return builder.With(YellowB)
+}
+
+// BlueB is a syntax for BlueB.
+func (builder *Builder) BlueB() *Builder {
+	return builder.With(BlueB)
+}
+
+// MagentaB is a syntax for MagentaB.
+func (builder *Builder) MagentaB() *Builder {
+	return builder.With(MagentaB)
+}
+
+// CyanB is a syntax for CyanB.
+func (builder *Builder) CyanB() *Builder {
+	return builder.With(CyanB)
+}
+
+// WhiteB is a syntax for WhiteB.
+func (builder *Builder) WhiteB() *Builder {
+	return builder.With(WhiteB)
+}
+
+// DefaultB is a syntax for DefaultB.
+func (builder *Builder) DefaultB() *Builder {
+	return builder.With(DefaultB)
+}
+
+// Frame is a syntax for Frame.
+func (builder *Builder) Frame() *Builder {
+	return builder.With(Frame)
+}
+
+// Encircle is a syntax for Encircle.
+func (builder *Builder) Encircle() *Builder {
+	return builder.With(Encircle)
+}
+
+// Overline is a syntax for Overline.
+func (builder *Builder) Overline() *Builder {
+	return builder.With(Overline)
+}
+
+// LightBlackF is a syntax for LightBlueF.
+func (builder *Builder) LightBlackF() *Builder {
+	return builder.With(LightBlackF)
+}
+
+// LightRedF is a syntax for LightRedF.
+func (builder *Builder) LightRedF() *Builder {
+	return builder.With(LightRedF)
+}
+
+// LightGreenF is a syntax for LightGreenF.
+func (builder *Builder) LightGreenF() *Builder {
+	return builder.With(LightGreenF)
+}
+
+// LightYellowF is a syntax for LightYellowF.
+func (builder *Builder) LightYellowF() *Builder {
+	return builder.With(LightYellowF)
+}
+
+// LightBlueF is a syntax for LightBlueF.
+func (builder *Builder) LightBlueF() *Builder {
+	return builder.With(LightBlueF)
+}
+
+// LightMagentaF is a syntax for LightMagentaF.
+func (builder *Builder) LightMagentaF() *Builder {
+	return builder.With(LightMagentaF)
+}
+
+// LightCyanF is a syntax for LightCyanF.
+func (builder *Builder) LightCyanF() *Builder {
+	return builder.With(LightCyanF)
+}
+
+// LightWhiteF is a syntax for LightWhiteF.
+func (builder *Builder) LightWhiteF() *Builder {
+	return builder.With(LightWhiteF)
+}
+
+// LightBlackB is a syntax for LightBlackB.
+func (builder *Builder) LightBlackB() *Builder {
+	return builder.With(LightBlackB)
+}
+
+// LightRedB is a syntax for LightRedB.
+func (builder *Builder) LightRedB() *Builder {
+	return builder.With(LightRedB)
+}
+
+// LightGreenB is a syntax for LightGreenB.
+func (builder *Builder) LightGreenB() *Builder {
+	return builder.With(LightGreenB)
+}
+
+// LightYellowB is a syntax for LightYellowB.
+func (builder *Builder) LightYellowB() *Builder {
+	return builder.With(LightYellowB)
+}
+
+// LightBlueB is a syntax for LightBlueB.
+func (builder *Builder) LightBlueB() *Builder {
+	return builder.With(LightBlueB)
+}
+
+// LightMagentaB is a syntax for LightMagentaB.
+func (builder *Builder) LightMagentaB() *Builder {
+	return builder.With(LightMagentaB)
+}
+
+// LightCyanB is a syntax for LightCyanB.
+func (builder *Builder) LightCyanB() *Builder {
+	return builder.With(LightCyanB)
+}
+
+// LightWhiteB is a syntax for LightWhiteB.
+func (builder *Builder) LightWhiteB() *Builder {
+	return builder.With(LightWhiteB)
+}
+
+// Color3BitF is a syntax for Color3BitF.
+func (builder *Builder) Color3BitF(c RGB3Bit) *Builder {
+	return builder.With(Color3BitF(c))
+}
+
+// Color3BitB is a syntax for Color3BitB.
+func (builder *Builder) Color3BitB(c RGB3Bit) *Builder {
+	return builder.With(Color3BitB(c))
+}
+
+// Color8BitF is a syntax for Color8BitF.
+func (builder *Builder) Color8BitF(c RGB8Bit) *Builder {
+	return builder.With(Color8BitF(c))
+}
+
+// Color8BitB is a syntax for Color8BitB.
+func (builder *Builder) Color8BitB(c RGB8Bit) *Builder {
+	return builder.With(Color8BitB(c))
+}
+
+// FullColorF is a syntax for FullColorF.
+func (builder *Builder) FullColorF(r, g, b uint8) *Builder {
+	return builder.With(FullColorF(r, g, b))
+}
+
+// FullColorB is a syntax for FullColorB.
+func (builder *Builder) FullColorB(r, g, b uint8) *Builder {
+	return builder.With(FullColorB(r, g, b))
+}
+
+// RGB3BitF is a syntax for Color3BitF with NewRGB3Bit.
+func (builder *Builder) RGB3BitF(r, g, b uint8) *Builder {
+	return builder.Color3BitF(NewRGB3Bit(r, g, b))
+}
+
+// RGB3BitB is a syntax for Color3BitB with NewRGB3Bit.
+func (builder *Builder) RGB3BitB(r, g, b uint8) *Builder {
+	return builder.Color3BitB(NewRGB3Bit(r, g, b))
+}
+
+// RGB8BitF is a syntax for Color8BitF with NewRGB8Bit.
+func (builder *Builder) RGB8BitF(r, g, b uint8) *Builder {
+	return builder.Color8BitF(NewRGB8Bit(r, g, b))
+}
+
+// RGB8BitB is a syntax for Color8BitB with NewRGB8Bit.
+func (builder *Builder) RGB8BitB(r, g, b uint8) *Builder {
+	return builder.Color8BitB(NewRGB8Bit(r, g, b))
+}
+
+func init() {
+	EmptyBuilder = &Builder{empty}
+}
diff --git a/cli/vendor/github.com/morikuni/aec/sgr.go b/cli/vendor/github.com/morikuni/aec/sgr.go
new file mode 100644
index 00000000..0ba3464e
--- /dev/null
+++ b/cli/vendor/github.com/morikuni/aec/sgr.go
@@ -0,0 +1,202 @@
+package aec
+
+import (
+	"fmt"
+)
+
+// RGB3Bit is a 3bit RGB color.
+type RGB3Bit uint8
+
+// RGB8Bit is a 8bit RGB color.
+type RGB8Bit uint8
+
+func newSGR(n uint) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"%dm", n))
+}
+
+// NewRGB3Bit create a RGB3Bit from given RGB.
+func NewRGB3Bit(r, g, b uint8) RGB3Bit {
+	return RGB3Bit((r >> 7) | ((g >> 6) & 0x2) | ((b >> 5) & 0x4))
+}
+
+// NewRGB8Bit create a RGB8Bit from given RGB.
+func NewRGB8Bit(r, g, b uint8) RGB8Bit {
+	return RGB8Bit(16 + 36*(r/43) + 6*(g/43) + b/43)
+}
+
+// Color3BitF set the foreground color of text.
+func Color3BitF(c RGB3Bit) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"%dm", c+30))
+}
+
+// Color3BitB set the background color of text.
+func Color3BitB(c RGB3Bit) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"%dm", c+40))
+}
+
+// Color8BitF set the foreground color of text.
+func Color8BitF(c RGB8Bit) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"38;5;%dm", c))
+}
+
+// Color8BitB set the background color of text.
+func Color8BitB(c RGB8Bit) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"48;5;%dm", c))
+}
+
+// FullColorF set the foreground color of text.
+func FullColorF(r, g, b uint8) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"38;2;%d;%d;%dm", r, g, b))
+}
+
+// FullColorB set the foreground color of text.
+func FullColorB(r, g, b uint8) ANSI {
+	return newAnsi(fmt.Sprintf(esc+"48;2;%d;%d;%dm", r, g, b))
+}
+
+// Style
+var (
+	// Bold set the text style to bold or increased intensity.
+	Bold ANSI
+
+	// Faint set the text style to faint.
+	Faint ANSI
+
+	// Italic set the text style to italic.
+	Italic ANSI
+
+	// Underline set the text style to underline.
+	Underline ANSI
+
+	// BlinkSlow set the text style to slow blink.
+	BlinkSlow ANSI
+
+	// BlinkRapid set the text style to rapid blink.
+	BlinkRapid ANSI
+
+	// Inverse swap the foreground color and background color.
+	Inverse ANSI
+
+	// Conceal set the text style to conceal.
+	Conceal ANSI
+
+	// CrossOut set the text style to crossed out.
+	CrossOut ANSI
+
+	// Frame set the text style to framed.
+	Frame ANSI
+
+	// Encircle set the text style to encircled.
+	Encircle ANSI
+
+	// Overline set the text style to overlined.
+	Overline ANSI
+)
+
+// Foreground color of text.
+var (
+	// DefaultF is the default color of foreground.
+	DefaultF ANSI
+
+	// Normal color
+	BlackF   ANSI
+	RedF     ANSI
+	GreenF   ANSI
+	YellowF  ANSI
+	BlueF    ANSI
+	MagentaF ANSI
+	CyanF    ANSI
+	WhiteF   ANSI
+
+	// Light color
+	LightBlackF   ANSI
+	LightRedF     ANSI
+	LightGreenF   ANSI
+	LightYellowF  ANSI
+	LightBlueF    ANSI
+	LightMagentaF ANSI
+	LightCyanF    ANSI
+	LightWhiteF   ANSI
+)
+
+// Background color of text.
+var (
+	// DefaultB is the default color of background.
+	DefaultB ANSI
+
+	// Normal color
+	BlackB   ANSI
+	RedB     ANSI
+	GreenB   ANSI
+	YellowB  ANSI
+	BlueB    ANSI
+	MagentaB ANSI
+	CyanB    ANSI
+	WhiteB   ANSI
+
+	// Light color
+	LightBlackB   ANSI
+	LightRedB     ANSI
+	LightGreenB   ANSI
+	LightYellowB  ANSI
+	LightBlueB    ANSI
+	LightMagentaB ANSI
+	LightCyanB    ANSI
+	LightWhiteB   ANSI
+)
+
+func init() {
+	Bold = newSGR(1)
+	Faint = newSGR(2)
+	Italic = newSGR(3)
+	Underline = newSGR(4)
+	BlinkSlow = newSGR(5)
+	BlinkRapid = newSGR(6)
+	Inverse = newSGR(7)
+	Conceal = newSGR(8)
+	CrossOut = newSGR(9)
+
+	BlackF = newSGR(30)
+	RedF = newSGR(31)
+	GreenF = newSGR(32)
+	YellowF = newSGR(33)
+	BlueF = newSGR(34)
+	MagentaF = newSGR(35)
+	CyanF = newSGR(36)
+	WhiteF = newSGR(37)
+
+	DefaultF = newSGR(39)
+
+	BlackB = newSGR(40)
+	RedB = newSGR(41)
+	GreenB = newSGR(42)
+	YellowB = newSGR(43)
+	BlueB = newSGR(44)
+	MagentaB = newSGR(45)
+	CyanB = newSGR(46)
+	WhiteB = newSGR(47)
+
+	DefaultB = newSGR(49)
+
+	Frame = newSGR(51)
+	Encircle = newSGR(52)
+	Overline = newSGR(53)
+
+	LightBlackF = newSGR(90)
+	LightRedF = newSGR(91)
+	LightGreenF = newSGR(92)
+	LightYellowF = newSGR(93)
+	LightBlueF = newSGR(94)
+	LightMagentaF = newSGR(95)
+	LightCyanF = newSGR(96)
+	LightWhiteF = newSGR(97)
+
+	LightBlackB = newSGR(100)
+	LightRedB = newSGR(101)
+	LightGreenB = newSGR(102)
+	LightYellowB = newSGR(103)
+	LightBlueB = newSGR(104)
+	LightMagentaB = newSGR(105)
+	LightCyanB = newSGR(106)
+	LightWhiteB = newSGR(107)
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/LICENSE b/cli/vendor/github.com/tonistiigi/fsutil/LICENSE
new file mode 100644
index 00000000..7df441d9
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/LICENSE
@@ -0,0 +1,22 @@
+MIT
+
+Copyright 2017 Tõnis Tiigi <tonistiigi@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/chtimes_linux.go b/cli/vendor/github.com/tonistiigi/fsutil/chtimes_linux.go
new file mode 100644
index 00000000..74f08a15
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/chtimes_linux.go
@@ -0,0 +1,20 @@
+// +build linux
+
+package fsutil
+
+import (
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+func chtimes(path string, un int64) error {
+	var utimes [2]unix.Timespec
+	utimes[0] = unix.NsecToTimespec(un)
+	utimes[1] = utimes[0]
+
+	if err := unix.UtimesNanoAt(unix.AT_FDCWD, path, utimes[0:], unix.AT_SYMLINK_NOFOLLOW); err != nil {
+		return errors.Wrap(err, "failed call to UtimesNanoAt")
+	}
+
+	return nil
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/chtimes_nolinux.go b/cli/vendor/github.com/tonistiigi/fsutil/chtimes_nolinux.go
new file mode 100644
index 00000000..cdd80ec9
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/chtimes_nolinux.go
@@ -0,0 +1,20 @@
+// +build !linux
+
+package fsutil
+
+import (
+	"os"
+	"time"
+)
+
+func chtimes(path string, un int64) error {
+	mtime := time.Unix(0, un)
+	fi, err := os.Lstat(path)
+	if err != nil {
+		return err
+	}
+	if fi.Mode()&os.ModeSymlink != 0 {
+		return nil
+	}
+	return os.Chtimes(path, mtime, mtime)
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/diff.go b/cli/vendor/github.com/tonistiigi/fsutil/diff.go
new file mode 100644
index 00000000..340a0e48
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/diff.go
@@ -0,0 +1,43 @@
+package fsutil
+
+import (
+	"context"
+	"hash"
+	"os"
+)
+
+type walkerFn func(ctx context.Context, pathC chan<- *currentPath) error
+
+func Changes(ctx context.Context, a, b walkerFn, changeFn ChangeFunc) error {
+	return nil
+}
+
+type HandleChangeFn func(ChangeKind, string, os.FileInfo, error) error
+
+type ContentHasher func(*Stat) (hash.Hash, error)
+
+func GetWalkerFn(root string) walkerFn {
+	return func(ctx context.Context, pathC chan<- *currentPath) error {
+		return Walk(ctx, root, nil, func(path string, f os.FileInfo, err error) error {
+			if err != nil {
+				return err
+			}
+
+			p := &currentPath{
+				path: path,
+				f:    f,
+			}
+
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			case pathC <- p:
+				return nil
+			}
+		})
+	}
+}
+
+func emptyWalker(ctx context.Context, pathC chan<- *currentPath) error {
+	return nil
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/diff_containerd.go b/cli/vendor/github.com/tonistiigi/fsutil/diff_containerd.go
new file mode 100644
index 00000000..2722cef4
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/diff_containerd.go
@@ -0,0 +1,199 @@
+package fsutil
+
+import (
+	"context"
+	"os"
+	"strings"
+
+	"golang.org/x/sync/errgroup"
+)
+
+// Everything below is copied from containerd/fs. TODO: remove duplication @dmcgowan
+
+// Const redefined because containerd/fs doesn't build on !linux
+
+// ChangeKind is the type of modification that
+// a change is making.
+type ChangeKind int
+
+const (
+	// ChangeKindAdd represents an addition of
+	// a file
+	ChangeKindAdd ChangeKind = iota
+
+	// ChangeKindModify represents a change to
+	// an existing file
+	ChangeKindModify
+
+	// ChangeKindDelete represents a delete of
+	// a file
+	ChangeKindDelete
+)
+
+// ChangeFunc is the type of function called for each change
+// computed during a directory changes calculation.
+type ChangeFunc func(ChangeKind, string, os.FileInfo, error) error
+
+type currentPath struct {
+	path string
+	f    os.FileInfo
+	//	fullPath string
+}
+
+// doubleWalkDiff walks both directories to create a diff
+func doubleWalkDiff(ctx context.Context, changeFn ChangeFunc, a, b walkerFn) (err error) {
+	g, ctx := errgroup.WithContext(ctx)
+
+	var (
+		c1 = make(chan *currentPath, 128)
+		c2 = make(chan *currentPath, 128)
+
+		f1, f2 *currentPath
+		rmdir  string
+	)
+	g.Go(func() error {
+		defer close(c1)
+		return a(ctx, c1)
+	})
+	g.Go(func() error {
+		defer close(c2)
+		return b(ctx, c2)
+	})
+	g.Go(func() error {
+	loop0:
+		for c1 != nil || c2 != nil {
+			if f1 == nil && c1 != nil {
+				f1, err = nextPath(ctx, c1)
+				if err != nil {
+					return err
+				}
+				if f1 == nil {
+					c1 = nil
+				}
+			}
+
+			if f2 == nil && c2 != nil {
+				f2, err = nextPath(ctx, c2)
+				if err != nil {
+					return err
+				}
+				if f2 == nil {
+					c2 = nil
+				}
+			}
+			if f1 == nil && f2 == nil {
+				continue
+			}
+
+			var f os.FileInfo
+			k, p := pathChange(f1, f2)
+			switch k {
+			case ChangeKindAdd:
+				if rmdir != "" {
+					rmdir = ""
+				}
+				f = f2.f
+				f2 = nil
+			case ChangeKindDelete:
+				// Check if this file is already removed by being
+				// under of a removed directory
+				if rmdir != "" && strings.HasPrefix(f1.path, rmdir) {
+					f1 = nil
+					continue
+				} else if rmdir == "" && f1.f.IsDir() {
+					rmdir = f1.path + string(os.PathSeparator)
+				} else if rmdir != "" {
+					rmdir = ""
+				}
+				f1 = nil
+			case ChangeKindModify:
+				same, err := sameFile(f1, f2)
+				if err != nil {
+					return err
+				}
+				if f1.f.IsDir() && !f2.f.IsDir() {
+					rmdir = f1.path + string(os.PathSeparator)
+				} else if rmdir != "" {
+					rmdir = ""
+				}
+				f = f2.f
+				f1 = nil
+				f2 = nil
+				if same {
+					continue loop0
+				}
+			}
+			if err := changeFn(k, p, f, nil); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+
+	return g.Wait()
+}
+
+func pathChange(lower, upper *currentPath) (ChangeKind, string) {
+	if lower == nil {
+		if upper == nil {
+			panic("cannot compare nil paths")
+		}
+		return ChangeKindAdd, upper.path
+	}
+	if upper == nil {
+		return ChangeKindDelete, lower.path
+	}
+
+	switch i := ComparePath(lower.path, upper.path); {
+	case i < 0:
+		// File in lower that is not in upper
+		return ChangeKindDelete, lower.path
+	case i > 0:
+		// File in upper that is not in lower
+		return ChangeKindAdd, upper.path
+	default:
+		return ChangeKindModify, upper.path
+	}
+}
+
+func sameFile(f1, f2 *currentPath) (same bool, retErr error) {
+	// If not a directory also check size, modtime, and content
+	if !f1.f.IsDir() {
+		if f1.f.Size() != f2.f.Size() {
+			return false, nil
+		}
+
+		t1 := f1.f.ModTime()
+		t2 := f2.f.ModTime()
+		if t1.UnixNano() != t2.UnixNano() {
+			return false, nil
+		}
+	}
+
+	ls1, ok := f1.f.Sys().(*Stat)
+	if !ok {
+		return false, nil
+	}
+	ls2, ok := f1.f.Sys().(*Stat)
+	if !ok {
+		return false, nil
+	}
+
+	return compareStat(ls1, ls2)
+}
+
+// compareStat returns whether the stats are equivalent,
+// whether the files are considered the same file, and
+// an error
+func compareStat(ls1, ls2 *Stat) (bool, error) {
+	return ls1.Mode == ls2.Mode && ls1.Uid == ls2.Uid && ls1.Gid == ls2.Gid && ls1.Devmajor == ls2.Devmajor && ls1.Devminor == ls2.Devminor && ls1.Linkname == ls2.Linkname, nil
+}
+
+func nextPath(ctx context.Context, pathC <-chan *currentPath) (*currentPath, error) {
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	case p := <-pathC:
+		return p, nil
+	}
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/diff_containerd_linux.go b/cli/vendor/github.com/tonistiigi/fsutil/diff_containerd_linux.go
new file mode 100644
index 00000000..4ac7ec5e
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/diff_containerd_linux.go
@@ -0,0 +1,37 @@
+package fsutil
+
+import (
+	"bytes"
+	"syscall"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/pkg/errors"
+)
+
+// compareSysStat returns whether the stats are equivalent,
+// whether the files are considered the same file, and
+// an error
+func compareSysStat(s1, s2 interface{}) (bool, error) {
+	ls1, ok := s1.(*syscall.Stat_t)
+	if !ok {
+		return false, nil
+	}
+	ls2, ok := s2.(*syscall.Stat_t)
+	if !ok {
+		return false, nil
+	}
+
+	return ls1.Mode == ls2.Mode && ls1.Uid == ls2.Uid && ls1.Gid == ls2.Gid && ls1.Rdev == ls2.Rdev, nil
+}
+
+func compareCapabilities(p1, p2 string) (bool, error) {
+	c1, err := sysx.LGetxattr(p1, "security.capability")
+	if err != nil && err != syscall.ENODATA {
+		return false, errors.Wrapf(err, "failed to get xattr for %s", p1)
+	}
+	c2, err := sysx.LGetxattr(p2, "security.capability")
+	if err != nil && err != syscall.ENODATA {
+		return false, errors.Wrapf(err, "failed to get xattr for %s", p2)
+	}
+	return bytes.Equal(c1, c2), nil
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/diskwriter.go b/cli/vendor/github.com/tonistiigi/fsutil/diskwriter.go
new file mode 100644
index 00000000..aa1974f2
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/diskwriter.go
@@ -0,0 +1,340 @@
+package fsutil
+
+import (
+	"context"
+	"hash"
+	"io"
+	"os"
+	"path/filepath"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+type WriteToFunc func(context.Context, string, io.WriteCloser) error
+
+type DiskWriterOpt struct {
+	AsyncDataCb   WriteToFunc
+	SyncDataCb    WriteToFunc
+	NotifyCb      func(ChangeKind, string, os.FileInfo, error) error
+	ContentHasher ContentHasher
+	Filter        FilterFunc
+}
+
+type FilterFunc func(*Stat) bool
+
+type DiskWriter struct {
+	opt  DiskWriterOpt
+	dest string
+
+	wg     sync.WaitGroup
+	ctx    context.Context
+	cancel func()
+	eg     *errgroup.Group
+	filter FilterFunc
+}
+
+func NewDiskWriter(ctx context.Context, dest string, opt DiskWriterOpt) (*DiskWriter, error) {
+	if opt.SyncDataCb == nil && opt.AsyncDataCb == nil {
+		return nil, errors.New("no data callback specified")
+	}
+	if opt.SyncDataCb != nil && opt.AsyncDataCb != nil {
+		return nil, errors.New("can't specify both sync and async data callbacks")
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	eg, ctx := errgroup.WithContext(ctx)
+
+	return &DiskWriter{
+		opt:    opt,
+		dest:   dest,
+		eg:     eg,
+		ctx:    ctx,
+		cancel: cancel,
+		filter: opt.Filter,
+	}, nil
+}
+
+func (dw *DiskWriter) Wait(ctx context.Context) error {
+	return dw.eg.Wait()
+}
+
+func (dw *DiskWriter) HandleChange(kind ChangeKind, p string, fi os.FileInfo, err error) (retErr error) {
+	if err != nil {
+		return err
+	}
+
+	select {
+	case <-dw.ctx.Done():
+		return dw.ctx.Err()
+	default:
+	}
+
+	defer func() {
+		if retErr != nil {
+			dw.cancel()
+		}
+	}()
+
+	destPath := filepath.Join(dw.dest, filepath.FromSlash(p))
+
+	if kind == ChangeKindDelete {
+		// todo: no need to validate if diff is trusted but is it always?
+		if err := os.RemoveAll(destPath); err != nil {
+			return errors.Wrapf(err, "failed to remove: %s", destPath)
+		}
+		if dw.opt.NotifyCb != nil {
+			if err := dw.opt.NotifyCb(kind, p, nil, nil); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+
+	stat, ok := fi.Sys().(*Stat)
+	if !ok {
+		return errors.Errorf("%s invalid change without stat information", p)
+	}
+
+	statCopy := *stat
+
+	if dw.filter != nil {
+		if ok := dw.filter(&statCopy); !ok {
+			return nil
+		}
+	}
+
+	rename := true
+	oldFi, err := os.Lstat(destPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			if kind != ChangeKindAdd {
+				return errors.Wrapf(err, "invalid addition: %s", destPath)
+			}
+			rename = false
+		} else {
+			return errors.Wrapf(err, "failed to stat %s", destPath)
+		}
+	}
+
+	if oldFi != nil && fi.IsDir() && oldFi.IsDir() {
+		if err := rewriteMetadata(destPath, &statCopy); err != nil {
+			return errors.Wrapf(err, "error setting dir metadata for %s", destPath)
+		}
+		return nil
+	}
+
+	newPath := destPath
+	if rename {
+		newPath = filepath.Join(filepath.Dir(destPath), ".tmp."+nextSuffix())
+	}
+
+	isRegularFile := false
+
+	switch {
+	case fi.IsDir():
+		if err := os.Mkdir(newPath, fi.Mode()); err != nil {
+			return errors.Wrapf(err, "failed to create dir %s", newPath)
+		}
+	case fi.Mode()&os.ModeDevice != 0 || fi.Mode()&os.ModeNamedPipe != 0:
+		if err := handleTarTypeBlockCharFifo(newPath, &statCopy); err != nil {
+			return errors.Wrapf(err, "failed to create device %s", newPath)
+		}
+	case fi.Mode()&os.ModeSymlink != 0:
+		if err := os.Symlink(statCopy.Linkname, newPath); err != nil {
+			return errors.Wrapf(err, "failed to symlink %s", newPath)
+		}
+	case statCopy.Linkname != "":
+		if err := os.Link(filepath.Join(dw.dest, statCopy.Linkname), newPath); err != nil {
+			return errors.Wrapf(err, "failed to link %s to %s", newPath, statCopy.Linkname)
+		}
+	default:
+		isRegularFile = true
+		file, err := os.OpenFile(newPath, os.O_CREATE|os.O_WRONLY, fi.Mode()) //todo: windows
+		if err != nil {
+			return errors.Wrapf(err, "failed to create %s", newPath)
+		}
+		if dw.opt.SyncDataCb != nil {
+			if err := dw.processChange(ChangeKindAdd, p, fi, file); err != nil {
+				file.Close()
+				return err
+			}
+			break
+		}
+		if err := file.Close(); err != nil {
+			return errors.Wrapf(err, "failed to close %s", newPath)
+		}
+	}
+
+	if err := rewriteMetadata(newPath, &statCopy); err != nil {
+		return errors.Wrapf(err, "error setting metadata for %s", newPath)
+	}
+
+	if rename {
+		if err := os.Rename(newPath, destPath); err != nil {
+			return errors.Wrapf(err, "failed to rename %s to %s", newPath, destPath)
+		}
+	}
+
+	if isRegularFile {
+		if dw.opt.AsyncDataCb != nil {
+			dw.requestAsyncFileData(p, destPath, fi)
+		}
+	} else {
+		return dw.processChange(kind, p, fi, nil)
+	}
+
+	return nil
+}
+
+func (dw *DiskWriter) requestAsyncFileData(p, dest string, fi os.FileInfo) {
+	// todo: limit worker threads
+	dw.eg.Go(func() error {
+		if err := dw.processChange(ChangeKindAdd, p, fi, &lazyFileWriter{
+			dest: dest,
+		}); err != nil {
+			return err
+		}
+		return chtimes(dest, fi.ModTime().UnixNano()) // TODO: parent dirs
+	})
+}
+
+func (dw *DiskWriter) processChange(kind ChangeKind, p string, fi os.FileInfo, w io.WriteCloser) error {
+	origw := w
+	var hw *hashedWriter
+	if dw.opt.NotifyCb != nil {
+		var err error
+		if hw, err = newHashWriter(dw.opt.ContentHasher, fi, w); err != nil {
+			return err
+		}
+		w = hw
+	}
+	if origw != nil {
+		fn := dw.opt.SyncDataCb
+		if fn == nil && dw.opt.AsyncDataCb != nil {
+			fn = dw.opt.AsyncDataCb
+		}
+		if err := fn(dw.ctx, p, w); err != nil {
+			return err
+		}
+	} else {
+		if hw != nil {
+			hw.Close()
+		}
+	}
+	if hw != nil {
+		return dw.opt.NotifyCb(kind, p, hw, nil)
+	}
+	return nil
+}
+
+type hashedWriter struct {
+	os.FileInfo
+	io.Writer
+	h    hash.Hash
+	w    io.WriteCloser
+	dgst digest.Digest
+}
+
+func newHashWriter(ch ContentHasher, fi os.FileInfo, w io.WriteCloser) (*hashedWriter, error) {
+	stat, ok := fi.Sys().(*Stat)
+	if !ok {
+		return nil, errors.Errorf("invalid change without stat information")
+	}
+
+	h, err := ch(stat)
+	if err != nil {
+		return nil, err
+	}
+	hw := &hashedWriter{
+		FileInfo: fi,
+		Writer:   io.MultiWriter(w, h),
+		h:        h,
+		w:        w,
+	}
+	return hw, nil
+}
+
+func (hw *hashedWriter) Close() error {
+	hw.dgst = digest.NewDigest(digest.SHA256, hw.h)
+	if hw.w != nil {
+		return hw.w.Close()
+	}
+	return nil
+}
+
+func (hw *hashedWriter) Digest() digest.Digest {
+	return hw.dgst
+}
+
+type lazyFileWriter struct {
+	dest     string
+	ctx      context.Context
+	f        *os.File
+	fileMode *os.FileMode
+}
+
+func (lfw *lazyFileWriter) Write(dt []byte) (int, error) {
+	if lfw.f == nil {
+		file, err := os.OpenFile(lfw.dest, os.O_WRONLY, 0) //todo: windows
+		if os.IsPermission(err) {
+			// retry after chmod
+			fi, er := os.Stat(lfw.dest)
+			if er == nil {
+				mode := fi.Mode()
+				lfw.fileMode = &mode
+				er = os.Chmod(lfw.dest, mode|0222)
+				if er == nil {
+					file, err = os.OpenFile(lfw.dest, os.O_WRONLY, 0)
+				}
+			}
+		}
+		if err != nil {
+			return 0, errors.Wrapf(err, "failed to open %s", lfw.dest)
+		}
+		lfw.f = file
+	}
+	return lfw.f.Write(dt)
+}
+
+func (lfw *lazyFileWriter) Close() error {
+	var err error
+	if lfw.f != nil {
+		err = lfw.f.Close()
+	}
+	if err == nil && lfw.fileMode != nil {
+		err = os.Chmod(lfw.dest, *lfw.fileMode)
+	}
+	return err
+}
+
+func mkdev(major int64, minor int64) uint32 {
+	return uint32(((minor & 0xfff00) << 12) | ((major & 0xfff) << 8) | (minor & 0xff))
+}
+
+// Random number state.
+// We generate random temporary file names so that there's a good
+// chance the file doesn't exist yet - keeps the number of tries in
+// TempFile to a minimum.
+var rand uint32
+var randmu sync.Mutex
+
+func reseed() uint32 {
+	return uint32(time.Now().UnixNano() + int64(os.Getpid()))
+}
+
+func nextSuffix() string {
+	randmu.Lock()
+	r := rand
+	if r == 0 {
+		r = reseed()
+	}
+	r = r*1664525 + 1013904223 // constants from Numerical Recipes
+	rand = r
+	randmu.Unlock()
+	return strconv.Itoa(int(1e9 + r%1e9))[1:]
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/diskwriter_unix.go b/cli/vendor/github.com/tonistiigi/fsutil/diskwriter_unix.go
new file mode 100644
index 00000000..19dffabf
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/diskwriter_unix.go
@@ -0,0 +1,51 @@
+// +build !windows
+
+package fsutil
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/pkg/errors"
+)
+
+func rewriteMetadata(p string, stat *Stat) error {
+	for key, value := range stat.Xattrs {
+		sysx.Setxattr(p, key, value, 0)
+	}
+
+	if err := os.Lchown(p, int(stat.Uid), int(stat.Gid)); err != nil {
+		return errors.Wrapf(err, "failed to lchown %s", p)
+	}
+
+	if os.FileMode(stat.Mode)&os.ModeSymlink == 0 {
+		if err := os.Chmod(p, os.FileMode(stat.Mode)); err != nil {
+			return errors.Wrapf(err, "failed to chown %s", p)
+		}
+	}
+
+	if err := chtimes(p, stat.ModTime); err != nil {
+		return errors.Wrapf(err, "failed to chtimes %s", p)
+	}
+
+	return nil
+}
+
+// handleTarTypeBlockCharFifo is an OS-specific helper function used by
+// createTarFile to handle the following types of header: Block; Char; Fifo
+func handleTarTypeBlockCharFifo(path string, stat *Stat) error {
+	mode := uint32(stat.Mode & 07777)
+	if os.FileMode(stat.Mode)&os.ModeCharDevice != 0 {
+		mode |= syscall.S_IFCHR
+	} else if os.FileMode(stat.Mode)&os.ModeNamedPipe != 0 {
+		mode |= syscall.S_IFIFO
+	} else {
+		mode |= syscall.S_IFBLK
+	}
+
+	if err := syscall.Mknod(path, mode, int(mkdev(stat.Devmajor, stat.Devminor))); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/diskwriter_windows.go b/cli/vendor/github.com/tonistiigi/fsutil/diskwriter_windows.go
new file mode 100644
index 00000000..c6d0d7be
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/diskwriter_windows.go
@@ -0,0 +1,17 @@
+// +build windows
+
+package fsutil
+
+import (
+	"github.com/pkg/errors"
+)
+
+func rewriteMetadata(p string, stat *Stat) error {
+	return chtimes(p, stat.ModTime)
+}
+
+// handleTarTypeBlockCharFifo is an OS-specific helper function used by
+// createTarFile to handle the following types of header: Block; Char; Fifo
+func handleTarTypeBlockCharFifo(path string, stat *Stat) error {
+	return errors.New("Not implemented on windows")
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/followlinks.go b/cli/vendor/github.com/tonistiigi/fsutil/followlinks.go
new file mode 100644
index 00000000..ed4af6e8
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/followlinks.go
@@ -0,0 +1,150 @@
+package fsutil
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sort"
+	strings "strings"
+
+	"github.com/pkg/errors"
+)
+
+func FollowLinks(root string, paths []string) ([]string, error) {
+	r := &symlinkResolver{root: root, resolved: map[string]struct{}{}}
+	for _, p := range paths {
+		if err := r.append(p); err != nil {
+			return nil, err
+		}
+	}
+	res := make([]string, 0, len(r.resolved))
+	for r := range r.resolved {
+		res = append(res, r)
+	}
+	sort.Strings(res)
+	return dedupePaths(res), nil
+}
+
+type symlinkResolver struct {
+	root     string
+	resolved map[string]struct{}
+}
+
+func (r *symlinkResolver) append(p string) error {
+	p = filepath.Join(".", p)
+	current := "."
+	for {
+		parts := strings.SplitN(p, string(filepath.Separator), 2)
+		current = filepath.Join(current, parts[0])
+
+		targets, err := r.readSymlink(current, true)
+		if err != nil {
+			return err
+		}
+
+		p = ""
+		if len(parts) == 2 {
+			p = parts[1]
+		}
+
+		if p == "" || targets != nil {
+			if _, ok := r.resolved[current]; ok {
+				return nil
+			}
+		}
+
+		if targets != nil {
+			r.resolved[current] = struct{}{}
+			for _, target := range targets {
+				if err := r.append(filepath.Join(target, p)); err != nil {
+					return err
+				}
+			}
+			return nil
+		}
+
+		if p == "" {
+			r.resolved[current] = struct{}{}
+			return nil
+		}
+	}
+}
+
+func (r *symlinkResolver) readSymlink(p string, allowWildcard bool) ([]string, error) {
+	realPath := filepath.Join(r.root, p)
+	base := filepath.Base(p)
+	if allowWildcard && containsWildcards(base) {
+		fis, err := ioutil.ReadDir(filepath.Dir(realPath))
+		if err != nil {
+			if os.IsNotExist(err) {
+				return nil, nil
+			}
+			return nil, errors.Wrapf(err, "failed to read dir %s", filepath.Dir(realPath))
+		}
+		var out []string
+		for _, f := range fis {
+			if ok, _ := filepath.Match(base, f.Name()); ok {
+				res, err := r.readSymlink(filepath.Join(filepath.Dir(p), f.Name()), false)
+				if err != nil {
+					return nil, err
+				}
+				out = append(out, res...)
+			}
+		}
+		return out, nil
+	}
+
+	fi, err := os.Lstat(realPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, errors.Wrapf(err, "failed to lstat %s", realPath)
+	}
+	if fi.Mode()&os.ModeSymlink == 0 {
+		return nil, nil
+	}
+	link, err := os.Readlink(realPath)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to readlink %s", realPath)
+	}
+	link = filepath.Clean(link)
+	if filepath.IsAbs(link) {
+		return []string{link}, nil
+	}
+	return []string{
+		filepath.Join(string(filepath.Separator), filepath.Join(filepath.Dir(p), link)),
+	}, nil
+}
+
+func containsWildcards(name string) bool {
+	isWindows := runtime.GOOS == "windows"
+	for i := 0; i < len(name); i++ {
+		ch := name[i]
+		if ch == '\\' && !isWindows {
+			i++
+		} else if ch == '*' || ch == '?' || ch == '[' {
+			return true
+		}
+	}
+	return false
+}
+
+// dedupePaths expects input as a sorted list
+func dedupePaths(in []string) []string {
+	out := make([]string, 0, len(in))
+	var last string
+	for _, s := range in {
+		// if one of the paths is root there is no filter
+		if s == "." {
+			return nil
+		}
+		if strings.HasPrefix(s, last+string(filepath.Separator)) {
+			continue
+		}
+		out = append(out, s)
+		last = s
+	}
+	return out
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/generate.go b/cli/vendor/github.com/tonistiigi/fsutil/generate.go
new file mode 100644
index 00000000..e4331956
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/generate.go
@@ -0,0 +1,3 @@
+package fsutil
+
+//go:generate protoc --gogoslick_out=. stat.proto wire.proto
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/hardlinks.go b/cli/vendor/github.com/tonistiigi/fsutil/hardlinks.go
new file mode 100644
index 00000000..e598ead7
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/hardlinks.go
@@ -0,0 +1,46 @@
+package fsutil
+
+import (
+	"os"
+
+	"github.com/pkg/errors"
+)
+
+// Hardlinks validates that all targets for links were part of the changes
+
+type Hardlinks struct {
+	seenFiles map[string]struct{}
+}
+
+func (v *Hardlinks) HandleChange(kind ChangeKind, p string, fi os.FileInfo, err error) error {
+	if err != nil {
+		return err
+	}
+
+	if v.seenFiles == nil {
+		v.seenFiles = make(map[string]struct{})
+	}
+
+	if kind == ChangeKindDelete {
+		return nil
+	}
+
+	stat, ok := fi.Sys().(*Stat)
+	if !ok {
+		return errors.Errorf("invalid change without stat info: %s", p)
+	}
+
+	if fi.IsDir() || fi.Mode()&os.ModeSymlink != 0 {
+		return nil
+	}
+
+	if len(stat.Linkname) > 0 {
+		if _, ok := v.seenFiles[stat.Linkname]; !ok {
+			return errors.Errorf("invalid link %s to unknown path: %q", p, stat.Linkname)
+		}
+	} else {
+		v.seenFiles[p] = struct{}{}
+	}
+
+	return nil
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/readme.md b/cli/vendor/github.com/tonistiigi/fsutil/readme.md
new file mode 100644
index 00000000..5ce685b7
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/readme.md
@@ -0,0 +1,45 @@
+Incremental file directory sync tools in golang.
+
+```
+BENCH_FILE_SIZE=10000 ./bench.test --test.bench .
+BenchmarkCopyWithTar10-4                	    2000	    995242 ns/op
+BenchmarkCopyWithTar50-4                	     300	   4710021 ns/op
+BenchmarkCopyWithTar200-4               	     100	  16627260 ns/op
+BenchmarkCopyWithTar1000-4              	      20	  60031459 ns/op
+BenchmarkCPA10-4                        	    1000	   1678367 ns/op
+BenchmarkCPA50-4                        	     500	   3690306 ns/op
+BenchmarkCPA200-4                       	     200	   9495066 ns/op
+BenchmarkCPA1000-4                      	      50	  29769289 ns/op
+BenchmarkDiffCopy10-4                   	    2000	    943889 ns/op
+BenchmarkDiffCopy50-4                   	     500	   3285950 ns/op
+BenchmarkDiffCopy200-4                  	     200	   8563792 ns/op
+BenchmarkDiffCopy1000-4                 	      50	  29511340 ns/op
+BenchmarkDiffCopyProto10-4              	    2000	    944615 ns/op
+BenchmarkDiffCopyProto50-4              	     500	   3334940 ns/op
+BenchmarkDiffCopyProto200-4             	     200	   9420038 ns/op
+BenchmarkDiffCopyProto1000-4            	      50	  30632429 ns/op
+BenchmarkIncrementalDiffCopy10-4        	    2000	    691993 ns/op
+BenchmarkIncrementalDiffCopy50-4        	    1000	   1304253 ns/op
+BenchmarkIncrementalDiffCopy200-4       	     500	   3306519 ns/op
+BenchmarkIncrementalDiffCopy1000-4      	     200	  10211343 ns/op
+BenchmarkIncrementalDiffCopy5000-4      	      20	  55194427 ns/op
+BenchmarkIncrementalDiffCopy10000-4     	      20	  91759289 ns/op
+BenchmarkIncrementalCopyWithTar10-4     	    2000	   1020258 ns/op
+BenchmarkIncrementalCopyWithTar50-4     	     300	   5348786 ns/op
+BenchmarkIncrementalCopyWithTar200-4    	     100	  19495000 ns/op
+BenchmarkIncrementalCopyWithTar1000-4   	      20	  70338507 ns/op
+BenchmarkIncrementalRsync10-4           	      30	  45215754 ns/op
+BenchmarkIncrementalRsync50-4           	      30	  45837260 ns/op
+BenchmarkIncrementalRsync200-4          	      30	  48780614 ns/op
+BenchmarkIncrementalRsync1000-4         	      20	  54801892 ns/op
+BenchmarkIncrementalRsync5000-4         	      20	  84782542 ns/op
+BenchmarkIncrementalRsync10000-4        	      10	 103355108 ns/op
+BenchmarkRsync10-4                      	      30	  46776470 ns/op
+BenchmarkRsync50-4                      	      30	  48601555 ns/op
+BenchmarkRsync200-4                     	      20	  59642691 ns/op
+BenchmarkRsync1000-4                    	      20	 101343010 ns/op
+BenchmarkGnuTar10-4                     	     500	   3171448 ns/op
+BenchmarkGnuTar50-4                     	     300	   5030296 ns/op
+BenchmarkGnuTar200-4                    	     100	  10464313 ns/op
+BenchmarkGnuTar1000-4                   	      50	  30375257 ns/op
+```
\ No newline at end of file
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/receive.go b/cli/vendor/github.com/tonistiigi/fsutil/receive.go
new file mode 100644
index 00000000..14ccb6c7
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/receive.go
@@ -0,0 +1,269 @@
+package fsutil
+
+import (
+	"context"
+	"io"
+	"os"
+	"sync"
+
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+type ReceiveOpt struct {
+	NotifyHashed  ChangeFunc
+	ContentHasher ContentHasher
+	ProgressCb    func(int, bool)
+	Merge         bool
+	Filter        FilterFunc
+}
+
+func Receive(ctx context.Context, conn Stream, dest string, opt ReceiveOpt) error {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	r := &receiver{
+		conn:          &syncStream{Stream: conn},
+		dest:          dest,
+		files:         make(map[string]uint32),
+		pipes:         make(map[uint32]io.WriteCloser),
+		notifyHashed:  opt.NotifyHashed,
+		contentHasher: opt.ContentHasher,
+		progressCb:    opt.ProgressCb,
+		merge:         opt.Merge,
+		filter:        opt.Filter,
+	}
+	return r.run(ctx)
+}
+
+type receiver struct {
+	dest       string
+	conn       Stream
+	files      map[string]uint32
+	pipes      map[uint32]io.WriteCloser
+	mu         sync.RWMutex
+	muPipes    sync.RWMutex
+	progressCb func(int, bool)
+	merge      bool
+	filter     FilterFunc
+
+	notifyHashed   ChangeFunc
+	contentHasher  ContentHasher
+	orderValidator Validator
+	hlValidator    Hardlinks
+}
+
+type dynamicWalker struct {
+	walkChan chan *currentPath
+	err      error
+	closeCh  chan struct{}
+}
+
+func newDynamicWalker() *dynamicWalker {
+	return &dynamicWalker{
+		walkChan: make(chan *currentPath, 128),
+		closeCh:  make(chan struct{}),
+	}
+}
+
+func (w *dynamicWalker) update(p *currentPath) error {
+	select {
+	case <-w.closeCh:
+		return errors.Wrap(w.err, "walker is closed")
+	default:
+	}
+	if p == nil {
+		close(w.walkChan)
+		return nil
+	}
+	select {
+	case w.walkChan <- p:
+		return nil
+	case <-w.closeCh:
+		return errors.Wrap(w.err, "walker is closed")
+	}
+}
+
+func (w *dynamicWalker) fill(ctx context.Context, pathC chan<- *currentPath) error {
+	for {
+		select {
+		case p, ok := <-w.walkChan:
+			if !ok {
+				return nil
+			}
+			pathC <- p
+		case <-ctx.Done():
+			w.err = ctx.Err()
+			close(w.closeCh)
+			return ctx.Err()
+		}
+	}
+	return nil
+}
+
+func (r *receiver) run(ctx context.Context) error {
+	g, ctx := errgroup.WithContext(ctx)
+
+	dw, err := NewDiskWriter(ctx, r.dest, DiskWriterOpt{
+		AsyncDataCb:   r.asyncDataFunc,
+		NotifyCb:      r.notifyHashed,
+		ContentHasher: r.contentHasher,
+		Filter:        r.filter,
+	})
+	if err != nil {
+		return err
+	}
+
+	w := newDynamicWalker()
+
+	g.Go(func() (retErr error) {
+		defer func() {
+			if retErr != nil {
+				r.conn.SendMsg(&Packet{Type: PACKET_ERR, Data: []byte(retErr.Error())})
+			}
+		}()
+		destWalker := emptyWalker
+		if !r.merge {
+			destWalker = GetWalkerFn(r.dest)
+		}
+		err := doubleWalkDiff(ctx, dw.HandleChange, destWalker, w.fill)
+		if err != nil {
+			return err
+		}
+		if err := dw.Wait(ctx); err != nil {
+			return err
+		}
+		r.conn.SendMsg(&Packet{Type: PACKET_FIN})
+		return nil
+	})
+
+	g.Go(func() error {
+		var i uint32 = 0
+
+		size := 0
+		if r.progressCb != nil {
+			defer func() {
+				r.progressCb(size, true)
+			}()
+		}
+		var p Packet
+		for {
+			p = Packet{Data: p.Data[:0]}
+			if err := r.conn.RecvMsg(&p); err != nil {
+				return err
+			}
+			if r.progressCb != nil {
+				size += p.Size()
+				r.progressCb(size, false)
+			}
+
+			switch p.Type {
+			case PACKET_ERR:
+				return errors.Errorf("error from sender: %s", p.Data)
+			case PACKET_STAT:
+				if p.Stat == nil {
+					if err := w.update(nil); err != nil {
+						return err
+					}
+					break
+				}
+				if fileCanRequestData(os.FileMode(p.Stat.Mode)) {
+					r.mu.Lock()
+					r.files[p.Stat.Path] = i
+					r.mu.Unlock()
+				}
+				i++
+				cp := &currentPath{path: p.Stat.Path, f: &StatInfo{p.Stat}}
+				if err := r.orderValidator.HandleChange(ChangeKindAdd, cp.path, cp.f, nil); err != nil {
+					return err
+				}
+				if err := r.hlValidator.HandleChange(ChangeKindAdd, cp.path, cp.f, nil); err != nil {
+					return err
+				}
+				if err := w.update(cp); err != nil {
+					return err
+				}
+			case PACKET_DATA:
+				r.muPipes.Lock()
+				pw, ok := r.pipes[p.ID]
+				r.muPipes.Unlock()
+				if !ok {
+					return errors.Errorf("invalid file request %s", p.ID)
+				}
+				if len(p.Data) == 0 {
+					if err := pw.Close(); err != nil {
+						return err
+					}
+				} else {
+					if _, err := pw.Write(p.Data); err != nil {
+						return err
+					}
+				}
+			case PACKET_FIN:
+				for {
+					var p Packet
+					if err := r.conn.RecvMsg(&p); err != nil {
+						if err == io.EOF {
+							return nil
+						}
+						return err
+					}
+				}
+			}
+		}
+	})
+	return g.Wait()
+}
+
+func (r *receiver) asyncDataFunc(ctx context.Context, p string, wc io.WriteCloser) error {
+	r.mu.Lock()
+	id, ok := r.files[p]
+	if !ok {
+		r.mu.Unlock()
+		return errors.Errorf("invalid file request %s", p)
+	}
+	delete(r.files, p)
+	r.mu.Unlock()
+
+	wwc := newWrappedWriteCloser(wc)
+	r.muPipes.Lock()
+	r.pipes[id] = wwc
+	r.muPipes.Unlock()
+	if err := r.conn.SendMsg(&Packet{Type: PACKET_REQ, ID: id}); err != nil {
+		return err
+	}
+	err := wwc.Wait(ctx)
+	if err != nil {
+		return err
+	}
+	r.muPipes.Lock()
+	delete(r.pipes, id)
+	r.muPipes.Unlock()
+	return nil
+}
+
+type wrappedWriteCloser struct {
+	io.WriteCloser
+	err  error
+	once sync.Once
+	done chan struct{}
+}
+
+func newWrappedWriteCloser(wc io.WriteCloser) *wrappedWriteCloser {
+	return &wrappedWriteCloser{WriteCloser: wc, done: make(chan struct{})}
+}
+
+func (w *wrappedWriteCloser) Close() error {
+	w.err = w.WriteCloser.Close()
+	w.once.Do(func() { close(w.done) })
+	return w.err
+}
+
+func (w *wrappedWriteCloser) Wait(ctx context.Context) error {
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-w.done:
+		return w.err
+	}
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/send.go b/cli/vendor/github.com/tonistiigi/fsutil/send.go
new file mode 100644
index 00000000..61f6170a
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/send.go
@@ -0,0 +1,208 @@
+package fsutil
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+var bufPool = sync.Pool{
+	New: func() interface{} {
+		return make([]byte, 32*1<<10)
+	},
+}
+
+type Stream interface {
+	RecvMsg(interface{}) error
+	SendMsg(m interface{}) error
+	Context() context.Context
+}
+
+func Send(ctx context.Context, conn Stream, root string, opt *WalkOpt, progressCb func(int, bool)) error {
+	s := &sender{
+		conn:         &syncStream{Stream: conn},
+		root:         root,
+		opt:          opt,
+		files:        make(map[uint32]string),
+		progressCb:   progressCb,
+		sendpipeline: make(chan *sendHandle, 128),
+	}
+	return s.run(ctx)
+}
+
+type sendHandle struct {
+	id   uint32
+	path string
+}
+
+type sender struct {
+	conn            Stream
+	opt             *WalkOpt
+	root            string
+	files           map[uint32]string
+	mu              sync.RWMutex
+	progressCb      func(int, bool)
+	progressCurrent int
+	sendpipeline    chan *sendHandle
+}
+
+func (s *sender) run(ctx context.Context) error {
+	g, ctx := errgroup.WithContext(ctx)
+
+	defer s.updateProgress(0, true)
+
+	g.Go(func() error {
+		err := s.walk(ctx)
+		if err != nil {
+			s.conn.SendMsg(&Packet{Type: PACKET_ERR, Data: []byte(err.Error())})
+		}
+		return err
+	})
+
+	for i := 0; i < 4; i++ {
+		g.Go(func() error {
+			for h := range s.sendpipeline {
+				select {
+				case <-ctx.Done():
+					return ctx.Err()
+				default:
+				}
+				if err := s.sendFile(h); err != nil {
+					return err
+				}
+			}
+			return nil
+		})
+	}
+
+	g.Go(func() error {
+		defer close(s.sendpipeline)
+
+		for {
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			default:
+			}
+			var p Packet
+			if err := s.conn.RecvMsg(&p); err != nil {
+				return err
+			}
+			switch p.Type {
+			case PACKET_ERR:
+				return errors.Errorf("error from receiver: %s", p.Data)
+			case PACKET_REQ:
+				if err := s.queue(p.ID); err != nil {
+					return err
+				}
+			case PACKET_FIN:
+				return s.conn.SendMsg(&Packet{Type: PACKET_FIN})
+			}
+		}
+	})
+
+	return g.Wait()
+}
+
+func (s *sender) updateProgress(size int, last bool) {
+	if s.progressCb != nil {
+		s.progressCurrent += size
+		s.progressCb(s.progressCurrent, last)
+	}
+}
+
+func (s *sender) queue(id uint32) error {
+	s.mu.Lock()
+	p, ok := s.files[id]
+	if !ok {
+		s.mu.Unlock()
+		return errors.Errorf("invalid file id %d", id)
+	}
+	delete(s.files, id)
+	s.mu.Unlock()
+	s.sendpipeline <- &sendHandle{id, p}
+	return nil
+}
+
+func (s *sender) sendFile(h *sendHandle) error {
+	f, err := os.Open(filepath.Join(s.root, h.path))
+	if err == nil {
+		defer f.Close()
+		buf := bufPool.Get().([]byte)
+		defer bufPool.Put(buf)
+		if _, err := io.CopyBuffer(&fileSender{sender: s, id: h.id}, f, buf); err != nil {
+			return err
+		}
+	}
+	return s.conn.SendMsg(&Packet{ID: h.id, Type: PACKET_DATA})
+}
+
+func (s *sender) walk(ctx context.Context) error {
+	var i uint32 = 0
+	err := Walk(ctx, s.root, s.opt, func(path string, fi os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		stat, ok := fi.Sys().(*Stat)
+		if !ok {
+			return errors.Wrapf(err, "invalid fileinfo without stat info: %s", path)
+		}
+
+		p := &Packet{
+			Type: PACKET_STAT,
+			Stat: stat,
+		}
+		if fileCanRequestData(os.FileMode(stat.Mode)) {
+			s.mu.Lock()
+			s.files[i] = stat.Path
+			s.mu.Unlock()
+		}
+		i++
+		s.updateProgress(p.Size(), false)
+		return errors.Wrapf(s.conn.SendMsg(p), "failed to send stat %s", path)
+	})
+	if err != nil {
+		return err
+	}
+	return errors.Wrapf(s.conn.SendMsg(&Packet{Type: PACKET_STAT}), "failed to send last stat")
+}
+
+func fileCanRequestData(m os.FileMode) bool {
+	// avoid updating this function as it needs to match between sender/receiver.
+	// version if needed
+	return m&os.ModeType == 0
+}
+
+type fileSender struct {
+	sender *sender
+	id     uint32
+}
+
+func (fs *fileSender) Write(dt []byte) (int, error) {
+	if len(dt) == 0 {
+		return 0, nil
+	}
+	p := &Packet{Type: PACKET_DATA, ID: fs.id, Data: dt}
+	if err := fs.sender.conn.SendMsg(p); err != nil {
+		return 0, err
+	}
+	fs.sender.updateProgress(p.Size(), false)
+	return len(dt), nil
+}
+
+type syncStream struct {
+	Stream
+	mu sync.Mutex
+}
+
+func (ss *syncStream) SendMsg(m interface{}) error {
+	ss.mu.Lock()
+	err := ss.Stream.SendMsg(m)
+	ss.mu.Unlock()
+	return err
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/stat.pb.go b/cli/vendor/github.com/tonistiigi/fsutil/stat.pb.go
new file mode 100644
index 00000000..3f6925e4
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/stat.pb.go
@@ -0,0 +1,931 @@
+// Code generated by protoc-gen-gogo.
+// source: stat.proto
+// DO NOT EDIT!
+
+/*
+	Package fsutil is a generated protocol buffer package.
+
+	It is generated from these files:
+		stat.proto
+		wire.proto
+
+	It has these top-level messages:
+		Stat
+		Packet
+*/
+package fsutil
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import bytes "bytes"
+
+import strings "strings"
+import reflect "reflect"
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type Stat struct {
+	Path    string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
+	Mode    uint32 `protobuf:"varint,2,opt,name=mode,proto3" json:"mode,omitempty"`
+	Uid     uint32 `protobuf:"varint,3,opt,name=uid,proto3" json:"uid,omitempty"`
+	Gid     uint32 `protobuf:"varint,4,opt,name=gid,proto3" json:"gid,omitempty"`
+	Size_   int64  `protobuf:"varint,5,opt,name=size,proto3" json:"size,omitempty"`
+	ModTime int64  `protobuf:"varint,6,opt,name=modTime,proto3" json:"modTime,omitempty"`
+	// int32 typeflag = 7;
+	Linkname string            `protobuf:"bytes,7,opt,name=linkname,proto3" json:"linkname,omitempty"`
+	Devmajor int64             `protobuf:"varint,8,opt,name=devmajor,proto3" json:"devmajor,omitempty"`
+	Devminor int64             `protobuf:"varint,9,opt,name=devminor,proto3" json:"devminor,omitempty"`
+	Xattrs   map[string][]byte `protobuf:"bytes,10,rep,name=xattrs" json:"xattrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *Stat) Reset()                    { *m = Stat{} }
+func (*Stat) ProtoMessage()               {}
+func (*Stat) Descriptor() ([]byte, []int) { return fileDescriptorStat, []int{0} }
+
+func (m *Stat) GetPath() string {
+	if m != nil {
+		return m.Path
+	}
+	return ""
+}
+
+func (m *Stat) GetMode() uint32 {
+	if m != nil {
+		return m.Mode
+	}
+	return 0
+}
+
+func (m *Stat) GetUid() uint32 {
+	if m != nil {
+		return m.Uid
+	}
+	return 0
+}
+
+func (m *Stat) GetGid() uint32 {
+	if m != nil {
+		return m.Gid
+	}
+	return 0
+}
+
+func (m *Stat) GetSize_() int64 {
+	if m != nil {
+		return m.Size_
+	}
+	return 0
+}
+
+func (m *Stat) GetModTime() int64 {
+	if m != nil {
+		return m.ModTime
+	}
+	return 0
+}
+
+func (m *Stat) GetLinkname() string {
+	if m != nil {
+		return m.Linkname
+	}
+	return ""
+}
+
+func (m *Stat) GetDevmajor() int64 {
+	if m != nil {
+		return m.Devmajor
+	}
+	return 0
+}
+
+func (m *Stat) GetDevminor() int64 {
+	if m != nil {
+		return m.Devminor
+	}
+	return 0
+}
+
+func (m *Stat) GetXattrs() map[string][]byte {
+	if m != nil {
+		return m.Xattrs
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*Stat)(nil), "fsutil.Stat")
+}
+func (this *Stat) Equal(that interface{}) bool {
+	if that == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	}
+
+	that1, ok := that.(*Stat)
+	if !ok {
+		that2, ok := that.(Stat)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	} else if this == nil {
+		return false
+	}
+	if this.Path != that1.Path {
+		return false
+	}
+	if this.Mode != that1.Mode {
+		return false
+	}
+	if this.Uid != that1.Uid {
+		return false
+	}
+	if this.Gid != that1.Gid {
+		return false
+	}
+	if this.Size_ != that1.Size_ {
+		return false
+	}
+	if this.ModTime != that1.ModTime {
+		return false
+	}
+	if this.Linkname != that1.Linkname {
+		return false
+	}
+	if this.Devmajor != that1.Devmajor {
+		return false
+	}
+	if this.Devminor != that1.Devminor {
+		return false
+	}
+	if len(this.Xattrs) != len(that1.Xattrs) {
+		return false
+	}
+	for i := range this.Xattrs {
+		if !bytes.Equal(this.Xattrs[i], that1.Xattrs[i]) {
+			return false
+		}
+	}
+	return true
+}
+func (this *Stat) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 14)
+	s = append(s, "&fsutil.Stat{")
+	s = append(s, "Path: "+fmt.Sprintf("%#v", this.Path)+",\n")
+	s = append(s, "Mode: "+fmt.Sprintf("%#v", this.Mode)+",\n")
+	s = append(s, "Uid: "+fmt.Sprintf("%#v", this.Uid)+",\n")
+	s = append(s, "Gid: "+fmt.Sprintf("%#v", this.Gid)+",\n")
+	s = append(s, "Size_: "+fmt.Sprintf("%#v", this.Size_)+",\n")
+	s = append(s, "ModTime: "+fmt.Sprintf("%#v", this.ModTime)+",\n")
+	s = append(s, "Linkname: "+fmt.Sprintf("%#v", this.Linkname)+",\n")
+	s = append(s, "Devmajor: "+fmt.Sprintf("%#v", this.Devmajor)+",\n")
+	s = append(s, "Devminor: "+fmt.Sprintf("%#v", this.Devminor)+",\n")
+	keysForXattrs := make([]string, 0, len(this.Xattrs))
+	for k, _ := range this.Xattrs {
+		keysForXattrs = append(keysForXattrs, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForXattrs)
+	mapStringForXattrs := "map[string][]byte{"
+	for _, k := range keysForXattrs {
+		mapStringForXattrs += fmt.Sprintf("%#v: %#v,", k, this.Xattrs[k])
+	}
+	mapStringForXattrs += "}"
+	if this.Xattrs != nil {
+		s = append(s, "Xattrs: "+mapStringForXattrs+",\n")
+	}
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringStat(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+func (m *Stat) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Stat) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Path) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(len(m.Path)))
+		i += copy(dAtA[i:], m.Path)
+	}
+	if m.Mode != 0 {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Mode))
+	}
+	if m.Uid != 0 {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Uid))
+	}
+	if m.Gid != 0 {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Gid))
+	}
+	if m.Size_ != 0 {
+		dAtA[i] = 0x28
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Size_))
+	}
+	if m.ModTime != 0 {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.ModTime))
+	}
+	if len(m.Linkname) > 0 {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(len(m.Linkname)))
+		i += copy(dAtA[i:], m.Linkname)
+	}
+	if m.Devmajor != 0 {
+		dAtA[i] = 0x40
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Devmajor))
+	}
+	if m.Devminor != 0 {
+		dAtA[i] = 0x48
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Devminor))
+	}
+	if len(m.Xattrs) > 0 {
+		for k, _ := range m.Xattrs {
+			dAtA[i] = 0x52
+			i++
+			v := m.Xattrs[k]
+			byteSize := 0
+			if len(v) > 0 {
+				byteSize = 1 + len(v) + sovStat(uint64(len(v)))
+			}
+			mapSize := 1 + len(k) + sovStat(uint64(len(k))) + byteSize
+			i = encodeVarintStat(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintStat(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			if len(v) > 0 {
+				dAtA[i] = 0x12
+				i++
+				i = encodeVarintStat(dAtA, i, uint64(len(v)))
+				i += copy(dAtA[i:], v)
+			}
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Stat(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Stat(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintStat(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *Stat) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	if l > 0 {
+		n += 1 + l + sovStat(uint64(l))
+	}
+	if m.Mode != 0 {
+		n += 1 + sovStat(uint64(m.Mode))
+	}
+	if m.Uid != 0 {
+		n += 1 + sovStat(uint64(m.Uid))
+	}
+	if m.Gid != 0 {
+		n += 1 + sovStat(uint64(m.Gid))
+	}
+	if m.Size_ != 0 {
+		n += 1 + sovStat(uint64(m.Size_))
+	}
+	if m.ModTime != 0 {
+		n += 1 + sovStat(uint64(m.ModTime))
+	}
+	l = len(m.Linkname)
+	if l > 0 {
+		n += 1 + l + sovStat(uint64(l))
+	}
+	if m.Devmajor != 0 {
+		n += 1 + sovStat(uint64(m.Devmajor))
+	}
+	if m.Devminor != 0 {
+		n += 1 + sovStat(uint64(m.Devminor))
+	}
+	if len(m.Xattrs) > 0 {
+		for k, v := range m.Xattrs {
+			_ = k
+			_ = v
+			l = 0
+			if len(v) > 0 {
+				l = 1 + len(v) + sovStat(uint64(len(v)))
+			}
+			mapEntrySize := 1 + len(k) + sovStat(uint64(len(k))) + l
+			n += mapEntrySize + 1 + sovStat(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func sovStat(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozStat(x uint64) (n int) {
+	return sovStat(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *Stat) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForXattrs := make([]string, 0, len(this.Xattrs))
+	for k, _ := range this.Xattrs {
+		keysForXattrs = append(keysForXattrs, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForXattrs)
+	mapStringForXattrs := "map[string][]byte{"
+	for _, k := range keysForXattrs {
+		mapStringForXattrs += fmt.Sprintf("%v: %v,", k, this.Xattrs[k])
+	}
+	mapStringForXattrs += "}"
+	s := strings.Join([]string{`&Stat{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`Mode:` + fmt.Sprintf("%v", this.Mode) + `,`,
+		`Uid:` + fmt.Sprintf("%v", this.Uid) + `,`,
+		`Gid:` + fmt.Sprintf("%v", this.Gid) + `,`,
+		`Size_:` + fmt.Sprintf("%v", this.Size_) + `,`,
+		`ModTime:` + fmt.Sprintf("%v", this.ModTime) + `,`,
+		`Linkname:` + fmt.Sprintf("%v", this.Linkname) + `,`,
+		`Devmajor:` + fmt.Sprintf("%v", this.Devmajor) + `,`,
+		`Devminor:` + fmt.Sprintf("%v", this.Devminor) + `,`,
+		`Xattrs:` + mapStringForXattrs + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringStat(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *Stat) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowStat
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Stat: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Stat: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthStat
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Mode", wireType)
+			}
+			m.Mode = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Mode |= (uint32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Uid", wireType)
+			}
+			m.Uid = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Uid |= (uint32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Gid", wireType)
+			}
+			m.Gid = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Gid |= (uint32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Size_", wireType)
+			}
+			m.Size_ = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Size_ |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ModTime", wireType)
+			}
+			m.ModTime = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ModTime |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Linkname", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthStat
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Linkname = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Devmajor", wireType)
+			}
+			m.Devmajor = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Devmajor |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Devminor", wireType)
+			}
+			m.Devminor = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Devminor |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Xattrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthStat
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthStat
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Xattrs == nil {
+				m.Xattrs = make(map[string][]byte)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowStat
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapbyteLen uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowStat
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapbyteLen |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intMapbyteLen := int(mapbyteLen)
+				if intMapbyteLen < 0 {
+					return ErrInvalidLengthStat
+				}
+				postbytesIndex := iNdEx + intMapbyteLen
+				if postbytesIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := make([]byte, mapbyteLen)
+				copy(mapvalue, dAtA[iNdEx:postbytesIndex])
+				iNdEx = postbytesIndex
+				m.Xattrs[mapkey] = mapvalue
+			} else {
+				var mapvalue []byte
+				m.Xattrs[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipStat(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthStat
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipStat(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowStat
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthStat
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowStat
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipStat(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthStat = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowStat   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("stat.proto", fileDescriptorStat) }
+
+var fileDescriptorStat = []byte{
+	// 303 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x4c, 0x91, 0xb1, 0x4e, 0xf3, 0x30,
+	0x14, 0x85, 0x73, 0x9b, 0x36, 0x6d, 0xdd, 0xff, 0x97, 0x90, 0xc5, 0x70, 0xd5, 0xc1, 0x8a, 0x98,
+	0x32, 0xa0, 0x08, 0xc1, 0x02, 0x8c, 0x48, 0xbc, 0x40, 0x60, 0x60, 0x35, 0xb2, 0x29, 0xa6, 0x4d,
+	0x5c, 0x25, 0x4e, 0x45, 0x99, 0x78, 0x04, 0x1e, 0x83, 0xd7, 0x60, 0x63, 0xec, 0xc8, 0x48, 0xcc,
+	0xc2, 0xd8, 0x47, 0x40, 0x76, 0xda, 0xc2, 0x76, 0xce, 0x77, 0x7c, 0x65, 0x9d, 0x7b, 0x09, 0xa9,
+	0x0c, 0x37, 0xe9, 0xbc, 0xd4, 0x46, 0xd3, 0xe8, 0xae, 0xaa, 0x8d, 0x9a, 0x1d, 0xbc, 0x75, 0x48,
+	0xf7, 0xca, 0x70, 0x43, 0x29, 0xe9, 0xce, 0xb9, 0xb9, 0x47, 0x88, 0x21, 0x19, 0x66, 0x5e, 0x3b,
+	0x96, 0x6b, 0x21, 0xb1, 0x13, 0x43, 0xf2, 0x3f, 0xf3, 0x9a, 0xee, 0x91, 0xb0, 0x56, 0x02, 0x43,
+	0x8f, 0x9c, 0x74, 0x64, 0xa2, 0x04, 0x76, 0x5b, 0x32, 0x51, 0xc2, 0xcd, 0x55, 0xea, 0x49, 0x62,
+	0x2f, 0x86, 0x24, 0xcc, 0xbc, 0xa6, 0x48, 0xfa, 0xb9, 0x16, 0xd7, 0x2a, 0x97, 0x18, 0x79, 0xbc,
+	0xb5, 0x74, 0x4c, 0x06, 0x33, 0x55, 0x4c, 0x0b, 0x9e, 0x4b, 0xec, 0xfb, 0xdf, 0x77, 0xde, 0x65,
+	0x42, 0x2e, 0x72, 0xfe, 0xa0, 0x4b, 0x1c, 0xf8, 0xb1, 0x9d, 0xdf, 0x66, 0xaa, 0xd0, 0x25, 0x0e,
+	0x7f, 0x33, 0xe7, 0xe9, 0x11, 0x89, 0x1e, 0xb9, 0x31, 0x65, 0x85, 0x24, 0x0e, 0x93, 0xd1, 0x31,
+	0xa6, 0x6d, 0xdf, 0xd4, 0x75, 0x4d, 0x6f, 0x7c, 0x74, 0x59, 0x98, 0x72, 0x99, 0x6d, 0xde, 0x8d,
+	0xcf, 0xc8, 0xe8, 0x0f, 0x76, 0xa5, 0xa6, 0x72, 0xb9, 0xd9, 0x86, 0x93, 0x74, 0x9f, 0xf4, 0x16,
+	0x7c, 0x56, 0xb7, 0xdb, 0xf8, 0x97, 0xb5, 0xe6, 0xbc, 0x73, 0x0a, 0x17, 0x87, 0xab, 0x86, 0x05,
+	0x1f, 0x0d, 0x0b, 0xd6, 0x0d, 0x83, 0x67, 0xcb, 0xe0, 0xd5, 0x32, 0x78, 0xb7, 0x0c, 0x56, 0x96,
+	0xc1, 0xa7, 0x65, 0xf0, 0x6d, 0x59, 0xb0, 0xb6, 0x0c, 0x5e, 0xbe, 0x58, 0x70, 0x1b, 0xf9, 0x03,
+	0x9c, 0xfc, 0x04, 0x00, 0x00, 0xff, 0xff, 0x19, 0x97, 0x14, 0xf4, 0x8e, 0x01, 0x00, 0x00,
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/stat.proto b/cli/vendor/github.com/tonistiigi/fsutil/stat.proto
new file mode 100644
index 00000000..e2794130
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/stat.proto
@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+package fsutil;
+
+message Stat {
+  string path = 1;
+  uint32 mode = 2;
+  uint32 uid = 3;
+  uint32 gid = 4;
+  int64 size = 5;
+  int64 modTime = 6;
+  // int32 typeflag = 7;
+  string linkname = 7;
+  int64 devmajor = 8;
+  int64 devminor = 9;
+  map<string, bytes> xattrs = 10;
+}
\ No newline at end of file
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/validator.go b/cli/vendor/github.com/tonistiigi/fsutil/validator.go
new file mode 100644
index 00000000..2bd1287a
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/validator.go
@@ -0,0 +1,92 @@
+package fsutil
+
+import (
+	"os"
+	"path"
+	"runtime"
+	"sort"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+type parent struct {
+	dir  string
+	last string
+}
+
+type Validator struct {
+	parentDirs []parent
+}
+
+func (v *Validator) HandleChange(kind ChangeKind, p string, fi os.FileInfo, err error) (retErr error) {
+	if err != nil {
+		return err
+	}
+	// test that all paths are in order and all parent dirs were present
+	if v.parentDirs == nil {
+		v.parentDirs = make([]parent, 1, 10)
+	}
+	if runtime.GOOS == "windows" {
+		p = strings.Replace(p, "\\", "", -1)
+	}
+	if p != path.Clean(p) {
+		return errors.Errorf("invalid unclean path %s", p)
+	}
+	if path.IsAbs(p) {
+		return errors.Errorf("abolute path %s not allowed", p)
+	}
+	dir := path.Dir(p)
+	base := path.Base(p)
+	if dir == "." {
+		dir = ""
+	}
+	if dir == ".." || strings.HasPrefix(p, "../") {
+		return errors.Errorf("invalid path: %s", p)
+	}
+
+	// find a parent dir from saved records
+	i := sort.Search(len(v.parentDirs), func(i int) bool {
+		return ComparePath(v.parentDirs[len(v.parentDirs)-1-i].dir, dir) <= 0
+	})
+	i = len(v.parentDirs) - 1 - i
+	if i != len(v.parentDirs)-1 { // skipping back to grandparent
+		v.parentDirs = v.parentDirs[:i+1]
+	}
+
+	if dir != v.parentDirs[len(v.parentDirs)-1].dir || v.parentDirs[i].last >= base {
+		return errors.Errorf("changes out of order: %q %q", p, path.Join(v.parentDirs[i].dir, v.parentDirs[i].last))
+	}
+	v.parentDirs[i].last = base
+	if kind != ChangeKindDelete && fi.IsDir() {
+		v.parentDirs = append(v.parentDirs, parent{
+			dir:  path.Join(dir, base),
+			last: "",
+		})
+	}
+	// todo: validate invalid mode combinations
+	return err
+}
+
+func ComparePath(p1, p2 string) int {
+	// byte-by-byte comparison to be compatible with str<>str
+	min := min(len(p1), len(p2))
+	for i := 0; i < min; i++ {
+		switch {
+		case p1[i] == p2[i]:
+			continue
+		case p2[i] != '/' && p1[i] < p2[i] || p1[i] == '/':
+			return -1
+		default:
+			return 1
+		}
+	}
+	return len(p1) - len(p2)
+}
+
+func min(x, y int) int {
+	if x < y {
+		return x
+	}
+	return y
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/walker.go b/cli/vendor/github.com/tonistiigi/fsutil/walker.go
new file mode 100644
index 00000000..aa509914
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/walker.go
@@ -0,0 +1,246 @@
+package fsutil
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/pkg/fileutils"
+	"github.com/pkg/errors"
+)
+
+type WalkOpt struct {
+	IncludePatterns []string
+	ExcludePatterns []string
+	// FollowPaths contains symlinks that are resolved into include patterns
+	// before performing the fs walk
+	FollowPaths []string
+	Map         func(*Stat) bool
+}
+
+func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) error {
+	root, err := filepath.EvalSymlinks(p)
+	if err != nil {
+		return errors.Wrapf(err, "failed to resolve %s", root)
+	}
+	fi, err := os.Stat(root)
+	if err != nil {
+		return errors.Wrapf(err, "failed to stat: %s", root)
+	}
+	if !fi.IsDir() {
+		return errors.Errorf("%s is not a directory", root)
+	}
+
+	var pm *fileutils.PatternMatcher
+	if opt != nil && opt.ExcludePatterns != nil {
+		pm, err = fileutils.NewPatternMatcher(opt.ExcludePatterns)
+		if err != nil {
+			return errors.Wrapf(err, "invalid excludepaths %s", opt.ExcludePatterns)
+		}
+	}
+
+	var includePatterns []string
+	if opt != nil && opt.IncludePatterns != nil {
+		includePatterns = make([]string, len(opt.IncludePatterns))
+		for k := range opt.IncludePatterns {
+			includePatterns[k] = filepath.Clean(opt.IncludePatterns[k])
+		}
+	}
+	if opt != nil && opt.FollowPaths != nil {
+		targets, err := FollowLinks(p, opt.FollowPaths)
+		if err != nil {
+			return err
+		}
+		if targets != nil {
+			includePatterns = append(includePatterns, targets...)
+			includePatterns = dedupePaths(includePatterns)
+		}
+	}
+
+	var lastIncludedDir string
+
+	seenFiles := make(map[uint64]string)
+	return filepath.Walk(root, func(path string, fi os.FileInfo, err error) (retErr error) {
+		if err != nil {
+			if os.IsNotExist(err) {
+				return filepath.SkipDir
+			}
+			return err
+		}
+		defer func() {
+			if retErr != nil && os.IsNotExist(errors.Cause(retErr)) {
+				retErr = filepath.SkipDir
+			}
+		}()
+		origpath := path
+		path, err = filepath.Rel(root, path)
+		if err != nil {
+			return err
+		}
+		// Skip root
+		if path == "." {
+			return nil
+		}
+
+		if opt != nil {
+			if includePatterns != nil {
+				skip := false
+				if lastIncludedDir != "" {
+					if strings.HasPrefix(path, lastIncludedDir+string(filepath.Separator)) {
+						skip = true
+					}
+				}
+
+				if !skip {
+					matched := false
+					partial := true
+					for _, p := range includePatterns {
+						if ok, p := matchPrefix(p, path); ok {
+							matched = true
+							if !p {
+								partial = false
+								break
+							}
+						}
+					}
+					if !matched {
+						if fi.IsDir() {
+							return filepath.SkipDir
+						}
+						return nil
+					}
+					if !partial && fi.IsDir() {
+						lastIncludedDir = path
+					}
+				}
+			}
+			if pm != nil {
+				m, err := pm.Matches(path)
+				if err != nil {
+					return errors.Wrap(err, "failed to match excludepatterns")
+				}
+
+				if m {
+					if fi.IsDir() {
+						if !pm.Exclusions() {
+							return filepath.SkipDir
+						}
+						dirSlash := path + string(filepath.Separator)
+						for _, pat := range pm.Patterns() {
+							if !pat.Exclusion() {
+								continue
+							}
+							patStr := pat.String() + string(filepath.Separator)
+							if strings.HasPrefix(patStr, dirSlash) {
+								goto passedFilter
+							}
+						}
+						return filepath.SkipDir
+					}
+					return nil
+				}
+			}
+		}
+
+	passedFilter:
+		path = filepath.ToSlash(path)
+
+		stat := &Stat{
+			Path:    path,
+			Mode:    uint32(fi.Mode()),
+			ModTime: fi.ModTime().UnixNano(),
+		}
+
+		setUnixOpt(fi, stat, path, seenFiles)
+
+		if !fi.IsDir() {
+			stat.Size_ = fi.Size()
+			if fi.Mode()&os.ModeSymlink != 0 {
+				link, err := os.Readlink(origpath)
+				if err != nil {
+					return errors.Wrapf(err, "failed to readlink %s", origpath)
+				}
+				stat.Linkname = link
+			}
+		}
+		if err := loadXattr(origpath, stat); err != nil {
+			return errors.Wrapf(err, "failed to xattr %s", path)
+		}
+
+		if runtime.GOOS == "windows" {
+			permPart := stat.Mode & uint32(os.ModePerm)
+			noPermPart := stat.Mode &^ uint32(os.ModePerm)
+			// Add the x bit: make everything +x from windows
+			permPart |= 0111
+			permPart &= 0755
+			stat.Mode = noPermPart | permPart
+		}
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			if opt != nil && opt.Map != nil {
+				if allowed := opt.Map(stat); !allowed {
+					return nil
+				}
+			}
+			if err := fn(stat.Path, &StatInfo{stat}, nil); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
+
+type StatInfo struct {
+	*Stat
+}
+
+func (s *StatInfo) Name() string {
+	return filepath.Base(s.Stat.Path)
+}
+func (s *StatInfo) Size() int64 {
+	return s.Stat.Size_
+}
+func (s *StatInfo) Mode() os.FileMode {
+	return os.FileMode(s.Stat.Mode)
+}
+func (s *StatInfo) ModTime() time.Time {
+	return time.Unix(s.Stat.ModTime/1e9, s.Stat.ModTime%1e9)
+}
+func (s *StatInfo) IsDir() bool {
+	return s.Mode().IsDir()
+}
+func (s *StatInfo) Sys() interface{} {
+	return s.Stat
+}
+
+func matchPrefix(pattern, name string) (bool, bool) {
+	count := strings.Count(name, string(filepath.Separator))
+	partial := false
+	if strings.Count(pattern, string(filepath.Separator)) > count {
+		pattern = trimUntilIndex(pattern, string(filepath.Separator), count)
+		partial = true
+	}
+	m, _ := filepath.Match(pattern, name)
+	return m, partial
+}
+
+func trimUntilIndex(str, sep string, count int) string {
+	s := str
+	i := 0
+	c := 0
+	for {
+		idx := strings.Index(s, sep)
+		s = s[idx+len(sep):]
+		i += idx + len(sep)
+		c++
+		if c > count {
+			return str[:i-len(sep)]
+		}
+	}
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/walker_unix.go b/cli/vendor/github.com/tonistiigi/fsutil/walker_unix.go
new file mode 100644
index 00000000..7e8ee803
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/walker_unix.go
@@ -0,0 +1,61 @@
+// +build !windows
+
+package fsutil
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/pkg/errors"
+)
+
+func loadXattr(origpath string, stat *Stat) error {
+	xattrs, err := sysx.LListxattr(origpath)
+	if err != nil {
+		return errors.Wrapf(err, "failed to xattr %s", origpath)
+	}
+	if len(xattrs) > 0 {
+		m := make(map[string][]byte)
+		for _, key := range xattrs {
+			v, err := sysx.LGetxattr(origpath, key)
+			if err == nil {
+				m[key] = v
+			}
+		}
+		stat.Xattrs = m
+	}
+	return nil
+}
+
+func setUnixOpt(fi os.FileInfo, stat *Stat, path string, seenFiles map[uint64]string) {
+	s := fi.Sys().(*syscall.Stat_t)
+
+	stat.Uid = s.Uid
+	stat.Gid = s.Gid
+
+	if !fi.IsDir() {
+		if s.Mode&syscall.S_IFBLK != 0 ||
+			s.Mode&syscall.S_IFCHR != 0 {
+			stat.Devmajor = int64(major(uint64(s.Rdev)))
+			stat.Devminor = int64(minor(uint64(s.Rdev)))
+		}
+
+		ino := s.Ino
+		if s.Nlink > 1 {
+			if oldpath, ok := seenFiles[ino]; ok {
+				stat.Linkname = oldpath
+				stat.Size_ = 0
+			}
+		}
+		seenFiles[ino] = path
+	}
+}
+
+func major(device uint64) uint64 {
+	return (device >> 8) & 0xfff
+}
+
+func minor(device uint64) uint64 {
+	return (device & 0xff) | ((device >> 12) & 0xfff00)
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/walker_windows.go b/cli/vendor/github.com/tonistiigi/fsutil/walker_windows.go
new file mode 100644
index 00000000..a1a2b455
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/walker_windows.go
@@ -0,0 +1,14 @@
+// +build windows
+
+package fsutil
+
+import (
+	"os"
+)
+
+func loadXattr(_ string, _ *Stat) error {
+	return nil
+}
+
+func setUnixOpt(_ os.FileInfo, _ *Stat, _ string, _ map[uint64]string) {
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/wire.pb.go b/cli/vendor/github.com/tonistiigi/fsutil/wire.pb.go
new file mode 100644
index 00000000..9d334bbd
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/wire.pb.go
@@ -0,0 +1,567 @@
+// Code generated by protoc-gen-gogo.
+// source: wire.proto
+// DO NOT EDIT!
+
+package fsutil
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strconv "strconv"
+
+import bytes "bytes"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+type Packet_PacketType int32
+
+const (
+	PACKET_STAT Packet_PacketType = 0
+	PACKET_REQ  Packet_PacketType = 1
+	PACKET_DATA Packet_PacketType = 2
+	PACKET_FIN  Packet_PacketType = 3
+	PACKET_ERR  Packet_PacketType = 4
+)
+
+var Packet_PacketType_name = map[int32]string{
+	0: "PACKET_STAT",
+	1: "PACKET_REQ",
+	2: "PACKET_DATA",
+	3: "PACKET_FIN",
+	4: "PACKET_ERR",
+}
+var Packet_PacketType_value = map[string]int32{
+	"PACKET_STAT": 0,
+	"PACKET_REQ":  1,
+	"PACKET_DATA": 2,
+	"PACKET_FIN":  3,
+	"PACKET_ERR":  4,
+}
+
+func (Packet_PacketType) EnumDescriptor() ([]byte, []int) { return fileDescriptorWire, []int{0, 0} }
+
+type Packet struct {
+	Type Packet_PacketType `protobuf:"varint,1,opt,name=type,proto3,enum=fsutil.Packet_PacketType" json:"type,omitempty"`
+	Stat *Stat             `protobuf:"bytes,2,opt,name=stat" json:"stat,omitempty"`
+	ID   uint32            `protobuf:"varint,3,opt,name=ID,proto3" json:"ID,omitempty"`
+	Data []byte            `protobuf:"bytes,4,opt,name=data,proto3" json:"data,omitempty"`
+}
+
+func (m *Packet) Reset()                    { *m = Packet{} }
+func (*Packet) ProtoMessage()               {}
+func (*Packet) Descriptor() ([]byte, []int) { return fileDescriptorWire, []int{0} }
+
+func (m *Packet) GetType() Packet_PacketType {
+	if m != nil {
+		return m.Type
+	}
+	return PACKET_STAT
+}
+
+func (m *Packet) GetStat() *Stat {
+	if m != nil {
+		return m.Stat
+	}
+	return nil
+}
+
+func (m *Packet) GetID() uint32 {
+	if m != nil {
+		return m.ID
+	}
+	return 0
+}
+
+func (m *Packet) GetData() []byte {
+	if m != nil {
+		return m.Data
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*Packet)(nil), "fsutil.Packet")
+	proto.RegisterEnum("fsutil.Packet_PacketType", Packet_PacketType_name, Packet_PacketType_value)
+}
+func (x Packet_PacketType) String() string {
+	s, ok := Packet_PacketType_name[int32(x)]
+	if ok {
+		return s
+	}
+	return strconv.Itoa(int(x))
+}
+func (this *Packet) Equal(that interface{}) bool {
+	if that == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	}
+
+	that1, ok := that.(*Packet)
+	if !ok {
+		that2, ok := that.(Packet)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	} else if this == nil {
+		return false
+	}
+	if this.Type != that1.Type {
+		return false
+	}
+	if !this.Stat.Equal(that1.Stat) {
+		return false
+	}
+	if this.ID != that1.ID {
+		return false
+	}
+	if !bytes.Equal(this.Data, that1.Data) {
+		return false
+	}
+	return true
+}
+func (this *Packet) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 8)
+	s = append(s, "&fsutil.Packet{")
+	s = append(s, "Type: "+fmt.Sprintf("%#v", this.Type)+",\n")
+	if this.Stat != nil {
+		s = append(s, "Stat: "+fmt.Sprintf("%#v", this.Stat)+",\n")
+	}
+	s = append(s, "ID: "+fmt.Sprintf("%#v", this.ID)+",\n")
+	s = append(s, "Data: "+fmt.Sprintf("%#v", this.Data)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringWire(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+func (m *Packet) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Packet) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Type != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintWire(dAtA, i, uint64(m.Type))
+	}
+	if m.Stat != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintWire(dAtA, i, uint64(m.Stat.Size()))
+		n1, err := m.Stat.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n1
+	}
+	if m.ID != 0 {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintWire(dAtA, i, uint64(m.ID))
+	}
+	if len(m.Data) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintWire(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func encodeFixed64Wire(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Wire(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintWire(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *Packet) Size() (n int) {
+	var l int
+	_ = l
+	if m.Type != 0 {
+		n += 1 + sovWire(uint64(m.Type))
+	}
+	if m.Stat != nil {
+		l = m.Stat.Size()
+		n += 1 + l + sovWire(uint64(l))
+	}
+	if m.ID != 0 {
+		n += 1 + sovWire(uint64(m.ID))
+	}
+	l = len(m.Data)
+	if l > 0 {
+		n += 1 + l + sovWire(uint64(l))
+	}
+	return n
+}
+
+func sovWire(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozWire(x uint64) (n int) {
+	return sovWire(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *Packet) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Packet{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Stat:` + strings.Replace(fmt.Sprintf("%v", this.Stat), "Stat", "Stat", 1) + `,`,
+		`ID:` + fmt.Sprintf("%v", this.ID) + `,`,
+		`Data:` + fmt.Sprintf("%v", this.Data) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringWire(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *Packet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowWire
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Packet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Packet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			m.Type = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Type |= (Packet_PacketType(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stat", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthWire
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Stat == nil {
+				m.Stat = &Stat{}
+			}
+			if err := m.Stat.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			m.ID = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ID |= (uint32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthWire
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipWire(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthWire
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipWire(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowWire
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthWire
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowWire
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipWire(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthWire = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowWire   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("wire.proto", fileDescriptorWire) }
+
+var fileDescriptorWire = []byte{
+	// 259 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xe2, 0xe2, 0x2a, 0xcf, 0x2c, 0x4a,
+	0xd5, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0x4b, 0x2b, 0x2e, 0x2d, 0xc9, 0xcc, 0x91, 0xe2,
+	0x2a, 0x2e, 0x49, 0x2c, 0x81, 0x88, 0x29, 0xdd, 0x65, 0xe4, 0x62, 0x0b, 0x48, 0x4c, 0xce, 0x4e,
+	0x2d, 0x11, 0xd2, 0xe5, 0x62, 0x29, 0xa9, 0x2c, 0x48, 0x95, 0x60, 0x54, 0x60, 0xd4, 0xe0, 0x33,
+	0x92, 0xd4, 0x83, 0xa8, 0xd6, 0x83, 0xc8, 0x42, 0xa9, 0x90, 0xca, 0x82, 0xd4, 0x20, 0xb0, 0x32,
+	0x21, 0x05, 0x2e, 0x16, 0x90, 0x39, 0x12, 0x4c, 0x0a, 0x8c, 0x1a, 0xdc, 0x46, 0x3c, 0x30, 0xe5,
+	0xc1, 0x25, 0x89, 0x25, 0x41, 0x60, 0x19, 0x21, 0x3e, 0x2e, 0x26, 0x4f, 0x17, 0x09, 0x66, 0x05,
+	0x46, 0x0d, 0xde, 0x20, 0x26, 0x4f, 0x17, 0x21, 0x21, 0x2e, 0x96, 0x94, 0xc4, 0x92, 0x44, 0x09,
+	0x16, 0x05, 0x46, 0x0d, 0x9e, 0x20, 0x30, 0x5b, 0x29, 0x8e, 0x8b, 0x0b, 0x61, 0xb2, 0x10, 0x3f,
+	0x17, 0x77, 0x80, 0xa3, 0xb3, 0xb7, 0x6b, 0x48, 0x7c, 0x70, 0x88, 0x63, 0x88, 0x00, 0x83, 0x10,
+	0x1f, 0x17, 0x17, 0x54, 0x20, 0xc8, 0x35, 0x50, 0x80, 0x11, 0x49, 0x81, 0x8b, 0x63, 0x88, 0xa3,
+	0x00, 0x13, 0x92, 0x02, 0x37, 0x4f, 0x3f, 0x01, 0x66, 0x24, 0xbe, 0x6b, 0x50, 0x90, 0x00, 0x8b,
+	0x93, 0xce, 0x85, 0x87, 0x72, 0x0c, 0x37, 0x1e, 0xca, 0x31, 0x7c, 0x78, 0x28, 0xc7, 0xd8, 0xf0,
+	0x48, 0x8e, 0x71, 0xc5, 0x23, 0x39, 0xc6, 0x13, 0x8f, 0xe4, 0x18, 0x2f, 0x3c, 0x92, 0x63, 0x7c,
+	0xf0, 0x48, 0x8e, 0xf1, 0xc5, 0x23, 0x39, 0x86, 0x0f, 0x8f, 0xe4, 0x18, 0x27, 0x3c, 0x96, 0x63,
+	0x48, 0x62, 0x03, 0x07, 0x8a, 0x31, 0x20, 0x00, 0x00, 0xff, 0xff, 0x8b, 0xce, 0x55, 0x3b, 0x36,
+	0x01, 0x00, 0x00,
+}
diff --git a/cli/vendor/github.com/tonistiigi/fsutil/wire.proto b/cli/vendor/github.com/tonistiigi/fsutil/wire.proto
new file mode 100644
index 00000000..f9b33f31
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/fsutil/wire.proto
@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package fsutil;
+
+import "stat.proto";
+
+message Packet {
+  enum PacketType {
+      PACKET_STAT = 0;
+      PACKET_REQ = 1;
+      PACKET_DATA = 2;
+      PACKET_FIN = 3;
+      PACKET_ERR = 4;
+    }
+  PacketType type = 1;
+  Stat stat = 2;
+  uint32 ID = 3;
+  bytes data = 4;
+}
diff --git a/cli/vendor/github.com/tonistiigi/units/LICENSE b/cli/vendor/github.com/tonistiigi/units/LICENSE
new file mode 100644
index 00000000..5c1095df
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/units/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Tõnis Tiigi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/cli/vendor/github.com/tonistiigi/units/bytes.go b/cli/vendor/github.com/tonistiigi/units/bytes.go
new file mode 100644
index 00000000..5a82fc1b
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/units/bytes.go
@@ -0,0 +1,125 @@
+/*
+	Simple byte size formatting.
+
+	This package implements types that can be used in stdlib formatting functions
+	like `fmt.Printf` to control the output of the expected printed string.
+
+
+	Floating point flags %f and %g print the value in using the correct unit
+	suffix. Decimal units are default, # switches to binary units. If a value is
+	best represented as full bytes, integer bytes are printed instead.
+
+		Examples:
+			fmt.Printf("%.2f", 123 * B)   => "123B"
+			fmt.Printf("%.2f", 1234 * B)  => "1.23kB"
+			fmt.Printf("%g", 1200 * B)    => "1.2kB"
+			fmt.Printf("%#g", 1024 * B)   => "1KiB"
+
+
+	Integer flag %d always prints the value in bytes. # flag adds an unit prefix.
+
+		Examples:
+			fmt.Printf("%d", 1234 * B)    => "1234"
+			fmt.Printf("%#d", 1234 * B)   => "1234B"
+
+	%v is equal to %g
+
+*/
+package units
+
+import (
+	"fmt"
+	"io"
+	"math"
+	"math/big"
+)
+
+type Bytes int64
+
+const (
+	B Bytes = 1 << (10 * iota)
+	KiB
+	MiB
+	GiB
+	TiB
+	PiB
+	EiB
+
+	KB = 1e3 * B
+	MB = 1e3 * KB
+	GB = 1e3 * MB
+	TB = 1e3 * GB
+	PB = 1e3 * TB
+	EB = 1e3 * PB
+)
+
+var units = map[bool][]string{
+	false: []string{
+		"B", "kB", "MB", "GB", "TB", "PB", "EB", "ZB", "YB",
+	},
+	true: []string{
+		"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB", "ZiB", "YiB",
+	},
+}
+
+func (b Bytes) Format(f fmt.State, c rune) {
+	switch c {
+	case 'f', 'g':
+		fv, unit, ok := b.floatValue(f.Flag('#'))
+		if !ok {
+			b.formatInt(&noPrecision{f}, 'd', true)
+			return
+		}
+		big.NewFloat(fv).Format(f, c)
+		io.WriteString(f, unit)
+	case 'd':
+		b.formatInt(f, c, f.Flag('#'))
+	default:
+		if f.Flag('#') {
+			fmt.Fprintf(f, "bytes(%d)", int64(b))
+		} else {
+			fmt.Fprintf(f, "%g", b)
+		}
+	}
+}
+
+func (b Bytes) formatInt(f fmt.State, c rune, withUnit bool) {
+	big.NewInt(int64(b)).Format(f, c)
+	if withUnit {
+		io.WriteString(f, "B")
+	}
+}
+
+func (b Bytes) floatValue(binary bool) (float64, string, bool) {
+	i := 0
+	var baseUnit Bytes = 1
+	if b < 0 {
+		baseUnit *= -1
+	}
+	for {
+		next := baseUnit
+		if binary {
+			next *= 1 << 10
+		} else {
+			next *= 1e3
+		}
+		if (baseUnit > 0 && b >= next) || (baseUnit < 0 && b <= next) {
+			i++
+			baseUnit = next
+			continue
+		}
+		if i == 0 {
+			return 0, "", false
+		}
+
+		return float64(b) / math.Abs(float64(baseUnit)), units[binary][i], true
+	}
+}
+
+type noPrecision struct {
+	fmt.State
+}
+
+func (*noPrecision) Precision() (prec int, ok bool) {
+	return 0, false
+}
diff --git a/cli/vendor/github.com/tonistiigi/units/readme.md b/cli/vendor/github.com/tonistiigi/units/readme.md
new file mode 100644
index 00000000..5c67d30d
--- /dev/null
+++ b/cli/vendor/github.com/tonistiigi/units/readme.md
@@ -0,0 +1,29 @@
+#### Simple byte size formatting.
+
+This package implements types that can be used in stdlib formatting functions
+like `fmt.Printf` to control the output of the expected printed string.
+
+Floating point flags `%f` and %g print the value in using the correct unit
+suffix. Decimal units are default, `#` switches to binary units. If a value is
+best represented as full bytes, integer bytes are printed instead.
+
+##### Examples:
+
+```
+fmt.Printf("%.2f", 123 * B)   => "123B"
+fmt.Printf("%.2f", 1234 * B)  => "1.23kB"
+fmt.Printf("%g", 1200 * B)    => "1.2kB"
+fmt.Printf("%#g", 1024 * B)   => "1KiB"
+```
+
+
+Integer flag `%d` always prints the value in bytes. `#` flag adds an unit prefix.
+
+##### Examples:
+
+```
+fmt.Printf("%d", 1234 * B)    => "1234"
+fmt.Printf("%#d", 1234 * B)   => "1234B"
+```
+
+`%v` is equal to `%g`
\ No newline at end of file
diff --git a/cli/vendor/k8s.io/api/LICENSE b/cli/vendor/k8s.io/api/LICENSE
new file mode 100644
index 00000000..d6456956
--- /dev/null
+++ b/cli/vendor/k8s.io/api/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/cli/vendor/k8s.io/api/README.md b/cli/vendor/k8s.io/api/README.md
new file mode 100644
index 00000000..967543a4
--- /dev/null
+++ b/cli/vendor/k8s.io/api/README.md
@@ -0,0 +1 @@
+This repo is still in the experimental stage. Shortly it will contain the schema of the API that are served by the Kubernetes apiserver.
diff --git a/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/doc.go b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/doc.go
new file mode 100644
index 00000000..49e0e098
--- /dev/null
+++ b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/doc.go
@@ -0,0 +1,25 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+// Package v1alpha1 is the v1alpha1 version of the API.
+// AdmissionConfiguration and AdmissionPluginConfiguration are legacy static admission plugin configuration
+// InitializerConfiguration and ExternalAdmissionHookConfiguration is for the
+// new dynamic admission controller configuration.
+// +groupName=admissionregistration.k8s.io
+package v1alpha1 // import "k8s.io/api/admissionregistration/v1alpha1"
diff --git a/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go
new file mode 100644
index 00000000..c0d24a33
--- /dev/null
+++ b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.pb.go
@@ -0,0 +1,2187 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1alpha1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.proto
+
+	It has these top-level messages:
+		AdmissionHookClientConfig
+		ExternalAdmissionHook
+		ExternalAdmissionHookConfiguration
+		ExternalAdmissionHookConfigurationList
+		Initializer
+		InitializerConfiguration
+		InitializerConfigurationList
+		Rule
+		RuleWithOperations
+		ServiceReference
+*/
+package v1alpha1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *AdmissionHookClientConfig) Reset()      { *m = AdmissionHookClientConfig{} }
+func (*AdmissionHookClientConfig) ProtoMessage() {}
+func (*AdmissionHookClientConfig) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{0}
+}
+
+func (m *ExternalAdmissionHook) Reset()                    { *m = ExternalAdmissionHook{} }
+func (*ExternalAdmissionHook) ProtoMessage()               {}
+func (*ExternalAdmissionHook) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *ExternalAdmissionHookConfiguration) Reset()      { *m = ExternalAdmissionHookConfiguration{} }
+func (*ExternalAdmissionHookConfiguration) ProtoMessage() {}
+func (*ExternalAdmissionHookConfiguration) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{2}
+}
+
+func (m *ExternalAdmissionHookConfigurationList) Reset() {
+	*m = ExternalAdmissionHookConfigurationList{}
+}
+func (*ExternalAdmissionHookConfigurationList) ProtoMessage() {}
+func (*ExternalAdmissionHookConfigurationList) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{3}
+}
+
+func (m *Initializer) Reset()                    { *m = Initializer{} }
+func (*Initializer) ProtoMessage()               {}
+func (*Initializer) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *InitializerConfiguration) Reset()      { *m = InitializerConfiguration{} }
+func (*InitializerConfiguration) ProtoMessage() {}
+func (*InitializerConfiguration) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{5}
+}
+
+func (m *InitializerConfigurationList) Reset()      { *m = InitializerConfigurationList{} }
+func (*InitializerConfigurationList) ProtoMessage() {}
+func (*InitializerConfigurationList) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{6}
+}
+
+func (m *Rule) Reset()                    { *m = Rule{} }
+func (*Rule) ProtoMessage()               {}
+func (*Rule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *RuleWithOperations) Reset()                    { *m = RuleWithOperations{} }
+func (*RuleWithOperations) ProtoMessage()               {}
+func (*RuleWithOperations) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *ServiceReference) Reset()                    { *m = ServiceReference{} }
+func (*ServiceReference) ProtoMessage()               {}
+func (*ServiceReference) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+
+func init() {
+	proto.RegisterType((*AdmissionHookClientConfig)(nil), "k8s.io.api.admissionregistration.v1alpha1.AdmissionHookClientConfig")
+	proto.RegisterType((*ExternalAdmissionHook)(nil), "k8s.io.api.admissionregistration.v1alpha1.ExternalAdmissionHook")
+	proto.RegisterType((*ExternalAdmissionHookConfiguration)(nil), "k8s.io.api.admissionregistration.v1alpha1.ExternalAdmissionHookConfiguration")
+	proto.RegisterType((*ExternalAdmissionHookConfigurationList)(nil), "k8s.io.api.admissionregistration.v1alpha1.ExternalAdmissionHookConfigurationList")
+	proto.RegisterType((*Initializer)(nil), "k8s.io.api.admissionregistration.v1alpha1.Initializer")
+	proto.RegisterType((*InitializerConfiguration)(nil), "k8s.io.api.admissionregistration.v1alpha1.InitializerConfiguration")
+	proto.RegisterType((*InitializerConfigurationList)(nil), "k8s.io.api.admissionregistration.v1alpha1.InitializerConfigurationList")
+	proto.RegisterType((*Rule)(nil), "k8s.io.api.admissionregistration.v1alpha1.Rule")
+	proto.RegisterType((*RuleWithOperations)(nil), "k8s.io.api.admissionregistration.v1alpha1.RuleWithOperations")
+	proto.RegisterType((*ServiceReference)(nil), "k8s.io.api.admissionregistration.v1alpha1.ServiceReference")
+}
+func (m *AdmissionHookClientConfig) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AdmissionHookClientConfig) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Service.Size()))
+	n1, err := m.Service.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	if m.CABundle != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.CABundle)))
+		i += copy(dAtA[i:], m.CABundle)
+	}
+	return i, nil
+}
+
+func (m *ExternalAdmissionHook) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ExternalAdmissionHook) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ClientConfig.Size()))
+	n2, err := m.ClientConfig.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	if len(m.Rules) > 0 {
+		for _, msg := range m.Rules {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.FailurePolicy != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.FailurePolicy)))
+		i += copy(dAtA[i:], *m.FailurePolicy)
+	}
+	return i, nil
+}
+
+func (m *ExternalAdmissionHookConfiguration) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ExternalAdmissionHookConfiguration) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n3, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	if len(m.ExternalAdmissionHooks) > 0 {
+		for _, msg := range m.ExternalAdmissionHooks {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ExternalAdmissionHookConfigurationList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ExternalAdmissionHookConfigurationList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n4, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *Initializer) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Initializer) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	if len(m.Rules) > 0 {
+		for _, msg := range m.Rules {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *InitializerConfiguration) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *InitializerConfiguration) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n5, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	if len(m.Initializers) > 0 {
+		for _, msg := range m.Initializers {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *InitializerConfigurationList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *InitializerConfigurationList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n6, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *Rule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Rule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.APIVersions) > 0 {
+		for _, s := range m.APIVersions {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *RuleWithOperations) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RuleWithOperations) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Operations) > 0 {
+		for _, s := range m.Operations {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Rule.Size()))
+	n7, err := m.Rule.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n7
+	return i, nil
+}
+
+func (m *ServiceReference) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ServiceReference) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *AdmissionHookClientConfig) Size() (n int) {
+	var l int
+	_ = l
+	l = m.Service.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.CABundle != nil {
+		l = len(m.CABundle)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ExternalAdmissionHook) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.ClientConfig.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Rules) > 0 {
+		for _, e := range m.Rules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.FailurePolicy != nil {
+		l = len(*m.FailurePolicy)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ExternalAdmissionHookConfiguration) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.ExternalAdmissionHooks) > 0 {
+		for _, e := range m.ExternalAdmissionHooks {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ExternalAdmissionHookConfigurationList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Initializer) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Rules) > 0 {
+		for _, e := range m.Rules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *InitializerConfiguration) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Initializers) > 0 {
+		for _, e := range m.Initializers {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *InitializerConfigurationList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Rule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.APIVersions) > 0 {
+		for _, s := range m.APIVersions {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RuleWithOperations) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Operations) > 0 {
+		for _, s := range m.Operations {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.Rule.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ServiceReference) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *AdmissionHookClientConfig) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&AdmissionHookClientConfig{`,
+		`Service:` + strings.Replace(strings.Replace(this.Service.String(), "ServiceReference", "ServiceReference", 1), `&`, ``, 1) + `,`,
+		`CABundle:` + valueToStringGenerated(this.CABundle) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ExternalAdmissionHook) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ExternalAdmissionHook{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`ClientConfig:` + strings.Replace(strings.Replace(this.ClientConfig.String(), "AdmissionHookClientConfig", "AdmissionHookClientConfig", 1), `&`, ``, 1) + `,`,
+		`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "RuleWithOperations", "RuleWithOperations", 1), `&`, ``, 1) + `,`,
+		`FailurePolicy:` + valueToStringGenerated(this.FailurePolicy) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ExternalAdmissionHookConfiguration) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ExternalAdmissionHookConfiguration{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`ExternalAdmissionHooks:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ExternalAdmissionHooks), "ExternalAdmissionHook", "ExternalAdmissionHook", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ExternalAdmissionHookConfigurationList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ExternalAdmissionHookConfigurationList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ExternalAdmissionHookConfiguration", "ExternalAdmissionHookConfiguration", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Initializer) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Initializer{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "Rule", "Rule", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *InitializerConfiguration) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&InitializerConfiguration{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Initializers:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Initializers), "Initializer", "Initializer", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *InitializerConfigurationList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&InitializerConfigurationList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "InitializerConfiguration", "InitializerConfiguration", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Rule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Rule{`,
+		`APIGroups:` + fmt.Sprintf("%v", this.APIGroups) + `,`,
+		`APIVersions:` + fmt.Sprintf("%v", this.APIVersions) + `,`,
+		`Resources:` + fmt.Sprintf("%v", this.Resources) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RuleWithOperations) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RuleWithOperations{`,
+		`Operations:` + fmt.Sprintf("%v", this.Operations) + `,`,
+		`Rule:` + strings.Replace(strings.Replace(this.Rule.String(), "Rule", "Rule", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ServiceReference) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ServiceReference{`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *AdmissionHookClientConfig) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AdmissionHookClientConfig: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AdmissionHookClientConfig: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Service", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Service.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CABundle", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.CABundle = append(m.CABundle[:0], dAtA[iNdEx:postIndex]...)
+			if m.CABundle == nil {
+				m.CABundle = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ExternalAdmissionHook) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExternalAdmissionHook: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExternalAdmissionHook: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ClientConfig", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ClientConfig.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rules = append(m.Rules, RuleWithOperations{})
+			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FailurePolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := FailurePolicyType(dAtA[iNdEx:postIndex])
+			m.FailurePolicy = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ExternalAdmissionHookConfiguration) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExternalAdmissionHookConfiguration: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExternalAdmissionHookConfiguration: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExternalAdmissionHooks", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExternalAdmissionHooks = append(m.ExternalAdmissionHooks, ExternalAdmissionHook{})
+			if err := m.ExternalAdmissionHooks[len(m.ExternalAdmissionHooks)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ExternalAdmissionHookConfigurationList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExternalAdmissionHookConfigurationList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExternalAdmissionHookConfigurationList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ExternalAdmissionHookConfiguration{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Initializer) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Initializer: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Initializer: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rules = append(m.Rules, Rule{})
+			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *InitializerConfiguration) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: InitializerConfiguration: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: InitializerConfiguration: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Initializers", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Initializers = append(m.Initializers, Initializer{})
+			if err := m.Initializers[len(m.Initializers)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *InitializerConfigurationList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: InitializerConfigurationList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: InitializerConfigurationList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, InitializerConfiguration{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Rule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Rule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Rule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroups = append(m.APIGroups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIVersions", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIVersions = append(m.APIVersions, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resources = append(m.Resources, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RuleWithOperations) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RuleWithOperations: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RuleWithOperations: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Operations", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Operations = append(m.Operations, OperationType(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rule", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Rule.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ServiceReference) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServiceReference: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServiceReference: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 871 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x55, 0xcd, 0x8b, 0x23, 0x45,
+	0x14, 0x4f, 0x65, 0x32, 0x6c, 0x52, 0x49, 0xd8, 0xdd, 0x42, 0x97, 0x38, 0x48, 0x77, 0xe8, 0xc3,
+	0x12, 0x11, 0xbb, 0x9d, 0x51, 0x16, 0x41, 0x44, 0xa7, 0xc7, 0xaf, 0x81, 0xfd, 0x18, 0xcb, 0x45,
+	0x41, 0x3c, 0x58, 0xe9, 0xbc, 0x24, 0x65, 0xfa, 0x8b, 0xaa, 0xea, 0xe0, 0x78, 0x10, 0x2f, 0xde,
+	0x05, 0x2f, 0x5e, 0xbd, 0x79, 0xf1, 0xff, 0x98, 0xe3, 0x1e, 0xf7, 0x14, 0x9c, 0x16, 0xbc, 0x08,
+	0xfe, 0x01, 0x73, 0x92, 0xfe, 0x4a, 0x3a, 0x9b, 0x84, 0x4d, 0x5c, 0x98, 0x5b, 0xea, 0xf7, 0xea,
+	0xf7, 0xde, 0xef, 0xfd, 0xf2, 0x5e, 0x35, 0xa6, 0x93, 0x77, 0xa4, 0xc9, 0x03, 0x6b, 0x12, 0xf5,
+	0x41, 0xf8, 0xa0, 0x40, 0x5a, 0x53, 0xf0, 0x07, 0x81, 0xb0, 0xf2, 0x00, 0x0b, 0xb9, 0xc5, 0x06,
+	0x1e, 0x97, 0x92, 0x07, 0xbe, 0x80, 0x11, 0x97, 0x4a, 0x30, 0xc5, 0x03, 0xdf, 0x9a, 0x1e, 0x32,
+	0x37, 0x1c, 0xb3, 0x43, 0x6b, 0x04, 0x3e, 0x08, 0xa6, 0x60, 0x60, 0x86, 0x22, 0x50, 0x01, 0x79,
+	0x2d, 0xa3, 0x9a, 0x2c, 0xe4, 0xe6, 0x5a, 0xaa, 0x59, 0x50, 0x0f, 0xde, 0x18, 0x71, 0x35, 0x8e,
+	0xfa, 0xa6, 0x13, 0x78, 0xd6, 0x28, 0x18, 0x05, 0x56, 0x9a, 0xa1, 0x1f, 0x0d, 0xd3, 0x53, 0x7a,
+	0x48, 0x7f, 0x65, 0x99, 0x0f, 0xde, 0x5e, 0x88, 0xf2, 0x98, 0x33, 0xe6, 0x3e, 0x88, 0x73, 0x2b,
+	0x9c, 0x8c, 0x12, 0x40, 0x5a, 0x1e, 0x28, 0x66, 0x4d, 0x57, 0xf4, 0x1c, 0x58, 0x9b, 0x58, 0x22,
+	0xf2, 0x15, 0xf7, 0x60, 0x85, 0x70, 0xef, 0x79, 0x04, 0xe9, 0x8c, 0xc1, 0x63, 0x2b, 0xbc, 0xb7,
+	0x36, 0xf1, 0x22, 0xc5, 0x5d, 0x8b, 0xfb, 0x4a, 0x2a, 0xf1, 0x2c, 0xc9, 0xf8, 0x03, 0xe1, 0x57,
+	0x8e, 0x0b, 0x97, 0x3e, 0x0d, 0x82, 0xc9, 0x89, 0xcb, 0xc1, 0x57, 0x27, 0x81, 0x3f, 0xe4, 0x23,
+	0x32, 0xc4, 0x37, 0x24, 0x88, 0x29, 0x77, 0xa0, 0x83, 0xba, 0xa8, 0xd7, 0x3c, 0x7a, 0xd7, 0xdc,
+	0xda, 0x5d, 0xf3, 0xf3, 0x8c, 0x49, 0x61, 0x08, 0x02, 0x7c, 0x07, 0xec, 0x9b, 0x17, 0x33, 0xbd,
+	0x12, 0xcf, 0xf4, 0x1b, 0x45, 0xa4, 0x48, 0x4e, 0x7a, 0xb8, 0xee, 0x30, 0x3b, 0xf2, 0x07, 0x2e,
+	0x74, 0xaa, 0x5d, 0xd4, 0x6b, 0xd9, 0xad, 0x78, 0xa6, 0xd7, 0x4f, 0x8e, 0x33, 0x8c, 0xce, 0xa3,
+	0xc6, 0x3f, 0x55, 0xfc, 0xf2, 0x47, 0xdf, 0x29, 0x10, 0x3e, 0x73, 0x97, 0x74, 0x93, 0x2e, 0xae,
+	0xf9, 0xcc, 0xcb, 0x84, 0x36, 0xec, 0x56, 0x5e, 0xab, 0xf6, 0x90, 0x79, 0x40, 0xd3, 0x08, 0xf9,
+	0x01, 0xb7, 0x9c, 0x52, 0x77, 0x69, 0xa5, 0xe6, 0xd1, 0x87, 0x3b, 0xb4, 0xb4, 0xd1, 0x29, 0xfb,
+	0xa5, 0xbc, 0x5e, 0xab, 0x8c, 0xd2, 0xa5, 0x7a, 0xa4, 0x8f, 0xf7, 0x45, 0xe4, 0x82, 0xec, 0xec,
+	0x75, 0xf7, 0x7a, 0xcd, 0xa3, 0xf7, 0x76, 0x28, 0x4c, 0x23, 0x17, 0xbe, 0xe4, 0x6a, 0xfc, 0x28,
+	0x84, 0x2c, 0x24, 0xed, 0x76, 0x5e, 0x71, 0x3f, 0x89, 0x49, 0x9a, 0xa5, 0x26, 0xf7, 0x71, 0x7b,
+	0xc8, 0xb8, 0x1b, 0x09, 0x38, 0x0b, 0x5c, 0xee, 0x9c, 0x77, 0x6a, 0xa9, 0x1d, 0x77, 0xe3, 0x99,
+	0xde, 0xfe, 0xb8, 0x1c, 0xb8, 0x9a, 0xe9, 0xb7, 0x97, 0x80, 0xc7, 0xe7, 0x21, 0xd0, 0x65, 0xb2,
+	0xf1, 0x5b, 0x15, 0x1b, 0x6b, 0xdd, 0xce, 0x3a, 0x8a, 0x32, 0x2d, 0xe4, 0x1b, 0x5c, 0x4f, 0xa6,
+	0x7f, 0xc0, 0x14, 0xcb, 0xe7, 0xe4, 0xcd, 0x52, 0x6f, 0xf3, 0x61, 0x34, 0xc3, 0xc9, 0x28, 0x01,
+	0xa4, 0x99, 0xdc, 0x36, 0xa7, 0x87, 0xe6, 0xa3, 0xfe, 0xb7, 0xe0, 0xa8, 0x07, 0xa0, 0x98, 0x4d,
+	0xf2, 0x76, 0xf0, 0x02, 0xa3, 0xf3, 0xac, 0xe4, 0x57, 0x84, 0xef, 0xc0, 0x3a, 0x21, 0xb2, 0x53,
+	0x4d, 0xcd, 0xfc, 0x60, 0x07, 0x33, 0xd7, 0x76, 0x64, 0x6b, 0xb9, 0x80, 0x3b, 0x6b, 0xc3, 0x92,
+	0x6e, 0xa8, 0x6f, 0x5c, 0x21, 0x7c, 0xf7, 0xf9, 0x1e, 0xdd, 0xe7, 0x52, 0x91, 0xaf, 0x57, 0x7c,
+	0x32, 0xb7, 0xf3, 0x29, 0x61, 0xa7, 0x2e, 0xdd, 0xca, 0x45, 0xd6, 0x0b, 0xa4, 0xe4, 0x91, 0xc0,
+	0xfb, 0x5c, 0x81, 0x57, 0x38, 0xf2, 0xe0, 0x45, 0x1d, 0x59, 0xd2, 0xbf, 0x18, 0xb7, 0xd3, 0xa4,
+	0x06, 0xcd, 0x4a, 0x19, 0x3f, 0x21, 0xdc, 0x3c, 0xf5, 0xb9, 0xe2, 0xcc, 0xe5, 0xdf, 0x83, 0xd8,
+	0x62, 0x09, 0x1f, 0x17, 0x4b, 0x90, 0xa9, 0xb4, 0x76, 0x5c, 0x82, 0xf5, 0x63, 0x6f, 0xfc, 0x8b,
+	0x70, 0xa7, 0xa4, 0xe3, 0xba, 0xc7, 0x33, 0xc4, 0x2d, 0xbe, 0xa8, 0x5e, 0xf4, 0x76, 0x6f, 0x87,
+	0xde, 0x4a, 0xe2, 0x17, 0x6f, 0x49, 0x09, 0x94, 0x74, 0xa9, 0x82, 0xf1, 0x37, 0xc2, 0xaf, 0x6e,
+	0x6a, 0xf8, 0x1a, 0x66, 0x6d, 0xbc, 0x3c, 0x6b, 0x27, 0xff, 0xaf, 0xd3, 0x6d, 0x26, 0xec, 0x17,
+	0x84, 0x6b, 0xc9, 0x5f, 0x4d, 0x5e, 0xc7, 0x0d, 0x16, 0xf2, 0x4f, 0x44, 0x10, 0x85, 0xb2, 0x83,
+	0xba, 0x7b, 0xbd, 0x86, 0xdd, 0x8e, 0x67, 0x7a, 0xe3, 0xf8, 0xec, 0x34, 0x03, 0xe9, 0x22, 0x4e,
+	0x0e, 0x71, 0x93, 0x85, 0xfc, 0x0b, 0x10, 0x89, 0x8e, 0x4c, 0x65, 0xc3, 0xbe, 0x19, 0xcf, 0xf4,
+	0xe6, 0xf1, 0xd9, 0x69, 0x01, 0xd3, 0xf2, 0x9d, 0x24, 0xbf, 0x00, 0x19, 0x44, 0xc2, 0xc9, 0x5f,
+	0xe8, 0x3c, 0x3f, 0x2d, 0x40, 0xba, 0x88, 0x1b, 0xbf, 0x23, 0x4c, 0x56, 0xdf, 0x64, 0xf2, 0x3e,
+	0xc6, 0xc1, 0xfc, 0x94, 0x8b, 0xd4, 0xd3, 0xa9, 0x99, 0xa3, 0x57, 0x33, 0xbd, 0x3d, 0x3f, 0xa5,
+	0x6f, 0x6e, 0x89, 0x42, 0x3e, 0xc3, 0xb5, 0x64, 0xa0, 0xf3, 0x4f, 0xd3, 0xce, 0xcb, 0x31, 0x5f,
+	0xb8, 0xe4, 0x44, 0xd3, 0x54, 0x06, 0xe0, 0x5b, 0xcf, 0x7e, 0x89, 0x89, 0x85, 0x1b, 0xc9, 0x32,
+	0xca, 0x90, 0x39, 0xc5, 0xae, 0xde, 0xce, 0xa9, 0x8d, 0x87, 0x45, 0x80, 0x2e, 0xee, 0xcc, 0xf7,
+	0xba, 0xba, 0x69, 0xaf, 0x6d, 0xf3, 0xe2, 0x52, 0xab, 0x3c, 0xb9, 0xd4, 0x2a, 0x4f, 0x2f, 0xb5,
+	0xca, 0x8f, 0xb1, 0x86, 0x2e, 0x62, 0x0d, 0x3d, 0x89, 0x35, 0xf4, 0x34, 0xd6, 0xd0, 0x9f, 0xb1,
+	0x86, 0x7e, 0xfe, 0x4b, 0xab, 0x7c, 0x55, 0x2f, 0xf4, 0xfe, 0x17, 0x00, 0x00, 0xff, 0xff, 0xe7,
+	0xb5, 0x5f, 0xd5, 0xfb, 0x09, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.proto b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.proto
new file mode 100644
index 00000000..98da461f
--- /dev/null
+++ b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/generated.proto
@@ -0,0 +1,196 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.admissionregistration.v1alpha1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1alpha1";
+
+// AdmissionHookClientConfig contains the information to make a TLS
+// connection with the webhook
+message AdmissionHookClientConfig {
+  // Service is a reference to the service for this webhook. If there is only
+  // one port open for the service, that port will be used. If there are multiple
+  // ports open, port 443 will be used if it is open, otherwise it is an error.
+  // Required
+  optional ServiceReference service = 1;
+
+  // CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate.
+  // Required
+  optional bytes caBundle = 2;
+}
+
+// ExternalAdmissionHook describes an external admission webhook and the
+// resources and operations it applies to.
+message ExternalAdmissionHook {
+  // The name of the external admission webhook.
+  // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+  // "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+  // of the organization.
+  // Required.
+  optional string name = 1;
+
+  // ClientConfig defines how to communicate with the hook.
+  // Required
+  optional AdmissionHookClientConfig clientConfig = 2;
+
+  // Rules describes what operations on what resources/subresources the webhook cares about.
+  // The webhook cares about an operation if it matches _any_ Rule.
+  repeated RuleWithOperations rules = 3;
+
+  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+  // allowed values are Ignore or Fail. Defaults to Ignore.
+  // +optional
+  optional string failurePolicy = 4;
+}
+
+// ExternalAdmissionHookConfiguration describes the configuration of initializers.
+message ExternalAdmissionHookConfiguration {
+  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // ExternalAdmissionHooks is a list of external admission webhooks and the
+  // affected resources and operations.
+  // +optional
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated ExternalAdmissionHook externalAdmissionHooks = 2;
+}
+
+// ExternalAdmissionHookConfigurationList is a list of ExternalAdmissionHookConfiguration.
+message ExternalAdmissionHookConfigurationList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of ExternalAdmissionHookConfiguration.
+  repeated ExternalAdmissionHookConfiguration items = 2;
+}
+
+// Initializer describes the name and the failure policy of an initializer, and
+// what resources it applies to.
+message Initializer {
+  // Name is the identifier of the initializer. It will be added to the
+  // object that needs to be initialized.
+  // Name should be fully qualified, e.g., alwayspullimages.kubernetes.io, where
+  // "alwayspullimages" is the name of the webhook, and kubernetes.io is the name
+  // of the organization.
+  // Required
+  optional string name = 1;
+
+  // Rules describes what resources/subresources the initializer cares about.
+  // The initializer cares about an operation if it matches _any_ Rule.
+  // Rule.Resources must not include subresources.
+  repeated Rule rules = 2;
+}
+
+// InitializerConfiguration describes the configuration of initializers.
+message InitializerConfiguration {
+  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Initializers is a list of resources and their default initializers
+  // Order-sensitive.
+  // When merging multiple InitializerConfigurations, we sort the initializers
+  // from different InitializerConfigurations by the name of the
+  // InitializerConfigurations; the order of the initializers from the same
+  // InitializerConfiguration is preserved.
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  // +optional
+  repeated Initializer initializers = 2;
+}
+
+// InitializerConfigurationList is a list of InitializerConfiguration.
+message InitializerConfigurationList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of InitializerConfiguration.
+  repeated InitializerConfiguration items = 2;
+}
+
+// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
+// to make sure that all the tuple expansions are valid.
+message Rule {
+  // APIGroups is the API groups the resources belong to. '*' is all groups.
+  // If '*' is present, the length of the slice must be one.
+  // Required.
+  repeated string apiGroups = 1;
+
+  // APIVersions is the API versions the resources belong to. '*' is all versions.
+  // If '*' is present, the length of the slice must be one.
+  // Required.
+  repeated string apiVersions = 2;
+
+  // Resources is a list of resources this rule applies to.
+  // 
+  // For example:
+  // 'pods' means pods.
+  // 'pods/log' means the log subresource of pods.
+  // '*' means all resources, but not subresources.
+  // 'pods/*' means all subresources of pods.
+  // '*/scale' means all scale subresources.
+  // '*/*' means all resources and their subresources.
+  // 
+  // If wildcard is present, the validation rule will ensure resources do not
+  // overlap with each other.
+  // 
+  // Depending on the enclosing object, subresources might not be allowed.
+  // Required.
+  repeated string resources = 3;
+}
+
+// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
+// sure that all the tuple expansions are valid.
+message RuleWithOperations {
+  // Operations is the operations the admission hook cares about - CREATE, UPDATE, or *
+  // for all operations.
+  // If '*' is present, the length of the slice must be one.
+  // Required.
+  repeated string operations = 1;
+
+  // Rule is embedded, it describes other criteria of the rule, like
+  // APIGroups, APIVersions, Resources, etc.
+  optional Rule rule = 2;
+}
+
+// ServiceReference holds a reference to Service.legacy.k8s.io
+message ServiceReference {
+  // Namespace is the namespace of the service
+  // Required
+  optional string namespace = 1;
+
+  // Name is the name of the service
+  // Required
+  optional string name = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/register.go b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/register.go
new file mode 100644
index 00000000..e178cf74
--- /dev/null
+++ b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/register.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "admissionregistration.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&InitializerConfiguration{},
+		&InitializerConfigurationList{},
+		&ExternalAdmissionHookConfiguration{},
+		&ExternalAdmissionHookConfigurationList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/types.go b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/types.go
new file mode 100644
index 00000000..d4827e59
--- /dev/null
+++ b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/types.go
@@ -0,0 +1,219 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// InitializerConfiguration describes the configuration of initializers.
+type InitializerConfiguration struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Initializers is a list of resources and their default initializers
+	// Order-sensitive.
+	// When merging multiple InitializerConfigurations, we sort the initializers
+	// from different InitializerConfigurations by the name of the
+	// InitializerConfigurations; the order of the initializers from the same
+	// InitializerConfiguration is preserved.
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	// +optional
+	Initializers []Initializer `json:"initializers,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,2,rep,name=initializers"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// InitializerConfigurationList is a list of InitializerConfiguration.
+type InitializerConfigurationList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of InitializerConfiguration.
+	Items []InitializerConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// Initializer describes the name and the failure policy of an initializer, and
+// what resources it applies to.
+type Initializer struct {
+	// Name is the identifier of the initializer. It will be added to the
+	// object that needs to be initialized.
+	// Name should be fully qualified, e.g., alwayspullimages.kubernetes.io, where
+	// "alwayspullimages" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+
+	// Rules describes what resources/subresources the initializer cares about.
+	// The initializer cares about an operation if it matches _any_ Rule.
+	// Rule.Resources must not include subresources.
+	Rules []Rule `json:"rules,omitempty" protobuf:"bytes,2,rep,name=rules"`
+}
+
+// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
+// to make sure that all the tuple expansions are valid.
+type Rule struct {
+	// APIGroups is the API groups the resources belong to. '*' is all groups.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,1,rep,name=apiGroups"`
+
+	// APIVersions is the API versions the resources belong to. '*' is all versions.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	APIVersions []string `json:"apiVersions,omitempty" protobuf:"bytes,2,rep,name=apiVersions"`
+
+	// Resources is a list of resources this rule applies to.
+	//
+	// For example:
+	// 'pods' means pods.
+	// 'pods/log' means the log subresource of pods.
+	// '*' means all resources, but not subresources.
+	// 'pods/*' means all subresources of pods.
+	// '*/scale' means all scale subresources.
+	// '*/*' means all resources and their subresources.
+	//
+	// If wildcard is present, the validation rule will ensure resources do not
+	// overlap with each other.
+	//
+	// Depending on the enclosing object, subresources might not be allowed.
+	// Required.
+	Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
+}
+
+type FailurePolicyType string
+
+const (
+	// Ignore means the initilizer is removed from the initializers list of an
+	// object if the initializer is timed out.
+	Ignore FailurePolicyType = "Ignore"
+	// For 1.7, only "Ignore" is allowed. "Fail" will be allowed when the
+	// extensible admission feature is beta.
+	Fail FailurePolicyType = "Fail"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ExternalAdmissionHookConfiguration describes the configuration of initializers.
+type ExternalAdmissionHookConfiguration struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	// ExternalAdmissionHooks is a list of external admission webhooks and the
+	// affected resources and operations.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	ExternalAdmissionHooks []ExternalAdmissionHook `json:"externalAdmissionHooks,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,2,rep,name=externalAdmissionHooks"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ExternalAdmissionHookConfigurationList is a list of ExternalAdmissionHookConfiguration.
+type ExternalAdmissionHookConfigurationList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	// List of ExternalAdmissionHookConfiguration.
+	Items []ExternalAdmissionHookConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// ExternalAdmissionHook describes an external admission webhook and the
+// resources and operations it applies to.
+type ExternalAdmissionHook struct {
+	// The name of the external admission webhook.
+	// Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+	// "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+	// of the organization.
+	// Required.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+
+	// ClientConfig defines how to communicate with the hook.
+	// Required
+	ClientConfig AdmissionHookClientConfig `json:"clientConfig" protobuf:"bytes,2,opt,name=clientConfig"`
+
+	// Rules describes what operations on what resources/subresources the webhook cares about.
+	// The webhook cares about an operation if it matches _any_ Rule.
+	Rules []RuleWithOperations `json:"rules,omitempty" protobuf:"bytes,3,rep,name=rules"`
+
+	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+	// allowed values are Ignore or Fail. Defaults to Ignore.
+	// +optional
+	FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" protobuf:"bytes,4,opt,name=failurePolicy,casttype=FailurePolicyType"`
+}
+
+// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
+// sure that all the tuple expansions are valid.
+type RuleWithOperations struct {
+	// Operations is the operations the admission hook cares about - CREATE, UPDATE, or *
+	// for all operations.
+	// If '*' is present, the length of the slice must be one.
+	// Required.
+	Operations []OperationType `json:"operations,omitempty" protobuf:"bytes,1,rep,name=operations,casttype=OperationType"`
+	// Rule is embedded, it describes other criteria of the rule, like
+	// APIGroups, APIVersions, Resources, etc.
+	Rule `json:",inline" protobuf:"bytes,2,opt,name=rule"`
+}
+
+type OperationType string
+
+// The constants should be kept in sync with those defined in k8s.io/kubernetes/pkg/admission/interface.go.
+const (
+	OperationAll OperationType = "*"
+	Create       OperationType = "CREATE"
+	Update       OperationType = "UPDATE"
+	Delete       OperationType = "DELETE"
+	Connect      OperationType = "CONNECT"
+)
+
+// AdmissionHookClientConfig contains the information to make a TLS
+// connection with the webhook
+type AdmissionHookClientConfig struct {
+	// Service is a reference to the service for this webhook. If there is only
+	// one port open for the service, that port will be used. If there are multiple
+	// ports open, port 443 will be used if it is open, otherwise it is an error.
+	// Required
+	Service ServiceReference `json:"service" protobuf:"bytes,1,opt,name=service"`
+	// CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate.
+	// Required
+	CABundle []byte `json:"caBundle" protobuf:"bytes,2,opt,name=caBundle"`
+}
+
+// ServiceReference holds a reference to Service.legacy.k8s.io
+type ServiceReference struct {
+	// Namespace is the namespace of the service
+	// Required
+	Namespace string `json:"namespace" protobuf:"bytes,1,opt,name=namespace"`
+	// Name is the name of the service
+	// Required
+	Name string `json:"name" protobuf:"bytes,2,opt,name=name"`
+}
diff --git a/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..0b30ecc8
--- /dev/null
+++ b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/types_swagger_doc_generated.go
@@ -0,0 +1,132 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_AdmissionHookClientConfig = map[string]string{
+	"":         "AdmissionHookClientConfig contains the information to make a TLS connection with the webhook",
+	"service":  "Service is a reference to the service for this webhook. If there is only one port open for the service, that port will be used. If there are multiple ports open, port 443 will be used if it is open, otherwise it is an error. Required",
+	"caBundle": "CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate. Required",
+}
+
+func (AdmissionHookClientConfig) SwaggerDoc() map[string]string {
+	return map_AdmissionHookClientConfig
+}
+
+var map_ExternalAdmissionHook = map[string]string{
+	"":              "ExternalAdmissionHook describes an external admission webhook and the resources and operations it applies to.",
+	"name":          "The name of the external admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.",
+	"clientConfig":  "ClientConfig defines how to communicate with the hook. Required",
+	"rules":         "Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule.",
+	"failurePolicy": "FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Ignore.",
+}
+
+func (ExternalAdmissionHook) SwaggerDoc() map[string]string {
+	return map_ExternalAdmissionHook
+}
+
+var map_ExternalAdmissionHookConfiguration = map[string]string{
+	"":                       "ExternalAdmissionHookConfiguration describes the configuration of initializers.",
+	"metadata":               "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.",
+	"externalAdmissionHooks": "ExternalAdmissionHooks is a list of external admission webhooks and the affected resources and operations.",
+}
+
+func (ExternalAdmissionHookConfiguration) SwaggerDoc() map[string]string {
+	return map_ExternalAdmissionHookConfiguration
+}
+
+var map_ExternalAdmissionHookConfigurationList = map[string]string{
+	"":         "ExternalAdmissionHookConfigurationList is a list of ExternalAdmissionHookConfiguration.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of ExternalAdmissionHookConfiguration.",
+}
+
+func (ExternalAdmissionHookConfigurationList) SwaggerDoc() map[string]string {
+	return map_ExternalAdmissionHookConfigurationList
+}
+
+var map_Initializer = map[string]string{
+	"":      "Initializer describes the name and the failure policy of an initializer, and what resources it applies to.",
+	"name":  "Name is the identifier of the initializer. It will be added to the object that needs to be initialized. Name should be fully qualified, e.g., alwayspullimages.kubernetes.io, where \"alwayspullimages\" is the name of the webhook, and kubernetes.io is the name of the organization. Required",
+	"rules": "Rules describes what resources/subresources the initializer cares about. The initializer cares about an operation if it matches _any_ Rule. Rule.Resources must not include subresources.",
+}
+
+func (Initializer) SwaggerDoc() map[string]string {
+	return map_Initializer
+}
+
+var map_InitializerConfiguration = map[string]string{
+	"":             "InitializerConfiguration describes the configuration of initializers.",
+	"metadata":     "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.",
+	"initializers": "Initializers is a list of resources and their default initializers Order-sensitive. When merging multiple InitializerConfigurations, we sort the initializers from different InitializerConfigurations by the name of the InitializerConfigurations; the order of the initializers from the same InitializerConfiguration is preserved.",
+}
+
+func (InitializerConfiguration) SwaggerDoc() map[string]string {
+	return map_InitializerConfiguration
+}
+
+var map_InitializerConfigurationList = map[string]string{
+	"":         "InitializerConfigurationList is a list of InitializerConfiguration.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of InitializerConfiguration.",
+}
+
+func (InitializerConfigurationList) SwaggerDoc() map[string]string {
+	return map_InitializerConfigurationList
+}
+
+var map_Rule = map[string]string{
+	"":            "Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended to make sure that all the tuple expansions are valid.",
+	"apiGroups":   "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.",
+	"apiVersions": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.",
+	"resources":   "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.",
+}
+
+func (Rule) SwaggerDoc() map[string]string {
+	return map_Rule
+}
+
+var map_RuleWithOperations = map[string]string{
+	"":           "RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.",
+	"operations": "Operations is the operations the admission hook cares about - CREATE, UPDATE, or * for all operations. If '*' is present, the length of the slice must be one. Required.",
+}
+
+func (RuleWithOperations) SwaggerDoc() map[string]string {
+	return map_RuleWithOperations
+}
+
+var map_ServiceReference = map[string]string{
+	"":          "ServiceReference holds a reference to Service.legacy.k8s.io",
+	"namespace": "Namespace is the namespace of the service Required",
+	"name":      "Name is the name of the service Required",
+}
+
+func (ServiceReference) SwaggerDoc() map[string]string {
+	return map_ServiceReference
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..9560b169
--- /dev/null
+++ b/cli/vendor/k8s.io/api/admissionregistration/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,363 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AdmissionHookClientConfig).DeepCopyInto(out.(*AdmissionHookClientConfig))
+			return nil
+		}, InType: reflect.TypeOf(&AdmissionHookClientConfig{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ExternalAdmissionHook).DeepCopyInto(out.(*ExternalAdmissionHook))
+			return nil
+		}, InType: reflect.TypeOf(&ExternalAdmissionHook{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ExternalAdmissionHookConfiguration).DeepCopyInto(out.(*ExternalAdmissionHookConfiguration))
+			return nil
+		}, InType: reflect.TypeOf(&ExternalAdmissionHookConfiguration{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ExternalAdmissionHookConfigurationList).DeepCopyInto(out.(*ExternalAdmissionHookConfigurationList))
+			return nil
+		}, InType: reflect.TypeOf(&ExternalAdmissionHookConfigurationList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Initializer).DeepCopyInto(out.(*Initializer))
+			return nil
+		}, InType: reflect.TypeOf(&Initializer{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*InitializerConfiguration).DeepCopyInto(out.(*InitializerConfiguration))
+			return nil
+		}, InType: reflect.TypeOf(&InitializerConfiguration{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*InitializerConfigurationList).DeepCopyInto(out.(*InitializerConfigurationList))
+			return nil
+		}, InType: reflect.TypeOf(&InitializerConfigurationList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Rule).DeepCopyInto(out.(*Rule))
+			return nil
+		}, InType: reflect.TypeOf(&Rule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RuleWithOperations).DeepCopyInto(out.(*RuleWithOperations))
+			return nil
+		}, InType: reflect.TypeOf(&RuleWithOperations{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ServiceReference).DeepCopyInto(out.(*ServiceReference))
+			return nil
+		}, InType: reflect.TypeOf(&ServiceReference{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionHookClientConfig) DeepCopyInto(out *AdmissionHookClientConfig) {
+	*out = *in
+	out.Service = in.Service
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionHookClientConfig.
+func (in *AdmissionHookClientConfig) DeepCopy() *AdmissionHookClientConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionHookClientConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalAdmissionHook) DeepCopyInto(out *ExternalAdmissionHook) {
+	*out = *in
+	in.ClientConfig.DeepCopyInto(&out.ClientConfig)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]RuleWithOperations, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FailurePolicy != nil {
+		in, out := &in.FailurePolicy, &out.FailurePolicy
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(FailurePolicyType)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAdmissionHook.
+func (in *ExternalAdmissionHook) DeepCopy() *ExternalAdmissionHook {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalAdmissionHook)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalAdmissionHookConfiguration) DeepCopyInto(out *ExternalAdmissionHookConfiguration) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.ExternalAdmissionHooks != nil {
+		in, out := &in.ExternalAdmissionHooks, &out.ExternalAdmissionHooks
+		*out = make([]ExternalAdmissionHook, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAdmissionHookConfiguration.
+func (in *ExternalAdmissionHookConfiguration) DeepCopy() *ExternalAdmissionHookConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalAdmissionHookConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ExternalAdmissionHookConfiguration) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalAdmissionHookConfigurationList) DeepCopyInto(out *ExternalAdmissionHookConfigurationList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ExternalAdmissionHookConfiguration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAdmissionHookConfigurationList.
+func (in *ExternalAdmissionHookConfigurationList) DeepCopy() *ExternalAdmissionHookConfigurationList {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalAdmissionHookConfigurationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ExternalAdmissionHookConfigurationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Initializer) DeepCopyInto(out *Initializer) {
+	*out = *in
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]Rule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Initializer.
+func (in *Initializer) DeepCopy() *Initializer {
+	if in == nil {
+		return nil
+	}
+	out := new(Initializer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InitializerConfiguration) DeepCopyInto(out *InitializerConfiguration) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Initializers != nil {
+		in, out := &in.Initializers, &out.Initializers
+		*out = make([]Initializer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InitializerConfiguration.
+func (in *InitializerConfiguration) DeepCopy() *InitializerConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(InitializerConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *InitializerConfiguration) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InitializerConfigurationList) DeepCopyInto(out *InitializerConfigurationList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]InitializerConfiguration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InitializerConfigurationList.
+func (in *InitializerConfigurationList) DeepCopy() *InitializerConfigurationList {
+	if in == nil {
+		return nil
+	}
+	out := new(InitializerConfigurationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *InitializerConfigurationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Rule) DeepCopyInto(out *Rule) {
+	*out = *in
+	if in.APIGroups != nil {
+		in, out := &in.APIGroups, &out.APIGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.APIVersions != nil {
+		in, out := &in.APIVersions, &out.APIVersions
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
+func (in *Rule) DeepCopy() *Rule {
+	if in == nil {
+		return nil
+	}
+	out := new(Rule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleWithOperations) DeepCopyInto(out *RuleWithOperations) {
+	*out = *in
+	if in.Operations != nil {
+		in, out := &in.Operations, &out.Operations
+		*out = make([]OperationType, len(*in))
+		copy(*out, *in)
+	}
+	in.Rule.DeepCopyInto(&out.Rule)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleWithOperations.
+func (in *RuleWithOperations) DeepCopy() *RuleWithOperations {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleWithOperations)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceReference) DeepCopyInto(out *ServiceReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceReference.
+func (in *ServiceReference) DeepCopy() *ServiceReference {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceReference)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/apps/v1beta1/doc.go b/cli/vendor/k8s.io/api/apps/v1beta1/doc.go
new file mode 100644
index 00000000..158f0000
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+package v1beta1 // import "k8s.io/api/apps/v1beta1"
diff --git a/cli/vendor/k8s.io/api/apps/v1beta1/generated.pb.go b/cli/vendor/k8s.io/api/apps/v1beta1/generated.pb.go
new file mode 100644
index 00000000..10459174
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta1/generated.pb.go
@@ -0,0 +1,4964 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/apps/v1beta1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1beta1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/apps/v1beta1/generated.proto
+
+	It has these top-level messages:
+		ControllerRevision
+		ControllerRevisionList
+		Deployment
+		DeploymentCondition
+		DeploymentList
+		DeploymentRollback
+		DeploymentSpec
+		DeploymentStatus
+		DeploymentStrategy
+		RollbackConfig
+		RollingUpdateDeployment
+		RollingUpdateStatefulSetStrategy
+		Scale
+		ScaleSpec
+		ScaleStatus
+		StatefulSet
+		StatefulSetList
+		StatefulSetSpec
+		StatefulSetStatus
+		StatefulSetUpdateStrategy
+*/
+package v1beta1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+import k8s_io_apimachinery_pkg_util_intstr "k8s.io/apimachinery/pkg/util/intstr"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *ControllerRevision) Reset()                    { *m = ControllerRevision{} }
+func (*ControllerRevision) ProtoMessage()               {}
+func (*ControllerRevision) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *ControllerRevisionList) Reset()                    { *m = ControllerRevisionList{} }
+func (*ControllerRevisionList) ProtoMessage()               {}
+func (*ControllerRevisionList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *Deployment) Reset()                    { *m = Deployment{} }
+func (*Deployment) ProtoMessage()               {}
+func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *DeploymentCondition) Reset()                    { *m = DeploymentCondition{} }
+func (*DeploymentCondition) ProtoMessage()               {}
+func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *DeploymentList) Reset()                    { *m = DeploymentList{} }
+func (*DeploymentList) ProtoMessage()               {}
+func (*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *DeploymentRollback) Reset()                    { *m = DeploymentRollback{} }
+func (*DeploymentRollback) ProtoMessage()               {}
+func (*DeploymentRollback) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func (m *DeploymentSpec) Reset()                    { *m = DeploymentSpec{} }
+func (*DeploymentSpec) ProtoMessage()               {}
+func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *DeploymentStatus) Reset()                    { *m = DeploymentStatus{} }
+func (*DeploymentStatus) ProtoMessage()               {}
+func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *DeploymentStrategy) Reset()                    { *m = DeploymentStrategy{} }
+func (*DeploymentStrategy) ProtoMessage()               {}
+func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *RollbackConfig) Reset()                    { *m = RollbackConfig{} }
+func (*RollbackConfig) ProtoMessage()               {}
+func (*RollbackConfig) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+
+func (m *RollingUpdateDeployment) Reset()      { *m = RollingUpdateDeployment{} }
+func (*RollingUpdateDeployment) ProtoMessage() {}
+func (*RollingUpdateDeployment) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{10}
+}
+
+func (m *RollingUpdateStatefulSetStrategy) Reset()      { *m = RollingUpdateStatefulSetStrategy{} }
+func (*RollingUpdateStatefulSetStrategy) ProtoMessage() {}
+func (*RollingUpdateStatefulSetStrategy) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{11}
+}
+
+func (m *Scale) Reset()                    { *m = Scale{} }
+func (*Scale) ProtoMessage()               {}
+func (*Scale) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
+
+func (m *ScaleSpec) Reset()                    { *m = ScaleSpec{} }
+func (*ScaleSpec) ProtoMessage()               {}
+func (*ScaleSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
+
+func (m *ScaleStatus) Reset()                    { *m = ScaleStatus{} }
+func (*ScaleStatus) ProtoMessage()               {}
+func (*ScaleStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
+
+func (m *StatefulSet) Reset()                    { *m = StatefulSet{} }
+func (*StatefulSet) ProtoMessage()               {}
+func (*StatefulSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
+
+func (m *StatefulSetList) Reset()                    { *m = StatefulSetList{} }
+func (*StatefulSetList) ProtoMessage()               {}
+func (*StatefulSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
+
+func (m *StatefulSetSpec) Reset()                    { *m = StatefulSetSpec{} }
+func (*StatefulSetSpec) ProtoMessage()               {}
+func (*StatefulSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
+
+func (m *StatefulSetStatus) Reset()                    { *m = StatefulSetStatus{} }
+func (*StatefulSetStatus) ProtoMessage()               {}
+func (*StatefulSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} }
+
+func (m *StatefulSetUpdateStrategy) Reset()      { *m = StatefulSetUpdateStrategy{} }
+func (*StatefulSetUpdateStrategy) ProtoMessage() {}
+func (*StatefulSetUpdateStrategy) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{19}
+}
+
+func init() {
+	proto.RegisterType((*ControllerRevision)(nil), "k8s.io.api.apps.v1beta1.ControllerRevision")
+	proto.RegisterType((*ControllerRevisionList)(nil), "k8s.io.api.apps.v1beta1.ControllerRevisionList")
+	proto.RegisterType((*Deployment)(nil), "k8s.io.api.apps.v1beta1.Deployment")
+	proto.RegisterType((*DeploymentCondition)(nil), "k8s.io.api.apps.v1beta1.DeploymentCondition")
+	proto.RegisterType((*DeploymentList)(nil), "k8s.io.api.apps.v1beta1.DeploymentList")
+	proto.RegisterType((*DeploymentRollback)(nil), "k8s.io.api.apps.v1beta1.DeploymentRollback")
+	proto.RegisterType((*DeploymentSpec)(nil), "k8s.io.api.apps.v1beta1.DeploymentSpec")
+	proto.RegisterType((*DeploymentStatus)(nil), "k8s.io.api.apps.v1beta1.DeploymentStatus")
+	proto.RegisterType((*DeploymentStrategy)(nil), "k8s.io.api.apps.v1beta1.DeploymentStrategy")
+	proto.RegisterType((*RollbackConfig)(nil), "k8s.io.api.apps.v1beta1.RollbackConfig")
+	proto.RegisterType((*RollingUpdateDeployment)(nil), "k8s.io.api.apps.v1beta1.RollingUpdateDeployment")
+	proto.RegisterType((*RollingUpdateStatefulSetStrategy)(nil), "k8s.io.api.apps.v1beta1.RollingUpdateStatefulSetStrategy")
+	proto.RegisterType((*Scale)(nil), "k8s.io.api.apps.v1beta1.Scale")
+	proto.RegisterType((*ScaleSpec)(nil), "k8s.io.api.apps.v1beta1.ScaleSpec")
+	proto.RegisterType((*ScaleStatus)(nil), "k8s.io.api.apps.v1beta1.ScaleStatus")
+	proto.RegisterType((*StatefulSet)(nil), "k8s.io.api.apps.v1beta1.StatefulSet")
+	proto.RegisterType((*StatefulSetList)(nil), "k8s.io.api.apps.v1beta1.StatefulSetList")
+	proto.RegisterType((*StatefulSetSpec)(nil), "k8s.io.api.apps.v1beta1.StatefulSetSpec")
+	proto.RegisterType((*StatefulSetStatus)(nil), "k8s.io.api.apps.v1beta1.StatefulSetStatus")
+	proto.RegisterType((*StatefulSetUpdateStrategy)(nil), "k8s.io.api.apps.v1beta1.StatefulSetUpdateStrategy")
+}
+func (m *ControllerRevision) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ControllerRevision) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Data.Size()))
+	n2, err := m.Data.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Revision))
+	return i, nil
+}
+
+func (m *ControllerRevisionList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ControllerRevisionList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n3, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *Deployment) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Deployment) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n4, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n5, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n6, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	return i, nil
+}
+
+func (m *DeploymentCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastUpdateTime.Size()))
+	n7, err := m.LastUpdateTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n7
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n8, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n8
+	return i, nil
+}
+
+func (m *DeploymentList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n9, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *DeploymentRollback) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentRollback) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	if len(m.UpdatedAnnotations) > 0 {
+		keysForUpdatedAnnotations := make([]string, 0, len(m.UpdatedAnnotations))
+		for k := range m.UpdatedAnnotations {
+			keysForUpdatedAnnotations = append(keysForUpdatedAnnotations, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForUpdatedAnnotations)
+		for _, k := range keysForUpdatedAnnotations {
+			dAtA[i] = 0x12
+			i++
+			v := m.UpdatedAnnotations[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RollbackTo.Size()))
+	n10, err := m.RollbackTo.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	return i, nil
+}
+
+func (m *DeploymentSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n11, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n11
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n12, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n12
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Strategy.Size()))
+	n13, err := m.Strategy.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n13
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MinReadySeconds))
+	if m.RevisionHistoryLimit != nil {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.RevisionHistoryLimit))
+	}
+	dAtA[i] = 0x38
+	i++
+	if m.Paused {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.RollbackTo != nil {
+		dAtA[i] = 0x42
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RollbackTo.Size()))
+		n14, err := m.RollbackTo.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n14
+	}
+	if m.ProgressDeadlineSeconds != nil {
+		dAtA[i] = 0x48
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.ProgressDeadlineSeconds))
+	}
+	return i, nil
+}
+
+func (m *DeploymentStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdatedReplicas))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.AvailableReplicas))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UnavailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x32
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x38
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ReadyReplicas))
+	if m.CollisionCount != nil {
+		dAtA[i] = 0x40
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.CollisionCount))
+	}
+	return i, nil
+}
+
+func (m *DeploymentStrategy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentStrategy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.RollingUpdate != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RollingUpdate.Size()))
+		n15, err := m.RollingUpdate.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n15
+	}
+	return i, nil
+}
+
+func (m *RollbackConfig) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RollbackConfig) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Revision))
+	return i, nil
+}
+
+func (m *RollingUpdateDeployment) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RollingUpdateDeployment) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.MaxUnavailable != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.MaxUnavailable.Size()))
+		n16, err := m.MaxUnavailable.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n16
+	}
+	if m.MaxSurge != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.MaxSurge.Size()))
+		n17, err := m.MaxSurge.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n17
+	}
+	return i, nil
+}
+
+func (m *RollingUpdateStatefulSetStrategy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RollingUpdateStatefulSetStrategy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Partition != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Partition))
+	}
+	return i, nil
+}
+
+func (m *Scale) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Scale) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n18, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n18
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n19, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n19
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n20, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n20
+	return i, nil
+}
+
+func (m *ScaleSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ScaleSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	return i, nil
+}
+
+func (m *ScaleStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ScaleStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	if len(m.Selector) > 0 {
+		keysForSelector := make([]string, 0, len(m.Selector))
+		for k := range m.Selector {
+			keysForSelector = append(keysForSelector, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		for _, k := range keysForSelector {
+			dAtA[i] = 0x12
+			i++
+			v := m.Selector[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.TargetSelector)))
+	i += copy(dAtA[i:], m.TargetSelector)
+	return i, nil
+}
+
+func (m *StatefulSet) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatefulSet) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n21, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n21
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n22, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n22
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n23, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n23
+	return i, nil
+}
+
+func (m *StatefulSetList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatefulSetList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n24, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n24
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *StatefulSetSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatefulSetSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n25, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n25
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n26, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n26
+	if len(m.VolumeClaimTemplates) > 0 {
+		for _, msg := range m.VolumeClaimTemplates {
+			dAtA[i] = 0x22
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ServiceName)))
+	i += copy(dAtA[i:], m.ServiceName)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PodManagementPolicy)))
+	i += copy(dAtA[i:], m.PodManagementPolicy)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdateStrategy.Size()))
+	n27, err := m.UpdateStrategy.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n27
+	if m.RevisionHistoryLimit != nil {
+		dAtA[i] = 0x40
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.RevisionHistoryLimit))
+	}
+	return i, nil
+}
+
+func (m *StatefulSetStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatefulSetStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.ObservedGeneration != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.ObservedGeneration))
+	}
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ReadyReplicas))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentReplicas))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdatedReplicas))
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.CurrentRevision)))
+	i += copy(dAtA[i:], m.CurrentRevision)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UpdateRevision)))
+	i += copy(dAtA[i:], m.UpdateRevision)
+	if m.CollisionCount != nil {
+		dAtA[i] = 0x48
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.CollisionCount))
+	}
+	return i, nil
+}
+
+func (m *StatefulSetUpdateStrategy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatefulSetUpdateStrategy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.RollingUpdate != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RollingUpdate.Size()))
+		n28, err := m.RollingUpdate.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n28
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *ControllerRevision) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Data.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Revision))
+	return n
+}
+
+func (m *ControllerRevisionList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Deployment) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DeploymentCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastUpdateTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DeploymentList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DeploymentRollback) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.UpdatedAnnotations) > 0 {
+		for k, v := range m.UpdatedAnnotations {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = m.RollbackTo.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DeploymentSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		n += 1 + sovGenerated(uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Strategy.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.MinReadySeconds))
+	if m.RevisionHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.RevisionHistoryLimit))
+	}
+	n += 2
+	if m.RollbackTo != nil {
+		l = m.RollbackTo.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ProgressDeadlineSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.ProgressDeadlineSeconds))
+	}
+	return n
+}
+
+func (m *DeploymentStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	n += 1 + sovGenerated(uint64(m.UpdatedReplicas))
+	n += 1 + sovGenerated(uint64(m.AvailableReplicas))
+	n += 1 + sovGenerated(uint64(m.UnavailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	n += 1 + sovGenerated(uint64(m.ReadyReplicas))
+	if m.CollisionCount != nil {
+		n += 1 + sovGenerated(uint64(*m.CollisionCount))
+	}
+	return n
+}
+
+func (m *DeploymentStrategy) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.RollingUpdate != nil {
+		l = m.RollingUpdate.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *RollbackConfig) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Revision))
+	return n
+}
+
+func (m *RollingUpdateDeployment) Size() (n int) {
+	var l int
+	_ = l
+	if m.MaxUnavailable != nil {
+		l = m.MaxUnavailable.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.MaxSurge != nil {
+		l = m.MaxSurge.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *RollingUpdateStatefulSetStrategy) Size() (n int) {
+	var l int
+	_ = l
+	if m.Partition != nil {
+		n += 1 + sovGenerated(uint64(*m.Partition))
+	}
+	return n
+}
+
+func (m *Scale) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ScaleSpec) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	return n
+}
+
+func (m *ScaleStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	if len(m.Selector) > 0 {
+		for k, v := range m.Selector {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.TargetSelector)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *StatefulSet) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *StatefulSetList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *StatefulSetSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		n += 1 + sovGenerated(uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.VolumeClaimTemplates) > 0 {
+		for _, e := range m.VolumeClaimTemplates {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.ServiceName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.PodManagementPolicy)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.UpdateStrategy.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.RevisionHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.RevisionHistoryLimit))
+	}
+	return n
+}
+
+func (m *StatefulSetStatus) Size() (n int) {
+	var l int
+	_ = l
+	if m.ObservedGeneration != nil {
+		n += 1 + sovGenerated(uint64(*m.ObservedGeneration))
+	}
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	n += 1 + sovGenerated(uint64(m.ReadyReplicas))
+	n += 1 + sovGenerated(uint64(m.CurrentReplicas))
+	n += 1 + sovGenerated(uint64(m.UpdatedReplicas))
+	l = len(m.CurrentRevision)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.UpdateRevision)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.CollisionCount != nil {
+		n += 1 + sovGenerated(uint64(*m.CollisionCount))
+	}
+	return n
+}
+
+func (m *StatefulSetUpdateStrategy) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.RollingUpdate != nil {
+		l = m.RollingUpdate.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *ControllerRevision) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ControllerRevision{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Data:` + strings.Replace(strings.Replace(this.Data.String(), "RawExtension", "k8s_io_apimachinery_pkg_runtime.RawExtension", 1), `&`, ``, 1) + `,`,
+		`Revision:` + fmt.Sprintf("%v", this.Revision) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ControllerRevisionList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ControllerRevisionList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ControllerRevision", "ControllerRevision", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Deployment) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Deployment{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "DeploymentSpec", "DeploymentSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "DeploymentStatus", "DeploymentStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`LastUpdateTime:` + strings.Replace(strings.Replace(this.LastUpdateTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Deployment", "Deployment", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentRollback) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForUpdatedAnnotations := make([]string, 0, len(this.UpdatedAnnotations))
+	for k := range this.UpdatedAnnotations {
+		keysForUpdatedAnnotations = append(keysForUpdatedAnnotations, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForUpdatedAnnotations)
+	mapStringForUpdatedAnnotations := "map[string]string{"
+	for _, k := range keysForUpdatedAnnotations {
+		mapStringForUpdatedAnnotations += fmt.Sprintf("%v: %v,", k, this.UpdatedAnnotations[k])
+	}
+	mapStringForUpdatedAnnotations += "}"
+	s := strings.Join([]string{`&DeploymentRollback{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`UpdatedAnnotations:` + mapStringForUpdatedAnnotations + `,`,
+		`RollbackTo:` + strings.Replace(strings.Replace(this.RollbackTo.String(), "RollbackConfig", "RollbackConfig", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentSpec{`,
+		`Replicas:` + valueToStringGenerated(this.Replicas) + `,`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "k8s_io_api_core_v1.PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`Strategy:` + strings.Replace(strings.Replace(this.Strategy.String(), "DeploymentStrategy", "DeploymentStrategy", 1), `&`, ``, 1) + `,`,
+		`MinReadySeconds:` + fmt.Sprintf("%v", this.MinReadySeconds) + `,`,
+		`RevisionHistoryLimit:` + valueToStringGenerated(this.RevisionHistoryLimit) + `,`,
+		`Paused:` + fmt.Sprintf("%v", this.Paused) + `,`,
+		`RollbackTo:` + strings.Replace(fmt.Sprintf("%v", this.RollbackTo), "RollbackConfig", "RollbackConfig", 1) + `,`,
+		`ProgressDeadlineSeconds:` + valueToStringGenerated(this.ProgressDeadlineSeconds) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentStatus{`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`UpdatedReplicas:` + fmt.Sprintf("%v", this.UpdatedReplicas) + `,`,
+		`AvailableReplicas:` + fmt.Sprintf("%v", this.AvailableReplicas) + `,`,
+		`UnavailableReplicas:` + fmt.Sprintf("%v", this.UnavailableReplicas) + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "DeploymentCondition", "DeploymentCondition", 1), `&`, ``, 1) + `,`,
+		`ReadyReplicas:` + fmt.Sprintf("%v", this.ReadyReplicas) + `,`,
+		`CollisionCount:` + valueToStringGenerated(this.CollisionCount) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentStrategy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentStrategy{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`RollingUpdate:` + strings.Replace(fmt.Sprintf("%v", this.RollingUpdate), "RollingUpdateDeployment", "RollingUpdateDeployment", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RollbackConfig) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RollbackConfig{`,
+		`Revision:` + fmt.Sprintf("%v", this.Revision) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RollingUpdateDeployment) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RollingUpdateDeployment{`,
+		`MaxUnavailable:` + strings.Replace(fmt.Sprintf("%v", this.MaxUnavailable), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`MaxSurge:` + strings.Replace(fmt.Sprintf("%v", this.MaxSurge), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RollingUpdateStatefulSetStrategy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RollingUpdateStatefulSetStrategy{`,
+		`Partition:` + valueToStringGenerated(this.Partition) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Scale) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Scale{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ScaleSpec", "ScaleSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "ScaleStatus", "ScaleStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ScaleSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ScaleSpec{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ScaleStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForSelector := make([]string, 0, len(this.Selector))
+	for k := range this.Selector {
+		keysForSelector = append(keysForSelector, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	mapStringForSelector := "map[string]string{"
+	for _, k := range keysForSelector {
+		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
+	}
+	mapStringForSelector += "}"
+	s := strings.Join([]string{`&ScaleStatus{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`Selector:` + mapStringForSelector + `,`,
+		`TargetSelector:` + fmt.Sprintf("%v", this.TargetSelector) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatefulSet) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatefulSet{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "StatefulSetSpec", "StatefulSetSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "StatefulSetStatus", "StatefulSetStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatefulSetList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatefulSetList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "StatefulSet", "StatefulSet", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatefulSetSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatefulSetSpec{`,
+		`Replicas:` + valueToStringGenerated(this.Replicas) + `,`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "k8s_io_api_core_v1.PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`VolumeClaimTemplates:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.VolumeClaimTemplates), "PersistentVolumeClaim", "k8s_io_api_core_v1.PersistentVolumeClaim", 1), `&`, ``, 1) + `,`,
+		`ServiceName:` + fmt.Sprintf("%v", this.ServiceName) + `,`,
+		`PodManagementPolicy:` + fmt.Sprintf("%v", this.PodManagementPolicy) + `,`,
+		`UpdateStrategy:` + strings.Replace(strings.Replace(this.UpdateStrategy.String(), "StatefulSetUpdateStrategy", "StatefulSetUpdateStrategy", 1), `&`, ``, 1) + `,`,
+		`RevisionHistoryLimit:` + valueToStringGenerated(this.RevisionHistoryLimit) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatefulSetStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatefulSetStatus{`,
+		`ObservedGeneration:` + valueToStringGenerated(this.ObservedGeneration) + `,`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`ReadyReplicas:` + fmt.Sprintf("%v", this.ReadyReplicas) + `,`,
+		`CurrentReplicas:` + fmt.Sprintf("%v", this.CurrentReplicas) + `,`,
+		`UpdatedReplicas:` + fmt.Sprintf("%v", this.UpdatedReplicas) + `,`,
+		`CurrentRevision:` + fmt.Sprintf("%v", this.CurrentRevision) + `,`,
+		`UpdateRevision:` + fmt.Sprintf("%v", this.UpdateRevision) + `,`,
+		`CollisionCount:` + valueToStringGenerated(this.CollisionCount) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatefulSetUpdateStrategy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatefulSetUpdateStrategy{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`RollingUpdate:` + strings.Replace(fmt.Sprintf("%v", this.RollingUpdate), "RollingUpdateStatefulSetStrategy", "RollingUpdateStatefulSetStrategy", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *ControllerRevision) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ControllerRevision: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ControllerRevision: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Data.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Revision", wireType)
+			}
+			m.Revision = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Revision |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ControllerRevisionList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ControllerRevisionList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ControllerRevisionList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ControllerRevision{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Deployment) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Deployment: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Deployment: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = DeploymentConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastUpdateTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastUpdateTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Deployment{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentRollback) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentRollback: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentRollback: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdatedAnnotations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.UpdatedAnnotations == nil {
+				m.UpdatedAnnotations = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.UpdatedAnnotations[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.UpdatedAnnotations[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollbackTo", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.RollbackTo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Replicas = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Strategy", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Strategy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinReadySeconds", wireType)
+			}
+			m.MinReadySeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MinReadySeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RevisionHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.RevisionHistoryLimit = &v
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Paused", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Paused = bool(v != 0)
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollbackTo", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RollbackTo == nil {
+				m.RollbackTo = &RollbackConfig{}
+			}
+			if err := m.RollbackTo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ProgressDeadlineSeconds", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ProgressDeadlineSeconds = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdatedReplicas", wireType)
+			}
+			m.UpdatedReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UpdatedReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AvailableReplicas", wireType)
+			}
+			m.AvailableReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.AvailableReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UnavailableReplicas", wireType)
+			}
+			m.UnavailableReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UnavailableReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, DeploymentCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadyReplicas", wireType)
+			}
+			m.ReadyReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ReadyReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CollisionCount", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.CollisionCount = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentStrategy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentStrategy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentStrategy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = DeploymentStrategyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollingUpdate", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RollingUpdate == nil {
+				m.RollingUpdate = &RollingUpdateDeployment{}
+			}
+			if err := m.RollingUpdate.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RollbackConfig) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RollbackConfig: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RollbackConfig: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Revision", wireType)
+			}
+			m.Revision = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Revision |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RollingUpdateDeployment) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RollingUpdateDeployment: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RollingUpdateDeployment: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxUnavailable", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.MaxUnavailable == nil {
+				m.MaxUnavailable = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.MaxUnavailable.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxSurge", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.MaxSurge == nil {
+				m.MaxSurge = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.MaxSurge.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RollingUpdateStatefulSetStrategy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RollingUpdateStatefulSetStrategy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RollingUpdateStatefulSetStrategy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Partition", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Partition = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Scale) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Scale: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Scale: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ScaleSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ScaleSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ScaleSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ScaleStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ScaleStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ScaleStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Selector == nil {
+				m.Selector = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Selector[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Selector[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetSelector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TargetSelector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatefulSet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatefulSet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatefulSet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatefulSetList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatefulSetList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatefulSetList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, StatefulSet{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatefulSetSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatefulSetSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatefulSetSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Replicas = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeClaimTemplates", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeClaimTemplates = append(m.VolumeClaimTemplates, k8s_io_api_core_v1.PersistentVolumeClaim{})
+			if err := m.VolumeClaimTemplates[len(m.VolumeClaimTemplates)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServiceName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ServiceName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodManagementPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PodManagementPolicy = PodManagementPolicyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdateStrategy", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.UpdateStrategy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RevisionHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.RevisionHistoryLimit = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatefulSetStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatefulSetStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatefulSetStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ObservedGeneration = &v
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadyReplicas", wireType)
+			}
+			m.ReadyReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ReadyReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentReplicas", wireType)
+			}
+			m.CurrentReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.CurrentReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdatedReplicas", wireType)
+			}
+			m.UpdatedReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UpdatedReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentRevision", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.CurrentRevision = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdateRevision", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UpdateRevision = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CollisionCount", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.CollisionCount = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatefulSetUpdateStrategy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatefulSetUpdateStrategy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatefulSetUpdateStrategy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = StatefulSetUpdateStrategyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollingUpdate", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RollingUpdate == nil {
+				m.RollingUpdate = &RollingUpdateStatefulSetStrategy{}
+			}
+			if err := m.RollingUpdate.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/apps/v1beta1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 1820 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x58, 0x4b, 0x6f, 0x1b, 0xc9,
+	0x11, 0xd6, 0x50, 0xa4, 0x44, 0xb6, 0x56, 0x94, 0xd5, 0x52, 0x24, 0xae, 0x36, 0xa1, 0x04, 0x66,
+	0xb1, 0x2b, 0xef, 0xae, 0x86, 0x6b, 0xd9, 0x31, 0xfc, 0x00, 0x8c, 0x88, 0x94, 0x63, 0xcb, 0x90,
+	0x22, 0xb9, 0x29, 0x39, 0x88, 0x93, 0x00, 0x6e, 0x0e, 0xdb, 0xd4, 0x58, 0xf3, 0xc2, 0x4c, 0x0f,
+	0x63, 0x22, 0x97, 0xdc, 0x13, 0xc0, 0x39, 0xe7, 0x57, 0xe4, 0x18, 0x24, 0xb7, 0x9c, 0x74, 0x09,
+	0x60, 0xe4, 0x12, 0x9f, 0x84, 0x98, 0xbe, 0xe6, 0x9a, 0x8b, 0x81, 0x00, 0x41, 0xf7, 0xf4, 0xbc,
+	0x67, 0x24, 0x2a, 0x40, 0x74, 0xc8, 0x8d, 0xd3, 0x55, 0xf5, 0x55, 0x75, 0x77, 0x75, 0xd5, 0x57,
+	0x04, 0x3f, 0x3c, 0xb9, 0xe3, 0xc8, 0xaa, 0xd9, 0x3c, 0x71, 0xbb, 0xc4, 0x36, 0x08, 0x25, 0x4e,
+	0x73, 0x40, 0x8c, 0x9e, 0x69, 0x37, 0x85, 0x00, 0x5b, 0x6a, 0x13, 0x5b, 0x96, 0xd3, 0x1c, 0xdc,
+	0xe8, 0x12, 0x8a, 0x6f, 0x34, 0xfb, 0xc4, 0x20, 0x36, 0xa6, 0xa4, 0x27, 0x5b, 0xb6, 0x49, 0x4d,
+	0xb8, 0xec, 0x29, 0xca, 0xd8, 0x52, 0x65, 0xa6, 0x28, 0x0b, 0xc5, 0x95, 0x8d, 0xbe, 0x4a, 0x8f,
+	0xdd, 0xae, 0xac, 0x98, 0x7a, 0xb3, 0x6f, 0xf6, 0xcd, 0x26, 0xd7, 0xef, 0xba, 0x2f, 0xf9, 0x17,
+	0xff, 0xe0, 0xbf, 0x3c, 0x9c, 0x95, 0x46, 0xc4, 0xa1, 0x62, 0xda, 0xa4, 0x39, 0x48, 0xf9, 0x5a,
+	0xb9, 0x1e, 0xd1, 0xb1, 0x4c, 0x4d, 0x55, 0x86, 0x79, 0x61, 0xad, 0xdc, 0x0a, 0x55, 0x75, 0xac,
+	0x1c, 0xab, 0x06, 0xb1, 0x87, 0x4d, 0xeb, 0xa4, 0xcf, 0x16, 0x9c, 0xa6, 0x4e, 0x28, 0xce, 0x72,
+	0xd0, 0xcc, 0xb3, 0xb2, 0x5d, 0x83, 0xaa, 0x3a, 0x49, 0x19, 0xdc, 0xbe, 0xc8, 0xc0, 0x51, 0x8e,
+	0x89, 0x8e, 0x53, 0x76, 0x37, 0xf3, 0xec, 0x5c, 0xaa, 0x6a, 0x4d, 0xd5, 0xa0, 0x0e, 0xb5, 0x93,
+	0x46, 0x8d, 0x7f, 0x49, 0x00, 0xb6, 0x4d, 0x83, 0xda, 0xa6, 0xa6, 0x11, 0x1b, 0x91, 0x81, 0xea,
+	0xa8, 0xa6, 0x01, 0x5f, 0x80, 0x32, 0xdb, 0x4f, 0x0f, 0x53, 0x5c, 0x93, 0xd6, 0xa4, 0xf5, 0x99,
+	0xcd, 0x6f, 0xe5, 0xf0, 0x52, 0x02, 0x78, 0xd9, 0x3a, 0xe9, 0xb3, 0x05, 0x47, 0x66, 0xda, 0xf2,
+	0xe0, 0x86, 0xbc, 0xdf, 0x7d, 0x45, 0x14, 0xba, 0x47, 0x28, 0x6e, 0xc1, 0xd3, 0xb3, 0xd5, 0x89,
+	0xd1, 0xd9, 0x2a, 0x08, 0xd7, 0x50, 0x80, 0x0a, 0xf7, 0x41, 0x91, 0xa3, 0x17, 0x38, 0xfa, 0x46,
+	0x2e, 0xba, 0xd8, 0xb4, 0x8c, 0xf0, 0x2f, 0x1f, 0xbe, 0xa6, 0xc4, 0x60, 0xe1, 0xb5, 0x3e, 0x11,
+	0xd0, 0xc5, 0x6d, 0x4c, 0x31, 0xe2, 0x40, 0xf0, 0x1b, 0x50, 0xb6, 0x45, 0xf8, 0xb5, 0xc9, 0x35,
+	0x69, 0x7d, 0xb2, 0x75, 0x4d, 0x68, 0x95, 0xfd, 0x6d, 0xa1, 0x40, 0xa3, 0x71, 0x2a, 0x81, 0xa5,
+	0xf4, 0xbe, 0x77, 0x55, 0x87, 0xc2, 0x9f, 0xa7, 0xf6, 0x2e, 0x8f, 0xb7, 0x77, 0x66, 0xcd, 0x77,
+	0x1e, 0x38, 0xf6, 0x57, 0x22, 0xfb, 0x3e, 0x00, 0x25, 0x95, 0x12, 0xdd, 0xa9, 0x15, 0xd6, 0x26,
+	0xd7, 0x67, 0x36, 0xbf, 0x96, 0x73, 0x72, 0x5d, 0x4e, 0x47, 0xd7, 0x9a, 0x15, 0xb8, 0xa5, 0x1d,
+	0x86, 0x80, 0x3c, 0xa0, 0xc6, 0x6f, 0x0b, 0x00, 0x6c, 0x13, 0x4b, 0x33, 0x87, 0x3a, 0x31, 0xe8,
+	0x15, 0x5c, 0xdd, 0x0e, 0x28, 0x3a, 0x16, 0x51, 0xc4, 0xd5, 0x7d, 0x99, 0xbb, 0x83, 0x30, 0xa8,
+	0x8e, 0x45, 0x94, 0xf0, 0xd2, 0xd8, 0x17, 0xe2, 0x10, 0xf0, 0x29, 0x98, 0x72, 0x28, 0xa6, 0xae,
+	0xc3, 0xaf, 0x6c, 0x66, 0xf3, 0xfa, 0x38, 0x60, 0xdc, 0xa0, 0x55, 0x15, 0x70, 0x53, 0xde, 0x37,
+	0x12, 0x40, 0x8d, 0xbf, 0x4f, 0x82, 0x85, 0x50, 0xb9, 0x6d, 0x1a, 0x3d, 0x95, 0xb2, 0x94, 0xbe,
+	0x0f, 0x8a, 0x74, 0x68, 0x11, 0x7e, 0x26, 0x95, 0xd6, 0x97, 0x7e, 0x30, 0x87, 0x43, 0x8b, 0x7c,
+	0x3c, 0x5b, 0x5d, 0xce, 0x30, 0x61, 0x22, 0xc4, 0x8d, 0xe0, 0x6e, 0x10, 0x67, 0x81, 0x9b, 0xdf,
+	0x8a, 0x3b, 0xff, 0x78, 0xb6, 0x9a, 0x51, 0x6b, 0xe4, 0x00, 0x29, 0x1e, 0x22, 0xfc, 0x02, 0x4c,
+	0xd9, 0x04, 0x3b, 0xa6, 0x51, 0x2b, 0x72, 0xb4, 0x60, 0x2b, 0x88, 0xaf, 0x22, 0x21, 0x85, 0xd7,
+	0xc1, 0xb4, 0x4e, 0x1c, 0x07, 0xf7, 0x49, 0xad, 0xc4, 0x15, 0xe7, 0x84, 0xe2, 0xf4, 0x9e, 0xb7,
+	0x8c, 0x7c, 0x39, 0x7c, 0x05, 0xaa, 0x1a, 0x76, 0xe8, 0x91, 0xd5, 0xc3, 0x94, 0x1c, 0xaa, 0x3a,
+	0xa9, 0x4d, 0xf1, 0x03, 0xfd, 0x6a, 0xbc, 0xbb, 0x67, 0x16, 0xad, 0x25, 0x81, 0x5e, 0xdd, 0x8d,
+	0x21, 0xa1, 0x04, 0x32, 0x1c, 0x00, 0xc8, 0x56, 0x0e, 0x6d, 0x6c, 0x38, 0xde, 0x41, 0x31, 0x7f,
+	0xd3, 0x97, 0xf6, 0xb7, 0x22, 0xfc, 0xc1, 0xdd, 0x14, 0x1a, 0xca, 0xf0, 0xd0, 0xf8, 0xa3, 0x04,
+	0xaa, 0xe1, 0x35, 0x5d, 0xc1, 0x5b, 0x7d, 0x1c, 0x7f, 0xab, 0xdf, 0x1f, 0x23, 0x39, 0x73, 0xde,
+	0xe8, 0x3f, 0x0b, 0x00, 0x86, 0x4a, 0xc8, 0xd4, 0xb4, 0x2e, 0x56, 0x4e, 0xe0, 0x1a, 0x28, 0x1a,
+	0x58, 0xf7, 0x73, 0x32, 0x78, 0x20, 0x3f, 0xc6, 0x3a, 0x41, 0x5c, 0x02, 0xdf, 0x48, 0x00, 0xba,
+	0xfc, 0xe8, 0x7b, 0x5b, 0x86, 0x61, 0x52, 0xcc, 0x4e, 0xc3, 0x0f, 0xa8, 0x3d, 0x46, 0x40, 0xbe,
+	0x2f, 0xf9, 0x28, 0x85, 0xf2, 0xd0, 0xa0, 0xf6, 0x30, 0xbc, 0x85, 0xb4, 0x02, 0xca, 0x70, 0x0d,
+	0x7f, 0x06, 0x80, 0x2d, 0x30, 0x0f, 0x4d, 0xf1, 0x6c, 0xf3, 0x6b, 0x80, 0xef, 0xbe, 0x6d, 0x1a,
+	0x2f, 0xd5, 0x7e, 0x58, 0x58, 0x50, 0x00, 0x81, 0x22, 0x70, 0x2b, 0x0f, 0xc1, 0x72, 0x4e, 0x9c,
+	0xf0, 0x1a, 0x98, 0x3c, 0x21, 0x43, 0xef, 0xa8, 0x10, 0xfb, 0x09, 0x17, 0x41, 0x69, 0x80, 0x35,
+	0x97, 0x78, 0x6f, 0x12, 0x79, 0x1f, 0xf7, 0x0a, 0x77, 0xa4, 0xc6, 0x1f, 0x4a, 0xd1, 0x4c, 0x61,
+	0xf5, 0x06, 0xae, 0xb3, 0xf6, 0x60, 0x69, 0xaa, 0x82, 0x1d, 0x8e, 0x51, 0x6a, 0x7d, 0xe2, 0xb5,
+	0x06, 0x6f, 0x0d, 0x05, 0x52, 0xf8, 0x0b, 0x50, 0x76, 0x88, 0x46, 0x14, 0x6a, 0xda, 0xa2, 0xc4,
+	0xdd, 0x1c, 0x33, 0xa7, 0x70, 0x97, 0x68, 0x1d, 0x61, 0xea, 0xc1, 0xfb, 0x5f, 0x28, 0x80, 0x84,
+	0x4f, 0x41, 0x99, 0x12, 0xdd, 0xd2, 0x30, 0x25, 0xe2, 0xf4, 0x62, 0x79, 0xc5, 0x6a, 0x07, 0x03,
+	0x3b, 0x30, 0x7b, 0x87, 0x42, 0x8d, 0x57, 0xcf, 0x20, 0x4f, 0xfd, 0x55, 0x14, 0xc0, 0xc0, 0x9f,
+	0x82, 0xb2, 0x43, 0x59, 0x57, 0xef, 0x0f, 0x79, 0x45, 0x39, 0xaf, 0xad, 0x44, 0xeb, 0xa8, 0x67,
+	0x12, 0x42, 0xfb, 0x2b, 0x28, 0x80, 0x83, 0x5b, 0x60, 0x4e, 0x57, 0x0d, 0x44, 0x70, 0x6f, 0xd8,
+	0x21, 0x8a, 0x69, 0xf4, 0x1c, 0x5e, 0x8a, 0x4a, 0xad, 0x65, 0x61, 0x34, 0xb7, 0x17, 0x17, 0xa3,
+	0xa4, 0x3e, 0xdc, 0x05, 0x8b, 0x7e, 0xdb, 0x7d, 0xac, 0x3a, 0xd4, 0xb4, 0x87, 0xbb, 0xaa, 0xae,
+	0x52, 0x5e, 0xa0, 0x4a, 0xad, 0xda, 0xe8, 0x6c, 0x75, 0x11, 0x65, 0xc8, 0x51, 0xa6, 0x15, 0xab,
+	0x9d, 0x16, 0x76, 0x1d, 0xd2, 0xe3, 0x05, 0xa7, 0x1c, 0xd6, 0xce, 0x03, 0xbe, 0x8a, 0x84, 0x14,
+	0xfe, 0x24, 0x96, 0xa6, 0xe5, 0xcb, 0xa5, 0x69, 0x35, 0x3f, 0x45, 0xe1, 0x11, 0x58, 0xb6, 0x6c,
+	0xb3, 0x6f, 0x13, 0xc7, 0xd9, 0x26, 0xb8, 0xa7, 0xa9, 0x06, 0xf1, 0x4f, 0xa6, 0xc2, 0x77, 0xf4,
+	0xd9, 0xe8, 0x6c, 0x75, 0xf9, 0x20, 0x5b, 0x05, 0xe5, 0xd9, 0x36, 0xfe, 0x52, 0x04, 0xd7, 0x92,
+	0x3d, 0x0e, 0x3e, 0x01, 0xd0, 0xec, 0x3a, 0xc4, 0x1e, 0x90, 0xde, 0x23, 0x8f, 0xb8, 0x31, 0x76,
+	0x23, 0x71, 0x76, 0x13, 0xbc, 0xdb, 0xfd, 0x94, 0x06, 0xca, 0xb0, 0xf2, 0xf8, 0x91, 0x78, 0x00,
+	0x05, 0x1e, 0x68, 0x84, 0x1f, 0xa5, 0x1e, 0xc1, 0x16, 0x98, 0x13, 0x6f, 0xdf, 0x17, 0xf2, 0x64,
+	0x8d, 0xdc, 0xfb, 0x51, 0x5c, 0x8c, 0x92, 0xfa, 0xf0, 0x11, 0x98, 0xc7, 0x03, 0xac, 0x6a, 0xb8,
+	0xab, 0x91, 0x00, 0xa4, 0xc8, 0x41, 0x3e, 0x15, 0x20, 0xf3, 0x5b, 0x49, 0x05, 0x94, 0xb6, 0x81,
+	0x7b, 0x60, 0xc1, 0x35, 0xd2, 0x50, 0x5e, 0x1e, 0x7e, 0x26, 0xa0, 0x16, 0x8e, 0xd2, 0x2a, 0x28,
+	0xcb, 0x0e, 0xbe, 0x00, 0x40, 0xf1, 0x1b, 0xb3, 0x53, 0x9b, 0xe2, 0x95, 0xf4, 0x9b, 0x31, 0xde,
+	0x4b, 0xd0, 0xcd, 0xc3, 0x2a, 0x16, 0x2c, 0x39, 0x28, 0x82, 0x09, 0xef, 0x83, 0x59, 0x9b, 0xbd,
+	0x80, 0x20, 0xd4, 0x69, 0x1e, 0xea, 0x77, 0x84, 0xd9, 0x2c, 0x8a, 0x0a, 0x51, 0x5c, 0x17, 0xde,
+	0x03, 0x55, 0xc5, 0xd4, 0x34, 0x9e, 0xf9, 0x6d, 0xd3, 0x35, 0x28, 0x4f, 0xde, 0x52, 0x0b, 0xb2,
+	0xce, 0xdc, 0x8e, 0x49, 0x50, 0x42, 0xb3, 0xf1, 0x67, 0x29, 0xda, 0x66, 0xfc, 0xe7, 0x0c, 0xef,
+	0xc5, 0xa8, 0xcf, 0x17, 0x09, 0xea, 0xb3, 0x94, 0xb6, 0x88, 0x30, 0x1f, 0x15, 0xcc, 0xb2, 0xe4,
+	0x57, 0x8d, 0xbe, 0x77, 0xe1, 0xa2, 0x24, 0x7e, 0x7b, 0xee, 0x53, 0x0a, 0xb4, 0x23, 0x8d, 0x71,
+	0x9e, 0xef, 0x3c, 0x2a, 0x44, 0x71, 0xe4, 0xc6, 0x03, 0x50, 0x8d, 0xbf, 0xc3, 0x18, 0xa7, 0x97,
+	0x2e, 0xe4, 0xf4, 0x1f, 0x24, 0xb0, 0x9c, 0xe3, 0x1d, 0x6a, 0xa0, 0xaa, 0xe3, 0xd7, 0x91, 0x1c,
+	0xb9, 0x90, 0x1b, 0xb3, 0xa9, 0x49, 0xf6, 0xa6, 0x26, 0x79, 0xc7, 0xa0, 0xfb, 0x76, 0x87, 0xda,
+	0xaa, 0xd1, 0xf7, 0xee, 0x61, 0x2f, 0x86, 0x85, 0x12, 0xd8, 0xf0, 0x39, 0x28, 0xeb, 0xf8, 0x75,
+	0xc7, 0xb5, 0xfb, 0x59, 0xe7, 0x35, 0x9e, 0x1f, 0xde, 0x3f, 0xf6, 0x04, 0x0a, 0x0a, 0xf0, 0x1a,
+	0xfb, 0x60, 0x2d, 0xb6, 0x49, 0x56, 0x2a, 0xc8, 0x4b, 0x57, 0xeb, 0x90, 0xf0, 0xc2, 0xbf, 0x06,
+	0x15, 0x0b, 0xdb, 0x54, 0x0d, 0xca, 0x45, 0xa9, 0x35, 0x3b, 0x3a, 0x5b, 0xad, 0x1c, 0xf8, 0x8b,
+	0x28, 0x94, 0x37, 0xfe, 0x2d, 0x81, 0x52, 0x47, 0xc1, 0x1a, 0xb9, 0x82, 0xd1, 0x61, 0x3b, 0x36,
+	0x3a, 0x34, 0x72, 0x93, 0x88, 0xc7, 0x93, 0x3b, 0x35, 0xec, 0x26, 0xa6, 0x86, 0xcf, 0x2f, 0xc0,
+	0x39, 0x7f, 0x60, 0xb8, 0x0b, 0x2a, 0x81, 0xbb, 0x58, 0x95, 0x94, 0x2e, 0xaa, 0x92, 0x8d, 0xdf,
+	0x17, 0xc0, 0x4c, 0xc4, 0xc5, 0xe5, 0xac, 0xd9, 0x71, 0x47, 0x88, 0x06, 0x2b, 0x43, 0x9b, 0xe3,
+	0x6c, 0x44, 0xf6, 0x49, 0x85, 0xc7, 0xdf, 0xc2, 0xee, 0x9d, 0xe6, 0x1a, 0x0f, 0x40, 0x95, 0x62,
+	0xbb, 0x4f, 0xa8, 0x2f, 0xe3, 0x07, 0x56, 0x09, 0x99, 0xfe, 0x61, 0x4c, 0x8a, 0x12, 0xda, 0x2b,
+	0xf7, 0xc1, 0x6c, 0xcc, 0xd9, 0xa5, 0x48, 0xd8, 0x1b, 0x76, 0x38, 0x61, 0x72, 0x5e, 0x41, 0x76,
+	0x3d, 0x89, 0x65, 0xd7, 0x7a, 0xfe, 0x61, 0x46, 0x9e, 0x4c, 0x5e, 0x8e, 0xa1, 0x44, 0x8e, 0x7d,
+	0x35, 0x16, 0xda, 0xf9, 0x99, 0xf6, 0x27, 0x09, 0xcc, 0x45, 0xb4, 0xaf, 0x60, 0x82, 0xd9, 0x89,
+	0x4f, 0x30, 0x9f, 0x8f, 0xb3, 0x89, 0x9c, 0x11, 0xe6, 0xaf, 0xa5, 0x58, 0xf0, 0xff, 0xf7, 0xa4,
+	0xfa, 0x57, 0x60, 0x71, 0x60, 0x6a, 0xae, 0x4e, 0xda, 0x1a, 0x56, 0x75, 0x5f, 0x81, 0x31, 0x98,
+	0xc9, 0xe4, 0x1f, 0x15, 0x01, 0x3c, 0xb1, 0x1d, 0xd5, 0xa1, 0xc4, 0xa0, 0xcf, 0x42, 0xcb, 0xd6,
+	0x77, 0x85, 0x93, 0xc5, 0x67, 0x19, 0x70, 0x28, 0xd3, 0x09, 0xfc, 0x01, 0x98, 0x61, 0x04, 0x4e,
+	0x55, 0x08, 0x9b, 0x05, 0xc5, 0xf4, 0xbf, 0x20, 0x80, 0x66, 0x3a, 0xa1, 0x08, 0x45, 0xf5, 0xe0,
+	0x31, 0x58, 0xb0, 0xcc, 0xde, 0x1e, 0x36, 0x70, 0x9f, 0xb0, 0xb6, 0x77, 0xc0, 0xff, 0xd0, 0xe4,
+	0x4c, 0xbb, 0xd2, 0xba, 0xed, 0x33, 0xa5, 0x83, 0xb4, 0xca, 0x47, 0x46, 0x59, 0xd3, 0xcb, 0x9c,
+	0x07, 0x64, 0x41, 0x42, 0x1b, 0x54, 0x5d, 0xd1, 0x7e, 0xc4, 0xe0, 0xe1, 0xcd, 0xff, 0x9b, 0xe3,
+	0x64, 0xd8, 0x51, 0xcc, 0x32, 0xac, 0x46, 0xf1, 0x75, 0x94, 0xf0, 0x90, 0x3b, 0x48, 0x94, 0xff,
+	0x9b, 0x41, 0xa2, 0xf1, 0x9b, 0x22, 0x98, 0x4f, 0x3d, 0x5d, 0xf8, 0xa3, 0x73, 0x18, 0xf7, 0xd2,
+	0xff, 0x8c, 0x6d, 0xa7, 0x08, 0xe3, 0xe4, 0x25, 0x08, 0xe3, 0x16, 0x98, 0x53, 0x5c, 0xdb, 0x66,
+	0xb3, 0x7e, 0x9c, 0x65, 0x07, 0x54, 0xbd, 0x1d, 0x17, 0xa3, 0xa4, 0x7e, 0x16, 0xdb, 0x2f, 0x5d,
+	0x92, 0xed, 0x47, 0xa3, 0x10, 0x8c, 0xcd, 0x4b, 0xbb, 0x74, 0x14, 0x82, 0xb8, 0x25, 0xf5, 0x59,
+	0xb7, 0xf2, 0x50, 0x03, 0x84, 0xe9, 0x78, 0xb7, 0x3a, 0x8a, 0x49, 0x51, 0x42, 0x3b, 0x83, 0x39,
+	0x57, 0xc6, 0x66, 0xce, 0x7f, 0x93, 0xc0, 0xa7, 0xb9, 0x19, 0x0a, 0xb7, 0x62, 0x04, 0x7a, 0x23,
+	0x41, 0xa0, 0xbf, 0x97, 0x6b, 0x18, 0xe1, 0xd1, 0x76, 0x36, 0x8f, 0xbe, 0x3b, 0x1e, 0x8f, 0xce,
+	0x20, 0x79, 0x17, 0x13, 0xea, 0xd6, 0xc6, 0xe9, 0xfb, 0xfa, 0xc4, 0xdb, 0xf7, 0xf5, 0x89, 0x77,
+	0xef, 0xeb, 0x13, 0xbf, 0x1e, 0xd5, 0xa5, 0xd3, 0x51, 0x5d, 0x7a, 0x3b, 0xaa, 0x4b, 0xef, 0x46,
+	0x75, 0xe9, 0x1f, 0xa3, 0xba, 0xf4, 0xbb, 0x0f, 0xf5, 0x89, 0xe7, 0xd3, 0xc2, 0xe3, 0x7f, 0x02,
+	0x00, 0x00, 0xff, 0xff, 0x3a, 0x2e, 0x29, 0xcd, 0xb9, 0x19, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/apps/v1beta1/generated.proto b/cli/vendor/k8s.io/api/apps/v1beta1/generated.proto
new file mode 100644
index 00000000..a48fce43
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta1/generated.proto
@@ -0,0 +1,457 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.apps.v1beta1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/api/policy/v1beta1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// DEPRECATED - This group version of ControllerRevision is deprecated by apps/v1beta2/ControllerRevision. See the
+// release notes for more information.
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+message ControllerRevision {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Data is the serialized representation of the state.
+  optional k8s.io.apimachinery.pkg.runtime.RawExtension data = 2;
+
+  // Revision indicates the revision of the state represented by Data.
+  optional int64 revision = 3;
+}
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+message ControllerRevisionList {
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of ControllerRevisions
+  repeated ControllerRevision items = 2;
+}
+
+// DEPRECATED - This group version of Deployment is deprecated by apps/v1beta2/Deployment. See the release notes for
+// more information.
+// Deployment enables declarative updates for Pods and ReplicaSets.
+message Deployment {
+  // Standard object metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of the Deployment.
+  // +optional
+  optional DeploymentSpec spec = 2;
+
+  // Most recently observed status of the Deployment.
+  // +optional
+  optional DeploymentStatus status = 3;
+}
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+message DeploymentCondition {
+  // Type of deployment condition.
+  optional string type = 1;
+
+  // Status of the condition, one of True, False, Unknown.
+  optional string status = 2;
+
+  // The last time this condition was updated.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 6;
+
+  // Last time the condition transitioned from one status to another.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 7;
+
+  // The reason for the condition's last transition.
+  optional string reason = 4;
+
+  // A human readable message indicating details about the transition.
+  optional string message = 5;
+}
+
+// DeploymentList is a list of Deployments.
+message DeploymentList {
+  // Standard list metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of Deployments.
+  repeated Deployment items = 2;
+}
+
+// DEPRECATED.
+// DeploymentRollback stores the information required to rollback a deployment.
+message DeploymentRollback {
+  // Required: This must match the Name of a deployment.
+  optional string name = 1;
+
+  // The annotations to be updated to a deployment
+  // +optional
+  map<string, string> updatedAnnotations = 2;
+
+  // The config of this deployment rollback.
+  optional RollbackConfig rollbackTo = 3;
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+message DeploymentSpec {
+  // Number of desired pods. This is a pointer to distinguish between explicit
+  // zero and not specified. Defaults to 1.
+  // +optional
+  optional int32 replicas = 1;
+
+  // Label selector for pods. Existing ReplicaSets whose pods are
+  // selected by this will be the ones affected by this deployment.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
+
+  // Template describes the pods that will be created.
+  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
+
+  // The deployment strategy to use to replace existing pods with new ones.
+  // +optional
+  optional DeploymentStrategy strategy = 4;
+
+  // Minimum number of seconds for which a newly created pod should be ready
+  // without any of its container crashing, for it to be considered available.
+  // Defaults to 0 (pod will be considered available as soon as it is ready)
+  // +optional
+  optional int32 minReadySeconds = 5;
+
+  // The number of old ReplicaSets to retain to allow rollback.
+  // This is a pointer to distinguish between explicit zero and not specified.
+  // Defaults to 2.
+  // +optional
+  optional int32 revisionHistoryLimit = 6;
+
+  // Indicates that the deployment is paused.
+  // +optional
+  optional bool paused = 7;
+
+  // DEPRECATED.
+  // The config this deployment is rolling back to. Will be cleared after rollback is done.
+  // +optional
+  optional RollbackConfig rollbackTo = 8;
+
+  // The maximum time in seconds for a deployment to make progress before it
+  // is considered to be failed. The deployment controller will continue to
+  // process failed deployments and a condition with a ProgressDeadlineExceeded
+  // reason will be surfaced in the deployment status. Note that progress will
+  // not be estimated during the time a deployment is paused. Defaults to 600s.
+  // +optional
+  optional int32 progressDeadlineSeconds = 9;
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+message DeploymentStatus {
+  // The generation observed by the deployment controller.
+  // +optional
+  optional int64 observedGeneration = 1;
+
+  // Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+  // +optional
+  optional int32 replicas = 2;
+
+  // Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+  // +optional
+  optional int32 updatedReplicas = 3;
+
+  // Total number of ready pods targeted by this deployment.
+  // +optional
+  optional int32 readyReplicas = 7;
+
+  // Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+  // +optional
+  optional int32 availableReplicas = 4;
+
+  // Total number of unavailable pods targeted by this deployment. This is the total number of
+  // pods that are still required for the deployment to have 100% available capacity. They may
+  // either be pods that are running but not yet available or pods that still have not been created.
+  // +optional
+  optional int32 unavailableReplicas = 5;
+
+  // Represents the latest available observations of a deployment's current state.
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated DeploymentCondition conditions = 6;
+
+  // Count of hash collisions for the Deployment. The Deployment controller uses this
+  // field as a collision avoidance mechanism when it needs to create the name for the
+  // newest ReplicaSet.
+  // +optional
+  optional int32 collisionCount = 8;
+}
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+message DeploymentStrategy {
+  // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+  // +optional
+  optional string type = 1;
+
+  // Rolling update config params. Present only if DeploymentStrategyType =
+  // RollingUpdate.
+  // ---
+  // TODO: Update this to follow our convention for oneOf, whatever we decide it
+  // to be.
+  // +optional
+  optional RollingUpdateDeployment rollingUpdate = 2;
+}
+
+// DEPRECATED.
+message RollbackConfig {
+  // The revision to rollback to. If set to 0, rollback to the last revision.
+  // +optional
+  optional int64 revision = 1;
+}
+
+// Spec to control the desired behavior of rolling update.
+message RollingUpdateDeployment {
+  // The maximum number of pods that can be unavailable during the update.
+  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+  // Absolute number is calculated from percentage by rounding down.
+  // This can not be 0 if MaxSurge is 0.
+  // Defaults to 25%.
+  // Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods
+  // immediately when the rolling update starts. Once new pods are ready, old RC
+  // can be scaled down further, followed by scaling up the new RC, ensuring
+  // that the total number of pods available at all times during the update is at
+  // least 70% of desired pods.
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 1;
+
+  // The maximum number of pods that can be scheduled above the desired number of
+  // pods.
+  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+  // This can not be 0 if MaxUnavailable is 0.
+  // Absolute number is calculated from percentage by rounding up.
+  // Defaults to 25%.
+  // Example: when this is set to 30%, the new RC can be scaled up immediately when
+  // the rolling update starts, such that the total number of old and new pods do not exceed
+  // 130% of desired pods. Once old pods have been killed,
+  // new RC can be scaled up further, ensuring that total number of pods running
+  // at any time during the update is atmost 130% of desired pods.
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxSurge = 2;
+}
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+message RollingUpdateStatefulSetStrategy {
+  // Partition indicates the ordinal at which the StatefulSet should be
+  // partitioned.
+  optional int32 partition = 1;
+}
+
+// Scale represents a scaling request for a resource.
+message Scale {
+  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+  // +optional
+  optional ScaleSpec spec = 2;
+
+  // current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.
+  // +optional
+  optional ScaleStatus status = 3;
+}
+
+// ScaleSpec describes the attributes of a scale subresource
+message ScaleSpec {
+  // desired number of instances for the scaled object.
+  // +optional
+  optional int32 replicas = 1;
+}
+
+// ScaleStatus represents the current status of a scale subresource.
+message ScaleStatus {
+  // actual number of observed instances of the scaled object.
+  optional int32 replicas = 1;
+
+  // label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors
+  // +optional
+  map<string, string> selector = 2;
+
+  // label selector for pods that should match the replicas count. This is a serializated
+  // version of both map-based and more expressive set-based selectors. This is done to
+  // avoid introspection in the clients. The string will be in the same format as the
+  // query-param syntax. If the target type only supports map-based selectors, both this
+  // field and map-based selector field are populated.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  // +optional
+  optional string targetSelector = 3;
+}
+
+// DEPRECATED - This group version of StatefulSet is deprecated by apps/v1beta2/StatefulSet. See the release notes for
+// more information.
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//  - Network: A single stable DNS and hostname.
+//  - Storage: As many VolumeClaims as requested.
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+message StatefulSet {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the desired identities of pods in this set.
+  // +optional
+  optional StatefulSetSpec spec = 2;
+
+  // Status is the current status of Pods in this StatefulSet. This data
+  // may be out of date by some window of time.
+  // +optional
+  optional StatefulSetStatus status = 3;
+}
+
+// StatefulSetList is a collection of StatefulSets.
+message StatefulSetList {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  repeated StatefulSet items = 2;
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+message StatefulSetSpec {
+  // replicas is the desired number of replicas of the given Template.
+  // These are replicas in the sense that they are instantiations of the
+  // same Template, but individual replicas also have a consistent identity.
+  // If unspecified, defaults to 1.
+  // TODO: Consider a rename of this field.
+  // +optional
+  optional int32 replicas = 1;
+
+  // selector is a label query over pods that should match the replica count.
+  // If empty, defaulted to labels on the pod template.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
+
+  // template is the object that describes the pod that will be created if
+  // insufficient replicas are detected. Each pod stamped out by the StatefulSet
+  // will fulfill this Template, but have a unique identity from the rest
+  // of the StatefulSet.
+  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
+
+  // volumeClaimTemplates is a list of claims that pods are allowed to reference.
+  // The StatefulSet controller is responsible for mapping network identities to
+  // claims in a way that maintains the identity of a pod. Every claim in
+  // this list must have at least one matching (by name) volumeMount in one
+  // container in the template. A claim in this list takes precedence over
+  // any volumes in the template, with the same name.
+  // TODO: Define the behavior if a claim already exists with the same name.
+  // +optional
+  repeated k8s.io.api.core.v1.PersistentVolumeClaim volumeClaimTemplates = 4;
+
+  // serviceName is the name of the service that governs this StatefulSet.
+  // This service must exist before the StatefulSet, and is responsible for
+  // the network identity of the set. Pods get DNS/hostnames that follow the
+  // pattern: pod-specific-string.serviceName.default.svc.cluster.local
+  // where "pod-specific-string" is managed by the StatefulSet controller.
+  optional string serviceName = 5;
+
+  // podManagementPolicy controls how pods are created during initial scale up,
+  // when replacing pods on nodes, or when scaling down. The default policy is
+  // `OrderedReady`, where pods are created in increasing order (pod-0, then
+  // pod-1, etc) and the controller will wait until each pod is ready before
+  // continuing. When scaling down, the pods are removed in the opposite order.
+  // The alternative policy is `Parallel` which will create pods in parallel
+  // to match the desired scale without waiting, and on scale down will delete
+  // all pods at once.
+  // +optional
+  optional string podManagementPolicy = 6;
+
+  // updateStrategy indicates the StatefulSetUpdateStrategy that will be
+  // employed to update Pods in the StatefulSet when a revision is made to
+  // Template.
+  optional StatefulSetUpdateStrategy updateStrategy = 7;
+
+  // revisionHistoryLimit is the maximum number of revisions that will
+  // be maintained in the StatefulSet's revision history. The revision history
+  // consists of all revisions not represented by a currently applied
+  // StatefulSetSpec version. The default value is 10.
+  optional int32 revisionHistoryLimit = 8;
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+message StatefulSetStatus {
+  // observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+  // StatefulSet's generation, which is updated on mutation by the API Server.
+  // +optional
+  optional int64 observedGeneration = 1;
+
+  // replicas is the number of Pods created by the StatefulSet controller.
+  optional int32 replicas = 2;
+
+  // readyReplicas is the number of Pods created by the StatefulSet controller that have a Ready Condition.
+  optional int32 readyReplicas = 3;
+
+  // currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+  // indicated by currentRevision.
+  optional int32 currentReplicas = 4;
+
+  // updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+  // indicated by updateRevision.
+  optional int32 updatedReplicas = 5;
+
+  // currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+  // sequence [0,currentReplicas).
+  optional string currentRevision = 6;
+
+  // updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+  // [replicas-updatedReplicas,replicas)
+  optional string updateRevision = 7;
+
+  // collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+  // uses this field as a collision avoidance mechanism when it needs to create the name for the
+  // newest ControllerRevision.
+  // +optional
+  optional int32 collisionCount = 9;
+}
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+message StatefulSetUpdateStrategy {
+  // Type indicates the type of the StatefulSetUpdateStrategy.
+  optional string type = 1;
+
+  // RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+  optional RollingUpdateStatefulSetStrategy rollingUpdate = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/apps/v1beta1/register.go b/cli/vendor/k8s.io/api/apps/v1beta1/register.go
new file mode 100644
index 00000000..84789be6
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta1/register.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "apps"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Deployment{},
+		&DeploymentList{},
+		&DeploymentRollback{},
+		&Scale{},
+		&StatefulSet{},
+		&StatefulSetList{},
+		&ControllerRevision{},
+		&ControllerRevisionList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/apps/v1beta1/types.go b/cli/vendor/k8s.io/api/apps/v1beta1/types.go
new file mode 100644
index 00000000..63d1c725
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta1/types.go
@@ -0,0 +1,542 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+const (
+	ControllerRevisionHashLabelKey = "controller-revision-hash"
+	StatefulSetRevisionLabel       = ControllerRevisionHashLabelKey
+)
+
+// ScaleSpec describes the attributes of a scale subresource
+type ScaleSpec struct {
+	// desired number of instances for the scaled object.
+	// +optional
+	Replicas int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+}
+
+// ScaleStatus represents the current status of a scale subresource.
+type ScaleStatus struct {
+	// actual number of observed instances of the scaled object.
+	Replicas int32 `json:"replicas" protobuf:"varint,1,opt,name=replicas"`
+
+	// label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors
+	// +optional
+	Selector map[string]string `json:"selector,omitempty" protobuf:"bytes,2,rep,name=selector"`
+
+	// label selector for pods that should match the replicas count. This is a serializated
+	// version of both map-based and more expressive set-based selectors. This is done to
+	// avoid introspection in the clients. The string will be in the same format as the
+	// query-param syntax. If the target type only supports map-based selectors, both this
+	// field and map-based selector field are populated.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	TargetSelector string `json:"targetSelector,omitempty" protobuf:"bytes,3,opt,name=targetSelector"`
+}
+
+// +genclient
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Scale represents a scaling request for a resource.
+type Scale struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+	// +optional
+	Spec ScaleSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.
+	// +optional
+	Status ScaleStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DEPRECATED - This group version of StatefulSet is deprecated by apps/v1beta2/StatefulSet. See the release notes for
+// more information.
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//  - Network: A single stable DNS and hostname.
+//  - Storage: As many VolumeClaims as requested.
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+type StatefulSet struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the desired identities of pods in this set.
+	// +optional
+	Spec StatefulSetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	// +optional
+	Status StatefulSetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// PodManagementPolicyType defines the policy for creating pods under a stateful set.
+type PodManagementPolicyType string
+
+const (
+	// OrderedReadyPodManagement will create pods in strictly increasing order on
+	// scale up and strictly decreasing order on scale down, progressing only when
+	// the previous pod is ready or terminated. At most one pod will be changed
+	// at any time.
+	OrderedReadyPodManagement PodManagementPolicyType = "OrderedReady"
+	// ParallelPodManagement will create and delete pods as soon as the stateful set
+	// replica count is changed, and will not wait for pods to be ready or complete
+	// termination.
+	ParallelPodManagement = "Parallel"
+)
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+type StatefulSetUpdateStrategy struct {
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	Type StatefulSetUpdateStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=StatefulSetStrategyType"`
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+	RollingUpdate *RollingUpdateStatefulSetStrategy `json:"rollingUpdate,omitempty" protobuf:"bytes,2,opt,name=rollingUpdate"`
+}
+
+// StatefulSetUpdateStrategyType is a string enumeration type that enumerates
+// all possible update strategies for the StatefulSet controller.
+type StatefulSetUpdateStrategyType string
+
+const (
+	// RollingUpdateStatefulSetStrategyType indicates that update will be
+	// applied to all Pods in the StatefulSet with respect to the StatefulSet
+	// ordering constraints. When a scale operation is performed with this
+	// strategy, new Pods will be created from the specification version indicated
+	// by the StatefulSet's updateRevision.
+	RollingUpdateStatefulSetStrategyType = "RollingUpdate"
+	// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version
+	// tracking and ordered rolling restarts are disabled. Pods are recreated
+	// from the StatefulSetSpec when they are manually deleted. When a scale
+	// operation is performed with this strategy,specification version indicated
+	// by the StatefulSet's currentRevision.
+	OnDeleteStatefulSetStrategyType = "OnDelete"
+)
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+type RollingUpdateStatefulSetStrategy struct {
+	// Partition indicates the ordinal at which the StatefulSet should be
+	// partitioned.
+	Partition *int32 `json:"partition,omitempty" protobuf:"varint,1,opt,name=partition"`
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+type StatefulSetSpec struct {
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+
+	// selector is a label query over pods that should match the replica count.
+	// If empty, defaulted to labels on the pod template.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"`
+
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet.
+	Template v1.PodTemplateSpec `json:"template" protobuf:"bytes,3,opt,name=template"`
+
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	// +optional
+	VolumeClaimTemplates []v1.PersistentVolumeClaim `json:"volumeClaimTemplates,omitempty" protobuf:"bytes,4,rep,name=volumeClaimTemplates"`
+
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	ServiceName string `json:"serviceName" protobuf:"bytes,5,opt,name=serviceName"`
+
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	// +optional
+	PodManagementPolicy PodManagementPolicyType `json:"podManagementPolicy,omitempty" protobuf:"bytes,6,opt,name=podManagementPolicy,casttype=PodManagementPolicyType"`
+
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	UpdateStrategy StatefulSetUpdateStrategy `json:"updateStrategy,omitempty" protobuf:"bytes,7,opt,name=updateStrategy"`
+
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty" protobuf:"varint,8,opt,name=revisionHistoryLimit"`
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+type StatefulSetStatus struct {
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	// +optional
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
+
+	// replicas is the number of Pods created by the StatefulSet controller.
+	Replicas int32 `json:"replicas" protobuf:"varint,2,opt,name=replicas"`
+
+	// readyReplicas is the number of Pods created by the StatefulSet controller that have a Ready Condition.
+	ReadyReplicas int32 `json:"readyReplicas,omitempty" protobuf:"varint,3,opt,name=readyReplicas"`
+
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	CurrentReplicas int32 `json:"currentReplicas,omitempty" protobuf:"varint,4,opt,name=currentReplicas"`
+
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	UpdatedReplicas int32 `json:"updatedReplicas,omitempty" protobuf:"varint,5,opt,name=updatedReplicas"`
+
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	CurrentRevision string `json:"currentRevision,omitempty" protobuf:"bytes,6,opt,name=currentRevision"`
+
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	UpdateRevision string `json:"updateRevision,omitempty" protobuf:"bytes,7,opt,name=updateRevision"`
+
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	// +optional
+	CollisionCount *int32 `json:"collisionCount,omitempty" protobuf:"varint,9,opt,name=collisionCount"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// StatefulSetList is a collection of StatefulSets.
+type StatefulSetList struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	Items           []StatefulSet `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DEPRECATED - This group version of Deployment is deprecated by apps/v1beta2/Deployment. See the release notes for
+// more information.
+// Deployment enables declarative updates for Pods and ReplicaSets.
+type Deployment struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of the Deployment.
+	// +optional
+	Spec DeploymentSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Most recently observed status of the Deployment.
+	// +optional
+	Status DeploymentStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+type DeploymentSpec struct {
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"`
+
+	// Template describes the pods that will be created.
+	Template v1.PodTemplateSpec `json:"template" protobuf:"bytes,3,opt,name=template"`
+
+	// The deployment strategy to use to replace existing pods with new ones.
+	// +optional
+	Strategy DeploymentStrategy `json:"strategy,omitempty" protobuf:"bytes,4,opt,name=strategy"`
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	MinReadySeconds int32 `json:"minReadySeconds,omitempty" protobuf:"varint,5,opt,name=minReadySeconds"`
+
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 2.
+	// +optional
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty" protobuf:"varint,6,opt,name=revisionHistoryLimit"`
+
+	// Indicates that the deployment is paused.
+	// +optional
+	Paused bool `json:"paused,omitempty" protobuf:"varint,7,opt,name=paused"`
+
+	// DEPRECATED.
+	// The config this deployment is rolling back to. Will be cleared after rollback is done.
+	// +optional
+	RollbackTo *RollbackConfig `json:"rollbackTo,omitempty" protobuf:"bytes,8,opt,name=rollbackTo"`
+
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	// +optional
+	ProgressDeadlineSeconds *int32 `json:"progressDeadlineSeconds,omitempty" protobuf:"varint,9,opt,name=progressDeadlineSeconds"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DEPRECATED.
+// DeploymentRollback stores the information required to rollback a deployment.
+type DeploymentRollback struct {
+	metav1.TypeMeta `json:",inline"`
+	// Required: This must match the Name of a deployment.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// The annotations to be updated to a deployment
+	// +optional
+	UpdatedAnnotations map[string]string `json:"updatedAnnotations,omitempty" protobuf:"bytes,2,rep,name=updatedAnnotations"`
+	// The config of this deployment rollback.
+	RollbackTo RollbackConfig `json:"rollbackTo" protobuf:"bytes,3,opt,name=rollbackTo"`
+}
+
+// DEPRECATED.
+type RollbackConfig struct {
+	// The revision to rollback to. If set to 0, rollback to the last revision.
+	// +optional
+	Revision int64 `json:"revision,omitempty" protobuf:"varint,1,opt,name=revision"`
+}
+
+const (
+	// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
+	// to existing RCs (and label key that is added to its pods) to prevent the existing RCs
+	// to select new pods (and old pods being select by new RC).
+	DefaultDeploymentUniqueLabelKey string = "pod-template-hash"
+)
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+type DeploymentStrategy struct {
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	// +optional
+	Type DeploymentStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=DeploymentStrategyType"`
+
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
+	// +optional
+	RollingUpdate *RollingUpdateDeployment `json:"rollingUpdate,omitempty" protobuf:"bytes,2,opt,name=rollingUpdate"`
+}
+
+type DeploymentStrategyType string
+
+const (
+	// Kill all existing pods before creating new ones.
+	RecreateDeploymentStrategyType DeploymentStrategyType = "Recreate"
+
+	// Replace the old RCs by new one using rolling update i.e gradually scale down the old RCs and scale up the new one.
+	RollingUpdateDeploymentStrategyType DeploymentStrategyType = "RollingUpdate"
+)
+
+// Spec to control the desired behavior of rolling update.
+type RollingUpdateDeployment struct {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old RC
+	// can be scaled down further, followed by scaling up the new RC, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
+	// +optional
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,1,opt,name=maxUnavailable"`
+
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new RC can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new RC can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is atmost 130% of desired pods.
+	// +optional
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty" protobuf:"bytes,2,opt,name=maxSurge"`
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+type DeploymentStatus struct {
+	// The generation observed by the deployment controller.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
+
+	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+	// +optional
+	Replicas int32 `json:"replicas,omitempty" protobuf:"varint,2,opt,name=replicas"`
+
+	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+	// +optional
+	UpdatedReplicas int32 `json:"updatedReplicas,omitempty" protobuf:"varint,3,opt,name=updatedReplicas"`
+
+	// Total number of ready pods targeted by this deployment.
+	// +optional
+	ReadyReplicas int32 `json:"readyReplicas,omitempty" protobuf:"varint,7,opt,name=readyReplicas"`
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+	// +optional
+	AvailableReplicas int32 `json:"availableReplicas,omitempty" protobuf:"varint,4,opt,name=availableReplicas"`
+
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	// +optional
+	UnavailableReplicas int32 `json:"unavailableReplicas,omitempty" protobuf:"varint,5,opt,name=unavailableReplicas"`
+
+	// Represents the latest available observations of a deployment's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []DeploymentCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,6,rep,name=conditions"`
+
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	// +optional
+	CollisionCount *int32 `json:"collisionCount,omitempty" protobuf:"varint,8,opt,name=collisionCount"`
+}
+
+type DeploymentConditionType string
+
+// These are valid conditions of a deployment.
+const (
+	// Available means the deployment is available, ie. at least the minimum available
+	// replicas required are up and running for at least minReadySeconds.
+	DeploymentAvailable DeploymentConditionType = "Available"
+	// Progressing means the deployment is progressing. Progress for a deployment is
+	// considered when a new replica set is created or adopted, and when new pods scale
+	// up or old pods scale down. Progress is not estimated for paused deployments or
+	// when progressDeadlineSeconds is not specified.
+	DeploymentProgressing DeploymentConditionType = "Progressing"
+	// ReplicaFailure is added in a deployment when one of its pods fails to be created
+	// or deleted.
+	DeploymentReplicaFailure DeploymentConditionType = "ReplicaFailure"
+)
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+type DeploymentCondition struct {
+	// Type of deployment condition.
+	Type DeploymentConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=DeploymentConditionType"`
+	// Status of the condition, one of True, False, Unknown.
+	Status v1.ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"`
+	// The last time this condition was updated.
+	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty" protobuf:"bytes,6,opt,name=lastUpdateTime"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,7,opt,name=lastTransitionTime"`
+	// The reason for the condition's last transition.
+	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
+	// A human readable message indicating details about the transition.
+	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DeploymentList is a list of Deployments.
+type DeploymentList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of Deployments.
+	Items []Deployment `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DEPRECATED - This group version of ControllerRevision is deprecated by apps/v1beta2/ControllerRevision. See the
+// release notes for more information.
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+type ControllerRevision struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Data is the serialized representation of the state.
+	Data runtime.RawExtension `json:"data,omitempty" protobuf:"bytes,2,opt,name=data"`
+
+	// Revision indicates the revision of the state represented by Data.
+	Revision int64 `json:"revision" protobuf:"varint,3,opt,name=revision"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+type ControllerRevisionList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of ControllerRevisions
+	Items []ControllerRevision `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/apps/v1beta1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/apps/v1beta1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..72d5e69c
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta1/types_swagger_doc_generated.go
@@ -0,0 +1,259 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_ControllerRevision = map[string]string{
+	"":         "DEPRECATED - This group version of ControllerRevision is deprecated by apps/v1beta2/ControllerRevision. See the release notes for more information. ControllerRevision implements an immutable snapshot of state data. Clients are responsible for serializing and deserializing the objects that contain their internal state. Once a ControllerRevision has been successfully created, it can not be updated. The API Server will fail validation of all requests that attempt to mutate the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, it may be subject to name and representation changes in future releases, and clients should not depend on its stability. It is primarily for internal use by controllers.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"data":     "Data is the serialized representation of the state.",
+	"revision": "Revision indicates the revision of the state represented by Data.",
+}
+
+func (ControllerRevision) SwaggerDoc() map[string]string {
+	return map_ControllerRevision
+}
+
+var map_ControllerRevisionList = map[string]string{
+	"":         "ControllerRevisionList is a resource containing a list of ControllerRevision objects.",
+	"metadata": "More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is the list of ControllerRevisions",
+}
+
+func (ControllerRevisionList) SwaggerDoc() map[string]string {
+	return map_ControllerRevisionList
+}
+
+var map_Deployment = map[string]string{
+	"":         "DEPRECATED - This group version of Deployment is deprecated by apps/v1beta2/Deployment. See the release notes for more information. Deployment enables declarative updates for Pods and ReplicaSets.",
+	"metadata": "Standard object metadata.",
+	"spec":     "Specification of the desired behavior of the Deployment.",
+	"status":   "Most recently observed status of the Deployment.",
+}
+
+func (Deployment) SwaggerDoc() map[string]string {
+	return map_Deployment
+}
+
+var map_DeploymentCondition = map[string]string{
+	"":                   "DeploymentCondition describes the state of a deployment at a certain point.",
+	"type":               "Type of deployment condition.",
+	"status":             "Status of the condition, one of True, False, Unknown.",
+	"lastUpdateTime":     "The last time this condition was updated.",
+	"lastTransitionTime": "Last time the condition transitioned from one status to another.",
+	"reason":             "The reason for the condition's last transition.",
+	"message":            "A human readable message indicating details about the transition.",
+}
+
+func (DeploymentCondition) SwaggerDoc() map[string]string {
+	return map_DeploymentCondition
+}
+
+var map_DeploymentList = map[string]string{
+	"":         "DeploymentList is a list of Deployments.",
+	"metadata": "Standard list metadata.",
+	"items":    "Items is the list of Deployments.",
+}
+
+func (DeploymentList) SwaggerDoc() map[string]string {
+	return map_DeploymentList
+}
+
+var map_DeploymentRollback = map[string]string{
+	"":                   "DEPRECATED. DeploymentRollback stores the information required to rollback a deployment.",
+	"name":               "Required: This must match the Name of a deployment.",
+	"updatedAnnotations": "The annotations to be updated to a deployment",
+	"rollbackTo":         "The config of this deployment rollback.",
+}
+
+func (DeploymentRollback) SwaggerDoc() map[string]string {
+	return map_DeploymentRollback
+}
+
+var map_DeploymentSpec = map[string]string{
+	"":                        "DeploymentSpec is the specification of the desired behavior of the Deployment.",
+	"replicas":                "Number of desired pods. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1.",
+	"selector":                "Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment.",
+	"template":                "Template describes the pods that will be created.",
+	"strategy":                "The deployment strategy to use to replace existing pods with new ones.",
+	"minReadySeconds":         "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)",
+	"revisionHistoryLimit":    "The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 2.",
+	"paused":                  "Indicates that the deployment is paused.",
+	"rollbackTo":              "DEPRECATED. The config this deployment is rolling back to. Will be cleared after rollback is done.",
+	"progressDeadlineSeconds": "The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. Defaults to 600s.",
+}
+
+func (DeploymentSpec) SwaggerDoc() map[string]string {
+	return map_DeploymentSpec
+}
+
+var map_DeploymentStatus = map[string]string{
+	"":                    "DeploymentStatus is the most recently observed status of the Deployment.",
+	"observedGeneration":  "The generation observed by the deployment controller.",
+	"replicas":            "Total number of non-terminated pods targeted by this deployment (their labels match the selector).",
+	"updatedReplicas":     "Total number of non-terminated pods targeted by this deployment that have the desired template spec.",
+	"readyReplicas":       "Total number of ready pods targeted by this deployment.",
+	"availableReplicas":   "Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.",
+	"unavailableReplicas": "Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created.",
+	"conditions":          "Represents the latest available observations of a deployment's current state.",
+	"collisionCount":      "Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.",
+}
+
+func (DeploymentStatus) SwaggerDoc() map[string]string {
+	return map_DeploymentStatus
+}
+
+var map_DeploymentStrategy = map[string]string{
+	"":              "DeploymentStrategy describes how to replace existing pods with new ones.",
+	"type":          "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate.",
+	"rollingUpdate": "Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate.",
+}
+
+func (DeploymentStrategy) SwaggerDoc() map[string]string {
+	return map_DeploymentStrategy
+}
+
+var map_RollbackConfig = map[string]string{
+	"":         "DEPRECATED.",
+	"revision": "The revision to rollback to. If set to 0, rollback to the last revision.",
+}
+
+func (RollbackConfig) SwaggerDoc() map[string]string {
+	return map_RollbackConfig
+}
+
+var map_RollingUpdateDeployment = map[string]string{
+	"":               "Spec to control the desired behavior of rolling update.",
+	"maxUnavailable": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old RC can be scaled down further, followed by scaling up the new RC, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.",
+	"maxSurge":       "The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new RC can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new RC can be scaled up further, ensuring that total number of pods running at any time during the update is atmost 130% of desired pods.",
+}
+
+func (RollingUpdateDeployment) SwaggerDoc() map[string]string {
+	return map_RollingUpdateDeployment
+}
+
+var map_RollingUpdateStatefulSetStrategy = map[string]string{
+	"":          "RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.",
+	"partition": "Partition indicates the ordinal at which the StatefulSet should be partitioned.",
+}
+
+func (RollingUpdateStatefulSetStrategy) SwaggerDoc() map[string]string {
+	return map_RollingUpdateStatefulSetStrategy
+}
+
+var map_Scale = map[string]string{
+	"":         "Scale represents a scaling request for a resource.",
+	"metadata": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.",
+	"spec":     "defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.",
+	"status":   "current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.",
+}
+
+func (Scale) SwaggerDoc() map[string]string {
+	return map_Scale
+}
+
+var map_ScaleSpec = map[string]string{
+	"":         "ScaleSpec describes the attributes of a scale subresource",
+	"replicas": "desired number of instances for the scaled object.",
+}
+
+func (ScaleSpec) SwaggerDoc() map[string]string {
+	return map_ScaleSpec
+}
+
+var map_ScaleStatus = map[string]string{
+	"":               "ScaleStatus represents the current status of a scale subresource.",
+	"replicas":       "actual number of observed instances of the scaled object.",
+	"selector":       "label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors",
+	"targetSelector": "label selector for pods that should match the replicas count. This is a serializated version of both map-based and more expressive set-based selectors. This is done to avoid introspection in the clients. The string will be in the same format as the query-param syntax. If the target type only supports map-based selectors, both this field and map-based selector field are populated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+}
+
+func (ScaleStatus) SwaggerDoc() map[string]string {
+	return map_ScaleStatus
+}
+
+var map_StatefulSet = map[string]string{
+	"":       "DEPRECATED - This group version of StatefulSet is deprecated by apps/v1beta2/StatefulSet. See the release notes for more information. StatefulSet represents a set of pods with consistent identities. Identities are defined as:\n - Network: A single stable DNS and hostname.\n - Storage: As many VolumeClaims as requested.\nThe StatefulSet guarantees that a given network identity will always map to the same storage identity.",
+	"spec":   "Spec defines the desired identities of pods in this set.",
+	"status": "Status is the current status of Pods in this StatefulSet. This data may be out of date by some window of time.",
+}
+
+func (StatefulSet) SwaggerDoc() map[string]string {
+	return map_StatefulSet
+}
+
+var map_StatefulSetList = map[string]string{
+	"": "StatefulSetList is a collection of StatefulSets.",
+}
+
+func (StatefulSetList) SwaggerDoc() map[string]string {
+	return map_StatefulSetList
+}
+
+var map_StatefulSetSpec = map[string]string{
+	"":                     "A StatefulSetSpec is the specification of a StatefulSet.",
+	"replicas":             "replicas is the desired number of replicas of the given Template. These are replicas in the sense that they are instantiations of the same Template, but individual replicas also have a consistent identity. If unspecified, defaults to 1.",
+	"selector":             "selector is a label query over pods that should match the replica count. If empty, defaulted to labels on the pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+	"template":             "template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet.",
+	"volumeClaimTemplates": "volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volumes in the template, with the same name.",
+	"serviceName":          "serviceName is the name of the service that governs this StatefulSet. This service must exist before the StatefulSet, and is responsible for the network identity of the set. Pods get DNS/hostnames that follow the pattern: pod-specific-string.serviceName.default.svc.cluster.local where \"pod-specific-string\" is managed by the StatefulSet controller.",
+	"podManagementPolicy":  "podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each pod is ready before continuing. When scaling down, the pods are removed in the opposite order. The alternative policy is `Parallel` which will create pods in parallel to match the desired scale without waiting, and on scale down will delete all pods at once.",
+	"updateStrategy":       "updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template.",
+	"revisionHistoryLimit": "revisionHistoryLimit is the maximum number of revisions that will be maintained in the StatefulSet's revision history. The revision history consists of all revisions not represented by a currently applied StatefulSetSpec version. The default value is 10.",
+}
+
+func (StatefulSetSpec) SwaggerDoc() map[string]string {
+	return map_StatefulSetSpec
+}
+
+var map_StatefulSetStatus = map[string]string{
+	"":                   "StatefulSetStatus represents the current state of a StatefulSet.",
+	"observedGeneration": "observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the StatefulSet's generation, which is updated on mutation by the API Server.",
+	"replicas":           "replicas is the number of Pods created by the StatefulSet controller.",
+	"readyReplicas":      "readyReplicas is the number of Pods created by the StatefulSet controller that have a Ready Condition.",
+	"currentReplicas":    "currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by currentRevision.",
+	"updatedReplicas":    "updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by updateRevision.",
+	"currentRevision":    "currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [0,currentReplicas).",
+	"updateRevision":     "updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [replicas-updatedReplicas,replicas)",
+	"collisionCount":     "collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.",
+}
+
+func (StatefulSetStatus) SwaggerDoc() map[string]string {
+	return map_StatefulSetStatus
+}
+
+var map_StatefulSetUpdateStrategy = map[string]string{
+	"":              "StatefulSetUpdateStrategy indicates the strategy that the StatefulSet controller will use to perform updates. It includes any additional parameters necessary to perform the update for the indicated strategy.",
+	"type":          "Type indicates the type of the StatefulSetUpdateStrategy.",
+	"rollingUpdate": "RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.",
+}
+
+func (StatefulSetUpdateStrategy) SwaggerDoc() map[string]string {
+	return map_StatefulSetUpdateStrategy
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/apps/v1beta1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/apps/v1beta1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..ba580fbd
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,737 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	core_v1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	intstr "k8s.io/apimachinery/pkg/util/intstr"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ControllerRevision).DeepCopyInto(out.(*ControllerRevision))
+			return nil
+		}, InType: reflect.TypeOf(&ControllerRevision{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ControllerRevisionList).DeepCopyInto(out.(*ControllerRevisionList))
+			return nil
+		}, InType: reflect.TypeOf(&ControllerRevisionList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Deployment).DeepCopyInto(out.(*Deployment))
+			return nil
+		}, InType: reflect.TypeOf(&Deployment{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentCondition).DeepCopyInto(out.(*DeploymentCondition))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentList).DeepCopyInto(out.(*DeploymentList))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentRollback).DeepCopyInto(out.(*DeploymentRollback))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentRollback{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentSpec).DeepCopyInto(out.(*DeploymentSpec))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentStatus).DeepCopyInto(out.(*DeploymentStatus))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentStrategy).DeepCopyInto(out.(*DeploymentStrategy))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentStrategy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RollbackConfig).DeepCopyInto(out.(*RollbackConfig))
+			return nil
+		}, InType: reflect.TypeOf(&RollbackConfig{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RollingUpdateDeployment).DeepCopyInto(out.(*RollingUpdateDeployment))
+			return nil
+		}, InType: reflect.TypeOf(&RollingUpdateDeployment{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RollingUpdateStatefulSetStrategy).DeepCopyInto(out.(*RollingUpdateStatefulSetStrategy))
+			return nil
+		}, InType: reflect.TypeOf(&RollingUpdateStatefulSetStrategy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Scale).DeepCopyInto(out.(*Scale))
+			return nil
+		}, InType: reflect.TypeOf(&Scale{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ScaleSpec).DeepCopyInto(out.(*ScaleSpec))
+			return nil
+		}, InType: reflect.TypeOf(&ScaleSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ScaleStatus).DeepCopyInto(out.(*ScaleStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ScaleStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatefulSet).DeepCopyInto(out.(*StatefulSet))
+			return nil
+		}, InType: reflect.TypeOf(&StatefulSet{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatefulSetList).DeepCopyInto(out.(*StatefulSetList))
+			return nil
+		}, InType: reflect.TypeOf(&StatefulSetList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatefulSetSpec).DeepCopyInto(out.(*StatefulSetSpec))
+			return nil
+		}, InType: reflect.TypeOf(&StatefulSetSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatefulSetStatus).DeepCopyInto(out.(*StatefulSetStatus))
+			return nil
+		}, InType: reflect.TypeOf(&StatefulSetStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatefulSetUpdateStrategy).DeepCopyInto(out.(*StatefulSetUpdateStrategy))
+			return nil
+		}, InType: reflect.TypeOf(&StatefulSetUpdateStrategy{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ControllerRevision) DeepCopyInto(out *ControllerRevision) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Data.DeepCopyInto(&out.Data)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerRevision.
+func (in *ControllerRevision) DeepCopy() *ControllerRevision {
+	if in == nil {
+		return nil
+	}
+	out := new(ControllerRevision)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ControllerRevision) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ControllerRevisionList) DeepCopyInto(out *ControllerRevisionList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ControllerRevision, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerRevisionList.
+func (in *ControllerRevisionList) DeepCopy() *ControllerRevisionList {
+	if in == nil {
+		return nil
+	}
+	out := new(ControllerRevisionList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ControllerRevisionList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Deployment) DeepCopyInto(out *Deployment) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deployment.
+func (in *Deployment) DeepCopy() *Deployment {
+	if in == nil {
+		return nil
+	}
+	out := new(Deployment)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Deployment) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentCondition) DeepCopyInto(out *DeploymentCondition) {
+	*out = *in
+	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentCondition.
+func (in *DeploymentCondition) DeepCopy() *DeploymentCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentList) DeepCopyInto(out *DeploymentList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Deployment, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentList.
+func (in *DeploymentList) DeepCopy() *DeploymentList {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeploymentList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentRollback) DeepCopyInto(out *DeploymentRollback) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.UpdatedAnnotations != nil {
+		in, out := &in.UpdatedAnnotations, &out.UpdatedAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	out.RollbackTo = in.RollbackTo
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentRollback.
+func (in *DeploymentRollback) DeepCopy() *DeploymentRollback {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentRollback)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeploymentRollback) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentSpec) DeepCopyInto(out *DeploymentSpec) {
+	*out = *in
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	in.Strategy.DeepCopyInto(&out.Strategy)
+	if in.RevisionHistoryLimit != nil {
+		in, out := &in.RevisionHistoryLimit, &out.RevisionHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.RollbackTo != nil {
+		in, out := &in.RollbackTo, &out.RollbackTo
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RollbackConfig)
+			**out = **in
+		}
+	}
+	if in.ProgressDeadlineSeconds != nil {
+		in, out := &in.ProgressDeadlineSeconds, &out.ProgressDeadlineSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentSpec.
+func (in *DeploymentSpec) DeepCopy() *DeploymentSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentStatus) DeepCopyInto(out *DeploymentStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]DeploymentCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CollisionCount != nil {
+		in, out := &in.CollisionCount, &out.CollisionCount
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStatus.
+func (in *DeploymentStatus) DeepCopy() *DeploymentStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentStrategy) DeepCopyInto(out *DeploymentStrategy) {
+	*out = *in
+	if in.RollingUpdate != nil {
+		in, out := &in.RollingUpdate, &out.RollingUpdate
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RollingUpdateDeployment)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStrategy.
+func (in *DeploymentStrategy) DeepCopy() *DeploymentStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RollbackConfig) DeepCopyInto(out *RollbackConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RollbackConfig.
+func (in *RollbackConfig) DeepCopy() *RollbackConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(RollbackConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RollingUpdateDeployment) DeepCopyInto(out *RollingUpdateDeployment) {
+	*out = *in
+	if in.MaxUnavailable != nil {
+		in, out := &in.MaxUnavailable, &out.MaxUnavailable
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	if in.MaxSurge != nil {
+		in, out := &in.MaxSurge, &out.MaxSurge
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RollingUpdateDeployment.
+func (in *RollingUpdateDeployment) DeepCopy() *RollingUpdateDeployment {
+	if in == nil {
+		return nil
+	}
+	out := new(RollingUpdateDeployment)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RollingUpdateStatefulSetStrategy) DeepCopyInto(out *RollingUpdateStatefulSetStrategy) {
+	*out = *in
+	if in.Partition != nil {
+		in, out := &in.Partition, &out.Partition
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RollingUpdateStatefulSetStrategy.
+func (in *RollingUpdateStatefulSetStrategy) DeepCopy() *RollingUpdateStatefulSetStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(RollingUpdateStatefulSetStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Scale) DeepCopyInto(out *Scale) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Scale.
+func (in *Scale) DeepCopy() *Scale {
+	if in == nil {
+		return nil
+	}
+	out := new(Scale)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Scale) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScaleSpec) DeepCopyInto(out *ScaleSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScaleSpec.
+func (in *ScaleSpec) DeepCopy() *ScaleSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ScaleSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScaleStatus) DeepCopyInto(out *ScaleStatus) {
+	*out = *in
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScaleStatus.
+func (in *ScaleStatus) DeepCopy() *ScaleStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ScaleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatefulSet) DeepCopyInto(out *StatefulSet) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSet.
+func (in *StatefulSet) DeepCopy() *StatefulSet {
+	if in == nil {
+		return nil
+	}
+	out := new(StatefulSet)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StatefulSet) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatefulSetList) DeepCopyInto(out *StatefulSetList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]StatefulSet, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSetList.
+func (in *StatefulSetList) DeepCopy() *StatefulSetList {
+	if in == nil {
+		return nil
+	}
+	out := new(StatefulSetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StatefulSetList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatefulSetSpec) DeepCopyInto(out *StatefulSetSpec) {
+	*out = *in
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	if in.VolumeClaimTemplates != nil {
+		in, out := &in.VolumeClaimTemplates, &out.VolumeClaimTemplates
+		*out = make([]core_v1.PersistentVolumeClaim, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.UpdateStrategy.DeepCopyInto(&out.UpdateStrategy)
+	if in.RevisionHistoryLimit != nil {
+		in, out := &in.RevisionHistoryLimit, &out.RevisionHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSetSpec.
+func (in *StatefulSetSpec) DeepCopy() *StatefulSetSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(StatefulSetSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatefulSetStatus) DeepCopyInto(out *StatefulSetStatus) {
+	*out = *in
+	if in.ObservedGeneration != nil {
+		in, out := &in.ObservedGeneration, &out.ObservedGeneration
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.CollisionCount != nil {
+		in, out := &in.CollisionCount, &out.CollisionCount
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSetStatus.
+func (in *StatefulSetStatus) DeepCopy() *StatefulSetStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(StatefulSetStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatefulSetUpdateStrategy) DeepCopyInto(out *StatefulSetUpdateStrategy) {
+	*out = *in
+	if in.RollingUpdate != nil {
+		in, out := &in.RollingUpdate, &out.RollingUpdate
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RollingUpdateStatefulSetStrategy)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSetUpdateStrategy.
+func (in *StatefulSetUpdateStrategy) DeepCopy() *StatefulSetUpdateStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(StatefulSetUpdateStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/apps/v1beta2/doc.go b/cli/vendor/k8s.io/api/apps/v1beta2/doc.go
new file mode 100644
index 00000000..dafca120
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta2/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+package v1beta2 // import "k8s.io/api/apps/v1beta2"
diff --git a/cli/vendor/k8s.io/api/apps/v1beta2/generated.pb.go b/cli/vendor/k8s.io/api/apps/v1beta2/generated.pb.go
new file mode 100644
index 00000000..fc4371b7
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta2/generated.pb.go
@@ -0,0 +1,6934 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/apps/v1beta2/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1beta2 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/apps/v1beta2/generated.proto
+
+	It has these top-level messages:
+		ControllerRevision
+		ControllerRevisionList
+		DaemonSet
+		DaemonSetList
+		DaemonSetSpec
+		DaemonSetStatus
+		DaemonSetUpdateStrategy
+		Deployment
+		DeploymentCondition
+		DeploymentList
+		DeploymentSpec
+		DeploymentStatus
+		DeploymentStrategy
+		ReplicaSet
+		ReplicaSetCondition
+		ReplicaSetList
+		ReplicaSetSpec
+		ReplicaSetStatus
+		RollingUpdateDaemonSet
+		RollingUpdateDeployment
+		RollingUpdateStatefulSetStrategy
+		Scale
+		ScaleSpec
+		ScaleStatus
+		StatefulSet
+		StatefulSetList
+		StatefulSetSpec
+		StatefulSetStatus
+		StatefulSetUpdateStrategy
+*/
+package v1beta2
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+import k8s_io_apimachinery_pkg_util_intstr "k8s.io/apimachinery/pkg/util/intstr"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *ControllerRevision) Reset()                    { *m = ControllerRevision{} }
+func (*ControllerRevision) ProtoMessage()               {}
+func (*ControllerRevision) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *ControllerRevisionList) Reset()                    { *m = ControllerRevisionList{} }
+func (*ControllerRevisionList) ProtoMessage()               {}
+func (*ControllerRevisionList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *DaemonSet) Reset()                    { *m = DaemonSet{} }
+func (*DaemonSet) ProtoMessage()               {}
+func (*DaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *DaemonSetList) Reset()                    { *m = DaemonSetList{} }
+func (*DaemonSetList) ProtoMessage()               {}
+func (*DaemonSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *DaemonSetSpec) Reset()                    { *m = DaemonSetSpec{} }
+func (*DaemonSetSpec) ProtoMessage()               {}
+func (*DaemonSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *DaemonSetStatus) Reset()                    { *m = DaemonSetStatus{} }
+func (*DaemonSetStatus) ProtoMessage()               {}
+func (*DaemonSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func (m *DaemonSetUpdateStrategy) Reset()                    { *m = DaemonSetUpdateStrategy{} }
+func (*DaemonSetUpdateStrategy) ProtoMessage()               {}
+func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *Deployment) Reset()                    { *m = Deployment{} }
+func (*Deployment) ProtoMessage()               {}
+func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *DeploymentCondition) Reset()                    { *m = DeploymentCondition{} }
+func (*DeploymentCondition) ProtoMessage()               {}
+func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *DeploymentList) Reset()                    { *m = DeploymentList{} }
+func (*DeploymentList) ProtoMessage()               {}
+func (*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+
+func (m *DeploymentSpec) Reset()                    { *m = DeploymentSpec{} }
+func (*DeploymentSpec) ProtoMessage()               {}
+func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+
+func (m *DeploymentStatus) Reset()                    { *m = DeploymentStatus{} }
+func (*DeploymentStatus) ProtoMessage()               {}
+func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
+
+func (m *DeploymentStrategy) Reset()                    { *m = DeploymentStrategy{} }
+func (*DeploymentStrategy) ProtoMessage()               {}
+func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
+
+func (m *ReplicaSet) Reset()                    { *m = ReplicaSet{} }
+func (*ReplicaSet) ProtoMessage()               {}
+func (*ReplicaSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
+
+func (m *ReplicaSetCondition) Reset()                    { *m = ReplicaSetCondition{} }
+func (*ReplicaSetCondition) ProtoMessage()               {}
+func (*ReplicaSetCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
+
+func (m *ReplicaSetList) Reset()                    { *m = ReplicaSetList{} }
+func (*ReplicaSetList) ProtoMessage()               {}
+func (*ReplicaSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
+
+func (m *ReplicaSetSpec) Reset()                    { *m = ReplicaSetSpec{} }
+func (*ReplicaSetSpec) ProtoMessage()               {}
+func (*ReplicaSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
+
+func (m *ReplicaSetStatus) Reset()                    { *m = ReplicaSetStatus{} }
+func (*ReplicaSetStatus) ProtoMessage()               {}
+func (*ReplicaSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
+
+func (m *RollingUpdateDaemonSet) Reset()                    { *m = RollingUpdateDaemonSet{} }
+func (*RollingUpdateDaemonSet) ProtoMessage()               {}
+func (*RollingUpdateDaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} }
+
+func (m *RollingUpdateDeployment) Reset()      { *m = RollingUpdateDeployment{} }
+func (*RollingUpdateDeployment) ProtoMessage() {}
+func (*RollingUpdateDeployment) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{19}
+}
+
+func (m *RollingUpdateStatefulSetStrategy) Reset()      { *m = RollingUpdateStatefulSetStrategy{} }
+func (*RollingUpdateStatefulSetStrategy) ProtoMessage() {}
+func (*RollingUpdateStatefulSetStrategy) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{20}
+}
+
+func (m *Scale) Reset()                    { *m = Scale{} }
+func (*Scale) ProtoMessage()               {}
+func (*Scale) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} }
+
+func (m *ScaleSpec) Reset()                    { *m = ScaleSpec{} }
+func (*ScaleSpec) ProtoMessage()               {}
+func (*ScaleSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{22} }
+
+func (m *ScaleStatus) Reset()                    { *m = ScaleStatus{} }
+func (*ScaleStatus) ProtoMessage()               {}
+func (*ScaleStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{23} }
+
+func (m *StatefulSet) Reset()                    { *m = StatefulSet{} }
+func (*StatefulSet) ProtoMessage()               {}
+func (*StatefulSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{24} }
+
+func (m *StatefulSetList) Reset()                    { *m = StatefulSetList{} }
+func (*StatefulSetList) ProtoMessage()               {}
+func (*StatefulSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{25} }
+
+func (m *StatefulSetSpec) Reset()                    { *m = StatefulSetSpec{} }
+func (*StatefulSetSpec) ProtoMessage()               {}
+func (*StatefulSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{26} }
+
+func (m *StatefulSetStatus) Reset()                    { *m = StatefulSetStatus{} }
+func (*StatefulSetStatus) ProtoMessage()               {}
+func (*StatefulSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{27} }
+
+func (m *StatefulSetUpdateStrategy) Reset()      { *m = StatefulSetUpdateStrategy{} }
+func (*StatefulSetUpdateStrategy) ProtoMessage() {}
+func (*StatefulSetUpdateStrategy) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{28}
+}
+
+func init() {
+	proto.RegisterType((*ControllerRevision)(nil), "k8s.io.api.apps.v1beta2.ControllerRevision")
+	proto.RegisterType((*ControllerRevisionList)(nil), "k8s.io.api.apps.v1beta2.ControllerRevisionList")
+	proto.RegisterType((*DaemonSet)(nil), "k8s.io.api.apps.v1beta2.DaemonSet")
+	proto.RegisterType((*DaemonSetList)(nil), "k8s.io.api.apps.v1beta2.DaemonSetList")
+	proto.RegisterType((*DaemonSetSpec)(nil), "k8s.io.api.apps.v1beta2.DaemonSetSpec")
+	proto.RegisterType((*DaemonSetStatus)(nil), "k8s.io.api.apps.v1beta2.DaemonSetStatus")
+	proto.RegisterType((*DaemonSetUpdateStrategy)(nil), "k8s.io.api.apps.v1beta2.DaemonSetUpdateStrategy")
+	proto.RegisterType((*Deployment)(nil), "k8s.io.api.apps.v1beta2.Deployment")
+	proto.RegisterType((*DeploymentCondition)(nil), "k8s.io.api.apps.v1beta2.DeploymentCondition")
+	proto.RegisterType((*DeploymentList)(nil), "k8s.io.api.apps.v1beta2.DeploymentList")
+	proto.RegisterType((*DeploymentSpec)(nil), "k8s.io.api.apps.v1beta2.DeploymentSpec")
+	proto.RegisterType((*DeploymentStatus)(nil), "k8s.io.api.apps.v1beta2.DeploymentStatus")
+	proto.RegisterType((*DeploymentStrategy)(nil), "k8s.io.api.apps.v1beta2.DeploymentStrategy")
+	proto.RegisterType((*ReplicaSet)(nil), "k8s.io.api.apps.v1beta2.ReplicaSet")
+	proto.RegisterType((*ReplicaSetCondition)(nil), "k8s.io.api.apps.v1beta2.ReplicaSetCondition")
+	proto.RegisterType((*ReplicaSetList)(nil), "k8s.io.api.apps.v1beta2.ReplicaSetList")
+	proto.RegisterType((*ReplicaSetSpec)(nil), "k8s.io.api.apps.v1beta2.ReplicaSetSpec")
+	proto.RegisterType((*ReplicaSetStatus)(nil), "k8s.io.api.apps.v1beta2.ReplicaSetStatus")
+	proto.RegisterType((*RollingUpdateDaemonSet)(nil), "k8s.io.api.apps.v1beta2.RollingUpdateDaemonSet")
+	proto.RegisterType((*RollingUpdateDeployment)(nil), "k8s.io.api.apps.v1beta2.RollingUpdateDeployment")
+	proto.RegisterType((*RollingUpdateStatefulSetStrategy)(nil), "k8s.io.api.apps.v1beta2.RollingUpdateStatefulSetStrategy")
+	proto.RegisterType((*Scale)(nil), "k8s.io.api.apps.v1beta2.Scale")
+	proto.RegisterType((*ScaleSpec)(nil), "k8s.io.api.apps.v1beta2.ScaleSpec")
+	proto.RegisterType((*ScaleStatus)(nil), "k8s.io.api.apps.v1beta2.ScaleStatus")
+	proto.RegisterType((*StatefulSet)(nil), "k8s.io.api.apps.v1beta2.StatefulSet")
+	proto.RegisterType((*StatefulSetList)(nil), "k8s.io.api.apps.v1beta2.StatefulSetList")
+	proto.RegisterType((*StatefulSetSpec)(nil), "k8s.io.api.apps.v1beta2.StatefulSetSpec")
+	proto.RegisterType((*StatefulSetStatus)(nil), "k8s.io.api.apps.v1beta2.StatefulSetStatus")
+	proto.RegisterType((*StatefulSetUpdateStrategy)(nil), "k8s.io.api.apps.v1beta2.StatefulSetUpdateStrategy")
+}
+func (m *ControllerRevision) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ControllerRevision) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Data.Size()))
+	n2, err := m.Data.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Revision))
+	return i, nil
+}
+
+func (m *ControllerRevisionList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ControllerRevisionList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n3, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *DaemonSet) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonSet) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n4, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n5, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n6, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	return i, nil
+}
+
+func (m *DaemonSetList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonSetList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n7, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n7
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *DaemonSetSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonSetSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Selector != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n8, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n9, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdateStrategy.Size()))
+	n10, err := m.UpdateStrategy.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MinReadySeconds))
+	if m.RevisionHistoryLimit != nil {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.RevisionHistoryLimit))
+	}
+	return i, nil
+}
+
+func (m *DaemonSetStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonSetStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentNumberScheduled))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.NumberMisscheduled))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.DesiredNumberScheduled))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.NumberReady))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	dAtA[i] = 0x30
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdatedNumberScheduled))
+	dAtA[i] = 0x38
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.NumberAvailable))
+	dAtA[i] = 0x40
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.NumberUnavailable))
+	if m.CollisionCount != nil {
+		dAtA[i] = 0x48
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.CollisionCount))
+	}
+	return i, nil
+}
+
+func (m *DaemonSetUpdateStrategy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonSetUpdateStrategy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.RollingUpdate != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RollingUpdate.Size()))
+		n11, err := m.RollingUpdate.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n11
+	}
+	return i, nil
+}
+
+func (m *Deployment) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Deployment) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n12, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n12
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n13, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n13
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n14, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n14
+	return i, nil
+}
+
+func (m *DeploymentCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastUpdateTime.Size()))
+	n15, err := m.LastUpdateTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n15
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n16, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n16
+	return i, nil
+}
+
+func (m *DeploymentList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n17, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n17
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *DeploymentSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n18, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n18
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n19, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n19
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Strategy.Size()))
+	n20, err := m.Strategy.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n20
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MinReadySeconds))
+	if m.RevisionHistoryLimit != nil {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.RevisionHistoryLimit))
+	}
+	dAtA[i] = 0x38
+	i++
+	if m.Paused {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.ProgressDeadlineSeconds != nil {
+		dAtA[i] = 0x48
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.ProgressDeadlineSeconds))
+	}
+	return i, nil
+}
+
+func (m *DeploymentStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdatedReplicas))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.AvailableReplicas))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UnavailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x32
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x38
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ReadyReplicas))
+	if m.CollisionCount != nil {
+		dAtA[i] = 0x40
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.CollisionCount))
+	}
+	return i, nil
+}
+
+func (m *DeploymentStrategy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentStrategy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.RollingUpdate != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RollingUpdate.Size()))
+		n21, err := m.RollingUpdate.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n21
+	}
+	return i, nil
+}
+
+func (m *ReplicaSet) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicaSet) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n22, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n22
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n23, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n23
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n24, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n24
+	return i, nil
+}
+
+func (m *ReplicaSetCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicaSetCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n25, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n25
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *ReplicaSetList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicaSetList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n26, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n26
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ReplicaSetSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicaSetSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n27, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n27
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n28, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n28
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MinReadySeconds))
+	return i, nil
+}
+
+func (m *ReplicaSetStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicaSetStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.FullyLabeledReplicas))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ReadyReplicas))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.AvailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x32
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *RollingUpdateDaemonSet) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RollingUpdateDaemonSet) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.MaxUnavailable != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.MaxUnavailable.Size()))
+		n29, err := m.MaxUnavailable.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n29
+	}
+	return i, nil
+}
+
+func (m *RollingUpdateDeployment) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RollingUpdateDeployment) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.MaxUnavailable != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.MaxUnavailable.Size()))
+		n30, err := m.MaxUnavailable.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n30
+	}
+	if m.MaxSurge != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.MaxSurge.Size()))
+		n31, err := m.MaxSurge.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n31
+	}
+	return i, nil
+}
+
+func (m *RollingUpdateStatefulSetStrategy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RollingUpdateStatefulSetStrategy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Partition != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Partition))
+	}
+	return i, nil
+}
+
+func (m *Scale) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Scale) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n32, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n32
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n33, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n33
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n34, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n34
+	return i, nil
+}
+
+func (m *ScaleSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ScaleSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	return i, nil
+}
+
+func (m *ScaleStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ScaleStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	if len(m.Selector) > 0 {
+		keysForSelector := make([]string, 0, len(m.Selector))
+		for k := range m.Selector {
+			keysForSelector = append(keysForSelector, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		for _, k := range keysForSelector {
+			dAtA[i] = 0x12
+			i++
+			v := m.Selector[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.TargetSelector)))
+	i += copy(dAtA[i:], m.TargetSelector)
+	return i, nil
+}
+
+func (m *StatefulSet) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatefulSet) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n35, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n35
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n36, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n36
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n37, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n37
+	return i, nil
+}
+
+func (m *StatefulSetList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatefulSetList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n38, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n38
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *StatefulSetSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatefulSetSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n39, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n39
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n40, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n40
+	if len(m.VolumeClaimTemplates) > 0 {
+		for _, msg := range m.VolumeClaimTemplates {
+			dAtA[i] = 0x22
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ServiceName)))
+	i += copy(dAtA[i:], m.ServiceName)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PodManagementPolicy)))
+	i += copy(dAtA[i:], m.PodManagementPolicy)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdateStrategy.Size()))
+	n41, err := m.UpdateStrategy.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n41
+	if m.RevisionHistoryLimit != nil {
+		dAtA[i] = 0x40
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.RevisionHistoryLimit))
+	}
+	return i, nil
+}
+
+func (m *StatefulSetStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatefulSetStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ReadyReplicas))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentReplicas))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdatedReplicas))
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.CurrentRevision)))
+	i += copy(dAtA[i:], m.CurrentRevision)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UpdateRevision)))
+	i += copy(dAtA[i:], m.UpdateRevision)
+	if m.CollisionCount != nil {
+		dAtA[i] = 0x48
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.CollisionCount))
+	}
+	return i, nil
+}
+
+func (m *StatefulSetUpdateStrategy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatefulSetUpdateStrategy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.RollingUpdate != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RollingUpdate.Size()))
+		n42, err := m.RollingUpdate.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n42
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *ControllerRevision) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Data.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Revision))
+	return n
+}
+
+func (m *ControllerRevisionList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DaemonSet) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DaemonSetList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DaemonSetSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.UpdateStrategy.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.MinReadySeconds))
+	if m.RevisionHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.RevisionHistoryLimit))
+	}
+	return n
+}
+
+func (m *DaemonSetStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.CurrentNumberScheduled))
+	n += 1 + sovGenerated(uint64(m.NumberMisscheduled))
+	n += 1 + sovGenerated(uint64(m.DesiredNumberScheduled))
+	n += 1 + sovGenerated(uint64(m.NumberReady))
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
+	n += 1 + sovGenerated(uint64(m.UpdatedNumberScheduled))
+	n += 1 + sovGenerated(uint64(m.NumberAvailable))
+	n += 1 + sovGenerated(uint64(m.NumberUnavailable))
+	if m.CollisionCount != nil {
+		n += 1 + sovGenerated(uint64(*m.CollisionCount))
+	}
+	return n
+}
+
+func (m *DaemonSetUpdateStrategy) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.RollingUpdate != nil {
+		l = m.RollingUpdate.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *Deployment) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DeploymentCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastUpdateTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DeploymentList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DeploymentSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		n += 1 + sovGenerated(uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Strategy.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.MinReadySeconds))
+	if m.RevisionHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.RevisionHistoryLimit))
+	}
+	n += 2
+	if m.ProgressDeadlineSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.ProgressDeadlineSeconds))
+	}
+	return n
+}
+
+func (m *DeploymentStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	n += 1 + sovGenerated(uint64(m.UpdatedReplicas))
+	n += 1 + sovGenerated(uint64(m.AvailableReplicas))
+	n += 1 + sovGenerated(uint64(m.UnavailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	n += 1 + sovGenerated(uint64(m.ReadyReplicas))
+	if m.CollisionCount != nil {
+		n += 1 + sovGenerated(uint64(*m.CollisionCount))
+	}
+	return n
+}
+
+func (m *DeploymentStrategy) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.RollingUpdate != nil {
+		l = m.RollingUpdate.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ReplicaSet) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ReplicaSetCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ReplicaSetList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ReplicaSetSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		n += 1 + sovGenerated(uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.MinReadySeconds))
+	return n
+}
+
+func (m *ReplicaSetStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	n += 1 + sovGenerated(uint64(m.FullyLabeledReplicas))
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
+	n += 1 + sovGenerated(uint64(m.ReadyReplicas))
+	n += 1 + sovGenerated(uint64(m.AvailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RollingUpdateDaemonSet) Size() (n int) {
+	var l int
+	_ = l
+	if m.MaxUnavailable != nil {
+		l = m.MaxUnavailable.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *RollingUpdateDeployment) Size() (n int) {
+	var l int
+	_ = l
+	if m.MaxUnavailable != nil {
+		l = m.MaxUnavailable.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.MaxSurge != nil {
+		l = m.MaxSurge.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *RollingUpdateStatefulSetStrategy) Size() (n int) {
+	var l int
+	_ = l
+	if m.Partition != nil {
+		n += 1 + sovGenerated(uint64(*m.Partition))
+	}
+	return n
+}
+
+func (m *Scale) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ScaleSpec) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	return n
+}
+
+func (m *ScaleStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	if len(m.Selector) > 0 {
+		for k, v := range m.Selector {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.TargetSelector)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *StatefulSet) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *StatefulSetList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *StatefulSetSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		n += 1 + sovGenerated(uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.VolumeClaimTemplates) > 0 {
+		for _, e := range m.VolumeClaimTemplates {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.ServiceName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.PodManagementPolicy)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.UpdateStrategy.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.RevisionHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.RevisionHistoryLimit))
+	}
+	return n
+}
+
+func (m *StatefulSetStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	n += 1 + sovGenerated(uint64(m.ReadyReplicas))
+	n += 1 + sovGenerated(uint64(m.CurrentReplicas))
+	n += 1 + sovGenerated(uint64(m.UpdatedReplicas))
+	l = len(m.CurrentRevision)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.UpdateRevision)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.CollisionCount != nil {
+		n += 1 + sovGenerated(uint64(*m.CollisionCount))
+	}
+	return n
+}
+
+func (m *StatefulSetUpdateStrategy) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.RollingUpdate != nil {
+		l = m.RollingUpdate.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *ControllerRevision) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ControllerRevision{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Data:` + strings.Replace(strings.Replace(this.Data.String(), "RawExtension", "k8s_io_apimachinery_pkg_runtime.RawExtension", 1), `&`, ``, 1) + `,`,
+		`Revision:` + fmt.Sprintf("%v", this.Revision) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ControllerRevisionList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ControllerRevisionList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ControllerRevision", "ControllerRevision", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonSet) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonSet{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "DaemonSetSpec", "DaemonSetSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "DaemonSetStatus", "DaemonSetStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonSetList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonSetList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "DaemonSet", "DaemonSet", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonSetSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonSetSpec{`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "k8s_io_api_core_v1.PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`UpdateStrategy:` + strings.Replace(strings.Replace(this.UpdateStrategy.String(), "DaemonSetUpdateStrategy", "DaemonSetUpdateStrategy", 1), `&`, ``, 1) + `,`,
+		`MinReadySeconds:` + fmt.Sprintf("%v", this.MinReadySeconds) + `,`,
+		`RevisionHistoryLimit:` + valueToStringGenerated(this.RevisionHistoryLimit) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonSetStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonSetStatus{`,
+		`CurrentNumberScheduled:` + fmt.Sprintf("%v", this.CurrentNumberScheduled) + `,`,
+		`NumberMisscheduled:` + fmt.Sprintf("%v", this.NumberMisscheduled) + `,`,
+		`DesiredNumberScheduled:` + fmt.Sprintf("%v", this.DesiredNumberScheduled) + `,`,
+		`NumberReady:` + fmt.Sprintf("%v", this.NumberReady) + `,`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
+		`UpdatedNumberScheduled:` + fmt.Sprintf("%v", this.UpdatedNumberScheduled) + `,`,
+		`NumberAvailable:` + fmt.Sprintf("%v", this.NumberAvailable) + `,`,
+		`NumberUnavailable:` + fmt.Sprintf("%v", this.NumberUnavailable) + `,`,
+		`CollisionCount:` + valueToStringGenerated(this.CollisionCount) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonSetUpdateStrategy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonSetUpdateStrategy{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`RollingUpdate:` + strings.Replace(fmt.Sprintf("%v", this.RollingUpdate), "RollingUpdateDaemonSet", "RollingUpdateDaemonSet", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Deployment) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Deployment{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "DeploymentSpec", "DeploymentSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "DeploymentStatus", "DeploymentStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`LastUpdateTime:` + strings.Replace(strings.Replace(this.LastUpdateTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Deployment", "Deployment", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentSpec{`,
+		`Replicas:` + valueToStringGenerated(this.Replicas) + `,`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "k8s_io_api_core_v1.PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`Strategy:` + strings.Replace(strings.Replace(this.Strategy.String(), "DeploymentStrategy", "DeploymentStrategy", 1), `&`, ``, 1) + `,`,
+		`MinReadySeconds:` + fmt.Sprintf("%v", this.MinReadySeconds) + `,`,
+		`RevisionHistoryLimit:` + valueToStringGenerated(this.RevisionHistoryLimit) + `,`,
+		`Paused:` + fmt.Sprintf("%v", this.Paused) + `,`,
+		`ProgressDeadlineSeconds:` + valueToStringGenerated(this.ProgressDeadlineSeconds) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentStatus{`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`UpdatedReplicas:` + fmt.Sprintf("%v", this.UpdatedReplicas) + `,`,
+		`AvailableReplicas:` + fmt.Sprintf("%v", this.AvailableReplicas) + `,`,
+		`UnavailableReplicas:` + fmt.Sprintf("%v", this.UnavailableReplicas) + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "DeploymentCondition", "DeploymentCondition", 1), `&`, ``, 1) + `,`,
+		`ReadyReplicas:` + fmt.Sprintf("%v", this.ReadyReplicas) + `,`,
+		`CollisionCount:` + valueToStringGenerated(this.CollisionCount) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentStrategy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentStrategy{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`RollingUpdate:` + strings.Replace(fmt.Sprintf("%v", this.RollingUpdate), "RollingUpdateDeployment", "RollingUpdateDeployment", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicaSet) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicaSet{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ReplicaSetSpec", "ReplicaSetSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "ReplicaSetStatus", "ReplicaSetStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicaSetCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicaSetCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicaSetList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicaSetList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ReplicaSet", "ReplicaSet", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicaSetSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicaSetSpec{`,
+		`Replicas:` + valueToStringGenerated(this.Replicas) + `,`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "k8s_io_api_core_v1.PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`MinReadySeconds:` + fmt.Sprintf("%v", this.MinReadySeconds) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicaSetStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicaSetStatus{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`FullyLabeledReplicas:` + fmt.Sprintf("%v", this.FullyLabeledReplicas) + `,`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
+		`ReadyReplicas:` + fmt.Sprintf("%v", this.ReadyReplicas) + `,`,
+		`AvailableReplicas:` + fmt.Sprintf("%v", this.AvailableReplicas) + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "ReplicaSetCondition", "ReplicaSetCondition", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RollingUpdateDaemonSet) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RollingUpdateDaemonSet{`,
+		`MaxUnavailable:` + strings.Replace(fmt.Sprintf("%v", this.MaxUnavailable), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RollingUpdateDeployment) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RollingUpdateDeployment{`,
+		`MaxUnavailable:` + strings.Replace(fmt.Sprintf("%v", this.MaxUnavailable), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`MaxSurge:` + strings.Replace(fmt.Sprintf("%v", this.MaxSurge), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RollingUpdateStatefulSetStrategy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RollingUpdateStatefulSetStrategy{`,
+		`Partition:` + valueToStringGenerated(this.Partition) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Scale) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Scale{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ScaleSpec", "ScaleSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "ScaleStatus", "ScaleStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ScaleSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ScaleSpec{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ScaleStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForSelector := make([]string, 0, len(this.Selector))
+	for k := range this.Selector {
+		keysForSelector = append(keysForSelector, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	mapStringForSelector := "map[string]string{"
+	for _, k := range keysForSelector {
+		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
+	}
+	mapStringForSelector += "}"
+	s := strings.Join([]string{`&ScaleStatus{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`Selector:` + mapStringForSelector + `,`,
+		`TargetSelector:` + fmt.Sprintf("%v", this.TargetSelector) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatefulSet) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatefulSet{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "StatefulSetSpec", "StatefulSetSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "StatefulSetStatus", "StatefulSetStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatefulSetList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatefulSetList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "StatefulSet", "StatefulSet", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatefulSetSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatefulSetSpec{`,
+		`Replicas:` + valueToStringGenerated(this.Replicas) + `,`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "k8s_io_api_core_v1.PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`VolumeClaimTemplates:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.VolumeClaimTemplates), "PersistentVolumeClaim", "k8s_io_api_core_v1.PersistentVolumeClaim", 1), `&`, ``, 1) + `,`,
+		`ServiceName:` + fmt.Sprintf("%v", this.ServiceName) + `,`,
+		`PodManagementPolicy:` + fmt.Sprintf("%v", this.PodManagementPolicy) + `,`,
+		`UpdateStrategy:` + strings.Replace(strings.Replace(this.UpdateStrategy.String(), "StatefulSetUpdateStrategy", "StatefulSetUpdateStrategy", 1), `&`, ``, 1) + `,`,
+		`RevisionHistoryLimit:` + valueToStringGenerated(this.RevisionHistoryLimit) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatefulSetStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatefulSetStatus{`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`ReadyReplicas:` + fmt.Sprintf("%v", this.ReadyReplicas) + `,`,
+		`CurrentReplicas:` + fmt.Sprintf("%v", this.CurrentReplicas) + `,`,
+		`UpdatedReplicas:` + fmt.Sprintf("%v", this.UpdatedReplicas) + `,`,
+		`CurrentRevision:` + fmt.Sprintf("%v", this.CurrentRevision) + `,`,
+		`UpdateRevision:` + fmt.Sprintf("%v", this.UpdateRevision) + `,`,
+		`CollisionCount:` + valueToStringGenerated(this.CollisionCount) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatefulSetUpdateStrategy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatefulSetUpdateStrategy{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`RollingUpdate:` + strings.Replace(fmt.Sprintf("%v", this.RollingUpdate), "RollingUpdateStatefulSetStrategy", "RollingUpdateStatefulSetStrategy", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *ControllerRevision) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ControllerRevision: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ControllerRevision: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Data.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Revision", wireType)
+			}
+			m.Revision = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Revision |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ControllerRevisionList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ControllerRevisionList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ControllerRevisionList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ControllerRevision{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonSet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonSet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonSet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonSetList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonSetList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonSetList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, DaemonSet{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonSetSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonSetSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonSetSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdateStrategy", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.UpdateStrategy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinReadySeconds", wireType)
+			}
+			m.MinReadySeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MinReadySeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RevisionHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.RevisionHistoryLimit = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonSetStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonSetStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonSetStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentNumberScheduled", wireType)
+			}
+			m.CurrentNumberScheduled = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.CurrentNumberScheduled |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NumberMisscheduled", wireType)
+			}
+			m.NumberMisscheduled = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.NumberMisscheduled |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DesiredNumberScheduled", wireType)
+			}
+			m.DesiredNumberScheduled = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.DesiredNumberScheduled |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NumberReady", wireType)
+			}
+			m.NumberReady = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.NumberReady |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdatedNumberScheduled", wireType)
+			}
+			m.UpdatedNumberScheduled = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UpdatedNumberScheduled |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NumberAvailable", wireType)
+			}
+			m.NumberAvailable = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.NumberAvailable |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NumberUnavailable", wireType)
+			}
+			m.NumberUnavailable = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.NumberUnavailable |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CollisionCount", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.CollisionCount = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonSetUpdateStrategy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonSetUpdateStrategy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonSetUpdateStrategy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = DaemonSetUpdateStrategyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollingUpdate", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RollingUpdate == nil {
+				m.RollingUpdate = &RollingUpdateDaemonSet{}
+			}
+			if err := m.RollingUpdate.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Deployment) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Deployment: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Deployment: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = DeploymentConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastUpdateTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastUpdateTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Deployment{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Replicas = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Strategy", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Strategy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinReadySeconds", wireType)
+			}
+			m.MinReadySeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MinReadySeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RevisionHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.RevisionHistoryLimit = &v
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Paused", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Paused = bool(v != 0)
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ProgressDeadlineSeconds", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ProgressDeadlineSeconds = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdatedReplicas", wireType)
+			}
+			m.UpdatedReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UpdatedReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AvailableReplicas", wireType)
+			}
+			m.AvailableReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.AvailableReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UnavailableReplicas", wireType)
+			}
+			m.UnavailableReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UnavailableReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, DeploymentCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadyReplicas", wireType)
+			}
+			m.ReadyReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ReadyReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CollisionCount", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.CollisionCount = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentStrategy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentStrategy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentStrategy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = DeploymentStrategyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollingUpdate", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RollingUpdate == nil {
+				m.RollingUpdate = &RollingUpdateDeployment{}
+			}
+			if err := m.RollingUpdate.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicaSet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicaSet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicaSet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicaSetCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicaSetCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicaSetCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = ReplicaSetConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicaSetList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicaSetList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicaSetList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ReplicaSet{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicaSetSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicaSetSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicaSetSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Replicas = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinReadySeconds", wireType)
+			}
+			m.MinReadySeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MinReadySeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicaSetStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicaSetStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicaSetStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FullyLabeledReplicas", wireType)
+			}
+			m.FullyLabeledReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.FullyLabeledReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadyReplicas", wireType)
+			}
+			m.ReadyReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ReadyReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AvailableReplicas", wireType)
+			}
+			m.AvailableReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.AvailableReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, ReplicaSetCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RollingUpdateDaemonSet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RollingUpdateDaemonSet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RollingUpdateDaemonSet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxUnavailable", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.MaxUnavailable == nil {
+				m.MaxUnavailable = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.MaxUnavailable.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RollingUpdateDeployment) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RollingUpdateDeployment: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RollingUpdateDeployment: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxUnavailable", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.MaxUnavailable == nil {
+				m.MaxUnavailable = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.MaxUnavailable.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxSurge", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.MaxSurge == nil {
+				m.MaxSurge = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.MaxSurge.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RollingUpdateStatefulSetStrategy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RollingUpdateStatefulSetStrategy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RollingUpdateStatefulSetStrategy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Partition", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Partition = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Scale) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Scale: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Scale: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ScaleSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ScaleSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ScaleSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ScaleStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ScaleStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ScaleStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Selector == nil {
+				m.Selector = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Selector[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Selector[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetSelector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TargetSelector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatefulSet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatefulSet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatefulSet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatefulSetList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatefulSetList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatefulSetList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, StatefulSet{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatefulSetSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatefulSetSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatefulSetSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Replicas = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeClaimTemplates", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeClaimTemplates = append(m.VolumeClaimTemplates, k8s_io_api_core_v1.PersistentVolumeClaim{})
+			if err := m.VolumeClaimTemplates[len(m.VolumeClaimTemplates)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServiceName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ServiceName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodManagementPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PodManagementPolicy = PodManagementPolicyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdateStrategy", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.UpdateStrategy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RevisionHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.RevisionHistoryLimit = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatefulSetStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatefulSetStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatefulSetStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadyReplicas", wireType)
+			}
+			m.ReadyReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ReadyReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentReplicas", wireType)
+			}
+			m.CurrentReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.CurrentReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdatedReplicas", wireType)
+			}
+			m.UpdatedReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UpdatedReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentRevision", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.CurrentRevision = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdateRevision", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UpdateRevision = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CollisionCount", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.CollisionCount = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatefulSetUpdateStrategy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatefulSetUpdateStrategy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatefulSetUpdateStrategy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = StatefulSetUpdateStrategyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollingUpdate", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RollingUpdate == nil {
+				m.RollingUpdate = &RollingUpdateStatefulSetStrategy{}
+			}
+			if err := m.RollingUpdate.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/apps/v1beta2/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 2119 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5a, 0xcb, 0x6f, 0x1c, 0xb7,
+	0x19, 0xd7, 0xec, 0x43, 0xda, 0xa5, 0x2c, 0xc9, 0xa6, 0x54, 0x49, 0x91, 0xdb, 0x95, 0xb0, 0x09,
+	0x1c, 0x39, 0xb6, 0x67, 0x6d, 0xe5, 0x81, 0xc4, 0x06, 0xda, 0x6a, 0xa5, 0xd4, 0x76, 0xa0, 0x57,
+	0x28, 0xc9, 0x40, 0x83, 0x16, 0x30, 0xb5, 0x4b, 0xaf, 0x26, 0x9a, 0x17, 0x66, 0x38, 0x5b, 0x2f,
+	0x7a, 0xe9, 0xa9, 0x40, 0x81, 0x02, 0xe9, 0xb9, 0xff, 0x44, 0x7b, 0x2a, 0x8a, 0xf6, 0x56, 0x04,
+	0x85, 0x2f, 0x05, 0x82, 0x5e, 0x92, 0x93, 0x50, 0x6f, 0x8e, 0x3d, 0xf7, 0x12, 0xa0, 0x40, 0x41,
+	0x0e, 0xe7, 0xc1, 0x79, 0x58, 0x23, 0x25, 0xde, 0x14, 0xb9, 0x69, 0xf9, 0xfd, 0xbe, 0x1f, 0x3f,
+	0x0e, 0x3f, 0x7e, 0xdf, 0x6f, 0x38, 0x02, 0x3f, 0x3e, 0x79, 0xd7, 0x55, 0x35, 0xab, 0x75, 0xe2,
+	0x1d, 0x11, 0xc7, 0x24, 0x94, 0xb8, 0xad, 0x3e, 0x31, 0xbb, 0x96, 0xd3, 0x12, 0x06, 0x6c, 0x6b,
+	0x2d, 0x6c, 0xdb, 0x6e, 0xab, 0x7f, 0xe7, 0x88, 0x50, 0xbc, 0xd6, 0xea, 0x11, 0x93, 0x38, 0x98,
+	0x92, 0xae, 0x6a, 0x3b, 0x16, 0xb5, 0xe0, 0x82, 0x0f, 0x54, 0xb1, 0xad, 0xa9, 0x0c, 0xa8, 0x0a,
+	0xe0, 0xd2, 0xad, 0x9e, 0x46, 0x8f, 0xbd, 0x23, 0xb5, 0x63, 0x19, 0xad, 0x9e, 0xd5, 0xb3, 0x5a,
+	0x1c, 0x7f, 0xe4, 0x3d, 0xe1, 0xbf, 0xf8, 0x0f, 0xfe, 0x97, 0xcf, 0xb3, 0xd4, 0x8c, 0x4d, 0xd8,
+	0xb1, 0x1c, 0xd2, 0xea, 0xdf, 0x49, 0xce, 0xb5, 0x74, 0x3d, 0x86, 0xb1, 0x2d, 0x5d, 0xeb, 0x0c,
+	0x44, 0x58, 0x69, 0xe8, 0x5b, 0x11, 0xd4, 0xc0, 0x9d, 0x63, 0xcd, 0x24, 0xce, 0xa0, 0x65, 0x9f,
+	0xf4, 0xd8, 0x80, 0xdb, 0x32, 0x08, 0xc5, 0x59, 0x13, 0xb4, 0xf2, 0xbc, 0x1c, 0xcf, 0xa4, 0x9a,
+	0x41, 0x52, 0x0e, 0xef, 0x9c, 0xe5, 0xe0, 0x76, 0x8e, 0x89, 0x81, 0x53, 0x7e, 0x6f, 0xe6, 0xf9,
+	0x79, 0x54, 0xd3, 0x5b, 0x9a, 0x49, 0x5d, 0xea, 0x24, 0x9d, 0x9a, 0xff, 0x51, 0x00, 0xdc, 0xb0,
+	0x4c, 0xea, 0x58, 0xba, 0x4e, 0x1c, 0x44, 0xfa, 0x9a, 0xab, 0x59, 0x26, 0x7c, 0x0c, 0x6a, 0x6c,
+	0x3d, 0x5d, 0x4c, 0xf1, 0xa2, 0xb2, 0xa2, 0xac, 0x4e, 0xae, 0xdd, 0x56, 0xa3, 0x4d, 0x09, 0xe9,
+	0x55, 0xfb, 0xa4, 0xc7, 0x06, 0x5c, 0x95, 0xa1, 0xd5, 0xfe, 0x1d, 0x75, 0xf7, 0xe8, 0x63, 0xd2,
+	0xa1, 0xdb, 0x84, 0xe2, 0x36, 0x7c, 0x76, 0xba, 0x3c, 0x36, 0x3c, 0x5d, 0x06, 0xd1, 0x18, 0x0a,
+	0x59, 0xe1, 0x2e, 0xa8, 0x70, 0xf6, 0x12, 0x67, 0xbf, 0x95, 0xcb, 0x2e, 0x16, 0xad, 0x22, 0xfc,
+	0x8b, 0xf7, 0x9f, 0x52, 0x62, 0xb2, 0xf0, 0xda, 0x97, 0x04, 0x75, 0x65, 0x13, 0x53, 0x8c, 0x38,
+	0x11, 0xbc, 0x09, 0x6a, 0x8e, 0x08, 0x7f, 0xb1, 0xbc, 0xa2, 0xac, 0x96, 0xdb, 0x97, 0x05, 0xaa,
+	0x16, 0x2c, 0x0b, 0x85, 0x88, 0xe6, 0x33, 0x05, 0xcc, 0xa7, 0xd7, 0xbd, 0xa5, 0xb9, 0x14, 0xfe,
+	0x2c, 0xb5, 0x76, 0xb5, 0xd8, 0xda, 0x99, 0x37, 0x5f, 0x79, 0x38, 0x71, 0x30, 0x12, 0x5b, 0xf7,
+	0x1e, 0xa8, 0x6a, 0x94, 0x18, 0xee, 0x62, 0x69, 0xa5, 0xbc, 0x3a, 0xb9, 0x76, 0x43, 0xcd, 0xc9,
+	0x75, 0x35, 0x1d, 0x5d, 0x7b, 0x4a, 0xf0, 0x56, 0x1f, 0x32, 0x06, 0xe4, 0x13, 0x35, 0x7f, 0x53,
+	0x02, 0xf5, 0x4d, 0x4c, 0x0c, 0xcb, 0xdc, 0x27, 0x74, 0x04, 0x3b, 0xf7, 0x00, 0x54, 0x5c, 0x9b,
+	0x74, 0xc4, 0xce, 0x5d, 0xcb, 0x5d, 0x40, 0x18, 0xd3, 0xbe, 0x4d, 0x3a, 0xd1, 0x96, 0xb1, 0x5f,
+	0x88, 0x33, 0xc0, 0x3d, 0x30, 0xee, 0x52, 0x4c, 0x3d, 0x97, 0x6f, 0xd8, 0xe4, 0xda, 0x6a, 0x01,
+	0x2e, 0x8e, 0x6f, 0x4f, 0x0b, 0xb6, 0x71, 0xff, 0x37, 0x12, 0x3c, 0xcd, 0x3f, 0x29, 0x60, 0x2a,
+	0xc4, 0x8e, 0x60, 0x37, 0xef, 0xcb, 0xbb, 0xd9, 0x3c, 0x7b, 0x01, 0x39, 0x9b, 0xf8, 0x69, 0x39,
+	0x16, 0x38, 0x7b, 0x44, 0xf0, 0xe7, 0xa0, 0xe6, 0x12, 0x9d, 0x74, 0xa8, 0xe5, 0x88, 0xc0, 0xdf,
+	0x2c, 0x18, 0x38, 0x3e, 0x22, 0xfa, 0xbe, 0x70, 0x6d, 0x5f, 0x62, 0x91, 0x07, 0xbf, 0x50, 0x48,
+	0x09, 0x3f, 0x04, 0x35, 0x4a, 0x0c, 0x5b, 0xc7, 0x94, 0x88, 0x9d, 0x7c, 0x35, 0x1e, 0x3c, 0x2b,
+	0x97, 0x8c, 0x6c, 0xcf, 0xea, 0x1e, 0x08, 0x18, 0xdf, 0xc6, 0xf0, 0x61, 0x04, 0xa3, 0x28, 0xa4,
+	0x81, 0x36, 0x98, 0xf6, 0xec, 0x2e, 0x43, 0x52, 0x56, 0x62, 0x7a, 0x03, 0xb1, 0xad, 0xb7, 0xcf,
+	0x7e, 0x2a, 0x87, 0x92, 0x5f, 0x7b, 0x5e, 0xcc, 0x32, 0x2d, 0x8f, 0xa3, 0x04, 0x3f, 0x5c, 0x07,
+	0x33, 0x86, 0x66, 0x22, 0x82, 0xbb, 0x83, 0x7d, 0xd2, 0xb1, 0xcc, 0xae, 0xbb, 0x58, 0x59, 0x51,
+	0x56, 0xab, 0xed, 0x05, 0x41, 0x30, 0xb3, 0x2d, 0x9b, 0x51, 0x12, 0x0f, 0xb7, 0xc0, 0x5c, 0x50,
+	0x14, 0x1e, 0x68, 0x2e, 0xb5, 0x9c, 0xc1, 0x96, 0x66, 0x68, 0x74, 0x71, 0x9c, 0xf3, 0x2c, 0x0e,
+	0x4f, 0x97, 0xe7, 0x50, 0x86, 0x1d, 0x65, 0x7a, 0x35, 0xff, 0x58, 0x05, 0x33, 0x89, 0x5c, 0x85,
+	0x8f, 0xc0, 0x7c, 0xc7, 0x73, 0x1c, 0x62, 0xd2, 0x1d, 0xcf, 0x38, 0x22, 0xce, 0x7e, 0xe7, 0x98,
+	0x74, 0x3d, 0x9d, 0x74, 0xf9, 0xb6, 0x56, 0xdb, 0x0d, 0x11, 0xeb, 0xfc, 0x46, 0x26, 0x0a, 0xe5,
+	0x78, 0xc3, 0x0f, 0x00, 0x34, 0xf9, 0xd0, 0xb6, 0xe6, 0xba, 0x21, 0x67, 0x89, 0x73, 0x2e, 0x09,
+	0x4e, 0xb8, 0x93, 0x42, 0xa0, 0x0c, 0x2f, 0x16, 0x63, 0x97, 0xb8, 0x9a, 0x43, 0xba, 0xc9, 0x18,
+	0xcb, 0x72, 0x8c, 0x9b, 0x99, 0x28, 0x94, 0xe3, 0x0d, 0xdf, 0x06, 0x93, 0xfe, 0x6c, 0xfc, 0x99,
+	0x8b, 0xcd, 0x99, 0x15, 0x64, 0x93, 0x3b, 0x91, 0x09, 0xc5, 0x71, 0x6c, 0x69, 0xd6, 0x91, 0x4b,
+	0x9c, 0x3e, 0xe9, 0xde, 0xf7, 0x1b, 0x16, 0xab, 0xea, 0x55, 0x5e, 0xd5, 0xc3, 0xa5, 0xed, 0xa6,
+	0x10, 0x28, 0xc3, 0x8b, 0x2d, 0xcd, 0xcf, 0x9a, 0xd4, 0xd2, 0xc6, 0xe5, 0xa5, 0x1d, 0x66, 0xa2,
+	0x50, 0x8e, 0x37, 0xcb, 0x3d, 0x3f, 0xe4, 0xf5, 0x3e, 0xd6, 0x74, 0x7c, 0xa4, 0x93, 0xc5, 0x09,
+	0x39, 0xf7, 0x76, 0x64, 0x33, 0x4a, 0xe2, 0xe1, 0x7d, 0x70, 0xc5, 0x1f, 0x3a, 0x34, 0x71, 0x48,
+	0x52, 0xe3, 0x24, 0xaf, 0x08, 0x92, 0x2b, 0x3b, 0x49, 0x00, 0x4a, 0xfb, 0xc0, 0xbb, 0x60, 0xba,
+	0x63, 0xe9, 0x3a, 0xcf, 0xc7, 0x0d, 0xcb, 0x33, 0xe9, 0x62, 0x9d, 0xb3, 0x40, 0x76, 0x86, 0x36,
+	0x24, 0x0b, 0x4a, 0x20, 0x9b, 0x9f, 0x2a, 0x60, 0x21, 0xe7, 0x1c, 0xc2, 0x1f, 0x81, 0x0a, 0x1d,
+	0xd8, 0x84, 0x27, 0x6a, 0xbd, 0x7d, 0x23, 0x28, 0xe1, 0x07, 0x03, 0x9b, 0x7c, 0x75, 0xba, 0x7c,
+	0x35, 0xc7, 0x8d, 0x99, 0x11, 0x77, 0x84, 0xc7, 0x60, 0x8a, 0xf5, 0x30, 0xcd, 0xec, 0xf9, 0x10,
+	0x51, 0x6a, 0x5a, 0xb9, 0x15, 0x01, 0xc5, 0xd1, 0x51, 0xd1, 0xbc, 0x32, 0x3c, 0x5d, 0x9e, 0x92,
+	0x6c, 0x48, 0x26, 0x6e, 0xfe, 0xb6, 0x04, 0xc0, 0x26, 0xb1, 0x75, 0x6b, 0x60, 0x10, 0x73, 0x14,
+	0x6d, 0xf0, 0xa1, 0xd4, 0x06, 0x5f, 0xcf, 0xaf, 0x71, 0x61, 0x50, 0xb9, 0x7d, 0xf0, 0xc3, 0x44,
+	0x1f, 0xbc, 0x5e, 0x84, 0xec, 0xc5, 0x8d, 0xf0, 0xf3, 0x32, 0x98, 0x8d, 0xc0, 0x1b, 0x96, 0xd9,
+	0xd5, 0xf8, 0x69, 0xb8, 0x27, 0xed, 0xe8, 0xeb, 0x89, 0x1d, 0x5d, 0xc8, 0x70, 0x89, 0xed, 0xe6,
+	0x56, 0x18, 0x67, 0x89, 0xbb, 0xbf, 0x25, 0x4f, 0xfe, 0xd5, 0xe9, 0x72, 0x86, 0xe2, 0x56, 0x43,
+	0x26, 0x39, 0x44, 0x78, 0x0d, 0x8c, 0x3b, 0x04, 0xbb, 0x96, 0xc9, 0xcb, 0x42, 0x3d, 0x5a, 0x0a,
+	0xe2, 0xa3, 0x48, 0x58, 0xe1, 0x75, 0x30, 0x61, 0x10, 0xd7, 0xc5, 0x3d, 0xc2, 0x2b, 0x40, 0xbd,
+	0x3d, 0x23, 0x80, 0x13, 0xdb, 0xfe, 0x30, 0x0a, 0xec, 0xf0, 0x63, 0x30, 0xad, 0x63, 0x57, 0xa4,
+	0xe3, 0x81, 0x66, 0x10, 0x7e, 0xc6, 0x27, 0xd7, 0xde, 0x28, 0xb6, 0xf7, 0xcc, 0x23, 0xea, 0x3d,
+	0x5b, 0x12, 0x13, 0x4a, 0x30, 0xc3, 0x3e, 0x80, 0x6c, 0xe4, 0xc0, 0xc1, 0xa6, 0xeb, 0x3f, 0x28,
+	0x36, 0xdf, 0xc4, 0xb9, 0xe7, 0x0b, 0xeb, 0xd9, 0x56, 0x8a, 0x0d, 0x65, 0xcc, 0xd0, 0xfc, 0xb3,
+	0x02, 0xa6, 0xa3, 0x6d, 0x1a, 0x81, 0xc6, 0x79, 0x20, 0x6b, 0x9c, 0x57, 0x0b, 0x24, 0x67, 0x8e,
+	0xc8, 0xf9, 0xbc, 0x12, 0x0f, 0x9d, 0xab, 0x9c, 0x55, 0xa6, 0xda, 0x6d, 0x5d, 0xeb, 0x60, 0x57,
+	0xb4, 0xc3, 0x4b, 0xbe, 0x62, 0xf7, 0xc7, 0x50, 0x68, 0x95, 0xf4, 0x50, 0xe9, 0xe5, 0xea, 0xa1,
+	0xf2, 0x37, 0xa3, 0x87, 0x7e, 0x0a, 0x6a, 0x6e, 0xa0, 0x84, 0x2a, 0x9c, 0xf2, 0x46, 0xa1, 0x83,
+	0x2d, 0x44, 0x50, 0x48, 0x1d, 0xca, 0x9f, 0x90, 0x2e, 0x4b, 0xf8, 0x54, 0xbf, 0x4d, 0xe1, 0xc3,
+	0x0e, 0xb3, 0x8d, 0x3d, 0x97, 0x74, 0xf9, 0x09, 0xa8, 0x45, 0x87, 0x79, 0x8f, 0x8f, 0x22, 0x61,
+	0x85, 0x87, 0x60, 0xc1, 0x76, 0xac, 0x9e, 0x43, 0x5c, 0x77, 0x93, 0xe0, 0xae, 0xae, 0x99, 0x24,
+	0x58, 0x80, 0xdf, 0xb2, 0xae, 0x0e, 0x4f, 0x97, 0x17, 0xf6, 0xb2, 0x21, 0x28, 0xcf, 0xb7, 0xf9,
+	0xb7, 0x0a, 0xb8, 0x9c, 0xac, 0x8d, 0x39, 0x2a, 0x42, 0xb9, 0x90, 0x8a, 0xb8, 0x19, 0xcb, 0x53,
+	0x5f, 0x62, 0xc5, 0xde, 0x2e, 0x53, 0xb9, 0xba, 0x0e, 0x66, 0x84, 0x6a, 0x08, 0x8c, 0x42, 0x47,
+	0x85, 0xdb, 0x73, 0x28, 0x9b, 0x51, 0x12, 0xcf, 0xb4, 0x41, 0xd4, 0xf2, 0x03, 0x92, 0x8a, 0xac,
+	0x0d, 0xd6, 0x93, 0x00, 0x94, 0xf6, 0x81, 0xdb, 0x60, 0xd6, 0x33, 0xd3, 0x54, 0x7e, 0xba, 0x5c,
+	0x15, 0x54, 0xb3, 0x87, 0x69, 0x08, 0xca, 0xf2, 0x83, 0x8f, 0x01, 0xe8, 0x04, 0x05, 0xdd, 0x5d,
+	0x1c, 0xe7, 0x25, 0xe1, 0x66, 0x81, 0xb4, 0x0e, 0xbb, 0x40, 0xd4, 0x56, 0xc3, 0x21, 0x17, 0xc5,
+	0x38, 0xe1, 0x3d, 0x30, 0xe5, 0x70, 0x49, 0x18, 0x84, 0xea, 0xcb, 0xaa, 0xef, 0x09, 0xb7, 0x29,
+	0x14, 0x37, 0x22, 0x19, 0x9b, 0xa1, 0x84, 0x6a, 0x85, 0x95, 0xd0, 0x5f, 0x15, 0x00, 0xd3, 0xe7,
+	0x10, 0xde, 0x95, 0x5a, 0xe6, 0xb5, 0x44, 0xcb, 0x9c, 0x4f, 0x7b, 0xc4, 0x3a, 0xa6, 0x96, 0xad,
+	0x7f, 0x6e, 0x17, 0xd4, 0x3f, 0x51, 0x41, 0x2d, 0x26, 0x80, 0xc4, 0x63, 0x18, 0xcd, 0x3d, 0x40,
+	0x51, 0x01, 0x14, 0x05, 0xf5, 0x0d, 0x08, 0xa0, 0x18, 0xd9, 0x8b, 0x05, 0xd0, 0xbf, 0x4b, 0x60,
+	0x36, 0x02, 0x17, 0x16, 0x40, 0x19, 0x2e, 0x2f, 0x4d, 0x00, 0x65, 0x2b, 0x88, 0xf2, 0xcb, 0x56,
+	0x10, 0x2f, 0x41, 0x78, 0x71, 0x51, 0x12, 0x3d, 0xba, 0xff, 0x27, 0x51, 0x12, 0x45, 0x95, 0x23,
+	0x4a, 0xfe, 0x50, 0x8a, 0x87, 0xfe, 0x9d, 0x17, 0x25, 0x5f, 0xff, 0xca, 0xa4, 0xf9, 0xf7, 0x32,
+	0xb8, 0x9c, 0x3c, 0x87, 0x52, 0x83, 0x54, 0xce, 0x6c, 0x90, 0x7b, 0x60, 0xee, 0x89, 0xa7, 0xeb,
+	0x03, 0xfe, 0x18, 0x62, 0x5d, 0xd2, 0x6f, 0xad, 0xdf, 0x17, 0x9e, 0x73, 0x3f, 0xc9, 0xc0, 0xa0,
+	0x4c, 0xcf, 0x9c, 0x66, 0x5f, 0xbe, 0x50, 0xb3, 0x4f, 0x75, 0xa0, 0xca, 0x39, 0x3a, 0x50, 0x66,
+	0xe3, 0xae, 0x5e, 0xa0, 0x71, 0x9f, 0xaf, 0xd3, 0x66, 0x14, 0xae, 0xb3, 0x3a, 0x6d, 0xf3, 0xd7,
+	0x0a, 0x98, 0xcf, 0x7e, 0xe1, 0x86, 0x3a, 0x98, 0x36, 0xf0, 0xd3, 0xf8, 0xbd, 0xc4, 0x59, 0x4d,
+	0xc4, 0xa3, 0x9a, 0xae, 0xfa, 0x5f, 0x19, 0xd4, 0x87, 0x26, 0xdd, 0x75, 0xf6, 0xa9, 0xa3, 0x99,
+	0x3d, 0xbf, 0xf3, 0x6e, 0x4b, 0x5c, 0x28, 0xc1, 0xdd, 0xfc, 0x52, 0x01, 0x0b, 0x39, 0x9d, 0x6f,
+	0xb4, 0x91, 0xc0, 0x8f, 0x40, 0xcd, 0xc0, 0x4f, 0xf7, 0x3d, 0xa7, 0x97, 0xd5, 0xab, 0x8b, 0xcd,
+	0xc3, 0x4f, 0xf3, 0xb6, 0x60, 0x41, 0x21, 0x5f, 0x73, 0x17, 0xac, 0x48, 0x8b, 0x64, 0x27, 0x87,
+	0x3c, 0xf1, 0x74, 0x7e, 0x88, 0x84, 0xd8, 0xb8, 0x01, 0xea, 0x36, 0x76, 0xa8, 0x16, 0x4a, 0xd5,
+	0x6a, 0x7b, 0x6a, 0x78, 0xba, 0x5c, 0xdf, 0x0b, 0x06, 0x51, 0x64, 0x6f, 0xfe, 0x57, 0x01, 0xd5,
+	0xfd, 0x0e, 0xd6, 0xc9, 0x08, 0xba, 0xfd, 0xa6, 0xd4, 0xed, 0xf3, 0x2f, 0xba, 0x79, 0x3c, 0xb9,
+	0x8d, 0x7e, 0x2b, 0xd1, 0xe8, 0x5f, 0x3b, 0x83, 0xe7, 0xc5, 0x3d, 0xfe, 0x3d, 0x50, 0x0f, 0xa7,
+	0x3b, 0x5f, 0x01, 0x6a, 0xfe, 0xbe, 0x04, 0x26, 0x63, 0x53, 0x9c, 0xb3, 0x7c, 0x3d, 0x96, 0xca,
+	0x3e, 0x3b, 0x98, 0x6b, 0x45, 0x16, 0xa2, 0x06, 0x25, 0xfe, 0x7d, 0x93, 0x3a, 0xf1, 0x17, 0xbc,
+	0x74, 0xe5, 0xff, 0x21, 0x98, 0xa6, 0xd8, 0xe9, 0x11, 0x1a, 0xd8, 0xf8, 0x03, 0xab, 0x47, 0xb7,
+	0x13, 0x07, 0x92, 0x15, 0x25, 0xd0, 0x4b, 0xf7, 0xc0, 0x94, 0x34, 0x19, 0xbc, 0x0c, 0xca, 0x27,
+	0x64, 0xe0, 0xcb, 0x1e, 0xc4, 0xfe, 0x84, 0x73, 0xa0, 0xda, 0xc7, 0xba, 0xe7, 0xe7, 0x79, 0x1d,
+	0xf9, 0x3f, 0xee, 0x96, 0xde, 0x55, 0x9a, 0x9f, 0xb0, 0x87, 0x13, 0x25, 0xe7, 0x08, 0xb2, 0xeb,
+	0x03, 0x29, 0xbb, 0xf2, 0xbf, 0x03, 0xc5, 0x8f, 0x4c, 0x5e, 0x8e, 0xa1, 0x44, 0x8e, 0xbd, 0x51,
+	0x88, 0xed, 0xc5, 0x99, 0xf6, 0x17, 0x05, 0xcc, 0xc4, 0xd0, 0x23, 0x10, 0x38, 0x0f, 0x65, 0x81,
+	0xf3, 0x5a, 0x91, 0x45, 0xe4, 0x28, 0x9c, 0x7f, 0x54, 0xa5, 0xe0, 0xbf, 0xf3, 0x12, 0xe7, 0x97,
+	0x60, 0xae, 0x6f, 0xe9, 0x9e, 0x41, 0x36, 0x74, 0xac, 0x19, 0x01, 0x80, 0x75, 0xf1, 0x72, 0xf2,
+	0xdd, 0x22, 0xa4, 0x27, 0x8e, 0xab, 0xb9, 0x94, 0x98, 0xf4, 0x51, 0xe4, 0x19, 0xe9, 0x90, 0x47,
+	0x19, 0x74, 0x28, 0x73, 0x12, 0xf8, 0x36, 0x98, 0x64, 0x7a, 0x42, 0xeb, 0x90, 0x1d, 0x6c, 0x04,
+	0xc2, 0x39, 0xfc, 0xe2, 0xb1, 0x1f, 0x99, 0x50, 0x1c, 0x07, 0x8f, 0xc1, 0xac, 0x6d, 0x75, 0xb7,
+	0xb1, 0x89, 0x7b, 0x84, 0xb5, 0xbd, 0x3d, 0xfe, 0xaf, 0x08, 0xfc, 0x32, 0xa6, 0xde, 0x7e, 0x27,
+	0x78, 0x4b, 0xdf, 0x4b, 0x43, 0xd8, 0x4b, 0x4b, 0xc6, 0x30, 0x7f, 0x69, 0xc9, 0xa2, 0x84, 0x4e,
+	0xea, 0x2b, 0x9d, 0x7f, 0x67, 0xb9, 0x56, 0x24, 0xc3, 0x2e, 0xf8, 0x9d, 0x2e, 0xef, 0xae, 0xa9,
+	0x76, 0xa1, 0x8f, 0x6c, 0x9f, 0x54, 0xc0, 0x95, 0xd4, 0xd1, 0xfd, 0x16, 0x6f, 0x7b, 0x52, 0x72,
+	0xb1, 0x7c, 0x0e, 0xb9, 0xb8, 0x0e, 0x66, 0xc4, 0xf7, 0xbd, 0x84, 0xda, 0x0c, 0xf5, 0xf8, 0x86,
+	0x6c, 0x46, 0x49, 0x7c, 0xd6, 0x6d, 0x53, 0xf5, 0x9c, 0xb7, 0x4d, 0xf1, 0x28, 0xc4, 0xff, 0x50,
+	0xf8, 0xa9, 0x97, 0x8e, 0x42, 0xfc, 0x2b, 0x45, 0x12, 0xcf, 0x3a, 0x96, 0xcf, 0x1a, 0x32, 0x4c,
+	0xc8, 0x1d, 0xeb, 0x50, 0xb2, 0xa2, 0x04, 0xfa, 0x6b, 0x7d, 0xc3, 0xfa, 0xa7, 0x02, 0x5e, 0xc9,
+	0xcd, 0x52, 0xb8, 0x2e, 0xbd, 0xf2, 0xdf, 0x4a, 0xbc, 0xf2, 0xff, 0x20, 0xd7, 0x31, 0xf6, 0xe2,
+	0xef, 0x64, 0xdf, 0xe3, 0xbc, 0x57, 0xec, 0x1e, 0x27, 0x43, 0xe8, 0x9d, 0x7d, 0xa1, 0xd3, 0xbe,
+	0xf5, 0xec, 0x79, 0x63, 0xec, 0xb3, 0xe7, 0x8d, 0xb1, 0x2f, 0x9e, 0x37, 0xc6, 0x7e, 0x35, 0x6c,
+	0x28, 0xcf, 0x86, 0x0d, 0xe5, 0xb3, 0x61, 0x43, 0xf9, 0x62, 0xd8, 0x50, 0xfe, 0x35, 0x6c, 0x28,
+	0xbf, 0xfb, 0xb2, 0x31, 0xf6, 0xd1, 0x84, 0x98, 0xf1, 0x7f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xe8,
+	0x1d, 0x40, 0xdd, 0x77, 0x25, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/apps/v1beta2/generated.proto b/cli/vendor/k8s.io/api/apps/v1beta2/generated.proto
new file mode 100644
index 00000000..2cddd48f
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta2/generated.proto
@@ -0,0 +1,688 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.apps.v1beta2;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/api/policy/v1beta1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta2";
+
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+message ControllerRevision {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Data is the serialized representation of the state.
+  optional k8s.io.apimachinery.pkg.runtime.RawExtension data = 2;
+
+  // Revision indicates the revision of the state represented by Data.
+  optional int64 revision = 3;
+}
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+message ControllerRevisionList {
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of ControllerRevisions
+  repeated ControllerRevision items = 2;
+}
+
+// DaemonSet represents the configuration of a daemon set.
+message DaemonSet {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // The desired behavior of this daemon set.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional DaemonSetSpec spec = 2;
+
+  // The current status of this daemon set. This data may be
+  // out of date by some window of time.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional DaemonSetStatus status = 3;
+}
+
+// DaemonSetList is a collection of daemon sets.
+message DaemonSetList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // A list of daemon sets.
+  repeated DaemonSet items = 2;
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+message DaemonSetSpec {
+  // A label query over pods that are managed by the daemon set.
+  // Must match in order to be controlled.
+  // It must match the pod template's labels.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 1;
+
+  // An object that describes the pod that will be created.
+  // The DaemonSet will create exactly one copy of this pod on every node
+  // that matches the template's node selector (or on every node if no node
+  // selector is specified).
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+  optional k8s.io.api.core.v1.PodTemplateSpec template = 2;
+
+  // An update strategy to replace existing DaemonSet pods with new pods.
+  // +optional
+  optional DaemonSetUpdateStrategy updateStrategy = 3;
+
+  // The minimum number of seconds for which a newly created DaemonSet pod should
+  // be ready without any of its container crashing, for it to be considered
+  // available. Defaults to 0 (pod will be considered available as soon as it
+  // is ready).
+  // +optional
+  optional int32 minReadySeconds = 4;
+
+  // The number of old history to retain to allow rollback.
+  // This is a pointer to distinguish between explicit zero and not specified.
+  // Defaults to 10.
+  // +optional
+  optional int32 revisionHistoryLimit = 6;
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+message DaemonSetStatus {
+  // The number of nodes that are running at least 1
+  // daemon pod and are supposed to run the daemon pod.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+  optional int32 currentNumberScheduled = 1;
+
+  // The number of nodes that are running the daemon pod, but are
+  // not supposed to run the daemon pod.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+  optional int32 numberMisscheduled = 2;
+
+  // The total number of nodes that should be running the daemon
+  // pod (including nodes correctly running the daemon pod).
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+  optional int32 desiredNumberScheduled = 3;
+
+  // The number of nodes that should be running the daemon pod and have one
+  // or more of the daemon pod running and ready.
+  optional int32 numberReady = 4;
+
+  // The most recent generation observed by the daemon set controller.
+  // +optional
+  optional int64 observedGeneration = 5;
+
+  // The total number of nodes that are running updated daemon pod
+  // +optional
+  optional int32 updatedNumberScheduled = 6;
+
+  // The number of nodes that should be running the
+  // daemon pod and have one or more of the daemon pod running and
+  // available (ready for at least spec.minReadySeconds)
+  // +optional
+  optional int32 numberAvailable = 7;
+
+  // The number of nodes that should be running the
+  // daemon pod and have none of the daemon pod running and available
+  // (ready for at least spec.minReadySeconds)
+  // +optional
+  optional int32 numberUnavailable = 8;
+
+  // Count of hash collisions for the DaemonSet. The DaemonSet controller
+  // uses this field as a collision avoidance mechanism when it needs to
+  // create the name for the newest ControllerRevision.
+  // +optional
+  optional int32 collisionCount = 9;
+}
+
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
+message DaemonSetUpdateStrategy {
+  // Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+  // +optional
+  optional string type = 1;
+
+  // Rolling update config params. Present only if type = "RollingUpdate".
+  // ---
+  // TODO: Update this to follow our convention for oneOf, whatever we decide it
+  // to be. Same as Deployment `strategy.rollingUpdate`.
+  // See https://github.com/kubernetes/kubernetes/issues/35345
+  // +optional
+  optional RollingUpdateDaemonSet rollingUpdate = 2;
+}
+
+// Deployment enables declarative updates for Pods and ReplicaSets.
+message Deployment {
+  // Standard object metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of the Deployment.
+  // +optional
+  optional DeploymentSpec spec = 2;
+
+  // Most recently observed status of the Deployment.
+  // +optional
+  optional DeploymentStatus status = 3;
+}
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+message DeploymentCondition {
+  // Type of deployment condition.
+  optional string type = 1;
+
+  // Status of the condition, one of True, False, Unknown.
+  optional string status = 2;
+
+  // The last time this condition was updated.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 6;
+
+  // Last time the condition transitioned from one status to another.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 7;
+
+  // The reason for the condition's last transition.
+  optional string reason = 4;
+
+  // A human readable message indicating details about the transition.
+  optional string message = 5;
+}
+
+// DeploymentList is a list of Deployments.
+message DeploymentList {
+  // Standard list metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of Deployments.
+  repeated Deployment items = 2;
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+message DeploymentSpec {
+  // Number of desired pods. This is a pointer to distinguish between explicit
+  // zero and not specified. Defaults to 1.
+  // +optional
+  optional int32 replicas = 1;
+
+  // Label selector for pods. Existing ReplicaSets whose pods are
+  // selected by this will be the ones affected by this deployment.
+  // It must match the pod template's labels.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
+
+  // Template describes the pods that will be created.
+  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
+
+  // The deployment strategy to use to replace existing pods with new ones.
+  // +optional
+  optional DeploymentStrategy strategy = 4;
+
+  // Minimum number of seconds for which a newly created pod should be ready
+  // without any of its container crashing, for it to be considered available.
+  // Defaults to 0 (pod will be considered available as soon as it is ready)
+  // +optional
+  optional int32 minReadySeconds = 5;
+
+  // The number of old ReplicaSets to retain to allow rollback.
+  // This is a pointer to distinguish between explicit zero and not specified.
+  // Defaults to 10.
+  // +optional
+  optional int32 revisionHistoryLimit = 6;
+
+  // Indicates that the deployment is paused.
+  // +optional
+  optional bool paused = 7;
+
+  // The maximum time in seconds for a deployment to make progress before it
+  // is considered to be failed. The deployment controller will continue to
+  // process failed deployments and a condition with a ProgressDeadlineExceeded
+  // reason will be surfaced in the deployment status. Note that progress will
+  // not be estimated during the time a deployment is paused. Defaults to 600s.
+  optional int32 progressDeadlineSeconds = 9;
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+message DeploymentStatus {
+  // The generation observed by the deployment controller.
+  // +optional
+  optional int64 observedGeneration = 1;
+
+  // Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+  // +optional
+  optional int32 replicas = 2;
+
+  // Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+  // +optional
+  optional int32 updatedReplicas = 3;
+
+  // Total number of ready pods targeted by this deployment.
+  // +optional
+  optional int32 readyReplicas = 7;
+
+  // Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+  // +optional
+  optional int32 availableReplicas = 4;
+
+  // Total number of unavailable pods targeted by this deployment. This is the total number of
+  // pods that are still required for the deployment to have 100% available capacity. They may
+  // either be pods that are running but not yet available or pods that still have not been created.
+  // +optional
+  optional int32 unavailableReplicas = 5;
+
+  // Represents the latest available observations of a deployment's current state.
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated DeploymentCondition conditions = 6;
+
+  // Count of hash collisions for the Deployment. The Deployment controller uses this
+  // field as a collision avoidance mechanism when it needs to create the name for the
+  // newest ReplicaSet.
+  // +optional
+  optional int32 collisionCount = 8;
+}
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+message DeploymentStrategy {
+  // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+  // +optional
+  optional string type = 1;
+
+  // Rolling update config params. Present only if DeploymentStrategyType =
+  // RollingUpdate.
+  // ---
+  // TODO: Update this to follow our convention for oneOf, whatever we decide it
+  // to be.
+  // +optional
+  optional RollingUpdateDeployment rollingUpdate = 2;
+}
+
+// ReplicaSet represents the configuration of a ReplicaSet.
+message ReplicaSet {
+  // If the Labels of a ReplicaSet are empty, they are defaulted to
+  // be the same as the Pod(s) that the ReplicaSet manages.
+  // Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the specification of the desired behavior of the ReplicaSet.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional ReplicaSetSpec spec = 2;
+
+  // Status is the most recently observed status of the ReplicaSet.
+  // This data may be out of date by some window of time.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional ReplicaSetStatus status = 3;
+}
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+message ReplicaSetCondition {
+  // Type of replica set condition.
+  optional string type = 1;
+
+  // Status of the condition, one of True, False, Unknown.
+  optional string status = 2;
+
+  // The last time the condition transitioned from one status to another.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
+
+  // The reason for the condition's last transition.
+  // +optional
+  optional string reason = 4;
+
+  // A human readable message indicating details about the transition.
+  // +optional
+  optional string message = 5;
+}
+
+// ReplicaSetList is a collection of ReplicaSets.
+message ReplicaSetList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of ReplicaSets.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+  repeated ReplicaSet items = 2;
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+message ReplicaSetSpec {
+  // Replicas is the number of desired replicas.
+  // This is a pointer to distinguish between explicit zero and unspecified.
+  // Defaults to 1.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+  // +optional
+  optional int32 replicas = 1;
+
+  // Minimum number of seconds for which a newly created pod should be ready
+  // without any of its container crashing, for it to be considered available.
+  // Defaults to 0 (pod will be considered available as soon as it is ready)
+  // +optional
+  optional int32 minReadySeconds = 4;
+
+  // Selector is a label query over pods that should match the replica count.
+  // Label keys and values that must match in order to be controlled by this replica set.
+  // It must match the pod template's labels.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
+
+  // Template is the object that describes the pod that will be created if
+  // insufficient replicas are detected.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+  // +optional
+  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+message ReplicaSetStatus {
+  // Replicas is the most recently oberved number of replicas.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+  optional int32 replicas = 1;
+
+  // The number of pods that have labels matching the labels of the pod template of the replicaset.
+  // +optional
+  optional int32 fullyLabeledReplicas = 2;
+
+  // The number of ready replicas for this replica set.
+  // +optional
+  optional int32 readyReplicas = 4;
+
+  // The number of available replicas (ready for at least minReadySeconds) for this replica set.
+  // +optional
+  optional int32 availableReplicas = 5;
+
+  // ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+  // +optional
+  optional int64 observedGeneration = 3;
+
+  // Represents the latest available observations of a replica set's current state.
+  // +optional
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated ReplicaSetCondition conditions = 6;
+}
+
+// Spec to control the desired behavior of daemon set rolling update.
+message RollingUpdateDaemonSet {
+  // The maximum number of DaemonSet pods that can be unavailable during the
+  // update. Value can be an absolute number (ex: 5) or a percentage of total
+  // number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+  // number is calculated from percentage by rounding up.
+  // This cannot be 0.
+  // Default value is 1.
+  // Example: when this is set to 30%, at most 30% of the total number of nodes
+  // that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+  // can have their pods stopped for an update at any given
+  // time. The update starts by stopping at most 30% of those DaemonSet pods
+  // and then brings up new DaemonSet pods in their place. Once the new pods
+  // are available, it then proceeds onto other DaemonSet pods, thus ensuring
+  // that at least 70% of original number of DaemonSet pods are available at
+  // all times during the update.
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 1;
+}
+
+// Spec to control the desired behavior of rolling update.
+message RollingUpdateDeployment {
+  // The maximum number of pods that can be unavailable during the update.
+  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+  // Absolute number is calculated from percentage by rounding down.
+  // This can not be 0 if MaxSurge is 0.
+  // Defaults to 25%.
+  // Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods
+  // immediately when the rolling update starts. Once new pods are ready, old RC
+  // can be scaled down further, followed by scaling up the new RC, ensuring
+  // that the total number of pods available at all times during the update is at
+  // least 70% of desired pods.
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 1;
+
+  // The maximum number of pods that can be scheduled above the desired number of
+  // pods.
+  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+  // This can not be 0 if MaxUnavailable is 0.
+  // Absolute number is calculated from percentage by rounding up.
+  // Defaults to 25%.
+  // Example: when this is set to 30%, the new RC can be scaled up immediately when
+  // the rolling update starts, such that the total number of old and new pods do not exceed
+  // 130% of desired pods. Once old pods have been killed,
+  // new RC can be scaled up further, ensuring that total number of pods running
+  // at any time during the update is atmost 130% of desired pods.
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxSurge = 2;
+}
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+message RollingUpdateStatefulSetStrategy {
+  // Partition indicates the ordinal at which the StatefulSet should be
+  // partitioned.
+  // Default value is 0.
+  // +optional
+  optional int32 partition = 1;
+}
+
+// Scale represents a scaling request for a resource.
+message Scale {
+  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+  // +optional
+  optional ScaleSpec spec = 2;
+
+  // current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.
+  // +optional
+  optional ScaleStatus status = 3;
+}
+
+// ScaleSpec describes the attributes of a scale subresource
+message ScaleSpec {
+  // desired number of instances for the scaled object.
+  // +optional
+  optional int32 replicas = 1;
+}
+
+// ScaleStatus represents the current status of a scale subresource.
+message ScaleStatus {
+  // actual number of observed instances of the scaled object.
+  optional int32 replicas = 1;
+
+  // label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors
+  // +optional
+  map<string, string> selector = 2;
+
+  // label selector for pods that should match the replicas count. This is a serializated
+  // version of both map-based and more expressive set-based selectors. This is done to
+  // avoid introspection in the clients. The string will be in the same format as the
+  // query-param syntax. If the target type only supports map-based selectors, both this
+  // field and map-based selector field are populated.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  // +optional
+  optional string targetSelector = 3;
+}
+
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//  - Network: A single stable DNS and hostname.
+//  - Storage: As many VolumeClaims as requested.
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+message StatefulSet {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the desired identities of pods in this set.
+  // +optional
+  optional StatefulSetSpec spec = 2;
+
+  // Status is the current status of Pods in this StatefulSet. This data
+  // may be out of date by some window of time.
+  // +optional
+  optional StatefulSetStatus status = 3;
+}
+
+// StatefulSetList is a collection of StatefulSets.
+message StatefulSetList {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  repeated StatefulSet items = 2;
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+message StatefulSetSpec {
+  // replicas is the desired number of replicas of the given Template.
+  // These are replicas in the sense that they are instantiations of the
+  // same Template, but individual replicas also have a consistent identity.
+  // If unspecified, defaults to 1.
+  // TODO: Consider a rename of this field.
+  // +optional
+  optional int32 replicas = 1;
+
+  // selector is a label query over pods that should match the replica count.
+  // It must match the pod template's labels.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
+
+  // template is the object that describes the pod that will be created if
+  // insufficient replicas are detected. Each pod stamped out by the StatefulSet
+  // will fulfill this Template, but have a unique identity from the rest
+  // of the StatefulSet.
+  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
+
+  // volumeClaimTemplates is a list of claims that pods are allowed to reference.
+  // The StatefulSet controller is responsible for mapping network identities to
+  // claims in a way that maintains the identity of a pod. Every claim in
+  // this list must have at least one matching (by name) volumeMount in one
+  // container in the template. A claim in this list takes precedence over
+  // any volumes in the template, with the same name.
+  // TODO: Define the behavior if a claim already exists with the same name.
+  // +optional
+  repeated k8s.io.api.core.v1.PersistentVolumeClaim volumeClaimTemplates = 4;
+
+  // serviceName is the name of the service that governs this StatefulSet.
+  // This service must exist before the StatefulSet, and is responsible for
+  // the network identity of the set. Pods get DNS/hostnames that follow the
+  // pattern: pod-specific-string.serviceName.default.svc.cluster.local
+  // where "pod-specific-string" is managed by the StatefulSet controller.
+  optional string serviceName = 5;
+
+  // podManagementPolicy controls how pods are created during initial scale up,
+  // when replacing pods on nodes, or when scaling down. The default policy is
+  // `OrderedReady`, where pods are created in increasing order (pod-0, then
+  // pod-1, etc) and the controller will wait until each pod is ready before
+  // continuing. When scaling down, the pods are removed in the opposite order.
+  // The alternative policy is `Parallel` which will create pods in parallel
+  // to match the desired scale without waiting, and on scale down will delete
+  // all pods at once.
+  // +optional
+  optional string podManagementPolicy = 6;
+
+  // updateStrategy indicates the StatefulSetUpdateStrategy that will be
+  // employed to update Pods in the StatefulSet when a revision is made to
+  // Template.
+  optional StatefulSetUpdateStrategy updateStrategy = 7;
+
+  // revisionHistoryLimit is the maximum number of revisions that will
+  // be maintained in the StatefulSet's revision history. The revision history
+  // consists of all revisions not represented by a currently applied
+  // StatefulSetSpec version. The default value is 10.
+  optional int32 revisionHistoryLimit = 8;
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+message StatefulSetStatus {
+  // observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+  // StatefulSet's generation, which is updated on mutation by the API Server.
+  // +optional
+  optional int64 observedGeneration = 1;
+
+  // replicas is the number of Pods created by the StatefulSet controller.
+  optional int32 replicas = 2;
+
+  // readyReplicas is the number of Pods created by the StatefulSet controller that have a Ready Condition.
+  optional int32 readyReplicas = 3;
+
+  // currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+  // indicated by currentRevision.
+  optional int32 currentReplicas = 4;
+
+  // updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+  // indicated by updateRevision.
+  optional int32 updatedReplicas = 5;
+
+  // currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+  // sequence [0,currentReplicas).
+  optional string currentRevision = 6;
+
+  // updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+  // [replicas-updatedReplicas,replicas)
+  optional string updateRevision = 7;
+
+  // collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+  // uses this field as a collision avoidance mechanism when it needs to create the name for the
+  // newest ControllerRevision.
+  // +optional
+  optional int32 collisionCount = 9;
+}
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+message StatefulSetUpdateStrategy {
+  // Type indicates the type of the StatefulSetUpdateStrategy.
+  // Default is RollingUpdate.
+  // +optional
+  optional string type = 1;
+
+  // RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+  // +optional
+  optional RollingUpdateStatefulSetStrategy rollingUpdate = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/apps/v1beta2/register.go b/cli/vendor/k8s.io/api/apps/v1beta2/register.go
new file mode 100644
index 00000000..e207c7dc
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta2/register.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "apps"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta2"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Deployment{},
+		&DeploymentList{},
+		&Scale{},
+		&StatefulSet{},
+		&StatefulSetList{},
+		&DaemonSet{},
+		&DaemonSetList{},
+		&ReplicaSet{},
+		&ReplicaSetList{},
+		&ControllerRevision{},
+		&ControllerRevisionList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/apps/v1beta2/types.go b/cli/vendor/k8s.io/api/apps/v1beta2/types.go
new file mode 100644
index 00000000..21767b63
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta2/types.go
@@ -0,0 +1,820 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+const (
+	ControllerRevisionHashLabelKey = "controller-revision-hash"
+	StatefulSetRevisionLabel       = ControllerRevisionHashLabelKey
+	DeprecatedRollbackTo           = "deprecated.deployment.rollback.to"
+	DeprecatedTemplateGeneration   = "deprecated.daemonset.template.generation"
+)
+
+// ScaleSpec describes the attributes of a scale subresource
+type ScaleSpec struct {
+	// desired number of instances for the scaled object.
+	// +optional
+	Replicas int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+}
+
+// ScaleStatus represents the current status of a scale subresource.
+type ScaleStatus struct {
+	// actual number of observed instances of the scaled object.
+	Replicas int32 `json:"replicas" protobuf:"varint,1,opt,name=replicas"`
+
+	// label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors
+	// +optional
+	Selector map[string]string `json:"selector,omitempty" protobuf:"bytes,2,rep,name=selector"`
+
+	// label selector for pods that should match the replicas count. This is a serializated
+	// version of both map-based and more expressive set-based selectors. This is done to
+	// avoid introspection in the clients. The string will be in the same format as the
+	// query-param syntax. If the target type only supports map-based selectors, both this
+	// field and map-based selector field are populated.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	TargetSelector string `json:"targetSelector,omitempty" protobuf:"bytes,3,opt,name=targetSelector"`
+}
+
+// +genclient
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Scale represents a scaling request for a resource.
+type Scale struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+	// +optional
+	Spec ScaleSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.
+	// +optional
+	Status ScaleStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +genclient
+// +genclient:method=GetScale,verb=get,subresource=scale,result=Scale
+// +genclient:method=UpdateScale,verb=update,subresource=scale,input=Scale,result=Scale
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//  - Network: A single stable DNS and hostname.
+//  - Storage: As many VolumeClaims as requested.
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+type StatefulSet struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the desired identities of pods in this set.
+	// +optional
+	Spec StatefulSetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	// +optional
+	Status StatefulSetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// PodManagementPolicyType defines the policy for creating pods under a stateful set.
+type PodManagementPolicyType string
+
+const (
+	// OrderedReadyPodManagement will create pods in strictly increasing order on
+	// scale up and strictly decreasing order on scale down, progressing only when
+	// the previous pod is ready or terminated. At most one pod will be changed
+	// at any time.
+	OrderedReadyPodManagement PodManagementPolicyType = "OrderedReady"
+	// ParallelPodManagement will create and delete pods as soon as the stateful set
+	// replica count is changed, and will not wait for pods to be ready or complete
+	// termination.
+	ParallelPodManagement = "Parallel"
+)
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+type StatefulSetUpdateStrategy struct {
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	// Default is RollingUpdate.
+	// +optional
+	Type StatefulSetUpdateStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=StatefulSetStrategyType"`
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+	// +optional
+	RollingUpdate *RollingUpdateStatefulSetStrategy `json:"rollingUpdate,omitempty" protobuf:"bytes,2,opt,name=rollingUpdate"`
+}
+
+// StatefulSetUpdateStrategyType is a string enumeration type that enumerates
+// all possible update strategies for the StatefulSet controller.
+type StatefulSetUpdateStrategyType string
+
+const (
+	// RollingUpdateStatefulSetStrategyType indicates that update will be
+	// applied to all Pods in the StatefulSet with respect to the StatefulSet
+	// ordering constraints. When a scale operation is performed with this
+	// strategy, new Pods will be created from the specification version indicated
+	// by the StatefulSet's updateRevision.
+	RollingUpdateStatefulSetStrategyType = "RollingUpdate"
+	// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version
+	// tracking and ordered rolling restarts are disabled. Pods are recreated
+	// from the StatefulSetSpec when they are manually deleted. When a scale
+	// operation is performed with this strategy,specification version indicated
+	// by the StatefulSet's currentRevision.
+	OnDeleteStatefulSetStrategyType = "OnDelete"
+)
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+type RollingUpdateStatefulSetStrategy struct {
+	// Partition indicates the ordinal at which the StatefulSet should be
+	// partitioned.
+	// Default value is 0.
+	// +optional
+	Partition *int32 `json:"partition,omitempty" protobuf:"varint,1,opt,name=partition"`
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+type StatefulSetSpec struct {
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+
+	// selector is a label query over pods that should match the replica count.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *metav1.LabelSelector `json:"selector" protobuf:"bytes,2,opt,name=selector"`
+
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet.
+	Template v1.PodTemplateSpec `json:"template" protobuf:"bytes,3,opt,name=template"`
+
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	// +optional
+	VolumeClaimTemplates []v1.PersistentVolumeClaim `json:"volumeClaimTemplates,omitempty" protobuf:"bytes,4,rep,name=volumeClaimTemplates"`
+
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	ServiceName string `json:"serviceName" protobuf:"bytes,5,opt,name=serviceName"`
+
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	// +optional
+	PodManagementPolicy PodManagementPolicyType `json:"podManagementPolicy,omitempty" protobuf:"bytes,6,opt,name=podManagementPolicy,casttype=PodManagementPolicyType"`
+
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	UpdateStrategy StatefulSetUpdateStrategy `json:"updateStrategy,omitempty" protobuf:"bytes,7,opt,name=updateStrategy"`
+
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty" protobuf:"varint,8,opt,name=revisionHistoryLimit"`
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+type StatefulSetStatus struct {
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
+
+	// replicas is the number of Pods created by the StatefulSet controller.
+	Replicas int32 `json:"replicas" protobuf:"varint,2,opt,name=replicas"`
+
+	// readyReplicas is the number of Pods created by the StatefulSet controller that have a Ready Condition.
+	ReadyReplicas int32 `json:"readyReplicas,omitempty" protobuf:"varint,3,opt,name=readyReplicas"`
+
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	CurrentReplicas int32 `json:"currentReplicas,omitempty" protobuf:"varint,4,opt,name=currentReplicas"`
+
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	UpdatedReplicas int32 `json:"updatedReplicas,omitempty" protobuf:"varint,5,opt,name=updatedReplicas"`
+
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	CurrentRevision string `json:"currentRevision,omitempty" protobuf:"bytes,6,opt,name=currentRevision"`
+
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	UpdateRevision string `json:"updateRevision,omitempty" protobuf:"bytes,7,opt,name=updateRevision"`
+
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	// +optional
+	CollisionCount *int32 `json:"collisionCount,omitempty" protobuf:"varint,9,opt,name=collisionCount"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// StatefulSetList is a collection of StatefulSets.
+type StatefulSetList struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	Items           []StatefulSet `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Deployment enables declarative updates for Pods and ReplicaSets.
+type Deployment struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of the Deployment.
+	// +optional
+	Spec DeploymentSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Most recently observed status of the Deployment.
+	// +optional
+	Status DeploymentStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+type DeploymentSpec struct {
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	Selector *metav1.LabelSelector `json:"selector" protobuf:"bytes,2,opt,name=selector"`
+
+	// Template describes the pods that will be created.
+	Template v1.PodTemplateSpec `json:"template" protobuf:"bytes,3,opt,name=template"`
+
+	// The deployment strategy to use to replace existing pods with new ones.
+	// +optional
+	Strategy DeploymentStrategy `json:"strategy,omitempty" protobuf:"bytes,4,opt,name=strategy"`
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	MinReadySeconds int32 `json:"minReadySeconds,omitempty" protobuf:"varint,5,opt,name=minReadySeconds"`
+
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty" protobuf:"varint,6,opt,name=revisionHistoryLimit"`
+
+	// Indicates that the deployment is paused.
+	// +optional
+	Paused bool `json:"paused,omitempty" protobuf:"varint,7,opt,name=paused"`
+
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	ProgressDeadlineSeconds *int32 `json:"progressDeadlineSeconds,omitempty" protobuf:"varint,9,opt,name=progressDeadlineSeconds"`
+}
+
+const (
+	// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
+	// to existing RCs (and label key that is added to its pods) to prevent the existing RCs
+	// to select new pods (and old pods being select by new RC).
+	DefaultDeploymentUniqueLabelKey string = "pod-template-hash"
+)
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+type DeploymentStrategy struct {
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	// +optional
+	Type DeploymentStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=DeploymentStrategyType"`
+
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
+	// +optional
+	RollingUpdate *RollingUpdateDeployment `json:"rollingUpdate,omitempty" protobuf:"bytes,2,opt,name=rollingUpdate"`
+}
+
+type DeploymentStrategyType string
+
+const (
+	// Kill all existing pods before creating new ones.
+	RecreateDeploymentStrategyType DeploymentStrategyType = "Recreate"
+
+	// Replace the old RCs by new one using rolling update i.e gradually scale down the old RCs and scale up the new one.
+	RollingUpdateDeploymentStrategyType DeploymentStrategyType = "RollingUpdate"
+)
+
+// Spec to control the desired behavior of rolling update.
+type RollingUpdateDeployment struct {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old RC
+	// can be scaled down further, followed by scaling up the new RC, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
+	// +optional
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,1,opt,name=maxUnavailable"`
+
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new RC can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new RC can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is atmost 130% of desired pods.
+	// +optional
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty" protobuf:"bytes,2,opt,name=maxSurge"`
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+type DeploymentStatus struct {
+	// The generation observed by the deployment controller.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
+
+	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+	// +optional
+	Replicas int32 `json:"replicas,omitempty" protobuf:"varint,2,opt,name=replicas"`
+
+	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+	// +optional
+	UpdatedReplicas int32 `json:"updatedReplicas,omitempty" protobuf:"varint,3,opt,name=updatedReplicas"`
+
+	// Total number of ready pods targeted by this deployment.
+	// +optional
+	ReadyReplicas int32 `json:"readyReplicas,omitempty" protobuf:"varint,7,opt,name=readyReplicas"`
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+	// +optional
+	AvailableReplicas int32 `json:"availableReplicas,omitempty" protobuf:"varint,4,opt,name=availableReplicas"`
+
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	// +optional
+	UnavailableReplicas int32 `json:"unavailableReplicas,omitempty" protobuf:"varint,5,opt,name=unavailableReplicas"`
+
+	// Represents the latest available observations of a deployment's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []DeploymentCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,6,rep,name=conditions"`
+
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	// +optional
+	CollisionCount *int32 `json:"collisionCount,omitempty" protobuf:"varint,8,opt,name=collisionCount"`
+}
+
+type DeploymentConditionType string
+
+// These are valid conditions of a deployment.
+const (
+	// Available means the deployment is available, ie. at least the minimum available
+	// replicas required are up and running for at least minReadySeconds.
+	DeploymentAvailable DeploymentConditionType = "Available"
+	// Progressing means the deployment is progressing. Progress for a deployment is
+	// considered when a new replica set is created or adopted, and when new pods scale
+	// up or old pods scale down. Progress is not estimated for paused deployments or
+	// when progressDeadlineSeconds is not specified.
+	DeploymentProgressing DeploymentConditionType = "Progressing"
+	// ReplicaFailure is added in a deployment when one of its pods fails to be created
+	// or deleted.
+	DeploymentReplicaFailure DeploymentConditionType = "ReplicaFailure"
+)
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+type DeploymentCondition struct {
+	// Type of deployment condition.
+	Type DeploymentConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=DeploymentConditionType"`
+	// Status of the condition, one of True, False, Unknown.
+	Status v1.ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"`
+	// The last time this condition was updated.
+	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty" protobuf:"bytes,6,opt,name=lastUpdateTime"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,7,opt,name=lastTransitionTime"`
+	// The reason for the condition's last transition.
+	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
+	// A human readable message indicating details about the transition.
+	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DeploymentList is a list of Deployments.
+type DeploymentList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of Deployments.
+	Items []Deployment `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
+type DaemonSetUpdateStrategy struct {
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	// +optional
+	Type DaemonSetUpdateStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"`
+
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
+	// +optional
+	RollingUpdate *RollingUpdateDaemonSet `json:"rollingUpdate,omitempty" protobuf:"bytes,2,opt,name=rollingUpdate"`
+}
+
+type DaemonSetUpdateStrategyType string
+
+const (
+	// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
+	RollingUpdateDaemonSetStrategyType DaemonSetUpdateStrategyType = "RollingUpdate"
+
+	// Replace the old daemons only when it's killed
+	OnDeleteDaemonSetStrategyType DaemonSetUpdateStrategyType = "OnDelete"
+)
+
+// Spec to control the desired behavior of daemon set rolling update.
+type RollingUpdateDaemonSet struct {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0.
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given
+	// time. The update starts by stopping at most 30% of those DaemonSet pods
+	// and then brings up new DaemonSet pods in their place. Once the new pods
+	// are available, it then proceeds onto other DaemonSet pods, thus ensuring
+	// that at least 70% of original number of DaemonSet pods are available at
+	// all times during the update.
+	// +optional
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,1,opt,name=maxUnavailable"`
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+type DaemonSetSpec struct {
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *metav1.LabelSelector `json:"selector" protobuf:"bytes,1,opt,name=selector"`
+
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	Template v1.PodTemplateSpec `json:"template" protobuf:"bytes,2,opt,name=template"`
+
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	// +optional
+	UpdateStrategy DaemonSetUpdateStrategy `json:"updateStrategy,omitempty" protobuf:"bytes,3,opt,name=updateStrategy"`
+
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	// +optional
+	MinReadySeconds int32 `json:"minReadySeconds,omitempty" protobuf:"varint,4,opt,name=minReadySeconds"`
+
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty" protobuf:"varint,6,opt,name=revisionHistoryLimit"`
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+type DaemonSetStatus struct {
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	CurrentNumberScheduled int32 `json:"currentNumberScheduled" protobuf:"varint,1,opt,name=currentNumberScheduled"`
+
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	NumberMisscheduled int32 `json:"numberMisscheduled" protobuf:"varint,2,opt,name=numberMisscheduled"`
+
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	DesiredNumberScheduled int32 `json:"desiredNumberScheduled" protobuf:"varint,3,opt,name=desiredNumberScheduled"`
+
+	// The number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running and ready.
+	NumberReady int32 `json:"numberReady" protobuf:"varint,4,opt,name=numberReady"`
+
+	// The most recent generation observed by the daemon set controller.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,5,opt,name=observedGeneration"`
+
+	// The total number of nodes that are running updated daemon pod
+	// +optional
+	UpdatedNumberScheduled int32 `json:"updatedNumberScheduled,omitempty" protobuf:"varint,6,opt,name=updatedNumberScheduled"`
+
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	// +optional
+	NumberAvailable int32 `json:"numberAvailable,omitempty" protobuf:"varint,7,opt,name=numberAvailable"`
+
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	// +optional
+	NumberUnavailable int32 `json:"numberUnavailable,omitempty" protobuf:"varint,8,opt,name=numberUnavailable"`
+
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	// +optional
+	CollisionCount *int32 `json:"collisionCount,omitempty" protobuf:"varint,9,opt,name=collisionCount"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DaemonSet represents the configuration of a daemon set.
+type DaemonSet struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec DaemonSetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status DaemonSetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+const (
+	// DEPRECATED: DefaultDaemonSetUniqueLabelKey is used instead.
+	// DaemonSetTemplateGenerationKey is the key of the labels that is added
+	// to daemon set pods to distinguish between old and new pod templates
+	// during DaemonSet template update.
+	DaemonSetTemplateGenerationKey string = "pod-template-generation"
+
+	// DefaultDaemonSetUniqueLabelKey is the default label key that is added
+	// to existing DaemonSet pods to distinguish between old and new
+	// DaemonSet pods during DaemonSet template updates.
+	DefaultDaemonSetUniqueLabelKey = ControllerRevisionHashLabelKey
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DaemonSetList is a collection of daemon sets.
+type DaemonSetList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// A list of daemon sets.
+	Items []DaemonSet `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ReplicaSet represents the configuration of a ReplicaSet.
+type ReplicaSet struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec ReplicaSetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status ReplicaSetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ReplicaSetList is a collection of ReplicaSets.
+type ReplicaSetList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of ReplicaSets.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+	Items []ReplicaSet `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+type ReplicaSetSpec struct {
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	MinReadySeconds int32 `json:"minReadySeconds,omitempty" protobuf:"varint,4,opt,name=minReadySeconds"`
+
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	Selector *metav1.LabelSelector `json:"selector" protobuf:"bytes,2,opt,name=selector"`
+
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	// +optional
+	Template v1.PodTemplateSpec `json:"template,omitempty" protobuf:"bytes,3,opt,name=template"`
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+type ReplicaSetStatus struct {
+	// Replicas is the most recently oberved number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	Replicas int32 `json:"replicas" protobuf:"varint,1,opt,name=replicas"`
+
+	// The number of pods that have labels matching the labels of the pod template of the replicaset.
+	// +optional
+	FullyLabeledReplicas int32 `json:"fullyLabeledReplicas,omitempty" protobuf:"varint,2,opt,name=fullyLabeledReplicas"`
+
+	// The number of ready replicas for this replica set.
+	// +optional
+	ReadyReplicas int32 `json:"readyReplicas,omitempty" protobuf:"varint,4,opt,name=readyReplicas"`
+
+	// The number of available replicas (ready for at least minReadySeconds) for this replica set.
+	// +optional
+	AvailableReplicas int32 `json:"availableReplicas,omitempty" protobuf:"varint,5,opt,name=availableReplicas"`
+
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,3,opt,name=observedGeneration"`
+
+	// Represents the latest available observations of a replica set's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []ReplicaSetCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,6,rep,name=conditions"`
+}
+
+type ReplicaSetConditionType string
+
+// These are valid conditions of a replica set.
+const (
+	// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
+	// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
+	// due to kubelet being down or finalizers are failing.
+	ReplicaSetReplicaFailure ReplicaSetConditionType = "ReplicaFailure"
+)
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+type ReplicaSetCondition struct {
+	// Type of replica set condition.
+	Type ReplicaSetConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=ReplicaSetConditionType"`
+	// Status of the condition, one of True, False, Unknown.
+	Status v1.ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"`
+	// The last time the condition transitioned from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,3,opt,name=lastTransitionTime"`
+	// The reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
+	// A human readable message indicating details about the transition.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+type ControllerRevision struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Data is the serialized representation of the state.
+	Data runtime.RawExtension `json:"data,omitempty" protobuf:"bytes,2,opt,name=data"`
+
+	// Revision indicates the revision of the state represented by Data.
+	Revision int64 `json:"revision" protobuf:"varint,3,opt,name=revision"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+type ControllerRevisionList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of ControllerRevisions
+	Items []ControllerRevision `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/apps/v1beta2/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/apps/v1beta2/types_swagger_doc_generated.go
new file mode 100644
index 00000000..cbfa9ea8
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta2/types_swagger_doc_generated.go
@@ -0,0 +1,368 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_ControllerRevision = map[string]string{
+	"":         "ControllerRevision implements an immutable snapshot of state data. Clients are responsible for serializing and deserializing the objects that contain their internal state. Once a ControllerRevision has been successfully created, it can not be updated. The API Server will fail validation of all requests that attempt to mutate the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, it may be subject to name and representation changes in future releases, and clients should not depend on its stability. It is primarily for internal use by controllers.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"data":     "Data is the serialized representation of the state.",
+	"revision": "Revision indicates the revision of the state represented by Data.",
+}
+
+func (ControllerRevision) SwaggerDoc() map[string]string {
+	return map_ControllerRevision
+}
+
+var map_ControllerRevisionList = map[string]string{
+	"":         "ControllerRevisionList is a resource containing a list of ControllerRevision objects.",
+	"metadata": "More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is the list of ControllerRevisions",
+}
+
+func (ControllerRevisionList) SwaggerDoc() map[string]string {
+	return map_ControllerRevisionList
+}
+
+var map_DaemonSet = map[string]string{
+	"":         "DaemonSet represents the configuration of a daemon set.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "The desired behavior of this daemon set. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "The current status of this daemon set. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (DaemonSet) SwaggerDoc() map[string]string {
+	return map_DaemonSet
+}
+
+var map_DaemonSetList = map[string]string{
+	"":         "DaemonSetList is a collection of daemon sets.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "A list of daemon sets.",
+}
+
+func (DaemonSetList) SwaggerDoc() map[string]string {
+	return map_DaemonSetList
+}
+
+var map_DaemonSetSpec = map[string]string{
+	"":                     "DaemonSetSpec is the specification of a daemon set.",
+	"selector":             "A label query over pods that are managed by the daemon set. Must match in order to be controlled. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+	"template":             "An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template",
+	"updateStrategy":       "An update strategy to replace existing DaemonSet pods with new pods.",
+	"minReadySeconds":      "The minimum number of seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).",
+	"revisionHistoryLimit": "The number of old history to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.",
+}
+
+func (DaemonSetSpec) SwaggerDoc() map[string]string {
+	return map_DaemonSetSpec
+}
+
+var map_DaemonSetStatus = map[string]string{
+	"": "DaemonSetStatus represents the current status of a daemon set.",
+	"currentNumberScheduled": "The number of nodes that are running at least 1 daemon pod and are supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",
+	"numberMisscheduled":     "The number of nodes that are running the daemon pod, but are not supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",
+	"desiredNumberScheduled": "The total number of nodes that should be running the daemon pod (including nodes correctly running the daemon pod). More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",
+	"numberReady":            "The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and ready.",
+	"observedGeneration":     "The most recent generation observed by the daemon set controller.",
+	"updatedNumberScheduled": "The total number of nodes that are running updated daemon pod",
+	"numberAvailable":        "The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and available (ready for at least spec.minReadySeconds)",
+	"numberUnavailable":      "The number of nodes that should be running the daemon pod and have none of the daemon pod running and available (ready for at least spec.minReadySeconds)",
+	"collisionCount":         "Count of hash collisions for the DaemonSet. The DaemonSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.",
+}
+
+func (DaemonSetStatus) SwaggerDoc() map[string]string {
+	return map_DaemonSetStatus
+}
+
+var map_DaemonSetUpdateStrategy = map[string]string{
+	"":              "DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.",
+	"type":          "Type of daemon set update. Can be \"RollingUpdate\" or \"OnDelete\". Default is RollingUpdate.",
+	"rollingUpdate": "Rolling update config params. Present only if type = \"RollingUpdate\".",
+}
+
+func (DaemonSetUpdateStrategy) SwaggerDoc() map[string]string {
+	return map_DaemonSetUpdateStrategy
+}
+
+var map_Deployment = map[string]string{
+	"":         "Deployment enables declarative updates for Pods and ReplicaSets.",
+	"metadata": "Standard object metadata.",
+	"spec":     "Specification of the desired behavior of the Deployment.",
+	"status":   "Most recently observed status of the Deployment.",
+}
+
+func (Deployment) SwaggerDoc() map[string]string {
+	return map_Deployment
+}
+
+var map_DeploymentCondition = map[string]string{
+	"":                   "DeploymentCondition describes the state of a deployment at a certain point.",
+	"type":               "Type of deployment condition.",
+	"status":             "Status of the condition, one of True, False, Unknown.",
+	"lastUpdateTime":     "The last time this condition was updated.",
+	"lastTransitionTime": "Last time the condition transitioned from one status to another.",
+	"reason":             "The reason for the condition's last transition.",
+	"message":            "A human readable message indicating details about the transition.",
+}
+
+func (DeploymentCondition) SwaggerDoc() map[string]string {
+	return map_DeploymentCondition
+}
+
+var map_DeploymentList = map[string]string{
+	"":         "DeploymentList is a list of Deployments.",
+	"metadata": "Standard list metadata.",
+	"items":    "Items is the list of Deployments.",
+}
+
+func (DeploymentList) SwaggerDoc() map[string]string {
+	return map_DeploymentList
+}
+
+var map_DeploymentSpec = map[string]string{
+	"":                        "DeploymentSpec is the specification of the desired behavior of the Deployment.",
+	"replicas":                "Number of desired pods. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1.",
+	"selector":                "Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment. It must match the pod template's labels.",
+	"template":                "Template describes the pods that will be created.",
+	"strategy":                "The deployment strategy to use to replace existing pods with new ones.",
+	"minReadySeconds":         "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)",
+	"revisionHistoryLimit":    "The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.",
+	"paused":                  "Indicates that the deployment is paused.",
+	"progressDeadlineSeconds": "The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. Defaults to 600s.",
+}
+
+func (DeploymentSpec) SwaggerDoc() map[string]string {
+	return map_DeploymentSpec
+}
+
+var map_DeploymentStatus = map[string]string{
+	"":                    "DeploymentStatus is the most recently observed status of the Deployment.",
+	"observedGeneration":  "The generation observed by the deployment controller.",
+	"replicas":            "Total number of non-terminated pods targeted by this deployment (their labels match the selector).",
+	"updatedReplicas":     "Total number of non-terminated pods targeted by this deployment that have the desired template spec.",
+	"readyReplicas":       "Total number of ready pods targeted by this deployment.",
+	"availableReplicas":   "Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.",
+	"unavailableReplicas": "Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created.",
+	"conditions":          "Represents the latest available observations of a deployment's current state.",
+	"collisionCount":      "Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.",
+}
+
+func (DeploymentStatus) SwaggerDoc() map[string]string {
+	return map_DeploymentStatus
+}
+
+var map_DeploymentStrategy = map[string]string{
+	"":              "DeploymentStrategy describes how to replace existing pods with new ones.",
+	"type":          "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate.",
+	"rollingUpdate": "Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate.",
+}
+
+func (DeploymentStrategy) SwaggerDoc() map[string]string {
+	return map_DeploymentStrategy
+}
+
+var map_ReplicaSet = map[string]string{
+	"":         "ReplicaSet represents the configuration of a ReplicaSet.",
+	"metadata": "If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Status is the most recently observed status of the ReplicaSet. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (ReplicaSet) SwaggerDoc() map[string]string {
+	return map_ReplicaSet
+}
+
+var map_ReplicaSetCondition = map[string]string{
+	"":                   "ReplicaSetCondition describes the state of a replica set at a certain point.",
+	"type":               "Type of replica set condition.",
+	"status":             "Status of the condition, one of True, False, Unknown.",
+	"lastTransitionTime": "The last time the condition transitioned from one status to another.",
+	"reason":             "The reason for the condition's last transition.",
+	"message":            "A human readable message indicating details about the transition.",
+}
+
+func (ReplicaSetCondition) SwaggerDoc() map[string]string {
+	return map_ReplicaSetCondition
+}
+
+var map_ReplicaSetList = map[string]string{
+	"":         "ReplicaSetList is a collection of ReplicaSets.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of ReplicaSets. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller",
+}
+
+func (ReplicaSetList) SwaggerDoc() map[string]string {
+	return map_ReplicaSetList
+}
+
+var map_ReplicaSetSpec = map[string]string{
+	"":                "ReplicaSetSpec is the specification of a ReplicaSet.",
+	"replicas":        "Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller",
+	"minReadySeconds": "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)",
+	"selector":        "Selector is a label query over pods that should match the replica count. Label keys and values that must match in order to be controlled by this replica set. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+	"template":        "Template is the object that describes the pod that will be created if insufficient replicas are detected. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template",
+}
+
+func (ReplicaSetSpec) SwaggerDoc() map[string]string {
+	return map_ReplicaSetSpec
+}
+
+var map_ReplicaSetStatus = map[string]string{
+	"":                     "ReplicaSetStatus represents the current status of a ReplicaSet.",
+	"replicas":             "Replicas is the most recently oberved number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller",
+	"fullyLabeledReplicas": "The number of pods that have labels matching the labels of the pod template of the replicaset.",
+	"readyReplicas":        "The number of ready replicas for this replica set.",
+	"availableReplicas":    "The number of available replicas (ready for at least minReadySeconds) for this replica set.",
+	"observedGeneration":   "ObservedGeneration reflects the generation of the most recently observed ReplicaSet.",
+	"conditions":           "Represents the latest available observations of a replica set's current state.",
+}
+
+func (ReplicaSetStatus) SwaggerDoc() map[string]string {
+	return map_ReplicaSetStatus
+}
+
+var map_RollingUpdateDaemonSet = map[string]string{
+	"":               "Spec to control the desired behavior of daemon set rolling update.",
+	"maxUnavailable": "The maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding up. This cannot be 0. Default value is 1. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.",
+}
+
+func (RollingUpdateDaemonSet) SwaggerDoc() map[string]string {
+	return map_RollingUpdateDaemonSet
+}
+
+var map_RollingUpdateDeployment = map[string]string{
+	"":               "Spec to control the desired behavior of rolling update.",
+	"maxUnavailable": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old RC can be scaled down further, followed by scaling up the new RC, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.",
+	"maxSurge":       "The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new RC can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new RC can be scaled up further, ensuring that total number of pods running at any time during the update is atmost 130% of desired pods.",
+}
+
+func (RollingUpdateDeployment) SwaggerDoc() map[string]string {
+	return map_RollingUpdateDeployment
+}
+
+var map_RollingUpdateStatefulSetStrategy = map[string]string{
+	"":          "RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.",
+	"partition": "Partition indicates the ordinal at which the StatefulSet should be partitioned. Default value is 0.",
+}
+
+func (RollingUpdateStatefulSetStrategy) SwaggerDoc() map[string]string {
+	return map_RollingUpdateStatefulSetStrategy
+}
+
+var map_Scale = map[string]string{
+	"":         "Scale represents a scaling request for a resource.",
+	"metadata": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.",
+	"spec":     "defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.",
+	"status":   "current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.",
+}
+
+func (Scale) SwaggerDoc() map[string]string {
+	return map_Scale
+}
+
+var map_ScaleSpec = map[string]string{
+	"":         "ScaleSpec describes the attributes of a scale subresource",
+	"replicas": "desired number of instances for the scaled object.",
+}
+
+func (ScaleSpec) SwaggerDoc() map[string]string {
+	return map_ScaleSpec
+}
+
+var map_ScaleStatus = map[string]string{
+	"":               "ScaleStatus represents the current status of a scale subresource.",
+	"replicas":       "actual number of observed instances of the scaled object.",
+	"selector":       "label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors",
+	"targetSelector": "label selector for pods that should match the replicas count. This is a serializated version of both map-based and more expressive set-based selectors. This is done to avoid introspection in the clients. The string will be in the same format as the query-param syntax. If the target type only supports map-based selectors, both this field and map-based selector field are populated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+}
+
+func (ScaleStatus) SwaggerDoc() map[string]string {
+	return map_ScaleStatus
+}
+
+var map_StatefulSet = map[string]string{
+	"":       "StatefulSet represents a set of pods with consistent identities. Identities are defined as:\n - Network: A single stable DNS and hostname.\n - Storage: As many VolumeClaims as requested.\nThe StatefulSet guarantees that a given network identity will always map to the same storage identity.",
+	"spec":   "Spec defines the desired identities of pods in this set.",
+	"status": "Status is the current status of Pods in this StatefulSet. This data may be out of date by some window of time.",
+}
+
+func (StatefulSet) SwaggerDoc() map[string]string {
+	return map_StatefulSet
+}
+
+var map_StatefulSetList = map[string]string{
+	"": "StatefulSetList is a collection of StatefulSets.",
+}
+
+func (StatefulSetList) SwaggerDoc() map[string]string {
+	return map_StatefulSetList
+}
+
+var map_StatefulSetSpec = map[string]string{
+	"":                     "A StatefulSetSpec is the specification of a StatefulSet.",
+	"replicas":             "replicas is the desired number of replicas of the given Template. These are replicas in the sense that they are instantiations of the same Template, but individual replicas also have a consistent identity. If unspecified, defaults to 1.",
+	"selector":             "selector is a label query over pods that should match the replica count. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+	"template":             "template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet.",
+	"volumeClaimTemplates": "volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volumes in the template, with the same name.",
+	"serviceName":          "serviceName is the name of the service that governs this StatefulSet. This service must exist before the StatefulSet, and is responsible for the network identity of the set. Pods get DNS/hostnames that follow the pattern: pod-specific-string.serviceName.default.svc.cluster.local where \"pod-specific-string\" is managed by the StatefulSet controller.",
+	"podManagementPolicy":  "podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each pod is ready before continuing. When scaling down, the pods are removed in the opposite order. The alternative policy is `Parallel` which will create pods in parallel to match the desired scale without waiting, and on scale down will delete all pods at once.",
+	"updateStrategy":       "updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template.",
+	"revisionHistoryLimit": "revisionHistoryLimit is the maximum number of revisions that will be maintained in the StatefulSet's revision history. The revision history consists of all revisions not represented by a currently applied StatefulSetSpec version. The default value is 10.",
+}
+
+func (StatefulSetSpec) SwaggerDoc() map[string]string {
+	return map_StatefulSetSpec
+}
+
+var map_StatefulSetStatus = map[string]string{
+	"":                   "StatefulSetStatus represents the current state of a StatefulSet.",
+	"observedGeneration": "observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the StatefulSet's generation, which is updated on mutation by the API Server.",
+	"replicas":           "replicas is the number of Pods created by the StatefulSet controller.",
+	"readyReplicas":      "readyReplicas is the number of Pods created by the StatefulSet controller that have a Ready Condition.",
+	"currentReplicas":    "currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by currentRevision.",
+	"updatedReplicas":    "updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by updateRevision.",
+	"currentRevision":    "currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [0,currentReplicas).",
+	"updateRevision":     "updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [replicas-updatedReplicas,replicas)",
+	"collisionCount":     "collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.",
+}
+
+func (StatefulSetStatus) SwaggerDoc() map[string]string {
+	return map_StatefulSetStatus
+}
+
+var map_StatefulSetUpdateStrategy = map[string]string{
+	"":              "StatefulSetUpdateStrategy indicates the strategy that the StatefulSet controller will use to perform updates. It includes any additional parameters necessary to perform the update for the indicated strategy.",
+	"type":          "Type indicates the type of the StatefulSetUpdateStrategy. Default is RollingUpdate.",
+	"rollingUpdate": "RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.",
+}
+
+func (StatefulSetUpdateStrategy) SwaggerDoc() map[string]string {
+	return map_StatefulSetUpdateStrategy
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/apps/v1beta2/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/apps/v1beta2/zz_generated.deepcopy.go
new file mode 100644
index 00000000..87d1dbf6
--- /dev/null
+++ b/cli/vendor/k8s.io/api/apps/v1beta2/zz_generated.deepcopy.go
@@ -0,0 +1,1017 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta2
+
+import (
+	core_v1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	intstr "k8s.io/apimachinery/pkg/util/intstr"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ControllerRevision).DeepCopyInto(out.(*ControllerRevision))
+			return nil
+		}, InType: reflect.TypeOf(&ControllerRevision{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ControllerRevisionList).DeepCopyInto(out.(*ControllerRevisionList))
+			return nil
+		}, InType: reflect.TypeOf(&ControllerRevisionList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonSet).DeepCopyInto(out.(*DaemonSet))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonSet{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonSetList).DeepCopyInto(out.(*DaemonSetList))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonSetList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonSetSpec).DeepCopyInto(out.(*DaemonSetSpec))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonSetSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonSetStatus).DeepCopyInto(out.(*DaemonSetStatus))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonSetStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonSetUpdateStrategy).DeepCopyInto(out.(*DaemonSetUpdateStrategy))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonSetUpdateStrategy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Deployment).DeepCopyInto(out.(*Deployment))
+			return nil
+		}, InType: reflect.TypeOf(&Deployment{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentCondition).DeepCopyInto(out.(*DeploymentCondition))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentList).DeepCopyInto(out.(*DeploymentList))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentSpec).DeepCopyInto(out.(*DeploymentSpec))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentStatus).DeepCopyInto(out.(*DeploymentStatus))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentStrategy).DeepCopyInto(out.(*DeploymentStrategy))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentStrategy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicaSet).DeepCopyInto(out.(*ReplicaSet))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicaSet{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicaSetCondition).DeepCopyInto(out.(*ReplicaSetCondition))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicaSetCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicaSetList).DeepCopyInto(out.(*ReplicaSetList))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicaSetList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicaSetSpec).DeepCopyInto(out.(*ReplicaSetSpec))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicaSetSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicaSetStatus).DeepCopyInto(out.(*ReplicaSetStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicaSetStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RollingUpdateDaemonSet).DeepCopyInto(out.(*RollingUpdateDaemonSet))
+			return nil
+		}, InType: reflect.TypeOf(&RollingUpdateDaemonSet{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RollingUpdateDeployment).DeepCopyInto(out.(*RollingUpdateDeployment))
+			return nil
+		}, InType: reflect.TypeOf(&RollingUpdateDeployment{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RollingUpdateStatefulSetStrategy).DeepCopyInto(out.(*RollingUpdateStatefulSetStrategy))
+			return nil
+		}, InType: reflect.TypeOf(&RollingUpdateStatefulSetStrategy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Scale).DeepCopyInto(out.(*Scale))
+			return nil
+		}, InType: reflect.TypeOf(&Scale{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ScaleSpec).DeepCopyInto(out.(*ScaleSpec))
+			return nil
+		}, InType: reflect.TypeOf(&ScaleSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ScaleStatus).DeepCopyInto(out.(*ScaleStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ScaleStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatefulSet).DeepCopyInto(out.(*StatefulSet))
+			return nil
+		}, InType: reflect.TypeOf(&StatefulSet{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatefulSetList).DeepCopyInto(out.(*StatefulSetList))
+			return nil
+		}, InType: reflect.TypeOf(&StatefulSetList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatefulSetSpec).DeepCopyInto(out.(*StatefulSetSpec))
+			return nil
+		}, InType: reflect.TypeOf(&StatefulSetSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatefulSetStatus).DeepCopyInto(out.(*StatefulSetStatus))
+			return nil
+		}, InType: reflect.TypeOf(&StatefulSetStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatefulSetUpdateStrategy).DeepCopyInto(out.(*StatefulSetUpdateStrategy))
+			return nil
+		}, InType: reflect.TypeOf(&StatefulSetUpdateStrategy{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ControllerRevision) DeepCopyInto(out *ControllerRevision) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Data.DeepCopyInto(&out.Data)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerRevision.
+func (in *ControllerRevision) DeepCopy() *ControllerRevision {
+	if in == nil {
+		return nil
+	}
+	out := new(ControllerRevision)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ControllerRevision) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ControllerRevisionList) DeepCopyInto(out *ControllerRevisionList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ControllerRevision, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerRevisionList.
+func (in *ControllerRevisionList) DeepCopy() *ControllerRevisionList {
+	if in == nil {
+		return nil
+	}
+	out := new(ControllerRevisionList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ControllerRevisionList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonSet) DeepCopyInto(out *DaemonSet) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonSet.
+func (in *DaemonSet) DeepCopy() *DaemonSet {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonSet)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DaemonSet) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonSetList) DeepCopyInto(out *DaemonSetList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]DaemonSet, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonSetList.
+func (in *DaemonSetList) DeepCopy() *DaemonSetList {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonSetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DaemonSetList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonSetSpec) DeepCopyInto(out *DaemonSetSpec) {
+	*out = *in
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	in.UpdateStrategy.DeepCopyInto(&out.UpdateStrategy)
+	if in.RevisionHistoryLimit != nil {
+		in, out := &in.RevisionHistoryLimit, &out.RevisionHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonSetSpec.
+func (in *DaemonSetSpec) DeepCopy() *DaemonSetSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonSetSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonSetStatus) DeepCopyInto(out *DaemonSetStatus) {
+	*out = *in
+	if in.CollisionCount != nil {
+		in, out := &in.CollisionCount, &out.CollisionCount
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonSetStatus.
+func (in *DaemonSetStatus) DeepCopy() *DaemonSetStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonSetStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonSetUpdateStrategy) DeepCopyInto(out *DaemonSetUpdateStrategy) {
+	*out = *in
+	if in.RollingUpdate != nil {
+		in, out := &in.RollingUpdate, &out.RollingUpdate
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RollingUpdateDaemonSet)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonSetUpdateStrategy.
+func (in *DaemonSetUpdateStrategy) DeepCopy() *DaemonSetUpdateStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonSetUpdateStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Deployment) DeepCopyInto(out *Deployment) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deployment.
+func (in *Deployment) DeepCopy() *Deployment {
+	if in == nil {
+		return nil
+	}
+	out := new(Deployment)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Deployment) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentCondition) DeepCopyInto(out *DeploymentCondition) {
+	*out = *in
+	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentCondition.
+func (in *DeploymentCondition) DeepCopy() *DeploymentCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentList) DeepCopyInto(out *DeploymentList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Deployment, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentList.
+func (in *DeploymentList) DeepCopy() *DeploymentList {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeploymentList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentSpec) DeepCopyInto(out *DeploymentSpec) {
+	*out = *in
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	in.Strategy.DeepCopyInto(&out.Strategy)
+	if in.RevisionHistoryLimit != nil {
+		in, out := &in.RevisionHistoryLimit, &out.RevisionHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.ProgressDeadlineSeconds != nil {
+		in, out := &in.ProgressDeadlineSeconds, &out.ProgressDeadlineSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentSpec.
+func (in *DeploymentSpec) DeepCopy() *DeploymentSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentStatus) DeepCopyInto(out *DeploymentStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]DeploymentCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CollisionCount != nil {
+		in, out := &in.CollisionCount, &out.CollisionCount
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStatus.
+func (in *DeploymentStatus) DeepCopy() *DeploymentStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentStrategy) DeepCopyInto(out *DeploymentStrategy) {
+	*out = *in
+	if in.RollingUpdate != nil {
+		in, out := &in.RollingUpdate, &out.RollingUpdate
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RollingUpdateDeployment)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStrategy.
+func (in *DeploymentStrategy) DeepCopy() *DeploymentStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicaSet) DeepCopyInto(out *ReplicaSet) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaSet.
+func (in *ReplicaSet) DeepCopy() *ReplicaSet {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicaSet)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ReplicaSet) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicaSetCondition) DeepCopyInto(out *ReplicaSetCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaSetCondition.
+func (in *ReplicaSetCondition) DeepCopy() *ReplicaSetCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicaSetCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicaSetList) DeepCopyInto(out *ReplicaSetList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ReplicaSet, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaSetList.
+func (in *ReplicaSetList) DeepCopy() *ReplicaSetList {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicaSetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ReplicaSetList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicaSetSpec) DeepCopyInto(out *ReplicaSetSpec) {
+	*out = *in
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaSetSpec.
+func (in *ReplicaSetSpec) DeepCopy() *ReplicaSetSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicaSetSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicaSetStatus) DeepCopyInto(out *ReplicaSetStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ReplicaSetCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaSetStatus.
+func (in *ReplicaSetStatus) DeepCopy() *ReplicaSetStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicaSetStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RollingUpdateDaemonSet) DeepCopyInto(out *RollingUpdateDaemonSet) {
+	*out = *in
+	if in.MaxUnavailable != nil {
+		in, out := &in.MaxUnavailable, &out.MaxUnavailable
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RollingUpdateDaemonSet.
+func (in *RollingUpdateDaemonSet) DeepCopy() *RollingUpdateDaemonSet {
+	if in == nil {
+		return nil
+	}
+	out := new(RollingUpdateDaemonSet)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RollingUpdateDeployment) DeepCopyInto(out *RollingUpdateDeployment) {
+	*out = *in
+	if in.MaxUnavailable != nil {
+		in, out := &in.MaxUnavailable, &out.MaxUnavailable
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	if in.MaxSurge != nil {
+		in, out := &in.MaxSurge, &out.MaxSurge
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RollingUpdateDeployment.
+func (in *RollingUpdateDeployment) DeepCopy() *RollingUpdateDeployment {
+	if in == nil {
+		return nil
+	}
+	out := new(RollingUpdateDeployment)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RollingUpdateStatefulSetStrategy) DeepCopyInto(out *RollingUpdateStatefulSetStrategy) {
+	*out = *in
+	if in.Partition != nil {
+		in, out := &in.Partition, &out.Partition
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RollingUpdateStatefulSetStrategy.
+func (in *RollingUpdateStatefulSetStrategy) DeepCopy() *RollingUpdateStatefulSetStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(RollingUpdateStatefulSetStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Scale) DeepCopyInto(out *Scale) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Scale.
+func (in *Scale) DeepCopy() *Scale {
+	if in == nil {
+		return nil
+	}
+	out := new(Scale)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Scale) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScaleSpec) DeepCopyInto(out *ScaleSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScaleSpec.
+func (in *ScaleSpec) DeepCopy() *ScaleSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ScaleSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScaleStatus) DeepCopyInto(out *ScaleStatus) {
+	*out = *in
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScaleStatus.
+func (in *ScaleStatus) DeepCopy() *ScaleStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ScaleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatefulSet) DeepCopyInto(out *StatefulSet) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSet.
+func (in *StatefulSet) DeepCopy() *StatefulSet {
+	if in == nil {
+		return nil
+	}
+	out := new(StatefulSet)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StatefulSet) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatefulSetList) DeepCopyInto(out *StatefulSetList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]StatefulSet, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSetList.
+func (in *StatefulSetList) DeepCopy() *StatefulSetList {
+	if in == nil {
+		return nil
+	}
+	out := new(StatefulSetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StatefulSetList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatefulSetSpec) DeepCopyInto(out *StatefulSetSpec) {
+	*out = *in
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	if in.VolumeClaimTemplates != nil {
+		in, out := &in.VolumeClaimTemplates, &out.VolumeClaimTemplates
+		*out = make([]core_v1.PersistentVolumeClaim, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.UpdateStrategy.DeepCopyInto(&out.UpdateStrategy)
+	if in.RevisionHistoryLimit != nil {
+		in, out := &in.RevisionHistoryLimit, &out.RevisionHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSetSpec.
+func (in *StatefulSetSpec) DeepCopy() *StatefulSetSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(StatefulSetSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatefulSetStatus) DeepCopyInto(out *StatefulSetStatus) {
+	*out = *in
+	if in.CollisionCount != nil {
+		in, out := &in.CollisionCount, &out.CollisionCount
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSetStatus.
+func (in *StatefulSetStatus) DeepCopy() *StatefulSetStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(StatefulSetStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatefulSetUpdateStrategy) DeepCopyInto(out *StatefulSetUpdateStrategy) {
+	*out = *in
+	if in.RollingUpdate != nil {
+		in, out := &in.RollingUpdate, &out.RollingUpdate
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RollingUpdateStatefulSetStrategy)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSetUpdateStrategy.
+func (in *StatefulSetUpdateStrategy) DeepCopy() *StatefulSetUpdateStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(StatefulSetUpdateStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/authentication/v1/doc.go b/cli/vendor/k8s.io/api/authentication/v1/doc.go
new file mode 100644
index 00000000..15b117a4
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +groupName=authentication.k8s.io
+// +k8s:openapi-gen=true
+package v1 // import "k8s.io/api/authentication/v1"
diff --git a/cli/vendor/k8s.io/api/authentication/v1/generated.pb.go b/cli/vendor/k8s.io/api/authentication/v1/generated.pb.go
new file mode 100644
index 00000000..2e66666e
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1/generated.pb.go
@@ -0,0 +1,1302 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/authentication/v1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/authentication/v1/generated.proto
+
+	It has these top-level messages:
+		ExtraValue
+		TokenReview
+		TokenReviewSpec
+		TokenReviewStatus
+		UserInfo
+*/
+package v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *ExtraValue) Reset()                    { *m = ExtraValue{} }
+func (*ExtraValue) ProtoMessage()               {}
+func (*ExtraValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *TokenReview) Reset()                    { *m = TokenReview{} }
+func (*TokenReview) ProtoMessage()               {}
+func (*TokenReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *TokenReviewSpec) Reset()                    { *m = TokenReviewSpec{} }
+func (*TokenReviewSpec) ProtoMessage()               {}
+func (*TokenReviewSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *TokenReviewStatus) Reset()                    { *m = TokenReviewStatus{} }
+func (*TokenReviewStatus) ProtoMessage()               {}
+func (*TokenReviewStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *UserInfo) Reset()                    { *m = UserInfo{} }
+func (*UserInfo) ProtoMessage()               {}
+func (*UserInfo) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func init() {
+	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authentication.v1.ExtraValue")
+	proto.RegisterType((*TokenReview)(nil), "k8s.io.api.authentication.v1.TokenReview")
+	proto.RegisterType((*TokenReviewSpec)(nil), "k8s.io.api.authentication.v1.TokenReviewSpec")
+	proto.RegisterType((*TokenReviewStatus)(nil), "k8s.io.api.authentication.v1.TokenReviewStatus")
+	proto.RegisterType((*UserInfo)(nil), "k8s.io.api.authentication.v1.UserInfo")
+}
+func (m ExtraValue) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m ExtraValue) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *TokenReview) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TokenReview) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n3, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *TokenReviewSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TokenReviewSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Token)))
+	i += copy(dAtA[i:], m.Token)
+	return i, nil
+}
+
+func (m *TokenReviewStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TokenReviewStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	if m.Authenticated {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.User.Size()))
+	n4, err := m.User.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Error)))
+	i += copy(dAtA[i:], m.Error)
+	return i, nil
+}
+
+func (m *UserInfo) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *UserInfo) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Username)))
+	i += copy(dAtA[i:], m.Username)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID)))
+	i += copy(dAtA[i:], m.UID)
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Extra) > 0 {
+		keysForExtra := make([]string, 0, len(m.Extra))
+		for k := range m.Extra {
+			keysForExtra = append(keysForExtra, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		for _, k := range keysForExtra {
+			dAtA[i] = 0x22
+			i++
+			v := m.Extra[string(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n5, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n5
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m ExtraValue) Size() (n int) {
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *TokenReview) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *TokenReviewSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Token)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *TokenReviewStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 2
+	l = m.User.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Error)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *UserInfo) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Username)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.UID)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Extra) > 0 {
+		for k, v := range m.Extra {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *TokenReview) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TokenReview{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "TokenReviewSpec", "TokenReviewSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "TokenReviewStatus", "TokenReviewStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *TokenReviewSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TokenReviewSpec{`,
+		`Token:` + fmt.Sprintf("%v", this.Token) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *TokenReviewStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TokenReviewStatus{`,
+		`Authenticated:` + fmt.Sprintf("%v", this.Authenticated) + `,`,
+		`User:` + strings.Replace(strings.Replace(this.User.String(), "UserInfo", "UserInfo", 1), `&`, ``, 1) + `,`,
+		`Error:` + fmt.Sprintf("%v", this.Error) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *UserInfo) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForExtra := make([]string, 0, len(this.Extra))
+	for k := range this.Extra {
+		keysForExtra = append(keysForExtra, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	mapStringForExtra := "map[string]ExtraValue{"
+	for _, k := range keysForExtra {
+		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
+	}
+	mapStringForExtra += "}"
+	s := strings.Join([]string{`&UserInfo{`,
+		`Username:` + fmt.Sprintf("%v", this.Username) + `,`,
+		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
+		`Groups:` + fmt.Sprintf("%v", this.Groups) + `,`,
+		`Extra:` + mapStringForExtra + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *ExtraValue) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExtraValue: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExtraValue: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			*m = append(*m, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TokenReview) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TokenReview: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TokenReview: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TokenReviewSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TokenReviewSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TokenReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Token", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Token = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TokenReviewStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TokenReviewStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TokenReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Authenticated", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Authenticated = bool(v != 0)
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field User", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.User.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Error = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *UserInfo) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: UserInfo: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: UserInfo: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Username", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Username = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Extra", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Extra == nil {
+				m.Extra = make(map[string]ExtraValue)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &ExtraValue{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Extra[mapkey] = *mapvalue
+			} else {
+				var mapvalue ExtraValue
+				m.Extra[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/authentication/v1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 642 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x53, 0x4d, 0x6f, 0xd3, 0x40,
+	0x10, 0xb5, 0xf3, 0x51, 0x25, 0x1b, 0x0a, 0x65, 0x25, 0xa4, 0x28, 0x02, 0x27, 0x0a, 0x12, 0xca,
+	0x81, 0xae, 0x49, 0x41, 0xa5, 0x2a, 0x12, 0x12, 0x16, 0x11, 0xf4, 0x80, 0x2a, 0x2d, 0xb4, 0x48,
+	0x9c, 0xd8, 0x38, 0x53, 0xc7, 0xa4, 0xfe, 0xd0, 0x7a, 0x6d, 0xe8, 0xad, 0x3f, 0x81, 0x23, 0xdc,
+	0xf8, 0x17, 0x1c, 0xb9, 0xf6, 0xd8, 0x63, 0x0f, 0xa8, 0xa2, 0xe6, 0x8f, 0xa0, 0x5d, 0x2f, 0x4d,
+	0xda, 0xd2, 0xd0, 0x9b, 0xf7, 0xcd, 0x7b, 0x6f, 0x67, 0x9e, 0x77, 0xd0, 0x60, 0xb2, 0x96, 0x10,
+	0x3f, 0xb2, 0x27, 0xe9, 0x10, 0x78, 0x08, 0x02, 0x12, 0x3b, 0x83, 0x70, 0x14, 0x71, 0x5b, 0x17,
+	0x58, 0xec, 0xdb, 0x2c, 0x15, 0x63, 0x08, 0x85, 0xef, 0x32, 0xe1, 0x47, 0xa1, 0x9d, 0xf5, 0x6d,
+	0x0f, 0x42, 0xe0, 0x4c, 0xc0, 0x88, 0xc4, 0x3c, 0x12, 0x11, 0xbe, 0x5d, 0xb0, 0x09, 0x8b, 0x7d,
+	0x72, 0x96, 0x4d, 0xb2, 0x7e, 0x6b, 0xd9, 0xf3, 0xc5, 0x38, 0x1d, 0x12, 0x37, 0x0a, 0x6c, 0x2f,
+	0xf2, 0x22, 0x5b, 0x89, 0x86, 0xe9, 0x8e, 0x3a, 0xa9, 0x83, 0xfa, 0x2a, 0xcc, 0x5a, 0x8f, 0xa6,
+	0x57, 0x07, 0xcc, 0x1d, 0xfb, 0x21, 0xf0, 0x3d, 0x3b, 0x9e, 0x78, 0x12, 0x48, 0xec, 0x00, 0x04,
+	0xfb, 0x47, 0x0b, 0x2d, 0xfb, 0x32, 0x15, 0x4f, 0x43, 0xe1, 0x07, 0x70, 0x41, 0xb0, 0xfa, 0x3f,
+	0x41, 0xe2, 0x8e, 0x21, 0x60, 0x17, 0x74, 0x0f, 0x2f, 0xd3, 0xa5, 0xc2, 0xdf, 0xb5, 0xfd, 0x50,
+	0x24, 0x82, 0x9f, 0x17, 0x75, 0x1f, 0x23, 0x34, 0xf8, 0x24, 0x38, 0xdb, 0x66, 0xbb, 0x29, 0xe0,
+	0x36, 0xaa, 0xfa, 0x02, 0x82, 0xa4, 0x69, 0x76, 0xca, 0xbd, 0xba, 0x53, 0xcf, 0x8f, 0xdb, 0xd5,
+	0x0d, 0x09, 0xd0, 0x02, 0x5f, 0xaf, 0x7d, 0xf9, 0xd6, 0x36, 0xf6, 0x7f, 0x76, 0x8c, 0xee, 0xd7,
+	0x12, 0x6a, 0xbc, 0x89, 0x26, 0x10, 0x52, 0xc8, 0x7c, 0xf8, 0x88, 0xdf, 0xa3, 0x9a, 0x4c, 0x60,
+	0xc4, 0x04, 0x6b, 0x9a, 0x1d, 0xb3, 0xd7, 0x58, 0x79, 0x40, 0xa6, 0xe1, 0x9f, 0x36, 0x44, 0xe2,
+	0x89, 0x27, 0x81, 0x84, 0x48, 0x36, 0xc9, 0xfa, 0x64, 0x73, 0xf8, 0x01, 0x5c, 0xf1, 0x0a, 0x04,
+	0x73, 0xf0, 0xc1, 0x71, 0xdb, 0xc8, 0x8f, 0xdb, 0x68, 0x8a, 0xd1, 0x53, 0x57, 0xbc, 0x89, 0x2a,
+	0x49, 0x0c, 0x6e, 0xb3, 0xa4, 0xdc, 0x97, 0xc9, 0xbc, 0x5f, 0x4b, 0x66, 0x5a, 0x7b, 0x1d, 0x83,
+	0xeb, 0x5c, 0xd3, 0xd6, 0x15, 0x79, 0xa2, 0xca, 0x08, 0xbf, 0x45, 0x0b, 0x89, 0x60, 0x22, 0x4d,
+	0x9a, 0x65, 0x65, 0x69, 0x5f, 0xdd, 0x52, 0xc9, 0x9c, 0xeb, 0xda, 0x74, 0xa1, 0x38, 0x53, 0x6d,
+	0xd7, 0x5d, 0x45, 0x37, 0xce, 0xdd, 0x8f, 0xef, 0xa2, 0xaa, 0x90, 0x90, 0xca, 0xa6, 0xee, 0x2c,
+	0x6a, 0x65, 0xb5, 0xe0, 0x15, 0xb5, 0xee, 0x0f, 0x13, 0xdd, 0xbc, 0x70, 0x0b, 0x7e, 0x82, 0x16,
+	0x67, 0x9a, 0x81, 0x91, 0xb2, 0xa8, 0x39, 0xb7, 0xb4, 0xc5, 0xe2, 0xb3, 0xd9, 0x22, 0x3d, 0xcb,
+	0xc5, 0x2f, 0x51, 0x25, 0x4d, 0x80, 0xeb, 0xd0, 0xee, 0xcd, 0x9f, 0x70, 0x2b, 0x01, 0xbe, 0x11,
+	0xee, 0x44, 0xd3, 0xb4, 0x24, 0x42, 0x95, 0x83, 0x9c, 0x00, 0x38, 0x8f, 0xb8, 0x0a, 0x6b, 0x66,
+	0x82, 0x81, 0x04, 0x69, 0x51, 0xeb, 0x7e, 0x2f, 0xa1, 0xda, 0x5f, 0x17, 0x7c, 0x1f, 0xd5, 0xa4,
+	0x32, 0x64, 0x01, 0xe8, 0xb1, 0x97, 0xb4, 0x48, 0x71, 0x24, 0x4e, 0x4f, 0x19, 0xf8, 0x0e, 0x2a,
+	0xa7, 0xfe, 0x48, 0x35, 0x5a, 0x77, 0x1a, 0x9a, 0x58, 0xde, 0xda, 0x78, 0x4e, 0x25, 0x8e, 0xbb,
+	0x68, 0xc1, 0xe3, 0x51, 0x1a, 0xcb, 0x9f, 0x25, 0xdf, 0x26, 0x92, 0xb9, 0xbf, 0x50, 0x08, 0xd5,
+	0x15, 0xbc, 0x8d, 0xaa, 0x20, 0x1f, 0x73, 0xb3, 0xd2, 0x29, 0xf7, 0x1a, 0x2b, 0xfd, 0xab, 0x4d,
+	0x4b, 0xd4, 0x02, 0x0c, 0x42, 0xc1, 0xf7, 0x66, 0xa6, 0x92, 0x18, 0x2d, 0xec, 0x5a, 0x43, 0xbd,
+	0x24, 0x8a, 0x83, 0x97, 0x50, 0x79, 0x02, 0x7b, 0xc5, 0x44, 0x54, 0x7e, 0xe2, 0xa7, 0xa8, 0x9a,
+	0xc9, 0xfd, 0xd1, 0x29, 0xf7, 0xe6, 0xdf, 0x3b, 0xdd, 0x37, 0x5a, 0xc8, 0xd6, 0x4b, 0x6b, 0xa6,
+	0xd3, 0x3b, 0x38, 0xb1, 0x8c, 0xc3, 0x13, 0xcb, 0x38, 0x3a, 0xb1, 0x8c, 0xfd, 0xdc, 0x32, 0x0f,
+	0x72, 0xcb, 0x3c, 0xcc, 0x2d, 0xf3, 0x28, 0xb7, 0xcc, 0x5f, 0xb9, 0x65, 0x7e, 0xfe, 0x6d, 0x19,
+	0xef, 0x4a, 0x59, 0xff, 0x4f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xeb, 0x3a, 0x3c, 0x31, 0x1b, 0x05,
+	0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/authentication/v1/generated.proto b/cli/vendor/k8s.io/api/authentication/v1/generated.proto
new file mode 100644
index 00000000..ea7b3b28
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1/generated.proto
@@ -0,0 +1,99 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.authentication.v1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1";
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message ExtraValue {
+  // items, if empty, will result in an empty slice
+
+  repeated string items = 1;
+}
+
+// TokenReview attempts to authenticate a token to a known user.
+// Note: TokenReview requests may be cached by the webhook token authenticator
+// plugin in the kube-apiserver.
+message TokenReview {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the request being evaluated
+  optional TokenReviewSpec spec = 2;
+
+  // Status is filled in by the server and indicates whether the request can be authenticated.
+  // +optional
+  optional TokenReviewStatus status = 3;
+}
+
+// TokenReviewSpec is a description of the token authentication request.
+message TokenReviewSpec {
+  // Token is the opaque bearer token.
+  // +optional
+  optional string token = 1;
+}
+
+// TokenReviewStatus is the result of the token authentication request.
+message TokenReviewStatus {
+  // Authenticated indicates that the token was associated with a known user.
+  // +optional
+  optional bool authenticated = 1;
+
+  // User is the UserInfo associated with the provided token.
+  // +optional
+  optional UserInfo user = 2;
+
+  // Error indicates that the token couldn't be checked
+  // +optional
+  optional string error = 3;
+}
+
+// UserInfo holds the information about the user needed to implement the
+// user.Info interface.
+message UserInfo {
+  // The name that uniquely identifies this user among all active users.
+  // +optional
+  optional string username = 1;
+
+  // A unique value that identifies this user across time. If this user is
+  // deleted and another user by the same name is added, they will have
+  // different UIDs.
+  // +optional
+  optional string uid = 2;
+
+  // The names of groups this user is a part of.
+  // +optional
+  repeated string groups = 3;
+
+  // Any additional information provided by the authenticator.
+  // +optional
+  map<string, ExtraValue> extra = 4;
+}
+
diff --git a/cli/vendor/k8s.io/api/authentication/v1/register.go b/cli/vendor/k8s.io/api/authentication/v1/register.go
new file mode 100644
index 00000000..936237c2
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1/register.go
@@ -0,0 +1,51 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "authentication.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenReview{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/authentication/v1/types.go b/cli/vendor/k8s.io/api/authentication/v1/types.go
new file mode 100644
index 00000000..b6d30bbe
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1/types.go
@@ -0,0 +1,107 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	// ImpersonateUserHeader is used to impersonate a particular user during an API server request
+	ImpersonateUserHeader = "Impersonate-User"
+
+	// ImpersonateGroupHeader is used to impersonate a particular group during an API server request.
+	// It can be repeated multiplied times for multiple groups.
+	ImpersonateGroupHeader = "Impersonate-Group"
+
+	// ImpersonateUserExtraHeaderPrefix is a prefix for any header used to impersonate an entry in the
+	// extra map[string][]string for user.Info.  The key will be every after the prefix.
+	// It can be repeated multiplied times for multiple map keys and the same key can be repeated multiple
+	// times to have multiple elements in the slice under a single key
+	ImpersonateUserExtraHeaderPrefix = "Impersonate-Extra-"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// TokenReview attempts to authenticate a token to a known user.
+// Note: TokenReview requests may be cached by the webhook token authenticator
+// plugin in the kube-apiserver.
+type TokenReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the request being evaluated
+	Spec TokenReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the server and indicates whether the request can be authenticated.
+	// +optional
+	Status TokenReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// TokenReviewSpec is a description of the token authentication request.
+type TokenReviewSpec struct {
+	// Token is the opaque bearer token.
+	// +optional
+	Token string `json:"token,omitempty" protobuf:"bytes,1,opt,name=token"`
+}
+
+// TokenReviewStatus is the result of the token authentication request.
+type TokenReviewStatus struct {
+	// Authenticated indicates that the token was associated with a known user.
+	// +optional
+	Authenticated bool `json:"authenticated,omitempty" protobuf:"varint,1,opt,name=authenticated"`
+	// User is the UserInfo associated with the provided token.
+	// +optional
+	User UserInfo `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`
+	// Error indicates that the token couldn't be checked
+	// +optional
+	Error string `json:"error,omitempty" protobuf:"bytes,3,opt,name=error"`
+}
+
+// UserInfo holds the information about the user needed to implement the
+// user.Info interface.
+type UserInfo struct {
+	// The name that uniquely identifies this user among all active users.
+	// +optional
+	Username string `json:"username,omitempty" protobuf:"bytes,1,opt,name=username"`
+	// A unique value that identifies this user across time. If this user is
+	// deleted and another user by the same name is added, they will have
+	// different UIDs.
+	// +optional
+	UID string `json:"uid,omitempty" protobuf:"bytes,2,opt,name=uid"`
+	// The names of groups this user is a part of.
+	// +optional
+	Groups []string `json:"groups,omitempty" protobuf:"bytes,3,rep,name=groups"`
+	// Any additional information provided by the authenticator.
+	// +optional
+	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,4,rep,name=extra"`
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+	return fmt.Sprintf("%v", []string(t))
+}
diff --git a/cli/vendor/k8s.io/api/authentication/v1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/authentication/v1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..bb235e4e
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1/types_swagger_doc_generated.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_TokenReview = map[string]string{
+	"":       "TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.",
+	"spec":   "Spec holds information about the request being evaluated",
+	"status": "Status is filled in by the server and indicates whether the request can be authenticated.",
+}
+
+func (TokenReview) SwaggerDoc() map[string]string {
+	return map_TokenReview
+}
+
+var map_TokenReviewSpec = map[string]string{
+	"":      "TokenReviewSpec is a description of the token authentication request.",
+	"token": "Token is the opaque bearer token.",
+}
+
+func (TokenReviewSpec) SwaggerDoc() map[string]string {
+	return map_TokenReviewSpec
+}
+
+var map_TokenReviewStatus = map[string]string{
+	"":              "TokenReviewStatus is the result of the token authentication request.",
+	"authenticated": "Authenticated indicates that the token was associated with a known user.",
+	"user":          "User is the UserInfo associated with the provided token.",
+	"error":         "Error indicates that the token couldn't be checked",
+}
+
+func (TokenReviewStatus) SwaggerDoc() map[string]string {
+	return map_TokenReviewStatus
+}
+
+var map_UserInfo = map[string]string{
+	"":         "UserInfo holds the information about the user needed to implement the user.Info interface.",
+	"username": "The name that uniquely identifies this user among all active users.",
+	"uid":      "A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.",
+	"groups":   "The names of groups this user is a part of.",
+	"extra":    "Any additional information provided by the authenticator.",
+}
+
+func (UserInfo) SwaggerDoc() map[string]string {
+	return map_UserInfo
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/authentication/v1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/authentication/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..77b5f08d
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1/zz_generated.deepcopy.go
@@ -0,0 +1,147 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TokenReview).DeepCopyInto(out.(*TokenReview))
+			return nil
+		}, InType: reflect.TypeOf(&TokenReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TokenReviewSpec).DeepCopyInto(out.(*TokenReviewSpec))
+			return nil
+		}, InType: reflect.TypeOf(&TokenReviewSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TokenReviewStatus).DeepCopyInto(out.(*TokenReviewStatus))
+			return nil
+		}, InType: reflect.TypeOf(&TokenReviewStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*UserInfo).DeepCopyInto(out.(*UserInfo))
+			return nil
+		}, InType: reflect.TypeOf(&UserInfo{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenReview) DeepCopyInto(out *TokenReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenReview.
+func (in *TokenReview) DeepCopy() *TokenReview {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenReviewSpec) DeepCopyInto(out *TokenReviewSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenReviewSpec.
+func (in *TokenReviewSpec) DeepCopy() *TokenReviewSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenReviewSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenReviewStatus) DeepCopyInto(out *TokenReviewStatus) {
+	*out = *in
+	in.User.DeepCopyInto(&out.User)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenReviewStatus.
+func (in *TokenReviewStatus) DeepCopy() *TokenReviewStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenReviewStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserInfo) DeepCopyInto(out *UserInfo) {
+	*out = *in
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Extra != nil {
+		in, out := &in.Extra, &out.Extra
+		*out = make(map[string]ExtraValue, len(*in))
+		for key, val := range *in {
+			(*out)[key] = make(ExtraValue, len(val))
+			copy((*out)[key], val)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInfo.
+func (in *UserInfo) DeepCopy() *UserInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(UserInfo)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/authentication/v1beta1/doc.go b/cli/vendor/k8s.io/api/authentication/v1beta1/doc.go
new file mode 100644
index 00000000..065cfbd9
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +groupName=authentication.k8s.io
+// +k8s:openapi-gen=true
+package v1beta1 // import "k8s.io/api/authentication/v1beta1"
diff --git a/cli/vendor/k8s.io/api/authentication/v1beta1/generated.pb.go b/cli/vendor/k8s.io/api/authentication/v1beta1/generated.pb.go
new file mode 100644
index 00000000..86e362b8
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1beta1/generated.pb.go
@@ -0,0 +1,1302 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/authentication/v1beta1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1beta1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/authentication/v1beta1/generated.proto
+
+	It has these top-level messages:
+		ExtraValue
+		TokenReview
+		TokenReviewSpec
+		TokenReviewStatus
+		UserInfo
+*/
+package v1beta1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *ExtraValue) Reset()                    { *m = ExtraValue{} }
+func (*ExtraValue) ProtoMessage()               {}
+func (*ExtraValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *TokenReview) Reset()                    { *m = TokenReview{} }
+func (*TokenReview) ProtoMessage()               {}
+func (*TokenReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *TokenReviewSpec) Reset()                    { *m = TokenReviewSpec{} }
+func (*TokenReviewSpec) ProtoMessage()               {}
+func (*TokenReviewSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *TokenReviewStatus) Reset()                    { *m = TokenReviewStatus{} }
+func (*TokenReviewStatus) ProtoMessage()               {}
+func (*TokenReviewStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *UserInfo) Reset()                    { *m = UserInfo{} }
+func (*UserInfo) ProtoMessage()               {}
+func (*UserInfo) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func init() {
+	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authentication.v1beta1.ExtraValue")
+	proto.RegisterType((*TokenReview)(nil), "k8s.io.api.authentication.v1beta1.TokenReview")
+	proto.RegisterType((*TokenReviewSpec)(nil), "k8s.io.api.authentication.v1beta1.TokenReviewSpec")
+	proto.RegisterType((*TokenReviewStatus)(nil), "k8s.io.api.authentication.v1beta1.TokenReviewStatus")
+	proto.RegisterType((*UserInfo)(nil), "k8s.io.api.authentication.v1beta1.UserInfo")
+}
+func (m ExtraValue) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m ExtraValue) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *TokenReview) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TokenReview) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n3, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *TokenReviewSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TokenReviewSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Token)))
+	i += copy(dAtA[i:], m.Token)
+	return i, nil
+}
+
+func (m *TokenReviewStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TokenReviewStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	if m.Authenticated {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.User.Size()))
+	n4, err := m.User.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Error)))
+	i += copy(dAtA[i:], m.Error)
+	return i, nil
+}
+
+func (m *UserInfo) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *UserInfo) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Username)))
+	i += copy(dAtA[i:], m.Username)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID)))
+	i += copy(dAtA[i:], m.UID)
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Extra) > 0 {
+		keysForExtra := make([]string, 0, len(m.Extra))
+		for k := range m.Extra {
+			keysForExtra = append(keysForExtra, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		for _, k := range keysForExtra {
+			dAtA[i] = 0x22
+			i++
+			v := m.Extra[string(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n5, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n5
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m ExtraValue) Size() (n int) {
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *TokenReview) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *TokenReviewSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Token)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *TokenReviewStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 2
+	l = m.User.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Error)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *UserInfo) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Username)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.UID)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Extra) > 0 {
+		for k, v := range m.Extra {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *TokenReview) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TokenReview{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "TokenReviewSpec", "TokenReviewSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "TokenReviewStatus", "TokenReviewStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *TokenReviewSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TokenReviewSpec{`,
+		`Token:` + fmt.Sprintf("%v", this.Token) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *TokenReviewStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TokenReviewStatus{`,
+		`Authenticated:` + fmt.Sprintf("%v", this.Authenticated) + `,`,
+		`User:` + strings.Replace(strings.Replace(this.User.String(), "UserInfo", "UserInfo", 1), `&`, ``, 1) + `,`,
+		`Error:` + fmt.Sprintf("%v", this.Error) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *UserInfo) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForExtra := make([]string, 0, len(this.Extra))
+	for k := range this.Extra {
+		keysForExtra = append(keysForExtra, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	mapStringForExtra := "map[string]ExtraValue{"
+	for _, k := range keysForExtra {
+		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
+	}
+	mapStringForExtra += "}"
+	s := strings.Join([]string{`&UserInfo{`,
+		`Username:` + fmt.Sprintf("%v", this.Username) + `,`,
+		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
+		`Groups:` + fmt.Sprintf("%v", this.Groups) + `,`,
+		`Extra:` + mapStringForExtra + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *ExtraValue) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExtraValue: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExtraValue: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			*m = append(*m, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TokenReview) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TokenReview: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TokenReview: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TokenReviewSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TokenReviewSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TokenReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Token", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Token = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TokenReviewStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TokenReviewStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TokenReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Authenticated", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Authenticated = bool(v != 0)
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field User", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.User.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Error = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *UserInfo) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: UserInfo: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: UserInfo: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Username", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Username = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Extra", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Extra == nil {
+				m.Extra = make(map[string]ExtraValue)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &ExtraValue{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Extra[mapkey] = *mapvalue
+			} else {
+				var mapvalue ExtraValue
+				m.Extra[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/authentication/v1beta1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 650 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x93, 0x4d, 0x4f, 0x14, 0x4d,
+	0x10, 0xc7, 0x67, 0xf6, 0x85, 0x67, 0xb7, 0xf7, 0x41, 0xb1, 0x13, 0x93, 0xcd, 0x26, 0xce, 0xae,
+	0xeb, 0x85, 0x44, 0xe9, 0x11, 0x24, 0x48, 0xf0, 0xe4, 0x28, 0x31, 0x98, 0x10, 0x93, 0x16, 0x3c,
+	0xa8, 0x07, 0x7b, 0x67, 0x8b, 0xd9, 0x76, 0x99, 0x97, 0xf4, 0xf4, 0xac, 0x72, 0xe3, 0x23, 0x78,
+	0xf4, 0x68, 0xe2, 0x27, 0x31, 0xf1, 0xc0, 0x91, 0x23, 0x07, 0x43, 0x64, 0xfc, 0x22, 0xa6, 0x7b,
+	0x5a, 0x76, 0x61, 0x43, 0x80, 0xdb, 0xf4, 0xbf, 0xea, 0xff, 0x9b, 0xaa, 0xea, 0x2e, 0xf4, 0x72,
+	0xb8, 0x9a, 0x12, 0x1e, 0xbb, 0xc3, 0xac, 0x07, 0x22, 0x02, 0x09, 0xa9, 0x3b, 0x82, 0xa8, 0x1f,
+	0x0b, 0xd7, 0x04, 0x58, 0xc2, 0x5d, 0x96, 0xc9, 0x01, 0x44, 0x92, 0xfb, 0x4c, 0xf2, 0x38, 0x72,
+	0x47, 0x8b, 0x3d, 0x90, 0x6c, 0xd1, 0x0d, 0x20, 0x02, 0xc1, 0x24, 0xf4, 0x49, 0x22, 0x62, 0x19,
+	0xe3, 0xbb, 0x85, 0x85, 0xb0, 0x84, 0x93, 0xb3, 0x16, 0x62, 0x2c, 0xad, 0x85, 0x80, 0xcb, 0x41,
+	0xd6, 0x23, 0x7e, 0x1c, 0xba, 0x41, 0x1c, 0xc4, 0xae, 0x76, 0xf6, 0xb2, 0x1d, 0x7d, 0xd2, 0x07,
+	0xfd, 0x55, 0x10, 0x5b, 0xcb, 0xe3, 0x22, 0x42, 0xe6, 0x0f, 0x78, 0x04, 0x62, 0xcf, 0x4d, 0x86,
+	0x81, 0x12, 0x52, 0x37, 0x04, 0xc9, 0xdc, 0xd1, 0x54, 0x1d, 0x2d, 0xf7, 0x22, 0x97, 0xc8, 0x22,
+	0xc9, 0x43, 0x98, 0x32, 0xac, 0x5c, 0x66, 0x48, 0xfd, 0x01, 0x84, 0x6c, 0xca, 0xf7, 0xe8, 0x22,
+	0x5f, 0x26, 0xf9, 0xae, 0xcb, 0x23, 0x99, 0x4a, 0x71, 0xde, 0xd4, 0x7d, 0x8c, 0xd0, 0xfa, 0x67,
+	0x29, 0xd8, 0x1b, 0xb6, 0x9b, 0x01, 0x6e, 0xa3, 0x2a, 0x97, 0x10, 0xa6, 0x4d, 0xbb, 0x53, 0x9e,
+	0xaf, 0x7b, 0xf5, 0xfc, 0xb8, 0x5d, 0xdd, 0x50, 0x02, 0x2d, 0xf4, 0xb5, 0xda, 0xd7, 0x6f, 0x6d,
+	0x6b, 0xff, 0x57, 0xc7, 0xea, 0x7e, 0x2f, 0xa1, 0xc6, 0x56, 0x3c, 0x84, 0x88, 0xc2, 0x88, 0xc3,
+	0x27, 0xfc, 0x01, 0xd5, 0xd4, 0x04, 0xfa, 0x4c, 0xb2, 0xa6, 0xdd, 0xb1, 0xe7, 0x1b, 0x4b, 0x0f,
+	0xc9, 0xf8, 0x06, 0x4e, 0x0b, 0x22, 0xc9, 0x30, 0x50, 0x42, 0x4a, 0x54, 0x36, 0x19, 0x2d, 0x92,
+	0x57, 0xbd, 0x8f, 0xe0, 0xcb, 0x4d, 0x90, 0xcc, 0xc3, 0x07, 0xc7, 0x6d, 0x2b, 0x3f, 0x6e, 0xa3,
+	0xb1, 0x46, 0x4f, 0xa9, 0x78, 0x0b, 0x55, 0xd2, 0x04, 0xfc, 0x66, 0x49, 0xd3, 0x97, 0xc8, 0xa5,
+	0xf7, 0x4b, 0x26, 0xea, 0x7b, 0x9d, 0x80, 0xef, 0xfd, 0x6f, 0xf8, 0x15, 0x75, 0xa2, 0x9a, 0x86,
+	0xdf, 0xa3, 0x99, 0x54, 0x32, 0x99, 0xa5, 0xcd, 0xb2, 0xe6, 0x2e, 0x5f, 0x93, 0xab, 0xbd, 0xde,
+	0x0d, 0x43, 0x9e, 0x29, 0xce, 0xd4, 0x30, 0xbb, 0x2b, 0xe8, 0xe6, 0xb9, 0x22, 0xf0, 0x3d, 0x54,
+	0x95, 0x4a, 0xd2, 0x53, 0xaa, 0x7b, 0xb3, 0xc6, 0x59, 0x2d, 0xf2, 0x8a, 0x58, 0xf7, 0xa7, 0x8d,
+	0x6e, 0x4d, 0xfd, 0x05, 0x3f, 0x41, 0xb3, 0x13, 0x15, 0x41, 0x5f, 0x23, 0x6a, 0xde, 0x6d, 0x83,
+	0x98, 0x7d, 0x3a, 0x19, 0xa4, 0x67, 0x73, 0xf1, 0x26, 0xaa, 0x64, 0x29, 0x08, 0x33, 0xbe, 0xfb,
+	0x57, 0x68, 0x73, 0x3b, 0x05, 0xb1, 0x11, 0xed, 0xc4, 0xe3, 0xb9, 0x29, 0x85, 0x6a, 0x8c, 0x6a,
+	0x03, 0x84, 0x88, 0x85, 0x1e, 0xdb, 0x44, 0x1b, 0xeb, 0x4a, 0xa4, 0x45, 0xac, 0xfb, 0xa3, 0x84,
+	0x6a, 0xff, 0x28, 0xf8, 0x01, 0xaa, 0x29, 0x67, 0xc4, 0x42, 0x30, 0xbd, 0xcf, 0x19, 0x93, 0xce,
+	0x51, 0x3a, 0x3d, 0xcd, 0xc0, 0x77, 0x50, 0x39, 0xe3, 0x7d, 0x5d, 0x6d, 0xdd, 0x6b, 0x98, 0xc4,
+	0xf2, 0xf6, 0xc6, 0x73, 0xaa, 0x74, 0xdc, 0x45, 0x33, 0x81, 0x88, 0xb3, 0x44, 0x5d, 0x9b, 0x7a,
+	0xaa, 0x48, 0x0d, 0xff, 0x85, 0x56, 0xa8, 0x89, 0xe0, 0x77, 0xa8, 0x0a, 0xea, 0x6d, 0x37, 0x2b,
+	0x9d, 0xf2, 0x7c, 0x63, 0x69, 0xe5, 0x1a, 0x2d, 0x13, 0xbd, 0x14, 0xeb, 0x91, 0x14, 0x7b, 0x13,
+	0xad, 0x29, 0x8d, 0x16, 0xcc, 0x56, 0x60, 0x16, 0x47, 0xe7, 0xe0, 0x39, 0x54, 0x1e, 0xc2, 0x5e,
+	0xd1, 0x16, 0x55, 0x9f, 0xf8, 0x19, 0xaa, 0x8e, 0xd4, 0x4e, 0x99, 0x79, 0x2f, 0x5c, 0xe1, 0xe7,
+	0xe3, 0x45, 0xa4, 0x85, 0x77, 0xad, 0xb4, 0x6a, 0x7b, 0x0b, 0x07, 0x27, 0x8e, 0x75, 0x78, 0xe2,
+	0x58, 0x47, 0x27, 0x8e, 0xb5, 0x9f, 0x3b, 0xf6, 0x41, 0xee, 0xd8, 0x87, 0xb9, 0x63, 0x1f, 0xe5,
+	0x8e, 0xfd, 0x3b, 0x77, 0xec, 0x2f, 0x7f, 0x1c, 0xeb, 0xed, 0x7f, 0x06, 0xf2, 0x37, 0x00, 0x00,
+	0xff, 0xff, 0x36, 0x0e, 0x35, 0x2a, 0x43, 0x05, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/authentication/v1beta1/generated.proto b/cli/vendor/k8s.io/api/authentication/v1beta1/generated.proto
new file mode 100644
index 00000000..3d0abd15
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1beta1/generated.proto
@@ -0,0 +1,99 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.authentication.v1beta1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message ExtraValue {
+  // items, if empty, will result in an empty slice
+
+  repeated string items = 1;
+}
+
+// TokenReview attempts to authenticate a token to a known user.
+// Note: TokenReview requests may be cached by the webhook token authenticator
+// plugin in the kube-apiserver.
+message TokenReview {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the request being evaluated
+  optional TokenReviewSpec spec = 2;
+
+  // Status is filled in by the server and indicates whether the request can be authenticated.
+  // +optional
+  optional TokenReviewStatus status = 3;
+}
+
+// TokenReviewSpec is a description of the token authentication request.
+message TokenReviewSpec {
+  // Token is the opaque bearer token.
+  // +optional
+  optional string token = 1;
+}
+
+// TokenReviewStatus is the result of the token authentication request.
+message TokenReviewStatus {
+  // Authenticated indicates that the token was associated with a known user.
+  // +optional
+  optional bool authenticated = 1;
+
+  // User is the UserInfo associated with the provided token.
+  // +optional
+  optional UserInfo user = 2;
+
+  // Error indicates that the token couldn't be checked
+  // +optional
+  optional string error = 3;
+}
+
+// UserInfo holds the information about the user needed to implement the
+// user.Info interface.
+message UserInfo {
+  // The name that uniquely identifies this user among all active users.
+  // +optional
+  optional string username = 1;
+
+  // A unique value that identifies this user across time. If this user is
+  // deleted and another user by the same name is added, they will have
+  // different UIDs.
+  // +optional
+  optional string uid = 2;
+
+  // The names of groups this user is a part of.
+  // +optional
+  repeated string groups = 3;
+
+  // Any additional information provided by the authenticator.
+  // +optional
+  map<string, ExtraValue> extra = 4;
+}
+
diff --git a/cli/vendor/k8s.io/api/authentication/v1beta1/register.go b/cli/vendor/k8s.io/api/authentication/v1beta1/register.go
new file mode 100644
index 00000000..7d89e5ef
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1beta1/register.go
@@ -0,0 +1,51 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "authentication.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&TokenReview{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/authentication/v1beta1/types.go b/cli/vendor/k8s.io/api/authentication/v1beta1/types.go
new file mode 100644
index 00000000..a90949dc
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1beta1/types.go
@@ -0,0 +1,92 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// TokenReview attempts to authenticate a token to a known user.
+// Note: TokenReview requests may be cached by the webhook token authenticator
+// plugin in the kube-apiserver.
+type TokenReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the request being evaluated
+	Spec TokenReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the server and indicates whether the request can be authenticated.
+	// +optional
+	Status TokenReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// TokenReviewSpec is a description of the token authentication request.
+type TokenReviewSpec struct {
+	// Token is the opaque bearer token.
+	// +optional
+	Token string `json:"token,omitempty" protobuf:"bytes,1,opt,name=token"`
+}
+
+// TokenReviewStatus is the result of the token authentication request.
+type TokenReviewStatus struct {
+	// Authenticated indicates that the token was associated with a known user.
+	// +optional
+	Authenticated bool `json:"authenticated,omitempty" protobuf:"varint,1,opt,name=authenticated"`
+	// User is the UserInfo associated with the provided token.
+	// +optional
+	User UserInfo `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`
+	// Error indicates that the token couldn't be checked
+	// +optional
+	Error string `json:"error,omitempty" protobuf:"bytes,3,opt,name=error"`
+}
+
+// UserInfo holds the information about the user needed to implement the
+// user.Info interface.
+type UserInfo struct {
+	// The name that uniquely identifies this user among all active users.
+	// +optional
+	Username string `json:"username,omitempty" protobuf:"bytes,1,opt,name=username"`
+	// A unique value that identifies this user across time. If this user is
+	// deleted and another user by the same name is added, they will have
+	// different UIDs.
+	// +optional
+	UID string `json:"uid,omitempty" protobuf:"bytes,2,opt,name=uid"`
+	// The names of groups this user is a part of.
+	// +optional
+	Groups []string `json:"groups,omitempty" protobuf:"bytes,3,rep,name=groups"`
+	// Any additional information provided by the authenticator.
+	// +optional
+	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,4,rep,name=extra"`
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+	return fmt.Sprintf("%v", []string(t))
+}
diff --git a/cli/vendor/k8s.io/api/authentication/v1beta1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/authentication/v1beta1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..f910bea6
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1beta1/types_swagger_doc_generated.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_TokenReview = map[string]string{
+	"":       "TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.",
+	"spec":   "Spec holds information about the request being evaluated",
+	"status": "Status is filled in by the server and indicates whether the request can be authenticated.",
+}
+
+func (TokenReview) SwaggerDoc() map[string]string {
+	return map_TokenReview
+}
+
+var map_TokenReviewSpec = map[string]string{
+	"":      "TokenReviewSpec is a description of the token authentication request.",
+	"token": "Token is the opaque bearer token.",
+}
+
+func (TokenReviewSpec) SwaggerDoc() map[string]string {
+	return map_TokenReviewSpec
+}
+
+var map_TokenReviewStatus = map[string]string{
+	"":              "TokenReviewStatus is the result of the token authentication request.",
+	"authenticated": "Authenticated indicates that the token was associated with a known user.",
+	"user":          "User is the UserInfo associated with the provided token.",
+	"error":         "Error indicates that the token couldn't be checked",
+}
+
+func (TokenReviewStatus) SwaggerDoc() map[string]string {
+	return map_TokenReviewStatus
+}
+
+var map_UserInfo = map[string]string{
+	"":         "UserInfo holds the information about the user needed to implement the user.Info interface.",
+	"username": "The name that uniquely identifies this user among all active users.",
+	"uid":      "A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.",
+	"groups":   "The names of groups this user is a part of.",
+	"extra":    "Any additional information provided by the authenticator.",
+}
+
+func (UserInfo) SwaggerDoc() map[string]string {
+	return map_UserInfo
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/authentication/v1beta1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/authentication/v1beta1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..e8545a3f
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authentication/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,147 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TokenReview).DeepCopyInto(out.(*TokenReview))
+			return nil
+		}, InType: reflect.TypeOf(&TokenReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TokenReviewSpec).DeepCopyInto(out.(*TokenReviewSpec))
+			return nil
+		}, InType: reflect.TypeOf(&TokenReviewSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TokenReviewStatus).DeepCopyInto(out.(*TokenReviewStatus))
+			return nil
+		}, InType: reflect.TypeOf(&TokenReviewStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*UserInfo).DeepCopyInto(out.(*UserInfo))
+			return nil
+		}, InType: reflect.TypeOf(&UserInfo{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenReview) DeepCopyInto(out *TokenReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenReview.
+func (in *TokenReview) DeepCopy() *TokenReview {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TokenReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenReviewSpec) DeepCopyInto(out *TokenReviewSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenReviewSpec.
+func (in *TokenReviewSpec) DeepCopy() *TokenReviewSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenReviewSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenReviewStatus) DeepCopyInto(out *TokenReviewStatus) {
+	*out = *in
+	in.User.DeepCopyInto(&out.User)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenReviewStatus.
+func (in *TokenReviewStatus) DeepCopy() *TokenReviewStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenReviewStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserInfo) DeepCopyInto(out *UserInfo) {
+	*out = *in
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Extra != nil {
+		in, out := &in.Extra, &out.Extra
+		*out = make(map[string]ExtraValue, len(*in))
+		for key, val := range *in {
+			(*out)[key] = make(ExtraValue, len(val))
+			copy((*out)[key], val)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInfo.
+func (in *UserInfo) DeepCopy() *UserInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(UserInfo)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/authorization/v1/doc.go b/cli/vendor/k8s.io/api/authorization/v1/doc.go
new file mode 100644
index 00000000..b02e09ca
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+// +groupName=authorization.k8s.io
+package v1 // import "k8s.io/api/authorization/v1"
diff --git a/cli/vendor/k8s.io/api/authorization/v1/generated.pb.go b/cli/vendor/k8s.io/api/authorization/v1/generated.pb.go
new file mode 100644
index 00000000..60245b51
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1/generated.pb.go
@@ -0,0 +1,3498 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/authorization/v1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/authorization/v1/generated.proto
+
+	It has these top-level messages:
+		ExtraValue
+		LocalSubjectAccessReview
+		NonResourceAttributes
+		NonResourceRule
+		ResourceAttributes
+		ResourceRule
+		SelfSubjectAccessReview
+		SelfSubjectAccessReviewSpec
+		SelfSubjectRulesReview
+		SelfSubjectRulesReviewSpec
+		SubjectAccessReview
+		SubjectAccessReviewSpec
+		SubjectAccessReviewStatus
+		SubjectRulesReviewStatus
+*/
+package v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *ExtraValue) Reset()                    { *m = ExtraValue{} }
+func (*ExtraValue) ProtoMessage()               {}
+func (*ExtraValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *LocalSubjectAccessReview) Reset()      { *m = LocalSubjectAccessReview{} }
+func (*LocalSubjectAccessReview) ProtoMessage() {}
+func (*LocalSubjectAccessReview) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{1}
+}
+
+func (m *NonResourceAttributes) Reset()                    { *m = NonResourceAttributes{} }
+func (*NonResourceAttributes) ProtoMessage()               {}
+func (*NonResourceAttributes) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *NonResourceRule) Reset()                    { *m = NonResourceRule{} }
+func (*NonResourceRule) ProtoMessage()               {}
+func (*NonResourceRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *ResourceAttributes) Reset()                    { *m = ResourceAttributes{} }
+func (*ResourceAttributes) ProtoMessage()               {}
+func (*ResourceAttributes) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *ResourceRule) Reset()                    { *m = ResourceRule{} }
+func (*ResourceRule) ProtoMessage()               {}
+func (*ResourceRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func (m *SelfSubjectAccessReview) Reset()                    { *m = SelfSubjectAccessReview{} }
+func (*SelfSubjectAccessReview) ProtoMessage()               {}
+func (*SelfSubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *SelfSubjectAccessReviewSpec) Reset()      { *m = SelfSubjectAccessReviewSpec{} }
+func (*SelfSubjectAccessReviewSpec) ProtoMessage() {}
+func (*SelfSubjectAccessReviewSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{7}
+}
+
+func (m *SelfSubjectRulesReview) Reset()                    { *m = SelfSubjectRulesReview{} }
+func (*SelfSubjectRulesReview) ProtoMessage()               {}
+func (*SelfSubjectRulesReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *SelfSubjectRulesReviewSpec) Reset()      { *m = SelfSubjectRulesReviewSpec{} }
+func (*SelfSubjectRulesReviewSpec) ProtoMessage() {}
+func (*SelfSubjectRulesReviewSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{9}
+}
+
+func (m *SubjectAccessReview) Reset()                    { *m = SubjectAccessReview{} }
+func (*SubjectAccessReview) ProtoMessage()               {}
+func (*SubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+
+func (m *SubjectAccessReviewSpec) Reset()      { *m = SubjectAccessReviewSpec{} }
+func (*SubjectAccessReviewSpec) ProtoMessage() {}
+func (*SubjectAccessReviewSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{11}
+}
+
+func (m *SubjectAccessReviewStatus) Reset()      { *m = SubjectAccessReviewStatus{} }
+func (*SubjectAccessReviewStatus) ProtoMessage() {}
+func (*SubjectAccessReviewStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{12}
+}
+
+func (m *SubjectRulesReviewStatus) Reset()      { *m = SubjectRulesReviewStatus{} }
+func (*SubjectRulesReviewStatus) ProtoMessage() {}
+func (*SubjectRulesReviewStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{13}
+}
+
+func init() {
+	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authorization.v1.ExtraValue")
+	proto.RegisterType((*LocalSubjectAccessReview)(nil), "k8s.io.api.authorization.v1.LocalSubjectAccessReview")
+	proto.RegisterType((*NonResourceAttributes)(nil), "k8s.io.api.authorization.v1.NonResourceAttributes")
+	proto.RegisterType((*NonResourceRule)(nil), "k8s.io.api.authorization.v1.NonResourceRule")
+	proto.RegisterType((*ResourceAttributes)(nil), "k8s.io.api.authorization.v1.ResourceAttributes")
+	proto.RegisterType((*ResourceRule)(nil), "k8s.io.api.authorization.v1.ResourceRule")
+	proto.RegisterType((*SelfSubjectAccessReview)(nil), "k8s.io.api.authorization.v1.SelfSubjectAccessReview")
+	proto.RegisterType((*SelfSubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1.SelfSubjectAccessReviewSpec")
+	proto.RegisterType((*SelfSubjectRulesReview)(nil), "k8s.io.api.authorization.v1.SelfSubjectRulesReview")
+	proto.RegisterType((*SelfSubjectRulesReviewSpec)(nil), "k8s.io.api.authorization.v1.SelfSubjectRulesReviewSpec")
+	proto.RegisterType((*SubjectAccessReview)(nil), "k8s.io.api.authorization.v1.SubjectAccessReview")
+	proto.RegisterType((*SubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1.SubjectAccessReviewSpec")
+	proto.RegisterType((*SubjectAccessReviewStatus)(nil), "k8s.io.api.authorization.v1.SubjectAccessReviewStatus")
+	proto.RegisterType((*SubjectRulesReviewStatus)(nil), "k8s.io.api.authorization.v1.SubjectRulesReviewStatus")
+}
+func (m ExtraValue) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m ExtraValue) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *LocalSubjectAccessReview) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LocalSubjectAccessReview) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n3, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *NonResourceAttributes) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NonResourceAttributes) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Verb)))
+	i += copy(dAtA[i:], m.Verb)
+	return i, nil
+}
+
+func (m *NonResourceRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NonResourceRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NonResourceURLs) > 0 {
+		for _, s := range m.NonResourceURLs {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *ResourceAttributes) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceAttributes) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Verb)))
+	i += copy(dAtA[i:], m.Verb)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
+	i += copy(dAtA[i:], m.Group)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Version)))
+	i += copy(dAtA[i:], m.Version)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Resource)))
+	i += copy(dAtA[i:], m.Resource)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Subresource)))
+	i += copy(dAtA[i:], m.Subresource)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	return i, nil
+}
+
+func (m *ResourceRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.ResourceNames) > 0 {
+		for _, s := range m.ResourceNames {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *SelfSubjectAccessReview) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SelfSubjectAccessReview) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n4, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n5, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n6, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	return i, nil
+}
+
+func (m *SelfSubjectAccessReviewSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SelfSubjectAccessReviewSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.ResourceAttributes != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ResourceAttributes.Size()))
+		n7, err := m.ResourceAttributes.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	if m.NonResourceAttributes != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.NonResourceAttributes.Size()))
+		n8, err := m.NonResourceAttributes.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	return i, nil
+}
+
+func (m *SelfSubjectRulesReview) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SelfSubjectRulesReview) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n9, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n10, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n11, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n11
+	return i, nil
+}
+
+func (m *SelfSubjectRulesReviewSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SelfSubjectRulesReviewSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	return i, nil
+}
+
+func (m *SubjectAccessReview) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SubjectAccessReview) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n12, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n12
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n13, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n13
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n14, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n14
+	return i, nil
+}
+
+func (m *SubjectAccessReviewSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SubjectAccessReviewSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.ResourceAttributes != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ResourceAttributes.Size()))
+		n15, err := m.ResourceAttributes.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n15
+	}
+	if m.NonResourceAttributes != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.NonResourceAttributes.Size()))
+		n16, err := m.NonResourceAttributes.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n16
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.User)))
+	i += copy(dAtA[i:], m.User)
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Extra) > 0 {
+		keysForExtra := make([]string, 0, len(m.Extra))
+		for k := range m.Extra {
+			keysForExtra = append(keysForExtra, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		for _, k := range keysForExtra {
+			dAtA[i] = 0x2a
+			i++
+			v := m.Extra[string(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n17, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n17
+		}
+	}
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID)))
+	i += copy(dAtA[i:], m.UID)
+	return i, nil
+}
+
+func (m *SubjectAccessReviewStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SubjectAccessReviewStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	if m.Allowed {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.EvaluationError)))
+	i += copy(dAtA[i:], m.EvaluationError)
+	return i, nil
+}
+
+func (m *SubjectRulesReviewStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SubjectRulesReviewStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ResourceRules) > 0 {
+		for _, msg := range m.ResourceRules {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.NonResourceRules) > 0 {
+		for _, msg := range m.NonResourceRules {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x18
+	i++
+	if m.Incomplete {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.EvaluationError)))
+	i += copy(dAtA[i:], m.EvaluationError)
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m ExtraValue) Size() (n int) {
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *LocalSubjectAccessReview) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NonResourceAttributes) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Verb)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NonResourceRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.NonResourceURLs) > 0 {
+		for _, s := range m.NonResourceURLs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ResourceAttributes) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Verb)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Group)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Version)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Resource)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Subresource)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ResourceRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.ResourceNames) > 0 {
+		for _, s := range m.ResourceNames {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *SelfSubjectAccessReview) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SelfSubjectAccessReviewSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.ResourceAttributes != nil {
+		l = m.ResourceAttributes.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.NonResourceAttributes != nil {
+		l = m.NonResourceAttributes.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *SelfSubjectRulesReview) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SelfSubjectRulesReviewSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SubjectAccessReview) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SubjectAccessReviewSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.ResourceAttributes != nil {
+		l = m.ResourceAttributes.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.NonResourceAttributes != nil {
+		l = m.NonResourceAttributes.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = len(m.User)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Extra) > 0 {
+		for k, v := range m.Extra {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.UID)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SubjectAccessReviewStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 2
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.EvaluationError)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SubjectRulesReviewStatus) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.ResourceRules) > 0 {
+		for _, e := range m.ResourceRules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.NonResourceRules) > 0 {
+		for _, e := range m.NonResourceRules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	n += 2
+	l = len(m.EvaluationError)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *LocalSubjectAccessReview) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&LocalSubjectAccessReview{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "SubjectAccessReviewSpec", "SubjectAccessReviewSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "SubjectAccessReviewStatus", "SubjectAccessReviewStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NonResourceAttributes) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NonResourceAttributes{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`Verb:` + fmt.Sprintf("%v", this.Verb) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NonResourceRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NonResourceRule{`,
+		`Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`,
+		`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceAttributes) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceAttributes{`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`Verb:` + fmt.Sprintf("%v", this.Verb) + `,`,
+		`Group:` + fmt.Sprintf("%v", this.Group) + `,`,
+		`Version:` + fmt.Sprintf("%v", this.Version) + `,`,
+		`Resource:` + fmt.Sprintf("%v", this.Resource) + `,`,
+		`Subresource:` + fmt.Sprintf("%v", this.Subresource) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceRule{`,
+		`Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`,
+		`APIGroups:` + fmt.Sprintf("%v", this.APIGroups) + `,`,
+		`Resources:` + fmt.Sprintf("%v", this.Resources) + `,`,
+		`ResourceNames:` + fmt.Sprintf("%v", this.ResourceNames) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SelfSubjectAccessReview) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SelfSubjectAccessReview{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "SelfSubjectAccessReviewSpec", "SelfSubjectAccessReviewSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "SubjectAccessReviewStatus", "SubjectAccessReviewStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SelfSubjectAccessReviewSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SelfSubjectAccessReviewSpec{`,
+		`ResourceAttributes:` + strings.Replace(fmt.Sprintf("%v", this.ResourceAttributes), "ResourceAttributes", "ResourceAttributes", 1) + `,`,
+		`NonResourceAttributes:` + strings.Replace(fmt.Sprintf("%v", this.NonResourceAttributes), "NonResourceAttributes", "NonResourceAttributes", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SelfSubjectRulesReview) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SelfSubjectRulesReview{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "SelfSubjectRulesReviewSpec", "SelfSubjectRulesReviewSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "SubjectRulesReviewStatus", "SubjectRulesReviewStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SelfSubjectRulesReviewSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SelfSubjectRulesReviewSpec{`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SubjectAccessReview) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SubjectAccessReview{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "SubjectAccessReviewSpec", "SubjectAccessReviewSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "SubjectAccessReviewStatus", "SubjectAccessReviewStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SubjectAccessReviewSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForExtra := make([]string, 0, len(this.Extra))
+	for k := range this.Extra {
+		keysForExtra = append(keysForExtra, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	mapStringForExtra := "map[string]ExtraValue{"
+	for _, k := range keysForExtra {
+		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
+	}
+	mapStringForExtra += "}"
+	s := strings.Join([]string{`&SubjectAccessReviewSpec{`,
+		`ResourceAttributes:` + strings.Replace(fmt.Sprintf("%v", this.ResourceAttributes), "ResourceAttributes", "ResourceAttributes", 1) + `,`,
+		`NonResourceAttributes:` + strings.Replace(fmt.Sprintf("%v", this.NonResourceAttributes), "NonResourceAttributes", "NonResourceAttributes", 1) + `,`,
+		`User:` + fmt.Sprintf("%v", this.User) + `,`,
+		`Groups:` + fmt.Sprintf("%v", this.Groups) + `,`,
+		`Extra:` + mapStringForExtra + `,`,
+		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SubjectAccessReviewStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SubjectAccessReviewStatus{`,
+		`Allowed:` + fmt.Sprintf("%v", this.Allowed) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`EvaluationError:` + fmt.Sprintf("%v", this.EvaluationError) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SubjectRulesReviewStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SubjectRulesReviewStatus{`,
+		`ResourceRules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ResourceRules), "ResourceRule", "ResourceRule", 1), `&`, ``, 1) + `,`,
+		`NonResourceRules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.NonResourceRules), "NonResourceRule", "NonResourceRule", 1), `&`, ``, 1) + `,`,
+		`Incomplete:` + fmt.Sprintf("%v", this.Incomplete) + `,`,
+		`EvaluationError:` + fmt.Sprintf("%v", this.EvaluationError) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *ExtraValue) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExtraValue: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExtraValue: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			*m = append(*m, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LocalSubjectAccessReview) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LocalSubjectAccessReview: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LocalSubjectAccessReview: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NonResourceAttributes) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NonResourceAttributes: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NonResourceAttributes: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verb", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verb = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NonResourceRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NonResourceRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NonResourceRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceURLs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceAttributes) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceAttributes: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceAttributes: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verb", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verb = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Group = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Version", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Version = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resource = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subresource", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subresource = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroups = append(m.APIGroups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resources = append(m.Resources, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceNames", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceNames = append(m.ResourceNames, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SelfSubjectAccessReview) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SelfSubjectAccessReview: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SelfSubjectAccessReview: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SelfSubjectAccessReviewSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SelfSubjectAccessReviewSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SelfSubjectAccessReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceAttributes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ResourceAttributes == nil {
+				m.ResourceAttributes = &ResourceAttributes{}
+			}
+			if err := m.ResourceAttributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceAttributes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.NonResourceAttributes == nil {
+				m.NonResourceAttributes = &NonResourceAttributes{}
+			}
+			if err := m.NonResourceAttributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SelfSubjectRulesReview) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SelfSubjectRulesReview: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SelfSubjectRulesReview: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SelfSubjectRulesReviewSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SelfSubjectRulesReviewSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SelfSubjectRulesReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SubjectAccessReview) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SubjectAccessReview: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SubjectAccessReview: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SubjectAccessReviewSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SubjectAccessReviewSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SubjectAccessReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceAttributes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ResourceAttributes == nil {
+				m.ResourceAttributes = &ResourceAttributes{}
+			}
+			if err := m.ResourceAttributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceAttributes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.NonResourceAttributes == nil {
+				m.NonResourceAttributes = &NonResourceAttributes{}
+			}
+			if err := m.NonResourceAttributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field User", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.User = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Extra", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Extra == nil {
+				m.Extra = make(map[string]ExtraValue)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &ExtraValue{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Extra[mapkey] = *mapvalue
+			} else {
+				var mapvalue ExtraValue
+				m.Extra[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SubjectAccessReviewStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SubjectAccessReviewStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SubjectAccessReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Allowed", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Allowed = bool(v != 0)
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EvaluationError", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.EvaluationError = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SubjectRulesReviewStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SubjectRulesReviewStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SubjectRulesReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceRules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceRules = append(m.ResourceRules, ResourceRule{})
+			if err := m.ResourceRules[len(m.ResourceRules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceRules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NonResourceRules = append(m.NonResourceRules, NonResourceRule{})
+			if err := m.NonResourceRules[len(m.NonResourceRules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Incomplete", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Incomplete = bool(v != 0)
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EvaluationError", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.EvaluationError = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/authorization/v1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 1137 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
+	0x14, 0xf7, 0xae, 0xed, 0xc4, 0x1e, 0x37, 0x24, 0x9d, 0x28, 0xcd, 0x36, 0x15, 0x76, 0xb4, 0x48,
+	0x90, 0x8a, 0xb2, 0x4b, 0x4c, 0xdb, 0x44, 0x95, 0x2a, 0x14, 0xab, 0x11, 0x8a, 0xd4, 0x96, 0x6a,
+	0xa2, 0x44, 0xa2, 0x08, 0xc4, 0x78, 0x3d, 0xb1, 0x97, 0xd8, 0xbb, 0xcb, 0xcc, 0xac, 0x43, 0x38,
+	0x55, 0xe2, 0x0b, 0x70, 0xe4, 0xc0, 0x81, 0x6f, 0x80, 0x90, 0x90, 0xb8, 0x71, 0xe0, 0x80, 0x72,
+	0xec, 0xb1, 0x07, 0x64, 0x91, 0xe5, 0xcc, 0x77, 0x40, 0x33, 0x3b, 0xf6, 0xae, 0x93, 0xb5, 0x9b,
+	0x70, 0xa0, 0x97, 0xde, 0x76, 0xdf, 0xef, 0xf7, 0xfe, 0xcc, 0x7b, 0x6f, 0xde, 0x3c, 0xf0, 0xe0,
+	0x70, 0x93, 0x59, 0xae, 0x6f, 0x1f, 0x86, 0x4d, 0x42, 0x3d, 0xc2, 0x09, 0xb3, 0xfb, 0xc4, 0x6b,
+	0xf9, 0xd4, 0x56, 0x00, 0x0e, 0x5c, 0x1b, 0x87, 0xbc, 0xe3, 0x53, 0xf7, 0x1b, 0xcc, 0x5d, 0xdf,
+	0xb3, 0xfb, 0xeb, 0x76, 0x9b, 0x78, 0x84, 0x62, 0x4e, 0x5a, 0x56, 0x40, 0x7d, 0xee, 0xc3, 0x1b,
+	0x31, 0xd9, 0xc2, 0x81, 0x6b, 0x8d, 0x91, 0xad, 0xfe, 0xfa, 0xca, 0x7b, 0x6d, 0x97, 0x77, 0xc2,
+	0xa6, 0xe5, 0xf8, 0x3d, 0xbb, 0xed, 0xb7, 0x7d, 0x5b, 0xea, 0x34, 0xc3, 0x03, 0xf9, 0x27, 0x7f,
+	0xe4, 0x57, 0x6c, 0x6b, 0xe5, 0x76, 0xe2, 0xb8, 0x87, 0x9d, 0x8e, 0xeb, 0x11, 0x7a, 0x6c, 0x07,
+	0x87, 0x6d, 0x21, 0x60, 0x76, 0x8f, 0x70, 0x9c, 0x11, 0xc1, 0x8a, 0x3d, 0x49, 0x8b, 0x86, 0x1e,
+	0x77, 0x7b, 0xe4, 0x9c, 0xc2, 0xdd, 0x97, 0x29, 0x30, 0xa7, 0x43, 0x7a, 0xf8, 0x9c, 0xde, 0x07,
+	0x93, 0xf4, 0x42, 0xee, 0x76, 0x6d, 0xd7, 0xe3, 0x8c, 0xd3, 0xb3, 0x4a, 0xe6, 0x06, 0x00, 0xdb,
+	0x5f, 0x73, 0x8a, 0xf7, 0x71, 0x37, 0x24, 0xb0, 0x06, 0x8a, 0x2e, 0x27, 0x3d, 0x66, 0x68, 0xab,
+	0xf9, 0xb5, 0x72, 0xa3, 0x1c, 0x0d, 0x6a, 0xc5, 0x1d, 0x21, 0x40, 0xb1, 0xfc, 0x5e, 0xe9, 0xfb,
+	0x1f, 0x6b, 0xb9, 0x67, 0x7f, 0xae, 0xe6, 0xcc, 0x5f, 0x74, 0x60, 0x3c, 0xf4, 0x1d, 0xdc, 0xdd,
+	0x0d, 0x9b, 0x5f, 0x12, 0x87, 0x6f, 0x39, 0x0e, 0x61, 0x0c, 0x91, 0xbe, 0x4b, 0x8e, 0xe0, 0x17,
+	0xa0, 0x24, 0xd2, 0xd1, 0xc2, 0x1c, 0x1b, 0xda, 0xaa, 0xb6, 0x56, 0xa9, 0xbf, 0x6f, 0x25, 0x85,
+	0x18, 0x45, 0x67, 0x05, 0x87, 0x6d, 0x21, 0x60, 0x96, 0x60, 0x5b, 0xfd, 0x75, 0xeb, 0x63, 0x69,
+	0xeb, 0x11, 0xe1, 0xb8, 0x01, 0x4f, 0x06, 0xb5, 0x5c, 0x34, 0xa8, 0x81, 0x44, 0x86, 0x46, 0x56,
+	0xe1, 0x3e, 0x28, 0xb0, 0x80, 0x38, 0x86, 0x2e, 0xad, 0xdf, 0xb6, 0xa6, 0x94, 0xd9, 0xca, 0x88,
+	0x70, 0x37, 0x20, 0x4e, 0xe3, 0x8a, 0xf2, 0x50, 0x10, 0x7f, 0x48, 0xda, 0x83, 0x9f, 0x83, 0x19,
+	0xc6, 0x31, 0x0f, 0x99, 0x91, 0x97, 0x96, 0xef, 0x5e, 0xda, 0xb2, 0xd4, 0x6e, 0xbc, 0xa1, 0x6c,
+	0xcf, 0xc4, 0xff, 0x48, 0x59, 0x35, 0x3f, 0x05, 0x4b, 0x8f, 0x7d, 0x0f, 0x11, 0xe6, 0x87, 0xd4,
+	0x21, 0x5b, 0x9c, 0x53, 0xb7, 0x19, 0x72, 0xc2, 0xe0, 0x2a, 0x28, 0x04, 0x98, 0x77, 0x64, 0xba,
+	0xca, 0x49, 0x68, 0x4f, 0x30, 0xef, 0x20, 0x89, 0x08, 0x46, 0x9f, 0xd0, 0xa6, 0x3c, 0x72, 0x8a,
+	0xb1, 0x4f, 0x68, 0x13, 0x49, 0xc4, 0xfc, 0x0a, 0xcc, 0xa7, 0x8c, 0xa3, 0xb0, 0x2b, 0x2b, 0x2a,
+	0xa0, 0xb1, 0x8a, 0x0a, 0x0d, 0x86, 0x62, 0x39, 0xbc, 0x0f, 0xe6, 0xbd, 0x44, 0x67, 0x0f, 0x3d,
+	0x64, 0x86, 0x2e, 0xa9, 0x8b, 0xd1, 0xa0, 0x96, 0x36, 0x27, 0x20, 0x74, 0x96, 0x6b, 0xfe, 0xa6,
+	0x03, 0x98, 0x71, 0x1a, 0x1b, 0x94, 0x3d, 0xdc, 0x23, 0x2c, 0xc0, 0x0e, 0x51, 0x47, 0xba, 0xaa,
+	0x02, 0x2e, 0x3f, 0x1e, 0x02, 0x28, 0xe1, 0xbc, 0xfc, 0x70, 0xf0, 0x2d, 0x50, 0x6c, 0x53, 0x3f,
+	0x0c, 0x64, 0x61, 0xca, 0x8d, 0x39, 0x45, 0x29, 0x7e, 0x24, 0x84, 0x28, 0xc6, 0xe0, 0x4d, 0x30,
+	0xdb, 0x27, 0x94, 0xb9, 0xbe, 0x67, 0x14, 0x24, 0x6d, 0x5e, 0xd1, 0x66, 0xf7, 0x63, 0x31, 0x1a,
+	0xe2, 0xf0, 0x16, 0x28, 0x51, 0x15, 0xb8, 0x51, 0x94, 0xdc, 0x05, 0xc5, 0x2d, 0x8d, 0x32, 0x38,
+	0x62, 0xc0, 0x3b, 0xa0, 0xc2, 0xc2, 0xe6, 0x48, 0x61, 0x46, 0x2a, 0x2c, 0x2a, 0x85, 0xca, 0x6e,
+	0x02, 0xa1, 0x34, 0x4f, 0x1c, 0x4b, 0x9c, 0xd1, 0x98, 0x1d, 0x3f, 0x96, 0x48, 0x01, 0x92, 0x88,
+	0xf9, 0xbb, 0x06, 0xae, 0x5c, 0xae, 0x62, 0xef, 0x82, 0x32, 0x0e, 0x5c, 0x79, 0xec, 0x61, 0xad,
+	0xe6, 0x44, 0x5e, 0xb7, 0x9e, 0xec, 0xc4, 0x42, 0x94, 0xe0, 0x82, 0x3c, 0x0c, 0x46, 0xb4, 0xf4,
+	0x88, 0x3c, 0x74, 0xc9, 0x50, 0x82, 0xc3, 0x0d, 0x30, 0x37, 0xfc, 0x91, 0x45, 0x32, 0x0a, 0x52,
+	0xe1, 0x6a, 0x34, 0xa8, 0xcd, 0xa1, 0x34, 0x80, 0xc6, 0x79, 0xe6, 0xaf, 0x3a, 0x58, 0xde, 0x25,
+	0xdd, 0x83, 0x57, 0x33, 0x0b, 0x9e, 0x8e, 0xcd, 0x82, 0xcd, 0xe9, 0x37, 0x36, 0x3b, 0xca, 0x57,
+	0x36, 0x0f, 0x7e, 0xd0, 0xc1, 0x8d, 0x29, 0x31, 0xc1, 0x23, 0x00, 0xe9, 0xb9, 0xeb, 0xa5, 0xf2,
+	0x68, 0x4f, 0x8d, 0xe5, 0xfc, 0xad, 0x6c, 0x5c, 0x8b, 0x06, 0xb5, 0x8c, 0xdb, 0x8a, 0x32, 0x5c,
+	0xc0, 0x6f, 0x35, 0xb0, 0xe4, 0x65, 0x4d, 0x2a, 0x95, 0xe6, 0xfa, 0x54, 0xe7, 0x99, 0x33, 0xae,
+	0x71, 0x3d, 0x1a, 0xd4, 0xb2, 0xc7, 0x1f, 0xca, 0xf6, 0x25, 0x5e, 0x99, 0x6b, 0xa9, 0xf4, 0x88,
+	0x0b, 0xf2, 0xff, 0xf5, 0xd5, 0x27, 0x63, 0x7d, 0xb5, 0x71, 0xd1, 0xbe, 0x4a, 0x05, 0x39, 0xb1,
+	0xad, 0x3e, 0x3b, 0xd3, 0x56, 0x77, 0x2e, 0xd2, 0x56, 0x69, 0xc3, 0xd3, 0xbb, 0xea, 0x11, 0x58,
+	0x99, 0x1c, 0xd0, 0xa5, 0x87, 0xb3, 0xf9, 0x93, 0x0e, 0x16, 0x5f, 0x3f, 0xf3, 0x97, 0xb9, 0xd6,
+	0x7f, 0x14, 0xc0, 0xf2, 0xeb, 0x2b, 0x3d, 0x69, 0xd1, 0x09, 0x19, 0xa1, 0xea, 0x19, 0x1f, 0x15,
+	0x67, 0x8f, 0x11, 0x8a, 0x24, 0x02, 0x4d, 0x30, 0xd3, 0x8e, 0x5f, 0xb7, 0xf8, 0xfd, 0x01, 0x22,
+	0xc1, 0xea, 0x69, 0x53, 0x08, 0x6c, 0x81, 0x22, 0x11, 0x7b, 0xab, 0x51, 0x5c, 0xcd, 0xaf, 0x55,
+	0xea, 0x1f, 0xfe, 0x97, 0xce, 0xb0, 0xe4, 0xe6, 0xbb, 0xed, 0x71, 0x7a, 0x9c, 0xac, 0x13, 0x52,
+	0x86, 0x62, 0xe3, 0xf0, 0x4d, 0x90, 0x0f, 0xdd, 0x96, 0x7a, 0xed, 0x2b, 0x8a, 0x92, 0xdf, 0xdb,
+	0x79, 0x80, 0x84, 0x7c, 0x05, 0xab, 0xe5, 0x59, 0x9a, 0x80, 0x0b, 0x20, 0x7f, 0x48, 0x8e, 0xe3,
+	0x0b, 0x85, 0xc4, 0x27, 0xbc, 0x0f, 0x8a, 0x7d, 0xb1, 0x57, 0xab, 0xfc, 0xbe, 0x33, 0x35, 0xc8,
+	0x64, 0x0d, 0x47, 0xb1, 0xd6, 0x3d, 0x7d, 0x53, 0x33, 0x7f, 0xd6, 0xc0, 0xf5, 0x89, 0xed, 0x27,
+	0xd6, 0x1d, 0xdc, 0xed, 0xfa, 0x47, 0xa4, 0x25, 0xdd, 0x96, 0x92, 0x75, 0x67, 0x2b, 0x16, 0xa3,
+	0x21, 0x0e, 0xdf, 0x06, 0x33, 0x94, 0x60, 0xe6, 0x7b, 0x6a, 0xc5, 0x1a, 0x75, 0x2e, 0x92, 0x52,
+	0xa4, 0x50, 0xb8, 0x05, 0xe6, 0x89, 0x70, 0x2f, 0xe3, 0xda, 0xa6, 0xd4, 0x1f, 0x56, 0x6a, 0x59,
+	0x29, 0xcc, 0x6f, 0x8f, 0xc3, 0xe8, 0x2c, 0xdf, 0xfc, 0x47, 0x07, 0xc6, 0xa4, 0x91, 0x05, 0x0f,
+	0x92, 0x1d, 0x43, 0x82, 0x72, 0xcd, 0xa9, 0xd4, 0x6f, 0x5e, 0xa8, 0xf1, 0x85, 0x46, 0x63, 0x49,
+	0x05, 0x32, 0x97, 0x96, 0xa6, 0x56, 0x12, 0xf9, 0x0b, 0x29, 0x58, 0xf0, 0xc6, 0x77, 0xe1, 0x78,
+	0x59, 0xaa, 0xd4, 0x6f, 0x5d, 0xb4, 0xcd, 0xa5, 0x37, 0x43, 0x79, 0x5b, 0x38, 0x03, 0x30, 0x74,
+	0xce, 0x3e, 0xac, 0x03, 0xe0, 0x7a, 0x8e, 0xdf, 0x0b, 0xba, 0x84, 0x13, 0x99, 0xb6, 0x52, 0x32,
+	0xdf, 0x76, 0x46, 0x08, 0x4a, 0xb1, 0xb2, 0xf2, 0x5d, 0xb8, 0x5c, 0xbe, 0x1b, 0x6b, 0x27, 0xa7,
+	0xd5, 0xdc, 0xf3, 0xd3, 0x6a, 0xee, 0xc5, 0x69, 0x35, 0xf7, 0x2c, 0xaa, 0x6a, 0x27, 0x51, 0x55,
+	0x7b, 0x1e, 0x55, 0xb5, 0x17, 0x51, 0x55, 0xfb, 0x2b, 0xaa, 0x6a, 0xdf, 0xfd, 0x5d, 0xcd, 0x3d,
+	0xd5, 0xfb, 0xeb, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xd9, 0x3f, 0xd9, 0x21, 0x54, 0x0f, 0x00,
+	0x00,
+}
diff --git a/cli/vendor/k8s.io/api/authorization/v1/generated.proto b/cli/vendor/k8s.io/api/authorization/v1/generated.proto
new file mode 100644
index 00000000..180d8768
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1/generated.proto
@@ -0,0 +1,265 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.authorization.v1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1";
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message ExtraValue {
+  // items, if empty, will result in an empty slice
+
+  repeated string items = 1;
+}
+
+// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
+// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
+// checking.
+message LocalSubjectAccessReview {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
+  // you made the request against.  If empty, it is defaulted.
+  optional SubjectAccessReviewSpec spec = 2;
+
+  // Status is filled in by the server and indicates whether the request is allowed or not
+  // +optional
+  optional SubjectAccessReviewStatus status = 3;
+}
+
+// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
+message NonResourceAttributes {
+  // Path is the URL path of the request
+  // +optional
+  optional string path = 1;
+
+  // Verb is the standard HTTP verb
+  // +optional
+  optional string verb = 2;
+}
+
+// NonResourceRule holds information that describes a rule for the non-resource
+message NonResourceRule {
+  // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.
+  repeated string verbs = 1;
+
+  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full,
+  // final step in the path.  "*" means all.
+  // +optional
+  repeated string nonResourceURLs = 2;
+}
+
+// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
+message ResourceAttributes {
+  // Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
+  // "" (empty) is defaulted for LocalSubjectAccessReviews
+  // "" (empty) is empty for cluster-scoped resources
+  // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
+  // +optional
+  optional string namespace = 1;
+
+  // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+  // +optional
+  optional string verb = 2;
+
+  // Group is the API Group of the Resource.  "*" means all.
+  // +optional
+  optional string group = 3;
+
+  // Version is the API Version of the Resource.  "*" means all.
+  // +optional
+  optional string version = 4;
+
+  // Resource is one of the existing resource types.  "*" means all.
+  // +optional
+  optional string resource = 5;
+
+  // Subresource is one of the existing resource types.  "" means none.
+  // +optional
+  optional string subresource = 6;
+
+  // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
+  // +optional
+  optional string name = 7;
+}
+
+// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
+// may contain duplicates, and possibly be incomplete.
+message ResourceRule {
+  // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+  repeated string verbs = 1;
+
+  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+  // the enumerated resources in any API group will be allowed.  "*" means all.
+  // +optional
+  repeated string apiGroups = 2;
+
+  // Resources is a list of resources this rule applies to.  ResourceAll represents all resources.  "*" means all.
+  // +optional
+  repeated string resources = 3;
+
+  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.
+  // +optional
+  repeated string resourceNames = 4;
+}
+
+// SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a
+// spec.namespace means "in all namespaces".  Self is a special case, because users should always be able
+// to check whether they can perform an action
+message SelfSubjectAccessReview {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the request being evaluated.  user and groups must be empty
+  optional SelfSubjectAccessReviewSpec spec = 2;
+
+  // Status is filled in by the server and indicates whether the request is allowed or not
+  // +optional
+  optional SubjectAccessReviewStatus status = 3;
+}
+
+// SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+message SelfSubjectAccessReviewSpec {
+  // ResourceAuthorizationAttributes describes information for a resource access request
+  // +optional
+  optional ResourceAttributes resourceAttributes = 1;
+
+  // NonResourceAttributes describes information for a non-resource access request
+  // +optional
+  optional NonResourceAttributes nonResourceAttributes = 2;
+}
+
+// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
+// The returned list of actions may be incomplete depending on the server's authorization mode,
+// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
+// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
+// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
+// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
+message SelfSubjectRulesReview {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the request being evaluated.
+  optional SelfSubjectRulesReviewSpec spec = 2;
+
+  // Status is filled in by the server and indicates the set of actions a user can perform.
+  // +optional
+  optional SubjectRulesReviewStatus status = 3;
+}
+
+message SelfSubjectRulesReviewSpec {
+  // Namespace to evaluate rules for. Required.
+  optional string namespace = 1;
+}
+
+// SubjectAccessReview checks whether or not a user or group can perform an action.
+message SubjectAccessReview {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the request being evaluated
+  optional SubjectAccessReviewSpec spec = 2;
+
+  // Status is filled in by the server and indicates whether the request is allowed or not
+  // +optional
+  optional SubjectAccessReviewStatus status = 3;
+}
+
+// SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+message SubjectAccessReviewSpec {
+  // ResourceAuthorizationAttributes describes information for a resource access request
+  // +optional
+  optional ResourceAttributes resourceAttributes = 1;
+
+  // NonResourceAttributes describes information for a non-resource access request
+  // +optional
+  optional NonResourceAttributes nonResourceAttributes = 2;
+
+  // User is the user you're testing for.
+  // If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups
+  // +optional
+  optional string user = 3;
+
+  // Groups is the groups you're testing for.
+  // +optional
+  repeated string groups = 4;
+
+  // Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer
+  // it needs a reflection here.
+  // +optional
+  map<string, ExtraValue> extra = 5;
+
+  // UID information about the requesting user.
+  // +optional
+  optional string uid = 6;
+}
+
+// SubjectAccessReviewStatus
+message SubjectAccessReviewStatus {
+  // Allowed is required.  True if the action would be allowed, false otherwise.
+  optional bool allowed = 1;
+
+  // Reason is optional.  It indicates why a request was allowed or denied.
+  // +optional
+  optional string reason = 2;
+
+  // EvaluationError is an indication that some error occurred during the authorization check.
+  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
+  // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
+  // +optional
+  optional string evaluationError = 3;
+}
+
+// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
+// the set of authorizers the server is configured with and any errors experienced during evaluation.
+// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
+// even if that list is incomplete.
+message SubjectRulesReviewStatus {
+  // ResourceRules is the list of actions the subject is allowed to perform on resources.
+  // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+  repeated ResourceRule resourceRules = 1;
+
+  // NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
+  // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+  repeated NonResourceRule nonResourceRules = 2;
+
+  // Incomplete is true when the rules returned by this call are incomplete. This is most commonly
+  // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
+  optional bool incomplete = 3;
+
+  // EvaluationError can appear in combination with Rules. It indicates an error occurred during
+  // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
+  // ResourceRules and/or NonResourceRules may be incomplete.
+  // +optional
+  optional string evaluationError = 4;
+}
+
diff --git a/cli/vendor/k8s.io/api/authorization/v1/register.go b/cli/vendor/k8s.io/api/authorization/v1/register.go
new file mode 100644
index 00000000..d716eaa9
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1/register.go
@@ -0,0 +1,55 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "authorization.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&SelfSubjectRulesReview{},
+		&SelfSubjectAccessReview{},
+		&SubjectAccessReview{},
+		&LocalSubjectAccessReview{},
+	)
+
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/authorization/v1/types.go b/cli/vendor/k8s.io/api/authorization/v1/types.go
new file mode 100644
index 00000000..99ec3bcb
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1/types.go
@@ -0,0 +1,261 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SubjectAccessReview checks whether or not a user or group can perform an action.
+type SubjectAccessReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the request being evaluated
+	Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a
+// spec.namespace means "in all namespaces".  Self is a special case, because users should always be able
+// to check whether they can perform an action
+type SelfSubjectAccessReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the request being evaluated.  user and groups must be empty
+	Spec SelfSubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +genclient
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
+// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
+// checking.
+type LocalSubjectAccessReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
+	// you made the request against.  If empty, it is defaulted.
+	Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
+type ResourceAttributes struct {
+	// Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
+	// "" (empty) is defaulted for LocalSubjectAccessReviews
+	// "" (empty) is empty for cluster-scoped resources
+	// "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
+	// Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+	// +optional
+	Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
+	// Group is the API Group of the Resource.  "*" means all.
+	// +optional
+	Group string `json:"group,omitempty" protobuf:"bytes,3,opt,name=group"`
+	// Version is the API Version of the Resource.  "*" means all.
+	// +optional
+	Version string `json:"version,omitempty" protobuf:"bytes,4,opt,name=version"`
+	// Resource is one of the existing resource types.  "*" means all.
+	// +optional
+	Resource string `json:"resource,omitempty" protobuf:"bytes,5,opt,name=resource"`
+	// Subresource is one of the existing resource types.  "" means none.
+	// +optional
+	Subresource string `json:"subresource,omitempty" protobuf:"bytes,6,opt,name=subresource"`
+	// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,7,opt,name=name"`
+}
+
+// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
+type NonResourceAttributes struct {
+	// Path is the URL path of the request
+	// +optional
+	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
+	// Verb is the standard HTTP verb
+	// +optional
+	Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
+}
+
+// SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+type SubjectAccessReviewSpec struct {
+	// ResourceAuthorizationAttributes describes information for a resource access request
+	// +optional
+	ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
+	// NonResourceAttributes describes information for a non-resource access request
+	// +optional
+	NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
+
+	// User is the user you're testing for.
+	// If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups
+	// +optional
+	User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
+	// Groups is the groups you're testing for.
+	// +optional
+	Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
+	// Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer
+	// it needs a reflection here.
+	// +optional
+	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,5,rep,name=extra"`
+	// UID information about the requesting user.
+	// +optional
+	UID string `json:"uid,omitempty" protobuf:"bytes,6,opt,name=uid"`
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+	return fmt.Sprintf("%v", []string(t))
+}
+
+// SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+type SelfSubjectAccessReviewSpec struct {
+	// ResourceAuthorizationAttributes describes information for a resource access request
+	// +optional
+	ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
+	// NonResourceAttributes describes information for a non-resource access request
+	// +optional
+	NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
+}
+
+// SubjectAccessReviewStatus
+type SubjectAccessReviewStatus struct {
+	// Allowed is required.  True if the action would be allowed, false otherwise.
+	Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
+	// Reason is optional.  It indicates why a request was allowed or denied.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
+	// EvaluationError is an indication that some error occurred during the authorization check.
+	// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
+	// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
+	// +optional
+	EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
+// The returned list of actions may be incomplete depending on the server's authorization mode,
+// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
+// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
+// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
+// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
+type SelfSubjectRulesReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the request being evaluated.
+	Spec SelfSubjectRulesReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the server and indicates the set of actions a user can perform.
+	// +optional
+	Status SubjectRulesReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+type SelfSubjectRulesReviewSpec struct {
+	// Namespace to evaluate rules for. Required.
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
+}
+
+// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
+// the set of authorizers the server is configured with and any errors experienced during evaluation.
+// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
+// even if that list is incomplete.
+type SubjectRulesReviewStatus struct {
+	// ResourceRules is the list of actions the subject is allowed to perform on resources.
+	// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+	ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"`
+	// NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
+	// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+	NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"`
+	// Incomplete is true when the rules returned by this call are incomplete. This is most commonly
+	// encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
+	Incomplete bool `json:"incomplete" protobuf:"bytes,3,rep,name=incomplete"`
+	// EvaluationError can appear in combination with Rules. It indicates an error occurred during
+	// rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
+	// ResourceRules and/or NonResourceRules may be incomplete.
+	// +optional
+	EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,4,opt,name=evaluationError"`
+}
+
+// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
+// may contain duplicates, and possibly be incomplete.
+type ResourceRule struct {
+	// Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
+
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed.  "*" means all.
+	// +optional
+	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
+	// Resources is a list of resources this rule applies to.  ResourceAll represents all resources.  "*" means all.
+	// +optional
+	Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.
+	// +optional
+	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
+}
+
+// NonResourceRule holds information that describes a rule for the non-resource
+type NonResourceRule struct {
+	// Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.
+	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
+
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full,
+	// final step in the path.  "*" means all.
+	// +optional
+	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"`
+}
diff --git a/cli/vendor/k8s.io/api/authorization/v1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/authorization/v1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..8a0fb8a8
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1/types_swagger_doc_generated.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_LocalSubjectAccessReview = map[string]string{
+	"":       "LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.",
+	"spec":   "Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace you made the request against.  If empty, it is defaulted.",
+	"status": "Status is filled in by the server and indicates whether the request is allowed or not",
+}
+
+func (LocalSubjectAccessReview) SwaggerDoc() map[string]string {
+	return map_LocalSubjectAccessReview
+}
+
+var map_NonResourceAttributes = map[string]string{
+	"":     "NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface",
+	"path": "Path is the URL path of the request",
+	"verb": "Verb is the standard HTTP verb",
+}
+
+func (NonResourceAttributes) SwaggerDoc() map[string]string {
+	return map_NonResourceAttributes
+}
+
+var map_NonResourceRule = map[string]string{
+	"":                "NonResourceRule holds information that describes a rule for the non-resource",
+	"verbs":           "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  \"*\" means all.",
+	"nonResourceURLs": "NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path.  \"*\" means all.",
+}
+
+func (NonResourceRule) SwaggerDoc() map[string]string {
+	return map_NonResourceRule
+}
+
+var map_ResourceAttributes = map[string]string{
+	"":            "ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface",
+	"namespace":   "Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces \"\" (empty) is defaulted for LocalSubjectAccessReviews \"\" (empty) is empty for cluster-scoped resources \"\" (empty) means \"all\" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview",
+	"verb":        "Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  \"*\" means all.",
+	"group":       "Group is the API Group of the Resource.  \"*\" means all.",
+	"version":     "Version is the API Version of the Resource.  \"*\" means all.",
+	"resource":    "Resource is one of the existing resource types.  \"*\" means all.",
+	"subresource": "Subresource is one of the existing resource types.  \"\" means none.",
+	"name":        "Name is the name of the resource being requested for a \"get\" or deleted for a \"delete\". \"\" (empty) means all.",
+}
+
+func (ResourceAttributes) SwaggerDoc() map[string]string {
+	return map_ResourceAttributes
+}
+
+var map_ResourceRule = map[string]string{
+	"":              "ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
+	"verbs":         "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  \"*\" means all.",
+	"apiGroups":     "APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.  \"*\" means all.",
+	"resources":     "Resources is a list of resources this rule applies to.  ResourceAll represents all resources.  \"*\" means all.",
+	"resourceNames": "ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  \"*\" means all.",
+}
+
+func (ResourceRule) SwaggerDoc() map[string]string {
+	return map_ResourceRule
+}
+
+var map_SelfSubjectAccessReview = map[string]string{
+	"":       "SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a spec.namespace means \"in all namespaces\".  Self is a special case, because users should always be able to check whether they can perform an action",
+	"spec":   "Spec holds information about the request being evaluated.  user and groups must be empty",
+	"status": "Status is filled in by the server and indicates whether the request is allowed or not",
+}
+
+func (SelfSubjectAccessReview) SwaggerDoc() map[string]string {
+	return map_SelfSubjectAccessReview
+}
+
+var map_SelfSubjectAccessReviewSpec = map[string]string{
+	"":                      "SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set",
+	"resourceAttributes":    "ResourceAuthorizationAttributes describes information for a resource access request",
+	"nonResourceAttributes": "NonResourceAttributes describes information for a non-resource access request",
+}
+
+func (SelfSubjectAccessReviewSpec) SwaggerDoc() map[string]string {
+	return map_SelfSubjectAccessReviewSpec
+}
+
+var map_SelfSubjectRulesReview = map[string]string{
+	"":       "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.",
+	"spec":   "Spec holds information about the request being evaluated.",
+	"status": "Status is filled in by the server and indicates the set of actions a user can perform.",
+}
+
+func (SelfSubjectRulesReview) SwaggerDoc() map[string]string {
+	return map_SelfSubjectRulesReview
+}
+
+var map_SelfSubjectRulesReviewSpec = map[string]string{
+	"namespace": "Namespace to evaluate rules for. Required.",
+}
+
+func (SelfSubjectRulesReviewSpec) SwaggerDoc() map[string]string {
+	return map_SelfSubjectRulesReviewSpec
+}
+
+var map_SubjectAccessReview = map[string]string{
+	"":       "SubjectAccessReview checks whether or not a user or group can perform an action.",
+	"spec":   "Spec holds information about the request being evaluated",
+	"status": "Status is filled in by the server and indicates whether the request is allowed or not",
+}
+
+func (SubjectAccessReview) SwaggerDoc() map[string]string {
+	return map_SubjectAccessReview
+}
+
+var map_SubjectAccessReviewSpec = map[string]string{
+	"":                      "SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set",
+	"resourceAttributes":    "ResourceAuthorizationAttributes describes information for a resource access request",
+	"nonResourceAttributes": "NonResourceAttributes describes information for a non-resource access request",
+	"user":                  "User is the user you're testing for. If you specify \"User\" but not \"Groups\", then is it interpreted as \"What if User were not a member of any groups",
+	"groups":                "Groups is the groups you're testing for.",
+	"extra":                 "Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer it needs a reflection here.",
+	"uid":                   "UID information about the requesting user.",
+}
+
+func (SubjectAccessReviewSpec) SwaggerDoc() map[string]string {
+	return map_SubjectAccessReviewSpec
+}
+
+var map_SubjectAccessReviewStatus = map[string]string{
+	"":                "SubjectAccessReviewStatus",
+	"allowed":         "Allowed is required.  True if the action would be allowed, false otherwise.",
+	"reason":          "Reason is optional.  It indicates why a request was allowed or denied.",
+	"evaluationError": "EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.",
+}
+
+func (SubjectAccessReviewStatus) SwaggerDoc() map[string]string {
+	return map_SubjectAccessReviewStatus
+}
+
+var map_SubjectRulesReviewStatus = map[string]string{
+	"":                 "SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.",
+	"resourceRules":    "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
+	"nonResourceRules": "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
+	"incomplete":       "Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.",
+	"evaluationError":  "EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.",
+}
+
+func (SubjectRulesReviewStatus) SwaggerDoc() map[string]string {
+	return map_SubjectRulesReviewStatus
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/authorization/v1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/authorization/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..17f2ef44
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1/zz_generated.deepcopy.go
@@ -0,0 +1,445 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LocalSubjectAccessReview).DeepCopyInto(out.(*LocalSubjectAccessReview))
+			return nil
+		}, InType: reflect.TypeOf(&LocalSubjectAccessReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NonResourceAttributes).DeepCopyInto(out.(*NonResourceAttributes))
+			return nil
+		}, InType: reflect.TypeOf(&NonResourceAttributes{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NonResourceRule).DeepCopyInto(out.(*NonResourceRule))
+			return nil
+		}, InType: reflect.TypeOf(&NonResourceRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceAttributes).DeepCopyInto(out.(*ResourceAttributes))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceAttributes{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceRule).DeepCopyInto(out.(*ResourceRule))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SelfSubjectAccessReview).DeepCopyInto(out.(*SelfSubjectAccessReview))
+			return nil
+		}, InType: reflect.TypeOf(&SelfSubjectAccessReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SelfSubjectAccessReviewSpec).DeepCopyInto(out.(*SelfSubjectAccessReviewSpec))
+			return nil
+		}, InType: reflect.TypeOf(&SelfSubjectAccessReviewSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SelfSubjectRulesReview).DeepCopyInto(out.(*SelfSubjectRulesReview))
+			return nil
+		}, InType: reflect.TypeOf(&SelfSubjectRulesReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SelfSubjectRulesReviewSpec).DeepCopyInto(out.(*SelfSubjectRulesReviewSpec))
+			return nil
+		}, InType: reflect.TypeOf(&SelfSubjectRulesReviewSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SubjectAccessReview).DeepCopyInto(out.(*SubjectAccessReview))
+			return nil
+		}, InType: reflect.TypeOf(&SubjectAccessReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SubjectAccessReviewSpec).DeepCopyInto(out.(*SubjectAccessReviewSpec))
+			return nil
+		}, InType: reflect.TypeOf(&SubjectAccessReviewSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SubjectAccessReviewStatus).DeepCopyInto(out.(*SubjectAccessReviewStatus))
+			return nil
+		}, InType: reflect.TypeOf(&SubjectAccessReviewStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SubjectRulesReviewStatus).DeepCopyInto(out.(*SubjectRulesReviewStatus))
+			return nil
+		}, InType: reflect.TypeOf(&SubjectRulesReviewStatus{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LocalSubjectAccessReview) DeepCopyInto(out *LocalSubjectAccessReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalSubjectAccessReview.
+func (in *LocalSubjectAccessReview) DeepCopy() *LocalSubjectAccessReview {
+	if in == nil {
+		return nil
+	}
+	out := new(LocalSubjectAccessReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LocalSubjectAccessReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NonResourceAttributes) DeepCopyInto(out *NonResourceAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NonResourceAttributes.
+func (in *NonResourceAttributes) DeepCopy() *NonResourceAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(NonResourceAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NonResourceRule) DeepCopyInto(out *NonResourceRule) {
+	*out = *in
+	if in.Verbs != nil {
+		in, out := &in.Verbs, &out.Verbs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.NonResourceURLs != nil {
+		in, out := &in.NonResourceURLs, &out.NonResourceURLs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NonResourceRule.
+func (in *NonResourceRule) DeepCopy() *NonResourceRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NonResourceRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceAttributes) DeepCopyInto(out *ResourceAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAttributes.
+func (in *ResourceAttributes) DeepCopy() *ResourceAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceRule) DeepCopyInto(out *ResourceRule) {
+	*out = *in
+	if in.Verbs != nil {
+		in, out := &in.Verbs, &out.Verbs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.APIGroups != nil {
+		in, out := &in.APIGroups, &out.APIGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ResourceNames != nil {
+		in, out := &in.ResourceNames, &out.ResourceNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRule.
+func (in *ResourceRule) DeepCopy() *ResourceRule {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SelfSubjectAccessReview) DeepCopyInto(out *SelfSubjectAccessReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectAccessReview.
+func (in *SelfSubjectAccessReview) DeepCopy() *SelfSubjectAccessReview {
+	if in == nil {
+		return nil
+	}
+	out := new(SelfSubjectAccessReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SelfSubjectAccessReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SelfSubjectAccessReviewSpec) DeepCopyInto(out *SelfSubjectAccessReviewSpec) {
+	*out = *in
+	if in.ResourceAttributes != nil {
+		in, out := &in.ResourceAttributes, &out.ResourceAttributes
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ResourceAttributes)
+			**out = **in
+		}
+	}
+	if in.NonResourceAttributes != nil {
+		in, out := &in.NonResourceAttributes, &out.NonResourceAttributes
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(NonResourceAttributes)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectAccessReviewSpec.
+func (in *SelfSubjectAccessReviewSpec) DeepCopy() *SelfSubjectAccessReviewSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SelfSubjectAccessReviewSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SelfSubjectRulesReview) DeepCopyInto(out *SelfSubjectRulesReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectRulesReview.
+func (in *SelfSubjectRulesReview) DeepCopy() *SelfSubjectRulesReview {
+	if in == nil {
+		return nil
+	}
+	out := new(SelfSubjectRulesReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SelfSubjectRulesReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SelfSubjectRulesReviewSpec) DeepCopyInto(out *SelfSubjectRulesReviewSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectRulesReviewSpec.
+func (in *SelfSubjectRulesReviewSpec) DeepCopy() *SelfSubjectRulesReviewSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SelfSubjectRulesReviewSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubjectAccessReview) DeepCopyInto(out *SubjectAccessReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectAccessReview.
+func (in *SubjectAccessReview) DeepCopy() *SubjectAccessReview {
+	if in == nil {
+		return nil
+	}
+	out := new(SubjectAccessReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SubjectAccessReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubjectAccessReviewSpec) DeepCopyInto(out *SubjectAccessReviewSpec) {
+	*out = *in
+	if in.ResourceAttributes != nil {
+		in, out := &in.ResourceAttributes, &out.ResourceAttributes
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ResourceAttributes)
+			**out = **in
+		}
+	}
+	if in.NonResourceAttributes != nil {
+		in, out := &in.NonResourceAttributes, &out.NonResourceAttributes
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(NonResourceAttributes)
+			**out = **in
+		}
+	}
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Extra != nil {
+		in, out := &in.Extra, &out.Extra
+		*out = make(map[string]ExtraValue, len(*in))
+		for key, val := range *in {
+			(*out)[key] = make(ExtraValue, len(val))
+			copy((*out)[key], val)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectAccessReviewSpec.
+func (in *SubjectAccessReviewSpec) DeepCopy() *SubjectAccessReviewSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SubjectAccessReviewSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubjectAccessReviewStatus) DeepCopyInto(out *SubjectAccessReviewStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectAccessReviewStatus.
+func (in *SubjectAccessReviewStatus) DeepCopy() *SubjectAccessReviewStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(SubjectAccessReviewStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubjectRulesReviewStatus) DeepCopyInto(out *SubjectRulesReviewStatus) {
+	*out = *in
+	if in.ResourceRules != nil {
+		in, out := &in.ResourceRules, &out.ResourceRules
+		*out = make([]ResourceRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NonResourceRules != nil {
+		in, out := &in.NonResourceRules, &out.NonResourceRules
+		*out = make([]NonResourceRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectRulesReviewStatus.
+func (in *SubjectRulesReviewStatus) DeepCopy() *SubjectRulesReviewStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(SubjectRulesReviewStatus)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/authorization/v1beta1/doc.go b/cli/vendor/k8s.io/api/authorization/v1beta1/doc.go
new file mode 100644
index 00000000..6809b811
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1beta1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+// +groupName=authorization.k8s.io
+package v1beta1 // import "k8s.io/api/authorization/v1beta1"
diff --git a/cli/vendor/k8s.io/api/authorization/v1beta1/generated.pb.go b/cli/vendor/k8s.io/api/authorization/v1beta1/generated.pb.go
new file mode 100644
index 00000000..ffef889b
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1beta1/generated.pb.go
@@ -0,0 +1,3498 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/authorization/v1beta1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1beta1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/authorization/v1beta1/generated.proto
+
+	It has these top-level messages:
+		ExtraValue
+		LocalSubjectAccessReview
+		NonResourceAttributes
+		NonResourceRule
+		ResourceAttributes
+		ResourceRule
+		SelfSubjectAccessReview
+		SelfSubjectAccessReviewSpec
+		SelfSubjectRulesReview
+		SelfSubjectRulesReviewSpec
+		SubjectAccessReview
+		SubjectAccessReviewSpec
+		SubjectAccessReviewStatus
+		SubjectRulesReviewStatus
+*/
+package v1beta1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *ExtraValue) Reset()                    { *m = ExtraValue{} }
+func (*ExtraValue) ProtoMessage()               {}
+func (*ExtraValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *LocalSubjectAccessReview) Reset()      { *m = LocalSubjectAccessReview{} }
+func (*LocalSubjectAccessReview) ProtoMessage() {}
+func (*LocalSubjectAccessReview) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{1}
+}
+
+func (m *NonResourceAttributes) Reset()                    { *m = NonResourceAttributes{} }
+func (*NonResourceAttributes) ProtoMessage()               {}
+func (*NonResourceAttributes) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *NonResourceRule) Reset()                    { *m = NonResourceRule{} }
+func (*NonResourceRule) ProtoMessage()               {}
+func (*NonResourceRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *ResourceAttributes) Reset()                    { *m = ResourceAttributes{} }
+func (*ResourceAttributes) ProtoMessage()               {}
+func (*ResourceAttributes) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *ResourceRule) Reset()                    { *m = ResourceRule{} }
+func (*ResourceRule) ProtoMessage()               {}
+func (*ResourceRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func (m *SelfSubjectAccessReview) Reset()                    { *m = SelfSubjectAccessReview{} }
+func (*SelfSubjectAccessReview) ProtoMessage()               {}
+func (*SelfSubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *SelfSubjectAccessReviewSpec) Reset()      { *m = SelfSubjectAccessReviewSpec{} }
+func (*SelfSubjectAccessReviewSpec) ProtoMessage() {}
+func (*SelfSubjectAccessReviewSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{7}
+}
+
+func (m *SelfSubjectRulesReview) Reset()                    { *m = SelfSubjectRulesReview{} }
+func (*SelfSubjectRulesReview) ProtoMessage()               {}
+func (*SelfSubjectRulesReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *SelfSubjectRulesReviewSpec) Reset()      { *m = SelfSubjectRulesReviewSpec{} }
+func (*SelfSubjectRulesReviewSpec) ProtoMessage() {}
+func (*SelfSubjectRulesReviewSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{9}
+}
+
+func (m *SubjectAccessReview) Reset()                    { *m = SubjectAccessReview{} }
+func (*SubjectAccessReview) ProtoMessage()               {}
+func (*SubjectAccessReview) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+
+func (m *SubjectAccessReviewSpec) Reset()      { *m = SubjectAccessReviewSpec{} }
+func (*SubjectAccessReviewSpec) ProtoMessage() {}
+func (*SubjectAccessReviewSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{11}
+}
+
+func (m *SubjectAccessReviewStatus) Reset()      { *m = SubjectAccessReviewStatus{} }
+func (*SubjectAccessReviewStatus) ProtoMessage() {}
+func (*SubjectAccessReviewStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{12}
+}
+
+func (m *SubjectRulesReviewStatus) Reset()      { *m = SubjectRulesReviewStatus{} }
+func (*SubjectRulesReviewStatus) ProtoMessage() {}
+func (*SubjectRulesReviewStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{13}
+}
+
+func init() {
+	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authorization.v1beta1.ExtraValue")
+	proto.RegisterType((*LocalSubjectAccessReview)(nil), "k8s.io.api.authorization.v1beta1.LocalSubjectAccessReview")
+	proto.RegisterType((*NonResourceAttributes)(nil), "k8s.io.api.authorization.v1beta1.NonResourceAttributes")
+	proto.RegisterType((*NonResourceRule)(nil), "k8s.io.api.authorization.v1beta1.NonResourceRule")
+	proto.RegisterType((*ResourceAttributes)(nil), "k8s.io.api.authorization.v1beta1.ResourceAttributes")
+	proto.RegisterType((*ResourceRule)(nil), "k8s.io.api.authorization.v1beta1.ResourceRule")
+	proto.RegisterType((*SelfSubjectAccessReview)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectAccessReview")
+	proto.RegisterType((*SelfSubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectAccessReviewSpec")
+	proto.RegisterType((*SelfSubjectRulesReview)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectRulesReview")
+	proto.RegisterType((*SelfSubjectRulesReviewSpec)(nil), "k8s.io.api.authorization.v1beta1.SelfSubjectRulesReviewSpec")
+	proto.RegisterType((*SubjectAccessReview)(nil), "k8s.io.api.authorization.v1beta1.SubjectAccessReview")
+	proto.RegisterType((*SubjectAccessReviewSpec)(nil), "k8s.io.api.authorization.v1beta1.SubjectAccessReviewSpec")
+	proto.RegisterType((*SubjectAccessReviewStatus)(nil), "k8s.io.api.authorization.v1beta1.SubjectAccessReviewStatus")
+	proto.RegisterType((*SubjectRulesReviewStatus)(nil), "k8s.io.api.authorization.v1beta1.SubjectRulesReviewStatus")
+}
+func (m ExtraValue) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m ExtraValue) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *LocalSubjectAccessReview) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LocalSubjectAccessReview) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n3, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *NonResourceAttributes) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NonResourceAttributes) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Verb)))
+	i += copy(dAtA[i:], m.Verb)
+	return i, nil
+}
+
+func (m *NonResourceRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NonResourceRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NonResourceURLs) > 0 {
+		for _, s := range m.NonResourceURLs {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *ResourceAttributes) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceAttributes) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Verb)))
+	i += copy(dAtA[i:], m.Verb)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
+	i += copy(dAtA[i:], m.Group)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Version)))
+	i += copy(dAtA[i:], m.Version)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Resource)))
+	i += copy(dAtA[i:], m.Resource)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Subresource)))
+	i += copy(dAtA[i:], m.Subresource)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	return i, nil
+}
+
+func (m *ResourceRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.ResourceNames) > 0 {
+		for _, s := range m.ResourceNames {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *SelfSubjectAccessReview) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SelfSubjectAccessReview) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n4, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n5, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n6, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	return i, nil
+}
+
+func (m *SelfSubjectAccessReviewSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SelfSubjectAccessReviewSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.ResourceAttributes != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ResourceAttributes.Size()))
+		n7, err := m.ResourceAttributes.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	if m.NonResourceAttributes != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.NonResourceAttributes.Size()))
+		n8, err := m.NonResourceAttributes.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	return i, nil
+}
+
+func (m *SelfSubjectRulesReview) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SelfSubjectRulesReview) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n9, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n10, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n11, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n11
+	return i, nil
+}
+
+func (m *SelfSubjectRulesReviewSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SelfSubjectRulesReviewSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	return i, nil
+}
+
+func (m *SubjectAccessReview) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SubjectAccessReview) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n12, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n12
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n13, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n13
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n14, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n14
+	return i, nil
+}
+
+func (m *SubjectAccessReviewSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SubjectAccessReviewSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.ResourceAttributes != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ResourceAttributes.Size()))
+		n15, err := m.ResourceAttributes.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n15
+	}
+	if m.NonResourceAttributes != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.NonResourceAttributes.Size()))
+		n16, err := m.NonResourceAttributes.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n16
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.User)))
+	i += copy(dAtA[i:], m.User)
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Extra) > 0 {
+		keysForExtra := make([]string, 0, len(m.Extra))
+		for k := range m.Extra {
+			keysForExtra = append(keysForExtra, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		for _, k := range keysForExtra {
+			dAtA[i] = 0x2a
+			i++
+			v := m.Extra[string(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n17, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n17
+		}
+	}
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID)))
+	i += copy(dAtA[i:], m.UID)
+	return i, nil
+}
+
+func (m *SubjectAccessReviewStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SubjectAccessReviewStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	if m.Allowed {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.EvaluationError)))
+	i += copy(dAtA[i:], m.EvaluationError)
+	return i, nil
+}
+
+func (m *SubjectRulesReviewStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SubjectRulesReviewStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ResourceRules) > 0 {
+		for _, msg := range m.ResourceRules {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.NonResourceRules) > 0 {
+		for _, msg := range m.NonResourceRules {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x18
+	i++
+	if m.Incomplete {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.EvaluationError)))
+	i += copy(dAtA[i:], m.EvaluationError)
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m ExtraValue) Size() (n int) {
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *LocalSubjectAccessReview) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NonResourceAttributes) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Verb)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NonResourceRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.NonResourceURLs) > 0 {
+		for _, s := range m.NonResourceURLs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ResourceAttributes) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Verb)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Group)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Version)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Resource)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Subresource)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ResourceRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.ResourceNames) > 0 {
+		for _, s := range m.ResourceNames {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *SelfSubjectAccessReview) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SelfSubjectAccessReviewSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.ResourceAttributes != nil {
+		l = m.ResourceAttributes.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.NonResourceAttributes != nil {
+		l = m.NonResourceAttributes.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *SelfSubjectRulesReview) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SelfSubjectRulesReviewSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SubjectAccessReview) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SubjectAccessReviewSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.ResourceAttributes != nil {
+		l = m.ResourceAttributes.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.NonResourceAttributes != nil {
+		l = m.NonResourceAttributes.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = len(m.User)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Extra) > 0 {
+		for k, v := range m.Extra {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.UID)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SubjectAccessReviewStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 2
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.EvaluationError)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SubjectRulesReviewStatus) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.ResourceRules) > 0 {
+		for _, e := range m.ResourceRules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.NonResourceRules) > 0 {
+		for _, e := range m.NonResourceRules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	n += 2
+	l = len(m.EvaluationError)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *LocalSubjectAccessReview) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&LocalSubjectAccessReview{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "SubjectAccessReviewSpec", "SubjectAccessReviewSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "SubjectAccessReviewStatus", "SubjectAccessReviewStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NonResourceAttributes) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NonResourceAttributes{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`Verb:` + fmt.Sprintf("%v", this.Verb) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NonResourceRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NonResourceRule{`,
+		`Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`,
+		`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceAttributes) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceAttributes{`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`Verb:` + fmt.Sprintf("%v", this.Verb) + `,`,
+		`Group:` + fmt.Sprintf("%v", this.Group) + `,`,
+		`Version:` + fmt.Sprintf("%v", this.Version) + `,`,
+		`Resource:` + fmt.Sprintf("%v", this.Resource) + `,`,
+		`Subresource:` + fmt.Sprintf("%v", this.Subresource) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceRule{`,
+		`Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`,
+		`APIGroups:` + fmt.Sprintf("%v", this.APIGroups) + `,`,
+		`Resources:` + fmt.Sprintf("%v", this.Resources) + `,`,
+		`ResourceNames:` + fmt.Sprintf("%v", this.ResourceNames) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SelfSubjectAccessReview) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SelfSubjectAccessReview{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "SelfSubjectAccessReviewSpec", "SelfSubjectAccessReviewSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "SubjectAccessReviewStatus", "SubjectAccessReviewStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SelfSubjectAccessReviewSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SelfSubjectAccessReviewSpec{`,
+		`ResourceAttributes:` + strings.Replace(fmt.Sprintf("%v", this.ResourceAttributes), "ResourceAttributes", "ResourceAttributes", 1) + `,`,
+		`NonResourceAttributes:` + strings.Replace(fmt.Sprintf("%v", this.NonResourceAttributes), "NonResourceAttributes", "NonResourceAttributes", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SelfSubjectRulesReview) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SelfSubjectRulesReview{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "SelfSubjectRulesReviewSpec", "SelfSubjectRulesReviewSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "SubjectRulesReviewStatus", "SubjectRulesReviewStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SelfSubjectRulesReviewSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SelfSubjectRulesReviewSpec{`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SubjectAccessReview) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SubjectAccessReview{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "SubjectAccessReviewSpec", "SubjectAccessReviewSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "SubjectAccessReviewStatus", "SubjectAccessReviewStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SubjectAccessReviewSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForExtra := make([]string, 0, len(this.Extra))
+	for k := range this.Extra {
+		keysForExtra = append(keysForExtra, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	mapStringForExtra := "map[string]ExtraValue{"
+	for _, k := range keysForExtra {
+		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
+	}
+	mapStringForExtra += "}"
+	s := strings.Join([]string{`&SubjectAccessReviewSpec{`,
+		`ResourceAttributes:` + strings.Replace(fmt.Sprintf("%v", this.ResourceAttributes), "ResourceAttributes", "ResourceAttributes", 1) + `,`,
+		`NonResourceAttributes:` + strings.Replace(fmt.Sprintf("%v", this.NonResourceAttributes), "NonResourceAttributes", "NonResourceAttributes", 1) + `,`,
+		`User:` + fmt.Sprintf("%v", this.User) + `,`,
+		`Groups:` + fmt.Sprintf("%v", this.Groups) + `,`,
+		`Extra:` + mapStringForExtra + `,`,
+		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SubjectAccessReviewStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SubjectAccessReviewStatus{`,
+		`Allowed:` + fmt.Sprintf("%v", this.Allowed) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`EvaluationError:` + fmt.Sprintf("%v", this.EvaluationError) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SubjectRulesReviewStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SubjectRulesReviewStatus{`,
+		`ResourceRules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ResourceRules), "ResourceRule", "ResourceRule", 1), `&`, ``, 1) + `,`,
+		`NonResourceRules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.NonResourceRules), "NonResourceRule", "NonResourceRule", 1), `&`, ``, 1) + `,`,
+		`Incomplete:` + fmt.Sprintf("%v", this.Incomplete) + `,`,
+		`EvaluationError:` + fmt.Sprintf("%v", this.EvaluationError) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *ExtraValue) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExtraValue: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExtraValue: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			*m = append(*m, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LocalSubjectAccessReview) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LocalSubjectAccessReview: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LocalSubjectAccessReview: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NonResourceAttributes) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NonResourceAttributes: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NonResourceAttributes: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verb", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verb = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NonResourceRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NonResourceRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NonResourceRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceURLs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceAttributes) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceAttributes: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceAttributes: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verb", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verb = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Group = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Version", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Version = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resource = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subresource", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subresource = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroups = append(m.APIGroups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resources = append(m.Resources, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceNames", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceNames = append(m.ResourceNames, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SelfSubjectAccessReview) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SelfSubjectAccessReview: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SelfSubjectAccessReview: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SelfSubjectAccessReviewSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SelfSubjectAccessReviewSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SelfSubjectAccessReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceAttributes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ResourceAttributes == nil {
+				m.ResourceAttributes = &ResourceAttributes{}
+			}
+			if err := m.ResourceAttributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceAttributes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.NonResourceAttributes == nil {
+				m.NonResourceAttributes = &NonResourceAttributes{}
+			}
+			if err := m.NonResourceAttributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SelfSubjectRulesReview) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SelfSubjectRulesReview: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SelfSubjectRulesReview: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SelfSubjectRulesReviewSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SelfSubjectRulesReviewSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SelfSubjectRulesReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SubjectAccessReview) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SubjectAccessReview: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SubjectAccessReview: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SubjectAccessReviewSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SubjectAccessReviewSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SubjectAccessReviewSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceAttributes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ResourceAttributes == nil {
+				m.ResourceAttributes = &ResourceAttributes{}
+			}
+			if err := m.ResourceAttributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceAttributes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.NonResourceAttributes == nil {
+				m.NonResourceAttributes = &NonResourceAttributes{}
+			}
+			if err := m.NonResourceAttributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field User", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.User = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Extra", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Extra == nil {
+				m.Extra = make(map[string]ExtraValue)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &ExtraValue{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Extra[mapkey] = *mapvalue
+			} else {
+				var mapvalue ExtraValue
+				m.Extra[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SubjectAccessReviewStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SubjectAccessReviewStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SubjectAccessReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Allowed", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Allowed = bool(v != 0)
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EvaluationError", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.EvaluationError = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SubjectRulesReviewStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SubjectRulesReviewStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SubjectRulesReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceRules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceRules = append(m.ResourceRules, ResourceRule{})
+			if err := m.ResourceRules[len(m.ResourceRules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceRules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NonResourceRules = append(m.NonResourceRules, NonResourceRule{})
+			if err := m.NonResourceRules[len(m.NonResourceRules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Incomplete", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Incomplete = bool(v != 0)
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EvaluationError", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.EvaluationError = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/authorization/v1beta1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 1139 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0xcf, 0x6f, 0x1b, 0x45,
+	0x14, 0xf6, 0xfa, 0x47, 0x62, 0x8f, 0x1b, 0x92, 0x4e, 0x94, 0x66, 0x1b, 0x84, 0x6d, 0x19, 0x09,
+	0x05, 0xd1, 0xee, 0x92, 0x50, 0x48, 0x09, 0xf4, 0x10, 0xab, 0x11, 0x8a, 0xd4, 0x96, 0x6a, 0xa2,
+	0xe4, 0x40, 0x25, 0x60, 0x76, 0x33, 0xb1, 0x17, 0xdb, 0xbb, 0xcb, 0xcc, 0xac, 0x43, 0x10, 0x87,
+	0x1e, 0x39, 0x72, 0xe4, 0xc8, 0x89, 0x3b, 0x47, 0x2e, 0x48, 0x70, 0xca, 0xb1, 0xc7, 0x1c, 0x90,
+	0x45, 0x96, 0x3f, 0x82, 0x2b, 0x9a, 0xd9, 0xb1, 0x77, 0x1d, 0xaf, 0xe3, 0x24, 0x87, 0xf6, 0xd2,
+	0xdb, 0xce, 0xfb, 0xde, 0xf7, 0xde, 0x9b, 0x37, 0xef, 0xbd, 0x7d, 0x60, 0xa7, 0x7d, 0x9f, 0x19,
+	0x8e, 0x67, 0xb6, 0x03, 0x8b, 0x50, 0x97, 0x70, 0xc2, 0xcc, 0x1e, 0x71, 0x0f, 0x3c, 0x6a, 0x2a,
+	0x00, 0xfb, 0x8e, 0x89, 0x03, 0xde, 0xf2, 0xa8, 0xf3, 0x3d, 0xe6, 0x8e, 0xe7, 0x9a, 0xbd, 0x35,
+	0x8b, 0x70, 0xbc, 0x66, 0x36, 0x89, 0x4b, 0x28, 0xe6, 0xe4, 0xc0, 0xf0, 0xa9, 0xc7, 0x3d, 0x58,
+	0x8b, 0x18, 0x06, 0xf6, 0x1d, 0x63, 0x84, 0x61, 0x28, 0xc6, 0xca, 0xdd, 0xa6, 0xc3, 0x5b, 0x81,
+	0x65, 0xd8, 0x5e, 0xd7, 0x6c, 0x7a, 0x4d, 0xcf, 0x94, 0x44, 0x2b, 0x38, 0x94, 0x27, 0x79, 0x90,
+	0x5f, 0x91, 0xc1, 0x95, 0x7b, 0x71, 0x08, 0x5d, 0x6c, 0xb7, 0x1c, 0x97, 0xd0, 0x63, 0xd3, 0x6f,
+	0x37, 0x85, 0x80, 0x99, 0x5d, 0xc2, 0xb1, 0xd9, 0x1b, 0x0b, 0x63, 0xc5, 0x9c, 0xc4, 0xa2, 0x81,
+	0xcb, 0x9d, 0x2e, 0x19, 0x23, 0x7c, 0x34, 0x8d, 0xc0, 0xec, 0x16, 0xe9, 0xe2, 0x31, 0xde, 0x07,
+	0x93, 0x78, 0x01, 0x77, 0x3a, 0xa6, 0xe3, 0x72, 0xc6, 0xe9, 0x79, 0x52, 0x7d, 0x03, 0x80, 0xed,
+	0xef, 0x38, 0xc5, 0xfb, 0xb8, 0x13, 0x10, 0x58, 0x05, 0x05, 0x87, 0x93, 0x2e, 0xd3, 0xb5, 0x5a,
+	0x6e, 0xb5, 0xd4, 0x28, 0x85, 0xfd, 0x6a, 0x61, 0x47, 0x08, 0x50, 0x24, 0xdf, 0x2c, 0xfe, 0xfc,
+	0x4b, 0x35, 0xf3, 0xfc, 0xef, 0x5a, 0xa6, 0xfe, 0x47, 0x16, 0xe8, 0x8f, 0x3c, 0x1b, 0x77, 0x76,
+	0x03, 0xeb, 0x1b, 0x62, 0xf3, 0x2d, 0xdb, 0x26, 0x8c, 0x21, 0xd2, 0x73, 0xc8, 0x11, 0xfc, 0x1a,
+	0x14, 0x45, 0x3a, 0x0e, 0x30, 0xc7, 0xba, 0x56, 0xd3, 0x56, 0xcb, 0xeb, 0xef, 0x1b, 0xf1, 0x6b,
+	0x0c, 0xa3, 0x33, 0xfc, 0x76, 0x53, 0x08, 0x98, 0x21, 0xb4, 0x8d, 0xde, 0x9a, 0xf1, 0xb9, 0xb4,
+	0xf5, 0x98, 0x70, 0xdc, 0x80, 0x27, 0xfd, 0x6a, 0x26, 0xec, 0x57, 0x41, 0x2c, 0x43, 0x43, 0xab,
+	0xf0, 0x19, 0xc8, 0x33, 0x9f, 0xd8, 0x7a, 0x56, 0x5a, 0xff, 0xd8, 0x98, 0xf6, 0xd6, 0x46, 0x4a,
+	0x98, 0xbb, 0x3e, 0xb1, 0x1b, 0x37, 0x94, 0x9b, 0xbc, 0x38, 0x21, 0x69, 0x14, 0xda, 0x60, 0x86,
+	0x71, 0xcc, 0x03, 0xa6, 0xe7, 0xa4, 0xf9, 0x4f, 0xae, 0x67, 0x5e, 0x9a, 0x68, 0xbc, 0xa1, 0x1c,
+	0xcc, 0x44, 0x67, 0xa4, 0x4c, 0xd7, 0x9f, 0x81, 0xa5, 0x27, 0x9e, 0x8b, 0x08, 0xf3, 0x02, 0x6a,
+	0x93, 0x2d, 0xce, 0xa9, 0x63, 0x05, 0x9c, 0x30, 0x58, 0x03, 0x79, 0x1f, 0xf3, 0x96, 0x4c, 0x5c,
+	0x29, 0x8e, 0xef, 0x29, 0xe6, 0x2d, 0x24, 0x11, 0xa1, 0xd1, 0x23, 0xd4, 0x92, 0x97, 0x4f, 0x68,
+	0xec, 0x13, 0x6a, 0x21, 0x89, 0xd4, 0xbf, 0x05, 0xf3, 0x09, 0xe3, 0x28, 0xe8, 0xc8, 0xb7, 0x15,
+	0xd0, 0xc8, 0xdb, 0x0a, 0x06, 0x43, 0x91, 0x1c, 0x3e, 0x00, 0xf3, 0x6e, 0xcc, 0xd9, 0x43, 0x8f,
+	0x98, 0x9e, 0x95, 0xaa, 0x8b, 0x61, 0xbf, 0x9a, 0x34, 0x27, 0x20, 0x74, 0x5e, 0x57, 0x14, 0x04,
+	0x4c, 0xb9, 0x8d, 0x09, 0x4a, 0x2e, 0xee, 0x12, 0xe6, 0x63, 0x9b, 0xa8, 0x2b, 0xdd, 0x54, 0x01,
+	0x97, 0x9e, 0x0c, 0x00, 0x14, 0xeb, 0x4c, 0xbf, 0x1c, 0x7c, 0x1b, 0x14, 0x9a, 0xd4, 0x0b, 0x7c,
+	0xf9, 0x3a, 0xa5, 0xc6, 0x9c, 0x52, 0x29, 0x7c, 0x26, 0x84, 0x28, 0xc2, 0xe0, 0xbb, 0x60, 0xb6,
+	0x47, 0x28, 0x73, 0x3c, 0x57, 0xcf, 0x4b, 0xb5, 0x79, 0xa5, 0x36, 0xbb, 0x1f, 0x89, 0xd1, 0x00,
+	0x87, 0x77, 0x40, 0x91, 0xaa, 0xc0, 0xf5, 0x82, 0xd4, 0x5d, 0x50, 0xba, 0xc5, 0x61, 0x06, 0x87,
+	0x1a, 0xf0, 0x43, 0x50, 0x66, 0x81, 0x35, 0x24, 0xcc, 0x48, 0xc2, 0xa2, 0x22, 0x94, 0x77, 0x63,
+	0x08, 0x25, 0xf5, 0xc4, 0xb5, 0xc4, 0x1d, 0xf5, 0xd9, 0xd1, 0x6b, 0x89, 0x14, 0x20, 0x89, 0xd4,
+	0xff, 0xd2, 0xc0, 0x8d, 0xab, 0xbd, 0xd8, 0x7b, 0xa0, 0x84, 0x7d, 0x47, 0x5e, 0x7b, 0xf0, 0x56,
+	0x73, 0x22, 0xaf, 0x5b, 0x4f, 0x77, 0x22, 0x21, 0x8a, 0x71, 0xa1, 0x3c, 0x08, 0x46, 0xd4, 0xf5,
+	0x50, 0x79, 0xe0, 0x92, 0xa1, 0x18, 0x87, 0x1b, 0x60, 0x6e, 0x70, 0x90, 0x8f, 0xa4, 0xe7, 0x25,
+	0xe1, 0x66, 0xd8, 0xaf, 0xce, 0xa1, 0x24, 0x80, 0x46, 0xf5, 0xea, 0x7f, 0x66, 0xc1, 0xf2, 0x2e,
+	0xe9, 0x1c, 0xbe, 0x9a, 0xa9, 0xf0, 0xd5, 0xc8, 0x54, 0x78, 0x70, 0x89, 0xb6, 0x4d, 0x0f, 0xf5,
+	0xd5, 0x4e, 0x86, 0x5f, 0xb3, 0xe0, 0xcd, 0x0b, 0x02, 0x83, 0x3f, 0x00, 0x48, 0xc7, 0x1a, 0x4d,
+	0x65, 0xf4, 0xde, 0xf4, 0x80, 0xc6, 0x9b, 0xb4, 0x71, 0x2b, 0xec, 0x57, 0x53, 0x9a, 0x17, 0xa5,
+	0xf8, 0x81, 0x3f, 0x6a, 0x60, 0xc9, 0x4d, 0x1b, 0x5c, 0x2a, 0xeb, 0x1b, 0xd3, 0x23, 0x48, 0x9d,
+	0x7b, 0x8d, 0xdb, 0x61, 0xbf, 0x9a, 0x3e, 0x12, 0x51, 0xba, 0x43, 0x31, 0x72, 0x6e, 0x25, 0x12,
+	0x25, 0x9a, 0xe6, 0xe5, 0xd5, 0xda, 0x97, 0x23, 0xb5, 0xf6, 0xe9, 0x95, 0x6a, 0x2d, 0x11, 0xe9,
+	0xc4, 0x52, 0xb3, 0xce, 0x95, 0xda, 0xe6, 0xa5, 0x4b, 0x2d, 0x69, 0xfd, 0xe2, 0x4a, 0x7b, 0x0c,
+	0x56, 0x26, 0x47, 0x75, 0xe5, 0xd1, 0x5d, 0xff, 0x3d, 0x0b, 0x16, 0x5f, 0xaf, 0x03, 0xd7, 0x6b,
+	0xfa, 0xd3, 0x3c, 0x58, 0x7e, 0xdd, 0xf0, 0x17, 0x37, 0xbc, 0xf8, 0x89, 0x06, 0x8c, 0x50, 0xf5,
+	0xe3, 0x1f, 0xbe, 0xd5, 0x1e, 0x23, 0x14, 0x49, 0x04, 0xd6, 0x06, 0xbb, 0x41, 0xf4, 0xc3, 0x02,
+	0x22, 0xd3, 0xea, 0x5f, 0xa8, 0x16, 0x03, 0x07, 0x14, 0x88, 0xd8, 0x78, 0xf5, 0x42, 0x2d, 0xb7,
+	0x5a, 0x5e, 0x7f, 0x78, 0xed, 0x5a, 0x31, 0xe4, 0xe2, 0xbc, 0xed, 0x72, 0x7a, 0x1c, 0xef, 0x20,
+	0x52, 0x86, 0x22, 0x0f, 0xf0, 0x2d, 0x90, 0x0b, 0x9c, 0x03, 0xb5, 0x22, 0x94, 0x95, 0x4a, 0x6e,
+	0x6f, 0xe7, 0x21, 0x12, 0xf2, 0x95, 0x43, 0xb5, 0x7b, 0x4b, 0x13, 0x70, 0x01, 0xe4, 0xda, 0xe4,
+	0x38, 0xea, 0x33, 0x24, 0x3e, 0x61, 0x03, 0x14, 0x7a, 0x62, 0x2d, 0x57, 0x79, 0xbe, 0x33, 0x3d,
+	0xd2, 0x78, 0x95, 0x47, 0x11, 0x75, 0x33, 0x7b, 0x5f, 0xab, 0xff, 0xa6, 0x81, 0xdb, 0x13, 0x0b,
+	0x52, 0x2c, 0x4a, 0xb8, 0xd3, 0xf1, 0x8e, 0xc8, 0x81, 0xf4, 0x5d, 0x8c, 0x17, 0xa5, 0xad, 0x48,
+	0x8c, 0x06, 0x38, 0x7c, 0x07, 0xcc, 0x50, 0x82, 0x99, 0xe7, 0xaa, 0xe5, 0x6c, 0x58, 0xcb, 0x48,
+	0x4a, 0x91, 0x42, 0xe1, 0x16, 0x98, 0x27, 0xc2, 0xbd, 0x0c, 0x6e, 0x9b, 0x52, 0x6f, 0xf0, 0x62,
+	0xcb, 0x8a, 0x30, 0xbf, 0x3d, 0x0a, 0xa3, 0xf3, 0xfa, 0xf5, 0xff, 0xb2, 0x40, 0x9f, 0x34, 0xce,
+	0x60, 0x3b, 0xde, 0x4e, 0x24, 0x28, 0x17, 0xa4, 0xf2, 0xba, 0x71, 0xf9, 0x56, 0x10, 0xb4, 0xc6,
+	0x92, 0x8a, 0x66, 0x2e, 0x29, 0x4d, 0x6c, 0x34, 0xf2, 0x08, 0x8f, 0xc0, 0x82, 0x3b, 0xba, 0x4a,
+	0x47, 0xbb, 0x56, 0x79, 0x7d, 0xed, 0x4a, 0x85, 0x2f, 0x5d, 0xea, 0xca, 0xe5, 0xc2, 0x39, 0x80,
+	0xa1, 0x31, 0x27, 0x70, 0x1d, 0x00, 0xc7, 0xb5, 0xbd, 0xae, 0xdf, 0x21, 0x9c, 0xc8, 0x04, 0x16,
+	0xe3, 0x29, 0xb8, 0x33, 0x44, 0x50, 0x42, 0x2b, 0x2d, 0xf3, 0xf9, 0xab, 0x65, 0xbe, 0x71, 0xf7,
+	0xe4, 0xac, 0x92, 0x79, 0x71, 0x56, 0xc9, 0x9c, 0x9e, 0x55, 0x32, 0xcf, 0xc3, 0x8a, 0x76, 0x12,
+	0x56, 0xb4, 0x17, 0x61, 0x45, 0x3b, 0x0d, 0x2b, 0xda, 0x3f, 0x61, 0x45, 0xfb, 0xe9, 0xdf, 0x4a,
+	0xe6, 0x8b, 0x59, 0x75, 0xc3, 0xff, 0x03, 0x00, 0x00, 0xff, 0xff, 0x29, 0xa9, 0x9d, 0x7c, 0xb1,
+	0x0f, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/authorization/v1beta1/generated.proto b/cli/vendor/k8s.io/api/authorization/v1beta1/generated.proto
new file mode 100644
index 00000000..9931bbed
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1beta1/generated.proto
@@ -0,0 +1,265 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.authorization.v1beta1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message ExtraValue {
+  // items, if empty, will result in an empty slice
+
+  repeated string items = 1;
+}
+
+// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
+// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
+// checking.
+message LocalSubjectAccessReview {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
+  // you made the request against.  If empty, it is defaulted.
+  optional SubjectAccessReviewSpec spec = 2;
+
+  // Status is filled in by the server and indicates whether the request is allowed or not
+  // +optional
+  optional SubjectAccessReviewStatus status = 3;
+}
+
+// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
+message NonResourceAttributes {
+  // Path is the URL path of the request
+  // +optional
+  optional string path = 1;
+
+  // Verb is the standard HTTP verb
+  // +optional
+  optional string verb = 2;
+}
+
+// NonResourceRule holds information that describes a rule for the non-resource
+message NonResourceRule {
+  // Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.
+  repeated string verbs = 1;
+
+  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full,
+  // final step in the path.  "*" means all.
+  // +optional
+  repeated string nonResourceURLs = 2;
+}
+
+// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
+message ResourceAttributes {
+  // Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
+  // "" (empty) is defaulted for LocalSubjectAccessReviews
+  // "" (empty) is empty for cluster-scoped resources
+  // "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
+  // +optional
+  optional string namespace = 1;
+
+  // Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+  // +optional
+  optional string verb = 2;
+
+  // Group is the API Group of the Resource.  "*" means all.
+  // +optional
+  optional string group = 3;
+
+  // Version is the API Version of the Resource.  "*" means all.
+  // +optional
+  optional string version = 4;
+
+  // Resource is one of the existing resource types.  "*" means all.
+  // +optional
+  optional string resource = 5;
+
+  // Subresource is one of the existing resource types.  "" means none.
+  // +optional
+  optional string subresource = 6;
+
+  // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
+  // +optional
+  optional string name = 7;
+}
+
+// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
+// may contain duplicates, and possibly be incomplete.
+message ResourceRule {
+  // Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+  repeated string verbs = 1;
+
+  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+  // the enumerated resources in any API group will be allowed.  "*" means all.
+  // +optional
+  repeated string apiGroups = 2;
+
+  // Resources is a list of resources this rule applies to.  ResourceAll represents all resources.  "*" means all.
+  // +optional
+  repeated string resources = 3;
+
+  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.
+  // +optional
+  repeated string resourceNames = 4;
+}
+
+// SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a
+// spec.namespace means "in all namespaces".  Self is a special case, because users should always be able
+// to check whether they can perform an action
+message SelfSubjectAccessReview {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the request being evaluated.  user and groups must be empty
+  optional SelfSubjectAccessReviewSpec spec = 2;
+
+  // Status is filled in by the server and indicates whether the request is allowed or not
+  // +optional
+  optional SubjectAccessReviewStatus status = 3;
+}
+
+// SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+message SelfSubjectAccessReviewSpec {
+  // ResourceAuthorizationAttributes describes information for a resource access request
+  // +optional
+  optional ResourceAttributes resourceAttributes = 1;
+
+  // NonResourceAttributes describes information for a non-resource access request
+  // +optional
+  optional NonResourceAttributes nonResourceAttributes = 2;
+}
+
+// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
+// The returned list of actions may be incomplete depending on the server's authorization mode,
+// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
+// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
+// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
+// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
+message SelfSubjectRulesReview {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the request being evaluated.
+  optional SelfSubjectRulesReviewSpec spec = 2;
+
+  // Status is filled in by the server and indicates the set of actions a user can perform.
+  // +optional
+  optional SubjectRulesReviewStatus status = 3;
+}
+
+message SelfSubjectRulesReviewSpec {
+  // Namespace to evaluate rules for. Required.
+  optional string namespace = 1;
+}
+
+// SubjectAccessReview checks whether or not a user or group can perform an action.
+message SubjectAccessReview {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec holds information about the request being evaluated
+  optional SubjectAccessReviewSpec spec = 2;
+
+  // Status is filled in by the server and indicates whether the request is allowed or not
+  // +optional
+  optional SubjectAccessReviewStatus status = 3;
+}
+
+// SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+message SubjectAccessReviewSpec {
+  // ResourceAuthorizationAttributes describes information for a resource access request
+  // +optional
+  optional ResourceAttributes resourceAttributes = 1;
+
+  // NonResourceAttributes describes information for a non-resource access request
+  // +optional
+  optional NonResourceAttributes nonResourceAttributes = 2;
+
+  // User is the user you're testing for.
+  // If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups
+  // +optional
+  optional string user = 3;
+
+  // Groups is the groups you're testing for.
+  // +optional
+  repeated string group = 4;
+
+  // Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer
+  // it needs a reflection here.
+  // +optional
+  map<string, ExtraValue> extra = 5;
+
+  // UID information about the requesting user.
+  // +optional
+  optional string uid = 6;
+}
+
+// SubjectAccessReviewStatus
+message SubjectAccessReviewStatus {
+  // Allowed is required.  True if the action would be allowed, false otherwise.
+  optional bool allowed = 1;
+
+  // Reason is optional.  It indicates why a request was allowed or denied.
+  // +optional
+  optional string reason = 2;
+
+  // EvaluationError is an indication that some error occurred during the authorization check.
+  // It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
+  // For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
+  // +optional
+  optional string evaluationError = 3;
+}
+
+// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
+// the set of authorizers the server is configured with and any errors experienced during evaluation.
+// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
+// even if that list is incomplete.
+message SubjectRulesReviewStatus {
+  // ResourceRules is the list of actions the subject is allowed to perform on resources.
+  // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+  repeated ResourceRule resourceRules = 1;
+
+  // NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
+  // The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+  repeated NonResourceRule nonResourceRules = 2;
+
+  // Incomplete is true when the rules returned by this call are incomplete. This is most commonly
+  // encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
+  optional bool incomplete = 3;
+
+  // EvaluationError can appear in combination with Rules. It indicates an error occurred during
+  // rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
+  // ResourceRules and/or NonResourceRules may be incomplete.
+  // +optional
+  optional string evaluationError = 4;
+}
+
diff --git a/cli/vendor/k8s.io/api/authorization/v1beta1/register.go b/cli/vendor/k8s.io/api/authorization/v1beta1/register.go
new file mode 100644
index 00000000..d8116d5a
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1beta1/register.go
@@ -0,0 +1,55 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "authorization.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&SelfSubjectRulesReview{},
+		&SelfSubjectAccessReview{},
+		&SubjectAccessReview{},
+		&LocalSubjectAccessReview{},
+	)
+
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/authorization/v1beta1/types.go b/cli/vendor/k8s.io/api/authorization/v1beta1/types.go
new file mode 100644
index 00000000..a0659d51
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1beta1/types.go
@@ -0,0 +1,261 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SubjectAccessReview checks whether or not a user or group can perform an action.
+type SubjectAccessReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the request being evaluated
+	Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a
+// spec.namespace means "in all namespaces".  Self is a special case, because users should always be able
+// to check whether they can perform an action
+type SelfSubjectAccessReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the request being evaluated.  user and groups must be empty
+	Spec SelfSubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +genclient
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace.
+// Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions
+// checking.
+type LocalSubjectAccessReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace
+	// you made the request against.  If empty, it is defaulted.
+	Spec SubjectAccessReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the server and indicates whether the request is allowed or not
+	// +optional
+	Status SubjectAccessReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
+type ResourceAttributes struct {
+	// Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
+	// "" (empty) is defaulted for LocalSubjectAccessReviews
+	// "" (empty) is empty for cluster-scoped resources
+	// "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
+	// Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+	// +optional
+	Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
+	// Group is the API Group of the Resource.  "*" means all.
+	// +optional
+	Group string `json:"group,omitempty" protobuf:"bytes,3,opt,name=group"`
+	// Version is the API Version of the Resource.  "*" means all.
+	// +optional
+	Version string `json:"version,omitempty" protobuf:"bytes,4,opt,name=version"`
+	// Resource is one of the existing resource types.  "*" means all.
+	// +optional
+	Resource string `json:"resource,omitempty" protobuf:"bytes,5,opt,name=resource"`
+	// Subresource is one of the existing resource types.  "" means none.
+	// +optional
+	Subresource string `json:"subresource,omitempty" protobuf:"bytes,6,opt,name=subresource"`
+	// Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,7,opt,name=name"`
+}
+
+// NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
+type NonResourceAttributes struct {
+	// Path is the URL path of the request
+	// +optional
+	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
+	// Verb is the standard HTTP verb
+	// +optional
+	Verb string `json:"verb,omitempty" protobuf:"bytes,2,opt,name=verb"`
+}
+
+// SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+type SubjectAccessReviewSpec struct {
+	// ResourceAuthorizationAttributes describes information for a resource access request
+	// +optional
+	ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
+	// NonResourceAttributes describes information for a non-resource access request
+	// +optional
+	NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
+
+	// User is the user you're testing for.
+	// If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups
+	// +optional
+	User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
+	// Groups is the groups you're testing for.
+	// +optional
+	Groups []string `json:"group,omitempty" protobuf:"bytes,4,rep,name=group"`
+	// Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer
+	// it needs a reflection here.
+	// +optional
+	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,5,rep,name=extra"`
+	// UID information about the requesting user.
+	// +optional
+	UID string `json:"uid,omitempty" protobuf:"bytes,6,opt,name=uid"`
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+	return fmt.Sprintf("%v", []string(t))
+}
+
+// SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes
+// and NonResourceAuthorizationAttributes must be set
+type SelfSubjectAccessReviewSpec struct {
+	// ResourceAuthorizationAttributes describes information for a resource access request
+	// +optional
+	ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty" protobuf:"bytes,1,opt,name=resourceAttributes"`
+	// NonResourceAttributes describes information for a non-resource access request
+	// +optional
+	NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty" protobuf:"bytes,2,opt,name=nonResourceAttributes"`
+}
+
+// SubjectAccessReviewStatus
+type SubjectAccessReviewStatus struct {
+	// Allowed is required.  True if the action would be allowed, false otherwise.
+	Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
+	// Reason is optional.  It indicates why a request was allowed or denied.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
+	// EvaluationError is an indication that some error occurred during the authorization check.
+	// It is entirely possible to get an error and be able to continue determine authorization status in spite of it.
+	// For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
+	// +optional
+	EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,3,opt,name=evaluationError"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace.
+// The returned list of actions may be incomplete depending on the server's authorization mode,
+// and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions,
+// or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to
+// drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns.
+// SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
+type SelfSubjectRulesReview struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec holds information about the request being evaluated.
+	Spec SelfSubjectRulesReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is filled in by the server and indicates the set of actions a user can perform.
+	// +optional
+	Status SubjectRulesReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+type SelfSubjectRulesReviewSpec struct {
+	// Namespace to evaluate rules for. Required.
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,1,opt,name=namespace"`
+}
+
+// SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on
+// the set of authorizers the server is configured with and any errors experienced during evaluation.
+// Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission,
+// even if that list is incomplete.
+type SubjectRulesReviewStatus struct {
+	// ResourceRules is the list of actions the subject is allowed to perform on resources.
+	// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+	ResourceRules []ResourceRule `json:"resourceRules" protobuf:"bytes,1,rep,name=resourceRules"`
+	// NonResourceRules is the list of actions the subject is allowed to perform on non-resources.
+	// The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
+	NonResourceRules []NonResourceRule `json:"nonResourceRules" protobuf:"bytes,2,rep,name=nonResourceRules"`
+	// Incomplete is true when the rules returned by this call are incomplete. This is most commonly
+	// encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
+	Incomplete bool `json:"incomplete" protobuf:"bytes,3,rep,name=incomplete"`
+	// EvaluationError can appear in combination with Rules. It indicates an error occurred during
+	// rule evaluation, such as an authorizer that doesn't support rule evaluation, and that
+	// ResourceRules and/or NonResourceRules may be incomplete.
+	// +optional
+	EvaluationError string `json:"evaluationError,omitempty" protobuf:"bytes,4,opt,name=evaluationError"`
+}
+
+// ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant,
+// may contain duplicates, and possibly be incomplete.
+type ResourceRule struct {
+	// Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  "*" means all.
+	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
+
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed.  "*" means all.
+	// +optional
+	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
+	// Resources is a list of resources this rule applies to.  ResourceAll represents all resources.  "*" means all.
+	// +optional
+	Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  "*" means all.
+	// +optional
+	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
+}
+
+// NonResourceRule holds information that describes a rule for the non-resource
+type NonResourceRule struct {
+	// Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  "*" means all.
+	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
+
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full,
+	// final step in the path.  "*" means all.
+	// +optional
+	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,2,rep,name=nonResourceURLs"`
+}
diff --git a/cli/vendor/k8s.io/api/authorization/v1beta1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/authorization/v1beta1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..1d8bb984
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1beta1/types_swagger_doc_generated.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_LocalSubjectAccessReview = map[string]string{
+	"":       "LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.",
+	"spec":   "Spec holds information about the request being evaluated.  spec.namespace must be equal to the namespace you made the request against.  If empty, it is defaulted.",
+	"status": "Status is filled in by the server and indicates whether the request is allowed or not",
+}
+
+func (LocalSubjectAccessReview) SwaggerDoc() map[string]string {
+	return map_LocalSubjectAccessReview
+}
+
+var map_NonResourceAttributes = map[string]string{
+	"":     "NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface",
+	"path": "Path is the URL path of the request",
+	"verb": "Verb is the standard HTTP verb",
+}
+
+func (NonResourceAttributes) SwaggerDoc() map[string]string {
+	return map_NonResourceAttributes
+}
+
+var map_NonResourceRule = map[string]string{
+	"":                "NonResourceRule holds information that describes a rule for the non-resource",
+	"verbs":           "Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options.  \"*\" means all.",
+	"nonResourceURLs": "NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path.  \"*\" means all.",
+}
+
+func (NonResourceRule) SwaggerDoc() map[string]string {
+	return map_NonResourceRule
+}
+
+var map_ResourceAttributes = map[string]string{
+	"":            "ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface",
+	"namespace":   "Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces \"\" (empty) is defaulted for LocalSubjectAccessReviews \"\" (empty) is empty for cluster-scoped resources \"\" (empty) means \"all\" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview",
+	"verb":        "Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy.  \"*\" means all.",
+	"group":       "Group is the API Group of the Resource.  \"*\" means all.",
+	"version":     "Version is the API Version of the Resource.  \"*\" means all.",
+	"resource":    "Resource is one of the existing resource types.  \"*\" means all.",
+	"subresource": "Subresource is one of the existing resource types.  \"\" means none.",
+	"name":        "Name is the name of the resource being requested for a \"get\" or deleted for a \"delete\". \"\" (empty) means all.",
+}
+
+func (ResourceAttributes) SwaggerDoc() map[string]string {
+	return map_ResourceAttributes
+}
+
+var map_ResourceRule = map[string]string{
+	"":              "ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
+	"verbs":         "Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy.  \"*\" means all.",
+	"apiGroups":     "APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.  \"*\" means all.",
+	"resources":     "Resources is a list of resources this rule applies to.  ResourceAll represents all resources.  \"*\" means all.",
+	"resourceNames": "ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.  \"*\" means all.",
+}
+
+func (ResourceRule) SwaggerDoc() map[string]string {
+	return map_ResourceRule
+}
+
+var map_SelfSubjectAccessReview = map[string]string{
+	"":       "SelfSubjectAccessReview checks whether or the current user can perform an action.  Not filling in a spec.namespace means \"in all namespaces\".  Self is a special case, because users should always be able to check whether they can perform an action",
+	"spec":   "Spec holds information about the request being evaluated.  user and groups must be empty",
+	"status": "Status is filled in by the server and indicates whether the request is allowed or not",
+}
+
+func (SelfSubjectAccessReview) SwaggerDoc() map[string]string {
+	return map_SelfSubjectAccessReview
+}
+
+var map_SelfSubjectAccessReviewSpec = map[string]string{
+	"":                      "SelfSubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set",
+	"resourceAttributes":    "ResourceAuthorizationAttributes describes information for a resource access request",
+	"nonResourceAttributes": "NonResourceAttributes describes information for a non-resource access request",
+}
+
+func (SelfSubjectAccessReviewSpec) SwaggerDoc() map[string]string {
+	return map_SelfSubjectAccessReviewSpec
+}
+
+var map_SelfSubjectRulesReview = map[string]string{
+	"":       "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.",
+	"spec":   "Spec holds information about the request being evaluated.",
+	"status": "Status is filled in by the server and indicates the set of actions a user can perform.",
+}
+
+func (SelfSubjectRulesReview) SwaggerDoc() map[string]string {
+	return map_SelfSubjectRulesReview
+}
+
+var map_SelfSubjectRulesReviewSpec = map[string]string{
+	"namespace": "Namespace to evaluate rules for. Required.",
+}
+
+func (SelfSubjectRulesReviewSpec) SwaggerDoc() map[string]string {
+	return map_SelfSubjectRulesReviewSpec
+}
+
+var map_SubjectAccessReview = map[string]string{
+	"":       "SubjectAccessReview checks whether or not a user or group can perform an action.",
+	"spec":   "Spec holds information about the request being evaluated",
+	"status": "Status is filled in by the server and indicates whether the request is allowed or not",
+}
+
+func (SubjectAccessReview) SwaggerDoc() map[string]string {
+	return map_SubjectAccessReview
+}
+
+var map_SubjectAccessReviewSpec = map[string]string{
+	"":                      "SubjectAccessReviewSpec is a description of the access request.  Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set",
+	"resourceAttributes":    "ResourceAuthorizationAttributes describes information for a resource access request",
+	"nonResourceAttributes": "NonResourceAttributes describes information for a non-resource access request",
+	"user":                  "User is the user you're testing for. If you specify \"User\" but not \"Group\", then is it interpreted as \"What if User were not a member of any groups",
+	"group":                 "Groups is the groups you're testing for.",
+	"extra":                 "Extra corresponds to the user.Info.GetExtra() method from the authenticator.  Since that is input to the authorizer it needs a reflection here.",
+	"uid":                   "UID information about the requesting user.",
+}
+
+func (SubjectAccessReviewSpec) SwaggerDoc() map[string]string {
+	return map_SubjectAccessReviewSpec
+}
+
+var map_SubjectAccessReviewStatus = map[string]string{
+	"":                "SubjectAccessReviewStatus",
+	"allowed":         "Allowed is required.  True if the action would be allowed, false otherwise.",
+	"reason":          "Reason is optional.  It indicates why a request was allowed or denied.",
+	"evaluationError": "EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.",
+}
+
+func (SubjectAccessReviewStatus) SwaggerDoc() map[string]string {
+	return map_SubjectAccessReviewStatus
+}
+
+var map_SubjectRulesReviewStatus = map[string]string{
+	"":                 "SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.",
+	"resourceRules":    "ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
+	"nonResourceRules": "NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.",
+	"incomplete":       "Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.",
+	"evaluationError":  "EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.",
+}
+
+func (SubjectRulesReviewStatus) SwaggerDoc() map[string]string {
+	return map_SubjectRulesReviewStatus
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/authorization/v1beta1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/authorization/v1beta1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..bc585ceb
--- /dev/null
+++ b/cli/vendor/k8s.io/api/authorization/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,445 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LocalSubjectAccessReview).DeepCopyInto(out.(*LocalSubjectAccessReview))
+			return nil
+		}, InType: reflect.TypeOf(&LocalSubjectAccessReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NonResourceAttributes).DeepCopyInto(out.(*NonResourceAttributes))
+			return nil
+		}, InType: reflect.TypeOf(&NonResourceAttributes{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NonResourceRule).DeepCopyInto(out.(*NonResourceRule))
+			return nil
+		}, InType: reflect.TypeOf(&NonResourceRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceAttributes).DeepCopyInto(out.(*ResourceAttributes))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceAttributes{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceRule).DeepCopyInto(out.(*ResourceRule))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SelfSubjectAccessReview).DeepCopyInto(out.(*SelfSubjectAccessReview))
+			return nil
+		}, InType: reflect.TypeOf(&SelfSubjectAccessReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SelfSubjectAccessReviewSpec).DeepCopyInto(out.(*SelfSubjectAccessReviewSpec))
+			return nil
+		}, InType: reflect.TypeOf(&SelfSubjectAccessReviewSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SelfSubjectRulesReview).DeepCopyInto(out.(*SelfSubjectRulesReview))
+			return nil
+		}, InType: reflect.TypeOf(&SelfSubjectRulesReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SelfSubjectRulesReviewSpec).DeepCopyInto(out.(*SelfSubjectRulesReviewSpec))
+			return nil
+		}, InType: reflect.TypeOf(&SelfSubjectRulesReviewSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SubjectAccessReview).DeepCopyInto(out.(*SubjectAccessReview))
+			return nil
+		}, InType: reflect.TypeOf(&SubjectAccessReview{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SubjectAccessReviewSpec).DeepCopyInto(out.(*SubjectAccessReviewSpec))
+			return nil
+		}, InType: reflect.TypeOf(&SubjectAccessReviewSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SubjectAccessReviewStatus).DeepCopyInto(out.(*SubjectAccessReviewStatus))
+			return nil
+		}, InType: reflect.TypeOf(&SubjectAccessReviewStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SubjectRulesReviewStatus).DeepCopyInto(out.(*SubjectRulesReviewStatus))
+			return nil
+		}, InType: reflect.TypeOf(&SubjectRulesReviewStatus{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LocalSubjectAccessReview) DeepCopyInto(out *LocalSubjectAccessReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalSubjectAccessReview.
+func (in *LocalSubjectAccessReview) DeepCopy() *LocalSubjectAccessReview {
+	if in == nil {
+		return nil
+	}
+	out := new(LocalSubjectAccessReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LocalSubjectAccessReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NonResourceAttributes) DeepCopyInto(out *NonResourceAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NonResourceAttributes.
+func (in *NonResourceAttributes) DeepCopy() *NonResourceAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(NonResourceAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NonResourceRule) DeepCopyInto(out *NonResourceRule) {
+	*out = *in
+	if in.Verbs != nil {
+		in, out := &in.Verbs, &out.Verbs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.NonResourceURLs != nil {
+		in, out := &in.NonResourceURLs, &out.NonResourceURLs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NonResourceRule.
+func (in *NonResourceRule) DeepCopy() *NonResourceRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NonResourceRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceAttributes) DeepCopyInto(out *ResourceAttributes) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAttributes.
+func (in *ResourceAttributes) DeepCopy() *ResourceAttributes {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceAttributes)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceRule) DeepCopyInto(out *ResourceRule) {
+	*out = *in
+	if in.Verbs != nil {
+		in, out := &in.Verbs, &out.Verbs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.APIGroups != nil {
+		in, out := &in.APIGroups, &out.APIGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ResourceNames != nil {
+		in, out := &in.ResourceNames, &out.ResourceNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRule.
+func (in *ResourceRule) DeepCopy() *ResourceRule {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SelfSubjectAccessReview) DeepCopyInto(out *SelfSubjectAccessReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectAccessReview.
+func (in *SelfSubjectAccessReview) DeepCopy() *SelfSubjectAccessReview {
+	if in == nil {
+		return nil
+	}
+	out := new(SelfSubjectAccessReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SelfSubjectAccessReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SelfSubjectAccessReviewSpec) DeepCopyInto(out *SelfSubjectAccessReviewSpec) {
+	*out = *in
+	if in.ResourceAttributes != nil {
+		in, out := &in.ResourceAttributes, &out.ResourceAttributes
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ResourceAttributes)
+			**out = **in
+		}
+	}
+	if in.NonResourceAttributes != nil {
+		in, out := &in.NonResourceAttributes, &out.NonResourceAttributes
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(NonResourceAttributes)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectAccessReviewSpec.
+func (in *SelfSubjectAccessReviewSpec) DeepCopy() *SelfSubjectAccessReviewSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SelfSubjectAccessReviewSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SelfSubjectRulesReview) DeepCopyInto(out *SelfSubjectRulesReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectRulesReview.
+func (in *SelfSubjectRulesReview) DeepCopy() *SelfSubjectRulesReview {
+	if in == nil {
+		return nil
+	}
+	out := new(SelfSubjectRulesReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SelfSubjectRulesReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SelfSubjectRulesReviewSpec) DeepCopyInto(out *SelfSubjectRulesReviewSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectRulesReviewSpec.
+func (in *SelfSubjectRulesReviewSpec) DeepCopy() *SelfSubjectRulesReviewSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SelfSubjectRulesReviewSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubjectAccessReview) DeepCopyInto(out *SubjectAccessReview) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectAccessReview.
+func (in *SubjectAccessReview) DeepCopy() *SubjectAccessReview {
+	if in == nil {
+		return nil
+	}
+	out := new(SubjectAccessReview)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SubjectAccessReview) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubjectAccessReviewSpec) DeepCopyInto(out *SubjectAccessReviewSpec) {
+	*out = *in
+	if in.ResourceAttributes != nil {
+		in, out := &in.ResourceAttributes, &out.ResourceAttributes
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ResourceAttributes)
+			**out = **in
+		}
+	}
+	if in.NonResourceAttributes != nil {
+		in, out := &in.NonResourceAttributes, &out.NonResourceAttributes
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(NonResourceAttributes)
+			**out = **in
+		}
+	}
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Extra != nil {
+		in, out := &in.Extra, &out.Extra
+		*out = make(map[string]ExtraValue, len(*in))
+		for key, val := range *in {
+			(*out)[key] = make(ExtraValue, len(val))
+			copy((*out)[key], val)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectAccessReviewSpec.
+func (in *SubjectAccessReviewSpec) DeepCopy() *SubjectAccessReviewSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SubjectAccessReviewSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubjectAccessReviewStatus) DeepCopyInto(out *SubjectAccessReviewStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectAccessReviewStatus.
+func (in *SubjectAccessReviewStatus) DeepCopy() *SubjectAccessReviewStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(SubjectAccessReviewStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SubjectRulesReviewStatus) DeepCopyInto(out *SubjectRulesReviewStatus) {
+	*out = *in
+	if in.ResourceRules != nil {
+		in, out := &in.ResourceRules, &out.ResourceRules
+		*out = make([]ResourceRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NonResourceRules != nil {
+		in, out := &in.NonResourceRules, &out.NonResourceRules
+		*out = make([]NonResourceRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectRulesReviewStatus.
+func (in *SubjectRulesReviewStatus) DeepCopy() *SubjectRulesReviewStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(SubjectRulesReviewStatus)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/autoscaling/v1/doc.go b/cli/vendor/k8s.io/api/autoscaling/v1/doc.go
new file mode 100644
index 00000000..1689adb5
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+package v1 // import "k8s.io/api/autoscaling/v1"
diff --git a/cli/vendor/k8s.io/api/autoscaling/v1/generated.pb.go b/cli/vendor/k8s.io/api/autoscaling/v1/generated.pb.go
new file mode 100644
index 00000000..4c6a1712
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v1/generated.pb.go
@@ -0,0 +1,3786 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/autoscaling/v1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/autoscaling/v1/generated.proto
+
+	It has these top-level messages:
+		CrossVersionObjectReference
+		HorizontalPodAutoscaler
+		HorizontalPodAutoscalerCondition
+		HorizontalPodAutoscalerList
+		HorizontalPodAutoscalerSpec
+		HorizontalPodAutoscalerStatus
+		MetricSpec
+		MetricStatus
+		ObjectMetricSource
+		ObjectMetricStatus
+		PodsMetricSource
+		PodsMetricStatus
+		ResourceMetricSource
+		ResourceMetricStatus
+		Scale
+		ScaleSpec
+		ScaleStatus
+*/
+package v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_apimachinery_pkg_api_resource "k8s.io/apimachinery/pkg/api/resource"
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *CrossVersionObjectReference) Reset()      { *m = CrossVersionObjectReference{} }
+func (*CrossVersionObjectReference) ProtoMessage() {}
+func (*CrossVersionObjectReference) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{0}
+}
+
+func (m *HorizontalPodAutoscaler) Reset()                    { *m = HorizontalPodAutoscaler{} }
+func (*HorizontalPodAutoscaler) ProtoMessage()               {}
+func (*HorizontalPodAutoscaler) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *HorizontalPodAutoscalerCondition) Reset()      { *m = HorizontalPodAutoscalerCondition{} }
+func (*HorizontalPodAutoscalerCondition) ProtoMessage() {}
+func (*HorizontalPodAutoscalerCondition) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{2}
+}
+
+func (m *HorizontalPodAutoscalerList) Reset()      { *m = HorizontalPodAutoscalerList{} }
+func (*HorizontalPodAutoscalerList) ProtoMessage() {}
+func (*HorizontalPodAutoscalerList) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{3}
+}
+
+func (m *HorizontalPodAutoscalerSpec) Reset()      { *m = HorizontalPodAutoscalerSpec{} }
+func (*HorizontalPodAutoscalerSpec) ProtoMessage() {}
+func (*HorizontalPodAutoscalerSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{4}
+}
+
+func (m *HorizontalPodAutoscalerStatus) Reset()      { *m = HorizontalPodAutoscalerStatus{} }
+func (*HorizontalPodAutoscalerStatus) ProtoMessage() {}
+func (*HorizontalPodAutoscalerStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{5}
+}
+
+func (m *MetricSpec) Reset()                    { *m = MetricSpec{} }
+func (*MetricSpec) ProtoMessage()               {}
+func (*MetricSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *MetricStatus) Reset()                    { *m = MetricStatus{} }
+func (*MetricStatus) ProtoMessage()               {}
+func (*MetricStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *ObjectMetricSource) Reset()                    { *m = ObjectMetricSource{} }
+func (*ObjectMetricSource) ProtoMessage()               {}
+func (*ObjectMetricSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *ObjectMetricStatus) Reset()                    { *m = ObjectMetricStatus{} }
+func (*ObjectMetricStatus) ProtoMessage()               {}
+func (*ObjectMetricStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+
+func (m *PodsMetricSource) Reset()                    { *m = PodsMetricSource{} }
+func (*PodsMetricSource) ProtoMessage()               {}
+func (*PodsMetricSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+
+func (m *PodsMetricStatus) Reset()                    { *m = PodsMetricStatus{} }
+func (*PodsMetricStatus) ProtoMessage()               {}
+func (*PodsMetricStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
+
+func (m *ResourceMetricSource) Reset()                    { *m = ResourceMetricSource{} }
+func (*ResourceMetricSource) ProtoMessage()               {}
+func (*ResourceMetricSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
+
+func (m *ResourceMetricStatus) Reset()                    { *m = ResourceMetricStatus{} }
+func (*ResourceMetricStatus) ProtoMessage()               {}
+func (*ResourceMetricStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
+
+func (m *Scale) Reset()                    { *m = Scale{} }
+func (*Scale) ProtoMessage()               {}
+func (*Scale) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
+
+func (m *ScaleSpec) Reset()                    { *m = ScaleSpec{} }
+func (*ScaleSpec) ProtoMessage()               {}
+func (*ScaleSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
+
+func (m *ScaleStatus) Reset()                    { *m = ScaleStatus{} }
+func (*ScaleStatus) ProtoMessage()               {}
+func (*ScaleStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
+
+func init() {
+	proto.RegisterType((*CrossVersionObjectReference)(nil), "k8s.io.api.autoscaling.v1.CrossVersionObjectReference")
+	proto.RegisterType((*HorizontalPodAutoscaler)(nil), "k8s.io.api.autoscaling.v1.HorizontalPodAutoscaler")
+	proto.RegisterType((*HorizontalPodAutoscalerCondition)(nil), "k8s.io.api.autoscaling.v1.HorizontalPodAutoscalerCondition")
+	proto.RegisterType((*HorizontalPodAutoscalerList)(nil), "k8s.io.api.autoscaling.v1.HorizontalPodAutoscalerList")
+	proto.RegisterType((*HorizontalPodAutoscalerSpec)(nil), "k8s.io.api.autoscaling.v1.HorizontalPodAutoscalerSpec")
+	proto.RegisterType((*HorizontalPodAutoscalerStatus)(nil), "k8s.io.api.autoscaling.v1.HorizontalPodAutoscalerStatus")
+	proto.RegisterType((*MetricSpec)(nil), "k8s.io.api.autoscaling.v1.MetricSpec")
+	proto.RegisterType((*MetricStatus)(nil), "k8s.io.api.autoscaling.v1.MetricStatus")
+	proto.RegisterType((*ObjectMetricSource)(nil), "k8s.io.api.autoscaling.v1.ObjectMetricSource")
+	proto.RegisterType((*ObjectMetricStatus)(nil), "k8s.io.api.autoscaling.v1.ObjectMetricStatus")
+	proto.RegisterType((*PodsMetricSource)(nil), "k8s.io.api.autoscaling.v1.PodsMetricSource")
+	proto.RegisterType((*PodsMetricStatus)(nil), "k8s.io.api.autoscaling.v1.PodsMetricStatus")
+	proto.RegisterType((*ResourceMetricSource)(nil), "k8s.io.api.autoscaling.v1.ResourceMetricSource")
+	proto.RegisterType((*ResourceMetricStatus)(nil), "k8s.io.api.autoscaling.v1.ResourceMetricStatus")
+	proto.RegisterType((*Scale)(nil), "k8s.io.api.autoscaling.v1.Scale")
+	proto.RegisterType((*ScaleSpec)(nil), "k8s.io.api.autoscaling.v1.ScaleSpec")
+	proto.RegisterType((*ScaleStatus)(nil), "k8s.io.api.autoscaling.v1.ScaleStatus")
+}
+func (m *CrossVersionObjectReference) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CrossVersionObjectReference) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIVersion)))
+	i += copy(dAtA[i:], m.APIVersion)
+	return i, nil
+}
+
+func (m *HorizontalPodAutoscaler) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HorizontalPodAutoscaler) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n3, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *HorizontalPodAutoscalerCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HorizontalPodAutoscalerCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n4, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *HorizontalPodAutoscalerList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HorizontalPodAutoscalerList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n5, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *HorizontalPodAutoscalerSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HorizontalPodAutoscalerSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ScaleTargetRef.Size()))
+	n6, err := m.ScaleTargetRef.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	if m.MinReplicas != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.MinReplicas))
+	}
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MaxReplicas))
+	if m.TargetCPUUtilizationPercentage != nil {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TargetCPUUtilizationPercentage))
+	}
+	return i, nil
+}
+
+func (m *HorizontalPodAutoscalerStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HorizontalPodAutoscalerStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.ObservedGeneration != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.ObservedGeneration))
+	}
+	if m.LastScaleTime != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.LastScaleTime.Size()))
+		n7, err := m.LastScaleTime.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentReplicas))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.DesiredReplicas))
+	if m.CurrentCPUUtilizationPercentage != nil {
+		dAtA[i] = 0x28
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.CurrentCPUUtilizationPercentage))
+	}
+	return i, nil
+}
+
+func (m *MetricSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *MetricSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.Object != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Object.Size()))
+		n8, err := m.Object.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	if m.Pods != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Pods.Size()))
+		n9, err := m.Pods.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n9
+	}
+	if m.Resource != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Resource.Size()))
+		n10, err := m.Resource.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n10
+	}
+	return i, nil
+}
+
+func (m *MetricStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *MetricStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.Object != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Object.Size()))
+		n11, err := m.Object.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n11
+	}
+	if m.Pods != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Pods.Size()))
+		n12, err := m.Pods.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n12
+	}
+	if m.Resource != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Resource.Size()))
+		n13, err := m.Resource.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n13
+	}
+	return i, nil
+}
+
+func (m *ObjectMetricSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ObjectMetricSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Target.Size()))
+	n14, err := m.Target.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n14
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MetricName)))
+	i += copy(dAtA[i:], m.MetricName)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.TargetValue.Size()))
+	n15, err := m.TargetValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n15
+	return i, nil
+}
+
+func (m *ObjectMetricStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ObjectMetricStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Target.Size()))
+	n16, err := m.Target.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n16
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MetricName)))
+	i += copy(dAtA[i:], m.MetricName)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentValue.Size()))
+	n17, err := m.CurrentValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n17
+	return i, nil
+}
+
+func (m *PodsMetricSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodsMetricSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MetricName)))
+	i += copy(dAtA[i:], m.MetricName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.TargetAverageValue.Size()))
+	n18, err := m.TargetAverageValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n18
+	return i, nil
+}
+
+func (m *PodsMetricStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodsMetricStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MetricName)))
+	i += copy(dAtA[i:], m.MetricName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentAverageValue.Size()))
+	n19, err := m.CurrentAverageValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n19
+	return i, nil
+}
+
+func (m *ResourceMetricSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceMetricSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	if m.TargetAverageUtilization != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TargetAverageUtilization))
+	}
+	if m.TargetAverageValue != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.TargetAverageValue.Size()))
+		n20, err := m.TargetAverageValue.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n20
+	}
+	return i, nil
+}
+
+func (m *ResourceMetricStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceMetricStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	if m.CurrentAverageUtilization != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.CurrentAverageUtilization))
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentAverageValue.Size()))
+	n21, err := m.CurrentAverageValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n21
+	return i, nil
+}
+
+func (m *Scale) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Scale) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n22, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n22
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n23, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n23
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n24, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n24
+	return i, nil
+}
+
+func (m *ScaleSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ScaleSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	return i, nil
+}
+
+func (m *ScaleStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ScaleStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Selector)))
+	i += copy(dAtA[i:], m.Selector)
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *CrossVersionObjectReference) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.APIVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *HorizontalPodAutoscaler) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *HorizontalPodAutoscalerCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *HorizontalPodAutoscalerList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *HorizontalPodAutoscalerSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ScaleTargetRef.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.MinReplicas != nil {
+		n += 1 + sovGenerated(uint64(*m.MinReplicas))
+	}
+	n += 1 + sovGenerated(uint64(m.MaxReplicas))
+	if m.TargetCPUUtilizationPercentage != nil {
+		n += 1 + sovGenerated(uint64(*m.TargetCPUUtilizationPercentage))
+	}
+	return n
+}
+
+func (m *HorizontalPodAutoscalerStatus) Size() (n int) {
+	var l int
+	_ = l
+	if m.ObservedGeneration != nil {
+		n += 1 + sovGenerated(uint64(*m.ObservedGeneration))
+	}
+	if m.LastScaleTime != nil {
+		l = m.LastScaleTime.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 1 + sovGenerated(uint64(m.CurrentReplicas))
+	n += 1 + sovGenerated(uint64(m.DesiredReplicas))
+	if m.CurrentCPUUtilizationPercentage != nil {
+		n += 1 + sovGenerated(uint64(*m.CurrentCPUUtilizationPercentage))
+	}
+	return n
+}
+
+func (m *MetricSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Object != nil {
+		l = m.Object.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Pods != nil {
+		l = m.Pods.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Resource != nil {
+		l = m.Resource.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *MetricStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Object != nil {
+		l = m.Object.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Pods != nil {
+		l = m.Pods.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Resource != nil {
+		l = m.Resource.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ObjectMetricSource) Size() (n int) {
+	var l int
+	_ = l
+	l = m.Target.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.MetricName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.TargetValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ObjectMetricStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = m.Target.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.MetricName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.CurrentValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodsMetricSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.MetricName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.TargetAverageValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodsMetricStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.MetricName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.CurrentAverageValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ResourceMetricSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TargetAverageUtilization != nil {
+		n += 1 + sovGenerated(uint64(*m.TargetAverageUtilization))
+	}
+	if m.TargetAverageValue != nil {
+		l = m.TargetAverageValue.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ResourceMetricStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.CurrentAverageUtilization != nil {
+		n += 1 + sovGenerated(uint64(*m.CurrentAverageUtilization))
+	}
+	l = m.CurrentAverageValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Scale) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ScaleSpec) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	return n
+}
+
+func (m *ScaleStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	l = len(m.Selector)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *CrossVersionObjectReference) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CrossVersionObjectReference{`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`APIVersion:` + fmt.Sprintf("%v", this.APIVersion) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HorizontalPodAutoscaler) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HorizontalPodAutoscaler{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "HorizontalPodAutoscalerSpec", "HorizontalPodAutoscalerSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "HorizontalPodAutoscalerStatus", "HorizontalPodAutoscalerStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HorizontalPodAutoscalerCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HorizontalPodAutoscalerCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HorizontalPodAutoscalerList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HorizontalPodAutoscalerList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "HorizontalPodAutoscaler", "HorizontalPodAutoscaler", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HorizontalPodAutoscalerSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HorizontalPodAutoscalerSpec{`,
+		`ScaleTargetRef:` + strings.Replace(strings.Replace(this.ScaleTargetRef.String(), "CrossVersionObjectReference", "CrossVersionObjectReference", 1), `&`, ``, 1) + `,`,
+		`MinReplicas:` + valueToStringGenerated(this.MinReplicas) + `,`,
+		`MaxReplicas:` + fmt.Sprintf("%v", this.MaxReplicas) + `,`,
+		`TargetCPUUtilizationPercentage:` + valueToStringGenerated(this.TargetCPUUtilizationPercentage) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HorizontalPodAutoscalerStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HorizontalPodAutoscalerStatus{`,
+		`ObservedGeneration:` + valueToStringGenerated(this.ObservedGeneration) + `,`,
+		`LastScaleTime:` + strings.Replace(fmt.Sprintf("%v", this.LastScaleTime), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1) + `,`,
+		`CurrentReplicas:` + fmt.Sprintf("%v", this.CurrentReplicas) + `,`,
+		`DesiredReplicas:` + fmt.Sprintf("%v", this.DesiredReplicas) + `,`,
+		`CurrentCPUUtilizationPercentage:` + valueToStringGenerated(this.CurrentCPUUtilizationPercentage) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *MetricSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&MetricSpec{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Object:` + strings.Replace(fmt.Sprintf("%v", this.Object), "ObjectMetricSource", "ObjectMetricSource", 1) + `,`,
+		`Pods:` + strings.Replace(fmt.Sprintf("%v", this.Pods), "PodsMetricSource", "PodsMetricSource", 1) + `,`,
+		`Resource:` + strings.Replace(fmt.Sprintf("%v", this.Resource), "ResourceMetricSource", "ResourceMetricSource", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *MetricStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&MetricStatus{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Object:` + strings.Replace(fmt.Sprintf("%v", this.Object), "ObjectMetricStatus", "ObjectMetricStatus", 1) + `,`,
+		`Pods:` + strings.Replace(fmt.Sprintf("%v", this.Pods), "PodsMetricStatus", "PodsMetricStatus", 1) + `,`,
+		`Resource:` + strings.Replace(fmt.Sprintf("%v", this.Resource), "ResourceMetricStatus", "ResourceMetricStatus", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ObjectMetricSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ObjectMetricSource{`,
+		`Target:` + strings.Replace(strings.Replace(this.Target.String(), "CrossVersionObjectReference", "CrossVersionObjectReference", 1), `&`, ``, 1) + `,`,
+		`MetricName:` + fmt.Sprintf("%v", this.MetricName) + `,`,
+		`TargetValue:` + strings.Replace(strings.Replace(this.TargetValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ObjectMetricStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ObjectMetricStatus{`,
+		`Target:` + strings.Replace(strings.Replace(this.Target.String(), "CrossVersionObjectReference", "CrossVersionObjectReference", 1), `&`, ``, 1) + `,`,
+		`MetricName:` + fmt.Sprintf("%v", this.MetricName) + `,`,
+		`CurrentValue:` + strings.Replace(strings.Replace(this.CurrentValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodsMetricSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodsMetricSource{`,
+		`MetricName:` + fmt.Sprintf("%v", this.MetricName) + `,`,
+		`TargetAverageValue:` + strings.Replace(strings.Replace(this.TargetAverageValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodsMetricStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodsMetricStatus{`,
+		`MetricName:` + fmt.Sprintf("%v", this.MetricName) + `,`,
+		`CurrentAverageValue:` + strings.Replace(strings.Replace(this.CurrentAverageValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceMetricSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceMetricSource{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`TargetAverageUtilization:` + valueToStringGenerated(this.TargetAverageUtilization) + `,`,
+		`TargetAverageValue:` + strings.Replace(fmt.Sprintf("%v", this.TargetAverageValue), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceMetricStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceMetricStatus{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`CurrentAverageUtilization:` + valueToStringGenerated(this.CurrentAverageUtilization) + `,`,
+		`CurrentAverageValue:` + strings.Replace(strings.Replace(this.CurrentAverageValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Scale) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Scale{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ScaleSpec", "ScaleSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "ScaleStatus", "ScaleStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ScaleSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ScaleSpec{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ScaleStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ScaleStatus{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`Selector:` + fmt.Sprintf("%v", this.Selector) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *CrossVersionObjectReference) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CrossVersionObjectReference: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CrossVersionObjectReference: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HorizontalPodAutoscaler) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HorizontalPodAutoscaler: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HorizontalPodAutoscaler: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HorizontalPodAutoscalerCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = HorizontalPodAutoscalerConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HorizontalPodAutoscalerList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, HorizontalPodAutoscaler{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HorizontalPodAutoscalerSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ScaleTargetRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ScaleTargetRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinReplicas", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.MinReplicas = &v
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxReplicas", wireType)
+			}
+			m.MaxReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MaxReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetCPUUtilizationPercentage", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TargetCPUUtilizationPercentage = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HorizontalPodAutoscalerStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ObservedGeneration = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastScaleTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.LastScaleTime == nil {
+				m.LastScaleTime = &k8s_io_apimachinery_pkg_apis_meta_v1.Time{}
+			}
+			if err := m.LastScaleTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentReplicas", wireType)
+			}
+			m.CurrentReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.CurrentReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DesiredReplicas", wireType)
+			}
+			m.DesiredReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.DesiredReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentCPUUtilizationPercentage", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.CurrentCPUUtilizationPercentage = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *MetricSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: MetricSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: MetricSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = MetricSourceType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Object", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Object == nil {
+				m.Object = &ObjectMetricSource{}
+			}
+			if err := m.Object.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Pods", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Pods == nil {
+				m.Pods = &PodsMetricSource{}
+			}
+			if err := m.Pods.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Resource == nil {
+				m.Resource = &ResourceMetricSource{}
+			}
+			if err := m.Resource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *MetricStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: MetricStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: MetricStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = MetricSourceType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Object", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Object == nil {
+				m.Object = &ObjectMetricStatus{}
+			}
+			if err := m.Object.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Pods", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Pods == nil {
+				m.Pods = &PodsMetricStatus{}
+			}
+			if err := m.Pods.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Resource == nil {
+				m.Resource = &ResourceMetricStatus{}
+			}
+			if err := m.Resource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ObjectMetricSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ObjectMetricSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ObjectMetricSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Target", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Target.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MetricName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MetricName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.TargetValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ObjectMetricStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ObjectMetricStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ObjectMetricStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Target", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Target.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MetricName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MetricName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.CurrentValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodsMetricSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodsMetricSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodsMetricSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MetricName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MetricName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetAverageValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.TargetAverageValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodsMetricStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodsMetricStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodsMetricStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MetricName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MetricName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentAverageValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.CurrentAverageValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceMetricSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceMetricSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceMetricSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = k8s_io_api_core_v1.ResourceName(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetAverageUtilization", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TargetAverageUtilization = &v
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetAverageValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.TargetAverageValue == nil {
+				m.TargetAverageValue = &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+			}
+			if err := m.TargetAverageValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceMetricStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceMetricStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceMetricStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = k8s_io_api_core_v1.ResourceName(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentAverageUtilization", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.CurrentAverageUtilization = &v
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentAverageValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.CurrentAverageValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Scale) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Scale: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Scale: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ScaleSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ScaleSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ScaleSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ScaleStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ScaleStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ScaleStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Selector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/autoscaling/v1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 1370 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x57, 0x4d, 0x6f, 0x13, 0xc7,
+	0x1b, 0x8f, 0x5f, 0x12, 0xc2, 0x38, 0x10, 0xfe, 0x03, 0x02, 0x13, 0xfe, 0x78, 0xa3, 0x2d, 0x42,
+	0xf4, 0x85, 0xdd, 0xc6, 0xa5, 0x88, 0x1e, 0x63, 0x57, 0x14, 0xd4, 0x04, 0xc2, 0x60, 0x28, 0x7d,
+	0x51, 0xc5, 0x64, 0x77, 0x70, 0x86, 0x78, 0x5f, 0x34, 0x33, 0xb6, 0x1a, 0xa4, 0x4a, 0xed, 0xa1,
+	0xe7, 0x56, 0x95, 0xfa, 0x31, 0x7a, 0xe6, 0x50, 0xf5, 0xd0, 0x4a, 0x95, 0x38, 0x72, 0xe8, 0x81,
+	0x93, 0x55, 0xb6, 0xc7, 0x7e, 0x03, 0x4e, 0xd5, 0xcc, 0x8e, 0xd7, 0xbb, 0xb6, 0xd7, 0x21, 0x21,
+	0x42, 0xbd, 0xed, 0xce, 0xfc, 0x9e, 0xdf, 0xf3, 0x3a, 0xcf, 0x3c, 0x03, 0x1a, 0xdb, 0x57, 0xb8,
+	0x45, 0x03, 0x7b, 0xbb, 0xbb, 0x49, 0x98, 0x4f, 0x04, 0xe1, 0x76, 0x8f, 0xf8, 0x6e, 0xc0, 0x6c,
+	0xbd, 0x81, 0x43, 0x6a, 0xe3, 0xae, 0x08, 0xb8, 0x83, 0x3b, 0xd4, 0x6f, 0xdb, 0xbd, 0x15, 0xbb,
+	0x4d, 0x7c, 0xc2, 0xb0, 0x20, 0xae, 0x15, 0xb2, 0x40, 0x04, 0xf0, 0x74, 0x0c, 0xb5, 0x70, 0x48,
+	0xad, 0x14, 0xd4, 0xea, 0xad, 0x2c, 0x5d, 0x6c, 0x53, 0xb1, 0xd5, 0xdd, 0xb4, 0x9c, 0xc0, 0xb3,
+	0xdb, 0x41, 0x3b, 0xb0, 0x95, 0xc4, 0x66, 0xf7, 0x81, 0xfa, 0x53, 0x3f, 0xea, 0x2b, 0x66, 0x5a,
+	0x32, 0x53, 0x4a, 0x9d, 0x80, 0x91, 0x09, 0xda, 0x96, 0x2e, 0x0d, 0x31, 0x1e, 0x76, 0xb6, 0xa8,
+	0x4f, 0xd8, 0x8e, 0x1d, 0x6e, 0xb7, 0x95, 0x10, 0x23, 0x3c, 0xe8, 0x32, 0x87, 0xec, 0x49, 0x8a,
+	0xdb, 0x1e, 0x11, 0x78, 0x92, 0x2e, 0x3b, 0x4f, 0x8a, 0x75, 0x7d, 0x41, 0xbd, 0x71, 0x35, 0x97,
+	0x77, 0x13, 0xe0, 0xce, 0x16, 0xf1, 0xf0, 0x98, 0xdc, 0x7b, 0x79, 0x72, 0x5d, 0x41, 0x3b, 0x36,
+	0xf5, 0x05, 0x17, 0x6c, 0x54, 0xc8, 0xfc, 0xa9, 0x00, 0xce, 0x34, 0x59, 0xc0, 0xf9, 0x5d, 0xc2,
+	0x38, 0x0d, 0xfc, 0x9b, 0x9b, 0x0f, 0x89, 0x23, 0x10, 0x79, 0x40, 0x18, 0xf1, 0x1d, 0x02, 0x97,
+	0x41, 0x79, 0x9b, 0xfa, 0x6e, 0xb5, 0xb0, 0x5c, 0xb8, 0x70, 0xb8, 0xb1, 0xf0, 0xa4, 0x6f, 0xcc,
+	0x44, 0x7d, 0xa3, 0xfc, 0x31, 0xf5, 0x5d, 0xa4, 0x76, 0x24, 0xc2, 0xc7, 0x1e, 0xa9, 0x16, 0xb3,
+	0x88, 0x1b, 0xd8, 0x23, 0x48, 0xed, 0xc0, 0x3a, 0x00, 0x38, 0xa4, 0x5a, 0x41, 0xb5, 0xa4, 0x70,
+	0x50, 0xe3, 0xc0, 0xea, 0xc6, 0x75, 0xbd, 0x83, 0x52, 0x28, 0xf3, 0x71, 0x11, 0x9c, 0xba, 0x16,
+	0x30, 0xfa, 0x28, 0xf0, 0x05, 0xee, 0x6c, 0x04, 0xee, 0xaa, 0x2e, 0x0a, 0xc2, 0xe0, 0x7d, 0x30,
+	0x2f, 0x83, 0xed, 0x62, 0x81, 0x95, 0x5d, 0x95, 0xfa, 0xbb, 0xd6, 0xb0, 0x7c, 0x12, 0xdf, 0xad,
+	0x70, 0xbb, 0x2d, 0x17, 0xb8, 0x25, 0xd1, 0x56, 0x6f, 0xc5, 0x8a, 0x9d, 0x5b, 0x27, 0x02, 0x0f,
+	0xf5, 0x0f, 0xd7, 0x50, 0xc2, 0x0a, 0xef, 0x81, 0x32, 0x0f, 0x89, 0xa3, 0x7c, 0xaa, 0xd4, 0x2f,
+	0x5b, 0xb9, 0xc5, 0x69, 0xe5, 0xd8, 0x78, 0x3b, 0x24, 0xce, 0x30, 0x16, 0xf2, 0x0f, 0x29, 0x46,
+	0x78, 0x1f, 0xcc, 0x71, 0x81, 0x45, 0x97, 0xab, 0x38, 0x54, 0xea, 0x57, 0xf6, 0xc1, 0xad, 0xe4,
+	0x1b, 0x47, 0x35, 0xfb, 0x5c, 0xfc, 0x8f, 0x34, 0xaf, 0xf9, 0x5d, 0x09, 0x2c, 0xe7, 0x48, 0x36,
+	0x03, 0xdf, 0xa5, 0x82, 0x06, 0x3e, 0xbc, 0x06, 0xca, 0x62, 0x27, 0x24, 0x3a, 0xad, 0x97, 0x06,
+	0x86, 0xb6, 0x76, 0x42, 0xf2, 0xa2, 0x6f, 0x9c, 0xdb, 0x4d, 0x5e, 0xe2, 0x90, 0x62, 0x80, 0x6b,
+	0x89, 0x43, 0xc5, 0x0c, 0x97, 0x36, 0xeb, 0x45, 0xdf, 0x98, 0x70, 0x20, 0xad, 0x84, 0x29, 0x6b,
+	0x3c, 0xec, 0x01, 0xd8, 0xc1, 0x5c, 0xb4, 0x18, 0xf6, 0x79, 0xac, 0x89, 0x7a, 0x44, 0x87, 0xea,
+	0xad, 0x97, 0x4b, 0xb2, 0x94, 0x68, 0x2c, 0x69, 0x2b, 0xe0, 0xda, 0x18, 0x1b, 0x9a, 0xa0, 0x01,
+	0x9e, 0x07, 0x73, 0x8c, 0x60, 0x1e, 0xf8, 0xd5, 0xb2, 0xf2, 0x22, 0x09, 0x2e, 0x52, 0xab, 0x48,
+	0xef, 0xc2, 0x37, 0xc1, 0x21, 0x8f, 0x70, 0x8e, 0xdb, 0xa4, 0x3a, 0xab, 0x80, 0x8b, 0x1a, 0x78,
+	0x68, 0x3d, 0x5e, 0x46, 0x83, 0x7d, 0xf3, 0xcf, 0x02, 0x38, 0x93, 0x13, 0xc7, 0x35, 0xca, 0x05,
+	0xfc, 0x62, 0xac, 0x8a, 0xad, 0x97, 0x73, 0x50, 0x4a, 0xab, 0x1a, 0x3e, 0xa6, 0x75, 0xcf, 0x0f,
+	0x56, 0x52, 0x15, 0xfc, 0x09, 0x98, 0xa5, 0x82, 0x78, 0x32, 0x2b, 0xa5, 0x0b, 0x95, 0x7a, 0x7d,
+	0xef, 0x65, 0xd6, 0x38, 0xa2, 0xe9, 0x67, 0xaf, 0x4b, 0x22, 0x14, 0xf3, 0x99, 0xff, 0x14, 0x73,
+	0xdd, 0x92, 0x65, 0x0e, 0x7b, 0xe0, 0xa8, 0xfa, 0x6b, 0x61, 0xd6, 0x26, 0xb2, 0x91, 0x68, 0xe7,
+	0xa6, 0x1d, 0xa2, 0x29, 0x0d, 0xa8, 0x71, 0x52, 0x5b, 0x71, 0xf4, 0x76, 0x86, 0x15, 0x8d, 0x68,
+	0x81, 0x2b, 0xa0, 0xe2, 0x51, 0x1f, 0x91, 0xb0, 0x43, 0x1d, 0x1c, 0x17, 0xe3, 0x6c, 0x63, 0x31,
+	0xea, 0x1b, 0x95, 0xf5, 0xe1, 0x32, 0x4a, 0x63, 0xe0, 0xfb, 0xa0, 0xe2, 0xe1, 0xaf, 0x12, 0x91,
+	0x92, 0x12, 0x39, 0xae, 0xf5, 0x55, 0xd6, 0x87, 0x5b, 0x28, 0x8d, 0x83, 0x0f, 0x41, 0x4d, 0x28,
+	0xb5, 0xcd, 0x8d, 0x3b, 0x77, 0x04, 0xed, 0xd0, 0x47, 0x58, 0xd6, 0xd1, 0x06, 0x61, 0x0e, 0xf1,
+	0x85, 0x2c, 0x8d, 0xb2, 0x62, 0x32, 0xa3, 0xbe, 0x51, 0x6b, 0x4d, 0x45, 0xa2, 0x5d, 0x98, 0xcc,
+	0xdf, 0x4a, 0xe0, 0xec, 0xd4, 0x36, 0x00, 0xaf, 0x02, 0x18, 0x6c, 0x72, 0xc2, 0x7a, 0xc4, 0xfd,
+	0x28, 0xee, 0xed, 0xb2, 0xc9, 0xca, 0x98, 0x97, 0x1a, 0x27, 0xe5, 0x09, 0xb8, 0x39, 0xb6, 0x8b,
+	0x26, 0x48, 0x40, 0x07, 0x1c, 0x91, 0xe7, 0x22, 0x8e, 0x32, 0xd5, 0xfd, 0x7c, 0x6f, 0x87, 0xee,
+	0x7f, 0x51, 0xdf, 0x38, 0xb2, 0x96, 0x26, 0x41, 0x59, 0x4e, 0xb8, 0x0a, 0x16, 0x9d, 0x2e, 0x63,
+	0xc4, 0x17, 0x23, 0x51, 0x3f, 0xa5, 0xa3, 0xbe, 0xd8, 0xcc, 0x6e, 0xa3, 0x51, 0xbc, 0xa4, 0x70,
+	0x09, 0xa7, 0x8c, 0xb8, 0x09, 0x45, 0x39, 0x4b, 0xf1, 0x61, 0x76, 0x1b, 0x8d, 0xe2, 0xa1, 0x07,
+	0x0c, 0xcd, 0x9a, 0x9b, 0xc1, 0x59, 0x45, 0xf9, 0x46, 0xd4, 0x37, 0x8c, 0xe6, 0x74, 0x28, 0xda,
+	0x8d, 0xcb, 0xfc, 0xa5, 0x08, 0xc0, 0x3a, 0x11, 0x8c, 0x3a, 0xea, 0x80, 0x5c, 0xca, 0xb4, 0xde,
+	0xe5, 0x91, 0xd6, 0x7b, 0x4c, 0x23, 0xd5, 0x04, 0x92, 0x6a, 0xb3, 0xb7, 0xc0, 0x5c, 0xa0, 0x4e,
+	0x86, 0xce, 0xcb, 0xc5, 0x29, 0xc7, 0x29, 0xb9, 0xd2, 0x12, 0xa2, 0x06, 0x90, 0xbd, 0x4c, 0x1f,
+	0x2d, 0x4d, 0x04, 0xaf, 0x83, 0x72, 0x18, 0xb8, 0x83, 0x8b, 0xe8, 0xed, 0x29, 0x84, 0x1b, 0x81,
+	0xcb, 0x33, 0x74, 0xf3, 0xd2, 0x62, 0xb9, 0x8a, 0x14, 0x05, 0xfc, 0x14, 0xcc, 0x0f, 0xa6, 0x26,
+	0x95, 0x8d, 0x4a, 0xdd, 0x9e, 0x42, 0x87, 0x34, 0x34, 0x43, 0xb9, 0x20, 0x1b, 0xd9, 0x60, 0x07,
+	0x25, 0x74, 0xe6, 0xaf, 0x45, 0xb0, 0xa0, 0x81, 0x71, 0xc1, 0xbf, 0xe6, 0xf8, 0xc5, 0x97, 0xed,
+	0x81, 0xc5, 0x2f, 0xa6, 0x3b, 0xd0, 0xf8, 0xc5, 0x94, 0x79, 0xf1, 0xfb, 0xbe, 0x08, 0xe0, 0x78,
+	0x41, 0xc0, 0x2f, 0xc1, 0x5c, 0xdc, 0x7a, 0x5e, 0xb1, 0x3d, 0x27, 0x17, 0xa5, 0xee, 0xc4, 0x9a,
+	0x55, 0xce, 0x7c, 0x9e, 0xd2, 0x77, 0x63, 0x38, 0x1b, 0x26, 0x33, 0xd7, 0x7a, 0xb2, 0x83, 0x52,
+	0x28, 0x48, 0x40, 0x25, 0x96, 0xbe, 0x8b, 0x3b, 0xdd, 0xc1, 0xad, 0x3f, 0xf5, 0x52, 0xb4, 0x06,
+	0x6e, 0x5a, 0xb7, 0xba, 0xd8, 0x17, 0x54, 0xec, 0x0c, 0xfb, 0x77, 0x6b, 0x48, 0x85, 0xd2, 0xbc,
+	0xe6, 0x8f, 0xa3, 0x11, 0x89, 0xeb, 0xea, 0xbf, 0x18, 0x91, 0x2d, 0xb0, 0xa0, 0xbb, 0xcb, 0xab,
+	0x84, 0xe4, 0x84, 0xd6, 0xb2, 0xd0, 0x4c, 0x71, 0xa1, 0x0c, 0xb3, 0xf9, 0x7b, 0x01, 0x1c, 0x1b,
+	0x3d, 0xe6, 0x23, 0x26, 0x17, 0x5e, 0xca, 0xe4, 0x47, 0x00, 0xc6, 0x0e, 0xaf, 0xf6, 0x08, 0xc3,
+	0x6d, 0x12, 0x1b, 0x5e, 0xdc, 0x97, 0xe1, 0xc9, 0x14, 0xd7, 0x1a, 0x63, 0x44, 0x13, 0xb4, 0x98,
+	0x7f, 0x64, 0x9d, 0x88, 0xf3, 0xba, 0x1f, 0x27, 0xbe, 0x06, 0xc7, 0x75, 0x74, 0x0e, 0xc0, 0x8b,
+	0x33, 0x5a, 0xd9, 0xf1, 0xe6, 0x38, 0x25, 0x9a, 0xa4, 0xc7, 0xfc, 0xb9, 0x08, 0x4e, 0x4c, 0x6a,
+	0x92, 0xb0, 0xa9, 0xdf, 0x5a, 0xb1, 0x17, 0x76, 0xfa, 0xad, 0xf5, 0xa2, 0x6f, 0x18, 0x13, 0x06,
+	0xed, 0x01, 0x4d, 0xea, 0x39, 0x76, 0x0f, 0x54, 0x33, 0xb1, 0x4b, 0xdd, 0x5a, 0x7a, 0x6c, 0xfa,
+	0x7f, 0xd4, 0x37, 0xaa, 0xad, 0x1c, 0x0c, 0xca, 0x95, 0x96, 0xd3, 0xfb, 0x84, 0xdc, 0xef, 0xaf,
+	0x68, 0x4f, 0xee, 0x21, 0xef, 0x8f, 0xc7, 0xe3, 0x15, 0xe7, 0xfe, 0x40, 0xe2, 0xf5, 0x39, 0x38,
+	0x9d, 0x4d, 0xd2, 0x78, 0xc0, 0xce, 0x46, 0x7d, 0xe3, 0x74, 0x33, 0x0f, 0x84, 0xf2, 0xe5, 0xf3,
+	0x2a, 0xad, 0xf4, 0x9a, 0x2a, 0xed, 0xdb, 0x22, 0x98, 0x55, 0xe3, 0xd9, 0x6b, 0x78, 0x54, 0x5f,
+	0xcd, 0x3c, 0xaa, 0xcf, 0x4d, 0x69, 0xaf, 0xca, 0xa2, 0xdc, 0x27, 0xf4, 0x8d, 0x91, 0x27, 0xf4,
+	0xf9, 0x5d, 0x99, 0xa6, 0x3f, 0x98, 0x3f, 0x00, 0x87, 0x13, 0x85, 0xf0, 0x1d, 0x79, 0x13, 0xeb,
+	0xb9, 0xb2, 0xa0, 0x72, 0x9b, 0xbc, 0xb2, 0x92, 0x81, 0x32, 0x41, 0x98, 0x14, 0x54, 0x52, 0x1a,
+	0xf6, 0x26, 0x2c, 0xd1, 0x9c, 0x74, 0x88, 0x23, 0x02, 0xa6, 0xaf, 0x83, 0x04, 0x7d, 0x5b, 0xaf,
+	0xa3, 0x04, 0xd1, 0xb8, 0xf0, 0xe4, 0x79, 0x6d, 0xe6, 0xe9, 0xf3, 0xda, 0xcc, 0xb3, 0xe7, 0xb5,
+	0x99, 0x6f, 0xa2, 0x5a, 0xe1, 0x49, 0x54, 0x2b, 0x3c, 0x8d, 0x6a, 0x85, 0x67, 0x51, 0xad, 0xf0,
+	0x57, 0x54, 0x2b, 0xfc, 0xf0, 0x77, 0x6d, 0xe6, 0xb3, 0x62, 0x6f, 0xe5, 0xdf, 0x00, 0x00, 0x00,
+	0xff, 0xff, 0x45, 0xeb, 0xd1, 0x70, 0x8f, 0x13, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/autoscaling/v1/generated.proto b/cli/vendor/k8s.io/api/autoscaling/v1/generated.proto
new file mode 100644
index 00000000..aa752a80
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v1/generated.proto
@@ -0,0 +1,321 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.autoscaling.v1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1";
+
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
+message CrossVersionObjectReference {
+  // Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds"
+  optional string kind = 1;
+
+  // Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
+  optional string name = 2;
+
+  // API version of the referent
+  // +optional
+  optional string apiVersion = 3;
+}
+
+// configuration of a horizontal pod autoscaler.
+message HorizontalPodAutoscaler {
+  // Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+  // +optional
+  optional HorizontalPodAutoscalerSpec spec = 2;
+
+  // current information about the autoscaler.
+  // +optional
+  optional HorizontalPodAutoscalerStatus status = 3;
+}
+
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
+message HorizontalPodAutoscalerCondition {
+  // type describes the current condition
+  optional string type = 1;
+
+  // status is the status of the condition (True, False, Unknown)
+  optional string status = 2;
+
+  // lastTransitionTime is the last time the condition transitioned from
+  // one status to another
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
+
+  // reason is the reason for the condition's last transition.
+  // +optional
+  optional string reason = 4;
+
+  // message is a human-readable explanation containing details about
+  // the transition
+  // +optional
+  optional string message = 5;
+}
+
+// list of horizontal pod autoscaler objects.
+message HorizontalPodAutoscalerList {
+  // Standard list metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // list of horizontal pod autoscaler objects.
+  repeated HorizontalPodAutoscaler items = 2;
+}
+
+// specification of a horizontal pod autoscaler.
+message HorizontalPodAutoscalerSpec {
+  // reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption
+  // and will set the desired number of pods by using its Scale subresource.
+  optional CrossVersionObjectReference scaleTargetRef = 1;
+
+  // lower limit for the number of pods that can be set by the autoscaler, default 1.
+  // +optional
+  optional int32 minReplicas = 2;
+
+  // upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
+  optional int32 maxReplicas = 3;
+
+  // target average CPU utilization (represented as a percentage of requested CPU) over all the pods;
+  // if not specified the default autoscaling policy will be used.
+  // +optional
+  optional int32 targetCPUUtilizationPercentage = 4;
+}
+
+// current status of a horizontal pod autoscaler
+message HorizontalPodAutoscalerStatus {
+  // most recent generation observed by this autoscaler.
+  // +optional
+  optional int64 observedGeneration = 1;
+
+  // last time the HorizontalPodAutoscaler scaled the number of pods;
+  // used by the autoscaler to control how often the number of pods is changed.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastScaleTime = 2;
+
+  // current number of replicas of pods managed by this autoscaler.
+  optional int32 currentReplicas = 3;
+
+  // desired number of replicas of pods managed by this autoscaler.
+  optional int32 desiredReplicas = 4;
+
+  // current average CPU utilization over all pods, represented as a percentage of requested CPU,
+  // e.g. 70 means that an average pod is using now 70% of its requested CPU.
+  // +optional
+  optional int32 currentCPUUtilizationPercentage = 5;
+}
+
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
+message MetricSpec {
+  // type is the type of metric source.  It should match one of the fields below.
+  optional string type = 1;
+
+  // object refers to a metric describing a single kubernetes object
+  // (for example, hits-per-second on an Ingress object).
+  // +optional
+  optional ObjectMetricSource object = 2;
+
+  // pods refers to a metric describing each pod in the current scale target
+  // (for example, transactions-processed-per-second).  The values will be
+  // averaged together before being compared to the target value.
+  // +optional
+  optional PodsMetricSource pods = 3;
+
+  // resource refers to a resource metric (such as those specified in
+  // requests and limits) known to Kubernetes describing each pod in the
+  // current scale target (e.g. CPU or memory). Such metrics are built in to
+  // Kubernetes, and have special scaling options on top of those available
+  // to normal per-pod metrics using the "pods" source.
+  // +optional
+  optional ResourceMetricSource resource = 4;
+}
+
+// MetricStatus describes the last-read state of a single metric.
+message MetricStatus {
+  // type is the type of metric source.  It will match one of the fields below.
+  optional string type = 1;
+
+  // object refers to a metric describing a single kubernetes object
+  // (for example, hits-per-second on an Ingress object).
+  // +optional
+  optional ObjectMetricStatus object = 2;
+
+  // pods refers to a metric describing each pod in the current scale target
+  // (for example, transactions-processed-per-second).  The values will be
+  // averaged together before being compared to the target value.
+  // +optional
+  optional PodsMetricStatus pods = 3;
+
+  // resource refers to a resource metric (such as those specified in
+  // requests and limits) known to Kubernetes describing each pod in the
+  // current scale target (e.g. CPU or memory). Such metrics are built in to
+  // Kubernetes, and have special scaling options on top of those available
+  // to normal per-pod metrics using the "pods" source.
+  // +optional
+  optional ResourceMetricStatus resource = 4;
+}
+
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+message ObjectMetricSource {
+  // target is the described Kubernetes object.
+  optional CrossVersionObjectReference target = 1;
+
+  // metricName is the name of the metric in question.
+  optional string metricName = 2;
+
+  // targetValue is the target value of the metric (as a quantity).
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetValue = 3;
+}
+
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+message ObjectMetricStatus {
+  // target is the described Kubernetes object.
+  optional CrossVersionObjectReference target = 1;
+
+  // metricName is the name of the metric in question.
+  optional string metricName = 2;
+
+  // currentValue is the current value of the metric (as a quantity).
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentValue = 3;
+}
+
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
+message PodsMetricSource {
+  // metricName is the name of the metric in question
+  optional string metricName = 1;
+
+  // targetAverageValue is the target value of the average of the
+  // metric across all relevant pods (as a quantity)
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 2;
+}
+
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+message PodsMetricStatus {
+  // metricName is the name of the metric in question
+  optional string metricName = 1;
+
+  // currentAverageValue is the current value of the average of the
+  // metric across all relevant pods (as a quantity)
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 2;
+}
+
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+message ResourceMetricSource {
+  // name is the name of the resource in question.
+  optional string name = 1;
+
+  // targetAverageUtilization is the target value of the average of the
+  // resource metric across all relevant pods, represented as a percentage of
+  // the requested value of the resource for the pods.
+  // +optional
+  optional int32 targetAverageUtilization = 2;
+
+  // targetAverageValue is the target value of the average of the
+  // resource metric across all relevant pods, as a raw value (instead of as
+  // a percentage of the request), similar to the "pods" metric source type.
+  // +optional
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 3;
+}
+
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+message ResourceMetricStatus {
+  // name is the name of the resource in question.
+  optional string name = 1;
+
+  // currentAverageUtilization is the current value of the average of the
+  // resource metric across all relevant pods, represented as a percentage of
+  // the requested value of the resource for the pods.  It will only be
+  // present if `targetAverageValue` was set in the corresponding metric
+  // specification.
+  // +optional
+  optional int32 currentAverageUtilization = 2;
+
+  // currentAverageValue is the current value of the average of the
+  // resource metric across all relevant pods, as a raw value (instead of as
+  // a percentage of the request), similar to the "pods" metric source type.
+  // It will always be set, regardless of the corresponding metric specification.
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 3;
+}
+
+// Scale represents a scaling request for a resource.
+message Scale {
+  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+  // +optional
+  optional ScaleSpec spec = 2;
+
+  // current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.
+  // +optional
+  optional ScaleStatus status = 3;
+}
+
+// ScaleSpec describes the attributes of a scale subresource.
+message ScaleSpec {
+  // desired number of instances for the scaled object.
+  // +optional
+  optional int32 replicas = 1;
+}
+
+// ScaleStatus represents the current status of a scale subresource.
+message ScaleStatus {
+  // actual number of observed instances of the scaled object.
+  optional int32 replicas = 1;
+
+  // label query over pods that should match the replicas count. This is same
+  // as the label selector but in the string format to avoid introspection
+  // by clients. The string will be in the same format as the query-param syntax.
+  // More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors
+  // +optional
+  optional string selector = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/autoscaling/v1/register.go b/cli/vendor/k8s.io/api/autoscaling/v1/register.go
new file mode 100644
index 00000000..521c0e4a
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v1/register.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "autoscaling"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&HorizontalPodAutoscaler{},
+		&HorizontalPodAutoscalerList{},
+		&Scale{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/autoscaling/v1/types.go b/cli/vendor/k8s.io/api/autoscaling/v1/types.go
new file mode 100644
index 00000000..a18c3730
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v1/types.go
@@ -0,0 +1,337 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
+type CrossVersionObjectReference struct {
+	// Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds"
+	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
+	// Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
+	Name string `json:"name" protobuf:"bytes,2,opt,name=name"`
+	// API version of the referent
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,3,opt,name=apiVersion"`
+}
+
+// specification of a horizontal pod autoscaler.
+type HorizontalPodAutoscalerSpec struct {
+	// reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption
+	// and will set the desired number of pods by using its Scale subresource.
+	ScaleTargetRef CrossVersionObjectReference `json:"scaleTargetRef" protobuf:"bytes,1,opt,name=scaleTargetRef"`
+	// lower limit for the number of pods that can be set by the autoscaler, default 1.
+	// +optional
+	MinReplicas *int32 `json:"minReplicas,omitempty" protobuf:"varint,2,opt,name=minReplicas"`
+	// upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
+	MaxReplicas int32 `json:"maxReplicas" protobuf:"varint,3,opt,name=maxReplicas"`
+	// target average CPU utilization (represented as a percentage of requested CPU) over all the pods;
+	// if not specified the default autoscaling policy will be used.
+	// +optional
+	TargetCPUUtilizationPercentage *int32 `json:"targetCPUUtilizationPercentage,omitempty" protobuf:"varint,4,opt,name=targetCPUUtilizationPercentage"`
+}
+
+// current status of a horizontal pod autoscaler
+type HorizontalPodAutoscalerStatus struct {
+	// most recent generation observed by this autoscaler.
+	// +optional
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
+
+	// last time the HorizontalPodAutoscaler scaled the number of pods;
+	// used by the autoscaler to control how often the number of pods is changed.
+	// +optional
+	LastScaleTime *metav1.Time `json:"lastScaleTime,omitempty" protobuf:"bytes,2,opt,name=lastScaleTime"`
+
+	// current number of replicas of pods managed by this autoscaler.
+	CurrentReplicas int32 `json:"currentReplicas" protobuf:"varint,3,opt,name=currentReplicas"`
+
+	// desired number of replicas of pods managed by this autoscaler.
+	DesiredReplicas int32 `json:"desiredReplicas" protobuf:"varint,4,opt,name=desiredReplicas"`
+
+	// current average CPU utilization over all pods, represented as a percentage of requested CPU,
+	// e.g. 70 means that an average pod is using now 70% of its requested CPU.
+	// +optional
+	CurrentCPUUtilizationPercentage *int32 `json:"currentCPUUtilizationPercentage,omitempty" protobuf:"varint,5,opt,name=currentCPUUtilizationPercentage"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// configuration of a horizontal pod autoscaler.
+type HorizontalPodAutoscaler struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+	// +optional
+	Spec HorizontalPodAutoscalerSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// current information about the autoscaler.
+	// +optional
+	Status HorizontalPodAutoscalerStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// list of horizontal pod autoscaler objects.
+type HorizontalPodAutoscalerList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// list of horizontal pod autoscaler objects.
+	Items []HorizontalPodAutoscaler `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Scale represents a scaling request for a resource.
+type Scale struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+	// +optional
+	Spec ScaleSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.
+	// +optional
+	Status ScaleStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// ScaleSpec describes the attributes of a scale subresource.
+type ScaleSpec struct {
+	// desired number of instances for the scaled object.
+	// +optional
+	Replicas int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+}
+
+// ScaleStatus represents the current status of a scale subresource.
+type ScaleStatus struct {
+	// actual number of observed instances of the scaled object.
+	Replicas int32 `json:"replicas" protobuf:"varint,1,opt,name=replicas"`
+
+	// label query over pods that should match the replicas count. This is same
+	// as the label selector but in the string format to avoid introspection
+	// by clients. The string will be in the same format as the query-param syntax.
+	// More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors
+	// +optional
+	Selector string `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"`
+}
+
+// the types below are used in the alpha metrics annotation
+
+// MetricSourceType indicates the type of metric.
+type MetricSourceType string
+
+var (
+	// ObjectMetricSourceType is a metric describing a kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	ObjectMetricSourceType MetricSourceType = "Object"
+	// PodsMetricSourceType is a metric describing each pod in the current scale
+	// target (for example, transactions-processed-per-second).  The values
+	// will be averaged together before being compared to the target value.
+	PodsMetricSourceType MetricSourceType = "Pods"
+	// ResourceMetricSourceType is a resource metric known to Kubernetes, as
+	// specified in requests and limits, describing each pod in the current
+	// scale target (e.g. CPU or memory).  Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics (the "pods" source).
+	ResourceMetricSourceType MetricSourceType = "Resource"
+)
+
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
+type MetricSpec struct {
+	// type is the type of metric source.  It should match one of the fields below.
+	Type MetricSourceType `json:"type" protobuf:"bytes,1,name=type"`
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	Object *ObjectMetricSource `json:"object,omitempty" protobuf:"bytes,2,opt,name=object"`
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	Pods *PodsMetricSource `json:"pods,omitempty" protobuf:"bytes,3,opt,name=pods"`
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	Resource *ResourceMetricSource `json:"resource,omitempty" protobuf:"bytes,4,opt,name=resource"`
+}
+
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+type ObjectMetricSource struct {
+	// target is the described Kubernetes object.
+	Target CrossVersionObjectReference `json:"target" protobuf:"bytes,1,name=target"`
+
+	// metricName is the name of the metric in question.
+	MetricName string `json:"metricName" protobuf:"bytes,2,name=metricName"`
+	// targetValue is the target value of the metric (as a quantity).
+	TargetValue resource.Quantity `json:"targetValue" protobuf:"bytes,3,name=targetValue"`
+}
+
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
+type PodsMetricSource struct {
+	// metricName is the name of the metric in question
+	MetricName string `json:"metricName" protobuf:"bytes,1,name=metricName"`
+	// targetAverageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	TargetAverageValue resource.Quantity `json:"targetAverageValue" protobuf:"bytes,2,name=targetAverageValue"`
+}
+
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+type ResourceMetricSource struct {
+	// name is the name of the resource in question.
+	Name v1.ResourceName `json:"name" protobuf:"bytes,1,name=name"`
+	// targetAverageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// +optional
+	TargetAverageUtilization *int32 `json:"targetAverageUtilization,omitempty" protobuf:"varint,2,opt,name=targetAverageUtilization"`
+	// targetAverageValue is the target value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// +optional
+	TargetAverageValue *resource.Quantity `json:"targetAverageValue,omitempty" protobuf:"bytes,3,opt,name=targetAverageValue"`
+}
+
+// MetricStatus describes the last-read state of a single metric.
+type MetricStatus struct {
+	// type is the type of metric source.  It will match one of the fields below.
+	Type MetricSourceType `json:"type" protobuf:"bytes,1,name=type"`
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	Object *ObjectMetricStatus `json:"object,omitempty" protobuf:"bytes,2,opt,name=object"`
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	Pods *PodsMetricStatus `json:"pods,omitempty" protobuf:"bytes,3,opt,name=pods"`
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	Resource *ResourceMetricStatus `json:"resource,omitempty" protobuf:"bytes,4,opt,name=resource"`
+}
+
+// HorizontalPodAutoscalerConditionType are the valid conditions of
+// a HorizontalPodAutoscaler.
+type HorizontalPodAutoscalerConditionType string
+
+var (
+	// ScalingActive indicates that the HPA controller is able to scale if necessary:
+	// it's correctly configured, can fetch the desired metrics, and isn't disabled.
+	ScalingActive HorizontalPodAutoscalerConditionType = "ScalingActive"
+	// AbleToScale indicates a lack of transient issues which prevent scaling from occuring,
+	// such as being in a backoff window, or being unable to access/update the target scale.
+	AbleToScale HorizontalPodAutoscalerConditionType = "AbleToScale"
+	// ScalingLimited indicates that the calculated scale based on metrics would be above or
+	// below the range for the HPA, and has thus been capped.
+	ScalingLimited HorizontalPodAutoscalerConditionType = "ScalingLimited"
+)
+
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
+type HorizontalPodAutoscalerCondition struct {
+	// type describes the current condition
+	Type HorizontalPodAutoscalerConditionType `json:"type" protobuf:"bytes,1,name=type"`
+	// status is the status of the condition (True, False, Unknown)
+	Status v1.ConditionStatus `json:"status" protobuf:"bytes,2,name=status"`
+	// lastTransitionTime is the last time the condition transitioned from
+	// one status to another
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,3,opt,name=lastTransitionTime"`
+	// reason is the reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
+	// message is a human-readable explanation containing details about
+	// the transition
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+}
+
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+type ObjectMetricStatus struct {
+	// target is the described Kubernetes object.
+	Target CrossVersionObjectReference `json:"target" protobuf:"bytes,1,name=target"`
+
+	// metricName is the name of the metric in question.
+	MetricName string `json:"metricName" protobuf:"bytes,2,name=metricName"`
+	// currentValue is the current value of the metric (as a quantity).
+	CurrentValue resource.Quantity `json:"currentValue" protobuf:"bytes,3,name=currentValue"`
+}
+
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+type PodsMetricStatus struct {
+	// metricName is the name of the metric in question
+	MetricName string `json:"metricName" protobuf:"bytes,1,name=metricName"`
+	// currentAverageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	CurrentAverageValue resource.Quantity `json:"currentAverageValue" protobuf:"bytes,2,name=currentAverageValue"`
+}
+
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+type ResourceMetricStatus struct {
+	// name is the name of the resource in question.
+	Name v1.ResourceName `json:"name" protobuf:"bytes,1,name=name"`
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.  It will only be
+	// present if `targetAverageValue` was set in the corresponding metric
+	// specification.
+	// +optional
+	CurrentAverageUtilization *int32 `json:"currentAverageUtilization,omitempty" protobuf:"bytes,2,opt,name=currentAverageUtilization"`
+	// currentAverageValue is the current value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// It will always be set, regardless of the corresponding metric specification.
+	CurrentAverageValue resource.Quantity `json:"currentAverageValue" protobuf:"bytes,3,name=currentAverageValue"`
+}
diff --git a/cli/vendor/k8s.io/api/autoscaling/v1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/autoscaling/v1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..7f84c2d9
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v1/types_swagger_doc_generated.go
@@ -0,0 +1,218 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_CrossVersionObjectReference = map[string]string{
+	"":           "CrossVersionObjectReference contains enough information to let you identify the referred resource.",
+	"kind":       "Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds\"",
+	"name":       "Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names",
+	"apiVersion": "API version of the referent",
+}
+
+func (CrossVersionObjectReference) SwaggerDoc() map[string]string {
+	return map_CrossVersionObjectReference
+}
+
+var map_HorizontalPodAutoscaler = map[string]string{
+	"":         "configuration of a horizontal pod autoscaler.",
+	"metadata": "Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.",
+	"status":   "current information about the autoscaler.",
+}
+
+func (HorizontalPodAutoscaler) SwaggerDoc() map[string]string {
+	return map_HorizontalPodAutoscaler
+}
+
+var map_HorizontalPodAutoscalerCondition = map[string]string{
+	"":                   "HorizontalPodAutoscalerCondition describes the state of a HorizontalPodAutoscaler at a certain point.",
+	"type":               "type describes the current condition",
+	"status":             "status is the status of the condition (True, False, Unknown)",
+	"lastTransitionTime": "lastTransitionTime is the last time the condition transitioned from one status to another",
+	"reason":             "reason is the reason for the condition's last transition.",
+	"message":            "message is a human-readable explanation containing details about the transition",
+}
+
+func (HorizontalPodAutoscalerCondition) SwaggerDoc() map[string]string {
+	return map_HorizontalPodAutoscalerCondition
+}
+
+var map_HorizontalPodAutoscalerList = map[string]string{
+	"":         "list of horizontal pod autoscaler objects.",
+	"metadata": "Standard list metadata.",
+	"items":    "list of horizontal pod autoscaler objects.",
+}
+
+func (HorizontalPodAutoscalerList) SwaggerDoc() map[string]string {
+	return map_HorizontalPodAutoscalerList
+}
+
+var map_HorizontalPodAutoscalerSpec = map[string]string{
+	"":                               "specification of a horizontal pod autoscaler.",
+	"scaleTargetRef":                 "reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption and will set the desired number of pods by using its Scale subresource.",
+	"minReplicas":                    "lower limit for the number of pods that can be set by the autoscaler, default 1.",
+	"maxReplicas":                    "upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.",
+	"targetCPUUtilizationPercentage": "target average CPU utilization (represented as a percentage of requested CPU) over all the pods; if not specified the default autoscaling policy will be used.",
+}
+
+func (HorizontalPodAutoscalerSpec) SwaggerDoc() map[string]string {
+	return map_HorizontalPodAutoscalerSpec
+}
+
+var map_HorizontalPodAutoscalerStatus = map[string]string{
+	"":                                "current status of a horizontal pod autoscaler",
+	"observedGeneration":              "most recent generation observed by this autoscaler.",
+	"lastScaleTime":                   "last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed.",
+	"currentReplicas":                 "current number of replicas of pods managed by this autoscaler.",
+	"desiredReplicas":                 "desired number of replicas of pods managed by this autoscaler.",
+	"currentCPUUtilizationPercentage": "current average CPU utilization over all pods, represented as a percentage of requested CPU, e.g. 70 means that an average pod is using now 70% of its requested CPU.",
+}
+
+func (HorizontalPodAutoscalerStatus) SwaggerDoc() map[string]string {
+	return map_HorizontalPodAutoscalerStatus
+}
+
+var map_MetricSpec = map[string]string{
+	"":         "MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once).",
+	"type":     "type is the type of metric source.  It should match one of the fields below.",
+	"object":   "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
+	"pods":     "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
+	"resource": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
+}
+
+func (MetricSpec) SwaggerDoc() map[string]string {
+	return map_MetricSpec
+}
+
+var map_MetricStatus = map[string]string{
+	"":         "MetricStatus describes the last-read state of a single metric.",
+	"type":     "type is the type of metric source.  It will match one of the fields below.",
+	"object":   "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
+	"pods":     "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
+	"resource": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
+}
+
+func (MetricStatus) SwaggerDoc() map[string]string {
+	return map_MetricStatus
+}
+
+var map_ObjectMetricSource = map[string]string{
+	"":            "ObjectMetricSource indicates how to scale on a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).",
+	"target":      "target is the described Kubernetes object.",
+	"metricName":  "metricName is the name of the metric in question.",
+	"targetValue": "targetValue is the target value of the metric (as a quantity).",
+}
+
+func (ObjectMetricSource) SwaggerDoc() map[string]string {
+	return map_ObjectMetricSource
+}
+
+var map_ObjectMetricStatus = map[string]string{
+	"":             "ObjectMetricStatus indicates the current value of a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).",
+	"target":       "target is the described Kubernetes object.",
+	"metricName":   "metricName is the name of the metric in question.",
+	"currentValue": "currentValue is the current value of the metric (as a quantity).",
+}
+
+func (ObjectMetricStatus) SwaggerDoc() map[string]string {
+	return map_ObjectMetricStatus
+}
+
+var map_PodsMetricSource = map[string]string{
+	"":                   "PodsMetricSource indicates how to scale on a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.",
+	"metricName":         "metricName is the name of the metric in question",
+	"targetAverageValue": "targetAverageValue is the target value of the average of the metric across all relevant pods (as a quantity)",
+}
+
+func (PodsMetricSource) SwaggerDoc() map[string]string {
+	return map_PodsMetricSource
+}
+
+var map_PodsMetricStatus = map[string]string{
+	"":                    "PodsMetricStatus indicates the current value of a metric describing each pod in the current scale target (for example, transactions-processed-per-second).",
+	"metricName":          "metricName is the name of the metric in question",
+	"currentAverageValue": "currentAverageValue is the current value of the average of the metric across all relevant pods (as a quantity)",
+}
+
+func (PodsMetricStatus) SwaggerDoc() map[string]string {
+	return map_PodsMetricStatus
+}
+
+var map_ResourceMetricSource = map[string]string{
+	"":     "ResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  The values will be averaged together before being compared to the target.  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.  Only one \"target\" type should be set.",
+	"name": "name is the name of the resource in question.",
+	"targetAverageUtilization": "targetAverageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.",
+	"targetAverageValue":       "targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type.",
+}
+
+func (ResourceMetricSource) SwaggerDoc() map[string]string {
+	return map_ResourceMetricSource
+}
+
+var map_ResourceMetricStatus = map[string]string{
+	"":     "ResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
+	"name": "name is the name of the resource in question.",
+	"currentAverageUtilization": "currentAverageUtilization is the current value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.  It will only be present if `targetAverageValue` was set in the corresponding metric specification.",
+	"currentAverageValue":       "currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type. It will always be set, regardless of the corresponding metric specification.",
+}
+
+func (ResourceMetricStatus) SwaggerDoc() map[string]string {
+	return map_ResourceMetricStatus
+}
+
+var map_Scale = map[string]string{
+	"":         "Scale represents a scaling request for a resource.",
+	"metadata": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.",
+	"spec":     "defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.",
+	"status":   "current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.",
+}
+
+func (Scale) SwaggerDoc() map[string]string {
+	return map_Scale
+}
+
+var map_ScaleSpec = map[string]string{
+	"":         "ScaleSpec describes the attributes of a scale subresource.",
+	"replicas": "desired number of instances for the scaled object.",
+}
+
+func (ScaleSpec) SwaggerDoc() map[string]string {
+	return map_ScaleSpec
+}
+
+var map_ScaleStatus = map[string]string{
+	"":         "ScaleStatus represents the current status of a scale subresource.",
+	"replicas": "actual number of observed instances of the scaled object.",
+	"selector": "label query over pods that should match the replicas count. This is same as the label selector but in the string format to avoid introspection by clients. The string will be in the same format as the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors",
+}
+
+func (ScaleStatus) SwaggerDoc() map[string]string {
+	return map_ScaleStatus
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/autoscaling/v1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/autoscaling/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..8c7c98e9
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v1/zz_generated.deepcopy.go
@@ -0,0 +1,561 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CrossVersionObjectReference).DeepCopyInto(out.(*CrossVersionObjectReference))
+			return nil
+		}, InType: reflect.TypeOf(&CrossVersionObjectReference{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HorizontalPodAutoscaler).DeepCopyInto(out.(*HorizontalPodAutoscaler))
+			return nil
+		}, InType: reflect.TypeOf(&HorizontalPodAutoscaler{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HorizontalPodAutoscalerCondition).DeepCopyInto(out.(*HorizontalPodAutoscalerCondition))
+			return nil
+		}, InType: reflect.TypeOf(&HorizontalPodAutoscalerCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HorizontalPodAutoscalerList).DeepCopyInto(out.(*HorizontalPodAutoscalerList))
+			return nil
+		}, InType: reflect.TypeOf(&HorizontalPodAutoscalerList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HorizontalPodAutoscalerSpec).DeepCopyInto(out.(*HorizontalPodAutoscalerSpec))
+			return nil
+		}, InType: reflect.TypeOf(&HorizontalPodAutoscalerSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HorizontalPodAutoscalerStatus).DeepCopyInto(out.(*HorizontalPodAutoscalerStatus))
+			return nil
+		}, InType: reflect.TypeOf(&HorizontalPodAutoscalerStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*MetricSpec).DeepCopyInto(out.(*MetricSpec))
+			return nil
+		}, InType: reflect.TypeOf(&MetricSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*MetricStatus).DeepCopyInto(out.(*MetricStatus))
+			return nil
+		}, InType: reflect.TypeOf(&MetricStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ObjectMetricSource).DeepCopyInto(out.(*ObjectMetricSource))
+			return nil
+		}, InType: reflect.TypeOf(&ObjectMetricSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ObjectMetricStatus).DeepCopyInto(out.(*ObjectMetricStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ObjectMetricStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodsMetricSource).DeepCopyInto(out.(*PodsMetricSource))
+			return nil
+		}, InType: reflect.TypeOf(&PodsMetricSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodsMetricStatus).DeepCopyInto(out.(*PodsMetricStatus))
+			return nil
+		}, InType: reflect.TypeOf(&PodsMetricStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceMetricSource).DeepCopyInto(out.(*ResourceMetricSource))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceMetricSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceMetricStatus).DeepCopyInto(out.(*ResourceMetricStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceMetricStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Scale).DeepCopyInto(out.(*Scale))
+			return nil
+		}, InType: reflect.TypeOf(&Scale{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ScaleSpec).DeepCopyInto(out.(*ScaleSpec))
+			return nil
+		}, InType: reflect.TypeOf(&ScaleSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ScaleStatus).DeepCopyInto(out.(*ScaleStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ScaleStatus{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CrossVersionObjectReference) DeepCopyInto(out *CrossVersionObjectReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossVersionObjectReference.
+func (in *CrossVersionObjectReference) DeepCopy() *CrossVersionObjectReference {
+	if in == nil {
+		return nil
+	}
+	out := new(CrossVersionObjectReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HorizontalPodAutoscaler) DeepCopyInto(out *HorizontalPodAutoscaler) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HorizontalPodAutoscaler.
+func (in *HorizontalPodAutoscaler) DeepCopy() *HorizontalPodAutoscaler {
+	if in == nil {
+		return nil
+	}
+	out := new(HorizontalPodAutoscaler)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HorizontalPodAutoscaler) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HorizontalPodAutoscalerCondition) DeepCopyInto(out *HorizontalPodAutoscalerCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HorizontalPodAutoscalerCondition.
+func (in *HorizontalPodAutoscalerCondition) DeepCopy() *HorizontalPodAutoscalerCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(HorizontalPodAutoscalerCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HorizontalPodAutoscalerList) DeepCopyInto(out *HorizontalPodAutoscalerList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]HorizontalPodAutoscaler, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HorizontalPodAutoscalerList.
+func (in *HorizontalPodAutoscalerList) DeepCopy() *HorizontalPodAutoscalerList {
+	if in == nil {
+		return nil
+	}
+	out := new(HorizontalPodAutoscalerList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HorizontalPodAutoscalerList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HorizontalPodAutoscalerSpec) DeepCopyInto(out *HorizontalPodAutoscalerSpec) {
+	*out = *in
+	out.ScaleTargetRef = in.ScaleTargetRef
+	if in.MinReplicas != nil {
+		in, out := &in.MinReplicas, &out.MinReplicas
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.TargetCPUUtilizationPercentage != nil {
+		in, out := &in.TargetCPUUtilizationPercentage, &out.TargetCPUUtilizationPercentage
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HorizontalPodAutoscalerSpec.
+func (in *HorizontalPodAutoscalerSpec) DeepCopy() *HorizontalPodAutoscalerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(HorizontalPodAutoscalerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HorizontalPodAutoscalerStatus) DeepCopyInto(out *HorizontalPodAutoscalerStatus) {
+	*out = *in
+	if in.ObservedGeneration != nil {
+		in, out := &in.ObservedGeneration, &out.ObservedGeneration
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.LastScaleTime != nil {
+		in, out := &in.LastScaleTime, &out.LastScaleTime
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.CurrentCPUUtilizationPercentage != nil {
+		in, out := &in.CurrentCPUUtilizationPercentage, &out.CurrentCPUUtilizationPercentage
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HorizontalPodAutoscalerStatus.
+func (in *HorizontalPodAutoscalerStatus) DeepCopy() *HorizontalPodAutoscalerStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(HorizontalPodAutoscalerStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MetricSpec) DeepCopyInto(out *MetricSpec) {
+	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ObjectMetricSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Pods != nil {
+		in, out := &in.Pods, &out.Pods
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PodsMetricSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Resource != nil {
+		in, out := &in.Resource, &out.Resource
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ResourceMetricSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricSpec.
+func (in *MetricSpec) DeepCopy() *MetricSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(MetricSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MetricStatus) DeepCopyInto(out *MetricStatus) {
+	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ObjectMetricStatus)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Pods != nil {
+		in, out := &in.Pods, &out.Pods
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PodsMetricStatus)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Resource != nil {
+		in, out := &in.Resource, &out.Resource
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ResourceMetricStatus)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricStatus.
+func (in *MetricStatus) DeepCopy() *MetricStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(MetricStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectMetricSource) DeepCopyInto(out *ObjectMetricSource) {
+	*out = *in
+	out.Target = in.Target
+	out.TargetValue = in.TargetValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectMetricSource.
+func (in *ObjectMetricSource) DeepCopy() *ObjectMetricSource {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectMetricSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectMetricStatus) DeepCopyInto(out *ObjectMetricStatus) {
+	*out = *in
+	out.Target = in.Target
+	out.CurrentValue = in.CurrentValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectMetricStatus.
+func (in *ObjectMetricStatus) DeepCopy() *ObjectMetricStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectMetricStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodsMetricSource) DeepCopyInto(out *PodsMetricSource) {
+	*out = *in
+	out.TargetAverageValue = in.TargetAverageValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodsMetricSource.
+func (in *PodsMetricSource) DeepCopy() *PodsMetricSource {
+	if in == nil {
+		return nil
+	}
+	out := new(PodsMetricSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodsMetricStatus) DeepCopyInto(out *PodsMetricStatus) {
+	*out = *in
+	out.CurrentAverageValue = in.CurrentAverageValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodsMetricStatus.
+func (in *PodsMetricStatus) DeepCopy() *PodsMetricStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PodsMetricStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceMetricSource) DeepCopyInto(out *ResourceMetricSource) {
+	*out = *in
+	if in.TargetAverageUtilization != nil {
+		in, out := &in.TargetAverageUtilization, &out.TargetAverageUtilization
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.TargetAverageValue != nil {
+		in, out := &in.TargetAverageValue, &out.TargetAverageValue
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(resource.Quantity)
+			**out = (*in).DeepCopy()
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceMetricSource.
+func (in *ResourceMetricSource) DeepCopy() *ResourceMetricSource {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceMetricSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceMetricStatus) DeepCopyInto(out *ResourceMetricStatus) {
+	*out = *in
+	if in.CurrentAverageUtilization != nil {
+		in, out := &in.CurrentAverageUtilization, &out.CurrentAverageUtilization
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	out.CurrentAverageValue = in.CurrentAverageValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceMetricStatus.
+func (in *ResourceMetricStatus) DeepCopy() *ResourceMetricStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceMetricStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Scale) DeepCopyInto(out *Scale) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Scale.
+func (in *Scale) DeepCopy() *Scale {
+	if in == nil {
+		return nil
+	}
+	out := new(Scale)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Scale) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScaleSpec) DeepCopyInto(out *ScaleSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScaleSpec.
+func (in *ScaleSpec) DeepCopy() *ScaleSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ScaleSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScaleStatus) DeepCopyInto(out *ScaleStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScaleStatus.
+func (in *ScaleStatus) DeepCopy() *ScaleStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ScaleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/autoscaling/v2beta1/doc.go b/cli/vendor/k8s.io/api/autoscaling/v2beta1/doc.go
new file mode 100644
index 00000000..689f369b
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v2beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+package v2beta1 // import "k8s.io/api/autoscaling/v2beta1"
diff --git a/cli/vendor/k8s.io/api/autoscaling/v2beta1/generated.pb.go b/cli/vendor/k8s.io/api/autoscaling/v2beta1/generated.pb.go
new file mode 100644
index 00000000..908c049e
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v2beta1/generated.pb.go
@@ -0,0 +1,3401 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/autoscaling/v2beta1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v2beta1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/autoscaling/v2beta1/generated.proto
+
+	It has these top-level messages:
+		CrossVersionObjectReference
+		HorizontalPodAutoscaler
+		HorizontalPodAutoscalerCondition
+		HorizontalPodAutoscalerList
+		HorizontalPodAutoscalerSpec
+		HorizontalPodAutoscalerStatus
+		MetricSpec
+		MetricStatus
+		ObjectMetricSource
+		ObjectMetricStatus
+		PodsMetricSource
+		PodsMetricStatus
+		ResourceMetricSource
+		ResourceMetricStatus
+*/
+package v2beta1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_apimachinery_pkg_api_resource "k8s.io/apimachinery/pkg/api/resource"
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *CrossVersionObjectReference) Reset()      { *m = CrossVersionObjectReference{} }
+func (*CrossVersionObjectReference) ProtoMessage() {}
+func (*CrossVersionObjectReference) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{0}
+}
+
+func (m *HorizontalPodAutoscaler) Reset()                    { *m = HorizontalPodAutoscaler{} }
+func (*HorizontalPodAutoscaler) ProtoMessage()               {}
+func (*HorizontalPodAutoscaler) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *HorizontalPodAutoscalerCondition) Reset()      { *m = HorizontalPodAutoscalerCondition{} }
+func (*HorizontalPodAutoscalerCondition) ProtoMessage() {}
+func (*HorizontalPodAutoscalerCondition) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{2}
+}
+
+func (m *HorizontalPodAutoscalerList) Reset()      { *m = HorizontalPodAutoscalerList{} }
+func (*HorizontalPodAutoscalerList) ProtoMessage() {}
+func (*HorizontalPodAutoscalerList) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{3}
+}
+
+func (m *HorizontalPodAutoscalerSpec) Reset()      { *m = HorizontalPodAutoscalerSpec{} }
+func (*HorizontalPodAutoscalerSpec) ProtoMessage() {}
+func (*HorizontalPodAutoscalerSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{4}
+}
+
+func (m *HorizontalPodAutoscalerStatus) Reset()      { *m = HorizontalPodAutoscalerStatus{} }
+func (*HorizontalPodAutoscalerStatus) ProtoMessage() {}
+func (*HorizontalPodAutoscalerStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{5}
+}
+
+func (m *MetricSpec) Reset()                    { *m = MetricSpec{} }
+func (*MetricSpec) ProtoMessage()               {}
+func (*MetricSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *MetricStatus) Reset()                    { *m = MetricStatus{} }
+func (*MetricStatus) ProtoMessage()               {}
+func (*MetricStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *ObjectMetricSource) Reset()                    { *m = ObjectMetricSource{} }
+func (*ObjectMetricSource) ProtoMessage()               {}
+func (*ObjectMetricSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *ObjectMetricStatus) Reset()                    { *m = ObjectMetricStatus{} }
+func (*ObjectMetricStatus) ProtoMessage()               {}
+func (*ObjectMetricStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+
+func (m *PodsMetricSource) Reset()                    { *m = PodsMetricSource{} }
+func (*PodsMetricSource) ProtoMessage()               {}
+func (*PodsMetricSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+
+func (m *PodsMetricStatus) Reset()                    { *m = PodsMetricStatus{} }
+func (*PodsMetricStatus) ProtoMessage()               {}
+func (*PodsMetricStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
+
+func (m *ResourceMetricSource) Reset()                    { *m = ResourceMetricSource{} }
+func (*ResourceMetricSource) ProtoMessage()               {}
+func (*ResourceMetricSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
+
+func (m *ResourceMetricStatus) Reset()                    { *m = ResourceMetricStatus{} }
+func (*ResourceMetricStatus) ProtoMessage()               {}
+func (*ResourceMetricStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
+
+func init() {
+	proto.RegisterType((*CrossVersionObjectReference)(nil), "k8s.io.api.autoscaling.v2beta1.CrossVersionObjectReference")
+	proto.RegisterType((*HorizontalPodAutoscaler)(nil), "k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscaler")
+	proto.RegisterType((*HorizontalPodAutoscalerCondition)(nil), "k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerCondition")
+	proto.RegisterType((*HorizontalPodAutoscalerList)(nil), "k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerList")
+	proto.RegisterType((*HorizontalPodAutoscalerSpec)(nil), "k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec")
+	proto.RegisterType((*HorizontalPodAutoscalerStatus)(nil), "k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerStatus")
+	proto.RegisterType((*MetricSpec)(nil), "k8s.io.api.autoscaling.v2beta1.MetricSpec")
+	proto.RegisterType((*MetricStatus)(nil), "k8s.io.api.autoscaling.v2beta1.MetricStatus")
+	proto.RegisterType((*ObjectMetricSource)(nil), "k8s.io.api.autoscaling.v2beta1.ObjectMetricSource")
+	proto.RegisterType((*ObjectMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta1.ObjectMetricStatus")
+	proto.RegisterType((*PodsMetricSource)(nil), "k8s.io.api.autoscaling.v2beta1.PodsMetricSource")
+	proto.RegisterType((*PodsMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta1.PodsMetricStatus")
+	proto.RegisterType((*ResourceMetricSource)(nil), "k8s.io.api.autoscaling.v2beta1.ResourceMetricSource")
+	proto.RegisterType((*ResourceMetricStatus)(nil), "k8s.io.api.autoscaling.v2beta1.ResourceMetricStatus")
+}
+func (m *CrossVersionObjectReference) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CrossVersionObjectReference) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIVersion)))
+	i += copy(dAtA[i:], m.APIVersion)
+	return i, nil
+}
+
+func (m *HorizontalPodAutoscaler) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HorizontalPodAutoscaler) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n3, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *HorizontalPodAutoscalerCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HorizontalPodAutoscalerCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n4, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *HorizontalPodAutoscalerList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HorizontalPodAutoscalerList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n5, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *HorizontalPodAutoscalerSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HorizontalPodAutoscalerSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ScaleTargetRef.Size()))
+	n6, err := m.ScaleTargetRef.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	if m.MinReplicas != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.MinReplicas))
+	}
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MaxReplicas))
+	if len(m.Metrics) > 0 {
+		for _, msg := range m.Metrics {
+			dAtA[i] = 0x22
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *HorizontalPodAutoscalerStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HorizontalPodAutoscalerStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.ObservedGeneration != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.ObservedGeneration))
+	}
+	if m.LastScaleTime != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.LastScaleTime.Size()))
+		n7, err := m.LastScaleTime.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentReplicas))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.DesiredReplicas))
+	if len(m.CurrentMetrics) > 0 {
+		for _, msg := range m.CurrentMetrics {
+			dAtA[i] = 0x2a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x32
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *MetricSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *MetricSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.Object != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Object.Size()))
+		n8, err := m.Object.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	if m.Pods != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Pods.Size()))
+		n9, err := m.Pods.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n9
+	}
+	if m.Resource != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Resource.Size()))
+		n10, err := m.Resource.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n10
+	}
+	return i, nil
+}
+
+func (m *MetricStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *MetricStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.Object != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Object.Size()))
+		n11, err := m.Object.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n11
+	}
+	if m.Pods != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Pods.Size()))
+		n12, err := m.Pods.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n12
+	}
+	if m.Resource != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Resource.Size()))
+		n13, err := m.Resource.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n13
+	}
+	return i, nil
+}
+
+func (m *ObjectMetricSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ObjectMetricSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Target.Size()))
+	n14, err := m.Target.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n14
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MetricName)))
+	i += copy(dAtA[i:], m.MetricName)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.TargetValue.Size()))
+	n15, err := m.TargetValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n15
+	return i, nil
+}
+
+func (m *ObjectMetricStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ObjectMetricStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Target.Size()))
+	n16, err := m.Target.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n16
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MetricName)))
+	i += copy(dAtA[i:], m.MetricName)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentValue.Size()))
+	n17, err := m.CurrentValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n17
+	return i, nil
+}
+
+func (m *PodsMetricSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodsMetricSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MetricName)))
+	i += copy(dAtA[i:], m.MetricName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.TargetAverageValue.Size()))
+	n18, err := m.TargetAverageValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n18
+	return i, nil
+}
+
+func (m *PodsMetricStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodsMetricStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MetricName)))
+	i += copy(dAtA[i:], m.MetricName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentAverageValue.Size()))
+	n19, err := m.CurrentAverageValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n19
+	return i, nil
+}
+
+func (m *ResourceMetricSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceMetricSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	if m.TargetAverageUtilization != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TargetAverageUtilization))
+	}
+	if m.TargetAverageValue != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.TargetAverageValue.Size()))
+		n20, err := m.TargetAverageValue.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n20
+	}
+	return i, nil
+}
+
+func (m *ResourceMetricStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceMetricStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	if m.CurrentAverageUtilization != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.CurrentAverageUtilization))
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentAverageValue.Size()))
+	n21, err := m.CurrentAverageValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n21
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *CrossVersionObjectReference) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.APIVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *HorizontalPodAutoscaler) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *HorizontalPodAutoscalerCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *HorizontalPodAutoscalerList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *HorizontalPodAutoscalerSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ScaleTargetRef.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.MinReplicas != nil {
+		n += 1 + sovGenerated(uint64(*m.MinReplicas))
+	}
+	n += 1 + sovGenerated(uint64(m.MaxReplicas))
+	if len(m.Metrics) > 0 {
+		for _, e := range m.Metrics {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *HorizontalPodAutoscalerStatus) Size() (n int) {
+	var l int
+	_ = l
+	if m.ObservedGeneration != nil {
+		n += 1 + sovGenerated(uint64(*m.ObservedGeneration))
+	}
+	if m.LastScaleTime != nil {
+		l = m.LastScaleTime.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 1 + sovGenerated(uint64(m.CurrentReplicas))
+	n += 1 + sovGenerated(uint64(m.DesiredReplicas))
+	if len(m.CurrentMetrics) > 0 {
+		for _, e := range m.CurrentMetrics {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *MetricSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Object != nil {
+		l = m.Object.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Pods != nil {
+		l = m.Pods.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Resource != nil {
+		l = m.Resource.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *MetricStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Object != nil {
+		l = m.Object.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Pods != nil {
+		l = m.Pods.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Resource != nil {
+		l = m.Resource.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ObjectMetricSource) Size() (n int) {
+	var l int
+	_ = l
+	l = m.Target.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.MetricName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.TargetValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ObjectMetricStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = m.Target.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.MetricName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.CurrentValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodsMetricSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.MetricName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.TargetAverageValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodsMetricStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.MetricName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.CurrentAverageValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ResourceMetricSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TargetAverageUtilization != nil {
+		n += 1 + sovGenerated(uint64(*m.TargetAverageUtilization))
+	}
+	if m.TargetAverageValue != nil {
+		l = m.TargetAverageValue.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ResourceMetricStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.CurrentAverageUtilization != nil {
+		n += 1 + sovGenerated(uint64(*m.CurrentAverageUtilization))
+	}
+	l = m.CurrentAverageValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *CrossVersionObjectReference) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CrossVersionObjectReference{`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`APIVersion:` + fmt.Sprintf("%v", this.APIVersion) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HorizontalPodAutoscaler) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HorizontalPodAutoscaler{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "HorizontalPodAutoscalerSpec", "HorizontalPodAutoscalerSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "HorizontalPodAutoscalerStatus", "HorizontalPodAutoscalerStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HorizontalPodAutoscalerCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HorizontalPodAutoscalerCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HorizontalPodAutoscalerList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HorizontalPodAutoscalerList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "HorizontalPodAutoscaler", "HorizontalPodAutoscaler", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HorizontalPodAutoscalerSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HorizontalPodAutoscalerSpec{`,
+		`ScaleTargetRef:` + strings.Replace(strings.Replace(this.ScaleTargetRef.String(), "CrossVersionObjectReference", "CrossVersionObjectReference", 1), `&`, ``, 1) + `,`,
+		`MinReplicas:` + valueToStringGenerated(this.MinReplicas) + `,`,
+		`MaxReplicas:` + fmt.Sprintf("%v", this.MaxReplicas) + `,`,
+		`Metrics:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Metrics), "MetricSpec", "MetricSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HorizontalPodAutoscalerStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HorizontalPodAutoscalerStatus{`,
+		`ObservedGeneration:` + valueToStringGenerated(this.ObservedGeneration) + `,`,
+		`LastScaleTime:` + strings.Replace(fmt.Sprintf("%v", this.LastScaleTime), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1) + `,`,
+		`CurrentReplicas:` + fmt.Sprintf("%v", this.CurrentReplicas) + `,`,
+		`DesiredReplicas:` + fmt.Sprintf("%v", this.DesiredReplicas) + `,`,
+		`CurrentMetrics:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.CurrentMetrics), "MetricStatus", "MetricStatus", 1), `&`, ``, 1) + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "HorizontalPodAutoscalerCondition", "HorizontalPodAutoscalerCondition", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *MetricSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&MetricSpec{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Object:` + strings.Replace(fmt.Sprintf("%v", this.Object), "ObjectMetricSource", "ObjectMetricSource", 1) + `,`,
+		`Pods:` + strings.Replace(fmt.Sprintf("%v", this.Pods), "PodsMetricSource", "PodsMetricSource", 1) + `,`,
+		`Resource:` + strings.Replace(fmt.Sprintf("%v", this.Resource), "ResourceMetricSource", "ResourceMetricSource", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *MetricStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&MetricStatus{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Object:` + strings.Replace(fmt.Sprintf("%v", this.Object), "ObjectMetricStatus", "ObjectMetricStatus", 1) + `,`,
+		`Pods:` + strings.Replace(fmt.Sprintf("%v", this.Pods), "PodsMetricStatus", "PodsMetricStatus", 1) + `,`,
+		`Resource:` + strings.Replace(fmt.Sprintf("%v", this.Resource), "ResourceMetricStatus", "ResourceMetricStatus", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ObjectMetricSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ObjectMetricSource{`,
+		`Target:` + strings.Replace(strings.Replace(this.Target.String(), "CrossVersionObjectReference", "CrossVersionObjectReference", 1), `&`, ``, 1) + `,`,
+		`MetricName:` + fmt.Sprintf("%v", this.MetricName) + `,`,
+		`TargetValue:` + strings.Replace(strings.Replace(this.TargetValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ObjectMetricStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ObjectMetricStatus{`,
+		`Target:` + strings.Replace(strings.Replace(this.Target.String(), "CrossVersionObjectReference", "CrossVersionObjectReference", 1), `&`, ``, 1) + `,`,
+		`MetricName:` + fmt.Sprintf("%v", this.MetricName) + `,`,
+		`CurrentValue:` + strings.Replace(strings.Replace(this.CurrentValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodsMetricSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodsMetricSource{`,
+		`MetricName:` + fmt.Sprintf("%v", this.MetricName) + `,`,
+		`TargetAverageValue:` + strings.Replace(strings.Replace(this.TargetAverageValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodsMetricStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodsMetricStatus{`,
+		`MetricName:` + fmt.Sprintf("%v", this.MetricName) + `,`,
+		`CurrentAverageValue:` + strings.Replace(strings.Replace(this.CurrentAverageValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceMetricSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceMetricSource{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`TargetAverageUtilization:` + valueToStringGenerated(this.TargetAverageUtilization) + `,`,
+		`TargetAverageValue:` + strings.Replace(fmt.Sprintf("%v", this.TargetAverageValue), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceMetricStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceMetricStatus{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`CurrentAverageUtilization:` + valueToStringGenerated(this.CurrentAverageUtilization) + `,`,
+		`CurrentAverageValue:` + strings.Replace(strings.Replace(this.CurrentAverageValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *CrossVersionObjectReference) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CrossVersionObjectReference: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CrossVersionObjectReference: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HorizontalPodAutoscaler) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HorizontalPodAutoscaler: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HorizontalPodAutoscaler: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HorizontalPodAutoscalerCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = HorizontalPodAutoscalerConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HorizontalPodAutoscalerList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, HorizontalPodAutoscaler{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HorizontalPodAutoscalerSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ScaleTargetRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ScaleTargetRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinReplicas", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.MinReplicas = &v
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxReplicas", wireType)
+			}
+			m.MaxReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MaxReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Metrics", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Metrics = append(m.Metrics, MetricSpec{})
+			if err := m.Metrics[len(m.Metrics)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HorizontalPodAutoscalerStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HorizontalPodAutoscalerStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ObservedGeneration = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastScaleTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.LastScaleTime == nil {
+				m.LastScaleTime = &k8s_io_apimachinery_pkg_apis_meta_v1.Time{}
+			}
+			if err := m.LastScaleTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentReplicas", wireType)
+			}
+			m.CurrentReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.CurrentReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DesiredReplicas", wireType)
+			}
+			m.DesiredReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.DesiredReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentMetrics", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.CurrentMetrics = append(m.CurrentMetrics, MetricStatus{})
+			if err := m.CurrentMetrics[len(m.CurrentMetrics)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, HorizontalPodAutoscalerCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *MetricSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: MetricSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: MetricSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = MetricSourceType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Object", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Object == nil {
+				m.Object = &ObjectMetricSource{}
+			}
+			if err := m.Object.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Pods", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Pods == nil {
+				m.Pods = &PodsMetricSource{}
+			}
+			if err := m.Pods.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Resource == nil {
+				m.Resource = &ResourceMetricSource{}
+			}
+			if err := m.Resource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *MetricStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: MetricStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: MetricStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = MetricSourceType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Object", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Object == nil {
+				m.Object = &ObjectMetricStatus{}
+			}
+			if err := m.Object.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Pods", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Pods == nil {
+				m.Pods = &PodsMetricStatus{}
+			}
+			if err := m.Pods.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Resource == nil {
+				m.Resource = &ResourceMetricStatus{}
+			}
+			if err := m.Resource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ObjectMetricSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ObjectMetricSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ObjectMetricSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Target", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Target.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MetricName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MetricName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.TargetValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ObjectMetricStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ObjectMetricStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ObjectMetricStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Target", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Target.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MetricName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MetricName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.CurrentValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodsMetricSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodsMetricSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodsMetricSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MetricName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MetricName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetAverageValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.TargetAverageValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodsMetricStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodsMetricStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodsMetricStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MetricName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MetricName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentAverageValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.CurrentAverageValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceMetricSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceMetricSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceMetricSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = k8s_io_api_core_v1.ResourceName(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetAverageUtilization", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TargetAverageUtilization = &v
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetAverageValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.TargetAverageValue == nil {
+				m.TargetAverageValue = &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+			}
+			if err := m.TargetAverageValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceMetricStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceMetricStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceMetricStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = k8s_io_api_core_v1.ResourceName(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentAverageUtilization", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.CurrentAverageUtilization = &v
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentAverageValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.CurrentAverageValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/autoscaling/v2beta1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 1316 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x57, 0xcd, 0x6f, 0x1b, 0x45,
+	0x14, 0x8f, 0x1d, 0x27, 0x0d, 0xe3, 0x34, 0x29, 0xd3, 0xaa, 0x75, 0x53, 0x6a, 0x47, 0x2b, 0x84,
+	0x4a, 0x45, 0x77, 0x5b, 0x13, 0x3e, 0x24, 0x84, 0x44, 0x6c, 0x44, 0x5b, 0x91, 0xb4, 0x65, 0x9a,
+	0x56, 0x08, 0x0a, 0x62, 0xb2, 0x3b, 0x75, 0x86, 0x78, 0x3f, 0x34, 0x33, 0xb6, 0x48, 0x11, 0x12,
+	0x17, 0xee, 0x1c, 0x40, 0xfc, 0x15, 0x5c, 0xe1, 0x0c, 0x12, 0x52, 0x85, 0x38, 0xf4, 0x58, 0x84,
+	0x64, 0x51, 0xf3, 0x5f, 0xf4, 0x84, 0xe6, 0xc3, 0xfb, 0x61, 0x7b, 0xe3, 0xc4, 0x44, 0xc0, 0xcd,
+	0x3b, 0xef, 0xf7, 0x7e, 0xef, 0xbd, 0xdf, 0xbc, 0x79, 0x33, 0x06, 0x57, 0x77, 0x5f, 0xe7, 0x36,
+	0x0d, 0x9d, 0xdd, 0xce, 0x36, 0x61, 0x01, 0x11, 0x84, 0x3b, 0x5d, 0x12, 0x78, 0x21, 0x73, 0x8c,
+	0x01, 0x47, 0xd4, 0xc1, 0x1d, 0x11, 0x72, 0x17, 0xb7, 0x69, 0xd0, 0x72, 0xba, 0xf5, 0x6d, 0x22,
+	0xf0, 0x15, 0xa7, 0x45, 0x02, 0xc2, 0xb0, 0x20, 0x9e, 0x1d, 0xb1, 0x50, 0x84, 0xb0, 0xaa, 0xf1,
+	0x36, 0x8e, 0xa8, 0x9d, 0xc2, 0xdb, 0x06, 0xbf, 0x72, 0xa9, 0x45, 0xc5, 0x4e, 0x67, 0xdb, 0x76,
+	0x43, 0xdf, 0x69, 0x85, 0xad, 0xd0, 0x51, 0x6e, 0xdb, 0x9d, 0xfb, 0xea, 0x4b, 0x7d, 0xa8, 0x5f,
+	0x9a, 0x6e, 0xc5, 0x4a, 0x85, 0x77, 0x43, 0x46, 0x9c, 0xee, 0x48, 0xc8, 0x95, 0xb5, 0x04, 0xe3,
+	0x63, 0x77, 0x87, 0x06, 0x84, 0xed, 0x39, 0xd1, 0x6e, 0x4b, 0x39, 0x31, 0xc2, 0xc3, 0x0e, 0x73,
+	0xc9, 0xa1, 0xbc, 0xb8, 0xe3, 0x13, 0x81, 0xc7, 0xc5, 0x72, 0xf2, 0xbc, 0x58, 0x27, 0x10, 0xd4,
+	0x1f, 0x0d, 0xf3, 0xea, 0x24, 0x07, 0xee, 0xee, 0x10, 0x1f, 0x8f, 0xf8, 0xbd, 0x9c, 0xe7, 0xd7,
+	0x11, 0xb4, 0xed, 0xd0, 0x40, 0x70, 0xc1, 0x86, 0x9d, 0xac, 0x6f, 0x0b, 0xe0, 0x5c, 0x93, 0x85,
+	0x9c, 0xdf, 0x25, 0x8c, 0xd3, 0x30, 0xb8, 0xb9, 0xfd, 0x29, 0x71, 0x05, 0x22, 0xf7, 0x09, 0x23,
+	0x81, 0x4b, 0xe0, 0x2a, 0x28, 0xed, 0xd2, 0xc0, 0xab, 0x14, 0x56, 0x0b, 0x17, 0x9e, 0x69, 0x2c,
+	0x3e, 0xec, 0xd5, 0x66, 0xfa, 0xbd, 0x5a, 0xe9, 0x5d, 0x1a, 0x78, 0x48, 0x59, 0x24, 0x22, 0xc0,
+	0x3e, 0xa9, 0x14, 0xb3, 0x88, 0x1b, 0xd8, 0x27, 0x48, 0x59, 0x60, 0x1d, 0x00, 0x1c, 0x51, 0x13,
+	0xa0, 0x32, 0xab, 0x70, 0xd0, 0xe0, 0xc0, 0xfa, 0xad, 0xeb, 0xc6, 0x82, 0x52, 0x28, 0xeb, 0xa7,
+	0x22, 0x38, 0x73, 0x2d, 0x64, 0xf4, 0x41, 0x18, 0x08, 0xdc, 0xbe, 0x15, 0x7a, 0xeb, 0xa6, 0x33,
+	0x08, 0x83, 0x9f, 0x80, 0x05, 0x29, 0xb6, 0x87, 0x05, 0x56, 0x79, 0x95, 0xeb, 0x97, 0xed, 0xa4,
+	0x87, 0xe2, 0xda, 0xed, 0x68, 0xb7, 0x25, 0x17, 0xb8, 0x2d, 0xd1, 0x76, 0xf7, 0x8a, 0xad, 0x8b,
+	0xdb, 0x24, 0x02, 0x27, 0xf1, 0x93, 0x35, 0x14, 0xb3, 0xc2, 0x8f, 0x40, 0x89, 0x47, 0xc4, 0x55,
+	0x35, 0x95, 0xeb, 0x6f, 0xd8, 0xfb, 0x77, 0xa8, 0x9d, 0x93, 0xe8, 0xed, 0x88, 0xb8, 0x89, 0x20,
+	0xf2, 0x0b, 0x29, 0x5a, 0x48, 0xc0, 0x3c, 0x17, 0x58, 0x74, 0xb8, 0x12, 0xa3, 0x5c, 0x7f, 0x73,
+	0xda, 0x00, 0x8a, 0xa4, 0xb1, 0x64, 0x42, 0xcc, 0xeb, 0x6f, 0x64, 0xc8, 0xad, 0xaf, 0x66, 0xc1,
+	0x6a, 0x8e, 0x67, 0x33, 0x0c, 0x3c, 0x2a, 0x68, 0x18, 0xc0, 0x6b, 0xa0, 0x24, 0xf6, 0x22, 0x62,
+	0x36, 0x78, 0x6d, 0x90, 0xed, 0xd6, 0x5e, 0x44, 0x9e, 0xf6, 0x6a, 0xcf, 0x4f, 0xf2, 0x97, 0x38,
+	0xa4, 0x18, 0xe0, 0x46, 0x5c, 0x55, 0x31, 0xc3, 0x65, 0xd2, 0x7a, 0xda, 0xab, 0x8d, 0x39, 0x9a,
+	0x76, 0xcc, 0x94, 0x4d, 0x1e, 0x76, 0x01, 0x6c, 0x63, 0x2e, 0xb6, 0x18, 0x0e, 0xb8, 0x8e, 0x44,
+	0x7d, 0x62, 0xf4, 0xba, 0x78, 0xb0, 0xed, 0x96, 0x1e, 0x8d, 0x15, 0x93, 0x05, 0xdc, 0x18, 0x61,
+	0x43, 0x63, 0x22, 0xc0, 0x17, 0xc0, 0x3c, 0x23, 0x98, 0x87, 0x41, 0xa5, 0xa4, 0xaa, 0x88, 0xc5,
+	0x45, 0x6a, 0x15, 0x19, 0x2b, 0x7c, 0x11, 0x1c, 0xf3, 0x09, 0xe7, 0xb8, 0x45, 0x2a, 0x73, 0x0a,
+	0xb8, 0x6c, 0x80, 0xc7, 0x36, 0xf5, 0x32, 0x1a, 0xd8, 0xad, 0xdf, 0x0b, 0xe0, 0x5c, 0x8e, 0x8e,
+	0x1b, 0x94, 0x0b, 0x78, 0x6f, 0xa4, 0x9f, 0xed, 0x83, 0x15, 0x28, 0xbd, 0x55, 0x37, 0x9f, 0x30,
+	0xb1, 0x17, 0x06, 0x2b, 0xa9, 0x5e, 0xbe, 0x07, 0xe6, 0xa8, 0x20, 0xbe, 0xdc, 0x95, 0xd9, 0x0b,
+	0xe5, 0xfa, 0x6b, 0x53, 0xf6, 0x5a, 0xe3, 0xb8, 0x89, 0x31, 0x77, 0x5d, 0xb2, 0x21, 0x4d, 0x6a,
+	0xfd, 0x51, 0xcc, 0xad, 0x4d, 0x36, 0x3c, 0xfc, 0x1c, 0x2c, 0xa9, 0xaf, 0x2d, 0xcc, 0x5a, 0x44,
+	0xce, 0x15, 0x53, 0xe1, 0xc4, 0x33, 0xb5, 0xcf, 0x50, 0x6a, 0x9c, 0x36, 0xa9, 0x2c, 0xdd, 0xce,
+	0x50, 0xa3, 0xa1, 0x50, 0xf0, 0x0a, 0x28, 0xfb, 0x34, 0x40, 0x24, 0x6a, 0x53, 0x17, 0xeb, 0xb6,
+	0x9c, 0x6b, 0x2c, 0xf7, 0x7b, 0xb5, 0xf2, 0x66, 0xb2, 0x8c, 0xd2, 0x18, 0xf8, 0x0a, 0x28, 0xfb,
+	0xf8, 0xb3, 0xd8, 0x65, 0x56, 0xb9, 0x9c, 0x34, 0xf1, 0xca, 0x9b, 0x89, 0x09, 0xa5, 0x71, 0xf0,
+	0x8e, 0xec, 0x06, 0xc1, 0xa8, 0xcb, 0x2b, 0x25, 0x25, 0xf3, 0xc5, 0x49, 0xf5, 0x6d, 0x2a, 0xb8,
+	0x1a, 0x11, 0xa9, 0xce, 0x51, 0x14, 0x68, 0xc0, 0x65, 0xfd, 0x50, 0x02, 0xe7, 0xf7, 0x3d, 0xfb,
+	0xf0, 0x1d, 0x00, 0xc3, 0x6d, 0x4e, 0x58, 0x97, 0x78, 0x57, 0xf5, 0x68, 0x97, 0x33, 0x56, 0x6a,
+	0x3c, 0xdb, 0x38, 0x2d, 0xdb, 0xfe, 0xe6, 0x88, 0x15, 0x8d, 0xf1, 0x80, 0x2e, 0x38, 0x2e, 0x0f,
+	0x83, 0x16, 0x94, 0x9a, 0x71, 0x7e, 0xb8, 0x93, 0xf6, 0x6c, 0xbf, 0x57, 0x3b, 0xbe, 0x91, 0x26,
+	0x41, 0x59, 0x4e, 0xb8, 0x0e, 0x96, 0xdd, 0x0e, 0x63, 0x24, 0x10, 0x43, 0x02, 0x9f, 0x31, 0x0a,
+	0x2c, 0x37, 0xb3, 0x66, 0x34, 0x8c, 0x97, 0x14, 0x1e, 0xe1, 0x94, 0x11, 0x2f, 0xa6, 0x28, 0x65,
+	0x29, 0xde, 0xce, 0x9a, 0xd1, 0x30, 0x1e, 0xb6, 0xc1, 0x92, 0x61, 0x35, 0x7a, 0x57, 0xe6, 0xd4,
+	0x96, 0xbd, 0x74, 0xc0, 0x2d, 0xd3, 0x43, 0x37, 0xee, 0xc1, 0x66, 0x86, 0x0b, 0x0d, 0x71, 0x43,
+	0x01, 0x80, 0x3b, 0x18, 0x71, 0xbc, 0x32, 0xaf, 0x22, 0xbd, 0x35, 0xe5, 0x19, 0x8c, 0x67, 0x65,
+	0x72, 0x7d, 0xc5, 0x4b, 0x1c, 0xa5, 0xe2, 0x58, 0xbf, 0x16, 0x01, 0x48, 0x3a, 0x0c, 0xae, 0x65,
+	0x86, 0xfc, 0xea, 0xd0, 0x90, 0x3f, 0x61, 0x90, 0xea, 0xd5, 0x93, 0x1a, 0xe8, 0x77, 0xc1, 0x7c,
+	0xa8, 0x4e, 0x9e, 0x69, 0x86, 0xfa, 0xa4, 0xb4, 0xe3, 0xbb, 0x34, 0x66, 0x6b, 0x00, 0x39, 0x3a,
+	0xcd, 0xf9, 0x35, 0x6c, 0xf0, 0x06, 0x28, 0x45, 0xa1, 0x37, 0xb8, 0xfc, 0x2e, 0x4f, 0x62, 0xbd,
+	0x15, 0x7a, 0x3c, 0xc3, 0xb9, 0x20, 0x73, 0x97, 0xab, 0x48, 0xf1, 0xc0, 0x8f, 0xc1, 0xc2, 0xe0,
+	0xcd, 0xa6, 0x9a, 0xa1, 0x5c, 0x5f, 0x9b, 0xc4, 0x89, 0x0c, 0x3e, 0xc3, 0xbb, 0x28, 0x27, 0xe8,
+	0xc0, 0x82, 0x62, 0x4e, 0xeb, 0xb7, 0x22, 0x58, 0x4c, 0xef, 0xfd, 0x7f, 0x22, 0xa7, 0xee, 0xba,
+	0xa3, 0x95, 0x53, 0x73, 0x1e, 0xbd, 0x9c, 0x9a, 0x37, 0x4f, 0xce, 0x6f, 0x8a, 0x00, 0x8e, 0x76,
+	0x0a, 0x74, 0xc1, 0xbc, 0x50, 0x93, 0xfb, 0x28, 0x6e, 0x88, 0xf8, 0xd6, 0x36, 0x97, 0x81, 0xa1,
+	0x96, 0x4f, 0x51, 0x3d, 0x5b, 0x6f, 0x24, 0x4f, 0xd6, 0xf8, 0x2c, 0x6d, 0xc6, 0x16, 0x94, 0x42,
+	0x41, 0x02, 0xca, 0xda, 0xfb, 0x2e, 0x6e, 0x77, 0x06, 0x4f, 0x90, 0x7d, 0x6f, 0x68, 0x7b, 0x50,
+	0xab, 0xfd, 0x5e, 0x07, 0x07, 0x82, 0x8a, 0xbd, 0xe4, 0x0a, 0xd9, 0x4a, 0xa8, 0x50, 0x9a, 0xd7,
+	0xfa, 0x6e, 0x58, 0x16, 0xdd, 0x6b, 0xff, 0x5b, 0x59, 0x76, 0xc0, 0xa2, 0x19, 0x75, 0xff, 0x44,
+	0x97, 0x53, 0x26, 0xca, 0x62, 0x33, 0xc5, 0x85, 0x32, 0xcc, 0xd6, 0xcf, 0x05, 0x70, 0x62, 0x78,
+	0x08, 0x0c, 0xa5, 0x5c, 0x38, 0x50, 0xca, 0x0f, 0x00, 0xd4, 0x05, 0xaf, 0x77, 0x09, 0xc3, 0x2d,
+	0xa2, 0x13, 0x2f, 0x4e, 0x95, 0x78, 0xfc, 0xae, 0xdc, 0x1a, 0x61, 0x44, 0x63, 0xa2, 0x58, 0xbf,
+	0x64, 0x8b, 0xd0, 0x9b, 0x3b, 0x4d, 0x11, 0x5f, 0x80, 0x93, 0x46, 0x9d, 0x23, 0xa8, 0xe2, 0x9c,
+	0x09, 0x76, 0xb2, 0x39, 0x4a, 0x89, 0xc6, 0xc5, 0xb1, 0xbe, 0x2f, 0x82, 0x53, 0xe3, 0xa6, 0x27,
+	0x6c, 0x9a, 0xff, 0x81, 0xba, 0x0a, 0x27, 0xfd, 0x3f, 0xf0, 0x69, 0xaf, 0x56, 0x1b, 0xf3, 0xf4,
+	0x1f, 0xd0, 0xa4, 0xfe, 0x2a, 0xbe, 0x0f, 0x2a, 0x19, 0xed, 0xee, 0x08, 0xda, 0xa6, 0x0f, 0xf4,
+	0xa3, 0x46, 0x3f, 0xdf, 0x9e, 0xeb, 0xf7, 0x6a, 0x95, 0xad, 0x1c, 0x0c, 0xca, 0xf5, 0x96, 0xff,
+	0x27, 0xc6, 0xec, 0xfd, 0x74, 0x4d, 0x7b, 0xfa, 0x10, 0xfb, 0xfe, 0xe3, 0xa8, 0x5e, 0x7a, 0xef,
+	0x8f, 0x44, 0xaf, 0x0f, 0xc1, 0xd9, 0xec, 0x26, 0x8d, 0x0a, 0x76, 0xbe, 0xdf, 0xab, 0x9d, 0x6d,
+	0xe6, 0x81, 0x50, 0xbe, 0x7f, 0x5e, 0xa7, 0xcd, 0xfe, 0x3b, 0x9d, 0xd6, 0xb8, 0xf4, 0xf0, 0x49,
+	0x75, 0xe6, 0xd1, 0x93, 0xea, 0xcc, 0xe3, 0x27, 0xd5, 0x99, 0x2f, 0xfb, 0xd5, 0xc2, 0xc3, 0x7e,
+	0xb5, 0xf0, 0xa8, 0x5f, 0x2d, 0x3c, 0xee, 0x57, 0x0b, 0x7f, 0xf6, 0xab, 0x85, 0xaf, 0xff, 0xaa,
+	0xce, 0x7c, 0x70, 0xcc, 0xcc, 0xbd, 0xbf, 0x03, 0x00, 0x00, 0xff, 0xff, 0xac, 0xf1, 0x6a, 0x4f,
+	0x90, 0x12, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/autoscaling/v2beta1/generated.proto b/cli/vendor/k8s.io/api/autoscaling/v2beta1/generated.proto
new file mode 100644
index 00000000..cce8e425
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v2beta1/generated.proto
@@ -0,0 +1,301 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.autoscaling.v2beta1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v2beta1";
+
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
+message CrossVersionObjectReference {
+  // Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds"
+  optional string kind = 1;
+
+  // Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
+  optional string name = 2;
+
+  // API version of the referent
+  // +optional
+  optional string apiVersion = 3;
+}
+
+// HorizontalPodAutoscaler is the configuration for a horizontal pod
+// autoscaler, which automatically manages the replica count of any resource
+// implementing the scale subresource based on the metrics specified.
+message HorizontalPodAutoscaler {
+  // metadata is the standard object metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // spec is the specification for the behaviour of the autoscaler.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+  // +optional
+  optional HorizontalPodAutoscalerSpec spec = 2;
+
+  // status is the current information about the autoscaler.
+  // +optional
+  optional HorizontalPodAutoscalerStatus status = 3;
+}
+
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
+message HorizontalPodAutoscalerCondition {
+  // type describes the current condition
+  optional string type = 1;
+
+  // status is the status of the condition (True, False, Unknown)
+  optional string status = 2;
+
+  // lastTransitionTime is the last time the condition transitioned from
+  // one status to another
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
+
+  // reason is the reason for the condition's last transition.
+  // +optional
+  optional string reason = 4;
+
+  // message is a human-readable explanation containing details about
+  // the transition
+  // +optional
+  optional string message = 5;
+}
+
+// HorizontalPodAutoscaler is a list of horizontal pod autoscaler objects.
+message HorizontalPodAutoscalerList {
+  // metadata is the standard list metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // items is the list of horizontal pod autoscaler objects.
+  repeated HorizontalPodAutoscaler items = 2;
+}
+
+// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
+message HorizontalPodAutoscalerSpec {
+  // scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
+  // should be collected, as well as to actually change the replica count.
+  optional CrossVersionObjectReference scaleTargetRef = 1;
+
+  // minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.
+  // It defaults to 1 pod.
+  // +optional
+  optional int32 minReplicas = 2;
+
+  // maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+  // It cannot be less that minReplicas.
+  optional int32 maxReplicas = 3;
+
+  // metrics contains the specifications for which to use to calculate the
+  // desired replica count (the maximum replica count across all metrics will
+  // be used).  The desired replica count is calculated multiplying the
+  // ratio between the target value and the current value by the current
+  // number of pods.  Ergo, metrics used must decrease as the pod count is
+  // increased, and vice-versa.  See the individual metric source types for
+  // more information about how each type of metric must respond.
+  // +optional
+  repeated MetricSpec metrics = 4;
+}
+
+// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
+message HorizontalPodAutoscalerStatus {
+  // observedGeneration is the most recent generation observed by this autoscaler.
+  // +optional
+  optional int64 observedGeneration = 1;
+
+  // lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
+  // used by the autoscaler to control how often the number of pods is changed.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastScaleTime = 2;
+
+  // currentReplicas is current number of replicas of pods managed by this autoscaler,
+  // as last seen by the autoscaler.
+  optional int32 currentReplicas = 3;
+
+  // desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
+  // as last calculated by the autoscaler.
+  optional int32 desiredReplicas = 4;
+
+  // currentMetrics is the last read state of the metrics used by this autoscaler.
+  repeated MetricStatus currentMetrics = 5;
+
+  // conditions is the set of conditions required for this autoscaler to scale its target,
+  // and indicates whether or not those conditions are met.
+  repeated HorizontalPodAutoscalerCondition conditions = 6;
+}
+
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
+message MetricSpec {
+  // type is the type of metric source.  It should match one of the fields below.
+  optional string type = 1;
+
+  // object refers to a metric describing a single kubernetes object
+  // (for example, hits-per-second on an Ingress object).
+  // +optional
+  optional ObjectMetricSource object = 2;
+
+  // pods refers to a metric describing each pod in the current scale target
+  // (for example, transactions-processed-per-second).  The values will be
+  // averaged together before being compared to the target value.
+  // +optional
+  optional PodsMetricSource pods = 3;
+
+  // resource refers to a resource metric (such as those specified in
+  // requests and limits) known to Kubernetes describing each pod in the
+  // current scale target (e.g. CPU or memory). Such metrics are built in to
+  // Kubernetes, and have special scaling options on top of those available
+  // to normal per-pod metrics using the "pods" source.
+  // +optional
+  optional ResourceMetricSource resource = 4;
+}
+
+// MetricStatus describes the last-read state of a single metric.
+message MetricStatus {
+  // type is the type of metric source.  It will match one of the fields below.
+  optional string type = 1;
+
+  // object refers to a metric describing a single kubernetes object
+  // (for example, hits-per-second on an Ingress object).
+  // +optional
+  optional ObjectMetricStatus object = 2;
+
+  // pods refers to a metric describing each pod in the current scale target
+  // (for example, transactions-processed-per-second).  The values will be
+  // averaged together before being compared to the target value.
+  // +optional
+  optional PodsMetricStatus pods = 3;
+
+  // resource refers to a resource metric (such as those specified in
+  // requests and limits) known to Kubernetes describing each pod in the
+  // current scale target (e.g. CPU or memory). Such metrics are built in to
+  // Kubernetes, and have special scaling options on top of those available
+  // to normal per-pod metrics using the "pods" source.
+  // +optional
+  optional ResourceMetricStatus resource = 4;
+}
+
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+message ObjectMetricSource {
+  // target is the described Kubernetes object.
+  optional CrossVersionObjectReference target = 1;
+
+  // metricName is the name of the metric in question.
+  optional string metricName = 2;
+
+  // targetValue is the target value of the metric (as a quantity).
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetValue = 3;
+}
+
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+message ObjectMetricStatus {
+  // target is the described Kubernetes object.
+  optional CrossVersionObjectReference target = 1;
+
+  // metricName is the name of the metric in question.
+  optional string metricName = 2;
+
+  // currentValue is the current value of the metric (as a quantity).
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentValue = 3;
+}
+
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
+message PodsMetricSource {
+  // metricName is the name of the metric in question
+  optional string metricName = 1;
+
+  // targetAverageValue is the target value of the average of the
+  // metric across all relevant pods (as a quantity)
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 2;
+}
+
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+message PodsMetricStatus {
+  // metricName is the name of the metric in question
+  optional string metricName = 1;
+
+  // currentAverageValue is the current value of the average of the
+  // metric across all relevant pods (as a quantity)
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 2;
+}
+
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+message ResourceMetricSource {
+  // name is the name of the resource in question.
+  optional string name = 1;
+
+  // targetAverageUtilization is the target value of the average of the
+  // resource metric across all relevant pods, represented as a percentage of
+  // the requested value of the resource for the pods.
+  // +optional
+  optional int32 targetAverageUtilization = 2;
+
+  // targetAverageValue is the target value of the average of the
+  // resource metric across all relevant pods, as a raw value (instead of as
+  // a percentage of the request), similar to the "pods" metric source type.
+  // +optional
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity targetAverageValue = 3;
+}
+
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+message ResourceMetricStatus {
+  // name is the name of the resource in question.
+  optional string name = 1;
+
+  // currentAverageUtilization is the current value of the average of the
+  // resource metric across all relevant pods, represented as a percentage of
+  // the requested value of the resource for the pods.  It will only be
+  // present if `targetAverageValue` was set in the corresponding metric
+  // specification.
+  // +optional
+  optional int32 currentAverageUtilization = 2;
+
+  // currentAverageValue is the current value of the average of the
+  // resource metric across all relevant pods, as a raw value (instead of as
+  // a percentage of the request), similar to the "pods" metric source type.
+  // It will always be set, regardless of the corresponding metric specification.
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity currentAverageValue = 3;
+}
+
diff --git a/cli/vendor/k8s.io/api/autoscaling/v2beta1/register.go b/cli/vendor/k8s.io/api/autoscaling/v2beta1/register.go
new file mode 100644
index 00000000..9025b421
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v2beta1/register.go
@@ -0,0 +1,52 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "autoscaling"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v2beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&HorizontalPodAutoscaler{},
+		&HorizontalPodAutoscalerList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/autoscaling/v2beta1/types.go b/cli/vendor/k8s.io/api/autoscaling/v2beta1/types.go
new file mode 100644
index 00000000..d7b262ff
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v2beta1/types.go
@@ -0,0 +1,312 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2beta1
+
+import (
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
+type CrossVersionObjectReference struct {
+	// Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds"
+	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
+	// Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
+	Name string `json:"name" protobuf:"bytes,2,opt,name=name"`
+	// API version of the referent
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,3,opt,name=apiVersion"`
+}
+
+// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
+type HorizontalPodAutoscalerSpec struct {
+	// scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
+	// should be collected, as well as to actually change the replica count.
+	ScaleTargetRef CrossVersionObjectReference `json:"scaleTargetRef" protobuf:"bytes,1,opt,name=scaleTargetRef"`
+	// minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.
+	// It defaults to 1 pod.
+	// +optional
+	MinReplicas *int32 `json:"minReplicas,omitempty" protobuf:"varint,2,opt,name=minReplicas"`
+	// maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+	// It cannot be less that minReplicas.
+	MaxReplicas int32 `json:"maxReplicas" protobuf:"varint,3,opt,name=maxReplicas"`
+	// metrics contains the specifications for which to use to calculate the
+	// desired replica count (the maximum replica count across all metrics will
+	// be used).  The desired replica count is calculated multiplying the
+	// ratio between the target value and the current value by the current
+	// number of pods.  Ergo, metrics used must decrease as the pod count is
+	// increased, and vice-versa.  See the individual metric source types for
+	// more information about how each type of metric must respond.
+	// +optional
+	Metrics []MetricSpec `json:"metrics,omitempty" protobuf:"bytes,4,rep,name=metrics"`
+}
+
+// MetricSourceType indicates the type of metric.
+type MetricSourceType string
+
+var (
+	// ObjectMetricSourceType is a metric describing a kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	ObjectMetricSourceType MetricSourceType = "Object"
+	// PodsMetricSourceType is a metric describing each pod in the current scale
+	// target (for example, transactions-processed-per-second).  The values
+	// will be averaged together before being compared to the target value.
+	PodsMetricSourceType MetricSourceType = "Pods"
+	// ResourceMetricSourceType is a resource metric known to Kubernetes, as
+	// specified in requests and limits, describing each pod in the current
+	// scale target (e.g. CPU or memory).  Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics (the "pods" source).
+	ResourceMetricSourceType MetricSourceType = "Resource"
+)
+
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
+type MetricSpec struct {
+	// type is the type of metric source.  It should match one of the fields below.
+	Type MetricSourceType `json:"type" protobuf:"bytes,1,name=type"`
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	Object *ObjectMetricSource `json:"object,omitempty" protobuf:"bytes,2,opt,name=object"`
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	Pods *PodsMetricSource `json:"pods,omitempty" protobuf:"bytes,3,opt,name=pods"`
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	Resource *ResourceMetricSource `json:"resource,omitempty" protobuf:"bytes,4,opt,name=resource"`
+}
+
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+type ObjectMetricSource struct {
+	// target is the described Kubernetes object.
+	Target CrossVersionObjectReference `json:"target" protobuf:"bytes,1,name=target"`
+
+	// metricName is the name of the metric in question.
+	MetricName string `json:"metricName" protobuf:"bytes,2,name=metricName"`
+	// targetValue is the target value of the metric (as a quantity).
+	TargetValue resource.Quantity `json:"targetValue" protobuf:"bytes,3,name=targetValue"`
+}
+
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
+type PodsMetricSource struct {
+	// metricName is the name of the metric in question
+	MetricName string `json:"metricName" protobuf:"bytes,1,name=metricName"`
+	// targetAverageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	TargetAverageValue resource.Quantity `json:"targetAverageValue" protobuf:"bytes,2,name=targetAverageValue"`
+}
+
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+type ResourceMetricSource struct {
+	// name is the name of the resource in question.
+	Name v1.ResourceName `json:"name" protobuf:"bytes,1,name=name"`
+	// targetAverageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// +optional
+	TargetAverageUtilization *int32 `json:"targetAverageUtilization,omitempty" protobuf:"varint,2,opt,name=targetAverageUtilization"`
+	// targetAverageValue is the target value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// +optional
+	TargetAverageValue *resource.Quantity `json:"targetAverageValue,omitempty" protobuf:"bytes,3,opt,name=targetAverageValue"`
+}
+
+// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
+type HorizontalPodAutoscalerStatus struct {
+	// observedGeneration is the most recent generation observed by this autoscaler.
+	// +optional
+	ObservedGeneration *int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
+
+	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
+	// used by the autoscaler to control how often the number of pods is changed.
+	// +optional
+	LastScaleTime *metav1.Time `json:"lastScaleTime,omitempty" protobuf:"bytes,2,opt,name=lastScaleTime"`
+
+	// currentReplicas is current number of replicas of pods managed by this autoscaler,
+	// as last seen by the autoscaler.
+	CurrentReplicas int32 `json:"currentReplicas" protobuf:"varint,3,opt,name=currentReplicas"`
+
+	// desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
+	// as last calculated by the autoscaler.
+	DesiredReplicas int32 `json:"desiredReplicas" protobuf:"varint,4,opt,name=desiredReplicas"`
+
+	// currentMetrics is the last read state of the metrics used by this autoscaler.
+	CurrentMetrics []MetricStatus `json:"currentMetrics" protobuf:"bytes,5,rep,name=currentMetrics"`
+
+	// conditions is the set of conditions required for this autoscaler to scale its target,
+	// and indicates whether or not those conditions are met.
+	Conditions []HorizontalPodAutoscalerCondition `json:"conditions" protobuf:"bytes,6,rep,name=conditions"`
+}
+
+// HorizontalPodAutoscalerConditionType are the valid conditions of
+// a HorizontalPodAutoscaler.
+type HorizontalPodAutoscalerConditionType string
+
+var (
+	// ScalingActive indicates that the HPA controller is able to scale if necessary:
+	// it's correctly configured, can fetch the desired metrics, and isn't disabled.
+	ScalingActive HorizontalPodAutoscalerConditionType = "ScalingActive"
+	// AbleToScale indicates a lack of transient issues which prevent scaling from occuring,
+	// such as being in a backoff window, or being unable to access/update the target scale.
+	AbleToScale HorizontalPodAutoscalerConditionType = "AbleToScale"
+	// ScalingLimited indicates that the calculated scale based on metrics would be above or
+	// below the range for the HPA, and has thus been capped.
+	ScalingLimited HorizontalPodAutoscalerConditionType = "ScalingLimited"
+)
+
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
+type HorizontalPodAutoscalerCondition struct {
+	// type describes the current condition
+	Type HorizontalPodAutoscalerConditionType `json:"type" protobuf:"bytes,1,name=type"`
+	// status is the status of the condition (True, False, Unknown)
+	Status v1.ConditionStatus `json:"status" protobuf:"bytes,2,name=status"`
+	// lastTransitionTime is the last time the condition transitioned from
+	// one status to another
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,3,opt,name=lastTransitionTime"`
+	// reason is the reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
+	// message is a human-readable explanation containing details about
+	// the transition
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+}
+
+// MetricStatus describes the last-read state of a single metric.
+type MetricStatus struct {
+	// type is the type of metric source.  It will match one of the fields below.
+	Type MetricSourceType `json:"type" protobuf:"bytes,1,name=type"`
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	Object *ObjectMetricStatus `json:"object,omitempty" protobuf:"bytes,2,opt,name=object"`
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	Pods *PodsMetricStatus `json:"pods,omitempty" protobuf:"bytes,3,opt,name=pods"`
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	Resource *ResourceMetricStatus `json:"resource,omitempty" protobuf:"bytes,4,opt,name=resource"`
+}
+
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+type ObjectMetricStatus struct {
+	// target is the described Kubernetes object.
+	Target CrossVersionObjectReference `json:"target" protobuf:"bytes,1,name=target"`
+
+	// metricName is the name of the metric in question.
+	MetricName string `json:"metricName" protobuf:"bytes,2,name=metricName"`
+	// currentValue is the current value of the metric (as a quantity).
+	CurrentValue resource.Quantity `json:"currentValue" protobuf:"bytes,3,name=currentValue"`
+}
+
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+type PodsMetricStatus struct {
+	// metricName is the name of the metric in question
+	MetricName string `json:"metricName" protobuf:"bytes,1,name=metricName"`
+	// currentAverageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	CurrentAverageValue resource.Quantity `json:"currentAverageValue" protobuf:"bytes,2,name=currentAverageValue"`
+}
+
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+type ResourceMetricStatus struct {
+	// name is the name of the resource in question.
+	Name v1.ResourceName `json:"name" protobuf:"bytes,1,name=name"`
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.  It will only be
+	// present if `targetAverageValue` was set in the corresponding metric
+	// specification.
+	// +optional
+	CurrentAverageUtilization *int32 `json:"currentAverageUtilization,omitempty" protobuf:"bytes,2,opt,name=currentAverageUtilization"`
+	// currentAverageValue is the current value of the average of the
+	// resource metric across all relevant pods, as a raw value (instead of as
+	// a percentage of the request), similar to the "pods" metric source type.
+	// It will always be set, regardless of the corresponding metric specification.
+	CurrentAverageValue resource.Quantity `json:"currentAverageValue" protobuf:"bytes,3,name=currentAverageValue"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// HorizontalPodAutoscaler is the configuration for a horizontal pod
+// autoscaler, which automatically manages the replica count of any resource
+// implementing the scale subresource based on the metrics specified.
+type HorizontalPodAutoscaler struct {
+	metav1.TypeMeta `json:",inline"`
+	// metadata is the standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// spec is the specification for the behaviour of the autoscaler.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+	// +optional
+	Spec HorizontalPodAutoscalerSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// status is the current information about the autoscaler.
+	// +optional
+	Status HorizontalPodAutoscalerStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// HorizontalPodAutoscaler is a list of horizontal pod autoscaler objects.
+type HorizontalPodAutoscalerList struct {
+	metav1.TypeMeta `json:",inline"`
+	// metadata is the standard list metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// items is the list of horizontal pod autoscaler objects.
+	Items []HorizontalPodAutoscaler `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/autoscaling/v2beta1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/autoscaling/v2beta1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..c7002b3d
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v2beta1/types_swagger_doc_generated.go
@@ -0,0 +1,189 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_CrossVersionObjectReference = map[string]string{
+	"":           "CrossVersionObjectReference contains enough information to let you identify the referred resource.",
+	"kind":       "Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds\"",
+	"name":       "Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names",
+	"apiVersion": "API version of the referent",
+}
+
+func (CrossVersionObjectReference) SwaggerDoc() map[string]string {
+	return map_CrossVersionObjectReference
+}
+
+var map_HorizontalPodAutoscaler = map[string]string{
+	"":         "HorizontalPodAutoscaler is the configuration for a horizontal pod autoscaler, which automatically manages the replica count of any resource implementing the scale subresource based on the metrics specified.",
+	"metadata": "metadata is the standard object metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "spec is the specification for the behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.",
+	"status":   "status is the current information about the autoscaler.",
+}
+
+func (HorizontalPodAutoscaler) SwaggerDoc() map[string]string {
+	return map_HorizontalPodAutoscaler
+}
+
+var map_HorizontalPodAutoscalerCondition = map[string]string{
+	"":                   "HorizontalPodAutoscalerCondition describes the state of a HorizontalPodAutoscaler at a certain point.",
+	"type":               "type describes the current condition",
+	"status":             "status is the status of the condition (True, False, Unknown)",
+	"lastTransitionTime": "lastTransitionTime is the last time the condition transitioned from one status to another",
+	"reason":             "reason is the reason for the condition's last transition.",
+	"message":            "message is a human-readable explanation containing details about the transition",
+}
+
+func (HorizontalPodAutoscalerCondition) SwaggerDoc() map[string]string {
+	return map_HorizontalPodAutoscalerCondition
+}
+
+var map_HorizontalPodAutoscalerList = map[string]string{
+	"":         "HorizontalPodAutoscaler is a list of horizontal pod autoscaler objects.",
+	"metadata": "metadata is the standard list metadata.",
+	"items":    "items is the list of horizontal pod autoscaler objects.",
+}
+
+func (HorizontalPodAutoscalerList) SwaggerDoc() map[string]string {
+	return map_HorizontalPodAutoscalerList
+}
+
+var map_HorizontalPodAutoscalerSpec = map[string]string{
+	"":               "HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.",
+	"scaleTargetRef": "scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics should be collected, as well as to actually change the replica count.",
+	"minReplicas":    "minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod.",
+	"maxReplicas":    "maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less that minReplicas.",
+	"metrics":        "metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used).  The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods.  Ergo, metrics used must decrease as the pod count is increased, and vice-versa.  See the individual metric source types for more information about how each type of metric must respond.",
+}
+
+func (HorizontalPodAutoscalerSpec) SwaggerDoc() map[string]string {
+	return map_HorizontalPodAutoscalerSpec
+}
+
+var map_HorizontalPodAutoscalerStatus = map[string]string{
+	"":                   "HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.",
+	"observedGeneration": "observedGeneration is the most recent generation observed by this autoscaler.",
+	"lastScaleTime":      "lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, used by the autoscaler to control how often the number of pods is changed.",
+	"currentReplicas":    "currentReplicas is current number of replicas of pods managed by this autoscaler, as last seen by the autoscaler.",
+	"desiredReplicas":    "desiredReplicas is the desired number of replicas of pods managed by this autoscaler, as last calculated by the autoscaler.",
+	"currentMetrics":     "currentMetrics is the last read state of the metrics used by this autoscaler.",
+	"conditions":         "conditions is the set of conditions required for this autoscaler to scale its target, and indicates whether or not those conditions are met.",
+}
+
+func (HorizontalPodAutoscalerStatus) SwaggerDoc() map[string]string {
+	return map_HorizontalPodAutoscalerStatus
+}
+
+var map_MetricSpec = map[string]string{
+	"":         "MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once).",
+	"type":     "type is the type of metric source.  It should match one of the fields below.",
+	"object":   "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
+	"pods":     "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
+	"resource": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
+}
+
+func (MetricSpec) SwaggerDoc() map[string]string {
+	return map_MetricSpec
+}
+
+var map_MetricStatus = map[string]string{
+	"":         "MetricStatus describes the last-read state of a single metric.",
+	"type":     "type is the type of metric source.  It will match one of the fields below.",
+	"object":   "object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).",
+	"pods":     "pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second).  The values will be averaged together before being compared to the target value.",
+	"resource": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
+}
+
+func (MetricStatus) SwaggerDoc() map[string]string {
+	return map_MetricStatus
+}
+
+var map_ObjectMetricSource = map[string]string{
+	"":            "ObjectMetricSource indicates how to scale on a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).",
+	"target":      "target is the described Kubernetes object.",
+	"metricName":  "metricName is the name of the metric in question.",
+	"targetValue": "targetValue is the target value of the metric (as a quantity).",
+}
+
+func (ObjectMetricSource) SwaggerDoc() map[string]string {
+	return map_ObjectMetricSource
+}
+
+var map_ObjectMetricStatus = map[string]string{
+	"":             "ObjectMetricStatus indicates the current value of a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).",
+	"target":       "target is the described Kubernetes object.",
+	"metricName":   "metricName is the name of the metric in question.",
+	"currentValue": "currentValue is the current value of the metric (as a quantity).",
+}
+
+func (ObjectMetricStatus) SwaggerDoc() map[string]string {
+	return map_ObjectMetricStatus
+}
+
+var map_PodsMetricSource = map[string]string{
+	"":                   "PodsMetricSource indicates how to scale on a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.",
+	"metricName":         "metricName is the name of the metric in question",
+	"targetAverageValue": "targetAverageValue is the target value of the average of the metric across all relevant pods (as a quantity)",
+}
+
+func (PodsMetricSource) SwaggerDoc() map[string]string {
+	return map_PodsMetricSource
+}
+
+var map_PodsMetricStatus = map[string]string{
+	"":                    "PodsMetricStatus indicates the current value of a metric describing each pod in the current scale target (for example, transactions-processed-per-second).",
+	"metricName":          "metricName is the name of the metric in question",
+	"currentAverageValue": "currentAverageValue is the current value of the average of the metric across all relevant pods (as a quantity)",
+}
+
+func (PodsMetricStatus) SwaggerDoc() map[string]string {
+	return map_PodsMetricStatus
+}
+
+var map_ResourceMetricSource = map[string]string{
+	"":     "ResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  The values will be averaged together before being compared to the target.  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.  Only one \"target\" type should be set.",
+	"name": "name is the name of the resource in question.",
+	"targetAverageUtilization": "targetAverageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.",
+	"targetAverageValue":       "targetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type.",
+}
+
+func (ResourceMetricSource) SwaggerDoc() map[string]string {
+	return map_ResourceMetricSource
+}
+
+var map_ResourceMetricStatus = map[string]string{
+	"":     "ResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory).  Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.",
+	"name": "name is the name of the resource in question.",
+	"currentAverageUtilization": "currentAverageUtilization is the current value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.  It will only be present if `targetAverageValue` was set in the corresponding metric specification.",
+	"currentAverageValue":       "currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the \"pods\" metric source type. It will always be set, regardless of the corresponding metric specification.",
+}
+
+func (ResourceMetricStatus) SwaggerDoc() map[string]string {
+	return map_ResourceMetricStatus
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/autoscaling/v2beta1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/autoscaling/v2beta1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..95553606
--- /dev/null
+++ b/cli/vendor/k8s.io/api/autoscaling/v2beta1/zz_generated.deepcopy.go
@@ -0,0 +1,491 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v2beta1
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CrossVersionObjectReference).DeepCopyInto(out.(*CrossVersionObjectReference))
+			return nil
+		}, InType: reflect.TypeOf(&CrossVersionObjectReference{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HorizontalPodAutoscaler).DeepCopyInto(out.(*HorizontalPodAutoscaler))
+			return nil
+		}, InType: reflect.TypeOf(&HorizontalPodAutoscaler{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HorizontalPodAutoscalerCondition).DeepCopyInto(out.(*HorizontalPodAutoscalerCondition))
+			return nil
+		}, InType: reflect.TypeOf(&HorizontalPodAutoscalerCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HorizontalPodAutoscalerList).DeepCopyInto(out.(*HorizontalPodAutoscalerList))
+			return nil
+		}, InType: reflect.TypeOf(&HorizontalPodAutoscalerList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HorizontalPodAutoscalerSpec).DeepCopyInto(out.(*HorizontalPodAutoscalerSpec))
+			return nil
+		}, InType: reflect.TypeOf(&HorizontalPodAutoscalerSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HorizontalPodAutoscalerStatus).DeepCopyInto(out.(*HorizontalPodAutoscalerStatus))
+			return nil
+		}, InType: reflect.TypeOf(&HorizontalPodAutoscalerStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*MetricSpec).DeepCopyInto(out.(*MetricSpec))
+			return nil
+		}, InType: reflect.TypeOf(&MetricSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*MetricStatus).DeepCopyInto(out.(*MetricStatus))
+			return nil
+		}, InType: reflect.TypeOf(&MetricStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ObjectMetricSource).DeepCopyInto(out.(*ObjectMetricSource))
+			return nil
+		}, InType: reflect.TypeOf(&ObjectMetricSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ObjectMetricStatus).DeepCopyInto(out.(*ObjectMetricStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ObjectMetricStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodsMetricSource).DeepCopyInto(out.(*PodsMetricSource))
+			return nil
+		}, InType: reflect.TypeOf(&PodsMetricSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodsMetricStatus).DeepCopyInto(out.(*PodsMetricStatus))
+			return nil
+		}, InType: reflect.TypeOf(&PodsMetricStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceMetricSource).DeepCopyInto(out.(*ResourceMetricSource))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceMetricSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceMetricStatus).DeepCopyInto(out.(*ResourceMetricStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceMetricStatus{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CrossVersionObjectReference) DeepCopyInto(out *CrossVersionObjectReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossVersionObjectReference.
+func (in *CrossVersionObjectReference) DeepCopy() *CrossVersionObjectReference {
+	if in == nil {
+		return nil
+	}
+	out := new(CrossVersionObjectReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HorizontalPodAutoscaler) DeepCopyInto(out *HorizontalPodAutoscaler) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HorizontalPodAutoscaler.
+func (in *HorizontalPodAutoscaler) DeepCopy() *HorizontalPodAutoscaler {
+	if in == nil {
+		return nil
+	}
+	out := new(HorizontalPodAutoscaler)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HorizontalPodAutoscaler) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HorizontalPodAutoscalerCondition) DeepCopyInto(out *HorizontalPodAutoscalerCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HorizontalPodAutoscalerCondition.
+func (in *HorizontalPodAutoscalerCondition) DeepCopy() *HorizontalPodAutoscalerCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(HorizontalPodAutoscalerCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HorizontalPodAutoscalerList) DeepCopyInto(out *HorizontalPodAutoscalerList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]HorizontalPodAutoscaler, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HorizontalPodAutoscalerList.
+func (in *HorizontalPodAutoscalerList) DeepCopy() *HorizontalPodAutoscalerList {
+	if in == nil {
+		return nil
+	}
+	out := new(HorizontalPodAutoscalerList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *HorizontalPodAutoscalerList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HorizontalPodAutoscalerSpec) DeepCopyInto(out *HorizontalPodAutoscalerSpec) {
+	*out = *in
+	out.ScaleTargetRef = in.ScaleTargetRef
+	if in.MinReplicas != nil {
+		in, out := &in.MinReplicas, &out.MinReplicas
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Metrics != nil {
+		in, out := &in.Metrics, &out.Metrics
+		*out = make([]MetricSpec, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HorizontalPodAutoscalerSpec.
+func (in *HorizontalPodAutoscalerSpec) DeepCopy() *HorizontalPodAutoscalerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(HorizontalPodAutoscalerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HorizontalPodAutoscalerStatus) DeepCopyInto(out *HorizontalPodAutoscalerStatus) {
+	*out = *in
+	if in.ObservedGeneration != nil {
+		in, out := &in.ObservedGeneration, &out.ObservedGeneration
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.LastScaleTime != nil {
+		in, out := &in.LastScaleTime, &out.LastScaleTime
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.CurrentMetrics != nil {
+		in, out := &in.CurrentMetrics, &out.CurrentMetrics
+		*out = make([]MetricStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]HorizontalPodAutoscalerCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HorizontalPodAutoscalerStatus.
+func (in *HorizontalPodAutoscalerStatus) DeepCopy() *HorizontalPodAutoscalerStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(HorizontalPodAutoscalerStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MetricSpec) DeepCopyInto(out *MetricSpec) {
+	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ObjectMetricSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Pods != nil {
+		in, out := &in.Pods, &out.Pods
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PodsMetricSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Resource != nil {
+		in, out := &in.Resource, &out.Resource
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ResourceMetricSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricSpec.
+func (in *MetricSpec) DeepCopy() *MetricSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(MetricSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MetricStatus) DeepCopyInto(out *MetricStatus) {
+	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ObjectMetricStatus)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Pods != nil {
+		in, out := &in.Pods, &out.Pods
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PodsMetricStatus)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Resource != nil {
+		in, out := &in.Resource, &out.Resource
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ResourceMetricStatus)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricStatus.
+func (in *MetricStatus) DeepCopy() *MetricStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(MetricStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectMetricSource) DeepCopyInto(out *ObjectMetricSource) {
+	*out = *in
+	out.Target = in.Target
+	out.TargetValue = in.TargetValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectMetricSource.
+func (in *ObjectMetricSource) DeepCopy() *ObjectMetricSource {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectMetricSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectMetricStatus) DeepCopyInto(out *ObjectMetricStatus) {
+	*out = *in
+	out.Target = in.Target
+	out.CurrentValue = in.CurrentValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectMetricStatus.
+func (in *ObjectMetricStatus) DeepCopy() *ObjectMetricStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectMetricStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodsMetricSource) DeepCopyInto(out *PodsMetricSource) {
+	*out = *in
+	out.TargetAverageValue = in.TargetAverageValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodsMetricSource.
+func (in *PodsMetricSource) DeepCopy() *PodsMetricSource {
+	if in == nil {
+		return nil
+	}
+	out := new(PodsMetricSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodsMetricStatus) DeepCopyInto(out *PodsMetricStatus) {
+	*out = *in
+	out.CurrentAverageValue = in.CurrentAverageValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodsMetricStatus.
+func (in *PodsMetricStatus) DeepCopy() *PodsMetricStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PodsMetricStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceMetricSource) DeepCopyInto(out *ResourceMetricSource) {
+	*out = *in
+	if in.TargetAverageUtilization != nil {
+		in, out := &in.TargetAverageUtilization, &out.TargetAverageUtilization
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.TargetAverageValue != nil {
+		in, out := &in.TargetAverageValue, &out.TargetAverageValue
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(resource.Quantity)
+			**out = (*in).DeepCopy()
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceMetricSource.
+func (in *ResourceMetricSource) DeepCopy() *ResourceMetricSource {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceMetricSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceMetricStatus) DeepCopyInto(out *ResourceMetricStatus) {
+	*out = *in
+	if in.CurrentAverageUtilization != nil {
+		in, out := &in.CurrentAverageUtilization, &out.CurrentAverageUtilization
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	out.CurrentAverageValue = in.CurrentAverageValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceMetricStatus.
+func (in *ResourceMetricStatus) DeepCopy() *ResourceMetricStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceMetricStatus)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/batch/v1/doc.go b/cli/vendor/k8s.io/api/batch/v1/doc.go
new file mode 100644
index 00000000..52a1d903
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+package v1 // import "k8s.io/api/batch/v1"
diff --git a/cli/vendor/k8s.io/api/batch/v1/generated.pb.go b/cli/vendor/k8s.io/api/batch/v1/generated.pb.go
new file mode 100644
index 00000000..8599b673
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1/generated.pb.go
@@ -0,0 +1,1615 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/batch/v1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/batch/v1/generated.proto
+
+	It has these top-level messages:
+		Job
+		JobCondition
+		JobList
+		JobSpec
+		JobStatus
+*/
+package v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *Job) Reset()                    { *m = Job{} }
+func (*Job) ProtoMessage()               {}
+func (*Job) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *JobCondition) Reset()                    { *m = JobCondition{} }
+func (*JobCondition) ProtoMessage()               {}
+func (*JobCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *JobList) Reset()                    { *m = JobList{} }
+func (*JobList) ProtoMessage()               {}
+func (*JobList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *JobSpec) Reset()                    { *m = JobSpec{} }
+func (*JobSpec) ProtoMessage()               {}
+func (*JobSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *JobStatus) Reset()                    { *m = JobStatus{} }
+func (*JobStatus) ProtoMessage()               {}
+func (*JobStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func init() {
+	proto.RegisterType((*Job)(nil), "k8s.io.api.batch.v1.Job")
+	proto.RegisterType((*JobCondition)(nil), "k8s.io.api.batch.v1.JobCondition")
+	proto.RegisterType((*JobList)(nil), "k8s.io.api.batch.v1.JobList")
+	proto.RegisterType((*JobSpec)(nil), "k8s.io.api.batch.v1.JobSpec")
+	proto.RegisterType((*JobStatus)(nil), "k8s.io.api.batch.v1.JobStatus")
+}
+func (m *Job) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Job) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n3, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *JobCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *JobCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastProbeTime.Size()))
+	n4, err := m.LastProbeTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n5, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *JobList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *JobList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n6, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *JobSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *JobSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Parallelism != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Parallelism))
+	}
+	if m.Completions != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Completions))
+	}
+	if m.ActiveDeadlineSeconds != nil {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.ActiveDeadlineSeconds))
+	}
+	if m.Selector != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n7, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	if m.ManualSelector != nil {
+		dAtA[i] = 0x28
+		i++
+		if *m.ManualSelector {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n8, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n8
+	if m.BackoffLimit != nil {
+		dAtA[i] = 0x38
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.BackoffLimit))
+	}
+	return i, nil
+}
+
+func (m *JobStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *JobStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.StartTime != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.StartTime.Size()))
+		n9, err := m.StartTime.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n9
+	}
+	if m.CompletionTime != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.CompletionTime.Size()))
+		n10, err := m.CompletionTime.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n10
+	}
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Active))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Succeeded))
+	dAtA[i] = 0x30
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Failed))
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *Job) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *JobCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastProbeTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *JobList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *JobSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Parallelism != nil {
+		n += 1 + sovGenerated(uint64(*m.Parallelism))
+	}
+	if m.Completions != nil {
+		n += 1 + sovGenerated(uint64(*m.Completions))
+	}
+	if m.ActiveDeadlineSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.ActiveDeadlineSeconds))
+	}
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ManualSelector != nil {
+		n += 2
+	}
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.BackoffLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.BackoffLimit))
+	}
+	return n
+}
+
+func (m *JobStatus) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.StartTime != nil {
+		l = m.StartTime.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.CompletionTime != nil {
+		l = m.CompletionTime.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 1 + sovGenerated(uint64(m.Active))
+	n += 1 + sovGenerated(uint64(m.Succeeded))
+	n += 1 + sovGenerated(uint64(m.Failed))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *Job) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Job{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "JobSpec", "JobSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "JobStatus", "JobStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *JobCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&JobCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`LastProbeTime:` + strings.Replace(strings.Replace(this.LastProbeTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *JobList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&JobList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Job", "Job", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *JobSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&JobSpec{`,
+		`Parallelism:` + valueToStringGenerated(this.Parallelism) + `,`,
+		`Completions:` + valueToStringGenerated(this.Completions) + `,`,
+		`ActiveDeadlineSeconds:` + valueToStringGenerated(this.ActiveDeadlineSeconds) + `,`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`ManualSelector:` + valueToStringGenerated(this.ManualSelector) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "k8s_io_api_core_v1.PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`BackoffLimit:` + valueToStringGenerated(this.BackoffLimit) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *JobStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&JobStatus{`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "JobCondition", "JobCondition", 1), `&`, ``, 1) + `,`,
+		`StartTime:` + strings.Replace(fmt.Sprintf("%v", this.StartTime), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1) + `,`,
+		`CompletionTime:` + strings.Replace(fmt.Sprintf("%v", this.CompletionTime), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1) + `,`,
+		`Active:` + fmt.Sprintf("%v", this.Active) + `,`,
+		`Succeeded:` + fmt.Sprintf("%v", this.Succeeded) + `,`,
+		`Failed:` + fmt.Sprintf("%v", this.Failed) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *Job) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Job: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Job: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *JobCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: JobCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: JobCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = JobConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastProbeTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastProbeTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *JobList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: JobList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: JobList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Job{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *JobSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: JobSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: JobSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Parallelism", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Parallelism = &v
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Completions", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Completions = &v
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ActiveDeadlineSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ActiveDeadlineSeconds = &v
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ManualSelector", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.ManualSelector = &b
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field BackoffLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.BackoffLimit = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *JobStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: JobStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: JobStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, JobCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StartTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.StartTime == nil {
+				m.StartTime = &k8s_io_apimachinery_pkg_apis_meta_v1.Time{}
+			}
+			if err := m.StartTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CompletionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.CompletionTime == nil {
+				m.CompletionTime = &k8s_io_apimachinery_pkg_apis_meta_v1.Time{}
+			}
+			if err := m.CompletionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Active", wireType)
+			}
+			m.Active = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Active |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Succeeded", wireType)
+			}
+			m.Succeeded = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Succeeded |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Failed", wireType)
+			}
+			m.Failed = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Failed |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/batch/v1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 907 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x54, 0x41, 0x6f, 0xe3, 0x44,
+	0x18, 0x8d, 0x9b, 0xa6, 0x4d, 0x26, 0x69, 0x77, 0x19, 0x54, 0x29, 0x54, 0xc8, 0x59, 0x82, 0x84,
+	0x0a, 0x12, 0x36, 0xe9, 0x56, 0x08, 0x21, 0x40, 0xc2, 0x45, 0x2b, 0x51, 0xa5, 0xda, 0x32, 0x29,
+	0x42, 0x42, 0x20, 0x31, 0xb6, 0xbf, 0xa4, 0x43, 0x6c, 0x8f, 0xe5, 0x99, 0x44, 0xea, 0x8d, 0x9f,
+	0xc0, 0x8f, 0x40, 0xfc, 0x14, 0xd4, 0xe3, 0x1e, 0xf7, 0x14, 0x51, 0xc3, 0x9d, 0xfb, 0x9e, 0xd0,
+	0x8c, 0x1d, 0xdb, 0x69, 0x13, 0xd1, 0xe5, 0x66, 0xbf, 0x79, 0xef, 0x7d, 0x33, 0xf3, 0xbd, 0xf9,
+	0xd0, 0x67, 0xd3, 0x4f, 0x84, 0xc5, 0xb8, 0x3d, 0x9d, 0xb9, 0x90, 0x44, 0x20, 0x41, 0xd8, 0x73,
+	0x88, 0x7c, 0x9e, 0xd8, 0xf9, 0x02, 0x8d, 0x99, 0xed, 0x52, 0xe9, 0x5d, 0xd9, 0xf3, 0x81, 0x3d,
+	0x81, 0x08, 0x12, 0x2a, 0xc1, 0xb7, 0xe2, 0x84, 0x4b, 0x8e, 0xdf, 0xcc, 0x48, 0x16, 0x8d, 0x99,
+	0xa5, 0x49, 0xd6, 0x7c, 0x70, 0xf8, 0xe1, 0x84, 0xc9, 0xab, 0x99, 0x6b, 0x79, 0x3c, 0xb4, 0x27,
+	0x7c, 0xc2, 0x6d, 0xcd, 0x75, 0x67, 0x63, 0xfd, 0xa7, 0x7f, 0xf4, 0x57, 0xe6, 0x71, 0xd8, 0xaf,
+	0x14, 0xf2, 0x78, 0x02, 0x6b, 0xea, 0x1c, 0x9e, 0x94, 0x9c, 0x90, 0x7a, 0x57, 0x2c, 0x82, 0xe4,
+	0xda, 0x8e, 0xa7, 0x13, 0x05, 0x08, 0x3b, 0x04, 0x49, 0xd7, 0xa9, 0xec, 0x4d, 0xaa, 0x64, 0x16,
+	0x49, 0x16, 0xc2, 0x3d, 0xc1, 0xc7, 0xff, 0x25, 0x10, 0xde, 0x15, 0x84, 0xf4, 0x9e, 0xee, 0xe9,
+	0x26, 0xdd, 0x4c, 0xb2, 0xc0, 0x66, 0x91, 0x14, 0x32, 0xb9, 0x2b, 0xea, 0xff, 0x63, 0xa0, 0xfa,
+	0x19, 0x77, 0xf1, 0x4f, 0xa8, 0xa9, 0x0e, 0xe0, 0x53, 0x49, 0xbb, 0xc6, 0x13, 0xe3, 0xa8, 0x7d,
+	0xfc, 0x91, 0x55, 0x5e, 0x6b, 0xe1, 0x67, 0xc5, 0xd3, 0x89, 0x02, 0x84, 0xa5, 0xd8, 0xd6, 0x7c,
+	0x60, 0x3d, 0x77, 0x7f, 0x06, 0x4f, 0x9e, 0x83, 0xa4, 0x0e, 0xbe, 0x59, 0xf4, 0x6a, 0xe9, 0xa2,
+	0x87, 0x4a, 0x8c, 0x14, 0xae, 0xf8, 0x0b, 0xb4, 0x2d, 0x62, 0xf0, 0xba, 0x5b, 0xda, 0xfd, 0x6d,
+	0x6b, 0x4d, 0xd3, 0xac, 0x33, 0xee, 0x8e, 0x62, 0xf0, 0x9c, 0x4e, 0xee, 0xb4, 0xad, 0xfe, 0x88,
+	0xd6, 0xe1, 0x67, 0x68, 0x47, 0x48, 0x2a, 0x67, 0xa2, 0x5b, 0xd7, 0x0e, 0xe6, 0x46, 0x07, 0xcd,
+	0x72, 0xf6, 0x73, 0x8f, 0x9d, 0xec, 0x9f, 0xe4, 0xea, 0xfe, 0x1f, 0x75, 0xd4, 0x39, 0xe3, 0xee,
+	0x29, 0x8f, 0x7c, 0x26, 0x19, 0x8f, 0xf0, 0x09, 0xda, 0x96, 0xd7, 0x31, 0xe8, 0x63, 0xb7, 0x9c,
+	0x27, 0xcb, 0xd2, 0x97, 0xd7, 0x31, 0xbc, 0x5a, 0xf4, 0x1e, 0x57, 0xb9, 0x0a, 0x23, 0x9a, 0x8d,
+	0x87, 0xc5, 0x76, 0xb6, 0xb4, 0xee, 0x64, 0xb5, 0xdc, 0xab, 0x45, 0x6f, 0x4d, 0xa4, 0xac, 0xc2,
+	0x69, 0x75, 0x53, 0x78, 0x82, 0xf6, 0x02, 0x2a, 0xe4, 0x45, 0xc2, 0x5d, 0xb8, 0x64, 0x21, 0xe4,
+	0x67, 0xfc, 0xe0, 0x61, 0x3d, 0x50, 0x0a, 0xe7, 0x20, 0xdf, 0xc0, 0xde, 0xb0, 0x6a, 0x44, 0x56,
+	0x7d, 0xf1, 0x1c, 0x61, 0x05, 0x5c, 0x26, 0x34, 0x12, 0xd9, 0x91, 0x54, 0xb5, 0xed, 0xd7, 0xae,
+	0x76, 0x98, 0x57, 0xc3, 0xc3, 0x7b, 0x6e, 0x64, 0x4d, 0x05, 0xfc, 0x1e, 0xda, 0x49, 0x80, 0x0a,
+	0x1e, 0x75, 0x1b, 0xfa, 0xba, 0x8a, 0xee, 0x10, 0x8d, 0x92, 0x7c, 0x15, 0xbf, 0x8f, 0x76, 0x43,
+	0x10, 0x82, 0x4e, 0xa0, 0xbb, 0xa3, 0x89, 0x8f, 0x72, 0xe2, 0xee, 0x79, 0x06, 0x93, 0xe5, 0x7a,
+	0xff, 0x77, 0x03, 0xed, 0x9e, 0x71, 0x77, 0xc8, 0x84, 0xc4, 0x3f, 0xdc, 0x8b, 0xaf, 0xf5, 0xb0,
+	0xc3, 0x28, 0xb5, 0x0e, 0xef, 0xe3, 0xbc, 0x4e, 0x73, 0x89, 0x54, 0xa2, 0xfb, 0x39, 0x6a, 0x30,
+	0x09, 0xa1, 0x6a, 0x75, 0xfd, 0xa8, 0x7d, 0xdc, 0xdd, 0x94, 0x3c, 0x67, 0x2f, 0x37, 0x69, 0x7c,
+	0xad, 0xe8, 0x24, 0x53, 0xf5, 0xff, 0xae, 0xeb, 0x8d, 0xaa, 0x2c, 0xe3, 0x01, 0x6a, 0xc7, 0x34,
+	0xa1, 0x41, 0x00, 0x01, 0x13, 0xa1, 0xde, 0x6b, 0xc3, 0x79, 0x94, 0x2e, 0x7a, 0xed, 0x8b, 0x12,
+	0x26, 0x55, 0x8e, 0x92, 0x78, 0x3c, 0x8c, 0x03, 0x50, 0x97, 0x99, 0xc5, 0x2d, 0x97, 0x9c, 0x96,
+	0x30, 0xa9, 0x72, 0xf0, 0x73, 0x74, 0x40, 0x3d, 0xc9, 0xe6, 0xf0, 0x15, 0x50, 0x3f, 0x60, 0x11,
+	0x8c, 0xc0, 0xe3, 0x91, 0x9f, 0x3d, 0x9d, 0xba, 0xf3, 0x56, 0xba, 0xe8, 0x1d, 0x7c, 0xb9, 0x8e,
+	0x40, 0xd6, 0xeb, 0xf0, 0x8f, 0xa8, 0x29, 0x20, 0x00, 0x4f, 0xf2, 0x24, 0x0f, 0xcb, 0xd3, 0x07,
+	0xde, 0x2f, 0x75, 0x21, 0x18, 0xe5, 0x52, 0xa7, 0xa3, 0x2e, 0x78, 0xf9, 0x47, 0x0a, 0x4b, 0xfc,
+	0x29, 0xda, 0x0f, 0x69, 0x34, 0xa3, 0x05, 0x53, 0xa7, 0xa4, 0xe9, 0xe0, 0x74, 0xd1, 0xdb, 0x3f,
+	0x5f, 0x59, 0x21, 0x77, 0x98, 0xf8, 0x1b, 0xd4, 0x94, 0x10, 0xc6, 0x01, 0x95, 0x59, 0x64, 0xda,
+	0xc7, 0xef, 0x56, 0xfb, 0xa3, 0x5e, 0x9e, 0xda, 0xc8, 0x05, 0xf7, 0x2f, 0x73, 0x9a, 0x1e, 0x31,
+	0x45, 0xbf, 0x97, 0x28, 0x29, 0x6c, 0xf0, 0x09, 0xea, 0xb8, 0xd4, 0x9b, 0xf2, 0xf1, 0x78, 0xc8,
+	0x42, 0x26, 0xbb, 0xbb, 0xfa, 0xca, 0x1f, 0xa7, 0x8b, 0x5e, 0xc7, 0xa9, 0xe0, 0x64, 0x85, 0xd5,
+	0xff, 0xad, 0x8e, 0x5a, 0xc5, 0xf8, 0xc1, 0xdf, 0x22, 0xe4, 0x2d, 0x1f, 0xbb, 0xe8, 0x1a, 0x3a,
+	0x38, 0xef, 0x6c, 0x0a, 0x4e, 0x31, 0x16, 0xca, 0x19, 0x5a, 0x40, 0x82, 0x54, 0x8c, 0xf0, 0x77,
+	0xa8, 0x25, 0x24, 0x4d, 0xa4, 0x7e, 0xb6, 0x5b, 0xaf, 0xfd, 0x6c, 0xf7, 0xd2, 0x45, 0xaf, 0x35,
+	0x5a, 0x1a, 0x90, 0xd2, 0x0b, 0x8f, 0xd1, 0x7e, 0x99, 0xa0, 0xff, 0x39, 0x82, 0x74, 0xbb, 0x4e,
+	0x57, 0x5c, 0xc8, 0x1d, 0x57, 0x35, 0x08, 0xb2, 0x88, 0xe9, 0x1c, 0x35, 0xca, 0x41, 0x90, 0xe5,
+	0x91, 0xe4, 0xab, 0xd8, 0x46, 0x2d, 0x31, 0xf3, 0x3c, 0x00, 0x1f, 0x7c, 0x9d, 0x86, 0x86, 0xf3,
+	0x46, 0x4e, 0x6d, 0x8d, 0x96, 0x0b, 0xa4, 0xe4, 0x28, 0xe3, 0x31, 0x65, 0x01, 0xf8, 0x3a, 0x05,
+	0x15, 0xe3, 0x67, 0x1a, 0x25, 0xf9, 0xaa, 0x73, 0x74, 0x73, 0x6b, 0xd6, 0x5e, 0xdc, 0x9a, 0xb5,
+	0x97, 0xb7, 0x66, 0xed, 0x97, 0xd4, 0x34, 0x6e, 0x52, 0xd3, 0x78, 0x91, 0x9a, 0xc6, 0xcb, 0xd4,
+	0x34, 0xfe, 0x4c, 0x4d, 0xe3, 0xd7, 0xbf, 0xcc, 0xda, 0xf7, 0x5b, 0xf3, 0xc1, 0xbf, 0x01, 0x00,
+	0x00, 0xff, 0xff, 0xce, 0x80, 0xf2, 0xbe, 0x96, 0x08, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/batch/v1/generated.proto b/cli/vendor/k8s.io/api/batch/v1/generated.proto
new file mode 100644
index 00000000..f8790c83
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1/generated.proto
@@ -0,0 +1,173 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.batch.v1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1";
+
+// Job represents the configuration of a single job.
+message Job {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of a job.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional JobSpec spec = 2;
+
+  // Current status of a job.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional JobStatus status = 3;
+}
+
+// JobCondition describes current state of a job.
+message JobCondition {
+  // Type of job condition, Complete or Failed.
+  optional string type = 1;
+
+  // Status of the condition, one of True, False, Unknown.
+  optional string status = 2;
+
+  // Last time the condition was checked.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastProbeTime = 3;
+
+  // Last time the condition transit from one status to another.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 4;
+
+  // (brief) reason for the condition's last transition.
+  // +optional
+  optional string reason = 5;
+
+  // Human readable message indicating details about last transition.
+  // +optional
+  optional string message = 6;
+}
+
+// JobList is a collection of jobs.
+message JobList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // items is the list of Jobs.
+  repeated Job items = 2;
+}
+
+// JobSpec describes how the job execution will look like.
+message JobSpec {
+  // Specifies the maximum desired number of pods the job should
+  // run at any given time. The actual number of pods running in steady state will
+  // be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism),
+  // i.e. when the work left to do is less than max parallelism.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+  // +optional
+  optional int32 parallelism = 1;
+
+  // Specifies the desired number of successfully finished pods the
+  // job should be run with.  Setting to nil means that the success of any
+  // pod signals the success of all pods, and allows parallelism to have any positive
+  // value.  Setting to 1 means that parallelism is limited to 1 and the success of that
+  // pod signals the success of the job.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+  // +optional
+  optional int32 completions = 2;
+
+  // Specifies the duration in seconds relative to the startTime that the job may be active
+  // before the system tries to terminate it; value must be positive integer
+  // +optional
+  optional int64 activeDeadlineSeconds = 3;
+
+  // Specifies the number of retries before marking this job failed.
+  // Defaults to 6
+  // +optional
+  optional int32 backoffLimit = 7;
+
+  // A label query over pods that should match the pod count.
+  // Normally, the system sets this field for you.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 4;
+
+  // manualSelector controls generation of pod labels and pod selectors.
+  // Leave `manualSelector` unset unless you are certain what you are doing.
+  // When false or unset, the system pick labels unique to this job
+  // and appends those labels to the pod template.  When true,
+  // the user is responsible for picking unique labels and specifying
+  // the selector.  Failure to pick a unique label may cause this
+  // and other jobs to not function correctly.  However, You may see
+  // `manualSelector=true` in jobs that were created with the old `extensions/v1beta1`
+  // API.
+  // More info: https://git.k8s.io/community/contributors/design-proposals/selector-generation.md
+  // +optional
+  optional bool manualSelector = 5;
+
+  // Describes the pod that will be created when executing a job.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+  optional k8s.io.api.core.v1.PodTemplateSpec template = 6;
+}
+
+// JobStatus represents the current state of a Job.
+message JobStatus {
+  // The latest available observations of an object's current state.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+  // +optional
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated JobCondition conditions = 1;
+
+  // Represents time when the job was acknowledged by the job controller.
+  // It is not guaranteed to be set in happens-before order across separate operations.
+  // It is represented in RFC3339 form and is in UTC.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time startTime = 2;
+
+  // Represents time when the job was completed. It is not guaranteed to
+  // be set in happens-before order across separate operations.
+  // It is represented in RFC3339 form and is in UTC.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time completionTime = 3;
+
+  // The number of actively running pods.
+  // +optional
+  optional int32 active = 4;
+
+  // The number of pods which reached phase Succeeded.
+  // +optional
+  optional int32 succeeded = 5;
+
+  // The number of pods which reached phase Failed.
+  // +optional
+  optional int32 failed = 6;
+}
+
diff --git a/cli/vendor/k8s.io/api/batch/v1/register.go b/cli/vendor/k8s.io/api/batch/v1/register.go
new file mode 100644
index 00000000..2cdfc98c
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1/register.go
@@ -0,0 +1,52 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "batch"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Job{},
+		&JobList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/batch/v1/types.go b/cli/vendor/k8s.io/api/batch/v1/types.go
new file mode 100644
index 00000000..4f3b83e8
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1/types.go
@@ -0,0 +1,181 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Job represents the configuration of a single job.
+type Job struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of a job.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec JobSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Current status of a job.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status JobStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// JobList is a collection of jobs.
+type JobList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// items is the list of Jobs.
+	Items []Job `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// JobSpec describes how the job execution will look like.
+type JobSpec struct {
+
+	// Specifies the maximum desired number of pods the job should
+	// run at any given time. The actual number of pods running in steady state will
+	// be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism),
+	// i.e. when the work left to do is less than max parallelism.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	Parallelism *int32 `json:"parallelism,omitempty" protobuf:"varint,1,opt,name=parallelism"`
+
+	// Specifies the desired number of successfully finished pods the
+	// job should be run with.  Setting to nil means that the success of any
+	// pod signals the success of all pods, and allows parallelism to have any positive
+	// value.  Setting to 1 means that parallelism is limited to 1 and the success of that
+	// pod signals the success of the job.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	Completions *int32 `json:"completions,omitempty" protobuf:"varint,2,opt,name=completions"`
+
+	// Specifies the duration in seconds relative to the startTime that the job may be active
+	// before the system tries to terminate it; value must be positive integer
+	// +optional
+	ActiveDeadlineSeconds *int64 `json:"activeDeadlineSeconds,omitempty" protobuf:"varint,3,opt,name=activeDeadlineSeconds"`
+
+	// Specifies the number of retries before marking this job failed.
+	// Defaults to 6
+	// +optional
+	BackoffLimit *int32 `json:"backoffLimit,omitempty" protobuf:"varint,7,opt,name=backoffLimit"`
+
+	// TODO enabled it when https://github.com/kubernetes/kubernetes/issues/28486 has been fixed
+	// Optional number of failed pods to retain.
+	// +optional
+	// FailedPodsLimit *int32 `json:"failedPodsLimit,omitempty" protobuf:"varint,9,opt,name=failedPodsLimit"`
+
+	// A label query over pods that should match the pod count.
+	// Normally, the system sets this field for you.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,4,opt,name=selector"`
+
+	// manualSelector controls generation of pod labels and pod selectors.
+	// Leave `manualSelector` unset unless you are certain what you are doing.
+	// When false or unset, the system pick labels unique to this job
+	// and appends those labels to the pod template.  When true,
+	// the user is responsible for picking unique labels and specifying
+	// the selector.  Failure to pick a unique label may cause this
+	// and other jobs to not function correctly.  However, You may see
+	// `manualSelector=true` in jobs that were created with the old `extensions/v1beta1`
+	// API.
+	// More info: https://git.k8s.io/community/contributors/design-proposals/selector-generation.md
+	// +optional
+	ManualSelector *bool `json:"manualSelector,omitempty" protobuf:"varint,5,opt,name=manualSelector"`
+
+	// Describes the pod that will be created when executing a job.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	Template v1.PodTemplateSpec `json:"template" protobuf:"bytes,6,opt,name=template"`
+}
+
+// JobStatus represents the current state of a Job.
+type JobStatus struct {
+	// The latest available observations of an object's current state.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []JobCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
+
+	// Represents time when the job was acknowledged by the job controller.
+	// It is not guaranteed to be set in happens-before order across separate operations.
+	// It is represented in RFC3339 form and is in UTC.
+	// +optional
+	StartTime *metav1.Time `json:"startTime,omitempty" protobuf:"bytes,2,opt,name=startTime"`
+
+	// Represents time when the job was completed. It is not guaranteed to
+	// be set in happens-before order across separate operations.
+	// It is represented in RFC3339 form and is in UTC.
+	// +optional
+	CompletionTime *metav1.Time `json:"completionTime,omitempty" protobuf:"bytes,3,opt,name=completionTime"`
+
+	// The number of actively running pods.
+	// +optional
+	Active int32 `json:"active,omitempty" protobuf:"varint,4,opt,name=active"`
+
+	// The number of pods which reached phase Succeeded.
+	// +optional
+	Succeeded int32 `json:"succeeded,omitempty" protobuf:"varint,5,opt,name=succeeded"`
+
+	// The number of pods which reached phase Failed.
+	// +optional
+	Failed int32 `json:"failed,omitempty" protobuf:"varint,6,opt,name=failed"`
+}
+
+type JobConditionType string
+
+// These are valid conditions of a job.
+const (
+	// JobComplete means the job has completed its execution.
+	JobComplete JobConditionType = "Complete"
+	// JobFailed means the job has failed its execution.
+	JobFailed JobConditionType = "Failed"
+)
+
+// JobCondition describes current state of a job.
+type JobCondition struct {
+	// Type of job condition, Complete or Failed.
+	Type JobConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=JobConditionType"`
+	// Status of the condition, one of True, False, Unknown.
+	Status v1.ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"`
+	// Last time the condition was checked.
+	// +optional
+	LastProbeTime metav1.Time `json:"lastProbeTime,omitempty" protobuf:"bytes,3,opt,name=lastProbeTime"`
+	// Last time the condition transit from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,4,opt,name=lastTransitionTime"`
+	// (brief) reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,5,opt,name=reason"`
+	// Human readable message indicating details about last transition.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,6,opt,name=message"`
+}
diff --git a/cli/vendor/k8s.io/api/batch/v1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/batch/v1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..53b2d634
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1/types_swagger_doc_generated.go
@@ -0,0 +1,94 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_Job = map[string]string{
+	"":         "Job represents the configuration of a single job.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Specification of the desired behavior of a job. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Current status of a job. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (Job) SwaggerDoc() map[string]string {
+	return map_Job
+}
+
+var map_JobCondition = map[string]string{
+	"":                   "JobCondition describes current state of a job.",
+	"type":               "Type of job condition, Complete or Failed.",
+	"status":             "Status of the condition, one of True, False, Unknown.",
+	"lastProbeTime":      "Last time the condition was checked.",
+	"lastTransitionTime": "Last time the condition transit from one status to another.",
+	"reason":             "(brief) reason for the condition's last transition.",
+	"message":            "Human readable message indicating details about last transition.",
+}
+
+func (JobCondition) SwaggerDoc() map[string]string {
+	return map_JobCondition
+}
+
+var map_JobList = map[string]string{
+	"":         "JobList is a collection of jobs.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "items is the list of Jobs.",
+}
+
+func (JobList) SwaggerDoc() map[string]string {
+	return map_JobList
+}
+
+var map_JobSpec = map[string]string{
+	"":                      "JobSpec describes how the job execution will look like.",
+	"parallelism":           "Specifies the maximum desired number of pods the job should run at any given time. The actual number of pods running in steady state will be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism), i.e. when the work left to do is less than max parallelism. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",
+	"completions":           "Specifies the desired number of successfully finished pods the job should be run with.  Setting to nil means that the success of any pod signals the success of all pods, and allows parallelism to have any positive value.  Setting to 1 means that parallelism is limited to 1 and the success of that pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",
+	"activeDeadlineSeconds": "Specifies the duration in seconds relative to the startTime that the job may be active before the system tries to terminate it; value must be positive integer",
+	"backoffLimit":          "Specifies the number of retries before marking this job failed. Defaults to 6",
+	"selector":              "A label query over pods that should match the pod count. Normally, the system sets this field for you. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+	"manualSelector":        "manualSelector controls generation of pod labels and pod selectors. Leave `manualSelector` unset unless you are certain what you are doing. When false or unset, the system pick labels unique to this job and appends those labels to the pod template.  When true, the user is responsible for picking unique labels and specifying the selector.  Failure to pick a unique label may cause this and other jobs to not function correctly.  However, You may see `manualSelector=true` in jobs that were created with the old `extensions/v1beta1` API. More info: https://git.k8s.io/community/contributors/design-proposals/selector-generation.md",
+	"template":              "Describes the pod that will be created when executing a job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",
+}
+
+func (JobSpec) SwaggerDoc() map[string]string {
+	return map_JobSpec
+}
+
+var map_JobStatus = map[string]string{
+	"":               "JobStatus represents the current state of a Job.",
+	"conditions":     "The latest available observations of an object's current state. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/",
+	"startTime":      "Represents time when the job was acknowledged by the job controller. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC.",
+	"completionTime": "Represents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC.",
+	"active":         "The number of actively running pods.",
+	"succeeded":      "The number of pods which reached phase Succeeded.",
+	"failed":         "The number of pods which reached phase Failed.",
+}
+
+func (JobStatus) SwaggerDoc() map[string]string {
+	return map_JobStatus
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/batch/v1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/batch/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..6862e17f
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1/zz_generated.deepcopy.go
@@ -0,0 +1,254 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1
+
+import (
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Job).DeepCopyInto(out.(*Job))
+			return nil
+		}, InType: reflect.TypeOf(&Job{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*JobCondition).DeepCopyInto(out.(*JobCondition))
+			return nil
+		}, InType: reflect.TypeOf(&JobCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*JobList).DeepCopyInto(out.(*JobList))
+			return nil
+		}, InType: reflect.TypeOf(&JobList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*JobSpec).DeepCopyInto(out.(*JobSpec))
+			return nil
+		}, InType: reflect.TypeOf(&JobSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*JobStatus).DeepCopyInto(out.(*JobStatus))
+			return nil
+		}, InType: reflect.TypeOf(&JobStatus{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Job) DeepCopyInto(out *Job) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Job.
+func (in *Job) DeepCopy() *Job {
+	if in == nil {
+		return nil
+	}
+	out := new(Job)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Job) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobCondition) DeepCopyInto(out *JobCondition) {
+	*out = *in
+	in.LastProbeTime.DeepCopyInto(&out.LastProbeTime)
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobCondition.
+func (in *JobCondition) DeepCopy() *JobCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(JobCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobList) DeepCopyInto(out *JobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Job, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobList.
+func (in *JobList) DeepCopy() *JobList {
+	if in == nil {
+		return nil
+	}
+	out := new(JobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobSpec) DeepCopyInto(out *JobSpec) {
+	*out = *in
+	if in.Parallelism != nil {
+		in, out := &in.Parallelism, &out.Parallelism
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Completions != nil {
+		in, out := &in.Completions, &out.Completions
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.ActiveDeadlineSeconds != nil {
+		in, out := &in.ActiveDeadlineSeconds, &out.ActiveDeadlineSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.BackoffLimit != nil {
+		in, out := &in.BackoffLimit, &out.BackoffLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.ManualSelector != nil {
+		in, out := &in.ManualSelector, &out.ManualSelector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobSpec.
+func (in *JobSpec) DeepCopy() *JobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(JobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobStatus) DeepCopyInto(out *JobStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]JobCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StartTime != nil {
+		in, out := &in.StartTime, &out.StartTime
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.CompletionTime != nil {
+		in, out := &in.CompletionTime, &out.CompletionTime
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobStatus.
+func (in *JobStatus) DeepCopy() *JobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(JobStatus)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/batch/v1beta1/doc.go b/cli/vendor/k8s.io/api/batch/v1beta1/doc.go
new file mode 100644
index 00000000..653ebe04
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+package v1beta1 // import "k8s.io/api/batch/v1beta1"
diff --git a/cli/vendor/k8s.io/api/batch/v1beta1/generated.pb.go b/cli/vendor/k8s.io/api/batch/v1beta1/generated.pb.go
new file mode 100644
index 00000000..6544184d
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1beta1/generated.pb.go
@@ -0,0 +1,1509 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/batch/v1beta1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1beta1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/batch/v1beta1/generated.proto
+
+	It has these top-level messages:
+		CronJob
+		CronJobList
+		CronJobSpec
+		CronJobStatus
+		JobTemplate
+		JobTemplateSpec
+*/
+package v1beta1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *CronJob) Reset()                    { *m = CronJob{} }
+func (*CronJob) ProtoMessage()               {}
+func (*CronJob) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *CronJobList) Reset()                    { *m = CronJobList{} }
+func (*CronJobList) ProtoMessage()               {}
+func (*CronJobList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *CronJobSpec) Reset()                    { *m = CronJobSpec{} }
+func (*CronJobSpec) ProtoMessage()               {}
+func (*CronJobSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *CronJobStatus) Reset()                    { *m = CronJobStatus{} }
+func (*CronJobStatus) ProtoMessage()               {}
+func (*CronJobStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *JobTemplate) Reset()                    { *m = JobTemplate{} }
+func (*JobTemplate) ProtoMessage()               {}
+func (*JobTemplate) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *JobTemplateSpec) Reset()                    { *m = JobTemplateSpec{} }
+func (*JobTemplateSpec) ProtoMessage()               {}
+func (*JobTemplateSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func init() {
+	proto.RegisterType((*CronJob)(nil), "k8s.io.api.batch.v1beta1.CronJob")
+	proto.RegisterType((*CronJobList)(nil), "k8s.io.api.batch.v1beta1.CronJobList")
+	proto.RegisterType((*CronJobSpec)(nil), "k8s.io.api.batch.v1beta1.CronJobSpec")
+	proto.RegisterType((*CronJobStatus)(nil), "k8s.io.api.batch.v1beta1.CronJobStatus")
+	proto.RegisterType((*JobTemplate)(nil), "k8s.io.api.batch.v1beta1.JobTemplate")
+	proto.RegisterType((*JobTemplateSpec)(nil), "k8s.io.api.batch.v1beta1.JobTemplateSpec")
+}
+func (m *CronJob) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CronJob) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n3, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *CronJobList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CronJobList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n4, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *CronJobSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CronJobSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Schedule)))
+	i += copy(dAtA[i:], m.Schedule)
+	if m.StartingDeadlineSeconds != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.StartingDeadlineSeconds))
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ConcurrencyPolicy)))
+	i += copy(dAtA[i:], m.ConcurrencyPolicy)
+	if m.Suspend != nil {
+		dAtA[i] = 0x20
+		i++
+		if *m.Suspend {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.JobTemplate.Size()))
+	n5, err := m.JobTemplate.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	if m.SuccessfulJobsHistoryLimit != nil {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.SuccessfulJobsHistoryLimit))
+	}
+	if m.FailedJobsHistoryLimit != nil {
+		dAtA[i] = 0x38
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.FailedJobsHistoryLimit))
+	}
+	return i, nil
+}
+
+func (m *CronJobStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CronJobStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Active) > 0 {
+		for _, msg := range m.Active {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.LastScheduleTime != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.LastScheduleTime.Size()))
+		n6, err := m.LastScheduleTime.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n6
+	}
+	return i, nil
+}
+
+func (m *JobTemplate) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *JobTemplate) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n7, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n7
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n8, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n8
+	return i, nil
+}
+
+func (m *JobTemplateSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *JobTemplateSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n9, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n10, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *CronJob) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *CronJobList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *CronJobSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Schedule)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.StartingDeadlineSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.StartingDeadlineSeconds))
+	}
+	l = len(m.ConcurrencyPolicy)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Suspend != nil {
+		n += 2
+	}
+	l = m.JobTemplate.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SuccessfulJobsHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.SuccessfulJobsHistoryLimit))
+	}
+	if m.FailedJobsHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.FailedJobsHistoryLimit))
+	}
+	return n
+}
+
+func (m *CronJobStatus) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Active) > 0 {
+		for _, e := range m.Active {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.LastScheduleTime != nil {
+		l = m.LastScheduleTime.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *JobTemplate) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *JobTemplateSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *CronJob) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CronJob{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "CronJobSpec", "CronJobSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "CronJobStatus", "CronJobStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CronJobList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CronJobList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "CronJob", "CronJob", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CronJobSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CronJobSpec{`,
+		`Schedule:` + fmt.Sprintf("%v", this.Schedule) + `,`,
+		`StartingDeadlineSeconds:` + valueToStringGenerated(this.StartingDeadlineSeconds) + `,`,
+		`ConcurrencyPolicy:` + fmt.Sprintf("%v", this.ConcurrencyPolicy) + `,`,
+		`Suspend:` + valueToStringGenerated(this.Suspend) + `,`,
+		`JobTemplate:` + strings.Replace(strings.Replace(this.JobTemplate.String(), "JobTemplateSpec", "JobTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`SuccessfulJobsHistoryLimit:` + valueToStringGenerated(this.SuccessfulJobsHistoryLimit) + `,`,
+		`FailedJobsHistoryLimit:` + valueToStringGenerated(this.FailedJobsHistoryLimit) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CronJobStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CronJobStatus{`,
+		`Active:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Active), "ObjectReference", "k8s_io_api_core_v1.ObjectReference", 1), `&`, ``, 1) + `,`,
+		`LastScheduleTime:` + strings.Replace(fmt.Sprintf("%v", this.LastScheduleTime), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *JobTemplate) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&JobTemplate{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "JobTemplateSpec", "JobTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *JobTemplateSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&JobTemplateSpec{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "JobSpec", "k8s_io_api_batch_v1.JobSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *CronJob) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CronJob: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CronJob: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CronJobList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CronJobList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CronJobList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, CronJob{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CronJobSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CronJobSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CronJobSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Schedule", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Schedule = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StartingDeadlineSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.StartingDeadlineSeconds = &v
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConcurrencyPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ConcurrencyPolicy = ConcurrencyPolicy(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Suspend", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Suspend = &b
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field JobTemplate", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.JobTemplate.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SuccessfulJobsHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.SuccessfulJobsHistoryLimit = &v
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FailedJobsHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.FailedJobsHistoryLimit = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CronJobStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CronJobStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CronJobStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Active", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Active = append(m.Active, k8s_io_api_core_v1.ObjectReference{})
+			if err := m.Active[len(m.Active)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastScheduleTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.LastScheduleTime == nil {
+				m.LastScheduleTime = &k8s_io_apimachinery_pkg_apis_meta_v1.Time{}
+			}
+			if err := m.LastScheduleTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *JobTemplate) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: JobTemplate: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: JobTemplate: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *JobTemplateSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: JobTemplateSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: JobTemplateSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/batch/v1beta1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 784 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x94, 0xcf, 0x6f, 0xe3, 0x44,
+	0x14, 0xc7, 0xe3, 0x34, 0xbf, 0x76, 0xc2, 0x42, 0xd7, 0xa0, 0x5d, 0x2b, 0x20, 0x27, 0x64, 0xb5,
+	0x22, 0x20, 0x76, 0x4c, 0x0b, 0x42, 0x9c, 0x90, 0xd6, 0x8b, 0x16, 0x28, 0x45, 0x8b, 0x9c, 0x22,
+	0x24, 0x54, 0xa1, 0x8e, 0xc7, 0x2f, 0xc9, 0x34, 0xb6, 0xc7, 0xf2, 0x8c, 0x23, 0xe5, 0xc6, 0x85,
+	0x3b, 0xff, 0x08, 0x27, 0xfe, 0x89, 0x88, 0x53, 0x8f, 0x3d, 0x45, 0xd4, 0xfc, 0x17, 0x9c, 0x90,
+	0x27, 0xce, 0x8f, 0xe6, 0x47, 0x5b, 0x2e, 0xbd, 0x79, 0x9e, 0xbf, 0xdf, 0xcf, 0xbc, 0x79, 0xef,
+	0xcd, 0xa0, 0x17, 0xc3, 0x2f, 0x04, 0x66, 0xdc, 0x1a, 0x26, 0x2e, 0xc4, 0x21, 0x48, 0x10, 0xd6,
+	0x08, 0x42, 0x8f, 0xc7, 0x56, 0xfe, 0x83, 0x44, 0xcc, 0x72, 0x89, 0xa4, 0x03, 0x6b, 0x74, 0xe0,
+	0x82, 0x24, 0x07, 0x56, 0x1f, 0x42, 0x88, 0x89, 0x04, 0x0f, 0x47, 0x31, 0x97, 0x5c, 0x37, 0x66,
+	0x4a, 0x4c, 0x22, 0x86, 0x95, 0x12, 0xe7, 0xca, 0xc6, 0xf3, 0x3e, 0x93, 0x83, 0xc4, 0xc5, 0x94,
+	0x07, 0x56, 0x9f, 0xf7, 0xb9, 0xa5, 0x0c, 0x6e, 0xd2, 0x53, 0x2b, 0xb5, 0x50, 0x5f, 0x33, 0x50,
+	0xe3, 0xe9, 0x96, 0x2d, 0xd7, 0x77, 0x6b, 0xb4, 0x57, 0x44, 0x94, 0xc7, 0xb0, 0x4d, 0xf3, 0xd9,
+	0x52, 0x13, 0x10, 0x3a, 0x60, 0x21, 0xc4, 0x63, 0x2b, 0x1a, 0xf6, 0xb3, 0x80, 0xb0, 0x02, 0x90,
+	0x64, 0x9b, 0xcb, 0xda, 0xe5, 0x8a, 0x93, 0x50, 0xb2, 0x00, 0x36, 0x0c, 0x9f, 0xdf, 0x66, 0x10,
+	0x74, 0x00, 0x01, 0xd9, 0xf0, 0x7d, 0xba, 0xcb, 0x97, 0x48, 0xe6, 0x5b, 0x2c, 0x94, 0x42, 0xc6,
+	0xeb, 0xa6, 0xf6, 0x6f, 0x45, 0x54, 0x7d, 0x19, 0xf3, 0xf0, 0x88, 0xbb, 0xfa, 0x19, 0xaa, 0x65,
+	0x87, 0xf0, 0x88, 0x24, 0x86, 0xd6, 0xd2, 0x3a, 0xf5, 0xc3, 0x4f, 0xf0, 0xb2, 0x09, 0x0b, 0x26,
+	0x8e, 0x86, 0xfd, 0x2c, 0x20, 0x70, 0xa6, 0xc6, 0xa3, 0x03, 0xfc, 0xda, 0x3d, 0x07, 0x2a, 0xbf,
+	0x07, 0x49, 0x6c, 0x7d, 0x32, 0x6d, 0x16, 0xd2, 0x69, 0x13, 0x2d, 0x63, 0xce, 0x82, 0xaa, 0x7f,
+	0x8d, 0x4a, 0x22, 0x02, 0x6a, 0x14, 0x15, 0xfd, 0x19, 0xde, 0xd5, 0x62, 0x9c, 0xa7, 0xd4, 0x8d,
+	0x80, 0xda, 0x6f, 0xe4, 0xc8, 0x52, 0xb6, 0x72, 0x14, 0x40, 0x7f, 0x8d, 0x2a, 0x42, 0x12, 0x99,
+	0x08, 0x63, 0x4f, 0xa1, 0x3e, 0xb8, 0x1d, 0xa5, 0xe4, 0xf6, 0x9b, 0x39, 0xac, 0x32, 0x5b, 0x3b,
+	0x39, 0xa6, 0xfd, 0xa7, 0x86, 0xea, 0xb9, 0xf2, 0x98, 0x09, 0xa9, 0x9f, 0x6e, 0xd4, 0x02, 0xdf,
+	0xad, 0x16, 0x99, 0x5b, 0x55, 0x62, 0x3f, 0xdf, 0xa9, 0x36, 0x8f, 0xac, 0xd4, 0xe1, 0x15, 0x2a,
+	0x33, 0x09, 0x81, 0x30, 0x8a, 0xad, 0xbd, 0x4e, 0xfd, 0xf0, 0xfd, 0x5b, 0xb3, 0xb7, 0x1f, 0xe6,
+	0xb4, 0xf2, 0xb7, 0x99, 0xcf, 0x99, 0xd9, 0xdb, 0x7f, 0x94, 0x16, 0x59, 0x67, 0xc5, 0xd1, 0x3f,
+	0x46, 0xb5, 0x6c, 0x38, 0xbc, 0xc4, 0x07, 0x95, 0xf5, 0x83, 0x65, 0x16, 0xdd, 0x3c, 0xee, 0x2c,
+	0x14, 0xfa, 0x8f, 0xe8, 0x89, 0x90, 0x24, 0x96, 0x2c, 0xec, 0x7f, 0x05, 0xc4, 0xf3, 0x59, 0x08,
+	0x5d, 0xa0, 0x3c, 0xf4, 0x84, 0x6a, 0xd0, 0x9e, 0xfd, 0x6e, 0x3a, 0x6d, 0x3e, 0xe9, 0x6e, 0x97,
+	0x38, 0xbb, 0xbc, 0xfa, 0x29, 0x7a, 0x44, 0x79, 0x48, 0x93, 0x38, 0x86, 0x90, 0x8e, 0x7f, 0xe0,
+	0x3e, 0xa3, 0x63, 0xd5, 0xa6, 0x07, 0x36, 0xce, 0xb3, 0x79, 0xf4, 0x72, 0x5d, 0xf0, 0xef, 0xb6,
+	0xa0, 0xb3, 0x09, 0xd2, 0x9f, 0xa1, 0xaa, 0x48, 0x44, 0x04, 0xa1, 0x67, 0x94, 0x5a, 0x5a, 0xa7,
+	0x66, 0xd7, 0xd3, 0x69, 0xb3, 0xda, 0x9d, 0x85, 0x9c, 0xf9, 0x3f, 0xfd, 0x0c, 0xd5, 0xcf, 0xb9,
+	0x7b, 0x02, 0x41, 0xe4, 0x13, 0x09, 0x46, 0x59, 0xb5, 0xf0, 0xc3, 0xdd, 0x75, 0x3e, 0x5a, 0x8a,
+	0xd5, 0xd0, 0xbd, 0x9d, 0x67, 0x5a, 0x5f, 0xf9, 0xe1, 0xac, 0x22, 0xf5, 0x5f, 0x50, 0x43, 0x24,
+	0x94, 0x82, 0x10, 0xbd, 0xc4, 0x3f, 0xe2, 0xae, 0xf8, 0x86, 0x09, 0xc9, 0xe3, 0xf1, 0x31, 0x0b,
+	0x98, 0x34, 0x2a, 0x2d, 0xad, 0x53, 0xb6, 0xcd, 0x74, 0xda, 0x6c, 0x74, 0x77, 0xaa, 0x9c, 0x1b,
+	0x08, 0xba, 0x83, 0x1e, 0xf7, 0x08, 0xf3, 0xc1, 0xdb, 0x60, 0x57, 0x15, 0xbb, 0x91, 0x4e, 0x9b,
+	0x8f, 0x5f, 0x6d, 0x55, 0x38, 0x3b, 0x9c, 0xed, 0xbf, 0x34, 0xf4, 0xf0, 0xda, 0x7d, 0xd0, 0xbf,
+	0x43, 0x15, 0x42, 0x25, 0x1b, 0x65, 0xf3, 0x92, 0x8d, 0xe2, 0xd3, 0xd5, 0x12, 0x65, 0x0f, 0xe1,
+	0xf2, 0x7e, 0x3b, 0xd0, 0x83, 0xac, 0x13, 0xb0, 0xbc, 0x44, 0x2f, 0x94, 0xd5, 0xc9, 0x11, 0xba,
+	0x8f, 0xf6, 0x7d, 0x22, 0xe4, 0x7c, 0xd4, 0x4e, 0x58, 0x00, 0xaa, 0x49, 0xf5, 0xc3, 0x8f, 0xee,
+	0x76, 0x79, 0x32, 0x87, 0xfd, 0x4e, 0x3a, 0x6d, 0xee, 0x1f, 0xaf, 0x71, 0x9c, 0x0d, 0x72, 0x7b,
+	0xa2, 0xa1, 0xd5, 0xee, 0xdc, 0xc3, 0xf3, 0xf5, 0x13, 0xaa, 0xc9, 0xf9, 0x44, 0x15, 0xff, 0xef,
+	0x44, 0x2d, 0x6e, 0xe2, 0x62, 0x9c, 0x16, 0xb0, 0xec, 0xf5, 0x79, 0x6b, 0x4d, 0x7f, 0x0f, 0xc7,
+	0xf9, 0xf2, 0xda, 0x6b, 0xfc, 0xde, 0xb6, 0xa3, 0xe0, 0x1b, 0x1e, 0x61, 0xfb, 0xf9, 0xe4, 0xca,
+	0x2c, 0x5c, 0x5c, 0x99, 0x85, 0xcb, 0x2b, 0xb3, 0xf0, 0x6b, 0x6a, 0x6a, 0x93, 0xd4, 0xd4, 0x2e,
+	0x52, 0x53, 0xbb, 0x4c, 0x4d, 0xed, 0xef, 0xd4, 0xd4, 0x7e, 0xff, 0xc7, 0x2c, 0xfc, 0x5c, 0xcd,
+	0x0b, 0xf2, 0x5f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xc0, 0x78, 0xe4, 0x62, 0x14, 0x08, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/batch/v1beta1/generated.proto b/cli/vendor/k8s.io/api/batch/v1beta1/generated.proto
new file mode 100644
index 00000000..767d375a
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1beta1/generated.proto
@@ -0,0 +1,135 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.batch.v1beta1;
+
+import "k8s.io/api/batch/v1/generated.proto";
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// CronJob represents the configuration of a single cron job.
+message CronJob {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of a cron job, including the schedule.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional CronJobSpec spec = 2;
+
+  // Current status of a cron job.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional CronJobStatus status = 3;
+}
+
+// CronJobList is a collection of cron jobs.
+message CronJobList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // items is the list of CronJobs.
+  repeated CronJob items = 2;
+}
+
+// CronJobSpec describes how the job execution will look like and when it will actually run.
+message CronJobSpec {
+  // The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
+  optional string schedule = 1;
+
+  // Optional deadline in seconds for starting the job if it misses scheduled
+  // time for any reason.  Missed jobs executions will be counted as failed ones.
+  // +optional
+  optional int64 startingDeadlineSeconds = 2;
+
+  // Specifies how to treat concurrent executions of a Job.
+  // Defaults to Allow.
+  // +optional
+  optional string concurrencyPolicy = 3;
+
+  // This flag tells the controller to suspend subsequent executions, it does
+  // not apply to already started executions.  Defaults to false.
+  // +optional
+  optional bool suspend = 4;
+
+  // Specifies the job that will be created when executing a CronJob.
+  optional JobTemplateSpec jobTemplate = 5;
+
+  // The number of successful finished jobs to retain.
+  // This is a pointer to distinguish between explicit zero and not specified.
+  // Defaults to 3.
+  // +optional
+  optional int32 successfulJobsHistoryLimit = 6;
+
+  // The number of failed finished jobs to retain.
+  // This is a pointer to distinguish between explicit zero and not specified.
+  // Defaults to 1.
+  // +optional
+  optional int32 failedJobsHistoryLimit = 7;
+}
+
+// CronJobStatus represents the current state of a cron job.
+message CronJobStatus {
+  // A list of pointers to currently running jobs.
+  // +optional
+  repeated k8s.io.api.core.v1.ObjectReference active = 1;
+
+  // Information when was the last time the job was successfully scheduled.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastScheduleTime = 4;
+}
+
+// JobTemplate describes a template for creating copies of a predefined pod.
+message JobTemplate {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Defines jobs that will be created from this template.
+  // https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional JobTemplateSpec template = 2;
+}
+
+// JobTemplateSpec describes the data a Job should have when created from a template
+message JobTemplateSpec {
+  // Standard object's metadata of the jobs created from this template.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of the job.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional k8s.io.api.batch.v1.JobSpec spec = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/batch/v1beta1/register.go b/cli/vendor/k8s.io/api/batch/v1beta1/register.go
new file mode 100644
index 00000000..569817d3
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1beta1/register.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "batch"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&JobTemplate{},
+		&CronJob{},
+		&CronJobList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/batch/v1beta1/types.go b/cli/vendor/k8s.io/api/batch/v1beta1/types.go
new file mode 100644
index 00000000..ad13bba2
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1beta1/types.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	batchv1 "k8s.io/api/batch/v1"
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// JobTemplate describes a template for creating copies of a predefined pod.
+type JobTemplate struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Defines jobs that will be created from this template.
+	// https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Template JobTemplateSpec `json:"template,omitempty" protobuf:"bytes,2,opt,name=template"`
+}
+
+// JobTemplateSpec describes the data a Job should have when created from a template
+type JobTemplateSpec struct {
+	// Standard object's metadata of the jobs created from this template.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of the job.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec batchv1.JobSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CronJob represents the configuration of a single cron job.
+type CronJob struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of a cron job, including the schedule.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec CronJobSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Current status of a cron job.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status CronJobStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CronJobList is a collection of cron jobs.
+type CronJobList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// items is the list of CronJobs.
+	Items []CronJob `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// CronJobSpec describes how the job execution will look like and when it will actually run.
+type CronJobSpec struct {
+
+	// The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
+	Schedule string `json:"schedule" protobuf:"bytes,1,opt,name=schedule"`
+
+	// Optional deadline in seconds for starting the job if it misses scheduled
+	// time for any reason.  Missed jobs executions will be counted as failed ones.
+	// +optional
+	StartingDeadlineSeconds *int64 `json:"startingDeadlineSeconds,omitempty" protobuf:"varint,2,opt,name=startingDeadlineSeconds"`
+
+	// Specifies how to treat concurrent executions of a Job.
+	// Defaults to Allow.
+	// +optional
+	ConcurrencyPolicy ConcurrencyPolicy `json:"concurrencyPolicy,omitempty" protobuf:"bytes,3,opt,name=concurrencyPolicy,casttype=ConcurrencyPolicy"`
+
+	// This flag tells the controller to suspend subsequent executions, it does
+	// not apply to already started executions.  Defaults to false.
+	// +optional
+	Suspend *bool `json:"suspend,omitempty" protobuf:"varint,4,opt,name=suspend"`
+
+	// Specifies the job that will be created when executing a CronJob.
+	JobTemplate JobTemplateSpec `json:"jobTemplate" protobuf:"bytes,5,opt,name=jobTemplate"`
+
+	// The number of successful finished jobs to retain.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 3.
+	// +optional
+	SuccessfulJobsHistoryLimit *int32 `json:"successfulJobsHistoryLimit,omitempty" protobuf:"varint,6,opt,name=successfulJobsHistoryLimit"`
+
+	// The number of failed finished jobs to retain.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 1.
+	// +optional
+	FailedJobsHistoryLimit *int32 `json:"failedJobsHistoryLimit,omitempty" protobuf:"varint,7,opt,name=failedJobsHistoryLimit"`
+}
+
+// ConcurrencyPolicy describes how the job will be handled.
+// Only one of the following concurrent policies may be specified.
+// If none of the following policies is specified, the default one
+// is AllowConcurrent.
+type ConcurrencyPolicy string
+
+const (
+	// AllowConcurrent allows CronJobs to run concurrently.
+	AllowConcurrent ConcurrencyPolicy = "Allow"
+
+	// ForbidConcurrent forbids concurrent runs, skipping next run if previous
+	// hasn't finished yet.
+	ForbidConcurrent ConcurrencyPolicy = "Forbid"
+
+	// ReplaceConcurrent cancels currently running job and replaces it with a new one.
+	ReplaceConcurrent ConcurrencyPolicy = "Replace"
+)
+
+// CronJobStatus represents the current state of a cron job.
+type CronJobStatus struct {
+	// A list of pointers to currently running jobs.
+	// +optional
+	Active []v1.ObjectReference `json:"active,omitempty" protobuf:"bytes,1,rep,name=active"`
+
+	// Information when was the last time the job was successfully scheduled.
+	// +optional
+	LastScheduleTime *metav1.Time `json:"lastScheduleTime,omitempty" protobuf:"bytes,4,opt,name=lastScheduleTime"`
+}
diff --git a/cli/vendor/k8s.io/api/batch/v1beta1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/batch/v1beta1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..f4c74e43
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1beta1/types_swagger_doc_generated.go
@@ -0,0 +1,96 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_CronJob = map[string]string{
+	"":         "CronJob represents the configuration of a single cron job.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Specification of the desired behavior of a cron job, including the schedule. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Current status of a cron job. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (CronJob) SwaggerDoc() map[string]string {
+	return map_CronJob
+}
+
+var map_CronJobList = map[string]string{
+	"":         "CronJobList is a collection of cron jobs.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "items is the list of CronJobs.",
+}
+
+func (CronJobList) SwaggerDoc() map[string]string {
+	return map_CronJobList
+}
+
+var map_CronJobSpec = map[string]string{
+	"":                           "CronJobSpec describes how the job execution will look like and when it will actually run.",
+	"schedule":                   "The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.",
+	"startingDeadlineSeconds":    "Optional deadline in seconds for starting the job if it misses scheduled time for any reason.  Missed jobs executions will be counted as failed ones.",
+	"concurrencyPolicy":          "Specifies how to treat concurrent executions of a Job. Defaults to Allow.",
+	"suspend":                    "This flag tells the controller to suspend subsequent executions, it does not apply to already started executions.  Defaults to false.",
+	"jobTemplate":                "Specifies the job that will be created when executing a CronJob.",
+	"successfulJobsHistoryLimit": "The number of successful finished jobs to retain. This is a pointer to distinguish between explicit zero and not specified. Defaults to 3.",
+	"failedJobsHistoryLimit":     "The number of failed finished jobs to retain. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1.",
+}
+
+func (CronJobSpec) SwaggerDoc() map[string]string {
+	return map_CronJobSpec
+}
+
+var map_CronJobStatus = map[string]string{
+	"":                 "CronJobStatus represents the current state of a cron job.",
+	"active":           "A list of pointers to currently running jobs.",
+	"lastScheduleTime": "Information when was the last time the job was successfully scheduled.",
+}
+
+func (CronJobStatus) SwaggerDoc() map[string]string {
+	return map_CronJobStatus
+}
+
+var map_JobTemplate = map[string]string{
+	"":         "JobTemplate describes a template for creating copies of a predefined pod.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"template": "Defines jobs that will be created from this template. https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (JobTemplate) SwaggerDoc() map[string]string {
+	return map_JobTemplate
+}
+
+var map_JobTemplateSpec = map[string]string{
+	"":         "JobTemplateSpec describes the data a Job should have when created from a template",
+	"metadata": "Standard object's metadata of the jobs created from this template. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Specification of the desired behavior of the job. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (JobTemplateSpec) SwaggerDoc() map[string]string {
+	return map_JobTemplateSpec
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/batch/v1beta1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/batch/v1beta1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..a4f4ed73
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,258 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CronJob).DeepCopyInto(out.(*CronJob))
+			return nil
+		}, InType: reflect.TypeOf(&CronJob{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CronJobList).DeepCopyInto(out.(*CronJobList))
+			return nil
+		}, InType: reflect.TypeOf(&CronJobList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CronJobSpec).DeepCopyInto(out.(*CronJobSpec))
+			return nil
+		}, InType: reflect.TypeOf(&CronJobSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CronJobStatus).DeepCopyInto(out.(*CronJobStatus))
+			return nil
+		}, InType: reflect.TypeOf(&CronJobStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*JobTemplate).DeepCopyInto(out.(*JobTemplate))
+			return nil
+		}, InType: reflect.TypeOf(&JobTemplate{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*JobTemplateSpec).DeepCopyInto(out.(*JobTemplateSpec))
+			return nil
+		}, InType: reflect.TypeOf(&JobTemplateSpec{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CronJob) DeepCopyInto(out *CronJob) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CronJob.
+func (in *CronJob) DeepCopy() *CronJob {
+	if in == nil {
+		return nil
+	}
+	out := new(CronJob)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CronJob) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CronJobList) DeepCopyInto(out *CronJobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CronJob, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CronJobList.
+func (in *CronJobList) DeepCopy() *CronJobList {
+	if in == nil {
+		return nil
+	}
+	out := new(CronJobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CronJobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CronJobSpec) DeepCopyInto(out *CronJobSpec) {
+	*out = *in
+	if in.StartingDeadlineSeconds != nil {
+		in, out := &in.StartingDeadlineSeconds, &out.StartingDeadlineSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.Suspend != nil {
+		in, out := &in.Suspend, &out.Suspend
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	in.JobTemplate.DeepCopyInto(&out.JobTemplate)
+	if in.SuccessfulJobsHistoryLimit != nil {
+		in, out := &in.SuccessfulJobsHistoryLimit, &out.SuccessfulJobsHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.FailedJobsHistoryLimit != nil {
+		in, out := &in.FailedJobsHistoryLimit, &out.FailedJobsHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CronJobSpec.
+func (in *CronJobSpec) DeepCopy() *CronJobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CronJobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CronJobStatus) DeepCopyInto(out *CronJobStatus) {
+	*out = *in
+	if in.Active != nil {
+		in, out := &in.Active, &out.Active
+		*out = make([]v1.ObjectReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.LastScheduleTime != nil {
+		in, out := &in.LastScheduleTime, &out.LastScheduleTime
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CronJobStatus.
+func (in *CronJobStatus) DeepCopy() *CronJobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CronJobStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobTemplate) DeepCopyInto(out *JobTemplate) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Template.DeepCopyInto(&out.Template)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobTemplate.
+func (in *JobTemplate) DeepCopy() *JobTemplate {
+	if in == nil {
+		return nil
+	}
+	out := new(JobTemplate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JobTemplate) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobTemplateSpec) DeepCopyInto(out *JobTemplateSpec) {
+	*out = *in
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobTemplateSpec.
+func (in *JobTemplateSpec) DeepCopy() *JobTemplateSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(JobTemplateSpec)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/batch/v2alpha1/doc.go b/cli/vendor/k8s.io/api/batch/v2alpha1/doc.go
new file mode 100644
index 00000000..288275d6
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v2alpha1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+package v2alpha1 // import "k8s.io/api/batch/v2alpha1"
diff --git a/cli/vendor/k8s.io/api/batch/v2alpha1/generated.pb.go b/cli/vendor/k8s.io/api/batch/v2alpha1/generated.pb.go
new file mode 100644
index 00000000..2560953e
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v2alpha1/generated.pb.go
@@ -0,0 +1,1510 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/batch/v2alpha1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v2alpha1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/batch/v2alpha1/generated.proto
+
+	It has these top-level messages:
+		CronJob
+		CronJobList
+		CronJobSpec
+		CronJobStatus
+		JobTemplate
+		JobTemplateSpec
+*/
+package v2alpha1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *CronJob) Reset()                    { *m = CronJob{} }
+func (*CronJob) ProtoMessage()               {}
+func (*CronJob) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *CronJobList) Reset()                    { *m = CronJobList{} }
+func (*CronJobList) ProtoMessage()               {}
+func (*CronJobList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *CronJobSpec) Reset()                    { *m = CronJobSpec{} }
+func (*CronJobSpec) ProtoMessage()               {}
+func (*CronJobSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *CronJobStatus) Reset()                    { *m = CronJobStatus{} }
+func (*CronJobStatus) ProtoMessage()               {}
+func (*CronJobStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *JobTemplate) Reset()                    { *m = JobTemplate{} }
+func (*JobTemplate) ProtoMessage()               {}
+func (*JobTemplate) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *JobTemplateSpec) Reset()                    { *m = JobTemplateSpec{} }
+func (*JobTemplateSpec) ProtoMessage()               {}
+func (*JobTemplateSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func init() {
+	proto.RegisterType((*CronJob)(nil), "k8s.io.api.batch.v2alpha1.CronJob")
+	proto.RegisterType((*CronJobList)(nil), "k8s.io.api.batch.v2alpha1.CronJobList")
+	proto.RegisterType((*CronJobSpec)(nil), "k8s.io.api.batch.v2alpha1.CronJobSpec")
+	proto.RegisterType((*CronJobStatus)(nil), "k8s.io.api.batch.v2alpha1.CronJobStatus")
+	proto.RegisterType((*JobTemplate)(nil), "k8s.io.api.batch.v2alpha1.JobTemplate")
+	proto.RegisterType((*JobTemplateSpec)(nil), "k8s.io.api.batch.v2alpha1.JobTemplateSpec")
+}
+func (m *CronJob) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CronJob) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n3, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *CronJobList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CronJobList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n4, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *CronJobSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CronJobSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Schedule)))
+	i += copy(dAtA[i:], m.Schedule)
+	if m.StartingDeadlineSeconds != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.StartingDeadlineSeconds))
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ConcurrencyPolicy)))
+	i += copy(dAtA[i:], m.ConcurrencyPolicy)
+	if m.Suspend != nil {
+		dAtA[i] = 0x20
+		i++
+		if *m.Suspend {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.JobTemplate.Size()))
+	n5, err := m.JobTemplate.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	if m.SuccessfulJobsHistoryLimit != nil {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.SuccessfulJobsHistoryLimit))
+	}
+	if m.FailedJobsHistoryLimit != nil {
+		dAtA[i] = 0x38
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.FailedJobsHistoryLimit))
+	}
+	return i, nil
+}
+
+func (m *CronJobStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CronJobStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Active) > 0 {
+		for _, msg := range m.Active {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.LastScheduleTime != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.LastScheduleTime.Size()))
+		n6, err := m.LastScheduleTime.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n6
+	}
+	return i, nil
+}
+
+func (m *JobTemplate) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *JobTemplate) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n7, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n7
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n8, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n8
+	return i, nil
+}
+
+func (m *JobTemplateSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *JobTemplateSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n9, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n10, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *CronJob) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *CronJobList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *CronJobSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Schedule)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.StartingDeadlineSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.StartingDeadlineSeconds))
+	}
+	l = len(m.ConcurrencyPolicy)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Suspend != nil {
+		n += 2
+	}
+	l = m.JobTemplate.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SuccessfulJobsHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.SuccessfulJobsHistoryLimit))
+	}
+	if m.FailedJobsHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.FailedJobsHistoryLimit))
+	}
+	return n
+}
+
+func (m *CronJobStatus) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Active) > 0 {
+		for _, e := range m.Active {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.LastScheduleTime != nil {
+		l = m.LastScheduleTime.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *JobTemplate) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *JobTemplateSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *CronJob) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CronJob{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "CronJobSpec", "CronJobSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "CronJobStatus", "CronJobStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CronJobList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CronJobList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "CronJob", "CronJob", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CronJobSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CronJobSpec{`,
+		`Schedule:` + fmt.Sprintf("%v", this.Schedule) + `,`,
+		`StartingDeadlineSeconds:` + valueToStringGenerated(this.StartingDeadlineSeconds) + `,`,
+		`ConcurrencyPolicy:` + fmt.Sprintf("%v", this.ConcurrencyPolicy) + `,`,
+		`Suspend:` + valueToStringGenerated(this.Suspend) + `,`,
+		`JobTemplate:` + strings.Replace(strings.Replace(this.JobTemplate.String(), "JobTemplateSpec", "JobTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`SuccessfulJobsHistoryLimit:` + valueToStringGenerated(this.SuccessfulJobsHistoryLimit) + `,`,
+		`FailedJobsHistoryLimit:` + valueToStringGenerated(this.FailedJobsHistoryLimit) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CronJobStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CronJobStatus{`,
+		`Active:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Active), "ObjectReference", "k8s_io_api_core_v1.ObjectReference", 1), `&`, ``, 1) + `,`,
+		`LastScheduleTime:` + strings.Replace(fmt.Sprintf("%v", this.LastScheduleTime), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *JobTemplate) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&JobTemplate{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "JobTemplateSpec", "JobTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *JobTemplateSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&JobTemplateSpec{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "JobSpec", "k8s_io_api_batch_v1.JobSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *CronJob) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CronJob: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CronJob: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CronJobList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CronJobList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CronJobList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, CronJob{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CronJobSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CronJobSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CronJobSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Schedule", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Schedule = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StartingDeadlineSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.StartingDeadlineSeconds = &v
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConcurrencyPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ConcurrencyPolicy = ConcurrencyPolicy(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Suspend", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Suspend = &b
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field JobTemplate", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.JobTemplate.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SuccessfulJobsHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.SuccessfulJobsHistoryLimit = &v
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FailedJobsHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.FailedJobsHistoryLimit = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CronJobStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CronJobStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CronJobStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Active", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Active = append(m.Active, k8s_io_api_core_v1.ObjectReference{})
+			if err := m.Active[len(m.Active)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastScheduleTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.LastScheduleTime == nil {
+				m.LastScheduleTime = &k8s_io_apimachinery_pkg_apis_meta_v1.Time{}
+			}
+			if err := m.LastScheduleTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *JobTemplate) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: JobTemplate: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: JobTemplate: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *JobTemplateSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: JobTemplateSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: JobTemplateSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/batch/v2alpha1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 787 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x94, 0xcf, 0x6f, 0xe3, 0x44,
+	0x14, 0xc7, 0xe3, 0x34, 0xbf, 0x3a, 0xa1, 0xd0, 0x1a, 0xd4, 0x86, 0x80, 0x9c, 0xc8, 0x15, 0x28,
+	0x42, 0x30, 0xa6, 0x05, 0x21, 0x4e, 0x48, 0xb8, 0x08, 0x4a, 0x29, 0xa2, 0x72, 0x8a, 0x84, 0x50,
+	0xb5, 0xda, 0xf1, 0x78, 0x92, 0x4c, 0x63, 0x7b, 0x2c, 0xcf, 0x38, 0x52, 0x6e, 0x7b, 0xdb, 0xeb,
+	0xfe, 0x25, 0x7b, 0xd9, 0xfd, 0x23, 0xba, 0x7b, 0xea, 0xb1, 0xa7, 0x68, 0xeb, 0xfd, 0x2f, 0xf6,
+	0xb4, 0xf2, 0xc4, 0xf9, 0xd1, 0x38, 0x69, 0xbb, 0x97, 0xde, 0x3c, 0xcf, 0xdf, 0xef, 0x67, 0xde,
+	0xbc, 0xf7, 0x66, 0x80, 0xd9, 0xff, 0x99, 0x43, 0xca, 0x8c, 0x7e, 0x64, 0x93, 0xd0, 0x27, 0x82,
+	0x70, 0x63, 0x40, 0x7c, 0x87, 0x85, 0x46, 0xfa, 0x03, 0x05, 0xd4, 0xb0, 0x91, 0xc0, 0x3d, 0x63,
+	0xb0, 0x8f, 0xdc, 0xa0, 0x87, 0xf6, 0x8c, 0x2e, 0xf1, 0x49, 0x88, 0x04, 0x71, 0x60, 0x10, 0x32,
+	0xc1, 0xd4, 0xcf, 0xc7, 0x52, 0x88, 0x02, 0x0a, 0xa5, 0x14, 0x4e, 0xa4, 0xf5, 0xef, 0xba, 0x54,
+	0xf4, 0x22, 0x1b, 0x62, 0xe6, 0x19, 0x5d, 0xd6, 0x65, 0x86, 0x74, 0xd8, 0x51, 0x47, 0xae, 0xe4,
+	0x42, 0x7e, 0x8d, 0x49, 0xf5, 0xdd, 0xec, 0xa6, 0x99, 0xed, 0xea, 0xfa, 0x9c, 0x08, 0xb3, 0x90,
+	0x2c, 0xd3, 0xfc, 0x38, 0xd3, 0x78, 0x08, 0xf7, 0xa8, 0x4f, 0xc2, 0xa1, 0x11, 0xf4, 0xbb, 0x49,
+	0x80, 0x1b, 0x1e, 0x11, 0x68, 0x99, 0xcb, 0x58, 0xe5, 0x0a, 0x23, 0x5f, 0x50, 0x8f, 0x64, 0x0c,
+	0x3f, 0xdd, 0x65, 0xe0, 0xb8, 0x47, 0x3c, 0x94, 0xf1, 0xfd, 0xb0, 0xca, 0x17, 0x09, 0xea, 0x1a,
+	0xd4, 0x17, 0x5c, 0x84, 0x8b, 0x26, 0xfd, 0x69, 0x1e, 0x94, 0x0f, 0x42, 0xe6, 0x1f, 0x31, 0x5b,
+	0x7d, 0x0c, 0x2a, 0xc9, 0x21, 0x1c, 0x24, 0x50, 0x4d, 0x69, 0x2a, 0xad, 0xea, 0xfe, 0xf7, 0x70,
+	0xd6, 0x85, 0x29, 0x13, 0x06, 0xfd, 0x6e, 0x12, 0xe0, 0x30, 0x51, 0xc3, 0xc1, 0x1e, 0xfc, 0xc7,
+	0x3e, 0x27, 0x58, 0xfc, 0x4d, 0x04, 0x32, 0xd5, 0x8b, 0x51, 0x23, 0x17, 0x8f, 0x1a, 0x60, 0x16,
+	0xb3, 0xa6, 0x54, 0xf5, 0x10, 0x14, 0x78, 0x40, 0x70, 0x2d, 0x2f, 0xe9, 0x5f, 0xc3, 0x95, 0x3d,
+	0x86, 0x69, 0x4e, 0xed, 0x80, 0x60, 0xf3, 0xa3, 0x94, 0x59, 0x48, 0x56, 0x96, 0x24, 0xa8, 0x27,
+	0xa0, 0xc4, 0x05, 0x12, 0x11, 0xaf, 0xad, 0x49, 0x56, 0xeb, 0x1e, 0x2c, 0xa9, 0x37, 0x3f, 0x4e,
+	0x69, 0xa5, 0xf1, 0xda, 0x4a, 0x39, 0xfa, 0x4b, 0x05, 0x54, 0x53, 0xe5, 0x31, 0xe5, 0x42, 0x3d,
+	0xcb, 0x54, 0x03, 0xde, 0xaf, 0x1a, 0x89, 0x5b, 0xd6, 0x62, 0x33, 0xdd, 0xa9, 0x32, 0x89, 0xcc,
+	0x55, 0xe2, 0x0f, 0x50, 0xa4, 0x82, 0x78, 0xbc, 0x96, 0x6f, 0xae, 0xb5, 0xaa, 0xfb, 0xfa, 0xdd,
+	0xe9, 0x9b, 0x1b, 0x29, 0xae, 0xf8, 0x67, 0x62, 0xb4, 0xc6, 0x7e, 0xfd, 0x79, 0x61, 0x9a, 0x76,
+	0x52, 0x1e, 0xf5, 0x5b, 0x50, 0x49, 0xe6, 0xc3, 0x89, 0x5c, 0x22, 0xd3, 0x5e, 0x9f, 0xa5, 0xd1,
+	0x4e, 0xe3, 0xd6, 0x54, 0xa1, 0xfe, 0x0b, 0x76, 0xb8, 0x40, 0xa1, 0xa0, 0x7e, 0xf7, 0x37, 0x82,
+	0x1c, 0x97, 0xfa, 0xa4, 0x4d, 0x30, 0xf3, 0x1d, 0x2e, 0x7b, 0xb4, 0x66, 0x7e, 0x11, 0x8f, 0x1a,
+	0x3b, 0xed, 0xe5, 0x12, 0x6b, 0x95, 0x57, 0x3d, 0x03, 0x5b, 0x98, 0xf9, 0x38, 0x0a, 0x43, 0xe2,
+	0xe3, 0xe1, 0x09, 0x73, 0x29, 0x1e, 0xca, 0x46, 0xad, 0x9b, 0x30, 0xcd, 0x66, 0xeb, 0x60, 0x51,
+	0xf0, 0x6e, 0x59, 0xd0, 0xca, 0x82, 0xd4, 0xaf, 0x40, 0x99, 0x47, 0x3c, 0x20, 0xbe, 0x53, 0x2b,
+	0x34, 0x95, 0x56, 0xc5, 0xac, 0xc6, 0xa3, 0x46, 0xb9, 0x3d, 0x0e, 0x59, 0x93, 0x7f, 0x2a, 0x02,
+	0xd5, 0x73, 0x66, 0x9f, 0x12, 0x2f, 0x70, 0x91, 0x20, 0xb5, 0xa2, 0xec, 0xe1, 0x37, 0xb7, 0x14,
+	0xfa, 0x68, 0xa6, 0x96, 0x73, 0xf7, 0x69, 0x9a, 0x6a, 0x75, 0xee, 0x87, 0x35, 0xcf, 0x54, 0x1f,
+	0x81, 0x3a, 0x8f, 0x30, 0x26, 0x9c, 0x77, 0x22, 0xf7, 0x88, 0xd9, 0xfc, 0x90, 0x72, 0xc1, 0xc2,
+	0xe1, 0x31, 0xf5, 0xa8, 0xa8, 0x95, 0x9a, 0x4a, 0xab, 0x68, 0x6a, 0xf1, 0xa8, 0x51, 0x6f, 0xaf,
+	0x54, 0x59, 0xb7, 0x10, 0x54, 0x0b, 0x6c, 0x77, 0x10, 0x75, 0x89, 0x93, 0x61, 0x97, 0x25, 0xbb,
+	0x1e, 0x8f, 0x1a, 0xdb, 0xbf, 0x2f, 0x55, 0x58, 0x2b, 0x9c, 0xfa, 0x6b, 0x05, 0x6c, 0xdc, 0xb8,
+	0x11, 0xea, 0x5f, 0xa0, 0x84, 0xb0, 0xa0, 0x83, 0x64, 0x60, 0x92, 0x61, 0xdc, 0x9d, 0xaf, 0x51,
+	0xf2, 0x18, 0xce, 0xee, 0xb8, 0x45, 0x3a, 0x24, 0x69, 0x05, 0x99, 0x5d, 0xa3, 0x5f, 0xa5, 0xd5,
+	0x4a, 0x11, 0xaa, 0x0b, 0x36, 0x5d, 0xc4, 0xc5, 0x64, 0xd6, 0x4e, 0xa9, 0x47, 0x64, 0x97, 0x6e,
+	0x96, 0xfe, 0x96, 0xeb, 0x93, 0x38, 0xcc, 0xcf, 0xe2, 0x51, 0x63, 0xf3, 0x78, 0x81, 0x63, 0x65,
+	0xc8, 0xfa, 0x2b, 0x05, 0xcc, 0x77, 0xe7, 0x01, 0x9e, 0xb0, 0xff, 0x40, 0x45, 0x4c, 0x46, 0x2a,
+	0xff, 0xc1, 0x23, 0x35, 0xbd, 0x8b, 0xd3, 0x79, 0x9a, 0xd2, 0xf4, 0x17, 0x0a, 0xf8, 0x64, 0x41,
+	0xff, 0x00, 0xe7, 0xf9, 0xe5, 0xc6, 0x93, 0xfc, 0xe5, 0x92, 0xb3, 0xc8, 0x53, 0xac, 0x7a, 0x88,
+	0x4d, 0x78, 0x71, 0xad, 0xe5, 0x2e, 0xaf, 0xb5, 0xdc, 0xd5, 0xb5, 0x96, 0x7b, 0x12, 0x6b, 0xca,
+	0x45, 0xac, 0x29, 0x97, 0xb1, 0xa6, 0x5c, 0xc5, 0x9a, 0xf2, 0x26, 0xd6, 0x94, 0x67, 0x6f, 0xb5,
+	0xdc, 0xff, 0x95, 0x49, 0x45, 0xde, 0x07, 0x00, 0x00, 0xff, 0xff, 0x02, 0x60, 0xaa, 0x00, 0x1c,
+	0x08, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/batch/v2alpha1/generated.proto b/cli/vendor/k8s.io/api/batch/v2alpha1/generated.proto
new file mode 100644
index 00000000..1aa071f2
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v2alpha1/generated.proto
@@ -0,0 +1,133 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.batch.v2alpha1;
+
+import "k8s.io/api/batch/v1/generated.proto";
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v2alpha1";
+
+// CronJob represents the configuration of a single cron job.
+message CronJob {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of a cron job, including the schedule.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional CronJobSpec spec = 2;
+
+  // Current status of a cron job.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional CronJobStatus status = 3;
+}
+
+// CronJobList is a collection of cron jobs.
+message CronJobList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // items is the list of CronJobs.
+  repeated CronJob items = 2;
+}
+
+// CronJobSpec describes how the job execution will look like and when it will actually run.
+message CronJobSpec {
+  // The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
+  optional string schedule = 1;
+
+  // Optional deadline in seconds for starting the job if it misses scheduled
+  // time for any reason.  Missed jobs executions will be counted as failed ones.
+  // +optional
+  optional int64 startingDeadlineSeconds = 2;
+
+  // Specifies how to treat concurrent executions of a Job.
+  // Defaults to Allow.
+  // +optional
+  optional string concurrencyPolicy = 3;
+
+  // This flag tells the controller to suspend subsequent executions, it does
+  // not apply to already started executions.  Defaults to false.
+  // +optional
+  optional bool suspend = 4;
+
+  // Specifies the job that will be created when executing a CronJob.
+  optional JobTemplateSpec jobTemplate = 5;
+
+  // The number of successful finished jobs to retain.
+  // This is a pointer to distinguish between explicit zero and not specified.
+  // +optional
+  optional int32 successfulJobsHistoryLimit = 6;
+
+  // The number of failed finished jobs to retain.
+  // This is a pointer to distinguish between explicit zero and not specified.
+  // +optional
+  optional int32 failedJobsHistoryLimit = 7;
+}
+
+// CronJobStatus represents the current state of a cron job.
+message CronJobStatus {
+  // A list of pointers to currently running jobs.
+  // +optional
+  repeated k8s.io.api.core.v1.ObjectReference active = 1;
+
+  // Information when was the last time the job was successfully scheduled.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastScheduleTime = 4;
+}
+
+// JobTemplate describes a template for creating copies of a predefined pod.
+message JobTemplate {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Defines jobs that will be created from this template.
+  // https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional JobTemplateSpec template = 2;
+}
+
+// JobTemplateSpec describes the data a Job should have when created from a template
+message JobTemplateSpec {
+  // Standard object's metadata of the jobs created from this template.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of the job.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional k8s.io.api.batch.v1.JobSpec spec = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/batch/v2alpha1/register.go b/cli/vendor/k8s.io/api/batch/v2alpha1/register.go
new file mode 100644
index 00000000..4b02c0f4
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v2alpha1/register.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "batch"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v2alpha1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&JobTemplate{},
+		&CronJob{},
+		&CronJobList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/batch/v2alpha1/types.go b/cli/vendor/k8s.io/api/batch/v2alpha1/types.go
new file mode 100644
index 00000000..451df40e
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v2alpha1/types.go
@@ -0,0 +1,153 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2alpha1
+
+import (
+	batchv1 "k8s.io/api/batch/v1"
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// JobTemplate describes a template for creating copies of a predefined pod.
+type JobTemplate struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Defines jobs that will be created from this template.
+	// https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Template JobTemplateSpec `json:"template,omitempty" protobuf:"bytes,2,opt,name=template"`
+}
+
+// JobTemplateSpec describes the data a Job should have when created from a template
+type JobTemplateSpec struct {
+	// Standard object's metadata of the jobs created from this template.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of the job.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec batchv1.JobSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CronJob represents the configuration of a single cron job.
+type CronJob struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of a cron job, including the schedule.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec CronJobSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Current status of a cron job.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status CronJobStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CronJobList is a collection of cron jobs.
+type CronJobList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// items is the list of CronJobs.
+	Items []CronJob `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// CronJobSpec describes how the job execution will look like and when it will actually run.
+type CronJobSpec struct {
+
+	// The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
+	Schedule string `json:"schedule" protobuf:"bytes,1,opt,name=schedule"`
+
+	// Optional deadline in seconds for starting the job if it misses scheduled
+	// time for any reason.  Missed jobs executions will be counted as failed ones.
+	// +optional
+	StartingDeadlineSeconds *int64 `json:"startingDeadlineSeconds,omitempty" protobuf:"varint,2,opt,name=startingDeadlineSeconds"`
+
+	// Specifies how to treat concurrent executions of a Job.
+	// Defaults to Allow.
+	// +optional
+	ConcurrencyPolicy ConcurrencyPolicy `json:"concurrencyPolicy,omitempty" protobuf:"bytes,3,opt,name=concurrencyPolicy,casttype=ConcurrencyPolicy"`
+
+	// This flag tells the controller to suspend subsequent executions, it does
+	// not apply to already started executions.  Defaults to false.
+	// +optional
+	Suspend *bool `json:"suspend,omitempty" protobuf:"varint,4,opt,name=suspend"`
+
+	// Specifies the job that will be created when executing a CronJob.
+	JobTemplate JobTemplateSpec `json:"jobTemplate" protobuf:"bytes,5,opt,name=jobTemplate"`
+
+	// The number of successful finished jobs to retain.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// +optional
+	SuccessfulJobsHistoryLimit *int32 `json:"successfulJobsHistoryLimit,omitempty" protobuf:"varint,6,opt,name=successfulJobsHistoryLimit"`
+
+	// The number of failed finished jobs to retain.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// +optional
+	FailedJobsHistoryLimit *int32 `json:"failedJobsHistoryLimit,omitempty" protobuf:"varint,7,opt,name=failedJobsHistoryLimit"`
+}
+
+// ConcurrencyPolicy describes how the job will be handled.
+// Only one of the following concurrent policies may be specified.
+// If none of the following policies is specified, the default one
+// is AllowConcurrent.
+type ConcurrencyPolicy string
+
+const (
+	// AllowConcurrent allows CronJobs to run concurrently.
+	AllowConcurrent ConcurrencyPolicy = "Allow"
+
+	// ForbidConcurrent forbids concurrent runs, skipping next run if previous
+	// hasn't finished yet.
+	ForbidConcurrent ConcurrencyPolicy = "Forbid"
+
+	// ReplaceConcurrent cancels currently running job and replaces it with a new one.
+	ReplaceConcurrent ConcurrencyPolicy = "Replace"
+)
+
+// CronJobStatus represents the current state of a cron job.
+type CronJobStatus struct {
+	// A list of pointers to currently running jobs.
+	// +optional
+	Active []v1.ObjectReference `json:"active,omitempty" protobuf:"bytes,1,rep,name=active"`
+
+	// Information when was the last time the job was successfully scheduled.
+	// +optional
+	LastScheduleTime *metav1.Time `json:"lastScheduleTime,omitempty" protobuf:"bytes,4,opt,name=lastScheduleTime"`
+}
diff --git a/cli/vendor/k8s.io/api/batch/v2alpha1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/batch/v2alpha1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..2b3ed4c5
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v2alpha1/types_swagger_doc_generated.go
@@ -0,0 +1,96 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2alpha1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_CronJob = map[string]string{
+	"":         "CronJob represents the configuration of a single cron job.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Specification of the desired behavior of a cron job, including the schedule. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Current status of a cron job. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (CronJob) SwaggerDoc() map[string]string {
+	return map_CronJob
+}
+
+var map_CronJobList = map[string]string{
+	"":         "CronJobList is a collection of cron jobs.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "items is the list of CronJobs.",
+}
+
+func (CronJobList) SwaggerDoc() map[string]string {
+	return map_CronJobList
+}
+
+var map_CronJobSpec = map[string]string{
+	"":                           "CronJobSpec describes how the job execution will look like and when it will actually run.",
+	"schedule":                   "The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.",
+	"startingDeadlineSeconds":    "Optional deadline in seconds for starting the job if it misses scheduled time for any reason.  Missed jobs executions will be counted as failed ones.",
+	"concurrencyPolicy":          "Specifies how to treat concurrent executions of a Job. Defaults to Allow.",
+	"suspend":                    "This flag tells the controller to suspend subsequent executions, it does not apply to already started executions.  Defaults to false.",
+	"jobTemplate":                "Specifies the job that will be created when executing a CronJob.",
+	"successfulJobsHistoryLimit": "The number of successful finished jobs to retain. This is a pointer to distinguish between explicit zero and not specified.",
+	"failedJobsHistoryLimit":     "The number of failed finished jobs to retain. This is a pointer to distinguish between explicit zero and not specified.",
+}
+
+func (CronJobSpec) SwaggerDoc() map[string]string {
+	return map_CronJobSpec
+}
+
+var map_CronJobStatus = map[string]string{
+	"":                 "CronJobStatus represents the current state of a cron job.",
+	"active":           "A list of pointers to currently running jobs.",
+	"lastScheduleTime": "Information when was the last time the job was successfully scheduled.",
+}
+
+func (CronJobStatus) SwaggerDoc() map[string]string {
+	return map_CronJobStatus
+}
+
+var map_JobTemplate = map[string]string{
+	"":         "JobTemplate describes a template for creating copies of a predefined pod.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"template": "Defines jobs that will be created from this template. https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (JobTemplate) SwaggerDoc() map[string]string {
+	return map_JobTemplate
+}
+
+var map_JobTemplateSpec = map[string]string{
+	"":         "JobTemplateSpec describes the data a Job should have when created from a template",
+	"metadata": "Standard object's metadata of the jobs created from this template. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Specification of the desired behavior of the job. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (JobTemplateSpec) SwaggerDoc() map[string]string {
+	return map_JobTemplateSpec
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/batch/v2alpha1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/batch/v2alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..28dc1c3b
--- /dev/null
+++ b/cli/vendor/k8s.io/api/batch/v2alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,258 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v2alpha1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CronJob).DeepCopyInto(out.(*CronJob))
+			return nil
+		}, InType: reflect.TypeOf(&CronJob{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CronJobList).DeepCopyInto(out.(*CronJobList))
+			return nil
+		}, InType: reflect.TypeOf(&CronJobList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CronJobSpec).DeepCopyInto(out.(*CronJobSpec))
+			return nil
+		}, InType: reflect.TypeOf(&CronJobSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CronJobStatus).DeepCopyInto(out.(*CronJobStatus))
+			return nil
+		}, InType: reflect.TypeOf(&CronJobStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*JobTemplate).DeepCopyInto(out.(*JobTemplate))
+			return nil
+		}, InType: reflect.TypeOf(&JobTemplate{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*JobTemplateSpec).DeepCopyInto(out.(*JobTemplateSpec))
+			return nil
+		}, InType: reflect.TypeOf(&JobTemplateSpec{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CronJob) DeepCopyInto(out *CronJob) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CronJob.
+func (in *CronJob) DeepCopy() *CronJob {
+	if in == nil {
+		return nil
+	}
+	out := new(CronJob)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CronJob) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CronJobList) DeepCopyInto(out *CronJobList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CronJob, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CronJobList.
+func (in *CronJobList) DeepCopy() *CronJobList {
+	if in == nil {
+		return nil
+	}
+	out := new(CronJobList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CronJobList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CronJobSpec) DeepCopyInto(out *CronJobSpec) {
+	*out = *in
+	if in.StartingDeadlineSeconds != nil {
+		in, out := &in.StartingDeadlineSeconds, &out.StartingDeadlineSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.Suspend != nil {
+		in, out := &in.Suspend, &out.Suspend
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	in.JobTemplate.DeepCopyInto(&out.JobTemplate)
+	if in.SuccessfulJobsHistoryLimit != nil {
+		in, out := &in.SuccessfulJobsHistoryLimit, &out.SuccessfulJobsHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.FailedJobsHistoryLimit != nil {
+		in, out := &in.FailedJobsHistoryLimit, &out.FailedJobsHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CronJobSpec.
+func (in *CronJobSpec) DeepCopy() *CronJobSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CronJobSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CronJobStatus) DeepCopyInto(out *CronJobStatus) {
+	*out = *in
+	if in.Active != nil {
+		in, out := &in.Active, &out.Active
+		*out = make([]v1.ObjectReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.LastScheduleTime != nil {
+		in, out := &in.LastScheduleTime, &out.LastScheduleTime
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CronJobStatus.
+func (in *CronJobStatus) DeepCopy() *CronJobStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CronJobStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobTemplate) DeepCopyInto(out *JobTemplate) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Template.DeepCopyInto(&out.Template)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobTemplate.
+func (in *JobTemplate) DeepCopy() *JobTemplate {
+	if in == nil {
+		return nil
+	}
+	out := new(JobTemplate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *JobTemplate) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JobTemplateSpec) DeepCopyInto(out *JobTemplateSpec) {
+	*out = *in
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobTemplateSpec.
+func (in *JobTemplateSpec) DeepCopy() *JobTemplateSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(JobTemplateSpec)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/certificates/v1beta1/doc.go b/cli/vendor/k8s.io/api/certificates/v1beta1/doc.go
new file mode 100644
index 00000000..d98ee7c3
--- /dev/null
+++ b/cli/vendor/k8s.io/api/certificates/v1beta1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+// +groupName=certificates.k8s.io
+package v1beta1 // import "k8s.io/api/certificates/v1beta1"
diff --git a/cli/vendor/k8s.io/api/certificates/v1beta1/generated.pb.go b/cli/vendor/k8s.io/api/certificates/v1beta1/generated.pb.go
new file mode 100644
index 00000000..7f704bf8
--- /dev/null
+++ b/cli/vendor/k8s.io/api/certificates/v1beta1/generated.pb.go
@@ -0,0 +1,1693 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/certificates/v1beta1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1beta1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/certificates/v1beta1/generated.proto
+
+	It has these top-level messages:
+		CertificateSigningRequest
+		CertificateSigningRequestCondition
+		CertificateSigningRequestList
+		CertificateSigningRequestSpec
+		CertificateSigningRequestStatus
+		ExtraValue
+*/
+package v1beta1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *CertificateSigningRequest) Reset()      { *m = CertificateSigningRequest{} }
+func (*CertificateSigningRequest) ProtoMessage() {}
+func (*CertificateSigningRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{0}
+}
+
+func (m *CertificateSigningRequestCondition) Reset()      { *m = CertificateSigningRequestCondition{} }
+func (*CertificateSigningRequestCondition) ProtoMessage() {}
+func (*CertificateSigningRequestCondition) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{1}
+}
+
+func (m *CertificateSigningRequestList) Reset()      { *m = CertificateSigningRequestList{} }
+func (*CertificateSigningRequestList) ProtoMessage() {}
+func (*CertificateSigningRequestList) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{2}
+}
+
+func (m *CertificateSigningRequestSpec) Reset()      { *m = CertificateSigningRequestSpec{} }
+func (*CertificateSigningRequestSpec) ProtoMessage() {}
+func (*CertificateSigningRequestSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{3}
+}
+
+func (m *CertificateSigningRequestStatus) Reset()      { *m = CertificateSigningRequestStatus{} }
+func (*CertificateSigningRequestStatus) ProtoMessage() {}
+func (*CertificateSigningRequestStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{4}
+}
+
+func (m *ExtraValue) Reset()                    { *m = ExtraValue{} }
+func (*ExtraValue) ProtoMessage()               {}
+func (*ExtraValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func init() {
+	proto.RegisterType((*CertificateSigningRequest)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequest")
+	proto.RegisterType((*CertificateSigningRequestCondition)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequestCondition")
+	proto.RegisterType((*CertificateSigningRequestList)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequestList")
+	proto.RegisterType((*CertificateSigningRequestSpec)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequestSpec")
+	proto.RegisterType((*CertificateSigningRequestStatus)(nil), "k8s.io.api.certificates.v1beta1.CertificateSigningRequestStatus")
+	proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.certificates.v1beta1.ExtraValue")
+}
+func (m *CertificateSigningRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CertificateSigningRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n3, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *CertificateSigningRequestCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CertificateSigningRequestCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastUpdateTime.Size()))
+	n4, err := m.LastUpdateTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	return i, nil
+}
+
+func (m *CertificateSigningRequestList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CertificateSigningRequestList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n5, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *CertificateSigningRequestSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CertificateSigningRequestSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Request != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.Request)))
+		i += copy(dAtA[i:], m.Request)
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Username)))
+	i += copy(dAtA[i:], m.Username)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID)))
+	i += copy(dAtA[i:], m.UID)
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Usages) > 0 {
+		for _, s := range m.Usages {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Extra) > 0 {
+		keysForExtra := make([]string, 0, len(m.Extra))
+		for k := range m.Extra {
+			keysForExtra = append(keysForExtra, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+		for _, k := range keysForExtra {
+			dAtA[i] = 0x32
+			i++
+			v := m.Extra[string(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n6, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n6
+		}
+	}
+	return i, nil
+}
+
+func (m *CertificateSigningRequestStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CertificateSigningRequestStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.Certificate != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.Certificate)))
+		i += copy(dAtA[i:], m.Certificate)
+	}
+	return i, nil
+}
+
+func (m ExtraValue) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m ExtraValue) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *CertificateSigningRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *CertificateSigningRequestCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastUpdateTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *CertificateSigningRequestList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *CertificateSigningRequestSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Request != nil {
+		l = len(m.Request)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = len(m.Username)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.UID)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Groups) > 0 {
+		for _, s := range m.Groups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Usages) > 0 {
+		for _, s := range m.Usages {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Extra) > 0 {
+		for k, v := range m.Extra {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *CertificateSigningRequestStatus) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.Certificate != nil {
+		l = len(m.Certificate)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m ExtraValue) Size() (n int) {
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *CertificateSigningRequest) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CertificateSigningRequest{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "CertificateSigningRequestSpec", "CertificateSigningRequestSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "CertificateSigningRequestStatus", "CertificateSigningRequestStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CertificateSigningRequestCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CertificateSigningRequestCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`LastUpdateTime:` + strings.Replace(strings.Replace(this.LastUpdateTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CertificateSigningRequestList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CertificateSigningRequestList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "CertificateSigningRequest", "CertificateSigningRequest", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CertificateSigningRequestSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForExtra := make([]string, 0, len(this.Extra))
+	for k := range this.Extra {
+		keysForExtra = append(keysForExtra, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForExtra)
+	mapStringForExtra := "map[string]ExtraValue{"
+	for _, k := range keysForExtra {
+		mapStringForExtra += fmt.Sprintf("%v: %v,", k, this.Extra[k])
+	}
+	mapStringForExtra += "}"
+	s := strings.Join([]string{`&CertificateSigningRequestSpec{`,
+		`Request:` + valueToStringGenerated(this.Request) + `,`,
+		`Username:` + fmt.Sprintf("%v", this.Username) + `,`,
+		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
+		`Groups:` + fmt.Sprintf("%v", this.Groups) + `,`,
+		`Usages:` + fmt.Sprintf("%v", this.Usages) + `,`,
+		`Extra:` + mapStringForExtra + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CertificateSigningRequestStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CertificateSigningRequestStatus{`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "CertificateSigningRequestCondition", "CertificateSigningRequestCondition", 1), `&`, ``, 1) + `,`,
+		`Certificate:` + valueToStringGenerated(this.Certificate) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *CertificateSigningRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CertificateSigningRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CertificateSigningRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CertificateSigningRequestCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CertificateSigningRequestCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = RequestConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastUpdateTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastUpdateTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CertificateSigningRequestList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CertificateSigningRequestList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CertificateSigningRequestList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, CertificateSigningRequest{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CertificateSigningRequestSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CertificateSigningRequestSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Request", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Request = append(m.Request[:0], dAtA[iNdEx:postIndex]...)
+			if m.Request == nil {
+				m.Request = []byte{}
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Username", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Username = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Usages", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Usages = append(m.Usages, KeyUsage(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Extra", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Extra == nil {
+				m.Extra = make(map[string]ExtraValue)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &ExtraValue{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Extra[mapkey] = *mapvalue
+			} else {
+				var mapvalue ExtraValue
+				m.Extra[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CertificateSigningRequestStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CertificateSigningRequestStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CertificateSigningRequestStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, CertificateSigningRequestCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Certificate", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Certificate = append(m.Certificate[:0], dAtA[iNdEx:postIndex]...)
+			if m.Certificate == nil {
+				m.Certificate = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ExtraValue) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExtraValue: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExtraValue: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			*m = append(*m, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/certificates/v1beta1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 816 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x54, 0x4d, 0x6f, 0x1b, 0x45,
+	0x18, 0xf6, 0xfa, 0x2b, 0xf6, 0x38, 0xa4, 0xd5, 0x08, 0x55, 0x4b, 0xa4, 0xee, 0x46, 0x2b, 0x40,
+	0xe1, 0xa3, 0xb3, 0xa4, 0x20, 0x88, 0x72, 0x40, 0xb0, 0xa1, 0x82, 0x88, 0x56, 0x48, 0xd3, 0x86,
+	0x03, 0x42, 0xa2, 0xe3, 0xf5, 0xdb, 0xcd, 0xd4, 0xd9, 0x0f, 0x76, 0x66, 0x0d, 0xbe, 0xf5, 0x27,
+	0x70, 0xe4, 0x82, 0xc4, 0x2f, 0xe1, 0x1c, 0x0e, 0x48, 0x3d, 0xf6, 0x80, 0x2c, 0x62, 0xfe, 0x45,
+	0x4f, 0x68, 0x66, 0xc7, 0x5e, 0x63, 0xcb, 0x75, 0xd5, 0xdc, 0xf6, 0x7d, 0xde, 0xf7, 0x79, 0xde,
+	0xcf, 0x59, 0xf4, 0xd5, 0xf0, 0x50, 0x10, 0x9e, 0xfa, 0xc3, 0xa2, 0x0f, 0x79, 0x02, 0x12, 0x84,
+	0x3f, 0x82, 0x64, 0x90, 0xe6, 0xbe, 0x71, 0xb0, 0x8c, 0xfb, 0x21, 0xe4, 0x92, 0x3f, 0xe2, 0x21,
+	0xd3, 0xee, 0x83, 0x3e, 0x48, 0x76, 0xe0, 0x47, 0x90, 0x40, 0xce, 0x24, 0x0c, 0x48, 0x96, 0xa7,
+	0x32, 0xc5, 0x6e, 0x49, 0x20, 0x2c, 0xe3, 0x64, 0x91, 0x40, 0x0c, 0x61, 0xf7, 0x56, 0xc4, 0xe5,
+	0x59, 0xd1, 0x27, 0x61, 0x1a, 0xfb, 0x51, 0x1a, 0xa5, 0xbe, 0xe6, 0xf5, 0x8b, 0x47, 0xda, 0xd2,
+	0x86, 0xfe, 0x2a, 0xf5, 0x76, 0x3f, 0xaa, 0x0a, 0x88, 0x59, 0x78, 0xc6, 0x13, 0xc8, 0xc7, 0x7e,
+	0x36, 0x8c, 0x14, 0x20, 0xfc, 0x18, 0x24, 0xf3, 0x47, 0x2b, 0x55, 0xec, 0xfa, 0xeb, 0x58, 0x79,
+	0x91, 0x48, 0x1e, 0xc3, 0x0a, 0xe1, 0xe3, 0x4d, 0x04, 0x11, 0x9e, 0x41, 0xcc, 0x56, 0x78, 0x1f,
+	0xae, 0xe3, 0x15, 0x92, 0x9f, 0xfb, 0x3c, 0x91, 0x42, 0xe6, 0xcb, 0x24, 0xef, 0xcf, 0x3a, 0x7a,
+	0xe3, 0xb8, 0x9a, 0xcd, 0x7d, 0x1e, 0x25, 0x3c, 0x89, 0x28, 0xfc, 0x58, 0x80, 0x90, 0xf8, 0x21,
+	0xea, 0xa8, 0xb6, 0x06, 0x4c, 0x32, 0xdb, 0xda, 0xb3, 0xf6, 0x7b, 0xb7, 0x3f, 0x20, 0xd5, 0x50,
+	0xe7, 0x59, 0x48, 0x36, 0x8c, 0x14, 0x20, 0x88, 0x8a, 0x26, 0xa3, 0x03, 0xf2, 0x4d, 0xff, 0x31,
+	0x84, 0xf2, 0x1e, 0x48, 0x16, 0xe0, 0x8b, 0x89, 0x5b, 0x9b, 0x4e, 0x5c, 0x54, 0x61, 0x74, 0xae,
+	0x8a, 0x1f, 0xa2, 0xa6, 0xc8, 0x20, 0xb4, 0xeb, 0x5a, 0xfd, 0x53, 0xb2, 0x61, 0x65, 0x64, 0x6d,
+	0xad, 0xf7, 0x33, 0x08, 0x83, 0x6d, 0x93, 0xab, 0xa9, 0x2c, 0xaa, 0x95, 0xf1, 0x19, 0x6a, 0x0b,
+	0xc9, 0x64, 0x21, 0xec, 0x86, 0xce, 0xf1, 0xd9, 0x15, 0x72, 0x68, 0x9d, 0x60, 0xc7, 0x64, 0x69,
+	0x97, 0x36, 0x35, 0xfa, 0xde, 0x6f, 0x75, 0xe4, 0xad, 0xe5, 0x1e, 0xa7, 0xc9, 0x80, 0x4b, 0x9e,
+	0x26, 0xf8, 0x10, 0x35, 0xe5, 0x38, 0x03, 0x3d, 0xd0, 0x6e, 0xf0, 0xe6, 0xac, 0xe4, 0x07, 0xe3,
+	0x0c, 0x9e, 0x4f, 0xdc, 0xd7, 0x97, 0xe3, 0x15, 0x4e, 0x35, 0x03, 0xbf, 0x8d, 0xda, 0x39, 0x30,
+	0x91, 0x26, 0x7a, 0x5c, 0xdd, 0xaa, 0x10, 0xaa, 0x51, 0x6a, 0xbc, 0xf8, 0x1d, 0xb4, 0x15, 0x83,
+	0x10, 0x2c, 0x02, 0xdd, 0x73, 0x37, 0xb8, 0x66, 0x02, 0xb7, 0xee, 0x95, 0x30, 0x9d, 0xf9, 0xf1,
+	0x63, 0xb4, 0x73, 0xce, 0x84, 0x3c, 0xcd, 0x06, 0x4c, 0xc2, 0x03, 0x1e, 0x83, 0xdd, 0xd4, 0x53,
+	0x7a, 0xf7, 0xe5, 0xf6, 0xac, 0x18, 0xc1, 0x0d, 0xa3, 0xbe, 0x73, 0xf7, 0x7f, 0x4a, 0x74, 0x49,
+	0xd9, 0x9b, 0x58, 0xe8, 0xe6, 0xda, 0xf9, 0xdc, 0xe5, 0x42, 0xe2, 0xef, 0x57, 0xee, 0x8d, 0xbc,
+	0x5c, 0x1d, 0x8a, 0xad, 0xaf, 0xed, 0xba, 0xa9, 0xa5, 0x33, 0x43, 0x16, 0x6e, 0xed, 0x07, 0xd4,
+	0xe2, 0x12, 0x62, 0x61, 0xd7, 0xf7, 0x1a, 0xfb, 0xbd, 0xdb, 0x47, 0xaf, 0x7e, 0x08, 0xc1, 0x6b,
+	0x26, 0x4d, 0xeb, 0x44, 0x09, 0xd2, 0x52, 0xd7, 0xfb, 0xa3, 0xf1, 0x82, 0x06, 0xd5, 0x49, 0xe2,
+	0xb7, 0xd0, 0x56, 0x5e, 0x9a, 0xba, 0xbf, 0xed, 0xa0, 0xa7, 0xb6, 0x62, 0x22, 0xe8, 0xcc, 0x87,
+	0xdf, 0x47, 0x9d, 0x42, 0x40, 0x9e, 0xb0, 0x18, 0xcc, 0xaa, 0xe7, 0x7d, 0x9d, 0x1a, 0x9c, 0xce,
+	0x23, 0xf0, 0x4d, 0xd4, 0x28, 0xf8, 0xc0, 0xac, 0xba, 0x67, 0x02, 0x1b, 0xa7, 0x27, 0x5f, 0x50,
+	0x85, 0x63, 0x0f, 0xb5, 0xa3, 0x3c, 0x2d, 0x32, 0x61, 0x37, 0xf7, 0x1a, 0xfb, 0xdd, 0x00, 0xa9,
+	0x8b, 0xf9, 0x52, 0x23, 0xd4, 0x78, 0x30, 0x41, 0xed, 0x42, 0xdd, 0x83, 0xb0, 0x5b, 0x3a, 0xe6,
+	0x86, 0x8a, 0x39, 0xd5, 0xc8, 0xf3, 0x89, 0xdb, 0xf9, 0x1a, 0xc6, 0xda, 0xa0, 0x26, 0x0a, 0x27,
+	0xa8, 0x05, 0x3f, 0xcb, 0x9c, 0xd9, 0x6d, 0x3d, 0xca, 0x93, 0xab, 0xbd, 0x5b, 0x72, 0x47, 0x69,
+	0xdd, 0x49, 0x64, 0x3e, 0xae, 0x26, 0xab, 0x31, 0x5a, 0xa6, 0xd9, 0x05, 0x84, 0xaa, 0x18, 0x7c,
+	0x1d, 0x35, 0x86, 0x30, 0x2e, 0x1f, 0x10, 0x55, 0x9f, 0xf8, 0x73, 0xd4, 0x1a, 0xb1, 0xf3, 0x02,
+	0xcc, 0x7f, 0xe4, 0xbd, 0x8d, 0xf5, 0x68, 0xb5, 0x6f, 0x15, 0x85, 0x96, 0xcc, 0xa3, 0xfa, 0xa1,
+	0xe5, 0xfd, 0x65, 0x21, 0x77, 0xc3, 0xeb, 0xc7, 0x3f, 0x21, 0x14, 0xce, 0xde, 0xa6, 0xb0, 0x2d,
+	0xdd, 0xff, 0xf1, 0xab, 0xf7, 0x3f, 0x7f, 0xe7, 0xd5, 0x8f, 0x72, 0x0e, 0x09, 0xba, 0x90, 0x0a,
+	0x1f, 0xa0, 0xde, 0x82, 0xb4, 0xee, 0x74, 0x3b, 0xb8, 0x36, 0x9d, 0xb8, 0xbd, 0x05, 0x71, 0xba,
+	0x18, 0xe3, 0x7d, 0x62, 0xc6, 0xa6, 0x1b, 0xc5, 0xee, 0xec, 0xfe, 0x2d, 0xbd, 0xe3, 0xee, 0xf2,
+	0xfd, 0x1e, 0x75, 0x7e, 0xfd, 0xdd, 0xad, 0x3d, 0xf9, 0x7b, 0xaf, 0x16, 0xdc, 0xba, 0xb8, 0x74,
+	0x6a, 0x4f, 0x2f, 0x9d, 0xda, 0xb3, 0x4b, 0xa7, 0xf6, 0x64, 0xea, 0x58, 0x17, 0x53, 0xc7, 0x7a,
+	0x3a, 0x75, 0xac, 0x67, 0x53, 0xc7, 0xfa, 0x67, 0xea, 0x58, 0xbf, 0xfc, 0xeb, 0xd4, 0xbe, 0xdb,
+	0x32, 0xdd, 0xfd, 0x17, 0x00, 0x00, 0xff, 0xff, 0x73, 0x7d, 0xca, 0x2a, 0xb4, 0x07, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/certificates/v1beta1/generated.proto b/cli/vendor/k8s.io/api/certificates/v1beta1/generated.proto
new file mode 100644
index 00000000..e3cd9000
--- /dev/null
+++ b/cli/vendor/k8s.io/api/certificates/v1beta1/generated.proto
@@ -0,0 +1,122 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.certificates.v1beta1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// Describes a certificate signing request
+message CertificateSigningRequest {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // The certificate request itself and any additional information.
+  // +optional
+  optional CertificateSigningRequestSpec spec = 2;
+
+  // Derived information about the request.
+  // +optional
+  optional CertificateSigningRequestStatus status = 3;
+}
+
+message CertificateSigningRequestCondition {
+  // request approval state, currently Approved or Denied.
+  optional string type = 1;
+
+  // brief reason for the request state
+  // +optional
+  optional string reason = 2;
+
+  // human readable message with details about the request state
+  // +optional
+  optional string message = 3;
+
+  // timestamp for the last update to this condition
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 4;
+}
+
+message CertificateSigningRequestList {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  repeated CertificateSigningRequest items = 2;
+}
+
+// This information is immutable after the request is created. Only the Request
+// and Usages fields can be set on creation, other fields are derived by
+// Kubernetes and cannot be modified by users.
+message CertificateSigningRequestSpec {
+  // Base64-encoded PKCS#10 CSR data
+  optional bytes request = 1;
+
+  // allowedUsages specifies a set of usage contexts the key will be
+  // valid for.
+  // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+  //      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+  repeated string usages = 5;
+
+  // Information about the requesting user.
+  // See user.Info interface for details.
+  // +optional
+  optional string username = 2;
+
+  // UID information about the requesting user.
+  // See user.Info interface for details.
+  // +optional
+  optional string uid = 3;
+
+  // Group information about the requesting user.
+  // See user.Info interface for details.
+  // +optional
+  repeated string groups = 4;
+
+  // Extra information about the requesting user.
+  // See user.Info interface for details.
+  // +optional
+  map<string, ExtraValue> extra = 6;
+}
+
+message CertificateSigningRequestStatus {
+  // Conditions applied to the request, such as approval or denial.
+  // +optional
+  repeated CertificateSigningRequestCondition conditions = 1;
+
+  // If request was approved, the controller will place the issued certificate here.
+  // +optional
+  optional bytes certificate = 2;
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message ExtraValue {
+  // items, if empty, will result in an empty slice
+
+  repeated string items = 1;
+}
+
diff --git a/cli/vendor/k8s.io/api/certificates/v1beta1/register.go b/cli/vendor/k8s.io/api/certificates/v1beta1/register.go
new file mode 100644
index 00000000..b5ba3d7e
--- /dev/null
+++ b/cli/vendor/k8s.io/api/certificates/v1beta1/register.go
@@ -0,0 +1,59 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "certificates.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&CertificateSigningRequest{},
+		&CertificateSigningRequestList{},
+	)
+
+	// Add the watch version that applies
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/certificates/v1beta1/types.go b/cli/vendor/k8s.io/api/certificates/v1beta1/types.go
new file mode 100644
index 00000000..cc33043e
--- /dev/null
+++ b/cli/vendor/k8s.io/api/certificates/v1beta1/types.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Describes a certificate signing request
+type CertificateSigningRequest struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// The certificate request itself and any additional information.
+	// +optional
+	Spec CertificateSigningRequestSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Derived information about the request.
+	// +optional
+	Status CertificateSigningRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// This information is immutable after the request is created. Only the Request
+// and Usages fields can be set on creation, other fields are derived by
+// Kubernetes and cannot be modified by users.
+type CertificateSigningRequestSpec struct {
+	// Base64-encoded PKCS#10 CSR data
+	Request []byte `json:"request" protobuf:"bytes,1,opt,name=request"`
+
+	// allowedUsages specifies a set of usage contexts the key will be
+	// valid for.
+	// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+	//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+	Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=usages"`
+
+	// Information about the requesting user.
+	// See user.Info interface for details.
+	// +optional
+	Username string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
+	// UID information about the requesting user.
+	// See user.Info interface for details.
+	// +optional
+	UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"`
+	// Group information about the requesting user.
+	// See user.Info interface for details.
+	// +optional
+	Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
+	// Extra information about the requesting user.
+	// See user.Info interface for details.
+	// +optional
+	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,6,rep,name=extra"`
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+	return fmt.Sprintf("%v", []string(t))
+}
+
+type CertificateSigningRequestStatus struct {
+	// Conditions applied to the request, such as approval or denial.
+	// +optional
+	Conditions []CertificateSigningRequestCondition `json:"conditions,omitempty" protobuf:"bytes,1,rep,name=conditions"`
+
+	// If request was approved, the controller will place the issued certificate here.
+	// +optional
+	Certificate []byte `json:"certificate,omitempty" protobuf:"bytes,2,opt,name=certificate"`
+}
+
+type RequestConditionType string
+
+// These are the possible conditions for a certificate request.
+const (
+	CertificateApproved RequestConditionType = "Approved"
+	CertificateDenied   RequestConditionType = "Denied"
+)
+
+type CertificateSigningRequestCondition struct {
+	// request approval state, currently Approved or Denied.
+	Type RequestConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=RequestConditionType"`
+	// brief reason for the request state
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
+	// human readable message with details about the request state
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,3,opt,name=message"`
+	// timestamp for the last update to this condition
+	// +optional
+	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty" protobuf:"bytes,4,opt,name=lastUpdateTime"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type CertificateSigningRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	Items []CertificateSigningRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// KeyUsages specifies valid usage contexts for keys.
+// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+type KeyUsage string
+
+const (
+	UsageSigning            KeyUsage = "signing"
+	UsageDigitalSignature   KeyUsage = "digital signature"
+	UsageContentCommittment KeyUsage = "content committment"
+	UsageKeyEncipherment    KeyUsage = "key encipherment"
+	UsageKeyAgreement       KeyUsage = "key agreement"
+	UsageDataEncipherment   KeyUsage = "data encipherment"
+	UsageCertSign           KeyUsage = "cert sign"
+	UsageCRLSign            KeyUsage = "crl sign"
+	UsageEncipherOnly       KeyUsage = "encipher only"
+	UsageDecipherOnly       KeyUsage = "decipher only"
+	UsageAny                KeyUsage = "any"
+	UsageServerAuth         KeyUsage = "server auth"
+	UsageClientAuth         KeyUsage = "client auth"
+	UsageCodeSigning        KeyUsage = "code signing"
+	UsageEmailProtection    KeyUsage = "email protection"
+	UsageSMIME              KeyUsage = "s/mime"
+	UsageIPsecEndSystem     KeyUsage = "ipsec end system"
+	UsageIPsecTunnel        KeyUsage = "ipsec tunnel"
+	UsageIPsecUser          KeyUsage = "ipsec user"
+	UsageTimestamping       KeyUsage = "timestamping"
+	UsageOCSPSigning        KeyUsage = "ocsp signing"
+	UsageMicrosoftSGC       KeyUsage = "microsoft sgc"
+	UsageNetscapSGC         KeyUsage = "netscape sgc"
+)
diff --git a/cli/vendor/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..4fd91df0
--- /dev/null
+++ b/cli/vendor/k8s.io/api/certificates/v1beta1/types_swagger_doc_generated.go
@@ -0,0 +1,74 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_CertificateSigningRequest = map[string]string{
+	"":       "Describes a certificate signing request",
+	"spec":   "The certificate request itself and any additional information.",
+	"status": "Derived information about the request.",
+}
+
+func (CertificateSigningRequest) SwaggerDoc() map[string]string {
+	return map_CertificateSigningRequest
+}
+
+var map_CertificateSigningRequestCondition = map[string]string{
+	"type":           "request approval state, currently Approved or Denied.",
+	"reason":         "brief reason for the request state",
+	"message":        "human readable message with details about the request state",
+	"lastUpdateTime": "timestamp for the last update to this condition",
+}
+
+func (CertificateSigningRequestCondition) SwaggerDoc() map[string]string {
+	return map_CertificateSigningRequestCondition
+}
+
+var map_CertificateSigningRequestSpec = map[string]string{
+	"":         "This information is immutable after the request is created. Only the Request and Usages fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.",
+	"request":  "Base64-encoded PKCS#10 CSR data",
+	"usages":   "allowedUsages specifies a set of usage contexts the key will be valid for. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3\n     https://tools.ietf.org/html/rfc5280#section-4.2.1.12",
+	"username": "Information about the requesting user. See user.Info interface for details.",
+	"uid":      "UID information about the requesting user. See user.Info interface for details.",
+	"groups":   "Group information about the requesting user. See user.Info interface for details.",
+	"extra":    "Extra information about the requesting user. See user.Info interface for details.",
+}
+
+func (CertificateSigningRequestSpec) SwaggerDoc() map[string]string {
+	return map_CertificateSigningRequestSpec
+}
+
+var map_CertificateSigningRequestStatus = map[string]string{
+	"conditions":  "Conditions applied to the request, such as approval or denial.",
+	"certificate": "If request was approved, the controller will place the issued certificate here.",
+}
+
+func (CertificateSigningRequestStatus) SwaggerDoc() map[string]string {
+	return map_CertificateSigningRequestStatus
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..26831b16
--- /dev/null
+++ b/cli/vendor/k8s.io/api/certificates/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,207 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CertificateSigningRequest).DeepCopyInto(out.(*CertificateSigningRequest))
+			return nil
+		}, InType: reflect.TypeOf(&CertificateSigningRequest{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CertificateSigningRequestCondition).DeepCopyInto(out.(*CertificateSigningRequestCondition))
+			return nil
+		}, InType: reflect.TypeOf(&CertificateSigningRequestCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CertificateSigningRequestList).DeepCopyInto(out.(*CertificateSigningRequestList))
+			return nil
+		}, InType: reflect.TypeOf(&CertificateSigningRequestList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CertificateSigningRequestSpec).DeepCopyInto(out.(*CertificateSigningRequestSpec))
+			return nil
+		}, InType: reflect.TypeOf(&CertificateSigningRequestSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CertificateSigningRequestStatus).DeepCopyInto(out.(*CertificateSigningRequestStatus))
+			return nil
+		}, InType: reflect.TypeOf(&CertificateSigningRequestStatus{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateSigningRequest) DeepCopyInto(out *CertificateSigningRequest) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequest.
+func (in *CertificateSigningRequest) DeepCopy() *CertificateSigningRequest {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateSigningRequest)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CertificateSigningRequest) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateSigningRequestCondition) DeepCopyInto(out *CertificateSigningRequestCondition) {
+	*out = *in
+	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestCondition.
+func (in *CertificateSigningRequestCondition) DeepCopy() *CertificateSigningRequestCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateSigningRequestCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateSigningRequestList) DeepCopyInto(out *CertificateSigningRequestList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CertificateSigningRequest, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestList.
+func (in *CertificateSigningRequestList) DeepCopy() *CertificateSigningRequestList {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateSigningRequestList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CertificateSigningRequestList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateSigningRequestSpec) DeepCopyInto(out *CertificateSigningRequestSpec) {
+	*out = *in
+	if in.Request != nil {
+		in, out := &in.Request, &out.Request
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.Usages != nil {
+		in, out := &in.Usages, &out.Usages
+		*out = make([]KeyUsage, len(*in))
+		copy(*out, *in)
+	}
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Extra != nil {
+		in, out := &in.Extra, &out.Extra
+		*out = make(map[string]ExtraValue, len(*in))
+		for key, val := range *in {
+			(*out)[key] = make(ExtraValue, len(val))
+			copy((*out)[key], val)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestSpec.
+func (in *CertificateSigningRequestSpec) DeepCopy() *CertificateSigningRequestSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateSigningRequestSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertificateSigningRequestStatus) DeepCopyInto(out *CertificateSigningRequestStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]CertificateSigningRequestCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Certificate != nil {
+		in, out := &in.Certificate, &out.Certificate
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestStatus.
+func (in *CertificateSigningRequestStatus) DeepCopy() *CertificateSigningRequestStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CertificateSigningRequestStatus)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/core/v1/annotation_key_constants.go b/cli/vendor/k8s.io/api/core/v1/annotation_key_constants.go
new file mode 100644
index 00000000..e623913f
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/annotation_key_constants.go
@@ -0,0 +1,94 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file should be consistent with pkg/api/annotation_key_constants.go.
+
+package v1
+
+const (
+	// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+	// webhook backend fails.
+	ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
+
+	// PodPresetOptOutAnnotationKey represents the annotation key for a pod to exempt itself from pod preset manipulation
+	PodPresetOptOutAnnotationKey string = "podpreset.admission.kubernetes.io/exclude"
+
+	// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
+	MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"
+
+	// TolerationsAnnotationKey represents the key of tolerations data (json serialized)
+	// in the Annotations of a Pod.
+	TolerationsAnnotationKey string = "scheduler.alpha.kubernetes.io/tolerations"
+
+	// TaintsAnnotationKey represents the key of taints data (json serialized)
+	// in the Annotations of a Node.
+	TaintsAnnotationKey string = "scheduler.alpha.kubernetes.io/taints"
+
+	// SeccompPodAnnotationKey represents the key of a seccomp profile applied
+	// to all containers of a pod.
+	SeccompPodAnnotationKey string = "seccomp.security.alpha.kubernetes.io/pod"
+
+	// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
+	// to one container of a pod.
+	SeccompContainerAnnotationKeyPrefix string = "container.seccomp.security.alpha.kubernetes.io/"
+
+	// CreatedByAnnotation represents the key used to store the spec(json)
+	// used to create the resource.
+	// This field is deprecated in favor of ControllerRef (see #44407).
+	// TODO(#50720): Remove this field in v1.9.
+	CreatedByAnnotation = "kubernetes.io/created-by"
+
+	// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
+	// in the Annotations of a Node.
+	PreferAvoidPodsAnnotationKey string = "scheduler.alpha.kubernetes.io/preferAvoidPods"
+
+	// SysctlsPodAnnotationKey represents the key of sysctls which are set for the infrastructure
+	// container of a pod. The annotation value is a comma separated list of sysctl_name=value
+	// key-value pairs. Only a limited set of whitelisted and isolated sysctls is supported by
+	// the kubelet. Pods with other sysctls will fail to launch.
+	SysctlsPodAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
+
+	// UnsafeSysctlsPodAnnotationKey represents the key of sysctls which are set for the infrastructure
+	// container of a pod. The annotation value is a comma separated list of sysctl_name=value
+	// key-value pairs. Unsafe sysctls must be explicitly enabled for a kubelet. They are properly
+	// namespaced to a pod or a container, but their isolation is usually unclear or weak. Their use
+	// is at-your-own-risk. Pods that attempt to set an unsafe sysctl that is not enabled for a kubelet
+	// will fail to launch.
+	UnsafeSysctlsPodAnnotationKey string = "security.alpha.kubernetes.io/unsafe-sysctls"
+
+	// ObjectTTLAnnotations represents a suggestion for kubelet for how long it can cache
+	// an object (e.g. secret, config map) before fetching it again from apiserver.
+	// This annotation can be attached to node.
+	ObjectTTLAnnotationKey string = "node.alpha.kubernetes.io/ttl"
+
+	// annotation key prefix used to identify non-convertible json paths.
+	NonConvertibleAnnotationPrefix = "non-convertible.kubernetes.io"
+
+	kubectlPrefix = "kubectl.kubernetes.io/"
+
+	// LastAppliedConfigAnnotation is the annotation used to store the previous
+	// configuration of a resource for use in a three way diff by UpdateApplyAnnotation.
+	LastAppliedConfigAnnotation = kubectlPrefix + "last-applied-configuration"
+
+	// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
+	//
+	// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
+	// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
+	// access only from the CIDRs currently allocated to MIT & the USPS.
+	//
+	// Not all cloud providers support this annotation, though AWS & GCE do.
+	AnnotationLoadBalancerSourceRangesKey = "service.beta.kubernetes.io/load-balancer-source-ranges"
+)
diff --git a/cli/vendor/k8s.io/api/core/v1/doc.go b/cli/vendor/k8s.io/api/core/v1/doc.go
new file mode 100644
index 00000000..a31af9ea
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package,register
+
+// Package v1 is the v1 version of the core API.
+package v1 // import "k8s.io/api/core/v1"
diff --git a/cli/vendor/k8s.io/api/core/v1/generated.pb.go b/cli/vendor/k8s.io/api/core/v1/generated.pb.go
new file mode 100644
index 00000000..1b78c705
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/generated.pb.go
@@ -0,0 +1,47534 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/core/v1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/core/v1/generated.proto
+
+	It has these top-level messages:
+		AWSElasticBlockStoreVolumeSource
+		Affinity
+		AttachedVolume
+		AvoidPods
+		AzureDiskVolumeSource
+		AzureFilePersistentVolumeSource
+		AzureFileVolumeSource
+		Binding
+		Capabilities
+		CephFSPersistentVolumeSource
+		CephFSVolumeSource
+		CinderVolumeSource
+		ClientIPConfig
+		ComponentCondition
+		ComponentStatus
+		ComponentStatusList
+		ConfigMap
+		ConfigMapEnvSource
+		ConfigMapKeySelector
+		ConfigMapList
+		ConfigMapProjection
+		ConfigMapVolumeSource
+		Container
+		ContainerImage
+		ContainerPort
+		ContainerState
+		ContainerStateRunning
+		ContainerStateTerminated
+		ContainerStateWaiting
+		ContainerStatus
+		DaemonEndpoint
+		DeleteOptions
+		DownwardAPIProjection
+		DownwardAPIVolumeFile
+		DownwardAPIVolumeSource
+		EmptyDirVolumeSource
+		EndpointAddress
+		EndpointPort
+		EndpointSubset
+		Endpoints
+		EndpointsList
+		EnvFromSource
+		EnvVar
+		EnvVarSource
+		Event
+		EventList
+		EventSource
+		ExecAction
+		FCVolumeSource
+		FlexVolumeSource
+		FlockerVolumeSource
+		GCEPersistentDiskVolumeSource
+		GitRepoVolumeSource
+		GlusterfsVolumeSource
+		HTTPGetAction
+		HTTPHeader
+		Handler
+		HostAlias
+		HostPathVolumeSource
+		ISCSIVolumeSource
+		KeyToPath
+		Lifecycle
+		LimitRange
+		LimitRangeItem
+		LimitRangeList
+		LimitRangeSpec
+		List
+		ListOptions
+		LoadBalancerIngress
+		LoadBalancerStatus
+		LocalObjectReference
+		LocalVolumeSource
+		NFSVolumeSource
+		Namespace
+		NamespaceList
+		NamespaceSpec
+		NamespaceStatus
+		Node
+		NodeAddress
+		NodeAffinity
+		NodeCondition
+		NodeConfigSource
+		NodeDaemonEndpoints
+		NodeList
+		NodeProxyOptions
+		NodeResources
+		NodeSelector
+		NodeSelectorRequirement
+		NodeSelectorTerm
+		NodeSpec
+		NodeStatus
+		NodeSystemInfo
+		ObjectFieldSelector
+		ObjectMeta
+		ObjectReference
+		PersistentVolume
+		PersistentVolumeClaim
+		PersistentVolumeClaimCondition
+		PersistentVolumeClaimList
+		PersistentVolumeClaimSpec
+		PersistentVolumeClaimStatus
+		PersistentVolumeClaimVolumeSource
+		PersistentVolumeList
+		PersistentVolumeSource
+		PersistentVolumeSpec
+		PersistentVolumeStatus
+		PhotonPersistentDiskVolumeSource
+		Pod
+		PodAffinity
+		PodAffinityTerm
+		PodAntiAffinity
+		PodAttachOptions
+		PodCondition
+		PodExecOptions
+		PodList
+		PodLogOptions
+		PodPortForwardOptions
+		PodProxyOptions
+		PodSecurityContext
+		PodSignature
+		PodSpec
+		PodStatus
+		PodStatusResult
+		PodTemplate
+		PodTemplateList
+		PodTemplateSpec
+		PortworxVolumeSource
+		Preconditions
+		PreferAvoidPodsEntry
+		PreferredSchedulingTerm
+		Probe
+		ProjectedVolumeSource
+		QuobyteVolumeSource
+		RBDVolumeSource
+		RangeAllocation
+		ReplicationController
+		ReplicationControllerCondition
+		ReplicationControllerList
+		ReplicationControllerSpec
+		ReplicationControllerStatus
+		ResourceFieldSelector
+		ResourceQuota
+		ResourceQuotaList
+		ResourceQuotaSpec
+		ResourceQuotaStatus
+		ResourceRequirements
+		SELinuxOptions
+		ScaleIOPersistentVolumeSource
+		ScaleIOVolumeSource
+		Secret
+		SecretEnvSource
+		SecretKeySelector
+		SecretList
+		SecretProjection
+		SecretReference
+		SecretVolumeSource
+		SecurityContext
+		SerializedReference
+		Service
+		ServiceAccount
+		ServiceAccountList
+		ServiceList
+		ServicePort
+		ServiceProxyOptions
+		ServiceSpec
+		ServiceStatus
+		SessionAffinityConfig
+		StorageOSPersistentVolumeSource
+		StorageOSVolumeSource
+		Sysctl
+		TCPSocketAction
+		Taint
+		Toleration
+		Volume
+		VolumeMount
+		VolumeProjection
+		VolumeSource
+		VsphereVirtualDiskVolumeSource
+		WeightedPodAffinityTerm
+*/
+package v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_apimachinery_pkg_api_resource "k8s.io/apimachinery/pkg/api/resource"
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+import k8s_io_apimachinery_pkg_runtime "k8s.io/apimachinery/pkg/runtime"
+
+import k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *AWSElasticBlockStoreVolumeSource) Reset()      { *m = AWSElasticBlockStoreVolumeSource{} }
+func (*AWSElasticBlockStoreVolumeSource) ProtoMessage() {}
+func (*AWSElasticBlockStoreVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{0}
+}
+
+func (m *Affinity) Reset()                    { *m = Affinity{} }
+func (*Affinity) ProtoMessage()               {}
+func (*Affinity) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *AttachedVolume) Reset()                    { *m = AttachedVolume{} }
+func (*AttachedVolume) ProtoMessage()               {}
+func (*AttachedVolume) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *AvoidPods) Reset()                    { *m = AvoidPods{} }
+func (*AvoidPods) ProtoMessage()               {}
+func (*AvoidPods) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *AzureDiskVolumeSource) Reset()                    { *m = AzureDiskVolumeSource{} }
+func (*AzureDiskVolumeSource) ProtoMessage()               {}
+func (*AzureDiskVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *AzureFilePersistentVolumeSource) Reset()      { *m = AzureFilePersistentVolumeSource{} }
+func (*AzureFilePersistentVolumeSource) ProtoMessage() {}
+func (*AzureFilePersistentVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{5}
+}
+
+func (m *AzureFileVolumeSource) Reset()                    { *m = AzureFileVolumeSource{} }
+func (*AzureFileVolumeSource) ProtoMessage()               {}
+func (*AzureFileVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *Binding) Reset()                    { *m = Binding{} }
+func (*Binding) ProtoMessage()               {}
+func (*Binding) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *Capabilities) Reset()                    { *m = Capabilities{} }
+func (*Capabilities) ProtoMessage()               {}
+func (*Capabilities) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *CephFSPersistentVolumeSource) Reset()      { *m = CephFSPersistentVolumeSource{} }
+func (*CephFSPersistentVolumeSource) ProtoMessage() {}
+func (*CephFSPersistentVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{9}
+}
+
+func (m *CephFSVolumeSource) Reset()                    { *m = CephFSVolumeSource{} }
+func (*CephFSVolumeSource) ProtoMessage()               {}
+func (*CephFSVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+
+func (m *CinderVolumeSource) Reset()                    { *m = CinderVolumeSource{} }
+func (*CinderVolumeSource) ProtoMessage()               {}
+func (*CinderVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
+
+func (m *ClientIPConfig) Reset()                    { *m = ClientIPConfig{} }
+func (*ClientIPConfig) ProtoMessage()               {}
+func (*ClientIPConfig) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
+
+func (m *ComponentCondition) Reset()                    { *m = ComponentCondition{} }
+func (*ComponentCondition) ProtoMessage()               {}
+func (*ComponentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
+
+func (m *ComponentStatus) Reset()                    { *m = ComponentStatus{} }
+func (*ComponentStatus) ProtoMessage()               {}
+func (*ComponentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
+
+func (m *ComponentStatusList) Reset()                    { *m = ComponentStatusList{} }
+func (*ComponentStatusList) ProtoMessage()               {}
+func (*ComponentStatusList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
+
+func (m *ConfigMap) Reset()                    { *m = ConfigMap{} }
+func (*ConfigMap) ProtoMessage()               {}
+func (*ConfigMap) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
+
+func (m *ConfigMapEnvSource) Reset()                    { *m = ConfigMapEnvSource{} }
+func (*ConfigMapEnvSource) ProtoMessage()               {}
+func (*ConfigMapEnvSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
+
+func (m *ConfigMapKeySelector) Reset()                    { *m = ConfigMapKeySelector{} }
+func (*ConfigMapKeySelector) ProtoMessage()               {}
+func (*ConfigMapKeySelector) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} }
+
+func (m *ConfigMapList) Reset()                    { *m = ConfigMapList{} }
+func (*ConfigMapList) ProtoMessage()               {}
+func (*ConfigMapList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} }
+
+func (m *ConfigMapProjection) Reset()                    { *m = ConfigMapProjection{} }
+func (*ConfigMapProjection) ProtoMessage()               {}
+func (*ConfigMapProjection) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} }
+
+func (m *ConfigMapVolumeSource) Reset()                    { *m = ConfigMapVolumeSource{} }
+func (*ConfigMapVolumeSource) ProtoMessage()               {}
+func (*ConfigMapVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} }
+
+func (m *Container) Reset()                    { *m = Container{} }
+func (*Container) ProtoMessage()               {}
+func (*Container) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{22} }
+
+func (m *ContainerImage) Reset()                    { *m = ContainerImage{} }
+func (*ContainerImage) ProtoMessage()               {}
+func (*ContainerImage) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{23} }
+
+func (m *ContainerPort) Reset()                    { *m = ContainerPort{} }
+func (*ContainerPort) ProtoMessage()               {}
+func (*ContainerPort) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{24} }
+
+func (m *ContainerState) Reset()                    { *m = ContainerState{} }
+func (*ContainerState) ProtoMessage()               {}
+func (*ContainerState) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{25} }
+
+func (m *ContainerStateRunning) Reset()                    { *m = ContainerStateRunning{} }
+func (*ContainerStateRunning) ProtoMessage()               {}
+func (*ContainerStateRunning) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{26} }
+
+func (m *ContainerStateTerminated) Reset()      { *m = ContainerStateTerminated{} }
+func (*ContainerStateTerminated) ProtoMessage() {}
+func (*ContainerStateTerminated) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{27}
+}
+
+func (m *ContainerStateWaiting) Reset()                    { *m = ContainerStateWaiting{} }
+func (*ContainerStateWaiting) ProtoMessage()               {}
+func (*ContainerStateWaiting) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{28} }
+
+func (m *ContainerStatus) Reset()                    { *m = ContainerStatus{} }
+func (*ContainerStatus) ProtoMessage()               {}
+func (*ContainerStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{29} }
+
+func (m *DaemonEndpoint) Reset()                    { *m = DaemonEndpoint{} }
+func (*DaemonEndpoint) ProtoMessage()               {}
+func (*DaemonEndpoint) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{30} }
+
+func (m *DeleteOptions) Reset()                    { *m = DeleteOptions{} }
+func (*DeleteOptions) ProtoMessage()               {}
+func (*DeleteOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{31} }
+
+func (m *DownwardAPIProjection) Reset()                    { *m = DownwardAPIProjection{} }
+func (*DownwardAPIProjection) ProtoMessage()               {}
+func (*DownwardAPIProjection) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{32} }
+
+func (m *DownwardAPIVolumeFile) Reset()                    { *m = DownwardAPIVolumeFile{} }
+func (*DownwardAPIVolumeFile) ProtoMessage()               {}
+func (*DownwardAPIVolumeFile) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{33} }
+
+func (m *DownwardAPIVolumeSource) Reset()      { *m = DownwardAPIVolumeSource{} }
+func (*DownwardAPIVolumeSource) ProtoMessage() {}
+func (*DownwardAPIVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{34}
+}
+
+func (m *EmptyDirVolumeSource) Reset()                    { *m = EmptyDirVolumeSource{} }
+func (*EmptyDirVolumeSource) ProtoMessage()               {}
+func (*EmptyDirVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{35} }
+
+func (m *EndpointAddress) Reset()                    { *m = EndpointAddress{} }
+func (*EndpointAddress) ProtoMessage()               {}
+func (*EndpointAddress) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{36} }
+
+func (m *EndpointPort) Reset()                    { *m = EndpointPort{} }
+func (*EndpointPort) ProtoMessage()               {}
+func (*EndpointPort) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{37} }
+
+func (m *EndpointSubset) Reset()                    { *m = EndpointSubset{} }
+func (*EndpointSubset) ProtoMessage()               {}
+func (*EndpointSubset) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{38} }
+
+func (m *Endpoints) Reset()                    { *m = Endpoints{} }
+func (*Endpoints) ProtoMessage()               {}
+func (*Endpoints) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{39} }
+
+func (m *EndpointsList) Reset()                    { *m = EndpointsList{} }
+func (*EndpointsList) ProtoMessage()               {}
+func (*EndpointsList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{40} }
+
+func (m *EnvFromSource) Reset()                    { *m = EnvFromSource{} }
+func (*EnvFromSource) ProtoMessage()               {}
+func (*EnvFromSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{41} }
+
+func (m *EnvVar) Reset()                    { *m = EnvVar{} }
+func (*EnvVar) ProtoMessage()               {}
+func (*EnvVar) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{42} }
+
+func (m *EnvVarSource) Reset()                    { *m = EnvVarSource{} }
+func (*EnvVarSource) ProtoMessage()               {}
+func (*EnvVarSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{43} }
+
+func (m *Event) Reset()                    { *m = Event{} }
+func (*Event) ProtoMessage()               {}
+func (*Event) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{44} }
+
+func (m *EventList) Reset()                    { *m = EventList{} }
+func (*EventList) ProtoMessage()               {}
+func (*EventList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{45} }
+
+func (m *EventSource) Reset()                    { *m = EventSource{} }
+func (*EventSource) ProtoMessage()               {}
+func (*EventSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{46} }
+
+func (m *ExecAction) Reset()                    { *m = ExecAction{} }
+func (*ExecAction) ProtoMessage()               {}
+func (*ExecAction) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{47} }
+
+func (m *FCVolumeSource) Reset()                    { *m = FCVolumeSource{} }
+func (*FCVolumeSource) ProtoMessage()               {}
+func (*FCVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{48} }
+
+func (m *FlexVolumeSource) Reset()                    { *m = FlexVolumeSource{} }
+func (*FlexVolumeSource) ProtoMessage()               {}
+func (*FlexVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{49} }
+
+func (m *FlockerVolumeSource) Reset()                    { *m = FlockerVolumeSource{} }
+func (*FlockerVolumeSource) ProtoMessage()               {}
+func (*FlockerVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{50} }
+
+func (m *GCEPersistentDiskVolumeSource) Reset()      { *m = GCEPersistentDiskVolumeSource{} }
+func (*GCEPersistentDiskVolumeSource) ProtoMessage() {}
+func (*GCEPersistentDiskVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{51}
+}
+
+func (m *GitRepoVolumeSource) Reset()                    { *m = GitRepoVolumeSource{} }
+func (*GitRepoVolumeSource) ProtoMessage()               {}
+func (*GitRepoVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{52} }
+
+func (m *GlusterfsVolumeSource) Reset()                    { *m = GlusterfsVolumeSource{} }
+func (*GlusterfsVolumeSource) ProtoMessage()               {}
+func (*GlusterfsVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{53} }
+
+func (m *HTTPGetAction) Reset()                    { *m = HTTPGetAction{} }
+func (*HTTPGetAction) ProtoMessage()               {}
+func (*HTTPGetAction) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{54} }
+
+func (m *HTTPHeader) Reset()                    { *m = HTTPHeader{} }
+func (*HTTPHeader) ProtoMessage()               {}
+func (*HTTPHeader) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{55} }
+
+func (m *Handler) Reset()                    { *m = Handler{} }
+func (*Handler) ProtoMessage()               {}
+func (*Handler) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{56} }
+
+func (m *HostAlias) Reset()                    { *m = HostAlias{} }
+func (*HostAlias) ProtoMessage()               {}
+func (*HostAlias) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{57} }
+
+func (m *HostPathVolumeSource) Reset()                    { *m = HostPathVolumeSource{} }
+func (*HostPathVolumeSource) ProtoMessage()               {}
+func (*HostPathVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{58} }
+
+func (m *ISCSIVolumeSource) Reset()                    { *m = ISCSIVolumeSource{} }
+func (*ISCSIVolumeSource) ProtoMessage()               {}
+func (*ISCSIVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{59} }
+
+func (m *KeyToPath) Reset()                    { *m = KeyToPath{} }
+func (*KeyToPath) ProtoMessage()               {}
+func (*KeyToPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{60} }
+
+func (m *Lifecycle) Reset()                    { *m = Lifecycle{} }
+func (*Lifecycle) ProtoMessage()               {}
+func (*Lifecycle) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{61} }
+
+func (m *LimitRange) Reset()                    { *m = LimitRange{} }
+func (*LimitRange) ProtoMessage()               {}
+func (*LimitRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{62} }
+
+func (m *LimitRangeItem) Reset()                    { *m = LimitRangeItem{} }
+func (*LimitRangeItem) ProtoMessage()               {}
+func (*LimitRangeItem) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{63} }
+
+func (m *LimitRangeList) Reset()                    { *m = LimitRangeList{} }
+func (*LimitRangeList) ProtoMessage()               {}
+func (*LimitRangeList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{64} }
+
+func (m *LimitRangeSpec) Reset()                    { *m = LimitRangeSpec{} }
+func (*LimitRangeSpec) ProtoMessage()               {}
+func (*LimitRangeSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{65} }
+
+func (m *List) Reset()                    { *m = List{} }
+func (*List) ProtoMessage()               {}
+func (*List) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{66} }
+
+func (m *ListOptions) Reset()                    { *m = ListOptions{} }
+func (*ListOptions) ProtoMessage()               {}
+func (*ListOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{67} }
+
+func (m *LoadBalancerIngress) Reset()                    { *m = LoadBalancerIngress{} }
+func (*LoadBalancerIngress) ProtoMessage()               {}
+func (*LoadBalancerIngress) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{68} }
+
+func (m *LoadBalancerStatus) Reset()                    { *m = LoadBalancerStatus{} }
+func (*LoadBalancerStatus) ProtoMessage()               {}
+func (*LoadBalancerStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{69} }
+
+func (m *LocalObjectReference) Reset()                    { *m = LocalObjectReference{} }
+func (*LocalObjectReference) ProtoMessage()               {}
+func (*LocalObjectReference) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{70} }
+
+func (m *LocalVolumeSource) Reset()                    { *m = LocalVolumeSource{} }
+func (*LocalVolumeSource) ProtoMessage()               {}
+func (*LocalVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{71} }
+
+func (m *NFSVolumeSource) Reset()                    { *m = NFSVolumeSource{} }
+func (*NFSVolumeSource) ProtoMessage()               {}
+func (*NFSVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{72} }
+
+func (m *Namespace) Reset()                    { *m = Namespace{} }
+func (*Namespace) ProtoMessage()               {}
+func (*Namespace) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{73} }
+
+func (m *NamespaceList) Reset()                    { *m = NamespaceList{} }
+func (*NamespaceList) ProtoMessage()               {}
+func (*NamespaceList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{74} }
+
+func (m *NamespaceSpec) Reset()                    { *m = NamespaceSpec{} }
+func (*NamespaceSpec) ProtoMessage()               {}
+func (*NamespaceSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{75} }
+
+func (m *NamespaceStatus) Reset()                    { *m = NamespaceStatus{} }
+func (*NamespaceStatus) ProtoMessage()               {}
+func (*NamespaceStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{76} }
+
+func (m *Node) Reset()                    { *m = Node{} }
+func (*Node) ProtoMessage()               {}
+func (*Node) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{77} }
+
+func (m *NodeAddress) Reset()                    { *m = NodeAddress{} }
+func (*NodeAddress) ProtoMessage()               {}
+func (*NodeAddress) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{78} }
+
+func (m *NodeAffinity) Reset()                    { *m = NodeAffinity{} }
+func (*NodeAffinity) ProtoMessage()               {}
+func (*NodeAffinity) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{79} }
+
+func (m *NodeCondition) Reset()                    { *m = NodeCondition{} }
+func (*NodeCondition) ProtoMessage()               {}
+func (*NodeCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{80} }
+
+func (m *NodeConfigSource) Reset()                    { *m = NodeConfigSource{} }
+func (*NodeConfigSource) ProtoMessage()               {}
+func (*NodeConfigSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{81} }
+
+func (m *NodeDaemonEndpoints) Reset()                    { *m = NodeDaemonEndpoints{} }
+func (*NodeDaemonEndpoints) ProtoMessage()               {}
+func (*NodeDaemonEndpoints) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{82} }
+
+func (m *NodeList) Reset()                    { *m = NodeList{} }
+func (*NodeList) ProtoMessage()               {}
+func (*NodeList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{83} }
+
+func (m *NodeProxyOptions) Reset()                    { *m = NodeProxyOptions{} }
+func (*NodeProxyOptions) ProtoMessage()               {}
+func (*NodeProxyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{84} }
+
+func (m *NodeResources) Reset()                    { *m = NodeResources{} }
+func (*NodeResources) ProtoMessage()               {}
+func (*NodeResources) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{85} }
+
+func (m *NodeSelector) Reset()                    { *m = NodeSelector{} }
+func (*NodeSelector) ProtoMessage()               {}
+func (*NodeSelector) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{86} }
+
+func (m *NodeSelectorRequirement) Reset()      { *m = NodeSelectorRequirement{} }
+func (*NodeSelectorRequirement) ProtoMessage() {}
+func (*NodeSelectorRequirement) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{87}
+}
+
+func (m *NodeSelectorTerm) Reset()                    { *m = NodeSelectorTerm{} }
+func (*NodeSelectorTerm) ProtoMessage()               {}
+func (*NodeSelectorTerm) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{88} }
+
+func (m *NodeSpec) Reset()                    { *m = NodeSpec{} }
+func (*NodeSpec) ProtoMessage()               {}
+func (*NodeSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{89} }
+
+func (m *NodeStatus) Reset()                    { *m = NodeStatus{} }
+func (*NodeStatus) ProtoMessage()               {}
+func (*NodeStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{90} }
+
+func (m *NodeSystemInfo) Reset()                    { *m = NodeSystemInfo{} }
+func (*NodeSystemInfo) ProtoMessage()               {}
+func (*NodeSystemInfo) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{91} }
+
+func (m *ObjectFieldSelector) Reset()                    { *m = ObjectFieldSelector{} }
+func (*ObjectFieldSelector) ProtoMessage()               {}
+func (*ObjectFieldSelector) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{92} }
+
+func (m *ObjectMeta) Reset()                    { *m = ObjectMeta{} }
+func (*ObjectMeta) ProtoMessage()               {}
+func (*ObjectMeta) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{93} }
+
+func (m *ObjectReference) Reset()                    { *m = ObjectReference{} }
+func (*ObjectReference) ProtoMessage()               {}
+func (*ObjectReference) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{94} }
+
+func (m *PersistentVolume) Reset()                    { *m = PersistentVolume{} }
+func (*PersistentVolume) ProtoMessage()               {}
+func (*PersistentVolume) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{95} }
+
+func (m *PersistentVolumeClaim) Reset()                    { *m = PersistentVolumeClaim{} }
+func (*PersistentVolumeClaim) ProtoMessage()               {}
+func (*PersistentVolumeClaim) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{96} }
+
+func (m *PersistentVolumeClaimCondition) Reset()      { *m = PersistentVolumeClaimCondition{} }
+func (*PersistentVolumeClaimCondition) ProtoMessage() {}
+func (*PersistentVolumeClaimCondition) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{97}
+}
+
+func (m *PersistentVolumeClaimList) Reset()      { *m = PersistentVolumeClaimList{} }
+func (*PersistentVolumeClaimList) ProtoMessage() {}
+func (*PersistentVolumeClaimList) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{98}
+}
+
+func (m *PersistentVolumeClaimSpec) Reset()      { *m = PersistentVolumeClaimSpec{} }
+func (*PersistentVolumeClaimSpec) ProtoMessage() {}
+func (*PersistentVolumeClaimSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{99}
+}
+
+func (m *PersistentVolumeClaimStatus) Reset()      { *m = PersistentVolumeClaimStatus{} }
+func (*PersistentVolumeClaimStatus) ProtoMessage() {}
+func (*PersistentVolumeClaimStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{100}
+}
+
+func (m *PersistentVolumeClaimVolumeSource) Reset()      { *m = PersistentVolumeClaimVolumeSource{} }
+func (*PersistentVolumeClaimVolumeSource) ProtoMessage() {}
+func (*PersistentVolumeClaimVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{101}
+}
+
+func (m *PersistentVolumeList) Reset()                    { *m = PersistentVolumeList{} }
+func (*PersistentVolumeList) ProtoMessage()               {}
+func (*PersistentVolumeList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{102} }
+
+func (m *PersistentVolumeSource) Reset()      { *m = PersistentVolumeSource{} }
+func (*PersistentVolumeSource) ProtoMessage() {}
+func (*PersistentVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{103}
+}
+
+func (m *PersistentVolumeSpec) Reset()                    { *m = PersistentVolumeSpec{} }
+func (*PersistentVolumeSpec) ProtoMessage()               {}
+func (*PersistentVolumeSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{104} }
+
+func (m *PersistentVolumeStatus) Reset()      { *m = PersistentVolumeStatus{} }
+func (*PersistentVolumeStatus) ProtoMessage() {}
+func (*PersistentVolumeStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{105}
+}
+
+func (m *PhotonPersistentDiskVolumeSource) Reset()      { *m = PhotonPersistentDiskVolumeSource{} }
+func (*PhotonPersistentDiskVolumeSource) ProtoMessage() {}
+func (*PhotonPersistentDiskVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{106}
+}
+
+func (m *Pod) Reset()                    { *m = Pod{} }
+func (*Pod) ProtoMessage()               {}
+func (*Pod) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{107} }
+
+func (m *PodAffinity) Reset()                    { *m = PodAffinity{} }
+func (*PodAffinity) ProtoMessage()               {}
+func (*PodAffinity) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{108} }
+
+func (m *PodAffinityTerm) Reset()                    { *m = PodAffinityTerm{} }
+func (*PodAffinityTerm) ProtoMessage()               {}
+func (*PodAffinityTerm) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{109} }
+
+func (m *PodAntiAffinity) Reset()                    { *m = PodAntiAffinity{} }
+func (*PodAntiAffinity) ProtoMessage()               {}
+func (*PodAntiAffinity) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{110} }
+
+func (m *PodAttachOptions) Reset()                    { *m = PodAttachOptions{} }
+func (*PodAttachOptions) ProtoMessage()               {}
+func (*PodAttachOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{111} }
+
+func (m *PodCondition) Reset()                    { *m = PodCondition{} }
+func (*PodCondition) ProtoMessage()               {}
+func (*PodCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{112} }
+
+func (m *PodExecOptions) Reset()                    { *m = PodExecOptions{} }
+func (*PodExecOptions) ProtoMessage()               {}
+func (*PodExecOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{113} }
+
+func (m *PodList) Reset()                    { *m = PodList{} }
+func (*PodList) ProtoMessage()               {}
+func (*PodList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{114} }
+
+func (m *PodLogOptions) Reset()                    { *m = PodLogOptions{} }
+func (*PodLogOptions) ProtoMessage()               {}
+func (*PodLogOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{115} }
+
+func (m *PodPortForwardOptions) Reset()                    { *m = PodPortForwardOptions{} }
+func (*PodPortForwardOptions) ProtoMessage()               {}
+func (*PodPortForwardOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{116} }
+
+func (m *PodProxyOptions) Reset()                    { *m = PodProxyOptions{} }
+func (*PodProxyOptions) ProtoMessage()               {}
+func (*PodProxyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{117} }
+
+func (m *PodSecurityContext) Reset()                    { *m = PodSecurityContext{} }
+func (*PodSecurityContext) ProtoMessage()               {}
+func (*PodSecurityContext) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{118} }
+
+func (m *PodSignature) Reset()                    { *m = PodSignature{} }
+func (*PodSignature) ProtoMessage()               {}
+func (*PodSignature) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{119} }
+
+func (m *PodSpec) Reset()                    { *m = PodSpec{} }
+func (*PodSpec) ProtoMessage()               {}
+func (*PodSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{120} }
+
+func (m *PodStatus) Reset()                    { *m = PodStatus{} }
+func (*PodStatus) ProtoMessage()               {}
+func (*PodStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{121} }
+
+func (m *PodStatusResult) Reset()                    { *m = PodStatusResult{} }
+func (*PodStatusResult) ProtoMessage()               {}
+func (*PodStatusResult) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{122} }
+
+func (m *PodTemplate) Reset()                    { *m = PodTemplate{} }
+func (*PodTemplate) ProtoMessage()               {}
+func (*PodTemplate) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{123} }
+
+func (m *PodTemplateList) Reset()                    { *m = PodTemplateList{} }
+func (*PodTemplateList) ProtoMessage()               {}
+func (*PodTemplateList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{124} }
+
+func (m *PodTemplateSpec) Reset()                    { *m = PodTemplateSpec{} }
+func (*PodTemplateSpec) ProtoMessage()               {}
+func (*PodTemplateSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{125} }
+
+func (m *PortworxVolumeSource) Reset()                    { *m = PortworxVolumeSource{} }
+func (*PortworxVolumeSource) ProtoMessage()               {}
+func (*PortworxVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{126} }
+
+func (m *Preconditions) Reset()                    { *m = Preconditions{} }
+func (*Preconditions) ProtoMessage()               {}
+func (*Preconditions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{127} }
+
+func (m *PreferAvoidPodsEntry) Reset()                    { *m = PreferAvoidPodsEntry{} }
+func (*PreferAvoidPodsEntry) ProtoMessage()               {}
+func (*PreferAvoidPodsEntry) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{128} }
+
+func (m *PreferredSchedulingTerm) Reset()      { *m = PreferredSchedulingTerm{} }
+func (*PreferredSchedulingTerm) ProtoMessage() {}
+func (*PreferredSchedulingTerm) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{129}
+}
+
+func (m *Probe) Reset()                    { *m = Probe{} }
+func (*Probe) ProtoMessage()               {}
+func (*Probe) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{130} }
+
+func (m *ProjectedVolumeSource) Reset()                    { *m = ProjectedVolumeSource{} }
+func (*ProjectedVolumeSource) ProtoMessage()               {}
+func (*ProjectedVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{131} }
+
+func (m *QuobyteVolumeSource) Reset()                    { *m = QuobyteVolumeSource{} }
+func (*QuobyteVolumeSource) ProtoMessage()               {}
+func (*QuobyteVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{132} }
+
+func (m *RBDVolumeSource) Reset()                    { *m = RBDVolumeSource{} }
+func (*RBDVolumeSource) ProtoMessage()               {}
+func (*RBDVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{133} }
+
+func (m *RangeAllocation) Reset()                    { *m = RangeAllocation{} }
+func (*RangeAllocation) ProtoMessage()               {}
+func (*RangeAllocation) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{134} }
+
+func (m *ReplicationController) Reset()                    { *m = ReplicationController{} }
+func (*ReplicationController) ProtoMessage()               {}
+func (*ReplicationController) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{135} }
+
+func (m *ReplicationControllerCondition) Reset()      { *m = ReplicationControllerCondition{} }
+func (*ReplicationControllerCondition) ProtoMessage() {}
+func (*ReplicationControllerCondition) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{136}
+}
+
+func (m *ReplicationControllerList) Reset()      { *m = ReplicationControllerList{} }
+func (*ReplicationControllerList) ProtoMessage() {}
+func (*ReplicationControllerList) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{137}
+}
+
+func (m *ReplicationControllerSpec) Reset()      { *m = ReplicationControllerSpec{} }
+func (*ReplicationControllerSpec) ProtoMessage() {}
+func (*ReplicationControllerSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{138}
+}
+
+func (m *ReplicationControllerStatus) Reset()      { *m = ReplicationControllerStatus{} }
+func (*ReplicationControllerStatus) ProtoMessage() {}
+func (*ReplicationControllerStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{139}
+}
+
+func (m *ResourceFieldSelector) Reset()                    { *m = ResourceFieldSelector{} }
+func (*ResourceFieldSelector) ProtoMessage()               {}
+func (*ResourceFieldSelector) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{140} }
+
+func (m *ResourceQuota) Reset()                    { *m = ResourceQuota{} }
+func (*ResourceQuota) ProtoMessage()               {}
+func (*ResourceQuota) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{141} }
+
+func (m *ResourceQuotaList) Reset()                    { *m = ResourceQuotaList{} }
+func (*ResourceQuotaList) ProtoMessage()               {}
+func (*ResourceQuotaList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{142} }
+
+func (m *ResourceQuotaSpec) Reset()                    { *m = ResourceQuotaSpec{} }
+func (*ResourceQuotaSpec) ProtoMessage()               {}
+func (*ResourceQuotaSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{143} }
+
+func (m *ResourceQuotaStatus) Reset()                    { *m = ResourceQuotaStatus{} }
+func (*ResourceQuotaStatus) ProtoMessage()               {}
+func (*ResourceQuotaStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{144} }
+
+func (m *ResourceRequirements) Reset()                    { *m = ResourceRequirements{} }
+func (*ResourceRequirements) ProtoMessage()               {}
+func (*ResourceRequirements) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{145} }
+
+func (m *SELinuxOptions) Reset()                    { *m = SELinuxOptions{} }
+func (*SELinuxOptions) ProtoMessage()               {}
+func (*SELinuxOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{146} }
+
+func (m *ScaleIOPersistentVolumeSource) Reset()      { *m = ScaleIOPersistentVolumeSource{} }
+func (*ScaleIOPersistentVolumeSource) ProtoMessage() {}
+func (*ScaleIOPersistentVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{147}
+}
+
+func (m *ScaleIOVolumeSource) Reset()                    { *m = ScaleIOVolumeSource{} }
+func (*ScaleIOVolumeSource) ProtoMessage()               {}
+func (*ScaleIOVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{148} }
+
+func (m *Secret) Reset()                    { *m = Secret{} }
+func (*Secret) ProtoMessage()               {}
+func (*Secret) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{149} }
+
+func (m *SecretEnvSource) Reset()                    { *m = SecretEnvSource{} }
+func (*SecretEnvSource) ProtoMessage()               {}
+func (*SecretEnvSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{150} }
+
+func (m *SecretKeySelector) Reset()                    { *m = SecretKeySelector{} }
+func (*SecretKeySelector) ProtoMessage()               {}
+func (*SecretKeySelector) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{151} }
+
+func (m *SecretList) Reset()                    { *m = SecretList{} }
+func (*SecretList) ProtoMessage()               {}
+func (*SecretList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{152} }
+
+func (m *SecretProjection) Reset()                    { *m = SecretProjection{} }
+func (*SecretProjection) ProtoMessage()               {}
+func (*SecretProjection) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{153} }
+
+func (m *SecretReference) Reset()                    { *m = SecretReference{} }
+func (*SecretReference) ProtoMessage()               {}
+func (*SecretReference) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{154} }
+
+func (m *SecretVolumeSource) Reset()                    { *m = SecretVolumeSource{} }
+func (*SecretVolumeSource) ProtoMessage()               {}
+func (*SecretVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{155} }
+
+func (m *SecurityContext) Reset()                    { *m = SecurityContext{} }
+func (*SecurityContext) ProtoMessage()               {}
+func (*SecurityContext) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{156} }
+
+func (m *SerializedReference) Reset()                    { *m = SerializedReference{} }
+func (*SerializedReference) ProtoMessage()               {}
+func (*SerializedReference) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{157} }
+
+func (m *Service) Reset()                    { *m = Service{} }
+func (*Service) ProtoMessage()               {}
+func (*Service) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{158} }
+
+func (m *ServiceAccount) Reset()                    { *m = ServiceAccount{} }
+func (*ServiceAccount) ProtoMessage()               {}
+func (*ServiceAccount) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{159} }
+
+func (m *ServiceAccountList) Reset()                    { *m = ServiceAccountList{} }
+func (*ServiceAccountList) ProtoMessage()               {}
+func (*ServiceAccountList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{160} }
+
+func (m *ServiceList) Reset()                    { *m = ServiceList{} }
+func (*ServiceList) ProtoMessage()               {}
+func (*ServiceList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{161} }
+
+func (m *ServicePort) Reset()                    { *m = ServicePort{} }
+func (*ServicePort) ProtoMessage()               {}
+func (*ServicePort) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{162} }
+
+func (m *ServiceProxyOptions) Reset()                    { *m = ServiceProxyOptions{} }
+func (*ServiceProxyOptions) ProtoMessage()               {}
+func (*ServiceProxyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{163} }
+
+func (m *ServiceSpec) Reset()                    { *m = ServiceSpec{} }
+func (*ServiceSpec) ProtoMessage()               {}
+func (*ServiceSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{164} }
+
+func (m *ServiceStatus) Reset()                    { *m = ServiceStatus{} }
+func (*ServiceStatus) ProtoMessage()               {}
+func (*ServiceStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{165} }
+
+func (m *SessionAffinityConfig) Reset()                    { *m = SessionAffinityConfig{} }
+func (*SessionAffinityConfig) ProtoMessage()               {}
+func (*SessionAffinityConfig) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{166} }
+
+func (m *StorageOSPersistentVolumeSource) Reset()      { *m = StorageOSPersistentVolumeSource{} }
+func (*StorageOSPersistentVolumeSource) ProtoMessage() {}
+func (*StorageOSPersistentVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{167}
+}
+
+func (m *StorageOSVolumeSource) Reset()                    { *m = StorageOSVolumeSource{} }
+func (*StorageOSVolumeSource) ProtoMessage()               {}
+func (*StorageOSVolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{168} }
+
+func (m *Sysctl) Reset()                    { *m = Sysctl{} }
+func (*Sysctl) ProtoMessage()               {}
+func (*Sysctl) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{169} }
+
+func (m *TCPSocketAction) Reset()                    { *m = TCPSocketAction{} }
+func (*TCPSocketAction) ProtoMessage()               {}
+func (*TCPSocketAction) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{170} }
+
+func (m *Taint) Reset()                    { *m = Taint{} }
+func (*Taint) ProtoMessage()               {}
+func (*Taint) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{171} }
+
+func (m *Toleration) Reset()                    { *m = Toleration{} }
+func (*Toleration) ProtoMessage()               {}
+func (*Toleration) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{172} }
+
+func (m *Volume) Reset()                    { *m = Volume{} }
+func (*Volume) ProtoMessage()               {}
+func (*Volume) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{173} }
+
+func (m *VolumeMount) Reset()                    { *m = VolumeMount{} }
+func (*VolumeMount) ProtoMessage()               {}
+func (*VolumeMount) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{174} }
+
+func (m *VolumeProjection) Reset()                    { *m = VolumeProjection{} }
+func (*VolumeProjection) ProtoMessage()               {}
+func (*VolumeProjection) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{175} }
+
+func (m *VolumeSource) Reset()                    { *m = VolumeSource{} }
+func (*VolumeSource) ProtoMessage()               {}
+func (*VolumeSource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{176} }
+
+func (m *VsphereVirtualDiskVolumeSource) Reset()      { *m = VsphereVirtualDiskVolumeSource{} }
+func (*VsphereVirtualDiskVolumeSource) ProtoMessage() {}
+func (*VsphereVirtualDiskVolumeSource) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{177}
+}
+
+func (m *WeightedPodAffinityTerm) Reset()      { *m = WeightedPodAffinityTerm{} }
+func (*WeightedPodAffinityTerm) ProtoMessage() {}
+func (*WeightedPodAffinityTerm) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{178}
+}
+
+func init() {
+	proto.RegisterType((*AWSElasticBlockStoreVolumeSource)(nil), "k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource")
+	proto.RegisterType((*Affinity)(nil), "k8s.io.api.core.v1.Affinity")
+	proto.RegisterType((*AttachedVolume)(nil), "k8s.io.api.core.v1.AttachedVolume")
+	proto.RegisterType((*AvoidPods)(nil), "k8s.io.api.core.v1.AvoidPods")
+	proto.RegisterType((*AzureDiskVolumeSource)(nil), "k8s.io.api.core.v1.AzureDiskVolumeSource")
+	proto.RegisterType((*AzureFilePersistentVolumeSource)(nil), "k8s.io.api.core.v1.AzureFilePersistentVolumeSource")
+	proto.RegisterType((*AzureFileVolumeSource)(nil), "k8s.io.api.core.v1.AzureFileVolumeSource")
+	proto.RegisterType((*Binding)(nil), "k8s.io.api.core.v1.Binding")
+	proto.RegisterType((*Capabilities)(nil), "k8s.io.api.core.v1.Capabilities")
+	proto.RegisterType((*CephFSPersistentVolumeSource)(nil), "k8s.io.api.core.v1.CephFSPersistentVolumeSource")
+	proto.RegisterType((*CephFSVolumeSource)(nil), "k8s.io.api.core.v1.CephFSVolumeSource")
+	proto.RegisterType((*CinderVolumeSource)(nil), "k8s.io.api.core.v1.CinderVolumeSource")
+	proto.RegisterType((*ClientIPConfig)(nil), "k8s.io.api.core.v1.ClientIPConfig")
+	proto.RegisterType((*ComponentCondition)(nil), "k8s.io.api.core.v1.ComponentCondition")
+	proto.RegisterType((*ComponentStatus)(nil), "k8s.io.api.core.v1.ComponentStatus")
+	proto.RegisterType((*ComponentStatusList)(nil), "k8s.io.api.core.v1.ComponentStatusList")
+	proto.RegisterType((*ConfigMap)(nil), "k8s.io.api.core.v1.ConfigMap")
+	proto.RegisterType((*ConfigMapEnvSource)(nil), "k8s.io.api.core.v1.ConfigMapEnvSource")
+	proto.RegisterType((*ConfigMapKeySelector)(nil), "k8s.io.api.core.v1.ConfigMapKeySelector")
+	proto.RegisterType((*ConfigMapList)(nil), "k8s.io.api.core.v1.ConfigMapList")
+	proto.RegisterType((*ConfigMapProjection)(nil), "k8s.io.api.core.v1.ConfigMapProjection")
+	proto.RegisterType((*ConfigMapVolumeSource)(nil), "k8s.io.api.core.v1.ConfigMapVolumeSource")
+	proto.RegisterType((*Container)(nil), "k8s.io.api.core.v1.Container")
+	proto.RegisterType((*ContainerImage)(nil), "k8s.io.api.core.v1.ContainerImage")
+	proto.RegisterType((*ContainerPort)(nil), "k8s.io.api.core.v1.ContainerPort")
+	proto.RegisterType((*ContainerState)(nil), "k8s.io.api.core.v1.ContainerState")
+	proto.RegisterType((*ContainerStateRunning)(nil), "k8s.io.api.core.v1.ContainerStateRunning")
+	proto.RegisterType((*ContainerStateTerminated)(nil), "k8s.io.api.core.v1.ContainerStateTerminated")
+	proto.RegisterType((*ContainerStateWaiting)(nil), "k8s.io.api.core.v1.ContainerStateWaiting")
+	proto.RegisterType((*ContainerStatus)(nil), "k8s.io.api.core.v1.ContainerStatus")
+	proto.RegisterType((*DaemonEndpoint)(nil), "k8s.io.api.core.v1.DaemonEndpoint")
+	proto.RegisterType((*DeleteOptions)(nil), "k8s.io.api.core.v1.DeleteOptions")
+	proto.RegisterType((*DownwardAPIProjection)(nil), "k8s.io.api.core.v1.DownwardAPIProjection")
+	proto.RegisterType((*DownwardAPIVolumeFile)(nil), "k8s.io.api.core.v1.DownwardAPIVolumeFile")
+	proto.RegisterType((*DownwardAPIVolumeSource)(nil), "k8s.io.api.core.v1.DownwardAPIVolumeSource")
+	proto.RegisterType((*EmptyDirVolumeSource)(nil), "k8s.io.api.core.v1.EmptyDirVolumeSource")
+	proto.RegisterType((*EndpointAddress)(nil), "k8s.io.api.core.v1.EndpointAddress")
+	proto.RegisterType((*EndpointPort)(nil), "k8s.io.api.core.v1.EndpointPort")
+	proto.RegisterType((*EndpointSubset)(nil), "k8s.io.api.core.v1.EndpointSubset")
+	proto.RegisterType((*Endpoints)(nil), "k8s.io.api.core.v1.Endpoints")
+	proto.RegisterType((*EndpointsList)(nil), "k8s.io.api.core.v1.EndpointsList")
+	proto.RegisterType((*EnvFromSource)(nil), "k8s.io.api.core.v1.EnvFromSource")
+	proto.RegisterType((*EnvVar)(nil), "k8s.io.api.core.v1.EnvVar")
+	proto.RegisterType((*EnvVarSource)(nil), "k8s.io.api.core.v1.EnvVarSource")
+	proto.RegisterType((*Event)(nil), "k8s.io.api.core.v1.Event")
+	proto.RegisterType((*EventList)(nil), "k8s.io.api.core.v1.EventList")
+	proto.RegisterType((*EventSource)(nil), "k8s.io.api.core.v1.EventSource")
+	proto.RegisterType((*ExecAction)(nil), "k8s.io.api.core.v1.ExecAction")
+	proto.RegisterType((*FCVolumeSource)(nil), "k8s.io.api.core.v1.FCVolumeSource")
+	proto.RegisterType((*FlexVolumeSource)(nil), "k8s.io.api.core.v1.FlexVolumeSource")
+	proto.RegisterType((*FlockerVolumeSource)(nil), "k8s.io.api.core.v1.FlockerVolumeSource")
+	proto.RegisterType((*GCEPersistentDiskVolumeSource)(nil), "k8s.io.api.core.v1.GCEPersistentDiskVolumeSource")
+	proto.RegisterType((*GitRepoVolumeSource)(nil), "k8s.io.api.core.v1.GitRepoVolumeSource")
+	proto.RegisterType((*GlusterfsVolumeSource)(nil), "k8s.io.api.core.v1.GlusterfsVolumeSource")
+	proto.RegisterType((*HTTPGetAction)(nil), "k8s.io.api.core.v1.HTTPGetAction")
+	proto.RegisterType((*HTTPHeader)(nil), "k8s.io.api.core.v1.HTTPHeader")
+	proto.RegisterType((*Handler)(nil), "k8s.io.api.core.v1.Handler")
+	proto.RegisterType((*HostAlias)(nil), "k8s.io.api.core.v1.HostAlias")
+	proto.RegisterType((*HostPathVolumeSource)(nil), "k8s.io.api.core.v1.HostPathVolumeSource")
+	proto.RegisterType((*ISCSIVolumeSource)(nil), "k8s.io.api.core.v1.ISCSIVolumeSource")
+	proto.RegisterType((*KeyToPath)(nil), "k8s.io.api.core.v1.KeyToPath")
+	proto.RegisterType((*Lifecycle)(nil), "k8s.io.api.core.v1.Lifecycle")
+	proto.RegisterType((*LimitRange)(nil), "k8s.io.api.core.v1.LimitRange")
+	proto.RegisterType((*LimitRangeItem)(nil), "k8s.io.api.core.v1.LimitRangeItem")
+	proto.RegisterType((*LimitRangeList)(nil), "k8s.io.api.core.v1.LimitRangeList")
+	proto.RegisterType((*LimitRangeSpec)(nil), "k8s.io.api.core.v1.LimitRangeSpec")
+	proto.RegisterType((*List)(nil), "k8s.io.api.core.v1.List")
+	proto.RegisterType((*ListOptions)(nil), "k8s.io.api.core.v1.ListOptions")
+	proto.RegisterType((*LoadBalancerIngress)(nil), "k8s.io.api.core.v1.LoadBalancerIngress")
+	proto.RegisterType((*LoadBalancerStatus)(nil), "k8s.io.api.core.v1.LoadBalancerStatus")
+	proto.RegisterType((*LocalObjectReference)(nil), "k8s.io.api.core.v1.LocalObjectReference")
+	proto.RegisterType((*LocalVolumeSource)(nil), "k8s.io.api.core.v1.LocalVolumeSource")
+	proto.RegisterType((*NFSVolumeSource)(nil), "k8s.io.api.core.v1.NFSVolumeSource")
+	proto.RegisterType((*Namespace)(nil), "k8s.io.api.core.v1.Namespace")
+	proto.RegisterType((*NamespaceList)(nil), "k8s.io.api.core.v1.NamespaceList")
+	proto.RegisterType((*NamespaceSpec)(nil), "k8s.io.api.core.v1.NamespaceSpec")
+	proto.RegisterType((*NamespaceStatus)(nil), "k8s.io.api.core.v1.NamespaceStatus")
+	proto.RegisterType((*Node)(nil), "k8s.io.api.core.v1.Node")
+	proto.RegisterType((*NodeAddress)(nil), "k8s.io.api.core.v1.NodeAddress")
+	proto.RegisterType((*NodeAffinity)(nil), "k8s.io.api.core.v1.NodeAffinity")
+	proto.RegisterType((*NodeCondition)(nil), "k8s.io.api.core.v1.NodeCondition")
+	proto.RegisterType((*NodeConfigSource)(nil), "k8s.io.api.core.v1.NodeConfigSource")
+	proto.RegisterType((*NodeDaemonEndpoints)(nil), "k8s.io.api.core.v1.NodeDaemonEndpoints")
+	proto.RegisterType((*NodeList)(nil), "k8s.io.api.core.v1.NodeList")
+	proto.RegisterType((*NodeProxyOptions)(nil), "k8s.io.api.core.v1.NodeProxyOptions")
+	proto.RegisterType((*NodeResources)(nil), "k8s.io.api.core.v1.NodeResources")
+	proto.RegisterType((*NodeSelector)(nil), "k8s.io.api.core.v1.NodeSelector")
+	proto.RegisterType((*NodeSelectorRequirement)(nil), "k8s.io.api.core.v1.NodeSelectorRequirement")
+	proto.RegisterType((*NodeSelectorTerm)(nil), "k8s.io.api.core.v1.NodeSelectorTerm")
+	proto.RegisterType((*NodeSpec)(nil), "k8s.io.api.core.v1.NodeSpec")
+	proto.RegisterType((*NodeStatus)(nil), "k8s.io.api.core.v1.NodeStatus")
+	proto.RegisterType((*NodeSystemInfo)(nil), "k8s.io.api.core.v1.NodeSystemInfo")
+	proto.RegisterType((*ObjectFieldSelector)(nil), "k8s.io.api.core.v1.ObjectFieldSelector")
+	proto.RegisterType((*ObjectMeta)(nil), "k8s.io.api.core.v1.ObjectMeta")
+	proto.RegisterType((*ObjectReference)(nil), "k8s.io.api.core.v1.ObjectReference")
+	proto.RegisterType((*PersistentVolume)(nil), "k8s.io.api.core.v1.PersistentVolume")
+	proto.RegisterType((*PersistentVolumeClaim)(nil), "k8s.io.api.core.v1.PersistentVolumeClaim")
+	proto.RegisterType((*PersistentVolumeClaimCondition)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimCondition")
+	proto.RegisterType((*PersistentVolumeClaimList)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimList")
+	proto.RegisterType((*PersistentVolumeClaimSpec)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimSpec")
+	proto.RegisterType((*PersistentVolumeClaimStatus)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimStatus")
+	proto.RegisterType((*PersistentVolumeClaimVolumeSource)(nil), "k8s.io.api.core.v1.PersistentVolumeClaimVolumeSource")
+	proto.RegisterType((*PersistentVolumeList)(nil), "k8s.io.api.core.v1.PersistentVolumeList")
+	proto.RegisterType((*PersistentVolumeSource)(nil), "k8s.io.api.core.v1.PersistentVolumeSource")
+	proto.RegisterType((*PersistentVolumeSpec)(nil), "k8s.io.api.core.v1.PersistentVolumeSpec")
+	proto.RegisterType((*PersistentVolumeStatus)(nil), "k8s.io.api.core.v1.PersistentVolumeStatus")
+	proto.RegisterType((*PhotonPersistentDiskVolumeSource)(nil), "k8s.io.api.core.v1.PhotonPersistentDiskVolumeSource")
+	proto.RegisterType((*Pod)(nil), "k8s.io.api.core.v1.Pod")
+	proto.RegisterType((*PodAffinity)(nil), "k8s.io.api.core.v1.PodAffinity")
+	proto.RegisterType((*PodAffinityTerm)(nil), "k8s.io.api.core.v1.PodAffinityTerm")
+	proto.RegisterType((*PodAntiAffinity)(nil), "k8s.io.api.core.v1.PodAntiAffinity")
+	proto.RegisterType((*PodAttachOptions)(nil), "k8s.io.api.core.v1.PodAttachOptions")
+	proto.RegisterType((*PodCondition)(nil), "k8s.io.api.core.v1.PodCondition")
+	proto.RegisterType((*PodExecOptions)(nil), "k8s.io.api.core.v1.PodExecOptions")
+	proto.RegisterType((*PodList)(nil), "k8s.io.api.core.v1.PodList")
+	proto.RegisterType((*PodLogOptions)(nil), "k8s.io.api.core.v1.PodLogOptions")
+	proto.RegisterType((*PodPortForwardOptions)(nil), "k8s.io.api.core.v1.PodPortForwardOptions")
+	proto.RegisterType((*PodProxyOptions)(nil), "k8s.io.api.core.v1.PodProxyOptions")
+	proto.RegisterType((*PodSecurityContext)(nil), "k8s.io.api.core.v1.PodSecurityContext")
+	proto.RegisterType((*PodSignature)(nil), "k8s.io.api.core.v1.PodSignature")
+	proto.RegisterType((*PodSpec)(nil), "k8s.io.api.core.v1.PodSpec")
+	proto.RegisterType((*PodStatus)(nil), "k8s.io.api.core.v1.PodStatus")
+	proto.RegisterType((*PodStatusResult)(nil), "k8s.io.api.core.v1.PodStatusResult")
+	proto.RegisterType((*PodTemplate)(nil), "k8s.io.api.core.v1.PodTemplate")
+	proto.RegisterType((*PodTemplateList)(nil), "k8s.io.api.core.v1.PodTemplateList")
+	proto.RegisterType((*PodTemplateSpec)(nil), "k8s.io.api.core.v1.PodTemplateSpec")
+	proto.RegisterType((*PortworxVolumeSource)(nil), "k8s.io.api.core.v1.PortworxVolumeSource")
+	proto.RegisterType((*Preconditions)(nil), "k8s.io.api.core.v1.Preconditions")
+	proto.RegisterType((*PreferAvoidPodsEntry)(nil), "k8s.io.api.core.v1.PreferAvoidPodsEntry")
+	proto.RegisterType((*PreferredSchedulingTerm)(nil), "k8s.io.api.core.v1.PreferredSchedulingTerm")
+	proto.RegisterType((*Probe)(nil), "k8s.io.api.core.v1.Probe")
+	proto.RegisterType((*ProjectedVolumeSource)(nil), "k8s.io.api.core.v1.ProjectedVolumeSource")
+	proto.RegisterType((*QuobyteVolumeSource)(nil), "k8s.io.api.core.v1.QuobyteVolumeSource")
+	proto.RegisterType((*RBDVolumeSource)(nil), "k8s.io.api.core.v1.RBDVolumeSource")
+	proto.RegisterType((*RangeAllocation)(nil), "k8s.io.api.core.v1.RangeAllocation")
+	proto.RegisterType((*ReplicationController)(nil), "k8s.io.api.core.v1.ReplicationController")
+	proto.RegisterType((*ReplicationControllerCondition)(nil), "k8s.io.api.core.v1.ReplicationControllerCondition")
+	proto.RegisterType((*ReplicationControllerList)(nil), "k8s.io.api.core.v1.ReplicationControllerList")
+	proto.RegisterType((*ReplicationControllerSpec)(nil), "k8s.io.api.core.v1.ReplicationControllerSpec")
+	proto.RegisterType((*ReplicationControllerStatus)(nil), "k8s.io.api.core.v1.ReplicationControllerStatus")
+	proto.RegisterType((*ResourceFieldSelector)(nil), "k8s.io.api.core.v1.ResourceFieldSelector")
+	proto.RegisterType((*ResourceQuota)(nil), "k8s.io.api.core.v1.ResourceQuota")
+	proto.RegisterType((*ResourceQuotaList)(nil), "k8s.io.api.core.v1.ResourceQuotaList")
+	proto.RegisterType((*ResourceQuotaSpec)(nil), "k8s.io.api.core.v1.ResourceQuotaSpec")
+	proto.RegisterType((*ResourceQuotaStatus)(nil), "k8s.io.api.core.v1.ResourceQuotaStatus")
+	proto.RegisterType((*ResourceRequirements)(nil), "k8s.io.api.core.v1.ResourceRequirements")
+	proto.RegisterType((*SELinuxOptions)(nil), "k8s.io.api.core.v1.SELinuxOptions")
+	proto.RegisterType((*ScaleIOPersistentVolumeSource)(nil), "k8s.io.api.core.v1.ScaleIOPersistentVolumeSource")
+	proto.RegisterType((*ScaleIOVolumeSource)(nil), "k8s.io.api.core.v1.ScaleIOVolumeSource")
+	proto.RegisterType((*Secret)(nil), "k8s.io.api.core.v1.Secret")
+	proto.RegisterType((*SecretEnvSource)(nil), "k8s.io.api.core.v1.SecretEnvSource")
+	proto.RegisterType((*SecretKeySelector)(nil), "k8s.io.api.core.v1.SecretKeySelector")
+	proto.RegisterType((*SecretList)(nil), "k8s.io.api.core.v1.SecretList")
+	proto.RegisterType((*SecretProjection)(nil), "k8s.io.api.core.v1.SecretProjection")
+	proto.RegisterType((*SecretReference)(nil), "k8s.io.api.core.v1.SecretReference")
+	proto.RegisterType((*SecretVolumeSource)(nil), "k8s.io.api.core.v1.SecretVolumeSource")
+	proto.RegisterType((*SecurityContext)(nil), "k8s.io.api.core.v1.SecurityContext")
+	proto.RegisterType((*SerializedReference)(nil), "k8s.io.api.core.v1.SerializedReference")
+	proto.RegisterType((*Service)(nil), "k8s.io.api.core.v1.Service")
+	proto.RegisterType((*ServiceAccount)(nil), "k8s.io.api.core.v1.ServiceAccount")
+	proto.RegisterType((*ServiceAccountList)(nil), "k8s.io.api.core.v1.ServiceAccountList")
+	proto.RegisterType((*ServiceList)(nil), "k8s.io.api.core.v1.ServiceList")
+	proto.RegisterType((*ServicePort)(nil), "k8s.io.api.core.v1.ServicePort")
+	proto.RegisterType((*ServiceProxyOptions)(nil), "k8s.io.api.core.v1.ServiceProxyOptions")
+	proto.RegisterType((*ServiceSpec)(nil), "k8s.io.api.core.v1.ServiceSpec")
+	proto.RegisterType((*ServiceStatus)(nil), "k8s.io.api.core.v1.ServiceStatus")
+	proto.RegisterType((*SessionAffinityConfig)(nil), "k8s.io.api.core.v1.SessionAffinityConfig")
+	proto.RegisterType((*StorageOSPersistentVolumeSource)(nil), "k8s.io.api.core.v1.StorageOSPersistentVolumeSource")
+	proto.RegisterType((*StorageOSVolumeSource)(nil), "k8s.io.api.core.v1.StorageOSVolumeSource")
+	proto.RegisterType((*Sysctl)(nil), "k8s.io.api.core.v1.Sysctl")
+	proto.RegisterType((*TCPSocketAction)(nil), "k8s.io.api.core.v1.TCPSocketAction")
+	proto.RegisterType((*Taint)(nil), "k8s.io.api.core.v1.Taint")
+	proto.RegisterType((*Toleration)(nil), "k8s.io.api.core.v1.Toleration")
+	proto.RegisterType((*Volume)(nil), "k8s.io.api.core.v1.Volume")
+	proto.RegisterType((*VolumeMount)(nil), "k8s.io.api.core.v1.VolumeMount")
+	proto.RegisterType((*VolumeProjection)(nil), "k8s.io.api.core.v1.VolumeProjection")
+	proto.RegisterType((*VolumeSource)(nil), "k8s.io.api.core.v1.VolumeSource")
+	proto.RegisterType((*VsphereVirtualDiskVolumeSource)(nil), "k8s.io.api.core.v1.VsphereVirtualDiskVolumeSource")
+	proto.RegisterType((*WeightedPodAffinityTerm)(nil), "k8s.io.api.core.v1.WeightedPodAffinityTerm")
+}
+func (m *AWSElasticBlockStoreVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AWSElasticBlockStoreVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumeID)))
+	i += copy(dAtA[i:], m.VolumeID)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Partition))
+	dAtA[i] = 0x20
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *Affinity) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Affinity) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.NodeAffinity != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.NodeAffinity.Size()))
+		n1, err := m.NodeAffinity.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n1
+	}
+	if m.PodAffinity != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PodAffinity.Size()))
+		n2, err := m.PodAffinity.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n2
+	}
+	if m.PodAntiAffinity != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PodAntiAffinity.Size()))
+		n3, err := m.PodAntiAffinity.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n3
+	}
+	return i, nil
+}
+
+func (m *AttachedVolume) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AttachedVolume) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.DevicePath)))
+	i += copy(dAtA[i:], m.DevicePath)
+	return i, nil
+}
+
+func (m *AvoidPods) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AvoidPods) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.PreferAvoidPods) > 0 {
+		for _, msg := range m.PreferAvoidPods {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *AzureDiskVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AzureDiskVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.DiskName)))
+	i += copy(dAtA[i:], m.DiskName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.DataDiskURI)))
+	i += copy(dAtA[i:], m.DataDiskURI)
+	if m.CachingMode != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.CachingMode)))
+		i += copy(dAtA[i:], *m.CachingMode)
+	}
+	if m.FSType != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.FSType)))
+		i += copy(dAtA[i:], *m.FSType)
+	}
+	if m.ReadOnly != nil {
+		dAtA[i] = 0x28
+		i++
+		if *m.ReadOnly {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.Kind != nil {
+		dAtA[i] = 0x32
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Kind)))
+		i += copy(dAtA[i:], *m.Kind)
+	}
+	return i, nil
+}
+
+func (m *AzureFilePersistentVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AzureFilePersistentVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SecretName)))
+	i += copy(dAtA[i:], m.SecretName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ShareName)))
+	i += copy(dAtA[i:], m.ShareName)
+	dAtA[i] = 0x18
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.SecretNamespace != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.SecretNamespace)))
+		i += copy(dAtA[i:], *m.SecretNamespace)
+	}
+	return i, nil
+}
+
+func (m *AzureFileVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AzureFileVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SecretName)))
+	i += copy(dAtA[i:], m.SecretName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ShareName)))
+	i += copy(dAtA[i:], m.ShareName)
+	dAtA[i] = 0x18
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *Binding) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Binding) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n4, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Target.Size()))
+	n5, err := m.Target.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	return i, nil
+}
+
+func (m *Capabilities) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Capabilities) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Add) > 0 {
+		for _, s := range m.Add {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Drop) > 0 {
+		for _, s := range m.Drop {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *CephFSPersistentVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CephFSPersistentVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Monitors) > 0 {
+		for _, s := range m.Monitors {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.User)))
+	i += copy(dAtA[i:], m.User)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SecretFile)))
+	i += copy(dAtA[i:], m.SecretFile)
+	if m.SecretRef != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretRef.Size()))
+		n6, err := m.SecretRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n6
+	}
+	dAtA[i] = 0x30
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *CephFSVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CephFSVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Monitors) > 0 {
+		for _, s := range m.Monitors {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.User)))
+	i += copy(dAtA[i:], m.User)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SecretFile)))
+	i += copy(dAtA[i:], m.SecretFile)
+	if m.SecretRef != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretRef.Size()))
+		n7, err := m.SecretRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	dAtA[i] = 0x30
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *CinderVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CinderVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumeID)))
+	i += copy(dAtA[i:], m.VolumeID)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x18
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *ClientIPConfig) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClientIPConfig) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.TimeoutSeconds != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TimeoutSeconds))
+	}
+	return i, nil
+}
+
+func (m *ComponentCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ComponentCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Error)))
+	i += copy(dAtA[i:], m.Error)
+	return i, nil
+}
+
+func (m *ComponentStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ComponentStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n8, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n8
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ComponentStatusList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ComponentStatusList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n9, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ConfigMap) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ConfigMap) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n10, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	if len(m.Data) > 0 {
+		keysForData := make([]string, 0, len(m.Data))
+		for k := range m.Data {
+			keysForData = append(keysForData, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForData)
+		for _, k := range keysForData {
+			dAtA[i] = 0x12
+			i++
+			v := m.Data[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *ConfigMapEnvSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ConfigMapEnvSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LocalObjectReference.Size()))
+	n11, err := m.LocalObjectReference.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n11
+	if m.Optional != nil {
+		dAtA[i] = 0x10
+		i++
+		if *m.Optional {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *ConfigMapKeySelector) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ConfigMapKeySelector) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LocalObjectReference.Size()))
+	n12, err := m.LocalObjectReference.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n12
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i += copy(dAtA[i:], m.Key)
+	if m.Optional != nil {
+		dAtA[i] = 0x18
+		i++
+		if *m.Optional {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *ConfigMapList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ConfigMapList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n13, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n13
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ConfigMapProjection) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ConfigMapProjection) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LocalObjectReference.Size()))
+	n14, err := m.LocalObjectReference.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n14
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.Optional != nil {
+		dAtA[i] = 0x20
+		i++
+		if *m.Optional {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *ConfigMapVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ConfigMapVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LocalObjectReference.Size()))
+	n15, err := m.LocalObjectReference.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n15
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.DefaultMode != nil {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.DefaultMode))
+	}
+	if m.Optional != nil {
+		dAtA[i] = 0x20
+		i++
+		if *m.Optional {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *Container) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Container) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Image)))
+	i += copy(dAtA[i:], m.Image)
+	if len(m.Command) > 0 {
+		for _, s := range m.Command {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Args) > 0 {
+		for _, s := range m.Args {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.WorkingDir)))
+	i += copy(dAtA[i:], m.WorkingDir)
+	if len(m.Ports) > 0 {
+		for _, msg := range m.Ports {
+			dAtA[i] = 0x32
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Env) > 0 {
+		for _, msg := range m.Env {
+			dAtA[i] = 0x3a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Resources.Size()))
+	n16, err := m.Resources.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n16
+	if len(m.VolumeMounts) > 0 {
+		for _, msg := range m.VolumeMounts {
+			dAtA[i] = 0x4a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.LivenessProbe != nil {
+		dAtA[i] = 0x52
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.LivenessProbe.Size()))
+		n17, err := m.LivenessProbe.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n17
+	}
+	if m.ReadinessProbe != nil {
+		dAtA[i] = 0x5a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ReadinessProbe.Size()))
+		n18, err := m.ReadinessProbe.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n18
+	}
+	if m.Lifecycle != nil {
+		dAtA[i] = 0x62
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Lifecycle.Size()))
+		n19, err := m.Lifecycle.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n19
+	}
+	dAtA[i] = 0x6a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.TerminationMessagePath)))
+	i += copy(dAtA[i:], m.TerminationMessagePath)
+	dAtA[i] = 0x72
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ImagePullPolicy)))
+	i += copy(dAtA[i:], m.ImagePullPolicy)
+	if m.SecurityContext != nil {
+		dAtA[i] = 0x7a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecurityContext.Size()))
+		n20, err := m.SecurityContext.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n20
+	}
+	dAtA[i] = 0x80
+	i++
+	dAtA[i] = 0x1
+	i++
+	if m.Stdin {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x88
+	i++
+	dAtA[i] = 0x1
+	i++
+	if m.StdinOnce {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x90
+	i++
+	dAtA[i] = 0x1
+	i++
+	if m.TTY {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if len(m.EnvFrom) > 0 {
+		for _, msg := range m.EnvFrom {
+			dAtA[i] = 0x9a
+			i++
+			dAtA[i] = 0x1
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0xa2
+	i++
+	dAtA[i] = 0x1
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.TerminationMessagePolicy)))
+	i += copy(dAtA[i:], m.TerminationMessagePolicy)
+	return i, nil
+}
+
+func (m *ContainerImage) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ContainerImage) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Names) > 0 {
+		for _, s := range m.Names {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.SizeBytes))
+	return i, nil
+}
+
+func (m *ContainerPort) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ContainerPort) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.HostPort))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ContainerPort))
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Protocol)))
+	i += copy(dAtA[i:], m.Protocol)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.HostIP)))
+	i += copy(dAtA[i:], m.HostIP)
+	return i, nil
+}
+
+func (m *ContainerState) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ContainerState) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Waiting != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Waiting.Size()))
+		n21, err := m.Waiting.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n21
+	}
+	if m.Running != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Running.Size()))
+		n22, err := m.Running.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n22
+	}
+	if m.Terminated != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Terminated.Size()))
+		n23, err := m.Terminated.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n23
+	}
+	return i, nil
+}
+
+func (m *ContainerStateRunning) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ContainerStateRunning) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.StartedAt.Size()))
+	n24, err := m.StartedAt.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n24
+	return i, nil
+}
+
+func (m *ContainerStateTerminated) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ContainerStateTerminated) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ExitCode))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Signal))
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.StartedAt.Size()))
+	n25, err := m.StartedAt.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n25
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.FinishedAt.Size()))
+	n26, err := m.FinishedAt.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n26
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ContainerID)))
+	i += copy(dAtA[i:], m.ContainerID)
+	return i, nil
+}
+
+func (m *ContainerStateWaiting) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ContainerStateWaiting) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *ContainerStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ContainerStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.State.Size()))
+	n27, err := m.State.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n27
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTerminationState.Size()))
+	n28, err := m.LastTerminationState.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n28
+	dAtA[i] = 0x20
+	i++
+	if m.Ready {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RestartCount))
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Image)))
+	i += copy(dAtA[i:], m.Image)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ImageID)))
+	i += copy(dAtA[i:], m.ImageID)
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ContainerID)))
+	i += copy(dAtA[i:], m.ContainerID)
+	return i, nil
+}
+
+func (m *DaemonEndpoint) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonEndpoint) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Port))
+	return i, nil
+}
+
+func (m *DeleteOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeleteOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.GracePeriodSeconds != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.GracePeriodSeconds))
+	}
+	if m.Preconditions != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Preconditions.Size()))
+		n29, err := m.Preconditions.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n29
+	}
+	if m.OrphanDependents != nil {
+		dAtA[i] = 0x18
+		i++
+		if *m.OrphanDependents {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.PropagationPolicy != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.PropagationPolicy)))
+		i += copy(dAtA[i:], *m.PropagationPolicy)
+	}
+	return i, nil
+}
+
+func (m *DownwardAPIProjection) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DownwardAPIProjection) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *DownwardAPIVolumeFile) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DownwardAPIVolumeFile) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	if m.FieldRef != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.FieldRef.Size()))
+		n30, err := m.FieldRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n30
+	}
+	if m.ResourceFieldRef != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ResourceFieldRef.Size()))
+		n31, err := m.ResourceFieldRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n31
+	}
+	if m.Mode != nil {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Mode))
+	}
+	return i, nil
+}
+
+func (m *DownwardAPIVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DownwardAPIVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.DefaultMode != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.DefaultMode))
+	}
+	return i, nil
+}
+
+func (m *EmptyDirVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EmptyDirVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Medium)))
+	i += copy(dAtA[i:], m.Medium)
+	if m.SizeLimit != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SizeLimit.Size()))
+		n32, err := m.SizeLimit.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n32
+	}
+	return i, nil
+}
+
+func (m *EndpointAddress) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EndpointAddress) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.IP)))
+	i += copy(dAtA[i:], m.IP)
+	if m.TargetRef != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.TargetRef.Size()))
+		n33, err := m.TargetRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n33
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Hostname)))
+	i += copy(dAtA[i:], m.Hostname)
+	if m.NodeName != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.NodeName)))
+		i += copy(dAtA[i:], *m.NodeName)
+	}
+	return i, nil
+}
+
+func (m *EndpointPort) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EndpointPort) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Port))
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Protocol)))
+	i += copy(dAtA[i:], m.Protocol)
+	return i, nil
+}
+
+func (m *EndpointSubset) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EndpointSubset) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Addresses) > 0 {
+		for _, msg := range m.Addresses {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.NotReadyAddresses) > 0 {
+		for _, msg := range m.NotReadyAddresses {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Ports) > 0 {
+		for _, msg := range m.Ports {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *Endpoints) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Endpoints) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n34, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n34
+	if len(m.Subsets) > 0 {
+		for _, msg := range m.Subsets {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *EndpointsList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EndpointsList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n35, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n35
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *EnvFromSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EnvFromSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Prefix)))
+	i += copy(dAtA[i:], m.Prefix)
+	if m.ConfigMapRef != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ConfigMapRef.Size()))
+		n36, err := m.ConfigMapRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n36
+	}
+	if m.SecretRef != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretRef.Size()))
+		n37, err := m.SecretRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n37
+	}
+	return i, nil
+}
+
+func (m *EnvVar) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EnvVar) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Value)))
+	i += copy(dAtA[i:], m.Value)
+	if m.ValueFrom != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ValueFrom.Size()))
+		n38, err := m.ValueFrom.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n38
+	}
+	return i, nil
+}
+
+func (m *EnvVarSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EnvVarSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.FieldRef != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.FieldRef.Size()))
+		n39, err := m.FieldRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n39
+	}
+	if m.ResourceFieldRef != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ResourceFieldRef.Size()))
+		n40, err := m.ResourceFieldRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n40
+	}
+	if m.ConfigMapKeyRef != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ConfigMapKeyRef.Size()))
+		n41, err := m.ConfigMapKeyRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n41
+	}
+	if m.SecretKeyRef != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretKeyRef.Size()))
+		n42, err := m.SecretKeyRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n42
+	}
+	return i, nil
+}
+
+func (m *Event) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Event) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n43, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n43
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.InvolvedObject.Size()))
+	n44, err := m.InvolvedObject.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n44
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Source.Size()))
+	n45, err := m.Source.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n45
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.FirstTimestamp.Size()))
+	n46, err := m.FirstTimestamp.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n46
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTimestamp.Size()))
+	n47, err := m.LastTimestamp.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n47
+	dAtA[i] = 0x40
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Count))
+	dAtA[i] = 0x4a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	return i, nil
+}
+
+func (m *EventList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EventList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n48, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n48
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *EventSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *EventSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Component)))
+	i += copy(dAtA[i:], m.Component)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Host)))
+	i += copy(dAtA[i:], m.Host)
+	return i, nil
+}
+
+func (m *ExecAction) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ExecAction) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Command) > 0 {
+		for _, s := range m.Command {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *FCVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *FCVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.TargetWWNs) > 0 {
+		for _, s := range m.TargetWWNs {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if m.Lun != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Lun))
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x20
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if len(m.WWIDs) > 0 {
+		for _, s := range m.WWIDs {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *FlexVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *FlexVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Driver)))
+	i += copy(dAtA[i:], m.Driver)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	if m.SecretRef != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretRef.Size()))
+		n49, err := m.SecretRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n49
+	}
+	dAtA[i] = 0x20
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if len(m.Options) > 0 {
+		keysForOptions := make([]string, 0, len(m.Options))
+		for k := range m.Options {
+			keysForOptions = append(keysForOptions, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForOptions)
+		for _, k := range keysForOptions {
+			dAtA[i] = 0x2a
+			i++
+			v := m.Options[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *FlockerVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *FlockerVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.DatasetName)))
+	i += copy(dAtA[i:], m.DatasetName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.DatasetUUID)))
+	i += copy(dAtA[i:], m.DatasetUUID)
+	return i, nil
+}
+
+func (m *GCEPersistentDiskVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GCEPersistentDiskVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PDName)))
+	i += copy(dAtA[i:], m.PDName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Partition))
+	dAtA[i] = 0x20
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *GitRepoVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GitRepoVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Repository)))
+	i += copy(dAtA[i:], m.Repository)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Revision)))
+	i += copy(dAtA[i:], m.Revision)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Directory)))
+	i += copy(dAtA[i:], m.Directory)
+	return i, nil
+}
+
+func (m *GlusterfsVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GlusterfsVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.EndpointsName)))
+	i += copy(dAtA[i:], m.EndpointsName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	dAtA[i] = 0x18
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *HTTPGetAction) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HTTPGetAction) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Port.Size()))
+	n50, err := m.Port.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n50
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Host)))
+	i += copy(dAtA[i:], m.Host)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Scheme)))
+	i += copy(dAtA[i:], m.Scheme)
+	if len(m.HTTPHeaders) > 0 {
+		for _, msg := range m.HTTPHeaders {
+			dAtA[i] = 0x2a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *HTTPHeader) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HTTPHeader) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Value)))
+	i += copy(dAtA[i:], m.Value)
+	return i, nil
+}
+
+func (m *Handler) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Handler) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Exec != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Exec.Size()))
+		n51, err := m.Exec.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n51
+	}
+	if m.HTTPGet != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.HTTPGet.Size()))
+		n52, err := m.HTTPGet.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n52
+	}
+	if m.TCPSocket != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.TCPSocket.Size()))
+		n53, err := m.TCPSocket.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n53
+	}
+	return i, nil
+}
+
+func (m *HostAlias) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HostAlias) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.IP)))
+	i += copy(dAtA[i:], m.IP)
+	if len(m.Hostnames) > 0 {
+		for _, s := range m.Hostnames {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *HostPathVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HostPathVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	if m.Type != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Type)))
+		i += copy(dAtA[i:], *m.Type)
+	}
+	return i, nil
+}
+
+func (m *ISCSIVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ISCSIVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.TargetPortal)))
+	i += copy(dAtA[i:], m.TargetPortal)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.IQN)))
+	i += copy(dAtA[i:], m.IQN)
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Lun))
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ISCSIInterface)))
+	i += copy(dAtA[i:], m.ISCSIInterface)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x30
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if len(m.Portals) > 0 {
+		for _, s := range m.Portals {
+			dAtA[i] = 0x3a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x40
+	i++
+	if m.DiscoveryCHAPAuth {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.SecretRef != nil {
+		dAtA[i] = 0x52
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretRef.Size()))
+		n54, err := m.SecretRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n54
+	}
+	dAtA[i] = 0x58
+	i++
+	if m.SessionCHAPAuth {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.InitiatorName != nil {
+		dAtA[i] = 0x62
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.InitiatorName)))
+		i += copy(dAtA[i:], *m.InitiatorName)
+	}
+	return i, nil
+}
+
+func (m *KeyToPath) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *KeyToPath) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i += copy(dAtA[i:], m.Key)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	if m.Mode != nil {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Mode))
+	}
+	return i, nil
+}
+
+func (m *Lifecycle) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Lifecycle) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.PostStart != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PostStart.Size()))
+		n55, err := m.PostStart.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n55
+	}
+	if m.PreStop != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PreStop.Size()))
+		n56, err := m.PreStop.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n56
+	}
+	return i, nil
+}
+
+func (m *LimitRange) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LimitRange) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n57, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n57
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n58, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n58
+	return i, nil
+}
+
+func (m *LimitRangeItem) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LimitRangeItem) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if len(m.Max) > 0 {
+		keysForMax := make([]string, 0, len(m.Max))
+		for k := range m.Max {
+			keysForMax = append(keysForMax, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForMax)
+		for _, k := range keysForMax {
+			dAtA[i] = 0x12
+			i++
+			v := m.Max[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n59, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n59
+		}
+	}
+	if len(m.Min) > 0 {
+		keysForMin := make([]string, 0, len(m.Min))
+		for k := range m.Min {
+			keysForMin = append(keysForMin, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForMin)
+		for _, k := range keysForMin {
+			dAtA[i] = 0x1a
+			i++
+			v := m.Min[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n60, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n60
+		}
+	}
+	if len(m.Default) > 0 {
+		keysForDefault := make([]string, 0, len(m.Default))
+		for k := range m.Default {
+			keysForDefault = append(keysForDefault, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForDefault)
+		for _, k := range keysForDefault {
+			dAtA[i] = 0x22
+			i++
+			v := m.Default[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n61, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n61
+		}
+	}
+	if len(m.DefaultRequest) > 0 {
+		keysForDefaultRequest := make([]string, 0, len(m.DefaultRequest))
+		for k := range m.DefaultRequest {
+			keysForDefaultRequest = append(keysForDefaultRequest, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForDefaultRequest)
+		for _, k := range keysForDefaultRequest {
+			dAtA[i] = 0x2a
+			i++
+			v := m.DefaultRequest[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n62, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n62
+		}
+	}
+	if len(m.MaxLimitRequestRatio) > 0 {
+		keysForMaxLimitRequestRatio := make([]string, 0, len(m.MaxLimitRequestRatio))
+		for k := range m.MaxLimitRequestRatio {
+			keysForMaxLimitRequestRatio = append(keysForMaxLimitRequestRatio, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForMaxLimitRequestRatio)
+		for _, k := range keysForMaxLimitRequestRatio {
+			dAtA[i] = 0x32
+			i++
+			v := m.MaxLimitRequestRatio[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n63, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n63
+		}
+	}
+	return i, nil
+}
+
+func (m *LimitRangeList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LimitRangeList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n64, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n64
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *LimitRangeSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LimitRangeSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Limits) > 0 {
+		for _, msg := range m.Limits {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *List) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *List) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n65, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n65
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ListOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ListOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.LabelSelector)))
+	i += copy(dAtA[i:], m.LabelSelector)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FieldSelector)))
+	i += copy(dAtA[i:], m.FieldSelector)
+	dAtA[i] = 0x18
+	i++
+	if m.Watch {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ResourceVersion)))
+	i += copy(dAtA[i:], m.ResourceVersion)
+	if m.TimeoutSeconds != nil {
+		dAtA[i] = 0x28
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TimeoutSeconds))
+	}
+	dAtA[i] = 0x30
+	i++
+	if m.IncludeUninitialized {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *LoadBalancerIngress) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LoadBalancerIngress) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.IP)))
+	i += copy(dAtA[i:], m.IP)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Hostname)))
+	i += copy(dAtA[i:], m.Hostname)
+	return i, nil
+}
+
+func (m *LoadBalancerStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LoadBalancerStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ingress) > 0 {
+		for _, msg := range m.Ingress {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *LocalObjectReference) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LocalObjectReference) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	return i, nil
+}
+
+func (m *LocalVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LocalVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	return i, nil
+}
+
+func (m *NFSVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NFSVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Server)))
+	i += copy(dAtA[i:], m.Server)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	dAtA[i] = 0x18
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *Namespace) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Namespace) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n66, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n66
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n67, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n67
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n68, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n68
+	return i, nil
+}
+
+func (m *NamespaceList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NamespaceList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n69, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n69
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NamespaceSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NamespaceSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Finalizers) > 0 {
+		for _, s := range m.Finalizers {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *NamespaceStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NamespaceStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Phase)))
+	i += copy(dAtA[i:], m.Phase)
+	return i, nil
+}
+
+func (m *Node) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Node) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n70, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n70
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n71, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n71
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n72, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n72
+	return i, nil
+}
+
+func (m *NodeAddress) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeAddress) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Address)))
+	i += copy(dAtA[i:], m.Address)
+	return i, nil
+}
+
+func (m *NodeAffinity) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeAffinity) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.RequiredDuringSchedulingIgnoredDuringExecution != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RequiredDuringSchedulingIgnoredDuringExecution.Size()))
+		n73, err := m.RequiredDuringSchedulingIgnoredDuringExecution.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n73
+	}
+	if len(m.PreferredDuringSchedulingIgnoredDuringExecution) > 0 {
+		for _, msg := range m.PreferredDuringSchedulingIgnoredDuringExecution {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NodeCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastHeartbeatTime.Size()))
+	n74, err := m.LastHeartbeatTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n74
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n75, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n75
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *NodeConfigSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeConfigSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.ConfigMapRef != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ConfigMapRef.Size()))
+		n76, err := m.ConfigMapRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n76
+	}
+	return i, nil
+}
+
+func (m *NodeDaemonEndpoints) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeDaemonEndpoints) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.KubeletEndpoint.Size()))
+	n77, err := m.KubeletEndpoint.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n77
+	return i, nil
+}
+
+func (m *NodeList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n78, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n78
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NodeProxyOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeProxyOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	return i, nil
+}
+
+func (m *NodeResources) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeResources) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Capacity) > 0 {
+		keysForCapacity := make([]string, 0, len(m.Capacity))
+		for k := range m.Capacity {
+			keysForCapacity = append(keysForCapacity, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+		for _, k := range keysForCapacity {
+			dAtA[i] = 0xa
+			i++
+			v := m.Capacity[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n79, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n79
+		}
+	}
+	return i, nil
+}
+
+func (m *NodeSelector) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeSelector) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.NodeSelectorTerms) > 0 {
+		for _, msg := range m.NodeSelectorTerms {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NodeSelectorRequirement) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeSelectorRequirement) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i += copy(dAtA[i:], m.Key)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Operator)))
+	i += copy(dAtA[i:], m.Operator)
+	if len(m.Values) > 0 {
+		for _, s := range m.Values {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *NodeSelectorTerm) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeSelectorTerm) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.MatchExpressions) > 0 {
+		for _, msg := range m.MatchExpressions {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NodeSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PodCIDR)))
+	i += copy(dAtA[i:], m.PodCIDR)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ExternalID)))
+	i += copy(dAtA[i:], m.ExternalID)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ProviderID)))
+	i += copy(dAtA[i:], m.ProviderID)
+	dAtA[i] = 0x20
+	i++
+	if m.Unschedulable {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if len(m.Taints) > 0 {
+		for _, msg := range m.Taints {
+			dAtA[i] = 0x2a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.ConfigSource != nil {
+		dAtA[i] = 0x32
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ConfigSource.Size()))
+		n80, err := m.ConfigSource.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n80
+	}
+	return i, nil
+}
+
+func (m *NodeStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Capacity) > 0 {
+		keysForCapacity := make([]string, 0, len(m.Capacity))
+		for k := range m.Capacity {
+			keysForCapacity = append(keysForCapacity, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+		for _, k := range keysForCapacity {
+			dAtA[i] = 0xa
+			i++
+			v := m.Capacity[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n81, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n81
+		}
+	}
+	if len(m.Allocatable) > 0 {
+		keysForAllocatable := make([]string, 0, len(m.Allocatable))
+		for k := range m.Allocatable {
+			keysForAllocatable = append(keysForAllocatable, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForAllocatable)
+		for _, k := range keysForAllocatable {
+			dAtA[i] = 0x12
+			i++
+			v := m.Allocatable[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n82, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n82
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Phase)))
+	i += copy(dAtA[i:], m.Phase)
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x22
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Addresses) > 0 {
+		for _, msg := range m.Addresses {
+			dAtA[i] = 0x2a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.DaemonEndpoints.Size()))
+	n83, err := m.DaemonEndpoints.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n83
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.NodeInfo.Size()))
+	n84, err := m.NodeInfo.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n84
+	if len(m.Images) > 0 {
+		for _, msg := range m.Images {
+			dAtA[i] = 0x42
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.VolumesInUse) > 0 {
+		for _, s := range m.VolumesInUse {
+			dAtA[i] = 0x4a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.VolumesAttached) > 0 {
+		for _, msg := range m.VolumesAttached {
+			dAtA[i] = 0x52
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NodeSystemInfo) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NodeSystemInfo) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MachineID)))
+	i += copy(dAtA[i:], m.MachineID)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SystemUUID)))
+	i += copy(dAtA[i:], m.SystemUUID)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.BootID)))
+	i += copy(dAtA[i:], m.BootID)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.KernelVersion)))
+	i += copy(dAtA[i:], m.KernelVersion)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.OSImage)))
+	i += copy(dAtA[i:], m.OSImage)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ContainerRuntimeVersion)))
+	i += copy(dAtA[i:], m.ContainerRuntimeVersion)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.KubeletVersion)))
+	i += copy(dAtA[i:], m.KubeletVersion)
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.KubeProxyVersion)))
+	i += copy(dAtA[i:], m.KubeProxyVersion)
+	dAtA[i] = 0x4a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.OperatingSystem)))
+	i += copy(dAtA[i:], m.OperatingSystem)
+	dAtA[i] = 0x52
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Architecture)))
+	i += copy(dAtA[i:], m.Architecture)
+	return i, nil
+}
+
+func (m *ObjectFieldSelector) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ObjectFieldSelector) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIVersion)))
+	i += copy(dAtA[i:], m.APIVersion)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FieldPath)))
+	i += copy(dAtA[i:], m.FieldPath)
+	return i, nil
+}
+
+func (m *ObjectMeta) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ObjectMeta) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.GenerateName)))
+	i += copy(dAtA[i:], m.GenerateName)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SelfLink)))
+	i += copy(dAtA[i:], m.SelfLink)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID)))
+	i += copy(dAtA[i:], m.UID)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ResourceVersion)))
+	i += copy(dAtA[i:], m.ResourceVersion)
+	dAtA[i] = 0x38
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Generation))
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CreationTimestamp.Size()))
+	n85, err := m.CreationTimestamp.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n85
+	if m.DeletionTimestamp != nil {
+		dAtA[i] = 0x4a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.DeletionTimestamp.Size()))
+		n86, err := m.DeletionTimestamp.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n86
+	}
+	if m.DeletionGracePeriodSeconds != nil {
+		dAtA[i] = 0x50
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.DeletionGracePeriodSeconds))
+	}
+	if len(m.Labels) > 0 {
+		keysForLabels := make([]string, 0, len(m.Labels))
+		for k := range m.Labels {
+			keysForLabels = append(keysForLabels, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForLabels)
+		for _, k := range keysForLabels {
+			dAtA[i] = 0x5a
+			i++
+			v := m.Labels[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.Annotations) > 0 {
+		keysForAnnotations := make([]string, 0, len(m.Annotations))
+		for k := range m.Annotations {
+			keysForAnnotations = append(keysForAnnotations, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+		for _, k := range keysForAnnotations {
+			dAtA[i] = 0x62
+			i++
+			v := m.Annotations[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.OwnerReferences) > 0 {
+		for _, msg := range m.OwnerReferences {
+			dAtA[i] = 0x6a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Finalizers) > 0 {
+		for _, s := range m.Finalizers {
+			dAtA[i] = 0x72
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x7a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ClusterName)))
+	i += copy(dAtA[i:], m.ClusterName)
+	if m.Initializers != nil {
+		dAtA[i] = 0x82
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Initializers.Size()))
+		n87, err := m.Initializers.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n87
+	}
+	return i, nil
+}
+
+func (m *ObjectReference) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ObjectReference) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID)))
+	i += copy(dAtA[i:], m.UID)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIVersion)))
+	i += copy(dAtA[i:], m.APIVersion)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ResourceVersion)))
+	i += copy(dAtA[i:], m.ResourceVersion)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FieldPath)))
+	i += copy(dAtA[i:], m.FieldPath)
+	return i, nil
+}
+
+func (m *PersistentVolume) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolume) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n88, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n88
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n89, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n89
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n90, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n90
+	return i, nil
+}
+
+func (m *PersistentVolumeClaim) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolumeClaim) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n91, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n91
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n92, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n92
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n93, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n93
+	return i, nil
+}
+
+func (m *PersistentVolumeClaimCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolumeClaimCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastProbeTime.Size()))
+	n94, err := m.LastProbeTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n94
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n95, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n95
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *PersistentVolumeClaimList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolumeClaimList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n96, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n96
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PersistentVolumeClaimSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolumeClaimSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.AccessModes) > 0 {
+		for _, s := range m.AccessModes {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Resources.Size()))
+	n97, err := m.Resources.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n97
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumeName)))
+	i += copy(dAtA[i:], m.VolumeName)
+	if m.Selector != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n98, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n98
+	}
+	if m.StorageClassName != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.StorageClassName)))
+		i += copy(dAtA[i:], *m.StorageClassName)
+	}
+	return i, nil
+}
+
+func (m *PersistentVolumeClaimStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolumeClaimStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Phase)))
+	i += copy(dAtA[i:], m.Phase)
+	if len(m.AccessModes) > 0 {
+		for _, s := range m.AccessModes {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Capacity) > 0 {
+		keysForCapacity := make([]string, 0, len(m.Capacity))
+		for k := range m.Capacity {
+			keysForCapacity = append(keysForCapacity, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+		for _, k := range keysForCapacity {
+			dAtA[i] = 0x1a
+			i++
+			v := m.Capacity[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n99, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n99
+		}
+	}
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x22
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PersistentVolumeClaimVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolumeClaimVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ClaimName)))
+	i += copy(dAtA[i:], m.ClaimName)
+	dAtA[i] = 0x10
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *PersistentVolumeList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolumeList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n100, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n100
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PersistentVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.GCEPersistentDisk != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.GCEPersistentDisk.Size()))
+		n101, err := m.GCEPersistentDisk.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n101
+	}
+	if m.AWSElasticBlockStore != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.AWSElasticBlockStore.Size()))
+		n102, err := m.AWSElasticBlockStore.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n102
+	}
+	if m.HostPath != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.HostPath.Size()))
+		n103, err := m.HostPath.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n103
+	}
+	if m.Glusterfs != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Glusterfs.Size()))
+		n104, err := m.Glusterfs.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n104
+	}
+	if m.NFS != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.NFS.Size()))
+		n105, err := m.NFS.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n105
+	}
+	if m.RBD != nil {
+		dAtA[i] = 0x32
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RBD.Size()))
+		n106, err := m.RBD.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n106
+	}
+	if m.ISCSI != nil {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ISCSI.Size()))
+		n107, err := m.ISCSI.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n107
+	}
+	if m.Cinder != nil {
+		dAtA[i] = 0x42
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Cinder.Size()))
+		n108, err := m.Cinder.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n108
+	}
+	if m.CephFS != nil {
+		dAtA[i] = 0x4a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.CephFS.Size()))
+		n109, err := m.CephFS.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n109
+	}
+	if m.FC != nil {
+		dAtA[i] = 0x52
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.FC.Size()))
+		n110, err := m.FC.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n110
+	}
+	if m.Flocker != nil {
+		dAtA[i] = 0x5a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Flocker.Size()))
+		n111, err := m.Flocker.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n111
+	}
+	if m.FlexVolume != nil {
+		dAtA[i] = 0x62
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.FlexVolume.Size()))
+		n112, err := m.FlexVolume.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n112
+	}
+	if m.AzureFile != nil {
+		dAtA[i] = 0x6a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.AzureFile.Size()))
+		n113, err := m.AzureFile.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n113
+	}
+	if m.VsphereVolume != nil {
+		dAtA[i] = 0x72
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.VsphereVolume.Size()))
+		n114, err := m.VsphereVolume.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n114
+	}
+	if m.Quobyte != nil {
+		dAtA[i] = 0x7a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Quobyte.Size()))
+		n115, err := m.Quobyte.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n115
+	}
+	if m.AzureDisk != nil {
+		dAtA[i] = 0x82
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.AzureDisk.Size()))
+		n116, err := m.AzureDisk.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n116
+	}
+	if m.PhotonPersistentDisk != nil {
+		dAtA[i] = 0x8a
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PhotonPersistentDisk.Size()))
+		n117, err := m.PhotonPersistentDisk.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n117
+	}
+	if m.PortworxVolume != nil {
+		dAtA[i] = 0x92
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PortworxVolume.Size()))
+		n118, err := m.PortworxVolume.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n118
+	}
+	if m.ScaleIO != nil {
+		dAtA[i] = 0x9a
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ScaleIO.Size()))
+		n119, err := m.ScaleIO.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n119
+	}
+	if m.Local != nil {
+		dAtA[i] = 0xa2
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Local.Size()))
+		n120, err := m.Local.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n120
+	}
+	if m.StorageOS != nil {
+		dAtA[i] = 0xaa
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.StorageOS.Size()))
+		n121, err := m.StorageOS.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n121
+	}
+	return i, nil
+}
+
+func (m *PersistentVolumeSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolumeSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Capacity) > 0 {
+		keysForCapacity := make([]string, 0, len(m.Capacity))
+		for k := range m.Capacity {
+			keysForCapacity = append(keysForCapacity, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+		for _, k := range keysForCapacity {
+			dAtA[i] = 0xa
+			i++
+			v := m.Capacity[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n122, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n122
+		}
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.PersistentVolumeSource.Size()))
+	n123, err := m.PersistentVolumeSource.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n123
+	if len(m.AccessModes) > 0 {
+		for _, s := range m.AccessModes {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if m.ClaimRef != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ClaimRef.Size()))
+		n124, err := m.ClaimRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n124
+	}
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PersistentVolumeReclaimPolicy)))
+	i += copy(dAtA[i:], m.PersistentVolumeReclaimPolicy)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.StorageClassName)))
+	i += copy(dAtA[i:], m.StorageClassName)
+	if len(m.MountOptions) > 0 {
+		for _, s := range m.MountOptions {
+			dAtA[i] = 0x3a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *PersistentVolumeStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PersistentVolumeStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Phase)))
+	i += copy(dAtA[i:], m.Phase)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	return i, nil
+}
+
+func (m *PhotonPersistentDiskVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PhotonPersistentDiskVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PdID)))
+	i += copy(dAtA[i:], m.PdID)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	return i, nil
+}
+
+func (m *Pod) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Pod) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n125, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n125
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n126, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n126
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n127, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n127
+	return i, nil
+}
+
+func (m *PodAffinity) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodAffinity) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.RequiredDuringSchedulingIgnoredDuringExecution) > 0 {
+		for _, msg := range m.RequiredDuringSchedulingIgnoredDuringExecution {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.PreferredDuringSchedulingIgnoredDuringExecution) > 0 {
+		for _, msg := range m.PreferredDuringSchedulingIgnoredDuringExecution {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PodAffinityTerm) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodAffinityTerm) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.LabelSelector != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.LabelSelector.Size()))
+		n128, err := m.LabelSelector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n128
+	}
+	if len(m.Namespaces) > 0 {
+		for _, s := range m.Namespaces {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.TopologyKey)))
+	i += copy(dAtA[i:], m.TopologyKey)
+	return i, nil
+}
+
+func (m *PodAntiAffinity) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodAntiAffinity) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.RequiredDuringSchedulingIgnoredDuringExecution) > 0 {
+		for _, msg := range m.RequiredDuringSchedulingIgnoredDuringExecution {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.PreferredDuringSchedulingIgnoredDuringExecution) > 0 {
+		for _, msg := range m.PreferredDuringSchedulingIgnoredDuringExecution {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PodAttachOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodAttachOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	if m.Stdin {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x10
+	i++
+	if m.Stdout {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x18
+	i++
+	if m.Stderr {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x20
+	i++
+	if m.TTY {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Container)))
+	i += copy(dAtA[i:], m.Container)
+	return i, nil
+}
+
+func (m *PodCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastProbeTime.Size()))
+	n129, err := m.LastProbeTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n129
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n130, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n130
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *PodExecOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodExecOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	if m.Stdin {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x10
+	i++
+	if m.Stdout {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x18
+	i++
+	if m.Stderr {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x20
+	i++
+	if m.TTY {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Container)))
+	i += copy(dAtA[i:], m.Container)
+	if len(m.Command) > 0 {
+		for _, s := range m.Command {
+			dAtA[i] = 0x32
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *PodList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n131, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n131
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PodLogOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodLogOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Container)))
+	i += copy(dAtA[i:], m.Container)
+	dAtA[i] = 0x10
+	i++
+	if m.Follow {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x18
+	i++
+	if m.Previous {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.SinceSeconds != nil {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.SinceSeconds))
+	}
+	if m.SinceTime != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SinceTime.Size()))
+		n132, err := m.SinceTime.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n132
+	}
+	dAtA[i] = 0x30
+	i++
+	if m.Timestamps {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.TailLines != nil {
+		dAtA[i] = 0x38
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TailLines))
+	}
+	if m.LimitBytes != nil {
+		dAtA[i] = 0x40
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.LimitBytes))
+	}
+	return i, nil
+}
+
+func (m *PodPortForwardOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodPortForwardOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, num := range m.Ports {
+			dAtA[i] = 0x8
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(num))
+		}
+	}
+	return i, nil
+}
+
+func (m *PodProxyOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodProxyOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	return i, nil
+}
+
+func (m *PodSecurityContext) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodSecurityContext) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.SELinuxOptions != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SELinuxOptions.Size()))
+		n133, err := m.SELinuxOptions.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n133
+	}
+	if m.RunAsUser != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.RunAsUser))
+	}
+	if m.RunAsNonRoot != nil {
+		dAtA[i] = 0x18
+		i++
+		if *m.RunAsNonRoot {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if len(m.SupplementalGroups) > 0 {
+		for _, num := range m.SupplementalGroups {
+			dAtA[i] = 0x20
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(num))
+		}
+	}
+	if m.FSGroup != nil {
+		dAtA[i] = 0x28
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.FSGroup))
+	}
+	return i, nil
+}
+
+func (m *PodSignature) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodSignature) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.PodController != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PodController.Size()))
+		n134, err := m.PodController.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n134
+	}
+	return i, nil
+}
+
+func (m *PodSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Volumes) > 0 {
+		for _, msg := range m.Volumes {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Containers) > 0 {
+		for _, msg := range m.Containers {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.RestartPolicy)))
+	i += copy(dAtA[i:], m.RestartPolicy)
+	if m.TerminationGracePeriodSeconds != nil {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TerminationGracePeriodSeconds))
+	}
+	if m.ActiveDeadlineSeconds != nil {
+		dAtA[i] = 0x28
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.ActiveDeadlineSeconds))
+	}
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.DNSPolicy)))
+	i += copy(dAtA[i:], m.DNSPolicy)
+	if len(m.NodeSelector) > 0 {
+		keysForNodeSelector := make([]string, 0, len(m.NodeSelector))
+		for k := range m.NodeSelector {
+			keysForNodeSelector = append(keysForNodeSelector, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+		for _, k := range keysForNodeSelector {
+			dAtA[i] = 0x3a
+			i++
+			v := m.NodeSelector[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ServiceAccountName)))
+	i += copy(dAtA[i:], m.ServiceAccountName)
+	dAtA[i] = 0x4a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.DeprecatedServiceAccount)))
+	i += copy(dAtA[i:], m.DeprecatedServiceAccount)
+	dAtA[i] = 0x52
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.NodeName)))
+	i += copy(dAtA[i:], m.NodeName)
+	dAtA[i] = 0x58
+	i++
+	if m.HostNetwork {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x60
+	i++
+	if m.HostPID {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x68
+	i++
+	if m.HostIPC {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.SecurityContext != nil {
+		dAtA[i] = 0x72
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecurityContext.Size()))
+		n135, err := m.SecurityContext.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n135
+	}
+	if len(m.ImagePullSecrets) > 0 {
+		for _, msg := range m.ImagePullSecrets {
+			dAtA[i] = 0x7a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x82
+	i++
+	dAtA[i] = 0x1
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Hostname)))
+	i += copy(dAtA[i:], m.Hostname)
+	dAtA[i] = 0x8a
+	i++
+	dAtA[i] = 0x1
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Subdomain)))
+	i += copy(dAtA[i:], m.Subdomain)
+	if m.Affinity != nil {
+		dAtA[i] = 0x92
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Affinity.Size()))
+		n136, err := m.Affinity.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n136
+	}
+	dAtA[i] = 0x9a
+	i++
+	dAtA[i] = 0x1
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SchedulerName)))
+	i += copy(dAtA[i:], m.SchedulerName)
+	if len(m.InitContainers) > 0 {
+		for _, msg := range m.InitContainers {
+			dAtA[i] = 0xa2
+			i++
+			dAtA[i] = 0x1
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.AutomountServiceAccountToken != nil {
+		dAtA[i] = 0xa8
+		i++
+		dAtA[i] = 0x1
+		i++
+		if *m.AutomountServiceAccountToken {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if len(m.Tolerations) > 0 {
+		for _, msg := range m.Tolerations {
+			dAtA[i] = 0xb2
+			i++
+			dAtA[i] = 0x1
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.HostAliases) > 0 {
+		for _, msg := range m.HostAliases {
+			dAtA[i] = 0xba
+			i++
+			dAtA[i] = 0x1
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0xc2
+	i++
+	dAtA[i] = 0x1
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PriorityClassName)))
+	i += copy(dAtA[i:], m.PriorityClassName)
+	if m.Priority != nil {
+		dAtA[i] = 0xc8
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Priority))
+	}
+	return i, nil
+}
+
+func (m *PodStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Phase)))
+	i += copy(dAtA[i:], m.Phase)
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.HostIP)))
+	i += copy(dAtA[i:], m.HostIP)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PodIP)))
+	i += copy(dAtA[i:], m.PodIP)
+	if m.StartTime != nil {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.StartTime.Size()))
+		n137, err := m.StartTime.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n137
+	}
+	if len(m.ContainerStatuses) > 0 {
+		for _, msg := range m.ContainerStatuses {
+			dAtA[i] = 0x42
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x4a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.QOSClass)))
+	i += copy(dAtA[i:], m.QOSClass)
+	if len(m.InitContainerStatuses) > 0 {
+		for _, msg := range m.InitContainerStatuses {
+			dAtA[i] = 0x52
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PodStatusResult) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodStatusResult) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n138, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n138
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n139, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n139
+	return i, nil
+}
+
+func (m *PodTemplate) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodTemplate) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n140, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n140
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n141, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n141
+	return i, nil
+}
+
+func (m *PodTemplateList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodTemplateList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n142, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n142
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PodTemplateSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodTemplateSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n143, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n143
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n144, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n144
+	return i, nil
+}
+
+func (m *PortworxVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PortworxVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumeID)))
+	i += copy(dAtA[i:], m.VolumeID)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x18
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *Preconditions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Preconditions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.UID != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.UID)))
+		i += copy(dAtA[i:], *m.UID)
+	}
+	return i, nil
+}
+
+func (m *PreferAvoidPodsEntry) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PreferAvoidPodsEntry) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.PodSignature.Size()))
+	n145, err := m.PodSignature.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n145
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.EvictionTime.Size()))
+	n146, err := m.EvictionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n146
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *PreferredSchedulingTerm) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PreferredSchedulingTerm) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Weight))
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Preference.Size()))
+	n147, err := m.Preference.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n147
+	return i, nil
+}
+
+func (m *Probe) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Probe) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Handler.Size()))
+	n148, err := m.Handler.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n148
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.InitialDelaySeconds))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.TimeoutSeconds))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.PeriodSeconds))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.SuccessThreshold))
+	dAtA[i] = 0x30
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.FailureThreshold))
+	return i, nil
+}
+
+func (m *ProjectedVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ProjectedVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Sources) > 0 {
+		for _, msg := range m.Sources {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.DefaultMode != nil {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.DefaultMode))
+	}
+	return i, nil
+}
+
+func (m *QuobyteVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *QuobyteVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Registry)))
+	i += copy(dAtA[i:], m.Registry)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Volume)))
+	i += copy(dAtA[i:], m.Volume)
+	dAtA[i] = 0x18
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.User)))
+	i += copy(dAtA[i:], m.User)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
+	i += copy(dAtA[i:], m.Group)
+	return i, nil
+}
+
+func (m *RBDVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RBDVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.CephMonitors) > 0 {
+		for _, s := range m.CephMonitors {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.RBDImage)))
+	i += copy(dAtA[i:], m.RBDImage)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.RBDPool)))
+	i += copy(dAtA[i:], m.RBDPool)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.RadosUser)))
+	i += copy(dAtA[i:], m.RadosUser)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Keyring)))
+	i += copy(dAtA[i:], m.Keyring)
+	if m.SecretRef != nil {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretRef.Size()))
+		n149, err := m.SecretRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n149
+	}
+	dAtA[i] = 0x40
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *RangeAllocation) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RangeAllocation) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n150, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n150
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Range)))
+	i += copy(dAtA[i:], m.Range)
+	if m.Data != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func (m *ReplicationController) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicationController) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n151, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n151
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n152, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n152
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n153, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n153
+	return i, nil
+}
+
+func (m *ReplicationControllerCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicationControllerCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n154, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n154
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *ReplicationControllerList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicationControllerList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n155, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n155
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ReplicationControllerSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicationControllerSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Replicas))
+	}
+	if len(m.Selector) > 0 {
+		keysForSelector := make([]string, 0, len(m.Selector))
+		for k := range m.Selector {
+			keysForSelector = append(keysForSelector, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		for _, k := range keysForSelector {
+			dAtA[i] = 0x12
+			i++
+			v := m.Selector[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if m.Template != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+		n156, err := m.Template.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n156
+	}
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MinReadySeconds))
+	return i, nil
+}
+
+func (m *ReplicationControllerStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicationControllerStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.FullyLabeledReplicas))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ReadyReplicas))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.AvailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x32
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ResourceFieldSelector) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceFieldSelector) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ContainerName)))
+	i += copy(dAtA[i:], m.ContainerName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Resource)))
+	i += copy(dAtA[i:], m.Resource)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Divisor.Size()))
+	n157, err := m.Divisor.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n157
+	return i, nil
+}
+
+func (m *ResourceQuota) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceQuota) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n158, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n158
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n159, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n159
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n160, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n160
+	return i, nil
+}
+
+func (m *ResourceQuotaList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceQuotaList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n161, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n161
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ResourceQuotaSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceQuotaSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Hard) > 0 {
+		keysForHard := make([]string, 0, len(m.Hard))
+		for k := range m.Hard {
+			keysForHard = append(keysForHard, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForHard)
+		for _, k := range keysForHard {
+			dAtA[i] = 0xa
+			i++
+			v := m.Hard[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n162, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n162
+		}
+	}
+	if len(m.Scopes) > 0 {
+		for _, s := range m.Scopes {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *ResourceQuotaStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceQuotaStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Hard) > 0 {
+		keysForHard := make([]string, 0, len(m.Hard))
+		for k := range m.Hard {
+			keysForHard = append(keysForHard, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForHard)
+		for _, k := range keysForHard {
+			dAtA[i] = 0xa
+			i++
+			v := m.Hard[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n163, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n163
+		}
+	}
+	if len(m.Used) > 0 {
+		keysForUsed := make([]string, 0, len(m.Used))
+		for k := range m.Used {
+			keysForUsed = append(keysForUsed, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForUsed)
+		for _, k := range keysForUsed {
+			dAtA[i] = 0x12
+			i++
+			v := m.Used[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n164, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n164
+		}
+	}
+	return i, nil
+}
+
+func (m *ResourceRequirements) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResourceRequirements) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Limits) > 0 {
+		keysForLimits := make([]string, 0, len(m.Limits))
+		for k := range m.Limits {
+			keysForLimits = append(keysForLimits, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForLimits)
+		for _, k := range keysForLimits {
+			dAtA[i] = 0xa
+			i++
+			v := m.Limits[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n165, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n165
+		}
+	}
+	if len(m.Requests) > 0 {
+		keysForRequests := make([]string, 0, len(m.Requests))
+		for k := range m.Requests {
+			keysForRequests = append(keysForRequests, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+		for _, k := range keysForRequests {
+			dAtA[i] = 0x12
+			i++
+			v := m.Requests[ResourceName(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n166, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n166
+		}
+	}
+	return i, nil
+}
+
+func (m *SELinuxOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SELinuxOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.User)))
+	i += copy(dAtA[i:], m.User)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Role)))
+	i += copy(dAtA[i:], m.Role)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Level)))
+	i += copy(dAtA[i:], m.Level)
+	return i, nil
+}
+
+func (m *ScaleIOPersistentVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ScaleIOPersistentVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Gateway)))
+	i += copy(dAtA[i:], m.Gateway)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.System)))
+	i += copy(dAtA[i:], m.System)
+	if m.SecretRef != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretRef.Size()))
+		n167, err := m.SecretRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n167
+	}
+	dAtA[i] = 0x20
+	i++
+	if m.SSLEnabled {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ProtectionDomain)))
+	i += copy(dAtA[i:], m.ProtectionDomain)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.StoragePool)))
+	i += copy(dAtA[i:], m.StoragePool)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.StorageMode)))
+	i += copy(dAtA[i:], m.StorageMode)
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumeName)))
+	i += copy(dAtA[i:], m.VolumeName)
+	dAtA[i] = 0x4a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x50
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *ScaleIOVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ScaleIOVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Gateway)))
+	i += copy(dAtA[i:], m.Gateway)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.System)))
+	i += copy(dAtA[i:], m.System)
+	if m.SecretRef != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretRef.Size()))
+		n168, err := m.SecretRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n168
+	}
+	dAtA[i] = 0x20
+	i++
+	if m.SSLEnabled {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ProtectionDomain)))
+	i += copy(dAtA[i:], m.ProtectionDomain)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.StoragePool)))
+	i += copy(dAtA[i:], m.StoragePool)
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.StorageMode)))
+	i += copy(dAtA[i:], m.StorageMode)
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumeName)))
+	i += copy(dAtA[i:], m.VolumeName)
+	dAtA[i] = 0x4a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x50
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *Secret) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Secret) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n169, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n169
+	if len(m.Data) > 0 {
+		keysForData := make([]string, 0, len(m.Data))
+		for k := range m.Data {
+			keysForData = append(keysForData, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForData)
+		for _, k := range keysForData {
+			dAtA[i] = 0x12
+			i++
+			v := m.Data[string(k)]
+			byteSize := 0
+			if v != nil {
+				byteSize = 1 + len(v) + sovGenerated(uint64(len(v)))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + byteSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			if v != nil {
+				dAtA[i] = 0x12
+				i++
+				i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+				i += copy(dAtA[i:], v)
+			}
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if len(m.StringData) > 0 {
+		keysForStringData := make([]string, 0, len(m.StringData))
+		for k := range m.StringData {
+			keysForStringData = append(keysForStringData, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForStringData)
+		for _, k := range keysForStringData {
+			dAtA[i] = 0x22
+			i++
+			v := m.StringData[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *SecretEnvSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SecretEnvSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LocalObjectReference.Size()))
+	n170, err := m.LocalObjectReference.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n170
+	if m.Optional != nil {
+		dAtA[i] = 0x10
+		i++
+		if *m.Optional {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *SecretKeySelector) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SecretKeySelector) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LocalObjectReference.Size()))
+	n171, err := m.LocalObjectReference.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n171
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i += copy(dAtA[i:], m.Key)
+	if m.Optional != nil {
+		dAtA[i] = 0x18
+		i++
+		if *m.Optional {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *SecretList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SecretList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n172, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n172
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *SecretProjection) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SecretProjection) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LocalObjectReference.Size()))
+	n173, err := m.LocalObjectReference.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n173
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.Optional != nil {
+		dAtA[i] = 0x20
+		i++
+		if *m.Optional {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *SecretReference) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SecretReference) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	return i, nil
+}
+
+func (m *SecretVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SecretVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SecretName)))
+	i += copy(dAtA[i:], m.SecretName)
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.DefaultMode != nil {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.DefaultMode))
+	}
+	if m.Optional != nil {
+		dAtA[i] = 0x20
+		i++
+		if *m.Optional {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *SecurityContext) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SecurityContext) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Capabilities != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Capabilities.Size()))
+		n174, err := m.Capabilities.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n174
+	}
+	if m.Privileged != nil {
+		dAtA[i] = 0x10
+		i++
+		if *m.Privileged {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.SELinuxOptions != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SELinuxOptions.Size()))
+		n175, err := m.SELinuxOptions.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n175
+	}
+	if m.RunAsUser != nil {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.RunAsUser))
+	}
+	if m.RunAsNonRoot != nil {
+		dAtA[i] = 0x28
+		i++
+		if *m.RunAsNonRoot {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.ReadOnlyRootFilesystem != nil {
+		dAtA[i] = 0x30
+		i++
+		if *m.ReadOnlyRootFilesystem {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.AllowPrivilegeEscalation != nil {
+		dAtA[i] = 0x38
+		i++
+		if *m.AllowPrivilegeEscalation {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *SerializedReference) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SerializedReference) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Reference.Size()))
+	n176, err := m.Reference.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n176
+	return i, nil
+}
+
+func (m *Service) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Service) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n177, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n177
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n178, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n178
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n179, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n179
+	return i, nil
+}
+
+func (m *ServiceAccount) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ServiceAccount) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n180, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n180
+	if len(m.Secrets) > 0 {
+		for _, msg := range m.Secrets {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.ImagePullSecrets) > 0 {
+		for _, msg := range m.ImagePullSecrets {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.AutomountServiceAccountToken != nil {
+		dAtA[i] = 0x20
+		i++
+		if *m.AutomountServiceAccountToken {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *ServiceAccountList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ServiceAccountList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n181, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n181
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ServiceList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ServiceList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n182, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n182
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ServicePort) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ServicePort) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Protocol)))
+	i += copy(dAtA[i:], m.Protocol)
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Port))
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.TargetPort.Size()))
+	n183, err := m.TargetPort.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n183
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.NodePort))
+	return i, nil
+}
+
+func (m *ServiceProxyOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ServiceProxyOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	return i, nil
+}
+
+func (m *ServiceSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ServiceSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, msg := range m.Ports {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Selector) > 0 {
+		keysForSelector := make([]string, 0, len(m.Selector))
+		for k := range m.Selector {
+			keysForSelector = append(keysForSelector, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		for _, k := range keysForSelector {
+			dAtA[i] = 0x12
+			i++
+			v := m.Selector[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ClusterIP)))
+	i += copy(dAtA[i:], m.ClusterIP)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if len(m.ExternalIPs) > 0 {
+		for _, s := range m.ExternalIPs {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SessionAffinity)))
+	i += copy(dAtA[i:], m.SessionAffinity)
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.LoadBalancerIP)))
+	i += copy(dAtA[i:], m.LoadBalancerIP)
+	if len(m.LoadBalancerSourceRanges) > 0 {
+		for _, s := range m.LoadBalancerSourceRanges {
+			dAtA[i] = 0x4a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x52
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ExternalName)))
+	i += copy(dAtA[i:], m.ExternalName)
+	dAtA[i] = 0x5a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ExternalTrafficPolicy)))
+	i += copy(dAtA[i:], m.ExternalTrafficPolicy)
+	dAtA[i] = 0x60
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.HealthCheckNodePort))
+	dAtA[i] = 0x68
+	i++
+	if m.PublishNotReadyAddresses {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.SessionAffinityConfig != nil {
+		dAtA[i] = 0x72
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SessionAffinityConfig.Size()))
+		n184, err := m.SessionAffinityConfig.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n184
+	}
+	return i, nil
+}
+
+func (m *ServiceStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ServiceStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LoadBalancer.Size()))
+	n185, err := m.LoadBalancer.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n185
+	return i, nil
+}
+
+func (m *SessionAffinityConfig) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SessionAffinityConfig) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.ClientIP != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ClientIP.Size()))
+		n186, err := m.ClientIP.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n186
+	}
+	return i, nil
+}
+
+func (m *StorageOSPersistentVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StorageOSPersistentVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumeName)))
+	i += copy(dAtA[i:], m.VolumeName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumeNamespace)))
+	i += copy(dAtA[i:], m.VolumeNamespace)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x20
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.SecretRef != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretRef.Size()))
+		n187, err := m.SecretRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n187
+	}
+	return i, nil
+}
+
+func (m *StorageOSVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StorageOSVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumeName)))
+	i += copy(dAtA[i:], m.VolumeName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumeNamespace)))
+	i += copy(dAtA[i:], m.VolumeNamespace)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x20
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.SecretRef != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SecretRef.Size()))
+		n188, err := m.SecretRef.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n188
+	}
+	return i, nil
+}
+
+func (m *Sysctl) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Sysctl) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Value)))
+	i += copy(dAtA[i:], m.Value)
+	return i, nil
+}
+
+func (m *TCPSocketAction) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TCPSocketAction) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Port.Size()))
+	n189, err := m.Port.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n189
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Host)))
+	i += copy(dAtA[i:], m.Host)
+	return i, nil
+}
+
+func (m *Taint) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Taint) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i += copy(dAtA[i:], m.Key)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Value)))
+	i += copy(dAtA[i:], m.Value)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Effect)))
+	i += copy(dAtA[i:], m.Effect)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.TimeAdded.Size()))
+	n190, err := m.TimeAdded.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n190
+	return i, nil
+}
+
+func (m *Toleration) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Toleration) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i += copy(dAtA[i:], m.Key)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Operator)))
+	i += copy(dAtA[i:], m.Operator)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Value)))
+	i += copy(dAtA[i:], m.Value)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Effect)))
+	i += copy(dAtA[i:], m.Effect)
+	if m.TolerationSeconds != nil {
+		dAtA[i] = 0x28
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TolerationSeconds))
+	}
+	return i, nil
+}
+
+func (m *Volume) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Volume) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.VolumeSource.Size()))
+	n191, err := m.VolumeSource.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n191
+	return i, nil
+}
+
+func (m *VolumeMount) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *VolumeMount) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x10
+	i++
+	if m.ReadOnly {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.MountPath)))
+	i += copy(dAtA[i:], m.MountPath)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SubPath)))
+	i += copy(dAtA[i:], m.SubPath)
+	if m.MountPropagation != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.MountPropagation)))
+		i += copy(dAtA[i:], *m.MountPropagation)
+	}
+	return i, nil
+}
+
+func (m *VolumeProjection) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *VolumeProjection) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Secret != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Secret.Size()))
+		n192, err := m.Secret.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n192
+	}
+	if m.DownwardAPI != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.DownwardAPI.Size()))
+		n193, err := m.DownwardAPI.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n193
+	}
+	if m.ConfigMap != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ConfigMap.Size()))
+		n194, err := m.ConfigMap.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n194
+	}
+	return i, nil
+}
+
+func (m *VolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *VolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.HostPath != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.HostPath.Size()))
+		n195, err := m.HostPath.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n195
+	}
+	if m.EmptyDir != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.EmptyDir.Size()))
+		n196, err := m.EmptyDir.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n196
+	}
+	if m.GCEPersistentDisk != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.GCEPersistentDisk.Size()))
+		n197, err := m.GCEPersistentDisk.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n197
+	}
+	if m.AWSElasticBlockStore != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.AWSElasticBlockStore.Size()))
+		n198, err := m.AWSElasticBlockStore.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n198
+	}
+	if m.GitRepo != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.GitRepo.Size()))
+		n199, err := m.GitRepo.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n199
+	}
+	if m.Secret != nil {
+		dAtA[i] = 0x32
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Secret.Size()))
+		n200, err := m.Secret.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n200
+	}
+	if m.NFS != nil {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.NFS.Size()))
+		n201, err := m.NFS.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n201
+	}
+	if m.ISCSI != nil {
+		dAtA[i] = 0x42
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ISCSI.Size()))
+		n202, err := m.ISCSI.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n202
+	}
+	if m.Glusterfs != nil {
+		dAtA[i] = 0x4a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Glusterfs.Size()))
+		n203, err := m.Glusterfs.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n203
+	}
+	if m.PersistentVolumeClaim != nil {
+		dAtA[i] = 0x52
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PersistentVolumeClaim.Size()))
+		n204, err := m.PersistentVolumeClaim.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n204
+	}
+	if m.RBD != nil {
+		dAtA[i] = 0x5a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RBD.Size()))
+		n205, err := m.RBD.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n205
+	}
+	if m.FlexVolume != nil {
+		dAtA[i] = 0x62
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.FlexVolume.Size()))
+		n206, err := m.FlexVolume.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n206
+	}
+	if m.Cinder != nil {
+		dAtA[i] = 0x6a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Cinder.Size()))
+		n207, err := m.Cinder.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n207
+	}
+	if m.CephFS != nil {
+		dAtA[i] = 0x72
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.CephFS.Size()))
+		n208, err := m.CephFS.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n208
+	}
+	if m.Flocker != nil {
+		dAtA[i] = 0x7a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Flocker.Size()))
+		n209, err := m.Flocker.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n209
+	}
+	if m.DownwardAPI != nil {
+		dAtA[i] = 0x82
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.DownwardAPI.Size()))
+		n210, err := m.DownwardAPI.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n210
+	}
+	if m.FC != nil {
+		dAtA[i] = 0x8a
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.FC.Size()))
+		n211, err := m.FC.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n211
+	}
+	if m.AzureFile != nil {
+		dAtA[i] = 0x92
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.AzureFile.Size()))
+		n212, err := m.AzureFile.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n212
+	}
+	if m.ConfigMap != nil {
+		dAtA[i] = 0x9a
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ConfigMap.Size()))
+		n213, err := m.ConfigMap.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n213
+	}
+	if m.VsphereVolume != nil {
+		dAtA[i] = 0xa2
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.VsphereVolume.Size()))
+		n214, err := m.VsphereVolume.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n214
+	}
+	if m.Quobyte != nil {
+		dAtA[i] = 0xaa
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Quobyte.Size()))
+		n215, err := m.Quobyte.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n215
+	}
+	if m.AzureDisk != nil {
+		dAtA[i] = 0xb2
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.AzureDisk.Size()))
+		n216, err := m.AzureDisk.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n216
+	}
+	if m.PhotonPersistentDisk != nil {
+		dAtA[i] = 0xba
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PhotonPersistentDisk.Size()))
+		n217, err := m.PhotonPersistentDisk.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n217
+	}
+	if m.PortworxVolume != nil {
+		dAtA[i] = 0xc2
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PortworxVolume.Size()))
+		n218, err := m.PortworxVolume.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n218
+	}
+	if m.ScaleIO != nil {
+		dAtA[i] = 0xca
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.ScaleIO.Size()))
+		n219, err := m.ScaleIO.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n219
+	}
+	if m.Projected != nil {
+		dAtA[i] = 0xd2
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Projected.Size()))
+		n220, err := m.Projected.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n220
+	}
+	if m.StorageOS != nil {
+		dAtA[i] = 0xda
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.StorageOS.Size()))
+		n221, err := m.StorageOS.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n221
+	}
+	return i, nil
+}
+
+func (m *VsphereVirtualDiskVolumeSource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *VsphereVirtualDiskVolumeSource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.VolumePath)))
+	i += copy(dAtA[i:], m.VolumePath)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FSType)))
+	i += copy(dAtA[i:], m.FSType)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.StoragePolicyName)))
+	i += copy(dAtA[i:], m.StoragePolicyName)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.StoragePolicyID)))
+	i += copy(dAtA[i:], m.StoragePolicyID)
+	return i, nil
+}
+
+func (m *WeightedPodAffinityTerm) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *WeightedPodAffinityTerm) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Weight))
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.PodAffinityTerm.Size()))
+	n222, err := m.PodAffinityTerm.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n222
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *AWSElasticBlockStoreVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.VolumeID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Partition))
+	n += 2
+	return n
+}
+
+func (m *Affinity) Size() (n int) {
+	var l int
+	_ = l
+	if m.NodeAffinity != nil {
+		l = m.NodeAffinity.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.PodAffinity != nil {
+		l = m.PodAffinity.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.PodAntiAffinity != nil {
+		l = m.PodAntiAffinity.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *AttachedVolume) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.DevicePath)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *AvoidPods) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.PreferAvoidPods) > 0 {
+		for _, e := range m.PreferAvoidPods {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *AzureDiskVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.DiskName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.DataDiskURI)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.CachingMode != nil {
+		l = len(*m.CachingMode)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.FSType != nil {
+		l = len(*m.FSType)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ReadOnly != nil {
+		n += 2
+	}
+	if m.Kind != nil {
+		l = len(*m.Kind)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *AzureFilePersistentVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.SecretName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ShareName)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	if m.SecretNamespace != nil {
+		l = len(*m.SecretNamespace)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *AzureFileVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.SecretName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ShareName)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	return n
+}
+
+func (m *Binding) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Target.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Capabilities) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Add) > 0 {
+		for _, s := range m.Add {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Drop) > 0 {
+		for _, s := range m.Drop {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *CephFSPersistentVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Monitors) > 0 {
+		for _, s := range m.Monitors {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.User)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.SecretFile)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SecretRef != nil {
+		l = m.SecretRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 2
+	return n
+}
+
+func (m *CephFSVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Monitors) > 0 {
+		for _, s := range m.Monitors {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.User)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.SecretFile)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SecretRef != nil {
+		l = m.SecretRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 2
+	return n
+}
+
+func (m *CinderVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.VolumeID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	return n
+}
+
+func (m *ClientIPConfig) Size() (n int) {
+	var l int
+	_ = l
+	if m.TimeoutSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.TimeoutSeconds))
+	}
+	return n
+}
+
+func (m *ComponentCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Error)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ComponentStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ComponentStatusList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ConfigMap) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Data) > 0 {
+		for k, v := range m.Data {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *ConfigMapEnvSource) Size() (n int) {
+	var l int
+	_ = l
+	l = m.LocalObjectReference.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Optional != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *ConfigMapKeySelector) Size() (n int) {
+	var l int
+	_ = l
+	l = m.LocalObjectReference.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Optional != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *ConfigMapList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ConfigMapProjection) Size() (n int) {
+	var l int
+	_ = l
+	l = m.LocalObjectReference.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.Optional != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *ConfigMapVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = m.LocalObjectReference.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.DefaultMode != nil {
+		n += 1 + sovGenerated(uint64(*m.DefaultMode))
+	}
+	if m.Optional != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *Container) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Image)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Command) > 0 {
+		for _, s := range m.Command {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Args) > 0 {
+		for _, s := range m.Args {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.WorkingDir)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Ports) > 0 {
+		for _, e := range m.Ports {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Env) > 0 {
+		for _, e := range m.Env {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.Resources.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.VolumeMounts) > 0 {
+		for _, e := range m.VolumeMounts {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.LivenessProbe != nil {
+		l = m.LivenessProbe.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ReadinessProbe != nil {
+		l = m.ReadinessProbe.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Lifecycle != nil {
+		l = m.Lifecycle.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = len(m.TerminationMessagePath)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ImagePullPolicy)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SecurityContext != nil {
+		l = m.SecurityContext.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 3
+	n += 3
+	n += 3
+	if len(m.EnvFrom) > 0 {
+		for _, e := range m.EnvFrom {
+			l = e.Size()
+			n += 2 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.TerminationMessagePolicy)
+	n += 2 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ContainerImage) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Names) > 0 {
+		for _, s := range m.Names {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	n += 1 + sovGenerated(uint64(m.SizeBytes))
+	return n
+}
+
+func (m *ContainerPort) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.HostPort))
+	n += 1 + sovGenerated(uint64(m.ContainerPort))
+	l = len(m.Protocol)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.HostIP)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ContainerState) Size() (n int) {
+	var l int
+	_ = l
+	if m.Waiting != nil {
+		l = m.Waiting.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Running != nil {
+		l = m.Running.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Terminated != nil {
+		l = m.Terminated.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ContainerStateRunning) Size() (n int) {
+	var l int
+	_ = l
+	l = m.StartedAt.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ContainerStateTerminated) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.ExitCode))
+	n += 1 + sovGenerated(uint64(m.Signal))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.StartedAt.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.FinishedAt.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ContainerID)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ContainerStateWaiting) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ContainerStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.State.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTerminationState.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	n += 1 + sovGenerated(uint64(m.RestartCount))
+	l = len(m.Image)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ImageID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ContainerID)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DaemonEndpoint) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Port))
+	return n
+}
+
+func (m *DeleteOptions) Size() (n int) {
+	var l int
+	_ = l
+	if m.GracePeriodSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.GracePeriodSeconds))
+	}
+	if m.Preconditions != nil {
+		l = m.Preconditions.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.OrphanDependents != nil {
+		n += 2
+	}
+	if m.PropagationPolicy != nil {
+		l = len(*m.PropagationPolicy)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *DownwardAPIProjection) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DownwardAPIVolumeFile) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.FieldRef != nil {
+		l = m.FieldRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ResourceFieldRef != nil {
+		l = m.ResourceFieldRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Mode != nil {
+		n += 1 + sovGenerated(uint64(*m.Mode))
+	}
+	return n
+}
+
+func (m *DownwardAPIVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.DefaultMode != nil {
+		n += 1 + sovGenerated(uint64(*m.DefaultMode))
+	}
+	return n
+}
+
+func (m *EmptyDirVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Medium)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SizeLimit != nil {
+		l = m.SizeLimit.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *EndpointAddress) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.IP)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TargetRef != nil {
+		l = m.TargetRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = len(m.Hostname)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.NodeName != nil {
+		l = len(*m.NodeName)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *EndpointPort) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Port))
+	l = len(m.Protocol)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *EndpointSubset) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Addresses) > 0 {
+		for _, e := range m.Addresses {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.NotReadyAddresses) > 0 {
+		for _, e := range m.NotReadyAddresses {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Ports) > 0 {
+		for _, e := range m.Ports {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Endpoints) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Subsets) > 0 {
+		for _, e := range m.Subsets {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *EndpointsList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *EnvFromSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Prefix)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.ConfigMapRef != nil {
+		l = m.ConfigMapRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.SecretRef != nil {
+		l = m.SecretRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *EnvVar) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Value)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.ValueFrom != nil {
+		l = m.ValueFrom.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *EnvVarSource) Size() (n int) {
+	var l int
+	_ = l
+	if m.FieldRef != nil {
+		l = m.FieldRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ResourceFieldRef != nil {
+		l = m.ResourceFieldRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ConfigMapKeyRef != nil {
+		l = m.ConfigMapKeyRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.SecretKeyRef != nil {
+		l = m.SecretKeyRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *Event) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.InvolvedObject.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Source.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.FirstTimestamp.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTimestamp.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Count))
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *EventList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *EventSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Component)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Host)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ExecAction) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Command) > 0 {
+		for _, s := range m.Command {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *FCVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.TargetWWNs) > 0 {
+		for _, s := range m.TargetWWNs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.Lun != nil {
+		n += 1 + sovGenerated(uint64(*m.Lun))
+	}
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	if len(m.WWIDs) > 0 {
+		for _, s := range m.WWIDs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *FlexVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Driver)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SecretRef != nil {
+		l = m.SecretRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 2
+	if len(m.Options) > 0 {
+		for k, v := range m.Options {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *FlockerVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.DatasetName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.DatasetUUID)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *GCEPersistentDiskVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.PDName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Partition))
+	n += 2
+	return n
+}
+
+func (m *GitRepoVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Repository)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Revision)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Directory)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *GlusterfsVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.EndpointsName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	return n
+}
+
+func (m *HTTPGetAction) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Port.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Host)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Scheme)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.HTTPHeaders) > 0 {
+		for _, e := range m.HTTPHeaders {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *HTTPHeader) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Value)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Handler) Size() (n int) {
+	var l int
+	_ = l
+	if m.Exec != nil {
+		l = m.Exec.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.HTTPGet != nil {
+		l = m.HTTPGet.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.TCPSocket != nil {
+		l = m.TCPSocket.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *HostAlias) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.IP)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Hostnames) > 0 {
+		for _, s := range m.Hostnames {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *HostPathVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Type != nil {
+		l = len(*m.Type)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ISCSIVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.TargetPortal)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.IQN)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Lun))
+	l = len(m.ISCSIInterface)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	if len(m.Portals) > 0 {
+		for _, s := range m.Portals {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	n += 2
+	if m.SecretRef != nil {
+		l = m.SecretRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 2
+	if m.InitiatorName != nil {
+		l = len(*m.InitiatorName)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *KeyToPath) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Mode != nil {
+		n += 1 + sovGenerated(uint64(*m.Mode))
+	}
+	return n
+}
+
+func (m *Lifecycle) Size() (n int) {
+	var l int
+	_ = l
+	if m.PostStart != nil {
+		l = m.PostStart.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.PreStop != nil {
+		l = m.PreStop.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *LimitRange) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *LimitRangeItem) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Max) > 0 {
+		for k, v := range m.Max {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Min) > 0 {
+		for k, v := range m.Min {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Default) > 0 {
+		for k, v := range m.Default {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.DefaultRequest) > 0 {
+		for k, v := range m.DefaultRequest {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.MaxLimitRequestRatio) > 0 {
+		for k, v := range m.MaxLimitRequestRatio {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *LimitRangeList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *LimitRangeSpec) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Limits) > 0 {
+		for _, e := range m.Limits {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *List) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ListOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.LabelSelector)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FieldSelector)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	l = len(m.ResourceVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TimeoutSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.TimeoutSeconds))
+	}
+	n += 2
+	return n
+}
+
+func (m *LoadBalancerIngress) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.IP)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Hostname)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *LoadBalancerStatus) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Ingress) > 0 {
+		for _, e := range m.Ingress {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *LocalObjectReference) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *LocalVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NFSVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Server)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	return n
+}
+
+func (m *Namespace) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NamespaceList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NamespaceSpec) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Finalizers) > 0 {
+		for _, s := range m.Finalizers {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NamespaceStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Phase)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Node) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NodeAddress) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Address)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NodeAffinity) Size() (n int) {
+	var l int
+	_ = l
+	if m.RequiredDuringSchedulingIgnoredDuringExecution != nil {
+		l = m.RequiredDuringSchedulingIgnoredDuringExecution.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.PreferredDuringSchedulingIgnoredDuringExecution) > 0 {
+		for _, e := range m.PreferredDuringSchedulingIgnoredDuringExecution {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NodeCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastHeartbeatTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NodeConfigSource) Size() (n int) {
+	var l int
+	_ = l
+	if m.ConfigMapRef != nil {
+		l = m.ConfigMapRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *NodeDaemonEndpoints) Size() (n int) {
+	var l int
+	_ = l
+	l = m.KubeletEndpoint.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NodeList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NodeProxyOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NodeResources) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Capacity) > 0 {
+		for k, v := range m.Capacity {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *NodeSelector) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.NodeSelectorTerms) > 0 {
+		for _, e := range m.NodeSelectorTerms {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NodeSelectorRequirement) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Operator)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Values) > 0 {
+		for _, s := range m.Values {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NodeSelectorTerm) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.MatchExpressions) > 0 {
+		for _, e := range m.MatchExpressions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NodeSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.PodCIDR)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ExternalID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ProviderID)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	if len(m.Taints) > 0 {
+		for _, e := range m.Taints {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.ConfigSource != nil {
+		l = m.ConfigSource.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *NodeStatus) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Capacity) > 0 {
+		for k, v := range m.Capacity {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Allocatable) > 0 {
+		for k, v := range m.Allocatable {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.Phase)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Addresses) > 0 {
+		for _, e := range m.Addresses {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.DaemonEndpoints.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.NodeInfo.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Images) > 0 {
+		for _, e := range m.Images {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.VolumesInUse) > 0 {
+		for _, s := range m.VolumesInUse {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.VolumesAttached) > 0 {
+		for _, e := range m.VolumesAttached {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NodeSystemInfo) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.MachineID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.SystemUUID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.BootID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.KernelVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.OSImage)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ContainerRuntimeVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.KubeletVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.KubeProxyVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.OperatingSystem)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Architecture)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ObjectFieldSelector) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.APIVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FieldPath)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ObjectMeta) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.GenerateName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.SelfLink)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.UID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ResourceVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Generation))
+	l = m.CreationTimestamp.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.DeletionTimestamp != nil {
+		l = m.DeletionTimestamp.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.DeletionGracePeriodSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.DeletionGracePeriodSeconds))
+	}
+	if len(m.Labels) > 0 {
+		for k, v := range m.Labels {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Annotations) > 0 {
+		for k, v := range m.Annotations {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.OwnerReferences) > 0 {
+		for _, e := range m.OwnerReferences {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Finalizers) > 0 {
+		for _, s := range m.Finalizers {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.ClusterName)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Initializers != nil {
+		l = m.Initializers.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ObjectReference) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.UID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.APIVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ResourceVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FieldPath)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PersistentVolume) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PersistentVolumeClaim) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PersistentVolumeClaimCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastProbeTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PersistentVolumeClaimList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PersistentVolumeClaimSpec) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.AccessModes) > 0 {
+		for _, s := range m.AccessModes {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.Resources.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.VolumeName)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.StorageClassName != nil {
+		l = len(*m.StorageClassName)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *PersistentVolumeClaimStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Phase)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.AccessModes) > 0 {
+		for _, s := range m.AccessModes {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Capacity) > 0 {
+		for k, v := range m.Capacity {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PersistentVolumeClaimVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ClaimName)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	return n
+}
+
+func (m *PersistentVolumeList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PersistentVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	if m.GCEPersistentDisk != nil {
+		l = m.GCEPersistentDisk.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.AWSElasticBlockStore != nil {
+		l = m.AWSElasticBlockStore.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.HostPath != nil {
+		l = m.HostPath.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Glusterfs != nil {
+		l = m.Glusterfs.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.NFS != nil {
+		l = m.NFS.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.RBD != nil {
+		l = m.RBD.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ISCSI != nil {
+		l = m.ISCSI.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Cinder != nil {
+		l = m.Cinder.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.CephFS != nil {
+		l = m.CephFS.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.FC != nil {
+		l = m.FC.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Flocker != nil {
+		l = m.Flocker.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.FlexVolume != nil {
+		l = m.FlexVolume.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.AzureFile != nil {
+		l = m.AzureFile.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.VsphereVolume != nil {
+		l = m.VsphereVolume.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Quobyte != nil {
+		l = m.Quobyte.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.AzureDisk != nil {
+		l = m.AzureDisk.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.PhotonPersistentDisk != nil {
+		l = m.PhotonPersistentDisk.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.PortworxVolume != nil {
+		l = m.PortworxVolume.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.ScaleIO != nil {
+		l = m.ScaleIO.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.Local != nil {
+		l = m.Local.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.StorageOS != nil {
+		l = m.StorageOS.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *PersistentVolumeSpec) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Capacity) > 0 {
+		for k, v := range m.Capacity {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = m.PersistentVolumeSource.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.AccessModes) > 0 {
+		for _, s := range m.AccessModes {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.ClaimRef != nil {
+		l = m.ClaimRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = len(m.PersistentVolumeReclaimPolicy)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.StorageClassName)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.MountOptions) > 0 {
+		for _, s := range m.MountOptions {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PersistentVolumeStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Phase)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PhotonPersistentDiskVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.PdID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Pod) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodAffinity) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.RequiredDuringSchedulingIgnoredDuringExecution) > 0 {
+		for _, e := range m.RequiredDuringSchedulingIgnoredDuringExecution {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.PreferredDuringSchedulingIgnoredDuringExecution) > 0 {
+		for _, e := range m.PreferredDuringSchedulingIgnoredDuringExecution {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodAffinityTerm) Size() (n int) {
+	var l int
+	_ = l
+	if m.LabelSelector != nil {
+		l = m.LabelSelector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.Namespaces) > 0 {
+		for _, s := range m.Namespaces {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.TopologyKey)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodAntiAffinity) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.RequiredDuringSchedulingIgnoredDuringExecution) > 0 {
+		for _, e := range m.RequiredDuringSchedulingIgnoredDuringExecution {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.PreferredDuringSchedulingIgnoredDuringExecution) > 0 {
+		for _, e := range m.PreferredDuringSchedulingIgnoredDuringExecution {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodAttachOptions) Size() (n int) {
+	var l int
+	_ = l
+	n += 2
+	n += 2
+	n += 2
+	n += 2
+	l = len(m.Container)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastProbeTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodExecOptions) Size() (n int) {
+	var l int
+	_ = l
+	n += 2
+	n += 2
+	n += 2
+	n += 2
+	l = len(m.Container)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Command) > 0 {
+		for _, s := range m.Command {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodLogOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Container)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	n += 2
+	if m.SinceSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.SinceSeconds))
+	}
+	if m.SinceTime != nil {
+		l = m.SinceTime.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 2
+	if m.TailLines != nil {
+		n += 1 + sovGenerated(uint64(*m.TailLines))
+	}
+	if m.LimitBytes != nil {
+		n += 1 + sovGenerated(uint64(*m.LimitBytes))
+	}
+	return n
+}
+
+func (m *PodPortForwardOptions) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, e := range m.Ports {
+			n += 1 + sovGenerated(uint64(e))
+		}
+	}
+	return n
+}
+
+func (m *PodProxyOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodSecurityContext) Size() (n int) {
+	var l int
+	_ = l
+	if m.SELinuxOptions != nil {
+		l = m.SELinuxOptions.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.RunAsUser != nil {
+		n += 1 + sovGenerated(uint64(*m.RunAsUser))
+	}
+	if m.RunAsNonRoot != nil {
+		n += 2
+	}
+	if len(m.SupplementalGroups) > 0 {
+		for _, e := range m.SupplementalGroups {
+			n += 1 + sovGenerated(uint64(e))
+		}
+	}
+	if m.FSGroup != nil {
+		n += 1 + sovGenerated(uint64(*m.FSGroup))
+	}
+	return n
+}
+
+func (m *PodSignature) Size() (n int) {
+	var l int
+	_ = l
+	if m.PodController != nil {
+		l = m.PodController.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *PodSpec) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Volumes) > 0 {
+		for _, e := range m.Volumes {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Containers) > 0 {
+		for _, e := range m.Containers {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.RestartPolicy)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TerminationGracePeriodSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.TerminationGracePeriodSeconds))
+	}
+	if m.ActiveDeadlineSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.ActiveDeadlineSeconds))
+	}
+	l = len(m.DNSPolicy)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.NodeSelector) > 0 {
+		for k, v := range m.NodeSelector {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.ServiceAccountName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.DeprecatedServiceAccount)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.NodeName)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	n += 2
+	n += 2
+	if m.SecurityContext != nil {
+		l = m.SecurityContext.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.ImagePullSecrets) > 0 {
+		for _, e := range m.ImagePullSecrets {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.Hostname)
+	n += 2 + l + sovGenerated(uint64(l))
+	l = len(m.Subdomain)
+	n += 2 + l + sovGenerated(uint64(l))
+	if m.Affinity != nil {
+		l = m.Affinity.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	l = len(m.SchedulerName)
+	n += 2 + l + sovGenerated(uint64(l))
+	if len(m.InitContainers) > 0 {
+		for _, e := range m.InitContainers {
+			l = e.Size()
+			n += 2 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.AutomountServiceAccountToken != nil {
+		n += 3
+	}
+	if len(m.Tolerations) > 0 {
+		for _, e := range m.Tolerations {
+			l = e.Size()
+			n += 2 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.HostAliases) > 0 {
+		for _, e := range m.HostAliases {
+			l = e.Size()
+			n += 2 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.PriorityClassName)
+	n += 2 + l + sovGenerated(uint64(l))
+	if m.Priority != nil {
+		n += 2 + sovGenerated(uint64(*m.Priority))
+	}
+	return n
+}
+
+func (m *PodStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Phase)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.HostIP)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.PodIP)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.StartTime != nil {
+		l = m.StartTime.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.ContainerStatuses) > 0 {
+		for _, e := range m.ContainerStatuses {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.QOSClass)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.InitContainerStatuses) > 0 {
+		for _, e := range m.InitContainerStatuses {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodStatusResult) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodTemplate) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodTemplateList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodTemplateSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PortworxVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.VolumeID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	return n
+}
+
+func (m *Preconditions) Size() (n int) {
+	var l int
+	_ = l
+	if m.UID != nil {
+		l = len(*m.UID)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *PreferAvoidPodsEntry) Size() (n int) {
+	var l int
+	_ = l
+	l = m.PodSignature.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.EvictionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PreferredSchedulingTerm) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Weight))
+	l = m.Preference.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Probe) Size() (n int) {
+	var l int
+	_ = l
+	l = m.Handler.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.InitialDelaySeconds))
+	n += 1 + sovGenerated(uint64(m.TimeoutSeconds))
+	n += 1 + sovGenerated(uint64(m.PeriodSeconds))
+	n += 1 + sovGenerated(uint64(m.SuccessThreshold))
+	n += 1 + sovGenerated(uint64(m.FailureThreshold))
+	return n
+}
+
+func (m *ProjectedVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Sources) > 0 {
+		for _, e := range m.Sources {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.DefaultMode != nil {
+		n += 1 + sovGenerated(uint64(*m.DefaultMode))
+	}
+	return n
+}
+
+func (m *QuobyteVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Registry)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Volume)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	l = len(m.User)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Group)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *RBDVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.CephMonitors) > 0 {
+		for _, s := range m.CephMonitors {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.RBDImage)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.RBDPool)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.RadosUser)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Keyring)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SecretRef != nil {
+		l = m.SecretRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 2
+	return n
+}
+
+func (m *RangeAllocation) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Range)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Data != nil {
+		l = len(m.Data)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ReplicationController) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ReplicationControllerCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ReplicationControllerList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ReplicationControllerSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		n += 1 + sovGenerated(uint64(*m.Replicas))
+	}
+	if len(m.Selector) > 0 {
+		for k, v := range m.Selector {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if m.Template != nil {
+		l = m.Template.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 1 + sovGenerated(uint64(m.MinReadySeconds))
+	return n
+}
+
+func (m *ReplicationControllerStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	n += 1 + sovGenerated(uint64(m.FullyLabeledReplicas))
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
+	n += 1 + sovGenerated(uint64(m.ReadyReplicas))
+	n += 1 + sovGenerated(uint64(m.AvailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ResourceFieldSelector) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ContainerName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Resource)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Divisor.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ResourceQuota) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ResourceQuotaList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ResourceQuotaSpec) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Hard) > 0 {
+		for k, v := range m.Hard {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Scopes) > 0 {
+		for _, s := range m.Scopes {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ResourceQuotaStatus) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Hard) > 0 {
+		for k, v := range m.Hard {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Used) > 0 {
+		for k, v := range m.Used {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *ResourceRequirements) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Limits) > 0 {
+		for k, v := range m.Limits {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Requests) > 0 {
+		for k, v := range m.Requests {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *SELinuxOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.User)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Role)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Level)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ScaleIOPersistentVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Gateway)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.System)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SecretRef != nil {
+		l = m.SecretRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 2
+	l = len(m.ProtectionDomain)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.StoragePool)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.StorageMode)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.VolumeName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	return n
+}
+
+func (m *ScaleIOVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Gateway)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.System)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SecretRef != nil {
+		l = m.SecretRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 2
+	l = len(m.ProtectionDomain)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.StoragePool)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.StorageMode)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.VolumeName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	return n
+}
+
+func (m *Secret) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Data) > 0 {
+		for k, v := range m.Data {
+			_ = k
+			_ = v
+			l = 0
+			if v != nil {
+				l = 1 + len(v) + sovGenerated(uint64(len(v)))
+			}
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + l
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.StringData) > 0 {
+		for k, v := range m.StringData {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *SecretEnvSource) Size() (n int) {
+	var l int
+	_ = l
+	l = m.LocalObjectReference.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Optional != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *SecretKeySelector) Size() (n int) {
+	var l int
+	_ = l
+	l = m.LocalObjectReference.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Optional != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *SecretList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *SecretProjection) Size() (n int) {
+	var l int
+	_ = l
+	l = m.LocalObjectReference.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.Optional != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *SecretReference) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SecretVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.SecretName)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.DefaultMode != nil {
+		n += 1 + sovGenerated(uint64(*m.DefaultMode))
+	}
+	if m.Optional != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *SecurityContext) Size() (n int) {
+	var l int
+	_ = l
+	if m.Capabilities != nil {
+		l = m.Capabilities.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Privileged != nil {
+		n += 2
+	}
+	if m.SELinuxOptions != nil {
+		l = m.SELinuxOptions.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.RunAsUser != nil {
+		n += 1 + sovGenerated(uint64(*m.RunAsUser))
+	}
+	if m.RunAsNonRoot != nil {
+		n += 2
+	}
+	if m.ReadOnlyRootFilesystem != nil {
+		n += 2
+	}
+	if m.AllowPrivilegeEscalation != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *SerializedReference) Size() (n int) {
+	var l int
+	_ = l
+	l = m.Reference.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Service) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ServiceAccount) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Secrets) > 0 {
+		for _, e := range m.Secrets {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.ImagePullSecrets) > 0 {
+		for _, e := range m.ImagePullSecrets {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.AutomountServiceAccountToken != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *ServiceAccountList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ServiceList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ServicePort) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Protocol)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Port))
+	l = m.TargetPort.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.NodePort))
+	return n
+}
+
+func (m *ServiceProxyOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ServiceSpec) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, e := range m.Ports {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Selector) > 0 {
+		for k, v := range m.Selector {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.ClusterIP)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.ExternalIPs) > 0 {
+		for _, s := range m.ExternalIPs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.SessionAffinity)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.LoadBalancerIP)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.LoadBalancerSourceRanges) > 0 {
+		for _, s := range m.LoadBalancerSourceRanges {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.ExternalName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ExternalTrafficPolicy)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.HealthCheckNodePort))
+	n += 2
+	if m.SessionAffinityConfig != nil {
+		l = m.SessionAffinityConfig.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ServiceStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = m.LoadBalancer.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SessionAffinityConfig) Size() (n int) {
+	var l int
+	_ = l
+	if m.ClientIP != nil {
+		l = m.ClientIP.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *StorageOSPersistentVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.VolumeName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.VolumeNamespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	if m.SecretRef != nil {
+		l = m.SecretRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *StorageOSVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.VolumeName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.VolumeNamespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	if m.SecretRef != nil {
+		l = m.SecretRef.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *Sysctl) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Value)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *TCPSocketAction) Size() (n int) {
+	var l int
+	_ = l
+	l = m.Port.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Host)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Taint) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Value)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Effect)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.TimeAdded.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Toleration) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Operator)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Value)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Effect)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TolerationSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.TolerationSeconds))
+	}
+	return n
+}
+
+func (m *Volume) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.VolumeSource.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *VolumeMount) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	l = len(m.MountPath)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.SubPath)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.MountPropagation != nil {
+		l = len(*m.MountPropagation)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *VolumeProjection) Size() (n int) {
+	var l int
+	_ = l
+	if m.Secret != nil {
+		l = m.Secret.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.DownwardAPI != nil {
+		l = m.DownwardAPI.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ConfigMap != nil {
+		l = m.ConfigMap.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *VolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	if m.HostPath != nil {
+		l = m.HostPath.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.EmptyDir != nil {
+		l = m.EmptyDir.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.GCEPersistentDisk != nil {
+		l = m.GCEPersistentDisk.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.AWSElasticBlockStore != nil {
+		l = m.AWSElasticBlockStore.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.GitRepo != nil {
+		l = m.GitRepo.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Secret != nil {
+		l = m.Secret.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.NFS != nil {
+		l = m.NFS.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ISCSI != nil {
+		l = m.ISCSI.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Glusterfs != nil {
+		l = m.Glusterfs.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.PersistentVolumeClaim != nil {
+		l = m.PersistentVolumeClaim.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.RBD != nil {
+		l = m.RBD.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.FlexVolume != nil {
+		l = m.FlexVolume.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Cinder != nil {
+		l = m.Cinder.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.CephFS != nil {
+		l = m.CephFS.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Flocker != nil {
+		l = m.Flocker.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.DownwardAPI != nil {
+		l = m.DownwardAPI.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.FC != nil {
+		l = m.FC.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.AzureFile != nil {
+		l = m.AzureFile.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.ConfigMap != nil {
+		l = m.ConfigMap.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.VsphereVolume != nil {
+		l = m.VsphereVolume.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.Quobyte != nil {
+		l = m.Quobyte.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.AzureDisk != nil {
+		l = m.AzureDisk.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.PhotonPersistentDisk != nil {
+		l = m.PhotonPersistentDisk.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.PortworxVolume != nil {
+		l = m.PortworxVolume.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.ScaleIO != nil {
+		l = m.ScaleIO.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.Projected != nil {
+		l = m.Projected.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	if m.StorageOS != nil {
+		l = m.StorageOS.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *VsphereVirtualDiskVolumeSource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.VolumePath)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FSType)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.StoragePolicyName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.StoragePolicyID)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *WeightedPodAffinityTerm) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Weight))
+	l = m.PodAffinityTerm.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *AWSElasticBlockStoreVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&AWSElasticBlockStoreVolumeSource{`,
+		`VolumeID:` + fmt.Sprintf("%v", this.VolumeID) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`Partition:` + fmt.Sprintf("%v", this.Partition) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Affinity) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Affinity{`,
+		`NodeAffinity:` + strings.Replace(fmt.Sprintf("%v", this.NodeAffinity), "NodeAffinity", "NodeAffinity", 1) + `,`,
+		`PodAffinity:` + strings.Replace(fmt.Sprintf("%v", this.PodAffinity), "PodAffinity", "PodAffinity", 1) + `,`,
+		`PodAntiAffinity:` + strings.Replace(fmt.Sprintf("%v", this.PodAntiAffinity), "PodAntiAffinity", "PodAntiAffinity", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *AttachedVolume) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&AttachedVolume{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`DevicePath:` + fmt.Sprintf("%v", this.DevicePath) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *AvoidPods) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&AvoidPods{`,
+		`PreferAvoidPods:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.PreferAvoidPods), "PreferAvoidPodsEntry", "PreferAvoidPodsEntry", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *AzureDiskVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&AzureDiskVolumeSource{`,
+		`DiskName:` + fmt.Sprintf("%v", this.DiskName) + `,`,
+		`DataDiskURI:` + fmt.Sprintf("%v", this.DataDiskURI) + `,`,
+		`CachingMode:` + valueToStringGenerated(this.CachingMode) + `,`,
+		`FSType:` + valueToStringGenerated(this.FSType) + `,`,
+		`ReadOnly:` + valueToStringGenerated(this.ReadOnly) + `,`,
+		`Kind:` + valueToStringGenerated(this.Kind) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *AzureFilePersistentVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&AzureFilePersistentVolumeSource{`,
+		`SecretName:` + fmt.Sprintf("%v", this.SecretName) + `,`,
+		`ShareName:` + fmt.Sprintf("%v", this.ShareName) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`SecretNamespace:` + valueToStringGenerated(this.SecretNamespace) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *AzureFileVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&AzureFileVolumeSource{`,
+		`SecretName:` + fmt.Sprintf("%v", this.SecretName) + `,`,
+		`ShareName:` + fmt.Sprintf("%v", this.ShareName) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Binding) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Binding{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Target:` + strings.Replace(strings.Replace(this.Target.String(), "ObjectReference", "ObjectReference", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Capabilities) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Capabilities{`,
+		`Add:` + fmt.Sprintf("%v", this.Add) + `,`,
+		`Drop:` + fmt.Sprintf("%v", this.Drop) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CephFSPersistentVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CephFSPersistentVolumeSource{`,
+		`Monitors:` + fmt.Sprintf("%v", this.Monitors) + `,`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`User:` + fmt.Sprintf("%v", this.User) + `,`,
+		`SecretFile:` + fmt.Sprintf("%v", this.SecretFile) + `,`,
+		`SecretRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretRef), "SecretReference", "SecretReference", 1) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CephFSVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CephFSVolumeSource{`,
+		`Monitors:` + fmt.Sprintf("%v", this.Monitors) + `,`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`User:` + fmt.Sprintf("%v", this.User) + `,`,
+		`SecretFile:` + fmt.Sprintf("%v", this.SecretFile) + `,`,
+		`SecretRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretRef), "LocalObjectReference", "LocalObjectReference", 1) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CinderVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CinderVolumeSource{`,
+		`VolumeID:` + fmt.Sprintf("%v", this.VolumeID) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClientIPConfig) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClientIPConfig{`,
+		`TimeoutSeconds:` + valueToStringGenerated(this.TimeoutSeconds) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ComponentCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ComponentCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`Error:` + fmt.Sprintf("%v", this.Error) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ComponentStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ComponentStatus{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "ComponentCondition", "ComponentCondition", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ComponentStatusList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ComponentStatusList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ComponentStatus", "ComponentStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ConfigMap) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForData := make([]string, 0, len(this.Data))
+	for k := range this.Data {
+		keysForData = append(keysForData, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForData)
+	mapStringForData := "map[string]string{"
+	for _, k := range keysForData {
+		mapStringForData += fmt.Sprintf("%v: %v,", k, this.Data[k])
+	}
+	mapStringForData += "}"
+	s := strings.Join([]string{`&ConfigMap{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Data:` + mapStringForData + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ConfigMapEnvSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ConfigMapEnvSource{`,
+		`LocalObjectReference:` + strings.Replace(strings.Replace(this.LocalObjectReference.String(), "LocalObjectReference", "LocalObjectReference", 1), `&`, ``, 1) + `,`,
+		`Optional:` + valueToStringGenerated(this.Optional) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ConfigMapKeySelector) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ConfigMapKeySelector{`,
+		`LocalObjectReference:` + strings.Replace(strings.Replace(this.LocalObjectReference.String(), "LocalObjectReference", "LocalObjectReference", 1), `&`, ``, 1) + `,`,
+		`Key:` + fmt.Sprintf("%v", this.Key) + `,`,
+		`Optional:` + valueToStringGenerated(this.Optional) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ConfigMapList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ConfigMapList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ConfigMap", "ConfigMap", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ConfigMapProjection) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ConfigMapProjection{`,
+		`LocalObjectReference:` + strings.Replace(strings.Replace(this.LocalObjectReference.String(), "LocalObjectReference", "LocalObjectReference", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "KeyToPath", "KeyToPath", 1), `&`, ``, 1) + `,`,
+		`Optional:` + valueToStringGenerated(this.Optional) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ConfigMapVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ConfigMapVolumeSource{`,
+		`LocalObjectReference:` + strings.Replace(strings.Replace(this.LocalObjectReference.String(), "LocalObjectReference", "LocalObjectReference", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "KeyToPath", "KeyToPath", 1), `&`, ``, 1) + `,`,
+		`DefaultMode:` + valueToStringGenerated(this.DefaultMode) + `,`,
+		`Optional:` + valueToStringGenerated(this.Optional) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Container) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Container{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Image:` + fmt.Sprintf("%v", this.Image) + `,`,
+		`Command:` + fmt.Sprintf("%v", this.Command) + `,`,
+		`Args:` + fmt.Sprintf("%v", this.Args) + `,`,
+		`WorkingDir:` + fmt.Sprintf("%v", this.WorkingDir) + `,`,
+		`Ports:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ports), "ContainerPort", "ContainerPort", 1), `&`, ``, 1) + `,`,
+		`Env:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Env), "EnvVar", "EnvVar", 1), `&`, ``, 1) + `,`,
+		`Resources:` + strings.Replace(strings.Replace(this.Resources.String(), "ResourceRequirements", "ResourceRequirements", 1), `&`, ``, 1) + `,`,
+		`VolumeMounts:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.VolumeMounts), "VolumeMount", "VolumeMount", 1), `&`, ``, 1) + `,`,
+		`LivenessProbe:` + strings.Replace(fmt.Sprintf("%v", this.LivenessProbe), "Probe", "Probe", 1) + `,`,
+		`ReadinessProbe:` + strings.Replace(fmt.Sprintf("%v", this.ReadinessProbe), "Probe", "Probe", 1) + `,`,
+		`Lifecycle:` + strings.Replace(fmt.Sprintf("%v", this.Lifecycle), "Lifecycle", "Lifecycle", 1) + `,`,
+		`TerminationMessagePath:` + fmt.Sprintf("%v", this.TerminationMessagePath) + `,`,
+		`ImagePullPolicy:` + fmt.Sprintf("%v", this.ImagePullPolicy) + `,`,
+		`SecurityContext:` + strings.Replace(fmt.Sprintf("%v", this.SecurityContext), "SecurityContext", "SecurityContext", 1) + `,`,
+		`Stdin:` + fmt.Sprintf("%v", this.Stdin) + `,`,
+		`StdinOnce:` + fmt.Sprintf("%v", this.StdinOnce) + `,`,
+		`TTY:` + fmt.Sprintf("%v", this.TTY) + `,`,
+		`EnvFrom:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.EnvFrom), "EnvFromSource", "EnvFromSource", 1), `&`, ``, 1) + `,`,
+		`TerminationMessagePolicy:` + fmt.Sprintf("%v", this.TerminationMessagePolicy) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ContainerImage) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ContainerImage{`,
+		`Names:` + fmt.Sprintf("%v", this.Names) + `,`,
+		`SizeBytes:` + fmt.Sprintf("%v", this.SizeBytes) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ContainerPort) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ContainerPort{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`HostPort:` + fmt.Sprintf("%v", this.HostPort) + `,`,
+		`ContainerPort:` + fmt.Sprintf("%v", this.ContainerPort) + `,`,
+		`Protocol:` + fmt.Sprintf("%v", this.Protocol) + `,`,
+		`HostIP:` + fmt.Sprintf("%v", this.HostIP) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ContainerState) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ContainerState{`,
+		`Waiting:` + strings.Replace(fmt.Sprintf("%v", this.Waiting), "ContainerStateWaiting", "ContainerStateWaiting", 1) + `,`,
+		`Running:` + strings.Replace(fmt.Sprintf("%v", this.Running), "ContainerStateRunning", "ContainerStateRunning", 1) + `,`,
+		`Terminated:` + strings.Replace(fmt.Sprintf("%v", this.Terminated), "ContainerStateTerminated", "ContainerStateTerminated", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ContainerStateRunning) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ContainerStateRunning{`,
+		`StartedAt:` + strings.Replace(strings.Replace(this.StartedAt.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ContainerStateTerminated) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ContainerStateTerminated{`,
+		`ExitCode:` + fmt.Sprintf("%v", this.ExitCode) + `,`,
+		`Signal:` + fmt.Sprintf("%v", this.Signal) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`StartedAt:` + strings.Replace(strings.Replace(this.StartedAt.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`FinishedAt:` + strings.Replace(strings.Replace(this.FinishedAt.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`ContainerID:` + fmt.Sprintf("%v", this.ContainerID) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ContainerStateWaiting) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ContainerStateWaiting{`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ContainerStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ContainerStatus{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`State:` + strings.Replace(strings.Replace(this.State.String(), "ContainerState", "ContainerState", 1), `&`, ``, 1) + `,`,
+		`LastTerminationState:` + strings.Replace(strings.Replace(this.LastTerminationState.String(), "ContainerState", "ContainerState", 1), `&`, ``, 1) + `,`,
+		`Ready:` + fmt.Sprintf("%v", this.Ready) + `,`,
+		`RestartCount:` + fmt.Sprintf("%v", this.RestartCount) + `,`,
+		`Image:` + fmt.Sprintf("%v", this.Image) + `,`,
+		`ImageID:` + fmt.Sprintf("%v", this.ImageID) + `,`,
+		`ContainerID:` + fmt.Sprintf("%v", this.ContainerID) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonEndpoint) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonEndpoint{`,
+		`Port:` + fmt.Sprintf("%v", this.Port) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeleteOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeleteOptions{`,
+		`GracePeriodSeconds:` + valueToStringGenerated(this.GracePeriodSeconds) + `,`,
+		`Preconditions:` + strings.Replace(fmt.Sprintf("%v", this.Preconditions), "Preconditions", "Preconditions", 1) + `,`,
+		`OrphanDependents:` + valueToStringGenerated(this.OrphanDependents) + `,`,
+		`PropagationPolicy:` + valueToStringGenerated(this.PropagationPolicy) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DownwardAPIProjection) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DownwardAPIProjection{`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "DownwardAPIVolumeFile", "DownwardAPIVolumeFile", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DownwardAPIVolumeFile) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DownwardAPIVolumeFile{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`FieldRef:` + strings.Replace(fmt.Sprintf("%v", this.FieldRef), "ObjectFieldSelector", "ObjectFieldSelector", 1) + `,`,
+		`ResourceFieldRef:` + strings.Replace(fmt.Sprintf("%v", this.ResourceFieldRef), "ResourceFieldSelector", "ResourceFieldSelector", 1) + `,`,
+		`Mode:` + valueToStringGenerated(this.Mode) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DownwardAPIVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DownwardAPIVolumeSource{`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "DownwardAPIVolumeFile", "DownwardAPIVolumeFile", 1), `&`, ``, 1) + `,`,
+		`DefaultMode:` + valueToStringGenerated(this.DefaultMode) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *EmptyDirVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&EmptyDirVolumeSource{`,
+		`Medium:` + fmt.Sprintf("%v", this.Medium) + `,`,
+		`SizeLimit:` + strings.Replace(fmt.Sprintf("%v", this.SizeLimit), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *EndpointAddress) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&EndpointAddress{`,
+		`IP:` + fmt.Sprintf("%v", this.IP) + `,`,
+		`TargetRef:` + strings.Replace(fmt.Sprintf("%v", this.TargetRef), "ObjectReference", "ObjectReference", 1) + `,`,
+		`Hostname:` + fmt.Sprintf("%v", this.Hostname) + `,`,
+		`NodeName:` + valueToStringGenerated(this.NodeName) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *EndpointPort) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&EndpointPort{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Port:` + fmt.Sprintf("%v", this.Port) + `,`,
+		`Protocol:` + fmt.Sprintf("%v", this.Protocol) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *EndpointSubset) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&EndpointSubset{`,
+		`Addresses:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Addresses), "EndpointAddress", "EndpointAddress", 1), `&`, ``, 1) + `,`,
+		`NotReadyAddresses:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.NotReadyAddresses), "EndpointAddress", "EndpointAddress", 1), `&`, ``, 1) + `,`,
+		`Ports:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ports), "EndpointPort", "EndpointPort", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Endpoints) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Endpoints{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Subsets:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Subsets), "EndpointSubset", "EndpointSubset", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *EndpointsList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&EndpointsList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Endpoints", "Endpoints", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *EnvFromSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&EnvFromSource{`,
+		`Prefix:` + fmt.Sprintf("%v", this.Prefix) + `,`,
+		`ConfigMapRef:` + strings.Replace(fmt.Sprintf("%v", this.ConfigMapRef), "ConfigMapEnvSource", "ConfigMapEnvSource", 1) + `,`,
+		`SecretRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretRef), "SecretEnvSource", "SecretEnvSource", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *EnvVar) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&EnvVar{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Value:` + fmt.Sprintf("%v", this.Value) + `,`,
+		`ValueFrom:` + strings.Replace(fmt.Sprintf("%v", this.ValueFrom), "EnvVarSource", "EnvVarSource", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *EnvVarSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&EnvVarSource{`,
+		`FieldRef:` + strings.Replace(fmt.Sprintf("%v", this.FieldRef), "ObjectFieldSelector", "ObjectFieldSelector", 1) + `,`,
+		`ResourceFieldRef:` + strings.Replace(fmt.Sprintf("%v", this.ResourceFieldRef), "ResourceFieldSelector", "ResourceFieldSelector", 1) + `,`,
+		`ConfigMapKeyRef:` + strings.Replace(fmt.Sprintf("%v", this.ConfigMapKeyRef), "ConfigMapKeySelector", "ConfigMapKeySelector", 1) + `,`,
+		`SecretKeyRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretKeyRef), "SecretKeySelector", "SecretKeySelector", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Event) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Event{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`InvolvedObject:` + strings.Replace(strings.Replace(this.InvolvedObject.String(), "ObjectReference", "ObjectReference", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`Source:` + strings.Replace(strings.Replace(this.Source.String(), "EventSource", "EventSource", 1), `&`, ``, 1) + `,`,
+		`FirstTimestamp:` + strings.Replace(strings.Replace(this.FirstTimestamp.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`LastTimestamp:` + strings.Replace(strings.Replace(this.LastTimestamp.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Count:` + fmt.Sprintf("%v", this.Count) + `,`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *EventList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&EventList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Event", "Event", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *EventSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&EventSource{`,
+		`Component:` + fmt.Sprintf("%v", this.Component) + `,`,
+		`Host:` + fmt.Sprintf("%v", this.Host) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ExecAction) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ExecAction{`,
+		`Command:` + fmt.Sprintf("%v", this.Command) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *FCVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&FCVolumeSource{`,
+		`TargetWWNs:` + fmt.Sprintf("%v", this.TargetWWNs) + `,`,
+		`Lun:` + valueToStringGenerated(this.Lun) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`WWIDs:` + fmt.Sprintf("%v", this.WWIDs) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *FlexVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForOptions := make([]string, 0, len(this.Options))
+	for k := range this.Options {
+		keysForOptions = append(keysForOptions, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForOptions)
+	mapStringForOptions := "map[string]string{"
+	for _, k := range keysForOptions {
+		mapStringForOptions += fmt.Sprintf("%v: %v,", k, this.Options[k])
+	}
+	mapStringForOptions += "}"
+	s := strings.Join([]string{`&FlexVolumeSource{`,
+		`Driver:` + fmt.Sprintf("%v", this.Driver) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`SecretRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretRef), "LocalObjectReference", "LocalObjectReference", 1) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`Options:` + mapStringForOptions + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *FlockerVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&FlockerVolumeSource{`,
+		`DatasetName:` + fmt.Sprintf("%v", this.DatasetName) + `,`,
+		`DatasetUUID:` + fmt.Sprintf("%v", this.DatasetUUID) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *GCEPersistentDiskVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&GCEPersistentDiskVolumeSource{`,
+		`PDName:` + fmt.Sprintf("%v", this.PDName) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`Partition:` + fmt.Sprintf("%v", this.Partition) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *GitRepoVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&GitRepoVolumeSource{`,
+		`Repository:` + fmt.Sprintf("%v", this.Repository) + `,`,
+		`Revision:` + fmt.Sprintf("%v", this.Revision) + `,`,
+		`Directory:` + fmt.Sprintf("%v", this.Directory) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *GlusterfsVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&GlusterfsVolumeSource{`,
+		`EndpointsName:` + fmt.Sprintf("%v", this.EndpointsName) + `,`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HTTPGetAction) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HTTPGetAction{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`Port:` + strings.Replace(strings.Replace(this.Port.String(), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1), `&`, ``, 1) + `,`,
+		`Host:` + fmt.Sprintf("%v", this.Host) + `,`,
+		`Scheme:` + fmt.Sprintf("%v", this.Scheme) + `,`,
+		`HTTPHeaders:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.HTTPHeaders), "HTTPHeader", "HTTPHeader", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HTTPHeader) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HTTPHeader{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Value:` + fmt.Sprintf("%v", this.Value) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Handler) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Handler{`,
+		`Exec:` + strings.Replace(fmt.Sprintf("%v", this.Exec), "ExecAction", "ExecAction", 1) + `,`,
+		`HTTPGet:` + strings.Replace(fmt.Sprintf("%v", this.HTTPGet), "HTTPGetAction", "HTTPGetAction", 1) + `,`,
+		`TCPSocket:` + strings.Replace(fmt.Sprintf("%v", this.TCPSocket), "TCPSocketAction", "TCPSocketAction", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HostAlias) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HostAlias{`,
+		`IP:` + fmt.Sprintf("%v", this.IP) + `,`,
+		`Hostnames:` + fmt.Sprintf("%v", this.Hostnames) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HostPathVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HostPathVolumeSource{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`Type:` + valueToStringGenerated(this.Type) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ISCSIVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ISCSIVolumeSource{`,
+		`TargetPortal:` + fmt.Sprintf("%v", this.TargetPortal) + `,`,
+		`IQN:` + fmt.Sprintf("%v", this.IQN) + `,`,
+		`Lun:` + fmt.Sprintf("%v", this.Lun) + `,`,
+		`ISCSIInterface:` + fmt.Sprintf("%v", this.ISCSIInterface) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`Portals:` + fmt.Sprintf("%v", this.Portals) + `,`,
+		`DiscoveryCHAPAuth:` + fmt.Sprintf("%v", this.DiscoveryCHAPAuth) + `,`,
+		`SecretRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretRef), "LocalObjectReference", "LocalObjectReference", 1) + `,`,
+		`SessionCHAPAuth:` + fmt.Sprintf("%v", this.SessionCHAPAuth) + `,`,
+		`InitiatorName:` + valueToStringGenerated(this.InitiatorName) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *KeyToPath) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&KeyToPath{`,
+		`Key:` + fmt.Sprintf("%v", this.Key) + `,`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`Mode:` + valueToStringGenerated(this.Mode) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Lifecycle) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Lifecycle{`,
+		`PostStart:` + strings.Replace(fmt.Sprintf("%v", this.PostStart), "Handler", "Handler", 1) + `,`,
+		`PreStop:` + strings.Replace(fmt.Sprintf("%v", this.PreStop), "Handler", "Handler", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *LimitRange) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&LimitRange{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "LimitRangeSpec", "LimitRangeSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *LimitRangeItem) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForMax := make([]string, 0, len(this.Max))
+	for k := range this.Max {
+		keysForMax = append(keysForMax, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForMax)
+	mapStringForMax := "ResourceList{"
+	for _, k := range keysForMax {
+		mapStringForMax += fmt.Sprintf("%v: %v,", k, this.Max[ResourceName(k)])
+	}
+	mapStringForMax += "}"
+	keysForMin := make([]string, 0, len(this.Min))
+	for k := range this.Min {
+		keysForMin = append(keysForMin, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForMin)
+	mapStringForMin := "ResourceList{"
+	for _, k := range keysForMin {
+		mapStringForMin += fmt.Sprintf("%v: %v,", k, this.Min[ResourceName(k)])
+	}
+	mapStringForMin += "}"
+	keysForDefault := make([]string, 0, len(this.Default))
+	for k := range this.Default {
+		keysForDefault = append(keysForDefault, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForDefault)
+	mapStringForDefault := "ResourceList{"
+	for _, k := range keysForDefault {
+		mapStringForDefault += fmt.Sprintf("%v: %v,", k, this.Default[ResourceName(k)])
+	}
+	mapStringForDefault += "}"
+	keysForDefaultRequest := make([]string, 0, len(this.DefaultRequest))
+	for k := range this.DefaultRequest {
+		keysForDefaultRequest = append(keysForDefaultRequest, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForDefaultRequest)
+	mapStringForDefaultRequest := "ResourceList{"
+	for _, k := range keysForDefaultRequest {
+		mapStringForDefaultRequest += fmt.Sprintf("%v: %v,", k, this.DefaultRequest[ResourceName(k)])
+	}
+	mapStringForDefaultRequest += "}"
+	keysForMaxLimitRequestRatio := make([]string, 0, len(this.MaxLimitRequestRatio))
+	for k := range this.MaxLimitRequestRatio {
+		keysForMaxLimitRequestRatio = append(keysForMaxLimitRequestRatio, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForMaxLimitRequestRatio)
+	mapStringForMaxLimitRequestRatio := "ResourceList{"
+	for _, k := range keysForMaxLimitRequestRatio {
+		mapStringForMaxLimitRequestRatio += fmt.Sprintf("%v: %v,", k, this.MaxLimitRequestRatio[ResourceName(k)])
+	}
+	mapStringForMaxLimitRequestRatio += "}"
+	s := strings.Join([]string{`&LimitRangeItem{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Max:` + mapStringForMax + `,`,
+		`Min:` + mapStringForMin + `,`,
+		`Default:` + mapStringForDefault + `,`,
+		`DefaultRequest:` + mapStringForDefaultRequest + `,`,
+		`MaxLimitRequestRatio:` + mapStringForMaxLimitRequestRatio + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *LimitRangeList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&LimitRangeList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "LimitRange", "LimitRange", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *LimitRangeSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&LimitRangeSpec{`,
+		`Limits:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Limits), "LimitRangeItem", "LimitRangeItem", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *List) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&List{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "RawExtension", "k8s_io_apimachinery_pkg_runtime.RawExtension", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ListOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ListOptions{`,
+		`LabelSelector:` + fmt.Sprintf("%v", this.LabelSelector) + `,`,
+		`FieldSelector:` + fmt.Sprintf("%v", this.FieldSelector) + `,`,
+		`Watch:` + fmt.Sprintf("%v", this.Watch) + `,`,
+		`ResourceVersion:` + fmt.Sprintf("%v", this.ResourceVersion) + `,`,
+		`TimeoutSeconds:` + valueToStringGenerated(this.TimeoutSeconds) + `,`,
+		`IncludeUninitialized:` + fmt.Sprintf("%v", this.IncludeUninitialized) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *LoadBalancerIngress) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&LoadBalancerIngress{`,
+		`IP:` + fmt.Sprintf("%v", this.IP) + `,`,
+		`Hostname:` + fmt.Sprintf("%v", this.Hostname) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *LoadBalancerStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&LoadBalancerStatus{`,
+		`Ingress:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ingress), "LoadBalancerIngress", "LoadBalancerIngress", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *LocalObjectReference) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&LocalObjectReference{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *LocalVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&LocalVolumeSource{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NFSVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NFSVolumeSource{`,
+		`Server:` + fmt.Sprintf("%v", this.Server) + `,`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Namespace) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Namespace{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "NamespaceSpec", "NamespaceSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "NamespaceStatus", "NamespaceStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NamespaceList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NamespaceList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Namespace", "Namespace", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NamespaceSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NamespaceSpec{`,
+		`Finalizers:` + fmt.Sprintf("%v", this.Finalizers) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NamespaceStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NamespaceStatus{`,
+		`Phase:` + fmt.Sprintf("%v", this.Phase) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Node) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Node{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "NodeSpec", "NodeSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "NodeStatus", "NodeStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeAddress) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeAddress{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Address:` + fmt.Sprintf("%v", this.Address) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeAffinity) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeAffinity{`,
+		`RequiredDuringSchedulingIgnoredDuringExecution:` + strings.Replace(fmt.Sprintf("%v", this.RequiredDuringSchedulingIgnoredDuringExecution), "NodeSelector", "NodeSelector", 1) + `,`,
+		`PreferredDuringSchedulingIgnoredDuringExecution:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.PreferredDuringSchedulingIgnoredDuringExecution), "PreferredSchedulingTerm", "PreferredSchedulingTerm", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`LastHeartbeatTime:` + strings.Replace(strings.Replace(this.LastHeartbeatTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeConfigSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeConfigSource{`,
+		`ConfigMapRef:` + strings.Replace(fmt.Sprintf("%v", this.ConfigMapRef), "ObjectReference", "ObjectReference", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeDaemonEndpoints) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeDaemonEndpoints{`,
+		`KubeletEndpoint:` + strings.Replace(strings.Replace(this.KubeletEndpoint.String(), "DaemonEndpoint", "DaemonEndpoint", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Node", "Node", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeProxyOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeProxyOptions{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeResources) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForCapacity := make([]string, 0, len(this.Capacity))
+	for k := range this.Capacity {
+		keysForCapacity = append(keysForCapacity, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+	mapStringForCapacity := "ResourceList{"
+	for _, k := range keysForCapacity {
+		mapStringForCapacity += fmt.Sprintf("%v: %v,", k, this.Capacity[ResourceName(k)])
+	}
+	mapStringForCapacity += "}"
+	s := strings.Join([]string{`&NodeResources{`,
+		`Capacity:` + mapStringForCapacity + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeSelector) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeSelector{`,
+		`NodeSelectorTerms:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.NodeSelectorTerms), "NodeSelectorTerm", "NodeSelectorTerm", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeSelectorRequirement) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeSelectorRequirement{`,
+		`Key:` + fmt.Sprintf("%v", this.Key) + `,`,
+		`Operator:` + fmt.Sprintf("%v", this.Operator) + `,`,
+		`Values:` + fmt.Sprintf("%v", this.Values) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeSelectorTerm) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeSelectorTerm{`,
+		`MatchExpressions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.MatchExpressions), "NodeSelectorRequirement", "NodeSelectorRequirement", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeSpec{`,
+		`PodCIDR:` + fmt.Sprintf("%v", this.PodCIDR) + `,`,
+		`ExternalID:` + fmt.Sprintf("%v", this.ExternalID) + `,`,
+		`ProviderID:` + fmt.Sprintf("%v", this.ProviderID) + `,`,
+		`Unschedulable:` + fmt.Sprintf("%v", this.Unschedulable) + `,`,
+		`Taints:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Taints), "Taint", "Taint", 1), `&`, ``, 1) + `,`,
+		`ConfigSource:` + strings.Replace(fmt.Sprintf("%v", this.ConfigSource), "NodeConfigSource", "NodeConfigSource", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForCapacity := make([]string, 0, len(this.Capacity))
+	for k := range this.Capacity {
+		keysForCapacity = append(keysForCapacity, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+	mapStringForCapacity := "ResourceList{"
+	for _, k := range keysForCapacity {
+		mapStringForCapacity += fmt.Sprintf("%v: %v,", k, this.Capacity[ResourceName(k)])
+	}
+	mapStringForCapacity += "}"
+	keysForAllocatable := make([]string, 0, len(this.Allocatable))
+	for k := range this.Allocatable {
+		keysForAllocatable = append(keysForAllocatable, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForAllocatable)
+	mapStringForAllocatable := "ResourceList{"
+	for _, k := range keysForAllocatable {
+		mapStringForAllocatable += fmt.Sprintf("%v: %v,", k, this.Allocatable[ResourceName(k)])
+	}
+	mapStringForAllocatable += "}"
+	s := strings.Join([]string{`&NodeStatus{`,
+		`Capacity:` + mapStringForCapacity + `,`,
+		`Allocatable:` + mapStringForAllocatable + `,`,
+		`Phase:` + fmt.Sprintf("%v", this.Phase) + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "NodeCondition", "NodeCondition", 1), `&`, ``, 1) + `,`,
+		`Addresses:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Addresses), "NodeAddress", "NodeAddress", 1), `&`, ``, 1) + `,`,
+		`DaemonEndpoints:` + strings.Replace(strings.Replace(this.DaemonEndpoints.String(), "NodeDaemonEndpoints", "NodeDaemonEndpoints", 1), `&`, ``, 1) + `,`,
+		`NodeInfo:` + strings.Replace(strings.Replace(this.NodeInfo.String(), "NodeSystemInfo", "NodeSystemInfo", 1), `&`, ``, 1) + `,`,
+		`Images:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Images), "ContainerImage", "ContainerImage", 1), `&`, ``, 1) + `,`,
+		`VolumesInUse:` + fmt.Sprintf("%v", this.VolumesInUse) + `,`,
+		`VolumesAttached:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.VolumesAttached), "AttachedVolume", "AttachedVolume", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NodeSystemInfo) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NodeSystemInfo{`,
+		`MachineID:` + fmt.Sprintf("%v", this.MachineID) + `,`,
+		`SystemUUID:` + fmt.Sprintf("%v", this.SystemUUID) + `,`,
+		`BootID:` + fmt.Sprintf("%v", this.BootID) + `,`,
+		`KernelVersion:` + fmt.Sprintf("%v", this.KernelVersion) + `,`,
+		`OSImage:` + fmt.Sprintf("%v", this.OSImage) + `,`,
+		`ContainerRuntimeVersion:` + fmt.Sprintf("%v", this.ContainerRuntimeVersion) + `,`,
+		`KubeletVersion:` + fmt.Sprintf("%v", this.KubeletVersion) + `,`,
+		`KubeProxyVersion:` + fmt.Sprintf("%v", this.KubeProxyVersion) + `,`,
+		`OperatingSystem:` + fmt.Sprintf("%v", this.OperatingSystem) + `,`,
+		`Architecture:` + fmt.Sprintf("%v", this.Architecture) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ObjectFieldSelector) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ObjectFieldSelector{`,
+		`APIVersion:` + fmt.Sprintf("%v", this.APIVersion) + `,`,
+		`FieldPath:` + fmt.Sprintf("%v", this.FieldPath) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ObjectMeta) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForLabels := make([]string, 0, len(this.Labels))
+	for k := range this.Labels {
+		keysForLabels = append(keysForLabels, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForLabels)
+	mapStringForLabels := "map[string]string{"
+	for _, k := range keysForLabels {
+		mapStringForLabels += fmt.Sprintf("%v: %v,", k, this.Labels[k])
+	}
+	mapStringForLabels += "}"
+	keysForAnnotations := make([]string, 0, len(this.Annotations))
+	for k := range this.Annotations {
+		keysForAnnotations = append(keysForAnnotations, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+	mapStringForAnnotations := "map[string]string{"
+	for _, k := range keysForAnnotations {
+		mapStringForAnnotations += fmt.Sprintf("%v: %v,", k, this.Annotations[k])
+	}
+	mapStringForAnnotations += "}"
+	s := strings.Join([]string{`&ObjectMeta{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`GenerateName:` + fmt.Sprintf("%v", this.GenerateName) + `,`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`SelfLink:` + fmt.Sprintf("%v", this.SelfLink) + `,`,
+		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
+		`ResourceVersion:` + fmt.Sprintf("%v", this.ResourceVersion) + `,`,
+		`Generation:` + fmt.Sprintf("%v", this.Generation) + `,`,
+		`CreationTimestamp:` + strings.Replace(strings.Replace(this.CreationTimestamp.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`DeletionTimestamp:` + strings.Replace(fmt.Sprintf("%v", this.DeletionTimestamp), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1) + `,`,
+		`DeletionGracePeriodSeconds:` + valueToStringGenerated(this.DeletionGracePeriodSeconds) + `,`,
+		`Labels:` + mapStringForLabels + `,`,
+		`Annotations:` + mapStringForAnnotations + `,`,
+		`OwnerReferences:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.OwnerReferences), "OwnerReference", "k8s_io_apimachinery_pkg_apis_meta_v1.OwnerReference", 1), `&`, ``, 1) + `,`,
+		`Finalizers:` + fmt.Sprintf("%v", this.Finalizers) + `,`,
+		`ClusterName:` + fmt.Sprintf("%v", this.ClusterName) + `,`,
+		`Initializers:` + strings.Replace(fmt.Sprintf("%v", this.Initializers), "Initializers", "k8s_io_apimachinery_pkg_apis_meta_v1.Initializers", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ObjectReference) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ObjectReference{`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
+		`APIVersion:` + fmt.Sprintf("%v", this.APIVersion) + `,`,
+		`ResourceVersion:` + fmt.Sprintf("%v", this.ResourceVersion) + `,`,
+		`FieldPath:` + fmt.Sprintf("%v", this.FieldPath) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolume) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PersistentVolume{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PersistentVolumeSpec", "PersistentVolumeSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "PersistentVolumeStatus", "PersistentVolumeStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolumeClaim) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PersistentVolumeClaim{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PersistentVolumeClaimSpec", "PersistentVolumeClaimSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "PersistentVolumeClaimStatus", "PersistentVolumeClaimStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolumeClaimCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PersistentVolumeClaimCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`LastProbeTime:` + strings.Replace(strings.Replace(this.LastProbeTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolumeClaimList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PersistentVolumeClaimList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "PersistentVolumeClaim", "PersistentVolumeClaim", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolumeClaimSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PersistentVolumeClaimSpec{`,
+		`AccessModes:` + fmt.Sprintf("%v", this.AccessModes) + `,`,
+		`Resources:` + strings.Replace(strings.Replace(this.Resources.String(), "ResourceRequirements", "ResourceRequirements", 1), `&`, ``, 1) + `,`,
+		`VolumeName:` + fmt.Sprintf("%v", this.VolumeName) + `,`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`StorageClassName:` + valueToStringGenerated(this.StorageClassName) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolumeClaimStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForCapacity := make([]string, 0, len(this.Capacity))
+	for k := range this.Capacity {
+		keysForCapacity = append(keysForCapacity, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+	mapStringForCapacity := "ResourceList{"
+	for _, k := range keysForCapacity {
+		mapStringForCapacity += fmt.Sprintf("%v: %v,", k, this.Capacity[ResourceName(k)])
+	}
+	mapStringForCapacity += "}"
+	s := strings.Join([]string{`&PersistentVolumeClaimStatus{`,
+		`Phase:` + fmt.Sprintf("%v", this.Phase) + `,`,
+		`AccessModes:` + fmt.Sprintf("%v", this.AccessModes) + `,`,
+		`Capacity:` + mapStringForCapacity + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "PersistentVolumeClaimCondition", "PersistentVolumeClaimCondition", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolumeClaimVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PersistentVolumeClaimVolumeSource{`,
+		`ClaimName:` + fmt.Sprintf("%v", this.ClaimName) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolumeList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PersistentVolumeList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "PersistentVolume", "PersistentVolume", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PersistentVolumeSource{`,
+		`GCEPersistentDisk:` + strings.Replace(fmt.Sprintf("%v", this.GCEPersistentDisk), "GCEPersistentDiskVolumeSource", "GCEPersistentDiskVolumeSource", 1) + `,`,
+		`AWSElasticBlockStore:` + strings.Replace(fmt.Sprintf("%v", this.AWSElasticBlockStore), "AWSElasticBlockStoreVolumeSource", "AWSElasticBlockStoreVolumeSource", 1) + `,`,
+		`HostPath:` + strings.Replace(fmt.Sprintf("%v", this.HostPath), "HostPathVolumeSource", "HostPathVolumeSource", 1) + `,`,
+		`Glusterfs:` + strings.Replace(fmt.Sprintf("%v", this.Glusterfs), "GlusterfsVolumeSource", "GlusterfsVolumeSource", 1) + `,`,
+		`NFS:` + strings.Replace(fmt.Sprintf("%v", this.NFS), "NFSVolumeSource", "NFSVolumeSource", 1) + `,`,
+		`RBD:` + strings.Replace(fmt.Sprintf("%v", this.RBD), "RBDVolumeSource", "RBDVolumeSource", 1) + `,`,
+		`ISCSI:` + strings.Replace(fmt.Sprintf("%v", this.ISCSI), "ISCSIVolumeSource", "ISCSIVolumeSource", 1) + `,`,
+		`Cinder:` + strings.Replace(fmt.Sprintf("%v", this.Cinder), "CinderVolumeSource", "CinderVolumeSource", 1) + `,`,
+		`CephFS:` + strings.Replace(fmt.Sprintf("%v", this.CephFS), "CephFSPersistentVolumeSource", "CephFSPersistentVolumeSource", 1) + `,`,
+		`FC:` + strings.Replace(fmt.Sprintf("%v", this.FC), "FCVolumeSource", "FCVolumeSource", 1) + `,`,
+		`Flocker:` + strings.Replace(fmt.Sprintf("%v", this.Flocker), "FlockerVolumeSource", "FlockerVolumeSource", 1) + `,`,
+		`FlexVolume:` + strings.Replace(fmt.Sprintf("%v", this.FlexVolume), "FlexVolumeSource", "FlexVolumeSource", 1) + `,`,
+		`AzureFile:` + strings.Replace(fmt.Sprintf("%v", this.AzureFile), "AzureFilePersistentVolumeSource", "AzureFilePersistentVolumeSource", 1) + `,`,
+		`VsphereVolume:` + strings.Replace(fmt.Sprintf("%v", this.VsphereVolume), "VsphereVirtualDiskVolumeSource", "VsphereVirtualDiskVolumeSource", 1) + `,`,
+		`Quobyte:` + strings.Replace(fmt.Sprintf("%v", this.Quobyte), "QuobyteVolumeSource", "QuobyteVolumeSource", 1) + `,`,
+		`AzureDisk:` + strings.Replace(fmt.Sprintf("%v", this.AzureDisk), "AzureDiskVolumeSource", "AzureDiskVolumeSource", 1) + `,`,
+		`PhotonPersistentDisk:` + strings.Replace(fmt.Sprintf("%v", this.PhotonPersistentDisk), "PhotonPersistentDiskVolumeSource", "PhotonPersistentDiskVolumeSource", 1) + `,`,
+		`PortworxVolume:` + strings.Replace(fmt.Sprintf("%v", this.PortworxVolume), "PortworxVolumeSource", "PortworxVolumeSource", 1) + `,`,
+		`ScaleIO:` + strings.Replace(fmt.Sprintf("%v", this.ScaleIO), "ScaleIOPersistentVolumeSource", "ScaleIOPersistentVolumeSource", 1) + `,`,
+		`Local:` + strings.Replace(fmt.Sprintf("%v", this.Local), "LocalVolumeSource", "LocalVolumeSource", 1) + `,`,
+		`StorageOS:` + strings.Replace(fmt.Sprintf("%v", this.StorageOS), "StorageOSPersistentVolumeSource", "StorageOSPersistentVolumeSource", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolumeSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForCapacity := make([]string, 0, len(this.Capacity))
+	for k := range this.Capacity {
+		keysForCapacity = append(keysForCapacity, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForCapacity)
+	mapStringForCapacity := "ResourceList{"
+	for _, k := range keysForCapacity {
+		mapStringForCapacity += fmt.Sprintf("%v: %v,", k, this.Capacity[ResourceName(k)])
+	}
+	mapStringForCapacity += "}"
+	s := strings.Join([]string{`&PersistentVolumeSpec{`,
+		`Capacity:` + mapStringForCapacity + `,`,
+		`PersistentVolumeSource:` + strings.Replace(strings.Replace(this.PersistentVolumeSource.String(), "PersistentVolumeSource", "PersistentVolumeSource", 1), `&`, ``, 1) + `,`,
+		`AccessModes:` + fmt.Sprintf("%v", this.AccessModes) + `,`,
+		`ClaimRef:` + strings.Replace(fmt.Sprintf("%v", this.ClaimRef), "ObjectReference", "ObjectReference", 1) + `,`,
+		`PersistentVolumeReclaimPolicy:` + fmt.Sprintf("%v", this.PersistentVolumeReclaimPolicy) + `,`,
+		`StorageClassName:` + fmt.Sprintf("%v", this.StorageClassName) + `,`,
+		`MountOptions:` + fmt.Sprintf("%v", this.MountOptions) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PersistentVolumeStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PersistentVolumeStatus{`,
+		`Phase:` + fmt.Sprintf("%v", this.Phase) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PhotonPersistentDiskVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PhotonPersistentDiskVolumeSource{`,
+		`PdID:` + fmt.Sprintf("%v", this.PdID) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Pod) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Pod{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PodSpec", "PodSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "PodStatus", "PodStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodAffinity) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodAffinity{`,
+		`RequiredDuringSchedulingIgnoredDuringExecution:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.RequiredDuringSchedulingIgnoredDuringExecution), "PodAffinityTerm", "PodAffinityTerm", 1), `&`, ``, 1) + `,`,
+		`PreferredDuringSchedulingIgnoredDuringExecution:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.PreferredDuringSchedulingIgnoredDuringExecution), "WeightedPodAffinityTerm", "WeightedPodAffinityTerm", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodAffinityTerm) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodAffinityTerm{`,
+		`LabelSelector:` + strings.Replace(fmt.Sprintf("%v", this.LabelSelector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`,
+		`TopologyKey:` + fmt.Sprintf("%v", this.TopologyKey) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodAntiAffinity) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodAntiAffinity{`,
+		`RequiredDuringSchedulingIgnoredDuringExecution:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.RequiredDuringSchedulingIgnoredDuringExecution), "PodAffinityTerm", "PodAffinityTerm", 1), `&`, ``, 1) + `,`,
+		`PreferredDuringSchedulingIgnoredDuringExecution:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.PreferredDuringSchedulingIgnoredDuringExecution), "WeightedPodAffinityTerm", "WeightedPodAffinityTerm", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodAttachOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodAttachOptions{`,
+		`Stdin:` + fmt.Sprintf("%v", this.Stdin) + `,`,
+		`Stdout:` + fmt.Sprintf("%v", this.Stdout) + `,`,
+		`Stderr:` + fmt.Sprintf("%v", this.Stderr) + `,`,
+		`TTY:` + fmt.Sprintf("%v", this.TTY) + `,`,
+		`Container:` + fmt.Sprintf("%v", this.Container) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`LastProbeTime:` + strings.Replace(strings.Replace(this.LastProbeTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodExecOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodExecOptions{`,
+		`Stdin:` + fmt.Sprintf("%v", this.Stdin) + `,`,
+		`Stdout:` + fmt.Sprintf("%v", this.Stdout) + `,`,
+		`Stderr:` + fmt.Sprintf("%v", this.Stderr) + `,`,
+		`TTY:` + fmt.Sprintf("%v", this.TTY) + `,`,
+		`Container:` + fmt.Sprintf("%v", this.Container) + `,`,
+		`Command:` + fmt.Sprintf("%v", this.Command) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Pod", "Pod", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodLogOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodLogOptions{`,
+		`Container:` + fmt.Sprintf("%v", this.Container) + `,`,
+		`Follow:` + fmt.Sprintf("%v", this.Follow) + `,`,
+		`Previous:` + fmt.Sprintf("%v", this.Previous) + `,`,
+		`SinceSeconds:` + valueToStringGenerated(this.SinceSeconds) + `,`,
+		`SinceTime:` + strings.Replace(fmt.Sprintf("%v", this.SinceTime), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1) + `,`,
+		`Timestamps:` + fmt.Sprintf("%v", this.Timestamps) + `,`,
+		`TailLines:` + valueToStringGenerated(this.TailLines) + `,`,
+		`LimitBytes:` + valueToStringGenerated(this.LimitBytes) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodPortForwardOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodPortForwardOptions{`,
+		`Ports:` + fmt.Sprintf("%v", this.Ports) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodProxyOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodProxyOptions{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodSecurityContext) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodSecurityContext{`,
+		`SELinuxOptions:` + strings.Replace(fmt.Sprintf("%v", this.SELinuxOptions), "SELinuxOptions", "SELinuxOptions", 1) + `,`,
+		`RunAsUser:` + valueToStringGenerated(this.RunAsUser) + `,`,
+		`RunAsNonRoot:` + valueToStringGenerated(this.RunAsNonRoot) + `,`,
+		`SupplementalGroups:` + fmt.Sprintf("%v", this.SupplementalGroups) + `,`,
+		`FSGroup:` + valueToStringGenerated(this.FSGroup) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodSignature) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodSignature{`,
+		`PodController:` + strings.Replace(fmt.Sprintf("%v", this.PodController), "OwnerReference", "k8s_io_apimachinery_pkg_apis_meta_v1.OwnerReference", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForNodeSelector := make([]string, 0, len(this.NodeSelector))
+	for k := range this.NodeSelector {
+		keysForNodeSelector = append(keysForNodeSelector, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForNodeSelector)
+	mapStringForNodeSelector := "map[string]string{"
+	for _, k := range keysForNodeSelector {
+		mapStringForNodeSelector += fmt.Sprintf("%v: %v,", k, this.NodeSelector[k])
+	}
+	mapStringForNodeSelector += "}"
+	s := strings.Join([]string{`&PodSpec{`,
+		`Volumes:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Volumes), "Volume", "Volume", 1), `&`, ``, 1) + `,`,
+		`Containers:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Containers), "Container", "Container", 1), `&`, ``, 1) + `,`,
+		`RestartPolicy:` + fmt.Sprintf("%v", this.RestartPolicy) + `,`,
+		`TerminationGracePeriodSeconds:` + valueToStringGenerated(this.TerminationGracePeriodSeconds) + `,`,
+		`ActiveDeadlineSeconds:` + valueToStringGenerated(this.ActiveDeadlineSeconds) + `,`,
+		`DNSPolicy:` + fmt.Sprintf("%v", this.DNSPolicy) + `,`,
+		`NodeSelector:` + mapStringForNodeSelector + `,`,
+		`ServiceAccountName:` + fmt.Sprintf("%v", this.ServiceAccountName) + `,`,
+		`DeprecatedServiceAccount:` + fmt.Sprintf("%v", this.DeprecatedServiceAccount) + `,`,
+		`NodeName:` + fmt.Sprintf("%v", this.NodeName) + `,`,
+		`HostNetwork:` + fmt.Sprintf("%v", this.HostNetwork) + `,`,
+		`HostPID:` + fmt.Sprintf("%v", this.HostPID) + `,`,
+		`HostIPC:` + fmt.Sprintf("%v", this.HostIPC) + `,`,
+		`SecurityContext:` + strings.Replace(fmt.Sprintf("%v", this.SecurityContext), "PodSecurityContext", "PodSecurityContext", 1) + `,`,
+		`ImagePullSecrets:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ImagePullSecrets), "LocalObjectReference", "LocalObjectReference", 1), `&`, ``, 1) + `,`,
+		`Hostname:` + fmt.Sprintf("%v", this.Hostname) + `,`,
+		`Subdomain:` + fmt.Sprintf("%v", this.Subdomain) + `,`,
+		`Affinity:` + strings.Replace(fmt.Sprintf("%v", this.Affinity), "Affinity", "Affinity", 1) + `,`,
+		`SchedulerName:` + fmt.Sprintf("%v", this.SchedulerName) + `,`,
+		`InitContainers:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.InitContainers), "Container", "Container", 1), `&`, ``, 1) + `,`,
+		`AutomountServiceAccountToken:` + valueToStringGenerated(this.AutomountServiceAccountToken) + `,`,
+		`Tolerations:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Tolerations), "Toleration", "Toleration", 1), `&`, ``, 1) + `,`,
+		`HostAliases:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.HostAliases), "HostAlias", "HostAlias", 1), `&`, ``, 1) + `,`,
+		`PriorityClassName:` + fmt.Sprintf("%v", this.PriorityClassName) + `,`,
+		`Priority:` + valueToStringGenerated(this.Priority) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodStatus{`,
+		`Phase:` + fmt.Sprintf("%v", this.Phase) + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "PodCondition", "PodCondition", 1), `&`, ``, 1) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`HostIP:` + fmt.Sprintf("%v", this.HostIP) + `,`,
+		`PodIP:` + fmt.Sprintf("%v", this.PodIP) + `,`,
+		`StartTime:` + strings.Replace(fmt.Sprintf("%v", this.StartTime), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1) + `,`,
+		`ContainerStatuses:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ContainerStatuses), "ContainerStatus", "ContainerStatus", 1), `&`, ``, 1) + `,`,
+		`QOSClass:` + fmt.Sprintf("%v", this.QOSClass) + `,`,
+		`InitContainerStatuses:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.InitContainerStatuses), "ContainerStatus", "ContainerStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodStatusResult) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodStatusResult{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "PodStatus", "PodStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodTemplate) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodTemplate{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodTemplateList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodTemplateList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "PodTemplate", "PodTemplate", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodTemplateSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodTemplateSpec{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PodSpec", "PodSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PortworxVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PortworxVolumeSource{`,
+		`VolumeID:` + fmt.Sprintf("%v", this.VolumeID) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Preconditions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Preconditions{`,
+		`UID:` + valueToStringGenerated(this.UID) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PreferAvoidPodsEntry) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PreferAvoidPodsEntry{`,
+		`PodSignature:` + strings.Replace(strings.Replace(this.PodSignature.String(), "PodSignature", "PodSignature", 1), `&`, ``, 1) + `,`,
+		`EvictionTime:` + strings.Replace(strings.Replace(this.EvictionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PreferredSchedulingTerm) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PreferredSchedulingTerm{`,
+		`Weight:` + fmt.Sprintf("%v", this.Weight) + `,`,
+		`Preference:` + strings.Replace(strings.Replace(this.Preference.String(), "NodeSelectorTerm", "NodeSelectorTerm", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Probe) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Probe{`,
+		`Handler:` + strings.Replace(strings.Replace(this.Handler.String(), "Handler", "Handler", 1), `&`, ``, 1) + `,`,
+		`InitialDelaySeconds:` + fmt.Sprintf("%v", this.InitialDelaySeconds) + `,`,
+		`TimeoutSeconds:` + fmt.Sprintf("%v", this.TimeoutSeconds) + `,`,
+		`PeriodSeconds:` + fmt.Sprintf("%v", this.PeriodSeconds) + `,`,
+		`SuccessThreshold:` + fmt.Sprintf("%v", this.SuccessThreshold) + `,`,
+		`FailureThreshold:` + fmt.Sprintf("%v", this.FailureThreshold) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ProjectedVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ProjectedVolumeSource{`,
+		`Sources:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Sources), "VolumeProjection", "VolumeProjection", 1), `&`, ``, 1) + `,`,
+		`DefaultMode:` + valueToStringGenerated(this.DefaultMode) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *QuobyteVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&QuobyteVolumeSource{`,
+		`Registry:` + fmt.Sprintf("%v", this.Registry) + `,`,
+		`Volume:` + fmt.Sprintf("%v", this.Volume) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`User:` + fmt.Sprintf("%v", this.User) + `,`,
+		`Group:` + fmt.Sprintf("%v", this.Group) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RBDVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RBDVolumeSource{`,
+		`CephMonitors:` + fmt.Sprintf("%v", this.CephMonitors) + `,`,
+		`RBDImage:` + fmt.Sprintf("%v", this.RBDImage) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`RBDPool:` + fmt.Sprintf("%v", this.RBDPool) + `,`,
+		`RadosUser:` + fmt.Sprintf("%v", this.RadosUser) + `,`,
+		`Keyring:` + fmt.Sprintf("%v", this.Keyring) + `,`,
+		`SecretRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretRef), "LocalObjectReference", "LocalObjectReference", 1) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RangeAllocation) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RangeAllocation{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Range:` + fmt.Sprintf("%v", this.Range) + `,`,
+		`Data:` + valueToStringGenerated(this.Data) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicationController) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicationController{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ReplicationControllerSpec", "ReplicationControllerSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "ReplicationControllerStatus", "ReplicationControllerStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicationControllerCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicationControllerCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicationControllerList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicationControllerList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ReplicationController", "ReplicationController", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicationControllerSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForSelector := make([]string, 0, len(this.Selector))
+	for k := range this.Selector {
+		keysForSelector = append(keysForSelector, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	mapStringForSelector := "map[string]string{"
+	for _, k := range keysForSelector {
+		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
+	}
+	mapStringForSelector += "}"
+	s := strings.Join([]string{`&ReplicationControllerSpec{`,
+		`Replicas:` + valueToStringGenerated(this.Replicas) + `,`,
+		`Selector:` + mapStringForSelector + `,`,
+		`Template:` + strings.Replace(fmt.Sprintf("%v", this.Template), "PodTemplateSpec", "PodTemplateSpec", 1) + `,`,
+		`MinReadySeconds:` + fmt.Sprintf("%v", this.MinReadySeconds) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicationControllerStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicationControllerStatus{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`FullyLabeledReplicas:` + fmt.Sprintf("%v", this.FullyLabeledReplicas) + `,`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
+		`ReadyReplicas:` + fmt.Sprintf("%v", this.ReadyReplicas) + `,`,
+		`AvailableReplicas:` + fmt.Sprintf("%v", this.AvailableReplicas) + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "ReplicationControllerCondition", "ReplicationControllerCondition", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceFieldSelector) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceFieldSelector{`,
+		`ContainerName:` + fmt.Sprintf("%v", this.ContainerName) + `,`,
+		`Resource:` + fmt.Sprintf("%v", this.Resource) + `,`,
+		`Divisor:` + strings.Replace(strings.Replace(this.Divisor.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceQuota) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceQuota{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ResourceQuotaSpec", "ResourceQuotaSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "ResourceQuotaStatus", "ResourceQuotaStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceQuotaList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ResourceQuotaList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ResourceQuota", "ResourceQuota", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceQuotaSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForHard := make([]string, 0, len(this.Hard))
+	for k := range this.Hard {
+		keysForHard = append(keysForHard, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForHard)
+	mapStringForHard := "ResourceList{"
+	for _, k := range keysForHard {
+		mapStringForHard += fmt.Sprintf("%v: %v,", k, this.Hard[ResourceName(k)])
+	}
+	mapStringForHard += "}"
+	s := strings.Join([]string{`&ResourceQuotaSpec{`,
+		`Hard:` + mapStringForHard + `,`,
+		`Scopes:` + fmt.Sprintf("%v", this.Scopes) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceQuotaStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForHard := make([]string, 0, len(this.Hard))
+	for k := range this.Hard {
+		keysForHard = append(keysForHard, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForHard)
+	mapStringForHard := "ResourceList{"
+	for _, k := range keysForHard {
+		mapStringForHard += fmt.Sprintf("%v: %v,", k, this.Hard[ResourceName(k)])
+	}
+	mapStringForHard += "}"
+	keysForUsed := make([]string, 0, len(this.Used))
+	for k := range this.Used {
+		keysForUsed = append(keysForUsed, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForUsed)
+	mapStringForUsed := "ResourceList{"
+	for _, k := range keysForUsed {
+		mapStringForUsed += fmt.Sprintf("%v: %v,", k, this.Used[ResourceName(k)])
+	}
+	mapStringForUsed += "}"
+	s := strings.Join([]string{`&ResourceQuotaStatus{`,
+		`Hard:` + mapStringForHard + `,`,
+		`Used:` + mapStringForUsed + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ResourceRequirements) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForLimits := make([]string, 0, len(this.Limits))
+	for k := range this.Limits {
+		keysForLimits = append(keysForLimits, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForLimits)
+	mapStringForLimits := "ResourceList{"
+	for _, k := range keysForLimits {
+		mapStringForLimits += fmt.Sprintf("%v: %v,", k, this.Limits[ResourceName(k)])
+	}
+	mapStringForLimits += "}"
+	keysForRequests := make([]string, 0, len(this.Requests))
+	for k := range this.Requests {
+		keysForRequests = append(keysForRequests, string(k))
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForRequests)
+	mapStringForRequests := "ResourceList{"
+	for _, k := range keysForRequests {
+		mapStringForRequests += fmt.Sprintf("%v: %v,", k, this.Requests[ResourceName(k)])
+	}
+	mapStringForRequests += "}"
+	s := strings.Join([]string{`&ResourceRequirements{`,
+		`Limits:` + mapStringForLimits + `,`,
+		`Requests:` + mapStringForRequests + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SELinuxOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SELinuxOptions{`,
+		`User:` + fmt.Sprintf("%v", this.User) + `,`,
+		`Role:` + fmt.Sprintf("%v", this.Role) + `,`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Level:` + fmt.Sprintf("%v", this.Level) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ScaleIOPersistentVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ScaleIOPersistentVolumeSource{`,
+		`Gateway:` + fmt.Sprintf("%v", this.Gateway) + `,`,
+		`System:` + fmt.Sprintf("%v", this.System) + `,`,
+		`SecretRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretRef), "SecretReference", "SecretReference", 1) + `,`,
+		`SSLEnabled:` + fmt.Sprintf("%v", this.SSLEnabled) + `,`,
+		`ProtectionDomain:` + fmt.Sprintf("%v", this.ProtectionDomain) + `,`,
+		`StoragePool:` + fmt.Sprintf("%v", this.StoragePool) + `,`,
+		`StorageMode:` + fmt.Sprintf("%v", this.StorageMode) + `,`,
+		`VolumeName:` + fmt.Sprintf("%v", this.VolumeName) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ScaleIOVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ScaleIOVolumeSource{`,
+		`Gateway:` + fmt.Sprintf("%v", this.Gateway) + `,`,
+		`System:` + fmt.Sprintf("%v", this.System) + `,`,
+		`SecretRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretRef), "LocalObjectReference", "LocalObjectReference", 1) + `,`,
+		`SSLEnabled:` + fmt.Sprintf("%v", this.SSLEnabled) + `,`,
+		`ProtectionDomain:` + fmt.Sprintf("%v", this.ProtectionDomain) + `,`,
+		`StoragePool:` + fmt.Sprintf("%v", this.StoragePool) + `,`,
+		`StorageMode:` + fmt.Sprintf("%v", this.StorageMode) + `,`,
+		`VolumeName:` + fmt.Sprintf("%v", this.VolumeName) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Secret) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForData := make([]string, 0, len(this.Data))
+	for k := range this.Data {
+		keysForData = append(keysForData, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForData)
+	mapStringForData := "map[string][]byte{"
+	for _, k := range keysForData {
+		mapStringForData += fmt.Sprintf("%v: %v,", k, this.Data[k])
+	}
+	mapStringForData += "}"
+	keysForStringData := make([]string, 0, len(this.StringData))
+	for k := range this.StringData {
+		keysForStringData = append(keysForStringData, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForStringData)
+	mapStringForStringData := "map[string]string{"
+	for _, k := range keysForStringData {
+		mapStringForStringData += fmt.Sprintf("%v: %v,", k, this.StringData[k])
+	}
+	mapStringForStringData += "}"
+	s := strings.Join([]string{`&Secret{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Data:` + mapStringForData + `,`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`StringData:` + mapStringForStringData + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SecretEnvSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SecretEnvSource{`,
+		`LocalObjectReference:` + strings.Replace(strings.Replace(this.LocalObjectReference.String(), "LocalObjectReference", "LocalObjectReference", 1), `&`, ``, 1) + `,`,
+		`Optional:` + valueToStringGenerated(this.Optional) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SecretKeySelector) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SecretKeySelector{`,
+		`LocalObjectReference:` + strings.Replace(strings.Replace(this.LocalObjectReference.String(), "LocalObjectReference", "LocalObjectReference", 1), `&`, ``, 1) + `,`,
+		`Key:` + fmt.Sprintf("%v", this.Key) + `,`,
+		`Optional:` + valueToStringGenerated(this.Optional) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SecretList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SecretList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Secret", "Secret", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SecretProjection) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SecretProjection{`,
+		`LocalObjectReference:` + strings.Replace(strings.Replace(this.LocalObjectReference.String(), "LocalObjectReference", "LocalObjectReference", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "KeyToPath", "KeyToPath", 1), `&`, ``, 1) + `,`,
+		`Optional:` + valueToStringGenerated(this.Optional) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SecretReference) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SecretReference{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SecretVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SecretVolumeSource{`,
+		`SecretName:` + fmt.Sprintf("%v", this.SecretName) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "KeyToPath", "KeyToPath", 1), `&`, ``, 1) + `,`,
+		`DefaultMode:` + valueToStringGenerated(this.DefaultMode) + `,`,
+		`Optional:` + valueToStringGenerated(this.Optional) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SecurityContext) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SecurityContext{`,
+		`Capabilities:` + strings.Replace(fmt.Sprintf("%v", this.Capabilities), "Capabilities", "Capabilities", 1) + `,`,
+		`Privileged:` + valueToStringGenerated(this.Privileged) + `,`,
+		`SELinuxOptions:` + strings.Replace(fmt.Sprintf("%v", this.SELinuxOptions), "SELinuxOptions", "SELinuxOptions", 1) + `,`,
+		`RunAsUser:` + valueToStringGenerated(this.RunAsUser) + `,`,
+		`RunAsNonRoot:` + valueToStringGenerated(this.RunAsNonRoot) + `,`,
+		`ReadOnlyRootFilesystem:` + valueToStringGenerated(this.ReadOnlyRootFilesystem) + `,`,
+		`AllowPrivilegeEscalation:` + valueToStringGenerated(this.AllowPrivilegeEscalation) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SerializedReference) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SerializedReference{`,
+		`Reference:` + strings.Replace(strings.Replace(this.Reference.String(), "ObjectReference", "ObjectReference", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Service) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Service{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ServiceSpec", "ServiceSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "ServiceStatus", "ServiceStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ServiceAccount) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ServiceAccount{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Secrets:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Secrets), "ObjectReference", "ObjectReference", 1), `&`, ``, 1) + `,`,
+		`ImagePullSecrets:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ImagePullSecrets), "LocalObjectReference", "LocalObjectReference", 1), `&`, ``, 1) + `,`,
+		`AutomountServiceAccountToken:` + valueToStringGenerated(this.AutomountServiceAccountToken) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ServiceAccountList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ServiceAccountList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ServiceAccount", "ServiceAccount", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ServiceList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ServiceList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Service", "Service", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ServicePort) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ServicePort{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Protocol:` + fmt.Sprintf("%v", this.Protocol) + `,`,
+		`Port:` + fmt.Sprintf("%v", this.Port) + `,`,
+		`TargetPort:` + strings.Replace(strings.Replace(this.TargetPort.String(), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1), `&`, ``, 1) + `,`,
+		`NodePort:` + fmt.Sprintf("%v", this.NodePort) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ServiceProxyOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ServiceProxyOptions{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ServiceSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForSelector := make([]string, 0, len(this.Selector))
+	for k := range this.Selector {
+		keysForSelector = append(keysForSelector, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	mapStringForSelector := "map[string]string{"
+	for _, k := range keysForSelector {
+		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
+	}
+	mapStringForSelector += "}"
+	s := strings.Join([]string{`&ServiceSpec{`,
+		`Ports:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ports), "ServicePort", "ServicePort", 1), `&`, ``, 1) + `,`,
+		`Selector:` + mapStringForSelector + `,`,
+		`ClusterIP:` + fmt.Sprintf("%v", this.ClusterIP) + `,`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`ExternalIPs:` + fmt.Sprintf("%v", this.ExternalIPs) + `,`,
+		`SessionAffinity:` + fmt.Sprintf("%v", this.SessionAffinity) + `,`,
+		`LoadBalancerIP:` + fmt.Sprintf("%v", this.LoadBalancerIP) + `,`,
+		`LoadBalancerSourceRanges:` + fmt.Sprintf("%v", this.LoadBalancerSourceRanges) + `,`,
+		`ExternalName:` + fmt.Sprintf("%v", this.ExternalName) + `,`,
+		`ExternalTrafficPolicy:` + fmt.Sprintf("%v", this.ExternalTrafficPolicy) + `,`,
+		`HealthCheckNodePort:` + fmt.Sprintf("%v", this.HealthCheckNodePort) + `,`,
+		`PublishNotReadyAddresses:` + fmt.Sprintf("%v", this.PublishNotReadyAddresses) + `,`,
+		`SessionAffinityConfig:` + strings.Replace(fmt.Sprintf("%v", this.SessionAffinityConfig), "SessionAffinityConfig", "SessionAffinityConfig", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ServiceStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ServiceStatus{`,
+		`LoadBalancer:` + strings.Replace(strings.Replace(this.LoadBalancer.String(), "LoadBalancerStatus", "LoadBalancerStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SessionAffinityConfig) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SessionAffinityConfig{`,
+		`ClientIP:` + strings.Replace(fmt.Sprintf("%v", this.ClientIP), "ClientIPConfig", "ClientIPConfig", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StorageOSPersistentVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StorageOSPersistentVolumeSource{`,
+		`VolumeName:` + fmt.Sprintf("%v", this.VolumeName) + `,`,
+		`VolumeNamespace:` + fmt.Sprintf("%v", this.VolumeNamespace) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`SecretRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretRef), "ObjectReference", "ObjectReference", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StorageOSVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StorageOSVolumeSource{`,
+		`VolumeName:` + fmt.Sprintf("%v", this.VolumeName) + `,`,
+		`VolumeNamespace:` + fmt.Sprintf("%v", this.VolumeNamespace) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`SecretRef:` + strings.Replace(fmt.Sprintf("%v", this.SecretRef), "LocalObjectReference", "LocalObjectReference", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Sysctl) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Sysctl{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Value:` + fmt.Sprintf("%v", this.Value) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *TCPSocketAction) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TCPSocketAction{`,
+		`Port:` + strings.Replace(strings.Replace(this.Port.String(), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1), `&`, ``, 1) + `,`,
+		`Host:` + fmt.Sprintf("%v", this.Host) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Taint) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Taint{`,
+		`Key:` + fmt.Sprintf("%v", this.Key) + `,`,
+		`Value:` + fmt.Sprintf("%v", this.Value) + `,`,
+		`Effect:` + fmt.Sprintf("%v", this.Effect) + `,`,
+		`TimeAdded:` + strings.Replace(strings.Replace(this.TimeAdded.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Toleration) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Toleration{`,
+		`Key:` + fmt.Sprintf("%v", this.Key) + `,`,
+		`Operator:` + fmt.Sprintf("%v", this.Operator) + `,`,
+		`Value:` + fmt.Sprintf("%v", this.Value) + `,`,
+		`Effect:` + fmt.Sprintf("%v", this.Effect) + `,`,
+		`TolerationSeconds:` + valueToStringGenerated(this.TolerationSeconds) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Volume) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Volume{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`VolumeSource:` + strings.Replace(strings.Replace(this.VolumeSource.String(), "VolumeSource", "VolumeSource", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *VolumeMount) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&VolumeMount{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`ReadOnly:` + fmt.Sprintf("%v", this.ReadOnly) + `,`,
+		`MountPath:` + fmt.Sprintf("%v", this.MountPath) + `,`,
+		`SubPath:` + fmt.Sprintf("%v", this.SubPath) + `,`,
+		`MountPropagation:` + valueToStringGenerated(this.MountPropagation) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *VolumeProjection) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&VolumeProjection{`,
+		`Secret:` + strings.Replace(fmt.Sprintf("%v", this.Secret), "SecretProjection", "SecretProjection", 1) + `,`,
+		`DownwardAPI:` + strings.Replace(fmt.Sprintf("%v", this.DownwardAPI), "DownwardAPIProjection", "DownwardAPIProjection", 1) + `,`,
+		`ConfigMap:` + strings.Replace(fmt.Sprintf("%v", this.ConfigMap), "ConfigMapProjection", "ConfigMapProjection", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *VolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&VolumeSource{`,
+		`HostPath:` + strings.Replace(fmt.Sprintf("%v", this.HostPath), "HostPathVolumeSource", "HostPathVolumeSource", 1) + `,`,
+		`EmptyDir:` + strings.Replace(fmt.Sprintf("%v", this.EmptyDir), "EmptyDirVolumeSource", "EmptyDirVolumeSource", 1) + `,`,
+		`GCEPersistentDisk:` + strings.Replace(fmt.Sprintf("%v", this.GCEPersistentDisk), "GCEPersistentDiskVolumeSource", "GCEPersistentDiskVolumeSource", 1) + `,`,
+		`AWSElasticBlockStore:` + strings.Replace(fmt.Sprintf("%v", this.AWSElasticBlockStore), "AWSElasticBlockStoreVolumeSource", "AWSElasticBlockStoreVolumeSource", 1) + `,`,
+		`GitRepo:` + strings.Replace(fmt.Sprintf("%v", this.GitRepo), "GitRepoVolumeSource", "GitRepoVolumeSource", 1) + `,`,
+		`Secret:` + strings.Replace(fmt.Sprintf("%v", this.Secret), "SecretVolumeSource", "SecretVolumeSource", 1) + `,`,
+		`NFS:` + strings.Replace(fmt.Sprintf("%v", this.NFS), "NFSVolumeSource", "NFSVolumeSource", 1) + `,`,
+		`ISCSI:` + strings.Replace(fmt.Sprintf("%v", this.ISCSI), "ISCSIVolumeSource", "ISCSIVolumeSource", 1) + `,`,
+		`Glusterfs:` + strings.Replace(fmt.Sprintf("%v", this.Glusterfs), "GlusterfsVolumeSource", "GlusterfsVolumeSource", 1) + `,`,
+		`PersistentVolumeClaim:` + strings.Replace(fmt.Sprintf("%v", this.PersistentVolumeClaim), "PersistentVolumeClaimVolumeSource", "PersistentVolumeClaimVolumeSource", 1) + `,`,
+		`RBD:` + strings.Replace(fmt.Sprintf("%v", this.RBD), "RBDVolumeSource", "RBDVolumeSource", 1) + `,`,
+		`FlexVolume:` + strings.Replace(fmt.Sprintf("%v", this.FlexVolume), "FlexVolumeSource", "FlexVolumeSource", 1) + `,`,
+		`Cinder:` + strings.Replace(fmt.Sprintf("%v", this.Cinder), "CinderVolumeSource", "CinderVolumeSource", 1) + `,`,
+		`CephFS:` + strings.Replace(fmt.Sprintf("%v", this.CephFS), "CephFSVolumeSource", "CephFSVolumeSource", 1) + `,`,
+		`Flocker:` + strings.Replace(fmt.Sprintf("%v", this.Flocker), "FlockerVolumeSource", "FlockerVolumeSource", 1) + `,`,
+		`DownwardAPI:` + strings.Replace(fmt.Sprintf("%v", this.DownwardAPI), "DownwardAPIVolumeSource", "DownwardAPIVolumeSource", 1) + `,`,
+		`FC:` + strings.Replace(fmt.Sprintf("%v", this.FC), "FCVolumeSource", "FCVolumeSource", 1) + `,`,
+		`AzureFile:` + strings.Replace(fmt.Sprintf("%v", this.AzureFile), "AzureFileVolumeSource", "AzureFileVolumeSource", 1) + `,`,
+		`ConfigMap:` + strings.Replace(fmt.Sprintf("%v", this.ConfigMap), "ConfigMapVolumeSource", "ConfigMapVolumeSource", 1) + `,`,
+		`VsphereVolume:` + strings.Replace(fmt.Sprintf("%v", this.VsphereVolume), "VsphereVirtualDiskVolumeSource", "VsphereVirtualDiskVolumeSource", 1) + `,`,
+		`Quobyte:` + strings.Replace(fmt.Sprintf("%v", this.Quobyte), "QuobyteVolumeSource", "QuobyteVolumeSource", 1) + `,`,
+		`AzureDisk:` + strings.Replace(fmt.Sprintf("%v", this.AzureDisk), "AzureDiskVolumeSource", "AzureDiskVolumeSource", 1) + `,`,
+		`PhotonPersistentDisk:` + strings.Replace(fmt.Sprintf("%v", this.PhotonPersistentDisk), "PhotonPersistentDiskVolumeSource", "PhotonPersistentDiskVolumeSource", 1) + `,`,
+		`PortworxVolume:` + strings.Replace(fmt.Sprintf("%v", this.PortworxVolume), "PortworxVolumeSource", "PortworxVolumeSource", 1) + `,`,
+		`ScaleIO:` + strings.Replace(fmt.Sprintf("%v", this.ScaleIO), "ScaleIOVolumeSource", "ScaleIOVolumeSource", 1) + `,`,
+		`Projected:` + strings.Replace(fmt.Sprintf("%v", this.Projected), "ProjectedVolumeSource", "ProjectedVolumeSource", 1) + `,`,
+		`StorageOS:` + strings.Replace(fmt.Sprintf("%v", this.StorageOS), "StorageOSVolumeSource", "StorageOSVolumeSource", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *VsphereVirtualDiskVolumeSource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&VsphereVirtualDiskVolumeSource{`,
+		`VolumePath:` + fmt.Sprintf("%v", this.VolumePath) + `,`,
+		`FSType:` + fmt.Sprintf("%v", this.FSType) + `,`,
+		`StoragePolicyName:` + fmt.Sprintf("%v", this.StoragePolicyName) + `,`,
+		`StoragePolicyID:` + fmt.Sprintf("%v", this.StoragePolicyID) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *WeightedPodAffinityTerm) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&WeightedPodAffinityTerm{`,
+		`Weight:` + fmt.Sprintf("%v", this.Weight) + `,`,
+		`PodAffinityTerm:` + strings.Replace(strings.Replace(this.PodAffinityTerm.String(), "PodAffinityTerm", "PodAffinityTerm", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *AWSElasticBlockStoreVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AWSElasticBlockStoreVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AWSElasticBlockStoreVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Partition", wireType)
+			}
+			m.Partition = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Partition |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Affinity) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Affinity: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Affinity: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NodeAffinity", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.NodeAffinity == nil {
+				m.NodeAffinity = &NodeAffinity{}
+			}
+			if err := m.NodeAffinity.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodAffinity", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PodAffinity == nil {
+				m.PodAffinity = &PodAffinity{}
+			}
+			if err := m.PodAffinity.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodAntiAffinity", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PodAntiAffinity == nil {
+				m.PodAntiAffinity = &PodAntiAffinity{}
+			}
+			if err := m.PodAntiAffinity.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *AttachedVolume) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AttachedVolume: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AttachedVolume: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = UniqueVolumeName(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DevicePath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DevicePath = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *AvoidPods) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AvoidPods: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AvoidPods: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PreferAvoidPods", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PreferAvoidPods = append(m.PreferAvoidPods, PreferAvoidPodsEntry{})
+			if err := m.PreferAvoidPods[len(m.PreferAvoidPods)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *AzureDiskVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AzureDiskVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AzureDiskVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DiskName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DiskName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DataDiskURI", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DataDiskURI = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CachingMode", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := AzureDataDiskCachingMode(dAtA[iNdEx:postIndex])
+			m.CachingMode = &s
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.FSType = &s
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.ReadOnly = &b
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := AzureDataDiskKind(dAtA[iNdEx:postIndex])
+			m.Kind = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *AzureFilePersistentVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AzureFilePersistentVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AzureFilePersistentVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SecretName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ShareName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ShareName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretNamespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.SecretNamespace = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *AzureFileVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AzureFileVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AzureFileVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SecretName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ShareName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ShareName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Binding) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Binding: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Binding: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Target", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Target.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Capabilities) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Capabilities: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Capabilities: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Add", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Add = append(m.Add, Capability(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Drop", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Drop = append(m.Drop, Capability(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CephFSPersistentVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CephFSPersistentVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CephFSPersistentVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Monitors", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Monitors = append(m.Monitors, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field User", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.User = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretFile", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SecretFile = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretRef == nil {
+				m.SecretRef = &SecretReference{}
+			}
+			if err := m.SecretRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CephFSVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CephFSVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CephFSVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Monitors", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Monitors = append(m.Monitors, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field User", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.User = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretFile", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SecretFile = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretRef == nil {
+				m.SecretRef = &LocalObjectReference{}
+			}
+			if err := m.SecretRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CinderVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CinderVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CinderVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClientIPConfig) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClientIPConfig: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClientIPConfig: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TimeoutSeconds", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TimeoutSeconds = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ComponentCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ComponentCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ComponentCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = ComponentConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Error = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ComponentStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ComponentStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ComponentStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, ComponentCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ComponentStatusList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ComponentStatusList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ComponentStatusList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ComponentStatus{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ConfigMap) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ConfigMap: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ConfigMap: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Data == nil {
+				m.Data = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Data[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Data[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ConfigMapEnvSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ConfigMapEnvSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ConfigMapEnvSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LocalObjectReference", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LocalObjectReference.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Optional", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Optional = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ConfigMapKeySelector) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ConfigMapKeySelector: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ConfigMapKeySelector: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LocalObjectReference", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LocalObjectReference.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Optional", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Optional = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ConfigMapList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ConfigMapList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ConfigMapList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ConfigMap{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ConfigMapProjection) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ConfigMapProjection: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ConfigMapProjection: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LocalObjectReference", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LocalObjectReference.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, KeyToPath{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Optional", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Optional = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ConfigMapVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ConfigMapVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ConfigMapVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LocalObjectReference", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LocalObjectReference.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, KeyToPath{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DefaultMode", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.DefaultMode = &v
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Optional", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Optional = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Container) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Container: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Container: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Image", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Image = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Command", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Command = append(m.Command, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Args", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Args = append(m.Args, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field WorkingDir", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.WorkingDir = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ports = append(m.Ports, ContainerPort{})
+			if err := m.Ports[len(m.Ports)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Env", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Env = append(m.Env, EnvVar{})
+			if err := m.Env[len(m.Env)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Resources.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeMounts", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeMounts = append(m.VolumeMounts, VolumeMount{})
+			if err := m.VolumeMounts[len(m.VolumeMounts)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LivenessProbe", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.LivenessProbe == nil {
+				m.LivenessProbe = &Probe{}
+			}
+			if err := m.LivenessProbe.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadinessProbe", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ReadinessProbe == nil {
+				m.ReadinessProbe = &Probe{}
+			}
+			if err := m.ReadinessProbe.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 12:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Lifecycle", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Lifecycle == nil {
+				m.Lifecycle = &Lifecycle{}
+			}
+			if err := m.Lifecycle.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 13:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TerminationMessagePath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TerminationMessagePath = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 14:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ImagePullPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ImagePullPolicy = PullPolicy(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 15:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecurityContext", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecurityContext == nil {
+				m.SecurityContext = &SecurityContext{}
+			}
+			if err := m.SecurityContext.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 16:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stdin", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Stdin = bool(v != 0)
+		case 17:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StdinOnce", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.StdinOnce = bool(v != 0)
+		case 18:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TTY", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TTY = bool(v != 0)
+		case 19:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EnvFrom", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.EnvFrom = append(m.EnvFrom, EnvFromSource{})
+			if err := m.EnvFrom[len(m.EnvFrom)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 20:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TerminationMessagePolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TerminationMessagePolicy = TerminationMessagePolicy(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ContainerImage) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ContainerImage: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ContainerImage: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Names", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Names = append(m.Names, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SizeBytes", wireType)
+			}
+			m.SizeBytes = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.SizeBytes |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ContainerPort) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ContainerPort: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ContainerPort: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostPort", wireType)
+			}
+			m.HostPort = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.HostPort |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ContainerPort", wireType)
+			}
+			m.ContainerPort = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ContainerPort |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Protocol", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Protocol = Protocol(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostIP", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.HostIP = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ContainerState) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ContainerState: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ContainerState: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Waiting", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Waiting == nil {
+				m.Waiting = &ContainerStateWaiting{}
+			}
+			if err := m.Waiting.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Running", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Running == nil {
+				m.Running = &ContainerStateRunning{}
+			}
+			if err := m.Running.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Terminated", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Terminated == nil {
+				m.Terminated = &ContainerStateTerminated{}
+			}
+			if err := m.Terminated.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ContainerStateRunning) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ContainerStateRunning: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ContainerStateRunning: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StartedAt", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.StartedAt.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ContainerStateTerminated) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ContainerStateTerminated: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ContainerStateTerminated: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExitCode", wireType)
+			}
+			m.ExitCode = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ExitCode |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Signal", wireType)
+			}
+			m.Signal = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Signal |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StartedAt", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.StartedAt.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FinishedAt", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.FinishedAt.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ContainerID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ContainerID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ContainerStateWaiting) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ContainerStateWaiting: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ContainerStateWaiting: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ContainerStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ContainerStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ContainerStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field State", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.State.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTerminationState", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTerminationState.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ready", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Ready = bool(v != 0)
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RestartCount", wireType)
+			}
+			m.RestartCount = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.RestartCount |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Image", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Image = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ImageID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ImageID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ContainerID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ContainerID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonEndpoint) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonEndpoint: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonEndpoint: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Port", wireType)
+			}
+			m.Port = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Port |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeleteOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeleteOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeleteOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GracePeriodSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.GracePeriodSeconds = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Preconditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Preconditions == nil {
+				m.Preconditions = &Preconditions{}
+			}
+			if err := m.Preconditions.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OrphanDependents", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.OrphanDependents = &b
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PropagationPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := DeletionPropagation(dAtA[iNdEx:postIndex])
+			m.PropagationPolicy = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DownwardAPIProjection) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DownwardAPIProjection: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DownwardAPIProjection: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, DownwardAPIVolumeFile{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DownwardAPIVolumeFile) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DownwardAPIVolumeFile: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DownwardAPIVolumeFile: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FieldRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.FieldRef == nil {
+				m.FieldRef = &ObjectFieldSelector{}
+			}
+			if err := m.FieldRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceFieldRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ResourceFieldRef == nil {
+				m.ResourceFieldRef = &ResourceFieldSelector{}
+			}
+			if err := m.ResourceFieldRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Mode", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Mode = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DownwardAPIVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DownwardAPIVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DownwardAPIVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, DownwardAPIVolumeFile{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DefaultMode", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.DefaultMode = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EmptyDirVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EmptyDirVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EmptyDirVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Medium", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Medium = StorageMedium(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SizeLimit", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SizeLimit == nil {
+				m.SizeLimit = &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+			}
+			if err := m.SizeLimit.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EndpointAddress) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EndpointAddress: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EndpointAddress: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IP", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.IP = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.TargetRef == nil {
+				m.TargetRef = &ObjectReference{}
+			}
+			if err := m.TargetRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Hostname", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Hostname = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NodeName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.NodeName = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EndpointPort) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EndpointPort: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EndpointPort: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Port", wireType)
+			}
+			m.Port = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Port |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Protocol", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Protocol = Protocol(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EndpointSubset) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EndpointSubset: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EndpointSubset: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Addresses", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Addresses = append(m.Addresses, EndpointAddress{})
+			if err := m.Addresses[len(m.Addresses)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NotReadyAddresses", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NotReadyAddresses = append(m.NotReadyAddresses, EndpointAddress{})
+			if err := m.NotReadyAddresses[len(m.NotReadyAddresses)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ports = append(m.Ports, EndpointPort{})
+			if err := m.Ports[len(m.Ports)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Endpoints) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Endpoints: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Endpoints: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subsets", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subsets = append(m.Subsets, EndpointSubset{})
+			if err := m.Subsets[len(m.Subsets)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EndpointsList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EndpointsList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EndpointsList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Endpoints{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EnvFromSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EnvFromSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EnvFromSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Prefix", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Prefix = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConfigMapRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ConfigMapRef == nil {
+				m.ConfigMapRef = &ConfigMapEnvSource{}
+			}
+			if err := m.ConfigMapRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretRef == nil {
+				m.SecretRef = &SecretEnvSource{}
+			}
+			if err := m.SecretRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EnvVar) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EnvVar: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EnvVar: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ValueFrom", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ValueFrom == nil {
+				m.ValueFrom = &EnvVarSource{}
+			}
+			if err := m.ValueFrom.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EnvVarSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EnvVarSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EnvVarSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FieldRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.FieldRef == nil {
+				m.FieldRef = &ObjectFieldSelector{}
+			}
+			if err := m.FieldRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceFieldRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ResourceFieldRef == nil {
+				m.ResourceFieldRef = &ResourceFieldSelector{}
+			}
+			if err := m.ResourceFieldRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConfigMapKeyRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ConfigMapKeyRef == nil {
+				m.ConfigMapKeyRef = &ConfigMapKeySelector{}
+			}
+			if err := m.ConfigMapKeyRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretKeyRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretKeyRef == nil {
+				m.SecretKeyRef = &SecretKeySelector{}
+			}
+			if err := m.SecretKeyRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Event) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Event: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Event: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field InvolvedObject", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.InvolvedObject.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Source", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Source.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FirstTimestamp", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.FirstTimestamp.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTimestamp", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTimestamp.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Count", wireType)
+			}
+			m.Count = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Count |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EventList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EventList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EventList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Event{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *EventSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: EventSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: EventSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Component", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Component = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Host = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ExecAction) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExecAction: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExecAction: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Command", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Command = append(m.Command, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *FCVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: FCVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: FCVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetWWNs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TargetWWNs = append(m.TargetWWNs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Lun", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Lun = &v
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field WWIDs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.WWIDs = append(m.WWIDs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *FlexVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: FlexVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: FlexVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Driver", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Driver = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretRef == nil {
+				m.SecretRef = &LocalObjectReference{}
+			}
+			if err := m.SecretRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Options", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Options == nil {
+				m.Options = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Options[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Options[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *FlockerVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: FlockerVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: FlockerVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DatasetName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DatasetName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DatasetUUID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DatasetUUID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GCEPersistentDiskVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GCEPersistentDiskVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GCEPersistentDiskVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PDName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PDName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Partition", wireType)
+			}
+			m.Partition = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Partition |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GitRepoVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GitRepoVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GitRepoVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Repository", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Repository = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Revision", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Revision = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Directory", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Directory = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GlusterfsVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GlusterfsVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GlusterfsVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EndpointsName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.EndpointsName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HTTPGetAction) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HTTPGetAction: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HTTPGetAction: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Port", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Port.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Host = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Scheme", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Scheme = URIScheme(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HTTPHeaders", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.HTTPHeaders = append(m.HTTPHeaders, HTTPHeader{})
+			if err := m.HTTPHeaders[len(m.HTTPHeaders)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HTTPHeader) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HTTPHeader: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HTTPHeader: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Handler) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Handler: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Handler: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Exec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Exec == nil {
+				m.Exec = &ExecAction{}
+			}
+			if err := m.Exec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HTTPGet", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.HTTPGet == nil {
+				m.HTTPGet = &HTTPGetAction{}
+			}
+			if err := m.HTTPGet.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TCPSocket", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.TCPSocket == nil {
+				m.TCPSocket = &TCPSocketAction{}
+			}
+			if err := m.TCPSocket.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HostAlias) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HostAlias: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HostAlias: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IP", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.IP = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Hostnames", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Hostnames = append(m.Hostnames, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HostPathVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HostPathVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HostPathVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := HostPathType(dAtA[iNdEx:postIndex])
+			m.Type = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ISCSIVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ISCSIVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ISCSIVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetPortal", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TargetPortal = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IQN", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.IQN = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Lun", wireType)
+			}
+			m.Lun = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Lun |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ISCSIInterface", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ISCSIInterface = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Portals", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Portals = append(m.Portals, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DiscoveryCHAPAuth", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.DiscoveryCHAPAuth = bool(v != 0)
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretRef == nil {
+				m.SecretRef = &LocalObjectReference{}
+			}
+			if err := m.SecretRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 11:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SessionCHAPAuth", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.SessionCHAPAuth = bool(v != 0)
+		case 12:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field InitiatorName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.InitiatorName = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *KeyToPath) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: KeyToPath: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: KeyToPath: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Mode", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Mode = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Lifecycle) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Lifecycle: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Lifecycle: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PostStart", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PostStart == nil {
+				m.PostStart = &Handler{}
+			}
+			if err := m.PostStart.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PreStop", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PreStop == nil {
+				m.PreStop = &Handler{}
+			}
+			if err := m.PreStop.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LimitRange) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LimitRange: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LimitRange: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LimitRangeItem) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LimitRangeItem: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LimitRangeItem: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = LimitType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Max", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Max == nil {
+				m.Max = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Max[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Max[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Min", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Min == nil {
+				m.Min = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Min[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Min[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Default", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Default == nil {
+				m.Default = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Default[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Default[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DefaultRequest", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.DefaultRequest == nil {
+				m.DefaultRequest = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.DefaultRequest[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.DefaultRequest[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxLimitRequestRatio", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.MaxLimitRequestRatio == nil {
+				m.MaxLimitRequestRatio = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.MaxLimitRequestRatio[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.MaxLimitRequestRatio[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LimitRangeList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LimitRangeList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LimitRangeList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, LimitRange{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LimitRangeSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LimitRangeSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LimitRangeSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Limits", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Limits = append(m.Limits, LimitRangeItem{})
+			if err := m.Limits[len(m.Limits)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *List) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: List: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: List: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, k8s_io_apimachinery_pkg_runtime.RawExtension{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ListOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ListOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ListOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LabelSelector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.LabelSelector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FieldSelector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FieldSelector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Watch", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Watch = bool(v != 0)
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TimeoutSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TimeoutSeconds = &v
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IncludeUninitialized", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.IncludeUninitialized = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LoadBalancerIngress) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LoadBalancerIngress: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LoadBalancerIngress: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IP", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.IP = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Hostname", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Hostname = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LoadBalancerStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LoadBalancerStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LoadBalancerStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ingress", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ingress = append(m.Ingress, LoadBalancerIngress{})
+			if err := m.Ingress[len(m.Ingress)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LocalObjectReference) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LocalObjectReference: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LocalObjectReference: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LocalVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LocalVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LocalVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NFSVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NFSVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NFSVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Server", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Server = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Namespace) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Namespace: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Namespace: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NamespaceList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NamespaceList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NamespaceList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Namespace{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NamespaceSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NamespaceSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NamespaceSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Finalizers", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Finalizers = append(m.Finalizers, FinalizerName(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NamespaceStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NamespaceStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NamespaceStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Phase", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Phase = NamespacePhase(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Node) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Node: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Node: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeAddress) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeAddress: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeAddress: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = NodeAddressType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Address", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Address = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeAffinity) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeAffinity: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeAffinity: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RequiredDuringSchedulingIgnoredDuringExecution", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RequiredDuringSchedulingIgnoredDuringExecution == nil {
+				m.RequiredDuringSchedulingIgnoredDuringExecution = &NodeSelector{}
+			}
+			if err := m.RequiredDuringSchedulingIgnoredDuringExecution.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PreferredDuringSchedulingIgnoredDuringExecution", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PreferredDuringSchedulingIgnoredDuringExecution = append(m.PreferredDuringSchedulingIgnoredDuringExecution, PreferredSchedulingTerm{})
+			if err := m.PreferredDuringSchedulingIgnoredDuringExecution[len(m.PreferredDuringSchedulingIgnoredDuringExecution)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = NodeConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastHeartbeatTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastHeartbeatTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeConfigSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeConfigSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeConfigSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConfigMapRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ConfigMapRef == nil {
+				m.ConfigMapRef = &ObjectReference{}
+			}
+			if err := m.ConfigMapRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeDaemonEndpoints) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeDaemonEndpoints: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeDaemonEndpoints: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field KubeletEndpoint", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.KubeletEndpoint.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Node{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeProxyOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeProxyOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeProxyOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeResources) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeResources: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeResources: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Capacity", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Capacity == nil {
+				m.Capacity = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Capacity[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Capacity[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeSelector) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeSelector: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeSelector: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NodeSelectorTerms", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NodeSelectorTerms = append(m.NodeSelectorTerms, NodeSelectorTerm{})
+			if err := m.NodeSelectorTerms[len(m.NodeSelectorTerms)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeSelectorRequirement) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeSelectorRequirement: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeSelectorRequirement: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Operator", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Operator = NodeSelectorOperator(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Values", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Values = append(m.Values, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeSelectorTerm) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeSelectorTerm: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeSelectorTerm: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MatchExpressions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MatchExpressions = append(m.MatchExpressions, NodeSelectorRequirement{})
+			if err := m.MatchExpressions[len(m.MatchExpressions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodCIDR", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PodCIDR = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExternalID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExternalID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ProviderID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ProviderID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Unschedulable", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Unschedulable = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Taints", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Taints = append(m.Taints, Taint{})
+			if err := m.Taints[len(m.Taints)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConfigSource", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ConfigSource == nil {
+				m.ConfigSource = &NodeConfigSource{}
+			}
+			if err := m.ConfigSource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Capacity", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Capacity == nil {
+				m.Capacity = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Capacity[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Capacity[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Allocatable", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Allocatable == nil {
+				m.Allocatable = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Allocatable[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Allocatable[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Phase", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Phase = NodePhase(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, NodeCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Addresses", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Addresses = append(m.Addresses, NodeAddress{})
+			if err := m.Addresses[len(m.Addresses)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DaemonEndpoints", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.DaemonEndpoints.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NodeInfo", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.NodeInfo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Images", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Images = append(m.Images, ContainerImage{})
+			if err := m.Images[len(m.Images)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumesInUse", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumesInUse = append(m.VolumesInUse, UniqueVolumeName(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumesAttached", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumesAttached = append(m.VolumesAttached, AttachedVolume{})
+			if err := m.VolumesAttached[len(m.VolumesAttached)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NodeSystemInfo) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NodeSystemInfo: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NodeSystemInfo: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MachineID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MachineID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SystemUUID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SystemUUID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field BootID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.BootID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field KernelVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.KernelVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OSImage", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OSImage = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ContainerRuntimeVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ContainerRuntimeVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field KubeletVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.KubeletVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field KubeProxyVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.KubeProxyVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OperatingSystem", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OperatingSystem = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Architecture", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Architecture = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ObjectFieldSelector) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ObjectFieldSelector: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ObjectFieldSelector: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FieldPath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FieldPath = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ObjectMeta) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ObjectMeta: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ObjectMeta: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GenerateName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.GenerateName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SelfLink", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SelfLink = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Generation", wireType)
+			}
+			m.Generation = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Generation |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CreationTimestamp", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.CreationTimestamp.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DeletionTimestamp", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.DeletionTimestamp == nil {
+				m.DeletionTimestamp = &k8s_io_apimachinery_pkg_apis_meta_v1.Time{}
+			}
+			if err := m.DeletionTimestamp.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 10:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DeletionGracePeriodSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.DeletionGracePeriodSeconds = &v
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Labels", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Labels == nil {
+				m.Labels = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Labels[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Labels[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 12:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Annotations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Annotations == nil {
+				m.Annotations = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Annotations[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Annotations[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 13:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OwnerReferences", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OwnerReferences = append(m.OwnerReferences, k8s_io_apimachinery_pkg_apis_meta_v1.OwnerReference{})
+			if err := m.OwnerReferences[len(m.OwnerReferences)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 14:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Finalizers", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Finalizers = append(m.Finalizers, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 15:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ClusterName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ClusterName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 16:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Initializers", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Initializers == nil {
+				m.Initializers = &k8s_io_apimachinery_pkg_apis_meta_v1.Initializers{}
+			}
+			if err := m.Initializers.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ObjectReference) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ObjectReference: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ObjectReference: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FieldPath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FieldPath = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolume) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolume: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolume: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolumeClaim) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolumeClaim: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolumeClaim: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolumeClaimCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolumeClaimCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolumeClaimCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = PersistentVolumeClaimConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastProbeTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastProbeTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolumeClaimList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolumeClaimList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolumeClaimList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, PersistentVolumeClaim{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolumeClaimSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolumeClaimSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolumeClaimSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AccessModes", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.AccessModes = append(m.AccessModes, PersistentVolumeAccessMode(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Resources.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StorageClassName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.StorageClassName = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolumeClaimStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolumeClaimStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolumeClaimStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Phase", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Phase = PersistentVolumeClaimPhase(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AccessModes", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.AccessModes = append(m.AccessModes, PersistentVolumeAccessMode(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Capacity", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Capacity == nil {
+				m.Capacity = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Capacity[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Capacity[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, PersistentVolumeClaimCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolumeClaimVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolumeClaimVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolumeClaimVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ClaimName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ClaimName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolumeList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolumeList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolumeList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, PersistentVolume{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GCEPersistentDisk", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.GCEPersistentDisk == nil {
+				m.GCEPersistentDisk = &GCEPersistentDiskVolumeSource{}
+			}
+			if err := m.GCEPersistentDisk.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AWSElasticBlockStore", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.AWSElasticBlockStore == nil {
+				m.AWSElasticBlockStore = &AWSElasticBlockStoreVolumeSource{}
+			}
+			if err := m.AWSElasticBlockStore.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostPath", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.HostPath == nil {
+				m.HostPath = &HostPathVolumeSource{}
+			}
+			if err := m.HostPath.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Glusterfs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Glusterfs == nil {
+				m.Glusterfs = &GlusterfsVolumeSource{}
+			}
+			if err := m.Glusterfs.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NFS", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.NFS == nil {
+				m.NFS = &NFSVolumeSource{}
+			}
+			if err := m.NFS.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RBD", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RBD == nil {
+				m.RBD = &RBDVolumeSource{}
+			}
+			if err := m.RBD.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ISCSI", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ISCSI == nil {
+				m.ISCSI = &ISCSIVolumeSource{}
+			}
+			if err := m.ISCSI.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Cinder", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Cinder == nil {
+				m.Cinder = &CinderVolumeSource{}
+			}
+			if err := m.Cinder.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CephFS", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.CephFS == nil {
+				m.CephFS = &CephFSPersistentVolumeSource{}
+			}
+			if err := m.CephFS.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FC", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.FC == nil {
+				m.FC = &FCVolumeSource{}
+			}
+			if err := m.FC.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Flocker", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Flocker == nil {
+				m.Flocker = &FlockerVolumeSource{}
+			}
+			if err := m.Flocker.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 12:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FlexVolume", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.FlexVolume == nil {
+				m.FlexVolume = &FlexVolumeSource{}
+			}
+			if err := m.FlexVolume.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 13:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AzureFile", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.AzureFile == nil {
+				m.AzureFile = &AzureFilePersistentVolumeSource{}
+			}
+			if err := m.AzureFile.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 14:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VsphereVolume", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.VsphereVolume == nil {
+				m.VsphereVolume = &VsphereVirtualDiskVolumeSource{}
+			}
+			if err := m.VsphereVolume.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 15:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Quobyte", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Quobyte == nil {
+				m.Quobyte = &QuobyteVolumeSource{}
+			}
+			if err := m.Quobyte.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 16:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AzureDisk", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.AzureDisk == nil {
+				m.AzureDisk = &AzureDiskVolumeSource{}
+			}
+			if err := m.AzureDisk.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 17:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PhotonPersistentDisk", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PhotonPersistentDisk == nil {
+				m.PhotonPersistentDisk = &PhotonPersistentDiskVolumeSource{}
+			}
+			if err := m.PhotonPersistentDisk.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 18:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PortworxVolume", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PortworxVolume == nil {
+				m.PortworxVolume = &PortworxVolumeSource{}
+			}
+			if err := m.PortworxVolume.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 19:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ScaleIO", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ScaleIO == nil {
+				m.ScaleIO = &ScaleIOPersistentVolumeSource{}
+			}
+			if err := m.ScaleIO.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 20:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Local", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Local == nil {
+				m.Local = &LocalVolumeSource{}
+			}
+			if err := m.Local.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 21:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StorageOS", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.StorageOS == nil {
+				m.StorageOS = &StorageOSPersistentVolumeSource{}
+			}
+			if err := m.StorageOS.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolumeSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolumeSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolumeSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Capacity", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Capacity == nil {
+				m.Capacity = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Capacity[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Capacity[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PersistentVolumeSource", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.PersistentVolumeSource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AccessModes", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.AccessModes = append(m.AccessModes, PersistentVolumeAccessMode(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ClaimRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ClaimRef == nil {
+				m.ClaimRef = &ObjectReference{}
+			}
+			if err := m.ClaimRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PersistentVolumeReclaimPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PersistentVolumeReclaimPolicy = PersistentVolumeReclaimPolicy(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StorageClassName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.StorageClassName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MountOptions", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MountOptions = append(m.MountOptions, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PersistentVolumeStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PersistentVolumeStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PersistentVolumeStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Phase", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Phase = PersistentVolumePhase(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PhotonPersistentDiskVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PhotonPersistentDiskVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PhotonPersistentDiskVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PdID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PdID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Pod) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Pod: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Pod: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodAffinity) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodAffinity: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodAffinity: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RequiredDuringSchedulingIgnoredDuringExecution", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.RequiredDuringSchedulingIgnoredDuringExecution = append(m.RequiredDuringSchedulingIgnoredDuringExecution, PodAffinityTerm{})
+			if err := m.RequiredDuringSchedulingIgnoredDuringExecution[len(m.RequiredDuringSchedulingIgnoredDuringExecution)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PreferredDuringSchedulingIgnoredDuringExecution", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PreferredDuringSchedulingIgnoredDuringExecution = append(m.PreferredDuringSchedulingIgnoredDuringExecution, WeightedPodAffinityTerm{})
+			if err := m.PreferredDuringSchedulingIgnoredDuringExecution[len(m.PreferredDuringSchedulingIgnoredDuringExecution)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodAffinityTerm) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodAffinityTerm: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodAffinityTerm: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LabelSelector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.LabelSelector == nil {
+				m.LabelSelector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.LabelSelector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespaces", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespaces = append(m.Namespaces, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TopologyKey", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TopologyKey = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodAntiAffinity) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodAntiAffinity: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodAntiAffinity: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RequiredDuringSchedulingIgnoredDuringExecution", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.RequiredDuringSchedulingIgnoredDuringExecution = append(m.RequiredDuringSchedulingIgnoredDuringExecution, PodAffinityTerm{})
+			if err := m.RequiredDuringSchedulingIgnoredDuringExecution[len(m.RequiredDuringSchedulingIgnoredDuringExecution)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PreferredDuringSchedulingIgnoredDuringExecution", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PreferredDuringSchedulingIgnoredDuringExecution = append(m.PreferredDuringSchedulingIgnoredDuringExecution, WeightedPodAffinityTerm{})
+			if err := m.PreferredDuringSchedulingIgnoredDuringExecution[len(m.PreferredDuringSchedulingIgnoredDuringExecution)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodAttachOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodAttachOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodAttachOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stdin", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Stdin = bool(v != 0)
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stdout", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Stdout = bool(v != 0)
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stderr", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Stderr = bool(v != 0)
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TTY", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TTY = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Container", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Container = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = PodConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastProbeTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastProbeTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodExecOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodExecOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodExecOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stdin", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Stdin = bool(v != 0)
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stdout", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Stdout = bool(v != 0)
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stderr", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Stderr = bool(v != 0)
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TTY", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TTY = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Container", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Container = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Command", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Command = append(m.Command, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Pod{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodLogOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodLogOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodLogOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Container", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Container = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Follow", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Follow = bool(v != 0)
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Previous", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Previous = bool(v != 0)
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SinceSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.SinceSeconds = &v
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SinceTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SinceTime == nil {
+				m.SinceTime = &k8s_io_apimachinery_pkg_apis_meta_v1.Time{}
+			}
+			if err := m.SinceTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Timestamps", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Timestamps = bool(v != 0)
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TailLines", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TailLines = &v
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LimitBytes", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.LimitBytes = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodPortForwardOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodPortForwardOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodPortForwardOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType == 0 {
+				var v int32
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					v |= (int32(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				m.Ports = append(m.Ports, v)
+			} else if wireType == 2 {
+				var packedLen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					packedLen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if packedLen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postIndex := iNdEx + packedLen
+				if postIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				for iNdEx < postIndex {
+					var v int32
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGenerated
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						v |= (int32(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					m.Ports = append(m.Ports, v)
+				}
+			} else {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodProxyOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodProxyOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodProxyOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodSecurityContext) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodSecurityContext: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodSecurityContext: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SELinuxOptions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SELinuxOptions == nil {
+				m.SELinuxOptions = &SELinuxOptions{}
+			}
+			if err := m.SELinuxOptions.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RunAsUser", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.RunAsUser = &v
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RunAsNonRoot", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.RunAsNonRoot = &b
+		case 4:
+			if wireType == 0 {
+				var v int64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					v |= (int64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				m.SupplementalGroups = append(m.SupplementalGroups, v)
+			} else if wireType == 2 {
+				var packedLen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					packedLen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if packedLen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postIndex := iNdEx + packedLen
+				if postIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				for iNdEx < postIndex {
+					var v int64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGenerated
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						v |= (int64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					m.SupplementalGroups = append(m.SupplementalGroups, v)
+				}
+			} else {
+				return fmt.Errorf("proto: wrong wireType = %d for field SupplementalGroups", wireType)
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSGroup", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.FSGroup = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodSignature) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodSignature: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodSignature: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodController", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PodController == nil {
+				m.PodController = &k8s_io_apimachinery_pkg_apis_meta_v1.OwnerReference{}
+			}
+			if err := m.PodController.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Volumes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Volumes = append(m.Volumes, Volume{})
+			if err := m.Volumes[len(m.Volumes)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Containers", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Containers = append(m.Containers, Container{})
+			if err := m.Containers[len(m.Containers)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RestartPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.RestartPolicy = RestartPolicy(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TerminationGracePeriodSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TerminationGracePeriodSeconds = &v
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ActiveDeadlineSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ActiveDeadlineSeconds = &v
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DNSPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DNSPolicy = DNSPolicy(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NodeSelector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.NodeSelector == nil {
+				m.NodeSelector = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.NodeSelector[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.NodeSelector[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServiceAccountName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ServiceAccountName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DeprecatedServiceAccount", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DeprecatedServiceAccount = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NodeName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NodeName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 11:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostNetwork", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.HostNetwork = bool(v != 0)
+		case 12:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostPID", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.HostPID = bool(v != 0)
+		case 13:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostIPC", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.HostIPC = bool(v != 0)
+		case 14:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecurityContext", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecurityContext == nil {
+				m.SecurityContext = &PodSecurityContext{}
+			}
+			if err := m.SecurityContext.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 15:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ImagePullSecrets", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ImagePullSecrets = append(m.ImagePullSecrets, LocalObjectReference{})
+			if err := m.ImagePullSecrets[len(m.ImagePullSecrets)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 16:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Hostname", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Hostname = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 17:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subdomain", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subdomain = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 18:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Affinity", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Affinity == nil {
+				m.Affinity = &Affinity{}
+			}
+			if err := m.Affinity.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 19:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SchedulerName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SchedulerName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 20:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field InitContainers", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.InitContainers = append(m.InitContainers, Container{})
+			if err := m.InitContainers[len(m.InitContainers)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 21:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AutomountServiceAccountToken", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.AutomountServiceAccountToken = &b
+		case 22:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Tolerations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Tolerations = append(m.Tolerations, Toleration{})
+			if err := m.Tolerations[len(m.Tolerations)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 23:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostAliases", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.HostAliases = append(m.HostAliases, HostAlias{})
+			if err := m.HostAliases[len(m.HostAliases)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 24:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PriorityClassName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PriorityClassName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 25:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Priority", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Priority = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Phase", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Phase = PodPhase(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, PodCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostIP", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.HostIP = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodIP", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PodIP = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StartTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.StartTime == nil {
+				m.StartTime = &k8s_io_apimachinery_pkg_apis_meta_v1.Time{}
+			}
+			if err := m.StartTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ContainerStatuses", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ContainerStatuses = append(m.ContainerStatuses, ContainerStatus{})
+			if err := m.ContainerStatuses[len(m.ContainerStatuses)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field QOSClass", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.QOSClass = PodQOSClass(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field InitContainerStatuses", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.InitContainerStatuses = append(m.InitContainerStatuses, ContainerStatus{})
+			if err := m.InitContainerStatuses[len(m.InitContainerStatuses)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodStatusResult) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodStatusResult: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodStatusResult: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodTemplate) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodTemplate: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodTemplate: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodTemplateList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodTemplateList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodTemplateList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, PodTemplate{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodTemplateSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodTemplateSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodTemplateSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PortworxVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PortworxVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PortworxVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Preconditions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Preconditions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Preconditions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
+			m.UID = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PreferAvoidPodsEntry) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PreferAvoidPodsEntry: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PreferAvoidPodsEntry: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodSignature", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.PodSignature.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EvictionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.EvictionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PreferredSchedulingTerm) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PreferredSchedulingTerm: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PreferredSchedulingTerm: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Weight", wireType)
+			}
+			m.Weight = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Weight |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Preference", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Preference.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Probe) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Probe: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Probe: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Handler", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Handler.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field InitialDelaySeconds", wireType)
+			}
+			m.InitialDelaySeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.InitialDelaySeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TimeoutSeconds", wireType)
+			}
+			m.TimeoutSeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.TimeoutSeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PeriodSeconds", wireType)
+			}
+			m.PeriodSeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.PeriodSeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SuccessThreshold", wireType)
+			}
+			m.SuccessThreshold = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.SuccessThreshold |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FailureThreshold", wireType)
+			}
+			m.FailureThreshold = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.FailureThreshold |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ProjectedVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ProjectedVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ProjectedVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Sources", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Sources = append(m.Sources, VolumeProjection{})
+			if err := m.Sources[len(m.Sources)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DefaultMode", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.DefaultMode = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *QuobyteVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: QuobyteVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: QuobyteVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Registry", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Registry = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Volume", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Volume = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field User", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.User = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Group = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RBDVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RBDVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RBDVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CephMonitors", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.CephMonitors = append(m.CephMonitors, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RBDImage", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.RBDImage = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RBDPool", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.RBDPool = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RadosUser", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.RadosUser = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Keyring", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Keyring = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretRef == nil {
+				m.SecretRef = &LocalObjectReference{}
+			}
+			if err := m.SecretRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RangeAllocation) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RangeAllocation: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RangeAllocation: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Range", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Range = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicationController) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicationController: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicationController: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicationControllerCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicationControllerCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicationControllerCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = ReplicationControllerConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicationControllerList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicationControllerList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicationControllerList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ReplicationController{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicationControllerSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicationControllerSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicationControllerSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Replicas = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Selector == nil {
+				m.Selector = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Selector[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Selector[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Template == nil {
+				m.Template = &PodTemplateSpec{}
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinReadySeconds", wireType)
+			}
+			m.MinReadySeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MinReadySeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicationControllerStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicationControllerStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicationControllerStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FullyLabeledReplicas", wireType)
+			}
+			m.FullyLabeledReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.FullyLabeledReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadyReplicas", wireType)
+			}
+			m.ReadyReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ReadyReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AvailableReplicas", wireType)
+			}
+			m.AvailableReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.AvailableReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, ReplicationControllerCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceFieldSelector) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceFieldSelector: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceFieldSelector: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ContainerName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ContainerName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resource = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Divisor", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Divisor.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceQuota) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceQuota: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceQuota: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceQuotaList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceQuotaList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceQuotaList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ResourceQuota{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceQuotaSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceQuotaSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceQuotaSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Hard", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Hard == nil {
+				m.Hard = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Hard[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Hard[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Scopes", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Scopes = append(m.Scopes, ResourceQuotaScope(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceQuotaStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceQuotaStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceQuotaStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Hard", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Hard == nil {
+				m.Hard = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Hard[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Hard[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Used", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Used == nil {
+				m.Used = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Used[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Used[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResourceRequirements) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResourceRequirements: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResourceRequirements: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Limits", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Limits == nil {
+				m.Limits = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Limits[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Limits[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Requests", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := ResourceName(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Requests == nil {
+				m.Requests = make(ResourceList)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_api_resource.Quantity{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.Requests[ResourceName(mapkey)] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_api_resource.Quantity
+				m.Requests[ResourceName(mapkey)] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SELinuxOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SELinuxOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SELinuxOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field User", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.User = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Role", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Role = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Level", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Level = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ScaleIOPersistentVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ScaleIOPersistentVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ScaleIOPersistentVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Gateway", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Gateway = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field System", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.System = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretRef == nil {
+				m.SecretRef = &SecretReference{}
+			}
+			if err := m.SecretRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SSLEnabled", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.SSLEnabled = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ProtectionDomain", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ProtectionDomain = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StoragePool", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.StoragePool = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StorageMode", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.StorageMode = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 10:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ScaleIOVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ScaleIOVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ScaleIOVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Gateway", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Gateway = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field System", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.System = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretRef == nil {
+				m.SecretRef = &LocalObjectReference{}
+			}
+			if err := m.SecretRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SSLEnabled", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.SSLEnabled = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ProtectionDomain", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ProtectionDomain = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StoragePool", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.StoragePool = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StorageMode", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.StorageMode = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 10:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Secret) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Secret: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Secret: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Data == nil {
+				m.Data = make(map[string][]byte)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapbyteLen uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapbyteLen |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intMapbyteLen := int(mapbyteLen)
+				if intMapbyteLen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postbytesIndex := iNdEx + intMapbyteLen
+				if postbytesIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := make([]byte, mapbyteLen)
+				copy(mapvalue, dAtA[iNdEx:postbytesIndex])
+				iNdEx = postbytesIndex
+				m.Data[mapkey] = mapvalue
+			} else {
+				var mapvalue []byte
+				m.Data[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = SecretType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StringData", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.StringData == nil {
+				m.StringData = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.StringData[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.StringData[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SecretEnvSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SecretEnvSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SecretEnvSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LocalObjectReference", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LocalObjectReference.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Optional", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Optional = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SecretKeySelector) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SecretKeySelector: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SecretKeySelector: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LocalObjectReference", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LocalObjectReference.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Optional", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Optional = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SecretList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SecretList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SecretList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Secret{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SecretProjection) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SecretProjection: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SecretProjection: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LocalObjectReference", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LocalObjectReference.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, KeyToPath{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Optional", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Optional = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SecretReference) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SecretReference: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SecretReference: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SecretVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SecretVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SecretVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SecretName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, KeyToPath{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DefaultMode", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.DefaultMode = &v
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Optional", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Optional = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SecurityContext) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SecurityContext: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SecurityContext: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Capabilities", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Capabilities == nil {
+				m.Capabilities = &Capabilities{}
+			}
+			if err := m.Capabilities.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Privileged", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Privileged = &b
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SELinuxOptions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SELinuxOptions == nil {
+				m.SELinuxOptions = &SELinuxOptions{}
+			}
+			if err := m.SELinuxOptions.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RunAsUser", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.RunAsUser = &v
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RunAsNonRoot", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.RunAsNonRoot = &b
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnlyRootFilesystem", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.ReadOnlyRootFilesystem = &b
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllowPrivilegeEscalation", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.AllowPrivilegeEscalation = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SerializedReference) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SerializedReference: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SerializedReference: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reference", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Reference.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Service) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Service: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Service: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ServiceAccount) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServiceAccount: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServiceAccount: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Secrets", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Secrets = append(m.Secrets, ObjectReference{})
+			if err := m.Secrets[len(m.Secrets)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ImagePullSecrets", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ImagePullSecrets = append(m.ImagePullSecrets, LocalObjectReference{})
+			if err := m.ImagePullSecrets[len(m.ImagePullSecrets)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AutomountServiceAccountToken", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.AutomountServiceAccountToken = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ServiceAccountList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServiceAccountList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServiceAccountList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ServiceAccount{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ServiceList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServiceList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServiceList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Service{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ServicePort) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServicePort: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServicePort: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Protocol", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Protocol = Protocol(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Port", wireType)
+			}
+			m.Port = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Port |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetPort", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.TargetPort.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NodePort", wireType)
+			}
+			m.NodePort = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.NodePort |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ServiceProxyOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServiceProxyOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServiceProxyOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ServiceSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServiceSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServiceSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ports = append(m.Ports, ServicePort{})
+			if err := m.Ports[len(m.Ports)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Selector == nil {
+				m.Selector = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Selector[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Selector[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ClusterIP", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ClusterIP = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = ServiceType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExternalIPs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExternalIPs = append(m.ExternalIPs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SessionAffinity", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SessionAffinity = ServiceAffinity(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LoadBalancerIP", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.LoadBalancerIP = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LoadBalancerSourceRanges", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.LoadBalancerSourceRanges = append(m.LoadBalancerSourceRanges, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExternalName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExternalName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExternalTrafficPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExternalTrafficPolicy = ServiceExternalTrafficPolicyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 12:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HealthCheckNodePort", wireType)
+			}
+			m.HealthCheckNodePort = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.HealthCheckNodePort |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 13:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PublishNotReadyAddresses", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.PublishNotReadyAddresses = bool(v != 0)
+		case 14:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SessionAffinityConfig", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SessionAffinityConfig == nil {
+				m.SessionAffinityConfig = &SessionAffinityConfig{}
+			}
+			if err := m.SessionAffinityConfig.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ServiceStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServiceStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServiceStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LoadBalancer", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LoadBalancer.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SessionAffinityConfig) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SessionAffinityConfig: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SessionAffinityConfig: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ClientIP", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ClientIP == nil {
+				m.ClientIP = &ClientIPConfig{}
+			}
+			if err := m.ClientIP.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StorageOSPersistentVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StorageOSPersistentVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StorageOSPersistentVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeNamespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeNamespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretRef == nil {
+				m.SecretRef = &ObjectReference{}
+			}
+			if err := m.SecretRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StorageOSVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StorageOSVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StorageOSVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeNamespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeNamespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SecretRef == nil {
+				m.SecretRef = &LocalObjectReference{}
+			}
+			if err := m.SecretRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Sysctl) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Sysctl: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Sysctl: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TCPSocketAction) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TCPSocketAction: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TCPSocketAction: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Port", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Port.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Host = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Taint) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Taint: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Taint: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Effect", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Effect = TaintEffect(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TimeAdded", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.TimeAdded.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Toleration) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Toleration: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Toleration: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Operator", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Operator = TolerationOperator(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Effect", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Effect = TaintEffect(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TolerationSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TolerationSeconds = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Volume) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Volume: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Volume: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeSource", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.VolumeSource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *VolumeMount) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: VolumeMount: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: VolumeMount: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnly = bool(v != 0)
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MountPath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MountPath = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SubPath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SubPath = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MountPropagation", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := MountPropagationMode(dAtA[iNdEx:postIndex])
+			m.MountPropagation = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *VolumeProjection) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: VolumeProjection: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: VolumeProjection: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Secret", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Secret == nil {
+				m.Secret = &SecretProjection{}
+			}
+			if err := m.Secret.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DownwardAPI", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.DownwardAPI == nil {
+				m.DownwardAPI = &DownwardAPIProjection{}
+			}
+			if err := m.DownwardAPI.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConfigMap", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ConfigMap == nil {
+				m.ConfigMap = &ConfigMapProjection{}
+			}
+			if err := m.ConfigMap.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *VolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: VolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: VolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostPath", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.HostPath == nil {
+				m.HostPath = &HostPathVolumeSource{}
+			}
+			if err := m.HostPath.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EmptyDir", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.EmptyDir == nil {
+				m.EmptyDir = &EmptyDirVolumeSource{}
+			}
+			if err := m.EmptyDir.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GCEPersistentDisk", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.GCEPersistentDisk == nil {
+				m.GCEPersistentDisk = &GCEPersistentDiskVolumeSource{}
+			}
+			if err := m.GCEPersistentDisk.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AWSElasticBlockStore", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.AWSElasticBlockStore == nil {
+				m.AWSElasticBlockStore = &AWSElasticBlockStoreVolumeSource{}
+			}
+			if err := m.AWSElasticBlockStore.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GitRepo", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.GitRepo == nil {
+				m.GitRepo = &GitRepoVolumeSource{}
+			}
+			if err := m.GitRepo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Secret", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Secret == nil {
+				m.Secret = &SecretVolumeSource{}
+			}
+			if err := m.Secret.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NFS", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.NFS == nil {
+				m.NFS = &NFSVolumeSource{}
+			}
+			if err := m.NFS.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ISCSI", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ISCSI == nil {
+				m.ISCSI = &ISCSIVolumeSource{}
+			}
+			if err := m.ISCSI.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Glusterfs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Glusterfs == nil {
+				m.Glusterfs = &GlusterfsVolumeSource{}
+			}
+			if err := m.Glusterfs.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PersistentVolumeClaim", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PersistentVolumeClaim == nil {
+				m.PersistentVolumeClaim = &PersistentVolumeClaimVolumeSource{}
+			}
+			if err := m.PersistentVolumeClaim.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RBD", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RBD == nil {
+				m.RBD = &RBDVolumeSource{}
+			}
+			if err := m.RBD.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 12:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FlexVolume", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.FlexVolume == nil {
+				m.FlexVolume = &FlexVolumeSource{}
+			}
+			if err := m.FlexVolume.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 13:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Cinder", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Cinder == nil {
+				m.Cinder = &CinderVolumeSource{}
+			}
+			if err := m.Cinder.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 14:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CephFS", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.CephFS == nil {
+				m.CephFS = &CephFSVolumeSource{}
+			}
+			if err := m.CephFS.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 15:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Flocker", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Flocker == nil {
+				m.Flocker = &FlockerVolumeSource{}
+			}
+			if err := m.Flocker.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 16:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DownwardAPI", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.DownwardAPI == nil {
+				m.DownwardAPI = &DownwardAPIVolumeSource{}
+			}
+			if err := m.DownwardAPI.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 17:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FC", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.FC == nil {
+				m.FC = &FCVolumeSource{}
+			}
+			if err := m.FC.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 18:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AzureFile", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.AzureFile == nil {
+				m.AzureFile = &AzureFileVolumeSource{}
+			}
+			if err := m.AzureFile.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 19:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ConfigMap", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ConfigMap == nil {
+				m.ConfigMap = &ConfigMapVolumeSource{}
+			}
+			if err := m.ConfigMap.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 20:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VsphereVolume", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.VsphereVolume == nil {
+				m.VsphereVolume = &VsphereVirtualDiskVolumeSource{}
+			}
+			if err := m.VsphereVolume.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 21:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Quobyte", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Quobyte == nil {
+				m.Quobyte = &QuobyteVolumeSource{}
+			}
+			if err := m.Quobyte.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 22:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AzureDisk", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.AzureDisk == nil {
+				m.AzureDisk = &AzureDiskVolumeSource{}
+			}
+			if err := m.AzureDisk.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 23:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PhotonPersistentDisk", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PhotonPersistentDisk == nil {
+				m.PhotonPersistentDisk = &PhotonPersistentDiskVolumeSource{}
+			}
+			if err := m.PhotonPersistentDisk.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 24:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PortworxVolume", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PortworxVolume == nil {
+				m.PortworxVolume = &PortworxVolumeSource{}
+			}
+			if err := m.PortworxVolume.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 25:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ScaleIO", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ScaleIO == nil {
+				m.ScaleIO = &ScaleIOVolumeSource{}
+			}
+			if err := m.ScaleIO.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 26:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Projected", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Projected == nil {
+				m.Projected = &ProjectedVolumeSource{}
+			}
+			if err := m.Projected.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 27:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StorageOS", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.StorageOS == nil {
+				m.StorageOS = &StorageOSVolumeSource{}
+			}
+			if err := m.StorageOS.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *VsphereVirtualDiskVolumeSource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: VsphereVirtualDiskVolumeSource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: VsphereVirtualDiskVolumeSource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumePath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumePath = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FSType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StoragePolicyName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.StoragePolicyName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StoragePolicyID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.StoragePolicyID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *WeightedPodAffinityTerm) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: WeightedPodAffinityTerm: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: WeightedPodAffinityTerm: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Weight", wireType)
+			}
+			m.Weight = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Weight |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodAffinityTerm", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.PodAffinityTerm.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/core/v1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 11869 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x7d, 0x6d, 0x70, 0x24, 0xc7,
+	0x75, 0x98, 0x66, 0x17, 0x5f, 0xfb, 0xf0, 0xdd, 0x87, 0x23, 0x97, 0x20, 0xef, 0x70, 0x1c, 0x4a,
+	0xe4, 0xf1, 0x0b, 0x10, 0x8f, 0xa4, 0x48, 0x8b, 0x14, 0x6d, 0x00, 0x0b, 0xdc, 0x81, 0x77, 0xb8,
+	0x5b, 0xf6, 0xe2, 0x8e, 0x22, 0x45, 0x33, 0x1a, 0xec, 0x34, 0x80, 0x21, 0x06, 0x33, 0xcb, 0x99,
+	0x59, 0xdc, 0x81, 0x65, 0x57, 0x25, 0x8a, 0xac, 0x7c, 0xc8, 0x3f, 0x5c, 0x89, 0x2a, 0x71, 0x2c,
+	0x95, 0x53, 0x95, 0x8f, 0xb2, 0x15, 0x27, 0xa9, 0x38, 0x72, 0x64, 0x47, 0x72, 0x2a, 0x8e, 0xf3,
+	0x51, 0xf2, 0x1f, 0xc5, 0xce, 0x1f, 0xa9, 0x2a, 0x15, 0xd8, 0x3a, 0xa5, 0x92, 0xca, 0x8f, 0xa4,
+	0x92, 0xe8, 0x97, 0x11, 0x27, 0x4a, 0xf5, 0xe7, 0x74, 0xcf, 0xce, 0xec, 0x2e, 0x8e, 0x77, 0x20,
+	0xa5, 0xd2, 0xbf, 0xdd, 0xf7, 0x5e, 0xbf, 0xee, 0xe9, 0x8f, 0xd7, 0xaf, 0x5f, 0xbf, 0xf7, 0x1a,
+	0x5e, 0xda, 0x7d, 0x31, 0x9e, 0xf7, 0xc2, 0x85, 0xdd, 0xf6, 0x26, 0x89, 0x02, 0x92, 0x90, 0x78,
+	0x61, 0x9f, 0x04, 0x6e, 0x18, 0x2d, 0x08, 0x84, 0xd3, 0xf2, 0x16, 0x9a, 0x61, 0x44, 0x16, 0xf6,
+	0x9f, 0x59, 0xd8, 0x26, 0x01, 0x89, 0x9c, 0x84, 0xb8, 0xf3, 0xad, 0x28, 0x4c, 0x42, 0x84, 0x38,
+	0xcd, 0xbc, 0xd3, 0xf2, 0xe6, 0x29, 0xcd, 0xfc, 0xfe, 0x33, 0xb3, 0x4f, 0x6f, 0x7b, 0xc9, 0x4e,
+	0x7b, 0x73, 0xbe, 0x19, 0xee, 0x2d, 0x6c, 0x87, 0xdb, 0xe1, 0x02, 0x23, 0xdd, 0x6c, 0x6f, 0xb1,
+	0x7f, 0xec, 0x0f, 0xfb, 0xc5, 0x59, 0xcc, 0xae, 0xa7, 0xd5, 0x90, 0x5b, 0x09, 0x09, 0x62, 0x2f,
+	0x0c, 0xe2, 0xa7, 0x9d, 0x96, 0x17, 0x93, 0x68, 0x9f, 0x44, 0x0b, 0xad, 0xdd, 0x6d, 0x8a, 0x8b,
+	0x4d, 0x82, 0x85, 0xfd, 0x67, 0x36, 0x49, 0xe2, 0x74, 0xb4, 0x68, 0xf6, 0xb9, 0x94, 0xdd, 0x9e,
+	0xd3, 0xdc, 0xf1, 0x02, 0x12, 0x1d, 0x48, 0x1e, 0x0b, 0x11, 0x89, 0xc3, 0x76, 0xd4, 0x24, 0xc7,
+	0x2a, 0x15, 0x2f, 0xec, 0x91, 0xc4, 0xc9, 0xf9, 0xfa, 0xd9, 0x85, 0xa2, 0x52, 0x51, 0x3b, 0x48,
+	0xbc, 0xbd, 0xce, 0x6a, 0x3e, 0xd1, 0xab, 0x40, 0xdc, 0xdc, 0x21, 0x7b, 0x4e, 0x47, 0xb9, 0x67,
+	0x8b, 0xca, 0xb5, 0x13, 0xcf, 0x5f, 0xf0, 0x82, 0x24, 0x4e, 0xa2, 0x6c, 0x21, 0xfb, 0x3b, 0x16,
+	0x9c, 0x5b, 0x7c, 0xbd, 0xb1, 0xe2, 0x3b, 0x71, 0xe2, 0x35, 0x97, 0xfc, 0xb0, 0xb9, 0xdb, 0x48,
+	0xc2, 0x88, 0xdc, 0x08, 0xfd, 0xf6, 0x1e, 0x69, 0xb0, 0x8e, 0x40, 0x4f, 0xc1, 0xc8, 0x3e, 0xfb,
+	0xbf, 0x56, 0xab, 0x5a, 0xe7, 0xac, 0xf3, 0x95, 0xa5, 0xa9, 0x6f, 0x1d, 0xce, 0x7d, 0xe4, 0xf6,
+	0xe1, 0xdc, 0xc8, 0x0d, 0x01, 0xc7, 0x8a, 0x02, 0x3d, 0x0a, 0x43, 0x5b, 0xf1, 0xc6, 0x41, 0x8b,
+	0x54, 0x4b, 0x8c, 0x76, 0x42, 0xd0, 0x0e, 0xad, 0x36, 0x28, 0x14, 0x0b, 0x2c, 0x5a, 0x80, 0x4a,
+	0xcb, 0x89, 0x12, 0x2f, 0xf1, 0xc2, 0xa0, 0x5a, 0x3e, 0x67, 0x9d, 0x1f, 0x5c, 0x9a, 0x16, 0xa4,
+	0x95, 0xba, 0x44, 0xe0, 0x94, 0x86, 0x36, 0x23, 0x22, 0x8e, 0x7b, 0x2d, 0xf0, 0x0f, 0xaa, 0x03,
+	0xe7, 0xac, 0xf3, 0x23, 0x69, 0x33, 0xb0, 0x80, 0x63, 0x45, 0x61, 0xff, 0x4a, 0x09, 0x46, 0x16,
+	0xb7, 0xb6, 0xbc, 0xc0, 0x4b, 0x0e, 0xd0, 0x0d, 0x18, 0x0b, 0x42, 0x97, 0xc8, 0xff, 0xec, 0x2b,
+	0x46, 0x2f, 0x9c, 0x9b, 0xef, 0x9c, 0x99, 0xf3, 0x57, 0x35, 0xba, 0xa5, 0xa9, 0xdb, 0x87, 0x73,
+	0x63, 0x3a, 0x04, 0x1b, 0x7c, 0x10, 0x86, 0xd1, 0x56, 0xe8, 0x2a, 0xb6, 0x25, 0xc6, 0x76, 0x2e,
+	0x8f, 0x6d, 0x3d, 0x25, 0x5b, 0x9a, 0xbc, 0x7d, 0x38, 0x37, 0xaa, 0x01, 0xb0, 0xce, 0x04, 0x6d,
+	0xc2, 0x24, 0xfd, 0x1b, 0x24, 0x9e, 0xe2, 0x5b, 0x66, 0x7c, 0x1f, 0x29, 0xe2, 0xab, 0x91, 0x2e,
+	0x9d, 0xba, 0x7d, 0x38, 0x37, 0x99, 0x01, 0xe2, 0x2c, 0x43, 0xfb, 0x3d, 0x98, 0x58, 0x4c, 0x12,
+	0xa7, 0xb9, 0x43, 0x5c, 0x3e, 0x82, 0xe8, 0x39, 0x18, 0x08, 0x9c, 0x3d, 0x22, 0xc6, 0xf7, 0x9c,
+	0xe8, 0xd8, 0x81, 0xab, 0xce, 0x1e, 0x39, 0x3a, 0x9c, 0x9b, 0xba, 0x1e, 0x78, 0xef, 0xb6, 0xc5,
+	0xac, 0xa0, 0x30, 0xcc, 0xa8, 0xd1, 0x05, 0x00, 0x97, 0xec, 0x7b, 0x4d, 0x52, 0x77, 0x92, 0x1d,
+	0x31, 0xde, 0x48, 0x94, 0x85, 0x9a, 0xc2, 0x60, 0x8d, 0xca, 0xbe, 0x05, 0x95, 0xc5, 0xfd, 0xd0,
+	0x73, 0xeb, 0xa1, 0x1b, 0xa3, 0x5d, 0x98, 0x6c, 0x45, 0x64, 0x8b, 0x44, 0x0a, 0x54, 0xb5, 0xce,
+	0x95, 0xcf, 0x8f, 0x5e, 0x38, 0x9f, 0xfb, 0xb1, 0x26, 0xe9, 0x4a, 0x90, 0x44, 0x07, 0x4b, 0xf7,
+	0x8b, 0xfa, 0x26, 0x33, 0x58, 0x9c, 0xe5, 0x6c, 0xff, 0x9b, 0x12, 0x9c, 0x5e, 0x7c, 0xaf, 0x1d,
+	0x91, 0x9a, 0x17, 0xef, 0x66, 0x67, 0xb8, 0xeb, 0xc5, 0xbb, 0x57, 0xd3, 0x1e, 0x50, 0x53, 0xab,
+	0x26, 0xe0, 0x58, 0x51, 0xa0, 0xa7, 0x61, 0x98, 0xfe, 0xbe, 0x8e, 0xd7, 0xc4, 0x27, 0x9f, 0x12,
+	0xc4, 0xa3, 0x35, 0x27, 0x71, 0x6a, 0x1c, 0x85, 0x25, 0x0d, 0x5a, 0x87, 0xd1, 0x26, 0x5b, 0x90,
+	0xdb, 0xeb, 0xa1, 0x4b, 0xd8, 0x60, 0x56, 0x96, 0x9e, 0xa4, 0xe4, 0xcb, 0x29, 0xf8, 0xe8, 0x70,
+	0xae, 0xca, 0xdb, 0x26, 0x58, 0x68, 0x38, 0xac, 0x97, 0x47, 0xb6, 0x5a, 0x5f, 0x03, 0x8c, 0x13,
+	0xe4, 0xac, 0xad, 0xf3, 0xda, 0x52, 0x19, 0x64, 0x4b, 0x65, 0x2c, 0x7f, 0x99, 0xa0, 0x67, 0x60,
+	0x60, 0xd7, 0x0b, 0xdc, 0xea, 0x10, 0xe3, 0x75, 0x86, 0x8e, 0xf9, 0x65, 0x2f, 0x70, 0x8f, 0x0e,
+	0xe7, 0xa6, 0x8d, 0xe6, 0x50, 0x20, 0x66, 0xa4, 0xf6, 0x0f, 0x2c, 0x98, 0x63, 0xb8, 0x55, 0xcf,
+	0x27, 0x75, 0x12, 0xc5, 0x5e, 0x9c, 0x90, 0x20, 0x31, 0x3a, 0xf4, 0x02, 0x40, 0x4c, 0x9a, 0x11,
+	0x49, 0xb4, 0x2e, 0x55, 0x13, 0xa3, 0xa1, 0x30, 0x58, 0xa3, 0xa2, 0x02, 0x21, 0xde, 0x71, 0x22,
+	0x36, 0xbf, 0x44, 0xc7, 0x2a, 0x81, 0xd0, 0x90, 0x08, 0x9c, 0xd2, 0x18, 0x02, 0xa1, 0xdc, 0x4b,
+	0x20, 0xa0, 0x4f, 0xc1, 0x64, 0x5a, 0x59, 0xdc, 0x72, 0x9a, 0xb2, 0x03, 0xd9, 0x92, 0x69, 0x98,
+	0x28, 0x9c, 0xa5, 0xb5, 0xff, 0x81, 0x25, 0x26, 0x0f, 0xfd, 0xea, 0x0f, 0xf9, 0xb7, 0xda, 0xbf,
+	0x63, 0xc1, 0xf0, 0x92, 0x17, 0xb8, 0x5e, 0xb0, 0x8d, 0x3e, 0x0b, 0x23, 0x74, 0x6f, 0x72, 0x9d,
+	0xc4, 0x11, 0x72, 0xef, 0xe3, 0xda, 0xda, 0x52, 0x5b, 0xc5, 0x7c, 0x6b, 0x77, 0x9b, 0x02, 0xe2,
+	0x79, 0x4a, 0x4d, 0x57, 0xdb, 0xb5, 0xcd, 0x77, 0x48, 0x33, 0x59, 0x27, 0x89, 0x93, 0x7e, 0x4e,
+	0x0a, 0xc3, 0x8a, 0x2b, 0xba, 0x0c, 0x43, 0x89, 0x13, 0x6d, 0x93, 0x44, 0x08, 0xc0, 0x5c, 0x41,
+	0xc5, 0x4b, 0x62, 0xba, 0x22, 0x49, 0xd0, 0x24, 0xe9, 0xb6, 0xb0, 0xc1, 0x8a, 0x62, 0xc1, 0xc2,
+	0x6e, 0xc2, 0xd8, 0xb2, 0xd3, 0x72, 0x36, 0x3d, 0xdf, 0x4b, 0x3c, 0x12, 0xa3, 0xc7, 0xa0, 0xec,
+	0xb8, 0x2e, 0x93, 0x0a, 0x95, 0xa5, 0xd3, 0xb7, 0x0f, 0xe7, 0xca, 0x8b, 0x2e, 0x9d, 0x9e, 0xa0,
+	0xa8, 0x0e, 0x30, 0xa5, 0x40, 0x4f, 0xc0, 0x80, 0x1b, 0x85, 0xad, 0x6a, 0x89, 0x51, 0xde, 0x47,
+	0x67, 0x72, 0x2d, 0x0a, 0x5b, 0x19, 0x52, 0x46, 0x63, 0xff, 0x5e, 0x09, 0x1e, 0x5a, 0x26, 0xad,
+	0x9d, 0xd5, 0x46, 0xc1, 0xfc, 0x3d, 0x0f, 0x23, 0x7b, 0x61, 0xe0, 0x25, 0x61, 0x14, 0x8b, 0xaa,
+	0xd9, 0x02, 0x5a, 0x17, 0x30, 0xac, 0xb0, 0xe8, 0x1c, 0x0c, 0xb4, 0x52, 0xe1, 0x37, 0x26, 0x05,
+	0x27, 0x13, 0x7b, 0x0c, 0x43, 0x29, 0xda, 0x31, 0x89, 0xc4, 0xc2, 0x57, 0x14, 0xd7, 0x63, 0x12,
+	0x61, 0x86, 0x49, 0x67, 0x10, 0x9d, 0x5b, 0x62, 0x56, 0x66, 0x66, 0x10, 0xc5, 0x60, 0x8d, 0x0a,
+	0xd5, 0xa1, 0xc2, 0xff, 0x61, 0xb2, 0xc5, 0xd6, 0x78, 0x41, 0xbf, 0x37, 0x24, 0x91, 0xe8, 0xf7,
+	0x71, 0x36, 0xc5, 0x24, 0x10, 0xa7, 0x4c, 0x8c, 0x29, 0x36, 0xd4, 0x73, 0x8a, 0x7d, 0xb3, 0x04,
+	0x88, 0x77, 0xe1, 0x8f, 0x58, 0xc7, 0x5d, 0xef, 0xec, 0xb8, 0xdc, 0xcd, 0xe6, 0x4a, 0xd8, 0x74,
+	0xfc, 0xec, 0xac, 0xbd, 0x5b, 0xbd, 0xf7, 0xcb, 0x16, 0xa0, 0x65, 0x2f, 0x70, 0x49, 0x74, 0x02,
+	0x9a, 0xd6, 0xf1, 0x64, 0xc7, 0x15, 0x98, 0x58, 0xf6, 0x3d, 0x12, 0x24, 0x6b, 0xf5, 0xe5, 0x30,
+	0xd8, 0xf2, 0xb6, 0xd1, 0x27, 0x61, 0x82, 0x2a, 0x9e, 0x61, 0x3b, 0x69, 0x90, 0x66, 0x18, 0xb0,
+	0x3d, 0x9a, 0xaa, 0x6b, 0xe8, 0xf6, 0xe1, 0xdc, 0xc4, 0x86, 0x81, 0xc1, 0x19, 0x4a, 0xfb, 0x3f,
+	0xd2, 0x0f, 0x0d, 0xf7, 0x5a, 0x61, 0x40, 0x82, 0x64, 0x39, 0x0c, 0x5c, 0xae, 0xcb, 0x7d, 0x12,
+	0x06, 0x12, 0xda, 0x70, 0xfe, 0x91, 0x8f, 0xca, 0xa1, 0xa5, 0xcd, 0x3d, 0x3a, 0x9c, 0xbb, 0xaf,
+	0xb3, 0x04, 0xfb, 0x20, 0x56, 0x06, 0xfd, 0x14, 0x0c, 0xc5, 0x89, 0x93, 0xb4, 0x63, 0xf1, 0xd9,
+	0x0f, 0xcb, 0xcf, 0x6e, 0x30, 0xe8, 0xd1, 0xe1, 0xdc, 0xa4, 0x2a, 0xc6, 0x41, 0x58, 0x14, 0x40,
+	0x8f, 0xc3, 0xf0, 0x1e, 0x89, 0x63, 0x67, 0x5b, 0x6e, 0xc3, 0x93, 0xa2, 0xec, 0xf0, 0x3a, 0x07,
+	0x63, 0x89, 0x47, 0x8f, 0xc0, 0x20, 0x89, 0xa2, 0x30, 0x12, 0xb3, 0x6a, 0x5c, 0x10, 0x0e, 0xae,
+	0x50, 0x20, 0xe6, 0x38, 0xfb, 0xdf, 0x5b, 0x30, 0xa9, 0xda, 0xca, 0xeb, 0x3a, 0x01, 0x79, 0xfb,
+	0x26, 0x40, 0x53, 0x7e, 0x60, 0xcc, 0xe4, 0xdd, 0xe8, 0x85, 0x47, 0xf3, 0xa6, 0x70, 0x67, 0x37,
+	0xa6, 0x9c, 0x15, 0x28, 0xc6, 0x1a, 0x37, 0xfb, 0x5f, 0x58, 0x70, 0x2a, 0xf3, 0x45, 0x57, 0xbc,
+	0x38, 0x41, 0x6f, 0x75, 0x7c, 0xd5, 0x7c, 0x7f, 0x5f, 0x45, 0x4b, 0xb3, 0x6f, 0x52, 0x73, 0x4e,
+	0x42, 0xb4, 0x2f, 0xba, 0x04, 0x83, 0x5e, 0x42, 0xf6, 0xe4, 0xc7, 0x3c, 0xd2, 0xf5, 0x63, 0x78,
+	0xab, 0xd2, 0x11, 0x59, 0xa3, 0x25, 0x31, 0x67, 0x60, 0xff, 0x2f, 0x0b, 0x2a, 0x7c, 0xda, 0xae,
+	0x3b, 0xad, 0x13, 0x18, 0x8b, 0x35, 0x18, 0x60, 0xdc, 0x79, 0xc3, 0x1f, 0xcb, 0x6f, 0xb8, 0x68,
+	0xce, 0x3c, 0x55, 0xa6, 0xb8, 0xd2, 0xaa, 0x84, 0x19, 0x05, 0x61, 0xc6, 0x62, 0xf6, 0x05, 0xa8,
+	0x28, 0x02, 0x34, 0x05, 0xe5, 0x5d, 0xc2, 0x0f, 0x2a, 0x15, 0x4c, 0x7f, 0xa2, 0x19, 0x18, 0xdc,
+	0x77, 0xfc, 0xb6, 0x58, 0xec, 0x98, 0xff, 0xf9, 0x64, 0xe9, 0x45, 0xcb, 0xfe, 0x06, 0x5b, 0x63,
+	0xa2, 0x92, 0x95, 0x60, 0x5f, 0x08, 0x93, 0xf7, 0x60, 0xc6, 0xcf, 0x91, 0x61, 0xa2, 0x23, 0xfa,
+	0x97, 0x79, 0x0f, 0x89, 0xb6, 0xce, 0xe4, 0x61, 0x71, 0x6e, 0x1d, 0x74, 0x1b, 0x08, 0x5b, 0x74,
+	0x46, 0x39, 0x3e, 0x6b, 0xaf, 0x50, 0x40, 0xaf, 0x09, 0x18, 0x56, 0x58, 0x2a, 0x20, 0x66, 0x54,
+	0xe3, 0x2f, 0x93, 0x83, 0x06, 0xf1, 0x49, 0x33, 0x09, 0xa3, 0x0f, 0xb4, 0xf9, 0x67, 0x78, 0xef,
+	0x73, 0xf9, 0x32, 0x2a, 0x18, 0x94, 0x2f, 0x93, 0x03, 0x3e, 0x14, 0xfa, 0xd7, 0x95, 0xbb, 0x7e,
+	0xdd, 0x6f, 0x5a, 0x30, 0xae, 0xbe, 0xee, 0x04, 0x16, 0xd2, 0x92, 0xb9, 0x90, 0xce, 0x74, 0x9d,
+	0x8f, 0x05, 0x4b, 0xe8, 0x87, 0x4c, 0x04, 0x08, 0x9a, 0x7a, 0x14, 0xd2, 0xae, 0xa1, 0x32, 0xfb,
+	0x83, 0x1c, 0x90, 0x7e, 0xbe, 0xeb, 0x32, 0x39, 0xd8, 0x08, 0xa9, 0xfa, 0x90, 0xff, 0x5d, 0xc6,
+	0xa8, 0x0d, 0x74, 0x1d, 0xb5, 0xdf, 0x2a, 0xc1, 0x69, 0xd5, 0x03, 0xc6, 0x06, 0xfd, 0xa3, 0xde,
+	0x07, 0xcf, 0xc0, 0xa8, 0x4b, 0xb6, 0x9c, 0xb6, 0x9f, 0xa8, 0xb3, 0xe8, 0x20, 0xb7, 0x47, 0xd4,
+	0x52, 0x30, 0xd6, 0x69, 0x8e, 0xd1, 0x6d, 0xff, 0x16, 0x98, 0xec, 0x4d, 0x1c, 0x3a, 0x83, 0xa9,
+	0xf6, 0xa6, 0x59, 0x14, 0xc6, 0x74, 0x8b, 0x82, 0xb0, 0x1e, 0x3c, 0x02, 0x83, 0xde, 0x1e, 0xdd,
+	0x8b, 0x4b, 0xe6, 0x16, 0xbb, 0x46, 0x81, 0x98, 0xe3, 0xd0, 0xc7, 0x60, 0xb8, 0x19, 0xee, 0xed,
+	0x39, 0x81, 0x5b, 0x2d, 0x33, 0x7d, 0x72, 0x94, 0x6e, 0xd7, 0xcb, 0x1c, 0x84, 0x25, 0x0e, 0x3d,
+	0x04, 0x03, 0x4e, 0xb4, 0x1d, 0x57, 0x07, 0x18, 0xcd, 0x08, 0xad, 0x69, 0x31, 0xda, 0x8e, 0x31,
+	0x83, 0x52, 0x3d, 0xf1, 0x66, 0x18, 0xed, 0x7a, 0xc1, 0x76, 0xcd, 0x8b, 0x98, 0xd2, 0xa7, 0xe9,
+	0x89, 0xaf, 0x2b, 0x0c, 0xd6, 0xa8, 0xd0, 0x2a, 0x0c, 0xb6, 0xc2, 0x28, 0x89, 0xab, 0x43, 0xac,
+	0xbb, 0x1f, 0x2e, 0x58, 0x4a, 0xfc, 0x6b, 0xeb, 0x61, 0x94, 0xa4, 0x1f, 0x40, 0xff, 0xc5, 0x98,
+	0x17, 0x47, 0x3f, 0x05, 0x65, 0x12, 0xec, 0x57, 0x87, 0x19, 0x97, 0xd9, 0x3c, 0x2e, 0x2b, 0xc1,
+	0xfe, 0x0d, 0x27, 0x4a, 0xe5, 0xcc, 0x4a, 0xb0, 0x8f, 0x69, 0x19, 0xf4, 0x06, 0x54, 0xa4, 0x35,
+	0x32, 0xae, 0x8e, 0x14, 0x4f, 0x31, 0x2c, 0x88, 0x30, 0x79, 0xb7, 0xed, 0x45, 0x64, 0x8f, 0x04,
+	0x49, 0x9c, 0x9e, 0x27, 0x25, 0x36, 0xc6, 0x29, 0x37, 0xf4, 0x06, 0x8c, 0x71, 0x3d, 0x72, 0x3d,
+	0x6c, 0x07, 0x49, 0x5c, 0xad, 0xb0, 0xe6, 0xe5, 0x9a, 0xae, 0x6e, 0xa4, 0x74, 0x4b, 0x33, 0x82,
+	0xe9, 0x98, 0x06, 0x8c, 0xb1, 0xc1, 0x0a, 0x61, 0x18, 0xf7, 0xbd, 0x7d, 0x12, 0x90, 0x38, 0xae,
+	0x47, 0xe1, 0x26, 0xa9, 0x02, 0x6b, 0xf9, 0x03, 0xf9, 0x16, 0x9d, 0x70, 0x93, 0x2c, 0x4d, 0xdf,
+	0x3e, 0x9c, 0x1b, 0xbf, 0xa2, 0x97, 0xc1, 0x26, 0x0b, 0x74, 0x1d, 0x26, 0xa8, 0x82, 0xea, 0xa5,
+	0x4c, 0x47, 0x7b, 0x31, 0x65, 0xda, 0x29, 0x36, 0x0a, 0xe1, 0x0c, 0x13, 0xf4, 0x2a, 0x54, 0x7c,
+	0x6f, 0x8b, 0x34, 0x0f, 0x9a, 0x3e, 0xa9, 0x8e, 0x31, 0x8e, 0xb9, 0xcb, 0xea, 0x8a, 0x24, 0xe2,
+	0x07, 0x00, 0xf5, 0x17, 0xa7, 0xc5, 0xd1, 0x0d, 0xb8, 0x2f, 0x21, 0xd1, 0x9e, 0x17, 0x38, 0x74,
+	0x39, 0x08, 0x7d, 0x92, 0xd9, 0xc5, 0xc6, 0xd9, 0x7c, 0x3b, 0x2b, 0xba, 0xee, 0xbe, 0x8d, 0x5c,
+	0x2a, 0x5c, 0x50, 0x1a, 0x5d, 0x83, 0x49, 0xb6, 0x12, 0xea, 0x6d, 0xdf, 0xaf, 0x87, 0xbe, 0xd7,
+	0x3c, 0xa8, 0x4e, 0x30, 0x86, 0x1f, 0x93, 0x86, 0xaf, 0x35, 0x13, 0x4d, 0x4f, 0xbc, 0xe9, 0x3f,
+	0x9c, 0x2d, 0x8d, 0x36, 0x99, 0x21, 0xa4, 0x1d, 0x79, 0xc9, 0x01, 0x9d, 0xbf, 0xe4, 0x56, 0x52,
+	0x9d, 0xec, 0x7a, 0x7e, 0xd4, 0x49, 0x95, 0xb5, 0x44, 0x07, 0xe2, 0x2c, 0x43, 0xba, 0xb4, 0xe3,
+	0xc4, 0xf5, 0x82, 0xea, 0x14, 0x93, 0x18, 0x6a, 0x65, 0x34, 0x28, 0x10, 0x73, 0x1c, 0x33, 0x82,
+	0xd0, 0x1f, 0xd7, 0xa8, 0x04, 0x9d, 0x66, 0x84, 0xa9, 0x11, 0x44, 0x22, 0x70, 0x4a, 0x43, 0xb7,
+	0xe5, 0x24, 0x39, 0xa8, 0x22, 0x46, 0xaa, 0x96, 0xcb, 0xc6, 0xc6, 0x1b, 0x98, 0xc2, 0xd1, 0x15,
+	0x18, 0x26, 0xc1, 0xfe, 0x6a, 0x14, 0xee, 0x55, 0x4f, 0x15, 0xaf, 0xd9, 0x15, 0x4e, 0xc2, 0x05,
+	0x7a, 0x7a, 0x00, 0x10, 0x60, 0x2c, 0x59, 0xa0, 0x5b, 0x50, 0xcd, 0x19, 0x11, 0x3e, 0x00, 0x33,
+	0x6c, 0x00, 0x5e, 0x16, 0x65, 0xab, 0x1b, 0x05, 0x74, 0x47, 0x5d, 0x70, 0xb8, 0x90, 0xbb, 0xbd,
+	0x09, 0x13, 0x4a, 0xb0, 0xb0, 0xb1, 0x45, 0x73, 0x30, 0x48, 0x25, 0xa6, 0x3c, 0x52, 0x57, 0x68,
+	0x57, 0x32, 0xd3, 0x14, 0xe6, 0x70, 0xd6, 0x95, 0xde, 0x7b, 0x64, 0xe9, 0x20, 0x21, 0xfc, 0x58,
+	0x54, 0xd6, 0xba, 0x52, 0x22, 0x70, 0x4a, 0x63, 0xff, 0x3f, 0xae, 0x98, 0xa4, 0xd2, 0xab, 0x0f,
+	0x79, 0xfd, 0x14, 0x8c, 0xec, 0x84, 0x71, 0x42, 0xa9, 0x59, 0x1d, 0x83, 0xa9, 0x2a, 0x72, 0x49,
+	0xc0, 0xb1, 0xa2, 0x40, 0x2f, 0xc1, 0x78, 0x53, 0xaf, 0x40, 0x6c, 0x36, 0xa7, 0x45, 0x11, 0xb3,
+	0x76, 0x6c, 0xd2, 0xa2, 0x17, 0x61, 0x84, 0x5d, 0x50, 0x34, 0x43, 0x5f, 0x1c, 0xc0, 0xe4, 0x8e,
+	0x39, 0x52, 0x17, 0xf0, 0x23, 0xed, 0x37, 0x56, 0xd4, 0xf4, 0x50, 0x4c, 0x9b, 0xb0, 0x56, 0x17,
+	0x62, 0x5e, 0x1d, 0x8a, 0x2f, 0x31, 0x28, 0x16, 0x58, 0xfb, 0xaf, 0x95, 0xb4, 0x5e, 0xa6, 0x47,
+	0x0a, 0x82, 0xea, 0x30, 0x7c, 0xd3, 0xf1, 0x12, 0x2f, 0xd8, 0x16, 0xfb, 0xf9, 0xe3, 0x5d, 0x65,
+	0x3e, 0x2b, 0xf4, 0x3a, 0x2f, 0xc0, 0x77, 0x25, 0xf1, 0x07, 0x4b, 0x36, 0x94, 0x63, 0xd4, 0x0e,
+	0x02, 0xca, 0xb1, 0xd4, 0x2f, 0x47, 0xcc, 0x0b, 0x70, 0x8e, 0xe2, 0x0f, 0x96, 0x6c, 0xd0, 0x5b,
+	0x00, 0x72, 0xde, 0x10, 0x57, 0x5c, 0x0c, 0x3c, 0xd5, 0x9b, 0xe9, 0x86, 0x2a, 0xb3, 0x34, 0x41,
+	0xf7, 0xbc, 0xf4, 0x3f, 0xd6, 0xf8, 0xd9, 0x09, 0xd3, 0x7b, 0x3a, 0x1b, 0x83, 0x3e, 0x43, 0x97,
+	0xaa, 0x13, 0x25, 0xc4, 0x5d, 0x4c, 0x44, 0xe7, 0x3c, 0xd1, 0x9f, 0xda, 0xba, 0xe1, 0xed, 0x11,
+	0x7d, 0x59, 0x0b, 0x26, 0x38, 0xe5, 0x67, 0xff, 0x76, 0x19, 0xaa, 0x45, 0xcd, 0xa5, 0x93, 0x8e,
+	0xdc, 0xf2, 0x92, 0x65, 0xaa, 0xae, 0x58, 0xe6, 0xa4, 0x5b, 0x11, 0x70, 0xac, 0x28, 0xe8, 0xe8,
+	0xc7, 0xde, 0xb6, 0x3c, 0x75, 0x0c, 0xa6, 0xa3, 0xdf, 0x60, 0x50, 0x2c, 0xb0, 0x94, 0x2e, 0x22,
+	0x4e, 0x2c, 0x6e, 0x9e, 0xb4, 0x59, 0x82, 0x19, 0x14, 0x0b, 0xac, 0x6e, 0x30, 0x18, 0xe8, 0x61,
+	0x30, 0x30, 0xba, 0x68, 0xf0, 0xee, 0x76, 0x11, 0x7a, 0x1b, 0x60, 0xcb, 0x0b, 0xbc, 0x78, 0x87,
+	0x71, 0x1f, 0x3a, 0x36, 0x77, 0xa5, 0xec, 0xac, 0x2a, 0x2e, 0x58, 0xe3, 0x88, 0x9e, 0x87, 0x51,
+	0xb5, 0x00, 0xd7, 0x6a, 0xd5, 0x61, 0xf3, 0x5a, 0x23, 0x95, 0x46, 0x35, 0xac, 0xd3, 0xd9, 0xef,
+	0x64, 0xe7, 0x8b, 0x58, 0x01, 0x5a, 0xff, 0x5a, 0xfd, 0xf6, 0x6f, 0xa9, 0x7b, 0xff, 0xda, 0xbf,
+	0x5f, 0x86, 0x49, 0xa3, 0xb2, 0x76, 0xdc, 0x87, 0xcc, 0xba, 0x48, 0x37, 0x22, 0x27, 0x21, 0x62,
+	0xfd, 0xd9, 0xbd, 0x97, 0x8a, 0xbe, 0x59, 0xd1, 0x15, 0xc0, 0xcb, 0xa3, 0xb7, 0xa1, 0xe2, 0x3b,
+	0x31, 0x33, 0x3e, 0x10, 0xb1, 0xee, 0xfa, 0x61, 0x96, 0x2a, 0xfa, 0x4e, 0x9c, 0x68, 0x7b, 0x01,
+	0xe7, 0x9d, 0xb2, 0xa4, 0x3b, 0x26, 0x55, 0x4e, 0xe4, 0xd5, 0xa6, 0x6a, 0x04, 0xd5, 0x60, 0x0e,
+	0x30, 0xc7, 0xa1, 0x17, 0x61, 0x2c, 0x22, 0x6c, 0x56, 0x2c, 0x53, 0x5d, 0x8b, 0x4d, 0xb3, 0xc1,
+	0x54, 0x29, 0xc3, 0x1a, 0x0e, 0x1b, 0x94, 0xa9, 0xae, 0x3d, 0xd4, 0x45, 0xd7, 0x7e, 0x1c, 0x86,
+	0xd9, 0x0f, 0x35, 0x03, 0xd4, 0x68, 0xac, 0x71, 0x30, 0x96, 0xf8, 0xec, 0x84, 0x19, 0xe9, 0x73,
+	0xc2, 0x3c, 0x01, 0x13, 0x35, 0x87, 0xec, 0x85, 0xc1, 0x4a, 0xe0, 0xb6, 0x42, 0x2f, 0x48, 0x50,
+	0x15, 0x06, 0xd8, 0xee, 0xc0, 0xd7, 0xf6, 0x00, 0xe5, 0x80, 0x07, 0xa8, 0xe6, 0x6c, 0xff, 0x51,
+	0x09, 0xc6, 0x6b, 0xc4, 0x27, 0x09, 0xe1, 0x67, 0x8d, 0x18, 0xad, 0x02, 0xda, 0x8e, 0x9c, 0x26,
+	0xa9, 0x93, 0xc8, 0x0b, 0x5d, 0xdd, 0x18, 0x59, 0x66, 0x06, 0x7f, 0x74, 0xb1, 0x03, 0x8b, 0x73,
+	0x4a, 0xa0, 0x37, 0x61, 0xbc, 0x15, 0x11, 0xc3, 0x86, 0x66, 0x15, 0xa9, 0x0b, 0x75, 0x9d, 0x90,
+	0x6b, 0xaa, 0x06, 0x08, 0x9b, 0xac, 0xd0, 0xcf, 0xc0, 0x54, 0x18, 0xb5, 0x76, 0x9c, 0xa0, 0x46,
+	0x5a, 0x24, 0x70, 0xa9, 0x2a, 0x2e, 0x6c, 0x04, 0x33, 0xb7, 0x0f, 0xe7, 0xa6, 0xae, 0x65, 0x70,
+	0xb8, 0x83, 0x1a, 0xbd, 0x09, 0xd3, 0xad, 0x28, 0x6c, 0x39, 0xdb, 0x6c, 0xa2, 0x08, 0x8d, 0x83,
+	0x4b, 0x9f, 0xa7, 0x6e, 0x1f, 0xce, 0x4d, 0xd7, 0xb3, 0xc8, 0xa3, 0xc3, 0xb9, 0x53, 0xac, 0xa3,
+	0x28, 0x24, 0x45, 0xe2, 0x4e, 0x36, 0xf6, 0x36, 0x9c, 0xae, 0x85, 0x37, 0x83, 0x9b, 0x4e, 0xe4,
+	0x2e, 0xd6, 0xd7, 0xb4, 0xc3, 0xfd, 0x55, 0x79, 0xb8, 0xe4, 0xd7, 0xaf, 0xb9, 0xfb, 0x94, 0x56,
+	0x92, 0xab, 0xff, 0xab, 0x9e, 0x4f, 0x0a, 0x8c, 0x08, 0x7f, 0xb3, 0x64, 0xd4, 0x94, 0xd2, 0x2b,
+	0xbb, 0xbf, 0x55, 0x68, 0xf7, 0x7f, 0x0d, 0x46, 0xb6, 0x3c, 0xe2, 0xbb, 0x98, 0x6c, 0x89, 0x91,
+	0x79, 0xac, 0xf8, 0x46, 0x69, 0x95, 0x52, 0x4a, 0xa3, 0x11, 0x3f, 0x9a, 0xae, 0x8a, 0xc2, 0x58,
+	0xb1, 0x41, 0xbb, 0x30, 0x25, 0xcf, 0x3e, 0x12, 0x2b, 0x16, 0xf1, 0xe3, 0xdd, 0x0e, 0x54, 0x26,
+	0x73, 0x36, 0x80, 0x38, 0xc3, 0x06, 0x77, 0x30, 0xa6, 0x67, 0xd1, 0x3d, 0xba, 0x5d, 0x0d, 0xb0,
+	0x29, 0xcd, 0xce, 0xa2, 0xec, 0x58, 0xcd, 0xa0, 0xf6, 0x57, 0x2c, 0xb8, 0xbf, 0xa3, 0x67, 0x84,
+	0x79, 0xe1, 0x2e, 0x8f, 0x42, 0xf6, 0xb8, 0x5f, 0xea, 0x7d, 0xdc, 0xb7, 0xff, 0xa1, 0x05, 0x33,
+	0x2b, 0x7b, 0xad, 0xe4, 0xa0, 0xe6, 0x99, 0x77, 0x13, 0x2f, 0xc0, 0xd0, 0x1e, 0x71, 0xbd, 0xf6,
+	0x9e, 0x18, 0xb9, 0x39, 0x29, 0xd2, 0xd7, 0x19, 0xf4, 0xe8, 0x70, 0x6e, 0xbc, 0x91, 0x84, 0x91,
+	0xb3, 0x4d, 0x38, 0x00, 0x0b, 0x72, 0xb6, 0x31, 0x7a, 0xef, 0x91, 0x2b, 0xde, 0x9e, 0x27, 0x6f,
+	0x08, 0xbb, 0x9a, 0xbc, 0xe6, 0x65, 0x87, 0xce, 0xbf, 0xd6, 0x76, 0x82, 0xc4, 0x4b, 0x0e, 0xc4,
+	0xb5, 0x8b, 0x64, 0x82, 0x53, 0x7e, 0xf6, 0x77, 0x2c, 0x98, 0x94, 0xb2, 0x64, 0xd1, 0x75, 0x23,
+	0x12, 0xc7, 0x68, 0x16, 0x4a, 0x5e, 0x4b, 0xb4, 0x12, 0x44, 0x2b, 0x4b, 0x6b, 0x75, 0x5c, 0xf2,
+	0x5a, 0xa8, 0x0e, 0x15, 0x7e, 0xd1, 0x98, 0x4e, 0xae, 0xbe, 0xae, 0x2b, 0x59, 0x0b, 0x36, 0x64,
+	0x49, 0x9c, 0x32, 0x91, 0x5a, 0x31, 0xdb, 0x87, 0xca, 0xe6, 0x9d, 0xcd, 0x25, 0x01, 0xc7, 0x8a,
+	0x02, 0x9d, 0x87, 0x91, 0x20, 0x74, 0xf9, 0xbd, 0x2f, 0x5f, 0xd3, 0x6c, 0xca, 0x5e, 0x15, 0x30,
+	0xac, 0xb0, 0xf6, 0x2f, 0x5a, 0x30, 0x26, 0xbf, 0xac, 0x4f, 0x05, 0x9d, 0x2e, 0xad, 0x54, 0x39,
+	0x4f, 0x97, 0x16, 0x55, 0xb0, 0x19, 0xc6, 0xd0, 0xab, 0xcb, 0xc7, 0xd1, 0xab, 0xed, 0x2f, 0x97,
+	0x60, 0x42, 0x36, 0xa7, 0xd1, 0xde, 0x8c, 0x49, 0x82, 0x36, 0xa0, 0xe2, 0xf0, 0x2e, 0x27, 0x72,
+	0xc6, 0x3e, 0x92, 0x7f, 0xe2, 0x32, 0xc6, 0x27, 0x55, 0x75, 0x16, 0x65, 0x69, 0x9c, 0x32, 0x42,
+	0x3e, 0x4c, 0x07, 0x61, 0xc2, 0xb6, 0x3d, 0x85, 0xef, 0x76, 0x2f, 0x90, 0xe5, 0xfe, 0x80, 0xe0,
+	0x3e, 0x7d, 0x35, 0xcb, 0x05, 0x77, 0x32, 0x46, 0x2b, 0xd2, 0xca, 0x53, 0x66, 0x35, 0x9c, 0xeb,
+	0x56, 0x43, 0xb1, 0x91, 0xc7, 0xfe, 0x5d, 0x0b, 0x2a, 0x92, 0xec, 0x24, 0xae, 0x80, 0xd6, 0x61,
+	0x38, 0x66, 0x83, 0x20, 0xbb, 0xc6, 0xee, 0xd6, 0x70, 0x3e, 0x5e, 0xe9, 0x6e, 0xce, 0xff, 0xc7,
+	0x58, 0xf2, 0x60, 0x66, 0x6a, 0xd5, 0xfc, 0x0f, 0x89, 0x99, 0x5a, 0xb5, 0xa7, 0x60, 0x87, 0xf9,
+	0xaf, 0xac, 0xcd, 0xda, 0x59, 0x9e, 0x2a, 0x9d, 0xad, 0x88, 0x6c, 0x79, 0xb7, 0xb2, 0x4a, 0x67,
+	0x9d, 0x41, 0xb1, 0xc0, 0xa2, 0xb7, 0x60, 0xac, 0x29, 0xad, 0xbb, 0xa9, 0x18, 0x78, 0xb4, 0xab,
+	0xad, 0x5c, 0x5d, 0xab, 0x70, 0x9f, 0xb0, 0x65, 0xad, 0x3c, 0x36, 0xb8, 0x99, 0x17, 0xf3, 0xe5,
+	0x5e, 0x17, 0xf3, 0x29, 0xdf, 0xc2, 0xab, 0x65, 0xfb, 0x57, 0x2d, 0x18, 0xe2, 0x36, 0xc2, 0xfe,
+	0x8c, 0xaa, 0xda, 0x35, 0x51, 0xda, 0x77, 0x37, 0x28, 0x50, 0xdc, 0x1a, 0xa1, 0x75, 0xa8, 0xb0,
+	0x1f, 0xcc, 0x56, 0x52, 0x2e, 0x76, 0x86, 0xe3, 0xb5, 0xea, 0x0d, 0xbc, 0x21, 0x8b, 0xe1, 0x94,
+	0x83, 0xfd, 0xa5, 0x32, 0x15, 0x55, 0x29, 0xa9, 0xb1, 0x83, 0x5b, 0xf7, 0x6e, 0x07, 0x2f, 0xdd,
+	0xab, 0x1d, 0x7c, 0x1b, 0x26, 0x9b, 0xda, 0x9d, 0x54, 0x3a, 0x92, 0xe7, 0xbb, 0x4e, 0x12, 0xed,
+	0xfa, 0x8a, 0xdb, 0xc9, 0x96, 0x4d, 0x26, 0x38, 0xcb, 0x15, 0x7d, 0x06, 0xc6, 0xf8, 0x38, 0x8b,
+	0x5a, 0x06, 0x58, 0x2d, 0x1f, 0x2b, 0x9e, 0x2f, 0x7a, 0x15, 0x6c, 0x26, 0x36, 0xb4, 0xe2, 0xd8,
+	0x60, 0x66, 0x7f, 0x61, 0x10, 0x06, 0x57, 0xf6, 0x49, 0x90, 0x9c, 0x80, 0x40, 0x6a, 0xc2, 0x84,
+	0x17, 0xec, 0x87, 0xfe, 0x3e, 0x71, 0x39, 0xfe, 0x38, 0x9b, 0xeb, 0x7d, 0x82, 0xf5, 0xc4, 0x9a,
+	0xc1, 0x02, 0x67, 0x58, 0xde, 0x8b, 0x53, 0xfb, 0x45, 0x18, 0xe2, 0x63, 0x2f, 0x8e, 0xec, 0xb9,
+	0x16, 0x70, 0xd6, 0x89, 0x62, 0x15, 0xa4, 0x16, 0x05, 0x6e, 0x72, 0x17, 0xc5, 0xd1, 0x3b, 0x30,
+	0xb1, 0xe5, 0x45, 0x71, 0x42, 0x8f, 0xdb, 0x71, 0xe2, 0xec, 0xb5, 0xee, 0xe0, 0x94, 0xae, 0xfa,
+	0x61, 0xd5, 0xe0, 0x84, 0x33, 0x9c, 0xd1, 0x36, 0x8c, 0xd3, 0x83, 0x63, 0x5a, 0xd5, 0xf0, 0xb1,
+	0xab, 0x52, 0x66, 0xb8, 0x2b, 0x3a, 0x23, 0x6c, 0xf2, 0xa5, 0xc2, 0xa4, 0xc9, 0x0e, 0x9a, 0x23,
+	0x4c, 0xa3, 0x50, 0xc2, 0x84, 0x9f, 0x30, 0x39, 0x8e, 0xca, 0x24, 0xe6, 0xcb, 0x51, 0x31, 0x65,
+	0x52, 0xea, 0xb1, 0x61, 0x7f, 0x95, 0xee, 0x8e, 0xb4, 0x0f, 0x4f, 0x60, 0x6b, 0x79, 0xc5, 0xdc,
+	0x5a, 0x1e, 0x28, 0x1c, 0xcf, 0x82, 0x6d, 0xe5, 0xb3, 0x30, 0xaa, 0x0d, 0x37, 0x5a, 0x80, 0x4a,
+	0x53, 0x3a, 0x1e, 0x08, 0xa9, 0xab, 0xd4, 0x17, 0xe5, 0x91, 0x80, 0x53, 0x1a, 0xda, 0x1b, 0x54,
+	0xd9, 0xcb, 0xba, 0x35, 0x51, 0x55, 0x10, 0x33, 0x8c, 0xfd, 0x2c, 0xc0, 0xca, 0x2d, 0xd2, 0x5c,
+	0xe4, 0x07, 0x2f, 0xed, 0x7e, 0xcb, 0x2a, 0xbe, 0xdf, 0xb2, 0xff, 0x83, 0x05, 0x13, 0xab, 0xcb,
+	0x86, 0x42, 0x3e, 0x0f, 0xc0, 0xb5, 0xd0, 0xd7, 0x5f, 0xbf, 0x2a, 0x2d, 0xc3, 0xdc, 0xb8, 0xa7,
+	0xa0, 0x58, 0xa3, 0x40, 0x0f, 0x40, 0xd9, 0x6f, 0x07, 0x42, 0x39, 0x1c, 0xbe, 0x7d, 0x38, 0x57,
+	0xbe, 0xd2, 0x0e, 0x30, 0x85, 0x69, 0x9e, 0x44, 0xe5, 0xbe, 0x3d, 0x89, 0x7a, 0xba, 0x60, 0xa3,
+	0x39, 0x18, 0xbc, 0x79, 0xd3, 0x73, 0xe3, 0xea, 0x60, 0x6a, 0xb5, 0x7e, 0xfd, 0xf5, 0xb5, 0x5a,
+	0x8c, 0x39, 0xdc, 0xfe, 0x0b, 0x65, 0x98, 0x5a, 0xf5, 0xc9, 0x2d, 0xe3, 0xb3, 0x1e, 0x85, 0x21,
+	0x37, 0xf2, 0xf6, 0x49, 0x94, 0xdd, 0xc5, 0x6b, 0x0c, 0x8a, 0x05, 0xb6, 0x6f, 0xef, 0xa7, 0xeb,
+	0x9d, 0xfb, 0xf1, 0xdd, 0xf6, 0xf7, 0xea, 0xdd, 0x15, 0x6f, 0xc1, 0x30, 0xbf, 0x26, 0xe5, 0x9d,
+	0x31, 0x7a, 0xe1, 0x99, 0xbc, 0x26, 0x64, 0xfb, 0x62, 0x5e, 0x18, 0x3e, 0xb8, 0xcf, 0x88, 0x12,
+	0x62, 0x02, 0x8a, 0x25, 0xcb, 0xd9, 0x4f, 0xc2, 0x98, 0x4e, 0x79, 0x2c, 0xe7, 0x91, 0xbf, 0x68,
+	0xc1, 0xa9, 0x55, 0x3f, 0x6c, 0xee, 0x66, 0x5c, 0xd1, 0x9e, 0x87, 0x51, 0xba, 0x9e, 0x62, 0xc3,
+	0xad, 0xd5, 0x70, 0x74, 0x16, 0x28, 0xac, 0xd3, 0x69, 0xc5, 0xae, 0x5f, 0x5f, 0xab, 0xe5, 0xf9,
+	0x47, 0x0b, 0x14, 0xd6, 0xe9, 0xec, 0x6f, 0x5b, 0x70, 0xe6, 0xe2, 0xf2, 0x4a, 0xea, 0x8d, 0xd9,
+	0xe1, 0xa2, 0x4d, 0x95, 0x3b, 0x57, 0x6b, 0x4a, 0xaa, 0xdc, 0xd5, 0x58, 0x2b, 0x04, 0xf6, 0xc3,
+	0x12, 0x7e, 0xf0, 0xeb, 0x16, 0x9c, 0xba, 0xe8, 0x25, 0x98, 0xb4, 0xc2, 0xac, 0xb3, 0x70, 0x44,
+	0x5a, 0x61, 0xec, 0x25, 0x61, 0x74, 0x90, 0x75, 0x16, 0xc6, 0x0a, 0x83, 0x35, 0x2a, 0x5e, 0xf3,
+	0xbe, 0x17, 0xd3, 0x96, 0x96, 0xcc, 0x13, 0x26, 0x16, 0x70, 0xac, 0x28, 0xe8, 0x87, 0xb9, 0x5e,
+	0xc4, 0x34, 0x84, 0x03, 0xb1, 0x9c, 0xd5, 0x87, 0xd5, 0x24, 0x02, 0xa7, 0x34, 0xf6, 0x57, 0x2c,
+	0x38, 0x7d, 0xd1, 0x6f, 0xc7, 0x09, 0x89, 0xb6, 0x62, 0xa3, 0xb1, 0xcf, 0x42, 0x85, 0x48, 0x2d,
+	0x5c, 0xb4, 0x55, 0xed, 0x1b, 0x4a, 0x3d, 0xe7, 0x9e, 0xca, 0x8a, 0xae, 0x0f, 0xbf, 0xce, 0xe3,
+	0xf9, 0x23, 0x7e, 0xad, 0x04, 0xe3, 0x97, 0x36, 0x36, 0xea, 0x17, 0x49, 0x22, 0x44, 0x66, 0x6f,
+	0x0b, 0x12, 0xd6, 0x0e, 0xc2, 0xdd, 0x74, 0x9d, 0x76, 0xe2, 0xf9, 0xf3, 0x3c, 0x34, 0x66, 0x7e,
+	0x2d, 0x48, 0xae, 0x45, 0x8d, 0x24, 0xf2, 0x82, 0xed, 0xdc, 0xa3, 0xb3, 0x14, 0xec, 0xe5, 0x22,
+	0xc1, 0x8e, 0x9e, 0x85, 0x21, 0x16, 0x9b, 0x23, 0xb5, 0x8e, 0x07, 0x95, 0xaa, 0xc0, 0xa0, 0x47,
+	0x87, 0x73, 0x95, 0xeb, 0x78, 0x8d, 0xff, 0xc1, 0x82, 0x14, 0x5d, 0x87, 0xd1, 0x9d, 0x24, 0x69,
+	0x5d, 0x22, 0x8e, 0x4b, 0x22, 0x29, 0x1d, 0xce, 0xe6, 0x49, 0x07, 0xda, 0x09, 0x9c, 0x2c, 0x5d,
+	0x50, 0x29, 0x2c, 0xc6, 0x3a, 0x1f, 0xbb, 0x01, 0x90, 0xe2, 0xee, 0xd2, 0xb1, 0xc1, 0xfe, 0xbe,
+	0x05, 0xc3, 0x97, 0x9c, 0xc0, 0xf5, 0x49, 0x84, 0x5e, 0x86, 0x01, 0x72, 0x8b, 0x34, 0xc5, 0x0e,
+	0x9e, 0xdb, 0xe0, 0x74, 0x97, 0xe3, 0x46, 0x30, 0xfa, 0x1f, 0xb3, 0x52, 0xe8, 0x12, 0x0c, 0xd3,
+	0xd6, 0x5e, 0x54, 0x3e, 0xe3, 0x0f, 0x17, 0x7d, 0xb1, 0x1a, 0x76, 0xbe, 0x31, 0x0a, 0x10, 0x96,
+	0xc5, 0x99, 0x41, 0xa7, 0xd9, 0x6a, 0x50, 0x01, 0x96, 0x74, 0x3b, 0x6e, 0x6d, 0x2c, 0xd7, 0x39,
+	0x91, 0xe0, 0xc6, 0x0d, 0x3a, 0x12, 0x88, 0x53, 0x26, 0xf6, 0x06, 0x54, 0xe8, 0xa0, 0x2e, 0xfa,
+	0x9e, 0xd3, 0xdd, 0x96, 0xf4, 0x24, 0x54, 0xa4, 0x5d, 0x27, 0x16, 0x6e, 0xe7, 0x8c, 0xab, 0x34,
+	0xfb, 0xc4, 0x38, 0xc5, 0xdb, 0x5b, 0x30, 0xc3, 0x2e, 0x49, 0x9d, 0x64, 0xc7, 0x58, 0x63, 0xbd,
+	0x27, 0xf3, 0x53, 0x42, 0xbf, 0xe2, 0x23, 0x53, 0xd5, 0xfc, 0x64, 0xc7, 0x24, 0x47, 0x4d, 0xd7,
+	0xfa, 0xcf, 0x03, 0x30, 0xbd, 0xd6, 0x58, 0x6e, 0x98, 0x86, 0xc5, 0x17, 0x61, 0x8c, 0x6b, 0x02,
+	0x74, 0x42, 0x3b, 0xbe, 0xa8, 0x4d, 0x5d, 0x1c, 0x6c, 0x68, 0x38, 0x6c, 0x50, 0xa2, 0x33, 0x50,
+	0xf6, 0xde, 0x0d, 0xb2, 0xae, 0x70, 0x6b, 0xaf, 0x5d, 0xc5, 0x14, 0x4e, 0xd1, 0x54, 0xa9, 0xe0,
+	0x02, 0x54, 0xa1, 0x95, 0x62, 0xf1, 0x0a, 0x4c, 0x78, 0x71, 0x33, 0xf6, 0xd6, 0x02, 0x2a, 0x5d,
+	0xd2, 0x98, 0x8b, 0x54, 0xe3, 0xa7, 0x4d, 0x55, 0x58, 0x9c, 0xa1, 0xd6, 0xa4, 0xf9, 0x60, 0xdf,
+	0x8a, 0x49, 0x4f, 0xef, 0x6b, 0xaa, 0x73, 0xb5, 0xd8, 0xd7, 0xc5, 0xcc, 0x2d, 0x47, 0xe8, 0x5c,
+	0xfc, 0x83, 0x63, 0x2c, 0x71, 0xe8, 0x22, 0x4c, 0x37, 0x77, 0x9c, 0xd6, 0x62, 0x3b, 0xd9, 0xa9,
+	0x79, 0x71, 0x33, 0xdc, 0x27, 0xd1, 0x01, 0xd3, 0x84, 0x47, 0x52, 0x23, 0x93, 0x42, 0x2c, 0x5f,
+	0x5a, 0xac, 0x53, 0x4a, 0xdc, 0x59, 0xc6, 0x54, 0x41, 0xe0, 0xae, 0xa9, 0x20, 0x8b, 0x30, 0x29,
+	0xeb, 0x6a, 0x90, 0x98, 0x6d, 0x0f, 0xa3, 0xac, 0x75, 0x2a, 0x24, 0x4a, 0x80, 0x55, 0xdb, 0xb2,
+	0xf4, 0xe8, 0x05, 0x18, 0xf7, 0x02, 0x2f, 0xf1, 0x9c, 0x24, 0x8c, 0xd8, 0xe6, 0x3a, 0xc6, 0x37,
+	0x0c, 0x2a, 0xe1, 0xd7, 0x74, 0x04, 0x36, 0xe9, 0xec, 0x77, 0xa0, 0xa2, 0x7c, 0xcd, 0xa4, 0xbb,
+	0xa4, 0x55, 0xe0, 0x2e, 0xd9, 0x7b, 0x47, 0x90, 0x16, 0xf3, 0x72, 0xae, 0xc5, 0xfc, 0x6f, 0x59,
+	0x90, 0xba, 0xdc, 0xa0, 0x4b, 0x50, 0x69, 0x85, 0xec, 0xd6, 0x2c, 0x92, 0x57, 0xd1, 0x0f, 0xe6,
+	0x0a, 0x0f, 0x2e, 0xa8, 0x78, 0xff, 0xd5, 0x65, 0x09, 0x9c, 0x16, 0x46, 0x4b, 0x30, 0xdc, 0x8a,
+	0x48, 0x23, 0x61, 0x41, 0x23, 0x3d, 0xf9, 0xf0, 0x39, 0xc2, 0xe9, 0xb1, 0x2c, 0x68, 0xff, 0x96,
+	0x05, 0xc0, 0x8d, 0xd2, 0x4e, 0xb0, 0x4d, 0x4e, 0xe0, 0xa0, 0x5d, 0x83, 0x81, 0xb8, 0x45, 0x9a,
+	0xdd, 0xee, 0x33, 0xd3, 0xf6, 0x34, 0x5a, 0xa4, 0x99, 0x76, 0x38, 0xfd, 0x87, 0x59, 0x69, 0xfb,
+	0x17, 0x00, 0x26, 0x52, 0x32, 0x7a, 0x00, 0x42, 0x4f, 0x1b, 0x2e, 0xf9, 0x0f, 0x64, 0x5c, 0xf2,
+	0x2b, 0x8c, 0x5a, 0xf3, 0xc2, 0x7f, 0x07, 0xca, 0x7b, 0xce, 0x2d, 0x71, 0xca, 0x7a, 0xb2, 0x7b,
+	0x33, 0x28, 0xff, 0xf9, 0x75, 0xe7, 0x16, 0xd7, 0x63, 0x9f, 0x94, 0x13, 0x64, 0xdd, 0xb9, 0x75,
+	0xc4, 0x6f, 0x2d, 0x99, 0x90, 0xa2, 0x87, 0xb9, 0xcf, 0xfd, 0x71, 0xfa, 0x9f, 0x4d, 0x3b, 0x5a,
+	0x09, 0xab, 0xcb, 0x0b, 0x84, 0x89, 0xb6, 0xaf, 0xba, 0xbc, 0x20, 0x5b, 0x97, 0x17, 0xf4, 0x51,
+	0x97, 0x17, 0xa0, 0xf7, 0x60, 0x58, 0x5c, 0x87, 0x30, 0x5f, 0xc2, 0xd1, 0x0b, 0x0b, 0x7d, 0xd4,
+	0x27, 0x6e, 0x53, 0x78, 0x9d, 0x0b, 0x52, 0x4f, 0x17, 0xd0, 0x9e, 0xf5, 0xca, 0x0a, 0xd1, 0xdf,
+	0xb0, 0x60, 0x42, 0xfc, 0xc6, 0xe4, 0xdd, 0x36, 0x89, 0x13, 0xa1, 0x0f, 0x7c, 0xa2, 0xff, 0x36,
+	0x88, 0x82, 0xbc, 0x29, 0x9f, 0x90, 0x62, 0xd6, 0x44, 0xf6, 0x6c, 0x51, 0xa6, 0x15, 0xe8, 0x1f,
+	0x5b, 0x30, 0xb3, 0xe7, 0xdc, 0xe2, 0x35, 0x72, 0x18, 0x76, 0x12, 0x2f, 0x14, 0xbe, 0x91, 0x2f,
+	0xf7, 0x37, 0xfc, 0x1d, 0xc5, 0x79, 0x23, 0xa5, 0x1b, 0xd5, 0x4c, 0x1e, 0x49, 0xcf, 0xa6, 0xe6,
+	0xb6, 0x6b, 0x76, 0x0b, 0x46, 0xe4, 0x7c, 0xcb, 0x39, 0x0d, 0xd5, 0x74, 0x65, 0xe7, 0xd8, 0xb7,
+	0x51, 0xda, 0xe9, 0x89, 0xd5, 0x23, 0xe6, 0xda, 0x3d, 0xad, 0xe7, 0x1d, 0x18, 0xd3, 0xe7, 0xd8,
+	0x3d, 0xad, 0xeb, 0x5d, 0x38, 0x95, 0x33, 0x97, 0xee, 0x69, 0x95, 0x37, 0xe1, 0x81, 0xc2, 0xf9,
+	0x71, 0x2f, 0x2b, 0xb6, 0xbf, 0x66, 0xe9, 0x72, 0xf0, 0x04, 0xcc, 0x53, 0xcb, 0xa6, 0x79, 0xea,
+	0x6c, 0xf7, 0x95, 0x53, 0x60, 0xa3, 0x7a, 0x4b, 0x6f, 0x34, 0x95, 0xea, 0xe8, 0x55, 0x18, 0xf2,
+	0x29, 0x44, 0xde, 0xc3, 0xd9, 0xbd, 0x57, 0x64, 0xaa, 0x4b, 0x31, 0x78, 0x8c, 0x05, 0x07, 0xfb,
+	0x77, 0x2c, 0x18, 0x38, 0x81, 0x9e, 0xc0, 0x66, 0x4f, 0x3c, 0x5d, 0xc8, 0x5a, 0xe4, 0x3d, 0x98,
+	0xc7, 0xce, 0xcd, 0x15, 0x99, 0xdb, 0xa1, 0xa0, 0x63, 0xfe, 0x6f, 0x09, 0x46, 0x69, 0x55, 0xd2,
+	0x61, 0xe4, 0x25, 0x18, 0xf7, 0x9d, 0x4d, 0xe2, 0x4b, 0x93, 0x79, 0xf6, 0x10, 0x7b, 0x45, 0x47,
+	0x62, 0x93, 0x96, 0x16, 0xde, 0xd2, 0x6f, 0x0f, 0x84, 0xfe, 0xa2, 0x0a, 0x1b, 0x57, 0x0b, 0xd8,
+	0xa4, 0xa5, 0xe7, 0xa9, 0x9b, 0x4e, 0xd2, 0xdc, 0x11, 0x07, 0x5c, 0xd5, 0xdc, 0xd7, 0x29, 0x10,
+	0x73, 0x1c, 0x55, 0xe0, 0xe4, 0xec, 0xbc, 0x41, 0x22, 0xa6, 0xc0, 0x71, 0xf5, 0x58, 0x29, 0x70,
+	0xd8, 0x44, 0xe3, 0x2c, 0x7d, 0x4e, 0x6c, 0xde, 0x20, 0x73, 0x87, 0xe9, 0x23, 0x36, 0x0f, 0xd5,
+	0x61, 0xc6, 0x0b, 0x9a, 0x7e, 0xdb, 0x25, 0xd7, 0x03, 0xae, 0xdd, 0xf9, 0xde, 0x7b, 0xc4, 0x15,
+	0x0a, 0xb4, 0xf2, 0x5c, 0x5a, 0xcb, 0xa1, 0xc1, 0xb9, 0x25, 0xed, 0x3f, 0x07, 0xa7, 0xae, 0x84,
+	0x8e, 0xbb, 0xe4, 0xf8, 0x4e, 0xd0, 0x24, 0xd1, 0x5a, 0xb0, 0xdd, 0xf3, 0x42, 0x5e, 0xbf, 0x3e,
+	0x2f, 0xf5, 0xba, 0x3e, 0xb7, 0x77, 0x00, 0xe9, 0x15, 0x08, 0x37, 0x30, 0x0c, 0xc3, 0x1e, 0xaf,
+	0x4a, 0x4c, 0xff, 0xc7, 0xf2, 0xb5, 0xeb, 0x8e, 0x96, 0x69, 0x0e, 0x4e, 0x1c, 0x80, 0x25, 0x23,
+	0xfb, 0x45, 0xc8, 0x8d, 0xcd, 0xe8, 0x7d, 0x94, 0xb6, 0x9f, 0x87, 0x69, 0x56, 0xf2, 0x78, 0xc7,
+	0x3c, 0xfb, 0xaf, 0x58, 0x30, 0x79, 0x35, 0x13, 0x4d, 0xfb, 0x28, 0x0c, 0xf1, 0x0c, 0x27, 0x59,
+	0xa3, 0x57, 0x83, 0x41, 0xb1, 0xc0, 0xde, 0x75, 0x9b, 0xcb, 0x0f, 0x2d, 0xa8, 0xa8, 0xd0, 0xf7,
+	0x13, 0x50, 0x6a, 0x97, 0x0d, 0xa5, 0x36, 0xd7, 0x16, 0xa0, 0x9a, 0x53, 0xa4, 0xd3, 0xa2, 0xcb,
+	0x2a, 0x2e, 0xb4, 0x8b, 0x19, 0x20, 0x65, 0xc3, 0xa3, 0x08, 0x27, 0xcc, 0xe0, 0x51, 0x19, 0x29,
+	0xca, 0x6e, 0xc4, 0x15, 0xed, 0x87, 0xe4, 0x46, 0x5c, 0xb5, 0xa7, 0x40, 0xfa, 0xd5, 0xb5, 0x26,
+	0xb3, 0x5d, 0xe1, 0xa7, 0x99, 0xd7, 0x28, 0x5b, 0x9b, 0x2a, 0x1c, 0x7b, 0x4e, 0x78, 0x81, 0x0a,
+	0xe8, 0x11, 0x13, 0x64, 0xe2, 0x1f, 0x4f, 0x53, 0x90, 0x16, 0xb1, 0x2f, 0xc1, 0x64, 0xa6, 0xc3,
+	0xd0, 0xf3, 0x30, 0xd8, 0xda, 0x71, 0x62, 0x92, 0xf1, 0x02, 0x1a, 0xac, 0x53, 0xe0, 0xd1, 0xe1,
+	0xdc, 0x84, 0x2a, 0xc0, 0x20, 0x98, 0x53, 0xdb, 0xff, 0xd3, 0x82, 0x81, 0xab, 0xa1, 0x7b, 0x12,
+	0x93, 0xe9, 0x15, 0x63, 0x32, 0x3d, 0x54, 0x94, 0xe4, 0xa5, 0x70, 0x1e, 0xad, 0x66, 0xe6, 0xd1,
+	0xd9, 0x42, 0x0e, 0xdd, 0xa7, 0xd0, 0x1e, 0x8c, 0xb2, 0xd4, 0x31, 0xc2, 0x2b, 0xe9, 0x59, 0xe3,
+	0x7c, 0x35, 0x97, 0x39, 0x5f, 0x4d, 0x6a, 0xa4, 0xda, 0x29, 0xeb, 0x71, 0x18, 0x16, 0x9e, 0x31,
+	0x59, 0xff, 0x58, 0x41, 0x8b, 0x25, 0xde, 0xfe, 0xd5, 0x32, 0x18, 0xa9, 0x6a, 0xd0, 0xef, 0x5a,
+	0x30, 0x1f, 0xf1, 0x88, 0x20, 0xb7, 0xd6, 0x8e, 0xbc, 0x60, 0xbb, 0xd1, 0xdc, 0x21, 0x6e, 0xdb,
+	0xf7, 0x82, 0xed, 0xb5, 0xed, 0x20, 0x54, 0xe0, 0x95, 0x5b, 0xa4, 0xd9, 0x66, 0x76, 0xf0, 0x1e,
+	0x79, 0x71, 0xd4, 0xcd, 0xf3, 0x85, 0xdb, 0x87, 0x73, 0xf3, 0xf8, 0x58, 0xbc, 0xf1, 0x31, 0xdb,
+	0x82, 0xbe, 0x6d, 0xc1, 0x02, 0xcf, 0xe0, 0xd2, 0x7f, 0xfb, 0xbb, 0x9c, 0x46, 0xeb, 0x92, 0x55,
+	0xca, 0x64, 0x83, 0x44, 0x7b, 0x4b, 0x2f, 0x88, 0x0e, 0x5d, 0xa8, 0x1f, 0xaf, 0x2e, 0x7c, 0xdc,
+	0xc6, 0xd9, 0xff, 0xaa, 0x0c, 0xe3, 0xb4, 0x17, 0xd3, 0x28, 0xf8, 0xe7, 0x8d, 0x29, 0xf1, 0x70,
+	0x66, 0x4a, 0x4c, 0x1b, 0xc4, 0x77, 0x27, 0x00, 0x3e, 0x86, 0x69, 0xdf, 0x89, 0x93, 0x4b, 0xc4,
+	0x89, 0x92, 0x4d, 0xe2, 0xb0, 0xab, 0x5e, 0x31, 0xcd, 0x8f, 0x73, 0x7b, 0xac, 0xcc, 0x5f, 0x57,
+	0xb2, 0xcc, 0x70, 0x27, 0x7f, 0xb4, 0x0f, 0x88, 0x5d, 0x2b, 0x47, 0x4e, 0x10, 0xf3, 0x6f, 0xf1,
+	0x84, 0x8d, 0xfc, 0x78, 0xb5, 0xce, 0x8a, 0x5a, 0xd1, 0x95, 0x0e, 0x6e, 0x38, 0xa7, 0x06, 0xcd,
+	0x5d, 0x60, 0xb0, 0x5f, 0x77, 0x81, 0xa1, 0x1e, 0x4e, 0xe8, 0x7b, 0x30, 0x25, 0x46, 0x65, 0xcb,
+	0xdb, 0x16, 0x9b, 0xf4, 0x1b, 0x19, 0x77, 0x22, 0xab, 0x7f, 0xc7, 0x87, 0x1e, 0xbe, 0x44, 0xf6,
+	0xcf, 0xc1, 0x29, 0x5a, 0x9d, 0xe9, 0x32, 0x1d, 0x23, 0x02, 0x93, 0xbb, 0xed, 0x4d, 0xe2, 0x93,
+	0x44, 0xc2, 0x44, 0xa5, 0xb9, 0x6a, 0xbf, 0x59, 0x3a, 0xd5, 0x2d, 0x2f, 0x9b, 0x2c, 0x70, 0x96,
+	0xa7, 0xfd, 0x6b, 0x16, 0x30, 0xc7, 0xc4, 0x13, 0xd8, 0xfe, 0x3e, 0x65, 0x6e, 0x7f, 0xd5, 0x22,
+	0x09, 0x54, 0xb0, 0xf3, 0x3d, 0xc7, 0x87, 0xa5, 0x1e, 0x85, 0xb7, 0x0e, 0xa4, 0xee, 0xdf, 0x5b,
+	0xe3, 0xfa, 0x3f, 0x16, 0x5f, 0x90, 0x2a, 0x40, 0x12, 0xfd, 0x3c, 0x8c, 0x34, 0x9d, 0x96, 0xd3,
+	0xe4, 0x39, 0xc2, 0x0a, 0xad, 0x3f, 0x46, 0xa1, 0xf9, 0x65, 0x51, 0x82, 0x5b, 0x33, 0x3e, 0x2e,
+	0xbf, 0x52, 0x82, 0x7b, 0x5a, 0x30, 0x54, 0x95, 0xb3, 0xbb, 0x30, 0x6e, 0x30, 0xbb, 0xa7, 0x47,
+	0xdf, 0x9f, 0xe7, 0xdb, 0x85, 0x3a, 0xb1, 0xec, 0xc1, 0x74, 0xa0, 0xfd, 0xa7, 0xc2, 0x51, 0xaa,
+	0xd3, 0x1f, 0xed, 0xb5, 0x21, 0x30, 0x49, 0xaa, 0x39, 0x5e, 0x66, 0xd8, 0xe0, 0x4e, 0xce, 0xf6,
+	0xdf, 0xb1, 0xe0, 0x7e, 0x9d, 0x50, 0x8b, 0x5d, 0xed, 0x65, 0x4f, 0xae, 0xc1, 0x48, 0xd8, 0x22,
+	0x91, 0x93, 0x9e, 0xc9, 0xce, 0xcb, 0x4e, 0xbf, 0x26, 0xe0, 0x47, 0x87, 0x73, 0x33, 0x3a, 0x77,
+	0x09, 0xc7, 0xaa, 0x24, 0xb2, 0x61, 0x88, 0x75, 0x46, 0x2c, 0xe2, 0x8a, 0x59, 0x1e, 0x2d, 0x76,
+	0xdd, 0x15, 0x63, 0x81, 0xb1, 0x7f, 0xc1, 0xe2, 0x13, 0x4b, 0x6f, 0x3a, 0x7a, 0x17, 0xa6, 0xf6,
+	0xe8, 0xf1, 0x6d, 0xe5, 0x56, 0x2b, 0xe2, 0x66, 0x74, 0xd9, 0x4f, 0x4f, 0xf6, 0xea, 0x27, 0xed,
+	0x23, 0x97, 0xaa, 0xa2, 0xcd, 0x53, 0xeb, 0x19, 0x66, 0xb8, 0x83, 0xbd, 0xfd, 0xa7, 0x25, 0xbe,
+	0x12, 0x99, 0x56, 0xf7, 0x38, 0x0c, 0xb7, 0x42, 0x77, 0x79, 0xad, 0x86, 0x45, 0x0f, 0x29, 0x71,
+	0x55, 0xe7, 0x60, 0x2c, 0xf1, 0xe8, 0x02, 0x00, 0xb9, 0x95, 0x90, 0x28, 0x70, 0x7c, 0x75, 0x19,
+	0xaf, 0x94, 0xa7, 0x15, 0x85, 0xc1, 0x1a, 0x15, 0x2d, 0xd3, 0x8a, 0xc2, 0x7d, 0xcf, 0x65, 0x81,
+	0x1d, 0x65, 0xb3, 0x4c, 0x5d, 0x61, 0xb0, 0x46, 0x45, 0x8f, 0xca, 0xed, 0x20, 0xe6, 0x1b, 0xa0,
+	0xb3, 0x29, 0x52, 0xf1, 0x8c, 0xa4, 0x47, 0xe5, 0xeb, 0x3a, 0x12, 0x9b, 0xb4, 0x68, 0x11, 0x86,
+	0x12, 0x87, 0x5d, 0x31, 0x0f, 0x16, 0xbb, 0xec, 0x6c, 0x50, 0x0a, 0x3d, 0x69, 0x14, 0x2d, 0x80,
+	0x45, 0x41, 0xf4, 0xa6, 0x14, 0xc1, 0x5c, 0x24, 0x0b, 0xd7, 0xab, 0xc2, 0x69, 0xab, 0x8b, 0x6f,
+	0x5d, 0x06, 0x0b, 0x97, 0x2e, 0x83, 0x97, 0xfd, 0xf9, 0x0a, 0x40, 0xaa, 0xed, 0xa1, 0xf7, 0x3a,
+	0x44, 0xc4, 0x53, 0xdd, 0xf5, 0xc3, 0xbb, 0x27, 0x1f, 0xd0, 0x17, 0x2c, 0x18, 0x75, 0x7c, 0x3f,
+	0x6c, 0x3a, 0x09, 0xeb, 0xe5, 0x52, 0x77, 0x11, 0x25, 0xea, 0x5f, 0x4c, 0x4b, 0xf0, 0x26, 0x3c,
+	0x2b, 0x6f, 0x8f, 0x35, 0x4c, 0xcf, 0x56, 0xe8, 0x15, 0xa3, 0x8f, 0xcb, 0x43, 0x00, 0x9f, 0x1e,
+	0xb3, 0xd9, 0x43, 0x40, 0x85, 0x49, 0x63, 0x4d, 0xff, 0x47, 0xd7, 0x8d, 0x9c, 0x35, 0x03, 0xc5,
+	0xe1, 0xb9, 0x86, 0xd2, 0xd3, 0x2b, 0x5d, 0x0d, 0xaa, 0xeb, 0x2e, 0xe8, 0x83, 0xc5, 0x31, 0xec,
+	0x9a, 0x76, 0xdd, 0xc3, 0xfd, 0xfc, 0x1d, 0x98, 0x74, 0xcd, 0xed, 0x56, 0xcc, 0xa6, 0xc7, 0x8a,
+	0xf8, 0x66, 0x76, 0xe7, 0x74, 0x83, 0xcd, 0x20, 0x70, 0x96, 0x31, 0xaa, 0xf3, 0x60, 0x80, 0xb5,
+	0x60, 0x2b, 0x14, 0x2e, 0x7c, 0x76, 0xe1, 0x58, 0x1e, 0xc4, 0x09, 0xd9, 0xa3, 0x94, 0xe9, 0x3e,
+	0x7a, 0x55, 0x94, 0xc5, 0x8a, 0x0b, 0x7a, 0x15, 0x86, 0x58, 0x84, 0x56, 0x5c, 0x1d, 0x29, 0xb6,
+	0x03, 0x9a, 0xc1, 0xc5, 0xe9, 0xa2, 0x62, 0x7f, 0x63, 0x2c, 0x38, 0xa0, 0x4b, 0x32, 0x45, 0x40,
+	0xbc, 0x16, 0x5c, 0x8f, 0x09, 0x4b, 0x11, 0x50, 0x59, 0xfa, 0x68, 0x1a, 0xfd, 0xcf, 0xe1, 0xb9,
+	0xe9, 0x21, 0x8d, 0x92, 0x54, 0x5f, 0x11, 0xff, 0x65, 0xd6, 0xc9, 0x2a, 0x14, 0x37, 0xcf, 0xcc,
+	0x4c, 0x99, 0x76, 0xe7, 0x0d, 0x93, 0x05, 0xce, 0xf2, 0x3c, 0xd1, 0xed, 0x73, 0x36, 0x80, 0xa9,
+	0xec, 0xc2, 0xba, 0xa7, 0xdb, 0xf5, 0xf7, 0x07, 0x60, 0xc2, 0x9c, 0x08, 0x68, 0x01, 0x2a, 0x82,
+	0x89, 0x4a, 0x17, 0xa6, 0xe6, 0xf6, 0xba, 0x44, 0xe0, 0x94, 0x86, 0xa5, 0x4b, 0x63, 0xc5, 0x35,
+	0xdf, 0xac, 0x34, 0x5d, 0x9a, 0xc2, 0x60, 0x8d, 0x8a, 0x2a, 0xd1, 0x9b, 0x61, 0x98, 0xa8, 0xad,
+	0x40, 0xcd, 0x96, 0x25, 0x06, 0xc5, 0x02, 0x4b, 0xb7, 0x80, 0x5d, 0x12, 0x05, 0xc4, 0x37, 0x2d,
+	0x99, 0x6a, 0x0b, 0xb8, 0xac, 0x23, 0xb1, 0x49, 0x4b, 0xb7, 0xb4, 0x30, 0x66, 0xd3, 0x4f, 0xa8,
+	0xea, 0xa9, 0xaf, 0x5b, 0x83, 0x47, 0x28, 0x4a, 0x3c, 0x7a, 0x03, 0xee, 0x57, 0x01, 0x85, 0x98,
+	0x5b, 0x86, 0x65, 0x8d, 0x43, 0xc6, 0xc9, 0xfa, 0xfe, 0xe5, 0x7c, 0x32, 0x5c, 0x54, 0x1e, 0xbd,
+	0x02, 0x13, 0x42, 0x05, 0x96, 0x1c, 0x87, 0x4d, 0x67, 0x85, 0xcb, 0x06, 0x16, 0x67, 0xa8, 0x51,
+	0x0d, 0xa6, 0x28, 0x84, 0x69, 0xa1, 0x92, 0x03, 0x0f, 0x8c, 0x54, 0x7b, 0xfd, 0xe5, 0x0c, 0x1e,
+	0x77, 0x94, 0x40, 0x8b, 0x30, 0xc9, 0x75, 0x14, 0x7a, 0xa6, 0x64, 0xe3, 0x20, 0x3c, 0x6b, 0xd5,
+	0x42, 0xb8, 0x66, 0xa2, 0x71, 0x96, 0x1e, 0xbd, 0x08, 0x63, 0x4e, 0xd4, 0xdc, 0xf1, 0x12, 0xd2,
+	0x4c, 0xda, 0x11, 0x4f, 0xc0, 0xa1, 0x79, 0x7b, 0x2c, 0x6a, 0x38, 0x6c, 0x50, 0xda, 0xef, 0xc1,
+	0xa9, 0x1c, 0xa7, 0x7c, 0x3a, 0x71, 0x9c, 0x96, 0x27, 0xbf, 0x29, 0xe3, 0xb5, 0xb6, 0x58, 0x5f,
+	0x93, 0x5f, 0xa3, 0x51, 0xd1, 0xd9, 0xc9, 0x4c, 0xe2, 0x5a, 0x6a, 0x58, 0x35, 0x3b, 0x57, 0x25,
+	0x02, 0xa7, 0x34, 0xf6, 0x1f, 0x00, 0x68, 0x06, 0x9d, 0x3e, 0x7c, 0x96, 0x5e, 0x84, 0x31, 0x99,
+	0xcf, 0x58, 0xcb, 0xa3, 0xa9, 0x3e, 0xf3, 0xa2, 0x86, 0xc3, 0x06, 0x25, 0x6d, 0x5b, 0xa0, 0xb2,
+	0x80, 0x66, 0x7c, 0xe4, 0xd2, 0x1c, 0xa0, 0x29, 0x0d, 0x7a, 0x0a, 0x46, 0x62, 0xe2, 0x6f, 0x5d,
+	0xf1, 0x82, 0x5d, 0x31, 0xb1, 0x95, 0x14, 0x6e, 0x08, 0x38, 0x56, 0x14, 0x68, 0x09, 0xca, 0x6d,
+	0xcf, 0x15, 0x53, 0x59, 0x6e, 0xf8, 0xe5, 0xeb, 0x6b, 0xb5, 0xa3, 0xc3, 0xb9, 0x87, 0x8b, 0xd2,
+	0x34, 0xd3, 0xa3, 0x7d, 0x3c, 0x4f, 0x97, 0x1f, 0x2d, 0x9c, 0x77, 0x37, 0x30, 0x74, 0xcc, 0xbb,
+	0x81, 0x0b, 0x00, 0xe2, 0xab, 0xe5, 0x5c, 0x2e, 0xa7, 0xa3, 0x76, 0x51, 0x61, 0xb0, 0x46, 0x85,
+	0x62, 0x98, 0x6e, 0x46, 0xc4, 0x91, 0x67, 0x68, 0xee, 0x5e, 0x3e, 0x72, 0xe7, 0x06, 0x82, 0xe5,
+	0x2c, 0x33, 0xdc, 0xc9, 0x1f, 0x85, 0x30, 0xed, 0x8a, 0xf8, 0xd5, 0xb4, 0xd2, 0xca, 0xf1, 0x7d,
+	0xda, 0x99, 0x43, 0x4e, 0x96, 0x11, 0xee, 0xe4, 0x8d, 0xde, 0x86, 0x59, 0x09, 0xec, 0x0c, 0x19,
+	0x66, 0xcb, 0xa5, 0xbc, 0x74, 0xf6, 0xf6, 0xe1, 0xdc, 0x6c, 0xad, 0x90, 0x0a, 0x77, 0xe1, 0x80,
+	0x30, 0x0c, 0xb1, 0xbb, 0xa4, 0xb8, 0x3a, 0xca, 0xf6, 0xb9, 0x27, 0x8a, 0x8d, 0x01, 0x74, 0xae,
+	0xcf, 0xb3, 0x7b, 0x28, 0xe1, 0xe6, 0x9b, 0x5e, 0xcb, 0x31, 0x20, 0x16, 0x9c, 0xd0, 0x16, 0x8c,
+	0x3a, 0x41, 0x10, 0x26, 0x0e, 0x57, 0xa1, 0xc6, 0x8a, 0x75, 0x3f, 0x8d, 0xf1, 0x62, 0x5a, 0x82,
+	0x73, 0x57, 0x9e, 0x83, 0x1a, 0x06, 0xeb, 0x8c, 0xd1, 0x4d, 0x98, 0x0c, 0x6f, 0x52, 0xe1, 0x28,
+	0xad, 0x14, 0x71, 0x75, 0x9c, 0xd5, 0xf5, 0x5c, 0x9f, 0x76, 0x5a, 0xa3, 0xb0, 0x26, 0xb5, 0x4c,
+	0xa6, 0x38, 0x5b, 0x0b, 0x9a, 0x37, 0xac, 0xd5, 0x13, 0xa9, 0x3f, 0x7b, 0x6a, 0xad, 0xd6, 0x8d,
+	0xd3, 0x2c, 0x04, 0x9d, 0xbb, 0xad, 0xb2, 0xd5, 0x3f, 0x99, 0x09, 0x41, 0x4f, 0x51, 0x58, 0xa7,
+	0x43, 0x3b, 0x30, 0x96, 0x5e, 0x59, 0x45, 0x31, 0xcb, 0x50, 0x33, 0x7a, 0xe1, 0x42, 0x7f, 0x1f,
+	0xb7, 0xa6, 0x95, 0xe4, 0x27, 0x07, 0x1d, 0x82, 0x0d, 0xce, 0xb3, 0x3f, 0x05, 0xa3, 0xda, 0xc0,
+	0x1e, 0xc7, 0x2b, 0x7b, 0xf6, 0x15, 0x98, 0xca, 0x0e, 0xdd, 0xb1, 0xbc, 0xba, 0xff, 0x77, 0x09,
+	0x26, 0x73, 0x6e, 0xae, 0x58, 0xaa, 0xe7, 0x8c, 0x40, 0x4d, 0x33, 0x3b, 0x9b, 0x62, 0xb1, 0xd4,
+	0x87, 0x58, 0x94, 0x32, 0xba, 0x5c, 0x28, 0xa3, 0x85, 0x28, 0x1c, 0x78, 0x3f, 0xa2, 0xd0, 0xdc,
+	0x7d, 0x06, 0xfb, 0xda, 0x7d, 0xee, 0x82, 0xf8, 0x34, 0x36, 0xb0, 0xe1, 0x3e, 0x36, 0xb0, 0x2f,
+	0x95, 0x60, 0x2a, 0x9b, 0x4f, 0xf8, 0x04, 0xee, 0x3b, 0x5e, 0x35, 0xee, 0x3b, 0xf2, 0x13, 0xa7,
+	0x67, 0xb3, 0x1c, 0x17, 0xdd, 0x7d, 0xe0, 0xcc, 0xdd, 0xc7, 0x13, 0x7d, 0x71, 0xeb, 0x7e, 0x0f,
+	0xf2, 0x77, 0x4b, 0x70, 0x3a, 0x5b, 0x64, 0xd9, 0x77, 0xbc, 0xbd, 0x13, 0xe8, 0x9b, 0x6b, 0x46,
+	0xdf, 0x3c, 0xdd, 0xcf, 0xd7, 0xb0, 0xa6, 0x15, 0x76, 0xd0, 0xeb, 0x99, 0x0e, 0x5a, 0xe8, 0x9f,
+	0x65, 0xf7, 0x5e, 0xfa, 0x4e, 0x19, 0xce, 0xe6, 0x96, 0x4b, 0xaf, 0x0b, 0x56, 0x8d, 0xeb, 0x82,
+	0x0b, 0x99, 0xeb, 0x02, 0xbb, 0x7b, 0xe9, 0xbb, 0x73, 0x7f, 0x20, 0x22, 0xcf, 0x58, 0xf6, 0xb4,
+	0x3b, 0xbc, 0x3b, 0x30, 0x22, 0xcf, 0x14, 0x23, 0x6c, 0xf2, 0xfd, 0x71, 0xba, 0x33, 0xf8, 0x03,
+	0x0b, 0x1e, 0xc8, 0x1d, 0x9b, 0x13, 0xb0, 0xab, 0x5f, 0x35, 0xed, 0xea, 0x8f, 0xf7, 0x3d, 0x5b,
+	0x0b, 0x0c, 0xed, 0x5f, 0x29, 0x17, 0x7c, 0x0b, 0xb3, 0x4c, 0x5e, 0x83, 0x51, 0xa7, 0xd9, 0x24,
+	0x71, 0xbc, 0x1e, 0xba, 0x2a, 0x59, 0xd9, 0xd3, 0x4c, 0xdb, 0x48, 0xc1, 0x47, 0x87, 0x73, 0xb3,
+	0x59, 0x16, 0x29, 0x1a, 0xeb, 0x1c, 0xcc, 0x04, 0x88, 0xa5, 0xbb, 0x9a, 0x00, 0xf1, 0x02, 0xc0,
+	0xbe, 0xb2, 0x57, 0x64, 0xcd, 0x9c, 0x9a, 0x25, 0x43, 0xa3, 0x42, 0x3f, 0xcb, 0x4e, 0x01, 0xdc,
+	0x19, 0x88, 0x4f, 0xc5, 0x67, 0xfb, 0x1c, 0x2b, 0xdd, 0xb1, 0x88, 0x87, 0x38, 0x2b, 0x93, 0xb0,
+	0x62, 0x89, 0x7e, 0x06, 0xa6, 0x62, 0x9e, 0x41, 0x63, 0xd9, 0x77, 0x62, 0x16, 0x58, 0x23, 0x66,
+	0x21, 0x8b, 0x5b, 0x6e, 0x64, 0x70, 0xb8, 0x83, 0xda, 0xfe, 0xd2, 0x00, 0x3c, 0xd8, 0x45, 0xf8,
+	0xa0, 0x45, 0xf3, 0xf2, 0xfe, 0xc9, 0xac, 0xdd, 0x6e, 0x36, 0xb7, 0xb0, 0x61, 0xc8, 0xcb, 0x8c,
+	0x71, 0xe9, 0x7d, 0x8f, 0xf1, 0x17, 0x2d, 0xcd, 0xa2, 0xca, 0x5d, 0x7c, 0x3f, 0x75, 0x4c, 0xa1,
+	0x7a, 0x17, 0x4d, 0xac, 0x5b, 0x39, 0x76, 0xca, 0x0b, 0x7d, 0x37, 0xa7, 0x6f, 0xc3, 0xe5, 0xc9,
+	0x5e, 0xf5, 0x7c, 0xce, 0x82, 0x87, 0x73, 0xdb, 0x6b, 0x38, 0x1b, 0x2d, 0x40, 0xa5, 0x49, 0x81,
+	0x5a, 0x90, 0x5d, 0x1a, 0xea, 0x2a, 0x11, 0x38, 0xa5, 0x31, 0x7c, 0x8a, 0x4a, 0x3d, 0x7d, 0x8a,
+	0xfe, 0xa5, 0x05, 0x33, 0xd9, 0x46, 0x9c, 0x80, 0x04, 0x5c, 0x33, 0x25, 0xe0, 0x47, 0xfb, 0x19,
+	0xcb, 0x02, 0xe1, 0xf7, 0x83, 0x09, 0xb8, 0xaf, 0xe0, 0xbd, 0x88, 0x7d, 0x98, 0xde, 0x6e, 0x12,
+	0x33, 0x7c, 0x51, 0x7c, 0x4c, 0x6e, 0xa4, 0x67, 0xd7, 0x58, 0x47, 0x7e, 0x90, 0xed, 0x20, 0xc1,
+	0x9d, 0x55, 0xa0, 0xcf, 0x59, 0x30, 0xe3, 0xdc, 0x8c, 0x3b, 0xde, 0x6f, 0x12, 0x73, 0xe6, 0xb9,
+	0x5c, 0xfb, 0x6a, 0x8f, 0xf7, 0x9e, 0x58, 0x88, 0xd1, 0x4c, 0x1e, 0x15, 0xce, 0xad, 0x0b, 0x61,
+	0x91, 0x17, 0x92, 0xea, 0xc9, 0x5d, 0x02, 0x6c, 0xf3, 0xc2, 0x9f, 0xb8, 0x2c, 0x94, 0x18, 0xac,
+	0xf8, 0xa0, 0x1b, 0x50, 0xd9, 0x96, 0x31, 0x89, 0x42, 0xd6, 0xe6, 0x6e, 0x5e, 0xb9, 0x81, 0x8b,
+	0x3c, 0xe6, 0x43, 0xa1, 0x70, 0xca, 0x0a, 0xbd, 0x02, 0xe5, 0x60, 0x2b, 0xee, 0xf6, 0x60, 0x46,
+	0xc6, 0x07, 0x8f, 0x47, 0x4a, 0x5f, 0x5d, 0x6d, 0x60, 0x5a, 0x90, 0x96, 0x8f, 0x36, 0x5d, 0x71,
+	0x25, 0x90, 0x5b, 0x1e, 0x2f, 0xd5, 0x3a, 0xcb, 0xe3, 0xa5, 0x1a, 0xa6, 0x05, 0xd1, 0x2a, 0x0c,
+	0xb2, 0x10, 0x27, 0x61, 0xef, 0xcf, 0xcd, 0xf4, 0xd0, 0x11, 0xbe, 0xc5, 0x43, 0xa7, 0x19, 0x18,
+	0xf3, 0xe2, 0xe8, 0x55, 0x18, 0x6a, 0xb2, 0xf7, 0x23, 0x84, 0x71, 0x26, 0x3f, 0x7b, 0x49, 0xc7,
+	0x0b, 0x13, 0xfc, 0x96, 0x93, 0xc3, 0xb1, 0xe0, 0x80, 0x36, 0x60, 0xa8, 0x49, 0x5a, 0x3b, 0x5b,
+	0xb1, 0xb0, 0xb9, 0x7c, 0x3c, 0x97, 0x57, 0x97, 0xe7, 0x52, 0x04, 0x57, 0x46, 0x81, 0x05, 0x2f,
+	0xf4, 0x49, 0x28, 0x6d, 0x35, 0x45, 0xb4, 0x53, 0xae, 0x9d, 0xdf, 0x0c, 0x67, 0x5f, 0x1a, 0xba,
+	0x7d, 0x38, 0x57, 0x5a, 0x5d, 0xc6, 0xa5, 0xad, 0x26, 0xba, 0x0a, 0xc3, 0x5b, 0x3c, 0x26, 0x59,
+	0xe4, 0xf9, 0x7d, 0x2c, 0x3f, 0x5c, 0xba, 0x23, 0x6c, 0x99, 0x47, 0xe9, 0x08, 0x04, 0x96, 0x4c,
+	0xd0, 0x06, 0xc0, 0x96, 0x8a, 0xad, 0x16, 0x89, 0x7e, 0x3f, 0xda, 0x4f, 0x04, 0xb6, 0x30, 0x40,
+	0x28, 0x28, 0xd6, 0xf8, 0xa0, 0xcf, 0x42, 0xc5, 0x91, 0x2f, 0x02, 0xb1, 0x24, 0xbf, 0xa6, 0x3e,
+	0x90, 0x2e, 0xb8, 0xee, 0x8f, 0x25, 0xf1, 0xd9, 0xaa, 0x88, 0x70, 0xca, 0x14, 0xed, 0xc2, 0xf8,
+	0x7e, 0xdc, 0xda, 0x21, 0x72, 0x81, 0xb2, 0xcc, 0xbf, 0x05, 0x1b, 0xd2, 0x0d, 0x41, 0xe8, 0x45,
+	0x49, 0xdb, 0xf1, 0x3b, 0x64, 0x0a, 0x0b, 0xe9, 0xba, 0xa1, 0x33, 0xc3, 0x26, 0x6f, 0xda, 0xe9,
+	0xef, 0xb6, 0xc3, 0xcd, 0x83, 0x84, 0x88, 0x7c, 0xc0, 0xb9, 0x9d, 0xfe, 0x1a, 0x27, 0xe9, 0xec,
+	0x74, 0x81, 0xc0, 0x92, 0x09, 0x5d, 0xc2, 0x8e, 0x7c, 0x6d, 0x4b, 0x58, 0x59, 0x1e, 0x2f, 0xec,
+	0x9e, 0x8e, 0xf6, 0xa6, 0x9d, 0xc2, 0x64, 0x5f, 0xca, 0x8a, 0xc9, 0xbc, 0xd6, 0x4e, 0x98, 0x84,
+	0x41, 0x46, 0xde, 0x4e, 0x17, 0xcb, 0xbc, 0x7a, 0x0e, 0x7d, 0xa7, 0xcc, 0xcb, 0xa3, 0xc2, 0xb9,
+	0x75, 0x21, 0x17, 0x26, 0x5a, 0x61, 0x94, 0xdc, 0x0c, 0x23, 0x39, 0xab, 0x50, 0x97, 0xe3, 0xb7,
+	0x41, 0x29, 0x6a, 0x64, 0x1e, 0xda, 0x26, 0x06, 0x67, 0x78, 0xa2, 0x4f, 0xc3, 0x70, 0xdc, 0x74,
+	0x7c, 0xb2, 0x76, 0xad, 0x7a, 0xaa, 0x78, 0x33, 0x69, 0x70, 0x92, 0x82, 0xd9, 0xc5, 0x06, 0x47,
+	0x90, 0x60, 0xc9, 0x8e, 0xca, 0x21, 0x96, 0x64, 0x9e, 0xa5, 0x32, 0x2e, 0x90, 0x43, 0x1d, 0x5e,
+	0xcc, 0x5c, 0x0e, 0x31, 0x30, 0xe6, 0xc5, 0xe9, 0x1a, 0x10, 0x5a, 0x68, 0x18, 0x57, 0x4f, 0x17,
+	0xaf, 0x01, 0xa1, 0xbc, 0x5e, 0x6b, 0x74, 0x5b, 0x03, 0x8a, 0x08, 0xa7, 0x4c, 0xed, 0x6f, 0x0c,
+	0x75, 0xea, 0x0d, 0xec, 0xb4, 0xf1, 0x79, 0xab, 0xe3, 0x2a, 0xfe, 0x13, 0xfd, 0x1a, 0x3f, 0xee,
+	0xa2, 0xc6, 0xf8, 0x39, 0x0b, 0xee, 0x6b, 0xe5, 0x7e, 0x94, 0xd8, 0x84, 0xfb, 0xb3, 0xa1, 0xf0,
+	0x6e, 0x50, 0x49, 0xc2, 0xf3, 0xf1, 0xb8, 0xa0, 0xa6, 0xac, 0x56, 0x5e, 0x7e, 0xdf, 0x5a, 0xf9,
+	0x3a, 0x8c, 0x30, 0x45, 0x2f, 0x4d, 0x4a, 0xd4, 0x97, 0x43, 0x1b, 0xdb, 0xce, 0x97, 0x45, 0x41,
+	0xac, 0x58, 0xa0, 0x5f, 0xb4, 0xe0, 0x4c, 0xb6, 0xe9, 0x98, 0x30, 0xb4, 0x48, 0x70, 0xc9, 0x0f,
+	0x3a, 0xab, 0xe2, 0xfb, 0xcf, 0xd4, 0xbb, 0x11, 0x1f, 0xf5, 0x22, 0xc0, 0xdd, 0x2b, 0x43, 0xb5,
+	0x9c, 0x93, 0xd6, 0x90, 0x79, 0x53, 0xd7, 0xfb, 0xb4, 0x85, 0x9e, 0x83, 0xb1, 0xbd, 0xb0, 0x1d,
+	0xc8, 0x68, 0x13, 0x11, 0x4b, 0xcc, 0xac, 0xc2, 0xeb, 0x1a, 0x1c, 0x1b, 0x54, 0x27, 0xab, 0xf9,
+	0x7f, 0xd5, 0xca, 0x51, 0x59, 0xf9, 0x59, 0xf0, 0x65, 0xf3, 0x2c, 0xf8, 0x68, 0xf6, 0x2c, 0xd8,
+	0x61, 0xb3, 0x33, 0x8e, 0x81, 0xfd, 0x27, 0xee, 0xed, 0x37, 0x6b, 0x93, 0xed, 0xc3, 0xb9, 0x5e,
+	0x62, 0x9a, 0x39, 0xf5, 0xb9, 0xea, 0xb6, 0x3b, 0x75, 0xea, 0x73, 0xd7, 0x6a, 0x98, 0x61, 0xfa,
+	0xcd, 0xff, 0x61, 0xff, 0x77, 0x0b, 0xca, 0xf5, 0xd0, 0x3d, 0x01, 0x1b, 0xe4, 0xa7, 0x0c, 0x1b,
+	0xe4, 0x83, 0x05, 0xaf, 0x78, 0x16, 0x5a, 0x1c, 0x57, 0x32, 0x16, 0xc7, 0x33, 0x45, 0x0c, 0xba,
+	0xdb, 0x17, 0xff, 0x5e, 0x19, 0xf4, 0x37, 0x47, 0xd1, 0xbf, 0xbe, 0x13, 0xef, 0xf0, 0x72, 0xb7,
+	0x67, 0x48, 0x05, 0x67, 0xe6, 0x0b, 0x28, 0x03, 0x4f, 0x7f, 0xc4, 0x9c, 0xc4, 0x5f, 0x27, 0xde,
+	0xf6, 0x4e, 0x42, 0xdc, 0xec, 0xe7, 0x9c, 0x9c, 0x93, 0xf8, 0x7f, 0xb1, 0x60, 0x32, 0x53, 0x3b,
+	0xf2, 0xf3, 0xa2, 0xd8, 0xee, 0xd0, 0xf6, 0x34, 0xdd, 0x33, 0xec, 0x6d, 0x1e, 0x40, 0x5d, 0xf0,
+	0x48, 0xfb, 0x0e, 0xd3, 0x82, 0xd5, 0x0d, 0x50, 0x8c, 0x35, 0x0a, 0xf4, 0x3c, 0x8c, 0x26, 0x61,
+	0x2b, 0xf4, 0xc3, 0xed, 0x83, 0xcb, 0x44, 0x66, 0x9c, 0x51, 0xd7, 0x70, 0x1b, 0x29, 0x0a, 0xeb,
+	0x74, 0xf6, 0xaf, 0x97, 0x21, 0xfb, 0x4e, 0xed, 0x4f, 0xe6, 0xe4, 0x87, 0x73, 0x4e, 0x7e, 0xc7,
+	0x82, 0x29, 0x5a, 0x3b, 0xf3, 0xb3, 0x92, 0xee, 0xd5, 0xea, 0x85, 0x0f, 0xab, 0xcb, 0x0b, 0x1f,
+	0x8f, 0x52, 0xd9, 0xe5, 0x86, 0xed, 0x44, 0xd8, 0x87, 0x34, 0xe1, 0x44, 0xa1, 0x58, 0x60, 0x05,
+	0x1d, 0x89, 0x22, 0x11, 0x9b, 0xa6, 0xd3, 0x91, 0x28, 0xc2, 0x02, 0x2b, 0x1f, 0x00, 0x19, 0x28,
+	0x78, 0x00, 0x84, 0x25, 0x6b, 0x13, 0xbe, 0x3d, 0x42, 0xa1, 0xd0, 0x92, 0xb5, 0x49, 0xa7, 0x9f,
+	0x94, 0xc6, 0xfe, 0x5a, 0x19, 0xc6, 0xea, 0xa1, 0x9b, 0x5e, 0xb1, 0x3c, 0x67, 0x5c, 0xb1, 0x9c,
+	0xcb, 0x5c, 0xb1, 0x4c, 0xe9, 0xb4, 0x3f, 0xb9, 0x50, 0xf9, 0xa0, 0x2e, 0x54, 0xfe, 0xcc, 0x82,
+	0x89, 0x7a, 0xe8, 0xd2, 0x09, 0xfa, 0xe3, 0x34, 0x1b, 0xf5, 0x54, 0x80, 0x43, 0x5d, 0x52, 0x01,
+	0xfe, 0x7d, 0x0b, 0x86, 0xeb, 0xa1, 0x7b, 0x02, 0xb6, 0xd3, 0x97, 0x4d, 0xdb, 0xe9, 0xfd, 0x05,
+	0x52, 0xb6, 0xc0, 0x5c, 0xfa, 0xf5, 0x32, 0x8c, 0xd3, 0x76, 0x86, 0xdb, 0x72, 0x94, 0x8c, 0x1e,
+	0xb1, 0xfa, 0xe8, 0x11, 0xaa, 0xcc, 0x85, 0xbe, 0x1f, 0xde, 0xcc, 0x8e, 0xd8, 0x2a, 0x83, 0x62,
+	0x81, 0x45, 0x4f, 0xc1, 0x48, 0x2b, 0x22, 0xfb, 0x5e, 0xd8, 0x8e, 0xb3, 0xd1, 0xad, 0x75, 0x01,
+	0xc7, 0x8a, 0x82, 0xea, 0xed, 0xb1, 0x17, 0x34, 0x89, 0xf4, 0xf7, 0x19, 0x60, 0xfe, 0x3e, 0x3c,
+	0x9b, 0xaa, 0x06, 0xc7, 0x06, 0x15, 0x7a, 0x1d, 0x2a, 0xec, 0x3f, 0x5b, 0x37, 0xc7, 0x7f, 0xdf,
+	0x43, 0xa4, 0x30, 0x17, 0x0c, 0x70, 0xca, 0x0b, 0x5d, 0x00, 0x48, 0xa4, 0x67, 0x52, 0x2c, 0x82,
+	0xaf, 0x95, 0x46, 0xa9, 0x7c, 0x96, 0x62, 0xac, 0x51, 0xa1, 0x27, 0xa1, 0x92, 0x38, 0x9e, 0x7f,
+	0xc5, 0x0b, 0x48, 0x2c, 0x3c, 0xbb, 0x44, 0x86, 0x72, 0x01, 0xc4, 0x29, 0x9e, 0xee, 0xe8, 0x2c,
+	0xb4, 0x9f, 0xbf, 0x0e, 0x34, 0xc2, 0xa8, 0xd9, 0x8e, 0x7e, 0x45, 0x41, 0xb1, 0x46, 0x61, 0xbf,
+	0x08, 0xa7, 0xeb, 0xa1, 0x5b, 0x0f, 0xa3, 0x64, 0x35, 0x8c, 0x6e, 0x3a, 0x91, 0x2b, 0xc7, 0x6f,
+	0x4e, 0x26, 0xcb, 0xa6, 0xbb, 0xee, 0x20, 0xb7, 0x06, 0x18, 0x69, 0xb0, 0x9f, 0x65, 0x7b, 0xfa,
+	0x31, 0xc3, 0x70, 0xfe, 0x5d, 0x09, 0x50, 0x9d, 0xf9, 0x4e, 0x19, 0x4f, 0x48, 0xbd, 0x0d, 0x13,
+	0x31, 0xb9, 0xe2, 0x05, 0xed, 0x5b, 0xf2, 0x7c, 0xd5, 0x25, 0xc6, 0xa9, 0xb1, 0xa2, 0x53, 0x72,
+	0xdb, 0x8a, 0x09, 0xc3, 0x19, 0x6e, 0xb4, 0x0b, 0xa3, 0x76, 0xb0, 0x18, 0x5f, 0x8f, 0x49, 0x24,
+	0x9e, 0x4c, 0x62, 0x5d, 0x88, 0x25, 0x10, 0xa7, 0x78, 0x3a, 0x65, 0xd8, 0x9f, 0xab, 0x61, 0x80,
+	0xc3, 0x30, 0x91, 0x93, 0x8c, 0x3d, 0xba, 0xa1, 0xc1, 0xb1, 0x41, 0x85, 0x56, 0x01, 0xc5, 0xed,
+	0x56, 0xcb, 0x67, 0x17, 0x92, 0x8e, 0x7f, 0x31, 0x0a, 0xdb, 0x2d, 0x7e, 0xa9, 0x24, 0xde, 0xab,
+	0x68, 0x74, 0x60, 0x71, 0x4e, 0x09, 0x2a, 0x18, 0xb6, 0x62, 0xf6, 0x5b, 0x44, 0xf7, 0x73, 0x2b,
+	0x67, 0x83, 0x81, 0xb0, 0xc4, 0xd9, 0x3f, 0xcf, 0x36, 0x33, 0xf6, 0xd2, 0x4d, 0xd2, 0x8e, 0x08,
+	0xda, 0x83, 0xf1, 0x16, 0xdb, 0xb0, 0x92, 0x28, 0xf4, 0x7d, 0x22, 0xf5, 0xc6, 0x3b, 0xf3, 0xe3,
+	0xe2, 0x2f, 0x5f, 0xe8, 0xec, 0xb0, 0xc9, 0xdd, 0xfe, 0xfc, 0x24, 0x93, 0x4b, 0x0d, 0x7e, 0x68,
+	0x19, 0x16, 0xde, 0xd9, 0x42, 0x43, 0x9b, 0x2d, 0x7e, 0x59, 0x2e, 0x95, 0xf4, 0xc2, 0xc3, 0x1b,
+	0xcb, 0xb2, 0xe8, 0x35, 0x76, 0x1b, 0xc7, 0x85, 0x41, 0xaf, 0x37, 0x2d, 0x39, 0x95, 0x71, 0xf1,
+	0x26, 0x0a, 0x62, 0x8d, 0x09, 0xba, 0x02, 0xe3, 0xe2, 0x61, 0x14, 0x61, 0x78, 0x28, 0x1b, 0xc7,
+	0xdf, 0x71, 0xac, 0x23, 0x8f, 0xb2, 0x00, 0x6c, 0x16, 0x46, 0xdb, 0x70, 0x46, 0x7b, 0xc6, 0x2b,
+	0xc7, 0x97, 0x90, 0xcb, 0x96, 0x87, 0x6f, 0x1f, 0xce, 0x9d, 0xd9, 0xe8, 0x46, 0x88, 0xbb, 0xf3,
+	0x41, 0xd7, 0xe0, 0xb4, 0xd3, 0x4c, 0xbc, 0x7d, 0x52, 0x23, 0x8e, 0xeb, 0x7b, 0x01, 0x31, 0xd3,
+	0x3d, 0x3c, 0x70, 0xfb, 0x70, 0xee, 0xf4, 0x62, 0x1e, 0x01, 0xce, 0x2f, 0x87, 0x5e, 0x86, 0x8a,
+	0x1b, 0xc4, 0xa2, 0x0f, 0x86, 0x8c, 0x17, 0xea, 0x2a, 0xb5, 0xab, 0x0d, 0xf5, 0xfd, 0xe9, 0x1f,
+	0x9c, 0x16, 0x40, 0xdb, 0x30, 0xa6, 0x87, 0x74, 0x89, 0xd7, 0x0d, 0x9f, 0xee, 0x72, 0xb6, 0x35,
+	0xe2, 0xa0, 0xb8, 0xd5, 0x4d, 0x79, 0xea, 0x1a, 0x21, 0x52, 0x06, 0x63, 0xf4, 0x2a, 0xa0, 0x98,
+	0x44, 0xfb, 0x5e, 0x93, 0x2c, 0x36, 0x59, 0xba, 0x61, 0x66, 0xab, 0x19, 0x31, 0xc2, 0x4e, 0x50,
+	0xa3, 0x83, 0x02, 0xe7, 0x94, 0x42, 0x97, 0xa8, 0x44, 0xd1, 0xa1, 0xc2, 0xb1, 0x5a, 0xaa, 0x79,
+	0xd5, 0x1a, 0x69, 0x45, 0xa4, 0xe9, 0x24, 0xc4, 0x35, 0x39, 0xe2, 0x4c, 0x39, 0xba, 0xdf, 0xa8,
+	0x57, 0x1c, 0xc0, 0x74, 0x07, 0xee, 0x7c, 0xc9, 0x81, 0x9e, 0x90, 0x76, 0xc2, 0x38, 0xb9, 0x4a,
+	0x92, 0x9b, 0x61, 0xb4, 0x2b, 0x72, 0xb4, 0xa5, 0x29, 0x1c, 0x53, 0x14, 0xd6, 0xe9, 0xa8, 0x46,
+	0xc4, 0xae, 0xc3, 0xd6, 0x6a, 0xec, 0xc6, 0x62, 0x24, 0x5d, 0x27, 0x97, 0x38, 0x18, 0x4b, 0xbc,
+	0x24, 0x5d, 0xab, 0x2f, 0xb3, 0x7b, 0x88, 0x0c, 0xe9, 0x5a, 0x7d, 0x19, 0x4b, 0x3c, 0x22, 0x9d,
+	0xaf, 0xff, 0x4d, 0x14, 0xdf, 0x20, 0x75, 0xca, 0xe5, 0x3e, 0x1f, 0x00, 0x0c, 0x60, 0x4a, 0xbd,
+	0x3b, 0xc8, 0x93, 0xd7, 0xc5, 0xd5, 0x49, 0x36, 0x49, 0xfa, 0xcf, 0x7c, 0xa7, 0x6c, 0x71, 0x6b,
+	0x19, 0x4e, 0xb8, 0x83, 0xb7, 0x91, 0x46, 0x64, 0xaa, 0xe7, 0x2b, 0x1c, 0x0b, 0x50, 0x89, 0xdb,
+	0x9b, 0x6e, 0xb8, 0xe7, 0x78, 0x01, 0xbb, 0x36, 0xd0, 0x14, 0x91, 0x86, 0x44, 0xe0, 0x94, 0x06,
+	0xad, 0xc2, 0x88, 0x23, 0x0e, 0x5f, 0xc2, 0xd0, 0x9f, 0x9b, 0x57, 0x40, 0x1e, 0xd0, 0xb8, 0x1d,
+	0x54, 0xfe, 0xc3, 0xaa, 0x2c, 0x7a, 0x09, 0xc6, 0x45, 0xe8, 0x9b, 0xf0, 0x5a, 0x3d, 0x65, 0x46,
+	0x49, 0x34, 0x74, 0x24, 0x36, 0x69, 0xd1, 0xcf, 0xc2, 0x04, 0xe5, 0x92, 0x0a, 0xb6, 0xea, 0x4c,
+	0x3f, 0x12, 0x51, 0xcb, 0xae, 0xae, 0x17, 0xc6, 0x19, 0x66, 0xc8, 0x85, 0x87, 0x9c, 0x76, 0x12,
+	0x32, 0x63, 0xa5, 0x39, 0xff, 0x37, 0xc2, 0x5d, 0x12, 0x30, 0xeb, 0xfe, 0xc8, 0xd2, 0xb9, 0xdb,
+	0x87, 0x73, 0x0f, 0x2d, 0x76, 0xa1, 0xc3, 0x5d, 0xb9, 0xa0, 0xeb, 0x30, 0x9a, 0x84, 0xbe, 0x70,
+	0x37, 0x8f, 0xab, 0xf7, 0x15, 0xa7, 0x41, 0xda, 0x50, 0x64, 0xba, 0x39, 0x41, 0x15, 0xc5, 0x3a,
+	0x1f, 0xb4, 0xc1, 0xd7, 0x18, 0x4b, 0xda, 0x49, 0xe2, 0xea, 0xfd, 0xc5, 0x1d, 0xa3, 0x72, 0x7b,
+	0x9a, 0x4b, 0x50, 0x94, 0xc4, 0x3a, 0x1b, 0x74, 0x11, 0xa6, 0x5b, 0x91, 0x17, 0xb2, 0x89, 0xad,
+	0x0c, 0xc5, 0x55, 0x23, 0x41, 0xde, 0x74, 0x3d, 0x4b, 0x80, 0x3b, 0xcb, 0xa0, 0xf3, 0x54, 0x41,
+	0xe5, 0xc0, 0xea, 0x03, 0xfc, 0x75, 0x16, 0xae, 0x9c, 0x72, 0x18, 0x56, 0xd8, 0xd9, 0x9f, 0x86,
+	0xe9, 0x0e, 0x49, 0x79, 0x2c, 0xd7, 0xdf, 0x7f, 0x32, 0x08, 0x15, 0x65, 0x0e, 0x44, 0x0b, 0xa6,
+	0x95, 0xf7, 0x81, 0xac, 0x95, 0x77, 0x84, 0xea, 0x6b, 0xba, 0x61, 0x77, 0x23, 0xe7, 0x71, 0xf9,
+	0x73, 0x05, 0xa2, 0xa1, 0xff, 0x38, 0xbd, 0x63, 0x3c, 0xbc, 0x9f, 0x1e, 0x18, 0x07, 0xba, 0x1e,
+	0x18, 0xfb, 0x7c, 0xe8, 0x91, 0x1e, 0x0d, 0x5b, 0xa1, 0xbb, 0x56, 0xcf, 0xbe, 0x7c, 0x56, 0xa7,
+	0x40, 0xcc, 0x71, 0x4c, 0xb9, 0xa7, 0xdb, 0x3a, 0x53, 0xee, 0x87, 0xef, 0x50, 0xb9, 0x97, 0x0c,
+	0x70, 0xca, 0x0b, 0xf9, 0x30, 0xdd, 0x34, 0x1f, 0xad, 0x53, 0xb1, 0x79, 0x8f, 0xf4, 0x7c, 0x3e,
+	0xae, 0xad, 0xbd, 0x66, 0xb3, 0x9c, 0xe5, 0x82, 0x3b, 0x19, 0xa3, 0x97, 0x60, 0xe4, 0xdd, 0x30,
+	0x66, 0xd3, 0x4e, 0xec, 0x6d, 0x32, 0x1a, 0x6a, 0xe4, 0xb5, 0x6b, 0x0d, 0x06, 0x3f, 0x3a, 0x9c,
+	0x1b, 0xad, 0x87, 0xae, 0xfc, 0x8b, 0x55, 0x01, 0x74, 0x0b, 0x4e, 0x1b, 0x12, 0x41, 0x35, 0x17,
+	0xfa, 0x6f, 0xee, 0x19, 0x51, 0xdd, 0xe9, 0xb5, 0x3c, 0x4e, 0x38, 0xbf, 0x02, 0xfb, 0x1b, 0xdc,
+	0xe8, 0x29, 0x4c, 0x23, 0x24, 0x6e, 0xfb, 0x27, 0xf1, 0x64, 0xc5, 0x8a, 0x61, 0xb5, 0xb9, 0x63,
+	0xc3, 0xfa, 0xef, 0x5b, 0xcc, 0xb0, 0xbe, 0x41, 0xf6, 0x5a, 0xbe, 0x93, 0x9c, 0x84, 0xc3, 0xf7,
+	0x6b, 0x30, 0x92, 0x88, 0xda, 0xba, 0xbd, 0xb2, 0xa1, 0x35, 0x8a, 0x5d, 0x2e, 0xa8, 0x0d, 0x51,
+	0x42, 0xb1, 0x62, 0x63, 0xff, 0x33, 0x3e, 0x02, 0x12, 0x73, 0x02, 0xb6, 0x85, 0x9a, 0x69, 0x5b,
+	0x98, 0xeb, 0xf1, 0x05, 0x05, 0x36, 0x86, 0x7f, 0x6a, 0xb6, 0x9b, 0x9d, 0x3d, 0x3e, 0xec, 0x37,
+	0x3a, 0xf6, 0xaf, 0x58, 0x30, 0x93, 0xe7, 0x12, 0x40, 0x95, 0x18, 0x7e, 0xf2, 0x51, 0x37, 0x5c,
+	0xaa, 0x07, 0x6f, 0x08, 0x38, 0x56, 0x14, 0x7d, 0x67, 0xba, 0x3f, 0x5e, 0xea, 0xaf, 0x6b, 0x60,
+	0xbe, 0x6f, 0x88, 0x5e, 0xe1, 0x11, 0x1c, 0x96, 0x7a, 0x80, 0xf0, 0x78, 0xd1, 0x1b, 0xf6, 0x6f,
+	0x94, 0x60, 0x86, 0x9b, 0xa8, 0x17, 0xf7, 0x43, 0xcf, 0xad, 0x87, 0xae, 0x88, 0x67, 0x79, 0x13,
+	0xc6, 0x5a, 0xda, 0x71, 0xb5, 0x5b, 0xf2, 0x21, 0xfd, 0x58, 0x9b, 0x1e, 0x1b, 0x74, 0x28, 0x36,
+	0x78, 0x21, 0x17, 0xc6, 0xc8, 0xbe, 0xd7, 0x54, 0x76, 0xce, 0xd2, 0xb1, 0x45, 0xba, 0xaa, 0x65,
+	0x45, 0xe3, 0x83, 0x0d, 0xae, 0xf7, 0xe0, 0x3d, 0x1a, 0xfb, 0xcb, 0x16, 0xdc, 0x5f, 0x90, 0xaa,
+	0x88, 0x56, 0x77, 0x93, 0x5d, 0x06, 0x88, 0xc7, 0x32, 0x55, 0x75, 0xfc, 0x8a, 0x00, 0x0b, 0x2c,
+	0xfa, 0x34, 0x00, 0x37, 0xf1, 0x53, 0x2d, 0x5a, 0x7c, 0x7a, 0x7f, 0x29, 0x3c, 0xb4, 0x3c, 0x0f,
+	0xb2, 0x3c, 0xd6, 0x78, 0xd9, 0xbf, 0x56, 0x86, 0x41, 0xfe, 0x72, 0xfa, 0x2a, 0x0c, 0xef, 0xf0,
+	0xc4, 0xc8, 0xfd, 0xe4, 0x60, 0x4e, 0x8f, 0x23, 0x1c, 0x80, 0x65, 0x61, 0xb4, 0x0e, 0xa7, 0x44,
+	0xcc, 0x54, 0x8d, 0xf8, 0xce, 0x81, 0x3c, 0xd5, 0xf2, 0x47, 0x4a, 0x64, 0x02, 0xfd, 0x53, 0x6b,
+	0x9d, 0x24, 0x38, 0xaf, 0x1c, 0x7a, 0xa5, 0x23, 0x1d, 0x22, 0x4f, 0x29, 0xad, 0x74, 0xe0, 0x1e,
+	0x29, 0x11, 0x5f, 0x82, 0xf1, 0x56, 0xc7, 0xf9, 0x5d, 0x7b, 0xb4, 0xda, 0x3c, 0xb3, 0x9b, 0xb4,
+	0xcc, 0xab, 0xa0, 0xcd, 0x7c, 0x28, 0x36, 0x76, 0x22, 0x12, 0xef, 0x84, 0xbe, 0x2b, 0x5e, 0x68,
+	0x4d, 0xbd, 0x0a, 0x32, 0x78, 0xdc, 0x51, 0x82, 0x72, 0xd9, 0x72, 0x3c, 0xbf, 0x1d, 0x91, 0x94,
+	0xcb, 0x90, 0xc9, 0x65, 0x35, 0x83, 0xc7, 0x1d, 0x25, 0xe8, 0x3c, 0x3a, 0x2d, 0x9e, 0xf7, 0x94,
+	0x91, 0xf4, 0xca, 0x55, 0x64, 0x58, 0x7a, 0xd4, 0x77, 0xc9, 0xee, 0x22, 0xae, 0xfc, 0xd5, 0x03,
+	0xa1, 0xda, 0xe3, 0x71, 0xc2, 0x97, 0x5e, 0x72, 0xb9, 0x93, 0x47, 0x26, 0xff, 0xc4, 0x82, 0x53,
+	0x39, 0x8e, 0x64, 0x5c, 0x54, 0x6d, 0x7b, 0x71, 0xa2, 0xde, 0xc6, 0xd0, 0x44, 0x15, 0x87, 0x63,
+	0x45, 0x41, 0xd7, 0x03, 0x17, 0x86, 0x59, 0x01, 0x28, 0x5c, 0x3e, 0x04, 0xf6, 0x78, 0x02, 0x10,
+	0x9d, 0x83, 0x81, 0x76, 0x4c, 0x22, 0xf9, 0x3a, 0xa3, 0x94, 0xdf, 0xcc, 0x22, 0xc8, 0x30, 0x54,
+	0xa3, 0xdc, 0x56, 0xc6, 0x38, 0x4d, 0xa3, 0xe4, 0xe6, 0x38, 0x8e, 0xb3, 0xbf, 0x58, 0x86, 0xc9,
+	0x8c, 0x2b, 0x28, 0x6d, 0xc8, 0x5e, 0x18, 0x78, 0x49, 0xa8, 0xb2, 0xf1, 0xf1, 0xe4, 0x23, 0xa4,
+	0xb5, 0xb3, 0x2e, 0xe0, 0x58, 0x51, 0xa0, 0x47, 0xe5, 0x93, 0xbd, 0xd9, 0x37, 0x3f, 0x96, 0x6a,
+	0xc6, 0xab, 0xbd, 0xfd, 0x3e, 0xde, 0xf3, 0x08, 0x0c, 0xb4, 0x42, 0xf5, 0x9e, 0xba, 0x1a, 0x4f,
+	0xbc, 0x54, 0xab, 0x87, 0xa1, 0x8f, 0x19, 0x12, 0x7d, 0x4c, 0x7c, 0x7d, 0xe6, 0xbe, 0x02, 0x3b,
+	0x6e, 0x18, 0x6b, 0x5d, 0xf0, 0x38, 0x0c, 0xef, 0x92, 0x83, 0xc8, 0x0b, 0xb6, 0xb3, 0xb7, 0x35,
+	0x97, 0x39, 0x18, 0x4b, 0xbc, 0x99, 0xfc, 0x7e, 0xf8, 0x9e, 0xbc, 0xbf, 0x33, 0xd2, 0x73, 0x57,
+	0xfb, 0xba, 0x05, 0x93, 0x2c, 0xf3, 0xad, 0xc8, 0xd9, 0xe0, 0x85, 0xc1, 0x09, 0xe8, 0x09, 0x8f,
+	0xc0, 0x60, 0x44, 0x2b, 0xcd, 0x3e, 0xaa, 0xc1, 0x5a, 0x82, 0x39, 0x0e, 0x3d, 0x04, 0x03, 0xac,
+	0x09, 0x74, 0xf0, 0xc6, 0x78, 0xee, 0xfb, 0x9a, 0x93, 0x38, 0x98, 0x41, 0x59, 0xf0, 0x1c, 0x26,
+	0x2d, 0xdf, 0xe3, 0x8d, 0x4e, 0xcd, 0xad, 0x1f, 0x8e, 0xe0, 0xb9, 0xdc, 0xa6, 0xbd, 0xbf, 0xe0,
+	0xb9, 0x7c, 0x96, 0xdd, 0x75, 0xf0, 0xff, 0x51, 0x82, 0xb3, 0xb9, 0xe5, 0xfa, 0x0e, 0x9e, 0xeb,
+	0x5e, 0xfa, 0xee, 0xdc, 0xf5, 0xe6, 0x5f, 0xc1, 0x96, 0x4f, 0xf0, 0x0a, 0x76, 0xa0, 0x5f, 0x35,
+	0x65, 0xb0, 0x8f, 0x98, 0xb6, 0xdc, 0x2e, 0xfb, 0x90, 0xc4, 0xb4, 0xe5, 0xb6, 0xad, 0xe0, 0x0c,
+	0xf1, 0xc3, 0x52, 0xc1, 0xb7, 0xb0, 0xd3, 0xc4, 0x79, 0x2a, 0x67, 0x18, 0x32, 0x16, 0x6a, 0xd7,
+	0x18, 0x97, 0x31, 0x1c, 0x86, 0x15, 0x16, 0x79, 0x5a, 0x74, 0x18, 0x6f, 0xda, 0x4b, 0xc7, 0x5a,
+	0x32, 0xf3, 0xa6, 0x75, 0x5c, 0x4f, 0x30, 0x91, 0x8d, 0x14, 0x5b, 0xd7, 0x4e, 0x80, 0xe5, 0xfe,
+	0x4f, 0x80, 0x63, 0xf9, 0xa7, 0x3f, 0xb4, 0x08, 0x93, 0x7b, 0x5e, 0xc0, 0x5e, 0xc6, 0x35, 0xf5,
+	0x1e, 0x15, 0x2c, 0xbd, 0x6e, 0xa2, 0x71, 0x96, 0x7e, 0xf6, 0x25, 0x18, 0xbf, 0x73, 0x93, 0xd5,
+	0x77, 0xca, 0xf0, 0x60, 0x97, 0x65, 0xcf, 0x65, 0xbd, 0x31, 0x06, 0x9a, 0xac, 0xef, 0x18, 0x87,
+	0x3a, 0xcc, 0x6c, 0xb5, 0x7d, 0xff, 0x80, 0x79, 0x39, 0x11, 0x57, 0x52, 0x08, 0xc5, 0x44, 0xa5,
+	0xb5, 0x5e, 0xcd, 0xa1, 0xc1, 0xb9, 0x25, 0xd1, 0xab, 0x80, 0xc2, 0x4d, 0x96, 0x6a, 0xd9, 0x4d,
+	0xd3, 0x66, 0xb0, 0x8e, 0x2f, 0xa7, 0x8b, 0xf1, 0x5a, 0x07, 0x05, 0xce, 0x29, 0x45, 0x35, 0x4c,
+	0xf6, 0x96, 0xbf, 0x6a, 0x56, 0x46, 0xc3, 0xc4, 0x3a, 0x12, 0x9b, 0xb4, 0xe8, 0x22, 0x4c, 0x3b,
+	0xfb, 0x8e, 0xc7, 0xd3, 0xa8, 0x49, 0x06, 0x5c, 0xc5, 0x54, 0x86, 0xa2, 0xc5, 0x2c, 0x01, 0xee,
+	0x2c, 0x93, 0x09, 0x73, 0x1b, 0x2a, 0x0e, 0x73, 0xeb, 0x2e, 0x17, 0x7b, 0xd9, 0xfd, 0xec, 0xff,
+	0x64, 0xd1, 0xed, 0x2b, 0xe7, 0x29, 0x56, 0xda, 0x0f, 0xca, 0x7e, 0xa5, 0x45, 0x9c, 0xa9, 0x7e,
+	0x58, 0xd6, 0x91, 0xd8, 0xa4, 0xe5, 0x13, 0x22, 0x4e, 0x9d, 0xac, 0x0d, 0x3d, 0x51, 0x84, 0x82,
+	0x2a, 0x0a, 0xf4, 0x06, 0x0c, 0xbb, 0xde, 0xbe, 0x17, 0x87, 0x91, 0x58, 0x2c, 0xc7, 0x7d, 0x7e,
+	0x5c, 0xc9, 0xc1, 0x1a, 0x67, 0x83, 0x25, 0x3f, 0xfb, 0x8b, 0x25, 0x18, 0x97, 0x35, 0xbe, 0xd6,
+	0x0e, 0x13, 0xe7, 0x04, 0xb6, 0xe5, 0x8b, 0xc6, 0xb6, 0xfc, 0xb1, 0x6e, 0xf1, 0xb0, 0xac, 0x49,
+	0x85, 0xdb, 0xf1, 0xb5, 0xcc, 0x76, 0xfc, 0x58, 0x6f, 0x56, 0xdd, 0xb7, 0xe1, 0x7f, 0x6e, 0xc1,
+	0xb4, 0x41, 0x7f, 0x02, 0xbb, 0xc1, 0xaa, 0xb9, 0x1b, 0x3c, 0xdc, 0xf3, 0x1b, 0x0a, 0x76, 0x81,
+	0xaf, 0x96, 0x32, 0x6d, 0x67, 0xd2, 0xff, 0x5d, 0x18, 0xd8, 0x71, 0x22, 0xb7, 0x5b, 0x32, 0xd0,
+	0x8e, 0x42, 0xf3, 0x97, 0x9c, 0xc8, 0xe5, 0x32, 0xfc, 0x29, 0xf5, 0x4a, 0x9c, 0x13, 0xb9, 0x3d,
+	0x63, 0x0a, 0x58, 0x55, 0xe8, 0x45, 0x18, 0x8a, 0x9b, 0x61, 0x4b, 0xf9, 0x5e, 0x9e, 0xe3, 0x2f,
+	0xc8, 0x51, 0xc8, 0xd1, 0xe1, 0x1c, 0x32, 0xab, 0xa3, 0x60, 0x2c, 0xe8, 0x67, 0xb7, 0xa1, 0xa2,
+	0xaa, 0xbe, 0xa7, 0x5e, 0xe5, 0x7f, 0x54, 0x86, 0x53, 0x39, 0xf3, 0x02, 0xc5, 0x46, 0x6f, 0x3d,
+	0xd3, 0xe7, 0x74, 0x7a, 0x9f, 0xfd, 0x15, 0xb3, 0x13, 0x8b, 0x2b, 0xc6, 0xbf, 0xef, 0x4a, 0xaf,
+	0xc7, 0x24, 0x5b, 0x29, 0x05, 0xf5, 0xae, 0x94, 0x56, 0x76, 0x62, 0x5d, 0x4d, 0x2b, 0x52, 0x2d,
+	0xbd, 0xa7, 0x63, 0xfa, 0x83, 0x32, 0xcc, 0xe4, 0x85, 0xd1, 0xa3, 0x9f, 0xcb, 0x3c, 0x2d, 0xf2,
+	0x5c, 0xbf, 0x01, 0xf8, 0xfc, 0xbd, 0x11, 0x91, 0x77, 0x68, 0xde, 0x7c, 0x6c, 0xa4, 0x67, 0x37,
+	0x8b, 0x3a, 0x59, 0x90, 0x4f, 0xc4, 0x9f, 0x84, 0x91, 0x4b, 0xfc, 0x13, 0x7d, 0x37, 0x40, 0xbc,
+	0x25, 0x13, 0x67, 0x82, 0x7c, 0x24, 0xb8, 0x77, 0x90, 0x8f, 0xac, 0x79, 0xd6, 0x83, 0x51, 0xed,
+	0x6b, 0xee, 0xe9, 0x88, 0xef, 0xd2, 0x1d, 0x45, 0x6b, 0xf7, 0x3d, 0x1d, 0xf5, 0x2f, 0x5b, 0x90,
+	0xf1, 0x93, 0x52, 0xf6, 0x0f, 0xab, 0xd0, 0xfe, 0x71, 0x0e, 0x06, 0xa2, 0xd0, 0x27, 0xd9, 0xd7,
+	0x26, 0x70, 0xe8, 0x13, 0xcc, 0x30, 0xea, 0x49, 0xe8, 0x72, 0xd1, 0x93, 0xd0, 0xf4, 0x68, 0xec,
+	0x93, 0x7d, 0x22, 0xad, 0x11, 0x4a, 0x26, 0x5f, 0xa1, 0x40, 0xcc, 0x71, 0xf6, 0xd7, 0x07, 0xe0,
+	0x4c, 0xd7, 0xe0, 0x36, 0x7a, 0x64, 0xd9, 0x76, 0x12, 0x72, 0xd3, 0x39, 0xc8, 0xe6, 0xc2, 0xbd,
+	0xc8, 0xc1, 0x58, 0xe2, 0x99, 0x57, 0x27, 0x4f, 0xa7, 0x97, 0xb1, 0x16, 0x89, 0x2c, 0x7a, 0x02,
+	0x7b, 0xcc, 0xf7, 0xfb, 0xfb, 0x31, 0x55, 0x5c, 0x00, 0x88, 0x63, 0x7f, 0x25, 0xa0, 0x1a, 0x98,
+	0x2b, 0xdc, 0x45, 0xd3, 0xb4, 0x8b, 0x8d, 0x2b, 0x02, 0x83, 0x35, 0x2a, 0x54, 0x83, 0xa9, 0x56,
+	0x14, 0x26, 0xdc, 0xf8, 0x56, 0xe3, 0x8e, 0x0a, 0x83, 0x66, 0x84, 0x52, 0x3d, 0x83, 0xc7, 0x1d,
+	0x25, 0xd0, 0xf3, 0x30, 0x2a, 0xa2, 0x96, 0xea, 0x61, 0xe8, 0x0b, 0x53, 0x8d, 0xba, 0xf6, 0x6e,
+	0xa4, 0x28, 0xac, 0xd3, 0x69, 0xc5, 0x98, 0x45, 0x6f, 0x38, 0xb7, 0x18, 0xb7, 0xea, 0x69, 0x74,
+	0x99, 0x94, 0x1a, 0x23, 0x7d, 0xa5, 0xd4, 0x48, 0x8d, 0x57, 0x95, 0xbe, 0x2f, 0x31, 0xa0, 0xa7,
+	0xb9, 0xe7, 0x37, 0x07, 0xe0, 0x94, 0x98, 0x38, 0xf7, 0x7a, 0xba, 0xdc, 0xa3, 0xe7, 0xa5, 0x7f,
+	0x32, 0x67, 0x4e, 0x7a, 0xce, 0x7c, 0xa3, 0x0c, 0x43, 0x7c, 0x28, 0x4e, 0x40, 0x87, 0x5f, 0x15,
+	0x46, 0xbf, 0x2e, 0x49, 0x29, 0x78, 0x5b, 0xe6, 0x6b, 0x4e, 0xe2, 0xf0, 0xfd, 0x4b, 0x89, 0xd1,
+	0xd4, 0x3c, 0x88, 0xe6, 0x0d, 0x41, 0x3b, 0x9b, 0xb1, 0x6a, 0x01, 0xe7, 0xa1, 0x89, 0xdd, 0xb7,
+	0x01, 0x62, 0xf6, 0xc4, 0x31, 0xe5, 0x21, 0xd2, 0x9b, 0x3c, 0xd1, 0xa5, 0xf6, 0x86, 0x22, 0xe6,
+	0x6d, 0x48, 0xa7, 0xa0, 0x42, 0x60, 0x8d, 0xe3, 0xec, 0x0b, 0x50, 0x51, 0xc4, 0xbd, 0x4c, 0x00,
+	0x63, 0xfa, 0xae, 0xf7, 0x29, 0x98, 0xcc, 0xd4, 0x75, 0x2c, 0x0b, 0xc2, 0x6f, 0x5b, 0x30, 0xc9,
+	0x9b, 0xbc, 0x12, 0xec, 0x8b, 0xc5, 0xfe, 0x1e, 0xcc, 0xf8, 0x39, 0x8b, 0x4e, 0x8c, 0x68, 0xff,
+	0x8b, 0x54, 0x59, 0x0c, 0xf2, 0xb0, 0x38, 0xb7, 0x0e, 0x74, 0x1e, 0x46, 0xf8, 0xe3, 0xec, 0x8e,
+	0x2f, 0x5c, 0xd7, 0xc7, 0x78, 0x7a, 0x7a, 0x0e, 0xc3, 0x0a, 0x6b, 0x7f, 0xd7, 0x82, 0x69, 0xde,
+	0xf2, 0xcb, 0xe4, 0x40, 0x9d, 0x8e, 0x3f, 0xc8, 0xb6, 0x8b, 0xec, 0xfb, 0xa5, 0x82, 0xec, 0xfb,
+	0xfa, 0xa7, 0x95, 0xbb, 0x7e, 0xda, 0x6f, 0x58, 0x20, 0x66, 0xe0, 0x09, 0x9c, 0x03, 0x7f, 0xda,
+	0x3c, 0x07, 0xce, 0x16, 0x4f, 0xea, 0x82, 0x03, 0xe0, 0x9f, 0x59, 0x30, 0xc5, 0x09, 0xd2, 0x5b,
+	0xaf, 0x0f, 0x74, 0x1c, 0xfa, 0x79, 0x12, 0x4a, 0xbd, 0xc1, 0x9b, 0xff, 0x51, 0xc6, 0x60, 0x0d,
+	0x74, 0x1d, 0x2c, 0x57, 0x2e, 0xa0, 0x63, 0x3c, 0x75, 0x76, 0xec, 0x84, 0x91, 0xf6, 0x7f, 0xb3,
+	0x00, 0xf1, 0x6a, 0xb2, 0xaf, 0xe2, 0xf3, 0xad, 0x4f, 0xb3, 0x04, 0xa5, 0xa2, 0x46, 0x61, 0xb0,
+	0x46, 0x75, 0x57, 0xba, 0x27, 0x73, 0x75, 0x59, 0xee, 0x7d, 0x75, 0x79, 0x8c, 0x1e, 0xfd, 0xab,
+	0x03, 0x90, 0xf5, 0x93, 0x45, 0x37, 0x60, 0xac, 0xe9, 0xb4, 0x9c, 0x4d, 0xcf, 0xf7, 0x12, 0x8f,
+	0xc4, 0xdd, 0x7c, 0x1e, 0x96, 0x35, 0x3a, 0x71, 0x4f, 0xa8, 0x41, 0xb0, 0xc1, 0x07, 0xcd, 0x03,
+	0xb4, 0x22, 0x6f, 0xdf, 0xf3, 0xc9, 0x36, 0x3b, 0x0a, 0xb3, 0x60, 0x19, 0x7e, 0x91, 0x2f, 0xa1,
+	0x58, 0xa3, 0xc8, 0x09, 0xae, 0x28, 0xdf, 0xbb, 0xe0, 0x8a, 0x81, 0x63, 0x06, 0x57, 0x0c, 0xf6,
+	0x15, 0x5c, 0x81, 0xe1, 0x3e, 0xb9, 0x77, 0xd3, 0xff, 0xab, 0x9e, 0x4f, 0x84, 0xc2, 0xc6, 0x43,
+	0x68, 0x66, 0x6f, 0x1f, 0xce, 0xdd, 0x87, 0x73, 0x29, 0x70, 0x41, 0x49, 0xf4, 0x69, 0xa8, 0x3a,
+	0xbe, 0x1f, 0xde, 0x54, 0xbd, 0xb6, 0x12, 0x37, 0x1d, 0x3f, 0xcd, 0x9f, 0x3c, 0xb2, 0xf4, 0xd0,
+	0xed, 0xc3, 0xb9, 0xea, 0x62, 0x01, 0x0d, 0x2e, 0x2c, 0x6d, 0xef, 0xc2, 0xa9, 0x06, 0x89, 0xe4,
+	0xeb, 0x89, 0x6a, 0x89, 0x6d, 0x40, 0x25, 0xca, 0x08, 0x95, 0xbe, 0xf2, 0x2c, 0x68, 0xb9, 0xed,
+	0xa4, 0x10, 0x49, 0x19, 0xd9, 0x7f, 0x6a, 0xc1, 0xb0, 0xf0, 0xbd, 0x3d, 0x01, 0x5d, 0x66, 0xd1,
+	0xb0, 0x47, 0xce, 0xe5, 0x0b, 0x5e, 0xd6, 0x98, 0x42, 0x4b, 0xe4, 0x5a, 0xc6, 0x12, 0xf9, 0x70,
+	0x37, 0x26, 0xdd, 0x6d, 0x90, 0xbf, 0x5c, 0x86, 0x09, 0xd3, 0xef, 0xf8, 0x04, 0xba, 0xe0, 0x2a,
+	0x0c, 0xc7, 0xc2, 0xc9, 0xbd, 0x54, 0xec, 0x2c, 0x99, 0x1d, 0xc4, 0xd4, 0xa5, 0x42, 0xb8, 0xb5,
+	0x4b, 0x26, 0xb9, 0xde, 0xf3, 0xe5, 0x7b, 0xe8, 0x3d, 0xdf, 0xcb, 0xf5, 0x7b, 0xe0, 0x6e, 0xb8,
+	0x7e, 0xdb, 0xdf, 0x64, 0xc2, 0x5f, 0x87, 0x9f, 0x80, 0x5e, 0x70, 0xd1, 0xdc, 0x26, 0xec, 0x2e,
+	0x33, 0x4b, 0x34, 0xaa, 0x40, 0x3f, 0xf8, 0x47, 0x16, 0x8c, 0x0a, 0xc2, 0x13, 0x68, 0xf6, 0xcf,
+	0x98, 0xcd, 0x7e, 0xb0, 0x4b, 0xb3, 0x0b, 0xda, 0xfb, 0xb7, 0x4b, 0xaa, 0xbd, 0xf5, 0x30, 0x4a,
+	0xfa, 0xca, 0xa7, 0x3f, 0x42, 0x4f, 0x83, 0x61, 0x33, 0xf4, 0xc5, 0x66, 0xfe, 0x50, 0x1a, 0x45,
+	0xc9, 0xe1, 0x47, 0xda, 0x6f, 0xac, 0xa8, 0x59, 0x90, 0x5f, 0x18, 0x25, 0x62, 0x03, 0x4d, 0x83,
+	0xfc, 0xc2, 0x28, 0xc1, 0x0c, 0x83, 0x5c, 0x80, 0xc4, 0x89, 0xb6, 0x49, 0x42, 0x61, 0x22, 0xec,
+	0xb8, 0x78, 0x15, 0xb6, 0x13, 0xcf, 0x9f, 0xf7, 0x82, 0x24, 0x4e, 0xa2, 0xf9, 0xb5, 0x20, 0xb9,
+	0x16, 0xf1, 0xb3, 0x81, 0x16, 0x16, 0xa9, 0x78, 0x61, 0x8d, 0xaf, 0x8c, 0xcb, 0x61, 0x75, 0x0c,
+	0x9a, 0x17, 0x85, 0x57, 0x05, 0x1c, 0x2b, 0x0a, 0xfb, 0x05, 0x26, 0x93, 0x59, 0x07, 0x1d, 0x2f,
+	0x62, 0xf1, 0xdb, 0x23, 0xaa, 0x6b, 0xd9, 0x2d, 0x41, 0x4d, 0x8f, 0x8b, 0xec, 0x2e, 0x02, 0x69,
+	0xc5, 0xba, 0x0f, 0x7a, 0x1a, 0x3c, 0x89, 0x3e, 0xd3, 0x71, 0x7f, 0xfc, 0x74, 0x0f, 0x59, 0x7a,
+	0x8c, 0x1b, 0x63, 0x96, 0xdc, 0x91, 0x25, 0xc1, 0x5b, 0xab, 0x67, 0x5f, 0x3c, 0x58, 0x96, 0x08,
+	0x9c, 0xd2, 0xa0, 0x05, 0x71, 0xb2, 0xe4, 0xf6, 0xb9, 0x07, 0x33, 0x27, 0x4b, 0xf9, 0xf9, 0xda,
+	0xd1, 0xf2, 0x19, 0x18, 0x55, 0xaf, 0x48, 0xd5, 0xf9, 0x63, 0x3c, 0x15, 0xae, 0x4b, 0xad, 0xa4,
+	0x60, 0xac, 0xd3, 0xa0, 0x0d, 0x98, 0x8c, 0xf9, 0x13, 0x57, 0x32, 0x54, 0x46, 0xd8, 0x0d, 0x9e,
+	0x90, 0xf7, 0xce, 0x0d, 0x13, 0x7d, 0xc4, 0x40, 0x7c, 0xb1, 0xca, 0xe0, 0x9a, 0x2c, 0x0b, 0xf4,
+	0x0a, 0x4c, 0xf8, 0xfa, 0x53, 0xbf, 0x75, 0x61, 0x56, 0x50, 0x3e, 0x80, 0xc6, 0x43, 0xc0, 0x75,
+	0x9c, 0xa1, 0xa6, 0x4a, 0x80, 0x0e, 0x11, 0x99, 0x97, 0x9c, 0x60, 0x9b, 0xc4, 0xe2, 0x0d, 0x1c,
+	0xa6, 0x04, 0x5c, 0x29, 0xa0, 0xc1, 0x85, 0xa5, 0xd1, 0x8b, 0x30, 0x26, 0x3f, 0x5f, 0x0b, 0x1d,
+	0x4b, 0x3d, 0x4d, 0x35, 0x1c, 0x36, 0x28, 0xd1, 0x4d, 0x38, 0x2d, 0xff, 0x6f, 0x44, 0xce, 0xd6,
+	0x96, 0xd7, 0x14, 0x91, 0x7b, 0xa3, 0x8c, 0xc5, 0xa2, 0x74, 0xbb, 0x5f, 0xc9, 0x23, 0x3a, 0x3a,
+	0x9c, 0x3b, 0x27, 0x7a, 0x2d, 0x17, 0xcf, 0x06, 0x31, 0x9f, 0x3f, 0x5a, 0x87, 0x53, 0x3b, 0xc4,
+	0xf1, 0x93, 0x9d, 0xe5, 0x1d, 0xd2, 0xdc, 0x95, 0x8b, 0x88, 0x05, 0xa4, 0x69, 0xfe, 0x99, 0x97,
+	0x3a, 0x49, 0x70, 0x5e, 0x39, 0xf4, 0x16, 0x54, 0x5b, 0xed, 0x4d, 0xdf, 0x8b, 0x77, 0xae, 0x86,
+	0x09, 0xbb, 0xea, 0x56, 0x8f, 0x30, 0x89, 0xc8, 0x35, 0x15, 0x8c, 0x57, 0x2f, 0xa0, 0xc3, 0x85,
+	0x1c, 0xd0, 0x7b, 0x70, 0x3a, 0x33, 0x19, 0xf8, 0xbb, 0x5e, 0x22, 0xc2, 0xed, 0xf1, 0xfc, 0xe5,
+	0x94, 0x53, 0x80, 0xc7, 0x53, 0xe6, 0xa2, 0x70, 0x7e, 0x15, 0xef, 0xcf, 0x01, 0xe2, 0x5d, 0x5a,
+	0x58, 0xd3, 0x6e, 0xd0, 0x67, 0x61, 0x4c, 0x9f, 0x45, 0x62, 0x83, 0x79, 0xb4, 0xd7, 0xb3, 0xd6,
+	0x42, 0x37, 0x52, 0x33, 0x4a, 0xc7, 0x61, 0x83, 0xa3, 0x4d, 0x20, 0xff, 0xfb, 0xd0, 0x15, 0x18,
+	0x69, 0xfa, 0x1e, 0x09, 0x92, 0xb5, 0x7a, 0xb7, 0x88, 0xeb, 0x65, 0x41, 0x23, 0x3a, 0x4c, 0x24,
+	0xfe, 0xe2, 0x30, 0xac, 0x38, 0xd8, 0xbf, 0x57, 0x82, 0xb9, 0x1e, 0xb9, 0xdf, 0x32, 0x36, 0x40,
+	0xab, 0x2f, 0x1b, 0xe0, 0xa2, 0x7c, 0x52, 0xea, 0x6a, 0xe6, 0xfc, 0x99, 0x79, 0x2e, 0x2a, 0x3d,
+	0x85, 0x66, 0xe9, 0xfb, 0xf6, 0x9b, 0xd4, 0xcd, 0x88, 0x03, 0x3d, 0xdd, 0x47, 0x8d, 0xeb, 0x83,
+	0xc1, 0xfe, 0x35, 0xfa, 0x42, 0x53, 0xb0, 0xfd, 0xcd, 0x12, 0x9c, 0x56, 0x5d, 0xf8, 0xe3, 0xdb,
+	0x71, 0xd7, 0x3b, 0x3b, 0xee, 0x2e, 0x18, 0xd2, 0xed, 0x6b, 0x30, 0xd4, 0x38, 0x88, 0x9b, 0x89,
+	0xdf, 0x87, 0x02, 0xf4, 0x88, 0xb1, 0x40, 0xd3, 0x6d, 0x9a, 0xbd, 0x0a, 0x29, 0xd6, 0xab, 0xfd,
+	0x97, 0x2c, 0x98, 0xdc, 0x58, 0xae, 0x37, 0xc2, 0xe6, 0x2e, 0x49, 0x16, 0xb9, 0x99, 0x08, 0x0b,
+	0xfd, 0xc7, 0xba, 0x43, 0xbd, 0x26, 0x4f, 0x63, 0x3a, 0x07, 0x03, 0x3b, 0x61, 0x9c, 0x64, 0x6f,
+	0xd9, 0x2e, 0x85, 0x71, 0x82, 0x19, 0xc6, 0xfe, 0x63, 0x0b, 0x06, 0xd9, 0x43, 0x88, 0xbd, 0x1e,
+	0xcc, 0xec, 0xe7, 0xbb, 0xd0, 0xf3, 0x30, 0x44, 0xb6, 0xb6, 0x48, 0x33, 0x11, 0xa3, 0x2a, 0x43,
+	0xb9, 0x86, 0x56, 0x18, 0x94, 0x6e, 0xfa, 0xac, 0x32, 0xfe, 0x17, 0x0b, 0x62, 0xf4, 0x19, 0xa8,
+	0x24, 0xde, 0x1e, 0x59, 0x74, 0x5d, 0x71, 0x4f, 0x71, 0x3c, 0x5f, 0x46, 0xa5, 0x84, 0x6c, 0x48,
+	0x26, 0x38, 0xe5, 0x67, 0xff, 0x52, 0x09, 0x20, 0x0d, 0xf9, 0xec, 0xf5, 0x99, 0x4b, 0x1d, 0xef,
+	0x82, 0x3e, 0x9a, 0xf3, 0x2e, 0x28, 0x4a, 0x19, 0xe6, 0xbc, 0x0a, 0xaa, 0xba, 0xaa, 0xdc, 0x57,
+	0x57, 0x0d, 0x1c, 0xa7, 0xab, 0x96, 0x61, 0x3a, 0x0d, 0x59, 0x35, 0xe3, 0xf7, 0x59, 0xc6, 0xe7,
+	0x8d, 0x2c, 0x12, 0x77, 0xd2, 0xdb, 0x5f, 0xb0, 0x40, 0xf8, 0xb7, 0xf7, 0x31, 0xa1, 0xdf, 0x94,
+	0x4f, 0xf8, 0x19, 0x09, 0x29, 0xcf, 0x15, 0x3b, 0xfc, 0x8b, 0x34, 0x94, 0x6a, 0x03, 0x31, 0x92,
+	0x4f, 0x1a, 0xbc, 0xec, 0xbf, 0x5e, 0x82, 0x51, 0x8e, 0x66, 0xc9, 0x0e, 0xfb, 0x68, 0xcd, 0xb1,
+	0xf2, 0x85, 0xb3, 0xd7, 0xed, 0x28, 0x63, 0x95, 0x56, 0x5a, 0x7f, 0xdd, 0x4e, 0x22, 0x70, 0x4a,
+	0x83, 0x1e, 0x87, 0xe1, 0xb8, 0xbd, 0xc9, 0xc8, 0x33, 0x2e, 0xee, 0x0d, 0x0e, 0xc6, 0x12, 0x8f,
+	0x3e, 0x0d, 0x53, 0xbc, 0x5c, 0x14, 0xb6, 0x9c, 0x6d, 0x6e, 0xdf, 0x19, 0x54, 0x01, 0x4e, 0x53,
+	0xeb, 0x19, 0xdc, 0xd1, 0xe1, 0xdc, 0x4c, 0x16, 0xc6, 0x2c, 0x83, 0x1d, 0x5c, 0xe8, 0x8c, 0x9d,
+	0xca, 0xc6, 0x4e, 0xa0, 0x4b, 0x30, 0xc4, 0x05, 0x92, 0x10, 0x10, 0x5d, 0xee, 0x7b, 0xb4, 0x88,
+	0x0b, 0x96, 0x54, 0x59, 0xc8, 0x34, 0x51, 0x1e, 0xbd, 0x05, 0xa3, 0x6e, 0x78, 0x33, 0xb8, 0xe9,
+	0x44, 0xee, 0x62, 0x7d, 0x4d, 0x8c, 0x67, 0xae, 0x5e, 0x53, 0x4b, 0xc9, 0xf4, 0x28, 0x0e, 0x66,
+	0xdb, 0x4c, 0x51, 0x58, 0x67, 0x87, 0x36, 0x58, 0x7e, 0x1e, 0xfe, 0xfc, 0x74, 0x37, 0x9f, 0x30,
+	0xf5, 0x62, 0xb5, 0xc6, 0x79, 0x5c, 0x24, 0xf1, 0x11, 0x8f, 0x57, 0xa7, 0x8c, 0xec, 0xcf, 0x9d,
+	0x02, 0x63, 0x1e, 0x19, 0xf9, 0xc2, 0xad, 0xbb, 0x94, 0x2f, 0x1c, 0xc3, 0x08, 0xd9, 0x6b, 0x25,
+	0x07, 0x35, 0x2f, 0xea, 0xf6, 0x50, 0xc4, 0x8a, 0xa0, 0xe9, 0xe4, 0x29, 0x31, 0x58, 0xf1, 0xc9,
+	0x4f, 0xea, 0x5e, 0xfe, 0x00, 0x93, 0xba, 0x0f, 0x9c, 0x60, 0x52, 0xf7, 0xab, 0x30, 0xbc, 0xed,
+	0x25, 0x98, 0xb4, 0x42, 0xb1, 0x19, 0xe7, 0xce, 0x84, 0x8b, 0x9c, 0xa4, 0x33, 0xe1, 0xb0, 0x40,
+	0x60, 0xc9, 0x04, 0xbd, 0xaa, 0xd6, 0xc0, 0x50, 0xb1, 0x2e, 0xdb, 0x79, 0x35, 0x90, 0xbb, 0x0a,
+	0x44, 0x12, 0xf7, 0xe1, 0x3b, 0x4d, 0xe2, 0xae, 0x92, 0xb0, 0x8f, 0xbc, 0xbf, 0x24, 0xec, 0x46,
+	0x92, 0xfa, 0xca, 0xdd, 0x4b, 0x52, 0xff, 0x05, 0x0b, 0x4e, 0xb7, 0xf2, 0xde, 0x6b, 0x10, 0xe9,
+	0xd4, 0x9f, 0xef, 0xfb, 0x41, 0x0a, 0xa3, 0x42, 0x76, 0xa8, 0xc9, 0x25, 0xc3, 0xf9, 0xd5, 0xc9,
+	0x6c, 0xf7, 0xa3, 0x77, 0x9a, 0xed, 0xfe, 0xde, 0xe4, 0x5d, 0x4f, 0x73, 0xdf, 0x8f, 0xbf, 0xef,
+	0xdc, 0xf7, 0xaf, 0xaa, 0xdc, 0xf7, 0x5d, 0xb2, 0xa0, 0xf0, 0xcc, 0xf6, 0x3d, 0x33, 0xde, 0x6b,
+	0x59, 0xeb, 0x27, 0xef, 0x46, 0xd6, 0xfa, 0xb7, 0x4d, 0x61, 0xcf, 0x53, 0xa8, 0x3f, 0xd9, 0x43,
+	0xd8, 0x1b, 0x7c, 0xbb, 0x8b, 0x7b, 0x9e, 0xa1, 0x7f, 0xfa, 0x8e, 0x32, 0xf4, 0xdf, 0xd0, 0x73,
+	0xdf, 0xa3, 0x1e, 0xc9, 0xdd, 0x29, 0x51, 0x9f, 0x19, 0xef, 0x6f, 0xe8, 0x5b, 0xd0, 0xa9, 0x62,
+	0xbe, 0x6a, 0xa7, 0xe9, 0xe4, 0x9b, 0xb7, 0x09, 0x75, 0x66, 0xd2, 0x9f, 0x39, 0x99, 0x4c, 0xfa,
+	0xa7, 0xef, 0x7a, 0x26, 0xfd, 0xfb, 0x4e, 0x20, 0x93, 0xfe, 0xfd, 0x1f, 0x68, 0x26, 0xfd, 0xea,
+	0x3d, 0xc8, 0xa4, 0x7f, 0x35, 0xcd, 0xa4, 0xff, 0x40, 0xf1, 0x90, 0xe4, 0xf8, 0x8c, 0x15, 0xe4,
+	0xcf, 0xbf, 0x01, 0x95, 0x96, 0x0c, 0xaf, 0xad, 0xce, 0x16, 0x0f, 0x49, 0x6e, 0x0c, 0x2e, 0x1f,
+	0x12, 0x85, 0xc2, 0x29, 0x2b, 0xca, 0x37, 0xcd, 0xa7, 0xff, 0x60, 0x17, 0xb3, 0x55, 0x9e, 0x41,
+	0xa0, 0x4b, 0x16, 0xfd, 0xbf, 0x5c, 0x82, 0xb3, 0xdd, 0xe7, 0x75, 0x6a, 0x4d, 0xa8, 0xa7, 0xd6,
+	0xef, 0x8c, 0x35, 0x81, 0x29, 0x5d, 0x1a, 0x55, 0xdf, 0x39, 0x08, 0x2e, 0xc2, 0xb4, 0x72, 0x16,
+	0xf3, 0xbd, 0xe6, 0x81, 0xf6, 0xe8, 0x96, 0x0a, 0x5c, 0x69, 0x64, 0x09, 0x70, 0x67, 0x19, 0xb4,
+	0x08, 0x93, 0x06, 0x70, 0xad, 0x26, 0x94, 0x7d, 0x65, 0xbe, 0x68, 0x98, 0x68, 0x9c, 0xa5, 0xb7,
+	0xbf, 0x6a, 0xc1, 0xfd, 0x05, 0x49, 0x75, 0xfb, 0x0e, 0xb1, 0xdf, 0x82, 0xc9, 0x96, 0x59, 0xb4,
+	0x47, 0x26, 0x0e, 0x23, 0x75, 0xaf, 0x6a, 0x6b, 0x06, 0x81, 0xb3, 0x4c, 0x97, 0xce, 0x7f, 0xeb,
+	0x7b, 0x67, 0x3f, 0xf2, 0x87, 0xdf, 0x3b, 0xfb, 0x91, 0xef, 0x7e, 0xef, 0xec, 0x47, 0xfe, 0xfc,
+	0xed, 0xb3, 0xd6, 0xb7, 0x6e, 0x9f, 0xb5, 0xfe, 0xf0, 0xf6, 0x59, 0xeb, 0xbb, 0xb7, 0xcf, 0x5a,
+	0x7f, 0x72, 0xfb, 0xac, 0xf5, 0x4b, 0xdf, 0x3f, 0xfb, 0x91, 0x37, 0x4b, 0xfb, 0xcf, 0xfc, 0xff,
+	0x00, 0x00, 0x00, 0xff, 0xff, 0x71, 0xb4, 0xe3, 0xcb, 0xa3, 0xd3, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/core/v1/generated.proto b/cli/vendor/k8s.io/api/core/v1/generated.proto
new file mode 100644
index 00000000..bb403d65
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/generated.proto
@@ -0,0 +1,4337 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.core.v1;
+
+import "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.proto";
+import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1";
+
+// Represents a Persistent Disk resource in AWS.
+// 
+// An AWS EBS disk must exist before mounting to a container. The disk
+// must also be in the same AWS zone as the kubelet. An AWS EBS disk
+// can only be mounted as read/write once. AWS EBS volumes support
+// ownership management and SELinux relabeling.
+message AWSElasticBlockStoreVolumeSource {
+  // Unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+  optional string volumeID = 1;
+
+  // Filesystem type of the volume that you want to mount.
+  // Tip: Ensure that the filesystem type is supported by the host operating system.
+  // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+  // TODO: how do we prevent errors in the filesystem from compromising the machine
+  // +optional
+  optional string fsType = 2;
+
+  // The partition in the volume that you want to mount.
+  // If omitted, the default is to mount by volume name.
+  // Examples: For volume /dev/sda1, you specify the partition as "1".
+  // Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+  // +optional
+  optional int32 partition = 3;
+
+  // Specify "true" to force and set the ReadOnly property in VolumeMounts to "true".
+  // If omitted, the default is "false".
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+  // +optional
+  optional bool readOnly = 4;
+}
+
+// Affinity is a group of affinity scheduling rules.
+message Affinity {
+  // Describes node affinity scheduling rules for the pod.
+  // +optional
+  optional NodeAffinity nodeAffinity = 1;
+
+  // Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+  // +optional
+  optional PodAffinity podAffinity = 2;
+
+  // Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+  // +optional
+  optional PodAntiAffinity podAntiAffinity = 3;
+}
+
+// AttachedVolume describes a volume attached to a node
+message AttachedVolume {
+  // Name of the attached volume
+  optional string name = 1;
+
+  // DevicePath represents the device path where the volume should be available
+  optional string devicePath = 2;
+}
+
+// AvoidPods describes pods that should avoid this node. This is the value for a
+// Node annotation with key scheduler.alpha.kubernetes.io/preferAvoidPods and
+// will eventually become a field of NodeStatus.
+message AvoidPods {
+  // Bounded-sized list of signatures of pods that should avoid this node, sorted
+  // in timestamp order from oldest to newest. Size of the slice is unspecified.
+  // +optional
+  repeated PreferAvoidPodsEntry preferAvoidPods = 1;
+}
+
+// AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+message AzureDiskVolumeSource {
+  // The Name of the data disk in the blob storage
+  optional string diskName = 1;
+
+  // The URI the data disk in the blob storage
+  optional string diskURI = 2;
+
+  // Host Caching mode: None, Read Only, Read Write.
+  // +optional
+  optional string cachingMode = 3;
+
+  // Filesystem type to mount.
+  // Must be a filesystem type supported by the host operating system.
+  // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // +optional
+  optional string fsType = 4;
+
+  // Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // +optional
+  optional bool readOnly = 5;
+
+  // Expected values Shared: mulitple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared
+  optional string kind = 6;
+}
+
+// AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
+message AzureFilePersistentVolumeSource {
+  // the name of secret that contains Azure Storage Account Name and Key
+  optional string secretName = 1;
+
+  // Share Name
+  optional string shareName = 2;
+
+  // Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // +optional
+  optional bool readOnly = 3;
+
+  // the namespace of the secret that contains Azure Storage Account Name and Key
+  // default is the same as the Pod
+  // +optional
+  optional string secretNamespace = 4;
+}
+
+// AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
+message AzureFileVolumeSource {
+  // the name of secret that contains Azure Storage Account Name and Key
+  optional string secretName = 1;
+
+  // Share Name
+  optional string shareName = 2;
+
+  // Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // +optional
+  optional bool readOnly = 3;
+}
+
+// Binding ties one object to another; for example, a pod is bound to a node by a scheduler.
+// Deprecated in 1.7, please use the bindings subresource of pods instead.
+message Binding {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // The target object that you want to bind to the standard object.
+  optional ObjectReference target = 2;
+}
+
+// Adds and removes POSIX capabilities from running containers.
+message Capabilities {
+  // Added capabilities
+  // +optional
+  repeated string add = 1;
+
+  // Removed capabilities
+  // +optional
+  repeated string drop = 2;
+}
+
+// Represents a Ceph Filesystem mount that lasts the lifetime of a pod
+// Cephfs volumes do not support ownership management or SELinux relabeling.
+message CephFSPersistentVolumeSource {
+  // Required: Monitors is a collection of Ceph monitors
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  repeated string monitors = 1;
+
+  // Optional: Used as the mounted root, rather than the full Ceph tree, default is /
+  // +optional
+  optional string path = 2;
+
+  // Optional: User is the rados user name, default is admin
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // +optional
+  optional string user = 3;
+
+  // Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // +optional
+  optional string secretFile = 4;
+
+  // Optional: SecretRef is reference to the authentication secret for User, default is empty.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // +optional
+  optional SecretReference secretRef = 5;
+
+  // Optional: Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // +optional
+  optional bool readOnly = 6;
+}
+
+// Represents a Ceph Filesystem mount that lasts the lifetime of a pod
+// Cephfs volumes do not support ownership management or SELinux relabeling.
+message CephFSVolumeSource {
+  // Required: Monitors is a collection of Ceph monitors
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  repeated string monitors = 1;
+
+  // Optional: Used as the mounted root, rather than the full Ceph tree, default is /
+  // +optional
+  optional string path = 2;
+
+  // Optional: User is the rados user name, default is admin
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // +optional
+  optional string user = 3;
+
+  // Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // +optional
+  optional string secretFile = 4;
+
+  // Optional: SecretRef is reference to the authentication secret for User, default is empty.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // +optional
+  optional LocalObjectReference secretRef = 5;
+
+  // Optional: Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+  // +optional
+  optional bool readOnly = 6;
+}
+
+// Represents a cinder volume resource in Openstack.
+// A Cinder volume must exist before mounting to a container.
+// The volume must also be in the same region as the kubelet.
+// Cinder volumes support ownership management and SELinux relabeling.
+message CinderVolumeSource {
+  // volume id used to identify the volume in cinder
+  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  optional string volumeID = 1;
+
+  // Filesystem type to mount.
+  // Must be a filesystem type supported by the host operating system.
+  // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // +optional
+  optional string fsType = 2;
+
+  // Optional: Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // +optional
+  optional bool readOnly = 3;
+}
+
+// ClientIPConfig represents the configurations of Client IP based session affinity.
+message ClientIPConfig {
+  // timeoutSeconds specifies the seconds of ClientIP type session sticky time.
+  // The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP".
+  // Default value is 10800(for 3 hours).
+  // +optional
+  optional int32 timeoutSeconds = 1;
+}
+
+// Information about the condition of a component.
+message ComponentCondition {
+  // Type of condition for a component.
+  // Valid value: "Healthy"
+  optional string type = 1;
+
+  // Status of the condition for a component.
+  // Valid values for "Healthy": "True", "False", or "Unknown".
+  optional string status = 2;
+
+  // Message about the condition for a component.
+  // For example, information about a health check.
+  // +optional
+  optional string message = 3;
+
+  // Condition error code for a component.
+  // For example, a health check error code.
+  // +optional
+  optional string error = 4;
+}
+
+// ComponentStatus (and ComponentStatusList) holds the cluster validation info.
+message ComponentStatus {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // List of component conditions observed
+  // +optional
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated ComponentCondition conditions = 2;
+}
+
+// Status of all the conditions for the component as a list of ComponentStatus objects.
+message ComponentStatusList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of ComponentStatus objects.
+  repeated ComponentStatus items = 2;
+}
+
+// ConfigMap holds configuration data for pods to consume.
+message ConfigMap {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Data contains the configuration data.
+  // Each key must consist of alphanumeric characters, '-', '_' or '.'.
+  // +optional
+  map<string, string> data = 2;
+}
+
+// ConfigMapEnvSource selects a ConfigMap to populate the environment
+// variables with.
+// 
+// The contents of the target ConfigMap's Data field will represent the
+// key-value pairs as environment variables.
+message ConfigMapEnvSource {
+  // The ConfigMap to select from.
+  optional LocalObjectReference localObjectReference = 1;
+
+  // Specify whether the ConfigMap must be defined
+  // +optional
+  optional bool optional = 2;
+}
+
+// Selects a key from a ConfigMap.
+message ConfigMapKeySelector {
+  // The ConfigMap to select from.
+  optional LocalObjectReference localObjectReference = 1;
+
+  // The key to select.
+  optional string key = 2;
+
+  // Specify whether the ConfigMap or it's key must be defined
+  // +optional
+  optional bool optional = 3;
+}
+
+// ConfigMapList is a resource containing a list of ConfigMap objects.
+message ConfigMapList {
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of ConfigMaps.
+  repeated ConfigMap items = 2;
+}
+
+// Adapts a ConfigMap into a projected volume.
+// 
+// The contents of the target ConfigMap's Data field will be presented in a
+// projected volume as files using the keys in the Data field as the file names,
+// unless the items element is populated with specific mappings of keys to paths.
+// Note that this is identical to a configmap volume source without the default
+// mode.
+message ConfigMapProjection {
+  optional LocalObjectReference localObjectReference = 1;
+
+  // If unspecified, each key-value pair in the Data field of the referenced
+  // ConfigMap will be projected into the volume as a file whose name is the
+  // key and content is the value. If specified, the listed keys will be
+  // projected into the specified paths, and unlisted keys will not be
+  // present. If a key is specified which is not present in the ConfigMap,
+  // the volume setup will error unless it is marked optional. Paths must be
+  // relative and may not contain the '..' path or start with '..'.
+  // +optional
+  repeated KeyToPath items = 2;
+
+  // Specify whether the ConfigMap or it's keys must be defined
+  // +optional
+  optional bool optional = 4;
+}
+
+// Adapts a ConfigMap into a volume.
+// 
+// The contents of the target ConfigMap's Data field will be presented in a
+// volume as files using the keys in the Data field as the file names, unless
+// the items element is populated with specific mappings of keys to paths.
+// ConfigMap volumes support ownership management and SELinux relabeling.
+message ConfigMapVolumeSource {
+  optional LocalObjectReference localObjectReference = 1;
+
+  // If unspecified, each key-value pair in the Data field of the referenced
+  // ConfigMap will be projected into the volume as a file whose name is the
+  // key and content is the value. If specified, the listed keys will be
+  // projected into the specified paths, and unlisted keys will not be
+  // present. If a key is specified which is not present in the ConfigMap,
+  // the volume setup will error unless it is marked optional. Paths must be
+  // relative and may not contain the '..' path or start with '..'.
+  // +optional
+  repeated KeyToPath items = 2;
+
+  // Optional: mode bits to use on created files by default. Must be a
+  // value between 0 and 0777. Defaults to 0644.
+  // Directories within the path are not affected by this setting.
+  // This might be in conflict with other options that affect the file
+  // mode, like fsGroup, and the result can be other mode bits set.
+  // +optional
+  optional int32 defaultMode = 3;
+
+  // Specify whether the ConfigMap or it's keys must be defined
+  // +optional
+  optional bool optional = 4;
+}
+
+// A single application container that you want to run within a pod.
+message Container {
+  // Name of the container specified as a DNS_LABEL.
+  // Each container in a pod must have a unique name (DNS_LABEL).
+  // Cannot be updated.
+  optional string name = 1;
+
+  // Docker image name.
+  // More info: https://kubernetes.io/docs/concepts/containers/images
+  // This field is optional to allow higher level config management to default or override
+  // container images in workload controllers like Deployments and StatefulSets.
+  // +optional
+  optional string image = 2;
+
+  // Entrypoint array. Not executed within a shell.
+  // The docker image's ENTRYPOINT is used if this is not provided.
+  // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+  // cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax
+  // can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded,
+  // regardless of whether the variable exists or not.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+  // +optional
+  repeated string command = 3;
+
+  // Arguments to the entrypoint.
+  // The docker image's CMD is used if this is not provided.
+  // Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+  // cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax
+  // can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded,
+  // regardless of whether the variable exists or not.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+  // +optional
+  repeated string args = 4;
+
+  // Container's working directory.
+  // If not specified, the container runtime's default will be used, which
+  // might be configured in the container image.
+  // Cannot be updated.
+  // +optional
+  optional string workingDir = 5;
+
+  // List of ports to expose from the container. Exposing a port here gives
+  // the system additional information about the network connections a
+  // container uses, but is primarily informational. Not specifying a port here
+  // DOES NOT prevent that port from being exposed. Any port which is
+  // listening on the default "0.0.0.0" address inside a container will be
+  // accessible from the network.
+  // Cannot be updated.
+  // +optional
+  // +patchMergeKey=containerPort
+  // +patchStrategy=merge
+  repeated ContainerPort ports = 6;
+
+  // List of sources to populate environment variables in the container.
+  // The keys defined within a source must be a C_IDENTIFIER. All invalid keys
+  // will be reported as an event when the container is starting. When a key exists in multiple
+  // sources, the value associated with the last source will take precedence.
+  // Values defined by an Env with a duplicate key will take precedence.
+  // Cannot be updated.
+  // +optional
+  repeated EnvFromSource envFrom = 19;
+
+  // List of environment variables to set in the container.
+  // Cannot be updated.
+  // +optional
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated EnvVar env = 7;
+
+  // Compute Resources required by this container.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+  // +optional
+  optional ResourceRequirements resources = 8;
+
+  // Pod volumes to mount into the container's filesystem.
+  // Cannot be updated.
+  // +optional
+  // +patchMergeKey=mountPath
+  // +patchStrategy=merge
+  repeated VolumeMount volumeMounts = 9;
+
+  // Periodic probe of container liveness.
+  // Container will be restarted if the probe fails.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+  // +optional
+  optional Probe livenessProbe = 10;
+
+  // Periodic probe of container service readiness.
+  // Container will be removed from service endpoints if the probe fails.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+  // +optional
+  optional Probe readinessProbe = 11;
+
+  // Actions that the management system should take in response to container lifecycle events.
+  // Cannot be updated.
+  // +optional
+  optional Lifecycle lifecycle = 12;
+
+  // Optional: Path at which the file to which the container's termination message
+  // will be written is mounted into the container's filesystem.
+  // Message written is intended to be brief final status, such as an assertion failure message.
+  // Will be truncated by the node if greater than 4096 bytes. The total message length across
+  // all containers will be limited to 12kb.
+  // Defaults to /dev/termination-log.
+  // Cannot be updated.
+  // +optional
+  optional string terminationMessagePath = 13;
+
+  // Indicate how the termination message should be populated. File will use the contents of
+  // terminationMessagePath to populate the container status message on both success and failure.
+  // FallbackToLogsOnError will use the last chunk of container log output if the termination
+  // message file is empty and the container exited with an error.
+  // The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
+  // Defaults to File.
+  // Cannot be updated.
+  // +optional
+  optional string terminationMessagePolicy = 20;
+
+  // Image pull policy.
+  // One of Always, Never, IfNotPresent.
+  // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+  // +optional
+  optional string imagePullPolicy = 14;
+
+  // Security options the pod should run with.
+  // More info: https://kubernetes.io/docs/concepts/policy/security-context/
+  // More info: https://git.k8s.io/community/contributors/design-proposals/security_context.md
+  // +optional
+  optional SecurityContext securityContext = 15;
+
+  // Whether this container should allocate a buffer for stdin in the container runtime. If this
+  // is not set, reads from stdin in the container will always result in EOF.
+  // Default is false.
+  // +optional
+  optional bool stdin = 16;
+
+  // Whether the container runtime should close the stdin channel after it has been opened by
+  // a single attach. When stdin is true the stdin stream will remain open across multiple attach
+  // sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
+  // first client attaches to stdin, and then remains open and accepts data until the client disconnects,
+  // at which time stdin is closed and remains closed until the container is restarted. If this
+  // flag is false, a container processes that reads from stdin will never receive an EOF.
+  // Default is false
+  // +optional
+  optional bool stdinOnce = 17;
+
+  // Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
+  // Default is false.
+  // +optional
+  optional bool tty = 18;
+}
+
+// Describe a container image
+message ContainerImage {
+  // Names by which this image is known.
+  // e.g. ["gcr.io/google_containers/hyperkube:v1.0.7", "dockerhub.io/google_containers/hyperkube:v1.0.7"]
+  repeated string names = 1;
+
+  // The size of the image in bytes.
+  // +optional
+  optional int64 sizeBytes = 2;
+}
+
+// ContainerPort represents a network port in a single container.
+message ContainerPort {
+  // If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
+  // named port in a pod must have a unique name. Name for the port that can be
+  // referred to by services.
+  // +optional
+  optional string name = 1;
+
+  // Number of port to expose on the host.
+  // If specified, this must be a valid port number, 0 < x < 65536.
+  // If HostNetwork is specified, this must match ContainerPort.
+  // Most containers do not need this.
+  // +optional
+  optional int32 hostPort = 2;
+
+  // Number of port to expose on the pod's IP address.
+  // This must be a valid port number, 0 < x < 65536.
+  optional int32 containerPort = 3;
+
+  // Protocol for port. Must be UDP or TCP.
+  // Defaults to "TCP".
+  // +optional
+  optional string protocol = 4;
+
+  // What host IP to bind the external port to.
+  // +optional
+  optional string hostIP = 5;
+}
+
+// ContainerState holds a possible state of container.
+// Only one of its members may be specified.
+// If none of them is specified, the default one is ContainerStateWaiting.
+message ContainerState {
+  // Details about a waiting container
+  // +optional
+  optional ContainerStateWaiting waiting = 1;
+
+  // Details about a running container
+  // +optional
+  optional ContainerStateRunning running = 2;
+
+  // Details about a terminated container
+  // +optional
+  optional ContainerStateTerminated terminated = 3;
+}
+
+// ContainerStateRunning is a running state of a container.
+message ContainerStateRunning {
+  // Time at which the container was last (re-)started
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time startedAt = 1;
+}
+
+// ContainerStateTerminated is a terminated state of a container.
+message ContainerStateTerminated {
+  // Exit status from the last termination of the container
+  optional int32 exitCode = 1;
+
+  // Signal from the last termination of the container
+  // +optional
+  optional int32 signal = 2;
+
+  // (brief) reason from the last termination of the container
+  // +optional
+  optional string reason = 3;
+
+  // Message regarding the last termination of the container
+  // +optional
+  optional string message = 4;
+
+  // Time at which previous execution of the container started
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time startedAt = 5;
+
+  // Time at which the container last terminated
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time finishedAt = 6;
+
+  // Container's ID in the format 'docker://<container_id>'
+  // +optional
+  optional string containerID = 7;
+}
+
+// ContainerStateWaiting is a waiting state of a container.
+message ContainerStateWaiting {
+  // (brief) reason the container is not yet running.
+  // +optional
+  optional string reason = 1;
+
+  // Message regarding why the container is not yet running.
+  // +optional
+  optional string message = 2;
+}
+
+// ContainerStatus contains details for the current status of this container.
+message ContainerStatus {
+  // This must be a DNS_LABEL. Each container in a pod must have a unique name.
+  // Cannot be updated.
+  optional string name = 1;
+
+  // Details about the container's current condition.
+  // +optional
+  optional ContainerState state = 2;
+
+  // Details about the container's last termination condition.
+  // +optional
+  optional ContainerState lastState = 3;
+
+  // Specifies whether the container has passed its readiness probe.
+  optional bool ready = 4;
+
+  // The number of times the container has been restarted, currently based on
+  // the number of dead containers that have not yet been removed.
+  // Note that this is calculated from dead containers. But those containers are subject to
+  // garbage collection. This value will get capped at 5 by GC.
+  optional int32 restartCount = 5;
+
+  // The image the container is running.
+  // More info: https://kubernetes.io/docs/concepts/containers/images
+  // TODO(dchen1107): Which image the container is running with?
+  optional string image = 6;
+
+  // ImageID of the container's image.
+  optional string imageID = 7;
+
+  // Container's ID in the format 'docker://<container_id>'.
+  // +optional
+  optional string containerID = 8;
+}
+
+// DaemonEndpoint contains information about a single Daemon endpoint.
+message DaemonEndpoint {
+  // Port number of the given endpoint.
+  optional int32 Port = 1;
+}
+
+// DeleteOptions may be provided when deleting an API object
+// DEPRECATED: This type has been moved to meta/v1 and will be removed soon.
+// +k8s:openapi-gen=false
+message DeleteOptions {
+  // The duration in seconds before the object should be deleted. Value must be non-negative integer.
+  // The value zero indicates delete immediately. If this value is nil, the default grace period for the
+  // specified type will be used.
+  // Defaults to a per object value if not specified. zero means delete immediately.
+  // +optional
+  optional int64 gracePeriodSeconds = 1;
+
+  // Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be
+  // returned.
+  // +optional
+  optional Preconditions preconditions = 2;
+
+  // Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7.
+  // Should the dependent objects be orphaned. If true/false, the "orphan"
+  // finalizer will be added to/removed from the object's finalizers list.
+  // Either this field or PropagationPolicy may be set, but not both.
+  // +optional
+  optional bool orphanDependents = 3;
+
+  // Whether and how garbage collection will be performed.
+  // Either this field or OrphanDependents may be set, but not both.
+  // The default policy is decided by the existing finalizer set in the
+  // metadata.finalizers and the resource-specific default policy.
+  // +optional
+  optional string propagationPolicy = 4;
+}
+
+// Represents downward API info for projecting into a projected volume.
+// Note that this is identical to a downwardAPI volume source without the default
+// mode.
+message DownwardAPIProjection {
+  // Items is a list of DownwardAPIVolume file
+  // +optional
+  repeated DownwardAPIVolumeFile items = 1;
+}
+
+// DownwardAPIVolumeFile represents information to create the file containing the pod field
+message DownwardAPIVolumeFile {
+  // Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'
+  optional string path = 1;
+
+  // Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.
+  // +optional
+  optional ObjectFieldSelector fieldRef = 2;
+
+  // Selects a resource of the container: only resources limits and requests
+  // (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+  // +optional
+  optional ResourceFieldSelector resourceFieldRef = 3;
+
+  // Optional: mode bits to use on this file, must be a value between 0
+  // and 0777. If not specified, the volume defaultMode will be used.
+  // This might be in conflict with other options that affect the file
+  // mode, like fsGroup, and the result can be other mode bits set.
+  // +optional
+  optional int32 mode = 4;
+}
+
+// DownwardAPIVolumeSource represents a volume containing downward API info.
+// Downward API volumes support ownership management and SELinux relabeling.
+message DownwardAPIVolumeSource {
+  // Items is a list of downward API volume file
+  // +optional
+  repeated DownwardAPIVolumeFile items = 1;
+
+  // Optional: mode bits to use on created files by default. Must be a
+  // value between 0 and 0777. Defaults to 0644.
+  // Directories within the path are not affected by this setting.
+  // This might be in conflict with other options that affect the file
+  // mode, like fsGroup, and the result can be other mode bits set.
+  // +optional
+  optional int32 defaultMode = 2;
+}
+
+// Represents an empty directory for a pod.
+// Empty directory volumes support ownership management and SELinux relabeling.
+message EmptyDirVolumeSource {
+  // What type of storage medium should back this directory.
+  // The default is "" which means to use the node's default medium.
+  // Must be an empty string (default) or Memory.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+  // +optional
+  optional string medium = 1;
+
+  // Total amount of local storage required for this EmptyDir volume.
+  // The size limit is also applicable for memory medium.
+  // The maximum usage on memory medium EmptyDir would be the minimum value between
+  // the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+  // The default is nil which means that the limit is undefined.
+  // More info: http://kubernetes.io/docs/user-guide/volumes#emptydir
+  // +optional
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity sizeLimit = 2;
+}
+
+// EndpointAddress is a tuple that describes single IP address.
+message EndpointAddress {
+  // The IP of this endpoint.
+  // May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16),
+  // or link-local multicast ((224.0.0.0/24).
+  // IPv6 is also accepted but not fully supported on all platforms. Also, certain
+  // kubernetes components, like kube-proxy, are not IPv6 ready.
+  // TODO: This should allow hostname or IP, See #4447.
+  optional string ip = 1;
+
+  // The Hostname of this endpoint
+  // +optional
+  optional string hostname = 3;
+
+  // Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node.
+  // +optional
+  optional string nodeName = 4;
+
+  // Reference to object providing the endpoint.
+  // +optional
+  optional ObjectReference targetRef = 2;
+}
+
+// EndpointPort is a tuple that describes a single port.
+message EndpointPort {
+  // The name of this port (corresponds to ServicePort.Name).
+  // Must be a DNS_LABEL.
+  // Optional only if one port is defined.
+  // +optional
+  optional string name = 1;
+
+  // The port number of the endpoint.
+  optional int32 port = 2;
+
+  // The IP protocol for this port.
+  // Must be UDP or TCP.
+  // Default is TCP.
+  // +optional
+  optional string protocol = 3;
+}
+
+// EndpointSubset is a group of addresses with a common set of ports. The
+// expanded set of endpoints is the Cartesian product of Addresses x Ports.
+// For example, given:
+//   {
+//     Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
+//     Ports:     [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
+//   }
+// The resulting set of endpoints can be viewed as:
+//     a: [ 10.10.1.1:8675, 10.10.2.2:8675 ],
+//     b: [ 10.10.1.1:309, 10.10.2.2:309 ]
+message EndpointSubset {
+  // IP addresses which offer the related ports that are marked as ready. These endpoints
+  // should be considered safe for load balancers and clients to utilize.
+  // +optional
+  repeated EndpointAddress addresses = 1;
+
+  // IP addresses which offer the related ports but are not currently marked as ready
+  // because they have not yet finished starting, have recently failed a readiness check,
+  // or have recently failed a liveness check.
+  // +optional
+  repeated EndpointAddress notReadyAddresses = 2;
+
+  // Port numbers available on the related IP addresses.
+  // +optional
+  repeated EndpointPort ports = 3;
+}
+
+// Endpoints is a collection of endpoints that implement the actual service. Example:
+//   Name: "mysvc",
+//   Subsets: [
+//     {
+//       Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
+//       Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
+//     },
+//     {
+//       Addresses: [{"ip": "10.10.3.3"}],
+//       Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}]
+//     },
+//  ]
+message Endpoints {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // The set of all endpoints is the union of all subsets. Addresses are placed into
+  // subsets according to the IPs they share. A single address with multiple ports,
+  // some of which are ready and some of which are not (because they come from
+  // different containers) will result in the address being displayed in different
+  // subsets for the different ports. No address will appear in both Addresses and
+  // NotReadyAddresses in the same subset.
+  // Sets of addresses and ports that comprise a service.
+  repeated EndpointSubset subsets = 2;
+}
+
+// EndpointsList is a list of endpoints.
+message EndpointsList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of endpoints.
+  repeated Endpoints items = 2;
+}
+
+// EnvFromSource represents the source of a set of ConfigMaps
+message EnvFromSource {
+  // An optional identifer to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+  // +optional
+  optional string prefix = 1;
+
+  // The ConfigMap to select from
+  // +optional
+  optional ConfigMapEnvSource configMapRef = 2;
+
+  // The Secret to select from
+  // +optional
+  optional SecretEnvSource secretRef = 3;
+}
+
+// EnvVar represents an environment variable present in a Container.
+message EnvVar {
+  // Name of the environment variable. Must be a C_IDENTIFIER.
+  optional string name = 1;
+
+  // Variable references $(VAR_NAME) are expanded
+  // using the previous defined environment variables in the container and
+  // any service environment variables. If a variable cannot be resolved,
+  // the reference in the input string will be unchanged. The $(VAR_NAME)
+  // syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped
+  // references will never be expanded, regardless of whether the variable
+  // exists or not.
+  // Defaults to "".
+  // +optional
+  optional string value = 2;
+
+  // Source for the environment variable's value. Cannot be used if value is not empty.
+  // +optional
+  optional EnvVarSource valueFrom = 3;
+}
+
+// EnvVarSource represents a source for the value of an EnvVar.
+message EnvVarSource {
+  // Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations,
+  // spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.
+  // +optional
+  optional ObjectFieldSelector fieldRef = 1;
+
+  // Selects a resource of the container: only resources limits and requests
+  // (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
+  // +optional
+  optional ResourceFieldSelector resourceFieldRef = 2;
+
+  // Selects a key of a ConfigMap.
+  // +optional
+  optional ConfigMapKeySelector configMapKeyRef = 3;
+
+  // Selects a key of a secret in the pod's namespace
+  // +optional
+  optional SecretKeySelector secretKeyRef = 4;
+}
+
+// Event is a report of an event somewhere in the cluster.
+// TODO: Decide whether to store these separately or with the object they apply to.
+message Event {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // The object that this event is about.
+  optional ObjectReference involvedObject = 2;
+
+  // This should be a short, machine understandable string that gives the reason
+  // for the transition into the object's current status.
+  // TODO: provide exact specification for format.
+  // +optional
+  optional string reason = 3;
+
+  // A human-readable description of the status of this operation.
+  // TODO: decide on maximum length.
+  // +optional
+  optional string message = 4;
+
+  // The component reporting this event. Should be a short machine understandable string.
+  // +optional
+  optional EventSource source = 5;
+
+  // The time at which the event was first recorded. (Time of server receipt is in TypeMeta.)
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time firstTimestamp = 6;
+
+  // The time at which the most recent occurrence of this event was recorded.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTimestamp = 7;
+
+  // The number of times this event has occurred.
+  // +optional
+  optional int32 count = 8;
+
+  // Type of this event (Normal, Warning), new types could be added in the future
+  // +optional
+  optional string type = 9;
+}
+
+// EventList is a list of events.
+message EventList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of events
+  repeated Event items = 2;
+}
+
+// EventSource contains information for an event.
+message EventSource {
+  // Component from which the event is generated.
+  // +optional
+  optional string component = 1;
+
+  // Node name on which the event is generated.
+  // +optional
+  optional string host = 2;
+}
+
+// ExecAction describes a "run in container" action.
+message ExecAction {
+  // Command is the command line to execute inside the container, the working directory for the
+  // command  is root ('/') in the container's filesystem. The command is simply exec'd, it is
+  // not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+  // a shell, you need to explicitly call out to that shell.
+  // Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+  // +optional
+  repeated string command = 1;
+}
+
+// Represents a Fibre Channel volume.
+// Fibre Channel volumes can only be mounted as read/write once.
+// Fibre Channel volumes support ownership management and SELinux relabeling.
+message FCVolumeSource {
+  // Optional: FC target worldwide names (WWNs)
+  // +optional
+  repeated string targetWWNs = 1;
+
+  // Optional: FC target lun number
+  // +optional
+  optional int32 lun = 2;
+
+  // Filesystem type to mount.
+  // Must be a filesystem type supported by the host operating system.
+  // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // TODO: how do we prevent errors in the filesystem from compromising the machine
+  // +optional
+  optional string fsType = 3;
+
+  // Optional: Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // +optional
+  optional bool readOnly = 4;
+
+  // Optional: FC volume world wide identifiers (wwids)
+  // Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+  // +optional
+  repeated string wwids = 5;
+}
+
+// FlexVolume represents a generic volume resource that is
+// provisioned/attached using an exec based plugin. This is an alpha feature and may change in future.
+message FlexVolumeSource {
+  // Driver is the name of the driver to use for this volume.
+  optional string driver = 1;
+
+  // Filesystem type to mount.
+  // Must be a filesystem type supported by the host operating system.
+  // Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+  // +optional
+  optional string fsType = 2;
+
+  // Optional: SecretRef is reference to the secret object containing
+  // sensitive information to pass to the plugin scripts. This may be
+  // empty if no secret object is specified. If the secret object
+  // contains more than one secret, all secrets are passed to the plugin
+  // scripts.
+  // +optional
+  optional LocalObjectReference secretRef = 3;
+
+  // Optional: Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // +optional
+  optional bool readOnly = 4;
+
+  // Optional: Extra command options if any.
+  // +optional
+  map<string, string> options = 5;
+}
+
+// Represents a Flocker volume mounted by the Flocker agent.
+// One and only one of datasetName and datasetUUID should be set.
+// Flocker volumes do not support ownership management or SELinux relabeling.
+message FlockerVolumeSource {
+  // Name of the dataset stored as metadata -> name on the dataset for Flocker
+  // should be considered as deprecated
+  // +optional
+  optional string datasetName = 1;
+
+  // UUID of the dataset. This is unique identifier of a Flocker dataset
+  // +optional
+  optional string datasetUUID = 2;
+}
+
+// Represents a Persistent Disk resource in Google Compute Engine.
+// 
+// A GCE PD must exist before mounting to a container. The disk must
+// also be in the same GCE project and zone as the kubelet. A GCE PD
+// can only be mounted as read/write once or read-only many times. GCE
+// PDs support ownership management and SELinux relabeling.
+message GCEPersistentDiskVolumeSource {
+  // Unique name of the PD resource in GCE. Used to identify the disk in GCE.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+  optional string pdName = 1;
+
+  // Filesystem type of the volume that you want to mount.
+  // Tip: Ensure that the filesystem type is supported by the host operating system.
+  // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+  // TODO: how do we prevent errors in the filesystem from compromising the machine
+  // +optional
+  optional string fsType = 2;
+
+  // The partition in the volume that you want to mount.
+  // If omitted, the default is to mount by volume name.
+  // Examples: For volume /dev/sda1, you specify the partition as "1".
+  // Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+  // +optional
+  optional int32 partition = 3;
+
+  // ReadOnly here will force the ReadOnly setting in VolumeMounts.
+  // Defaults to false.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+  // +optional
+  optional bool readOnly = 4;
+}
+
+// Represents a volume that is populated with the contents of a git repository.
+// Git repo volumes do not support ownership management.
+// Git repo volumes support SELinux relabeling.
+message GitRepoVolumeSource {
+  // Repository URL
+  optional string repository = 1;
+
+  // Commit hash for the specified revision.
+  // +optional
+  optional string revision = 2;
+
+  // Target directory name.
+  // Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the
+  // git repository.  Otherwise, if specified, the volume will contain the git repository in
+  // the subdirectory with the given name.
+  // +optional
+  optional string directory = 3;
+}
+
+// Represents a Glusterfs mount that lasts the lifetime of a pod.
+// Glusterfs volumes do not support ownership management or SELinux relabeling.
+message GlusterfsVolumeSource {
+  // EndpointsName is the endpoint name that details Glusterfs topology.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+  optional string endpoints = 1;
+
+  // Path is the Glusterfs volume path.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+  optional string path = 2;
+
+  // ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+  // Defaults to false.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+  // +optional
+  optional bool readOnly = 3;
+}
+
+// HTTPGetAction describes an action based on HTTP Get requests.
+message HTTPGetAction {
+  // Path to access on the HTTP server.
+  // +optional
+  optional string path = 1;
+
+  // Name or number of the port to access on the container.
+  // Number must be in the range 1 to 65535.
+  // Name must be an IANA_SVC_NAME.
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString port = 2;
+
+  // Host name to connect to, defaults to the pod IP. You probably want to set
+  // "Host" in httpHeaders instead.
+  // +optional
+  optional string host = 3;
+
+  // Scheme to use for connecting to the host.
+  // Defaults to HTTP.
+  // +optional
+  optional string scheme = 4;
+
+  // Custom headers to set in the request. HTTP allows repeated headers.
+  // +optional
+  repeated HTTPHeader httpHeaders = 5;
+}
+
+// HTTPHeader describes a custom header to be used in HTTP probes
+message HTTPHeader {
+  // The header field name
+  optional string name = 1;
+
+  // The header field value
+  optional string value = 2;
+}
+
+// Handler defines a specific action that should be taken
+// TODO: pass structured data to these actions, and document that data here.
+message Handler {
+  // One and only one of the following should be specified.
+  // Exec specifies the action to take.
+  // +optional
+  optional ExecAction exec = 1;
+
+  // HTTPGet specifies the http request to perform.
+  // +optional
+  optional HTTPGetAction httpGet = 2;
+
+  // TCPSocket specifies an action involving a TCP port.
+  // TCP hooks not yet supported
+  // TODO: implement a realistic TCP lifecycle hook
+  // +optional
+  optional TCPSocketAction tcpSocket = 3;
+}
+
+// HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
+// pod's hosts file.
+message HostAlias {
+  // IP address of the host file entry.
+  optional string ip = 1;
+
+  // Hostnames for the above IP address.
+  repeated string hostnames = 2;
+}
+
+// Represents a host path mapped into a pod.
+// Host path volumes do not support ownership management or SELinux relabeling.
+message HostPathVolumeSource {
+  // Path of the directory on the host.
+  // If the path is a symlink, it will follow the link to the real path.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+  optional string path = 1;
+
+  // Type for HostPath Volume
+  // Defaults to ""
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+  // +optional
+  optional string type = 2;
+}
+
+// Represents an ISCSI disk.
+// ISCSI volumes can only be mounted as read/write once.
+// ISCSI volumes support ownership management and SELinux relabeling.
+message ISCSIVolumeSource {
+  // iSCSI target portal. The portal is either an IP or ip_addr:port if the port
+  // is other than default (typically TCP ports 860 and 3260).
+  optional string targetPortal = 1;
+
+  // Target iSCSI Qualified Name.
+  optional string iqn = 2;
+
+  // iSCSI target lun number.
+  optional int32 lun = 3;
+
+  // Optional: Defaults to 'default' (tcp). iSCSI interface name that uses an iSCSI transport.
+  // +optional
+  optional string iscsiInterface = 4;
+
+  // Filesystem type of the volume that you want to mount.
+  // Tip: Ensure that the filesystem type is supported by the host operating system.
+  // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+  // TODO: how do we prevent errors in the filesystem from compromising the machine
+  // +optional
+  optional string fsType = 5;
+
+  // ReadOnly here will force the ReadOnly setting in VolumeMounts.
+  // Defaults to false.
+  // +optional
+  optional bool readOnly = 6;
+
+  // iSCSI target portal List. The portal is either an IP or ip_addr:port if the port
+  // is other than default (typically TCP ports 860 and 3260).
+  // +optional
+  repeated string portals = 7;
+
+  // whether support iSCSI Discovery CHAP authentication
+  // +optional
+  optional bool chapAuthDiscovery = 8;
+
+  // whether support iSCSI Session CHAP authentication
+  // +optional
+  optional bool chapAuthSession = 11;
+
+  // CHAP secret for iSCSI target and initiator authentication
+  // +optional
+  optional LocalObjectReference secretRef = 10;
+
+  // Custom iSCSI initiator name.
+  // If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+  // <target portal>:<volume name> will be created for the connection.
+  // +optional
+  optional string initiatorName = 12;
+}
+
+// Maps a string key to a path within a volume.
+message KeyToPath {
+  // The key to project.
+  optional string key = 1;
+
+  // The relative path of the file to map the key to.
+  // May not be an absolute path.
+  // May not contain the path element '..'.
+  // May not start with the string '..'.
+  optional string path = 2;
+
+  // Optional: mode bits to use on this file, must be a value between 0
+  // and 0777. If not specified, the volume defaultMode will be used.
+  // This might be in conflict with other options that affect the file
+  // mode, like fsGroup, and the result can be other mode bits set.
+  // +optional
+  optional int32 mode = 3;
+}
+
+// Lifecycle describes actions that the management system should take in response to container lifecycle
+// events. For the PostStart and PreStop lifecycle handlers, management of the container blocks
+// until the action is complete, unless the container process fails, in which case the handler is aborted.
+message Lifecycle {
+  // PostStart is called immediately after a container is created. If the handler fails,
+  // the container is terminated and restarted according to its restart policy.
+  // Other management of the container blocks until the hook completes.
+  // More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+  // +optional
+  optional Handler postStart = 1;
+
+  // PreStop is called immediately before a container is terminated.
+  // The container is terminated after the handler completes.
+  // The reason for termination is passed to the handler.
+  // Regardless of the outcome of the handler, the container is eventually terminated.
+  // Other management of the container blocks until the hook completes.
+  // More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+  // +optional
+  optional Handler preStop = 2;
+}
+
+// LimitRange sets resource usage limits for each kind of resource in a Namespace.
+message LimitRange {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the limits enforced.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional LimitRangeSpec spec = 2;
+}
+
+// LimitRangeItem defines a min/max usage limit for any resource that matches on kind.
+message LimitRangeItem {
+  // Type of resource that this limit applies to.
+  // +optional
+  optional string type = 1;
+
+  // Max usage constraints on this kind by resource name.
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> max = 2;
+
+  // Min usage constraints on this kind by resource name.
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> min = 3;
+
+  // Default resource requirement limit value by resource name if resource limit is omitted.
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> default = 4;
+
+  // DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> defaultRequest = 5;
+
+  // MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> maxLimitRequestRatio = 6;
+}
+
+// LimitRangeList is a list of LimitRange items.
+message LimitRangeList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of LimitRange objects.
+  // More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_limit_range.md
+  repeated LimitRange items = 2;
+}
+
+// LimitRangeSpec defines a min/max usage limit for resources that match on kind.
+message LimitRangeSpec {
+  // Limits is the list of LimitRangeItem objects that are enforced.
+  repeated LimitRangeItem limits = 1;
+}
+
+// List holds a list of objects, which may not be known by the server.
+message List {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of objects
+  repeated k8s.io.apimachinery.pkg.runtime.RawExtension items = 2;
+}
+
+// ListOptions is the query options to a standard REST list call.
+// DEPRECATED: This type has been moved to meta/v1 and will be removed soon.
+// +k8s:openapi-gen=false
+message ListOptions {
+  // A selector to restrict the list of returned objects by their labels.
+  // Defaults to everything.
+  // +optional
+  optional string labelSelector = 1;
+
+  // A selector to restrict the list of returned objects by their fields.
+  // Defaults to everything.
+  // +optional
+  optional string fieldSelector = 2;
+
+  // If true, partially initialized resources are included in the response.
+  // +optional
+  optional bool includeUninitialized = 6;
+
+  // Watch for changes to the described resources and return them as a stream of
+  // add, update, and remove notifications. Specify resourceVersion.
+  // +optional
+  optional bool watch = 3;
+
+  // When specified with a watch call, shows changes that occur after that particular version of a resource.
+  // Defaults to changes from the beginning of history.
+  // When specified for list:
+  // - if unset, then the result is returned from remote storage based on quorum-read flag;
+  // - if it's 0, then we simply return what we currently have in cache, no guarantee;
+  // - if set to non zero, then the result is at least as fresh as given rv.
+  // +optional
+  optional string resourceVersion = 4;
+
+  // Timeout for the list/watch call.
+  // +optional
+  optional int64 timeoutSeconds = 5;
+}
+
+// LoadBalancerIngress represents the status of a load-balancer ingress point:
+// traffic intended for the service should be sent to an ingress point.
+message LoadBalancerIngress {
+  // IP is set for load-balancer ingress points that are IP based
+  // (typically GCE or OpenStack load-balancers)
+  // +optional
+  optional string ip = 1;
+
+  // Hostname is set for load-balancer ingress points that are DNS based
+  // (typically AWS load-balancers)
+  // +optional
+  optional string hostname = 2;
+}
+
+// LoadBalancerStatus represents the status of a load-balancer.
+message LoadBalancerStatus {
+  // Ingress is a list containing ingress points for the load-balancer.
+  // Traffic intended for the service should be sent to these ingress points.
+  // +optional
+  repeated LoadBalancerIngress ingress = 1;
+}
+
+// LocalObjectReference contains enough information to let you locate the
+// referenced object inside the same namespace.
+message LocalObjectReference {
+  // Name of the referent.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+  // TODO: Add other useful fields. apiVersion, kind, uid?
+  // +optional
+  optional string name = 1;
+}
+
+// Local represents directly-attached storage with node affinity
+message LocalVolumeSource {
+  // The full path to the volume on the node
+  // For alpha, this path must be a directory
+  // Once block as a source is supported, then this path can point to a block device
+  optional string path = 1;
+}
+
+// Represents an NFS mount that lasts the lifetime of a pod.
+// NFS volumes do not support ownership management or SELinux relabeling.
+message NFSVolumeSource {
+  // Server is the hostname or IP address of the NFS server.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+  optional string server = 1;
+
+  // Path that is exported by the NFS server.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+  optional string path = 2;
+
+  // ReadOnly here will force
+  // the NFS export to be mounted with read-only permissions.
+  // Defaults to false.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+  // +optional
+  optional bool readOnly = 3;
+}
+
+// Namespace provides a scope for Names.
+// Use of multiple namespaces is optional.
+message Namespace {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the behavior of the Namespace.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional NamespaceSpec spec = 2;
+
+  // Status describes the current status of a Namespace.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional NamespaceStatus status = 3;
+}
+
+// NamespaceList is a list of Namespaces.
+message NamespaceList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of Namespace objects in the list.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+  repeated Namespace items = 2;
+}
+
+// NamespaceSpec describes the attributes on a Namespace.
+message NamespaceSpec {
+  // Finalizers is an opaque list of values that must be empty to permanently remove object from storage.
+  // More info: https://git.k8s.io/community/contributors/design-proposals/namespaces.md#finalizers
+  // +optional
+  repeated string finalizers = 1;
+}
+
+// NamespaceStatus is information about the current status of a Namespace.
+message NamespaceStatus {
+  // Phase is the current lifecycle phase of the namespace.
+  // More info: https://git.k8s.io/community/contributors/design-proposals/namespaces.md#phases
+  // +optional
+  optional string phase = 1;
+}
+
+// Node is a worker node in Kubernetes.
+// Each node will have a unique identifier in the cache (i.e. in etcd).
+message Node {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the behavior of a node.
+  // https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional NodeSpec spec = 2;
+
+  // Most recently observed status of the node.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional NodeStatus status = 3;
+}
+
+// NodeAddress contains information for the node's address.
+message NodeAddress {
+  // Node address type, one of Hostname, ExternalIP or InternalIP.
+  optional string type = 1;
+
+  // The node address.
+  optional string address = 2;
+}
+
+// Node affinity is a group of node affinity scheduling rules.
+message NodeAffinity {
+  // If the affinity requirements specified by this field are not met at
+  // scheduling time, the pod will not be scheduled onto the node.
+  // If the affinity requirements specified by this field cease to be met
+  // at some point during pod execution (e.g. due to an update), the system
+  // may or may not try to eventually evict the pod from its node.
+  // +optional
+  optional NodeSelector requiredDuringSchedulingIgnoredDuringExecution = 1;
+
+  // The scheduler will prefer to schedule pods to nodes that satisfy
+  // the affinity expressions specified by this field, but it may choose
+  // a node that violates one or more of the expressions. The node that is
+  // most preferred is the one with the greatest sum of weights, i.e.
+  // for each node that meets all of the scheduling requirements (resource
+  // request, requiredDuringScheduling affinity expressions, etc.),
+  // compute a sum by iterating through the elements of this field and adding
+  // "weight" to the sum if the node matches the corresponding matchExpressions; the
+  // node(s) with the highest sum are the most preferred.
+  // +optional
+  repeated PreferredSchedulingTerm preferredDuringSchedulingIgnoredDuringExecution = 2;
+}
+
+// NodeCondition contains condition information for a node.
+message NodeCondition {
+  // Type of node condition.
+  optional string type = 1;
+
+  // Status of the condition, one of True, False, Unknown.
+  optional string status = 2;
+
+  // Last time we got an update on a given condition.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastHeartbeatTime = 3;
+
+  // Last time the condition transit from one status to another.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 4;
+
+  // (brief) reason for the condition's last transition.
+  // +optional
+  optional string reason = 5;
+
+  // Human readable message indicating details about last transition.
+  // +optional
+  optional string message = 6;
+}
+
+// NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil.
+message NodeConfigSource {
+  optional ObjectReference configMapRef = 1;
+}
+
+// NodeDaemonEndpoints lists ports opened by daemons running on the Node.
+message NodeDaemonEndpoints {
+  // Endpoint on which Kubelet is listening.
+  // +optional
+  optional DaemonEndpoint kubeletEndpoint = 1;
+}
+
+// NodeList is the whole list of all Nodes which have been registered with master.
+message NodeList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of nodes
+  repeated Node items = 2;
+}
+
+// NodeProxyOptions is the query options to a Node's proxy call.
+message NodeProxyOptions {
+  // Path is the URL path to use for the current proxy request to node.
+  // +optional
+  optional string path = 1;
+}
+
+// NodeResources is an object for conveying resource information about a node.
+// see http://releases.k8s.io/HEAD/docs/design/resources.md for more details.
+message NodeResources {
+  // Capacity represents the available resources of a node
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> capacity = 1;
+}
+
+// A node selector represents the union of the results of one or more label queries
+// over a set of nodes; that is, it represents the OR of the selectors represented
+// by the node selector terms.
+message NodeSelector {
+  // Required. A list of node selector terms. The terms are ORed.
+  repeated NodeSelectorTerm nodeSelectorTerms = 1;
+}
+
+// A node selector requirement is a selector that contains values, a key, and an operator
+// that relates the key and values.
+message NodeSelectorRequirement {
+  // The label key that the selector applies to.
+  optional string key = 1;
+
+  // Represents a key's relationship to a set of values.
+  // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+  optional string operator = 2;
+
+  // An array of string values. If the operator is In or NotIn,
+  // the values array must be non-empty. If the operator is Exists or DoesNotExist,
+  // the values array must be empty. If the operator is Gt or Lt, the values
+  // array must have a single element, which will be interpreted as an integer.
+  // This array is replaced during a strategic merge patch.
+  // +optional
+  repeated string values = 3;
+}
+
+// A null or empty node selector term matches no objects.
+message NodeSelectorTerm {
+  // Required. A list of node selector requirements. The requirements are ANDed.
+  repeated NodeSelectorRequirement matchExpressions = 1;
+}
+
+// NodeSpec describes the attributes that a node is created with.
+message NodeSpec {
+  // PodCIDR represents the pod IP range assigned to the node.
+  // +optional
+  optional string podCIDR = 1;
+
+  // External ID of the node assigned by some machine database (e.g. a cloud provider).
+  // Deprecated.
+  // +optional
+  optional string externalID = 2;
+
+  // ID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>
+  // +optional
+  optional string providerID = 3;
+
+  // Unschedulable controls node schedulability of new pods. By default, node is schedulable.
+  // More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration
+  // +optional
+  optional bool unschedulable = 4;
+
+  // If specified, the node's taints.
+  // +optional
+  repeated Taint taints = 5;
+
+  // If specified, the source to get node configuration from
+  // The DynamicKubeletConfig feature gate must be enabled for the Kubelet to use this field
+  // +optional
+  optional NodeConfigSource configSource = 6;
+}
+
+// NodeStatus is information about the current status of a node.
+message NodeStatus {
+  // Capacity represents the total resources of a node.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> capacity = 1;
+
+  // Allocatable represents the resources of a node that are available for scheduling.
+  // Defaults to Capacity.
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> allocatable = 2;
+
+  // NodePhase is the recently observed lifecycle phase of the node.
+  // More info: https://kubernetes.io/docs/concepts/nodes/node/#phase
+  // The field is never populated, and now is deprecated.
+  // +optional
+  optional string phase = 3;
+
+  // Conditions is an array of current observed node conditions.
+  // More info: https://kubernetes.io/docs/concepts/nodes/node/#condition
+  // +optional
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated NodeCondition conditions = 4;
+
+  // List of addresses reachable to the node.
+  // Queried from cloud provider, if available.
+  // More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses
+  // +optional
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated NodeAddress addresses = 5;
+
+  // Endpoints of daemons running on the Node.
+  // +optional
+  optional NodeDaemonEndpoints daemonEndpoints = 6;
+
+  // Set of ids/uuids to uniquely identify the node.
+  // More info: https://kubernetes.io/docs/concepts/nodes/node/#info
+  // +optional
+  optional NodeSystemInfo nodeInfo = 7;
+
+  // List of container images on this node
+  // +optional
+  repeated ContainerImage images = 8;
+
+  // List of attachable volumes in use (mounted) by the node.
+  // +optional
+  repeated string volumesInUse = 9;
+
+  // List of volumes that are attached to the node.
+  // +optional
+  repeated AttachedVolume volumesAttached = 10;
+}
+
+// NodeSystemInfo is a set of ids/uuids to uniquely identify the node.
+message NodeSystemInfo {
+  // MachineID reported by the node. For unique machine identification
+  // in the cluster this field is preferred. Learn more from man(5)
+  // machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html
+  optional string machineID = 1;
+
+  // SystemUUID reported by the node. For unique machine identification
+  // MachineID is preferred. This field is specific to Red Hat hosts
+  // https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/getting-system-uuid.html
+  optional string systemUUID = 2;
+
+  // Boot ID reported by the node.
+  optional string bootID = 3;
+
+  // Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).
+  optional string kernelVersion = 4;
+
+  // OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)).
+  optional string osImage = 5;
+
+  // ContainerRuntime Version reported by the node through runtime remote API (e.g. docker://1.5.0).
+  optional string containerRuntimeVersion = 6;
+
+  // Kubelet Version reported by the node.
+  optional string kubeletVersion = 7;
+
+  // KubeProxy Version reported by the node.
+  optional string kubeProxyVersion = 8;
+
+  // The Operating System reported by the node
+  optional string operatingSystem = 9;
+
+  // The Architecture reported by the node
+  optional string architecture = 10;
+}
+
+// ObjectFieldSelector selects an APIVersioned field of an object.
+message ObjectFieldSelector {
+  // Version of the schema the FieldPath is written in terms of, defaults to "v1".
+  // +optional
+  optional string apiVersion = 1;
+
+  // Path of the field to select in the specified API version.
+  optional string fieldPath = 2;
+}
+
+// ObjectMeta is metadata that all persisted resources must have, which includes all objects
+// users must create.
+// DEPRECATED: Use k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta instead - this type will be removed soon.
+// +k8s:openapi-gen=false
+message ObjectMeta {
+  // Name must be unique within a namespace. Is required when creating resources, although
+  // some resources may allow a client to request the generation of an appropriate name
+  // automatically. Name is primarily intended for creation idempotence and configuration
+  // definition.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+  // +optional
+  optional string name = 1;
+
+  // GenerateName is an optional prefix, used by the server, to generate a unique
+  // name ONLY IF the Name field has not been provided.
+  // If this field is used, the name returned to the client will be different
+  // than the name passed. This value will also be combined with a unique suffix.
+  // The provided value has the same validation rules as the Name field,
+  // and may be truncated by the length of the suffix required to make the value
+  // unique on the server.
+  // 
+  // If this field is specified and the generated name exists, the server will
+  // NOT return a 409 - instead, it will either return 201 Created or 500 with Reason
+  // ServerTimeout indicating a unique name could not be found in the time allotted, and the client
+  // should retry (optionally after the time indicated in the Retry-After header).
+  // 
+  // Applied only if Name is not specified.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency
+  // +optional
+  optional string generateName = 2;
+
+  // Namespace defines the space within each name must be unique. An empty namespace is
+  // equivalent to the "default" namespace, but "default" is the canonical representation.
+  // Not all objects are required to be scoped to a namespace - the value of this field for
+  // those objects will be empty.
+  // 
+  // Must be a DNS_LABEL.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+  // +optional
+  optional string namespace = 3;
+
+  // SelfLink is a URL representing this object.
+  // Populated by the system.
+  // Read-only.
+  // +optional
+  optional string selfLink = 4;
+
+  // UID is the unique in time and space value for this object. It is typically generated by
+  // the server on successful creation of a resource and is not allowed to change on PUT
+  // operations.
+  // 
+  // Populated by the system.
+  // Read-only.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+  // +optional
+  optional string uid = 5;
+
+  // An opaque value that represents the internal version of this object that can
+  // be used by clients to determine when objects have changed. May be used for optimistic
+  // concurrency, change detection, and the watch operation on a resource or set of resources.
+  // Clients must treat these values as opaque and passed unmodified back to the server.
+  // They may only be valid for a particular resource or set of resources.
+  // 
+  // Populated by the system.
+  // Read-only.
+  // Value must be treated as opaque by clients and .
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency
+  // +optional
+  optional string resourceVersion = 6;
+
+  // A sequence number representing a specific generation of the desired state.
+  // Populated by the system. Read-only.
+  // +optional
+  optional int64 generation = 7;
+
+  // CreationTimestamp is a timestamp representing the server time when this object was
+  // created. It is not guaranteed to be set in happens-before order across separate operations.
+  // Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+  // 
+  // Populated by the system.
+  // Read-only.
+  // Null for lists.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time creationTimestamp = 8;
+
+  // DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
+  // field is set by the server when a graceful deletion is requested by the user, and is not
+  // directly settable by a client. The resource is expected to be deleted (no longer visible
+  // from resource lists, and not reachable by name) after the time in this field. Once set,
+  // this value may not be unset or be set further into the future, although it may be shortened
+  // or the resource may be deleted prior to this time. For example, a user may request that
+  // a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination
+  // signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard
+  // termination signal (SIGKILL) to the container and after cleanup, remove the pod from the
+  // API. In the presence of network partitions, this object may still exist after this
+  // timestamp, until an administrator or automated process can determine the resource is
+  // fully terminated.
+  // If not set, graceful deletion of the object has not been requested.
+  // 
+  // Populated by the system when a graceful deletion is requested.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time deletionTimestamp = 9;
+
+  // Number of seconds allowed for this object to gracefully terminate before
+  // it will be removed from the system. Only set when deletionTimestamp is also set.
+  // May only be shortened.
+  // Read-only.
+  // +optional
+  optional int64 deletionGracePeriodSeconds = 10;
+
+  // Map of string keys and values that can be used to organize and categorize
+  // (scope and select) objects. May match selectors of replication controllers
+  // and services.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+  // +optional
+  map<string, string> labels = 11;
+
+  // Annotations is an unstructured key value map stored with a resource that may be
+  // set by external tools to store and retrieve arbitrary metadata. They are not
+  // queryable and should be preserved when modifying objects.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  // +optional
+  map<string, string> annotations = 12;
+
+  // List of objects depended by this object. If ALL objects in the list have
+  // been deleted, this object will be garbage collected. If this object is managed by a controller,
+  // then an entry in this list will point to this controller, with the controller field set to true.
+  // There cannot be more than one managing controller.
+  // +optional
+  // +patchMergeKey=uid
+  // +patchStrategy=merge
+  repeated k8s.io.apimachinery.pkg.apis.meta.v1.OwnerReference ownerReferences = 13;
+
+  // An initializer is a controller which enforces some system invariant at object creation time.
+  // This field is a list of initializers that have not yet acted on this object. If nil or empty,
+  // this object has been completely initialized. Otherwise, the object is considered uninitialized
+  // and is hidden (in list/watch and get calls) from clients that haven't explicitly asked to
+  // observe uninitialized objects.
+  // 
+  // When an object is created, the system will populate this list with the current set of initializers.
+  // Only privileged users may set or modify this list. Once it is empty, it may not be modified further
+  // by any user.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Initializers initializers = 16;
+
+  // Must be empty before the object is deleted from the registry. Each entry
+  // is an identifier for the responsible component that will remove the entry
+  // from the list. If the deletionTimestamp of the object is non-nil, entries
+  // in this list can only be removed.
+  // +optional
+  // +patchStrategy=merge
+  repeated string finalizers = 14;
+
+  // The name of the cluster which the object belongs to.
+  // This is used to distinguish resources with same name and namespace in different clusters.
+  // This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.
+  // +optional
+  optional string clusterName = 15;
+}
+
+// ObjectReference contains enough information to let you inspect or modify the referred object.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+message ObjectReference {
+  // Kind of the referent.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional string kind = 1;
+
+  // Namespace of the referent.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+  // +optional
+  optional string namespace = 2;
+
+  // Name of the referent.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+  // +optional
+  optional string name = 3;
+
+  // UID of the referent.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+  // +optional
+  optional string uid = 4;
+
+  // API version of the referent.
+  // +optional
+  optional string apiVersion = 5;
+
+  // Specific resourceVersion to which this reference is made, if any.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency
+  // +optional
+  optional string resourceVersion = 6;
+
+  // If referring to a piece of an object instead of an entire object, this string
+  // should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+  // For example, if the object reference is to a container within a pod, this would take on a value like:
+  // "spec.containers{name}" (where "name" refers to the name of the container that triggered
+  // the event) or if no container name is specified "spec.containers[2]" (container with
+  // index 2 in this pod). This syntax is chosen only to have some well-defined way of
+  // referencing a part of an object.
+  // TODO: this design is not final and this field is subject to change in the future.
+  // +optional
+  optional string fieldPath = 7;
+}
+
+// PersistentVolume (PV) is a storage resource provisioned by an administrator.
+// It is analogous to a node.
+// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes
+message PersistentVolume {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines a specification of a persistent volume owned by the cluster.
+  // Provisioned by an administrator.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
+  // +optional
+  optional PersistentVolumeSpec spec = 2;
+
+  // Status represents the current information/status for the persistent volume.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
+  // +optional
+  optional PersistentVolumeStatus status = 3;
+}
+
+// PersistentVolumeClaim is a user's request for and claim to a persistent volume
+message PersistentVolumeClaim {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the desired characteristics of a volume requested by a pod author.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+  // +optional
+  optional PersistentVolumeClaimSpec spec = 2;
+
+  // Status represents the current information/status of a persistent volume claim.
+  // Read-only.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+  // +optional
+  optional PersistentVolumeClaimStatus status = 3;
+}
+
+// PersistentVolumeClaimCondition contails details about state of pvc
+message PersistentVolumeClaimCondition {
+  optional string type = 1;
+
+  optional string status = 2;
+
+  // Last time we probed the condition.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastProbeTime = 3;
+
+  // Last time the condition transitioned from one status to another.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 4;
+
+  // Unique, this should be a short, machine understandable string that gives the reason
+  // for condition's last transition. If it reports "ResizeStarted" that means the underlying
+  // persistent volume is being resized.
+  // +optional
+  optional string reason = 5;
+
+  // Human-readable message indicating details about last transition.
+  // +optional
+  optional string message = 6;
+}
+
+// PersistentVolumeClaimList is a list of PersistentVolumeClaim items.
+message PersistentVolumeClaimList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // A list of persistent volume claims.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+  repeated PersistentVolumeClaim items = 2;
+}
+
+// PersistentVolumeClaimSpec describes the common attributes of storage devices
+// and allows a Source for provider-specific attributes
+message PersistentVolumeClaimSpec {
+  // AccessModes contains the desired access modes the volume should have.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+  // +optional
+  repeated string accessModes = 1;
+
+  // A label query over volumes to consider for binding.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 4;
+
+  // Resources represents the minimum resources the volume should have.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+  // +optional
+  optional ResourceRequirements resources = 2;
+
+  // VolumeName is the binding reference to the PersistentVolume backing this claim.
+  // +optional
+  optional string volumeName = 3;
+
+  // Name of the StorageClass required by the claim.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+  // +optional
+  optional string storageClassName = 5;
+}
+
+// PersistentVolumeClaimStatus is the current status of a persistent volume claim.
+message PersistentVolumeClaimStatus {
+  // Phase represents the current phase of PersistentVolumeClaim.
+  // +optional
+  optional string phase = 1;
+
+  // AccessModes contains the actual access modes the volume backing the PVC has.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+  // +optional
+  repeated string accessModes = 2;
+
+  // Represents the actual resources of the underlying volume.
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> capacity = 3;
+
+  // Current Condition of persistent volume claim. If underlying persistent volume is being
+  // resized then the Condition will be set to 'ResizeStarted'.
+  // +optional
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated PersistentVolumeClaimCondition conditions = 4;
+}
+
+// PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace.
+// This volume finds the bound PV and mounts that volume for the pod. A
+// PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another
+// type of volume that is owned by someone else (the system).
+message PersistentVolumeClaimVolumeSource {
+  // ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+  optional string claimName = 1;
+
+  // Will force the ReadOnly setting in VolumeMounts.
+  // Default false.
+  // +optional
+  optional bool readOnly = 2;
+}
+
+// PersistentVolumeList is a list of PersistentVolume items.
+message PersistentVolumeList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of persistent volumes.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes
+  repeated PersistentVolume items = 2;
+}
+
+// PersistentVolumeSource is similar to VolumeSource but meant for the
+// administrator who creates PVs. Exactly one of its members must be set.
+message PersistentVolumeSource {
+  // GCEPersistentDisk represents a GCE Disk resource that is attached to a
+  // kubelet's host machine and then exposed to the pod. Provisioned by an admin.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+  // +optional
+  optional GCEPersistentDiskVolumeSource gcePersistentDisk = 1;
+
+  // AWSElasticBlockStore represents an AWS Disk resource that is attached to a
+  // kubelet's host machine and then exposed to the pod.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+  // +optional
+  optional AWSElasticBlockStoreVolumeSource awsElasticBlockStore = 2;
+
+  // HostPath represents a directory on the host.
+  // Provisioned by a developer or tester.
+  // This is useful for single-node development and testing only!
+  // On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+  // +optional
+  optional HostPathVolumeSource hostPath = 3;
+
+  // Glusterfs represents a Glusterfs volume that is attached to a host and
+  // exposed to the pod. Provisioned by an admin.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md
+  // +optional
+  optional GlusterfsVolumeSource glusterfs = 4;
+
+  // NFS represents an NFS mount on the host. Provisioned by an admin.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+  // +optional
+  optional NFSVolumeSource nfs = 5;
+
+  // RBD represents a Rados Block Device mount on the host that shares a pod's lifetime.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md
+  // +optional
+  optional RBDVolumeSource rbd = 6;
+
+  // ISCSI represents an ISCSI Disk resource that is attached to a
+  // kubelet's host machine and then exposed to the pod. Provisioned by an admin.
+  // +optional
+  optional ISCSIVolumeSource iscsi = 7;
+
+  // Cinder represents a cinder volume attached and mounted on kubelets host machine
+  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // +optional
+  optional CinderVolumeSource cinder = 8;
+
+  // CephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+  // +optional
+  optional CephFSPersistentVolumeSource cephfs = 9;
+
+  // FC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+  // +optional
+  optional FCVolumeSource fc = 10;
+
+  // Flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running
+  // +optional
+  optional FlockerVolumeSource flocker = 11;
+
+  // FlexVolume represents a generic volume resource that is
+  // provisioned/attached using an exec based plugin. This is an
+  // alpha feature and may change in future.
+  // +optional
+  optional FlexVolumeSource flexVolume = 12;
+
+  // AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
+  // +optional
+  optional AzureFilePersistentVolumeSource azureFile = 13;
+
+  // VsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+  // +optional
+  optional VsphereVirtualDiskVolumeSource vsphereVolume = 14;
+
+  // Quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+  // +optional
+  optional QuobyteVolumeSource quobyte = 15;
+
+  // AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+  // +optional
+  optional AzureDiskVolumeSource azureDisk = 16;
+
+  // PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+  optional PhotonPersistentDiskVolumeSource photonPersistentDisk = 17;
+
+  // PortworxVolume represents a portworx volume attached and mounted on kubelets host machine
+  // +optional
+  optional PortworxVolumeSource portworxVolume = 18;
+
+  // ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+  // +optional
+  optional ScaleIOPersistentVolumeSource scaleIO = 19;
+
+  // Local represents directly-attached storage with node affinity
+  // +optional
+  optional LocalVolumeSource local = 20;
+
+  // StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/storageos/README.md
+  // +optional
+  optional StorageOSPersistentVolumeSource storageos = 21;
+}
+
+// PersistentVolumeSpec is the specification of a persistent volume.
+message PersistentVolumeSpec {
+  // A description of the persistent volume's resources and capacity.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> capacity = 1;
+
+  // The actual volume backing the persistent volume.
+  optional PersistentVolumeSource persistentVolumeSource = 2;
+
+  // AccessModes contains all ways the volume can be mounted.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes
+  // +optional
+  repeated string accessModes = 3;
+
+  // ClaimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim.
+  // Expected to be non-nil when bound.
+  // claim.VolumeName is the authoritative bind between PV and PVC.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding
+  // +optional
+  optional ObjectReference claimRef = 4;
+
+  // What happens to a persistent volume when released from its claim.
+  // Valid options are Retain (default) and Recycle.
+  // Recycling must be supported by the volume plugin underlying this persistent volume.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming
+  // +optional
+  optional string persistentVolumeReclaimPolicy = 5;
+
+  // Name of StorageClass to which this persistent volume belongs. Empty value
+  // means that this volume does not belong to any StorageClass.
+  // +optional
+  optional string storageClassName = 6;
+
+  // A list of mount options, e.g. ["ro", "soft"]. Not validated - mount will
+  // simply fail if one is invalid.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options
+  // +optional
+  repeated string mountOptions = 7;
+}
+
+// PersistentVolumeStatus is the current status of a persistent volume.
+message PersistentVolumeStatus {
+  // Phase indicates if a volume is available, bound to a claim, or released by a claim.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase
+  // +optional
+  optional string phase = 1;
+
+  // A human-readable message indicating details about why the volume is in this state.
+  // +optional
+  optional string message = 2;
+
+  // Reason is a brief CamelCase string that describes any failure and is meant
+  // for machine parsing and tidy display in the CLI.
+  // +optional
+  optional string reason = 3;
+}
+
+// Represents a Photon Controller persistent disk resource.
+message PhotonPersistentDiskVolumeSource {
+  // ID that identifies Photon Controller persistent disk
+  optional string pdID = 1;
+
+  // Filesystem type to mount.
+  // Must be a filesystem type supported by the host operating system.
+  // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  optional string fsType = 2;
+}
+
+// Pod is a collection of containers that can run on a host. This resource is created
+// by clients and scheduled onto hosts.
+message Pod {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of the pod.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional PodSpec spec = 2;
+
+  // Most recently observed status of the pod.
+  // This data may not be up to date.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional PodStatus status = 3;
+}
+
+// Pod affinity is a group of inter pod affinity scheduling rules.
+message PodAffinity {
+  // If the affinity requirements specified by this field are not met at
+  // scheduling time, the pod will not be scheduled onto the node.
+  // If the affinity requirements specified by this field cease to be met
+  // at some point during pod execution (e.g. due to a pod label update), the
+  // system may or may not try to eventually evict the pod from its node.
+  // When there are multiple elements, the lists of nodes corresponding to each
+  // podAffinityTerm are intersected, i.e. all terms must be satisfied.
+  // +optional
+  repeated PodAffinityTerm requiredDuringSchedulingIgnoredDuringExecution = 1;
+
+  // The scheduler will prefer to schedule pods to nodes that satisfy
+  // the affinity expressions specified by this field, but it may choose
+  // a node that violates one or more of the expressions. The node that is
+  // most preferred is the one with the greatest sum of weights, i.e.
+  // for each node that meets all of the scheduling requirements (resource
+  // request, requiredDuringScheduling affinity expressions, etc.),
+  // compute a sum by iterating through the elements of this field and adding
+  // "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+  // node(s) with the highest sum are the most preferred.
+  // +optional
+  repeated WeightedPodAffinityTerm preferredDuringSchedulingIgnoredDuringExecution = 2;
+}
+
+// Defines a set of pods (namely those matching the labelSelector
+// relative to the given namespace(s)) that this pod should be
+// co-located (affinity) or not co-located (anti-affinity) with,
+// where co-located is defined as running on a node whose value of
+// the label with key <topologyKey> tches that of any node on which
+// a pod of the set of pods is running
+message PodAffinityTerm {
+  // A label query over a set of resources, in this case pods.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector labelSelector = 1;
+
+  // namespaces specifies which namespaces the labelSelector applies to (matches against);
+  // null or empty list means "this pod's namespace"
+  repeated string namespaces = 2;
+
+  // This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+  // the labelSelector in the specified namespaces, where co-located is defined as running on a node
+  // whose value of the label with key topologyKey matches that of any node on which any of the
+  // selected pods is running.
+  // For PreferredDuringScheduling pod anti-affinity, empty topologyKey is interpreted as "all topologies"
+  // ("all topologies" here means all the topologyKeys indicated by scheduler command-line argument --failure-domains);
+  // for affinity and for RequiredDuringScheduling pod anti-affinity, empty topologyKey is not allowed.
+  // +optional
+  optional string topologyKey = 3;
+}
+
+// Pod anti affinity is a group of inter pod anti affinity scheduling rules.
+message PodAntiAffinity {
+  // If the anti-affinity requirements specified by this field are not met at
+  // scheduling time, the pod will not be scheduled onto the node.
+  // If the anti-affinity requirements specified by this field cease to be met
+  // at some point during pod execution (e.g. due to a pod label update), the
+  // system may or may not try to eventually evict the pod from its node.
+  // When there are multiple elements, the lists of nodes corresponding to each
+  // podAffinityTerm are intersected, i.e. all terms must be satisfied.
+  // +optional
+  repeated PodAffinityTerm requiredDuringSchedulingIgnoredDuringExecution = 1;
+
+  // The scheduler will prefer to schedule pods to nodes that satisfy
+  // the anti-affinity expressions specified by this field, but it may choose
+  // a node that violates one or more of the expressions. The node that is
+  // most preferred is the one with the greatest sum of weights, i.e.
+  // for each node that meets all of the scheduling requirements (resource
+  // request, requiredDuringScheduling anti-affinity expressions, etc.),
+  // compute a sum by iterating through the elements of this field and adding
+  // "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+  // node(s) with the highest sum are the most preferred.
+  // +optional
+  repeated WeightedPodAffinityTerm preferredDuringSchedulingIgnoredDuringExecution = 2;
+}
+
+// PodAttachOptions is the query options to a Pod's remote attach call.
+// ---
+// TODO: merge w/ PodExecOptions below for stdin, stdout, etc
+// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY
+message PodAttachOptions {
+  // Stdin if true, redirects the standard input stream of the pod for this call.
+  // Defaults to false.
+  // +optional
+  optional bool stdin = 1;
+
+  // Stdout if true indicates that stdout is to be redirected for the attach call.
+  // Defaults to true.
+  // +optional
+  optional bool stdout = 2;
+
+  // Stderr if true indicates that stderr is to be redirected for the attach call.
+  // Defaults to true.
+  // +optional
+  optional bool stderr = 3;
+
+  // TTY if true indicates that a tty will be allocated for the attach call.
+  // This is passed through the container runtime so the tty
+  // is allocated on the worker node by the container runtime.
+  // Defaults to false.
+  // +optional
+  optional bool tty = 4;
+
+  // The container in which to execute the command.
+  // Defaults to only container if there is only one container in the pod.
+  // +optional
+  optional string container = 5;
+}
+
+// PodCondition contains details for the current condition of this pod.
+message PodCondition {
+  // Type is the type of the condition.
+  // Currently only Ready.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
+  optional string type = 1;
+
+  // Status is the status of the condition.
+  // Can be True, False, Unknown.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
+  optional string status = 2;
+
+  // Last time we probed the condition.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastProbeTime = 3;
+
+  // Last time the condition transitioned from one status to another.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 4;
+
+  // Unique, one-word, CamelCase reason for the condition's last transition.
+  // +optional
+  optional string reason = 5;
+
+  // Human-readable message indicating details about last transition.
+  // +optional
+  optional string message = 6;
+}
+
+// PodExecOptions is the query options to a Pod's remote exec call.
+// ---
+// TODO: This is largely identical to PodAttachOptions above, make sure they stay in sync and see about merging
+// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY
+message PodExecOptions {
+  // Redirect the standard input stream of the pod for this call.
+  // Defaults to false.
+  // +optional
+  optional bool stdin = 1;
+
+  // Redirect the standard output stream of the pod for this call.
+  // Defaults to true.
+  // +optional
+  optional bool stdout = 2;
+
+  // Redirect the standard error stream of the pod for this call.
+  // Defaults to true.
+  // +optional
+  optional bool stderr = 3;
+
+  // TTY if true indicates that a tty will be allocated for the exec call.
+  // Defaults to false.
+  // +optional
+  optional bool tty = 4;
+
+  // Container in which to execute the command.
+  // Defaults to only container if there is only one container in the pod.
+  // +optional
+  optional string container = 5;
+
+  // Command is the remote command to execute. argv array. Not executed within a shell.
+  repeated string command = 6;
+}
+
+// PodList is a list of Pods.
+message PodList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of pods.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md
+  repeated Pod items = 2;
+}
+
+// PodLogOptions is the query options for a Pod's logs REST call.
+message PodLogOptions {
+  // The container for which to stream logs. Defaults to only container if there is one container in the pod.
+  // +optional
+  optional string container = 1;
+
+  // Follow the log stream of the pod. Defaults to false.
+  // +optional
+  optional bool follow = 2;
+
+  // Return previous terminated container logs. Defaults to false.
+  // +optional
+  optional bool previous = 3;
+
+  // A relative time in seconds before the current time from which to show logs. If this value
+  // precedes the time a pod was started, only logs since the pod start will be returned.
+  // If this value is in the future, no logs will be returned.
+  // Only one of sinceSeconds or sinceTime may be specified.
+  // +optional
+  optional int64 sinceSeconds = 4;
+
+  // An RFC3339 timestamp from which to show logs. If this value
+  // precedes the time a pod was started, only logs since the pod start will be returned.
+  // If this value is in the future, no logs will be returned.
+  // Only one of sinceSeconds or sinceTime may be specified.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time sinceTime = 5;
+
+  // If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line
+  // of log output. Defaults to false.
+  // +optional
+  optional bool timestamps = 6;
+
+  // If set, the number of lines from the end of the logs to show. If not specified,
+  // logs are shown from the creation of the container or sinceSeconds or sinceTime
+  // +optional
+  optional int64 tailLines = 7;
+
+  // If set, the number of bytes to read from the server before terminating the
+  // log output. This may not display a complete final line of logging, and may return
+  // slightly more or slightly less than the specified limit.
+  // +optional
+  optional int64 limitBytes = 8;
+}
+
+// PodPortForwardOptions is the query options to a Pod's port forward call
+// when using WebSockets.
+// The `port` query parameter must specify the port or
+// ports (comma separated) to forward over.
+// Port forwarding over SPDY does not use these options. It requires the port
+// to be passed in the `port` header as part of request.
+message PodPortForwardOptions {
+  // List of ports to forward
+  // Required when using WebSockets
+  // +optional
+  repeated int32 ports = 1;
+}
+
+// PodProxyOptions is the query options to a Pod's proxy call.
+message PodProxyOptions {
+  // Path is the URL path to use for the current proxy request to pod.
+  // +optional
+  optional string path = 1;
+}
+
+// PodSecurityContext holds pod-level security attributes and common container settings.
+// Some fields are also present in container.securityContext.  Field values of
+// container.securityContext take precedence over field values of PodSecurityContext.
+message PodSecurityContext {
+  // The SELinux context to be applied to all containers.
+  // If unspecified, the container runtime will allocate a random SELinux context for each
+  // container.  May also be set in SecurityContext.  If set in
+  // both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+  // takes precedence for that container.
+  // +optional
+  optional SELinuxOptions seLinuxOptions = 1;
+
+  // The UID to run the entrypoint of the container process.
+  // Defaults to user specified in image metadata if unspecified.
+  // May also be set in SecurityContext.  If set in both SecurityContext and
+  // PodSecurityContext, the value specified in SecurityContext takes precedence
+  // for that container.
+  // +optional
+  optional int64 runAsUser = 2;
+
+  // Indicates that the container must run as a non-root user.
+  // If true, the Kubelet will validate the image at runtime to ensure that it
+  // does not run as UID 0 (root) and fail to start the container if it does.
+  // If unset or false, no such validation will be performed.
+  // May also be set in SecurityContext.  If set in both SecurityContext and
+  // PodSecurityContext, the value specified in SecurityContext takes precedence.
+  // +optional
+  optional bool runAsNonRoot = 3;
+
+  // A list of groups applied to the first process run in each container, in addition
+  // to the container's primary GID.  If unspecified, no groups will be added to
+  // any container.
+  // +optional
+  repeated int64 supplementalGroups = 4;
+
+  // A special supplemental group that applies to all containers in a pod.
+  // Some volume types allow the Kubelet to change the ownership of that volume
+  // to be owned by the pod:
+  // 
+  // 1. The owning GID will be the FSGroup
+  // 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+  // 3. The permission bits are OR'd with rw-rw----
+  // 
+  // If unset, the Kubelet will not modify the ownership and permissions of any volume.
+  // +optional
+  optional int64 fsGroup = 5;
+}
+
+// Describes the class of pods that should avoid this node.
+// Exactly one field should be set.
+message PodSignature {
+  // Reference to controller whose pods should avoid this node.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.OwnerReference podController = 1;
+}
+
+// PodSpec is a description of a pod.
+message PodSpec {
+  // List of volumes that can be mounted by containers belonging to the pod.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes
+  // +optional
+  // +patchMergeKey=name
+  // +patchStrategy=merge,retainKeys
+  repeated Volume volumes = 1;
+
+  // List of initialization containers belonging to the pod.
+  // Init containers are executed in order prior to containers being started. If any
+  // init container fails, the pod is considered to have failed and is handled according
+  // to its restartPolicy. The name for an init container or normal container must be
+  // unique among all containers.
+  // Init containers may not have Lifecycle actions, Readiness probes, or Liveness probes.
+  // The resourceRequirements of an init container are taken into account during scheduling
+  // by finding the highest request/limit for each resource type, and then using the max of
+  // of that value or the sum of the normal containers. Limits are applied to init containers
+  // in a similar fashion.
+  // Init containers cannot currently be added or removed.
+  // Cannot be updated.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated Container initContainers = 20;
+
+  // List of containers belonging to the pod.
+  // Containers cannot currently be added or removed.
+  // There must be at least one container in a Pod.
+  // Cannot be updated.
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated Container containers = 2;
+
+  // Restart policy for all containers within the pod.
+  // One of Always, OnFailure, Never.
+  // Default to Always.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
+  // +optional
+  optional string restartPolicy = 3;
+
+  // Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request.
+  // Value must be non-negative integer. The value zero indicates delete immediately.
+  // If this value is nil, the default grace period will be used instead.
+  // The grace period is the duration in seconds after the processes running in the pod are sent
+  // a termination signal and the time when the processes are forcibly halted with a kill signal.
+  // Set this value longer than the expected cleanup time for your process.
+  // Defaults to 30 seconds.
+  // +optional
+  optional int64 terminationGracePeriodSeconds = 4;
+
+  // Optional duration in seconds the pod may be active on the node relative to
+  // StartTime before the system will actively try to mark it failed and kill associated containers.
+  // Value must be a positive integer.
+  // +optional
+  optional int64 activeDeadlineSeconds = 5;
+
+  // Set DNS policy for containers within the pod.
+  // One of 'ClusterFirstWithHostNet', 'ClusterFirst' or 'Default'.
+  // Defaults to "ClusterFirst".
+  // To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.
+  // +optional
+  optional string dnsPolicy = 6;
+
+  // NodeSelector is a selector which must be true for the pod to fit on a node.
+  // Selector which must match a node's labels for the pod to be scheduled on that node.
+  // More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+  // +optional
+  map<string, string> nodeSelector = 7;
+
+  // ServiceAccountName is the name of the ServiceAccount to use to run this pod.
+  // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+  // +optional
+  optional string serviceAccountName = 8;
+
+  // DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+  // Deprecated: Use serviceAccountName instead.
+  // +k8s:conversion-gen=false
+  // +optional
+  optional string serviceAccount = 9;
+
+  // AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
+  // +optional
+  optional bool automountServiceAccountToken = 21;
+
+  // NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
+  // the scheduler simply schedules this pod onto that node, assuming that it fits resource
+  // requirements.
+  // +optional
+  optional string nodeName = 10;
+
+  // Host networking requested for this pod. Use the host's network namespace.
+  // If this option is set, the ports that will be used must be specified.
+  // Default to false.
+  // +k8s:conversion-gen=false
+  // +optional
+  optional bool hostNetwork = 11;
+
+  // Use the host's pid namespace.
+  // Optional: Default to false.
+  // +k8s:conversion-gen=false
+  // +optional
+  optional bool hostPID = 12;
+
+  // Use the host's ipc namespace.
+  // Optional: Default to false.
+  // +k8s:conversion-gen=false
+  // +optional
+  optional bool hostIPC = 13;
+
+  // SecurityContext holds pod-level security attributes and common container settings.
+  // Optional: Defaults to empty.  See type description for default values of each field.
+  // +optional
+  optional PodSecurityContext securityContext = 14;
+
+  // ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
+  // If specified, these secrets will be passed to individual puller implementations for them to use. For example,
+  // in the case of docker, only DockerConfig type secrets are honored.
+  // More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
+  // +optional
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated LocalObjectReference imagePullSecrets = 15;
+
+  // Specifies the hostname of the Pod
+  // If not specified, the pod's hostname will be set to a system-defined value.
+  // +optional
+  optional string hostname = 16;
+
+  // If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>".
+  // If not specified, the pod will not have a domainname at all.
+  // +optional
+  optional string subdomain = 17;
+
+  // If specified, the pod's scheduling constraints
+  // +optional
+  optional Affinity affinity = 18;
+
+  // If specified, the pod will be dispatched by specified scheduler.
+  // If not specified, the pod will be dispatched by default scheduler.
+  // +optional
+  optional string schedulerName = 19;
+
+  // If specified, the pod's tolerations.
+  // +optional
+  repeated Toleration tolerations = 22;
+
+  // HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
+  // file if specified. This is only valid for non-hostNetwork pods.
+  // +optional
+  // +patchMergeKey=ip
+  // +patchStrategy=merge
+  repeated HostAlias hostAliases = 23;
+
+  // If specified, indicates the pod's priority. "SYSTEM" is a special keyword
+  // which indicates the highest priority. Any other name must be defined by
+  // creating a PriorityClass object with that name.
+  // If not specified, the pod priority will be default or zero if there is no
+  // default.
+  // +optional
+  optional string priorityClassName = 24;
+
+  // The priority value. Various system components use this field to find the
+  // priority of the pod. When Priority Admission Controller is enabled, it
+  // prevents users from setting this field. The admission controller populates
+  // this field from PriorityClassName.
+  // The higher the value, the higher the priority.
+  // +optional
+  optional int32 priority = 25;
+}
+
+// PodStatus represents information about the status of a pod. Status may trail the actual
+// state of a system.
+message PodStatus {
+  // Current condition of the pod.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase
+  // +optional
+  optional string phase = 1;
+
+  // Current service state of pod.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
+  // +optional
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated PodCondition conditions = 2;
+
+  // A human readable message indicating details about why the pod is in this condition.
+  // +optional
+  optional string message = 3;
+
+  // A brief CamelCase message indicating details about why the pod is in this state.
+  // e.g. 'Evicted'
+  // +optional
+  optional string reason = 4;
+
+  // IP address of the host to which the pod is assigned. Empty if not yet scheduled.
+  // +optional
+  optional string hostIP = 5;
+
+  // IP address allocated to the pod. Routable at least within the cluster.
+  // Empty if not yet allocated.
+  // +optional
+  optional string podIP = 6;
+
+  // RFC 3339 date and time at which the object was acknowledged by the Kubelet.
+  // This is before the Kubelet pulled the container image(s) for the pod.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time startTime = 7;
+
+  // The list has one entry per init container in the manifest. The most recent successful
+  // init container will have ready = true, the most recently started container will have
+  // startTime set.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status
+  repeated ContainerStatus initContainerStatuses = 10;
+
+  // The list has one entry per container in the manifest. Each entry is currently the output
+  // of `docker inspect`.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status
+  // +optional
+  repeated ContainerStatus containerStatuses = 8;
+
+  // The Quality of Service (QOS) classification assigned to the pod based on resource requirements
+  // See PodQOSClass type for available QOS classes
+  // More info: https://github.com/kubernetes/kubernetes/blob/master/docs/design/resource-qos.md
+  // +optional
+  optional string qosClass = 9;
+}
+
+// PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded
+message PodStatusResult {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Most recently observed status of the pod.
+  // This data may not be up to date.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional PodStatus status = 2;
+}
+
+// PodTemplate describes a template for creating copies of a predefined pod.
+message PodTemplate {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Template defines the pods that will be created from this pod template.
+  // https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional PodTemplateSpec template = 2;
+}
+
+// PodTemplateList is a list of PodTemplates.
+message PodTemplateList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of pod templates
+  repeated PodTemplate items = 2;
+}
+
+// PodTemplateSpec describes the data a pod should have when created from a template
+message PodTemplateSpec {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of the pod.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional PodSpec spec = 2;
+}
+
+// PortworxVolumeSource represents a Portworx volume resource.
+message PortworxVolumeSource {
+  // VolumeID uniquely identifies a Portworx volume
+  optional string volumeID = 1;
+
+  // FSType represents the filesystem type to mount
+  // Must be a filesystem type supported by the host operating system.
+  // Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+  optional string fsType = 2;
+
+  // Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // +optional
+  optional bool readOnly = 3;
+}
+
+// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.
+// +k8s:openapi-gen=false
+message Preconditions {
+  // Specifies the target UID.
+  // +optional
+  optional string uid = 1;
+}
+
+// Describes a class of pods that should avoid this node.
+message PreferAvoidPodsEntry {
+  // The class of pods.
+  optional PodSignature podSignature = 1;
+
+  // Time at which this entry was added to the list.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time evictionTime = 2;
+
+  // (brief) reason why this entry was added to the list.
+  // +optional
+  optional string reason = 3;
+
+  // Human readable message indicating why this entry was added to the list.
+  // +optional
+  optional string message = 4;
+}
+
+// An empty preferred scheduling term matches all objects with implicit weight 0
+// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+message PreferredSchedulingTerm {
+  // Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+  optional int32 weight = 1;
+
+  // A node selector term, associated with the corresponding weight.
+  optional NodeSelectorTerm preference = 2;
+}
+
+// Probe describes a health check to be performed against a container to determine whether it is
+// alive or ready to receive traffic.
+message Probe {
+  // The action taken to determine the health of a container
+  optional Handler handler = 1;
+
+  // Number of seconds after the container has started before liveness probes are initiated.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+  // +optional
+  optional int32 initialDelaySeconds = 2;
+
+  // Number of seconds after which the probe times out.
+  // Defaults to 1 second. Minimum value is 1.
+  // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+  // +optional
+  optional int32 timeoutSeconds = 3;
+
+  // How often (in seconds) to perform the probe.
+  // Default to 10 seconds. Minimum value is 1.
+  // +optional
+  optional int32 periodSeconds = 4;
+
+  // Minimum consecutive successes for the probe to be considered successful after having failed.
+  // Defaults to 1. Must be 1 for liveness. Minimum value is 1.
+  // +optional
+  optional int32 successThreshold = 5;
+
+  // Minimum consecutive failures for the probe to be considered failed after having succeeded.
+  // Defaults to 3. Minimum value is 1.
+  // +optional
+  optional int32 failureThreshold = 6;
+}
+
+// Represents a projected volume source
+message ProjectedVolumeSource {
+  // list of volume projections
+  repeated VolumeProjection sources = 1;
+
+  // Mode bits to use on created files by default. Must be a value between
+  // 0 and 0777.
+  // Directories within the path are not affected by this setting.
+  // This might be in conflict with other options that affect the file
+  // mode, like fsGroup, and the result can be other mode bits set.
+  // +optional
+  optional int32 defaultMode = 2;
+}
+
+// Represents a Quobyte mount that lasts the lifetime of a pod.
+// Quobyte volumes do not support ownership management or SELinux relabeling.
+message QuobyteVolumeSource {
+  // Registry represents a single or multiple Quobyte Registry services
+  // specified as a string as host:port pair (multiple entries are separated with commas)
+  // which acts as the central registry for volumes
+  optional string registry = 1;
+
+  // Volume is a string that references an already created Quobyte volume by name.
+  optional string volume = 2;
+
+  // ReadOnly here will force the Quobyte volume to be mounted with read-only permissions.
+  // Defaults to false.
+  // +optional
+  optional bool readOnly = 3;
+
+  // User to map volume access to
+  // Defaults to serivceaccount user
+  // +optional
+  optional string user = 4;
+
+  // Group to map volume access to
+  // Default is no group
+  // +optional
+  optional string group = 5;
+}
+
+// Represents a Rados Block Device mount that lasts the lifetime of a pod.
+// RBD volumes support ownership management and SELinux relabeling.
+message RBDVolumeSource {
+  // A collection of Ceph monitors.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  repeated string monitors = 1;
+
+  // The rados image name.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  optional string image = 2;
+
+  // Filesystem type of the volume that you want to mount.
+  // Tip: Ensure that the filesystem type is supported by the host operating system.
+  // Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+  // TODO: how do we prevent errors in the filesystem from compromising the machine
+  // +optional
+  optional string fsType = 3;
+
+  // The rados pool name.
+  // Default is rbd.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // +optional
+  optional string pool = 4;
+
+  // The rados user name.
+  // Default is admin.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // +optional
+  optional string user = 5;
+
+  // Keyring is the path to key ring for RBDUser.
+  // Default is /etc/ceph/keyring.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // +optional
+  optional string keyring = 6;
+
+  // SecretRef is name of the authentication secret for RBDUser. If provided
+  // overrides keyring.
+  // Default is nil.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // +optional
+  optional LocalObjectReference secretRef = 7;
+
+  // ReadOnly here will force the ReadOnly setting in VolumeMounts.
+  // Defaults to false.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+  // +optional
+  optional bool readOnly = 8;
+}
+
+// RangeAllocation is not a public type.
+message RangeAllocation {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Range is string that identifies the range represented by 'data'.
+  optional string range = 2;
+
+  // Data is a bit array containing all allocated addresses in the previous segment.
+  optional bytes data = 3;
+}
+
+// ReplicationController represents the configuration of a replication controller.
+message ReplicationController {
+  // If the Labels of a ReplicationController are empty, they are defaulted to
+  // be the same as the Pod(s) that the replication controller manages.
+  // Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the specification of the desired behavior of the replication controller.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional ReplicationControllerSpec spec = 2;
+
+  // Status is the most recently observed status of the replication controller.
+  // This data may be out of date by some window of time.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional ReplicationControllerStatus status = 3;
+}
+
+// ReplicationControllerCondition describes the state of a replication controller at a certain point.
+message ReplicationControllerCondition {
+  // Type of replication controller condition.
+  optional string type = 1;
+
+  // Status of the condition, one of True, False, Unknown.
+  optional string status = 2;
+
+  // The last time the condition transitioned from one status to another.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
+
+  // The reason for the condition's last transition.
+  // +optional
+  optional string reason = 4;
+
+  // A human readable message indicating details about the transition.
+  // +optional
+  optional string message = 5;
+}
+
+// ReplicationControllerList is a collection of replication controllers.
+message ReplicationControllerList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of replication controllers.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+  repeated ReplicationController items = 2;
+}
+
+// ReplicationControllerSpec is the specification of a replication controller.
+message ReplicationControllerSpec {
+  // Replicas is the number of desired replicas.
+  // This is a pointer to distinguish between explicit zero and unspecified.
+  // Defaults to 1.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller
+  // +optional
+  optional int32 replicas = 1;
+
+  // Minimum number of seconds for which a newly created pod should be ready
+  // without any of its container crashing, for it to be considered available.
+  // Defaults to 0 (pod will be considered available as soon as it is ready)
+  // +optional
+  optional int32 minReadySeconds = 4;
+
+  // Selector is a label query over pods that should match the Replicas count.
+  // If Selector is empty, it is defaulted to the labels present on the Pod template.
+  // Label keys and values that must match in order to be controlled by this replication
+  // controller, if empty defaulted to labels on Pod template.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  // +optional
+  map<string, string> selector = 2;
+
+  // Template is the object that describes the pod that will be created if
+  // insufficient replicas are detected. This takes precedence over a TemplateRef.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+  // +optional
+  optional PodTemplateSpec template = 3;
+}
+
+// ReplicationControllerStatus represents the current status of a replication
+// controller.
+message ReplicationControllerStatus {
+  // Replicas is the most recently oberved number of replicas.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller
+  optional int32 replicas = 1;
+
+  // The number of pods that have labels matching the labels of the pod template of the replication controller.
+  // +optional
+  optional int32 fullyLabeledReplicas = 2;
+
+  // The number of ready replicas for this replication controller.
+  // +optional
+  optional int32 readyReplicas = 4;
+
+  // The number of available replicas (ready for at least minReadySeconds) for this replication controller.
+  // +optional
+  optional int32 availableReplicas = 5;
+
+  // ObservedGeneration reflects the generation of the most recently observed replication controller.
+  // +optional
+  optional int64 observedGeneration = 3;
+
+  // Represents the latest available observations of a replication controller's current state.
+  // +optional
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated ReplicationControllerCondition conditions = 6;
+}
+
+// ResourceFieldSelector represents container resources (cpu, memory) and their output format
+message ResourceFieldSelector {
+  // Container name: required for volumes, optional for env vars
+  // +optional
+  optional string containerName = 1;
+
+  // Required: resource to select
+  optional string resource = 2;
+
+  // Specifies the output format of the exposed resources, defaults to "1"
+  // +optional
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity divisor = 3;
+}
+
+// ResourceQuota sets aggregate quota restrictions enforced per namespace
+message ResourceQuota {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the desired quota.
+  // https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional ResourceQuotaSpec spec = 2;
+
+  // Status defines the actual enforced quota and its current usage.
+  // https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional ResourceQuotaStatus status = 3;
+}
+
+// ResourceQuotaList is a list of ResourceQuota items.
+message ResourceQuotaList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of ResourceQuota objects.
+  // More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_resource_quota.md
+  repeated ResourceQuota items = 2;
+}
+
+// ResourceQuotaSpec defines the desired hard limits to enforce for Quota.
+message ResourceQuotaSpec {
+  // Hard is the set of desired hard limits for each named resource.
+  // More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_resource_quota.md
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> hard = 1;
+
+  // A collection of filters that must match each object tracked by a quota.
+  // If not specified, the quota matches all objects.
+  // +optional
+  repeated string scopes = 2;
+}
+
+// ResourceQuotaStatus defines the enforced hard limits and observed use.
+message ResourceQuotaStatus {
+  // Hard is the set of enforced hard limits for each named resource.
+  // More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_resource_quota.md
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> hard = 1;
+
+  // Used is the current observed total usage of the resource in the namespace.
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> used = 2;
+}
+
+// ResourceRequirements describes the compute resource requirements.
+message ResourceRequirements {
+  // Limits describes the maximum amount of compute resources allowed.
+  // More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> limits = 1;
+
+  // Requests describes the minimum amount of compute resources required.
+  // If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+  // otherwise to an implementation-defined value.
+  // More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+  // +optional
+  map<string, k8s.io.apimachinery.pkg.api.resource.Quantity> requests = 2;
+}
+
+// SELinuxOptions are the labels to be applied to the container
+message SELinuxOptions {
+  // User is a SELinux user label that applies to the container.
+  // +optional
+  optional string user = 1;
+
+  // Role is a SELinux role label that applies to the container.
+  // +optional
+  optional string role = 2;
+
+  // Type is a SELinux type label that applies to the container.
+  // +optional
+  optional string type = 3;
+
+  // Level is SELinux level label that applies to the container.
+  // +optional
+  optional string level = 4;
+}
+
+// ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume
+message ScaleIOPersistentVolumeSource {
+  // The host address of the ScaleIO API Gateway.
+  optional string gateway = 1;
+
+  // The name of the storage system as configured in ScaleIO.
+  optional string system = 2;
+
+  // SecretRef references to the secret for ScaleIO user and other
+  // sensitive information. If this is not provided, Login operation will fail.
+  optional SecretReference secretRef = 3;
+
+  // Flag to enable/disable SSL communication with Gateway, default false
+  // +optional
+  optional bool sslEnabled = 4;
+
+  // The name of the ScaleIO Protection Domain for the configured storage.
+  // +optional
+  optional string protectionDomain = 5;
+
+  // The ScaleIO Storage Pool associated with the protection domain.
+  // +optional
+  optional string storagePool = 6;
+
+  // Indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+  // +optional
+  optional string storageMode = 7;
+
+  // The name of a volume already created in the ScaleIO system
+  // that is associated with this volume source.
+  optional string volumeName = 8;
+
+  // Filesystem type to mount.
+  // Must be a filesystem type supported by the host operating system.
+  // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // +optional
+  optional string fsType = 9;
+
+  // Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // +optional
+  optional bool readOnly = 10;
+}
+
+// ScaleIOVolumeSource represents a persistent ScaleIO volume
+message ScaleIOVolumeSource {
+  // The host address of the ScaleIO API Gateway.
+  optional string gateway = 1;
+
+  // The name of the storage system as configured in ScaleIO.
+  optional string system = 2;
+
+  // SecretRef references to the secret for ScaleIO user and other
+  // sensitive information. If this is not provided, Login operation will fail.
+  optional LocalObjectReference secretRef = 3;
+
+  // Flag to enable/disable SSL communication with Gateway, default false
+  // +optional
+  optional bool sslEnabled = 4;
+
+  // The name of the ScaleIO Protection Domain for the configured storage.
+  // +optional
+  optional string protectionDomain = 5;
+
+  // The ScaleIO Storage Pool associated with the protection domain.
+  // +optional
+  optional string storagePool = 6;
+
+  // Indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+  // +optional
+  optional string storageMode = 7;
+
+  // The name of a volume already created in the ScaleIO system
+  // that is associated with this volume source.
+  optional string volumeName = 8;
+
+  // Filesystem type to mount.
+  // Must be a filesystem type supported by the host operating system.
+  // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // +optional
+  optional string fsType = 9;
+
+  // Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // +optional
+  optional bool readOnly = 10;
+}
+
+// Secret holds secret data of a certain type. The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
+message Secret {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Data contains the secret data. Each key must consist of alphanumeric
+  // characters, '-', '_' or '.'. The serialized form of the secret data is a
+  // base64 encoded string, representing the arbitrary (possibly non-string)
+  // data value here. Described in https://tools.ietf.org/html/rfc4648#section-4
+  // +optional
+  map<string, bytes> data = 2;
+
+  // stringData allows specifying non-binary secret data in string form.
+  // It is provided as a write-only convenience method.
+  // All keys and values are merged into the data field on write, overwriting any existing values.
+  // It is never output when reading from the API.
+  // +k8s:conversion-gen=false
+  // +optional
+  map<string, string> stringData = 4;
+
+  // Used to facilitate programmatic handling of secret data.
+  // +optional
+  optional string type = 3;
+}
+
+// SecretEnvSource selects a Secret to populate the environment
+// variables with.
+// 
+// The contents of the target Secret's Data field will represent the
+// key-value pairs as environment variables.
+message SecretEnvSource {
+  // The Secret to select from.
+  optional LocalObjectReference localObjectReference = 1;
+
+  // Specify whether the Secret must be defined
+  // +optional
+  optional bool optional = 2;
+}
+
+// SecretKeySelector selects a key of a Secret.
+message SecretKeySelector {
+  // The name of the secret in the pod's namespace to select from.
+  optional LocalObjectReference localObjectReference = 1;
+
+  // The key of the secret to select from.  Must be a valid secret key.
+  optional string key = 2;
+
+  // Specify whether the Secret or it's key must be defined
+  // +optional
+  optional bool optional = 3;
+}
+
+// SecretList is a list of Secret.
+message SecretList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of secret objects.
+  // More info: https://kubernetes.io/docs/concepts/configuration/secret
+  repeated Secret items = 2;
+}
+
+// Adapts a secret into a projected volume.
+// 
+// The contents of the target Secret's Data field will be presented in a
+// projected volume as files using the keys in the Data field as the file names.
+// Note that this is identical to a secret volume source without the default
+// mode.
+message SecretProjection {
+  optional LocalObjectReference localObjectReference = 1;
+
+  // If unspecified, each key-value pair in the Data field of the referenced
+  // Secret will be projected into the volume as a file whose name is the
+  // key and content is the value. If specified, the listed keys will be
+  // projected into the specified paths, and unlisted keys will not be
+  // present. If a key is specified which is not present in the Secret,
+  // the volume setup will error unless it is marked optional. Paths must be
+  // relative and may not contain the '..' path or start with '..'.
+  // +optional
+  repeated KeyToPath items = 2;
+
+  // Specify whether the Secret or its key must be defined
+  // +optional
+  optional bool optional = 4;
+}
+
+// SecretReference represents a Secret Reference. It has enough information to retrieve secret
+// in any namespace
+message SecretReference {
+  // Name is unique within a namespace to reference a secret resource.
+  // +optional
+  optional string name = 1;
+
+  // Namespace defines the space within which the secret name must be unique.
+  // +optional
+  optional string namespace = 2;
+}
+
+// Adapts a Secret into a volume.
+// 
+// The contents of the target Secret's Data field will be presented in a volume
+// as files using the keys in the Data field as the file names.
+// Secret volumes support ownership management and SELinux relabeling.
+message SecretVolumeSource {
+  // Name of the secret in the pod's namespace to use.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+  // +optional
+  optional string secretName = 1;
+
+  // If unspecified, each key-value pair in the Data field of the referenced
+  // Secret will be projected into the volume as a file whose name is the
+  // key and content is the value. If specified, the listed keys will be
+  // projected into the specified paths, and unlisted keys will not be
+  // present. If a key is specified which is not present in the Secret,
+  // the volume setup will error unless it is marked optional. Paths must be
+  // relative and may not contain the '..' path or start with '..'.
+  // +optional
+  repeated KeyToPath items = 2;
+
+  // Optional: mode bits to use on created files by default. Must be a
+  // value between 0 and 0777. Defaults to 0644.
+  // Directories within the path are not affected by this setting.
+  // This might be in conflict with other options that affect the file
+  // mode, like fsGroup, and the result can be other mode bits set.
+  // +optional
+  optional int32 defaultMode = 3;
+
+  // Specify whether the Secret or it's keys must be defined
+  // +optional
+  optional bool optional = 4;
+}
+
+// SecurityContext holds security configuration that will be applied to a container.
+// Some fields are present in both SecurityContext and PodSecurityContext.  When both
+// are set, the values in SecurityContext take precedence.
+message SecurityContext {
+  // The capabilities to add/drop when running containers.
+  // Defaults to the default set of capabilities granted by the container runtime.
+  // +optional
+  optional Capabilities capabilities = 1;
+
+  // Run container in privileged mode.
+  // Processes in privileged containers are essentially equivalent to root on the host.
+  // Defaults to false.
+  // +optional
+  optional bool privileged = 2;
+
+  // The SELinux context to be applied to the container.
+  // If unspecified, the container runtime will allocate a random SELinux context for each
+  // container.  May also be set in PodSecurityContext.  If set in both SecurityContext and
+  // PodSecurityContext, the value specified in SecurityContext takes precedence.
+  // +optional
+  optional SELinuxOptions seLinuxOptions = 3;
+
+  // The UID to run the entrypoint of the container process.
+  // Defaults to user specified in image metadata if unspecified.
+  // May also be set in PodSecurityContext.  If set in both SecurityContext and
+  // PodSecurityContext, the value specified in SecurityContext takes precedence.
+  // +optional
+  optional int64 runAsUser = 4;
+
+  // Indicates that the container must run as a non-root user.
+  // If true, the Kubelet will validate the image at runtime to ensure that it
+  // does not run as UID 0 (root) and fail to start the container if it does.
+  // If unset or false, no such validation will be performed.
+  // May also be set in PodSecurityContext.  If set in both SecurityContext and
+  // PodSecurityContext, the value specified in SecurityContext takes precedence.
+  // +optional
+  optional bool runAsNonRoot = 5;
+
+  // Whether this container has a read-only root filesystem.
+  // Default is false.
+  // +optional
+  optional bool readOnlyRootFilesystem = 6;
+
+  // AllowPrivilegeEscalation controls whether a process can gain more
+  // privileges than its parent process. This bool directly controls if
+  // the no_new_privs flag will be set on the container process.
+  // AllowPrivilegeEscalation is true always when the container is:
+  // 1) run as Privileged
+  // 2) has CAP_SYS_ADMIN
+  // +optional
+  optional bool allowPrivilegeEscalation = 7;
+}
+
+// SerializedReference is a reference to serialized object.
+message SerializedReference {
+  // The reference to an object in the system.
+  // +optional
+  optional ObjectReference reference = 1;
+}
+
+// Service is a named abstraction of software service (for example, mysql) consisting of local port
+// (for example 3306) that the proxy listens on, and the selector that determines which pods
+// will answer requests sent through the proxy.
+message Service {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the behavior of a service.
+  // https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional ServiceSpec spec = 2;
+
+  // Most recently observed status of the service.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional ServiceStatus status = 3;
+}
+
+// ServiceAccount binds together:
+// * a name, understood by users, and perhaps by peripheral systems, for an identity
+// * a principal that can be authenticated and authorized
+// * a set of secrets
+message ServiceAccount {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Secrets is the list of secrets allowed to be used by pods running using this ServiceAccount.
+  // More info: https://kubernetes.io/docs/concepts/configuration/secret
+  // +optional
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated ObjectReference secrets = 2;
+
+  // ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images
+  // in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets
+  // can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet.
+  // More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
+  // +optional
+  repeated LocalObjectReference imagePullSecrets = 3;
+
+  // AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted.
+  // Can be overridden at the pod level.
+  // +optional
+  optional bool automountServiceAccountToken = 4;
+}
+
+// ServiceAccountList is a list of ServiceAccount objects
+message ServiceAccountList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of ServiceAccounts.
+  // More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+  repeated ServiceAccount items = 2;
+}
+
+// ServiceList holds a list of services.
+message ServiceList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of services
+  repeated Service items = 2;
+}
+
+// ServicePort contains information on service's port.
+message ServicePort {
+  // The name of this port within the service. This must be a DNS_LABEL.
+  // All ports within a ServiceSpec must have unique names. This maps to
+  // the 'Name' field in EndpointPort objects.
+  // Optional if only one ServicePort is defined on this service.
+  // +optional
+  optional string name = 1;
+
+  // The IP protocol for this port. Supports "TCP" and "UDP".
+  // Default is TCP.
+  // +optional
+  optional string protocol = 2;
+
+  // The port that will be exposed by this service.
+  optional int32 port = 3;
+
+  // Number or name of the port to access on the pods targeted by the service.
+  // Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
+  // If this is a string, it will be looked up as a named port in the
+  // target Pod's container ports. If this is not specified, the value
+  // of the 'port' field is used (an identity map).
+  // This field is ignored for services with clusterIP=None, and should be
+  // omitted or set equal to the 'port' field.
+  // More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString targetPort = 4;
+
+  // The port on each node on which this service is exposed when type=NodePort or LoadBalancer.
+  // Usually assigned by the system. If specified, it will be allocated to the service
+  // if unused or else creation of the service will fail.
+  // Default is to auto-allocate a port if the ServiceType of this Service requires one.
+  // More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+  // +optional
+  optional int32 nodePort = 5;
+}
+
+// ServiceProxyOptions is the query options to a Service's proxy call.
+message ServiceProxyOptions {
+  // Path is the part of URLs that include service endpoints, suffixes,
+  // and parameters to use for the current proxy request to service.
+  // For example, the whole request URL is
+  // http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy.
+  // Path is _search?q=user:kimchy.
+  // +optional
+  optional string path = 1;
+}
+
+// ServiceSpec describes the attributes that a user creates on a service.
+message ServiceSpec {
+  // The list of ports that are exposed by this service.
+  // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+  // +patchMergeKey=port
+  // +patchStrategy=merge
+  repeated ServicePort ports = 1;
+
+  // Route service traffic to pods with label keys and values matching this
+  // selector. If empty or not present, the service is assumed to have an
+  // external process managing its endpoints, which Kubernetes will not
+  // modify. Only applies to types ClusterIP, NodePort, and LoadBalancer.
+  // Ignored if type is ExternalName.
+  // More info: https://kubernetes.io/docs/concepts/services-networking/service/
+  // +optional
+  map<string, string> selector = 2;
+
+  // clusterIP is the IP address of the service and is usually assigned
+  // randomly by the master. If an address is specified manually and is not in
+  // use by others, it will be allocated to the service; otherwise, creation
+  // of the service will fail. This field can not be changed through updates.
+  // Valid values are "None", empty string (""), or a valid IP address. "None"
+  // can be specified for headless services when proxying is not required.
+  // Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if
+  // type is ExternalName.
+  // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+  // +optional
+  optional string clusterIP = 3;
+
+  // type determines how the Service is exposed. Defaults to ClusterIP. Valid
+  // options are ExternalName, ClusterIP, NodePort, and LoadBalancer.
+  // "ExternalName" maps to the specified externalName.
+  // "ClusterIP" allocates a cluster-internal IP address for load-balancing to
+  // endpoints. Endpoints are determined by the selector or if that is not
+  // specified, by manual construction of an Endpoints object. If clusterIP is
+  // "None", no virtual IP is allocated and the endpoints are published as a
+  // set of endpoints rather than a stable IP.
+  // "NodePort" builds on ClusterIP and allocates a port on every node which
+  // routes to the clusterIP.
+  // "LoadBalancer" builds on NodePort and creates an
+  // external load-balancer (if supported in the current cloud) which routes
+  // to the clusterIP.
+  // More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services---service-types
+  // +optional
+  optional string type = 4;
+
+  // externalIPs is a list of IP addresses for which nodes in the cluster
+  // will also accept traffic for this service.  These IPs are not managed by
+  // Kubernetes.  The user is responsible for ensuring that traffic arrives
+  // at a node with this IP.  A common example is external load-balancers
+  // that are not part of the Kubernetes system.
+  // +optional
+  repeated string externalIPs = 5;
+
+  // Supports "ClientIP" and "None". Used to maintain session affinity.
+  // Enable client IP based session affinity.
+  // Must be ClientIP or None.
+  // Defaults to None.
+  // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+  // +optional
+  optional string sessionAffinity = 7;
+
+  // Only applies to Service Type: LoadBalancer
+  // LoadBalancer will get created with the IP specified in this field.
+  // This feature depends on whether the underlying cloud-provider supports specifying
+  // the loadBalancerIP when a load balancer is created.
+  // This field will be ignored if the cloud-provider does not support the feature.
+  // +optional
+  optional string loadBalancerIP = 8;
+
+  // If specified and supported by the platform, this will restrict traffic through the cloud-provider
+  // load-balancer will be restricted to the specified client IPs. This field will be ignored if the
+  // cloud-provider does not support the feature."
+  // More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
+  // +optional
+  repeated string loadBalancerSourceRanges = 9;
+
+  // externalName is the external reference that kubedns or equivalent will
+  // return as a CNAME record for this service. No proxying will be involved.
+  // Must be a valid DNS name and requires Type to be ExternalName.
+  // +optional
+  optional string externalName = 10;
+
+  // externalTrafficPolicy denotes if this Service desires to route external
+  // traffic to node-local or cluster-wide endpoints. "Local" preserves the
+  // client source IP and avoids a second hop for LoadBalancer and Nodeport
+  // type services, but risks potentially imbalanced traffic spreading.
+  // "Cluster" obscures the client source IP and may cause a second hop to
+  // another node, but should have good overall load-spreading.
+  // +optional
+  optional string externalTrafficPolicy = 11;
+
+  // healthCheckNodePort specifies the healthcheck nodePort for the service.
+  // If not specified, HealthCheckNodePort is created by the service api
+  // backend with the allocated nodePort. Will use user-specified nodePort value
+  // if specified by the client. Only effects when Type is set to LoadBalancer
+  // and ExternalTrafficPolicy is set to Local.
+  // +optional
+  optional int32 healthCheckNodePort = 12;
+
+  // publishNotReadyAddresses, when set to true, indicates that DNS implementations
+  // must publish the notReadyAddresses of subsets for the Endpoints associated with
+  // the Service. The default value is false.
+  // The primary use case for setting this field is to use a StatefulSet's Headless Service
+  // to propagate SRV records for its Pods without respect to their readiness for purpose
+  // of peer discovery.
+  // This field will replace the service.alpha.kubernetes.io/tolerate-unready-endpoints
+  // when that annotation is deprecated and all clients have been converted to use this
+  // field.
+  // +optional
+  optional bool publishNotReadyAddresses = 13;
+
+  // sessionAffinityConfig contains the configurations of session affinity.
+  // +optional
+  optional SessionAffinityConfig sessionAffinityConfig = 14;
+}
+
+// ServiceStatus represents the current status of a service.
+message ServiceStatus {
+  // LoadBalancer contains the current status of the load-balancer,
+  // if one is present.
+  // +optional
+  optional LoadBalancerStatus loadBalancer = 1;
+}
+
+// SessionAffinityConfig represents the configurations of session affinity.
+message SessionAffinityConfig {
+  // clientIP contains the configurations of Client IP based session affinity.
+  // +optional
+  optional ClientIPConfig clientIP = 1;
+}
+
+// Represents a StorageOS persistent volume resource.
+message StorageOSPersistentVolumeSource {
+  // VolumeName is the human-readable name of the StorageOS volume.  Volume
+  // names are only unique within a namespace.
+  optional string volumeName = 1;
+
+  // VolumeNamespace specifies the scope of the volume within StorageOS.  If no
+  // namespace is specified then the Pod's namespace will be used.  This allows the
+  // Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+  // Set VolumeName to any name to override the default behaviour.
+  // Set to "default" if you are not using namespaces within StorageOS.
+  // Namespaces that do not pre-exist within StorageOS will be created.
+  // +optional
+  optional string volumeNamespace = 2;
+
+  // Filesystem type to mount.
+  // Must be a filesystem type supported by the host operating system.
+  // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // +optional
+  optional string fsType = 3;
+
+  // Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // +optional
+  optional bool readOnly = 4;
+
+  // SecretRef specifies the secret to use for obtaining the StorageOS API
+  // credentials.  If not specified, default values will be attempted.
+  // +optional
+  optional ObjectReference secretRef = 5;
+}
+
+// Represents a StorageOS persistent volume resource.
+message StorageOSVolumeSource {
+  // VolumeName is the human-readable name of the StorageOS volume.  Volume
+  // names are only unique within a namespace.
+  optional string volumeName = 1;
+
+  // VolumeNamespace specifies the scope of the volume within StorageOS.  If no
+  // namespace is specified then the Pod's namespace will be used.  This allows the
+  // Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+  // Set VolumeName to any name to override the default behaviour.
+  // Set to "default" if you are not using namespaces within StorageOS.
+  // Namespaces that do not pre-exist within StorageOS will be created.
+  // +optional
+  optional string volumeNamespace = 2;
+
+  // Filesystem type to mount.
+  // Must be a filesystem type supported by the host operating system.
+  // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // +optional
+  optional string fsType = 3;
+
+  // Defaults to false (read/write). ReadOnly here will force
+  // the ReadOnly setting in VolumeMounts.
+  // +optional
+  optional bool readOnly = 4;
+
+  // SecretRef specifies the secret to use for obtaining the StorageOS API
+  // credentials.  If not specified, default values will be attempted.
+  // +optional
+  optional LocalObjectReference secretRef = 5;
+}
+
+// Sysctl defines a kernel parameter to be set
+message Sysctl {
+  // Name of a property to set
+  optional string name = 1;
+
+  // Value of a property to set
+  optional string value = 2;
+}
+
+// TCPSocketAction describes an action based on opening a socket
+message TCPSocketAction {
+  // Number or name of the port to access on the container.
+  // Number must be in the range 1 to 65535.
+  // Name must be an IANA_SVC_NAME.
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString port = 1;
+
+  // Optional: Host name to connect to, defaults to the pod IP.
+  // +optional
+  optional string host = 2;
+}
+
+// The node this Taint is attached to has the "effect" on
+// any pod that does not tolerate the Taint.
+message Taint {
+  // Required. The taint key to be applied to a node.
+  optional string key = 1;
+
+  // Required. The taint value corresponding to the taint key.
+  // +optional
+  optional string value = 2;
+
+  // Required. The effect of the taint on pods
+  // that do not tolerate the taint.
+  // Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
+  optional string effect = 3;
+
+  // TimeAdded represents the time at which the taint was added.
+  // It is only written for NoExecute taints.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time timeAdded = 4;
+}
+
+// The pod this Toleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
+message Toleration {
+  // Key is the taint key that the toleration applies to. Empty means match all taint keys.
+  // If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+  // +optional
+  optional string key = 1;
+
+  // Operator represents a key's relationship to the value.
+  // Valid operators are Exists and Equal. Defaults to Equal.
+  // Exists is equivalent to wildcard for value, so that a pod can
+  // tolerate all taints of a particular category.
+  // +optional
+  optional string operator = 2;
+
+  // Value is the taint value the toleration matches to.
+  // If the operator is Exists, the value should be empty, otherwise just a regular string.
+  // +optional
+  optional string value = 3;
+
+  // Effect indicates the taint effect to match. Empty means match all taint effects.
+  // When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+  // +optional
+  optional string effect = 4;
+
+  // TolerationSeconds represents the period of time the toleration (which must be
+  // of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+  // it is not set, which means tolerate the taint forever (do not evict). Zero and
+  // negative values will be treated as 0 (evict immediately) by the system.
+  // +optional
+  optional int64 tolerationSeconds = 5;
+}
+
+// Volume represents a named volume in a pod that may be accessed by any container in the pod.
+message Volume {
+  // Volume's name.
+  // Must be a DNS_LABEL and unique within the pod.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+  optional string name = 1;
+
+  // VolumeSource represents the location and type of the mounted volume.
+  // If not specified, the Volume is implied to be an EmptyDir.
+  // This implied behavior is deprecated and will be removed in a future version.
+  optional VolumeSource volumeSource = 2;
+}
+
+// VolumeMount describes a mounting of a Volume within a container.
+message VolumeMount {
+  // This must match the Name of a Volume.
+  optional string name = 1;
+
+  // Mounted read-only if true, read-write otherwise (false or unspecified).
+  // Defaults to false.
+  // +optional
+  optional bool readOnly = 2;
+
+  // Path within the container at which the volume should be mounted.  Must
+  // not contain ':'.
+  optional string mountPath = 3;
+
+  // Path within the volume from which the container's volume should be mounted.
+  // Defaults to "" (volume's root).
+  // +optional
+  optional string subPath = 4;
+
+  // mountPropagation determines how mounts are propagated from the host
+  // to container and the other way around.
+  // When not set, MountPropagationHostToContainer is used.
+  // This field is alpha in 1.8 and can be reworked or removed in a future
+  // release.
+  // +optional
+  optional string mountPropagation = 5;
+}
+
+// Projection that may be projected along with other supported volume types
+message VolumeProjection {
+  // information about the secret data to project
+  optional SecretProjection secret = 1;
+
+  // information about the downwardAPI data to project
+  optional DownwardAPIProjection downwardAPI = 2;
+
+  // information about the configMap data to project
+  optional ConfigMapProjection configMap = 3;
+}
+
+// Represents the source of a volume to mount.
+// Only one of its members may be specified.
+message VolumeSource {
+  // HostPath represents a pre-existing file or directory on the host
+  // machine that is directly exposed to the container. This is generally
+  // used for system agents or other privileged things that are allowed
+  // to see the host machine. Most containers will NOT need this.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+  // ---
+  // TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
+  // mount host directories as read/write.
+  // +optional
+  optional HostPathVolumeSource hostPath = 1;
+
+  // EmptyDir represents a temporary directory that shares a pod's lifetime.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+  // +optional
+  optional EmptyDirVolumeSource emptyDir = 2;
+
+  // GCEPersistentDisk represents a GCE Disk resource that is attached to a
+  // kubelet's host machine and then exposed to the pod.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+  // +optional
+  optional GCEPersistentDiskVolumeSource gcePersistentDisk = 3;
+
+  // AWSElasticBlockStore represents an AWS Disk resource that is attached to a
+  // kubelet's host machine and then exposed to the pod.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+  // +optional
+  optional AWSElasticBlockStoreVolumeSource awsElasticBlockStore = 4;
+
+  // GitRepo represents a git repository at a particular revision.
+  // +optional
+  optional GitRepoVolumeSource gitRepo = 5;
+
+  // Secret represents a secret that should populate this volume.
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+  // +optional
+  optional SecretVolumeSource secret = 6;
+
+  // NFS represents an NFS mount on the host that shares a pod's lifetime
+  // More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+  // +optional
+  optional NFSVolumeSource nfs = 7;
+
+  // ISCSI represents an ISCSI Disk resource that is attached to a
+  // kubelet's host machine and then exposed to the pod.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/iscsi/README.md
+  // +optional
+  optional ISCSIVolumeSource iscsi = 8;
+
+  // Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md
+  // +optional
+  optional GlusterfsVolumeSource glusterfs = 9;
+
+  // PersistentVolumeClaimVolumeSource represents a reference to a
+  // PersistentVolumeClaim in the same namespace.
+  // More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+  // +optional
+  optional PersistentVolumeClaimVolumeSource persistentVolumeClaim = 10;
+
+  // RBD represents a Rados Block Device mount on the host that shares a pod's lifetime.
+  // More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md
+  // +optional
+  optional RBDVolumeSource rbd = 11;
+
+  // FlexVolume represents a generic volume resource that is
+  // provisioned/attached using an exec based plugin. This is an
+  // alpha feature and may change in future.
+  // +optional
+  optional FlexVolumeSource flexVolume = 12;
+
+  // Cinder represents a cinder volume attached and mounted on kubelets host machine
+  // More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+  // +optional
+  optional CinderVolumeSource cinder = 13;
+
+  // CephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+  // +optional
+  optional CephFSVolumeSource cephfs = 14;
+
+  // Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+  // +optional
+  optional FlockerVolumeSource flocker = 15;
+
+  // DownwardAPI represents downward API about the pod that should populate this volume
+  // +optional
+  optional DownwardAPIVolumeSource downwardAPI = 16;
+
+  // FC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+  // +optional
+  optional FCVolumeSource fc = 17;
+
+  // AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
+  // +optional
+  optional AzureFileVolumeSource azureFile = 18;
+
+  // ConfigMap represents a configMap that should populate this volume
+  // +optional
+  optional ConfigMapVolumeSource configMap = 19;
+
+  // VsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+  // +optional
+  optional VsphereVirtualDiskVolumeSource vsphereVolume = 20;
+
+  // Quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+  // +optional
+  optional QuobyteVolumeSource quobyte = 21;
+
+  // AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+  // +optional
+  optional AzureDiskVolumeSource azureDisk = 22;
+
+  // PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+  optional PhotonPersistentDiskVolumeSource photonPersistentDisk = 23;
+
+  // Items for all in one resources secrets, configmaps, and downward API
+  optional ProjectedVolumeSource projected = 26;
+
+  // PortworxVolume represents a portworx volume attached and mounted on kubelets host machine
+  // +optional
+  optional PortworxVolumeSource portworxVolume = 24;
+
+  // ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+  // +optional
+  optional ScaleIOVolumeSource scaleIO = 25;
+
+  // StorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+  // +optional
+  optional StorageOSVolumeSource storageos = 27;
+}
+
+// Represents a vSphere volume resource.
+message VsphereVirtualDiskVolumeSource {
+  // Path that identifies vSphere volume vmdk
+  optional string volumePath = 1;
+
+  // Filesystem type to mount.
+  // Must be a filesystem type supported by the host operating system.
+  // Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+  // +optional
+  optional string fsType = 2;
+
+  // Storage Policy Based Management (SPBM) profile name.
+  // +optional
+  optional string storagePolicyName = 3;
+
+  // Storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.
+  // +optional
+  optional string storagePolicyID = 4;
+}
+
+// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+message WeightedPodAffinityTerm {
+  // weight associated with matching the corresponding podAffinityTerm,
+  // in the range 1-100.
+  optional int32 weight = 1;
+
+  // Required. A pod affinity term, associated with the corresponding weight.
+  optional PodAffinityTerm podAffinityTerm = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/core/v1/meta.go b/cli/vendor/k8s.io/api/core/v1/meta.go
new file mode 100644
index 00000000..0e3f5d92
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/meta.go
@@ -0,0 +1,108 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+func (obj *ObjectMeta) GetObjectMeta() metav1.Object { return obj }
+
+// Namespace implements metav1.Object for any object with an ObjectMeta typed field. Allows
+// fast, direct access to metadata fields for API objects.
+func (meta *ObjectMeta) GetNamespace() string                { return meta.Namespace }
+func (meta *ObjectMeta) SetNamespace(namespace string)       { meta.Namespace = namespace }
+func (meta *ObjectMeta) GetName() string                     { return meta.Name }
+func (meta *ObjectMeta) SetName(name string)                 { meta.Name = name }
+func (meta *ObjectMeta) GetGenerateName() string             { return meta.GenerateName }
+func (meta *ObjectMeta) SetGenerateName(generateName string) { meta.GenerateName = generateName }
+func (meta *ObjectMeta) GetUID() types.UID                   { return meta.UID }
+func (meta *ObjectMeta) SetUID(uid types.UID)                { meta.UID = uid }
+func (meta *ObjectMeta) GetResourceVersion() string          { return meta.ResourceVersion }
+func (meta *ObjectMeta) SetResourceVersion(version string)   { meta.ResourceVersion = version }
+func (meta *ObjectMeta) GetGeneration() int64                { return meta.Generation }
+func (meta *ObjectMeta) SetGeneration(generation int64)      { meta.Generation = generation }
+func (meta *ObjectMeta) GetSelfLink() string                 { return meta.SelfLink }
+func (meta *ObjectMeta) SetSelfLink(selfLink string)         { meta.SelfLink = selfLink }
+func (meta *ObjectMeta) GetCreationTimestamp() metav1.Time   { return meta.CreationTimestamp }
+func (meta *ObjectMeta) SetCreationTimestamp(creationTimestamp metav1.Time) {
+	meta.CreationTimestamp = creationTimestamp
+}
+func (meta *ObjectMeta) GetDeletionTimestamp() *metav1.Time { return meta.DeletionTimestamp }
+func (meta *ObjectMeta) SetDeletionTimestamp(deletionTimestamp *metav1.Time) {
+	meta.DeletionTimestamp = deletionTimestamp
+}
+func (meta *ObjectMeta) GetDeletionGracePeriodSeconds() *int64 { return meta.DeletionGracePeriodSeconds }
+func (meta *ObjectMeta) SetDeletionGracePeriodSeconds(deletionGracePeriodSeconds *int64) {
+	meta.DeletionGracePeriodSeconds = deletionGracePeriodSeconds
+}
+func (meta *ObjectMeta) GetLabels() map[string]string                 { return meta.Labels }
+func (meta *ObjectMeta) SetLabels(labels map[string]string)           { meta.Labels = labels }
+func (meta *ObjectMeta) GetAnnotations() map[string]string            { return meta.Annotations }
+func (meta *ObjectMeta) SetAnnotations(annotations map[string]string) { meta.Annotations = annotations }
+func (meta *ObjectMeta) GetInitializers() *metav1.Initializers        { return meta.Initializers }
+func (meta *ObjectMeta) SetInitializers(initializers *metav1.Initializers) {
+	meta.Initializers = initializers
+}
+func (meta *ObjectMeta) GetFinalizers() []string           { return meta.Finalizers }
+func (meta *ObjectMeta) SetFinalizers(finalizers []string) { meta.Finalizers = finalizers }
+
+func (meta *ObjectMeta) GetOwnerReferences() []metav1.OwnerReference {
+	ret := make([]metav1.OwnerReference, len(meta.OwnerReferences))
+	for i := 0; i < len(meta.OwnerReferences); i++ {
+		ret[i].Kind = meta.OwnerReferences[i].Kind
+		ret[i].Name = meta.OwnerReferences[i].Name
+		ret[i].UID = meta.OwnerReferences[i].UID
+		ret[i].APIVersion = meta.OwnerReferences[i].APIVersion
+		if meta.OwnerReferences[i].Controller != nil {
+			value := *meta.OwnerReferences[i].Controller
+			ret[i].Controller = &value
+		}
+		if meta.OwnerReferences[i].BlockOwnerDeletion != nil {
+			value := *meta.OwnerReferences[i].BlockOwnerDeletion
+			ret[i].BlockOwnerDeletion = &value
+		}
+	}
+	return ret
+}
+
+func (meta *ObjectMeta) SetOwnerReferences(references []metav1.OwnerReference) {
+	newReferences := make([]metav1.OwnerReference, len(references))
+	for i := 0; i < len(references); i++ {
+		newReferences[i].Kind = references[i].Kind
+		newReferences[i].Name = references[i].Name
+		newReferences[i].UID = references[i].UID
+		newReferences[i].APIVersion = references[i].APIVersion
+		if references[i].Controller != nil {
+			value := *references[i].Controller
+			newReferences[i].Controller = &value
+		}
+		if references[i].BlockOwnerDeletion != nil {
+			value := *references[i].BlockOwnerDeletion
+			newReferences[i].BlockOwnerDeletion = &value
+		}
+	}
+	meta.OwnerReferences = newReferences
+}
+
+func (meta *ObjectMeta) GetClusterName() string {
+	return meta.ClusterName
+}
+func (meta *ObjectMeta) SetClusterName(clusterName string) {
+	meta.ClusterName = clusterName
+}
diff --git a/cli/vendor/k8s.io/api/core/v1/objectreference.go b/cli/vendor/k8s.io/api/core/v1/objectreference.go
new file mode 100644
index 00000000..ee5335ee
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/objectreference.go
@@ -0,0 +1,33 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// IsAnAPIObject allows clients to preemptively get a reference to an API object and pass it to places that
+// intend only to get a reference to that object. This simplifies the event recording interface.
+func (obj *ObjectReference) SetGroupVersionKind(gvk schema.GroupVersionKind) {
+	obj.APIVersion, obj.Kind = gvk.ToAPIVersionAndKind()
+}
+
+func (obj *ObjectReference) GroupVersionKind() schema.GroupVersionKind {
+	return schema.FromAPIVersionAndKind(obj.APIVersion, obj.Kind)
+}
+
+func (obj *ObjectReference) GetObjectKind() schema.ObjectKind { return obj }
diff --git a/cli/vendor/k8s.io/api/core/v1/register.go b/cli/vendor/k8s.io/api/core/v1/register.go
new file mode 100644
index 00000000..4916ee3c
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/register.go
@@ -0,0 +1,102 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+//TODO: this file is going to be moved to k8s.io/api
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = ""
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Pod{},
+		&PodList{},
+		&PodStatusResult{},
+		&PodTemplate{},
+		&PodTemplateList{},
+		&ReplicationController{},
+		&ReplicationControllerList{},
+		&Service{},
+		&ServiceProxyOptions{},
+		&ServiceList{},
+		&Endpoints{},
+		&EndpointsList{},
+		&Node{},
+		&NodeConfigSource{},
+		&NodeList{},
+		&NodeProxyOptions{},
+		&Binding{},
+		&Event{},
+		&EventList{},
+		&List{},
+		&LimitRange{},
+		&LimitRangeList{},
+		&ResourceQuota{},
+		&ResourceQuotaList{},
+		&Namespace{},
+		&NamespaceList{},
+		&Secret{},
+		&SecretList{},
+		&ServiceAccount{},
+		&ServiceAccountList{},
+		&PersistentVolume{},
+		&PersistentVolumeList{},
+		&PersistentVolumeClaim{},
+		&PersistentVolumeClaimList{},
+		&PodAttachOptions{},
+		&PodLogOptions{},
+		&PodExecOptions{},
+		&PodPortForwardOptions{},
+		&PodProxyOptions{},
+		&ComponentStatus{},
+		&ComponentStatusList{},
+		&SerializedReference{},
+		&RangeAllocation{},
+		&ConfigMap{},
+		&ConfigMapList{},
+	)
+
+	// Add common types
+	scheme.AddKnownTypes(SchemeGroupVersion, &metav1.Status{})
+
+	// Add the watch version that applies
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/core/v1/resource.go b/cli/vendor/k8s.io/api/core/v1/resource.go
new file mode 100644
index 00000000..3bd6fec6
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/resource.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+)
+
+// Returns string version of ResourceName.
+func (self ResourceName) String() string {
+	return string(self)
+}
+
+// Returns the CPU limit if specified.
+func (self *ResourceList) Cpu() *resource.Quantity {
+	if val, ok := (*self)[ResourceCPU]; ok {
+		return &val
+	}
+	return &resource.Quantity{Format: resource.DecimalSI}
+}
+
+// Returns the Memory limit if specified.
+func (self *ResourceList) Memory() *resource.Quantity {
+	if val, ok := (*self)[ResourceMemory]; ok {
+		return &val
+	}
+	return &resource.Quantity{Format: resource.BinarySI}
+}
+
+func (self *ResourceList) Pods() *resource.Quantity {
+	if val, ok := (*self)[ResourcePods]; ok {
+		return &val
+	}
+	return &resource.Quantity{}
+}
+
+func (self *ResourceList) NvidiaGPU() *resource.Quantity {
+	if val, ok := (*self)[ResourceNvidiaGPU]; ok {
+		return &val
+	}
+	return &resource.Quantity{}
+}
+
+func (self *ResourceList) StorageEphemeral() *resource.Quantity {
+	if val, ok := (*self)[ResourceEphemeralStorage]; ok {
+		return &val
+	}
+	return &resource.Quantity{}
+}
diff --git a/cli/vendor/k8s.io/api/core/v1/taint.go b/cli/vendor/k8s.io/api/core/v1/taint.go
new file mode 100644
index 00000000..7b606a30
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/taint.go
@@ -0,0 +1,33 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import "fmt"
+
+// MatchTaint checks if the taint matches taintToMatch. Taints are unique by key:effect,
+// if the two taints have same key:effect, regard as they match.
+func (t *Taint) MatchTaint(taintToMatch *Taint) bool {
+	return t.Key == taintToMatch.Key && t.Effect == taintToMatch.Effect
+}
+
+// taint.ToString() converts taint struct to string in format key=value:effect or key:effect.
+func (t *Taint) ToString() string {
+	if len(t.Value) == 0 {
+		return fmt.Sprintf("%v:%v", t.Key, t.Effect)
+	}
+	return fmt.Sprintf("%v=%v:%v", t.Key, t.Value, t.Effect)
+}
diff --git a/cli/vendor/k8s.io/api/core/v1/toleration.go b/cli/vendor/k8s.io/api/core/v1/toleration.go
new file mode 100644
index 00000000..b203d335
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/toleration.go
@@ -0,0 +1,56 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// MatchToleration checks if the toleration matches tolerationToMatch. Tolerations are unique by <key,effect,operator,value>,
+// if the two tolerations have same <key,effect,operator,value> combination, regard as they match.
+// TODO: uniqueness check for tolerations in api validations.
+func (t *Toleration) MatchToleration(tolerationToMatch *Toleration) bool {
+	return t.Key == tolerationToMatch.Key &&
+		t.Effect == tolerationToMatch.Effect &&
+		t.Operator == tolerationToMatch.Operator &&
+		t.Value == tolerationToMatch.Value
+}
+
+// ToleratesTaint checks if the toleration tolerates the taint.
+// The matching follows the rules below:
+// (1) Empty toleration.effect means to match all taint effects,
+//     otherwise taint effect must equal to toleration.effect.
+// (2) If toleration.operator is 'Exists', it means to match all taint values.
+// (3) Empty toleration.key means to match all taint keys.
+//     If toleration.key is empty, toleration.operator must be 'Exists';
+//     this combination means to match all taint values and all taint keys.
+func (t *Toleration) ToleratesTaint(taint *Taint) bool {
+	if len(t.Effect) > 0 && t.Effect != taint.Effect {
+		return false
+	}
+
+	if len(t.Key) > 0 && t.Key != taint.Key {
+		return false
+	}
+
+	// TODO: Use proper defaulting when Toleration becomes a field of PodSpec
+	switch t.Operator {
+	// empty operator means Equal
+	case "", TolerationOpEqual:
+		return t.Value == taint.Value
+	case TolerationOpExists:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/cli/vendor/k8s.io/api/core/v1/types.go b/cli/vendor/k8s.io/api/core/v1/types.go
new file mode 100644
index 00000000..c29126fa
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/types.go
@@ -0,0 +1,4932 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// The comments for the structs and fields can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored and not exported to the SwaggerAPI.
+//
+// The aforementioned methods can be generated by hack/update-generated-swagger-docs.sh
+
+// Common string formats
+// ---------------------
+// Many fields in this API have formatting requirements. The commonly used
+// formats are defined here.
+//
+// C_IDENTIFIER:  This is a string that conforms to the definition of an "identifier"
+//     in the C language. This is captured by the following regex:
+//         [A-Za-z_][A-Za-z0-9_]*
+//     This defines the format, but not the length restriction, which should be
+//     specified at the definition of any field of this type.
+//
+// DNS_LABEL:  This is a string, no more than 63 characters long, that conforms
+//     to the definition of a "label" in RFCs 1035 and 1123. This is captured
+//     by the following regex:
+//         [a-z0-9]([-a-z0-9]*[a-z0-9])?
+//
+// DNS_SUBDOMAIN:  This is a string, no more than 253 characters long, that conforms
+//      to the definition of a "subdomain" in RFCs 1035 and 1123. This is captured
+//      by the following regex:
+//         [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*
+//     or more simply:
+//         DNS_LABEL(\.DNS_LABEL)*
+//
+// IANA_SVC_NAME: This is a string, no more than 15 characters long, that
+//      conforms to the definition of IANA service name in RFC 6335.
+//      It must contains at least one letter [a-z] and it must contains only [a-z0-9-].
+//      Hypens ('-') cannot be leading or trailing character of the string
+//      and cannot be adjacent to other hyphens.
+
+// ObjectMeta is metadata that all persisted resources must have, which includes all objects
+// users must create.
+// DEPRECATED: Use k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta instead - this type will be removed soon.
+// +k8s:openapi-gen=false
+type ObjectMeta struct {
+	// Name must be unique within a namespace. Is required when creating resources, although
+	// some resources may allow a client to request the generation of an appropriate name
+	// automatically. Name is primarily intended for creation idempotence and configuration
+	// definition.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
+
+	// GenerateName is an optional prefix, used by the server, to generate a unique
+	// name ONLY IF the Name field has not been provided.
+	// If this field is used, the name returned to the client will be different
+	// than the name passed. This value will also be combined with a unique suffix.
+	// The provided value has the same validation rules as the Name field,
+	// and may be truncated by the length of the suffix required to make the value
+	// unique on the server.
+	//
+	// If this field is specified and the generated name exists, the server will
+	// NOT return a 409 - instead, it will either return 201 Created or 500 with Reason
+	// ServerTimeout indicating a unique name could not be found in the time allotted, and the client
+	// should retry (optionally after the time indicated in the Retry-After header).
+	//
+	// Applied only if Name is not specified.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency
+	// +optional
+	GenerateName string `json:"generateName,omitempty" protobuf:"bytes,2,opt,name=generateName"`
+
+	// Namespace defines the space within each name must be unique. An empty namespace is
+	// equivalent to the "default" namespace, but "default" is the canonical representation.
+	// Not all objects are required to be scoped to a namespace - the value of this field for
+	// those objects will be empty.
+	//
+	// Must be a DNS_LABEL.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,3,opt,name=namespace"`
+
+	// SelfLink is a URL representing this object.
+	// Populated by the system.
+	// Read-only.
+	// +optional
+	SelfLink string `json:"selfLink,omitempty" protobuf:"bytes,4,opt,name=selfLink"`
+
+	// UID is the unique in time and space value for this object. It is typically generated by
+	// the server on successful creation of a resource and is not allowed to change on PUT
+	// operations.
+	//
+	// Populated by the system.
+	// Read-only.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+	// +optional
+	UID types.UID `json:"uid,omitempty" protobuf:"bytes,5,opt,name=uid,casttype=k8s.io/apimachinery/pkg/types.UID"`
+
+	// An opaque value that represents the internal version of this object that can
+	// be used by clients to determine when objects have changed. May be used for optimistic
+	// concurrency, change detection, and the watch operation on a resource or set of resources.
+	// Clients must treat these values as opaque and passed unmodified back to the server.
+	// They may only be valid for a particular resource or set of resources.
+	//
+	// Populated by the system.
+	// Read-only.
+	// Value must be treated as opaque by clients and .
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency
+	// +optional
+	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,6,opt,name=resourceVersion"`
+
+	// A sequence number representing a specific generation of the desired state.
+	// Populated by the system. Read-only.
+	// +optional
+	Generation int64 `json:"generation,omitempty" protobuf:"varint,7,opt,name=generation"`
+
+	// CreationTimestamp is a timestamp representing the server time when this object was
+	// created. It is not guaranteed to be set in happens-before order across separate operations.
+	// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+	//
+	// Populated by the system.
+	// Read-only.
+	// Null for lists.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	CreationTimestamp metav1.Time `json:"creationTimestamp,omitempty" protobuf:"bytes,8,opt,name=creationTimestamp"`
+
+	// DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
+	// field is set by the server when a graceful deletion is requested by the user, and is not
+	// directly settable by a client. The resource is expected to be deleted (no longer visible
+	// from resource lists, and not reachable by name) after the time in this field. Once set,
+	// this value may not be unset or be set further into the future, although it may be shortened
+	// or the resource may be deleted prior to this time. For example, a user may request that
+	// a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination
+	// signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard
+	// termination signal (SIGKILL) to the container and after cleanup, remove the pod from the
+	// API. In the presence of network partitions, this object may still exist after this
+	// timestamp, until an administrator or automated process can determine the resource is
+	// fully terminated.
+	// If not set, graceful deletion of the object has not been requested.
+	//
+	// Populated by the system when a graceful deletion is requested.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	DeletionTimestamp *metav1.Time `json:"deletionTimestamp,omitempty" protobuf:"bytes,9,opt,name=deletionTimestamp"`
+
+	// Number of seconds allowed for this object to gracefully terminate before
+	// it will be removed from the system. Only set when deletionTimestamp is also set.
+	// May only be shortened.
+	// Read-only.
+	// +optional
+	DeletionGracePeriodSeconds *int64 `json:"deletionGracePeriodSeconds,omitempty" protobuf:"varint,10,opt,name=deletionGracePeriodSeconds"`
+
+	// Map of string keys and values that can be used to organize and categorize
+	// (scope and select) objects. May match selectors of replication controllers
+	// and services.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// +optional
+	Labels map[string]string `json:"labels,omitempty" protobuf:"bytes,11,rep,name=labels"`
+
+	// Annotations is an unstructured key value map stored with a resource that may be
+	// set by external tools to store and retrieve arbitrary metadata. They are not
+	// queryable and should be preserved when modifying objects.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,12,rep,name=annotations"`
+
+	// List of objects depended by this object. If ALL objects in the list have
+	// been deleted, this object will be garbage collected. If this object is managed by a controller,
+	// then an entry in this list will point to this controller, with the controller field set to true.
+	// There cannot be more than one managing controller.
+	// +optional
+	// +patchMergeKey=uid
+	// +patchStrategy=merge
+	OwnerReferences []metav1.OwnerReference `json:"ownerReferences,omitempty" patchStrategy:"merge" patchMergeKey:"uid" protobuf:"bytes,13,rep,name=ownerReferences"`
+
+	// An initializer is a controller which enforces some system invariant at object creation time.
+	// This field is a list of initializers that have not yet acted on this object. If nil or empty,
+	// this object has been completely initialized. Otherwise, the object is considered uninitialized
+	// and is hidden (in list/watch and get calls) from clients that haven't explicitly asked to
+	// observe uninitialized objects.
+	//
+	// When an object is created, the system will populate this list with the current set of initializers.
+	// Only privileged users may set or modify this list. Once it is empty, it may not be modified further
+	// by any user.
+	Initializers *metav1.Initializers `json:"initializers,omitempty" patchStrategy:"merge" protobuf:"bytes,16,rep,name=initializers"`
+
+	// Must be empty before the object is deleted from the registry. Each entry
+	// is an identifier for the responsible component that will remove the entry
+	// from the list. If the deletionTimestamp of the object is non-nil, entries
+	// in this list can only be removed.
+	// +optional
+	// +patchStrategy=merge
+	Finalizers []string `json:"finalizers,omitempty" patchStrategy:"merge" protobuf:"bytes,14,rep,name=finalizers"`
+
+	// The name of the cluster which the object belongs to.
+	// This is used to distinguish resources with same name and namespace in different clusters.
+	// This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.
+	// +optional
+	ClusterName string `json:"clusterName,omitempty" protobuf:"bytes,15,opt,name=clusterName"`
+}
+
+const (
+	// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients
+	NamespaceDefault string = "default"
+	// NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces
+	NamespaceAll string = ""
+)
+
+// Volume represents a named volume in a pod that may be accessed by any container in the pod.
+type Volume struct {
+	// Volume's name.
+	// Must be a DNS_LABEL and unique within the pod.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// VolumeSource represents the location and type of the mounted volume.
+	// If not specified, the Volume is implied to be an EmptyDir.
+	// This implied behavior is deprecated and will be removed in a future version.
+	VolumeSource `json:",inline" protobuf:"bytes,2,opt,name=volumeSource"`
+}
+
+// Represents the source of a volume to mount.
+// Only one of its members may be specified.
+type VolumeSource struct {
+	// HostPath represents a pre-existing file or directory on the host
+	// machine that is directly exposed to the container. This is generally
+	// used for system agents or other privileged things that are allowed
+	// to see the host machine. Most containers will NOT need this.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+	// ---
+	// TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not
+	// mount host directories as read/write.
+	// +optional
+	HostPath *HostPathVolumeSource `json:"hostPath,omitempty" protobuf:"bytes,1,opt,name=hostPath"`
+	// EmptyDir represents a temporary directory that shares a pod's lifetime.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+	// +optional
+	EmptyDir *EmptyDirVolumeSource `json:"emptyDir,omitempty" protobuf:"bytes,2,opt,name=emptyDir"`
+	// GCEPersistentDisk represents a GCE Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	// +optional
+	GCEPersistentDisk *GCEPersistentDiskVolumeSource `json:"gcePersistentDisk,omitempty" protobuf:"bytes,3,opt,name=gcePersistentDisk"`
+	// AWSElasticBlockStore represents an AWS Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+	// +optional
+	AWSElasticBlockStore *AWSElasticBlockStoreVolumeSource `json:"awsElasticBlockStore,omitempty" protobuf:"bytes,4,opt,name=awsElasticBlockStore"`
+	// GitRepo represents a git repository at a particular revision.
+	// +optional
+	GitRepo *GitRepoVolumeSource `json:"gitRepo,omitempty" protobuf:"bytes,5,opt,name=gitRepo"`
+	// Secret represents a secret that should populate this volume.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+	// +optional
+	Secret *SecretVolumeSource `json:"secret,omitempty" protobuf:"bytes,6,opt,name=secret"`
+	// NFS represents an NFS mount on the host that shares a pod's lifetime
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+	// +optional
+	NFS *NFSVolumeSource `json:"nfs,omitempty" protobuf:"bytes,7,opt,name=nfs"`
+	// ISCSI represents an ISCSI Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/iscsi/README.md
+	// +optional
+	ISCSI *ISCSIVolumeSource `json:"iscsi,omitempty" protobuf:"bytes,8,opt,name=iscsi"`
+	// Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md
+	// +optional
+	Glusterfs *GlusterfsVolumeSource `json:"glusterfs,omitempty" protobuf:"bytes,9,opt,name=glusterfs"`
+	// PersistentVolumeClaimVolumeSource represents a reference to a
+	// PersistentVolumeClaim in the same namespace.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+	// +optional
+	PersistentVolumeClaim *PersistentVolumeClaimVolumeSource `json:"persistentVolumeClaim,omitempty" protobuf:"bytes,10,opt,name=persistentVolumeClaim"`
+	// RBD represents a Rados Block Device mount on the host that shares a pod's lifetime.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md
+	// +optional
+	RBD *RBDVolumeSource `json:"rbd,omitempty" protobuf:"bytes,11,opt,name=rbd"`
+	// FlexVolume represents a generic volume resource that is
+	// provisioned/attached using an exec based plugin. This is an
+	// alpha feature and may change in future.
+	// +optional
+	FlexVolume *FlexVolumeSource `json:"flexVolume,omitempty" protobuf:"bytes,12,opt,name=flexVolume"`
+	// Cinder represents a cinder volume attached and mounted on kubelets host machine
+	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// +optional
+	Cinder *CinderVolumeSource `json:"cinder,omitempty" protobuf:"bytes,13,opt,name=cinder"`
+	// CephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+	// +optional
+	CephFS *CephFSVolumeSource `json:"cephfs,omitempty" protobuf:"bytes,14,opt,name=cephfs"`
+	// Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running
+	// +optional
+	Flocker *FlockerVolumeSource `json:"flocker,omitempty" protobuf:"bytes,15,opt,name=flocker"`
+	// DownwardAPI represents downward API about the pod that should populate this volume
+	// +optional
+	DownwardAPI *DownwardAPIVolumeSource `json:"downwardAPI,omitempty" protobuf:"bytes,16,opt,name=downwardAPI"`
+	// FC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+	// +optional
+	FC *FCVolumeSource `json:"fc,omitempty" protobuf:"bytes,17,opt,name=fc"`
+	// AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
+	// +optional
+	AzureFile *AzureFileVolumeSource `json:"azureFile,omitempty" protobuf:"bytes,18,opt,name=azureFile"`
+	// ConfigMap represents a configMap that should populate this volume
+	// +optional
+	ConfigMap *ConfigMapVolumeSource `json:"configMap,omitempty" protobuf:"bytes,19,opt,name=configMap"`
+	// VsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+	// +optional
+	VsphereVolume *VsphereVirtualDiskVolumeSource `json:"vsphereVolume,omitempty" protobuf:"bytes,20,opt,name=vsphereVolume"`
+	// Quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+	// +optional
+	Quobyte *QuobyteVolumeSource `json:"quobyte,omitempty" protobuf:"bytes,21,opt,name=quobyte"`
+	// AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+	// +optional
+	AzureDisk *AzureDiskVolumeSource `json:"azureDisk,omitempty" protobuf:"bytes,22,opt,name=azureDisk"`
+	// PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+	PhotonPersistentDisk *PhotonPersistentDiskVolumeSource `json:"photonPersistentDisk,omitempty" protobuf:"bytes,23,opt,name=photonPersistentDisk"`
+	// Items for all in one resources secrets, configmaps, and downward API
+	Projected *ProjectedVolumeSource `json:"projected,omitempty" protobuf:"bytes,26,opt,name=projected"`
+	// PortworxVolume represents a portworx volume attached and mounted on kubelets host machine
+	// +optional
+	PortworxVolume *PortworxVolumeSource `json:"portworxVolume,omitempty" protobuf:"bytes,24,opt,name=portworxVolume"`
+	// ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+	// +optional
+	ScaleIO *ScaleIOVolumeSource `json:"scaleIO,omitempty" protobuf:"bytes,25,opt,name=scaleIO"`
+	// StorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+	// +optional
+	StorageOS *StorageOSVolumeSource `json:"storageos,omitempty" protobuf:"bytes,27,opt,name=storageos"`
+}
+
+// PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace.
+// This volume finds the bound PV and mounts that volume for the pod. A
+// PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another
+// type of volume that is owned by someone else (the system).
+type PersistentVolumeClaimVolumeSource struct {
+	// ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+	ClaimName string `json:"claimName" protobuf:"bytes,1,opt,name=claimName"`
+	// Will force the ReadOnly setting in VolumeMounts.
+	// Default false.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,2,opt,name=readOnly"`
+}
+
+// PersistentVolumeSource is similar to VolumeSource but meant for the
+// administrator who creates PVs. Exactly one of its members must be set.
+type PersistentVolumeSource struct {
+	// GCEPersistentDisk represents a GCE Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod. Provisioned by an admin.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	// +optional
+	GCEPersistentDisk *GCEPersistentDiskVolumeSource `json:"gcePersistentDisk,omitempty" protobuf:"bytes,1,opt,name=gcePersistentDisk"`
+	// AWSElasticBlockStore represents an AWS Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+	// +optional
+	AWSElasticBlockStore *AWSElasticBlockStoreVolumeSource `json:"awsElasticBlockStore,omitempty" protobuf:"bytes,2,opt,name=awsElasticBlockStore"`
+	// HostPath represents a directory on the host.
+	// Provisioned by a developer or tester.
+	// This is useful for single-node development and testing only!
+	// On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+	// +optional
+	HostPath *HostPathVolumeSource `json:"hostPath,omitempty" protobuf:"bytes,3,opt,name=hostPath"`
+	// Glusterfs represents a Glusterfs volume that is attached to a host and
+	// exposed to the pod. Provisioned by an admin.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md
+	// +optional
+	Glusterfs *GlusterfsVolumeSource `json:"glusterfs,omitempty" protobuf:"bytes,4,opt,name=glusterfs"`
+	// NFS represents an NFS mount on the host. Provisioned by an admin.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+	// +optional
+	NFS *NFSVolumeSource `json:"nfs,omitempty" protobuf:"bytes,5,opt,name=nfs"`
+	// RBD represents a Rados Block Device mount on the host that shares a pod's lifetime.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md
+	// +optional
+	RBD *RBDVolumeSource `json:"rbd,omitempty" protobuf:"bytes,6,opt,name=rbd"`
+	// ISCSI represents an ISCSI Disk resource that is attached to a
+	// kubelet's host machine and then exposed to the pod. Provisioned by an admin.
+	// +optional
+	ISCSI *ISCSIVolumeSource `json:"iscsi,omitempty" protobuf:"bytes,7,opt,name=iscsi"`
+	// Cinder represents a cinder volume attached and mounted on kubelets host machine
+	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// +optional
+	Cinder *CinderVolumeSource `json:"cinder,omitempty" protobuf:"bytes,8,opt,name=cinder"`
+	// CephFS represents a Ceph FS mount on the host that shares a pod's lifetime
+	// +optional
+	CephFS *CephFSPersistentVolumeSource `json:"cephfs,omitempty" protobuf:"bytes,9,opt,name=cephfs"`
+	// FC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
+	// +optional
+	FC *FCVolumeSource `json:"fc,omitempty" protobuf:"bytes,10,opt,name=fc"`
+	// Flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running
+	// +optional
+	Flocker *FlockerVolumeSource `json:"flocker,omitempty" protobuf:"bytes,11,opt,name=flocker"`
+	// FlexVolume represents a generic volume resource that is
+	// provisioned/attached using an exec based plugin. This is an
+	// alpha feature and may change in future.
+	// +optional
+	FlexVolume *FlexVolumeSource `json:"flexVolume,omitempty" protobuf:"bytes,12,opt,name=flexVolume"`
+	// AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
+	// +optional
+	AzureFile *AzureFilePersistentVolumeSource `json:"azureFile,omitempty" protobuf:"bytes,13,opt,name=azureFile"`
+	// VsphereVolume represents a vSphere volume attached and mounted on kubelets host machine
+	// +optional
+	VsphereVolume *VsphereVirtualDiskVolumeSource `json:"vsphereVolume,omitempty" protobuf:"bytes,14,opt,name=vsphereVolume"`
+	// Quobyte represents a Quobyte mount on the host that shares a pod's lifetime
+	// +optional
+	Quobyte *QuobyteVolumeSource `json:"quobyte,omitempty" protobuf:"bytes,15,opt,name=quobyte"`
+	// AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+	// +optional
+	AzureDisk *AzureDiskVolumeSource `json:"azureDisk,omitempty" protobuf:"bytes,16,opt,name=azureDisk"`
+	// PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine
+	PhotonPersistentDisk *PhotonPersistentDiskVolumeSource `json:"photonPersistentDisk,omitempty" protobuf:"bytes,17,opt,name=photonPersistentDisk"`
+	// PortworxVolume represents a portworx volume attached and mounted on kubelets host machine
+	// +optional
+	PortworxVolume *PortworxVolumeSource `json:"portworxVolume,omitempty" protobuf:"bytes,18,opt,name=portworxVolume"`
+	// ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+	// +optional
+	ScaleIO *ScaleIOPersistentVolumeSource `json:"scaleIO,omitempty" protobuf:"bytes,19,opt,name=scaleIO"`
+	// Local represents directly-attached storage with node affinity
+	// +optional
+	Local *LocalVolumeSource `json:"local,omitempty" protobuf:"bytes,20,opt,name=local"`
+	// StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/storageos/README.md
+	// +optional
+	StorageOS *StorageOSPersistentVolumeSource `json:"storageos,omitempty" protobuf:"bytes,21,opt,name=storageos"`
+}
+
+const (
+	// BetaStorageClassAnnotation represents the beta/previous StorageClass annotation.
+	// It's currently still used and will be held for backwards compatibility
+	BetaStorageClassAnnotation = "volume.beta.kubernetes.io/storage-class"
+
+	// MountOptionAnnotation defines mount option annotation used in PVs
+	MountOptionAnnotation = "volume.beta.kubernetes.io/mount-options"
+
+	// AlphaStorageNodeAffinityAnnotation defines node affinity policies for a PersistentVolume.
+	// Value is a string of the json representation of type NodeAffinity
+	AlphaStorageNodeAffinityAnnotation = "volume.alpha.kubernetes.io/node-affinity"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PersistentVolume (PV) is a storage resource provisioned by an administrator.
+// It is analogous to a node.
+// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes
+type PersistentVolume struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines a specification of a persistent volume owned by the cluster.
+	// Provisioned by an administrator.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
+	// +optional
+	Spec PersistentVolumeSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status represents the current information/status for the persistent volume.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes
+	// +optional
+	Status PersistentVolumeStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// PersistentVolumeSpec is the specification of a persistent volume.
+type PersistentVolumeSpec struct {
+	// A description of the persistent volume's resources and capacity.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity
+	// +optional
+	Capacity ResourceList `json:"capacity,omitempty" protobuf:"bytes,1,rep,name=capacity,casttype=ResourceList,castkey=ResourceName"`
+	// The actual volume backing the persistent volume.
+	PersistentVolumeSource `json:",inline" protobuf:"bytes,2,opt,name=persistentVolumeSource"`
+	// AccessModes contains all ways the volume can be mounted.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes
+	// +optional
+	AccessModes []PersistentVolumeAccessMode `json:"accessModes,omitempty" protobuf:"bytes,3,rep,name=accessModes,casttype=PersistentVolumeAccessMode"`
+	// ClaimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim.
+	// Expected to be non-nil when bound.
+	// claim.VolumeName is the authoritative bind between PV and PVC.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding
+	// +optional
+	ClaimRef *ObjectReference `json:"claimRef,omitempty" protobuf:"bytes,4,opt,name=claimRef"`
+	// What happens to a persistent volume when released from its claim.
+	// Valid options are Retain (default) and Recycle.
+	// Recycling must be supported by the volume plugin underlying this persistent volume.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming
+	// +optional
+	PersistentVolumeReclaimPolicy PersistentVolumeReclaimPolicy `json:"persistentVolumeReclaimPolicy,omitempty" protobuf:"bytes,5,opt,name=persistentVolumeReclaimPolicy,casttype=PersistentVolumeReclaimPolicy"`
+	// Name of StorageClass to which this persistent volume belongs. Empty value
+	// means that this volume does not belong to any StorageClass.
+	// +optional
+	StorageClassName string `json:"storageClassName,omitempty" protobuf:"bytes,6,opt,name=storageClassName"`
+	// A list of mount options, e.g. ["ro", "soft"]. Not validated - mount will
+	// simply fail if one is invalid.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options
+	// +optional
+	MountOptions []string `json:"mountOptions,omitempty" protobuf:"bytes,7,opt,name=mountOptions"`
+}
+
+// PersistentVolumeReclaimPolicy describes a policy for end-of-life maintenance of persistent volumes.
+type PersistentVolumeReclaimPolicy string
+
+const (
+	// PersistentVolumeReclaimRecycle means the volume will be recycled back into the pool of unbound persistent volumes on release from its claim.
+	// The volume plugin must support Recycling.
+	PersistentVolumeReclaimRecycle PersistentVolumeReclaimPolicy = "Recycle"
+	// PersistentVolumeReclaimDelete means the volume will be deleted from Kubernetes on release from its claim.
+	// The volume plugin must support Deletion.
+	PersistentVolumeReclaimDelete PersistentVolumeReclaimPolicy = "Delete"
+	// PersistentVolumeReclaimRetain means the volume will be left in its current phase (Released) for manual reclamation by the administrator.
+	// The default policy is Retain.
+	PersistentVolumeReclaimRetain PersistentVolumeReclaimPolicy = "Retain"
+)
+
+// PersistentVolumeStatus is the current status of a persistent volume.
+type PersistentVolumeStatus struct {
+	// Phase indicates if a volume is available, bound to a claim, or released by a claim.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase
+	// +optional
+	Phase PersistentVolumePhase `json:"phase,omitempty" protobuf:"bytes,1,opt,name=phase,casttype=PersistentVolumePhase"`
+	// A human-readable message indicating details about why the volume is in this state.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,2,opt,name=message"`
+	// Reason is a brief CamelCase string that describes any failure and is meant
+	// for machine parsing and tidy display in the CLI.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,3,opt,name=reason"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PersistentVolumeList is a list of PersistentVolume items.
+type PersistentVolumeList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	// List of persistent volumes.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes
+	Items []PersistentVolume `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PersistentVolumeClaim is a user's request for and claim to a persistent volume
+type PersistentVolumeClaim struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the desired characteristics of a volume requested by a pod author.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+	// +optional
+	Spec PersistentVolumeClaimSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status represents the current information/status of a persistent volume claim.
+	// Read-only.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+	// +optional
+	Status PersistentVolumeClaimStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PersistentVolumeClaimList is a list of PersistentVolumeClaim items.
+type PersistentVolumeClaimList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	// A list of persistent volume claims.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+	Items []PersistentVolumeClaim `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// PersistentVolumeClaimSpec describes the common attributes of storage devices
+// and allows a Source for provider-specific attributes
+type PersistentVolumeClaimSpec struct {
+	// AccessModes contains the desired access modes the volume should have.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+	// +optional
+	AccessModes []PersistentVolumeAccessMode `json:"accessModes,omitempty" protobuf:"bytes,1,rep,name=accessModes,casttype=PersistentVolumeAccessMode"`
+	// A label query over volumes to consider for binding.
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,4,opt,name=selector"`
+	// Resources represents the minimum resources the volume should have.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+	// +optional
+	Resources ResourceRequirements `json:"resources,omitempty" protobuf:"bytes,2,opt,name=resources"`
+	// VolumeName is the binding reference to the PersistentVolume backing this claim.
+	// +optional
+	VolumeName string `json:"volumeName,omitempty" protobuf:"bytes,3,opt,name=volumeName"`
+	// Name of the StorageClass required by the claim.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+	// +optional
+	StorageClassName *string `json:"storageClassName,omitempty" protobuf:"bytes,5,opt,name=storageClassName"`
+}
+
+// PersistentVolumeClaimConditionType is a valid value of PersistentVolumeClaimCondition.Type
+type PersistentVolumeClaimConditionType string
+
+const (
+	// PersistentVolumeClaimResizing - a user trigger resize of pvc has been started
+	PersistentVolumeClaimResizing PersistentVolumeClaimConditionType = "Resizing"
+)
+
+// PersistentVolumeClaimCondition contails details about state of pvc
+type PersistentVolumeClaimCondition struct {
+	Type   PersistentVolumeClaimConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=PersistentVolumeClaimConditionType"`
+	Status ConditionStatus                    `json:"status" protobuf:"bytes,2,opt,name=status,casttype=ConditionStatus"`
+	// Last time we probed the condition.
+	// +optional
+	LastProbeTime metav1.Time `json:"lastProbeTime,omitempty" protobuf:"bytes,3,opt,name=lastProbeTime"`
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,4,opt,name=lastTransitionTime"`
+	// Unique, this should be a short, machine understandable string that gives the reason
+	// for condition's last transition. If it reports "ResizeStarted" that means the underlying
+	// persistent volume is being resized.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,5,opt,name=reason"`
+	// Human-readable message indicating details about last transition.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,6,opt,name=message"`
+}
+
+// PersistentVolumeClaimStatus is the current status of a persistent volume claim.
+type PersistentVolumeClaimStatus struct {
+	// Phase represents the current phase of PersistentVolumeClaim.
+	// +optional
+	Phase PersistentVolumeClaimPhase `json:"phase,omitempty" protobuf:"bytes,1,opt,name=phase,casttype=PersistentVolumeClaimPhase"`
+	// AccessModes contains the actual access modes the volume backing the PVC has.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+	// +optional
+	AccessModes []PersistentVolumeAccessMode `json:"accessModes,omitempty" protobuf:"bytes,2,rep,name=accessModes,casttype=PersistentVolumeAccessMode"`
+	// Represents the actual resources of the underlying volume.
+	// +optional
+	Capacity ResourceList `json:"capacity,omitempty" protobuf:"bytes,3,rep,name=capacity,casttype=ResourceList,castkey=ResourceName"`
+	// Current Condition of persistent volume claim. If underlying persistent volume is being
+	// resized then the Condition will be set to 'ResizeStarted'.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []PersistentVolumeClaimCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,4,rep,name=conditions"`
+}
+
+type PersistentVolumeAccessMode string
+
+const (
+	// can be mounted read/write mode to exactly 1 host
+	ReadWriteOnce PersistentVolumeAccessMode = "ReadWriteOnce"
+	// can be mounted in read-only mode to many hosts
+	ReadOnlyMany PersistentVolumeAccessMode = "ReadOnlyMany"
+	// can be mounted in read/write mode to many hosts
+	ReadWriteMany PersistentVolumeAccessMode = "ReadWriteMany"
+)
+
+type PersistentVolumePhase string
+
+const (
+	// used for PersistentVolumes that are not available
+	VolumePending PersistentVolumePhase = "Pending"
+	// used for PersistentVolumes that are not yet bound
+	// Available volumes are held by the binder and matched to PersistentVolumeClaims
+	VolumeAvailable PersistentVolumePhase = "Available"
+	// used for PersistentVolumes that are bound
+	VolumeBound PersistentVolumePhase = "Bound"
+	// used for PersistentVolumes where the bound PersistentVolumeClaim was deleted
+	// released volumes must be recycled before becoming available again
+	// this phase is used by the persistent volume claim binder to signal to another process to reclaim the resource
+	VolumeReleased PersistentVolumePhase = "Released"
+	// used for PersistentVolumes that failed to be correctly recycled or deleted after being released from a claim
+	VolumeFailed PersistentVolumePhase = "Failed"
+)
+
+type PersistentVolumeClaimPhase string
+
+const (
+	// used for PersistentVolumeClaims that are not yet bound
+	ClaimPending PersistentVolumeClaimPhase = "Pending"
+	// used for PersistentVolumeClaims that are bound
+	ClaimBound PersistentVolumeClaimPhase = "Bound"
+	// used for PersistentVolumeClaims that lost their underlying
+	// PersistentVolume. The claim was bound to a PersistentVolume and this
+	// volume does not exist any longer and all data on it was lost.
+	ClaimLost PersistentVolumeClaimPhase = "Lost"
+)
+
+type HostPathType string
+
+const (
+	// For backwards compatible, leave it empty if unset
+	HostPathUnset HostPathType = ""
+	// If nothing exists at the given path, an empty directory will be created there
+	// as needed with file mode 0755, having the same group and ownership with Kubelet.
+	HostPathDirectoryOrCreate HostPathType = "DirectoryOrCreate"
+	// A directory must exist at the given path
+	HostPathDirectory HostPathType = "Directory"
+	// If nothing exists at the given path, an empty file will be created there
+	// as needed with file mode 0644, having the same group and ownership with Kubelet.
+	HostPathFileOrCreate HostPathType = "FileOrCreate"
+	// A file must exist at the given path
+	HostPathFile HostPathType = "File"
+	// A UNIX socket must exist at the given path
+	HostPathSocket HostPathType = "Socket"
+	// A character device must exist at the given path
+	HostPathCharDev HostPathType = "CharDevice"
+	// A block device must exist at the given path
+	HostPathBlockDev HostPathType = "BlockDevice"
+)
+
+// Represents a host path mapped into a pod.
+// Host path volumes do not support ownership management or SELinux relabeling.
+type HostPathVolumeSource struct {
+	// Path of the directory on the host.
+	// If the path is a symlink, it will follow the link to the real path.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+	Path string `json:"path" protobuf:"bytes,1,opt,name=path"`
+	// Type for HostPath Volume
+	// Defaults to ""
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+	// +optional
+	Type *HostPathType `json:"type,omitempty" protobuf:"bytes,2,opt,name=type"`
+}
+
+// Represents an empty directory for a pod.
+// Empty directory volumes support ownership management and SELinux relabeling.
+type EmptyDirVolumeSource struct {
+	// What type of storage medium should back this directory.
+	// The default is "" which means to use the node's default medium.
+	// Must be an empty string (default) or Memory.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+	// +optional
+	Medium StorageMedium `json:"medium,omitempty" protobuf:"bytes,1,opt,name=medium,casttype=StorageMedium"`
+	// Total amount of local storage required for this EmptyDir volume.
+	// The size limit is also applicable for memory medium.
+	// The maximum usage on memory medium EmptyDir would be the minimum value between
+	// the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+	// The default is nil which means that the limit is undefined.
+	// More info: http://kubernetes.io/docs/user-guide/volumes#emptydir
+	// +optional
+	SizeLimit *resource.Quantity `json:"sizeLimit,omitempty" protobuf:"bytes,2,opt,name=sizeLimit"`
+}
+
+// Represents a Glusterfs mount that lasts the lifetime of a pod.
+// Glusterfs volumes do not support ownership management or SELinux relabeling.
+type GlusterfsVolumeSource struct {
+	// EndpointsName is the endpoint name that details Glusterfs topology.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+	EndpointsName string `json:"endpoints" protobuf:"bytes,1,opt,name=endpoints"`
+
+	// Path is the Glusterfs volume path.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+	Path string `json:"path" protobuf:"bytes,2,opt,name=path"`
+
+	// ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+	// Defaults to false.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
+}
+
+// Represents a Rados Block Device mount that lasts the lifetime of a pod.
+// RBD volumes support ownership management and SELinux relabeling.
+type RBDVolumeSource struct {
+	// A collection of Ceph monitors.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	CephMonitors []string `json:"monitors" protobuf:"bytes,1,rep,name=monitors"`
+	// The rados image name.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	RBDImage string `json:"image" protobuf:"bytes,2,opt,name=image"`
+	// Filesystem type of the volume that you want to mount.
+	// Tip: Ensure that the filesystem type is supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,3,opt,name=fsType"`
+	// The rados pool name.
+	// Default is rbd.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// +optional
+	RBDPool string `json:"pool,omitempty" protobuf:"bytes,4,opt,name=pool"`
+	// The rados user name.
+	// Default is admin.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// +optional
+	RadosUser string `json:"user,omitempty" protobuf:"bytes,5,opt,name=user"`
+	// Keyring is the path to key ring for RBDUser.
+	// Default is /etc/ceph/keyring.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// +optional
+	Keyring string `json:"keyring,omitempty" protobuf:"bytes,6,opt,name=keyring"`
+	// SecretRef is name of the authentication secret for RBDUser. If provided
+	// overrides keyring.
+	// Default is nil.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// +optional
+	SecretRef *LocalObjectReference `json:"secretRef,omitempty" protobuf:"bytes,7,opt,name=secretRef"`
+	// ReadOnly here will force the ReadOnly setting in VolumeMounts.
+	// Defaults to false.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,8,opt,name=readOnly"`
+}
+
+// Represents a cinder volume resource in Openstack.
+// A Cinder volume must exist before mounting to a container.
+// The volume must also be in the same region as the kubelet.
+// Cinder volumes support ownership management and SELinux relabeling.
+type CinderVolumeSource struct {
+	// volume id used to identify the volume in cinder
+	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	VolumeID string `json:"volumeID" protobuf:"bytes,1,opt,name=volumeID"`
+	// Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,2,opt,name=fsType"`
+	// Optional: Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
+}
+
+// Represents a Ceph Filesystem mount that lasts the lifetime of a pod
+// Cephfs volumes do not support ownership management or SELinux relabeling.
+type CephFSVolumeSource struct {
+	// Required: Monitors is a collection of Ceph monitors
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	Monitors []string `json:"monitors" protobuf:"bytes,1,rep,name=monitors"`
+	// Optional: Used as the mounted root, rather than the full Ceph tree, default is /
+	// +optional
+	Path string `json:"path,omitempty" protobuf:"bytes,2,opt,name=path"`
+	// Optional: User is the rados user name, default is admin
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// +optional
+	User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
+	// Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// +optional
+	SecretFile string `json:"secretFile,omitempty" protobuf:"bytes,4,opt,name=secretFile"`
+	// Optional: SecretRef is reference to the authentication secret for User, default is empty.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// +optional
+	SecretRef *LocalObjectReference `json:"secretRef,omitempty" protobuf:"bytes,5,opt,name=secretRef"`
+	// Optional: Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,6,opt,name=readOnly"`
+}
+
+// SecretReference represents a Secret Reference. It has enough information to retrieve secret
+// in any namespace
+type SecretReference struct {
+	// Name is unique within a namespace to reference a secret resource.
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
+	// Namespace defines the space within which the secret name must be unique.
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,opt,name=namespace"`
+}
+
+// Represents a Ceph Filesystem mount that lasts the lifetime of a pod
+// Cephfs volumes do not support ownership management or SELinux relabeling.
+type CephFSPersistentVolumeSource struct {
+	// Required: Monitors is a collection of Ceph monitors
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	Monitors []string `json:"monitors" protobuf:"bytes,1,rep,name=monitors"`
+	// Optional: Used as the mounted root, rather than the full Ceph tree, default is /
+	// +optional
+	Path string `json:"path,omitempty" protobuf:"bytes,2,opt,name=path"`
+	// Optional: User is the rados user name, default is admin
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// +optional
+	User string `json:"user,omitempty" protobuf:"bytes,3,opt,name=user"`
+	// Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// +optional
+	SecretFile string `json:"secretFile,omitempty" protobuf:"bytes,4,opt,name=secretFile"`
+	// Optional: SecretRef is reference to the authentication secret for User, default is empty.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// +optional
+	SecretRef *SecretReference `json:"secretRef,omitempty" protobuf:"bytes,5,opt,name=secretRef"`
+	// Optional: Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,6,opt,name=readOnly"`
+}
+
+// Represents a Flocker volume mounted by the Flocker agent.
+// One and only one of datasetName and datasetUUID should be set.
+// Flocker volumes do not support ownership management or SELinux relabeling.
+type FlockerVolumeSource struct {
+	// Name of the dataset stored as metadata -> name on the dataset for Flocker
+	// should be considered as deprecated
+	// +optional
+	DatasetName string `json:"datasetName,omitempty" protobuf:"bytes,1,opt,name=datasetName"`
+	// UUID of the dataset. This is unique identifier of a Flocker dataset
+	// +optional
+	DatasetUUID string `json:"datasetUUID,omitempty" protobuf:"bytes,2,opt,name=datasetUUID"`
+}
+
+// StorageMedium defines ways that storage can be allocated to a volume.
+type StorageMedium string
+
+const (
+	StorageMediumDefault   StorageMedium = ""          // use whatever the default is for the node
+	StorageMediumMemory    StorageMedium = "Memory"    // use memory (tmpfs)
+	StorageMediumHugepages StorageMedium = "HugePages" // use hugepages
+)
+
+// Protocol defines network protocols supported for things like container ports.
+type Protocol string
+
+const (
+	// ProtocolTCP is the TCP protocol.
+	ProtocolTCP Protocol = "TCP"
+	// ProtocolUDP is the UDP protocol.
+	ProtocolUDP Protocol = "UDP"
+)
+
+// Represents a Persistent Disk resource in Google Compute Engine.
+//
+// A GCE PD must exist before mounting to a container. The disk must
+// also be in the same GCE project and zone as the kubelet. A GCE PD
+// can only be mounted as read/write once or read-only many times. GCE
+// PDs support ownership management and SELinux relabeling.
+type GCEPersistentDiskVolumeSource struct {
+	// Unique name of the PD resource in GCE. Used to identify the disk in GCE.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	PDName string `json:"pdName" protobuf:"bytes,1,opt,name=pdName"`
+	// Filesystem type of the volume that you want to mount.
+	// Tip: Ensure that the filesystem type is supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,2,opt,name=fsType"`
+	// The partition in the volume that you want to mount.
+	// If omitted, the default is to mount by volume name.
+	// Examples: For volume /dev/sda1, you specify the partition as "1".
+	// Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	// +optional
+	Partition int32 `json:"partition,omitempty" protobuf:"varint,3,opt,name=partition"`
+	// ReadOnly here will force the ReadOnly setting in VolumeMounts.
+	// Defaults to false.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,4,opt,name=readOnly"`
+}
+
+// Represents a Quobyte mount that lasts the lifetime of a pod.
+// Quobyte volumes do not support ownership management or SELinux relabeling.
+type QuobyteVolumeSource struct {
+	// Registry represents a single or multiple Quobyte Registry services
+	// specified as a string as host:port pair (multiple entries are separated with commas)
+	// which acts as the central registry for volumes
+	Registry string `json:"registry" protobuf:"bytes,1,opt,name=registry"`
+
+	// Volume is a string that references an already created Quobyte volume by name.
+	Volume string `json:"volume" protobuf:"bytes,2,opt,name=volume"`
+
+	// ReadOnly here will force the Quobyte volume to be mounted with read-only permissions.
+	// Defaults to false.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
+
+	// User to map volume access to
+	// Defaults to serivceaccount user
+	// +optional
+	User string `json:"user,omitempty" protobuf:"bytes,4,opt,name=user"`
+
+	// Group to map volume access to
+	// Default is no group
+	// +optional
+	Group string `json:"group,omitempty" protobuf:"bytes,5,opt,name=group"`
+}
+
+// FlexVolume represents a generic volume resource that is
+// provisioned/attached using an exec based plugin. This is an alpha feature and may change in future.
+type FlexVolumeSource struct {
+	// Driver is the name of the driver to use for this volume.
+	Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"`
+	// Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,2,opt,name=fsType"`
+	// Optional: SecretRef is reference to the secret object containing
+	// sensitive information to pass to the plugin scripts. This may be
+	// empty if no secret object is specified. If the secret object
+	// contains more than one secret, all secrets are passed to the plugin
+	// scripts.
+	// +optional
+	SecretRef *LocalObjectReference `json:"secretRef,omitempty" protobuf:"bytes,3,opt,name=secretRef"`
+	// Optional: Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,4,opt,name=readOnly"`
+	// Optional: Extra command options if any.
+	// +optional
+	Options map[string]string `json:"options,omitempty" protobuf:"bytes,5,rep,name=options"`
+}
+
+// Represents a Persistent Disk resource in AWS.
+//
+// An AWS EBS disk must exist before mounting to a container. The disk
+// must also be in the same AWS zone as the kubelet. An AWS EBS disk
+// can only be mounted as read/write once. AWS EBS volumes support
+// ownership management and SELinux relabeling.
+type AWSElasticBlockStoreVolumeSource struct {
+	// Unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+	VolumeID string `json:"volumeID" protobuf:"bytes,1,opt,name=volumeID"`
+	// Filesystem type of the volume that you want to mount.
+	// Tip: Ensure that the filesystem type is supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,2,opt,name=fsType"`
+	// The partition in the volume that you want to mount.
+	// If omitted, the default is to mount by volume name.
+	// Examples: For volume /dev/sda1, you specify the partition as "1".
+	// Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+	// +optional
+	Partition int32 `json:"partition,omitempty" protobuf:"varint,3,opt,name=partition"`
+	// Specify "true" to force and set the ReadOnly property in VolumeMounts to "true".
+	// If omitted, the default is "false".
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,4,opt,name=readOnly"`
+}
+
+// Represents a volume that is populated with the contents of a git repository.
+// Git repo volumes do not support ownership management.
+// Git repo volumes support SELinux relabeling.
+type GitRepoVolumeSource struct {
+	// Repository URL
+	Repository string `json:"repository" protobuf:"bytes,1,opt,name=repository"`
+	// Commit hash for the specified revision.
+	// +optional
+	Revision string `json:"revision,omitempty" protobuf:"bytes,2,opt,name=revision"`
+	// Target directory name.
+	// Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the
+	// git repository.  Otherwise, if specified, the volume will contain the git repository in
+	// the subdirectory with the given name.
+	// +optional
+	Directory string `json:"directory,omitempty" protobuf:"bytes,3,opt,name=directory"`
+}
+
+// Adapts a Secret into a volume.
+//
+// The contents of the target Secret's Data field will be presented in a volume
+// as files using the keys in the Data field as the file names.
+// Secret volumes support ownership management and SELinux relabeling.
+type SecretVolumeSource struct {
+	// Name of the secret in the pod's namespace to use.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+	// +optional
+	SecretName string `json:"secretName,omitempty" protobuf:"bytes,1,opt,name=secretName"`
+	// If unspecified, each key-value pair in the Data field of the referenced
+	// Secret will be projected into the volume as a file whose name is the
+	// key and content is the value. If specified, the listed keys will be
+	// projected into the specified paths, and unlisted keys will not be
+	// present. If a key is specified which is not present in the Secret,
+	// the volume setup will error unless it is marked optional. Paths must be
+	// relative and may not contain the '..' path or start with '..'.
+	// +optional
+	Items []KeyToPath `json:"items,omitempty" protobuf:"bytes,2,rep,name=items"`
+	// Optional: mode bits to use on created files by default. Must be a
+	// value between 0 and 0777. Defaults to 0644.
+	// Directories within the path are not affected by this setting.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	// +optional
+	DefaultMode *int32 `json:"defaultMode,omitempty" protobuf:"bytes,3,opt,name=defaultMode"`
+	// Specify whether the Secret or it's keys must be defined
+	// +optional
+	Optional *bool `json:"optional,omitempty" protobuf:"varint,4,opt,name=optional"`
+}
+
+const (
+	SecretVolumeSourceDefaultMode int32 = 0644
+)
+
+// Adapts a secret into a projected volume.
+//
+// The contents of the target Secret's Data field will be presented in a
+// projected volume as files using the keys in the Data field as the file names.
+// Note that this is identical to a secret volume source without the default
+// mode.
+type SecretProjection struct {
+	LocalObjectReference `json:",inline" protobuf:"bytes,1,opt,name=localObjectReference"`
+	// If unspecified, each key-value pair in the Data field of the referenced
+	// Secret will be projected into the volume as a file whose name is the
+	// key and content is the value. If specified, the listed keys will be
+	// projected into the specified paths, and unlisted keys will not be
+	// present. If a key is specified which is not present in the Secret,
+	// the volume setup will error unless it is marked optional. Paths must be
+	// relative and may not contain the '..' path or start with '..'.
+	// +optional
+	Items []KeyToPath `json:"items,omitempty" protobuf:"bytes,2,rep,name=items"`
+	// Specify whether the Secret or its key must be defined
+	// +optional
+	Optional *bool `json:"optional,omitempty" protobuf:"varint,4,opt,name=optional"`
+}
+
+// Represents an NFS mount that lasts the lifetime of a pod.
+// NFS volumes do not support ownership management or SELinux relabeling.
+type NFSVolumeSource struct {
+	// Server is the hostname or IP address of the NFS server.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+	Server string `json:"server" protobuf:"bytes,1,opt,name=server"`
+
+	// Path that is exported by the NFS server.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+	Path string `json:"path" protobuf:"bytes,2,opt,name=path"`
+
+	// ReadOnly here will force
+	// the NFS export to be mounted with read-only permissions.
+	// Defaults to false.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
+}
+
+// Represents an ISCSI disk.
+// ISCSI volumes can only be mounted as read/write once.
+// ISCSI volumes support ownership management and SELinux relabeling.
+type ISCSIVolumeSource struct {
+	// iSCSI target portal. The portal is either an IP or ip_addr:port if the port
+	// is other than default (typically TCP ports 860 and 3260).
+	TargetPortal string `json:"targetPortal" protobuf:"bytes,1,opt,name=targetPortal"`
+	// Target iSCSI Qualified Name.
+	IQN string `json:"iqn" protobuf:"bytes,2,opt,name=iqn"`
+	// iSCSI target lun number.
+	Lun int32 `json:"lun" protobuf:"varint,3,opt,name=lun"`
+	// Optional: Defaults to 'default' (tcp). iSCSI interface name that uses an iSCSI transport.
+	// +optional
+	ISCSIInterface string `json:"iscsiInterface,omitempty" protobuf:"bytes,4,opt,name=iscsiInterface"`
+	// Filesystem type of the volume that you want to mount.
+	// Tip: Ensure that the filesystem type is supported by the host operating system.
+	// Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,5,opt,name=fsType"`
+	// ReadOnly here will force the ReadOnly setting in VolumeMounts.
+	// Defaults to false.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,6,opt,name=readOnly"`
+	// iSCSI target portal List. The portal is either an IP or ip_addr:port if the port
+	// is other than default (typically TCP ports 860 and 3260).
+	// +optional
+	Portals []string `json:"portals,omitempty" protobuf:"bytes,7,opt,name=portals"`
+	// whether support iSCSI Discovery CHAP authentication
+	// +optional
+	DiscoveryCHAPAuth bool `json:"chapAuthDiscovery,omitempty" protobuf:"varint,8,opt,name=chapAuthDiscovery"`
+	// whether support iSCSI Session CHAP authentication
+	// +optional
+	SessionCHAPAuth bool `json:"chapAuthSession,omitempty" protobuf:"varint,11,opt,name=chapAuthSession"`
+	// CHAP secret for iSCSI target and initiator authentication
+	// +optional
+	SecretRef *LocalObjectReference `json:"secretRef,omitempty" protobuf:"bytes,10,opt,name=secretRef"`
+	// Custom iSCSI initiator name.
+	// If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+	// <target portal>:<volume name> will be created for the connection.
+	// +optional
+	InitiatorName *string `json:"initiatorName,omitempty" protobuf:"bytes,12,opt,name=initiatorName"`
+}
+
+// Represents a Fibre Channel volume.
+// Fibre Channel volumes can only be mounted as read/write once.
+// Fibre Channel volumes support ownership management and SELinux relabeling.
+type FCVolumeSource struct {
+	// Optional: FC target worldwide names (WWNs)
+	// +optional
+	TargetWWNs []string `json:"targetWWNs,omitempty" protobuf:"bytes,1,rep,name=targetWWNs"`
+	// Optional: FC target lun number
+	// +optional
+	Lun *int32 `json:"lun,omitempty" protobuf:"varint,2,opt,name=lun"`
+	// Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// TODO: how do we prevent errors in the filesystem from compromising the machine
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,3,opt,name=fsType"`
+	// Optional: Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,4,opt,name=readOnly"`
+	// Optional: FC volume world wide identifiers (wwids)
+	// Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+	// +optional
+	WWIDs []string `json:"wwids,omitempty" protobuf:"bytes,5,rep,name=wwids"`
+}
+
+// AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
+type AzureFileVolumeSource struct {
+	// the name of secret that contains Azure Storage Account Name and Key
+	SecretName string `json:"secretName" protobuf:"bytes,1,opt,name=secretName"`
+	// Share Name
+	ShareName string `json:"shareName" protobuf:"bytes,2,opt,name=shareName"`
+	// Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
+}
+
+// AzureFile represents an Azure File Service mount on the host and bind mount to the pod.
+type AzureFilePersistentVolumeSource struct {
+	// the name of secret that contains Azure Storage Account Name and Key
+	SecretName string `json:"secretName" protobuf:"bytes,1,opt,name=secretName"`
+	// Share Name
+	ShareName string `json:"shareName" protobuf:"bytes,2,opt,name=shareName"`
+	// Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
+	// the namespace of the secret that contains Azure Storage Account Name and Key
+	// default is the same as the Pod
+	// +optional
+	SecretNamespace *string `json:"secretNamespace" protobuf:"bytes,4,opt,name=secretNamespace"`
+}
+
+// Represents a vSphere volume resource.
+type VsphereVirtualDiskVolumeSource struct {
+	// Path that identifies vSphere volume vmdk
+	VolumePath string `json:"volumePath" protobuf:"bytes,1,opt,name=volumePath"`
+	// Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,2,opt,name=fsType"`
+	// Storage Policy Based Management (SPBM) profile name.
+	// +optional
+	StoragePolicyName string `json:"storagePolicyName,omitempty" protobuf:"bytes,3,opt,name=storagePolicyName"`
+	// Storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.
+	// +optional
+	StoragePolicyID string `json:"storagePolicyID,omitempty" protobuf:"bytes,4,opt,name=storagePolicyID"`
+}
+
+// Represents a Photon Controller persistent disk resource.
+type PhotonPersistentDiskVolumeSource struct {
+	// ID that identifies Photon Controller persistent disk
+	PdID string `json:"pdID" protobuf:"bytes,1,opt,name=pdID"`
+	// Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,2,opt,name=fsType"`
+}
+
+type AzureDataDiskCachingMode string
+type AzureDataDiskKind string
+
+const (
+	AzureDataDiskCachingNone      AzureDataDiskCachingMode = "None"
+	AzureDataDiskCachingReadOnly  AzureDataDiskCachingMode = "ReadOnly"
+	AzureDataDiskCachingReadWrite AzureDataDiskCachingMode = "ReadWrite"
+
+	AzureSharedBlobDisk    AzureDataDiskKind = "Shared"
+	AzureDedicatedBlobDisk AzureDataDiskKind = "Dedicated"
+	AzureManagedDisk       AzureDataDiskKind = "Managed"
+)
+
+// AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+type AzureDiskVolumeSource struct {
+	// The Name of the data disk in the blob storage
+	DiskName string `json:"diskName" protobuf:"bytes,1,opt,name=diskName"`
+	// The URI the data disk in the blob storage
+	DataDiskURI string `json:"diskURI" protobuf:"bytes,2,opt,name=diskURI"`
+	// Host Caching mode: None, Read Only, Read Write.
+	// +optional
+	CachingMode *AzureDataDiskCachingMode `json:"cachingMode,omitempty" protobuf:"bytes,3,opt,name=cachingMode,casttype=AzureDataDiskCachingMode"`
+	// Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// +optional
+	FSType *string `json:"fsType,omitempty" protobuf:"bytes,4,opt,name=fsType"`
+	// Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// +optional
+	ReadOnly *bool `json:"readOnly,omitempty" protobuf:"varint,5,opt,name=readOnly"`
+	// Expected values Shared: mulitple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared
+	Kind *AzureDataDiskKind `json:"kind,omitempty" protobuf:"bytes,6,opt,name=kind,casttype=AzureDataDiskKind"`
+}
+
+// PortworxVolumeSource represents a Portworx volume resource.
+type PortworxVolumeSource struct {
+	// VolumeID uniquely identifies a Portworx volume
+	VolumeID string `json:"volumeID" protobuf:"bytes,1,opt,name=volumeID"`
+	// FSType represents the filesystem type to mount
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,2,opt,name=fsType"`
+	// Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,3,opt,name=readOnly"`
+}
+
+// ScaleIOVolumeSource represents a persistent ScaleIO volume
+type ScaleIOVolumeSource struct {
+	// The host address of the ScaleIO API Gateway.
+	Gateway string `json:"gateway" protobuf:"bytes,1,opt,name=gateway"`
+	// The name of the storage system as configured in ScaleIO.
+	System string `json:"system" protobuf:"bytes,2,opt,name=system"`
+	// SecretRef references to the secret for ScaleIO user and other
+	// sensitive information. If this is not provided, Login operation will fail.
+	SecretRef *LocalObjectReference `json:"secretRef" protobuf:"bytes,3,opt,name=secretRef"`
+	// Flag to enable/disable SSL communication with Gateway, default false
+	// +optional
+	SSLEnabled bool `json:"sslEnabled,omitempty" protobuf:"varint,4,opt,name=sslEnabled"`
+	// The name of the ScaleIO Protection Domain for the configured storage.
+	// +optional
+	ProtectionDomain string `json:"protectionDomain,omitempty" protobuf:"bytes,5,opt,name=protectionDomain"`
+	// The ScaleIO Storage Pool associated with the protection domain.
+	// +optional
+	StoragePool string `json:"storagePool,omitempty" protobuf:"bytes,6,opt,name=storagePool"`
+	// Indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+	// +optional
+	StorageMode string `json:"storageMode,omitempty" protobuf:"bytes,7,opt,name=storageMode"`
+	// The name of a volume already created in the ScaleIO system
+	// that is associated with this volume source.
+	VolumeName string `json:"volumeName,omitempty" protobuf:"bytes,8,opt,name=volumeName"`
+	// Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,9,opt,name=fsType"`
+	// Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,10,opt,name=readOnly"`
+}
+
+// ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume
+type ScaleIOPersistentVolumeSource struct {
+	// The host address of the ScaleIO API Gateway.
+	Gateway string `json:"gateway" protobuf:"bytes,1,opt,name=gateway"`
+	// The name of the storage system as configured in ScaleIO.
+	System string `json:"system" protobuf:"bytes,2,opt,name=system"`
+	// SecretRef references to the secret for ScaleIO user and other
+	// sensitive information. If this is not provided, Login operation will fail.
+	SecretRef *SecretReference `json:"secretRef" protobuf:"bytes,3,opt,name=secretRef"`
+	// Flag to enable/disable SSL communication with Gateway, default false
+	// +optional
+	SSLEnabled bool `json:"sslEnabled,omitempty" protobuf:"varint,4,opt,name=sslEnabled"`
+	// The name of the ScaleIO Protection Domain for the configured storage.
+	// +optional
+	ProtectionDomain string `json:"protectionDomain,omitempty" protobuf:"bytes,5,opt,name=protectionDomain"`
+	// The ScaleIO Storage Pool associated with the protection domain.
+	// +optional
+	StoragePool string `json:"storagePool,omitempty" protobuf:"bytes,6,opt,name=storagePool"`
+	// Indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+	// +optional
+	StorageMode string `json:"storageMode,omitempty" protobuf:"bytes,7,opt,name=storageMode"`
+	// The name of a volume already created in the ScaleIO system
+	// that is associated with this volume source.
+	VolumeName string `json:"volumeName,omitempty" protobuf:"bytes,8,opt,name=volumeName"`
+	// Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,9,opt,name=fsType"`
+	// Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,10,opt,name=readOnly"`
+}
+
+// Represents a StorageOS persistent volume resource.
+type StorageOSVolumeSource struct {
+	// VolumeName is the human-readable name of the StorageOS volume.  Volume
+	// names are only unique within a namespace.
+	VolumeName string `json:"volumeName,omitempty" protobuf:"bytes,1,opt,name=volumeName"`
+	// VolumeNamespace specifies the scope of the volume within StorageOS.  If no
+	// namespace is specified then the Pod's namespace will be used.  This allows the
+	// Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+	// Set VolumeName to any name to override the default behaviour.
+	// Set to "default" if you are not using namespaces within StorageOS.
+	// Namespaces that do not pre-exist within StorageOS will be created.
+	// +optional
+	VolumeNamespace string `json:"volumeNamespace,omitempty" protobuf:"bytes,2,opt,name=volumeNamespace"`
+	// Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,3,opt,name=fsType"`
+	// Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,4,opt,name=readOnly"`
+	// SecretRef specifies the secret to use for obtaining the StorageOS API
+	// credentials.  If not specified, default values will be attempted.
+	// +optional
+	SecretRef *LocalObjectReference `json:"secretRef,omitempty" protobuf:"bytes,5,opt,name=secretRef"`
+}
+
+// Represents a StorageOS persistent volume resource.
+type StorageOSPersistentVolumeSource struct {
+	// VolumeName is the human-readable name of the StorageOS volume.  Volume
+	// names are only unique within a namespace.
+	VolumeName string `json:"volumeName,omitempty" protobuf:"bytes,1,opt,name=volumeName"`
+	// VolumeNamespace specifies the scope of the volume within StorageOS.  If no
+	// namespace is specified then the Pod's namespace will be used.  This allows the
+	// Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+	// Set VolumeName to any name to override the default behaviour.
+	// Set to "default" if you are not using namespaces within StorageOS.
+	// Namespaces that do not pre-exist within StorageOS will be created.
+	// +optional
+	VolumeNamespace string `json:"volumeNamespace,omitempty" protobuf:"bytes,2,opt,name=volumeNamespace"`
+	// Filesystem type to mount.
+	// Must be a filesystem type supported by the host operating system.
+	// Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+	// +optional
+	FSType string `json:"fsType,omitempty" protobuf:"bytes,3,opt,name=fsType"`
+	// Defaults to false (read/write). ReadOnly here will force
+	// the ReadOnly setting in VolumeMounts.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,4,opt,name=readOnly"`
+	// SecretRef specifies the secret to use for obtaining the StorageOS API
+	// credentials.  If not specified, default values will be attempted.
+	// +optional
+	SecretRef *ObjectReference `json:"secretRef,omitempty" protobuf:"bytes,5,opt,name=secretRef"`
+}
+
+// Adapts a ConfigMap into a volume.
+//
+// The contents of the target ConfigMap's Data field will be presented in a
+// volume as files using the keys in the Data field as the file names, unless
+// the items element is populated with specific mappings of keys to paths.
+// ConfigMap volumes support ownership management and SELinux relabeling.
+type ConfigMapVolumeSource struct {
+	LocalObjectReference `json:",inline" protobuf:"bytes,1,opt,name=localObjectReference"`
+	// If unspecified, each key-value pair in the Data field of the referenced
+	// ConfigMap will be projected into the volume as a file whose name is the
+	// key and content is the value. If specified, the listed keys will be
+	// projected into the specified paths, and unlisted keys will not be
+	// present. If a key is specified which is not present in the ConfigMap,
+	// the volume setup will error unless it is marked optional. Paths must be
+	// relative and may not contain the '..' path or start with '..'.
+	// +optional
+	Items []KeyToPath `json:"items,omitempty" protobuf:"bytes,2,rep,name=items"`
+	// Optional: mode bits to use on created files by default. Must be a
+	// value between 0 and 0777. Defaults to 0644.
+	// Directories within the path are not affected by this setting.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	// +optional
+	DefaultMode *int32 `json:"defaultMode,omitempty" protobuf:"varint,3,opt,name=defaultMode"`
+	// Specify whether the ConfigMap or it's keys must be defined
+	// +optional
+	Optional *bool `json:"optional,omitempty" protobuf:"varint,4,opt,name=optional"`
+}
+
+const (
+	ConfigMapVolumeSourceDefaultMode int32 = 0644
+)
+
+// Adapts a ConfigMap into a projected volume.
+//
+// The contents of the target ConfigMap's Data field will be presented in a
+// projected volume as files using the keys in the Data field as the file names,
+// unless the items element is populated with specific mappings of keys to paths.
+// Note that this is identical to a configmap volume source without the default
+// mode.
+type ConfigMapProjection struct {
+	LocalObjectReference `json:",inline" protobuf:"bytes,1,opt,name=localObjectReference"`
+	// If unspecified, each key-value pair in the Data field of the referenced
+	// ConfigMap will be projected into the volume as a file whose name is the
+	// key and content is the value. If specified, the listed keys will be
+	// projected into the specified paths, and unlisted keys will not be
+	// present. If a key is specified which is not present in the ConfigMap,
+	// the volume setup will error unless it is marked optional. Paths must be
+	// relative and may not contain the '..' path or start with '..'.
+	// +optional
+	Items []KeyToPath `json:"items,omitempty" protobuf:"bytes,2,rep,name=items"`
+	// Specify whether the ConfigMap or it's keys must be defined
+	// +optional
+	Optional *bool `json:"optional,omitempty" protobuf:"varint,4,opt,name=optional"`
+}
+
+// Represents a projected volume source
+type ProjectedVolumeSource struct {
+	// list of volume projections
+	Sources []VolumeProjection `json:"sources" protobuf:"bytes,1,rep,name=sources"`
+	// Mode bits to use on created files by default. Must be a value between
+	// 0 and 0777.
+	// Directories within the path are not affected by this setting.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	// +optional
+	DefaultMode *int32 `json:"defaultMode,omitempty" protobuf:"varint,2,opt,name=defaultMode"`
+}
+
+// Projection that may be projected along with other supported volume types
+type VolumeProjection struct {
+	// all types below are the supported types for projection into the same volume
+
+	// information about the secret data to project
+	Secret *SecretProjection `json:"secret,omitempty" protobuf:"bytes,1,opt,name=secret"`
+	// information about the downwardAPI data to project
+	DownwardAPI *DownwardAPIProjection `json:"downwardAPI,omitempty" protobuf:"bytes,2,opt,name=downwardAPI"`
+	// information about the configMap data to project
+	ConfigMap *ConfigMapProjection `json:"configMap,omitempty" protobuf:"bytes,3,opt,name=configMap"`
+}
+
+const (
+	ProjectedVolumeSourceDefaultMode int32 = 0644
+)
+
+// Maps a string key to a path within a volume.
+type KeyToPath struct {
+	// The key to project.
+	Key string `json:"key" protobuf:"bytes,1,opt,name=key"`
+
+	// The relative path of the file to map the key to.
+	// May not be an absolute path.
+	// May not contain the path element '..'.
+	// May not start with the string '..'.
+	Path string `json:"path" protobuf:"bytes,2,opt,name=path"`
+	// Optional: mode bits to use on this file, must be a value between 0
+	// and 0777. If not specified, the volume defaultMode will be used.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	// +optional
+	Mode *int32 `json:"mode,omitempty" protobuf:"varint,3,opt,name=mode"`
+}
+
+// Local represents directly-attached storage with node affinity
+type LocalVolumeSource struct {
+	// The full path to the volume on the node
+	// For alpha, this path must be a directory
+	// Once block as a source is supported, then this path can point to a block device
+	Path string `json:"path" protobuf:"bytes,1,opt,name=path"`
+}
+
+// ContainerPort represents a network port in a single container.
+type ContainerPort struct {
+	// If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
+	// named port in a pod must have a unique name. Name for the port that can be
+	// referred to by services.
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
+	// Number of port to expose on the host.
+	// If specified, this must be a valid port number, 0 < x < 65536.
+	// If HostNetwork is specified, this must match ContainerPort.
+	// Most containers do not need this.
+	// +optional
+	HostPort int32 `json:"hostPort,omitempty" protobuf:"varint,2,opt,name=hostPort"`
+	// Number of port to expose on the pod's IP address.
+	// This must be a valid port number, 0 < x < 65536.
+	ContainerPort int32 `json:"containerPort" protobuf:"varint,3,opt,name=containerPort"`
+	// Protocol for port. Must be UDP or TCP.
+	// Defaults to "TCP".
+	// +optional
+	Protocol Protocol `json:"protocol,omitempty" protobuf:"bytes,4,opt,name=protocol,casttype=Protocol"`
+	// What host IP to bind the external port to.
+	// +optional
+	HostIP string `json:"hostIP,omitempty" protobuf:"bytes,5,opt,name=hostIP"`
+}
+
+// VolumeMount describes a mounting of a Volume within a container.
+type VolumeMount struct {
+	// This must match the Name of a Volume.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// Mounted read-only if true, read-write otherwise (false or unspecified).
+	// Defaults to false.
+	// +optional
+	ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,2,opt,name=readOnly"`
+	// Path within the container at which the volume should be mounted.  Must
+	// not contain ':'.
+	MountPath string `json:"mountPath" protobuf:"bytes,3,opt,name=mountPath"`
+	// Path within the volume from which the container's volume should be mounted.
+	// Defaults to "" (volume's root).
+	// +optional
+	SubPath string `json:"subPath,omitempty" protobuf:"bytes,4,opt,name=subPath"`
+	// mountPropagation determines how mounts are propagated from the host
+	// to container and the other way around.
+	// When not set, MountPropagationHostToContainer is used.
+	// This field is alpha in 1.8 and can be reworked or removed in a future
+	// release.
+	// +optional
+	MountPropagation *MountPropagationMode `json:"mountPropagation,omitempty" protobuf:"bytes,5,opt,name=mountPropagation,casttype=MountPropagationMode"`
+}
+
+// MountPropagationMode describes mount propagation.
+type MountPropagationMode string
+
+const (
+	// MountPropagationHostToContainer means that the volume in a container will
+	// receive new mounts from the host or other containers, but filesystems
+	// mounted inside the container won't be propagated to the host or other
+	// containers.
+	// Note that this mode is recursively applied to all mounts in the volume
+	// ("rslave" in Linux terminology).
+	MountPropagationHostToContainer MountPropagationMode = "HostToContainer"
+	// MountPropagationBidirectional means that the volume in a container will
+	// receive new mounts from the host or other containers, and its own mounts
+	// will be propagated from the container to the host or other containers.
+	// Note that this mode is recursively applied to all mounts in the volume
+	// ("rshared" in Linux terminology).
+	MountPropagationBidirectional MountPropagationMode = "Bidirectional"
+)
+
+// EnvVar represents an environment variable present in a Container.
+type EnvVar struct {
+	// Name of the environment variable. Must be a C_IDENTIFIER.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+
+	// Optional: no more than one of the following may be specified.
+
+	// Variable references $(VAR_NAME) are expanded
+	// using the previous defined environment variables in the container and
+	// any service environment variables. If a variable cannot be resolved,
+	// the reference in the input string will be unchanged. The $(VAR_NAME)
+	// syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped
+	// references will never be expanded, regardless of whether the variable
+	// exists or not.
+	// Defaults to "".
+	// +optional
+	Value string `json:"value,omitempty" protobuf:"bytes,2,opt,name=value"`
+	// Source for the environment variable's value. Cannot be used if value is not empty.
+	// +optional
+	ValueFrom *EnvVarSource `json:"valueFrom,omitempty" protobuf:"bytes,3,opt,name=valueFrom"`
+}
+
+// EnvVarSource represents a source for the value of an EnvVar.
+type EnvVarSource struct {
+	// Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations,
+	// spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.
+	// +optional
+	FieldRef *ObjectFieldSelector `json:"fieldRef,omitempty" protobuf:"bytes,1,opt,name=fieldRef"`
+	// Selects a resource of the container: only resources limits and requests
+	// (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
+	// +optional
+	ResourceFieldRef *ResourceFieldSelector `json:"resourceFieldRef,omitempty" protobuf:"bytes,2,opt,name=resourceFieldRef"`
+	// Selects a key of a ConfigMap.
+	// +optional
+	ConfigMapKeyRef *ConfigMapKeySelector `json:"configMapKeyRef,omitempty" protobuf:"bytes,3,opt,name=configMapKeyRef"`
+	// Selects a key of a secret in the pod's namespace
+	// +optional
+	SecretKeyRef *SecretKeySelector `json:"secretKeyRef,omitempty" protobuf:"bytes,4,opt,name=secretKeyRef"`
+}
+
+// ObjectFieldSelector selects an APIVersioned field of an object.
+type ObjectFieldSelector struct {
+	// Version of the schema the FieldPath is written in terms of, defaults to "v1".
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,1,opt,name=apiVersion"`
+	// Path of the field to select in the specified API version.
+	FieldPath string `json:"fieldPath" protobuf:"bytes,2,opt,name=fieldPath"`
+}
+
+// ResourceFieldSelector represents container resources (cpu, memory) and their output format
+type ResourceFieldSelector struct {
+	// Container name: required for volumes, optional for env vars
+	// +optional
+	ContainerName string `json:"containerName,omitempty" protobuf:"bytes,1,opt,name=containerName"`
+	// Required: resource to select
+	Resource string `json:"resource" protobuf:"bytes,2,opt,name=resource"`
+	// Specifies the output format of the exposed resources, defaults to "1"
+	// +optional
+	Divisor resource.Quantity `json:"divisor,omitempty" protobuf:"bytes,3,opt,name=divisor"`
+}
+
+// Selects a key from a ConfigMap.
+type ConfigMapKeySelector struct {
+	// The ConfigMap to select from.
+	LocalObjectReference `json:",inline" protobuf:"bytes,1,opt,name=localObjectReference"`
+	// The key to select.
+	Key string `json:"key" protobuf:"bytes,2,opt,name=key"`
+	// Specify whether the ConfigMap or it's key must be defined
+	// +optional
+	Optional *bool `json:"optional,omitempty" protobuf:"varint,3,opt,name=optional"`
+}
+
+// SecretKeySelector selects a key of a Secret.
+type SecretKeySelector struct {
+	// The name of the secret in the pod's namespace to select from.
+	LocalObjectReference `json:",inline" protobuf:"bytes,1,opt,name=localObjectReference"`
+	// The key of the secret to select from.  Must be a valid secret key.
+	Key string `json:"key" protobuf:"bytes,2,opt,name=key"`
+	// Specify whether the Secret or it's key must be defined
+	// +optional
+	Optional *bool `json:"optional,omitempty" protobuf:"varint,3,opt,name=optional"`
+}
+
+// EnvFromSource represents the source of a set of ConfigMaps
+type EnvFromSource struct {
+	// An optional identifer to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
+	// +optional
+	Prefix string `json:"prefix,omitempty" protobuf:"bytes,1,opt,name=prefix"`
+	// The ConfigMap to select from
+	// +optional
+	ConfigMapRef *ConfigMapEnvSource `json:"configMapRef,omitempty" protobuf:"bytes,2,opt,name=configMapRef"`
+	// The Secret to select from
+	// +optional
+	SecretRef *SecretEnvSource `json:"secretRef,omitempty" protobuf:"bytes,3,opt,name=secretRef"`
+}
+
+// ConfigMapEnvSource selects a ConfigMap to populate the environment
+// variables with.
+//
+// The contents of the target ConfigMap's Data field will represent the
+// key-value pairs as environment variables.
+type ConfigMapEnvSource struct {
+	// The ConfigMap to select from.
+	LocalObjectReference `json:",inline" protobuf:"bytes,1,opt,name=localObjectReference"`
+	// Specify whether the ConfigMap must be defined
+	// +optional
+	Optional *bool `json:"optional,omitempty" protobuf:"varint,2,opt,name=optional"`
+}
+
+// SecretEnvSource selects a Secret to populate the environment
+// variables with.
+//
+// The contents of the target Secret's Data field will represent the
+// key-value pairs as environment variables.
+type SecretEnvSource struct {
+	// The Secret to select from.
+	LocalObjectReference `json:",inline" protobuf:"bytes,1,opt,name=localObjectReference"`
+	// Specify whether the Secret must be defined
+	// +optional
+	Optional *bool `json:"optional,omitempty" protobuf:"varint,2,opt,name=optional"`
+}
+
+// HTTPHeader describes a custom header to be used in HTTP probes
+type HTTPHeader struct {
+	// The header field name
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// The header field value
+	Value string `json:"value" protobuf:"bytes,2,opt,name=value"`
+}
+
+// HTTPGetAction describes an action based on HTTP Get requests.
+type HTTPGetAction struct {
+	// Path to access on the HTTP server.
+	// +optional
+	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
+	// Name or number of the port to access on the container.
+	// Number must be in the range 1 to 65535.
+	// Name must be an IANA_SVC_NAME.
+	Port intstr.IntOrString `json:"port" protobuf:"bytes,2,opt,name=port"`
+	// Host name to connect to, defaults to the pod IP. You probably want to set
+	// "Host" in httpHeaders instead.
+	// +optional
+	Host string `json:"host,omitempty" protobuf:"bytes,3,opt,name=host"`
+	// Scheme to use for connecting to the host.
+	// Defaults to HTTP.
+	// +optional
+	Scheme URIScheme `json:"scheme,omitempty" protobuf:"bytes,4,opt,name=scheme,casttype=URIScheme"`
+	// Custom headers to set in the request. HTTP allows repeated headers.
+	// +optional
+	HTTPHeaders []HTTPHeader `json:"httpHeaders,omitempty" protobuf:"bytes,5,rep,name=httpHeaders"`
+}
+
+// URIScheme identifies the scheme used for connection to a host for Get actions
+type URIScheme string
+
+const (
+	// URISchemeHTTP means that the scheme used will be http://
+	URISchemeHTTP URIScheme = "HTTP"
+	// URISchemeHTTPS means that the scheme used will be https://
+	URISchemeHTTPS URIScheme = "HTTPS"
+)
+
+// TCPSocketAction describes an action based on opening a socket
+type TCPSocketAction struct {
+	// Number or name of the port to access on the container.
+	// Number must be in the range 1 to 65535.
+	// Name must be an IANA_SVC_NAME.
+	Port intstr.IntOrString `json:"port" protobuf:"bytes,1,opt,name=port"`
+	// Optional: Host name to connect to, defaults to the pod IP.
+	// +optional
+	Host string `json:"host,omitempty" protobuf:"bytes,2,opt,name=host"`
+}
+
+// ExecAction describes a "run in container" action.
+type ExecAction struct {
+	// Command is the command line to execute inside the container, the working directory for the
+	// command  is root ('/') in the container's filesystem. The command is simply exec'd, it is
+	// not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+	// a shell, you need to explicitly call out to that shell.
+	// Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+	// +optional
+	Command []string `json:"command,omitempty" protobuf:"bytes,1,rep,name=command"`
+}
+
+// Probe describes a health check to be performed against a container to determine whether it is
+// alive or ready to receive traffic.
+type Probe struct {
+	// The action taken to determine the health of a container
+	Handler `json:",inline" protobuf:"bytes,1,opt,name=handler"`
+	// Number of seconds after the container has started before liveness probes are initiated.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+	// +optional
+	InitialDelaySeconds int32 `json:"initialDelaySeconds,omitempty" protobuf:"varint,2,opt,name=initialDelaySeconds"`
+	// Number of seconds after which the probe times out.
+	// Defaults to 1 second. Minimum value is 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+	// +optional
+	TimeoutSeconds int32 `json:"timeoutSeconds,omitempty" protobuf:"varint,3,opt,name=timeoutSeconds"`
+	// How often (in seconds) to perform the probe.
+	// Default to 10 seconds. Minimum value is 1.
+	// +optional
+	PeriodSeconds int32 `json:"periodSeconds,omitempty" protobuf:"varint,4,opt,name=periodSeconds"`
+	// Minimum consecutive successes for the probe to be considered successful after having failed.
+	// Defaults to 1. Must be 1 for liveness. Minimum value is 1.
+	// +optional
+	SuccessThreshold int32 `json:"successThreshold,omitempty" protobuf:"varint,5,opt,name=successThreshold"`
+	// Minimum consecutive failures for the probe to be considered failed after having succeeded.
+	// Defaults to 3. Minimum value is 1.
+	// +optional
+	FailureThreshold int32 `json:"failureThreshold,omitempty" protobuf:"varint,6,opt,name=failureThreshold"`
+}
+
+// PullPolicy describes a policy for if/when to pull a container image
+type PullPolicy string
+
+const (
+	// PullAlways means that kubelet always attempts to pull the latest image. Container will fail If the pull fails.
+	PullAlways PullPolicy = "Always"
+	// PullNever means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present
+	PullNever PullPolicy = "Never"
+	// PullIfNotPresent means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails.
+	PullIfNotPresent PullPolicy = "IfNotPresent"
+)
+
+// TerminationMessagePolicy describes how termination messages are retrieved from a container.
+type TerminationMessagePolicy string
+
+const (
+	// TerminationMessageReadFile is the default behavior and will set the container status message to
+	// the contents of the container's terminationMessagePath when the container exits.
+	TerminationMessageReadFile TerminationMessagePolicy = "File"
+	// TerminationMessageFallbackToLogsOnError will read the most recent contents of the container logs
+	// for the container status message when the container exits with an error and the
+	// terminationMessagePath has no contents.
+	TerminationMessageFallbackToLogsOnError TerminationMessagePolicy = "FallbackToLogsOnError"
+)
+
+// Capability represent POSIX capabilities type
+type Capability string
+
+// Adds and removes POSIX capabilities from running containers.
+type Capabilities struct {
+	// Added capabilities
+	// +optional
+	Add []Capability `json:"add,omitempty" protobuf:"bytes,1,rep,name=add,casttype=Capability"`
+	// Removed capabilities
+	// +optional
+	Drop []Capability `json:"drop,omitempty" protobuf:"bytes,2,rep,name=drop,casttype=Capability"`
+}
+
+// ResourceRequirements describes the compute resource requirements.
+type ResourceRequirements struct {
+	// Limits describes the maximum amount of compute resources allowed.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+	// +optional
+	Limits ResourceList `json:"limits,omitempty" protobuf:"bytes,1,rep,name=limits,casttype=ResourceList,castkey=ResourceName"`
+	// Requests describes the minimum amount of compute resources required.
+	// If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+	// otherwise to an implementation-defined value.
+	// More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+	// +optional
+	Requests ResourceList `json:"requests,omitempty" protobuf:"bytes,2,rep,name=requests,casttype=ResourceList,castkey=ResourceName"`
+}
+
+const (
+	// TerminationMessagePathDefault means the default path to capture the application termination message running in a container
+	TerminationMessagePathDefault string = "/dev/termination-log"
+)
+
+// A single application container that you want to run within a pod.
+type Container struct {
+	// Name of the container specified as a DNS_LABEL.
+	// Each container in a pod must have a unique name (DNS_LABEL).
+	// Cannot be updated.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// Docker image name.
+	// More info: https://kubernetes.io/docs/concepts/containers/images
+	// This field is optional to allow higher level config management to default or override
+	// container images in workload controllers like Deployments and StatefulSets.
+	// +optional
+	Image string `json:"image,omitempty" protobuf:"bytes,2,opt,name=image"`
+	// Entrypoint array. Not executed within a shell.
+	// The docker image's ENTRYPOINT is used if this is not provided.
+	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+	// cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax
+	// can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded,
+	// regardless of whether the variable exists or not.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+	// +optional
+	Command []string `json:"command,omitempty" protobuf:"bytes,3,rep,name=command"`
+	// Arguments to the entrypoint.
+	// The docker image's CMD is used if this is not provided.
+	// Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+	// cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax
+	// can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded,
+	// regardless of whether the variable exists or not.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+	// +optional
+	Args []string `json:"args,omitempty" protobuf:"bytes,4,rep,name=args"`
+	// Container's working directory.
+	// If not specified, the container runtime's default will be used, which
+	// might be configured in the container image.
+	// Cannot be updated.
+	// +optional
+	WorkingDir string `json:"workingDir,omitempty" protobuf:"bytes,5,opt,name=workingDir"`
+	// List of ports to expose from the container. Exposing a port here gives
+	// the system additional information about the network connections a
+	// container uses, but is primarily informational. Not specifying a port here
+	// DOES NOT prevent that port from being exposed. Any port which is
+	// listening on the default "0.0.0.0" address inside a container will be
+	// accessible from the network.
+	// Cannot be updated.
+	// +optional
+	// +patchMergeKey=containerPort
+	// +patchStrategy=merge
+	Ports []ContainerPort `json:"ports,omitempty" patchStrategy:"merge" patchMergeKey:"containerPort" protobuf:"bytes,6,rep,name=ports"`
+	// List of sources to populate environment variables in the container.
+	// The keys defined within a source must be a C_IDENTIFIER. All invalid keys
+	// will be reported as an event when the container is starting. When a key exists in multiple
+	// sources, the value associated with the last source will take precedence.
+	// Values defined by an Env with a duplicate key will take precedence.
+	// Cannot be updated.
+	// +optional
+	EnvFrom []EnvFromSource `json:"envFrom,omitempty" protobuf:"bytes,19,rep,name=envFrom"`
+	// List of environment variables to set in the container.
+	// Cannot be updated.
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	Env []EnvVar `json:"env,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,7,rep,name=env"`
+	// Compute Resources required by this container.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+	// +optional
+	Resources ResourceRequirements `json:"resources,omitempty" protobuf:"bytes,8,opt,name=resources"`
+	// Pod volumes to mount into the container's filesystem.
+	// Cannot be updated.
+	// +optional
+	// +patchMergeKey=mountPath
+	// +patchStrategy=merge
+	VolumeMounts []VolumeMount `json:"volumeMounts,omitempty" patchStrategy:"merge" patchMergeKey:"mountPath" protobuf:"bytes,9,rep,name=volumeMounts"`
+	// Periodic probe of container liveness.
+	// Container will be restarted if the probe fails.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+	// +optional
+	LivenessProbe *Probe `json:"livenessProbe,omitempty" protobuf:"bytes,10,opt,name=livenessProbe"`
+	// Periodic probe of container service readiness.
+	// Container will be removed from service endpoints if the probe fails.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+	// +optional
+	ReadinessProbe *Probe `json:"readinessProbe,omitempty" protobuf:"bytes,11,opt,name=readinessProbe"`
+	// Actions that the management system should take in response to container lifecycle events.
+	// Cannot be updated.
+	// +optional
+	Lifecycle *Lifecycle `json:"lifecycle,omitempty" protobuf:"bytes,12,opt,name=lifecycle"`
+	// Optional: Path at which the file to which the container's termination message
+	// will be written is mounted into the container's filesystem.
+	// Message written is intended to be brief final status, such as an assertion failure message.
+	// Will be truncated by the node if greater than 4096 bytes. The total message length across
+	// all containers will be limited to 12kb.
+	// Defaults to /dev/termination-log.
+	// Cannot be updated.
+	// +optional
+	TerminationMessagePath string `json:"terminationMessagePath,omitempty" protobuf:"bytes,13,opt,name=terminationMessagePath"`
+	// Indicate how the termination message should be populated. File will use the contents of
+	// terminationMessagePath to populate the container status message on both success and failure.
+	// FallbackToLogsOnError will use the last chunk of container log output if the termination
+	// message file is empty and the container exited with an error.
+	// The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
+	// Defaults to File.
+	// Cannot be updated.
+	// +optional
+	TerminationMessagePolicy TerminationMessagePolicy `json:"terminationMessagePolicy,omitempty" protobuf:"bytes,20,opt,name=terminationMessagePolicy,casttype=TerminationMessagePolicy"`
+	// Image pull policy.
+	// One of Always, Never, IfNotPresent.
+	// Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+	// +optional
+	ImagePullPolicy PullPolicy `json:"imagePullPolicy,omitempty" protobuf:"bytes,14,opt,name=imagePullPolicy,casttype=PullPolicy"`
+	// Security options the pod should run with.
+	// More info: https://kubernetes.io/docs/concepts/policy/security-context/
+	// More info: https://git.k8s.io/community/contributors/design-proposals/security_context.md
+	// +optional
+	SecurityContext *SecurityContext `json:"securityContext,omitempty" protobuf:"bytes,15,opt,name=securityContext"`
+
+	// Variables for interactive containers, these have very specialized use-cases (e.g. debugging)
+	// and shouldn't be used for general purpose containers.
+
+	// Whether this container should allocate a buffer for stdin in the container runtime. If this
+	// is not set, reads from stdin in the container will always result in EOF.
+	// Default is false.
+	// +optional
+	Stdin bool `json:"stdin,omitempty" protobuf:"varint,16,opt,name=stdin"`
+	// Whether the container runtime should close the stdin channel after it has been opened by
+	// a single attach. When stdin is true the stdin stream will remain open across multiple attach
+	// sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
+	// first client attaches to stdin, and then remains open and accepts data until the client disconnects,
+	// at which time stdin is closed and remains closed until the container is restarted. If this
+	// flag is false, a container processes that reads from stdin will never receive an EOF.
+	// Default is false
+	// +optional
+	StdinOnce bool `json:"stdinOnce,omitempty" protobuf:"varint,17,opt,name=stdinOnce"`
+	// Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
+	// Default is false.
+	// +optional
+	TTY bool `json:"tty,omitempty" protobuf:"varint,18,opt,name=tty"`
+}
+
+// Handler defines a specific action that should be taken
+// TODO: pass structured data to these actions, and document that data here.
+type Handler struct {
+	// One and only one of the following should be specified.
+	// Exec specifies the action to take.
+	// +optional
+	Exec *ExecAction `json:"exec,omitempty" protobuf:"bytes,1,opt,name=exec"`
+	// HTTPGet specifies the http request to perform.
+	// +optional
+	HTTPGet *HTTPGetAction `json:"httpGet,omitempty" protobuf:"bytes,2,opt,name=httpGet"`
+	// TCPSocket specifies an action involving a TCP port.
+	// TCP hooks not yet supported
+	// TODO: implement a realistic TCP lifecycle hook
+	// +optional
+	TCPSocket *TCPSocketAction `json:"tcpSocket,omitempty" protobuf:"bytes,3,opt,name=tcpSocket"`
+}
+
+// Lifecycle describes actions that the management system should take in response to container lifecycle
+// events. For the PostStart and PreStop lifecycle handlers, management of the container blocks
+// until the action is complete, unless the container process fails, in which case the handler is aborted.
+type Lifecycle struct {
+	// PostStart is called immediately after a container is created. If the handler fails,
+	// the container is terminated and restarted according to its restart policy.
+	// Other management of the container blocks until the hook completes.
+	// More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+	// +optional
+	PostStart *Handler `json:"postStart,omitempty" protobuf:"bytes,1,opt,name=postStart"`
+	// PreStop is called immediately before a container is terminated.
+	// The container is terminated after the handler completes.
+	// The reason for termination is passed to the handler.
+	// Regardless of the outcome of the handler, the container is eventually terminated.
+	// Other management of the container blocks until the hook completes.
+	// More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+	// +optional
+	PreStop *Handler `json:"preStop,omitempty" protobuf:"bytes,2,opt,name=preStop"`
+}
+
+type ConditionStatus string
+
+// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
+// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
+// can't decide if a resource is in the condition or not. In the future, we could add other
+// intermediate conditions, e.g. ConditionDegraded.
+const (
+	ConditionTrue    ConditionStatus = "True"
+	ConditionFalse   ConditionStatus = "False"
+	ConditionUnknown ConditionStatus = "Unknown"
+)
+
+// ContainerStateWaiting is a waiting state of a container.
+type ContainerStateWaiting struct {
+	// (brief) reason the container is not yet running.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,1,opt,name=reason"`
+	// Message regarding why the container is not yet running.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,2,opt,name=message"`
+}
+
+// ContainerStateRunning is a running state of a container.
+type ContainerStateRunning struct {
+	// Time at which the container was last (re-)started
+	// +optional
+	StartedAt metav1.Time `json:"startedAt,omitempty" protobuf:"bytes,1,opt,name=startedAt"`
+}
+
+// ContainerStateTerminated is a terminated state of a container.
+type ContainerStateTerminated struct {
+	// Exit status from the last termination of the container
+	ExitCode int32 `json:"exitCode" protobuf:"varint,1,opt,name=exitCode"`
+	// Signal from the last termination of the container
+	// +optional
+	Signal int32 `json:"signal,omitempty" protobuf:"varint,2,opt,name=signal"`
+	// (brief) reason from the last termination of the container
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,3,opt,name=reason"`
+	// Message regarding the last termination of the container
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,4,opt,name=message"`
+	// Time at which previous execution of the container started
+	// +optional
+	StartedAt metav1.Time `json:"startedAt,omitempty" protobuf:"bytes,5,opt,name=startedAt"`
+	// Time at which the container last terminated
+	// +optional
+	FinishedAt metav1.Time `json:"finishedAt,omitempty" protobuf:"bytes,6,opt,name=finishedAt"`
+	// Container's ID in the format 'docker://<container_id>'
+	// +optional
+	ContainerID string `json:"containerID,omitempty" protobuf:"bytes,7,opt,name=containerID"`
+}
+
+// ContainerState holds a possible state of container.
+// Only one of its members may be specified.
+// If none of them is specified, the default one is ContainerStateWaiting.
+type ContainerState struct {
+	// Details about a waiting container
+	// +optional
+	Waiting *ContainerStateWaiting `json:"waiting,omitempty" protobuf:"bytes,1,opt,name=waiting"`
+	// Details about a running container
+	// +optional
+	Running *ContainerStateRunning `json:"running,omitempty" protobuf:"bytes,2,opt,name=running"`
+	// Details about a terminated container
+	// +optional
+	Terminated *ContainerStateTerminated `json:"terminated,omitempty" protobuf:"bytes,3,opt,name=terminated"`
+}
+
+// ContainerStatus contains details for the current status of this container.
+type ContainerStatus struct {
+	// This must be a DNS_LABEL. Each container in a pod must have a unique name.
+	// Cannot be updated.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// Details about the container's current condition.
+	// +optional
+	State ContainerState `json:"state,omitempty" protobuf:"bytes,2,opt,name=state"`
+	// Details about the container's last termination condition.
+	// +optional
+	LastTerminationState ContainerState `json:"lastState,omitempty" protobuf:"bytes,3,opt,name=lastState"`
+	// Specifies whether the container has passed its readiness probe.
+	Ready bool `json:"ready" protobuf:"varint,4,opt,name=ready"`
+	// The number of times the container has been restarted, currently based on
+	// the number of dead containers that have not yet been removed.
+	// Note that this is calculated from dead containers. But those containers are subject to
+	// garbage collection. This value will get capped at 5 by GC.
+	RestartCount int32 `json:"restartCount" protobuf:"varint,5,opt,name=restartCount"`
+	// The image the container is running.
+	// More info: https://kubernetes.io/docs/concepts/containers/images
+	// TODO(dchen1107): Which image the container is running with?
+	Image string `json:"image" protobuf:"bytes,6,opt,name=image"`
+	// ImageID of the container's image.
+	ImageID string `json:"imageID" protobuf:"bytes,7,opt,name=imageID"`
+	// Container's ID in the format 'docker://<container_id>'.
+	// +optional
+	ContainerID string `json:"containerID,omitempty" protobuf:"bytes,8,opt,name=containerID"`
+}
+
+// PodPhase is a label for the condition of a pod at the current time.
+type PodPhase string
+
+// These are the valid statuses of pods.
+const (
+	// PodPending means the pod has been accepted by the system, but one or more of the containers
+	// has not been started. This includes time before being bound to a node, as well as time spent
+	// pulling images onto the host.
+	PodPending PodPhase = "Pending"
+	// PodRunning means the pod has been bound to a node and all of the containers have been started.
+	// At least one container is still running or is in the process of being restarted.
+	PodRunning PodPhase = "Running"
+	// PodSucceeded means that all containers in the pod have voluntarily terminated
+	// with a container exit code of 0, and the system is not going to restart any of these containers.
+	PodSucceeded PodPhase = "Succeeded"
+	// PodFailed means that all containers in the pod have terminated, and at least one container has
+	// terminated in a failure (exited with a non-zero exit code or was stopped by the system).
+	PodFailed PodPhase = "Failed"
+	// PodUnknown means that for some reason the state of the pod could not be obtained, typically due
+	// to an error in communicating with the host of the pod.
+	PodUnknown PodPhase = "Unknown"
+)
+
+// PodConditionType is a valid value for PodCondition.Type
+type PodConditionType string
+
+// These are valid conditions of pod.
+const (
+	// PodScheduled represents status of the scheduling process for this pod.
+	PodScheduled PodConditionType = "PodScheduled"
+	// PodReady means the pod is able to service requests and should be added to the
+	// load balancing pools of all matching services.
+	PodReady PodConditionType = "Ready"
+	// PodInitialized means that all init containers in the pod have started successfully.
+	PodInitialized PodConditionType = "Initialized"
+	// PodReasonUnschedulable reason in PodScheduled PodCondition means that the scheduler
+	// can't schedule the pod right now, for example due to insufficient resources in the cluster.
+	PodReasonUnschedulable = "Unschedulable"
+)
+
+// PodCondition contains details for the current condition of this pod.
+type PodCondition struct {
+	// Type is the type of the condition.
+	// Currently only Ready.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
+	Type PodConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=PodConditionType"`
+	// Status is the status of the condition.
+	// Can be True, False, Unknown.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
+	Status ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=ConditionStatus"`
+	// Last time we probed the condition.
+	// +optional
+	LastProbeTime metav1.Time `json:"lastProbeTime,omitempty" protobuf:"bytes,3,opt,name=lastProbeTime"`
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,4,opt,name=lastTransitionTime"`
+	// Unique, one-word, CamelCase reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,5,opt,name=reason"`
+	// Human-readable message indicating details about last transition.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,6,opt,name=message"`
+}
+
+// RestartPolicy describes how the container should be restarted.
+// Only one of the following restart policies may be specified.
+// If none of the following policies is specified, the default one
+// is RestartPolicyAlways.
+type RestartPolicy string
+
+const (
+	RestartPolicyAlways    RestartPolicy = "Always"
+	RestartPolicyOnFailure RestartPolicy = "OnFailure"
+	RestartPolicyNever     RestartPolicy = "Never"
+)
+
+// DNSPolicy defines how a pod's DNS will be configured.
+type DNSPolicy string
+
+const (
+	// DNSClusterFirstWithHostNet indicates that the pod should use cluster DNS
+	// first, if it is available, then fall back on the default
+	// (as determined by kubelet) DNS settings.
+	DNSClusterFirstWithHostNet DNSPolicy = "ClusterFirstWithHostNet"
+
+	// DNSClusterFirst indicates that the pod should use cluster DNS
+	// first unless hostNetwork is true, if it is available, then
+	// fall back on the default (as determined by kubelet) DNS settings.
+	DNSClusterFirst DNSPolicy = "ClusterFirst"
+
+	// DNSDefault indicates that the pod should use the default (as
+	// determined by kubelet) DNS settings.
+	DNSDefault DNSPolicy = "Default"
+
+	DefaultTerminationGracePeriodSeconds = 30
+)
+
+// A node selector represents the union of the results of one or more label queries
+// over a set of nodes; that is, it represents the OR of the selectors represented
+// by the node selector terms.
+type NodeSelector struct {
+	//Required. A list of node selector terms. The terms are ORed.
+	NodeSelectorTerms []NodeSelectorTerm `json:"nodeSelectorTerms" protobuf:"bytes,1,rep,name=nodeSelectorTerms"`
+}
+
+// A null or empty node selector term matches no objects.
+type NodeSelectorTerm struct {
+	//Required. A list of node selector requirements. The requirements are ANDed.
+	MatchExpressions []NodeSelectorRequirement `json:"matchExpressions" protobuf:"bytes,1,rep,name=matchExpressions"`
+}
+
+// A node selector requirement is a selector that contains values, a key, and an operator
+// that relates the key and values.
+type NodeSelectorRequirement struct {
+	// The label key that the selector applies to.
+	Key string `json:"key" protobuf:"bytes,1,opt,name=key"`
+	// Represents a key's relationship to a set of values.
+	// Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+	Operator NodeSelectorOperator `json:"operator" protobuf:"bytes,2,opt,name=operator,casttype=NodeSelectorOperator"`
+	// An array of string values. If the operator is In or NotIn,
+	// the values array must be non-empty. If the operator is Exists or DoesNotExist,
+	// the values array must be empty. If the operator is Gt or Lt, the values
+	// array must have a single element, which will be interpreted as an integer.
+	// This array is replaced during a strategic merge patch.
+	// +optional
+	Values []string `json:"values,omitempty" protobuf:"bytes,3,rep,name=values"`
+}
+
+// A node selector operator is the set of operators that can be used in
+// a node selector requirement.
+type NodeSelectorOperator string
+
+const (
+	NodeSelectorOpIn           NodeSelectorOperator = "In"
+	NodeSelectorOpNotIn        NodeSelectorOperator = "NotIn"
+	NodeSelectorOpExists       NodeSelectorOperator = "Exists"
+	NodeSelectorOpDoesNotExist NodeSelectorOperator = "DoesNotExist"
+	NodeSelectorOpGt           NodeSelectorOperator = "Gt"
+	NodeSelectorOpLt           NodeSelectorOperator = "Lt"
+)
+
+// Affinity is a group of affinity scheduling rules.
+type Affinity struct {
+	// Describes node affinity scheduling rules for the pod.
+	// +optional
+	NodeAffinity *NodeAffinity `json:"nodeAffinity,omitempty" protobuf:"bytes,1,opt,name=nodeAffinity"`
+	// Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+	// +optional
+	PodAffinity *PodAffinity `json:"podAffinity,omitempty" protobuf:"bytes,2,opt,name=podAffinity"`
+	// Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+	// +optional
+	PodAntiAffinity *PodAntiAffinity `json:"podAntiAffinity,omitempty" protobuf:"bytes,3,opt,name=podAntiAffinity"`
+}
+
+// Pod affinity is a group of inter pod affinity scheduling rules.
+type PodAffinity struct {
+	// NOT YET IMPLEMENTED. TODO: Uncomment field once it is implemented.
+	// If the affinity requirements specified by this field are not met at
+	// scheduling time, the pod will not be scheduled onto the node.
+	// If the affinity requirements specified by this field cease to be met
+	// at some point during pod execution (e.g. due to a pod label update), the
+	// system will try to eventually evict the pod from its node.
+	// When there are multiple elements, the lists of nodes corresponding to each
+	// podAffinityTerm are intersected, i.e. all terms must be satisfied.
+	// +optional
+	// RequiredDuringSchedulingRequiredDuringExecution []PodAffinityTerm  `json:"requiredDuringSchedulingRequiredDuringExecution,omitempty"`
+
+	// If the affinity requirements specified by this field are not met at
+	// scheduling time, the pod will not be scheduled onto the node.
+	// If the affinity requirements specified by this field cease to be met
+	// at some point during pod execution (e.g. due to a pod label update), the
+	// system may or may not try to eventually evict the pod from its node.
+	// When there are multiple elements, the lists of nodes corresponding to each
+	// podAffinityTerm are intersected, i.e. all terms must be satisfied.
+	// +optional
+	RequiredDuringSchedulingIgnoredDuringExecution []PodAffinityTerm `json:"requiredDuringSchedulingIgnoredDuringExecution,omitempty" protobuf:"bytes,1,rep,name=requiredDuringSchedulingIgnoredDuringExecution"`
+	// The scheduler will prefer to schedule pods to nodes that satisfy
+	// the affinity expressions specified by this field, but it may choose
+	// a node that violates one or more of the expressions. The node that is
+	// most preferred is the one with the greatest sum of weights, i.e.
+	// for each node that meets all of the scheduling requirements (resource
+	// request, requiredDuringScheduling affinity expressions, etc.),
+	// compute a sum by iterating through the elements of this field and adding
+	// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+	// node(s) with the highest sum are the most preferred.
+	// +optional
+	PreferredDuringSchedulingIgnoredDuringExecution []WeightedPodAffinityTerm `json:"preferredDuringSchedulingIgnoredDuringExecution,omitempty" protobuf:"bytes,2,rep,name=preferredDuringSchedulingIgnoredDuringExecution"`
+}
+
+// Pod anti affinity is a group of inter pod anti affinity scheduling rules.
+type PodAntiAffinity struct {
+	// NOT YET IMPLEMENTED. TODO: Uncomment field once it is implemented.
+	// If the anti-affinity requirements specified by this field are not met at
+	// scheduling time, the pod will not be scheduled onto the node.
+	// If the anti-affinity requirements specified by this field cease to be met
+	// at some point during pod execution (e.g. due to a pod label update), the
+	// system will try to eventually evict the pod from its node.
+	// When there are multiple elements, the lists of nodes corresponding to each
+	// podAffinityTerm are intersected, i.e. all terms must be satisfied.
+	// +optional
+	// RequiredDuringSchedulingRequiredDuringExecution []PodAffinityTerm  `json:"requiredDuringSchedulingRequiredDuringExecution,omitempty"`
+
+	// If the anti-affinity requirements specified by this field are not met at
+	// scheduling time, the pod will not be scheduled onto the node.
+	// If the anti-affinity requirements specified by this field cease to be met
+	// at some point during pod execution (e.g. due to a pod label update), the
+	// system may or may not try to eventually evict the pod from its node.
+	// When there are multiple elements, the lists of nodes corresponding to each
+	// podAffinityTerm are intersected, i.e. all terms must be satisfied.
+	// +optional
+	RequiredDuringSchedulingIgnoredDuringExecution []PodAffinityTerm `json:"requiredDuringSchedulingIgnoredDuringExecution,omitempty" protobuf:"bytes,1,rep,name=requiredDuringSchedulingIgnoredDuringExecution"`
+	// The scheduler will prefer to schedule pods to nodes that satisfy
+	// the anti-affinity expressions specified by this field, but it may choose
+	// a node that violates one or more of the expressions. The node that is
+	// most preferred is the one with the greatest sum of weights, i.e.
+	// for each node that meets all of the scheduling requirements (resource
+	// request, requiredDuringScheduling anti-affinity expressions, etc.),
+	// compute a sum by iterating through the elements of this field and adding
+	// "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+	// node(s) with the highest sum are the most preferred.
+	// +optional
+	PreferredDuringSchedulingIgnoredDuringExecution []WeightedPodAffinityTerm `json:"preferredDuringSchedulingIgnoredDuringExecution,omitempty" protobuf:"bytes,2,rep,name=preferredDuringSchedulingIgnoredDuringExecution"`
+}
+
+// The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+type WeightedPodAffinityTerm struct {
+	// weight associated with matching the corresponding podAffinityTerm,
+	// in the range 1-100.
+	Weight int32 `json:"weight" protobuf:"varint,1,opt,name=weight"`
+	// Required. A pod affinity term, associated with the corresponding weight.
+	PodAffinityTerm PodAffinityTerm `json:"podAffinityTerm" protobuf:"bytes,2,opt,name=podAffinityTerm"`
+}
+
+// Defines a set of pods (namely those matching the labelSelector
+// relative to the given namespace(s)) that this pod should be
+// co-located (affinity) or not co-located (anti-affinity) with,
+// where co-located is defined as running on a node whose value of
+// the label with key <topologyKey> tches that of any node on which
+// a pod of the set of pods is running
+type PodAffinityTerm struct {
+	// A label query over a set of resources, in this case pods.
+	// +optional
+	LabelSelector *metav1.LabelSelector `json:"labelSelector,omitempty" protobuf:"bytes,1,opt,name=labelSelector"`
+	// namespaces specifies which namespaces the labelSelector applies to (matches against);
+	// null or empty list means "this pod's namespace"
+	Namespaces []string `json:"namespaces,omitempty" protobuf:"bytes,2,rep,name=namespaces"`
+	// This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+	// the labelSelector in the specified namespaces, where co-located is defined as running on a node
+	// whose value of the label with key topologyKey matches that of any node on which any of the
+	// selected pods is running.
+	// For PreferredDuringScheduling pod anti-affinity, empty topologyKey is interpreted as "all topologies"
+	// ("all topologies" here means all the topologyKeys indicated by scheduler command-line argument --failure-domains);
+	// for affinity and for RequiredDuringScheduling pod anti-affinity, empty topologyKey is not allowed.
+	// +optional
+	TopologyKey string `json:"topologyKey,omitempty" protobuf:"bytes,3,opt,name=topologyKey"`
+}
+
+// Node affinity is a group of node affinity scheduling rules.
+type NodeAffinity struct {
+	// NOT YET IMPLEMENTED. TODO: Uncomment field once it is implemented.
+	// If the affinity requirements specified by this field are not met at
+	// scheduling time, the pod will not be scheduled onto the node.
+	// If the affinity requirements specified by this field cease to be met
+	// at some point during pod execution (e.g. due to an update), the system
+	// will try to eventually evict the pod from its node.
+	// +optional
+	// RequiredDuringSchedulingRequiredDuringExecution *NodeSelector `json:"requiredDuringSchedulingRequiredDuringExecution,omitempty"`
+
+	// If the affinity requirements specified by this field are not met at
+	// scheduling time, the pod will not be scheduled onto the node.
+	// If the affinity requirements specified by this field cease to be met
+	// at some point during pod execution (e.g. due to an update), the system
+	// may or may not try to eventually evict the pod from its node.
+	// +optional
+	RequiredDuringSchedulingIgnoredDuringExecution *NodeSelector `json:"requiredDuringSchedulingIgnoredDuringExecution,omitempty" protobuf:"bytes,1,opt,name=requiredDuringSchedulingIgnoredDuringExecution"`
+	// The scheduler will prefer to schedule pods to nodes that satisfy
+	// the affinity expressions specified by this field, but it may choose
+	// a node that violates one or more of the expressions. The node that is
+	// most preferred is the one with the greatest sum of weights, i.e.
+	// for each node that meets all of the scheduling requirements (resource
+	// request, requiredDuringScheduling affinity expressions, etc.),
+	// compute a sum by iterating through the elements of this field and adding
+	// "weight" to the sum if the node matches the corresponding matchExpressions; the
+	// node(s) with the highest sum are the most preferred.
+	// +optional
+	PreferredDuringSchedulingIgnoredDuringExecution []PreferredSchedulingTerm `json:"preferredDuringSchedulingIgnoredDuringExecution,omitempty" protobuf:"bytes,2,rep,name=preferredDuringSchedulingIgnoredDuringExecution"`
+}
+
+// An empty preferred scheduling term matches all objects with implicit weight 0
+// (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+type PreferredSchedulingTerm struct {
+	// Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+	Weight int32 `json:"weight" protobuf:"varint,1,opt,name=weight"`
+	// A node selector term, associated with the corresponding weight.
+	Preference NodeSelectorTerm `json:"preference" protobuf:"bytes,2,opt,name=preference"`
+}
+
+// The node this Taint is attached to has the "effect" on
+// any pod that does not tolerate the Taint.
+type Taint struct {
+	// Required. The taint key to be applied to a node.
+	Key string `json:"key" protobuf:"bytes,1,opt,name=key"`
+	// Required. The taint value corresponding to the taint key.
+	// +optional
+	Value string `json:"value,omitempty" protobuf:"bytes,2,opt,name=value"`
+	// Required. The effect of the taint on pods
+	// that do not tolerate the taint.
+	// Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
+	Effect TaintEffect `json:"effect" protobuf:"bytes,3,opt,name=effect,casttype=TaintEffect"`
+	// TimeAdded represents the time at which the taint was added.
+	// It is only written for NoExecute taints.
+	// +optional
+	TimeAdded metav1.Time `json:"timeAdded,omitempty" protobuf:"bytes,4,opt,name=timeAdded"`
+}
+
+type TaintEffect string
+
+const (
+	// Do not allow new pods to schedule onto the node unless they tolerate the taint,
+	// but allow all pods submitted to Kubelet without going through the scheduler
+	// to start, and allow all already-running pods to continue running.
+	// Enforced by the scheduler.
+	TaintEffectNoSchedule TaintEffect = "NoSchedule"
+	// Like TaintEffectNoSchedule, but the scheduler tries not to schedule
+	// new pods onto the node, rather than prohibiting new pods from scheduling
+	// onto the node entirely. Enforced by the scheduler.
+	TaintEffectPreferNoSchedule TaintEffect = "PreferNoSchedule"
+	// NOT YET IMPLEMENTED. TODO: Uncomment field once it is implemented.
+	// Like TaintEffectNoSchedule, but additionally do not allow pods submitted to
+	// Kubelet without going through the scheduler to start.
+	// Enforced by Kubelet and the scheduler.
+	// TaintEffectNoScheduleNoAdmit TaintEffect = "NoScheduleNoAdmit"
+
+	// Evict any already-running pods that do not tolerate the taint.
+	// Currently enforced by NodeController.
+	TaintEffectNoExecute TaintEffect = "NoExecute"
+)
+
+// The pod this Toleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
+type Toleration struct {
+	// Key is the taint key that the toleration applies to. Empty means match all taint keys.
+	// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+	// +optional
+	Key string `json:"key,omitempty" protobuf:"bytes,1,opt,name=key"`
+	// Operator represents a key's relationship to the value.
+	// Valid operators are Exists and Equal. Defaults to Equal.
+	// Exists is equivalent to wildcard for value, so that a pod can
+	// tolerate all taints of a particular category.
+	// +optional
+	Operator TolerationOperator `json:"operator,omitempty" protobuf:"bytes,2,opt,name=operator,casttype=TolerationOperator"`
+	// Value is the taint value the toleration matches to.
+	// If the operator is Exists, the value should be empty, otherwise just a regular string.
+	// +optional
+	Value string `json:"value,omitempty" protobuf:"bytes,3,opt,name=value"`
+	// Effect indicates the taint effect to match. Empty means match all taint effects.
+	// When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+	// +optional
+	Effect TaintEffect `json:"effect,omitempty" protobuf:"bytes,4,opt,name=effect,casttype=TaintEffect"`
+	// TolerationSeconds represents the period of time the toleration (which must be
+	// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+	// it is not set, which means tolerate the taint forever (do not evict). Zero and
+	// negative values will be treated as 0 (evict immediately) by the system.
+	// +optional
+	TolerationSeconds *int64 `json:"tolerationSeconds,omitempty" protobuf:"varint,5,opt,name=tolerationSeconds"`
+}
+
+// A toleration operator is the set of operators that can be used in a toleration.
+type TolerationOperator string
+
+const (
+	TolerationOpExists TolerationOperator = "Exists"
+	TolerationOpEqual  TolerationOperator = "Equal"
+)
+
+// PodSpec is a description of a pod.
+type PodSpec struct {
+	// List of volumes that can be mounted by containers belonging to the pod.
+	// More info: https://kubernetes.io/docs/concepts/storage/volumes
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge,retainKeys
+	Volumes []Volume `json:"volumes,omitempty" patchStrategy:"merge,retainKeys" patchMergeKey:"name" protobuf:"bytes,1,rep,name=volumes"`
+	// List of initialization containers belonging to the pod.
+	// Init containers are executed in order prior to containers being started. If any
+	// init container fails, the pod is considered to have failed and is handled according
+	// to its restartPolicy. The name for an init container or normal container must be
+	// unique among all containers.
+	// Init containers may not have Lifecycle actions, Readiness probes, or Liveness probes.
+	// The resourceRequirements of an init container are taken into account during scheduling
+	// by finding the highest request/limit for each resource type, and then using the max of
+	// of that value or the sum of the normal containers. Limits are applied to init containers
+	// in a similar fashion.
+	// Init containers cannot currently be added or removed.
+	// Cannot be updated.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	InitContainers []Container `json:"initContainers,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,20,rep,name=initContainers"`
+	// List of containers belonging to the pod.
+	// Containers cannot currently be added or removed.
+	// There must be at least one container in a Pod.
+	// Cannot be updated.
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	Containers []Container `json:"containers" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,2,rep,name=containers"`
+	// Restart policy for all containers within the pod.
+	// One of Always, OnFailure, Never.
+	// Default to Always.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
+	// +optional
+	RestartPolicy RestartPolicy `json:"restartPolicy,omitempty" protobuf:"bytes,3,opt,name=restartPolicy,casttype=RestartPolicy"`
+	// Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request.
+	// Value must be non-negative integer. The value zero indicates delete immediately.
+	// If this value is nil, the default grace period will be used instead.
+	// The grace period is the duration in seconds after the processes running in the pod are sent
+	// a termination signal and the time when the processes are forcibly halted with a kill signal.
+	// Set this value longer than the expected cleanup time for your process.
+	// Defaults to 30 seconds.
+	// +optional
+	TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty" protobuf:"varint,4,opt,name=terminationGracePeriodSeconds"`
+	// Optional duration in seconds the pod may be active on the node relative to
+	// StartTime before the system will actively try to mark it failed and kill associated containers.
+	// Value must be a positive integer.
+	// +optional
+	ActiveDeadlineSeconds *int64 `json:"activeDeadlineSeconds,omitempty" protobuf:"varint,5,opt,name=activeDeadlineSeconds"`
+	// Set DNS policy for containers within the pod.
+	// One of 'ClusterFirstWithHostNet', 'ClusterFirst' or 'Default'.
+	// Defaults to "ClusterFirst".
+	// To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.
+	// +optional
+	DNSPolicy DNSPolicy `json:"dnsPolicy,omitempty" protobuf:"bytes,6,opt,name=dnsPolicy,casttype=DNSPolicy"`
+	// NodeSelector is a selector which must be true for the pod to fit on a node.
+	// Selector which must match a node's labels for the pod to be scheduled on that node.
+	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+	// +optional
+	NodeSelector map[string]string `json:"nodeSelector,omitempty" protobuf:"bytes,7,rep,name=nodeSelector"`
+
+	// ServiceAccountName is the name of the ServiceAccount to use to run this pod.
+	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+	// +optional
+	ServiceAccountName string `json:"serviceAccountName,omitempty" protobuf:"bytes,8,opt,name=serviceAccountName"`
+	// DeprecatedServiceAccount is a depreciated alias for ServiceAccountName.
+	// Deprecated: Use serviceAccountName instead.
+	// +k8s:conversion-gen=false
+	// +optional
+	DeprecatedServiceAccount string `json:"serviceAccount,omitempty" protobuf:"bytes,9,opt,name=serviceAccount"`
+	// AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
+	// +optional
+	AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty" protobuf:"varint,21,opt,name=automountServiceAccountToken"`
+
+	// NodeName is a request to schedule this pod onto a specific node. If it is non-empty,
+	// the scheduler simply schedules this pod onto that node, assuming that it fits resource
+	// requirements.
+	// +optional
+	NodeName string `json:"nodeName,omitempty" protobuf:"bytes,10,opt,name=nodeName"`
+	// Host networking requested for this pod. Use the host's network namespace.
+	// If this option is set, the ports that will be used must be specified.
+	// Default to false.
+	// +k8s:conversion-gen=false
+	// +optional
+	HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,11,opt,name=hostNetwork"`
+	// Use the host's pid namespace.
+	// Optional: Default to false.
+	// +k8s:conversion-gen=false
+	// +optional
+	HostPID bool `json:"hostPID,omitempty" protobuf:"varint,12,opt,name=hostPID"`
+	// Use the host's ipc namespace.
+	// Optional: Default to false.
+	// +k8s:conversion-gen=false
+	// +optional
+	HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,13,opt,name=hostIPC"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// Optional: Defaults to empty.  See type description for default values of each field.
+	// +optional
+	SecurityContext *PodSecurityContext `json:"securityContext,omitempty" protobuf:"bytes,14,opt,name=securityContext"`
+	// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
+	// If specified, these secrets will be passed to individual puller implementations for them to use. For example,
+	// in the case of docker, only DockerConfig type secrets are honored.
+	// More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	ImagePullSecrets []LocalObjectReference `json:"imagePullSecrets,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,15,rep,name=imagePullSecrets"`
+	// Specifies the hostname of the Pod
+	// If not specified, the pod's hostname will be set to a system-defined value.
+	// +optional
+	Hostname string `json:"hostname,omitempty" protobuf:"bytes,16,opt,name=hostname"`
+	// If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>".
+	// If not specified, the pod will not have a domainname at all.
+	// +optional
+	Subdomain string `json:"subdomain,omitempty" protobuf:"bytes,17,opt,name=subdomain"`
+	// If specified, the pod's scheduling constraints
+	// +optional
+	Affinity *Affinity `json:"affinity,omitempty" protobuf:"bytes,18,opt,name=affinity"`
+	// If specified, the pod will be dispatched by specified scheduler.
+	// If not specified, the pod will be dispatched by default scheduler.
+	// +optional
+	SchedulerName string `json:"schedulerName,omitempty" protobuf:"bytes,19,opt,name=schedulerName"`
+	// If specified, the pod's tolerations.
+	// +optional
+	Tolerations []Toleration `json:"tolerations,omitempty" protobuf:"bytes,22,opt,name=tolerations"`
+	// HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts
+	// file if specified. This is only valid for non-hostNetwork pods.
+	// +optional
+	// +patchMergeKey=ip
+	// +patchStrategy=merge
+	HostAliases []HostAlias `json:"hostAliases,omitempty" patchStrategy:"merge" patchMergeKey:"ip" protobuf:"bytes,23,rep,name=hostAliases"`
+	// If specified, indicates the pod's priority. "SYSTEM" is a special keyword
+	// which indicates the highest priority. Any other name must be defined by
+	// creating a PriorityClass object with that name.
+	// If not specified, the pod priority will be default or zero if there is no
+	// default.
+	// +optional
+	PriorityClassName string `json:"priorityClassName,omitempty" protobuf:"bytes,24,opt,name=priorityClassName"`
+	// The priority value. Various system components use this field to find the
+	// priority of the pod. When Priority Admission Controller is enabled, it
+	// prevents users from setting this field. The admission controller populates
+	// this field from PriorityClassName.
+	// The higher the value, the higher the priority.
+	// +optional
+	Priority *int32 `json:"priority,omitempty" protobuf:"bytes,25,opt,name=priority"`
+}
+
+// HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the
+// pod's hosts file.
+type HostAlias struct {
+	// IP address of the host file entry.
+	IP string `json:"ip,omitempty" protobuf:"bytes,1,opt,name=ip"`
+	// Hostnames for the above IP address.
+	Hostnames []string `json:"hostnames,omitempty" protobuf:"bytes,2,rep,name=hostnames"`
+}
+
+// PodSecurityContext holds pod-level security attributes and common container settings.
+// Some fields are also present in container.securityContext.  Field values of
+// container.securityContext take precedence over field values of PodSecurityContext.
+type PodSecurityContext struct {
+	// The SELinux context to be applied to all containers.
+	// If unspecified, the container runtime will allocate a random SELinux context for each
+	// container.  May also be set in SecurityContext.  If set in
+	// both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+	// takes precedence for that container.
+	// +optional
+	SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,1,opt,name=seLinuxOptions"`
+	// The UID to run the entrypoint of the container process.
+	// Defaults to user specified in image metadata if unspecified.
+	// May also be set in SecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence
+	// for that container.
+	// +optional
+	RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser"`
+	// Indicates that the container must run as a non-root user.
+	// If true, the Kubelet will validate the image at runtime to ensure that it
+	// does not run as UID 0 (root) and fail to start the container if it does.
+	// If unset or false, no such validation will be performed.
+	// May also be set in SecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	// +optional
+	RunAsNonRoot *bool `json:"runAsNonRoot,omitempty" protobuf:"varint,3,opt,name=runAsNonRoot"`
+	// A list of groups applied to the first process run in each container, in addition
+	// to the container's primary GID.  If unspecified, no groups will be added to
+	// any container.
+	// +optional
+	SupplementalGroups []int64 `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups"`
+	// A special supplemental group that applies to all containers in a pod.
+	// Some volume types allow the Kubelet to change the ownership of that volume
+	// to be owned by the pod:
+	//
+	// 1. The owning GID will be the FSGroup
+	// 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+	// 3. The permission bits are OR'd with rw-rw----
+	//
+	// If unset, the Kubelet will not modify the ownership and permissions of any volume.
+	// +optional
+	FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"`
+}
+
+// PodQOSClass defines the supported qos classes of Pods.
+type PodQOSClass string
+
+const (
+	// PodQOSGuaranteed is the Guaranteed qos class.
+	PodQOSGuaranteed PodQOSClass = "Guaranteed"
+	// PodQOSBurstable is the Burstable qos class.
+	PodQOSBurstable PodQOSClass = "Burstable"
+	// PodQOSBestEffort is the BestEffort qos class.
+	PodQOSBestEffort PodQOSClass = "BestEffort"
+)
+
+// PodStatus represents information about the status of a pod. Status may trail the actual
+// state of a system.
+type PodStatus struct {
+	// Current condition of the pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase
+	// +optional
+	Phase PodPhase `json:"phase,omitempty" protobuf:"bytes,1,opt,name=phase,casttype=PodPhase"`
+	// Current service state of pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []PodCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,2,rep,name=conditions"`
+	// A human readable message indicating details about why the pod is in this condition.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,3,opt,name=message"`
+	// A brief CamelCase message indicating details about why the pod is in this state.
+	// e.g. 'Evicted'
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
+
+	// IP address of the host to which the pod is assigned. Empty if not yet scheduled.
+	// +optional
+	HostIP string `json:"hostIP,omitempty" protobuf:"bytes,5,opt,name=hostIP"`
+	// IP address allocated to the pod. Routable at least within the cluster.
+	// Empty if not yet allocated.
+	// +optional
+	PodIP string `json:"podIP,omitempty" protobuf:"bytes,6,opt,name=podIP"`
+
+	// RFC 3339 date and time at which the object was acknowledged by the Kubelet.
+	// This is before the Kubelet pulled the container image(s) for the pod.
+	// +optional
+	StartTime *metav1.Time `json:"startTime,omitempty" protobuf:"bytes,7,opt,name=startTime"`
+
+	// The list has one entry per init container in the manifest. The most recent successful
+	// init container will have ready = true, the most recently started container will have
+	// startTime set.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status
+	InitContainerStatuses []ContainerStatus `json:"initContainerStatuses,omitempty" protobuf:"bytes,10,rep,name=initContainerStatuses"`
+
+	// The list has one entry per container in the manifest. Each entry is currently the output
+	// of `docker inspect`.
+	// More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status
+	// +optional
+	ContainerStatuses []ContainerStatus `json:"containerStatuses,omitempty" protobuf:"bytes,8,rep,name=containerStatuses"`
+	// The Quality of Service (QOS) classification assigned to the pod based on resource requirements
+	// See PodQOSClass type for available QOS classes
+	// More info: https://github.com/kubernetes/kubernetes/blob/master/docs/design/resource-qos.md
+	// +optional
+	QOSClass PodQOSClass `json:"qosClass,omitempty" protobuf:"bytes,9,rep,name=qosClass"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded
+type PodStatusResult struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	// Most recently observed status of the pod.
+	// This data may not be up to date.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status PodStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Pod is a collection of containers that can run on a host. This resource is created
+// by clients and scheduled onto hosts.
+type Pod struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of the pod.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec PodSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Most recently observed status of the pod.
+	// This data may not be up to date.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status PodStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodList is a list of Pods.
+type PodList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of pods.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md
+	Items []Pod `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// PodTemplateSpec describes the data a pod should have when created from a template
+type PodTemplateSpec struct {
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of the pod.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec PodSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodTemplate describes a template for creating copies of a predefined pod.
+type PodTemplate struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Template defines the pods that will be created from this pod template.
+	// https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Template PodTemplateSpec `json:"template,omitempty" protobuf:"bytes,2,opt,name=template"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodTemplateList is a list of PodTemplates.
+type PodTemplateList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of pod templates
+	Items []PodTemplate `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// ReplicationControllerSpec is the specification of a replication controller.
+type ReplicationControllerSpec struct {
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	MinReadySeconds int32 `json:"minReadySeconds,omitempty" protobuf:"varint,4,opt,name=minReadySeconds"`
+
+	// Selector is a label query over pods that should match the Replicas count.
+	// If Selector is empty, it is defaulted to the labels present on the Pod template.
+	// Label keys and values that must match in order to be controlled by this replication
+	// controller, if empty defaulted to labels on Pod template.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	Selector map[string]string `json:"selector,omitempty" protobuf:"bytes,2,rep,name=selector"`
+
+	// TemplateRef is a reference to an object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// Reference to an object that describes the pod that will be created if insufficient replicas are detected.
+	// +optional
+	// TemplateRef *ObjectReference `json:"templateRef,omitempty"`
+
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. This takes precedence over a TemplateRef.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	// +optional
+	Template *PodTemplateSpec `json:"template,omitempty" protobuf:"bytes,3,opt,name=template"`
+}
+
+// ReplicationControllerStatus represents the current status of a replication
+// controller.
+type ReplicationControllerStatus struct {
+	// Replicas is the most recently oberved number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller
+	Replicas int32 `json:"replicas" protobuf:"varint,1,opt,name=replicas"`
+
+	// The number of pods that have labels matching the labels of the pod template of the replication controller.
+	// +optional
+	FullyLabeledReplicas int32 `json:"fullyLabeledReplicas,omitempty" protobuf:"varint,2,opt,name=fullyLabeledReplicas"`
+
+	// The number of ready replicas for this replication controller.
+	// +optional
+	ReadyReplicas int32 `json:"readyReplicas,omitempty" protobuf:"varint,4,opt,name=readyReplicas"`
+
+	// The number of available replicas (ready for at least minReadySeconds) for this replication controller.
+	// +optional
+	AvailableReplicas int32 `json:"availableReplicas,omitempty" protobuf:"varint,5,opt,name=availableReplicas"`
+
+	// ObservedGeneration reflects the generation of the most recently observed replication controller.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,3,opt,name=observedGeneration"`
+
+	// Represents the latest available observations of a replication controller's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []ReplicationControllerCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,6,rep,name=conditions"`
+}
+
+type ReplicationControllerConditionType string
+
+// These are valid conditions of a replication controller.
+const (
+	// ReplicationControllerReplicaFailure is added in a replication controller when one of its pods
+	// fails to be created due to insufficient quota, limit ranges, pod security policy, node selectors,
+	// etc. or deleted due to kubelet being down or finalizers are failing.
+	ReplicationControllerReplicaFailure ReplicationControllerConditionType = "ReplicaFailure"
+)
+
+// ReplicationControllerCondition describes the state of a replication controller at a certain point.
+type ReplicationControllerCondition struct {
+	// Type of replication controller condition.
+	Type ReplicationControllerConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=ReplicationControllerConditionType"`
+	// Status of the condition, one of True, False, Unknown.
+	Status ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=ConditionStatus"`
+	// The last time the condition transitioned from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,3,opt,name=lastTransitionTime"`
+	// The reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
+	// A human readable message indicating details about the transition.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+}
+
+// +genclient
+// +genclient:method=GetScale,verb=get,subresource=scale,result=k8s.io/api/extensions/v1beta1.Scale
+// +genclient:method=UpdateScale,verb=update,subresource=scale,input=k8s.io/api/extensions/v1beta1.Scale,result=k8s.io/api/extensions/v1beta1.Scale
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ReplicationController represents the configuration of a replication controller.
+type ReplicationController struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// If the Labels of a ReplicationController are empty, they are defaulted to
+	// be the same as the Pod(s) that the replication controller manages.
+	// Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the specification of the desired behavior of the replication controller.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec ReplicationControllerSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is the most recently observed status of the replication controller.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status ReplicationControllerStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ReplicationControllerList is a collection of replication controllers.
+type ReplicationControllerList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of replication controllers.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+	Items []ReplicationController `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// Session Affinity Type string
+type ServiceAffinity string
+
+const (
+	// ServiceAffinityClientIP is the Client IP based.
+	ServiceAffinityClientIP ServiceAffinity = "ClientIP"
+
+	// ServiceAffinityNone - no session affinity.
+	ServiceAffinityNone ServiceAffinity = "None"
+)
+
+const DefaultClientIPServiceAffinitySeconds int32 = 10800
+
+// SessionAffinityConfig represents the configurations of session affinity.
+type SessionAffinityConfig struct {
+	// clientIP contains the configurations of Client IP based session affinity.
+	// +optional
+	ClientIP *ClientIPConfig `json:"clientIP,omitempty" protobuf:"bytes,1,opt,name=clientIP"`
+}
+
+// ClientIPConfig represents the configurations of Client IP based session affinity.
+type ClientIPConfig struct {
+	// timeoutSeconds specifies the seconds of ClientIP type session sticky time.
+	// The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP".
+	// Default value is 10800(for 3 hours).
+	// +optional
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty" protobuf:"varint,1,opt,name=timeoutSeconds"`
+}
+
+// Service Type string describes ingress methods for a service
+type ServiceType string
+
+const (
+	// ServiceTypeClusterIP means a service will only be accessible inside the
+	// cluster, via the cluster IP.
+	ServiceTypeClusterIP ServiceType = "ClusterIP"
+
+	// ServiceTypeNodePort means a service will be exposed on one port of
+	// every node, in addition to 'ClusterIP' type.
+	ServiceTypeNodePort ServiceType = "NodePort"
+
+	// ServiceTypeLoadBalancer means a service will be exposed via an
+	// external load balancer (if the cloud provider supports it), in addition
+	// to 'NodePort' type.
+	ServiceTypeLoadBalancer ServiceType = "LoadBalancer"
+
+	// ServiceTypeExternalName means a service consists of only a reference to
+	// an external name that kubedns or equivalent will return as a CNAME
+	// record, with no exposing or proxying of any pods involved.
+	ServiceTypeExternalName ServiceType = "ExternalName"
+)
+
+// Service External Traffic Policy Type string
+type ServiceExternalTrafficPolicyType string
+
+const (
+	// ServiceExternalTrafficPolicyTypeLocal specifies node-local endpoints behavior.
+	ServiceExternalTrafficPolicyTypeLocal ServiceExternalTrafficPolicyType = "Local"
+	// ServiceExternalTrafficPolicyTypeCluster specifies node-global (legacy) behavior.
+	ServiceExternalTrafficPolicyTypeCluster ServiceExternalTrafficPolicyType = "Cluster"
+)
+
+// ServiceStatus represents the current status of a service.
+type ServiceStatus struct {
+	// LoadBalancer contains the current status of the load-balancer,
+	// if one is present.
+	// +optional
+	LoadBalancer LoadBalancerStatus `json:"loadBalancer,omitempty" protobuf:"bytes,1,opt,name=loadBalancer"`
+}
+
+// LoadBalancerStatus represents the status of a load-balancer.
+type LoadBalancerStatus struct {
+	// Ingress is a list containing ingress points for the load-balancer.
+	// Traffic intended for the service should be sent to these ingress points.
+	// +optional
+	Ingress []LoadBalancerIngress `json:"ingress,omitempty" protobuf:"bytes,1,rep,name=ingress"`
+}
+
+// LoadBalancerIngress represents the status of a load-balancer ingress point:
+// traffic intended for the service should be sent to an ingress point.
+type LoadBalancerIngress struct {
+	// IP is set for load-balancer ingress points that are IP based
+	// (typically GCE or OpenStack load-balancers)
+	// +optional
+	IP string `json:"ip,omitempty" protobuf:"bytes,1,opt,name=ip"`
+
+	// Hostname is set for load-balancer ingress points that are DNS based
+	// (typically AWS load-balancers)
+	// +optional
+	Hostname string `json:"hostname,omitempty" protobuf:"bytes,2,opt,name=hostname"`
+}
+
+// ServiceSpec describes the attributes that a user creates on a service.
+type ServiceSpec struct {
+	// The list of ports that are exposed by this service.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+	// +patchMergeKey=port
+	// +patchStrategy=merge
+	Ports []ServicePort `json:"ports,omitempty" patchStrategy:"merge" patchMergeKey:"port" protobuf:"bytes,1,rep,name=ports"`
+
+	// Route service traffic to pods with label keys and values matching this
+	// selector. If empty or not present, the service is assumed to have an
+	// external process managing its endpoints, which Kubernetes will not
+	// modify. Only applies to types ClusterIP, NodePort, and LoadBalancer.
+	// Ignored if type is ExternalName.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/
+	// +optional
+	Selector map[string]string `json:"selector,omitempty" protobuf:"bytes,2,rep,name=selector"`
+
+	// clusterIP is the IP address of the service and is usually assigned
+	// randomly by the master. If an address is specified manually and is not in
+	// use by others, it will be allocated to the service; otherwise, creation
+	// of the service will fail. This field can not be changed through updates.
+	// Valid values are "None", empty string (""), or a valid IP address. "None"
+	// can be specified for headless services when proxying is not required.
+	// Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if
+	// type is ExternalName.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+	// +optional
+	ClusterIP string `json:"clusterIP,omitempty" protobuf:"bytes,3,opt,name=clusterIP"`
+
+	// type determines how the Service is exposed. Defaults to ClusterIP. Valid
+	// options are ExternalName, ClusterIP, NodePort, and LoadBalancer.
+	// "ExternalName" maps to the specified externalName.
+	// "ClusterIP" allocates a cluster-internal IP address for load-balancing to
+	// endpoints. Endpoints are determined by the selector or if that is not
+	// specified, by manual construction of an Endpoints object. If clusterIP is
+	// "None", no virtual IP is allocated and the endpoints are published as a
+	// set of endpoints rather than a stable IP.
+	// "NodePort" builds on ClusterIP and allocates a port on every node which
+	// routes to the clusterIP.
+	// "LoadBalancer" builds on NodePort and creates an
+	// external load-balancer (if supported in the current cloud) which routes
+	// to the clusterIP.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services---service-types
+	// +optional
+	Type ServiceType `json:"type,omitempty" protobuf:"bytes,4,opt,name=type,casttype=ServiceType"`
+
+	// externalIPs is a list of IP addresses for which nodes in the cluster
+	// will also accept traffic for this service.  These IPs are not managed by
+	// Kubernetes.  The user is responsible for ensuring that traffic arrives
+	// at a node with this IP.  A common example is external load-balancers
+	// that are not part of the Kubernetes system.
+	// +optional
+	ExternalIPs []string `json:"externalIPs,omitempty" protobuf:"bytes,5,rep,name=externalIPs"`
+
+	// Supports "ClientIP" and "None". Used to maintain session affinity.
+	// Enable client IP based session affinity.
+	// Must be ClientIP or None.
+	// Defaults to None.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+	// +optional
+	SessionAffinity ServiceAffinity `json:"sessionAffinity,omitempty" protobuf:"bytes,7,opt,name=sessionAffinity,casttype=ServiceAffinity"`
+
+	// Only applies to Service Type: LoadBalancer
+	// LoadBalancer will get created with the IP specified in this field.
+	// This feature depends on whether the underlying cloud-provider supports specifying
+	// the loadBalancerIP when a load balancer is created.
+	// This field will be ignored if the cloud-provider does not support the feature.
+	// +optional
+	LoadBalancerIP string `json:"loadBalancerIP,omitempty" protobuf:"bytes,8,opt,name=loadBalancerIP"`
+
+	// If specified and supported by the platform, this will restrict traffic through the cloud-provider
+	// load-balancer will be restricted to the specified client IPs. This field will be ignored if the
+	// cloud-provider does not support the feature."
+	// More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
+	// +optional
+	LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty" protobuf:"bytes,9,opt,name=loadBalancerSourceRanges"`
+
+	// externalName is the external reference that kubedns or equivalent will
+	// return as a CNAME record for this service. No proxying will be involved.
+	// Must be a valid DNS name and requires Type to be ExternalName.
+	// +optional
+	ExternalName string `json:"externalName,omitempty" protobuf:"bytes,10,opt,name=externalName"`
+
+	// externalTrafficPolicy denotes if this Service desires to route external
+	// traffic to node-local or cluster-wide endpoints. "Local" preserves the
+	// client source IP and avoids a second hop for LoadBalancer and Nodeport
+	// type services, but risks potentially imbalanced traffic spreading.
+	// "Cluster" obscures the client source IP and may cause a second hop to
+	// another node, but should have good overall load-spreading.
+	// +optional
+	ExternalTrafficPolicy ServiceExternalTrafficPolicyType `json:"externalTrafficPolicy,omitempty" protobuf:"bytes,11,opt,name=externalTrafficPolicy"`
+
+	// healthCheckNodePort specifies the healthcheck nodePort for the service.
+	// If not specified, HealthCheckNodePort is created by the service api
+	// backend with the allocated nodePort. Will use user-specified nodePort value
+	// if specified by the client. Only effects when Type is set to LoadBalancer
+	// and ExternalTrafficPolicy is set to Local.
+	// +optional
+	HealthCheckNodePort int32 `json:"healthCheckNodePort,omitempty" protobuf:"bytes,12,opt,name=healthCheckNodePort"`
+
+	// publishNotReadyAddresses, when set to true, indicates that DNS implementations
+	// must publish the notReadyAddresses of subsets for the Endpoints associated with
+	// the Service. The default value is false.
+	// The primary use case for setting this field is to use a StatefulSet's Headless Service
+	// to propagate SRV records for its Pods without respect to their readiness for purpose
+	// of peer discovery.
+	// This field will replace the service.alpha.kubernetes.io/tolerate-unready-endpoints
+	// when that annotation is deprecated and all clients have been converted to use this
+	// field.
+	// +optional
+	PublishNotReadyAddresses bool `json:"publishNotReadyAddresses,omitempty" protobuf:"varint,13,opt,name=publishNotReadyAddresses"`
+	// sessionAffinityConfig contains the configurations of session affinity.
+	// +optional
+	SessionAffinityConfig *SessionAffinityConfig `json:"sessionAffinityConfig,omitempty" protobuf:"bytes,14,opt,name=sessionAffinityConfig"`
+}
+
+// ServicePort contains information on service's port.
+type ServicePort struct {
+	// The name of this port within the service. This must be a DNS_LABEL.
+	// All ports within a ServiceSpec must have unique names. This maps to
+	// the 'Name' field in EndpointPort objects.
+	// Optional if only one ServicePort is defined on this service.
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
+
+	// The IP protocol for this port. Supports "TCP" and "UDP".
+	// Default is TCP.
+	// +optional
+	Protocol Protocol `json:"protocol,omitempty" protobuf:"bytes,2,opt,name=protocol,casttype=Protocol"`
+
+	// The port that will be exposed by this service.
+	Port int32 `json:"port" protobuf:"varint,3,opt,name=port"`
+
+	// Number or name of the port to access on the pods targeted by the service.
+	// Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.
+	// If this is a string, it will be looked up as a named port in the
+	// target Pod's container ports. If this is not specified, the value
+	// of the 'port' field is used (an identity map).
+	// This field is ignored for services with clusterIP=None, and should be
+	// omitted or set equal to the 'port' field.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
+	// +optional
+	TargetPort intstr.IntOrString `json:"targetPort,omitempty" protobuf:"bytes,4,opt,name=targetPort"`
+
+	// The port on each node on which this service is exposed when type=NodePort or LoadBalancer.
+	// Usually assigned by the system. If specified, it will be allocated to the service
+	// if unused or else creation of the service will fail.
+	// Default is to auto-allocate a port if the ServiceType of this Service requires one.
+	// More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+	// +optional
+	NodePort int32 `json:"nodePort,omitempty" protobuf:"varint,5,opt,name=nodePort"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Service is a named abstraction of software service (for example, mysql) consisting of local port
+// (for example 3306) that the proxy listens on, and the selector that determines which pods
+// will answer requests sent through the proxy.
+type Service struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the behavior of a service.
+	// https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec ServiceSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Most recently observed status of the service.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status ServiceStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+const (
+	// ClusterIPNone - do not assign a cluster IP
+	// no proxying required and no environment variables should be created for pods
+	ClusterIPNone = "None"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ServiceList holds a list of services.
+type ServiceList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of services
+	Items []Service `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ServiceAccount binds together:
+// * a name, understood by users, and perhaps by peripheral systems, for an identity
+// * a principal that can be authenticated and authorized
+// * a set of secrets
+type ServiceAccount struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Secrets is the list of secrets allowed to be used by pods running using this ServiceAccount.
+	// More info: https://kubernetes.io/docs/concepts/configuration/secret
+	// +optional
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	Secrets []ObjectReference `json:"secrets,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,2,rep,name=secrets"`
+
+	// ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images
+	// in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets
+	// can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet.
+	// More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
+	// +optional
+	ImagePullSecrets []LocalObjectReference `json:"imagePullSecrets,omitempty" protobuf:"bytes,3,rep,name=imagePullSecrets"`
+
+	// AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted.
+	// Can be overridden at the pod level.
+	// +optional
+	AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty" protobuf:"varint,4,opt,name=automountServiceAccountToken"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ServiceAccountList is a list of ServiceAccount objects
+type ServiceAccountList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of ServiceAccounts.
+	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+	Items []ServiceAccount `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Endpoints is a collection of endpoints that implement the actual service. Example:
+//   Name: "mysvc",
+//   Subsets: [
+//     {
+//       Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
+//       Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
+//     },
+//     {
+//       Addresses: [{"ip": "10.10.3.3"}],
+//       Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}]
+//     },
+//  ]
+type Endpoints struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// The set of all endpoints is the union of all subsets. Addresses are placed into
+	// subsets according to the IPs they share. A single address with multiple ports,
+	// some of which are ready and some of which are not (because they come from
+	// different containers) will result in the address being displayed in different
+	// subsets for the different ports. No address will appear in both Addresses and
+	// NotReadyAddresses in the same subset.
+	// Sets of addresses and ports that comprise a service.
+	Subsets []EndpointSubset `json:"subsets" protobuf:"bytes,2,rep,name=subsets"`
+}
+
+// EndpointSubset is a group of addresses with a common set of ports. The
+// expanded set of endpoints is the Cartesian product of Addresses x Ports.
+// For example, given:
+//   {
+//     Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
+//     Ports:     [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
+//   }
+// The resulting set of endpoints can be viewed as:
+//     a: [ 10.10.1.1:8675, 10.10.2.2:8675 ],
+//     b: [ 10.10.1.1:309, 10.10.2.2:309 ]
+type EndpointSubset struct {
+	// IP addresses which offer the related ports that are marked as ready. These endpoints
+	// should be considered safe for load balancers and clients to utilize.
+	// +optional
+	Addresses []EndpointAddress `json:"addresses,omitempty" protobuf:"bytes,1,rep,name=addresses"`
+	// IP addresses which offer the related ports but are not currently marked as ready
+	// because they have not yet finished starting, have recently failed a readiness check,
+	// or have recently failed a liveness check.
+	// +optional
+	NotReadyAddresses []EndpointAddress `json:"notReadyAddresses,omitempty" protobuf:"bytes,2,rep,name=notReadyAddresses"`
+	// Port numbers available on the related IP addresses.
+	// +optional
+	Ports []EndpointPort `json:"ports,omitempty" protobuf:"bytes,3,rep,name=ports"`
+}
+
+// EndpointAddress is a tuple that describes single IP address.
+type EndpointAddress struct {
+	// The IP of this endpoint.
+	// May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16),
+	// or link-local multicast ((224.0.0.0/24).
+	// IPv6 is also accepted but not fully supported on all platforms. Also, certain
+	// kubernetes components, like kube-proxy, are not IPv6 ready.
+	// TODO: This should allow hostname or IP, See #4447.
+	IP string `json:"ip" protobuf:"bytes,1,opt,name=ip"`
+	// The Hostname of this endpoint
+	// +optional
+	Hostname string `json:"hostname,omitempty" protobuf:"bytes,3,opt,name=hostname"`
+	// Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node.
+	// +optional
+	NodeName *string `json:"nodeName,omitempty" protobuf:"bytes,4,opt,name=nodeName"`
+	// Reference to object providing the endpoint.
+	// +optional
+	TargetRef *ObjectReference `json:"targetRef,omitempty" protobuf:"bytes,2,opt,name=targetRef"`
+}
+
+// EndpointPort is a tuple that describes a single port.
+type EndpointPort struct {
+	// The name of this port (corresponds to ServicePort.Name).
+	// Must be a DNS_LABEL.
+	// Optional only if one port is defined.
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
+
+	// The port number of the endpoint.
+	Port int32 `json:"port" protobuf:"varint,2,opt,name=port"`
+
+	// The IP protocol for this port.
+	// Must be UDP or TCP.
+	// Default is TCP.
+	// +optional
+	Protocol Protocol `json:"protocol,omitempty" protobuf:"bytes,3,opt,name=protocol,casttype=Protocol"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// EndpointsList is a list of endpoints.
+type EndpointsList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of endpoints.
+	Items []Endpoints `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// NodeSpec describes the attributes that a node is created with.
+type NodeSpec struct {
+	// PodCIDR represents the pod IP range assigned to the node.
+	// +optional
+	PodCIDR string `json:"podCIDR,omitempty" protobuf:"bytes,1,opt,name=podCIDR"`
+	// External ID of the node assigned by some machine database (e.g. a cloud provider).
+	// Deprecated.
+	// +optional
+	ExternalID string `json:"externalID,omitempty" protobuf:"bytes,2,opt,name=externalID"`
+	// ID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>
+	// +optional
+	ProviderID string `json:"providerID,omitempty" protobuf:"bytes,3,opt,name=providerID"`
+	// Unschedulable controls node schedulability of new pods. By default, node is schedulable.
+	// More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration
+	// +optional
+	Unschedulable bool `json:"unschedulable,omitempty" protobuf:"varint,4,opt,name=unschedulable"`
+	// If specified, the node's taints.
+	// +optional
+	Taints []Taint `json:"taints,omitempty" protobuf:"bytes,5,opt,name=taints"`
+	// If specified, the source to get node configuration from
+	// The DynamicKubeletConfig feature gate must be enabled for the Kubelet to use this field
+	// +optional
+	ConfigSource *NodeConfigSource `json:"configSource,omitempty" protobuf:"bytes,6,opt,name=configSource"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil.
+type NodeConfigSource struct {
+	metav1.TypeMeta `json:",inline"`
+	ConfigMapRef    *ObjectReference `json:"configMapRef,omitempty" protobuf:"bytes,1,opt,name=configMapRef"`
+}
+
+// DaemonEndpoint contains information about a single Daemon endpoint.
+type DaemonEndpoint struct {
+	/*
+		The port tag was not properly in quotes in earlier releases, so it must be
+		uppercased for backwards compat (since it was falling back to var name of
+		'Port').
+	*/
+
+	// Port number of the given endpoint.
+	Port int32 `json:"Port" protobuf:"varint,1,opt,name=Port"`
+}
+
+// NodeDaemonEndpoints lists ports opened by daemons running on the Node.
+type NodeDaemonEndpoints struct {
+	// Endpoint on which Kubelet is listening.
+	// +optional
+	KubeletEndpoint DaemonEndpoint `json:"kubeletEndpoint,omitempty" protobuf:"bytes,1,opt,name=kubeletEndpoint"`
+}
+
+// NodeSystemInfo is a set of ids/uuids to uniquely identify the node.
+type NodeSystemInfo struct {
+	// MachineID reported by the node. For unique machine identification
+	// in the cluster this field is preferred. Learn more from man(5)
+	// machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html
+	MachineID string `json:"machineID" protobuf:"bytes,1,opt,name=machineID"`
+	// SystemUUID reported by the node. For unique machine identification
+	// MachineID is preferred. This field is specific to Red Hat hosts
+	// https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/getting-system-uuid.html
+	SystemUUID string `json:"systemUUID" protobuf:"bytes,2,opt,name=systemUUID"`
+	// Boot ID reported by the node.
+	BootID string `json:"bootID" protobuf:"bytes,3,opt,name=bootID"`
+	// Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).
+	KernelVersion string `json:"kernelVersion" protobuf:"bytes,4,opt,name=kernelVersion"`
+	// OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)).
+	OSImage string `json:"osImage" protobuf:"bytes,5,opt,name=osImage"`
+	// ContainerRuntime Version reported by the node through runtime remote API (e.g. docker://1.5.0).
+	ContainerRuntimeVersion string `json:"containerRuntimeVersion" protobuf:"bytes,6,opt,name=containerRuntimeVersion"`
+	// Kubelet Version reported by the node.
+	KubeletVersion string `json:"kubeletVersion" protobuf:"bytes,7,opt,name=kubeletVersion"`
+	// KubeProxy Version reported by the node.
+	KubeProxyVersion string `json:"kubeProxyVersion" protobuf:"bytes,8,opt,name=kubeProxyVersion"`
+	// The Operating System reported by the node
+	OperatingSystem string `json:"operatingSystem" protobuf:"bytes,9,opt,name=operatingSystem"`
+	// The Architecture reported by the node
+	Architecture string `json:"architecture" protobuf:"bytes,10,opt,name=architecture"`
+}
+
+// NodeStatus is information about the current status of a node.
+type NodeStatus struct {
+	// Capacity represents the total resources of a node.
+	// More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity
+	// +optional
+	Capacity ResourceList `json:"capacity,omitempty" protobuf:"bytes,1,rep,name=capacity,casttype=ResourceList,castkey=ResourceName"`
+	// Allocatable represents the resources of a node that are available for scheduling.
+	// Defaults to Capacity.
+	// +optional
+	Allocatable ResourceList `json:"allocatable,omitempty" protobuf:"bytes,2,rep,name=allocatable,casttype=ResourceList,castkey=ResourceName"`
+	// NodePhase is the recently observed lifecycle phase of the node.
+	// More info: https://kubernetes.io/docs/concepts/nodes/node/#phase
+	// The field is never populated, and now is deprecated.
+	// +optional
+	Phase NodePhase `json:"phase,omitempty" protobuf:"bytes,3,opt,name=phase,casttype=NodePhase"`
+	// Conditions is an array of current observed node conditions.
+	// More info: https://kubernetes.io/docs/concepts/nodes/node/#condition
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []NodeCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,4,rep,name=conditions"`
+	// List of addresses reachable to the node.
+	// Queried from cloud provider, if available.
+	// More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Addresses []NodeAddress `json:"addresses,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,5,rep,name=addresses"`
+	// Endpoints of daemons running on the Node.
+	// +optional
+	DaemonEndpoints NodeDaemonEndpoints `json:"daemonEndpoints,omitempty" protobuf:"bytes,6,opt,name=daemonEndpoints"`
+	// Set of ids/uuids to uniquely identify the node.
+	// More info: https://kubernetes.io/docs/concepts/nodes/node/#info
+	// +optional
+	NodeInfo NodeSystemInfo `json:"nodeInfo,omitempty" protobuf:"bytes,7,opt,name=nodeInfo"`
+	// List of container images on this node
+	// +optional
+	Images []ContainerImage `json:"images,omitempty" protobuf:"bytes,8,rep,name=images"`
+	// List of attachable volumes in use (mounted) by the node.
+	// +optional
+	VolumesInUse []UniqueVolumeName `json:"volumesInUse,omitempty" protobuf:"bytes,9,rep,name=volumesInUse"`
+	// List of volumes that are attached to the node.
+	// +optional
+	VolumesAttached []AttachedVolume `json:"volumesAttached,omitempty" protobuf:"bytes,10,rep,name=volumesAttached"`
+}
+
+type UniqueVolumeName string
+
+// AttachedVolume describes a volume attached to a node
+type AttachedVolume struct {
+	// Name of the attached volume
+	Name UniqueVolumeName `json:"name" protobuf:"bytes,1,rep,name=name"`
+
+	// DevicePath represents the device path where the volume should be available
+	DevicePath string `json:"devicePath" protobuf:"bytes,2,rep,name=devicePath"`
+}
+
+// AvoidPods describes pods that should avoid this node. This is the value for a
+// Node annotation with key scheduler.alpha.kubernetes.io/preferAvoidPods and
+// will eventually become a field of NodeStatus.
+type AvoidPods struct {
+	// Bounded-sized list of signatures of pods that should avoid this node, sorted
+	// in timestamp order from oldest to newest. Size of the slice is unspecified.
+	// +optional
+	PreferAvoidPods []PreferAvoidPodsEntry `json:"preferAvoidPods,omitempty" protobuf:"bytes,1,rep,name=preferAvoidPods"`
+}
+
+// Describes a class of pods that should avoid this node.
+type PreferAvoidPodsEntry struct {
+	// The class of pods.
+	PodSignature PodSignature `json:"podSignature" protobuf:"bytes,1,opt,name=podSignature"`
+	// Time at which this entry was added to the list.
+	// +optional
+	EvictionTime metav1.Time `json:"evictionTime,omitempty" protobuf:"bytes,2,opt,name=evictionTime"`
+	// (brief) reason why this entry was added to the list.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,3,opt,name=reason"`
+	// Human readable message indicating why this entry was added to the list.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,4,opt,name=message"`
+}
+
+// Describes the class of pods that should avoid this node.
+// Exactly one field should be set.
+type PodSignature struct {
+	// Reference to controller whose pods should avoid this node.
+	// +optional
+	PodController *metav1.OwnerReference `json:"podController,omitempty" protobuf:"bytes,1,opt,name=podController"`
+}
+
+// Describe a container image
+type ContainerImage struct {
+	// Names by which this image is known.
+	// e.g. ["gcr.io/google_containers/hyperkube:v1.0.7", "dockerhub.io/google_containers/hyperkube:v1.0.7"]
+	Names []string `json:"names" protobuf:"bytes,1,rep,name=names"`
+	// The size of the image in bytes.
+	// +optional
+	SizeBytes int64 `json:"sizeBytes,omitempty" protobuf:"varint,2,opt,name=sizeBytes"`
+}
+
+type NodePhase string
+
+// These are the valid phases of node.
+const (
+	// NodePending means the node has been created/added by the system, but not configured.
+	NodePending NodePhase = "Pending"
+	// NodeRunning means the node has been configured and has Kubernetes components running.
+	NodeRunning NodePhase = "Running"
+	// NodeTerminated means the node has been removed from the cluster.
+	NodeTerminated NodePhase = "Terminated"
+)
+
+type NodeConditionType string
+
+// These are valid conditions of node. Currently, we don't have enough information to decide
+// node condition. In the future, we will add more. The proposed set of conditions are:
+// NodeReachable, NodeLive, NodeReady, NodeSchedulable, NodeRunnable.
+const (
+	// NodeReady means kubelet is healthy and ready to accept pods.
+	NodeReady NodeConditionType = "Ready"
+	// NodeOutOfDisk means the kubelet will not accept new pods due to insufficient free disk
+	// space on the node.
+	NodeOutOfDisk NodeConditionType = "OutOfDisk"
+	// NodeMemoryPressure means the kubelet is under pressure due to insufficient available memory.
+	NodeMemoryPressure NodeConditionType = "MemoryPressure"
+	// NodeDiskPressure means the kubelet is under pressure due to insufficient available disk.
+	NodeDiskPressure NodeConditionType = "DiskPressure"
+	// NodeNetworkUnavailable means that network for the node is not correctly configured.
+	NodeNetworkUnavailable NodeConditionType = "NetworkUnavailable"
+	// NodeConfigOK indicates whether the kubelet is correctly configured
+	NodeConfigOK NodeConditionType = "ConfigOK"
+)
+
+// NodeCondition contains condition information for a node.
+type NodeCondition struct {
+	// Type of node condition.
+	Type NodeConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=NodeConditionType"`
+	// Status of the condition, one of True, False, Unknown.
+	Status ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=ConditionStatus"`
+	// Last time we got an update on a given condition.
+	// +optional
+	LastHeartbeatTime metav1.Time `json:"lastHeartbeatTime,omitempty" protobuf:"bytes,3,opt,name=lastHeartbeatTime"`
+	// Last time the condition transit from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,4,opt,name=lastTransitionTime"`
+	// (brief) reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,5,opt,name=reason"`
+	// Human readable message indicating details about last transition.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,6,opt,name=message"`
+}
+
+type NodeAddressType string
+
+// These are valid address type of node.
+const (
+	NodeHostName    NodeAddressType = "Hostname"
+	NodeExternalIP  NodeAddressType = "ExternalIP"
+	NodeInternalIP  NodeAddressType = "InternalIP"
+	NodeExternalDNS NodeAddressType = "ExternalDNS"
+	NodeInternalDNS NodeAddressType = "InternalDNS"
+)
+
+// NodeAddress contains information for the node's address.
+type NodeAddress struct {
+	// Node address type, one of Hostname, ExternalIP or InternalIP.
+	Type NodeAddressType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=NodeAddressType"`
+	// The node address.
+	Address string `json:"address" protobuf:"bytes,2,opt,name=address"`
+}
+
+// ResourceName is the name identifying various resources in a ResourceList.
+type ResourceName string
+
+// Resource names must be not more than 63 characters, consisting of upper- or lower-case alphanumeric characters,
+// with the -, _, and . characters allowed anywhere, except the first or last character.
+// The default convention, matching that for annotations, is to use lower-case names, with dashes, rather than
+// camel case, separating compound words.
+// Fully-qualified resource typenames are constructed from a DNS-style subdomain, followed by a slash `/` and a name.
+const (
+	// CPU, in cores. (500m = .5 cores)
+	ResourceCPU ResourceName = "cpu"
+	// Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
+	ResourceMemory ResourceName = "memory"
+	// Volume size, in bytes (e,g. 5Gi = 5GiB = 5 * 1024 * 1024 * 1024)
+	ResourceStorage ResourceName = "storage"
+	// Local ephemeral storage, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
+	// The resource name for ResourceEphemeralStorage is alpha and it can change across releases.
+	ResourceEphemeralStorage ResourceName = "ephemeral-storage"
+	// NVIDIA GPU, in devices. Alpha, might change: although fractional and allowing values >1, only one whole device per node is assigned.
+	ResourceNvidiaGPU ResourceName = "alpha.kubernetes.io/nvidia-gpu"
+)
+
+const (
+	// Namespace prefix for opaque counted resources (alpha).
+	ResourceOpaqueIntPrefix = "pod.alpha.kubernetes.io/opaque-int-resource-"
+	// Default namespace prefix.
+	ResourceDefaultNamespacePrefix = "kubernetes.io/"
+	// Name prefix for huge page resources (alpha).
+	ResourceHugePagesPrefix = "hugepages-"
+)
+
+// ResourceList is a set of (resource name, quantity) pairs.
+type ResourceList map[ResourceName]resource.Quantity
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Node is a worker node in Kubernetes.
+// Each node will have a unique identifier in the cache (i.e. in etcd).
+type Node struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the behavior of a node.
+	// https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec NodeSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Most recently observed status of the node.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status NodeStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NodeList is the whole list of all Nodes which have been registered with master.
+type NodeList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of nodes
+	Items []Node `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// FinalizerName is the name identifying a finalizer during namespace lifecycle.
+type FinalizerName string
+
+// These are internal finalizer values to Kubernetes, must be qualified name unless defined here or
+// in metav1.
+const (
+	FinalizerKubernetes FinalizerName = "kubernetes"
+)
+
+// NamespaceSpec describes the attributes on a Namespace.
+type NamespaceSpec struct {
+	// Finalizers is an opaque list of values that must be empty to permanently remove object from storage.
+	// More info: https://git.k8s.io/community/contributors/design-proposals/namespaces.md#finalizers
+	// +optional
+	Finalizers []FinalizerName `json:"finalizers,omitempty" protobuf:"bytes,1,rep,name=finalizers,casttype=FinalizerName"`
+}
+
+// NamespaceStatus is information about the current status of a Namespace.
+type NamespaceStatus struct {
+	// Phase is the current lifecycle phase of the namespace.
+	// More info: https://git.k8s.io/community/contributors/design-proposals/namespaces.md#phases
+	// +optional
+	Phase NamespacePhase `json:"phase,omitempty" protobuf:"bytes,1,opt,name=phase,casttype=NamespacePhase"`
+}
+
+type NamespacePhase string
+
+// These are the valid phases of a namespace.
+const (
+	// NamespaceActive means the namespace is available for use in the system
+	NamespaceActive NamespacePhase = "Active"
+	// NamespaceTerminating means the namespace is undergoing graceful termination
+	NamespaceTerminating NamespacePhase = "Terminating"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Namespace provides a scope for Names.
+// Use of multiple namespaces is optional.
+type Namespace struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the behavior of the Namespace.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec NamespaceSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status describes the current status of a Namespace.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status NamespaceStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NamespaceList is a list of Namespaces.
+type NamespaceList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of Namespace objects in the list.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+	Items []Namespace `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Binding ties one object to another; for example, a pod is bound to a node by a scheduler.
+// Deprecated in 1.7, please use the bindings subresource of pods instead.
+type Binding struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// The target object that you want to bind to the standard object.
+	Target ObjectReference `json:"target" protobuf:"bytes,2,opt,name=target"`
+}
+
+// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.
+// +k8s:openapi-gen=false
+type Preconditions struct {
+	// Specifies the target UID.
+	// +optional
+	UID *types.UID `json:"uid,omitempty" protobuf:"bytes,1,opt,name=uid,casttype=k8s.io/apimachinery/pkg/types.UID"`
+}
+
+// DeletionPropagation decides if a deletion will propagate to the dependents of the object, and how the garbage collector will handle the propagation.
+type DeletionPropagation string
+
+const (
+	// Orphans the dependents.
+	DeletePropagationOrphan DeletionPropagation = "Orphan"
+	// Deletes the object from the key-value store, the garbage collector will delete the dependents in the background.
+	DeletePropagationBackground DeletionPropagation = "Background"
+	// The object exists in the key-value store until the garbage collector deletes all the dependents whose ownerReference.blockOwnerDeletion=true from the key-value store.
+	// API sever will put the "DeletingDependents" finalizer on the object, and sets its deletionTimestamp.
+	// This policy is cascading, i.e., the dependents will be deleted with Foreground.
+	DeletePropagationForeground DeletionPropagation = "Foreground"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DeleteOptions may be provided when deleting an API object
+// DEPRECATED: This type has been moved to meta/v1 and will be removed soon.
+// +k8s:openapi-gen=false
+type DeleteOptions struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// The duration in seconds before the object should be deleted. Value must be non-negative integer.
+	// The value zero indicates delete immediately. If this value is nil, the default grace period for the
+	// specified type will be used.
+	// Defaults to a per object value if not specified. zero means delete immediately.
+	// +optional
+	GracePeriodSeconds *int64 `json:"gracePeriodSeconds,omitempty" protobuf:"varint,1,opt,name=gracePeriodSeconds"`
+
+	// Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be
+	// returned.
+	// +optional
+	Preconditions *Preconditions `json:"preconditions,omitempty" protobuf:"bytes,2,opt,name=preconditions"`
+
+	// Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7.
+	// Should the dependent objects be orphaned. If true/false, the "orphan"
+	// finalizer will be added to/removed from the object's finalizers list.
+	// Either this field or PropagationPolicy may be set, but not both.
+	// +optional
+	OrphanDependents *bool `json:"orphanDependents,omitempty" protobuf:"varint,3,opt,name=orphanDependents"`
+
+	// Whether and how garbage collection will be performed.
+	// Either this field or OrphanDependents may be set, but not both.
+	// The default policy is decided by the existing finalizer set in the
+	// metadata.finalizers and the resource-specific default policy.
+	// +optional
+	PropagationPolicy *DeletionPropagation `protobuf:"bytes,4,opt,name=propagationPolicy,casttype=DeletionPropagation"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ListOptions is the query options to a standard REST list call.
+// DEPRECATED: This type has been moved to meta/v1 and will be removed soon.
+// +k8s:openapi-gen=false
+type ListOptions struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// A selector to restrict the list of returned objects by their labels.
+	// Defaults to everything.
+	// +optional
+	LabelSelector string `json:"labelSelector,omitempty" protobuf:"bytes,1,opt,name=labelSelector"`
+	// A selector to restrict the list of returned objects by their fields.
+	// Defaults to everything.
+	// +optional
+	FieldSelector string `json:"fieldSelector,omitempty" protobuf:"bytes,2,opt,name=fieldSelector"`
+	// If true, partially initialized resources are included in the response.
+	// +optional
+	IncludeUninitialized bool `json:"includeUninitialized,omitempty" protobuf:"varint,6,opt,name=includeUninitialized"`
+	// Watch for changes to the described resources and return them as a stream of
+	// add, update, and remove notifications. Specify resourceVersion.
+	// +optional
+	Watch bool `json:"watch,omitempty" protobuf:"varint,3,opt,name=watch"`
+	// When specified with a watch call, shows changes that occur after that particular version of a resource.
+	// Defaults to changes from the beginning of history.
+	// When specified for list:
+	// - if unset, then the result is returned from remote storage based on quorum-read flag;
+	// - if it's 0, then we simply return what we currently have in cache, no guarantee;
+	// - if set to non zero, then the result is at least as fresh as given rv.
+	// +optional
+	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,4,opt,name=resourceVersion"`
+	// Timeout for the list/watch call.
+	// +optional
+	TimeoutSeconds *int64 `json:"timeoutSeconds,omitempty" protobuf:"varint,5,opt,name=timeoutSeconds"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodLogOptions is the query options for a Pod's logs REST call.
+type PodLogOptions struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// The container for which to stream logs. Defaults to only container if there is one container in the pod.
+	// +optional
+	Container string `json:"container,omitempty" protobuf:"bytes,1,opt,name=container"`
+	// Follow the log stream of the pod. Defaults to false.
+	// +optional
+	Follow bool `json:"follow,omitempty" protobuf:"varint,2,opt,name=follow"`
+	// Return previous terminated container logs. Defaults to false.
+	// +optional
+	Previous bool `json:"previous,omitempty" protobuf:"varint,3,opt,name=previous"`
+	// A relative time in seconds before the current time from which to show logs. If this value
+	// precedes the time a pod was started, only logs since the pod start will be returned.
+	// If this value is in the future, no logs will be returned.
+	// Only one of sinceSeconds or sinceTime may be specified.
+	// +optional
+	SinceSeconds *int64 `json:"sinceSeconds,omitempty" protobuf:"varint,4,opt,name=sinceSeconds"`
+	// An RFC3339 timestamp from which to show logs. If this value
+	// precedes the time a pod was started, only logs since the pod start will be returned.
+	// If this value is in the future, no logs will be returned.
+	// Only one of sinceSeconds or sinceTime may be specified.
+	// +optional
+	SinceTime *metav1.Time `json:"sinceTime,omitempty" protobuf:"bytes,5,opt,name=sinceTime"`
+	// If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line
+	// of log output. Defaults to false.
+	// +optional
+	Timestamps bool `json:"timestamps,omitempty" protobuf:"varint,6,opt,name=timestamps"`
+	// If set, the number of lines from the end of the logs to show. If not specified,
+	// logs are shown from the creation of the container or sinceSeconds or sinceTime
+	// +optional
+	TailLines *int64 `json:"tailLines,omitempty" protobuf:"varint,7,opt,name=tailLines"`
+	// If set, the number of bytes to read from the server before terminating the
+	// log output. This may not display a complete final line of logging, and may return
+	// slightly more or slightly less than the specified limit.
+	// +optional
+	LimitBytes *int64 `json:"limitBytes,omitempty" protobuf:"varint,8,opt,name=limitBytes"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodAttachOptions is the query options to a Pod's remote attach call.
+// ---
+// TODO: merge w/ PodExecOptions below for stdin, stdout, etc
+// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY
+type PodAttachOptions struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Stdin if true, redirects the standard input stream of the pod for this call.
+	// Defaults to false.
+	// +optional
+	Stdin bool `json:"stdin,omitempty" protobuf:"varint,1,opt,name=stdin"`
+
+	// Stdout if true indicates that stdout is to be redirected for the attach call.
+	// Defaults to true.
+	// +optional
+	Stdout bool `json:"stdout,omitempty" protobuf:"varint,2,opt,name=stdout"`
+
+	// Stderr if true indicates that stderr is to be redirected for the attach call.
+	// Defaults to true.
+	// +optional
+	Stderr bool `json:"stderr,omitempty" protobuf:"varint,3,opt,name=stderr"`
+
+	// TTY if true indicates that a tty will be allocated for the attach call.
+	// This is passed through the container runtime so the tty
+	// is allocated on the worker node by the container runtime.
+	// Defaults to false.
+	// +optional
+	TTY bool `json:"tty,omitempty" protobuf:"varint,4,opt,name=tty"`
+
+	// The container in which to execute the command.
+	// Defaults to only container if there is only one container in the pod.
+	// +optional
+	Container string `json:"container,omitempty" protobuf:"bytes,5,opt,name=container"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodExecOptions is the query options to a Pod's remote exec call.
+// ---
+// TODO: This is largely identical to PodAttachOptions above, make sure they stay in sync and see about merging
+// and also when we cut V2, we should export a "StreamOptions" or somesuch that contains Stdin, Stdout, Stder and TTY
+type PodExecOptions struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Redirect the standard input stream of the pod for this call.
+	// Defaults to false.
+	// +optional
+	Stdin bool `json:"stdin,omitempty" protobuf:"varint,1,opt,name=stdin"`
+
+	// Redirect the standard output stream of the pod for this call.
+	// Defaults to true.
+	// +optional
+	Stdout bool `json:"stdout,omitempty" protobuf:"varint,2,opt,name=stdout"`
+
+	// Redirect the standard error stream of the pod for this call.
+	// Defaults to true.
+	// +optional
+	Stderr bool `json:"stderr,omitempty" protobuf:"varint,3,opt,name=stderr"`
+
+	// TTY if true indicates that a tty will be allocated for the exec call.
+	// Defaults to false.
+	// +optional
+	TTY bool `json:"tty,omitempty" protobuf:"varint,4,opt,name=tty"`
+
+	// Container in which to execute the command.
+	// Defaults to only container if there is only one container in the pod.
+	// +optional
+	Container string `json:"container,omitempty" protobuf:"bytes,5,opt,name=container"`
+
+	// Command is the remote command to execute. argv array. Not executed within a shell.
+	Command []string `json:"command" protobuf:"bytes,6,rep,name=command"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodPortForwardOptions is the query options to a Pod's port forward call
+// when using WebSockets.
+// The `port` query parameter must specify the port or
+// ports (comma separated) to forward over.
+// Port forwarding over SPDY does not use these options. It requires the port
+// to be passed in the `port` header as part of request.
+type PodPortForwardOptions struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// List of ports to forward
+	// Required when using WebSockets
+	// +optional
+	Ports []int32 `json:"ports,omitempty" protobuf:"varint,1,rep,name=ports"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodProxyOptions is the query options to a Pod's proxy call.
+type PodProxyOptions struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Path is the URL path to use for the current proxy request to pod.
+	// +optional
+	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NodeProxyOptions is the query options to a Node's proxy call.
+type NodeProxyOptions struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Path is the URL path to use for the current proxy request to node.
+	// +optional
+	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ServiceProxyOptions is the query options to a Service's proxy call.
+type ServiceProxyOptions struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Path is the part of URLs that include service endpoints, suffixes,
+	// and parameters to use for the current proxy request to service.
+	// For example, the whole request URL is
+	// http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy.
+	// Path is _search?q=user:kimchy.
+	// +optional
+	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
+}
+
+// ObjectReference contains enough information to let you inspect or modify the referred object.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type ObjectReference struct {
+	// Kind of the referent.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	Kind string `json:"kind,omitempty" protobuf:"bytes,1,opt,name=kind"`
+	// Namespace of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,opt,name=namespace"`
+	// Name of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"`
+	// UID of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+	// +optional
+	UID types.UID `json:"uid,omitempty" protobuf:"bytes,4,opt,name=uid,casttype=k8s.io/apimachinery/pkg/types.UID"`
+	// API version of the referent.
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,5,opt,name=apiVersion"`
+	// Specific resourceVersion to which this reference is made, if any.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency
+	// +optional
+	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,6,opt,name=resourceVersion"`
+
+	// If referring to a piece of an object instead of an entire object, this string
+	// should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+	// For example, if the object reference is to a container within a pod, this would take on a value like:
+	// "spec.containers{name}" (where "name" refers to the name of the container that triggered
+	// the event) or if no container name is specified "spec.containers[2]" (container with
+	// index 2 in this pod). This syntax is chosen only to have some well-defined way of
+	// referencing a part of an object.
+	// TODO: this design is not final and this field is subject to change in the future.
+	// +optional
+	FieldPath string `json:"fieldPath,omitempty" protobuf:"bytes,7,opt,name=fieldPath"`
+}
+
+// LocalObjectReference contains enough information to let you locate the
+// referenced object inside the same namespace.
+type LocalObjectReference struct {
+	// Name of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	// TODO: Add other useful fields. apiVersion, kind, uid?
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SerializedReference is a reference to serialized object.
+type SerializedReference struct {
+	metav1.TypeMeta `json:",inline"`
+	// The reference to an object in the system.
+	// +optional
+	Reference ObjectReference `json:"reference,omitempty" protobuf:"bytes,1,opt,name=reference"`
+}
+
+// EventSource contains information for an event.
+type EventSource struct {
+	// Component from which the event is generated.
+	// +optional
+	Component string `json:"component,omitempty" protobuf:"bytes,1,opt,name=component"`
+	// Node name on which the event is generated.
+	// +optional
+	Host string `json:"host,omitempty" protobuf:"bytes,2,opt,name=host"`
+}
+
+// Valid values for event types (new types could be added in future)
+const (
+	// Information only and will not cause any problems
+	EventTypeNormal string = "Normal"
+	// These events are to warn that something might go wrong
+	EventTypeWarning string = "Warning"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Event is a report of an event somewhere in the cluster.
+// TODO: Decide whether to store these separately or with the object they apply to.
+type Event struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata" protobuf:"bytes,1,opt,name=metadata"`
+
+	// The object that this event is about.
+	InvolvedObject ObjectReference `json:"involvedObject" protobuf:"bytes,2,opt,name=involvedObject"`
+
+	// This should be a short, machine understandable string that gives the reason
+	// for the transition into the object's current status.
+	// TODO: provide exact specification for format.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,3,opt,name=reason"`
+
+	// A human-readable description of the status of this operation.
+	// TODO: decide on maximum length.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,4,opt,name=message"`
+
+	// The component reporting this event. Should be a short machine understandable string.
+	// +optional
+	Source EventSource `json:"source,omitempty" protobuf:"bytes,5,opt,name=source"`
+
+	// The time at which the event was first recorded. (Time of server receipt is in TypeMeta.)
+	// +optional
+	FirstTimestamp metav1.Time `json:"firstTimestamp,omitempty" protobuf:"bytes,6,opt,name=firstTimestamp"`
+
+	// The time at which the most recent occurrence of this event was recorded.
+	// +optional
+	LastTimestamp metav1.Time `json:"lastTimestamp,omitempty" protobuf:"bytes,7,opt,name=lastTimestamp"`
+
+	// The number of times this event has occurred.
+	// +optional
+	Count int32 `json:"count,omitempty" protobuf:"varint,8,opt,name=count"`
+
+	// Type of this event (Normal, Warning), new types could be added in the future
+	// +optional
+	Type string `json:"type,omitempty" protobuf:"bytes,9,opt,name=type"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// EventList is a list of events.
+type EventList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of events
+	Items []Event `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// List holds a list of objects, which may not be known by the server.
+type List metav1.List
+
+// LimitType is a type of object that is limited
+type LimitType string
+
+const (
+	// Limit that applies to all pods in a namespace
+	LimitTypePod LimitType = "Pod"
+	// Limit that applies to all containers in a namespace
+	LimitTypeContainer LimitType = "Container"
+	// Limit that applies to all persistent volume claims in a namespace
+	LimitTypePersistentVolumeClaim LimitType = "PersistentVolumeClaim"
+)
+
+// LimitRangeItem defines a min/max usage limit for any resource that matches on kind.
+type LimitRangeItem struct {
+	// Type of resource that this limit applies to.
+	// +optional
+	Type LimitType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=LimitType"`
+	// Max usage constraints on this kind by resource name.
+	// +optional
+	Max ResourceList `json:"max,omitempty" protobuf:"bytes,2,rep,name=max,casttype=ResourceList,castkey=ResourceName"`
+	// Min usage constraints on this kind by resource name.
+	// +optional
+	Min ResourceList `json:"min,omitempty" protobuf:"bytes,3,rep,name=min,casttype=ResourceList,castkey=ResourceName"`
+	// Default resource requirement limit value by resource name if resource limit is omitted.
+	// +optional
+	Default ResourceList `json:"default,omitempty" protobuf:"bytes,4,rep,name=default,casttype=ResourceList,castkey=ResourceName"`
+	// DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.
+	// +optional
+	DefaultRequest ResourceList `json:"defaultRequest,omitempty" protobuf:"bytes,5,rep,name=defaultRequest,casttype=ResourceList,castkey=ResourceName"`
+	// MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.
+	// +optional
+	MaxLimitRequestRatio ResourceList `json:"maxLimitRequestRatio,omitempty" protobuf:"bytes,6,rep,name=maxLimitRequestRatio,casttype=ResourceList,castkey=ResourceName"`
+}
+
+// LimitRangeSpec defines a min/max usage limit for resources that match on kind.
+type LimitRangeSpec struct {
+	// Limits is the list of LimitRangeItem objects that are enforced.
+	Limits []LimitRangeItem `json:"limits" protobuf:"bytes,1,rep,name=limits"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// LimitRange sets resource usage limits for each kind of resource in a Namespace.
+type LimitRange struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the limits enforced.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec LimitRangeSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// LimitRangeList is a list of LimitRange items.
+type LimitRangeList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of LimitRange objects.
+	// More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_limit_range.md
+	Items []LimitRange `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// The following identify resource constants for Kubernetes object types
+const (
+	// Pods, number
+	ResourcePods ResourceName = "pods"
+	// Services, number
+	ResourceServices ResourceName = "services"
+	// ReplicationControllers, number
+	ResourceReplicationControllers ResourceName = "replicationcontrollers"
+	// ResourceQuotas, number
+	ResourceQuotas ResourceName = "resourcequotas"
+	// ResourceSecrets, number
+	ResourceSecrets ResourceName = "secrets"
+	// ResourceConfigMaps, number
+	ResourceConfigMaps ResourceName = "configmaps"
+	// ResourcePersistentVolumeClaims, number
+	ResourcePersistentVolumeClaims ResourceName = "persistentvolumeclaims"
+	// ResourceServicesNodePorts, number
+	ResourceServicesNodePorts ResourceName = "services.nodeports"
+	// ResourceServicesLoadBalancers, number
+	ResourceServicesLoadBalancers ResourceName = "services.loadbalancers"
+	// CPU request, in cores. (500m = .5 cores)
+	ResourceRequestsCPU ResourceName = "requests.cpu"
+	// Memory request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
+	ResourceRequestsMemory ResourceName = "requests.memory"
+	// Storage request, in bytes
+	ResourceRequestsStorage ResourceName = "requests.storage"
+	// Local ephemeral storage request, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
+	ResourceRequestsEphemeralStorage ResourceName = "requests.ephemeral-storage"
+	// CPU limit, in cores. (500m = .5 cores)
+	ResourceLimitsCPU ResourceName = "limits.cpu"
+	// Memory limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
+	ResourceLimitsMemory ResourceName = "limits.memory"
+	// Local ephemeral storage limit, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
+	ResourceLimitsEphemeralStorage ResourceName = "limits.ephemeral-storage"
+)
+
+// A ResourceQuotaScope defines a filter that must match each object tracked by a quota
+type ResourceQuotaScope string
+
+const (
+	// Match all pod objects where spec.activeDeadlineSeconds
+	ResourceQuotaScopeTerminating ResourceQuotaScope = "Terminating"
+	// Match all pod objects where !spec.activeDeadlineSeconds
+	ResourceQuotaScopeNotTerminating ResourceQuotaScope = "NotTerminating"
+	// Match all pod objects that have best effort quality of service
+	ResourceQuotaScopeBestEffort ResourceQuotaScope = "BestEffort"
+	// Match all pod objects that do not have best effort quality of service
+	ResourceQuotaScopeNotBestEffort ResourceQuotaScope = "NotBestEffort"
+)
+
+// ResourceQuotaSpec defines the desired hard limits to enforce for Quota.
+type ResourceQuotaSpec struct {
+	// Hard is the set of desired hard limits for each named resource.
+	// More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_resource_quota.md
+	// +optional
+	Hard ResourceList `json:"hard,omitempty" protobuf:"bytes,1,rep,name=hard,casttype=ResourceList,castkey=ResourceName"`
+	// A collection of filters that must match each object tracked by a quota.
+	// If not specified, the quota matches all objects.
+	// +optional
+	Scopes []ResourceQuotaScope `json:"scopes,omitempty" protobuf:"bytes,2,rep,name=scopes,casttype=ResourceQuotaScope"`
+}
+
+// ResourceQuotaStatus defines the enforced hard limits and observed use.
+type ResourceQuotaStatus struct {
+	// Hard is the set of enforced hard limits for each named resource.
+	// More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_resource_quota.md
+	// +optional
+	Hard ResourceList `json:"hard,omitempty" protobuf:"bytes,1,rep,name=hard,casttype=ResourceList,castkey=ResourceName"`
+	// Used is the current observed total usage of the resource in the namespace.
+	// +optional
+	Used ResourceList `json:"used,omitempty" protobuf:"bytes,2,rep,name=used,casttype=ResourceList,castkey=ResourceName"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ResourceQuota sets aggregate quota restrictions enforced per namespace
+type ResourceQuota struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the desired quota.
+	// https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec ResourceQuotaSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status defines the actual enforced quota and its current usage.
+	// https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status ResourceQuotaStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ResourceQuotaList is a list of ResourceQuota items.
+type ResourceQuotaList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of ResourceQuota objects.
+	// More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_resource_quota.md
+	Items []ResourceQuota `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Secret holds secret data of a certain type. The total bytes of the values in
+// the Data field must be less than MaxSecretSize bytes.
+type Secret struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Data contains the secret data. Each key must consist of alphanumeric
+	// characters, '-', '_' or '.'. The serialized form of the secret data is a
+	// base64 encoded string, representing the arbitrary (possibly non-string)
+	// data value here. Described in https://tools.ietf.org/html/rfc4648#section-4
+	// +optional
+	Data map[string][]byte `json:"data,omitempty" protobuf:"bytes,2,rep,name=data"`
+
+	// stringData allows specifying non-binary secret data in string form.
+	// It is provided as a write-only convenience method.
+	// All keys and values are merged into the data field on write, overwriting any existing values.
+	// It is never output when reading from the API.
+	// +k8s:conversion-gen=false
+	// +optional
+	StringData map[string]string `json:"stringData,omitempty" protobuf:"bytes,4,rep,name=stringData"`
+
+	// Used to facilitate programmatic handling of secret data.
+	// +optional
+	Type SecretType `json:"type,omitempty" protobuf:"bytes,3,opt,name=type,casttype=SecretType"`
+}
+
+const MaxSecretSize = 1 * 1024 * 1024
+
+type SecretType string
+
+const (
+	// SecretTypeOpaque is the default. Arbitrary user-defined data
+	SecretTypeOpaque SecretType = "Opaque"
+
+	// SecretTypeServiceAccountToken contains a token that identifies a service account to the API
+	//
+	// Required fields:
+	// - Secret.Annotations["kubernetes.io/service-account.name"] - the name of the ServiceAccount the token identifies
+	// - Secret.Annotations["kubernetes.io/service-account.uid"] - the UID of the ServiceAccount the token identifies
+	// - Secret.Data["token"] - a token that identifies the service account to the API
+	SecretTypeServiceAccountToken SecretType = "kubernetes.io/service-account-token"
+
+	// ServiceAccountNameKey is the key of the required annotation for SecretTypeServiceAccountToken secrets
+	ServiceAccountNameKey = "kubernetes.io/service-account.name"
+	// ServiceAccountUIDKey is the key of the required annotation for SecretTypeServiceAccountToken secrets
+	ServiceAccountUIDKey = "kubernetes.io/service-account.uid"
+	// ServiceAccountTokenKey is the key of the required data for SecretTypeServiceAccountToken secrets
+	ServiceAccountTokenKey = "token"
+	// ServiceAccountKubeconfigKey is the key of the optional kubeconfig data for SecretTypeServiceAccountToken secrets
+	ServiceAccountKubeconfigKey = "kubernetes.kubeconfig"
+	// ServiceAccountRootCAKey is the key of the optional root certificate authority for SecretTypeServiceAccountToken secrets
+	ServiceAccountRootCAKey = "ca.crt"
+	// ServiceAccountNamespaceKey is the key of the optional namespace to use as the default for namespaced API calls
+	ServiceAccountNamespaceKey = "namespace"
+
+	// SecretTypeDockercfg contains a dockercfg file that follows the same format rules as ~/.dockercfg
+	//
+	// Required fields:
+	// - Secret.Data[".dockercfg"] - a serialized ~/.dockercfg file
+	SecretTypeDockercfg SecretType = "kubernetes.io/dockercfg"
+
+	// DockerConfigKey is the key of the required data for SecretTypeDockercfg secrets
+	DockerConfigKey = ".dockercfg"
+
+	// SecretTypeDockerConfigJson contains a dockercfg file that follows the same format rules as ~/.docker/config.json
+	//
+	// Required fields:
+	// - Secret.Data[".dockerconfigjson"] - a serialized ~/.docker/config.json file
+	SecretTypeDockerConfigJson SecretType = "kubernetes.io/dockerconfigjson"
+
+	// DockerConfigJsonKey is the key of the required data for SecretTypeDockerConfigJson secrets
+	DockerConfigJsonKey = ".dockerconfigjson"
+
+	// SecretTypeBasicAuth contains data needed for basic authentication.
+	//
+	// Required at least one of fields:
+	// - Secret.Data["username"] - username used for authentication
+	// - Secret.Data["password"] - password or token needed for authentication
+	SecretTypeBasicAuth SecretType = "kubernetes.io/basic-auth"
+
+	// BasicAuthUsernameKey is the key of the username for SecretTypeBasicAuth secrets
+	BasicAuthUsernameKey = "username"
+	// BasicAuthPasswordKey is the key of the password or token for SecretTypeBasicAuth secrets
+	BasicAuthPasswordKey = "password"
+
+	// SecretTypeSSHAuth contains data needed for SSH authetication.
+	//
+	// Required field:
+	// - Secret.Data["ssh-privatekey"] - private SSH key needed for authentication
+	SecretTypeSSHAuth SecretType = "kubernetes.io/ssh-auth"
+
+	// SSHAuthPrivateKey is the key of the required SSH private key for SecretTypeSSHAuth secrets
+	SSHAuthPrivateKey = "ssh-privatekey"
+	// SecretTypeTLS contains information about a TLS client or server secret. It
+	// is primarily used with TLS termination of the Ingress resource, but may be
+	// used in other types.
+	//
+	// Required fields:
+	// - Secret.Data["tls.key"] - TLS private key.
+	//   Secret.Data["tls.crt"] - TLS certificate.
+	// TODO: Consider supporting different formats, specifying CA/destinationCA.
+	SecretTypeTLS SecretType = "kubernetes.io/tls"
+
+	// TLSCertKey is the key for tls certificates in a TLS secert.
+	TLSCertKey = "tls.crt"
+	// TLSPrivateKeyKey is the key for the private key field in a TLS secret.
+	TLSPrivateKeyKey = "tls.key"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// SecretList is a list of Secret.
+type SecretList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of secret objects.
+	// More info: https://kubernetes.io/docs/concepts/configuration/secret
+	Items []Secret `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ConfigMap holds configuration data for pods to consume.
+type ConfigMap struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Data contains the configuration data.
+	// Each key must consist of alphanumeric characters, '-', '_' or '.'.
+	// +optional
+	Data map[string]string `json:"data,omitempty" protobuf:"bytes,2,rep,name=data"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ConfigMapList is a resource containing a list of ConfigMap objects.
+type ConfigMapList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of ConfigMaps.
+	Items []ConfigMap `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// Type and constants for component health validation.
+type ComponentConditionType string
+
+// These are the valid conditions for the component.
+const (
+	ComponentHealthy ComponentConditionType = "Healthy"
+)
+
+// Information about the condition of a component.
+type ComponentCondition struct {
+	// Type of condition for a component.
+	// Valid value: "Healthy"
+	Type ComponentConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=ComponentConditionType"`
+	// Status of the condition for a component.
+	// Valid values for "Healthy": "True", "False", or "Unknown".
+	Status ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=ConditionStatus"`
+	// Message about the condition for a component.
+	// For example, information about a health check.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,3,opt,name=message"`
+	// Condition error code for a component.
+	// For example, a health check error code.
+	// +optional
+	Error string `json:"error,omitempty" protobuf:"bytes,4,opt,name=error"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ComponentStatus (and ComponentStatusList) holds the cluster validation info.
+type ComponentStatus struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of component conditions observed
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []ComponentCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,2,rep,name=conditions"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Status of all the conditions for the component as a list of ComponentStatus objects.
+type ComponentStatusList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of ComponentStatus objects.
+	Items []ComponentStatus `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// DownwardAPIVolumeSource represents a volume containing downward API info.
+// Downward API volumes support ownership management and SELinux relabeling.
+type DownwardAPIVolumeSource struct {
+	// Items is a list of downward API volume file
+	// +optional
+	Items []DownwardAPIVolumeFile `json:"items,omitempty" protobuf:"bytes,1,rep,name=items"`
+	// Optional: mode bits to use on created files by default. Must be a
+	// value between 0 and 0777. Defaults to 0644.
+	// Directories within the path are not affected by this setting.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	// +optional
+	DefaultMode *int32 `json:"defaultMode,omitempty" protobuf:"varint,2,opt,name=defaultMode"`
+}
+
+const (
+	DownwardAPIVolumeSourceDefaultMode int32 = 0644
+)
+
+// DownwardAPIVolumeFile represents information to create the file containing the pod field
+type DownwardAPIVolumeFile struct {
+	// Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'
+	Path string `json:"path" protobuf:"bytes,1,opt,name=path"`
+	// Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.
+	// +optional
+	FieldRef *ObjectFieldSelector `json:"fieldRef,omitempty" protobuf:"bytes,2,opt,name=fieldRef"`
+	// Selects a resource of the container: only resources limits and requests
+	// (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+	// +optional
+	ResourceFieldRef *ResourceFieldSelector `json:"resourceFieldRef,omitempty" protobuf:"bytes,3,opt,name=resourceFieldRef"`
+	// Optional: mode bits to use on this file, must be a value between 0
+	// and 0777. If not specified, the volume defaultMode will be used.
+	// This might be in conflict with other options that affect the file
+	// mode, like fsGroup, and the result can be other mode bits set.
+	// +optional
+	Mode *int32 `json:"mode,omitempty" protobuf:"varint,4,opt,name=mode"`
+}
+
+// Represents downward API info for projecting into a projected volume.
+// Note that this is identical to a downwardAPI volume source without the default
+// mode.
+type DownwardAPIProjection struct {
+	// Items is a list of DownwardAPIVolume file
+	// +optional
+	Items []DownwardAPIVolumeFile `json:"items,omitempty" protobuf:"bytes,1,rep,name=items"`
+}
+
+// SecurityContext holds security configuration that will be applied to a container.
+// Some fields are present in both SecurityContext and PodSecurityContext.  When both
+// are set, the values in SecurityContext take precedence.
+type SecurityContext struct {
+	// The capabilities to add/drop when running containers.
+	// Defaults to the default set of capabilities granted by the container runtime.
+	// +optional
+	Capabilities *Capabilities `json:"capabilities,omitempty" protobuf:"bytes,1,opt,name=capabilities"`
+	// Run container in privileged mode.
+	// Processes in privileged containers are essentially equivalent to root on the host.
+	// Defaults to false.
+	// +optional
+	Privileged *bool `json:"privileged,omitempty" protobuf:"varint,2,opt,name=privileged"`
+	// The SELinux context to be applied to the container.
+	// If unspecified, the container runtime will allocate a random SELinux context for each
+	// container.  May also be set in PodSecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	// +optional
+	SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,3,opt,name=seLinuxOptions"`
+	// The UID to run the entrypoint of the container process.
+	// Defaults to user specified in image metadata if unspecified.
+	// May also be set in PodSecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	// +optional
+	RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,4,opt,name=runAsUser"`
+	// Indicates that the container must run as a non-root user.
+	// If true, the Kubelet will validate the image at runtime to ensure that it
+	// does not run as UID 0 (root) and fail to start the container if it does.
+	// If unset or false, no such validation will be performed.
+	// May also be set in PodSecurityContext.  If set in both SecurityContext and
+	// PodSecurityContext, the value specified in SecurityContext takes precedence.
+	// +optional
+	RunAsNonRoot *bool `json:"runAsNonRoot,omitempty" protobuf:"varint,5,opt,name=runAsNonRoot"`
+	// Whether this container has a read-only root filesystem.
+	// Default is false.
+	// +optional
+	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,6,opt,name=readOnlyRootFilesystem"`
+	// AllowPrivilegeEscalation controls whether a process can gain more
+	// privileges than its parent process. This bool directly controls if
+	// the no_new_privs flag will be set on the container process.
+	// AllowPrivilegeEscalation is true always when the container is:
+	// 1) run as Privileged
+	// 2) has CAP_SYS_ADMIN
+	// +optional
+	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,7,opt,name=allowPrivilegeEscalation"`
+}
+
+// SELinuxOptions are the labels to be applied to the container
+type SELinuxOptions struct {
+	// User is a SELinux user label that applies to the container.
+	// +optional
+	User string `json:"user,omitempty" protobuf:"bytes,1,opt,name=user"`
+	// Role is a SELinux role label that applies to the container.
+	// +optional
+	Role string `json:"role,omitempty" protobuf:"bytes,2,opt,name=role"`
+	// Type is a SELinux type label that applies to the container.
+	// +optional
+	Type string `json:"type,omitempty" protobuf:"bytes,3,opt,name=type"`
+	// Level is SELinux level label that applies to the container.
+	// +optional
+	Level string `json:"level,omitempty" protobuf:"bytes,4,opt,name=level"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RangeAllocation is not a public type.
+type RangeAllocation struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Range is string that identifies the range represented by 'data'.
+	Range string `json:"range" protobuf:"bytes,2,opt,name=range"`
+	// Data is a bit array containing all allocated addresses in the previous segment.
+	Data []byte `json:"data" protobuf:"bytes,3,opt,name=data"`
+}
+
+const (
+	// "default-scheduler" is the name of default scheduler.
+	DefaultSchedulerName = "default-scheduler"
+
+	// RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule
+	// corresponding to every RequiredDuringScheduling affinity rule.
+	// When the --hard-pod-affinity-weight scheduler flag is not specified,
+	// DefaultHardPodAffinityWeight defines the weight of the implicit PreferredDuringScheduling affinity rule.
+	DefaultHardPodAffinitySymmetricWeight int = 1
+)
+
+// Sysctl defines a kernel parameter to be set
+type Sysctl struct {
+	// Name of a property to set
+	Name string `protobuf:"bytes,1,opt,name=name"`
+	// Value of a property to set
+	Value string `protobuf:"bytes,2,opt,name=value"`
+}
+
+// NodeResources is an object for conveying resource information about a node.
+// see http://releases.k8s.io/HEAD/docs/design/resources.md for more details.
+type NodeResources struct {
+	// Capacity represents the available resources of a node
+	Capacity ResourceList `protobuf:"bytes,1,rep,name=capacity,casttype=ResourceList,castkey=ResourceName"`
+}
+
+const (
+	// Enable stdin for remote command execution
+	ExecStdinParam = "input"
+	// Enable stdout for remote command execution
+	ExecStdoutParam = "output"
+	// Enable stderr for remote command execution
+	ExecStderrParam = "error"
+	// Enable TTY for remote command execution
+	ExecTTYParam = "tty"
+	// Command to run for remote command execution
+	ExecCommandParam = "command"
+
+	// Name of header that specifies stream type
+	StreamType = "streamType"
+	// Value for streamType header for stdin stream
+	StreamTypeStdin = "stdin"
+	// Value for streamType header for stdout stream
+	StreamTypeStdout = "stdout"
+	// Value for streamType header for stderr stream
+	StreamTypeStderr = "stderr"
+	// Value for streamType header for data stream
+	StreamTypeData = "data"
+	// Value for streamType header for error stream
+	StreamTypeError = "error"
+	// Value for streamType header for terminal resize stream
+	StreamTypeResize = "resize"
+
+	// Name of header that specifies the port being forwarded
+	PortHeader = "port"
+	// Name of header that specifies a request ID used to associate the error
+	// and data streams for a single forwarded connection
+	PortForwardRequestIDHeader = "requestID"
+)
diff --git a/cli/vendor/k8s.io/api/core/v1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/core/v1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..539efc6b
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/types_swagger_doc_generated.go
@@ -0,0 +1,2133 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_AWSElasticBlockStoreVolumeSource = map[string]string{
+	"":          "Represents a Persistent Disk resource in AWS.\n\nAn AWS EBS disk must exist before mounting to a container. The disk must also be in the same AWS zone as the kubelet. An AWS EBS disk can only be mounted as read/write once. AWS EBS volumes support ownership management and SELinux relabeling.",
+	"volumeID":  "Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore",
+	"fsType":    "Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore",
+	"partition": "The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).",
+	"readOnly":  "Specify \"true\" to force and set the ReadOnly property in VolumeMounts to \"true\". If omitted, the default is \"false\". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore",
+}
+
+func (AWSElasticBlockStoreVolumeSource) SwaggerDoc() map[string]string {
+	return map_AWSElasticBlockStoreVolumeSource
+}
+
+var map_Affinity = map[string]string{
+	"":                "Affinity is a group of affinity scheduling rules.",
+	"nodeAffinity":    "Describes node affinity scheduling rules for the pod.",
+	"podAffinity":     "Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).",
+	"podAntiAffinity": "Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).",
+}
+
+func (Affinity) SwaggerDoc() map[string]string {
+	return map_Affinity
+}
+
+var map_AttachedVolume = map[string]string{
+	"":           "AttachedVolume describes a volume attached to a node",
+	"name":       "Name of the attached volume",
+	"devicePath": "DevicePath represents the device path where the volume should be available",
+}
+
+func (AttachedVolume) SwaggerDoc() map[string]string {
+	return map_AttachedVolume
+}
+
+var map_AvoidPods = map[string]string{
+	"":                "AvoidPods describes pods that should avoid this node. This is the value for a Node annotation with key scheduler.alpha.kubernetes.io/preferAvoidPods and will eventually become a field of NodeStatus.",
+	"preferAvoidPods": "Bounded-sized list of signatures of pods that should avoid this node, sorted in timestamp order from oldest to newest. Size of the slice is unspecified.",
+}
+
+func (AvoidPods) SwaggerDoc() map[string]string {
+	return map_AvoidPods
+}
+
+var map_AzureDiskVolumeSource = map[string]string{
+	"":            "AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.",
+	"diskName":    "The Name of the data disk in the blob storage",
+	"diskURI":     "The URI the data disk in the blob storage",
+	"cachingMode": "Host Caching mode: None, Read Only, Read Write.",
+	"fsType":      "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.",
+	"readOnly":    "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
+	"kind":        "Expected values Shared: mulitple blob disks per storage account  Dedicated: single blob disk per storage account  Managed: azure managed data disk (only in managed availability set). defaults to shared",
+}
+
+func (AzureDiskVolumeSource) SwaggerDoc() map[string]string {
+	return map_AzureDiskVolumeSource
+}
+
+var map_AzureFilePersistentVolumeSource = map[string]string{
+	"":                "AzureFile represents an Azure File Service mount on the host and bind mount to the pod.",
+	"secretName":      "the name of secret that contains Azure Storage Account Name and Key",
+	"shareName":       "Share Name",
+	"readOnly":        "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
+	"secretNamespace": "the namespace of the secret that contains Azure Storage Account Name and Key default is the same as the Pod",
+}
+
+func (AzureFilePersistentVolumeSource) SwaggerDoc() map[string]string {
+	return map_AzureFilePersistentVolumeSource
+}
+
+var map_AzureFileVolumeSource = map[string]string{
+	"":           "AzureFile represents an Azure File Service mount on the host and bind mount to the pod.",
+	"secretName": "the name of secret that contains Azure Storage Account Name and Key",
+	"shareName":  "Share Name",
+	"readOnly":   "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
+}
+
+func (AzureFileVolumeSource) SwaggerDoc() map[string]string {
+	return map_AzureFileVolumeSource
+}
+
+var map_Binding = map[string]string{
+	"":         "Binding ties one object to another; for example, a pod is bound to a node by a scheduler. Deprecated in 1.7, please use the bindings subresource of pods instead.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"target":   "The target object that you want to bind to the standard object.",
+}
+
+func (Binding) SwaggerDoc() map[string]string {
+	return map_Binding
+}
+
+var map_Capabilities = map[string]string{
+	"":     "Adds and removes POSIX capabilities from running containers.",
+	"add":  "Added capabilities",
+	"drop": "Removed capabilities",
+}
+
+func (Capabilities) SwaggerDoc() map[string]string {
+	return map_Capabilities
+}
+
+var map_CephFSPersistentVolumeSource = map[string]string{
+	"":           "Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.",
+	"monitors":   "Required: Monitors is a collection of Ceph monitors More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"path":       "Optional: Used as the mounted root, rather than the full Ceph tree, default is /",
+	"user":       "Optional: User is the rados user name, default is admin More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"secretFile": "Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"secretRef":  "Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"readOnly":   "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+}
+
+func (CephFSPersistentVolumeSource) SwaggerDoc() map[string]string {
+	return map_CephFSPersistentVolumeSource
+}
+
+var map_CephFSVolumeSource = map[string]string{
+	"":           "Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.",
+	"monitors":   "Required: Monitors is a collection of Ceph monitors More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"path":       "Optional: Used as the mounted root, rather than the full Ceph tree, default is /",
+	"user":       "Optional: User is the rados user name, default is admin More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"secretFile": "Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"secretRef":  "Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+	"readOnly":   "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://releases.k8s.io/HEAD/examples/volumes/cephfs/README.md#how-to-use-it",
+}
+
+func (CephFSVolumeSource) SwaggerDoc() map[string]string {
+	return map_CephFSVolumeSource
+}
+
+var map_CinderVolumeSource = map[string]string{
+	"":         "Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.",
+	"volumeID": "volume id used to identify the volume in cinder More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"fsType":   "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"readOnly": "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+}
+
+func (CinderVolumeSource) SwaggerDoc() map[string]string {
+	return map_CinderVolumeSource
+}
+
+var map_ClientIPConfig = map[string]string{
+	"":               "ClientIPConfig represents the configurations of Client IP based session affinity.",
+	"timeoutSeconds": "timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be >0 && <=86400(for 1 day) if ServiceAffinity == \"ClientIP\". Default value is 10800(for 3 hours).",
+}
+
+func (ClientIPConfig) SwaggerDoc() map[string]string {
+	return map_ClientIPConfig
+}
+
+var map_ComponentCondition = map[string]string{
+	"":        "Information about the condition of a component.",
+	"type":    "Type of condition for a component. Valid value: \"Healthy\"",
+	"status":  "Status of the condition for a component. Valid values for \"Healthy\": \"True\", \"False\", or \"Unknown\".",
+	"message": "Message about the condition for a component. For example, information about a health check.",
+	"error":   "Condition error code for a component. For example, a health check error code.",
+}
+
+func (ComponentCondition) SwaggerDoc() map[string]string {
+	return map_ComponentCondition
+}
+
+var map_ComponentStatus = map[string]string{
+	"":           "ComponentStatus (and ComponentStatusList) holds the cluster validation info.",
+	"metadata":   "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"conditions": "List of component conditions observed",
+}
+
+func (ComponentStatus) SwaggerDoc() map[string]string {
+	return map_ComponentStatus
+}
+
+var map_ComponentStatusList = map[string]string{
+	"":         "Status of all the conditions for the component as a list of ComponentStatus objects.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of ComponentStatus objects.",
+}
+
+func (ComponentStatusList) SwaggerDoc() map[string]string {
+	return map_ComponentStatusList
+}
+
+var map_ConfigMap = map[string]string{
+	"":         "ConfigMap holds configuration data for pods to consume.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"data":     "Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'.",
+}
+
+func (ConfigMap) SwaggerDoc() map[string]string {
+	return map_ConfigMap
+}
+
+var map_ConfigMapEnvSource = map[string]string{
+	"":         "ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.\n\nThe contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.",
+	"optional": "Specify whether the ConfigMap must be defined",
+}
+
+func (ConfigMapEnvSource) SwaggerDoc() map[string]string {
+	return map_ConfigMapEnvSource
+}
+
+var map_ConfigMapKeySelector = map[string]string{
+	"":         "Selects a key from a ConfigMap.",
+	"key":      "The key to select.",
+	"optional": "Specify whether the ConfigMap or it's key must be defined",
+}
+
+func (ConfigMapKeySelector) SwaggerDoc() map[string]string {
+	return map_ConfigMapKeySelector
+}
+
+var map_ConfigMapList = map[string]string{
+	"":         "ConfigMapList is a resource containing a list of ConfigMap objects.",
+	"metadata": "More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is the list of ConfigMaps.",
+}
+
+func (ConfigMapList) SwaggerDoc() map[string]string {
+	return map_ConfigMapList
+}
+
+var map_ConfigMapProjection = map[string]string{
+	"":         "Adapts a ConfigMap into a projected volume.\n\nThe contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.",
+	"items":    "If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.",
+	"optional": "Specify whether the ConfigMap or it's keys must be defined",
+}
+
+func (ConfigMapProjection) SwaggerDoc() map[string]string {
+	return map_ConfigMapProjection
+}
+
+var map_ConfigMapVolumeSource = map[string]string{
+	"":            "Adapts a ConfigMap into a volume.\n\nThe contents of the target ConfigMap's Data field will be presented in a volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. ConfigMap volumes support ownership management and SELinux relabeling.",
+	"items":       "If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.",
+	"defaultMode": "Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.",
+	"optional":    "Specify whether the ConfigMap or it's keys must be defined",
+}
+
+func (ConfigMapVolumeSource) SwaggerDoc() map[string]string {
+	return map_ConfigMapVolumeSource
+}
+
+var map_Container = map[string]string{
+	"":                         "A single application container that you want to run within a pod.",
+	"name":                     "Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.",
+	"image":                    "Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.",
+	"command":                  "Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell",
+	"args":                     "Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell",
+	"workingDir":               "Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.",
+	"ports":                    "List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default \"0.0.0.0\" address inside a container will be accessible from the network. Cannot be updated.",
+	"envFrom":                  "List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.",
+	"env":                      "List of environment variables to set in the container. Cannot be updated.",
+	"resources":                "Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources",
+	"volumeMounts":             "Pod volumes to mount into the container's filesystem. Cannot be updated.",
+	"livenessProbe":            "Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
+	"readinessProbe":           "Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
+	"lifecycle":                "Actions that the management system should take in response to container lifecycle events. Cannot be updated.",
+	"terminationMessagePath":   "Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.",
+	"terminationMessagePolicy": "Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.",
+	"imagePullPolicy":          "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images",
+	"securityContext":          "Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://git.k8s.io/community/contributors/design-proposals/security_context.md",
+	"stdin":                    "Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.",
+	"stdinOnce":                "Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false",
+	"tty":                      "Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.",
+}
+
+func (Container) SwaggerDoc() map[string]string {
+	return map_Container
+}
+
+var map_ContainerImage = map[string]string{
+	"":          "Describe a container image",
+	"names":     "Names by which this image is known. e.g. [\"gcr.io/google_containers/hyperkube:v1.0.7\", \"dockerhub.io/google_containers/hyperkube:v1.0.7\"]",
+	"sizeBytes": "The size of the image in bytes.",
+}
+
+func (ContainerImage) SwaggerDoc() map[string]string {
+	return map_ContainerImage
+}
+
+var map_ContainerPort = map[string]string{
+	"":              "ContainerPort represents a network port in a single container.",
+	"name":          "If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.",
+	"hostPort":      "Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.",
+	"containerPort": "Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.",
+	"protocol":      "Protocol for port. Must be UDP or TCP. Defaults to \"TCP\".",
+	"hostIP":        "What host IP to bind the external port to.",
+}
+
+func (ContainerPort) SwaggerDoc() map[string]string {
+	return map_ContainerPort
+}
+
+var map_ContainerState = map[string]string{
+	"":           "ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.",
+	"waiting":    "Details about a waiting container",
+	"running":    "Details about a running container",
+	"terminated": "Details about a terminated container",
+}
+
+func (ContainerState) SwaggerDoc() map[string]string {
+	return map_ContainerState
+}
+
+var map_ContainerStateRunning = map[string]string{
+	"":          "ContainerStateRunning is a running state of a container.",
+	"startedAt": "Time at which the container was last (re-)started",
+}
+
+func (ContainerStateRunning) SwaggerDoc() map[string]string {
+	return map_ContainerStateRunning
+}
+
+var map_ContainerStateTerminated = map[string]string{
+	"":            "ContainerStateTerminated is a terminated state of a container.",
+	"exitCode":    "Exit status from the last termination of the container",
+	"signal":      "Signal from the last termination of the container",
+	"reason":      "(brief) reason from the last termination of the container",
+	"message":     "Message regarding the last termination of the container",
+	"startedAt":   "Time at which previous execution of the container started",
+	"finishedAt":  "Time at which the container last terminated",
+	"containerID": "Container's ID in the format 'docker://<container_id>'",
+}
+
+func (ContainerStateTerminated) SwaggerDoc() map[string]string {
+	return map_ContainerStateTerminated
+}
+
+var map_ContainerStateWaiting = map[string]string{
+	"":        "ContainerStateWaiting is a waiting state of a container.",
+	"reason":  "(brief) reason the container is not yet running.",
+	"message": "Message regarding why the container is not yet running.",
+}
+
+func (ContainerStateWaiting) SwaggerDoc() map[string]string {
+	return map_ContainerStateWaiting
+}
+
+var map_ContainerStatus = map[string]string{
+	"":             "ContainerStatus contains details for the current status of this container.",
+	"name":         "This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.",
+	"state":        "Details about the container's current condition.",
+	"lastState":    "Details about the container's last termination condition.",
+	"ready":        "Specifies whether the container has passed its readiness probe.",
+	"restartCount": "The number of times the container has been restarted, currently based on the number of dead containers that have not yet been removed. Note that this is calculated from dead containers. But those containers are subject to garbage collection. This value will get capped at 5 by GC.",
+	"image":        "The image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images",
+	"imageID":      "ImageID of the container's image.",
+	"containerID":  "Container's ID in the format 'docker://<container_id>'.",
+}
+
+func (ContainerStatus) SwaggerDoc() map[string]string {
+	return map_ContainerStatus
+}
+
+var map_DaemonEndpoint = map[string]string{
+	"":     "DaemonEndpoint contains information about a single Daemon endpoint.",
+	"Port": "Port number of the given endpoint.",
+}
+
+func (DaemonEndpoint) SwaggerDoc() map[string]string {
+	return map_DaemonEndpoint
+}
+
+var map_DeleteOptions = map[string]string{
+	"":                   "DeleteOptions may be provided when deleting an API object DEPRECATED: This type has been moved to meta/v1 and will be removed soon.",
+	"gracePeriodSeconds": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+	"preconditions":      "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.",
+	"orphanDependents":   "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+	"PropagationPolicy":  "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy.",
+}
+
+func (DeleteOptions) SwaggerDoc() map[string]string {
+	return map_DeleteOptions
+}
+
+var map_DownwardAPIProjection = map[string]string{
+	"":      "Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.",
+	"items": "Items is a list of DownwardAPIVolume file",
+}
+
+func (DownwardAPIProjection) SwaggerDoc() map[string]string {
+	return map_DownwardAPIProjection
+}
+
+var map_DownwardAPIVolumeFile = map[string]string{
+	"":                 "DownwardAPIVolumeFile represents information to create the file containing the pod field",
+	"path":             "Required: Path is  the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'",
+	"fieldRef":         "Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.",
+	"resourceFieldRef": "Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.",
+	"mode":             "Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.",
+}
+
+func (DownwardAPIVolumeFile) SwaggerDoc() map[string]string {
+	return map_DownwardAPIVolumeFile
+}
+
+var map_DownwardAPIVolumeSource = map[string]string{
+	"":            "DownwardAPIVolumeSource represents a volume containing downward API info. Downward API volumes support ownership management and SELinux relabeling.",
+	"items":       "Items is a list of downward API volume file",
+	"defaultMode": "Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.",
+}
+
+func (DownwardAPIVolumeSource) SwaggerDoc() map[string]string {
+	return map_DownwardAPIVolumeSource
+}
+
+var map_EmptyDirVolumeSource = map[string]string{
+	"":          "Represents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.",
+	"medium":    "What type of storage medium should back this directory. The default is \"\" which means to use the node's default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir",
+	"sizeLimit": "Total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir",
+}
+
+func (EmptyDirVolumeSource) SwaggerDoc() map[string]string {
+	return map_EmptyDirVolumeSource
+}
+
+var map_EndpointAddress = map[string]string{
+	"":          "EndpointAddress is a tuple that describes single IP address.",
+	"ip":        "The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24). IPv6 is also accepted but not fully supported on all platforms. Also, certain kubernetes components, like kube-proxy, are not IPv6 ready.",
+	"hostname":  "The Hostname of this endpoint",
+	"nodeName":  "Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node.",
+	"targetRef": "Reference to object providing the endpoint.",
+}
+
+func (EndpointAddress) SwaggerDoc() map[string]string {
+	return map_EndpointAddress
+}
+
+var map_EndpointPort = map[string]string{
+	"":         "EndpointPort is a tuple that describes a single port.",
+	"name":     "The name of this port (corresponds to ServicePort.Name). Must be a DNS_LABEL. Optional only if one port is defined.",
+	"port":     "The port number of the endpoint.",
+	"protocol": "The IP protocol for this port. Must be UDP or TCP. Default is TCP.",
+}
+
+func (EndpointPort) SwaggerDoc() map[string]string {
+	return map_EndpointPort
+}
+
+var map_EndpointSubset = map[string]string{
+	"":                  "EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n  {\n    Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n    Ports:     [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n  }\nThe resulting set of endpoints can be viewed as:\n    a: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n    b: [ 10.10.1.1:309, 10.10.2.2:309 ]",
+	"addresses":         "IP addresses which offer the related ports that are marked as ready. These endpoints should be considered safe for load balancers and clients to utilize.",
+	"notReadyAddresses": "IP addresses which offer the related ports but are not currently marked as ready because they have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check.",
+	"ports":             "Port numbers available on the related IP addresses.",
+}
+
+func (EndpointSubset) SwaggerDoc() map[string]string {
+	return map_EndpointSubset
+}
+
+var map_Endpoints = map[string]string{
+	"":         "Endpoints is a collection of endpoints that implement the actual service. Example:\n  Name: \"mysvc\",\n  Subsets: [\n    {\n      Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n      Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n    },\n    {\n      Addresses: [{\"ip\": \"10.10.3.3\"}],\n      Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n    },\n ]",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"subsets":  "The set of all endpoints is the union of all subsets. Addresses are placed into subsets according to the IPs they share. A single address with multiple ports, some of which are ready and some of which are not (because they come from different containers) will result in the address being displayed in different subsets for the different ports. No address will appear in both Addresses and NotReadyAddresses in the same subset. Sets of addresses and ports that comprise a service.",
+}
+
+func (Endpoints) SwaggerDoc() map[string]string {
+	return map_Endpoints
+}
+
+var map_EndpointsList = map[string]string{
+	"":         "EndpointsList is a list of endpoints.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of endpoints.",
+}
+
+func (EndpointsList) SwaggerDoc() map[string]string {
+	return map_EndpointsList
+}
+
+var map_EnvFromSource = map[string]string{
+	"":             "EnvFromSource represents the source of a set of ConfigMaps",
+	"prefix":       "An optional identifer to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.",
+	"configMapRef": "The ConfigMap to select from",
+	"secretRef":    "The Secret to select from",
+}
+
+func (EnvFromSource) SwaggerDoc() map[string]string {
+	return map_EnvFromSource
+}
+
+var map_EnvVar = map[string]string{
+	"":          "EnvVar represents an environment variable present in a Container.",
+	"name":      "Name of the environment variable. Must be a C_IDENTIFIER.",
+	"value":     "Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\".",
+	"valueFrom": "Source for the environment variable's value. Cannot be used if value is not empty.",
+}
+
+func (EnvVar) SwaggerDoc() map[string]string {
+	return map_EnvVar
+}
+
+var map_EnvVarSource = map[string]string{
+	"":                 "EnvVarSource represents a source for the value of an EnvVar.",
+	"fieldRef":         "Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.",
+	"resourceFieldRef": "Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.",
+	"configMapKeyRef":  "Selects a key of a ConfigMap.",
+	"secretKeyRef":     "Selects a key of a secret in the pod's namespace",
+}
+
+func (EnvVarSource) SwaggerDoc() map[string]string {
+	return map_EnvVarSource
+}
+
+var map_Event = map[string]string{
+	"":               "Event is a report of an event somewhere in the cluster.",
+	"metadata":       "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"involvedObject": "The object that this event is about.",
+	"reason":         "This should be a short, machine understandable string that gives the reason for the transition into the object's current status.",
+	"message":        "A human-readable description of the status of this operation.",
+	"source":         "The component reporting this event. Should be a short machine understandable string.",
+	"firstTimestamp": "The time at which the event was first recorded. (Time of server receipt is in TypeMeta.)",
+	"lastTimestamp":  "The time at which the most recent occurrence of this event was recorded.",
+	"count":          "The number of times this event has occurred.",
+	"type":           "Type of this event (Normal, Warning), new types could be added in the future",
+}
+
+func (Event) SwaggerDoc() map[string]string {
+	return map_Event
+}
+
+var map_EventList = map[string]string{
+	"":         "EventList is a list of events.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of events",
+}
+
+func (EventList) SwaggerDoc() map[string]string {
+	return map_EventList
+}
+
+var map_EventSource = map[string]string{
+	"":          "EventSource contains information for an event.",
+	"component": "Component from which the event is generated.",
+	"host":      "Node name on which the event is generated.",
+}
+
+func (EventSource) SwaggerDoc() map[string]string {
+	return map_EventSource
+}
+
+var map_ExecAction = map[string]string{
+	"":        "ExecAction describes a \"run in container\" action.",
+	"command": "Command is the command line to execute inside the container, the working directory for the command  is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.",
+}
+
+func (ExecAction) SwaggerDoc() map[string]string {
+	return map_ExecAction
+}
+
+var map_FCVolumeSource = map[string]string{
+	"":           "Represents a Fibre Channel volume. Fibre Channel volumes can only be mounted as read/write once. Fibre Channel volumes support ownership management and SELinux relabeling.",
+	"targetWWNs": "Optional: FC target worldwide names (WWNs)",
+	"lun":        "Optional: FC target lun number",
+	"fsType":     "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.",
+	"readOnly":   "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
+	"wwids":      "Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.",
+}
+
+func (FCVolumeSource) SwaggerDoc() map[string]string {
+	return map_FCVolumeSource
+}
+
+var map_FlexVolumeSource = map[string]string{
+	"":          "FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. This is an alpha feature and may change in future.",
+	"driver":    "Driver is the name of the driver to use for this volume.",
+	"fsType":    "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.",
+	"secretRef": "Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.",
+	"readOnly":  "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
+	"options":   "Optional: Extra command options if any.",
+}
+
+func (FlexVolumeSource) SwaggerDoc() map[string]string {
+	return map_FlexVolumeSource
+}
+
+var map_FlockerVolumeSource = map[string]string{
+	"":            "Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.",
+	"datasetName": "Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated",
+	"datasetUUID": "UUID of the dataset. This is unique identifier of a Flocker dataset",
+}
+
+func (FlockerVolumeSource) SwaggerDoc() map[string]string {
+	return map_FlockerVolumeSource
+}
+
+var map_GCEPersistentDiskVolumeSource = map[string]string{
+	"":          "Represents a Persistent Disk resource in Google Compute Engine.\n\nA GCE PD must exist before mounting to a container. The disk must also be in the same GCE project and zone as the kubelet. A GCE PD can only be mounted as read/write once or read-only many times. GCE PDs support ownership management and SELinux relabeling.",
+	"pdName":    "Unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
+	"fsType":    "Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
+	"partition": "The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
+	"readOnly":  "ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
+}
+
+func (GCEPersistentDiskVolumeSource) SwaggerDoc() map[string]string {
+	return map_GCEPersistentDiskVolumeSource
+}
+
+var map_GitRepoVolumeSource = map[string]string{
+	"":           "Represents a volume that is populated with the contents of a git repository. Git repo volumes do not support ownership management. Git repo volumes support SELinux relabeling.",
+	"repository": "Repository URL",
+	"revision":   "Commit hash for the specified revision.",
+	"directory":  "Target directory name. Must not contain or start with '..'.  If '.' is supplied, the volume directory will be the git repository.  Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.",
+}
+
+func (GitRepoVolumeSource) SwaggerDoc() map[string]string {
+	return map_GitRepoVolumeSource
+}
+
+var map_GlusterfsVolumeSource = map[string]string{
+	"":          "Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.",
+	"endpoints": "EndpointsName is the endpoint name that details Glusterfs topology. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod",
+	"path":      "Path is the Glusterfs volume path. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod",
+	"readOnly":  "ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md#create-a-pod",
+}
+
+func (GlusterfsVolumeSource) SwaggerDoc() map[string]string {
+	return map_GlusterfsVolumeSource
+}
+
+var map_HTTPGetAction = map[string]string{
+	"":            "HTTPGetAction describes an action based on HTTP Get requests.",
+	"path":        "Path to access on the HTTP server.",
+	"port":        "Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.",
+	"host":        "Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.",
+	"scheme":      "Scheme to use for connecting to the host. Defaults to HTTP.",
+	"httpHeaders": "Custom headers to set in the request. HTTP allows repeated headers.",
+}
+
+func (HTTPGetAction) SwaggerDoc() map[string]string {
+	return map_HTTPGetAction
+}
+
+var map_HTTPHeader = map[string]string{
+	"":      "HTTPHeader describes a custom header to be used in HTTP probes",
+	"name":  "The header field name",
+	"value": "The header field value",
+}
+
+func (HTTPHeader) SwaggerDoc() map[string]string {
+	return map_HTTPHeader
+}
+
+var map_Handler = map[string]string{
+	"":          "Handler defines a specific action that should be taken",
+	"exec":      "One and only one of the following should be specified. Exec specifies the action to take.",
+	"httpGet":   "HTTPGet specifies the http request to perform.",
+	"tcpSocket": "TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported",
+}
+
+func (Handler) SwaggerDoc() map[string]string {
+	return map_Handler
+}
+
+var map_HostAlias = map[string]string{
+	"":          "HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.",
+	"ip":        "IP address of the host file entry.",
+	"hostnames": "Hostnames for the above IP address.",
+}
+
+func (HostAlias) SwaggerDoc() map[string]string {
+	return map_HostAlias
+}
+
+var map_HostPathVolumeSource = map[string]string{
+	"":     "Represents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.",
+	"path": "Path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath",
+	"type": "Type for HostPath Volume Defaults to \"\" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath",
+}
+
+func (HostPathVolumeSource) SwaggerDoc() map[string]string {
+	return map_HostPathVolumeSource
+}
+
+var map_ISCSIVolumeSource = map[string]string{
+	"":                  "Represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.",
+	"targetPortal":      "iSCSI target portal. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).",
+	"iqn":               "Target iSCSI Qualified Name.",
+	"lun":               "iSCSI target lun number.",
+	"iscsiInterface":    "Optional: Defaults to 'default' (tcp). iSCSI interface name that uses an iSCSI transport.",
+	"fsType":            "Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi",
+	"readOnly":          "ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.",
+	"portals":           "iSCSI target portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).",
+	"chapAuthDiscovery": "whether support iSCSI Discovery CHAP authentication",
+	"chapAuthSession":   "whether support iSCSI Session CHAP authentication",
+	"secretRef":         "CHAP secret for iSCSI target and initiator authentication",
+	"initiatorName":     "Custom iSCSI initiator name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface <target portal>:<volume name> will be created for the connection.",
+}
+
+func (ISCSIVolumeSource) SwaggerDoc() map[string]string {
+	return map_ISCSIVolumeSource
+}
+
+var map_KeyToPath = map[string]string{
+	"":     "Maps a string key to a path within a volume.",
+	"key":  "The key to project.",
+	"path": "The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.",
+	"mode": "Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.",
+}
+
+func (KeyToPath) SwaggerDoc() map[string]string {
+	return map_KeyToPath
+}
+
+var map_Lifecycle = map[string]string{
+	"":          "Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.",
+	"postStart": "PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks",
+	"preStop":   "PreStop is called immediately before a container is terminated. The container is terminated after the handler completes. The reason for termination is passed to the handler. Regardless of the outcome of the handler, the container is eventually terminated. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks",
+}
+
+func (Lifecycle) SwaggerDoc() map[string]string {
+	return map_Lifecycle
+}
+
+var map_LimitRange = map[string]string{
+	"":         "LimitRange sets resource usage limits for each kind of resource in a Namespace.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec defines the limits enforced. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (LimitRange) SwaggerDoc() map[string]string {
+	return map_LimitRange
+}
+
+var map_LimitRangeItem = map[string]string{
+	"":                     "LimitRangeItem defines a min/max usage limit for any resource that matches on kind.",
+	"type":                 "Type of resource that this limit applies to.",
+	"max":                  "Max usage constraints on this kind by resource name.",
+	"min":                  "Min usage constraints on this kind by resource name.",
+	"default":              "Default resource requirement limit value by resource name if resource limit is omitted.",
+	"defaultRequest":       "DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.",
+	"maxLimitRequestRatio": "MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.",
+}
+
+func (LimitRangeItem) SwaggerDoc() map[string]string {
+	return map_LimitRangeItem
+}
+
+var map_LimitRangeList = map[string]string{
+	"":         "LimitRangeList is a list of LimitRange items.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "Items is a list of LimitRange objects. More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_limit_range.md",
+}
+
+func (LimitRangeList) SwaggerDoc() map[string]string {
+	return map_LimitRangeList
+}
+
+var map_LimitRangeSpec = map[string]string{
+	"":       "LimitRangeSpec defines a min/max usage limit for resources that match on kind.",
+	"limits": "Limits is the list of LimitRangeItem objects that are enforced.",
+}
+
+func (LimitRangeSpec) SwaggerDoc() map[string]string {
+	return map_LimitRangeSpec
+}
+
+var map_ListOptions = map[string]string{
+	"":                     "ListOptions is the query options to a standard REST list call. DEPRECATED: This type has been moved to meta/v1 and will be removed soon.",
+	"labelSelector":        "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+	"fieldSelector":        "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+	"includeUninitialized": "If true, partially initialized resources are included in the response.",
+	"watch":                "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+	"resourceVersion":      "When specified with a watch call, shows changes that occur after that particular version of a resource. Defaults to changes from the beginning of history. When specified for list: - if unset, then the result is returned from remote storage based on quorum-read flag; - if it's 0, then we simply return what we currently have in cache, no guarantee; - if set to non zero, then the result is at least as fresh as given rv.",
+	"timeoutSeconds":       "Timeout for the list/watch call.",
+}
+
+func (ListOptions) SwaggerDoc() map[string]string {
+	return map_ListOptions
+}
+
+var map_LoadBalancerIngress = map[string]string{
+	"":         "LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.",
+	"ip":       "IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers)",
+	"hostname": "Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers)",
+}
+
+func (LoadBalancerIngress) SwaggerDoc() map[string]string {
+	return map_LoadBalancerIngress
+}
+
+var map_LoadBalancerStatus = map[string]string{
+	"":        "LoadBalancerStatus represents the status of a load-balancer.",
+	"ingress": "Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.",
+}
+
+func (LoadBalancerStatus) SwaggerDoc() map[string]string {
+	return map_LoadBalancerStatus
+}
+
+var map_LocalObjectReference = map[string]string{
+	"":     "LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.",
+	"name": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
+}
+
+func (LocalObjectReference) SwaggerDoc() map[string]string {
+	return map_LocalObjectReference
+}
+
+var map_LocalVolumeSource = map[string]string{
+	"":     "Local represents directly-attached storage with node affinity",
+	"path": "The full path to the volume on the node For alpha, this path must be a directory Once block as a source is supported, then this path can point to a block device",
+}
+
+func (LocalVolumeSource) SwaggerDoc() map[string]string {
+	return map_LocalVolumeSource
+}
+
+var map_NFSVolumeSource = map[string]string{
+	"":         "Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.",
+	"server":   "Server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
+	"path":     "Path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
+	"readOnly": "ReadOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
+}
+
+func (NFSVolumeSource) SwaggerDoc() map[string]string {
+	return map_NFSVolumeSource
+}
+
+var map_Namespace = map[string]string{
+	"":         "Namespace provides a scope for Names. Use of multiple namespaces is optional.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec defines the behavior of the Namespace. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Status describes the current status of a Namespace. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (Namespace) SwaggerDoc() map[string]string {
+	return map_Namespace
+}
+
+var map_NamespaceList = map[string]string{
+	"":         "NamespaceList is a list of Namespaces.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "Items is the list of Namespace objects in the list. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
+}
+
+func (NamespaceList) SwaggerDoc() map[string]string {
+	return map_NamespaceList
+}
+
+var map_NamespaceSpec = map[string]string{
+	"":           "NamespaceSpec describes the attributes on a Namespace.",
+	"finalizers": "Finalizers is an opaque list of values that must be empty to permanently remove object from storage. More info: https://git.k8s.io/community/contributors/design-proposals/namespaces.md#finalizers",
+}
+
+func (NamespaceSpec) SwaggerDoc() map[string]string {
+	return map_NamespaceSpec
+}
+
+var map_NamespaceStatus = map[string]string{
+	"":      "NamespaceStatus is information about the current status of a Namespace.",
+	"phase": "Phase is the current lifecycle phase of the namespace. More info: https://git.k8s.io/community/contributors/design-proposals/namespaces.md#phases",
+}
+
+func (NamespaceStatus) SwaggerDoc() map[string]string {
+	return map_NamespaceStatus
+}
+
+var map_Node = map[string]string{
+	"":         "Node is a worker node in Kubernetes. Each node will have a unique identifier in the cache (i.e. in etcd).",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec defines the behavior of a node. https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Most recently observed status of the node. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (Node) SwaggerDoc() map[string]string {
+	return map_Node
+}
+
+var map_NodeAddress = map[string]string{
+	"":        "NodeAddress contains information for the node's address.",
+	"type":    "Node address type, one of Hostname, ExternalIP or InternalIP.",
+	"address": "The node address.",
+}
+
+func (NodeAddress) SwaggerDoc() map[string]string {
+	return map_NodeAddress
+}
+
+var map_NodeAffinity = map[string]string{
+	"": "Node affinity is a group of node affinity scheduling rules.",
+	"requiredDuringSchedulingIgnoredDuringExecution":  "If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.",
+	"preferredDuringSchedulingIgnoredDuringExecution": "The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.",
+}
+
+func (NodeAffinity) SwaggerDoc() map[string]string {
+	return map_NodeAffinity
+}
+
+var map_NodeCondition = map[string]string{
+	"":                   "NodeCondition contains condition information for a node.",
+	"type":               "Type of node condition.",
+	"status":             "Status of the condition, one of True, False, Unknown.",
+	"lastHeartbeatTime":  "Last time we got an update on a given condition.",
+	"lastTransitionTime": "Last time the condition transit from one status to another.",
+	"reason":             "(brief) reason for the condition's last transition.",
+	"message":            "Human readable message indicating details about last transition.",
+}
+
+func (NodeCondition) SwaggerDoc() map[string]string {
+	return map_NodeCondition
+}
+
+var map_NodeConfigSource = map[string]string{
+	"": "NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil.",
+}
+
+func (NodeConfigSource) SwaggerDoc() map[string]string {
+	return map_NodeConfigSource
+}
+
+var map_NodeDaemonEndpoints = map[string]string{
+	"":                "NodeDaemonEndpoints lists ports opened by daemons running on the Node.",
+	"kubeletEndpoint": "Endpoint on which Kubelet is listening.",
+}
+
+func (NodeDaemonEndpoints) SwaggerDoc() map[string]string {
+	return map_NodeDaemonEndpoints
+}
+
+var map_NodeList = map[string]string{
+	"":         "NodeList is the whole list of all Nodes which have been registered with master.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of nodes",
+}
+
+func (NodeList) SwaggerDoc() map[string]string {
+	return map_NodeList
+}
+
+var map_NodeProxyOptions = map[string]string{
+	"":     "NodeProxyOptions is the query options to a Node's proxy call.",
+	"path": "Path is the URL path to use for the current proxy request to node.",
+}
+
+func (NodeProxyOptions) SwaggerDoc() map[string]string {
+	return map_NodeProxyOptions
+}
+
+var map_NodeResources = map[string]string{
+	"":         "NodeResources is an object for conveying resource information about a node. see http://releases.k8s.io/HEAD/docs/design/resources.md for more details.",
+	"Capacity": "Capacity represents the available resources of a node",
+}
+
+func (NodeResources) SwaggerDoc() map[string]string {
+	return map_NodeResources
+}
+
+var map_NodeSelector = map[string]string{
+	"":                  "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.",
+	"nodeSelectorTerms": "Required. A list of node selector terms. The terms are ORed.",
+}
+
+func (NodeSelector) SwaggerDoc() map[string]string {
+	return map_NodeSelector
+}
+
+var map_NodeSelectorRequirement = map[string]string{
+	"":         "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.",
+	"key":      "The label key that the selector applies to.",
+	"operator": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.",
+	"values":   "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.",
+}
+
+func (NodeSelectorRequirement) SwaggerDoc() map[string]string {
+	return map_NodeSelectorRequirement
+}
+
+var map_NodeSelectorTerm = map[string]string{
+	"":                 "A null or empty node selector term matches no objects.",
+	"matchExpressions": "Required. A list of node selector requirements. The requirements are ANDed.",
+}
+
+func (NodeSelectorTerm) SwaggerDoc() map[string]string {
+	return map_NodeSelectorTerm
+}
+
+var map_NodeSpec = map[string]string{
+	"":              "NodeSpec describes the attributes that a node is created with.",
+	"podCIDR":       "PodCIDR represents the pod IP range assigned to the node.",
+	"externalID":    "External ID of the node assigned by some machine database (e.g. a cloud provider). Deprecated.",
+	"providerID":    "ID of the node assigned by the cloud provider in the format: <ProviderName>://<ProviderSpecificNodeID>",
+	"unschedulable": "Unschedulable controls node schedulability of new pods. By default, node is schedulable. More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration",
+	"taints":        "If specified, the node's taints.",
+	"configSource":  "If specified, the source to get node configuration from The DynamicKubeletConfig feature gate must be enabled for the Kubelet to use this field",
+}
+
+func (NodeSpec) SwaggerDoc() map[string]string {
+	return map_NodeSpec
+}
+
+var map_NodeStatus = map[string]string{
+	"":                "NodeStatus is information about the current status of a node.",
+	"capacity":        "Capacity represents the total resources of a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity",
+	"allocatable":     "Allocatable represents the resources of a node that are available for scheduling. Defaults to Capacity.",
+	"phase":           "NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.",
+	"conditions":      "Conditions is an array of current observed node conditions. More info: https://kubernetes.io/docs/concepts/nodes/node/#condition",
+	"addresses":       "List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses",
+	"daemonEndpoints": "Endpoints of daemons running on the Node.",
+	"nodeInfo":        "Set of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#info",
+	"images":          "List of container images on this node",
+	"volumesInUse":    "List of attachable volumes in use (mounted) by the node.",
+	"volumesAttached": "List of volumes that are attached to the node.",
+}
+
+func (NodeStatus) SwaggerDoc() map[string]string {
+	return map_NodeStatus
+}
+
+var map_NodeSystemInfo = map[string]string{
+	"":                        "NodeSystemInfo is a set of ids/uuids to uniquely identify the node.",
+	"machineID":               "MachineID reported by the node. For unique machine identification in the cluster this field is preferred. Learn more from man(5) machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html",
+	"systemUUID":              "SystemUUID reported by the node. For unique machine identification MachineID is preferred. This field is specific to Red Hat hosts https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html/RHSM/getting-system-uuid.html",
+	"bootID":                  "Boot ID reported by the node.",
+	"kernelVersion":           "Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).",
+	"osImage":                 "OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)).",
+	"containerRuntimeVersion": "ContainerRuntime Version reported by the node through runtime remote API (e.g. docker://1.5.0).",
+	"kubeletVersion":          "Kubelet Version reported by the node.",
+	"kubeProxyVersion":        "KubeProxy Version reported by the node.",
+	"operatingSystem":         "The Operating System reported by the node",
+	"architecture":            "The Architecture reported by the node",
+}
+
+func (NodeSystemInfo) SwaggerDoc() map[string]string {
+	return map_NodeSystemInfo
+}
+
+var map_ObjectFieldSelector = map[string]string{
+	"":           "ObjectFieldSelector selects an APIVersioned field of an object.",
+	"apiVersion": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".",
+	"fieldPath":  "Path of the field to select in the specified API version.",
+}
+
+func (ObjectFieldSelector) SwaggerDoc() map[string]string {
+	return map_ObjectFieldSelector
+}
+
+var map_ObjectMeta = map[string]string{
+	"":                           "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create. DEPRECATED: Use k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta instead - this type will be removed soon.",
+	"name":                       "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
+	"generateName":               "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency",
+	"namespace":                  "Namespace defines the space within each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
+	"selfLink":                   "SelfLink is a URL representing this object. Populated by the system. Read-only.",
+	"uid":                        "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids",
+	"resourceVersion":            "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency",
+	"generation":                 "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.",
+	"creationTimestamp":          "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"deletionTimestamp":          "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field. Once set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"deletionGracePeriodSeconds": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.",
+	"labels":                     "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/",
+	"annotations":                "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/",
+	"ownerReferences":            "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.",
+	"initializers":               "An initializer is a controller which enforces some system invariant at object creation time. This field is a list of initializers that have not yet acted on this object. If nil or empty, this object has been completely initialized. Otherwise, the object is considered uninitialized and is hidden (in list/watch and get calls) from clients that haven't explicitly asked to observe uninitialized objects.\n\nWhen an object is created, the system will populate this list with the current set of initializers. Only privileged users may set or modify this list. Once it is empty, it may not be modified further by any user.",
+	"finalizers":                 "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.",
+	"clusterName":                "The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.",
+}
+
+func (ObjectMeta) SwaggerDoc() map[string]string {
+	return map_ObjectMeta
+}
+
+var map_ObjectReference = map[string]string{
+	"":                "ObjectReference contains enough information to let you inspect or modify the referred object.",
+	"kind":            "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"namespace":       "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
+	"name":            "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
+	"uid":             "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids",
+	"apiVersion":      "API version of the referent.",
+	"resourceVersion": "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency",
+	"fieldPath":       "If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.",
+}
+
+func (ObjectReference) SwaggerDoc() map[string]string {
+	return map_ObjectReference
+}
+
+var map_PersistentVolume = map[string]string{
+	"":         "PersistentVolume (PV) is a storage resource provisioned by an administrator. It is analogous to a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec defines a specification of a persistent volume owned by the cluster. Provisioned by an administrator. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes",
+	"status":   "Status represents the current information/status for the persistent volume. Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes",
+}
+
+func (PersistentVolume) SwaggerDoc() map[string]string {
+	return map_PersistentVolume
+}
+
+var map_PersistentVolumeClaim = map[string]string{
+	"":         "PersistentVolumeClaim is a user's request for and claim to a persistent volume",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims",
+	"status":   "Status represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims",
+}
+
+func (PersistentVolumeClaim) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeClaim
+}
+
+var map_PersistentVolumeClaimCondition = map[string]string{
+	"":                   "PersistentVolumeClaimCondition contails details about state of pvc",
+	"lastProbeTime":      "Last time we probed the condition.",
+	"lastTransitionTime": "Last time the condition transitioned from one status to another.",
+	"reason":             "Unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports \"ResizeStarted\" that means the underlying persistent volume is being resized.",
+	"message":            "Human-readable message indicating details about last transition.",
+}
+
+func (PersistentVolumeClaimCondition) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeClaimCondition
+}
+
+var map_PersistentVolumeClaimList = map[string]string{
+	"":         "PersistentVolumeClaimList is a list of PersistentVolumeClaim items.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "A list of persistent volume claims. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims",
+}
+
+func (PersistentVolumeClaimList) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeClaimList
+}
+
+var map_PersistentVolumeClaimSpec = map[string]string{
+	"":                 "PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes",
+	"accessModes":      "AccessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1",
+	"selector":         "A label query over volumes to consider for binding.",
+	"resources":        "Resources represents the minimum resources the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources",
+	"volumeName":       "VolumeName is the binding reference to the PersistentVolume backing this claim.",
+	"storageClassName": "Name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1",
+}
+
+func (PersistentVolumeClaimSpec) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeClaimSpec
+}
+
+var map_PersistentVolumeClaimStatus = map[string]string{
+	"":            "PersistentVolumeClaimStatus is the current status of a persistent volume claim.",
+	"phase":       "Phase represents the current phase of PersistentVolumeClaim.",
+	"accessModes": "AccessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1",
+	"capacity":    "Represents the actual resources of the underlying volume.",
+	"conditions":  "Current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'ResizeStarted'.",
+}
+
+func (PersistentVolumeClaimStatus) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeClaimStatus
+}
+
+var map_PersistentVolumeClaimVolumeSource = map[string]string{
+	"":          "PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).",
+	"claimName": "ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims",
+	"readOnly":  "Will force the ReadOnly setting in VolumeMounts. Default false.",
+}
+
+func (PersistentVolumeClaimVolumeSource) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeClaimVolumeSource
+}
+
+var map_PersistentVolumeList = map[string]string{
+	"":         "PersistentVolumeList is a list of PersistentVolume items.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of persistent volumes. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes",
+}
+
+func (PersistentVolumeList) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeList
+}
+
+var map_PersistentVolumeSource = map[string]string{
+	"":                     "PersistentVolumeSource is similar to VolumeSource but meant for the administrator who creates PVs. Exactly one of its members must be set.",
+	"gcePersistentDisk":    "GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
+	"awsElasticBlockStore": "AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore",
+	"hostPath":             "HostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath",
+	"glusterfs":            "Glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md",
+	"nfs":                  "NFS represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
+	"rbd":                  "RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md",
+	"iscsi":                "ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.",
+	"cinder":               "Cinder represents a cinder volume attached and mounted on kubelets host machine More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"cephfs":               "CephFS represents a Ceph FS mount on the host that shares a pod's lifetime",
+	"fc":                   "FC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.",
+	"flocker":              "Flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running",
+	"flexVolume":           "FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. This is an alpha feature and may change in future.",
+	"azureFile":            "AzureFile represents an Azure File Service mount on the host and bind mount to the pod.",
+	"vsphereVolume":        "VsphereVolume represents a vSphere volume attached and mounted on kubelets host machine",
+	"quobyte":              "Quobyte represents a Quobyte mount on the host that shares a pod's lifetime",
+	"azureDisk":            "AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.",
+	"photonPersistentDisk": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine",
+	"portworxVolume":       "PortworxVolume represents a portworx volume attached and mounted on kubelets host machine",
+	"scaleIO":              "ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.",
+	"local":                "Local represents directly-attached storage with node affinity",
+	"storageos":            "StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://releases.k8s.io/HEAD/examples/volumes/storageos/README.md",
+}
+
+func (PersistentVolumeSource) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeSource
+}
+
+var map_PersistentVolumeSpec = map[string]string{
+	"":                              "PersistentVolumeSpec is the specification of a persistent volume.",
+	"capacity":                      "A description of the persistent volume's resources and capacity. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity",
+	"accessModes":                   "AccessModes contains all ways the volume can be mounted. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes",
+	"claimRef":                      "ClaimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding",
+	"persistentVolumeReclaimPolicy": "What happens to a persistent volume when released from its claim. Valid options are Retain (default) and Recycle. Recycling must be supported by the volume plugin underlying this persistent volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming",
+	"storageClassName":              "Name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.",
+	"mountOptions":                  "A list of mount options, e.g. [\"ro\", \"soft\"]. Not validated - mount will simply fail if one is invalid. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options",
+}
+
+func (PersistentVolumeSpec) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeSpec
+}
+
+var map_PersistentVolumeStatus = map[string]string{
+	"":        "PersistentVolumeStatus is the current status of a persistent volume.",
+	"phase":   "Phase indicates if a volume is available, bound to a claim, or released by a claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase",
+	"message": "A human-readable message indicating details about why the volume is in this state.",
+	"reason":  "Reason is a brief CamelCase string that describes any failure and is meant for machine parsing and tidy display in the CLI.",
+}
+
+func (PersistentVolumeStatus) SwaggerDoc() map[string]string {
+	return map_PersistentVolumeStatus
+}
+
+var map_PhotonPersistentDiskVolumeSource = map[string]string{
+	"":       "Represents a Photon Controller persistent disk resource.",
+	"pdID":   "ID that identifies Photon Controller persistent disk",
+	"fsType": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.",
+}
+
+func (PhotonPersistentDiskVolumeSource) SwaggerDoc() map[string]string {
+	return map_PhotonPersistentDiskVolumeSource
+}
+
+var map_Pod = map[string]string{
+	"":         "Pod is a collection of containers that can run on a host. This resource is created by clients and scheduled onto hosts.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Most recently observed status of the pod. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (Pod) SwaggerDoc() map[string]string {
+	return map_Pod
+}
+
+var map_PodAffinity = map[string]string{
+	"": "Pod affinity is a group of inter pod affinity scheduling rules.",
+	"requiredDuringSchedulingIgnoredDuringExecution":  "If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.",
+	"preferredDuringSchedulingIgnoredDuringExecution": "The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.",
+}
+
+func (PodAffinity) SwaggerDoc() map[string]string {
+	return map_PodAffinity
+}
+
+var map_PodAffinityTerm = map[string]string{
+	"":              "Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> tches that of any node on which a pod of the set of pods is running",
+	"labelSelector": "A label query over a set of resources, in this case pods.",
+	"namespaces":    "namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\"",
+	"topologyKey":   "This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. For PreferredDuringScheduling pod anti-affinity, empty topologyKey is interpreted as \"all topologies\" (\"all topologies\" here means all the topologyKeys indicated by scheduler command-line argument --failure-domains); for affinity and for RequiredDuringScheduling pod anti-affinity, empty topologyKey is not allowed.",
+}
+
+func (PodAffinityTerm) SwaggerDoc() map[string]string {
+	return map_PodAffinityTerm
+}
+
+var map_PodAntiAffinity = map[string]string{
+	"": "Pod anti affinity is a group of inter pod anti affinity scheduling rules.",
+	"requiredDuringSchedulingIgnoredDuringExecution":  "If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.",
+	"preferredDuringSchedulingIgnoredDuringExecution": "The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.",
+}
+
+func (PodAntiAffinity) SwaggerDoc() map[string]string {
+	return map_PodAntiAffinity
+}
+
+var map_PodAttachOptions = map[string]string{
+	"":          "PodAttachOptions is the query options to a Pod's remote attach call.",
+	"stdin":     "Stdin if true, redirects the standard input stream of the pod for this call. Defaults to false.",
+	"stdout":    "Stdout if true indicates that stdout is to be redirected for the attach call. Defaults to true.",
+	"stderr":    "Stderr if true indicates that stderr is to be redirected for the attach call. Defaults to true.",
+	"tty":       "TTY if true indicates that a tty will be allocated for the attach call. This is passed through the container runtime so the tty is allocated on the worker node by the container runtime. Defaults to false.",
+	"container": "The container in which to execute the command. Defaults to only container if there is only one container in the pod.",
+}
+
+func (PodAttachOptions) SwaggerDoc() map[string]string {
+	return map_PodAttachOptions
+}
+
+var map_PodCondition = map[string]string{
+	"":                   "PodCondition contains details for the current condition of this pod.",
+	"type":               "Type is the type of the condition. Currently only Ready. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions",
+	"status":             "Status is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions",
+	"lastProbeTime":      "Last time we probed the condition.",
+	"lastTransitionTime": "Last time the condition transitioned from one status to another.",
+	"reason":             "Unique, one-word, CamelCase reason for the condition's last transition.",
+	"message":            "Human-readable message indicating details about last transition.",
+}
+
+func (PodCondition) SwaggerDoc() map[string]string {
+	return map_PodCondition
+}
+
+var map_PodExecOptions = map[string]string{
+	"":          "PodExecOptions is the query options to a Pod's remote exec call.",
+	"stdin":     "Redirect the standard input stream of the pod for this call. Defaults to false.",
+	"stdout":    "Redirect the standard output stream of the pod for this call. Defaults to true.",
+	"stderr":    "Redirect the standard error stream of the pod for this call. Defaults to true.",
+	"tty":       "TTY if true indicates that a tty will be allocated for the exec call. Defaults to false.",
+	"container": "Container in which to execute the command. Defaults to only container if there is only one container in the pod.",
+	"command":   "Command is the remote command to execute. argv array. Not executed within a shell.",
+}
+
+func (PodExecOptions) SwaggerDoc() map[string]string {
+	return map_PodExecOptions
+}
+
+var map_PodList = map[string]string{
+	"":         "PodList is a list of Pods.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of pods. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md",
+}
+
+func (PodList) SwaggerDoc() map[string]string {
+	return map_PodList
+}
+
+var map_PodLogOptions = map[string]string{
+	"":             "PodLogOptions is the query options for a Pod's logs REST call.",
+	"container":    "The container for which to stream logs. Defaults to only container if there is one container in the pod.",
+	"follow":       "Follow the log stream of the pod. Defaults to false.",
+	"previous":     "Return previous terminated container logs. Defaults to false.",
+	"sinceSeconds": "A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned. Only one of sinceSeconds or sinceTime may be specified.",
+	"sinceTime":    "An RFC3339 timestamp from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned. Only one of sinceSeconds or sinceTime may be specified.",
+	"timestamps":   "If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line of log output. Defaults to false.",
+	"tailLines":    "If set, the number of lines from the end of the logs to show. If not specified, logs are shown from the creation of the container or sinceSeconds or sinceTime",
+	"limitBytes":   "If set, the number of bytes to read from the server before terminating the log output. This may not display a complete final line of logging, and may return slightly more or slightly less than the specified limit.",
+}
+
+func (PodLogOptions) SwaggerDoc() map[string]string {
+	return map_PodLogOptions
+}
+
+var map_PodPortForwardOptions = map[string]string{
+	"":      "PodPortForwardOptions is the query options to a Pod's port forward call when using WebSockets. The `port` query parameter must specify the port or ports (comma separated) to forward over. Port forwarding over SPDY does not use these options. It requires the port to be passed in the `port` header as part of request.",
+	"ports": "List of ports to forward Required when using WebSockets",
+}
+
+func (PodPortForwardOptions) SwaggerDoc() map[string]string {
+	return map_PodPortForwardOptions
+}
+
+var map_PodProxyOptions = map[string]string{
+	"":     "PodProxyOptions is the query options to a Pod's proxy call.",
+	"path": "Path is the URL path to use for the current proxy request to pod.",
+}
+
+func (PodProxyOptions) SwaggerDoc() map[string]string {
+	return map_PodProxyOptions
+}
+
+var map_PodSecurityContext = map[string]string{
+	"":                   "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext.  Field values of container.securityContext take precedence over field values of PodSecurityContext.",
+	"seLinuxOptions":     "The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.",
+	"runAsUser":          "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.",
+	"runAsNonRoot":       "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+	"supplementalGroups": "A list of groups applied to the first process run in each container, in addition to the container's primary GID.  If unspecified, no groups will be added to any container.",
+	"fsGroup":            "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw ",
+}
+
+func (PodSecurityContext) SwaggerDoc() map[string]string {
+	return map_PodSecurityContext
+}
+
+var map_PodSignature = map[string]string{
+	"":              "Describes the class of pods that should avoid this node. Exactly one field should be set.",
+	"podController": "Reference to controller whose pods should avoid this node.",
+}
+
+func (PodSignature) SwaggerDoc() map[string]string {
+	return map_PodSignature
+}
+
+var map_PodSpec = map[string]string{
+	"":                              "PodSpec is a description of a pod.",
+	"volumes":                       "List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes",
+	"initContainers":                "List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, or Liveness probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/",
+	"containers":                    "List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.",
+	"restartPolicy":                 "Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy",
+	"terminationGracePeriodSeconds": "Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.",
+	"activeDeadlineSeconds":         "Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.",
+	"dnsPolicy":                     "Set DNS policy for containers within the pod. One of 'ClusterFirstWithHostNet', 'ClusterFirst' or 'Default'. Defaults to \"ClusterFirst\". To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.",
+	"nodeSelector":                  "NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/",
+	"serviceAccountName":            "ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
+	"serviceAccount":                "DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.",
+	"automountServiceAccountToken":  "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.",
+	"nodeName":                      "NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.",
+	"hostNetwork":                   "Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.",
+	"hostPID":                       "Use the host's pid namespace. Optional: Default to false.",
+	"hostIPC":                       "Use the host's ipc namespace. Optional: Default to false.",
+	"securityContext":               "SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty.  See type description for default values of each field.",
+	"imagePullSecrets":              "ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod",
+	"hostname":                      "Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.",
+	"subdomain":                     "If specified, the fully qualified Pod hostname will be \"<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>\". If not specified, the pod will not have a domainname at all.",
+	"affinity":                      "If specified, the pod's scheduling constraints",
+	"schedulerName":                 "If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.",
+	"tolerations":                   "If specified, the pod's tolerations.",
+	"hostAliases":                   "HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods.",
+	"priorityClassName":             "If specified, indicates the pod's priority. \"SYSTEM\" is a special keyword which indicates the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.",
+	"priority":                      "The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.",
+}
+
+func (PodSpec) SwaggerDoc() map[string]string {
+	return map_PodSpec
+}
+
+var map_PodStatus = map[string]string{
+	"":                      "PodStatus represents information about the status of a pod. Status may trail the actual state of a system.",
+	"phase":                 "Current condition of the pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase",
+	"conditions":            "Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions",
+	"message":               "A human readable message indicating details about why the pod is in this condition.",
+	"reason":                "A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'",
+	"hostIP":                "IP address of the host to which the pod is assigned. Empty if not yet scheduled.",
+	"podIP":                 "IP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated.",
+	"startTime":             "RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod.",
+	"initContainerStatuses": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status",
+	"containerStatuses":     "The list has one entry per container in the manifest. Each entry is currently the output of `docker inspect`. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status",
+	"qosClass":              "The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://github.com/kubernetes/kubernetes/blob/master/docs/design/resource-qos.md",
+}
+
+func (PodStatus) SwaggerDoc() map[string]string {
+	return map_PodStatus
+}
+
+var map_PodStatusResult = map[string]string{
+	"":         "PodStatusResult is a wrapper for PodStatus returned by kubelet that can be encode/decoded",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"status":   "Most recently observed status of the pod. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (PodStatusResult) SwaggerDoc() map[string]string {
+	return map_PodStatusResult
+}
+
+var map_PodTemplate = map[string]string{
+	"":         "PodTemplate describes a template for creating copies of a predefined pod.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"template": "Template defines the pods that will be created from this pod template. https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (PodTemplate) SwaggerDoc() map[string]string {
+	return map_PodTemplate
+}
+
+var map_PodTemplateList = map[string]string{
+	"":         "PodTemplateList is a list of PodTemplates.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of pod templates",
+}
+
+func (PodTemplateList) SwaggerDoc() map[string]string {
+	return map_PodTemplateList
+}
+
+var map_PodTemplateSpec = map[string]string{
+	"":         "PodTemplateSpec describes the data a pod should have when created from a template",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (PodTemplateSpec) SwaggerDoc() map[string]string {
+	return map_PodTemplateSpec
+}
+
+var map_PortworxVolumeSource = map[string]string{
+	"":         "PortworxVolumeSource represents a Portworx volume resource.",
+	"volumeID": "VolumeID uniquely identifies a Portworx volume",
+	"fsType":   "FSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.",
+	"readOnly": "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
+}
+
+func (PortworxVolumeSource) SwaggerDoc() map[string]string {
+	return map_PortworxVolumeSource
+}
+
+var map_Preconditions = map[string]string{
+	"":    "Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.",
+	"uid": "Specifies the target UID.",
+}
+
+func (Preconditions) SwaggerDoc() map[string]string {
+	return map_Preconditions
+}
+
+var map_PreferAvoidPodsEntry = map[string]string{
+	"":             "Describes a class of pods that should avoid this node.",
+	"podSignature": "The class of pods.",
+	"evictionTime": "Time at which this entry was added to the list.",
+	"reason":       "(brief) reason why this entry was added to the list.",
+	"message":      "Human readable message indicating why this entry was added to the list.",
+}
+
+func (PreferAvoidPodsEntry) SwaggerDoc() map[string]string {
+	return map_PreferAvoidPodsEntry
+}
+
+var map_PreferredSchedulingTerm = map[string]string{
+	"":           "An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).",
+	"weight":     "Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.",
+	"preference": "A node selector term, associated with the corresponding weight.",
+}
+
+func (PreferredSchedulingTerm) SwaggerDoc() map[string]string {
+	return map_PreferredSchedulingTerm
+}
+
+var map_Probe = map[string]string{
+	"": "Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.",
+	"initialDelaySeconds": "Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
+	"timeoutSeconds":      "Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes",
+	"periodSeconds":       "How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.",
+	"successThreshold":    "Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1.",
+	"failureThreshold":    "Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.",
+}
+
+func (Probe) SwaggerDoc() map[string]string {
+	return map_Probe
+}
+
+var map_ProjectedVolumeSource = map[string]string{
+	"":            "Represents a projected volume source",
+	"sources":     "list of volume projections",
+	"defaultMode": "Mode bits to use on created files by default. Must be a value between 0 and 0777. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.",
+}
+
+func (ProjectedVolumeSource) SwaggerDoc() map[string]string {
+	return map_ProjectedVolumeSource
+}
+
+var map_QuobyteVolumeSource = map[string]string{
+	"":         "Represents a Quobyte mount that lasts the lifetime of a pod. Quobyte volumes do not support ownership management or SELinux relabeling.",
+	"registry": "Registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes",
+	"volume":   "Volume is a string that references an already created Quobyte volume by name.",
+	"readOnly": "ReadOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.",
+	"user":     "User to map volume access to Defaults to serivceaccount user",
+	"group":    "Group to map volume access to Default is no group",
+}
+
+func (QuobyteVolumeSource) SwaggerDoc() map[string]string {
+	return map_QuobyteVolumeSource
+}
+
+var map_RBDVolumeSource = map[string]string{
+	"":          "Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.",
+	"monitors":  "A collection of Ceph monitors. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"image":     "The rados image name. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"fsType":    "Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd",
+	"pool":      "The rados pool name. Default is rbd. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"user":      "The rados user name. Default is admin. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"keyring":   "Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"secretRef": "SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+	"readOnly":  "ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md#how-to-use-it",
+}
+
+func (RBDVolumeSource) SwaggerDoc() map[string]string {
+	return map_RBDVolumeSource
+}
+
+var map_RangeAllocation = map[string]string{
+	"":         "RangeAllocation is not a public type.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"range":    "Range is string that identifies the range represented by 'data'.",
+	"data":     "Data is a bit array containing all allocated addresses in the previous segment.",
+}
+
+func (RangeAllocation) SwaggerDoc() map[string]string {
+	return map_RangeAllocation
+}
+
+var map_ReplicationController = map[string]string{
+	"":         "ReplicationController represents the configuration of a replication controller.",
+	"metadata": "If the Labels of a ReplicationController are empty, they are defaulted to be the same as the Pod(s) that the replication controller manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec defines the specification of the desired behavior of the replication controller. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Status is the most recently observed status of the replication controller. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (ReplicationController) SwaggerDoc() map[string]string {
+	return map_ReplicationController
+}
+
+var map_ReplicationControllerCondition = map[string]string{
+	"":                   "ReplicationControllerCondition describes the state of a replication controller at a certain point.",
+	"type":               "Type of replication controller condition.",
+	"status":             "Status of the condition, one of True, False, Unknown.",
+	"lastTransitionTime": "The last time the condition transitioned from one status to another.",
+	"reason":             "The reason for the condition's last transition.",
+	"message":            "A human readable message indicating details about the transition.",
+}
+
+func (ReplicationControllerCondition) SwaggerDoc() map[string]string {
+	return map_ReplicationControllerCondition
+}
+
+var map_ReplicationControllerList = map[string]string{
+	"":         "ReplicationControllerList is a collection of replication controllers.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of replication controllers. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller",
+}
+
+func (ReplicationControllerList) SwaggerDoc() map[string]string {
+	return map_ReplicationControllerList
+}
+
+var map_ReplicationControllerSpec = map[string]string{
+	"":                "ReplicationControllerSpec is the specification of a replication controller.",
+	"replicas":        "Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller",
+	"minReadySeconds": "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)",
+	"selector":        "Selector is a label query over pods that should match the Replicas count. If Selector is empty, it is defaulted to the labels present on the Pod template. Label keys and values that must match in order to be controlled by this replication controller, if empty defaulted to labels on Pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+	"template":        "Template is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template",
+}
+
+func (ReplicationControllerSpec) SwaggerDoc() map[string]string {
+	return map_ReplicationControllerSpec
+}
+
+var map_ReplicationControllerStatus = map[string]string{
+	"":                     "ReplicationControllerStatus represents the current status of a replication controller.",
+	"replicas":             "Replicas is the most recently oberved number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller",
+	"fullyLabeledReplicas": "The number of pods that have labels matching the labels of the pod template of the replication controller.",
+	"readyReplicas":        "The number of ready replicas for this replication controller.",
+	"availableReplicas":    "The number of available replicas (ready for at least minReadySeconds) for this replication controller.",
+	"observedGeneration":   "ObservedGeneration reflects the generation of the most recently observed replication controller.",
+	"conditions":           "Represents the latest available observations of a replication controller's current state.",
+}
+
+func (ReplicationControllerStatus) SwaggerDoc() map[string]string {
+	return map_ReplicationControllerStatus
+}
+
+var map_ResourceFieldSelector = map[string]string{
+	"":              "ResourceFieldSelector represents container resources (cpu, memory) and their output format",
+	"containerName": "Container name: required for volumes, optional for env vars",
+	"resource":      "Required: resource to select",
+	"divisor":       "Specifies the output format of the exposed resources, defaults to \"1\"",
+}
+
+func (ResourceFieldSelector) SwaggerDoc() map[string]string {
+	return map_ResourceFieldSelector
+}
+
+var map_ResourceQuota = map[string]string{
+	"":         "ResourceQuota sets aggregate quota restrictions enforced per namespace",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec defines the desired quota. https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Status defines the actual enforced quota and its current usage. https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (ResourceQuota) SwaggerDoc() map[string]string {
+	return map_ResourceQuota
+}
+
+var map_ResourceQuotaList = map[string]string{
+	"":         "ResourceQuotaList is a list of ResourceQuota items.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "Items is a list of ResourceQuota objects. More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_resource_quota.md",
+}
+
+func (ResourceQuotaList) SwaggerDoc() map[string]string {
+	return map_ResourceQuotaList
+}
+
+var map_ResourceQuotaSpec = map[string]string{
+	"":       "ResourceQuotaSpec defines the desired hard limits to enforce for Quota.",
+	"hard":   "Hard is the set of desired hard limits for each named resource. More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_resource_quota.md",
+	"scopes": "A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.",
+}
+
+func (ResourceQuotaSpec) SwaggerDoc() map[string]string {
+	return map_ResourceQuotaSpec
+}
+
+var map_ResourceQuotaStatus = map[string]string{
+	"":     "ResourceQuotaStatus defines the enforced hard limits and observed use.",
+	"hard": "Hard is the set of enforced hard limits for each named resource. More info: https://git.k8s.io/community/contributors/design-proposals/admission_control_resource_quota.md",
+	"used": "Used is the current observed total usage of the resource in the namespace.",
+}
+
+func (ResourceQuotaStatus) SwaggerDoc() map[string]string {
+	return map_ResourceQuotaStatus
+}
+
+var map_ResourceRequirements = map[string]string{
+	"":         "ResourceRequirements describes the compute resource requirements.",
+	"limits":   "Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/",
+	"requests": "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/",
+}
+
+func (ResourceRequirements) SwaggerDoc() map[string]string {
+	return map_ResourceRequirements
+}
+
+var map_SELinuxOptions = map[string]string{
+	"":      "SELinuxOptions are the labels to be applied to the container",
+	"user":  "User is a SELinux user label that applies to the container.",
+	"role":  "Role is a SELinux role label that applies to the container.",
+	"type":  "Type is a SELinux type label that applies to the container.",
+	"level": "Level is SELinux level label that applies to the container.",
+}
+
+func (SELinuxOptions) SwaggerDoc() map[string]string {
+	return map_SELinuxOptions
+}
+
+var map_ScaleIOPersistentVolumeSource = map[string]string{
+	"":                 "ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume",
+	"gateway":          "The host address of the ScaleIO API Gateway.",
+	"system":           "The name of the storage system as configured in ScaleIO.",
+	"secretRef":        "SecretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.",
+	"sslEnabled":       "Flag to enable/disable SSL communication with Gateway, default false",
+	"protectionDomain": "The name of the ScaleIO Protection Domain for the configured storage.",
+	"storagePool":      "The ScaleIO Storage Pool associated with the protection domain.",
+	"storageMode":      "Indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.",
+	"volumeName":       "The name of a volume already created in the ScaleIO system that is associated with this volume source.",
+	"fsType":           "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.",
+	"readOnly":         "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
+}
+
+func (ScaleIOPersistentVolumeSource) SwaggerDoc() map[string]string {
+	return map_ScaleIOPersistentVolumeSource
+}
+
+var map_ScaleIOVolumeSource = map[string]string{
+	"":                 "ScaleIOVolumeSource represents a persistent ScaleIO volume",
+	"gateway":          "The host address of the ScaleIO API Gateway.",
+	"system":           "The name of the storage system as configured in ScaleIO.",
+	"secretRef":        "SecretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.",
+	"sslEnabled":       "Flag to enable/disable SSL communication with Gateway, default false",
+	"protectionDomain": "The name of the ScaleIO Protection Domain for the configured storage.",
+	"storagePool":      "The ScaleIO Storage Pool associated with the protection domain.",
+	"storageMode":      "Indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.",
+	"volumeName":       "The name of a volume already created in the ScaleIO system that is associated with this volume source.",
+	"fsType":           "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.",
+	"readOnly":         "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
+}
+
+func (ScaleIOVolumeSource) SwaggerDoc() map[string]string {
+	return map_ScaleIOVolumeSource
+}
+
+var map_Secret = map[string]string{
+	"":           "Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes.",
+	"metadata":   "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"data":       "Data contains the secret data. Each key must consist of alphanumeric characters, '-', '_' or '.'. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here. Described in https://tools.ietf.org/html/rfc4648#section-4",
+	"stringData": "stringData allows specifying non-binary secret data in string form. It is provided as a write-only convenience method. All keys and values are merged into the data field on write, overwriting any existing values. It is never output when reading from the API.",
+	"type":       "Used to facilitate programmatic handling of secret data.",
+}
+
+func (Secret) SwaggerDoc() map[string]string {
+	return map_Secret
+}
+
+var map_SecretEnvSource = map[string]string{
+	"":         "SecretEnvSource selects a Secret to populate the environment variables with.\n\nThe contents of the target Secret's Data field will represent the key-value pairs as environment variables.",
+	"optional": "Specify whether the Secret must be defined",
+}
+
+func (SecretEnvSource) SwaggerDoc() map[string]string {
+	return map_SecretEnvSource
+}
+
+var map_SecretKeySelector = map[string]string{
+	"":         "SecretKeySelector selects a key of a Secret.",
+	"key":      "The key of the secret to select from.  Must be a valid secret key.",
+	"optional": "Specify whether the Secret or it's key must be defined",
+}
+
+func (SecretKeySelector) SwaggerDoc() map[string]string {
+	return map_SecretKeySelector
+}
+
+var map_SecretList = map[string]string{
+	"":         "SecretList is a list of Secret.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "Items is a list of secret objects. More info: https://kubernetes.io/docs/concepts/configuration/secret",
+}
+
+func (SecretList) SwaggerDoc() map[string]string {
+	return map_SecretList
+}
+
+var map_SecretProjection = map[string]string{
+	"":         "Adapts a secret into a projected volume.\n\nThe contents of the target Secret's Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.",
+	"items":    "If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.",
+	"optional": "Specify whether the Secret or its key must be defined",
+}
+
+func (SecretProjection) SwaggerDoc() map[string]string {
+	return map_SecretProjection
+}
+
+var map_SecretReference = map[string]string{
+	"":          "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace",
+	"name":      "Name is unique within a namespace to reference a secret resource.",
+	"namespace": "Namespace defines the space within which the secret name must be unique.",
+}
+
+func (SecretReference) SwaggerDoc() map[string]string {
+	return map_SecretReference
+}
+
+var map_SecretVolumeSource = map[string]string{
+	"":            "Adapts a Secret into a volume.\n\nThe contents of the target Secret's Data field will be presented in a volume as files using the keys in the Data field as the file names. Secret volumes support ownership management and SELinux relabeling.",
+	"secretName":  "Name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret",
+	"items":       "If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.",
+	"defaultMode": "Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.",
+	"optional":    "Specify whether the Secret or it's keys must be defined",
+}
+
+func (SecretVolumeSource) SwaggerDoc() map[string]string {
+	return map_SecretVolumeSource
+}
+
+var map_SecurityContext = map[string]string{
+	"":                         "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext.  When both are set, the values in SecurityContext take precedence.",
+	"capabilities":             "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
+	"privileged":               "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.",
+	"seLinuxOptions":           "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container.  May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+	"runAsUser":                "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+	"runAsNonRoot":             "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext.  If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
+	"readOnlyRootFilesystem":   "Whether this container has a read-only root filesystem. Default is false.",
+	"allowPrivilegeEscalation": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
+}
+
+func (SecurityContext) SwaggerDoc() map[string]string {
+	return map_SecurityContext
+}
+
+var map_SerializedReference = map[string]string{
+	"":          "SerializedReference is a reference to serialized object.",
+	"reference": "The reference to an object in the system.",
+}
+
+func (SerializedReference) SwaggerDoc() map[string]string {
+	return map_SerializedReference
+}
+
+var map_Service = map[string]string{
+	"":         "Service is a named abstraction of software service (for example, mysql) consisting of local port (for example 3306) that the proxy listens on, and the selector that determines which pods will answer requests sent through the proxy.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec defines the behavior of a service. https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Most recently observed status of the service. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (Service) SwaggerDoc() map[string]string {
+	return map_Service
+}
+
+var map_ServiceAccount = map[string]string{
+	"":                             "ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets",
+	"metadata":                     "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"secrets":                      "Secrets is the list of secrets allowed to be used by pods running using this ServiceAccount. More info: https://kubernetes.io/docs/concepts/configuration/secret",
+	"imagePullSecrets":             "ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod",
+	"automountServiceAccountToken": "AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. Can be overridden at the pod level.",
+}
+
+func (ServiceAccount) SwaggerDoc() map[string]string {
+	return map_ServiceAccount
+}
+
+var map_ServiceAccountList = map[string]string{
+	"":         "ServiceAccountList is a list of ServiceAccount objects",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of ServiceAccounts. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
+}
+
+func (ServiceAccountList) SwaggerDoc() map[string]string {
+	return map_ServiceAccountList
+}
+
+var map_ServiceList = map[string]string{
+	"":         "ServiceList holds a list of services.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of services",
+}
+
+func (ServiceList) SwaggerDoc() map[string]string {
+	return map_ServiceList
+}
+
+var map_ServicePort = map[string]string{
+	"":           "ServicePort contains information on service's port.",
+	"name":       "The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. This maps to the 'Name' field in EndpointPort objects. Optional if only one ServicePort is defined on this service.",
+	"protocol":   "The IP protocol for this port. Supports \"TCP\" and \"UDP\". Default is TCP.",
+	"port":       "The port that will be exposed by this service.",
+	"targetPort": "Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod's container ports. If this is not specified, the value of the 'port' field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the 'port' field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service",
+	"nodePort":   "The port on each node on which this service is exposed when type=NodePort or LoadBalancer. Usually assigned by the system. If specified, it will be allocated to the service if unused or else creation of the service will fail. Default is to auto-allocate a port if the ServiceType of this Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport",
+}
+
+func (ServicePort) SwaggerDoc() map[string]string {
+	return map_ServicePort
+}
+
+var map_ServiceProxyOptions = map[string]string{
+	"":     "ServiceProxyOptions is the query options to a Service's proxy call.",
+	"path": "Path is the part of URLs that include service endpoints, suffixes, and parameters to use for the current proxy request to service. For example, the whole request URL is http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. Path is _search?q=user:kimchy.",
+}
+
+func (ServiceProxyOptions) SwaggerDoc() map[string]string {
+	return map_ServiceProxyOptions
+}
+
+var map_ServiceSpec = map[string]string{
+	"":                         "ServiceSpec describes the attributes that a user creates on a service.",
+	"ports":                    "The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies",
+	"selector":                 "Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/",
+	"clusterIP":                "clusterIP is the IP address of the service and is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. This field can not be changed through updates. Valid values are \"None\", empty string (\"\"), or a valid IP address. \"None\" can be specified for headless services when proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies",
+	"type":                     "type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ExternalName\" maps to the specified externalName. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a stable IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services ",
+	"externalIPs":              "externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service.  These IPs are not managed by Kubernetes.  The user is responsible for ensuring that traffic arrives at a node with this IP.  A common example is external load-balancers that are not part of the Kubernetes system.",
+	"sessionAffinity":          "Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies",
+	"loadBalancerIP":           "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.",
+	"loadBalancerSourceRanges": "If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/",
+	"externalName":             "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid DNS name and requires Type to be ExternalName.",
+	"externalTrafficPolicy":    "externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. \"Local\" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. \"Cluster\" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.",
+	"healthCheckNodePort":      "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.",
+	"publishNotReadyAddresses": "publishNotReadyAddresses, when set to true, indicates that DNS implementations must publish the notReadyAddresses of subsets for the Endpoints associated with the Service. The default value is false. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate SRV records for its Pods without respect to their readiness for purpose of peer discovery. This field will replace the service.alpha.kubernetes.io/tolerate-unready-endpoints when that annotation is deprecated and all clients have been converted to use this field.",
+	"sessionAffinityConfig":    "sessionAffinityConfig contains the configurations of session affinity.",
+}
+
+func (ServiceSpec) SwaggerDoc() map[string]string {
+	return map_ServiceSpec
+}
+
+var map_ServiceStatus = map[string]string{
+	"":             "ServiceStatus represents the current status of a service.",
+	"loadBalancer": "LoadBalancer contains the current status of the load-balancer, if one is present.",
+}
+
+func (ServiceStatus) SwaggerDoc() map[string]string {
+	return map_ServiceStatus
+}
+
+var map_SessionAffinityConfig = map[string]string{
+	"":         "SessionAffinityConfig represents the configurations of session affinity.",
+	"clientIP": "clientIP contains the configurations of Client IP based session affinity.",
+}
+
+func (SessionAffinityConfig) SwaggerDoc() map[string]string {
+	return map_SessionAffinityConfig
+}
+
+var map_StorageOSPersistentVolumeSource = map[string]string{
+	"":                "Represents a StorageOS persistent volume resource.",
+	"volumeName":      "VolumeName is the human-readable name of the StorageOS volume.  Volume names are only unique within a namespace.",
+	"volumeNamespace": "VolumeNamespace specifies the scope of the volume within StorageOS.  If no namespace is specified then the Pod's namespace will be used.  This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.",
+	"fsType":          "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.",
+	"readOnly":        "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
+	"secretRef":       "SecretRef specifies the secret to use for obtaining the StorageOS API credentials.  If not specified, default values will be attempted.",
+}
+
+func (StorageOSPersistentVolumeSource) SwaggerDoc() map[string]string {
+	return map_StorageOSPersistentVolumeSource
+}
+
+var map_StorageOSVolumeSource = map[string]string{
+	"":                "Represents a StorageOS persistent volume resource.",
+	"volumeName":      "VolumeName is the human-readable name of the StorageOS volume.  Volume names are only unique within a namespace.",
+	"volumeNamespace": "VolumeNamespace specifies the scope of the volume within StorageOS.  If no namespace is specified then the Pod's namespace will be used.  This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.",
+	"fsType":          "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.",
+	"readOnly":        "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.",
+	"secretRef":       "SecretRef specifies the secret to use for obtaining the StorageOS API credentials.  If not specified, default values will be attempted.",
+}
+
+func (StorageOSVolumeSource) SwaggerDoc() map[string]string {
+	return map_StorageOSVolumeSource
+}
+
+var map_Sysctl = map[string]string{
+	"":      "Sysctl defines a kernel parameter to be set",
+	"Name":  "Name of a property to set",
+	"Value": "Value of a property to set",
+}
+
+func (Sysctl) SwaggerDoc() map[string]string {
+	return map_Sysctl
+}
+
+var map_TCPSocketAction = map[string]string{
+	"":     "TCPSocketAction describes an action based on opening a socket",
+	"port": "Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.",
+	"host": "Optional: Host name to connect to, defaults to the pod IP.",
+}
+
+func (TCPSocketAction) SwaggerDoc() map[string]string {
+	return map_TCPSocketAction
+}
+
+var map_Taint = map[string]string{
+	"":          "The node this Taint is attached to has the \"effect\" on any pod that does not tolerate the Taint.",
+	"key":       "Required. The taint key to be applied to a node.",
+	"value":     "Required. The taint value corresponding to the taint key.",
+	"effect":    "Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.",
+	"timeAdded": "TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints.",
+}
+
+func (Taint) SwaggerDoc() map[string]string {
+	return map_Taint
+}
+
+var map_Toleration = map[string]string{
+	"":                  "The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.",
+	"key":               "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.",
+	"operator":          "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.",
+	"value":             "Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.",
+	"effect":            "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.",
+	"tolerationSeconds": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.",
+}
+
+func (Toleration) SwaggerDoc() map[string]string {
+	return map_Toleration
+}
+
+var map_Volume = map[string]string{
+	"":     "Volume represents a named volume in a pod that may be accessed by any container in the pod.",
+	"name": "Volume's name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
+}
+
+func (Volume) SwaggerDoc() map[string]string {
+	return map_Volume
+}
+
+var map_VolumeMount = map[string]string{
+	"":                 "VolumeMount describes a mounting of a Volume within a container.",
+	"name":             "This must match the Name of a Volume.",
+	"readOnly":         "Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.",
+	"mountPath":        "Path within the container at which the volume should be mounted.  Must not contain ':'.",
+	"subPath":          "Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).",
+	"mountPropagation": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationHostToContainer is used. This field is alpha in 1.8 and can be reworked or removed in a future release.",
+}
+
+func (VolumeMount) SwaggerDoc() map[string]string {
+	return map_VolumeMount
+}
+
+var map_VolumeProjection = map[string]string{
+	"":            "Projection that may be projected along with other supported volume types",
+	"secret":      "information about the secret data to project",
+	"downwardAPI": "information about the downwardAPI data to project",
+	"configMap":   "information about the configMap data to project",
+}
+
+func (VolumeProjection) SwaggerDoc() map[string]string {
+	return map_VolumeProjection
+}
+
+var map_VolumeSource = map[string]string{
+	"":                      "Represents the source of a volume to mount. Only one of its members may be specified.",
+	"hostPath":              "HostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath",
+	"emptyDir":              "EmptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir",
+	"gcePersistentDisk":     "GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk",
+	"awsElasticBlockStore":  "AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore",
+	"gitRepo":               "GitRepo represents a git repository at a particular revision.",
+	"secret":                "Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret",
+	"nfs":                   "NFS represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs",
+	"iscsi":                 "ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://releases.k8s.io/HEAD/examples/volumes/iscsi/README.md",
+	"glusterfs":             "Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://releases.k8s.io/HEAD/examples/volumes/glusterfs/README.md",
+	"persistentVolumeClaim": "PersistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims",
+	"rbd":                  "RBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://releases.k8s.io/HEAD/examples/volumes/rbd/README.md",
+	"flexVolume":           "FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. This is an alpha feature and may change in future.",
+	"cinder":               "Cinder represents a cinder volume attached and mounted on kubelets host machine More info: https://releases.k8s.io/HEAD/examples/mysql-cinder-pd/README.md",
+	"cephfs":               "CephFS represents a Ceph FS mount on the host that shares a pod's lifetime",
+	"flocker":              "Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running",
+	"downwardAPI":          "DownwardAPI represents downward API about the pod that should populate this volume",
+	"fc":                   "FC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.",
+	"azureFile":            "AzureFile represents an Azure File Service mount on the host and bind mount to the pod.",
+	"configMap":            "ConfigMap represents a configMap that should populate this volume",
+	"vsphereVolume":        "VsphereVolume represents a vSphere volume attached and mounted on kubelets host machine",
+	"quobyte":              "Quobyte represents a Quobyte mount on the host that shares a pod's lifetime",
+	"azureDisk":            "AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.",
+	"photonPersistentDisk": "PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine",
+	"projected":            "Items for all in one resources secrets, configmaps, and downward API",
+	"portworxVolume":       "PortworxVolume represents a portworx volume attached and mounted on kubelets host machine",
+	"scaleIO":              "ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.",
+	"storageos":            "StorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.",
+}
+
+func (VolumeSource) SwaggerDoc() map[string]string {
+	return map_VolumeSource
+}
+
+var map_VsphereVirtualDiskVolumeSource = map[string]string{
+	"":                  "Represents a vSphere volume resource.",
+	"volumePath":        "Path that identifies vSphere volume vmdk",
+	"fsType":            "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.",
+	"storagePolicyName": "Storage Policy Based Management (SPBM) profile name.",
+	"storagePolicyID":   "Storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.",
+}
+
+func (VsphereVirtualDiskVolumeSource) SwaggerDoc() map[string]string {
+	return map_VsphereVirtualDiskVolumeSource
+}
+
+var map_WeightedPodAffinityTerm = map[string]string{
+	"":                "The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)",
+	"weight":          "weight associated with matching the corresponding podAffinityTerm, in the range 1-100.",
+	"podAffinityTerm": "Required. A pod affinity term, associated with the corresponding weight.",
+}
+
+func (WeightedPodAffinityTerm) SwaggerDoc() map[string]string {
+	return map_WeightedPodAffinityTerm
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/core/v1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/core/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..9a1fdc14
--- /dev/null
+++ b/cli/vendor/k8s.io/api/core/v1/zz_generated.deepcopy.go
@@ -0,0 +1,6351 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1
+
+import (
+	resource "k8s.io/apimachinery/pkg/api/resource"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	types "k8s.io/apimachinery/pkg/types"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AWSElasticBlockStoreVolumeSource).DeepCopyInto(out.(*AWSElasticBlockStoreVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&AWSElasticBlockStoreVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Affinity).DeepCopyInto(out.(*Affinity))
+			return nil
+		}, InType: reflect.TypeOf(&Affinity{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AttachedVolume).DeepCopyInto(out.(*AttachedVolume))
+			return nil
+		}, InType: reflect.TypeOf(&AttachedVolume{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AvoidPods).DeepCopyInto(out.(*AvoidPods))
+			return nil
+		}, InType: reflect.TypeOf(&AvoidPods{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AzureDiskVolumeSource).DeepCopyInto(out.(*AzureDiskVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&AzureDiskVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AzureFilePersistentVolumeSource).DeepCopyInto(out.(*AzureFilePersistentVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&AzureFilePersistentVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AzureFileVolumeSource).DeepCopyInto(out.(*AzureFileVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&AzureFileVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Binding).DeepCopyInto(out.(*Binding))
+			return nil
+		}, InType: reflect.TypeOf(&Binding{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Capabilities).DeepCopyInto(out.(*Capabilities))
+			return nil
+		}, InType: reflect.TypeOf(&Capabilities{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CephFSPersistentVolumeSource).DeepCopyInto(out.(*CephFSPersistentVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&CephFSPersistentVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CephFSVolumeSource).DeepCopyInto(out.(*CephFSVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&CephFSVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CinderVolumeSource).DeepCopyInto(out.(*CinderVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&CinderVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClientIPConfig).DeepCopyInto(out.(*ClientIPConfig))
+			return nil
+		}, InType: reflect.TypeOf(&ClientIPConfig{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ComponentCondition).DeepCopyInto(out.(*ComponentCondition))
+			return nil
+		}, InType: reflect.TypeOf(&ComponentCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ComponentStatus).DeepCopyInto(out.(*ComponentStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ComponentStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ComponentStatusList).DeepCopyInto(out.(*ComponentStatusList))
+			return nil
+		}, InType: reflect.TypeOf(&ComponentStatusList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ConfigMap).DeepCopyInto(out.(*ConfigMap))
+			return nil
+		}, InType: reflect.TypeOf(&ConfigMap{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ConfigMapEnvSource).DeepCopyInto(out.(*ConfigMapEnvSource))
+			return nil
+		}, InType: reflect.TypeOf(&ConfigMapEnvSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ConfigMapKeySelector).DeepCopyInto(out.(*ConfigMapKeySelector))
+			return nil
+		}, InType: reflect.TypeOf(&ConfigMapKeySelector{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ConfigMapList).DeepCopyInto(out.(*ConfigMapList))
+			return nil
+		}, InType: reflect.TypeOf(&ConfigMapList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ConfigMapProjection).DeepCopyInto(out.(*ConfigMapProjection))
+			return nil
+		}, InType: reflect.TypeOf(&ConfigMapProjection{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ConfigMapVolumeSource).DeepCopyInto(out.(*ConfigMapVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&ConfigMapVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Container).DeepCopyInto(out.(*Container))
+			return nil
+		}, InType: reflect.TypeOf(&Container{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ContainerImage).DeepCopyInto(out.(*ContainerImage))
+			return nil
+		}, InType: reflect.TypeOf(&ContainerImage{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ContainerPort).DeepCopyInto(out.(*ContainerPort))
+			return nil
+		}, InType: reflect.TypeOf(&ContainerPort{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ContainerState).DeepCopyInto(out.(*ContainerState))
+			return nil
+		}, InType: reflect.TypeOf(&ContainerState{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ContainerStateRunning).DeepCopyInto(out.(*ContainerStateRunning))
+			return nil
+		}, InType: reflect.TypeOf(&ContainerStateRunning{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ContainerStateTerminated).DeepCopyInto(out.(*ContainerStateTerminated))
+			return nil
+		}, InType: reflect.TypeOf(&ContainerStateTerminated{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ContainerStateWaiting).DeepCopyInto(out.(*ContainerStateWaiting))
+			return nil
+		}, InType: reflect.TypeOf(&ContainerStateWaiting{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ContainerStatus).DeepCopyInto(out.(*ContainerStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ContainerStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonEndpoint).DeepCopyInto(out.(*DaemonEndpoint))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonEndpoint{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeleteOptions).DeepCopyInto(out.(*DeleteOptions))
+			return nil
+		}, InType: reflect.TypeOf(&DeleteOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DownwardAPIProjection).DeepCopyInto(out.(*DownwardAPIProjection))
+			return nil
+		}, InType: reflect.TypeOf(&DownwardAPIProjection{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DownwardAPIVolumeFile).DeepCopyInto(out.(*DownwardAPIVolumeFile))
+			return nil
+		}, InType: reflect.TypeOf(&DownwardAPIVolumeFile{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DownwardAPIVolumeSource).DeepCopyInto(out.(*DownwardAPIVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&DownwardAPIVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*EmptyDirVolumeSource).DeepCopyInto(out.(*EmptyDirVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&EmptyDirVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*EndpointAddress).DeepCopyInto(out.(*EndpointAddress))
+			return nil
+		}, InType: reflect.TypeOf(&EndpointAddress{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*EndpointPort).DeepCopyInto(out.(*EndpointPort))
+			return nil
+		}, InType: reflect.TypeOf(&EndpointPort{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*EndpointSubset).DeepCopyInto(out.(*EndpointSubset))
+			return nil
+		}, InType: reflect.TypeOf(&EndpointSubset{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Endpoints).DeepCopyInto(out.(*Endpoints))
+			return nil
+		}, InType: reflect.TypeOf(&Endpoints{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*EndpointsList).DeepCopyInto(out.(*EndpointsList))
+			return nil
+		}, InType: reflect.TypeOf(&EndpointsList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*EnvFromSource).DeepCopyInto(out.(*EnvFromSource))
+			return nil
+		}, InType: reflect.TypeOf(&EnvFromSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*EnvVar).DeepCopyInto(out.(*EnvVar))
+			return nil
+		}, InType: reflect.TypeOf(&EnvVar{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*EnvVarSource).DeepCopyInto(out.(*EnvVarSource))
+			return nil
+		}, InType: reflect.TypeOf(&EnvVarSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Event).DeepCopyInto(out.(*Event))
+			return nil
+		}, InType: reflect.TypeOf(&Event{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*EventList).DeepCopyInto(out.(*EventList))
+			return nil
+		}, InType: reflect.TypeOf(&EventList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*EventSource).DeepCopyInto(out.(*EventSource))
+			return nil
+		}, InType: reflect.TypeOf(&EventSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ExecAction).DeepCopyInto(out.(*ExecAction))
+			return nil
+		}, InType: reflect.TypeOf(&ExecAction{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*FCVolumeSource).DeepCopyInto(out.(*FCVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&FCVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*FlexVolumeSource).DeepCopyInto(out.(*FlexVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&FlexVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*FlockerVolumeSource).DeepCopyInto(out.(*FlockerVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&FlockerVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*GCEPersistentDiskVolumeSource).DeepCopyInto(out.(*GCEPersistentDiskVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&GCEPersistentDiskVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*GitRepoVolumeSource).DeepCopyInto(out.(*GitRepoVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&GitRepoVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*GlusterfsVolumeSource).DeepCopyInto(out.(*GlusterfsVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&GlusterfsVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HTTPGetAction).DeepCopyInto(out.(*HTTPGetAction))
+			return nil
+		}, InType: reflect.TypeOf(&HTTPGetAction{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HTTPHeader).DeepCopyInto(out.(*HTTPHeader))
+			return nil
+		}, InType: reflect.TypeOf(&HTTPHeader{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Handler).DeepCopyInto(out.(*Handler))
+			return nil
+		}, InType: reflect.TypeOf(&Handler{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HostAlias).DeepCopyInto(out.(*HostAlias))
+			return nil
+		}, InType: reflect.TypeOf(&HostAlias{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HostPathVolumeSource).DeepCopyInto(out.(*HostPathVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&HostPathVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ISCSIVolumeSource).DeepCopyInto(out.(*ISCSIVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&ISCSIVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*KeyToPath).DeepCopyInto(out.(*KeyToPath))
+			return nil
+		}, InType: reflect.TypeOf(&KeyToPath{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Lifecycle).DeepCopyInto(out.(*Lifecycle))
+			return nil
+		}, InType: reflect.TypeOf(&Lifecycle{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LimitRange).DeepCopyInto(out.(*LimitRange))
+			return nil
+		}, InType: reflect.TypeOf(&LimitRange{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LimitRangeItem).DeepCopyInto(out.(*LimitRangeItem))
+			return nil
+		}, InType: reflect.TypeOf(&LimitRangeItem{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LimitRangeList).DeepCopyInto(out.(*LimitRangeList))
+			return nil
+		}, InType: reflect.TypeOf(&LimitRangeList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LimitRangeSpec).DeepCopyInto(out.(*LimitRangeSpec))
+			return nil
+		}, InType: reflect.TypeOf(&LimitRangeSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*List).DeepCopyInto(out.(*List))
+			return nil
+		}, InType: reflect.TypeOf(&List{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ListOptions).DeepCopyInto(out.(*ListOptions))
+			return nil
+		}, InType: reflect.TypeOf(&ListOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LoadBalancerIngress).DeepCopyInto(out.(*LoadBalancerIngress))
+			return nil
+		}, InType: reflect.TypeOf(&LoadBalancerIngress{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LoadBalancerStatus).DeepCopyInto(out.(*LoadBalancerStatus))
+			return nil
+		}, InType: reflect.TypeOf(&LoadBalancerStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LocalObjectReference).DeepCopyInto(out.(*LocalObjectReference))
+			return nil
+		}, InType: reflect.TypeOf(&LocalObjectReference{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LocalVolumeSource).DeepCopyInto(out.(*LocalVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&LocalVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NFSVolumeSource).DeepCopyInto(out.(*NFSVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&NFSVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Namespace).DeepCopyInto(out.(*Namespace))
+			return nil
+		}, InType: reflect.TypeOf(&Namespace{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NamespaceList).DeepCopyInto(out.(*NamespaceList))
+			return nil
+		}, InType: reflect.TypeOf(&NamespaceList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NamespaceSpec).DeepCopyInto(out.(*NamespaceSpec))
+			return nil
+		}, InType: reflect.TypeOf(&NamespaceSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NamespaceStatus).DeepCopyInto(out.(*NamespaceStatus))
+			return nil
+		}, InType: reflect.TypeOf(&NamespaceStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Node).DeepCopyInto(out.(*Node))
+			return nil
+		}, InType: reflect.TypeOf(&Node{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeAddress).DeepCopyInto(out.(*NodeAddress))
+			return nil
+		}, InType: reflect.TypeOf(&NodeAddress{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeAffinity).DeepCopyInto(out.(*NodeAffinity))
+			return nil
+		}, InType: reflect.TypeOf(&NodeAffinity{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeCondition).DeepCopyInto(out.(*NodeCondition))
+			return nil
+		}, InType: reflect.TypeOf(&NodeCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeConfigSource).DeepCopyInto(out.(*NodeConfigSource))
+			return nil
+		}, InType: reflect.TypeOf(&NodeConfigSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeDaemonEndpoints).DeepCopyInto(out.(*NodeDaemonEndpoints))
+			return nil
+		}, InType: reflect.TypeOf(&NodeDaemonEndpoints{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeList).DeepCopyInto(out.(*NodeList))
+			return nil
+		}, InType: reflect.TypeOf(&NodeList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeProxyOptions).DeepCopyInto(out.(*NodeProxyOptions))
+			return nil
+		}, InType: reflect.TypeOf(&NodeProxyOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeResources).DeepCopyInto(out.(*NodeResources))
+			return nil
+		}, InType: reflect.TypeOf(&NodeResources{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeSelector).DeepCopyInto(out.(*NodeSelector))
+			return nil
+		}, InType: reflect.TypeOf(&NodeSelector{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeSelectorRequirement).DeepCopyInto(out.(*NodeSelectorRequirement))
+			return nil
+		}, InType: reflect.TypeOf(&NodeSelectorRequirement{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeSelectorTerm).DeepCopyInto(out.(*NodeSelectorTerm))
+			return nil
+		}, InType: reflect.TypeOf(&NodeSelectorTerm{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeSpec).DeepCopyInto(out.(*NodeSpec))
+			return nil
+		}, InType: reflect.TypeOf(&NodeSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeStatus).DeepCopyInto(out.(*NodeStatus))
+			return nil
+		}, InType: reflect.TypeOf(&NodeStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NodeSystemInfo).DeepCopyInto(out.(*NodeSystemInfo))
+			return nil
+		}, InType: reflect.TypeOf(&NodeSystemInfo{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ObjectFieldSelector).DeepCopyInto(out.(*ObjectFieldSelector))
+			return nil
+		}, InType: reflect.TypeOf(&ObjectFieldSelector{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ObjectMeta).DeepCopyInto(out.(*ObjectMeta))
+			return nil
+		}, InType: reflect.TypeOf(&ObjectMeta{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ObjectReference).DeepCopyInto(out.(*ObjectReference))
+			return nil
+		}, InType: reflect.TypeOf(&ObjectReference{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolume).DeepCopyInto(out.(*PersistentVolume))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolume{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolumeClaim).DeepCopyInto(out.(*PersistentVolumeClaim))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolumeClaim{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolumeClaimCondition).DeepCopyInto(out.(*PersistentVolumeClaimCondition))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolumeClaimCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolumeClaimList).DeepCopyInto(out.(*PersistentVolumeClaimList))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolumeClaimList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolumeClaimSpec).DeepCopyInto(out.(*PersistentVolumeClaimSpec))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolumeClaimSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolumeClaimStatus).DeepCopyInto(out.(*PersistentVolumeClaimStatus))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolumeClaimStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolumeClaimVolumeSource).DeepCopyInto(out.(*PersistentVolumeClaimVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolumeClaimVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolumeList).DeepCopyInto(out.(*PersistentVolumeList))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolumeList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolumeSource).DeepCopyInto(out.(*PersistentVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolumeSpec).DeepCopyInto(out.(*PersistentVolumeSpec))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolumeSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PersistentVolumeStatus).DeepCopyInto(out.(*PersistentVolumeStatus))
+			return nil
+		}, InType: reflect.TypeOf(&PersistentVolumeStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PhotonPersistentDiskVolumeSource).DeepCopyInto(out.(*PhotonPersistentDiskVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&PhotonPersistentDiskVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Pod).DeepCopyInto(out.(*Pod))
+			return nil
+		}, InType: reflect.TypeOf(&Pod{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodAffinity).DeepCopyInto(out.(*PodAffinity))
+			return nil
+		}, InType: reflect.TypeOf(&PodAffinity{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodAffinityTerm).DeepCopyInto(out.(*PodAffinityTerm))
+			return nil
+		}, InType: reflect.TypeOf(&PodAffinityTerm{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodAntiAffinity).DeepCopyInto(out.(*PodAntiAffinity))
+			return nil
+		}, InType: reflect.TypeOf(&PodAntiAffinity{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodAttachOptions).DeepCopyInto(out.(*PodAttachOptions))
+			return nil
+		}, InType: reflect.TypeOf(&PodAttachOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodCondition).DeepCopyInto(out.(*PodCondition))
+			return nil
+		}, InType: reflect.TypeOf(&PodCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodExecOptions).DeepCopyInto(out.(*PodExecOptions))
+			return nil
+		}, InType: reflect.TypeOf(&PodExecOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodList).DeepCopyInto(out.(*PodList))
+			return nil
+		}, InType: reflect.TypeOf(&PodList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodLogOptions).DeepCopyInto(out.(*PodLogOptions))
+			return nil
+		}, InType: reflect.TypeOf(&PodLogOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodPortForwardOptions).DeepCopyInto(out.(*PodPortForwardOptions))
+			return nil
+		}, InType: reflect.TypeOf(&PodPortForwardOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodProxyOptions).DeepCopyInto(out.(*PodProxyOptions))
+			return nil
+		}, InType: reflect.TypeOf(&PodProxyOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodSecurityContext).DeepCopyInto(out.(*PodSecurityContext))
+			return nil
+		}, InType: reflect.TypeOf(&PodSecurityContext{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodSignature).DeepCopyInto(out.(*PodSignature))
+			return nil
+		}, InType: reflect.TypeOf(&PodSignature{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodSpec).DeepCopyInto(out.(*PodSpec))
+			return nil
+		}, InType: reflect.TypeOf(&PodSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodStatus).DeepCopyInto(out.(*PodStatus))
+			return nil
+		}, InType: reflect.TypeOf(&PodStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodStatusResult).DeepCopyInto(out.(*PodStatusResult))
+			return nil
+		}, InType: reflect.TypeOf(&PodStatusResult{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodTemplate).DeepCopyInto(out.(*PodTemplate))
+			return nil
+		}, InType: reflect.TypeOf(&PodTemplate{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodTemplateList).DeepCopyInto(out.(*PodTemplateList))
+			return nil
+		}, InType: reflect.TypeOf(&PodTemplateList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodTemplateSpec).DeepCopyInto(out.(*PodTemplateSpec))
+			return nil
+		}, InType: reflect.TypeOf(&PodTemplateSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PortworxVolumeSource).DeepCopyInto(out.(*PortworxVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&PortworxVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Preconditions).DeepCopyInto(out.(*Preconditions))
+			return nil
+		}, InType: reflect.TypeOf(&Preconditions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PreferAvoidPodsEntry).DeepCopyInto(out.(*PreferAvoidPodsEntry))
+			return nil
+		}, InType: reflect.TypeOf(&PreferAvoidPodsEntry{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PreferredSchedulingTerm).DeepCopyInto(out.(*PreferredSchedulingTerm))
+			return nil
+		}, InType: reflect.TypeOf(&PreferredSchedulingTerm{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Probe).DeepCopyInto(out.(*Probe))
+			return nil
+		}, InType: reflect.TypeOf(&Probe{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ProjectedVolumeSource).DeepCopyInto(out.(*ProjectedVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&ProjectedVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*QuobyteVolumeSource).DeepCopyInto(out.(*QuobyteVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&QuobyteVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RBDVolumeSource).DeepCopyInto(out.(*RBDVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&RBDVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RangeAllocation).DeepCopyInto(out.(*RangeAllocation))
+			return nil
+		}, InType: reflect.TypeOf(&RangeAllocation{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicationController).DeepCopyInto(out.(*ReplicationController))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicationController{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicationControllerCondition).DeepCopyInto(out.(*ReplicationControllerCondition))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicationControllerCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicationControllerList).DeepCopyInto(out.(*ReplicationControllerList))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicationControllerList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicationControllerSpec).DeepCopyInto(out.(*ReplicationControllerSpec))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicationControllerSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicationControllerStatus).DeepCopyInto(out.(*ReplicationControllerStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicationControllerStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceFieldSelector).DeepCopyInto(out.(*ResourceFieldSelector))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceFieldSelector{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceQuota).DeepCopyInto(out.(*ResourceQuota))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceQuota{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceQuotaList).DeepCopyInto(out.(*ResourceQuotaList))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceQuotaList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceQuotaSpec).DeepCopyInto(out.(*ResourceQuotaSpec))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceQuotaSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceQuotaStatus).DeepCopyInto(out.(*ResourceQuotaStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceQuotaStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ResourceRequirements).DeepCopyInto(out.(*ResourceRequirements))
+			return nil
+		}, InType: reflect.TypeOf(&ResourceRequirements{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SELinuxOptions).DeepCopyInto(out.(*SELinuxOptions))
+			return nil
+		}, InType: reflect.TypeOf(&SELinuxOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ScaleIOPersistentVolumeSource).DeepCopyInto(out.(*ScaleIOPersistentVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&ScaleIOPersistentVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ScaleIOVolumeSource).DeepCopyInto(out.(*ScaleIOVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&ScaleIOVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Secret).DeepCopyInto(out.(*Secret))
+			return nil
+		}, InType: reflect.TypeOf(&Secret{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SecretEnvSource).DeepCopyInto(out.(*SecretEnvSource))
+			return nil
+		}, InType: reflect.TypeOf(&SecretEnvSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SecretKeySelector).DeepCopyInto(out.(*SecretKeySelector))
+			return nil
+		}, InType: reflect.TypeOf(&SecretKeySelector{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SecretList).DeepCopyInto(out.(*SecretList))
+			return nil
+		}, InType: reflect.TypeOf(&SecretList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SecretProjection).DeepCopyInto(out.(*SecretProjection))
+			return nil
+		}, InType: reflect.TypeOf(&SecretProjection{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SecretReference).DeepCopyInto(out.(*SecretReference))
+			return nil
+		}, InType: reflect.TypeOf(&SecretReference{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SecretVolumeSource).DeepCopyInto(out.(*SecretVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&SecretVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SecurityContext).DeepCopyInto(out.(*SecurityContext))
+			return nil
+		}, InType: reflect.TypeOf(&SecurityContext{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SerializedReference).DeepCopyInto(out.(*SerializedReference))
+			return nil
+		}, InType: reflect.TypeOf(&SerializedReference{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Service).DeepCopyInto(out.(*Service))
+			return nil
+		}, InType: reflect.TypeOf(&Service{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ServiceAccount).DeepCopyInto(out.(*ServiceAccount))
+			return nil
+		}, InType: reflect.TypeOf(&ServiceAccount{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ServiceAccountList).DeepCopyInto(out.(*ServiceAccountList))
+			return nil
+		}, InType: reflect.TypeOf(&ServiceAccountList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ServiceList).DeepCopyInto(out.(*ServiceList))
+			return nil
+		}, InType: reflect.TypeOf(&ServiceList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ServicePort).DeepCopyInto(out.(*ServicePort))
+			return nil
+		}, InType: reflect.TypeOf(&ServicePort{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ServiceProxyOptions).DeepCopyInto(out.(*ServiceProxyOptions))
+			return nil
+		}, InType: reflect.TypeOf(&ServiceProxyOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ServiceSpec).DeepCopyInto(out.(*ServiceSpec))
+			return nil
+		}, InType: reflect.TypeOf(&ServiceSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ServiceStatus).DeepCopyInto(out.(*ServiceStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ServiceStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SessionAffinityConfig).DeepCopyInto(out.(*SessionAffinityConfig))
+			return nil
+		}, InType: reflect.TypeOf(&SessionAffinityConfig{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StorageOSPersistentVolumeSource).DeepCopyInto(out.(*StorageOSPersistentVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&StorageOSPersistentVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StorageOSVolumeSource).DeepCopyInto(out.(*StorageOSVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&StorageOSVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Sysctl).DeepCopyInto(out.(*Sysctl))
+			return nil
+		}, InType: reflect.TypeOf(&Sysctl{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TCPSocketAction).DeepCopyInto(out.(*TCPSocketAction))
+			return nil
+		}, InType: reflect.TypeOf(&TCPSocketAction{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Taint).DeepCopyInto(out.(*Taint))
+			return nil
+		}, InType: reflect.TypeOf(&Taint{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Toleration).DeepCopyInto(out.(*Toleration))
+			return nil
+		}, InType: reflect.TypeOf(&Toleration{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Volume).DeepCopyInto(out.(*Volume))
+			return nil
+		}, InType: reflect.TypeOf(&Volume{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*VolumeMount).DeepCopyInto(out.(*VolumeMount))
+			return nil
+		}, InType: reflect.TypeOf(&VolumeMount{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*VolumeProjection).DeepCopyInto(out.(*VolumeProjection))
+			return nil
+		}, InType: reflect.TypeOf(&VolumeProjection{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*VolumeSource).DeepCopyInto(out.(*VolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&VolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*VsphereVirtualDiskVolumeSource).DeepCopyInto(out.(*VsphereVirtualDiskVolumeSource))
+			return nil
+		}, InType: reflect.TypeOf(&VsphereVirtualDiskVolumeSource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*WeightedPodAffinityTerm).DeepCopyInto(out.(*WeightedPodAffinityTerm))
+			return nil
+		}, InType: reflect.TypeOf(&WeightedPodAffinityTerm{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSElasticBlockStoreVolumeSource) DeepCopyInto(out *AWSElasticBlockStoreVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSElasticBlockStoreVolumeSource.
+func (in *AWSElasticBlockStoreVolumeSource) DeepCopy() *AWSElasticBlockStoreVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSElasticBlockStoreVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Affinity) DeepCopyInto(out *Affinity) {
+	*out = *in
+	if in.NodeAffinity != nil {
+		in, out := &in.NodeAffinity, &out.NodeAffinity
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(NodeAffinity)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.PodAffinity != nil {
+		in, out := &in.PodAffinity, &out.PodAffinity
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PodAffinity)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.PodAntiAffinity != nil {
+		in, out := &in.PodAntiAffinity, &out.PodAntiAffinity
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PodAntiAffinity)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Affinity.
+func (in *Affinity) DeepCopy() *Affinity {
+	if in == nil {
+		return nil
+	}
+	out := new(Affinity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AttachedVolume) DeepCopyInto(out *AttachedVolume) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttachedVolume.
+func (in *AttachedVolume) DeepCopy() *AttachedVolume {
+	if in == nil {
+		return nil
+	}
+	out := new(AttachedVolume)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AvoidPods) DeepCopyInto(out *AvoidPods) {
+	*out = *in
+	if in.PreferAvoidPods != nil {
+		in, out := &in.PreferAvoidPods, &out.PreferAvoidPods
+		*out = make([]PreferAvoidPodsEntry, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AvoidPods.
+func (in *AvoidPods) DeepCopy() *AvoidPods {
+	if in == nil {
+		return nil
+	}
+	out := new(AvoidPods)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureDiskVolumeSource) DeepCopyInto(out *AzureDiskVolumeSource) {
+	*out = *in
+	if in.CachingMode != nil {
+		in, out := &in.CachingMode, &out.CachingMode
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AzureDataDiskCachingMode)
+			**out = **in
+		}
+	}
+	if in.FSType != nil {
+		in, out := &in.FSType, &out.FSType
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
+	if in.ReadOnly != nil {
+		in, out := &in.ReadOnly, &out.ReadOnly
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.Kind != nil {
+		in, out := &in.Kind, &out.Kind
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AzureDataDiskKind)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureDiskVolumeSource.
+func (in *AzureDiskVolumeSource) DeepCopy() *AzureDiskVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureDiskVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureFilePersistentVolumeSource) DeepCopyInto(out *AzureFilePersistentVolumeSource) {
+	*out = *in
+	if in.SecretNamespace != nil {
+		in, out := &in.SecretNamespace, &out.SecretNamespace
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureFilePersistentVolumeSource.
+func (in *AzureFilePersistentVolumeSource) DeepCopy() *AzureFilePersistentVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureFilePersistentVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureFileVolumeSource) DeepCopyInto(out *AzureFileVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureFileVolumeSource.
+func (in *AzureFileVolumeSource) DeepCopy() *AzureFileVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureFileVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Binding) DeepCopyInto(out *Binding) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Target = in.Target
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Binding.
+func (in *Binding) DeepCopy() *Binding {
+	if in == nil {
+		return nil
+	}
+	out := new(Binding)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Binding) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Capabilities) DeepCopyInto(out *Capabilities) {
+	*out = *in
+	if in.Add != nil {
+		in, out := &in.Add, &out.Add
+		*out = make([]Capability, len(*in))
+		copy(*out, *in)
+	}
+	if in.Drop != nil {
+		in, out := &in.Drop, &out.Drop
+		*out = make([]Capability, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Capabilities.
+func (in *Capabilities) DeepCopy() *Capabilities {
+	if in == nil {
+		return nil
+	}
+	out := new(Capabilities)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CephFSPersistentVolumeSource) DeepCopyInto(out *CephFSPersistentVolumeSource) {
+	*out = *in
+	if in.Monitors != nil {
+		in, out := &in.Monitors, &out.Monitors
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SecretReference)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CephFSPersistentVolumeSource.
+func (in *CephFSPersistentVolumeSource) DeepCopy() *CephFSPersistentVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(CephFSPersistentVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CephFSVolumeSource) DeepCopyInto(out *CephFSVolumeSource) {
+	*out = *in
+	if in.Monitors != nil {
+		in, out := &in.Monitors, &out.Monitors
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(LocalObjectReference)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CephFSVolumeSource.
+func (in *CephFSVolumeSource) DeepCopy() *CephFSVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(CephFSVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CinderVolumeSource) DeepCopyInto(out *CinderVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CinderVolumeSource.
+func (in *CinderVolumeSource) DeepCopy() *CinderVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(CinderVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClientIPConfig) DeepCopyInto(out *ClientIPConfig) {
+	*out = *in
+	if in.TimeoutSeconds != nil {
+		in, out := &in.TimeoutSeconds, &out.TimeoutSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientIPConfig.
+func (in *ClientIPConfig) DeepCopy() *ClientIPConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(ClientIPConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ComponentCondition) DeepCopyInto(out *ComponentCondition) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComponentCondition.
+func (in *ComponentCondition) DeepCopy() *ComponentCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ComponentCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ComponentStatus) DeepCopyInto(out *ComponentStatus) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ComponentCondition, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComponentStatus.
+func (in *ComponentStatus) DeepCopy() *ComponentStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ComponentStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ComponentStatus) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ComponentStatusList) DeepCopyInto(out *ComponentStatusList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ComponentStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComponentStatusList.
+func (in *ComponentStatusList) DeepCopy() *ComponentStatusList {
+	if in == nil {
+		return nil
+	}
+	out := new(ComponentStatusList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ComponentStatusList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConfigMap) DeepCopyInto(out *ConfigMap) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMap.
+func (in *ConfigMap) DeepCopy() *ConfigMap {
+	if in == nil {
+		return nil
+	}
+	out := new(ConfigMap)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ConfigMap) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConfigMapEnvSource) DeepCopyInto(out *ConfigMapEnvSource) {
+	*out = *in
+	out.LocalObjectReference = in.LocalObjectReference
+	if in.Optional != nil {
+		in, out := &in.Optional, &out.Optional
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapEnvSource.
+func (in *ConfigMapEnvSource) DeepCopy() *ConfigMapEnvSource {
+	if in == nil {
+		return nil
+	}
+	out := new(ConfigMapEnvSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConfigMapKeySelector) DeepCopyInto(out *ConfigMapKeySelector) {
+	*out = *in
+	out.LocalObjectReference = in.LocalObjectReference
+	if in.Optional != nil {
+		in, out := &in.Optional, &out.Optional
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapKeySelector.
+func (in *ConfigMapKeySelector) DeepCopy() *ConfigMapKeySelector {
+	if in == nil {
+		return nil
+	}
+	out := new(ConfigMapKeySelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConfigMapList) DeepCopyInto(out *ConfigMapList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ConfigMap, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapList.
+func (in *ConfigMapList) DeepCopy() *ConfigMapList {
+	if in == nil {
+		return nil
+	}
+	out := new(ConfigMapList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ConfigMapList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConfigMapProjection) DeepCopyInto(out *ConfigMapProjection) {
+	*out = *in
+	out.LocalObjectReference = in.LocalObjectReference
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]KeyToPath, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Optional != nil {
+		in, out := &in.Optional, &out.Optional
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapProjection.
+func (in *ConfigMapProjection) DeepCopy() *ConfigMapProjection {
+	if in == nil {
+		return nil
+	}
+	out := new(ConfigMapProjection)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConfigMapVolumeSource) DeepCopyInto(out *ConfigMapVolumeSource) {
+	*out = *in
+	out.LocalObjectReference = in.LocalObjectReference
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]KeyToPath, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultMode != nil {
+		in, out := &in.DefaultMode, &out.DefaultMode
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Optional != nil {
+		in, out := &in.Optional, &out.Optional
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapVolumeSource.
+func (in *ConfigMapVolumeSource) DeepCopy() *ConfigMapVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(ConfigMapVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Container) DeepCopyInto(out *Container) {
+	*out = *in
+	if in.Command != nil {
+		in, out := &in.Command, &out.Command
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Args != nil {
+		in, out := &in.Args, &out.Args
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]ContainerPort, len(*in))
+		copy(*out, *in)
+	}
+	if in.EnvFrom != nil {
+		in, out := &in.EnvFrom, &out.EnvFrom
+		*out = make([]EnvFromSource, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Env != nil {
+		in, out := &in.Env, &out.Env
+		*out = make([]EnvVar, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	in.Resources.DeepCopyInto(&out.Resources)
+	if in.VolumeMounts != nil {
+		in, out := &in.VolumeMounts, &out.VolumeMounts
+		*out = make([]VolumeMount, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LivenessProbe != nil {
+		in, out := &in.LivenessProbe, &out.LivenessProbe
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Probe)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.ReadinessProbe != nil {
+		in, out := &in.ReadinessProbe, &out.ReadinessProbe
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Probe)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Lifecycle != nil {
+		in, out := &in.Lifecycle, &out.Lifecycle
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Lifecycle)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.SecurityContext != nil {
+		in, out := &in.SecurityContext, &out.SecurityContext
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SecurityContext)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Container.
+func (in *Container) DeepCopy() *Container {
+	if in == nil {
+		return nil
+	}
+	out := new(Container)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ContainerImage) DeepCopyInto(out *ContainerImage) {
+	*out = *in
+	if in.Names != nil {
+		in, out := &in.Names, &out.Names
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerImage.
+func (in *ContainerImage) DeepCopy() *ContainerImage {
+	if in == nil {
+		return nil
+	}
+	out := new(ContainerImage)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ContainerPort) DeepCopyInto(out *ContainerPort) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerPort.
+func (in *ContainerPort) DeepCopy() *ContainerPort {
+	if in == nil {
+		return nil
+	}
+	out := new(ContainerPort)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ContainerState) DeepCopyInto(out *ContainerState) {
+	*out = *in
+	if in.Waiting != nil {
+		in, out := &in.Waiting, &out.Waiting
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ContainerStateWaiting)
+			**out = **in
+		}
+	}
+	if in.Running != nil {
+		in, out := &in.Running, &out.Running
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ContainerStateRunning)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Terminated != nil {
+		in, out := &in.Terminated, &out.Terminated
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ContainerStateTerminated)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerState.
+func (in *ContainerState) DeepCopy() *ContainerState {
+	if in == nil {
+		return nil
+	}
+	out := new(ContainerState)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ContainerStateRunning) DeepCopyInto(out *ContainerStateRunning) {
+	*out = *in
+	in.StartedAt.DeepCopyInto(&out.StartedAt)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerStateRunning.
+func (in *ContainerStateRunning) DeepCopy() *ContainerStateRunning {
+	if in == nil {
+		return nil
+	}
+	out := new(ContainerStateRunning)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ContainerStateTerminated) DeepCopyInto(out *ContainerStateTerminated) {
+	*out = *in
+	in.StartedAt.DeepCopyInto(&out.StartedAt)
+	in.FinishedAt.DeepCopyInto(&out.FinishedAt)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerStateTerminated.
+func (in *ContainerStateTerminated) DeepCopy() *ContainerStateTerminated {
+	if in == nil {
+		return nil
+	}
+	out := new(ContainerStateTerminated)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ContainerStateWaiting) DeepCopyInto(out *ContainerStateWaiting) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerStateWaiting.
+func (in *ContainerStateWaiting) DeepCopy() *ContainerStateWaiting {
+	if in == nil {
+		return nil
+	}
+	out := new(ContainerStateWaiting)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ContainerStatus) DeepCopyInto(out *ContainerStatus) {
+	*out = *in
+	in.State.DeepCopyInto(&out.State)
+	in.LastTerminationState.DeepCopyInto(&out.LastTerminationState)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerStatus.
+func (in *ContainerStatus) DeepCopy() *ContainerStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ContainerStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonEndpoint) DeepCopyInto(out *DaemonEndpoint) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonEndpoint.
+func (in *DaemonEndpoint) DeepCopy() *DaemonEndpoint {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonEndpoint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeleteOptions) DeepCopyInto(out *DeleteOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.GracePeriodSeconds != nil {
+		in, out := &in.GracePeriodSeconds, &out.GracePeriodSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.Preconditions != nil {
+		in, out := &in.Preconditions, &out.Preconditions
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Preconditions)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.OrphanDependents != nil {
+		in, out := &in.OrphanDependents, &out.OrphanDependents
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.PropagationPolicy != nil {
+		in, out := &in.PropagationPolicy, &out.PropagationPolicy
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(DeletionPropagation)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeleteOptions.
+func (in *DeleteOptions) DeepCopy() *DeleteOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(DeleteOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeleteOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DownwardAPIProjection) DeepCopyInto(out *DownwardAPIProjection) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]DownwardAPIVolumeFile, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DownwardAPIProjection.
+func (in *DownwardAPIProjection) DeepCopy() *DownwardAPIProjection {
+	if in == nil {
+		return nil
+	}
+	out := new(DownwardAPIProjection)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DownwardAPIVolumeFile) DeepCopyInto(out *DownwardAPIVolumeFile) {
+	*out = *in
+	if in.FieldRef != nil {
+		in, out := &in.FieldRef, &out.FieldRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ObjectFieldSelector)
+			**out = **in
+		}
+	}
+	if in.ResourceFieldRef != nil {
+		in, out := &in.ResourceFieldRef, &out.ResourceFieldRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ResourceFieldSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DownwardAPIVolumeFile.
+func (in *DownwardAPIVolumeFile) DeepCopy() *DownwardAPIVolumeFile {
+	if in == nil {
+		return nil
+	}
+	out := new(DownwardAPIVolumeFile)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DownwardAPIVolumeSource) DeepCopyInto(out *DownwardAPIVolumeSource) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]DownwardAPIVolumeFile, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultMode != nil {
+		in, out := &in.DefaultMode, &out.DefaultMode
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DownwardAPIVolumeSource.
+func (in *DownwardAPIVolumeSource) DeepCopy() *DownwardAPIVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(DownwardAPIVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EmptyDirVolumeSource) DeepCopyInto(out *EmptyDirVolumeSource) {
+	*out = *in
+	if in.SizeLimit != nil {
+		in, out := &in.SizeLimit, &out.SizeLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(resource.Quantity)
+			**out = (*in).DeepCopy()
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmptyDirVolumeSource.
+func (in *EmptyDirVolumeSource) DeepCopy() *EmptyDirVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(EmptyDirVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EndpointAddress) DeepCopyInto(out *EndpointAddress) {
+	*out = *in
+	if in.NodeName != nil {
+		in, out := &in.NodeName, &out.NodeName
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
+	if in.TargetRef != nil {
+		in, out := &in.TargetRef, &out.TargetRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ObjectReference)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointAddress.
+func (in *EndpointAddress) DeepCopy() *EndpointAddress {
+	if in == nil {
+		return nil
+	}
+	out := new(EndpointAddress)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EndpointPort) DeepCopyInto(out *EndpointPort) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointPort.
+func (in *EndpointPort) DeepCopy() *EndpointPort {
+	if in == nil {
+		return nil
+	}
+	out := new(EndpointPort)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EndpointSubset) DeepCopyInto(out *EndpointSubset) {
+	*out = *in
+	if in.Addresses != nil {
+		in, out := &in.Addresses, &out.Addresses
+		*out = make([]EndpointAddress, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NotReadyAddresses != nil {
+		in, out := &in.NotReadyAddresses, &out.NotReadyAddresses
+		*out = make([]EndpointAddress, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]EndpointPort, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointSubset.
+func (in *EndpointSubset) DeepCopy() *EndpointSubset {
+	if in == nil {
+		return nil
+	}
+	out := new(EndpointSubset)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Endpoints) DeepCopyInto(out *Endpoints) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Subsets != nil {
+		in, out := &in.Subsets, &out.Subsets
+		*out = make([]EndpointSubset, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Endpoints.
+func (in *Endpoints) DeepCopy() *Endpoints {
+	if in == nil {
+		return nil
+	}
+	out := new(Endpoints)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Endpoints) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EndpointsList) DeepCopyInto(out *EndpointsList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Endpoints, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointsList.
+func (in *EndpointsList) DeepCopy() *EndpointsList {
+	if in == nil {
+		return nil
+	}
+	out := new(EndpointsList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *EndpointsList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EnvFromSource) DeepCopyInto(out *EnvFromSource) {
+	*out = *in
+	if in.ConfigMapRef != nil {
+		in, out := &in.ConfigMapRef, &out.ConfigMapRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ConfigMapEnvSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SecretEnvSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvFromSource.
+func (in *EnvFromSource) DeepCopy() *EnvFromSource {
+	if in == nil {
+		return nil
+	}
+	out := new(EnvFromSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EnvVar) DeepCopyInto(out *EnvVar) {
+	*out = *in
+	if in.ValueFrom != nil {
+		in, out := &in.ValueFrom, &out.ValueFrom
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(EnvVarSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvVar.
+func (in *EnvVar) DeepCopy() *EnvVar {
+	if in == nil {
+		return nil
+	}
+	out := new(EnvVar)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EnvVarSource) DeepCopyInto(out *EnvVarSource) {
+	*out = *in
+	if in.FieldRef != nil {
+		in, out := &in.FieldRef, &out.FieldRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ObjectFieldSelector)
+			**out = **in
+		}
+	}
+	if in.ResourceFieldRef != nil {
+		in, out := &in.ResourceFieldRef, &out.ResourceFieldRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ResourceFieldSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.ConfigMapKeyRef != nil {
+		in, out := &in.ConfigMapKeyRef, &out.ConfigMapKeyRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ConfigMapKeySelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.SecretKeyRef != nil {
+		in, out := &in.SecretKeyRef, &out.SecretKeyRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SecretKeySelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvVarSource.
+func (in *EnvVarSource) DeepCopy() *EnvVarSource {
+	if in == nil {
+		return nil
+	}
+	out := new(EnvVarSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Event) DeepCopyInto(out *Event) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.InvolvedObject = in.InvolvedObject
+	out.Source = in.Source
+	in.FirstTimestamp.DeepCopyInto(&out.FirstTimestamp)
+	in.LastTimestamp.DeepCopyInto(&out.LastTimestamp)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Event.
+func (in *Event) DeepCopy() *Event {
+	if in == nil {
+		return nil
+	}
+	out := new(Event)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Event) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EventList) DeepCopyInto(out *EventList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Event, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventList.
+func (in *EventList) DeepCopy() *EventList {
+	if in == nil {
+		return nil
+	}
+	out := new(EventList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *EventList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EventSource) DeepCopyInto(out *EventSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventSource.
+func (in *EventSource) DeepCopy() *EventSource {
+	if in == nil {
+		return nil
+	}
+	out := new(EventSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExecAction) DeepCopyInto(out *ExecAction) {
+	*out = *in
+	if in.Command != nil {
+		in, out := &in.Command, &out.Command
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecAction.
+func (in *ExecAction) DeepCopy() *ExecAction {
+	if in == nil {
+		return nil
+	}
+	out := new(ExecAction)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FCVolumeSource) DeepCopyInto(out *FCVolumeSource) {
+	*out = *in
+	if in.TargetWWNs != nil {
+		in, out := &in.TargetWWNs, &out.TargetWWNs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Lun != nil {
+		in, out := &in.Lun, &out.Lun
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.WWIDs != nil {
+		in, out := &in.WWIDs, &out.WWIDs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FCVolumeSource.
+func (in *FCVolumeSource) DeepCopy() *FCVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(FCVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FlexVolumeSource) DeepCopyInto(out *FlexVolumeSource) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(LocalObjectReference)
+			**out = **in
+		}
+	}
+	if in.Options != nil {
+		in, out := &in.Options, &out.Options
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlexVolumeSource.
+func (in *FlexVolumeSource) DeepCopy() *FlexVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(FlexVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FlockerVolumeSource) DeepCopyInto(out *FlockerVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlockerVolumeSource.
+func (in *FlockerVolumeSource) DeepCopy() *FlockerVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(FlockerVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCEPersistentDiskVolumeSource) DeepCopyInto(out *GCEPersistentDiskVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCEPersistentDiskVolumeSource.
+func (in *GCEPersistentDiskVolumeSource) DeepCopy() *GCEPersistentDiskVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(GCEPersistentDiskVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitRepoVolumeSource) DeepCopyInto(out *GitRepoVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepoVolumeSource.
+func (in *GitRepoVolumeSource) DeepCopy() *GitRepoVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(GitRepoVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GlusterfsVolumeSource) DeepCopyInto(out *GlusterfsVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlusterfsVolumeSource.
+func (in *GlusterfsVolumeSource) DeepCopy() *GlusterfsVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(GlusterfsVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPGetAction) DeepCopyInto(out *HTTPGetAction) {
+	*out = *in
+	out.Port = in.Port
+	if in.HTTPHeaders != nil {
+		in, out := &in.HTTPHeaders, &out.HTTPHeaders
+		*out = make([]HTTPHeader, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPGetAction.
+func (in *HTTPGetAction) DeepCopy() *HTTPGetAction {
+	if in == nil {
+		return nil
+	}
+	out := new(HTTPGetAction)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPHeader) DeepCopyInto(out *HTTPHeader) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPHeader.
+func (in *HTTPHeader) DeepCopy() *HTTPHeader {
+	if in == nil {
+		return nil
+	}
+	out := new(HTTPHeader)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Handler) DeepCopyInto(out *Handler) {
+	*out = *in
+	if in.Exec != nil {
+		in, out := &in.Exec, &out.Exec
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ExecAction)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.HTTPGet != nil {
+		in, out := &in.HTTPGet, &out.HTTPGet
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(HTTPGetAction)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.TCPSocket != nil {
+		in, out := &in.TCPSocket, &out.TCPSocket
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(TCPSocketAction)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Handler.
+func (in *Handler) DeepCopy() *Handler {
+	if in == nil {
+		return nil
+	}
+	out := new(Handler)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HostAlias) DeepCopyInto(out *HostAlias) {
+	*out = *in
+	if in.Hostnames != nil {
+		in, out := &in.Hostnames, &out.Hostnames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostAlias.
+func (in *HostAlias) DeepCopy() *HostAlias {
+	if in == nil {
+		return nil
+	}
+	out := new(HostAlias)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HostPathVolumeSource) DeepCopyInto(out *HostPathVolumeSource) {
+	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(HostPathType)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPathVolumeSource.
+func (in *HostPathVolumeSource) DeepCopy() *HostPathVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(HostPathVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ISCSIVolumeSource) DeepCopyInto(out *ISCSIVolumeSource) {
+	*out = *in
+	if in.Portals != nil {
+		in, out := &in.Portals, &out.Portals
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(LocalObjectReference)
+			**out = **in
+		}
+	}
+	if in.InitiatorName != nil {
+		in, out := &in.InitiatorName, &out.InitiatorName
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ISCSIVolumeSource.
+func (in *ISCSIVolumeSource) DeepCopy() *ISCSIVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(ISCSIVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KeyToPath) DeepCopyInto(out *KeyToPath) {
+	*out = *in
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyToPath.
+func (in *KeyToPath) DeepCopy() *KeyToPath {
+	if in == nil {
+		return nil
+	}
+	out := new(KeyToPath)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Lifecycle) DeepCopyInto(out *Lifecycle) {
+	*out = *in
+	if in.PostStart != nil {
+		in, out := &in.PostStart, &out.PostStart
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Handler)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.PreStop != nil {
+		in, out := &in.PreStop, &out.PreStop
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Handler)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Lifecycle.
+func (in *Lifecycle) DeepCopy() *Lifecycle {
+	if in == nil {
+		return nil
+	}
+	out := new(Lifecycle)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LimitRange) DeepCopyInto(out *LimitRange) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LimitRange.
+func (in *LimitRange) DeepCopy() *LimitRange {
+	if in == nil {
+		return nil
+	}
+	out := new(LimitRange)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LimitRange) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LimitRangeItem) DeepCopyInto(out *LimitRangeItem) {
+	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Default != nil {
+		in, out := &in.Default, &out.Default
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.DefaultRequest != nil {
+		in, out := &in.DefaultRequest, &out.DefaultRequest
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.MaxLimitRequestRatio != nil {
+		in, out := &in.MaxLimitRequestRatio, &out.MaxLimitRequestRatio
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LimitRangeItem.
+func (in *LimitRangeItem) DeepCopy() *LimitRangeItem {
+	if in == nil {
+		return nil
+	}
+	out := new(LimitRangeItem)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LimitRangeList) DeepCopyInto(out *LimitRangeList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]LimitRange, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LimitRangeList.
+func (in *LimitRangeList) DeepCopy() *LimitRangeList {
+	if in == nil {
+		return nil
+	}
+	out := new(LimitRangeList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LimitRangeList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LimitRangeSpec) DeepCopyInto(out *LimitRangeSpec) {
+	*out = *in
+	if in.Limits != nil {
+		in, out := &in.Limits, &out.Limits
+		*out = make([]LimitRangeItem, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LimitRangeSpec.
+func (in *LimitRangeSpec) DeepCopy() *LimitRangeSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(LimitRangeSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *List) DeepCopyInto(out *List) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]runtime.RawExtension, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new List.
+func (in *List) DeepCopy() *List {
+	if in == nil {
+		return nil
+	}
+	out := new(List)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *List) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ListOptions) DeepCopyInto(out *ListOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.TimeoutSeconds != nil {
+		in, out := &in.TimeoutSeconds, &out.TimeoutSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListOptions.
+func (in *ListOptions) DeepCopy() *ListOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(ListOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ListOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LoadBalancerIngress) DeepCopyInto(out *LoadBalancerIngress) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoadBalancerIngress.
+func (in *LoadBalancerIngress) DeepCopy() *LoadBalancerIngress {
+	if in == nil {
+		return nil
+	}
+	out := new(LoadBalancerIngress)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LoadBalancerStatus) DeepCopyInto(out *LoadBalancerStatus) {
+	*out = *in
+	if in.Ingress != nil {
+		in, out := &in.Ingress, &out.Ingress
+		*out = make([]LoadBalancerIngress, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoadBalancerStatus.
+func (in *LoadBalancerStatus) DeepCopy() *LoadBalancerStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(LoadBalancerStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LocalObjectReference) DeepCopyInto(out *LocalObjectReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalObjectReference.
+func (in *LocalObjectReference) DeepCopy() *LocalObjectReference {
+	if in == nil {
+		return nil
+	}
+	out := new(LocalObjectReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LocalVolumeSource) DeepCopyInto(out *LocalVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalVolumeSource.
+func (in *LocalVolumeSource) DeepCopy() *LocalVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(LocalVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NFSVolumeSource) DeepCopyInto(out *NFSVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NFSVolumeSource.
+func (in *NFSVolumeSource) DeepCopy() *NFSVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(NFSVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Namespace) DeepCopyInto(out *Namespace) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Namespace.
+func (in *Namespace) DeepCopy() *Namespace {
+	if in == nil {
+		return nil
+	}
+	out := new(Namespace)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Namespace) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceList) DeepCopyInto(out *NamespaceList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Namespace, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceList.
+func (in *NamespaceList) DeepCopy() *NamespaceList {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NamespaceList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceSpec) DeepCopyInto(out *NamespaceSpec) {
+	*out = *in
+	if in.Finalizers != nil {
+		in, out := &in.Finalizers, &out.Finalizers
+		*out = make([]FinalizerName, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceSpec.
+func (in *NamespaceSpec) DeepCopy() *NamespaceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamespaceStatus) DeepCopyInto(out *NamespaceStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespaceStatus.
+func (in *NamespaceStatus) DeepCopy() *NamespaceStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(NamespaceStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Node) DeepCopyInto(out *Node) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Node.
+func (in *Node) DeepCopy() *Node {
+	if in == nil {
+		return nil
+	}
+	out := new(Node)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Node) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeAddress) DeepCopyInto(out *NodeAddress) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeAddress.
+func (in *NodeAddress) DeepCopy() *NodeAddress {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeAddress)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeAffinity) DeepCopyInto(out *NodeAffinity) {
+	*out = *in
+	if in.RequiredDuringSchedulingIgnoredDuringExecution != nil {
+		in, out := &in.RequiredDuringSchedulingIgnoredDuringExecution, &out.RequiredDuringSchedulingIgnoredDuringExecution
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(NodeSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.PreferredDuringSchedulingIgnoredDuringExecution != nil {
+		in, out := &in.PreferredDuringSchedulingIgnoredDuringExecution, &out.PreferredDuringSchedulingIgnoredDuringExecution
+		*out = make([]PreferredSchedulingTerm, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeAffinity.
+func (in *NodeAffinity) DeepCopy() *NodeAffinity {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeAffinity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeCondition) DeepCopyInto(out *NodeCondition) {
+	*out = *in
+	in.LastHeartbeatTime.DeepCopyInto(&out.LastHeartbeatTime)
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeCondition.
+func (in *NodeCondition) DeepCopy() *NodeCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeConfigSource) DeepCopyInto(out *NodeConfigSource) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.ConfigMapRef != nil {
+		in, out := &in.ConfigMapRef, &out.ConfigMapRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ObjectReference)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeConfigSource.
+func (in *NodeConfigSource) DeepCopy() *NodeConfigSource {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeConfigSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NodeConfigSource) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeDaemonEndpoints) DeepCopyInto(out *NodeDaemonEndpoints) {
+	*out = *in
+	out.KubeletEndpoint = in.KubeletEndpoint
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeDaemonEndpoints.
+func (in *NodeDaemonEndpoints) DeepCopy() *NodeDaemonEndpoints {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeDaemonEndpoints)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeList) DeepCopyInto(out *NodeList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Node, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeList.
+func (in *NodeList) DeepCopy() *NodeList {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NodeList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeProxyOptions) DeepCopyInto(out *NodeProxyOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeProxyOptions.
+func (in *NodeProxyOptions) DeepCopy() *NodeProxyOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeProxyOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NodeProxyOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeResources) DeepCopyInto(out *NodeResources) {
+	*out = *in
+	if in.Capacity != nil {
+		in, out := &in.Capacity, &out.Capacity
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeResources.
+func (in *NodeResources) DeepCopy() *NodeResources {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeResources)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeSelector) DeepCopyInto(out *NodeSelector) {
+	*out = *in
+	if in.NodeSelectorTerms != nil {
+		in, out := &in.NodeSelectorTerms, &out.NodeSelectorTerms
+		*out = make([]NodeSelectorTerm, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeSelector.
+func (in *NodeSelector) DeepCopy() *NodeSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeSelectorRequirement) DeepCopyInto(out *NodeSelectorRequirement) {
+	*out = *in
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeSelectorRequirement.
+func (in *NodeSelectorRequirement) DeepCopy() *NodeSelectorRequirement {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeSelectorRequirement)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeSelectorTerm) DeepCopyInto(out *NodeSelectorTerm) {
+	*out = *in
+	if in.MatchExpressions != nil {
+		in, out := &in.MatchExpressions, &out.MatchExpressions
+		*out = make([]NodeSelectorRequirement, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeSelectorTerm.
+func (in *NodeSelectorTerm) DeepCopy() *NodeSelectorTerm {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeSelectorTerm)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeSpec) DeepCopyInto(out *NodeSpec) {
+	*out = *in
+	if in.Taints != nil {
+		in, out := &in.Taints, &out.Taints
+		*out = make([]Taint, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ConfigSource != nil {
+		in, out := &in.ConfigSource, &out.ConfigSource
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(NodeConfigSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeSpec.
+func (in *NodeSpec) DeepCopy() *NodeSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeStatus) DeepCopyInto(out *NodeStatus) {
+	*out = *in
+	if in.Capacity != nil {
+		in, out := &in.Capacity, &out.Capacity
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Allocatable != nil {
+		in, out := &in.Allocatable, &out.Allocatable
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]NodeCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Addresses != nil {
+		in, out := &in.Addresses, &out.Addresses
+		*out = make([]NodeAddress, len(*in))
+		copy(*out, *in)
+	}
+	out.DaemonEndpoints = in.DaemonEndpoints
+	out.NodeInfo = in.NodeInfo
+	if in.Images != nil {
+		in, out := &in.Images, &out.Images
+		*out = make([]ContainerImage, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VolumesInUse != nil {
+		in, out := &in.VolumesInUse, &out.VolumesInUse
+		*out = make([]UniqueVolumeName, len(*in))
+		copy(*out, *in)
+	}
+	if in.VolumesAttached != nil {
+		in, out := &in.VolumesAttached, &out.VolumesAttached
+		*out = make([]AttachedVolume, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeStatus.
+func (in *NodeStatus) DeepCopy() *NodeStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeSystemInfo) DeepCopyInto(out *NodeSystemInfo) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeSystemInfo.
+func (in *NodeSystemInfo) DeepCopy() *NodeSystemInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeSystemInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectFieldSelector) DeepCopyInto(out *ObjectFieldSelector) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectFieldSelector.
+func (in *ObjectFieldSelector) DeepCopy() *ObjectFieldSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectFieldSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectMeta) DeepCopyInto(out *ObjectMeta) {
+	*out = *in
+	in.CreationTimestamp.DeepCopyInto(&out.CreationTimestamp)
+	if in.DeletionTimestamp != nil {
+		in, out := &in.DeletionTimestamp, &out.DeletionTimestamp
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.DeletionGracePeriodSeconds != nil {
+		in, out := &in.DeletionGracePeriodSeconds, &out.DeletionGracePeriodSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.OwnerReferences != nil {
+		in, out := &in.OwnerReferences, &out.OwnerReferences
+		*out = make([]meta_v1.OwnerReference, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Initializers != nil {
+		in, out := &in.Initializers, &out.Initializers
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.Initializers)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Finalizers != nil {
+		in, out := &in.Finalizers, &out.Finalizers
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectMeta.
+func (in *ObjectMeta) DeepCopy() *ObjectMeta {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectMeta)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectReference) DeepCopyInto(out *ObjectReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectReference.
+func (in *ObjectReference) DeepCopy() *ObjectReference {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ObjectReference) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolume) DeepCopyInto(out *PersistentVolume) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	out.Status = in.Status
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolume.
+func (in *PersistentVolume) DeepCopy() *PersistentVolume {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolume)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PersistentVolume) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeClaim) DeepCopyInto(out *PersistentVolumeClaim) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaim.
+func (in *PersistentVolumeClaim) DeepCopy() *PersistentVolumeClaim {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolumeClaim)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PersistentVolumeClaim) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeClaimCondition) DeepCopyInto(out *PersistentVolumeClaimCondition) {
+	*out = *in
+	in.LastProbeTime.DeepCopyInto(&out.LastProbeTime)
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimCondition.
+func (in *PersistentVolumeClaimCondition) DeepCopy() *PersistentVolumeClaimCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolumeClaimCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeClaimList) DeepCopyInto(out *PersistentVolumeClaimList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PersistentVolumeClaim, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimList.
+func (in *PersistentVolumeClaimList) DeepCopy() *PersistentVolumeClaimList {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolumeClaimList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PersistentVolumeClaimList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeClaimSpec) DeepCopyInto(out *PersistentVolumeClaimSpec) {
+	*out = *in
+	if in.AccessModes != nil {
+		in, out := &in.AccessModes, &out.AccessModes
+		*out = make([]PersistentVolumeAccessMode, len(*in))
+		copy(*out, *in)
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	in.Resources.DeepCopyInto(&out.Resources)
+	if in.StorageClassName != nil {
+		in, out := &in.StorageClassName, &out.StorageClassName
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(string)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimSpec.
+func (in *PersistentVolumeClaimSpec) DeepCopy() *PersistentVolumeClaimSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolumeClaimSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeClaimStatus) DeepCopyInto(out *PersistentVolumeClaimStatus) {
+	*out = *in
+	if in.AccessModes != nil {
+		in, out := &in.AccessModes, &out.AccessModes
+		*out = make([]PersistentVolumeAccessMode, len(*in))
+		copy(*out, *in)
+	}
+	if in.Capacity != nil {
+		in, out := &in.Capacity, &out.Capacity
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]PersistentVolumeClaimCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimStatus.
+func (in *PersistentVolumeClaimStatus) DeepCopy() *PersistentVolumeClaimStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolumeClaimStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeClaimVolumeSource) DeepCopyInto(out *PersistentVolumeClaimVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimVolumeSource.
+func (in *PersistentVolumeClaimVolumeSource) DeepCopy() *PersistentVolumeClaimVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolumeClaimVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeList) DeepCopyInto(out *PersistentVolumeList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PersistentVolume, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeList.
+func (in *PersistentVolumeList) DeepCopy() *PersistentVolumeList {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolumeList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PersistentVolumeList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeSource) DeepCopyInto(out *PersistentVolumeSource) {
+	*out = *in
+	if in.GCEPersistentDisk != nil {
+		in, out := &in.GCEPersistentDisk, &out.GCEPersistentDisk
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(GCEPersistentDiskVolumeSource)
+			**out = **in
+		}
+	}
+	if in.AWSElasticBlockStore != nil {
+		in, out := &in.AWSElasticBlockStore, &out.AWSElasticBlockStore
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AWSElasticBlockStoreVolumeSource)
+			**out = **in
+		}
+	}
+	if in.HostPath != nil {
+		in, out := &in.HostPath, &out.HostPath
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(HostPathVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Glusterfs != nil {
+		in, out := &in.Glusterfs, &out.Glusterfs
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(GlusterfsVolumeSource)
+			**out = **in
+		}
+	}
+	if in.NFS != nil {
+		in, out := &in.NFS, &out.NFS
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(NFSVolumeSource)
+			**out = **in
+		}
+	}
+	if in.RBD != nil {
+		in, out := &in.RBD, &out.RBD
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RBDVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.ISCSI != nil {
+		in, out := &in.ISCSI, &out.ISCSI
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ISCSIVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Cinder != nil {
+		in, out := &in.Cinder, &out.Cinder
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(CinderVolumeSource)
+			**out = **in
+		}
+	}
+	if in.CephFS != nil {
+		in, out := &in.CephFS, &out.CephFS
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(CephFSPersistentVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.FC != nil {
+		in, out := &in.FC, &out.FC
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(FCVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Flocker != nil {
+		in, out := &in.Flocker, &out.Flocker
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(FlockerVolumeSource)
+			**out = **in
+		}
+	}
+	if in.FlexVolume != nil {
+		in, out := &in.FlexVolume, &out.FlexVolume
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(FlexVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.AzureFile != nil {
+		in, out := &in.AzureFile, &out.AzureFile
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AzureFilePersistentVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.VsphereVolume != nil {
+		in, out := &in.VsphereVolume, &out.VsphereVolume
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(VsphereVirtualDiskVolumeSource)
+			**out = **in
+		}
+	}
+	if in.Quobyte != nil {
+		in, out := &in.Quobyte, &out.Quobyte
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(QuobyteVolumeSource)
+			**out = **in
+		}
+	}
+	if in.AzureDisk != nil {
+		in, out := &in.AzureDisk, &out.AzureDisk
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AzureDiskVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.PhotonPersistentDisk != nil {
+		in, out := &in.PhotonPersistentDisk, &out.PhotonPersistentDisk
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PhotonPersistentDiskVolumeSource)
+			**out = **in
+		}
+	}
+	if in.PortworxVolume != nil {
+		in, out := &in.PortworxVolume, &out.PortworxVolume
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PortworxVolumeSource)
+			**out = **in
+		}
+	}
+	if in.ScaleIO != nil {
+		in, out := &in.ScaleIO, &out.ScaleIO
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ScaleIOPersistentVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Local != nil {
+		in, out := &in.Local, &out.Local
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(LocalVolumeSource)
+			**out = **in
+		}
+	}
+	if in.StorageOS != nil {
+		in, out := &in.StorageOS, &out.StorageOS
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(StorageOSPersistentVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeSource.
+func (in *PersistentVolumeSource) DeepCopy() *PersistentVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeSpec) DeepCopyInto(out *PersistentVolumeSpec) {
+	*out = *in
+	if in.Capacity != nil {
+		in, out := &in.Capacity, &out.Capacity
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	in.PersistentVolumeSource.DeepCopyInto(&out.PersistentVolumeSource)
+	if in.AccessModes != nil {
+		in, out := &in.AccessModes, &out.AccessModes
+		*out = make([]PersistentVolumeAccessMode, len(*in))
+		copy(*out, *in)
+	}
+	if in.ClaimRef != nil {
+		in, out := &in.ClaimRef, &out.ClaimRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ObjectReference)
+			**out = **in
+		}
+	}
+	if in.MountOptions != nil {
+		in, out := &in.MountOptions, &out.MountOptions
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeSpec.
+func (in *PersistentVolumeSpec) DeepCopy() *PersistentVolumeSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolumeSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PersistentVolumeStatus) DeepCopyInto(out *PersistentVolumeStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeStatus.
+func (in *PersistentVolumeStatus) DeepCopy() *PersistentVolumeStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PersistentVolumeStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PhotonPersistentDiskVolumeSource) DeepCopyInto(out *PhotonPersistentDiskVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PhotonPersistentDiskVolumeSource.
+func (in *PhotonPersistentDiskVolumeSource) DeepCopy() *PhotonPersistentDiskVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(PhotonPersistentDiskVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Pod) DeepCopyInto(out *Pod) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Pod.
+func (in *Pod) DeepCopy() *Pod {
+	if in == nil {
+		return nil
+	}
+	out := new(Pod)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Pod) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodAffinity) DeepCopyInto(out *PodAffinity) {
+	*out = *in
+	if in.RequiredDuringSchedulingIgnoredDuringExecution != nil {
+		in, out := &in.RequiredDuringSchedulingIgnoredDuringExecution, &out.RequiredDuringSchedulingIgnoredDuringExecution
+		*out = make([]PodAffinityTerm, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PreferredDuringSchedulingIgnoredDuringExecution != nil {
+		in, out := &in.PreferredDuringSchedulingIgnoredDuringExecution, &out.PreferredDuringSchedulingIgnoredDuringExecution
+		*out = make([]WeightedPodAffinityTerm, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodAffinity.
+func (in *PodAffinity) DeepCopy() *PodAffinity {
+	if in == nil {
+		return nil
+	}
+	out := new(PodAffinity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodAffinityTerm) DeepCopyInto(out *PodAffinityTerm) {
+	*out = *in
+	if in.LabelSelector != nil {
+		in, out := &in.LabelSelector, &out.LabelSelector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Namespaces != nil {
+		in, out := &in.Namespaces, &out.Namespaces
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodAffinityTerm.
+func (in *PodAffinityTerm) DeepCopy() *PodAffinityTerm {
+	if in == nil {
+		return nil
+	}
+	out := new(PodAffinityTerm)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodAntiAffinity) DeepCopyInto(out *PodAntiAffinity) {
+	*out = *in
+	if in.RequiredDuringSchedulingIgnoredDuringExecution != nil {
+		in, out := &in.RequiredDuringSchedulingIgnoredDuringExecution, &out.RequiredDuringSchedulingIgnoredDuringExecution
+		*out = make([]PodAffinityTerm, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PreferredDuringSchedulingIgnoredDuringExecution != nil {
+		in, out := &in.PreferredDuringSchedulingIgnoredDuringExecution, &out.PreferredDuringSchedulingIgnoredDuringExecution
+		*out = make([]WeightedPodAffinityTerm, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodAntiAffinity.
+func (in *PodAntiAffinity) DeepCopy() *PodAntiAffinity {
+	if in == nil {
+		return nil
+	}
+	out := new(PodAntiAffinity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodAttachOptions) DeepCopyInto(out *PodAttachOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodAttachOptions.
+func (in *PodAttachOptions) DeepCopy() *PodAttachOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(PodAttachOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodAttachOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodCondition) DeepCopyInto(out *PodCondition) {
+	*out = *in
+	in.LastProbeTime.DeepCopyInto(&out.LastProbeTime)
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCondition.
+func (in *PodCondition) DeepCopy() *PodCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(PodCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodExecOptions) DeepCopyInto(out *PodExecOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.Command != nil {
+		in, out := &in.Command, &out.Command
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodExecOptions.
+func (in *PodExecOptions) DeepCopy() *PodExecOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(PodExecOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodExecOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodList) DeepCopyInto(out *PodList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Pod, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodList.
+func (in *PodList) DeepCopy() *PodList {
+	if in == nil {
+		return nil
+	}
+	out := new(PodList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodLogOptions) DeepCopyInto(out *PodLogOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.SinceSeconds != nil {
+		in, out := &in.SinceSeconds, &out.SinceSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.SinceTime != nil {
+		in, out := &in.SinceTime, &out.SinceTime
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.TailLines != nil {
+		in, out := &in.TailLines, &out.TailLines
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.LimitBytes != nil {
+		in, out := &in.LimitBytes, &out.LimitBytes
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodLogOptions.
+func (in *PodLogOptions) DeepCopy() *PodLogOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(PodLogOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodLogOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodPortForwardOptions) DeepCopyInto(out *PodPortForwardOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]int32, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodPortForwardOptions.
+func (in *PodPortForwardOptions) DeepCopy() *PodPortForwardOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(PodPortForwardOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodPortForwardOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodProxyOptions) DeepCopyInto(out *PodProxyOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodProxyOptions.
+func (in *PodProxyOptions) DeepCopy() *PodProxyOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(PodProxyOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodProxyOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSecurityContext) DeepCopyInto(out *PodSecurityContext) {
+	*out = *in
+	if in.SELinuxOptions != nil {
+		in, out := &in.SELinuxOptions, &out.SELinuxOptions
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SELinuxOptions)
+			**out = **in
+		}
+	}
+	if in.RunAsUser != nil {
+		in, out := &in.RunAsUser, &out.RunAsUser
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.RunAsNonRoot != nil {
+		in, out := &in.RunAsNonRoot, &out.RunAsNonRoot
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.SupplementalGroups != nil {
+		in, out := &in.SupplementalGroups, &out.SupplementalGroups
+		*out = make([]int64, len(*in))
+		copy(*out, *in)
+	}
+	if in.FSGroup != nil {
+		in, out := &in.FSGroup, &out.FSGroup
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityContext.
+func (in *PodSecurityContext) DeepCopy() *PodSecurityContext {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSecurityContext)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSignature) DeepCopyInto(out *PodSignature) {
+	*out = *in
+	if in.PodController != nil {
+		in, out := &in.PodController, &out.PodController
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.OwnerReference)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSignature.
+func (in *PodSignature) DeepCopy() *PodSignature {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSignature)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSpec) DeepCopyInto(out *PodSpec) {
+	*out = *in
+	if in.Volumes != nil {
+		in, out := &in.Volumes, &out.Volumes
+		*out = make([]Volume, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InitContainers != nil {
+		in, out := &in.InitContainers, &out.InitContainers
+		*out = make([]Container, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Containers != nil {
+		in, out := &in.Containers, &out.Containers
+		*out = make([]Container, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TerminationGracePeriodSeconds != nil {
+		in, out := &in.TerminationGracePeriodSeconds, &out.TerminationGracePeriodSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.ActiveDeadlineSeconds != nil {
+		in, out := &in.ActiveDeadlineSeconds, &out.ActiveDeadlineSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.NodeSelector != nil {
+		in, out := &in.NodeSelector, &out.NodeSelector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.AutomountServiceAccountToken != nil {
+		in, out := &in.AutomountServiceAccountToken, &out.AutomountServiceAccountToken
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.SecurityContext != nil {
+		in, out := &in.SecurityContext, &out.SecurityContext
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PodSecurityContext)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.ImagePullSecrets != nil {
+		in, out := &in.ImagePullSecrets, &out.ImagePullSecrets
+		*out = make([]LocalObjectReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.Affinity != nil {
+		in, out := &in.Affinity, &out.Affinity
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Affinity)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]Toleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HostAliases != nil {
+		in, out := &in.HostAliases, &out.HostAliases
+		*out = make([]HostAlias, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSpec.
+func (in *PodSpec) DeepCopy() *PodSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodStatus) DeepCopyInto(out *PodStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]PodCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StartTime != nil {
+		in, out := &in.StartTime, &out.StartTime
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.InitContainerStatuses != nil {
+		in, out := &in.InitContainerStatuses, &out.InitContainerStatuses
+		*out = make([]ContainerStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ContainerStatuses != nil {
+		in, out := &in.ContainerStatuses, &out.ContainerStatuses
+		*out = make([]ContainerStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodStatus.
+func (in *PodStatus) DeepCopy() *PodStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PodStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodStatusResult) DeepCopyInto(out *PodStatusResult) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodStatusResult.
+func (in *PodStatusResult) DeepCopy() *PodStatusResult {
+	if in == nil {
+		return nil
+	}
+	out := new(PodStatusResult)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodStatusResult) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodTemplate) DeepCopyInto(out *PodTemplate) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Template.DeepCopyInto(&out.Template)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodTemplate.
+func (in *PodTemplate) DeepCopy() *PodTemplate {
+	if in == nil {
+		return nil
+	}
+	out := new(PodTemplate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodTemplate) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodTemplateList) DeepCopyInto(out *PodTemplateList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PodTemplate, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodTemplateList.
+func (in *PodTemplateList) DeepCopy() *PodTemplateList {
+	if in == nil {
+		return nil
+	}
+	out := new(PodTemplateList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodTemplateList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodTemplateSpec) DeepCopyInto(out *PodTemplateSpec) {
+	*out = *in
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodTemplateSpec.
+func (in *PodTemplateSpec) DeepCopy() *PodTemplateSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PodTemplateSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PortworxVolumeSource) DeepCopyInto(out *PortworxVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortworxVolumeSource.
+func (in *PortworxVolumeSource) DeepCopy() *PortworxVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(PortworxVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Preconditions) DeepCopyInto(out *Preconditions) {
+	*out = *in
+	if in.UID != nil {
+		in, out := &in.UID, &out.UID
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(types.UID)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Preconditions.
+func (in *Preconditions) DeepCopy() *Preconditions {
+	if in == nil {
+		return nil
+	}
+	out := new(Preconditions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PreferAvoidPodsEntry) DeepCopyInto(out *PreferAvoidPodsEntry) {
+	*out = *in
+	in.PodSignature.DeepCopyInto(&out.PodSignature)
+	in.EvictionTime.DeepCopyInto(&out.EvictionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreferAvoidPodsEntry.
+func (in *PreferAvoidPodsEntry) DeepCopy() *PreferAvoidPodsEntry {
+	if in == nil {
+		return nil
+	}
+	out := new(PreferAvoidPodsEntry)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PreferredSchedulingTerm) DeepCopyInto(out *PreferredSchedulingTerm) {
+	*out = *in
+	in.Preference.DeepCopyInto(&out.Preference)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreferredSchedulingTerm.
+func (in *PreferredSchedulingTerm) DeepCopy() *PreferredSchedulingTerm {
+	if in == nil {
+		return nil
+	}
+	out := new(PreferredSchedulingTerm)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Probe) DeepCopyInto(out *Probe) {
+	*out = *in
+	in.Handler.DeepCopyInto(&out.Handler)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Probe.
+func (in *Probe) DeepCopy() *Probe {
+	if in == nil {
+		return nil
+	}
+	out := new(Probe)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProjectedVolumeSource) DeepCopyInto(out *ProjectedVolumeSource) {
+	*out = *in
+	if in.Sources != nil {
+		in, out := &in.Sources, &out.Sources
+		*out = make([]VolumeProjection, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultMode != nil {
+		in, out := &in.DefaultMode, &out.DefaultMode
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProjectedVolumeSource.
+func (in *ProjectedVolumeSource) DeepCopy() *ProjectedVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(ProjectedVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *QuobyteVolumeSource) DeepCopyInto(out *QuobyteVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QuobyteVolumeSource.
+func (in *QuobyteVolumeSource) DeepCopy() *QuobyteVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(QuobyteVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RBDVolumeSource) DeepCopyInto(out *RBDVolumeSource) {
+	*out = *in
+	if in.CephMonitors != nil {
+		in, out := &in.CephMonitors, &out.CephMonitors
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(LocalObjectReference)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RBDVolumeSource.
+func (in *RBDVolumeSource) DeepCopy() *RBDVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(RBDVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RangeAllocation) DeepCopyInto(out *RangeAllocation) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RangeAllocation.
+func (in *RangeAllocation) DeepCopy() *RangeAllocation {
+	if in == nil {
+		return nil
+	}
+	out := new(RangeAllocation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RangeAllocation) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicationController) DeepCopyInto(out *ReplicationController) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationController.
+func (in *ReplicationController) DeepCopy() *ReplicationController {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicationController)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ReplicationController) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicationControllerCondition) DeepCopyInto(out *ReplicationControllerCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationControllerCondition.
+func (in *ReplicationControllerCondition) DeepCopy() *ReplicationControllerCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicationControllerCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicationControllerList) DeepCopyInto(out *ReplicationControllerList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ReplicationController, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationControllerList.
+func (in *ReplicationControllerList) DeepCopy() *ReplicationControllerList {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicationControllerList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ReplicationControllerList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicationControllerSpec) DeepCopyInto(out *ReplicationControllerSpec) {
+	*out = *in
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Template != nil {
+		in, out := &in.Template, &out.Template
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PodTemplateSpec)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationControllerSpec.
+func (in *ReplicationControllerSpec) DeepCopy() *ReplicationControllerSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicationControllerSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicationControllerStatus) DeepCopyInto(out *ReplicationControllerStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ReplicationControllerCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationControllerStatus.
+func (in *ReplicationControllerStatus) DeepCopy() *ReplicationControllerStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicationControllerStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceFieldSelector) DeepCopyInto(out *ResourceFieldSelector) {
+	*out = *in
+	out.Divisor = in.Divisor.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFieldSelector.
+func (in *ResourceFieldSelector) DeepCopy() *ResourceFieldSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceFieldSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceQuota) DeepCopyInto(out *ResourceQuota) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceQuota.
+func (in *ResourceQuota) DeepCopy() *ResourceQuota {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceQuota)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ResourceQuota) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceQuotaList) DeepCopyInto(out *ResourceQuotaList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ResourceQuota, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceQuotaList.
+func (in *ResourceQuotaList) DeepCopy() *ResourceQuotaList {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceQuotaList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ResourceQuotaList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceQuotaSpec) DeepCopyInto(out *ResourceQuotaSpec) {
+	*out = *in
+	if in.Hard != nil {
+		in, out := &in.Hard, &out.Hard
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Scopes != nil {
+		in, out := &in.Scopes, &out.Scopes
+		*out = make([]ResourceQuotaScope, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceQuotaSpec.
+func (in *ResourceQuotaSpec) DeepCopy() *ResourceQuotaSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceQuotaSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceQuotaStatus) DeepCopyInto(out *ResourceQuotaStatus) {
+	*out = *in
+	if in.Hard != nil {
+		in, out := &in.Hard, &out.Hard
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Used != nil {
+		in, out := &in.Used, &out.Used
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceQuotaStatus.
+func (in *ResourceQuotaStatus) DeepCopy() *ResourceQuotaStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceQuotaStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ResourceRequirements) DeepCopyInto(out *ResourceRequirements) {
+	*out = *in
+	if in.Limits != nil {
+		in, out := &in.Limits, &out.Limits
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	if in.Requests != nil {
+		in, out := &in.Requests, &out.Requests
+		*out = make(ResourceList, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val.DeepCopy()
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRequirements.
+func (in *ResourceRequirements) DeepCopy() *ResourceRequirements {
+	if in == nil {
+		return nil
+	}
+	out := new(ResourceRequirements)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SELinuxOptions) DeepCopyInto(out *SELinuxOptions) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxOptions.
+func (in *SELinuxOptions) DeepCopy() *SELinuxOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(SELinuxOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScaleIOPersistentVolumeSource) DeepCopyInto(out *ScaleIOPersistentVolumeSource) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SecretReference)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScaleIOPersistentVolumeSource.
+func (in *ScaleIOPersistentVolumeSource) DeepCopy() *ScaleIOPersistentVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(ScaleIOPersistentVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScaleIOVolumeSource) DeepCopyInto(out *ScaleIOVolumeSource) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(LocalObjectReference)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScaleIOVolumeSource.
+func (in *ScaleIOVolumeSource) DeepCopy() *ScaleIOVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(ScaleIOVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Secret) DeepCopyInto(out *Secret) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make(map[string][]byte, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = make([]byte, len(val))
+				copy((*out)[key], val)
+			}
+		}
+	}
+	if in.StringData != nil {
+		in, out := &in.StringData, &out.StringData
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Secret.
+func (in *Secret) DeepCopy() *Secret {
+	if in == nil {
+		return nil
+	}
+	out := new(Secret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Secret) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretEnvSource) DeepCopyInto(out *SecretEnvSource) {
+	*out = *in
+	out.LocalObjectReference = in.LocalObjectReference
+	if in.Optional != nil {
+		in, out := &in.Optional, &out.Optional
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretEnvSource.
+func (in *SecretEnvSource) DeepCopy() *SecretEnvSource {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretEnvSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretKeySelector) DeepCopyInto(out *SecretKeySelector) {
+	*out = *in
+	out.LocalObjectReference = in.LocalObjectReference
+	if in.Optional != nil {
+		in, out := &in.Optional, &out.Optional
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector.
+func (in *SecretKeySelector) DeepCopy() *SecretKeySelector {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretKeySelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretList) DeepCopyInto(out *SecretList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Secret, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretList.
+func (in *SecretList) DeepCopy() *SecretList {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SecretList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretProjection) DeepCopyInto(out *SecretProjection) {
+	*out = *in
+	out.LocalObjectReference = in.LocalObjectReference
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]KeyToPath, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Optional != nil {
+		in, out := &in.Optional, &out.Optional
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretProjection.
+func (in *SecretProjection) DeepCopy() *SecretProjection {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretProjection)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretReference) DeepCopyInto(out *SecretReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretReference.
+func (in *SecretReference) DeepCopy() *SecretReference {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretVolumeSource) DeepCopyInto(out *SecretVolumeSource) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]KeyToPath, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultMode != nil {
+		in, out := &in.DefaultMode, &out.DefaultMode
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Optional != nil {
+		in, out := &in.Optional, &out.Optional
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretVolumeSource.
+func (in *SecretVolumeSource) DeepCopy() *SecretVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecurityContext) DeepCopyInto(out *SecurityContext) {
+	*out = *in
+	if in.Capabilities != nil {
+		in, out := &in.Capabilities, &out.Capabilities
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Capabilities)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Privileged != nil {
+		in, out := &in.Privileged, &out.Privileged
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.SELinuxOptions != nil {
+		in, out := &in.SELinuxOptions, &out.SELinuxOptions
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SELinuxOptions)
+			**out = **in
+		}
+	}
+	if in.RunAsUser != nil {
+		in, out := &in.RunAsUser, &out.RunAsUser
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.RunAsNonRoot != nil {
+		in, out := &in.RunAsNonRoot, &out.RunAsNonRoot
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.ReadOnlyRootFilesystem != nil {
+		in, out := &in.ReadOnlyRootFilesystem, &out.ReadOnlyRootFilesystem
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.AllowPrivilegeEscalation != nil {
+		in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContext.
+func (in *SecurityContext) DeepCopy() *SecurityContext {
+	if in == nil {
+		return nil
+	}
+	out := new(SecurityContext)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SerializedReference) DeepCopyInto(out *SerializedReference) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.Reference = in.Reference
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SerializedReference.
+func (in *SerializedReference) DeepCopy() *SerializedReference {
+	if in == nil {
+		return nil
+	}
+	out := new(SerializedReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SerializedReference) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Service) DeepCopyInto(out *Service) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Service.
+func (in *Service) DeepCopy() *Service {
+	if in == nil {
+		return nil
+	}
+	out := new(Service)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Service) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccount) DeepCopyInto(out *ServiceAccount) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Secrets != nil {
+		in, out := &in.Secrets, &out.Secrets
+		*out = make([]ObjectReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.ImagePullSecrets != nil {
+		in, out := &in.ImagePullSecrets, &out.ImagePullSecrets
+		*out = make([]LocalObjectReference, len(*in))
+		copy(*out, *in)
+	}
+	if in.AutomountServiceAccountToken != nil {
+		in, out := &in.AutomountServiceAccountToken, &out.AutomountServiceAccountToken
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccount.
+func (in *ServiceAccount) DeepCopy() *ServiceAccount {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceAccount)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ServiceAccount) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountList) DeepCopyInto(out *ServiceAccountList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ServiceAccount, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountList.
+func (in *ServiceAccountList) DeepCopy() *ServiceAccountList {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceAccountList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ServiceAccountList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceList) DeepCopyInto(out *ServiceList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Service, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceList.
+func (in *ServiceList) DeepCopy() *ServiceList {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ServiceList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServicePort) DeepCopyInto(out *ServicePort) {
+	*out = *in
+	out.TargetPort = in.TargetPort
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePort.
+func (in *ServicePort) DeepCopy() *ServicePort {
+	if in == nil {
+		return nil
+	}
+	out := new(ServicePort)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceProxyOptions) DeepCopyInto(out *ServiceProxyOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceProxyOptions.
+func (in *ServiceProxyOptions) DeepCopy() *ServiceProxyOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceProxyOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ServiceProxyOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceSpec) DeepCopyInto(out *ServiceSpec) {
+	*out = *in
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]ServicePort, len(*in))
+		copy(*out, *in)
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.ExternalIPs != nil {
+		in, out := &in.ExternalIPs, &out.ExternalIPs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.LoadBalancerSourceRanges != nil {
+		in, out := &in.LoadBalancerSourceRanges, &out.LoadBalancerSourceRanges
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SessionAffinityConfig != nil {
+		in, out := &in.SessionAffinityConfig, &out.SessionAffinityConfig
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SessionAffinityConfig)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceSpec.
+func (in *ServiceSpec) DeepCopy() *ServiceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceStatus) DeepCopyInto(out *ServiceStatus) {
+	*out = *in
+	in.LoadBalancer.DeepCopyInto(&out.LoadBalancer)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceStatus.
+func (in *ServiceStatus) DeepCopy() *ServiceStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SessionAffinityConfig) DeepCopyInto(out *SessionAffinityConfig) {
+	*out = *in
+	if in.ClientIP != nil {
+		in, out := &in.ClientIP, &out.ClientIP
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ClientIPConfig)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SessionAffinityConfig.
+func (in *SessionAffinityConfig) DeepCopy() *SessionAffinityConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(SessionAffinityConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StorageOSPersistentVolumeSource) DeepCopyInto(out *StorageOSPersistentVolumeSource) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ObjectReference)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageOSPersistentVolumeSource.
+func (in *StorageOSPersistentVolumeSource) DeepCopy() *StorageOSPersistentVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(StorageOSPersistentVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StorageOSVolumeSource) DeepCopyInto(out *StorageOSVolumeSource) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(LocalObjectReference)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageOSVolumeSource.
+func (in *StorageOSVolumeSource) DeepCopy() *StorageOSVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(StorageOSVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Sysctl) DeepCopyInto(out *Sysctl) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Sysctl.
+func (in *Sysctl) DeepCopy() *Sysctl {
+	if in == nil {
+		return nil
+	}
+	out := new(Sysctl)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TCPSocketAction) DeepCopyInto(out *TCPSocketAction) {
+	*out = *in
+	out.Port = in.Port
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPSocketAction.
+func (in *TCPSocketAction) DeepCopy() *TCPSocketAction {
+	if in == nil {
+		return nil
+	}
+	out := new(TCPSocketAction)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Taint) DeepCopyInto(out *Taint) {
+	*out = *in
+	in.TimeAdded.DeepCopyInto(&out.TimeAdded)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Taint.
+func (in *Taint) DeepCopy() *Taint {
+	if in == nil {
+		return nil
+	}
+	out := new(Taint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Toleration) DeepCopyInto(out *Toleration) {
+	*out = *in
+	if in.TolerationSeconds != nil {
+		in, out := &in.TolerationSeconds, &out.TolerationSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Toleration.
+func (in *Toleration) DeepCopy() *Toleration {
+	if in == nil {
+		return nil
+	}
+	out := new(Toleration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Volume) DeepCopyInto(out *Volume) {
+	*out = *in
+	in.VolumeSource.DeepCopyInto(&out.VolumeSource)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Volume.
+func (in *Volume) DeepCopy() *Volume {
+	if in == nil {
+		return nil
+	}
+	out := new(Volume)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VolumeMount) DeepCopyInto(out *VolumeMount) {
+	*out = *in
+	if in.MountPropagation != nil {
+		in, out := &in.MountPropagation, &out.MountPropagation
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(MountPropagationMode)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VolumeMount.
+func (in *VolumeMount) DeepCopy() *VolumeMount {
+	if in == nil {
+		return nil
+	}
+	out := new(VolumeMount)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VolumeProjection) DeepCopyInto(out *VolumeProjection) {
+	*out = *in
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SecretProjection)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.DownwardAPI != nil {
+		in, out := &in.DownwardAPI, &out.DownwardAPI
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(DownwardAPIProjection)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.ConfigMap != nil {
+		in, out := &in.ConfigMap, &out.ConfigMap
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ConfigMapProjection)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VolumeProjection.
+func (in *VolumeProjection) DeepCopy() *VolumeProjection {
+	if in == nil {
+		return nil
+	}
+	out := new(VolumeProjection)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VolumeSource) DeepCopyInto(out *VolumeSource) {
+	*out = *in
+	if in.HostPath != nil {
+		in, out := &in.HostPath, &out.HostPath
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(HostPathVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.EmptyDir != nil {
+		in, out := &in.EmptyDir, &out.EmptyDir
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(EmptyDirVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.GCEPersistentDisk != nil {
+		in, out := &in.GCEPersistentDisk, &out.GCEPersistentDisk
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(GCEPersistentDiskVolumeSource)
+			**out = **in
+		}
+	}
+	if in.AWSElasticBlockStore != nil {
+		in, out := &in.AWSElasticBlockStore, &out.AWSElasticBlockStore
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AWSElasticBlockStoreVolumeSource)
+			**out = **in
+		}
+	}
+	if in.GitRepo != nil {
+		in, out := &in.GitRepo, &out.GitRepo
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(GitRepoVolumeSource)
+			**out = **in
+		}
+	}
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SecretVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.NFS != nil {
+		in, out := &in.NFS, &out.NFS
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(NFSVolumeSource)
+			**out = **in
+		}
+	}
+	if in.ISCSI != nil {
+		in, out := &in.ISCSI, &out.ISCSI
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ISCSIVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Glusterfs != nil {
+		in, out := &in.Glusterfs, &out.Glusterfs
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(GlusterfsVolumeSource)
+			**out = **in
+		}
+	}
+	if in.PersistentVolumeClaim != nil {
+		in, out := &in.PersistentVolumeClaim, &out.PersistentVolumeClaim
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PersistentVolumeClaimVolumeSource)
+			**out = **in
+		}
+	}
+	if in.RBD != nil {
+		in, out := &in.RBD, &out.RBD
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RBDVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.FlexVolume != nil {
+		in, out := &in.FlexVolume, &out.FlexVolume
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(FlexVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Cinder != nil {
+		in, out := &in.Cinder, &out.Cinder
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(CinderVolumeSource)
+			**out = **in
+		}
+	}
+	if in.CephFS != nil {
+		in, out := &in.CephFS, &out.CephFS
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(CephFSVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Flocker != nil {
+		in, out := &in.Flocker, &out.Flocker
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(FlockerVolumeSource)
+			**out = **in
+		}
+	}
+	if in.DownwardAPI != nil {
+		in, out := &in.DownwardAPI, &out.DownwardAPI
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(DownwardAPIVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.FC != nil {
+		in, out := &in.FC, &out.FC
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(FCVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.AzureFile != nil {
+		in, out := &in.AzureFile, &out.AzureFile
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AzureFileVolumeSource)
+			**out = **in
+		}
+	}
+	if in.ConfigMap != nil {
+		in, out := &in.ConfigMap, &out.ConfigMap
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ConfigMapVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.VsphereVolume != nil {
+		in, out := &in.VsphereVolume, &out.VsphereVolume
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(VsphereVirtualDiskVolumeSource)
+			**out = **in
+		}
+	}
+	if in.Quobyte != nil {
+		in, out := &in.Quobyte, &out.Quobyte
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(QuobyteVolumeSource)
+			**out = **in
+		}
+	}
+	if in.AzureDisk != nil {
+		in, out := &in.AzureDisk, &out.AzureDisk
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AzureDiskVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.PhotonPersistentDisk != nil {
+		in, out := &in.PhotonPersistentDisk, &out.PhotonPersistentDisk
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PhotonPersistentDiskVolumeSource)
+			**out = **in
+		}
+	}
+	if in.Projected != nil {
+		in, out := &in.Projected, &out.Projected
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ProjectedVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.PortworxVolume != nil {
+		in, out := &in.PortworxVolume, &out.PortworxVolume
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(PortworxVolumeSource)
+			**out = **in
+		}
+	}
+	if in.ScaleIO != nil {
+		in, out := &in.ScaleIO, &out.ScaleIO
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(ScaleIOVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.StorageOS != nil {
+		in, out := &in.StorageOS, &out.StorageOS
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(StorageOSVolumeSource)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VolumeSource.
+func (in *VolumeSource) DeepCopy() *VolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(VolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VsphereVirtualDiskVolumeSource) DeepCopyInto(out *VsphereVirtualDiskVolumeSource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VsphereVirtualDiskVolumeSource.
+func (in *VsphereVirtualDiskVolumeSource) DeepCopy() *VsphereVirtualDiskVolumeSource {
+	if in == nil {
+		return nil
+	}
+	out := new(VsphereVirtualDiskVolumeSource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WeightedPodAffinityTerm) DeepCopyInto(out *WeightedPodAffinityTerm) {
+	*out = *in
+	in.PodAffinityTerm.DeepCopyInto(&out.PodAffinityTerm)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WeightedPodAffinityTerm.
+func (in *WeightedPodAffinityTerm) DeepCopy() *WeightedPodAffinityTerm {
+	if in == nil {
+		return nil
+	}
+	out := new(WeightedPodAffinityTerm)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/extensions/v1beta1/doc.go b/cli/vendor/k8s.io/api/extensions/v1beta1/doc.go
new file mode 100644
index 00000000..ac174dd2
--- /dev/null
+++ b/cli/vendor/k8s.io/api/extensions/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+package v1beta1 // import "k8s.io/api/extensions/v1beta1"
diff --git a/cli/vendor/k8s.io/api/extensions/v1beta1/generated.pb.go b/cli/vendor/k8s.io/api/extensions/v1beta1/generated.pb.go
new file mode 100644
index 00000000..344323e0
--- /dev/null
+++ b/cli/vendor/k8s.io/api/extensions/v1beta1/generated.pb.go
@@ -0,0 +1,12890 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/extensions/v1beta1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1beta1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/extensions/v1beta1/generated.proto
+
+	It has these top-level messages:
+		APIVersion
+		AllowedHostPath
+		CustomMetricCurrentStatus
+		CustomMetricCurrentStatusList
+		CustomMetricTarget
+		CustomMetricTargetList
+		DaemonSet
+		DaemonSetList
+		DaemonSetSpec
+		DaemonSetStatus
+		DaemonSetUpdateStrategy
+		Deployment
+		DeploymentCondition
+		DeploymentList
+		DeploymentRollback
+		DeploymentSpec
+		DeploymentStatus
+		DeploymentStrategy
+		FSGroupStrategyOptions
+		HTTPIngressPath
+		HTTPIngressRuleValue
+		HostPortRange
+		IDRange
+		IPBlock
+		Ingress
+		IngressBackend
+		IngressList
+		IngressRule
+		IngressRuleValue
+		IngressSpec
+		IngressStatus
+		IngressTLS
+		NetworkPolicy
+		NetworkPolicyEgressRule
+		NetworkPolicyIngressRule
+		NetworkPolicyList
+		NetworkPolicyPeer
+		NetworkPolicyPort
+		NetworkPolicySpec
+		PodSecurityPolicy
+		PodSecurityPolicyList
+		PodSecurityPolicySpec
+		ReplicaSet
+		ReplicaSetCondition
+		ReplicaSetList
+		ReplicaSetSpec
+		ReplicaSetStatus
+		ReplicationControllerDummy
+		RollbackConfig
+		RollingUpdateDaemonSet
+		RollingUpdateDeployment
+		RunAsUserStrategyOptions
+		SELinuxStrategyOptions
+		Scale
+		ScaleSpec
+		ScaleStatus
+		SupplementalGroupsStrategyOptions
+		ThirdPartyResource
+		ThirdPartyResourceData
+		ThirdPartyResourceDataList
+		ThirdPartyResourceList
+*/
+package v1beta1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+import k8s_io_apimachinery_pkg_util_intstr "k8s.io/apimachinery/pkg/util/intstr"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *APIVersion) Reset()                    { *m = APIVersion{} }
+func (*APIVersion) ProtoMessage()               {}
+func (*APIVersion) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *AllowedHostPath) Reset()                    { *m = AllowedHostPath{} }
+func (*AllowedHostPath) ProtoMessage()               {}
+func (*AllowedHostPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *CustomMetricCurrentStatus) Reset()      { *m = CustomMetricCurrentStatus{} }
+func (*CustomMetricCurrentStatus) ProtoMessage() {}
+func (*CustomMetricCurrentStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{2}
+}
+
+func (m *CustomMetricCurrentStatusList) Reset()      { *m = CustomMetricCurrentStatusList{} }
+func (*CustomMetricCurrentStatusList) ProtoMessage() {}
+func (*CustomMetricCurrentStatusList) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{3}
+}
+
+func (m *CustomMetricTarget) Reset()                    { *m = CustomMetricTarget{} }
+func (*CustomMetricTarget) ProtoMessage()               {}
+func (*CustomMetricTarget) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *CustomMetricTargetList) Reset()                    { *m = CustomMetricTargetList{} }
+func (*CustomMetricTargetList) ProtoMessage()               {}
+func (*CustomMetricTargetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func (m *DaemonSet) Reset()                    { *m = DaemonSet{} }
+func (*DaemonSet) ProtoMessage()               {}
+func (*DaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *DaemonSetList) Reset()                    { *m = DaemonSetList{} }
+func (*DaemonSetList) ProtoMessage()               {}
+func (*DaemonSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *DaemonSetSpec) Reset()                    { *m = DaemonSetSpec{} }
+func (*DaemonSetSpec) ProtoMessage()               {}
+func (*DaemonSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *DaemonSetStatus) Reset()                    { *m = DaemonSetStatus{} }
+func (*DaemonSetStatus) ProtoMessage()               {}
+func (*DaemonSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+
+func (m *DaemonSetUpdateStrategy) Reset()      { *m = DaemonSetUpdateStrategy{} }
+func (*DaemonSetUpdateStrategy) ProtoMessage() {}
+func (*DaemonSetUpdateStrategy) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{10}
+}
+
+func (m *Deployment) Reset()                    { *m = Deployment{} }
+func (*Deployment) ProtoMessage()               {}
+func (*Deployment) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
+
+func (m *DeploymentCondition) Reset()                    { *m = DeploymentCondition{} }
+func (*DeploymentCondition) ProtoMessage()               {}
+func (*DeploymentCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{12} }
+
+func (m *DeploymentList) Reset()                    { *m = DeploymentList{} }
+func (*DeploymentList) ProtoMessage()               {}
+func (*DeploymentList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
+
+func (m *DeploymentRollback) Reset()                    { *m = DeploymentRollback{} }
+func (*DeploymentRollback) ProtoMessage()               {}
+func (*DeploymentRollback) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
+
+func (m *DeploymentSpec) Reset()                    { *m = DeploymentSpec{} }
+func (*DeploymentSpec) ProtoMessage()               {}
+func (*DeploymentSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
+
+func (m *DeploymentStatus) Reset()                    { *m = DeploymentStatus{} }
+func (*DeploymentStatus) ProtoMessage()               {}
+func (*DeploymentStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
+
+func (m *DeploymentStrategy) Reset()                    { *m = DeploymentStrategy{} }
+func (*DeploymentStrategy) ProtoMessage()               {}
+func (*DeploymentStrategy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
+
+func (m *FSGroupStrategyOptions) Reset()                    { *m = FSGroupStrategyOptions{} }
+func (*FSGroupStrategyOptions) ProtoMessage()               {}
+func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{18} }
+
+func (m *HTTPIngressPath) Reset()                    { *m = HTTPIngressPath{} }
+func (*HTTPIngressPath) ProtoMessage()               {}
+func (*HTTPIngressPath) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} }
+
+func (m *HTTPIngressRuleValue) Reset()                    { *m = HTTPIngressRuleValue{} }
+func (*HTTPIngressRuleValue) ProtoMessage()               {}
+func (*HTTPIngressRuleValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} }
+
+func (m *HostPortRange) Reset()                    { *m = HostPortRange{} }
+func (*HostPortRange) ProtoMessage()               {}
+func (*HostPortRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} }
+
+func (m *IDRange) Reset()                    { *m = IDRange{} }
+func (*IDRange) ProtoMessage()               {}
+func (*IDRange) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{22} }
+
+func (m *IPBlock) Reset()                    { *m = IPBlock{} }
+func (*IPBlock) ProtoMessage()               {}
+func (*IPBlock) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{23} }
+
+func (m *Ingress) Reset()                    { *m = Ingress{} }
+func (*Ingress) ProtoMessage()               {}
+func (*Ingress) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{24} }
+
+func (m *IngressBackend) Reset()                    { *m = IngressBackend{} }
+func (*IngressBackend) ProtoMessage()               {}
+func (*IngressBackend) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{25} }
+
+func (m *IngressList) Reset()                    { *m = IngressList{} }
+func (*IngressList) ProtoMessage()               {}
+func (*IngressList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{26} }
+
+func (m *IngressRule) Reset()                    { *m = IngressRule{} }
+func (*IngressRule) ProtoMessage()               {}
+func (*IngressRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{27} }
+
+func (m *IngressRuleValue) Reset()                    { *m = IngressRuleValue{} }
+func (*IngressRuleValue) ProtoMessage()               {}
+func (*IngressRuleValue) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{28} }
+
+func (m *IngressSpec) Reset()                    { *m = IngressSpec{} }
+func (*IngressSpec) ProtoMessage()               {}
+func (*IngressSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{29} }
+
+func (m *IngressStatus) Reset()                    { *m = IngressStatus{} }
+func (*IngressStatus) ProtoMessage()               {}
+func (*IngressStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{30} }
+
+func (m *IngressTLS) Reset()                    { *m = IngressTLS{} }
+func (*IngressTLS) ProtoMessage()               {}
+func (*IngressTLS) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{31} }
+
+func (m *NetworkPolicy) Reset()                    { *m = NetworkPolicy{} }
+func (*NetworkPolicy) ProtoMessage()               {}
+func (*NetworkPolicy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{32} }
+
+func (m *NetworkPolicyEgressRule) Reset()      { *m = NetworkPolicyEgressRule{} }
+func (*NetworkPolicyEgressRule) ProtoMessage() {}
+func (*NetworkPolicyEgressRule) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{33}
+}
+
+func (m *NetworkPolicyIngressRule) Reset()      { *m = NetworkPolicyIngressRule{} }
+func (*NetworkPolicyIngressRule) ProtoMessage() {}
+func (*NetworkPolicyIngressRule) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{34}
+}
+
+func (m *NetworkPolicyList) Reset()                    { *m = NetworkPolicyList{} }
+func (*NetworkPolicyList) ProtoMessage()               {}
+func (*NetworkPolicyList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{35} }
+
+func (m *NetworkPolicyPeer) Reset()                    { *m = NetworkPolicyPeer{} }
+func (*NetworkPolicyPeer) ProtoMessage()               {}
+func (*NetworkPolicyPeer) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{36} }
+
+func (m *NetworkPolicyPort) Reset()                    { *m = NetworkPolicyPort{} }
+func (*NetworkPolicyPort) ProtoMessage()               {}
+func (*NetworkPolicyPort) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{37} }
+
+func (m *NetworkPolicySpec) Reset()                    { *m = NetworkPolicySpec{} }
+func (*NetworkPolicySpec) ProtoMessage()               {}
+func (*NetworkPolicySpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{38} }
+
+func (m *PodSecurityPolicy) Reset()                    { *m = PodSecurityPolicy{} }
+func (*PodSecurityPolicy) ProtoMessage()               {}
+func (*PodSecurityPolicy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{39} }
+
+func (m *PodSecurityPolicyList) Reset()                    { *m = PodSecurityPolicyList{} }
+func (*PodSecurityPolicyList) ProtoMessage()               {}
+func (*PodSecurityPolicyList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{40} }
+
+func (m *PodSecurityPolicySpec) Reset()                    { *m = PodSecurityPolicySpec{} }
+func (*PodSecurityPolicySpec) ProtoMessage()               {}
+func (*PodSecurityPolicySpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{41} }
+
+func (m *ReplicaSet) Reset()                    { *m = ReplicaSet{} }
+func (*ReplicaSet) ProtoMessage()               {}
+func (*ReplicaSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{42} }
+
+func (m *ReplicaSetCondition) Reset()                    { *m = ReplicaSetCondition{} }
+func (*ReplicaSetCondition) ProtoMessage()               {}
+func (*ReplicaSetCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{43} }
+
+func (m *ReplicaSetList) Reset()                    { *m = ReplicaSetList{} }
+func (*ReplicaSetList) ProtoMessage()               {}
+func (*ReplicaSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{44} }
+
+func (m *ReplicaSetSpec) Reset()                    { *m = ReplicaSetSpec{} }
+func (*ReplicaSetSpec) ProtoMessage()               {}
+func (*ReplicaSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{45} }
+
+func (m *ReplicaSetStatus) Reset()                    { *m = ReplicaSetStatus{} }
+func (*ReplicaSetStatus) ProtoMessage()               {}
+func (*ReplicaSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{46} }
+
+func (m *ReplicationControllerDummy) Reset()      { *m = ReplicationControllerDummy{} }
+func (*ReplicationControllerDummy) ProtoMessage() {}
+func (*ReplicationControllerDummy) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{47}
+}
+
+func (m *RollbackConfig) Reset()                    { *m = RollbackConfig{} }
+func (*RollbackConfig) ProtoMessage()               {}
+func (*RollbackConfig) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{48} }
+
+func (m *RollingUpdateDaemonSet) Reset()                    { *m = RollingUpdateDaemonSet{} }
+func (*RollingUpdateDaemonSet) ProtoMessage()               {}
+func (*RollingUpdateDaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{49} }
+
+func (m *RollingUpdateDeployment) Reset()      { *m = RollingUpdateDeployment{} }
+func (*RollingUpdateDeployment) ProtoMessage() {}
+func (*RollingUpdateDeployment) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{50}
+}
+
+func (m *RunAsUserStrategyOptions) Reset()      { *m = RunAsUserStrategyOptions{} }
+func (*RunAsUserStrategyOptions) ProtoMessage() {}
+func (*RunAsUserStrategyOptions) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{51}
+}
+
+func (m *SELinuxStrategyOptions) Reset()                    { *m = SELinuxStrategyOptions{} }
+func (*SELinuxStrategyOptions) ProtoMessage()               {}
+func (*SELinuxStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{52} }
+
+func (m *Scale) Reset()                    { *m = Scale{} }
+func (*Scale) ProtoMessage()               {}
+func (*Scale) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{53} }
+
+func (m *ScaleSpec) Reset()                    { *m = ScaleSpec{} }
+func (*ScaleSpec) ProtoMessage()               {}
+func (*ScaleSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{54} }
+
+func (m *ScaleStatus) Reset()                    { *m = ScaleStatus{} }
+func (*ScaleStatus) ProtoMessage()               {}
+func (*ScaleStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{55} }
+
+func (m *SupplementalGroupsStrategyOptions) Reset()      { *m = SupplementalGroupsStrategyOptions{} }
+func (*SupplementalGroupsStrategyOptions) ProtoMessage() {}
+func (*SupplementalGroupsStrategyOptions) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{56}
+}
+
+func (m *ThirdPartyResource) Reset()                    { *m = ThirdPartyResource{} }
+func (*ThirdPartyResource) ProtoMessage()               {}
+func (*ThirdPartyResource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{57} }
+
+func (m *ThirdPartyResourceData) Reset()                    { *m = ThirdPartyResourceData{} }
+func (*ThirdPartyResourceData) ProtoMessage()               {}
+func (*ThirdPartyResourceData) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{58} }
+
+func (m *ThirdPartyResourceDataList) Reset()      { *m = ThirdPartyResourceDataList{} }
+func (*ThirdPartyResourceDataList) ProtoMessage() {}
+func (*ThirdPartyResourceDataList) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{59}
+}
+
+func (m *ThirdPartyResourceList) Reset()                    { *m = ThirdPartyResourceList{} }
+func (*ThirdPartyResourceList) ProtoMessage()               {}
+func (*ThirdPartyResourceList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{60} }
+
+func init() {
+	proto.RegisterType((*APIVersion)(nil), "k8s.io.api.extensions.v1beta1.APIVersion")
+	proto.RegisterType((*AllowedHostPath)(nil), "k8s.io.api.extensions.v1beta1.AllowedHostPath")
+	proto.RegisterType((*CustomMetricCurrentStatus)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricCurrentStatus")
+	proto.RegisterType((*CustomMetricCurrentStatusList)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricCurrentStatusList")
+	proto.RegisterType((*CustomMetricTarget)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricTarget")
+	proto.RegisterType((*CustomMetricTargetList)(nil), "k8s.io.api.extensions.v1beta1.CustomMetricTargetList")
+	proto.RegisterType((*DaemonSet)(nil), "k8s.io.api.extensions.v1beta1.DaemonSet")
+	proto.RegisterType((*DaemonSetList)(nil), "k8s.io.api.extensions.v1beta1.DaemonSetList")
+	proto.RegisterType((*DaemonSetSpec)(nil), "k8s.io.api.extensions.v1beta1.DaemonSetSpec")
+	proto.RegisterType((*DaemonSetStatus)(nil), "k8s.io.api.extensions.v1beta1.DaemonSetStatus")
+	proto.RegisterType((*DaemonSetUpdateStrategy)(nil), "k8s.io.api.extensions.v1beta1.DaemonSetUpdateStrategy")
+	proto.RegisterType((*Deployment)(nil), "k8s.io.api.extensions.v1beta1.Deployment")
+	proto.RegisterType((*DeploymentCondition)(nil), "k8s.io.api.extensions.v1beta1.DeploymentCondition")
+	proto.RegisterType((*DeploymentList)(nil), "k8s.io.api.extensions.v1beta1.DeploymentList")
+	proto.RegisterType((*DeploymentRollback)(nil), "k8s.io.api.extensions.v1beta1.DeploymentRollback")
+	proto.RegisterType((*DeploymentSpec)(nil), "k8s.io.api.extensions.v1beta1.DeploymentSpec")
+	proto.RegisterType((*DeploymentStatus)(nil), "k8s.io.api.extensions.v1beta1.DeploymentStatus")
+	proto.RegisterType((*DeploymentStrategy)(nil), "k8s.io.api.extensions.v1beta1.DeploymentStrategy")
+	proto.RegisterType((*FSGroupStrategyOptions)(nil), "k8s.io.api.extensions.v1beta1.FSGroupStrategyOptions")
+	proto.RegisterType((*HTTPIngressPath)(nil), "k8s.io.api.extensions.v1beta1.HTTPIngressPath")
+	proto.RegisterType((*HTTPIngressRuleValue)(nil), "k8s.io.api.extensions.v1beta1.HTTPIngressRuleValue")
+	proto.RegisterType((*HostPortRange)(nil), "k8s.io.api.extensions.v1beta1.HostPortRange")
+	proto.RegisterType((*IDRange)(nil), "k8s.io.api.extensions.v1beta1.IDRange")
+	proto.RegisterType((*IPBlock)(nil), "k8s.io.api.extensions.v1beta1.IPBlock")
+	proto.RegisterType((*Ingress)(nil), "k8s.io.api.extensions.v1beta1.Ingress")
+	proto.RegisterType((*IngressBackend)(nil), "k8s.io.api.extensions.v1beta1.IngressBackend")
+	proto.RegisterType((*IngressList)(nil), "k8s.io.api.extensions.v1beta1.IngressList")
+	proto.RegisterType((*IngressRule)(nil), "k8s.io.api.extensions.v1beta1.IngressRule")
+	proto.RegisterType((*IngressRuleValue)(nil), "k8s.io.api.extensions.v1beta1.IngressRuleValue")
+	proto.RegisterType((*IngressSpec)(nil), "k8s.io.api.extensions.v1beta1.IngressSpec")
+	proto.RegisterType((*IngressStatus)(nil), "k8s.io.api.extensions.v1beta1.IngressStatus")
+	proto.RegisterType((*IngressTLS)(nil), "k8s.io.api.extensions.v1beta1.IngressTLS")
+	proto.RegisterType((*NetworkPolicy)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicy")
+	proto.RegisterType((*NetworkPolicyEgressRule)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyEgressRule")
+	proto.RegisterType((*NetworkPolicyIngressRule)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyIngressRule")
+	proto.RegisterType((*NetworkPolicyList)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyList")
+	proto.RegisterType((*NetworkPolicyPeer)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyPeer")
+	proto.RegisterType((*NetworkPolicyPort)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyPort")
+	proto.RegisterType((*NetworkPolicySpec)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicySpec")
+	proto.RegisterType((*PodSecurityPolicy)(nil), "k8s.io.api.extensions.v1beta1.PodSecurityPolicy")
+	proto.RegisterType((*PodSecurityPolicyList)(nil), "k8s.io.api.extensions.v1beta1.PodSecurityPolicyList")
+	proto.RegisterType((*PodSecurityPolicySpec)(nil), "k8s.io.api.extensions.v1beta1.PodSecurityPolicySpec")
+	proto.RegisterType((*ReplicaSet)(nil), "k8s.io.api.extensions.v1beta1.ReplicaSet")
+	proto.RegisterType((*ReplicaSetCondition)(nil), "k8s.io.api.extensions.v1beta1.ReplicaSetCondition")
+	proto.RegisterType((*ReplicaSetList)(nil), "k8s.io.api.extensions.v1beta1.ReplicaSetList")
+	proto.RegisterType((*ReplicaSetSpec)(nil), "k8s.io.api.extensions.v1beta1.ReplicaSetSpec")
+	proto.RegisterType((*ReplicaSetStatus)(nil), "k8s.io.api.extensions.v1beta1.ReplicaSetStatus")
+	proto.RegisterType((*ReplicationControllerDummy)(nil), "k8s.io.api.extensions.v1beta1.ReplicationControllerDummy")
+	proto.RegisterType((*RollbackConfig)(nil), "k8s.io.api.extensions.v1beta1.RollbackConfig")
+	proto.RegisterType((*RollingUpdateDaemonSet)(nil), "k8s.io.api.extensions.v1beta1.RollingUpdateDaemonSet")
+	proto.RegisterType((*RollingUpdateDeployment)(nil), "k8s.io.api.extensions.v1beta1.RollingUpdateDeployment")
+	proto.RegisterType((*RunAsUserStrategyOptions)(nil), "k8s.io.api.extensions.v1beta1.RunAsUserStrategyOptions")
+	proto.RegisterType((*SELinuxStrategyOptions)(nil), "k8s.io.api.extensions.v1beta1.SELinuxStrategyOptions")
+	proto.RegisterType((*Scale)(nil), "k8s.io.api.extensions.v1beta1.Scale")
+	proto.RegisterType((*ScaleSpec)(nil), "k8s.io.api.extensions.v1beta1.ScaleSpec")
+	proto.RegisterType((*ScaleStatus)(nil), "k8s.io.api.extensions.v1beta1.ScaleStatus")
+	proto.RegisterType((*SupplementalGroupsStrategyOptions)(nil), "k8s.io.api.extensions.v1beta1.SupplementalGroupsStrategyOptions")
+	proto.RegisterType((*ThirdPartyResource)(nil), "k8s.io.api.extensions.v1beta1.ThirdPartyResource")
+	proto.RegisterType((*ThirdPartyResourceData)(nil), "k8s.io.api.extensions.v1beta1.ThirdPartyResourceData")
+	proto.RegisterType((*ThirdPartyResourceDataList)(nil), "k8s.io.api.extensions.v1beta1.ThirdPartyResourceDataList")
+	proto.RegisterType((*ThirdPartyResourceList)(nil), "k8s.io.api.extensions.v1beta1.ThirdPartyResourceList")
+}
+func (m *APIVersion) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *APIVersion) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	return i, nil
+}
+
+func (m *AllowedHostPath) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *AllowedHostPath) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.PathPrefix)))
+	i += copy(dAtA[i:], m.PathPrefix)
+	return i, nil
+}
+
+func (m *CustomMetricCurrentStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CustomMetricCurrentStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentValue.Size()))
+	n1, err := m.CurrentValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	return i, nil
+}
+
+func (m *CustomMetricCurrentStatusList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CustomMetricCurrentStatusList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *CustomMetricTarget) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CustomMetricTarget) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.TargetValue.Size()))
+	n2, err := m.TargetValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	return i, nil
+}
+
+func (m *CustomMetricTargetList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CustomMetricTargetList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *DaemonSet) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonSet) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n3, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n4, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n5, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	return i, nil
+}
+
+func (m *DaemonSetList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonSetList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n6, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *DaemonSetSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonSetSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Selector != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n7, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n8, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n8
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdateStrategy.Size()))
+	n9, err := m.UpdateStrategy.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MinReadySeconds))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.TemplateGeneration))
+	if m.RevisionHistoryLimit != nil {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.RevisionHistoryLimit))
+	}
+	return i, nil
+}
+
+func (m *DaemonSetStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonSetStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentNumberScheduled))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.NumberMisscheduled))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.DesiredNumberScheduled))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.NumberReady))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	dAtA[i] = 0x30
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdatedNumberScheduled))
+	dAtA[i] = 0x38
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.NumberAvailable))
+	dAtA[i] = 0x40
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.NumberUnavailable))
+	if m.CollisionCount != nil {
+		dAtA[i] = 0x48
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.CollisionCount))
+	}
+	return i, nil
+}
+
+func (m *DaemonSetUpdateStrategy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DaemonSetUpdateStrategy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.RollingUpdate != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RollingUpdate.Size()))
+		n10, err := m.RollingUpdate.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n10
+	}
+	return i, nil
+}
+
+func (m *Deployment) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Deployment) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n11, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n11
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n12, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n12
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n13, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n13
+	return i, nil
+}
+
+func (m *DeploymentCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastUpdateTime.Size()))
+	n14, err := m.LastUpdateTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n14
+	dAtA[i] = 0x3a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n15, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n15
+	return i, nil
+}
+
+func (m *DeploymentList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n16, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n16
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *DeploymentRollback) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentRollback) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	if len(m.UpdatedAnnotations) > 0 {
+		keysForUpdatedAnnotations := make([]string, 0, len(m.UpdatedAnnotations))
+		for k := range m.UpdatedAnnotations {
+			keysForUpdatedAnnotations = append(keysForUpdatedAnnotations, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForUpdatedAnnotations)
+		for _, k := range keysForUpdatedAnnotations {
+			dAtA[i] = 0x12
+			i++
+			v := m.UpdatedAnnotations[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RollbackTo.Size()))
+	n17, err := m.RollbackTo.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n17
+	return i, nil
+}
+
+func (m *DeploymentSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n18, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n18
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n19, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n19
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Strategy.Size()))
+	n20, err := m.Strategy.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n20
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MinReadySeconds))
+	if m.RevisionHistoryLimit != nil {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.RevisionHistoryLimit))
+	}
+	dAtA[i] = 0x38
+	i++
+	if m.Paused {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.RollbackTo != nil {
+		dAtA[i] = 0x42
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RollbackTo.Size()))
+		n21, err := m.RollbackTo.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n21
+	}
+	if m.ProgressDeadlineSeconds != nil {
+		dAtA[i] = 0x48
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.ProgressDeadlineSeconds))
+	}
+	return i, nil
+}
+
+func (m *DeploymentStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UpdatedReplicas))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.AvailableReplicas))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.UnavailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x32
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x38
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ReadyReplicas))
+	if m.CollisionCount != nil {
+		dAtA[i] = 0x40
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.CollisionCount))
+	}
+	return i, nil
+}
+
+func (m *DeploymentStrategy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeploymentStrategy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	if m.RollingUpdate != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.RollingUpdate.Size()))
+		n22, err := m.RollingUpdate.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n22
+	}
+	return i, nil
+}
+
+func (m *FSGroupStrategyOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *FSGroupStrategyOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Rule)))
+	i += copy(dAtA[i:], m.Rule)
+	if len(m.Ranges) > 0 {
+		for _, msg := range m.Ranges {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *HTTPIngressPath) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HTTPIngressPath) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Path)))
+	i += copy(dAtA[i:], m.Path)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Backend.Size()))
+	n23, err := m.Backend.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n23
+	return i, nil
+}
+
+func (m *HTTPIngressRuleValue) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HTTPIngressRuleValue) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Paths) > 0 {
+		for _, msg := range m.Paths {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *HostPortRange) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *HostPortRange) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Min))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Max))
+	return i, nil
+}
+
+func (m *IDRange) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IDRange) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Min))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Max))
+	return i, nil
+}
+
+func (m *IPBlock) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IPBlock) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.CIDR)))
+	i += copy(dAtA[i:], m.CIDR)
+	if len(m.Except) > 0 {
+		for _, s := range m.Except {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *Ingress) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Ingress) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n24, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n24
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n25, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n25
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n26, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n26
+	return i, nil
+}
+
+func (m *IngressBackend) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IngressBackend) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ServiceName)))
+	i += copy(dAtA[i:], m.ServiceName)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ServicePort.Size()))
+	n27, err := m.ServicePort.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n27
+	return i, nil
+}
+
+func (m *IngressList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IngressList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n28, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n28
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *IngressRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IngressRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Host)))
+	i += copy(dAtA[i:], m.Host)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.IngressRuleValue.Size()))
+	n29, err := m.IngressRuleValue.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n29
+	return i, nil
+}
+
+func (m *IngressRuleValue) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IngressRuleValue) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.HTTP != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.HTTP.Size()))
+		n30, err := m.HTTP.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n30
+	}
+	return i, nil
+}
+
+func (m *IngressSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IngressSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Backend != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Backend.Size()))
+		n31, err := m.Backend.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n31
+	}
+	if len(m.TLS) > 0 {
+		for _, msg := range m.TLS {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Rules) > 0 {
+		for _, msg := range m.Rules {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *IngressStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IngressStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LoadBalancer.Size()))
+	n32, err := m.LoadBalancer.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n32
+	return i, nil
+}
+
+func (m *IngressTLS) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IngressTLS) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Hosts) > 0 {
+		for _, s := range m.Hosts {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SecretName)))
+	i += copy(dAtA[i:], m.SecretName)
+	return i, nil
+}
+
+func (m *NetworkPolicy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n33, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n33
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n34, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n34
+	return i, nil
+}
+
+func (m *NetworkPolicyEgressRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyEgressRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, msg := range m.Ports {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.To) > 0 {
+		for _, msg := range m.To {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicyIngressRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyIngressRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, msg := range m.Ports {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.From) > 0 {
+		for _, msg := range m.From {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicyList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n35, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n35
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicyPeer) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyPeer) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.PodSelector != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PodSelector.Size()))
+		n36, err := m.PodSelector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n36
+	}
+	if m.NamespaceSelector != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.NamespaceSelector.Size()))
+		n37, err := m.NamespaceSelector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n37
+	}
+	if m.IPBlock != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.IPBlock.Size()))
+		n38, err := m.IPBlock.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n38
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicyPort) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyPort) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Protocol != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Protocol)))
+		i += copy(dAtA[i:], *m.Protocol)
+	}
+	if m.Port != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Port.Size()))
+		n39, err := m.Port.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n39
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicySpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicySpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.PodSelector.Size()))
+	n40, err := m.PodSelector.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n40
+	if len(m.Ingress) > 0 {
+		for _, msg := range m.Ingress {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Egress) > 0 {
+		for _, msg := range m.Egress {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.PolicyTypes) > 0 {
+		for _, s := range m.PolicyTypes {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *PodSecurityPolicy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodSecurityPolicy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n41, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n41
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n42, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n42
+	return i, nil
+}
+
+func (m *PodSecurityPolicyList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodSecurityPolicyList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n43, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n43
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PodSecurityPolicySpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodSecurityPolicySpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	if m.Privileged {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if len(m.DefaultAddCapabilities) > 0 {
+		for _, s := range m.DefaultAddCapabilities {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.RequiredDropCapabilities) > 0 {
+		for _, s := range m.RequiredDropCapabilities {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.AllowedCapabilities) > 0 {
+		for _, s := range m.AllowedCapabilities {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Volumes) > 0 {
+		for _, s := range m.Volumes {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x30
+	i++
+	if m.HostNetwork {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if len(m.HostPorts) > 0 {
+		for _, msg := range m.HostPorts {
+			dAtA[i] = 0x3a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x40
+	i++
+	if m.HostPID {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x48
+	i++
+	if m.HostIPC {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x52
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.SELinux.Size()))
+	n44, err := m.SELinux.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n44
+	dAtA[i] = 0x5a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RunAsUser.Size()))
+	n45, err := m.RunAsUser.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n45
+	dAtA[i] = 0x62
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.SupplementalGroups.Size()))
+	n46, err := m.SupplementalGroups.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n46
+	dAtA[i] = 0x6a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.FSGroup.Size()))
+	n47, err := m.FSGroup.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n47
+	dAtA[i] = 0x70
+	i++
+	if m.ReadOnlyRootFilesystem {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	if m.DefaultAllowPrivilegeEscalation != nil {
+		dAtA[i] = 0x78
+		i++
+		if *m.DefaultAllowPrivilegeEscalation {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.AllowPrivilegeEscalation != nil {
+		dAtA[i] = 0x80
+		i++
+		dAtA[i] = 0x1
+		i++
+		if *m.AllowPrivilegeEscalation {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if len(m.AllowedHostPaths) > 0 {
+		for _, msg := range m.AllowedHostPaths {
+			dAtA[i] = 0x8a
+			i++
+			dAtA[i] = 0x1
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ReplicaSet) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicaSet) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n48, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n48
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n49, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n49
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n50, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n50
+	return i, nil
+}
+
+func (m *ReplicaSetCondition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicaSetCondition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.LastTransitionTime.Size()))
+	n51, err := m.LastTransitionTime.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n51
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	return i, nil
+}
+
+func (m *ReplicaSetList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicaSetList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n52, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n52
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ReplicaSetSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicaSetSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n53, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n53
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Template.Size()))
+	n54, err := m.Template.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n54
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.MinReadySeconds))
+	return i, nil
+}
+
+func (m *ReplicaSetStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicaSetStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.FullyLabeledReplicas))
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ReadyReplicas))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.AvailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, msg := range m.Conditions {
+			dAtA[i] = 0x32
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ReplicationControllerDummy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReplicationControllerDummy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	return i, nil
+}
+
+func (m *RollbackConfig) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RollbackConfig) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Revision))
+	return i, nil
+}
+
+func (m *RollingUpdateDaemonSet) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RollingUpdateDaemonSet) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.MaxUnavailable != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.MaxUnavailable.Size()))
+		n55, err := m.MaxUnavailable.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n55
+	}
+	return i, nil
+}
+
+func (m *RollingUpdateDeployment) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RollingUpdateDeployment) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.MaxUnavailable != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.MaxUnavailable.Size()))
+		n56, err := m.MaxUnavailable.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n56
+	}
+	if m.MaxSurge != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.MaxSurge.Size()))
+		n57, err := m.MaxSurge.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n57
+	}
+	return i, nil
+}
+
+func (m *RunAsUserStrategyOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RunAsUserStrategyOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Rule)))
+	i += copy(dAtA[i:], m.Rule)
+	if len(m.Ranges) > 0 {
+		for _, msg := range m.Ranges {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *SELinuxStrategyOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SELinuxStrategyOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Rule)))
+	i += copy(dAtA[i:], m.Rule)
+	if m.SELinuxOptions != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.SELinuxOptions.Size()))
+		n58, err := m.SELinuxOptions.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n58
+	}
+	return i, nil
+}
+
+func (m *Scale) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Scale) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n59, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n59
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n60, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n60
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n61, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n61
+	return i, nil
+}
+
+func (m *ScaleSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ScaleSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	return i, nil
+}
+
+func (m *ScaleStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ScaleStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Replicas))
+	if len(m.Selector) > 0 {
+		keysForSelector := make([]string, 0, len(m.Selector))
+		for k := range m.Selector {
+			keysForSelector = append(keysForSelector, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+		for _, k := range keysForSelector {
+			dAtA[i] = 0x12
+			i++
+			v := m.Selector[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.TargetSelector)))
+	i += copy(dAtA[i:], m.TargetSelector)
+	return i, nil
+}
+
+func (m *SupplementalGroupsStrategyOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SupplementalGroupsStrategyOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Rule)))
+	i += copy(dAtA[i:], m.Rule)
+	if len(m.Ranges) > 0 {
+		for _, msg := range m.Ranges {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ThirdPartyResource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ThirdPartyResource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n62, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n62
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Description)))
+	i += copy(dAtA[i:], m.Description)
+	if len(m.Versions) > 0 {
+		for _, msg := range m.Versions {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ThirdPartyResourceData) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ThirdPartyResourceData) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n63, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n63
+	if m.Data != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func (m *ThirdPartyResourceDataList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ThirdPartyResourceDataList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n64, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n64
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ThirdPartyResourceList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ThirdPartyResourceList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n65, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n65
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *APIVersion) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *AllowedHostPath) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.PathPrefix)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *CustomMetricCurrentStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.CurrentValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *CustomMetricCurrentStatusList) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *CustomMetricTarget) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.TargetValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *CustomMetricTargetList) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DaemonSet) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DaemonSetList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DaemonSetSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.UpdateStrategy.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.MinReadySeconds))
+	n += 1 + sovGenerated(uint64(m.TemplateGeneration))
+	if m.RevisionHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.RevisionHistoryLimit))
+	}
+	return n
+}
+
+func (m *DaemonSetStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.CurrentNumberScheduled))
+	n += 1 + sovGenerated(uint64(m.NumberMisscheduled))
+	n += 1 + sovGenerated(uint64(m.DesiredNumberScheduled))
+	n += 1 + sovGenerated(uint64(m.NumberReady))
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
+	n += 1 + sovGenerated(uint64(m.UpdatedNumberScheduled))
+	n += 1 + sovGenerated(uint64(m.NumberAvailable))
+	n += 1 + sovGenerated(uint64(m.NumberUnavailable))
+	if m.CollisionCount != nil {
+		n += 1 + sovGenerated(uint64(*m.CollisionCount))
+	}
+	return n
+}
+
+func (m *DaemonSetUpdateStrategy) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.RollingUpdate != nil {
+		l = m.RollingUpdate.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *Deployment) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DeploymentCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastUpdateTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DeploymentList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DeploymentRollback) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.UpdatedAnnotations) > 0 {
+		for k, v := range m.UpdatedAnnotations {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = m.RollbackTo.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DeploymentSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		n += 1 + sovGenerated(uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Strategy.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.MinReadySeconds))
+	if m.RevisionHistoryLimit != nil {
+		n += 1 + sovGenerated(uint64(*m.RevisionHistoryLimit))
+	}
+	n += 2
+	if m.RollbackTo != nil {
+		l = m.RollbackTo.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.ProgressDeadlineSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.ProgressDeadlineSeconds))
+	}
+	return n
+}
+
+func (m *DeploymentStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	n += 1 + sovGenerated(uint64(m.UpdatedReplicas))
+	n += 1 + sovGenerated(uint64(m.AvailableReplicas))
+	n += 1 + sovGenerated(uint64(m.UnavailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	n += 1 + sovGenerated(uint64(m.ReadyReplicas))
+	if m.CollisionCount != nil {
+		n += 1 + sovGenerated(uint64(*m.CollisionCount))
+	}
+	return n
+}
+
+func (m *DeploymentStrategy) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.RollingUpdate != nil {
+		l = m.RollingUpdate.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *FSGroupStrategyOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Rule)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Ranges) > 0 {
+		for _, e := range m.Ranges {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *HTTPIngressPath) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Backend.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *HTTPIngressRuleValue) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Paths) > 0 {
+		for _, e := range m.Paths {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *HostPortRange) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Min))
+	n += 1 + sovGenerated(uint64(m.Max))
+	return n
+}
+
+func (m *IDRange) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Min))
+	n += 1 + sovGenerated(uint64(m.Max))
+	return n
+}
+
+func (m *IPBlock) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.CIDR)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Except) > 0 {
+		for _, s := range m.Except {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Ingress) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *IngressBackend) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ServiceName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.ServicePort.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *IngressList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *IngressRule) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Host)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.IngressRuleValue.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *IngressRuleValue) Size() (n int) {
+	var l int
+	_ = l
+	if m.HTTP != nil {
+		l = m.HTTP.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *IngressSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Backend != nil {
+		l = m.Backend.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.TLS) > 0 {
+		for _, e := range m.TLS {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Rules) > 0 {
+		for _, e := range m.Rules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *IngressStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = m.LoadBalancer.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *IngressTLS) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Hosts) > 0 {
+		for _, s := range m.Hosts {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.SecretName)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NetworkPolicy) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NetworkPolicyEgressRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, e := range m.Ports {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.To) > 0 {
+		for _, e := range m.To {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NetworkPolicyIngressRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, e := range m.Ports {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.From) > 0 {
+		for _, e := range m.From {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NetworkPolicyList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NetworkPolicyPeer) Size() (n int) {
+	var l int
+	_ = l
+	if m.PodSelector != nil {
+		l = m.PodSelector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.NamespaceSelector != nil {
+		l = m.NamespaceSelector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.IPBlock != nil {
+		l = m.IPBlock.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *NetworkPolicyPort) Size() (n int) {
+	var l int
+	_ = l
+	if m.Protocol != nil {
+		l = len(*m.Protocol)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Port != nil {
+		l = m.Port.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *NetworkPolicySpec) Size() (n int) {
+	var l int
+	_ = l
+	l = m.PodSelector.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Ingress) > 0 {
+		for _, e := range m.Ingress {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Egress) > 0 {
+		for _, e := range m.Egress {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.PolicyTypes) > 0 {
+		for _, s := range m.PolicyTypes {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodSecurityPolicy) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodSecurityPolicyList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodSecurityPolicySpec) Size() (n int) {
+	var l int
+	_ = l
+	n += 2
+	if len(m.DefaultAddCapabilities) > 0 {
+		for _, s := range m.DefaultAddCapabilities {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.RequiredDropCapabilities) > 0 {
+		for _, s := range m.RequiredDropCapabilities {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.AllowedCapabilities) > 0 {
+		for _, s := range m.AllowedCapabilities {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Volumes) > 0 {
+		for _, s := range m.Volumes {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	n += 2
+	if len(m.HostPorts) > 0 {
+		for _, e := range m.HostPorts {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	n += 2
+	n += 2
+	l = m.SELinux.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.RunAsUser.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.SupplementalGroups.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.FSGroup.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	if m.DefaultAllowPrivilegeEscalation != nil {
+		n += 2
+	}
+	if m.AllowPrivilegeEscalation != nil {
+		n += 3
+	}
+	if len(m.AllowedHostPaths) > 0 {
+		for _, e := range m.AllowedHostPaths {
+			l = e.Size()
+			n += 2 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ReplicaSet) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ReplicaSetCondition) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.LastTransitionTime.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ReplicaSetList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ReplicaSetSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Replicas != nil {
+		n += 1 + sovGenerated(uint64(*m.Replicas))
+	}
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = m.Template.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.MinReadySeconds))
+	return n
+}
+
+func (m *ReplicaSetStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	n += 1 + sovGenerated(uint64(m.FullyLabeledReplicas))
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
+	n += 1 + sovGenerated(uint64(m.ReadyReplicas))
+	n += 1 + sovGenerated(uint64(m.AvailableReplicas))
+	if len(m.Conditions) > 0 {
+		for _, e := range m.Conditions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ReplicationControllerDummy) Size() (n int) {
+	var l int
+	_ = l
+	return n
+}
+
+func (m *RollbackConfig) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Revision))
+	return n
+}
+
+func (m *RollingUpdateDaemonSet) Size() (n int) {
+	var l int
+	_ = l
+	if m.MaxUnavailable != nil {
+		l = m.MaxUnavailable.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *RollingUpdateDeployment) Size() (n int) {
+	var l int
+	_ = l
+	if m.MaxUnavailable != nil {
+		l = m.MaxUnavailable.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.MaxSurge != nil {
+		l = m.MaxSurge.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *RunAsUserStrategyOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Rule)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Ranges) > 0 {
+		for _, e := range m.Ranges {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *SELinuxStrategyOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Rule)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.SELinuxOptions != nil {
+		l = m.SELinuxOptions.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *Scale) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ScaleSpec) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	return n
+}
+
+func (m *ScaleStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Replicas))
+	if len(m.Selector) > 0 {
+		for k, v := range m.Selector {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.TargetSelector)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *SupplementalGroupsStrategyOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Rule)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Ranges) > 0 {
+		for _, e := range m.Ranges {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ThirdPartyResource) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Description)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Versions) > 0 {
+		for _, e := range m.Versions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ThirdPartyResourceData) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Data != nil {
+		l = len(m.Data)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *ThirdPartyResourceDataList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ThirdPartyResourceList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *APIVersion) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&APIVersion{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *AllowedHostPath) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&AllowedHostPath{`,
+		`PathPrefix:` + fmt.Sprintf("%v", this.PathPrefix) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CustomMetricCurrentStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CustomMetricCurrentStatus{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`CurrentValue:` + strings.Replace(strings.Replace(this.CurrentValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CustomMetricCurrentStatusList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CustomMetricCurrentStatusList{`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "CustomMetricCurrentStatus", "CustomMetricCurrentStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CustomMetricTarget) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CustomMetricTarget{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`TargetValue:` + strings.Replace(strings.Replace(this.TargetValue.String(), "Quantity", "k8s_io_apimachinery_pkg_api_resource.Quantity", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CustomMetricTargetList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CustomMetricTargetList{`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "CustomMetricTarget", "CustomMetricTarget", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonSet) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonSet{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "DaemonSetSpec", "DaemonSetSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "DaemonSetStatus", "DaemonSetStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonSetList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonSetList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "DaemonSet", "DaemonSet", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonSetSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonSetSpec{`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "k8s_io_api_core_v1.PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`UpdateStrategy:` + strings.Replace(strings.Replace(this.UpdateStrategy.String(), "DaemonSetUpdateStrategy", "DaemonSetUpdateStrategy", 1), `&`, ``, 1) + `,`,
+		`MinReadySeconds:` + fmt.Sprintf("%v", this.MinReadySeconds) + `,`,
+		`TemplateGeneration:` + fmt.Sprintf("%v", this.TemplateGeneration) + `,`,
+		`RevisionHistoryLimit:` + valueToStringGenerated(this.RevisionHistoryLimit) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonSetStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonSetStatus{`,
+		`CurrentNumberScheduled:` + fmt.Sprintf("%v", this.CurrentNumberScheduled) + `,`,
+		`NumberMisscheduled:` + fmt.Sprintf("%v", this.NumberMisscheduled) + `,`,
+		`DesiredNumberScheduled:` + fmt.Sprintf("%v", this.DesiredNumberScheduled) + `,`,
+		`NumberReady:` + fmt.Sprintf("%v", this.NumberReady) + `,`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
+		`UpdatedNumberScheduled:` + fmt.Sprintf("%v", this.UpdatedNumberScheduled) + `,`,
+		`NumberAvailable:` + fmt.Sprintf("%v", this.NumberAvailable) + `,`,
+		`NumberUnavailable:` + fmt.Sprintf("%v", this.NumberUnavailable) + `,`,
+		`CollisionCount:` + valueToStringGenerated(this.CollisionCount) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DaemonSetUpdateStrategy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DaemonSetUpdateStrategy{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`RollingUpdate:` + strings.Replace(fmt.Sprintf("%v", this.RollingUpdate), "RollingUpdateDaemonSet", "RollingUpdateDaemonSet", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Deployment) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Deployment{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "DeploymentSpec", "DeploymentSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "DeploymentStatus", "DeploymentStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`LastUpdateTime:` + strings.Replace(strings.Replace(this.LastUpdateTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Deployment", "Deployment", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentRollback) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForUpdatedAnnotations := make([]string, 0, len(this.UpdatedAnnotations))
+	for k := range this.UpdatedAnnotations {
+		keysForUpdatedAnnotations = append(keysForUpdatedAnnotations, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForUpdatedAnnotations)
+	mapStringForUpdatedAnnotations := "map[string]string{"
+	for _, k := range keysForUpdatedAnnotations {
+		mapStringForUpdatedAnnotations += fmt.Sprintf("%v: %v,", k, this.UpdatedAnnotations[k])
+	}
+	mapStringForUpdatedAnnotations += "}"
+	s := strings.Join([]string{`&DeploymentRollback{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`UpdatedAnnotations:` + mapStringForUpdatedAnnotations + `,`,
+		`RollbackTo:` + strings.Replace(strings.Replace(this.RollbackTo.String(), "RollbackConfig", "RollbackConfig", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentSpec{`,
+		`Replicas:` + valueToStringGenerated(this.Replicas) + `,`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "k8s_io_api_core_v1.PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`Strategy:` + strings.Replace(strings.Replace(this.Strategy.String(), "DeploymentStrategy", "DeploymentStrategy", 1), `&`, ``, 1) + `,`,
+		`MinReadySeconds:` + fmt.Sprintf("%v", this.MinReadySeconds) + `,`,
+		`RevisionHistoryLimit:` + valueToStringGenerated(this.RevisionHistoryLimit) + `,`,
+		`Paused:` + fmt.Sprintf("%v", this.Paused) + `,`,
+		`RollbackTo:` + strings.Replace(fmt.Sprintf("%v", this.RollbackTo), "RollbackConfig", "RollbackConfig", 1) + `,`,
+		`ProgressDeadlineSeconds:` + valueToStringGenerated(this.ProgressDeadlineSeconds) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentStatus{`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`UpdatedReplicas:` + fmt.Sprintf("%v", this.UpdatedReplicas) + `,`,
+		`AvailableReplicas:` + fmt.Sprintf("%v", this.AvailableReplicas) + `,`,
+		`UnavailableReplicas:` + fmt.Sprintf("%v", this.UnavailableReplicas) + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "DeploymentCondition", "DeploymentCondition", 1), `&`, ``, 1) + `,`,
+		`ReadyReplicas:` + fmt.Sprintf("%v", this.ReadyReplicas) + `,`,
+		`CollisionCount:` + valueToStringGenerated(this.CollisionCount) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeploymentStrategy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeploymentStrategy{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`RollingUpdate:` + strings.Replace(fmt.Sprintf("%v", this.RollingUpdate), "RollingUpdateDeployment", "RollingUpdateDeployment", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *FSGroupStrategyOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&FSGroupStrategyOptions{`,
+		`Rule:` + fmt.Sprintf("%v", this.Rule) + `,`,
+		`Ranges:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ranges), "IDRange", "IDRange", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HTTPIngressPath) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HTTPIngressPath{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`Backend:` + strings.Replace(strings.Replace(this.Backend.String(), "IngressBackend", "IngressBackend", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HTTPIngressRuleValue) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HTTPIngressRuleValue{`,
+		`Paths:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Paths), "HTTPIngressPath", "HTTPIngressPath", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *HostPortRange) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&HostPortRange{`,
+		`Min:` + fmt.Sprintf("%v", this.Min) + `,`,
+		`Max:` + fmt.Sprintf("%v", this.Max) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *IDRange) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&IDRange{`,
+		`Min:` + fmt.Sprintf("%v", this.Min) + `,`,
+		`Max:` + fmt.Sprintf("%v", this.Max) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *IPBlock) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&IPBlock{`,
+		`CIDR:` + fmt.Sprintf("%v", this.CIDR) + `,`,
+		`Except:` + fmt.Sprintf("%v", this.Except) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Ingress) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Ingress{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "IngressSpec", "IngressSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "IngressStatus", "IngressStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *IngressBackend) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&IngressBackend{`,
+		`ServiceName:` + fmt.Sprintf("%v", this.ServiceName) + `,`,
+		`ServicePort:` + strings.Replace(strings.Replace(this.ServicePort.String(), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *IngressList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&IngressList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Ingress", "Ingress", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *IngressRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&IngressRule{`,
+		`Host:` + fmt.Sprintf("%v", this.Host) + `,`,
+		`IngressRuleValue:` + strings.Replace(strings.Replace(this.IngressRuleValue.String(), "IngressRuleValue", "IngressRuleValue", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *IngressRuleValue) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&IngressRuleValue{`,
+		`HTTP:` + strings.Replace(fmt.Sprintf("%v", this.HTTP), "HTTPIngressRuleValue", "HTTPIngressRuleValue", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *IngressSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&IngressSpec{`,
+		`Backend:` + strings.Replace(fmt.Sprintf("%v", this.Backend), "IngressBackend", "IngressBackend", 1) + `,`,
+		`TLS:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.TLS), "IngressTLS", "IngressTLS", 1), `&`, ``, 1) + `,`,
+		`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "IngressRule", "IngressRule", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *IngressStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&IngressStatus{`,
+		`LoadBalancer:` + strings.Replace(strings.Replace(this.LoadBalancer.String(), "LoadBalancerStatus", "k8s_io_api_core_v1.LoadBalancerStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *IngressTLS) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&IngressTLS{`,
+		`Hosts:` + fmt.Sprintf("%v", this.Hosts) + `,`,
+		`SecretName:` + fmt.Sprintf("%v", this.SecretName) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicy{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "NetworkPolicySpec", "NetworkPolicySpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicyEgressRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyEgressRule{`,
+		`Ports:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ports), "NetworkPolicyPort", "NetworkPolicyPort", 1), `&`, ``, 1) + `,`,
+		`To:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.To), "NetworkPolicyPeer", "NetworkPolicyPeer", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicyIngressRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyIngressRule{`,
+		`Ports:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ports), "NetworkPolicyPort", "NetworkPolicyPort", 1), `&`, ``, 1) + `,`,
+		`From:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.From), "NetworkPolicyPeer", "NetworkPolicyPeer", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicyList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "NetworkPolicy", "NetworkPolicy", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicyPeer) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyPeer{`,
+		`PodSelector:` + strings.Replace(fmt.Sprintf("%v", this.PodSelector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`NamespaceSelector:` + strings.Replace(fmt.Sprintf("%v", this.NamespaceSelector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`IPBlock:` + strings.Replace(fmt.Sprintf("%v", this.IPBlock), "IPBlock", "IPBlock", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicyPort) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyPort{`,
+		`Protocol:` + valueToStringGenerated(this.Protocol) + `,`,
+		`Port:` + strings.Replace(fmt.Sprintf("%v", this.Port), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicySpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicySpec{`,
+		`PodSelector:` + strings.Replace(strings.Replace(this.PodSelector.String(), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1), `&`, ``, 1) + `,`,
+		`Ingress:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ingress), "NetworkPolicyIngressRule", "NetworkPolicyIngressRule", 1), `&`, ``, 1) + `,`,
+		`Egress:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Egress), "NetworkPolicyEgressRule", "NetworkPolicyEgressRule", 1), `&`, ``, 1) + `,`,
+		`PolicyTypes:` + fmt.Sprintf("%v", this.PolicyTypes) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodSecurityPolicy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodSecurityPolicy{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PodSecurityPolicySpec", "PodSecurityPolicySpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodSecurityPolicyList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodSecurityPolicyList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "PodSecurityPolicy", "PodSecurityPolicy", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodSecurityPolicySpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodSecurityPolicySpec{`,
+		`Privileged:` + fmt.Sprintf("%v", this.Privileged) + `,`,
+		`DefaultAddCapabilities:` + fmt.Sprintf("%v", this.DefaultAddCapabilities) + `,`,
+		`RequiredDropCapabilities:` + fmt.Sprintf("%v", this.RequiredDropCapabilities) + `,`,
+		`AllowedCapabilities:` + fmt.Sprintf("%v", this.AllowedCapabilities) + `,`,
+		`Volumes:` + fmt.Sprintf("%v", this.Volumes) + `,`,
+		`HostNetwork:` + fmt.Sprintf("%v", this.HostNetwork) + `,`,
+		`HostPorts:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.HostPorts), "HostPortRange", "HostPortRange", 1), `&`, ``, 1) + `,`,
+		`HostPID:` + fmt.Sprintf("%v", this.HostPID) + `,`,
+		`HostIPC:` + fmt.Sprintf("%v", this.HostIPC) + `,`,
+		`SELinux:` + strings.Replace(strings.Replace(this.SELinux.String(), "SELinuxStrategyOptions", "SELinuxStrategyOptions", 1), `&`, ``, 1) + `,`,
+		`RunAsUser:` + strings.Replace(strings.Replace(this.RunAsUser.String(), "RunAsUserStrategyOptions", "RunAsUserStrategyOptions", 1), `&`, ``, 1) + `,`,
+		`SupplementalGroups:` + strings.Replace(strings.Replace(this.SupplementalGroups.String(), "SupplementalGroupsStrategyOptions", "SupplementalGroupsStrategyOptions", 1), `&`, ``, 1) + `,`,
+		`FSGroup:` + strings.Replace(strings.Replace(this.FSGroup.String(), "FSGroupStrategyOptions", "FSGroupStrategyOptions", 1), `&`, ``, 1) + `,`,
+		`ReadOnlyRootFilesystem:` + fmt.Sprintf("%v", this.ReadOnlyRootFilesystem) + `,`,
+		`DefaultAllowPrivilegeEscalation:` + valueToStringGenerated(this.DefaultAllowPrivilegeEscalation) + `,`,
+		`AllowPrivilegeEscalation:` + valueToStringGenerated(this.AllowPrivilegeEscalation) + `,`,
+		`AllowedHostPaths:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedHostPaths), "AllowedHostPath", "AllowedHostPath", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicaSet) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicaSet{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ReplicaSetSpec", "ReplicaSetSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "ReplicaSetStatus", "ReplicaSetStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicaSetCondition) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicaSetCondition{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`LastTransitionTime:` + strings.Replace(strings.Replace(this.LastTransitionTime.String(), "Time", "k8s_io_apimachinery_pkg_apis_meta_v1.Time", 1), `&`, ``, 1) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicaSetList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicaSetList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ReplicaSet", "ReplicaSet", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicaSetSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicaSetSpec{`,
+		`Replicas:` + valueToStringGenerated(this.Replicas) + `,`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`Template:` + strings.Replace(strings.Replace(this.Template.String(), "PodTemplateSpec", "k8s_io_api_core_v1.PodTemplateSpec", 1), `&`, ``, 1) + `,`,
+		`MinReadySeconds:` + fmt.Sprintf("%v", this.MinReadySeconds) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicaSetStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicaSetStatus{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`FullyLabeledReplicas:` + fmt.Sprintf("%v", this.FullyLabeledReplicas) + `,`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
+		`ReadyReplicas:` + fmt.Sprintf("%v", this.ReadyReplicas) + `,`,
+		`AvailableReplicas:` + fmt.Sprintf("%v", this.AvailableReplicas) + `,`,
+		`Conditions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Conditions), "ReplicaSetCondition", "ReplicaSetCondition", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ReplicationControllerDummy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ReplicationControllerDummy{`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RollbackConfig) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RollbackConfig{`,
+		`Revision:` + fmt.Sprintf("%v", this.Revision) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RollingUpdateDaemonSet) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RollingUpdateDaemonSet{`,
+		`MaxUnavailable:` + strings.Replace(fmt.Sprintf("%v", this.MaxUnavailable), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RollingUpdateDeployment) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RollingUpdateDeployment{`,
+		`MaxUnavailable:` + strings.Replace(fmt.Sprintf("%v", this.MaxUnavailable), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`MaxSurge:` + strings.Replace(fmt.Sprintf("%v", this.MaxSurge), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RunAsUserStrategyOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RunAsUserStrategyOptions{`,
+		`Rule:` + fmt.Sprintf("%v", this.Rule) + `,`,
+		`Ranges:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ranges), "IDRange", "IDRange", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SELinuxStrategyOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SELinuxStrategyOptions{`,
+		`Rule:` + fmt.Sprintf("%v", this.Rule) + `,`,
+		`SELinuxOptions:` + strings.Replace(fmt.Sprintf("%v", this.SELinuxOptions), "SELinuxOptions", "k8s_io_api_core_v1.SELinuxOptions", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Scale) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Scale{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "ScaleSpec", "ScaleSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "ScaleStatus", "ScaleStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ScaleSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ScaleSpec{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ScaleStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForSelector := make([]string, 0, len(this.Selector))
+	for k := range this.Selector {
+		keysForSelector = append(keysForSelector, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForSelector)
+	mapStringForSelector := "map[string]string{"
+	for _, k := range keysForSelector {
+		mapStringForSelector += fmt.Sprintf("%v: %v,", k, this.Selector[k])
+	}
+	mapStringForSelector += "}"
+	s := strings.Join([]string{`&ScaleStatus{`,
+		`Replicas:` + fmt.Sprintf("%v", this.Replicas) + `,`,
+		`Selector:` + mapStringForSelector + `,`,
+		`TargetSelector:` + fmt.Sprintf("%v", this.TargetSelector) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *SupplementalGroupsStrategyOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&SupplementalGroupsStrategyOptions{`,
+		`Rule:` + fmt.Sprintf("%v", this.Rule) + `,`,
+		`Ranges:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ranges), "IDRange", "IDRange", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ThirdPartyResource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ThirdPartyResource{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Description:` + fmt.Sprintf("%v", this.Description) + `,`,
+		`Versions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Versions), "APIVersion", "APIVersion", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ThirdPartyResourceData) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ThirdPartyResourceData{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Data:` + valueToStringGenerated(this.Data) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ThirdPartyResourceDataList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ThirdPartyResourceDataList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ThirdPartyResourceData", "ThirdPartyResourceData", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ThirdPartyResourceList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ThirdPartyResourceList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ThirdPartyResource", "ThirdPartyResource", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *APIVersion) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: APIVersion: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: APIVersion: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *AllowedHostPath) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: AllowedHostPath: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: AllowedHostPath: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PathPrefix", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PathPrefix = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CustomMetricCurrentStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CustomMetricCurrentStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CustomMetricCurrentStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.CurrentValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CustomMetricCurrentStatusList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CustomMetricCurrentStatusList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CustomMetricCurrentStatusList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, CustomMetricCurrentStatus{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CustomMetricTarget) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CustomMetricTarget: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CustomMetricTarget: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.TargetValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CustomMetricTargetList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CustomMetricTargetList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CustomMetricTargetList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, CustomMetricTarget{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonSet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonSet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonSet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonSetList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonSetList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonSetList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, DaemonSet{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonSetSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonSetSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonSetSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdateStrategy", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.UpdateStrategy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinReadySeconds", wireType)
+			}
+			m.MinReadySeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MinReadySeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TemplateGeneration", wireType)
+			}
+			m.TemplateGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.TemplateGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RevisionHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.RevisionHistoryLimit = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonSetStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonSetStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonSetStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentNumberScheduled", wireType)
+			}
+			m.CurrentNumberScheduled = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.CurrentNumberScheduled |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NumberMisscheduled", wireType)
+			}
+			m.NumberMisscheduled = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.NumberMisscheduled |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DesiredNumberScheduled", wireType)
+			}
+			m.DesiredNumberScheduled = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.DesiredNumberScheduled |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NumberReady", wireType)
+			}
+			m.NumberReady = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.NumberReady |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdatedNumberScheduled", wireType)
+			}
+			m.UpdatedNumberScheduled = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UpdatedNumberScheduled |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NumberAvailable", wireType)
+			}
+			m.NumberAvailable = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.NumberAvailable |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NumberUnavailable", wireType)
+			}
+			m.NumberUnavailable = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.NumberUnavailable |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CollisionCount", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.CollisionCount = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DaemonSetUpdateStrategy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DaemonSetUpdateStrategy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DaemonSetUpdateStrategy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = DaemonSetUpdateStrategyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollingUpdate", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RollingUpdate == nil {
+				m.RollingUpdate = &RollingUpdateDaemonSet{}
+			}
+			if err := m.RollingUpdate.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Deployment) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Deployment: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Deployment: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = DeploymentConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastUpdateTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastUpdateTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Deployment{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentRollback) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentRollback: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentRollback: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdatedAnnotations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.UpdatedAnnotations == nil {
+				m.UpdatedAnnotations = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.UpdatedAnnotations[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.UpdatedAnnotations[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollbackTo", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.RollbackTo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Replicas = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Strategy", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Strategy.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinReadySeconds", wireType)
+			}
+			m.MinReadySeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MinReadySeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RevisionHistoryLimit", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.RevisionHistoryLimit = &v
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Paused", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Paused = bool(v != 0)
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollbackTo", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RollbackTo == nil {
+				m.RollbackTo = &RollbackConfig{}
+			}
+			if err := m.RollbackTo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ProgressDeadlineSeconds", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ProgressDeadlineSeconds = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UpdatedReplicas", wireType)
+			}
+			m.UpdatedReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UpdatedReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AvailableReplicas", wireType)
+			}
+			m.AvailableReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.AvailableReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UnavailableReplicas", wireType)
+			}
+			m.UnavailableReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UnavailableReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, DeploymentCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadyReplicas", wireType)
+			}
+			m.ReadyReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ReadyReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CollisionCount", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.CollisionCount = &v
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeploymentStrategy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeploymentStrategy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeploymentStrategy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = DeploymentStrategyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RollingUpdate", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.RollingUpdate == nil {
+				m.RollingUpdate = &RollingUpdateDeployment{}
+			}
+			if err := m.RollingUpdate.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *FSGroupStrategyOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: FSGroupStrategyOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: FSGroupStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rule", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rule = FSGroupStrategyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ranges", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ranges = append(m.Ranges, IDRange{})
+			if err := m.Ranges[len(m.Ranges)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HTTPIngressPath) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HTTPIngressPath: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HTTPIngressPath: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Backend", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Backend.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HTTPIngressRuleValue) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HTTPIngressRuleValue: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HTTPIngressRuleValue: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Paths", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Paths = append(m.Paths, HTTPIngressPath{})
+			if err := m.Paths[len(m.Paths)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *HostPortRange) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: HostPortRange: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: HostPortRange: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Min", wireType)
+			}
+			m.Min = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Min |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Max", wireType)
+			}
+			m.Max = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Max |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *IDRange) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IDRange: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IDRange: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Min", wireType)
+			}
+			m.Min = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Min |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Max", wireType)
+			}
+			m.Max = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Max |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *IPBlock) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IPBlock: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IPBlock: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CIDR", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.CIDR = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Except", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Except = append(m.Except, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Ingress) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Ingress: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Ingress: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *IngressBackend) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IngressBackend: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IngressBackend: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServiceName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ServiceName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServicePort", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ServicePort.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *IngressList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IngressList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IngressList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Ingress{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *IngressRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IngressRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IngressRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Host = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IngressRuleValue", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.IngressRuleValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *IngressRuleValue) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IngressRuleValue: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IngressRuleValue: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HTTP", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.HTTP == nil {
+				m.HTTP = &HTTPIngressRuleValue{}
+			}
+			if err := m.HTTP.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *IngressSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IngressSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IngressSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Backend", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Backend == nil {
+				m.Backend = &IngressBackend{}
+			}
+			if err := m.Backend.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TLS", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TLS = append(m.TLS, IngressTLS{})
+			if err := m.TLS[len(m.TLS)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rules = append(m.Rules, IngressRule{})
+			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *IngressStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IngressStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IngressStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LoadBalancer", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LoadBalancer.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *IngressTLS) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IngressTLS: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IngressTLS: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Hosts", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Hosts = append(m.Hosts, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SecretName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SecretName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicyEgressRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyEgressRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyEgressRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ports = append(m.Ports, NetworkPolicyPort{})
+			if err := m.Ports[len(m.Ports)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field To", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.To = append(m.To, NetworkPolicyPeer{})
+			if err := m.To[len(m.To)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicyIngressRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyIngressRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyIngressRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ports = append(m.Ports, NetworkPolicyPort{})
+			if err := m.Ports[len(m.Ports)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field From", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.From = append(m.From, NetworkPolicyPeer{})
+			if err := m.From[len(m.From)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, NetworkPolicy{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyPeer: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyPeer: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodSelector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PodSelector == nil {
+				m.PodSelector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.PodSelector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NamespaceSelector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.NamespaceSelector == nil {
+				m.NamespaceSelector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.NamespaceSelector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IPBlock", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.IPBlock == nil {
+				m.IPBlock = &IPBlock{}
+			}
+			if err := m.IPBlock.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicyPort) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyPort: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyPort: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Protocol", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := k8s_io_api_core_v1.Protocol(dAtA[iNdEx:postIndex])
+			m.Protocol = &s
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Port", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Port == nil {
+				m.Port = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.Port.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicySpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicySpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicySpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodSelector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.PodSelector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ingress", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ingress = append(m.Ingress, NetworkPolicyIngressRule{})
+			if err := m.Ingress[len(m.Ingress)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Egress", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Egress = append(m.Egress, NetworkPolicyEgressRule{})
+			if err := m.Egress[len(m.Egress)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PolicyTypes", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PolicyTypes = append(m.PolicyTypes, PolicyType(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodSecurityPolicy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodSecurityPolicy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodSecurityPolicy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodSecurityPolicyList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodSecurityPolicyList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodSecurityPolicyList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, PodSecurityPolicy{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodSecurityPolicySpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodSecurityPolicySpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodSecurityPolicySpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Privileged", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Privileged = bool(v != 0)
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DefaultAddCapabilities", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DefaultAddCapabilities = append(m.DefaultAddCapabilities, k8s_io_api_core_v1.Capability(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RequiredDropCapabilities", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.RequiredDropCapabilities = append(m.RequiredDropCapabilities, k8s_io_api_core_v1.Capability(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllowedCapabilities", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.AllowedCapabilities = append(m.AllowedCapabilities, k8s_io_api_core_v1.Capability(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Volumes", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Volumes = append(m.Volumes, FSType(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostNetwork", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.HostNetwork = bool(v != 0)
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostPorts", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.HostPorts = append(m.HostPorts, HostPortRange{})
+			if err := m.HostPorts[len(m.HostPorts)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostPID", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.HostPID = bool(v != 0)
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HostIPC", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.HostIPC = bool(v != 0)
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SELinux", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.SELinux.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RunAsUser", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.RunAsUser.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 12:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SupplementalGroups", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.SupplementalGroups.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 13:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FSGroup", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.FSGroup.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 14:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadOnlyRootFilesystem", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.ReadOnlyRootFilesystem = bool(v != 0)
+		case 15:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DefaultAllowPrivilegeEscalation", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.DefaultAllowPrivilegeEscalation = &b
+		case 16:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllowPrivilegeEscalation", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.AllowPrivilegeEscalation = &b
+		case 17:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllowedHostPaths", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.AllowedHostPaths = append(m.AllowedHostPaths, AllowedHostPath{})
+			if err := m.AllowedHostPaths[len(m.AllowedHostPaths)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicaSet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicaSet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicaSet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicaSetCondition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicaSetCondition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicaSetCondition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = ReplicaSetConditionType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = k8s_io_api_core_v1.ConditionStatus(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastTransitionTime", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.LastTransitionTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicaSetList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicaSetList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicaSetList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ReplicaSet{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicaSetSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicaSetSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicaSetSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			var v int32
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Replicas = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Template", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Template.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinReadySeconds", wireType)
+			}
+			m.MinReadySeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MinReadySeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicaSetStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicaSetStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicaSetStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FullyLabeledReplicas", wireType)
+			}
+			m.FullyLabeledReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.FullyLabeledReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReadyReplicas", wireType)
+			}
+			m.ReadyReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ReadyReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AvailableReplicas", wireType)
+			}
+			m.AvailableReplicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.AvailableReplicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Conditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Conditions = append(m.Conditions, ReplicaSetCondition{})
+			if err := m.Conditions[len(m.Conditions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReplicationControllerDummy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReplicationControllerDummy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReplicationControllerDummy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RollbackConfig) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RollbackConfig: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RollbackConfig: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Revision", wireType)
+			}
+			m.Revision = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Revision |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RollingUpdateDaemonSet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RollingUpdateDaemonSet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RollingUpdateDaemonSet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxUnavailable", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.MaxUnavailable == nil {
+				m.MaxUnavailable = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.MaxUnavailable.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RollingUpdateDeployment) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RollingUpdateDeployment: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RollingUpdateDeployment: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxUnavailable", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.MaxUnavailable == nil {
+				m.MaxUnavailable = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.MaxUnavailable.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxSurge", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.MaxSurge == nil {
+				m.MaxSurge = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.MaxSurge.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RunAsUserStrategyOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RunAsUserStrategyOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RunAsUserStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rule", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rule = RunAsUserStrategy(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ranges", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ranges = append(m.Ranges, IDRange{})
+			if err := m.Ranges[len(m.Ranges)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SELinuxStrategyOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SELinuxStrategyOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SELinuxStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rule", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rule = SELinuxStrategy(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SELinuxOptions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.SELinuxOptions == nil {
+				m.SELinuxOptions = &k8s_io_api_core_v1.SELinuxOptions{}
+			}
+			if err := m.SELinuxOptions.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Scale) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Scale: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Scale: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ScaleSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ScaleSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ScaleSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ScaleStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ScaleStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ScaleStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Replicas", wireType)
+			}
+			m.Replicas = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Replicas |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Selector == nil {
+				m.Selector = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Selector[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Selector[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TargetSelector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TargetSelector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SupplementalGroupsStrategyOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SupplementalGroupsStrategyOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SupplementalGroupsStrategyOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rule", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rule = SupplementalGroupsStrategyType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ranges", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ranges = append(m.Ranges, IDRange{})
+			if err := m.Ranges[len(m.Ranges)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ThirdPartyResource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ThirdPartyResource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ThirdPartyResource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Description", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Description = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Versions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Versions = append(m.Versions, APIVersion{})
+			if err := m.Versions[len(m.Versions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ThirdPartyResourceData) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ThirdPartyResourceData: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ThirdPartyResourceData: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ThirdPartyResourceDataList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ThirdPartyResourceDataList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ThirdPartyResourceDataList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ThirdPartyResourceData{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ThirdPartyResourceList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ThirdPartyResourceList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ThirdPartyResourceList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ThirdPartyResource{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/extensions/v1beta1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 3632 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0xcd, 0x6f, 0x24, 0xc7,
+	0x75, 0xdf, 0x9e, 0x0f, 0xce, 0xf0, 0x71, 0xf9, 0x55, 0x5c, 0x91, 0x63, 0x4a, 0xcb, 0x59, 0xb7,
+	0x80, 0xcd, 0x4a, 0x91, 0x66, 0xb4, 0x94, 0x56, 0x56, 0x24, 0xc4, 0x0e, 0x87, 0xdc, 0x0f, 0x3a,
+	0xfc, 0x18, 0xd5, 0x0c, 0x69, 0x67, 0x91, 0x75, 0xd4, 0x9c, 0x29, 0x0e, 0x7b, 0xd9, 0xd3, 0xdd,
+	0xee, 0xae, 0xa6, 0x39, 0x97, 0x20, 0x87, 0xc0, 0x40, 0x80, 0x04, 0x49, 0x0e, 0x0e, 0x94, 0x5b,
+	0x7c, 0xc9, 0x29, 0x41, 0x7c, 0x4b, 0x0e, 0x86, 0x81, 0x00, 0x0e, 0xb0, 0x08, 0x9c, 0xc0, 0xa7,
+	0xc4, 0x27, 0x22, 0xa2, 0x8e, 0xf9, 0x07, 0x82, 0x3d, 0x04, 0x41, 0x55, 0x57, 0x7f, 0x77, 0x73,
+	0x66, 0xa8, 0x25, 0x11, 0xf8, 0x36, 0x5d, 0xef, 0xbd, 0xdf, 0x7b, 0xf5, 0xaa, 0xea, 0xbd, 0x57,
+	0x1f, 0x03, 0x8f, 0x8e, 0x3f, 0xb2, 0x6b, 0xaa, 0x51, 0x3f, 0x76, 0x0e, 0x88, 0xa5, 0x13, 0x4a,
+	0xec, 0xfa, 0x09, 0xd1, 0xbb, 0x86, 0x55, 0x17, 0x04, 0xc5, 0x54, 0xeb, 0xe4, 0x94, 0x12, 0xdd,
+	0x56, 0x0d, 0xdd, 0xae, 0x9f, 0xdc, 0x3f, 0x20, 0x54, 0xb9, 0x5f, 0xef, 0x11, 0x9d, 0x58, 0x0a,
+	0x25, 0xdd, 0x9a, 0x69, 0x19, 0xd4, 0x40, 0xb7, 0x5d, 0xf6, 0x9a, 0x62, 0xaa, 0xb5, 0x80, 0xbd,
+	0x26, 0xd8, 0x97, 0xdf, 0xed, 0xa9, 0xf4, 0xc8, 0x39, 0xa8, 0x75, 0x8c, 0x7e, 0xbd, 0x67, 0xf4,
+	0x8c, 0x3a, 0x97, 0x3a, 0x70, 0x0e, 0xf9, 0x17, 0xff, 0xe0, 0xbf, 0x5c, 0xb4, 0x65, 0x39, 0xa4,
+	0xbc, 0x63, 0x58, 0xa4, 0x7e, 0x92, 0xd0, 0xb8, 0xfc, 0x56, 0x88, 0xc7, 0x34, 0x34, 0xb5, 0x33,
+	0xc8, 0x32, 0x6e, 0xf9, 0x83, 0x80, 0xb5, 0xaf, 0x74, 0x8e, 0x54, 0x9d, 0x58, 0x83, 0xba, 0x79,
+	0xdc, 0xe3, 0xb2, 0x16, 0xb1, 0x0d, 0xc7, 0xea, 0x90, 0xb1, 0xa4, 0xec, 0x7a, 0x9f, 0x50, 0x25,
+	0xcd, 0xac, 0x7a, 0x96, 0x94, 0xe5, 0xe8, 0x54, 0xed, 0x27, 0xd5, 0x7c, 0x38, 0x4c, 0xc0, 0xee,
+	0x1c, 0x91, 0xbe, 0x92, 0x90, 0x7b, 0x3f, 0x4b, 0xce, 0xa1, 0xaa, 0x56, 0x57, 0x75, 0x6a, 0x53,
+	0x2b, 0x2e, 0x24, 0xd7, 0x00, 0xd6, 0x9a, 0x9b, 0xfb, 0xc4, 0x62, 0xc3, 0x83, 0xee, 0x40, 0x41,
+	0x57, 0xfa, 0xa4, 0x22, 0xdd, 0x91, 0xee, 0x4d, 0x36, 0x6e, 0xbe, 0x38, 0xab, 0xde, 0x38, 0x3f,
+	0xab, 0x16, 0x76, 0x94, 0x3e, 0xc1, 0x9c, 0x22, 0x3f, 0x84, 0xd9, 0x35, 0x4d, 0x33, 0x7e, 0x40,
+	0xba, 0x4f, 0x0c, 0x9b, 0x36, 0x15, 0x7a, 0x84, 0x56, 0x01, 0x4c, 0x85, 0x1e, 0x35, 0x2d, 0x72,
+	0xa8, 0x9e, 0x0a, 0x51, 0x24, 0x44, 0xa1, 0xe9, 0x53, 0x70, 0x88, 0x4b, 0xfe, 0x6b, 0x09, 0xbe,
+	0xb6, 0xee, 0xd8, 0xd4, 0xe8, 0x6f, 0x13, 0x6a, 0xa9, 0x9d, 0x75, 0xc7, 0xb2, 0x88, 0x4e, 0x5b,
+	0x54, 0xa1, 0x8e, 0x3d, 0xdc, 0x0c, 0xf4, 0x14, 0x8a, 0x27, 0x8a, 0xe6, 0x90, 0x4a, 0xee, 0x8e,
+	0x74, 0x6f, 0x6a, 0xb5, 0x56, 0x0b, 0x66, 0x9b, 0xdf, 0xf7, 0x9a, 0x79, 0xdc, 0xe3, 0xd3, 0xcf,
+	0x1b, 0xd0, 0xda, 0xa7, 0x8e, 0xa2, 0x53, 0x95, 0x0e, 0x1a, 0xb7, 0x04, 0xe4, 0x4d, 0xa1, 0x77,
+	0x9f, 0x61, 0x61, 0x17, 0x52, 0xfe, 0x43, 0xb8, 0x9d, 0x69, 0xda, 0x96, 0x6a, 0x53, 0xf4, 0x0c,
+	0x8a, 0x2a, 0x25, 0x7d, 0xbb, 0x22, 0xdd, 0xc9, 0xdf, 0x9b, 0x5a, 0xfd, 0xa8, 0x76, 0xe1, 0x54,
+	0xaf, 0x65, 0x82, 0x35, 0xa6, 0x85, 0x19, 0xc5, 0x4d, 0x06, 0x87, 0x5d, 0x54, 0xf9, 0x2f, 0x25,
+	0x40, 0x61, 0x99, 0xb6, 0x62, 0xf5, 0x08, 0x1d, 0xc1, 0x29, 0xbf, 0xf7, 0xd5, 0x9c, 0xb2, 0x20,
+	0x20, 0xa7, 0x5c, 0x85, 0x11, 0x9f, 0x98, 0xb0, 0x98, 0x34, 0x89, 0x3b, 0x63, 0x3f, 0xea, 0x8c,
+	0xfb, 0x63, 0x38, 0xc3, 0x45, 0xc9, 0xf0, 0xc2, 0x8f, 0x72, 0x30, 0xb9, 0xa1, 0x90, 0xbe, 0xa1,
+	0xb7, 0x08, 0x45, 0x9f, 0x41, 0x99, 0xad, 0xaf, 0xae, 0x42, 0x15, 0xee, 0x80, 0xa9, 0xd5, 0xf7,
+	0x2e, 0xea, 0x9d, 0x5d, 0x63, 0xdc, 0xb5, 0x93, 0xfb, 0xb5, 0xdd, 0x83, 0xe7, 0xa4, 0x43, 0xb7,
+	0x09, 0x55, 0x82, 0x39, 0x19, 0xb4, 0x61, 0x1f, 0x15, 0xed, 0x40, 0xc1, 0x36, 0x49, 0x47, 0xf8,
+	0xee, 0x9d, 0x21, 0xdd, 0xf0, 0x2d, 0x6b, 0x99, 0xa4, 0x13, 0x0c, 0x06, 0xfb, 0xc2, 0x1c, 0x07,
+	0xed, 0xc3, 0x84, 0xcd, 0x47, 0xb9, 0x92, 0x4f, 0x8c, 0xc6, 0xc5, 0x88, 0xee, 0xdc, 0x98, 0x11,
+	0x98, 0x13, 0xee, 0x37, 0x16, 0x68, 0xf2, 0x4f, 0x25, 0x98, 0xf6, 0x79, 0xf9, 0x08, 0xfc, 0x7e,
+	0xc2, 0x37, 0xb5, 0xd1, 0x7c, 0xc3, 0xa4, 0xb9, 0x67, 0xe6, 0x84, 0xae, 0xb2, 0xd7, 0x12, 0xf2,
+	0xcb, 0xb6, 0x37, 0xbe, 0x39, 0x3e, 0xbe, 0xf7, 0x46, 0xed, 0x46, 0xc6, 0xb0, 0xfe, 0x55, 0x21,
+	0x64, 0x3e, 0x73, 0x17, 0x7a, 0x06, 0x65, 0x9b, 0x68, 0xa4, 0x43, 0x0d, 0x4b, 0x98, 0xff, 0xfe,
+	0x88, 0xe6, 0x2b, 0x07, 0x44, 0x6b, 0x09, 0xd1, 0xc6, 0x4d, 0x66, 0xbf, 0xf7, 0x85, 0x7d, 0x48,
+	0xf4, 0x29, 0x94, 0x29, 0xe9, 0x9b, 0x9a, 0x42, 0xbd, 0x75, 0xf1, 0x66, 0xb8, 0x0b, 0x2c, 0x99,
+	0x30, 0xb0, 0xa6, 0xd1, 0x6d, 0x0b, 0x36, 0x3e, 0xa4, 0xbe, 0x4b, 0xbc, 0x56, 0xec, 0xc3, 0xa0,
+	0x13, 0x98, 0x71, 0xcc, 0x2e, 0xe3, 0xa4, 0x2c, 0x94, 0xf6, 0x06, 0x62, 0x88, 0x3f, 0x1c, 0xd5,
+	0x37, 0x7b, 0x11, 0xe9, 0xc6, 0xa2, 0xd0, 0x35, 0x13, 0x6d, 0xc7, 0x31, 0x2d, 0x68, 0x0d, 0x66,
+	0xfb, 0xaa, 0x8e, 0x89, 0xd2, 0x1d, 0xb4, 0x48, 0xc7, 0xd0, 0xbb, 0x76, 0xa5, 0x70, 0x47, 0xba,
+	0x57, 0x6c, 0x2c, 0x09, 0x80, 0xd9, 0xed, 0x28, 0x19, 0xc7, 0xf9, 0xd1, 0xb7, 0x01, 0x79, 0xdd,
+	0x78, 0xec, 0x66, 0x02, 0xd5, 0xd0, 0x2b, 0xc5, 0x3b, 0xd2, 0xbd, 0x7c, 0x63, 0x59, 0xa0, 0xa0,
+	0x76, 0x82, 0x03, 0xa7, 0x48, 0xa1, 0x2d, 0xb8, 0x65, 0x91, 0x13, 0x95, 0xf5, 0xf1, 0x89, 0x6a,
+	0x53, 0xc3, 0x1a, 0x6c, 0xa9, 0x7d, 0x95, 0x56, 0x26, 0xb8, 0x4d, 0x95, 0xf3, 0xb3, 0xea, 0x2d,
+	0x9c, 0x42, 0xc7, 0xa9, 0x52, 0xf2, 0x4f, 0x8a, 0x30, 0x1b, 0x5b, 0x03, 0x68, 0x1f, 0x16, 0x3b,
+	0x6e, 0xc0, 0xdc, 0x71, 0xfa, 0x07, 0xc4, 0x6a, 0x75, 0x8e, 0x48, 0xd7, 0xd1, 0x48, 0x97, 0x4f,
+	0x94, 0x62, 0x63, 0x45, 0x58, 0xbc, 0xb8, 0x9e, 0xca, 0x85, 0x33, 0xa4, 0x99, 0x17, 0x74, 0xde,
+	0xb4, 0xad, 0xda, 0xb6, 0x8f, 0x99, 0xe3, 0x98, 0xbe, 0x17, 0x76, 0x12, 0x1c, 0x38, 0x45, 0x8a,
+	0xd9, 0xd8, 0x25, 0xb6, 0x6a, 0x91, 0x6e, 0xdc, 0xc6, 0x7c, 0xd4, 0xc6, 0x8d, 0x54, 0x2e, 0x9c,
+	0x21, 0x8d, 0x1e, 0xc0, 0x94, 0xab, 0x8d, 0x8f, 0x9f, 0x18, 0x68, 0x3f, 0x44, 0xef, 0x04, 0x24,
+	0x1c, 0xe6, 0x63, 0x5d, 0x33, 0x0e, 0x6c, 0x62, 0x9d, 0x90, 0x6e, 0xf6, 0x00, 0xef, 0x26, 0x38,
+	0x70, 0x8a, 0x14, 0xeb, 0x9a, 0x3b, 0x03, 0x13, 0x5d, 0x9b, 0x88, 0x76, 0x6d, 0x2f, 0x95, 0x0b,
+	0x67, 0x48, 0xb3, 0x79, 0xec, 0x9a, 0xbc, 0x76, 0xa2, 0xa8, 0x9a, 0x72, 0xa0, 0x91, 0x4a, 0x29,
+	0x3a, 0x8f, 0x77, 0xa2, 0x64, 0x1c, 0xe7, 0x47, 0x8f, 0x61, 0xde, 0x6d, 0xda, 0xd3, 0x15, 0x1f,
+	0xa4, 0xcc, 0x41, 0xbe, 0x26, 0x40, 0xe6, 0x77, 0xe2, 0x0c, 0x38, 0x29, 0x83, 0x3e, 0x86, 0x99,
+	0x8e, 0xa1, 0x69, 0x7c, 0x3e, 0xae, 0x1b, 0x8e, 0x4e, 0x2b, 0x93, 0x1c, 0x05, 0xb1, 0xf5, 0xb8,
+	0x1e, 0xa1, 0xe0, 0x18, 0xa7, 0xfc, 0xaf, 0x12, 0x2c, 0x65, 0xac, 0x69, 0xf4, 0x2d, 0x28, 0xd0,
+	0x81, 0xe9, 0x65, 0xeb, 0xdf, 0xf4, 0x12, 0x44, 0x7b, 0x60, 0x92, 0x97, 0x67, 0xd5, 0xd7, 0x33,
+	0xc4, 0x18, 0x19, 0x73, 0x41, 0xa4, 0xc3, 0xb4, 0xc5, 0xd4, 0xe9, 0x3d, 0x97, 0x45, 0x04, 0xaf,
+	0x07, 0x43, 0x62, 0x0c, 0x0e, 0xcb, 0x04, 0xc1, 0x78, 0xfe, 0xfc, 0xac, 0x3a, 0x1d, 0xa1, 0xe1,
+	0x28, 0xbc, 0xfc, 0x79, 0x0e, 0x60, 0x83, 0x98, 0x9a, 0x31, 0xe8, 0x13, 0xfd, 0x3a, 0x12, 0xee,
+	0x6e, 0x24, 0xe1, 0xbe, 0x3b, 0x2c, 0x76, 0xfa, 0xa6, 0x65, 0x66, 0xdc, 0xef, 0xc4, 0x32, 0x6e,
+	0x7d, 0x74, 0xc8, 0x8b, 0x53, 0xee, 0x7f, 0xe6, 0x61, 0x21, 0x60, 0x5e, 0x37, 0xf4, 0xae, 0xca,
+	0xd7, 0xc7, 0x27, 0x91, 0x31, 0xfe, 0x8d, 0xd8, 0x18, 0x2f, 0xa5, 0x88, 0x84, 0xc6, 0x77, 0xcb,
+	0xb7, 0x36, 0xc7, 0xc5, 0x3f, 0x88, 0x2a, 0x7f, 0x79, 0x56, 0x4d, 0xd9, 0xf3, 0xd4, 0x7c, 0xa4,
+	0xa8, 0x89, 0xe8, 0x2e, 0x4c, 0x58, 0x44, 0xb1, 0x0d, 0x9d, 0x07, 0x8a, 0xc9, 0xa0, 0x2b, 0x98,
+	0xb7, 0x62, 0x41, 0x45, 0x6f, 0x41, 0xa9, 0x4f, 0x6c, 0x5b, 0xe9, 0x11, 0x1e, 0x13, 0x26, 0x1b,
+	0xb3, 0x82, 0xb1, 0xb4, 0xed, 0x36, 0x63, 0x8f, 0x8e, 0x9e, 0xc3, 0x8c, 0xa6, 0xd8, 0x62, 0x82,
+	0xb6, 0xd5, 0x3e, 0xe1, 0xab, 0x7e, 0x6a, 0xf5, 0xed, 0xd1, 0xe6, 0x01, 0x93, 0x08, 0x32, 0xdb,
+	0x56, 0x04, 0x09, 0xc7, 0x90, 0xd1, 0x09, 0x20, 0xd6, 0xd2, 0xb6, 0x14, 0xdd, 0x76, 0x1d, 0xc5,
+	0xf4, 0x95, 0xc6, 0xd6, 0xe7, 0x47, 0xb8, 0xad, 0x04, 0x1a, 0x4e, 0xd1, 0x20, 0xff, 0x4c, 0x82,
+	0x99, 0x60, 0x98, 0xae, 0xa1, 0x9a, 0xda, 0x89, 0x56, 0x53, 0x6f, 0x8d, 0x3c, 0x45, 0x33, 0xca,
+	0xa9, 0xff, 0xc9, 0x01, 0x0a, 0x98, 0xd8, 0x02, 0x3f, 0x50, 0x3a, 0xc7, 0x23, 0xec, 0x15, 0x7e,
+	0x24, 0x01, 0x12, 0xe1, 0x79, 0x4d, 0xd7, 0x0d, 0xca, 0x23, 0xbe, 0x67, 0xd6, 0xe6, 0xc8, 0x66,
+	0x79, 0x1a, 0x6b, 0x7b, 0x09, 0xac, 0x87, 0x3a, 0xb5, 0x06, 0xc1, 0x88, 0x24, 0x19, 0x70, 0x8a,
+	0x01, 0x48, 0x01, 0xb0, 0x04, 0x66, 0xdb, 0x10, 0x0b, 0xf9, 0xdd, 0x11, 0x62, 0x1e, 0x13, 0x58,
+	0x37, 0xf4, 0x43, 0xb5, 0x17, 0x84, 0x1d, 0xec, 0x03, 0xe1, 0x10, 0xe8, 0xf2, 0x43, 0x58, 0xca,
+	0xb0, 0x16, 0xcd, 0x41, 0xfe, 0x98, 0x0c, 0x5c, 0xb7, 0x61, 0xf6, 0x13, 0xdd, 0x0a, 0xef, 0xa9,
+	0x26, 0xc5, 0x76, 0xe8, 0xe3, 0xdc, 0x47, 0x92, 0xfc, 0xd3, 0x62, 0x78, 0xee, 0xf0, 0x52, 0xf6,
+	0x1e, 0x94, 0x2d, 0x62, 0x6a, 0x6a, 0x47, 0xb1, 0x45, 0x85, 0xc2, 0xab, 0x52, 0x2c, 0xda, 0xb0,
+	0x4f, 0x8d, 0x14, 0xbd, 0xb9, 0xab, 0x2d, 0x7a, 0xf3, 0xaf, 0xa6, 0xe8, 0xfd, 0x03, 0x28, 0xdb,
+	0x5e, 0xb9, 0x5b, 0xe0, 0x90, 0xf7, 0xc7, 0x88, 0xaf, 0xa2, 0xd2, 0xf5, 0x15, 0xf8, 0x35, 0xae,
+	0x0f, 0x9a, 0x56, 0xdd, 0x16, 0xc7, 0xac, 0x6e, 0x5f, 0x69, 0x45, 0xca, 0x62, 0xaa, 0xa9, 0x38,
+	0x36, 0xe9, 0xf2, 0x40, 0x54, 0x0e, 0x62, 0x6a, 0x93, 0xb7, 0x62, 0x41, 0x45, 0xcf, 0x22, 0x53,
+	0xb6, 0x7c, 0x99, 0x29, 0x3b, 0x93, 0x3d, 0x5d, 0xd1, 0x1e, 0x2c, 0x99, 0x96, 0xd1, 0xb3, 0x88,
+	0x6d, 0x6f, 0x10, 0xa5, 0xab, 0xa9, 0x3a, 0xf1, 0xfc, 0xe3, 0x96, 0x2a, 0xaf, 0x9f, 0x9f, 0x55,
+	0x97, 0x9a, 0xe9, 0x2c, 0x38, 0x4b, 0x56, 0x7e, 0x51, 0x80, 0xb9, 0x78, 0x06, 0xcc, 0xa8, 0x1e,
+	0xa5, 0x4b, 0x55, 0x8f, 0xef, 0x84, 0x16, 0x83, 0x5b, 0x5a, 0xfb, 0xa3, 0x9f, 0xb2, 0x20, 0xd6,
+	0x60, 0x56, 0x44, 0x03, 0x8f, 0x28, 0xea, 0x67, 0x7f, 0xf4, 0xf7, 0xa2, 0x64, 0x1c, 0xe7, 0x67,
+	0x35, 0x61, 0x50, 0xea, 0x79, 0x20, 0x85, 0x68, 0x4d, 0xb8, 0x16, 0x67, 0xc0, 0x49, 0x19, 0xb4,
+	0x0d, 0x0b, 0x8e, 0x9e, 0x84, 0x72, 0x67, 0xe3, 0xeb, 0x02, 0x6a, 0x61, 0x2f, 0xc9, 0x82, 0xd3,
+	0xe4, 0xd0, 0x21, 0x40, 0xc7, 0x4b, 0xdb, 0x76, 0x65, 0x82, 0x47, 0xd8, 0xd5, 0x91, 0xd7, 0x8e,
+	0x9f, 0xf1, 0x83, 0xb8, 0xe6, 0x37, 0xd9, 0x38, 0x84, 0x8c, 0x3e, 0x81, 0x69, 0x8b, 0x6f, 0x08,
+	0x3c, 0x83, 0xdd, 0xa2, 0xfa, 0x35, 0x21, 0x36, 0x8d, 0xc3, 0x44, 0x1c, 0xe5, 0x4d, 0xa9, 0x83,
+	0xcb, 0x23, 0xd7, 0xc1, 0xff, 0x2c, 0x85, 0x93, 0x90, 0x5f, 0x02, 0x7f, 0x1c, 0x29, 0x8f, 0xee,
+	0xc6, 0xca, 0xa3, 0xc5, 0xa4, 0x44, 0xa8, 0x3a, 0x32, 0xd2, 0xab, 0xdf, 0x0f, 0xc7, 0xaa, 0x7e,
+	0x83, 0xe4, 0x39, 0xbc, 0xfc, 0xfd, 0xb1, 0x04, 0x8b, 0x8f, 0x5a, 0x8f, 0x2d, 0xc3, 0x31, 0x3d,
+	0x73, 0x76, 0x4d, 0xd7, 0xaf, 0xdf, 0x80, 0x82, 0xe5, 0x68, 0x5e, 0x3f, 0xde, 0xf4, 0xfa, 0x81,
+	0x1d, 0x8d, 0xf5, 0x63, 0x21, 0x26, 0xe5, 0x76, 0x82, 0x09, 0xa0, 0x1d, 0x98, 0xb0, 0x14, 0xbd,
+	0x47, 0xbc, 0xb4, 0x7a, 0x77, 0x88, 0xf5, 0x9b, 0x1b, 0x98, 0xb1, 0x87, 0x8a, 0x37, 0x2e, 0x8d,
+	0x05, 0x8a, 0xfc, 0x67, 0x12, 0xcc, 0x3e, 0x69, 0xb7, 0x9b, 0x9b, 0x3a, 0x5f, 0xd1, 0xfc, 0xf0,
+	0xf5, 0x0e, 0x14, 0x4c, 0x85, 0x1e, 0xc5, 0x33, 0x3d, 0xa3, 0x61, 0x4e, 0x41, 0xdf, 0x85, 0x12,
+	0x8b, 0x24, 0x44, 0xef, 0x8e, 0x58, 0x6a, 0x0b, 0xf8, 0x86, 0x2b, 0x14, 0x54, 0x88, 0xa2, 0x01,
+	0x7b, 0x70, 0xf2, 0x31, 0xdc, 0x0a, 0x99, 0xc3, 0xfc, 0xc1, 0xcf, 0x0c, 0x51, 0x0b, 0x8a, 0x4c,
+	0xb3, 0x77, 0x24, 0x38, 0xec, 0xe4, 0x2b, 0xd6, 0xa5, 0xa0, 0xd2, 0x61, 0x5f, 0x36, 0x76, 0xb1,
+	0xe4, 0x6d, 0x98, 0xe6, 0x27, 0xce, 0x86, 0x45, 0xb9, 0x5b, 0xd0, 0x6d, 0xc8, 0xf7, 0x55, 0x5d,
+	0xe4, 0xd9, 0x29, 0x21, 0x93, 0x67, 0x39, 0x82, 0xb5, 0x73, 0xb2, 0x72, 0x2a, 0x22, 0x4f, 0x40,
+	0x56, 0x4e, 0x31, 0x6b, 0x97, 0x1f, 0x43, 0x49, 0xb8, 0x3b, 0x0c, 0x94, 0xbf, 0x18, 0x28, 0x9f,
+	0x02, 0xb4, 0x0b, 0xa5, 0xcd, 0x66, 0x43, 0x33, 0xdc, 0xaa, 0xab, 0xa3, 0x76, 0xad, 0xf8, 0x58,
+	0xac, 0x6f, 0x6e, 0x60, 0xcc, 0x29, 0x48, 0x86, 0x09, 0x72, 0xda, 0x21, 0x26, 0xe5, 0x33, 0x62,
+	0xb2, 0x01, 0x6c, 0x94, 0x1f, 0xf2, 0x16, 0x2c, 0x28, 0xf2, 0x9f, 0xe7, 0xa0, 0x24, 0xdc, 0x71,
+	0x0d, 0xbb, 0xb0, 0xad, 0xc8, 0x2e, 0xec, 0xed, 0xd1, 0xa6, 0x46, 0xe6, 0x16, 0xac, 0x1d, 0xdb,
+	0x82, 0xbd, 0x33, 0x22, 0xde, 0xc5, 0xfb, 0xaf, 0x9f, 0x48, 0x30, 0x13, 0x9d, 0x94, 0xe8, 0x01,
+	0x4c, 0xb1, 0x84, 0xa3, 0x76, 0xc8, 0x4e, 0x50, 0xe7, 0xfa, 0xa7, 0x23, 0xad, 0x80, 0x84, 0xc3,
+	0x7c, 0xa8, 0xe7, 0x8b, 0xb1, 0x79, 0x24, 0x3a, 0x9d, 0xed, 0x52, 0x87, 0xaa, 0x5a, 0xcd, 0xbd,
+	0x38, 0xa9, 0x6d, 0xea, 0x74, 0xd7, 0x6a, 0x51, 0x4b, 0xd5, 0x7b, 0x09, 0x45, 0x7c, 0x52, 0x86,
+	0x91, 0xe5, 0x7f, 0x92, 0x60, 0x4a, 0x98, 0x7c, 0x0d, 0xbb, 0x8a, 0xdf, 0x8d, 0xee, 0x2a, 0xee,
+	0x8e, 0xb8, 0xc0, 0xd3, 0xb7, 0x14, 0x7f, 0x1b, 0x98, 0xce, 0x96, 0x34, 0x9b, 0xd5, 0x47, 0x86,
+	0x4d, 0xe3, 0xb3, 0x9a, 0x2d, 0x46, 0xcc, 0x29, 0xc8, 0x81, 0x39, 0x35, 0x16, 0x03, 0x84, 0x6b,
+	0xeb, 0xa3, 0x59, 0xe2, 0x8b, 0x35, 0x2a, 0x02, 0x7e, 0x2e, 0x4e, 0xc1, 0x09, 0x15, 0x32, 0x81,
+	0x04, 0x17, 0xfa, 0x14, 0x0a, 0x47, 0x94, 0x9a, 0x29, 0x07, 0xc9, 0x43, 0x22, 0x4f, 0x60, 0x42,
+	0x99, 0xf7, 0xae, 0xdd, 0x6e, 0x62, 0x0e, 0x25, 0xff, 0x6f, 0xe0, 0x8f, 0x96, 0x3b, 0xc7, 0xfd,
+	0x78, 0x2a, 0x5d, 0x26, 0x9e, 0x4e, 0xa5, 0xc5, 0x52, 0xf4, 0x04, 0xf2, 0x54, 0x1b, 0x75, 0x5b,
+	0x28, 0x10, 0xdb, 0x5b, 0xad, 0x20, 0x20, 0xb5, 0xb7, 0x5a, 0x98, 0x41, 0xa0, 0x5d, 0x28, 0xb2,
+	0xec, 0xc3, 0x96, 0x60, 0x7e, 0xf4, 0x25, 0xcd, 0xfa, 0x1f, 0x4c, 0x08, 0xf6, 0x65, 0x63, 0x17,
+	0x47, 0xfe, 0x3e, 0x4c, 0x47, 0xd6, 0x29, 0xfa, 0x0c, 0x6e, 0x6a, 0x86, 0xd2, 0x6d, 0x28, 0x9a,
+	0xa2, 0x77, 0x88, 0x77, 0x6a, 0x7f, 0x37, 0x6d, 0x87, 0xb1, 0x15, 0xe2, 0x13, 0xab, 0xdc, 0xbf,
+	0x7b, 0x0b, 0xd3, 0x70, 0x04, 0x51, 0x56, 0x00, 0x82, 0x3e, 0xa2, 0x2a, 0x14, 0xd9, 0x3c, 0x73,
+	0xf3, 0xc9, 0x64, 0x63, 0x92, 0x59, 0xc8, 0xa6, 0x9f, 0x8d, 0xdd, 0x76, 0xb4, 0x0a, 0x60, 0x93,
+	0x8e, 0x45, 0x28, 0x0f, 0x06, 0xb9, 0xe8, 0x0d, 0x64, 0xcb, 0xa7, 0xe0, 0x10, 0x97, 0xfc, 0x2f,
+	0x12, 0x4c, 0xef, 0x10, 0xfa, 0x03, 0xc3, 0x3a, 0x6e, 0xf2, 0xcb, 0xe2, 0x6b, 0x08, 0xb6, 0x38,
+	0x12, 0x6c, 0xdf, 0x1b, 0x32, 0x32, 0x11, 0xeb, 0xb2, 0x42, 0xae, 0xfc, 0x33, 0x09, 0x96, 0x22,
+	0x9c, 0x0f, 0x83, 0xa5, 0xbb, 0x07, 0x45, 0xd3, 0xb0, 0xa8, 0x97, 0x88, 0xc7, 0x52, 0xc8, 0xc2,
+	0x58, 0x28, 0x15, 0x33, 0x18, 0xec, 0xa2, 0xa1, 0x2d, 0xc8, 0x51, 0x43, 0x4c, 0xd5, 0xf1, 0x30,
+	0x09, 0xb1, 0x1a, 0x20, 0x30, 0x73, 0x6d, 0x03, 0xe7, 0xa8, 0xc1, 0x06, 0xa2, 0x12, 0xe1, 0x0a,
+	0x07, 0x9f, 0x2b, 0xea, 0x01, 0x86, 0xc2, 0xa1, 0x65, 0xf4, 0x2f, 0xdd, 0x07, 0x7f, 0x20, 0x1e,
+	0x59, 0x46, 0x1f, 0x73, 0x2c, 0xf9, 0xe7, 0x12, 0xcc, 0x47, 0x38, 0xaf, 0x21, 0xf0, 0x7f, 0x1a,
+	0x0d, 0xfc, 0xef, 0x8c, 0xd3, 0x91, 0x8c, 0xf0, 0xff, 0xf3, 0x5c, 0xac, 0x1b, 0xac, 0xc3, 0xe8,
+	0x10, 0xa6, 0x4c, 0xa3, 0xdb, 0x7a, 0x05, 0xf7, 0x74, 0xb3, 0x2c, 0x6f, 0x36, 0x03, 0x2c, 0x1c,
+	0x06, 0x46, 0xa7, 0x30, 0xaf, 0x2b, 0x7d, 0x62, 0x9b, 0x4a, 0x87, 0xb4, 0x5e, 0xc1, 0x01, 0xc9,
+	0x6b, 0xfc, 0x22, 0x20, 0x8e, 0x88, 0x93, 0x4a, 0xd0, 0x36, 0x94, 0x54, 0x93, 0xd7, 0x71, 0xa2,
+	0x76, 0x19, 0x9a, 0x45, 0xdd, 0xaa, 0xcf, 0x8d, 0xe7, 0xe2, 0x03, 0x7b, 0x18, 0xf2, 0xdf, 0xc5,
+	0x67, 0x03, 0x9b, 0x7f, 0xe8, 0x31, 0x94, 0xf9, 0xb3, 0x8b, 0x8e, 0xa1, 0x79, 0x37, 0x03, 0x6c,
+	0x64, 0x9b, 0xa2, 0xed, 0xe5, 0x59, 0xf5, 0xf5, 0x94, 0x43, 0x5f, 0x8f, 0x8c, 0x7d, 0x61, 0xb4,
+	0x03, 0x05, 0xf3, 0xab, 0x54, 0x30, 0x3c, 0xc9, 0xf1, 0xb2, 0x85, 0xe3, 0xc8, 0x7f, 0x9c, 0x8f,
+	0x99, 0xcb, 0x53, 0xdd, 0xf3, 0x57, 0x36, 0xea, 0x7e, 0xc5, 0x94, 0x39, 0xf2, 0x07, 0x50, 0x12,
+	0x19, 0x5e, 0x4c, 0xe6, 0x6f, 0x8c, 0x33, 0x99, 0xc3, 0x59, 0xcc, 0xdf, 0xb0, 0x78, 0x8d, 0x1e,
+	0x30, 0xfa, 0x1e, 0x4c, 0x10, 0x57, 0x85, 0x9b, 0x1b, 0x3f, 0x1c, 0x47, 0x45, 0x10, 0x57, 0x83,
+	0x42, 0x55, 0xb4, 0x09, 0x54, 0xf4, 0x2d, 0xe6, 0x2f, 0xc6, 0xcb, 0x36, 0x81, 0x76, 0xa5, 0xc0,
+	0xd3, 0xd5, 0x6d, 0xb7, 0xdb, 0x7e, 0xf3, 0xcb, 0xb3, 0x2a, 0x04, 0x9f, 0x38, 0x2c, 0x21, 0xff,
+	0x9b, 0x04, 0xf3, 0xdc, 0x43, 0x1d, 0xc7, 0x52, 0xe9, 0xe0, 0xda, 0x12, 0xd3, 0x7e, 0x24, 0x31,
+	0x7d, 0x30, 0xc4, 0x2d, 0x09, 0x0b, 0x33, 0x93, 0xd3, 0x2f, 0x24, 0x78, 0x2d, 0xc1, 0x7d, 0x0d,
+	0x71, 0x71, 0x2f, 0x1a, 0x17, 0xdf, 0x1b, 0xb7, 0x43, 0x19, 0xb1, 0xf1, 0xf3, 0x9b, 0x29, 0xdd,
+	0xe1, 0x2b, 0x65, 0x15, 0xc0, 0xb4, 0xd4, 0x13, 0x55, 0x23, 0x3d, 0x71, 0x3b, 0x5d, 0x0e, 0xbd,
+	0x81, 0xf2, 0x29, 0x38, 0xc4, 0x85, 0x6c, 0x58, 0xec, 0x92, 0x43, 0xc5, 0xd1, 0xe8, 0x5a, 0xb7,
+	0xbb, 0xae, 0x98, 0xca, 0x81, 0xaa, 0xa9, 0x54, 0x15, 0xc7, 0x05, 0x93, 0x8d, 0x4f, 0xdc, 0x5b,
+	0xe3, 0x34, 0x8e, 0x97, 0x67, 0xd5, 0xdb, 0x69, 0xb7, 0x43, 0x1e, 0xcb, 0x00, 0x67, 0x40, 0xa3,
+	0x01, 0x54, 0x2c, 0xf2, 0x7d, 0x47, 0xb5, 0x48, 0x77, 0xc3, 0x32, 0xcc, 0x88, 0xda, 0x3c, 0x57,
+	0xfb, 0xdb, 0xe7, 0x67, 0xd5, 0x0a, 0xce, 0xe0, 0x19, 0xae, 0x38, 0x13, 0x1e, 0x3d, 0x87, 0x05,
+	0xc5, 0x7d, 0x3a, 0x16, 0xd1, 0xea, 0xae, 0x92, 0x8f, 0xce, 0xcf, 0xaa, 0x0b, 0x6b, 0x49, 0xf2,
+	0x70, 0x85, 0x69, 0xa0, 0xa8, 0x0e, 0xa5, 0x13, 0x43, 0x73, 0xfa, 0xc4, 0xae, 0x14, 0x39, 0x3e,
+	0x4b, 0x04, 0xa5, 0x7d, 0xb7, 0xe9, 0xe5, 0x59, 0x75, 0xe2, 0x51, 0x8b, 0xaf, 0x3e, 0x8f, 0x8b,
+	0x6d, 0x28, 0x59, 0x2d, 0x29, 0x56, 0x3c, 0x3f, 0x31, 0x2e, 0x07, 0x51, 0xeb, 0x49, 0x40, 0xc2,
+	0x61, 0x3e, 0xf4, 0x0c, 0x26, 0x8f, 0xc4, 0xa9, 0x84, 0x5d, 0x29, 0x8d, 0x94, 0x84, 0x23, 0xa7,
+	0x18, 0x8d, 0x79, 0xa1, 0x62, 0xd2, 0x6b, 0xb6, 0x71, 0x80, 0x88, 0xde, 0x82, 0x12, 0xff, 0xd8,
+	0xdc, 0xe0, 0xc7, 0x71, 0xe5, 0x20, 0xb6, 0x3d, 0x71, 0x9b, 0xb1, 0x47, 0xf7, 0x58, 0x37, 0x9b,
+	0xeb, 0xfc, 0x58, 0x38, 0xc6, 0xba, 0xd9, 0x5c, 0xc7, 0x1e, 0x1d, 0x7d, 0x06, 0x25, 0x9b, 0x6c,
+	0xa9, 0xba, 0x73, 0x5a, 0x81, 0x91, 0x2e, 0x95, 0x5b, 0x0f, 0x39, 0x77, 0xec, 0x60, 0x2c, 0xd0,
+	0x20, 0xe8, 0xd8, 0x83, 0x45, 0x47, 0x30, 0x69, 0x39, 0xfa, 0x9a, 0xbd, 0x67, 0x13, 0xab, 0x32,
+	0xc5, 0x75, 0x0c, 0x0b, 0xe7, 0xd8, 0xe3, 0x8f, 0x6b, 0xf1, 0x3d, 0xe4, 0x73, 0xe0, 0x00, 0x1c,
+	0xfd, 0xa9, 0x04, 0xc8, 0x76, 0x4c, 0x53, 0x23, 0x7d, 0xa2, 0x53, 0x45, 0xe3, 0x67, 0x71, 0x76,
+	0xe5, 0x26, 0xd7, 0xf9, 0x3b, 0xc3, 0xfa, 0x95, 0x10, 0x8c, 0x2b, 0xf7, 0x0f, 0xbd, 0x93, 0xac,
+	0x38, 0x45, 0x2f, 0x73, 0xed, 0xa1, 0xcd, 0x7f, 0x57, 0xa6, 0x47, 0x72, 0x6d, 0xfa, 0x99, 0x63,
+	0xe0, 0x5a, 0x41, 0xc7, 0x1e, 0x2c, 0xda, 0x87, 0x45, 0x8b, 0x28, 0xdd, 0x5d, 0x5d, 0x1b, 0x60,
+	0xc3, 0xa0, 0x8f, 0x54, 0x8d, 0xd8, 0x03, 0x9b, 0x92, 0x7e, 0x65, 0x86, 0x0f, 0xbb, 0xff, 0x28,
+	0x03, 0xa7, 0x72, 0xe1, 0x0c, 0x69, 0xd4, 0x87, 0xaa, 0x17, 0x32, 0xd8, 0x7a, 0xf2, 0x63, 0xd6,
+	0x43, 0xbb, 0xa3, 0x68, 0xee, 0x3d, 0xc0, 0x2c, 0x57, 0xf0, 0xe6, 0xf9, 0x59, 0xb5, 0xba, 0x71,
+	0x31, 0x2b, 0x1e, 0x86, 0x85, 0xbe, 0x0b, 0x15, 0x25, 0x4b, 0xcf, 0x1c, 0xd7, 0xf3, 0x06, 0x8b,
+	0x43, 0x99, 0x0a, 0x32, 0xa5, 0x11, 0x85, 0x39, 0x25, 0xfa, 0x42, 0xd5, 0xae, 0xcc, 0x8f, 0x74,
+	0x10, 0x19, 0x7b, 0xd8, 0x1a, 0x1c, 0x46, 0xc4, 0x08, 0x36, 0x4e, 0x68, 0xe0, 0xcf, 0x27, 0xc4,
+	0x61, 0xfa, 0xf5, 0xbc, 0x57, 0x1c, 0xef, 0xf9, 0x44, 0x60, 0xda, 0x2b, 0x7b, 0x3e, 0x11, 0x82,
+	0xbc, 0xf8, 0xf8, 0xee, 0xbf, 0x73, 0xb0, 0x10, 0x30, 0x8f, 0xfc, 0x7c, 0x22, 0x45, 0xe4, 0xca,
+	0x9e, 0x4f, 0xa4, 0xbf, 0x3f, 0xc8, 0x5f, 0xf5, 0xfb, 0x83, 0x2b, 0x78, 0xb6, 0xc1, 0x9f, 0x34,
+	0x04, 0xae, 0xfb, 0xff, 0xf7, 0xa4, 0x21, 0xb0, 0x2d, 0xa3, 0xc8, 0xfa, 0x87, 0x5c, 0xb8, 0x03,
+	0xbf, 0xf6, 0xf7, 0xea, 0x5f, 0xfd, 0x51, 0xa7, 0xfc, 0x8b, 0x3c, 0xcc, 0xc5, 0x57, 0x63, 0xe4,
+	0xfa, 0x55, 0x1a, 0x7a, 0xfd, 0xda, 0x84, 0x5b, 0x87, 0x8e, 0xa6, 0x0d, 0xb8, 0x1b, 0x42, 0x77,
+	0xb0, 0xee, 0xf5, 0xc9, 0x1b, 0x42, 0xf2, 0xd6, 0xa3, 0x14, 0x1e, 0x9c, 0x2a, 0x99, 0x71, 0x95,
+	0x9c, 0xbf, 0xd4, 0x55, 0x72, 0xe2, 0x66, 0xb3, 0x30, 0xc6, 0xcd, 0x66, 0xea, 0xb5, 0x70, 0xf1,
+	0x12, 0xd7, 0xc2, 0x97, 0xb9, 0xc7, 0x4d, 0x09, 0x62, 0xc3, 0xee, 0x71, 0xe5, 0x37, 0x60, 0x59,
+	0x88, 0x51, 0x7e, 0xc5, 0xaa, 0x53, 0xcb, 0xd0, 0x34, 0x62, 0x6d, 0x38, 0xfd, 0xfe, 0x40, 0xfe,
+	0x26, 0xcc, 0x44, 0x1f, 0x0f, 0xb8, 0x23, 0xed, 0xbe, 0x5f, 0x10, 0x97, 0x58, 0xa1, 0x91, 0x76,
+	0xdb, 0xb1, 0xcf, 0x21, 0xff, 0x50, 0x82, 0xc5, 0xf4, 0x47, 0x82, 0x48, 0x83, 0x99, 0xbe, 0x72,
+	0x1a, 0x7e, 0x51, 0x29, 0x5d, 0xf2, 0x78, 0x81, 0xdf, 0x1a, 0x6f, 0x47, 0xb0, 0x70, 0x0c, 0x5b,
+	0xfe, 0x52, 0x82, 0xa5, 0x8c, 0xfb, 0xda, 0xeb, 0xb5, 0x04, 0x3d, 0x85, 0x72, 0x5f, 0x39, 0x6d,
+	0x39, 0x56, 0x8f, 0x5c, 0xfa, 0x40, 0x85, 0x47, 0x8c, 0x6d, 0x81, 0x82, 0x7d, 0x3c, 0xf9, 0xc7,
+	0x12, 0x54, 0xb2, 0x4a, 0x5b, 0xf4, 0x20, 0x72, 0xb3, 0xfc, 0xf5, 0xd8, 0xcd, 0xf2, 0x7c, 0x42,
+	0xee, 0x8a, 0xee, 0x95, 0xff, 0x5e, 0x82, 0xc5, 0xf4, 0x12, 0x1f, 0xbd, 0x1f, 0xb1, 0xb0, 0x1a,
+	0xb3, 0x70, 0x36, 0x26, 0x25, 0xec, 0xfb, 0x1e, 0xcc, 0x88, 0x8d, 0x80, 0x80, 0x11, 0x5e, 0x95,
+	0xd3, 0x62, 0xa5, 0x80, 0xf0, 0x0a, 0x5f, 0x3e, 0x5e, 0xd1, 0x36, 0x1c, 0x43, 0x93, 0xff, 0x24,
+	0x07, 0xc5, 0x56, 0x47, 0xd1, 0xc8, 0x35, 0x94, 0x59, 0xdf, 0x8e, 0x94, 0x59, 0xc3, 0xfe, 0xfd,
+	0xc0, 0xad, 0xca, 0xac, 0xb0, 0x70, 0xac, 0xc2, 0x7a, 0x7b, 0x24, 0xb4, 0x8b, 0x8b, 0xab, 0xdf,
+	0x82, 0x49, 0x5f, 0xe9, 0x78, 0x31, 0x5f, 0xfe, 0x9b, 0x1c, 0x4c, 0x85, 0x54, 0x8c, 0x99, 0x31,
+	0x0e, 0x23, 0x99, 0x76, 0x94, 0xff, 0x41, 0x85, 0x74, 0xd5, 0xbc, 0xdc, 0xea, 0x3e, 0x12, 0x0c,
+	0x9e, 0x85, 0x25, 0x53, 0xee, 0x37, 0x61, 0x86, 0xf2, 0xff, 0x09, 0xf9, 0xc7, 0x90, 0x79, 0x3e,
+	0x17, 0xfd, 0xa7, 0xa5, 0xed, 0x08, 0x15, 0xc7, 0xb8, 0x97, 0x3f, 0x81, 0xe9, 0x88, 0xb2, 0xb1,
+	0xde, 0xf8, 0xfd, 0xa3, 0x04, 0x5f, 0x1f, 0xba, 0x49, 0x44, 0x8d, 0xc8, 0x22, 0xa9, 0xc5, 0x16,
+	0xc9, 0x4a, 0x36, 0xc0, 0x15, 0xbe, 0x15, 0xf9, 0x61, 0x0e, 0x50, 0xfb, 0x48, 0xb5, 0xba, 0x4d,
+	0xc5, 0xa2, 0x03, 0x2c, 0xfe, 0xec, 0x75, 0x0d, 0x0b, 0xe6, 0x01, 0x4c, 0x75, 0x89, 0xdd, 0xb1,
+	0x54, 0xee, 0x1c, 0x51, 0x9d, 0xfb, 0x07, 0x29, 0x1b, 0x01, 0x09, 0x87, 0xf9, 0xd0, 0x77, 0xa0,
+	0x7c, 0xe2, 0xfe, 0x09, 0xd1, 0x3b, 0x9c, 0x1d, 0x56, 0x48, 0x06, 0x7f, 0x5b, 0x0c, 0xe6, 0x8f,
+	0x68, 0xb0, 0xb1, 0x0f, 0x26, 0x7f, 0x2e, 0xc1, 0x62, 0xd2, 0x11, 0x1b, 0xcc, 0xd4, 0xab, 0x77,
+	0xc6, 0x1b, 0x50, 0xe0, 0xe8, 0xcc, 0x0b, 0x37, 0xdd, 0x43, 0x77, 0xa6, 0x19, 0xf3, 0x56, 0xf9,
+	0x3f, 0x24, 0x58, 0x4e, 0x37, 0xed, 0x1a, 0xca, 0xf6, 0xa7, 0xd1, 0xb2, 0x7d, 0xd8, 0x39, 0x45,
+	0xba, 0x9d, 0x19, 0x25, 0xfc, 0xbf, 0xa7, 0xfa, 0xfc, 0x1a, 0x3a, 0xb5, 0x1f, 0xed, 0xd4, 0xfd,
+	0xb1, 0x3b, 0x95, 0xde, 0xa1, 0xc6, 0xbb, 0x2f, 0xbe, 0x58, 0xb9, 0xf1, 0xcb, 0x2f, 0x56, 0x6e,
+	0xfc, 0xea, 0x8b, 0x95, 0x1b, 0x7f, 0x74, 0xbe, 0x22, 0xbd, 0x38, 0x5f, 0x91, 0x7e, 0x79, 0xbe,
+	0x22, 0xfd, 0xea, 0x7c, 0x45, 0xfa, 0xaf, 0xf3, 0x15, 0xe9, 0x2f, 0xbe, 0x5c, 0xb9, 0xf1, 0xb4,
+	0x24, 0x70, 0xff, 0x2f, 0x00, 0x00, 0xff, 0xff, 0x55, 0xc4, 0x0b, 0x53, 0x44, 0x3d, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/extensions/v1beta1/generated.proto b/cli/vendor/k8s.io/api/extensions/v1beta1/generated.proto
new file mode 100644
index 00000000..3fb55337
--- /dev/null
+++ b/cli/vendor/k8s.io/api/extensions/v1beta1/generated.proto
@@ -0,0 +1,1124 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.extensions.v1beta1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/api/policy/v1beta1/generated.proto";
+import "k8s.io/apimachinery/pkg/api/resource/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// An APIVersion represents a single concrete version of an object model.
+message APIVersion {
+  // Name of this version (e.g. 'v1').
+  // +optional
+  optional string name = 1;
+}
+
+// defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+message AllowedHostPath {
+  // is the path prefix that the host volume must match.
+  // It does not support `*`.
+  // Trailing slashes are trimmed when validating the path prefix with a host path.
+  // 
+  // Examples:
+  // `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+  // `/foo` would not allow `/food` or `/etc/foo`
+  optional string pathPrefix = 1;
+}
+
+message CustomMetricCurrentStatus {
+  // Custom Metric name.
+  optional string name = 1;
+
+  // Custom Metric value (average).
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity value = 2;
+}
+
+message CustomMetricCurrentStatusList {
+  repeated CustomMetricCurrentStatus items = 1;
+}
+
+// Alpha-level support for Custom Metrics in HPA (as annotations).
+message CustomMetricTarget {
+  // Custom Metric name.
+  optional string name = 1;
+
+  // Custom Metric value (average).
+  optional k8s.io.apimachinery.pkg.api.resource.Quantity value = 2;
+}
+
+message CustomMetricTargetList {
+  repeated CustomMetricTarget items = 1;
+}
+
+// DEPRECATED - This group version of DaemonSet is deprecated by apps/v1beta2/DaemonSet. See the release notes for
+// more information.
+// DaemonSet represents the configuration of a daemon set.
+message DaemonSet {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // The desired behavior of this daemon set.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional DaemonSetSpec spec = 2;
+
+  // The current status of this daemon set. This data may be
+  // out of date by some window of time.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional DaemonSetStatus status = 3;
+}
+
+// DaemonSetList is a collection of daemon sets.
+message DaemonSetList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // A list of daemon sets.
+  repeated DaemonSet items = 2;
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+message DaemonSetSpec {
+  // A label query over pods that are managed by the daemon set.
+  // Must match in order to be controlled.
+  // If empty, defaulted to labels on Pod template.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 1;
+
+  // An object that describes the pod that will be created.
+  // The DaemonSet will create exactly one copy of this pod on every node
+  // that matches the template's node selector (or on every node if no node
+  // selector is specified).
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+  optional k8s.io.api.core.v1.PodTemplateSpec template = 2;
+
+  // An update strategy to replace existing DaemonSet pods with new pods.
+  // +optional
+  optional DaemonSetUpdateStrategy updateStrategy = 3;
+
+  // The minimum number of seconds for which a newly created DaemonSet pod should
+  // be ready without any of its container crashing, for it to be considered
+  // available. Defaults to 0 (pod will be considered available as soon as it
+  // is ready).
+  // +optional
+  optional int32 minReadySeconds = 4;
+
+  // DEPRECATED.
+  // A sequence number representing a specific generation of the template.
+  // Populated by the system. It can be set only during the creation.
+  // +optional
+  optional int64 templateGeneration = 5;
+
+  // The number of old history to retain to allow rollback.
+  // This is a pointer to distinguish between explicit zero and not specified.
+  // Defaults to 10.
+  // +optional
+  optional int32 revisionHistoryLimit = 6;
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+message DaemonSetStatus {
+  // The number of nodes that are running at least 1
+  // daemon pod and are supposed to run the daemon pod.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+  optional int32 currentNumberScheduled = 1;
+
+  // The number of nodes that are running the daemon pod, but are
+  // not supposed to run the daemon pod.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+  optional int32 numberMisscheduled = 2;
+
+  // The total number of nodes that should be running the daemon
+  // pod (including nodes correctly running the daemon pod).
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+  optional int32 desiredNumberScheduled = 3;
+
+  // The number of nodes that should be running the daemon pod and have one
+  // or more of the daemon pod running and ready.
+  optional int32 numberReady = 4;
+
+  // The most recent generation observed by the daemon set controller.
+  // +optional
+  optional int64 observedGeneration = 5;
+
+  // The total number of nodes that are running updated daemon pod
+  // +optional
+  optional int32 updatedNumberScheduled = 6;
+
+  // The number of nodes that should be running the
+  // daemon pod and have one or more of the daemon pod running and
+  // available (ready for at least spec.minReadySeconds)
+  // +optional
+  optional int32 numberAvailable = 7;
+
+  // The number of nodes that should be running the
+  // daemon pod and have none of the daemon pod running and available
+  // (ready for at least spec.minReadySeconds)
+  // +optional
+  optional int32 numberUnavailable = 8;
+
+  // Count of hash collisions for the DaemonSet. The DaemonSet controller
+  // uses this field as a collision avoidance mechanism when it needs to
+  // create the name for the newest ControllerRevision.
+  // +optional
+  optional int32 collisionCount = 9;
+}
+
+message DaemonSetUpdateStrategy {
+  // Type of daemon set update. Can be "RollingUpdate" or "OnDelete".
+  // Default is OnDelete.
+  // +optional
+  optional string type = 1;
+
+  // Rolling update config params. Present only if type = "RollingUpdate".
+  // ---
+  // TODO: Update this to follow our convention for oneOf, whatever we decide it
+  // to be. Same as Deployment `strategy.rollingUpdate`.
+  // See https://github.com/kubernetes/kubernetes/issues/35345
+  // +optional
+  optional RollingUpdateDaemonSet rollingUpdate = 2;
+}
+
+// DEPRECATED - This group version of Deployment is deprecated by apps/v1beta2/Deployment. See the release notes for
+// more information.
+// Deployment enables declarative updates for Pods and ReplicaSets.
+message Deployment {
+  // Standard object metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of the Deployment.
+  // +optional
+  optional DeploymentSpec spec = 2;
+
+  // Most recently observed status of the Deployment.
+  // +optional
+  optional DeploymentStatus status = 3;
+}
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+message DeploymentCondition {
+  // Type of deployment condition.
+  optional string type = 1;
+
+  // Status of the condition, one of True, False, Unknown.
+  optional string status = 2;
+
+  // The last time this condition was updated.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastUpdateTime = 6;
+
+  // Last time the condition transitioned from one status to another.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 7;
+
+  // The reason for the condition's last transition.
+  optional string reason = 4;
+
+  // A human readable message indicating details about the transition.
+  optional string message = 5;
+}
+
+// DeploymentList is a list of Deployments.
+message DeploymentList {
+  // Standard list metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of Deployments.
+  repeated Deployment items = 2;
+}
+
+// DEPRECATED.
+// DeploymentRollback stores the information required to rollback a deployment.
+message DeploymentRollback {
+  // Required: This must match the Name of a deployment.
+  optional string name = 1;
+
+  // The annotations to be updated to a deployment
+  // +optional
+  map<string, string> updatedAnnotations = 2;
+
+  // The config of this deployment rollback.
+  optional RollbackConfig rollbackTo = 3;
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+message DeploymentSpec {
+  // Number of desired pods. This is a pointer to distinguish between explicit
+  // zero and not specified. Defaults to 1.
+  // +optional
+  optional int32 replicas = 1;
+
+  // Label selector for pods. Existing ReplicaSets whose pods are
+  // selected by this will be the ones affected by this deployment.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
+
+  // Template describes the pods that will be created.
+  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
+
+  // The deployment strategy to use to replace existing pods with new ones.
+  // +optional
+  // +patchStrategy=retainKeys
+  optional DeploymentStrategy strategy = 4;
+
+  // Minimum number of seconds for which a newly created pod should be ready
+  // without any of its container crashing, for it to be considered available.
+  // Defaults to 0 (pod will be considered available as soon as it is ready)
+  // +optional
+  optional int32 minReadySeconds = 5;
+
+  // The number of old ReplicaSets to retain to allow rollback.
+  // This is a pointer to distinguish between explicit zero and not specified.
+  // +optional
+  optional int32 revisionHistoryLimit = 6;
+
+  // Indicates that the deployment is paused and will not be processed by the
+  // deployment controller.
+  // +optional
+  optional bool paused = 7;
+
+  // DEPRECATED.
+  // The config this deployment is rolling back to. Will be cleared after rollback is done.
+  // +optional
+  optional RollbackConfig rollbackTo = 8;
+
+  // The maximum time in seconds for a deployment to make progress before it
+  // is considered to be failed. The deployment controller will continue to
+  // process failed deployments and a condition with a ProgressDeadlineExceeded
+  // reason will be surfaced in the deployment status. Note that progress will
+  // not be estimated during the time a deployment is paused. This is not set
+  // by default.
+  // +optional
+  optional int32 progressDeadlineSeconds = 9;
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+message DeploymentStatus {
+  // The generation observed by the deployment controller.
+  // +optional
+  optional int64 observedGeneration = 1;
+
+  // Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+  // +optional
+  optional int32 replicas = 2;
+
+  // Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+  // +optional
+  optional int32 updatedReplicas = 3;
+
+  // Total number of ready pods targeted by this deployment.
+  // +optional
+  optional int32 readyReplicas = 7;
+
+  // Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+  // +optional
+  optional int32 availableReplicas = 4;
+
+  // Total number of unavailable pods targeted by this deployment. This is the total number of
+  // pods that are still required for the deployment to have 100% available capacity. They may
+  // either be pods that are running but not yet available or pods that still have not been created.
+  // +optional
+  optional int32 unavailableReplicas = 5;
+
+  // Represents the latest available observations of a deployment's current state.
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated DeploymentCondition conditions = 6;
+
+  // Count of hash collisions for the Deployment. The Deployment controller uses this
+  // field as a collision avoidance mechanism when it needs to create the name for the
+  // newest ReplicaSet.
+  // +optional
+  optional int32 collisionCount = 8;
+}
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+message DeploymentStrategy {
+  // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+  // +optional
+  optional string type = 1;
+
+  // Rolling update config params. Present only if DeploymentStrategyType =
+  // RollingUpdate.
+  // ---
+  // TODO: Update this to follow our convention for oneOf, whatever we decide it
+  // to be.
+  // +optional
+  optional RollingUpdateDeployment rollingUpdate = 2;
+}
+
+// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
+message FSGroupStrategyOptions {
+  // Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
+  // +optional
+  optional string rule = 1;
+
+  // Ranges are the allowed ranges of fs groups.  If you would like to force a single
+  // fs group then supply a single range with the same start and end.
+  // +optional
+  repeated IDRange ranges = 2;
+}
+
+// HTTPIngressPath associates a path regex with a backend. Incoming urls matching
+// the path are forwarded to the backend.
+message HTTPIngressPath {
+  // Path is an extended POSIX regex as defined by IEEE Std 1003.1,
+  // (i.e this follows the egrep/unix syntax, not the perl syntax)
+  // matched against the path of an incoming request. Currently it can
+  // contain characters disallowed from the conventional "path"
+  // part of a URL as defined by RFC 3986. Paths must begin with
+  // a '/'. If unspecified, the path defaults to a catch all sending
+  // traffic to the backend.
+  // +optional
+  optional string path = 1;
+
+  // Backend defines the referenced service endpoint to which the traffic
+  // will be forwarded to.
+  optional IngressBackend backend = 2;
+}
+
+// HTTPIngressRuleValue is a list of http selectors pointing to backends.
+// In the example: http://<host>/<path>?<searchpart> -> backend where
+// where parts of the url correspond to RFC 3986, this resource will be used
+// to match against everything after the last '/' and before the first '?'
+// or '#'.
+message HTTPIngressRuleValue {
+  // A collection of paths that map requests to backends.
+  repeated HTTPIngressPath paths = 1;
+}
+
+// Host Port Range defines a range of host ports that will be enabled by a policy
+// for pods to use.  It requires both the start and end to be defined.
+message HostPortRange {
+  // min is the start of the range, inclusive.
+  optional int32 min = 1;
+
+  // max is the end of the range, inclusive.
+  optional int32 max = 2;
+}
+
+// ID Range provides a min/max of an allowed range of IDs.
+message IDRange {
+  // Min is the start of the range, inclusive.
+  optional int64 min = 1;
+
+  // Max is the end of the range, inclusive.
+  optional int64 max = 2;
+}
+
+// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to the pods
+// matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should
+// not be included within this rule.
+message IPBlock {
+  // CIDR is a string representing the IP Block
+  // Valid examples are "192.168.1.1/24"
+  optional string cidr = 1;
+
+  // Except is a slice of CIDRs that should not be included within an IP Block
+  // Valid examples are "192.168.1.1/24"
+  // Except values will be rejected if they are outside the CIDR range
+  // +optional
+  repeated string except = 2;
+}
+
+// Ingress is a collection of rules that allow inbound connections to reach the
+// endpoints defined by a backend. An Ingress can be configured to give services
+// externally-reachable urls, load balance traffic, terminate SSL, offer name
+// based virtual hosting etc.
+message Ingress {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec is the desired state of the Ingress.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional IngressSpec spec = 2;
+
+  // Status is the current state of the Ingress.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional IngressStatus status = 3;
+}
+
+// IngressBackend describes all endpoints for a given service and port.
+message IngressBackend {
+  // Specifies the name of the referenced service.
+  optional string serviceName = 1;
+
+  // Specifies the port of the referenced service.
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString servicePort = 2;
+}
+
+// IngressList is a collection of Ingress.
+message IngressList {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of Ingress.
+  repeated Ingress items = 2;
+}
+
+// IngressRule represents the rules mapping the paths under a specified host to
+// the related backend services. Incoming requests are first evaluated for a host
+// match, then routed to the backend associated with the matching IngressRuleValue.
+message IngressRule {
+  // Host is the fully qualified domain name of a network host, as defined
+  // by RFC 3986. Note the following deviations from the "host" part of the
+  // URI as defined in the RFC:
+  // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the
+  // 	  IP in the Spec of the parent Ingress.
+  // 2. The `:` delimiter is not respected because ports are not allowed.
+  // 	  Currently the port of an Ingress is implicitly :80 for http and
+  // 	  :443 for https.
+  // Both these may change in the future.
+  // Incoming requests are matched against the host before the IngressRuleValue.
+  // If the host is unspecified, the Ingress routes all traffic based on the
+  // specified IngressRuleValue.
+  // +optional
+  optional string host = 1;
+
+  // IngressRuleValue represents a rule to route requests for this IngressRule.
+  // If unspecified, the rule defaults to a http catch-all. Whether that sends
+  // just traffic matching the host to the default backend or all traffic to the
+  // default backend, is left to the controller fulfilling the Ingress. Http is
+  // currently the only supported IngressRuleValue.
+  // +optional
+  optional IngressRuleValue ingressRuleValue = 2;
+}
+
+// IngressRuleValue represents a rule to apply against incoming requests. If the
+// rule is satisfied, the request is routed to the specified backend. Currently
+// mixing different types of rules in a single Ingress is disallowed, so exactly
+// one of the following must be set.
+message IngressRuleValue {
+  // +optional
+  optional HTTPIngressRuleValue http = 1;
+}
+
+// IngressSpec describes the Ingress the user wishes to exist.
+message IngressSpec {
+  // A default backend capable of servicing requests that don't match any
+  // rule. At least one of 'backend' or 'rules' must be specified. This field
+  // is optional to allow the loadbalancer controller or defaulting logic to
+  // specify a global default.
+  // +optional
+  optional IngressBackend backend = 1;
+
+  // TLS configuration. Currently the Ingress only supports a single TLS
+  // port, 443. If multiple members of this list specify different hosts, they
+  // will be multiplexed on the same port according to the hostname specified
+  // through the SNI TLS extension, if the ingress controller fulfilling the
+  // ingress supports SNI.
+  // +optional
+  repeated IngressTLS tls = 2;
+
+  // A list of host rules used to configure the Ingress. If unspecified, or
+  // no rule matches, all traffic is sent to the default backend.
+  // +optional
+  repeated IngressRule rules = 3;
+}
+
+// IngressStatus describe the current state of the Ingress.
+message IngressStatus {
+  // LoadBalancer contains the current status of the load-balancer.
+  // +optional
+  optional k8s.io.api.core.v1.LoadBalancerStatus loadBalancer = 1;
+}
+
+// IngressTLS describes the transport layer security associated with an Ingress.
+message IngressTLS {
+  // Hosts are a list of hosts included in the TLS certificate. The values in
+  // this list must match the name/s used in the tlsSecret. Defaults to the
+  // wildcard host setting for the loadbalancer controller fulfilling this
+  // Ingress, if left unspecified.
+  // +optional
+  repeated string hosts = 1;
+
+  // SecretName is the name of the secret used to terminate SSL traffic on 443.
+  // Field is left optional to allow SSL routing based on SNI hostname alone.
+  // If the SNI host in a listener conflicts with the "Host" header field used
+  // by an IngressRule, the SNI host is used for termination and value of the
+  // Host header is used for routing.
+  // +optional
+  optional string secretName = 2;
+}
+
+// NetworkPolicy describes what network traffic is allowed for a set of Pods
+message NetworkPolicy {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior for this NetworkPolicy.
+  // +optional
+  optional NetworkPolicySpec spec = 2;
+}
+
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+message NetworkPolicyEgressRule {
+  // List of destination ports for outgoing traffic.
+  // Each item in this list is combined using a logical OR. If this field is
+  // empty or missing, this rule matches all ports (traffic not restricted by port).
+  // If this field is present and contains at least one item, then this rule allows
+  // traffic only if the traffic matches at least one port in the list.
+  // +optional
+  repeated NetworkPolicyPort ports = 1;
+
+  // List of destinations for outgoing traffic of pods selected for this rule.
+  // Items in this list are combined using a logical OR operation. If this field is
+  // empty or missing, this rule matches all destinations (traffic not restricted by
+  // destination). If this field is present and contains at least one item, this rule
+  // allows traffic only if the traffic matches at least one item in the to list.
+  // +optional
+  repeated NetworkPolicyPeer to = 2;
+}
+
+// This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.
+message NetworkPolicyIngressRule {
+  // List of ports which should be made accessible on the pods selected for this rule.
+  // Each item in this list is combined using a logical OR.
+  // If this field is empty or missing, this rule matches all ports (traffic not restricted by port).
+  // If this field is present and contains at least one item, then this rule allows traffic
+  // only if the traffic matches at least one port in the list.
+  // +optional
+  repeated NetworkPolicyPort ports = 1;
+
+  // List of sources which should be able to access the pods selected for this rule.
+  // Items in this list are combined using a logical OR operation.
+  // If this field is empty or missing, this rule matches all sources (traffic not restricted by source).
+  // If this field is present and contains at least on item, this rule allows traffic only if the
+  // traffic matches at least one item in the from list.
+  // +optional
+  repeated NetworkPolicyPeer from = 2;
+}
+
+// Network Policy List is a list of NetworkPolicy objects.
+message NetworkPolicyList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of schema objects.
+  repeated NetworkPolicy items = 2;
+}
+
+message NetworkPolicyPeer {
+  // This is a label selector which selects Pods in this namespace.
+  // This field follows standard label selector semantics.
+  // If present but empty, this selector selects all pods in this namespace.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector podSelector = 1;
+
+  // Selects Namespaces using cluster scoped-labels.  This
+  // matches all pods in all namespaces selected by this label selector.
+  // This field follows standard label selector semantics.
+  // If present but empty, this selector selects all namespaces.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 2;
+
+  // IPBlock defines policy on a particular IPBlock
+  // +optional
+  optional IPBlock ipBlock = 3;
+}
+
+message NetworkPolicyPort {
+  // Optional.  The protocol (TCP or UDP) which traffic must match.
+  // If not specified, this field defaults to TCP.
+  // +optional
+  optional string protocol = 1;
+
+  // If specified, the port on the given protocol.  This can
+  // either be a numerical or named port on a pod.  If this field is not provided,
+  // this matches all port names and numbers.
+  // If present, only traffic on the specified protocol AND port
+  // will be matched.
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString port = 2;
+}
+
+message NetworkPolicySpec {
+  // Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules
+  // is applied to any pods selected by this field. Multiple network policies can select the
+  // same set of pods.  In this case, the ingress rules for each are combined additively.
+  // This field is NOT optional and follows standard label selector semantics.
+  // An empty podSelector matches all pods in this namespace.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector podSelector = 1;
+
+  // List of ingress rules to be applied to the selected pods.
+  // Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
+  // OR if the traffic source is the pod's local node,
+  // OR if the traffic matches at least one ingress rule across all of the NetworkPolicy
+  // objects whose podSelector matches the pod.
+  // If this field is empty then this NetworkPolicy does not allow any traffic
+  // (and serves solely to ensure that the pods it selects are isolated by default).
+  // +optional
+  repeated NetworkPolicyIngressRule ingress = 2;
+
+  // List of egress rules to be applied to the selected pods. Outgoing traffic is
+  // allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+  // otherwise allows the traffic), OR if the traffic matches at least one egress rule
+  // across all of the NetworkPolicy objects whose podSelector matches the pod. If
+  // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+  // solely to ensure that the pods it selects are isolated by default).
+  // This field is beta-level in 1.8
+  // +optional
+  repeated NetworkPolicyEgressRule egress = 3;
+
+  // List of rule types that the NetworkPolicy relates to.
+  // Valid options are Ingress, Egress, or Ingress,Egress.
+  // If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+  // policies that contain an Egress section are assumed to affect Egress, and all policies
+  // (whether or not they contain an Ingress section) are assumed to affect Ingress.
+  // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+  // Likewise, if you want to write a policy that specifies that no egress is allowed,
+  // you must specify a policyTypes value that include "Egress" (since such a policy would not include
+  // an Egress section and would otherwise default to just [ "Ingress" ]).
+  // This field is beta-level in 1.8
+  // +optional
+  repeated string policyTypes = 4;
+}
+
+// Pod Security Policy governs the ability to make requests that affect the Security Context
+// that will be applied to a pod and container.
+message PodSecurityPolicy {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // spec defines the policy enforced.
+  // +optional
+  optional PodSecurityPolicySpec spec = 2;
+}
+
+// Pod Security Policy List is a list of PodSecurityPolicy objects.
+message PodSecurityPolicyList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of schema objects.
+  repeated PodSecurityPolicy items = 2;
+}
+
+// Pod Security Policy Spec defines the policy enforced.
+message PodSecurityPolicySpec {
+  // privileged determines if a pod can request to be run as privileged.
+  // +optional
+  optional bool privileged = 1;
+
+  // DefaultAddCapabilities is the default set of capabilities that will be added to the container
+  // unless the pod spec specifically drops the capability.  You may not list a capabiility in both
+  // DefaultAddCapabilities and RequiredDropCapabilities.
+  // +optional
+  repeated string defaultAddCapabilities = 2;
+
+  // RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
+  // are required to be dropped and cannot be added.
+  // +optional
+  repeated string requiredDropCapabilities = 3;
+
+  // AllowedCapabilities is a list of capabilities that can be requested to add to the container.
+  // Capabilities in this field may be added at the pod author's discretion.
+  // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
+  // +optional
+  repeated string allowedCapabilities = 4;
+
+  // volumes is a white list of allowed volume plugins.  Empty indicates that all plugins
+  // may be used.
+  // +optional
+  repeated string volumes = 5;
+
+  // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
+  // +optional
+  optional bool hostNetwork = 6;
+
+  // hostPorts determines which host port ranges are allowed to be exposed.
+  // +optional
+  repeated HostPortRange hostPorts = 7;
+
+  // hostPID determines if the policy allows the use of HostPID in the pod spec.
+  // +optional
+  optional bool hostPID = 8;
+
+  // hostIPC determines if the policy allows the use of HostIPC in the pod spec.
+  // +optional
+  optional bool hostIPC = 9;
+
+  // seLinux is the strategy that will dictate the allowable labels that may be set.
+  optional SELinuxStrategyOptions seLinux = 10;
+
+  // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
+  optional RunAsUserStrategyOptions runAsUser = 11;
+
+  // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+  optional SupplementalGroupsStrategyOptions supplementalGroups = 12;
+
+  // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+  optional FSGroupStrategyOptions fsGroup = 13;
+
+  // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
+  // system.  If the container specifically requests to run with a non-read only root file system
+  // the PSP should deny the pod.
+  // If set to false the container may run with a read only root file system if it wishes but it
+  // will not be forced to.
+  // +optional
+  optional bool readOnlyRootFilesystem = 14;
+
+  // DefaultAllowPrivilegeEscalation controls the default setting for whether a
+  // process can gain more privileges than its parent process.
+  // +optional
+  optional bool defaultAllowPrivilegeEscalation = 15;
+
+  // AllowPrivilegeEscalation determines if a pod can request to allow
+  // privilege escalation. If unspecified, defaults to true.
+  // +optional
+  optional bool allowPrivilegeEscalation = 16;
+
+  // is a white list of allowed host paths. Empty indicates that all host paths may be used.
+  // +optional
+  repeated AllowedHostPath allowedHostPaths = 17;
+}
+
+// DEPRECATED - This group version of ReplicaSet is deprecated by apps/v1beta2/ReplicaSet. See the release notes for
+// more information.
+// ReplicaSet represents the configuration of a ReplicaSet.
+message ReplicaSet {
+  // If the Labels of a ReplicaSet are empty, they are defaulted to
+  // be the same as the Pod(s) that the ReplicaSet manages.
+  // Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec defines the specification of the desired behavior of the ReplicaSet.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional ReplicaSetSpec spec = 2;
+
+  // Status is the most recently observed status of the ReplicaSet.
+  // This data may be out of date by some window of time.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional ReplicaSetStatus status = 3;
+}
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+message ReplicaSetCondition {
+  // Type of replica set condition.
+  optional string type = 1;
+
+  // Status of the condition, one of True, False, Unknown.
+  optional string status = 2;
+
+  // The last time the condition transitioned from one status to another.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
+
+  // The reason for the condition's last transition.
+  // +optional
+  optional string reason = 4;
+
+  // A human readable message indicating details about the transition.
+  // +optional
+  optional string message = 5;
+}
+
+// ReplicaSetList is a collection of ReplicaSets.
+message ReplicaSetList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of ReplicaSets.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+  repeated ReplicaSet items = 2;
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+message ReplicaSetSpec {
+  // Replicas is the number of desired replicas.
+  // This is a pointer to distinguish between explicit zero and unspecified.
+  // Defaults to 1.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+  // +optional
+  optional int32 replicas = 1;
+
+  // Minimum number of seconds for which a newly created pod should be ready
+  // without any of its container crashing, for it to be considered available.
+  // Defaults to 0 (pod will be considered available as soon as it is ready)
+  // +optional
+  optional int32 minReadySeconds = 4;
+
+  // Selector is a label query over pods that should match the replica count.
+  // If the selector is empty, it is defaulted to the labels present on the pod template.
+  // Label keys and values that must match in order to be controlled by this replica set.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
+
+  // Template is the object that describes the pod that will be created if
+  // insufficient replicas are detected.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+  // +optional
+  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+message ReplicaSetStatus {
+  // Replicas is the most recently oberved number of replicas.
+  // More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+  optional int32 replicas = 1;
+
+  // The number of pods that have labels matching the labels of the pod template of the replicaset.
+  // +optional
+  optional int32 fullyLabeledReplicas = 2;
+
+  // The number of ready replicas for this replica set.
+  // +optional
+  optional int32 readyReplicas = 4;
+
+  // The number of available replicas (ready for at least minReadySeconds) for this replica set.
+  // +optional
+  optional int32 availableReplicas = 5;
+
+  // ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+  // +optional
+  optional int64 observedGeneration = 3;
+
+  // Represents the latest available observations of a replica set's current state.
+  // +optional
+  // +patchMergeKey=type
+  // +patchStrategy=merge
+  repeated ReplicaSetCondition conditions = 6;
+}
+
+// Dummy definition
+message ReplicationControllerDummy {
+}
+
+// DEPRECATED.
+message RollbackConfig {
+  // The revision to rollback to. If set to 0, rollback to the last revision.
+  // +optional
+  optional int64 revision = 1;
+}
+
+// Spec to control the desired behavior of daemon set rolling update.
+message RollingUpdateDaemonSet {
+  // The maximum number of DaemonSet pods that can be unavailable during the
+  // update. Value can be an absolute number (ex: 5) or a percentage of total
+  // number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+  // number is calculated from percentage by rounding up.
+  // This cannot be 0.
+  // Default value is 1.
+  // Example: when this is set to 30%, at most 30% of the total number of nodes
+  // that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+  // can have their pods stopped for an update at any given
+  // time. The update starts by stopping at most 30% of those DaemonSet pods
+  // and then brings up new DaemonSet pods in their place. Once the new pods
+  // are available, it then proceeds onto other DaemonSet pods, thus ensuring
+  // that at least 70% of original number of DaemonSet pods are available at
+  // all times during the update.
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 1;
+}
+
+// Spec to control the desired behavior of rolling update.
+message RollingUpdateDeployment {
+  // The maximum number of pods that can be unavailable during the update.
+  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+  // Absolute number is calculated from percentage by rounding down.
+  // This can not be 0 if MaxSurge is 0.
+  // By default, a fixed value of 1 is used.
+  // Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods
+  // immediately when the rolling update starts. Once new pods are ready, old RC
+  // can be scaled down further, followed by scaling up the new RC, ensuring
+  // that the total number of pods available at all times during the update is at
+  // least 70% of desired pods.
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 1;
+
+  // The maximum number of pods that can be scheduled above the desired number of
+  // pods.
+  // Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+  // This can not be 0 if MaxUnavailable is 0.
+  // Absolute number is calculated from percentage by rounding up.
+  // By default, a value of 1 is used.
+  // Example: when this is set to 30%, the new RC can be scaled up immediately when
+  // the rolling update starts, such that the total number of old and new pods do not exceed
+  // 130% of desired pods. Once old pods have been killed,
+  // new RC can be scaled up further, ensuring that total number of pods running
+  // at any time during the update is atmost 130% of desired pods.
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxSurge = 2;
+}
+
+// Run A sUser Strategy Options defines the strategy type and any options used to create the strategy.
+message RunAsUserStrategyOptions {
+  // Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
+  optional string rule = 1;
+
+  // Ranges are the allowed ranges of uids that may be used.
+  // +optional
+  repeated IDRange ranges = 2;
+}
+
+// SELinux  Strategy Options defines the strategy type and any options used to create the strategy.
+message SELinuxStrategyOptions {
+  // type is the strategy that will dictate the allowable labels that may be set.
+  optional string rule = 1;
+
+  // seLinuxOptions required to run as; required for MustRunAs
+  // More info: https://git.k8s.io/community/contributors/design-proposals/security_context.md
+  // +optional
+  optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2;
+}
+
+// represents a scaling request for a resource.
+message Scale {
+  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+  // +optional
+  optional ScaleSpec spec = 2;
+
+  // current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.
+  // +optional
+  optional ScaleStatus status = 3;
+}
+
+// describes the attributes of a scale subresource
+message ScaleSpec {
+  // desired number of instances for the scaled object.
+  // +optional
+  optional int32 replicas = 1;
+}
+
+// represents the current status of a scale subresource.
+message ScaleStatus {
+  // actual number of observed instances of the scaled object.
+  optional int32 replicas = 1;
+
+  // label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors
+  // +optional
+  map<string, string> selector = 2;
+
+  // label selector for pods that should match the replicas count. This is a serializated
+  // version of both map-based and more expressive set-based selectors. This is done to
+  // avoid introspection in the clients. The string will be in the same format as the
+  // query-param syntax. If the target type only supports map-based selectors, both this
+  // field and map-based selector field are populated.
+  // More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+  // +optional
+  optional string targetSelector = 3;
+}
+
+// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
+message SupplementalGroupsStrategyOptions {
+  // Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
+  // +optional
+  optional string rule = 1;
+
+  // Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
+  // supplemental group then supply a single range with the same start and end.
+  // +optional
+  repeated IDRange ranges = 2;
+}
+
+// A ThirdPartyResource is a generic representation of a resource, it is used by add-ons and plugins to add new resource
+// types to the API.  It consists of one or more Versions of the api.
+message ThirdPartyResource {
+  // Standard object metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Description is the description of this object.
+  // +optional
+  optional string description = 2;
+
+  // Versions are versions for this third party object
+  // +optional
+  repeated APIVersion versions = 3;
+}
+
+// An internal object, used for versioned storage in etcd.  Not exposed to the end user.
+message ThirdPartyResourceData {
+  // Standard object metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Data is the raw JSON data for this data.
+  // +optional
+  optional bytes data = 2;
+}
+
+// ThirdPartyResrouceDataList is a list of ThirdPartyResourceData.
+message ThirdPartyResourceDataList {
+  // Standard list metadata
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of ThirdpartyResourceData.
+  repeated ThirdPartyResourceData items = 2;
+}
+
+// ThirdPartyResourceList is a list of ThirdPartyResources.
+message ThirdPartyResourceList {
+  // Standard list metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of ThirdPartyResources.
+  repeated ThirdPartyResource items = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/extensions/v1beta1/register.go b/cli/vendor/k8s.io/api/extensions/v1beta1/register.go
new file mode 100644
index 00000000..626701cf
--- /dev/null
+++ b/cli/vendor/k8s.io/api/extensions/v1beta1/register.go
@@ -0,0 +1,70 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "extensions"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Deployment{},
+		&DeploymentList{},
+		&DeploymentRollback{},
+		&ReplicationControllerDummy{},
+		&Scale{},
+		&ThirdPartyResource{},
+		&ThirdPartyResourceList{},
+		&DaemonSetList{},
+		&DaemonSet{},
+		&ThirdPartyResourceData{},
+		&ThirdPartyResourceDataList{},
+		&Ingress{},
+		&IngressList{},
+		&ReplicaSet{},
+		&ReplicaSetList{},
+		&PodSecurityPolicy{},
+		&PodSecurityPolicyList{},
+		&NetworkPolicy{},
+		&NetworkPolicyList{},
+	)
+	// Add the watch version that applies
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/extensions/v1beta1/types.go b/cli/vendor/k8s.io/api/extensions/v1beta1/types.go
new file mode 100644
index 00000000..a41f1350
--- /dev/null
+++ b/cli/vendor/k8s.io/api/extensions/v1beta1/types.go
@@ -0,0 +1,1315 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	appsv1beta1 "k8s.io/api/apps/v1beta1"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// describes the attributes of a scale subresource
+type ScaleSpec struct {
+	// desired number of instances for the scaled object.
+	// +optional
+	Replicas int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+}
+
+// represents the current status of a scale subresource.
+type ScaleStatus struct {
+	// actual number of observed instances of the scaled object.
+	Replicas int32 `json:"replicas" protobuf:"varint,1,opt,name=replicas"`
+
+	// label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors
+	// +optional
+	Selector map[string]string `json:"selector,omitempty" protobuf:"bytes,2,rep,name=selector"`
+
+	// label selector for pods that should match the replicas count. This is a serializated
+	// version of both map-based and more expressive set-based selectors. This is done to
+	// avoid introspection in the clients. The string will be in the same format as the
+	// query-param syntax. If the target type only supports map-based selectors, both this
+	// field and map-based selector field are populated.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	TargetSelector string `json:"targetSelector,omitempty" protobuf:"bytes,3,opt,name=targetSelector"`
+}
+
+// +genclient
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// represents a scaling request for a resource.
+type Scale struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.
+	// +optional
+	Spec ScaleSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.
+	// +optional
+	Status ScaleStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Dummy definition
+type ReplicationControllerDummy struct {
+	metav1.TypeMeta `json:",inline"`
+}
+
+// Alpha-level support for Custom Metrics in HPA (as annotations).
+type CustomMetricTarget struct {
+	// Custom Metric name.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// Custom Metric value (average).
+	TargetValue resource.Quantity `json:"value" protobuf:"bytes,2,opt,name=value"`
+}
+
+type CustomMetricTargetList struct {
+	Items []CustomMetricTarget `json:"items" protobuf:"bytes,1,rep,name=items"`
+}
+
+type CustomMetricCurrentStatus struct {
+	// Custom Metric name.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// Custom Metric value (average).
+	CurrentValue resource.Quantity `json:"value" protobuf:"bytes,2,opt,name=value"`
+}
+
+type CustomMetricCurrentStatusList struct {
+	Items []CustomMetricCurrentStatus `json:"items" protobuf:"bytes,1,rep,name=items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// A ThirdPartyResource is a generic representation of a resource, it is used by add-ons and plugins to add new resource
+// types to the API.  It consists of one or more Versions of the api.
+type ThirdPartyResource struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Standard object metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Description is the description of this object.
+	// +optional
+	Description string `json:"description,omitempty" protobuf:"bytes,2,opt,name=description"`
+
+	// Versions are versions for this third party object
+	// +optional
+	Versions []APIVersion `json:"versions,omitempty" protobuf:"bytes,3,rep,name=versions"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ThirdPartyResourceList is a list of ThirdPartyResources.
+type ThirdPartyResourceList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// Standard list metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of ThirdPartyResources.
+	Items []ThirdPartyResource `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// An APIVersion represents a single concrete version of an object model.
+type APIVersion struct {
+	// Name of this version (e.g. 'v1').
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// An internal object, used for versioned storage in etcd.  Not exposed to the end user.
+type ThirdPartyResourceData struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Data is the raw JSON data for this data.
+	// +optional
+	Data []byte `json:"data,omitempty" protobuf:"bytes,2,opt,name=data"`
+}
+
+// +genclient
+// +genclient:method=GetScale,verb=get,subresource=scale,result=Scale
+// +genclient:method=UpdateScale,verb=update,subresource=scale,input=Scale,result=Scale
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DEPRECATED - This group version of Deployment is deprecated by apps/v1beta2/Deployment. See the release notes for
+// more information.
+// Deployment enables declarative updates for Pods and ReplicaSets.
+type Deployment struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of the Deployment.
+	// +optional
+	Spec DeploymentSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Most recently observed status of the Deployment.
+	// +optional
+	Status DeploymentStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+type DeploymentSpec struct {
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"`
+
+	// Template describes the pods that will be created.
+	Template v1.PodTemplateSpec `json:"template" protobuf:"bytes,3,opt,name=template"`
+
+	// The deployment strategy to use to replace existing pods with new ones.
+	// +optional
+	// +patchStrategy=retainKeys
+	Strategy DeploymentStrategy `json:"strategy,omitempty" patchStrategy:"retainKeys" protobuf:"bytes,4,opt,name=strategy"`
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	MinReadySeconds int32 `json:"minReadySeconds,omitempty" protobuf:"varint,5,opt,name=minReadySeconds"`
+
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// +optional
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty" protobuf:"varint,6,opt,name=revisionHistoryLimit"`
+
+	// Indicates that the deployment is paused and will not be processed by the
+	// deployment controller.
+	// +optional
+	Paused bool `json:"paused,omitempty" protobuf:"varint,7,opt,name=paused"`
+
+	// DEPRECATED.
+	// The config this deployment is rolling back to. Will be cleared after rollback is done.
+	// +optional
+	RollbackTo *RollbackConfig `json:"rollbackTo,omitempty" protobuf:"bytes,8,opt,name=rollbackTo"`
+
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. This is not set
+	// by default.
+	// +optional
+	ProgressDeadlineSeconds *int32 `json:"progressDeadlineSeconds,omitempty" protobuf:"varint,9,opt,name=progressDeadlineSeconds"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DEPRECATED.
+// DeploymentRollback stores the information required to rollback a deployment.
+type DeploymentRollback struct {
+	metav1.TypeMeta `json:",inline"`
+	// Required: This must match the Name of a deployment.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// The annotations to be updated to a deployment
+	// +optional
+	UpdatedAnnotations map[string]string `json:"updatedAnnotations,omitempty" protobuf:"bytes,2,rep,name=updatedAnnotations"`
+	// The config of this deployment rollback.
+	RollbackTo RollbackConfig `json:"rollbackTo" protobuf:"bytes,3,opt,name=rollbackTo"`
+}
+
+// DEPRECATED.
+type RollbackConfig struct {
+	// The revision to rollback to. If set to 0, rollback to the last revision.
+	// +optional
+	Revision int64 `json:"revision,omitempty" protobuf:"varint,1,opt,name=revision"`
+}
+
+const (
+	// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
+	// to existing RCs (and label key that is added to its pods) to prevent the existing RCs
+	// to select new pods (and old pods being select by new RC).
+	DefaultDeploymentUniqueLabelKey string = "pod-template-hash"
+)
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+type DeploymentStrategy struct {
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	// +optional
+	Type DeploymentStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=DeploymentStrategyType"`
+
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
+	// +optional
+	RollingUpdate *RollingUpdateDeployment `json:"rollingUpdate,omitempty" protobuf:"bytes,2,opt,name=rollingUpdate"`
+}
+
+type DeploymentStrategyType string
+
+const (
+	// Kill all existing pods before creating new ones.
+	RecreateDeploymentStrategyType DeploymentStrategyType = "Recreate"
+
+	// Replace the old RCs by new one using rolling update i.e gradually scale down the old RCs and scale up the new one.
+	RollingUpdateDeploymentStrategyType DeploymentStrategyType = "RollingUpdate"
+)
+
+// Spec to control the desired behavior of rolling update.
+type RollingUpdateDeployment struct {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// By default, a fixed value of 1 is used.
+	// Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old RC
+	// can be scaled down further, followed by scaling up the new RC, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
+	// +optional
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,1,opt,name=maxUnavailable"`
+
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// By default, a value of 1 is used.
+	// Example: when this is set to 30%, the new RC can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new RC can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is atmost 130% of desired pods.
+	// +optional
+	MaxSurge *intstr.IntOrString `json:"maxSurge,omitempty" protobuf:"bytes,2,opt,name=maxSurge"`
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+type DeploymentStatus struct {
+	// The generation observed by the deployment controller.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
+
+	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+	// +optional
+	Replicas int32 `json:"replicas,omitempty" protobuf:"varint,2,opt,name=replicas"`
+
+	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+	// +optional
+	UpdatedReplicas int32 `json:"updatedReplicas,omitempty" protobuf:"varint,3,opt,name=updatedReplicas"`
+
+	// Total number of ready pods targeted by this deployment.
+	// +optional
+	ReadyReplicas int32 `json:"readyReplicas,omitempty" protobuf:"varint,7,opt,name=readyReplicas"`
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+	// +optional
+	AvailableReplicas int32 `json:"availableReplicas,omitempty" protobuf:"varint,4,opt,name=availableReplicas"`
+
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	// +optional
+	UnavailableReplicas int32 `json:"unavailableReplicas,omitempty" protobuf:"varint,5,opt,name=unavailableReplicas"`
+
+	// Represents the latest available observations of a deployment's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []DeploymentCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,6,rep,name=conditions"`
+
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	// +optional
+	CollisionCount *int32 `json:"collisionCount,omitempty" protobuf:"varint,8,opt,name=collisionCount"`
+}
+
+type DeploymentConditionType string
+
+// These are valid conditions of a deployment.
+const (
+	// Available means the deployment is available, ie. at least the minimum available
+	// replicas required are up and running for at least minReadySeconds.
+	DeploymentAvailable DeploymentConditionType = "Available"
+	// Progressing means the deployment is progressing. Progress for a deployment is
+	// considered when a new replica set is created or adopted, and when new pods scale
+	// up or old pods scale down. Progress is not estimated for paused deployments or
+	// when progressDeadlineSeconds is not specified.
+	DeploymentProgressing DeploymentConditionType = "Progressing"
+	// ReplicaFailure is added in a deployment when one of its pods fails to be created
+	// or deleted.
+	DeploymentReplicaFailure DeploymentConditionType = "ReplicaFailure"
+)
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+type DeploymentCondition struct {
+	// Type of deployment condition.
+	Type DeploymentConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=DeploymentConditionType"`
+	// Status of the condition, one of True, False, Unknown.
+	Status v1.ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"`
+	// The last time this condition was updated.
+	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty" protobuf:"bytes,6,opt,name=lastUpdateTime"`
+	// Last time the condition transitioned from one status to another.
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,7,opt,name=lastTransitionTime"`
+	// The reason for the condition's last transition.
+	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
+	// A human readable message indicating details about the transition.
+	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DeploymentList is a list of Deployments.
+type DeploymentList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of Deployments.
+	Items []Deployment `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+type DaemonSetUpdateStrategy struct {
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete".
+	// Default is OnDelete.
+	// +optional
+	Type DaemonSetUpdateStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type"`
+
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
+	// +optional
+	RollingUpdate *RollingUpdateDaemonSet `json:"rollingUpdate,omitempty" protobuf:"bytes,2,opt,name=rollingUpdate"`
+}
+
+type DaemonSetUpdateStrategyType string
+
+const (
+	// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
+	RollingUpdateDaemonSetStrategyType DaemonSetUpdateStrategyType = "RollingUpdate"
+
+	// Replace the old daemons only when it's killed
+	OnDeleteDaemonSetStrategyType DaemonSetUpdateStrategyType = "OnDelete"
+)
+
+// Spec to control the desired behavior of daemon set rolling update.
+type RollingUpdateDaemonSet struct {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0.
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given
+	// time. The update starts by stopping at most 30% of those DaemonSet pods
+	// and then brings up new DaemonSet pods in their place. Once the new pods
+	// are available, it then proceeds onto other DaemonSet pods, thus ensuring
+	// that at least 70% of original number of DaemonSet pods are available at
+	// all times during the update.
+	// +optional
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,1,opt,name=maxUnavailable"`
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+type DaemonSetSpec struct {
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// If empty, defaulted to labels on Pod template.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,1,opt,name=selector"`
+
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	Template v1.PodTemplateSpec `json:"template" protobuf:"bytes,2,opt,name=template"`
+
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	// +optional
+	UpdateStrategy DaemonSetUpdateStrategy `json:"updateStrategy,omitempty" protobuf:"bytes,3,opt,name=updateStrategy"`
+
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	// +optional
+	MinReadySeconds int32 `json:"minReadySeconds,omitempty" protobuf:"varint,4,opt,name=minReadySeconds"`
+
+	// DEPRECATED.
+	// A sequence number representing a specific generation of the template.
+	// Populated by the system. It can be set only during the creation.
+	// +optional
+	TemplateGeneration int64 `json:"templateGeneration,omitempty" protobuf:"varint,5,opt,name=templateGeneration"`
+
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty" protobuf:"varint,6,opt,name=revisionHistoryLimit"`
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+type DaemonSetStatus struct {
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	CurrentNumberScheduled int32 `json:"currentNumberScheduled" protobuf:"varint,1,opt,name=currentNumberScheduled"`
+
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	NumberMisscheduled int32 `json:"numberMisscheduled" protobuf:"varint,2,opt,name=numberMisscheduled"`
+
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	DesiredNumberScheduled int32 `json:"desiredNumberScheduled" protobuf:"varint,3,opt,name=desiredNumberScheduled"`
+
+	// The number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running and ready.
+	NumberReady int32 `json:"numberReady" protobuf:"varint,4,opt,name=numberReady"`
+
+	// The most recent generation observed by the daemon set controller.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,5,opt,name=observedGeneration"`
+
+	// The total number of nodes that are running updated daemon pod
+	// +optional
+	UpdatedNumberScheduled int32 `json:"updatedNumberScheduled,omitempty" protobuf:"varint,6,opt,name=updatedNumberScheduled"`
+
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	// +optional
+	NumberAvailable int32 `json:"numberAvailable,omitempty" protobuf:"varint,7,opt,name=numberAvailable"`
+
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	// +optional
+	NumberUnavailable int32 `json:"numberUnavailable,omitempty" protobuf:"varint,8,opt,name=numberUnavailable"`
+
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	// +optional
+	CollisionCount *int32 `json:"collisionCount,omitempty" protobuf:"varint,9,opt,name=collisionCount"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DEPRECATED - This group version of DaemonSet is deprecated by apps/v1beta2/DaemonSet. See the release notes for
+// more information.
+// DaemonSet represents the configuration of a daemon set.
+type DaemonSet struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec DaemonSetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status DaemonSetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+const (
+	// DEPRECATED: DefaultDaemonSetUniqueLabelKey is used instead.
+	// DaemonSetTemplateGenerationKey is the key of the labels that is added
+	// to daemon set pods to distinguish between old and new pod templates
+	// during DaemonSet template update.
+	DaemonSetTemplateGenerationKey string = "pod-template-generation"
+
+	// DefaultDaemonSetUniqueLabelKey is the default label key that is added
+	// to existing DaemonSet pods to distinguish between old and new
+	// DaemonSet pods during DaemonSet template updates.
+	DefaultDaemonSetUniqueLabelKey = appsv1beta1.ControllerRevisionHashLabelKey
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DaemonSetList is a collection of daemon sets.
+type DaemonSetList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// A list of daemon sets.
+	Items []DaemonSet `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ThirdPartyResrouceDataList is a list of ThirdPartyResourceData.
+type ThirdPartyResourceDataList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of ThirdpartyResourceData.
+	Items []ThirdPartyResourceData `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Ingress is a collection of rules that allow inbound connections to reach the
+// endpoints defined by a backend. An Ingress can be configured to give services
+// externally-reachable urls, load balance traffic, terminate SSL, offer name
+// based virtual hosting etc.
+type Ingress struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec is the desired state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec IngressSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is the current state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status IngressStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// IngressList is a collection of Ingress.
+type IngressList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of Ingress.
+	Items []Ingress `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// IngressSpec describes the Ingress the user wishes to exist.
+type IngressSpec struct {
+	// A default backend capable of servicing requests that don't match any
+	// rule. At least one of 'backend' or 'rules' must be specified. This field
+	// is optional to allow the loadbalancer controller or defaulting logic to
+	// specify a global default.
+	// +optional
+	Backend *IngressBackend `json:"backend,omitempty" protobuf:"bytes,1,opt,name=backend"`
+
+	// TLS configuration. Currently the Ingress only supports a single TLS
+	// port, 443. If multiple members of this list specify different hosts, they
+	// will be multiplexed on the same port according to the hostname specified
+	// through the SNI TLS extension, if the ingress controller fulfilling the
+	// ingress supports SNI.
+	// +optional
+	TLS []IngressTLS `json:"tls,omitempty" protobuf:"bytes,2,rep,name=tls"`
+
+	// A list of host rules used to configure the Ingress. If unspecified, or
+	// no rule matches, all traffic is sent to the default backend.
+	// +optional
+	Rules []IngressRule `json:"rules,omitempty" protobuf:"bytes,3,rep,name=rules"`
+	// TODO: Add the ability to specify load-balancer IP through claims
+}
+
+// IngressTLS describes the transport layer security associated with an Ingress.
+type IngressTLS struct {
+	// Hosts are a list of hosts included in the TLS certificate. The values in
+	// this list must match the name/s used in the tlsSecret. Defaults to the
+	// wildcard host setting for the loadbalancer controller fulfilling this
+	// Ingress, if left unspecified.
+	// +optional
+	Hosts []string `json:"hosts,omitempty" protobuf:"bytes,1,rep,name=hosts"`
+	// SecretName is the name of the secret used to terminate SSL traffic on 443.
+	// Field is left optional to allow SSL routing based on SNI hostname alone.
+	// If the SNI host in a listener conflicts with the "Host" header field used
+	// by an IngressRule, the SNI host is used for termination and value of the
+	// Host header is used for routing.
+	// +optional
+	SecretName string `json:"secretName,omitempty" protobuf:"bytes,2,opt,name=secretName"`
+	// TODO: Consider specifying different modes of termination, protocols etc.
+}
+
+// IngressStatus describe the current state of the Ingress.
+type IngressStatus struct {
+	// LoadBalancer contains the current status of the load-balancer.
+	// +optional
+	LoadBalancer v1.LoadBalancerStatus `json:"loadBalancer,omitempty" protobuf:"bytes,1,opt,name=loadBalancer"`
+}
+
+// IngressRule represents the rules mapping the paths under a specified host to
+// the related backend services. Incoming requests are first evaluated for a host
+// match, then routed to the backend associated with the matching IngressRuleValue.
+type IngressRule struct {
+	// Host is the fully qualified domain name of a network host, as defined
+	// by RFC 3986. Note the following deviations from the "host" part of the
+	// URI as defined in the RFC:
+	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the
+	//	  IP in the Spec of the parent Ingress.
+	// 2. The `:` delimiter is not respected because ports are not allowed.
+	//	  Currently the port of an Ingress is implicitly :80 for http and
+	//	  :443 for https.
+	// Both these may change in the future.
+	// Incoming requests are matched against the host before the IngressRuleValue.
+	// If the host is unspecified, the Ingress routes all traffic based on the
+	// specified IngressRuleValue.
+	// +optional
+	Host string `json:"host,omitempty" protobuf:"bytes,1,opt,name=host"`
+	// IngressRuleValue represents a rule to route requests for this IngressRule.
+	// If unspecified, the rule defaults to a http catch-all. Whether that sends
+	// just traffic matching the host to the default backend or all traffic to the
+	// default backend, is left to the controller fulfilling the Ingress. Http is
+	// currently the only supported IngressRuleValue.
+	// +optional
+	IngressRuleValue `json:",inline,omitempty" protobuf:"bytes,2,opt,name=ingressRuleValue"`
+}
+
+// IngressRuleValue represents a rule to apply against incoming requests. If the
+// rule is satisfied, the request is routed to the specified backend. Currently
+// mixing different types of rules in a single Ingress is disallowed, so exactly
+// one of the following must be set.
+type IngressRuleValue struct {
+	//TODO:
+	// 1. Consider renaming this resource and the associated rules so they
+	// aren't tied to Ingress. They can be used to route intra-cluster traffic.
+	// 2. Consider adding fields for ingress-type specific global options
+	// usable by a loadbalancer, like http keep-alive.
+
+	// +optional
+	HTTP *HTTPIngressRuleValue `json:"http,omitempty" protobuf:"bytes,1,opt,name=http"`
+}
+
+// HTTPIngressRuleValue is a list of http selectors pointing to backends.
+// In the example: http://<host>/<path>?<searchpart> -> backend where
+// where parts of the url correspond to RFC 3986, this resource will be used
+// to match against everything after the last '/' and before the first '?'
+// or '#'.
+type HTTPIngressRuleValue struct {
+	// A collection of paths that map requests to backends.
+	Paths []HTTPIngressPath `json:"paths" protobuf:"bytes,1,rep,name=paths"`
+	// TODO: Consider adding fields for ingress-type specific global
+	// options usable by a loadbalancer, like http keep-alive.
+}
+
+// HTTPIngressPath associates a path regex with a backend. Incoming urls matching
+// the path are forwarded to the backend.
+type HTTPIngressPath struct {
+	// Path is an extended POSIX regex as defined by IEEE Std 1003.1,
+	// (i.e this follows the egrep/unix syntax, not the perl syntax)
+	// matched against the path of an incoming request. Currently it can
+	// contain characters disallowed from the conventional "path"
+	// part of a URL as defined by RFC 3986. Paths must begin with
+	// a '/'. If unspecified, the path defaults to a catch all sending
+	// traffic to the backend.
+	// +optional
+	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
+
+	// Backend defines the referenced service endpoint to which the traffic
+	// will be forwarded to.
+	Backend IngressBackend `json:"backend" protobuf:"bytes,2,opt,name=backend"`
+}
+
+// IngressBackend describes all endpoints for a given service and port.
+type IngressBackend struct {
+	// Specifies the name of the referenced service.
+	ServiceName string `json:"serviceName" protobuf:"bytes,1,opt,name=serviceName"`
+
+	// Specifies the port of the referenced service.
+	ServicePort intstr.IntOrString `json:"servicePort" protobuf:"bytes,2,opt,name=servicePort"`
+}
+
+// +genclient
+// +genclient:method=GetScale,verb=get,subresource=scale,result=Scale
+// +genclient:method=UpdateScale,verb=update,subresource=scale,input=Scale,result=Scale
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DEPRECATED - This group version of ReplicaSet is deprecated by apps/v1beta2/ReplicaSet. See the release notes for
+// more information.
+// ReplicaSet represents the configuration of a ReplicaSet.
+type ReplicaSet struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Spec ReplicaSetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status ReplicaSetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ReplicaSetList is a collection of ReplicaSets.
+type ReplicaSetList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of ReplicaSets.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+	Items []ReplicaSet `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+type ReplicaSetSpec struct {
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	// +optional
+	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	MinReadySeconds int32 `json:"minReadySeconds,omitempty" protobuf:"varint,4,opt,name=minReadySeconds"`
+
+	// Selector is a label query over pods that should match the replica count.
+	// If the selector is empty, it is defaulted to the labels present on the pod template.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"`
+
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	// +optional
+	Template v1.PodTemplateSpec `json:"template,omitempty" protobuf:"bytes,3,opt,name=template"`
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+type ReplicaSetStatus struct {
+	// Replicas is the most recently oberved number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	Replicas int32 `json:"replicas" protobuf:"varint,1,opt,name=replicas"`
+
+	// The number of pods that have labels matching the labels of the pod template of the replicaset.
+	// +optional
+	FullyLabeledReplicas int32 `json:"fullyLabeledReplicas,omitempty" protobuf:"varint,2,opt,name=fullyLabeledReplicas"`
+
+	// The number of ready replicas for this replica set.
+	// +optional
+	ReadyReplicas int32 `json:"readyReplicas,omitempty" protobuf:"varint,4,opt,name=readyReplicas"`
+
+	// The number of available replicas (ready for at least minReadySeconds) for this replica set.
+	// +optional
+	AvailableReplicas int32 `json:"availableReplicas,omitempty" protobuf:"varint,5,opt,name=availableReplicas"`
+
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,3,opt,name=observedGeneration"`
+
+	// Represents the latest available observations of a replica set's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	Conditions []ReplicaSetCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,6,rep,name=conditions"`
+}
+
+type ReplicaSetConditionType string
+
+// These are valid conditions of a replica set.
+const (
+	// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
+	// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
+	// due to kubelet being down or finalizers are failing.
+	ReplicaSetReplicaFailure ReplicaSetConditionType = "ReplicaFailure"
+)
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+type ReplicaSetCondition struct {
+	// Type of replica set condition.
+	Type ReplicaSetConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=ReplicaSetConditionType"`
+	// Status of the condition, one of True, False, Unknown.
+	Status v1.ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"`
+	// The last time the condition transitioned from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,3,opt,name=lastTransitionTime"`
+	// The reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason"`
+	// A human readable message indicating details about the transition.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Pod Security Policy governs the ability to make requests that affect the Security Context
+// that will be applied to a pod and container.
+type PodSecurityPolicy struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// spec defines the policy enforced.
+	// +optional
+	Spec PodSecurityPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// Pod Security Policy Spec defines the policy enforced.
+type PodSecurityPolicySpec struct {
+	// privileged determines if a pod can request to be run as privileged.
+	// +optional
+	Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"`
+	// DefaultAddCapabilities is the default set of capabilities that will be added to the container
+	// unless the pod spec specifically drops the capability.  You may not list a capabiility in both
+	// DefaultAddCapabilities and RequiredDropCapabilities.
+	// +optional
+	DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"`
+	// RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
+	// are required to be dropped and cannot be added.
+	// +optional
+	RequiredDropCapabilities []v1.Capability `json:"requiredDropCapabilities,omitempty" protobuf:"bytes,3,rep,name=requiredDropCapabilities,casttype=k8s.io/api/core/v1.Capability"`
+	// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
+	// Capabilities in this field may be added at the pod author's discretion.
+	// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
+	// +optional
+	AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"`
+	// volumes is a white list of allowed volume plugins.  Empty indicates that all plugins
+	// may be used.
+	// +optional
+	Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"`
+	// hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
+	// +optional
+	HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,6,opt,name=hostNetwork"`
+	// hostPorts determines which host port ranges are allowed to be exposed.
+	// +optional
+	HostPorts []HostPortRange `json:"hostPorts,omitempty" protobuf:"bytes,7,rep,name=hostPorts"`
+	// hostPID determines if the policy allows the use of HostPID in the pod spec.
+	// +optional
+	HostPID bool `json:"hostPID,omitempty" protobuf:"varint,8,opt,name=hostPID"`
+	// hostIPC determines if the policy allows the use of HostIPC in the pod spec.
+	// +optional
+	HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,9,opt,name=hostIPC"`
+	// seLinux is the strategy that will dictate the allowable labels that may be set.
+	SELinux SELinuxStrategyOptions `json:"seLinux" protobuf:"bytes,10,opt,name=seLinux"`
+	// runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
+	RunAsUser RunAsUserStrategyOptions `json:"runAsUser" protobuf:"bytes,11,opt,name=runAsUser"`
+	// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+	SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups" protobuf:"bytes,12,opt,name=supplementalGroups"`
+	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+	FSGroup FSGroupStrategyOptions `json:"fsGroup" protobuf:"bytes,13,opt,name=fsGroup"`
+	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
+	// system.  If the container specifically requests to run with a non-read only root file system
+	// the PSP should deny the pod.
+	// If set to false the container may run with a read only root file system if it wishes but it
+	// will not be forced to.
+	// +optional
+	ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"`
+	// DefaultAllowPrivilegeEscalation controls the default setting for whether a
+	// process can gain more privileges than its parent process.
+	// +optional
+	DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"`
+	// AllowPrivilegeEscalation determines if a pod can request to allow
+	// privilege escalation. If unspecified, defaults to true.
+	// +optional
+	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
+	// is a white list of allowed host paths. Empty indicates that all host paths may be used.
+	// +optional
+	AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
+}
+
+// defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+type AllowedHostPath struct {
+	// is the path prefix that the host volume must match.
+	// It does not support `*`.
+	// Trailing slashes are trimmed when validating the path prefix with a host path.
+	//
+	// Examples:
+	// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+	// `/foo` would not allow `/food` or `/etc/foo`
+	PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"`
+}
+
+// FS Type gives strong typing to different file systems that are used by volumes.
+type FSType string
+
+var (
+	AzureFile             FSType = "azureFile"
+	Flocker               FSType = "flocker"
+	FlexVolume            FSType = "flexVolume"
+	HostPath              FSType = "hostPath"
+	EmptyDir              FSType = "emptyDir"
+	GCEPersistentDisk     FSType = "gcePersistentDisk"
+	AWSElasticBlockStore  FSType = "awsElasticBlockStore"
+	GitRepo               FSType = "gitRepo"
+	Secret                FSType = "secret"
+	NFS                   FSType = "nfs"
+	ISCSI                 FSType = "iscsi"
+	Glusterfs             FSType = "glusterfs"
+	PersistentVolumeClaim FSType = "persistentVolumeClaim"
+	RBD                   FSType = "rbd"
+	Cinder                FSType = "cinder"
+	CephFS                FSType = "cephFS"
+	DownwardAPI           FSType = "downwardAPI"
+	FC                    FSType = "fc"
+	ConfigMap             FSType = "configMap"
+	Quobyte               FSType = "quobyte"
+	AzureDisk             FSType = "azureDisk"
+	All                   FSType = "*"
+)
+
+// Host Port Range defines a range of host ports that will be enabled by a policy
+// for pods to use.  It requires both the start and end to be defined.
+type HostPortRange struct {
+	// min is the start of the range, inclusive.
+	Min int32 `json:"min" protobuf:"varint,1,opt,name=min"`
+	// max is the end of the range, inclusive.
+	Max int32 `json:"max" protobuf:"varint,2,opt,name=max"`
+}
+
+// SELinux  Strategy Options defines the strategy type and any options used to create the strategy.
+type SELinuxStrategyOptions struct {
+	// type is the strategy that will dictate the allowable labels that may be set.
+	Rule SELinuxStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=SELinuxStrategy"`
+	// seLinuxOptions required to run as; required for MustRunAs
+	// More info: https://git.k8s.io/community/contributors/design-proposals/security_context.md
+	// +optional
+	SELinuxOptions *v1.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,2,opt,name=seLinuxOptions"`
+}
+
+// SELinuxStrategy denotes strategy types for generating SELinux options for a
+// Security Context.
+type SELinuxStrategy string
+
+const (
+	// container must have SELinux labels of X applied.
+	SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
+	// container may make requests for any SELinux context labels.
+	SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
+)
+
+// Run A sUser Strategy Options defines the strategy type and any options used to create the strategy.
+type RunAsUserStrategyOptions struct {
+	// Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
+	Rule RunAsUserStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsUserStrategy"`
+	// Ranges are the allowed ranges of uids that may be used.
+	// +optional
+	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
+}
+
+// ID Range provides a min/max of an allowed range of IDs.
+type IDRange struct {
+	// Min is the start of the range, inclusive.
+	Min int64 `json:"min" protobuf:"varint,1,opt,name=min"`
+	// Max is the end of the range, inclusive.
+	Max int64 `json:"max" protobuf:"varint,2,opt,name=max"`
+}
+
+// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
+// Security Context.
+type RunAsUserStrategy string
+
+const (
+	// container must run as a particular uid.
+	RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
+	// container must run as a non-root uid
+	RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
+	// container may make requests for any uid.
+	RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
+)
+
+// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
+type FSGroupStrategyOptions struct {
+	// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
+	// +optional
+	Rule FSGroupStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=FSGroupStrategyType"`
+	// Ranges are the allowed ranges of fs groups.  If you would like to force a single
+	// fs group then supply a single range with the same start and end.
+	// +optional
+	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
+}
+
+// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
+// SecurityContext
+type FSGroupStrategyType string
+
+const (
+	// container must have FSGroup of X applied.
+	FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
+	// container may make requests for any FSGroup labels.
+	FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
+)
+
+// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
+type SupplementalGroupsStrategyOptions struct {
+	// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
+	// +optional
+	Rule SupplementalGroupsStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=SupplementalGroupsStrategyType"`
+	// Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
+	// supplemental group then supply a single range with the same start and end.
+	// +optional
+	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
+}
+
+// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
+// groups for a SecurityContext.
+type SupplementalGroupsStrategyType string
+
+const (
+	// container must run as a particular gid.
+	SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
+	// container may make requests for any gid.
+	SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Pod Security Policy List is a list of PodSecurityPolicy objects.
+type PodSecurityPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of schema objects.
+	Items []PodSecurityPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkPolicy describes what network traffic is allowed for a set of Pods
+type NetworkPolicy struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior for this NetworkPolicy.
+	// +optional
+	Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// Policy Type string describes the NetworkPolicy type
+// This type is beta-level in 1.8
+type PolicyType string
+
+const (
+	// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods
+	PolicyTypeIngress PolicyType = "Ingress"
+	// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods
+	PolicyTypeEgress PolicyType = "Egress"
+)
+
+type NetworkPolicySpec struct {
+	// Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules
+	// is applied to any pods selected by this field. Multiple network policies can select the
+	// same set of pods.  In this case, the ingress rules for each are combined additively.
+	// This field is NOT optional and follows standard label selector semantics.
+	// An empty podSelector matches all pods in this namespace.
+	PodSelector metav1.LabelSelector `json:"podSelector" protobuf:"bytes,1,opt,name=podSelector"`
+
+	// List of ingress rules to be applied to the selected pods.
+	// Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
+	// OR if the traffic source is the pod's local node,
+	// OR if the traffic matches at least one ingress rule across all of the NetworkPolicy
+	// objects whose podSelector matches the pod.
+	// If this field is empty then this NetworkPolicy does not allow any traffic
+	// (and serves solely to ensure that the pods it selects are isolated by default).
+	// +optional
+	Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,2,rep,name=ingress"`
+
+	// List of egress rules to be applied to the selected pods. Outgoing traffic is
+	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// This field is beta-level in 1.8
+	// +optional
+	Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
+
+	// List of rule types that the NetworkPolicy relates to.
+	// Valid options are Ingress, Egress, or Ingress,Egress.
+	// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+	// policies that contain an Egress section are assumed to affect Egress, and all policies
+	// (whether or not they contain an Ingress section) are assumed to affect Ingress.
+	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+	// Likewise, if you want to write a policy that specifies that no egress is allowed,
+	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
+	// an Egress section and would otherwise default to just [ "Ingress" ]).
+	// This field is beta-level in 1.8
+	// +optional
+	PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"`
+}
+
+// This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.
+type NetworkPolicyIngressRule struct {
+	// List of ports which should be made accessible on the pods selected for this rule.
+	// Each item in this list is combined using a logical OR.
+	// If this field is empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows traffic
+	// only if the traffic matches at least one port in the list.
+	// +optional
+	Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
+
+	// List of sources which should be able to access the pods selected for this rule.
+	// Items in this list are combined using a logical OR operation.
+	// If this field is empty or missing, this rule matches all sources (traffic not restricted by source).
+	// If this field is present and contains at least on item, this rule allows traffic only if the
+	// traffic matches at least one item in the from list.
+	// +optional
+	From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"`
+}
+
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+type NetworkPolicyEgressRule struct {
+	// List of destination ports for outgoing traffic.
+	// Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
+
+	// List of destinations for outgoing traffic of pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all destinations (traffic not restricted by
+	// destination). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the to list.
+	// +optional
+	To []NetworkPolicyPeer `json:"to,omitempty" protobuf:"bytes,2,rep,name=to"`
+}
+
+type NetworkPolicyPort struct {
+	// Optional.  The protocol (TCP or UDP) which traffic must match.
+	// If not specified, this field defaults to TCP.
+	// +optional
+	Protocol *v1.Protocol `json:"protocol,omitempty" protobuf:"bytes,1,opt,name=protocol,casttype=k8s.io/api/core/v1.Protocol"`
+
+	// If specified, the port on the given protocol.  This can
+	// either be a numerical or named port on a pod.  If this field is not provided,
+	// this matches all port names and numbers.
+	// If present, only traffic on the specified protocol AND port
+	// will be matched.
+	// +optional
+	Port *intstr.IntOrString `json:"port,omitempty" protobuf:"bytes,2,opt,name=port"`
+}
+
+// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to the pods
+// matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should
+// not be included within this rule.
+type IPBlock struct {
+	// CIDR is a string representing the IP Block
+	// Valid examples are "192.168.1.1/24"
+	CIDR string `json:"cidr" protobuf:"bytes,1,name=cidr"`
+	// Except is a slice of CIDRs that should not be included within an IP Block
+	// Valid examples are "192.168.1.1/24"
+	// Except values will be rejected if they are outside the CIDR range
+	// +optional
+	Except []string `json:"except,omitempty" protobuf:"bytes,2,rep,name=except"`
+}
+
+type NetworkPolicyPeer struct {
+	// Exactly one of the following must be specified.
+
+	// This is a label selector which selects Pods in this namespace.
+	// This field follows standard label selector semantics.
+	// If present but empty, this selector selects all pods in this namespace.
+	// +optional
+	PodSelector *metav1.LabelSelector `json:"podSelector,omitempty" protobuf:"bytes,1,opt,name=podSelector"`
+
+	// Selects Namespaces using cluster scoped-labels.  This
+	// matches all pods in all namespaces selected by this label selector.
+	// This field follows standard label selector semantics.
+	// If present but empty, this selector selects all namespaces.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,2,opt,name=namespaceSelector"`
+
+	// IPBlock defines policy on a particular IPBlock
+	// +optional
+	IPBlock *IPBlock `json:"ipBlock,omitempty" protobuf:"bytes,3,rep,name=ipBlock"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Network Policy List is a list of NetworkPolicy objects.
+type NetworkPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of schema objects.
+	Items []NetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..6465ea23
--- /dev/null
+++ b/cli/vendor/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
@@ -0,0 +1,667 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_APIVersion = map[string]string{
+	"":     "An APIVersion represents a single concrete version of an object model.",
+	"name": "Name of this version (e.g. 'v1').",
+}
+
+func (APIVersion) SwaggerDoc() map[string]string {
+	return map_APIVersion
+}
+
+var map_AllowedHostPath = map[string]string{
+	"":           "defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.",
+	"pathPrefix": "is the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.\n\nExamples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`",
+}
+
+func (AllowedHostPath) SwaggerDoc() map[string]string {
+	return map_AllowedHostPath
+}
+
+var map_CustomMetricCurrentStatus = map[string]string{
+	"name":  "Custom Metric name.",
+	"value": "Custom Metric value (average).",
+}
+
+func (CustomMetricCurrentStatus) SwaggerDoc() map[string]string {
+	return map_CustomMetricCurrentStatus
+}
+
+var map_CustomMetricTarget = map[string]string{
+	"":      "Alpha-level support for Custom Metrics in HPA (as annotations).",
+	"name":  "Custom Metric name.",
+	"value": "Custom Metric value (average).",
+}
+
+func (CustomMetricTarget) SwaggerDoc() map[string]string {
+	return map_CustomMetricTarget
+}
+
+var map_DaemonSet = map[string]string{
+	"":         "DEPRECATED - This group version of DaemonSet is deprecated by apps/v1beta2/DaemonSet. See the release notes for more information. DaemonSet represents the configuration of a daemon set.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "The desired behavior of this daemon set. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "The current status of this daemon set. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (DaemonSet) SwaggerDoc() map[string]string {
+	return map_DaemonSet
+}
+
+var map_DaemonSetList = map[string]string{
+	"":         "DaemonSetList is a collection of daemon sets.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "A list of daemon sets.",
+}
+
+func (DaemonSetList) SwaggerDoc() map[string]string {
+	return map_DaemonSetList
+}
+
+var map_DaemonSetSpec = map[string]string{
+	"":                     "DaemonSetSpec is the specification of a daemon set.",
+	"selector":             "A label query over pods that are managed by the daemon set. Must match in order to be controlled. If empty, defaulted to labels on Pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+	"template":             "An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template",
+	"updateStrategy":       "An update strategy to replace existing DaemonSet pods with new pods.",
+	"minReadySeconds":      "The minimum number of seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).",
+	"templateGeneration":   "DEPRECATED. A sequence number representing a specific generation of the template. Populated by the system. It can be set only during the creation.",
+	"revisionHistoryLimit": "The number of old history to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.",
+}
+
+func (DaemonSetSpec) SwaggerDoc() map[string]string {
+	return map_DaemonSetSpec
+}
+
+var map_DaemonSetStatus = map[string]string{
+	"": "DaemonSetStatus represents the current status of a daemon set.",
+	"currentNumberScheduled": "The number of nodes that are running at least 1 daemon pod and are supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",
+	"numberMisscheduled":     "The number of nodes that are running the daemon pod, but are not supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",
+	"desiredNumberScheduled": "The total number of nodes that should be running the daemon pod (including nodes correctly running the daemon pod). More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/",
+	"numberReady":            "The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and ready.",
+	"observedGeneration":     "The most recent generation observed by the daemon set controller.",
+	"updatedNumberScheduled": "The total number of nodes that are running updated daemon pod",
+	"numberAvailable":        "The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and available (ready for at least spec.minReadySeconds)",
+	"numberUnavailable":      "The number of nodes that should be running the daemon pod and have none of the daemon pod running and available (ready for at least spec.minReadySeconds)",
+	"collisionCount":         "Count of hash collisions for the DaemonSet. The DaemonSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.",
+}
+
+func (DaemonSetStatus) SwaggerDoc() map[string]string {
+	return map_DaemonSetStatus
+}
+
+var map_DaemonSetUpdateStrategy = map[string]string{
+	"type":          "Type of daemon set update. Can be \"RollingUpdate\" or \"OnDelete\". Default is OnDelete.",
+	"rollingUpdate": "Rolling update config params. Present only if type = \"RollingUpdate\".",
+}
+
+func (DaemonSetUpdateStrategy) SwaggerDoc() map[string]string {
+	return map_DaemonSetUpdateStrategy
+}
+
+var map_Deployment = map[string]string{
+	"":         "DEPRECATED - This group version of Deployment is deprecated by apps/v1beta2/Deployment. See the release notes for more information. Deployment enables declarative updates for Pods and ReplicaSets.",
+	"metadata": "Standard object metadata.",
+	"spec":     "Specification of the desired behavior of the Deployment.",
+	"status":   "Most recently observed status of the Deployment.",
+}
+
+func (Deployment) SwaggerDoc() map[string]string {
+	return map_Deployment
+}
+
+var map_DeploymentCondition = map[string]string{
+	"":                   "DeploymentCondition describes the state of a deployment at a certain point.",
+	"type":               "Type of deployment condition.",
+	"status":             "Status of the condition, one of True, False, Unknown.",
+	"lastUpdateTime":     "The last time this condition was updated.",
+	"lastTransitionTime": "Last time the condition transitioned from one status to another.",
+	"reason":             "The reason for the condition's last transition.",
+	"message":            "A human readable message indicating details about the transition.",
+}
+
+func (DeploymentCondition) SwaggerDoc() map[string]string {
+	return map_DeploymentCondition
+}
+
+var map_DeploymentList = map[string]string{
+	"":         "DeploymentList is a list of Deployments.",
+	"metadata": "Standard list metadata.",
+	"items":    "Items is the list of Deployments.",
+}
+
+func (DeploymentList) SwaggerDoc() map[string]string {
+	return map_DeploymentList
+}
+
+var map_DeploymentRollback = map[string]string{
+	"":                   "DEPRECATED. DeploymentRollback stores the information required to rollback a deployment.",
+	"name":               "Required: This must match the Name of a deployment.",
+	"updatedAnnotations": "The annotations to be updated to a deployment",
+	"rollbackTo":         "The config of this deployment rollback.",
+}
+
+func (DeploymentRollback) SwaggerDoc() map[string]string {
+	return map_DeploymentRollback
+}
+
+var map_DeploymentSpec = map[string]string{
+	"":                        "DeploymentSpec is the specification of the desired behavior of the Deployment.",
+	"replicas":                "Number of desired pods. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1.",
+	"selector":                "Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment.",
+	"template":                "Template describes the pods that will be created.",
+	"strategy":                "The deployment strategy to use to replace existing pods with new ones.",
+	"minReadySeconds":         "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)",
+	"revisionHistoryLimit":    "The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified.",
+	"paused":                  "Indicates that the deployment is paused and will not be processed by the deployment controller.",
+	"rollbackTo":              "DEPRECATED. The config this deployment is rolling back to. Will be cleared after rollback is done.",
+	"progressDeadlineSeconds": "The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. This is not set by default.",
+}
+
+func (DeploymentSpec) SwaggerDoc() map[string]string {
+	return map_DeploymentSpec
+}
+
+var map_DeploymentStatus = map[string]string{
+	"":                    "DeploymentStatus is the most recently observed status of the Deployment.",
+	"observedGeneration":  "The generation observed by the deployment controller.",
+	"replicas":            "Total number of non-terminated pods targeted by this deployment (their labels match the selector).",
+	"updatedReplicas":     "Total number of non-terminated pods targeted by this deployment that have the desired template spec.",
+	"readyReplicas":       "Total number of ready pods targeted by this deployment.",
+	"availableReplicas":   "Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.",
+	"unavailableReplicas": "Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created.",
+	"conditions":          "Represents the latest available observations of a deployment's current state.",
+	"collisionCount":      "Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.",
+}
+
+func (DeploymentStatus) SwaggerDoc() map[string]string {
+	return map_DeploymentStatus
+}
+
+var map_DeploymentStrategy = map[string]string{
+	"":              "DeploymentStrategy describes how to replace existing pods with new ones.",
+	"type":          "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate.",
+	"rollingUpdate": "Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate.",
+}
+
+func (DeploymentStrategy) SwaggerDoc() map[string]string {
+	return map_DeploymentStrategy
+}
+
+var map_FSGroupStrategyOptions = map[string]string{
+	"":       "FSGroupStrategyOptions defines the strategy type and options used to create the strategy.",
+	"rule":   "Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.",
+	"ranges": "Ranges are the allowed ranges of fs groups.  If you would like to force a single fs group then supply a single range with the same start and end.",
+}
+
+func (FSGroupStrategyOptions) SwaggerDoc() map[string]string {
+	return map_FSGroupStrategyOptions
+}
+
+var map_HTTPIngressPath = map[string]string{
+	"":        "HTTPIngressPath associates a path regex with a backend. Incoming urls matching the path are forwarded to the backend.",
+	"path":    "Path is an extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/'. If unspecified, the path defaults to a catch all sending traffic to the backend.",
+	"backend": "Backend defines the referenced service endpoint to which the traffic will be forwarded to.",
+}
+
+func (HTTPIngressPath) SwaggerDoc() map[string]string {
+	return map_HTTPIngressPath
+}
+
+var map_HTTPIngressRuleValue = map[string]string{
+	"":      "HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.",
+	"paths": "A collection of paths that map requests to backends.",
+}
+
+func (HTTPIngressRuleValue) SwaggerDoc() map[string]string {
+	return map_HTTPIngressRuleValue
+}
+
+var map_HostPortRange = map[string]string{
+	"":    "Host Port Range defines a range of host ports that will be enabled by a policy for pods to use.  It requires both the start and end to be defined.",
+	"min": "min is the start of the range, inclusive.",
+	"max": "max is the end of the range, inclusive.",
+}
+
+func (HostPortRange) SwaggerDoc() map[string]string {
+	return map_HostPortRange
+}
+
+var map_IDRange = map[string]string{
+	"":    "ID Range provides a min/max of an allowed range of IDs.",
+	"min": "Min is the start of the range, inclusive.",
+	"max": "Max is the end of the range, inclusive.",
+}
+
+func (IDRange) SwaggerDoc() map[string]string {
+	return map_IDRange
+}
+
+var map_IPBlock = map[string]string{
+	"":       "IPBlock describes a particular CIDR (Ex. \"192.168.1.1/24\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.",
+	"cidr":   "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\"",
+	"except": "Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" Except values will be rejected if they are outside the CIDR range",
+}
+
+func (IPBlock) SwaggerDoc() map[string]string {
+	return map_IPBlock
+}
+
+var map_Ingress = map[string]string{
+	"":         "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (Ingress) SwaggerDoc() map[string]string {
+	return map_Ingress
+}
+
+var map_IngressBackend = map[string]string{
+	"":            "IngressBackend describes all endpoints for a given service and port.",
+	"serviceName": "Specifies the name of the referenced service.",
+	"servicePort": "Specifies the port of the referenced service.",
+}
+
+func (IngressBackend) SwaggerDoc() map[string]string {
+	return map_IngressBackend
+}
+
+var map_IngressList = map[string]string{
+	"":         "IngressList is a collection of Ingress.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is the list of Ingress.",
+}
+
+func (IngressList) SwaggerDoc() map[string]string {
+	return map_IngressList
+}
+
+var map_IngressRule = map[string]string{
+	"":     "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.",
+	"host": "Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the\n\t  IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t  Currently the port of an Ingress is implicitly :80 for http and\n\t  :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.",
+}
+
+func (IngressRule) SwaggerDoc() map[string]string {
+	return map_IngressRule
+}
+
+var map_IngressRuleValue = map[string]string{
+	"": "IngressRuleValue represents a rule to apply against incoming requests. If the rule is satisfied, the request is routed to the specified backend. Currently mixing different types of rules in a single Ingress is disallowed, so exactly one of the following must be set.",
+}
+
+func (IngressRuleValue) SwaggerDoc() map[string]string {
+	return map_IngressRuleValue
+}
+
+var map_IngressSpec = map[string]string{
+	"":        "IngressSpec describes the Ingress the user wishes to exist.",
+	"backend": "A default backend capable of servicing requests that don't match any rule. At least one of 'backend' or 'rules' must be specified. This field is optional to allow the loadbalancer controller or defaulting logic to specify a global default.",
+	"tls":     "TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.",
+	"rules":   "A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.",
+}
+
+func (IngressSpec) SwaggerDoc() map[string]string {
+	return map_IngressSpec
+}
+
+var map_IngressStatus = map[string]string{
+	"":             "IngressStatus describe the current state of the Ingress.",
+	"loadBalancer": "LoadBalancer contains the current status of the load-balancer.",
+}
+
+func (IngressStatus) SwaggerDoc() map[string]string {
+	return map_IngressStatus
+}
+
+var map_IngressTLS = map[string]string{
+	"":           "IngressTLS describes the transport layer security associated with an Ingress.",
+	"hosts":      "Hosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.",
+	"secretName": "SecretName is the name of the secret used to terminate SSL traffic on 443. Field is left optional to allow SSL routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.",
+}
+
+func (IngressTLS) SwaggerDoc() map[string]string {
+	return map_IngressTLS
+}
+
+var map_NetworkPolicy = map[string]string{
+	"":         "NetworkPolicy describes what network traffic is allowed for a set of Pods",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Specification of the desired behavior for this NetworkPolicy.",
+}
+
+func (NetworkPolicy) SwaggerDoc() map[string]string {
+	return map_NetworkPolicy
+}
+
+var map_NetworkPolicyEgressRule = map[string]string{
+	"":      "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8",
+	"ports": "List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+	"to":    "List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.",
+}
+
+func (NetworkPolicyEgressRule) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyEgressRule
+}
+
+var map_NetworkPolicyIngressRule = map[string]string{
+	"":      "This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.",
+	"ports": "List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+	"from":  "List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least on item, this rule allows traffic only if the traffic matches at least one item in the from list.",
+}
+
+func (NetworkPolicyIngressRule) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyIngressRule
+}
+
+var map_NetworkPolicyList = map[string]string{
+	"":         "Network Policy List is a list of NetworkPolicy objects.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is a list of schema objects.",
+}
+
+func (NetworkPolicyList) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyList
+}
+
+var map_NetworkPolicyPeer = map[string]string{
+	"podSelector":       "This is a label selector which selects Pods in this namespace. This field follows standard label selector semantics. If present but empty, this selector selects all pods in this namespace.",
+	"namespaceSelector": "Selects Namespaces using cluster scoped-labels.  This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If present but empty, this selector selects all namespaces.",
+	"ipBlock":           "IPBlock defines policy on a particular IPBlock",
+}
+
+func (NetworkPolicyPeer) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyPeer
+}
+
+var map_NetworkPolicyPort = map[string]string{
+	"protocol": "Optional.  The protocol (TCP or UDP) which traffic must match. If not specified, this field defaults to TCP.",
+	"port":     "If specified, the port on the given protocol.  This can either be a numerical or named port on a pod.  If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.",
+}
+
+func (NetworkPolicyPort) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyPort
+}
+
+var map_NetworkPolicySpec = map[string]string{
+	"podSelector": "Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods.  In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.",
+	"ingress":     "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default).",
+	"egress":      "List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8",
+	"policyTypes": "List of rule types that the NetworkPolicy relates to. Valid options are Ingress, Egress, or Ingress,Egress. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an Egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8",
+}
+
+func (NetworkPolicySpec) SwaggerDoc() map[string]string {
+	return map_NetworkPolicySpec
+}
+
+var map_PodSecurityPolicy = map[string]string{
+	"":         "Pod Security Policy governs the ability to make requests that affect the Security Context that will be applied to a pod and container.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "spec defines the policy enforced.",
+}
+
+func (PodSecurityPolicy) SwaggerDoc() map[string]string {
+	return map_PodSecurityPolicy
+}
+
+var map_PodSecurityPolicyList = map[string]string{
+	"":         "Pod Security Policy List is a list of PodSecurityPolicy objects.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is a list of schema objects.",
+}
+
+func (PodSecurityPolicyList) SwaggerDoc() map[string]string {
+	return map_PodSecurityPolicyList
+}
+
+var map_PodSecurityPolicySpec = map[string]string{
+	"":                                "Pod Security Policy Spec defines the policy enforced.",
+	"privileged":                      "privileged determines if a pod can request to be run as privileged.",
+	"defaultAddCapabilities":          "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
+	"requiredDropCapabilities":        "RequiredDropCapabilities are the capabilities that will be dropped from the container.  These are required to be dropped and cannot be added.",
+	"allowedCapabilities":             "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
+	"volumes":                         "volumes is a white list of allowed volume plugins.  Empty indicates that all plugins may be used.",
+	"hostNetwork":                     "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
+	"hostPorts":                       "hostPorts determines which host port ranges are allowed to be exposed.",
+	"hostPID":                         "hostPID determines if the policy allows the use of HostPID in the pod spec.",
+	"hostIPC":                         "hostIPC determines if the policy allows the use of HostIPC in the pod spec.",
+	"seLinux":                         "seLinux is the strategy that will dictate the allowable labels that may be set.",
+	"runAsUser":                       "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.",
+	"supplementalGroups":              "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",
+	"fsGroup":                         "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
+	"readOnlyRootFilesystem":          "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
+	"defaultAllowPrivilegeEscalation": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.",
+	"allowPrivilegeEscalation":        "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.",
+	"allowedHostPaths":                "is a white list of allowed host paths. Empty indicates that all host paths may be used.",
+}
+
+func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {
+	return map_PodSecurityPolicySpec
+}
+
+var map_ReplicaSet = map[string]string{
+	"":         "DEPRECATED - This group version of ReplicaSet is deprecated by apps/v1beta2/ReplicaSet. See the release notes for more information. ReplicaSet represents the configuration of a ReplicaSet.",
+	"metadata": "If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"status":   "Status is the most recently observed status of the ReplicaSet. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+}
+
+func (ReplicaSet) SwaggerDoc() map[string]string {
+	return map_ReplicaSet
+}
+
+var map_ReplicaSetCondition = map[string]string{
+	"":                   "ReplicaSetCondition describes the state of a replica set at a certain point.",
+	"type":               "Type of replica set condition.",
+	"status":             "Status of the condition, one of True, False, Unknown.",
+	"lastTransitionTime": "The last time the condition transitioned from one status to another.",
+	"reason":             "The reason for the condition's last transition.",
+	"message":            "A human readable message indicating details about the transition.",
+}
+
+func (ReplicaSetCondition) SwaggerDoc() map[string]string {
+	return map_ReplicaSetCondition
+}
+
+var map_ReplicaSetList = map[string]string{
+	"":         "ReplicaSetList is a collection of ReplicaSets.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of ReplicaSets. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller",
+}
+
+func (ReplicaSetList) SwaggerDoc() map[string]string {
+	return map_ReplicaSetList
+}
+
+var map_ReplicaSetSpec = map[string]string{
+	"":                "ReplicaSetSpec is the specification of a ReplicaSet.",
+	"replicas":        "Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller",
+	"minReadySeconds": "Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)",
+	"selector":        "Selector is a label query over pods that should match the replica count. If the selector is empty, it is defaulted to the labels present on the pod template. Label keys and values that must match in order to be controlled by this replica set. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+	"template":        "Template is the object that describes the pod that will be created if insufficient replicas are detected. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template",
+}
+
+func (ReplicaSetSpec) SwaggerDoc() map[string]string {
+	return map_ReplicaSetSpec
+}
+
+var map_ReplicaSetStatus = map[string]string{
+	"":                     "ReplicaSetStatus represents the current status of a ReplicaSet.",
+	"replicas":             "Replicas is the most recently oberved number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller",
+	"fullyLabeledReplicas": "The number of pods that have labels matching the labels of the pod template of the replicaset.",
+	"readyReplicas":        "The number of ready replicas for this replica set.",
+	"availableReplicas":    "The number of available replicas (ready for at least minReadySeconds) for this replica set.",
+	"observedGeneration":   "ObservedGeneration reflects the generation of the most recently observed ReplicaSet.",
+	"conditions":           "Represents the latest available observations of a replica set's current state.",
+}
+
+func (ReplicaSetStatus) SwaggerDoc() map[string]string {
+	return map_ReplicaSetStatus
+}
+
+var map_ReplicationControllerDummy = map[string]string{
+	"": "Dummy definition",
+}
+
+func (ReplicationControllerDummy) SwaggerDoc() map[string]string {
+	return map_ReplicationControllerDummy
+}
+
+var map_RollbackConfig = map[string]string{
+	"":         "DEPRECATED.",
+	"revision": "The revision to rollback to. If set to 0, rollback to the last revision.",
+}
+
+func (RollbackConfig) SwaggerDoc() map[string]string {
+	return map_RollbackConfig
+}
+
+var map_RollingUpdateDaemonSet = map[string]string{
+	"":               "Spec to control the desired behavior of daemon set rolling update.",
+	"maxUnavailable": "The maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding up. This cannot be 0. Default value is 1. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.",
+}
+
+func (RollingUpdateDaemonSet) SwaggerDoc() map[string]string {
+	return map_RollingUpdateDaemonSet
+}
+
+var map_RollingUpdateDeployment = map[string]string{
+	"":               "Spec to control the desired behavior of rolling update.",
+	"maxUnavailable": "The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. By default, a fixed value of 1 is used. Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old RC can be scaled down further, followed by scaling up the new RC, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.",
+	"maxSurge":       "The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. By default, a value of 1 is used. Example: when this is set to 30%, the new RC can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new RC can be scaled up further, ensuring that total number of pods running at any time during the update is atmost 130% of desired pods.",
+}
+
+func (RollingUpdateDeployment) SwaggerDoc() map[string]string {
+	return map_RollingUpdateDeployment
+}
+
+var map_RunAsUserStrategyOptions = map[string]string{
+	"":       "Run A sUser Strategy Options defines the strategy type and any options used to create the strategy.",
+	"rule":   "Rule is the strategy that will dictate the allowable RunAsUser values that may be set.",
+	"ranges": "Ranges are the allowed ranges of uids that may be used.",
+}
+
+func (RunAsUserStrategyOptions) SwaggerDoc() map[string]string {
+	return map_RunAsUserStrategyOptions
+}
+
+var map_SELinuxStrategyOptions = map[string]string{
+	"":               "SELinux  Strategy Options defines the strategy type and any options used to create the strategy.",
+	"rule":           "type is the strategy that will dictate the allowable labels that may be set.",
+	"seLinuxOptions": "seLinuxOptions required to run as; required for MustRunAs More info: https://git.k8s.io/community/contributors/design-proposals/security_context.md",
+}
+
+func (SELinuxStrategyOptions) SwaggerDoc() map[string]string {
+	return map_SELinuxStrategyOptions
+}
+
+var map_Scale = map[string]string{
+	"":         "represents a scaling request for a resource.",
+	"metadata": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.",
+	"spec":     "defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.",
+	"status":   "current status of the scale. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status. Read-only.",
+}
+
+func (Scale) SwaggerDoc() map[string]string {
+	return map_Scale
+}
+
+var map_ScaleSpec = map[string]string{
+	"":         "describes the attributes of a scale subresource",
+	"replicas": "desired number of instances for the scaled object.",
+}
+
+func (ScaleSpec) SwaggerDoc() map[string]string {
+	return map_ScaleSpec
+}
+
+var map_ScaleStatus = map[string]string{
+	"":               "represents the current status of a scale subresource.",
+	"replicas":       "actual number of observed instances of the scaled object.",
+	"selector":       "label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors",
+	"targetSelector": "label selector for pods that should match the replicas count. This is a serializated version of both map-based and more expressive set-based selectors. This is done to avoid introspection in the clients. The string will be in the same format as the query-param syntax. If the target type only supports map-based selectors, both this field and map-based selector field are populated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors",
+}
+
+func (ScaleStatus) SwaggerDoc() map[string]string {
+	return map_ScaleStatus
+}
+
+var map_SupplementalGroupsStrategyOptions = map[string]string{
+	"":       "SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.",
+	"rule":   "Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.",
+	"ranges": "Ranges are the allowed ranges of supplemental groups.  If you would like to force a single supplemental group then supply a single range with the same start and end.",
+}
+
+func (SupplementalGroupsStrategyOptions) SwaggerDoc() map[string]string {
+	return map_SupplementalGroupsStrategyOptions
+}
+
+var map_ThirdPartyResource = map[string]string{
+	"":            "A ThirdPartyResource is a generic representation of a resource, it is used by add-ons and plugins to add new resource types to the API.  It consists of one or more Versions of the api.",
+	"metadata":    "Standard object metadata",
+	"description": "Description is the description of this object.",
+	"versions":    "Versions are versions for this third party object",
+}
+
+func (ThirdPartyResource) SwaggerDoc() map[string]string {
+	return map_ThirdPartyResource
+}
+
+var map_ThirdPartyResourceData = map[string]string{
+	"":         "An internal object, used for versioned storage in etcd.  Not exposed to the end user.",
+	"metadata": "Standard object metadata.",
+	"data":     "Data is the raw JSON data for this data.",
+}
+
+func (ThirdPartyResourceData) SwaggerDoc() map[string]string {
+	return map_ThirdPartyResourceData
+}
+
+var map_ThirdPartyResourceDataList = map[string]string{
+	"":         "ThirdPartyResrouceDataList is a list of ThirdPartyResourceData.",
+	"metadata": "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is the list of ThirdpartyResourceData.",
+}
+
+func (ThirdPartyResourceDataList) SwaggerDoc() map[string]string {
+	return map_ThirdPartyResourceDataList
+}
+
+var map_ThirdPartyResourceList = map[string]string{
+	"":         "ThirdPartyResourceList is a list of ThirdPartyResources.",
+	"metadata": "Standard list metadata.",
+	"items":    "Items is the list of ThirdPartyResources.",
+}
+
+func (ThirdPartyResourceList) SwaggerDoc() map[string]string {
+	return map_ThirdPartyResourceList
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..c87f90d0
--- /dev/null
+++ b/cli/vendor/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,1965 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	core_v1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	intstr "k8s.io/apimachinery/pkg/util/intstr"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*APIVersion).DeepCopyInto(out.(*APIVersion))
+			return nil
+		}, InType: reflect.TypeOf(&APIVersion{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AllowedHostPath).DeepCopyInto(out.(*AllowedHostPath))
+			return nil
+		}, InType: reflect.TypeOf(&AllowedHostPath{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CustomMetricCurrentStatus).DeepCopyInto(out.(*CustomMetricCurrentStatus))
+			return nil
+		}, InType: reflect.TypeOf(&CustomMetricCurrentStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CustomMetricCurrentStatusList).DeepCopyInto(out.(*CustomMetricCurrentStatusList))
+			return nil
+		}, InType: reflect.TypeOf(&CustomMetricCurrentStatusList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CustomMetricTarget).DeepCopyInto(out.(*CustomMetricTarget))
+			return nil
+		}, InType: reflect.TypeOf(&CustomMetricTarget{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*CustomMetricTargetList).DeepCopyInto(out.(*CustomMetricTargetList))
+			return nil
+		}, InType: reflect.TypeOf(&CustomMetricTargetList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonSet).DeepCopyInto(out.(*DaemonSet))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonSet{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonSetList).DeepCopyInto(out.(*DaemonSetList))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonSetList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonSetSpec).DeepCopyInto(out.(*DaemonSetSpec))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonSetSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonSetStatus).DeepCopyInto(out.(*DaemonSetStatus))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonSetStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DaemonSetUpdateStrategy).DeepCopyInto(out.(*DaemonSetUpdateStrategy))
+			return nil
+		}, InType: reflect.TypeOf(&DaemonSetUpdateStrategy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Deployment).DeepCopyInto(out.(*Deployment))
+			return nil
+		}, InType: reflect.TypeOf(&Deployment{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentCondition).DeepCopyInto(out.(*DeploymentCondition))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentList).DeepCopyInto(out.(*DeploymentList))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentRollback).DeepCopyInto(out.(*DeploymentRollback))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentRollback{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentSpec).DeepCopyInto(out.(*DeploymentSpec))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentStatus).DeepCopyInto(out.(*DeploymentStatus))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeploymentStrategy).DeepCopyInto(out.(*DeploymentStrategy))
+			return nil
+		}, InType: reflect.TypeOf(&DeploymentStrategy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*FSGroupStrategyOptions).DeepCopyInto(out.(*FSGroupStrategyOptions))
+			return nil
+		}, InType: reflect.TypeOf(&FSGroupStrategyOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HTTPIngressPath).DeepCopyInto(out.(*HTTPIngressPath))
+			return nil
+		}, InType: reflect.TypeOf(&HTTPIngressPath{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HTTPIngressRuleValue).DeepCopyInto(out.(*HTTPIngressRuleValue))
+			return nil
+		}, InType: reflect.TypeOf(&HTTPIngressRuleValue{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*HostPortRange).DeepCopyInto(out.(*HostPortRange))
+			return nil
+		}, InType: reflect.TypeOf(&HostPortRange{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*IDRange).DeepCopyInto(out.(*IDRange))
+			return nil
+		}, InType: reflect.TypeOf(&IDRange{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*IPBlock).DeepCopyInto(out.(*IPBlock))
+			return nil
+		}, InType: reflect.TypeOf(&IPBlock{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Ingress).DeepCopyInto(out.(*Ingress))
+			return nil
+		}, InType: reflect.TypeOf(&Ingress{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*IngressBackend).DeepCopyInto(out.(*IngressBackend))
+			return nil
+		}, InType: reflect.TypeOf(&IngressBackend{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*IngressList).DeepCopyInto(out.(*IngressList))
+			return nil
+		}, InType: reflect.TypeOf(&IngressList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*IngressRule).DeepCopyInto(out.(*IngressRule))
+			return nil
+		}, InType: reflect.TypeOf(&IngressRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*IngressRuleValue).DeepCopyInto(out.(*IngressRuleValue))
+			return nil
+		}, InType: reflect.TypeOf(&IngressRuleValue{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*IngressSpec).DeepCopyInto(out.(*IngressSpec))
+			return nil
+		}, InType: reflect.TypeOf(&IngressSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*IngressStatus).DeepCopyInto(out.(*IngressStatus))
+			return nil
+		}, InType: reflect.TypeOf(&IngressStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*IngressTLS).DeepCopyInto(out.(*IngressTLS))
+			return nil
+		}, InType: reflect.TypeOf(&IngressTLS{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicy).DeepCopyInto(out.(*NetworkPolicy))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyEgressRule).DeepCopyInto(out.(*NetworkPolicyEgressRule))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyEgressRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyIngressRule).DeepCopyInto(out.(*NetworkPolicyIngressRule))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyIngressRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyList).DeepCopyInto(out.(*NetworkPolicyList))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyPeer).DeepCopyInto(out.(*NetworkPolicyPeer))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyPeer{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyPort).DeepCopyInto(out.(*NetworkPolicyPort))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyPort{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicySpec).DeepCopyInto(out.(*NetworkPolicySpec))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicySpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodSecurityPolicy).DeepCopyInto(out.(*PodSecurityPolicy))
+			return nil
+		}, InType: reflect.TypeOf(&PodSecurityPolicy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodSecurityPolicyList).DeepCopyInto(out.(*PodSecurityPolicyList))
+			return nil
+		}, InType: reflect.TypeOf(&PodSecurityPolicyList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodSecurityPolicySpec).DeepCopyInto(out.(*PodSecurityPolicySpec))
+			return nil
+		}, InType: reflect.TypeOf(&PodSecurityPolicySpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicaSet).DeepCopyInto(out.(*ReplicaSet))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicaSet{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicaSetCondition).DeepCopyInto(out.(*ReplicaSetCondition))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicaSetCondition{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicaSetList).DeepCopyInto(out.(*ReplicaSetList))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicaSetList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicaSetSpec).DeepCopyInto(out.(*ReplicaSetSpec))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicaSetSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicaSetStatus).DeepCopyInto(out.(*ReplicaSetStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicaSetStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ReplicationControllerDummy).DeepCopyInto(out.(*ReplicationControllerDummy))
+			return nil
+		}, InType: reflect.TypeOf(&ReplicationControllerDummy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RollbackConfig).DeepCopyInto(out.(*RollbackConfig))
+			return nil
+		}, InType: reflect.TypeOf(&RollbackConfig{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RollingUpdateDaemonSet).DeepCopyInto(out.(*RollingUpdateDaemonSet))
+			return nil
+		}, InType: reflect.TypeOf(&RollingUpdateDaemonSet{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RollingUpdateDeployment).DeepCopyInto(out.(*RollingUpdateDeployment))
+			return nil
+		}, InType: reflect.TypeOf(&RollingUpdateDeployment{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RunAsUserStrategyOptions).DeepCopyInto(out.(*RunAsUserStrategyOptions))
+			return nil
+		}, InType: reflect.TypeOf(&RunAsUserStrategyOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SELinuxStrategyOptions).DeepCopyInto(out.(*SELinuxStrategyOptions))
+			return nil
+		}, InType: reflect.TypeOf(&SELinuxStrategyOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Scale).DeepCopyInto(out.(*Scale))
+			return nil
+		}, InType: reflect.TypeOf(&Scale{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ScaleSpec).DeepCopyInto(out.(*ScaleSpec))
+			return nil
+		}, InType: reflect.TypeOf(&ScaleSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ScaleStatus).DeepCopyInto(out.(*ScaleStatus))
+			return nil
+		}, InType: reflect.TypeOf(&ScaleStatus{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*SupplementalGroupsStrategyOptions).DeepCopyInto(out.(*SupplementalGroupsStrategyOptions))
+			return nil
+		}, InType: reflect.TypeOf(&SupplementalGroupsStrategyOptions{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ThirdPartyResource).DeepCopyInto(out.(*ThirdPartyResource))
+			return nil
+		}, InType: reflect.TypeOf(&ThirdPartyResource{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ThirdPartyResourceData).DeepCopyInto(out.(*ThirdPartyResourceData))
+			return nil
+		}, InType: reflect.TypeOf(&ThirdPartyResourceData{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ThirdPartyResourceDataList).DeepCopyInto(out.(*ThirdPartyResourceDataList))
+			return nil
+		}, InType: reflect.TypeOf(&ThirdPartyResourceDataList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ThirdPartyResourceList).DeepCopyInto(out.(*ThirdPartyResourceList))
+			return nil
+		}, InType: reflect.TypeOf(&ThirdPartyResourceList{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIVersion) DeepCopyInto(out *APIVersion) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIVersion.
+func (in *APIVersion) DeepCopy() *APIVersion {
+	if in == nil {
+		return nil
+	}
+	out := new(APIVersion)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
+func (in *AllowedHostPath) DeepCopy() *AllowedHostPath {
+	if in == nil {
+		return nil
+	}
+	out := new(AllowedHostPath)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CustomMetricCurrentStatus) DeepCopyInto(out *CustomMetricCurrentStatus) {
+	*out = *in
+	out.CurrentValue = in.CurrentValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomMetricCurrentStatus.
+func (in *CustomMetricCurrentStatus) DeepCopy() *CustomMetricCurrentStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(CustomMetricCurrentStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CustomMetricCurrentStatusList) DeepCopyInto(out *CustomMetricCurrentStatusList) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CustomMetricCurrentStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomMetricCurrentStatusList.
+func (in *CustomMetricCurrentStatusList) DeepCopy() *CustomMetricCurrentStatusList {
+	if in == nil {
+		return nil
+	}
+	out := new(CustomMetricCurrentStatusList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CustomMetricTarget) DeepCopyInto(out *CustomMetricTarget) {
+	*out = *in
+	out.TargetValue = in.TargetValue.DeepCopy()
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomMetricTarget.
+func (in *CustomMetricTarget) DeepCopy() *CustomMetricTarget {
+	if in == nil {
+		return nil
+	}
+	out := new(CustomMetricTarget)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CustomMetricTargetList) DeepCopyInto(out *CustomMetricTargetList) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CustomMetricTarget, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomMetricTargetList.
+func (in *CustomMetricTargetList) DeepCopy() *CustomMetricTargetList {
+	if in == nil {
+		return nil
+	}
+	out := new(CustomMetricTargetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonSet) DeepCopyInto(out *DaemonSet) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonSet.
+func (in *DaemonSet) DeepCopy() *DaemonSet {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonSet)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DaemonSet) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonSetList) DeepCopyInto(out *DaemonSetList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]DaemonSet, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonSetList.
+func (in *DaemonSetList) DeepCopy() *DaemonSetList {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonSetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DaemonSetList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonSetSpec) DeepCopyInto(out *DaemonSetSpec) {
+	*out = *in
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	in.UpdateStrategy.DeepCopyInto(&out.UpdateStrategy)
+	if in.RevisionHistoryLimit != nil {
+		in, out := &in.RevisionHistoryLimit, &out.RevisionHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonSetSpec.
+func (in *DaemonSetSpec) DeepCopy() *DaemonSetSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonSetSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonSetStatus) DeepCopyInto(out *DaemonSetStatus) {
+	*out = *in
+	if in.CollisionCount != nil {
+		in, out := &in.CollisionCount, &out.CollisionCount
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonSetStatus.
+func (in *DaemonSetStatus) DeepCopy() *DaemonSetStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonSetStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DaemonSetUpdateStrategy) DeepCopyInto(out *DaemonSetUpdateStrategy) {
+	*out = *in
+	if in.RollingUpdate != nil {
+		in, out := &in.RollingUpdate, &out.RollingUpdate
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RollingUpdateDaemonSet)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DaemonSetUpdateStrategy.
+func (in *DaemonSetUpdateStrategy) DeepCopy() *DaemonSetUpdateStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(DaemonSetUpdateStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Deployment) DeepCopyInto(out *Deployment) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deployment.
+func (in *Deployment) DeepCopy() *Deployment {
+	if in == nil {
+		return nil
+	}
+	out := new(Deployment)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Deployment) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentCondition) DeepCopyInto(out *DeploymentCondition) {
+	*out = *in
+	in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentCondition.
+func (in *DeploymentCondition) DeepCopy() *DeploymentCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentList) DeepCopyInto(out *DeploymentList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Deployment, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentList.
+func (in *DeploymentList) DeepCopy() *DeploymentList {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeploymentList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentRollback) DeepCopyInto(out *DeploymentRollback) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.UpdatedAnnotations != nil {
+		in, out := &in.UpdatedAnnotations, &out.UpdatedAnnotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	out.RollbackTo = in.RollbackTo
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentRollback.
+func (in *DeploymentRollback) DeepCopy() *DeploymentRollback {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentRollback)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeploymentRollback) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentSpec) DeepCopyInto(out *DeploymentSpec) {
+	*out = *in
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	in.Strategy.DeepCopyInto(&out.Strategy)
+	if in.RevisionHistoryLimit != nil {
+		in, out := &in.RevisionHistoryLimit, &out.RevisionHistoryLimit
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.RollbackTo != nil {
+		in, out := &in.RollbackTo, &out.RollbackTo
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RollbackConfig)
+			**out = **in
+		}
+	}
+	if in.ProgressDeadlineSeconds != nil {
+		in, out := &in.ProgressDeadlineSeconds, &out.ProgressDeadlineSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentSpec.
+func (in *DeploymentSpec) DeepCopy() *DeploymentSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentStatus) DeepCopyInto(out *DeploymentStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]DeploymentCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CollisionCount != nil {
+		in, out := &in.CollisionCount, &out.CollisionCount
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStatus.
+func (in *DeploymentStatus) DeepCopy() *DeploymentStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeploymentStrategy) DeepCopyInto(out *DeploymentStrategy) {
+	*out = *in
+	if in.RollingUpdate != nil {
+		in, out := &in.RollingUpdate, &out.RollingUpdate
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(RollingUpdateDeployment)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStrategy.
+func (in *DeploymentStrategy) DeepCopy() *DeploymentStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(DeploymentStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions) {
+	*out = *in
+	if in.Ranges != nil {
+		in, out := &in.Ranges, &out.Ranges
+		*out = make([]IDRange, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.
+func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(FSGroupStrategyOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPIngressPath) DeepCopyInto(out *HTTPIngressPath) {
+	*out = *in
+	out.Backend = in.Backend
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPIngressPath.
+func (in *HTTPIngressPath) DeepCopy() *HTTPIngressPath {
+	if in == nil {
+		return nil
+	}
+	out := new(HTTPIngressPath)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPIngressRuleValue) DeepCopyInto(out *HTTPIngressRuleValue) {
+	*out = *in
+	if in.Paths != nil {
+		in, out := &in.Paths, &out.Paths
+		*out = make([]HTTPIngressPath, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPIngressRuleValue.
+func (in *HTTPIngressRuleValue) DeepCopy() *HTTPIngressRuleValue {
+	if in == nil {
+		return nil
+	}
+	out := new(HTTPIngressRuleValue)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HostPortRange) DeepCopyInto(out *HostPortRange) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPortRange.
+func (in *HostPortRange) DeepCopy() *HostPortRange {
+	if in == nil {
+		return nil
+	}
+	out := new(HostPortRange)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IDRange) DeepCopyInto(out *IDRange) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDRange.
+func (in *IDRange) DeepCopy() *IDRange {
+	if in == nil {
+		return nil
+	}
+	out := new(IDRange)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IPBlock) DeepCopyInto(out *IPBlock) {
+	*out = *in
+	if in.Except != nil {
+		in, out := &in.Except, &out.Except
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPBlock.
+func (in *IPBlock) DeepCopy() *IPBlock {
+	if in == nil {
+		return nil
+	}
+	out := new(IPBlock)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Ingress) DeepCopyInto(out *Ingress) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Ingress.
+func (in *Ingress) DeepCopy() *Ingress {
+	if in == nil {
+		return nil
+	}
+	out := new(Ingress)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Ingress) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressBackend) DeepCopyInto(out *IngressBackend) {
+	*out = *in
+	out.ServicePort = in.ServicePort
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressBackend.
+func (in *IngressBackend) DeepCopy() *IngressBackend {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressBackend)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressList) DeepCopyInto(out *IngressList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Ingress, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressList.
+func (in *IngressList) DeepCopy() *IngressList {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *IngressList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressRule) DeepCopyInto(out *IngressRule) {
+	*out = *in
+	in.IngressRuleValue.DeepCopyInto(&out.IngressRuleValue)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressRule.
+func (in *IngressRule) DeepCopy() *IngressRule {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressRuleValue) DeepCopyInto(out *IngressRuleValue) {
+	*out = *in
+	if in.HTTP != nil {
+		in, out := &in.HTTP, &out.HTTP
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(HTTPIngressRuleValue)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressRuleValue.
+func (in *IngressRuleValue) DeepCopy() *IngressRuleValue {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressRuleValue)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressSpec) DeepCopyInto(out *IngressSpec) {
+	*out = *in
+	if in.Backend != nil {
+		in, out := &in.Backend, &out.Backend
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(IngressBackend)
+			**out = **in
+		}
+	}
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = make([]IngressTLS, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]IngressRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressSpec.
+func (in *IngressSpec) DeepCopy() *IngressSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressStatus) DeepCopyInto(out *IngressStatus) {
+	*out = *in
+	in.LoadBalancer.DeepCopyInto(&out.LoadBalancer)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressStatus.
+func (in *IngressStatus) DeepCopy() *IngressStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressTLS) DeepCopyInto(out *IngressTLS) {
+	*out = *in
+	if in.Hosts != nil {
+		in, out := &in.Hosts, &out.Hosts
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressTLS.
+func (in *IngressTLS) DeepCopy() *IngressTLS {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressTLS)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicy.
+func (in *NetworkPolicy) DeepCopy() *NetworkPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NetworkPolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyEgressRule) DeepCopyInto(out *NetworkPolicyEgressRule) {
+	*out = *in
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]NetworkPolicyPort, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.To != nil {
+		in, out := &in.To, &out.To
+		*out = make([]NetworkPolicyPeer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEgressRule.
+func (in *NetworkPolicyEgressRule) DeepCopy() *NetworkPolicyEgressRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyEgressRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyIngressRule) DeepCopyInto(out *NetworkPolicyIngressRule) {
+	*out = *in
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]NetworkPolicyPort, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.From != nil {
+		in, out := &in.From, &out.From
+		*out = make([]NetworkPolicyPeer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyIngressRule.
+func (in *NetworkPolicyIngressRule) DeepCopy() *NetworkPolicyIngressRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyIngressRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyList) DeepCopyInto(out *NetworkPolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]NetworkPolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyList.
+func (in *NetworkPolicyList) DeepCopy() *NetworkPolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NetworkPolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyPeer) DeepCopyInto(out *NetworkPolicyPeer) {
+	*out = *in
+	if in.PodSelector != nil {
+		in, out := &in.PodSelector, &out.PodSelector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.NamespaceSelector != nil {
+		in, out := &in.NamespaceSelector, &out.NamespaceSelector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.IPBlock != nil {
+		in, out := &in.IPBlock, &out.IPBlock
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(IPBlock)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyPeer.
+func (in *NetworkPolicyPeer) DeepCopy() *NetworkPolicyPeer {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyPeer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyPort) DeepCopyInto(out *NetworkPolicyPort) {
+	*out = *in
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(core_v1.Protocol)
+			**out = **in
+		}
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyPort.
+func (in *NetworkPolicyPort) DeepCopy() *NetworkPolicyPort {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyPort)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicySpec) DeepCopyInto(out *NetworkPolicySpec) {
+	*out = *in
+	in.PodSelector.DeepCopyInto(&out.PodSelector)
+	if in.Ingress != nil {
+		in, out := &in.Ingress, &out.Ingress
+		*out = make([]NetworkPolicyIngressRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Egress != nil {
+		in, out := &in.Egress, &out.Egress
+		*out = make([]NetworkPolicyEgressRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PolicyTypes != nil {
+		in, out := &in.PolicyTypes, &out.PolicyTypes
+		*out = make([]PolicyType, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicySpec.
+func (in *NetworkPolicySpec) DeepCopy() *NetworkPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSecurityPolicy) DeepCopyInto(out *PodSecurityPolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicy.
+func (in *PodSecurityPolicy) DeepCopy() *PodSecurityPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSecurityPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodSecurityPolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSecurityPolicyList) DeepCopyInto(out *PodSecurityPolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PodSecurityPolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyList.
+func (in *PodSecurityPolicyList) DeepCopy() *PodSecurityPolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSecurityPolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodSecurityPolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec) {
+	*out = *in
+	if in.DefaultAddCapabilities != nil {
+		in, out := &in.DefaultAddCapabilities, &out.DefaultAddCapabilities
+		*out = make([]core_v1.Capability, len(*in))
+		copy(*out, *in)
+	}
+	if in.RequiredDropCapabilities != nil {
+		in, out := &in.RequiredDropCapabilities, &out.RequiredDropCapabilities
+		*out = make([]core_v1.Capability, len(*in))
+		copy(*out, *in)
+	}
+	if in.AllowedCapabilities != nil {
+		in, out := &in.AllowedCapabilities, &out.AllowedCapabilities
+		*out = make([]core_v1.Capability, len(*in))
+		copy(*out, *in)
+	}
+	if in.Volumes != nil {
+		in, out := &in.Volumes, &out.Volumes
+		*out = make([]FSType, len(*in))
+		copy(*out, *in)
+	}
+	if in.HostPorts != nil {
+		in, out := &in.HostPorts, &out.HostPorts
+		*out = make([]HostPortRange, len(*in))
+		copy(*out, *in)
+	}
+	in.SELinux.DeepCopyInto(&out.SELinux)
+	in.RunAsUser.DeepCopyInto(&out.RunAsUser)
+	in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
+	in.FSGroup.DeepCopyInto(&out.FSGroup)
+	if in.DefaultAllowPrivilegeEscalation != nil {
+		in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.AllowPrivilegeEscalation != nil {
+		in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.AllowedHostPaths != nil {
+		in, out := &in.AllowedHostPaths, &out.AllowedHostPaths
+		*out = make([]AllowedHostPath, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySpec.
+func (in *PodSecurityPolicySpec) DeepCopy() *PodSecurityPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PodSecurityPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicaSet) DeepCopyInto(out *ReplicaSet) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaSet.
+func (in *ReplicaSet) DeepCopy() *ReplicaSet {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicaSet)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ReplicaSet) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicaSetCondition) DeepCopyInto(out *ReplicaSetCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaSetCondition.
+func (in *ReplicaSetCondition) DeepCopy() *ReplicaSetCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicaSetCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicaSetList) DeepCopyInto(out *ReplicaSetList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ReplicaSet, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaSetList.
+func (in *ReplicaSetList) DeepCopy() *ReplicaSetList {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicaSetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ReplicaSetList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicaSetSpec) DeepCopyInto(out *ReplicaSetSpec) {
+	*out = *in
+	if in.Replicas != nil {
+		in, out := &in.Replicas, &out.Replicas
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int32)
+			**out = **in
+		}
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	in.Template.DeepCopyInto(&out.Template)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaSetSpec.
+func (in *ReplicaSetSpec) DeepCopy() *ReplicaSetSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicaSetSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicaSetStatus) DeepCopyInto(out *ReplicaSetStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ReplicaSetCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaSetStatus.
+func (in *ReplicaSetStatus) DeepCopy() *ReplicaSetStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicaSetStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicationControllerDummy) DeepCopyInto(out *ReplicationControllerDummy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationControllerDummy.
+func (in *ReplicationControllerDummy) DeepCopy() *ReplicationControllerDummy {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicationControllerDummy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ReplicationControllerDummy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RollbackConfig) DeepCopyInto(out *RollbackConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RollbackConfig.
+func (in *RollbackConfig) DeepCopy() *RollbackConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(RollbackConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RollingUpdateDaemonSet) DeepCopyInto(out *RollingUpdateDaemonSet) {
+	*out = *in
+	if in.MaxUnavailable != nil {
+		in, out := &in.MaxUnavailable, &out.MaxUnavailable
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RollingUpdateDaemonSet.
+func (in *RollingUpdateDaemonSet) DeepCopy() *RollingUpdateDaemonSet {
+	if in == nil {
+		return nil
+	}
+	out := new(RollingUpdateDaemonSet)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RollingUpdateDeployment) DeepCopyInto(out *RollingUpdateDeployment) {
+	*out = *in
+	if in.MaxUnavailable != nil {
+		in, out := &in.MaxUnavailable, &out.MaxUnavailable
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	if in.MaxSurge != nil {
+		in, out := &in.MaxSurge, &out.MaxSurge
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RollingUpdateDeployment.
+func (in *RollingUpdateDeployment) DeepCopy() *RollingUpdateDeployment {
+	if in == nil {
+		return nil
+	}
+	out := new(RollingUpdateDeployment)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions) {
+	*out = *in
+	if in.Ranges != nil {
+		in, out := &in.Ranges, &out.Ranges
+		*out = make([]IDRange, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.
+func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(RunAsUserStrategyOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SELinuxStrategyOptions) DeepCopyInto(out *SELinuxStrategyOptions) {
+	*out = *in
+	if in.SELinuxOptions != nil {
+		in, out := &in.SELinuxOptions, &out.SELinuxOptions
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(core_v1.SELinuxOptions)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxStrategyOptions.
+func (in *SELinuxStrategyOptions) DeepCopy() *SELinuxStrategyOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(SELinuxStrategyOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Scale) DeepCopyInto(out *Scale) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.Spec = in.Spec
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Scale.
+func (in *Scale) DeepCopy() *Scale {
+	if in == nil {
+		return nil
+	}
+	out := new(Scale)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Scale) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScaleSpec) DeepCopyInto(out *ScaleSpec) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScaleSpec.
+func (in *ScaleSpec) DeepCopy() *ScaleSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ScaleSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScaleStatus) DeepCopyInto(out *ScaleStatus) {
+	*out = *in
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScaleStatus.
+func (in *ScaleStatus) DeepCopy() *ScaleStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ScaleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions) {
+	*out = *in
+	if in.Ranges != nil {
+		in, out := &in.Ranges, &out.Ranges
+		*out = make([]IDRange, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.
+func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(SupplementalGroupsStrategyOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ThirdPartyResource) DeepCopyInto(out *ThirdPartyResource) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Versions != nil {
+		in, out := &in.Versions, &out.Versions
+		*out = make([]APIVersion, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThirdPartyResource.
+func (in *ThirdPartyResource) DeepCopy() *ThirdPartyResource {
+	if in == nil {
+		return nil
+	}
+	out := new(ThirdPartyResource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ThirdPartyResource) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ThirdPartyResourceData) DeepCopyInto(out *ThirdPartyResourceData) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThirdPartyResourceData.
+func (in *ThirdPartyResourceData) DeepCopy() *ThirdPartyResourceData {
+	if in == nil {
+		return nil
+	}
+	out := new(ThirdPartyResourceData)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ThirdPartyResourceData) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ThirdPartyResourceDataList) DeepCopyInto(out *ThirdPartyResourceDataList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ThirdPartyResourceData, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThirdPartyResourceDataList.
+func (in *ThirdPartyResourceDataList) DeepCopy() *ThirdPartyResourceDataList {
+	if in == nil {
+		return nil
+	}
+	out := new(ThirdPartyResourceDataList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ThirdPartyResourceDataList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ThirdPartyResourceList) DeepCopyInto(out *ThirdPartyResourceList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ThirdPartyResource, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThirdPartyResourceList.
+func (in *ThirdPartyResourceList) DeepCopy() *ThirdPartyResourceList {
+	if in == nil {
+		return nil
+	}
+	out := new(ThirdPartyResourceList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ThirdPartyResourceList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
diff --git a/cli/vendor/k8s.io/api/networking/v1/doc.go b/cli/vendor/k8s.io/api/networking/v1/doc.go
new file mode 100644
index 00000000..8bcc30b0
--- /dev/null
+++ b/cli/vendor/k8s.io/api/networking/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+// +groupName=networking.k8s.io
+package v1 // import "k8s.io/api/networking/v1"
diff --git a/cli/vendor/k8s.io/api/networking/v1/generated.pb.go b/cli/vendor/k8s.io/api/networking/v1/generated.pb.go
new file mode 100644
index 00000000..05aaf1d9
--- /dev/null
+++ b/cli/vendor/k8s.io/api/networking/v1/generated.pb.go
@@ -0,0 +1,1869 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/networking/v1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/networking/v1/generated.proto
+
+	It has these top-level messages:
+		IPBlock
+		NetworkPolicy
+		NetworkPolicyEgressRule
+		NetworkPolicyIngressRule
+		NetworkPolicyList
+		NetworkPolicyPeer
+		NetworkPolicyPort
+		NetworkPolicySpec
+*/
+package v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+import k8s_io_apimachinery_pkg_util_intstr "k8s.io/apimachinery/pkg/util/intstr"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *IPBlock) Reset()                    { *m = IPBlock{} }
+func (*IPBlock) ProtoMessage()               {}
+func (*IPBlock) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *NetworkPolicy) Reset()                    { *m = NetworkPolicy{} }
+func (*NetworkPolicy) ProtoMessage()               {}
+func (*NetworkPolicy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *NetworkPolicyEgressRule) Reset()                    { *m = NetworkPolicyEgressRule{} }
+func (*NetworkPolicyEgressRule) ProtoMessage()               {}
+func (*NetworkPolicyEgressRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *NetworkPolicyIngressRule) Reset()      { *m = NetworkPolicyIngressRule{} }
+func (*NetworkPolicyIngressRule) ProtoMessage() {}
+func (*NetworkPolicyIngressRule) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{3}
+}
+
+func (m *NetworkPolicyList) Reset()                    { *m = NetworkPolicyList{} }
+func (*NetworkPolicyList) ProtoMessage()               {}
+func (*NetworkPolicyList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *NetworkPolicyPeer) Reset()                    { *m = NetworkPolicyPeer{} }
+func (*NetworkPolicyPeer) ProtoMessage()               {}
+func (*NetworkPolicyPeer) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func (m *NetworkPolicyPort) Reset()                    { *m = NetworkPolicyPort{} }
+func (*NetworkPolicyPort) ProtoMessage()               {}
+func (*NetworkPolicyPort) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *NetworkPolicySpec) Reset()                    { *m = NetworkPolicySpec{} }
+func (*NetworkPolicySpec) ProtoMessage()               {}
+func (*NetworkPolicySpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func init() {
+	proto.RegisterType((*IPBlock)(nil), "k8s.io.api.networking.v1.IPBlock")
+	proto.RegisterType((*NetworkPolicy)(nil), "k8s.io.api.networking.v1.NetworkPolicy")
+	proto.RegisterType((*NetworkPolicyEgressRule)(nil), "k8s.io.api.networking.v1.NetworkPolicyEgressRule")
+	proto.RegisterType((*NetworkPolicyIngressRule)(nil), "k8s.io.api.networking.v1.NetworkPolicyIngressRule")
+	proto.RegisterType((*NetworkPolicyList)(nil), "k8s.io.api.networking.v1.NetworkPolicyList")
+	proto.RegisterType((*NetworkPolicyPeer)(nil), "k8s.io.api.networking.v1.NetworkPolicyPeer")
+	proto.RegisterType((*NetworkPolicyPort)(nil), "k8s.io.api.networking.v1.NetworkPolicyPort")
+	proto.RegisterType((*NetworkPolicySpec)(nil), "k8s.io.api.networking.v1.NetworkPolicySpec")
+}
+func (m *IPBlock) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IPBlock) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.CIDR)))
+	i += copy(dAtA[i:], m.CIDR)
+	if len(m.Except) > 0 {
+		for _, s := range m.Except {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicy) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicy) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	return i, nil
+}
+
+func (m *NetworkPolicyEgressRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyEgressRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, msg := range m.Ports {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.To) > 0 {
+		for _, msg := range m.To {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicyIngressRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyIngressRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, msg := range m.Ports {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.From) > 0 {
+		for _, msg := range m.From {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicyList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n3, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicyPeer) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyPeer) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.PodSelector != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.PodSelector.Size()))
+		n4, err := m.PodSelector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n4
+	}
+	if m.NamespaceSelector != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.NamespaceSelector.Size()))
+		n5, err := m.NamespaceSelector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n5
+	}
+	if m.IPBlock != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.IPBlock.Size()))
+		n6, err := m.IPBlock.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n6
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicyPort) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyPort) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Protocol != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Protocol)))
+		i += copy(dAtA[i:], *m.Protocol)
+	}
+	if m.Port != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Port.Size()))
+		n7, err := m.Port.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	return i, nil
+}
+
+func (m *NetworkPolicySpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicySpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.PodSelector.Size()))
+	n8, err := m.PodSelector.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n8
+	if len(m.Ingress) > 0 {
+		for _, msg := range m.Ingress {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Egress) > 0 {
+		for _, msg := range m.Egress {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.PolicyTypes) > 0 {
+		for _, s := range m.PolicyTypes {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *IPBlock) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.CIDR)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Except) > 0 {
+		for _, s := range m.Except {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NetworkPolicy) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *NetworkPolicyEgressRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, e := range m.Ports {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.To) > 0 {
+		for _, e := range m.To {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NetworkPolicyIngressRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, e := range m.Ports {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.From) > 0 {
+		for _, e := range m.From {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NetworkPolicyList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *NetworkPolicyPeer) Size() (n int) {
+	var l int
+	_ = l
+	if m.PodSelector != nil {
+		l = m.PodSelector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.NamespaceSelector != nil {
+		l = m.NamespaceSelector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.IPBlock != nil {
+		l = m.IPBlock.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *NetworkPolicyPort) Size() (n int) {
+	var l int
+	_ = l
+	if m.Protocol != nil {
+		l = len(*m.Protocol)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Port != nil {
+		l = m.Port.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *NetworkPolicySpec) Size() (n int) {
+	var l int
+	_ = l
+	l = m.PodSelector.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Ingress) > 0 {
+		for _, e := range m.Ingress {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Egress) > 0 {
+		for _, e := range m.Egress {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.PolicyTypes) > 0 {
+		for _, s := range m.PolicyTypes {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *IPBlock) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&IPBlock{`,
+		`CIDR:` + fmt.Sprintf("%v", this.CIDR) + `,`,
+		`Except:` + fmt.Sprintf("%v", this.Except) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicy) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicy{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "NetworkPolicySpec", "NetworkPolicySpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicyEgressRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyEgressRule{`,
+		`Ports:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ports), "NetworkPolicyPort", "NetworkPolicyPort", 1), `&`, ``, 1) + `,`,
+		`To:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.To), "NetworkPolicyPeer", "NetworkPolicyPeer", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicyIngressRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyIngressRule{`,
+		`Ports:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ports), "NetworkPolicyPort", "NetworkPolicyPort", 1), `&`, ``, 1) + `,`,
+		`From:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.From), "NetworkPolicyPeer", "NetworkPolicyPeer", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicyList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "NetworkPolicy", "NetworkPolicy", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicyPeer) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyPeer{`,
+		`PodSelector:` + strings.Replace(fmt.Sprintf("%v", this.PodSelector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`NamespaceSelector:` + strings.Replace(fmt.Sprintf("%v", this.NamespaceSelector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`IPBlock:` + strings.Replace(fmt.Sprintf("%v", this.IPBlock), "IPBlock", "IPBlock", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicyPort) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyPort{`,
+		`Protocol:` + valueToStringGenerated(this.Protocol) + `,`,
+		`Port:` + strings.Replace(fmt.Sprintf("%v", this.Port), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *NetworkPolicySpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicySpec{`,
+		`PodSelector:` + strings.Replace(strings.Replace(this.PodSelector.String(), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1), `&`, ``, 1) + `,`,
+		`Ingress:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ingress), "NetworkPolicyIngressRule", "NetworkPolicyIngressRule", 1), `&`, ``, 1) + `,`,
+		`Egress:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Egress), "NetworkPolicyEgressRule", "NetworkPolicyEgressRule", 1), `&`, ``, 1) + `,`,
+		`PolicyTypes:` + fmt.Sprintf("%v", this.PolicyTypes) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *IPBlock) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IPBlock: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IPBlock: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CIDR", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.CIDR = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Except", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Except = append(m.Except, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicy) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicy: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicy: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicyEgressRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyEgressRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyEgressRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ports = append(m.Ports, NetworkPolicyPort{})
+			if err := m.Ports[len(m.Ports)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field To", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.To = append(m.To, NetworkPolicyPeer{})
+			if err := m.To[len(m.To)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicyIngressRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyIngressRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyIngressRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ports = append(m.Ports, NetworkPolicyPort{})
+			if err := m.Ports[len(m.Ports)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field From", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.From = append(m.From, NetworkPolicyPeer{})
+			if err := m.From[len(m.From)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicyList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, NetworkPolicy{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicyPeer) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyPeer: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyPeer: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodSelector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.PodSelector == nil {
+				m.PodSelector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.PodSelector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NamespaceSelector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.NamespaceSelector == nil {
+				m.NamespaceSelector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.NamespaceSelector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IPBlock", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.IPBlock == nil {
+				m.IPBlock = &IPBlock{}
+			}
+			if err := m.IPBlock.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicyPort) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyPort: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyPort: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Protocol", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := k8s_io_api_core_v1.Protocol(dAtA[iNdEx:postIndex])
+			m.Protocol = &s
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Port", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Port == nil {
+				m.Port = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.Port.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *NetworkPolicySpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicySpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicySpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodSelector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.PodSelector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ingress", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ingress = append(m.Ingress, NetworkPolicyIngressRule{})
+			if err := m.Ingress[len(m.Ingress)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Egress", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Egress = append(m.Egress, NetworkPolicyEgressRule{})
+			if err := m.Egress[len(m.Egress)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PolicyTypes", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PolicyTypes = append(m.PolicyTypes, PolicyType(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/networking/v1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 829 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x4d, 0x6f, 0x1b, 0x45,
+	0x18, 0xf6, 0x3a, 0xce, 0x47, 0x27, 0x94, 0x92, 0x41, 0x08, 0x2b, 0x88, 0x75, 0xd8, 0x0b, 0x41,
+	0x55, 0x67, 0x71, 0x8b, 0x10, 0x37, 0xc4, 0x42, 0x29, 0x96, 0x9a, 0xc4, 0x9a, 0xf4, 0x02, 0x02,
+	0x89, 0xf5, 0xfa, 0xcd, 0x66, 0x6a, 0xef, 0xce, 0x6a, 0x66, 0x6c, 0x92, 0x1b, 0x3f, 0x81, 0x1f,
+	0xc2, 0x91, 0x1b, 0x87, 0x72, 0xcc, 0xb1, 0xc7, 0x9e, 0x56, 0x64, 0xf9, 0x17, 0x39, 0xa1, 0x99,
+	0x1d, 0x7b, 0xfd, 0x51, 0x0b, 0xb7, 0xa2, 0x37, 0xcf, 0x3b, 0xcf, 0xf3, 0xbc, 0x1f, 0xf3, 0xf8,
+	0x5d, 0xf4, 0xd5, 0xe0, 0x0b, 0x49, 0x18, 0xf7, 0x07, 0xa3, 0x1e, 0x88, 0x14, 0x14, 0x48, 0x7f,
+	0x0c, 0x69, 0x9f, 0x0b, 0xdf, 0x5e, 0x84, 0x19, 0xf3, 0x53, 0x50, 0xbf, 0x70, 0x31, 0x60, 0x69,
+	0xec, 0x8f, 0xdb, 0x7e, 0x0c, 0x29, 0x88, 0x50, 0x41, 0x9f, 0x64, 0x82, 0x2b, 0x8e, 0x9b, 0x25,
+	0x92, 0x84, 0x19, 0x23, 0x15, 0x92, 0x8c, 0xdb, 0xfb, 0xf7, 0x62, 0xa6, 0xce, 0x47, 0x3d, 0x12,
+	0xf1, 0xc4, 0x8f, 0x79, 0xcc, 0x7d, 0x43, 0xe8, 0x8d, 0xce, 0xcc, 0xc9, 0x1c, 0xcc, 0xaf, 0x52,
+	0x68, 0xdf, 0x9b, 0x49, 0x19, 0x71, 0x01, 0x2f, 0x49, 0xb6, 0x7f, 0x6f, 0x06, 0x03, 0x17, 0x0a,
+	0x52, 0xc9, 0x78, 0x2a, 0xfd, 0x71, 0xbb, 0x07, 0x2a, 0x5c, 0x86, 0x7f, 0x32, 0x03, 0xcf, 0xf8,
+	0x90, 0x45, 0x97, 0x2b, 0xa1, 0x9f, 0x55, 0xd0, 0x24, 0x8c, 0xce, 0x59, 0x0a, 0xe2, 0xd2, 0xcf,
+	0x06, 0xb1, 0x0e, 0x48, 0x3f, 0x01, 0x15, 0xbe, 0xac, 0x1e, 0x7f, 0x15, 0x4b, 0x8c, 0x52, 0xc5,
+	0x12, 0x58, 0x22, 0x7c, 0xfe, 0x5f, 0x04, 0x19, 0x9d, 0x43, 0x12, 0x2e, 0xf1, 0x1e, 0xac, 0xe2,
+	0x8d, 0x14, 0x1b, 0xfa, 0x2c, 0x55, 0x52, 0x89, 0x45, 0x92, 0x77, 0x82, 0xb6, 0x3b, 0xdd, 0x60,
+	0xc8, 0xa3, 0x01, 0x3e, 0x40, 0x8d, 0x88, 0xf5, 0x45, 0xd3, 0x39, 0x70, 0x0e, 0x6f, 0x05, 0x6f,
+	0x5d, 0xe5, 0xad, 0x5a, 0x91, 0xb7, 0x1a, 0x5f, 0x77, 0xbe, 0xa1, 0xd4, 0xdc, 0x60, 0x0f, 0x6d,
+	0xc1, 0x45, 0x04, 0x99, 0x6a, 0xd6, 0x0f, 0x36, 0x0e, 0x6f, 0x05, 0xa8, 0xc8, 0x5b, 0x5b, 0x0f,
+	0x4d, 0x84, 0xda, 0x1b, 0xef, 0x2f, 0x07, 0xdd, 0x3e, 0x2e, 0xdf, 0xb8, 0x6b, 0xc6, 0x89, 0x7f,
+	0x46, 0x3b, 0x7a, 0x36, 0xfd, 0x50, 0x85, 0x46, 0x7b, 0xf7, 0xfe, 0xa7, 0xa4, 0x32, 0xc4, 0xb4,
+	0x54, 0x92, 0x0d, 0x62, 0x1d, 0x90, 0x44, 0xa3, 0xc9, 0xb8, 0x4d, 0x4e, 0x7a, 0x4f, 0x21, 0x52,
+	0x47, 0xa0, 0xc2, 0x00, 0xdb, 0x6a, 0x50, 0x15, 0xa3, 0x53, 0x55, 0x7c, 0x84, 0x1a, 0x32, 0x83,
+	0xa8, 0x59, 0x37, 0xea, 0x77, 0xc9, 0x2a, 0xbb, 0x91, 0xb9, 0xc2, 0x4e, 0x33, 0x88, 0xaa, 0x36,
+	0xf5, 0x89, 0x1a, 0x19, 0xef, 0x0f, 0x07, 0xbd, 0x3f, 0x87, 0x7c, 0x18, 0x0b, 0x90, 0x92, 0x8e,
+	0x86, 0x80, 0xbb, 0x68, 0x33, 0xe3, 0x42, 0xc9, 0xa6, 0x73, 0xb0, 0xf1, 0x0a, 0xb9, 0xba, 0x5c,
+	0xa8, 0xe0, 0xb6, 0xcd, 0xb5, 0xa9, 0x4f, 0x92, 0x96, 0x42, 0xf8, 0x11, 0xaa, 0x2b, 0x6e, 0x06,
+	0xfa, 0x0a, 0x72, 0x00, 0x22, 0x40, 0x56, 0xae, 0xfe, 0x84, 0xd3, 0xba, 0xe2, 0xde, 0x9f, 0x0e,
+	0x6a, 0xce, 0xa1, 0x3a, 0xe9, 0x9b, 0xac, 0xfb, 0x08, 0x35, 0xce, 0x04, 0x4f, 0x5e, 0xa7, 0xf2,
+	0xe9, 0xd0, 0xbf, 0x15, 0x3c, 0xa1, 0x46, 0xc6, 0x7b, 0xe6, 0xa0, 0xbd, 0x39, 0xe4, 0x63, 0x26,
+	0x15, 0xfe, 0x71, 0xc9, 0x3b, 0x64, 0x3d, 0xef, 0x68, 0xb6, 0x71, 0xce, 0x3b, 0x36, 0xd7, 0xce,
+	0x24, 0x32, 0xe3, 0x9b, 0xc7, 0x68, 0x93, 0x29, 0x48, 0xa4, 0xed, 0xe1, 0xe3, 0x35, 0x7b, 0xa8,
+	0x06, 0xd2, 0xd1, 0x6c, 0x5a, 0x8a, 0x78, 0xcf, 0xea, 0x0b, 0x1d, 0xe8, 0x5e, 0xf1, 0x19, 0xda,
+	0xcd, 0x78, 0xff, 0x14, 0x86, 0x10, 0x29, 0x2e, 0x6c, 0x13, 0x0f, 0xd6, 0x6c, 0x22, 0xec, 0xc1,
+	0x70, 0x42, 0x0d, 0xee, 0x14, 0x79, 0x6b, 0xb7, 0x5b, 0x69, 0xd1, 0x59, 0x61, 0x7c, 0x81, 0xf6,
+	0xd2, 0x30, 0x01, 0x99, 0x85, 0x11, 0x4c, 0xb3, 0xd5, 0x5f, 0x3f, 0xdb, 0x7b, 0x45, 0xde, 0xda,
+	0x3b, 0x5e, 0x54, 0xa4, 0xcb, 0x49, 0xf0, 0x77, 0x68, 0x9b, 0x65, 0x66, 0x85, 0x34, 0x37, 0x4c,
+	0xbe, 0x8f, 0x56, 0xcf, 0xd1, 0xee, 0x9a, 0x60, 0xb7, 0xc8, 0x5b, 0x93, 0xc5, 0x43, 0x27, 0x74,
+	0xef, 0xf7, 0x45, 0x0f, 0x68, 0xc3, 0xe1, 0x47, 0x68, 0xc7, 0xec, 0xaa, 0x88, 0x0f, 0xed, 0x6e,
+	0xba, 0xab, 0xdf, 0xb3, 0x6b, 0x63, 0x37, 0x79, 0xeb, 0x83, 0xe5, 0xcf, 0x02, 0x99, 0x5c, 0xd3,
+	0x29, 0x19, 0x1f, 0xa3, 0x86, 0xb6, 0xae, 0x9d, 0xca, 0xea, 0x25, 0xa4, 0xf7, 0x25, 0x29, 0xf7,
+	0x25, 0xe9, 0xa4, 0xea, 0x44, 0x9c, 0x2a, 0xc1, 0xd2, 0x38, 0xd8, 0xd1, 0x96, 0xd5, 0x25, 0x51,
+	0xa3, 0xe3, 0xdd, 0x2c, 0x3e, 0xb8, 0xde, 0x21, 0xf8, 0xe9, 0xff, 0xf6, 0xe0, 0xef, 0x5a, 0x9b,
+	0xad, 0x7e, 0xf4, 0x9f, 0xd0, 0x36, 0x2b, 0xff, 0xe4, 0xd6, 0xc2, 0xf7, 0xd7, 0xb4, 0xf0, 0xcc,
+	0x6a, 0x08, 0xee, 0xd8, 0x34, 0xdb, 0x93, 0xe0, 0x44, 0x13, 0x7f, 0x8f, 0xb6, 0xa0, 0x54, 0xdf,
+	0x30, 0xea, 0xed, 0x35, 0xd5, 0xab, 0x7d, 0x19, 0xbc, 0x6d, 0xc5, 0xb7, 0x6c, 0xcc, 0x0a, 0xe2,
+	0x2f, 0xf5, 0x94, 0x34, 0xf6, 0xc9, 0x65, 0x06, 0xb2, 0xd9, 0x30, 0xdf, 0x93, 0x0f, 0xcb, 0x66,
+	0xa7, 0xe1, 0x9b, 0xbc, 0x85, 0xaa, 0x23, 0x9d, 0x65, 0x04, 0x87, 0x57, 0xd7, 0x6e, 0xed, 0xf9,
+	0xb5, 0x5b, 0x7b, 0x71, 0xed, 0xd6, 0x7e, 0x2d, 0x5c, 0xe7, 0xaa, 0x70, 0x9d, 0xe7, 0x85, 0xeb,
+	0xbc, 0x28, 0x5c, 0xe7, 0xef, 0xc2, 0x75, 0x7e, 0xfb, 0xc7, 0xad, 0xfd, 0x50, 0x1f, 0xb7, 0xff,
+	0x0d, 0x00, 0x00, 0xff, 0xff, 0x48, 0x47, 0x24, 0xc9, 0xc1, 0x08, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/networking/v1/generated.proto b/cli/vendor/k8s.io/api/networking/v1/generated.proto
new file mode 100644
index 00000000..06365ebe
--- /dev/null
+++ b/cli/vendor/k8s.io/api/networking/v1/generated.proto
@@ -0,0 +1,190 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.networking.v1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/api/extensions/v1beta1/generated.proto";
+import "k8s.io/api/policy/v1beta1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1";
+
+// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to the pods
+// matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should
+// not be included within this rule.
+message IPBlock {
+  // CIDR is a string representing the IP Block
+  // Valid examples are "192.168.1.1/24"
+  optional string cidr = 1;
+
+  // Except is a slice of CIDRs that should not be included within an IP Block
+  // Valid examples are "192.168.1.1/24"
+  // Except values will be rejected if they are outside the CIDR range
+  // +optional
+  repeated string except = 2;
+}
+
+// NetworkPolicy describes what network traffic is allowed for a set of Pods
+message NetworkPolicy {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior for this NetworkPolicy.
+  // +optional
+  optional NetworkPolicySpec spec = 2;
+}
+
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+message NetworkPolicyEgressRule {
+  // List of destination ports for outgoing traffic.
+  // Each item in this list is combined using a logical OR. If this field is
+  // empty or missing, this rule matches all ports (traffic not restricted by port).
+  // If this field is present and contains at least one item, then this rule allows
+  // traffic only if the traffic matches at least one port in the list.
+  // +optional
+  repeated NetworkPolicyPort ports = 1;
+
+  // List of destinations for outgoing traffic of pods selected for this rule.
+  // Items in this list are combined using a logical OR operation. If this field is
+  // empty or missing, this rule matches all destinations (traffic not restricted by
+  // destination). If this field is present and contains at least one item, this rule
+  // allows traffic only if the traffic matches at least one item in the to list.
+  // +optional
+  repeated NetworkPolicyPeer to = 2;
+}
+
+// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+message NetworkPolicyIngressRule {
+  // List of ports which should be made accessible on the pods selected for this
+  // rule. Each item in this list is combined using a logical OR. If this field is
+  // empty or missing, this rule matches all ports (traffic not restricted by port).
+  // If this field is present and contains at least one item, then this rule allows
+  // traffic only if the traffic matches at least one port in the list.
+  // +optional
+  repeated NetworkPolicyPort ports = 1;
+
+  // List of sources which should be able to access the pods selected for this rule.
+  // Items in this list are combined using a logical OR operation. If this field is
+  // empty or missing, this rule matches all sources (traffic not restricted by
+  // source). If this field is present and contains at least on item, this rule
+  // allows traffic only if the traffic matches at least one item in the from list.
+  // +optional
+  repeated NetworkPolicyPeer from = 2;
+}
+
+// NetworkPolicyList is a list of NetworkPolicy objects.
+message NetworkPolicyList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of schema objects.
+  repeated NetworkPolicy items = 2;
+}
+
+// NetworkPolicyPeer describes a peer to allow traffic from. Exactly one of its fields
+// must be specified.
+message NetworkPolicyPeer {
+  // This is a label selector which selects Pods in this namespace. This field
+  // follows standard label selector semantics. If present but empty, this selector
+  // selects all pods in this namespace.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector podSelector = 1;
+
+  // Selects Namespaces using cluster scoped-labels. This matches all pods in all
+  // namespaces selected by this label selector. This field follows standard label
+  // selector semantics. If present but empty, this selector selects all namespaces.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 2;
+
+  // IPBlock defines policy on a particular IPBlock
+  // +optional
+  optional IPBlock ipBlock = 3;
+}
+
+// NetworkPolicyPort describes a port to allow traffic on
+message NetworkPolicyPort {
+  // The protocol (TCP or UDP) which traffic must match. If not specified, this
+  // field defaults to TCP.
+  // +optional
+  optional string protocol = 1;
+
+  // The port on the given protocol. This can either be a numerical or named port on
+  // a pod. If this field is not provided, this matches all port names and numbers.
+  // +optional
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString port = 2;
+}
+
+// NetworkPolicySpec provides the specification of a NetworkPolicy
+message NetworkPolicySpec {
+  // Selects the pods to which this NetworkPolicy object applies. The array of
+  // ingress rules is applied to any pods selected by this field. Multiple network
+  // policies can select the same set of pods. In this case, the ingress rules for
+  // each are combined additively. This field is NOT optional and follows standard
+  // label selector semantics. An empty podSelector matches all pods in this
+  // namespace.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector podSelector = 1;
+
+  // List of ingress rules to be applied to the selected pods. Traffic is allowed to
+  // a pod if there are no NetworkPolicies selecting the pod
+  // (and cluster policy otherwise allows the traffic), OR if the traffic source is
+  // the pod's local node, OR if the traffic matches at least one ingress rule
+  // across all of the NetworkPolicy objects whose podSelector matches the pod. If
+  // this field is empty then this NetworkPolicy does not allow any traffic (and serves
+  // solely to ensure that the pods it selects are isolated by default)
+  // +optional
+  repeated NetworkPolicyIngressRule ingress = 2;
+
+  // List of egress rules to be applied to the selected pods. Outgoing traffic is
+  // allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+  // otherwise allows the traffic), OR if the traffic matches at least one egress rule
+  // across all of the NetworkPolicy objects whose podSelector matches the pod. If
+  // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+  // solely to ensure that the pods it selects are isolated by default).
+  // This field is beta-level in 1.8
+  // +optional
+  repeated NetworkPolicyEgressRule egress = 3;
+
+  // List of rule types that the NetworkPolicy relates to.
+  // Valid options are Ingress, Egress, or Ingress,Egress.
+  // If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+  // policies that contain an Egress section are assumed to affect Egress, and all policies
+  // (whether or not they contain an Ingress section) are assumed to affect Ingress.
+  // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+  // Likewise, if you want to write a policy that specifies that no egress is allowed,
+  // you must specify a policyTypes value that include "Egress" (since such a policy would not include
+  // an Egress section and would otherwise default to just [ "Ingress" ]).
+  // This field is beta-level in 1.8
+  // +optional
+  repeated string policyTypes = 4;
+}
+
diff --git a/cli/vendor/k8s.io/api/networking/v1/register.go b/cli/vendor/k8s.io/api/networking/v1/register.go
new file mode 100644
index 00000000..2ba9951d
--- /dev/null
+++ b/cli/vendor/k8s.io/api/networking/v1/register.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "networking.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&NetworkPolicy{},
+		&NetworkPolicyList{},
+	)
+
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/networking/v1/types.go b/cli/vendor/k8s.io/api/networking/v1/types.go
new file mode 100644
index 00000000..57bc8005
--- /dev/null
+++ b/cli/vendor/k8s.io/api/networking/v1/types.go
@@ -0,0 +1,196 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkPolicy describes what network traffic is allowed for a set of Pods
+type NetworkPolicy struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior for this NetworkPolicy.
+	// +optional
+	Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// Policy Type string describes the NetworkPolicy type
+// This type is beta-level in 1.8
+type PolicyType string
+
+const (
+	// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods
+	PolicyTypeIngress PolicyType = "Ingress"
+	// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods
+	PolicyTypeEgress PolicyType = "Egress"
+)
+
+// NetworkPolicySpec provides the specification of a NetworkPolicy
+type NetworkPolicySpec struct {
+	// Selects the pods to which this NetworkPolicy object applies. The array of
+	// ingress rules is applied to any pods selected by this field. Multiple network
+	// policies can select the same set of pods. In this case, the ingress rules for
+	// each are combined additively. This field is NOT optional and follows standard
+	// label selector semantics. An empty podSelector matches all pods in this
+	// namespace.
+	PodSelector metav1.LabelSelector `json:"podSelector" protobuf:"bytes,1,opt,name=podSelector"`
+
+	// List of ingress rules to be applied to the selected pods. Traffic is allowed to
+	// a pod if there are no NetworkPolicies selecting the pod
+	// (and cluster policy otherwise allows the traffic), OR if the traffic source is
+	// the pod's local node, OR if the traffic matches at least one ingress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy does not allow any traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default)
+	// +optional
+	Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,2,rep,name=ingress"`
+
+	// List of egress rules to be applied to the selected pods. Outgoing traffic is
+	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// This field is beta-level in 1.8
+	// +optional
+	Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
+
+	// List of rule types that the NetworkPolicy relates to.
+	// Valid options are Ingress, Egress, or Ingress,Egress.
+	// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+	// policies that contain an Egress section are assumed to affect Egress, and all policies
+	// (whether or not they contain an Ingress section) are assumed to affect Ingress.
+	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+	// Likewise, if you want to write a policy that specifies that no egress is allowed,
+	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
+	// an Egress section and would otherwise default to just [ "Ingress" ]).
+	// This field is beta-level in 1.8
+	// +optional
+	PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"`
+}
+
+// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+type NetworkPolicyIngressRule struct {
+	// List of ports which should be made accessible on the pods selected for this
+	// rule. Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
+
+	// List of sources which should be able to access the pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all sources (traffic not restricted by
+	// source). If this field is present and contains at least on item, this rule
+	// allows traffic only if the traffic matches at least one item in the from list.
+	// +optional
+	From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"`
+}
+
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+type NetworkPolicyEgressRule struct {
+	// List of destination ports for outgoing traffic.
+	// Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
+
+	// List of destinations for outgoing traffic of pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all destinations (traffic not restricted by
+	// destination). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the to list.
+	// +optional
+	To []NetworkPolicyPeer `json:"to,omitempty" protobuf:"bytes,2,rep,name=to"`
+}
+
+// NetworkPolicyPort describes a port to allow traffic on
+type NetworkPolicyPort struct {
+	// The protocol (TCP or UDP) which traffic must match. If not specified, this
+	// field defaults to TCP.
+	// +optional
+	Protocol *v1.Protocol `json:"protocol,omitempty" protobuf:"bytes,1,opt,name=protocol,casttype=k8s.io/api/core/v1.Protocol"`
+
+	// The port on the given protocol. This can either be a numerical or named port on
+	// a pod. If this field is not provided, this matches all port names and numbers.
+	// +optional
+	Port *intstr.IntOrString `json:"port,omitempty" protobuf:"bytes,2,opt,name=port"`
+}
+
+// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to the pods
+// matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should
+// not be included within this rule.
+type IPBlock struct {
+	// CIDR is a string representing the IP Block
+	// Valid examples are "192.168.1.1/24"
+	CIDR string `json:"cidr" protobuf:"bytes,1,name=cidr"`
+	// Except is a slice of CIDRs that should not be included within an IP Block
+	// Valid examples are "192.168.1.1/24"
+	// Except values will be rejected if they are outside the CIDR range
+	// +optional
+	Except []string `json:"except,omitempty" protobuf:"bytes,2,rep,name=except"`
+}
+
+// NetworkPolicyPeer describes a peer to allow traffic from. Exactly one of its fields
+// must be specified.
+type NetworkPolicyPeer struct {
+	// This is a label selector which selects Pods in this namespace. This field
+	// follows standard label selector semantics. If present but empty, this selector
+	// selects all pods in this namespace.
+	// +optional
+	PodSelector *metav1.LabelSelector `json:"podSelector,omitempty" protobuf:"bytes,1,opt,name=podSelector"`
+
+	// Selects Namespaces using cluster scoped-labels. This matches all pods in all
+	// namespaces selected by this label selector. This field follows standard label
+	// selector semantics. If present but empty, this selector selects all namespaces.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,2,opt,name=namespaceSelector"`
+
+	// IPBlock defines policy on a particular IPBlock
+	// +optional
+	IPBlock *IPBlock `json:"ipBlock,omitempty" protobuf:"bytes,3,rep,name=ipBlock"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// NetworkPolicyList is a list of NetworkPolicy objects.
+type NetworkPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of schema objects.
+	Items []NetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/networking/v1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/networking/v1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..ad0bafea
--- /dev/null
+++ b/cli/vendor/k8s.io/api/networking/v1/types_swagger_doc_generated.go
@@ -0,0 +1,113 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_IPBlock = map[string]string{
+	"":       "IPBlock describes a particular CIDR (Ex. \"192.168.1.1/24\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.",
+	"cidr":   "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\"",
+	"except": "Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" Except values will be rejected if they are outside the CIDR range",
+}
+
+func (IPBlock) SwaggerDoc() map[string]string {
+	return map_IPBlock
+}
+
+var map_NetworkPolicy = map[string]string{
+	"":         "NetworkPolicy describes what network traffic is allowed for a set of Pods",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"spec":     "Specification of the desired behavior for this NetworkPolicy.",
+}
+
+func (NetworkPolicy) SwaggerDoc() map[string]string {
+	return map_NetworkPolicy
+}
+
+var map_NetworkPolicyEgressRule = map[string]string{
+	"":      "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8",
+	"ports": "List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+	"to":    "List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.",
+}
+
+func (NetworkPolicyEgressRule) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyEgressRule
+}
+
+var map_NetworkPolicyIngressRule = map[string]string{
+	"":      "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.",
+	"ports": "List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+	"from":  "List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least on item, this rule allows traffic only if the traffic matches at least one item in the from list.",
+}
+
+func (NetworkPolicyIngressRule) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyIngressRule
+}
+
+var map_NetworkPolicyList = map[string]string{
+	"":         "NetworkPolicyList is a list of NetworkPolicy objects.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is a list of schema objects.",
+}
+
+func (NetworkPolicyList) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyList
+}
+
+var map_NetworkPolicyPeer = map[string]string{
+	"":                  "NetworkPolicyPeer describes a peer to allow traffic from. Exactly one of its fields must be specified.",
+	"podSelector":       "This is a label selector which selects Pods in this namespace. This field follows standard label selector semantics. If present but empty, this selector selects all pods in this namespace.",
+	"namespaceSelector": "Selects Namespaces using cluster scoped-labels. This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If present but empty, this selector selects all namespaces.",
+	"ipBlock":           "IPBlock defines policy on a particular IPBlock",
+}
+
+func (NetworkPolicyPeer) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyPeer
+}
+
+var map_NetworkPolicyPort = map[string]string{
+	"":         "NetworkPolicyPort describes a port to allow traffic on",
+	"protocol": "The protocol (TCP or UDP) which traffic must match. If not specified, this field defaults to TCP.",
+	"port":     "The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.",
+}
+
+func (NetworkPolicyPort) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyPort
+}
+
+var map_NetworkPolicySpec = map[string]string{
+	"":            "NetworkPolicySpec provides the specification of a NetworkPolicy",
+	"podSelector": "Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.",
+	"ingress":     "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)",
+	"egress":      "List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8",
+	"policyTypes": "List of rule types that the NetworkPolicy relates to. Valid options are Ingress, Egress, or Ingress,Egress. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an Egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8",
+}
+
+func (NetworkPolicySpec) SwaggerDoc() map[string]string {
+	return map_NetworkPolicySpec
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/networking/v1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/networking/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..e91ca350
--- /dev/null
+++ b/cli/vendor/k8s.io/api/networking/v1/zz_generated.deepcopy.go
@@ -0,0 +1,331 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1
+
+import (
+	core_v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	intstr "k8s.io/apimachinery/pkg/util/intstr"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*IPBlock).DeepCopyInto(out.(*IPBlock))
+			return nil
+		}, InType: reflect.TypeOf(&IPBlock{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicy).DeepCopyInto(out.(*NetworkPolicy))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyEgressRule).DeepCopyInto(out.(*NetworkPolicyEgressRule))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyEgressRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyIngressRule).DeepCopyInto(out.(*NetworkPolicyIngressRule))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyIngressRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyList).DeepCopyInto(out.(*NetworkPolicyList))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyPeer).DeepCopyInto(out.(*NetworkPolicyPeer))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyPeer{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyPort).DeepCopyInto(out.(*NetworkPolicyPort))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyPort{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicySpec).DeepCopyInto(out.(*NetworkPolicySpec))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicySpec{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IPBlock) DeepCopyInto(out *IPBlock) {
+	*out = *in
+	if in.Except != nil {
+		in, out := &in.Except, &out.Except
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPBlock.
+func (in *IPBlock) DeepCopy() *IPBlock {
+	if in == nil {
+		return nil
+	}
+	out := new(IPBlock)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicy) DeepCopyInto(out *NetworkPolicy) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicy.
+func (in *NetworkPolicy) DeepCopy() *NetworkPolicy {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NetworkPolicy) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyEgressRule) DeepCopyInto(out *NetworkPolicyEgressRule) {
+	*out = *in
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]NetworkPolicyPort, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.To != nil {
+		in, out := &in.To, &out.To
+		*out = make([]NetworkPolicyPeer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEgressRule.
+func (in *NetworkPolicyEgressRule) DeepCopy() *NetworkPolicyEgressRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyEgressRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyIngressRule) DeepCopyInto(out *NetworkPolicyIngressRule) {
+	*out = *in
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]NetworkPolicyPort, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.From != nil {
+		in, out := &in.From, &out.From
+		*out = make([]NetworkPolicyPeer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyIngressRule.
+func (in *NetworkPolicyIngressRule) DeepCopy() *NetworkPolicyIngressRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyIngressRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyList) DeepCopyInto(out *NetworkPolicyList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]NetworkPolicy, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyList.
+func (in *NetworkPolicyList) DeepCopy() *NetworkPolicyList {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NetworkPolicyList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyPeer) DeepCopyInto(out *NetworkPolicyPeer) {
+	*out = *in
+	if in.PodSelector != nil {
+		in, out := &in.PodSelector, &out.PodSelector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.NamespaceSelector != nil {
+		in, out := &in.NamespaceSelector, &out.NamespaceSelector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(meta_v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.IPBlock != nil {
+		in, out := &in.IPBlock, &out.IPBlock
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(IPBlock)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyPeer.
+func (in *NetworkPolicyPeer) DeepCopy() *NetworkPolicyPeer {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyPeer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyPort) DeepCopyInto(out *NetworkPolicyPort) {
+	*out = *in
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(core_v1.Protocol)
+			**out = **in
+		}
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyPort.
+func (in *NetworkPolicyPort) DeepCopy() *NetworkPolicyPort {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyPort)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicySpec) DeepCopyInto(out *NetworkPolicySpec) {
+	*out = *in
+	in.PodSelector.DeepCopyInto(&out.PodSelector)
+	if in.Ingress != nil {
+		in, out := &in.Ingress, &out.Ingress
+		*out = make([]NetworkPolicyIngressRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Egress != nil {
+		in, out := &in.Egress, &out.Egress
+		*out = make([]NetworkPolicyEgressRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PolicyTypes != nil {
+		in, out := &in.PolicyTypes, &out.PolicyTypes
+		*out = make([]PolicyType, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicySpec.
+func (in *NetworkPolicySpec) DeepCopy() *NetworkPolicySpec {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicySpec)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/policy/v1beta1/doc.go b/cli/vendor/k8s.io/api/policy/v1beta1/doc.go
new file mode 100644
index 00000000..1e9f4974
--- /dev/null
+++ b/cli/vendor/k8s.io/api/policy/v1beta1/doc.go
@@ -0,0 +1,23 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+
+// Package policy is for any kind of policy object.  Suitable examples, even if
+// they aren't all here, are PodDisruptionBudget, PodSecurityPolicy,
+// NetworkPolicy, etc.
+// +k8s:openapi-gen=true
+package v1beta1 // import "k8s.io/api/policy/v1beta1"
diff --git a/cli/vendor/k8s.io/api/policy/v1beta1/generated.pb.go b/cli/vendor/k8s.io/api/policy/v1beta1/generated.pb.go
new file mode 100644
index 00000000..4ed4d29c
--- /dev/null
+++ b/cli/vendor/k8s.io/api/policy/v1beta1/generated.pb.go
@@ -0,0 +1,1454 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/policy/v1beta1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1beta1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/policy/v1beta1/generated.proto
+
+	It has these top-level messages:
+		Eviction
+		PodDisruptionBudget
+		PodDisruptionBudgetList
+		PodDisruptionBudgetSpec
+		PodDisruptionBudgetStatus
+*/
+package v1beta1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+import k8s_io_apimachinery_pkg_util_intstr "k8s.io/apimachinery/pkg/util/intstr"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *Eviction) Reset()                    { *m = Eviction{} }
+func (*Eviction) ProtoMessage()               {}
+func (*Eviction) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *PodDisruptionBudget) Reset()                    { *m = PodDisruptionBudget{} }
+func (*PodDisruptionBudget) ProtoMessage()               {}
+func (*PodDisruptionBudget) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *PodDisruptionBudgetList) Reset()                    { *m = PodDisruptionBudgetList{} }
+func (*PodDisruptionBudgetList) ProtoMessage()               {}
+func (*PodDisruptionBudgetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *PodDisruptionBudgetSpec) Reset()                    { *m = PodDisruptionBudgetSpec{} }
+func (*PodDisruptionBudgetSpec) ProtoMessage()               {}
+func (*PodDisruptionBudgetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *PodDisruptionBudgetStatus) Reset()      { *m = PodDisruptionBudgetStatus{} }
+func (*PodDisruptionBudgetStatus) ProtoMessage() {}
+func (*PodDisruptionBudgetStatus) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{4}
+}
+
+func init() {
+	proto.RegisterType((*Eviction)(nil), "k8s.io.api.policy.v1beta1.Eviction")
+	proto.RegisterType((*PodDisruptionBudget)(nil), "k8s.io.api.policy.v1beta1.PodDisruptionBudget")
+	proto.RegisterType((*PodDisruptionBudgetList)(nil), "k8s.io.api.policy.v1beta1.PodDisruptionBudgetList")
+	proto.RegisterType((*PodDisruptionBudgetSpec)(nil), "k8s.io.api.policy.v1beta1.PodDisruptionBudgetSpec")
+	proto.RegisterType((*PodDisruptionBudgetStatus)(nil), "k8s.io.api.policy.v1beta1.PodDisruptionBudgetStatus")
+}
+func (m *Eviction) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Eviction) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	if m.DeleteOptions != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.DeleteOptions.Size()))
+		n2, err := m.DeleteOptions.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n2
+	}
+	return i, nil
+}
+
+func (m *PodDisruptionBudget) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodDisruptionBudget) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n3, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n4, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Status.Size()))
+	n5, err := m.Status.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	return i, nil
+}
+
+func (m *PodDisruptionBudgetList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodDisruptionBudgetList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n6, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PodDisruptionBudgetSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodDisruptionBudgetSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.MinAvailable != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.MinAvailable.Size()))
+		n7, err := m.MinAvailable.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	if m.Selector != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+		n8, err := m.Selector.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	if m.MaxUnavailable != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.MaxUnavailable.Size()))
+		n9, err := m.MaxUnavailable.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n9
+	}
+	return i, nil
+}
+
+func (m *PodDisruptionBudgetStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodDisruptionBudgetStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObservedGeneration))
+	if len(m.DisruptedPods) > 0 {
+		keysForDisruptedPods := make([]string, 0, len(m.DisruptedPods))
+		for k := range m.DisruptedPods {
+			keysForDisruptedPods = append(keysForDisruptedPods, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForDisruptedPods)
+		for _, k := range keysForDisruptedPods {
+			dAtA[i] = 0x12
+			i++
+			v := m.DisruptedPods[string(k)]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovGenerated(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + msgSize
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64((&v).Size()))
+			n10, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n10
+		}
+	}
+	dAtA[i] = 0x18
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.PodDisruptionsAllowed))
+	dAtA[i] = 0x20
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CurrentHealthy))
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.DesiredHealthy))
+	dAtA[i] = 0x30
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ExpectedPods))
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *Eviction) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.DeleteOptions != nil {
+		l = m.DeleteOptions.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *PodDisruptionBudget) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Status.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodDisruptionBudgetList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodDisruptionBudgetSpec) Size() (n int) {
+	var l int
+	_ = l
+	if m.MinAvailable != nil {
+		l = m.MinAvailable.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Selector != nil {
+		l = m.Selector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.MaxUnavailable != nil {
+		l = m.MaxUnavailable.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *PodDisruptionBudgetStatus) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.ObservedGeneration))
+	if len(m.DisruptedPods) > 0 {
+		for k, v := range m.DisruptedPods {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + l + sovGenerated(uint64(l))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	n += 1 + sovGenerated(uint64(m.PodDisruptionsAllowed))
+	n += 1 + sovGenerated(uint64(m.CurrentHealthy))
+	n += 1 + sovGenerated(uint64(m.DesiredHealthy))
+	n += 1 + sovGenerated(uint64(m.ExpectedPods))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *Eviction) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Eviction{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`DeleteOptions:` + strings.Replace(fmt.Sprintf("%v", this.DeleteOptions), "DeleteOptions", "k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodDisruptionBudget) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodDisruptionBudget{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PodDisruptionBudgetSpec", "PodDisruptionBudgetSpec", 1), `&`, ``, 1) + `,`,
+		`Status:` + strings.Replace(strings.Replace(this.Status.String(), "PodDisruptionBudgetStatus", "PodDisruptionBudgetStatus", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodDisruptionBudgetList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodDisruptionBudgetList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "PodDisruptionBudget", "PodDisruptionBudget", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodDisruptionBudgetSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodDisruptionBudgetSpec{`,
+		`MinAvailable:` + strings.Replace(fmt.Sprintf("%v", this.MinAvailable), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`Selector:` + strings.Replace(fmt.Sprintf("%v", this.Selector), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1) + `,`,
+		`MaxUnavailable:` + strings.Replace(fmt.Sprintf("%v", this.MaxUnavailable), "IntOrString", "k8s_io_apimachinery_pkg_util_intstr.IntOrString", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodDisruptionBudgetStatus) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForDisruptedPods := make([]string, 0, len(this.DisruptedPods))
+	for k := range this.DisruptedPods {
+		keysForDisruptedPods = append(keysForDisruptedPods, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForDisruptedPods)
+	mapStringForDisruptedPods := "map[string]k8s_io_apimachinery_pkg_apis_meta_v1.Time{"
+	for _, k := range keysForDisruptedPods {
+		mapStringForDisruptedPods += fmt.Sprintf("%v: %v,", k, this.DisruptedPods[k])
+	}
+	mapStringForDisruptedPods += "}"
+	s := strings.Join([]string{`&PodDisruptionBudgetStatus{`,
+		`ObservedGeneration:` + fmt.Sprintf("%v", this.ObservedGeneration) + `,`,
+		`DisruptedPods:` + mapStringForDisruptedPods + `,`,
+		`PodDisruptionsAllowed:` + fmt.Sprintf("%v", this.PodDisruptionsAllowed) + `,`,
+		`CurrentHealthy:` + fmt.Sprintf("%v", this.CurrentHealthy) + `,`,
+		`DesiredHealthy:` + fmt.Sprintf("%v", this.DesiredHealthy) + `,`,
+		`ExpectedPods:` + fmt.Sprintf("%v", this.ExpectedPods) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *Eviction) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Eviction: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Eviction: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DeleteOptions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.DeleteOptions == nil {
+				m.DeleteOptions = &k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions{}
+			}
+			if err := m.DeleteOptions.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodDisruptionBudget) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodDisruptionBudget: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodDisruptionBudget: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodDisruptionBudgetList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodDisruptionBudgetList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodDisruptionBudgetList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, PodDisruptionBudget{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodDisruptionBudgetSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodDisruptionBudgetSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodDisruptionBudgetSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MinAvailable", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.MinAvailable == nil {
+				m.MinAvailable = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.MinAvailable.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Selector == nil {
+				m.Selector = &k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector{}
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MaxUnavailable", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.MaxUnavailable == nil {
+				m.MaxUnavailable = &k8s_io_apimachinery_pkg_util_intstr.IntOrString{}
+			}
+			if err := m.MaxUnavailable.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodDisruptionBudgetStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodDisruptionBudgetStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodDisruptionBudgetStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObservedGeneration", wireType)
+			}
+			m.ObservedGeneration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ObservedGeneration |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DisruptedPods", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.DisruptedPods == nil {
+				m.DisruptedPods = make(map[string]k8s_io_apimachinery_pkg_apis_meta_v1.Time)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapmsglen int
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapmsglen |= (int(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postmsgIndex := iNdEx + mapmsglen
+				if mapmsglen < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				if postmsgIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := &k8s_io_apimachinery_pkg_apis_meta_v1.Time{}
+				if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+					return err
+				}
+				iNdEx = postmsgIndex
+				m.DisruptedPods[mapkey] = *mapvalue
+			} else {
+				var mapvalue k8s_io_apimachinery_pkg_apis_meta_v1.Time
+				m.DisruptedPods[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PodDisruptionsAllowed", wireType)
+			}
+			m.PodDisruptionsAllowed = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.PodDisruptionsAllowed |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CurrentHealthy", wireType)
+			}
+			m.CurrentHealthy = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.CurrentHealthy |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DesiredHealthy", wireType)
+			}
+			m.DesiredHealthy = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.DesiredHealthy |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExpectedPods", wireType)
+			}
+			m.ExpectedPods = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ExpectedPods |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/policy/v1beta1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 795 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x94, 0x41, 0x6f, 0xdc, 0x44,
+	0x14, 0xc7, 0xd7, 0xd9, 0x6c, 0x08, 0xc3, 0xee, 0x2a, 0x0c, 0x14, 0xd2, 0x95, 0xf0, 0xa2, 0x3d,
+	0x21, 0xa4, 0x8e, 0x49, 0x5b, 0xa1, 0x88, 0x03, 0xa2, 0x26, 0x51, 0x29, 0x6a, 0x94, 0x6a, 0x52,
+	0x2e, 0xa8, 0x48, 0x8c, 0xed, 0x57, 0x67, 0x58, 0xdb, 0x63, 0xcd, 0x8c, 0x4d, 0xf7, 0xc6, 0x81,
+	0x0f, 0xc0, 0xf7, 0xe0, 0x8b, 0xe4, 0x80, 0x50, 0x8f, 0x15, 0x87, 0x15, 0x31, 0xe2, 0x7b, 0x20,
+	0xdb, 0xb3, 0x9b, 0xf5, 0xee, 0x46, 0xdd, 0xe6, 0xc0, 0xcd, 0xf3, 0xde, 0xfb, 0xff, 0x9e, 0xdf,
+	0x7f, 0x9e, 0x8d, 0xdc, 0xf1, 0xa1, 0x22, 0x5c, 0x38, 0xe3, 0xcc, 0x03, 0x99, 0x80, 0x06, 0xe5,
+	0xe4, 0x90, 0x04, 0x42, 0x3a, 0x26, 0xc1, 0x52, 0xee, 0xa4, 0x22, 0xe2, 0xfe, 0xc4, 0xc9, 0x0f,
+	0x3c, 0xd0, 0xec, 0xc0, 0x09, 0x21, 0x01, 0xc9, 0x34, 0x04, 0x24, 0x95, 0x42, 0x0b, 0x7c, 0xbb,
+	0x2e, 0x25, 0x2c, 0xe5, 0xa4, 0x2e, 0x25, 0xa6, 0x74, 0x70, 0x27, 0xe4, 0xfa, 0x3c, 0xf3, 0x88,
+	0x2f, 0x62, 0x27, 0x14, 0xa1, 0x70, 0x2a, 0x85, 0x97, 0x3d, 0xaf, 0x4e, 0xd5, 0xa1, 0x7a, 0xaa,
+	0x49, 0x83, 0xd1, 0x42, 0x53, 0x5f, 0x48, 0x70, 0xf2, 0x95, 0x6e, 0x83, 0xfb, 0x57, 0x35, 0x31,
+	0xf3, 0xcf, 0x79, 0x02, 0x72, 0xe2, 0xa4, 0xe3, 0xb0, 0x0c, 0x28, 0x27, 0x06, 0xcd, 0xd6, 0xa9,
+	0x9c, 0xeb, 0x54, 0x32, 0x4b, 0x34, 0x8f, 0x61, 0x45, 0xf0, 0xf9, 0xeb, 0x04, 0xca, 0x3f, 0x87,
+	0x98, 0xad, 0xe8, 0xee, 0x5d, 0xa7, 0xcb, 0x34, 0x8f, 0x1c, 0x9e, 0x68, 0xa5, 0xe5, 0xb2, 0x68,
+	0xf4, 0x97, 0x85, 0x76, 0x8f, 0x73, 0xee, 0x6b, 0x2e, 0x12, 0xfc, 0x23, 0xda, 0x2d, 0xa7, 0x08,
+	0x98, 0x66, 0xfb, 0xd6, 0xc7, 0xd6, 0x27, 0xef, 0xdc, 0xfd, 0x8c, 0x5c, 0x39, 0x3c, 0x87, 0x92,
+	0x74, 0x1c, 0x96, 0x01, 0x45, 0xca, 0x6a, 0x92, 0x1f, 0x90, 0x53, 0xef, 0x27, 0xf0, 0xf5, 0x09,
+	0x68, 0xe6, 0xe2, 0x8b, 0xe9, 0xb0, 0x55, 0x4c, 0x87, 0xe8, 0x2a, 0x46, 0xe7, 0x54, 0x1c, 0xa1,
+	0x5e, 0x00, 0x11, 0x68, 0x38, 0x4d, 0xcb, 0x8e, 0x6a, 0x7f, 0xab, 0x6a, 0x73, 0x6f, 0xb3, 0x36,
+	0x47, 0x8b, 0x52, 0xf7, 0xdd, 0x62, 0x3a, 0xec, 0x35, 0x42, 0xb4, 0x09, 0x1f, 0xfd, 0xbe, 0x85,
+	0xde, 0x7b, 0x22, 0x82, 0x23, 0xae, 0x64, 0x56, 0x85, 0xdc, 0x2c, 0x08, 0x41, 0xff, 0x0f, 0x73,
+	0x3e, 0x45, 0xdb, 0x2a, 0x05, 0xdf, 0x8c, 0x77, 0x97, 0x5c, 0xbb, 0xa7, 0x64, 0xcd, 0xfb, 0x9d,
+	0xa5, 0xe0, 0xbb, 0x5d, 0xc3, 0xdf, 0x2e, 0x4f, 0xb4, 0xa2, 0xe1, 0x67, 0x68, 0x47, 0x69, 0xa6,
+	0x33, 0xb5, 0xdf, 0xae, 0xb8, 0xf7, 0xdf, 0x90, 0x5b, 0x69, 0xdd, 0xbe, 0x21, 0xef, 0xd4, 0x67,
+	0x6a, 0x98, 0xa3, 0x3f, 0x2c, 0xf4, 0xe1, 0x1a, 0xd5, 0x63, 0xae, 0x34, 0x7e, 0xb6, 0xe2, 0x18,
+	0xd9, 0xcc, 0xb1, 0x52, 0x5d, 0xf9, 0xb5, 0x67, 0xba, 0xee, 0xce, 0x22, 0x0b, 0x6e, 0x9d, 0xa1,
+	0x0e, 0xd7, 0x10, 0x97, 0xdb, 0xd0, 0x5e, 0x42, 0x6f, 0x30, 0x96, 0xdb, 0x33, 0xe8, 0xce, 0xa3,
+	0x12, 0x42, 0x6b, 0xd6, 0xe8, 0xcf, 0xad, 0xb5, 0xe3, 0x94, 0x76, 0xe2, 0xe7, 0xa8, 0x1b, 0xf3,
+	0xe4, 0x41, 0xce, 0x78, 0xc4, 0xbc, 0x08, 0x5e, 0xbb, 0x04, 0xe5, 0x17, 0x44, 0xea, 0x2f, 0x88,
+	0x3c, 0x4a, 0xf4, 0xa9, 0x3c, 0xd3, 0x92, 0x27, 0xa1, 0xbb, 0x57, 0x4c, 0x87, 0xdd, 0x93, 0x05,
+	0x12, 0x6d, 0x70, 0xf1, 0x0f, 0x68, 0x57, 0x41, 0x04, 0xbe, 0x16, 0xf2, 0xcd, 0x36, 0xfd, 0x31,
+	0xf3, 0x20, 0x3a, 0x33, 0x52, 0xb7, 0x5b, 0xfa, 0x36, 0x3b, 0xd1, 0x39, 0x12, 0x47, 0xa8, 0x1f,
+	0xb3, 0x17, 0xdf, 0x25, 0x6c, 0x3e, 0x48, 0xfb, 0x86, 0x83, 0xe0, 0x62, 0x3a, 0xec, 0x9f, 0x34,
+	0x58, 0x74, 0x89, 0x3d, 0xfa, 0x77, 0x1b, 0xdd, 0xbe, 0x76, 0xab, 0xf0, 0xb7, 0x08, 0x0b, 0x4f,
+	0x81, 0xcc, 0x21, 0x78, 0x58, 0xff, 0x63, 0xb8, 0x48, 0x2a, 0x63, 0xdb, 0xee, 0xc0, 0x5c, 0x10,
+	0x3e, 0x5d, 0xa9, 0xa0, 0x6b, 0x54, 0xf8, 0x57, 0x0b, 0xf5, 0x82, 0xba, 0x0d, 0x04, 0x4f, 0x44,
+	0x30, 0x5b, 0x8c, 0x87, 0x37, 0xd9, 0x77, 0x72, 0xb4, 0x48, 0x3a, 0x4e, 0xb4, 0x9c, 0xb8, 0xb7,
+	0xcc, 0x0b, 0xf5, 0x1a, 0x39, 0xda, 0x6c, 0x8a, 0x4f, 0x10, 0x0e, 0xe6, 0x48, 0xf5, 0x20, 0x8a,
+	0xc4, 0xcf, 0x10, 0x54, 0x16, 0x77, 0xdc, 0x8f, 0x0c, 0xe1, 0x56, 0xa3, 0xef, 0xac, 0x88, 0xae,
+	0x11, 0xe2, 0x2f, 0x51, 0xdf, 0xcf, 0xa4, 0x84, 0x44, 0x7f, 0x03, 0x2c, 0xd2, 0xe7, 0x93, 0xfd,
+	0xed, 0x0a, 0xf5, 0x81, 0x41, 0xf5, 0xbf, 0x6e, 0x64, 0xe9, 0x52, 0x75, 0xa9, 0x0f, 0x40, 0x71,
+	0x09, 0xc1, 0x4c, 0xdf, 0x69, 0xea, 0x8f, 0x1a, 0x59, 0xba, 0x54, 0x8d, 0x0f, 0x51, 0x17, 0x5e,
+	0xa4, 0xe0, 0xcf, 0x3c, 0xdd, 0xa9, 0xd4, 0xef, 0x1b, 0x75, 0xf7, 0x78, 0x21, 0x47, 0x1b, 0x95,
+	0x83, 0x08, 0xe1, 0x55, 0x13, 0xf1, 0x1e, 0x6a, 0x8f, 0x61, 0x52, 0x5d, 0xf1, 0xdb, 0xb4, 0x7c,
+	0xc4, 0x5f, 0xa1, 0x4e, 0xce, 0xa2, 0x0c, 0xcc, 0xae, 0x7f, 0xba, 0xd9, 0xae, 0x3f, 0xe5, 0x31,
+	0xd0, 0x5a, 0xf8, 0xc5, 0xd6, 0xa1, 0xe5, 0xde, 0xb9, 0xb8, 0xb4, 0x5b, 0x2f, 0x2f, 0xed, 0xd6,
+	0xab, 0x4b, 0xbb, 0xf5, 0x4b, 0x61, 0x5b, 0x17, 0x85, 0x6d, 0xbd, 0x2c, 0x6c, 0xeb, 0x55, 0x61,
+	0x5b, 0x7f, 0x17, 0xb6, 0xf5, 0xdb, 0x3f, 0x76, 0xeb, 0xfb, 0xb7, 0xcc, 0xc5, 0xff, 0x17, 0x00,
+	0x00, 0xff, 0xff, 0x00, 0xc0, 0xac, 0xb5, 0x48, 0x08, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/policy/v1beta1/generated.proto b/cli/vendor/k8s.io/api/policy/v1beta1/generated.proto
new file mode 100644
index 00000000..2e01cf3d
--- /dev/null
+++ b/cli/vendor/k8s.io/api/policy/v1beta1/generated.proto
@@ -0,0 +1,114 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.policy.v1beta1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// Eviction evicts a pod from its node subject to certain policies and safety constraints.
+// This is a subresource of Pod.  A request to cause such an eviction is
+// created by POSTing to .../pods/<pod name>/evictions.
+message Eviction {
+  // ObjectMeta describes the pod that is being evicted.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // DeleteOptions may be provided
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.DeleteOptions deleteOptions = 2;
+}
+
+// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
+message PodDisruptionBudget {
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior of the PodDisruptionBudget.
+  optional PodDisruptionBudgetSpec spec = 2;
+
+  // Most recently observed status of the PodDisruptionBudget.
+  optional PodDisruptionBudgetStatus status = 3;
+}
+
+// PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
+message PodDisruptionBudgetList {
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  repeated PodDisruptionBudget items = 2;
+}
+
+// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
+message PodDisruptionBudgetSpec {
+  // An eviction is allowed if at least "minAvailable" pods selected by
+  // "selector" will still be available after the eviction, i.e. even in the
+  // absence of the evicted pod.  So for example you can prevent all voluntary
+  // evictions by specifying "100%".
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString minAvailable = 1;
+
+  // Label query over pods whose evictions are managed by the disruption
+  // budget.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
+
+  // An eviction is allowed if at most "maxUnavailable" pods selected by
+  // "selector" are unavailable after the eviction, i.e. even in absence of
+  // the evicted pod. For example, one can prevent all voluntary evictions
+  // by specifying 0. This is a mutually exclusive setting with "minAvailable".
+  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 3;
+}
+
+// PodDisruptionBudgetStatus represents information about the status of a
+// PodDisruptionBudget. Status may trail the actual state of a system.
+message PodDisruptionBudgetStatus {
+  // Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other
+  // status informatio is valid only if observedGeneration equals to PDB's object generation.
+  // +optional
+  optional int64 observedGeneration = 1;
+
+  // DisruptedPods contains information about pods whose eviction was
+  // processed by the API server eviction subresource handler but has not
+  // yet been observed by the PodDisruptionBudget controller.
+  // A pod will be in this map from the time when the API server processed the
+  // eviction request to the time when the pod is seen by PDB controller
+  // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
+  // and the value is the time when the API server processed the eviction request. If
+  // the deletion didn't occur and a pod is still there it will be removed from
+  // the list automatically by PodDisruptionBudget controller after some time.
+  // If everything goes smooth this map should be empty for the most of the time.
+  // Large number of entries in the map may indicate problems with pod deletions.
+  map<string, k8s.io.apimachinery.pkg.apis.meta.v1.Time> disruptedPods = 2;
+
+  // Number of pod disruptions that are currently allowed.
+  optional int32 disruptionsAllowed = 3;
+
+  // current number of healthy pods
+  optional int32 currentHealthy = 4;
+
+  // minimum desired number of healthy pods
+  optional int32 desiredHealthy = 5;
+
+  // total number of pods counted by this disruption budget
+  optional int32 expectedPods = 6;
+}
+
diff --git a/cli/vendor/k8s.io/api/policy/v1beta1/register.go b/cli/vendor/k8s.io/api/policy/v1beta1/register.go
new file mode 100644
index 00000000..e0c6247a
--- /dev/null
+++ b/cli/vendor/k8s.io/api/policy/v1beta1/register.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "policy"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&PodDisruptionBudget{},
+		&PodDisruptionBudgetList{},
+		&Eviction{},
+	)
+	// Add the watch version that applies
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/policy/v1beta1/types.go b/cli/vendor/k8s.io/api/policy/v1beta1/types.go
new file mode 100644
index 00000000..a69a5720
--- /dev/null
+++ b/cli/vendor/k8s.io/api/policy/v1beta1/types.go
@@ -0,0 +1,115 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
+type PodDisruptionBudgetSpec struct {
+	// An eviction is allowed if at least "minAvailable" pods selected by
+	// "selector" will still be available after the eviction, i.e. even in the
+	// absence of the evicted pod.  So for example you can prevent all voluntary
+	// evictions by specifying "100%".
+	MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty" protobuf:"bytes,1,opt,name=minAvailable"`
+
+	// Label query over pods whose evictions are managed by the disruption
+	// budget.
+	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"`
+
+	// An eviction is allowed if at most "maxUnavailable" pods selected by
+	// "selector" are unavailable after the eviction, i.e. even in absence of
+	// the evicted pod. For example, one can prevent all voluntary evictions
+	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
+	MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,3,opt,name=maxUnavailable"`
+}
+
+// PodDisruptionBudgetStatus represents information about the status of a
+// PodDisruptionBudget. Status may trail the actual state of a system.
+type PodDisruptionBudgetStatus struct {
+	// Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other
+	// status informatio is valid only if observedGeneration equals to PDB's object generation.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
+
+	// DisruptedPods contains information about pods whose eviction was
+	// processed by the API server eviction subresource handler but has not
+	// yet been observed by the PodDisruptionBudget controller.
+	// A pod will be in this map from the time when the API server processed the
+	// eviction request to the time when the pod is seen by PDB controller
+	// as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
+	// and the value is the time when the API server processed the eviction request. If
+	// the deletion didn't occur and a pod is still there it will be removed from
+	// the list automatically by PodDisruptionBudget controller after some time.
+	// If everything goes smooth this map should be empty for the most of the time.
+	// Large number of entries in the map may indicate problems with pod deletions.
+	DisruptedPods map[string]metav1.Time `json:"disruptedPods" protobuf:"bytes,2,rep,name=disruptedPods"`
+
+	// Number of pod disruptions that are currently allowed.
+	PodDisruptionsAllowed int32 `json:"disruptionsAllowed" protobuf:"varint,3,opt,name=disruptionsAllowed"`
+
+	// current number of healthy pods
+	CurrentHealthy int32 `json:"currentHealthy" protobuf:"varint,4,opt,name=currentHealthy"`
+
+	// minimum desired number of healthy pods
+	DesiredHealthy int32 `json:"desiredHealthy" protobuf:"varint,5,opt,name=desiredHealthy"`
+
+	// total number of pods counted by this disruption budget
+	ExpectedPods int32 `json:"expectedPods" protobuf:"varint,6,opt,name=expectedPods"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
+type PodDisruptionBudget struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior of the PodDisruptionBudget.
+	Spec PodDisruptionBudgetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+	// Most recently observed status of the PodDisruptionBudget.
+	Status PodDisruptionBudgetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
+type PodDisruptionBudgetList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	Items           []PodDisruptionBudget `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +genclient:noVerbs
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Eviction evicts a pod from its node subject to certain policies and safety constraints.
+// This is a subresource of Pod.  A request to cause such an eviction is
+// created by POSTing to .../pods/<pod name>/evictions.
+type Eviction struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// ObjectMeta describes the pod that is being evicted.
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// DeleteOptions may be provided
+	DeleteOptions *metav1.DeleteOptions `json:"deleteOptions,omitempty" protobuf:"bytes,2,opt,name=deleteOptions"`
+}
diff --git a/cli/vendor/k8s.io/api/policy/v1beta1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/policy/v1beta1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..29432506
--- /dev/null
+++ b/cli/vendor/k8s.io/api/policy/v1beta1/types_swagger_doc_generated.go
@@ -0,0 +1,83 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_Eviction = map[string]string{
+	"":              "Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod.  A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.",
+	"metadata":      "ObjectMeta describes the pod that is being evicted.",
+	"deleteOptions": "DeleteOptions may be provided",
+}
+
+func (Eviction) SwaggerDoc() map[string]string {
+	return map_Eviction
+}
+
+var map_PodDisruptionBudget = map[string]string{
+	"":       "PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods",
+	"spec":   "Specification of the desired behavior of the PodDisruptionBudget.",
+	"status": "Most recently observed status of the PodDisruptionBudget.",
+}
+
+func (PodDisruptionBudget) SwaggerDoc() map[string]string {
+	return map_PodDisruptionBudget
+}
+
+var map_PodDisruptionBudgetList = map[string]string{
+	"": "PodDisruptionBudgetList is a collection of PodDisruptionBudgets.",
+}
+
+func (PodDisruptionBudgetList) SwaggerDoc() map[string]string {
+	return map_PodDisruptionBudgetList
+}
+
+var map_PodDisruptionBudgetSpec = map[string]string{
+	"":               "PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.",
+	"minAvailable":   "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod.  So for example you can prevent all voluntary evictions by specifying \"100%\".",
+	"selector":       "Label query over pods whose evictions are managed by the disruption budget.",
+	"maxUnavailable": "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\".",
+}
+
+func (PodDisruptionBudgetSpec) SwaggerDoc() map[string]string {
+	return map_PodDisruptionBudgetSpec
+}
+
+var map_PodDisruptionBudgetStatus = map[string]string{
+	"":                   "PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.",
+	"observedGeneration": "Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other status informatio is valid only if observedGeneration equals to PDB's object generation.",
+	"disruptedPods":      "DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.",
+	"disruptionsAllowed": "Number of pod disruptions that are currently allowed.",
+	"currentHealthy":     "current number of healthy pods",
+	"desiredHealthy":     "minimum desired number of healthy pods",
+	"expectedPods":       "total number of pods counted by this disruption budget",
+}
+
+func (PodDisruptionBudgetStatus) SwaggerDoc() map[string]string {
+	return map_PodDisruptionBudgetStatus
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/policy/v1beta1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/policy/v1beta1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..b0f355c6
--- /dev/null
+++ b/cli/vendor/k8s.io/api/policy/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,227 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	intstr "k8s.io/apimachinery/pkg/util/intstr"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Eviction).DeepCopyInto(out.(*Eviction))
+			return nil
+		}, InType: reflect.TypeOf(&Eviction{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodDisruptionBudget).DeepCopyInto(out.(*PodDisruptionBudget))
+			return nil
+		}, InType: reflect.TypeOf(&PodDisruptionBudget{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodDisruptionBudgetList).DeepCopyInto(out.(*PodDisruptionBudgetList))
+			return nil
+		}, InType: reflect.TypeOf(&PodDisruptionBudgetList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodDisruptionBudgetSpec).DeepCopyInto(out.(*PodDisruptionBudgetSpec))
+			return nil
+		}, InType: reflect.TypeOf(&PodDisruptionBudgetSpec{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodDisruptionBudgetStatus).DeepCopyInto(out.(*PodDisruptionBudgetStatus))
+			return nil
+		}, InType: reflect.TypeOf(&PodDisruptionBudgetStatus{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Eviction) DeepCopyInto(out *Eviction) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.DeleteOptions != nil {
+		in, out := &in.DeleteOptions, &out.DeleteOptions
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.DeleteOptions)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eviction.
+func (in *Eviction) DeepCopy() *Eviction {
+	if in == nil {
+		return nil
+	}
+	out := new(Eviction)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Eviction) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudget.
+func (in *PodDisruptionBudget) DeepCopy() *PodDisruptionBudget {
+	if in == nil {
+		return nil
+	}
+	out := new(PodDisruptionBudget)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodDisruptionBudget) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodDisruptionBudgetList) DeepCopyInto(out *PodDisruptionBudgetList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PodDisruptionBudget, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetList.
+func (in *PodDisruptionBudgetList) DeepCopy() *PodDisruptionBudgetList {
+	if in == nil {
+		return nil
+	}
+	out := new(PodDisruptionBudgetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodDisruptionBudgetList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodDisruptionBudgetSpec) DeepCopyInto(out *PodDisruptionBudgetSpec) {
+	*out = *in
+	if in.MinAvailable != nil {
+		in, out := &in.MinAvailable, &out.MinAvailable
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.LabelSelector)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.MaxUnavailable != nil {
+		in, out := &in.MaxUnavailable, &out.MaxUnavailable
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(intstr.IntOrString)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetSpec.
+func (in *PodDisruptionBudgetSpec) DeepCopy() *PodDisruptionBudgetSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PodDisruptionBudgetSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodDisruptionBudgetStatus) DeepCopyInto(out *PodDisruptionBudgetStatus) {
+	*out = *in
+	if in.DisruptedPods != nil {
+		in, out := &in.DisruptedPods, &out.DisruptedPods
+		*out = make(map[string]v1.Time, len(*in))
+		for key, val := range *in {
+			(*out)[key] = *val.DeepCopy()
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetStatus.
+func (in *PodDisruptionBudgetStatus) DeepCopy() *PodDisruptionBudgetStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(PodDisruptionBudgetStatus)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1/doc.go b/cli/vendor/k8s.io/api/rbac/v1/doc.go
new file mode 100644
index 00000000..737261a0
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+// +groupName=rbac.authorization.k8s.io
+package v1 // import "k8s.io/api/rbac/v1"
diff --git a/cli/vendor/k8s.io/api/rbac/v1/generated.pb.go b/cli/vendor/k8s.io/api/rbac/v1/generated.pb.go
new file mode 100644
index 00000000..44abc170
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1/generated.pb.go
@@ -0,0 +1,2555 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/rbac/v1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/rbac/v1/generated.proto
+
+	It has these top-level messages:
+		ClusterRole
+		ClusterRoleBinding
+		ClusterRoleBindingList
+		ClusterRoleList
+		PolicyRule
+		Role
+		RoleBinding
+		RoleBindingList
+		RoleList
+		RoleRef
+		Subject
+*/
+package v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *ClusterRole) Reset()                    { *m = ClusterRole{} }
+func (*ClusterRole) ProtoMessage()               {}
+func (*ClusterRole) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *ClusterRoleBinding) Reset()                    { *m = ClusterRoleBinding{} }
+func (*ClusterRoleBinding) ProtoMessage()               {}
+func (*ClusterRoleBinding) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *ClusterRoleBindingList) Reset()                    { *m = ClusterRoleBindingList{} }
+func (*ClusterRoleBindingList) ProtoMessage()               {}
+func (*ClusterRoleBindingList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *ClusterRoleList) Reset()                    { *m = ClusterRoleList{} }
+func (*ClusterRoleList) ProtoMessage()               {}
+func (*ClusterRoleList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *PolicyRule) Reset()                    { *m = PolicyRule{} }
+func (*PolicyRule) ProtoMessage()               {}
+func (*PolicyRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *Role) Reset()                    { *m = Role{} }
+func (*Role) ProtoMessage()               {}
+func (*Role) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func (m *RoleBinding) Reset()                    { *m = RoleBinding{} }
+func (*RoleBinding) ProtoMessage()               {}
+func (*RoleBinding) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *RoleBindingList) Reset()                    { *m = RoleBindingList{} }
+func (*RoleBindingList) ProtoMessage()               {}
+func (*RoleBindingList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *RoleList) Reset()                    { *m = RoleList{} }
+func (*RoleList) ProtoMessage()               {}
+func (*RoleList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *RoleRef) Reset()                    { *m = RoleRef{} }
+func (*RoleRef) ProtoMessage()               {}
+func (*RoleRef) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+
+func (m *Subject) Reset()                    { *m = Subject{} }
+func (*Subject) ProtoMessage()               {}
+func (*Subject) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+
+func init() {
+	proto.RegisterType((*ClusterRole)(nil), "k8s.io.api.rbac.v1.ClusterRole")
+	proto.RegisterType((*ClusterRoleBinding)(nil), "k8s.io.api.rbac.v1.ClusterRoleBinding")
+	proto.RegisterType((*ClusterRoleBindingList)(nil), "k8s.io.api.rbac.v1.ClusterRoleBindingList")
+	proto.RegisterType((*ClusterRoleList)(nil), "k8s.io.api.rbac.v1.ClusterRoleList")
+	proto.RegisterType((*PolicyRule)(nil), "k8s.io.api.rbac.v1.PolicyRule")
+	proto.RegisterType((*Role)(nil), "k8s.io.api.rbac.v1.Role")
+	proto.RegisterType((*RoleBinding)(nil), "k8s.io.api.rbac.v1.RoleBinding")
+	proto.RegisterType((*RoleBindingList)(nil), "k8s.io.api.rbac.v1.RoleBindingList")
+	proto.RegisterType((*RoleList)(nil), "k8s.io.api.rbac.v1.RoleList")
+	proto.RegisterType((*RoleRef)(nil), "k8s.io.api.rbac.v1.RoleRef")
+	proto.RegisterType((*Subject)(nil), "k8s.io.api.rbac.v1.Subject")
+}
+func (m *ClusterRole) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRole) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	if len(m.Rules) > 0 {
+		for _, msg := range m.Rules {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ClusterRoleBinding) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRoleBinding) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n2, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	if len(m.Subjects) > 0 {
+		for _, msg := range m.Subjects {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RoleRef.Size()))
+	n3, err := m.RoleRef.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *ClusterRoleBindingList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRoleBindingList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n4, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ClusterRoleList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRoleList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n5, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PolicyRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.ResourceNames) > 0 {
+		for _, s := range m.ResourceNames {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NonResourceURLs) > 0 {
+		for _, s := range m.NonResourceURLs {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *Role) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Role) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n6, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	if len(m.Rules) > 0 {
+		for _, msg := range m.Rules {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *RoleBinding) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleBinding) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n7, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n7
+	if len(m.Subjects) > 0 {
+		for _, msg := range m.Subjects {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RoleRef.Size()))
+	n8, err := m.RoleRef.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n8
+	return i, nil
+}
+
+func (m *RoleBindingList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleBindingList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n9, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *RoleList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n10, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *RoleRef) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleRef) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIGroup)))
+	i += copy(dAtA[i:], m.APIGroup)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	return i, nil
+}
+
+func (m *Subject) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Subject) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIGroup)))
+	i += copy(dAtA[i:], m.APIGroup)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *ClusterRole) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Rules) > 0 {
+		for _, e := range m.Rules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ClusterRoleBinding) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Subjects) > 0 {
+		for _, e := range m.Subjects {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.RoleRef.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ClusterRoleBindingList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ClusterRoleList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PolicyRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.ResourceNames) > 0 {
+		for _, s := range m.ResourceNames {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.NonResourceURLs) > 0 {
+		for _, s := range m.NonResourceURLs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Role) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Rules) > 0 {
+		for _, e := range m.Rules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RoleBinding) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Subjects) > 0 {
+		for _, e := range m.Subjects {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.RoleRef.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *RoleBindingList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RoleList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RoleRef) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.APIGroup)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Subject) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.APIGroup)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *ClusterRole) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRole{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "PolicyRule", "PolicyRule", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterRoleBinding) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRoleBinding{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Subjects:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Subjects), "Subject", "Subject", 1), `&`, ``, 1) + `,`,
+		`RoleRef:` + strings.Replace(strings.Replace(this.RoleRef.String(), "RoleRef", "RoleRef", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterRoleBindingList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRoleBindingList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ClusterRoleBinding", "ClusterRoleBinding", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterRoleList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRoleList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ClusterRole", "ClusterRole", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PolicyRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PolicyRule{`,
+		`Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`,
+		`APIGroups:` + fmt.Sprintf("%v", this.APIGroups) + `,`,
+		`Resources:` + fmt.Sprintf("%v", this.Resources) + `,`,
+		`ResourceNames:` + fmt.Sprintf("%v", this.ResourceNames) + `,`,
+		`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Role) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Role{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "PolicyRule", "PolicyRule", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleBinding) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleBinding{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Subjects:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Subjects), "Subject", "Subject", 1), `&`, ``, 1) + `,`,
+		`RoleRef:` + strings.Replace(strings.Replace(this.RoleRef.String(), "RoleRef", "RoleRef", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleBindingList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleBindingList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "RoleBinding", "RoleBinding", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Role", "Role", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleRef) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleRef{`,
+		`APIGroup:` + fmt.Sprintf("%v", this.APIGroup) + `,`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Subject) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Subject{`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`APIGroup:` + fmt.Sprintf("%v", this.APIGroup) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *ClusterRole) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRole: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRole: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rules = append(m.Rules, PolicyRule{})
+			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterRoleBinding) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRoleBinding: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRoleBinding: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subjects", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subjects = append(m.Subjects, Subject{})
+			if err := m.Subjects[len(m.Subjects)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RoleRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.RoleRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterRoleBindingList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRoleBindingList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRoleBindingList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ClusterRoleBinding{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterRoleList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRoleList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRoleList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ClusterRole{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PolicyRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PolicyRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PolicyRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroups = append(m.APIGroups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resources = append(m.Resources, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceNames", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceNames = append(m.ResourceNames, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceURLs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Role) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Role: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Role: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rules = append(m.Rules, PolicyRule{})
+			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleBinding) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleBinding: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleBinding: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subjects", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subjects = append(m.Subjects, Subject{})
+			if err := m.Subjects[len(m.Subjects)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RoleRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.RoleRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleBindingList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleBindingList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleBindingList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, RoleBinding{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Role{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleRef) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleRef: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleRef: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroup", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroup = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Subject) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Subject: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Subject: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroup", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroup = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/rbac/v1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 743 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe4, 0x94, 0x4f, 0x6b, 0x13, 0x4f,
+	0x18, 0xc7, 0x33, 0xf9, 0x43, 0xb3, 0x93, 0x5f, 0xc8, 0xaf, 0x2b, 0xc8, 0x52, 0x61, 0x13, 0x72,
+	0x90, 0x80, 0xba, 0x6b, 0xaa, 0xa8, 0x20, 0x3d, 0xb8, 0x15, 0xa5, 0xb4, 0xd6, 0x32, 0xa2, 0x07,
+	0xf1, 0xe0, 0x66, 0x33, 0x4d, 0xc7, 0x64, 0xff, 0x30, 0x33, 0x1b, 0x28, 0x5e, 0xc4, 0x9b, 0x37,
+	0xdf, 0x85, 0x17, 0xbd, 0xe9, 0x2b, 0xf0, 0xd2, 0x63, 0x8f, 0x3d, 0x05, 0xbb, 0xbe, 0x10, 0x65,
+	0x66, 0x77, 0xb3, 0x49, 0x93, 0xd8, 0x9e, 0x02, 0xe2, 0x29, 0x99, 0xe7, 0xf9, 0x7c, 0x9f, 0xf9,
+	0xce, 0xb3, 0x33, 0x0f, 0xbc, 0xdf, 0xbf, 0xc7, 0x0c, 0xe2, 0x9b, 0xfd, 0xb0, 0x83, 0xa9, 0x87,
+	0x39, 0x66, 0xe6, 0x10, 0x7b, 0x5d, 0x9f, 0x9a, 0x49, 0xc2, 0x0e, 0x88, 0x49, 0x3b, 0xb6, 0x63,
+	0x0e, 0xdb, 0x66, 0x0f, 0x7b, 0x98, 0xda, 0x1c, 0x77, 0x8d, 0x80, 0xfa, 0xdc, 0x57, 0xd5, 0x98,
+	0x31, 0xec, 0x80, 0x18, 0x82, 0x31, 0x86, 0xed, 0xb5, 0x1b, 0x3d, 0xc2, 0x0f, 0xc2, 0x8e, 0xe1,
+	0xf8, 0xae, 0xd9, 0xf3, 0x7b, 0xbe, 0x29, 0xd1, 0x4e, 0xb8, 0x2f, 0x57, 0x72, 0x21, 0xff, 0xc5,
+	0x25, 0xd6, 0x6e, 0x67, 0xdb, 0xb8, 0xb6, 0x73, 0x40, 0x3c, 0x4c, 0x0f, 0xcd, 0xa0, 0xdf, 0x13,
+	0x01, 0x66, 0xba, 0x98, 0xdb, 0x73, 0x36, 0x5e, 0x33, 0x17, 0xa9, 0x68, 0xe8, 0x71, 0xe2, 0xe2,
+	0x19, 0xc1, 0x9d, 0xf3, 0x04, 0xcc, 0x39, 0xc0, 0xae, 0x3d, 0xa3, 0xbb, 0xb5, 0x48, 0x17, 0x72,
+	0x32, 0x30, 0x89, 0xc7, 0x19, 0xa7, 0x67, 0x45, 0xcd, 0xaf, 0x00, 0x56, 0x36, 0x07, 0x21, 0xe3,
+	0x98, 0x22, 0x7f, 0x80, 0xd5, 0xd7, 0xb0, 0x2c, 0x0e, 0xd2, 0xb5, 0xb9, 0xad, 0x81, 0x06, 0x68,
+	0x55, 0xd6, 0x6f, 0x1a, 0x59, 0xe7, 0xc6, 0x75, 0x8d, 0xa0, 0xdf, 0x13, 0x01, 0x66, 0x08, 0xda,
+	0x18, 0xb6, 0x8d, 0xa7, 0x9d, 0x37, 0xd8, 0xe1, 0x4f, 0x30, 0xb7, 0x2d, 0xf5, 0x68, 0x54, 0xcf,
+	0x45, 0xa3, 0x3a, 0xcc, 0x62, 0x68, 0x5c, 0x55, 0xdd, 0x84, 0x25, 0x1a, 0x0e, 0x30, 0xd3, 0xf2,
+	0x8d, 0x42, 0xab, 0xb2, 0xae, 0x1b, 0xb3, 0x1f, 0xc6, 0xd8, 0xf3, 0x07, 0xc4, 0x39, 0x44, 0xe1,
+	0x00, 0x5b, 0xd5, 0xa4, 0x58, 0x49, 0xac, 0x18, 0x8a, 0xb5, 0xcd, 0x0f, 0x79, 0xa8, 0x4e, 0xd8,
+	0xb6, 0x88, 0xd7, 0x25, 0x5e, 0x6f, 0x09, 0xee, 0xb7, 0x60, 0x99, 0x85, 0x32, 0x91, 0x1e, 0xe0,
+	0xca, 0xbc, 0x03, 0x3c, 0x8b, 0x19, 0xeb, 0xff, 0xa4, 0x58, 0x39, 0x09, 0x30, 0x34, 0x96, 0xab,
+	0x8f, 0xe0, 0x0a, 0xf5, 0x07, 0x18, 0xe1, 0x7d, 0xad, 0x20, 0xbd, 0xce, 0xad, 0x84, 0x62, 0xc4,
+	0xaa, 0x25, 0x95, 0x56, 0x92, 0x00, 0x4a, 0xc5, 0xcd, 0xef, 0x00, 0x5e, 0x9e, 0xed, 0xc5, 0x0e,
+	0x61, 0x5c, 0x7d, 0x35, 0xd3, 0x0f, 0xe3, 0x62, 0xfd, 0x10, 0x6a, 0xd9, 0x8d, 0xf1, 0x01, 0xd2,
+	0xc8, 0x44, 0x2f, 0xb6, 0x61, 0x89, 0x70, 0xec, 0xa6, 0x8d, 0xb8, 0x3a, 0xcf, 0xfe, 0xac, 0xb1,
+	0xec, 0x8b, 0x6e, 0x09, 0x31, 0x8a, 0x6b, 0x34, 0xbf, 0x01, 0x58, 0x9b, 0x80, 0x97, 0x60, 0xff,
+	0xe1, 0xb4, 0xfd, 0xfa, 0x79, 0xf6, 0xe7, 0xfb, 0xfe, 0x05, 0x20, 0xcc, 0xae, 0xab, 0x5a, 0x87,
+	0xa5, 0x21, 0xa6, 0x1d, 0xa6, 0x81, 0x46, 0xa1, 0xa5, 0x58, 0x8a, 0xe0, 0x5f, 0x88, 0x00, 0x8a,
+	0xe3, 0xea, 0x35, 0xa8, 0xd8, 0x01, 0x79, 0x4c, 0xfd, 0x30, 0x88, 0x77, 0x56, 0xac, 0x6a, 0x34,
+	0xaa, 0x2b, 0x0f, 0xf6, 0xb6, 0xe2, 0x20, 0xca, 0xf2, 0x02, 0xa6, 0x98, 0xf9, 0x21, 0x75, 0x30,
+	0xd3, 0x0a, 0x19, 0x8c, 0xd2, 0x20, 0xca, 0xf2, 0xea, 0x5d, 0x58, 0x4d, 0x17, 0xbb, 0xb6, 0x8b,
+	0x99, 0x56, 0x94, 0x82, 0xd5, 0x68, 0x54, 0xaf, 0xa2, 0xc9, 0x04, 0x9a, 0xe6, 0xd4, 0x0d, 0x58,
+	0xf3, 0x7c, 0x2f, 0x45, 0x9e, 0xa3, 0x1d, 0xa6, 0x95, 0xa4, 0xf4, 0x52, 0x34, 0xaa, 0xd7, 0x76,
+	0xa7, 0x53, 0xe8, 0x2c, 0xdb, 0xfc, 0x02, 0x60, 0xf1, 0x6f, 0x9a, 0x1d, 0xef, 0xf3, 0xb0, 0xf2,
+	0xcf, 0x0f, 0x0d, 0xf1, 0xdc, 0x96, 0x3b, 0x2d, 0x2e, 0xf2, 0xdc, 0xce, 0x1f, 0x13, 0x9f, 0x00,
+	0x2c, 0x2f, 0x69, 0x3e, 0x6c, 0x4c, 0x1b, 0xd6, 0x16, 0x1a, 0x9e, 0xef, 0xf4, 0x2d, 0x4c, 0xbb,
+	0xae, 0x5e, 0x87, 0xe5, 0xf4, 0x4d, 0x4b, 0x9f, 0x4a, 0xb6, 0x6f, 0xfa, 0xec, 0xd1, 0x98, 0x50,
+	0x1b, 0xb0, 0xd8, 0x27, 0x5e, 0x57, 0xcb, 0x4b, 0xf2, 0xbf, 0x84, 0x2c, 0x6e, 0x13, 0xaf, 0x8b,
+	0x64, 0x46, 0x10, 0x9e, 0xed, 0x62, 0x79, 0x03, 0x26, 0x08, 0xf1, 0x9a, 0x91, 0xcc, 0x34, 0x3f,
+	0x03, 0xb8, 0x92, 0xdc, 0x9e, 0x71, 0x3d, 0xb0, 0xb0, 0xde, 0xa4, 0xbf, 0xfc, 0x45, 0xfc, 0xfd,
+	0x79, 0x77, 0xd5, 0x84, 0x8a, 0xf8, 0x65, 0x81, 0xed, 0x60, 0xad, 0x28, 0xb1, 0xd5, 0x04, 0x53,
+	0x76, 0xd3, 0x04, 0xca, 0x18, 0xab, 0x75, 0x74, 0xaa, 0xe7, 0x8e, 0x4f, 0xf5, 0xdc, 0xc9, 0xa9,
+	0x9e, 0x7b, 0x17, 0xe9, 0xe0, 0x28, 0xd2, 0xc1, 0x71, 0xa4, 0x83, 0x93, 0x48, 0x07, 0x3f, 0x22,
+	0x1d, 0x7c, 0xfc, 0xa9, 0xe7, 0x5e, 0xe6, 0x87, 0xed, 0xdf, 0x01, 0x00, 0x00, 0xff, 0xff, 0x66,
+	0x92, 0x08, 0x1d, 0x04, 0x0a, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1/generated.proto b/cli/vendor/k8s.io/api/rbac/v1/generated.proto
new file mode 100644
index 00000000..c35e5fec
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1/generated.proto
@@ -0,0 +1,182 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.rbac.v1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1";
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+message ClusterRole {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Rules holds all the PolicyRules for this ClusterRole
+  repeated PolicyRule rules = 2;
+}
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+message ClusterRoleBinding {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Subjects holds references to the objects the role applies to.
+  repeated Subject subjects = 2;
+
+  // RoleRef can only reference a ClusterRole in the global namespace.
+  // If the RoleRef cannot be resolved, the Authorizer must return an error.
+  optional RoleRef roleRef = 3;
+}
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+message ClusterRoleBindingList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of ClusterRoleBindings
+  repeated ClusterRoleBinding items = 2;
+}
+
+// ClusterRoleList is a collection of ClusterRoles
+message ClusterRoleList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of ClusterRoles
+  repeated ClusterRole items = 2;
+}
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+message PolicyRule {
+  // Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+  repeated string verbs = 1;
+
+  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+  // the enumerated resources in any API group will be allowed.
+  // +optional
+  repeated string apiGroups = 2;
+
+  // Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+  // +optional
+  repeated string resources = 3;
+
+  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+  // +optional
+  repeated string resourceNames = 4;
+
+  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+  // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+  // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+  // +optional
+  repeated string nonResourceURLs = 5;
+}
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+message Role {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Rules holds all the PolicyRules for this Role
+  repeated PolicyRule rules = 2;
+}
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+message RoleBinding {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Subjects holds references to the objects the role applies to.
+  repeated Subject subjects = 2;
+
+  // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+  // If the RoleRef cannot be resolved, the Authorizer must return an error.
+  optional RoleRef roleRef = 3;
+}
+
+// RoleBindingList is a collection of RoleBindings
+message RoleBindingList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of RoleBindings
+  repeated RoleBinding items = 2;
+}
+
+// RoleList is a collection of Roles
+message RoleList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of Roles
+  repeated Role items = 2;
+}
+
+// RoleRef contains information that points to the role being used
+message RoleRef {
+  // APIGroup is the group for the resource being referenced
+  optional string apiGroup = 1;
+
+  // Kind is the type of resource being referenced
+  optional string kind = 2;
+
+  // Name is the name of resource being referenced
+  optional string name = 3;
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+message Subject {
+  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+  optional string kind = 1;
+
+  // APIGroup holds the API group of the referenced subject.
+  // Defaults to "" for ServiceAccount subjects.
+  // Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+  // +optional
+  optional string apiGroup = 2;
+
+  // Name of the object being referenced.
+  optional string name = 3;
+
+  // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+  // the Authorizer should report an error.
+  // +optional
+  optional string namespace = 4;
+}
+
diff --git a/cli/vendor/k8s.io/api/rbac/v1/register.go b/cli/vendor/k8s.io/api/rbac/v1/register.go
new file mode 100644
index 00000000..7336b545
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1/register.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "rbac.authorization.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Role{},
+		&RoleBinding{},
+		&RoleBindingList{},
+		&RoleList{},
+
+		&ClusterRole{},
+		&ClusterRoleBinding{},
+		&ClusterRoleBindingList{},
+		&ClusterRoleList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1/types.go b/cli/vendor/k8s.io/api/rbac/v1/types.go
new file mode 100644
index 00000000..8dbd1a8b
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1/types.go
@@ -0,0 +1,219 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+
+const (
+	APIGroupAll    = "*"
+	ResourceAll    = "*"
+	VerbAll        = "*"
+	NonResourceAll = "*"
+
+	GroupKind          = "Group"
+	ServiceAccountKind = "ServiceAccount"
+	UserKind           = "User"
+
+	// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false"
+	AutoUpdateAnnotationKey = "rbac.authorization.kubernetes.io/autoupdate"
+)
+
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+type PolicyRule struct {
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
+
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed.
+	// +optional
+	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
+	// Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+	// +optional
+	Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	// +optional
+	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
+
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+	// +optional
+	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,5,rep,name=nonResourceURLs"`
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+type Subject struct {
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
+	// APIGroup holds the API group of the referenced subject.
+	// Defaults to "" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+	// +optional
+	APIGroup string `json:"apiGroup,omitempty" protobuf:"bytes,2,opt.name=apiGroup"`
+	// Name of the object being referenced.
+	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,4,opt,name=namespace"`
+}
+
+// RoleRef contains information that points to the role being used
+type RoleRef struct {
+	// APIGroup is the group for the resource being referenced
+	APIGroup string `json:"apiGroup" protobuf:"bytes,1,opt,name=apiGroup"`
+	// Kind is the type of resource being referenced
+	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
+	// Name is the name of resource being referenced
+	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+type Role struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Rules holds all the PolicyRules for this Role
+	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+type RoleBinding struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Subjects holds references to the objects the role applies to.
+	Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleBindingList is a collection of RoleBindings
+type RoleBindingList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of RoleBindings
+	Items []RoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleList is a collection of Roles
+type RoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of Roles
+	Items []Role `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+type ClusterRole struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Rules holds all the PolicyRules for this ClusterRole
+	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+type ClusterRoleBinding struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Subjects holds references to the objects the role applies to.
+	Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+type ClusterRoleBindingList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of ClusterRoleBindings
+	Items []ClusterRoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRoleList is a collection of ClusterRoles
+type ClusterRoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of ClusterRoles
+	Items []ClusterRole `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/rbac/v1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..7770d408
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1/types_swagger_doc_generated.go
@@ -0,0 +1,148 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_ClusterRole = map[string]string{
+	"":         "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.",
+	"metadata": "Standard object's metadata.",
+	"rules":    "Rules holds all the PolicyRules for this ClusterRole",
+}
+
+func (ClusterRole) SwaggerDoc() map[string]string {
+	return map_ClusterRole
+}
+
+var map_ClusterRoleBinding = map[string]string{
+	"":         "ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace, and adds who information via Subject.",
+	"metadata": "Standard object's metadata.",
+	"subjects": "Subjects holds references to the objects the role applies to.",
+	"roleRef":  "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
+}
+
+func (ClusterRoleBinding) SwaggerDoc() map[string]string {
+	return map_ClusterRoleBinding
+}
+
+var map_ClusterRoleBindingList = map[string]string{
+	"":         "ClusterRoleBindingList is a collection of ClusterRoleBindings",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of ClusterRoleBindings",
+}
+
+func (ClusterRoleBindingList) SwaggerDoc() map[string]string {
+	return map_ClusterRoleBindingList
+}
+
+var map_ClusterRoleList = map[string]string{
+	"":         "ClusterRoleList is a collection of ClusterRoles",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of ClusterRoles",
+}
+
+func (ClusterRoleList) SwaggerDoc() map[string]string {
+	return map_ClusterRoleList
+}
+
+var map_PolicyRule = map[string]string{
+	"":                "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.",
+	"verbs":           "Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.",
+	"apiGroups":       "APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.",
+	"resources":       "Resources is a list of resources this rule applies to.  ResourceAll represents all resources.",
+	"resourceNames":   "ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.",
+	"nonResourceURLs": "NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"),  but not both.",
+}
+
+func (PolicyRule) SwaggerDoc() map[string]string {
+	return map_PolicyRule
+}
+
+var map_Role = map[string]string{
+	"":         "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.",
+	"metadata": "Standard object's metadata.",
+	"rules":    "Rules holds all the PolicyRules for this Role",
+}
+
+func (Role) SwaggerDoc() map[string]string {
+	return map_Role
+}
+
+var map_RoleBinding = map[string]string{
+	"":         "RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace.",
+	"metadata": "Standard object's metadata.",
+	"subjects": "Subjects holds references to the objects the role applies to.",
+	"roleRef":  "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
+}
+
+func (RoleBinding) SwaggerDoc() map[string]string {
+	return map_RoleBinding
+}
+
+var map_RoleBindingList = map[string]string{
+	"":         "RoleBindingList is a collection of RoleBindings",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of RoleBindings",
+}
+
+func (RoleBindingList) SwaggerDoc() map[string]string {
+	return map_RoleBindingList
+}
+
+var map_RoleList = map[string]string{
+	"":         "RoleList is a collection of Roles",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of Roles",
+}
+
+func (RoleList) SwaggerDoc() map[string]string {
+	return map_RoleList
+}
+
+var map_RoleRef = map[string]string{
+	"":         "RoleRef contains information that points to the role being used",
+	"apiGroup": "APIGroup is the group for the resource being referenced",
+	"kind":     "Kind is the type of resource being referenced",
+	"name":     "Name is the name of resource being referenced",
+}
+
+func (RoleRef) SwaggerDoc() map[string]string {
+	return map_RoleRef
+}
+
+var map_Subject = map[string]string{
+	"":          "Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
+	"kind":      "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",
+	"apiGroup":  "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.",
+	"name":      "Name of the object being referenced.",
+	"namespace": "Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.",
+}
+
+func (Subject) SwaggerDoc() map[string]string {
+	return map_Subject
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/rbac/v1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/rbac/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..2ceee7ec
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1/zz_generated.deepcopy.go
@@ -0,0 +1,427 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRole).DeepCopyInto(out.(*ClusterRole))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRole{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRoleBinding).DeepCopyInto(out.(*ClusterRoleBinding))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRoleBinding{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRoleBindingList).DeepCopyInto(out.(*ClusterRoleBindingList))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRoleBindingList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRoleList).DeepCopyInto(out.(*ClusterRoleList))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRoleList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PolicyRule).DeepCopyInto(out.(*PolicyRule))
+			return nil
+		}, InType: reflect.TypeOf(&PolicyRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Role).DeepCopyInto(out.(*Role))
+			return nil
+		}, InType: reflect.TypeOf(&Role{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleBinding).DeepCopyInto(out.(*RoleBinding))
+			return nil
+		}, InType: reflect.TypeOf(&RoleBinding{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleBindingList).DeepCopyInto(out.(*RoleBindingList))
+			return nil
+		}, InType: reflect.TypeOf(&RoleBindingList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleList).DeepCopyInto(out.(*RoleList))
+			return nil
+		}, InType: reflect.TypeOf(&RoleList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleRef).DeepCopyInto(out.(*RoleRef))
+			return nil
+		}, InType: reflect.TypeOf(&RoleRef{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Subject).DeepCopyInto(out.(*Subject))
+			return nil
+		}, InType: reflect.TypeOf(&Subject{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRole) DeepCopyInto(out *ClusterRole) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRole.
+func (in *ClusterRole) DeepCopy() *ClusterRole {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRole)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRole) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRoleBinding) DeepCopyInto(out *ClusterRoleBinding) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]Subject, len(*in))
+		copy(*out, *in)
+	}
+	out.RoleRef = in.RoleRef
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleBinding.
+func (in *ClusterRoleBinding) DeepCopy() *ClusterRoleBinding {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRoleBinding)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRoleBinding) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRoleBindingList) DeepCopyInto(out *ClusterRoleBindingList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterRoleBinding, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleBindingList.
+func (in *ClusterRoleBindingList) DeepCopy() *ClusterRoleBindingList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRoleBindingList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRoleBindingList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRoleList) DeepCopyInto(out *ClusterRoleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterRole, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleList.
+func (in *ClusterRoleList) DeepCopy() *ClusterRoleList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRoleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRoleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
+	*out = *in
+	if in.Verbs != nil {
+		in, out := &in.Verbs, &out.Verbs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.APIGroups != nil {
+		in, out := &in.APIGroups, &out.APIGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ResourceNames != nil {
+		in, out := &in.ResourceNames, &out.ResourceNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.NonResourceURLs != nil {
+		in, out := &in.NonResourceURLs, &out.NonResourceURLs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRule.
+func (in *PolicyRule) DeepCopy() *PolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Role) DeepCopyInto(out *Role) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Role.
+func (in *Role) DeepCopy() *Role {
+	if in == nil {
+		return nil
+	}
+	out := new(Role)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Role) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleBinding) DeepCopyInto(out *RoleBinding) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]Subject, len(*in))
+		copy(*out, *in)
+	}
+	out.RoleRef = in.RoleRef
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBinding.
+func (in *RoleBinding) DeepCopy() *RoleBinding {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleBinding)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleBinding) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleBindingList) DeepCopyInto(out *RoleBindingList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RoleBinding, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBindingList.
+func (in *RoleBindingList) DeepCopy() *RoleBindingList {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleBindingList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleBindingList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleList) DeepCopyInto(out *RoleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Role, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleList.
+func (in *RoleList) DeepCopy() *RoleList {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleRef) DeepCopyInto(out *RoleRef) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleRef.
+func (in *RoleRef) DeepCopy() *RoleRef {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Subject) DeepCopyInto(out *Subject) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Subject.
+func (in *Subject) DeepCopy() *Subject {
+	if in == nil {
+		return nil
+	}
+	out := new(Subject)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1alpha1/doc.go b/cli/vendor/k8s.io/api/rbac/v1alpha1/doc.go
new file mode 100644
index 00000000..619b47bf
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1alpha1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+// +groupName=rbac.authorization.k8s.io
+package v1alpha1 // import "k8s.io/api/rbac/v1alpha1"
diff --git a/cli/vendor/k8s.io/api/rbac/v1alpha1/generated.pb.go b/cli/vendor/k8s.io/api/rbac/v1alpha1/generated.pb.go
new file mode 100644
index 00000000..d4b2ddaa
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1alpha1/generated.pb.go
@@ -0,0 +1,2556 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/rbac/v1alpha1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1alpha1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/rbac/v1alpha1/generated.proto
+
+	It has these top-level messages:
+		ClusterRole
+		ClusterRoleBinding
+		ClusterRoleBindingList
+		ClusterRoleList
+		PolicyRule
+		Role
+		RoleBinding
+		RoleBindingList
+		RoleList
+		RoleRef
+		Subject
+*/
+package v1alpha1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *ClusterRole) Reset()                    { *m = ClusterRole{} }
+func (*ClusterRole) ProtoMessage()               {}
+func (*ClusterRole) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *ClusterRoleBinding) Reset()                    { *m = ClusterRoleBinding{} }
+func (*ClusterRoleBinding) ProtoMessage()               {}
+func (*ClusterRoleBinding) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *ClusterRoleBindingList) Reset()                    { *m = ClusterRoleBindingList{} }
+func (*ClusterRoleBindingList) ProtoMessage()               {}
+func (*ClusterRoleBindingList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *ClusterRoleList) Reset()                    { *m = ClusterRoleList{} }
+func (*ClusterRoleList) ProtoMessage()               {}
+func (*ClusterRoleList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *PolicyRule) Reset()                    { *m = PolicyRule{} }
+func (*PolicyRule) ProtoMessage()               {}
+func (*PolicyRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *Role) Reset()                    { *m = Role{} }
+func (*Role) ProtoMessage()               {}
+func (*Role) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func (m *RoleBinding) Reset()                    { *m = RoleBinding{} }
+func (*RoleBinding) ProtoMessage()               {}
+func (*RoleBinding) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *RoleBindingList) Reset()                    { *m = RoleBindingList{} }
+func (*RoleBindingList) ProtoMessage()               {}
+func (*RoleBindingList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *RoleList) Reset()                    { *m = RoleList{} }
+func (*RoleList) ProtoMessage()               {}
+func (*RoleList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *RoleRef) Reset()                    { *m = RoleRef{} }
+func (*RoleRef) ProtoMessage()               {}
+func (*RoleRef) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+
+func (m *Subject) Reset()                    { *m = Subject{} }
+func (*Subject) ProtoMessage()               {}
+func (*Subject) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+
+func init() {
+	proto.RegisterType((*ClusterRole)(nil), "k8s.io.api.rbac.v1alpha1.ClusterRole")
+	proto.RegisterType((*ClusterRoleBinding)(nil), "k8s.io.api.rbac.v1alpha1.ClusterRoleBinding")
+	proto.RegisterType((*ClusterRoleBindingList)(nil), "k8s.io.api.rbac.v1alpha1.ClusterRoleBindingList")
+	proto.RegisterType((*ClusterRoleList)(nil), "k8s.io.api.rbac.v1alpha1.ClusterRoleList")
+	proto.RegisterType((*PolicyRule)(nil), "k8s.io.api.rbac.v1alpha1.PolicyRule")
+	proto.RegisterType((*Role)(nil), "k8s.io.api.rbac.v1alpha1.Role")
+	proto.RegisterType((*RoleBinding)(nil), "k8s.io.api.rbac.v1alpha1.RoleBinding")
+	proto.RegisterType((*RoleBindingList)(nil), "k8s.io.api.rbac.v1alpha1.RoleBindingList")
+	proto.RegisterType((*RoleList)(nil), "k8s.io.api.rbac.v1alpha1.RoleList")
+	proto.RegisterType((*RoleRef)(nil), "k8s.io.api.rbac.v1alpha1.RoleRef")
+	proto.RegisterType((*Subject)(nil), "k8s.io.api.rbac.v1alpha1.Subject")
+}
+func (m *ClusterRole) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRole) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	if len(m.Rules) > 0 {
+		for _, msg := range m.Rules {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ClusterRoleBinding) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRoleBinding) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n2, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	if len(m.Subjects) > 0 {
+		for _, msg := range m.Subjects {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RoleRef.Size()))
+	n3, err := m.RoleRef.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *ClusterRoleBindingList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRoleBindingList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n4, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ClusterRoleList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRoleList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n5, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PolicyRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.ResourceNames) > 0 {
+		for _, s := range m.ResourceNames {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NonResourceURLs) > 0 {
+		for _, s := range m.NonResourceURLs {
+			dAtA[i] = 0x32
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *Role) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Role) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n6, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	if len(m.Rules) > 0 {
+		for _, msg := range m.Rules {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *RoleBinding) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleBinding) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n7, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n7
+	if len(m.Subjects) > 0 {
+		for _, msg := range m.Subjects {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RoleRef.Size()))
+	n8, err := m.RoleRef.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n8
+	return i, nil
+}
+
+func (m *RoleBindingList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleBindingList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n9, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *RoleList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n10, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *RoleRef) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleRef) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIGroup)))
+	i += copy(dAtA[i:], m.APIGroup)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	return i, nil
+}
+
+func (m *Subject) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Subject) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIVersion)))
+	i += copy(dAtA[i:], m.APIVersion)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *ClusterRole) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Rules) > 0 {
+		for _, e := range m.Rules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ClusterRoleBinding) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Subjects) > 0 {
+		for _, e := range m.Subjects {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.RoleRef.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ClusterRoleBindingList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ClusterRoleList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PolicyRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.ResourceNames) > 0 {
+		for _, s := range m.ResourceNames {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.NonResourceURLs) > 0 {
+		for _, s := range m.NonResourceURLs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Role) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Rules) > 0 {
+		for _, e := range m.Rules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RoleBinding) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Subjects) > 0 {
+		for _, e := range m.Subjects {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.RoleRef.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *RoleBindingList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RoleList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RoleRef) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.APIGroup)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Subject) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.APIVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *ClusterRole) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRole{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "PolicyRule", "PolicyRule", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterRoleBinding) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRoleBinding{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Subjects:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Subjects), "Subject", "Subject", 1), `&`, ``, 1) + `,`,
+		`RoleRef:` + strings.Replace(strings.Replace(this.RoleRef.String(), "RoleRef", "RoleRef", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterRoleBindingList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRoleBindingList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ClusterRoleBinding", "ClusterRoleBinding", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterRoleList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRoleList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ClusterRole", "ClusterRole", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PolicyRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PolicyRule{`,
+		`Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`,
+		`APIGroups:` + fmt.Sprintf("%v", this.APIGroups) + `,`,
+		`Resources:` + fmt.Sprintf("%v", this.Resources) + `,`,
+		`ResourceNames:` + fmt.Sprintf("%v", this.ResourceNames) + `,`,
+		`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Role) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Role{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "PolicyRule", "PolicyRule", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleBinding) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleBinding{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Subjects:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Subjects), "Subject", "Subject", 1), `&`, ``, 1) + `,`,
+		`RoleRef:` + strings.Replace(strings.Replace(this.RoleRef.String(), "RoleRef", "RoleRef", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleBindingList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleBindingList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "RoleBinding", "RoleBinding", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Role", "Role", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleRef) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleRef{`,
+		`APIGroup:` + fmt.Sprintf("%v", this.APIGroup) + `,`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Subject) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Subject{`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`APIVersion:` + fmt.Sprintf("%v", this.APIVersion) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *ClusterRole) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRole: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRole: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rules = append(m.Rules, PolicyRule{})
+			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterRoleBinding) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRoleBinding: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRoleBinding: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subjects", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subjects = append(m.Subjects, Subject{})
+			if err := m.Subjects[len(m.Subjects)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RoleRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.RoleRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterRoleBindingList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRoleBindingList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRoleBindingList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ClusterRoleBinding{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterRoleList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRoleList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRoleList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ClusterRole{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PolicyRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PolicyRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PolicyRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroups = append(m.APIGroups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resources = append(m.Resources, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceNames", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceNames = append(m.ResourceNames, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceURLs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Role) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Role: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Role: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rules = append(m.Rules, PolicyRule{})
+			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleBinding) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleBinding: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleBinding: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subjects", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subjects = append(m.Subjects, Subject{})
+			if err := m.Subjects[len(m.Subjects)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RoleRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.RoleRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleBindingList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleBindingList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleBindingList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, RoleBinding{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Role{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleRef) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleRef: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleRef: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroup", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroup = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Subject) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Subject: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Subject: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/rbac/v1alpha1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 766 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x94, 0xcd, 0x6e, 0xd3, 0x40,
+	0x10, 0xc7, 0xb3, 0xf9, 0xa0, 0xc9, 0x86, 0x28, 0xd4, 0x48, 0xc8, 0xea, 0xc1, 0x09, 0x11, 0x48,
+	0x95, 0x28, 0x36, 0x2d, 0x08, 0xb8, 0x70, 0x68, 0x7a, 0x40, 0x81, 0xd2, 0x96, 0x45, 0xf4, 0x80,
+	0x38, 0xb0, 0x71, 0xb6, 0xc9, 0x12, 0x7f, 0x69, 0xd7, 0x8e, 0x54, 0x71, 0xe1, 0x09, 0x10, 0x17,
+	0x1e, 0x83, 0x0b, 0xdc, 0xe0, 0x05, 0xca, 0xad, 0xc7, 0x9e, 0x22, 0x6a, 0x1e, 0x04, 0xb4, 0x6b,
+	0x3b, 0x4e, 0x9a, 0x86, 0xf4, 0x14, 0x09, 0x89, 0x93, 0xbd, 0x33, 0xbf, 0xf9, 0xef, 0xcc, 0xec,
+	0xee, 0xc0, 0xcd, 0xfe, 0x43, 0xae, 0x53, 0xd7, 0xe8, 0x07, 0x6d, 0xc2, 0x1c, 0xe2, 0x13, 0x6e,
+	0x0c, 0x88, 0xd3, 0x71, 0x99, 0x11, 0x3b, 0xb0, 0x47, 0x0d, 0xd6, 0xc6, 0xa6, 0x31, 0x58, 0xc7,
+	0x96, 0xd7, 0xc3, 0xeb, 0x46, 0x97, 0x38, 0x84, 0x61, 0x9f, 0x74, 0x74, 0x8f, 0xb9, 0xbe, 0xab,
+	0xa8, 0x11, 0xa9, 0x63, 0x8f, 0xea, 0x82, 0xd4, 0x13, 0x72, 0xe5, 0x76, 0x97, 0xfa, 0xbd, 0xa0,
+	0xad, 0x9b, 0xae, 0x6d, 0x74, 0xdd, 0xae, 0x6b, 0xc8, 0x80, 0x76, 0x70, 0x20, 0x57, 0x72, 0x21,
+	0xff, 0x22, 0xa1, 0x95, 0x7b, 0xe9, 0x96, 0x36, 0x36, 0x7b, 0xd4, 0x21, 0xec, 0xd0, 0xf0, 0xfa,
+	0x5d, 0x61, 0xe0, 0x86, 0x4d, 0x7c, 0x6c, 0x0c, 0xa6, 0xb6, 0x5f, 0x31, 0x66, 0x45, 0xb1, 0xc0,
+	0xf1, 0xa9, 0x4d, 0xa6, 0x02, 0xee, 0xcf, 0x0b, 0xe0, 0x66, 0x8f, 0xd8, 0x78, 0x2a, 0xee, 0xee,
+	0xac, 0xb8, 0xc0, 0xa7, 0x96, 0x41, 0x1d, 0x9f, 0xfb, 0xec, 0x6c, 0x50, 0xe3, 0x1b, 0x80, 0xe5,
+	0x2d, 0x2b, 0xe0, 0x3e, 0x61, 0xc8, 0xb5, 0x88, 0xf2, 0x06, 0x16, 0x45, 0x21, 0x1d, 0xec, 0x63,
+	0x15, 0xd4, 0xc1, 0x6a, 0x79, 0xe3, 0x8e, 0x9e, 0xf6, 0x6f, 0xa4, 0xab, 0x7b, 0xfd, 0xae, 0x30,
+	0x70, 0x5d, 0xd0, 0xfa, 0x60, 0x5d, 0xdf, 0x6d, 0xbf, 0x25, 0xa6, 0xff, 0x8c, 0xf8, 0xb8, 0xa9,
+	0x1c, 0x0d, 0x6b, 0x99, 0x70, 0x58, 0x83, 0xa9, 0x0d, 0x8d, 0x54, 0x95, 0x16, 0x2c, 0xb0, 0xc0,
+	0x22, 0x5c, 0xcd, 0xd6, 0x73, 0xab, 0xe5, 0x8d, 0x1b, 0xfa, 0xac, 0xe3, 0xd1, 0xf7, 0x5c, 0x8b,
+	0x9a, 0x87, 0x28, 0xb0, 0x48, 0xb3, 0x12, 0x4b, 0x16, 0xc4, 0x8a, 0xa3, 0x48, 0xa1, 0xf1, 0x29,
+	0x0b, 0x95, 0xb1, 0xe4, 0x9b, 0xd4, 0xe9, 0x50, 0xa7, 0xbb, 0x80, 0x1a, 0x76, 0x61, 0x91, 0x07,
+	0xd2, 0x91, 0x94, 0x71, 0x7d, 0x76, 0x19, 0x2f, 0x22, 0xb2, 0x79, 0x25, 0x96, 0x2c, 0xc6, 0x06,
+	0x8e, 0x46, 0x22, 0xca, 0x36, 0x5c, 0x62, 0xae, 0x45, 0x10, 0x39, 0x50, 0x73, 0x32, 0xe3, 0xbf,
+	0xe8, 0xa1, 0x08, 0x6c, 0x56, 0x63, 0xbd, 0xa5, 0xd8, 0x80, 0x12, 0x89, 0xc6, 0x0f, 0x00, 0xaf,
+	0x4d, 0xf7, 0x65, 0x9b, 0x72, 0x5f, 0x79, 0x3d, 0xd5, 0x1b, 0xfd, 0x62, 0xbd, 0x11, 0xd1, 0xb2,
+	0x33, 0xa3, 0x32, 0x12, 0xcb, 0x58, 0x5f, 0x9e, 0xc3, 0x02, 0xf5, 0x89, 0x9d, 0x34, 0x65, 0x6d,
+	0x76, 0x11, 0xd3, 0xe9, 0xa5, 0x67, 0xdc, 0x12, 0x12, 0x28, 0x52, 0x6a, 0x7c, 0x07, 0xb0, 0x3a,
+	0x06, 0x2f, 0xa0, 0x88, 0x27, 0x93, 0x45, 0xdc, 0xbc, 0x58, 0x11, 0xe7, 0x67, 0xff, 0x1b, 0x40,
+	0x98, 0x5e, 0x63, 0xa5, 0x06, 0x0b, 0x03, 0xc2, 0xda, 0x5c, 0x05, 0xf5, 0xdc, 0x6a, 0xa9, 0x59,
+	0x12, 0xfc, 0xbe, 0x30, 0xa0, 0xc8, 0xae, 0xdc, 0x82, 0x25, 0xec, 0xd1, 0xc7, 0xcc, 0x0d, 0x3c,
+	0xae, 0xe6, 0x24, 0x54, 0x09, 0x87, 0xb5, 0xd2, 0xe6, 0x5e, 0x2b, 0x32, 0xa2, 0xd4, 0x2f, 0x60,
+	0x46, 0xb8, 0x1b, 0x30, 0x93, 0x70, 0x35, 0x9f, 0xc2, 0x28, 0x31, 0xa2, 0xd4, 0xaf, 0x3c, 0x80,
+	0x95, 0x64, 0xb1, 0x83, 0x6d, 0xc2, 0xd5, 0x82, 0x0c, 0x58, 0x0e, 0x87, 0xb5, 0x0a, 0x1a, 0x77,
+	0xa0, 0x49, 0x4e, 0x79, 0x04, 0xab, 0x8e, 0xeb, 0x24, 0xc8, 0x4b, 0xb4, 0xcd, 0xd5, 0x4b, 0x32,
+	0xf4, 0x6a, 0x38, 0xac, 0x55, 0x77, 0x26, 0x5d, 0xe8, 0x2c, 0xdb, 0xf8, 0x0a, 0x60, 0xfe, 0xdf,
+	0x9b, 0x2c, 0x1f, 0xb2, 0xb0, 0xfc, 0x7f, 0xa4, 0x8c, 0x8d, 0x14, 0xf1, 0x0c, 0x17, 0x3b, 0x4b,
+	0x2e, 0xfe, 0x0c, 0xe7, 0x0f, 0x91, 0xcf, 0x00, 0x16, 0x17, 0x34, 0x3d, 0xb6, 0x26, 0xd3, 0xd6,
+	0xe6, 0xa4, 0x7d, 0x7e, 0xbe, 0xef, 0x60, 0x72, 0x02, 0xca, 0x1a, 0x2c, 0x26, 0x2f, 0x5e, 0x66,
+	0x5b, 0x4a, 0x77, 0x4f, 0x86, 0x02, 0x1a, 0x11, 0x4a, 0x1d, 0xe6, 0xfb, 0xd4, 0xe9, 0xa8, 0x59,
+	0x49, 0x5e, 0x8e, 0xc9, 0xfc, 0x53, 0xea, 0x74, 0x90, 0xf4, 0x08, 0xc2, 0xc1, 0x36, 0x91, 0x77,
+	0x62, 0x8c, 0x10, 0x6f, 0x1d, 0x49, 0x4f, 0xe3, 0x0b, 0x80, 0x4b, 0xf1, 0x7d, 0x1a, 0xe9, 0x81,
+	0x99, 0x7a, 0x1b, 0x10, 0x62, 0x8f, 0xee, 0x13, 0xc6, 0xa9, 0xeb, 0xc4, 0xfb, 0x8e, 0x6e, 0xfa,
+	0xe6, 0x5e, 0x2b, 0xf6, 0xa0, 0x31, 0x6a, 0x7e, 0x0e, 0x8a, 0x01, 0x4b, 0xe2, 0xcb, 0x3d, 0x6c,
+	0x12, 0x35, 0x2f, 0xb1, 0xe5, 0x18, 0x2b, 0xed, 0x24, 0x0e, 0x94, 0x32, 0x4d, 0xfd, 0xe8, 0x54,
+	0xcb, 0x1c, 0x9f, 0x6a, 0x99, 0x93, 0x53, 0x2d, 0xf3, 0x3e, 0xd4, 0xc0, 0x51, 0xa8, 0x81, 0xe3,
+	0x50, 0x03, 0x27, 0xa1, 0x06, 0x7e, 0x86, 0x1a, 0xf8, 0xf8, 0x4b, 0xcb, 0xbc, 0x2a, 0x26, 0xcd,
+	0xff, 0x13, 0x00, 0x00, 0xff, 0xff, 0x1d, 0x38, 0x05, 0x46, 0x58, 0x0a, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1alpha1/generated.proto b/cli/vendor/k8s.io/api/rbac/v1alpha1/generated.proto
new file mode 100644
index 00000000..d9b6c6d9
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1alpha1/generated.proto
@@ -0,0 +1,184 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.rbac.v1alpha1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1alpha1";
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+message ClusterRole {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Rules holds all the PolicyRules for this ClusterRole
+  repeated PolicyRule rules = 2;
+}
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+message ClusterRoleBinding {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Subjects holds references to the objects the role applies to.
+  repeated Subject subjects = 2;
+
+  // RoleRef can only reference a ClusterRole in the global namespace.
+  // If the RoleRef cannot be resolved, the Authorizer must return an error.
+  optional RoleRef roleRef = 3;
+}
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+message ClusterRoleBindingList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of ClusterRoleBindings
+  repeated ClusterRoleBinding items = 2;
+}
+
+// ClusterRoleList is a collection of ClusterRoles
+message ClusterRoleList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of ClusterRoles
+  repeated ClusterRole items = 2;
+}
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+message PolicyRule {
+  // Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+  repeated string verbs = 1;
+
+  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+  // the enumerated resources in any API group will be allowed.
+  // +optional
+  repeated string apiGroups = 3;
+
+  // Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+  // +optional
+  repeated string resources = 4;
+
+  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+  // +optional
+  repeated string resourceNames = 5;
+
+  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+  // This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different.
+  // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+  // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+  // +optional
+  repeated string nonResourceURLs = 6;
+}
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+message Role {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Rules holds all the PolicyRules for this Role
+  repeated PolicyRule rules = 2;
+}
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+message RoleBinding {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Subjects holds references to the objects the role applies to.
+  repeated Subject subjects = 2;
+
+  // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+  // If the RoleRef cannot be resolved, the Authorizer must return an error.
+  optional RoleRef roleRef = 3;
+}
+
+// RoleBindingList is a collection of RoleBindings
+message RoleBindingList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of RoleBindings
+  repeated RoleBinding items = 2;
+}
+
+// RoleList is a collection of Roles
+message RoleList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of Roles
+  repeated Role items = 2;
+}
+
+// RoleRef contains information that points to the role being used
+message RoleRef {
+  // APIGroup is the group for the resource being referenced
+  optional string apiGroup = 1;
+
+  // Kind is the type of resource being referenced
+  optional string kind = 2;
+
+  // Name is the name of resource being referenced
+  optional string name = 3;
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+message Subject {
+  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+  optional string kind = 1;
+
+  // APIVersion holds the API group and version of the referenced subject.
+  // Defaults to "v1" for ServiceAccount subjects.
+  // Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.
+  // +k8s:conversion-gen=false
+  // +optional
+  optional string apiVersion = 2;
+
+  // Name of the object being referenced.
+  optional string name = 3;
+
+  // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+  // the Authorizer should report an error.
+  // +optional
+  optional string namespace = 4;
+}
+
diff --git a/cli/vendor/k8s.io/api/rbac/v1alpha1/register.go b/cli/vendor/k8s.io/api/rbac/v1alpha1/register.go
new file mode 100644
index 00000000..9cfd71f4
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1alpha1/register.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "rbac.authorization.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Role{},
+		&RoleBinding{},
+		&RoleBindingList{},
+		&RoleList{},
+
+		&ClusterRole{},
+		&ClusterRoleBinding{},
+		&ClusterRoleBindingList{},
+		&ClusterRoleList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1alpha1/types.go b/cli/vendor/k8s.io/api/rbac/v1alpha1/types.go
new file mode 100644
index 00000000..06fa6ce8
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1alpha1/types.go
@@ -0,0 +1,221 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+
+const (
+	APIGroupAll    = "*"
+	ResourceAll    = "*"
+	VerbAll        = "*"
+	NonResourceAll = "*"
+
+	GroupKind          = "Group"
+	ServiceAccountKind = "ServiceAccount"
+	UserKind           = "User"
+
+	// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false"
+	AutoUpdateAnnotationKey = "rbac.authorization.kubernetes.io/autoupdate"
+)
+
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+type PolicyRule struct {
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
+
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed.
+	// +optional
+	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,3,rep,name=apiGroups"`
+	// Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+	// +optional
+	Resources []string `json:"resources,omitempty" protobuf:"bytes,4,rep,name=resources"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	// +optional
+	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,5,rep,name=resourceNames"`
+
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different.
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+	// +optional
+	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,6,rep,name=nonResourceURLs"`
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+type Subject struct {
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
+	// APIVersion holds the API group and version of the referenced subject.
+	// Defaults to "v1" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io/v1alpha1" for User and Group subjects.
+	// +k8s:conversion-gen=false
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt.name=apiVersion"`
+	// Name of the object being referenced.
+	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,4,opt,name=namespace"`
+}
+
+// RoleRef contains information that points to the role being used
+type RoleRef struct {
+	// APIGroup is the group for the resource being referenced
+	APIGroup string `json:"apiGroup" protobuf:"bytes,1,opt,name=apiGroup"`
+	// Kind is the type of resource being referenced
+	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
+	// Name is the name of resource being referenced
+	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+type Role struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Rules holds all the PolicyRules for this Role
+	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+type RoleBinding struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Subjects holds references to the objects the role applies to.
+	Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleBindingList is a collection of RoleBindings
+type RoleBindingList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of RoleBindings
+	Items []RoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleList is a collection of Roles
+type RoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of Roles
+	Items []Role `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+type ClusterRole struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Rules holds all the PolicyRules for this ClusterRole
+	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+type ClusterRoleBinding struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Subjects holds references to the objects the role applies to.
+	Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+type ClusterRoleBindingList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of ClusterRoleBindings
+	Items []ClusterRoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRoleList is a collection of ClusterRoles
+type ClusterRoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of ClusterRoles
+	Items []ClusterRole `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1alpha1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/rbac/v1alpha1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..d58a722a
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1alpha1/types_swagger_doc_generated.go
@@ -0,0 +1,148 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_ClusterRole = map[string]string{
+	"":         "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.",
+	"metadata": "Standard object's metadata.",
+	"rules":    "Rules holds all the PolicyRules for this ClusterRole",
+}
+
+func (ClusterRole) SwaggerDoc() map[string]string {
+	return map_ClusterRole
+}
+
+var map_ClusterRoleBinding = map[string]string{
+	"":         "ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace, and adds who information via Subject.",
+	"metadata": "Standard object's metadata.",
+	"subjects": "Subjects holds references to the objects the role applies to.",
+	"roleRef":  "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
+}
+
+func (ClusterRoleBinding) SwaggerDoc() map[string]string {
+	return map_ClusterRoleBinding
+}
+
+var map_ClusterRoleBindingList = map[string]string{
+	"":         "ClusterRoleBindingList is a collection of ClusterRoleBindings",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of ClusterRoleBindings",
+}
+
+func (ClusterRoleBindingList) SwaggerDoc() map[string]string {
+	return map_ClusterRoleBindingList
+}
+
+var map_ClusterRoleList = map[string]string{
+	"":         "ClusterRoleList is a collection of ClusterRoles",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of ClusterRoles",
+}
+
+func (ClusterRoleList) SwaggerDoc() map[string]string {
+	return map_ClusterRoleList
+}
+
+var map_PolicyRule = map[string]string{
+	"":                "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.",
+	"verbs":           "Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.",
+	"apiGroups":       "APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.",
+	"resources":       "Resources is a list of resources this rule applies to.  ResourceAll represents all resources.",
+	"resourceNames":   "ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.",
+	"nonResourceURLs": "NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path This name is intentionally different than the internal type so that the DefaultConvert works nicely and because the ordering may be different. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"),  but not both.",
+}
+
+func (PolicyRule) SwaggerDoc() map[string]string {
+	return map_PolicyRule
+}
+
+var map_Role = map[string]string{
+	"":         "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.",
+	"metadata": "Standard object's metadata.",
+	"rules":    "Rules holds all the PolicyRules for this Role",
+}
+
+func (Role) SwaggerDoc() map[string]string {
+	return map_Role
+}
+
+var map_RoleBinding = map[string]string{
+	"":         "RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace.",
+	"metadata": "Standard object's metadata.",
+	"subjects": "Subjects holds references to the objects the role applies to.",
+	"roleRef":  "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
+}
+
+func (RoleBinding) SwaggerDoc() map[string]string {
+	return map_RoleBinding
+}
+
+var map_RoleBindingList = map[string]string{
+	"":         "RoleBindingList is a collection of RoleBindings",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of RoleBindings",
+}
+
+func (RoleBindingList) SwaggerDoc() map[string]string {
+	return map_RoleBindingList
+}
+
+var map_RoleList = map[string]string{
+	"":         "RoleList is a collection of Roles",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of Roles",
+}
+
+func (RoleList) SwaggerDoc() map[string]string {
+	return map_RoleList
+}
+
+var map_RoleRef = map[string]string{
+	"":         "RoleRef contains information that points to the role being used",
+	"apiGroup": "APIGroup is the group for the resource being referenced",
+	"kind":     "Kind is the type of resource being referenced",
+	"name":     "Name is the name of resource being referenced",
+}
+
+func (RoleRef) SwaggerDoc() map[string]string {
+	return map_RoleRef
+}
+
+var map_Subject = map[string]string{
+	"":           "Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
+	"kind":       "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",
+	"apiVersion": "APIVersion holds the API group and version of the referenced subject. Defaults to \"v1\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io/v1alpha1\" for User and Group subjects.",
+	"name":       "Name of the object being referenced.",
+	"namespace":  "Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.",
+}
+
+func (Subject) SwaggerDoc() map[string]string {
+	return map_Subject
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/rbac/v1alpha1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/rbac/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..a2dcaf3e
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,427 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRole).DeepCopyInto(out.(*ClusterRole))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRole{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRoleBinding).DeepCopyInto(out.(*ClusterRoleBinding))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRoleBinding{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRoleBindingList).DeepCopyInto(out.(*ClusterRoleBindingList))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRoleBindingList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRoleList).DeepCopyInto(out.(*ClusterRoleList))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRoleList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PolicyRule).DeepCopyInto(out.(*PolicyRule))
+			return nil
+		}, InType: reflect.TypeOf(&PolicyRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Role).DeepCopyInto(out.(*Role))
+			return nil
+		}, InType: reflect.TypeOf(&Role{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleBinding).DeepCopyInto(out.(*RoleBinding))
+			return nil
+		}, InType: reflect.TypeOf(&RoleBinding{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleBindingList).DeepCopyInto(out.(*RoleBindingList))
+			return nil
+		}, InType: reflect.TypeOf(&RoleBindingList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleList).DeepCopyInto(out.(*RoleList))
+			return nil
+		}, InType: reflect.TypeOf(&RoleList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleRef).DeepCopyInto(out.(*RoleRef))
+			return nil
+		}, InType: reflect.TypeOf(&RoleRef{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Subject).DeepCopyInto(out.(*Subject))
+			return nil
+		}, InType: reflect.TypeOf(&Subject{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRole) DeepCopyInto(out *ClusterRole) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRole.
+func (in *ClusterRole) DeepCopy() *ClusterRole {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRole)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRole) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRoleBinding) DeepCopyInto(out *ClusterRoleBinding) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]Subject, len(*in))
+		copy(*out, *in)
+	}
+	out.RoleRef = in.RoleRef
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleBinding.
+func (in *ClusterRoleBinding) DeepCopy() *ClusterRoleBinding {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRoleBinding)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRoleBinding) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRoleBindingList) DeepCopyInto(out *ClusterRoleBindingList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterRoleBinding, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleBindingList.
+func (in *ClusterRoleBindingList) DeepCopy() *ClusterRoleBindingList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRoleBindingList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRoleBindingList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRoleList) DeepCopyInto(out *ClusterRoleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterRole, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleList.
+func (in *ClusterRoleList) DeepCopy() *ClusterRoleList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRoleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRoleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
+	*out = *in
+	if in.Verbs != nil {
+		in, out := &in.Verbs, &out.Verbs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.APIGroups != nil {
+		in, out := &in.APIGroups, &out.APIGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ResourceNames != nil {
+		in, out := &in.ResourceNames, &out.ResourceNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.NonResourceURLs != nil {
+		in, out := &in.NonResourceURLs, &out.NonResourceURLs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRule.
+func (in *PolicyRule) DeepCopy() *PolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Role) DeepCopyInto(out *Role) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Role.
+func (in *Role) DeepCopy() *Role {
+	if in == nil {
+		return nil
+	}
+	out := new(Role)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Role) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleBinding) DeepCopyInto(out *RoleBinding) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]Subject, len(*in))
+		copy(*out, *in)
+	}
+	out.RoleRef = in.RoleRef
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBinding.
+func (in *RoleBinding) DeepCopy() *RoleBinding {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleBinding)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleBinding) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleBindingList) DeepCopyInto(out *RoleBindingList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RoleBinding, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBindingList.
+func (in *RoleBindingList) DeepCopy() *RoleBindingList {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleBindingList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleBindingList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleList) DeepCopyInto(out *RoleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Role, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleList.
+func (in *RoleList) DeepCopy() *RoleList {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleRef) DeepCopyInto(out *RoleRef) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleRef.
+func (in *RoleRef) DeepCopy() *RoleRef {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Subject) DeepCopyInto(out *Subject) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Subject.
+func (in *Subject) DeepCopy() *Subject {
+	if in == nil {
+		return nil
+	}
+	out := new(Subject)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1beta1/doc.go b/cli/vendor/k8s.io/api/rbac/v1beta1/doc.go
new file mode 100644
index 00000000..bb7d47df
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1beta1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+// +groupName=rbac.authorization.k8s.io
+package v1beta1 // import "k8s.io/api/rbac/v1beta1"
diff --git a/cli/vendor/k8s.io/api/rbac/v1beta1/generated.pb.go b/cli/vendor/k8s.io/api/rbac/v1beta1/generated.pb.go
new file mode 100644
index 00000000..ddc78730
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1beta1/generated.pb.go
@@ -0,0 +1,2555 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/rbac/v1beta1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1beta1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/rbac/v1beta1/generated.proto
+
+	It has these top-level messages:
+		ClusterRole
+		ClusterRoleBinding
+		ClusterRoleBindingList
+		ClusterRoleList
+		PolicyRule
+		Role
+		RoleBinding
+		RoleBindingList
+		RoleList
+		RoleRef
+		Subject
+*/
+package v1beta1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *ClusterRole) Reset()                    { *m = ClusterRole{} }
+func (*ClusterRole) ProtoMessage()               {}
+func (*ClusterRole) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *ClusterRoleBinding) Reset()                    { *m = ClusterRoleBinding{} }
+func (*ClusterRoleBinding) ProtoMessage()               {}
+func (*ClusterRoleBinding) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *ClusterRoleBindingList) Reset()                    { *m = ClusterRoleBindingList{} }
+func (*ClusterRoleBindingList) ProtoMessage()               {}
+func (*ClusterRoleBindingList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *ClusterRoleList) Reset()                    { *m = ClusterRoleList{} }
+func (*ClusterRoleList) ProtoMessage()               {}
+func (*ClusterRoleList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *PolicyRule) Reset()                    { *m = PolicyRule{} }
+func (*PolicyRule) ProtoMessage()               {}
+func (*PolicyRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *Role) Reset()                    { *m = Role{} }
+func (*Role) ProtoMessage()               {}
+func (*Role) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func (m *RoleBinding) Reset()                    { *m = RoleBinding{} }
+func (*RoleBinding) ProtoMessage()               {}
+func (*RoleBinding) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *RoleBindingList) Reset()                    { *m = RoleBindingList{} }
+func (*RoleBindingList) ProtoMessage()               {}
+func (*RoleBindingList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *RoleList) Reset()                    { *m = RoleList{} }
+func (*RoleList) ProtoMessage()               {}
+func (*RoleList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *RoleRef) Reset()                    { *m = RoleRef{} }
+func (*RoleRef) ProtoMessage()               {}
+func (*RoleRef) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+
+func (m *Subject) Reset()                    { *m = Subject{} }
+func (*Subject) ProtoMessage()               {}
+func (*Subject) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+
+func init() {
+	proto.RegisterType((*ClusterRole)(nil), "k8s.io.api.rbac.v1beta1.ClusterRole")
+	proto.RegisterType((*ClusterRoleBinding)(nil), "k8s.io.api.rbac.v1beta1.ClusterRoleBinding")
+	proto.RegisterType((*ClusterRoleBindingList)(nil), "k8s.io.api.rbac.v1beta1.ClusterRoleBindingList")
+	proto.RegisterType((*ClusterRoleList)(nil), "k8s.io.api.rbac.v1beta1.ClusterRoleList")
+	proto.RegisterType((*PolicyRule)(nil), "k8s.io.api.rbac.v1beta1.PolicyRule")
+	proto.RegisterType((*Role)(nil), "k8s.io.api.rbac.v1beta1.Role")
+	proto.RegisterType((*RoleBinding)(nil), "k8s.io.api.rbac.v1beta1.RoleBinding")
+	proto.RegisterType((*RoleBindingList)(nil), "k8s.io.api.rbac.v1beta1.RoleBindingList")
+	proto.RegisterType((*RoleList)(nil), "k8s.io.api.rbac.v1beta1.RoleList")
+	proto.RegisterType((*RoleRef)(nil), "k8s.io.api.rbac.v1beta1.RoleRef")
+	proto.RegisterType((*Subject)(nil), "k8s.io.api.rbac.v1beta1.Subject")
+}
+func (m *ClusterRole) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRole) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	if len(m.Rules) > 0 {
+		for _, msg := range m.Rules {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ClusterRoleBinding) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRoleBinding) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n2, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	if len(m.Subjects) > 0 {
+		for _, msg := range m.Subjects {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RoleRef.Size()))
+	n3, err := m.RoleRef.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	return i, nil
+}
+
+func (m *ClusterRoleBindingList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRoleBindingList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n4, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ClusterRoleList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ClusterRoleList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n5, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PolicyRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PolicyRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.ResourceNames) > 0 {
+		for _, s := range m.ResourceNames {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.NonResourceURLs) > 0 {
+		for _, s := range m.NonResourceURLs {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *Role) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Role) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n6, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	if len(m.Rules) > 0 {
+		for _, msg := range m.Rules {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *RoleBinding) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleBinding) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n7, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n7
+	if len(m.Subjects) > 0 {
+		for _, msg := range m.Subjects {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RoleRef.Size()))
+	n8, err := m.RoleRef.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n8
+	return i, nil
+}
+
+func (m *RoleBindingList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleBindingList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n9, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *RoleList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n10, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *RoleRef) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RoleRef) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIGroup)))
+	i += copy(dAtA[i:], m.APIGroup)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	return i, nil
+}
+
+func (m *Subject) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Subject) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIGroup)))
+	i += copy(dAtA[i:], m.APIGroup)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *ClusterRole) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Rules) > 0 {
+		for _, e := range m.Rules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ClusterRoleBinding) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Subjects) > 0 {
+		for _, e := range m.Subjects {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.RoleRef.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ClusterRoleBindingList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ClusterRoleList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PolicyRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Verbs) > 0 {
+		for _, s := range m.Verbs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.APIGroups) > 0 {
+		for _, s := range m.APIGroups {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Resources) > 0 {
+		for _, s := range m.Resources {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.ResourceNames) > 0 {
+		for _, s := range m.ResourceNames {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.NonResourceURLs) > 0 {
+		for _, s := range m.NonResourceURLs {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Role) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Rules) > 0 {
+		for _, e := range m.Rules {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RoleBinding) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Subjects) > 0 {
+		for _, e := range m.Subjects {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.RoleRef.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *RoleBindingList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RoleList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *RoleRef) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.APIGroup)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Subject) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.APIGroup)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *ClusterRole) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRole{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "PolicyRule", "PolicyRule", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterRoleBinding) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRoleBinding{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Subjects:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Subjects), "Subject", "Subject", 1), `&`, ``, 1) + `,`,
+		`RoleRef:` + strings.Replace(strings.Replace(this.RoleRef.String(), "RoleRef", "RoleRef", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterRoleBindingList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRoleBindingList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ClusterRoleBinding", "ClusterRoleBinding", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ClusterRoleList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ClusterRoleList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "ClusterRole", "ClusterRole", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PolicyRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PolicyRule{`,
+		`Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`,
+		`APIGroups:` + fmt.Sprintf("%v", this.APIGroups) + `,`,
+		`Resources:` + fmt.Sprintf("%v", this.Resources) + `,`,
+		`ResourceNames:` + fmt.Sprintf("%v", this.ResourceNames) + `,`,
+		`NonResourceURLs:` + fmt.Sprintf("%v", this.NonResourceURLs) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Role) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Role{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Rules:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Rules), "PolicyRule", "PolicyRule", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleBinding) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleBinding{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Subjects:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Subjects), "Subject", "Subject", 1), `&`, ``, 1) + `,`,
+		`RoleRef:` + strings.Replace(strings.Replace(this.RoleRef.String(), "RoleRef", "RoleRef", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleBindingList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleBindingList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "RoleBinding", "RoleBinding", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "Role", "Role", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RoleRef) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RoleRef{`,
+		`APIGroup:` + fmt.Sprintf("%v", this.APIGroup) + `,`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Subject) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Subject{`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`APIGroup:` + fmt.Sprintf("%v", this.APIGroup) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *ClusterRole) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRole: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRole: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rules = append(m.Rules, PolicyRule{})
+			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterRoleBinding) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRoleBinding: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRoleBinding: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subjects", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subjects = append(m.Subjects, Subject{})
+			if err := m.Subjects[len(m.Subjects)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RoleRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.RoleRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterRoleBindingList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRoleBindingList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRoleBindingList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ClusterRoleBinding{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ClusterRoleList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ClusterRoleList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ClusterRoleList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, ClusterRole{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PolicyRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PolicyRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PolicyRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Verbs = append(m.Verbs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroups", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroups = append(m.APIGroups, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resources = append(m.Resources, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceNames", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceNames = append(m.ResourceNames, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NonResourceURLs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NonResourceURLs = append(m.NonResourceURLs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Role) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Role: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Role: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Rules = append(m.Rules, PolicyRule{})
+			if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleBinding) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleBinding: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleBinding: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subjects", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subjects = append(m.Subjects, Subject{})
+			if err := m.Subjects[len(m.Subjects)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RoleRef", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.RoleRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleBindingList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleBindingList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleBindingList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, RoleBinding{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, Role{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RoleRef) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RoleRef: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RoleRef: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroup", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroup = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Subject) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Subject: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Subject: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIGroup", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIGroup = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/rbac/v1beta1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 751 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x94, 0xcd, 0x6e, 0xd3, 0x4a,
+	0x14, 0xc7, 0xe3, 0x7c, 0x28, 0xf1, 0xe4, 0x46, 0xb9, 0xf5, 0x95, 0xee, 0xb5, 0x2a, 0x5d, 0x27,
+	0x0a, 0x2c, 0x2a, 0x95, 0xda, 0xb4, 0x20, 0x60, 0x83, 0x04, 0x66, 0x01, 0x55, 0x4b, 0xa8, 0x06,
+	0xc1, 0x02, 0xb1, 0x60, 0xe2, 0x4c, 0xd3, 0x21, 0xf1, 0x87, 0x66, 0xc6, 0x91, 0x2a, 0x36, 0x3c,
+	0x00, 0x0b, 0x24, 0x5e, 0x83, 0x15, 0x3b, 0x78, 0x82, 0x2c, 0xbb, 0xec, 0x2a, 0xa2, 0xe6, 0x41,
+	0x40, 0x33, 0xb6, 0xe3, 0xa4, 0x69, 0xda, 0xac, 0x22, 0x21, 0xb1, 0x4a, 0xe6, 0x9c, 0xdf, 0xf9,
+	0x9f, 0x0f, 0xcf, 0x1c, 0xf0, 0xa0, 0x7f, 0x8f, 0x99, 0xc4, 0xb7, 0xfa, 0x61, 0x07, 0x53, 0x0f,
+	0x73, 0xcc, 0xac, 0x21, 0xf6, 0xba, 0x3e, 0xb5, 0x12, 0x07, 0x0a, 0x88, 0x45, 0x3b, 0xc8, 0xb1,
+	0x86, 0xdb, 0x1d, 0xcc, 0xd1, 0xb6, 0xd5, 0xc3, 0x1e, 0xa6, 0x88, 0xe3, 0xae, 0x19, 0x50, 0x9f,
+	0xfb, 0xda, 0x7f, 0x31, 0x68, 0xa2, 0x80, 0x98, 0x02, 0x34, 0x13, 0x70, 0x7d, 0xab, 0x47, 0xf8,
+	0x51, 0xd8, 0x31, 0x1d, 0xdf, 0xb5, 0x7a, 0x7e, 0xcf, 0xb7, 0x24, 0xdf, 0x09, 0x0f, 0xe5, 0x49,
+	0x1e, 0xe4, 0xbf, 0x58, 0x67, 0xfd, 0x76, 0x96, 0xd0, 0x45, 0xce, 0x11, 0xf1, 0x30, 0x3d, 0xb6,
+	0x82, 0x7e, 0x4f, 0x18, 0x98, 0xe5, 0x62, 0x8e, 0xac, 0xe1, 0x5c, 0xf6, 0x75, 0x6b, 0x51, 0x14,
+	0x0d, 0x3d, 0x4e, 0x5c, 0x3c, 0x17, 0x70, 0xe7, 0xaa, 0x00, 0xe6, 0x1c, 0x61, 0x17, 0xcd, 0xc5,
+	0xdd, 0x5a, 0x14, 0x17, 0x72, 0x32, 0xb0, 0x88, 0xc7, 0x19, 0xa7, 0xe7, 0x83, 0x5a, 0x5f, 0x15,
+	0x50, 0x7d, 0x34, 0x08, 0x19, 0xc7, 0x14, 0xfa, 0x03, 0xac, 0xbd, 0x01, 0x15, 0xd1, 0x48, 0x17,
+	0x71, 0xa4, 0x2b, 0x4d, 0x65, 0xa3, 0xba, 0x73, 0xd3, 0xcc, 0xc6, 0x37, 0xd1, 0x35, 0x83, 0x7e,
+	0x4f, 0x18, 0x98, 0x29, 0x68, 0x73, 0xb8, 0x6d, 0x3e, 0xeb, 0xbc, 0xc5, 0x0e, 0x7f, 0x8a, 0x39,
+	0xb2, 0xb5, 0xd1, 0xb8, 0x91, 0x8b, 0xc6, 0x0d, 0x90, 0xd9, 0xe0, 0x44, 0x55, 0x7b, 0x02, 0x4a,
+	0x34, 0x1c, 0x60, 0xa6, 0xe7, 0x9b, 0x85, 0x8d, 0xea, 0xce, 0x35, 0x73, 0xc1, 0xd7, 0x31, 0x0f,
+	0xfc, 0x01, 0x71, 0x8e, 0x61, 0x38, 0xc0, 0x76, 0x2d, 0x51, 0x2c, 0x89, 0x13, 0x83, 0xb1, 0x40,
+	0xeb, 0x53, 0x1e, 0x68, 0x53, 0xb5, 0xdb, 0xc4, 0xeb, 0x12, 0xaf, 0xb7, 0x82, 0x16, 0xda, 0xa0,
+	0xc2, 0x42, 0xe9, 0x48, 0xbb, 0x68, 0x2e, 0xec, 0xe2, 0x79, 0x0c, 0xda, 0x7f, 0x27, 0x8a, 0x95,
+	0xc4, 0xc0, 0xe0, 0x44, 0x43, 0xdb, 0x03, 0x65, 0xea, 0x0f, 0x30, 0xc4, 0x87, 0x7a, 0x41, 0x16,
+	0xbc, 0x58, 0x0e, 0xc6, 0x9c, 0x5d, 0x4f, 0xe4, 0xca, 0x89, 0x01, 0xa6, 0x0a, 0xad, 0x91, 0x02,
+	0xfe, 0x9d, 0x9f, 0xca, 0x3e, 0x61, 0x5c, 0x7b, 0x3d, 0x37, 0x19, 0x73, 0xb9, 0xc9, 0x88, 0x68,
+	0x39, 0x97, 0x49, 0x17, 0xa9, 0x65, 0x6a, 0x2a, 0x07, 0xa0, 0x44, 0x38, 0x76, 0xd3, 0x91, 0x6c,
+	0x2e, 0xec, 0x61, 0xbe, 0xba, 0xec, 0x03, 0xef, 0x0a, 0x05, 0x18, 0x0b, 0xb5, 0xbe, 0x29, 0xa0,
+	0x3e, 0x05, 0xaf, 0xa0, 0x87, 0xdd, 0xd9, 0x1e, 0xae, 0x2f, 0xd5, 0xc3, 0xc5, 0xc5, 0xff, 0x54,
+	0x00, 0xc8, 0xae, 0xb0, 0xd6, 0x00, 0xa5, 0x21, 0xa6, 0x1d, 0xa6, 0x2b, 0xcd, 0xc2, 0x86, 0x6a,
+	0xab, 0x82, 0x7f, 0x29, 0x0c, 0x30, 0xb6, 0x6b, 0x9b, 0x40, 0x45, 0x01, 0x79, 0x4c, 0xfd, 0x30,
+	0x88, 0xd3, 0xab, 0x76, 0x2d, 0x1a, 0x37, 0xd4, 0x87, 0x07, 0xbb, 0xb1, 0x11, 0x66, 0x7e, 0x01,
+	0x53, 0xcc, 0xfc, 0x90, 0x3a, 0x98, 0xe9, 0x85, 0x0c, 0x86, 0xa9, 0x11, 0x66, 0x7e, 0xed, 0x2e,
+	0xa8, 0xa5, 0x87, 0x36, 0x72, 0x31, 0xd3, 0x8b, 0x32, 0x60, 0x2d, 0x1a, 0x37, 0x6a, 0x70, 0xda,
+	0x01, 0x67, 0x39, 0xed, 0x3e, 0xa8, 0x7b, 0xbe, 0x97, 0x22, 0x2f, 0xe0, 0x3e, 0xd3, 0x4b, 0x32,
+	0xf4, 0x9f, 0x68, 0xdc, 0xa8, 0xb7, 0x67, 0x5d, 0xf0, 0x3c, 0xdb, 0xfa, 0xa2, 0x80, 0xe2, 0x6f,
+	0xb7, 0x54, 0x3e, 0xe4, 0x41, 0xf5, 0xcf, 0x36, 0x99, 0x6c, 0x13, 0xf1, 0x04, 0x57, 0xbb, 0x46,
+	0x96, 0x7e, 0x82, 0x57, 0xef, 0x8f, 0xcf, 0x0a, 0xa8, 0xac, 0x68, 0x71, 0xd8, 0xb3, 0x55, 0xff,
+	0x7f, 0x79, 0xd5, 0x17, 0x97, 0xfb, 0x0e, 0xa4, 0xf3, 0xd7, 0x6e, 0x80, 0x4a, 0xfa, 0xd8, 0x65,
+	0xb1, 0x6a, 0x96, 0x3c, 0xdd, 0x07, 0x70, 0x42, 0x68, 0x4d, 0x50, 0xec, 0x13, 0xaf, 0xab, 0xe7,
+	0x25, 0xf9, 0x57, 0x42, 0x16, 0xf7, 0x88, 0xd7, 0x85, 0xd2, 0x23, 0x08, 0x0f, 0xb9, 0x58, 0x5e,
+	0x88, 0x29, 0x42, 0x3c, 0x73, 0x28, 0x3d, 0x62, 0x56, 0xe5, 0xe4, 0x32, 0x4d, 0xf4, 0x94, 0x85,
+	0x7a, 0xd3, 0xf5, 0xe5, 0x97, 0xa9, 0xef, 0xf2, 0xec, 0x9a, 0x05, 0x54, 0xf1, 0xcb, 0x02, 0xe4,
+	0x60, 0xbd, 0x28, 0xb1, 0xb5, 0x04, 0x53, 0xdb, 0xa9, 0x03, 0x66, 0x8c, 0xbd, 0x35, 0x3a, 0x33,
+	0x72, 0x27, 0x67, 0x46, 0xee, 0xf4, 0xcc, 0xc8, 0xbd, 0x8f, 0x0c, 0x65, 0x14, 0x19, 0xca, 0x49,
+	0x64, 0x28, 0xa7, 0x91, 0xa1, 0x7c, 0x8f, 0x0c, 0xe5, 0xe3, 0x0f, 0x23, 0xf7, 0xaa, 0x9c, 0x4c,
+	0xfd, 0x57, 0x00, 0x00, 0x00, 0xff, 0xff, 0x74, 0x24, 0x6a, 0xfa, 0x45, 0x0a, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1beta1/generated.proto b/cli/vendor/k8s.io/api/rbac/v1beta1/generated.proto
new file mode 100644
index 00000000..d97ce1fb
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1beta1/generated.proto
@@ -0,0 +1,182 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.rbac.v1beta1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+message ClusterRole {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Rules holds all the PolicyRules for this ClusterRole
+  repeated PolicyRule rules = 2;
+}
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+message ClusterRoleBinding {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Subjects holds references to the objects the role applies to.
+  repeated Subject subjects = 2;
+
+  // RoleRef can only reference a ClusterRole in the global namespace.
+  // If the RoleRef cannot be resolved, the Authorizer must return an error.
+  optional RoleRef roleRef = 3;
+}
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+message ClusterRoleBindingList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of ClusterRoleBindings
+  repeated ClusterRoleBinding items = 2;
+}
+
+// ClusterRoleList is a collection of ClusterRoles
+message ClusterRoleList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of ClusterRoles
+  repeated ClusterRole items = 2;
+}
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+message PolicyRule {
+  // Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+  repeated string verbs = 1;
+
+  // APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+  // the enumerated resources in any API group will be allowed.
+  // +optional
+  repeated string apiGroups = 2;
+
+  // Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+  // +optional
+  repeated string resources = 3;
+
+  // ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+  // +optional
+  repeated string resourceNames = 4;
+
+  // NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+  // Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+  // Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+  // +optional
+  repeated string nonResourceURLs = 5;
+}
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+message Role {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Rules holds all the PolicyRules for this Role
+  repeated PolicyRule rules = 2;
+}
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+message RoleBinding {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Subjects holds references to the objects the role applies to.
+  repeated Subject subjects = 2;
+
+  // RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+  // If the RoleRef cannot be resolved, the Authorizer must return an error.
+  optional RoleRef roleRef = 3;
+}
+
+// RoleBindingList is a collection of RoleBindings
+message RoleBindingList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of RoleBindings
+  repeated RoleBinding items = 2;
+}
+
+// RoleList is a collection of Roles
+message RoleList {
+  // Standard object's metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of Roles
+  repeated Role items = 2;
+}
+
+// RoleRef contains information that points to the role being used
+message RoleRef {
+  // APIGroup is the group for the resource being referenced
+  optional string apiGroup = 1;
+
+  // Kind is the type of resource being referenced
+  optional string kind = 2;
+
+  // Name is the name of resource being referenced
+  optional string name = 3;
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+message Subject {
+  // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+  // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+  optional string kind = 1;
+
+  // APIGroup holds the API group of the referenced subject.
+  // Defaults to "" for ServiceAccount subjects.
+  // Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+  // +optional
+  optional string apiGroup = 2;
+
+  // Name of the object being referenced.
+  optional string name = 3;
+
+  // Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+  // the Authorizer should report an error.
+  // +optional
+  optional string namespace = 4;
+}
+
diff --git a/cli/vendor/k8s.io/api/rbac/v1beta1/register.go b/cli/vendor/k8s.io/api/rbac/v1beta1/register.go
new file mode 100644
index 00000000..8f60f019
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1beta1/register.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const GroupName = "rbac.authorization.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Role{},
+		&RoleBinding{},
+		&RoleBindingList{},
+		&RoleList{},
+
+		&ClusterRole{},
+		&ClusterRoleBinding{},
+		&ClusterRoleBindingList{},
+		&ClusterRoleList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1beta1/types.go b/cli/vendor/k8s.io/api/rbac/v1beta1/types.go
new file mode 100644
index 00000000..30f95a77
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1beta1/types.go
@@ -0,0 +1,219 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+
+const (
+	APIGroupAll    = "*"
+	ResourceAll    = "*"
+	VerbAll        = "*"
+	NonResourceAll = "*"
+
+	GroupKind          = "Group"
+	ServiceAccountKind = "ServiceAccount"
+	UserKind           = "User"
+
+	// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false"
+	AutoUpdateAnnotationKey = "rbac.authorization.kubernetes.io/autoupdate"
+)
+
+// Authorization is calculated against
+// 1. evaluation of ClusterRoleBindings - short circuit on match
+// 2. evaluation of RoleBindings in the namespace requested - short circuit on match
+// 3. deny by default
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+type PolicyRule struct {
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.
+	Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
+
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed.
+	// +optional
+	APIGroups []string `json:"apiGroups,omitempty" protobuf:"bytes,2,rep,name=apiGroups"`
+	// Resources is a list of resources this rule applies to.  ResourceAll represents all resources.
+	// +optional
+	Resources []string `json:"resources,omitempty" protobuf:"bytes,3,rep,name=resources"`
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	// +optional
+	ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,4,rep,name=resourceNames"`
+
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+	// +optional
+	NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,5,rep,name=nonResourceURLs"`
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+type Subject struct {
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
+	// APIGroup holds the API group of the referenced subject.
+	// Defaults to "" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+	// +optional
+	APIGroup string `json:"apiGroup,omitempty" protobuf:"bytes,2,opt.name=apiGroup"`
+	// Name of the object being referenced.
+	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,4,opt,name=namespace"`
+}
+
+// RoleRef contains information that points to the role being used
+type RoleRef struct {
+	// APIGroup is the group for the resource being referenced
+	APIGroup string `json:"apiGroup" protobuf:"bytes,1,opt,name=apiGroup"`
+	// Kind is the type of resource being referenced
+	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
+	// Name is the name of resource being referenced
+	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+type Role struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Rules holds all the PolicyRules for this Role
+	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+type RoleBinding struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Subjects holds references to the objects the role applies to.
+	Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleBindingList is a collection of RoleBindings
+type RoleBindingList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of RoleBindings
+	Items []RoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleList is a collection of Roles
+type RoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of Roles
+	Items []Role `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+type ClusterRole struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Rules holds all the PolicyRules for this ClusterRole
+	Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+type ClusterRoleBinding struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Subjects holds references to the objects the role applies to.
+	Subjects []Subject `json:"subjects" protobuf:"bytes,2,rep,name=subjects"`
+
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	RoleRef RoleRef `json:"roleRef" protobuf:"bytes,3,opt,name=roleRef"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+type ClusterRoleBindingList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of ClusterRoleBindings
+	Items []ClusterRoleBinding `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterRoleList is a collection of ClusterRoles
+type ClusterRoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of ClusterRoles
+	Items []ClusterRole `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/rbac/v1beta1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/rbac/v1beta1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..1463d8fe
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1beta1/types_swagger_doc_generated.go
@@ -0,0 +1,148 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_ClusterRole = map[string]string{
+	"":         "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.",
+	"metadata": "Standard object's metadata.",
+	"rules":    "Rules holds all the PolicyRules for this ClusterRole",
+}
+
+func (ClusterRole) SwaggerDoc() map[string]string {
+	return map_ClusterRole
+}
+
+var map_ClusterRoleBinding = map[string]string{
+	"":         "ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace, and adds who information via Subject.",
+	"metadata": "Standard object's metadata.",
+	"subjects": "Subjects holds references to the objects the role applies to.",
+	"roleRef":  "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
+}
+
+func (ClusterRoleBinding) SwaggerDoc() map[string]string {
+	return map_ClusterRoleBinding
+}
+
+var map_ClusterRoleBindingList = map[string]string{
+	"":         "ClusterRoleBindingList is a collection of ClusterRoleBindings",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of ClusterRoleBindings",
+}
+
+func (ClusterRoleBindingList) SwaggerDoc() map[string]string {
+	return map_ClusterRoleBindingList
+}
+
+var map_ClusterRoleList = map[string]string{
+	"":         "ClusterRoleList is a collection of ClusterRoles",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of ClusterRoles",
+}
+
+func (ClusterRoleList) SwaggerDoc() map[string]string {
+	return map_ClusterRoleList
+}
+
+var map_PolicyRule = map[string]string{
+	"":                "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.",
+	"verbs":           "Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule.  VerbAll represents all kinds.",
+	"apiGroups":       "APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.",
+	"resources":       "Resources is a list of resources this rule applies to.  ResourceAll represents all resources.",
+	"resourceNames":   "ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.",
+	"nonResourceURLs": "NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"),  but not both.",
+}
+
+func (PolicyRule) SwaggerDoc() map[string]string {
+	return map_PolicyRule
+}
+
+var map_Role = map[string]string{
+	"":         "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.",
+	"metadata": "Standard object's metadata.",
+	"rules":    "Rules holds all the PolicyRules for this Role",
+}
+
+func (Role) SwaggerDoc() map[string]string {
+	return map_Role
+}
+
+var map_RoleBinding = map[string]string{
+	"":         "RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given namespace only have effect in that namespace.",
+	"metadata": "Standard object's metadata.",
+	"subjects": "Subjects holds references to the objects the role applies to.",
+	"roleRef":  "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.",
+}
+
+func (RoleBinding) SwaggerDoc() map[string]string {
+	return map_RoleBinding
+}
+
+var map_RoleBindingList = map[string]string{
+	"":         "RoleBindingList is a collection of RoleBindings",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of RoleBindings",
+}
+
+func (RoleBindingList) SwaggerDoc() map[string]string {
+	return map_RoleBindingList
+}
+
+var map_RoleList = map[string]string{
+	"":         "RoleList is a collection of Roles",
+	"metadata": "Standard object's metadata.",
+	"items":    "Items is a list of Roles",
+}
+
+func (RoleList) SwaggerDoc() map[string]string {
+	return map_RoleList
+}
+
+var map_RoleRef = map[string]string{
+	"":         "RoleRef contains information that points to the role being used",
+	"apiGroup": "APIGroup is the group for the resource being referenced",
+	"kind":     "Kind is the type of resource being referenced",
+	"name":     "Name is the name of resource being referenced",
+}
+
+func (RoleRef) SwaggerDoc() map[string]string {
+	return map_RoleRef
+}
+
+var map_Subject = map[string]string{
+	"":          "Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
+	"kind":      "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",
+	"apiGroup":  "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.",
+	"name":      "Name of the object being referenced.",
+	"namespace": "Namespace of the referenced object.  If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.",
+}
+
+func (Subject) SwaggerDoc() map[string]string {
+	return map_Subject
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/rbac/v1beta1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/rbac/v1beta1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..2bed5c94
--- /dev/null
+++ b/cli/vendor/k8s.io/api/rbac/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,427 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRole).DeepCopyInto(out.(*ClusterRole))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRole{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRoleBinding).DeepCopyInto(out.(*ClusterRoleBinding))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRoleBinding{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRoleBindingList).DeepCopyInto(out.(*ClusterRoleBindingList))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRoleBindingList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ClusterRoleList).DeepCopyInto(out.(*ClusterRoleList))
+			return nil
+		}, InType: reflect.TypeOf(&ClusterRoleList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PolicyRule).DeepCopyInto(out.(*PolicyRule))
+			return nil
+		}, InType: reflect.TypeOf(&PolicyRule{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Role).DeepCopyInto(out.(*Role))
+			return nil
+		}, InType: reflect.TypeOf(&Role{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleBinding).DeepCopyInto(out.(*RoleBinding))
+			return nil
+		}, InType: reflect.TypeOf(&RoleBinding{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleBindingList).DeepCopyInto(out.(*RoleBindingList))
+			return nil
+		}, InType: reflect.TypeOf(&RoleBindingList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleList).DeepCopyInto(out.(*RoleList))
+			return nil
+		}, InType: reflect.TypeOf(&RoleList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RoleRef).DeepCopyInto(out.(*RoleRef))
+			return nil
+		}, InType: reflect.TypeOf(&RoleRef{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Subject).DeepCopyInto(out.(*Subject))
+			return nil
+		}, InType: reflect.TypeOf(&Subject{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRole) DeepCopyInto(out *ClusterRole) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRole.
+func (in *ClusterRole) DeepCopy() *ClusterRole {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRole)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRole) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRoleBinding) DeepCopyInto(out *ClusterRoleBinding) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]Subject, len(*in))
+		copy(*out, *in)
+	}
+	out.RoleRef = in.RoleRef
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleBinding.
+func (in *ClusterRoleBinding) DeepCopy() *ClusterRoleBinding {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRoleBinding)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRoleBinding) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRoleBindingList) DeepCopyInto(out *ClusterRoleBindingList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterRoleBinding, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleBindingList.
+func (in *ClusterRoleBindingList) DeepCopy() *ClusterRoleBindingList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRoleBindingList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRoleBindingList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterRoleList) DeepCopyInto(out *ClusterRoleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterRole, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleList.
+func (in *ClusterRoleList) DeepCopy() *ClusterRoleList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterRoleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterRoleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
+	*out = *in
+	if in.Verbs != nil {
+		in, out := &in.Verbs, &out.Verbs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.APIGroups != nil {
+		in, out := &in.APIGroups, &out.APIGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ResourceNames != nil {
+		in, out := &in.ResourceNames, &out.ResourceNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.NonResourceURLs != nil {
+		in, out := &in.NonResourceURLs, &out.NonResourceURLs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRule.
+func (in *PolicyRule) DeepCopy() *PolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Role) DeepCopyInto(out *Role) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]PolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Role.
+func (in *Role) DeepCopy() *Role {
+	if in == nil {
+		return nil
+	}
+	out := new(Role)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Role) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleBinding) DeepCopyInto(out *RoleBinding) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]Subject, len(*in))
+		copy(*out, *in)
+	}
+	out.RoleRef = in.RoleRef
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBinding.
+func (in *RoleBinding) DeepCopy() *RoleBinding {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleBinding)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleBinding) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleBindingList) DeepCopyInto(out *RoleBindingList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RoleBinding, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBindingList.
+func (in *RoleBindingList) DeepCopy() *RoleBindingList {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleBindingList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleBindingList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleList) DeepCopyInto(out *RoleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Role, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleList.
+func (in *RoleList) DeepCopy() *RoleList {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleRef) DeepCopyInto(out *RoleRef) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleRef.
+func (in *RoleRef) DeepCopy() *RoleRef {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Subject) DeepCopyInto(out *Subject) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Subject.
+func (in *Subject) DeepCopy() *Subject {
+	if in == nil {
+		return nil
+	}
+	out := new(Subject)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/scheduling/v1alpha1/doc.go b/cli/vendor/k8s.io/api/scheduling/v1alpha1/doc.go
new file mode 100644
index 00000000..bf901598
--- /dev/null
+++ b/cli/vendor/k8s.io/api/scheduling/v1alpha1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+// +groupName=scheduling.k8s.io
+package v1alpha1 // import "k8s.io/api/scheduling/v1alpha1"
diff --git a/cli/vendor/k8s.io/api/scheduling/v1alpha1/generated.pb.go b/cli/vendor/k8s.io/api/scheduling/v1alpha1/generated.pb.go
new file mode 100644
index 00000000..39c0b9e6
--- /dev/null
+++ b/cli/vendor/k8s.io/api/scheduling/v1alpha1/generated.pb.go
@@ -0,0 +1,641 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/scheduling/v1alpha1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1alpha1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/scheduling/v1alpha1/generated.proto
+
+	It has these top-level messages:
+		PriorityClass
+		PriorityClassList
+*/
+package v1alpha1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *PriorityClass) Reset()                    { *m = PriorityClass{} }
+func (*PriorityClass) ProtoMessage()               {}
+func (*PriorityClass) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *PriorityClassList) Reset()                    { *m = PriorityClassList{} }
+func (*PriorityClassList) ProtoMessage()               {}
+func (*PriorityClassList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func init() {
+	proto.RegisterType((*PriorityClass)(nil), "k8s.io.api.scheduling.v1alpha1.PriorityClass")
+	proto.RegisterType((*PriorityClassList)(nil), "k8s.io.api.scheduling.v1alpha1.PriorityClassList")
+}
+func (m *PriorityClass) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PriorityClass) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Value))
+	dAtA[i] = 0x18
+	i++
+	if m.GlobalDefault {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Description)))
+	i += copy(dAtA[i:], m.Description)
+	return i, nil
+}
+
+func (m *PriorityClassList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PriorityClassList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n2, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *PriorityClass) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Value))
+	n += 2
+	l = len(m.Description)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PriorityClassList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *PriorityClass) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PriorityClass{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Value:` + fmt.Sprintf("%v", this.Value) + `,`,
+		`GlobalDefault:` + fmt.Sprintf("%v", this.GlobalDefault) + `,`,
+		`Description:` + fmt.Sprintf("%v", this.Description) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PriorityClassList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PriorityClassList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "PriorityClass", "PriorityClass", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *PriorityClass) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PriorityClass: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PriorityClass: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			m.Value = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Value |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GlobalDefault", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.GlobalDefault = bool(v != 0)
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Description", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Description = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PriorityClassList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PriorityClassList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PriorityClassList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, PriorityClass{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/scheduling/v1alpha1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 460 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0x4f, 0x8b, 0xd3, 0x40,
+	0x18, 0xc6, 0x33, 0x5d, 0x0b, 0x75, 0x4a, 0x41, 0x23, 0x42, 0xe8, 0x61, 0x36, 0xac, 0x97, 0x5c,
+	0x76, 0xc6, 0xae, 0x7f, 0x10, 0xbc, 0xc5, 0x85, 0x45, 0x50, 0x94, 0x1c, 0x3c, 0x88, 0x07, 0x27,
+	0xc9, 0x6c, 0x3a, 0x36, 0xc9, 0x84, 0x99, 0x37, 0x81, 0xbd, 0x79, 0xf6, 0xe4, 0x97, 0x12, 0x7a,
+	0xdc, 0xe3, 0x9e, 0x16, 0x1b, 0xbf, 0x88, 0x24, 0x4d, 0x37, 0xad, 0x65, 0xd5, 0x5b, 0xe6, 0x79,
+	0x9f, 0xdf, 0x33, 0xf3, 0x3e, 0x04, 0x9f, 0x2d, 0x5e, 0x18, 0x2a, 0x15, 0x5b, 0x94, 0xa1, 0xd0,
+	0xb9, 0x00, 0x61, 0x58, 0x25, 0xf2, 0x58, 0x69, 0xd6, 0x0d, 0x78, 0x21, 0x99, 0x89, 0xe6, 0x22,
+	0x2e, 0x53, 0x99, 0x27, 0xac, 0x9a, 0xf1, 0xb4, 0x98, 0xf3, 0x19, 0x4b, 0x44, 0x2e, 0x34, 0x07,
+	0x11, 0xd3, 0x42, 0x2b, 0x50, 0x36, 0x59, 0xfb, 0x29, 0x2f, 0x24, 0xed, 0xfd, 0x74, 0xe3, 0x9f,
+	0x1e, 0x27, 0x12, 0xe6, 0x65, 0x48, 0x23, 0x95, 0xb1, 0x44, 0x25, 0x8a, 0xb5, 0x58, 0x58, 0x9e,
+	0xb7, 0xa7, 0xf6, 0xd0, 0x7e, 0xad, 0xe3, 0xa6, 0x4f, 0xfb, 0xeb, 0x33, 0x1e, 0xcd, 0x65, 0x2e,
+	0xf4, 0x05, 0x2b, 0x16, 0x49, 0x23, 0x18, 0x96, 0x09, 0xe0, 0xac, 0xda, 0x7b, 0xc4, 0x94, 0xdd,
+	0x46, 0xe9, 0x32, 0x07, 0x99, 0x89, 0x3d, 0xe0, 0xf9, 0xbf, 0x80, 0x66, 0x95, 0x8c, 0xef, 0x71,
+	0x4f, 0x6e, 0xe3, 0x4a, 0x90, 0x29, 0x93, 0x39, 0x18, 0xd0, 0x7f, 0x42, 0x47, 0xdf, 0x06, 0x78,
+	0xf2, 0x5e, 0x4b, 0xa5, 0x25, 0x5c, 0xbc, 0x4a, 0xb9, 0x31, 0xf6, 0x67, 0x3c, 0x6a, 0x56, 0x89,
+	0x39, 0x70, 0x07, 0xb9, 0xc8, 0x1b, 0x9f, 0x3c, 0xa6, 0x7d, 0x8f, 0x37, 0xc9, 0xb4, 0x58, 0x24,
+	0x8d, 0x60, 0x68, 0xe3, 0xa6, 0xd5, 0x8c, 0xbe, 0x0b, 0xbf, 0x88, 0x08, 0xde, 0x0a, 0xe0, 0xbe,
+	0xbd, 0xbc, 0x3e, 0xb4, 0xea, 0xeb, 0x43, 0xdc, 0x6b, 0xc1, 0x4d, 0xaa, 0xfd, 0x08, 0x0f, 0x2b,
+	0x9e, 0x96, 0xc2, 0x19, 0xb8, 0xc8, 0x1b, 0xfa, 0x93, 0xce, 0x3c, 0xfc, 0xd0, 0x88, 0xc1, 0x7a,
+	0x66, 0xbf, 0xc4, 0x93, 0x24, 0x55, 0x21, 0x4f, 0x4f, 0xc5, 0x39, 0x2f, 0x53, 0x70, 0x0e, 0x5c,
+	0xe4, 0x8d, 0xfc, 0x87, 0x9d, 0x79, 0x72, 0xb6, 0x3d, 0x0c, 0x76, 0xbd, 0xf6, 0x33, 0x3c, 0x8e,
+	0x85, 0x89, 0xb4, 0x2c, 0x40, 0xaa, 0xdc, 0xb9, 0xe3, 0x22, 0xef, 0xae, 0xff, 0xa0, 0x43, 0xc7,
+	0xa7, 0xfd, 0x28, 0xd8, 0xf6, 0x1d, 0xfd, 0x40, 0xf8, 0xfe, 0x4e, 0x19, 0x6f, 0xa4, 0x01, 0xfb,
+	0xd3, 0x5e, 0x21, 0xf4, 0xff, 0x0a, 0x69, 0xe8, 0xb6, 0x8e, 0x7b, 0xdd, 0xcd, 0xa3, 0x8d, 0xb2,
+	0x55, 0x46, 0x80, 0x87, 0x12, 0x44, 0x66, 0x9c, 0x81, 0x7b, 0xe0, 0x8d, 0x4f, 0x8e, 0xe9, 0xdf,
+	0xff, 0x59, 0xba, 0xf3, 0xbe, 0xbe, 0xbb, 0xd7, 0x4d, 0x46, 0xb0, 0x8e, 0xf2, 0xe9, 0x72, 0x45,
+	0xac, 0xcb, 0x15, 0xb1, 0xae, 0x56, 0xc4, 0xfa, 0x5a, 0x13, 0xb4, 0xac, 0x09, 0xba, 0xac, 0x09,
+	0xba, 0xaa, 0x09, 0xfa, 0x59, 0x13, 0xf4, 0xfd, 0x17, 0xb1, 0x3e, 0x8e, 0x36, 0x99, 0xbf, 0x03,
+	0x00, 0x00, 0xff, 0xff, 0x44, 0x05, 0xba, 0x7b, 0x71, 0x03, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/scheduling/v1alpha1/generated.proto b/cli/vendor/k8s.io/api/scheduling/v1alpha1/generated.proto
new file mode 100644
index 00000000..75b4968c
--- /dev/null
+++ b/cli/vendor/k8s.io/api/scheduling/v1alpha1/generated.proto
@@ -0,0 +1,65 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.scheduling.v1alpha1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1alpha1";
+
+// PriorityClass defines mapping from a priority class name to the priority
+// integer value. The value can be any valid integer.
+message PriorityClass {
+  // Standard object's metadata.
+  // More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // The value of this priority class. This is the actual priority that pods
+  // receive when they have the name of this class in their pod spec.
+  optional int32 value = 2;
+
+  // globalDefault specifies whether this PriorityClass should be considered as
+  // the default priority for pods that do not have any priority class.
+  // +optional
+  optional bool globalDefault = 3;
+
+  // description is an arbitrary string that usually provides guidelines on
+  // when this priority class should be used.
+  // +optional
+  optional string description = 4;
+}
+
+// PriorityClassList is a collection of priority classes.
+message PriorityClassList {
+  // Standard list metadata
+  // More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // items is the list of PriorityClasses
+  repeated PriorityClass items = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/scheduling/v1alpha1/register.go b/cli/vendor/k8s.io/api/scheduling/v1alpha1/register.go
new file mode 100644
index 00000000..91ce6e0c
--- /dev/null
+++ b/cli/vendor/k8s.io/api/scheduling/v1alpha1/register.go
@@ -0,0 +1,52 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "scheduling.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&PriorityClass{},
+		&PriorityClassList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/scheduling/v1alpha1/types.go b/cli/vendor/k8s.io/api/scheduling/v1alpha1/types.go
new file mode 100644
index 00000000..bca0f347
--- /dev/null
+++ b/cli/vendor/k8s.io/api/scheduling/v1alpha1/types.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PriorityClass defines mapping from a priority class name to the priority
+// integer value. The value can be any valid integer.
+type PriorityClass struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// The value of this priority class. This is the actual priority that pods
+	// receive when they have the name of this class in their pod spec.
+	Value int32 `json:"value" protobuf:"bytes,2,opt,name=value"`
+
+	// globalDefault specifies whether this PriorityClass should be considered as
+	// the default priority for pods that do not have any priority class.
+	// +optional
+	GlobalDefault bool `json:"globalDefault,omitempty" protobuf:"bytes,3,opt,name=globalDefault"`
+
+	// description is an arbitrary string that usually provides guidelines on
+	// when this priority class should be used.
+	// +optional
+	Description string `json:"description,omitempty" protobuf:"bytes,4,opt,name=description"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PriorityClassList is a collection of priority classes.
+type PriorityClassList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// items is the list of PriorityClasses
+	Items []PriorityClass `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/scheduling/v1alpha1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/scheduling/v1alpha1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..c6187398
--- /dev/null
+++ b/cli/vendor/k8s.io/api/scheduling/v1alpha1/types_swagger_doc_generated.go
@@ -0,0 +1,52 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_PriorityClass = map[string]string{
+	"":              "PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.",
+	"metadata":      "Standard object's metadata. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata",
+	"value":         "The value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.",
+	"globalDefault": "globalDefault specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class.",
+	"description":   "description is an arbitrary string that usually provides guidelines on when this priority class should be used.",
+}
+
+func (PriorityClass) SwaggerDoc() map[string]string {
+	return map_PriorityClass
+}
+
+var map_PriorityClassList = map[string]string{
+	"":         "PriorityClassList is a collection of priority classes.",
+	"metadata": "Standard list metadata More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata",
+	"items":    "items is the list of PriorityClasses",
+}
+
+func (PriorityClassList) SwaggerDoc() map[string]string {
+	return map_PriorityClassList
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/scheduling/v1alpha1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/scheduling/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..da01848a
--- /dev/null
+++ b/cli/vendor/k8s.io/api/scheduling/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,109 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PriorityClass).DeepCopyInto(out.(*PriorityClass))
+			return nil
+		}, InType: reflect.TypeOf(&PriorityClass{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PriorityClassList).DeepCopyInto(out.(*PriorityClassList))
+			return nil
+		}, InType: reflect.TypeOf(&PriorityClassList{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PriorityClass) DeepCopyInto(out *PriorityClass) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PriorityClass.
+func (in *PriorityClass) DeepCopy() *PriorityClass {
+	if in == nil {
+		return nil
+	}
+	out := new(PriorityClass)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PriorityClass) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PriorityClassList) DeepCopyInto(out *PriorityClassList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PriorityClass, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PriorityClassList.
+func (in *PriorityClassList) DeepCopy() *PriorityClassList {
+	if in == nil {
+		return nil
+	}
+	out := new(PriorityClassList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PriorityClassList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
diff --git a/cli/vendor/k8s.io/api/settings/v1alpha1/doc.go b/cli/vendor/k8s.io/api/settings/v1alpha1/doc.go
new file mode 100644
index 00000000..ae1bfb91
--- /dev/null
+++ b/cli/vendor/k8s.io/api/settings/v1alpha1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +k8s:openapi-gen=true
+
+// +groupName=settings.k8s.io
+package v1alpha1 // import "k8s.io/api/settings/v1alpha1"
diff --git a/cli/vendor/k8s.io/api/settings/v1alpha1/generated.pb.go b/cli/vendor/k8s.io/api/settings/v1alpha1/generated.pb.go
new file mode 100644
index 00000000..bfc6a5a1
--- /dev/null
+++ b/cli/vendor/k8s.io/api/settings/v1alpha1/generated.pb.go
@@ -0,0 +1,930 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/settings/v1alpha1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1alpha1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/settings/v1alpha1/generated.proto
+
+	It has these top-level messages:
+		PodPreset
+		PodPresetList
+		PodPresetSpec
+*/
+package v1alpha1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *PodPreset) Reset()                    { *m = PodPreset{} }
+func (*PodPreset) ProtoMessage()               {}
+func (*PodPreset) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *PodPresetList) Reset()                    { *m = PodPresetList{} }
+func (*PodPresetList) ProtoMessage()               {}
+func (*PodPresetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *PodPresetSpec) Reset()                    { *m = PodPresetSpec{} }
+func (*PodPresetSpec) ProtoMessage()               {}
+func (*PodPresetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func init() {
+	proto.RegisterType((*PodPreset)(nil), "k8s.io.api.settings.v1alpha1.PodPreset")
+	proto.RegisterType((*PodPresetList)(nil), "k8s.io.api.settings.v1alpha1.PodPresetList")
+	proto.RegisterType((*PodPresetSpec)(nil), "k8s.io.api.settings.v1alpha1.PodPresetSpec")
+}
+func (m *PodPreset) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodPreset) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Spec.Size()))
+	n2, err := m.Spec.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	return i, nil
+}
+
+func (m *PodPresetList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodPresetList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n3, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n3
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *PodPresetSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PodPresetSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Selector.Size()))
+	n4, err := m.Selector.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	if len(m.Env) > 0 {
+		for _, msg := range m.Env {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.EnvFrom) > 0 {
+		for _, msg := range m.EnvFrom {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Volumes) > 0 {
+		for _, msg := range m.Volumes {
+			dAtA[i] = 0x22
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.VolumeMounts) > 0 {
+		for _, msg := range m.VolumeMounts {
+			dAtA[i] = 0x2a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *PodPreset) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PodPresetList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *PodPresetSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = m.Selector.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Env) > 0 {
+		for _, e := range m.Env {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.EnvFrom) > 0 {
+		for _, e := range m.EnvFrom {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Volumes) > 0 {
+		for _, e := range m.Volumes {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.VolumeMounts) > 0 {
+		for _, e := range m.VolumeMounts {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *PodPreset) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodPreset{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "PodPresetSpec", "PodPresetSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodPresetList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodPresetList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "PodPreset", "PodPreset", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PodPresetSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PodPresetSpec{`,
+		`Selector:` + strings.Replace(strings.Replace(this.Selector.String(), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1), `&`, ``, 1) + `,`,
+		`Env:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Env), "EnvVar", "k8s_io_api_core_v1.EnvVar", 1), `&`, ``, 1) + `,`,
+		`EnvFrom:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.EnvFrom), "EnvFromSource", "k8s_io_api_core_v1.EnvFromSource", 1), `&`, ``, 1) + `,`,
+		`Volumes:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Volumes), "Volume", "k8s_io_api_core_v1.Volume", 1), `&`, ``, 1) + `,`,
+		`VolumeMounts:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.VolumeMounts), "VolumeMount", "k8s_io_api_core_v1.VolumeMount", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *PodPreset) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodPreset: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodPreset: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodPresetList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodPresetList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodPresetList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, PodPreset{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PodPresetSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PodPresetSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PodPresetSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Selector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Env", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Env = append(m.Env, k8s_io_api_core_v1.EnvVar{})
+			if err := m.Env[len(m.Env)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EnvFrom", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.EnvFrom = append(m.EnvFrom, k8s_io_api_core_v1.EnvFromSource{})
+			if err := m.EnvFrom[len(m.EnvFrom)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Volumes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Volumes = append(m.Volumes, k8s_io_api_core_v1.Volume{})
+			if err := m.Volumes[len(m.Volumes)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field VolumeMounts", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.VolumeMounts = append(m.VolumeMounts, k8s_io_api_core_v1.VolumeMount{})
+			if err := m.VolumeMounts[len(m.VolumeMounts)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/settings/v1alpha1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 556 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0xc1, 0x8e, 0xd2, 0x4e,
+	0x1c, 0xc7, 0xe9, 0xb2, 0x04, 0xfe, 0x03, 0x9b, 0xbf, 0x69, 0x3c, 0x34, 0xc4, 0x94, 0x95, 0x8b,
+	0x9b, 0x18, 0x67, 0x64, 0xd7, 0x18, 0xbd, 0x36, 0xc1, 0xc4, 0x04, 0xe2, 0xa6, 0x24, 0x9b, 0x68,
+	0x3c, 0x38, 0x94, 0x9f, 0xa5, 0x42, 0x67, 0x9a, 0x99, 0x69, 0x13, 0x6f, 0x3e, 0x82, 0x2f, 0xe0,
+	0x93, 0xe8, 0x03, 0x70, 0xdc, 0xe3, 0x9e, 0x36, 0x52, 0x5f, 0xc4, 0x4c, 0x99, 0x02, 0x8a, 0x28,
+	0xb7, 0xce, 0x8f, 0xef, 0xe7, 0x33, 0xbf, 0x2f, 0x2d, 0xea, 0xcf, 0x9e, 0x49, 0x1c, 0x71, 0x32,
+	0x4b, 0xc7, 0x20, 0x18, 0x28, 0x90, 0x24, 0x03, 0x36, 0xe1, 0x82, 0x98, 0x1f, 0x68, 0x12, 0x11,
+	0x09, 0x4a, 0x45, 0x2c, 0x94, 0x24, 0xeb, 0xd1, 0x79, 0x32, 0xa5, 0x3d, 0x12, 0x02, 0x03, 0x41,
+	0x15, 0x4c, 0x70, 0x22, 0xb8, 0xe2, 0xf6, 0xbd, 0x55, 0x1a, 0xd3, 0x24, 0xc2, 0x65, 0x1a, 0x97,
+	0xe9, 0xf6, 0xa3, 0x30, 0x52, 0xd3, 0x74, 0x8c, 0x03, 0x1e, 0x93, 0x90, 0x87, 0x9c, 0x14, 0xd0,
+	0x38, 0x7d, 0x5f, 0x9c, 0x8a, 0x43, 0xf1, 0xb4, 0x92, 0xb5, 0xbb, 0x5b, 0x57, 0x07, 0x5c, 0x00,
+	0xc9, 0x76, 0x2e, 0x6c, 0x3f, 0xd9, 0x64, 0x62, 0x1a, 0x4c, 0x23, 0x06, 0xe2, 0x23, 0x49, 0x66,
+	0xa1, 0x1e, 0x48, 0x12, 0x83, 0xa2, 0x7f, 0xa2, 0xc8, 0x3e, 0x4a, 0xa4, 0x4c, 0x45, 0x31, 0xec,
+	0x00, 0x4f, 0xff, 0x05, 0xc8, 0x60, 0x0a, 0x31, 0xdd, 0xe1, 0x2e, 0xf6, 0x71, 0xa9, 0x8a, 0xe6,
+	0x24, 0x62, 0x4a, 0x2a, 0xf1, 0x3b, 0xd4, 0xfd, 0x66, 0xa1, 0xff, 0x2e, 0xf9, 0xe4, 0x52, 0x80,
+	0x04, 0x65, 0xbf, 0x43, 0x0d, 0x5d, 0x63, 0x42, 0x15, 0x75, 0xac, 0x53, 0xeb, 0xac, 0x79, 0xfe,
+	0x18, 0x6f, 0xfe, 0xe5, 0xb5, 0x15, 0x27, 0xb3, 0x50, 0x0f, 0x24, 0xd6, 0x69, 0x9c, 0xf5, 0xf0,
+	0xab, 0xf1, 0x07, 0x08, 0xd4, 0x10, 0x14, 0xf5, 0xec, 0xc5, 0x6d, 0xa7, 0x92, 0xdf, 0x76, 0xd0,
+	0x66, 0xe6, 0xaf, 0xad, 0xf6, 0x10, 0x1d, 0xcb, 0x04, 0x02, 0xe7, 0xa8, 0xb0, 0x3f, 0xc4, 0x7f,
+	0x7b, 0x87, 0x78, 0xbd, 0xd8, 0x28, 0x81, 0xc0, 0x6b, 0x19, 0xf1, 0xb1, 0x3e, 0xf9, 0x85, 0xa6,
+	0xfb, 0xd5, 0x42, 0x27, 0xeb, 0xd4, 0x20, 0x92, 0xca, 0x7e, 0xbb, 0x53, 0x01, 0x1f, 0x56, 0x41,
+	0xd3, 0x45, 0x81, 0x3b, 0xe6, 0x9e, 0x46, 0x39, 0xd9, 0x5a, 0x7f, 0x80, 0x6a, 0x91, 0x82, 0x58,
+	0x3a, 0x47, 0xa7, 0xd5, 0xb3, 0xe6, 0xf9, 0x83, 0x03, 0xf7, 0xf7, 0x4e, 0x8c, 0xb3, 0xf6, 0x52,
+	0xd3, 0xfe, 0x4a, 0xd2, 0xfd, 0x52, 0xdd, 0xda, 0x5e, 0xb7, 0xb2, 0x29, 0x6a, 0x48, 0x98, 0x43,
+	0xa0, 0xb8, 0x30, 0xdb, 0x5f, 0x1c, 0xb8, 0x3d, 0x1d, 0xc3, 0x7c, 0x64, 0xd0, 0x4d, 0x85, 0x72,
+	0xe2, 0xaf, 0xb5, 0xf6, 0x73, 0x54, 0x05, 0x96, 0x99, 0x02, 0xed, 0xed, 0x02, 0xfa, 0xbb, 0xd7,
+	0xae, 0x3e, 0xcb, 0xae, 0xa8, 0xf0, 0x9a, 0x46, 0x52, 0xed, 0xb3, 0xcc, 0xd7, 0x8c, 0x3d, 0x40,
+	0x75, 0x60, 0xd9, 0x0b, 0xc1, 0x63, 0xa7, 0x5a, 0xe0, 0xf7, 0xf7, 0xe0, 0x3a, 0x32, 0xe2, 0xa9,
+	0x08, 0xc0, 0xfb, 0xdf, 0x58, 0xea, 0x66, 0xec, 0x97, 0x0a, 0xbb, 0x8f, 0xea, 0x19, 0x9f, 0xa7,
+	0x31, 0x48, 0xe7, 0x78, 0xff, 0x32, 0x57, 0x45, 0x64, 0xa3, 0x59, 0x9d, 0xa5, 0x5f, 0xb2, 0xf6,
+	0x6b, 0xd4, 0x5a, 0x3d, 0x0e, 0x79, 0xca, 0x94, 0x74, 0x6a, 0x85, 0xab, 0xb3, 0xdf, 0x55, 0xe4,
+	0xbc, 0xbb, 0x46, 0xd8, 0xda, 0x1a, 0x4a, 0xff, 0x17, 0x95, 0x87, 0x17, 0x4b, 0xb7, 0x72, 0xbd,
+	0x74, 0x2b, 0x37, 0x4b, 0xb7, 0xf2, 0x29, 0x77, 0xad, 0x45, 0xee, 0x5a, 0xd7, 0xb9, 0x6b, 0xdd,
+	0xe4, 0xae, 0xf5, 0x3d, 0x77, 0xad, 0xcf, 0x3f, 0xdc, 0xca, 0x9b, 0x46, 0xf9, 0xbe, 0x7f, 0x06,
+	0x00, 0x00, 0xff, 0xff, 0x0e, 0x35, 0x98, 0xb5, 0xd9, 0x04, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/settings/v1alpha1/generated.proto b/cli/vendor/k8s.io/api/settings/v1alpha1/generated.proto
new file mode 100644
index 00000000..098e8dd9
--- /dev/null
+++ b/cli/vendor/k8s.io/api/settings/v1alpha1/generated.proto
@@ -0,0 +1,76 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.settings.v1alpha1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1alpha1";
+
+// PodPreset is a policy resource that defines additional runtime
+// requirements for a Pod.
+message PodPreset {
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // +optional
+  optional PodPresetSpec spec = 2;
+}
+
+// PodPresetList is a list of PodPreset objects.
+message PodPresetList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is a list of schema objects.
+  repeated PodPreset items = 2;
+}
+
+// PodPresetSpec is a description of a pod preset.
+message PodPresetSpec {
+  // Selector is a label query over a set of resources, in this case pods.
+  // Required.
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 1;
+
+  // Env defines the collection of EnvVar to inject into containers.
+  // +optional
+  repeated k8s.io.api.core.v1.EnvVar env = 2;
+
+  // EnvFrom defines the collection of EnvFromSource to inject into containers.
+  // +optional
+  repeated k8s.io.api.core.v1.EnvFromSource envFrom = 3;
+
+  // Volumes defines the collection of Volume to inject into the pod.
+  // +optional
+  repeated k8s.io.api.core.v1.Volume volumes = 4;
+
+  // VolumeMounts defines the collection of VolumeMount to inject into containers.
+  // +optional
+  repeated k8s.io.api.core.v1.VolumeMount volumeMounts = 5;
+}
+
diff --git a/cli/vendor/k8s.io/api/settings/v1alpha1/register.go b/cli/vendor/k8s.io/api/settings/v1alpha1/register.go
new file mode 100644
index 00000000..2f39af0f
--- /dev/null
+++ b/cli/vendor/k8s.io/api/settings/v1alpha1/register.go
@@ -0,0 +1,52 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "settings.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&PodPreset{},
+		&PodPresetList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/settings/v1alpha1/types.go b/cli/vendor/k8s.io/api/settings/v1alpha1/types.go
new file mode 100644
index 00000000..506aacf4
--- /dev/null
+++ b/cli/vendor/k8s.io/api/settings/v1alpha1/types.go
@@ -0,0 +1,70 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodPreset is a policy resource that defines additional runtime
+// requirements for a Pod.
+type PodPreset struct {
+	metav1.TypeMeta `json:",inline"`
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// +optional
+	Spec PodPresetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// PodPresetSpec is a description of a pod preset.
+type PodPresetSpec struct {
+	// Selector is a label query over a set of resources, in this case pods.
+	// Required.
+	Selector metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,1,opt,name=selector"`
+
+	// Env defines the collection of EnvVar to inject into containers.
+	// +optional
+	Env []v1.EnvVar `json:"env,omitempty" protobuf:"bytes,2,rep,name=env"`
+	// EnvFrom defines the collection of EnvFromSource to inject into containers.
+	// +optional
+	EnvFrom []v1.EnvFromSource `json:"envFrom,omitempty" protobuf:"bytes,3,rep,name=envFrom"`
+	// Volumes defines the collection of Volume to inject into the pod.
+	// +optional
+	Volumes []v1.Volume `json:"volumes,omitempty" protobuf:"bytes,4,rep,name=volumes"`
+	// VolumeMounts defines the collection of VolumeMount to inject into containers.
+	// +optional
+	VolumeMounts []v1.VolumeMount `json:"volumeMounts,omitempty" protobuf:"bytes,5,rep,name=volumeMounts"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PodPresetList is a list of PodPreset objects.
+type PodPresetList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of schema objects.
+	Items []PodPreset `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/settings/v1alpha1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/settings/v1alpha1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..2a89e556
--- /dev/null
+++ b/cli/vendor/k8s.io/api/settings/v1alpha1/types_swagger_doc_generated.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_PodPreset = map[string]string{
+	"": "PodPreset is a policy resource that defines additional runtime requirements for a Pod.",
+}
+
+func (PodPreset) SwaggerDoc() map[string]string {
+	return map_PodPreset
+}
+
+var map_PodPresetList = map[string]string{
+	"":         "PodPresetList is a list of PodPreset objects.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is a list of schema objects.",
+}
+
+func (PodPresetList) SwaggerDoc() map[string]string {
+	return map_PodPresetList
+}
+
+var map_PodPresetSpec = map[string]string{
+	"":             "PodPresetSpec is a description of a pod preset.",
+	"selector":     "Selector is a label query over a set of resources, in this case pods. Required.",
+	"env":          "Env defines the collection of EnvVar to inject into containers.",
+	"envFrom":      "EnvFrom defines the collection of EnvFromSource to inject into containers.",
+	"volumes":      "Volumes defines the collection of Volume to inject into the pod.",
+	"volumeMounts": "VolumeMounts defines the collection of VolumeMount to inject into containers.",
+}
+
+func (PodPresetSpec) SwaggerDoc() map[string]string {
+	return map_PodPresetSpec
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/settings/v1alpha1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/settings/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..dba89ff0
--- /dev/null
+++ b/cli/vendor/k8s.io/api/settings/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,160 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodPreset).DeepCopyInto(out.(*PodPreset))
+			return nil
+		}, InType: reflect.TypeOf(&PodPreset{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodPresetList).DeepCopyInto(out.(*PodPresetList))
+			return nil
+		}, InType: reflect.TypeOf(&PodPresetList{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PodPresetSpec).DeepCopyInto(out.(*PodPresetSpec))
+			return nil
+		}, InType: reflect.TypeOf(&PodPresetSpec{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodPreset) DeepCopyInto(out *PodPreset) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodPreset.
+func (in *PodPreset) DeepCopy() *PodPreset {
+	if in == nil {
+		return nil
+	}
+	out := new(PodPreset)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodPreset) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodPresetList) DeepCopyInto(out *PodPresetList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PodPreset, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodPresetList.
+func (in *PodPresetList) DeepCopy() *PodPresetList {
+	if in == nil {
+		return nil
+	}
+	out := new(PodPresetList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PodPresetList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PodPresetSpec) DeepCopyInto(out *PodPresetSpec) {
+	*out = *in
+	in.Selector.DeepCopyInto(&out.Selector)
+	if in.Env != nil {
+		in, out := &in.Env, &out.Env
+		*out = make([]v1.EnvVar, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnvFrom != nil {
+		in, out := &in.EnvFrom, &out.EnvFrom
+		*out = make([]v1.EnvFromSource, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Volumes != nil {
+		in, out := &in.Volumes, &out.Volumes
+		*out = make([]v1.Volume, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VolumeMounts != nil {
+		in, out := &in.VolumeMounts, &out.VolumeMounts
+		*out = make([]v1.VolumeMount, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodPresetSpec.
+func (in *PodPresetSpec) DeepCopy() *PodPresetSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(PodPresetSpec)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/api/storage/v1/doc.go b/cli/vendor/k8s.io/api/storage/v1/doc.go
new file mode 100644
index 00000000..0672c58e
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +groupName=storage.k8s.io
+// +k8s:openapi-gen=true
+package v1
diff --git a/cli/vendor/k8s.io/api/storage/v1/generated.pb.go b/cli/vendor/k8s.io/api/storage/v1/generated.pb.go
new file mode 100644
index 00000000..9eee7b94
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1/generated.pb.go
@@ -0,0 +1,884 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/storage/v1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/storage/v1/generated.proto
+
+	It has these top-level messages:
+		StorageClass
+		StorageClassList
+*/
+package v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *StorageClass) Reset()                    { *m = StorageClass{} }
+func (*StorageClass) ProtoMessage()               {}
+func (*StorageClass) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *StorageClassList) Reset()                    { *m = StorageClassList{} }
+func (*StorageClassList) ProtoMessage()               {}
+func (*StorageClassList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func init() {
+	proto.RegisterType((*StorageClass)(nil), "k8s.io.api.storage.v1.StorageClass")
+	proto.RegisterType((*StorageClassList)(nil), "k8s.io.api.storage.v1.StorageClassList")
+}
+func (m *StorageClass) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StorageClass) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Provisioner)))
+	i += copy(dAtA[i:], m.Provisioner)
+	if len(m.Parameters) > 0 {
+		keysForParameters := make([]string, 0, len(m.Parameters))
+		for k := range m.Parameters {
+			keysForParameters = append(keysForParameters, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+		for _, k := range keysForParameters {
+			dAtA[i] = 0x1a
+			i++
+			v := m.Parameters[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if m.ReclaimPolicy != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.ReclaimPolicy)))
+		i += copy(dAtA[i:], *m.ReclaimPolicy)
+	}
+	if len(m.MountOptions) > 0 {
+		for _, s := range m.MountOptions {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if m.AllowVolumeExpansion != nil {
+		dAtA[i] = 0x30
+		i++
+		if *m.AllowVolumeExpansion {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *StorageClassList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StorageClassList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n2, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *StorageClass) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Provisioner)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Parameters) > 0 {
+		for k, v := range m.Parameters {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if m.ReclaimPolicy != nil {
+		l = len(*m.ReclaimPolicy)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.MountOptions) > 0 {
+		for _, s := range m.MountOptions {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.AllowVolumeExpansion != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *StorageClassList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *StorageClass) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForParameters := make([]string, 0, len(this.Parameters))
+	for k := range this.Parameters {
+		keysForParameters = append(keysForParameters, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+	mapStringForParameters := "map[string]string{"
+	for _, k := range keysForParameters {
+		mapStringForParameters += fmt.Sprintf("%v: %v,", k, this.Parameters[k])
+	}
+	mapStringForParameters += "}"
+	s := strings.Join([]string{`&StorageClass{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Provisioner:` + fmt.Sprintf("%v", this.Provisioner) + `,`,
+		`Parameters:` + mapStringForParameters + `,`,
+		`ReclaimPolicy:` + valueToStringGenerated(this.ReclaimPolicy) + `,`,
+		`MountOptions:` + fmt.Sprintf("%v", this.MountOptions) + `,`,
+		`AllowVolumeExpansion:` + valueToStringGenerated(this.AllowVolumeExpansion) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StorageClassList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StorageClassList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "StorageClass", "StorageClass", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *StorageClass) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StorageClass: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StorageClass: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Provisioner", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Provisioner = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Parameters", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Parameters == nil {
+				m.Parameters = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Parameters[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Parameters[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReclaimPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := k8s_io_api_core_v1.PersistentVolumeReclaimPolicy(dAtA[iNdEx:postIndex])
+			m.ReclaimPolicy = &s
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MountOptions", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MountOptions = append(m.MountOptions, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllowVolumeExpansion", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.AllowVolumeExpansion = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StorageClassList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StorageClassList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StorageClassList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, StorageClass{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/storage/v1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 593 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0x41, 0x6f, 0xd3, 0x3e,
+	0x18, 0xc6, 0x9b, 0x76, 0xfd, 0x6b, 0x73, 0x37, 0xfd, 0xab, 0x30, 0xa4, 0xa8, 0x87, 0xb4, 0x1a,
+	0x97, 0x0a, 0x09, 0x7b, 0xdd, 0x06, 0x9a, 0x90, 0x40, 0xa2, 0x68, 0x12, 0x48, 0x9b, 0x56, 0x05,
+	0x89, 0x03, 0xe2, 0x80, 0x9b, 0xbd, 0x64, 0x26, 0x89, 0x1d, 0xd9, 0x4e, 0xa0, 0x37, 0x3e, 0x02,
+	0x9f, 0x87, 0x13, 0xc7, 0x1d, 0x77, 0xdc, 0x29, 0x62, 0xe1, 0x5b, 0x70, 0x42, 0x49, 0xca, 0x92,
+	0xad, 0x9d, 0xd8, 0xcd, 0x7e, 0xdf, 0xe7, 0xf7, 0xd8, 0x7e, 0xfd, 0xa0, 0xe7, 0xfe, 0xbe, 0xc2,
+	0x4c, 0x10, 0x3f, 0x9e, 0x82, 0xe4, 0xa0, 0x41, 0x91, 0x04, 0xf8, 0x89, 0x90, 0x64, 0xde, 0xa0,
+	0x11, 0x23, 0x4a, 0x0b, 0x49, 0x3d, 0x20, 0xc9, 0x88, 0x78, 0xc0, 0x41, 0x52, 0x0d, 0x27, 0x38,
+	0x92, 0x42, 0x0b, 0xf3, 0x7e, 0x29, 0xc3, 0x34, 0x62, 0x78, 0x2e, 0xc3, 0xc9, 0xa8, 0xf7, 0xc8,
+	0x63, 0xfa, 0x34, 0x9e, 0x62, 0x57, 0x84, 0xc4, 0x13, 0x9e, 0x20, 0x85, 0x7a, 0x1a, 0x7f, 0x2c,
+	0x76, 0xc5, 0xa6, 0x58, 0x95, 0x2e, 0xbd, 0x87, 0x4b, 0x0f, 0x9b, 0x82, 0xa6, 0x0b, 0x27, 0xf6,
+	0xf6, 0x2a, 0x6d, 0x48, 0xdd, 0x53, 0xc6, 0x41, 0xce, 0x48, 0xe4, 0x7b, 0x79, 0x41, 0x91, 0x10,
+	0x34, 0x5d, 0x72, 0xcf, 0x1e, 0xb9, 0x8d, 0x92, 0x31, 0xd7, 0x2c, 0x84, 0x05, 0xe0, 0xc9, 0xbf,
+	0x00, 0xe5, 0x9e, 0x42, 0x48, 0x17, 0xb8, 0xdd, 0xdb, 0xb8, 0x58, 0xb3, 0x80, 0x30, 0xae, 0x95,
+	0x96, 0x37, 0xa1, 0xad, 0x1f, 0x2b, 0x68, 0xfd, 0x4d, 0xf9, 0xee, 0x97, 0x01, 0x55, 0xca, 0xfc,
+	0x80, 0x56, 0xf3, 0x97, 0x9c, 0x50, 0x4d, 0x2d, 0x63, 0x60, 0x0c, 0x3b, 0x3b, 0xdb, 0xb8, 0x9a,
+	0xf4, 0x95, 0x31, 0x8e, 0x7c, 0x2f, 0x2f, 0x28, 0x9c, 0xab, 0x71, 0x32, 0xc2, 0xc7, 0xd3, 0x4f,
+	0xe0, 0xea, 0x23, 0xd0, 0x74, 0x6c, 0x9e, 0xa5, 0xfd, 0x46, 0x96, 0xf6, 0x51, 0x55, 0x73, 0xae,
+	0x5c, 0xcd, 0xc7, 0xa8, 0x13, 0x49, 0x91, 0x30, 0xc5, 0x04, 0x07, 0x69, 0x35, 0x07, 0xc6, 0x70,
+	0x6d, 0x7c, 0x6f, 0x8e, 0x74, 0x26, 0x55, 0xcb, 0xa9, 0xeb, 0x4c, 0x0f, 0xa1, 0x88, 0x4a, 0x1a,
+	0x82, 0x06, 0xa9, 0xac, 0xd6, 0xa0, 0x35, 0xec, 0xec, 0xec, 0xe2, 0xa5, 0x21, 0xc0, 0xf5, 0x17,
+	0xe1, 0xc9, 0x15, 0x75, 0xc0, 0xb5, 0x9c, 0x55, 0xb7, 0xab, 0x1a, 0x4e, 0xcd, 0xda, 0xf4, 0xd1,
+	0x86, 0x04, 0x37, 0xa0, 0x2c, 0x9c, 0x88, 0x80, 0xb9, 0x33, 0x6b, 0xa5, 0xb8, 0xe1, 0x41, 0x96,
+	0xf6, 0x37, 0x9c, 0x7a, 0xe3, 0x77, 0xda, 0xdf, 0xae, 0xc5, 0xc7, 0x15, 0x32, 0xcf, 0x0e, 0x9e,
+	0x80, 0x54, 0x4c, 0x69, 0xe0, 0xfa, 0xad, 0x08, 0xe2, 0x10, 0xae, 0x31, 0xce, 0x75, 0x6f, 0x73,
+	0x0f, 0xad, 0x87, 0x22, 0xe6, 0xfa, 0x38, 0xd2, 0x4c, 0x70, 0x65, 0xb5, 0x07, 0xad, 0xe1, 0xda,
+	0xb8, 0x9b, 0xa5, 0xfd, 0xf5, 0xa3, 0x5a, 0xdd, 0xb9, 0xa6, 0x32, 0x0f, 0xd1, 0x26, 0x0d, 0x02,
+	0xf1, 0xb9, 0x3c, 0xe0, 0xe0, 0x4b, 0x44, 0x79, 0x3e, 0x25, 0xeb, 0xbf, 0x81, 0x31, 0x5c, 0x1d,
+	0x5b, 0x59, 0xda, 0xdf, 0x7c, 0xb1, 0xa4, 0xef, 0x2c, 0xa5, 0x7a, 0xcf, 0xd0, 0xff, 0x37, 0x66,
+	0x64, 0x76, 0x51, 0xcb, 0x87, 0x59, 0x11, 0x80, 0x35, 0x27, 0x5f, 0x9a, 0x9b, 0xa8, 0x9d, 0xd0,
+	0x20, 0x86, 0xf2, 0xbf, 0x9c, 0x72, 0xf3, 0xb4, 0xb9, 0x6f, 0x6c, 0x7d, 0x37, 0x50, 0xb7, 0x3e,
+	0xf0, 0x43, 0xa6, 0xb4, 0xf9, 0x7e, 0x21, 0x46, 0xf8, 0x6e, 0x31, 0xca, 0xe9, 0x22, 0x44, 0xdd,
+	0xf9, 0x37, 0xad, 0xfe, 0xad, 0xd4, 0x22, 0xf4, 0x0a, 0xb5, 0x99, 0x86, 0x50, 0x59, 0xcd, 0x22,
+	0x06, 0x0f, 0xee, 0x10, 0x83, 0xf1, 0xc6, 0xdc, 0xaf, 0xfd, 0x3a, 0x27, 0x9d, 0xd2, 0x60, 0x3c,
+	0x3c, 0xbb, 0xb4, 0x1b, 0xe7, 0x97, 0x76, 0xe3, 0xe2, 0xd2, 0x6e, 0x7c, 0xcd, 0x6c, 0xe3, 0x2c,
+	0xb3, 0x8d, 0xf3, 0xcc, 0x36, 0x2e, 0x32, 0xdb, 0xf8, 0x99, 0xd9, 0xc6, 0xb7, 0x5f, 0x76, 0xe3,
+	0x5d, 0x33, 0x19, 0xfd, 0x09, 0x00, 0x00, 0xff, 0xff, 0xbb, 0x57, 0xe7, 0x15, 0xb0, 0x04, 0x00,
+	0x00,
+}
diff --git a/cli/vendor/k8s.io/api/storage/v1/generated.proto b/cli/vendor/k8s.io/api/storage/v1/generated.proto
new file mode 100644
index 00000000..ec2e20a6
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1/generated.proto
@@ -0,0 +1,78 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.storage.v1;
+
+import "k8s.io/api/storage/v1beta1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1";
+
+// StorageClass describes the parameters for a class of storage for
+// which PersistentVolumes can be dynamically provisioned.
+// 
+// StorageClasses are non-namespaced; the name of the storage class
+// according to etcd is in ObjectMeta.Name.
+message StorageClass {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Provisioner indicates the type of the provisioner.
+  optional string provisioner = 2;
+
+  // Parameters holds the parameters for the provisioner that should
+  // create volumes of this storage class.
+  // +optional
+  map<string, string> parameters = 3;
+
+  // Dynamically provisioned PersistentVolumes of this storage class are
+  // created with this reclaimPolicy. Defaults to Delete.
+  // +optional
+  optional string reclaimPolicy = 4;
+
+  // Dynamically provisioned PersistentVolumes of this storage class are
+  // created with these mountOptions, e.g. ["ro", "soft"]. Not validated -
+  // mount of the PVs will simply fail if one is invalid.
+  // +optional
+  repeated string mountOptions = 5;
+
+  // AllowVolumeExpansion shows whether the storage class allow volume expand
+  // +optional
+  optional bool allowVolumeExpansion = 6;
+}
+
+// StorageClassList is a collection of storage classes.
+message StorageClassList {
+  // Standard list metadata
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of StorageClasses
+  repeated StorageClass items = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/storage/v1/register.go b/cli/vendor/k8s.io/api/storage/v1/register.go
new file mode 100644
index 00000000..59c4e59b
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1/register.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "storage.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&StorageClass{},
+		&StorageClassList{},
+	)
+
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/storage/v1/types.go b/cli/vendor/k8s.io/api/storage/v1/types.go
new file mode 100644
index 00000000..9afdafb6
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1/types.go
@@ -0,0 +1,76 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// StorageClass describes the parameters for a class of storage for
+// which PersistentVolumes can be dynamically provisioned.
+//
+// StorageClasses are non-namespaced; the name of the storage class
+// according to etcd is in ObjectMeta.Name.
+type StorageClass struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Provisioner indicates the type of the provisioner.
+	Provisioner string `json:"provisioner" protobuf:"bytes,2,opt,name=provisioner"`
+
+	// Parameters holds the parameters for the provisioner that should
+	// create volumes of this storage class.
+	// +optional
+	Parameters map[string]string `json:"parameters,omitempty" protobuf:"bytes,3,rep,name=parameters"`
+
+	// Dynamically provisioned PersistentVolumes of this storage class are
+	// created with this reclaimPolicy. Defaults to Delete.
+	// +optional
+	ReclaimPolicy *v1.PersistentVolumeReclaimPolicy `json:"reclaimPolicy,omitempty" protobuf:"bytes,4,opt,name=reclaimPolicy,casttype=k8s.io/api/core/v1.PersistentVolumeReclaimPolicy"`
+
+	// Dynamically provisioned PersistentVolumes of this storage class are
+	// created with these mountOptions, e.g. ["ro", "soft"]. Not validated -
+	// mount of the PVs will simply fail if one is invalid.
+	// +optional
+	MountOptions []string `json:"mountOptions,omitempty" protobuf:"bytes,5,opt,name=mountOptions"`
+
+	// AllowVolumeExpansion shows whether the storage class allow volume expand
+	// +optional
+	AllowVolumeExpansion *bool `json:"allowVolumeExpansion,omitempty" protobuf:"varint,6,opt,name=allowVolumeExpansion"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// StorageClassList is a collection of storage classes.
+type StorageClassList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of StorageClasses
+	Items []StorageClass `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/storage/v1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/storage/v1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..b4be857d
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1/types_swagger_doc_generated.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_StorageClass = map[string]string{
+	"":                     "StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned.\n\nStorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name.",
+	"metadata":             "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"provisioner":          "Provisioner indicates the type of the provisioner.",
+	"parameters":           "Parameters holds the parameters for the provisioner that should create volumes of this storage class.",
+	"reclaimPolicy":        "Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.",
+	"mountOptions":         "Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. [\"ro\", \"soft\"]. Not validated - mount of the PVs will simply fail if one is invalid.",
+	"allowVolumeExpansion": "AllowVolumeExpansion shows whether the storage class allow volume expand",
+}
+
+func (StorageClass) SwaggerDoc() map[string]string {
+	return map_StorageClass
+}
+
+var map_StorageClassList = map[string]string{
+	"":         "StorageClassList is a collection of storage classes.",
+	"metadata": "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is the list of StorageClasses",
+}
+
+func (StorageClassList) SwaggerDoc() map[string]string {
+	return map_StorageClassList
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/storage/v1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/storage/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..5c83d35b
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1/zz_generated.deepcopy.go
@@ -0,0 +1,140 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1
+
+import (
+	core_v1 "k8s.io/api/core/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StorageClass).DeepCopyInto(out.(*StorageClass))
+			return nil
+		}, InType: reflect.TypeOf(&StorageClass{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StorageClassList).DeepCopyInto(out.(*StorageClassList))
+			return nil
+		}, InType: reflect.TypeOf(&StorageClassList{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StorageClass) DeepCopyInto(out *StorageClass) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.ReclaimPolicy != nil {
+		in, out := &in.ReclaimPolicy, &out.ReclaimPolicy
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(core_v1.PersistentVolumeReclaimPolicy)
+			**out = **in
+		}
+	}
+	if in.MountOptions != nil {
+		in, out := &in.MountOptions, &out.MountOptions
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.AllowVolumeExpansion != nil {
+		in, out := &in.AllowVolumeExpansion, &out.AllowVolumeExpansion
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClass.
+func (in *StorageClass) DeepCopy() *StorageClass {
+	if in == nil {
+		return nil
+	}
+	out := new(StorageClass)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StorageClass) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StorageClassList) DeepCopyInto(out *StorageClassList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]StorageClass, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClassList.
+func (in *StorageClassList) DeepCopy() *StorageClassList {
+	if in == nil {
+		return nil
+	}
+	out := new(StorageClassList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StorageClassList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
diff --git a/cli/vendor/k8s.io/api/storage/v1beta1/doc.go b/cli/vendor/k8s.io/api/storage/v1beta1/doc.go
new file mode 100644
index 00000000..6137d7a4
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+// +groupName=storage.k8s.io
+// +k8s:openapi-gen=true
+package v1beta1 // import "k8s.io/api/storage/v1beta1"
diff --git a/cli/vendor/k8s.io/api/storage/v1beta1/generated.pb.go b/cli/vendor/k8s.io/api/storage/v1beta1/generated.pb.go
new file mode 100644
index 00000000..bb1b5dab
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1beta1/generated.pb.go
@@ -0,0 +1,883 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/api/storage/v1beta1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1beta1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/api/storage/v1beta1/generated.proto
+
+	It has these top-level messages:
+		StorageClass
+		StorageClassList
+*/
+package v1beta1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_api_core_v1 "k8s.io/api/core/v1"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *StorageClass) Reset()                    { *m = StorageClass{} }
+func (*StorageClass) ProtoMessage()               {}
+func (*StorageClass) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *StorageClassList) Reset()                    { *m = StorageClassList{} }
+func (*StorageClassList) ProtoMessage()               {}
+func (*StorageClassList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func init() {
+	proto.RegisterType((*StorageClass)(nil), "k8s.io.api.storage.v1beta1.StorageClass")
+	proto.RegisterType((*StorageClassList)(nil), "k8s.io.api.storage.v1beta1.StorageClassList")
+}
+func (m *StorageClass) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StorageClass) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Provisioner)))
+	i += copy(dAtA[i:], m.Provisioner)
+	if len(m.Parameters) > 0 {
+		keysForParameters := make([]string, 0, len(m.Parameters))
+		for k := range m.Parameters {
+			keysForParameters = append(keysForParameters, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+		for _, k := range keysForParameters {
+			dAtA[i] = 0x1a
+			i++
+			v := m.Parameters[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if m.ReclaimPolicy != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.ReclaimPolicy)))
+		i += copy(dAtA[i:], *m.ReclaimPolicy)
+	}
+	if len(m.MountOptions) > 0 {
+		for _, s := range m.MountOptions {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if m.AllowVolumeExpansion != nil {
+		dAtA[i] = 0x30
+		i++
+		if *m.AllowVolumeExpansion {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *StorageClassList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StorageClassList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n2, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n2
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *StorageClass) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Provisioner)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Parameters) > 0 {
+		for k, v := range m.Parameters {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if m.ReclaimPolicy != nil {
+		l = len(*m.ReclaimPolicy)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.MountOptions) > 0 {
+		for _, s := range m.MountOptions {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.AllowVolumeExpansion != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *StorageClassList) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *StorageClass) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForParameters := make([]string, 0, len(this.Parameters))
+	for k := range this.Parameters {
+		keysForParameters = append(keysForParameters, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForParameters)
+	mapStringForParameters := "map[string]string{"
+	for _, k := range keysForParameters {
+		mapStringForParameters += fmt.Sprintf("%v: %v,", k, this.Parameters[k])
+	}
+	mapStringForParameters += "}"
+	s := strings.Join([]string{`&StorageClass{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Provisioner:` + fmt.Sprintf("%v", this.Provisioner) + `,`,
+		`Parameters:` + mapStringForParameters + `,`,
+		`ReclaimPolicy:` + valueToStringGenerated(this.ReclaimPolicy) + `,`,
+		`MountOptions:` + fmt.Sprintf("%v", this.MountOptions) + `,`,
+		`AllowVolumeExpansion:` + valueToStringGenerated(this.AllowVolumeExpansion) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StorageClassList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StorageClassList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "StorageClass", "StorageClass", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *StorageClass) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StorageClass: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StorageClass: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Provisioner", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Provisioner = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Parameters", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Parameters == nil {
+				m.Parameters = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Parameters[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Parameters[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ReclaimPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := k8s_io_api_core_v1.PersistentVolumeReclaimPolicy(dAtA[iNdEx:postIndex])
+			m.ReclaimPolicy = &s
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MountOptions", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MountOptions = append(m.MountOptions, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllowVolumeExpansion", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.AllowVolumeExpansion = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StorageClassList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StorageClassList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StorageClassList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, StorageClass{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/api/storage/v1beta1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 589 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x92, 0x4f, 0x4f, 0xd4, 0x40,
+	0x18, 0xc6, 0xb7, 0x2c, 0xab, 0x30, 0x0b, 0x71, 0x53, 0x39, 0x34, 0x7b, 0xe8, 0x6e, 0x38, 0xf5,
+	0xc2, 0x0c, 0x20, 0x1a, 0x62, 0xe2, 0xc1, 0x12, 0x0e, 0x26, 0x10, 0x36, 0x35, 0xf1, 0x60, 0x3c,
+	0x38, 0x5b, 0x5e, 0xcb, 0xd8, 0x76, 0xa6, 0x99, 0x99, 0xae, 0xee, 0xcd, 0x8f, 0xe0, 0x37, 0xf2,
+	0x64, 0xc2, 0x91, 0x23, 0xa7, 0x46, 0xea, 0xb7, 0xf0, 0x64, 0xfa, 0x47, 0x5a, 0x58, 0x88, 0xdc,
+	0x3a, 0xef, 0xfb, 0xfc, 0x9e, 0xb7, 0xf3, 0xce, 0x83, 0x0e, 0xc2, 0x7d, 0x85, 0x99, 0x20, 0x61,
+	0x3a, 0x05, 0xc9, 0x41, 0x83, 0x22, 0x33, 0xe0, 0xa7, 0x42, 0x92, 0xba, 0x41, 0x13, 0x46, 0x94,
+	0x16, 0x92, 0x06, 0x40, 0x66, 0x3b, 0x53, 0xd0, 0x74, 0x87, 0x04, 0xc0, 0x41, 0x52, 0x0d, 0xa7,
+	0x38, 0x91, 0x42, 0x0b, 0x73, 0x58, 0x69, 0x31, 0x4d, 0x18, 0xae, 0xb5, 0xb8, 0xd6, 0x0e, 0xb7,
+	0x02, 0xa6, 0xcf, 0xd2, 0x29, 0xf6, 0x45, 0x4c, 0x02, 0x11, 0x08, 0x52, 0x22, 0xd3, 0xf4, 0x53,
+	0x79, 0x2a, 0x0f, 0xe5, 0x57, 0x65, 0x35, 0xdc, 0x6c, 0x8d, 0xf5, 0x85, 0x2c, 0x66, 0xde, 0x1e,
+	0x37, 0xdc, 0x6b, 0x34, 0x31, 0xf5, 0xcf, 0x18, 0x07, 0x39, 0x27, 0x49, 0x18, 0x14, 0x05, 0x45,
+	0x62, 0xd0, 0xf4, 0x2e, 0x8a, 0xdc, 0x47, 0xc9, 0x94, 0x6b, 0x16, 0xc3, 0x02, 0xf0, 0xe2, 0x7f,
+	0x80, 0xf2, 0xcf, 0x20, 0xa6, 0x0b, 0xdc, 0xb3, 0xfb, 0xb8, 0x54, 0xb3, 0x88, 0x30, 0xae, 0x95,
+	0x96, 0xb7, 0xa1, 0xcd, 0x9f, 0xcb, 0x68, 0xed, 0x6d, 0xb5, 0xba, 0x83, 0x88, 0x2a, 0x65, 0x7e,
+	0x44, 0x2b, 0xc5, 0x4d, 0x4e, 0xa9, 0xa6, 0x96, 0x31, 0x36, 0x9c, 0xfe, 0xee, 0x36, 0x6e, 0xd6,
+	0x7c, 0x6d, 0x8c, 0x93, 0x30, 0x28, 0x0a, 0x0a, 0x17, 0x6a, 0x3c, 0xdb, 0xc1, 0x27, 0xd3, 0xcf,
+	0xe0, 0xeb, 0x63, 0xd0, 0xd4, 0x35, 0xcf, 0xb3, 0x51, 0x27, 0xcf, 0x46, 0xa8, 0xa9, 0x79, 0xd7,
+	0xae, 0xe6, 0x73, 0xd4, 0x4f, 0xa4, 0x98, 0x31, 0xc5, 0x04, 0x07, 0x69, 0x2d, 0x8d, 0x0d, 0x67,
+	0xd5, 0x7d, 0x5a, 0x23, 0xfd, 0x49, 0xd3, 0xf2, 0xda, 0x3a, 0x33, 0x42, 0x28, 0xa1, 0x92, 0xc6,
+	0xa0, 0x41, 0x2a, 0xab, 0x3b, 0xee, 0x3a, 0xfd, 0xdd, 0x7d, 0x7c, 0x7f, 0x02, 0x70, 0xfb, 0x5a,
+	0x78, 0x72, 0x8d, 0x1e, 0x72, 0x2d, 0xe7, 0xcd, 0x2f, 0x36, 0x0d, 0xaf, 0xe5, 0x6f, 0x86, 0x68,
+	0x5d, 0x82, 0x1f, 0x51, 0x16, 0x4f, 0x44, 0xc4, 0xfc, 0xb9, 0xb5, 0x5c, 0xfe, 0xe6, 0x61, 0x9e,
+	0x8d, 0xd6, 0xbd, 0x76, 0xe3, 0x4f, 0x36, 0xda, 0x5e, 0xcc, 0x0e, 0x9e, 0x80, 0x54, 0x4c, 0x69,
+	0xe0, 0xfa, 0x9d, 0x88, 0xd2, 0x18, 0x6e, 0x30, 0xde, 0x4d, 0x6f, 0x73, 0x0f, 0xad, 0xc5, 0x22,
+	0xe5, 0xfa, 0x24, 0xd1, 0x4c, 0x70, 0x65, 0xf5, 0xc6, 0x5d, 0x67, 0xd5, 0x1d, 0xe4, 0xd9, 0x68,
+	0xed, 0xb8, 0x55, 0xf7, 0x6e, 0xa8, 0xcc, 0x23, 0xb4, 0x41, 0xa3, 0x48, 0x7c, 0xa9, 0x06, 0x1c,
+	0x7e, 0x4d, 0x28, 0x2f, 0x56, 0x65, 0x3d, 0x1a, 0x1b, 0xce, 0x8a, 0x6b, 0xe5, 0xd9, 0x68, 0xe3,
+	0xf5, 0x1d, 0x7d, 0xef, 0x4e, 0x6a, 0xf8, 0x0a, 0x3d, 0xb9, 0xb5, 0x23, 0x73, 0x80, 0xba, 0x21,
+	0xcc, 0xcb, 0x14, 0xac, 0x7a, 0xc5, 0xa7, 0xb9, 0x81, 0x7a, 0x33, 0x1a, 0xa5, 0x50, 0x3d, 0x9a,
+	0x57, 0x1d, 0x5e, 0x2e, 0xed, 0x1b, 0x9b, 0x3f, 0x0c, 0x34, 0x68, 0x2f, 0xfc, 0x88, 0x29, 0x6d,
+	0x7e, 0x58, 0xc8, 0x12, 0x7e, 0x58, 0x96, 0x0a, 0xba, 0x4c, 0xd2, 0xa0, 0x7e, 0xa6, 0x95, 0x7f,
+	0x95, 0x56, 0x8e, 0x8e, 0x51, 0x8f, 0x69, 0x88, 0x95, 0xb5, 0x54, 0x66, 0xc1, 0x79, 0x68, 0x16,
+	0xdc, 0xf5, 0xda, 0xb4, 0xf7, 0xa6, 0xc0, 0xbd, 0xca, 0xc5, 0xdd, 0x3a, 0xbf, 0xb2, 0x3b, 0x17,
+	0x57, 0x76, 0xe7, 0xf2, 0xca, 0xee, 0x7c, 0xcb, 0x6d, 0xe3, 0x3c, 0xb7, 0x8d, 0x8b, 0xdc, 0x36,
+	0x2e, 0x73, 0xdb, 0xf8, 0x95, 0xdb, 0xc6, 0xf7, 0xdf, 0x76, 0xe7, 0xfd, 0xe3, 0xda, 0xf1, 0x6f,
+	0x00, 0x00, 0x00, 0xff, 0xff, 0x1b, 0xae, 0x44, 0x72, 0xc1, 0x04, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/api/storage/v1beta1/generated.proto b/cli/vendor/k8s.io/api/storage/v1beta1/generated.proto
new file mode 100644
index 00000000..2594581f
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1beta1/generated.proto
@@ -0,0 +1,78 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.storage.v1beta1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// StorageClass describes the parameters for a class of storage for
+// which PersistentVolumes can be dynamically provisioned.
+// 
+// StorageClasses are non-namespaced; the name of the storage class
+// according to etcd is in ObjectMeta.Name.
+message StorageClass {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Provisioner indicates the type of the provisioner.
+  optional string provisioner = 2;
+
+  // Parameters holds the parameters for the provisioner that should
+  // create volumes of this storage class.
+  // +optional
+  map<string, string> parameters = 3;
+
+  // Dynamically provisioned PersistentVolumes of this storage class are
+  // created with this reclaimPolicy. Defaults to Delete.
+  // +optional
+  optional string reclaimPolicy = 4;
+
+  // Dynamically provisioned PersistentVolumes of this storage class are
+  // created with these mountOptions, e.g. ["ro", "soft"]. Not validated -
+  // mount of the PVs will simply fail if one is invalid.
+  // +optional
+  repeated string mountOptions = 5;
+
+  // AllowVolumeExpansion shows whether the storage class allow volume expand
+  // +optional
+  optional bool allowVolumeExpansion = 6;
+}
+
+// StorageClassList is a collection of storage classes.
+message StorageClassList {
+  // Standard list metadata
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of StorageClasses
+  repeated StorageClass items = 2;
+}
+
diff --git a/cli/vendor/k8s.io/api/storage/v1beta1/register.go b/cli/vendor/k8s.io/api/storage/v1beta1/register.go
new file mode 100644
index 00000000..759ba81a
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1beta1/register.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name use in this package
+const GroupName = "storage.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      = runtime.NewSchemeBuilder(addKnownTypes)
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to api.Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&StorageClass{},
+		&StorageClassList{},
+	)
+
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/api/storage/v1beta1/types.go b/cli/vendor/k8s.io/api/storage/v1beta1/types.go
new file mode 100644
index 00000000..e5036b55
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1beta1/types.go
@@ -0,0 +1,76 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// StorageClass describes the parameters for a class of storage for
+// which PersistentVolumes can be dynamically provisioned.
+//
+// StorageClasses are non-namespaced; the name of the storage class
+// according to etcd is in ObjectMeta.Name.
+type StorageClass struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Provisioner indicates the type of the provisioner.
+	Provisioner string `json:"provisioner" protobuf:"bytes,2,opt,name=provisioner"`
+
+	// Parameters holds the parameters for the provisioner that should
+	// create volumes of this storage class.
+	// +optional
+	Parameters map[string]string `json:"parameters,omitempty" protobuf:"bytes,3,rep,name=parameters"`
+
+	// Dynamically provisioned PersistentVolumes of this storage class are
+	// created with this reclaimPolicy. Defaults to Delete.
+	// +optional
+	ReclaimPolicy *v1.PersistentVolumeReclaimPolicy `json:"reclaimPolicy,omitempty" protobuf:"bytes,4,opt,name=reclaimPolicy,casttype=k8s.io/api/core/v1.PersistentVolumeReclaimPolicy"`
+
+	// Dynamically provisioned PersistentVolumes of this storage class are
+	// created with these mountOptions, e.g. ["ro", "soft"]. Not validated -
+	// mount of the PVs will simply fail if one is invalid.
+	// +optional
+	MountOptions []string `json:"mountOptions,omitempty" protobuf:"bytes,5,opt,name=mountOptions"`
+
+	// AllowVolumeExpansion shows whether the storage class allow volume expand
+	// +optional
+	AllowVolumeExpansion *bool `json:"allowVolumeExpansion,omitempty" protobuf:"varint,6,opt,name=allowVolumeExpansion"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// StorageClassList is a collection of storage classes.
+type StorageClassList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of StorageClasses
+	Items []StorageClass `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..e2148c23
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1beta1/types_swagger_doc_generated.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_StorageClass = map[string]string{
+	"":                     "StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned.\n\nStorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name.",
+	"metadata":             "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"provisioner":          "Provisioner indicates the type of the provisioner.",
+	"parameters":           "Parameters holds the parameters for the provisioner that should create volumes of this storage class.",
+	"reclaimPolicy":        "Dynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.",
+	"mountOptions":         "Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. [\"ro\", \"soft\"]. Not validated - mount of the PVs will simply fail if one is invalid.",
+	"allowVolumeExpansion": "AllowVolumeExpansion shows whether the storage class allow volume expand",
+}
+
+func (StorageClass) SwaggerDoc() map[string]string {
+	return map_StorageClass
+}
+
+var map_StorageClassList = map[string]string{
+	"":         "StorageClassList is a collection of storage classes.",
+	"metadata": "Standard list metadata More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"items":    "Items is the list of StorageClasses",
+}
+
+func (StorageClassList) SwaggerDoc() map[string]string {
+	return map_StorageClassList
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/api/storage/v1beta1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/api/storage/v1beta1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..011a5b2b
--- /dev/null
+++ b/cli/vendor/k8s.io/api/storage/v1beta1/zz_generated.deepcopy.go
@@ -0,0 +1,140 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1beta1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StorageClass).DeepCopyInto(out.(*StorageClass))
+			return nil
+		}, InType: reflect.TypeOf(&StorageClass{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StorageClassList).DeepCopyInto(out.(*StorageClassList))
+			return nil
+		}, InType: reflect.TypeOf(&StorageClassList{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StorageClass) DeepCopyInto(out *StorageClass) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.ReclaimPolicy != nil {
+		in, out := &in.ReclaimPolicy, &out.ReclaimPolicy
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.PersistentVolumeReclaimPolicy)
+			**out = **in
+		}
+	}
+	if in.MountOptions != nil {
+		in, out := &in.MountOptions, &out.MountOptions
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.AllowVolumeExpansion != nil {
+		in, out := &in.AllowVolumeExpansion, &out.AllowVolumeExpansion
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClass.
+func (in *StorageClass) DeepCopy() *StorageClass {
+	if in == nil {
+		return nil
+	}
+	out := new(StorageClass)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StorageClass) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StorageClassList) DeepCopyInto(out *StorageClassList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]StorageClass, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClassList.
+func (in *StorageClassList) DeepCopy() *StorageClassList {
+	if in == nil {
+		return nil
+	}
+	out := new(StorageClassList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *StorageClassList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/LICENSE b/cli/vendor/k8s.io/apimachinery/LICENSE
new file mode 100644
index 00000000..d6456956
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/cli/vendor/k8s.io/apimachinery/README.md b/cli/vendor/k8s.io/apimachinery/README.md
new file mode 100644
index 00000000..98899fb5
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/README.md
@@ -0,0 +1,29 @@
+# apimachinery
+
+Scheme, typing, encoding, decoding, and conversion packages for Kubernetes and Kubernetes-like API objects.
+
+
+## Purpose
+
+This library is a shared dependency for servers and clients to work with Kubernetes API infrastructure without direct 
+type dependencies.  It's first comsumers are `k8s.io/kubernetes`, `k8s.io/client-go`, and `k8s.io/apiserver`.
+
+
+## Compatibility
+
+There are *NO compatibility guarantees* for this repository.  It is in direct support of Kubernetes, so branches
+will track Kubernetes and be compatible with that repo.  As we more cleanly separate the layers, we will review the
+compatibility guarantee.
+
+
+## Where does it come from?
+
+`apimachinery` is synced from https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery.
+Code changes are made in that location, merged into `k8s.io/kubernetes` and later synced here.
+
+
+## Things you should *NOT* do
+
+ 1. Add API types to this repo.  This is for the machinery, not for the types.
+ 2. Directly modify any files under `pkg` in this repo.  Those are driven from `k8s.io/kuberenetes/staging/src/k8s.io/apimachinery`.
+ 3. Expect compatibility.  This repo is direct support of Kubernetes and the API isn't yet stable enough for API guarantees.
\ No newline at end of file
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/equality/semantic.go b/cli/vendor/k8s.io/apimachinery/pkg/api/equality/semantic.go
new file mode 100644
index 00000000..f02fa8e4
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/equality/semantic.go
@@ -0,0 +1,49 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package equality
+
+import (
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+)
+
+// Semantic can do semantic deep equality checks for api objects.
+// Example: apiequality.Semantic.DeepEqual(aPod, aPodWithNonNilButEmptyMaps) == true
+var Semantic = conversion.EqualitiesOrDie(
+	func(a, b resource.Quantity) bool {
+		// Ignore formatting, only care that numeric value stayed the same.
+		// TODO: if we decide it's important, it should be safe to start comparing the format.
+		//
+		// Uninitialized quantities are equivalent to 0 quantities.
+		return a.Cmp(b) == 0
+	},
+	func(a, b metav1.MicroTime) bool {
+		return a.UTC() == b.UTC()
+	},
+	func(a, b metav1.Time) bool {
+		return a.UTC() == b.UTC()
+	},
+	func(a, b labels.Selector) bool {
+		return a.String() == b.String()
+	},
+	func(a, b fields.Selector) bool {
+		return a.String() == b.String()
+	},
+)
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/errors/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/api/errors/doc.go
new file mode 100644
index 00000000..167baf68
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/errors/doc.go
@@ -0,0 +1,18 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package errors provides detailed error types for api field validation.
+package errors // import "k8s.io/apimachinery/pkg/api/errors"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/errors/errors.go b/cli/vendor/k8s.io/apimachinery/pkg/api/errors/errors.go
new file mode 100644
index 00000000..d5503fac
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/errors/errors.go
@@ -0,0 +1,545 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package errors
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+const (
+	// StatusTooManyRequests means the server experienced too many requests within a
+	// given window and that the client must wait to perform the action again.
+	StatusTooManyRequests = 429
+)
+
+// StatusError is an error intended for consumption by a REST API server; it can also be
+// reconstructed by clients from a REST response. Public to allow easy type switches.
+type StatusError struct {
+	ErrStatus metav1.Status
+}
+
+// APIStatus is exposed by errors that can be converted to an api.Status object
+// for finer grained details.
+type APIStatus interface {
+	Status() metav1.Status
+}
+
+var _ error = &StatusError{}
+
+// Error implements the Error interface.
+func (e *StatusError) Error() string {
+	return e.ErrStatus.Message
+}
+
+// Status allows access to e's status without having to know the detailed workings
+// of StatusError.
+func (e *StatusError) Status() metav1.Status {
+	return e.ErrStatus
+}
+
+// DebugError reports extended info about the error to debug output.
+func (e *StatusError) DebugError() (string, []interface{}) {
+	if out, err := json.MarshalIndent(e.ErrStatus, "", "  "); err == nil {
+		return "server response object: %s", []interface{}{string(out)}
+	}
+	return "server response object: %#v", []interface{}{e.ErrStatus}
+}
+
+// UnexpectedObjectError can be returned by FromObject if it's passed a non-status object.
+type UnexpectedObjectError struct {
+	Object runtime.Object
+}
+
+// Error returns an error message describing 'u'.
+func (u *UnexpectedObjectError) Error() string {
+	return fmt.Sprintf("unexpected object: %v", u.Object)
+}
+
+// FromObject generates an StatusError from an metav1.Status, if that is the type of obj; otherwise,
+// returns an UnexpecteObjectError.
+func FromObject(obj runtime.Object) error {
+	switch t := obj.(type) {
+	case *metav1.Status:
+		return &StatusError{*t}
+	}
+	return &UnexpectedObjectError{obj}
+}
+
+// NewNotFound returns a new error which indicates that the resource of the kind and the name was not found.
+func NewNotFound(qualifiedResource schema.GroupResource, name string) *StatusError {
+	return &StatusError{metav1.Status{
+		Status: metav1.StatusFailure,
+		Code:   http.StatusNotFound,
+		Reason: metav1.StatusReasonNotFound,
+		Details: &metav1.StatusDetails{
+			Group: qualifiedResource.Group,
+			Kind:  qualifiedResource.Resource,
+			Name:  name,
+		},
+		Message: fmt.Sprintf("%s %q not found", qualifiedResource.String(), name),
+	}}
+}
+
+// NewAlreadyExists returns an error indicating the item requested exists by that identifier.
+func NewAlreadyExists(qualifiedResource schema.GroupResource, name string) *StatusError {
+	return &StatusError{metav1.Status{
+		Status: metav1.StatusFailure,
+		Code:   http.StatusConflict,
+		Reason: metav1.StatusReasonAlreadyExists,
+		Details: &metav1.StatusDetails{
+			Group: qualifiedResource.Group,
+			Kind:  qualifiedResource.Resource,
+			Name:  name,
+		},
+		Message: fmt.Sprintf("%s %q already exists", qualifiedResource.String(), name),
+	}}
+}
+
+// NewUnauthorized returns an error indicating the client is not authorized to perform the requested
+// action.
+func NewUnauthorized(reason string) *StatusError {
+	message := reason
+	if len(message) == 0 {
+		message = "not authorized"
+	}
+	return &StatusError{metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    http.StatusUnauthorized,
+		Reason:  metav1.StatusReasonUnauthorized,
+		Message: message,
+	}}
+}
+
+// NewForbidden returns an error indicating the requested action was forbidden
+func NewForbidden(qualifiedResource schema.GroupResource, name string, err error) *StatusError {
+	var message string
+	if qualifiedResource.Empty() {
+		message = fmt.Sprintf("forbidden: %v", err)
+	} else if name == "" {
+		message = fmt.Sprintf("%s is forbidden: %v", qualifiedResource.String(), err)
+	} else {
+		message = fmt.Sprintf("%s %q is forbidden: %v", qualifiedResource.String(), name, err)
+	}
+	return &StatusError{metav1.Status{
+		Status: metav1.StatusFailure,
+		Code:   http.StatusForbidden,
+		Reason: metav1.StatusReasonForbidden,
+		Details: &metav1.StatusDetails{
+			Group: qualifiedResource.Group,
+			Kind:  qualifiedResource.Resource,
+			Name:  name,
+		},
+		Message: message,
+	}}
+}
+
+// NewConflict returns an error indicating the item can't be updated as provided.
+func NewConflict(qualifiedResource schema.GroupResource, name string, err error) *StatusError {
+	return &StatusError{metav1.Status{
+		Status: metav1.StatusFailure,
+		Code:   http.StatusConflict,
+		Reason: metav1.StatusReasonConflict,
+		Details: &metav1.StatusDetails{
+			Group: qualifiedResource.Group,
+			Kind:  qualifiedResource.Resource,
+			Name:  name,
+		},
+		Message: fmt.Sprintf("Operation cannot be fulfilled on %s %q: %v", qualifiedResource.String(), name, err),
+	}}
+}
+
+// NewGone returns an error indicating the item no longer available at the server and no forwarding address is known.
+func NewGone(message string) *StatusError {
+	return &StatusError{metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    http.StatusGone,
+		Reason:  metav1.StatusReasonGone,
+		Message: message,
+	}}
+}
+
+// NewResourceExpired creates an error that indicates that the requested resource content has expired from
+// the server (usually due to a resourceVersion that is too old).
+func NewResourceExpired(message string) *StatusError {
+	return &StatusError{metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    http.StatusGone,
+		Reason:  metav1.StatusReasonExpired,
+		Message: message,
+	}}
+}
+
+// NewInvalid returns an error indicating the item is invalid and cannot be processed.
+func NewInvalid(qualifiedKind schema.GroupKind, name string, errs field.ErrorList) *StatusError {
+	causes := make([]metav1.StatusCause, 0, len(errs))
+	for i := range errs {
+		err := errs[i]
+		causes = append(causes, metav1.StatusCause{
+			Type:    metav1.CauseType(err.Type),
+			Message: err.ErrorBody(),
+			Field:   err.Field,
+		})
+	}
+	return &StatusError{metav1.Status{
+		Status: metav1.StatusFailure,
+		Code:   http.StatusUnprocessableEntity,
+		Reason: metav1.StatusReasonInvalid,
+		Details: &metav1.StatusDetails{
+			Group:  qualifiedKind.Group,
+			Kind:   qualifiedKind.Kind,
+			Name:   name,
+			Causes: causes,
+		},
+		Message: fmt.Sprintf("%s %q is invalid: %v", qualifiedKind.String(), name, errs.ToAggregate()),
+	}}
+}
+
+// NewBadRequest creates an error that indicates that the request is invalid and can not be processed.
+func NewBadRequest(reason string) *StatusError {
+	return &StatusError{metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    http.StatusBadRequest,
+		Reason:  metav1.StatusReasonBadRequest,
+		Message: reason,
+	}}
+}
+
+// NewTooManyRequests creates an error that indicates that the client must try again later because
+// the specified endpoint is not accepting requests. More specific details should be provided
+// if client should know why the failure was limited4.
+func NewTooManyRequests(message string, retryAfterSeconds int) *StatusError {
+	return &StatusError{metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    http.StatusTooManyRequests,
+		Reason:  metav1.StatusReasonTooManyRequests,
+		Message: message,
+		Details: &metav1.StatusDetails{
+			RetryAfterSeconds: int32(retryAfterSeconds),
+		},
+	}}
+}
+
+// NewServiceUnavailable creates an error that indicates that the requested service is unavailable.
+func NewServiceUnavailable(reason string) *StatusError {
+	return &StatusError{metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    http.StatusServiceUnavailable,
+		Reason:  metav1.StatusReasonServiceUnavailable,
+		Message: reason,
+	}}
+}
+
+// NewMethodNotSupported returns an error indicating the requested action is not supported on this kind.
+func NewMethodNotSupported(qualifiedResource schema.GroupResource, action string) *StatusError {
+	return &StatusError{metav1.Status{
+		Status: metav1.StatusFailure,
+		Code:   http.StatusMethodNotAllowed,
+		Reason: metav1.StatusReasonMethodNotAllowed,
+		Details: &metav1.StatusDetails{
+			Group: qualifiedResource.Group,
+			Kind:  qualifiedResource.Resource,
+		},
+		Message: fmt.Sprintf("%s is not supported on resources of kind %q", action, qualifiedResource.String()),
+	}}
+}
+
+// NewServerTimeout returns an error indicating the requested action could not be completed due to a
+// transient error, and the client should try again.
+func NewServerTimeout(qualifiedResource schema.GroupResource, operation string, retryAfterSeconds int) *StatusError {
+	return &StatusError{metav1.Status{
+		Status: metav1.StatusFailure,
+		Code:   http.StatusInternalServerError,
+		Reason: metav1.StatusReasonServerTimeout,
+		Details: &metav1.StatusDetails{
+			Group:             qualifiedResource.Group,
+			Kind:              qualifiedResource.Resource,
+			Name:              operation,
+			RetryAfterSeconds: int32(retryAfterSeconds),
+		},
+		Message: fmt.Sprintf("The %s operation against %s could not be completed at this time, please try again.", operation, qualifiedResource.String()),
+	}}
+}
+
+// NewServerTimeoutForKind should not exist.  Server timeouts happen when accessing resources, the Kind is just what we
+// happened to be looking at when the request failed.  This delegates to keep code sane, but we should work towards removing this.
+func NewServerTimeoutForKind(qualifiedKind schema.GroupKind, operation string, retryAfterSeconds int) *StatusError {
+	return NewServerTimeout(schema.GroupResource{Group: qualifiedKind.Group, Resource: qualifiedKind.Kind}, operation, retryAfterSeconds)
+}
+
+// NewInternalError returns an error indicating the item is invalid and cannot be processed.
+func NewInternalError(err error) *StatusError {
+	return &StatusError{metav1.Status{
+		Status: metav1.StatusFailure,
+		Code:   http.StatusInternalServerError,
+		Reason: metav1.StatusReasonInternalError,
+		Details: &metav1.StatusDetails{
+			Causes: []metav1.StatusCause{{Message: err.Error()}},
+		},
+		Message: fmt.Sprintf("Internal error occurred: %v", err),
+	}}
+}
+
+// NewTimeoutError returns an error indicating that a timeout occurred before the request
+// could be completed.  Clients may retry, but the operation may still complete.
+func NewTimeoutError(message string, retryAfterSeconds int) *StatusError {
+	return &StatusError{metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    http.StatusGatewayTimeout,
+		Reason:  metav1.StatusReasonTimeout,
+		Message: fmt.Sprintf("Timeout: %s", message),
+		Details: &metav1.StatusDetails{
+			RetryAfterSeconds: int32(retryAfterSeconds),
+		},
+	}}
+}
+
+// NewTooManyRequestsError returns an error indicating that the request was rejected because
+// the server has received too many requests. Client should wait and retry. But if the request
+// is perishable, then the client should not retry the request.
+func NewTooManyRequestsError(message string) *StatusError {
+	return &StatusError{metav1.Status{
+		Status:  metav1.StatusFailure,
+		Code:    StatusTooManyRequests,
+		Reason:  metav1.StatusReasonTooManyRequests,
+		Message: fmt.Sprintf("Too many requests: %s", message),
+	}}
+}
+
+// NewGenericServerResponse returns a new error for server responses that are not in a recognizable form.
+func NewGenericServerResponse(code int, verb string, qualifiedResource schema.GroupResource, name, serverMessage string, retryAfterSeconds int, isUnexpectedResponse bool) *StatusError {
+	reason := metav1.StatusReasonUnknown
+	message := fmt.Sprintf("the server responded with the status code %d but did not return more information", code)
+	switch code {
+	case http.StatusConflict:
+		if verb == "POST" {
+			reason = metav1.StatusReasonAlreadyExists
+		} else {
+			reason = metav1.StatusReasonConflict
+		}
+		message = "the server reported a conflict"
+	case http.StatusNotFound:
+		reason = metav1.StatusReasonNotFound
+		message = "the server could not find the requested resource"
+	case http.StatusBadRequest:
+		reason = metav1.StatusReasonBadRequest
+		message = "the server rejected our request for an unknown reason"
+	case http.StatusUnauthorized:
+		reason = metav1.StatusReasonUnauthorized
+		message = "the server has asked for the client to provide credentials"
+	case http.StatusForbidden:
+		reason = metav1.StatusReasonForbidden
+		// the server message has details about who is trying to perform what action.  Keep its message.
+		message = serverMessage
+	case http.StatusMethodNotAllowed:
+		reason = metav1.StatusReasonMethodNotAllowed
+		message = "the server does not allow this method on the requested resource"
+	case http.StatusUnprocessableEntity:
+		reason = metav1.StatusReasonInvalid
+		message = "the server rejected our request due to an error in our request"
+	case http.StatusGatewayTimeout:
+		reason = metav1.StatusReasonTimeout
+		message = "the server was unable to return a response in the time allotted, but may still be processing the request"
+	case http.StatusTooManyRequests:
+		reason = metav1.StatusReasonTooManyRequests
+		message = "the server has received too many requests and has asked us to try again later"
+	default:
+		if code >= 500 {
+			reason = metav1.StatusReasonInternalError
+			message = fmt.Sprintf("an error on the server (%q) has prevented the request from succeeding", serverMessage)
+		}
+	}
+	switch {
+	case !qualifiedResource.Empty() && len(name) > 0:
+		message = fmt.Sprintf("%s (%s %s %s)", message, strings.ToLower(verb), qualifiedResource.String(), name)
+	case !qualifiedResource.Empty():
+		message = fmt.Sprintf("%s (%s %s)", message, strings.ToLower(verb), qualifiedResource.String())
+	}
+	var causes []metav1.StatusCause
+	if isUnexpectedResponse {
+		causes = []metav1.StatusCause{
+			{
+				Type:    metav1.CauseTypeUnexpectedServerResponse,
+				Message: serverMessage,
+			},
+		}
+	} else {
+		causes = nil
+	}
+	return &StatusError{metav1.Status{
+		Status: metav1.StatusFailure,
+		Code:   int32(code),
+		Reason: reason,
+		Details: &metav1.StatusDetails{
+			Group: qualifiedResource.Group,
+			Kind:  qualifiedResource.Resource,
+			Name:  name,
+
+			Causes:            causes,
+			RetryAfterSeconds: int32(retryAfterSeconds),
+		},
+		Message: message,
+	}}
+}
+
+// IsNotFound returns true if the specified error was created by NewNotFound.
+func IsNotFound(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonNotFound
+}
+
+// IsAlreadyExists determines if the err is an error which indicates that a specified resource already exists.
+func IsAlreadyExists(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonAlreadyExists
+}
+
+// IsConflict determines if the err is an error which indicates the provided update conflicts.
+func IsConflict(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonConflict
+}
+
+// IsInvalid determines if the err is an error which indicates the provided resource is not valid.
+func IsInvalid(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonInvalid
+}
+
+// IsGone is true if the error indicates the requested resource is no longer available.
+func IsGone(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonGone
+}
+
+// IsResourceExpired is true if the error indicates the resource has expired and the current action is
+// no longer possible.
+func IsResourceExpired(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonExpired
+}
+
+// IsMethodNotSupported determines if the err is an error which indicates the provided action could not
+// be performed because it is not supported by the server.
+func IsMethodNotSupported(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonMethodNotAllowed
+}
+
+// IsServiceUnavailable is true if the error indicates the underlying service is no longer available.
+func IsServiceUnavailable(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonServiceUnavailable
+}
+
+// IsBadRequest determines if err is an error which indicates that the request is invalid.
+func IsBadRequest(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonBadRequest
+}
+
+// IsUnauthorized determines if err is an error which indicates that the request is unauthorized and
+// requires authentication by the user.
+func IsUnauthorized(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonUnauthorized
+}
+
+// IsForbidden determines if err is an error which indicates that the request is forbidden and cannot
+// be completed as requested.
+func IsForbidden(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonForbidden
+}
+
+// IsTimeout determines if err is an error which indicates that request times out due to long
+// processing.
+func IsTimeout(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonTimeout
+}
+
+// IsServerTimeout determines if err is an error which indicates that the request needs to be retried
+// by the client.
+func IsServerTimeout(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonServerTimeout
+}
+
+// IsInternalError determines if err is an error which indicates an internal server error.
+func IsInternalError(err error) bool {
+	return reasonForError(err) == metav1.StatusReasonInternalError
+}
+
+// IsTooManyRequests determines if err is an error which indicates that there are too many requests
+// that the server cannot handle.
+func IsTooManyRequests(err error) bool {
+	if reasonForError(err) == metav1.StatusReasonTooManyRequests {
+		return true
+	}
+	switch t := err.(type) {
+	case APIStatus:
+		return t.Status().Code == http.StatusTooManyRequests
+	}
+	return false
+}
+
+// IsUnexpectedServerError returns true if the server response was not in the expected API format,
+// and may be the result of another HTTP actor.
+func IsUnexpectedServerError(err error) bool {
+	switch t := err.(type) {
+	case APIStatus:
+		if d := t.Status().Details; d != nil {
+			for _, cause := range d.Causes {
+				if cause.Type == metav1.CauseTypeUnexpectedServerResponse {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+// IsUnexpectedObjectError determines if err is due to an unexpected object from the master.
+func IsUnexpectedObjectError(err error) bool {
+	_, ok := err.(*UnexpectedObjectError)
+	return err != nil && ok
+}
+
+// SuggestsClientDelay returns true if this error suggests a client delay as well as the
+// suggested seconds to wait, or false if the error does not imply a wait. It does not
+// address whether the error *should* be retried, since some errors (like a 3xx) may
+// request delay without retry.
+func SuggestsClientDelay(err error) (int, bool) {
+	switch t := err.(type) {
+	case APIStatus:
+		if t.Status().Details != nil {
+			switch t.Status().Reason {
+			// this StatusReason explicitly requests the caller to delay the action
+			case metav1.StatusReasonServerTimeout:
+				return int(t.Status().Details.RetryAfterSeconds), true
+			}
+			// If the client requests that we retry after a certain number of seconds
+			if t.Status().Details.RetryAfterSeconds > 0 {
+				return int(t.Status().Details.RetryAfterSeconds), true
+			}
+		}
+	}
+	return 0, false
+}
+
+func reasonForError(err error) metav1.StatusReason {
+	switch t := err.(type) {
+	case APIStatus:
+		return t.Status().Reason
+	}
+	return metav1.StatusReasonUnknown
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/meta/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/doc.go
new file mode 100644
index 00000000..b6d42acf
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package meta provides functions for retrieving API metadata from objects
+// belonging to the Kubernetes API
+package meta // import "k8s.io/apimachinery/pkg/api/meta"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/meta/errors.go b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/errors.go
new file mode 100644
index 00000000..1503bd6d
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/errors.go
@@ -0,0 +1,105 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// AmbiguousResourceError is returned if the RESTMapper finds multiple matches for a resource
+type AmbiguousResourceError struct {
+	PartialResource schema.GroupVersionResource
+
+	MatchingResources []schema.GroupVersionResource
+	MatchingKinds     []schema.GroupVersionKind
+}
+
+func (e *AmbiguousResourceError) Error() string {
+	switch {
+	case len(e.MatchingKinds) > 0 && len(e.MatchingResources) > 0:
+		return fmt.Sprintf("%v matches multiple resources %v and kinds %v", e.PartialResource, e.MatchingResources, e.MatchingKinds)
+	case len(e.MatchingKinds) > 0:
+		return fmt.Sprintf("%v matches multiple kinds %v", e.PartialResource, e.MatchingKinds)
+	case len(e.MatchingResources) > 0:
+		return fmt.Sprintf("%v matches multiple resources %v", e.PartialResource, e.MatchingResources)
+	}
+	return fmt.Sprintf("%v matches multiple resources or kinds", e.PartialResource)
+}
+
+// AmbiguousKindError is returned if the RESTMapper finds multiple matches for a kind
+type AmbiguousKindError struct {
+	PartialKind schema.GroupVersionKind
+
+	MatchingResources []schema.GroupVersionResource
+	MatchingKinds     []schema.GroupVersionKind
+}
+
+func (e *AmbiguousKindError) Error() string {
+	switch {
+	case len(e.MatchingKinds) > 0 && len(e.MatchingResources) > 0:
+		return fmt.Sprintf("%v matches multiple resources %v and kinds %v", e.PartialKind, e.MatchingResources, e.MatchingKinds)
+	case len(e.MatchingKinds) > 0:
+		return fmt.Sprintf("%v matches multiple kinds %v", e.PartialKind, e.MatchingKinds)
+	case len(e.MatchingResources) > 0:
+		return fmt.Sprintf("%v matches multiple resources %v", e.PartialKind, e.MatchingResources)
+	}
+	return fmt.Sprintf("%v matches multiple resources or kinds", e.PartialKind)
+}
+
+func IsAmbiguousError(err error) bool {
+	if err == nil {
+		return false
+	}
+	switch err.(type) {
+	case *AmbiguousResourceError, *AmbiguousKindError:
+		return true
+	default:
+		return false
+	}
+}
+
+// NoResourceMatchError is returned if the RESTMapper can't find any match for a resource
+type NoResourceMatchError struct {
+	PartialResource schema.GroupVersionResource
+}
+
+func (e *NoResourceMatchError) Error() string {
+	return fmt.Sprintf("no matches for %v", e.PartialResource)
+}
+
+// NoKindMatchError is returned if the RESTMapper can't find any match for a kind
+type NoKindMatchError struct {
+	PartialKind schema.GroupVersionKind
+}
+
+func (e *NoKindMatchError) Error() string {
+	return fmt.Sprintf("no matches for %v", e.PartialKind)
+}
+
+func IsNoMatchError(err error) bool {
+	if err == nil {
+		return false
+	}
+	switch err.(type) {
+	case *NoResourceMatchError, *NoKindMatchError:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/meta/firsthit_restmapper.go b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/firsthit_restmapper.go
new file mode 100644
index 00000000..fd221002
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/firsthit_restmapper.go
@@ -0,0 +1,97 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+)
+
+// FirstHitRESTMapper is a wrapper for multiple RESTMappers which returns the
+// first successful result for the singular requests
+type FirstHitRESTMapper struct {
+	MultiRESTMapper
+}
+
+func (m FirstHitRESTMapper) String() string {
+	return fmt.Sprintf("FirstHitRESTMapper{\n\t%v\n}", m.MultiRESTMapper)
+}
+
+func (m FirstHitRESTMapper) ResourceFor(resource schema.GroupVersionResource) (schema.GroupVersionResource, error) {
+	errors := []error{}
+	for _, t := range m.MultiRESTMapper {
+		ret, err := t.ResourceFor(resource)
+		if err == nil {
+			return ret, nil
+		}
+		errors = append(errors, err)
+	}
+
+	return schema.GroupVersionResource{}, collapseAggregateErrors(errors)
+}
+
+func (m FirstHitRESTMapper) KindFor(resource schema.GroupVersionResource) (schema.GroupVersionKind, error) {
+	errors := []error{}
+	for _, t := range m.MultiRESTMapper {
+		ret, err := t.KindFor(resource)
+		if err == nil {
+			return ret, nil
+		}
+		errors = append(errors, err)
+	}
+
+	return schema.GroupVersionKind{}, collapseAggregateErrors(errors)
+}
+
+// RESTMapping provides the REST mapping for the resource based on the
+// kind and version. This implementation supports multiple REST schemas and
+// return the first match.
+func (m FirstHitRESTMapper) RESTMapping(gk schema.GroupKind, versions ...string) (*RESTMapping, error) {
+	errors := []error{}
+	for _, t := range m.MultiRESTMapper {
+		ret, err := t.RESTMapping(gk, versions...)
+		if err == nil {
+			return ret, nil
+		}
+		errors = append(errors, err)
+	}
+
+	return nil, collapseAggregateErrors(errors)
+}
+
+// collapseAggregateErrors returns the minimal errors.  it handles empty as nil, handles one item in a list
+// by returning the item, and collapses all NoMatchErrors to a single one (since they should all be the same)
+func collapseAggregateErrors(errors []error) error {
+	if len(errors) == 0 {
+		return nil
+	}
+	if len(errors) == 1 {
+		return errors[0]
+	}
+
+	allNoMatchErrors := true
+	for _, err := range errors {
+		allNoMatchErrors = allNoMatchErrors && IsNoMatchError(err)
+	}
+	if allNoMatchErrors {
+		return errors[0]
+	}
+
+	return utilerrors.NewAggregate(errors)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/meta/help.go b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/help.go
new file mode 100644
index 00000000..c70b3d2b
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/help.go
@@ -0,0 +1,205 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+import (
+	"fmt"
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// IsListType returns true if the provided Object has a slice called Items
+func IsListType(obj runtime.Object) bool {
+	// if we're a runtime.Unstructured, check whether this is a list.
+	// TODO: refactor GetItemsPtr to use an interface that returns []runtime.Object
+	if unstructured, ok := obj.(runtime.Unstructured); ok {
+		return unstructured.IsList()
+	}
+
+	_, err := GetItemsPtr(obj)
+	return err == nil
+}
+
+// GetItemsPtr returns a pointer to the list object's Items member.
+// If 'list' doesn't have an Items member, it's not really a list type
+// and an error will be returned.
+// This function will either return a pointer to a slice, or an error, but not both.
+func GetItemsPtr(list runtime.Object) (interface{}, error) {
+	v, err := conversion.EnforcePtr(list)
+	if err != nil {
+		return nil, err
+	}
+
+	items := v.FieldByName("Items")
+	if !items.IsValid() {
+		return nil, fmt.Errorf("no Items field in %#v", list)
+	}
+	switch items.Kind() {
+	case reflect.Interface, reflect.Ptr:
+		target := reflect.TypeOf(items.Interface()).Elem()
+		if target.Kind() != reflect.Slice {
+			return nil, fmt.Errorf("items: Expected slice, got %s", target.Kind())
+		}
+		return items.Interface(), nil
+	case reflect.Slice:
+		return items.Addr().Interface(), nil
+	default:
+		return nil, fmt.Errorf("items: Expected slice, got %s", items.Kind())
+	}
+}
+
+// EachListItem invokes fn on each runtime.Object in the list. Any error immediately terminates
+// the loop.
+func EachListItem(obj runtime.Object, fn func(runtime.Object) error) error {
+	if unstructured, ok := obj.(runtime.Unstructured); ok {
+		return unstructured.EachListItem(fn)
+	}
+	// TODO: Change to an interface call?
+	itemsPtr, err := GetItemsPtr(obj)
+	if err != nil {
+		return err
+	}
+	items, err := conversion.EnforcePtr(itemsPtr)
+	if err != nil {
+		return err
+	}
+	len := items.Len()
+	if len == 0 {
+		return nil
+	}
+	takeAddr := false
+	if elemType := items.Type().Elem(); elemType.Kind() != reflect.Ptr && elemType.Kind() != reflect.Interface {
+		if !items.Index(0).CanAddr() {
+			return fmt.Errorf("unable to take address of items in %T for EachListItem", obj)
+		}
+		takeAddr = true
+	}
+
+	for i := 0; i < len; i++ {
+		raw := items.Index(i)
+		if takeAddr {
+			raw = raw.Addr()
+		}
+		switch item := raw.Interface().(type) {
+		case *runtime.RawExtension:
+			if err := fn(item.Object); err != nil {
+				return err
+			}
+		case runtime.Object:
+			if err := fn(item); err != nil {
+				return err
+			}
+		default:
+			obj, ok := item.(runtime.Object)
+			if !ok {
+				return fmt.Errorf("%v: item[%v]: Expected object, got %#v(%s)", obj, i, raw.Interface(), raw.Kind())
+			}
+			if err := fn(obj); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// ExtractList returns obj's Items element as an array of runtime.Objects.
+// Returns an error if obj is not a List type (does not have an Items member).
+func ExtractList(obj runtime.Object) ([]runtime.Object, error) {
+	itemsPtr, err := GetItemsPtr(obj)
+	if err != nil {
+		return nil, err
+	}
+	items, err := conversion.EnforcePtr(itemsPtr)
+	if err != nil {
+		return nil, err
+	}
+	list := make([]runtime.Object, items.Len())
+	for i := range list {
+		raw := items.Index(i)
+		switch item := raw.Interface().(type) {
+		case runtime.RawExtension:
+			switch {
+			case item.Object != nil:
+				list[i] = item.Object
+			case item.Raw != nil:
+				// TODO: Set ContentEncoding and ContentType correctly.
+				list[i] = &runtime.Unknown{Raw: item.Raw}
+			default:
+				list[i] = nil
+			}
+		case runtime.Object:
+			list[i] = item
+		default:
+			var found bool
+			if list[i], found = raw.Addr().Interface().(runtime.Object); !found {
+				return nil, fmt.Errorf("%v: item[%v]: Expected object, got %#v(%s)", obj, i, raw.Interface(), raw.Kind())
+			}
+		}
+	}
+	return list, nil
+}
+
+// objectSliceType is the type of a slice of Objects
+var objectSliceType = reflect.TypeOf([]runtime.Object{})
+
+// SetList sets the given list object's Items member have the elements given in
+// objects.
+// Returns an error if list is not a List type (does not have an Items member),
+// or if any of the objects are not of the right type.
+func SetList(list runtime.Object, objects []runtime.Object) error {
+	itemsPtr, err := GetItemsPtr(list)
+	if err != nil {
+		return err
+	}
+	items, err := conversion.EnforcePtr(itemsPtr)
+	if err != nil {
+		return err
+	}
+	if items.Type() == objectSliceType {
+		items.Set(reflect.ValueOf(objects))
+		return nil
+	}
+	slice := reflect.MakeSlice(items.Type(), len(objects), len(objects))
+	for i := range objects {
+		dest := slice.Index(i)
+		if dest.Type() == reflect.TypeOf(runtime.RawExtension{}) {
+			dest = dest.FieldByName("Object")
+		}
+
+		// check to see if you're directly assignable
+		if reflect.TypeOf(objects[i]).AssignableTo(dest.Type()) {
+			dest.Set(reflect.ValueOf(objects[i]))
+			continue
+		}
+
+		src, err := conversion.EnforcePtr(objects[i])
+		if err != nil {
+			return err
+		}
+		if src.Type().AssignableTo(dest.Type()) {
+			dest.Set(src)
+		} else if src.Type().ConvertibleTo(dest.Type()) {
+			dest.Set(src.Convert(dest.Type()))
+		} else {
+			return fmt.Errorf("item[%d]: can't assign or convert %v into %v", i, src.Type(), dest.Type())
+		}
+	}
+	items.Set(slice)
+	return nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/meta/interfaces.go b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/interfaces.go
new file mode 100644
index 00000000..bf172369
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/interfaces.go
@@ -0,0 +1,146 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// VersionInterfaces contains the interfaces one should use for dealing with types of a particular version.
+type VersionInterfaces struct {
+	runtime.ObjectConvertor
+	MetadataAccessor
+}
+
+type ListMetaAccessor interface {
+	GetListMeta() List
+}
+
+// List lets you work with list metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+type List metav1.ListInterface
+
+// Type exposes the type and APIVersion of versioned or internal API objects.
+type Type metav1.Type
+
+// MetadataAccessor lets you work with object and list metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field (Name, UID, Namespace on lists) will be a no-op and return
+// a default value.
+//
+// MetadataAccessor exposes Interface in a way that can be used with multiple objects.
+type MetadataAccessor interface {
+	APIVersion(obj runtime.Object) (string, error)
+	SetAPIVersion(obj runtime.Object, version string) error
+
+	Kind(obj runtime.Object) (string, error)
+	SetKind(obj runtime.Object, kind string) error
+
+	Namespace(obj runtime.Object) (string, error)
+	SetNamespace(obj runtime.Object, namespace string) error
+
+	Name(obj runtime.Object) (string, error)
+	SetName(obj runtime.Object, name string) error
+
+	GenerateName(obj runtime.Object) (string, error)
+	SetGenerateName(obj runtime.Object, name string) error
+
+	UID(obj runtime.Object) (types.UID, error)
+	SetUID(obj runtime.Object, uid types.UID) error
+
+	SelfLink(obj runtime.Object) (string, error)
+	SetSelfLink(obj runtime.Object, selfLink string) error
+
+	Labels(obj runtime.Object) (map[string]string, error)
+	SetLabels(obj runtime.Object, labels map[string]string) error
+
+	Annotations(obj runtime.Object) (map[string]string, error)
+	SetAnnotations(obj runtime.Object, annotations map[string]string) error
+
+	runtime.ResourceVersioner
+}
+
+type RESTScopeName string
+
+const (
+	RESTScopeNameNamespace RESTScopeName = "namespace"
+	RESTScopeNameRoot      RESTScopeName = "root"
+)
+
+// RESTScope contains the information needed to deal with REST resources that are in a resource hierarchy
+type RESTScope interface {
+	// Name of the scope
+	Name() RESTScopeName
+	// ParamName is the optional name of the parameter that should be inserted in the resource url
+	// If empty, no param will be inserted
+	ParamName() string
+	// ArgumentName is the optional name that should be used for the variable holding the value.
+	ArgumentName() string
+	// ParamDescription is the optional description to use to document the parameter in api documentation
+	ParamDescription() string
+}
+
+// RESTMapping contains the information needed to deal with objects of a specific
+// resource and kind in a RESTful manner.
+type RESTMapping struct {
+	// Resource is a string representing the name of this resource as a REST client would see it
+	Resource string
+
+	GroupVersionKind schema.GroupVersionKind
+
+	// Scope contains the information needed to deal with REST Resources that are in a resource hierarchy
+	Scope RESTScope
+
+	runtime.ObjectConvertor
+	MetadataAccessor
+}
+
+// RESTMapper allows clients to map resources to kind, and map kind and version
+// to interfaces for manipulating those objects. It is primarily intended for
+// consumers of Kubernetes compatible REST APIs as defined in docs/devel/api-conventions.md.
+//
+// The Kubernetes API provides versioned resources and object kinds which are scoped
+// to API groups. In other words, kinds and resources should not be assumed to be
+// unique across groups.
+//
+// TODO: split into sub-interfaces
+type RESTMapper interface {
+	// KindFor takes a partial resource and returns the single match.  Returns an error if there are multiple matches
+	KindFor(resource schema.GroupVersionResource) (schema.GroupVersionKind, error)
+
+	// KindsFor takes a partial resource and returns the list of potential kinds in priority order
+	KindsFor(resource schema.GroupVersionResource) ([]schema.GroupVersionKind, error)
+
+	// ResourceFor takes a partial resource and returns the single match.  Returns an error if there are multiple matches
+	ResourceFor(input schema.GroupVersionResource) (schema.GroupVersionResource, error)
+
+	// ResourcesFor takes a partial resource and returns the list of potential resource in priority order
+	ResourcesFor(input schema.GroupVersionResource) ([]schema.GroupVersionResource, error)
+
+	// RESTMapping identifies a preferred resource mapping for the provided group kind.
+	RESTMapping(gk schema.GroupKind, versions ...string) (*RESTMapping, error)
+	// RESTMappings returns all resource mappings for the provided group kind if no
+	// version search is provided. Otherwise identifies a preferred resource mapping for
+	// the provided version(s).
+	RESTMappings(gk schema.GroupKind, versions ...string) ([]*RESTMapping, error)
+
+	ResourceSingularizer(resource string) (singular string, err error)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/meta/meta.go b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/meta.go
new file mode 100644
index 00000000..1889b951
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/meta.go
@@ -0,0 +1,636 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/golang/glog"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1alpha1 "k8s.io/apimachinery/pkg/apis/meta/v1alpha1"
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// errNotList is returned when an object implements the Object style interfaces but not the List style
+// interfaces.
+var errNotList = fmt.Errorf("object does not implement the List interfaces")
+
+var errNotCommon = fmt.Errorf("object does not implement the common interface for accessing the SelfLink")
+
+// CommonAccessor returns a Common interface for the provided object or an error if the object does
+// not provide List.
+// TODO: return bool instead of error
+func CommonAccessor(obj interface{}) (metav1.Common, error) {
+	switch t := obj.(type) {
+	case List:
+		return t, nil
+	case metav1.ListInterface:
+		return t, nil
+	case ListMetaAccessor:
+		if m := t.GetListMeta(); m != nil {
+			return m, nil
+		}
+		return nil, errNotCommon
+	case metav1.ListMetaAccessor:
+		if m := t.GetListMeta(); m != nil {
+			return m, nil
+		}
+		return nil, errNotCommon
+	case metav1.Object:
+		return t, nil
+	case metav1.ObjectMetaAccessor:
+		if m := t.GetObjectMeta(); m != nil {
+			return m, nil
+		}
+		return nil, errNotCommon
+	default:
+		return nil, errNotCommon
+	}
+}
+
+// ListAccessor returns a List interface for the provided object or an error if the object does
+// not provide List.
+// IMPORTANT: Objects are NOT a superset of lists. Do not use this check to determine whether an
+// object *is* a List.
+// TODO: return bool instead of error
+func ListAccessor(obj interface{}) (List, error) {
+	switch t := obj.(type) {
+	case List:
+		return t, nil
+	case metav1.ListInterface:
+		return t, nil
+	case ListMetaAccessor:
+		if m := t.GetListMeta(); m != nil {
+			return m, nil
+		}
+		return nil, errNotList
+	case metav1.ListMetaAccessor:
+		if m := t.GetListMeta(); m != nil {
+			return m, nil
+		}
+		return nil, errNotList
+	default:
+		panic(fmt.Errorf("%T does not implement the List interface", obj))
+	}
+}
+
+// errNotObject is returned when an object implements the List style interfaces but not the Object style
+// interfaces.
+var errNotObject = fmt.Errorf("object does not implement the Object interfaces")
+
+// Accessor takes an arbitrary object pointer and returns meta.Interface.
+// obj must be a pointer to an API type. An error is returned if the minimum
+// required fields are missing. Fields that are not required return the default
+// value and are a no-op if set.
+// TODO: return bool instead of error
+func Accessor(obj interface{}) (metav1.Object, error) {
+	switch t := obj.(type) {
+	case metav1.Object:
+		return t, nil
+	case metav1.ObjectMetaAccessor:
+		if m := t.GetObjectMeta(); m != nil {
+			return m, nil
+		}
+		return nil, errNotObject
+	default:
+		return nil, errNotObject
+	}
+}
+
+// AsPartialObjectMetadata takes the metav1 interface and returns a partial object.
+// TODO: consider making this solely a conversion action.
+func AsPartialObjectMetadata(m metav1.Object) *metav1alpha1.PartialObjectMetadata {
+	switch t := m.(type) {
+	case *metav1.ObjectMeta:
+		return &metav1alpha1.PartialObjectMetadata{ObjectMeta: *t}
+	default:
+		return &metav1alpha1.PartialObjectMetadata{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:                       m.GetName(),
+				GenerateName:               m.GetGenerateName(),
+				Namespace:                  m.GetNamespace(),
+				SelfLink:                   m.GetSelfLink(),
+				UID:                        m.GetUID(),
+				ResourceVersion:            m.GetResourceVersion(),
+				Generation:                 m.GetGeneration(),
+				CreationTimestamp:          m.GetCreationTimestamp(),
+				DeletionTimestamp:          m.GetDeletionTimestamp(),
+				DeletionGracePeriodSeconds: m.GetDeletionGracePeriodSeconds(),
+				Labels:          m.GetLabels(),
+				Annotations:     m.GetAnnotations(),
+				OwnerReferences: m.GetOwnerReferences(),
+				Finalizers:      m.GetFinalizers(),
+				ClusterName:     m.GetClusterName(),
+				Initializers:    m.GetInitializers(),
+			},
+		}
+	}
+}
+
+// TypeAccessor returns an interface that allows retrieving and modifying the APIVersion
+// and Kind of an in-memory internal object.
+// TODO: this interface is used to test code that does not have ObjectMeta or ListMeta
+// in round tripping (objects which can use apiVersion/kind, but do not fit the Kube
+// api conventions).
+func TypeAccessor(obj interface{}) (Type, error) {
+	if typed, ok := obj.(runtime.Object); ok {
+		return objectAccessor{typed}, nil
+	}
+	v, err := conversion.EnforcePtr(obj)
+	if err != nil {
+		return nil, err
+	}
+	t := v.Type()
+	if v.Kind() != reflect.Struct {
+		return nil, fmt.Errorf("expected struct, but got %v: %v (%#v)", v.Kind(), t, v.Interface())
+	}
+
+	typeMeta := v.FieldByName("TypeMeta")
+	if !typeMeta.IsValid() {
+		return nil, fmt.Errorf("struct %v lacks embedded TypeMeta type", t)
+	}
+	a := &genericAccessor{}
+	if err := extractFromTypeMeta(typeMeta, a); err != nil {
+		return nil, fmt.Errorf("unable to find type fields on %#v: %v", typeMeta, err)
+	}
+	return a, nil
+}
+
+type objectAccessor struct {
+	runtime.Object
+}
+
+func (obj objectAccessor) GetKind() string {
+	return obj.GetObjectKind().GroupVersionKind().Kind
+}
+
+func (obj objectAccessor) SetKind(kind string) {
+	gvk := obj.GetObjectKind().GroupVersionKind()
+	gvk.Kind = kind
+	obj.GetObjectKind().SetGroupVersionKind(gvk)
+}
+
+func (obj objectAccessor) GetAPIVersion() string {
+	return obj.GetObjectKind().GroupVersionKind().GroupVersion().String()
+}
+
+func (obj objectAccessor) SetAPIVersion(version string) {
+	gvk := obj.GetObjectKind().GroupVersionKind()
+	gv, err := schema.ParseGroupVersion(version)
+	if err != nil {
+		gv = schema.GroupVersion{Version: version}
+	}
+	gvk.Group, gvk.Version = gv.Group, gv.Version
+	obj.GetObjectKind().SetGroupVersionKind(gvk)
+}
+
+// NewAccessor returns a MetadataAccessor that can retrieve
+// or manipulate resource version on objects derived from core API
+// metadata concepts.
+func NewAccessor() MetadataAccessor {
+	return resourceAccessor{}
+}
+
+// resourceAccessor implements ResourceVersioner and SelfLinker.
+type resourceAccessor struct{}
+
+func (resourceAccessor) Kind(obj runtime.Object) (string, error) {
+	return objectAccessor{obj}.GetKind(), nil
+}
+
+func (resourceAccessor) SetKind(obj runtime.Object, kind string) error {
+	objectAccessor{obj}.SetKind(kind)
+	return nil
+}
+
+func (resourceAccessor) APIVersion(obj runtime.Object) (string, error) {
+	return objectAccessor{obj}.GetAPIVersion(), nil
+}
+
+func (resourceAccessor) SetAPIVersion(obj runtime.Object, version string) error {
+	objectAccessor{obj}.SetAPIVersion(version)
+	return nil
+}
+
+func (resourceAccessor) Namespace(obj runtime.Object) (string, error) {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return "", err
+	}
+	return accessor.GetNamespace(), nil
+}
+
+func (resourceAccessor) SetNamespace(obj runtime.Object, namespace string) error {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return err
+	}
+	accessor.SetNamespace(namespace)
+	return nil
+}
+
+func (resourceAccessor) Name(obj runtime.Object) (string, error) {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return "", err
+	}
+	return accessor.GetName(), nil
+}
+
+func (resourceAccessor) SetName(obj runtime.Object, name string) error {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return err
+	}
+	accessor.SetName(name)
+	return nil
+}
+
+func (resourceAccessor) GenerateName(obj runtime.Object) (string, error) {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return "", err
+	}
+	return accessor.GetGenerateName(), nil
+}
+
+func (resourceAccessor) SetGenerateName(obj runtime.Object, name string) error {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return err
+	}
+	accessor.SetGenerateName(name)
+	return nil
+}
+
+func (resourceAccessor) UID(obj runtime.Object) (types.UID, error) {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return "", err
+	}
+	return accessor.GetUID(), nil
+}
+
+func (resourceAccessor) SetUID(obj runtime.Object, uid types.UID) error {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return err
+	}
+	accessor.SetUID(uid)
+	return nil
+}
+
+func (resourceAccessor) SelfLink(obj runtime.Object) (string, error) {
+	accessor, err := CommonAccessor(obj)
+	if err != nil {
+		return "", err
+	}
+	return accessor.GetSelfLink(), nil
+}
+
+func (resourceAccessor) SetSelfLink(obj runtime.Object, selfLink string) error {
+	accessor, err := CommonAccessor(obj)
+	if err != nil {
+		return err
+	}
+	accessor.SetSelfLink(selfLink)
+	return nil
+}
+
+func (resourceAccessor) Labels(obj runtime.Object) (map[string]string, error) {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return nil, err
+	}
+	return accessor.GetLabels(), nil
+}
+
+func (resourceAccessor) SetLabels(obj runtime.Object, labels map[string]string) error {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return err
+	}
+	accessor.SetLabels(labels)
+	return nil
+}
+
+func (resourceAccessor) Annotations(obj runtime.Object) (map[string]string, error) {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return nil, err
+	}
+	return accessor.GetAnnotations(), nil
+}
+
+func (resourceAccessor) SetAnnotations(obj runtime.Object, annotations map[string]string) error {
+	accessor, err := Accessor(obj)
+	if err != nil {
+		return err
+	}
+	accessor.SetAnnotations(annotations)
+	return nil
+}
+
+func (resourceAccessor) ResourceVersion(obj runtime.Object) (string, error) {
+	accessor, err := CommonAccessor(obj)
+	if err != nil {
+		return "", err
+	}
+	return accessor.GetResourceVersion(), nil
+}
+
+func (resourceAccessor) SetResourceVersion(obj runtime.Object, version string) error {
+	accessor, err := CommonAccessor(obj)
+	if err != nil {
+		return err
+	}
+	accessor.SetResourceVersion(version)
+	return nil
+}
+
+// extractFromOwnerReference extracts v to o. v is the OwnerReferences field of an object.
+func extractFromOwnerReference(v reflect.Value, o *metav1.OwnerReference) error {
+	if err := runtime.Field(v, "APIVersion", &o.APIVersion); err != nil {
+		return err
+	}
+	if err := runtime.Field(v, "Kind", &o.Kind); err != nil {
+		return err
+	}
+	if err := runtime.Field(v, "Name", &o.Name); err != nil {
+		return err
+	}
+	if err := runtime.Field(v, "UID", &o.UID); err != nil {
+		return err
+	}
+	var controllerPtr *bool
+	if err := runtime.Field(v, "Controller", &controllerPtr); err != nil {
+		return err
+	}
+	if controllerPtr != nil {
+		controller := *controllerPtr
+		o.Controller = &controller
+	}
+	var blockOwnerDeletionPtr *bool
+	if err := runtime.Field(v, "BlockOwnerDeletion", &blockOwnerDeletionPtr); err != nil {
+		return err
+	}
+	if blockOwnerDeletionPtr != nil {
+		block := *blockOwnerDeletionPtr
+		o.BlockOwnerDeletion = &block
+	}
+	return nil
+}
+
+// setOwnerReference sets v to o. v is the OwnerReferences field of an object.
+func setOwnerReference(v reflect.Value, o *metav1.OwnerReference) error {
+	if err := runtime.SetField(o.APIVersion, v, "APIVersion"); err != nil {
+		return err
+	}
+	if err := runtime.SetField(o.Kind, v, "Kind"); err != nil {
+		return err
+	}
+	if err := runtime.SetField(o.Name, v, "Name"); err != nil {
+		return err
+	}
+	if err := runtime.SetField(o.UID, v, "UID"); err != nil {
+		return err
+	}
+	if o.Controller != nil {
+		controller := *(o.Controller)
+		if err := runtime.SetField(&controller, v, "Controller"); err != nil {
+			return err
+		}
+	}
+	if o.BlockOwnerDeletion != nil {
+		block := *(o.BlockOwnerDeletion)
+		if err := runtime.SetField(&block, v, "BlockOwnerDeletion"); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// genericAccessor contains pointers to strings that can modify an arbitrary
+// struct and implements the Accessor interface.
+type genericAccessor struct {
+	namespace         *string
+	name              *string
+	generateName      *string
+	uid               *types.UID
+	apiVersion        *string
+	kind              *string
+	resourceVersion   *string
+	selfLink          *string
+	creationTimestamp *metav1.Time
+	deletionTimestamp **metav1.Time
+	labels            *map[string]string
+	annotations       *map[string]string
+	ownerReferences   reflect.Value
+	finalizers        *[]string
+}
+
+func (a genericAccessor) GetNamespace() string {
+	if a.namespace == nil {
+		return ""
+	}
+	return *a.namespace
+}
+
+func (a genericAccessor) SetNamespace(namespace string) {
+	if a.namespace == nil {
+		return
+	}
+	*a.namespace = namespace
+}
+
+func (a genericAccessor) GetName() string {
+	if a.name == nil {
+		return ""
+	}
+	return *a.name
+}
+
+func (a genericAccessor) SetName(name string) {
+	if a.name == nil {
+		return
+	}
+	*a.name = name
+}
+
+func (a genericAccessor) GetGenerateName() string {
+	if a.generateName == nil {
+		return ""
+	}
+	return *a.generateName
+}
+
+func (a genericAccessor) SetGenerateName(generateName string) {
+	if a.generateName == nil {
+		return
+	}
+	*a.generateName = generateName
+}
+
+func (a genericAccessor) GetUID() types.UID {
+	if a.uid == nil {
+		return ""
+	}
+	return *a.uid
+}
+
+func (a genericAccessor) SetUID(uid types.UID) {
+	if a.uid == nil {
+		return
+	}
+	*a.uid = uid
+}
+
+func (a genericAccessor) GetAPIVersion() string {
+	return *a.apiVersion
+}
+
+func (a genericAccessor) SetAPIVersion(version string) {
+	*a.apiVersion = version
+}
+
+func (a genericAccessor) GetKind() string {
+	return *a.kind
+}
+
+func (a genericAccessor) SetKind(kind string) {
+	*a.kind = kind
+}
+
+func (a genericAccessor) GetResourceVersion() string {
+	return *a.resourceVersion
+}
+
+func (a genericAccessor) SetResourceVersion(version string) {
+	*a.resourceVersion = version
+}
+
+func (a genericAccessor) GetSelfLink() string {
+	return *a.selfLink
+}
+
+func (a genericAccessor) SetSelfLink(selfLink string) {
+	*a.selfLink = selfLink
+}
+
+func (a genericAccessor) GetCreationTimestamp() metav1.Time {
+	return *a.creationTimestamp
+}
+
+func (a genericAccessor) SetCreationTimestamp(timestamp metav1.Time) {
+	*a.creationTimestamp = timestamp
+}
+
+func (a genericAccessor) GetDeletionTimestamp() *metav1.Time {
+	return *a.deletionTimestamp
+}
+
+func (a genericAccessor) SetDeletionTimestamp(timestamp *metav1.Time) {
+	*a.deletionTimestamp = timestamp
+}
+
+func (a genericAccessor) GetLabels() map[string]string {
+	if a.labels == nil {
+		return nil
+	}
+	return *a.labels
+}
+
+func (a genericAccessor) SetLabels(labels map[string]string) {
+	*a.labels = labels
+}
+
+func (a genericAccessor) GetAnnotations() map[string]string {
+	if a.annotations == nil {
+		return nil
+	}
+	return *a.annotations
+}
+
+func (a genericAccessor) SetAnnotations(annotations map[string]string) {
+	if a.annotations == nil {
+		emptyAnnotations := make(map[string]string)
+		a.annotations = &emptyAnnotations
+	}
+	*a.annotations = annotations
+}
+
+func (a genericAccessor) GetFinalizers() []string {
+	if a.finalizers == nil {
+		return nil
+	}
+	return *a.finalizers
+}
+
+func (a genericAccessor) SetFinalizers(finalizers []string) {
+	*a.finalizers = finalizers
+}
+
+func (a genericAccessor) GetOwnerReferences() []metav1.OwnerReference {
+	var ret []metav1.OwnerReference
+	s := a.ownerReferences
+	if s.Kind() != reflect.Ptr || s.Elem().Kind() != reflect.Slice {
+		glog.Errorf("expect %v to be a pointer to slice", s)
+		return ret
+	}
+	s = s.Elem()
+	// Set the capacity to one element greater to avoid copy if the caller later append an element.
+	ret = make([]metav1.OwnerReference, s.Len(), s.Len()+1)
+	for i := 0; i < s.Len(); i++ {
+		if err := extractFromOwnerReference(s.Index(i), &ret[i]); err != nil {
+			glog.Errorf("extractFromOwnerReference failed: %v", err)
+			return ret
+		}
+	}
+	return ret
+}
+
+func (a genericAccessor) SetOwnerReferences(references []metav1.OwnerReference) {
+	s := a.ownerReferences
+	if s.Kind() != reflect.Ptr || s.Elem().Kind() != reflect.Slice {
+		glog.Errorf("expect %v to be a pointer to slice", s)
+	}
+	s = s.Elem()
+	newReferences := reflect.MakeSlice(s.Type(), len(references), len(references))
+	for i := 0; i < len(references); i++ {
+		if err := setOwnerReference(newReferences.Index(i), &references[i]); err != nil {
+			glog.Errorf("setOwnerReference failed: %v", err)
+			return
+		}
+	}
+	s.Set(newReferences)
+}
+
+// extractFromTypeMeta extracts pointers to version and kind fields from an object
+func extractFromTypeMeta(v reflect.Value, a *genericAccessor) error {
+	if err := runtime.FieldPtr(v, "APIVersion", &a.apiVersion); err != nil {
+		return err
+	}
+	if err := runtime.FieldPtr(v, "Kind", &a.kind); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/meta/multirestmapper.go b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/multirestmapper.go
new file mode 100644
index 00000000..679098fe
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/multirestmapper.go
@@ -0,0 +1,210 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+)
+
+// MultiRESTMapper is a wrapper for multiple RESTMappers.
+type MultiRESTMapper []RESTMapper
+
+func (m MultiRESTMapper) String() string {
+	nested := []string{}
+	for _, t := range m {
+		currString := fmt.Sprintf("%v", t)
+		splitStrings := strings.Split(currString, "\n")
+		nested = append(nested, strings.Join(splitStrings, "\n\t"))
+	}
+
+	return fmt.Sprintf("MultiRESTMapper{\n\t%s\n}", strings.Join(nested, "\n\t"))
+}
+
+// ResourceSingularizer converts a REST resource name from plural to singular (e.g., from pods to pod)
+// This implementation supports multiple REST schemas and return the first match.
+func (m MultiRESTMapper) ResourceSingularizer(resource string) (singular string, err error) {
+	for _, t := range m {
+		singular, err = t.ResourceSingularizer(resource)
+		if err == nil {
+			return
+		}
+	}
+	return
+}
+
+func (m MultiRESTMapper) ResourcesFor(resource schema.GroupVersionResource) ([]schema.GroupVersionResource, error) {
+	allGVRs := []schema.GroupVersionResource{}
+	for _, t := range m {
+		gvrs, err := t.ResourcesFor(resource)
+		// ignore "no match" errors, but any other error percolates back up
+		if IsNoMatchError(err) {
+			continue
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		// walk the existing values to de-dup
+		for _, curr := range gvrs {
+			found := false
+			for _, existing := range allGVRs {
+				if curr == existing {
+					found = true
+					break
+				}
+			}
+
+			if !found {
+				allGVRs = append(allGVRs, curr)
+			}
+		}
+	}
+
+	if len(allGVRs) == 0 {
+		return nil, &NoResourceMatchError{PartialResource: resource}
+	}
+
+	return allGVRs, nil
+}
+
+func (m MultiRESTMapper) KindsFor(resource schema.GroupVersionResource) (gvk []schema.GroupVersionKind, err error) {
+	allGVKs := []schema.GroupVersionKind{}
+	for _, t := range m {
+		gvks, err := t.KindsFor(resource)
+		// ignore "no match" errors, but any other error percolates back up
+		if IsNoMatchError(err) {
+			continue
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		// walk the existing values to de-dup
+		for _, curr := range gvks {
+			found := false
+			for _, existing := range allGVKs {
+				if curr == existing {
+					found = true
+					break
+				}
+			}
+
+			if !found {
+				allGVKs = append(allGVKs, curr)
+			}
+		}
+	}
+
+	if len(allGVKs) == 0 {
+		return nil, &NoResourceMatchError{PartialResource: resource}
+	}
+
+	return allGVKs, nil
+}
+
+func (m MultiRESTMapper) ResourceFor(resource schema.GroupVersionResource) (schema.GroupVersionResource, error) {
+	resources, err := m.ResourcesFor(resource)
+	if err != nil {
+		return schema.GroupVersionResource{}, err
+	}
+	if len(resources) == 1 {
+		return resources[0], nil
+	}
+
+	return schema.GroupVersionResource{}, &AmbiguousResourceError{PartialResource: resource, MatchingResources: resources}
+}
+
+func (m MultiRESTMapper) KindFor(resource schema.GroupVersionResource) (schema.GroupVersionKind, error) {
+	kinds, err := m.KindsFor(resource)
+	if err != nil {
+		return schema.GroupVersionKind{}, err
+	}
+	if len(kinds) == 1 {
+		return kinds[0], nil
+	}
+
+	return schema.GroupVersionKind{}, &AmbiguousResourceError{PartialResource: resource, MatchingKinds: kinds}
+}
+
+// RESTMapping provides the REST mapping for the resource based on the
+// kind and version. This implementation supports multiple REST schemas and
+// return the first match.
+func (m MultiRESTMapper) RESTMapping(gk schema.GroupKind, versions ...string) (*RESTMapping, error) {
+	allMappings := []*RESTMapping{}
+	errors := []error{}
+
+	for _, t := range m {
+		currMapping, err := t.RESTMapping(gk, versions...)
+		// ignore "no match" errors, but any other error percolates back up
+		if IsNoMatchError(err) {
+			continue
+		}
+		if err != nil {
+			errors = append(errors, err)
+			continue
+		}
+
+		allMappings = append(allMappings, currMapping)
+	}
+
+	// if we got exactly one mapping, then use it even if other requested failed
+	if len(allMappings) == 1 {
+		return allMappings[0], nil
+	}
+	if len(allMappings) > 1 {
+		var kinds []schema.GroupVersionKind
+		for _, m := range allMappings {
+			kinds = append(kinds, m.GroupVersionKind)
+		}
+		return nil, &AmbiguousKindError{PartialKind: gk.WithVersion(""), MatchingKinds: kinds}
+	}
+	if len(errors) > 0 {
+		return nil, utilerrors.NewAggregate(errors)
+	}
+	return nil, &NoKindMatchError{PartialKind: gk.WithVersion("")}
+}
+
+// RESTMappings returns all possible RESTMappings for the provided group kind, or an error
+// if the type is not recognized.
+func (m MultiRESTMapper) RESTMappings(gk schema.GroupKind, versions ...string) ([]*RESTMapping, error) {
+	var allMappings []*RESTMapping
+	var errors []error
+
+	for _, t := range m {
+		currMappings, err := t.RESTMappings(gk, versions...)
+		// ignore "no match" errors, but any other error percolates back up
+		if IsNoMatchError(err) {
+			continue
+		}
+		if err != nil {
+			errors = append(errors, err)
+			continue
+		}
+		allMappings = append(allMappings, currMappings...)
+	}
+	if len(errors) > 0 {
+		return nil, utilerrors.NewAggregate(errors)
+	}
+	if len(allMappings) == 0 {
+		return nil, &NoKindMatchError{PartialKind: gk.WithVersion("")}
+	}
+	return allMappings, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/meta/priority.go b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/priority.go
new file mode 100644
index 00000000..2a14aa7a
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/priority.go
@@ -0,0 +1,222 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const (
+	AnyGroup    = "*"
+	AnyVersion  = "*"
+	AnyResource = "*"
+	AnyKind     = "*"
+)
+
+// PriorityRESTMapper is a wrapper for automatically choosing a particular Resource or Kind
+// when multiple matches are possible
+type PriorityRESTMapper struct {
+	// Delegate is the RESTMapper to use to locate all the Kind and Resource matches
+	Delegate RESTMapper
+
+	// ResourcePriority is a list of priority patterns to apply to matching resources.
+	// The list of all matching resources is narrowed based on the patterns until only one remains.
+	// A pattern with no matches is skipped.  A pattern with more than one match uses its
+	// matches as the list to continue matching against.
+	ResourcePriority []schema.GroupVersionResource
+
+	// KindPriority is a list of priority patterns to apply to matching kinds.
+	// The list of all matching kinds is narrowed based on the patterns until only one remains.
+	// A pattern with no matches is skipped.  A pattern with more than one match uses its
+	// matches as the list to continue matching against.
+	KindPriority []schema.GroupVersionKind
+}
+
+func (m PriorityRESTMapper) String() string {
+	return fmt.Sprintf("PriorityRESTMapper{\n\t%v\n\t%v\n\t%v\n}", m.ResourcePriority, m.KindPriority, m.Delegate)
+}
+
+// ResourceFor finds all resources, then passes them through the ResourcePriority patterns to find a single matching hit.
+func (m PriorityRESTMapper) ResourceFor(partiallySpecifiedResource schema.GroupVersionResource) (schema.GroupVersionResource, error) {
+	originalGVRs, err := m.Delegate.ResourcesFor(partiallySpecifiedResource)
+	if err != nil {
+		return schema.GroupVersionResource{}, err
+	}
+	if len(originalGVRs) == 1 {
+		return originalGVRs[0], nil
+	}
+
+	remainingGVRs := append([]schema.GroupVersionResource{}, originalGVRs...)
+	for _, pattern := range m.ResourcePriority {
+		matchedGVRs := []schema.GroupVersionResource{}
+		for _, gvr := range remainingGVRs {
+			if resourceMatches(pattern, gvr) {
+				matchedGVRs = append(matchedGVRs, gvr)
+			}
+		}
+
+		switch len(matchedGVRs) {
+		case 0:
+			// if you have no matches, then nothing matched this pattern just move to the next
+			continue
+		case 1:
+			// one match, return
+			return matchedGVRs[0], nil
+		default:
+			// more than one match, use the matched hits as the list moving to the next pattern.
+			// this way you can have a series of selection criteria
+			remainingGVRs = matchedGVRs
+		}
+	}
+
+	return schema.GroupVersionResource{}, &AmbiguousResourceError{PartialResource: partiallySpecifiedResource, MatchingResources: originalGVRs}
+}
+
+// KindFor finds all kinds, then passes them through the KindPriority patterns to find a single matching hit.
+func (m PriorityRESTMapper) KindFor(partiallySpecifiedResource schema.GroupVersionResource) (schema.GroupVersionKind, error) {
+	originalGVKs, err := m.Delegate.KindsFor(partiallySpecifiedResource)
+	if err != nil {
+		return schema.GroupVersionKind{}, err
+	}
+	if len(originalGVKs) == 1 {
+		return originalGVKs[0], nil
+	}
+
+	remainingGVKs := append([]schema.GroupVersionKind{}, originalGVKs...)
+	for _, pattern := range m.KindPriority {
+		matchedGVKs := []schema.GroupVersionKind{}
+		for _, gvr := range remainingGVKs {
+			if kindMatches(pattern, gvr) {
+				matchedGVKs = append(matchedGVKs, gvr)
+			}
+		}
+
+		switch len(matchedGVKs) {
+		case 0:
+			// if you have no matches, then nothing matched this pattern just move to the next
+			continue
+		case 1:
+			// one match, return
+			return matchedGVKs[0], nil
+		default:
+			// more than one match, use the matched hits as the list moving to the next pattern.
+			// this way you can have a series of selection criteria
+			remainingGVKs = matchedGVKs
+		}
+	}
+
+	return schema.GroupVersionKind{}, &AmbiguousResourceError{PartialResource: partiallySpecifiedResource, MatchingKinds: originalGVKs}
+}
+
+func resourceMatches(pattern schema.GroupVersionResource, resource schema.GroupVersionResource) bool {
+	if pattern.Group != AnyGroup && pattern.Group != resource.Group {
+		return false
+	}
+	if pattern.Version != AnyVersion && pattern.Version != resource.Version {
+		return false
+	}
+	if pattern.Resource != AnyResource && pattern.Resource != resource.Resource {
+		return false
+	}
+
+	return true
+}
+
+func kindMatches(pattern schema.GroupVersionKind, kind schema.GroupVersionKind) bool {
+	if pattern.Group != AnyGroup && pattern.Group != kind.Group {
+		return false
+	}
+	if pattern.Version != AnyVersion && pattern.Version != kind.Version {
+		return false
+	}
+	if pattern.Kind != AnyKind && pattern.Kind != kind.Kind {
+		return false
+	}
+
+	return true
+}
+
+func (m PriorityRESTMapper) RESTMapping(gk schema.GroupKind, versions ...string) (mapping *RESTMapping, err error) {
+	mappings, err := m.Delegate.RESTMappings(gk)
+	if err != nil {
+		return nil, err
+	}
+
+	// any versions the user provides take priority
+	priorities := m.KindPriority
+	if len(versions) > 0 {
+		priorities = make([]schema.GroupVersionKind, 0, len(m.KindPriority)+len(versions))
+		for _, version := range versions {
+			gv := schema.GroupVersion{
+				Version: version,
+				Group:   gk.Group,
+			}
+			priorities = append(priorities, gv.WithKind(AnyKind))
+		}
+		priorities = append(priorities, m.KindPriority...)
+	}
+
+	remaining := append([]*RESTMapping{}, mappings...)
+	for _, pattern := range priorities {
+		var matching []*RESTMapping
+		for _, m := range remaining {
+			if kindMatches(pattern, m.GroupVersionKind) {
+				matching = append(matching, m)
+			}
+		}
+
+		switch len(matching) {
+		case 0:
+			// if you have no matches, then nothing matched this pattern just move to the next
+			continue
+		case 1:
+			// one match, return
+			return matching[0], nil
+		default:
+			// more than one match, use the matched hits as the list moving to the next pattern.
+			// this way you can have a series of selection criteria
+			remaining = matching
+		}
+	}
+	if len(remaining) == 1 {
+		return remaining[0], nil
+	}
+
+	var kinds []schema.GroupVersionKind
+	for _, m := range mappings {
+		kinds = append(kinds, m.GroupVersionKind)
+	}
+	return nil, &AmbiguousKindError{PartialKind: gk.WithVersion(""), MatchingKinds: kinds}
+}
+
+func (m PriorityRESTMapper) RESTMappings(gk schema.GroupKind, versions ...string) ([]*RESTMapping, error) {
+	return m.Delegate.RESTMappings(gk, versions...)
+}
+
+func (m PriorityRESTMapper) ResourceSingularizer(resource string) (singular string, err error) {
+	return m.Delegate.ResourceSingularizer(resource)
+}
+
+func (m PriorityRESTMapper) ResourcesFor(partiallySpecifiedResource schema.GroupVersionResource) ([]schema.GroupVersionResource, error) {
+	return m.Delegate.ResourcesFor(partiallySpecifiedResource)
+}
+
+func (m PriorityRESTMapper) KindsFor(partiallySpecifiedResource schema.GroupVersionResource) (gvk []schema.GroupVersionKind, err error) {
+	return m.Delegate.KindsFor(partiallySpecifiedResource)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/meta/restmapper.go b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/restmapper.go
new file mode 100644
index 00000000..55155a6e
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/restmapper.go
@@ -0,0 +1,548 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// TODO: move everything in this file to pkg/api/rest
+package meta
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// Implements RESTScope interface
+type restScope struct {
+	name             RESTScopeName
+	paramName        string
+	argumentName     string
+	paramDescription string
+}
+
+func (r *restScope) Name() RESTScopeName {
+	return r.name
+}
+func (r *restScope) ParamName() string {
+	return r.paramName
+}
+func (r *restScope) ArgumentName() string {
+	return r.argumentName
+}
+func (r *restScope) ParamDescription() string {
+	return r.paramDescription
+}
+
+var RESTScopeNamespace = &restScope{
+	name:             RESTScopeNameNamespace,
+	paramName:        "namespaces",
+	argumentName:     "namespace",
+	paramDescription: "object name and auth scope, such as for teams and projects",
+}
+
+var RESTScopeRoot = &restScope{
+	name: RESTScopeNameRoot,
+}
+
+// DefaultRESTMapper exposes mappings between the types defined in a
+// runtime.Scheme. It assumes that all types defined the provided scheme
+// can be mapped with the provided MetadataAccessor and Codec interfaces.
+//
+// The resource name of a Kind is defined as the lowercase,
+// English-plural version of the Kind string.
+// When converting from resource to Kind, the singular version of the
+// resource name is also accepted for convenience.
+//
+// TODO: Only accept plural for some operations for increased control?
+// (`get pod bar` vs `get pods bar`)
+type DefaultRESTMapper struct {
+	defaultGroupVersions []schema.GroupVersion
+
+	resourceToKind       map[schema.GroupVersionResource]schema.GroupVersionKind
+	kindToPluralResource map[schema.GroupVersionKind]schema.GroupVersionResource
+	kindToScope          map[schema.GroupVersionKind]RESTScope
+	singularToPlural     map[schema.GroupVersionResource]schema.GroupVersionResource
+	pluralToSingular     map[schema.GroupVersionResource]schema.GroupVersionResource
+
+	interfacesFunc VersionInterfacesFunc
+}
+
+func (m *DefaultRESTMapper) String() string {
+	return fmt.Sprintf("DefaultRESTMapper{kindToPluralResource=%v}", m.kindToPluralResource)
+}
+
+var _ RESTMapper = &DefaultRESTMapper{}
+
+// VersionInterfacesFunc returns the appropriate typer, and metadata accessor for a
+// given api version, or an error if no such api version exists.
+type VersionInterfacesFunc func(version schema.GroupVersion) (*VersionInterfaces, error)
+
+// NewDefaultRESTMapper initializes a mapping between Kind and APIVersion
+// to a resource name and back based on the objects in a runtime.Scheme
+// and the Kubernetes API conventions. Takes a group name, a priority list of the versions
+// to search when an object has no default version (set empty to return an error),
+// and a function that retrieves the correct metadata for a given version.
+func NewDefaultRESTMapper(defaultGroupVersions []schema.GroupVersion, f VersionInterfacesFunc) *DefaultRESTMapper {
+	resourceToKind := make(map[schema.GroupVersionResource]schema.GroupVersionKind)
+	kindToPluralResource := make(map[schema.GroupVersionKind]schema.GroupVersionResource)
+	kindToScope := make(map[schema.GroupVersionKind]RESTScope)
+	singularToPlural := make(map[schema.GroupVersionResource]schema.GroupVersionResource)
+	pluralToSingular := make(map[schema.GroupVersionResource]schema.GroupVersionResource)
+	// TODO: verify name mappings work correctly when versions differ
+
+	return &DefaultRESTMapper{
+		resourceToKind:       resourceToKind,
+		kindToPluralResource: kindToPluralResource,
+		kindToScope:          kindToScope,
+		defaultGroupVersions: defaultGroupVersions,
+		singularToPlural:     singularToPlural,
+		pluralToSingular:     pluralToSingular,
+		interfacesFunc:       f,
+	}
+}
+
+func (m *DefaultRESTMapper) Add(kind schema.GroupVersionKind, scope RESTScope) {
+	plural, singular := UnsafeGuessKindToResource(kind)
+	m.AddSpecific(kind, plural, singular, scope)
+}
+
+func (m *DefaultRESTMapper) AddSpecific(kind schema.GroupVersionKind, plural, singular schema.GroupVersionResource, scope RESTScope) {
+	m.singularToPlural[singular] = plural
+	m.pluralToSingular[plural] = singular
+
+	m.resourceToKind[singular] = kind
+	m.resourceToKind[plural] = kind
+
+	m.kindToPluralResource[kind] = plural
+	m.kindToScope[kind] = scope
+}
+
+// unpluralizedSuffixes is a list of resource suffixes that are the same plural and singular
+// This is only is only necessary because some bits of code are lazy and don't actually use the RESTMapper like they should.
+// TODO eliminate this so that different callers can correctly map to resources.  This probably means updating all
+// callers to use the RESTMapper they mean.
+var unpluralizedSuffixes = []string{
+	"endpoints",
+}
+
+// UnsafeGuessKindToResource converts Kind to a resource name.
+// Broken. This method only "sort of" works when used outside of this package.  It assumes that Kinds and Resources match
+// and they aren't guaranteed to do so.
+func UnsafeGuessKindToResource(kind schema.GroupVersionKind) ( /*plural*/ schema.GroupVersionResource /*singular*/, schema.GroupVersionResource) {
+	kindName := kind.Kind
+	if len(kindName) == 0 {
+		return schema.GroupVersionResource{}, schema.GroupVersionResource{}
+	}
+	singularName := strings.ToLower(kindName)
+	singular := kind.GroupVersion().WithResource(singularName)
+
+	for _, skip := range unpluralizedSuffixes {
+		if strings.HasSuffix(singularName, skip) {
+			return singular, singular
+		}
+	}
+
+	switch string(singularName[len(singularName)-1]) {
+	case "s":
+		return kind.GroupVersion().WithResource(singularName + "es"), singular
+	case "y":
+		return kind.GroupVersion().WithResource(strings.TrimSuffix(singularName, "y") + "ies"), singular
+	}
+
+	return kind.GroupVersion().WithResource(singularName + "s"), singular
+}
+
+// ResourceSingularizer implements RESTMapper
+// It converts a resource name from plural to singular (e.g., from pods to pod)
+func (m *DefaultRESTMapper) ResourceSingularizer(resourceType string) (string, error) {
+	partialResource := schema.GroupVersionResource{Resource: resourceType}
+	resources, err := m.ResourcesFor(partialResource)
+	if err != nil {
+		return resourceType, err
+	}
+
+	singular := schema.GroupVersionResource{}
+	for _, curr := range resources {
+		currSingular, ok := m.pluralToSingular[curr]
+		if !ok {
+			continue
+		}
+		if singular.Empty() {
+			singular = currSingular
+			continue
+		}
+
+		if currSingular.Resource != singular.Resource {
+			return resourceType, fmt.Errorf("multiple possible singular resources (%v) found for %v", resources, resourceType)
+		}
+	}
+
+	if singular.Empty() {
+		return resourceType, fmt.Errorf("no singular of resource %v has been defined", resourceType)
+	}
+
+	return singular.Resource, nil
+}
+
+// coerceResourceForMatching makes the resource lower case and converts internal versions to unspecified (legacy behavior)
+func coerceResourceForMatching(resource schema.GroupVersionResource) schema.GroupVersionResource {
+	resource.Resource = strings.ToLower(resource.Resource)
+	if resource.Version == runtime.APIVersionInternal {
+		resource.Version = ""
+	}
+
+	return resource
+}
+
+func (m *DefaultRESTMapper) ResourcesFor(input schema.GroupVersionResource) ([]schema.GroupVersionResource, error) {
+	resource := coerceResourceForMatching(input)
+
+	hasResource := len(resource.Resource) > 0
+	hasGroup := len(resource.Group) > 0
+	hasVersion := len(resource.Version) > 0
+
+	if !hasResource {
+		return nil, fmt.Errorf("a resource must be present, got: %v", resource)
+	}
+
+	ret := []schema.GroupVersionResource{}
+	switch {
+	case hasGroup && hasVersion:
+		// fully qualified.  Find the exact match
+		for plural, singular := range m.pluralToSingular {
+			if singular == resource {
+				ret = append(ret, plural)
+				break
+			}
+			if plural == resource {
+				ret = append(ret, plural)
+				break
+			}
+		}
+
+	case hasGroup:
+		// given a group, prefer an exact match.  If you don't find one, resort to a prefix match on group
+		foundExactMatch := false
+		requestedGroupResource := resource.GroupResource()
+		for plural, singular := range m.pluralToSingular {
+			if singular.GroupResource() == requestedGroupResource {
+				foundExactMatch = true
+				ret = append(ret, plural)
+			}
+			if plural.GroupResource() == requestedGroupResource {
+				foundExactMatch = true
+				ret = append(ret, plural)
+			}
+		}
+
+		// if you didn't find an exact match, match on group prefixing. This allows storageclass.storage to match
+		// storageclass.storage.k8s.io
+		if !foundExactMatch {
+			for plural, singular := range m.pluralToSingular {
+				if !strings.HasPrefix(plural.Group, requestedGroupResource.Group) {
+					continue
+				}
+				if singular.Resource == requestedGroupResource.Resource {
+					ret = append(ret, plural)
+				}
+				if plural.Resource == requestedGroupResource.Resource {
+					ret = append(ret, plural)
+				}
+			}
+
+		}
+
+	case hasVersion:
+		for plural, singular := range m.pluralToSingular {
+			if singular.Version == resource.Version && singular.Resource == resource.Resource {
+				ret = append(ret, plural)
+			}
+			if plural.Version == resource.Version && plural.Resource == resource.Resource {
+				ret = append(ret, plural)
+			}
+		}
+
+	default:
+		for plural, singular := range m.pluralToSingular {
+			if singular.Resource == resource.Resource {
+				ret = append(ret, plural)
+			}
+			if plural.Resource == resource.Resource {
+				ret = append(ret, plural)
+			}
+		}
+	}
+
+	if len(ret) == 0 {
+		return nil, &NoResourceMatchError{PartialResource: resource}
+	}
+
+	sort.Sort(resourceByPreferredGroupVersion{ret, m.defaultGroupVersions})
+	return ret, nil
+}
+
+func (m *DefaultRESTMapper) ResourceFor(resource schema.GroupVersionResource) (schema.GroupVersionResource, error) {
+	resources, err := m.ResourcesFor(resource)
+	if err != nil {
+		return schema.GroupVersionResource{}, err
+	}
+	if len(resources) == 1 {
+		return resources[0], nil
+	}
+
+	return schema.GroupVersionResource{}, &AmbiguousResourceError{PartialResource: resource, MatchingResources: resources}
+}
+
+func (m *DefaultRESTMapper) KindsFor(input schema.GroupVersionResource) ([]schema.GroupVersionKind, error) {
+	resource := coerceResourceForMatching(input)
+
+	hasResource := len(resource.Resource) > 0
+	hasGroup := len(resource.Group) > 0
+	hasVersion := len(resource.Version) > 0
+
+	if !hasResource {
+		return nil, fmt.Errorf("a resource must be present, got: %v", resource)
+	}
+
+	ret := []schema.GroupVersionKind{}
+	switch {
+	// fully qualified.  Find the exact match
+	case hasGroup && hasVersion:
+		kind, exists := m.resourceToKind[resource]
+		if exists {
+			ret = append(ret, kind)
+		}
+
+	case hasGroup:
+		foundExactMatch := false
+		requestedGroupResource := resource.GroupResource()
+		for currResource, currKind := range m.resourceToKind {
+			if currResource.GroupResource() == requestedGroupResource {
+				foundExactMatch = true
+				ret = append(ret, currKind)
+			}
+		}
+
+		// if you didn't find an exact match, match on group prefixing. This allows storageclass.storage to match
+		// storageclass.storage.k8s.io
+		if !foundExactMatch {
+			for currResource, currKind := range m.resourceToKind {
+				if !strings.HasPrefix(currResource.Group, requestedGroupResource.Group) {
+					continue
+				}
+				if currResource.Resource == requestedGroupResource.Resource {
+					ret = append(ret, currKind)
+				}
+			}
+
+		}
+
+	case hasVersion:
+		for currResource, currKind := range m.resourceToKind {
+			if currResource.Version == resource.Version && currResource.Resource == resource.Resource {
+				ret = append(ret, currKind)
+			}
+		}
+
+	default:
+		for currResource, currKind := range m.resourceToKind {
+			if currResource.Resource == resource.Resource {
+				ret = append(ret, currKind)
+			}
+		}
+	}
+
+	if len(ret) == 0 {
+		return nil, &NoResourceMatchError{PartialResource: input}
+	}
+
+	sort.Sort(kindByPreferredGroupVersion{ret, m.defaultGroupVersions})
+	return ret, nil
+}
+
+func (m *DefaultRESTMapper) KindFor(resource schema.GroupVersionResource) (schema.GroupVersionKind, error) {
+	kinds, err := m.KindsFor(resource)
+	if err != nil {
+		return schema.GroupVersionKind{}, err
+	}
+	if len(kinds) == 1 {
+		return kinds[0], nil
+	}
+
+	return schema.GroupVersionKind{}, &AmbiguousResourceError{PartialResource: resource, MatchingKinds: kinds}
+}
+
+type kindByPreferredGroupVersion struct {
+	list      []schema.GroupVersionKind
+	sortOrder []schema.GroupVersion
+}
+
+func (o kindByPreferredGroupVersion) Len() int      { return len(o.list) }
+func (o kindByPreferredGroupVersion) Swap(i, j int) { o.list[i], o.list[j] = o.list[j], o.list[i] }
+func (o kindByPreferredGroupVersion) Less(i, j int) bool {
+	lhs := o.list[i]
+	rhs := o.list[j]
+	if lhs == rhs {
+		return false
+	}
+
+	if lhs.GroupVersion() == rhs.GroupVersion() {
+		return lhs.Kind < rhs.Kind
+	}
+
+	// otherwise, the difference is in the GroupVersion, so we need to sort with respect to the preferred order
+	lhsIndex := -1
+	rhsIndex := -1
+
+	for i := range o.sortOrder {
+		if o.sortOrder[i] == lhs.GroupVersion() {
+			lhsIndex = i
+		}
+		if o.sortOrder[i] == rhs.GroupVersion() {
+			rhsIndex = i
+		}
+	}
+
+	if rhsIndex == -1 {
+		return true
+	}
+
+	return lhsIndex < rhsIndex
+}
+
+type resourceByPreferredGroupVersion struct {
+	list      []schema.GroupVersionResource
+	sortOrder []schema.GroupVersion
+}
+
+func (o resourceByPreferredGroupVersion) Len() int      { return len(o.list) }
+func (o resourceByPreferredGroupVersion) Swap(i, j int) { o.list[i], o.list[j] = o.list[j], o.list[i] }
+func (o resourceByPreferredGroupVersion) Less(i, j int) bool {
+	lhs := o.list[i]
+	rhs := o.list[j]
+	if lhs == rhs {
+		return false
+	}
+
+	if lhs.GroupVersion() == rhs.GroupVersion() {
+		return lhs.Resource < rhs.Resource
+	}
+
+	// otherwise, the difference is in the GroupVersion, so we need to sort with respect to the preferred order
+	lhsIndex := -1
+	rhsIndex := -1
+
+	for i := range o.sortOrder {
+		if o.sortOrder[i] == lhs.GroupVersion() {
+			lhsIndex = i
+		}
+		if o.sortOrder[i] == rhs.GroupVersion() {
+			rhsIndex = i
+		}
+	}
+
+	if rhsIndex == -1 {
+		return true
+	}
+
+	return lhsIndex < rhsIndex
+}
+
+// RESTMapping returns a struct representing the resource path and conversion interfaces a
+// RESTClient should use to operate on the provided group/kind in order of versions. If a version search
+// order is not provided, the search order provided to DefaultRESTMapper will be used to resolve which
+// version should be used to access the named group/kind.
+func (m *DefaultRESTMapper) RESTMapping(gk schema.GroupKind, versions ...string) (*RESTMapping, error) {
+	mappings, err := m.RESTMappings(gk, versions...)
+	if err != nil {
+		return nil, err
+	}
+	if len(mappings) == 0 {
+		return nil, &NoKindMatchError{PartialKind: gk.WithVersion("")}
+	}
+	// since we rely on RESTMappings method
+	// take the first match and return to the caller
+	// as this was the existing behavior.
+	return mappings[0], nil
+}
+
+// RESTMappings returns the RESTMappings for the provided group kind. If a version search order
+// is not provided, the search order provided to DefaultRESTMapper will be used.
+func (m *DefaultRESTMapper) RESTMappings(gk schema.GroupKind, versions ...string) ([]*RESTMapping, error) {
+	mappings := make([]*RESTMapping, 0)
+	potentialGVK := make([]schema.GroupVersionKind, 0)
+	hadVersion := false
+
+	// Pick an appropriate version
+	for _, version := range versions {
+		if len(version) == 0 || version == runtime.APIVersionInternal {
+			continue
+		}
+		currGVK := gk.WithVersion(version)
+		hadVersion = true
+		if _, ok := m.kindToPluralResource[currGVK]; ok {
+			potentialGVK = append(potentialGVK, currGVK)
+			break
+		}
+	}
+	// Use the default preferred versions
+	if !hadVersion && len(potentialGVK) == 0 {
+		for _, gv := range m.defaultGroupVersions {
+			if gv.Group != gk.Group {
+				continue
+			}
+			potentialGVK = append(potentialGVK, gk.WithVersion(gv.Version))
+		}
+	}
+
+	if len(potentialGVK) == 0 {
+		return nil, &NoKindMatchError{PartialKind: gk.WithVersion("")}
+	}
+
+	for _, gvk := range potentialGVK {
+		//Ensure we have a REST mapping
+		res, ok := m.kindToPluralResource[gvk]
+		if !ok {
+			continue
+		}
+
+		// Ensure we have a REST scope
+		scope, ok := m.kindToScope[gvk]
+		if !ok {
+			return nil, fmt.Errorf("the provided version %q and kind %q cannot be mapped to a supported scope", gvk.GroupVersion(), gvk.Kind)
+		}
+
+		interfaces, err := m.interfacesFunc(gvk.GroupVersion())
+		if err != nil {
+			return nil, fmt.Errorf("the provided version %q has no relevant versions: %v", gvk.GroupVersion().String(), err)
+		}
+
+		mappings = append(mappings, &RESTMapping{
+			Resource:         res.Resource,
+			GroupVersionKind: gvk,
+			Scope:            scope,
+
+			ObjectConvertor:  interfaces.ObjectConvertor,
+			MetadataAccessor: interfaces.MetadataAccessor,
+		})
+	}
+
+	if len(mappings) == 0 {
+		return nil, &NoResourceMatchError{PartialResource: schema.GroupVersionResource{Group: gk.Group, Resource: gk.Kind}}
+	}
+	return mappings, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/meta/unstructured.go b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/unstructured.go
new file mode 100644
index 00000000..3ebf2481
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/meta/unstructured.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package meta
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// InterfacesForUnstructured returns VersionInterfaces suitable for
+// dealing with unstructured.Unstructured objects.
+func InterfacesForUnstructured(schema.GroupVersion) (*VersionInterfaces, error) {
+	return &VersionInterfaces{
+		ObjectConvertor:  &unstructured.UnstructuredObjectConverter{},
+		MetadataAccessor: NewAccessor(),
+	}, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/resource/amount.go b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/amount.go
new file mode 100644
index 00000000..a8866a43
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/amount.go
@@ -0,0 +1,299 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"math/big"
+	"strconv"
+
+	inf "gopkg.in/inf.v0"
+)
+
+// Scale is used for getting and setting the base-10 scaled value.
+// Base-2 scales are omitted for mathematical simplicity.
+// See Quantity.ScaledValue for more details.
+type Scale int32
+
+// infScale adapts a Scale value to an inf.Scale value.
+func (s Scale) infScale() inf.Scale {
+	return inf.Scale(-s) // inf.Scale is upside-down
+}
+
+const (
+	Nano  Scale = -9
+	Micro Scale = -6
+	Milli Scale = -3
+	Kilo  Scale = 3
+	Mega  Scale = 6
+	Giga  Scale = 9
+	Tera  Scale = 12
+	Peta  Scale = 15
+	Exa   Scale = 18
+)
+
+var (
+	Zero = int64Amount{}
+
+	// Used by quantity strings - treat as read only
+	zeroBytes = []byte("0")
+)
+
+// int64Amount represents a fixed precision numerator and arbitrary scale exponent. It is faster
+// than operations on inf.Dec for values that can be represented as int64.
+// +k8s:openapi-gen=true
+type int64Amount struct {
+	value int64
+	scale Scale
+}
+
+// Sign returns 0 if the value is zero, -1 if it is less than 0, or 1 if it is greater than 0.
+func (a int64Amount) Sign() int {
+	switch {
+	case a.value == 0:
+		return 0
+	case a.value > 0:
+		return 1
+	default:
+		return -1
+	}
+}
+
+// AsInt64 returns the current amount as an int64 at scale 0, or false if the value cannot be
+// represented in an int64 OR would result in a loss of precision. This method is intended as
+// an optimization to avoid calling AsDec.
+func (a int64Amount) AsInt64() (int64, bool) {
+	if a.scale == 0 {
+		return a.value, true
+	}
+	if a.scale < 0 {
+		// TODO: attempt to reduce factors, although it is assumed that factors are reduced prior
+		// to the int64Amount being created.
+		return 0, false
+	}
+	return positiveScaleInt64(a.value, a.scale)
+}
+
+// AsScaledInt64 returns an int64 representing the value of this amount at the specified scale,
+// rounding up, or false if that would result in overflow. (1e20).AsScaledInt64(1) would result
+// in overflow because 1e19 is not representable as an int64. Note that setting a scale larger
+// than the current value may result in loss of precision - i.e. (1e-6).AsScaledInt64(0) would
+// return 1, because 0.000001 is rounded up to 1.
+func (a int64Amount) AsScaledInt64(scale Scale) (result int64, ok bool) {
+	if a.scale < scale {
+		result, _ = negativeScaleInt64(a.value, scale-a.scale)
+		return result, true
+	}
+	return positiveScaleInt64(a.value, a.scale-scale)
+}
+
+// AsDec returns an inf.Dec representation of this value.
+func (a int64Amount) AsDec() *inf.Dec {
+	var base inf.Dec
+	base.SetUnscaled(a.value)
+	base.SetScale(inf.Scale(-a.scale))
+	return &base
+}
+
+// Cmp returns 0 if a and b are equal, 1 if a is greater than b, or -1 if a is less than b.
+func (a int64Amount) Cmp(b int64Amount) int {
+	switch {
+	case a.scale == b.scale:
+		// compare only the unscaled portion
+	case a.scale > b.scale:
+		result, remainder, exact := divideByScaleInt64(b.value, a.scale-b.scale)
+		if !exact {
+			return a.AsDec().Cmp(b.AsDec())
+		}
+		if result == a.value {
+			switch {
+			case remainder == 0:
+				return 0
+			case remainder > 0:
+				return -1
+			default:
+				return 1
+			}
+		}
+		b.value = result
+	default:
+		result, remainder, exact := divideByScaleInt64(a.value, b.scale-a.scale)
+		if !exact {
+			return a.AsDec().Cmp(b.AsDec())
+		}
+		if result == b.value {
+			switch {
+			case remainder == 0:
+				return 0
+			case remainder > 0:
+				return 1
+			default:
+				return -1
+			}
+		}
+		a.value = result
+	}
+
+	switch {
+	case a.value == b.value:
+		return 0
+	case a.value < b.value:
+		return -1
+	default:
+		return 1
+	}
+}
+
+// Add adds two int64Amounts together, matching scales. It will return false and not mutate
+// a if overflow or underflow would result.
+func (a *int64Amount) Add(b int64Amount) bool {
+	switch {
+	case b.value == 0:
+		return true
+	case a.value == 0:
+		a.value = b.value
+		a.scale = b.scale
+		return true
+	case a.scale == b.scale:
+		c, ok := int64Add(a.value, b.value)
+		if !ok {
+			return false
+		}
+		a.value = c
+	case a.scale > b.scale:
+		c, ok := positiveScaleInt64(a.value, a.scale-b.scale)
+		if !ok {
+			return false
+		}
+		c, ok = int64Add(c, b.value)
+		if !ok {
+			return false
+		}
+		a.scale = b.scale
+		a.value = c
+	default:
+		c, ok := positiveScaleInt64(b.value, b.scale-a.scale)
+		if !ok {
+			return false
+		}
+		c, ok = int64Add(a.value, c)
+		if !ok {
+			return false
+		}
+		a.value = c
+	}
+	return true
+}
+
+// Sub removes the value of b from the current amount, or returns false if underflow would result.
+func (a *int64Amount) Sub(b int64Amount) bool {
+	return a.Add(int64Amount{value: -b.value, scale: b.scale})
+}
+
+// AsScale adjusts this amount to set a minimum scale, rounding up, and returns true iff no precision
+// was lost. (1.1e5).AsScale(5) would return 1.1e5, but (1.1e5).AsScale(6) would return 1e6.
+func (a int64Amount) AsScale(scale Scale) (int64Amount, bool) {
+	if a.scale >= scale {
+		return a, true
+	}
+	result, exact := negativeScaleInt64(a.value, scale-a.scale)
+	return int64Amount{value: result, scale: scale}, exact
+}
+
+// AsCanonicalBytes accepts a buffer to write the base-10 string value of this field to, and returns
+// either that buffer or a larger buffer and the current exponent of the value. The value is adjusted
+// until the exponent is a multiple of 3 - i.e. 1.1e5 would return "110", 3.
+func (a int64Amount) AsCanonicalBytes(out []byte) (result []byte, exponent int32) {
+	mantissa := a.value
+	exponent = int32(a.scale)
+
+	amount, times := removeInt64Factors(mantissa, 10)
+	exponent += int32(times)
+
+	// make sure exponent is a multiple of 3
+	var ok bool
+	switch exponent % 3 {
+	case 1, -2:
+		amount, ok = int64MultiplyScale10(amount)
+		if !ok {
+			return infDecAmount{a.AsDec()}.AsCanonicalBytes(out)
+		}
+		exponent = exponent - 1
+	case 2, -1:
+		amount, ok = int64MultiplyScale100(amount)
+		if !ok {
+			return infDecAmount{a.AsDec()}.AsCanonicalBytes(out)
+		}
+		exponent = exponent - 2
+	}
+	return strconv.AppendInt(out, amount, 10), exponent
+}
+
+// AsCanonicalBase1024Bytes accepts a buffer to write the base-1024 string value of this field to, and returns
+// either that buffer or a larger buffer and the current exponent of the value. 2048 is 2 * 1024 ^ 1 and would
+// return []byte("2048"), 1.
+func (a int64Amount) AsCanonicalBase1024Bytes(out []byte) (result []byte, exponent int32) {
+	value, ok := a.AsScaledInt64(0)
+	if !ok {
+		return infDecAmount{a.AsDec()}.AsCanonicalBase1024Bytes(out)
+	}
+	amount, exponent := removeInt64Factors(value, 1024)
+	return strconv.AppendInt(out, amount, 10), exponent
+}
+
+// infDecAmount implements common operations over an inf.Dec that are specific to the quantity
+// representation.
+type infDecAmount struct {
+	*inf.Dec
+}
+
+// AsScale adjusts this amount to set a minimum scale, rounding up, and returns true iff no precision
+// was lost. (1.1e5).AsScale(5) would return 1.1e5, but (1.1e5).AsScale(6) would return 1e6.
+func (a infDecAmount) AsScale(scale Scale) (infDecAmount, bool) {
+	tmp := &inf.Dec{}
+	tmp.Round(a.Dec, scale.infScale(), inf.RoundUp)
+	return infDecAmount{tmp}, tmp.Cmp(a.Dec) == 0
+}
+
+// AsCanonicalBytes accepts a buffer to write the base-10 string value of this field to, and returns
+// either that buffer or a larger buffer and the current exponent of the value. The value is adjusted
+// until the exponent is a multiple of 3 - i.e. 1.1e5 would return "110", 3.
+func (a infDecAmount) AsCanonicalBytes(out []byte) (result []byte, exponent int32) {
+	mantissa := a.Dec.UnscaledBig()
+	exponent = int32(-a.Dec.Scale())
+	amount := big.NewInt(0).Set(mantissa)
+	// move all factors of 10 into the exponent for easy reasoning
+	amount, times := removeBigIntFactors(amount, bigTen)
+	exponent += times
+
+	// make sure exponent is a multiple of 3
+	for exponent%3 != 0 {
+		amount.Mul(amount, bigTen)
+		exponent--
+	}
+
+	return append(out, amount.String()...), exponent
+}
+
+// AsCanonicalBase1024Bytes accepts a buffer to write the base-1024 string value of this field to, and returns
+// either that buffer or a larger buffer and the current exponent of the value. 2048 is 2 * 1024 ^ 1 and would
+// return []byte("2048"), 1.
+func (a infDecAmount) AsCanonicalBase1024Bytes(out []byte) (result []byte, exponent int32) {
+	tmp := &inf.Dec{}
+	tmp.Round(a.Dec, 0, inf.RoundUp)
+	amount, exponent := removeBigIntFactors(tmp.UnscaledBig(), big1024)
+	return append(out, amount.String()...), exponent
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/resource/generated.pb.go b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/generated.pb.go
new file mode 100644
index 00000000..6de71e50
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/generated.pb.go
@@ -0,0 +1,77 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package resource is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto
+
+	It has these top-level messages:
+		Quantity
+*/
+package resource
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *Quantity) Reset()                    { *m = Quantity{} }
+func (*Quantity) ProtoMessage()               {}
+func (*Quantity) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func init() {
+	proto.RegisterType((*Quantity)(nil), "k8s.io.apimachinery.pkg.api.resource.Quantity")
+}
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 255 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x8f, 0xa1, 0x4e, 0x03, 0x41,
+	0x10, 0x86, 0x77, 0x0d, 0x29, 0x95, 0x0d, 0x21, 0xa4, 0x62, 0xaf, 0x21, 0x08, 0x0c, 0x3b, 0x02,
+	0xd3, 0x20, 0xf1, 0x08, 0x90, 0xb8, 0xbb, 0xeb, 0xb0, 0xdd, 0x1c, 0xdd, 0xbd, 0xcc, 0xce, 0x92,
+	0xd4, 0x55, 0x22, 0x2b, 0x91, 0xbd, 0xb7, 0xa9, 0xac, 0xac, 0x40, 0x70, 0xcb, 0x8b, 0x90, 0x5e,
+	0xdb, 0x84, 0x90, 0xe0, 0xe6, 0xfb, 0x27, 0xdf, 0xe4, 0x9f, 0xfe, 0x43, 0x35, 0x0e, 0xda, 0x7a,
+	0xa8, 0x62, 0x81, 0xe4, 0x90, 0x31, 0xc0, 0x1b, 0xba, 0x89, 0x27, 0x38, 0x2c, 0xf2, 0xda, 0xce,
+	0xf2, 0x72, 0x6a, 0x1d, 0xd2, 0x1c, 0xea, 0xca, 0xec, 0x02, 0x20, 0x0c, 0x3e, 0x52, 0x89, 0x60,
+	0xd0, 0x21, 0xe5, 0x8c, 0x13, 0x5d, 0x93, 0x67, 0x3f, 0xb8, 0xda, 0x5b, 0xfa, 0xb7, 0xa5, 0xeb,
+	0xca, 0xec, 0x02, 0x7d, 0xb4, 0x86, 0x37, 0xc6, 0xf2, 0x34, 0x16, 0xba, 0xf4, 0x33, 0x30, 0xde,
+	0x78, 0xe8, 0xe4, 0x22, 0xbe, 0x74, 0xd4, 0x41, 0x37, 0xed, 0x8f, 0x0e, 0x6f, 0xff, 0xab, 0x12,
+	0xd9, 0xbe, 0x82, 0x75, 0x1c, 0x98, 0xfe, 0x36, 0xb9, 0x1c, 0xf7, 0x7b, 0x8f, 0x31, 0x77, 0x6c,
+	0x79, 0x3e, 0x38, 0xef, 0x9f, 0x04, 0x26, 0xeb, 0xcc, 0x85, 0x1c, 0xc9, 0xeb, 0xd3, 0xa7, 0x03,
+	0xdd, 0x9d, 0x7d, 0xac, 0x32, 0xf1, 0xde, 0x64, 0x62, 0xd9, 0x64, 0x62, 0xd5, 0x64, 0x62, 0xf1,
+	0x39, 0x12, 0xf7, 0x7a, 0xdd, 0x2a, 0xb1, 0x69, 0x95, 0xd8, 0xb6, 0x4a, 0x2c, 0x92, 0x92, 0xeb,
+	0xa4, 0xe4, 0x26, 0x29, 0xb9, 0x4d, 0x4a, 0x7e, 0x25, 0x25, 0x97, 0xdf, 0x4a, 0x3c, 0xf7, 0x8e,
+	0xdf, 0xfc, 0x04, 0x00, 0x00, 0xff, 0xff, 0x5f, 0x5e, 0xda, 0xf9, 0x43, 0x01, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto
new file mode 100644
index 00000000..b05e7fd2
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/generated.proto
@@ -0,0 +1,94 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.apimachinery.pkg.api.resource;
+
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "resource";
+
+// Quantity is a fixed-point representation of a number.
+// It provides convenient marshaling/unmarshaling in JSON and YAML,
+// in addition to String() and Int64() accessors.
+// 
+// The serialization format is:
+// 
+// <quantity>        ::= <signedNumber><suffix>
+//   (Note that <suffix> may be empty, from the "" case in <decimalSI>.)
+// <digit>           ::= 0 | 1 | ... | 9
+// <digits>          ::= <digit> | <digit><digits>
+// <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits>
+// <sign>            ::= "+" | "-"
+// <signedNumber>    ::= <number> | <sign><number>
+// <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI>
+// <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei
+//   (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
+// <decimalSI>       ::= m | "" | k | M | G | T | P | E
+//   (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
+// <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
+// 
+// No matter which of the three exponent forms is used, no quantity may represent
+// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
+// places. Numbers larger or more precise will be capped or rounded up.
+// (E.g.: 0.1m will rounded up to 1m.)
+// This may be extended in the future if we require larger or smaller quantities.
+// 
+// When a Quantity is parsed from a string, it will remember the type of suffix
+// it had, and will use the same type again when it is serialized.
+// 
+// Before serializing, Quantity will be put in "canonical form".
+// This means that Exponent/suffix will be adjusted up or down (with a
+// corresponding increase or decrease in Mantissa) such that:
+//   a. No precision is lost
+//   b. No fractional digits will be emitted
+//   c. The exponent (or suffix) is as large as possible.
+// The sign will be omitted unless the number is negative.
+// 
+// Examples:
+//   1.5 will be serialized as "1500m"
+//   1.5Gi will be serialized as "1536Mi"
+// 
+// NOTE: We reserve the right to amend this canonical format, perhaps to
+//   allow 1.5 to be canonical.
+// TODO: Remove above disclaimer after all bikeshedding about format is over,
+//   or after March 2015.
+// 
+// Note that the quantity will NEVER be internally represented by a
+// floating point number. That is the whole point of this exercise.
+// 
+// Non-canonical values will still parse as long as they are well formed,
+// but will be re-emitted in their canonical form. (So always use canonical
+// form, or don't diff.)
+// 
+// This format is intended to make it difficult to use these numbers without
+// writing some sort of special handling code in the hopes that that will
+// cause implementors to also use a fixed point implementation.
+// 
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:openapi-gen=true
+message Quantity {
+  optional string string = 1;
+}
+
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/resource/math.go b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/math.go
new file mode 100644
index 00000000..72d3880c
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/math.go
@@ -0,0 +1,314 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"math/big"
+
+	inf "gopkg.in/inf.v0"
+)
+
+const (
+	// maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64.
+	// It is also the maximum decimal digits that can be represented with an int64.
+	maxInt64Factors = 18
+)
+
+var (
+	// Commonly needed big.Int values-- treat as read only!
+	bigTen      = big.NewInt(10)
+	bigZero     = big.NewInt(0)
+	bigOne      = big.NewInt(1)
+	bigThousand = big.NewInt(1000)
+	big1024     = big.NewInt(1024)
+
+	// Commonly needed inf.Dec values-- treat as read only!
+	decZero      = inf.NewDec(0, 0)
+	decOne       = inf.NewDec(1, 0)
+	decMinusOne  = inf.NewDec(-1, 0)
+	decThousand  = inf.NewDec(1000, 0)
+	dec1024      = inf.NewDec(1024, 0)
+	decMinus1024 = inf.NewDec(-1024, 0)
+
+	// Largest (in magnitude) number allowed.
+	maxAllowed = infDecAmount{inf.NewDec((1<<63)-1, 0)} // == max int64
+
+	// The maximum value we can represent milli-units for.
+	// Compare with the return value of Quantity.Value() to
+	// see if it's safe to use Quantity.MilliValue().
+	MaxMilliValue = int64(((1 << 63) - 1) / 1000)
+)
+
+const mostNegative = -(mostPositive + 1)
+const mostPositive = 1<<63 - 1
+
+// int64Add returns a+b, or false if that would overflow int64.
+func int64Add(a, b int64) (int64, bool) {
+	c := a + b
+	switch {
+	case a > 0 && b > 0:
+		if c < 0 {
+			return 0, false
+		}
+	case a < 0 && b < 0:
+		if c > 0 {
+			return 0, false
+		}
+		if a == mostNegative && b == mostNegative {
+			return 0, false
+		}
+	}
+	return c, true
+}
+
+// int64Multiply returns a*b, or false if that would overflow or underflow int64.
+func int64Multiply(a, b int64) (int64, bool) {
+	if a == 0 || b == 0 || a == 1 || b == 1 {
+		return a * b, true
+	}
+	if a == mostNegative || b == mostNegative {
+		return 0, false
+	}
+	c := a * b
+	return c, c/b == a
+}
+
+// int64MultiplyScale returns a*b, assuming b is greater than one, or false if that would overflow or underflow int64.
+// Use when b is known to be greater than one.
+func int64MultiplyScale(a int64, b int64) (int64, bool) {
+	if a == 0 || a == 1 {
+		return a * b, true
+	}
+	if a == mostNegative && b != 1 {
+		return 0, false
+	}
+	c := a * b
+	return c, c/b == a
+}
+
+// int64MultiplyScale10 multiplies a by 10, or returns false if that would overflow. This method is faster than
+// int64Multiply(a, 10) because the compiler can optimize constant factor multiplication.
+func int64MultiplyScale10(a int64) (int64, bool) {
+	if a == 0 || a == 1 {
+		return a * 10, true
+	}
+	if a == mostNegative {
+		return 0, false
+	}
+	c := a * 10
+	return c, c/10 == a
+}
+
+// int64MultiplyScale100 multiplies a by 100, or returns false if that would overflow. This method is faster than
+// int64Multiply(a, 100) because the compiler can optimize constant factor multiplication.
+func int64MultiplyScale100(a int64) (int64, bool) {
+	if a == 0 || a == 1 {
+		return a * 100, true
+	}
+	if a == mostNegative {
+		return 0, false
+	}
+	c := a * 100
+	return c, c/100 == a
+}
+
+// int64MultiplyScale1000 multiplies a by 1000, or returns false if that would overflow. This method is faster than
+// int64Multiply(a, 1000) because the compiler can optimize constant factor multiplication.
+func int64MultiplyScale1000(a int64) (int64, bool) {
+	if a == 0 || a == 1 {
+		return a * 1000, true
+	}
+	if a == mostNegative {
+		return 0, false
+	}
+	c := a * 1000
+	return c, c/1000 == a
+}
+
+// positiveScaleInt64 multiplies base by 10^scale, returning false if the
+// value overflows. Passing a negative scale is undefined.
+func positiveScaleInt64(base int64, scale Scale) (int64, bool) {
+	switch scale {
+	case 0:
+		return base, true
+	case 1:
+		return int64MultiplyScale10(base)
+	case 2:
+		return int64MultiplyScale100(base)
+	case 3:
+		return int64MultiplyScale1000(base)
+	case 6:
+		return int64MultiplyScale(base, 1000000)
+	case 9:
+		return int64MultiplyScale(base, 1000000000)
+	default:
+		value := base
+		var ok bool
+		for i := Scale(0); i < scale; i++ {
+			if value, ok = int64MultiplyScale(value, 10); !ok {
+				return 0, false
+			}
+		}
+		return value, true
+	}
+}
+
+// negativeScaleInt64 reduces base by the provided scale, rounding up, until the
+// value is zero or the scale is reached. Passing a negative scale is undefined.
+// The value returned, if not exact, is rounded away from zero.
+func negativeScaleInt64(base int64, scale Scale) (result int64, exact bool) {
+	if scale == 0 {
+		return base, true
+	}
+
+	value := base
+	var fraction bool
+	for i := Scale(0); i < scale; i++ {
+		if !fraction && value%10 != 0 {
+			fraction = true
+		}
+		value = value / 10
+		if value == 0 {
+			if fraction {
+				if base > 0 {
+					return 1, false
+				}
+				return -1, false
+			}
+			return 0, true
+		}
+	}
+	if fraction {
+		if base > 0 {
+			value += 1
+		} else {
+			value += -1
+		}
+	}
+	return value, !fraction
+}
+
+func pow10Int64(b int64) int64 {
+	switch b {
+	case 0:
+		return 1
+	case 1:
+		return 10
+	case 2:
+		return 100
+	case 3:
+		return 1000
+	case 4:
+		return 10000
+	case 5:
+		return 100000
+	case 6:
+		return 1000000
+	case 7:
+		return 10000000
+	case 8:
+		return 100000000
+	case 9:
+		return 1000000000
+	case 10:
+		return 10000000000
+	case 11:
+		return 100000000000
+	case 12:
+		return 1000000000000
+	case 13:
+		return 10000000000000
+	case 14:
+		return 100000000000000
+	case 15:
+		return 1000000000000000
+	case 16:
+		return 10000000000000000
+	case 17:
+		return 100000000000000000
+	case 18:
+		return 1000000000000000000
+	default:
+		return 0
+	}
+}
+
+// negativeScaleInt64 returns the result of dividing base by scale * 10 and the remainder, or
+// false if no such division is possible. Dividing by negative scales is undefined.
+func divideByScaleInt64(base int64, scale Scale) (result, remainder int64, exact bool) {
+	if scale == 0 {
+		return base, 0, true
+	}
+	// the max scale representable in base 10 in an int64 is 18 decimal places
+	if scale >= 18 {
+		return 0, base, false
+	}
+	divisor := pow10Int64(int64(scale))
+	return base / divisor, base % divisor, true
+}
+
+// removeInt64Factors divides in a loop; the return values have the property that
+// value == result * base ^ scale
+func removeInt64Factors(value int64, base int64) (result int64, times int32) {
+	times = 0
+	result = value
+	negative := result < 0
+	if negative {
+		result = -result
+	}
+	switch base {
+	// allow the compiler to optimize the common cases
+	case 10:
+		for result >= 10 && result%10 == 0 {
+			times++
+			result = result / 10
+		}
+	// allow the compiler to optimize the common cases
+	case 1024:
+		for result >= 1024 && result%1024 == 0 {
+			times++
+			result = result / 1024
+		}
+	default:
+		for result >= base && result%base == 0 {
+			times++
+			result = result / base
+		}
+	}
+	if negative {
+		result = -result
+	}
+	return result, times
+}
+
+// removeBigIntFactors divides in a loop; the return values have the property that
+// d == result * factor ^ times
+// d may be modified in place.
+// If d == 0, then the return values will be (0, 0)
+func removeBigIntFactors(d, factor *big.Int) (result *big.Int, times int32) {
+	q := big.NewInt(0)
+	m := big.NewInt(0)
+	for d.Cmp(bigZero) != 0 {
+		q.DivMod(d, factor, m)
+		if m.Cmp(bigZero) != 0 {
+			break
+		}
+		times++
+		d, q = q, d
+	}
+	return d, times
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/resource/quantity.go b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/quantity.go
new file mode 100644
index 00000000..1839d78a
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/quantity.go
@@ -0,0 +1,792 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"math/big"
+	"regexp"
+	"strconv"
+	"strings"
+
+	flag "github.com/spf13/pflag"
+
+	"github.com/go-openapi/spec"
+	inf "gopkg.in/inf.v0"
+	openapi "k8s.io/kube-openapi/pkg/common"
+)
+
+// Quantity is a fixed-point representation of a number.
+// It provides convenient marshaling/unmarshaling in JSON and YAML,
+// in addition to String() and Int64() accessors.
+//
+// The serialization format is:
+//
+// <quantity>        ::= <signedNumber><suffix>
+//   (Note that <suffix> may be empty, from the "" case in <decimalSI>.)
+// <digit>           ::= 0 | 1 | ... | 9
+// <digits>          ::= <digit> | <digit><digits>
+// <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits>
+// <sign>            ::= "+" | "-"
+// <signedNumber>    ::= <number> | <sign><number>
+// <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI>
+// <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei
+//   (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
+// <decimalSI>       ::= m | "" | k | M | G | T | P | E
+//   (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
+// <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
+//
+// No matter which of the three exponent forms is used, no quantity may represent
+// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
+// places. Numbers larger or more precise will be capped or rounded up.
+// (E.g.: 0.1m will rounded up to 1m.)
+// This may be extended in the future if we require larger or smaller quantities.
+//
+// When a Quantity is parsed from a string, it will remember the type of suffix
+// it had, and will use the same type again when it is serialized.
+//
+// Before serializing, Quantity will be put in "canonical form".
+// This means that Exponent/suffix will be adjusted up or down (with a
+// corresponding increase or decrease in Mantissa) such that:
+//   a. No precision is lost
+//   b. No fractional digits will be emitted
+//   c. The exponent (or suffix) is as large as possible.
+// The sign will be omitted unless the number is negative.
+//
+// Examples:
+//   1.5 will be serialized as "1500m"
+//   1.5Gi will be serialized as "1536Mi"
+//
+// NOTE: We reserve the right to amend this canonical format, perhaps to
+//   allow 1.5 to be canonical.
+// TODO: Remove above disclaimer after all bikeshedding about format is over,
+//   or after March 2015.
+//
+// Note that the quantity will NEVER be internally represented by a
+// floating point number. That is the whole point of this exercise.
+//
+// Non-canonical values will still parse as long as they are well formed,
+// but will be re-emitted in their canonical form. (So always use canonical
+// form, or don't diff.)
+//
+// This format is intended to make it difficult to use these numbers without
+// writing some sort of special handling code in the hopes that that will
+// cause implementors to also use a fixed point implementation.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:openapi-gen=true
+type Quantity struct {
+	// i is the quantity in int64 scaled form, if d.Dec == nil
+	i int64Amount
+	// d is the quantity in inf.Dec form if d.Dec != nil
+	d infDecAmount
+	// s is the generated value of this quantity to avoid recalculation
+	s string
+
+	// Change Format at will. See the comment for Canonicalize for
+	// more details.
+	Format
+}
+
+// CanonicalValue allows a quantity amount to be converted to a string.
+type CanonicalValue interface {
+	// AsCanonicalBytes returns a byte array representing the string representation
+	// of the value mantissa and an int32 representing its exponent in base-10. Callers may
+	// pass a byte slice to the method to avoid allocations.
+	AsCanonicalBytes(out []byte) ([]byte, int32)
+	// AsCanonicalBase1024Bytes returns a byte array representing the string representation
+	// of the value mantissa and an int32 representing its exponent in base-1024. Callers
+	// may pass a byte slice to the method to avoid allocations.
+	AsCanonicalBase1024Bytes(out []byte) ([]byte, int32)
+}
+
+// Format lists the three possible formattings of a quantity.
+type Format string
+
+const (
+	DecimalExponent = Format("DecimalExponent") // e.g., 12e6
+	BinarySI        = Format("BinarySI")        // e.g., 12Mi (12 * 2^20)
+	DecimalSI       = Format("DecimalSI")       // e.g., 12M  (12 * 10^6)
+)
+
+// MustParse turns the given string into a quantity or panics; for tests
+// or others cases where you know the string is valid.
+func MustParse(str string) Quantity {
+	q, err := ParseQuantity(str)
+	if err != nil {
+		panic(fmt.Errorf("cannot parse '%v': %v", str, err))
+	}
+	return q
+}
+
+const (
+	// splitREString is used to separate a number from its suffix; as such,
+	// this is overly permissive, but that's OK-- it will be checked later.
+	splitREString = "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+)
+
+var (
+	// splitRE is used to get the various parts of a number.
+	splitRE = regexp.MustCompile(splitREString)
+
+	// Errors that could happen while parsing a string.
+	ErrFormatWrong = errors.New("quantities must match the regular expression '" + splitREString + "'")
+	ErrNumeric     = errors.New("unable to parse numeric part of quantity")
+	ErrSuffix      = errors.New("unable to parse quantity's suffix")
+)
+
+// parseQuantityString is a fast scanner for quantity values.
+func parseQuantityString(str string) (positive bool, value, num, denom, suffix string, err error) {
+	positive = true
+	pos := 0
+	end := len(str)
+
+	// handle leading sign
+	if pos < end {
+		switch str[0] {
+		case '-':
+			positive = false
+			pos++
+		case '+':
+			pos++
+		}
+	}
+
+	// strip leading zeros
+Zeroes:
+	for i := pos; ; i++ {
+		if i >= end {
+			num = "0"
+			value = num
+			return
+		}
+		switch str[i] {
+		case '0':
+			pos++
+		default:
+			break Zeroes
+		}
+	}
+
+	// extract the numerator
+Num:
+	for i := pos; ; i++ {
+		if i >= end {
+			num = str[pos:end]
+			value = str[0:end]
+			return
+		}
+		switch str[i] {
+		case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9':
+		default:
+			num = str[pos:i]
+			pos = i
+			break Num
+		}
+	}
+
+	// if we stripped all numerator positions, always return 0
+	if len(num) == 0 {
+		num = "0"
+	}
+
+	// handle a denominator
+	if pos < end && str[pos] == '.' {
+		pos++
+	Denom:
+		for i := pos; ; i++ {
+			if i >= end {
+				denom = str[pos:end]
+				value = str[0:end]
+				return
+			}
+			switch str[i] {
+			case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9':
+			default:
+				denom = str[pos:i]
+				pos = i
+				break Denom
+			}
+		}
+		// TODO: we currently allow 1.G, but we may not want to in the future.
+		// if len(denom) == 0 {
+		// 	err = ErrFormatWrong
+		// 	return
+		// }
+	}
+	value = str[0:pos]
+
+	// grab the elements of the suffix
+	suffixStart := pos
+	for i := pos; ; i++ {
+		if i >= end {
+			suffix = str[suffixStart:end]
+			return
+		}
+		if !strings.ContainsAny(str[i:i+1], "eEinumkKMGTP") {
+			pos = i
+			break
+		}
+	}
+	if pos < end {
+		switch str[pos] {
+		case '-', '+':
+			pos++
+		}
+	}
+Suffix:
+	for i := pos; ; i++ {
+		if i >= end {
+			suffix = str[suffixStart:end]
+			return
+		}
+		switch str[i] {
+		case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9':
+		default:
+			break Suffix
+		}
+	}
+	// we encountered a non decimal in the Suffix loop, but the last character
+	// was not a valid exponent
+	err = ErrFormatWrong
+	return
+}
+
+// ParseQuantity turns str into a Quantity, or returns an error.
+func ParseQuantity(str string) (Quantity, error) {
+	if len(str) == 0 {
+		return Quantity{}, ErrFormatWrong
+	}
+	if str == "0" {
+		return Quantity{Format: DecimalSI, s: str}, nil
+	}
+
+	positive, value, num, denom, suf, err := parseQuantityString(str)
+	if err != nil {
+		return Quantity{}, err
+	}
+
+	base, exponent, format, ok := quantitySuffixer.interpret(suffix(suf))
+	if !ok {
+		return Quantity{}, ErrSuffix
+	}
+
+	precision := int32(0)
+	scale := int32(0)
+	mantissa := int64(1)
+	switch format {
+	case DecimalExponent, DecimalSI:
+		scale = exponent
+		precision = maxInt64Factors - int32(len(num)+len(denom))
+	case BinarySI:
+		scale = 0
+		switch {
+		case exponent >= 0 && len(denom) == 0:
+			// only handle positive binary numbers with the fast path
+			mantissa = int64(int64(mantissa) << uint64(exponent))
+			// 1Mi (2^20) has ~6 digits of decimal precision, so exponent*3/10 -1 is roughly the precision
+			precision = 15 - int32(len(num)) - int32(float32(exponent)*3/10) - 1
+		default:
+			precision = -1
+		}
+	}
+
+	if precision >= 0 {
+		// if we have a denominator, shift the entire value to the left by the number of places in the
+		// denominator
+		scale -= int32(len(denom))
+		if scale >= int32(Nano) {
+			shifted := num + denom
+
+			var value int64
+			value, err := strconv.ParseInt(shifted, 10, 64)
+			if err != nil {
+				return Quantity{}, ErrNumeric
+			}
+			if result, ok := int64Multiply(value, int64(mantissa)); ok {
+				if !positive {
+					result = -result
+				}
+				// if the number is in canonical form, reuse the string
+				switch format {
+				case BinarySI:
+					if exponent%10 == 0 && (value&0x07 != 0) {
+						return Quantity{i: int64Amount{value: result, scale: Scale(scale)}, Format: format, s: str}, nil
+					}
+				default:
+					if scale%3 == 0 && !strings.HasSuffix(shifted, "000") && shifted[0] != '0' {
+						return Quantity{i: int64Amount{value: result, scale: Scale(scale)}, Format: format, s: str}, nil
+					}
+				}
+				return Quantity{i: int64Amount{value: result, scale: Scale(scale)}, Format: format}, nil
+			}
+		}
+	}
+
+	amount := new(inf.Dec)
+	if _, ok := amount.SetString(value); !ok {
+		return Quantity{}, ErrNumeric
+	}
+
+	// So that no one but us has to think about suffixes, remove it.
+	if base == 10 {
+		amount.SetScale(amount.Scale() + Scale(exponent).infScale())
+	} else if base == 2 {
+		// numericSuffix = 2 ** exponent
+		numericSuffix := big.NewInt(1).Lsh(bigOne, uint(exponent))
+		ub := amount.UnscaledBig()
+		amount.SetUnscaledBig(ub.Mul(ub, numericSuffix))
+	}
+
+	// Cap at min/max bounds.
+	sign := amount.Sign()
+	if sign == -1 {
+		amount.Neg(amount)
+	}
+
+	// This rounds non-zero values up to the minimum representable value, under the theory that
+	// if you want some resources, you should get some resources, even if you asked for way too small
+	// of an amount.  Arguably, this should be inf.RoundHalfUp (normal rounding), but that would have
+	// the side effect of rounding values < .5n to zero.
+	if v, ok := amount.Unscaled(); v != int64(0) || !ok {
+		amount.Round(amount, Nano.infScale(), inf.RoundUp)
+	}
+
+	// The max is just a simple cap.
+	// TODO: this prevents accumulating quantities greater than int64, for instance quota across a cluster
+	if format == BinarySI && amount.Cmp(maxAllowed.Dec) > 0 {
+		amount.Set(maxAllowed.Dec)
+	}
+
+	if format == BinarySI && amount.Cmp(decOne) < 0 && amount.Cmp(decZero) > 0 {
+		// This avoids rounding and hopefully confusion, too.
+		format = DecimalSI
+	}
+	if sign == -1 {
+		amount.Neg(amount)
+	}
+
+	return Quantity{d: infDecAmount{amount}, Format: format}, nil
+}
+
+// DeepCopy returns a deep-copy of the Quantity value.  Note that the method
+// receiver is a value, so we can mutate it in-place and return it.
+func (q Quantity) DeepCopy() Quantity {
+	if q.d.Dec != nil {
+		tmp := &inf.Dec{}
+		q.d.Dec = tmp.Set(q.d.Dec)
+	}
+	return q
+}
+
+// OpenAPIDefinition returns openAPI definition for this type.
+func (_ Quantity) OpenAPIDefinition() openapi.OpenAPIDefinition {
+	return openapi.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type:   []string{"string"},
+				Format: "",
+			},
+		},
+	}
+}
+
+// CanonicalizeBytes returns the canonical form of q and its suffix (see comment on Quantity).
+//
+// Note about BinarySI:
+// * If q.Format is set to BinarySI and q.Amount represents a non-zero value between
+//   -1 and +1, it will be emitted as if q.Format were DecimalSI.
+// * Otherwise, if q.Format is set to BinarySI, frational parts of q.Amount will be
+//   rounded up. (1.1i becomes 2i.)
+func (q *Quantity) CanonicalizeBytes(out []byte) (result, suffix []byte) {
+	if q.IsZero() {
+		return zeroBytes, nil
+	}
+
+	var rounded CanonicalValue
+	format := q.Format
+	switch format {
+	case DecimalExponent, DecimalSI:
+	case BinarySI:
+		if q.CmpInt64(-1024) > 0 && q.CmpInt64(1024) < 0 {
+			// This avoids rounding and hopefully confusion, too.
+			format = DecimalSI
+		} else {
+			var exact bool
+			if rounded, exact = q.AsScale(0); !exact {
+				// Don't lose precision-- show as DecimalSI
+				format = DecimalSI
+			}
+		}
+	default:
+		format = DecimalExponent
+	}
+
+	// TODO: If BinarySI formatting is requested but would cause rounding, upgrade to
+	// one of the other formats.
+	switch format {
+	case DecimalExponent, DecimalSI:
+		number, exponent := q.AsCanonicalBytes(out)
+		suffix, _ := quantitySuffixer.constructBytes(10, exponent, format)
+		return number, suffix
+	default:
+		// format must be BinarySI
+		number, exponent := rounded.AsCanonicalBase1024Bytes(out)
+		suffix, _ := quantitySuffixer.constructBytes(2, exponent*10, format)
+		return number, suffix
+	}
+}
+
+// AsInt64 returns a representation of the current value as an int64 if a fast conversion
+// is possible. If false is returned, callers must use the inf.Dec form of this quantity.
+func (q *Quantity) AsInt64() (int64, bool) {
+	if q.d.Dec != nil {
+		return 0, false
+	}
+	return q.i.AsInt64()
+}
+
+// ToDec promotes the quantity in place to use an inf.Dec representation and returns itself.
+func (q *Quantity) ToDec() *Quantity {
+	if q.d.Dec == nil {
+		q.d.Dec = q.i.AsDec()
+		q.i = int64Amount{}
+	}
+	return q
+}
+
+// AsDec returns the quantity as represented by a scaled inf.Dec.
+func (q *Quantity) AsDec() *inf.Dec {
+	if q.d.Dec != nil {
+		return q.d.Dec
+	}
+	q.d.Dec = q.i.AsDec()
+	q.i = int64Amount{}
+	return q.d.Dec
+}
+
+// AsCanonicalBytes returns the canonical byte representation of this quantity as a mantissa
+// and base 10 exponent. The out byte slice may be passed to the method to avoid an extra
+// allocation.
+func (q *Quantity) AsCanonicalBytes(out []byte) (result []byte, exponent int32) {
+	if q.d.Dec != nil {
+		return q.d.AsCanonicalBytes(out)
+	}
+	return q.i.AsCanonicalBytes(out)
+}
+
+// IsZero returns true if the quantity is equal to zero.
+func (q *Quantity) IsZero() bool {
+	if q.d.Dec != nil {
+		return q.d.Dec.Sign() == 0
+	}
+	return q.i.value == 0
+}
+
+// Sign returns 0 if the quantity is zero, -1 if the quantity is less than zero, or 1 if the
+// quantity is greater than zero.
+func (q *Quantity) Sign() int {
+	if q.d.Dec != nil {
+		return q.d.Dec.Sign()
+	}
+	return q.i.Sign()
+}
+
+// AsScaled returns the current value, rounded up to the provided scale, and returns
+// false if the scale resulted in a loss of precision.
+func (q *Quantity) AsScale(scale Scale) (CanonicalValue, bool) {
+	if q.d.Dec != nil {
+		return q.d.AsScale(scale)
+	}
+	return q.i.AsScale(scale)
+}
+
+// RoundUp updates the quantity to the provided scale, ensuring that the value is at
+// least 1. False is returned if the rounding operation resulted in a loss of precision.
+// Negative numbers are rounded away from zero (-9 scale 1 rounds to -10).
+func (q *Quantity) RoundUp(scale Scale) bool {
+	if q.d.Dec != nil {
+		q.s = ""
+		d, exact := q.d.AsScale(scale)
+		q.d = d
+		return exact
+	}
+	// avoid clearing the string value if we have already calculated it
+	if q.i.scale >= scale {
+		return true
+	}
+	q.s = ""
+	i, exact := q.i.AsScale(scale)
+	q.i = i
+	return exact
+}
+
+// Add adds the provide y quantity to the current value. If the current value is zero,
+// the format of the quantity will be updated to the format of y.
+func (q *Quantity) Add(y Quantity) {
+	q.s = ""
+	if q.d.Dec == nil && y.d.Dec == nil {
+		if q.i.value == 0 {
+			q.Format = y.Format
+		}
+		if q.i.Add(y.i) {
+			return
+		}
+	} else if q.IsZero() {
+		q.Format = y.Format
+	}
+	q.ToDec().d.Dec.Add(q.d.Dec, y.AsDec())
+}
+
+// Sub subtracts the provided quantity from the current value in place. If the current
+// value is zero, the format of the quantity will be updated to the format of y.
+func (q *Quantity) Sub(y Quantity) {
+	q.s = ""
+	if q.IsZero() {
+		q.Format = y.Format
+	}
+	if q.d.Dec == nil && y.d.Dec == nil && q.i.Sub(y.i) {
+		return
+	}
+	q.ToDec().d.Dec.Sub(q.d.Dec, y.AsDec())
+}
+
+// Cmp returns 0 if the quantity is equal to y, -1 if the quantity is less than y, or 1 if the
+// quantity is greater than y.
+func (q *Quantity) Cmp(y Quantity) int {
+	if q.d.Dec == nil && y.d.Dec == nil {
+		return q.i.Cmp(y.i)
+	}
+	return q.AsDec().Cmp(y.AsDec())
+}
+
+// CmpInt64 returns 0 if the quantity is equal to y, -1 if the quantity is less than y, or 1 if the
+// quantity is greater than y.
+func (q *Quantity) CmpInt64(y int64) int {
+	if q.d.Dec != nil {
+		return q.d.Dec.Cmp(inf.NewDec(y, inf.Scale(0)))
+	}
+	return q.i.Cmp(int64Amount{value: y})
+}
+
+// Neg sets quantity to be the negative value of itself.
+func (q *Quantity) Neg() {
+	q.s = ""
+	if q.d.Dec == nil {
+		q.i.value = -q.i.value
+		return
+	}
+	q.d.Dec.Neg(q.d.Dec)
+}
+
+// int64QuantityExpectedBytes is the expected width in bytes of the canonical string representation
+// of most Quantity values.
+const int64QuantityExpectedBytes = 18
+
+// String formats the Quantity as a string, caching the result if not calculated.
+// String is an expensive operation and caching this result significantly reduces the cost of
+// normal parse / marshal operations on Quantity.
+func (q *Quantity) String() string {
+	if len(q.s) == 0 {
+		result := make([]byte, 0, int64QuantityExpectedBytes)
+		number, suffix := q.CanonicalizeBytes(result)
+		number = append(number, suffix...)
+		q.s = string(number)
+	}
+	return q.s
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (q Quantity) MarshalJSON() ([]byte, error) {
+	if len(q.s) > 0 {
+		out := make([]byte, len(q.s)+2)
+		out[0], out[len(out)-1] = '"', '"'
+		copy(out[1:], q.s)
+		return out, nil
+	}
+	result := make([]byte, int64QuantityExpectedBytes, int64QuantityExpectedBytes)
+	result[0] = '"'
+	number, suffix := q.CanonicalizeBytes(result[1:1])
+	// if the same slice was returned to us that we passed in, avoid another allocation by copying number into
+	// the source slice and returning that
+	if len(number) > 0 && &number[0] == &result[1] && (len(number)+len(suffix)+2) <= int64QuantityExpectedBytes {
+		number = append(number, suffix...)
+		number = append(number, '"')
+		return result[:1+len(number)], nil
+	}
+	// if CanonicalizeBytes needed more space than our slice provided, we may need to allocate again so use
+	// append
+	result = result[:1]
+	result = append(result, number...)
+	result = append(result, suffix...)
+	result = append(result, '"')
+	return result, nil
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+// TODO: Remove support for leading/trailing whitespace
+func (q *Quantity) UnmarshalJSON(value []byte) error {
+	l := len(value)
+	if l == 4 && bytes.Equal(value, []byte("null")) {
+		q.d.Dec = nil
+		q.i = int64Amount{}
+		return nil
+	}
+	if l >= 2 && value[0] == '"' && value[l-1] == '"' {
+		value = value[1 : l-1]
+	}
+
+	parsed, err := ParseQuantity(strings.TrimSpace(string(value)))
+	if err != nil {
+		return err
+	}
+
+	// This copy is safe because parsed will not be referred to again.
+	*q = parsed
+	return nil
+}
+
+// NewQuantity returns a new Quantity representing the given
+// value in the given format.
+func NewQuantity(value int64, format Format) *Quantity {
+	return &Quantity{
+		i:      int64Amount{value: value},
+		Format: format,
+	}
+}
+
+// NewMilliQuantity returns a new Quantity representing the given
+// value * 1/1000 in the given format. Note that BinarySI formatting
+// will round fractional values, and will be changed to DecimalSI for
+// values x where (-1 < x < 1) && (x != 0).
+func NewMilliQuantity(value int64, format Format) *Quantity {
+	return &Quantity{
+		i:      int64Amount{value: value, scale: -3},
+		Format: format,
+	}
+}
+
+// NewScaledQuantity returns a new Quantity representing the given
+// value * 10^scale in DecimalSI format.
+func NewScaledQuantity(value int64, scale Scale) *Quantity {
+	return &Quantity{
+		i:      int64Amount{value: value, scale: scale},
+		Format: DecimalSI,
+	}
+}
+
+// Value returns the value of q; any fractional part will be lost.
+func (q *Quantity) Value() int64 {
+	return q.ScaledValue(0)
+}
+
+// MilliValue returns the value of ceil(q * 1000); this could overflow an int64;
+// if that's a concern, call Value() first to verify the number is small enough.
+func (q *Quantity) MilliValue() int64 {
+	return q.ScaledValue(Milli)
+}
+
+// ScaledValue returns the value of ceil(q * 10^scale); this could overflow an int64.
+// To detect overflow, call Value() first and verify the expected magnitude.
+func (q *Quantity) ScaledValue(scale Scale) int64 {
+	if q.d.Dec == nil {
+		i, _ := q.i.AsScaledInt64(scale)
+		return i
+	}
+	dec := q.d.Dec
+	return scaledValue(dec.UnscaledBig(), int(dec.Scale()), int(scale.infScale()))
+}
+
+// Set sets q's value to be value.
+func (q *Quantity) Set(value int64) {
+	q.SetScaled(value, 0)
+}
+
+// SetMilli sets q's value to be value * 1/1000.
+func (q *Quantity) SetMilli(value int64) {
+	q.SetScaled(value, Milli)
+}
+
+// SetScaled sets q's value to be value * 10^scale
+func (q *Quantity) SetScaled(value int64, scale Scale) {
+	q.s = ""
+	q.d.Dec = nil
+	q.i = int64Amount{value: value, scale: scale}
+}
+
+// Copy is a convenience function that makes a deep copy for you. Non-deep
+// copies of quantities share pointers and you will regret that.
+func (q *Quantity) Copy() *Quantity {
+	if q.d.Dec == nil {
+		return &Quantity{
+			s:      q.s,
+			i:      q.i,
+			Format: q.Format,
+		}
+	}
+	tmp := &inf.Dec{}
+	return &Quantity{
+		s:      q.s,
+		d:      infDecAmount{tmp.Set(q.d.Dec)},
+		Format: q.Format,
+	}
+}
+
+// qFlag is a helper type for the Flag function
+type qFlag struct {
+	dest *Quantity
+}
+
+// Sets the value of the internal Quantity. (used by flag & pflag)
+func (qf qFlag) Set(val string) error {
+	q, err := ParseQuantity(val)
+	if err != nil {
+		return err
+	}
+	// This copy is OK because q will not be referenced again.
+	*qf.dest = q
+	return nil
+}
+
+// Converts the value of the internal Quantity to a string. (used by flag & pflag)
+func (qf qFlag) String() string {
+	return qf.dest.String()
+}
+
+// States the type of flag this is (Quantity). (used by pflag)
+func (qf qFlag) Type() string {
+	return "quantity"
+}
+
+// QuantityFlag is a helper that makes a quantity flag (using standard flag package).
+// Will panic if defaultValue is not a valid quantity.
+func QuantityFlag(flagName, defaultValue, description string) *Quantity {
+	q := MustParse(defaultValue)
+	flag.Var(NewQuantityFlagValue(&q), flagName, description)
+	return &q
+}
+
+// NewQuantityFlagValue returns an object that can be used to back a flag,
+// pointing at the given Quantity variable.
+func NewQuantityFlagValue(q *Quantity) flag.Value {
+	return qFlag{q}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go
new file mode 100644
index 00000000..74dfb4e4
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/quantity_proto.go
@@ -0,0 +1,284 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/gogo/protobuf/proto"
+)
+
+var _ proto.Sizer = &Quantity{}
+
+func (m *Quantity) Marshal() (data []byte, err error) {
+	size := m.Size()
+	data = make([]byte, size)
+	n, err := m.MarshalTo(data)
+	if err != nil {
+		return nil, err
+	}
+	return data[:n], nil
+}
+
+// MarshalTo is a customized version of the generated Protobuf unmarshaler for a struct
+// with a single string field.
+func (m *Quantity) MarshalTo(data []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+
+	data[i] = 0xa
+	i++
+	// BEGIN CUSTOM MARSHAL
+	out := m.String()
+	i = encodeVarintGenerated(data, i, uint64(len(out)))
+	i += copy(data[i:], out)
+	// END CUSTOM MARSHAL
+
+	return i, nil
+}
+
+func encodeVarintGenerated(data []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		data[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	data[offset] = uint8(v)
+	return offset + 1
+}
+
+func (m *Quantity) Size() (n int) {
+	var l int
+	_ = l
+
+	// BEGIN CUSTOM SIZE
+	l = len(m.String())
+	// END CUSTOM SIZE
+
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+
+// Unmarshal is a customized version of the generated Protobuf unmarshaler for a struct
+// with a single string field.
+func (m *Quantity) Unmarshal(data []byte) error {
+	l := len(data)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := data[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Quantity: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Quantity: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field String_", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := data[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(data[iNdEx:postIndex])
+
+			// BEGIN CUSTOM DECODE
+			p, err := ParseQuantity(s)
+			if err != nil {
+				return err
+			}
+			*m = p
+			// END CUSTOM DECODE
+
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(data[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+
+func skipGenerated(data []byte) (n int, err error) {
+	l := len(data)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := data[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if data[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := data[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := data[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(data[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/resource/scale_int.go b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/scale_int.go
new file mode 100644
index 00000000..55e177b0
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/scale_int.go
@@ -0,0 +1,95 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"math"
+	"math/big"
+	"sync"
+)
+
+var (
+	// A sync pool to reduce allocation.
+	intPool  sync.Pool
+	maxInt64 = big.NewInt(math.MaxInt64)
+)
+
+func init() {
+	intPool.New = func() interface{} {
+		return &big.Int{}
+	}
+}
+
+// scaledValue scales given unscaled value from scale to new Scale and returns
+// an int64. It ALWAYS rounds up the result when scale down. The final result might
+// overflow.
+//
+// scale, newScale represents the scale of the unscaled decimal.
+// The mathematical value of the decimal is unscaled * 10**(-scale).
+func scaledValue(unscaled *big.Int, scale, newScale int) int64 {
+	dif := scale - newScale
+	if dif == 0 {
+		return unscaled.Int64()
+	}
+
+	// Handle scale up
+	// This is an easy case, we do not need to care about rounding and overflow.
+	// If any intermediate operation causes overflow, the result will overflow.
+	if dif < 0 {
+		return unscaled.Int64() * int64(math.Pow10(-dif))
+	}
+
+	// Handle scale down
+	// We have to be careful about the intermediate operations.
+
+	// fast path when unscaled < max.Int64 and exp(10,dif) < max.Int64
+	const log10MaxInt64 = 19
+	if unscaled.Cmp(maxInt64) < 0 && dif < log10MaxInt64 {
+		divide := int64(math.Pow10(dif))
+		result := unscaled.Int64() / divide
+		mod := unscaled.Int64() % divide
+		if mod != 0 {
+			return result + 1
+		}
+		return result
+	}
+
+	// We should only convert back to int64 when getting the result.
+	divisor := intPool.Get().(*big.Int)
+	exp := intPool.Get().(*big.Int)
+	result := intPool.Get().(*big.Int)
+	defer func() {
+		intPool.Put(divisor)
+		intPool.Put(exp)
+		intPool.Put(result)
+	}()
+
+	// divisor = 10^(dif)
+	// TODO: create loop up table if exp costs too much.
+	divisor.Exp(bigTen, exp.SetInt64(int64(dif)), nil)
+	// reuse exp
+	remainder := exp
+
+	// result = unscaled / divisor
+	// remainder = unscaled % divisor
+	result.DivMod(unscaled, divisor, remainder)
+	if remainder.Sign() != 0 {
+		return result.Int64() + 1
+	}
+
+	return result.Int64()
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/api/resource/suffix.go b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/suffix.go
new file mode 100644
index 00000000..5ed7abe6
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/api/resource/suffix.go
@@ -0,0 +1,198 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resource
+
+import (
+	"strconv"
+)
+
+type suffix string
+
+// suffixer can interpret and construct suffixes.
+type suffixer interface {
+	interpret(suffix) (base, exponent int32, fmt Format, ok bool)
+	construct(base, exponent int32, fmt Format) (s suffix, ok bool)
+	constructBytes(base, exponent int32, fmt Format) (s []byte, ok bool)
+}
+
+// quantitySuffixer handles suffixes for all three formats that quantity
+// can handle.
+var quantitySuffixer = newSuffixer()
+
+type bePair struct {
+	base, exponent int32
+}
+
+type listSuffixer struct {
+	suffixToBE      map[suffix]bePair
+	beToSuffix      map[bePair]suffix
+	beToSuffixBytes map[bePair][]byte
+}
+
+func (ls *listSuffixer) addSuffix(s suffix, pair bePair) {
+	if ls.suffixToBE == nil {
+		ls.suffixToBE = map[suffix]bePair{}
+	}
+	if ls.beToSuffix == nil {
+		ls.beToSuffix = map[bePair]suffix{}
+	}
+	if ls.beToSuffixBytes == nil {
+		ls.beToSuffixBytes = map[bePair][]byte{}
+	}
+	ls.suffixToBE[s] = pair
+	ls.beToSuffix[pair] = s
+	ls.beToSuffixBytes[pair] = []byte(s)
+}
+
+func (ls *listSuffixer) lookup(s suffix) (base, exponent int32, ok bool) {
+	pair, ok := ls.suffixToBE[s]
+	if !ok {
+		return 0, 0, false
+	}
+	return pair.base, pair.exponent, true
+}
+
+func (ls *listSuffixer) construct(base, exponent int32) (s suffix, ok bool) {
+	s, ok = ls.beToSuffix[bePair{base, exponent}]
+	return
+}
+
+func (ls *listSuffixer) constructBytes(base, exponent int32) (s []byte, ok bool) {
+	s, ok = ls.beToSuffixBytes[bePair{base, exponent}]
+	return
+}
+
+type suffixHandler struct {
+	decSuffixes listSuffixer
+	binSuffixes listSuffixer
+}
+
+type fastLookup struct {
+	*suffixHandler
+}
+
+func (l fastLookup) interpret(s suffix) (base, exponent int32, format Format, ok bool) {
+	switch s {
+	case "":
+		return 10, 0, DecimalSI, true
+	case "n":
+		return 10, -9, DecimalSI, true
+	case "u":
+		return 10, -6, DecimalSI, true
+	case "m":
+		return 10, -3, DecimalSI, true
+	case "k":
+		return 10, 3, DecimalSI, true
+	case "M":
+		return 10, 6, DecimalSI, true
+	case "G":
+		return 10, 9, DecimalSI, true
+	}
+	return l.suffixHandler.interpret(s)
+}
+
+func newSuffixer() suffixer {
+	sh := &suffixHandler{}
+
+	// IMPORTANT: if you change this section you must change fastLookup
+
+	sh.binSuffixes.addSuffix("Ki", bePair{2, 10})
+	sh.binSuffixes.addSuffix("Mi", bePair{2, 20})
+	sh.binSuffixes.addSuffix("Gi", bePair{2, 30})
+	sh.binSuffixes.addSuffix("Ti", bePair{2, 40})
+	sh.binSuffixes.addSuffix("Pi", bePair{2, 50})
+	sh.binSuffixes.addSuffix("Ei", bePair{2, 60})
+	// Don't emit an error when trying to produce
+	// a suffix for 2^0.
+	sh.decSuffixes.addSuffix("", bePair{2, 0})
+
+	sh.decSuffixes.addSuffix("n", bePair{10, -9})
+	sh.decSuffixes.addSuffix("u", bePair{10, -6})
+	sh.decSuffixes.addSuffix("m", bePair{10, -3})
+	sh.decSuffixes.addSuffix("", bePair{10, 0})
+	sh.decSuffixes.addSuffix("k", bePair{10, 3})
+	sh.decSuffixes.addSuffix("M", bePair{10, 6})
+	sh.decSuffixes.addSuffix("G", bePair{10, 9})
+	sh.decSuffixes.addSuffix("T", bePair{10, 12})
+	sh.decSuffixes.addSuffix("P", bePair{10, 15})
+	sh.decSuffixes.addSuffix("E", bePair{10, 18})
+
+	return fastLookup{sh}
+}
+
+func (sh *suffixHandler) construct(base, exponent int32, fmt Format) (s suffix, ok bool) {
+	switch fmt {
+	case DecimalSI:
+		return sh.decSuffixes.construct(base, exponent)
+	case BinarySI:
+		return sh.binSuffixes.construct(base, exponent)
+	case DecimalExponent:
+		if base != 10 {
+			return "", false
+		}
+		if exponent == 0 {
+			return "", true
+		}
+		return suffix("e" + strconv.FormatInt(int64(exponent), 10)), true
+	}
+	return "", false
+}
+
+func (sh *suffixHandler) constructBytes(base, exponent int32, format Format) (s []byte, ok bool) {
+	switch format {
+	case DecimalSI:
+		return sh.decSuffixes.constructBytes(base, exponent)
+	case BinarySI:
+		return sh.binSuffixes.constructBytes(base, exponent)
+	case DecimalExponent:
+		if base != 10 {
+			return nil, false
+		}
+		if exponent == 0 {
+			return nil, true
+		}
+		result := make([]byte, 8, 8)
+		result[0] = 'e'
+		number := strconv.AppendInt(result[1:1], int64(exponent), 10)
+		if &result[1] == &number[0] {
+			return result[:1+len(number)], true
+		}
+		result = append(result[:1], number...)
+		return result, true
+	}
+	return nil, false
+}
+
+func (sh *suffixHandler) interpret(suffix suffix) (base, exponent int32, fmt Format, ok bool) {
+	// Try lookup tables first
+	if b, e, ok := sh.decSuffixes.lookup(suffix); ok {
+		return b, e, DecimalSI, true
+	}
+	if b, e, ok := sh.binSuffixes.lookup(suffix); ok {
+		return b, e, BinarySI, true
+	}
+
+	if len(suffix) > 1 && (suffix[0] == 'E' || suffix[0] == 'e') {
+		parsed, err := strconv.ParseInt(string(suffix[1:]), 10, 64)
+		if err != nil {
+			return 0, 0, DecimalExponent, false
+		}
+		return 10, int32(parsed), DecimalExponent, true
+	}
+
+	return 0, 0, DecimalExponent, false
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/conversion.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/conversion.go
new file mode 100644
index 00000000..1ea8c137
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/conversion.go
@@ -0,0 +1,77 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package internalversion
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Convert_internalversion_ListOptions_To_v1_ListOptions(in *ListOptions, out *metav1.ListOptions, s conversion.Scope) error {
+	if err := metav1.Convert_fields_Selector_To_string(&in.FieldSelector, &out.FieldSelector, s); err != nil {
+		return err
+	}
+	if err := metav1.Convert_labels_Selector_To_string(&in.LabelSelector, &out.LabelSelector, s); err != nil {
+		return err
+	}
+	out.IncludeUninitialized = in.IncludeUninitialized
+	out.ResourceVersion = in.ResourceVersion
+	out.TimeoutSeconds = in.TimeoutSeconds
+	out.Watch = in.Watch
+	out.Limit = in.Limit
+	out.Continue = in.Continue
+	return nil
+}
+
+func Convert_v1_ListOptions_To_internalversion_ListOptions(in *metav1.ListOptions, out *ListOptions, s conversion.Scope) error {
+	if err := metav1.Convert_string_To_fields_Selector(&in.FieldSelector, &out.FieldSelector, s); err != nil {
+		return err
+	}
+	if err := metav1.Convert_string_To_labels_Selector(&in.LabelSelector, &out.LabelSelector, s); err != nil {
+		return err
+	}
+	out.IncludeUninitialized = in.IncludeUninitialized
+	out.ResourceVersion = in.ResourceVersion
+	out.TimeoutSeconds = in.TimeoutSeconds
+	out.Watch = in.Watch
+	out.Limit = in.Limit
+	out.Continue = in.Continue
+	return nil
+}
+
+func Convert_map_to_v1_LabelSelector(in *map[string]string, out *metav1.LabelSelector, s conversion.Scope) error {
+	if in == nil {
+		return nil
+	}
+	out = new(metav1.LabelSelector)
+	for labelKey, labelValue := range *in {
+		metav1.AddLabelToSelector(out, labelKey, labelValue)
+	}
+	return nil
+}
+
+func Convert_v1_LabelSelector_to_map(in *metav1.LabelSelector, out *map[string]string, s conversion.Scope) error {
+	var err error
+	*out, err = metav1.LabelSelectorAsMap(in)
+	if err != nil {
+		err = field.Invalid(field.NewPath("labelSelector"), *in, fmt.Sprintf("cannot convert to old selector: %v", err))
+	}
+	return err
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/doc.go
new file mode 100644
index 00000000..6ee8dd66
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+
+package internalversion
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/register.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/register.go
new file mode 100644
index 00000000..4d45f81e
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/register.go
@@ -0,0 +1,108 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package internalversion
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	metav1alpha1 "k8s.io/apimachinery/pkg/apis/meta/v1alpha1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+// GroupName is the group name for this API.
+const GroupName = "meta.k8s.io"
+
+// Scheme is the registry for any type that adheres to the meta API spec.
+var scheme = runtime.NewScheme()
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+// Copier exposes copying on this scheme.
+var Copier runtime.ObjectCopier = scheme
+
+// Codecs provides access to encoding and decoding for the scheme.
+var Codecs = serializer.NewCodecFactory(scheme)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
+
+// ParameterCodec handles versioning of objects that are converted to query parameters.
+var ParameterCodec = runtime.NewParameterCodec(scheme)
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// addToGroupVersion registers common meta types into schemas.
+func addToGroupVersion(scheme *runtime.Scheme, groupVersion schema.GroupVersion) error {
+	if err := scheme.AddIgnoredConversionType(&metav1.TypeMeta{}, &metav1.TypeMeta{}); err != nil {
+		return err
+	}
+	scheme.AddConversionFuncs(
+		metav1.Convert_string_To_labels_Selector,
+		metav1.Convert_labels_Selector_To_string,
+
+		metav1.Convert_string_To_fields_Selector,
+		metav1.Convert_fields_Selector_To_string,
+
+		Convert_map_to_v1_LabelSelector,
+		Convert_v1_LabelSelector_to_map,
+
+		Convert_internalversion_ListOptions_To_v1_ListOptions,
+		Convert_v1_ListOptions_To_internalversion_ListOptions,
+	)
+	// ListOptions is the only options struct which needs conversion (it exposes labels and fields
+	// as selectors for convenience). The other types have only a single representation today.
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&ListOptions{},
+		&metav1.GetOptions{},
+		&metav1.ExportOptions{},
+		&metav1.DeleteOptions{},
+	)
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&metav1alpha1.Table{},
+		&metav1alpha1.TableOptions{},
+		&metav1alpha1.PartialObjectMetadata{},
+		&metav1alpha1.PartialObjectMetadataList{},
+	)
+	scheme.AddKnownTypes(metav1alpha1.SchemeGroupVersion,
+		&metav1alpha1.Table{},
+		&metav1alpha1.TableOptions{},
+		&metav1alpha1.PartialObjectMetadata{},
+		&metav1alpha1.PartialObjectMetadataList{},
+	)
+	// Allow delete options to be decoded across all version in this scheme (we may want to be more clever than this)
+	scheme.AddUnversionedTypes(SchemeGroupVersion, &metav1.DeleteOptions{})
+	metav1.AddToGroupVersion(scheme, metav1.SchemeGroupVersion)
+	return nil
+}
+
+// Unlike other API groups, meta internal knows about all meta external versions, but keeps
+// the logic for conversion private.
+func init() {
+	if err := addToGroupVersion(scheme, SchemeGroupVersion); err != nil {
+		panic(err)
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/types.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/types.go
new file mode 100644
index 00000000..2f6740d3
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/types.go
@@ -0,0 +1,70 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package internalversion
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ListOptions is the query options to a standard REST list call.
+type ListOptions struct {
+	metav1.TypeMeta
+
+	// A selector based on labels
+	LabelSelector labels.Selector
+	// A selector based on fields
+	FieldSelector fields.Selector
+	// If true, partially initialized resources are included in the response.
+	// +optional
+	IncludeUninitialized bool
+	// If true, watch for changes to this list
+	Watch bool
+	// When specified with a watch call, shows changes that occur after that particular version of a resource.
+	// Defaults to changes from the beginning of history.
+	// When specified for list:
+	// - if unset, then the result is returned from remote storage based on quorum-read flag;
+	// - if it's 0, then we simply return what we currently have in cache, no guarantee;
+	// - if set to non zero, then the result is at least as fresh as given rv.
+	ResourceVersion string
+	// Timeout for the list/watch call.
+	TimeoutSeconds *int64
+	// Limit specifies the maximum number of results to return from the server. The server may
+	// not support this field on all resource types, but if it does and more results remain it
+	// will set the continue field on the returned list object.
+	Limit int64
+	// Continue is a token returned by the server that lets a client retrieve chunks of results
+	// from the server by specifying limit. The server may reject requests for continuation tokens
+	// it does not recognize and will return a 410 error if the token can no longer be used because
+	// it has expired.
+	Continue string
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// List holds a list of objects, which may not be known by the server.
+type List struct {
+	metav1.TypeMeta
+	// +optional
+	metav1.ListMeta
+
+	Items []runtime.Object
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/zz_generated.conversion.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/zz_generated.conversion.go
new file mode 100644
index 00000000..a0c2a2aa
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/zz_generated.conversion.go
@@ -0,0 +1,113 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by conversion-gen. Do not edit it manually!
+
+package internalversion
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	unsafe "unsafe"
+)
+
+func init() {
+	localSchemeBuilder.Register(RegisterConversions)
+}
+
+// RegisterConversions adds conversion functions to the given scheme.
+// Public to allow building arbitrary schemes.
+func RegisterConversions(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedConversionFuncs(
+		Convert_internalversion_List_To_v1_List,
+		Convert_v1_List_To_internalversion_List,
+		Convert_internalversion_ListOptions_To_v1_ListOptions,
+		Convert_v1_ListOptions_To_internalversion_ListOptions,
+	)
+}
+
+func autoConvert_internalversion_List_To_v1_List(in *List, out *v1.List, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]runtime.RawExtension, len(*in))
+		for i := range *in {
+			if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = make([]runtime.RawExtension, 0)
+	}
+	return nil
+}
+
+// Convert_internalversion_List_To_v1_List is an autogenerated conversion function.
+func Convert_internalversion_List_To_v1_List(in *List, out *v1.List, s conversion.Scope) error {
+	return autoConvert_internalversion_List_To_v1_List(in, out, s)
+}
+
+func autoConvert_v1_List_To_internalversion_List(in *v1.List, out *List, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]runtime.Object, len(*in))
+		for i := range *in {
+			if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&(*in)[i], &(*out)[i], s); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+// Convert_v1_List_To_internalversion_List is an autogenerated conversion function.
+func Convert_v1_List_To_internalversion_List(in *v1.List, out *List, s conversion.Scope) error {
+	return autoConvert_v1_List_To_internalversion_List(in, out, s)
+}
+
+func autoConvert_internalversion_ListOptions_To_v1_ListOptions(in *ListOptions, out *v1.ListOptions, s conversion.Scope) error {
+	if err := v1.Convert_labels_Selector_To_string(&in.LabelSelector, &out.LabelSelector, s); err != nil {
+		return err
+	}
+	if err := v1.Convert_fields_Selector_To_string(&in.FieldSelector, &out.FieldSelector, s); err != nil {
+		return err
+	}
+	out.IncludeUninitialized = in.IncludeUninitialized
+	out.Watch = in.Watch
+	out.ResourceVersion = in.ResourceVersion
+	out.TimeoutSeconds = (*int64)(unsafe.Pointer(in.TimeoutSeconds))
+	return nil
+}
+
+func autoConvert_v1_ListOptions_To_internalversion_ListOptions(in *v1.ListOptions, out *ListOptions, s conversion.Scope) error {
+	if err := v1.Convert_string_To_labels_Selector(&in.LabelSelector, &out.LabelSelector, s); err != nil {
+		return err
+	}
+	if err := v1.Convert_string_To_fields_Selector(&in.FieldSelector, &out.FieldSelector, s); err != nil {
+		return err
+	}
+	out.IncludeUninitialized = in.IncludeUninitialized
+	out.Watch = in.Watch
+	out.ResourceVersion = in.ResourceVersion
+	out.TimeoutSeconds = (*int64)(unsafe.Pointer(in.TimeoutSeconds))
+	return nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/zz_generated.deepcopy.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/zz_generated.deepcopy.go
new file mode 100644
index 00000000..3fe3e8cf
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/internalversion/zz_generated.deepcopy.go
@@ -0,0 +1,126 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package internalversion
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+// GetGeneratedDeepCopyFuncs returns the generated funcs, since we aren't registering them.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func GetGeneratedDeepCopyFuncs() []conversion.GeneratedDeepCopyFunc {
+	return []conversion.GeneratedDeepCopyFunc{
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*List).DeepCopyInto(out.(*List))
+			return nil
+		}, InType: reflect.TypeOf(&List{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ListOptions).DeepCopyInto(out.(*ListOptions))
+			return nil
+		}, InType: reflect.TypeOf(&ListOptions{})},
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *List) DeepCopyInto(out *List) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]runtime.Object, len(*in))
+		for i := range *in {
+			if (*in)[i] == nil {
+				(*out)[i] = nil
+			} else {
+				(*out)[i] = (*in)[i].DeepCopyObject()
+			}
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new List.
+func (in *List) DeepCopy() *List {
+	if in == nil {
+		return nil
+	}
+	out := new(List)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *List) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ListOptions) DeepCopyInto(out *ListOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.LabelSelector == nil {
+		out.LabelSelector = nil
+	} else {
+		out.LabelSelector = in.LabelSelector.DeepCopySelector()
+	}
+	if in.FieldSelector == nil {
+		out.FieldSelector = nil
+	} else {
+		out.FieldSelector = in.FieldSelector.DeepCopySelector()
+	}
+	if in.TimeoutSeconds != nil {
+		in, out := &in.TimeoutSeconds, &out.TimeoutSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListOptions.
+func (in *ListOptions) DeepCopy() *ListOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(ListOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ListOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/controller_ref.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/controller_ref.go
new file mode 100644
index 00000000..042cd5b9
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/controller_ref.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// IsControlledBy checks if the  object has a controllerRef set to the given owner
+func IsControlledBy(obj Object, owner Object) bool {
+	ref := GetControllerOf(obj)
+	if ref == nil {
+		return false
+	}
+	return ref.UID == owner.GetUID()
+}
+
+// GetControllerOf returns a pointer to a copy of the controllerRef if controllee has a controller
+func GetControllerOf(controllee Object) *OwnerReference {
+	for _, ref := range controllee.GetOwnerReferences() {
+		if ref.Controller != nil && *ref.Controller {
+			return &ref
+		}
+	}
+	return nil
+}
+
+// NewControllerRef creates an OwnerReference pointing to the given owner.
+func NewControllerRef(owner Object, gvk schema.GroupVersionKind) *OwnerReference {
+	blockOwnerDeletion := true
+	isController := true
+	return &OwnerReference{
+		APIVersion:         gvk.GroupVersion().String(),
+		Kind:               gvk.Kind,
+		Name:               owner.GetName(),
+		UID:                owner.GetUID(),
+		BlockOwnerDeletion: &blockOwnerDeletion,
+		Controller:         &isController,
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/conversion.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/conversion.go
new file mode 100644
index 00000000..7049c9a3
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/conversion.go
@@ -0,0 +1,282 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func AddConversionFuncs(scheme *runtime.Scheme) error {
+	return scheme.AddConversionFuncs(
+		Convert_v1_TypeMeta_To_v1_TypeMeta,
+
+		Convert_unversioned_ListMeta_To_unversioned_ListMeta,
+
+		Convert_intstr_IntOrString_To_intstr_IntOrString,
+
+		Convert_unversioned_Time_To_unversioned_Time,
+
+		Convert_Pointer_v1_Duration_To_v1_Duration,
+		Convert_v1_Duration_To_Pointer_v1_Duration,
+
+		Convert_Slice_string_To_unversioned_Time,
+
+		Convert_resource_Quantity_To_resource_Quantity,
+
+		Convert_string_To_labels_Selector,
+		Convert_labels_Selector_To_string,
+
+		Convert_string_To_fields_Selector,
+		Convert_fields_Selector_To_string,
+
+		Convert_Pointer_bool_To_bool,
+		Convert_bool_To_Pointer_bool,
+
+		Convert_Pointer_string_To_string,
+		Convert_string_To_Pointer_string,
+
+		Convert_Pointer_int64_To_int,
+		Convert_int_To_Pointer_int64,
+
+		Convert_Pointer_int32_To_int32,
+		Convert_int32_To_Pointer_int32,
+
+		Convert_Pointer_float64_To_float64,
+		Convert_float64_To_Pointer_float64,
+
+		Convert_map_to_unversioned_LabelSelector,
+		Convert_unversioned_LabelSelector_to_map,
+
+		Convert_Slice_string_To_Slice_int32,
+	)
+}
+
+func Convert_Pointer_float64_To_float64(in **float64, out *float64, s conversion.Scope) error {
+	if *in == nil {
+		*out = 0
+		return nil
+	}
+	*out = float64(**in)
+	return nil
+}
+
+func Convert_float64_To_Pointer_float64(in *float64, out **float64, s conversion.Scope) error {
+	temp := float64(*in)
+	*out = &temp
+	return nil
+}
+
+func Convert_Pointer_int32_To_int32(in **int32, out *int32, s conversion.Scope) error {
+	if *in == nil {
+		*out = 0
+		return nil
+	}
+	*out = int32(**in)
+	return nil
+}
+
+func Convert_int32_To_Pointer_int32(in *int32, out **int32, s conversion.Scope) error {
+	temp := int32(*in)
+	*out = &temp
+	return nil
+}
+
+func Convert_Pointer_int64_To_int(in **int64, out *int, s conversion.Scope) error {
+	if *in == nil {
+		*out = 0
+		return nil
+	}
+	*out = int(**in)
+	return nil
+}
+
+func Convert_int_To_Pointer_int64(in *int, out **int64, s conversion.Scope) error {
+	temp := int64(*in)
+	*out = &temp
+	return nil
+}
+
+func Convert_Pointer_string_To_string(in **string, out *string, s conversion.Scope) error {
+	if *in == nil {
+		*out = ""
+		return nil
+	}
+	*out = **in
+	return nil
+}
+
+func Convert_string_To_Pointer_string(in *string, out **string, s conversion.Scope) error {
+	if in == nil {
+		stringVar := ""
+		*out = &stringVar
+		return nil
+	}
+	*out = in
+	return nil
+}
+
+func Convert_Pointer_bool_To_bool(in **bool, out *bool, s conversion.Scope) error {
+	if *in == nil {
+		*out = false
+		return nil
+	}
+	*out = **in
+	return nil
+}
+
+func Convert_bool_To_Pointer_bool(in *bool, out **bool, s conversion.Scope) error {
+	if in == nil {
+		boolVar := false
+		*out = &boolVar
+		return nil
+	}
+	*out = in
+	return nil
+}
+
+// +k8s:conversion-fn=drop
+func Convert_v1_TypeMeta_To_v1_TypeMeta(in, out *TypeMeta, s conversion.Scope) error {
+	// These values are explicitly not copied
+	//out.APIVersion = in.APIVersion
+	//out.Kind = in.Kind
+	return nil
+}
+
+// +k8s:conversion-fn=copy-only
+func Convert_unversioned_ListMeta_To_unversioned_ListMeta(in, out *ListMeta, s conversion.Scope) error {
+	*out = *in
+	return nil
+}
+
+// +k8s:conversion-fn=copy-only
+func Convert_intstr_IntOrString_To_intstr_IntOrString(in, out *intstr.IntOrString, s conversion.Scope) error {
+	*out = *in
+	return nil
+}
+
+// +k8s:conversion-fn=copy-only
+func Convert_unversioned_Time_To_unversioned_Time(in *Time, out *Time, s conversion.Scope) error {
+	// Cannot deep copy these, because time.Time has unexported fields.
+	*out = *in
+	return nil
+}
+
+func Convert_Pointer_v1_Duration_To_v1_Duration(in **Duration, out *Duration, s conversion.Scope) error {
+	if *in == nil {
+		*out = Duration{} // zero duration
+		return nil
+	}
+	*out = **in // copy
+	return nil
+}
+
+func Convert_v1_Duration_To_Pointer_v1_Duration(in *Duration, out **Duration, s conversion.Scope) error {
+	temp := *in //copy
+	*out = &temp
+	return nil
+}
+
+// Convert_Slice_string_To_unversioned_Time allows converting a URL query parameter value
+func Convert_Slice_string_To_unversioned_Time(input *[]string, out *Time, s conversion.Scope) error {
+	str := ""
+	if len(*input) > 0 {
+		str = (*input)[0]
+	}
+	return out.UnmarshalQueryParameter(str)
+}
+
+func Convert_string_To_labels_Selector(in *string, out *labels.Selector, s conversion.Scope) error {
+	selector, err := labels.Parse(*in)
+	if err != nil {
+		return err
+	}
+	*out = selector
+	return nil
+}
+
+func Convert_string_To_fields_Selector(in *string, out *fields.Selector, s conversion.Scope) error {
+	selector, err := fields.ParseSelector(*in)
+	if err != nil {
+		return err
+	}
+	*out = selector
+	return nil
+}
+
+func Convert_labels_Selector_To_string(in *labels.Selector, out *string, s conversion.Scope) error {
+	if *in == nil {
+		return nil
+	}
+	*out = (*in).String()
+	return nil
+}
+
+func Convert_fields_Selector_To_string(in *fields.Selector, out *string, s conversion.Scope) error {
+	if *in == nil {
+		return nil
+	}
+	*out = (*in).String()
+	return nil
+}
+
+// +k8s:conversion-fn=copy-only
+func Convert_resource_Quantity_To_resource_Quantity(in *resource.Quantity, out *resource.Quantity, s conversion.Scope) error {
+	*out = *in
+	return nil
+}
+
+func Convert_map_to_unversioned_LabelSelector(in *map[string]string, out *LabelSelector, s conversion.Scope) error {
+	if in == nil {
+		return nil
+	}
+	out = new(LabelSelector)
+	for labelKey, labelValue := range *in {
+		AddLabelToSelector(out, labelKey, labelValue)
+	}
+	return nil
+}
+
+func Convert_unversioned_LabelSelector_to_map(in *LabelSelector, out *map[string]string, s conversion.Scope) error {
+	var err error
+	*out, err = LabelSelectorAsMap(in)
+	return err
+}
+
+// Convert_Slice_string_To_Slice_int32 converts multiple query parameters or
+// a single query parameter with a comma delimited value to multiple int32.
+// This is used for port forwarding which needs the ports as int32.
+func Convert_Slice_string_To_Slice_int32(in *[]string, out *[]int32, s conversion.Scope) error {
+	for _, s := range *in {
+		for _, v := range strings.Split(s, ",") {
+			x, err := strconv.ParseUint(v, 10, 16)
+			if err != nil {
+				return fmt.Errorf("cannot convert to []int32: %v", err)
+			}
+			*out = append(*out, int32(x))
+		}
+	}
+	return nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go
new file mode 100644
index 00000000..61f201cd
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/doc.go
@@ -0,0 +1,22 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:openapi-gen=true
+// +k8s:defaulter-gen=TypeMeta
+
+// +groupName=meta.k8s.io
+package v1 // import "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/duration.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/duration.go
new file mode 100644
index 00000000..fea458df
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/duration.go
@@ -0,0 +1,47 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"encoding/json"
+	"time"
+)
+
+// Duration is a wrapper around time.Duration which supports correct
+// marshaling to YAML and JSON. In particular, it marshals into strings, which
+// can be used as map keys in json.
+type Duration struct {
+	time.Duration `protobuf:"varint,1,opt,name=duration,casttype=time.Duration"`
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (d *Duration) UnmarshalJSON(b []byte) error {
+	var str string
+	json.Unmarshal(b, &str)
+
+	pd, err := time.ParseDuration(str)
+	if err != nil {
+		return err
+	}
+	d.Duration = pd
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaler interface.
+func (d Duration) MarshalJSON() ([]byte, error) {
+	return json.Marshal(d.Duration.String())
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go
new file mode 100644
index 00000000..a4d1f2d5
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.pb.go
@@ -0,0 +1,7871 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
+
+	It has these top-level messages:
+		APIGroup
+		APIGroupList
+		APIResource
+		APIResourceList
+		APIVersions
+		DeleteOptions
+		Duration
+		ExportOptions
+		GetOptions
+		GroupKind
+		GroupResource
+		GroupVersion
+		GroupVersionForDiscovery
+		GroupVersionKind
+		GroupVersionResource
+		Initializer
+		Initializers
+		LabelSelector
+		LabelSelectorRequirement
+		List
+		ListMeta
+		ListOptions
+		MicroTime
+		ObjectMeta
+		OwnerReference
+		Preconditions
+		RootPaths
+		ServerAddressByClientCIDR
+		Status
+		StatusCause
+		StatusDetails
+		Time
+		Timestamp
+		TypeMeta
+		Verbs
+		WatchEvent
+*/
+package v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import k8s_io_apimachinery_pkg_runtime "k8s.io/apimachinery/pkg/runtime"
+
+import time "time"
+import k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
+
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+var _ = time.Kitchen
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *APIGroup) Reset()                    { *m = APIGroup{} }
+func (*APIGroup) ProtoMessage()               {}
+func (*APIGroup) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *APIGroupList) Reset()                    { *m = APIGroupList{} }
+func (*APIGroupList) ProtoMessage()               {}
+func (*APIGroupList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *APIResource) Reset()                    { *m = APIResource{} }
+func (*APIResource) ProtoMessage()               {}
+func (*APIResource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func (m *APIResourceList) Reset()                    { *m = APIResourceList{} }
+func (*APIResourceList) ProtoMessage()               {}
+func (*APIResourceList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+
+func (m *APIVersions) Reset()                    { *m = APIVersions{} }
+func (*APIVersions) ProtoMessage()               {}
+func (*APIVersions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+
+func (m *DeleteOptions) Reset()                    { *m = DeleteOptions{} }
+func (*DeleteOptions) ProtoMessage()               {}
+func (*DeleteOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+
+func (m *Duration) Reset()                    { *m = Duration{} }
+func (*Duration) ProtoMessage()               {}
+func (*Duration) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+
+func (m *ExportOptions) Reset()                    { *m = ExportOptions{} }
+func (*ExportOptions) ProtoMessage()               {}
+func (*ExportOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
+
+func (m *GetOptions) Reset()                    { *m = GetOptions{} }
+func (*GetOptions) ProtoMessage()               {}
+func (*GetOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{8} }
+
+func (m *GroupKind) Reset()                    { *m = GroupKind{} }
+func (*GroupKind) ProtoMessage()               {}
+func (*GroupKind) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{9} }
+
+func (m *GroupResource) Reset()                    { *m = GroupResource{} }
+func (*GroupResource) ProtoMessage()               {}
+func (*GroupResource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{10} }
+
+func (m *GroupVersion) Reset()                    { *m = GroupVersion{} }
+func (*GroupVersion) ProtoMessage()               {}
+func (*GroupVersion) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{11} }
+
+func (m *GroupVersionForDiscovery) Reset()      { *m = GroupVersionForDiscovery{} }
+func (*GroupVersionForDiscovery) ProtoMessage() {}
+func (*GroupVersionForDiscovery) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{12}
+}
+
+func (m *GroupVersionKind) Reset()                    { *m = GroupVersionKind{} }
+func (*GroupVersionKind) ProtoMessage()               {}
+func (*GroupVersionKind) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{13} }
+
+func (m *GroupVersionResource) Reset()                    { *m = GroupVersionResource{} }
+func (*GroupVersionResource) ProtoMessage()               {}
+func (*GroupVersionResource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{14} }
+
+func (m *Initializer) Reset()                    { *m = Initializer{} }
+func (*Initializer) ProtoMessage()               {}
+func (*Initializer) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{15} }
+
+func (m *Initializers) Reset()                    { *m = Initializers{} }
+func (*Initializers) ProtoMessage()               {}
+func (*Initializers) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{16} }
+
+func (m *LabelSelector) Reset()                    { *m = LabelSelector{} }
+func (*LabelSelector) ProtoMessage()               {}
+func (*LabelSelector) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{17} }
+
+func (m *LabelSelectorRequirement) Reset()      { *m = LabelSelectorRequirement{} }
+func (*LabelSelectorRequirement) ProtoMessage() {}
+func (*LabelSelectorRequirement) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{18}
+}
+
+func (m *List) Reset()                    { *m = List{} }
+func (*List) ProtoMessage()               {}
+func (*List) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{19} }
+
+func (m *ListMeta) Reset()                    { *m = ListMeta{} }
+func (*ListMeta) ProtoMessage()               {}
+func (*ListMeta) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{20} }
+
+func (m *ListOptions) Reset()                    { *m = ListOptions{} }
+func (*ListOptions) ProtoMessage()               {}
+func (*ListOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{21} }
+
+func (m *MicroTime) Reset()                    { *m = MicroTime{} }
+func (*MicroTime) ProtoMessage()               {}
+func (*MicroTime) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{22} }
+
+func (m *ObjectMeta) Reset()                    { *m = ObjectMeta{} }
+func (*ObjectMeta) ProtoMessage()               {}
+func (*ObjectMeta) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{23} }
+
+func (m *OwnerReference) Reset()                    { *m = OwnerReference{} }
+func (*OwnerReference) ProtoMessage()               {}
+func (*OwnerReference) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{24} }
+
+func (m *Preconditions) Reset()                    { *m = Preconditions{} }
+func (*Preconditions) ProtoMessage()               {}
+func (*Preconditions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{25} }
+
+func (m *RootPaths) Reset()                    { *m = RootPaths{} }
+func (*RootPaths) ProtoMessage()               {}
+func (*RootPaths) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{26} }
+
+func (m *ServerAddressByClientCIDR) Reset()      { *m = ServerAddressByClientCIDR{} }
+func (*ServerAddressByClientCIDR) ProtoMessage() {}
+func (*ServerAddressByClientCIDR) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{27}
+}
+
+func (m *Status) Reset()                    { *m = Status{} }
+func (*Status) ProtoMessage()               {}
+func (*Status) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{28} }
+
+func (m *StatusCause) Reset()                    { *m = StatusCause{} }
+func (*StatusCause) ProtoMessage()               {}
+func (*StatusCause) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{29} }
+
+func (m *StatusDetails) Reset()                    { *m = StatusDetails{} }
+func (*StatusDetails) ProtoMessage()               {}
+func (*StatusDetails) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{30} }
+
+func (m *Time) Reset()                    { *m = Time{} }
+func (*Time) ProtoMessage()               {}
+func (*Time) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{31} }
+
+func (m *Timestamp) Reset()                    { *m = Timestamp{} }
+func (*Timestamp) ProtoMessage()               {}
+func (*Timestamp) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{32} }
+
+func (m *TypeMeta) Reset()                    { *m = TypeMeta{} }
+func (*TypeMeta) ProtoMessage()               {}
+func (*TypeMeta) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{33} }
+
+func (m *Verbs) Reset()                    { *m = Verbs{} }
+func (*Verbs) ProtoMessage()               {}
+func (*Verbs) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{34} }
+
+func (m *WatchEvent) Reset()                    { *m = WatchEvent{} }
+func (*WatchEvent) ProtoMessage()               {}
+func (*WatchEvent) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{35} }
+
+func init() {
+	proto.RegisterType((*APIGroup)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.APIGroup")
+	proto.RegisterType((*APIGroupList)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.APIGroupList")
+	proto.RegisterType((*APIResource)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.APIResource")
+	proto.RegisterType((*APIResourceList)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.APIResourceList")
+	proto.RegisterType((*APIVersions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.APIVersions")
+	proto.RegisterType((*DeleteOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.DeleteOptions")
+	proto.RegisterType((*Duration)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Duration")
+	proto.RegisterType((*ExportOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ExportOptions")
+	proto.RegisterType((*GetOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GetOptions")
+	proto.RegisterType((*GroupKind)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupKind")
+	proto.RegisterType((*GroupResource)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupResource")
+	proto.RegisterType((*GroupVersion)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersion")
+	proto.RegisterType((*GroupVersionForDiscovery)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery")
+	proto.RegisterType((*GroupVersionKind)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionKind")
+	proto.RegisterType((*GroupVersionResource)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.GroupVersionResource")
+	proto.RegisterType((*Initializer)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Initializer")
+	proto.RegisterType((*Initializers)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Initializers")
+	proto.RegisterType((*LabelSelector)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector")
+	proto.RegisterType((*LabelSelectorRequirement)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement")
+	proto.RegisterType((*List)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.List")
+	proto.RegisterType((*ListMeta)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta")
+	proto.RegisterType((*ListOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ListOptions")
+	proto.RegisterType((*MicroTime)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime")
+	proto.RegisterType((*ObjectMeta)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta")
+	proto.RegisterType((*OwnerReference)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.OwnerReference")
+	proto.RegisterType((*Preconditions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Preconditions")
+	proto.RegisterType((*RootPaths)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.RootPaths")
+	proto.RegisterType((*ServerAddressByClientCIDR)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR")
+	proto.RegisterType((*Status)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Status")
+	proto.RegisterType((*StatusCause)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.StatusCause")
+	proto.RegisterType((*StatusDetails)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.StatusDetails")
+	proto.RegisterType((*Time)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Time")
+	proto.RegisterType((*Timestamp)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Timestamp")
+	proto.RegisterType((*TypeMeta)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.TypeMeta")
+	proto.RegisterType((*Verbs)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.Verbs")
+	proto.RegisterType((*WatchEvent)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1.WatchEvent")
+}
+func (m *APIGroup) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *APIGroup) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	if len(m.Versions) > 0 {
+		for _, msg := range m.Versions {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.PreferredVersion.Size()))
+	n1, err := m.PreferredVersion.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	if len(m.ServerAddressByClientCIDRs) > 0 {
+		for _, msg := range m.ServerAddressByClientCIDRs {
+			dAtA[i] = 0x22
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *APIGroupList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *APIGroupList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Groups) > 0 {
+		for _, msg := range m.Groups {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *APIResource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *APIResource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x10
+	i++
+	if m.Namespaced {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	if m.Verbs != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Verbs.Size()))
+		n2, err := m.Verbs.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n2
+	}
+	if len(m.ShortNames) > 0 {
+		for _, s := range m.ShortNames {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SingularName)))
+	i += copy(dAtA[i:], m.SingularName)
+	if len(m.Categories) > 0 {
+		for _, s := range m.Categories {
+			dAtA[i] = 0x3a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
+	i += copy(dAtA[i:], m.Group)
+	dAtA[i] = 0x4a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Version)))
+	i += copy(dAtA[i:], m.Version)
+	return i, nil
+}
+
+func (m *APIResourceList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *APIResourceList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.GroupVersion)))
+	i += copy(dAtA[i:], m.GroupVersion)
+	if len(m.APIResources) > 0 {
+		for _, msg := range m.APIResources {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *APIVersions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *APIVersions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Versions) > 0 {
+		for _, s := range m.Versions {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.ServerAddressByClientCIDRs) > 0 {
+		for _, msg := range m.ServerAddressByClientCIDRs {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *DeleteOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeleteOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.GracePeriodSeconds != nil {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.GracePeriodSeconds))
+	}
+	if m.Preconditions != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Preconditions.Size()))
+		n3, err := m.Preconditions.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n3
+	}
+	if m.OrphanDependents != nil {
+		dAtA[i] = 0x18
+		i++
+		if *m.OrphanDependents {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.PropagationPolicy != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.PropagationPolicy)))
+		i += copy(dAtA[i:], *m.PropagationPolicy)
+	}
+	return i, nil
+}
+
+func (m *Duration) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Duration) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Duration))
+	return i, nil
+}
+
+func (m *ExportOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ExportOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	if m.Export {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x10
+	i++
+	if m.Exact {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *GetOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GetOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ResourceVersion)))
+	i += copy(dAtA[i:], m.ResourceVersion)
+	dAtA[i] = 0x10
+	i++
+	if m.IncludeUninitialized {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	return i, nil
+}
+
+func (m *GroupKind) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GroupKind) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
+	i += copy(dAtA[i:], m.Group)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	return i, nil
+}
+
+func (m *GroupResource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GroupResource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
+	i += copy(dAtA[i:], m.Group)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Resource)))
+	i += copy(dAtA[i:], m.Resource)
+	return i, nil
+}
+
+func (m *GroupVersion) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GroupVersion) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
+	i += copy(dAtA[i:], m.Group)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Version)))
+	i += copy(dAtA[i:], m.Version)
+	return i, nil
+}
+
+func (m *GroupVersionForDiscovery) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GroupVersionForDiscovery) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.GroupVersion)))
+	i += copy(dAtA[i:], m.GroupVersion)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Version)))
+	i += copy(dAtA[i:], m.Version)
+	return i, nil
+}
+
+func (m *GroupVersionKind) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GroupVersionKind) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
+	i += copy(dAtA[i:], m.Group)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Version)))
+	i += copy(dAtA[i:], m.Version)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	return i, nil
+}
+
+func (m *GroupVersionResource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *GroupVersionResource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
+	i += copy(dAtA[i:], m.Group)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Version)))
+	i += copy(dAtA[i:], m.Version)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Resource)))
+	i += copy(dAtA[i:], m.Resource)
+	return i, nil
+}
+
+func (m *Initializer) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Initializer) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	return i, nil
+}
+
+func (m *Initializers) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Initializers) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Pending) > 0 {
+		for _, msg := range m.Pending {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.Result != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Result.Size()))
+		n4, err := m.Result.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n4
+	}
+	return i, nil
+}
+
+func (m *LabelSelector) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LabelSelector) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.MatchLabels) > 0 {
+		keysForMatchLabels := make([]string, 0, len(m.MatchLabels))
+		for k := range m.MatchLabels {
+			keysForMatchLabels = append(keysForMatchLabels, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForMatchLabels)
+		for _, k := range keysForMatchLabels {
+			dAtA[i] = 0xa
+			i++
+			v := m.MatchLabels[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.MatchExpressions) > 0 {
+		for _, msg := range m.MatchExpressions {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *LabelSelectorRequirement) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LabelSelectorRequirement) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i += copy(dAtA[i:], m.Key)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Operator)))
+	i += copy(dAtA[i:], m.Operator)
+	if len(m.Values) > 0 {
+		for _, s := range m.Values {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *List) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *List) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n5, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n5
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *ListMeta) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ListMeta) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SelfLink)))
+	i += copy(dAtA[i:], m.SelfLink)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ResourceVersion)))
+	i += copy(dAtA[i:], m.ResourceVersion)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Continue)))
+	i += copy(dAtA[i:], m.Continue)
+	return i, nil
+}
+
+func (m *ListOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ListOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.LabelSelector)))
+	i += copy(dAtA[i:], m.LabelSelector)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.FieldSelector)))
+	i += copy(dAtA[i:], m.FieldSelector)
+	dAtA[i] = 0x18
+	i++
+	if m.Watch {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ResourceVersion)))
+	i += copy(dAtA[i:], m.ResourceVersion)
+	if m.TimeoutSeconds != nil {
+		dAtA[i] = 0x28
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TimeoutSeconds))
+	}
+	dAtA[i] = 0x30
+	i++
+	if m.IncludeUninitialized {
+		dAtA[i] = 1
+	} else {
+		dAtA[i] = 0
+	}
+	i++
+	dAtA[i] = 0x38
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Limit))
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Continue)))
+	i += copy(dAtA[i:], m.Continue)
+	return i, nil
+}
+
+func (m *ObjectMeta) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ObjectMeta) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.GenerateName)))
+	i += copy(dAtA[i:], m.GenerateName)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespace)))
+	i += copy(dAtA[i:], m.Namespace)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.SelfLink)))
+	i += copy(dAtA[i:], m.SelfLink)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID)))
+	i += copy(dAtA[i:], m.UID)
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ResourceVersion)))
+	i += copy(dAtA[i:], m.ResourceVersion)
+	dAtA[i] = 0x38
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Generation))
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.CreationTimestamp.Size()))
+	n6, err := m.CreationTimestamp.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n6
+	if m.DeletionTimestamp != nil {
+		dAtA[i] = 0x4a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.DeletionTimestamp.Size()))
+		n7, err := m.DeletionTimestamp.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	if m.DeletionGracePeriodSeconds != nil {
+		dAtA[i] = 0x50
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.DeletionGracePeriodSeconds))
+	}
+	if len(m.Labels) > 0 {
+		keysForLabels := make([]string, 0, len(m.Labels))
+		for k := range m.Labels {
+			keysForLabels = append(keysForLabels, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForLabels)
+		for _, k := range keysForLabels {
+			dAtA[i] = 0x5a
+			i++
+			v := m.Labels[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.Annotations) > 0 {
+		keysForAnnotations := make([]string, 0, len(m.Annotations))
+		for k := range m.Annotations {
+			keysForAnnotations = append(keysForAnnotations, string(k))
+		}
+		github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+		for _, k := range keysForAnnotations {
+			dAtA[i] = 0x62
+			i++
+			v := m.Annotations[string(k)]
+			mapSize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			i = encodeVarintGenerated(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.OwnerReferences) > 0 {
+		for _, msg := range m.OwnerReferences {
+			dAtA[i] = 0x6a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Finalizers) > 0 {
+		for _, s := range m.Finalizers {
+			dAtA[i] = 0x72
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	dAtA[i] = 0x7a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ClusterName)))
+	i += copy(dAtA[i:], m.ClusterName)
+	if m.Initializers != nil {
+		dAtA[i] = 0x82
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Initializers.Size()))
+		n8, err := m.Initializers.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	return i, nil
+}
+
+func (m *OwnerReference) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *OwnerReference) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID)))
+	i += copy(dAtA[i:], m.UID)
+	dAtA[i] = 0x2a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIVersion)))
+	i += copy(dAtA[i:], m.APIVersion)
+	if m.Controller != nil {
+		dAtA[i] = 0x30
+		i++
+		if *m.Controller {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.BlockOwnerDeletion != nil {
+		dAtA[i] = 0x38
+		i++
+		if *m.BlockOwnerDeletion {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *Preconditions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Preconditions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.UID != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.UID)))
+		i += copy(dAtA[i:], *m.UID)
+	}
+	return i, nil
+}
+
+func (m *RootPaths) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RootPaths) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Paths) > 0 {
+		for _, s := range m.Paths {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *ServerAddressByClientCIDR) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ServerAddressByClientCIDR) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ClientCIDR)))
+	i += copy(dAtA[i:], m.ClientCIDR)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ServerAddress)))
+	i += copy(dAtA[i:], m.ServerAddress)
+	return i, nil
+}
+
+func (m *Status) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Status) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ListMeta.Size()))
+	n9, err := m.ListMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n9
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Status)))
+	i += copy(dAtA[i:], m.Status)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Reason)))
+	i += copy(dAtA[i:], m.Reason)
+	if m.Details != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(m.Details.Size()))
+		n10, err := m.Details.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n10
+	}
+	dAtA[i] = 0x30
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Code))
+	return i, nil
+}
+
+func (m *StatusCause) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatusCause) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Message)))
+	i += copy(dAtA[i:], m.Message)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Field)))
+	i += copy(dAtA[i:], m.Field)
+	return i, nil
+}
+
+func (m *StatusDetails) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatusDetails) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Name)))
+	i += copy(dAtA[i:], m.Name)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Group)))
+	i += copy(dAtA[i:], m.Group)
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	if len(m.Causes) > 0 {
+		for _, msg := range m.Causes {
+			dAtA[i] = 0x22
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	dAtA[i] = 0x28
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.RetryAfterSeconds))
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.UID)))
+	i += copy(dAtA[i:], m.UID)
+	return i, nil
+}
+
+func (m *Timestamp) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Timestamp) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Seconds))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Nanos))
+	return i, nil
+}
+
+func (m *TypeMeta) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TypeMeta) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIVersion)))
+	i += copy(dAtA[i:], m.APIVersion)
+	return i, nil
+}
+
+func (m Verbs) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m Verbs) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *WatchEvent) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *WatchEvent) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Type)))
+	i += copy(dAtA[i:], m.Type)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Object.Size()))
+	n11, err := m.Object.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n11
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *APIGroup) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Versions) > 0 {
+		for _, e := range m.Versions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = m.PreferredVersion.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.ServerAddressByClientCIDRs) > 0 {
+		for _, e := range m.ServerAddressByClientCIDRs {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *APIGroupList) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Groups) > 0 {
+		for _, e := range m.Groups {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *APIResource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Verbs != nil {
+		l = m.Verbs.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.ShortNames) > 0 {
+		for _, s := range m.ShortNames {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.SingularName)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Categories) > 0 {
+		for _, s := range m.Categories {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.Group)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Version)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *APIResourceList) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.GroupVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.APIResources) > 0 {
+		for _, e := range m.APIResources {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *APIVersions) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Versions) > 0 {
+		for _, s := range m.Versions {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.ServerAddressByClientCIDRs) > 0 {
+		for _, e := range m.ServerAddressByClientCIDRs {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DeleteOptions) Size() (n int) {
+	var l int
+	_ = l
+	if m.GracePeriodSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.GracePeriodSeconds))
+	}
+	if m.Preconditions != nil {
+		l = m.Preconditions.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.OrphanDependents != nil {
+		n += 2
+	}
+	if m.PropagationPolicy != nil {
+		l = len(*m.PropagationPolicy)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *Duration) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Duration))
+	return n
+}
+
+func (m *ExportOptions) Size() (n int) {
+	var l int
+	_ = l
+	n += 2
+	n += 2
+	return n
+}
+
+func (m *GetOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ResourceVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	return n
+}
+
+func (m *GroupKind) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Group)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *GroupResource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Group)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Resource)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *GroupVersion) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Group)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Version)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *GroupVersionForDiscovery) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.GroupVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Version)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *GroupVersionKind) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Group)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Version)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *GroupVersionResource) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Group)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Version)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Resource)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Initializer) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Initializers) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Pending) > 0 {
+		for _, e := range m.Pending {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if m.Result != nil {
+		l = m.Result.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *LabelSelector) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.MatchLabels) > 0 {
+		for k, v := range m.MatchLabels {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.MatchExpressions) > 0 {
+		for _, e := range m.MatchExpressions {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *LabelSelectorRequirement) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Operator)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Values) > 0 {
+		for _, s := range m.Values {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *List) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ListMeta) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.SelfLink)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ResourceVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Continue)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ListOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.LabelSelector)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.FieldSelector)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
+	l = len(m.ResourceVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TimeoutSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.TimeoutSeconds))
+	}
+	n += 2
+	n += 1 + sovGenerated(uint64(m.Limit))
+	l = len(m.Continue)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *ObjectMeta) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.GenerateName)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Namespace)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.SelfLink)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.UID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ResourceVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 1 + sovGenerated(uint64(m.Generation))
+	l = m.CreationTimestamp.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.DeletionTimestamp != nil {
+		l = m.DeletionTimestamp.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.DeletionGracePeriodSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.DeletionGracePeriodSeconds))
+	}
+	if len(m.Labels) > 0 {
+		for k, v := range m.Labels {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Annotations) > 0 {
+		for k, v := range m.Annotations {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGenerated(uint64(len(k))) + 1 + len(v) + sovGenerated(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
+		}
+	}
+	if len(m.OwnerReferences) > 0 {
+		for _, e := range m.OwnerReferences {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.Finalizers) > 0 {
+		for _, s := range m.Finalizers {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	l = len(m.ClusterName)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Initializers != nil {
+		l = m.Initializers.Size()
+		n += 2 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *OwnerReference) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.UID)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.APIVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Controller != nil {
+		n += 2
+	}
+	if m.BlockOwnerDeletion != nil {
+		n += 2
+	}
+	return n
+}
+
+func (m *Preconditions) Size() (n int) {
+	var l int
+	_ = l
+	if m.UID != nil {
+		l = len(*m.UID)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *RootPaths) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Paths) > 0 {
+		for _, s := range m.Paths {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ServerAddressByClientCIDR) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ClientCIDR)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ServerAddress)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Status) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Status)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Reason)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Details != nil {
+		l = m.Details.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	n += 1 + sovGenerated(uint64(m.Code))
+	return n
+}
+
+func (m *StatusCause) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Message)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Field)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *StatusDetails) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Group)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Causes) > 0 {
+		for _, e := range m.Causes {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	n += 1 + sovGenerated(uint64(m.RetryAfterSeconds))
+	l = len(m.UID)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Timestamp) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Seconds))
+	n += 1 + sovGenerated(uint64(m.Nanos))
+	return n
+}
+
+func (m *TypeMeta) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.APIVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m Verbs) Size() (n int) {
+	var l int
+	_ = l
+	if len(m) > 0 {
+		for _, s := range m {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *WatchEvent) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Type)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Object.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *APIGroup) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&APIGroup{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Versions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Versions), "GroupVersionForDiscovery", "GroupVersionForDiscovery", 1), `&`, ``, 1) + `,`,
+		`PreferredVersion:` + strings.Replace(strings.Replace(this.PreferredVersion.String(), "GroupVersionForDiscovery", "GroupVersionForDiscovery", 1), `&`, ``, 1) + `,`,
+		`ServerAddressByClientCIDRs:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ServerAddressByClientCIDRs), "ServerAddressByClientCIDR", "ServerAddressByClientCIDR", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *APIGroupList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&APIGroupList{`,
+		`Groups:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Groups), "APIGroup", "APIGroup", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *APIResource) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&APIResource{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Namespaced:` + fmt.Sprintf("%v", this.Namespaced) + `,`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`Verbs:` + strings.Replace(fmt.Sprintf("%v", this.Verbs), "Verbs", "Verbs", 1) + `,`,
+		`ShortNames:` + fmt.Sprintf("%v", this.ShortNames) + `,`,
+		`SingularName:` + fmt.Sprintf("%v", this.SingularName) + `,`,
+		`Categories:` + fmt.Sprintf("%v", this.Categories) + `,`,
+		`Group:` + fmt.Sprintf("%v", this.Group) + `,`,
+		`Version:` + fmt.Sprintf("%v", this.Version) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *APIResourceList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&APIResourceList{`,
+		`GroupVersion:` + fmt.Sprintf("%v", this.GroupVersion) + `,`,
+		`APIResources:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.APIResources), "APIResource", "APIResource", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeleteOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeleteOptions{`,
+		`GracePeriodSeconds:` + valueToStringGenerated(this.GracePeriodSeconds) + `,`,
+		`Preconditions:` + strings.Replace(fmt.Sprintf("%v", this.Preconditions), "Preconditions", "Preconditions", 1) + `,`,
+		`OrphanDependents:` + valueToStringGenerated(this.OrphanDependents) + `,`,
+		`PropagationPolicy:` + valueToStringGenerated(this.PropagationPolicy) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Duration) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Duration{`,
+		`Duration:` + fmt.Sprintf("%v", this.Duration) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ExportOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ExportOptions{`,
+		`Export:` + fmt.Sprintf("%v", this.Export) + `,`,
+		`Exact:` + fmt.Sprintf("%v", this.Exact) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *GetOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&GetOptions{`,
+		`ResourceVersion:` + fmt.Sprintf("%v", this.ResourceVersion) + `,`,
+		`IncludeUninitialized:` + fmt.Sprintf("%v", this.IncludeUninitialized) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *GroupVersionForDiscovery) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&GroupVersionForDiscovery{`,
+		`GroupVersion:` + fmt.Sprintf("%v", this.GroupVersion) + `,`,
+		`Version:` + fmt.Sprintf("%v", this.Version) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Initializer) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Initializer{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Initializers) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Initializers{`,
+		`Pending:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Pending), "Initializer", "Initializer", 1), `&`, ``, 1) + `,`,
+		`Result:` + strings.Replace(fmt.Sprintf("%v", this.Result), "Status", "Status", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *LabelSelector) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForMatchLabels := make([]string, 0, len(this.MatchLabels))
+	for k := range this.MatchLabels {
+		keysForMatchLabels = append(keysForMatchLabels, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForMatchLabels)
+	mapStringForMatchLabels := "map[string]string{"
+	for _, k := range keysForMatchLabels {
+		mapStringForMatchLabels += fmt.Sprintf("%v: %v,", k, this.MatchLabels[k])
+	}
+	mapStringForMatchLabels += "}"
+	s := strings.Join([]string{`&LabelSelector{`,
+		`MatchLabels:` + mapStringForMatchLabels + `,`,
+		`MatchExpressions:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.MatchExpressions), "LabelSelectorRequirement", "LabelSelectorRequirement", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *LabelSelectorRequirement) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&LabelSelectorRequirement{`,
+		`Key:` + fmt.Sprintf("%v", this.Key) + `,`,
+		`Operator:` + fmt.Sprintf("%v", this.Operator) + `,`,
+		`Values:` + fmt.Sprintf("%v", this.Values) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *List) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&List{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Items), "RawExtension", "k8s_io_apimachinery_pkg_runtime.RawExtension", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ListMeta) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ListMeta{`,
+		`SelfLink:` + fmt.Sprintf("%v", this.SelfLink) + `,`,
+		`ResourceVersion:` + fmt.Sprintf("%v", this.ResourceVersion) + `,`,
+		`Continue:` + fmt.Sprintf("%v", this.Continue) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ListOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ListOptions{`,
+		`LabelSelector:` + fmt.Sprintf("%v", this.LabelSelector) + `,`,
+		`FieldSelector:` + fmt.Sprintf("%v", this.FieldSelector) + `,`,
+		`Watch:` + fmt.Sprintf("%v", this.Watch) + `,`,
+		`ResourceVersion:` + fmt.Sprintf("%v", this.ResourceVersion) + `,`,
+		`TimeoutSeconds:` + valueToStringGenerated(this.TimeoutSeconds) + `,`,
+		`IncludeUninitialized:` + fmt.Sprintf("%v", this.IncludeUninitialized) + `,`,
+		`Limit:` + fmt.Sprintf("%v", this.Limit) + `,`,
+		`Continue:` + fmt.Sprintf("%v", this.Continue) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ObjectMeta) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForLabels := make([]string, 0, len(this.Labels))
+	for k := range this.Labels {
+		keysForLabels = append(keysForLabels, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForLabels)
+	mapStringForLabels := "map[string]string{"
+	for _, k := range keysForLabels {
+		mapStringForLabels += fmt.Sprintf("%v: %v,", k, this.Labels[k])
+	}
+	mapStringForLabels += "}"
+	keysForAnnotations := make([]string, 0, len(this.Annotations))
+	for k := range this.Annotations {
+		keysForAnnotations = append(keysForAnnotations, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForAnnotations)
+	mapStringForAnnotations := "map[string]string{"
+	for _, k := range keysForAnnotations {
+		mapStringForAnnotations += fmt.Sprintf("%v: %v,", k, this.Annotations[k])
+	}
+	mapStringForAnnotations += "}"
+	s := strings.Join([]string{`&ObjectMeta{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`GenerateName:` + fmt.Sprintf("%v", this.GenerateName) + `,`,
+		`Namespace:` + fmt.Sprintf("%v", this.Namespace) + `,`,
+		`SelfLink:` + fmt.Sprintf("%v", this.SelfLink) + `,`,
+		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
+		`ResourceVersion:` + fmt.Sprintf("%v", this.ResourceVersion) + `,`,
+		`Generation:` + fmt.Sprintf("%v", this.Generation) + `,`,
+		`CreationTimestamp:` + strings.Replace(strings.Replace(this.CreationTimestamp.String(), "Time", "Time", 1), `&`, ``, 1) + `,`,
+		`DeletionTimestamp:` + strings.Replace(fmt.Sprintf("%v", this.DeletionTimestamp), "Time", "Time", 1) + `,`,
+		`DeletionGracePeriodSeconds:` + valueToStringGenerated(this.DeletionGracePeriodSeconds) + `,`,
+		`Labels:` + mapStringForLabels + `,`,
+		`Annotations:` + mapStringForAnnotations + `,`,
+		`OwnerReferences:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.OwnerReferences), "OwnerReference", "OwnerReference", 1), `&`, ``, 1) + `,`,
+		`Finalizers:` + fmt.Sprintf("%v", this.Finalizers) + `,`,
+		`ClusterName:` + fmt.Sprintf("%v", this.ClusterName) + `,`,
+		`Initializers:` + strings.Replace(fmt.Sprintf("%v", this.Initializers), "Initializers", "Initializers", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *OwnerReference) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&OwnerReference{`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
+		`APIVersion:` + fmt.Sprintf("%v", this.APIVersion) + `,`,
+		`Controller:` + valueToStringGenerated(this.Controller) + `,`,
+		`BlockOwnerDeletion:` + valueToStringGenerated(this.BlockOwnerDeletion) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Preconditions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Preconditions{`,
+		`UID:` + valueToStringGenerated(this.UID) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *RootPaths) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RootPaths{`,
+		`Paths:` + fmt.Sprintf("%v", this.Paths) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *ServerAddressByClientCIDR) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&ServerAddressByClientCIDR{`,
+		`ClientCIDR:` + fmt.Sprintf("%v", this.ClientCIDR) + `,`,
+		`ServerAddress:` + fmt.Sprintf("%v", this.ServerAddress) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Status) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Status{`,
+		`ListMeta:` + strings.Replace(strings.Replace(this.ListMeta.String(), "ListMeta", "ListMeta", 1), `&`, ``, 1) + `,`,
+		`Status:` + fmt.Sprintf("%v", this.Status) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`Reason:` + fmt.Sprintf("%v", this.Reason) + `,`,
+		`Details:` + strings.Replace(fmt.Sprintf("%v", this.Details), "StatusDetails", "StatusDetails", 1) + `,`,
+		`Code:` + fmt.Sprintf("%v", this.Code) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatusCause) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatusCause{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Message:` + fmt.Sprintf("%v", this.Message) + `,`,
+		`Field:` + fmt.Sprintf("%v", this.Field) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *StatusDetails) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&StatusDetails{`,
+		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
+		`Group:` + fmt.Sprintf("%v", this.Group) + `,`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`Causes:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Causes), "StatusCause", "StatusCause", 1), `&`, ``, 1) + `,`,
+		`RetryAfterSeconds:` + fmt.Sprintf("%v", this.RetryAfterSeconds) + `,`,
+		`UID:` + fmt.Sprintf("%v", this.UID) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Timestamp) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Timestamp{`,
+		`Seconds:` + fmt.Sprintf("%v", this.Seconds) + `,`,
+		`Nanos:` + fmt.Sprintf("%v", this.Nanos) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *TypeMeta) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TypeMeta{`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`APIVersion:` + fmt.Sprintf("%v", this.APIVersion) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *WatchEvent) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&WatchEvent{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Object:` + strings.Replace(strings.Replace(this.Object.String(), "RawExtension", "k8s_io_apimachinery_pkg_runtime.RawExtension", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *APIGroup) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: APIGroup: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: APIGroup: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Versions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Versions = append(m.Versions, GroupVersionForDiscovery{})
+			if err := m.Versions[len(m.Versions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PreferredVersion", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.PreferredVersion.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServerAddressByClientCIDRs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ServerAddressByClientCIDRs = append(m.ServerAddressByClientCIDRs, ServerAddressByClientCIDR{})
+			if err := m.ServerAddressByClientCIDRs[len(m.ServerAddressByClientCIDRs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *APIGroupList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: APIGroupList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: APIGroupList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Groups = append(m.Groups, APIGroup{})
+			if err := m.Groups[len(m.Groups)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *APIResource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: APIResource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: APIResource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespaced", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Namespaced = bool(v != 0)
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Verbs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Verbs == nil {
+				m.Verbs = Verbs{}
+			}
+			if err := m.Verbs.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ShortNames", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ShortNames = append(m.ShortNames, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SingularName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SingularName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Categories", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Categories = append(m.Categories, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Group = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Version", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Version = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *APIResourceList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: APIResourceList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: APIResourceList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GroupVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.GroupVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIResources", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIResources = append(m.APIResources, APIResource{})
+			if err := m.APIResources[len(m.APIResources)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *APIVersions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: APIVersions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: APIVersions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Versions", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Versions = append(m.Versions, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServerAddressByClientCIDRs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ServerAddressByClientCIDRs = append(m.ServerAddressByClientCIDRs, ServerAddressByClientCIDR{})
+			if err := m.ServerAddressByClientCIDRs[len(m.ServerAddressByClientCIDRs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeleteOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeleteOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeleteOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GracePeriodSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.GracePeriodSeconds = &v
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Preconditions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Preconditions == nil {
+				m.Preconditions = &Preconditions{}
+			}
+			if err := m.Preconditions.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OrphanDependents", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.OrphanDependents = &b
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PropagationPolicy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := DeletionPropagation(dAtA[iNdEx:postIndex])
+			m.PropagationPolicy = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Duration) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Duration: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Duration: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Duration", wireType)
+			}
+			m.Duration = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Duration |= (time.Duration(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ExportOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExportOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExportOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Export", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Export = bool(v != 0)
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Exact", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Exact = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GetOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GetOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GetOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IncludeUninitialized", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.IncludeUninitialized = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GroupKind) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GroupKind: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GroupKind: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Group = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GroupResource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GroupResource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GroupResource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Group = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resource = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GroupVersion) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GroupVersion: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GroupVersion: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Group = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Version", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Version = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GroupVersionForDiscovery) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GroupVersionForDiscovery: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GroupVersionForDiscovery: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GroupVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.GroupVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Version", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Version = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GroupVersionKind) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GroupVersionKind: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GroupVersionKind: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Group = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Version", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Version = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *GroupVersionResource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: GroupVersionResource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: GroupVersionResource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Group = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Version", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Version = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Resource = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Initializer) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Initializer: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Initializer: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Initializers) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Initializers: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Initializers: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Pending", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Pending = append(m.Pending, Initializer{})
+			if err := m.Pending[len(m.Pending)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Result", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Result == nil {
+				m.Result = &Status{}
+			}
+			if err := m.Result.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LabelSelector) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LabelSelector: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LabelSelector: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MatchLabels", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.MatchLabels == nil {
+				m.MatchLabels = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.MatchLabels[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.MatchLabels[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MatchExpressions", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.MatchExpressions = append(m.MatchExpressions, LabelSelectorRequirement{})
+			if err := m.MatchExpressions[len(m.MatchExpressions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *LabelSelectorRequirement) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LabelSelectorRequirement: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LabelSelectorRequirement: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Operator", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Operator = LabelSelectorOperator(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Values", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Values = append(m.Values, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *List) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: List: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: List: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, k8s_io_apimachinery_pkg_runtime.RawExtension{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ListMeta) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ListMeta: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ListMeta: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SelfLink", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SelfLink = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Continue", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Continue = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ListOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ListOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ListOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LabelSelector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.LabelSelector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FieldSelector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FieldSelector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Watch", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Watch = bool(v != 0)
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TimeoutSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TimeoutSeconds = &v
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IncludeUninitialized", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.IncludeUninitialized = bool(v != 0)
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Limit", wireType)
+			}
+			m.Limit = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Limit |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Continue", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Continue = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ObjectMeta) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ObjectMeta: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ObjectMeta: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field GenerateName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.GenerateName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Namespace", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Namespace = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SelfLink", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SelfLink = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ResourceVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ResourceVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Generation", wireType)
+			}
+			m.Generation = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Generation |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CreationTimestamp", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.CreationTimestamp.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DeletionTimestamp", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.DeletionTimestamp == nil {
+				m.DeletionTimestamp = &Time{}
+			}
+			if err := m.DeletionTimestamp.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 10:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DeletionGracePeriodSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.DeletionGracePeriodSeconds = &v
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Labels", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Labels == nil {
+				m.Labels = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Labels[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Labels[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 12:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Annotations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Annotations == nil {
+				m.Annotations = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthGenerated
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Annotations[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Annotations[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		case 13:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OwnerReferences", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OwnerReferences = append(m.OwnerReferences, OwnerReference{})
+			if err := m.OwnerReferences[len(m.OwnerReferences)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 14:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Finalizers", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Finalizers = append(m.Finalizers, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 15:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ClusterName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ClusterName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 16:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Initializers", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Initializers == nil {
+				m.Initializers = &Initializers{}
+			}
+			if err := m.Initializers.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *OwnerReference) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: OwnerReference: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: OwnerReference: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Controller", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.Controller = &b
+		case 7:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field BlockOwnerDeletion", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			b := bool(v != 0)
+			m.BlockOwnerDeletion = &b
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Preconditions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Preconditions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Preconditions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
+			m.UID = &s
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RootPaths) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RootPaths: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RootPaths: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Paths", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Paths = append(m.Paths, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ServerAddressByClientCIDR) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ServerAddressByClientCIDR: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ServerAddressByClientCIDR: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ClientCIDR", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ClientCIDR = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ServerAddress", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ServerAddress = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Status) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Status: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Status: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Status = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Reason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Reason = StatusReason(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Details", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Details == nil {
+				m.Details = &StatusDetails{}
+			}
+			if err := m.Details.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Code", wireType)
+			}
+			m.Code = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Code |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatusCause) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatusCause: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatusCause: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = CauseType(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Message", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Message = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Field", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Field = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatusDetails) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatusDetails: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatusDetails: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Group = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Causes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Causes = append(m.Causes, StatusCause{})
+			if err := m.Causes[len(m.Causes)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field RetryAfterSeconds", wireType)
+			}
+			m.RetryAfterSeconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.RetryAfterSeconds |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.UID = k8s_io_apimachinery_pkg_types.UID(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Timestamp) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Timestamp: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Timestamp: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Seconds", wireType)
+			}
+			m.Seconds = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Seconds |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Nanos", wireType)
+			}
+			m.Nanos = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Nanos |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TypeMeta) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TypeMeta: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TypeMeta: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Verbs) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Verbs: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Verbs: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			*m = append(*m, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *WatchEvent) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: WatchEvent: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: WatchEvent: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Type = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Object", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Object.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 2428 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x59, 0x4d, 0x6c, 0x23, 0x49,
+	0x15, 0x4e, 0xdb, 0xb1, 0x63, 0x3f, 0xc7, 0xf9, 0xa9, 0xcd, 0x80, 0x37, 0x02, 0x3b, 0xdb, 0x8b,
+	0x56, 0x59, 0x98, 0xb5, 0x49, 0x16, 0x56, 0xc3, 0x00, 0x03, 0xe9, 0x38, 0x33, 0x8a, 0x76, 0x32,
+	0x63, 0x55, 0x76, 0x06, 0x31, 0x8c, 0x10, 0x9d, 0x76, 0xc5, 0x69, 0xd2, 0xee, 0xf6, 0x56, 0x95,
+	0x33, 0x09, 0x1c, 0xd8, 0x03, 0x48, 0x1c, 0x10, 0x9a, 0x23, 0x27, 0xb4, 0x23, 0xb8, 0x70, 0xe5,
+	0xc4, 0x05, 0x4e, 0x48, 0xcc, 0x71, 0x24, 0x2e, 0x7b, 0x40, 0xd6, 0x8e, 0xf7, 0xc0, 0x09, 0x71,
+	0xcf, 0x09, 0x55, 0x75, 0xf5, 0x9f, 0x1d, 0x4f, 0xda, 0x3b, 0x0b, 0xe2, 0x14, 0xf7, 0xfb, 0xf9,
+	0xde, 0xab, 0xaa, 0xf7, 0x5e, 0xbd, 0x7a, 0x81, 0xbd, 0xe3, 0x6b, 0xac, 0x6e, 0x7b, 0x8d, 0xe3,
+	0xfe, 0x01, 0xa1, 0x2e, 0xe1, 0x84, 0x35, 0x4e, 0x88, 0xdb, 0xf6, 0x68, 0x43, 0x31, 0xcc, 0x9e,
+	0xdd, 0x35, 0xad, 0x23, 0xdb, 0x25, 0xf4, 0xac, 0xd1, 0x3b, 0xee, 0x08, 0x02, 0x6b, 0x74, 0x09,
+	0x37, 0x1b, 0x27, 0x1b, 0x8d, 0x0e, 0x71, 0x09, 0x35, 0x39, 0x69, 0xd7, 0x7b, 0xd4, 0xe3, 0x1e,
+	0xfa, 0x92, 0xaf, 0x55, 0x8f, 0x6b, 0xd5, 0x7b, 0xc7, 0x1d, 0x41, 0x60, 0x75, 0xa1, 0x55, 0x3f,
+	0xd9, 0x58, 0x7d, 0xab, 0x63, 0xf3, 0xa3, 0xfe, 0x41, 0xdd, 0xf2, 0xba, 0x8d, 0x8e, 0xd7, 0xf1,
+	0x1a, 0x52, 0xf9, 0xa0, 0x7f, 0x28, 0xbf, 0xe4, 0x87, 0xfc, 0xe5, 0x83, 0xae, 0x4e, 0x74, 0x85,
+	0xf6, 0x5d, 0x6e, 0x77, 0xc9, 0xa8, 0x17, 0xab, 0xef, 0x5c, 0xa6, 0xc0, 0xac, 0x23, 0xd2, 0x35,
+	0xc7, 0xf4, 0xde, 0x9e, 0xa4, 0xd7, 0xe7, 0xb6, 0xd3, 0xb0, 0x5d, 0xce, 0x38, 0x1d, 0x55, 0xd2,
+	0xff, 0x96, 0x85, 0xc2, 0x56, 0x6b, 0xf7, 0x16, 0xf5, 0xfa, 0x3d, 0xb4, 0x06, 0xb3, 0xae, 0xd9,
+	0x25, 0x15, 0x6d, 0x4d, 0x5b, 0x2f, 0x1a, 0xf3, 0x4f, 0x07, 0xb5, 0x99, 0xe1, 0xa0, 0x36, 0x7b,
+	0xc7, 0xec, 0x12, 0x2c, 0x39, 0xc8, 0x81, 0xc2, 0x09, 0xa1, 0xcc, 0xf6, 0x5c, 0x56, 0xc9, 0xac,
+	0x65, 0xd7, 0x4b, 0x9b, 0x37, 0xea, 0x69, 0x36, 0xad, 0x2e, 0x0d, 0xdc, 0xf7, 0x55, 0x6f, 0x7a,
+	0xb4, 0x69, 0x33, 0xcb, 0x3b, 0x21, 0xf4, 0xcc, 0x58, 0x52, 0x56, 0x0a, 0x8a, 0xc9, 0x70, 0x68,
+	0x01, 0xfd, 0x5c, 0x83, 0xa5, 0x1e, 0x25, 0x87, 0x84, 0x52, 0xd2, 0x56, 0xfc, 0x4a, 0x76, 0x4d,
+	0xfb, 0x0c, 0xcc, 0x56, 0x94, 0xd9, 0xa5, 0xd6, 0x08, 0x3e, 0x1e, 0xb3, 0x88, 0x7e, 0xa7, 0xc1,
+	0x2a, 0x23, 0xf4, 0x84, 0xd0, 0xad, 0x76, 0x9b, 0x12, 0xc6, 0x8c, 0xb3, 0x6d, 0xc7, 0x26, 0x2e,
+	0xdf, 0xde, 0x6d, 0x62, 0x56, 0x99, 0x95, 0xfb, 0xf0, 0x9d, 0x74, 0x0e, 0xed, 0x4f, 0xc2, 0x31,
+	0x74, 0xe5, 0xd1, 0xea, 0x44, 0x11, 0x86, 0x5f, 0xe0, 0x86, 0x7e, 0x08, 0xf3, 0xc1, 0x41, 0xde,
+	0xb6, 0x19, 0x47, 0xf7, 0x21, 0xdf, 0x11, 0x1f, 0xac, 0xa2, 0x49, 0x07, 0xeb, 0xe9, 0x1c, 0x0c,
+	0x30, 0x8c, 0x05, 0xe5, 0x4f, 0x5e, 0x7e, 0x32, 0xac, 0xd0, 0xf4, 0x3f, 0x67, 0xa1, 0xb4, 0xd5,
+	0xda, 0xc5, 0x84, 0x79, 0x7d, 0x6a, 0x91, 0x14, 0x41, 0xb3, 0x09, 0x20, 0xfe, 0xb2, 0x9e, 0x69,
+	0x91, 0x76, 0x25, 0xb3, 0xa6, 0xad, 0x17, 0x0c, 0xa4, 0xe4, 0xe0, 0x4e, 0xc8, 0xc1, 0x31, 0x29,
+	0x81, 0x7a, 0x6c, 0xbb, 0x6d, 0x79, 0xda, 0x31, 0xd4, 0x77, 0x6d, 0xb7, 0x8d, 0x25, 0x07, 0xdd,
+	0x86, 0xdc, 0x09, 0xa1, 0x07, 0x62, 0xff, 0x45, 0x40, 0x7c, 0x25, 0xdd, 0xf2, 0xee, 0x0b, 0x15,
+	0xa3, 0x38, 0x1c, 0xd4, 0x72, 0xf2, 0x27, 0xf6, 0x41, 0x50, 0x1d, 0x80, 0x1d, 0x79, 0x94, 0x4b,
+	0x77, 0x2a, 0xb9, 0xb5, 0xec, 0x7a, 0xd1, 0x58, 0x10, 0xfe, 0xed, 0x87, 0x54, 0x1c, 0x93, 0x40,
+	0xd7, 0x60, 0x9e, 0xd9, 0x6e, 0xa7, 0xef, 0x98, 0x54, 0x10, 0x2a, 0x79, 0xe9, 0xe7, 0x8a, 0xf2,
+	0x73, 0x7e, 0x3f, 0xc6, 0xc3, 0x09, 0x49, 0x61, 0xc9, 0x32, 0x39, 0xe9, 0x78, 0xd4, 0x26, 0xac,
+	0x32, 0x17, 0x59, 0xda, 0x0e, 0xa9, 0x38, 0x26, 0x81, 0x5e, 0x87, 0x9c, 0xdc, 0xf9, 0x4a, 0x41,
+	0x9a, 0x28, 0x2b, 0x13, 0x39, 0x79, 0x2c, 0xd8, 0xe7, 0xa1, 0x37, 0x61, 0x4e, 0x65, 0x4d, 0xa5,
+	0x28, 0xc5, 0x16, 0x95, 0xd8, 0x5c, 0x10, 0xd6, 0x01, 0x5f, 0xff, 0xa3, 0x06, 0x8b, 0xb1, 0xf3,
+	0x93, 0xb1, 0x72, 0x0d, 0xe6, 0x3b, 0xb1, 0x4c, 0x51, 0x67, 0x19, 0xae, 0x26, 0x9e, 0x45, 0x38,
+	0x21, 0x89, 0x08, 0x14, 0xa9, 0x42, 0x0a, 0x2a, 0xc2, 0x46, 0xea, 0x40, 0x0b, 0x7c, 0x88, 0x2c,
+	0xc5, 0x88, 0x0c, 0x47, 0xc8, 0xfa, 0x3f, 0x35, 0x19, 0x74, 0x41, 0x8d, 0x40, 0xeb, 0xb1, 0x3a,
+	0xa4, 0xc9, 0x2d, 0x9c, 0x9f, 0x50, 0x43, 0x2e, 0x49, 0xde, 0xcc, 0xff, 0x45, 0xf2, 0x5e, 0x2f,
+	0xfc, 0xe6, 0xc3, 0xda, 0xcc, 0x07, 0xff, 0x58, 0x9b, 0xd1, 0x3f, 0xc9, 0x40, 0xb9, 0x49, 0x1c,
+	0xc2, 0xc9, 0xdd, 0x1e, 0x97, 0x2b, 0xb8, 0x09, 0xa8, 0x43, 0x4d, 0x8b, 0xb4, 0x08, 0xb5, 0xbd,
+	0xf6, 0x3e, 0xb1, 0x3c, 0xb7, 0xcd, 0xe4, 0x11, 0x65, 0x8d, 0xcf, 0x0d, 0x07, 0x35, 0x74, 0x6b,
+	0x8c, 0x8b, 0x2f, 0xd0, 0x40, 0x0e, 0x94, 0x7b, 0x54, 0xfe, 0xb6, 0xb9, 0x2a, 0xe0, 0x22, 0x71,
+	0xde, 0x4e, 0xb7, 0xf6, 0x56, 0x5c, 0xd5, 0x58, 0x1e, 0x0e, 0x6a, 0xe5, 0x04, 0x09, 0x27, 0xc1,
+	0xd1, 0x77, 0x61, 0xc9, 0xa3, 0xbd, 0x23, 0xd3, 0x6d, 0x92, 0x1e, 0x71, 0xdb, 0xc4, 0xe5, 0x4c,
+	0x26, 0x73, 0xc1, 0x58, 0x11, 0x65, 0xf7, 0xee, 0x08, 0x0f, 0x8f, 0x49, 0xa3, 0x07, 0xb0, 0xdc,
+	0xa3, 0x5e, 0xcf, 0xec, 0x98, 0x02, 0xb1, 0xe5, 0x39, 0xb6, 0x75, 0x26, 0x93, 0xbd, 0x68, 0x5c,
+	0x1d, 0x0e, 0x6a, 0xcb, 0xad, 0x51, 0xe6, 0xf9, 0xa0, 0xf6, 0x8a, 0xdc, 0x3a, 0x41, 0x89, 0x98,
+	0x78, 0x1c, 0x46, 0xdf, 0x85, 0x42, 0xb3, 0x4f, 0x25, 0x05, 0x7d, 0x1b, 0x0a, 0x6d, 0xf5, 0x5b,
+	0xed, 0xea, 0x6b, 0xc1, 0x9d, 0x14, 0xc8, 0x9c, 0x0f, 0x6a, 0x65, 0x71, 0xf5, 0xd6, 0x03, 0x02,
+	0x0e, 0x55, 0xf4, 0x87, 0x50, 0xde, 0x39, 0xed, 0x79, 0x94, 0x07, 0xe7, 0xf5, 0x06, 0xe4, 0x89,
+	0x24, 0x48, 0xb4, 0x42, 0x54, 0x48, 0x7d, 0x31, 0xac, 0xb8, 0x22, 0xb1, 0xc9, 0xa9, 0x69, 0x71,
+	0x55, 0x11, 0xc3, 0xc4, 0xde, 0x11, 0x44, 0xec, 0xf3, 0xf4, 0x27, 0x1a, 0xc0, 0x2d, 0x12, 0x62,
+	0x6f, 0xc1, 0x62, 0x90, 0x14, 0xc9, 0x5c, 0xfd, 0xbc, 0xd2, 0x5e, 0xc4, 0x49, 0x36, 0x1e, 0x95,
+	0x47, 0x2d, 0x58, 0xb1, 0x5d, 0xcb, 0xe9, 0xb7, 0xc9, 0x3d, 0xd7, 0x76, 0x6d, 0x6e, 0x9b, 0x8e,
+	0xfd, 0x93, 0xb0, 0x2e, 0x7f, 0x41, 0xe1, 0xac, 0xec, 0x5e, 0x20, 0x83, 0x2f, 0xd4, 0xd4, 0x1f,
+	0x42, 0x51, 0x56, 0x08, 0x51, 0x9c, 0xa3, 0x72, 0xa5, 0xbd, 0xa0, 0x5c, 0x05, 0xd5, 0x3d, 0x33,
+	0xa9, 0xba, 0xc7, 0x12, 0xc2, 0x81, 0xb2, 0xaf, 0x1b, 0x5c, 0x38, 0xa9, 0x2c, 0x5c, 0x85, 0x42,
+	0xb0, 0x70, 0x65, 0x25, 0x6c, 0x34, 0x02, 0x20, 0x1c, 0x4a, 0xc4, 0xac, 0x1d, 0x41, 0xa2, 0xda,
+	0xa5, 0x33, 0x16, 0xab, 0xbe, 0x99, 0x17, 0x57, 0xdf, 0x98, 0xa5, 0x9f, 0x41, 0x65, 0x52, 0x77,
+	0xf2, 0x12, 0xf5, 0x38, 0xbd, 0x2b, 0xfa, 0xaf, 0x35, 0x58, 0x8a, 0x23, 0xa5, 0x3f, 0xbe, 0xf4,
+	0x46, 0x2e, 0xbf, 0xc7, 0x63, 0x3b, 0xf2, 0x5b, 0x0d, 0x56, 0x12, 0x4b, 0x9b, 0xea, 0xc4, 0xa7,
+	0x70, 0x2a, 0x1e, 0x1c, 0xd9, 0x29, 0x82, 0xa3, 0x01, 0xa5, 0xdd, 0x30, 0xee, 0xe9, 0xe5, 0x9d,
+	0x8f, 0xfe, 0x17, 0x0d, 0xe6, 0x63, 0x1a, 0x0c, 0x3d, 0x84, 0x39, 0x51, 0xdf, 0x6c, 0xb7, 0xa3,
+	0xba, 0xb2, 0x94, 0x97, 0x65, 0x0c, 0x24, 0x5a, 0x57, 0xcb, 0x47, 0xc2, 0x01, 0x24, 0x6a, 0x41,
+	0x9e, 0x12, 0xd6, 0x77, 0xb8, 0x2a, 0xed, 0x57, 0x53, 0x5e, 0x6b, 0xdc, 0xe4, 0x7d, 0x66, 0x80,
+	0xa8, 0x51, 0x58, 0xea, 0x63, 0x85, 0xa3, 0xff, 0x3d, 0x03, 0xe5, 0xdb, 0xe6, 0x01, 0x71, 0xf6,
+	0x89, 0x43, 0x2c, 0xee, 0x51, 0xf4, 0x53, 0x28, 0x75, 0x4d, 0x6e, 0x1d, 0x49, 0x6a, 0xd0, 0x5b,
+	0x36, 0xd3, 0x19, 0x4a, 0x20, 0xd5, 0xf7, 0x22, 0x98, 0x1d, 0x97, 0xd3, 0x33, 0xe3, 0x15, 0xb5,
+	0xb0, 0x52, 0x8c, 0x83, 0xe3, 0xd6, 0xe4, 0x83, 0x40, 0x7e, 0xef, 0x9c, 0xf6, 0xc4, 0x25, 0x3a,
+	0xfd, 0x3b, 0x24, 0xe1, 0x02, 0x26, 0xef, 0xf7, 0x6d, 0x4a, 0xba, 0xc4, 0xe5, 0xd1, 0x83, 0x60,
+	0x6f, 0x04, 0x1f, 0x8f, 0x59, 0x5c, 0xbd, 0x01, 0x4b, 0xa3, 0xce, 0xa3, 0x25, 0xc8, 0x1e, 0x93,
+	0x33, 0x3f, 0x16, 0xb0, 0xf8, 0x89, 0x56, 0x20, 0x77, 0x62, 0x3a, 0x7d, 0x55, 0x7f, 0xb0, 0xff,
+	0x71, 0x3d, 0x73, 0x4d, 0xd3, 0x7f, 0xaf, 0x41, 0x65, 0x92, 0x23, 0xe8, 0x8b, 0x31, 0x20, 0xa3,
+	0xa4, 0xbc, 0xca, 0xbe, 0x4b, 0xce, 0x7c, 0xd4, 0x1d, 0x28, 0x78, 0x3d, 0xf1, 0x84, 0xf3, 0xa8,
+	0x8a, 0xf3, 0x37, 0x83, 0xd8, 0xbd, 0xab, 0xe8, 0xe7, 0x83, 0xda, 0x95, 0x04, 0x7c, 0xc0, 0xc0,
+	0xa1, 0x2a, 0xd2, 0x21, 0x2f, 0xfd, 0x11, 0x97, 0xb2, 0x68, 0x9f, 0xe4, 0xe1, 0xdf, 0x97, 0x14,
+	0xac, 0x38, 0xfa, 0x9f, 0x34, 0x98, 0x95, 0xed, 0xe1, 0x43, 0x28, 0x88, 0xfd, 0x6b, 0x9b, 0xdc,
+	0x94, 0x7e, 0xa5, 0x7e, 0x4c, 0x08, 0xed, 0x3d, 0xc2, 0xcd, 0x28, 0xbf, 0x02, 0x0a, 0x0e, 0x11,
+	0x11, 0x86, 0x9c, 0xcd, 0x49, 0x37, 0x38, 0xc8, 0xb7, 0x26, 0x42, 0xab, 0xf7, 0x6f, 0x1d, 0x9b,
+	0x8f, 0x76, 0x4e, 0x39, 0x71, 0xc5, 0x61, 0x44, 0xc5, 0x60, 0x57, 0x60, 0x60, 0x1f, 0x4a, 0xff,
+	0x83, 0x06, 0xa1, 0x29, 0x91, 0xee, 0x8c, 0x38, 0x87, 0xb7, 0x6d, 0xf7, 0x58, 0x6d, 0x6b, 0xe8,
+	0xce, 0xbe, 0xa2, 0xe3, 0x50, 0xe2, 0xa2, 0x2b, 0x36, 0x33, 0xe5, 0x15, 0x7b, 0x15, 0x0a, 0x96,
+	0xe7, 0x72, 0xdb, 0xed, 0x8f, 0xd5, 0x97, 0x6d, 0x45, 0xc7, 0xa1, 0x84, 0xfe, 0x2c, 0x0b, 0x25,
+	0xe1, 0x6b, 0x70, 0xc7, 0x7f, 0x13, 0xca, 0x4e, 0xfc, 0xf4, 0x94, 0xcf, 0x57, 0x14, 0x44, 0x32,
+	0x1f, 0x71, 0x52, 0x56, 0x28, 0x1f, 0xda, 0xc4, 0x69, 0x87, 0xca, 0x99, 0xa4, 0xf2, 0xcd, 0x38,
+	0x13, 0x27, 0x65, 0x45, 0x9d, 0x7d, 0x24, 0xe2, 0x5a, 0x35, 0x6a, 0xe1, 0xd6, 0x7e, 0x4f, 0x10,
+	0xb1, 0xcf, 0xbb, 0x68, 0x7f, 0x66, 0xa7, 0xdc, 0x9f, 0xeb, 0xb0, 0x20, 0x0e, 0xd2, 0xeb, 0xf3,
+	0xa0, 0x9b, 0xcd, 0xc9, 0xbe, 0x0b, 0x0d, 0x07, 0xb5, 0x85, 0xf7, 0x12, 0x1c, 0x3c, 0x22, 0x39,
+	0xb1, 0x7d, 0xc9, 0x7f, 0xda, 0xf6, 0x45, 0xac, 0xda, 0xb1, 0xbb, 0x36, 0xaf, 0xcc, 0x49, 0x27,
+	0xc2, 0x55, 0xdf, 0x16, 0x44, 0xec, 0xf3, 0x12, 0x47, 0x5a, 0xb8, 0xf4, 0x48, 0xdf, 0x87, 0xe2,
+	0x9e, 0x6d, 0x51, 0x4f, 0xac, 0x45, 0x5c, 0x4c, 0x2c, 0xd1, 0xb4, 0x87, 0x05, 0x3c, 0x58, 0x63,
+	0xc0, 0x17, 0xae, 0xb8, 0xa6, 0xeb, 0xf9, 0xad, 0x79, 0x2e, 0x72, 0xe5, 0x8e, 0x20, 0x62, 0x9f,
+	0x77, 0x7d, 0x45, 0xdc, 0x47, 0xbf, 0x7c, 0x52, 0x9b, 0x79, 0xfc, 0xa4, 0x36, 0xf3, 0xe1, 0x13,
+	0x75, 0x37, 0xfd, 0x0b, 0x00, 0xee, 0x1e, 0xfc, 0x98, 0x58, 0x7e, 0xcc, 0x5f, 0xfe, 0x2a, 0x17,
+	0x3d, 0x86, 0x1a, 0x06, 0xc9, 0x17, 0x6c, 0x66, 0xa4, 0xc7, 0x88, 0xf1, 0x70, 0x42, 0x12, 0x35,
+	0xa0, 0x18, 0xbe, 0xd4, 0x55, 0x7c, 0x2f, 0x2b, 0xb5, 0x62, 0xf8, 0x9c, 0xc7, 0x91, 0x4c, 0x22,
+	0x01, 0x67, 0x2f, 0x4d, 0x40, 0x03, 0xb2, 0x7d, 0xbb, 0x2d, 0x43, 0xa2, 0x68, 0x7c, 0x35, 0x28,
+	0x80, 0xf7, 0x76, 0x9b, 0xe7, 0x83, 0xda, 0x6b, 0x93, 0x66, 0x5c, 0xfc, 0xac, 0x47, 0x58, 0xfd,
+	0xde, 0x6e, 0x13, 0x0b, 0xe5, 0x8b, 0x82, 0x34, 0x3f, 0x65, 0x90, 0x6e, 0x02, 0xa8, 0x55, 0x0b,
+	0x6d, 0x3f, 0x36, 0xc2, 0xa9, 0xc5, 0xad, 0x90, 0x83, 0x63, 0x52, 0x88, 0xc1, 0xb2, 0x45, 0x89,
+	0xfc, 0x2d, 0x8e, 0x9e, 0x71, 0xb3, 0xeb, 0xbf, 0xdb, 0x4b, 0x9b, 0x5f, 0x4e, 0x57, 0x31, 0x85,
+	0x9a, 0xf1, 0xaa, 0x32, 0xb3, 0xbc, 0x3d, 0x0a, 0x86, 0xc7, 0xf1, 0x91, 0x07, 0xcb, 0x6d, 0xf5,
+	0xea, 0x89, 0x8c, 0x16, 0xa7, 0x36, 0x7a, 0x45, 0x18, 0x6c, 0x8e, 0x02, 0xe1, 0x71, 0x6c, 0xf4,
+	0x43, 0x58, 0x0d, 0x88, 0xe3, 0x4f, 0xcf, 0x0a, 0xc8, 0x9d, 0xaa, 0x8a, 0xc7, 0x70, 0x73, 0xa2,
+	0x14, 0x7e, 0x01, 0x02, 0x6a, 0x43, 0xde, 0xf1, 0xbb, 0x8b, 0x92, 0xbc, 0x11, 0xbe, 0x95, 0x6e,
+	0x15, 0x51, 0xf4, 0xd7, 0xe3, 0x5d, 0x45, 0xf8, 0xfc, 0x52, 0x0d, 0x85, 0xc2, 0x46, 0xa7, 0x50,
+	0x32, 0x5d, 0xd7, 0xe3, 0xa6, 0xff, 0x18, 0x9e, 0x97, 0xa6, 0xb6, 0xa6, 0x36, 0xb5, 0x15, 0x61,
+	0x8c, 0x74, 0x31, 0x31, 0x0e, 0x8e, 0x9b, 0x42, 0x8f, 0x60, 0xd1, 0x7b, 0xe4, 0x12, 0x8a, 0xc9,
+	0x21, 0xa1, 0xc4, 0xb5, 0x08, 0xab, 0x94, 0xa5, 0xf5, 0xaf, 0xa5, 0xb4, 0x9e, 0x50, 0x8e, 0x42,
+	0x3a, 0x49, 0x67, 0x78, 0xd4, 0x0a, 0xaa, 0x03, 0x1c, 0xda, 0xae, 0xea, 0x45, 0x2b, 0x0b, 0xd1,
+	0xe8, 0xe9, 0x66, 0x48, 0xc5, 0x31, 0x09, 0xf4, 0x75, 0x28, 0x59, 0x4e, 0x9f, 0x71, 0xe2, 0xcf,
+	0xb8, 0x16, 0x65, 0x06, 0x85, 0xeb, 0xdb, 0x8e, 0x58, 0x38, 0x2e, 0x87, 0x8e, 0x60, 0xde, 0x8e,
+	0x35, 0xbd, 0x95, 0x25, 0x19, 0x8b, 0x9b, 0x53, 0x77, 0xba, 0xcc, 0x58, 0x12, 0x95, 0x28, 0x4e,
+	0xc1, 0x09, 0xe4, 0xd5, 0x6f, 0x40, 0xe9, 0x53, 0xf6, 0x60, 0xa2, 0x87, 0x1b, 0x3d, 0xba, 0xa9,
+	0x7a, 0xb8, 0xbf, 0x66, 0x60, 0x21, 0xb9, 0xe1, 0xe1, 0x5b, 0x47, 0x9b, 0x38, 0xb3, 0x0c, 0xaa,
+	0x72, 0x76, 0x62, 0x55, 0x56, 0xc5, 0x6f, 0xf6, 0x65, 0x8a, 0xdf, 0x26, 0x80, 0xd9, 0xb3, 0x83,
+	0xba, 0xe7, 0xd7, 0xd1, 0xb0, 0x72, 0x45, 0x53, 0x34, 0x1c, 0x93, 0x92, 0x53, 0x49, 0xcf, 0xe5,
+	0xd4, 0x73, 0x1c, 0x42, 0xd5, 0x65, 0xea, 0x4f, 0x25, 0x43, 0x2a, 0x8e, 0x49, 0xa0, 0x9b, 0x80,
+	0x0e, 0x1c, 0xcf, 0x3a, 0x96, 0x5b, 0x10, 0xe4, 0xb9, 0xac, 0x92, 0x05, 0x7f, 0x28, 0x65, 0x8c,
+	0x71, 0xf1, 0x05, 0x1a, 0xfa, 0x5d, 0x48, 0x8e, 0x91, 0xd0, 0x0d, 0x7f, 0x03, 0xb4, 0x70, 0xce,
+	0x33, 0xdd, 0xe2, 0xf5, 0xab, 0x50, 0xc4, 0x9e, 0xc7, 0x5b, 0x26, 0x3f, 0x62, 0xa8, 0x06, 0xb9,
+	0x9e, 0xf8, 0xa1, 0x66, 0x84, 0x72, 0xec, 0x2b, 0x39, 0xd8, 0xa7, 0xeb, 0xbf, 0xd2, 0xe0, 0xd5,
+	0x89, 0x23, 0x3b, 0xb1, 0x91, 0x56, 0xf8, 0xa5, 0x5c, 0x0a, 0x37, 0x32, 0x92, 0xc3, 0x31, 0x29,
+	0xd1, 0x80, 0x25, 0xe6, 0x7c, 0xa3, 0x0d, 0x58, 0xc2, 0x1a, 0x4e, 0xca, 0xea, 0xff, 0xce, 0x40,
+	0xde, 0x7f, 0x8d, 0xfd, 0x97, 0x7b, 0xee, 0x37, 0x20, 0xcf, 0xa4, 0x1d, 0xe5, 0x5e, 0x58, 0x24,
+	0x7d, 0xeb, 0x58, 0x71, 0x45, 0xef, 0xd2, 0x25, 0x8c, 0x99, 0x9d, 0x20, 0x66, 0xc3, 0xde, 0x65,
+	0xcf, 0x27, 0xe3, 0x80, 0x8f, 0xde, 0x11, 0x8f, 0x4f, 0x93, 0x85, 0xed, 0x60, 0x35, 0x80, 0xc4,
+	0x92, 0x7a, 0x3e, 0xa8, 0xcd, 0x2b, 0x70, 0xf9, 0x8d, 0x95, 0x34, 0x7a, 0x00, 0x73, 0x6d, 0xc2,
+	0x4d, 0xdb, 0xf1, 0xbb, 0xc0, 0xd4, 0x03, 0x49, 0x1f, 0xac, 0xe9, 0xab, 0x1a, 0x25, 0xe1, 0x93,
+	0xfa, 0xc0, 0x01, 0xa0, 0xc8, 0x37, 0xcb, 0x6b, 0xfb, 0xd3, 0xf9, 0x5c, 0x94, 0x6f, 0xdb, 0x5e,
+	0x9b, 0x60, 0xc9, 0xd1, 0x1f, 0x6b, 0x50, 0xf2, 0x91, 0xb6, 0xcd, 0x3e, 0x23, 0x68, 0x23, 0x5c,
+	0x85, 0x7f, 0xdc, 0xc1, 0x55, 0x3c, 0xfb, 0xde, 0x59, 0x8f, 0x9c, 0x0f, 0x6a, 0x45, 0x29, 0x26,
+	0x3e, 0xc2, 0x05, 0xc4, 0xf6, 0x28, 0x73, 0xc9, 0x1e, 0xbd, 0x0e, 0x39, 0xd9, 0x71, 0xab, 0xcd,
+	0x0c, 0xfb, 0x3b, 0xd9, 0x95, 0x63, 0x9f, 0xa7, 0x7f, 0x9c, 0x81, 0x72, 0x62, 0x71, 0x29, 0x9a,
+	0xb9, 0x70, 0x42, 0x92, 0x49, 0x31, 0x75, 0x9b, 0xfc, 0x3f, 0x95, 0xef, 0x43, 0xde, 0x12, 0xeb,
+	0x0b, 0xfe, 0xa9, 0xb5, 0x31, 0xcd, 0x51, 0xc8, 0x9d, 0x89, 0x22, 0x49, 0x7e, 0x32, 0xac, 0x00,
+	0xd1, 0x2d, 0x58, 0xa6, 0x84, 0xd3, 0xb3, 0xad, 0x43, 0x4e, 0x68, 0xbc, 0xed, 0xcf, 0x45, 0xed,
+	0x0e, 0x1e, 0x15, 0xc0, 0xe3, 0x3a, 0x41, 0x85, 0xcc, 0xbf, 0x44, 0x85, 0xd4, 0x1d, 0x98, 0xfd,
+	0x1f, 0xb6, 0xe6, 0x3f, 0x80, 0x62, 0xd4, 0x3c, 0x7d, 0xc6, 0x26, 0xf5, 0x1f, 0x41, 0x41, 0x44,
+	0x63, 0xd0, 0xf4, 0x5f, 0x72, 0x01, 0x25, 0xaf, 0x86, 0x4c, 0x9a, 0xab, 0x41, 0xdf, 0x04, 0xff,
+	0x5f, 0x65, 0xa2, 0x9a, 0xfa, 0x0f, 0xf5, 0x58, 0x35, 0x8d, 0xbf, 0xba, 0x63, 0x93, 0xb2, 0x5f,
+	0x68, 0x00, 0xf2, 0xd5, 0xb8, 0x73, 0x42, 0x5c, 0x2e, 0x1c, 0x13, 0x27, 0x30, 0xea, 0x98, 0x4c,
+	0x23, 0xc9, 0x41, 0xf7, 0x20, 0xef, 0xc9, 0xa6, 0x4a, 0x8d, 0xae, 0xa6, 0x9c, 0x02, 0x84, 0x51,
+	0xe7, 0x77, 0x66, 0x58, 0x81, 0x19, 0xeb, 0x4f, 0x9f, 0x57, 0x67, 0x9e, 0x3d, 0xaf, 0xce, 0x7c,
+	0xf4, 0xbc, 0x3a, 0xf3, 0xc1, 0xb0, 0xaa, 0x3d, 0x1d, 0x56, 0xb5, 0x67, 0xc3, 0xaa, 0xf6, 0xd1,
+	0xb0, 0xaa, 0x7d, 0x3c, 0xac, 0x6a, 0x8f, 0x3f, 0xa9, 0xce, 0x3c, 0xc8, 0x9c, 0x6c, 0xfc, 0x27,
+	0x00, 0x00, 0xff, 0xff, 0x66, 0xe7, 0x2a, 0x84, 0x4b, 0x20, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
new file mode 100644
index 00000000..39f257f5
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto
@@ -0,0 +1,828 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.apimachinery.pkg.apis.meta.v1;
+
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1";
+
+// APIGroup contains the name, the supported versions, and the preferred version
+// of a group.
+message APIGroup {
+  // name is the name of the group.
+  optional string name = 1;
+
+  // versions are the versions supported in this group.
+  repeated GroupVersionForDiscovery versions = 2;
+
+  // preferredVersion is the version preferred by the API server, which
+  // probably is the storage version.
+  // +optional
+  optional GroupVersionForDiscovery preferredVersion = 3;
+
+  // a map of client CIDR to server address that is serving this group.
+  // This is to help clients reach servers in the most network-efficient way possible.
+  // Clients can use the appropriate server address as per the CIDR that they match.
+  // In case of multiple matches, clients should use the longest matching CIDR.
+  // The server returns only those CIDRs that it thinks that the client can match.
+  // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
+  // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
+  repeated ServerAddressByClientCIDR serverAddressByClientCIDRs = 4;
+}
+
+// APIGroupList is a list of APIGroup, to allow clients to discover the API at
+// /apis.
+message APIGroupList {
+  // groups is a list of APIGroup.
+  repeated APIGroup groups = 1;
+}
+
+// APIResource specifies the name of a resource and whether it is namespaced.
+message APIResource {
+  // name is the plural name of the resource.
+  optional string name = 1;
+
+  // singularName is the singular name of the resource.  This allows clients to handle plural and singular opaquely.
+  // The singularName is more correct for reporting status on a single item and both singular and plural are allowed
+  // from the kubectl CLI interface.
+  optional string singularName = 6;
+
+  // namespaced indicates if a resource is namespaced or not.
+  optional bool namespaced = 2;
+
+  // group is the preferred group of the resource.  Empty implies the group of the containing resource list.
+  // For subresources, this may have a different value, for example: Scale".
+  optional string group = 8;
+
+  // version is the preferred version of the resource.  Empty implies the version of the containing resource list
+  // For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
+  optional string version = 9;
+
+  // kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')
+  optional string kind = 3;
+
+  // verbs is a list of supported kube verbs (this includes get, list, watch, create,
+  // update, patch, delete, deletecollection, and proxy)
+  optional Verbs verbs = 4;
+
+  // shortNames is a list of suggested short names of the resource.
+  repeated string shortNames = 5;
+
+  // categories is a list of the grouped resources this resource belongs to (e.g. 'all')
+  repeated string categories = 7;
+}
+
+// APIResourceList is a list of APIResource, it is used to expose the name of the
+// resources supported in a specific group and version, and if the resource
+// is namespaced.
+message APIResourceList {
+  // groupVersion is the group and version this APIResourceList is for.
+  optional string groupVersion = 1;
+
+  // resources contains the name of the resources and if they are namespaced.
+  repeated APIResource resources = 2;
+}
+
+// APIVersions lists the versions that are available, to allow clients to
+// discover the API at /api, which is the root path of the legacy v1 API.
+// 
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+message APIVersions {
+  // versions are the api versions that are available.
+  repeated string versions = 1;
+
+  // a map of client CIDR to server address that is serving this group.
+  // This is to help clients reach servers in the most network-efficient way possible.
+  // Clients can use the appropriate server address as per the CIDR that they match.
+  // In case of multiple matches, clients should use the longest matching CIDR.
+  // The server returns only those CIDRs that it thinks that the client can match.
+  // For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
+  // Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
+  repeated ServerAddressByClientCIDR serverAddressByClientCIDRs = 2;
+}
+
+// DeleteOptions may be provided when deleting an API object.
+message DeleteOptions {
+  // The duration in seconds before the object should be deleted. Value must be non-negative integer.
+  // The value zero indicates delete immediately. If this value is nil, the default grace period for the
+  // specified type will be used.
+  // Defaults to a per object value if not specified. zero means delete immediately.
+  // +optional
+  optional int64 gracePeriodSeconds = 1;
+
+  // Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be
+  // returned.
+  // +optional
+  optional Preconditions preconditions = 2;
+
+  // Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7.
+  // Should the dependent objects be orphaned. If true/false, the "orphan"
+  // finalizer will be added to/removed from the object's finalizers list.
+  // Either this field or PropagationPolicy may be set, but not both.
+  // +optional
+  optional bool orphanDependents = 3;
+
+  // Whether and how garbage collection will be performed.
+  // Either this field or OrphanDependents may be set, but not both.
+  // The default policy is decided by the existing finalizer set in the
+  // metadata.finalizers and the resource-specific default policy.
+  // +optional
+  optional string propagationPolicy = 4;
+}
+
+// Duration is a wrapper around time.Duration which supports correct
+// marshaling to YAML and JSON. In particular, it marshals into strings, which
+// can be used as map keys in json.
+message Duration {
+  optional int64 duration = 1;
+}
+
+// ExportOptions is the query options to the standard REST get call.
+message ExportOptions {
+  // Should this value be exported.  Export strips fields that a user can not specify.
+  optional bool export = 1;
+
+  // Should the export be exact.  Exact export maintains cluster-specific fields like 'Namespace'.
+  optional bool exact = 2;
+}
+
+// GetOptions is the standard query options to the standard REST get call.
+message GetOptions {
+  // When specified:
+  // - if unset, then the result is returned from remote storage based on quorum-read flag;
+  // - if it's 0, then we simply return what we currently have in cache, no guarantee;
+  // - if set to non zero, then the result is at least as fresh as given rv.
+  optional string resourceVersion = 1;
+
+  // If true, partially initialized resources are included in the response.
+  // +optional
+  optional bool includeUninitialized = 2;
+}
+
+// GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+// 
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message GroupKind {
+  optional string group = 1;
+
+  optional string kind = 2;
+}
+
+// GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+// 
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message GroupResource {
+  optional string group = 1;
+
+  optional string resource = 2;
+}
+
+// GroupVersion contains the "group" and the "version", which uniquely identifies the API.
+// 
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message GroupVersion {
+  optional string group = 1;
+
+  optional string version = 2;
+}
+
+// GroupVersion contains the "group/version" and "version" string of a version.
+// It is made a struct to keep extensibility.
+message GroupVersionForDiscovery {
+  // groupVersion specifies the API group and version in the form "group/version"
+  optional string groupVersion = 1;
+
+  // version specifies the version in the form of "version". This is to save
+  // the clients the trouble of splitting the GroupVersion.
+  optional string version = 2;
+}
+
+// GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
+// to avoid automatic coersion.  It doesn't use a GroupVersion to avoid custom marshalling
+// 
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message GroupVersionKind {
+  optional string group = 1;
+
+  optional string version = 2;
+
+  optional string kind = 3;
+}
+
+// GroupVersionResource unambiguously identifies a resource.  It doesn't anonymously include GroupVersion
+// to avoid automatic coersion.  It doesn't use a GroupVersion to avoid custom marshalling
+// 
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message GroupVersionResource {
+  optional string group = 1;
+
+  optional string version = 2;
+
+  optional string resource = 3;
+}
+
+// Initializer is information about an initializer that has not yet completed.
+message Initializer {
+  // name of the process that is responsible for initializing this object.
+  optional string name = 1;
+}
+
+// Initializers tracks the progress of initialization.
+message Initializers {
+  // Pending is a list of initializers that must execute in order before this object is visible.
+  // When the last pending initializer is removed, and no failing result is set, the initializers
+  // struct will be set to nil and the object is considered as initialized and visible to all
+  // clients.
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated Initializer pending = 1;
+
+  // If result is set with the Failure field, the object will be persisted to storage and then deleted,
+  // ensuring that other clients can observe the deletion.
+  optional Status result = 2;
+}
+
+// A label selector is a label query over a set of resources. The result of matchLabels and
+// matchExpressions are ANDed. An empty label selector matches all objects. A null
+// label selector matches no objects.
+message LabelSelector {
+  // matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+  // map is equivalent to an element of matchExpressions, whose key field is "key", the
+  // operator is "In", and the values array contains only "value". The requirements are ANDed.
+  // +optional
+  map<string, string> matchLabels = 1;
+
+  // matchExpressions is a list of label selector requirements. The requirements are ANDed.
+  // +optional
+  repeated LabelSelectorRequirement matchExpressions = 2;
+}
+
+// A label selector requirement is a selector that contains values, a key, and an operator that
+// relates the key and values.
+message LabelSelectorRequirement {
+  // key is the label key that the selector applies to.
+  // +patchMergeKey=key
+  // +patchStrategy=merge
+  optional string key = 1;
+
+  // operator represents a key's relationship to a set of values.
+  // Valid operators are In, NotIn, Exists and DoesNotExist.
+  optional string operator = 2;
+
+  // values is an array of string values. If the operator is In or NotIn,
+  // the values array must be non-empty. If the operator is Exists or DoesNotExist,
+  // the values array must be empty. This array is replaced during a strategic
+  // merge patch.
+  // +optional
+  repeated string values = 3;
+}
+
+// List holds a list of objects, which may not be known by the server.
+message List {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional ListMeta metadata = 1;
+
+  // List of objects
+  repeated k8s.io.apimachinery.pkg.runtime.RawExtension items = 2;
+}
+
+// ListMeta describes metadata that synthetic resources must have, including lists and
+// various status objects. A resource may have only one of {ObjectMeta, ListMeta}.
+message ListMeta {
+  // selfLink is a URL representing this object.
+  // Populated by the system.
+  // Read-only.
+  // +optional
+  optional string selfLink = 1;
+
+  // String that identifies the server's internal version of this object that
+  // can be used by clients to determine when objects have changed.
+  // Value must be treated as opaque by clients and passed unmodified back to the server.
+  // Populated by the system.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency
+  // +optional
+  optional string resourceVersion = 2;
+
+  // continue may be set if the user set a limit on the number of items returned, and indicates that
+  // the server has more data available. The value is opaque and may be used to issue another request
+  // to the endpoint that served this list to retrieve the next set of available objects. Continuing a
+  // list may not be possible if the server configuration has changed or more than a few minutes have
+  // passed. The resourceVersion field returned when using this continue value will be identical to
+  // the value in the first response.
+  optional string continue = 3;
+}
+
+// ListOptions is the query options to a standard REST list call.
+message ListOptions {
+  // A selector to restrict the list of returned objects by their labels.
+  // Defaults to everything.
+  // +optional
+  optional string labelSelector = 1;
+
+  // A selector to restrict the list of returned objects by their fields.
+  // Defaults to everything.
+  // +optional
+  optional string fieldSelector = 2;
+
+  // If true, partially initialized resources are included in the response.
+  // +optional
+  optional bool includeUninitialized = 6;
+
+  // Watch for changes to the described resources and return them as a stream of
+  // add, update, and remove notifications. Specify resourceVersion.
+  // +optional
+  optional bool watch = 3;
+
+  // When specified with a watch call, shows changes that occur after that particular version of a resource.
+  // Defaults to changes from the beginning of history.
+  // When specified for list:
+  // - if unset, then the result is returned from remote storage based on quorum-read flag;
+  // - if it's 0, then we simply return what we currently have in cache, no guarantee;
+  // - if set to non zero, then the result is at least as fresh as given rv.
+  // +optional
+  optional string resourceVersion = 4;
+
+  // Timeout for the list/watch call.
+  // +optional
+  optional int64 timeoutSeconds = 5;
+
+  // limit is a maximum number of responses to return for a list call. If more items exist, the
+  // server will set the `continue` field on the list metadata to a value that can be used with the
+  // same initial query to retrieve the next set of results. Setting a limit may return fewer than
+  // the requested amount of items (up to zero items) in the event all requested objects are
+  // filtered out and clients should only use the presence of the continue field to determine whether
+  // more results are available. Servers may choose not to support the limit argument and will return
+  // all of the available results. If limit is specified and the continue field is empty, clients may
+  // assume that no more results are available. This field is not supported if watch is true.
+  // 
+  // The server guarantees that the objects returned when using continue will be identical to issuing
+  // a single list call without a limit - that is, no objects created, modified, or deleted after the
+  // first request is issued will be included in any subsequent continued requests. This is sometimes
+  // referred to as a consistent snapshot, and ensures that a client that is using limit to receive
+  // smaller chunks of a very large result can ensure they see all possible objects. If objects are
+  // updated during a chunked list the version of the object that was present at the time the first list
+  // result was calculated is returned.
+  optional int64 limit = 7;
+
+  // The continue option should be set when retrieving more results from the server. Since this value
+  // is server defined, clients may only use the continue value from a previous query result with
+  // identical query parameters (except for the value of continue) and the server may reject a continue
+  // value it does not recognize. If the specified continue value is no longer valid whether due to
+  // expiration (generally five to fifteen minutes) or a configuration change on the server the server
+  // will respond with a 410 ResourceExpired error indicating the client must restart their list without
+  // the continue field. This field is not supported when watch is true. Clients may start a watch from
+  // the last resourceVersion value returned by the server and not miss any modifications.
+  optional string continue = 8;
+}
+
+// MicroTime is version of Time with microsecond level precision.
+// 
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message MicroTime {
+  // Represents seconds of UTC time since Unix epoch
+  // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+  // 9999-12-31T23:59:59Z inclusive.
+  optional int64 seconds = 1;
+
+  // Non-negative fractions of a second at nanosecond resolution. Negative
+  // second values with fractions must still have non-negative nanos values
+  // that count forward in time. Must be from 0 to 999,999,999
+  // inclusive. This field may be limited in precision depending on context.
+  optional int32 nanos = 2;
+}
+
+// ObjectMeta is metadata that all persisted resources must have, which includes all objects
+// users must create.
+message ObjectMeta {
+  // Name must be unique within a namespace. Is required when creating resources, although
+  // some resources may allow a client to request the generation of an appropriate name
+  // automatically. Name is primarily intended for creation idempotence and configuration
+  // definition.
+  // Cannot be updated.
+  // More info: http://kubernetes.io/docs/user-guide/identifiers#names
+  // +optional
+  optional string name = 1;
+
+  // GenerateName is an optional prefix, used by the server, to generate a unique
+  // name ONLY IF the Name field has not been provided.
+  // If this field is used, the name returned to the client will be different
+  // than the name passed. This value will also be combined with a unique suffix.
+  // The provided value has the same validation rules as the Name field,
+  // and may be truncated by the length of the suffix required to make the value
+  // unique on the server.
+  // 
+  // If this field is specified and the generated name exists, the server will
+  // NOT return a 409 - instead, it will either return 201 Created or 500 with Reason
+  // ServerTimeout indicating a unique name could not be found in the time allotted, and the client
+  // should retry (optionally after the time indicated in the Retry-After header).
+  // 
+  // Applied only if Name is not specified.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency
+  // +optional
+  optional string generateName = 2;
+
+  // Namespace defines the space within each name must be unique. An empty namespace is
+  // equivalent to the "default" namespace, but "default" is the canonical representation.
+  // Not all objects are required to be scoped to a namespace - the value of this field for
+  // those objects will be empty.
+  // 
+  // Must be a DNS_LABEL.
+  // Cannot be updated.
+  // More info: http://kubernetes.io/docs/user-guide/namespaces
+  // +optional
+  optional string namespace = 3;
+
+  // SelfLink is a URL representing this object.
+  // Populated by the system.
+  // Read-only.
+  // +optional
+  optional string selfLink = 4;
+
+  // UID is the unique in time and space value for this object. It is typically generated by
+  // the server on successful creation of a resource and is not allowed to change on PUT
+  // operations.
+  // 
+  // Populated by the system.
+  // Read-only.
+  // More info: http://kubernetes.io/docs/user-guide/identifiers#uids
+  // +optional
+  optional string uid = 5;
+
+  // An opaque value that represents the internal version of this object that can
+  // be used by clients to determine when objects have changed. May be used for optimistic
+  // concurrency, change detection, and the watch operation on a resource or set of resources.
+  // Clients must treat these values as opaque and passed unmodified back to the server.
+  // They may only be valid for a particular resource or set of resources.
+  // 
+  // Populated by the system.
+  // Read-only.
+  // Value must be treated as opaque by clients and .
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency
+  // +optional
+  optional string resourceVersion = 6;
+
+  // A sequence number representing a specific generation of the desired state.
+  // Populated by the system. Read-only.
+  // +optional
+  optional int64 generation = 7;
+
+  // CreationTimestamp is a timestamp representing the server time when this object was
+  // created. It is not guaranteed to be set in happens-before order across separate operations.
+  // Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+  // 
+  // Populated by the system.
+  // Read-only.
+  // Null for lists.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional Time creationTimestamp = 8;
+
+  // DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
+  // field is set by the server when a graceful deletion is requested by the user, and is not
+  // directly settable by a client. The resource is expected to be deleted (no longer visible
+  // from resource lists, and not reachable by name) after the time in this field. Once set,
+  // this value may not be unset or be set further into the future, although it may be shortened
+  // or the resource may be deleted prior to this time. For example, a user may request that
+  // a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination
+  // signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard
+  // termination signal (SIGKILL) to the container and after cleanup, remove the pod from the
+  // API. In the presence of network partitions, this object may still exist after this
+  // timestamp, until an administrator or automated process can determine the resource is
+  // fully terminated.
+  // If not set, graceful deletion of the object has not been requested.
+  // 
+  // Populated by the system when a graceful deletion is requested.
+  // Read-only.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional Time deletionTimestamp = 9;
+
+  // Number of seconds allowed for this object to gracefully terminate before
+  // it will be removed from the system. Only set when deletionTimestamp is also set.
+  // May only be shortened.
+  // Read-only.
+  // +optional
+  optional int64 deletionGracePeriodSeconds = 10;
+
+  // Map of string keys and values that can be used to organize and categorize
+  // (scope and select) objects. May match selectors of replication controllers
+  // and services.
+  // More info: http://kubernetes.io/docs/user-guide/labels
+  // +optional
+  map<string, string> labels = 11;
+
+  // Annotations is an unstructured key value map stored with a resource that may be
+  // set by external tools to store and retrieve arbitrary metadata. They are not
+  // queryable and should be preserved when modifying objects.
+  // More info: http://kubernetes.io/docs/user-guide/annotations
+  // +optional
+  map<string, string> annotations = 12;
+
+  // List of objects depended by this object. If ALL objects in the list have
+  // been deleted, this object will be garbage collected. If this object is managed by a controller,
+  // then an entry in this list will point to this controller, with the controller field set to true.
+  // There cannot be more than one managing controller.
+  // +optional
+  // +patchMergeKey=uid
+  // +patchStrategy=merge
+  repeated OwnerReference ownerReferences = 13;
+
+  // An initializer is a controller which enforces some system invariant at object creation time.
+  // This field is a list of initializers that have not yet acted on this object. If nil or empty,
+  // this object has been completely initialized. Otherwise, the object is considered uninitialized
+  // and is hidden (in list/watch and get calls) from clients that haven't explicitly asked to
+  // observe uninitialized objects.
+  // 
+  // When an object is created, the system will populate this list with the current set of initializers.
+  // Only privileged users may set or modify this list. Once it is empty, it may not be modified further
+  // by any user.
+  optional Initializers initializers = 16;
+
+  // Must be empty before the object is deleted from the registry. Each entry
+  // is an identifier for the responsible component that will remove the entry
+  // from the list. If the deletionTimestamp of the object is non-nil, entries
+  // in this list can only be removed.
+  // +optional
+  // +patchStrategy=merge
+  repeated string finalizers = 14;
+
+  // The name of the cluster which the object belongs to.
+  // This is used to distinguish resources with same name and namespace in different clusters.
+  // This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.
+  // +optional
+  optional string clusterName = 15;
+}
+
+// OwnerReference contains enough information to let you identify an owning
+// object. Currently, an owning object must be in the same namespace, so there
+// is no namespace field.
+message OwnerReference {
+  // API version of the referent.
+  optional string apiVersion = 5;
+
+  // Kind of the referent.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  optional string kind = 1;
+
+  // Name of the referent.
+  // More info: http://kubernetes.io/docs/user-guide/identifiers#names
+  optional string name = 3;
+
+  // UID of the referent.
+  // More info: http://kubernetes.io/docs/user-guide/identifiers#uids
+  optional string uid = 4;
+
+  // If true, this reference points to the managing controller.
+  // +optional
+  optional bool controller = 6;
+
+  // If true, AND if the owner has the "foregroundDeletion" finalizer, then
+  // the owner cannot be deleted from the key-value store until this
+  // reference is removed.
+  // Defaults to false.
+  // To set this field, a user needs "delete" permission of the owner,
+  // otherwise 422 (Unprocessable Entity) will be returned.
+  // +optional
+  optional bool blockOwnerDeletion = 7;
+}
+
+// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.
+message Preconditions {
+  // Specifies the target UID.
+  // +optional
+  optional string uid = 1;
+}
+
+// RootPaths lists the paths available at root.
+// For example: "/healthz", "/apis".
+message RootPaths {
+  // paths are the paths available at root.
+  repeated string paths = 1;
+}
+
+// ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.
+message ServerAddressByClientCIDR {
+  // The CIDR with which clients can match their IP to figure out the server address that they should use.
+  optional string clientCIDR = 1;
+
+  // Address of this server, suitable for a client that matches the above CIDR.
+  // This can be a hostname, hostname:port, IP or IP:port.
+  optional string serverAddress = 2;
+}
+
+// Status is a return value for calls that don't return other objects.
+message Status {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional ListMeta metadata = 1;
+
+  // Status of the operation.
+  // One of: "Success" or "Failure".
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+  // +optional
+  optional string status = 2;
+
+  // A human-readable description of the status of this operation.
+  // +optional
+  optional string message = 3;
+
+  // A machine-readable description of why this operation is in the
+  // "Failure" status. If this value is empty there
+  // is no information available. A Reason clarifies an HTTP status
+  // code but does not override it.
+  // +optional
+  optional string reason = 4;
+
+  // Extended data associated with the reason.  Each reason may define its
+  // own extended details. This field is optional and the data returned
+  // is not guaranteed to conform to any schema except that defined by
+  // the reason type.
+  // +optional
+  optional StatusDetails details = 5;
+
+  // Suggested HTTP return code for this status, 0 if not set.
+  // +optional
+  optional int32 code = 6;
+}
+
+// StatusCause provides more information about an api.Status failure, including
+// cases when multiple errors are encountered.
+message StatusCause {
+  // A machine-readable description of the cause of the error. If this value is
+  // empty there is no information available.
+  // +optional
+  optional string reason = 1;
+
+  // A human-readable description of the cause of the error.  This field may be
+  // presented as-is to a reader.
+  // +optional
+  optional string message = 2;
+
+  // The field of the resource that has caused this error, as named by its JSON
+  // serialization. May include dot and postfix notation for nested attributes.
+  // Arrays are zero-indexed.  Fields may appear more than once in an array of
+  // causes due to fields having multiple errors.
+  // Optional.
+  // 
+  // Examples:
+  //   "name" - the field "name" on the current resource
+  //   "items[0].name" - the field "name" on the first array entry in "items"
+  // +optional
+  optional string field = 3;
+}
+
+// StatusDetails is a set of additional properties that MAY be set by the
+// server to provide additional information about a response. The Reason
+// field of a Status object defines what attributes will be set. Clients
+// must ignore fields that do not match the defined type of each attribute,
+// and should assume that any attribute may be empty, invalid, or under
+// defined.
+message StatusDetails {
+  // The name attribute of the resource associated with the status StatusReason
+  // (when there is a single name which can be described).
+  // +optional
+  optional string name = 1;
+
+  // The group attribute of the resource associated with the status StatusReason.
+  // +optional
+  optional string group = 2;
+
+  // The kind attribute of the resource associated with the status StatusReason.
+  // On some operations may differ from the requested resource Kind.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional string kind = 3;
+
+  // UID of the resource.
+  // (when there is a single resource which can be described).
+  // More info: http://kubernetes.io/docs/user-guide/identifiers#uids
+  // +optional
+  optional string uid = 6;
+
+  // The Causes array includes more details associated with the StatusReason
+  // failure. Not all StatusReasons may provide detailed causes.
+  // +optional
+  repeated StatusCause causes = 4;
+
+  // If specified, the time in seconds before the operation should be retried. Some errors may indicate
+  // the client must take an alternate action - for those errors this field may indicate how long to wait
+  // before taking the alternate action.
+  // +optional
+  optional int32 retryAfterSeconds = 5;
+}
+
+// Time is a wrapper around time.Time which supports correct
+// marshaling to YAML and JSON.  Wrappers are provided for many
+// of the factory methods that the time package offers.
+// 
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message Time {
+  // Represents seconds of UTC time since Unix epoch
+  // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+  // 9999-12-31T23:59:59Z inclusive.
+  optional int64 seconds = 1;
+
+  // Non-negative fractions of a second at nanosecond resolution. Negative
+  // second values with fractions must still have non-negative nanos values
+  // that count forward in time. Must be from 0 to 999,999,999
+  // inclusive. This field may be limited in precision depending on context.
+  optional int32 nanos = 2;
+}
+
+// Timestamp is a struct that is equivalent to Time, but intended for
+// protobuf marshalling/unmarshalling. It is generated into a serialization
+// that matches Time. Do not use in Go structs.
+message Timestamp {
+  // Represents seconds of UTC time since Unix epoch
+  // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+  // 9999-12-31T23:59:59Z inclusive.
+  optional int64 seconds = 1;
+
+  // Non-negative fractions of a second at nanosecond resolution. Negative
+  // second values with fractions must still have non-negative nanos values
+  // that count forward in time. Must be from 0 to 999,999,999
+  // inclusive. This field may be limited in precision depending on context.
+  optional int32 nanos = 2;
+}
+
+// TypeMeta describes an individual object in an API response or request
+// with strings representing the type of the object and its API schema version.
+// Structures that are versioned or persisted should inline TypeMeta.
+// 
+// +k8s:deepcopy-gen=false
+message TypeMeta {
+  // Kind is a string value representing the REST resource this object represents.
+  // Servers may infer this from the endpoint the client submits requests to.
+  // Cannot be updated.
+  // In CamelCase.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional string kind = 1;
+
+  // APIVersion defines the versioned schema of this representation of an object.
+  // Servers should convert recognized schemas to the latest internal value, and
+  // may reject unrecognized values.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
+  // +optional
+  optional string apiVersion = 2;
+}
+
+// Verbs masks the value so protobuf can generate
+// 
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message Verbs {
+  // items, if empty, will result in an empty slice
+
+  repeated string items = 1;
+}
+
+// Event represents a single event to a watched resource.
+// 
+// +protobuf=true
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+message WatchEvent {
+  optional string type = 1;
+
+  // Object is:
+  //  * If Type is Added or Modified: the new state of the object.
+  //  * If Type is Deleted: the state of the object immediately before deletion.
+  //  * If Type is Error: *Status is recommended; other types may make sense
+  //    depending on context.
+  optional k8s.io.apimachinery.pkg.runtime.RawExtension object = 2;
+}
+
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/group_version.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/group_version.go
new file mode 100644
index 00000000..bd4c6d9b
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/group_version.go
@@ -0,0 +1,148 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type GroupResource struct {
+	Group    string `json:"group" protobuf:"bytes,1,opt,name=group"`
+	Resource string `json:"resource" protobuf:"bytes,2,opt,name=resource"`
+}
+
+func (gr *GroupResource) String() string {
+	if len(gr.Group) == 0 {
+		return gr.Resource
+	}
+	return gr.Resource + "." + gr.Group
+}
+
+// GroupVersionResource unambiguously identifies a resource.  It doesn't anonymously include GroupVersion
+// to avoid automatic coersion.  It doesn't use a GroupVersion to avoid custom marshalling
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type GroupVersionResource struct {
+	Group    string `json:"group" protobuf:"bytes,1,opt,name=group"`
+	Version  string `json:"version" protobuf:"bytes,2,opt,name=version"`
+	Resource string `json:"resource" protobuf:"bytes,3,opt,name=resource"`
+}
+
+func (gvr *GroupVersionResource) String() string {
+	return strings.Join([]string{gvr.Group, "/", gvr.Version, ", Resource=", gvr.Resource}, "")
+}
+
+// GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type GroupKind struct {
+	Group string `json:"group" protobuf:"bytes,1,opt,name=group"`
+	Kind  string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
+}
+
+func (gk *GroupKind) String() string {
+	if len(gk.Group) == 0 {
+		return gk.Kind
+	}
+	return gk.Kind + "." + gk.Group
+}
+
+// GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
+// to avoid automatic coersion.  It doesn't use a GroupVersion to avoid custom marshalling
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type GroupVersionKind struct {
+	Group   string `json:"group" protobuf:"bytes,1,opt,name=group"`
+	Version string `json:"version" protobuf:"bytes,2,opt,name=version"`
+	Kind    string `json:"kind" protobuf:"bytes,3,opt,name=kind"`
+}
+
+func (gvk GroupVersionKind) String() string {
+	return gvk.Group + "/" + gvk.Version + ", Kind=" + gvk.Kind
+}
+
+// GroupVersion contains the "group" and the "version", which uniquely identifies the API.
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type GroupVersion struct {
+	Group   string `json:"group" protobuf:"bytes,1,opt,name=group"`
+	Version string `json:"version" protobuf:"bytes,2,opt,name=version"`
+}
+
+// Empty returns true if group and version are empty
+func (gv GroupVersion) Empty() bool {
+	return len(gv.Group) == 0 && len(gv.Version) == 0
+}
+
+// String puts "group" and "version" into a single "group/version" string. For the legacy v1
+// it returns "v1".
+func (gv GroupVersion) String() string {
+	// special case the internal apiVersion for the legacy kube types
+	if gv.Empty() {
+		return ""
+	}
+
+	// special case of "v1" for backward compatibility
+	if len(gv.Group) == 0 && gv.Version == "v1" {
+		return gv.Version
+	}
+	if len(gv.Group) > 0 {
+		return gv.Group + "/" + gv.Version
+	}
+	return gv.Version
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (gv GroupVersion) MarshalJSON() ([]byte, error) {
+	s := gv.String()
+	if strings.Count(s, "/") > 1 {
+		return []byte{}, fmt.Errorf("illegal GroupVersion %v: contains more than one /", s)
+	}
+	return json.Marshal(s)
+}
+
+func (gv *GroupVersion) unmarshal(value []byte) error {
+	var s string
+	if err := json.Unmarshal(value, &s); err != nil {
+		return err
+	}
+	parsed, err := schema.ParseGroupVersion(s)
+	if err != nil {
+		return err
+	}
+	gv.Group, gv.Version = parsed.Group, parsed.Version
+	return nil
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (gv *GroupVersion) UnmarshalJSON(value []byte) error {
+	return gv.unmarshal(value)
+}
+
+// UnmarshalTEXT implements the Ugorji's encoding.TextUnmarshaler interface.
+func (gv *GroupVersion) UnmarshalText(value []byte) error {
+	return gv.unmarshal(value)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/helpers.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/helpers.go
new file mode 100644
index 00000000..d845d7b0
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/helpers.go
@@ -0,0 +1,234 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/selection"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// LabelSelectorAsSelector converts the LabelSelector api type into a struct that implements
+// labels.Selector
+// Note: This function should be kept in sync with the selector methods in pkg/labels/selector.go
+func LabelSelectorAsSelector(ps *LabelSelector) (labels.Selector, error) {
+	if ps == nil {
+		return labels.Nothing(), nil
+	}
+	if len(ps.MatchLabels)+len(ps.MatchExpressions) == 0 {
+		return labels.Everything(), nil
+	}
+	selector := labels.NewSelector()
+	for k, v := range ps.MatchLabels {
+		r, err := labels.NewRequirement(k, selection.Equals, []string{v})
+		if err != nil {
+			return nil, err
+		}
+		selector = selector.Add(*r)
+	}
+	for _, expr := range ps.MatchExpressions {
+		var op selection.Operator
+		switch expr.Operator {
+		case LabelSelectorOpIn:
+			op = selection.In
+		case LabelSelectorOpNotIn:
+			op = selection.NotIn
+		case LabelSelectorOpExists:
+			op = selection.Exists
+		case LabelSelectorOpDoesNotExist:
+			op = selection.DoesNotExist
+		default:
+			return nil, fmt.Errorf("%q is not a valid pod selector operator", expr.Operator)
+		}
+		r, err := labels.NewRequirement(expr.Key, op, append([]string(nil), expr.Values...))
+		if err != nil {
+			return nil, err
+		}
+		selector = selector.Add(*r)
+	}
+	return selector, nil
+}
+
+// LabelSelectorAsMap converts the LabelSelector api type into a map of strings, ie. the
+// original structure of a label selector. Operators that cannot be converted into plain
+// labels (Exists, DoesNotExist, NotIn, and In with more than one value) will result in
+// an error.
+func LabelSelectorAsMap(ps *LabelSelector) (map[string]string, error) {
+	if ps == nil {
+		return nil, nil
+	}
+	selector := map[string]string{}
+	for k, v := range ps.MatchLabels {
+		selector[k] = v
+	}
+	for _, expr := range ps.MatchExpressions {
+		switch expr.Operator {
+		case LabelSelectorOpIn:
+			if len(expr.Values) != 1 {
+				return selector, fmt.Errorf("operator %q without a single value cannot be converted into the old label selector format", expr.Operator)
+			}
+			// Should we do anything in case this will override a previous key-value pair?
+			selector[expr.Key] = expr.Values[0]
+		case LabelSelectorOpNotIn, LabelSelectorOpExists, LabelSelectorOpDoesNotExist:
+			return selector, fmt.Errorf("operator %q cannot be converted into the old label selector format", expr.Operator)
+		default:
+			return selector, fmt.Errorf("%q is not a valid selector operator", expr.Operator)
+		}
+	}
+	return selector, nil
+}
+
+// ParseToLabelSelector parses a string representing a selector into a LabelSelector object.
+// Note: This function should be kept in sync with the parser in pkg/labels/selector.go
+func ParseToLabelSelector(selector string) (*LabelSelector, error) {
+	reqs, err := labels.ParseToRequirements(selector)
+	if err != nil {
+		return nil, fmt.Errorf("couldn't parse the selector string \"%s\": %v", selector, err)
+	}
+
+	labelSelector := &LabelSelector{
+		MatchLabels:      map[string]string{},
+		MatchExpressions: []LabelSelectorRequirement{},
+	}
+	for _, req := range reqs {
+		var op LabelSelectorOperator
+		switch req.Operator() {
+		case selection.Equals, selection.DoubleEquals:
+			vals := req.Values()
+			if vals.Len() != 1 {
+				return nil, fmt.Errorf("equals operator must have exactly one value")
+			}
+			val, ok := vals.PopAny()
+			if !ok {
+				return nil, fmt.Errorf("equals operator has exactly one value but it cannot be retrieved")
+			}
+			labelSelector.MatchLabels[req.Key()] = val
+			continue
+		case selection.In:
+			op = LabelSelectorOpIn
+		case selection.NotIn:
+			op = LabelSelectorOpNotIn
+		case selection.Exists:
+			op = LabelSelectorOpExists
+		case selection.DoesNotExist:
+			op = LabelSelectorOpDoesNotExist
+		case selection.GreaterThan, selection.LessThan:
+			// Adding a separate case for these operators to indicate that this is deliberate
+			return nil, fmt.Errorf("%q isn't supported in label selectors", req.Operator())
+		default:
+			return nil, fmt.Errorf("%q is not a valid label selector operator", req.Operator())
+		}
+		labelSelector.MatchExpressions = append(labelSelector.MatchExpressions, LabelSelectorRequirement{
+			Key:      req.Key(),
+			Operator: op,
+			Values:   req.Values().List(),
+		})
+	}
+	return labelSelector, nil
+}
+
+// SetAsLabelSelector converts the labels.Set object into a LabelSelector api object.
+func SetAsLabelSelector(ls labels.Set) *LabelSelector {
+	if ls == nil {
+		return nil
+	}
+
+	selector := &LabelSelector{
+		MatchLabels: make(map[string]string),
+	}
+	for label, value := range ls {
+		selector.MatchLabels[label] = value
+	}
+
+	return selector
+}
+
+// FormatLabelSelector convert labelSelector into plain string
+func FormatLabelSelector(labelSelector *LabelSelector) string {
+	selector, err := LabelSelectorAsSelector(labelSelector)
+	if err != nil {
+		return "<error>"
+	}
+
+	l := selector.String()
+	if len(l) == 0 {
+		l = "<none>"
+	}
+	return l
+}
+
+func ExtractGroupVersions(l *APIGroupList) []string {
+	var groupVersions []string
+	for _, g := range l.Groups {
+		for _, gv := range g.Versions {
+			groupVersions = append(groupVersions, gv.GroupVersion)
+		}
+	}
+	return groupVersions
+}
+
+// HasAnnotation returns a bool if passed in annotation exists
+func HasAnnotation(obj ObjectMeta, ann string) bool {
+	_, found := obj.Annotations[ann]
+	return found
+}
+
+// SetMetaDataAnnotation sets the annotation and value
+func SetMetaDataAnnotation(obj *ObjectMeta, ann string, value string) {
+	if obj.Annotations == nil {
+		obj.Annotations = make(map[string]string)
+	}
+	obj.Annotations[ann] = value
+}
+
+// SingleObject returns a ListOptions for watching a single object.
+func SingleObject(meta ObjectMeta) ListOptions {
+	return ListOptions{
+		FieldSelector:   fields.OneTermEqualSelector("metadata.name", meta.Name).String(),
+		ResourceVersion: meta.ResourceVersion,
+	}
+}
+
+// NewDeleteOptions returns a DeleteOptions indicating the resource should
+// be deleted within the specified grace period. Use zero to indicate
+// immediate deletion. If you would prefer to use the default grace period,
+// use &metav1.DeleteOptions{} directly.
+func NewDeleteOptions(grace int64) *DeleteOptions {
+	return &DeleteOptions{GracePeriodSeconds: &grace}
+}
+
+// NewPreconditionDeleteOptions returns a DeleteOptions with a UID precondition set.
+func NewPreconditionDeleteOptions(uid string) *DeleteOptions {
+	u := types.UID(uid)
+	p := Preconditions{UID: &u}
+	return &DeleteOptions{Preconditions: &p}
+}
+
+// NewUIDPreconditions returns a Preconditions with UID set.
+func NewUIDPreconditions(uid string) *Preconditions {
+	u := types.UID(uid)
+	return &Preconditions{UID: &u}
+}
+
+// HasObjectMetaSystemFieldValues returns true if fields that are managed by the system on ObjectMeta have values.
+func HasObjectMetaSystemFieldValues(meta Object) bool {
+	return !meta.GetCreationTimestamp().Time.IsZero() ||
+		len(meta.GetUID()) != 0
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/labels.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/labels.go
new file mode 100644
index 00000000..8b4c0423
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/labels.go
@@ -0,0 +1,75 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// Clones the given selector and returns a new selector with the given key and value added.
+// Returns the given selector, if labelKey is empty.
+func CloneSelectorAndAddLabel(selector *LabelSelector, labelKey, labelValue string) *LabelSelector {
+	if labelKey == "" {
+		// Don't need to add a label.
+		return selector
+	}
+
+	// Clone.
+	newSelector := new(LabelSelector)
+
+	// TODO(madhusudancs): Check if you can use deepCopy_extensions_LabelSelector here.
+	newSelector.MatchLabels = make(map[string]string)
+	if selector.MatchLabels != nil {
+		for key, val := range selector.MatchLabels {
+			newSelector.MatchLabels[key] = val
+		}
+	}
+	newSelector.MatchLabels[labelKey] = labelValue
+
+	if selector.MatchExpressions != nil {
+		newMExps := make([]LabelSelectorRequirement, len(selector.MatchExpressions))
+		for i, me := range selector.MatchExpressions {
+			newMExps[i].Key = me.Key
+			newMExps[i].Operator = me.Operator
+			if me.Values != nil {
+				newMExps[i].Values = make([]string, len(me.Values))
+				copy(newMExps[i].Values, me.Values)
+			} else {
+				newMExps[i].Values = nil
+			}
+		}
+		newSelector.MatchExpressions = newMExps
+	} else {
+		newSelector.MatchExpressions = nil
+	}
+
+	return newSelector
+}
+
+// AddLabelToSelector returns a selector with the given key and value added to the given selector's MatchLabels.
+func AddLabelToSelector(selector *LabelSelector, labelKey, labelValue string) *LabelSelector {
+	if labelKey == "" {
+		// Don't need to add a label.
+		return selector
+	}
+	if selector.MatchLabels == nil {
+		selector.MatchLabels = make(map[string]string)
+	}
+	selector.MatchLabels[labelKey] = labelValue
+	return selector
+}
+
+// SelectorHasLabel checks if the given selector contains the given label key in its MatchLabels
+func SelectorHasLabel(selector *LabelSelector, labelKey string) bool {
+	return len(selector.MatchLabels[labelKey]) > 0
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/meta.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/meta.go
new file mode 100644
index 00000000..c13fe4af
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/meta.go
@@ -0,0 +1,216 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// TODO: move this, Object, List, and Type to a different package
+type ObjectMetaAccessor interface {
+	GetObjectMeta() Object
+}
+
+// Object lets you work with object metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field (Name, UID, Namespace on lists) will be a no-op and return
+// a default value.
+type Object interface {
+	GetNamespace() string
+	SetNamespace(namespace string)
+	GetName() string
+	SetName(name string)
+	GetGenerateName() string
+	SetGenerateName(name string)
+	GetUID() types.UID
+	SetUID(uid types.UID)
+	GetResourceVersion() string
+	SetResourceVersion(version string)
+	GetGeneration() int64
+	SetGeneration(generation int64)
+	GetSelfLink() string
+	SetSelfLink(selfLink string)
+	GetCreationTimestamp() Time
+	SetCreationTimestamp(timestamp Time)
+	GetDeletionTimestamp() *Time
+	SetDeletionTimestamp(timestamp *Time)
+	GetDeletionGracePeriodSeconds() *int64
+	SetDeletionGracePeriodSeconds(*int64)
+	GetLabels() map[string]string
+	SetLabels(labels map[string]string)
+	GetAnnotations() map[string]string
+	SetAnnotations(annotations map[string]string)
+	GetInitializers() *Initializers
+	SetInitializers(initializers *Initializers)
+	GetFinalizers() []string
+	SetFinalizers(finalizers []string)
+	GetOwnerReferences() []OwnerReference
+	SetOwnerReferences([]OwnerReference)
+	GetClusterName() string
+	SetClusterName(clusterName string)
+}
+
+// ListMetaAccessor retrieves the list interface from an object
+type ListMetaAccessor interface {
+	GetListMeta() ListInterface
+}
+
+// Common lets you work with core metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+type Common interface {
+	GetResourceVersion() string
+	SetResourceVersion(version string)
+	GetSelfLink() string
+	SetSelfLink(selfLink string)
+}
+
+// ListInterface lets you work with list metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+type ListInterface interface {
+	GetResourceVersion() string
+	SetResourceVersion(version string)
+	GetSelfLink() string
+	SetSelfLink(selfLink string)
+	GetContinue() string
+	SetContinue(c string)
+}
+
+// Type exposes the type and APIVersion of versioned or internal API objects.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+type Type interface {
+	GetAPIVersion() string
+	SetAPIVersion(version string)
+	GetKind() string
+	SetKind(kind string)
+}
+
+func (meta *ListMeta) GetResourceVersion() string        { return meta.ResourceVersion }
+func (meta *ListMeta) SetResourceVersion(version string) { meta.ResourceVersion = version }
+func (meta *ListMeta) GetSelfLink() string               { return meta.SelfLink }
+func (meta *ListMeta) SetSelfLink(selfLink string)       { meta.SelfLink = selfLink }
+func (meta *ListMeta) GetContinue() string               { return meta.Continue }
+func (meta *ListMeta) SetContinue(c string)              { meta.Continue = c }
+
+func (obj *TypeMeta) GetObjectKind() schema.ObjectKind { return obj }
+
+// SetGroupVersionKind satisfies the ObjectKind interface for all objects that embed TypeMeta
+func (obj *TypeMeta) SetGroupVersionKind(gvk schema.GroupVersionKind) {
+	obj.APIVersion, obj.Kind = gvk.ToAPIVersionAndKind()
+}
+
+// GroupVersionKind satisfies the ObjectKind interface for all objects that embed TypeMeta
+func (obj *TypeMeta) GroupVersionKind() schema.GroupVersionKind {
+	return schema.FromAPIVersionAndKind(obj.APIVersion, obj.Kind)
+}
+
+func (obj *ListMeta) GetListMeta() ListInterface { return obj }
+
+func (obj *ObjectMeta) GetObjectMeta() Object { return obj }
+
+// Namespace implements metav1.Object for any object with an ObjectMeta typed field. Allows
+// fast, direct access to metadata fields for API objects.
+func (meta *ObjectMeta) GetNamespace() string                { return meta.Namespace }
+func (meta *ObjectMeta) SetNamespace(namespace string)       { meta.Namespace = namespace }
+func (meta *ObjectMeta) GetName() string                     { return meta.Name }
+func (meta *ObjectMeta) SetName(name string)                 { meta.Name = name }
+func (meta *ObjectMeta) GetGenerateName() string             { return meta.GenerateName }
+func (meta *ObjectMeta) SetGenerateName(generateName string) { meta.GenerateName = generateName }
+func (meta *ObjectMeta) GetUID() types.UID                   { return meta.UID }
+func (meta *ObjectMeta) SetUID(uid types.UID)                { meta.UID = uid }
+func (meta *ObjectMeta) GetResourceVersion() string          { return meta.ResourceVersion }
+func (meta *ObjectMeta) SetResourceVersion(version string)   { meta.ResourceVersion = version }
+func (meta *ObjectMeta) GetGeneration() int64                { return meta.Generation }
+func (meta *ObjectMeta) SetGeneration(generation int64)      { meta.Generation = generation }
+func (meta *ObjectMeta) GetSelfLink() string                 { return meta.SelfLink }
+func (meta *ObjectMeta) SetSelfLink(selfLink string)         { meta.SelfLink = selfLink }
+func (meta *ObjectMeta) GetCreationTimestamp() Time          { return meta.CreationTimestamp }
+func (meta *ObjectMeta) SetCreationTimestamp(creationTimestamp Time) {
+	meta.CreationTimestamp = creationTimestamp
+}
+func (meta *ObjectMeta) GetDeletionTimestamp() *Time { return meta.DeletionTimestamp }
+func (meta *ObjectMeta) SetDeletionTimestamp(deletionTimestamp *Time) {
+	meta.DeletionTimestamp = deletionTimestamp
+}
+func (meta *ObjectMeta) GetDeletionGracePeriodSeconds() *int64 { return meta.DeletionGracePeriodSeconds }
+func (meta *ObjectMeta) SetDeletionGracePeriodSeconds(deletionGracePeriodSeconds *int64) {
+	meta.DeletionGracePeriodSeconds = deletionGracePeriodSeconds
+}
+func (meta *ObjectMeta) GetLabels() map[string]string                 { return meta.Labels }
+func (meta *ObjectMeta) SetLabels(labels map[string]string)           { meta.Labels = labels }
+func (meta *ObjectMeta) GetAnnotations() map[string]string            { return meta.Annotations }
+func (meta *ObjectMeta) SetAnnotations(annotations map[string]string) { meta.Annotations = annotations }
+func (meta *ObjectMeta) GetInitializers() *Initializers               { return meta.Initializers }
+func (meta *ObjectMeta) SetInitializers(initializers *Initializers)   { meta.Initializers = initializers }
+func (meta *ObjectMeta) GetFinalizers() []string                      { return meta.Finalizers }
+func (meta *ObjectMeta) SetFinalizers(finalizers []string)            { meta.Finalizers = finalizers }
+
+func (meta *ObjectMeta) GetOwnerReferences() []OwnerReference {
+	if meta.OwnerReferences == nil {
+		return nil
+	}
+	ret := make([]OwnerReference, len(meta.OwnerReferences))
+	for i := 0; i < len(meta.OwnerReferences); i++ {
+		ret[i].Kind = meta.OwnerReferences[i].Kind
+		ret[i].Name = meta.OwnerReferences[i].Name
+		ret[i].UID = meta.OwnerReferences[i].UID
+		ret[i].APIVersion = meta.OwnerReferences[i].APIVersion
+		if meta.OwnerReferences[i].Controller != nil {
+			value := *meta.OwnerReferences[i].Controller
+			ret[i].Controller = &value
+		}
+		if meta.OwnerReferences[i].BlockOwnerDeletion != nil {
+			value := *meta.OwnerReferences[i].BlockOwnerDeletion
+			ret[i].BlockOwnerDeletion = &value
+		}
+	}
+	return ret
+}
+
+func (meta *ObjectMeta) SetOwnerReferences(references []OwnerReference) {
+	if references == nil {
+		meta.OwnerReferences = nil
+		return
+	}
+	newReferences := make([]OwnerReference, len(references))
+	for i := 0; i < len(references); i++ {
+		newReferences[i].Kind = references[i].Kind
+		newReferences[i].Name = references[i].Name
+		newReferences[i].UID = references[i].UID
+		newReferences[i].APIVersion = references[i].APIVersion
+		if references[i].Controller != nil {
+			value := *references[i].Controller
+			newReferences[i].Controller = &value
+		}
+		if references[i].BlockOwnerDeletion != nil {
+			value := *references[i].BlockOwnerDeletion
+			newReferences[i].BlockOwnerDeletion = &value
+		}
+	}
+	meta.OwnerReferences = newReferences
+}
+
+func (meta *ObjectMeta) GetClusterName() string {
+	return meta.ClusterName
+}
+func (meta *ObjectMeta) SetClusterName(clusterName string) {
+	meta.ClusterName = clusterName
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time.go
new file mode 100644
index 00000000..dbe20670
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time.go
@@ -0,0 +1,184 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"encoding/json"
+	"time"
+
+	openapi "k8s.io/kube-openapi/pkg/common"
+
+	"github.com/go-openapi/spec"
+	"github.com/google/gofuzz"
+)
+
+const RFC3339Micro = "2006-01-02T15:04:05.000000Z07:00"
+
+// MicroTime is version of Time with microsecond level precision.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type MicroTime struct {
+	time.Time `protobuf:"-"`
+}
+
+// DeepCopy returns a deep-copy of the MicroTime value.  The underlying time.Time
+// type is effectively immutable in the time API, so it is safe to
+// copy-by-assign, despite the presence of (unexported) Pointer fields.
+func (t *MicroTime) DeepCopyInto(out *MicroTime) {
+	*out = *t
+}
+
+// String returns the representation of the time.
+func (t MicroTime) String() string {
+	return t.Time.String()
+}
+
+// NewMicroTime returns a wrapped instance of the provided time
+func NewMicroTime(time time.Time) MicroTime {
+	return MicroTime{time}
+}
+
+// DateMicro returns the MicroTime corresponding to the supplied parameters
+// by wrapping time.Date.
+func DateMicro(year int, month time.Month, day, hour, min, sec, nsec int, loc *time.Location) MicroTime {
+	return MicroTime{time.Date(year, month, day, hour, min, sec, nsec, loc)}
+}
+
+// NowMicro returns the current local time.
+func NowMicro() MicroTime {
+	return MicroTime{time.Now()}
+}
+
+// IsZero returns true if the value is nil or time is zero.
+func (t *MicroTime) IsZero() bool {
+	if t == nil {
+		return true
+	}
+	return t.Time.IsZero()
+}
+
+// Before reports whether the time instant t is before u.
+func (t *MicroTime) Before(u *MicroTime) bool {
+	return t.Time.Before(u.Time)
+}
+
+// Equal reports whether the time instant t is equal to u.
+func (t *MicroTime) Equal(u *MicroTime) bool {
+	return t.Time.Equal(u.Time)
+}
+
+// BeforeTime reports whether the time instant t is before second-lever precision u.
+func (t *MicroTime) BeforeTime(u *Time) bool {
+	return t.Time.Before(u.Time)
+}
+
+// EqualTime reports whether the time instant t is equal to second-lever precision u.
+func (t *MicroTime) EqualTime(u *Time) bool {
+	return t.Time.Equal(u.Time)
+}
+
+// UnixMicro returns the local time corresponding to the given Unix time
+// by wrapping time.Unix.
+func UnixMicro(sec int64, nsec int64) MicroTime {
+	return MicroTime{time.Unix(sec, nsec)}
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (t *MicroTime) UnmarshalJSON(b []byte) error {
+	if len(b) == 4 && string(b) == "null" {
+		t.Time = time.Time{}
+		return nil
+	}
+
+	var str string
+	json.Unmarshal(b, &str)
+
+	pt, err := time.Parse(RFC3339Micro, str)
+	if err != nil {
+		return err
+	}
+
+	t.Time = pt.Local()
+	return nil
+}
+
+// UnmarshalQueryParameter converts from a URL query parameter value to an object
+func (t *MicroTime) UnmarshalQueryParameter(str string) error {
+	if len(str) == 0 {
+		t.Time = time.Time{}
+		return nil
+	}
+	// Tolerate requests from older clients that used JSON serialization to build query params
+	if len(str) == 4 && str == "null" {
+		t.Time = time.Time{}
+		return nil
+	}
+
+	pt, err := time.Parse(RFC3339Micro, str)
+	if err != nil {
+		return err
+	}
+
+	t.Time = pt.Local()
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaler interface.
+func (t MicroTime) MarshalJSON() ([]byte, error) {
+	if t.IsZero() {
+		// Encode unset/nil objects as JSON's "null".
+		return []byte("null"), nil
+	}
+
+	return json.Marshal(t.UTC().Format(RFC3339Micro))
+}
+
+func (_ MicroTime) OpenAPIDefinition() openapi.OpenAPIDefinition {
+	return openapi.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type:   []string{"string"},
+				Format: "date-time",
+			},
+		},
+	}
+}
+
+// MarshalQueryParameter converts to a URL query parameter value
+func (t MicroTime) MarshalQueryParameter() (string, error) {
+	if t.IsZero() {
+		// Encode unset/nil objects as an empty string
+		return "", nil
+	}
+
+	return t.UTC().Format(RFC3339Micro), nil
+}
+
+// Fuzz satisfies fuzz.Interface.
+func (t *MicroTime) Fuzz(c fuzz.Continue) {
+	if t == nil {
+		return
+	}
+	// Allow for about 1000 years of randomness.  Leave off nanoseconds
+	// because JSON doesn't represent them so they can't round-trip
+	// properly.
+	t.Time = time.Unix(c.Rand.Int63n(1000*365*24*60*60*1000*1000), 0)
+}
+
+var _ fuzz.Interface = &MicroTime{}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_proto.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_proto.go
new file mode 100644
index 00000000..14841be5
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_proto.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+)
+
+// Timestamp is declared in time_proto.go
+
+// Timestamp returns the Time as a new Timestamp value.
+func (m *MicroTime) ProtoMicroTime() *Timestamp {
+	if m == nil {
+		return &Timestamp{}
+	}
+	return &Timestamp{
+		Seconds: m.Time.Unix(),
+		Nanos:   int32(m.Time.Nanosecond()),
+	}
+}
+
+// Size implements the protobuf marshalling interface.
+func (m *MicroTime) Size() (n int) {
+	if m == nil || m.Time.IsZero() {
+		return 0
+	}
+	return m.ProtoMicroTime().Size()
+}
+
+// Reset implements the protobuf marshalling interface.
+func (m *MicroTime) Unmarshal(data []byte) error {
+	if len(data) == 0 {
+		m.Time = time.Time{}
+		return nil
+	}
+	p := Timestamp{}
+	if err := p.Unmarshal(data); err != nil {
+		return err
+	}
+	m.Time = time.Unix(p.Seconds, int64(p.Nanos)).Local()
+	return nil
+}
+
+// Marshal implements the protobuf marshalling interface.
+func (m *MicroTime) Marshal() (data []byte, err error) {
+	if m == nil || m.Time.IsZero() {
+		return nil, nil
+	}
+	return m.ProtoMicroTime().Marshal()
+}
+
+// MarshalTo implements the protobuf marshalling interface.
+func (m *MicroTime) MarshalTo(data []byte) (int, error) {
+	if m == nil || m.Time.IsZero() {
+		return 0, nil
+	}
+	return m.ProtoMicroTime().MarshalTo(data)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/register.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/register.go
new file mode 100644
index 00000000..6e449a43
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/register.go
@@ -0,0 +1,95 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name for this API.
+const GroupName = "meta.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Unversioned is group version for unversioned API objects
+// TODO: this should be v1 probably
+var Unversioned = schema.GroupVersion{Group: "", Version: "v1"}
+
+// WatchEventKind is name reserved for serializing watch events.
+const WatchEventKind = "WatchEvent"
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// AddToGroupVersion registers common meta types into schemas.
+func AddToGroupVersion(scheme *runtime.Scheme, groupVersion schema.GroupVersion) {
+	scheme.AddKnownTypeWithName(groupVersion.WithKind(WatchEventKind), &WatchEvent{})
+	scheme.AddKnownTypeWithName(
+		schema.GroupVersion{Group: groupVersion.Group, Version: runtime.APIVersionInternal}.WithKind(WatchEventKind),
+		&InternalEvent{},
+	)
+	// Supports legacy code paths, most callers should use metav1.ParameterCodec for now
+	scheme.AddKnownTypes(groupVersion,
+		&ListOptions{},
+		&ExportOptions{},
+		&GetOptions{},
+		&DeleteOptions{},
+	)
+	scheme.AddConversionFuncs(
+		Convert_versioned_Event_to_watch_Event,
+		Convert_versioned_InternalEvent_to_versioned_Event,
+		Convert_watch_Event_to_versioned_Event,
+		Convert_versioned_Event_to_versioned_InternalEvent,
+	)
+
+	// Register Unversioned types under their own special group
+	scheme.AddUnversionedTypes(Unversioned,
+		&Status{},
+		&APIVersions{},
+		&APIGroupList{},
+		&APIGroup{},
+		&APIResourceList{},
+	)
+
+	// register manually. This usually goes through the SchemeBuilder, which we cannot use here.
+	scheme.AddGeneratedDeepCopyFuncs(GetGeneratedDeepCopyFuncs()...)
+	AddConversionFuncs(scheme)
+	RegisterDefaults(scheme)
+}
+
+// scheme is the registry for the common types that adhere to the meta v1 API spec.
+var scheme = runtime.NewScheme()
+
+// ParameterCodec knows about query parameters used with the meta v1 API spec.
+var ParameterCodec = runtime.NewParameterCodec(scheme)
+
+func init() {
+	scheme.AddUnversionedTypes(SchemeGroupVersion,
+		&ListOptions{},
+		&ExportOptions{},
+		&GetOptions{},
+		&DeleteOptions{},
+	)
+
+	// register manually. This usually goes through the SchemeBuilder, which we cannot use here.
+	scheme.AddGeneratedDeepCopyFuncs(GetGeneratedDeepCopyFuncs()...)
+	RegisterDefaults(scheme)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time.go
new file mode 100644
index 00000000..435f6a8f
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time.go
@@ -0,0 +1,180 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"encoding/json"
+	"time"
+
+	openapi "k8s.io/kube-openapi/pkg/common"
+
+	"github.com/go-openapi/spec"
+	"github.com/google/gofuzz"
+)
+
+// Time is a wrapper around time.Time which supports correct
+// marshaling to YAML and JSON.  Wrappers are provided for many
+// of the factory methods that the time package offers.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type Time struct {
+	time.Time `protobuf:"-"`
+}
+
+// DeepCopyInto creates a deep-copy of the Time value.  The underlying time.Time
+// type is effectively immutable in the time API, so it is safe to
+// copy-by-assign, despite the presence of (unexported) Pointer fields.
+func (t *Time) DeepCopyInto(out *Time) {
+	*out = *t
+}
+
+// String returns the representation of the time.
+func (t Time) String() string {
+	return t.Time.String()
+}
+
+// NewTime returns a wrapped instance of the provided time
+func NewTime(time time.Time) Time {
+	return Time{time}
+}
+
+// Date returns the Time corresponding to the supplied parameters
+// by wrapping time.Date.
+func Date(year int, month time.Month, day, hour, min, sec, nsec int, loc *time.Location) Time {
+	return Time{time.Date(year, month, day, hour, min, sec, nsec, loc)}
+}
+
+// Now returns the current local time.
+func Now() Time {
+	return Time{time.Now()}
+}
+
+// IsZero returns true if the value is nil or time is zero.
+func (t *Time) IsZero() bool {
+	if t == nil {
+		return true
+	}
+	return t.Time.IsZero()
+}
+
+// Before reports whether the time instant t is before u.
+func (t *Time) Before(u *Time) bool {
+	return t.Time.Before(u.Time)
+}
+
+// Equal reports whether the time instant t is equal to u.
+func (t *Time) Equal(u *Time) bool {
+	return t.Time.Equal(u.Time)
+}
+
+// Unix returns the local time corresponding to the given Unix time
+// by wrapping time.Unix.
+func Unix(sec int64, nsec int64) Time {
+	return Time{time.Unix(sec, nsec)}
+}
+
+// Rfc3339Copy returns a copy of the Time at second-level precision.
+func (t Time) Rfc3339Copy() Time {
+	copied, _ := time.Parse(time.RFC3339, t.Format(time.RFC3339))
+	return Time{copied}
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (t *Time) UnmarshalJSON(b []byte) error {
+	if len(b) == 4 && string(b) == "null" {
+		t.Time = time.Time{}
+		return nil
+	}
+
+	var str string
+	json.Unmarshal(b, &str)
+
+	pt, err := time.Parse(time.RFC3339, str)
+	if err != nil {
+		return err
+	}
+
+	t.Time = pt.Local()
+	return nil
+}
+
+// UnmarshalQueryParameter converts from a URL query parameter value to an object
+func (t *Time) UnmarshalQueryParameter(str string) error {
+	if len(str) == 0 {
+		t.Time = time.Time{}
+		return nil
+	}
+	// Tolerate requests from older clients that used JSON serialization to build query params
+	if len(str) == 4 && str == "null" {
+		t.Time = time.Time{}
+		return nil
+	}
+
+	pt, err := time.Parse(time.RFC3339, str)
+	if err != nil {
+		return err
+	}
+
+	t.Time = pt.Local()
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaler interface.
+func (t Time) MarshalJSON() ([]byte, error) {
+	if t.IsZero() {
+		// Encode unset/nil objects as JSON's "null".
+		return []byte("null"), nil
+	}
+
+	return json.Marshal(t.UTC().Format(time.RFC3339))
+}
+
+func (_ Time) OpenAPIDefinition() openapi.OpenAPIDefinition {
+	return openapi.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type:   []string{"string"},
+				Format: "date-time",
+			},
+		},
+	}
+}
+
+// MarshalQueryParameter converts to a URL query parameter value
+func (t Time) MarshalQueryParameter() (string, error) {
+	if t.IsZero() {
+		// Encode unset/nil objects as an empty string
+		return "", nil
+	}
+
+	return t.UTC().Format(time.RFC3339), nil
+}
+
+// Fuzz satisfies fuzz.Interface.
+func (t *Time) Fuzz(c fuzz.Continue) {
+	if t == nil {
+		return
+	}
+	// Allow for about 1000 years of randomness.  Leave off nanoseconds
+	// because JSON doesn't represent them so they can't round-trip
+	// properly.
+	t.Time = time.Unix(c.Rand.Int63n(1000*365*24*60*60), 0)
+}
+
+var _ fuzz.Interface = &Time{}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto.go
new file mode 100644
index 00000000..ed72186b
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto.go
@@ -0,0 +1,92 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"time"
+)
+
+// Timestamp is a struct that is equivalent to Time, but intended for
+// protobuf marshalling/unmarshalling. It is generated into a serialization
+// that matches Time. Do not use in Go structs.
+type Timestamp struct {
+	// Represents seconds of UTC time since Unix epoch
+	// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+	// 9999-12-31T23:59:59Z inclusive.
+	Seconds int64 `json:"seconds" protobuf:"varint,1,opt,name=seconds"`
+	// Non-negative fractions of a second at nanosecond resolution. Negative
+	// second values with fractions must still have non-negative nanos values
+	// that count forward in time. Must be from 0 to 999,999,999
+	// inclusive. This field may be limited in precision depending on context.
+	Nanos int32 `json:"nanos" protobuf:"varint,2,opt,name=nanos"`
+}
+
+// Timestamp returns the Time as a new Timestamp value.
+func (m *Time) ProtoTime() *Timestamp {
+	if m == nil {
+		return &Timestamp{}
+	}
+	return &Timestamp{
+		Seconds: m.Time.Unix(),
+		// leaving this here for the record.  our JSON only handled seconds, so this results in writes by
+		// protobuf clients storing values that aren't read by json clients, which results in unexpected
+		// field mutation, which fails various validation and equality code.
+		// Nanos:   int32(m.Time.Nanosecond()),
+	}
+}
+
+// Size implements the protobuf marshalling interface.
+func (m *Time) Size() (n int) {
+	if m == nil || m.Time.IsZero() {
+		return 0
+	}
+	return m.ProtoTime().Size()
+}
+
+// Reset implements the protobuf marshalling interface.
+func (m *Time) Unmarshal(data []byte) error {
+	if len(data) == 0 {
+		m.Time = time.Time{}
+		return nil
+	}
+	p := Timestamp{}
+	if err := p.Unmarshal(data); err != nil {
+		return err
+	}
+	// leaving this here for the record.  our JSON only handled seconds, so this results in writes by
+	// protobuf clients storing values that aren't read by json clients, which results in unexpected
+	// field mutation, which fails various validation and equality code.
+	// m.Time = time.Unix(p.Seconds, int64(p.Nanos)).Local()
+	m.Time = time.Unix(p.Seconds, int64(0)).Local()
+	return nil
+}
+
+// Marshal implements the protobuf marshalling interface.
+func (m *Time) Marshal() (data []byte, err error) {
+	if m == nil || m.Time.IsZero() {
+		return nil, nil
+	}
+	return m.ProtoTime().Marshal()
+}
+
+// MarshalTo implements the protobuf marshalling interface.
+func (m *Time) MarshalTo(data []byte) (int, error) {
+	if m == nil || m.Time.IsZero() {
+		return 0, nil
+	}
+	return m.ProtoTime().MarshalTo(data)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
new file mode 100644
index 00000000..13ae66c6
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types.go
@@ -0,0 +1,931 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1 contains API types that are common to all versions.
+//
+// The package contains two categories of types:
+// - external (serialized) types that lack their own version (e.g TypeMeta)
+// - internal (never-serialized) types that are needed by several different
+//   api groups, and so live here, to avoid duplication and/or import loops
+//   (e.g. LabelSelector).
+// In the future, we will probably move these categories of objects into
+// separate packages.
+package v1
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// TypeMeta describes an individual object in an API response or request
+// with strings representing the type of the object and its API schema version.
+// Structures that are versioned or persisted should inline TypeMeta.
+//
+// +k8s:deepcopy-gen=false
+type TypeMeta struct {
+	// Kind is a string value representing the REST resource this object represents.
+	// Servers may infer this from the endpoint the client submits requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	Kind string `json:"kind,omitempty" protobuf:"bytes,1,opt,name=kind"`
+
+	// APIVersion defines the versioned schema of this representation of an object.
+	// Servers should convert recognized schemas to the latest internal value, and
+	// may reject unrecognized values.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt,name=apiVersion"`
+}
+
+// ListMeta describes metadata that synthetic resources must have, including lists and
+// various status objects. A resource may have only one of {ObjectMeta, ListMeta}.
+type ListMeta struct {
+	// selfLink is a URL representing this object.
+	// Populated by the system.
+	// Read-only.
+	// +optional
+	SelfLink string `json:"selfLink,omitempty" protobuf:"bytes,1,opt,name=selfLink"`
+
+	// String that identifies the server's internal version of this object that
+	// can be used by clients to determine when objects have changed.
+	// Value must be treated as opaque by clients and passed unmodified back to the server.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency
+	// +optional
+	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,2,opt,name=resourceVersion"`
+
+	// continue may be set if the user set a limit on the number of items returned, and indicates that
+	// the server has more data available. The value is opaque and may be used to issue another request
+	// to the endpoint that served this list to retrieve the next set of available objects. Continuing a
+	// list may not be possible if the server configuration has changed or more than a few minutes have
+	// passed. The resourceVersion field returned when using this continue value will be identical to
+	// the value in the first response.
+	Continue string `json:"continue,omitempty" protobuf:"bytes,3,opt,name=continue"`
+}
+
+// These are internal finalizer values for Kubernetes-like APIs, must be qualified name unless defined here
+const (
+	FinalizerOrphanDependents string = "orphan"
+	FinalizerDeleteDependents string = "foregroundDeletion"
+)
+
+// ObjectMeta is metadata that all persisted resources must have, which includes all objects
+// users must create.
+type ObjectMeta struct {
+	// Name must be unique within a namespace. Is required when creating resources, although
+	// some resources may allow a client to request the generation of an appropriate name
+	// automatically. Name is primarily intended for creation idempotence and configuration
+	// definition.
+	// Cannot be updated.
+	// More info: http://kubernetes.io/docs/user-guide/identifiers#names
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
+
+	// GenerateName is an optional prefix, used by the server, to generate a unique
+	// name ONLY IF the Name field has not been provided.
+	// If this field is used, the name returned to the client will be different
+	// than the name passed. This value will also be combined with a unique suffix.
+	// The provided value has the same validation rules as the Name field,
+	// and may be truncated by the length of the suffix required to make the value
+	// unique on the server.
+	//
+	// If this field is specified and the generated name exists, the server will
+	// NOT return a 409 - instead, it will either return 201 Created or 500 with Reason
+	// ServerTimeout indicating a unique name could not be found in the time allotted, and the client
+	// should retry (optionally after the time indicated in the Retry-After header).
+	//
+	// Applied only if Name is not specified.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency
+	// +optional
+	GenerateName string `json:"generateName,omitempty" protobuf:"bytes,2,opt,name=generateName"`
+
+	// Namespace defines the space within each name must be unique. An empty namespace is
+	// equivalent to the "default" namespace, but "default" is the canonical representation.
+	// Not all objects are required to be scoped to a namespace - the value of this field for
+	// those objects will be empty.
+	//
+	// Must be a DNS_LABEL.
+	// Cannot be updated.
+	// More info: http://kubernetes.io/docs/user-guide/namespaces
+	// +optional
+	Namespace string `json:"namespace,omitempty" protobuf:"bytes,3,opt,name=namespace"`
+
+	// SelfLink is a URL representing this object.
+	// Populated by the system.
+	// Read-only.
+	// +optional
+	SelfLink string `json:"selfLink,omitempty" protobuf:"bytes,4,opt,name=selfLink"`
+
+	// UID is the unique in time and space value for this object. It is typically generated by
+	// the server on successful creation of a resource and is not allowed to change on PUT
+	// operations.
+	//
+	// Populated by the system.
+	// Read-only.
+	// More info: http://kubernetes.io/docs/user-guide/identifiers#uids
+	// +optional
+	UID types.UID `json:"uid,omitempty" protobuf:"bytes,5,opt,name=uid,casttype=k8s.io/kubernetes/pkg/types.UID"`
+
+	// An opaque value that represents the internal version of this object that can
+	// be used by clients to determine when objects have changed. May be used for optimistic
+	// concurrency, change detection, and the watch operation on a resource or set of resources.
+	// Clients must treat these values as opaque and passed unmodified back to the server.
+	// They may only be valid for a particular resource or set of resources.
+	//
+	// Populated by the system.
+	// Read-only.
+	// Value must be treated as opaque by clients and .
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency
+	// +optional
+	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,6,opt,name=resourceVersion"`
+
+	// A sequence number representing a specific generation of the desired state.
+	// Populated by the system. Read-only.
+	// +optional
+	Generation int64 `json:"generation,omitempty" protobuf:"varint,7,opt,name=generation"`
+
+	// CreationTimestamp is a timestamp representing the server time when this object was
+	// created. It is not guaranteed to be set in happens-before order across separate operations.
+	// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+	//
+	// Populated by the system.
+	// Read-only.
+	// Null for lists.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	CreationTimestamp Time `json:"creationTimestamp,omitempty" protobuf:"bytes,8,opt,name=creationTimestamp"`
+
+	// DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
+	// field is set by the server when a graceful deletion is requested by the user, and is not
+	// directly settable by a client. The resource is expected to be deleted (no longer visible
+	// from resource lists, and not reachable by name) after the time in this field. Once set,
+	// this value may not be unset or be set further into the future, although it may be shortened
+	// or the resource may be deleted prior to this time. For example, a user may request that
+	// a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination
+	// signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard
+	// termination signal (SIGKILL) to the container and after cleanup, remove the pod from the
+	// API. In the presence of network partitions, this object may still exist after this
+	// timestamp, until an administrator or automated process can determine the resource is
+	// fully terminated.
+	// If not set, graceful deletion of the object has not been requested.
+	//
+	// Populated by the system when a graceful deletion is requested.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	DeletionTimestamp *Time `json:"deletionTimestamp,omitempty" protobuf:"bytes,9,opt,name=deletionTimestamp"`
+
+	// Number of seconds allowed for this object to gracefully terminate before
+	// it will be removed from the system. Only set when deletionTimestamp is also set.
+	// May only be shortened.
+	// Read-only.
+	// +optional
+	DeletionGracePeriodSeconds *int64 `json:"deletionGracePeriodSeconds,omitempty" protobuf:"varint,10,opt,name=deletionGracePeriodSeconds"`
+
+	// Map of string keys and values that can be used to organize and categorize
+	// (scope and select) objects. May match selectors of replication controllers
+	// and services.
+	// More info: http://kubernetes.io/docs/user-guide/labels
+	// +optional
+	Labels map[string]string `json:"labels,omitempty" protobuf:"bytes,11,rep,name=labels"`
+
+	// Annotations is an unstructured key value map stored with a resource that may be
+	// set by external tools to store and retrieve arbitrary metadata. They are not
+	// queryable and should be preserved when modifying objects.
+	// More info: http://kubernetes.io/docs/user-guide/annotations
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,12,rep,name=annotations"`
+
+	// List of objects depended by this object. If ALL objects in the list have
+	// been deleted, this object will be garbage collected. If this object is managed by a controller,
+	// then an entry in this list will point to this controller, with the controller field set to true.
+	// There cannot be more than one managing controller.
+	// +optional
+	// +patchMergeKey=uid
+	// +patchStrategy=merge
+	OwnerReferences []OwnerReference `json:"ownerReferences,omitempty" patchStrategy:"merge" patchMergeKey:"uid" protobuf:"bytes,13,rep,name=ownerReferences"`
+
+	// An initializer is a controller which enforces some system invariant at object creation time.
+	// This field is a list of initializers that have not yet acted on this object. If nil or empty,
+	// this object has been completely initialized. Otherwise, the object is considered uninitialized
+	// and is hidden (in list/watch and get calls) from clients that haven't explicitly asked to
+	// observe uninitialized objects.
+	//
+	// When an object is created, the system will populate this list with the current set of initializers.
+	// Only privileged users may set or modify this list. Once it is empty, it may not be modified further
+	// by any user.
+	Initializers *Initializers `json:"initializers,omitempty" protobuf:"bytes,16,opt,name=initializers"`
+
+	// Must be empty before the object is deleted from the registry. Each entry
+	// is an identifier for the responsible component that will remove the entry
+	// from the list. If the deletionTimestamp of the object is non-nil, entries
+	// in this list can only be removed.
+	// +optional
+	// +patchStrategy=merge
+	Finalizers []string `json:"finalizers,omitempty" patchStrategy:"merge" protobuf:"bytes,14,rep,name=finalizers"`
+
+	// The name of the cluster which the object belongs to.
+	// This is used to distinguish resources with same name and namespace in different clusters.
+	// This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.
+	// +optional
+	ClusterName string `json:"clusterName,omitempty" protobuf:"bytes,15,opt,name=clusterName"`
+}
+
+// Initializers tracks the progress of initialization.
+type Initializers struct {
+	// Pending is a list of initializers that must execute in order before this object is visible.
+	// When the last pending initializer is removed, and no failing result is set, the initializers
+	// struct will be set to nil and the object is considered as initialized and visible to all
+	// clients.
+	// +patchMergeKey=name
+	// +patchStrategy=merge
+	Pending []Initializer `json:"pending" protobuf:"bytes,1,rep,name=pending" patchStrategy:"merge" patchMergeKey:"name"`
+	// If result is set with the Failure field, the object will be persisted to storage and then deleted,
+	// ensuring that other clients can observe the deletion.
+	Result *Status `json:"result,omitempty" protobuf:"bytes,2,opt,name=result"`
+}
+
+// Initializer is information about an initializer that has not yet completed.
+type Initializer struct {
+	// name of the process that is responsible for initializing this object.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+}
+
+const (
+	// NamespaceDefault means the object is in the default namespace which is applied when not specified by clients
+	NamespaceDefault string = "default"
+	// NamespaceAll is the default argument to specify on a context when you want to list or filter resources across all namespaces
+	NamespaceAll string = ""
+	// NamespaceNone is the argument for a context when there is no namespace.
+	NamespaceNone string = ""
+	// NamespaceSystem is the system namespace where we place system components.
+	NamespaceSystem string = "kube-system"
+	// NamespacePublic is the namespace where we place public info (ConfigMaps)
+	NamespacePublic string = "kube-public"
+)
+
+// OwnerReference contains enough information to let you identify an owning
+// object. Currently, an owning object must be in the same namespace, so there
+// is no namespace field.
+type OwnerReference struct {
+	// API version of the referent.
+	APIVersion string `json:"apiVersion" protobuf:"bytes,5,opt,name=apiVersion"`
+	// Kind of the referent.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
+	// Name of the referent.
+	// More info: http://kubernetes.io/docs/user-guide/identifiers#names
+	Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
+	// UID of the referent.
+	// More info: http://kubernetes.io/docs/user-guide/identifiers#uids
+	UID types.UID `json:"uid" protobuf:"bytes,4,opt,name=uid,casttype=k8s.io/apimachinery/pkg/types.UID"`
+	// If true, this reference points to the managing controller.
+	// +optional
+	Controller *bool `json:"controller,omitempty" protobuf:"varint,6,opt,name=controller"`
+	// If true, AND if the owner has the "foregroundDeletion" finalizer, then
+	// the owner cannot be deleted from the key-value store until this
+	// reference is removed.
+	// Defaults to false.
+	// To set this field, a user needs "delete" permission of the owner,
+	// otherwise 422 (Unprocessable Entity) will be returned.
+	// +optional
+	BlockOwnerDeletion *bool `json:"blockOwnerDeletion,omitempty" protobuf:"varint,7,opt,name=blockOwnerDeletion"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ListOptions is the query options to a standard REST list call.
+type ListOptions struct {
+	TypeMeta `json:",inline"`
+
+	// A selector to restrict the list of returned objects by their labels.
+	// Defaults to everything.
+	// +optional
+	LabelSelector string `json:"labelSelector,omitempty" protobuf:"bytes,1,opt,name=labelSelector"`
+	// A selector to restrict the list of returned objects by their fields.
+	// Defaults to everything.
+	// +optional
+	FieldSelector string `json:"fieldSelector,omitempty" protobuf:"bytes,2,opt,name=fieldSelector"`
+	// If true, partially initialized resources are included in the response.
+	// +optional
+	IncludeUninitialized bool `json:"includeUninitialized,omitempty" protobuf:"varint,6,opt,name=includeUninitialized"`
+	// Watch for changes to the described resources and return them as a stream of
+	// add, update, and remove notifications. Specify resourceVersion.
+	// +optional
+	Watch bool `json:"watch,omitempty" protobuf:"varint,3,opt,name=watch"`
+	// When specified with a watch call, shows changes that occur after that particular version of a resource.
+	// Defaults to changes from the beginning of history.
+	// When specified for list:
+	// - if unset, then the result is returned from remote storage based on quorum-read flag;
+	// - if it's 0, then we simply return what we currently have in cache, no guarantee;
+	// - if set to non zero, then the result is at least as fresh as given rv.
+	// +optional
+	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,4,opt,name=resourceVersion"`
+	// Timeout for the list/watch call.
+	// +optional
+	TimeoutSeconds *int64 `json:"timeoutSeconds,omitempty" protobuf:"varint,5,opt,name=timeoutSeconds"`
+
+	// limit is a maximum number of responses to return for a list call. If more items exist, the
+	// server will set the `continue` field on the list metadata to a value that can be used with the
+	// same initial query to retrieve the next set of results. Setting a limit may return fewer than
+	// the requested amount of items (up to zero items) in the event all requested objects are
+	// filtered out and clients should only use the presence of the continue field to determine whether
+	// more results are available. Servers may choose not to support the limit argument and will return
+	// all of the available results. If limit is specified and the continue field is empty, clients may
+	// assume that no more results are available. This field is not supported if watch is true.
+	//
+	// The server guarantees that the objects returned when using continue will be identical to issuing
+	// a single list call without a limit - that is, no objects created, modified, or deleted after the
+	// first request is issued will be included in any subsequent continued requests. This is sometimes
+	// referred to as a consistent snapshot, and ensures that a client that is using limit to receive
+	// smaller chunks of a very large result can ensure they see all possible objects. If objects are
+	// updated during a chunked list the version of the object that was present at the time the first list
+	// result was calculated is returned.
+	Limit int64 `json:"limit,omitempty" protobuf:"varint,7,opt,name=limit"`
+	// The continue option should be set when retrieving more results from the server. Since this value
+	// is server defined, clients may only use the continue value from a previous query result with
+	// identical query parameters (except for the value of continue) and the server may reject a continue
+	// value it does not recognize. If the specified continue value is no longer valid whether due to
+	// expiration (generally five to fifteen minutes) or a configuration change on the server the server
+	// will respond with a 410 ResourceExpired error indicating the client must restart their list without
+	// the continue field. This field is not supported when watch is true. Clients may start a watch from
+	// the last resourceVersion value returned by the server and not miss any modifications.
+	Continue string `json:"continue,omitempty" protobuf:"bytes,8,opt,name=continue"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ExportOptions is the query options to the standard REST get call.
+type ExportOptions struct {
+	TypeMeta `json:",inline"`
+	// Should this value be exported.  Export strips fields that a user can not specify.
+	Export bool `json:"export" protobuf:"varint,1,opt,name=export"`
+	// Should the export be exact.  Exact export maintains cluster-specific fields like 'Namespace'.
+	Exact bool `json:"exact" protobuf:"varint,2,opt,name=exact"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// GetOptions is the standard query options to the standard REST get call.
+type GetOptions struct {
+	TypeMeta `json:",inline"`
+	// When specified:
+	// - if unset, then the result is returned from remote storage based on quorum-read flag;
+	// - if it's 0, then we simply return what we currently have in cache, no guarantee;
+	// - if set to non zero, then the result is at least as fresh as given rv.
+	ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,1,opt,name=resourceVersion"`
+	// If true, partially initialized resources are included in the response.
+	// +optional
+	IncludeUninitialized bool `json:"includeUninitialized,omitempty" protobuf:"varint,2,opt,name=includeUninitialized"`
+}
+
+// DeletionPropagation decides if a deletion will propagate to the dependents of
+// the object, and how the garbage collector will handle the propagation.
+type DeletionPropagation string
+
+const (
+	// Orphans the dependents.
+	DeletePropagationOrphan DeletionPropagation = "Orphan"
+	// Deletes the object from the key-value store, the garbage collector will
+	// delete the dependents in the background.
+	DeletePropagationBackground DeletionPropagation = "Background"
+	// The object exists in the key-value store until the garbage collector
+	// deletes all the dependents whose ownerReference.blockOwnerDeletion=true
+	// from the key-value store.  API sever will put the "foregroundDeletion"
+	// finalizer on the object, and sets its deletionTimestamp.  This policy is
+	// cascading, i.e., the dependents will be deleted with Foreground.
+	DeletePropagationForeground DeletionPropagation = "Foreground"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DeleteOptions may be provided when deleting an API object.
+type DeleteOptions struct {
+	TypeMeta `json:",inline"`
+
+	// The duration in seconds before the object should be deleted. Value must be non-negative integer.
+	// The value zero indicates delete immediately. If this value is nil, the default grace period for the
+	// specified type will be used.
+	// Defaults to a per object value if not specified. zero means delete immediately.
+	// +optional
+	GracePeriodSeconds *int64 `json:"gracePeriodSeconds,omitempty" protobuf:"varint,1,opt,name=gracePeriodSeconds"`
+
+	// Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be
+	// returned.
+	// +optional
+	Preconditions *Preconditions `json:"preconditions,omitempty" protobuf:"bytes,2,opt,name=preconditions"`
+
+	// Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7.
+	// Should the dependent objects be orphaned. If true/false, the "orphan"
+	// finalizer will be added to/removed from the object's finalizers list.
+	// Either this field or PropagationPolicy may be set, but not both.
+	// +optional
+	OrphanDependents *bool `json:"orphanDependents,omitempty" protobuf:"varint,3,opt,name=orphanDependents"`
+
+	// Whether and how garbage collection will be performed.
+	// Either this field or OrphanDependents may be set, but not both.
+	// The default policy is decided by the existing finalizer set in the
+	// metadata.finalizers and the resource-specific default policy.
+	// +optional
+	PropagationPolicy *DeletionPropagation `json:"propagationPolicy,omitempty" protobuf:"varint,4,opt,name=propagationPolicy"`
+}
+
+// Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.
+type Preconditions struct {
+	// Specifies the target UID.
+	// +optional
+	UID *types.UID `json:"uid,omitempty" protobuf:"bytes,1,opt,name=uid,casttype=k8s.io/apimachinery/pkg/types.UID"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Status is a return value for calls that don't return other objects.
+type Status struct {
+	TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Status of the operation.
+	// One of: "Success" or "Failure".
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
+	// +optional
+	Status string `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
+	// A human-readable description of the status of this operation.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,3,opt,name=message"`
+	// A machine-readable description of why this operation is in the
+	// "Failure" status. If this value is empty there
+	// is no information available. A Reason clarifies an HTTP status
+	// code but does not override it.
+	// +optional
+	Reason StatusReason `json:"reason,omitempty" protobuf:"bytes,4,opt,name=reason,casttype=StatusReason"`
+	// Extended data associated with the reason.  Each reason may define its
+	// own extended details. This field is optional and the data returned
+	// is not guaranteed to conform to any schema except that defined by
+	// the reason type.
+	// +optional
+	Details *StatusDetails `json:"details,omitempty" protobuf:"bytes,5,opt,name=details"`
+	// Suggested HTTP return code for this status, 0 if not set.
+	// +optional
+	Code int32 `json:"code,omitempty" protobuf:"varint,6,opt,name=code"`
+}
+
+// StatusDetails is a set of additional properties that MAY be set by the
+// server to provide additional information about a response. The Reason
+// field of a Status object defines what attributes will be set. Clients
+// must ignore fields that do not match the defined type of each attribute,
+// and should assume that any attribute may be empty, invalid, or under
+// defined.
+type StatusDetails struct {
+	// The name attribute of the resource associated with the status StatusReason
+	// (when there is a single name which can be described).
+	// +optional
+	Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"`
+	// The group attribute of the resource associated with the status StatusReason.
+	// +optional
+	Group string `json:"group,omitempty" protobuf:"bytes,2,opt,name=group"`
+	// The kind attribute of the resource associated with the status StatusReason.
+	// On some operations may differ from the requested resource Kind.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	Kind string `json:"kind,omitempty" protobuf:"bytes,3,opt,name=kind"`
+	// UID of the resource.
+	// (when there is a single resource which can be described).
+	// More info: http://kubernetes.io/docs/user-guide/identifiers#uids
+	// +optional
+	UID types.UID `json:"uid,omitempty" protobuf:"bytes,6,opt,name=uid,casttype=k8s.io/apimachinery/pkg/types.UID"`
+	// The Causes array includes more details associated with the StatusReason
+	// failure. Not all StatusReasons may provide detailed causes.
+	// +optional
+	Causes []StatusCause `json:"causes,omitempty" protobuf:"bytes,4,rep,name=causes"`
+	// If specified, the time in seconds before the operation should be retried. Some errors may indicate
+	// the client must take an alternate action - for those errors this field may indicate how long to wait
+	// before taking the alternate action.
+	// +optional
+	RetryAfterSeconds int32 `json:"retryAfterSeconds,omitempty" protobuf:"varint,5,opt,name=retryAfterSeconds"`
+}
+
+// Values of Status.Status
+const (
+	StatusSuccess = "Success"
+	StatusFailure = "Failure"
+)
+
+// StatusReason is an enumeration of possible failure causes.  Each StatusReason
+// must map to a single HTTP status code, but multiple reasons may map
+// to the same HTTP status code.
+// TODO: move to apiserver
+type StatusReason string
+
+const (
+	// StatusReasonUnknown means the server has declined to indicate a specific reason.
+	// The details field may contain other information about this error.
+	// Status code 500.
+	StatusReasonUnknown StatusReason = ""
+
+	// StatusReasonUnauthorized means the server can be reached and understood the request, but requires
+	// the user to present appropriate authorization credentials (identified by the WWW-Authenticate header)
+	// in order for the action to be completed. If the user has specified credentials on the request, the
+	// server considers them insufficient.
+	// Status code 401
+	StatusReasonUnauthorized StatusReason = "Unauthorized"
+
+	// StatusReasonForbidden means the server can be reached and understood the request, but refuses
+	// to take any further action.  It is the result of the server being configured to deny access for some reason
+	// to the requested resource by the client.
+	// Details (optional):
+	//   "kind" string - the kind attribute of the forbidden resource
+	//                   on some operations may differ from the requested
+	//                   resource.
+	//   "id"   string - the identifier of the forbidden resource
+	// Status code 403
+	StatusReasonForbidden StatusReason = "Forbidden"
+
+	// StatusReasonNotFound means one or more resources required for this operation
+	// could not be found.
+	// Details (optional):
+	//   "kind" string - the kind attribute of the missing resource
+	//                   on some operations may differ from the requested
+	//                   resource.
+	//   "id"   string - the identifier of the missing resource
+	// Status code 404
+	StatusReasonNotFound StatusReason = "NotFound"
+
+	// StatusReasonAlreadyExists means the resource you are creating already exists.
+	// Details (optional):
+	//   "kind" string - the kind attribute of the conflicting resource
+	//   "id"   string - the identifier of the conflicting resource
+	// Status code 409
+	StatusReasonAlreadyExists StatusReason = "AlreadyExists"
+
+	// StatusReasonConflict means the requested operation cannot be completed
+	// due to a conflict in the operation. The client may need to alter the
+	// request. Each resource may define custom details that indicate the
+	// nature of the conflict.
+	// Status code 409
+	StatusReasonConflict StatusReason = "Conflict"
+
+	// StatusReasonGone means the item is no longer available at the server and no
+	// forwarding address is known.
+	// Status code 410
+	StatusReasonGone StatusReason = "Gone"
+
+	// StatusReasonInvalid means the requested create or update operation cannot be
+	// completed due to invalid data provided as part of the request. The client may
+	// need to alter the request. When set, the client may use the StatusDetails
+	// message field as a summary of the issues encountered.
+	// Details (optional):
+	//   "kind" string - the kind attribute of the invalid resource
+	//   "id"   string - the identifier of the invalid resource
+	//   "causes"      - one or more StatusCause entries indicating the data in the
+	//                   provided resource that was invalid.  The code, message, and
+	//                   field attributes will be set.
+	// Status code 422
+	StatusReasonInvalid StatusReason = "Invalid"
+
+	// StatusReasonServerTimeout means the server can be reached and understood the request,
+	// but cannot complete the action in a reasonable time. The client should retry the request.
+	// This is may be due to temporary server load or a transient communication issue with
+	// another server. Status code 500 is used because the HTTP spec provides no suitable
+	// server-requested client retry and the 5xx class represents actionable errors.
+	// Details (optional):
+	//   "kind" string - the kind attribute of the resource being acted on.
+	//   "id"   string - the operation that is being attempted.
+	//   "retryAfterSeconds" int32 - the number of seconds before the operation should be retried
+	// Status code 500
+	StatusReasonServerTimeout StatusReason = "ServerTimeout"
+
+	// StatusReasonTimeout means that the request could not be completed within the given time.
+	// Clients can get this response only when they specified a timeout param in the request,
+	// or if the server cannot complete the operation within a reasonable amount of time.
+	// The request might succeed with an increased value of timeout param. The client *should*
+	// wait at least the number of seconds specified by the retryAfterSeconds field.
+	// Details (optional):
+	//   "retryAfterSeconds" int32 - the number of seconds before the operation should be retried
+	// Status code 504
+	StatusReasonTimeout StatusReason = "Timeout"
+
+	// StatusReasonTooManyRequests means the server experienced too many requests within a
+	// given window and that the client must wait to perform the action again. A client may
+	// always retry the request that led to this error, although the client should wait at least
+	// the number of seconds specified by the retryAfterSeconds field.
+	// Details (optional):
+	//   "retryAfterSeconds" int32 - the number of seconds before the operation should be retried
+	// Status code 429
+	StatusReasonTooManyRequests StatusReason = "TooManyRequests"
+
+	// StatusReasonBadRequest means that the request itself was invalid, because the request
+	// doesn't make any sense, for example deleting a read-only object.  This is different than
+	// StatusReasonInvalid above which indicates that the API call could possibly succeed, but the
+	// data was invalid.  API calls that return BadRequest can never succeed.
+	StatusReasonBadRequest StatusReason = "BadRequest"
+
+	// StatusReasonMethodNotAllowed means that the action the client attempted to perform on the
+	// resource was not supported by the code - for instance, attempting to delete a resource that
+	// can only be created. API calls that return MethodNotAllowed can never succeed.
+	StatusReasonMethodNotAllowed StatusReason = "MethodNotAllowed"
+
+	// StatusReasonInternalError indicates that an internal error occurred, it is unexpected
+	// and the outcome of the call is unknown.
+	// Details (optional):
+	//   "causes" - The original error
+	// Status code 500
+	StatusReasonInternalError StatusReason = "InternalError"
+
+	// StatusReasonExpired indicates that the request is invalid because the content you are requesting
+	// has expired and is no longer available. It is typically associated with watches that can't be
+	// serviced.
+	// Status code 410 (gone)
+	StatusReasonExpired StatusReason = "Expired"
+
+	// StatusReasonServiceUnavailable means that the request itself was valid,
+	// but the requested service is unavailable at this time.
+	// Retrying the request after some time might succeed.
+	// Status code 503
+	StatusReasonServiceUnavailable StatusReason = "ServiceUnavailable"
+)
+
+// StatusCause provides more information about an api.Status failure, including
+// cases when multiple errors are encountered.
+type StatusCause struct {
+	// A machine-readable description of the cause of the error. If this value is
+	// empty there is no information available.
+	// +optional
+	Type CauseType `json:"reason,omitempty" protobuf:"bytes,1,opt,name=reason,casttype=CauseType"`
+	// A human-readable description of the cause of the error.  This field may be
+	// presented as-is to a reader.
+	// +optional
+	Message string `json:"message,omitempty" protobuf:"bytes,2,opt,name=message"`
+	// The field of the resource that has caused this error, as named by its JSON
+	// serialization. May include dot and postfix notation for nested attributes.
+	// Arrays are zero-indexed.  Fields may appear more than once in an array of
+	// causes due to fields having multiple errors.
+	// Optional.
+	//
+	// Examples:
+	//   "name" - the field "name" on the current resource
+	//   "items[0].name" - the field "name" on the first array entry in "items"
+	// +optional
+	Field string `json:"field,omitempty" protobuf:"bytes,3,opt,name=field"`
+}
+
+// CauseType is a machine readable value providing more detail about what
+// occurred in a status response. An operation may have multiple causes for a
+// status (whether Failure or Success).
+type CauseType string
+
+const (
+	// CauseTypeFieldValueNotFound is used to report failure to find a requested value
+	// (e.g. looking up an ID).
+	CauseTypeFieldValueNotFound CauseType = "FieldValueNotFound"
+	// CauseTypeFieldValueRequired is used to report required values that are not
+	// provided (e.g. empty strings, null values, or empty arrays).
+	CauseTypeFieldValueRequired CauseType = "FieldValueRequired"
+	// CauseTypeFieldValueDuplicate is used to report collisions of values that must be
+	// unique (e.g. unique IDs).
+	CauseTypeFieldValueDuplicate CauseType = "FieldValueDuplicate"
+	// CauseTypeFieldValueInvalid is used to report malformed values (e.g. failed regex
+	// match).
+	CauseTypeFieldValueInvalid CauseType = "FieldValueInvalid"
+	// CauseTypeFieldValueNotSupported is used to report valid (as per formatting rules)
+	// values that can not be handled (e.g. an enumerated string).
+	CauseTypeFieldValueNotSupported CauseType = "FieldValueNotSupported"
+	// CauseTypeUnexpectedServerResponse is used to report when the server responded to the client
+	// without the expected return type. The presence of this cause indicates the error may be
+	// due to an intervening proxy or the server software malfunctioning.
+	CauseTypeUnexpectedServerResponse CauseType = "UnexpectedServerResponse"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// List holds a list of objects, which may not be known by the server.
+type List struct {
+	TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// List of objects
+	Items []runtime.RawExtension `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// APIVersions lists the versions that are available, to allow clients to
+// discover the API at /api, which is the root path of the legacy v1 API.
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type APIVersions struct {
+	TypeMeta `json:",inline"`
+	// versions are the api versions that are available.
+	Versions []string `json:"versions" protobuf:"bytes,1,rep,name=versions"`
+	// a map of client CIDR to server address that is serving this group.
+	// This is to help clients reach servers in the most network-efficient way possible.
+	// Clients can use the appropriate server address as per the CIDR that they match.
+	// In case of multiple matches, clients should use the longest matching CIDR.
+	// The server returns only those CIDRs that it thinks that the client can match.
+	// For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
+	// Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
+	ServerAddressByClientCIDRs []ServerAddressByClientCIDR `json:"serverAddressByClientCIDRs" protobuf:"bytes,2,rep,name=serverAddressByClientCIDRs"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// APIGroupList is a list of APIGroup, to allow clients to discover the API at
+// /apis.
+type APIGroupList struct {
+	TypeMeta `json:",inline"`
+	// groups is a list of APIGroup.
+	Groups []APIGroup `json:"groups" protobuf:"bytes,1,rep,name=groups"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// APIGroup contains the name, the supported versions, and the preferred version
+// of a group.
+type APIGroup struct {
+	TypeMeta `json:",inline"`
+	// name is the name of the group.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// versions are the versions supported in this group.
+	Versions []GroupVersionForDiscovery `json:"versions" protobuf:"bytes,2,rep,name=versions"`
+	// preferredVersion is the version preferred by the API server, which
+	// probably is the storage version.
+	// +optional
+	PreferredVersion GroupVersionForDiscovery `json:"preferredVersion,omitempty" protobuf:"bytes,3,opt,name=preferredVersion"`
+	// a map of client CIDR to server address that is serving this group.
+	// This is to help clients reach servers in the most network-efficient way possible.
+	// Clients can use the appropriate server address as per the CIDR that they match.
+	// In case of multiple matches, clients should use the longest matching CIDR.
+	// The server returns only those CIDRs that it thinks that the client can match.
+	// For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP.
+	// Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.
+	ServerAddressByClientCIDRs []ServerAddressByClientCIDR `json:"serverAddressByClientCIDRs" protobuf:"bytes,4,rep,name=serverAddressByClientCIDRs"`
+}
+
+// ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.
+type ServerAddressByClientCIDR struct {
+	// The CIDR with which clients can match their IP to figure out the server address that they should use.
+	ClientCIDR string `json:"clientCIDR" protobuf:"bytes,1,opt,name=clientCIDR"`
+	// Address of this server, suitable for a client that matches the above CIDR.
+	// This can be a hostname, hostname:port, IP or IP:port.
+	ServerAddress string `json:"serverAddress" protobuf:"bytes,2,opt,name=serverAddress"`
+}
+
+// GroupVersion contains the "group/version" and "version" string of a version.
+// It is made a struct to keep extensibility.
+type GroupVersionForDiscovery struct {
+	// groupVersion specifies the API group and version in the form "group/version"
+	GroupVersion string `json:"groupVersion" protobuf:"bytes,1,opt,name=groupVersion"`
+	// version specifies the version in the form of "version". This is to save
+	// the clients the trouble of splitting the GroupVersion.
+	Version string `json:"version" protobuf:"bytes,2,opt,name=version"`
+}
+
+// APIResource specifies the name of a resource and whether it is namespaced.
+type APIResource struct {
+	// name is the plural name of the resource.
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// singularName is the singular name of the resource.  This allows clients to handle plural and singular opaquely.
+	// The singularName is more correct for reporting status on a single item and both singular and plural are allowed
+	// from the kubectl CLI interface.
+	SingularName string `json:"singularName" protobuf:"bytes,6,opt,name=singularName"`
+	// namespaced indicates if a resource is namespaced or not.
+	Namespaced bool `json:"namespaced" protobuf:"varint,2,opt,name=namespaced"`
+	// group is the preferred group of the resource.  Empty implies the group of the containing resource list.
+	// For subresources, this may have a different value, for example: Scale".
+	Group string `json:"group,omitempty" protobuf:"bytes,8,opt,name=group"`
+	// version is the preferred version of the resource.  Empty implies the version of the containing resource list
+	// For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
+	Version string `json:"version,omitempty" protobuf:"bytes,9,opt,name=version"`
+	// kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')
+	Kind string `json:"kind" protobuf:"bytes,3,opt,name=kind"`
+	// verbs is a list of supported kube verbs (this includes get, list, watch, create,
+	// update, patch, delete, deletecollection, and proxy)
+	Verbs Verbs `json:"verbs" protobuf:"bytes,4,opt,name=verbs"`
+	// shortNames is a list of suggested short names of the resource.
+	ShortNames []string `json:"shortNames,omitempty" protobuf:"bytes,5,rep,name=shortNames"`
+	// categories is a list of the grouped resources this resource belongs to (e.g. 'all')
+	Categories []string `json:"categories,omitempty" protobuf:"bytes,7,rep,name=categories"`
+}
+
+// Verbs masks the value so protobuf can generate
+//
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type Verbs []string
+
+func (vs Verbs) String() string {
+	return fmt.Sprintf("%v", []string(vs))
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// APIResourceList is a list of APIResource, it is used to expose the name of the
+// resources supported in a specific group and version, and if the resource
+// is namespaced.
+type APIResourceList struct {
+	TypeMeta `json:",inline"`
+	// groupVersion is the group and version this APIResourceList is for.
+	GroupVersion string `json:"groupVersion" protobuf:"bytes,1,opt,name=groupVersion"`
+	// resources contains the name of the resources and if they are namespaced.
+	APIResources []APIResource `json:"resources" protobuf:"bytes,2,rep,name=resources"`
+}
+
+// RootPaths lists the paths available at root.
+// For example: "/healthz", "/apis".
+type RootPaths struct {
+	// paths are the paths available at root.
+	Paths []string `json:"paths" protobuf:"bytes,1,rep,name=paths"`
+}
+
+// TODO: remove me when watch is refactored
+func LabelSelectorQueryParam(version string) string {
+	return "labelSelector"
+}
+
+// TODO: remove me when watch is refactored
+func FieldSelectorQueryParam(version string) string {
+	return "fieldSelector"
+}
+
+// String returns available api versions as a human-friendly version string.
+func (apiVersions APIVersions) String() string {
+	return strings.Join(apiVersions.Versions, ",")
+}
+
+func (apiVersions APIVersions) GoString() string {
+	return apiVersions.String()
+}
+
+// Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.
+type Patch struct{}
+
+// Note:
+// There are two different styles of label selectors used in versioned types:
+// an older style which is represented as just a string in versioned types, and a
+// newer style that is structured.  LabelSelector is an internal representation for the
+// latter style.
+
+// A label selector is a label query over a set of resources. The result of matchLabels and
+// matchExpressions are ANDed. An empty label selector matches all objects. A null
+// label selector matches no objects.
+type LabelSelector struct {
+	// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+	// map is equivalent to an element of matchExpressions, whose key field is "key", the
+	// operator is "In", and the values array contains only "value". The requirements are ANDed.
+	// +optional
+	MatchLabels map[string]string `json:"matchLabels,omitempty" protobuf:"bytes,1,rep,name=matchLabels"`
+	// matchExpressions is a list of label selector requirements. The requirements are ANDed.
+	// +optional
+	MatchExpressions []LabelSelectorRequirement `json:"matchExpressions,omitempty" protobuf:"bytes,2,rep,name=matchExpressions"`
+}
+
+// A label selector requirement is a selector that contains values, a key, and an operator that
+// relates the key and values.
+type LabelSelectorRequirement struct {
+	// key is the label key that the selector applies to.
+	// +patchMergeKey=key
+	// +patchStrategy=merge
+	Key string `json:"key" patchStrategy:"merge" patchMergeKey:"key" protobuf:"bytes,1,opt,name=key"`
+	// operator represents a key's relationship to a set of values.
+	// Valid operators are In, NotIn, Exists and DoesNotExist.
+	Operator LabelSelectorOperator `json:"operator" protobuf:"bytes,2,opt,name=operator,casttype=LabelSelectorOperator"`
+	// values is an array of string values. If the operator is In or NotIn,
+	// the values array must be non-empty. If the operator is Exists or DoesNotExist,
+	// the values array must be empty. This array is replaced during a strategic
+	// merge patch.
+	// +optional
+	Values []string `json:"values,omitempty" protobuf:"bytes,3,rep,name=values"`
+}
+
+// A label selector operator is the set of operators that can be used in a selector requirement.
+type LabelSelectorOperator string
+
+const (
+	LabelSelectorOpIn           LabelSelectorOperator = "In"
+	LabelSelectorOpNotIn        LabelSelectorOperator = "NotIn"
+	LabelSelectorOpExists       LabelSelectorOperator = "Exists"
+	LabelSelectorOpDoesNotExist LabelSelectorOperator = "DoesNotExist"
+)
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..49d2de1e
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/types_swagger_doc_generated.go
@@ -0,0 +1,330 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_APIGroup = map[string]string{
+	"":                           "APIGroup contains the name, the supported versions, and the preferred version of a group.",
+	"name":                       "name is the name of the group.",
+	"versions":                   "versions are the versions supported in this group.",
+	"preferredVersion":           "preferredVersion is the version preferred by the API server, which probably is the storage version.",
+	"serverAddressByClientCIDRs": "a map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.",
+}
+
+func (APIGroup) SwaggerDoc() map[string]string {
+	return map_APIGroup
+}
+
+var map_APIGroupList = map[string]string{
+	"":       "APIGroupList is a list of APIGroup, to allow clients to discover the API at /apis.",
+	"groups": "groups is a list of APIGroup.",
+}
+
+func (APIGroupList) SwaggerDoc() map[string]string {
+	return map_APIGroupList
+}
+
+var map_APIResource = map[string]string{
+	"":             "APIResource specifies the name of a resource and whether it is namespaced.",
+	"name":         "name is the plural name of the resource.",
+	"singularName": "singularName is the singular name of the resource.  This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.",
+	"namespaced":   "namespaced indicates if a resource is namespaced or not.",
+	"group":        "group is the preferred group of the resource.  Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale\".",
+	"version":      "version is the preferred version of the resource.  Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)\".",
+	"kind":         "kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')",
+	"verbs":        "verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)",
+	"shortNames":   "shortNames is a list of suggested short names of the resource.",
+	"categories":   "categories is a list of the grouped resources this resource belongs to (e.g. 'all')",
+}
+
+func (APIResource) SwaggerDoc() map[string]string {
+	return map_APIResource
+}
+
+var map_APIResourceList = map[string]string{
+	"":             "APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.",
+	"groupVersion": "groupVersion is the group and version this APIResourceList is for.",
+	"resources":    "resources contains the name of the resources and if they are namespaced.",
+}
+
+func (APIResourceList) SwaggerDoc() map[string]string {
+	return map_APIResourceList
+}
+
+var map_APIVersions = map[string]string{
+	"":                           "APIVersions lists the versions that are available, to allow clients to discover the API at /api, which is the root path of the legacy v1 API.",
+	"versions":                   "versions are the api versions that are available.",
+	"serverAddressByClientCIDRs": "a map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.",
+}
+
+func (APIVersions) SwaggerDoc() map[string]string {
+	return map_APIVersions
+}
+
+var map_DeleteOptions = map[string]string{
+	"":                   "DeleteOptions may be provided when deleting an API object.",
+	"gracePeriodSeconds": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+	"preconditions":      "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.",
+	"orphanDependents":   "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+	"propagationPolicy":  "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy.",
+}
+
+func (DeleteOptions) SwaggerDoc() map[string]string {
+	return map_DeleteOptions
+}
+
+var map_ExportOptions = map[string]string{
+	"":       "ExportOptions is the query options to the standard REST get call.",
+	"export": "Should this value be exported.  Export strips fields that a user can not specify.",
+	"exact":  "Should the export be exact.  Exact export maintains cluster-specific fields like 'Namespace'.",
+}
+
+func (ExportOptions) SwaggerDoc() map[string]string {
+	return map_ExportOptions
+}
+
+var map_GetOptions = map[string]string{
+	"":                     "GetOptions is the standard query options to the standard REST get call.",
+	"resourceVersion":      "When specified: - if unset, then the result is returned from remote storage based on quorum-read flag; - if it's 0, then we simply return what we currently have in cache, no guarantee; - if set to non zero, then the result is at least as fresh as given rv.",
+	"includeUninitialized": "If true, partially initialized resources are included in the response.",
+}
+
+func (GetOptions) SwaggerDoc() map[string]string {
+	return map_GetOptions
+}
+
+var map_GroupVersionForDiscovery = map[string]string{
+	"":             "GroupVersion contains the \"group/version\" and \"version\" string of a version. It is made a struct to keep extensibility.",
+	"groupVersion": "groupVersion specifies the API group and version in the form \"group/version\"",
+	"version":      "version specifies the version in the form of \"version\". This is to save the clients the trouble of splitting the GroupVersion.",
+}
+
+func (GroupVersionForDiscovery) SwaggerDoc() map[string]string {
+	return map_GroupVersionForDiscovery
+}
+
+var map_Initializer = map[string]string{
+	"":     "Initializer is information about an initializer that has not yet completed.",
+	"name": "name of the process that is responsible for initializing this object.",
+}
+
+func (Initializer) SwaggerDoc() map[string]string {
+	return map_Initializer
+}
+
+var map_Initializers = map[string]string{
+	"":        "Initializers tracks the progress of initialization.",
+	"pending": "Pending is a list of initializers that must execute in order before this object is visible. When the last pending initializer is removed, and no failing result is set, the initializers struct will be set to nil and the object is considered as initialized and visible to all clients.",
+	"result":  "If result is set with the Failure field, the object will be persisted to storage and then deleted, ensuring that other clients can observe the deletion.",
+}
+
+func (Initializers) SwaggerDoc() map[string]string {
+	return map_Initializers
+}
+
+var map_LabelSelector = map[string]string{
+	"":                 "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.",
+	"matchLabels":      "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
+	"matchExpressions": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
+}
+
+func (LabelSelector) SwaggerDoc() map[string]string {
+	return map_LabelSelector
+}
+
+var map_LabelSelectorRequirement = map[string]string{
+	"":         "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.",
+	"key":      "key is the label key that the selector applies to.",
+	"operator": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.",
+	"values":   "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.",
+}
+
+func (LabelSelectorRequirement) SwaggerDoc() map[string]string {
+	return map_LabelSelectorRequirement
+}
+
+var map_List = map[string]string{
+	"":         "List holds a list of objects, which may not be known by the server.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"items":    "List of objects",
+}
+
+func (List) SwaggerDoc() map[string]string {
+	return map_List
+}
+
+var map_ListMeta = map[string]string{
+	"":                "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.",
+	"selfLink":        "selfLink is a URL representing this object. Populated by the system. Read-only.",
+	"resourceVersion": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency",
+	"continue":        "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response.",
+}
+
+func (ListMeta) SwaggerDoc() map[string]string {
+	return map_ListMeta
+}
+
+var map_ListOptions = map[string]string{
+	"":                     "ListOptions is the query options to a standard REST list call.",
+	"labelSelector":        "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+	"fieldSelector":        "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+	"includeUninitialized": "If true, partially initialized resources are included in the response.",
+	"watch":                "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+	"resourceVersion":      "When specified with a watch call, shows changes that occur after that particular version of a resource. Defaults to changes from the beginning of history. When specified for list: - if unset, then the result is returned from remote storage based on quorum-read flag; - if it's 0, then we simply return what we currently have in cache, no guarantee; - if set to non zero, then the result is at least as fresh as given rv.",
+	"timeoutSeconds":       "Timeout for the list/watch call.",
+	"limit":                "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+	"continue":             "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server the server will respond with a 410 ResourceExpired error indicating the client must restart their list without the continue field. This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+}
+
+func (ListOptions) SwaggerDoc() map[string]string {
+	return map_ListOptions
+}
+
+var map_ObjectMeta = map[string]string{
+	"":                           "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.",
+	"name":                       "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names",
+	"generateName":               "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency",
+	"namespace":                  "Namespace defines the space within each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces",
+	"selfLink":                   "SelfLink is a URL representing this object. Populated by the system. Read-only.",
+	"uid":                        "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids",
+	"resourceVersion":            "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency",
+	"generation":                 "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.",
+	"creationTimestamp":          "CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"deletionTimestamp":          "DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field. Once set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+	"deletionGracePeriodSeconds": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.",
+	"labels":                     "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels",
+	"annotations":                "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations",
+	"ownerReferences":            "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.",
+	"initializers":               "An initializer is a controller which enforces some system invariant at object creation time. This field is a list of initializers that have not yet acted on this object. If nil or empty, this object has been completely initialized. Otherwise, the object is considered uninitialized and is hidden (in list/watch and get calls) from clients that haven't explicitly asked to observe uninitialized objects.\n\nWhen an object is created, the system will populate this list with the current set of initializers. Only privileged users may set or modify this list. Once it is empty, it may not be modified further by any user.",
+	"finalizers":                 "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.",
+	"clusterName":                "The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.",
+}
+
+func (ObjectMeta) SwaggerDoc() map[string]string {
+	return map_ObjectMeta
+}
+
+var map_OwnerReference = map[string]string{
+	"":                   "OwnerReference contains enough information to let you identify an owning object. Currently, an owning object must be in the same namespace, so there is no namespace field.",
+	"apiVersion":         "API version of the referent.",
+	"kind":               "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"name":               "Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names",
+	"uid":                "UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids",
+	"controller":         "If true, this reference points to the managing controller.",
+	"blockOwnerDeletion": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.",
+}
+
+func (OwnerReference) SwaggerDoc() map[string]string {
+	return map_OwnerReference
+}
+
+var map_Patch = map[string]string{
+	"": "Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.",
+}
+
+func (Patch) SwaggerDoc() map[string]string {
+	return map_Patch
+}
+
+var map_Preconditions = map[string]string{
+	"":    "Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.",
+	"uid": "Specifies the target UID.",
+}
+
+func (Preconditions) SwaggerDoc() map[string]string {
+	return map_Preconditions
+}
+
+var map_RootPaths = map[string]string{
+	"":      "RootPaths lists the paths available at root. For example: \"/healthz\", \"/apis\".",
+	"paths": "paths are the paths available at root.",
+}
+
+func (RootPaths) SwaggerDoc() map[string]string {
+	return map_RootPaths
+}
+
+var map_ServerAddressByClientCIDR = map[string]string{
+	"":              "ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.",
+	"clientCIDR":    "The CIDR with which clients can match their IP to figure out the server address that they should use.",
+	"serverAddress": "Address of this server, suitable for a client that matches the above CIDR. This can be a hostname, hostname:port, IP or IP:port.",
+}
+
+func (ServerAddressByClientCIDR) SwaggerDoc() map[string]string {
+	return map_ServerAddressByClientCIDR
+}
+
+var map_Status = map[string]string{
+	"":         "Status is a return value for calls that don't return other objects.",
+	"metadata": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"status":   "Status of the operation. One of: \"Success\" or \"Failure\". More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status",
+	"message":  "A human-readable description of the status of this operation.",
+	"reason":   "A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it.",
+	"details":  "Extended data associated with the reason.  Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.",
+	"code":     "Suggested HTTP return code for this status, 0 if not set.",
+}
+
+func (Status) SwaggerDoc() map[string]string {
+	return map_Status
+}
+
+var map_StatusCause = map[string]string{
+	"":        "StatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.",
+	"reason":  "A machine-readable description of the cause of the error. If this value is empty there is no information available.",
+	"message": "A human-readable description of the cause of the error.  This field may be presented as-is to a reader.",
+	"field":   "The field of the resource that has caused this error, as named by its JSON serialization. May include dot and postfix notation for nested attributes. Arrays are zero-indexed.  Fields may appear more than once in an array of causes due to fields having multiple errors. Optional.\n\nExamples:\n  \"name\" - the field \"name\" on the current resource\n  \"items[0].name\" - the field \"name\" on the first array entry in \"items\"",
+}
+
+func (StatusCause) SwaggerDoc() map[string]string {
+	return map_StatusCause
+}
+
+var map_StatusDetails = map[string]string{
+	"":                  "StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.",
+	"name":              "The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).",
+	"group":             "The group attribute of the resource associated with the status StatusReason.",
+	"kind":              "The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"uid":               "UID of the resource. (when there is a single resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids",
+	"causes":            "The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes.",
+	"retryAfterSeconds": "If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.",
+}
+
+func (StatusDetails) SwaggerDoc() map[string]string {
+	return map_StatusDetails
+}
+
+var map_TypeMeta = map[string]string{
+	"":           "TypeMeta describes an individual object in an API response or request with strings representing the type of the object and its API schema version. Structures that are versioned or persisted should inline TypeMeta.",
+	"kind":       "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"apiVersion": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
+}
+
+func (TypeMeta) SwaggerDoc() map[string]string {
+	return map_TypeMeta
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructured.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructured.go
new file mode 100644
index 00000000..588230f4
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/unstructured.go
@@ -0,0 +1,862 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package unstructured
+
+import (
+	"bytes"
+	gojson "encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/golang/glog"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/conversion/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/json"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+// Unstructured allows objects that do not have Golang structs registered to be manipulated
+// generically. This can be used to deal with the API objects from a plug-in. Unstructured
+// objects still have functioning TypeMeta features-- kind, version, etc.
+//
+// WARNING: This object has accessors for the v1 standard metadata. You *MUST NOT* use this
+// type if you are dealing with objects that are not in the server meta v1 schema.
+//
+// TODO: make the serialization part of this type distinct from the field accessors.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:deepcopy-gen=true
+type Unstructured struct {
+	// Object is a JSON compatible map with string, float, int, bool, []interface{}, or
+	// map[string]interface{}
+	// children.
+	Object map[string]interface{}
+}
+
+var _ metav1.Object = &Unstructured{}
+var _ runtime.Unstructured = &Unstructured{}
+var _ runtime.Unstructured = &UnstructuredList{}
+
+func (obj *Unstructured) GetObjectKind() schema.ObjectKind     { return obj }
+func (obj *UnstructuredList) GetObjectKind() schema.ObjectKind { return obj }
+
+func (obj *Unstructured) IsUnstructuredObject()     {}
+func (obj *UnstructuredList) IsUnstructuredObject() {}
+
+func (obj *Unstructured) IsList() bool {
+	if obj.Object != nil {
+		_, ok := obj.Object["items"]
+		return ok
+	}
+	return false
+}
+func (obj *UnstructuredList) IsList() bool { return true }
+
+func (obj *Unstructured) EachListItem(fn func(runtime.Object) error) error {
+	if obj.Object == nil {
+		return fmt.Errorf("content is not a list")
+	}
+	field, ok := obj.Object["items"]
+	if !ok {
+		return fmt.Errorf("content is not a list")
+	}
+	items, ok := field.([]interface{})
+	if !ok {
+		return nil
+	}
+	for _, item := range items {
+		child, ok := item.(map[string]interface{})
+		if !ok {
+			return fmt.Errorf("items member is not an object")
+		}
+		if err := fn(&Unstructured{Object: child}); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (obj *UnstructuredList) EachListItem(fn func(runtime.Object) error) error {
+	for i := range obj.Items {
+		if err := fn(&obj.Items[i]); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (obj *Unstructured) UnstructuredContent() map[string]interface{} {
+	if obj.Object == nil {
+		obj.Object = make(map[string]interface{})
+	}
+	return obj.Object
+}
+
+// UnstructuredContent returns a map contain an overlay of the Items field onto
+// the Object field. Items always overwrites overlay. Changing "items" in the
+// returned object will affect items in the underlying Items field, but changing
+// the "items" slice itself will have no effect.
+// TODO: expose SetUnstructuredContent on runtime.Unstructured that allows
+// items to be changed.
+func (obj *UnstructuredList) UnstructuredContent() map[string]interface{} {
+	out := obj.Object
+	if out == nil {
+		out = make(map[string]interface{})
+	}
+	items := make([]interface{}, len(obj.Items))
+	for i, item := range obj.Items {
+		items[i] = item.Object
+	}
+	out["items"] = items
+	return out
+}
+
+// MarshalJSON ensures that the unstructured object produces proper
+// JSON when passed to Go's standard JSON library.
+func (u *Unstructured) MarshalJSON() ([]byte, error) {
+	var buf bytes.Buffer
+	err := UnstructuredJSONScheme.Encode(u, &buf)
+	return buf.Bytes(), err
+}
+
+// UnmarshalJSON ensures that the unstructured object properly decodes
+// JSON when passed to Go's standard JSON library.
+func (u *Unstructured) UnmarshalJSON(b []byte) error {
+	_, _, err := UnstructuredJSONScheme.Decode(b, nil, u)
+	return err
+}
+
+func deepCopyJSON(x interface{}) interface{} {
+	switch x := x.(type) {
+	case map[string]interface{}:
+		clone := make(map[string]interface{}, len(x))
+		for k, v := range x {
+			clone[k] = deepCopyJSON(v)
+		}
+		return clone
+	case []interface{}:
+		clone := make([]interface{}, len(x))
+		for i := range x {
+			clone[i] = deepCopyJSON(x[i])
+		}
+		return clone
+	default:
+		// only non-pointer values (float64, int64, bool, string) are left. These can be copied by-value.
+		return x
+	}
+}
+
+func (in *Unstructured) DeepCopy() *Unstructured {
+	if in == nil {
+		return nil
+	}
+	out := new(Unstructured)
+	*out = *in
+	out.Object = deepCopyJSON(in.Object).(map[string]interface{})
+	return out
+}
+
+func (in *UnstructuredList) DeepCopy() *UnstructuredList {
+	if in == nil {
+		return nil
+	}
+	out := new(UnstructuredList)
+	*out = *in
+	out.Object = deepCopyJSON(in.Object).(map[string]interface{})
+	out.Items = make([]Unstructured, len(in.Items))
+	for i := range in.Items {
+		in.Items[i].DeepCopyInto(&out.Items[i])
+	}
+	return out
+}
+
+func getNestedField(obj map[string]interface{}, fields ...string) interface{} {
+	var val interface{} = obj
+	for _, field := range fields {
+		if _, ok := val.(map[string]interface{}); !ok {
+			return nil
+		}
+		val = val.(map[string]interface{})[field]
+	}
+	return val
+}
+
+func getNestedString(obj map[string]interface{}, fields ...string) string {
+	if str, ok := getNestedField(obj, fields...).(string); ok {
+		return str
+	}
+	return ""
+}
+
+func getNestedInt64(obj map[string]interface{}, fields ...string) int64 {
+	if str, ok := getNestedField(obj, fields...).(int64); ok {
+		return str
+	}
+	return 0
+}
+
+func getNestedInt64Pointer(obj map[string]interface{}, fields ...string) *int64 {
+	nested := getNestedField(obj, fields...)
+	switch n := nested.(type) {
+	case int64:
+		return &n
+	case *int64:
+		return n
+	default:
+		return nil
+	}
+}
+
+func getNestedSlice(obj map[string]interface{}, fields ...string) []string {
+	if m, ok := getNestedField(obj, fields...).([]interface{}); ok {
+		strSlice := make([]string, 0, len(m))
+		for _, v := range m {
+			if str, ok := v.(string); ok {
+				strSlice = append(strSlice, str)
+			}
+		}
+		return strSlice
+	}
+	return nil
+}
+
+func getNestedMap(obj map[string]interface{}, fields ...string) map[string]string {
+	if m, ok := getNestedField(obj, fields...).(map[string]interface{}); ok {
+		strMap := make(map[string]string, len(m))
+		for k, v := range m {
+			if str, ok := v.(string); ok {
+				strMap[k] = str
+			}
+		}
+		return strMap
+	}
+	return nil
+}
+
+func setNestedField(obj map[string]interface{}, value interface{}, fields ...string) {
+	m := obj
+	if len(fields) > 1 {
+		for _, field := range fields[0 : len(fields)-1] {
+			if _, ok := m[field].(map[string]interface{}); !ok {
+				m[field] = make(map[string]interface{})
+			}
+			m = m[field].(map[string]interface{})
+		}
+	}
+	m[fields[len(fields)-1]] = value
+}
+
+func setNestedSlice(obj map[string]interface{}, value []string, fields ...string) {
+	m := make([]interface{}, 0, len(value))
+	for _, v := range value {
+		m = append(m, v)
+	}
+	setNestedField(obj, m, fields...)
+}
+
+func setNestedMap(obj map[string]interface{}, value map[string]string, fields ...string) {
+	m := make(map[string]interface{}, len(value))
+	for k, v := range value {
+		m[k] = v
+	}
+	setNestedField(obj, m, fields...)
+}
+
+func (u *Unstructured) setNestedField(value interface{}, fields ...string) {
+	if u.Object == nil {
+		u.Object = make(map[string]interface{})
+	}
+	setNestedField(u.Object, value, fields...)
+}
+
+func (u *Unstructured) setNestedSlice(value []string, fields ...string) {
+	if u.Object == nil {
+		u.Object = make(map[string]interface{})
+	}
+	setNestedSlice(u.Object, value, fields...)
+}
+
+func (u *Unstructured) setNestedMap(value map[string]string, fields ...string) {
+	if u.Object == nil {
+		u.Object = make(map[string]interface{})
+	}
+	setNestedMap(u.Object, value, fields...)
+}
+
+func extractOwnerReference(src interface{}) metav1.OwnerReference {
+	v := src.(map[string]interface{})
+	// though this field is a *bool, but when decoded from JSON, it's
+	// unmarshalled as bool.
+	var controllerPtr *bool
+	controller, ok := (getNestedField(v, "controller")).(bool)
+	if !ok {
+		controllerPtr = nil
+	} else {
+		controllerCopy := controller
+		controllerPtr = &controllerCopy
+	}
+	var blockOwnerDeletionPtr *bool
+	blockOwnerDeletion, ok := (getNestedField(v, "blockOwnerDeletion")).(bool)
+	if !ok {
+		blockOwnerDeletionPtr = nil
+	} else {
+		blockOwnerDeletionCopy := blockOwnerDeletion
+		blockOwnerDeletionPtr = &blockOwnerDeletionCopy
+	}
+	return metav1.OwnerReference{
+		Kind:               getNestedString(v, "kind"),
+		Name:               getNestedString(v, "name"),
+		APIVersion:         getNestedString(v, "apiVersion"),
+		UID:                (types.UID)(getNestedString(v, "uid")),
+		Controller:         controllerPtr,
+		BlockOwnerDeletion: blockOwnerDeletionPtr,
+	}
+}
+
+func setOwnerReference(src metav1.OwnerReference) map[string]interface{} {
+	ret := make(map[string]interface{})
+	setNestedField(ret, src.Kind, "kind")
+	setNestedField(ret, src.Name, "name")
+	setNestedField(ret, src.APIVersion, "apiVersion")
+	setNestedField(ret, string(src.UID), "uid")
+	// json.Unmarshal() extracts boolean json fields as bool, not as *bool and hence extractOwnerReference()
+	// expects bool or a missing field, not *bool. So if pointer is nil, fields are omitted from the ret object.
+	// If pointer is non-nil, they are set to the referenced value.
+	if src.Controller != nil {
+		setNestedField(ret, *src.Controller, "controller")
+	}
+	if src.BlockOwnerDeletion != nil {
+		setNestedField(ret, *src.BlockOwnerDeletion, "blockOwnerDeletion")
+	}
+	return ret
+}
+
+func getOwnerReferences(object map[string]interface{}) ([]map[string]interface{}, error) {
+	field := getNestedField(object, "metadata", "ownerReferences")
+	if field == nil {
+		return nil, fmt.Errorf("cannot find field metadata.ownerReferences in %v", object)
+	}
+	ownerReferences, ok := field.([]map[string]interface{})
+	if ok {
+		return ownerReferences, nil
+	}
+	// TODO: This is hacky...
+	interfaces, ok := field.([]interface{})
+	if !ok {
+		return nil, fmt.Errorf("expect metadata.ownerReferences to be a slice in %#v", object)
+	}
+	ownerReferences = make([]map[string]interface{}, 0, len(interfaces))
+	for i := 0; i < len(interfaces); i++ {
+		r, ok := interfaces[i].(map[string]interface{})
+		if !ok {
+			return nil, fmt.Errorf("expect element metadata.ownerReferences to be a map[string]interface{} in %#v", object)
+		}
+		ownerReferences = append(ownerReferences, r)
+	}
+	return ownerReferences, nil
+}
+
+func (u *Unstructured) GetOwnerReferences() []metav1.OwnerReference {
+	original, err := getOwnerReferences(u.Object)
+	if err != nil {
+		glog.V(6).Info(err)
+		return nil
+	}
+	ret := make([]metav1.OwnerReference, 0, len(original))
+	for i := 0; i < len(original); i++ {
+		ret = append(ret, extractOwnerReference(original[i]))
+	}
+	return ret
+}
+
+func (u *Unstructured) SetOwnerReferences(references []metav1.OwnerReference) {
+	var newReferences = make([]map[string]interface{}, 0, len(references))
+	for i := 0; i < len(references); i++ {
+		newReferences = append(newReferences, setOwnerReference(references[i]))
+	}
+	u.setNestedField(newReferences, "metadata", "ownerReferences")
+}
+
+func (u *Unstructured) GetAPIVersion() string {
+	return getNestedString(u.Object, "apiVersion")
+}
+
+func (u *Unstructured) SetAPIVersion(version string) {
+	u.setNestedField(version, "apiVersion")
+}
+
+func (u *Unstructured) GetKind() string {
+	return getNestedString(u.Object, "kind")
+}
+
+func (u *Unstructured) SetKind(kind string) {
+	u.setNestedField(kind, "kind")
+}
+
+func (u *Unstructured) GetNamespace() string {
+	return getNestedString(u.Object, "metadata", "namespace")
+}
+
+func (u *Unstructured) SetNamespace(namespace string) {
+	u.setNestedField(namespace, "metadata", "namespace")
+}
+
+func (u *Unstructured) GetName() string {
+	return getNestedString(u.Object, "metadata", "name")
+}
+
+func (u *Unstructured) SetName(name string) {
+	u.setNestedField(name, "metadata", "name")
+}
+
+func (u *Unstructured) GetGenerateName() string {
+	return getNestedString(u.Object, "metadata", "generateName")
+}
+
+func (u *Unstructured) SetGenerateName(name string) {
+	u.setNestedField(name, "metadata", "generateName")
+}
+
+func (u *Unstructured) GetUID() types.UID {
+	return types.UID(getNestedString(u.Object, "metadata", "uid"))
+}
+
+func (u *Unstructured) SetUID(uid types.UID) {
+	u.setNestedField(string(uid), "metadata", "uid")
+}
+
+func (u *Unstructured) GetResourceVersion() string {
+	return getNestedString(u.Object, "metadata", "resourceVersion")
+}
+
+func (u *Unstructured) SetResourceVersion(version string) {
+	u.setNestedField(version, "metadata", "resourceVersion")
+}
+
+func (u *Unstructured) GetGeneration() int64 {
+	return getNestedInt64(u.Object, "metadata", "generation")
+}
+
+func (u *Unstructured) SetGeneration(generation int64) {
+	u.setNestedField(generation, "metadata", "generation")
+}
+
+func (u *Unstructured) GetSelfLink() string {
+	return getNestedString(u.Object, "metadata", "selfLink")
+}
+
+func (u *Unstructured) SetSelfLink(selfLink string) {
+	u.setNestedField(selfLink, "metadata", "selfLink")
+}
+
+func (u *Unstructured) GetContinue() string {
+	return getNestedString(u.Object, "metadata", "continue")
+}
+
+func (u *Unstructured) SetContinue(c string) {
+	u.setNestedField(c, "metadata", "continue")
+}
+
+func (u *Unstructured) GetCreationTimestamp() metav1.Time {
+	var timestamp metav1.Time
+	timestamp.UnmarshalQueryParameter(getNestedString(u.Object, "metadata", "creationTimestamp"))
+	return timestamp
+}
+
+func (u *Unstructured) SetCreationTimestamp(timestamp metav1.Time) {
+	ts, _ := timestamp.MarshalQueryParameter()
+	u.setNestedField(ts, "metadata", "creationTimestamp")
+}
+
+func (u *Unstructured) GetDeletionTimestamp() *metav1.Time {
+	var timestamp metav1.Time
+	timestamp.UnmarshalQueryParameter(getNestedString(u.Object, "metadata", "deletionTimestamp"))
+	if timestamp.IsZero() {
+		return nil
+	}
+	return &timestamp
+}
+
+func (u *Unstructured) SetDeletionTimestamp(timestamp *metav1.Time) {
+	if timestamp == nil {
+		u.setNestedField(nil, "metadata", "deletionTimestamp")
+		return
+	}
+	ts, _ := timestamp.MarshalQueryParameter()
+	u.setNestedField(ts, "metadata", "deletionTimestamp")
+}
+
+func (u *Unstructured) GetDeletionGracePeriodSeconds() *int64 {
+	return getNestedInt64Pointer(u.Object, "metadata", "deletionGracePeriodSeconds")
+}
+
+func (u *Unstructured) SetDeletionGracePeriodSeconds(deletionGracePeriodSeconds *int64) {
+	u.setNestedField(deletionGracePeriodSeconds, "metadata", "deletionGracePeriodSeconds")
+}
+
+func (u *Unstructured) GetLabels() map[string]string {
+	return getNestedMap(u.Object, "metadata", "labels")
+}
+
+func (u *Unstructured) SetLabels(labels map[string]string) {
+	u.setNestedMap(labels, "metadata", "labels")
+}
+
+func (u *Unstructured) GetAnnotations() map[string]string {
+	return getNestedMap(u.Object, "metadata", "annotations")
+}
+
+func (u *Unstructured) SetAnnotations(annotations map[string]string) {
+	u.setNestedMap(annotations, "metadata", "annotations")
+}
+
+func (u *Unstructured) SetGroupVersionKind(gvk schema.GroupVersionKind) {
+	u.SetAPIVersion(gvk.GroupVersion().String())
+	u.SetKind(gvk.Kind)
+}
+
+func (u *Unstructured) GroupVersionKind() schema.GroupVersionKind {
+	gv, err := schema.ParseGroupVersion(u.GetAPIVersion())
+	if err != nil {
+		return schema.GroupVersionKind{}
+	}
+	gvk := gv.WithKind(u.GetKind())
+	return gvk
+}
+
+var converter = unstructured.NewConverter(false)
+
+func (u *Unstructured) GetInitializers() *metav1.Initializers {
+	field := getNestedField(u.Object, "metadata", "initializers")
+	if field == nil {
+		return nil
+	}
+	obj, ok := field.(map[string]interface{})
+	if !ok {
+		return nil
+	}
+	out := &metav1.Initializers{}
+	if err := converter.FromUnstructured(obj, out); err != nil {
+		utilruntime.HandleError(fmt.Errorf("unable to retrieve initializers for object: %v", err))
+	}
+	return out
+}
+
+func (u *Unstructured) SetInitializers(initializers *metav1.Initializers) {
+	if u.Object == nil {
+		u.Object = make(map[string]interface{})
+	}
+	if initializers == nil {
+		setNestedField(u.Object, nil, "metadata", "initializers")
+		return
+	}
+	out, err := converter.ToUnstructured(initializers)
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("unable to retrieve initializers for object: %v", err))
+	}
+	setNestedField(u.Object, out, "metadata", "initializers")
+}
+
+func (u *Unstructured) GetFinalizers() []string {
+	return getNestedSlice(u.Object, "metadata", "finalizers")
+}
+
+func (u *Unstructured) SetFinalizers(finalizers []string) {
+	u.setNestedSlice(finalizers, "metadata", "finalizers")
+}
+
+func (u *Unstructured) GetClusterName() string {
+	return getNestedString(u.Object, "metadata", "clusterName")
+}
+
+func (u *Unstructured) SetClusterName(clusterName string) {
+	u.setNestedField(clusterName, "metadata", "clusterName")
+}
+
+// UnstructuredList allows lists that do not have Golang structs
+// registered to be manipulated generically. This can be used to deal
+// with the API lists from a plug-in.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:deepcopy-gen=true
+type UnstructuredList struct {
+	Object map[string]interface{}
+
+	// Items is a list of unstructured objects.
+	Items []Unstructured `json:"items"`
+}
+
+var _ metav1.ListInterface = &UnstructuredList{}
+
+// MarshalJSON ensures that the unstructured list object produces proper
+// JSON when passed to Go's standard JSON library.
+func (u *UnstructuredList) MarshalJSON() ([]byte, error) {
+	var buf bytes.Buffer
+	err := UnstructuredJSONScheme.Encode(u, &buf)
+	return buf.Bytes(), err
+}
+
+// UnmarshalJSON ensures that the unstructured list object properly
+// decodes JSON when passed to Go's standard JSON library.
+func (u *UnstructuredList) UnmarshalJSON(b []byte) error {
+	_, _, err := UnstructuredJSONScheme.Decode(b, nil, u)
+	return err
+}
+
+func (u *UnstructuredList) setNestedField(value interface{}, fields ...string) {
+	if u.Object == nil {
+		u.Object = make(map[string]interface{})
+	}
+	setNestedField(u.Object, value, fields...)
+}
+
+func (u *UnstructuredList) GetAPIVersion() string {
+	return getNestedString(u.Object, "apiVersion")
+}
+
+func (u *UnstructuredList) SetAPIVersion(version string) {
+	u.setNestedField(version, "apiVersion")
+}
+
+func (u *UnstructuredList) GetKind() string {
+	return getNestedString(u.Object, "kind")
+}
+
+func (u *UnstructuredList) SetKind(kind string) {
+	u.setNestedField(kind, "kind")
+}
+
+func (u *UnstructuredList) GetResourceVersion() string {
+	return getNestedString(u.Object, "metadata", "resourceVersion")
+}
+
+func (u *UnstructuredList) SetResourceVersion(version string) {
+	u.setNestedField(version, "metadata", "resourceVersion")
+}
+
+func (u *UnstructuredList) GetSelfLink() string {
+	return getNestedString(u.Object, "metadata", "selfLink")
+}
+
+func (u *UnstructuredList) SetSelfLink(selfLink string) {
+	u.setNestedField(selfLink, "metadata", "selfLink")
+}
+
+func (u *UnstructuredList) GetContinue() string {
+	return getNestedString(u.Object, "metadata", "continue")
+}
+
+func (u *UnstructuredList) SetContinue(c string) {
+	u.setNestedField(c, "metadata", "continue")
+}
+
+func (u *UnstructuredList) SetGroupVersionKind(gvk schema.GroupVersionKind) {
+	u.SetAPIVersion(gvk.GroupVersion().String())
+	u.SetKind(gvk.Kind)
+}
+
+func (u *UnstructuredList) GroupVersionKind() schema.GroupVersionKind {
+	gv, err := schema.ParseGroupVersion(u.GetAPIVersion())
+	if err != nil {
+		return schema.GroupVersionKind{}
+	}
+	gvk := gv.WithKind(u.GetKind())
+	return gvk
+}
+
+// UnstructuredJSONScheme is capable of converting JSON data into the Unstructured
+// type, which can be used for generic access to objects without a predefined scheme.
+// TODO: move into serializer/json.
+var UnstructuredJSONScheme runtime.Codec = unstructuredJSONScheme{}
+
+type unstructuredJSONScheme struct{}
+
+func (s unstructuredJSONScheme) Decode(data []byte, _ *schema.GroupVersionKind, obj runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	var err error
+	if obj != nil {
+		err = s.decodeInto(data, obj)
+	} else {
+		obj, err = s.decode(data)
+	}
+
+	if err != nil {
+		return nil, nil, err
+	}
+
+	gvk := obj.GetObjectKind().GroupVersionKind()
+	if len(gvk.Kind) == 0 {
+		return nil, &gvk, runtime.NewMissingKindErr(string(data))
+	}
+
+	return obj, &gvk, nil
+}
+
+func (unstructuredJSONScheme) Encode(obj runtime.Object, w io.Writer) error {
+	switch t := obj.(type) {
+	case *Unstructured:
+		return json.NewEncoder(w).Encode(t.Object)
+	case *UnstructuredList:
+		items := make([]map[string]interface{}, 0, len(t.Items))
+		for _, i := range t.Items {
+			items = append(items, i.Object)
+		}
+		listObj := make(map[string]interface{}, len(t.Object)+1)
+		for k, v := range t.Object { // Make a shallow copy
+			listObj[k] = v
+		}
+		listObj["items"] = items
+		return json.NewEncoder(w).Encode(listObj)
+	case *runtime.Unknown:
+		// TODO: Unstructured needs to deal with ContentType.
+		_, err := w.Write(t.Raw)
+		return err
+	default:
+		return json.NewEncoder(w).Encode(t)
+	}
+}
+
+func (s unstructuredJSONScheme) decode(data []byte) (runtime.Object, error) {
+	type detector struct {
+		Items gojson.RawMessage
+	}
+	var det detector
+	if err := json.Unmarshal(data, &det); err != nil {
+		return nil, err
+	}
+
+	if det.Items != nil {
+		list := &UnstructuredList{}
+		err := s.decodeToList(data, list)
+		return list, err
+	}
+
+	// No Items field, so it wasn't a list.
+	unstruct := &Unstructured{}
+	err := s.decodeToUnstructured(data, unstruct)
+	return unstruct, err
+}
+
+func (s unstructuredJSONScheme) decodeInto(data []byte, obj runtime.Object) error {
+	switch x := obj.(type) {
+	case *Unstructured:
+		return s.decodeToUnstructured(data, x)
+	case *UnstructuredList:
+		return s.decodeToList(data, x)
+	case *runtime.VersionedObjects:
+		o, err := s.decode(data)
+		if err == nil {
+			x.Objects = []runtime.Object{o}
+		}
+		return err
+	default:
+		return json.Unmarshal(data, x)
+	}
+}
+
+func (unstructuredJSONScheme) decodeToUnstructured(data []byte, unstruct *Unstructured) error {
+	m := make(map[string]interface{})
+	if err := json.Unmarshal(data, &m); err != nil {
+		return err
+	}
+
+	unstruct.Object = m
+
+	return nil
+}
+
+func (s unstructuredJSONScheme) decodeToList(data []byte, list *UnstructuredList) error {
+	type decodeList struct {
+		Items []gojson.RawMessage
+	}
+
+	var dList decodeList
+	if err := json.Unmarshal(data, &dList); err != nil {
+		return err
+	}
+
+	if err := json.Unmarshal(data, &list.Object); err != nil {
+		return err
+	}
+
+	// For typed lists, e.g., a PodList, API server doesn't set each item's
+	// APIVersion and Kind. We need to set it.
+	listAPIVersion := list.GetAPIVersion()
+	listKind := list.GetKind()
+	itemKind := strings.TrimSuffix(listKind, "List")
+
+	delete(list.Object, "items")
+	list.Items = nil
+	for _, i := range dList.Items {
+		unstruct := &Unstructured{}
+		if err := s.decodeToUnstructured([]byte(i), unstruct); err != nil {
+			return err
+		}
+		// This is hacky. Set the item's Kind and APIVersion to those inferred
+		// from the List.
+		if len(unstruct.GetKind()) == 0 && len(unstruct.GetAPIVersion()) == 0 {
+			unstruct.SetKind(itemKind)
+			unstruct.SetAPIVersion(listAPIVersion)
+		}
+		list.Items = append(list.Items, *unstruct)
+	}
+	return nil
+}
+
+// UnstructuredObjectConverter is an ObjectConverter for use with
+// Unstructured objects. Since it has no schema or type information,
+// it will only succeed for no-op conversions. This is provided as a
+// sane implementation for APIs that require an object converter.
+type UnstructuredObjectConverter struct{}
+
+func (UnstructuredObjectConverter) Convert(in, out, context interface{}) error {
+	unstructIn, ok := in.(*Unstructured)
+	if !ok {
+		return fmt.Errorf("input type %T in not valid for unstructured conversion", in)
+	}
+
+	unstructOut, ok := out.(*Unstructured)
+	if !ok {
+		return fmt.Errorf("output type %T in not valid for unstructured conversion", out)
+	}
+
+	// maybe deep copy the map? It is documented in the
+	// ObjectConverter interface that this function is not
+	// guaranteeed to not mutate the input. Or maybe set the input
+	// object to nil.
+	unstructOut.Object = unstructIn.Object
+	return nil
+}
+
+func (UnstructuredObjectConverter) ConvertToVersion(in runtime.Object, target runtime.GroupVersioner) (runtime.Object, error) {
+	if kind := in.GetObjectKind().GroupVersionKind(); !kind.Empty() {
+		gvk, ok := target.KindForGroupVersionKinds([]schema.GroupVersionKind{kind})
+		if !ok {
+			// TODO: should this be a typed error?
+			return nil, fmt.Errorf("%v is unstructured and is not suitable for converting to %q", kind, target)
+		}
+		in.GetObjectKind().SetGroupVersionKind(gvk)
+	}
+	return in, nil
+}
+
+func (UnstructuredObjectConverter) ConvertFieldLabel(version, kind, label, value string) (string, string, error) {
+	return "", "", errors.New("unstructured cannot convert field labels")
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/zz_generated.deepcopy.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/zz_generated.deepcopy.go
new file mode 100644
index 00000000..5cdf1211
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/unstructured/zz_generated.deepcopy.go
@@ -0,0 +1,75 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package unstructured
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+// GetGeneratedDeepCopyFuncs returns the generated funcs, since we aren't registering them.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func GetGeneratedDeepCopyFuncs() []conversion.GeneratedDeepCopyFunc {
+	return []conversion.GeneratedDeepCopyFunc{
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Unstructured).DeepCopyInto(out.(*Unstructured))
+			return nil
+		}, InType: reflect.TypeOf(&Unstructured{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*UnstructuredList).DeepCopyInto(out.(*UnstructuredList))
+			return nil
+		}, InType: reflect.TypeOf(&UnstructuredList{})},
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Unstructured) DeepCopyInto(out *Unstructured) {
+	clone := in.DeepCopy()
+	*out = *clone
+	return
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Unstructured) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UnstructuredList) DeepCopyInto(out *UnstructuredList) {
+	clone := in.DeepCopy()
+	*out = *clone
+	return
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *UnstructuredList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/watch.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/watch.go
new file mode 100644
index 00000000..b7ec5031
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/watch.go
@@ -0,0 +1,89 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+// Event represents a single event to a watched resource.
+//
+// +protobuf=true
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type WatchEvent struct {
+	Type string `json:"type" protobuf:"bytes,1,opt,name=type"`
+
+	// Object is:
+	//  * If Type is Added or Modified: the new state of the object.
+	//  * If Type is Deleted: the state of the object immediately before deletion.
+	//  * If Type is Error: *Status is recommended; other types may make sense
+	//    depending on context.
+	Object runtime.RawExtension `json:"object" protobuf:"bytes,2,opt,name=object"`
+}
+
+func Convert_watch_Event_to_versioned_Event(in *watch.Event, out *WatchEvent, s conversion.Scope) error {
+	out.Type = string(in.Type)
+	switch t := in.Object.(type) {
+	case *runtime.Unknown:
+		// TODO: handle other fields on Unknown and detect type
+		out.Object.Raw = t.Raw
+	case nil:
+	default:
+		out.Object.Object = in.Object
+	}
+	return nil
+}
+
+func Convert_versioned_InternalEvent_to_versioned_Event(in *InternalEvent, out *WatchEvent, s conversion.Scope) error {
+	return Convert_watch_Event_to_versioned_Event((*watch.Event)(in), out, s)
+}
+
+func Convert_versioned_Event_to_watch_Event(in *WatchEvent, out *watch.Event, s conversion.Scope) error {
+	out.Type = watch.EventType(in.Type)
+	if in.Object.Object != nil {
+		out.Object = in.Object.Object
+	} else if in.Object.Raw != nil {
+		// TODO: handle other fields on Unknown and detect type
+		out.Object = &runtime.Unknown{
+			Raw:         in.Object.Raw,
+			ContentType: runtime.ContentTypeJSON,
+		}
+	}
+	return nil
+}
+
+func Convert_versioned_Event_to_versioned_InternalEvent(in *WatchEvent, out *InternalEvent, s conversion.Scope) error {
+	return Convert_versioned_Event_to_watch_Event(in, (*watch.Event)(out), s)
+}
+
+// InternalEvent makes watch.Event versioned
+// +protobuf=false
+type InternalEvent watch.Event
+
+func (e *InternalEvent) GetObjectKind() schema.ObjectKind { return schema.EmptyObjectKind }
+func (e *WatchEvent) GetObjectKind() schema.ObjectKind    { return schema.EmptyObjectKind }
+func (e *InternalEvent) DeepCopyObject() runtime.Object {
+	if c := e.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..1b94412e
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.deepcopy.go
@@ -0,0 +1,1096 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	types "k8s.io/apimachinery/pkg/types"
+	reflect "reflect"
+)
+
+// GetGeneratedDeepCopyFuncs returns the generated funcs, since we aren't registering them.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func GetGeneratedDeepCopyFuncs() []conversion.GeneratedDeepCopyFunc {
+	return []conversion.GeneratedDeepCopyFunc{
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*APIGroup).DeepCopyInto(out.(*APIGroup))
+			return nil
+		}, InType: reflect.TypeOf(&APIGroup{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*APIGroupList).DeepCopyInto(out.(*APIGroupList))
+			return nil
+		}, InType: reflect.TypeOf(&APIGroupList{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*APIResource).DeepCopyInto(out.(*APIResource))
+			return nil
+		}, InType: reflect.TypeOf(&APIResource{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*APIResourceList).DeepCopyInto(out.(*APIResourceList))
+			return nil
+		}, InType: reflect.TypeOf(&APIResourceList{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*APIVersions).DeepCopyInto(out.(*APIVersions))
+			return nil
+		}, InType: reflect.TypeOf(&APIVersions{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*DeleteOptions).DeepCopyInto(out.(*DeleteOptions))
+			return nil
+		}, InType: reflect.TypeOf(&DeleteOptions{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Duration).DeepCopyInto(out.(*Duration))
+			return nil
+		}, InType: reflect.TypeOf(&Duration{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ExportOptions).DeepCopyInto(out.(*ExportOptions))
+			return nil
+		}, InType: reflect.TypeOf(&ExportOptions{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*GetOptions).DeepCopyInto(out.(*GetOptions))
+			return nil
+		}, InType: reflect.TypeOf(&GetOptions{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*GroupKind).DeepCopyInto(out.(*GroupKind))
+			return nil
+		}, InType: reflect.TypeOf(&GroupKind{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*GroupResource).DeepCopyInto(out.(*GroupResource))
+			return nil
+		}, InType: reflect.TypeOf(&GroupResource{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*GroupVersion).DeepCopyInto(out.(*GroupVersion))
+			return nil
+		}, InType: reflect.TypeOf(&GroupVersion{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*GroupVersionForDiscovery).DeepCopyInto(out.(*GroupVersionForDiscovery))
+			return nil
+		}, InType: reflect.TypeOf(&GroupVersionForDiscovery{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*GroupVersionKind).DeepCopyInto(out.(*GroupVersionKind))
+			return nil
+		}, InType: reflect.TypeOf(&GroupVersionKind{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*GroupVersionResource).DeepCopyInto(out.(*GroupVersionResource))
+			return nil
+		}, InType: reflect.TypeOf(&GroupVersionResource{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Initializer).DeepCopyInto(out.(*Initializer))
+			return nil
+		}, InType: reflect.TypeOf(&Initializer{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Initializers).DeepCopyInto(out.(*Initializers))
+			return nil
+		}, InType: reflect.TypeOf(&Initializers{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*InternalEvent).DeepCopyInto(out.(*InternalEvent))
+			return nil
+		}, InType: reflect.TypeOf(&InternalEvent{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LabelSelector).DeepCopyInto(out.(*LabelSelector))
+			return nil
+		}, InType: reflect.TypeOf(&LabelSelector{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*LabelSelectorRequirement).DeepCopyInto(out.(*LabelSelectorRequirement))
+			return nil
+		}, InType: reflect.TypeOf(&LabelSelectorRequirement{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*List).DeepCopyInto(out.(*List))
+			return nil
+		}, InType: reflect.TypeOf(&List{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ListMeta).DeepCopyInto(out.(*ListMeta))
+			return nil
+		}, InType: reflect.TypeOf(&ListMeta{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ListOptions).DeepCopyInto(out.(*ListOptions))
+			return nil
+		}, InType: reflect.TypeOf(&ListOptions{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*MicroTime).DeepCopyInto(out.(*MicroTime))
+			return nil
+		}, InType: reflect.TypeOf(&MicroTime{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ObjectMeta).DeepCopyInto(out.(*ObjectMeta))
+			return nil
+		}, InType: reflect.TypeOf(&ObjectMeta{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*OwnerReference).DeepCopyInto(out.(*OwnerReference))
+			return nil
+		}, InType: reflect.TypeOf(&OwnerReference{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Patch).DeepCopyInto(out.(*Patch))
+			return nil
+		}, InType: reflect.TypeOf(&Patch{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Preconditions).DeepCopyInto(out.(*Preconditions))
+			return nil
+		}, InType: reflect.TypeOf(&Preconditions{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RootPaths).DeepCopyInto(out.(*RootPaths))
+			return nil
+		}, InType: reflect.TypeOf(&RootPaths{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*ServerAddressByClientCIDR).DeepCopyInto(out.(*ServerAddressByClientCIDR))
+			return nil
+		}, InType: reflect.TypeOf(&ServerAddressByClientCIDR{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Status).DeepCopyInto(out.(*Status))
+			return nil
+		}, InType: reflect.TypeOf(&Status{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatusCause).DeepCopyInto(out.(*StatusCause))
+			return nil
+		}, InType: reflect.TypeOf(&StatusCause{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*StatusDetails).DeepCopyInto(out.(*StatusDetails))
+			return nil
+		}, InType: reflect.TypeOf(&StatusDetails{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Time).DeepCopyInto(out.(*Time))
+			return nil
+		}, InType: reflect.TypeOf(&Time{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Timestamp).DeepCopyInto(out.(*Timestamp))
+			return nil
+		}, InType: reflect.TypeOf(&Timestamp{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*WatchEvent).DeepCopyInto(out.(*WatchEvent))
+			return nil
+		}, InType: reflect.TypeOf(&WatchEvent{})},
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIGroup) DeepCopyInto(out *APIGroup) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.Versions != nil {
+		in, out := &in.Versions, &out.Versions
+		*out = make([]GroupVersionForDiscovery, len(*in))
+		copy(*out, *in)
+	}
+	out.PreferredVersion = in.PreferredVersion
+	if in.ServerAddressByClientCIDRs != nil {
+		in, out := &in.ServerAddressByClientCIDRs, &out.ServerAddressByClientCIDRs
+		*out = make([]ServerAddressByClientCIDR, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIGroup.
+func (in *APIGroup) DeepCopy() *APIGroup {
+	if in == nil {
+		return nil
+	}
+	out := new(APIGroup)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *APIGroup) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIGroupList) DeepCopyInto(out *APIGroupList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]APIGroup, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIGroupList.
+func (in *APIGroupList) DeepCopy() *APIGroupList {
+	if in == nil {
+		return nil
+	}
+	out := new(APIGroupList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *APIGroupList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIResource) DeepCopyInto(out *APIResource) {
+	*out = *in
+	if in.Verbs != nil {
+		in, out := &in.Verbs, &out.Verbs
+		*out = make(Verbs, len(*in))
+		copy(*out, *in)
+	}
+	if in.ShortNames != nil {
+		in, out := &in.ShortNames, &out.ShortNames
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Categories != nil {
+		in, out := &in.Categories, &out.Categories
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIResource.
+func (in *APIResource) DeepCopy() *APIResource {
+	if in == nil {
+		return nil
+	}
+	out := new(APIResource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIResourceList) DeepCopyInto(out *APIResourceList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.APIResources != nil {
+		in, out := &in.APIResources, &out.APIResources
+		*out = make([]APIResource, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIResourceList.
+func (in *APIResourceList) DeepCopy() *APIResourceList {
+	if in == nil {
+		return nil
+	}
+	out := new(APIResourceList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *APIResourceList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *APIVersions) DeepCopyInto(out *APIVersions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.Versions != nil {
+		in, out := &in.Versions, &out.Versions
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ServerAddressByClientCIDRs != nil {
+		in, out := &in.ServerAddressByClientCIDRs, &out.ServerAddressByClientCIDRs
+		*out = make([]ServerAddressByClientCIDR, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIVersions.
+func (in *APIVersions) DeepCopy() *APIVersions {
+	if in == nil {
+		return nil
+	}
+	out := new(APIVersions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *APIVersions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeleteOptions) DeepCopyInto(out *DeleteOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.GracePeriodSeconds != nil {
+		in, out := &in.GracePeriodSeconds, &out.GracePeriodSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.Preconditions != nil {
+		in, out := &in.Preconditions, &out.Preconditions
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Preconditions)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.OrphanDependents != nil {
+		in, out := &in.OrphanDependents, &out.OrphanDependents
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.PropagationPolicy != nil {
+		in, out := &in.PropagationPolicy, &out.PropagationPolicy
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(DeletionPropagation)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeleteOptions.
+func (in *DeleteOptions) DeepCopy() *DeleteOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(DeleteOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeleteOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Duration) DeepCopyInto(out *Duration) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Duration.
+func (in *Duration) DeepCopy() *Duration {
+	if in == nil {
+		return nil
+	}
+	out := new(Duration)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExportOptions) DeepCopyInto(out *ExportOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExportOptions.
+func (in *ExportOptions) DeepCopy() *ExportOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(ExportOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ExportOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GetOptions) DeepCopyInto(out *GetOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GetOptions.
+func (in *GetOptions) DeepCopy() *GetOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(GetOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *GetOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GroupKind) DeepCopyInto(out *GroupKind) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupKind.
+func (in *GroupKind) DeepCopy() *GroupKind {
+	if in == nil {
+		return nil
+	}
+	out := new(GroupKind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GroupResource) DeepCopyInto(out *GroupResource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupResource.
+func (in *GroupResource) DeepCopy() *GroupResource {
+	if in == nil {
+		return nil
+	}
+	out := new(GroupResource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GroupVersion) DeepCopyInto(out *GroupVersion) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupVersion.
+func (in *GroupVersion) DeepCopy() *GroupVersion {
+	if in == nil {
+		return nil
+	}
+	out := new(GroupVersion)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GroupVersionForDiscovery) DeepCopyInto(out *GroupVersionForDiscovery) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupVersionForDiscovery.
+func (in *GroupVersionForDiscovery) DeepCopy() *GroupVersionForDiscovery {
+	if in == nil {
+		return nil
+	}
+	out := new(GroupVersionForDiscovery)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GroupVersionKind) DeepCopyInto(out *GroupVersionKind) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupVersionKind.
+func (in *GroupVersionKind) DeepCopy() *GroupVersionKind {
+	if in == nil {
+		return nil
+	}
+	out := new(GroupVersionKind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GroupVersionResource) DeepCopyInto(out *GroupVersionResource) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupVersionResource.
+func (in *GroupVersionResource) DeepCopy() *GroupVersionResource {
+	if in == nil {
+		return nil
+	}
+	out := new(GroupVersionResource)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Initializer) DeepCopyInto(out *Initializer) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Initializer.
+func (in *Initializer) DeepCopy() *Initializer {
+	if in == nil {
+		return nil
+	}
+	out := new(Initializer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Initializers) DeepCopyInto(out *Initializers) {
+	*out = *in
+	if in.Pending != nil {
+		in, out := &in.Pending, &out.Pending
+		*out = make([]Initializer, len(*in))
+		copy(*out, *in)
+	}
+	if in.Result != nil {
+		in, out := &in.Result, &out.Result
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Status)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Initializers.
+func (in *Initializers) DeepCopy() *Initializers {
+	if in == nil {
+		return nil
+	}
+	out := new(Initializers)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InternalEvent) DeepCopyInto(out *InternalEvent) {
+	*out = *in
+	if in.Object == nil {
+		out.Object = nil
+	} else {
+		out.Object = in.Object.DeepCopyObject()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InternalEvent.
+func (in *InternalEvent) DeepCopy() *InternalEvent {
+	if in == nil {
+		return nil
+	}
+	out := new(InternalEvent)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LabelSelector) DeepCopyInto(out *LabelSelector) {
+	*out = *in
+	if in.MatchLabels != nil {
+		in, out := &in.MatchLabels, &out.MatchLabels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.MatchExpressions != nil {
+		in, out := &in.MatchExpressions, &out.MatchExpressions
+		*out = make([]LabelSelectorRequirement, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LabelSelector.
+func (in *LabelSelector) DeepCopy() *LabelSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(LabelSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LabelSelectorRequirement) DeepCopyInto(out *LabelSelectorRequirement) {
+	*out = *in
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LabelSelectorRequirement.
+func (in *LabelSelectorRequirement) DeepCopy() *LabelSelectorRequirement {
+	if in == nil {
+		return nil
+	}
+	out := new(LabelSelectorRequirement)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *List) DeepCopyInto(out *List) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]runtime.RawExtension, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new List.
+func (in *List) DeepCopy() *List {
+	if in == nil {
+		return nil
+	}
+	out := new(List)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *List) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ListMeta) DeepCopyInto(out *ListMeta) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListMeta.
+func (in *ListMeta) DeepCopy() *ListMeta {
+	if in == nil {
+		return nil
+	}
+	out := new(ListMeta)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ListOptions) DeepCopyInto(out *ListOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.TimeoutSeconds != nil {
+		in, out := &in.TimeoutSeconds, &out.TimeoutSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListOptions.
+func (in *ListOptions) DeepCopy() *ListOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(ListOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ListOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MicroTime.
+func (in *MicroTime) DeepCopy() *MicroTime {
+	if in == nil {
+		return nil
+	}
+	out := new(MicroTime)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectMeta) DeepCopyInto(out *ObjectMeta) {
+	*out = *in
+	in.CreationTimestamp.DeepCopyInto(&out.CreationTimestamp)
+	if in.DeletionTimestamp != nil {
+		in, out := &in.DeletionTimestamp, &out.DeletionTimestamp
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.DeletionGracePeriodSeconds != nil {
+		in, out := &in.DeletionGracePeriodSeconds, &out.DeletionGracePeriodSeconds
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(int64)
+			**out = **in
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.OwnerReferences != nil {
+		in, out := &in.OwnerReferences, &out.OwnerReferences
+		*out = make([]OwnerReference, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Initializers != nil {
+		in, out := &in.Initializers, &out.Initializers
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(Initializers)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Finalizers != nil {
+		in, out := &in.Finalizers, &out.Finalizers
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectMeta.
+func (in *ObjectMeta) DeepCopy() *ObjectMeta {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectMeta)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OwnerReference) DeepCopyInto(out *OwnerReference) {
+	*out = *in
+	if in.Controller != nil {
+		in, out := &in.Controller, &out.Controller
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	if in.BlockOwnerDeletion != nil {
+		in, out := &in.BlockOwnerDeletion, &out.BlockOwnerDeletion
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(bool)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerReference.
+func (in *OwnerReference) DeepCopy() *OwnerReference {
+	if in == nil {
+		return nil
+	}
+	out := new(OwnerReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Patch) DeepCopyInto(out *Patch) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Patch.
+func (in *Patch) DeepCopy() *Patch {
+	if in == nil {
+		return nil
+	}
+	out := new(Patch)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Preconditions) DeepCopyInto(out *Preconditions) {
+	*out = *in
+	if in.UID != nil {
+		in, out := &in.UID, &out.UID
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(types.UID)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Preconditions.
+func (in *Preconditions) DeepCopy() *Preconditions {
+	if in == nil {
+		return nil
+	}
+	out := new(Preconditions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RootPaths) DeepCopyInto(out *RootPaths) {
+	*out = *in
+	if in.Paths != nil {
+		in, out := &in.Paths, &out.Paths
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RootPaths.
+func (in *RootPaths) DeepCopy() *RootPaths {
+	if in == nil {
+		return nil
+	}
+	out := new(RootPaths)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServerAddressByClientCIDR) DeepCopyInto(out *ServerAddressByClientCIDR) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerAddressByClientCIDR.
+func (in *ServerAddressByClientCIDR) DeepCopy() *ServerAddressByClientCIDR {
+	if in == nil {
+		return nil
+	}
+	out := new(ServerAddressByClientCIDR)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Status) DeepCopyInto(out *Status) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Details != nil {
+		in, out := &in.Details, &out.Details
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(StatusDetails)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Status.
+func (in *Status) DeepCopy() *Status {
+	if in == nil {
+		return nil
+	}
+	out := new(Status)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Status) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatusCause) DeepCopyInto(out *StatusCause) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatusCause.
+func (in *StatusCause) DeepCopy() *StatusCause {
+	if in == nil {
+		return nil
+	}
+	out := new(StatusCause)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StatusDetails) DeepCopyInto(out *StatusDetails) {
+	*out = *in
+	if in.Causes != nil {
+		in, out := &in.Causes, &out.Causes
+		*out = make([]StatusCause, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatusDetails.
+func (in *StatusDetails) DeepCopy() *StatusDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(StatusDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Time.
+func (in *Time) DeepCopy() *Time {
+	if in == nil {
+		return nil
+	}
+	out := new(Time)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Timestamp) DeepCopyInto(out *Timestamp) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Timestamp.
+func (in *Timestamp) DeepCopy() *Timestamp {
+	if in == nil {
+		return nil
+	}
+	out := new(Timestamp)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WatchEvent) DeepCopyInto(out *WatchEvent) {
+	*out = *in
+	in.Object.DeepCopyInto(&out.Object)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WatchEvent.
+func (in *WatchEvent) DeepCopy() *WatchEvent {
+	if in == nil {
+		return nil
+	}
+	out := new(WatchEvent)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *WatchEvent) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.defaults.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.defaults.go
new file mode 100644
index 00000000..88d7af08
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1/zz_generated.defaults.go
@@ -0,0 +1,32 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by defaulter-gen. Do not edit it manually!
+
+package v1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/conversion.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/conversion.go
new file mode 100644
index 00000000..f8ecc7c2
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/conversion.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/conversion"
+
+// Convert_Slice_string_To_v1alpha1_IncludeObjectPolicy allows converting a URL query parameter value
+func Convert_Slice_string_To_v1alpha1_IncludeObjectPolicy(input *[]string, out *IncludeObjectPolicy, s conversion.Scope) error {
+	if len(*input) > 0 {
+		*out = IncludeObjectPolicy((*input)[0])
+	}
+	return nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/deepcopy.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/deepcopy.go
new file mode 100644
index 00000000..ab6d0485
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/deepcopy.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+func (in *TableRow) DeepCopy() *TableRow {
+	if in == nil {
+		return nil
+	}
+
+	out := new(TableRow)
+
+	if in.Cells != nil {
+		out.Cells = make([]interface{}, len(in.Cells))
+		for i := range in.Cells {
+			out.Cells[i] = deepCopyJSON(in.Cells[i])
+		}
+	}
+
+	if in.Conditions != nil {
+		out.Conditions = make([]TableRowCondition, len(in.Conditions))
+		for i := range in.Conditions {
+			in.Conditions[i].DeepCopyInto(&out.Conditions[i])
+		}
+	}
+
+	in.Object.DeepCopyInto(&out.Object)
+	return out
+}
+
+func deepCopyJSON(x interface{}) interface{} {
+	switch x := x.(type) {
+	case map[string]interface{}:
+		clone := make(map[string]interface{}, len(x))
+		for k, v := range x {
+			clone[k] = deepCopyJSON(v)
+		}
+		return clone
+	case []interface{}:
+		clone := make([]interface{}, len(x))
+		for i := range x {
+			clone[i] = deepCopyJSON(x[i])
+		}
+		return clone
+	default:
+		return x
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/doc.go
new file mode 100644
index 00000000..eea67c5c
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/doc.go
@@ -0,0 +1,22 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +k8s:openapi-gen=true
+// +k8s:defaulter-gen=TypeMeta
+
+// +groupName=meta.k8s.io
+package v1alpha1
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.pb.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.pb.go
new file mode 100644
index 00000000..4fcddb3a
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.pb.go
@@ -0,0 +1,633 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package v1alpha1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.proto
+
+	It has these top-level messages:
+		PartialObjectMetadata
+		PartialObjectMetadataList
+		TableOptions
+*/
+package v1alpha1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *PartialObjectMetadata) Reset()                    { *m = PartialObjectMetadata{} }
+func (*PartialObjectMetadata) ProtoMessage()               {}
+func (*PartialObjectMetadata) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *PartialObjectMetadataList) Reset()      { *m = PartialObjectMetadataList{} }
+func (*PartialObjectMetadataList) ProtoMessage() {}
+func (*PartialObjectMetadataList) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{1}
+}
+
+func (m *TableOptions) Reset()                    { *m = TableOptions{} }
+func (*TableOptions) ProtoMessage()               {}
+func (*TableOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func init() {
+	proto.RegisterType((*PartialObjectMetadata)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1alpha1.PartialObjectMetadata")
+	proto.RegisterType((*PartialObjectMetadataList)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1alpha1.PartialObjectMetadataList")
+	proto.RegisterType((*TableOptions)(nil), "k8s.io.apimachinery.pkg.apis.meta.v1alpha1.TableOptions")
+}
+func (m *PartialObjectMetadata) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PartialObjectMetadata) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.ObjectMeta.Size()))
+	n1, err := m.ObjectMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	return i, nil
+}
+
+func (m *PartialObjectMetadataList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PartialObjectMetadataList) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, msg := range m.Items {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *TableOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TableOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.IncludeObject)))
+	i += copy(dAtA[i:], m.IncludeObject)
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *PartialObjectMetadata) Size() (n int) {
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *PartialObjectMetadataList) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *TableOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.IncludeObject)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *PartialObjectMetadata) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PartialObjectMetadata{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(this.ObjectMeta.String(), "ObjectMeta", "k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *PartialObjectMetadataList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&PartialObjectMetadataList{`,
+		`Items:` + strings.Replace(fmt.Sprintf("%v", this.Items), "PartialObjectMetadata", "PartialObjectMetadata", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *TableOptions) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TableOptions{`,
+		`IncludeObject:` + fmt.Sprintf("%v", this.IncludeObject) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *PartialObjectMetadata) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PartialObjectMetadata: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PartialObjectMetadata: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PartialObjectMetadataList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PartialObjectMetadataList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PartialObjectMetadataList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, &PartialObjectMetadata{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TableOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TableOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TableOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IncludeObject", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.IncludeObject = IncludeObjectPolicy(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 392 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x91, 0xbf, 0x6e, 0xd4, 0x40,
+	0x10, 0x87, 0xbd, 0x42, 0x91, 0x92, 0x0d, 0x69, 0x8c, 0x90, 0xc2, 0x15, 0xeb, 0xe8, 0xaa, 0x08,
+	0xc1, 0x2e, 0x09, 0x08, 0xd1, 0xe2, 0x2e, 0x12, 0x28, 0x91, 0xa1, 0xa2, 0x62, 0x6d, 0x0f, 0xf6,
+	0x62, 0x7b, 0xd7, 0xda, 0x1d, 0x47, 0xba, 0x0a, 0x1e, 0x81, 0xc7, 0xba, 0x32, 0x65, 0x2a, 0x8b,
+	0x33, 0x6f, 0x41, 0x85, 0x6c, 0x5f, 0xc8, 0xbf, 0x3b, 0xe5, 0xba, 0x99, 0xdf, 0xe8, 0xfb, 0x3c,
+	0xe3, 0xa5, 0x9f, 0x8a, 0x77, 0x8e, 0x2b, 0x23, 0x8a, 0x26, 0x06, 0xab, 0x01, 0xc1, 0x89, 0x73,
+	0xd0, 0xa9, 0xb1, 0x62, 0x39, 0x90, 0xb5, 0xaa, 0x64, 0x92, 0x2b, 0x0d, 0x76, 0x26, 0xea, 0x22,
+	0xeb, 0x03, 0x27, 0x2a, 0x40, 0x29, 0xce, 0x8f, 0x64, 0x59, 0xe7, 0xf2, 0x48, 0x64, 0xa0, 0xc1,
+	0x4a, 0x84, 0x94, 0xd7, 0xd6, 0xa0, 0xf1, 0x9f, 0x8f, 0x2c, 0xbf, 0xc9, 0xf2, 0xba, 0xc8, 0xfa,
+	0xc0, 0xf1, 0x9e, 0xe5, 0x57, 0xec, 0xe4, 0x65, 0xa6, 0x30, 0x6f, 0x62, 0x9e, 0x98, 0x4a, 0x64,
+	0x26, 0x33, 0x62, 0x50, 0xc4, 0xcd, 0xb7, 0xa1, 0x1b, 0x9a, 0xa1, 0x1a, 0xd5, 0x93, 0x37, 0x9b,
+	0xac, 0x75, 0x77, 0xa1, 0xc9, 0xda, 0x63, 0x6c, 0xa3, 0x51, 0x55, 0x70, 0x0f, 0x78, 0xfb, 0x10,
+	0xe0, 0x92, 0x1c, 0x2a, 0x79, 0x8f, 0x7b, 0xbd, 0x8e, 0x6b, 0x50, 0x95, 0x42, 0x69, 0x74, 0x68,
+	0xef, 0x42, 0xd3, 0x19, 0x7d, 0x7a, 0x26, 0x2d, 0x2a, 0x59, 0x9e, 0xc6, 0xdf, 0x21, 0xc1, 0x8f,
+	0x80, 0x32, 0x95, 0x28, 0xfd, 0xaf, 0x74, 0xbb, 0x5a, 0xd6, 0xfb, 0xe4, 0x80, 0x1c, 0xee, 0x1e,
+	0xbf, 0xe2, 0x9b, 0xfc, 0x5a, 0x7e, 0xed, 0x09, 0xfd, 0x79, 0x1b, 0x78, 0x5d, 0x1b, 0xd0, 0xeb,
+	0x2c, 0xfa, 0x6f, 0x9d, 0xfe, 0xa0, 0xcf, 0x56, 0x7e, 0xfa, 0x83, 0x72, 0xe8, 0xc7, 0x74, 0x4b,
+	0x21, 0x54, 0x6e, 0x9f, 0x1c, 0x3c, 0x3a, 0xdc, 0x3d, 0x7e, 0xcf, 0x37, 0x7f, 0x56, 0xbe, 0xd2,
+	0x1a, 0xee, 0x74, 0x6d, 0xb0, 0x75, 0xd2, 0x3b, 0xa3, 0x51, 0x3d, 0x8d, 0xe9, 0xe3, 0xcf, 0x32,
+	0x2e, 0xe1, 0xb4, 0x46, 0x65, 0xb4, 0xf3, 0x23, 0xba, 0xa7, 0x74, 0x52, 0x36, 0x29, 0x8c, 0xe8,
+	0x70, 0xf7, 0x4e, 0xf8, 0x62, 0x79, 0xc5, 0xde, 0xc9, 0xcd, 0xe1, 0xdf, 0x36, 0x78, 0x72, 0x2b,
+	0x38, 0x33, 0xa5, 0x4a, 0x66, 0xd1, 0x6d, 0x45, 0xc8, 0xe7, 0x0b, 0xe6, 0x5d, 0x2c, 0x98, 0x77,
+	0xb9, 0x60, 0xde, 0xcf, 0x8e, 0x91, 0x79, 0xc7, 0xc8, 0x45, 0xc7, 0xc8, 0x65, 0xc7, 0xc8, 0xef,
+	0x8e, 0x91, 0x5f, 0x7f, 0x98, 0xf7, 0x65, 0xfb, 0x6a, 0xf7, 0x7f, 0x01, 0x00, 0x00, 0xff, 0xff,
+	0x97, 0x95, 0xbb, 0xf9, 0x14, 0x03, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.proto b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.proto
new file mode 100644
index 00000000..7509f6e8
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/generated.proto
@@ -0,0 +1,58 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.apimachinery.pkg.apis.meta.v1alpha1;
+
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1alpha1";
+
+// PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients
+// to get access to a particular ObjectMeta schema without knowing the details of the version.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+message PartialObjectMetadata {
+  // Standard object's metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+}
+
+// PartialObjectMetadataList contains a list of objects containing only their metadata
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+message PartialObjectMetadataList {
+  // items contains each of the included items.
+  repeated PartialObjectMetadata items = 1;
+}
+
+// TableOptions are used when a Table is requested by the caller.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+message TableOptions {
+  // includeObject decides whether to include each object along with its columnar information.
+  // Specifying "None" will return no object, specifying "Object" will return the full object contents, and
+  // specifying "Metadata" (the default) will return the object's metadata in the PartialObjectMetadata kind
+  // in version v1alpha1 of the meta.k8s.io API group.
+  optional string includeObject = 1;
+}
+
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/register.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/register.go
new file mode 100644
index 00000000..dab66bf0
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/register.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name for this API.
+const GroupName = "meta.k8s.io"
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// Kind takes an unqualified kind and returns a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// scheme is the registry for the common types that adhere to the meta v1alpha1 API spec.
+var scheme = runtime.NewScheme()
+
+// ParameterCodec knows about query parameters used with the meta v1alpha1 API spec.
+var ParameterCodec = runtime.NewParameterCodec(scheme)
+
+func init() {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Table{},
+		&TableOptions{},
+		&PartialObjectMetadata{},
+		&PartialObjectMetadataList{},
+	)
+
+	if err := scheme.AddConversionFuncs(
+		Convert_Slice_string_To_v1alpha1_IncludeObjectPolicy,
+	); err != nil {
+		panic(err)
+	}
+
+	// register manually. This usually goes through the SchemeBuilder, which we cannot use here.
+	//scheme.AddGeneratedDeepCopyFuncs(GetGeneratedDeepCopyFuncs()...)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/types.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/types.go
new file mode 100644
index 00000000..9c3c2a35
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/types.go
@@ -0,0 +1,161 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// package v1alpha1 is alpha objects from meta that will be introduced.
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// TODO: Table does not generate to protobuf because of the interface{} - fix protobuf
+//   generation to support a meta type that can accept any valid JSON.
+
+// Table is a tabular representation of a set of API resources. The server transforms the
+// object into a set of preferred columns for quickly reviewing the objects.
+// +protobuf=false
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type Table struct {
+	v1.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+	// +optional
+	v1.ListMeta `json:"metadata,omitempty"`
+
+	// columnDefinitions describes each column in the returned items array. The number of cells per row
+	// will always match the number of column definitions.
+	ColumnDefinitions []TableColumnDefinition `json:"columnDefinitions"`
+	// rows is the list of items in the table.
+	Rows []TableRow `json:"rows"`
+}
+
+// TableColumnDefinition contains information about a column returned in the Table.
+// +protobuf=false
+type TableColumnDefinition struct {
+	// name is a human readable name for the column.
+	Name string `json:"name"`
+	// type is an OpenAPI type definition for this column.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more.
+	Type string `json:"type"`
+	// format is an optional OpenAPI type definition for this column. The 'name' format is applied
+	// to the primary identifier column to assist in clients identifying column is the resource name.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more.
+	Format string `json:"format"`
+	// description is a human readable description of this column.
+	Description string `json:"description"`
+	// priority is an integer defining the relative importance of this column compared to others. Lower
+	// numbers are considered higher priority. Columns that may be omitted in limited space scenarios
+	// should be given a higher priority.
+	Priority int32 `json:"priority"`
+}
+
+// TableRow is an individual row in a table.
+// +protobuf=false
+type TableRow struct {
+	// cells will be as wide as headers and may contain strings, numbers, booleans, simple maps, or lists, or
+	// null. See the type field of the column definition for a more detailed description.
+	Cells []interface{} `json:"cells"`
+	// conditions describe additional status of a row that are relevant for a human user.
+	// +optional
+	Conditions []TableRowCondition `json:"conditions,omitempty"`
+	// This field contains the requested additional information about each object based on the includeObject
+	// policy when requesting the Table. If "None", this field is empty, if "Object" this will be the
+	// default serialization of the object for the current API version, and if "Metadata" (the default) will
+	// contain the object metadata. Check the returned kind and apiVersion of the object before parsing.
+	// +optional
+	Object runtime.RawExtension `json:"object,omitempty"`
+}
+
+// TableRowCondition allows a row to be marked with additional information.
+// +protobuf=false
+type TableRowCondition struct {
+	// Type of row condition.
+	Type RowConditionType `json:"type"`
+	// Status of the condition, one of True, False, Unknown.
+	Status ConditionStatus `json:"status"`
+	// (brief) machine readable reason for the condition's last transition.
+	// +optional
+	Reason string `json:"reason,omitempty"`
+	// Human readable message indicating details about last transition.
+	// +optional
+	Message string `json:"message,omitempty"`
+}
+
+type RowConditionType string
+
+// These are valid conditions of a row. This list is not exhaustive and new conditions may be
+// inculded by other resources.
+const (
+	// RowCompleted means the underlying resource has reached completion and may be given less
+	// visual priority than other resources.
+	RowCompleted RowConditionType = "Completed"
+)
+
+type ConditionStatus string
+
+// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
+// "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes
+// can't decide if a resource is in the condition or not. In the future, we could add other
+// intermediate conditions, e.g. ConditionDegraded.
+const (
+	ConditionTrue    ConditionStatus = "True"
+	ConditionFalse   ConditionStatus = "False"
+	ConditionUnknown ConditionStatus = "Unknown"
+)
+
+// IncludeObjectPolicy controls which portion of the object is returned with a Table.
+type IncludeObjectPolicy string
+
+const (
+	// IncludeNone returns no object.
+	IncludeNone IncludeObjectPolicy = "None"
+	// IncludeMetadata serializes the object containing only its metadata field.
+	IncludeMetadata IncludeObjectPolicy = "Metadata"
+	// IncludeObject contains the full object.
+	IncludeObject IncludeObjectPolicy = "Object"
+)
+
+// TableOptions are used when a Table is requested by the caller.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type TableOptions struct {
+	v1.TypeMeta `json:",inline"`
+	// includeObject decides whether to include each object along with its columnar information.
+	// Specifying "None" will return no object, specifying "Object" will return the full object contents, and
+	// specifying "Metadata" (the default) will return the object's metadata in the PartialObjectMetadata kind
+	// in version v1alpha1 of the meta.k8s.io API group.
+	IncludeObject IncludeObjectPolicy `json:"includeObject,omitempty" protobuf:"bytes,1,opt,name=includeObject,casttype=IncludeObjectPolicy"`
+}
+
+// PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients
+// to get access to a particular ObjectMeta schema without knowing the details of the version.
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type PartialObjectMetadata struct {
+	v1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+	// +optional
+	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+}
+
+// PartialObjectMetadataList contains a list of objects containing only their metadata
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type PartialObjectMetadataList struct {
+	v1.TypeMeta `json:",inline"`
+
+	// items contains each of the included items.
+	Items []*PartialObjectMetadata `json:"items" protobuf:"bytes,1,rep,name=items"`
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/types_swagger_doc_generated.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/types_swagger_doc_generated.go
new file mode 100644
index 00000000..e8bb6260
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/types_swagger_doc_generated.go
@@ -0,0 +1,104 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+// This file contains a collection of methods that can be used from go-restful to
+// generate Swagger API documentation for its models. Please read this PR for more
+// information on the implementation: https://github.com/emicklei/go-restful/pull/215
+//
+// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
+// they are on one line! For multiple line or blocks that you want to ignore use ---.
+// Any context after a --- is ignored.
+//
+// Those methods can be generated by using hack/update-generated-swagger-docs.sh
+
+// AUTO-GENERATED FUNCTIONS START HERE
+var map_PartialObjectMetadata = map[string]string{
+	"":         "PartialObjectMetadata is a generic representation of any object with ObjectMeta. It allows clients to get access to a particular ObjectMeta schema without knowing the details of the version.",
+	"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata",
+}
+
+func (PartialObjectMetadata) SwaggerDoc() map[string]string {
+	return map_PartialObjectMetadata
+}
+
+var map_PartialObjectMetadataList = map[string]string{
+	"":      "PartialObjectMetadataList contains a list of objects containing only their metadata",
+	"items": "items contains each of the included items.",
+}
+
+func (PartialObjectMetadataList) SwaggerDoc() map[string]string {
+	return map_PartialObjectMetadataList
+}
+
+var map_Table = map[string]string{
+	"":                  "Table is a tabular representation of a set of API resources. The server transforms the object into a set of preferred columns for quickly reviewing the objects.",
+	"metadata":          "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
+	"columnDefinitions": "columnDefinitions describes each column in the returned items array. The number of cells per row will always match the number of column definitions.",
+	"rows":              "rows is the list of items in the table.",
+}
+
+func (Table) SwaggerDoc() map[string]string {
+	return map_Table
+}
+
+var map_TableColumnDefinition = map[string]string{
+	"":            "TableColumnDefinition contains information about a column returned in the Table.",
+	"name":        "name is a human readable name for the column.",
+	"type":        "type is an OpenAPI type definition for this column. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more.",
+	"format":      "format is an optional OpenAPI type definition for this column. The 'name' format is applied to the primary identifier column to assist in clients identifying column is the resource name. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for more.",
+	"description": "description is a human readable description of this column.",
+	"priority":    "priority is an integer defining the relative importance of this column compared to others. Lower numbers are considered higher priority. Columns that may be omitted in limited space scenarios should be given a higher priority.",
+}
+
+func (TableColumnDefinition) SwaggerDoc() map[string]string {
+	return map_TableColumnDefinition
+}
+
+var map_TableOptions = map[string]string{
+	"":              "TableOptions are used when a Table is requested by the caller.",
+	"includeObject": "includeObject decides whether to include each object along with its columnar information. Specifying \"None\" will return no object, specifying \"Object\" will return the full object contents, and specifying \"Metadata\" (the default) will return the object's metadata in the PartialObjectMetadata kind in version v1alpha1 of the meta.k8s.io API group.",
+}
+
+func (TableOptions) SwaggerDoc() map[string]string {
+	return map_TableOptions
+}
+
+var map_TableRow = map[string]string{
+	"":           "TableRow is an individual row in a table.",
+	"cells":      "cells will be as wide as headers and may contain strings, numbers, booleans, simple maps, or lists, or null. See the type field of the column definition for a more detailed description.",
+	"conditions": "conditions describe additional status of a row that are relevant for a human user.",
+	"object":     "This field contains the requested additional information about each object based on the includeObject policy when requesting the Table. If \"None\", this field is empty, if \"Object\" this will be the default serialization of the object for the current API version, and if \"Metadata\" (the default) will contain the object metadata. Check the returned kind and apiVersion of the object before parsing.",
+}
+
+func (TableRow) SwaggerDoc() map[string]string {
+	return map_TableRow
+}
+
+var map_TableRowCondition = map[string]string{
+	"":        "TableRowCondition allows a row to be marked with additional information.",
+	"type":    "Type of row condition.",
+	"status":  "Status of the condition, one of True, False, Unknown.",
+	"reason":  "(brief) machine readable reason for the condition's last transition.",
+	"message": "Human readable message indicating details about last transition.",
+}
+
+func (TableRowCondition) SwaggerDoc() map[string]string {
+	return map_TableRowCondition
+}
+
+// AUTO-GENERATED FUNCTIONS END HERE
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..4683d8ba
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/zz_generated.deepcopy.go
@@ -0,0 +1,232 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+// GetGeneratedDeepCopyFuncs returns the generated funcs, since we aren't registering them.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func GetGeneratedDeepCopyFuncs() []conversion.GeneratedDeepCopyFunc {
+	return []conversion.GeneratedDeepCopyFunc{
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PartialObjectMetadata).DeepCopyInto(out.(*PartialObjectMetadata))
+			return nil
+		}, InType: reflect.TypeOf(&PartialObjectMetadata{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*PartialObjectMetadataList).DeepCopyInto(out.(*PartialObjectMetadataList))
+			return nil
+		}, InType: reflect.TypeOf(&PartialObjectMetadataList{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Table).DeepCopyInto(out.(*Table))
+			return nil
+		}, InType: reflect.TypeOf(&Table{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TableColumnDefinition).DeepCopyInto(out.(*TableColumnDefinition))
+			return nil
+		}, InType: reflect.TypeOf(&TableColumnDefinition{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TableOptions).DeepCopyInto(out.(*TableOptions))
+			return nil
+		}, InType: reflect.TypeOf(&TableOptions{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TableRow).DeepCopyInto(out.(*TableRow))
+			return nil
+		}, InType: reflect.TypeOf(&TableRow{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TableRowCondition).DeepCopyInto(out.(*TableRowCondition))
+			return nil
+		}, InType: reflect.TypeOf(&TableRowCondition{})},
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PartialObjectMetadata) DeepCopyInto(out *PartialObjectMetadata) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PartialObjectMetadata.
+func (in *PartialObjectMetadata) DeepCopy() *PartialObjectMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(PartialObjectMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PartialObjectMetadata) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PartialObjectMetadataList) DeepCopyInto(out *PartialObjectMetadataList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*PartialObjectMetadata, len(*in))
+		for i := range *in {
+			if (*in)[i] == nil {
+				(*out)[i] = nil
+			} else {
+				(*out)[i] = new(PartialObjectMetadata)
+				(*in)[i].DeepCopyInto((*out)[i])
+			}
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PartialObjectMetadataList.
+func (in *PartialObjectMetadataList) DeepCopy() *PartialObjectMetadataList {
+	if in == nil {
+		return nil
+	}
+	out := new(PartialObjectMetadataList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PartialObjectMetadataList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Table) DeepCopyInto(out *Table) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.ColumnDefinitions != nil {
+		in, out := &in.ColumnDefinitions, &out.ColumnDefinitions
+		*out = make([]TableColumnDefinition, len(*in))
+		copy(*out, *in)
+	}
+	if in.Rows != nil {
+		in, out := &in.Rows, &out.Rows
+		*out = make([]TableRow, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Table.
+func (in *Table) DeepCopy() *Table {
+	if in == nil {
+		return nil
+	}
+	out := new(Table)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Table) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TableColumnDefinition) DeepCopyInto(out *TableColumnDefinition) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TableColumnDefinition.
+func (in *TableColumnDefinition) DeepCopy() *TableColumnDefinition {
+	if in == nil {
+		return nil
+	}
+	out := new(TableColumnDefinition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TableOptions) DeepCopyInto(out *TableOptions) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TableOptions.
+func (in *TableOptions) DeepCopy() *TableOptions {
+	if in == nil {
+		return nil
+	}
+	out := new(TableOptions)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *TableOptions) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TableRow) DeepCopyInto(out *TableRow) {
+	clone := in.DeepCopy()
+	*out = *clone
+	return
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TableRowCondition) DeepCopyInto(out *TableRowCondition) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TableRowCondition.
+func (in *TableRowCondition) DeepCopy() *TableRowCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(TableRowCondition)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/zz_generated.defaults.go b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/zz_generated.defaults.go
new file mode 100644
index 00000000..5e24d22c
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/apis/meta/v1alpha1/zz_generated.defaults.go
@@ -0,0 +1,32 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by defaulter-gen. Do not edit it manually!
+
+package v1alpha1
+
+import (
+	runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+	return nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/conversion/cloner.go b/cli/vendor/k8s.io/apimachinery/pkg/conversion/cloner.go
new file mode 100644
index 00000000..c5dec1f3
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/conversion/cloner.go
@@ -0,0 +1,249 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package conversion
+
+import (
+	"fmt"
+	"reflect"
+)
+
+// Cloner knows how to copy one type to another.
+type Cloner struct {
+	// Map from the type to a function which can do the deep copy.
+	deepCopyFuncs          map[reflect.Type]reflect.Value
+	generatedDeepCopyFuncs map[reflect.Type]func(in interface{}, out interface{}, c *Cloner) error
+}
+
+// NewCloner creates a new Cloner object.
+func NewCloner() *Cloner {
+	c := &Cloner{
+		deepCopyFuncs:          map[reflect.Type]reflect.Value{},
+		generatedDeepCopyFuncs: map[reflect.Type]func(in interface{}, out interface{}, c *Cloner) error{},
+	}
+	if err := c.RegisterDeepCopyFunc(byteSliceDeepCopy); err != nil {
+		// If one of the deep-copy functions is malformed, detect it immediately.
+		panic(err)
+	}
+	return c
+}
+
+// Prevent recursing into every byte...
+func byteSliceDeepCopy(in *[]byte, out *[]byte, c *Cloner) error {
+	if *in != nil {
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	} else {
+		*out = nil
+	}
+	return nil
+}
+
+// Verifies whether a deep-copy function has a correct signature.
+func verifyDeepCopyFunctionSignature(ft reflect.Type) error {
+	if ft.Kind() != reflect.Func {
+		return fmt.Errorf("expected func, got: %v", ft)
+	}
+	if ft.NumIn() != 3 {
+		return fmt.Errorf("expected three 'in' params, got %v", ft)
+	}
+	if ft.NumOut() != 1 {
+		return fmt.Errorf("expected one 'out' param, got %v", ft)
+	}
+	if ft.In(0).Kind() != reflect.Ptr {
+		return fmt.Errorf("expected pointer arg for 'in' param 0, got: %v", ft)
+	}
+	if ft.In(1) != ft.In(0) {
+		return fmt.Errorf("expected 'in' param 0 the same as param 1, got: %v", ft)
+	}
+	var forClonerType Cloner
+	if expected := reflect.TypeOf(&forClonerType); ft.In(2) != expected {
+		return fmt.Errorf("expected '%v' arg for 'in' param 2, got: '%v'", expected, ft.In(2))
+	}
+	var forErrorType error
+	// This convolution is necessary, otherwise TypeOf picks up on the fact
+	// that forErrorType is nil
+	errorType := reflect.TypeOf(&forErrorType).Elem()
+	if ft.Out(0) != errorType {
+		return fmt.Errorf("expected error return, got: %v", ft)
+	}
+	return nil
+}
+
+// RegisterGeneratedDeepCopyFunc registers a copying func with the Cloner.
+// deepCopyFunc must take three parameters: a type input, a pointer to a
+// type output, and a pointer to Cloner. It should return an error.
+//
+// Example:
+// c.RegisterGeneratedDeepCopyFunc(
+//         func(in Pod, out *Pod, c *Cloner) error {
+//                 // deep copy logic...
+//                 return nil
+//          })
+func (c *Cloner) RegisterDeepCopyFunc(deepCopyFunc interface{}) error {
+	fv := reflect.ValueOf(deepCopyFunc)
+	ft := fv.Type()
+	if err := verifyDeepCopyFunctionSignature(ft); err != nil {
+		return err
+	}
+	c.deepCopyFuncs[ft.In(0)] = fv
+	return nil
+}
+
+// GeneratedDeepCopyFunc bundles an untyped generated deep-copy function of a type
+// with a reflection type object used as a key to lookup the deep-copy function.
+type GeneratedDeepCopyFunc struct {
+	Fn     func(in interface{}, out interface{}, c *Cloner) error
+	InType reflect.Type
+}
+
+// Similar to RegisterDeepCopyFunc, but registers deep copy function that were
+// automatically generated.
+func (c *Cloner) RegisterGeneratedDeepCopyFunc(fn GeneratedDeepCopyFunc) error {
+	c.generatedDeepCopyFuncs[fn.InType] = fn.Fn
+	return nil
+}
+
+// DeepCopy will perform a deep copy of a given object.
+func (c *Cloner) DeepCopy(in interface{}) (interface{}, error) {
+	// Can be invalid if we run DeepCopy(X) where X is a nil interface type.
+	// For example, we get an invalid value when someone tries to deep-copy
+	// a nil labels.Selector.
+	// This does not occur if X is nil and is a pointer to a concrete type.
+	if in == nil {
+		return nil, nil
+	}
+	inValue := reflect.ValueOf(in)
+	outValue, err := c.deepCopy(inValue)
+	if err != nil {
+		return nil, err
+	}
+	return outValue.Interface(), nil
+}
+
+func (c *Cloner) deepCopy(src reflect.Value) (reflect.Value, error) {
+	inType := src.Type()
+
+	switch src.Kind() {
+	case reflect.Interface, reflect.Ptr, reflect.Map, reflect.Slice:
+		if src.IsNil() {
+			return src, nil
+		}
+	}
+
+	if fv, ok := c.deepCopyFuncs[inType]; ok {
+		return c.customDeepCopy(src, fv)
+	}
+	if fv, ok := c.generatedDeepCopyFuncs[inType]; ok {
+		var outValue reflect.Value
+		outValue = reflect.New(inType.Elem())
+		err := fv(src.Interface(), outValue.Interface(), c)
+		return outValue, err
+	}
+	return c.defaultDeepCopy(src)
+}
+
+func (c *Cloner) customDeepCopy(src, fv reflect.Value) (reflect.Value, error) {
+	outValue := reflect.New(src.Type().Elem())
+	args := []reflect.Value{src, outValue, reflect.ValueOf(c)}
+	result := fv.Call(args)[0].Interface()
+	// This convolution is necessary because nil interfaces won't convert
+	// to error.
+	if result == nil {
+		return outValue, nil
+	}
+	return outValue, result.(error)
+}
+
+func (c *Cloner) defaultDeepCopy(src reflect.Value) (reflect.Value, error) {
+	switch src.Kind() {
+	case reflect.Chan, reflect.Func, reflect.UnsafePointer, reflect.Uintptr:
+		return src, fmt.Errorf("cannot deep copy kind: %s", src.Kind())
+	case reflect.Array:
+		dst := reflect.New(src.Type())
+		for i := 0; i < src.Len(); i++ {
+			copyVal, err := c.deepCopy(src.Index(i))
+			if err != nil {
+				return src, err
+			}
+			dst.Elem().Index(i).Set(copyVal)
+		}
+		return dst.Elem(), nil
+	case reflect.Interface:
+		if src.IsNil() {
+			return src, nil
+		}
+		return c.deepCopy(src.Elem())
+	case reflect.Map:
+		if src.IsNil() {
+			return src, nil
+		}
+		dst := reflect.MakeMap(src.Type())
+		for _, k := range src.MapKeys() {
+			copyVal, err := c.deepCopy(src.MapIndex(k))
+			if err != nil {
+				return src, err
+			}
+			dst.SetMapIndex(k, copyVal)
+		}
+		return dst, nil
+	case reflect.Ptr:
+		if src.IsNil() {
+			return src, nil
+		}
+		dst := reflect.New(src.Type().Elem())
+		copyVal, err := c.deepCopy(src.Elem())
+		if err != nil {
+			return src, err
+		}
+		dst.Elem().Set(copyVal)
+		return dst, nil
+	case reflect.Slice:
+		if src.IsNil() {
+			return src, nil
+		}
+		dst := reflect.MakeSlice(src.Type(), 0, src.Len())
+		for i := 0; i < src.Len(); i++ {
+			copyVal, err := c.deepCopy(src.Index(i))
+			if err != nil {
+				return src, err
+			}
+			dst = reflect.Append(dst, copyVal)
+		}
+		return dst, nil
+	case reflect.Struct:
+		dst := reflect.New(src.Type())
+		for i := 0; i < src.NumField(); i++ {
+			if !dst.Elem().Field(i).CanSet() {
+				// Can't set private fields. At this point, the
+				// best we can do is a shallow copy. For
+				// example, time.Time is a value type with
+				// private members that can be shallow copied.
+				return src, nil
+			}
+			copyVal, err := c.deepCopy(src.Field(i))
+			if err != nil {
+				return src, err
+			}
+			dst.Elem().Field(i).Set(copyVal)
+		}
+		return dst.Elem(), nil
+
+	default:
+		// Value types like numbers, booleans, and strings.
+		return src, nil
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/conversion/converter.go b/cli/vendor/k8s.io/apimachinery/pkg/conversion/converter.go
new file mode 100644
index 00000000..7854c207
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/conversion/converter.go
@@ -0,0 +1,898 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package conversion
+
+import (
+	"fmt"
+	"reflect"
+)
+
+type typePair struct {
+	source reflect.Type
+	dest   reflect.Type
+}
+
+type typeNamePair struct {
+	fieldType reflect.Type
+	fieldName string
+}
+
+// DebugLogger allows you to get debugging messages if necessary.
+type DebugLogger interface {
+	Logf(format string, args ...interface{})
+}
+
+type NameFunc func(t reflect.Type) string
+
+var DefaultNameFunc = func(t reflect.Type) string { return t.Name() }
+
+type GenericConversionFunc func(a, b interface{}, scope Scope) (bool, error)
+
+// Converter knows how to convert one type to another.
+type Converter struct {
+	// Map from the conversion pair to a function which can
+	// do the conversion.
+	conversionFuncs          ConversionFuncs
+	generatedConversionFuncs ConversionFuncs
+
+	// genericConversions are called during normal conversion to offer a "fast-path"
+	// that avoids all reflection. These methods are not called outside of the .Convert()
+	// method.
+	genericConversions []GenericConversionFunc
+
+	// Set of conversions that should be treated as a no-op
+	ignoredConversions map[typePair]struct{}
+
+	// This is a map from a source field type and name, to a list of destination
+	// field type and name.
+	structFieldDests map[typeNamePair][]typeNamePair
+
+	// Allows for the opposite lookup of structFieldDests. So that SourceFromDest
+	// copy flag also works. So this is a map of destination field name, to potential
+	// source field name and type to look for.
+	structFieldSources map[typeNamePair][]typeNamePair
+
+	// Map from an input type to a function which can apply a key name mapping
+	inputFieldMappingFuncs map[reflect.Type]FieldMappingFunc
+
+	// Map from an input type to a set of default conversion flags.
+	inputDefaultFlags map[reflect.Type]FieldMatchingFlags
+
+	// If non-nil, will be called to print helpful debugging info. Quite verbose.
+	Debug DebugLogger
+
+	// nameFunc is called to retrieve the name of a type; this name is used for the
+	// purpose of deciding whether two types match or not (i.e., will we attempt to
+	// do a conversion). The default returns the go type name.
+	nameFunc func(t reflect.Type) string
+}
+
+// NewConverter creates a new Converter object.
+func NewConverter(nameFn NameFunc) *Converter {
+	c := &Converter{
+		conversionFuncs:          NewConversionFuncs(),
+		generatedConversionFuncs: NewConversionFuncs(),
+		ignoredConversions:       make(map[typePair]struct{}),
+		nameFunc:                 nameFn,
+		structFieldDests:         make(map[typeNamePair][]typeNamePair),
+		structFieldSources:       make(map[typeNamePair][]typeNamePair),
+
+		inputFieldMappingFuncs: make(map[reflect.Type]FieldMappingFunc),
+		inputDefaultFlags:      make(map[reflect.Type]FieldMatchingFlags),
+	}
+	c.RegisterConversionFunc(Convert_Slice_byte_To_Slice_byte)
+	return c
+}
+
+// AddGenericConversionFunc adds a function that accepts the ConversionFunc call pattern
+// (for two conversion types) to the converter. These functions are checked first during
+// a normal conversion, but are otherwise not called. Use AddConversionFuncs when registering
+// typed conversions.
+func (c *Converter) AddGenericConversionFunc(fn GenericConversionFunc) {
+	c.genericConversions = append(c.genericConversions, fn)
+}
+
+// WithConversions returns a Converter that is a copy of c but with the additional
+// fns merged on top.
+func (c *Converter) WithConversions(fns ConversionFuncs) *Converter {
+	copied := *c
+	copied.conversionFuncs = c.conversionFuncs.Merge(fns)
+	return &copied
+}
+
+// DefaultMeta returns the conversion FieldMappingFunc and meta for a given type.
+func (c *Converter) DefaultMeta(t reflect.Type) (FieldMatchingFlags, *Meta) {
+	return c.inputDefaultFlags[t], &Meta{
+		KeyNameMapping: c.inputFieldMappingFuncs[t],
+	}
+}
+
+// Convert_Slice_byte_To_Slice_byte prevents recursing into every byte
+func Convert_Slice_byte_To_Slice_byte(in *[]byte, out *[]byte, s Scope) error {
+	if *in == nil {
+		*out = nil
+		return nil
+	}
+	*out = make([]byte, len(*in))
+	copy(*out, *in)
+	return nil
+}
+
+// Scope is passed to conversion funcs to allow them to continue an ongoing conversion.
+// If multiple converters exist in the system, Scope will allow you to use the correct one
+// from a conversion function--that is, the one your conversion function was called by.
+type Scope interface {
+	// Call Convert to convert sub-objects. Note that if you call it with your own exact
+	// parameters, you'll run out of stack space before anything useful happens.
+	Convert(src, dest interface{}, flags FieldMatchingFlags) error
+
+	// DefaultConvert performs the default conversion, without calling a conversion func
+	// on the current stack frame. This makes it safe to call from a conversion func.
+	DefaultConvert(src, dest interface{}, flags FieldMatchingFlags) error
+
+	// SrcTags and DestTags contain the struct tags that src and dest had, respectively.
+	// If the enclosing object was not a struct, then these will contain no tags, of course.
+	SrcTag() reflect.StructTag
+	DestTag() reflect.StructTag
+
+	// Flags returns the flags with which the conversion was started.
+	Flags() FieldMatchingFlags
+
+	// Meta returns any information originally passed to Convert.
+	Meta() *Meta
+}
+
+// FieldMappingFunc can convert an input field value into different values, depending on
+// the value of the source or destination struct tags.
+type FieldMappingFunc func(key string, sourceTag, destTag reflect.StructTag) (source string, dest string)
+
+func NewConversionFuncs() ConversionFuncs {
+	return ConversionFuncs{fns: make(map[typePair]reflect.Value)}
+}
+
+type ConversionFuncs struct {
+	fns map[typePair]reflect.Value
+}
+
+// Add adds the provided conversion functions to the lookup table - they must have the signature
+// `func(type1, type2, Scope) error`. Functions are added in the order passed and will override
+// previously registered pairs.
+func (c ConversionFuncs) Add(fns ...interface{}) error {
+	for _, fn := range fns {
+		fv := reflect.ValueOf(fn)
+		ft := fv.Type()
+		if err := verifyConversionFunctionSignature(ft); err != nil {
+			return err
+		}
+		c.fns[typePair{ft.In(0).Elem(), ft.In(1).Elem()}] = fv
+	}
+	return nil
+}
+
+// Merge returns a new ConversionFuncs that contains all conversions from
+// both other and c, with other conversions taking precedence.
+func (c ConversionFuncs) Merge(other ConversionFuncs) ConversionFuncs {
+	merged := NewConversionFuncs()
+	for k, v := range c.fns {
+		merged.fns[k] = v
+	}
+	for k, v := range other.fns {
+		merged.fns[k] = v
+	}
+	return merged
+}
+
+// Meta is supplied by Scheme, when it calls Convert.
+type Meta struct {
+	// KeyNameMapping is an optional function which may map the listed key (field name)
+	// into a source and destination value.
+	KeyNameMapping FieldMappingFunc
+	// Context is an optional field that callers may use to pass info to conversion functions.
+	Context interface{}
+}
+
+// scope contains information about an ongoing conversion.
+type scope struct {
+	converter *Converter
+	meta      *Meta
+	flags     FieldMatchingFlags
+
+	// srcStack & destStack are separate because they may not have a 1:1
+	// relationship.
+	srcStack  scopeStack
+	destStack scopeStack
+}
+
+type scopeStackElem struct {
+	tag   reflect.StructTag
+	value reflect.Value
+	key   string
+}
+
+type scopeStack []scopeStackElem
+
+func (s *scopeStack) pop() {
+	n := len(*s)
+	*s = (*s)[:n-1]
+}
+
+func (s *scopeStack) push(e scopeStackElem) {
+	*s = append(*s, e)
+}
+
+func (s *scopeStack) top() *scopeStackElem {
+	return &(*s)[len(*s)-1]
+}
+
+func (s scopeStack) describe() string {
+	desc := ""
+	if len(s) > 1 {
+		desc = "(" + s[1].value.Type().String() + ")"
+	}
+	for i, v := range s {
+		if i < 2 {
+			// First layer on stack is not real; second is handled specially above.
+			continue
+		}
+		if v.key == "" {
+			desc += fmt.Sprintf(".%v", v.value.Type())
+		} else {
+			desc += fmt.Sprintf(".%v", v.key)
+		}
+	}
+	return desc
+}
+
+// Formats src & dest as indices for printing.
+func (s *scope) setIndices(src, dest int) {
+	s.srcStack.top().key = fmt.Sprintf("[%v]", src)
+	s.destStack.top().key = fmt.Sprintf("[%v]", dest)
+}
+
+// Formats src & dest as map keys for printing.
+func (s *scope) setKeys(src, dest interface{}) {
+	s.srcStack.top().key = fmt.Sprintf(`["%v"]`, src)
+	s.destStack.top().key = fmt.Sprintf(`["%v"]`, dest)
+}
+
+// Convert continues a conversion.
+func (s *scope) Convert(src, dest interface{}, flags FieldMatchingFlags) error {
+	return s.converter.Convert(src, dest, flags, s.meta)
+}
+
+// DefaultConvert continues a conversion, performing a default conversion (no conversion func)
+// for the current stack frame.
+func (s *scope) DefaultConvert(src, dest interface{}, flags FieldMatchingFlags) error {
+	return s.converter.DefaultConvert(src, dest, flags, s.meta)
+}
+
+// SrcTag returns the tag of the struct containing the current source item, if any.
+func (s *scope) SrcTag() reflect.StructTag {
+	return s.srcStack.top().tag
+}
+
+// DestTag returns the tag of the struct containing the current dest item, if any.
+func (s *scope) DestTag() reflect.StructTag {
+	return s.destStack.top().tag
+}
+
+// Flags returns the flags with which the current conversion was started.
+func (s *scope) Flags() FieldMatchingFlags {
+	return s.flags
+}
+
+// Meta returns the meta object that was originally passed to Convert.
+func (s *scope) Meta() *Meta {
+	return s.meta
+}
+
+// describe prints the path to get to the current (source, dest) values.
+func (s *scope) describe() (src, dest string) {
+	return s.srcStack.describe(), s.destStack.describe()
+}
+
+// error makes an error that includes information about where we were in the objects
+// we were asked to convert.
+func (s *scope) errorf(message string, args ...interface{}) error {
+	srcPath, destPath := s.describe()
+	where := fmt.Sprintf("converting %v to %v: ", srcPath, destPath)
+	return fmt.Errorf(where+message, args...)
+}
+
+// Verifies whether a conversion function has a correct signature.
+func verifyConversionFunctionSignature(ft reflect.Type) error {
+	if ft.Kind() != reflect.Func {
+		return fmt.Errorf("expected func, got: %v", ft)
+	}
+	if ft.NumIn() != 3 {
+		return fmt.Errorf("expected three 'in' params, got: %v", ft)
+	}
+	if ft.NumOut() != 1 {
+		return fmt.Errorf("expected one 'out' param, got: %v", ft)
+	}
+	if ft.In(0).Kind() != reflect.Ptr {
+		return fmt.Errorf("expected pointer arg for 'in' param 0, got: %v", ft)
+	}
+	if ft.In(1).Kind() != reflect.Ptr {
+		return fmt.Errorf("expected pointer arg for 'in' param 1, got: %v", ft)
+	}
+	scopeType := Scope(nil)
+	if e, a := reflect.TypeOf(&scopeType).Elem(), ft.In(2); e != a {
+		return fmt.Errorf("expected '%v' arg for 'in' param 2, got '%v' (%v)", e, a, ft)
+	}
+	var forErrorType error
+	// This convolution is necessary, otherwise TypeOf picks up on the fact
+	// that forErrorType is nil.
+	errorType := reflect.TypeOf(&forErrorType).Elem()
+	if ft.Out(0) != errorType {
+		return fmt.Errorf("expected error return, got: %v", ft)
+	}
+	return nil
+}
+
+// RegisterConversionFunc registers a conversion func with the
+// Converter. conversionFunc must take three parameters: a pointer to the input
+// type, a pointer to the output type, and a conversion.Scope (which should be
+// used if recursive conversion calls are desired).  It must return an error.
+//
+// Example:
+// c.RegisterConversionFunc(
+//         func(in *Pod, out *v1.Pod, s Scope) error {
+//                 // conversion logic...
+//                 return nil
+//          })
+func (c *Converter) RegisterConversionFunc(conversionFunc interface{}) error {
+	return c.conversionFuncs.Add(conversionFunc)
+}
+
+// Similar to RegisterConversionFunc, but registers conversion function that were
+// automatically generated.
+func (c *Converter) RegisterGeneratedConversionFunc(conversionFunc interface{}) error {
+	return c.generatedConversionFuncs.Add(conversionFunc)
+}
+
+// RegisterIgnoredConversion registers a "no-op" for conversion, where any requested
+// conversion between from and to is ignored.
+func (c *Converter) RegisterIgnoredConversion(from, to interface{}) error {
+	typeFrom := reflect.TypeOf(from)
+	typeTo := reflect.TypeOf(to)
+	if reflect.TypeOf(from).Kind() != reflect.Ptr {
+		return fmt.Errorf("expected pointer arg for 'from' param 0, got: %v", typeFrom)
+	}
+	if typeTo.Kind() != reflect.Ptr {
+		return fmt.Errorf("expected pointer arg for 'to' param 1, got: %v", typeTo)
+	}
+	c.ignoredConversions[typePair{typeFrom.Elem(), typeTo.Elem()}] = struct{}{}
+	return nil
+}
+
+// IsConversionIgnored returns true if the specified objects should be dropped during
+// conversion.
+func (c *Converter) IsConversionIgnored(inType, outType reflect.Type) bool {
+	_, found := c.ignoredConversions[typePair{inType, outType}]
+	return found
+}
+
+func (c *Converter) HasConversionFunc(inType, outType reflect.Type) bool {
+	_, found := c.conversionFuncs.fns[typePair{inType, outType}]
+	return found
+}
+
+func (c *Converter) ConversionFuncValue(inType, outType reflect.Type) (reflect.Value, bool) {
+	value, found := c.conversionFuncs.fns[typePair{inType, outType}]
+	return value, found
+}
+
+// SetStructFieldCopy registers a correspondence. Whenever a struct field is encountered
+// which has a type and name matching srcFieldType and srcFieldName, it wil be copied
+// into the field in the destination struct matching destFieldType & Name, if such a
+// field exists.
+// May be called multiple times, even for the same source field & type--all applicable
+// copies will be performed.
+func (c *Converter) SetStructFieldCopy(srcFieldType interface{}, srcFieldName string, destFieldType interface{}, destFieldName string) error {
+	st := reflect.TypeOf(srcFieldType)
+	dt := reflect.TypeOf(destFieldType)
+	srcKey := typeNamePair{st, srcFieldName}
+	destKey := typeNamePair{dt, destFieldName}
+	c.structFieldDests[srcKey] = append(c.structFieldDests[srcKey], destKey)
+	c.structFieldSources[destKey] = append(c.structFieldSources[destKey], srcKey)
+	return nil
+}
+
+// RegisterInputDefaults registers a field name mapping function, used when converting
+// from maps to structs. Inputs to the conversion methods are checked for this type and a mapping
+// applied automatically if the input matches in. A set of default flags for the input conversion
+// may also be provided, which will be used when no explicit flags are requested.
+func (c *Converter) RegisterInputDefaults(in interface{}, fn FieldMappingFunc, defaultFlags FieldMatchingFlags) error {
+	fv := reflect.ValueOf(in)
+	ft := fv.Type()
+	if ft.Kind() != reflect.Ptr {
+		return fmt.Errorf("expected pointer 'in' argument, got: %v", ft)
+	}
+	c.inputFieldMappingFuncs[ft] = fn
+	c.inputDefaultFlags[ft] = defaultFlags
+	return nil
+}
+
+// FieldMatchingFlags contains a list of ways in which struct fields could be
+// copied. These constants may be | combined.
+type FieldMatchingFlags int
+
+const (
+	// Loop through destination fields, search for matching source
+	// field to copy it from. Source fields with no corresponding
+	// destination field will be ignored. If SourceToDest is
+	// specified, this flag is ignored. If neither is specified,
+	// or no flags are passed, this flag is the default.
+	DestFromSource FieldMatchingFlags = 0
+	// Loop through source fields, search for matching dest field
+	// to copy it into. Destination fields with no corresponding
+	// source field will be ignored.
+	SourceToDest FieldMatchingFlags = 1 << iota
+	// Don't treat it as an error if the corresponding source or
+	// dest field can't be found.
+	IgnoreMissingFields
+	// Don't require type names to match.
+	AllowDifferentFieldTypeNames
+)
+
+// IsSet returns true if the given flag or combination of flags is set.
+func (f FieldMatchingFlags) IsSet(flag FieldMatchingFlags) bool {
+	if flag == DestFromSource {
+		// The bit logic doesn't work on the default value.
+		return f&SourceToDest != SourceToDest
+	}
+	return f&flag == flag
+}
+
+// Convert will translate src to dest if it knows how. Both must be pointers.
+// If no conversion func is registered and the default copying mechanism
+// doesn't work on this type pair, an error will be returned.
+// Read the comments on the various FieldMatchingFlags constants to understand
+// what the 'flags' parameter does.
+// 'meta' is given to allow you to pass information to conversion functions,
+// it is not used by Convert() other than storing it in the scope.
+// Not safe for objects with cyclic references!
+func (c *Converter) Convert(src, dest interface{}, flags FieldMatchingFlags, meta *Meta) error {
+	if len(c.genericConversions) > 0 {
+		// TODO: avoid scope allocation
+		s := &scope{converter: c, flags: flags, meta: meta}
+		for _, fn := range c.genericConversions {
+			if ok, err := fn(src, dest, s); ok {
+				return err
+			}
+		}
+	}
+	return c.doConversion(src, dest, flags, meta, c.convert)
+}
+
+// DefaultConvert will translate src to dest if it knows how. Both must be pointers.
+// No conversion func is used. If the default copying mechanism
+// doesn't work on this type pair, an error will be returned.
+// Read the comments on the various FieldMatchingFlags constants to understand
+// what the 'flags' parameter does.
+// 'meta' is given to allow you to pass information to conversion functions,
+// it is not used by DefaultConvert() other than storing it in the scope.
+// Not safe for objects with cyclic references!
+func (c *Converter) DefaultConvert(src, dest interface{}, flags FieldMatchingFlags, meta *Meta) error {
+	return c.doConversion(src, dest, flags, meta, c.defaultConvert)
+}
+
+type conversionFunc func(sv, dv reflect.Value, scope *scope) error
+
+func (c *Converter) doConversion(src, dest interface{}, flags FieldMatchingFlags, meta *Meta, f conversionFunc) error {
+	dv, err := EnforcePtr(dest)
+	if err != nil {
+		return err
+	}
+	if !dv.CanAddr() && !dv.CanSet() {
+		return fmt.Errorf("can't write to dest")
+	}
+	sv, err := EnforcePtr(src)
+	if err != nil {
+		return err
+	}
+	s := &scope{
+		converter: c,
+		flags:     flags,
+		meta:      meta,
+	}
+	// Leave something on the stack, so that calls to struct tag getters never fail.
+	s.srcStack.push(scopeStackElem{})
+	s.destStack.push(scopeStackElem{})
+	return f(sv, dv, s)
+}
+
+// callCustom calls 'custom' with sv & dv. custom must be a conversion function.
+func (c *Converter) callCustom(sv, dv, custom reflect.Value, scope *scope) error {
+	if !sv.CanAddr() {
+		sv2 := reflect.New(sv.Type())
+		sv2.Elem().Set(sv)
+		sv = sv2
+	} else {
+		sv = sv.Addr()
+	}
+	if !dv.CanAddr() {
+		if !dv.CanSet() {
+			return scope.errorf("can't addr or set dest.")
+		}
+		dvOrig := dv
+		dv := reflect.New(dvOrig.Type())
+		defer func() { dvOrig.Set(dv) }()
+	} else {
+		dv = dv.Addr()
+	}
+	args := []reflect.Value{sv, dv, reflect.ValueOf(scope)}
+	ret := custom.Call(args)[0].Interface()
+	// This convolution is necessary because nil interfaces won't convert
+	// to errors.
+	if ret == nil {
+		return nil
+	}
+	return ret.(error)
+}
+
+// convert recursively copies sv into dv, calling an appropriate conversion function if
+// one is registered.
+func (c *Converter) convert(sv, dv reflect.Value, scope *scope) error {
+	dt, st := dv.Type(), sv.Type()
+	pair := typePair{st, dt}
+
+	// ignore conversions of this type
+	if _, ok := c.ignoredConversions[pair]; ok {
+		if c.Debug != nil {
+			c.Debug.Logf("Ignoring conversion of '%v' to '%v'", st, dt)
+		}
+		return nil
+	}
+
+	// Convert sv to dv.
+	if fv, ok := c.conversionFuncs.fns[pair]; ok {
+		if c.Debug != nil {
+			c.Debug.Logf("Calling custom conversion of '%v' to '%v'", st, dt)
+		}
+		return c.callCustom(sv, dv, fv, scope)
+	}
+	if fv, ok := c.generatedConversionFuncs.fns[pair]; ok {
+		if c.Debug != nil {
+			c.Debug.Logf("Calling generated conversion of '%v' to '%v'", st, dt)
+		}
+		return c.callCustom(sv, dv, fv, scope)
+	}
+
+	return c.defaultConvert(sv, dv, scope)
+}
+
+// defaultConvert recursively copies sv into dv. no conversion function is called
+// for the current stack frame (but conversion functions may be called for nested objects)
+func (c *Converter) defaultConvert(sv, dv reflect.Value, scope *scope) error {
+	dt, st := dv.Type(), sv.Type()
+
+	if !dv.CanSet() {
+		return scope.errorf("Cannot set dest. (Tried to deep copy something with unexported fields?)")
+	}
+
+	if !scope.flags.IsSet(AllowDifferentFieldTypeNames) && c.nameFunc(dt) != c.nameFunc(st) {
+		return scope.errorf(
+			"type names don't match (%v, %v), and no conversion 'func (%v, %v) error' registered.",
+			c.nameFunc(st), c.nameFunc(dt), st, dt)
+	}
+
+	switch st.Kind() {
+	case reflect.Map, reflect.Ptr, reflect.Slice, reflect.Interface, reflect.Struct:
+		// Don't copy these via assignment/conversion!
+	default:
+		// This should handle all simple types.
+		if st.AssignableTo(dt) {
+			dv.Set(sv)
+			return nil
+		}
+		if st.ConvertibleTo(dt) {
+			dv.Set(sv.Convert(dt))
+			return nil
+		}
+	}
+
+	if c.Debug != nil {
+		c.Debug.Logf("Trying to convert '%v' to '%v'", st, dt)
+	}
+
+	scope.srcStack.push(scopeStackElem{value: sv})
+	scope.destStack.push(scopeStackElem{value: dv})
+	defer scope.srcStack.pop()
+	defer scope.destStack.pop()
+
+	switch dv.Kind() {
+	case reflect.Struct:
+		return c.convertKV(toKVValue(sv), toKVValue(dv), scope)
+	case reflect.Slice:
+		if sv.IsNil() {
+			// Don't make a zero-length slice.
+			dv.Set(reflect.Zero(dt))
+			return nil
+		}
+		dv.Set(reflect.MakeSlice(dt, sv.Len(), sv.Cap()))
+		for i := 0; i < sv.Len(); i++ {
+			scope.setIndices(i, i)
+			if err := c.convert(sv.Index(i), dv.Index(i), scope); err != nil {
+				return err
+			}
+		}
+	case reflect.Ptr:
+		if sv.IsNil() {
+			// Don't copy a nil ptr!
+			dv.Set(reflect.Zero(dt))
+			return nil
+		}
+		dv.Set(reflect.New(dt.Elem()))
+		switch st.Kind() {
+		case reflect.Ptr, reflect.Interface:
+			return c.convert(sv.Elem(), dv.Elem(), scope)
+		default:
+			return c.convert(sv, dv.Elem(), scope)
+		}
+	case reflect.Map:
+		if sv.IsNil() {
+			// Don't copy a nil ptr!
+			dv.Set(reflect.Zero(dt))
+			return nil
+		}
+		dv.Set(reflect.MakeMap(dt))
+		for _, sk := range sv.MapKeys() {
+			dk := reflect.New(dt.Key()).Elem()
+			if err := c.convert(sk, dk, scope); err != nil {
+				return err
+			}
+			dkv := reflect.New(dt.Elem()).Elem()
+			scope.setKeys(sk.Interface(), dk.Interface())
+			// TODO:  sv.MapIndex(sk) may return a value with CanAddr() == false,
+			// because a map[string]struct{} does not allow a pointer reference.
+			// Calling a custom conversion function defined for the map value
+			// will panic. Example is PodInfo map[string]ContainerStatus.
+			if err := c.convert(sv.MapIndex(sk), dkv, scope); err != nil {
+				return err
+			}
+			dv.SetMapIndex(dk, dkv)
+		}
+	case reflect.Interface:
+		if sv.IsNil() {
+			// Don't copy a nil interface!
+			dv.Set(reflect.Zero(dt))
+			return nil
+		}
+		tmpdv := reflect.New(sv.Elem().Type()).Elem()
+		if err := c.convert(sv.Elem(), tmpdv, scope); err != nil {
+			return err
+		}
+		dv.Set(reflect.ValueOf(tmpdv.Interface()))
+		return nil
+	default:
+		return scope.errorf("couldn't copy '%v' into '%v'; didn't understand types", st, dt)
+	}
+	return nil
+}
+
+var stringType = reflect.TypeOf("")
+
+func toKVValue(v reflect.Value) kvValue {
+	switch v.Kind() {
+	case reflect.Struct:
+		return structAdaptor(v)
+	case reflect.Map:
+		if v.Type().Key().AssignableTo(stringType) {
+			return stringMapAdaptor(v)
+		}
+	}
+
+	return nil
+}
+
+// kvValue lets us write the same conversion logic to work with both maps
+// and structs. Only maps with string keys make sense for this.
+type kvValue interface {
+	// returns all keys, as a []string.
+	keys() []string
+	// Will just return "" for maps.
+	tagOf(key string) reflect.StructTag
+	// Will return the zero Value if the key doesn't exist.
+	value(key string) reflect.Value
+	// Maps require explicit setting-- will do nothing for structs.
+	// Returns false on failure.
+	confirmSet(key string, v reflect.Value) bool
+}
+
+type stringMapAdaptor reflect.Value
+
+func (a stringMapAdaptor) len() int {
+	return reflect.Value(a).Len()
+}
+
+func (a stringMapAdaptor) keys() []string {
+	v := reflect.Value(a)
+	keys := make([]string, v.Len())
+	for i, v := range v.MapKeys() {
+		if v.IsNil() {
+			continue
+		}
+		switch t := v.Interface().(type) {
+		case string:
+			keys[i] = t
+		}
+	}
+	return keys
+}
+
+func (a stringMapAdaptor) tagOf(key string) reflect.StructTag {
+	return ""
+}
+
+func (a stringMapAdaptor) value(key string) reflect.Value {
+	return reflect.Value(a).MapIndex(reflect.ValueOf(key))
+}
+
+func (a stringMapAdaptor) confirmSet(key string, v reflect.Value) bool {
+	return true
+}
+
+type structAdaptor reflect.Value
+
+func (a structAdaptor) len() int {
+	v := reflect.Value(a)
+	return v.Type().NumField()
+}
+
+func (a structAdaptor) keys() []string {
+	v := reflect.Value(a)
+	t := v.Type()
+	keys := make([]string, t.NumField())
+	for i := range keys {
+		keys[i] = t.Field(i).Name
+	}
+	return keys
+}
+
+func (a structAdaptor) tagOf(key string) reflect.StructTag {
+	v := reflect.Value(a)
+	field, ok := v.Type().FieldByName(key)
+	if ok {
+		return field.Tag
+	}
+	return ""
+}
+
+func (a structAdaptor) value(key string) reflect.Value {
+	v := reflect.Value(a)
+	return v.FieldByName(key)
+}
+
+func (a structAdaptor) confirmSet(key string, v reflect.Value) bool {
+	return true
+}
+
+// convertKV can convert things that consist of key/value pairs, like structs
+// and some maps.
+func (c *Converter) convertKV(skv, dkv kvValue, scope *scope) error {
+	if skv == nil || dkv == nil {
+		// TODO: add keys to stack to support really understandable error messages.
+		return fmt.Errorf("Unable to convert %#v to %#v", skv, dkv)
+	}
+
+	lister := dkv
+	if scope.flags.IsSet(SourceToDest) {
+		lister = skv
+	}
+
+	var mapping FieldMappingFunc
+	if scope.meta != nil && scope.meta.KeyNameMapping != nil {
+		mapping = scope.meta.KeyNameMapping
+	}
+
+	for _, key := range lister.keys() {
+		if found, err := c.checkField(key, skv, dkv, scope); found {
+			if err != nil {
+				return err
+			}
+			continue
+		}
+		stag := skv.tagOf(key)
+		dtag := dkv.tagOf(key)
+		skey := key
+		dkey := key
+		if mapping != nil {
+			skey, dkey = scope.meta.KeyNameMapping(key, stag, dtag)
+		}
+
+		df := dkv.value(dkey)
+		sf := skv.value(skey)
+		if !df.IsValid() || !sf.IsValid() {
+			switch {
+			case scope.flags.IsSet(IgnoreMissingFields):
+				// No error.
+			case scope.flags.IsSet(SourceToDest):
+				return scope.errorf("%v not present in dest", dkey)
+			default:
+				return scope.errorf("%v not present in src", skey)
+			}
+			continue
+		}
+		scope.srcStack.top().key = skey
+		scope.srcStack.top().tag = stag
+		scope.destStack.top().key = dkey
+		scope.destStack.top().tag = dtag
+		if err := c.convert(sf, df, scope); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// checkField returns true if the field name matches any of the struct
+// field copying rules. The error should be ignored if it returns false.
+func (c *Converter) checkField(fieldName string, skv, dkv kvValue, scope *scope) (bool, error) {
+	replacementMade := false
+	if scope.flags.IsSet(DestFromSource) {
+		df := dkv.value(fieldName)
+		if !df.IsValid() {
+			return false, nil
+		}
+		destKey := typeNamePair{df.Type(), fieldName}
+		// Check each of the potential source (type, name) pairs to see if they're
+		// present in sv.
+		for _, potentialSourceKey := range c.structFieldSources[destKey] {
+			sf := skv.value(potentialSourceKey.fieldName)
+			if !sf.IsValid() {
+				continue
+			}
+			if sf.Type() == potentialSourceKey.fieldType {
+				// Both the source's name and type matched, so copy.
+				scope.srcStack.top().key = potentialSourceKey.fieldName
+				scope.destStack.top().key = fieldName
+				if err := c.convert(sf, df, scope); err != nil {
+					return true, err
+				}
+				dkv.confirmSet(fieldName, df)
+				replacementMade = true
+			}
+		}
+		return replacementMade, nil
+	}
+
+	sf := skv.value(fieldName)
+	if !sf.IsValid() {
+		return false, nil
+	}
+	srcKey := typeNamePair{sf.Type(), fieldName}
+	// Check each of the potential dest (type, name) pairs to see if they're
+	// present in dv.
+	for _, potentialDestKey := range c.structFieldDests[srcKey] {
+		df := dkv.value(potentialDestKey.fieldName)
+		if !df.IsValid() {
+			continue
+		}
+		if df.Type() == potentialDestKey.fieldType {
+			// Both the dest's name and type matched, so copy.
+			scope.srcStack.top().key = fieldName
+			scope.destStack.top().key = potentialDestKey.fieldName
+			if err := c.convert(sf, df, scope); err != nil {
+				return true, err
+			}
+			dkv.confirmSet(potentialDestKey.fieldName, df)
+			replacementMade = true
+		}
+	}
+	return replacementMade, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/conversion/deep_equal.go b/cli/vendor/k8s.io/apimachinery/pkg/conversion/deep_equal.go
new file mode 100644
index 00000000..f21abe1e
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/conversion/deep_equal.go
@@ -0,0 +1,36 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package conversion
+
+import (
+	"k8s.io/apimachinery/third_party/forked/golang/reflect"
+)
+
+// The code for this type must be located in third_party, since it forks from
+// go std lib. But for convenience, we expose the type here, too.
+type Equalities struct {
+	reflect.Equalities
+}
+
+// For convenience, panics on errors
+func EqualitiesOrDie(funcs ...interface{}) Equalities {
+	e := Equalities{reflect.Equalities{}}
+	if err := e.AddFuncs(funcs...); err != nil {
+		panic(err)
+	}
+	return e
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/conversion/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/conversion/doc.go
new file mode 100644
index 00000000..7415d816
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/conversion/doc.go
@@ -0,0 +1,24 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package conversion provides go object versioning.
+//
+// Specifically, conversion provides a way for you to define multiple versions
+// of the same object. You may write functions which implement conversion logic,
+// but for the fields which did not change, copying is automated. This makes it
+// easy to modify the structures you use in memory without affecting the format
+// you store on disk or respond to in your external API calls.
+package conversion // import "k8s.io/apimachinery/pkg/conversion"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/conversion/helper.go b/cli/vendor/k8s.io/apimachinery/pkg/conversion/helper.go
new file mode 100644
index 00000000..4ebc1ebc
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/conversion/helper.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package conversion
+
+import (
+	"fmt"
+	"reflect"
+)
+
+// EnforcePtr ensures that obj is a pointer of some sort. Returns a reflect.Value
+// of the dereferenced pointer, ensuring that it is settable/addressable.
+// Returns an error if this is not possible.
+func EnforcePtr(obj interface{}) (reflect.Value, error) {
+	v := reflect.ValueOf(obj)
+	if v.Kind() != reflect.Ptr {
+		if v.Kind() == reflect.Invalid {
+			return reflect.Value{}, fmt.Errorf("expected pointer, but got invalid kind")
+		}
+		return reflect.Value{}, fmt.Errorf("expected pointer, but got %v type", v.Type())
+	}
+	if v.IsNil() {
+		return reflect.Value{}, fmt.Errorf("expected pointer, but got nil")
+	}
+	return v.Elem(), nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/conversion/queryparams/convert.go b/cli/vendor/k8s.io/apimachinery/pkg/conversion/queryparams/convert.go
new file mode 100644
index 00000000..30f717b2
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/conversion/queryparams/convert.go
@@ -0,0 +1,188 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package queryparams
+
+import (
+	"fmt"
+	"net/url"
+	"reflect"
+	"strings"
+)
+
+// Marshaler converts an object to a query parameter string representation
+type Marshaler interface {
+	MarshalQueryParameter() (string, error)
+}
+
+// Unmarshaler converts a string representation to an object
+type Unmarshaler interface {
+	UnmarshalQueryParameter(string) error
+}
+
+func jsonTag(field reflect.StructField) (string, bool) {
+	structTag := field.Tag.Get("json")
+	if len(structTag) == 0 {
+		return "", false
+	}
+	parts := strings.Split(structTag, ",")
+	tag := parts[0]
+	if tag == "-" {
+		tag = ""
+	}
+	omitempty := false
+	parts = parts[1:]
+	for _, part := range parts {
+		if part == "omitempty" {
+			omitempty = true
+			break
+		}
+	}
+	return tag, omitempty
+}
+
+func formatValue(value interface{}) string {
+	return fmt.Sprintf("%v", value)
+}
+
+func isPointerKind(kind reflect.Kind) bool {
+	return kind == reflect.Ptr
+}
+
+func isStructKind(kind reflect.Kind) bool {
+	return kind == reflect.Struct
+}
+
+func isValueKind(kind reflect.Kind) bool {
+	switch kind {
+	case reflect.String, reflect.Bool, reflect.Int, reflect.Int8, reflect.Int16,
+		reflect.Int32, reflect.Int64, reflect.Uint, reflect.Uint8,
+		reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Float32,
+		reflect.Float64, reflect.Complex64, reflect.Complex128:
+		return true
+	default:
+		return false
+	}
+}
+
+func zeroValue(value reflect.Value) bool {
+	return reflect.DeepEqual(reflect.Zero(value.Type()).Interface(), value.Interface())
+}
+
+func customMarshalValue(value reflect.Value) (reflect.Value, bool) {
+	// Return unless we implement a custom query marshaler
+	if !value.CanInterface() {
+		return reflect.Value{}, false
+	}
+
+	marshaler, ok := value.Interface().(Marshaler)
+	if !ok {
+		return reflect.Value{}, false
+	}
+
+	// Don't invoke functions on nil pointers
+	// If the type implements MarshalQueryParameter, AND the tag is not omitempty, AND the value is a nil pointer, "" seems like a reasonable response
+	if isPointerKind(value.Kind()) && zeroValue(value) {
+		return reflect.ValueOf(""), true
+	}
+
+	// Get the custom marshalled value
+	v, err := marshaler.MarshalQueryParameter()
+	if err != nil {
+		return reflect.Value{}, false
+	}
+	return reflect.ValueOf(v), true
+}
+
+func addParam(values url.Values, tag string, omitempty bool, value reflect.Value) {
+	if omitempty && zeroValue(value) {
+		return
+	}
+	val := ""
+	iValue := fmt.Sprintf("%v", value.Interface())
+
+	if iValue != "<nil>" {
+		val = iValue
+	}
+	values.Add(tag, val)
+}
+
+func addListOfParams(values url.Values, tag string, omitempty bool, list reflect.Value) {
+	for i := 0; i < list.Len(); i++ {
+		addParam(values, tag, omitempty, list.Index(i))
+	}
+}
+
+// Convert takes an object and converts it to a url.Values object using JSON tags as
+// parameter names. Only top-level simple values, arrays, and slices are serialized.
+// Embedded structs, maps, etc. will not be serialized.
+func Convert(obj interface{}) (url.Values, error) {
+	result := url.Values{}
+	if obj == nil {
+		return result, nil
+	}
+	var sv reflect.Value
+	switch reflect.TypeOf(obj).Kind() {
+	case reflect.Ptr, reflect.Interface:
+		sv = reflect.ValueOf(obj).Elem()
+	default:
+		return nil, fmt.Errorf("expecting a pointer or interface")
+	}
+	st := sv.Type()
+	if !isStructKind(st.Kind()) {
+		return nil, fmt.Errorf("expecting a pointer to a struct")
+	}
+
+	// Check all object fields
+	convertStruct(result, st, sv)
+
+	return result, nil
+}
+
+func convertStruct(result url.Values, st reflect.Type, sv reflect.Value) {
+	for i := 0; i < st.NumField(); i++ {
+		field := sv.Field(i)
+		tag, omitempty := jsonTag(st.Field(i))
+		if len(tag) == 0 {
+			continue
+		}
+		ft := field.Type()
+
+		kind := ft.Kind()
+		if isPointerKind(kind) {
+			ft = ft.Elem()
+			kind = ft.Kind()
+			if !field.IsNil() {
+				field = reflect.Indirect(field)
+			}
+		}
+
+		switch {
+		case isValueKind(kind):
+			addParam(result, tag, omitempty, field)
+		case kind == reflect.Array || kind == reflect.Slice:
+			if isValueKind(ft.Elem().Kind()) {
+				addListOfParams(result, tag, omitempty, field)
+			}
+		case isStructKind(kind) && !(zeroValue(field) && omitempty):
+			if marshalValue, ok := customMarshalValue(field); ok {
+				addParam(result, tag, omitempty, marshalValue)
+			} else {
+				convertStruct(result, ft, field)
+			}
+		}
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/conversion/queryparams/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/conversion/queryparams/doc.go
new file mode 100644
index 00000000..7b763de6
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/conversion/queryparams/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package queryparams provides conversion from versioned
+// runtime objects to URL query values
+package queryparams // import "k8s.io/apimachinery/pkg/conversion/queryparams"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/conversion/unstructured/converter.go b/cli/vendor/k8s.io/apimachinery/pkg/conversion/unstructured/converter.go
new file mode 100644
index 00000000..84dca4ac
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/conversion/unstructured/converter.go
@@ -0,0 +1,738 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package unstructured
+
+import (
+	"bytes"
+	encodingjson "encoding/json"
+	"fmt"
+	"math"
+	"os"
+	"reflect"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/util/diff"
+	"k8s.io/apimachinery/pkg/util/json"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+
+	"github.com/golang/glog"
+)
+
+// Converter is an interface for converting between interface{}
+// and map[string]interface representation.
+type Converter interface {
+	ToUnstructured(obj interface{}) (map[string]interface{}, error)
+	FromUnstructured(u map[string]interface{}, obj interface{}) error
+}
+
+type structField struct {
+	structType reflect.Type
+	field      int
+}
+
+type fieldInfo struct {
+	name      string
+	nameValue reflect.Value
+	omitempty bool
+}
+
+type fieldsCacheMap map[structField]*fieldInfo
+
+type fieldsCache struct {
+	sync.Mutex
+	value atomic.Value
+}
+
+func newFieldsCache() *fieldsCache {
+	cache := &fieldsCache{}
+	cache.value.Store(make(fieldsCacheMap))
+	return cache
+}
+
+var (
+	marshalerType          = reflect.TypeOf(new(encodingjson.Marshaler)).Elem()
+	unmarshalerType        = reflect.TypeOf(new(encodingjson.Unmarshaler)).Elem()
+	mapStringInterfaceType = reflect.TypeOf(map[string]interface{}{})
+	stringType             = reflect.TypeOf(string(""))
+	int64Type              = reflect.TypeOf(int64(0))
+	uint64Type             = reflect.TypeOf(uint64(0))
+	float64Type            = reflect.TypeOf(float64(0))
+	boolType               = reflect.TypeOf(bool(false))
+	fieldCache             = newFieldsCache()
+	DefaultConverter       = NewConverter(parseBool(os.Getenv("KUBE_PATCH_CONVERSION_DETECTOR")))
+)
+
+func parseBool(key string) bool {
+	if len(key) == 0 {
+		return false
+	}
+	value, err := strconv.ParseBool(key)
+	if err != nil {
+		utilruntime.HandleError(fmt.Errorf("Couldn't parse '%s' as bool for unstructured mismatch detection", key))
+	}
+	return value
+}
+
+// ConverterImpl knows how to convert between interface{} and
+// Unstructured in both ways.
+type converterImpl struct {
+	// If true, we will be additionally running conversion via json
+	// to ensure that the result is true.
+	// This is supposed to be set only in tests.
+	mismatchDetection bool
+}
+
+func NewConverter(mismatchDetection bool) Converter {
+	return &converterImpl{
+		mismatchDetection: mismatchDetection,
+	}
+}
+
+func (c *converterImpl) FromUnstructured(u map[string]interface{}, obj interface{}) error {
+	t := reflect.TypeOf(obj)
+	value := reflect.ValueOf(obj)
+	if t.Kind() != reflect.Ptr || value.IsNil() {
+		return fmt.Errorf("FromUnstructured requires a non-nil pointer to an object, got %v", t)
+	}
+	err := fromUnstructured(reflect.ValueOf(u), value.Elem())
+	if c.mismatchDetection {
+		newObj := reflect.New(t.Elem()).Interface()
+		newErr := fromUnstructuredViaJSON(u, newObj)
+		if (err != nil) != (newErr != nil) {
+			glog.Fatalf("FromUnstructured unexpected error for %v: error: %v", u, err)
+		}
+		if err == nil && !apiequality.Semantic.DeepEqual(obj, newObj) {
+			glog.Fatalf("FromUnstructured mismatch for %#v, diff: %v", obj, diff.ObjectReflectDiff(obj, newObj))
+		}
+	}
+	return err
+}
+
+func fromUnstructuredViaJSON(u map[string]interface{}, obj interface{}) error {
+	data, err := json.Marshal(u)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(data, obj)
+}
+
+func fromUnstructured(sv, dv reflect.Value) error {
+	sv = unwrapInterface(sv)
+	if !sv.IsValid() {
+		dv.Set(reflect.Zero(dv.Type()))
+		return nil
+	}
+	st, dt := sv.Type(), dv.Type()
+
+	switch dt.Kind() {
+	case reflect.Map, reflect.Slice, reflect.Ptr, reflect.Struct, reflect.Interface:
+		// Those require non-trivial conversion.
+	default:
+		// This should handle all simple types.
+		if st.AssignableTo(dt) {
+			dv.Set(sv)
+			return nil
+		}
+		// We cannot simply use "ConvertibleTo", as JSON doesn't support conversions
+		// between those four groups: bools, integers, floats and string. We need to
+		// do the same.
+		if st.ConvertibleTo(dt) {
+			switch st.Kind() {
+			case reflect.String:
+				switch dt.Kind() {
+				case reflect.String:
+					dv.Set(sv.Convert(dt))
+					return nil
+				}
+			case reflect.Bool:
+				switch dt.Kind() {
+				case reflect.Bool:
+					dv.Set(sv.Convert(dt))
+					return nil
+				}
+			case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
+				reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+				switch dt.Kind() {
+				case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
+					reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+					dv.Set(sv.Convert(dt))
+					return nil
+				}
+			case reflect.Float32, reflect.Float64:
+				switch dt.Kind() {
+				case reflect.Float32, reflect.Float64:
+					dv.Set(sv.Convert(dt))
+					return nil
+				}
+				if sv.Float() == math.Trunc(sv.Float()) {
+					dv.Set(sv.Convert(dt))
+					return nil
+				}
+			}
+			return fmt.Errorf("cannot convert %s to %s", st.String(), dt.String())
+		}
+	}
+
+	// Check if the object has a custom JSON marshaller/unmarshaller.
+	if reflect.PtrTo(dt).Implements(unmarshalerType) {
+		data, err := json.Marshal(sv.Interface())
+		if err != nil {
+			return fmt.Errorf("error encoding %s to json: %v", st.String(), err)
+		}
+		unmarshaler := dv.Addr().Interface().(encodingjson.Unmarshaler)
+		return unmarshaler.UnmarshalJSON(data)
+	}
+
+	switch dt.Kind() {
+	case reflect.Map:
+		return mapFromUnstructured(sv, dv)
+	case reflect.Slice:
+		return sliceFromUnstructured(sv, dv)
+	case reflect.Ptr:
+		return pointerFromUnstructured(sv, dv)
+	case reflect.Struct:
+		return structFromUnstructured(sv, dv)
+	case reflect.Interface:
+		return interfaceFromUnstructured(sv, dv)
+	default:
+		return fmt.Errorf("unrecognized type: %v", dt.Kind())
+	}
+}
+
+func fieldInfoFromField(structType reflect.Type, field int) *fieldInfo {
+	fieldCacheMap := fieldCache.value.Load().(fieldsCacheMap)
+	if info, ok := fieldCacheMap[structField{structType, field}]; ok {
+		return info
+	}
+
+	// Cache miss - we need to compute the field name.
+	info := &fieldInfo{}
+	typeField := structType.Field(field)
+	jsonTag := typeField.Tag.Get("json")
+	if len(jsonTag) == 0 {
+		// Make the first character lowercase.
+		if typeField.Name == "" {
+			info.name = typeField.Name
+		} else {
+			info.name = strings.ToLower(typeField.Name[:1]) + typeField.Name[1:]
+		}
+	} else {
+		items := strings.Split(jsonTag, ",")
+		info.name = items[0]
+		for i := range items {
+			if items[i] == "omitempty" {
+				info.omitempty = true
+			}
+		}
+	}
+	info.nameValue = reflect.ValueOf(info.name)
+
+	fieldCache.Lock()
+	defer fieldCache.Unlock()
+	fieldCacheMap = fieldCache.value.Load().(fieldsCacheMap)
+	newFieldCacheMap := make(fieldsCacheMap)
+	for k, v := range fieldCacheMap {
+		newFieldCacheMap[k] = v
+	}
+	newFieldCacheMap[structField{structType, field}] = info
+	fieldCache.value.Store(newFieldCacheMap)
+	return info
+}
+
+func unwrapInterface(v reflect.Value) reflect.Value {
+	for v.Kind() == reflect.Interface {
+		v = v.Elem()
+	}
+	return v
+}
+
+func mapFromUnstructured(sv, dv reflect.Value) error {
+	st, dt := sv.Type(), dv.Type()
+	if st.Kind() != reflect.Map {
+		return fmt.Errorf("cannot restore map from %v", st.Kind())
+	}
+
+	if !st.Key().AssignableTo(dt.Key()) && !st.Key().ConvertibleTo(dt.Key()) {
+		return fmt.Errorf("cannot copy map with non-assignable keys: %v %v", st.Key(), dt.Key())
+	}
+
+	if sv.IsNil() {
+		dv.Set(reflect.Zero(dt))
+		return nil
+	}
+	dv.Set(reflect.MakeMap(dt))
+	for _, key := range sv.MapKeys() {
+		value := reflect.New(dt.Elem()).Elem()
+		if val := unwrapInterface(sv.MapIndex(key)); val.IsValid() {
+			if err := fromUnstructured(val, value); err != nil {
+				return err
+			}
+		} else {
+			value.Set(reflect.Zero(dt.Elem()))
+		}
+		if st.Key().AssignableTo(dt.Key()) {
+			dv.SetMapIndex(key, value)
+		} else {
+			dv.SetMapIndex(key.Convert(dt.Key()), value)
+		}
+	}
+	return nil
+}
+
+func sliceFromUnstructured(sv, dv reflect.Value) error {
+	st, dt := sv.Type(), dv.Type()
+	if st.Kind() == reflect.String && dt.Elem().Kind() == reflect.Uint8 {
+		// We store original []byte representation as string.
+		// This conversion is allowed, but we need to be careful about
+		// marshaling data appropriately.
+		if len(sv.Interface().(string)) > 0 {
+			marshalled, err := json.Marshal(sv.Interface())
+			if err != nil {
+				return fmt.Errorf("error encoding %s to json: %v", st, err)
+			}
+			// TODO: Is this Unmarshal needed?
+			var data []byte
+			err = json.Unmarshal(marshalled, &data)
+			if err != nil {
+				return fmt.Errorf("error decoding from json: %v", err)
+			}
+			dv.SetBytes(data)
+		} else {
+			dv.Set(reflect.Zero(dt))
+		}
+		return nil
+	}
+	if st.Kind() != reflect.Slice {
+		return fmt.Errorf("cannot restore slice from %v", st.Kind())
+	}
+
+	if sv.IsNil() {
+		dv.Set(reflect.Zero(dt))
+		return nil
+	}
+	dv.Set(reflect.MakeSlice(dt, sv.Len(), sv.Cap()))
+	for i := 0; i < sv.Len(); i++ {
+		if err := fromUnstructured(sv.Index(i), dv.Index(i)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func pointerFromUnstructured(sv, dv reflect.Value) error {
+	st, dt := sv.Type(), dv.Type()
+
+	if st.Kind() == reflect.Ptr && sv.IsNil() {
+		dv.Set(reflect.Zero(dt))
+		return nil
+	}
+	dv.Set(reflect.New(dt.Elem()))
+	switch st.Kind() {
+	case reflect.Ptr, reflect.Interface:
+		return fromUnstructured(sv.Elem(), dv.Elem())
+	default:
+		return fromUnstructured(sv, dv.Elem())
+	}
+}
+
+func structFromUnstructured(sv, dv reflect.Value) error {
+	st, dt := sv.Type(), dv.Type()
+	if st.Kind() != reflect.Map {
+		return fmt.Errorf("cannot restore struct from: %v", st.Kind())
+	}
+
+	for i := 0; i < dt.NumField(); i++ {
+		fieldInfo := fieldInfoFromField(dt, i)
+		fv := dv.Field(i)
+
+		if len(fieldInfo.name) == 0 {
+			// This field is inlined.
+			if err := fromUnstructured(sv, fv); err != nil {
+				return err
+			}
+		} else {
+			value := unwrapInterface(sv.MapIndex(fieldInfo.nameValue))
+			if value.IsValid() {
+				if err := fromUnstructured(value, fv); err != nil {
+					return err
+				}
+			} else {
+				fv.Set(reflect.Zero(fv.Type()))
+			}
+		}
+	}
+	return nil
+}
+
+func interfaceFromUnstructured(sv, dv reflect.Value) error {
+	// TODO: Is this conversion safe?
+	dv.Set(sv)
+	return nil
+}
+
+func (c *converterImpl) ToUnstructured(obj interface{}) (map[string]interface{}, error) {
+	t := reflect.TypeOf(obj)
+	value := reflect.ValueOf(obj)
+	if t.Kind() != reflect.Ptr || value.IsNil() {
+		return nil, fmt.Errorf("ToUnstructured requires a non-nil pointer to an object, got %v", t)
+	}
+	u := &map[string]interface{}{}
+	err := toUnstructured(value.Elem(), reflect.ValueOf(u).Elem())
+	if c.mismatchDetection {
+		newUnstr := &map[string]interface{}{}
+		newErr := toUnstructuredViaJSON(obj, newUnstr)
+		if (err != nil) != (newErr != nil) {
+			glog.Fatalf("ToUnstructured unexpected error for %v: error: %v", obj, err)
+		}
+		if err == nil && !apiequality.Semantic.DeepEqual(u, newUnstr) {
+			glog.Fatalf("ToUnstructured mismatch for %#v, diff: %v", u, diff.ObjectReflectDiff(u, newUnstr))
+		}
+	}
+	if err != nil {
+		return nil, err
+	}
+	return *u, nil
+}
+
+func toUnstructuredViaJSON(obj interface{}, u *map[string]interface{}) error {
+	data, err := json.Marshal(obj)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(data, u)
+}
+
+var (
+	nullBytes  = []byte("null")
+	trueBytes  = []byte("true")
+	falseBytes = []byte("false")
+)
+
+func getMarshaler(v reflect.Value) (encodingjson.Marshaler, bool) {
+	// Check value receivers if v is not a pointer and pointer receivers if v is a pointer
+	if v.Type().Implements(marshalerType) {
+		return v.Interface().(encodingjson.Marshaler), true
+	}
+	// Check pointer receivers if v is not a pointer
+	if v.Kind() != reflect.Ptr && v.CanAddr() {
+		v = v.Addr()
+		if v.Type().Implements(marshalerType) {
+			return v.Interface().(encodingjson.Marshaler), true
+		}
+	}
+	return nil, false
+}
+
+func toUnstructured(sv, dv reflect.Value) error {
+	// Check if the object has a custom JSON marshaller/unmarshaller.
+	if marshaler, ok := getMarshaler(sv); ok {
+		if sv.Kind() == reflect.Ptr && sv.IsNil() {
+			// We're done - we don't need to store anything.
+			return nil
+		}
+
+		data, err := marshaler.MarshalJSON()
+		if err != nil {
+			return err
+		}
+		switch {
+		case len(data) == 0:
+			return fmt.Errorf("error decoding from json: empty value")
+
+		case bytes.Equal(data, nullBytes):
+			// We're done - we don't need to store anything.
+
+		case bytes.Equal(data, trueBytes):
+			dv.Set(reflect.ValueOf(true))
+
+		case bytes.Equal(data, falseBytes):
+			dv.Set(reflect.ValueOf(false))
+
+		case data[0] == '"':
+			var result string
+			err := json.Unmarshal(data, &result)
+			if err != nil {
+				return fmt.Errorf("error decoding string from json: %v", err)
+			}
+			dv.Set(reflect.ValueOf(result))
+
+		case data[0] == '{':
+			result := make(map[string]interface{})
+			err := json.Unmarshal(data, &result)
+			if err != nil {
+				return fmt.Errorf("error decoding object from json: %v", err)
+			}
+			dv.Set(reflect.ValueOf(result))
+
+		case data[0] == '[':
+			result := make([]interface{}, 0)
+			err := json.Unmarshal(data, &result)
+			if err != nil {
+				return fmt.Errorf("error decoding array from json: %v", err)
+			}
+			dv.Set(reflect.ValueOf(result))
+
+		default:
+			var (
+				resultInt   int64
+				resultFloat float64
+				err         error
+			)
+			if err = json.Unmarshal(data, &resultInt); err == nil {
+				dv.Set(reflect.ValueOf(resultInt))
+			} else if err = json.Unmarshal(data, &resultFloat); err == nil {
+				dv.Set(reflect.ValueOf(resultFloat))
+			} else {
+				return fmt.Errorf("error decoding number from json: %v", err)
+			}
+		}
+
+		return nil
+	}
+
+	st, dt := sv.Type(), dv.Type()
+	switch st.Kind() {
+	case reflect.String:
+		if dt.Kind() == reflect.Interface && dv.NumMethod() == 0 {
+			dv.Set(reflect.New(stringType))
+		}
+		dv.Set(reflect.ValueOf(sv.String()))
+		return nil
+	case reflect.Bool:
+		if dt.Kind() == reflect.Interface && dv.NumMethod() == 0 {
+			dv.Set(reflect.New(boolType))
+		}
+		dv.Set(reflect.ValueOf(sv.Bool()))
+		return nil
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		if dt.Kind() == reflect.Interface && dv.NumMethod() == 0 {
+			dv.Set(reflect.New(int64Type))
+		}
+		dv.Set(reflect.ValueOf(sv.Int()))
+		return nil
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		if dt.Kind() == reflect.Interface && dv.NumMethod() == 0 {
+			dv.Set(reflect.New(uint64Type))
+		}
+		dv.Set(reflect.ValueOf(sv.Uint()))
+		return nil
+	case reflect.Float32, reflect.Float64:
+		if dt.Kind() == reflect.Interface && dv.NumMethod() == 0 {
+			dv.Set(reflect.New(float64Type))
+		}
+		dv.Set(reflect.ValueOf(sv.Float()))
+		return nil
+	case reflect.Map:
+		return mapToUnstructured(sv, dv)
+	case reflect.Slice:
+		return sliceToUnstructured(sv, dv)
+	case reflect.Ptr:
+		return pointerToUnstructured(sv, dv)
+	case reflect.Struct:
+		return structToUnstructured(sv, dv)
+	case reflect.Interface:
+		return interfaceToUnstructured(sv, dv)
+	default:
+		return fmt.Errorf("unrecognized type: %v", st.Kind())
+	}
+}
+
+func mapToUnstructured(sv, dv reflect.Value) error {
+	st, dt := sv.Type(), dv.Type()
+	if sv.IsNil() {
+		dv.Set(reflect.Zero(dt))
+		return nil
+	}
+	if dt.Kind() == reflect.Interface && dv.NumMethod() == 0 {
+		if st.Key().Kind() == reflect.String {
+			switch st.Elem().Kind() {
+			// TODO It should be possible to reuse the slice for primitive types.
+			// However, it is panicing in the following form.
+			// case reflect.String, reflect.Bool,
+			// 	reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
+			// 	reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+			// 	sv.Set(sv)
+			// 	return nil
+			default:
+				// We need to do a proper conversion.
+			}
+		}
+		dv.Set(reflect.MakeMap(mapStringInterfaceType))
+		dv = dv.Elem()
+		dt = dv.Type()
+	}
+	if dt.Kind() != reflect.Map {
+		return fmt.Errorf("cannot convert struct to: %v", dt.Kind())
+	}
+
+	if !st.Key().AssignableTo(dt.Key()) && !st.Key().ConvertibleTo(dt.Key()) {
+		return fmt.Errorf("cannot copy map with non-assignable keys: %v %v", st.Key(), dt.Key())
+	}
+
+	for _, key := range sv.MapKeys() {
+		value := reflect.New(dt.Elem()).Elem()
+		if err := toUnstructured(sv.MapIndex(key), value); err != nil {
+			return err
+		}
+		if st.Key().AssignableTo(dt.Key()) {
+			dv.SetMapIndex(key, value)
+		} else {
+			dv.SetMapIndex(key.Convert(dt.Key()), value)
+		}
+	}
+	return nil
+}
+
+func sliceToUnstructured(sv, dv reflect.Value) error {
+	st, dt := sv.Type(), dv.Type()
+	if sv.IsNil() {
+		dv.Set(reflect.Zero(dt))
+		return nil
+	}
+	if st.Elem().Kind() == reflect.Uint8 {
+		dv.Set(reflect.New(stringType))
+		data, err := json.Marshal(sv.Bytes())
+		if err != nil {
+			return err
+		}
+		var result string
+		if err = json.Unmarshal(data, &result); err != nil {
+			return err
+		}
+		dv.Set(reflect.ValueOf(result))
+		return nil
+	}
+	if dt.Kind() == reflect.Interface && dv.NumMethod() == 0 {
+		switch st.Elem().Kind() {
+		// TODO It should be possible to reuse the slice for primitive types.
+		// However, it is panicing in the following form.
+		// case reflect.String, reflect.Bool,
+		// 	reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
+		// 	reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		// 	sv.Set(sv)
+		// 	return nil
+		default:
+			// We need to do a proper conversion.
+			dv.Set(reflect.MakeSlice(reflect.SliceOf(dt), sv.Len(), sv.Cap()))
+			dv = dv.Elem()
+			dt = dv.Type()
+		}
+	}
+	if dt.Kind() != reflect.Slice {
+		return fmt.Errorf("cannot convert slice to: %v", dt.Kind())
+	}
+	for i := 0; i < sv.Len(); i++ {
+		if err := toUnstructured(sv.Index(i), dv.Index(i)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func pointerToUnstructured(sv, dv reflect.Value) error {
+	if sv.IsNil() {
+		// We're done - we don't need to store anything.
+		return nil
+	}
+	return toUnstructured(sv.Elem(), dv)
+}
+
+func isZero(v reflect.Value) bool {
+	switch v.Kind() {
+	case reflect.Array, reflect.String:
+		return v.Len() == 0
+	case reflect.Bool:
+		return !v.Bool()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return v.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		return v.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return v.Float() == 0
+	case reflect.Map, reflect.Slice:
+		// TODO: It seems that 0-len maps are ignored in it.
+		return v.IsNil() || v.Len() == 0
+	case reflect.Ptr, reflect.Interface:
+		return v.IsNil()
+	}
+	return false
+}
+
+func structToUnstructured(sv, dv reflect.Value) error {
+	st, dt := sv.Type(), dv.Type()
+	if dt.Kind() == reflect.Interface && dv.NumMethod() == 0 {
+		dv.Set(reflect.MakeMap(mapStringInterfaceType))
+		dv = dv.Elem()
+		dt = dv.Type()
+	}
+	if dt.Kind() != reflect.Map {
+		return fmt.Errorf("cannot convert struct to: %v", dt.Kind())
+	}
+	realMap := dv.Interface().(map[string]interface{})
+
+	for i := 0; i < st.NumField(); i++ {
+		fieldInfo := fieldInfoFromField(st, i)
+		fv := sv.Field(i)
+
+		if fieldInfo.name == "-" {
+			// This field should be skipped.
+			continue
+		}
+		if fieldInfo.omitempty && isZero(fv) {
+			// omitempty fields should be ignored.
+			continue
+		}
+		if len(fieldInfo.name) == 0 {
+			// This field is inlined.
+			if err := toUnstructured(fv, dv); err != nil {
+				return err
+			}
+			continue
+		}
+		switch fv.Type().Kind() {
+		case reflect.String:
+			realMap[fieldInfo.name] = fv.String()
+		case reflect.Bool:
+			realMap[fieldInfo.name] = fv.Bool()
+		case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+			realMap[fieldInfo.name] = fv.Int()
+		case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+			realMap[fieldInfo.name] = fv.Uint()
+		case reflect.Float32, reflect.Float64:
+			realMap[fieldInfo.name] = fv.Float()
+		default:
+			subv := reflect.New(dt.Elem()).Elem()
+			if err := toUnstructured(fv, subv); err != nil {
+				return err
+			}
+			dv.SetMapIndex(fieldInfo.nameValue, subv)
+		}
+	}
+	return nil
+}
+
+func interfaceToUnstructured(sv, dv reflect.Value) error {
+	if !sv.IsValid() || sv.IsNil() {
+		dv.Set(reflect.Zero(dv.Type()))
+		return nil
+	}
+	return toUnstructured(sv.Elem(), dv)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/conversion/unstructured/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/conversion/unstructured/doc.go
new file mode 100644
index 00000000..cd40e74b
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/conversion/unstructured/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package unstructured provides conversion from runtime objects
+// to map[string]interface{} representation.
+package unstructured // import "k8s.io/apimachinery/pkg/conversion/unstructured"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/fields/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/fields/doc.go
new file mode 100644
index 00000000..c39b8039
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/fields/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package fields implements a simple field system, parsing and matching
+// selectors with sets of fields.
+package fields // import "k8s.io/apimachinery/pkg/fields"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/fields/fields.go b/cli/vendor/k8s.io/apimachinery/pkg/fields/fields.go
new file mode 100644
index 00000000..623b27e9
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/fields/fields.go
@@ -0,0 +1,62 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fields
+
+import (
+	"sort"
+	"strings"
+)
+
+// Fields allows you to present fields independently from their storage.
+type Fields interface {
+	// Has returns whether the provided field exists.
+	Has(field string) (exists bool)
+
+	// Get returns the value for the provided field.
+	Get(field string) (value string)
+}
+
+// Set is a map of field:value. It implements Fields.
+type Set map[string]string
+
+// String returns all fields listed as a human readable string.
+// Conveniently, exactly the format that ParseSelector takes.
+func (ls Set) String() string {
+	selector := make([]string, 0, len(ls))
+	for key, value := range ls {
+		selector = append(selector, key+"="+value)
+	}
+	// Sort for determinism.
+	sort.StringSlice(selector).Sort()
+	return strings.Join(selector, ",")
+}
+
+// Has returns whether the provided field exists in the map.
+func (ls Set) Has(field string) bool {
+	_, exists := ls[field]
+	return exists
+}
+
+// Get returns the value in the map for the provided field.
+func (ls Set) Get(field string) string {
+	return ls[field]
+}
+
+// AsSelector converts fields into a selectors.
+func (ls Set) AsSelector() Selector {
+	return SelectorFromSet(ls)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/fields/requirements.go b/cli/vendor/k8s.io/apimachinery/pkg/fields/requirements.go
new file mode 100644
index 00000000..70d94ded
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/fields/requirements.go
@@ -0,0 +1,30 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fields
+
+import "k8s.io/apimachinery/pkg/selection"
+
+// Requirements is AND of all requirements.
+type Requirements []Requirement
+
+// Requirement contains a field, a value, and an operator that relates the field and value.
+// This is currently for reading internal selection information of field selector.
+type Requirement struct {
+	Operator selection.Operator
+	Field    string
+	Value    string
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/fields/selector.go b/cli/vendor/k8s.io/apimachinery/pkg/fields/selector.go
new file mode 100644
index 00000000..273e9a2c
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/fields/selector.go
@@ -0,0 +1,455 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fields
+
+import (
+	"bytes"
+	"fmt"
+	"sort"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/selection"
+)
+
+// Selector represents a field selector.
+type Selector interface {
+	// Matches returns true if this selector matches the given set of fields.
+	Matches(Fields) bool
+
+	// Empty returns true if this selector does not restrict the selection space.
+	Empty() bool
+
+	// RequiresExactMatch allows a caller to introspect whether a given selector
+	// requires a single specific field to be set, and if so returns the value it
+	// requires.
+	RequiresExactMatch(field string) (value string, found bool)
+
+	// Transform returns a new copy of the selector after TransformFunc has been
+	// applied to the entire selector, or an error if fn returns an error.
+	// If for a given requirement both field and value are transformed to empty
+	// string, the requirement is skipped.
+	Transform(fn TransformFunc) (Selector, error)
+
+	// Requirements converts this interface to Requirements to expose
+	// more detailed selection information.
+	Requirements() Requirements
+
+	// String returns a human readable string that represents this selector.
+	String() string
+
+	// Make a deep copy of the selector.
+	DeepCopySelector() Selector
+}
+
+// Everything returns a selector that matches all fields.
+func Everything() Selector {
+	return andTerm{}
+}
+
+type hasTerm struct {
+	field, value string
+}
+
+func (t *hasTerm) Matches(ls Fields) bool {
+	return ls.Get(t.field) == t.value
+}
+
+func (t *hasTerm) Empty() bool {
+	return false
+}
+
+func (t *hasTerm) RequiresExactMatch(field string) (value string, found bool) {
+	if t.field == field {
+		return t.value, true
+	}
+	return "", false
+}
+
+func (t *hasTerm) Transform(fn TransformFunc) (Selector, error) {
+	field, value, err := fn(t.field, t.value)
+	if err != nil {
+		return nil, err
+	}
+	if len(field) == 0 && len(value) == 0 {
+		return Everything(), nil
+	}
+	return &hasTerm{field, value}, nil
+}
+
+func (t *hasTerm) Requirements() Requirements {
+	return []Requirement{{
+		Field:    t.field,
+		Operator: selection.Equals,
+		Value:    t.value,
+	}}
+}
+
+func (t *hasTerm) String() string {
+	return fmt.Sprintf("%v=%v", t.field, EscapeValue(t.value))
+}
+
+func (t *hasTerm) DeepCopySelector() Selector {
+	if t == nil {
+		return nil
+	}
+	out := new(hasTerm)
+	*out = *t
+	return out
+}
+
+type notHasTerm struct {
+	field, value string
+}
+
+func (t *notHasTerm) Matches(ls Fields) bool {
+	return ls.Get(t.field) != t.value
+}
+
+func (t *notHasTerm) Empty() bool {
+	return false
+}
+
+func (t *notHasTerm) RequiresExactMatch(field string) (value string, found bool) {
+	return "", false
+}
+
+func (t *notHasTerm) Transform(fn TransformFunc) (Selector, error) {
+	field, value, err := fn(t.field, t.value)
+	if err != nil {
+		return nil, err
+	}
+	if len(field) == 0 && len(value) == 0 {
+		return Everything(), nil
+	}
+	return &notHasTerm{field, value}, nil
+}
+
+func (t *notHasTerm) Requirements() Requirements {
+	return []Requirement{{
+		Field:    t.field,
+		Operator: selection.NotEquals,
+		Value:    t.value,
+	}}
+}
+
+func (t *notHasTerm) String() string {
+	return fmt.Sprintf("%v!=%v", t.field, EscapeValue(t.value))
+}
+
+func (t *notHasTerm) DeepCopySelector() Selector {
+	if t == nil {
+		return nil
+	}
+	out := new(notHasTerm)
+	*out = *t
+	return out
+}
+
+type andTerm []Selector
+
+func (t andTerm) Matches(ls Fields) bool {
+	for _, q := range t {
+		if !q.Matches(ls) {
+			return false
+		}
+	}
+	return true
+}
+
+func (t andTerm) Empty() bool {
+	if t == nil {
+		return true
+	}
+	if len([]Selector(t)) == 0 {
+		return true
+	}
+	for i := range t {
+		if !t[i].Empty() {
+			return false
+		}
+	}
+	return true
+}
+
+func (t andTerm) RequiresExactMatch(field string) (string, bool) {
+	if t == nil || len([]Selector(t)) == 0 {
+		return "", false
+	}
+	for i := range t {
+		if value, found := t[i].RequiresExactMatch(field); found {
+			return value, found
+		}
+	}
+	return "", false
+}
+
+func (t andTerm) Transform(fn TransformFunc) (Selector, error) {
+	next := make([]Selector, 0, len([]Selector(t)))
+	for _, s := range []Selector(t) {
+		n, err := s.Transform(fn)
+		if err != nil {
+			return nil, err
+		}
+		if !n.Empty() {
+			next = append(next, n)
+		}
+	}
+	return andTerm(next), nil
+}
+
+func (t andTerm) Requirements() Requirements {
+	reqs := make([]Requirement, 0, len(t))
+	for _, s := range []Selector(t) {
+		rs := s.Requirements()
+		reqs = append(reqs, rs...)
+	}
+	return reqs
+}
+
+func (t andTerm) String() string {
+	var terms []string
+	for _, q := range t {
+		terms = append(terms, q.String())
+	}
+	return strings.Join(terms, ",")
+}
+
+func (t andTerm) DeepCopySelector() Selector {
+	if t == nil {
+		return nil
+	}
+	out := make([]Selector, len(t))
+	for i := range t {
+		out[i] = t[i].DeepCopySelector()
+	}
+	return andTerm(out)
+}
+
+// SelectorFromSet returns a Selector which will match exactly the given Set. A
+// nil Set is considered equivalent to Everything().
+func SelectorFromSet(ls Set) Selector {
+	if ls == nil {
+		return Everything()
+	}
+	items := make([]Selector, 0, len(ls))
+	for field, value := range ls {
+		items = append(items, &hasTerm{field: field, value: value})
+	}
+	if len(items) == 1 {
+		return items[0]
+	}
+	return andTerm(items)
+}
+
+// valueEscaper prefixes \,= characters with a backslash
+var valueEscaper = strings.NewReplacer(
+	// escape \ characters
+	`\`, `\\`,
+	// then escape , and = characters to allow unambiguous parsing of the value in a fieldSelector
+	`,`, `\,`,
+	`=`, `\=`,
+)
+
+// EscapeValue escapes an arbitrary literal string for use as a fieldSelector value
+func EscapeValue(s string) string {
+	return valueEscaper.Replace(s)
+}
+
+// InvalidEscapeSequence indicates an error occurred unescaping a field selector
+type InvalidEscapeSequence struct {
+	sequence string
+}
+
+func (i InvalidEscapeSequence) Error() string {
+	return fmt.Sprintf("invalid field selector: invalid escape sequence: %s", i.sequence)
+}
+
+// UnescapedRune indicates an error occurred unescaping a field selector
+type UnescapedRune struct {
+	r rune
+}
+
+func (i UnescapedRune) Error() string {
+	return fmt.Sprintf("invalid field selector: unescaped character in value: %v", i.r)
+}
+
+// UnescapeValue unescapes a fieldSelector value and returns the original literal value.
+// May return the original string if it contains no escaped or special characters.
+func UnescapeValue(s string) (string, error) {
+	// if there's no escaping or special characters, just return to avoid allocation
+	if !strings.ContainsAny(s, `\,=`) {
+		return s, nil
+	}
+
+	v := bytes.NewBuffer(make([]byte, 0, len(s)))
+	inSlash := false
+	for _, c := range s {
+		if inSlash {
+			switch c {
+			case '\\', ',', '=':
+				// omit the \ for recognized escape sequences
+				v.WriteRune(c)
+			default:
+				// error on unrecognized escape sequences
+				return "", InvalidEscapeSequence{sequence: string([]rune{'\\', c})}
+			}
+			inSlash = false
+			continue
+		}
+
+		switch c {
+		case '\\':
+			inSlash = true
+		case ',', '=':
+			// unescaped , and = characters are not allowed in field selector values
+			return "", UnescapedRune{r: c}
+		default:
+			v.WriteRune(c)
+		}
+	}
+
+	// Ending with a single backslash is an invalid sequence
+	if inSlash {
+		return "", InvalidEscapeSequence{sequence: "\\"}
+	}
+
+	return v.String(), nil
+}
+
+// ParseSelectorOrDie takes a string representing a selector and returns an
+// object suitable for matching, or panic when an error occur.
+func ParseSelectorOrDie(s string) Selector {
+	selector, err := ParseSelector(s)
+	if err != nil {
+		panic(err)
+	}
+	return selector
+}
+
+// ParseSelector takes a string representing a selector and returns an
+// object suitable for matching, or an error.
+func ParseSelector(selector string) (Selector, error) {
+	return parseSelector(selector,
+		func(lhs, rhs string) (newLhs, newRhs string, err error) {
+			return lhs, rhs, nil
+		})
+}
+
+// ParseAndTransformSelector parses the selector and runs them through the given TransformFunc.
+func ParseAndTransformSelector(selector string, fn TransformFunc) (Selector, error) {
+	return parseSelector(selector, fn)
+}
+
+// TransformFunc transforms selectors.
+type TransformFunc func(field, value string) (newField, newValue string, err error)
+
+// splitTerms returns the comma-separated terms contained in the given fieldSelector.
+// Backslash-escaped commas are treated as data instead of delimiters, and are included in the returned terms, with the leading backslash preserved.
+func splitTerms(fieldSelector string) []string {
+	if len(fieldSelector) == 0 {
+		return nil
+	}
+
+	terms := make([]string, 0, 1)
+	startIndex := 0
+	inSlash := false
+	for i, c := range fieldSelector {
+		switch {
+		case inSlash:
+			inSlash = false
+		case c == '\\':
+			inSlash = true
+		case c == ',':
+			terms = append(terms, fieldSelector[startIndex:i])
+			startIndex = i + 1
+		}
+	}
+
+	terms = append(terms, fieldSelector[startIndex:])
+
+	return terms
+}
+
+const (
+	notEqualOperator    = "!="
+	doubleEqualOperator = "=="
+	equalOperator       = "="
+)
+
+// termOperators holds the recognized operators supported in fieldSelectors.
+// doubleEqualOperator and equal are equivalent, but doubleEqualOperator is checked first
+// to avoid leaving a leading = character on the rhs value.
+var termOperators = []string{notEqualOperator, doubleEqualOperator, equalOperator}
+
+// splitTerm returns the lhs, operator, and rhs parsed from the given term, along with an indicator of whether the parse was successful.
+// no escaping of special characters is supported in the lhs value, so the first occurance of a recognized operator is used as the split point.
+// the literal rhs is returned, and the caller is responsible for applying any desired unescaping.
+func splitTerm(term string) (lhs, op, rhs string, ok bool) {
+	for i := range term {
+		remaining := term[i:]
+		for _, op := range termOperators {
+			if strings.HasPrefix(remaining, op) {
+				return term[0:i], op, term[i+len(op):], true
+			}
+		}
+	}
+	return "", "", "", false
+}
+
+func parseSelector(selector string, fn TransformFunc) (Selector, error) {
+	parts := splitTerms(selector)
+	sort.StringSlice(parts).Sort()
+	var items []Selector
+	for _, part := range parts {
+		if part == "" {
+			continue
+		}
+		lhs, op, rhs, ok := splitTerm(part)
+		if !ok {
+			return nil, fmt.Errorf("invalid selector: '%s'; can't understand '%s'", selector, part)
+		}
+		unescapedRHS, err := UnescapeValue(rhs)
+		if err != nil {
+			return nil, err
+		}
+		switch op {
+		case notEqualOperator:
+			items = append(items, &notHasTerm{field: lhs, value: unescapedRHS})
+		case doubleEqualOperator:
+			items = append(items, &hasTerm{field: lhs, value: unescapedRHS})
+		case equalOperator:
+			items = append(items, &hasTerm{field: lhs, value: unescapedRHS})
+		default:
+			return nil, fmt.Errorf("invalid selector: '%s'; can't understand '%s'", selector, part)
+		}
+	}
+	if len(items) == 1 {
+		return items[0].Transform(fn)
+	}
+	return andTerm(items).Transform(fn)
+}
+
+// OneTermEqualSelector returns an object that matches objects where one field/field equals one value.
+// Cannot return an error.
+func OneTermEqualSelector(k, v string) Selector {
+	return &hasTerm{field: k, value: v}
+}
+
+// AndSelectors creates a selector that is the logical AND of all the given selectors
+func AndSelectors(selectors ...Selector) Selector {
+	return andTerm(selectors)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/labels/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/labels/doc.go
new file mode 100644
index 00000000..82de0051
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/labels/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package labels implements a simple label system, parsing and matching
+// selectors with sets of labels.
+package labels // import "k8s.io/apimachinery/pkg/labels"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/labels/labels.go b/cli/vendor/k8s.io/apimachinery/pkg/labels/labels.go
new file mode 100644
index 00000000..32db4d96
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/labels/labels.go
@@ -0,0 +1,181 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package labels
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+)
+
+// Labels allows you to present labels independently from their storage.
+type Labels interface {
+	// Has returns whether the provided label exists.
+	Has(label string) (exists bool)
+
+	// Get returns the value for the provided label.
+	Get(label string) (value string)
+}
+
+// Set is a map of label:value. It implements Labels.
+type Set map[string]string
+
+// String returns all labels listed as a human readable string.
+// Conveniently, exactly the format that ParseSelector takes.
+func (ls Set) String() string {
+	selector := make([]string, 0, len(ls))
+	for key, value := range ls {
+		selector = append(selector, key+"="+value)
+	}
+	// Sort for determinism.
+	sort.StringSlice(selector).Sort()
+	return strings.Join(selector, ",")
+}
+
+// Has returns whether the provided label exists in the map.
+func (ls Set) Has(label string) bool {
+	_, exists := ls[label]
+	return exists
+}
+
+// Get returns the value in the map for the provided label.
+func (ls Set) Get(label string) string {
+	return ls[label]
+}
+
+// AsSelector converts labels into a selectors.
+func (ls Set) AsSelector() Selector {
+	return SelectorFromSet(ls)
+}
+
+// AsSelectorPreValidated converts labels into a selector, but
+// assumes that labels are already validated and thus don't
+// preform any validation.
+// According to our measurements this is significantly faster
+// in codepaths that matter at high scale.
+func (ls Set) AsSelectorPreValidated() Selector {
+	return SelectorFromValidatedSet(ls)
+}
+
+// FormatLabels convert label map into plain string
+func FormatLabels(labelMap map[string]string) string {
+	l := Set(labelMap).String()
+	if l == "" {
+		l = "<none>"
+	}
+	return l
+}
+
+// Conflicts takes 2 maps and returns true if there a key match between
+// the maps but the value doesn't match, and returns false in other cases
+func Conflicts(labels1, labels2 Set) bool {
+	small := labels1
+	big := labels2
+	if len(labels2) < len(labels1) {
+		small = labels2
+		big = labels1
+	}
+
+	for k, v := range small {
+		if val, match := big[k]; match {
+			if val != v {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+// Merge combines given maps, and does not check for any conflicts
+// between the maps. In case of conflicts, second map (labels2) wins
+func Merge(labels1, labels2 Set) Set {
+	mergedMap := Set{}
+
+	for k, v := range labels1 {
+		mergedMap[k] = v
+	}
+	for k, v := range labels2 {
+		mergedMap[k] = v
+	}
+	return mergedMap
+}
+
+// Equals returns true if the given maps are equal
+func Equals(labels1, labels2 Set) bool {
+	if len(labels1) != len(labels2) {
+		return false
+	}
+
+	for k, v := range labels1 {
+		value, ok := labels2[k]
+		if !ok {
+			return false
+		}
+		if value != v {
+			return false
+		}
+	}
+	return true
+}
+
+// AreLabelsInWhiteList verifies if the provided label list
+// is in the provided whitelist and returns true, otherwise false.
+func AreLabelsInWhiteList(labels, whitelist Set) bool {
+	if len(whitelist) == 0 {
+		return true
+	}
+
+	for k, v := range labels {
+		value, ok := whitelist[k]
+		if !ok {
+			return false
+		}
+		if value != v {
+			return false
+		}
+	}
+	return true
+}
+
+// ConvertSelectorToLabelsMap converts selector string to labels map
+// and validates keys and values
+func ConvertSelectorToLabelsMap(selector string) (Set, error) {
+	labelsMap := Set{}
+
+	if len(selector) == 0 {
+		return labelsMap, nil
+	}
+
+	labels := strings.Split(selector, ",")
+	for _, label := range labels {
+		l := strings.Split(label, "=")
+		if len(l) != 2 {
+			return labelsMap, fmt.Errorf("invalid selector: %s", l)
+		}
+		key := strings.TrimSpace(l[0])
+		if err := validateLabelKey(key); err != nil {
+			return labelsMap, err
+		}
+		value := strings.TrimSpace(l[1])
+		if err := validateLabelValue(value); err != nil {
+			return labelsMap, err
+		}
+		labelsMap[key] = value
+	}
+	return labelsMap, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/labels/selector.go b/cli/vendor/k8s.io/apimachinery/pkg/labels/selector.go
new file mode 100644
index 00000000..ac123033
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/labels/selector.go
@@ -0,0 +1,879 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package labels
+
+import (
+	"bytes"
+	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/golang/glog"
+	"k8s.io/apimachinery/pkg/selection"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation"
+)
+
+// Requirements is AND of all requirements.
+type Requirements []Requirement
+
+// Selector represents a label selector.
+type Selector interface {
+	// Matches returns true if this selector matches the given set of labels.
+	Matches(Labels) bool
+
+	// Empty returns true if this selector does not restrict the selection space.
+	Empty() bool
+
+	// String returns a human readable string that represents this selector.
+	String() string
+
+	// Add adds requirements to the Selector
+	Add(r ...Requirement) Selector
+
+	// Requirements converts this interface into Requirements to expose
+	// more detailed selection information.
+	// If there are querying parameters, it will return converted requirements and selectable=true.
+	// If this selector doesn't want to select anything, it will return selectable=false.
+	Requirements() (requirements Requirements, selectable bool)
+
+	// Make a deep copy of the selector.
+	DeepCopySelector() Selector
+}
+
+// Everything returns a selector that matches all labels.
+func Everything() Selector {
+	return internalSelector{}
+}
+
+type nothingSelector struct{}
+
+func (n nothingSelector) Matches(_ Labels) bool              { return false }
+func (n nothingSelector) Empty() bool                        { return false }
+func (n nothingSelector) String() string                     { return "" }
+func (n nothingSelector) Add(_ ...Requirement) Selector      { return n }
+func (n nothingSelector) Requirements() (Requirements, bool) { return nil, false }
+func (n nothingSelector) DeepCopySelector() Selector         { return n }
+
+// Nothing returns a selector that matches no labels
+func Nothing() Selector {
+	return nothingSelector{}
+}
+
+// NewSelector returns a nil selector
+func NewSelector() Selector {
+	return internalSelector(nil)
+}
+
+type internalSelector []Requirement
+
+func (s internalSelector) DeepCopy() internalSelector {
+	if s == nil {
+		return nil
+	}
+	result := make([]Requirement, len(s))
+	for i := range s {
+		s[i].DeepCopyInto(&result[i])
+	}
+	return result
+}
+
+func (s internalSelector) DeepCopySelector() Selector {
+	return s.DeepCopy()
+}
+
+// ByKey sorts requirements by key to obtain deterministic parser
+type ByKey []Requirement
+
+func (a ByKey) Len() int { return len(a) }
+
+func (a ByKey) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+
+func (a ByKey) Less(i, j int) bool { return a[i].key < a[j].key }
+
+// Requirement contains values, a key, and an operator that relates the key and values.
+// The zero value of Requirement is invalid.
+// Requirement implements both set based match and exact match
+// Requirement should be initialized via NewRequirement constructor for creating a valid Requirement.
+// +k8s:deepcopy-gen=true
+type Requirement struct {
+	key      string
+	operator selection.Operator
+	// In huge majority of cases we have at most one value here.
+	// It is generally faster to operate on a single-element slice
+	// than on a single-element map, so we have a slice here.
+	strValues []string
+}
+
+// NewRequirement is the constructor for a Requirement.
+// If any of these rules is violated, an error is returned:
+// (1) The operator can only be In, NotIn, Equals, DoubleEquals, NotEquals, Exists, or DoesNotExist.
+// (2) If the operator is In or NotIn, the values set must be non-empty.
+// (3) If the operator is Equals, DoubleEquals, or NotEquals, the values set must contain one value.
+// (4) If the operator is Exists or DoesNotExist, the value set must be empty.
+// (5) If the operator is Gt or Lt, the values set must contain only one value, which will be interpreted as an integer.
+// (6) The key is invalid due to its length, or sequence
+//     of characters. See validateLabelKey for more details.
+//
+// The empty string is a valid value in the input values set.
+func NewRequirement(key string, op selection.Operator, vals []string) (*Requirement, error) {
+	if err := validateLabelKey(key); err != nil {
+		return nil, err
+	}
+	switch op {
+	case selection.In, selection.NotIn:
+		if len(vals) == 0 {
+			return nil, fmt.Errorf("for 'in', 'notin' operators, values set can't be empty")
+		}
+	case selection.Equals, selection.DoubleEquals, selection.NotEquals:
+		if len(vals) != 1 {
+			return nil, fmt.Errorf("exact-match compatibility requires one single value")
+		}
+	case selection.Exists, selection.DoesNotExist:
+		if len(vals) != 0 {
+			return nil, fmt.Errorf("values set must be empty for exists and does not exist")
+		}
+	case selection.GreaterThan, selection.LessThan:
+		if len(vals) != 1 {
+			return nil, fmt.Errorf("for 'Gt', 'Lt' operators, exactly one value is required")
+		}
+		for i := range vals {
+			if _, err := strconv.ParseInt(vals[i], 10, 64); err != nil {
+				return nil, fmt.Errorf("for 'Gt', 'Lt' operators, the value must be an integer")
+			}
+		}
+	default:
+		return nil, fmt.Errorf("operator '%v' is not recognized", op)
+	}
+
+	for i := range vals {
+		if err := validateLabelValue(vals[i]); err != nil {
+			return nil, err
+		}
+	}
+	sort.Strings(vals)
+	return &Requirement{key: key, operator: op, strValues: vals}, nil
+}
+
+func (r *Requirement) hasValue(value string) bool {
+	for i := range r.strValues {
+		if r.strValues[i] == value {
+			return true
+		}
+	}
+	return false
+}
+
+// Matches returns true if the Requirement matches the input Labels.
+// There is a match in the following cases:
+// (1) The operator is Exists and Labels has the Requirement's key.
+// (2) The operator is In, Labels has the Requirement's key and Labels'
+//     value for that key is in Requirement's value set.
+// (3) The operator is NotIn, Labels has the Requirement's key and
+//     Labels' value for that key is not in Requirement's value set.
+// (4) The operator is DoesNotExist or NotIn and Labels does not have the
+//     Requirement's key.
+// (5) The operator is GreaterThanOperator or LessThanOperator, and Labels has
+//     the Requirement's key and the corresponding value satisfies mathematical inequality.
+func (r *Requirement) Matches(ls Labels) bool {
+	switch r.operator {
+	case selection.In, selection.Equals, selection.DoubleEquals:
+		if !ls.Has(r.key) {
+			return false
+		}
+		return r.hasValue(ls.Get(r.key))
+	case selection.NotIn, selection.NotEquals:
+		if !ls.Has(r.key) {
+			return true
+		}
+		return !r.hasValue(ls.Get(r.key))
+	case selection.Exists:
+		return ls.Has(r.key)
+	case selection.DoesNotExist:
+		return !ls.Has(r.key)
+	case selection.GreaterThan, selection.LessThan:
+		if !ls.Has(r.key) {
+			return false
+		}
+		lsValue, err := strconv.ParseInt(ls.Get(r.key), 10, 64)
+		if err != nil {
+			glog.V(10).Infof("ParseInt failed for value %+v in label %+v, %+v", ls.Get(r.key), ls, err)
+			return false
+		}
+
+		// There should be only one strValue in r.strValues, and can be converted to a integer.
+		if len(r.strValues) != 1 {
+			glog.V(10).Infof("Invalid values count %+v of requirement %#v, for 'Gt', 'Lt' operators, exactly one value is required", len(r.strValues), r)
+			return false
+		}
+
+		var rValue int64
+		for i := range r.strValues {
+			rValue, err = strconv.ParseInt(r.strValues[i], 10, 64)
+			if err != nil {
+				glog.V(10).Infof("ParseInt failed for value %+v in requirement %#v, for 'Gt', 'Lt' operators, the value must be an integer", r.strValues[i], r)
+				return false
+			}
+		}
+		return (r.operator == selection.GreaterThan && lsValue > rValue) || (r.operator == selection.LessThan && lsValue < rValue)
+	default:
+		return false
+	}
+}
+
+// Key returns requirement key
+func (r *Requirement) Key() string {
+	return r.key
+}
+
+// Operator returns requirement operator
+func (r *Requirement) Operator() selection.Operator {
+	return r.operator
+}
+
+// Values returns requirement values
+func (r *Requirement) Values() sets.String {
+	ret := sets.String{}
+	for i := range r.strValues {
+		ret.Insert(r.strValues[i])
+	}
+	return ret
+}
+
+// Empty returns true if the internalSelector doesn't restrict selection space
+func (lsel internalSelector) Empty() bool {
+	if lsel == nil {
+		return true
+	}
+	return len(lsel) == 0
+}
+
+// String returns a human-readable string that represents this
+// Requirement. If called on an invalid Requirement, an error is
+// returned. See NewRequirement for creating a valid Requirement.
+func (r *Requirement) String() string {
+	var buffer bytes.Buffer
+	if r.operator == selection.DoesNotExist {
+		buffer.WriteString("!")
+	}
+	buffer.WriteString(r.key)
+
+	switch r.operator {
+	case selection.Equals:
+		buffer.WriteString("=")
+	case selection.DoubleEquals:
+		buffer.WriteString("==")
+	case selection.NotEquals:
+		buffer.WriteString("!=")
+	case selection.In:
+		buffer.WriteString(" in ")
+	case selection.NotIn:
+		buffer.WriteString(" notin ")
+	case selection.GreaterThan:
+		buffer.WriteString(">")
+	case selection.LessThan:
+		buffer.WriteString("<")
+	case selection.Exists, selection.DoesNotExist:
+		return buffer.String()
+	}
+
+	switch r.operator {
+	case selection.In, selection.NotIn:
+		buffer.WriteString("(")
+	}
+	if len(r.strValues) == 1 {
+		buffer.WriteString(r.strValues[0])
+	} else { // only > 1 since == 0 prohibited by NewRequirement
+		buffer.WriteString(strings.Join(r.strValues, ","))
+	}
+
+	switch r.operator {
+	case selection.In, selection.NotIn:
+		buffer.WriteString(")")
+	}
+	return buffer.String()
+}
+
+// Add adds requirements to the selector. It copies the current selector returning a new one
+func (lsel internalSelector) Add(reqs ...Requirement) Selector {
+	var sel internalSelector
+	for ix := range lsel {
+		sel = append(sel, lsel[ix])
+	}
+	for _, r := range reqs {
+		sel = append(sel, r)
+	}
+	sort.Sort(ByKey(sel))
+	return sel
+}
+
+// Matches for a internalSelector returns true if all
+// its Requirements match the input Labels. If any
+// Requirement does not match, false is returned.
+func (lsel internalSelector) Matches(l Labels) bool {
+	for ix := range lsel {
+		if matches := lsel[ix].Matches(l); !matches {
+			return false
+		}
+	}
+	return true
+}
+
+func (lsel internalSelector) Requirements() (Requirements, bool) { return Requirements(lsel), true }
+
+// String returns a comma-separated string of all
+// the internalSelector Requirements' human-readable strings.
+func (lsel internalSelector) String() string {
+	var reqs []string
+	for ix := range lsel {
+		reqs = append(reqs, lsel[ix].String())
+	}
+	return strings.Join(reqs, ",")
+}
+
+// Token represents constant definition for lexer token
+type Token int
+
+const (
+	// ErrorToken represents scan error
+	ErrorToken Token = iota
+	// EndOfStringToken represents end of string
+	EndOfStringToken
+	// ClosedParToken represents close parenthesis
+	ClosedParToken
+	// CommaToken represents the comma
+	CommaToken
+	// DoesNotExistToken represents logic not
+	DoesNotExistToken
+	// DoubleEqualsToken represents double equals
+	DoubleEqualsToken
+	// EqualsToken represents equal
+	EqualsToken
+	// GreaterThanToken represents greater than
+	GreaterThanToken
+	// IdentifierToken represents identifier, e.g. keys and values
+	IdentifierToken
+	// InToken represents in
+	InToken
+	// LessThanToken represents less than
+	LessThanToken
+	// NotEqualsToken represents not equal
+	NotEqualsToken
+	// NotInToken represents not in
+	NotInToken
+	// OpenParToken represents open parenthesis
+	OpenParToken
+)
+
+// string2token contains the mapping between lexer Token and token literal
+// (except IdentifierToken, EndOfStringToken and ErrorToken since it makes no sense)
+var string2token = map[string]Token{
+	")":     ClosedParToken,
+	",":     CommaToken,
+	"!":     DoesNotExistToken,
+	"==":    DoubleEqualsToken,
+	"=":     EqualsToken,
+	">":     GreaterThanToken,
+	"in":    InToken,
+	"<":     LessThanToken,
+	"!=":    NotEqualsToken,
+	"notin": NotInToken,
+	"(":     OpenParToken,
+}
+
+// ScannedItem contains the Token and the literal produced by the lexer.
+type ScannedItem struct {
+	tok     Token
+	literal string
+}
+
+// isWhitespace returns true if the rune is a space, tab, or newline.
+func isWhitespace(ch byte) bool {
+	return ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n'
+}
+
+// isSpecialSymbol detect if the character ch can be an operator
+func isSpecialSymbol(ch byte) bool {
+	switch ch {
+	case '=', '!', '(', ')', ',', '>', '<':
+		return true
+	}
+	return false
+}
+
+// Lexer represents the Lexer struct for label selector.
+// It contains necessary informationt to tokenize the input string
+type Lexer struct {
+	// s stores the string to be tokenized
+	s string
+	// pos is the position currently tokenized
+	pos int
+}
+
+// read return the character currently lexed
+// increment the position and check the buffer overflow
+func (l *Lexer) read() (b byte) {
+	b = 0
+	if l.pos < len(l.s) {
+		b = l.s[l.pos]
+		l.pos++
+	}
+	return b
+}
+
+// unread 'undoes' the last read character
+func (l *Lexer) unread() {
+	l.pos--
+}
+
+// scanIDOrKeyword scans string to recognize literal token (for example 'in') or an identifier.
+func (l *Lexer) scanIDOrKeyword() (tok Token, lit string) {
+	var buffer []byte
+IdentifierLoop:
+	for {
+		switch ch := l.read(); {
+		case ch == 0:
+			break IdentifierLoop
+		case isSpecialSymbol(ch) || isWhitespace(ch):
+			l.unread()
+			break IdentifierLoop
+		default:
+			buffer = append(buffer, ch)
+		}
+	}
+	s := string(buffer)
+	if val, ok := string2token[s]; ok { // is a literal token?
+		return val, s
+	}
+	return IdentifierToken, s // otherwise is an identifier
+}
+
+// scanSpecialSymbol scans string starting with special symbol.
+// special symbol identify non literal operators. "!=", "==", "="
+func (l *Lexer) scanSpecialSymbol() (Token, string) {
+	lastScannedItem := ScannedItem{}
+	var buffer []byte
+SpecialSymbolLoop:
+	for {
+		switch ch := l.read(); {
+		case ch == 0:
+			break SpecialSymbolLoop
+		case isSpecialSymbol(ch):
+			buffer = append(buffer, ch)
+			if token, ok := string2token[string(buffer)]; ok {
+				lastScannedItem = ScannedItem{tok: token, literal: string(buffer)}
+			} else if lastScannedItem.tok != 0 {
+				l.unread()
+				break SpecialSymbolLoop
+			}
+		default:
+			l.unread()
+			break SpecialSymbolLoop
+		}
+	}
+	if lastScannedItem.tok == 0 {
+		return ErrorToken, fmt.Sprintf("error expected: keyword found '%s'", buffer)
+	}
+	return lastScannedItem.tok, lastScannedItem.literal
+}
+
+// skipWhiteSpaces consumes all blank characters
+// returning the first non blank character
+func (l *Lexer) skipWhiteSpaces(ch byte) byte {
+	for {
+		if !isWhitespace(ch) {
+			return ch
+		}
+		ch = l.read()
+	}
+}
+
+// Lex returns a pair of Token and the literal
+// literal is meaningfull only for IdentifierToken token
+func (l *Lexer) Lex() (tok Token, lit string) {
+	switch ch := l.skipWhiteSpaces(l.read()); {
+	case ch == 0:
+		return EndOfStringToken, ""
+	case isSpecialSymbol(ch):
+		l.unread()
+		return l.scanSpecialSymbol()
+	default:
+		l.unread()
+		return l.scanIDOrKeyword()
+	}
+}
+
+// Parser data structure contains the label selector parser data structure
+type Parser struct {
+	l            *Lexer
+	scannedItems []ScannedItem
+	position     int
+}
+
+// ParserContext represents context during parsing:
+// some literal for example 'in' and 'notin' can be
+// recognized as operator for example 'x in (a)' but
+// it can be recognized as value for example 'value in (in)'
+type ParserContext int
+
+const (
+	// KeyAndOperator represents key and operator
+	KeyAndOperator ParserContext = iota
+	// Values represents values
+	Values
+)
+
+// lookahead func returns the current token and string. No increment of current position
+func (p *Parser) lookahead(context ParserContext) (Token, string) {
+	tok, lit := p.scannedItems[p.position].tok, p.scannedItems[p.position].literal
+	if context == Values {
+		switch tok {
+		case InToken, NotInToken:
+			tok = IdentifierToken
+		}
+	}
+	return tok, lit
+}
+
+// consume returns current token and string. Increments the the position
+func (p *Parser) consume(context ParserContext) (Token, string) {
+	p.position++
+	tok, lit := p.scannedItems[p.position-1].tok, p.scannedItems[p.position-1].literal
+	if context == Values {
+		switch tok {
+		case InToken, NotInToken:
+			tok = IdentifierToken
+		}
+	}
+	return tok, lit
+}
+
+// scan runs through the input string and stores the ScannedItem in an array
+// Parser can now lookahead and consume the tokens
+func (p *Parser) scan() {
+	for {
+		token, literal := p.l.Lex()
+		p.scannedItems = append(p.scannedItems, ScannedItem{token, literal})
+		if token == EndOfStringToken {
+			break
+		}
+	}
+}
+
+// parse runs the left recursive descending algorithm
+// on input string. It returns a list of Requirement objects.
+func (p *Parser) parse() (internalSelector, error) {
+	p.scan() // init scannedItems
+
+	var requirements internalSelector
+	for {
+		tok, lit := p.lookahead(Values)
+		switch tok {
+		case IdentifierToken, DoesNotExistToken:
+			r, err := p.parseRequirement()
+			if err != nil {
+				return nil, fmt.Errorf("unable to parse requirement: %v", err)
+			}
+			requirements = append(requirements, *r)
+			t, l := p.consume(Values)
+			switch t {
+			case EndOfStringToken:
+				return requirements, nil
+			case CommaToken:
+				t2, l2 := p.lookahead(Values)
+				if t2 != IdentifierToken && t2 != DoesNotExistToken {
+					return nil, fmt.Errorf("found '%s', expected: identifier after ','", l2)
+				}
+			default:
+				return nil, fmt.Errorf("found '%s', expected: ',' or 'end of string'", l)
+			}
+		case EndOfStringToken:
+			return requirements, nil
+		default:
+			return nil, fmt.Errorf("found '%s', expected: !, identifier, or 'end of string'", lit)
+		}
+	}
+}
+
+func (p *Parser) parseRequirement() (*Requirement, error) {
+	key, operator, err := p.parseKeyAndInferOperator()
+	if err != nil {
+		return nil, err
+	}
+	if operator == selection.Exists || operator == selection.DoesNotExist { // operator found lookahead set checked
+		return NewRequirement(key, operator, []string{})
+	}
+	operator, err = p.parseOperator()
+	if err != nil {
+		return nil, err
+	}
+	var values sets.String
+	switch operator {
+	case selection.In, selection.NotIn:
+		values, err = p.parseValues()
+	case selection.Equals, selection.DoubleEquals, selection.NotEquals, selection.GreaterThan, selection.LessThan:
+		values, err = p.parseExactValue()
+	}
+	if err != nil {
+		return nil, err
+	}
+	return NewRequirement(key, operator, values.List())
+
+}
+
+// parseKeyAndInferOperator parse literals.
+// in case of no operator '!, in, notin, ==, =, !=' are found
+// the 'exists' operator is inferred
+func (p *Parser) parseKeyAndInferOperator() (string, selection.Operator, error) {
+	var operator selection.Operator
+	tok, literal := p.consume(Values)
+	if tok == DoesNotExistToken {
+		operator = selection.DoesNotExist
+		tok, literal = p.consume(Values)
+	}
+	if tok != IdentifierToken {
+		err := fmt.Errorf("found '%s', expected: identifier", literal)
+		return "", "", err
+	}
+	if err := validateLabelKey(literal); err != nil {
+		return "", "", err
+	}
+	if t, _ := p.lookahead(Values); t == EndOfStringToken || t == CommaToken {
+		if operator != selection.DoesNotExist {
+			operator = selection.Exists
+		}
+	}
+	return literal, operator, nil
+}
+
+// parseOperator return operator and eventually matchType
+// matchType can be exact
+func (p *Parser) parseOperator() (op selection.Operator, err error) {
+	tok, lit := p.consume(KeyAndOperator)
+	switch tok {
+	// DoesNotExistToken shouldn't be here because it's a unary operator, not a binary operator
+	case InToken:
+		op = selection.In
+	case EqualsToken:
+		op = selection.Equals
+	case DoubleEqualsToken:
+		op = selection.DoubleEquals
+	case GreaterThanToken:
+		op = selection.GreaterThan
+	case LessThanToken:
+		op = selection.LessThan
+	case NotInToken:
+		op = selection.NotIn
+	case NotEqualsToken:
+		op = selection.NotEquals
+	default:
+		return "", fmt.Errorf("found '%s', expected: '=', '!=', '==', 'in', notin'", lit)
+	}
+	return op, nil
+}
+
+// parseValues parses the values for set based matching (x,y,z)
+func (p *Parser) parseValues() (sets.String, error) {
+	tok, lit := p.consume(Values)
+	if tok != OpenParToken {
+		return nil, fmt.Errorf("found '%s' expected: '('", lit)
+	}
+	tok, lit = p.lookahead(Values)
+	switch tok {
+	case IdentifierToken, CommaToken:
+		s, err := p.parseIdentifiersList() // handles general cases
+		if err != nil {
+			return s, err
+		}
+		if tok, _ = p.consume(Values); tok != ClosedParToken {
+			return nil, fmt.Errorf("found '%s', expected: ')'", lit)
+		}
+		return s, nil
+	case ClosedParToken: // handles "()"
+		p.consume(Values)
+		return sets.NewString(""), nil
+	default:
+		return nil, fmt.Errorf("found '%s', expected: ',', ')' or identifier", lit)
+	}
+}
+
+// parseIdentifiersList parses a (possibly empty) list of
+// of comma separated (possibly empty) identifiers
+func (p *Parser) parseIdentifiersList() (sets.String, error) {
+	s := sets.NewString()
+	for {
+		tok, lit := p.consume(Values)
+		switch tok {
+		case IdentifierToken:
+			s.Insert(lit)
+			tok2, lit2 := p.lookahead(Values)
+			switch tok2 {
+			case CommaToken:
+				continue
+			case ClosedParToken:
+				return s, nil
+			default:
+				return nil, fmt.Errorf("found '%s', expected: ',' or ')'", lit2)
+			}
+		case CommaToken: // handled here since we can have "(,"
+			if s.Len() == 0 {
+				s.Insert("") // to handle (,
+			}
+			tok2, _ := p.lookahead(Values)
+			if tok2 == ClosedParToken {
+				s.Insert("") // to handle ,)  Double "" removed by StringSet
+				return s, nil
+			}
+			if tok2 == CommaToken {
+				p.consume(Values)
+				s.Insert("") // to handle ,, Double "" removed by StringSet
+			}
+		default: // it can be operator
+			return s, fmt.Errorf("found '%s', expected: ',', or identifier", lit)
+		}
+	}
+}
+
+// parseExactValue parses the only value for exact match style
+func (p *Parser) parseExactValue() (sets.String, error) {
+	s := sets.NewString()
+	tok, lit := p.lookahead(Values)
+	if tok == EndOfStringToken || tok == CommaToken {
+		s.Insert("")
+		return s, nil
+	}
+	tok, lit = p.consume(Values)
+	if tok == IdentifierToken {
+		s.Insert(lit)
+		return s, nil
+	}
+	return nil, fmt.Errorf("found '%s', expected: identifier", lit)
+}
+
+// Parse takes a string representing a selector and returns a selector
+// object, or an error. This parsing function differs from ParseSelector
+// as they parse different selectors with different syntaxes.
+// The input will cause an error if it does not follow this form:
+//
+//  <selector-syntax>         ::= <requirement> | <requirement> "," <selector-syntax>
+//  <requirement>             ::= [!] KEY [ <set-based-restriction> | <exact-match-restriction> ]
+//  <set-based-restriction>   ::= "" | <inclusion-exclusion> <value-set>
+//  <inclusion-exclusion>     ::= <inclusion> | <exclusion>
+//  <exclusion>               ::= "notin"
+//  <inclusion>               ::= "in"
+//  <value-set>               ::= "(" <values> ")"
+//  <values>                  ::= VALUE | VALUE "," <values>
+//  <exact-match-restriction> ::= ["="|"=="|"!="] VALUE
+//
+// KEY is a sequence of one or more characters following [ DNS_SUBDOMAIN "/" ] DNS_LABEL. Max length is 63 characters.
+// VALUE is a sequence of zero or more characters "([A-Za-z0-9_-\.])". Max length is 63 characters.
+// Delimiter is white space: (' ', '\t')
+// Example of valid syntax:
+//  "x in (foo,,baz),y,z notin ()"
+//
+// Note:
+//  (1) Inclusion - " in " - denotes that the KEY exists and is equal to any of the
+//      VALUEs in its requirement
+//  (2) Exclusion - " notin " - denotes that the KEY is not equal to any
+//      of the VALUEs in its requirement or does not exist
+//  (3) The empty string is a valid VALUE
+//  (4) A requirement with just a KEY - as in "y" above - denotes that
+//      the KEY exists and can be any VALUE.
+//  (5) A requirement with just !KEY requires that the KEY not exist.
+//
+func Parse(selector string) (Selector, error) {
+	parsedSelector, err := parse(selector)
+	if err == nil {
+		return parsedSelector, nil
+	}
+	return nil, err
+}
+
+// parse parses the string representation of the selector and returns the internalSelector struct.
+// The callers of this method can then decide how to return the internalSelector struct to their
+// callers. This function has two callers now, one returns a Selector interface and the other
+// returns a list of requirements.
+func parse(selector string) (internalSelector, error) {
+	p := &Parser{l: &Lexer{s: selector, pos: 0}}
+	items, err := p.parse()
+	if err != nil {
+		return nil, err
+	}
+	sort.Sort(ByKey(items)) // sort to grant determistic parsing
+	return internalSelector(items), err
+}
+
+func validateLabelKey(k string) error {
+	if errs := validation.IsQualifiedName(k); len(errs) != 0 {
+		return fmt.Errorf("invalid label key %q: %s", k, strings.Join(errs, "; "))
+	}
+	return nil
+}
+
+func validateLabelValue(v string) error {
+	if errs := validation.IsValidLabelValue(v); len(errs) != 0 {
+		return fmt.Errorf("invalid label value: %q: %s", v, strings.Join(errs, "; "))
+	}
+	return nil
+}
+
+// SelectorFromSet returns a Selector which will match exactly the given Set. A
+// nil and empty Sets are considered equivalent to Everything().
+func SelectorFromSet(ls Set) Selector {
+	if ls == nil || len(ls) == 0 {
+		return internalSelector{}
+	}
+	var requirements internalSelector
+	for label, value := range ls {
+		r, err := NewRequirement(label, selection.Equals, []string{value})
+		if err == nil {
+			requirements = append(requirements, *r)
+		} else {
+			//TODO: double check errors when input comes from serialization?
+			return internalSelector{}
+		}
+	}
+	// sort to have deterministic string representation
+	sort.Sort(ByKey(requirements))
+	return requirements
+}
+
+// SelectorFromValidatedSet returns a Selector which will match exactly the given Set.
+// A nil and empty Sets are considered equivalent to Everything().
+// It assumes that Set is already validated and doesn't do any validation.
+func SelectorFromValidatedSet(ls Set) Selector {
+	if ls == nil || len(ls) == 0 {
+		return internalSelector{}
+	}
+	var requirements internalSelector
+	for label, value := range ls {
+		requirements = append(requirements, Requirement{key: label, operator: selection.Equals, strValues: []string{value}})
+	}
+	// sort to have deterministic string representation
+	sort.Sort(ByKey(requirements))
+	return requirements
+}
+
+// ParseToRequirements takes a string representing a selector and returns a list of
+// requirements. This function is suitable for those callers that perform additional
+// processing on selector requirements.
+// See the documentation for Parse() function for more details.
+// TODO: Consider exporting the internalSelector type instead.
+func ParseToRequirements(selector string) ([]Requirement, error) {
+	return parse(selector)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/labels/zz_generated.deepcopy.go b/cli/vendor/k8s.io/apimachinery/pkg/labels/zz_generated.deepcopy.go
new file mode 100644
index 00000000..df2edb03
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/labels/zz_generated.deepcopy.go
@@ -0,0 +1,59 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package labels
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	reflect "reflect"
+)
+
+// GetGeneratedDeepCopyFuncs returns the generated funcs, since we aren't registering them.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func GetGeneratedDeepCopyFuncs() []conversion.GeneratedDeepCopyFunc {
+	return []conversion.GeneratedDeepCopyFunc{
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Requirement).DeepCopyInto(out.(*Requirement))
+			return nil
+		}, InType: reflect.TypeOf(&Requirement{})},
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Requirement) DeepCopyInto(out *Requirement) {
+	*out = *in
+	if in.strValues != nil {
+		in, out := &in.strValues, &out.strValues
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Requirement.
+func (in *Requirement) DeepCopy() *Requirement {
+	if in == nil {
+		return nil
+	}
+	out := new(Requirement)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/codec.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/codec.go
new file mode 100644
index 00000000..d9748f06
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/codec.go
@@ -0,0 +1,316 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"bytes"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net/url"
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/conversion/queryparams"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// codec binds an encoder and decoder.
+type codec struct {
+	Encoder
+	Decoder
+}
+
+// NewCodec creates a Codec from an Encoder and Decoder.
+func NewCodec(e Encoder, d Decoder) Codec {
+	return codec{e, d}
+}
+
+// Encode is a convenience wrapper for encoding to a []byte from an Encoder
+func Encode(e Encoder, obj Object) ([]byte, error) {
+	// TODO: reuse buffer
+	buf := &bytes.Buffer{}
+	if err := e.Encode(obj, buf); err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}
+
+// Decode is a convenience wrapper for decoding data into an Object.
+func Decode(d Decoder, data []byte) (Object, error) {
+	obj, _, err := d.Decode(data, nil, nil)
+	return obj, err
+}
+
+// DecodeInto performs a Decode into the provided object.
+func DecodeInto(d Decoder, data []byte, into Object) error {
+	out, gvk, err := d.Decode(data, nil, into)
+	if err != nil {
+		return err
+	}
+	if out != into {
+		return fmt.Errorf("unable to decode %s into %v", gvk, reflect.TypeOf(into))
+	}
+	return nil
+}
+
+// EncodeOrDie is a version of Encode which will panic instead of returning an error. For tests.
+func EncodeOrDie(e Encoder, obj Object) string {
+	bytes, err := Encode(e, obj)
+	if err != nil {
+		panic(err)
+	}
+	return string(bytes)
+}
+
+// DefaultingSerializer invokes defaulting after decoding.
+type DefaultingSerializer struct {
+	Defaulter ObjectDefaulter
+	Decoder   Decoder
+	// Encoder is optional to allow this type to be used as both a Decoder and an Encoder
+	Encoder
+}
+
+// Decode performs a decode and then allows the defaulter to act on the provided object.
+func (d DefaultingSerializer) Decode(data []byte, defaultGVK *schema.GroupVersionKind, into Object) (Object, *schema.GroupVersionKind, error) {
+	obj, gvk, err := d.Decoder.Decode(data, defaultGVK, into)
+	if err != nil {
+		return obj, gvk, err
+	}
+	d.Defaulter.Default(obj)
+	return obj, gvk, nil
+}
+
+// UseOrCreateObject returns obj if the canonical ObjectKind returned by the provided typer matches gvk, or
+// invokes the ObjectCreator to instantiate a new gvk. Returns an error if the typer cannot find the object.
+func UseOrCreateObject(t ObjectTyper, c ObjectCreater, gvk schema.GroupVersionKind, obj Object) (Object, error) {
+	if obj != nil {
+		kinds, _, err := t.ObjectKinds(obj)
+		if err != nil {
+			return nil, err
+		}
+		for _, kind := range kinds {
+			if gvk == kind {
+				return obj, nil
+			}
+		}
+	}
+	return c.New(gvk)
+}
+
+// NoopEncoder converts an Decoder to a Serializer or Codec for code that expects them but only uses decoding.
+type NoopEncoder struct {
+	Decoder
+}
+
+var _ Serializer = NoopEncoder{}
+
+func (n NoopEncoder) Encode(obj Object, w io.Writer) error {
+	return fmt.Errorf("encoding is not allowed for this codec: %v", reflect.TypeOf(n.Decoder))
+}
+
+// NoopDecoder converts an Encoder to a Serializer or Codec for code that expects them but only uses encoding.
+type NoopDecoder struct {
+	Encoder
+}
+
+var _ Serializer = NoopDecoder{}
+
+func (n NoopDecoder) Decode(data []byte, gvk *schema.GroupVersionKind, into Object) (Object, *schema.GroupVersionKind, error) {
+	return nil, nil, fmt.Errorf("decoding is not allowed for this codec: %v", reflect.TypeOf(n.Encoder))
+}
+
+// NewParameterCodec creates a ParameterCodec capable of transforming url values into versioned objects and back.
+func NewParameterCodec(scheme *Scheme) ParameterCodec {
+	return &parameterCodec{
+		typer:     scheme,
+		convertor: scheme,
+		creator:   scheme,
+	}
+}
+
+// parameterCodec implements conversion to and from query parameters and objects.
+type parameterCodec struct {
+	typer     ObjectTyper
+	convertor ObjectConvertor
+	creator   ObjectCreater
+}
+
+var _ ParameterCodec = &parameterCodec{}
+
+// DecodeParameters converts the provided url.Values into an object of type From with the kind of into, and then
+// converts that object to into (if necessary). Returns an error if the operation cannot be completed.
+func (c *parameterCodec) DecodeParameters(parameters url.Values, from schema.GroupVersion, into Object) error {
+	if len(parameters) == 0 {
+		return nil
+	}
+	targetGVKs, _, err := c.typer.ObjectKinds(into)
+	if err != nil {
+		return err
+	}
+	for i := range targetGVKs {
+		if targetGVKs[i].GroupVersion() == from {
+			return c.convertor.Convert(&parameters, into, nil)
+		}
+	}
+	input, err := c.creator.New(from.WithKind(targetGVKs[0].Kind))
+	if err != nil {
+		return err
+	}
+	if err := c.convertor.Convert(&parameters, input, nil); err != nil {
+		return err
+	}
+	return c.convertor.Convert(input, into, nil)
+}
+
+// EncodeParameters converts the provided object into the to version, then converts that object to url.Values.
+// Returns an error if conversion is not possible.
+func (c *parameterCodec) EncodeParameters(obj Object, to schema.GroupVersion) (url.Values, error) {
+	gvks, _, err := c.typer.ObjectKinds(obj)
+	if err != nil {
+		return nil, err
+	}
+	gvk := gvks[0]
+	if to != gvk.GroupVersion() {
+		out, err := c.convertor.ConvertToVersion(obj, to)
+		if err != nil {
+			return nil, err
+		}
+		obj = out
+	}
+	return queryparams.Convert(obj)
+}
+
+type base64Serializer struct {
+	Encoder
+	Decoder
+}
+
+func NewBase64Serializer(e Encoder, d Decoder) Serializer {
+	return &base64Serializer{e, d}
+}
+
+func (s base64Serializer) Encode(obj Object, stream io.Writer) error {
+	e := base64.NewEncoder(base64.StdEncoding, stream)
+	err := s.Encoder.Encode(obj, e)
+	e.Close()
+	return err
+}
+
+func (s base64Serializer) Decode(data []byte, defaults *schema.GroupVersionKind, into Object) (Object, *schema.GroupVersionKind, error) {
+	out := make([]byte, base64.StdEncoding.DecodedLen(len(data)))
+	n, err := base64.StdEncoding.Decode(out, data)
+	if err != nil {
+		return nil, nil, err
+	}
+	return s.Decoder.Decode(out[:n], defaults, into)
+}
+
+// SerializerInfoForMediaType returns the first info in types that has a matching media type (which cannot
+// include media-type parameters), or the first info with an empty media type, or false if no type matches.
+func SerializerInfoForMediaType(types []SerializerInfo, mediaType string) (SerializerInfo, bool) {
+	for _, info := range types {
+		if info.MediaType == mediaType {
+			return info, true
+		}
+	}
+	for _, info := range types {
+		if len(info.MediaType) == 0 {
+			return info, true
+		}
+	}
+	return SerializerInfo{}, false
+}
+
+var (
+	// InternalGroupVersioner will always prefer the internal version for a given group version kind.
+	InternalGroupVersioner GroupVersioner = internalGroupVersioner{}
+	// DisabledGroupVersioner will reject all kinds passed to it.
+	DisabledGroupVersioner GroupVersioner = disabledGroupVersioner{}
+)
+
+type internalGroupVersioner struct{}
+
+// KindForGroupVersionKinds returns an internal Kind if one is found, or converts the first provided kind to the internal version.
+func (internalGroupVersioner) KindForGroupVersionKinds(kinds []schema.GroupVersionKind) (schema.GroupVersionKind, bool) {
+	for _, kind := range kinds {
+		if kind.Version == APIVersionInternal {
+			return kind, true
+		}
+	}
+	for _, kind := range kinds {
+		return schema.GroupVersionKind{Group: kind.Group, Version: APIVersionInternal, Kind: kind.Kind}, true
+	}
+	return schema.GroupVersionKind{}, false
+}
+
+type disabledGroupVersioner struct{}
+
+// KindForGroupVersionKinds returns false for any input.
+func (disabledGroupVersioner) KindForGroupVersionKinds(kinds []schema.GroupVersionKind) (schema.GroupVersionKind, bool) {
+	return schema.GroupVersionKind{}, false
+}
+
+// GroupVersioners implements GroupVersioner and resolves to the first exact match for any kind.
+type GroupVersioners []GroupVersioner
+
+// KindForGroupVersionKinds returns the first match of any of the group versioners, or false if no match occured.
+func (gvs GroupVersioners) KindForGroupVersionKinds(kinds []schema.GroupVersionKind) (schema.GroupVersionKind, bool) {
+	for _, gv := range gvs {
+		target, ok := gv.KindForGroupVersionKinds(kinds)
+		if !ok {
+			continue
+		}
+		return target, true
+	}
+	return schema.GroupVersionKind{}, false
+}
+
+// Assert that schema.GroupVersion and GroupVersions implement GroupVersioner
+var _ GroupVersioner = schema.GroupVersion{}
+var _ GroupVersioner = schema.GroupVersions{}
+var _ GroupVersioner = multiGroupVersioner{}
+
+type multiGroupVersioner struct {
+	target             schema.GroupVersion
+	acceptedGroupKinds []schema.GroupKind
+}
+
+// NewMultiGroupVersioner returns the provided group version for any kind that matches one of the provided group kinds.
+// Kind may be empty in the provided group kind, in which case any kind will match.
+func NewMultiGroupVersioner(gv schema.GroupVersion, groupKinds ...schema.GroupKind) GroupVersioner {
+	if len(groupKinds) == 0 || (len(groupKinds) == 1 && groupKinds[0].Group == gv.Group) {
+		return gv
+	}
+	return multiGroupVersioner{target: gv, acceptedGroupKinds: groupKinds}
+}
+
+// KindForGroupVersionKinds returns the target group version if any kind matches any of the original group kinds. It will
+// use the originating kind where possible.
+func (v multiGroupVersioner) KindForGroupVersionKinds(kinds []schema.GroupVersionKind) (schema.GroupVersionKind, bool) {
+	for _, src := range kinds {
+		for _, kind := range v.acceptedGroupKinds {
+			if kind.Group != src.Group {
+				continue
+			}
+			if len(kind.Kind) > 0 && kind.Kind != src.Kind {
+				continue
+			}
+			return v.target.WithKind(src.Kind), true
+		}
+	}
+	return schema.GroupVersionKind{}, false
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/codec_check.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/codec_check.go
new file mode 100644
index 00000000..510444a4
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/codec_check.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"fmt"
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// CheckCodec makes sure that the codec can encode objects like internalType,
+// decode all of the external types listed, and also decode them into the given
+// object. (Will modify internalObject.) (Assumes JSON serialization.)
+// TODO: verify that the correct external version is chosen on encode...
+func CheckCodec(c Codec, internalType Object, externalTypes ...schema.GroupVersionKind) error {
+	if _, err := Encode(c, internalType); err != nil {
+		return fmt.Errorf("Internal type not encodable: %v", err)
+	}
+	for _, et := range externalTypes {
+		exBytes := []byte(fmt.Sprintf(`{"kind":"%v","apiVersion":"%v"}`, et.Kind, et.GroupVersion().String()))
+		obj, err := Decode(c, exBytes)
+		if err != nil {
+			return fmt.Errorf("external type %s not interpretable: %v", et, err)
+		}
+		if reflect.TypeOf(obj) != reflect.TypeOf(internalType) {
+			return fmt.Errorf("decode of external type %s produced: %#v", et, obj)
+		}
+		if err = DecodeInto(c, exBytes, internalType); err != nil {
+			return fmt.Errorf("external type %s not convertible to internal type: %v", et, err)
+		}
+	}
+	return nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/conversion.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/conversion.go
new file mode 100644
index 00000000..afe4fab1
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/conversion.go
@@ -0,0 +1,113 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Defines conversions between generic types and structs to map query strings
+// to struct objects.
+package runtime
+
+import (
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/conversion"
+)
+
+// DefaultFieldSelectorConversion auto-accepts metav1 values for name and namespace.
+// A cluster scoped resource specifying namespace empty works fine and specifying a particular
+// namespace will return no results, as expected.
+func DefaultMetaV1FieldSelectorConversion(label, value string) (string, string, error) {
+	switch label {
+	case "metadata.name":
+		return label, value, nil
+	case "metadata.namespace":
+		return label, value, nil
+	default:
+		return "", "", fmt.Errorf("%q is not a known field selector: only %q, %q", label, "metadata.name", "metadata.namespace")
+	}
+}
+
+// JSONKeyMapper uses the struct tags on a conversion to determine the key value for
+// the other side. Use when mapping from a map[string]* to a struct or vice versa.
+func JSONKeyMapper(key string, sourceTag, destTag reflect.StructTag) (string, string) {
+	if s := destTag.Get("json"); len(s) > 0 {
+		return strings.SplitN(s, ",", 2)[0], key
+	}
+	if s := sourceTag.Get("json"); len(s) > 0 {
+		return key, strings.SplitN(s, ",", 2)[0]
+	}
+	return key, key
+}
+
+// DefaultStringConversions are helpers for converting []string and string to real values.
+var DefaultStringConversions = []interface{}{
+	Convert_Slice_string_To_string,
+	Convert_Slice_string_To_int,
+	Convert_Slice_string_To_bool,
+	Convert_Slice_string_To_int64,
+}
+
+func Convert_Slice_string_To_string(input *[]string, out *string, s conversion.Scope) error {
+	if len(*input) == 0 {
+		*out = ""
+	}
+	*out = (*input)[0]
+	return nil
+}
+
+func Convert_Slice_string_To_int(input *[]string, out *int, s conversion.Scope) error {
+	if len(*input) == 0 {
+		*out = 0
+	}
+	str := (*input)[0]
+	i, err := strconv.Atoi(str)
+	if err != nil {
+		return err
+	}
+	*out = i
+	return nil
+}
+
+// Conver_Slice_string_To_bool will convert a string parameter to boolean.
+// Only the absence of a value, a value of "false", or a value of "0" resolve to false.
+// Any other value (including empty string) resolves to true.
+func Convert_Slice_string_To_bool(input *[]string, out *bool, s conversion.Scope) error {
+	if len(*input) == 0 {
+		*out = false
+		return nil
+	}
+	switch strings.ToLower((*input)[0]) {
+	case "false", "0":
+		*out = false
+	default:
+		*out = true
+	}
+	return nil
+}
+
+func Convert_Slice_string_To_int64(input *[]string, out *int64, s conversion.Scope) error {
+	if len(*input) == 0 {
+		*out = 0
+	}
+	str := (*input)[0]
+	i, err := strconv.ParseInt(str, 10, 64)
+	if err != nil {
+		return err
+	}
+	*out = i
+	return nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/doc.go
new file mode 100644
index 00000000..06b45df6
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/doc.go
@@ -0,0 +1,45 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package runtime includes helper functions for working with API objects
+// that follow the kubernetes API object conventions, which are:
+//
+// 0. Your API objects have a common metadata struct member, TypeMeta.
+// 1. Your code refers to an internal set of API objects.
+// 2. In a separate package, you have an external set of API objects.
+// 3. The external set is considered to be versioned, and no breaking
+//    changes are ever made to it (fields may be added but not changed
+//    or removed).
+// 4. As your api evolves, you'll make an additional versioned package
+//    with every major change.
+// 5. Versioned packages have conversion functions which convert to
+//    and from the internal version.
+// 6. You'll continue to support older versions according to your
+//    deprecation policy, and you can easily provide a program/library
+//    to update old versions into new versions because of 5.
+// 7. All of your serializations and deserializations are handled in a
+//    centralized place.
+//
+// Package runtime provides a conversion helper to make 5 easy, and the
+// Encode/Decode/DecodeInto trio to accomplish 7. You can also register
+// additional "codecs" which use a version of your choice. It's
+// recommended that you register your types with runtime in your
+// package's init function.
+//
+// As a bonus, a few common types useful from all api objects and versions
+// are provided in types.go.
+
+package runtime // import "k8s.io/apimachinery/pkg/runtime"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/embedded.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/embedded.go
new file mode 100644
index 00000000..2cdac9e1
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/embedded.go
@@ -0,0 +1,142 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"errors"
+
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+type encodable struct {
+	E        Encoder `json:"-"`
+	obj      Object
+	versions []schema.GroupVersion
+}
+
+func (e encodable) GetObjectKind() schema.ObjectKind { return e.obj.GetObjectKind() }
+func (e encodable) DeepCopyObject() Object {
+	var out encodable = e
+	out.obj = e.obj.DeepCopyObject()
+	copy(out.versions, e.versions)
+	return out
+}
+
+// NewEncodable creates an object that will be encoded with the provided codec on demand.
+// Provided as a convenience for test cases dealing with internal objects.
+func NewEncodable(e Encoder, obj Object, versions ...schema.GroupVersion) Object {
+	if _, ok := obj.(*Unknown); ok {
+		return obj
+	}
+	return encodable{e, obj, versions}
+}
+
+func (re encodable) UnmarshalJSON(in []byte) error {
+	return errors.New("runtime.encodable cannot be unmarshalled from JSON")
+}
+
+// Marshal may get called on pointers or values, so implement MarshalJSON on value.
+// http://stackoverflow.com/questions/21390979/custom-marshaljson-never-gets-called-in-go
+func (re encodable) MarshalJSON() ([]byte, error) {
+	return Encode(re.E, re.obj)
+}
+
+// NewEncodableList creates an object that will be encoded with the provided codec on demand.
+// Provided as a convenience for test cases dealing with internal objects.
+func NewEncodableList(e Encoder, objects []Object, versions ...schema.GroupVersion) []Object {
+	out := make([]Object, len(objects))
+	for i := range objects {
+		if _, ok := objects[i].(*Unknown); ok {
+			out[i] = objects[i]
+			continue
+		}
+		out[i] = NewEncodable(e, objects[i], versions...)
+	}
+	return out
+}
+
+func (re *Unknown) UnmarshalJSON(in []byte) error {
+	if re == nil {
+		return errors.New("runtime.Unknown: UnmarshalJSON on nil pointer")
+	}
+	re.TypeMeta = TypeMeta{}
+	re.Raw = append(re.Raw[0:0], in...)
+	re.ContentEncoding = ""
+	re.ContentType = ContentTypeJSON
+	return nil
+}
+
+// Marshal may get called on pointers or values, so implement MarshalJSON on value.
+// http://stackoverflow.com/questions/21390979/custom-marshaljson-never-gets-called-in-go
+func (re Unknown) MarshalJSON() ([]byte, error) {
+	// If ContentType is unset, we assume this is JSON.
+	if re.ContentType != "" && re.ContentType != ContentTypeJSON {
+		return nil, errors.New("runtime.Unknown: MarshalJSON on non-json data")
+	}
+	if re.Raw == nil {
+		return []byte("null"), nil
+	}
+	return re.Raw, nil
+}
+
+func Convert_runtime_Object_To_runtime_RawExtension(in *Object, out *RawExtension, s conversion.Scope) error {
+	if in == nil {
+		out.Raw = []byte("null")
+		return nil
+	}
+	obj := *in
+	if unk, ok := obj.(*Unknown); ok {
+		if unk.Raw != nil {
+			out.Raw = unk.Raw
+			return nil
+		}
+		obj = out.Object
+	}
+	if obj == nil {
+		out.Raw = nil
+		return nil
+	}
+	out.Object = obj
+	return nil
+}
+
+func Convert_runtime_RawExtension_To_runtime_Object(in *RawExtension, out *Object, s conversion.Scope) error {
+	if in.Object != nil {
+		*out = in.Object
+		return nil
+	}
+	data := in.Raw
+	if len(data) == 0 || (len(data) == 4 && string(data) == "null") {
+		*out = nil
+		return nil
+	}
+	*out = &Unknown{
+		Raw: data,
+		// TODO: Set ContentEncoding and ContentType appropriately.
+		// Currently we set ContentTypeJSON to make tests passing.
+		ContentType: ContentTypeJSON,
+	}
+	return nil
+}
+
+func DefaultEmbeddedConversions() []interface{} {
+	return []interface{}{
+		Convert_runtime_Object_To_runtime_RawExtension,
+		Convert_runtime_RawExtension_To_runtime_Object,
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/error.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/error.go
new file mode 100644
index 00000000..21a35570
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/error.go
@@ -0,0 +1,113 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"fmt"
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+type notRegisteredErr struct {
+	gvk    schema.GroupVersionKind
+	target GroupVersioner
+	t      reflect.Type
+}
+
+func NewNotRegisteredErrForKind(gvk schema.GroupVersionKind) error {
+	return &notRegisteredErr{gvk: gvk}
+}
+
+func NewNotRegisteredErrForType(t reflect.Type) error {
+	return &notRegisteredErr{t: t}
+}
+
+func NewNotRegisteredErrForTarget(t reflect.Type, target GroupVersioner) error {
+	return &notRegisteredErr{t: t, target: target}
+}
+
+func (k *notRegisteredErr) Error() string {
+	if k.t != nil && k.target != nil {
+		return fmt.Sprintf("%v is not suitable for converting to %q", k.t, k.target)
+	}
+	if k.t != nil {
+		return fmt.Sprintf("no kind is registered for the type %v", k.t)
+	}
+	if len(k.gvk.Kind) == 0 {
+		return fmt.Sprintf("no version %q has been registered", k.gvk.GroupVersion())
+	}
+	if k.gvk.Version == APIVersionInternal {
+		return fmt.Sprintf("no kind %q is registered for the internal version of group %q", k.gvk.Kind, k.gvk.Group)
+	}
+
+	return fmt.Sprintf("no kind %q is registered for version %q", k.gvk.Kind, k.gvk.GroupVersion())
+}
+
+// IsNotRegisteredError returns true if the error indicates the provided
+// object or input data is not registered.
+func IsNotRegisteredError(err error) bool {
+	if err == nil {
+		return false
+	}
+	_, ok := err.(*notRegisteredErr)
+	return ok
+}
+
+type missingKindErr struct {
+	data string
+}
+
+func NewMissingKindErr(data string) error {
+	return &missingKindErr{data}
+}
+
+func (k *missingKindErr) Error() string {
+	return fmt.Sprintf("Object 'Kind' is missing in '%s'", k.data)
+}
+
+// IsMissingKind returns true if the error indicates that the provided object
+// is missing a 'Kind' field.
+func IsMissingKind(err error) bool {
+	if err == nil {
+		return false
+	}
+	_, ok := err.(*missingKindErr)
+	return ok
+}
+
+type missingVersionErr struct {
+	data string
+}
+
+// IsMissingVersion returns true if the error indicates that the provided object
+// is missing a 'Version' field.
+func NewMissingVersionErr(data string) error {
+	return &missingVersionErr{data}
+}
+
+func (k *missingVersionErr) Error() string {
+	return fmt.Sprintf("Object 'apiVersion' is missing in '%s'", k.data)
+}
+
+func IsMissingVersion(err error) bool {
+	if err == nil {
+		return false
+	}
+	_, ok := err.(*missingVersionErr)
+	return ok
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/extension.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/extension.go
new file mode 100644
index 00000000..737e2e9f
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/extension.go
@@ -0,0 +1,51 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+)
+
+func (re *RawExtension) UnmarshalJSON(in []byte) error {
+	if re == nil {
+		return errors.New("runtime.RawExtension: UnmarshalJSON on nil pointer")
+	}
+	if !bytes.Equal(in, []byte("null")) {
+		re.Raw = append(re.Raw[0:0], in...)
+	}
+	return nil
+}
+
+// Marshal may get called on pointers or values, so implement MarshalJSON on value.
+// http://stackoverflow.com/questions/21390979/custom-marshaljson-never-gets-called-in-go
+func (re RawExtension) MarshalJSON() ([]byte, error) {
+	if re.Raw == nil {
+		// TODO: this is to support legacy behavior of JSONPrinter and YAMLPrinter, which
+		// expect to call json.Marshal on arbitrary versioned objects (even those not in
+		// the scheme). pkg/kubectl/resource#AsVersionedObjects and its interaction with
+		// kubectl get on objects not in the scheme needs to be updated to ensure that the
+		// objects that are not part of the scheme are correctly put into the right form.
+		if re.Object != nil {
+			return json.Marshal(re.Object)
+		}
+		return []byte("null"), nil
+	}
+	// TODO: Check whether ContentType is actually JSON before returning it.
+	return re.Raw, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/generated.pb.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/generated.pb.go
new file mode 100644
index 00000000..f561fd47
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/generated.pb.go
@@ -0,0 +1,773 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package runtime is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto
+
+	It has these top-level messages:
+		RawExtension
+		TypeMeta
+		Unknown
+*/
+package runtime
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *RawExtension) Reset()                    { *m = RawExtension{} }
+func (*RawExtension) ProtoMessage()               {}
+func (*RawExtension) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func (m *TypeMeta) Reset()                    { *m = TypeMeta{} }
+func (*TypeMeta) ProtoMessage()               {}
+func (*TypeMeta) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
+
+func (m *Unknown) Reset()                    { *m = Unknown{} }
+func (*Unknown) ProtoMessage()               {}
+func (*Unknown) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
+func init() {
+	proto.RegisterType((*RawExtension)(nil), "k8s.io.apimachinery.pkg.runtime.RawExtension")
+	proto.RegisterType((*TypeMeta)(nil), "k8s.io.apimachinery.pkg.runtime.TypeMeta")
+	proto.RegisterType((*Unknown)(nil), "k8s.io.apimachinery.pkg.runtime.Unknown")
+}
+func (m *RawExtension) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RawExtension) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Raw != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.Raw)))
+		i += copy(dAtA[i:], m.Raw)
+	}
+	return i, nil
+}
+
+func (m *TypeMeta) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TypeMeta) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.APIVersion)))
+	i += copy(dAtA[i:], m.APIVersion)
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Kind)))
+	i += copy(dAtA[i:], m.Kind)
+	return i, nil
+}
+
+func (m *Unknown) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Unknown) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.TypeMeta.Size()))
+	n1, err := m.TypeMeta.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	if m.Raw != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGenerated(dAtA, i, uint64(len(m.Raw)))
+		i += copy(dAtA[i:], m.Raw)
+	}
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ContentEncoding)))
+	i += copy(dAtA[i:], m.ContentEncoding)
+	dAtA[i] = 0x22
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.ContentType)))
+	i += copy(dAtA[i:], m.ContentType)
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *RawExtension) Size() (n int) {
+	var l int
+	_ = l
+	if m.Raw != nil {
+		l = len(m.Raw)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *TypeMeta) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.APIVersion)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Kind)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *Unknown) Size() (n int) {
+	var l int
+	_ = l
+	l = m.TypeMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.Raw != nil {
+		l = len(m.Raw)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = len(m.ContentEncoding)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.ContentType)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *RawExtension) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RawExtension{`,
+		`Raw:` + valueToStringGenerated(this.Raw) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *TypeMeta) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&TypeMeta{`,
+		`APIVersion:` + fmt.Sprintf("%v", this.APIVersion) + `,`,
+		`Kind:` + fmt.Sprintf("%v", this.Kind) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *Unknown) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Unknown{`,
+		`TypeMeta:` + strings.Replace(strings.Replace(this.TypeMeta.String(), "TypeMeta", "TypeMeta", 1), `&`, ``, 1) + `,`,
+		`Raw:` + valueToStringGenerated(this.Raw) + `,`,
+		`ContentEncoding:` + fmt.Sprintf("%v", this.ContentEncoding) + `,`,
+		`ContentType:` + fmt.Sprintf("%v", this.ContentType) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringGenerated(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *RawExtension) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RawExtension: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RawExtension: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Raw", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Raw = append(m.Raw[:0], dAtA[iNdEx:postIndex]...)
+			if m.Raw == nil {
+				m.Raw = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *TypeMeta) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TypeMeta: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TypeMeta: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field APIVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.APIVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Kind = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Unknown) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Unknown: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Unknown: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TypeMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.TypeMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Raw", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Raw = append(m.Raw[:0], dAtA[iNdEx:postIndex]...)
+			if m.Raw == nil {
+				m.Raw = []byte{}
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ContentEncoding", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ContentEncoding = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ContentType", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ContentType = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 395 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x90, 0x4f, 0x6f, 0xd3, 0x30,
+	0x18, 0xc6, 0xe3, 0xb5, 0x52, 0x87, 0x5b, 0x69, 0xc8, 0x1c, 0x08, 0x3b, 0x38, 0x53, 0x4f, 0xec,
+	0x30, 0x5b, 0x1a, 0x42, 0xe2, 0xba, 0x4c, 0x93, 0x40, 0x08, 0x09, 0x59, 0xfc, 0x91, 0x38, 0xe1,
+	0x26, 0x26, 0xb3, 0x42, 0x5f, 0x47, 0x8e, 0x43, 0xd8, 0x8d, 0x8f, 0xc0, 0xc7, 0xea, 0x71, 0xc7,
+	0x9e, 0x2a, 0x1a, 0x3e, 0x04, 0x57, 0x54, 0xd7, 0x2d, 0xa5, 0x08, 0xed, 0x16, 0xbf, 0xcf, 0xf3,
+	0x7b, 0xde, 0xe7, 0x0d, 0x7e, 0x5e, 0x3e, 0xab, 0x99, 0x36, 0xbc, 0x6c, 0x26, 0xca, 0x82, 0x72,
+	0xaa, 0xe6, 0x5f, 0x14, 0xe4, 0xc6, 0xf2, 0x20, 0xc8, 0x4a, 0x4f, 0x65, 0x76, 0xad, 0x41, 0xd9,
+	0x1b, 0x5e, 0x95, 0x05, 0xb7, 0x0d, 0x38, 0x3d, 0x55, 0xbc, 0x50, 0xa0, 0xac, 0x74, 0x2a, 0x67,
+	0x95, 0x35, 0xce, 0x90, 0x64, 0x0d, 0xb0, 0x5d, 0x80, 0x55, 0x65, 0xc1, 0x02, 0x70, 0x7c, 0x56,
+	0x68, 0x77, 0xdd, 0x4c, 0x58, 0x66, 0xa6, 0xbc, 0x30, 0x85, 0xe1, 0x9e, 0x9b, 0x34, 0x9f, 0xfc,
+	0xcb, 0x3f, 0xfc, 0xd7, 0x3a, 0xef, 0xf8, 0xc9, 0xff, 0x0a, 0x34, 0x4e, 0x7f, 0xe6, 0x1a, 0x5c,
+	0xed, 0xec, 0x7e, 0x89, 0xf1, 0x29, 0x1e, 0x09, 0xd9, 0x5e, 0x7d, 0x75, 0x0a, 0x6a, 0x6d, 0x80,
+	0x3c, 0xc2, 0x3d, 0x2b, 0xdb, 0x18, 0x9d, 0xa0, 0xc7, 0xa3, 0x74, 0xd0, 0x2d, 0x92, 0x9e, 0x90,
+	0xad, 0x58, 0xcd, 0xc6, 0x1f, 0xf1, 0xe1, 0x9b, 0x9b, 0x4a, 0xbd, 0x52, 0x4e, 0x92, 0x73, 0x8c,
+	0x65, 0xa5, 0xdf, 0x29, 0xbb, 0x82, 0xbc, 0xfb, 0x5e, 0x4a, 0x66, 0x8b, 0x24, 0xea, 0x16, 0x09,
+	0xbe, 0x78, 0xfd, 0x22, 0x28, 0x62, 0xc7, 0x45, 0x4e, 0x70, 0xbf, 0xd4, 0x90, 0xc7, 0x07, 0xde,
+	0x3d, 0x0a, 0xee, 0xfe, 0x4b, 0x0d, 0xb9, 0xf0, 0xca, 0xf8, 0x17, 0xc2, 0x83, 0xb7, 0x50, 0x82,
+	0x69, 0x81, 0xbc, 0xc7, 0x87, 0x2e, 0x6c, 0xf3, 0xf9, 0xc3, 0xf3, 0x53, 0x76, 0xc7, 0x0f, 0x63,
+	0x9b, 0x7a, 0xe9, 0xfd, 0x10, 0xbe, 0x2d, 0x2c, 0xb6, 0x61, 0x9b, 0x0b, 0x0f, 0xfe, 0xbd, 0x90,
+	0x5c, 0xe0, 0xa3, 0xcc, 0x80, 0x53, 0xe0, 0xae, 0x20, 0x33, 0xb9, 0x86, 0x22, 0xee, 0xf9, 0xb2,
+	0x0f, 0x43, 0xde, 0xd1, 0xe5, 0xdf, 0xb2, 0xd8, 0xf7, 0x93, 0xa7, 0x78, 0x18, 0x46, 0xab, 0xd5,
+	0x71, 0xdf, 0xe3, 0x0f, 0x02, 0x3e, 0xbc, 0xfc, 0x23, 0x89, 0x5d, 0x5f, 0x7a, 0x36, 0x5b, 0xd2,
+	0xe8, 0x76, 0x49, 0xa3, 0xf9, 0x92, 0x46, 0xdf, 0x3a, 0x8a, 0x66, 0x1d, 0x45, 0xb7, 0x1d, 0x45,
+	0xf3, 0x8e, 0xa2, 0x1f, 0x1d, 0x45, 0xdf, 0x7f, 0xd2, 0xe8, 0xc3, 0x20, 0x1c, 0xfa, 0x3b, 0x00,
+	0x00, 0xff, 0xff, 0x3f, 0x1e, 0x24, 0x09, 0x85, 0x02, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto b/cli/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto
new file mode 100644
index 00000000..02e388e9
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/generated.proto
@@ -0,0 +1,129 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.apimachinery.pkg.runtime;
+
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "runtime";
+
+// RawExtension is used to hold extensions in external versions.
+// 
+// To use this, make a field which has RawExtension as its type in your external, versioned
+// struct, and Object in your internal struct. You also need to register your
+// various plugin types.
+// 
+// // Internal package:
+// type MyAPIObject struct {
+// 	runtime.TypeMeta `json:",inline"`
+// 	MyPlugin runtime.Object `json:"myPlugin"`
+// }
+// type PluginA struct {
+// 	AOption string `json:"aOption"`
+// }
+// 
+// // External package:
+// type MyAPIObject struct {
+// 	runtime.TypeMeta `json:",inline"`
+// 	MyPlugin runtime.RawExtension `json:"myPlugin"`
+// }
+// type PluginA struct {
+// 	AOption string `json:"aOption"`
+// }
+// 
+// // On the wire, the JSON will look something like this:
+// {
+// 	"kind":"MyAPIObject",
+// 	"apiVersion":"v1",
+// 	"myPlugin": {
+// 		"kind":"PluginA",
+// 		"aOption":"foo",
+// 	},
+// }
+// 
+// So what happens? Decode first uses json or yaml to unmarshal the serialized data into
+// your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked.
+// The next step is to copy (using pkg/conversion) into the internal struct. The runtime
+// package's DefaultScheme has conversion functions installed which will unpack the
+// JSON stored in RawExtension, turning it into the correct object type, and storing it
+// in the Object. (TODO: In the case where the object is of an unknown type, a
+// runtime.Unknown object will be created and stored.)
+// 
+// +k8s:deepcopy-gen=true
+// +protobuf=true
+// +k8s:openapi-gen=true
+message RawExtension {
+  // Raw is the underlying serialization of this object.
+  // 
+  // TODO: Determine how to detect ContentType and ContentEncoding of 'Raw' data.
+  optional bytes raw = 1;
+}
+
+// TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type,
+// like this:
+// type MyAwesomeAPIObject struct {
+//      runtime.TypeMeta    `json:",inline"`
+//      ... // other fields
+// }
+// func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind
+// 
+// TypeMeta is provided here for convenience. You may use it directly from this package or define
+// your own with the same fields.
+// 
+// +k8s:deepcopy-gen=false
+// +protobuf=true
+// +k8s:openapi-gen=true
+message TypeMeta {
+  // +optional
+  optional string apiVersion = 1;
+
+  // +optional
+  optional string kind = 2;
+}
+
+// Unknown allows api objects with unknown types to be passed-through. This can be used
+// to deal with the API objects from a plug-in. Unknown objects still have functioning
+// TypeMeta features-- kind, version, etc.
+// TODO: Make this object have easy access to field based accessors and settors for
+// metadata and field mutatation.
+// 
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +protobuf=true
+// +k8s:openapi-gen=true
+message Unknown {
+  optional TypeMeta typeMeta = 1;
+
+  // Raw will hold the complete serialized object which couldn't be matched
+  // with a registered type. Most likely, nothing should be done with this
+  // except for passing it through the system.
+  optional bytes raw = 2;
+
+  // ContentEncoding is encoding used to encode 'Raw' data.
+  // Unspecified means no encoding.
+  optional string contentEncoding = 3;
+
+  // ContentType  is serialization method used to serialize 'Raw'.
+  // Unspecified means ContentTypeJSON.
+  optional string contentType = 4;
+}
+
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/helper.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/helper.go
new file mode 100644
index 00000000..a6c1a8d3
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/helper.go
@@ -0,0 +1,212 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"fmt"
+	"io"
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/errors"
+)
+
+// unsafeObjectConvertor implements ObjectConvertor using the unsafe conversion path.
+type unsafeObjectConvertor struct {
+	*Scheme
+}
+
+var _ ObjectConvertor = unsafeObjectConvertor{}
+
+// ConvertToVersion converts in to the provided outVersion without copying the input first, which
+// is only safe if the output object is not mutated or reused.
+func (c unsafeObjectConvertor) ConvertToVersion(in Object, outVersion GroupVersioner) (Object, error) {
+	return c.Scheme.UnsafeConvertToVersion(in, outVersion)
+}
+
+// UnsafeObjectConvertor performs object conversion without copying the object structure,
+// for use when the converted object will not be reused or mutated. Primarily for use within
+// versioned codecs, which use the external object for serialization but do not return it.
+func UnsafeObjectConvertor(scheme *Scheme) ObjectConvertor {
+	return unsafeObjectConvertor{scheme}
+}
+
+// SetField puts the value of src, into fieldName, which must be a member of v.
+// The value of src must be assignable to the field.
+func SetField(src interface{}, v reflect.Value, fieldName string) error {
+	field := v.FieldByName(fieldName)
+	if !field.IsValid() {
+		return fmt.Errorf("couldn't find %v field in %#v", fieldName, v.Interface())
+	}
+	srcValue := reflect.ValueOf(src)
+	if srcValue.Type().AssignableTo(field.Type()) {
+		field.Set(srcValue)
+		return nil
+	}
+	if srcValue.Type().ConvertibleTo(field.Type()) {
+		field.Set(srcValue.Convert(field.Type()))
+		return nil
+	}
+	return fmt.Errorf("couldn't assign/convert %v to %v", srcValue.Type(), field.Type())
+}
+
+// Field puts the value of fieldName, which must be a member of v, into dest,
+// which must be a variable to which this field's value can be assigned.
+func Field(v reflect.Value, fieldName string, dest interface{}) error {
+	field := v.FieldByName(fieldName)
+	if !field.IsValid() {
+		return fmt.Errorf("couldn't find %v field in %#v", fieldName, v.Interface())
+	}
+	destValue, err := conversion.EnforcePtr(dest)
+	if err != nil {
+		return err
+	}
+	if field.Type().AssignableTo(destValue.Type()) {
+		destValue.Set(field)
+		return nil
+	}
+	if field.Type().ConvertibleTo(destValue.Type()) {
+		destValue.Set(field.Convert(destValue.Type()))
+		return nil
+	}
+	return fmt.Errorf("couldn't assign/convert %v to %v", field.Type(), destValue.Type())
+}
+
+// fieldPtr puts the address of fieldName, which must be a member of v,
+// into dest, which must be an address of a variable to which this field's
+// address can be assigned.
+func FieldPtr(v reflect.Value, fieldName string, dest interface{}) error {
+	field := v.FieldByName(fieldName)
+	if !field.IsValid() {
+		return fmt.Errorf("couldn't find %v field in %#v", fieldName, v.Interface())
+	}
+	v, err := conversion.EnforcePtr(dest)
+	if err != nil {
+		return err
+	}
+	field = field.Addr()
+	if field.Type().AssignableTo(v.Type()) {
+		v.Set(field)
+		return nil
+	}
+	if field.Type().ConvertibleTo(v.Type()) {
+		v.Set(field.Convert(v.Type()))
+		return nil
+	}
+	return fmt.Errorf("couldn't assign/convert %v to %v", field.Type(), v.Type())
+}
+
+// EncodeList ensures that each object in an array is converted to a Unknown{} in serialized form.
+// TODO: accept a content type.
+func EncodeList(e Encoder, objects []Object) error {
+	var errs []error
+	for i := range objects {
+		data, err := Encode(e, objects[i])
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+		// TODO: Set ContentEncoding and ContentType.
+		objects[i] = &Unknown{Raw: data}
+	}
+	return errors.NewAggregate(errs)
+}
+
+func decodeListItem(obj *Unknown, decoders []Decoder) (Object, error) {
+	for _, decoder := range decoders {
+		// TODO: Decode based on ContentType.
+		obj, err := Decode(decoder, obj.Raw)
+		if err != nil {
+			if IsNotRegisteredError(err) {
+				continue
+			}
+			return nil, err
+		}
+		return obj, nil
+	}
+	// could not decode, so leave the object as Unknown, but give the decoders the
+	// chance to set Unknown.TypeMeta if it is available.
+	for _, decoder := range decoders {
+		if err := DecodeInto(decoder, obj.Raw, obj); err == nil {
+			return obj, nil
+		}
+	}
+	return obj, nil
+}
+
+// DecodeList alters the list in place, attempting to decode any objects found in
+// the list that have the Unknown type. Any errors that occur are returned
+// after the entire list is processed. Decoders are tried in order.
+func DecodeList(objects []Object, decoders ...Decoder) []error {
+	errs := []error(nil)
+	for i, obj := range objects {
+		switch t := obj.(type) {
+		case *Unknown:
+			decoded, err := decodeListItem(t, decoders)
+			if err != nil {
+				errs = append(errs, err)
+				break
+			}
+			objects[i] = decoded
+		}
+	}
+	return errs
+}
+
+// MultiObjectTyper returns the types of objects across multiple schemes in order.
+type MultiObjectTyper []ObjectTyper
+
+var _ ObjectTyper = MultiObjectTyper{}
+
+func (m MultiObjectTyper) ObjectKinds(obj Object) (gvks []schema.GroupVersionKind, unversionedType bool, err error) {
+	for _, t := range m {
+		gvks, unversionedType, err = t.ObjectKinds(obj)
+		if err == nil {
+			return
+		}
+	}
+	return
+}
+
+func (m MultiObjectTyper) Recognizes(gvk schema.GroupVersionKind) bool {
+	for _, t := range m {
+		if t.Recognizes(gvk) {
+			return true
+		}
+	}
+	return false
+}
+
+// SetZeroValue would set the object of objPtr to zero value of its type.
+func SetZeroValue(objPtr Object) error {
+	v, err := conversion.EnforcePtr(objPtr)
+	if err != nil {
+		return err
+	}
+	v.Set(reflect.Zero(v.Type()))
+	return nil
+}
+
+// DefaultFramer is valid for any stream that can read objects serially without
+// any separation in the stream.
+var DefaultFramer = defaultFramer{}
+
+type defaultFramer struct{}
+
+func (defaultFramer) NewFrameReader(r io.ReadCloser) io.ReadCloser { return r }
+func (defaultFramer) NewFrameWriter(w io.Writer) io.Writer         { return w }
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/interfaces.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/interfaces.go
new file mode 100644
index 00000000..db4c2807
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/interfaces.go
@@ -0,0 +1,256 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"io"
+	"net/url"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+const (
+	// APIVersionInternal may be used if you are registering a type that should not
+	// be considered stable or serialized - it is a convention only and has no
+	// special behavior in this package.
+	APIVersionInternal = "__internal"
+)
+
+// GroupVersioner refines a set of possible conversion targets into a single option.
+type GroupVersioner interface {
+	// KindForGroupVersionKinds returns a desired target group version kind for the given input, or returns ok false if no
+	// target is known. In general, if the return target is not in the input list, the caller is expected to invoke
+	// Scheme.New(target) and then perform a conversion between the current Go type and the destination Go type.
+	// Sophisticated implementations may use additional information about the input kinds to pick a destination kind.
+	KindForGroupVersionKinds(kinds []schema.GroupVersionKind) (target schema.GroupVersionKind, ok bool)
+}
+
+// Encoders write objects to a serialized form
+type Encoder interface {
+	// Encode writes an object to a stream. Implementations may return errors if the versions are
+	// incompatible, or if no conversion is defined.
+	Encode(obj Object, w io.Writer) error
+}
+
+// Decoders attempt to load an object from data.
+type Decoder interface {
+	// Decode attempts to deserialize the provided data using either the innate typing of the scheme or the
+	// default kind, group, and version provided. It returns a decoded object as well as the kind, group, and
+	// version from the serialized data, or an error. If into is non-nil, it will be used as the target type
+	// and implementations may choose to use it rather than reallocating an object. However, the object is not
+	// guaranteed to be populated. The returned object is not guaranteed to match into. If defaults are
+	// provided, they are applied to the data by default. If no defaults or partial defaults are provided, the
+	// type of the into may be used to guide conversion decisions.
+	Decode(data []byte, defaults *schema.GroupVersionKind, into Object) (Object, *schema.GroupVersionKind, error)
+}
+
+// Serializer is the core interface for transforming objects into a serialized format and back.
+// Implementations may choose to perform conversion of the object, but no assumptions should be made.
+type Serializer interface {
+	Encoder
+	Decoder
+}
+
+// Codec is a Serializer that deals with the details of versioning objects. It offers the same
+// interface as Serializer, so this is a marker to consumers that care about the version of the objects
+// they receive.
+type Codec Serializer
+
+// ParameterCodec defines methods for serializing and deserializing API objects to url.Values and
+// performing any necessary conversion. Unlike the normal Codec, query parameters are not self describing
+// and the desired version must be specified.
+type ParameterCodec interface {
+	// DecodeParameters takes the given url.Values in the specified group version and decodes them
+	// into the provided object, or returns an error.
+	DecodeParameters(parameters url.Values, from schema.GroupVersion, into Object) error
+	// EncodeParameters encodes the provided object as query parameters or returns an error.
+	EncodeParameters(obj Object, to schema.GroupVersion) (url.Values, error)
+}
+
+// Framer is a factory for creating readers and writers that obey a particular framing pattern.
+type Framer interface {
+	NewFrameReader(r io.ReadCloser) io.ReadCloser
+	NewFrameWriter(w io.Writer) io.Writer
+}
+
+// SerializerInfo contains information about a specific serialization format
+type SerializerInfo struct {
+	// MediaType is the value that represents this serializer over the wire.
+	MediaType string
+	// EncodesAsText indicates this serializer can be encoded to UTF-8 safely.
+	EncodesAsText bool
+	// Serializer is the individual object serializer for this media type.
+	Serializer Serializer
+	// PrettySerializer, if set, can serialize this object in a form biased towards
+	// readability.
+	PrettySerializer Serializer
+	// StreamSerializer, if set, describes the streaming serialization format
+	// for this media type.
+	StreamSerializer *StreamSerializerInfo
+}
+
+// StreamSerializerInfo contains information about a specific stream serialization format
+type StreamSerializerInfo struct {
+	// EncodesAsText indicates this serializer can be encoded to UTF-8 safely.
+	EncodesAsText bool
+	// Serializer is the top level object serializer for this type when streaming
+	Serializer
+	// Framer is the factory for retrieving streams that separate objects on the wire
+	Framer
+}
+
+// NegotiatedSerializer is an interface used for obtaining encoders, decoders, and serializers
+// for multiple supported media types. This would commonly be accepted by a server component
+// that performs HTTP content negotiation to accept multiple formats.
+type NegotiatedSerializer interface {
+	// SupportedMediaTypes is the media types supported for reading and writing single objects.
+	SupportedMediaTypes() []SerializerInfo
+
+	// EncoderForVersion returns an encoder that ensures objects being written to the provided
+	// serializer are in the provided group version.
+	EncoderForVersion(serializer Encoder, gv GroupVersioner) Encoder
+	// DecoderForVersion returns a decoder that ensures objects being read by the provided
+	// serializer are in the provided group version by default.
+	DecoderToVersion(serializer Decoder, gv GroupVersioner) Decoder
+}
+
+// StorageSerializer is an interface used for obtaining encoders, decoders, and serializers
+// that can read and write data at rest. This would commonly be used by client tools that must
+// read files, or server side storage interfaces that persist restful objects.
+type StorageSerializer interface {
+	// SupportedMediaTypes are the media types supported for reading and writing objects.
+	SupportedMediaTypes() []SerializerInfo
+
+	// UniversalDeserializer returns a Serializer that can read objects in multiple supported formats
+	// by introspecting the data at rest.
+	UniversalDeserializer() Decoder
+
+	// EncoderForVersion returns an encoder that ensures objects being written to the provided
+	// serializer are in the provided group version.
+	EncoderForVersion(serializer Encoder, gv GroupVersioner) Encoder
+	// DecoderForVersion returns a decoder that ensures objects being read by the provided
+	// serializer are in the provided group version by default.
+	DecoderToVersion(serializer Decoder, gv GroupVersioner) Decoder
+}
+
+// NestedObjectEncoder is an optional interface that objects may implement to be given
+// an opportunity to encode any nested Objects / RawExtensions during serialization.
+type NestedObjectEncoder interface {
+	EncodeNestedObjects(e Encoder) error
+}
+
+// NestedObjectDecoder is an optional interface that objects may implement to be given
+// an opportunity to decode any nested Objects / RawExtensions during serialization.
+type NestedObjectDecoder interface {
+	DecodeNestedObjects(d Decoder) error
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// Non-codec interfaces
+
+type ObjectDefaulter interface {
+	// Default takes an object (must be a pointer) and applies any default values.
+	// Defaulters may not error.
+	Default(in Object)
+}
+
+type ObjectVersioner interface {
+	ConvertToVersion(in Object, gv GroupVersioner) (out Object, err error)
+}
+
+// ObjectConvertor converts an object to a different version.
+type ObjectConvertor interface {
+	// Convert attempts to convert one object into another, or returns an error. This method does
+	// not guarantee the in object is not mutated. The context argument will be passed to
+	// all nested conversions.
+	Convert(in, out, context interface{}) error
+	// ConvertToVersion takes the provided object and converts it the provided version. This
+	// method does not guarantee that the in object is not mutated. This method is similar to
+	// Convert() but handles specific details of choosing the correct output version.
+	ConvertToVersion(in Object, gv GroupVersioner) (out Object, err error)
+	ConvertFieldLabel(version, kind, label, value string) (string, string, error)
+}
+
+// ObjectTyper contains methods for extracting the APIVersion and Kind
+// of objects.
+type ObjectTyper interface {
+	// ObjectKinds returns the all possible group,version,kind of the provided object, true if
+	// the object is unversioned, or an error if the object is not recognized
+	// (IsNotRegisteredError will return true).
+	ObjectKinds(Object) ([]schema.GroupVersionKind, bool, error)
+	// Recognizes returns true if the scheme is able to handle the provided version and kind,
+	// or more precisely that the provided version is a possible conversion or decoding
+	// target.
+	Recognizes(gvk schema.GroupVersionKind) bool
+}
+
+// ObjectCreater contains methods for instantiating an object by kind and version.
+type ObjectCreater interface {
+	New(kind schema.GroupVersionKind) (out Object, err error)
+}
+
+// ObjectCopier duplicates an object.
+type ObjectCopier interface {
+	// Copy returns an exact copy of the provided Object, or an error if the
+	// copy could not be completed.
+	Copy(Object) (Object, error)
+}
+
+// ResourceVersioner provides methods for setting and retrieving
+// the resource version from an API object.
+type ResourceVersioner interface {
+	SetResourceVersion(obj Object, version string) error
+	ResourceVersion(obj Object) (string, error)
+}
+
+// SelfLinker provides methods for setting and retrieving the SelfLink field of an API object.
+type SelfLinker interface {
+	SetSelfLink(obj Object, selfLink string) error
+	SelfLink(obj Object) (string, error)
+
+	// Knowing Name is sometimes necessary to use a SelfLinker.
+	Name(obj Object) (string, error)
+	// Knowing Namespace is sometimes necessary to use a SelfLinker
+	Namespace(obj Object) (string, error)
+}
+
+// All API types registered with Scheme must support the Object interface. Since objects in a scheme are
+// expected to be serialized to the wire, the interface an Object must provide to the Scheme allows
+// serializers to set the kind, version, and group the object is represented as. An Object may choose
+// to return a no-op ObjectKindAccessor in cases where it is not expected to be serialized.
+type Object interface {
+	GetObjectKind() schema.ObjectKind
+	DeepCopyObject() Object
+}
+
+// Unstructured objects store values as map[string]interface{}, with only values that can be serialized
+// to JSON allowed.
+type Unstructured interface {
+	// IsUnstructuredObject is a marker interface to allow objects that can be serialized but not introspected
+	// to bypass conversion.
+	IsUnstructuredObject()
+	// UnstructuredContent returns a non-nil, mutable map of the contents of this object. Values may be
+	// []interface{}, map[string]interface{}, or any primitive type. Contents are typically serialized to
+	// and from JSON.
+	UnstructuredContent() map[string]interface{}
+	// IsList returns true if this type is a list or matches the list convention - has an array called "items".
+	IsList() bool
+	// EachListItem should pass a single item out of the list as an Object to the provided function. Any
+	// error should terminate the iteration. If IsList() returns false, this method should return an error
+	// instead of calling the provided function.
+	EachListItem(func(Object) error) error
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/register.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/register.go
new file mode 100644
index 00000000..eeb380c3
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/register.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import "k8s.io/apimachinery/pkg/runtime/schema"
+
+// SetGroupVersionKind satisfies the ObjectKind interface for all objects that embed TypeMeta
+func (obj *TypeMeta) SetGroupVersionKind(gvk schema.GroupVersionKind) {
+	obj.APIVersion, obj.Kind = gvk.ToAPIVersionAndKind()
+}
+
+// GroupVersionKind satisfies the ObjectKind interface for all objects that embed TypeMeta
+func (obj *TypeMeta) GroupVersionKind() schema.GroupVersionKind {
+	return schema.FromAPIVersionAndKind(obj.APIVersion, obj.Kind)
+}
+
+func (obj *TypeMeta) GetObjectKind() schema.ObjectKind { return obj }
+
+// GetObjectKind implements Object for VersionedObjects, returning an empty ObjectKind
+// interface if no objects are provided, or the ObjectKind interface of the object in the
+// highest array position.
+func (obj *VersionedObjects) GetObjectKind() schema.ObjectKind {
+	last := obj.Last()
+	if last == nil {
+		return schema.EmptyObjectKind
+	}
+	return last.GetObjectKind()
+}
+
+// First returns the leftmost object in the VersionedObjects array, which is usually the
+// object as serialized on the wire.
+func (obj *VersionedObjects) First() Object {
+	if len(obj.Objects) == 0 {
+		return nil
+	}
+	return obj.Objects[0]
+}
+
+// Last is the rightmost object in the VersionedObjects array, which is the object after
+// all transformations have been applied. This is the same object that would be returned
+// by Decode in a normal invocation (without VersionedObjects in the into argument).
+func (obj *VersionedObjects) Last() Object {
+	if len(obj.Objects) == 0 {
+		return nil
+	}
+	return obj.Objects[len(obj.Objects)-1]
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go
new file mode 100644
index 00000000..5357628a
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.pb.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package schema is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto
+
+	It has these top-level messages:
+*/
+package schema
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 202 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0xce, 0xaf, 0x4e, 0x04, 0x31,
+	0x10, 0xc7, 0xf1, 0xd6, 0x20, 0x90, 0xc8, 0x13, 0x23, 0x51, 0xd0, 0x11, 0x18, 0x34, 0x2f, 0x80,
+	0xc7, 0x75, 0xf7, 0x86, 0x6e, 0x53, 0xfa, 0x27, 0xed, 0x94, 0x04, 0xc7, 0x23, 0xf0, 0x58, 0x27,
+	0x4f, 0xae, 0x64, 0xcb, 0x8b, 0x90, 0xb4, 0x2b, 0x08, 0xc9, 0xb9, 0xfe, 0xd2, 0x7c, 0x26, 0xdf,
+	0xeb, 0x67, 0xf7, 0x58, 0x94, 0x8d, 0xe8, 0xea, 0x44, 0x39, 0x10, 0x53, 0xc1, 0x77, 0x0a, 0xc7,
+	0x98, 0x71, 0xff, 0xd0, 0xc9, 0x7a, 0x3d, 0x2f, 0x36, 0x50, 0xfe, 0xc0, 0xe4, 0x0c, 0xe6, 0x1a,
+	0xd8, 0x7a, 0xc2, 0x32, 0x2f, 0xe4, 0x35, 0x1a, 0x0a, 0x94, 0x35, 0xd3, 0x51, 0xa5, 0x1c, 0x39,
+	0xde, 0xdc, 0x0e, 0xa7, 0xfe, 0x3a, 0x95, 0x9c, 0x51, 0xbb, 0x53, 0xc3, 0x1d, 0xee, 0x8d, 0xe5,
+	0xa5, 0x4e, 0x6a, 0x8e, 0x1e, 0x4d, 0x34, 0x11, 0x3b, 0x9f, 0xea, 0x6b, 0x5f, 0x7d, 0xf4, 0xd7,
+	0x38, 0x7b, 0x78, 0xb8, 0x94, 0x53, 0xd9, 0xbe, 0xa1, 0x0d, 0x5c, 0x38, 0xff, 0x6f, 0x79, 0xba,
+	0x3b, 0x6d, 0x20, 0xce, 0x1b, 0x88, 0x75, 0x03, 0xf1, 0xd9, 0x40, 0x9e, 0x1a, 0xc8, 0x73, 0x03,
+	0xb9, 0x36, 0x90, 0xdf, 0x0d, 0xe4, 0xd7, 0x0f, 0x88, 0x97, 0xab, 0x51, 0xf4, 0x1b, 0x00, 0x00,
+	0xff, 0xff, 0xfd, 0x59, 0x57, 0x93, 0x0b, 0x01, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto b/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto
new file mode 100644
index 00000000..50c2f2a6
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/generated.proto
@@ -0,0 +1,28 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.apimachinery.pkg.runtime.schema;
+
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "schema";
+
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/group_version.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/group_version.go
new file mode 100644
index 00000000..1a9bba10
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/group_version.go
@@ -0,0 +1,277 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package schema
+
+import (
+	"fmt"
+	"strings"
+)
+
+// ParseResourceArg takes the common style of string which may be either `resource.group.com` or `resource.version.group.com`
+// and parses it out into both possibilities.  This code takes no responsibility for knowing which representation was intended
+// but with a knowledge of all GroupVersions, calling code can take a very good guess.  If there are only two segments, then
+// `*GroupVersionResource` is nil.
+// `resource.group.com` -> `group=com, version=group, resource=resource` and `group=group.com, resource=resource`
+func ParseResourceArg(arg string) (*GroupVersionResource, GroupResource) {
+	var gvr *GroupVersionResource
+	if strings.Count(arg, ".") >= 2 {
+		s := strings.SplitN(arg, ".", 3)
+		gvr = &GroupVersionResource{Group: s[2], Version: s[1], Resource: s[0]}
+	}
+
+	return gvr, ParseGroupResource(arg)
+}
+
+// GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+type GroupResource struct {
+	Group    string
+	Resource string
+}
+
+func (gr GroupResource) WithVersion(version string) GroupVersionResource {
+	return GroupVersionResource{Group: gr.Group, Version: version, Resource: gr.Resource}
+}
+
+func (gr GroupResource) Empty() bool {
+	return len(gr.Group) == 0 && len(gr.Resource) == 0
+}
+
+func (gr *GroupResource) String() string {
+	if len(gr.Group) == 0 {
+		return gr.Resource
+	}
+	return gr.Resource + "." + gr.Group
+}
+
+// ParseGroupResource turns "resource.group" string into a GroupResource struct.  Empty strings are allowed
+// for each field.
+func ParseGroupResource(gr string) GroupResource {
+	if i := strings.Index(gr, "."); i == -1 {
+		return GroupResource{Resource: gr}
+	} else {
+		return GroupResource{Group: gr[i+1:], Resource: gr[:i]}
+	}
+}
+
+// GroupVersionResource unambiguously identifies a resource.  It doesn't anonymously include GroupVersion
+// to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+type GroupVersionResource struct {
+	Group    string
+	Version  string
+	Resource string
+}
+
+func (gvr GroupVersionResource) Empty() bool {
+	return len(gvr.Group) == 0 && len(gvr.Version) == 0 && len(gvr.Resource) == 0
+}
+
+func (gvr GroupVersionResource) GroupResource() GroupResource {
+	return GroupResource{Group: gvr.Group, Resource: gvr.Resource}
+}
+
+func (gvr GroupVersionResource) GroupVersion() GroupVersion {
+	return GroupVersion{Group: gvr.Group, Version: gvr.Version}
+}
+
+func (gvr *GroupVersionResource) String() string {
+	return strings.Join([]string{gvr.Group, "/", gvr.Version, ", Resource=", gvr.Resource}, "")
+}
+
+// GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+type GroupKind struct {
+	Group string
+	Kind  string
+}
+
+func (gk GroupKind) Empty() bool {
+	return len(gk.Group) == 0 && len(gk.Kind) == 0
+}
+
+func (gk GroupKind) WithVersion(version string) GroupVersionKind {
+	return GroupVersionKind{Group: gk.Group, Version: version, Kind: gk.Kind}
+}
+
+func (gk *GroupKind) String() string {
+	if len(gk.Group) == 0 {
+		return gk.Kind
+	}
+	return gk.Kind + "." + gk.Group
+}
+
+// GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
+// to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+type GroupVersionKind struct {
+	Group   string
+	Version string
+	Kind    string
+}
+
+// Empty returns true if group, version, and kind are empty
+func (gvk GroupVersionKind) Empty() bool {
+	return len(gvk.Group) == 0 && len(gvk.Version) == 0 && len(gvk.Kind) == 0
+}
+
+func (gvk GroupVersionKind) GroupKind() GroupKind {
+	return GroupKind{Group: gvk.Group, Kind: gvk.Kind}
+}
+
+func (gvk GroupVersionKind) GroupVersion() GroupVersion {
+	return GroupVersion{Group: gvk.Group, Version: gvk.Version}
+}
+
+func (gvk GroupVersionKind) String() string {
+	return gvk.Group + "/" + gvk.Version + ", Kind=" + gvk.Kind
+}
+
+// GroupVersion contains the "group" and the "version", which uniquely identifies the API.
+type GroupVersion struct {
+	Group   string
+	Version string
+}
+
+// Empty returns true if group and version are empty
+func (gv GroupVersion) Empty() bool {
+	return len(gv.Group) == 0 && len(gv.Version) == 0
+}
+
+// String puts "group" and "version" into a single "group/version" string. For the legacy v1
+// it returns "v1".
+func (gv GroupVersion) String() string {
+	// special case the internal apiVersion for the legacy kube types
+	if gv.Empty() {
+		return ""
+	}
+
+	// special case of "v1" for backward compatibility
+	if len(gv.Group) == 0 && gv.Version == "v1" {
+		return gv.Version
+	}
+	if len(gv.Group) > 0 {
+		return gv.Group + "/" + gv.Version
+	}
+	return gv.Version
+}
+
+// KindForGroupVersionKinds identifies the preferred GroupVersionKind out of a list. It returns ok false
+// if none of the options match the group. It prefers a match to group and version over just group.
+// TODO: Move GroupVersion to a package under pkg/runtime, since it's used by scheme.
+// TODO: Introduce an adapter type between GroupVersion and runtime.GroupVersioner, and use LegacyCodec(GroupVersion)
+//   in fewer places.
+func (gv GroupVersion) KindForGroupVersionKinds(kinds []GroupVersionKind) (target GroupVersionKind, ok bool) {
+	for _, gvk := range kinds {
+		if gvk.Group == gv.Group && gvk.Version == gv.Version {
+			return gvk, true
+		}
+	}
+	for _, gvk := range kinds {
+		if gvk.Group == gv.Group {
+			return gv.WithKind(gvk.Kind), true
+		}
+	}
+	return GroupVersionKind{}, false
+}
+
+// ParseGroupVersion turns "group/version" string into a GroupVersion struct. It reports error
+// if it cannot parse the string.
+func ParseGroupVersion(gv string) (GroupVersion, error) {
+	// this can be the internal version for the legacy kube types
+	// TODO once we've cleared the last uses as strings, this special case should be removed.
+	if (len(gv) == 0) || (gv == "/") {
+		return GroupVersion{}, nil
+	}
+
+	switch strings.Count(gv, "/") {
+	case 0:
+		return GroupVersion{"", gv}, nil
+	case 1:
+		i := strings.Index(gv, "/")
+		return GroupVersion{gv[:i], gv[i+1:]}, nil
+	default:
+		return GroupVersion{}, fmt.Errorf("unexpected GroupVersion string: %v", gv)
+	}
+}
+
+// WithKind creates a GroupVersionKind based on the method receiver's GroupVersion and the passed Kind.
+func (gv GroupVersion) WithKind(kind string) GroupVersionKind {
+	return GroupVersionKind{Group: gv.Group, Version: gv.Version, Kind: kind}
+}
+
+// WithResource creates a GroupVersionResource based on the method receiver's GroupVersion and the passed Resource.
+func (gv GroupVersion) WithResource(resource string) GroupVersionResource {
+	return GroupVersionResource{Group: gv.Group, Version: gv.Version, Resource: resource}
+}
+
+// GroupVersions can be used to represent a set of desired group versions.
+// TODO: Move GroupVersions to a package under pkg/runtime, since it's used by scheme.
+// TODO: Introduce an adapter type between GroupVersions and runtime.GroupVersioner, and use LegacyCodec(GroupVersion)
+//   in fewer places.
+type GroupVersions []GroupVersion
+
+// KindForGroupVersionKinds identifies the preferred GroupVersionKind out of a list. It returns ok false
+// if none of the options match the group.
+func (gvs GroupVersions) KindForGroupVersionKinds(kinds []GroupVersionKind) (GroupVersionKind, bool) {
+	var targets []GroupVersionKind
+	for _, gv := range gvs {
+		target, ok := gv.KindForGroupVersionKinds(kinds)
+		if !ok {
+			continue
+		}
+		targets = append(targets, target)
+	}
+	if len(targets) == 1 {
+		return targets[0], true
+	}
+	if len(targets) > 1 {
+		return bestMatch(kinds, targets), true
+	}
+	return GroupVersionKind{}, false
+}
+
+// bestMatch tries to pick best matching GroupVersionKind and falls back to the first
+// found if no exact match exists.
+func bestMatch(kinds []GroupVersionKind, targets []GroupVersionKind) GroupVersionKind {
+	for _, gvk := range targets {
+		for _, k := range kinds {
+			if k == gvk {
+				return k
+			}
+		}
+	}
+	return targets[0]
+}
+
+// ToAPIVersionAndKind is a convenience method for satisfying runtime.Object on types that
+// do not use TypeMeta.
+func (gvk *GroupVersionKind) ToAPIVersionAndKind() (string, string) {
+	if gvk == nil {
+		return "", ""
+	}
+	return gvk.GroupVersion().String(), gvk.Kind
+}
+
+// FromAPIVersionAndKind returns a GVK representing the provided fields for types that
+// do not use TypeMeta. This method exists to support test types and legacy serializations
+// that have a distinct group and kind.
+// TODO: further reduce usage of this method.
+func FromAPIVersionAndKind(apiVersion, kind string) GroupVersionKind {
+	if gv, err := ParseGroupVersion(apiVersion); err == nil {
+		return GroupVersionKind{Group: gv.Group, Version: gv.Version, Kind: kind}
+	}
+	return GroupVersionKind{Kind: kind}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/interfaces.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/interfaces.go
new file mode 100644
index 00000000..b5706684
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/schema/interfaces.go
@@ -0,0 +1,40 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package schema
+
+// All objects that are serialized from a Scheme encode their type information. This interface is used
+// by serialization to set type information from the Scheme onto the serialized version of an object.
+// For objects that cannot be serialized or have unique requirements, this interface may be a no-op.
+type ObjectKind interface {
+	// SetGroupVersionKind sets or clears the intended serialized kind of an object. Passing kind nil
+	// should clear the current setting.
+	SetGroupVersionKind(kind GroupVersionKind)
+	// GroupVersionKind returns the stored group, version, and kind of an object, or nil if the object does
+	// not expose or provide these fields.
+	GroupVersionKind() GroupVersionKind
+}
+
+// EmptyObjectKind implements the ObjectKind interface as a noop
+var EmptyObjectKind = emptyObjectKind{}
+
+type emptyObjectKind struct{}
+
+// SetGroupVersionKind implements the ObjectKind interface
+func (emptyObjectKind) SetGroupVersionKind(gvk GroupVersionKind) {}
+
+// GroupVersionKind implements the ObjectKind interface
+func (emptyObjectKind) GroupVersionKind() GroupVersionKind { return GroupVersionKind{} }
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/scheme.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/scheme.go
new file mode 100644
index 00000000..c3d4b7f5
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/scheme.go
@@ -0,0 +1,569 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"fmt"
+	"net/url"
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// Scheme defines methods for serializing and deserializing API objects, a type
+// registry for converting group, version, and kind information to and from Go
+// schemas, and mappings between Go schemas of different versions. A scheme is the
+// foundation for a versioned API and versioned configuration over time.
+//
+// In a Scheme, a Type is a particular Go struct, a Version is a point-in-time
+// identifier for a particular representation of that Type (typically backwards
+// compatible), a Kind is the unique name for that Type within the Version, and a
+// Group identifies a set of Versions, Kinds, and Types that evolve over time. An
+// Unversioned Type is one that is not yet formally bound to a type and is promised
+// to be backwards compatible (effectively a "v1" of a Type that does not expect
+// to break in the future).
+//
+// Schemes are not expected to change at runtime and are only threadsafe after
+// registration is complete.
+type Scheme struct {
+	// versionMap allows one to figure out the go type of an object with
+	// the given version and name.
+	gvkToType map[schema.GroupVersionKind]reflect.Type
+
+	// typeToGroupVersion allows one to find metadata for a given go object.
+	// The reflect.Type we index by should *not* be a pointer.
+	typeToGVK map[reflect.Type][]schema.GroupVersionKind
+
+	// unversionedTypes are transformed without conversion in ConvertToVersion.
+	unversionedTypes map[reflect.Type]schema.GroupVersionKind
+
+	// unversionedKinds are the names of kinds that can be created in the context of any group
+	// or version
+	// TODO: resolve the status of unversioned types.
+	unversionedKinds map[string]reflect.Type
+
+	// Map from version and resource to the corresponding func to convert
+	// resource field labels in that version to internal version.
+	fieldLabelConversionFuncs map[string]map[string]FieldLabelConversionFunc
+
+	// defaulterFuncs is an array of interfaces to be called with an object to provide defaulting
+	// the provided object must be a pointer.
+	defaulterFuncs map[reflect.Type]func(interface{})
+
+	// converter stores all registered conversion functions. It also has
+	// default coverting behavior.
+	converter *conversion.Converter
+
+	// cloner stores all registered copy functions. It also has default
+	// deep copy behavior.
+	cloner *conversion.Cloner
+}
+
+// Function to convert a field selector to internal representation.
+type FieldLabelConversionFunc func(label, value string) (internalLabel, internalValue string, err error)
+
+// NewScheme creates a new Scheme. This scheme is pluggable by default.
+func NewScheme() *Scheme {
+	s := &Scheme{
+		gvkToType:        map[schema.GroupVersionKind]reflect.Type{},
+		typeToGVK:        map[reflect.Type][]schema.GroupVersionKind{},
+		unversionedTypes: map[reflect.Type]schema.GroupVersionKind{},
+		unversionedKinds: map[string]reflect.Type{},
+		cloner:           conversion.NewCloner(),
+		fieldLabelConversionFuncs: map[string]map[string]FieldLabelConversionFunc{},
+		defaulterFuncs:            map[reflect.Type]func(interface{}){},
+	}
+	s.converter = conversion.NewConverter(s.nameFunc)
+
+	s.AddConversionFuncs(DefaultEmbeddedConversions()...)
+
+	// Enable map[string][]string conversions by default
+	if err := s.AddConversionFuncs(DefaultStringConversions...); err != nil {
+		panic(err)
+	}
+	if err := s.RegisterInputDefaults(&map[string][]string{}, JSONKeyMapper, conversion.AllowDifferentFieldTypeNames|conversion.IgnoreMissingFields); err != nil {
+		panic(err)
+	}
+	if err := s.RegisterInputDefaults(&url.Values{}, JSONKeyMapper, conversion.AllowDifferentFieldTypeNames|conversion.IgnoreMissingFields); err != nil {
+		panic(err)
+	}
+	return s
+}
+
+// nameFunc returns the name of the type that we wish to use to determine when two types attempt
+// a conversion. Defaults to the go name of the type if the type is not registered.
+func (s *Scheme) nameFunc(t reflect.Type) string {
+	// find the preferred names for this type
+	gvks, ok := s.typeToGVK[t]
+	if !ok {
+		return t.Name()
+	}
+
+	for _, gvk := range gvks {
+		internalGV := gvk.GroupVersion()
+		internalGV.Version = "__internal" // this is hacky and maybe should be passed in
+		internalGVK := internalGV.WithKind(gvk.Kind)
+
+		if internalType, exists := s.gvkToType[internalGVK]; exists {
+			return s.typeToGVK[internalType][0].Kind
+		}
+	}
+
+	return gvks[0].Kind
+}
+
+// fromScope gets the input version, desired output version, and desired Scheme
+// from a conversion.Scope.
+func (s *Scheme) fromScope(scope conversion.Scope) *Scheme {
+	return s
+}
+
+// Converter allows access to the converter for the scheme
+func (s *Scheme) Converter() *conversion.Converter {
+	return s.converter
+}
+
+// AddUnversionedTypes registers the provided types as "unversioned", which means that they follow special rules.
+// Whenever an object of this type is serialized, it is serialized with the provided group version and is not
+// converted. Thus unversioned objects are expected to remain backwards compatible forever, as if they were in an
+// API group and version that would never be updated.
+//
+// TODO: there is discussion about removing unversioned and replacing it with objects that are manifest into
+//   every version with particular schemas. Resolve this method at that point.
+func (s *Scheme) AddUnversionedTypes(version schema.GroupVersion, types ...Object) {
+	s.AddKnownTypes(version, types...)
+	for _, obj := range types {
+		t := reflect.TypeOf(obj).Elem()
+		gvk := version.WithKind(t.Name())
+		s.unversionedTypes[t] = gvk
+		if old, ok := s.unversionedKinds[gvk.Kind]; ok && t != old {
+			panic(fmt.Sprintf("%v.%v has already been registered as unversioned kind %q - kind name must be unique", old.PkgPath(), old.Name(), gvk))
+		}
+		s.unversionedKinds[gvk.Kind] = t
+	}
+}
+
+// AddKnownTypes registers all types passed in 'types' as being members of version 'version'.
+// All objects passed to types should be pointers to structs. The name that go reports for
+// the struct becomes the "kind" field when encoding. Version may not be empty - use the
+// APIVersionInternal constant if you have a type that does not have a formal version.
+func (s *Scheme) AddKnownTypes(gv schema.GroupVersion, types ...Object) {
+	for _, obj := range types {
+		t := reflect.TypeOf(obj)
+		if t.Kind() != reflect.Ptr {
+			panic("All types must be pointers to structs.")
+		}
+		t = t.Elem()
+		s.AddKnownTypeWithName(gv.WithKind(t.Name()), obj)
+	}
+}
+
+// AddKnownTypeWithName is like AddKnownTypes, but it lets you specify what this type should
+// be encoded as. Useful for testing when you don't want to make multiple packages to define
+// your structs. Version may not be empty - use the APIVersionInternal constant if you have a
+// type that does not have a formal version.
+func (s *Scheme) AddKnownTypeWithName(gvk schema.GroupVersionKind, obj Object) {
+	t := reflect.TypeOf(obj)
+	if len(gvk.Version) == 0 {
+		panic(fmt.Sprintf("version is required on all types: %s %v", gvk, t))
+	}
+	if t.Kind() != reflect.Ptr {
+		panic("All types must be pointers to structs.")
+	}
+	t = t.Elem()
+	if t.Kind() != reflect.Struct {
+		panic("All types must be pointers to structs.")
+	}
+
+	if oldT, found := s.gvkToType[gvk]; found && oldT != t {
+		panic(fmt.Sprintf("Double registration of different types for %v: old=%v.%v, new=%v.%v", gvk, oldT.PkgPath(), oldT.Name(), t.PkgPath(), t.Name()))
+	}
+
+	s.gvkToType[gvk] = t
+
+	for _, existingGvk := range s.typeToGVK[t] {
+		if existingGvk == gvk {
+			return
+		}
+	}
+	s.typeToGVK[t] = append(s.typeToGVK[t], gvk)
+}
+
+// KnownTypes returns the types known for the given version.
+func (s *Scheme) KnownTypes(gv schema.GroupVersion) map[string]reflect.Type {
+	types := make(map[string]reflect.Type)
+	for gvk, t := range s.gvkToType {
+		if gv != gvk.GroupVersion() {
+			continue
+		}
+
+		types[gvk.Kind] = t
+	}
+	return types
+}
+
+// AllKnownTypes returns the all known types.
+func (s *Scheme) AllKnownTypes() map[schema.GroupVersionKind]reflect.Type {
+	return s.gvkToType
+}
+
+// ObjectKind returns the group,version,kind of the go object and true if this object
+// is considered unversioned, or an error if it's not a pointer or is unregistered.
+func (s *Scheme) ObjectKind(obj Object) (schema.GroupVersionKind, bool, error) {
+	gvks, unversionedType, err := s.ObjectKinds(obj)
+	if err != nil {
+		return schema.GroupVersionKind{}, false, err
+	}
+	return gvks[0], unversionedType, nil
+}
+
+// ObjectKinds returns all possible group,version,kind of the go object, true if the
+// object is considered unversioned, or an error if it's not a pointer or is unregistered.
+func (s *Scheme) ObjectKinds(obj Object) ([]schema.GroupVersionKind, bool, error) {
+	v, err := conversion.EnforcePtr(obj)
+	if err != nil {
+		return nil, false, err
+	}
+	t := v.Type()
+
+	gvks, ok := s.typeToGVK[t]
+	if !ok {
+		return nil, false, NewNotRegisteredErrForType(t)
+	}
+	_, unversionedType := s.unversionedTypes[t]
+
+	return gvks, unversionedType, nil
+}
+
+// Recognizes returns true if the scheme is able to handle the provided group,version,kind
+// of an object.
+func (s *Scheme) Recognizes(gvk schema.GroupVersionKind) bool {
+	_, exists := s.gvkToType[gvk]
+	return exists
+}
+
+func (s *Scheme) IsUnversioned(obj Object) (bool, bool) {
+	v, err := conversion.EnforcePtr(obj)
+	if err != nil {
+		return false, false
+	}
+	t := v.Type()
+
+	if _, ok := s.typeToGVK[t]; !ok {
+		return false, false
+	}
+	_, ok := s.unversionedTypes[t]
+	return ok, true
+}
+
+// New returns a new API object of the given version and name, or an error if it hasn't
+// been registered. The version and kind fields must be specified.
+func (s *Scheme) New(kind schema.GroupVersionKind) (Object, error) {
+	if t, exists := s.gvkToType[kind]; exists {
+		return reflect.New(t).Interface().(Object), nil
+	}
+
+	if t, exists := s.unversionedKinds[kind.Kind]; exists {
+		return reflect.New(t).Interface().(Object), nil
+	}
+	return nil, NewNotRegisteredErrForKind(kind)
+}
+
+// AddGenericConversionFunc adds a function that accepts the ConversionFunc call pattern
+// (for two conversion types) to the converter. These functions are checked first during
+// a normal conversion, but are otherwise not called. Use AddConversionFuncs when registering
+// typed conversions.
+func (s *Scheme) AddGenericConversionFunc(fn conversion.GenericConversionFunc) {
+	s.converter.AddGenericConversionFunc(fn)
+}
+
+// Log sets a logger on the scheme. For test purposes only
+func (s *Scheme) Log(l conversion.DebugLogger) {
+	s.converter.Debug = l
+}
+
+// AddIgnoredConversionType identifies a pair of types that should be skipped by
+// conversion (because the data inside them is explicitly dropped during
+// conversion).
+func (s *Scheme) AddIgnoredConversionType(from, to interface{}) error {
+	return s.converter.RegisterIgnoredConversion(from, to)
+}
+
+// AddConversionFuncs adds functions to the list of conversion functions. The given
+// functions should know how to convert between two of your API objects, or their
+// sub-objects. We deduce how to call these functions from the types of their two
+// parameters; see the comment for Converter.Register.
+//
+// Note that, if you need to copy sub-objects that didn't change, you can use the
+// conversion.Scope object that will be passed to your conversion function.
+// Additionally, all conversions started by Scheme will set the SrcVersion and
+// DestVersion fields on the Meta object. Example:
+//
+// s.AddConversionFuncs(
+//	func(in *InternalObject, out *ExternalObject, scope conversion.Scope) error {
+//		// You can depend on Meta() being non-nil, and this being set to
+//		// the source version, e.g., ""
+//		s.Meta().SrcVersion
+//		// You can depend on this being set to the destination version,
+//		// e.g., "v1".
+//		s.Meta().DestVersion
+//		// Call scope.Convert to copy sub-fields.
+//		s.Convert(&in.SubFieldThatMoved, &out.NewLocation.NewName, 0)
+//		return nil
+//	},
+// )
+//
+// (For more detail about conversion functions, see Converter.Register's comment.)
+//
+// Also note that the default behavior, if you don't add a conversion function, is to
+// sanely copy fields that have the same names and same type names. It's OK if the
+// destination type has extra fields, but it must not remove any. So you only need to
+// add conversion functions for things with changed/removed fields.
+func (s *Scheme) AddConversionFuncs(conversionFuncs ...interface{}) error {
+	for _, f := range conversionFuncs {
+		if err := s.converter.RegisterConversionFunc(f); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Similar to AddConversionFuncs, but registers conversion functions that were
+// automatically generated.
+func (s *Scheme) AddGeneratedConversionFuncs(conversionFuncs ...interface{}) error {
+	for _, f := range conversionFuncs {
+		if err := s.converter.RegisterGeneratedConversionFunc(f); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// AddDeepCopyFuncs adds a function to the list of deep-copy functions.
+// For the expected format of deep-copy function, see the comment for
+// Copier.RegisterDeepCopyFunction.
+func (s *Scheme) AddDeepCopyFuncs(deepCopyFuncs ...interface{}) error {
+	for _, f := range deepCopyFuncs {
+		if err := s.cloner.RegisterDeepCopyFunc(f); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Similar to AddDeepCopyFuncs, but registers deep-copy functions that were
+// automatically generated.
+func (s *Scheme) AddGeneratedDeepCopyFuncs(deepCopyFuncs ...conversion.GeneratedDeepCopyFunc) error {
+	for _, fn := range deepCopyFuncs {
+		if err := s.cloner.RegisterGeneratedDeepCopyFunc(fn); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// AddFieldLabelConversionFunc adds a conversion function to convert field selectors
+// of the given kind from the given version to internal version representation.
+func (s *Scheme) AddFieldLabelConversionFunc(version, kind string, conversionFunc FieldLabelConversionFunc) error {
+	if s.fieldLabelConversionFuncs[version] == nil {
+		s.fieldLabelConversionFuncs[version] = map[string]FieldLabelConversionFunc{}
+	}
+
+	s.fieldLabelConversionFuncs[version][kind] = conversionFunc
+	return nil
+}
+
+// AddStructFieldConversion allows you to specify a mechanical copy for a moved
+// or renamed struct field without writing an entire conversion function. See
+// the comment in conversion.Converter.SetStructFieldCopy for parameter details.
+// Call as many times as needed, even on the same fields.
+func (s *Scheme) AddStructFieldConversion(srcFieldType interface{}, srcFieldName string, destFieldType interface{}, destFieldName string) error {
+	return s.converter.SetStructFieldCopy(srcFieldType, srcFieldName, destFieldType, destFieldName)
+}
+
+// RegisterInputDefaults sets the provided field mapping function and field matching
+// as the defaults for the provided input type.  The fn may be nil, in which case no
+// mapping will happen by default. Use this method to register a mechanism for handling
+// a specific input type in conversion, such as a map[string]string to structs.
+func (s *Scheme) RegisterInputDefaults(in interface{}, fn conversion.FieldMappingFunc, defaultFlags conversion.FieldMatchingFlags) error {
+	return s.converter.RegisterInputDefaults(in, fn, defaultFlags)
+}
+
+// AddTypeDefaultingFuncs registers a function that is passed a pointer to an
+// object and can default fields on the object. These functions will be invoked
+// when Default() is called. The function will never be called unless the
+// defaulted object matches srcType. If this function is invoked twice with the
+// same srcType, the fn passed to the later call will be used instead.
+func (s *Scheme) AddTypeDefaultingFunc(srcType Object, fn func(interface{})) {
+	s.defaulterFuncs[reflect.TypeOf(srcType)] = fn
+}
+
+// Default sets defaults on the provided Object.
+func (s *Scheme) Default(src Object) {
+	if fn, ok := s.defaulterFuncs[reflect.TypeOf(src)]; ok {
+		fn(src)
+	}
+}
+
+// Copy does a deep copy of an API object.
+func (s *Scheme) Copy(src Object) (Object, error) {
+	dst, err := s.DeepCopy(src)
+	if err != nil {
+		return nil, err
+	}
+	return dst.(Object), nil
+}
+
+// Performs a deep copy of the given object.
+func (s *Scheme) DeepCopy(src interface{}) (interface{}, error) {
+	return s.cloner.DeepCopy(src)
+}
+
+// Convert will attempt to convert in into out. Both must be pointers. For easy
+// testing of conversion functions. Returns an error if the conversion isn't
+// possible. You can call this with types that haven't been registered (for example,
+// a to test conversion of types that are nested within registered types). The
+// context interface is passed to the convertor.
+// TODO: identify whether context should be hidden, or behind a formal context/scope
+//   interface
+func (s *Scheme) Convert(in, out interface{}, context interface{}) error {
+	flags, meta := s.generateConvertMeta(in)
+	meta.Context = context
+	if flags == 0 {
+		flags = conversion.AllowDifferentFieldTypeNames
+	}
+	return s.converter.Convert(in, out, flags, meta)
+}
+
+// Converts the given field label and value for an kind field selector from
+// versioned representation to an unversioned one.
+func (s *Scheme) ConvertFieldLabel(version, kind, label, value string) (string, string, error) {
+	if s.fieldLabelConversionFuncs[version] == nil {
+		return DefaultMetaV1FieldSelectorConversion(label, value)
+	}
+	conversionFunc, ok := s.fieldLabelConversionFuncs[version][kind]
+	if !ok {
+		return DefaultMetaV1FieldSelectorConversion(label, value)
+	}
+	return conversionFunc(label, value)
+}
+
+// ConvertToVersion attempts to convert an input object to its matching Kind in another
+// version within this scheme. Will return an error if the provided version does not
+// contain the inKind (or a mapping by name defined with AddKnownTypeWithName). Will also
+// return an error if the conversion does not result in a valid Object being
+// returned. Passes target down to the conversion methods as the Context on the scope.
+func (s *Scheme) ConvertToVersion(in Object, target GroupVersioner) (Object, error) {
+	return s.convertToVersion(true, in, target)
+}
+
+// UnsafeConvertToVersion will convert in to the provided target if such a conversion is possible,
+// but does not guarantee the output object does not share fields with the input object. It attempts to be as
+// efficient as possible when doing conversion.
+func (s *Scheme) UnsafeConvertToVersion(in Object, target GroupVersioner) (Object, error) {
+	return s.convertToVersion(false, in, target)
+}
+
+// convertToVersion handles conversion with an optional copy.
+func (s *Scheme) convertToVersion(copy bool, in Object, target GroupVersioner) (Object, error) {
+	// determine the incoming kinds with as few allocations as possible.
+	t := reflect.TypeOf(in)
+	if t.Kind() != reflect.Ptr {
+		return nil, fmt.Errorf("only pointer types may be converted: %v", t)
+	}
+	t = t.Elem()
+	if t.Kind() != reflect.Struct {
+		return nil, fmt.Errorf("only pointers to struct types may be converted: %v", t)
+	}
+	kinds, ok := s.typeToGVK[t]
+	if !ok || len(kinds) == 0 {
+		return nil, NewNotRegisteredErrForType(t)
+	}
+
+	gvk, ok := target.KindForGroupVersionKinds(kinds)
+	if !ok {
+		// try to see if this type is listed as unversioned (for legacy support)
+		// TODO: when we move to server API versions, we should completely remove the unversioned concept
+		if unversionedKind, ok := s.unversionedTypes[t]; ok {
+			if gvk, ok := target.KindForGroupVersionKinds([]schema.GroupVersionKind{unversionedKind}); ok {
+				return copyAndSetTargetKind(copy, s, in, gvk)
+			}
+			return copyAndSetTargetKind(copy, s, in, unversionedKind)
+		}
+
+		return nil, NewNotRegisteredErrForTarget(t, target)
+	}
+
+	// target wants to use the existing type, set kind and return (no conversion necessary)
+	for _, kind := range kinds {
+		if gvk == kind {
+			return copyAndSetTargetKind(copy, s, in, gvk)
+		}
+	}
+
+	// type is unversioned, no conversion necessary
+	if unversionedKind, ok := s.unversionedTypes[t]; ok {
+		if gvk, ok := target.KindForGroupVersionKinds([]schema.GroupVersionKind{unversionedKind}); ok {
+			return copyAndSetTargetKind(copy, s, in, gvk)
+		}
+		return copyAndSetTargetKind(copy, s, in, unversionedKind)
+	}
+
+	out, err := s.New(gvk)
+	if err != nil {
+		return nil, err
+	}
+
+	if copy {
+		in = in.DeepCopyObject()
+	}
+
+	flags, meta := s.generateConvertMeta(in)
+	meta.Context = target
+	if err := s.converter.Convert(in, out, flags, meta); err != nil {
+		return nil, err
+	}
+
+	setTargetKind(out, gvk)
+	return out, nil
+}
+
+// generateConvertMeta constructs the meta value we pass to Convert.
+func (s *Scheme) generateConvertMeta(in interface{}) (conversion.FieldMatchingFlags, *conversion.Meta) {
+	return s.converter.DefaultMeta(reflect.TypeOf(in))
+}
+
+// copyAndSetTargetKind performs a conditional copy before returning the object, or an error if copy was not successful.
+func copyAndSetTargetKind(copy bool, copier ObjectCopier, obj Object, kind schema.GroupVersionKind) (Object, error) {
+	if copy {
+		obj = obj.DeepCopyObject()
+	}
+	setTargetKind(obj, kind)
+	return obj, nil
+}
+
+// setTargetKind sets the kind on an object, taking into account whether the target kind is the internal version.
+func setTargetKind(obj Object, kind schema.GroupVersionKind) {
+	if kind.Version == APIVersionInternal {
+		// internal is a special case
+		// TODO: look at removing the need to special case this
+		obj.GetObjectKind().SetGroupVersionKind(schema.GroupVersionKind{})
+		return
+	}
+	obj.GetObjectKind().SetGroupVersionKind(kind)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/scheme_builder.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/scheme_builder.go
new file mode 100644
index 00000000..944db481
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/scheme_builder.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+// SchemeBuilder collects functions that add things to a scheme. It's to allow
+// code to compile without explicitly referencing generated types. You should
+// declare one in each package that will have generated deep copy or conversion
+// functions.
+type SchemeBuilder []func(*Scheme) error
+
+// AddToScheme applies all the stored functions to the scheme. A non-nil error
+// indicates that one function failed and the attempt was abandoned.
+func (sb *SchemeBuilder) AddToScheme(s *Scheme) error {
+	for _, f := range *sb {
+		if err := f(s); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Register adds a scheme setup function to the list.
+func (sb *SchemeBuilder) Register(funcs ...func(*Scheme) error) {
+	for _, f := range funcs {
+		*sb = append(*sb, f)
+	}
+}
+
+// NewSchemeBuilder calls Register for you.
+func NewSchemeBuilder(funcs ...func(*Scheme) error) SchemeBuilder {
+	var sb SchemeBuilder
+	sb.Register(funcs...)
+	return sb
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/codec_factory.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/codec_factory.go
new file mode 100644
index 00000000..65f45112
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/codec_factory.go
@@ -0,0 +1,237 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serializer
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer/json"
+	"k8s.io/apimachinery/pkg/runtime/serializer/recognizer"
+	"k8s.io/apimachinery/pkg/runtime/serializer/versioning"
+)
+
+// serializerExtensions are for serializers that are conditionally compiled in
+var serializerExtensions = []func(*runtime.Scheme) (serializerType, bool){}
+
+type serializerType struct {
+	AcceptContentTypes []string
+	ContentType        string
+	FileExtensions     []string
+	// EncodesAsText should be true if this content type can be represented safely in UTF-8
+	EncodesAsText bool
+
+	Serializer       runtime.Serializer
+	PrettySerializer runtime.Serializer
+
+	AcceptStreamContentTypes []string
+	StreamContentType        string
+
+	Framer           runtime.Framer
+	StreamSerializer runtime.Serializer
+}
+
+func newSerializersForScheme(scheme *runtime.Scheme, mf json.MetaFactory) []serializerType {
+	jsonSerializer := json.NewSerializer(mf, scheme, scheme, false)
+	jsonPrettySerializer := json.NewSerializer(mf, scheme, scheme, true)
+	yamlSerializer := json.NewYAMLSerializer(mf, scheme, scheme)
+
+	serializers := []serializerType{
+		{
+			AcceptContentTypes: []string{"application/json"},
+			ContentType:        "application/json",
+			FileExtensions:     []string{"json"},
+			EncodesAsText:      true,
+			Serializer:         jsonSerializer,
+			PrettySerializer:   jsonPrettySerializer,
+
+			Framer:           json.Framer,
+			StreamSerializer: jsonSerializer,
+		},
+		{
+			AcceptContentTypes: []string{"application/yaml"},
+			ContentType:        "application/yaml",
+			FileExtensions:     []string{"yaml"},
+			EncodesAsText:      true,
+			Serializer:         yamlSerializer,
+		},
+	}
+
+	for _, fn := range serializerExtensions {
+		if serializer, ok := fn(scheme); ok {
+			serializers = append(serializers, serializer)
+		}
+	}
+	return serializers
+}
+
+// CodecFactory provides methods for retrieving codecs and serializers for specific
+// versions and content types.
+type CodecFactory struct {
+	scheme      *runtime.Scheme
+	serializers []serializerType
+	universal   runtime.Decoder
+	accepts     []runtime.SerializerInfo
+
+	legacySerializer runtime.Serializer
+}
+
+// NewCodecFactory provides methods for retrieving serializers for the supported wire formats
+// and conversion wrappers to define preferred internal and external versions. In the future,
+// as the internal version is used less, callers may instead use a defaulting serializer and
+// only convert objects which are shared internally (Status, common API machinery).
+// TODO: allow other codecs to be compiled in?
+// TODO: accept a scheme interface
+func NewCodecFactory(scheme *runtime.Scheme) CodecFactory {
+	serializers := newSerializersForScheme(scheme, json.DefaultMetaFactory)
+	return newCodecFactory(scheme, serializers)
+}
+
+// newCodecFactory is a helper for testing that allows a different metafactory to be specified.
+func newCodecFactory(scheme *runtime.Scheme, serializers []serializerType) CodecFactory {
+	decoders := make([]runtime.Decoder, 0, len(serializers))
+	var accepts []runtime.SerializerInfo
+	alreadyAccepted := make(map[string]struct{})
+
+	var legacySerializer runtime.Serializer
+	for _, d := range serializers {
+		decoders = append(decoders, d.Serializer)
+		for _, mediaType := range d.AcceptContentTypes {
+			if _, ok := alreadyAccepted[mediaType]; ok {
+				continue
+			}
+			alreadyAccepted[mediaType] = struct{}{}
+			info := runtime.SerializerInfo{
+				MediaType:        d.ContentType,
+				EncodesAsText:    d.EncodesAsText,
+				Serializer:       d.Serializer,
+				PrettySerializer: d.PrettySerializer,
+			}
+			if d.StreamSerializer != nil {
+				info.StreamSerializer = &runtime.StreamSerializerInfo{
+					Serializer:    d.StreamSerializer,
+					EncodesAsText: d.EncodesAsText,
+					Framer:        d.Framer,
+				}
+			}
+			accepts = append(accepts, info)
+			if mediaType == runtime.ContentTypeJSON {
+				legacySerializer = d.Serializer
+			}
+		}
+	}
+	if legacySerializer == nil {
+		legacySerializer = serializers[0].Serializer
+	}
+
+	return CodecFactory{
+		scheme:      scheme,
+		serializers: serializers,
+		universal:   recognizer.NewDecoder(decoders...),
+
+		accepts: accepts,
+
+		legacySerializer: legacySerializer,
+	}
+}
+
+// SupportedMediaTypes returns the RFC2046 media types that this factory has serializers for.
+func (f CodecFactory) SupportedMediaTypes() []runtime.SerializerInfo {
+	return f.accepts
+}
+
+// LegacyCodec encodes output to a given API versions, and decodes output into the internal form from
+// any recognized source. The returned codec will always encode output to JSON. If a type is not
+// found in the list of versions an error will be returned.
+//
+// This method is deprecated - clients and servers should negotiate a serializer by mime-type and
+// invoke CodecForVersions. Callers that need only to read data should use UniversalDecoder().
+//
+// TODO: make this call exist only in pkg/api, and initialize it with the set of default versions.
+//   All other callers will be forced to request a Codec directly.
+func (f CodecFactory) LegacyCodec(version ...schema.GroupVersion) runtime.Codec {
+	return versioning.NewDefaultingCodecForScheme(f.scheme, f.legacySerializer, f.universal, schema.GroupVersions(version), runtime.InternalGroupVersioner)
+}
+
+// UniversalDeserializer can convert any stored data recognized by this factory into a Go object that satisfies
+// runtime.Object. It does not perform conversion. It does not perform defaulting.
+func (f CodecFactory) UniversalDeserializer() runtime.Decoder {
+	return f.universal
+}
+
+// UniversalDecoder returns a runtime.Decoder capable of decoding all known API objects in all known formats. Used
+// by clients that do not need to encode objects but want to deserialize API objects stored on disk. Only decodes
+// objects in groups registered with the scheme. The GroupVersions passed may be used to select alternate
+// versions of objects to return - by default, runtime.APIVersionInternal is used. If any versions are specified,
+// unrecognized groups will be returned in the version they are encoded as (no conversion). This decoder performs
+// defaulting.
+//
+// TODO: the decoder will eventually be removed in favor of dealing with objects in their versioned form
+// TODO: only accept a group versioner
+func (f CodecFactory) UniversalDecoder(versions ...schema.GroupVersion) runtime.Decoder {
+	var versioner runtime.GroupVersioner
+	if len(versions) == 0 {
+		versioner = runtime.InternalGroupVersioner
+	} else {
+		versioner = schema.GroupVersions(versions)
+	}
+	return f.CodecForVersions(nil, f.universal, nil, versioner)
+}
+
+// CodecForVersions creates a codec with the provided serializer. If an object is decoded and its group is not in the list,
+// it will default to runtime.APIVersionInternal. If encode is not specified for an object's group, the object is not
+// converted. If encode or decode are nil, no conversion is performed.
+func (f CodecFactory) CodecForVersions(encoder runtime.Encoder, decoder runtime.Decoder, encode runtime.GroupVersioner, decode runtime.GroupVersioner) runtime.Codec {
+	// TODO: these are for backcompat, remove them in the future
+	if encode == nil {
+		encode = runtime.DisabledGroupVersioner
+	}
+	if decode == nil {
+		decode = runtime.InternalGroupVersioner
+	}
+	return versioning.NewDefaultingCodecForScheme(f.scheme, encoder, decoder, encode, decode)
+}
+
+// DecoderToVersion returns a decoder that targets the provided group version.
+func (f CodecFactory) DecoderToVersion(decoder runtime.Decoder, gv runtime.GroupVersioner) runtime.Decoder {
+	return f.CodecForVersions(nil, decoder, nil, gv)
+}
+
+// EncoderForVersion returns an encoder that targets the provided group version.
+func (f CodecFactory) EncoderForVersion(encoder runtime.Encoder, gv runtime.GroupVersioner) runtime.Encoder {
+	return f.CodecForVersions(encoder, nil, gv, nil)
+}
+
+// DirectCodecFactory provides methods for retrieving "DirectCodec"s, which do not do conversion.
+type DirectCodecFactory struct {
+	CodecFactory
+}
+
+// EncoderForVersion returns an encoder that does not do conversion.
+func (f DirectCodecFactory) EncoderForVersion(serializer runtime.Encoder, version runtime.GroupVersioner) runtime.Encoder {
+	return versioning.DirectEncoder{
+		Version:     version,
+		Encoder:     serializer,
+		ObjectTyper: f.CodecFactory.scheme,
+	}
+}
+
+// DecoderToVersion returns an decoder that does not do conversion. gv is ignored.
+func (f DirectCodecFactory) DecoderToVersion(serializer runtime.Decoder, _ runtime.GroupVersioner) runtime.Decoder {
+	return versioning.DirectDecoder{
+		Decoder: serializer,
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/json/json.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/json/json.go
new file mode 100644
index 00000000..ce3d77c2
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/json/json.go
@@ -0,0 +1,277 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package json
+
+import (
+	"encoding/json"
+	"io"
+	"strconv"
+	"unsafe"
+
+	"github.com/ghodss/yaml"
+	jsoniter "github.com/json-iterator/go"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer/recognizer"
+	"k8s.io/apimachinery/pkg/util/framer"
+	utilyaml "k8s.io/apimachinery/pkg/util/yaml"
+)
+
+// NewSerializer creates a JSON serializer that handles encoding versioned objects into the proper JSON form. If typer
+// is not nil, the object has the group, version, and kind fields set.
+func NewSerializer(meta MetaFactory, creater runtime.ObjectCreater, typer runtime.ObjectTyper, pretty bool) *Serializer {
+	return &Serializer{
+		meta:    meta,
+		creater: creater,
+		typer:   typer,
+		yaml:    false,
+		pretty:  pretty,
+	}
+}
+
+// NewYAMLSerializer creates a YAML serializer that handles encoding versioned objects into the proper YAML form. If typer
+// is not nil, the object has the group, version, and kind fields set. This serializer supports only the subset of YAML that
+// matches JSON, and will error if constructs are used that do not serialize to JSON.
+func NewYAMLSerializer(meta MetaFactory, creater runtime.ObjectCreater, typer runtime.ObjectTyper) *Serializer {
+	return &Serializer{
+		meta:    meta,
+		creater: creater,
+		typer:   typer,
+		yaml:    true,
+	}
+}
+
+type Serializer struct {
+	meta    MetaFactory
+	creater runtime.ObjectCreater
+	typer   runtime.ObjectTyper
+	yaml    bool
+	pretty  bool
+}
+
+// Serializer implements Serializer
+var _ runtime.Serializer = &Serializer{}
+var _ recognizer.RecognizingDecoder = &Serializer{}
+
+func init() {
+	// Force jsoniter to decode number to interface{} via ints, if possible.
+	decodeNumberAsInt64IfPossible := func(ptr unsafe.Pointer, iter *jsoniter.Iterator) {
+		switch iter.WhatIsNext() {
+		case jsoniter.NumberValue:
+			var number json.Number
+			iter.ReadVal(&number)
+			u64, err := strconv.ParseUint(string(number), 10, 64)
+			if err == nil {
+				*(*interface{})(ptr) = u64
+				return
+			}
+			i64, err := strconv.ParseInt(string(number), 10, 64)
+			if err == nil {
+				*(*interface{})(ptr) = i64
+				return
+			}
+			f64, err := strconv.ParseFloat(string(number), 64)
+			if err == nil {
+				*(*interface{})(ptr) = f64
+				return
+			}
+			// Not much we can do here.
+		default:
+			*(*interface{})(ptr) = iter.Read()
+		}
+	}
+	jsoniter.RegisterTypeDecoderFunc("interface {}", decodeNumberAsInt64IfPossible)
+}
+
+// Decode attempts to convert the provided data into YAML or JSON, extract the stored schema kind, apply the provided default gvk, and then
+// load that data into an object matching the desired schema kind or the provided into. If into is *runtime.Unknown, the raw data will be
+// extracted and no decoding will be performed. If into is not registered with the typer, then the object will be straight decoded using
+// normal JSON/YAML unmarshalling. If into is provided and the original data is not fully qualified with kind/version/group, the type of
+// the into will be used to alter the returned gvk. On success or most errors, the method will return the calculated schema kind.
+func (s *Serializer) Decode(originalData []byte, gvk *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	if versioned, ok := into.(*runtime.VersionedObjects); ok {
+		into = versioned.Last()
+		obj, actual, err := s.Decode(originalData, gvk, into)
+		if err != nil {
+			return nil, actual, err
+		}
+		versioned.Objects = []runtime.Object{obj}
+		return versioned, actual, nil
+	}
+
+	data := originalData
+	if s.yaml {
+		altered, err := yaml.YAMLToJSON(data)
+		if err != nil {
+			return nil, nil, err
+		}
+		data = altered
+	}
+
+	actual, err := s.meta.Interpret(data)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if gvk != nil {
+		// apply kind and version defaulting from provided default
+		if len(actual.Kind) == 0 {
+			actual.Kind = gvk.Kind
+		}
+		if len(actual.Version) == 0 && len(actual.Group) == 0 {
+			actual.Group = gvk.Group
+			actual.Version = gvk.Version
+		}
+		if len(actual.Version) == 0 && actual.Group == gvk.Group {
+			actual.Version = gvk.Version
+		}
+	}
+
+	if unk, ok := into.(*runtime.Unknown); ok && unk != nil {
+		unk.Raw = originalData
+		unk.ContentType = runtime.ContentTypeJSON
+		unk.GetObjectKind().SetGroupVersionKind(*actual)
+		return unk, actual, nil
+	}
+
+	if into != nil {
+		types, _, err := s.typer.ObjectKinds(into)
+		switch {
+		case runtime.IsNotRegisteredError(err):
+			if err := jsoniter.ConfigFastest.Unmarshal(data, into); err != nil {
+				return nil, actual, err
+			}
+			return into, actual, nil
+		case err != nil:
+			return nil, actual, err
+		default:
+			typed := types[0]
+			if len(actual.Kind) == 0 {
+				actual.Kind = typed.Kind
+			}
+			if len(actual.Version) == 0 && len(actual.Group) == 0 {
+				actual.Group = typed.Group
+				actual.Version = typed.Version
+			}
+			if len(actual.Version) == 0 && actual.Group == typed.Group {
+				actual.Version = typed.Version
+			}
+		}
+	}
+
+	if len(actual.Kind) == 0 {
+		return nil, actual, runtime.NewMissingKindErr(string(originalData))
+	}
+	if len(actual.Version) == 0 {
+		return nil, actual, runtime.NewMissingVersionErr(string(originalData))
+	}
+
+	// use the target if necessary
+	obj, err := runtime.UseOrCreateObject(s.typer, s.creater, *actual, into)
+	if err != nil {
+		return nil, actual, err
+	}
+
+	if err := jsoniter.ConfigFastest.Unmarshal(data, obj); err != nil {
+		return nil, actual, err
+	}
+	return obj, actual, nil
+}
+
+// Encode serializes the provided object to the given writer.
+func (s *Serializer) Encode(obj runtime.Object, w io.Writer) error {
+	if s.yaml {
+		json, err := jsoniter.ConfigFastest.Marshal(obj)
+		if err != nil {
+			return err
+		}
+		data, err := yaml.JSONToYAML(json)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data)
+		return err
+	}
+
+	if s.pretty {
+		data, err := jsoniter.ConfigFastest.MarshalIndent(obj, "", "  ")
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data)
+		return err
+	}
+	encoder := json.NewEncoder(w)
+	return encoder.Encode(obj)
+}
+
+// RecognizesData implements the RecognizingDecoder interface.
+func (s *Serializer) RecognizesData(peek io.Reader) (ok, unknown bool, err error) {
+	if s.yaml {
+		// we could potentially look for '---'
+		return false, true, nil
+	}
+	_, _, ok = utilyaml.GuessJSONStream(peek, 2048)
+	return ok, false, nil
+}
+
+// Framer is the default JSON framing behavior, with newlines delimiting individual objects.
+var Framer = jsonFramer{}
+
+type jsonFramer struct{}
+
+// NewFrameWriter implements stream framing for this serializer
+func (jsonFramer) NewFrameWriter(w io.Writer) io.Writer {
+	// we can write JSON objects directly to the writer, because they are self-framing
+	return w
+}
+
+// NewFrameReader implements stream framing for this serializer
+func (jsonFramer) NewFrameReader(r io.ReadCloser) io.ReadCloser {
+	// we need to extract the JSON chunks of data to pass to Decode()
+	return framer.NewJSONFramedReader(r)
+}
+
+// Framer is the default JSON framing behavior, with newlines delimiting individual objects.
+var YAMLFramer = yamlFramer{}
+
+type yamlFramer struct{}
+
+// NewFrameWriter implements stream framing for this serializer
+func (yamlFramer) NewFrameWriter(w io.Writer) io.Writer {
+	return yamlFrameWriter{w}
+}
+
+// NewFrameReader implements stream framing for this serializer
+func (yamlFramer) NewFrameReader(r io.ReadCloser) io.ReadCloser {
+	// extract the YAML document chunks directly
+	return utilyaml.NewDocumentDecoder(r)
+}
+
+type yamlFrameWriter struct {
+	w io.Writer
+}
+
+// Write separates each document with the YAML document separator (`---` followed by line
+// break). Writers must write well formed YAML documents (include a final line break).
+func (w yamlFrameWriter) Write(data []byte) (n int, err error) {
+	if _, err := w.w.Write([]byte("---\n")); err != nil {
+		return 0, err
+	}
+	return w.w.Write(data)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/json/meta.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/json/meta.go
new file mode 100644
index 00000000..df3f5f98
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/json/meta.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package json
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// MetaFactory is used to store and retrieve the version and kind
+// information for JSON objects in a serializer.
+type MetaFactory interface {
+	// Interpret should return the version and kind of the wire-format of
+	// the object.
+	Interpret(data []byte) (*schema.GroupVersionKind, error)
+}
+
+// DefaultMetaFactory is a default factory for versioning objects in JSON. The object
+// in memory and in the default JSON serialization will use the "kind" and "apiVersion"
+// fields.
+var DefaultMetaFactory = SimpleMetaFactory{}
+
+// SimpleMetaFactory provides default methods for retrieving the type and version of objects
+// that are identified with an "apiVersion" and "kind" fields in their JSON
+// serialization. It may be parameterized with the names of the fields in memory, or an
+// optional list of base structs to search for those fields in memory.
+type SimpleMetaFactory struct {
+}
+
+// Interpret will return the APIVersion and Kind of the JSON wire-format
+// encoding of an object, or an error.
+func (SimpleMetaFactory) Interpret(data []byte) (*schema.GroupVersionKind, error) {
+	findKind := struct {
+		// +optional
+		APIVersion string `json:"apiVersion,omitempty"`
+		// +optional
+		Kind string `json:"kind,omitempty"`
+	}{}
+	if err := json.Unmarshal(data, &findKind); err != nil {
+		return nil, fmt.Errorf("couldn't get version/kind; json parse error: %v", err)
+	}
+	gv, err := schema.ParseGroupVersion(findKind.APIVersion)
+	if err != nil {
+		return nil, err
+	}
+	return &schema.GroupVersionKind{Group: gv.Group, Version: gv.Version, Kind: findKind.Kind}, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/negotiated_codec.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/negotiated_codec.go
new file mode 100644
index 00000000..a42b4a41
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/negotiated_codec.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serializer
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// TODO: We should split negotiated serializers that we can change versions on from those we can change
+// serialization formats on
+type negotiatedSerializerWrapper struct {
+	info runtime.SerializerInfo
+}
+
+func NegotiatedSerializerWrapper(info runtime.SerializerInfo) runtime.NegotiatedSerializer {
+	return &negotiatedSerializerWrapper{info}
+}
+
+func (n *negotiatedSerializerWrapper) SupportedMediaTypes() []runtime.SerializerInfo {
+	return []runtime.SerializerInfo{n.info}
+}
+
+func (n *negotiatedSerializerWrapper) EncoderForVersion(e runtime.Encoder, _ runtime.GroupVersioner) runtime.Encoder {
+	return e
+}
+
+func (n *negotiatedSerializerWrapper) DecoderToVersion(d runtime.Decoder, _gv runtime.GroupVersioner) runtime.Decoder {
+	return d
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/doc.go
new file mode 100644
index 00000000..72d0ac79
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/doc.go
@@ -0,0 +1,18 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package protobuf provides a Kubernetes serializer for the protobuf format.
+package protobuf // import "k8s.io/apimachinery/pkg/runtime/serializer/protobuf"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/protobuf.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/protobuf.go
new file mode 100644
index 00000000..8d4ea711
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf/protobuf.go
@@ -0,0 +1,448 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package protobuf
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"reflect"
+
+	"github.com/gogo/protobuf/proto"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer/recognizer"
+	"k8s.io/apimachinery/pkg/util/framer"
+)
+
+var (
+	// protoEncodingPrefix serves as a magic number for an encoded protobuf message on this serializer. All
+	// proto messages serialized by this schema will be preceded by the bytes 0x6b 0x38 0x73, with the fourth
+	// byte being reserved for the encoding style. The only encoding style defined is 0x00, which means that
+	// the rest of the byte stream is a message of type k8s.io.kubernetes.pkg.runtime.Unknown (proto2).
+	//
+	// See k8s.io/apimachinery/pkg/runtime/generated.proto for details of the runtime.Unknown message.
+	//
+	// This encoding scheme is experimental, and is subject to change at any time.
+	protoEncodingPrefix = []byte{0x6b, 0x38, 0x73, 0x00}
+)
+
+type errNotMarshalable struct {
+	t reflect.Type
+}
+
+func (e errNotMarshalable) Error() string {
+	return fmt.Sprintf("object %v does not implement the protobuf marshalling interface and cannot be encoded to a protobuf message", e.t)
+}
+
+func IsNotMarshalable(err error) bool {
+	_, ok := err.(errNotMarshalable)
+	return err != nil && ok
+}
+
+// NewSerializer creates a Protobuf serializer that handles encoding versioned objects into the proper wire form. If a typer
+// is passed, the encoded object will have group, version, and kind fields set. If typer is nil, the objects will be written
+// as-is (any type info passed with the object will be used).
+//
+// This encoding scheme is experimental, and is subject to change at any time.
+func NewSerializer(creater runtime.ObjectCreater, typer runtime.ObjectTyper, defaultContentType string) *Serializer {
+	return &Serializer{
+		prefix:      protoEncodingPrefix,
+		creater:     creater,
+		typer:       typer,
+		contentType: defaultContentType,
+	}
+}
+
+type Serializer struct {
+	prefix      []byte
+	creater     runtime.ObjectCreater
+	typer       runtime.ObjectTyper
+	contentType string
+}
+
+var _ runtime.Serializer = &Serializer{}
+var _ recognizer.RecognizingDecoder = &Serializer{}
+
+// Decode attempts to convert the provided data into a protobuf message, extract the stored schema kind, apply the provided default
+// gvk, and then load that data into an object matching the desired schema kind or the provided into. If into is *runtime.Unknown,
+// the raw data will be extracted and no decoding will be performed. If into is not registered with the typer, then the object will
+// be straight decoded using normal protobuf unmarshalling (the MarshalTo interface). If into is provided and the original data is
+// not fully qualified with kind/version/group, the type of the into will be used to alter the returned gvk. On success or most
+// errors, the method will return the calculated schema kind.
+func (s *Serializer) Decode(originalData []byte, gvk *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	if versioned, ok := into.(*runtime.VersionedObjects); ok {
+		into = versioned.Last()
+		obj, actual, err := s.Decode(originalData, gvk, into)
+		if err != nil {
+			return nil, actual, err
+		}
+		// the last item in versioned becomes into, so if versioned was not originally empty we reset the object
+		// array so the first position is the decoded object and the second position is the outermost object.
+		// if there were no objects in the versioned list passed to us, only add ourselves.
+		if into != nil && into != obj {
+			versioned.Objects = []runtime.Object{obj, into}
+		} else {
+			versioned.Objects = []runtime.Object{obj}
+		}
+		return versioned, actual, err
+	}
+
+	prefixLen := len(s.prefix)
+	switch {
+	case len(originalData) == 0:
+		// TODO: treat like decoding {} from JSON with defaulting
+		return nil, nil, fmt.Errorf("empty data")
+	case len(originalData) < prefixLen || !bytes.Equal(s.prefix, originalData[:prefixLen]):
+		return nil, nil, fmt.Errorf("provided data does not appear to be a protobuf message, expected prefix %v", s.prefix)
+	case len(originalData) == prefixLen:
+		// TODO: treat like decoding {} from JSON with defaulting
+		return nil, nil, fmt.Errorf("empty body")
+	}
+
+	data := originalData[prefixLen:]
+	unk := runtime.Unknown{}
+	if err := unk.Unmarshal(data); err != nil {
+		return nil, nil, err
+	}
+
+	actual := unk.GroupVersionKind()
+	copyKindDefaults(&actual, gvk)
+
+	if intoUnknown, ok := into.(*runtime.Unknown); ok && intoUnknown != nil {
+		*intoUnknown = unk
+		if ok, _, _ := s.RecognizesData(bytes.NewBuffer(unk.Raw)); ok {
+			intoUnknown.ContentType = s.contentType
+		}
+		return intoUnknown, &actual, nil
+	}
+
+	if into != nil {
+		types, _, err := s.typer.ObjectKinds(into)
+		switch {
+		case runtime.IsNotRegisteredError(err):
+			pb, ok := into.(proto.Message)
+			if !ok {
+				return nil, &actual, errNotMarshalable{reflect.TypeOf(into)}
+			}
+			if err := proto.Unmarshal(unk.Raw, pb); err != nil {
+				return nil, &actual, err
+			}
+			return into, &actual, nil
+		case err != nil:
+			return nil, &actual, err
+		default:
+			copyKindDefaults(&actual, &types[0])
+			// if the result of defaulting did not set a version or group, ensure that at least group is set
+			// (copyKindDefaults will not assign Group if version is already set). This guarantees that the group
+			// of into is set if there is no better information from the caller or object.
+			if len(actual.Version) == 0 && len(actual.Group) == 0 {
+				actual.Group = types[0].Group
+			}
+		}
+	}
+
+	if len(actual.Kind) == 0 {
+		return nil, &actual, runtime.NewMissingKindErr(fmt.Sprintf("%#v", unk.TypeMeta))
+	}
+	if len(actual.Version) == 0 {
+		return nil, &actual, runtime.NewMissingVersionErr(fmt.Sprintf("%#v", unk.TypeMeta))
+	}
+
+	return unmarshalToObject(s.typer, s.creater, &actual, into, unk.Raw)
+}
+
+// Encode serializes the provided object to the given writer.
+func (s *Serializer) Encode(obj runtime.Object, w io.Writer) error {
+	prefixSize := uint64(len(s.prefix))
+
+	var unk runtime.Unknown
+	switch t := obj.(type) {
+	case *runtime.Unknown:
+		estimatedSize := prefixSize + uint64(t.Size())
+		data := make([]byte, estimatedSize)
+		i, err := t.MarshalTo(data[prefixSize:])
+		if err != nil {
+			return err
+		}
+		copy(data, s.prefix)
+		_, err = w.Write(data[:prefixSize+uint64(i)])
+		return err
+	default:
+		kind := obj.GetObjectKind().GroupVersionKind()
+		unk = runtime.Unknown{
+			TypeMeta: runtime.TypeMeta{
+				Kind:       kind.Kind,
+				APIVersion: kind.GroupVersion().String(),
+			},
+		}
+	}
+
+	switch t := obj.(type) {
+	case bufferedMarshaller:
+		// this path performs a single allocation during write but requires the caller to implement
+		// the more efficient Size and MarshalTo methods
+		encodedSize := uint64(t.Size())
+		estimatedSize := prefixSize + estimateUnknownSize(&unk, encodedSize)
+		data := make([]byte, estimatedSize)
+
+		i, err := unk.NestedMarshalTo(data[prefixSize:], t, encodedSize)
+		if err != nil {
+			return err
+		}
+
+		copy(data, s.prefix)
+
+		_, err = w.Write(data[:prefixSize+uint64(i)])
+		return err
+
+	case proto.Marshaler:
+		// this path performs extra allocations
+		data, err := t.Marshal()
+		if err != nil {
+			return err
+		}
+		unk.Raw = data
+
+		estimatedSize := prefixSize + uint64(unk.Size())
+		data = make([]byte, estimatedSize)
+
+		i, err := unk.MarshalTo(data[prefixSize:])
+		if err != nil {
+			return err
+		}
+
+		copy(data, s.prefix)
+
+		_, err = w.Write(data[:prefixSize+uint64(i)])
+		return err
+
+	default:
+		// TODO: marshal with a different content type and serializer (JSON for third party objects)
+		return errNotMarshalable{reflect.TypeOf(obj)}
+	}
+}
+
+// RecognizesData implements the RecognizingDecoder interface.
+func (s *Serializer) RecognizesData(peek io.Reader) (bool, bool, error) {
+	prefix := make([]byte, 4)
+	n, err := peek.Read(prefix)
+	if err != nil {
+		if err == io.EOF {
+			return false, false, nil
+		}
+		return false, false, err
+	}
+	if n != 4 {
+		return false, false, nil
+	}
+	return bytes.Equal(s.prefix, prefix), false, nil
+}
+
+// copyKindDefaults defaults dst to the value in src if dst does not have a value set.
+func copyKindDefaults(dst, src *schema.GroupVersionKind) {
+	if src == nil {
+		return
+	}
+	// apply kind and version defaulting from provided default
+	if len(dst.Kind) == 0 {
+		dst.Kind = src.Kind
+	}
+	if len(dst.Version) == 0 && len(src.Version) > 0 {
+		dst.Group = src.Group
+		dst.Version = src.Version
+	}
+}
+
+// bufferedMarshaller describes a more efficient marshalling interface that can avoid allocating multiple
+// byte buffers by pre-calculating the size of the final buffer needed.
+type bufferedMarshaller interface {
+	proto.Sizer
+	runtime.ProtobufMarshaller
+}
+
+// estimateUnknownSize returns the expected bytes consumed by a given runtime.Unknown
+// object with a nil RawJSON struct and the expected size of the provided buffer. The
+// returned size will not be correct if RawJSOn is set on unk.
+func estimateUnknownSize(unk *runtime.Unknown, byteSize uint64) uint64 {
+	size := uint64(unk.Size())
+	// protobuf uses 1 byte for the tag, a varint for the length of the array (at most 8 bytes - uint64 - here),
+	// and the size of the array.
+	size += 1 + 8 + byteSize
+	return size
+}
+
+// NewRawSerializer creates a Protobuf serializer that handles encoding versioned objects into the proper wire form. If typer
+// is not nil, the object has the group, version, and kind fields set. This serializer does not provide type information for the
+// encoded object, and thus is not self describing (callers must know what type is being described in order to decode).
+//
+// This encoding scheme is experimental, and is subject to change at any time.
+func NewRawSerializer(creater runtime.ObjectCreater, typer runtime.ObjectTyper, defaultContentType string) *RawSerializer {
+	return &RawSerializer{
+		creater:     creater,
+		typer:       typer,
+		contentType: defaultContentType,
+	}
+}
+
+// RawSerializer encodes and decodes objects without adding a runtime.Unknown wrapper (objects are encoded without identifying
+// type).
+type RawSerializer struct {
+	creater     runtime.ObjectCreater
+	typer       runtime.ObjectTyper
+	contentType string
+}
+
+var _ runtime.Serializer = &RawSerializer{}
+
+// Decode attempts to convert the provided data into a protobuf message, extract the stored schema kind, apply the provided default
+// gvk, and then load that data into an object matching the desired schema kind or the provided into. If into is *runtime.Unknown,
+// the raw data will be extracted and no decoding will be performed. If into is not registered with the typer, then the object will
+// be straight decoded using normal protobuf unmarshalling (the MarshalTo interface). If into is provided and the original data is
+// not fully qualified with kind/version/group, the type of the into will be used to alter the returned gvk. On success or most
+// errors, the method will return the calculated schema kind.
+func (s *RawSerializer) Decode(originalData []byte, gvk *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	if into == nil {
+		return nil, nil, fmt.Errorf("this serializer requires an object to decode into: %#v", s)
+	}
+
+	if versioned, ok := into.(*runtime.VersionedObjects); ok {
+		into = versioned.Last()
+		obj, actual, err := s.Decode(originalData, gvk, into)
+		if err != nil {
+			return nil, actual, err
+		}
+		if into != nil && into != obj {
+			versioned.Objects = []runtime.Object{obj, into}
+		} else {
+			versioned.Objects = []runtime.Object{obj}
+		}
+		return versioned, actual, err
+	}
+
+	if len(originalData) == 0 {
+		// TODO: treat like decoding {} from JSON with defaulting
+		return nil, nil, fmt.Errorf("empty data")
+	}
+	data := originalData
+
+	actual := &schema.GroupVersionKind{}
+	copyKindDefaults(actual, gvk)
+
+	if intoUnknown, ok := into.(*runtime.Unknown); ok && intoUnknown != nil {
+		intoUnknown.Raw = data
+		intoUnknown.ContentEncoding = ""
+		intoUnknown.ContentType = s.contentType
+		intoUnknown.SetGroupVersionKind(*actual)
+		return intoUnknown, actual, nil
+	}
+
+	types, _, err := s.typer.ObjectKinds(into)
+	switch {
+	case runtime.IsNotRegisteredError(err):
+		pb, ok := into.(proto.Message)
+		if !ok {
+			return nil, actual, errNotMarshalable{reflect.TypeOf(into)}
+		}
+		if err := proto.Unmarshal(data, pb); err != nil {
+			return nil, actual, err
+		}
+		return into, actual, nil
+	case err != nil:
+		return nil, actual, err
+	default:
+		copyKindDefaults(actual, &types[0])
+		// if the result of defaulting did not set a version or group, ensure that at least group is set
+		// (copyKindDefaults will not assign Group if version is already set). This guarantees that the group
+		// of into is set if there is no better information from the caller or object.
+		if len(actual.Version) == 0 && len(actual.Group) == 0 {
+			actual.Group = types[0].Group
+		}
+	}
+
+	if len(actual.Kind) == 0 {
+		return nil, actual, runtime.NewMissingKindErr("<protobuf encoded body - must provide default type>")
+	}
+	if len(actual.Version) == 0 {
+		return nil, actual, runtime.NewMissingVersionErr("<protobuf encoded body - must provide default type>")
+	}
+
+	return unmarshalToObject(s.typer, s.creater, actual, into, data)
+}
+
+// unmarshalToObject is the common code between decode in the raw and normal serializer.
+func unmarshalToObject(typer runtime.ObjectTyper, creater runtime.ObjectCreater, actual *schema.GroupVersionKind, into runtime.Object, data []byte) (runtime.Object, *schema.GroupVersionKind, error) {
+	// use the target if necessary
+	obj, err := runtime.UseOrCreateObject(typer, creater, *actual, into)
+	if err != nil {
+		return nil, actual, err
+	}
+
+	pb, ok := obj.(proto.Message)
+	if !ok {
+		return nil, actual, errNotMarshalable{reflect.TypeOf(obj)}
+	}
+	if err := proto.Unmarshal(data, pb); err != nil {
+		return nil, actual, err
+	}
+	return obj, actual, nil
+}
+
+// Encode serializes the provided object to the given writer. Overrides is ignored.
+func (s *RawSerializer) Encode(obj runtime.Object, w io.Writer) error {
+	switch t := obj.(type) {
+	case bufferedMarshaller:
+		// this path performs a single allocation during write but requires the caller to implement
+		// the more efficient Size and MarshalTo methods
+		encodedSize := uint64(t.Size())
+		data := make([]byte, encodedSize)
+
+		n, err := t.MarshalTo(data)
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data[:n])
+		return err
+
+	case proto.Marshaler:
+		// this path performs extra allocations
+		data, err := t.Marshal()
+		if err != nil {
+			return err
+		}
+		_, err = w.Write(data)
+		return err
+
+	default:
+		return errNotMarshalable{reflect.TypeOf(obj)}
+	}
+}
+
+var LengthDelimitedFramer = lengthDelimitedFramer{}
+
+type lengthDelimitedFramer struct{}
+
+// NewFrameWriter implements stream framing for this serializer
+func (lengthDelimitedFramer) NewFrameWriter(w io.Writer) io.Writer {
+	return framer.NewLengthDelimitedFrameWriter(w)
+}
+
+// NewFrameReader implements stream framing for this serializer
+func (lengthDelimitedFramer) NewFrameReader(r io.ReadCloser) io.ReadCloser {
+	return framer.NewLengthDelimitedFrameReader(r)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf_extension.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf_extension.go
new file mode 100644
index 00000000..545cf78d
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/protobuf_extension.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serializer
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer/protobuf"
+)
+
+const (
+	// contentTypeProtobuf is the protobuf type exposed for Kubernetes. It is private to prevent others from
+	// depending on it unintentionally.
+	// TODO: potentially move to pkg/api (since it's part of the Kube public API) and pass it in to the
+	//   CodecFactory on initialization.
+	contentTypeProtobuf = "application/vnd.kubernetes.protobuf"
+)
+
+func protobufSerializer(scheme *runtime.Scheme) (serializerType, bool) {
+	serializer := protobuf.NewSerializer(scheme, scheme, contentTypeProtobuf)
+	raw := protobuf.NewRawSerializer(scheme, scheme, contentTypeProtobuf)
+	return serializerType{
+		AcceptContentTypes: []string{contentTypeProtobuf},
+		ContentType:        contentTypeProtobuf,
+		FileExtensions:     []string{"pb"},
+		Serializer:         serializer,
+
+		Framer:           protobuf.LengthDelimitedFramer,
+		StreamSerializer: raw,
+	}, true
+}
+
+func init() {
+	serializerExtensions = append(serializerExtensions, protobufSerializer)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/recognizer/recognizer.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/recognizer/recognizer.go
new file mode 100644
index 00000000..38497ab5
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/recognizer/recognizer.go
@@ -0,0 +1,127 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package recognizer
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+type RecognizingDecoder interface {
+	runtime.Decoder
+	// RecognizesData should return true if the input provided in the provided reader
+	// belongs to this decoder, or an error if the data could not be read or is ambiguous.
+	// Unknown is true if the data could not be determined to match the decoder type.
+	// Decoders should assume that they can read as much of peek as they need (as the caller
+	// provides) and may return unknown if the data provided is not sufficient to make a
+	// a determination. When peek returns EOF that may mean the end of the input or the
+	// end of buffered input - recognizers should return the best guess at that time.
+	RecognizesData(peek io.Reader) (ok, unknown bool, err error)
+}
+
+// NewDecoder creates a decoder that will attempt multiple decoders in an order defined
+// by:
+//
+// 1. The decoder implements RecognizingDecoder and identifies the data
+// 2. All other decoders, and any decoder that returned true for unknown.
+//
+// The order passed to the constructor is preserved within those priorities.
+func NewDecoder(decoders ...runtime.Decoder) runtime.Decoder {
+	return &decoder{
+		decoders: decoders,
+	}
+}
+
+type decoder struct {
+	decoders []runtime.Decoder
+}
+
+var _ RecognizingDecoder = &decoder{}
+
+func (d *decoder) RecognizesData(peek io.Reader) (bool, bool, error) {
+	var (
+		lastErr    error
+		anyUnknown bool
+	)
+	data, _ := bufio.NewReaderSize(peek, 1024).Peek(1024)
+	for _, r := range d.decoders {
+		switch t := r.(type) {
+		case RecognizingDecoder:
+			ok, unknown, err := t.RecognizesData(bytes.NewBuffer(data))
+			if err != nil {
+				lastErr = err
+				continue
+			}
+			anyUnknown = anyUnknown || unknown
+			if !ok {
+				continue
+			}
+			return true, false, nil
+		}
+	}
+	return false, anyUnknown, lastErr
+}
+
+func (d *decoder) Decode(data []byte, gvk *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	var (
+		lastErr error
+		skipped []runtime.Decoder
+	)
+
+	// try recognizers, record any decoders we need to give a chance later
+	for _, r := range d.decoders {
+		switch t := r.(type) {
+		case RecognizingDecoder:
+			buf := bytes.NewBuffer(data)
+			ok, unknown, err := t.RecognizesData(buf)
+			if err != nil {
+				lastErr = err
+				continue
+			}
+			if unknown {
+				skipped = append(skipped, t)
+				continue
+			}
+			if !ok {
+				continue
+			}
+			return r.Decode(data, gvk, into)
+		default:
+			skipped = append(skipped, t)
+		}
+	}
+
+	// try recognizers that returned unknown or didn't recognize their data
+	for _, r := range skipped {
+		out, actual, err := r.Decode(data, gvk, into)
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		return out, actual, nil
+	}
+
+	if lastErr == nil {
+		lastErr = fmt.Errorf("no serialization format matched the provided data")
+	}
+	return nil, nil, lastErr
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/streaming/streaming.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/streaming/streaming.go
new file mode 100644
index 00000000..91fd4ed4
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/streaming/streaming.go
@@ -0,0 +1,137 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package streaming implements encoder and decoder for streams
+// of runtime.Objects over io.Writer/Readers.
+package streaming
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// Encoder is a runtime.Encoder on a stream.
+type Encoder interface {
+	// Encode will write the provided object to the stream or return an error. It obeys the same
+	// contract as runtime.VersionedEncoder.
+	Encode(obj runtime.Object) error
+}
+
+// Decoder is a runtime.Decoder from a stream.
+type Decoder interface {
+	// Decode will return io.EOF when no more objects are available.
+	Decode(defaults *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error)
+	// Close closes the underlying stream.
+	Close() error
+}
+
+// Serializer is a factory for creating encoders and decoders that work over streams.
+type Serializer interface {
+	NewEncoder(w io.Writer) Encoder
+	NewDecoder(r io.ReadCloser) Decoder
+}
+
+type decoder struct {
+	reader    io.ReadCloser
+	decoder   runtime.Decoder
+	buf       []byte
+	maxBytes  int
+	resetRead bool
+}
+
+// NewDecoder creates a streaming decoder that reads object chunks from r and decodes them with d.
+// The reader is expected to return ErrShortRead if the provided buffer is not large enough to read
+// an entire object.
+func NewDecoder(r io.ReadCloser, d runtime.Decoder) Decoder {
+	return &decoder{
+		reader:   r,
+		decoder:  d,
+		buf:      make([]byte, 1024),
+		maxBytes: 1024 * 1024,
+	}
+}
+
+var ErrObjectTooLarge = fmt.Errorf("object to decode was longer than maximum allowed size")
+
+// Decode reads the next object from the stream and decodes it.
+func (d *decoder) Decode(defaults *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	base := 0
+	for {
+		n, err := d.reader.Read(d.buf[base:])
+		if err == io.ErrShortBuffer {
+			if n == 0 {
+				return nil, nil, fmt.Errorf("got short buffer with n=0, base=%d, cap=%d", base, cap(d.buf))
+			}
+			if d.resetRead {
+				continue
+			}
+			// double the buffer size up to maxBytes
+			if len(d.buf) < d.maxBytes {
+				base += n
+				d.buf = append(d.buf, make([]byte, len(d.buf))...)
+				continue
+			}
+			// must read the rest of the frame (until we stop getting ErrShortBuffer)
+			d.resetRead = true
+			base = 0
+			return nil, nil, ErrObjectTooLarge
+		}
+		if err != nil {
+			return nil, nil, err
+		}
+		if d.resetRead {
+			// now that we have drained the large read, continue
+			d.resetRead = false
+			continue
+		}
+		base += n
+		break
+	}
+	return d.decoder.Decode(d.buf[:base], defaults, into)
+}
+
+func (d *decoder) Close() error {
+	return d.reader.Close()
+}
+
+type encoder struct {
+	writer  io.Writer
+	encoder runtime.Encoder
+	buf     *bytes.Buffer
+}
+
+// NewEncoder returns a new streaming encoder.
+func NewEncoder(w io.Writer, e runtime.Encoder) Encoder {
+	return &encoder{
+		writer:  w,
+		encoder: e,
+		buf:     &bytes.Buffer{},
+	}
+}
+
+// Encode writes the provided object to the nested writer.
+func (e *encoder) Encode(obj runtime.Object) error {
+	if err := e.encoder.Encode(obj, e.buf); err != nil {
+		return err
+	}
+	_, err := e.writer.Write(e.buf.Bytes())
+	e.buf.Reset()
+	return err
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/versioning/versioning.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/versioning/versioning.go
new file mode 100644
index 00000000..74ad84dd
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/serializer/versioning/versioning.go
@@ -0,0 +1,273 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package versioning
+
+import (
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+// NewCodecForScheme is a convenience method for callers that are using a scheme.
+func NewCodecForScheme(
+	// TODO: I should be a scheme interface?
+	scheme *runtime.Scheme,
+	encoder runtime.Encoder,
+	decoder runtime.Decoder,
+	encodeVersion runtime.GroupVersioner,
+	decodeVersion runtime.GroupVersioner,
+) runtime.Codec {
+	return NewCodec(encoder, decoder, runtime.UnsafeObjectConvertor(scheme), scheme, scheme, scheme, nil, encodeVersion, decodeVersion)
+}
+
+// NewDefaultingCodecForScheme is a convenience method for callers that are using a scheme.
+func NewDefaultingCodecForScheme(
+	// TODO: I should be a scheme interface?
+	scheme *runtime.Scheme,
+	encoder runtime.Encoder,
+	decoder runtime.Decoder,
+	encodeVersion runtime.GroupVersioner,
+	decodeVersion runtime.GroupVersioner,
+) runtime.Codec {
+	return NewCodec(encoder, decoder, runtime.UnsafeObjectConvertor(scheme), scheme, scheme, scheme, scheme, encodeVersion, decodeVersion)
+}
+
+// NewCodec takes objects in their internal versions and converts them to external versions before
+// serializing them. It assumes the serializer provided to it only deals with external versions.
+// This class is also a serializer, but is generally used with a specific version.
+func NewCodec(
+	encoder runtime.Encoder,
+	decoder runtime.Decoder,
+	convertor runtime.ObjectConvertor,
+	creater runtime.ObjectCreater,
+	copier runtime.ObjectCopier,
+	typer runtime.ObjectTyper,
+	defaulter runtime.ObjectDefaulter,
+	encodeVersion runtime.GroupVersioner,
+	decodeVersion runtime.GroupVersioner,
+) runtime.Codec {
+	internal := &codec{
+		encoder:   encoder,
+		decoder:   decoder,
+		convertor: convertor,
+		creater:   creater,
+		copier:    copier,
+		typer:     typer,
+		defaulter: defaulter,
+
+		encodeVersion: encodeVersion,
+		decodeVersion: decodeVersion,
+	}
+	return internal
+}
+
+type codec struct {
+	encoder   runtime.Encoder
+	decoder   runtime.Decoder
+	convertor runtime.ObjectConvertor
+	creater   runtime.ObjectCreater
+	copier    runtime.ObjectCopier
+	typer     runtime.ObjectTyper
+	defaulter runtime.ObjectDefaulter
+
+	encodeVersion runtime.GroupVersioner
+	decodeVersion runtime.GroupVersioner
+}
+
+// Decode attempts a decode of the object, then tries to convert it to the internal version. If into is provided and the decoding is
+// successful, the returned runtime.Object will be the value passed as into. Note that this may bypass conversion if you pass an
+// into that matches the serialized version.
+func (c *codec) Decode(data []byte, defaultGVK *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	versioned, isVersioned := into.(*runtime.VersionedObjects)
+	if isVersioned {
+		into = versioned.Last()
+	}
+
+	obj, gvk, err := c.decoder.Decode(data, defaultGVK, into)
+	if err != nil {
+		return nil, gvk, err
+	}
+
+	if d, ok := obj.(runtime.NestedObjectDecoder); ok {
+		if err := d.DecodeNestedObjects(DirectDecoder{c.decoder}); err != nil {
+			return nil, gvk, err
+		}
+	}
+
+	// if we specify a target, use generic conversion.
+	if into != nil {
+		if into == obj {
+			if isVersioned {
+				return versioned, gvk, nil
+			}
+			return into, gvk, nil
+		}
+
+		// perform defaulting if requested
+		if c.defaulter != nil {
+			// create a copy to ensure defaulting is not applied to the original versioned objects
+			if isVersioned {
+				copied, err := c.copier.Copy(obj)
+				if err != nil {
+					utilruntime.HandleError(err)
+					copied = obj
+				}
+				versioned.Objects = []runtime.Object{copied}
+			}
+			c.defaulter.Default(obj)
+		} else {
+			if isVersioned {
+				versioned.Objects = []runtime.Object{obj}
+			}
+		}
+
+		if err := c.convertor.Convert(obj, into, c.decodeVersion); err != nil {
+			return nil, gvk, err
+		}
+
+		if isVersioned {
+			versioned.Objects = append(versioned.Objects, into)
+			return versioned, gvk, nil
+		}
+		return into, gvk, nil
+	}
+
+	// Convert if needed.
+	if isVersioned {
+		// create a copy, because ConvertToVersion does not guarantee non-mutation of objects
+		copied, err := c.copier.Copy(obj)
+		if err != nil {
+			utilruntime.HandleError(err)
+			copied = obj
+		}
+		versioned.Objects = []runtime.Object{copied}
+	}
+
+	// perform defaulting if requested
+	if c.defaulter != nil {
+		c.defaulter.Default(obj)
+	}
+
+	out, err := c.convertor.ConvertToVersion(obj, c.decodeVersion)
+	if err != nil {
+		return nil, gvk, err
+	}
+	if isVersioned {
+		if versioned.Last() != out {
+			versioned.Objects = append(versioned.Objects, out)
+		}
+		return versioned, gvk, nil
+	}
+	return out, gvk, nil
+}
+
+// Encode ensures the provided object is output in the appropriate group and version, invoking
+// conversion if necessary. Unversioned objects (according to the ObjectTyper) are output as is.
+func (c *codec) Encode(obj runtime.Object, w io.Writer) error {
+	switch obj.(type) {
+	case *runtime.Unknown, runtime.Unstructured:
+		return c.encoder.Encode(obj, w)
+	}
+
+	gvks, isUnversioned, err := c.typer.ObjectKinds(obj)
+	if err != nil {
+		return err
+	}
+
+	if c.encodeVersion == nil || isUnversioned {
+		if e, ok := obj.(runtime.NestedObjectEncoder); ok {
+			if err := e.EncodeNestedObjects(DirectEncoder{Encoder: c.encoder, ObjectTyper: c.typer}); err != nil {
+				return err
+			}
+		}
+		objectKind := obj.GetObjectKind()
+		old := objectKind.GroupVersionKind()
+		objectKind.SetGroupVersionKind(gvks[0])
+		err = c.encoder.Encode(obj, w)
+		objectKind.SetGroupVersionKind(old)
+		return err
+	}
+
+	// Perform a conversion if necessary
+	objectKind := obj.GetObjectKind()
+	old := objectKind.GroupVersionKind()
+	out, err := c.convertor.ConvertToVersion(obj, c.encodeVersion)
+	if err != nil {
+		return err
+	}
+
+	if e, ok := out.(runtime.NestedObjectEncoder); ok {
+		if err := e.EncodeNestedObjects(DirectEncoder{Version: c.encodeVersion, Encoder: c.encoder, ObjectTyper: c.typer}); err != nil {
+			return err
+		}
+	}
+
+	// Conversion is responsible for setting the proper group, version, and kind onto the outgoing object
+	err = c.encoder.Encode(out, w)
+	// restore the old GVK, in case conversion returned the same object
+	objectKind.SetGroupVersionKind(old)
+	return err
+}
+
+// DirectEncoder serializes an object and ensures the GVK is set.
+type DirectEncoder struct {
+	Version runtime.GroupVersioner
+	runtime.Encoder
+	runtime.ObjectTyper
+}
+
+// Encode does not do conversion. It sets the gvk during serialization.
+func (e DirectEncoder) Encode(obj runtime.Object, stream io.Writer) error {
+	gvks, _, err := e.ObjectTyper.ObjectKinds(obj)
+	if err != nil {
+		if runtime.IsNotRegisteredError(err) {
+			return e.Encoder.Encode(obj, stream)
+		}
+		return err
+	}
+	kind := obj.GetObjectKind()
+	oldGVK := kind.GroupVersionKind()
+	gvk := gvks[0]
+	if e.Version != nil {
+		preferredGVK, ok := e.Version.KindForGroupVersionKinds(gvks)
+		if ok {
+			gvk = preferredGVK
+		}
+	}
+	kind.SetGroupVersionKind(gvk)
+	err = e.Encoder.Encode(obj, stream)
+	kind.SetGroupVersionKind(oldGVK)
+	return err
+}
+
+// DirectDecoder clears the group version kind of a deserialized object.
+type DirectDecoder struct {
+	runtime.Decoder
+}
+
+// Decode does not do conversion. It removes the gvk during deserialization.
+func (d DirectDecoder) Decode(data []byte, defaults *schema.GroupVersionKind, into runtime.Object) (runtime.Object, *schema.GroupVersionKind, error) {
+	obj, gvk, err := d.Decoder.Decode(data, defaults, into)
+	if obj != nil {
+		kind := obj.GetObjectKind()
+		// clearing the gvk is just a convention of a codec
+		kind.SetGroupVersionKind(schema.GroupVersionKind{})
+	}
+	return obj, gvk, err
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator.go
new file mode 100644
index 00000000..5bc642bc
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator.go
@@ -0,0 +1,262 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"bytes"
+	"fmt"
+	"go/ast"
+	"go/doc"
+	"go/parser"
+	"go/token"
+	"io"
+	"reflect"
+	"strings"
+)
+
+// Pair of strings. We keed the name of fields and the doc
+type Pair struct {
+	Name, Doc string
+}
+
+// KubeTypes is an array to represent all available types in a parsed file. [0] is for the type itself
+type KubeTypes []Pair
+
+func astFrom(filePath string) *doc.Package {
+	fset := token.NewFileSet()
+	m := make(map[string]*ast.File)
+
+	f, err := parser.ParseFile(fset, filePath, nil, parser.ParseComments)
+	if err != nil {
+		fmt.Println(err)
+		return nil
+	}
+
+	m[filePath] = f
+	apkg, _ := ast.NewPackage(fset, m, nil, nil)
+
+	return doc.New(apkg, "", 0)
+}
+
+func fmtRawDoc(rawDoc string) string {
+	var buffer bytes.Buffer
+	delPrevChar := func() {
+		if buffer.Len() > 0 {
+			buffer.Truncate(buffer.Len() - 1) // Delete the last " " or "\n"
+		}
+	}
+
+	// Ignore all lines after ---
+	rawDoc = strings.Split(rawDoc, "---")[0]
+
+	for _, line := range strings.Split(rawDoc, "\n") {
+		line = strings.TrimRight(line, " ")
+		leading := strings.TrimLeft(line, " ")
+		switch {
+		case len(line) == 0: // Keep paragraphs
+			delPrevChar()
+			buffer.WriteString("\n\n")
+		case strings.HasPrefix(leading, "TODO"): // Ignore one line TODOs
+		case strings.HasPrefix(leading, "+"): // Ignore instructions to the generators
+		default:
+			if strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t") {
+				delPrevChar()
+				line = "\n" + line + "\n" // Replace it with newline. This is useful when we have a line with: "Example:\n\tJSON-someting..."
+			} else {
+				line += " "
+			}
+			buffer.WriteString(line)
+		}
+	}
+
+	postDoc := strings.TrimRight(buffer.String(), "\n")
+	postDoc = strings.Replace(postDoc, "\\\"", "\"", -1) // replace user's \" to "
+	postDoc = strings.Replace(postDoc, "\"", "\\\"", -1) // Escape "
+	postDoc = strings.Replace(postDoc, "\n", "\\n", -1)
+	postDoc = strings.Replace(postDoc, "\t", "\\t", -1)
+
+	return postDoc
+}
+
+// fieldName returns the name of the field as it should appear in JSON format
+// "-" indicates that this field is not part of the JSON representation
+func fieldName(field *ast.Field) string {
+	jsonTag := ""
+	if field.Tag != nil {
+		jsonTag = reflect.StructTag(field.Tag.Value[1 : len(field.Tag.Value)-1]).Get("json") // Delete first and last quotation
+		if strings.Contains(jsonTag, "inline") {
+			return "-"
+		}
+	}
+
+	jsonTag = strings.Split(jsonTag, ",")[0] // This can return "-"
+	if jsonTag == "" {
+		if field.Names != nil {
+			return field.Names[0].Name
+		}
+		return field.Type.(*ast.Ident).Name
+	}
+	return jsonTag
+}
+
+// A buffer of lines that will be written.
+type bufferedLine struct {
+	line        string
+	indentation int
+}
+
+type buffer struct {
+	lines []bufferedLine
+}
+
+func newBuffer() *buffer {
+	return &buffer{
+		lines: make([]bufferedLine, 0),
+	}
+}
+
+func (b *buffer) addLine(line string, indent int) {
+	b.lines = append(b.lines, bufferedLine{line, indent})
+}
+
+func (b *buffer) flushLines(w io.Writer) error {
+	for _, line := range b.lines {
+		indentation := strings.Repeat("\t", line.indentation)
+		fullLine := fmt.Sprintf("%s%s", indentation, line.line)
+		if _, err := io.WriteString(w, fullLine); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func writeFuncHeader(b *buffer, structName string, indent int) {
+	s := fmt.Sprintf("var map_%s = map[string]string {\n", structName)
+	b.addLine(s, indent)
+}
+
+func writeFuncFooter(b *buffer, structName string, indent int) {
+	b.addLine("}\n", indent) // Closes the map definition
+
+	s := fmt.Sprintf("func (%s) SwaggerDoc() map[string]string {\n", structName)
+	b.addLine(s, indent)
+	s = fmt.Sprintf("return map_%s\n", structName)
+	b.addLine(s, indent+1)
+	b.addLine("}\n", indent) // Closes the function definition
+}
+
+func writeMapBody(b *buffer, kubeType []Pair, indent int) {
+	format := "\"%s\": \"%s\",\n"
+	for _, pair := range kubeType {
+		s := fmt.Sprintf(format, pair.Name, pair.Doc)
+		b.addLine(s, indent+2)
+	}
+}
+
+// ParseDocumentationFrom gets all types' documentation and returns them as an
+// array. Each type is again represented as an array (we have to use arrays as we
+// need to be sure for the order of the fields). This function returns fields and
+// struct definitions that have no documentation as {name, ""}.
+func ParseDocumentationFrom(src string) []KubeTypes {
+	var docForTypes []KubeTypes
+
+	pkg := astFrom(src)
+
+	for _, kubType := range pkg.Types {
+		if structType, ok := kubType.Decl.Specs[0].(*ast.TypeSpec).Type.(*ast.StructType); ok {
+			var ks KubeTypes
+			ks = append(ks, Pair{kubType.Name, fmtRawDoc(kubType.Doc)})
+
+			for _, field := range structType.Fields.List {
+				if n := fieldName(field); n != "-" {
+					fieldDoc := fmtRawDoc(field.Doc.Text())
+					ks = append(ks, Pair{n, fieldDoc})
+				}
+			}
+			docForTypes = append(docForTypes, ks)
+		}
+	}
+
+	return docForTypes
+}
+
+// WriteSwaggerDocFunc writes a declaration of a function as a string. This function is used in
+// Swagger as a documentation source for structs and theirs fields
+func WriteSwaggerDocFunc(kubeTypes []KubeTypes, w io.Writer) error {
+	for _, kubeType := range kubeTypes {
+		structName := kubeType[0].Name
+		kubeType[0].Name = ""
+
+		// Ignore empty documentation
+		docfulTypes := make(KubeTypes, 0, len(kubeType))
+		for _, pair := range kubeType {
+			if pair.Doc != "" {
+				docfulTypes = append(docfulTypes, pair)
+			}
+		}
+
+		if len(docfulTypes) == 0 {
+			continue // If no fields and the struct have documentation, skip the function definition
+		}
+
+		indent := 0
+		buffer := newBuffer()
+
+		writeFuncHeader(buffer, structName, indent)
+		writeMapBody(buffer, docfulTypes, indent)
+		writeFuncFooter(buffer, structName, indent)
+		buffer.addLine("\n", 0)
+
+		if err := buffer.flushLines(w); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// VerifySwaggerDocsExist writes in a io.Writer a list of structs and fields that
+// are missing of documentation.
+func VerifySwaggerDocsExist(kubeTypes []KubeTypes, w io.Writer) (int, error) {
+	missingDocs := 0
+	buffer := newBuffer()
+
+	for _, kubeType := range kubeTypes {
+		structName := kubeType[0].Name
+		if kubeType[0].Doc == "" {
+			format := "Missing documentation for the struct itself: %s\n"
+			s := fmt.Sprintf(format, structName)
+			buffer.addLine(s, 0)
+			missingDocs++
+		}
+		kubeType = kubeType[1:] // Skip struct definition
+
+		for _, pair := range kubeType { // Iterate only the fields
+			if pair.Doc == "" {
+				format := "In struct: %s, field documentation is missing: %s\n"
+				s := fmt.Sprintf(format, structName, pair.Name)
+				buffer.addLine(s, 0)
+				missingDocs++
+			}
+		}
+	}
+
+	if err := buffer.flushLines(w); err != nil {
+		return -1, err
+	}
+	return missingDocs, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/types.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/types.go
new file mode 100644
index 00000000..e4515d8e
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/types.go
@@ -0,0 +1,137 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+// Note that the types provided in this file are not versioned and are intended to be
+// safe to use from within all versions of every API object.
+
+// TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type,
+// like this:
+// type MyAwesomeAPIObject struct {
+//      runtime.TypeMeta    `json:",inline"`
+//      ... // other fields
+// }
+// func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind
+//
+// TypeMeta is provided here for convenience. You may use it directly from this package or define
+// your own with the same fields.
+//
+// +k8s:deepcopy-gen=false
+// +protobuf=true
+// +k8s:openapi-gen=true
+type TypeMeta struct {
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty" protobuf:"bytes,1,opt,name=apiVersion"`
+	// +optional
+	Kind string `json:"kind,omitempty" yaml:"kind,omitempty" protobuf:"bytes,2,opt,name=kind"`
+}
+
+const (
+	ContentTypeJSON string = "application/json"
+)
+
+// RawExtension is used to hold extensions in external versions.
+//
+// To use this, make a field which has RawExtension as its type in your external, versioned
+// struct, and Object in your internal struct. You also need to register your
+// various plugin types.
+//
+// // Internal package:
+// type MyAPIObject struct {
+// 	runtime.TypeMeta `json:",inline"`
+//	MyPlugin runtime.Object `json:"myPlugin"`
+// }
+// type PluginA struct {
+//	AOption string `json:"aOption"`
+// }
+//
+// // External package:
+// type MyAPIObject struct {
+// 	runtime.TypeMeta `json:",inline"`
+//	MyPlugin runtime.RawExtension `json:"myPlugin"`
+// }
+// type PluginA struct {
+//	AOption string `json:"aOption"`
+// }
+//
+// // On the wire, the JSON will look something like this:
+// {
+//	"kind":"MyAPIObject",
+//	"apiVersion":"v1",
+//	"myPlugin": {
+//		"kind":"PluginA",
+//		"aOption":"foo",
+//	},
+// }
+//
+// So what happens? Decode first uses json or yaml to unmarshal the serialized data into
+// your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked.
+// The next step is to copy (using pkg/conversion) into the internal struct. The runtime
+// package's DefaultScheme has conversion functions installed which will unpack the
+// JSON stored in RawExtension, turning it into the correct object type, and storing it
+// in the Object. (TODO: In the case where the object is of an unknown type, a
+// runtime.Unknown object will be created and stored.)
+//
+// +k8s:deepcopy-gen=true
+// +protobuf=true
+// +k8s:openapi-gen=true
+type RawExtension struct {
+	// Raw is the underlying serialization of this object.
+	//
+	// TODO: Determine how to detect ContentType and ContentEncoding of 'Raw' data.
+	Raw []byte `protobuf:"bytes,1,opt,name=raw"`
+	// Object can hold a representation of this extension - useful for working with versioned
+	// structs.
+	Object Object `json:"-"`
+}
+
+// Unknown allows api objects with unknown types to be passed-through. This can be used
+// to deal with the API objects from a plug-in. Unknown objects still have functioning
+// TypeMeta features-- kind, version, etc.
+// TODO: Make this object have easy access to field based accessors and settors for
+// metadata and field mutatation.
+//
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +protobuf=true
+// +k8s:openapi-gen=true
+type Unknown struct {
+	TypeMeta `json:",inline" protobuf:"bytes,1,opt,name=typeMeta"`
+	// Raw will hold the complete serialized object which couldn't be matched
+	// with a registered type. Most likely, nothing should be done with this
+	// except for passing it through the system.
+	Raw []byte `protobuf:"bytes,2,opt,name=raw"`
+	// ContentEncoding is encoding used to encode 'Raw' data.
+	// Unspecified means no encoding.
+	ContentEncoding string `protobuf:"bytes,3,opt,name=contentEncoding"`
+	// ContentType  is serialization method used to serialize 'Raw'.
+	// Unspecified means ContentTypeJSON.
+	ContentType string `protobuf:"bytes,4,opt,name=contentType"`
+}
+
+// VersionedObjects is used by Decoders to give callers a way to access all versions
+// of an object during the decoding process.
+//
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:deepcopy-gen=true
+type VersionedObjects struct {
+	// Objects is the set of objects retrieved during decoding, in order of conversion.
+	// The 0 index is the object as serialized on the wire. If conversion has occurred,
+	// other objects may be present. The right most object is the same as would be returned
+	// by a normal Decode call.
+	Objects []Object
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/types_proto.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/types_proto.go
new file mode 100644
index 00000000..ead96ee0
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/types_proto.go
@@ -0,0 +1,69 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"fmt"
+)
+
+type ProtobufMarshaller interface {
+	MarshalTo(data []byte) (int, error)
+}
+
+// NestedMarshalTo allows a caller to avoid extra allocations during serialization of an Unknown
+// that will contain an object that implements ProtobufMarshaller.
+func (m *Unknown) NestedMarshalTo(data []byte, b ProtobufMarshaller, size uint64) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	data[i] = 0xa
+	i++
+	i = encodeVarintGenerated(data, i, uint64(m.TypeMeta.Size()))
+	n1, err := m.TypeMeta.MarshalTo(data[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+
+	if b != nil {
+		data[i] = 0x12
+		i++
+		i = encodeVarintGenerated(data, i, size)
+		n2, err := b.MarshalTo(data[i:])
+		if err != nil {
+			return 0, err
+		}
+		if uint64(n2) != size {
+			// programmer error: the Size() method for protobuf does not match the results of MarshalTo, which means the proto
+			// struct returned would be wrong.
+			return 0, fmt.Errorf("the Size() value of %T was %d, but NestedMarshalTo wrote %d bytes to data", b, size, n2)
+		}
+		i += n2
+	}
+
+	data[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(data, i, uint64(len(m.ContentEncoding)))
+	i += copy(data[i:], m.ContentEncoding)
+
+	data[i] = 0x22
+	i++
+	i = encodeVarintGenerated(data, i, uint64(len(m.ContentType)))
+	i += copy(data[i:], m.ContentType)
+	return i, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/runtime/zz_generated.deepcopy.go b/cli/vendor/k8s.io/apimachinery/pkg/runtime/zz_generated.deepcopy.go
new file mode 100644
index 00000000..b2cf3640
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/runtime/zz_generated.deepcopy.go
@@ -0,0 +1,139 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package runtime
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	reflect "reflect"
+)
+
+// GetGeneratedDeepCopyFuncs returns the generated funcs, since we aren't registering them.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func GetGeneratedDeepCopyFuncs() []conversion.GeneratedDeepCopyFunc {
+	return []conversion.GeneratedDeepCopyFunc{
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*RawExtension).DeepCopyInto(out.(*RawExtension))
+			return nil
+		}, InType: reflect.TypeOf(&RawExtension{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Unknown).DeepCopyInto(out.(*Unknown))
+			return nil
+		}, InType: reflect.TypeOf(&Unknown{})},
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*VersionedObjects).DeepCopyInto(out.(*VersionedObjects))
+			return nil
+		}, InType: reflect.TypeOf(&VersionedObjects{})},
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RawExtension) DeepCopyInto(out *RawExtension) {
+	*out = *in
+	if in.Raw != nil {
+		in, out := &in.Raw, &out.Raw
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.Object == nil {
+		out.Object = nil
+	} else {
+		out.Object = in.Object.DeepCopyObject()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RawExtension.
+func (in *RawExtension) DeepCopy() *RawExtension {
+	if in == nil {
+		return nil
+	}
+	out := new(RawExtension)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Unknown) DeepCopyInto(out *Unknown) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	if in.Raw != nil {
+		in, out := &in.Raw, &out.Raw
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Unknown.
+func (in *Unknown) DeepCopy() *Unknown {
+	if in == nil {
+		return nil
+	}
+	out := new(Unknown)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new Object.
+func (in *Unknown) DeepCopyObject() Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VersionedObjects) DeepCopyInto(out *VersionedObjects) {
+	*out = *in
+	if in.Objects != nil {
+		in, out := &in.Objects, &out.Objects
+		*out = make([]Object, len(*in))
+		for i := range *in {
+			if (*in)[i] == nil {
+				(*out)[i] = nil
+			} else {
+				(*out)[i] = (*in)[i].DeepCopyObject()
+			}
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VersionedObjects.
+func (in *VersionedObjects) DeepCopy() *VersionedObjects {
+	if in == nil {
+		return nil
+	}
+	out := new(VersionedObjects)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new Object.
+func (in *VersionedObjects) DeepCopyObject() Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/selection/operator.go b/cli/vendor/k8s.io/apimachinery/pkg/selection/operator.go
new file mode 100644
index 00000000..298f798c
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/selection/operator.go
@@ -0,0 +1,33 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package selection
+
+// Operator represents a key/field's relationship to value(s).
+// See labels.Requirement and fields.Requirement for more details.
+type Operator string
+
+const (
+	DoesNotExist Operator = "!"
+	Equals       Operator = "="
+	DoubleEquals Operator = "=="
+	In           Operator = "in"
+	NotEquals    Operator = "!="
+	NotIn        Operator = "notin"
+	Exists       Operator = "exists"
+	GreaterThan  Operator = "gt"
+	LessThan     Operator = "lt"
+)
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/types/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/types/doc.go
new file mode 100644
index 00000000..5667fa99
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/types/doc.go
@@ -0,0 +1,18 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package types implements various generic types used throughout kubernetes.
+package types // import "k8s.io/apimachinery/pkg/types"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/types/namespacedname.go b/cli/vendor/k8s.io/apimachinery/pkg/types/namespacedname.go
new file mode 100644
index 00000000..1e2130da
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/types/namespacedname.go
@@ -0,0 +1,60 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+import (
+	"fmt"
+	"strings"
+)
+
+// NamespacedName comprises a resource name, with a mandatory namespace,
+// rendered as "<namespace>/<name>".  Being a type captures intent and
+// helps make sure that UIDs, namespaced names and non-namespaced names
+// do not get conflated in code.  For most use cases, namespace and name
+// will already have been format validated at the API entry point, so we
+// don't do that here.  Where that's not the case (e.g. in testing),
+// consider using NamespacedNameOrDie() in testing.go in this package.
+
+type NamespacedName struct {
+	Namespace string
+	Name      string
+}
+
+const (
+	Separator = '/'
+)
+
+// String returns the general purpose string representation
+func (n NamespacedName) String() string {
+	return fmt.Sprintf("%s%c%s", n.Namespace, Separator, n.Name)
+}
+
+// NewNamespacedNameFromString parses the provided string and returns a NamespacedName.
+// The expected format is as per String() above.
+// If the input string is invalid, the returned NamespacedName has all empty string field values.
+// This allows a single-value return from this function, while still allowing error checks in the caller.
+// Note that an input string which does not include exactly one Separator is not a valid input (as it could never
+// have neem returned by String() )
+func NewNamespacedNameFromString(s string) NamespacedName {
+	nn := NamespacedName{}
+	result := strings.Split(s, string(Separator))
+	if len(result) == 2 {
+		nn.Namespace = result[0]
+		nn.Name = result[1]
+	}
+	return nn
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/types/nodename.go b/cli/vendor/k8s.io/apimachinery/pkg/types/nodename.go
new file mode 100644
index 00000000..fee348d7
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/types/nodename.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+// NodeName is a type that holds a api.Node's Name identifier.
+// Being a type captures intent and helps make sure that the node name
+// is not confused with similar concepts (the hostname, the cloud provider id,
+// the cloud provider name etc)
+//
+// To clarify the various types:
+//
+// * Node.Name is the Name field of the Node in the API.  This should be stored in a NodeName.
+//   Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level.
+//
+// * Hostname is the hostname of the local machine (from uname -n).
+//   However, some components allow the user to pass in a --hostname-override flag,
+//   which will override this in most places. In the absence of anything more meaningful,
+//   kubelet will use Hostname as the Node.Name when it creates the Node.
+//
+// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId.
+//
+//   For GCE, InstanceName is the Name of an Instance object in the GCE API.  On GCE, Instance.Name becomes the
+//   Hostname, and thus it makes sense also to use it as the Node.Name.  But that is GCE specific, and it is up
+//   to the cloudprovider how to do this mapping.
+//
+//   For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the
+//   PrivateDnsName for the Node.Name.  And this is _not_ always the same as the hostname: if
+//   we are using a custom DHCP domain it won't be.
+type NodeName string
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/types/patch.go b/cli/vendor/k8s.io/apimachinery/pkg/types/patch.go
new file mode 100644
index 00000000..d522d1db
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/types/patch.go
@@ -0,0 +1,28 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+// Similarly to above, these are constants to support HTTP PATCH utilized by
+// both the client and server that didn't make sense for a whole package to be
+// dedicated to.
+type PatchType string
+
+const (
+	JSONPatchType           PatchType = "application/json-patch+json"
+	MergePatchType          PatchType = "application/merge-patch+json"
+	StrategicMergePatchType PatchType = "application/strategic-merge-patch+json"
+)
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/types/uid.go b/cli/vendor/k8s.io/apimachinery/pkg/types/uid.go
new file mode 100644
index 00000000..86933922
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/types/uid.go
@@ -0,0 +1,22 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+// UID is a type that holds unique ID values, including UUIDs.  Because we
+// don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+// intent and helps make sure that UIDs and names do not get conflated.
+type UID string
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/cache/cache.go b/cli/vendor/k8s.io/apimachinery/pkg/util/cache/cache.go
new file mode 100644
index 00000000..9a09fe54
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/cache/cache.go
@@ -0,0 +1,83 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"sync"
+)
+
+const (
+	shardsCount int = 32
+)
+
+type Cache []*cacheShard
+
+func NewCache(maxSize int) Cache {
+	if maxSize < shardsCount {
+		maxSize = shardsCount
+	}
+	cache := make(Cache, shardsCount)
+	for i := 0; i < shardsCount; i++ {
+		cache[i] = &cacheShard{
+			items:   make(map[uint64]interface{}),
+			maxSize: maxSize / shardsCount,
+		}
+	}
+	return cache
+}
+
+func (c Cache) getShard(index uint64) *cacheShard {
+	return c[index%uint64(shardsCount)]
+}
+
+// Returns true if object already existed, false otherwise.
+func (c *Cache) Add(index uint64, obj interface{}) bool {
+	return c.getShard(index).add(index, obj)
+}
+
+func (c *Cache) Get(index uint64) (obj interface{}, found bool) {
+	return c.getShard(index).get(index)
+}
+
+type cacheShard struct {
+	items map[uint64]interface{}
+	sync.RWMutex
+	maxSize int
+}
+
+// Returns true if object already existed, false otherwise.
+func (s *cacheShard) add(index uint64, obj interface{}) bool {
+	s.Lock()
+	defer s.Unlock()
+	_, isOverwrite := s.items[index]
+	if !isOverwrite && len(s.items) >= s.maxSize {
+		var randomKey uint64
+		for randomKey = range s.items {
+			break
+		}
+		delete(s.items, randomKey)
+	}
+	s.items[index] = obj
+	return isOverwrite
+}
+
+func (s *cacheShard) get(index uint64) (obj interface{}, found bool) {
+	s.RLock()
+	defer s.RUnlock()
+	obj, found = s.items[index]
+	return
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/cache/lruexpirecache.go b/cli/vendor/k8s.io/apimachinery/pkg/util/cache/lruexpirecache.go
new file mode 100644
index 00000000..f6b307aa
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/cache/lruexpirecache.go
@@ -0,0 +1,102 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"sync"
+	"time"
+
+	"github.com/hashicorp/golang-lru"
+)
+
+// Clock defines an interface for obtaining the current time
+type Clock interface {
+	Now() time.Time
+}
+
+// realClock implements the Clock interface by calling time.Now()
+type realClock struct{}
+
+func (realClock) Now() time.Time { return time.Now() }
+
+// LRUExpireCache is a cache that ensures the mostly recently accessed keys are returned with
+// a ttl beyond which keys are forcibly expired.
+type LRUExpireCache struct {
+	// clock is used to obtain the current time
+	clock Clock
+
+	cache *lru.Cache
+	lock  sync.Mutex
+}
+
+// NewLRUExpireCache creates an expiring cache with the given size
+func NewLRUExpireCache(maxSize int) *LRUExpireCache {
+	return NewLRUExpireCacheWithClock(maxSize, realClock{})
+}
+
+// NewLRUExpireCacheWithClock creates an expiring cache with the given size, using the specified clock to obtain the current time.
+func NewLRUExpireCacheWithClock(maxSize int, clock Clock) *LRUExpireCache {
+	cache, err := lru.New(maxSize)
+	if err != nil {
+		// if called with an invalid size
+		panic(err)
+	}
+	return &LRUExpireCache{clock: clock, cache: cache}
+}
+
+type cacheEntry struct {
+	value      interface{}
+	expireTime time.Time
+}
+
+// Add adds the value to the cache at key with the specified maximum duration.
+func (c *LRUExpireCache) Add(key interface{}, value interface{}, ttl time.Duration) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	c.cache.Add(key, &cacheEntry{value, c.clock.Now().Add(ttl)})
+}
+
+// Get returns the value at the specified key from the cache if it exists and is not
+// expired, or returns false.
+func (c *LRUExpireCache) Get(key interface{}) (interface{}, bool) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	e, ok := c.cache.Get(key)
+	if !ok {
+		return nil, false
+	}
+	if c.clock.Now().After(e.(*cacheEntry).expireTime) {
+		c.cache.Remove(key)
+		return nil, false
+	}
+	return e.(*cacheEntry).value, true
+}
+
+// Remove removes the specified key from the cache if it exists
+func (c *LRUExpireCache) Remove(key interface{}) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	c.cache.Remove(key)
+}
+
+// Keys returns all the keys in the cache, even if they are expired. Subsequent calls to
+// get may return not found. It returns all keys from oldest to newest.
+func (c *LRUExpireCache) Keys() []interface{} {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	return c.cache.Keys()
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/clock/clock.go b/cli/vendor/k8s.io/apimachinery/pkg/util/clock/clock.go
new file mode 100644
index 00000000..c303a212
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/clock/clock.go
@@ -0,0 +1,327 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clock
+
+import (
+	"sync"
+	"time"
+)
+
+// Clock allows for injecting fake or real clocks into code that
+// needs to do arbitrary things based on time.
+type Clock interface {
+	Now() time.Time
+	Since(time.Time) time.Duration
+	After(d time.Duration) <-chan time.Time
+	NewTimer(d time.Duration) Timer
+	Sleep(d time.Duration)
+	Tick(d time.Duration) <-chan time.Time
+}
+
+var (
+	_ = Clock(RealClock{})
+	_ = Clock(&FakeClock{})
+	_ = Clock(&IntervalClock{})
+)
+
+// RealClock really calls time.Now()
+type RealClock struct{}
+
+// Now returns the current time.
+func (RealClock) Now() time.Time {
+	return time.Now()
+}
+
+// Since returns time since the specified timestamp.
+func (RealClock) Since(ts time.Time) time.Duration {
+	return time.Since(ts)
+}
+
+// Same as time.After(d).
+func (RealClock) After(d time.Duration) <-chan time.Time {
+	return time.After(d)
+}
+
+func (RealClock) NewTimer(d time.Duration) Timer {
+	return &realTimer{
+		timer: time.NewTimer(d),
+	}
+}
+
+func (RealClock) Tick(d time.Duration) <-chan time.Time {
+	return time.Tick(d)
+}
+
+func (RealClock) Sleep(d time.Duration) {
+	time.Sleep(d)
+}
+
+// FakeClock implements Clock, but returns an arbitrary time.
+type FakeClock struct {
+	lock sync.RWMutex
+	time time.Time
+
+	// waiters are waiting for the fake time to pass their specified time
+	waiters []fakeClockWaiter
+}
+
+type fakeClockWaiter struct {
+	targetTime    time.Time
+	stepInterval  time.Duration
+	skipIfBlocked bool
+	destChan      chan time.Time
+	fired         bool
+}
+
+func NewFakeClock(t time.Time) *FakeClock {
+	return &FakeClock{
+		time: t,
+	}
+}
+
+// Now returns f's time.
+func (f *FakeClock) Now() time.Time {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	return f.time
+}
+
+// Since returns time since the time in f.
+func (f *FakeClock) Since(ts time.Time) time.Duration {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	return f.time.Sub(ts)
+}
+
+// Fake version of time.After(d).
+func (f *FakeClock) After(d time.Duration) <-chan time.Time {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	stopTime := f.time.Add(d)
+	ch := make(chan time.Time, 1) // Don't block!
+	f.waiters = append(f.waiters, fakeClockWaiter{
+		targetTime: stopTime,
+		destChan:   ch,
+	})
+	return ch
+}
+
+// Fake version of time.NewTimer(d).
+func (f *FakeClock) NewTimer(d time.Duration) Timer {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	stopTime := f.time.Add(d)
+	ch := make(chan time.Time, 1) // Don't block!
+	timer := &fakeTimer{
+		fakeClock: f,
+		waiter: fakeClockWaiter{
+			targetTime: stopTime,
+			destChan:   ch,
+		},
+	}
+	f.waiters = append(f.waiters, timer.waiter)
+	return timer
+}
+
+func (f *FakeClock) Tick(d time.Duration) <-chan time.Time {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	tickTime := f.time.Add(d)
+	ch := make(chan time.Time, 1) // hold one tick
+	f.waiters = append(f.waiters, fakeClockWaiter{
+		targetTime:    tickTime,
+		stepInterval:  d,
+		skipIfBlocked: true,
+		destChan:      ch,
+	})
+
+	return ch
+}
+
+// Move clock by Duration, notify anyone that's called After, Tick, or NewTimer
+func (f *FakeClock) Step(d time.Duration) {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	f.setTimeLocked(f.time.Add(d))
+}
+
+// Sets the time.
+func (f *FakeClock) SetTime(t time.Time) {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	f.setTimeLocked(t)
+}
+
+// Actually changes the time and checks any waiters. f must be write-locked.
+func (f *FakeClock) setTimeLocked(t time.Time) {
+	f.time = t
+	newWaiters := make([]fakeClockWaiter, 0, len(f.waiters))
+	for i := range f.waiters {
+		w := &f.waiters[i]
+		if !w.targetTime.After(t) {
+
+			if w.skipIfBlocked {
+				select {
+				case w.destChan <- t:
+					w.fired = true
+				default:
+				}
+			} else {
+				w.destChan <- t
+				w.fired = true
+			}
+
+			if w.stepInterval > 0 {
+				for !w.targetTime.After(t) {
+					w.targetTime = w.targetTime.Add(w.stepInterval)
+				}
+				newWaiters = append(newWaiters, *w)
+			}
+
+		} else {
+			newWaiters = append(newWaiters, f.waiters[i])
+		}
+	}
+	f.waiters = newWaiters
+}
+
+// Returns true if After has been called on f but not yet satisfied (so you can
+// write race-free tests).
+func (f *FakeClock) HasWaiters() bool {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	return len(f.waiters) > 0
+}
+
+func (f *FakeClock) Sleep(d time.Duration) {
+	f.Step(d)
+}
+
+// IntervalClock implements Clock, but each invocation of Now steps the clock forward the specified duration
+type IntervalClock struct {
+	Time     time.Time
+	Duration time.Duration
+}
+
+// Now returns i's time.
+func (i *IntervalClock) Now() time.Time {
+	i.Time = i.Time.Add(i.Duration)
+	return i.Time
+}
+
+// Since returns time since the time in i.
+func (i *IntervalClock) Since(ts time.Time) time.Duration {
+	return i.Time.Sub(ts)
+}
+
+// Unimplemented, will panic.
+// TODO: make interval clock use FakeClock so this can be implemented.
+func (*IntervalClock) After(d time.Duration) <-chan time.Time {
+	panic("IntervalClock doesn't implement After")
+}
+
+// Unimplemented, will panic.
+// TODO: make interval clock use FakeClock so this can be implemented.
+func (*IntervalClock) NewTimer(d time.Duration) Timer {
+	panic("IntervalClock doesn't implement NewTimer")
+}
+
+// Unimplemented, will panic.
+// TODO: make interval clock use FakeClock so this can be implemented.
+func (*IntervalClock) Tick(d time.Duration) <-chan time.Time {
+	panic("IntervalClock doesn't implement Tick")
+}
+
+func (*IntervalClock) Sleep(d time.Duration) {
+	panic("IntervalClock doesn't implement Sleep")
+}
+
+// Timer allows for injecting fake or real timers into code that
+// needs to do arbitrary things based on time.
+type Timer interface {
+	C() <-chan time.Time
+	Stop() bool
+	Reset(d time.Duration) bool
+}
+
+var (
+	_ = Timer(&realTimer{})
+	_ = Timer(&fakeTimer{})
+)
+
+// realTimer is backed by an actual time.Timer.
+type realTimer struct {
+	timer *time.Timer
+}
+
+// C returns the underlying timer's channel.
+func (r *realTimer) C() <-chan time.Time {
+	return r.timer.C
+}
+
+// Stop calls Stop() on the underlying timer.
+func (r *realTimer) Stop() bool {
+	return r.timer.Stop()
+}
+
+// Reset calls Reset() on the underlying timer.
+func (r *realTimer) Reset(d time.Duration) bool {
+	return r.timer.Reset(d)
+}
+
+// fakeTimer implements Timer based on a FakeClock.
+type fakeTimer struct {
+	fakeClock *FakeClock
+	waiter    fakeClockWaiter
+}
+
+// C returns the channel that notifies when this timer has fired.
+func (f *fakeTimer) C() <-chan time.Time {
+	return f.waiter.destChan
+}
+
+// Stop stops the timer and returns true if the timer has not yet fired, or false otherwise.
+func (f *fakeTimer) Stop() bool {
+	f.fakeClock.lock.Lock()
+	defer f.fakeClock.lock.Unlock()
+
+	newWaiters := make([]fakeClockWaiter, 0, len(f.fakeClock.waiters))
+	for i := range f.fakeClock.waiters {
+		w := &f.fakeClock.waiters[i]
+		if w != &f.waiter {
+			newWaiters = append(newWaiters, *w)
+		}
+	}
+
+	f.fakeClock.waiters = newWaiters
+
+	return !f.waiter.fired
+}
+
+// Reset resets the timer to the fake clock's "now" + d. It returns true if the timer has not yet
+// fired, or false otherwise.
+func (f *fakeTimer) Reset(d time.Duration) bool {
+	f.fakeClock.lock.Lock()
+	defer f.fakeClock.lock.Unlock()
+
+	active := !f.waiter.fired
+
+	f.waiter.fired = false
+	f.waiter.targetTime = f.fakeClock.time.Add(d)
+
+	return active
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/diff/diff.go b/cli/vendor/k8s.io/apimachinery/pkg/util/diff/diff.go
new file mode 100644
index 00000000..0f730875
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/diff/diff.go
@@ -0,0 +1,280 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package diff
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"sort"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/davecgh/go-spew/spew"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// StringDiff diffs a and b and returns a human readable diff.
+func StringDiff(a, b string) string {
+	ba := []byte(a)
+	bb := []byte(b)
+	out := []byte{}
+	i := 0
+	for ; i < len(ba) && i < len(bb); i++ {
+		if ba[i] != bb[i] {
+			break
+		}
+		out = append(out, ba[i])
+	}
+	out = append(out, []byte("\n\nA: ")...)
+	out = append(out, ba[i:]...)
+	out = append(out, []byte("\n\nB: ")...)
+	out = append(out, bb[i:]...)
+	out = append(out, []byte("\n\n")...)
+	return string(out)
+}
+
+// ObjectDiff writes the two objects out as JSON and prints out the identical part of
+// the objects followed by the remaining part of 'a' and finally the remaining part of 'b'.
+// For debugging tests.
+func ObjectDiff(a, b interface{}) string {
+	ab, err := json.Marshal(a)
+	if err != nil {
+		panic(fmt.Sprintf("a: %v", err))
+	}
+	bb, err := json.Marshal(b)
+	if err != nil {
+		panic(fmt.Sprintf("b: %v", err))
+	}
+	return StringDiff(string(ab), string(bb))
+}
+
+// ObjectGoPrintDiff is like ObjectDiff, but uses go-spew to print the objects,
+// which shows absolutely everything by recursing into every single pointer
+// (go's %#v formatters OTOH stop at a certain point). This is needed when you
+// can't figure out why reflect.DeepEqual is returning false and nothing is
+// showing you differences. This will.
+func ObjectGoPrintDiff(a, b interface{}) string {
+	s := spew.ConfigState{DisableMethods: true}
+	return StringDiff(
+		s.Sprintf("%#v", a),
+		s.Sprintf("%#v", b),
+	)
+}
+
+func ObjectReflectDiff(a, b interface{}) string {
+	vA, vB := reflect.ValueOf(a), reflect.ValueOf(b)
+	if vA.Type() != vB.Type() {
+		return fmt.Sprintf("type A %T and type B %T do not match", a, b)
+	}
+	diffs := objectReflectDiff(field.NewPath("object"), vA, vB)
+	if len(diffs) == 0 {
+		return "<no diffs>"
+	}
+	out := []string{""}
+	for _, d := range diffs {
+		out = append(out,
+			fmt.Sprintf("%s:", d.path),
+			limit(fmt.Sprintf("  a: %#v", d.a), 80),
+			limit(fmt.Sprintf("  b: %#v", d.b), 80),
+		)
+	}
+	return strings.Join(out, "\n")
+}
+
+func limit(s string, max int) string {
+	if len(s) > max {
+		return s[:max]
+	}
+	return s
+}
+
+func public(s string) bool {
+	if len(s) == 0 {
+		return false
+	}
+	return s[:1] == strings.ToUpper(s[:1])
+}
+
+type diff struct {
+	path *field.Path
+	a, b interface{}
+}
+
+type orderedDiffs []diff
+
+func (d orderedDiffs) Len() int      { return len(d) }
+func (d orderedDiffs) Swap(i, j int) { d[i], d[j] = d[j], d[i] }
+func (d orderedDiffs) Less(i, j int) bool {
+	a, b := d[i].path.String(), d[j].path.String()
+	if a < b {
+		return true
+	}
+	return false
+}
+
+func objectReflectDiff(path *field.Path, a, b reflect.Value) []diff {
+	switch a.Type().Kind() {
+	case reflect.Struct:
+		var changes []diff
+		for i := 0; i < a.Type().NumField(); i++ {
+			if !public(a.Type().Field(i).Name) {
+				if reflect.DeepEqual(a.Interface(), b.Interface()) {
+					continue
+				}
+				return []diff{{path: path, a: fmt.Sprintf("%#v", a), b: fmt.Sprintf("%#v", b)}}
+			}
+			if sub := objectReflectDiff(path.Child(a.Type().Field(i).Name), a.Field(i), b.Field(i)); len(sub) > 0 {
+				changes = append(changes, sub...)
+			} else {
+				if !reflect.DeepEqual(a.Field(i).Interface(), b.Field(i).Interface()) {
+					changes = append(changes, diff{path: path, a: a.Field(i).Interface(), b: b.Field(i).Interface()})
+				}
+			}
+		}
+		return changes
+	case reflect.Ptr, reflect.Interface:
+		if a.IsNil() || b.IsNil() {
+			switch {
+			case a.IsNil() && b.IsNil():
+				return nil
+			case a.IsNil():
+				return []diff{{path: path, a: nil, b: b.Interface()}}
+			default:
+				return []diff{{path: path, a: a.Interface(), b: nil}}
+			}
+		}
+		return objectReflectDiff(path, a.Elem(), b.Elem())
+	case reflect.Chan:
+		if !reflect.DeepEqual(a.Interface(), b.Interface()) {
+			return []diff{{path: path, a: a.Interface(), b: b.Interface()}}
+		}
+		return nil
+	case reflect.Slice:
+		lA, lB := a.Len(), b.Len()
+		l := lA
+		if lB < lA {
+			l = lB
+		}
+		if lA == lB && lA == 0 {
+			if a.IsNil() != b.IsNil() {
+				return []diff{{path: path, a: a.Interface(), b: b.Interface()}}
+			}
+			return nil
+		}
+		for i := 0; i < l; i++ {
+			if !reflect.DeepEqual(a.Index(i), b.Index(i)) {
+				return objectReflectDiff(path.Index(i), a.Index(i), b.Index(i))
+			}
+		}
+		var diffs []diff
+		for i := l; i < lA; i++ {
+			diffs = append(diffs, diff{path: path.Index(i), a: a.Index(i), b: nil})
+		}
+		for i := l; i < lB; i++ {
+			diffs = append(diffs, diff{path: path.Index(i), a: nil, b: b.Index(i)})
+		}
+		if len(diffs) == 0 {
+			diffs = append(diffs, diff{path: path, a: a, b: b})
+		}
+		return diffs
+	case reflect.Map:
+		if reflect.DeepEqual(a.Interface(), b.Interface()) {
+			return nil
+		}
+		aKeys := make(map[interface{}]interface{})
+		for _, key := range a.MapKeys() {
+			aKeys[key.Interface()] = a.MapIndex(key).Interface()
+		}
+		var missing []diff
+		for _, key := range b.MapKeys() {
+			if _, ok := aKeys[key.Interface()]; ok {
+				delete(aKeys, key.Interface())
+				if reflect.DeepEqual(a.MapIndex(key).Interface(), b.MapIndex(key).Interface()) {
+					continue
+				}
+				missing = append(missing, objectReflectDiff(path.Key(fmt.Sprintf("%s", key.Interface())), a.MapIndex(key), b.MapIndex(key))...)
+				continue
+			}
+			missing = append(missing, diff{path: path.Key(fmt.Sprintf("%s", key.Interface())), a: nil, b: b.MapIndex(key).Interface()})
+		}
+		for key, value := range aKeys {
+			missing = append(missing, diff{path: path.Key(fmt.Sprintf("%s", key)), a: value, b: nil})
+		}
+		if len(missing) == 0 {
+			missing = append(missing, diff{path: path, a: a.Interface(), b: b.Interface()})
+		}
+		sort.Sort(orderedDiffs(missing))
+		return missing
+	default:
+		if reflect.DeepEqual(a.Interface(), b.Interface()) {
+			return nil
+		}
+		if !a.CanInterface() {
+			return []diff{{path: path, a: fmt.Sprintf("%#v", a), b: fmt.Sprintf("%#v", b)}}
+		}
+		return []diff{{path: path, a: a.Interface(), b: b.Interface()}}
+	}
+}
+
+// ObjectGoPrintSideBySide prints a and b as textual dumps side by side,
+// enabling easy visual scanning for mismatches.
+func ObjectGoPrintSideBySide(a, b interface{}) string {
+	s := spew.ConfigState{
+		Indent: " ",
+		// Extra deep spew.
+		DisableMethods: true,
+	}
+	sA := s.Sdump(a)
+	sB := s.Sdump(b)
+
+	linesA := strings.Split(sA, "\n")
+	linesB := strings.Split(sB, "\n")
+	width := 0
+	for _, s := range linesA {
+		l := len(s)
+		if l > width {
+			width = l
+		}
+	}
+	for _, s := range linesB {
+		l := len(s)
+		if l > width {
+			width = l
+		}
+	}
+	buf := &bytes.Buffer{}
+	w := tabwriter.NewWriter(buf, width, 0, 1, ' ', 0)
+	max := len(linesA)
+	if len(linesB) > max {
+		max = len(linesB)
+	}
+	for i := 0; i < max; i++ {
+		var a, b string
+		if i < len(linesA) {
+			a = linesA[i]
+		}
+		if i < len(linesB) {
+			b = linesB[i]
+		}
+		fmt.Fprintf(w, "%s\t%s\n", a, b)
+	}
+	w.Flush()
+	return buf.String()
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/errors/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/util/errors/doc.go
new file mode 100644
index 00000000..5d4d6250
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/errors/doc.go
@@ -0,0 +1,18 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package errors implements various utility functions and types around errors.
+package errors // import "k8s.io/apimachinery/pkg/util/errors"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/errors/errors.go b/cli/vendor/k8s.io/apimachinery/pkg/util/errors/errors.go
new file mode 100644
index 00000000..26e7eb20
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/errors/errors.go
@@ -0,0 +1,201 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package errors
+
+import (
+	"errors"
+	"fmt"
+)
+
+// MessageCountMap contains occurance for each error message.
+type MessageCountMap map[string]int
+
+// Aggregate represents an object that contains multiple errors, but does not
+// necessarily have singular semantic meaning.
+type Aggregate interface {
+	error
+	Errors() []error
+}
+
+// NewAggregate converts a slice of errors into an Aggregate interface, which
+// is itself an implementation of the error interface.  If the slice is empty,
+// this returns nil.
+// It will check if any of the element of input error list is nil, to avoid
+// nil pointer panic when call Error().
+func NewAggregate(errlist []error) Aggregate {
+	if len(errlist) == 0 {
+		return nil
+	}
+	// In case of input error list contains nil
+	var errs []error
+	for _, e := range errlist {
+		if e != nil {
+			errs = append(errs, e)
+		}
+	}
+	if len(errs) == 0 {
+		return nil
+	}
+	return aggregate(errs)
+}
+
+// This helper implements the error and Errors interfaces.  Keeping it private
+// prevents people from making an aggregate of 0 errors, which is not
+// an error, but does satisfy the error interface.
+type aggregate []error
+
+// Error is part of the error interface.
+func (agg aggregate) Error() string {
+	if len(agg) == 0 {
+		// This should never happen, really.
+		return ""
+	}
+	if len(agg) == 1 {
+		return agg[0].Error()
+	}
+	result := fmt.Sprintf("[%s", agg[0].Error())
+	for i := 1; i < len(agg); i++ {
+		result += fmt.Sprintf(", %s", agg[i].Error())
+	}
+	result += "]"
+	return result
+}
+
+// Errors is part of the Aggregate interface.
+func (agg aggregate) Errors() []error {
+	return []error(agg)
+}
+
+// Matcher is used to match errors.  Returns true if the error matches.
+type Matcher func(error) bool
+
+// FilterOut removes all errors that match any of the matchers from the input
+// error.  If the input is a singular error, only that error is tested.  If the
+// input implements the Aggregate interface, the list of errors will be
+// processed recursively.
+//
+// This can be used, for example, to remove known-OK errors (such as io.EOF or
+// os.PathNotFound) from a list of errors.
+func FilterOut(err error, fns ...Matcher) error {
+	if err == nil {
+		return nil
+	}
+	if agg, ok := err.(Aggregate); ok {
+		return NewAggregate(filterErrors(agg.Errors(), fns...))
+	}
+	if !matchesError(err, fns...) {
+		return err
+	}
+	return nil
+}
+
+// matchesError returns true if any Matcher returns true
+func matchesError(err error, fns ...Matcher) bool {
+	for _, fn := range fns {
+		if fn(err) {
+			return true
+		}
+	}
+	return false
+}
+
+// filterErrors returns any errors (or nested errors, if the list contains
+// nested Errors) for which all fns return false. If no errors
+// remain a nil list is returned. The resulting silec will have all
+// nested slices flattened as a side effect.
+func filterErrors(list []error, fns ...Matcher) []error {
+	result := []error{}
+	for _, err := range list {
+		r := FilterOut(err, fns...)
+		if r != nil {
+			result = append(result, r)
+		}
+	}
+	return result
+}
+
+// Flatten takes an Aggregate, which may hold other Aggregates in arbitrary
+// nesting, and flattens them all into a single Aggregate, recursively.
+func Flatten(agg Aggregate) Aggregate {
+	result := []error{}
+	if agg == nil {
+		return nil
+	}
+	for _, err := range agg.Errors() {
+		if a, ok := err.(Aggregate); ok {
+			r := Flatten(a)
+			if r != nil {
+				result = append(result, r.Errors()...)
+			}
+		} else {
+			if err != nil {
+				result = append(result, err)
+			}
+		}
+	}
+	return NewAggregate(result)
+}
+
+// CreateAggregateFromMessageCountMap converts MessageCountMap Aggregate
+func CreateAggregateFromMessageCountMap(m MessageCountMap) Aggregate {
+	if m == nil {
+		return nil
+	}
+	result := make([]error, 0, len(m))
+	for errStr, count := range m {
+		var countStr string
+		if count > 1 {
+			countStr = fmt.Sprintf(" (repeated %v times)", count)
+		}
+		result = append(result, fmt.Errorf("%v%v", errStr, countStr))
+	}
+	return NewAggregate(result)
+}
+
+// Reduce will return err or, if err is an Aggregate and only has one item,
+// the first item in the aggregate.
+func Reduce(err error) error {
+	if agg, ok := err.(Aggregate); ok && err != nil {
+		switch len(agg.Errors()) {
+		case 1:
+			return agg.Errors()[0]
+		case 0:
+			return nil
+		}
+	}
+	return err
+}
+
+// AggregateGoroutines runs the provided functions in parallel, stuffing all
+// non-nil errors into the returned Aggregate.
+// Returns nil if all the functions complete successfully.
+func AggregateGoroutines(funcs ...func() error) Aggregate {
+	errChan := make(chan error, len(funcs))
+	for _, f := range funcs {
+		go func(f func() error) { errChan <- f() }(f)
+	}
+	errs := make([]error, 0)
+	for i := 0; i < cap(errChan); i++ {
+		if err := <-errChan; err != nil {
+			errs = append(errs, err)
+		}
+	}
+	return NewAggregate(errs)
+}
+
+// ErrPreconditionViolated is returned when the precondition is violated
+var ErrPreconditionViolated = errors.New("precondition is violated")
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/framer/framer.go b/cli/vendor/k8s.io/apimachinery/pkg/util/framer/framer.go
new file mode 100644
index 00000000..066680f4
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/framer/framer.go
@@ -0,0 +1,167 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package framer implements simple frame decoding techniques for an io.ReadCloser
+package framer
+
+import (
+	"encoding/binary"
+	"encoding/json"
+	"io"
+)
+
+type lengthDelimitedFrameWriter struct {
+	w io.Writer
+	h [4]byte
+}
+
+func NewLengthDelimitedFrameWriter(w io.Writer) io.Writer {
+	return &lengthDelimitedFrameWriter{w: w}
+}
+
+// Write writes a single frame to the nested writer, prepending it with the length in
+// in bytes of data (as a 4 byte, bigendian uint32).
+func (w *lengthDelimitedFrameWriter) Write(data []byte) (int, error) {
+	binary.BigEndian.PutUint32(w.h[:], uint32(len(data)))
+	n, err := w.w.Write(w.h[:])
+	if err != nil {
+		return 0, err
+	}
+	if n != len(w.h) {
+		return 0, io.ErrShortWrite
+	}
+	return w.w.Write(data)
+}
+
+type lengthDelimitedFrameReader struct {
+	r         io.ReadCloser
+	remaining int
+}
+
+// NewLengthDelimitedFrameReader returns an io.Reader that will decode length-prefixed
+// frames off of a stream.
+//
+// The protocol is:
+//
+//   stream: message ...
+//   message: prefix body
+//   prefix: 4 byte uint32 in BigEndian order, denotes length of body
+//   body: bytes (0..prefix)
+//
+// If the buffer passed to Read is not long enough to contain an entire frame, io.ErrShortRead
+// will be returned along with the number of bytes read.
+func NewLengthDelimitedFrameReader(r io.ReadCloser) io.ReadCloser {
+	return &lengthDelimitedFrameReader{r: r}
+}
+
+// Read attempts to read an entire frame into data. If that is not possible, io.ErrShortBuffer
+// is returned and subsequent calls will attempt to read the last frame. A frame is complete when
+// err is nil.
+func (r *lengthDelimitedFrameReader) Read(data []byte) (int, error) {
+	if r.remaining <= 0 {
+		header := [4]byte{}
+		n, err := io.ReadAtLeast(r.r, header[:4], 4)
+		if err != nil {
+			return 0, err
+		}
+		if n != 4 {
+			return 0, io.ErrUnexpectedEOF
+		}
+		frameLength := int(binary.BigEndian.Uint32(header[:]))
+		r.remaining = frameLength
+	}
+
+	expect := r.remaining
+	max := expect
+	if max > len(data) {
+		max = len(data)
+	}
+	n, err := io.ReadAtLeast(r.r, data[:max], int(max))
+	r.remaining -= n
+	if err == io.ErrShortBuffer || r.remaining > 0 {
+		return n, io.ErrShortBuffer
+	}
+	if err != nil {
+		return n, err
+	}
+	if n != expect {
+		return n, io.ErrUnexpectedEOF
+	}
+
+	return n, nil
+}
+
+func (r *lengthDelimitedFrameReader) Close() error {
+	return r.r.Close()
+}
+
+type jsonFrameReader struct {
+	r         io.ReadCloser
+	decoder   *json.Decoder
+	remaining []byte
+}
+
+// NewJSONFramedReader returns an io.Reader that will decode individual JSON objects off
+// of a wire.
+//
+// The boundaries between each frame are valid JSON objects. A JSON parsing error will terminate
+// the read.
+func NewJSONFramedReader(r io.ReadCloser) io.ReadCloser {
+	return &jsonFrameReader{
+		r:       r,
+		decoder: json.NewDecoder(r),
+	}
+}
+
+// ReadFrame decodes the next JSON object in the stream, or returns an error. The returned
+// byte slice will be modified the next time ReadFrame is invoked and should not be altered.
+func (r *jsonFrameReader) Read(data []byte) (int, error) {
+	// Return whatever remaining data exists from an in progress frame
+	if n := len(r.remaining); n > 0 {
+		if n <= len(data) {
+			data = append(data[0:0], r.remaining...)
+			r.remaining = nil
+			return n, nil
+		}
+
+		n = len(data)
+		data = append(data[0:0], r.remaining[:n]...)
+		r.remaining = r.remaining[n:]
+		return n, io.ErrShortBuffer
+	}
+
+	// RawMessage#Unmarshal appends to data - we reset the slice down to 0 and will either see
+	// data written to data, or be larger than data and a different array.
+	n := len(data)
+	m := json.RawMessage(data[:0])
+	if err := r.decoder.Decode(&m); err != nil {
+		return 0, err
+	}
+
+	// If capacity of data is less than length of the message, decoder will allocate a new slice
+	// and set m to it, which means we need to copy the partial result back into data and preserve
+	// the remaining result for subsequent reads.
+	if len(m) > n {
+		data = append(data[0:0], m[:n]...)
+		r.remaining = m[n:]
+		return n, io.ErrShortBuffer
+	}
+	return len(m), nil
+}
+
+func (r *jsonFrameReader) Close() error {
+	return r.r.Close()
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go b/cli/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go
new file mode 100644
index 00000000..161e9a6f
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.pb.go
@@ -0,0 +1,381 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by protoc-gen-gogo.
+// source: k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto
+// DO NOT EDIT!
+
+/*
+	Package intstr is a generated protocol buffer package.
+
+	It is generated from these files:
+		k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto
+
+	It has these top-level messages:
+		IntOrString
+*/
+package intstr
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+func (m *IntOrString) Reset()                    { *m = IntOrString{} }
+func (*IntOrString) ProtoMessage()               {}
+func (*IntOrString) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{0} }
+
+func init() {
+	proto.RegisterType((*IntOrString)(nil), "k8s.io.apimachinery.pkg.util.intstr.IntOrString")
+}
+func (m *IntOrString) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *IntOrString) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	dAtA[i] = 0x8
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.Type))
+	dAtA[i] = 0x10
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(m.IntVal))
+	dAtA[i] = 0x1a
+	i++
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.StrVal)))
+	i += copy(dAtA[i:], m.StrVal)
+	return i, nil
+}
+
+func encodeFixed64Generated(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Generated(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintGenerated(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *IntOrString) Size() (n int) {
+	var l int
+	_ = l
+	n += 1 + sovGenerated(uint64(m.Type))
+	n += 1 + sovGenerated(uint64(m.IntVal))
+	l = len(m.StrVal)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func sovGenerated(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGenerated(x uint64) (n int) {
+	return sovGenerated(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *IntOrString) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: IntOrString: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: IntOrString: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			m.Type = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Type |= (Type(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IntVal", wireType)
+			}
+			m.IntVal = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.IntVal |= (int32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field StrVal", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.StrVal = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGenerated(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGenerated
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGenerated
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGenerated(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGenerated = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGenerated   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() {
+	proto.RegisterFile("k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto", fileDescriptorGenerated)
+}
+
+var fileDescriptorGenerated = []byte{
+	// 292 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x4c, 0x8f, 0x31, 0x4b, 0x33, 0x31,
+	0x1c, 0xc6, 0x93, 0xb7, 0x7d, 0x8b, 0x9e, 0xe0, 0x50, 0x1c, 0x8a, 0x43, 0x7a, 0x28, 0xc8, 0x0d,
+	0x9a, 0xac, 0xe2, 0xd8, 0xad, 0x20, 0x08, 0x57, 0x71, 0x70, 0xbb, 0x6b, 0x63, 0x1a, 0xae, 0x4d,
+	0x42, 0xee, 0x7f, 0xc2, 0x6d, 0xfd, 0x08, 0xba, 0x39, 0xfa, 0x71, 0x6e, 0xec, 0xd8, 0x41, 0x8a,
+	0x17, 0xbf, 0x85, 0x93, 0x5c, 0xee, 0x40, 0xa7, 0xe4, 0x79, 0x9e, 0xdf, 0x2f, 0x90, 0xe0, 0x36,
+	0xbb, 0xce, 0xa9, 0xd4, 0x2c, 0x2b, 0x52, 0x6e, 0x15, 0x07, 0x9e, 0xb3, 0x67, 0xae, 0x16, 0xda,
+	0xb2, 0x6e, 0x48, 0x8c, 0x5c, 0x27, 0xf3, 0xa5, 0x54, 0xdc, 0x96, 0xcc, 0x64, 0x82, 0x15, 0x20,
+	0x57, 0x4c, 0x2a, 0xc8, 0xc1, 0x32, 0xc1, 0x15, 0xb7, 0x09, 0xf0, 0x05, 0x35, 0x56, 0x83, 0x1e,
+	0x9e, 0xb7, 0x12, 0xfd, 0x2b, 0x51, 0x93, 0x09, 0xda, 0x48, 0xb4, 0x95, 0x4e, 0xaf, 0x84, 0x84,
+	0x65, 0x91, 0xd2, 0xb9, 0x5e, 0x33, 0xa1, 0x85, 0x66, 0xde, 0x4d, 0x8b, 0x27, 0x9f, 0x7c, 0xf0,
+	0xb7, 0xf6, 0xcd, 0xb3, 0x57, 0x1c, 0x1c, 0x4d, 0x15, 0xdc, 0xd9, 0x19, 0x58, 0xa9, 0xc4, 0x30,
+	0x0a, 0xfa, 0x50, 0x1a, 0x3e, 0xc2, 0x21, 0x8e, 0x7a, 0x93, 0x93, 0x6a, 0x3f, 0x46, 0x6e, 0x3f,
+	0xee, 0xdf, 0x97, 0x86, 0x7f, 0x77, 0x67, 0xec, 0x89, 0xe1, 0x45, 0x30, 0x90, 0x0a, 0x1e, 0x92,
+	0xd5, 0xe8, 0x5f, 0x88, 0xa3, 0xff, 0x93, 0xe3, 0x8e, 0x1d, 0x4c, 0x7d, 0x1b, 0x77, 0x6b, 0xc3,
+	0xe5, 0x60, 0x1b, 0xae, 0x17, 0xe2, 0xe8, 0xf0, 0x97, 0x9b, 0xf9, 0x36, 0xee, 0xd6, 0x9b, 0x83,
+	0xb7, 0xf7, 0x31, 0xda, 0x7c, 0x84, 0x68, 0x72, 0x59, 0xd5, 0x04, 0x6d, 0x6b, 0x82, 0x76, 0x35,
+	0x41, 0x1b, 0x47, 0x70, 0xe5, 0x08, 0xde, 0x3a, 0x82, 0x77, 0x8e, 0xe0, 0x4f, 0x47, 0xf0, 0xcb,
+	0x17, 0x41, 0x8f, 0x83, 0xf6, 0xc3, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x52, 0xa0, 0xb5, 0xc9,
+	0x64, 0x01, 0x00, 0x00,
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto b/cli/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto
new file mode 100644
index 00000000..6819d468
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/intstr/generated.proto
@@ -0,0 +1,43 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.apimachinery.pkg.util.intstr;
+
+// Package-wide variables from generator "generated".
+option go_package = "intstr";
+
+// IntOrString is a type that can hold an int32 or a string.  When used in
+// JSON or YAML marshalling and unmarshalling, it produces or consumes the
+// inner type.  This allows you to have, for example, a JSON field that can
+// accept a name or number.
+// TODO: Rename to Int32OrString
+// 
+// +protobuf=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:openapi-gen=true
+message IntOrString {
+  optional int64 type = 1;
+
+  optional int32 intVal = 2;
+
+  optional string strVal = 3;
+}
+
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/intstr/intstr.go b/cli/vendor/k8s.io/apimachinery/pkg/util/intstr/intstr.go
new file mode 100644
index 00000000..04a77bb6
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/intstr/intstr.go
@@ -0,0 +1,177 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package intstr
+
+import (
+	"encoding/json"
+	"fmt"
+	"math"
+	"runtime/debug"
+	"strconv"
+	"strings"
+
+	openapi "k8s.io/kube-openapi/pkg/common"
+
+	"github.com/go-openapi/spec"
+	"github.com/golang/glog"
+	"github.com/google/gofuzz"
+)
+
+// IntOrString is a type that can hold an int32 or a string.  When used in
+// JSON or YAML marshalling and unmarshalling, it produces or consumes the
+// inner type.  This allows you to have, for example, a JSON field that can
+// accept a name or number.
+// TODO: Rename to Int32OrString
+//
+// +protobuf=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:openapi-gen=true
+type IntOrString struct {
+	Type   Type   `protobuf:"varint,1,opt,name=type,casttype=Type"`
+	IntVal int32  `protobuf:"varint,2,opt,name=intVal"`
+	StrVal string `protobuf:"bytes,3,opt,name=strVal"`
+}
+
+// Type represents the stored type of IntOrString.
+type Type int
+
+const (
+	Int    Type = iota // The IntOrString holds an int.
+	String             // The IntOrString holds a string.
+)
+
+// FromInt creates an IntOrString object with an int32 value. It is
+// your responsibility not to call this method with a value greater
+// than int32.
+// TODO: convert to (val int32)
+func FromInt(val int) IntOrString {
+	if val > math.MaxInt32 || val < math.MinInt32 {
+		glog.Errorf("value: %d overflows int32\n%s\n", val, debug.Stack())
+	}
+	return IntOrString{Type: Int, IntVal: int32(val)}
+}
+
+// FromString creates an IntOrString object with a string value.
+func FromString(val string) IntOrString {
+	return IntOrString{Type: String, StrVal: val}
+}
+
+// Parse the given string and try to convert it to an integer before
+// setting it as a string value.
+func Parse(val string) IntOrString {
+	i, err := strconv.Atoi(val)
+	if err != nil {
+		return FromString(val)
+	}
+	return FromInt(i)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface.
+func (intstr *IntOrString) UnmarshalJSON(value []byte) error {
+	if value[0] == '"' {
+		intstr.Type = String
+		return json.Unmarshal(value, &intstr.StrVal)
+	}
+	intstr.Type = Int
+	return json.Unmarshal(value, &intstr.IntVal)
+}
+
+// String returns the string value, or the Itoa of the int value.
+func (intstr *IntOrString) String() string {
+	if intstr.Type == String {
+		return intstr.StrVal
+	}
+	return strconv.Itoa(intstr.IntValue())
+}
+
+// IntValue returns the IntVal if type Int, or if
+// it is a String, will attempt a conversion to int.
+func (intstr *IntOrString) IntValue() int {
+	if intstr.Type == String {
+		i, _ := strconv.Atoi(intstr.StrVal)
+		return i
+	}
+	return int(intstr.IntVal)
+}
+
+// MarshalJSON implements the json.Marshaller interface.
+func (intstr IntOrString) MarshalJSON() ([]byte, error) {
+	switch intstr.Type {
+	case Int:
+		return json.Marshal(intstr.IntVal)
+	case String:
+		return json.Marshal(intstr.StrVal)
+	default:
+		return []byte{}, fmt.Errorf("impossible IntOrString.Type")
+	}
+}
+
+func (_ IntOrString) OpenAPIDefinition() openapi.OpenAPIDefinition {
+	return openapi.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type:   []string{"string"},
+				Format: "int-or-string",
+			},
+		},
+	}
+}
+
+func (intstr *IntOrString) Fuzz(c fuzz.Continue) {
+	if intstr == nil {
+		return
+	}
+	if c.RandBool() {
+		intstr.Type = Int
+		c.Fuzz(&intstr.IntVal)
+		intstr.StrVal = ""
+	} else {
+		intstr.Type = String
+		intstr.IntVal = 0
+		c.Fuzz(&intstr.StrVal)
+	}
+}
+
+func GetValueFromIntOrPercent(intOrPercent *IntOrString, total int, roundUp bool) (int, error) {
+	value, isPercent, err := getIntOrPercentValue(intOrPercent)
+	if err != nil {
+		return 0, fmt.Errorf("invalid value for IntOrString: %v", err)
+	}
+	if isPercent {
+		if roundUp {
+			value = int(math.Ceil(float64(value) * (float64(total)) / 100))
+		} else {
+			value = int(math.Floor(float64(value) * (float64(total)) / 100))
+		}
+	}
+	return value, nil
+}
+
+func getIntOrPercentValue(intOrStr *IntOrString) (int, bool, error) {
+	switch intOrStr.Type {
+	case Int:
+		return intOrStr.IntValue(), false, nil
+	case String:
+		s := strings.Replace(intOrStr.StrVal, "%", "", -1)
+		v, err := strconv.Atoi(s)
+		if err != nil {
+			return 0, false, fmt.Errorf("invalid value %q: %v", intOrStr.StrVal, err)
+		}
+		return int(v), true, nil
+	}
+	return 0, false, fmt.Errorf("invalid type: neither int nor percentage")
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/json/json.go b/cli/vendor/k8s.io/apimachinery/pkg/util/json/json.go
new file mode 100644
index 00000000..10c8cb83
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/json/json.go
@@ -0,0 +1,119 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package json
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+)
+
+// NewEncoder delegates to json.NewEncoder
+// It is only here so this package can be a drop-in for common encoding/json uses
+func NewEncoder(w io.Writer) *json.Encoder {
+	return json.NewEncoder(w)
+}
+
+// Marshal delegates to json.Marshal
+// It is only here so this package can be a drop-in for common encoding/json uses
+func Marshal(v interface{}) ([]byte, error) {
+	return json.Marshal(v)
+}
+
+// Unmarshal unmarshals the given data
+// If v is a *map[string]interface{}, numbers are converted to int64 or float64
+func Unmarshal(data []byte, v interface{}) error {
+	switch v := v.(type) {
+	case *map[string]interface{}:
+		// Build a decoder from the given data
+		decoder := json.NewDecoder(bytes.NewBuffer(data))
+		// Preserve numbers, rather than casting to float64 automatically
+		decoder.UseNumber()
+		// Run the decode
+		if err := decoder.Decode(v); err != nil {
+			return err
+		}
+		// If the decode succeeds, post-process the map to convert json.Number objects to int64 or float64
+		return convertMapNumbers(*v)
+
+	case *[]interface{}:
+		// Build a decoder from the given data
+		decoder := json.NewDecoder(bytes.NewBuffer(data))
+		// Preserve numbers, rather than casting to float64 automatically
+		decoder.UseNumber()
+		// Run the decode
+		if err := decoder.Decode(v); err != nil {
+			return err
+		}
+		// If the decode succeeds, post-process the map to convert json.Number objects to int64 or float64
+		return convertSliceNumbers(*v)
+
+	default:
+		return json.Unmarshal(data, v)
+	}
+}
+
+// convertMapNumbers traverses the map, converting any json.Number values to int64 or float64.
+// values which are map[string]interface{} or []interface{} are recursively visited
+func convertMapNumbers(m map[string]interface{}) error {
+	var err error
+	for k, v := range m {
+		switch v := v.(type) {
+		case json.Number:
+			m[k], err = convertNumber(v)
+		case map[string]interface{}:
+			err = convertMapNumbers(v)
+		case []interface{}:
+			err = convertSliceNumbers(v)
+		}
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// convertSliceNumbers traverses the slice, converting any json.Number values to int64 or float64.
+// values which are map[string]interface{} or []interface{} are recursively visited
+func convertSliceNumbers(s []interface{}) error {
+	var err error
+	for i, v := range s {
+		switch v := v.(type) {
+		case json.Number:
+			s[i], err = convertNumber(v)
+		case map[string]interface{}:
+			err = convertMapNumbers(v)
+		case []interface{}:
+			err = convertSliceNumbers(v)
+		}
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// convertNumber converts a json.Number to an int64 or float64, or returns an error
+func convertNumber(n json.Number) (interface{}, error) {
+	// Attempt to convert to an int64 first
+	if i, err := n.Int64(); err == nil {
+		return i, nil
+	}
+	// Return a float64 (default json.Decode() behavior)
+	// An overflow will return an error
+	return n.Float64()
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/net/http.go b/cli/vendor/k8s.io/apimachinery/pkg/util/net/http.go
new file mode 100644
index 00000000..41be5b2f
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/net/http.go
@@ -0,0 +1,429 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package net
+
+import (
+	"bufio"
+	"bytes"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"strconv"
+	"strings"
+
+	"github.com/golang/glog"
+	"golang.org/x/net/http2"
+)
+
+// JoinPreservingTrailingSlash does a path.Join of the specified elements,
+// preserving any trailing slash on the last non-empty segment
+func JoinPreservingTrailingSlash(elem ...string) string {
+	// do the basic path join
+	result := path.Join(elem...)
+
+	// find the last non-empty segment
+	for i := len(elem) - 1; i >= 0; i-- {
+		if len(elem[i]) > 0 {
+			// if the last segment ended in a slash, ensure our result does as well
+			if strings.HasSuffix(elem[i], "/") && !strings.HasSuffix(result, "/") {
+				result += "/"
+			}
+			break
+		}
+	}
+
+	return result
+}
+
+// IsProbableEOF returns true if the given error resembles a connection termination
+// scenario that would justify assuming that the watch is empty.
+// These errors are what the Go http stack returns back to us which are general
+// connection closure errors (strongly correlated) and callers that need to
+// differentiate probable errors in connection behavior between normal "this is
+// disconnected" should use the method.
+func IsProbableEOF(err error) bool {
+	if uerr, ok := err.(*url.Error); ok {
+		err = uerr.Err
+	}
+	switch {
+	case err == io.EOF:
+		return true
+	case err.Error() == "http: can't write HTTP request on broken connection":
+		return true
+	case strings.Contains(err.Error(), "connection reset by peer"):
+		return true
+	case strings.Contains(strings.ToLower(err.Error()), "use of closed network connection"):
+		return true
+	}
+	return false
+}
+
+var defaultTransport = http.DefaultTransport.(*http.Transport)
+
+// SetOldTransportDefaults applies the defaults from http.DefaultTransport
+// for the Proxy, Dial, and TLSHandshakeTimeout fields if unset
+func SetOldTransportDefaults(t *http.Transport) *http.Transport {
+	if t.Proxy == nil || isDefault(t.Proxy) {
+		// http.ProxyFromEnvironment doesn't respect CIDRs and that makes it impossible to exclude things like pod and service IPs from proxy settings
+		// ProxierWithNoProxyCIDR allows CIDR rules in NO_PROXY
+		t.Proxy = NewProxierWithNoProxyCIDR(http.ProxyFromEnvironment)
+	}
+	if t.Dial == nil {
+		t.Dial = defaultTransport.Dial
+	}
+	if t.TLSHandshakeTimeout == 0 {
+		t.TLSHandshakeTimeout = defaultTransport.TLSHandshakeTimeout
+	}
+	return t
+}
+
+// SetTransportDefaults applies the defaults from http.DefaultTransport
+// for the Proxy, Dial, and TLSHandshakeTimeout fields if unset
+func SetTransportDefaults(t *http.Transport) *http.Transport {
+	t = SetOldTransportDefaults(t)
+	// Allow clients to disable http2 if needed.
+	if s := os.Getenv("DISABLE_HTTP2"); len(s) > 0 {
+		glog.Infof("HTTP2 has been explicitly disabled")
+	} else {
+		if err := http2.ConfigureTransport(t); err != nil {
+			glog.Warningf("Transport failed http2 configuration: %v", err)
+		}
+	}
+	return t
+}
+
+type RoundTripperWrapper interface {
+	http.RoundTripper
+	WrappedRoundTripper() http.RoundTripper
+}
+
+type DialFunc func(net, addr string) (net.Conn, error)
+
+func DialerFor(transport http.RoundTripper) (DialFunc, error) {
+	if transport == nil {
+		return nil, nil
+	}
+
+	switch transport := transport.(type) {
+	case *http.Transport:
+		return transport.Dial, nil
+	case RoundTripperWrapper:
+		return DialerFor(transport.WrappedRoundTripper())
+	default:
+		return nil, fmt.Errorf("unknown transport type: %T", transport)
+	}
+}
+
+type TLSClientConfigHolder interface {
+	TLSClientConfig() *tls.Config
+}
+
+func TLSClientConfig(transport http.RoundTripper) (*tls.Config, error) {
+	if transport == nil {
+		return nil, nil
+	}
+
+	switch transport := transport.(type) {
+	case *http.Transport:
+		return transport.TLSClientConfig, nil
+	case TLSClientConfigHolder:
+		return transport.TLSClientConfig(), nil
+	case RoundTripperWrapper:
+		return TLSClientConfig(transport.WrappedRoundTripper())
+	default:
+		return nil, fmt.Errorf("unknown transport type: %T", transport)
+	}
+}
+
+func FormatURL(scheme string, host string, port int, path string) *url.URL {
+	return &url.URL{
+		Scheme: scheme,
+		Host:   net.JoinHostPort(host, strconv.Itoa(port)),
+		Path:   path,
+	}
+}
+
+func GetHTTPClient(req *http.Request) string {
+	if userAgent, ok := req.Header["User-Agent"]; ok {
+		if len(userAgent) > 0 {
+			return userAgent[0]
+		}
+	}
+	return "unknown"
+}
+
+// SourceIPs splits the comma separated X-Forwarded-For header or returns the X-Real-Ip header or req.RemoteAddr,
+// in that order, ignoring invalid IPs. It returns nil if all of these are empty or invalid.
+func SourceIPs(req *http.Request) []net.IP {
+	hdr := req.Header
+	// First check the X-Forwarded-For header for requests via proxy.
+	hdrForwardedFor := hdr.Get("X-Forwarded-For")
+	forwardedForIPs := []net.IP{}
+	if hdrForwardedFor != "" {
+		// X-Forwarded-For can be a csv of IPs in case of multiple proxies.
+		// Use the first valid one.
+		parts := strings.Split(hdrForwardedFor, ",")
+		for _, part := range parts {
+			ip := net.ParseIP(strings.TrimSpace(part))
+			if ip != nil {
+				forwardedForIPs = append(forwardedForIPs, ip)
+			}
+		}
+	}
+	if len(forwardedForIPs) > 0 {
+		return forwardedForIPs
+	}
+
+	// Try the X-Real-Ip header.
+	hdrRealIp := hdr.Get("X-Real-Ip")
+	if hdrRealIp != "" {
+		ip := net.ParseIP(hdrRealIp)
+		if ip != nil {
+			return []net.IP{ip}
+		}
+	}
+
+	// Fallback to Remote Address in request, which will give the correct client IP when there is no proxy.
+	// Remote Address in Go's HTTP server is in the form host:port so we need to split that first.
+	host, _, err := net.SplitHostPort(req.RemoteAddr)
+	if err == nil {
+		if remoteIP := net.ParseIP(host); remoteIP != nil {
+			return []net.IP{remoteIP}
+		}
+	}
+
+	// Fallback if Remote Address was just IP.
+	if remoteIP := net.ParseIP(req.RemoteAddr); remoteIP != nil {
+		return []net.IP{remoteIP}
+	}
+
+	return nil
+}
+
+// Extracts and returns the clients IP from the given request.
+// Looks at X-Forwarded-For header, X-Real-Ip header and request.RemoteAddr in that order.
+// Returns nil if none of them are set or is set to an invalid value.
+func GetClientIP(req *http.Request) net.IP {
+	ips := SourceIPs(req)
+	if len(ips) == 0 {
+		return nil
+	}
+	return ips[0]
+}
+
+// Prepares the X-Forwarded-For header for another forwarding hop by appending the previous sender's
+// IP address to the X-Forwarded-For chain.
+func AppendForwardedForHeader(req *http.Request) {
+	// Copied from net/http/httputil/reverseproxy.go:
+	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
+		// If we aren't the first proxy retain prior
+		// X-Forwarded-For information as a comma+space
+		// separated list and fold multiple headers into one.
+		if prior, ok := req.Header["X-Forwarded-For"]; ok {
+			clientIP = strings.Join(prior, ", ") + ", " + clientIP
+		}
+		req.Header.Set("X-Forwarded-For", clientIP)
+	}
+}
+
+var defaultProxyFuncPointer = fmt.Sprintf("%p", http.ProxyFromEnvironment)
+
+// isDefault checks to see if the transportProxierFunc is pointing to the default one
+func isDefault(transportProxier func(*http.Request) (*url.URL, error)) bool {
+	transportProxierPointer := fmt.Sprintf("%p", transportProxier)
+	return transportProxierPointer == defaultProxyFuncPointer
+}
+
+// NewProxierWithNoProxyCIDR constructs a Proxier function that respects CIDRs in NO_PROXY and delegates if
+// no matching CIDRs are found
+func NewProxierWithNoProxyCIDR(delegate func(req *http.Request) (*url.URL, error)) func(req *http.Request) (*url.URL, error) {
+	// we wrap the default method, so we only need to perform our check if the NO_PROXY envvar has a CIDR in it
+	noProxyEnv := os.Getenv("NO_PROXY")
+	noProxyRules := strings.Split(noProxyEnv, ",")
+
+	cidrs := []*net.IPNet{}
+	for _, noProxyRule := range noProxyRules {
+		_, cidr, _ := net.ParseCIDR(noProxyRule)
+		if cidr != nil {
+			cidrs = append(cidrs, cidr)
+		}
+	}
+
+	if len(cidrs) == 0 {
+		return delegate
+	}
+
+	return func(req *http.Request) (*url.URL, error) {
+		host := req.URL.Host
+		// for some urls, the Host is already the host, not the host:port
+		if net.ParseIP(host) == nil {
+			var err error
+			host, _, err = net.SplitHostPort(req.URL.Host)
+			if err != nil {
+				return delegate(req)
+			}
+		}
+
+		ip := net.ParseIP(host)
+		if ip == nil {
+			return delegate(req)
+		}
+
+		for _, cidr := range cidrs {
+			if cidr.Contains(ip) {
+				return nil, nil
+			}
+		}
+
+		return delegate(req)
+	}
+}
+
+// DialerFunc implements Dialer for the provided function.
+type DialerFunc func(req *http.Request) (net.Conn, error)
+
+func (fn DialerFunc) Dial(req *http.Request) (net.Conn, error) {
+	return fn(req)
+}
+
+// Dialer dials a host and writes a request to it.
+type Dialer interface {
+	// Dial connects to the host specified by req's URL, writes the request to the connection, and
+	// returns the opened net.Conn.
+	Dial(req *http.Request) (net.Conn, error)
+}
+
+// ConnectWithRedirects uses dialer to send req, following up to 10 redirects (relative to
+// originalLocation). It returns the opened net.Conn and the raw response bytes.
+func ConnectWithRedirects(originalMethod string, originalLocation *url.URL, header http.Header, originalBody io.Reader, dialer Dialer) (net.Conn, []byte, error) {
+	const (
+		maxRedirects    = 10
+		maxResponseSize = 16384 // play it safe to allow the potential for lots of / large headers
+	)
+
+	var (
+		location         = originalLocation
+		method           = originalMethod
+		intermediateConn net.Conn
+		rawResponse      = bytes.NewBuffer(make([]byte, 0, 256))
+		body             = originalBody
+	)
+
+	defer func() {
+		if intermediateConn != nil {
+			intermediateConn.Close()
+		}
+	}()
+
+redirectLoop:
+	for redirects := 0; ; redirects++ {
+		if redirects > maxRedirects {
+			return nil, nil, fmt.Errorf("too many redirects (%d)", redirects)
+		}
+
+		req, err := http.NewRequest(method, location.String(), body)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		req.Header = header
+
+		intermediateConn, err = dialer.Dial(req)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		// Peek at the backend response.
+		rawResponse.Reset()
+		respReader := bufio.NewReader(io.TeeReader(
+			io.LimitReader(intermediateConn, maxResponseSize), // Don't read more than maxResponseSize bytes.
+			rawResponse)) // Save the raw response.
+		resp, err := http.ReadResponse(respReader, nil)
+		if err != nil {
+			// Unable to read the backend response; let the client handle it.
+			glog.Warningf("Error reading backend response: %v", err)
+			break redirectLoop
+		}
+
+		switch resp.StatusCode {
+		case http.StatusFound:
+			// Redirect, continue.
+		default:
+			// Don't redirect.
+			break redirectLoop
+		}
+
+		// Redirected requests switch to "GET" according to the HTTP spec:
+		// https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3
+		method = "GET"
+		// don't send a body when following redirects
+		body = nil
+
+		resp.Body.Close() // not used
+
+		// Reset the connection.
+		intermediateConn.Close()
+		intermediateConn = nil
+
+		// Prepare to follow the redirect.
+		redirectStr := resp.Header.Get("Location")
+		if redirectStr == "" {
+			return nil, nil, fmt.Errorf("%d response missing Location header", resp.StatusCode)
+		}
+		// We have to parse relative to the current location, NOT originalLocation. For example,
+		// if we request http://foo.com/a and get back "http://bar.com/b", the result should be
+		// http://bar.com/b. If we then make that request and get back a redirect to "/c", the result
+		// should be http://bar.com/c, not http://foo.com/c.
+		location, err = location.Parse(redirectStr)
+		if err != nil {
+			return nil, nil, fmt.Errorf("malformed Location header: %v", err)
+		}
+	}
+
+	connToReturn := intermediateConn
+	intermediateConn = nil // Don't close the connection when we return it.
+	return connToReturn, rawResponse.Bytes(), nil
+}
+
+// CloneRequest creates a shallow copy of the request along with a deep copy of the Headers.
+func CloneRequest(req *http.Request) *http.Request {
+	r := new(http.Request)
+
+	// shallow clone
+	*r = *req
+
+	// deep copy headers
+	r.Header = CloneHeader(req.Header)
+
+	return r
+}
+
+// CloneHeader creates a deep copy of an http.Header.
+func CloneHeader(in http.Header) http.Header {
+	out := make(http.Header, len(in))
+	for key, values := range in {
+		newValues := make([]string, len(values))
+		copy(newValues, values)
+		out[key] = newValues
+	}
+	return out
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/net/interface.go b/cli/vendor/k8s.io/apimachinery/pkg/util/net/interface.go
new file mode 100644
index 00000000..42816bd7
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/net/interface.go
@@ -0,0 +1,392 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package net
+
+import (
+	"bufio"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"net"
+	"os"
+
+	"strings"
+
+	"github.com/golang/glog"
+)
+
+type AddressFamily uint
+
+const (
+	familyIPv4 AddressFamily = 4
+	familyIPv6 AddressFamily = 6
+)
+
+const (
+	ipv4RouteFile = "/proc/net/route"
+	ipv6RouteFile = "/proc/net/ipv6_route"
+)
+
+type Route struct {
+	Interface   string
+	Destination net.IP
+	Gateway     net.IP
+	Family      AddressFamily
+}
+
+type RouteFile struct {
+	name  string
+	parse func(input io.Reader) ([]Route, error)
+}
+
+var (
+	v4File = RouteFile{name: ipv4RouteFile, parse: getIPv4DefaultRoutes}
+	v6File = RouteFile{name: ipv6RouteFile, parse: getIPv6DefaultRoutes}
+)
+
+func (rf RouteFile) extract() ([]Route, error) {
+	file, err := os.Open(rf.name)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+	return rf.parse(file)
+}
+
+// getIPv4DefaultRoutes obtains the IPv4 routes, and filters out non-default routes.
+func getIPv4DefaultRoutes(input io.Reader) ([]Route, error) {
+	routes := []Route{}
+	scanner := bufio.NewReader(input)
+	for {
+		line, err := scanner.ReadString('\n')
+		if err == io.EOF {
+			break
+		}
+		//ignore the headers in the route info
+		if strings.HasPrefix(line, "Iface") {
+			continue
+		}
+		fields := strings.Fields(line)
+		// Interested in fields:
+		//  0 - interface name
+		//  1 - destination address
+		//  2 - gateway
+		dest, err := parseIP(fields[1], familyIPv4)
+		if err != nil {
+			return nil, err
+		}
+		gw, err := parseIP(fields[2], familyIPv4)
+		if err != nil {
+			return nil, err
+		}
+		if !dest.Equal(net.IPv4zero) {
+			continue
+		}
+		routes = append(routes, Route{
+			Interface:   fields[0],
+			Destination: dest,
+			Gateway:     gw,
+			Family:      familyIPv4,
+		})
+	}
+	return routes, nil
+}
+
+func getIPv6DefaultRoutes(input io.Reader) ([]Route, error) {
+	routes := []Route{}
+	scanner := bufio.NewReader(input)
+	for {
+		line, err := scanner.ReadString('\n')
+		if err == io.EOF {
+			break
+		}
+		fields := strings.Fields(line)
+		// Interested in fields:
+		//  0 - destination address
+		//  4 - gateway
+		//  9 - interface name
+		dest, err := parseIP(fields[0], familyIPv6)
+		if err != nil {
+			return nil, err
+		}
+		gw, err := parseIP(fields[4], familyIPv6)
+		if err != nil {
+			return nil, err
+		}
+		if !dest.Equal(net.IPv6zero) {
+			continue
+		}
+		if gw.Equal(net.IPv6zero) {
+			continue // loopback
+		}
+		routes = append(routes, Route{
+			Interface:   fields[9],
+			Destination: dest,
+			Gateway:     gw,
+			Family:      familyIPv6,
+		})
+	}
+	return routes, nil
+}
+
+// parseIP takes the hex IP address string from route file and converts it
+// to a net.IP address. For IPv4, the value must be converted to big endian.
+func parseIP(str string, family AddressFamily) (net.IP, error) {
+	if str == "" {
+		return nil, fmt.Errorf("input is nil")
+	}
+	bytes, err := hex.DecodeString(str)
+	if err != nil {
+		return nil, err
+	}
+	if family == familyIPv4 {
+		if len(bytes) != net.IPv4len {
+			return nil, fmt.Errorf("invalid IPv4 address in route")
+		}
+		return net.IP([]byte{bytes[3], bytes[2], bytes[1], bytes[0]}), nil
+	}
+	// Must be IPv6
+	if len(bytes) != net.IPv6len {
+		return nil, fmt.Errorf("invalid IPv6 address in route")
+	}
+	return net.IP(bytes), nil
+}
+
+func isInterfaceUp(intf *net.Interface) bool {
+	if intf == nil {
+		return false
+	}
+	if intf.Flags&net.FlagUp != 0 {
+		glog.V(4).Infof("Interface %v is up", intf.Name)
+		return true
+	}
+	return false
+}
+
+func isLoopbackOrPointToPoint(intf *net.Interface) bool {
+	return intf.Flags&(net.FlagLoopback|net.FlagPointToPoint) != 0
+}
+
+// getMatchingGlobalIP returns the first valid global unicast address of the given
+// 'family' from the list of 'addrs'.
+func getMatchingGlobalIP(addrs []net.Addr, family AddressFamily) (net.IP, error) {
+	if len(addrs) > 0 {
+		for i := range addrs {
+			glog.V(4).Infof("Checking addr  %s.", addrs[i].String())
+			ip, _, err := net.ParseCIDR(addrs[i].String())
+			if err != nil {
+				return nil, err
+			}
+			if memberOf(ip, family) {
+				if ip.IsGlobalUnicast() {
+					glog.V(4).Infof("IP found %v", ip)
+					return ip, nil
+				} else {
+					glog.V(4).Infof("Non-global unicast address found %v", ip)
+				}
+			} else {
+				glog.V(4).Infof("%v is not an IPv%d address", ip, int(family))
+			}
+
+		}
+	}
+	return nil, nil
+}
+
+// getIPFromInterface gets the IPs on an interface and returns a global unicast address, if any. The
+// interface must be up, the IP must in the family requested, and the IP must be a global unicast address.
+func getIPFromInterface(intfName string, forFamily AddressFamily, nw networkInterfacer) (net.IP, error) {
+	intf, err := nw.InterfaceByName(intfName)
+	if err != nil {
+		return nil, err
+	}
+	if isInterfaceUp(intf) {
+		addrs, err := nw.Addrs(intf)
+		if err != nil {
+			return nil, err
+		}
+		glog.V(4).Infof("Interface %q has %d addresses :%v.", intfName, len(addrs), addrs)
+		matchingIP, err := getMatchingGlobalIP(addrs, forFamily)
+		if err != nil {
+			return nil, err
+		}
+		if matchingIP != nil {
+			glog.V(4).Infof("Found valid IPv%d address %v for interface %q.", int(forFamily), matchingIP, intfName)
+			return matchingIP, nil
+		}
+	}
+	return nil, nil
+}
+
+// memberOF tells if the IP is of the desired family. Used for checking interface addresses.
+func memberOf(ip net.IP, family AddressFamily) bool {
+	if ip.To4() != nil {
+		return family == familyIPv4
+	} else {
+		return family == familyIPv6
+	}
+}
+
+// chooseIPFromHostInterfaces looks at all system interfaces, trying to find one that is up that
+// has a global unicast address (non-loopback, non-link local, non-point2point), and returns the IP.
+// Searches for IPv4 addresses, and then IPv6 addresses.
+func chooseIPFromHostInterfaces(nw networkInterfacer) (net.IP, error) {
+	intfs, err := nw.Interfaces()
+	if err != nil {
+		return nil, err
+	}
+	if len(intfs) == 0 {
+		return nil, fmt.Errorf("no interfaces found on host.")
+	}
+	for _, family := range []AddressFamily{familyIPv4, familyIPv6} {
+		glog.V(4).Infof("Looking for system interface with a global IPv%d address", uint(family))
+		for _, intf := range intfs {
+			if !isInterfaceUp(&intf) {
+				glog.V(4).Infof("Skipping: down interface %q", intf.Name)
+				continue
+			}
+			if isLoopbackOrPointToPoint(&intf) {
+				glog.V(4).Infof("Skipping: LB or P2P interface %q", intf.Name)
+				continue
+			}
+			addrs, err := nw.Addrs(&intf)
+			if err != nil {
+				return nil, err
+			}
+			if len(addrs) == 0 {
+				glog.V(4).Infof("Skipping: no addresses on interface %q", intf.Name)
+				continue
+			}
+			for _, addr := range addrs {
+				ip, _, err := net.ParseCIDR(addr.String())
+				if err != nil {
+					return nil, fmt.Errorf("Unable to parse CIDR for interface %q: %s", intf.Name, err)
+				}
+				if !memberOf(ip, family) {
+					glog.V(4).Infof("Skipping: no address family match for %q on interface %q.", ip, intf.Name)
+					continue
+				}
+				// TODO: Decide if should open up to allow IPv6 LLAs in future.
+				if !ip.IsGlobalUnicast() {
+					glog.V(4).Infof("Skipping: non-global address %q on interface %q.", ip, intf.Name)
+					continue
+				}
+				glog.V(4).Infof("Found global unicast address %q on interface %q.", ip, intf.Name)
+				return ip, nil
+			}
+		}
+	}
+	return nil, fmt.Errorf("no acceptable interface with global unicast address found on host")
+}
+
+// ChooseHostInterface is a method used fetch an IP for a daemon.
+// If there is no routing info file, it will choose a global IP from the system
+// interfaces. Otherwise, it will use IPv4 and IPv6 route information to return the
+// IP of the interface with a gateway on it (with priority given to IPv4). For a node
+// with no internet connection, it returns error.
+func ChooseHostInterface() (net.IP, error) {
+	var nw networkInterfacer = networkInterface{}
+	if _, err := os.Stat(ipv4RouteFile); os.IsNotExist(err) {
+		return chooseIPFromHostInterfaces(nw)
+	}
+	routes, err := getAllDefaultRoutes()
+	if err != nil {
+		return nil, err
+	}
+	return chooseHostInterfaceFromRoute(routes, nw)
+}
+
+// networkInterfacer defines an interface for several net library functions. Production
+// code will forward to net library functions, and unit tests will override the methods
+// for testing purposes.
+type networkInterfacer interface {
+	InterfaceByName(intfName string) (*net.Interface, error)
+	Addrs(intf *net.Interface) ([]net.Addr, error)
+	Interfaces() ([]net.Interface, error)
+}
+
+// networkInterface implements the networkInterfacer interface for production code, just
+// wrapping the underlying net library function calls.
+type networkInterface struct{}
+
+func (_ networkInterface) InterfaceByName(intfName string) (*net.Interface, error) {
+	return net.InterfaceByName(intfName)
+}
+
+func (_ networkInterface) Addrs(intf *net.Interface) ([]net.Addr, error) {
+	return intf.Addrs()
+}
+
+func (_ networkInterface) Interfaces() ([]net.Interface, error) {
+	return net.Interfaces()
+}
+
+// getAllDefaultRoutes obtains IPv4 and IPv6 default routes on the node. If unable
+// to read the IPv4 routing info file, we return an error. If unable to read the IPv6
+// routing info file (which is optional), we'll just use the IPv4 route information.
+// Using all the routing info, if no default routes are found, an error is returned.
+func getAllDefaultRoutes() ([]Route, error) {
+	routes, err := v4File.extract()
+	if err != nil {
+		return nil, err
+	}
+	v6Routes, _ := v6File.extract()
+	routes = append(routes, v6Routes...)
+	if len(routes) == 0 {
+		return nil, fmt.Errorf("No default routes.")
+	}
+	return routes, nil
+}
+
+// chooseHostInterfaceFromRoute cycles through each default route provided, looking for a
+// global IP address from the interface for the route. Will first look all each IPv4 route for
+// an IPv4 IP, and then will look at each IPv6 route for an IPv6 IP.
+func chooseHostInterfaceFromRoute(routes []Route, nw networkInterfacer) (net.IP, error) {
+	for _, family := range []AddressFamily{familyIPv4, familyIPv6} {
+		glog.V(4).Infof("Looking for default routes with IPv%d addresses", uint(family))
+		for _, route := range routes {
+			if route.Family != family {
+				continue
+			}
+			glog.V(4).Infof("Default route transits interface %q", route.Interface)
+			finalIP, err := getIPFromInterface(route.Interface, family, nw)
+			if err != nil {
+				return nil, err
+			}
+			if finalIP != nil {
+				glog.V(4).Infof("Found active IP %v ", finalIP)
+				return finalIP, nil
+			}
+		}
+	}
+	glog.V(4).Infof("No active IP found by looking at default routes")
+	return nil, fmt.Errorf("unable to select an IP from default routes.")
+}
+
+// If bind-address is usable, return it directly
+// If bind-address is not usable (unset, 0.0.0.0, or loopback), we will use the host's default
+// interface.
+func ChooseBindAddress(bindAddress net.IP) (net.IP, error) {
+	if bindAddress == nil || bindAddress.IsUnspecified() || bindAddress.IsLoopback() {
+		hostIP, err := ChooseHostInterface()
+		if err != nil {
+			return nil, err
+		}
+		bindAddress = hostIP
+	}
+	return bindAddress, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/net/port_range.go b/cli/vendor/k8s.io/apimachinery/pkg/util/net/port_range.go
new file mode 100644
index 00000000..6a50e618
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/net/port_range.go
@@ -0,0 +1,113 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package net
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+// PortRange represents a range of TCP/UDP ports.  To represent a single port,
+// set Size to 1.
+type PortRange struct {
+	Base int
+	Size int
+}
+
+// Contains tests whether a given port falls within the PortRange.
+func (pr *PortRange) Contains(p int) bool {
+	return (p >= pr.Base) && ((p - pr.Base) < pr.Size)
+}
+
+// String converts the PortRange to a string representation, which can be
+// parsed by PortRange.Set or ParsePortRange.
+func (pr PortRange) String() string {
+	if pr.Size == 0 {
+		return ""
+	}
+	return fmt.Sprintf("%d-%d", pr.Base, pr.Base+pr.Size-1)
+}
+
+// Set parses a string of the form "min-max", inclusive at both ends, and
+// sets the PortRange from it.  This is part of the flag.Value and pflag.Value
+// interfaces.
+func (pr *PortRange) Set(value string) error {
+	value = strings.TrimSpace(value)
+
+	// TODO: Accept "80" syntax
+	// TODO: Accept "80+8" syntax
+
+	if value == "" {
+		pr.Base = 0
+		pr.Size = 0
+		return nil
+	}
+
+	hyphenIndex := strings.Index(value, "-")
+	if hyphenIndex == -1 {
+		return fmt.Errorf("expected hyphen in port range")
+	}
+
+	var err error
+	var low int
+	var high int
+	low, err = strconv.Atoi(value[:hyphenIndex])
+	if err == nil {
+		high, err = strconv.Atoi(value[hyphenIndex+1:])
+	}
+	if err != nil {
+		return fmt.Errorf("unable to parse port range: %s: %v", value, err)
+	}
+
+	if low > 65535 || high > 65535 {
+		return fmt.Errorf("the port range cannot be greater than 65535: %s", value)
+	}
+
+	if high < low {
+		return fmt.Errorf("end port cannot be less than start port: %s", value)
+	}
+
+	pr.Base = low
+	pr.Size = 1 + high - low
+	return nil
+}
+
+// Type returns a descriptive string about this type.  This is part of the
+// pflag.Value interface.
+func (*PortRange) Type() string {
+	return "portRange"
+}
+
+// ParsePortRange parses a string of the form "min-max", inclusive at both
+// ends, and initializs a new PortRange from it.
+func ParsePortRange(value string) (*PortRange, error) {
+	pr := &PortRange{}
+	err := pr.Set(value)
+	if err != nil {
+		return nil, err
+	}
+	return pr, nil
+}
+
+func ParsePortRangeOrDie(value string) *PortRange {
+	pr, err := ParsePortRange(value)
+	if err != nil {
+		panic(fmt.Sprintf("couldn't parse port range %q: %v", value, err))
+	}
+	return pr
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/net/port_split.go b/cli/vendor/k8s.io/apimachinery/pkg/util/net/port_split.go
new file mode 100644
index 00000000..c0fd4e20
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/net/port_split.go
@@ -0,0 +1,77 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package net
+
+import (
+	"strings"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+var validSchemes = sets.NewString("http", "https", "")
+
+// SplitSchemeNamePort takes a string of the following forms:
+//  * "<name>",                 returns "",        "<name>","",      true
+//  * "<name>:<port>",          returns "",        "<name>","<port>",true
+//  * "<scheme>:<name>:<port>", returns "<scheme>","<name>","<port>",true
+//
+// Name must be non-empty or valid will be returned false.
+// Scheme must be "http" or "https" if specified
+// Port is returned as a string, and it is not required to be numeric (could be
+// used for a named port, for example).
+func SplitSchemeNamePort(id string) (scheme, name, port string, valid bool) {
+	parts := strings.Split(id, ":")
+	switch len(parts) {
+	case 1:
+		name = parts[0]
+	case 2:
+		name = parts[0]
+		port = parts[1]
+	case 3:
+		scheme = parts[0]
+		name = parts[1]
+		port = parts[2]
+	default:
+		return "", "", "", false
+	}
+
+	if len(name) > 0 && validSchemes.Has(scheme) {
+		return scheme, name, port, true
+	} else {
+		return "", "", "", false
+	}
+}
+
+// JoinSchemeNamePort returns a string that specifies the scheme, name, and port:
+//  * "<name>"
+//  * "<name>:<port>"
+//  * "<scheme>:<name>:<port>"
+// None of the parameters may contain a ':' character
+// Name is required
+// Scheme must be "", "http", or "https"
+func JoinSchemeNamePort(scheme, name, port string) string {
+	if len(scheme) > 0 {
+		// Must include three segments to specify scheme
+		return scheme + ":" + name + ":" + port
+	}
+	if len(port) > 0 {
+		// Must include two segments to specify port
+		return name + ":" + port
+	}
+	// Return name alone
+	return name
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/net/util.go b/cli/vendor/k8s.io/apimachinery/pkg/util/net/util.go
new file mode 100644
index 00000000..8344d10c
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/net/util.go
@@ -0,0 +1,56 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package net
+
+import (
+	"net"
+	"net/url"
+	"os"
+	"reflect"
+	"syscall"
+)
+
+// IPNetEqual checks if the two input IPNets are representing the same subnet.
+// For example,
+//	10.0.0.1/24 and 10.0.0.0/24 are the same subnet.
+//	10.0.0.1/24 and 10.0.0.0/25 are not the same subnet.
+func IPNetEqual(ipnet1, ipnet2 *net.IPNet) bool {
+	if ipnet1 == nil || ipnet2 == nil {
+		return false
+	}
+	if reflect.DeepEqual(ipnet1.Mask, ipnet2.Mask) && ipnet1.Contains(ipnet2.IP) && ipnet2.Contains(ipnet1.IP) {
+		return true
+	}
+	return false
+}
+
+// Returns if the given err is "connection reset by peer" error.
+func IsConnectionReset(err error) bool {
+	if urlErr, ok := err.(*url.Error); ok {
+		err = urlErr.Err
+	}
+	if opErr, ok := err.(*net.OpError); ok {
+		err = opErr.Err
+	}
+	if osErr, ok := err.(*os.SyscallError); ok {
+		err = osErr.Err
+	}
+	if errno, ok := err.(syscall.Errno); ok && errno == syscall.ECONNRESET {
+		return true
+	}
+	return false
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go b/cli/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
new file mode 100644
index 00000000..748174e1
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
@@ -0,0 +1,161 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package runtime
+
+import (
+	"fmt"
+	"runtime"
+	"sync"
+	"time"
+
+	"github.com/golang/glog"
+)
+
+var (
+	// ReallyCrash controls the behavior of HandleCrash and now defaults
+	// true. It's still exposed so components can optionally set to false
+	// to restore prior behavior.
+	ReallyCrash = true
+)
+
+// PanicHandlers is a list of functions which will be invoked when a panic happens.
+var PanicHandlers = []func(interface{}){logPanic}
+
+// HandleCrash simply catches a crash and logs an error. Meant to be called via
+// defer.  Additional context-specific handlers can be provided, and will be
+// called in case of panic.  HandleCrash actually crashes, after calling the
+// handlers and logging the panic message.
+//
+// TODO: remove this function. We are switching to a world where it's safe for
+// apiserver to panic, since it will be restarted by kubelet. At the beginning
+// of the Kubernetes project, nothing was going to restart apiserver and so
+// catching panics was important. But it's actually much simpler for montoring
+// software if we just exit when an unexpected panic happens.
+func HandleCrash(additionalHandlers ...func(interface{})) {
+	if r := recover(); r != nil {
+		for _, fn := range PanicHandlers {
+			fn(r)
+		}
+		for _, fn := range additionalHandlers {
+			fn(r)
+		}
+		if ReallyCrash {
+			// Actually proceed to panic.
+			panic(r)
+		}
+	}
+}
+
+// logPanic logs the caller tree when a panic occurs.
+func logPanic(r interface{}) {
+	callers := getCallers(r)
+	glog.Errorf("Observed a panic: %#v (%v)\n%v", r, r, callers)
+}
+
+func getCallers(r interface{}) string {
+	callers := ""
+	for i := 0; true; i++ {
+		_, file, line, ok := runtime.Caller(i)
+		if !ok {
+			break
+		}
+		callers = callers + fmt.Sprintf("%v:%v\n", file, line)
+	}
+
+	return callers
+}
+
+// ErrorHandlers is a list of functions which will be invoked when an unreturnable
+// error occurs.
+// TODO(lavalamp): for testability, this and the below HandleError function
+// should be packaged up into a testable and reusable object.
+var ErrorHandlers = []func(error){
+	logError,
+	(&rudimentaryErrorBackoff{
+		lastErrorTime: time.Now(),
+		// 1ms was the number folks were able to stomach as a global rate limit.
+		// If you need to log errors more than 1000 times a second you
+		// should probably consider fixing your code instead. :)
+		minPeriod: time.Millisecond,
+	}).OnError,
+}
+
+// HandlerError is a method to invoke when a non-user facing piece of code cannot
+// return an error and needs to indicate it has been ignored. Invoking this method
+// is preferable to logging the error - the default behavior is to log but the
+// errors may be sent to a remote server for analysis.
+func HandleError(err error) {
+	// this is sometimes called with a nil error.  We probably shouldn't fail and should do nothing instead
+	if err == nil {
+		return
+	}
+
+	for _, fn := range ErrorHandlers {
+		fn(err)
+	}
+}
+
+// logError prints an error with the call stack of the location it was reported
+func logError(err error) {
+	glog.ErrorDepth(2, err)
+}
+
+type rudimentaryErrorBackoff struct {
+	minPeriod time.Duration // immutable
+	// TODO(lavalamp): use the clock for testability. Need to move that
+	// package for that to be accessible here.
+	lastErrorTimeLock sync.Mutex
+	lastErrorTime     time.Time
+}
+
+// OnError will block if it is called more often than the embedded period time.
+// This will prevent overly tight hot error loops.
+func (r *rudimentaryErrorBackoff) OnError(error) {
+	r.lastErrorTimeLock.Lock()
+	defer r.lastErrorTimeLock.Unlock()
+	d := time.Since(r.lastErrorTime)
+	if d < r.minPeriod {
+		time.Sleep(r.minPeriod - d)
+	}
+	r.lastErrorTime = time.Now()
+}
+
+// GetCaller returns the caller of the function that calls it.
+func GetCaller() string {
+	var pc [1]uintptr
+	runtime.Callers(3, pc[:])
+	f := runtime.FuncForPC(pc[0])
+	if f == nil {
+		return fmt.Sprintf("Unable to find caller")
+	}
+	return f.Name()
+}
+
+// RecoverFromPanic replaces the specified error with an error containing the
+// original error, and  the call tree when a panic occurs. This enables error
+// handlers to handle errors and panics the same way.
+func RecoverFromPanic(err *error) {
+	if r := recover(); r != nil {
+		callers := getCallers(r)
+
+		*err = fmt.Errorf(
+			"recovered from panic %q. (err=%v) Call stack:\n%v",
+			r,
+			*err,
+			callers)
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/sets/byte.go b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/byte.go
new file mode 100644
index 00000000..a460e4b1
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/byte.go
@@ -0,0 +1,203 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by set-gen. Do not edit it manually!
+
+package sets
+
+import (
+	"reflect"
+	"sort"
+)
+
+// sets.Byte is a set of bytes, implemented via map[byte]struct{} for minimal memory consumption.
+type Byte map[byte]Empty
+
+// New creates a Byte from a list of values.
+func NewByte(items ...byte) Byte {
+	ss := Byte{}
+	ss.Insert(items...)
+	return ss
+}
+
+// ByteKeySet creates a Byte from a keys of a map[byte](? extends interface{}).
+// If the value passed in is not actually a map, this will panic.
+func ByteKeySet(theMap interface{}) Byte {
+	v := reflect.ValueOf(theMap)
+	ret := Byte{}
+
+	for _, keyValue := range v.MapKeys() {
+		ret.Insert(keyValue.Interface().(byte))
+	}
+	return ret
+}
+
+// Insert adds items to the set.
+func (s Byte) Insert(items ...byte) {
+	for _, item := range items {
+		s[item] = Empty{}
+	}
+}
+
+// Delete removes all items from the set.
+func (s Byte) Delete(items ...byte) {
+	for _, item := range items {
+		delete(s, item)
+	}
+}
+
+// Has returns true if and only if item is contained in the set.
+func (s Byte) Has(item byte) bool {
+	_, contained := s[item]
+	return contained
+}
+
+// HasAll returns true if and only if all items are contained in the set.
+func (s Byte) HasAll(items ...byte) bool {
+	for _, item := range items {
+		if !s.Has(item) {
+			return false
+		}
+	}
+	return true
+}
+
+// HasAny returns true if any items are contained in the set.
+func (s Byte) HasAny(items ...byte) bool {
+	for _, item := range items {
+		if s.Has(item) {
+			return true
+		}
+	}
+	return false
+}
+
+// Difference returns a set of objects that are not in s2
+// For example:
+// s1 = {a1, a2, a3}
+// s2 = {a1, a2, a4, a5}
+// s1.Difference(s2) = {a3}
+// s2.Difference(s1) = {a4, a5}
+func (s Byte) Difference(s2 Byte) Byte {
+	result := NewByte()
+	for key := range s {
+		if !s2.Has(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// Union returns a new set which includes items in either s1 or s2.
+// For example:
+// s1 = {a1, a2}
+// s2 = {a3, a4}
+// s1.Union(s2) = {a1, a2, a3, a4}
+// s2.Union(s1) = {a1, a2, a3, a4}
+func (s1 Byte) Union(s2 Byte) Byte {
+	result := NewByte()
+	for key := range s1 {
+		result.Insert(key)
+	}
+	for key := range s2 {
+		result.Insert(key)
+	}
+	return result
+}
+
+// Intersection returns a new set which includes the item in BOTH s1 and s2
+// For example:
+// s1 = {a1, a2}
+// s2 = {a2, a3}
+// s1.Intersection(s2) = {a2}
+func (s1 Byte) Intersection(s2 Byte) Byte {
+	var walk, other Byte
+	result := NewByte()
+	if s1.Len() < s2.Len() {
+		walk = s1
+		other = s2
+	} else {
+		walk = s2
+		other = s1
+	}
+	for key := range walk {
+		if other.Has(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// IsSuperset returns true if and only if s1 is a superset of s2.
+func (s1 Byte) IsSuperset(s2 Byte) bool {
+	for item := range s2 {
+		if !s1.Has(item) {
+			return false
+		}
+	}
+	return true
+}
+
+// Equal returns true if and only if s1 is equal (as a set) to s2.
+// Two sets are equal if their membership is identical.
+// (In practice, this means same elements, order doesn't matter)
+func (s1 Byte) Equal(s2 Byte) bool {
+	return len(s1) == len(s2) && s1.IsSuperset(s2)
+}
+
+type sortableSliceOfByte []byte
+
+func (s sortableSliceOfByte) Len() int           { return len(s) }
+func (s sortableSliceOfByte) Less(i, j int) bool { return lessByte(s[i], s[j]) }
+func (s sortableSliceOfByte) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+
+// List returns the contents as a sorted byte slice.
+func (s Byte) List() []byte {
+	res := make(sortableSliceOfByte, 0, len(s))
+	for key := range s {
+		res = append(res, key)
+	}
+	sort.Sort(res)
+	return []byte(res)
+}
+
+// UnsortedList returns the slice with contents in random order.
+func (s Byte) UnsortedList() []byte {
+	res := make([]byte, 0, len(s))
+	for key := range s {
+		res = append(res, key)
+	}
+	return res
+}
+
+// Returns a single element from the set.
+func (s Byte) PopAny() (byte, bool) {
+	for key := range s {
+		s.Delete(key)
+		return key, true
+	}
+	var zeroValue byte
+	return zeroValue, false
+}
+
+// Len returns the size of the set.
+func (s Byte) Len() int {
+	return len(s)
+}
+
+func lessByte(lhs, rhs byte) bool {
+	return lhs < rhs
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/sets/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/doc.go
new file mode 100644
index 00000000..28a6a7d5
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by set-gen. Do not edit it manually!
+
+// Package sets has auto-generated set types.
+package sets
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/sets/empty.go b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/empty.go
new file mode 100644
index 00000000..cd22b953
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/empty.go
@@ -0,0 +1,23 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by set-gen. Do not edit it manually!
+
+package sets
+
+// Empty is public since it is used by some internal API objects for conversions between external
+// string arrays and internal sets, and conversion logic requires public types today.
+type Empty struct{}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/sets/int.go b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/int.go
new file mode 100644
index 00000000..0614e9fb
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/int.go
@@ -0,0 +1,203 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by set-gen. Do not edit it manually!
+
+package sets
+
+import (
+	"reflect"
+	"sort"
+)
+
+// sets.Int is a set of ints, implemented via map[int]struct{} for minimal memory consumption.
+type Int map[int]Empty
+
+// New creates a Int from a list of values.
+func NewInt(items ...int) Int {
+	ss := Int{}
+	ss.Insert(items...)
+	return ss
+}
+
+// IntKeySet creates a Int from a keys of a map[int](? extends interface{}).
+// If the value passed in is not actually a map, this will panic.
+func IntKeySet(theMap interface{}) Int {
+	v := reflect.ValueOf(theMap)
+	ret := Int{}
+
+	for _, keyValue := range v.MapKeys() {
+		ret.Insert(keyValue.Interface().(int))
+	}
+	return ret
+}
+
+// Insert adds items to the set.
+func (s Int) Insert(items ...int) {
+	for _, item := range items {
+		s[item] = Empty{}
+	}
+}
+
+// Delete removes all items from the set.
+func (s Int) Delete(items ...int) {
+	for _, item := range items {
+		delete(s, item)
+	}
+}
+
+// Has returns true if and only if item is contained in the set.
+func (s Int) Has(item int) bool {
+	_, contained := s[item]
+	return contained
+}
+
+// HasAll returns true if and only if all items are contained in the set.
+func (s Int) HasAll(items ...int) bool {
+	for _, item := range items {
+		if !s.Has(item) {
+			return false
+		}
+	}
+	return true
+}
+
+// HasAny returns true if any items are contained in the set.
+func (s Int) HasAny(items ...int) bool {
+	for _, item := range items {
+		if s.Has(item) {
+			return true
+		}
+	}
+	return false
+}
+
+// Difference returns a set of objects that are not in s2
+// For example:
+// s1 = {a1, a2, a3}
+// s2 = {a1, a2, a4, a5}
+// s1.Difference(s2) = {a3}
+// s2.Difference(s1) = {a4, a5}
+func (s Int) Difference(s2 Int) Int {
+	result := NewInt()
+	for key := range s {
+		if !s2.Has(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// Union returns a new set which includes items in either s1 or s2.
+// For example:
+// s1 = {a1, a2}
+// s2 = {a3, a4}
+// s1.Union(s2) = {a1, a2, a3, a4}
+// s2.Union(s1) = {a1, a2, a3, a4}
+func (s1 Int) Union(s2 Int) Int {
+	result := NewInt()
+	for key := range s1 {
+		result.Insert(key)
+	}
+	for key := range s2 {
+		result.Insert(key)
+	}
+	return result
+}
+
+// Intersection returns a new set which includes the item in BOTH s1 and s2
+// For example:
+// s1 = {a1, a2}
+// s2 = {a2, a3}
+// s1.Intersection(s2) = {a2}
+func (s1 Int) Intersection(s2 Int) Int {
+	var walk, other Int
+	result := NewInt()
+	if s1.Len() < s2.Len() {
+		walk = s1
+		other = s2
+	} else {
+		walk = s2
+		other = s1
+	}
+	for key := range walk {
+		if other.Has(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// IsSuperset returns true if and only if s1 is a superset of s2.
+func (s1 Int) IsSuperset(s2 Int) bool {
+	for item := range s2 {
+		if !s1.Has(item) {
+			return false
+		}
+	}
+	return true
+}
+
+// Equal returns true if and only if s1 is equal (as a set) to s2.
+// Two sets are equal if their membership is identical.
+// (In practice, this means same elements, order doesn't matter)
+func (s1 Int) Equal(s2 Int) bool {
+	return len(s1) == len(s2) && s1.IsSuperset(s2)
+}
+
+type sortableSliceOfInt []int
+
+func (s sortableSliceOfInt) Len() int           { return len(s) }
+func (s sortableSliceOfInt) Less(i, j int) bool { return lessInt(s[i], s[j]) }
+func (s sortableSliceOfInt) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+
+// List returns the contents as a sorted int slice.
+func (s Int) List() []int {
+	res := make(sortableSliceOfInt, 0, len(s))
+	for key := range s {
+		res = append(res, key)
+	}
+	sort.Sort(res)
+	return []int(res)
+}
+
+// UnsortedList returns the slice with contents in random order.
+func (s Int) UnsortedList() []int {
+	res := make([]int, 0, len(s))
+	for key := range s {
+		res = append(res, key)
+	}
+	return res
+}
+
+// Returns a single element from the set.
+func (s Int) PopAny() (int, bool) {
+	for key := range s {
+		s.Delete(key)
+		return key, true
+	}
+	var zeroValue int
+	return zeroValue, false
+}
+
+// Len returns the size of the set.
+func (s Int) Len() int {
+	return len(s)
+}
+
+func lessInt(lhs, rhs int) bool {
+	return lhs < rhs
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/sets/int64.go b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/int64.go
new file mode 100644
index 00000000..82e1ba78
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/int64.go
@@ -0,0 +1,203 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by set-gen. Do not edit it manually!
+
+package sets
+
+import (
+	"reflect"
+	"sort"
+)
+
+// sets.Int64 is a set of int64s, implemented via map[int64]struct{} for minimal memory consumption.
+type Int64 map[int64]Empty
+
+// New creates a Int64 from a list of values.
+func NewInt64(items ...int64) Int64 {
+	ss := Int64{}
+	ss.Insert(items...)
+	return ss
+}
+
+// Int64KeySet creates a Int64 from a keys of a map[int64](? extends interface{}).
+// If the value passed in is not actually a map, this will panic.
+func Int64KeySet(theMap interface{}) Int64 {
+	v := reflect.ValueOf(theMap)
+	ret := Int64{}
+
+	for _, keyValue := range v.MapKeys() {
+		ret.Insert(keyValue.Interface().(int64))
+	}
+	return ret
+}
+
+// Insert adds items to the set.
+func (s Int64) Insert(items ...int64) {
+	for _, item := range items {
+		s[item] = Empty{}
+	}
+}
+
+// Delete removes all items from the set.
+func (s Int64) Delete(items ...int64) {
+	for _, item := range items {
+		delete(s, item)
+	}
+}
+
+// Has returns true if and only if item is contained in the set.
+func (s Int64) Has(item int64) bool {
+	_, contained := s[item]
+	return contained
+}
+
+// HasAll returns true if and only if all items are contained in the set.
+func (s Int64) HasAll(items ...int64) bool {
+	for _, item := range items {
+		if !s.Has(item) {
+			return false
+		}
+	}
+	return true
+}
+
+// HasAny returns true if any items are contained in the set.
+func (s Int64) HasAny(items ...int64) bool {
+	for _, item := range items {
+		if s.Has(item) {
+			return true
+		}
+	}
+	return false
+}
+
+// Difference returns a set of objects that are not in s2
+// For example:
+// s1 = {a1, a2, a3}
+// s2 = {a1, a2, a4, a5}
+// s1.Difference(s2) = {a3}
+// s2.Difference(s1) = {a4, a5}
+func (s Int64) Difference(s2 Int64) Int64 {
+	result := NewInt64()
+	for key := range s {
+		if !s2.Has(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// Union returns a new set which includes items in either s1 or s2.
+// For example:
+// s1 = {a1, a2}
+// s2 = {a3, a4}
+// s1.Union(s2) = {a1, a2, a3, a4}
+// s2.Union(s1) = {a1, a2, a3, a4}
+func (s1 Int64) Union(s2 Int64) Int64 {
+	result := NewInt64()
+	for key := range s1 {
+		result.Insert(key)
+	}
+	for key := range s2 {
+		result.Insert(key)
+	}
+	return result
+}
+
+// Intersection returns a new set which includes the item in BOTH s1 and s2
+// For example:
+// s1 = {a1, a2}
+// s2 = {a2, a3}
+// s1.Intersection(s2) = {a2}
+func (s1 Int64) Intersection(s2 Int64) Int64 {
+	var walk, other Int64
+	result := NewInt64()
+	if s1.Len() < s2.Len() {
+		walk = s1
+		other = s2
+	} else {
+		walk = s2
+		other = s1
+	}
+	for key := range walk {
+		if other.Has(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// IsSuperset returns true if and only if s1 is a superset of s2.
+func (s1 Int64) IsSuperset(s2 Int64) bool {
+	for item := range s2 {
+		if !s1.Has(item) {
+			return false
+		}
+	}
+	return true
+}
+
+// Equal returns true if and only if s1 is equal (as a set) to s2.
+// Two sets are equal if their membership is identical.
+// (In practice, this means same elements, order doesn't matter)
+func (s1 Int64) Equal(s2 Int64) bool {
+	return len(s1) == len(s2) && s1.IsSuperset(s2)
+}
+
+type sortableSliceOfInt64 []int64
+
+func (s sortableSliceOfInt64) Len() int           { return len(s) }
+func (s sortableSliceOfInt64) Less(i, j int) bool { return lessInt64(s[i], s[j]) }
+func (s sortableSliceOfInt64) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+
+// List returns the contents as a sorted int64 slice.
+func (s Int64) List() []int64 {
+	res := make(sortableSliceOfInt64, 0, len(s))
+	for key := range s {
+		res = append(res, key)
+	}
+	sort.Sort(res)
+	return []int64(res)
+}
+
+// UnsortedList returns the slice with contents in random order.
+func (s Int64) UnsortedList() []int64 {
+	res := make([]int64, 0, len(s))
+	for key := range s {
+		res = append(res, key)
+	}
+	return res
+}
+
+// Returns a single element from the set.
+func (s Int64) PopAny() (int64, bool) {
+	for key := range s {
+		s.Delete(key)
+		return key, true
+	}
+	var zeroValue int64
+	return zeroValue, false
+}
+
+// Len returns the size of the set.
+func (s Int64) Len() int {
+	return len(s)
+}
+
+func lessInt64(lhs, rhs int64) bool {
+	return lhs < rhs
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/sets/string.go b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/string.go
new file mode 100644
index 00000000..baef7a6a
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/sets/string.go
@@ -0,0 +1,203 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by set-gen. Do not edit it manually!
+
+package sets
+
+import (
+	"reflect"
+	"sort"
+)
+
+// sets.String is a set of strings, implemented via map[string]struct{} for minimal memory consumption.
+type String map[string]Empty
+
+// New creates a String from a list of values.
+func NewString(items ...string) String {
+	ss := String{}
+	ss.Insert(items...)
+	return ss
+}
+
+// StringKeySet creates a String from a keys of a map[string](? extends interface{}).
+// If the value passed in is not actually a map, this will panic.
+func StringKeySet(theMap interface{}) String {
+	v := reflect.ValueOf(theMap)
+	ret := String{}
+
+	for _, keyValue := range v.MapKeys() {
+		ret.Insert(keyValue.Interface().(string))
+	}
+	return ret
+}
+
+// Insert adds items to the set.
+func (s String) Insert(items ...string) {
+	for _, item := range items {
+		s[item] = Empty{}
+	}
+}
+
+// Delete removes all items from the set.
+func (s String) Delete(items ...string) {
+	for _, item := range items {
+		delete(s, item)
+	}
+}
+
+// Has returns true if and only if item is contained in the set.
+func (s String) Has(item string) bool {
+	_, contained := s[item]
+	return contained
+}
+
+// HasAll returns true if and only if all items are contained in the set.
+func (s String) HasAll(items ...string) bool {
+	for _, item := range items {
+		if !s.Has(item) {
+			return false
+		}
+	}
+	return true
+}
+
+// HasAny returns true if any items are contained in the set.
+func (s String) HasAny(items ...string) bool {
+	for _, item := range items {
+		if s.Has(item) {
+			return true
+		}
+	}
+	return false
+}
+
+// Difference returns a set of objects that are not in s2
+// For example:
+// s1 = {a1, a2, a3}
+// s2 = {a1, a2, a4, a5}
+// s1.Difference(s2) = {a3}
+// s2.Difference(s1) = {a4, a5}
+func (s String) Difference(s2 String) String {
+	result := NewString()
+	for key := range s {
+		if !s2.Has(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// Union returns a new set which includes items in either s1 or s2.
+// For example:
+// s1 = {a1, a2}
+// s2 = {a3, a4}
+// s1.Union(s2) = {a1, a2, a3, a4}
+// s2.Union(s1) = {a1, a2, a3, a4}
+func (s1 String) Union(s2 String) String {
+	result := NewString()
+	for key := range s1 {
+		result.Insert(key)
+	}
+	for key := range s2 {
+		result.Insert(key)
+	}
+	return result
+}
+
+// Intersection returns a new set which includes the item in BOTH s1 and s2
+// For example:
+// s1 = {a1, a2}
+// s2 = {a2, a3}
+// s1.Intersection(s2) = {a2}
+func (s1 String) Intersection(s2 String) String {
+	var walk, other String
+	result := NewString()
+	if s1.Len() < s2.Len() {
+		walk = s1
+		other = s2
+	} else {
+		walk = s2
+		other = s1
+	}
+	for key := range walk {
+		if other.Has(key) {
+			result.Insert(key)
+		}
+	}
+	return result
+}
+
+// IsSuperset returns true if and only if s1 is a superset of s2.
+func (s1 String) IsSuperset(s2 String) bool {
+	for item := range s2 {
+		if !s1.Has(item) {
+			return false
+		}
+	}
+	return true
+}
+
+// Equal returns true if and only if s1 is equal (as a set) to s2.
+// Two sets are equal if their membership is identical.
+// (In practice, this means same elements, order doesn't matter)
+func (s1 String) Equal(s2 String) bool {
+	return len(s1) == len(s2) && s1.IsSuperset(s2)
+}
+
+type sortableSliceOfString []string
+
+func (s sortableSliceOfString) Len() int           { return len(s) }
+func (s sortableSliceOfString) Less(i, j int) bool { return lessString(s[i], s[j]) }
+func (s sortableSliceOfString) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+
+// List returns the contents as a sorted string slice.
+func (s String) List() []string {
+	res := make(sortableSliceOfString, 0, len(s))
+	for key := range s {
+		res = append(res, key)
+	}
+	sort.Sort(res)
+	return []string(res)
+}
+
+// UnsortedList returns the slice with contents in random order.
+func (s String) UnsortedList() []string {
+	res := make([]string, 0, len(s))
+	for key := range s {
+		res = append(res, key)
+	}
+	return res
+}
+
+// Returns a single element from the set.
+func (s String) PopAny() (string, bool) {
+	for key := range s {
+		s.Delete(key)
+		return key, true
+	}
+	var zeroValue string
+	return zeroValue, false
+}
+
+// Len returns the size of the set.
+func (s String) Len() int {
+	return len(s)
+}
+
+func lessString(lhs, rhs string) bool {
+	return lhs < rhs
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/validation/field/errors.go b/cli/vendor/k8s.io/apimachinery/pkg/util/validation/field/errors.go
new file mode 100644
index 00000000..43c779a1
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/validation/field/errors.go
@@ -0,0 +1,254 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package field
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// Error is an implementation of the 'error' interface, which represents a
+// field-level validation error.
+type Error struct {
+	Type     ErrorType
+	Field    string
+	BadValue interface{}
+	Detail   string
+}
+
+var _ error = &Error{}
+
+// Error implements the error interface.
+func (v *Error) Error() string {
+	return fmt.Sprintf("%s: %s", v.Field, v.ErrorBody())
+}
+
+// ErrorBody returns the error message without the field name.  This is useful
+// for building nice-looking higher-level error reporting.
+func (v *Error) ErrorBody() string {
+	var s string
+	switch v.Type {
+	case ErrorTypeRequired, ErrorTypeForbidden, ErrorTypeTooLong, ErrorTypeInternal:
+		s = fmt.Sprintf("%s", v.Type)
+	default:
+		value := v.BadValue
+		valueType := reflect.TypeOf(value)
+		if value == nil || valueType == nil {
+			value = "null"
+		} else if valueType.Kind() == reflect.Ptr {
+			if reflectValue := reflect.ValueOf(value); reflectValue.IsNil() {
+				value = "null"
+			} else {
+				value = reflectValue.Elem().Interface()
+			}
+		}
+		switch t := value.(type) {
+		case int64, int32, float64, float32, bool:
+			// use simple printer for simple types
+			s = fmt.Sprintf("%s: %v", v.Type, value)
+		case string:
+			s = fmt.Sprintf("%s: %q", v.Type, t)
+		case fmt.Stringer:
+			// anything that defines String() is better than raw struct
+			s = fmt.Sprintf("%s: %s", v.Type, t.String())
+		default:
+			// fallback to raw struct
+			// TODO: internal types have panic guards against json.Marshalling to prevent
+			// accidental use of internal types in external serialized form.  For now, use
+			// %#v, although it would be better to show a more expressive output in the future
+			s = fmt.Sprintf("%s: %#v", v.Type, value)
+		}
+	}
+	if len(v.Detail) != 0 {
+		s += fmt.Sprintf(": %s", v.Detail)
+	}
+	return s
+}
+
+// ErrorType is a machine readable value providing more detail about why
+// a field is invalid.  These values are expected to match 1-1 with
+// CauseType in api/types.go.
+type ErrorType string
+
+// TODO: These values are duplicated in api/types.go, but there's a circular dep.  Fix it.
+const (
+	// ErrorTypeNotFound is used to report failure to find a requested value
+	// (e.g. looking up an ID).  See NotFound().
+	ErrorTypeNotFound ErrorType = "FieldValueNotFound"
+	// ErrorTypeRequired is used to report required values that are not
+	// provided (e.g. empty strings, null values, or empty arrays).  See
+	// Required().
+	ErrorTypeRequired ErrorType = "FieldValueRequired"
+	// ErrorTypeDuplicate is used to report collisions of values that must be
+	// unique (e.g. unique IDs).  See Duplicate().
+	ErrorTypeDuplicate ErrorType = "FieldValueDuplicate"
+	// ErrorTypeInvalid is used to report malformed values (e.g. failed regex
+	// match, too long, out of bounds).  See Invalid().
+	ErrorTypeInvalid ErrorType = "FieldValueInvalid"
+	// ErrorTypeNotSupported is used to report unknown values for enumerated
+	// fields (e.g. a list of valid values).  See NotSupported().
+	ErrorTypeNotSupported ErrorType = "FieldValueNotSupported"
+	// ErrorTypeForbidden is used to report valid (as per formatting rules)
+	// values which would be accepted under some conditions, but which are not
+	// permitted by the current conditions (such as security policy).  See
+	// Forbidden().
+	ErrorTypeForbidden ErrorType = "FieldValueForbidden"
+	// ErrorTypeTooLong is used to report that the given value is too long.
+	// This is similar to ErrorTypeInvalid, but the error will not include the
+	// too-long value.  See TooLong().
+	ErrorTypeTooLong ErrorType = "FieldValueTooLong"
+	// ErrorTypeInternal is used to report other errors that are not related
+	// to user input.  See InternalError().
+	ErrorTypeInternal ErrorType = "InternalError"
+)
+
+// String converts a ErrorType into its corresponding canonical error message.
+func (t ErrorType) String() string {
+	switch t {
+	case ErrorTypeNotFound:
+		return "Not found"
+	case ErrorTypeRequired:
+		return "Required value"
+	case ErrorTypeDuplicate:
+		return "Duplicate value"
+	case ErrorTypeInvalid:
+		return "Invalid value"
+	case ErrorTypeNotSupported:
+		return "Unsupported value"
+	case ErrorTypeForbidden:
+		return "Forbidden"
+	case ErrorTypeTooLong:
+		return "Too long"
+	case ErrorTypeInternal:
+		return "Internal error"
+	default:
+		panic(fmt.Sprintf("unrecognized validation error: %q", string(t)))
+	}
+}
+
+// NotFound returns a *Error indicating "value not found".  This is
+// used to report failure to find a requested value (e.g. looking up an ID).
+func NotFound(field *Path, value interface{}) *Error {
+	return &Error{ErrorTypeNotFound, field.String(), value, ""}
+}
+
+// Required returns a *Error indicating "value required".  This is used
+// to report required values that are not provided (e.g. empty strings, null
+// values, or empty arrays).
+func Required(field *Path, detail string) *Error {
+	return &Error{ErrorTypeRequired, field.String(), "", detail}
+}
+
+// Duplicate returns a *Error indicating "duplicate value".  This is
+// used to report collisions of values that must be unique (e.g. names or IDs).
+func Duplicate(field *Path, value interface{}) *Error {
+	return &Error{ErrorTypeDuplicate, field.String(), value, ""}
+}
+
+// Invalid returns a *Error indicating "invalid value".  This is used
+// to report malformed values (e.g. failed regex match, too long, out of bounds).
+func Invalid(field *Path, value interface{}, detail string) *Error {
+	return &Error{ErrorTypeInvalid, field.String(), value, detail}
+}
+
+// NotSupported returns a *Error indicating "unsupported value".
+// This is used to report unknown values for enumerated fields (e.g. a list of
+// valid values).
+func NotSupported(field *Path, value interface{}, validValues []string) *Error {
+	detail := ""
+	if validValues != nil && len(validValues) > 0 {
+		detail = "supported values: " + strings.Join(validValues, ", ")
+	}
+	return &Error{ErrorTypeNotSupported, field.String(), value, detail}
+}
+
+// Forbidden returns a *Error indicating "forbidden".  This is used to
+// report valid (as per formatting rules) values which would be accepted under
+// some conditions, but which are not permitted by current conditions (e.g.
+// security policy).
+func Forbidden(field *Path, detail string) *Error {
+	return &Error{ErrorTypeForbidden, field.String(), "", detail}
+}
+
+// TooLong returns a *Error indicating "too long".  This is used to
+// report that the given value is too long.  This is similar to
+// Invalid, but the returned error will not include the too-long
+// value.
+func TooLong(field *Path, value interface{}, maxLength int) *Error {
+	return &Error{ErrorTypeTooLong, field.String(), value, fmt.Sprintf("must have at most %d characters", maxLength)}
+}
+
+// InternalError returns a *Error indicating "internal error".  This is used
+// to signal that an error was found that was not directly related to user
+// input.  The err argument must be non-nil.
+func InternalError(field *Path, err error) *Error {
+	return &Error{ErrorTypeInternal, field.String(), nil, err.Error()}
+}
+
+// ErrorList holds a set of Errors.  It is plausible that we might one day have
+// non-field errors in this same umbrella package, but for now we don't, so
+// we can keep it simple and leave ErrorList here.
+type ErrorList []*Error
+
+// NewErrorTypeMatcher returns an errors.Matcher that returns true
+// if the provided error is a Error and has the provided ErrorType.
+func NewErrorTypeMatcher(t ErrorType) utilerrors.Matcher {
+	return func(err error) bool {
+		if e, ok := err.(*Error); ok {
+			return e.Type == t
+		}
+		return false
+	}
+}
+
+// ToAggregate converts the ErrorList into an errors.Aggregate.
+func (list ErrorList) ToAggregate() utilerrors.Aggregate {
+	errs := make([]error, 0, len(list))
+	errorMsgs := sets.NewString()
+	for _, err := range list {
+		msg := fmt.Sprintf("%v", err)
+		if errorMsgs.Has(msg) {
+			continue
+		}
+		errorMsgs.Insert(msg)
+		errs = append(errs, err)
+	}
+	return utilerrors.NewAggregate(errs)
+}
+
+func fromAggregate(agg utilerrors.Aggregate) ErrorList {
+	errs := agg.Errors()
+	list := make(ErrorList, len(errs))
+	for i := range errs {
+		list[i] = errs[i].(*Error)
+	}
+	return list
+}
+
+// Filter removes items from the ErrorList that match the provided fns.
+func (list ErrorList) Filter(fns ...utilerrors.Matcher) ErrorList {
+	err := utilerrors.FilterOut(list.ToAggregate(), fns...)
+	if err == nil {
+		return nil
+	}
+	// FilterOut takes an Aggregate and returns an Aggregate
+	return fromAggregate(err.(utilerrors.Aggregate))
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/validation/field/path.go b/cli/vendor/k8s.io/apimachinery/pkg/util/validation/field/path.go
new file mode 100644
index 00000000..2efc8eec
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/validation/field/path.go
@@ -0,0 +1,91 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package field
+
+import (
+	"bytes"
+	"fmt"
+	"strconv"
+)
+
+// Path represents the path from some root to a particular field.
+type Path struct {
+	name   string // the name of this field or "" if this is an index
+	index  string // if name == "", this is a subscript (index or map key) of the previous element
+	parent *Path  // nil if this is the root element
+}
+
+// NewPath creates a root Path object.
+func NewPath(name string, moreNames ...string) *Path {
+	r := &Path{name: name, parent: nil}
+	for _, anotherName := range moreNames {
+		r = &Path{name: anotherName, parent: r}
+	}
+	return r
+}
+
+// Root returns the root element of this Path.
+func (p *Path) Root() *Path {
+	for ; p.parent != nil; p = p.parent {
+		// Do nothing.
+	}
+	return p
+}
+
+// Child creates a new Path that is a child of the method receiver.
+func (p *Path) Child(name string, moreNames ...string) *Path {
+	r := NewPath(name, moreNames...)
+	r.Root().parent = p
+	return r
+}
+
+// Index indicates that the previous Path is to be subscripted by an int.
+// This sets the same underlying value as Key.
+func (p *Path) Index(index int) *Path {
+	return &Path{index: strconv.Itoa(index), parent: p}
+}
+
+// Key indicates that the previous Path is to be subscripted by a string.
+// This sets the same underlying value as Index.
+func (p *Path) Key(key string) *Path {
+	return &Path{index: key, parent: p}
+}
+
+// String produces a string representation of the Path.
+func (p *Path) String() string {
+	// make a slice to iterate
+	elems := []*Path{}
+	for ; p != nil; p = p.parent {
+		elems = append(elems, p)
+	}
+
+	// iterate, but it has to be backwards
+	buf := bytes.NewBuffer(nil)
+	for i := range elems {
+		p := elems[len(elems)-1-i]
+		if p.parent != nil && len(p.name) > 0 {
+			// This is either the root or it is a subscript.
+			buf.WriteString(".")
+		}
+		if len(p.name) > 0 {
+			buf.WriteString(p.name)
+		} else {
+			fmt.Fprintf(buf, "[%s]", p.index)
+		}
+	}
+	return buf.String()
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/validation/validation.go b/cli/vendor/k8s.io/apimachinery/pkg/util/validation/validation.go
new file mode 100644
index 00000000..7da6a17d
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/validation/validation.go
@@ -0,0 +1,391 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"fmt"
+	"math"
+	"net"
+	"regexp"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+const qnameCharFmt string = "[A-Za-z0-9]"
+const qnameExtCharFmt string = "[-A-Za-z0-9_.]"
+const qualifiedNameFmt string = "(" + qnameCharFmt + qnameExtCharFmt + "*)?" + qnameCharFmt
+const qualifiedNameErrMsg string = "must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+const qualifiedNameMaxLength int = 63
+
+var qualifiedNameRegexp = regexp.MustCompile("^" + qualifiedNameFmt + "$")
+
+// IsQualifiedName tests whether the value passed is what Kubernetes calls a
+// "qualified name".  This is a format used in various places throughout the
+// system.  If the value is not valid, a list of error strings is returned.
+// Otherwise an empty list (or nil) is returned.
+func IsQualifiedName(value string) []string {
+	var errs []string
+	parts := strings.Split(value, "/")
+	var name string
+	switch len(parts) {
+	case 1:
+		name = parts[0]
+	case 2:
+		var prefix string
+		prefix, name = parts[0], parts[1]
+		if len(prefix) == 0 {
+			errs = append(errs, "prefix part "+EmptyError())
+		} else if msgs := IsDNS1123Subdomain(prefix); len(msgs) != 0 {
+			errs = append(errs, prefixEach(msgs, "prefix part ")...)
+		}
+	default:
+		return append(errs, "a qualified name "+RegexError(qualifiedNameErrMsg, qualifiedNameFmt, "MyName", "my.name", "123-abc")+
+			" with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')")
+	}
+
+	if len(name) == 0 {
+		errs = append(errs, "name part "+EmptyError())
+	} else if len(name) > qualifiedNameMaxLength {
+		errs = append(errs, "name part "+MaxLenError(qualifiedNameMaxLength))
+	}
+	if !qualifiedNameRegexp.MatchString(name) {
+		errs = append(errs, "name part "+RegexError(qualifiedNameErrMsg, qualifiedNameFmt, "MyName", "my.name", "123-abc"))
+	}
+	return errs
+}
+
+// IsFullyQualifiedName checks if the name is fully qualified.
+func IsFullyQualifiedName(fldPath *field.Path, name string) field.ErrorList {
+	var allErrors field.ErrorList
+	if len(name) == 0 {
+		return append(allErrors, field.Required(fldPath, ""))
+	}
+	if errs := IsDNS1123Subdomain(name); len(errs) > 0 {
+		return append(allErrors, field.Invalid(fldPath, name, strings.Join(errs, ",")))
+	}
+	if len(strings.Split(name, ".")) < 3 {
+		return append(allErrors, field.Invalid(fldPath, name, "should be a domain with at least three segments separated by dots"))
+	}
+	return allErrors
+}
+
+const labelValueFmt string = "(" + qualifiedNameFmt + ")?"
+const labelValueErrMsg string = "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character"
+const LabelValueMaxLength int = 63
+
+var labelValueRegexp = regexp.MustCompile("^" + labelValueFmt + "$")
+
+// IsValidLabelValue tests whether the value passed is a valid label value.  If
+// the value is not valid, a list of error strings is returned.  Otherwise an
+// empty list (or nil) is returned.
+func IsValidLabelValue(value string) []string {
+	var errs []string
+	if len(value) > LabelValueMaxLength {
+		errs = append(errs, MaxLenError(LabelValueMaxLength))
+	}
+	if !labelValueRegexp.MatchString(value) {
+		errs = append(errs, RegexError(labelValueErrMsg, labelValueFmt, "MyValue", "my_value", "12345"))
+	}
+	return errs
+}
+
+const dns1123LabelFmt string = "[a-z0-9]([-a-z0-9]*[a-z0-9])?"
+const dns1123LabelErrMsg string = "a DNS-1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character"
+const DNS1123LabelMaxLength int = 63
+
+var dns1123LabelRegexp = regexp.MustCompile("^" + dns1123LabelFmt + "$")
+
+// IsDNS1123Label tests for a string that conforms to the definition of a label in
+// DNS (RFC 1123).
+func IsDNS1123Label(value string) []string {
+	var errs []string
+	if len(value) > DNS1123LabelMaxLength {
+		errs = append(errs, MaxLenError(DNS1123LabelMaxLength))
+	}
+	if !dns1123LabelRegexp.MatchString(value) {
+		errs = append(errs, RegexError(dns1123LabelErrMsg, dns1123LabelFmt, "my-name", "123-abc"))
+	}
+	return errs
+}
+
+const dns1123SubdomainFmt string = dns1123LabelFmt + "(\\." + dns1123LabelFmt + ")*"
+const dns1123SubdomainErrorMsg string = "a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+const DNS1123SubdomainMaxLength int = 253
+
+var dns1123SubdomainRegexp = regexp.MustCompile("^" + dns1123SubdomainFmt + "$")
+
+// IsDNS1123Subdomain tests for a string that conforms to the definition of a
+// subdomain in DNS (RFC 1123).
+func IsDNS1123Subdomain(value string) []string {
+	var errs []string
+	if len(value) > DNS1123SubdomainMaxLength {
+		errs = append(errs, MaxLenError(DNS1123SubdomainMaxLength))
+	}
+	if !dns1123SubdomainRegexp.MatchString(value) {
+		errs = append(errs, RegexError(dns1123SubdomainErrorMsg, dns1123SubdomainFmt, "example.com"))
+	}
+	return errs
+}
+
+const dns1035LabelFmt string = "[a-z]([-a-z0-9]*[a-z0-9])?"
+const dns1035LabelErrMsg string = "a DNS-1035 label must consist of lower case alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character"
+const DNS1035LabelMaxLength int = 63
+
+var dns1035LabelRegexp = regexp.MustCompile("^" + dns1035LabelFmt + "$")
+
+// IsDNS1035Label tests for a string that conforms to the definition of a label in
+// DNS (RFC 1035).
+func IsDNS1035Label(value string) []string {
+	var errs []string
+	if len(value) > DNS1035LabelMaxLength {
+		errs = append(errs, MaxLenError(DNS1035LabelMaxLength))
+	}
+	if !dns1035LabelRegexp.MatchString(value) {
+		errs = append(errs, RegexError(dns1035LabelErrMsg, dns1035LabelFmt, "my-name", "abc-123"))
+	}
+	return errs
+}
+
+// wildcard definition - RFC 1034 section 4.3.3.
+// examples:
+// - valid: *.bar.com, *.foo.bar.com
+// - invalid: *.*.bar.com, *.foo.*.com, *bar.com, f*.bar.com, *
+const wildcardDNS1123SubdomainFmt = "\\*\\." + dns1123SubdomainFmt
+const wildcardDNS1123SubdomainErrMsg = "a wildcard DNS-1123 subdomain must start with '*.', followed by a valid DNS subdomain, which must consist of lower case alphanumeric characters, '-' or '.' and end with an alphanumeric character"
+
+// IsWildcardDNS1123Subdomain tests for a string that conforms to the definition of a
+// wildcard subdomain in DNS (RFC 1034 section 4.3.3).
+func IsWildcardDNS1123Subdomain(value string) []string {
+	wildcardDNS1123SubdomainRegexp := regexp.MustCompile("^" + wildcardDNS1123SubdomainFmt + "$")
+
+	var errs []string
+	if len(value) > DNS1123SubdomainMaxLength {
+		errs = append(errs, MaxLenError(DNS1123SubdomainMaxLength))
+	}
+	if !wildcardDNS1123SubdomainRegexp.MatchString(value) {
+		errs = append(errs, RegexError(wildcardDNS1123SubdomainErrMsg, wildcardDNS1123SubdomainFmt, "*.example.com"))
+	}
+	return errs
+}
+
+const cIdentifierFmt string = "[A-Za-z_][A-Za-z0-9_]*"
+const identifierErrMsg string = "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_'"
+
+var cIdentifierRegexp = regexp.MustCompile("^" + cIdentifierFmt + "$")
+
+// IsCIdentifier tests for a string that conforms the definition of an identifier
+// in C. This checks the format, but not the length.
+func IsCIdentifier(value string) []string {
+	if !cIdentifierRegexp.MatchString(value) {
+		return []string{RegexError(identifierErrMsg, cIdentifierFmt, "my_name", "MY_NAME", "MyName")}
+	}
+	return nil
+}
+
+// IsValidPortNum tests that the argument is a valid, non-zero port number.
+func IsValidPortNum(port int) []string {
+	if 1 <= port && port <= 65535 {
+		return nil
+	}
+	return []string{InclusiveRangeError(1, 65535)}
+}
+
+// IsInRange tests that the argument is in an inclusive range.
+func IsInRange(value int, min int, max int) []string {
+	if value >= min && value <= max {
+		return nil
+	}
+	return []string{InclusiveRangeError(min, max)}
+}
+
+// Now in libcontainer UID/GID limits is 0 ~ 1<<31 - 1
+// TODO: once we have a type for UID/GID we should make these that type.
+const (
+	minUserID  = 0
+	maxUserID  = math.MaxInt32
+	minGroupID = 0
+	maxGroupID = math.MaxInt32
+)
+
+// IsValidGroupID tests that the argument is a valid Unix GID.
+func IsValidGroupID(gid int64) []string {
+	if minGroupID <= gid && gid <= maxGroupID {
+		return nil
+	}
+	return []string{InclusiveRangeError(minGroupID, maxGroupID)}
+}
+
+// IsValidUserID tests that the argument is a valid Unix UID.
+func IsValidUserID(uid int64) []string {
+	if minUserID <= uid && uid <= maxUserID {
+		return nil
+	}
+	return []string{InclusiveRangeError(minUserID, maxUserID)}
+}
+
+var portNameCharsetRegex = regexp.MustCompile("^[-a-z0-9]+$")
+var portNameOneLetterRegexp = regexp.MustCompile("[a-z]")
+
+// IsValidPortName check that the argument is valid syntax. It must be
+// non-empty and no more than 15 characters long. It may contain only [-a-z0-9]
+// and must contain at least one letter [a-z]. It must not start or end with a
+// hyphen, nor contain adjacent hyphens.
+//
+// Note: We only allow lower-case characters, even though RFC 6335 is case
+// insensitive.
+func IsValidPortName(port string) []string {
+	var errs []string
+	if len(port) > 15 {
+		errs = append(errs, MaxLenError(15))
+	}
+	if !portNameCharsetRegex.MatchString(port) {
+		errs = append(errs, "must contain only alpha-numeric characters (a-z, 0-9), and hyphens (-)")
+	}
+	if !portNameOneLetterRegexp.MatchString(port) {
+		errs = append(errs, "must contain at least one letter or number (a-z, 0-9)")
+	}
+	if strings.Contains(port, "--") {
+		errs = append(errs, "must not contain consecutive hyphens")
+	}
+	if len(port) > 0 && (port[0] == '-' || port[len(port)-1] == '-') {
+		errs = append(errs, "must not begin or end with a hyphen")
+	}
+	return errs
+}
+
+// IsValidIP tests that the argument is a valid IP address.
+func IsValidIP(value string) []string {
+	if net.ParseIP(value) == nil {
+		return []string{"must be a valid IP address, (e.g. 10.9.8.7)"}
+	}
+	return nil
+}
+
+const percentFmt string = "[0-9]+%"
+const percentErrMsg string = "a valid percent string must be a numeric string followed by an ending '%'"
+
+var percentRegexp = regexp.MustCompile("^" + percentFmt + "$")
+
+func IsValidPercent(percent string) []string {
+	if !percentRegexp.MatchString(percent) {
+		return []string{RegexError(percentErrMsg, percentFmt, "1%", "93%")}
+	}
+	return nil
+}
+
+const httpHeaderNameFmt string = "[-A-Za-z0-9]+"
+const httpHeaderNameErrMsg string = "a valid HTTP header must consist of alphanumeric characters or '-'"
+
+var httpHeaderNameRegexp = regexp.MustCompile("^" + httpHeaderNameFmt + "$")
+
+// IsHTTPHeaderName checks that a string conforms to the Go HTTP library's
+// definition of a valid header field name (a stricter subset than RFC7230).
+func IsHTTPHeaderName(value string) []string {
+	if !httpHeaderNameRegexp.MatchString(value) {
+		return []string{RegexError(httpHeaderNameErrMsg, httpHeaderNameFmt, "X-Header-Name")}
+	}
+	return nil
+}
+
+const envVarNameFmt = "[-._a-zA-Z][-._a-zA-Z0-9]*"
+const envVarNameFmtErrMsg string = "a valid environment variable name must consist of alphabetic characters, digits, '_', '-', or '.', and must not start with a digit"
+
+var envVarNameRegexp = regexp.MustCompile("^" + envVarNameFmt + "$")
+
+// IsEnvVarName tests if a string is a valid environment variable name.
+func IsEnvVarName(value string) []string {
+	var errs []string
+	if !envVarNameRegexp.MatchString(value) {
+		errs = append(errs, RegexError(envVarNameFmtErrMsg, envVarNameFmt, "my.env-name", "MY_ENV.NAME", "MyEnvName1"))
+	}
+
+	errs = append(errs, hasChDirPrefix(value)...)
+	return errs
+}
+
+const configMapKeyFmt = `[-._a-zA-Z0-9]+`
+const configMapKeyErrMsg string = "a valid config key must consist of alphanumeric characters, '-', '_' or '.'"
+
+var configMapKeyRegexp = regexp.MustCompile("^" + configMapKeyFmt + "$")
+
+// IsConfigMapKey tests for a string that is a valid key for a ConfigMap or Secret
+func IsConfigMapKey(value string) []string {
+	var errs []string
+	if len(value) > DNS1123SubdomainMaxLength {
+		errs = append(errs, MaxLenError(DNS1123SubdomainMaxLength))
+	}
+	if !configMapKeyRegexp.MatchString(value) {
+		errs = append(errs, RegexError(configMapKeyErrMsg, configMapKeyFmt, "key.name", "KEY_NAME", "key-name"))
+	}
+	errs = append(errs, hasChDirPrefix(value)...)
+	return errs
+}
+
+// MaxLenError returns a string explanation of a "string too long" validation
+// failure.
+func MaxLenError(length int) string {
+	return fmt.Sprintf("must be no more than %d characters", length)
+}
+
+// RegexError returns a string explanation of a regex validation failure.
+func RegexError(msg string, fmt string, examples ...string) string {
+	if len(examples) == 0 {
+		return msg + " (regex used for validation is '" + fmt + "')"
+	}
+	msg += " (e.g. "
+	for i := range examples {
+		if i > 0 {
+			msg += " or "
+		}
+		msg += "'" + examples[i] + "', "
+	}
+	msg += "regex used for validation is '" + fmt + "')"
+	return msg
+}
+
+// EmptyError returns a string explanation of a "must not be empty" validation
+// failure.
+func EmptyError() string {
+	return "must be non-empty"
+}
+
+func prefixEach(msgs []string, prefix string) []string {
+	for i := range msgs {
+		msgs[i] = prefix + msgs[i]
+	}
+	return msgs
+}
+
+// InclusiveRangeError returns a string explanation of a numeric "must be
+// between" validation failure.
+func InclusiveRangeError(lo, hi int) string {
+	return fmt.Sprintf(`must be between %d and %d, inclusive`, lo, hi)
+}
+
+func hasChDirPrefix(value string) []string {
+	var errs []string
+	switch {
+	case value == ".":
+		errs = append(errs, `must not be '.'`)
+	case value == "..":
+		errs = append(errs, `must not be '..'`)
+	case strings.HasPrefix(value, ".."):
+		errs = append(errs, `must not start with '..'`)
+	}
+	return errs
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/wait/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/util/wait/doc.go
new file mode 100644
index 00000000..3f0c968e
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/wait/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package wait provides tools for polling or listening for changes
+// to a condition.
+package wait // import "k8s.io/apimachinery/pkg/util/wait"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go b/cli/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go
new file mode 100644
index 00000000..0997de80
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go
@@ -0,0 +1,385 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package wait
+
+import (
+	"context"
+	"errors"
+	"math/rand"
+	"sync"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/runtime"
+)
+
+// For any test of the style:
+//   ...
+//   <- time.After(timeout):
+//      t.Errorf("Timed out")
+// The value for timeout should effectively be "forever." Obviously we don't want our tests to truly lock up forever, but 30s
+// is long enough that it is effectively forever for the things that can slow down a run on a heavily contended machine
+// (GC, seeks, etc), but not so long as to make a developer ctrl-c a test run if they do happen to break that test.
+var ForeverTestTimeout = time.Second * 30
+
+// NeverStop may be passed to Until to make it never stop.
+var NeverStop <-chan struct{} = make(chan struct{})
+
+// Group allows to start a group of goroutines and wait for their completion.
+type Group struct {
+	wg sync.WaitGroup
+}
+
+func (g *Group) Wait() {
+	g.wg.Wait()
+}
+
+// StartWithChannel starts f in a new goroutine in the group.
+// stopCh is passed to f as an argument. f should stop when stopCh is available.
+func (g *Group) StartWithChannel(stopCh <-chan struct{}, f func(stopCh <-chan struct{})) {
+	g.Start(func() {
+		f(stopCh)
+	})
+}
+
+// StartWithContext starts f in a new goroutine in the group.
+// ctx is passed to f as an argument. f should stop when ctx.Done() is available.
+func (g *Group) StartWithContext(ctx context.Context, f func(context.Context)) {
+	g.Start(func() {
+		f(ctx)
+	})
+}
+
+// Start starts f in a new goroutine in the group.
+func (g *Group) Start(f func()) {
+	g.wg.Add(1)
+	go func() {
+		defer g.wg.Done()
+		f()
+	}()
+}
+
+// Forever calls f every period for ever.
+//
+// Forever is syntactic sugar on top of Until.
+func Forever(f func(), period time.Duration) {
+	Until(f, period, NeverStop)
+}
+
+// Until loops until stop channel is closed, running f every period.
+//
+// Until is syntactic sugar on top of JitterUntil with zero jitter factor and
+// with sliding = true (which means the timer for period starts after the f
+// completes).
+func Until(f func(), period time.Duration, stopCh <-chan struct{}) {
+	JitterUntil(f, period, 0.0, true, stopCh)
+}
+
+// NonSlidingUntil loops until stop channel is closed, running f every
+// period.
+//
+// NonSlidingUntil is syntactic sugar on top of JitterUntil with zero jitter
+// factor, with sliding = false (meaning the timer for period starts at the same
+// time as the function starts).
+func NonSlidingUntil(f func(), period time.Duration, stopCh <-chan struct{}) {
+	JitterUntil(f, period, 0.0, false, stopCh)
+}
+
+// JitterUntil loops until stop channel is closed, running f every period.
+//
+// If jitterFactor is positive, the period is jittered before every run of f.
+// If jitterFactor is not positive, the period is unchanged and not jittered.
+//
+// If sliding is true, the period is computed after f runs. If it is false then
+// period includes the runtime for f.
+//
+// Close stopCh to stop. f may not be invoked if stop channel is already
+// closed. Pass NeverStop to if you don't want it stop.
+func JitterUntil(f func(), period time.Duration, jitterFactor float64, sliding bool, stopCh <-chan struct{}) {
+	var t *time.Timer
+	var sawTimeout bool
+
+	for {
+		select {
+		case <-stopCh:
+			return
+		default:
+		}
+
+		jitteredPeriod := period
+		if jitterFactor > 0.0 {
+			jitteredPeriod = Jitter(period, jitterFactor)
+		}
+
+		if !sliding {
+			t = resetOrReuseTimer(t, jitteredPeriod, sawTimeout)
+		}
+
+		func() {
+			defer runtime.HandleCrash()
+			f()
+		}()
+
+		if sliding {
+			t = resetOrReuseTimer(t, jitteredPeriod, sawTimeout)
+		}
+
+		// NOTE: b/c there is no priority selection in golang
+		// it is possible for this to race, meaning we could
+		// trigger t.C and stopCh, and t.C select falls through.
+		// In order to mitigate we re-check stopCh at the beginning
+		// of every loop to prevent extra executions of f().
+		select {
+		case <-stopCh:
+			return
+		case <-t.C:
+			sawTimeout = true
+		}
+	}
+}
+
+// Jitter returns a time.Duration between duration and duration + maxFactor *
+// duration.
+//
+// This allows clients to avoid converging on periodic behavior. If maxFactor
+// is 0.0, a suggested default value will be chosen.
+func Jitter(duration time.Duration, maxFactor float64) time.Duration {
+	if maxFactor <= 0.0 {
+		maxFactor = 1.0
+	}
+	wait := duration + time.Duration(rand.Float64()*maxFactor*float64(duration))
+	return wait
+}
+
+// ErrWaitTimeout is returned when the condition exited without success.
+var ErrWaitTimeout = errors.New("timed out waiting for the condition")
+
+// ConditionFunc returns true if the condition is satisfied, or an error
+// if the loop should be aborted.
+type ConditionFunc func() (done bool, err error)
+
+// Backoff holds parameters applied to a Backoff function.
+type Backoff struct {
+	Duration time.Duration // the base duration
+	Factor   float64       // Duration is multiplied by factor each iteration
+	Jitter   float64       // The amount of jitter applied each iteration
+	Steps    int           // Exit with error after this many steps
+}
+
+// ExponentialBackoff repeats a condition check with exponential backoff.
+//
+// It checks the condition up to Steps times, increasing the wait by multiplying
+// the previous duration by Factor.
+//
+// If Jitter is greater than zero, a random amount of each duration is added
+// (between duration and duration*(1+jitter)).
+//
+// If the condition never returns true, ErrWaitTimeout is returned. All other
+// errors terminate immediately.
+func ExponentialBackoff(backoff Backoff, condition ConditionFunc) error {
+	duration := backoff.Duration
+	for i := 0; i < backoff.Steps; i++ {
+		if i != 0 {
+			adjusted := duration
+			if backoff.Jitter > 0.0 {
+				adjusted = Jitter(duration, backoff.Jitter)
+			}
+			time.Sleep(adjusted)
+			duration = time.Duration(float64(duration) * backoff.Factor)
+		}
+		if ok, err := condition(); err != nil || ok {
+			return err
+		}
+	}
+	return ErrWaitTimeout
+}
+
+// Poll tries a condition func until it returns true, an error, or the timeout
+// is reached.
+//
+// Poll always waits the interval before the run of 'condition'.
+// 'condition' will always be invoked at least once.
+//
+// Some intervals may be missed if the condition takes too long or the time
+// window is too short.
+//
+// If you want to Poll something forever, see PollInfinite.
+func Poll(interval, timeout time.Duration, condition ConditionFunc) error {
+	return pollInternal(poller(interval, timeout), condition)
+}
+
+func pollInternal(wait WaitFunc, condition ConditionFunc) error {
+	done := make(chan struct{})
+	defer close(done)
+	return WaitFor(wait, condition, done)
+}
+
+// PollImmediate tries a condition func until it returns true, an error, or the timeout
+// is reached.
+//
+// Poll always checks 'condition' before waiting for the interval. 'condition'
+// will always be invoked at least once.
+//
+// Some intervals may be missed if the condition takes too long or the time
+// window is too short.
+//
+// If you want to Poll something forever, see PollInfinite.
+func PollImmediate(interval, timeout time.Duration, condition ConditionFunc) error {
+	return pollImmediateInternal(poller(interval, timeout), condition)
+}
+
+func pollImmediateInternal(wait WaitFunc, condition ConditionFunc) error {
+	done, err := condition()
+	if err != nil {
+		return err
+	}
+	if done {
+		return nil
+	}
+	return pollInternal(wait, condition)
+}
+
+// PollInfinite tries a condition func until it returns true or an error
+//
+// PollInfinite always waits the interval before the run of 'condition'.
+//
+// Some intervals may be missed if the condition takes too long or the time
+// window is too short.
+func PollInfinite(interval time.Duration, condition ConditionFunc) error {
+	done := make(chan struct{})
+	defer close(done)
+	return PollUntil(interval, condition, done)
+}
+
+// PollImmediateInfinite tries a condition func until it returns true or an error
+//
+// PollImmediateInfinite runs the 'condition' before waiting for the interval.
+//
+// Some intervals may be missed if the condition takes too long or the time
+// window is too short.
+func PollImmediateInfinite(interval time.Duration, condition ConditionFunc) error {
+	done, err := condition()
+	if err != nil {
+		return err
+	}
+	if done {
+		return nil
+	}
+	return PollInfinite(interval, condition)
+}
+
+// PollUntil tries a condition func until it returns true, an error or stopCh is
+// closed.
+//
+// PolUntil always waits interval before the first run of 'condition'.
+// 'condition' will always be invoked at least once.
+func PollUntil(interval time.Duration, condition ConditionFunc, stopCh <-chan struct{}) error {
+	return WaitFor(poller(interval, 0), condition, stopCh)
+}
+
+// WaitFunc creates a channel that receives an item every time a test
+// should be executed and is closed when the last test should be invoked.
+type WaitFunc func(done <-chan struct{}) <-chan struct{}
+
+// WaitFor continually checks 'fn' as driven by 'wait'.
+//
+// WaitFor gets a channel from 'wait()'', and then invokes 'fn' once for every value
+// placed on the channel and once more when the channel is closed.
+//
+// If 'fn' returns an error the loop ends and that error is returned, and if
+// 'fn' returns true the loop ends and nil is returned.
+//
+// ErrWaitTimeout will be returned if the channel is closed without fn ever
+// returning true.
+func WaitFor(wait WaitFunc, fn ConditionFunc, done <-chan struct{}) error {
+	c := wait(done)
+	for {
+		_, open := <-c
+		ok, err := fn()
+		if err != nil {
+			return err
+		}
+		if ok {
+			return nil
+		}
+		if !open {
+			break
+		}
+	}
+	return ErrWaitTimeout
+}
+
+// poller returns a WaitFunc that will send to the channel every interval until
+// timeout has elapsed and then closes the channel.
+//
+// Over very short intervals you may receive no ticks before the channel is
+// closed. A timeout of 0 is interpreted as an infinity.
+//
+// Output ticks are not buffered. If the channel is not ready to receive an
+// item, the tick is skipped.
+func poller(interval, timeout time.Duration) WaitFunc {
+	return WaitFunc(func(done <-chan struct{}) <-chan struct{} {
+		ch := make(chan struct{})
+
+		go func() {
+			defer close(ch)
+
+			tick := time.NewTicker(interval)
+			defer tick.Stop()
+
+			var after <-chan time.Time
+			if timeout != 0 {
+				// time.After is more convenient, but it
+				// potentially leaves timers around much longer
+				// than necessary if we exit early.
+				timer := time.NewTimer(timeout)
+				after = timer.C
+				defer timer.Stop()
+			}
+
+			for {
+				select {
+				case <-tick.C:
+					// If the consumer isn't ready for this signal drop it and
+					// check the other channels.
+					select {
+					case ch <- struct{}{}:
+					default:
+					}
+				case <-after:
+					return
+				case <-done:
+					return
+				}
+			}
+		}()
+
+		return ch
+	})
+}
+
+// resetOrReuseTimer avoids allocating a new timer if one is already in use.
+// Not safe for multiple threads.
+func resetOrReuseTimer(t *time.Timer, d time.Duration, sawTimeout bool) *time.Timer {
+	if t == nil {
+		return time.NewTimer(d)
+	}
+	if !t.Stop() && !sawTimeout {
+		<-t.C
+	}
+	t.Reset(d)
+	return t
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/util/yaml/decoder.go b/cli/vendor/k8s.io/apimachinery/pkg/util/yaml/decoder.go
new file mode 100644
index 00000000..6ebfaea7
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/util/yaml/decoder.go
@@ -0,0 +1,346 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package yaml
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+	"unicode"
+
+	"github.com/ghodss/yaml"
+	"github.com/golang/glog"
+)
+
+// ToJSON converts a single YAML document into a JSON document
+// or returns an error. If the document appears to be JSON the
+// YAML decoding path is not used (so that error messages are
+// JSON specific).
+func ToJSON(data []byte) ([]byte, error) {
+	if hasJSONPrefix(data) {
+		return data, nil
+	}
+	return yaml.YAMLToJSON(data)
+}
+
+// YAMLToJSONDecoder decodes YAML documents from an io.Reader by
+// separating individual documents. It first converts the YAML
+// body to JSON, then unmarshals the JSON.
+type YAMLToJSONDecoder struct {
+	reader Reader
+}
+
+// NewYAMLToJSONDecoder decodes YAML documents from the provided
+// stream in chunks by converting each document (as defined by
+// the YAML spec) into its own chunk, converting it to JSON via
+// yaml.YAMLToJSON, and then passing it to json.Decoder.
+func NewYAMLToJSONDecoder(r io.Reader) *YAMLToJSONDecoder {
+	reader := bufio.NewReader(r)
+	return &YAMLToJSONDecoder{
+		reader: NewYAMLReader(reader),
+	}
+}
+
+// Decode reads a YAML document as JSON from the stream or returns
+// an error. The decoding rules match json.Unmarshal, not
+// yaml.Unmarshal.
+func (d *YAMLToJSONDecoder) Decode(into interface{}) error {
+	bytes, err := d.reader.Read()
+	if err != nil && err != io.EOF {
+		return err
+	}
+
+	if len(bytes) != 0 {
+		err := yaml.Unmarshal(bytes, into)
+		if err != nil {
+			return YAMLSyntaxError{err}
+		}
+	}
+	return err
+}
+
+// YAMLDecoder reads chunks of objects and returns ErrShortBuffer if
+// the data is not sufficient.
+type YAMLDecoder struct {
+	r         io.ReadCloser
+	scanner   *bufio.Scanner
+	remaining []byte
+}
+
+// NewDocumentDecoder decodes YAML documents from the provided
+// stream in chunks by converting each document (as defined by
+// the YAML spec) into its own chunk. io.ErrShortBuffer will be
+// returned if the entire buffer could not be read to assist
+// the caller in framing the chunk.
+func NewDocumentDecoder(r io.ReadCloser) io.ReadCloser {
+	scanner := bufio.NewScanner(r)
+	scanner.Split(splitYAMLDocument)
+	return &YAMLDecoder{
+		r:       r,
+		scanner: scanner,
+	}
+}
+
+// Read reads the previous slice into the buffer, or attempts to read
+// the next chunk.
+// TODO: switch to readline approach.
+func (d *YAMLDecoder) Read(data []byte) (n int, err error) {
+	left := len(d.remaining)
+	if left == 0 {
+		// return the next chunk from the stream
+		if !d.scanner.Scan() {
+			err := d.scanner.Err()
+			if err == nil {
+				err = io.EOF
+			}
+			return 0, err
+		}
+		out := d.scanner.Bytes()
+		d.remaining = out
+		left = len(out)
+	}
+
+	// fits within data
+	if left <= len(data) {
+		copy(data, d.remaining)
+		d.remaining = nil
+		return len(d.remaining), nil
+	}
+
+	// caller will need to reread
+	copy(data, d.remaining[:left])
+	d.remaining = d.remaining[left:]
+	return len(data), io.ErrShortBuffer
+}
+
+func (d *YAMLDecoder) Close() error {
+	return d.r.Close()
+}
+
+const yamlSeparator = "\n---"
+const separator = "---"
+
+// splitYAMLDocument is a bufio.SplitFunc for splitting YAML streams into individual documents.
+func splitYAMLDocument(data []byte, atEOF bool) (advance int, token []byte, err error) {
+	if atEOF && len(data) == 0 {
+		return 0, nil, nil
+	}
+	sep := len([]byte(yamlSeparator))
+	if i := bytes.Index(data, []byte(yamlSeparator)); i >= 0 {
+		// We have a potential document terminator
+		i += sep
+		after := data[i:]
+		if len(after) == 0 {
+			// we can't read any more characters
+			if atEOF {
+				return len(data), data[:len(data)-sep], nil
+			}
+			return 0, nil, nil
+		}
+		if j := bytes.IndexByte(after, '\n'); j >= 0 {
+			return i + j + 1, data[0 : i-sep], nil
+		}
+		return 0, nil, nil
+	}
+	// If we're at EOF, we have a final, non-terminated line. Return it.
+	if atEOF {
+		return len(data), data, nil
+	}
+	// Request more data.
+	return 0, nil, nil
+}
+
+// decoder is a convenience interface for Decode.
+type decoder interface {
+	Decode(into interface{}) error
+}
+
+// YAMLOrJSONDecoder attempts to decode a stream of JSON documents or
+// YAML documents by sniffing for a leading { character.
+type YAMLOrJSONDecoder struct {
+	r          io.Reader
+	bufferSize int
+
+	decoder decoder
+	rawData []byte
+}
+
+type JSONSyntaxError struct {
+	Line int
+	Err  error
+}
+
+func (e JSONSyntaxError) Error() string {
+	return fmt.Sprintf("json: line %d: %s", e.Line, e.Err.Error())
+}
+
+type YAMLSyntaxError struct {
+	err error
+}
+
+func (e YAMLSyntaxError) Error() string {
+	return e.err.Error()
+}
+
+// NewYAMLOrJSONDecoder returns a decoder that will process YAML documents
+// or JSON documents from the given reader as a stream. bufferSize determines
+// how far into the stream the decoder will look to figure out whether this
+// is a JSON stream (has whitespace followed by an open brace).
+func NewYAMLOrJSONDecoder(r io.Reader, bufferSize int) *YAMLOrJSONDecoder {
+	return &YAMLOrJSONDecoder{
+		r:          r,
+		bufferSize: bufferSize,
+	}
+}
+
+// Decode unmarshals the next object from the underlying stream into the
+// provide object, or returns an error.
+func (d *YAMLOrJSONDecoder) Decode(into interface{}) error {
+	if d.decoder == nil {
+		buffer, origData, isJSON := GuessJSONStream(d.r, d.bufferSize)
+		if isJSON {
+			glog.V(4).Infof("decoding stream as JSON")
+			d.decoder = json.NewDecoder(buffer)
+			d.rawData = origData
+		} else {
+			glog.V(4).Infof("decoding stream as YAML")
+			d.decoder = NewYAMLToJSONDecoder(buffer)
+		}
+	}
+	err := d.decoder.Decode(into)
+	if jsonDecoder, ok := d.decoder.(*json.Decoder); ok {
+		if syntax, ok := err.(*json.SyntaxError); ok {
+			data, readErr := ioutil.ReadAll(jsonDecoder.Buffered())
+			if readErr != nil {
+				glog.V(4).Infof("reading stream failed: %v", readErr)
+			}
+			js := string(data)
+
+			// if contents from io.Reader are not complete,
+			// use the original raw data to prevent panic
+			if int64(len(js)) <= syntax.Offset {
+				js = string(d.rawData)
+			}
+
+			start := strings.LastIndex(js[:syntax.Offset], "\n") + 1
+			line := strings.Count(js[:start], "\n")
+			return JSONSyntaxError{
+				Line: line,
+				Err:  fmt.Errorf(syntax.Error()),
+			}
+		}
+	}
+	return err
+}
+
+type Reader interface {
+	Read() ([]byte, error)
+}
+
+type YAMLReader struct {
+	reader Reader
+}
+
+func NewYAMLReader(r *bufio.Reader) *YAMLReader {
+	return &YAMLReader{
+		reader: &LineReader{reader: r},
+	}
+}
+
+// Read returns a full YAML document.
+func (r *YAMLReader) Read() ([]byte, error) {
+	var buffer bytes.Buffer
+	for {
+		line, err := r.reader.Read()
+		if err != nil && err != io.EOF {
+			return nil, err
+		}
+
+		sep := len([]byte(separator))
+		if i := bytes.Index(line, []byte(separator)); i == 0 {
+			// We have a potential document terminator
+			i += sep
+			after := line[i:]
+			if len(strings.TrimRightFunc(string(after), unicode.IsSpace)) == 0 {
+				if buffer.Len() != 0 {
+					return buffer.Bytes(), nil
+				}
+				if err == io.EOF {
+					return nil, err
+				}
+			}
+		}
+		if err == io.EOF {
+			if buffer.Len() != 0 {
+				// If we're at EOF, we have a final, non-terminated line. Return it.
+				return buffer.Bytes(), nil
+			}
+			return nil, err
+		}
+		buffer.Write(line)
+	}
+}
+
+type LineReader struct {
+	reader *bufio.Reader
+}
+
+// Read returns a single line (with '\n' ended) from the underlying reader.
+// An error is returned iff there is an error with the underlying reader.
+func (r *LineReader) Read() ([]byte, error) {
+	var (
+		isPrefix bool  = true
+		err      error = nil
+		line     []byte
+		buffer   bytes.Buffer
+	)
+
+	for isPrefix && err == nil {
+		line, isPrefix, err = r.reader.ReadLine()
+		buffer.Write(line)
+	}
+	buffer.WriteByte('\n')
+	return buffer.Bytes(), err
+}
+
+// GuessJSONStream scans the provided reader up to size, looking
+// for an open brace indicating this is JSON. It will return the
+// bufio.Reader it creates for the consumer.
+func GuessJSONStream(r io.Reader, size int) (io.Reader, []byte, bool) {
+	buffer := bufio.NewReaderSize(r, size)
+	b, _ := buffer.Peek(size)
+	return buffer, b, hasJSONPrefix(b)
+}
+
+var jsonPrefix = []byte("{")
+
+// hasJSONPrefix returns true if the provided buffer appears to start with
+// a JSON open brace.
+func hasJSONPrefix(buf []byte) bool {
+	return hasPrefix(buf, jsonPrefix)
+}
+
+// Return true if the first non-whitespace bytes in buf is
+// prefix.
+func hasPrefix(buf []byte, prefix []byte) bool {
+	trim := bytes.TrimLeftFunc(buf, unicode.IsSpace)
+	return bytes.HasPrefix(trim, prefix)
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/version/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/version/doc.go
new file mode 100644
index 00000000..5e77af7e
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/version/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package version supplies the type for version information collected at build time.
+// +k8s:openapi-gen=true
+package version // import "k8s.io/apimachinery/pkg/version"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/version/types.go b/cli/vendor/k8s.io/apimachinery/pkg/version/types.go
new file mode 100644
index 00000000..72727b50
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/version/types.go
@@ -0,0 +1,37 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package version
+
+// Info contains versioning information.
+// TODO: Add []string of api versions supported? It's still unclear
+// how we'll want to distribute that information.
+type Info struct {
+	Major        string `json:"major"`
+	Minor        string `json:"minor"`
+	GitVersion   string `json:"gitVersion"`
+	GitCommit    string `json:"gitCommit"`
+	GitTreeState string `json:"gitTreeState"`
+	BuildDate    string `json:"buildDate"`
+	GoVersion    string `json:"goVersion"`
+	Compiler     string `json:"compiler"`
+	Platform     string `json:"platform"`
+}
+
+// String returns info as a human-friendly version string.
+func (info Info) String() string {
+	return info.GitVersion
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/watch/doc.go b/cli/vendor/k8s.io/apimachinery/pkg/watch/doc.go
new file mode 100644
index 00000000..7e6bf3fb
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/watch/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package watch contains a generic watchable interface, and a fake for
+// testing code that uses the watch interface.
+package watch // import "k8s.io/apimachinery/pkg/watch"
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/watch/filter.go b/cli/vendor/k8s.io/apimachinery/pkg/watch/filter.go
new file mode 100644
index 00000000..3ca27f22
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/watch/filter.go
@@ -0,0 +1,109 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package watch
+
+import (
+	"sync"
+)
+
+// FilterFunc should take an event, possibly modify it in some way, and return
+// the modified event. If the event should be ignored, then return keep=false.
+type FilterFunc func(in Event) (out Event, keep bool)
+
+// Filter passes all events through f before allowing them to pass on.
+// Putting a filter on a watch, as an unavoidable side-effect due to the way
+// go channels work, effectively causes the watch's event channel to have its
+// queue length increased by one.
+//
+// WARNING: filter has a fatal flaw, in that it can't properly update the
+// Type field (Add/Modified/Deleted) to reflect items beginning to pass the
+// filter when they previously didn't.
+//
+func Filter(w Interface, f FilterFunc) Interface {
+	fw := &filteredWatch{
+		incoming: w,
+		result:   make(chan Event),
+		f:        f,
+	}
+	go fw.loop()
+	return fw
+}
+
+type filteredWatch struct {
+	incoming Interface
+	result   chan Event
+	f        FilterFunc
+}
+
+// ResultChan returns a channel which will receive filtered events.
+func (fw *filteredWatch) ResultChan() <-chan Event {
+	return fw.result
+}
+
+// Stop stops the upstream watch, which will eventually stop this watch.
+func (fw *filteredWatch) Stop() {
+	fw.incoming.Stop()
+}
+
+// loop waits for new values, filters them, and resends them.
+func (fw *filteredWatch) loop() {
+	defer close(fw.result)
+	for {
+		event, ok := <-fw.incoming.ResultChan()
+		if !ok {
+			break
+		}
+		filtered, keep := fw.f(event)
+		if keep {
+			fw.result <- filtered
+		}
+	}
+}
+
+// Recorder records all events that are sent from the watch until it is closed.
+type Recorder struct {
+	Interface
+
+	lock   sync.Mutex
+	events []Event
+}
+
+var _ Interface = &Recorder{}
+
+// NewRecorder wraps an Interface and records any changes sent across it.
+func NewRecorder(w Interface) *Recorder {
+	r := &Recorder{}
+	r.Interface = Filter(w, r.record)
+	return r
+}
+
+// record is a FilterFunc and tracks each received event.
+func (r *Recorder) record(in Event) (Event, bool) {
+	r.lock.Lock()
+	defer r.lock.Unlock()
+	r.events = append(r.events, in)
+	return in, true
+}
+
+// Events returns a copy of the events sent across this recorder.
+func (r *Recorder) Events() []Event {
+	r.lock.Lock()
+	defer r.lock.Unlock()
+	copied := make([]Event, len(r.events))
+	copy(copied, r.events)
+	return copied
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/watch/mux.go b/cli/vendor/k8s.io/apimachinery/pkg/watch/mux.go
new file mode 100644
index 00000000..a65088c1
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/watch/mux.go
@@ -0,0 +1,264 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package watch
+
+import (
+	"sync"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// FullChannelBehavior controls how the Broadcaster reacts if a watcher's watch
+// channel is full.
+type FullChannelBehavior int
+
+const (
+	WaitIfChannelFull FullChannelBehavior = iota
+	DropIfChannelFull
+)
+
+// Buffer the incoming queue a little bit even though it should rarely ever accumulate
+// anything, just in case a few events are received in such a short window that
+// Broadcaster can't move them onto the watchers' queues fast enough.
+const incomingQueueLength = 25
+
+// Broadcaster distributes event notifications among any number of watchers. Every event
+// is delivered to every watcher.
+type Broadcaster struct {
+	// TODO: see if this lock is needed now that new watchers go through
+	// the incoming channel.
+	lock sync.Mutex
+
+	watchers     map[int64]*broadcasterWatcher
+	nextWatcher  int64
+	distributing sync.WaitGroup
+
+	incoming chan Event
+
+	// How large to make watcher's channel.
+	watchQueueLength int
+	// If one of the watch channels is full, don't wait for it to become empty.
+	// Instead just deliver it to the watchers that do have space in their
+	// channels and move on to the next event.
+	// It's more fair to do this on a per-watcher basis than to do it on the
+	// "incoming" channel, which would allow one slow watcher to prevent all
+	// other watchers from getting new events.
+	fullChannelBehavior FullChannelBehavior
+}
+
+// NewBroadcaster creates a new Broadcaster. queueLength is the maximum number of events to queue per watcher.
+// It is guaranteed that events will be distributed in the order in which they occur,
+// but the order in which a single event is distributed among all of the watchers is unspecified.
+func NewBroadcaster(queueLength int, fullChannelBehavior FullChannelBehavior) *Broadcaster {
+	m := &Broadcaster{
+		watchers:            map[int64]*broadcasterWatcher{},
+		incoming:            make(chan Event, incomingQueueLength),
+		watchQueueLength:    queueLength,
+		fullChannelBehavior: fullChannelBehavior,
+	}
+	m.distributing.Add(1)
+	go m.loop()
+	return m
+}
+
+const internalRunFunctionMarker = "internal-do-function"
+
+// a function type we can shoehorn into the queue.
+type functionFakeRuntimeObject func()
+
+func (obj functionFakeRuntimeObject) GetObjectKind() schema.ObjectKind {
+	return schema.EmptyObjectKind
+}
+func (obj functionFakeRuntimeObject) DeepCopyObject() runtime.Object {
+	if obj == nil {
+		return nil
+	}
+	// funcs are immutable. Hence, just return the original func.
+	return obj
+}
+
+// Execute f, blocking the incoming queue (and waiting for it to drain first).
+// The purpose of this terrible hack is so that watchers added after an event
+// won't ever see that event, and will always see any event after they are
+// added.
+func (b *Broadcaster) blockQueue(f func()) {
+	var wg sync.WaitGroup
+	wg.Add(1)
+	b.incoming <- Event{
+		Type: internalRunFunctionMarker,
+		Object: functionFakeRuntimeObject(func() {
+			defer wg.Done()
+			f()
+		}),
+	}
+	wg.Wait()
+}
+
+// Watch adds a new watcher to the list and returns an Interface for it.
+// Note: new watchers will only receive new events. They won't get an entire history
+// of previous events.
+func (m *Broadcaster) Watch() Interface {
+	var w *broadcasterWatcher
+	m.blockQueue(func() {
+		m.lock.Lock()
+		defer m.lock.Unlock()
+		id := m.nextWatcher
+		m.nextWatcher++
+		w = &broadcasterWatcher{
+			result:  make(chan Event, m.watchQueueLength),
+			stopped: make(chan struct{}),
+			id:      id,
+			m:       m,
+		}
+		m.watchers[id] = w
+	})
+	return w
+}
+
+// WatchWithPrefix adds a new watcher to the list and returns an Interface for it. It sends
+// queuedEvents down the new watch before beginning to send ordinary events from Broadcaster.
+// The returned watch will have a queue length that is at least large enough to accommodate
+// all of the items in queuedEvents.
+func (m *Broadcaster) WatchWithPrefix(queuedEvents []Event) Interface {
+	var w *broadcasterWatcher
+	m.blockQueue(func() {
+		m.lock.Lock()
+		defer m.lock.Unlock()
+		id := m.nextWatcher
+		m.nextWatcher++
+		length := m.watchQueueLength
+		if n := len(queuedEvents) + 1; n > length {
+			length = n
+		}
+		w = &broadcasterWatcher{
+			result:  make(chan Event, length),
+			stopped: make(chan struct{}),
+			id:      id,
+			m:       m,
+		}
+		m.watchers[id] = w
+		for _, e := range queuedEvents {
+			w.result <- e
+		}
+	})
+	return w
+}
+
+// stopWatching stops the given watcher and removes it from the list.
+func (m *Broadcaster) stopWatching(id int64) {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	w, ok := m.watchers[id]
+	if !ok {
+		// No need to do anything, it's already been removed from the list.
+		return
+	}
+	delete(m.watchers, id)
+	close(w.result)
+}
+
+// closeAll disconnects all watchers (presumably in response to a Shutdown call).
+func (m *Broadcaster) closeAll() {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	for _, w := range m.watchers {
+		close(w.result)
+	}
+	// Delete everything from the map, since presence/absence in the map is used
+	// by stopWatching to avoid double-closing the channel.
+	m.watchers = map[int64]*broadcasterWatcher{}
+}
+
+// Action distributes the given event among all watchers.
+func (m *Broadcaster) Action(action EventType, obj runtime.Object) {
+	m.incoming <- Event{action, obj}
+}
+
+// Shutdown disconnects all watchers (but any queued events will still be distributed).
+// You must not call Action or Watch* after calling Shutdown. This call blocks
+// until all events have been distributed through the outbound channels. Note
+// that since they can be buffered, this means that the watchers might not
+// have received the data yet as it can remain sitting in the buffered
+// channel.
+func (m *Broadcaster) Shutdown() {
+	close(m.incoming)
+	m.distributing.Wait()
+}
+
+// loop receives from m.incoming and distributes to all watchers.
+func (m *Broadcaster) loop() {
+	// Deliberately not catching crashes here. Yes, bring down the process if there's a
+	// bug in watch.Broadcaster.
+	for {
+		event, ok := <-m.incoming
+		if !ok {
+			break
+		}
+		if event.Type == internalRunFunctionMarker {
+			event.Object.(functionFakeRuntimeObject)()
+			continue
+		}
+		m.distribute(event)
+	}
+	m.closeAll()
+	m.distributing.Done()
+}
+
+// distribute sends event to all watchers. Blocking.
+func (m *Broadcaster) distribute(event Event) {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	if m.fullChannelBehavior == DropIfChannelFull {
+		for _, w := range m.watchers {
+			select {
+			case w.result <- event:
+			case <-w.stopped:
+			default: // Don't block if the event can't be queued.
+			}
+		}
+	} else {
+		for _, w := range m.watchers {
+			select {
+			case w.result <- event:
+			case <-w.stopped:
+			}
+		}
+	}
+}
+
+// broadcasterWatcher handles a single watcher of a broadcaster
+type broadcasterWatcher struct {
+	result  chan Event
+	stopped chan struct{}
+	stop    sync.Once
+	id      int64
+	m       *Broadcaster
+}
+
+// ResultChan returns a channel to use for waiting on events.
+func (mw *broadcasterWatcher) ResultChan() <-chan Event {
+	return mw.result
+}
+
+// Stop stops watching and removes mw from its list.
+func (mw *broadcasterWatcher) Stop() {
+	mw.stop.Do(func() {
+		close(mw.stopped)
+		mw.m.stopWatching(mw.id)
+	})
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/watch/streamwatcher.go b/cli/vendor/k8s.io/apimachinery/pkg/watch/streamwatcher.go
new file mode 100644
index 00000000..93bb1cdf
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/watch/streamwatcher.go
@@ -0,0 +1,119 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package watch
+
+import (
+	"io"
+	"sync"
+
+	"github.com/golang/glog"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/net"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+// Decoder allows StreamWatcher to watch any stream for which a Decoder can be written.
+type Decoder interface {
+	// Decode should return the type of event, the decoded object, or an error.
+	// An error will cause StreamWatcher to call Close(). Decode should block until
+	// it has data or an error occurs.
+	Decode() (action EventType, object runtime.Object, err error)
+
+	// Close should close the underlying io.Reader, signalling to the source of
+	// the stream that it is no longer being watched. Close() must cause any
+	// outstanding call to Decode() to return with an error of some sort.
+	Close()
+}
+
+// StreamWatcher turns any stream for which you can write a Decoder interface
+// into a watch.Interface.
+type StreamWatcher struct {
+	sync.Mutex
+	source  Decoder
+	result  chan Event
+	stopped bool
+}
+
+// NewStreamWatcher creates a StreamWatcher from the given decoder.
+func NewStreamWatcher(d Decoder) *StreamWatcher {
+	sw := &StreamWatcher{
+		source: d,
+		// It's easy for a consumer to add buffering via an extra
+		// goroutine/channel, but impossible for them to remove it,
+		// so nonbuffered is better.
+		result: make(chan Event),
+	}
+	go sw.receive()
+	return sw
+}
+
+// ResultChan implements Interface.
+func (sw *StreamWatcher) ResultChan() <-chan Event {
+	return sw.result
+}
+
+// Stop implements Interface.
+func (sw *StreamWatcher) Stop() {
+	// Call Close() exactly once by locking and setting a flag.
+	sw.Lock()
+	defer sw.Unlock()
+	if !sw.stopped {
+		sw.stopped = true
+		sw.source.Close()
+	}
+}
+
+// stopping returns true if Stop() was called previously.
+func (sw *StreamWatcher) stopping() bool {
+	sw.Lock()
+	defer sw.Unlock()
+	return sw.stopped
+}
+
+// receive reads result from the decoder in a loop and sends down the result channel.
+func (sw *StreamWatcher) receive() {
+	defer close(sw.result)
+	defer sw.Stop()
+	defer utilruntime.HandleCrash()
+	for {
+		action, obj, err := sw.source.Decode()
+		if err != nil {
+			// Ignore expected error.
+			if sw.stopping() {
+				return
+			}
+			switch err {
+			case io.EOF:
+				// watch closed normally
+			case io.ErrUnexpectedEOF:
+				glog.V(1).Infof("Unexpected EOF during watch stream event decoding: %v", err)
+			default:
+				msg := "Unable to decode an event from the watch stream: %v"
+				if net.IsProbableEOF(err) {
+					glog.V(5).Infof(msg, err)
+				} else {
+					glog.Errorf(msg, err)
+				}
+			}
+			return
+		}
+		sw.result <- Event{
+			Type:   action,
+			Object: obj,
+		}
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/watch/until.go b/cli/vendor/k8s.io/apimachinery/pkg/watch/until.go
new file mode 100644
index 00000000..c2772ddb
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/watch/until.go
@@ -0,0 +1,87 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package watch
+
+import (
+	"errors"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/wait"
+)
+
+// ConditionFunc returns true if the condition has been reached, false if it has not been reached yet,
+// or an error if the condition cannot be checked and should terminate. In general, it is better to define
+// level driven conditions over edge driven conditions (pod has ready=true, vs pod modified and ready changed
+// from false to true).
+type ConditionFunc func(event Event) (bool, error)
+
+// ErrWatchClosed is returned when the watch channel is closed before timeout in Until.
+var ErrWatchClosed = errors.New("watch closed before Until timeout")
+
+// Until reads items from the watch until each provided condition succeeds, and then returns the last watch
+// encountered. The first condition that returns an error terminates the watch (and the event is also returned).
+// If no event has been received, the returned event will be nil.
+// Conditions are satisfied sequentially so as to provide a useful primitive for higher level composition.
+// A zero timeout means to wait forever.
+func Until(timeout time.Duration, watcher Interface, conditions ...ConditionFunc) (*Event, error) {
+	ch := watcher.ResultChan()
+	defer watcher.Stop()
+	var after <-chan time.Time
+	if timeout > 0 {
+		after = time.After(timeout)
+	} else {
+		ch := make(chan time.Time)
+		defer close(ch)
+		after = ch
+	}
+	var lastEvent *Event
+	for _, condition := range conditions {
+		// check the next condition against the previous event and short circuit waiting for the next watch
+		if lastEvent != nil {
+			done, err := condition(*lastEvent)
+			if err != nil {
+				return lastEvent, err
+			}
+			if done {
+				continue
+			}
+		}
+	ConditionSucceeded:
+		for {
+			select {
+			case event, ok := <-ch:
+				if !ok {
+					return lastEvent, ErrWatchClosed
+				}
+				lastEvent = &event
+
+				// TODO: check for watch expired error and retry watch from latest point?
+				done, err := condition(event)
+				if err != nil {
+					return lastEvent, err
+				}
+				if done {
+					break ConditionSucceeded
+				}
+
+			case <-after:
+				return lastEvent, wait.ErrWaitTimeout
+			}
+		}
+	}
+	return lastEvent, nil
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/watch/watch.go b/cli/vendor/k8s.io/apimachinery/pkg/watch/watch.go
new file mode 100644
index 00000000..5c1380b2
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/watch/watch.go
@@ -0,0 +1,270 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package watch
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/golang/glog"
+
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// Interface can be implemented by anything that knows how to watch and report changes.
+type Interface interface {
+	// Stops watching. Will close the channel returned by ResultChan(). Releases
+	// any resources used by the watch.
+	Stop()
+
+	// Returns a chan which will receive all the events. If an error occurs
+	// or Stop() is called, this channel will be closed, in which case the
+	// watch should be completely cleaned up.
+	ResultChan() <-chan Event
+}
+
+// EventType defines the possible types of events.
+type EventType string
+
+const (
+	Added    EventType = "ADDED"
+	Modified EventType = "MODIFIED"
+	Deleted  EventType = "DELETED"
+	Error    EventType = "ERROR"
+
+	DefaultChanSize int32 = 100
+)
+
+// Event represents a single event to a watched resource.
+// +k8s:deepcopy-gen=true
+type Event struct {
+	Type EventType
+
+	// Object is:
+	//  * If Type is Added or Modified: the new state of the object.
+	//  * If Type is Deleted: the state of the object immediately before deletion.
+	//  * If Type is Error: *api.Status is recommended; other types may make sense
+	//    depending on context.
+	Object runtime.Object
+}
+
+type emptyWatch chan Event
+
+// NewEmptyWatch returns a watch interface that returns no results and is closed.
+// May be used in certain error conditions where no information is available but
+// an error is not warranted.
+func NewEmptyWatch() Interface {
+	ch := make(chan Event)
+	close(ch)
+	return emptyWatch(ch)
+}
+
+// Stop implements Interface
+func (w emptyWatch) Stop() {
+}
+
+// ResultChan implements Interface
+func (w emptyWatch) ResultChan() <-chan Event {
+	return chan Event(w)
+}
+
+// FakeWatcher lets you test anything that consumes a watch.Interface; threadsafe.
+type FakeWatcher struct {
+	result  chan Event
+	Stopped bool
+	sync.Mutex
+}
+
+func NewFake() *FakeWatcher {
+	return &FakeWatcher{
+		result: make(chan Event),
+	}
+}
+
+func NewFakeWithChanSize(size int, blocking bool) *FakeWatcher {
+	return &FakeWatcher{
+		result: make(chan Event, size),
+	}
+}
+
+// Stop implements Interface.Stop().
+func (f *FakeWatcher) Stop() {
+	f.Lock()
+	defer f.Unlock()
+	if !f.Stopped {
+		glog.V(4).Infof("Stopping fake watcher.")
+		close(f.result)
+		f.Stopped = true
+	}
+}
+
+func (f *FakeWatcher) IsStopped() bool {
+	f.Lock()
+	defer f.Unlock()
+	return f.Stopped
+}
+
+// Reset prepares the watcher to be reused.
+func (f *FakeWatcher) Reset() {
+	f.Lock()
+	defer f.Unlock()
+	f.Stopped = false
+	f.result = make(chan Event)
+}
+
+func (f *FakeWatcher) ResultChan() <-chan Event {
+	return f.result
+}
+
+// Add sends an add event.
+func (f *FakeWatcher) Add(obj runtime.Object) {
+	f.result <- Event{Added, obj}
+}
+
+// Modify sends a modify event.
+func (f *FakeWatcher) Modify(obj runtime.Object) {
+	f.result <- Event{Modified, obj}
+}
+
+// Delete sends a delete event.
+func (f *FakeWatcher) Delete(lastValue runtime.Object) {
+	f.result <- Event{Deleted, lastValue}
+}
+
+// Error sends an Error event.
+func (f *FakeWatcher) Error(errValue runtime.Object) {
+	f.result <- Event{Error, errValue}
+}
+
+// Action sends an event of the requested type, for table-based testing.
+func (f *FakeWatcher) Action(action EventType, obj runtime.Object) {
+	f.result <- Event{action, obj}
+}
+
+// RaceFreeFakeWatcher lets you test anything that consumes a watch.Interface; threadsafe.
+type RaceFreeFakeWatcher struct {
+	result  chan Event
+	Stopped bool
+	sync.Mutex
+}
+
+func NewRaceFreeFake() *RaceFreeFakeWatcher {
+	return &RaceFreeFakeWatcher{
+		result: make(chan Event, DefaultChanSize),
+	}
+}
+
+// Stop implements Interface.Stop().
+func (f *RaceFreeFakeWatcher) Stop() {
+	f.Lock()
+	defer f.Unlock()
+	if !f.Stopped {
+		glog.V(4).Infof("Stopping fake watcher.")
+		close(f.result)
+		f.Stopped = true
+	}
+}
+
+func (f *RaceFreeFakeWatcher) IsStopped() bool {
+	f.Lock()
+	defer f.Unlock()
+	return f.Stopped
+}
+
+// Reset prepares the watcher to be reused.
+func (f *RaceFreeFakeWatcher) Reset() {
+	f.Lock()
+	defer f.Unlock()
+	f.Stopped = false
+	f.result = make(chan Event, DefaultChanSize)
+}
+
+func (f *RaceFreeFakeWatcher) ResultChan() <-chan Event {
+	f.Lock()
+	defer f.Unlock()
+	return f.result
+}
+
+// Add sends an add event.
+func (f *RaceFreeFakeWatcher) Add(obj runtime.Object) {
+	f.Lock()
+	defer f.Unlock()
+	if !f.Stopped {
+		select {
+		case f.result <- Event{Added, obj}:
+			return
+		default:
+			panic(fmt.Errorf("channel full"))
+		}
+	}
+}
+
+// Modify sends a modify event.
+func (f *RaceFreeFakeWatcher) Modify(obj runtime.Object) {
+	f.Lock()
+	defer f.Unlock()
+	if !f.Stopped {
+		select {
+		case f.result <- Event{Modified, obj}:
+			return
+		default:
+			panic(fmt.Errorf("channel full"))
+		}
+	}
+}
+
+// Delete sends a delete event.
+func (f *RaceFreeFakeWatcher) Delete(lastValue runtime.Object) {
+	f.Lock()
+	defer f.Unlock()
+	if !f.Stopped {
+		select {
+		case f.result <- Event{Deleted, lastValue}:
+			return
+		default:
+			panic(fmt.Errorf("channel full"))
+		}
+	}
+}
+
+// Error sends an Error event.
+func (f *RaceFreeFakeWatcher) Error(errValue runtime.Object) {
+	f.Lock()
+	defer f.Unlock()
+	if !f.Stopped {
+		select {
+		case f.result <- Event{Error, errValue}:
+			return
+		default:
+			panic(fmt.Errorf("channel full"))
+		}
+	}
+}
+
+// Action sends an event of the requested type, for table-based testing.
+func (f *RaceFreeFakeWatcher) Action(action EventType, obj runtime.Object) {
+	f.Lock()
+	defer f.Unlock()
+	if !f.Stopped {
+		select {
+		case f.result <- Event{action, obj}:
+			return
+		default:
+			panic(fmt.Errorf("channel full"))
+		}
+	}
+}
diff --git a/cli/vendor/k8s.io/apimachinery/pkg/watch/zz_generated.deepcopy.go b/cli/vendor/k8s.io/apimachinery/pkg/watch/zz_generated.deepcopy.go
new file mode 100644
index 00000000..5c7cc08e
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/pkg/watch/zz_generated.deepcopy.go
@@ -0,0 +1,59 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package watch
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	reflect "reflect"
+)
+
+// GetGeneratedDeepCopyFuncs returns the generated funcs, since we aren't registering them.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func GetGeneratedDeepCopyFuncs() []conversion.GeneratedDeepCopyFunc {
+	return []conversion.GeneratedDeepCopyFunc{
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Event).DeepCopyInto(out.(*Event))
+			return nil
+		}, InType: reflect.TypeOf(&Event{})},
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Event) DeepCopyInto(out *Event) {
+	*out = *in
+	if in.Object == nil {
+		out.Object = nil
+	} else {
+		out.Object = in.Object.DeepCopyObject()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Event.
+func (in *Event) DeepCopy() *Event {
+	if in == nil {
+		return nil
+	}
+	out := new(Event)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/apimachinery/third_party/forked/golang/reflect/deep_equal.go b/cli/vendor/k8s.io/apimachinery/third_party/forked/golang/reflect/deep_equal.go
new file mode 100644
index 00000000..9e45dbe1
--- /dev/null
+++ b/cli/vendor/k8s.io/apimachinery/third_party/forked/golang/reflect/deep_equal.go
@@ -0,0 +1,388 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package reflect is a fork of go's standard library reflection package, which
+// allows for deep equal with equality functions defined.
+package reflect
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+)
+
+// Equalities is a map from type to a function comparing two values of
+// that type.
+type Equalities map[reflect.Type]reflect.Value
+
+// For convenience, panics on errrors
+func EqualitiesOrDie(funcs ...interface{}) Equalities {
+	e := Equalities{}
+	if err := e.AddFuncs(funcs...); err != nil {
+		panic(err)
+	}
+	return e
+}
+
+// AddFuncs is a shortcut for multiple calls to AddFunc.
+func (e Equalities) AddFuncs(funcs ...interface{}) error {
+	for _, f := range funcs {
+		if err := e.AddFunc(f); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// AddFunc uses func as an equality function: it must take
+// two parameters of the same type, and return a boolean.
+func (e Equalities) AddFunc(eqFunc interface{}) error {
+	fv := reflect.ValueOf(eqFunc)
+	ft := fv.Type()
+	if ft.Kind() != reflect.Func {
+		return fmt.Errorf("expected func, got: %v", ft)
+	}
+	if ft.NumIn() != 2 {
+		return fmt.Errorf("expected three 'in' params, got: %v", ft)
+	}
+	if ft.NumOut() != 1 {
+		return fmt.Errorf("expected one 'out' param, got: %v", ft)
+	}
+	if ft.In(0) != ft.In(1) {
+		return fmt.Errorf("expected arg 1 and 2 to have same type, but got %v", ft)
+	}
+	var forReturnType bool
+	boolType := reflect.TypeOf(forReturnType)
+	if ft.Out(0) != boolType {
+		return fmt.Errorf("expected bool return, got: %v", ft)
+	}
+	e[ft.In(0)] = fv
+	return nil
+}
+
+// Below here is forked from go's reflect/deepequal.go
+
+// During deepValueEqual, must keep track of checks that are
+// in progress.  The comparison algorithm assumes that all
+// checks in progress are true when it reencounters them.
+// Visited comparisons are stored in a map indexed by visit.
+type visit struct {
+	a1  uintptr
+	a2  uintptr
+	typ reflect.Type
+}
+
+// unexportedTypePanic is thrown when you use this DeepEqual on something that has an
+// unexported type. It indicates a programmer error, so should not occur at runtime,
+// which is why it's not public and thus impossible to catch.
+type unexportedTypePanic []reflect.Type
+
+func (u unexportedTypePanic) Error() string { return u.String() }
+func (u unexportedTypePanic) String() string {
+	strs := make([]string, len(u))
+	for i, t := range u {
+		strs[i] = fmt.Sprintf("%v", t)
+	}
+	return "an unexported field was encountered, nested like this: " + strings.Join(strs, " -> ")
+}
+
+func makeUsefulPanic(v reflect.Value) {
+	if x := recover(); x != nil {
+		if u, ok := x.(unexportedTypePanic); ok {
+			u = append(unexportedTypePanic{v.Type()}, u...)
+			x = u
+		}
+		panic(x)
+	}
+}
+
+// Tests for deep equality using reflected types. The map argument tracks
+// comparisons that have already been seen, which allows short circuiting on
+// recursive types.
+func (e Equalities) deepValueEqual(v1, v2 reflect.Value, visited map[visit]bool, depth int) bool {
+	defer makeUsefulPanic(v1)
+
+	if !v1.IsValid() || !v2.IsValid() {
+		return v1.IsValid() == v2.IsValid()
+	}
+	if v1.Type() != v2.Type() {
+		return false
+	}
+	if fv, ok := e[v1.Type()]; ok {
+		return fv.Call([]reflect.Value{v1, v2})[0].Bool()
+	}
+
+	hard := func(k reflect.Kind) bool {
+		switch k {
+		case reflect.Array, reflect.Map, reflect.Slice, reflect.Struct:
+			return true
+		}
+		return false
+	}
+
+	if v1.CanAddr() && v2.CanAddr() && hard(v1.Kind()) {
+		addr1 := v1.UnsafeAddr()
+		addr2 := v2.UnsafeAddr()
+		if addr1 > addr2 {
+			// Canonicalize order to reduce number of entries in visited.
+			addr1, addr2 = addr2, addr1
+		}
+
+		// Short circuit if references are identical ...
+		if addr1 == addr2 {
+			return true
+		}
+
+		// ... or already seen
+		typ := v1.Type()
+		v := visit{addr1, addr2, typ}
+		if visited[v] {
+			return true
+		}
+
+		// Remember for later.
+		visited[v] = true
+	}
+
+	switch v1.Kind() {
+	case reflect.Array:
+		// We don't need to check length here because length is part of
+		// an array's type, which has already been filtered for.
+		for i := 0; i < v1.Len(); i++ {
+			if !e.deepValueEqual(v1.Index(i), v2.Index(i), visited, depth+1) {
+				return false
+			}
+		}
+		return true
+	case reflect.Slice:
+		if (v1.IsNil() || v1.Len() == 0) != (v2.IsNil() || v2.Len() == 0) {
+			return false
+		}
+		if v1.IsNil() || v1.Len() == 0 {
+			return true
+		}
+		if v1.Len() != v2.Len() {
+			return false
+		}
+		if v1.Pointer() == v2.Pointer() {
+			return true
+		}
+		for i := 0; i < v1.Len(); i++ {
+			if !e.deepValueEqual(v1.Index(i), v2.Index(i), visited, depth+1) {
+				return false
+			}
+		}
+		return true
+	case reflect.Interface:
+		if v1.IsNil() || v2.IsNil() {
+			return v1.IsNil() == v2.IsNil()
+		}
+		return e.deepValueEqual(v1.Elem(), v2.Elem(), visited, depth+1)
+	case reflect.Ptr:
+		return e.deepValueEqual(v1.Elem(), v2.Elem(), visited, depth+1)
+	case reflect.Struct:
+		for i, n := 0, v1.NumField(); i < n; i++ {
+			if !e.deepValueEqual(v1.Field(i), v2.Field(i), visited, depth+1) {
+				return false
+			}
+		}
+		return true
+	case reflect.Map:
+		if (v1.IsNil() || v1.Len() == 0) != (v2.IsNil() || v2.Len() == 0) {
+			return false
+		}
+		if v1.IsNil() || v1.Len() == 0 {
+			return true
+		}
+		if v1.Len() != v2.Len() {
+			return false
+		}
+		if v1.Pointer() == v2.Pointer() {
+			return true
+		}
+		for _, k := range v1.MapKeys() {
+			if !e.deepValueEqual(v1.MapIndex(k), v2.MapIndex(k), visited, depth+1) {
+				return false
+			}
+		}
+		return true
+	case reflect.Func:
+		if v1.IsNil() && v2.IsNil() {
+			return true
+		}
+		// Can't do better than this:
+		return false
+	default:
+		// Normal equality suffices
+		if !v1.CanInterface() || !v2.CanInterface() {
+			panic(unexportedTypePanic{})
+		}
+		return v1.Interface() == v2.Interface()
+	}
+}
+
+// DeepEqual is like reflect.DeepEqual, but focused on semantic equality
+// instead of memory equality.
+//
+// It will use e's equality functions if it finds types that match.
+//
+// An empty slice *is* equal to a nil slice for our purposes; same for maps.
+//
+// Unexported field members cannot be compared and will cause an imformative panic; you must add an Equality
+// function for these types.
+func (e Equalities) DeepEqual(a1, a2 interface{}) bool {
+	if a1 == nil || a2 == nil {
+		return a1 == a2
+	}
+	v1 := reflect.ValueOf(a1)
+	v2 := reflect.ValueOf(a2)
+	if v1.Type() != v2.Type() {
+		return false
+	}
+	return e.deepValueEqual(v1, v2, make(map[visit]bool), 0)
+}
+
+func (e Equalities) deepValueDerive(v1, v2 reflect.Value, visited map[visit]bool, depth int) bool {
+	defer makeUsefulPanic(v1)
+
+	if !v1.IsValid() || !v2.IsValid() {
+		return v1.IsValid() == v2.IsValid()
+	}
+	if v1.Type() != v2.Type() {
+		return false
+	}
+	if fv, ok := e[v1.Type()]; ok {
+		return fv.Call([]reflect.Value{v1, v2})[0].Bool()
+	}
+
+	hard := func(k reflect.Kind) bool {
+		switch k {
+		case reflect.Array, reflect.Map, reflect.Slice, reflect.Struct:
+			return true
+		}
+		return false
+	}
+
+	if v1.CanAddr() && v2.CanAddr() && hard(v1.Kind()) {
+		addr1 := v1.UnsafeAddr()
+		addr2 := v2.UnsafeAddr()
+		if addr1 > addr2 {
+			// Canonicalize order to reduce number of entries in visited.
+			addr1, addr2 = addr2, addr1
+		}
+
+		// Short circuit if references are identical ...
+		if addr1 == addr2 {
+			return true
+		}
+
+		// ... or already seen
+		typ := v1.Type()
+		v := visit{addr1, addr2, typ}
+		if visited[v] {
+			return true
+		}
+
+		// Remember for later.
+		visited[v] = true
+	}
+
+	switch v1.Kind() {
+	case reflect.Array:
+		// We don't need to check length here because length is part of
+		// an array's type, which has already been filtered for.
+		for i := 0; i < v1.Len(); i++ {
+			if !e.deepValueDerive(v1.Index(i), v2.Index(i), visited, depth+1) {
+				return false
+			}
+		}
+		return true
+	case reflect.Slice:
+		if v1.IsNil() || v1.Len() == 0 {
+			return true
+		}
+		if v1.Len() > v2.Len() {
+			return false
+		}
+		if v1.Pointer() == v2.Pointer() {
+			return true
+		}
+		for i := 0; i < v1.Len(); i++ {
+			if !e.deepValueDerive(v1.Index(i), v2.Index(i), visited, depth+1) {
+				return false
+			}
+		}
+		return true
+	case reflect.String:
+		if v1.Len() == 0 {
+			return true
+		}
+		if v1.Len() > v2.Len() {
+			return false
+		}
+		return v1.String() == v2.String()
+	case reflect.Interface:
+		if v1.IsNil() {
+			return true
+		}
+		return e.deepValueDerive(v1.Elem(), v2.Elem(), visited, depth+1)
+	case reflect.Ptr:
+		if v1.IsNil() {
+			return true
+		}
+		return e.deepValueDerive(v1.Elem(), v2.Elem(), visited, depth+1)
+	case reflect.Struct:
+		for i, n := 0, v1.NumField(); i < n; i++ {
+			if !e.deepValueDerive(v1.Field(i), v2.Field(i), visited, depth+1) {
+				return false
+			}
+		}
+		return true
+	case reflect.Map:
+		if v1.IsNil() || v1.Len() == 0 {
+			return true
+		}
+		if v1.Len() > v2.Len() {
+			return false
+		}
+		if v1.Pointer() == v2.Pointer() {
+			return true
+		}
+		for _, k := range v1.MapKeys() {
+			if !e.deepValueDerive(v1.MapIndex(k), v2.MapIndex(k), visited, depth+1) {
+				return false
+			}
+		}
+		return true
+	case reflect.Func:
+		if v1.IsNil() && v2.IsNil() {
+			return true
+		}
+		// Can't do better than this:
+		return false
+	default:
+		// Normal equality suffices
+		if !v1.CanInterface() || !v2.CanInterface() {
+			panic(unexportedTypePanic{})
+		}
+		return v1.Interface() == v2.Interface()
+	}
+}
+
+// DeepDerivative is similar to DeepEqual except that unset fields in a1 are
+// ignored (not compared). This allows us to focus on the fields that matter to
+// the semantic comparison.
+//
+// The unset fields include a nil pointer and an empty string.
+func (e Equalities) DeepDerivative(a1, a2 interface{}) bool {
+	if a1 == nil {
+		return true
+	}
+	v1 := reflect.ValueOf(a1)
+	v2 := reflect.ValueOf(a2)
+	if v1.Type() != v2.Type() {
+		return false
+	}
+	return e.deepValueDerive(v1, v2, make(map[visit]bool), 0)
+}
diff --git a/cli/vendor/k8s.io/client-go/LICENSE b/cli/vendor/k8s.io/client-go/LICENSE
new file mode 100644
index 00000000..d6456956
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/cli/vendor/k8s.io/client-go/README.md b/cli/vendor/k8s.io/client-go/README.md
new file mode 100644
index 00000000..afd03ced
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/README.md
@@ -0,0 +1,157 @@
+# client-go
+
+Go clients for talking to a [kubernetes](http://kubernetes.io/) cluster.
+
+We currently recommend using the v4.0.0 tag. See [INSTALL.md](/INSTALL.md) for
+detailed installation instructions. `go get k8s.io/client-go/...` works, but
+will give you head and doesn't handle the dependencies well.
+
+[![Build Status](https://travis-ci.org/kubernetes/client-go.svg?branch=master)](https://travis-ci.org/kubernetes/client-go)
+[![GoDoc](https://godoc.org/k8s.io/client-go?status.svg)](https://godoc.org/k8s.io/client-go)
+
+## Table of Contents
+
+- [What's included](#whats-included)
+- [Versioning](#versioning)
+  - [Compatibility: your code <-> client-go](#compatibility-your-code---client-go)
+  - [Compatibility: client-go <-> Kubernetes clusters](#compatibility-client-go---kubernetes-clusters)
+  - [Compatibility matrix](#compatibility-matrix)
+  - [Why do the 1.4 and 1.5 branch contain top-level folder named after the version?](#why-do-the-14-and-15-branch-contain-top-level-folder-named-after-the-version)
+- [How to get it](#how-to-get-it)
+- [How to use it](#how-to-use-it)
+- [Dependency management](#dependency-management)
+- [Contributing code](#contributing-code)
+
+### What's included
+
+* The `kubernetes` package contains the clientset to access Kubernetes API.
+* The `discovery` package is used to discover APIs supported by a Kubernetes API server.
+* The `dynamic` package contains a dynamic client that can perform generic operations on arbitrary Kubernetes API objects.
+* The `transport` package is used to set up auth and start a connection.
+* The `tools/cache` package is useful for writing controllers.
+
+### Versioning
+
+`client-go` follows [semver](http://semver.org/). We will not make
+backwards-incompatible changes without incrementing the major version number. A
+change is backwards-incompatible either if it *i)* changes the public interfaces
+of `client-go`, or *ii)* makes `client-go` incompatible with otherwise supported
+versions of Kubernetes clusters.
+
+Changes that add features in a backwards-compatible way will result in bumping
+the minor version (second digit) number.
+
+Bugfixes will result in the patch version (third digit) changing. PRs that are
+cherry-picked into an older Kubernetes release branch will result in an update
+to the corresponding branch in `client-go`, with a corresponding new tag
+changing the patch version.
+
+A consequence of this is that `client-go` version numbers will be unrelated to
+Kubernetes version numbers.
+
+#### Branches and tags.
+
+We will create a new branch and tag for each increment in the major version number or
+minor version number. We will create only a new tag for each increment in the patch
+version number. See [semver](http://semver.org/) for definitions of major,
+minor, and patch.
+
+The master branch will track HEAD in the main Kubernetes repo and
+accumulate changes. Consider HEAD to have the version `x.(y+1).0-alpha` or
+`(x+1).0.0-alpha` (depending on whether it has accumulated a breaking change or
+not), where `x` and `y` are the current major and minor versions.
+
+#### Compatibility: your code <-> client-go
+
+`client-go` follows [semver](http://semver.org/), so until the major version of
+client-go gets increased, your code will compile and will continue to work with
+explicitly supported versions of Kubernetes clusters. You must use a dependency
+management system and pin a specific major version of `client-go` to get this
+benefit, as HEAD follows the upstream Kubernetes repo.
+
+#### Compatibility: client-go <-> Kubernetes clusters
+
+Since Kubernetes is backwards compatible with clients, older `client-go`
+versions will work with many different Kubernetes cluster versions.
+
+We will backport bugfixes--but not new features--into older versions of
+`client-go`.
+
+
+#### Compatibility matrix
+
+|                     | Kubernetes 1.3 | Kubernetes 1.4 | Kubernetes 1.5 | Kubernetes 1.6 | Kubernetes 1.7 |
+|---------------------|----------------|----------------|----------------|----------------|----------------|
+| client-go 1.4       | +              | ✓              | -              | -              | -              |
+| client-go 1.5       | +              | +              | -              | -              | -              |
+| client-go 2.0       | +              | +              | ✓              | -              | -              |
+| client-go 3.0       | †              | †              | †              | ✓              | -              |
+| client-go 4.0       | †              | †              | †              | +              | ✓              |
+| client-go HEAD      | †              | †              | †              | +              | +              |
+
+Key:
+
+* `✓` Exactly the same features / API objects in both client-go and the Kubernetes
+  version.
+* `+` client-go has features or api objects that may not be present in the
+  Kubernetes cluster, but everything they have in common will work. Please
+  note that alpha APIs may vanish or change significantly in a single release.
+* `†` client-go has new features or api objects, and some APIs running in the
+  cluster may have been deprecated and removed from client-go. But everything
+  they share in common (i.e., most APIs) will work.
+* `-` The Kubernetes cluster has features the client-go library can't use
+  (additional API objects, etc).
+
+See the [CHANGELOG](./CHANGELOG.md) for a detailed description of changes
+between client-go versions.
+
+| Branch         | Canonical source code location       | Maintenance status            |
+|----------------|--------------------------------------|-------------------------------|
+| client-go 1.4  | Kubernetes main repo, 1.4 branch     | = -                           |
+| client-go 1.5  | Kubernetes main repo, 1.5 branch     | = -                           |
+| client-go 2.0  | Kubernetes main repo, 1.5 branch     | ✓                             |
+| client-go 3.0  | Kubernetes main repo, 1.6 branch     | ✓                             |
+| client-go 4.0  | Kubernetes main repo, 1.7 branch     | ✓                             |
+| client-go HEAD | Kubernetes main repo, master branch  | ✓                             |
+
+Key:
+
+* `✓` Changes in main Kubernetes repo are actively published to client-go by a bot
+* `=` Maintenance is manual, only severe security bugs will be patched.
+* `-` Deprecated; please upgrade.
+
+#### Deprecation policy
+
+We will maintain branches for at least six months after their first stable tag
+is cut. (E.g., the clock for the release-2.0 branch started ticking when we
+tagged v2.0.0, not when we made the first alpha.) This policy applies to
+every version greater than or equal to 2.0.
+
+#### Why do the 1.4 and 1.5 branch contain top-level folder named after the version?
+
+For the initial release of client-go, we thought it would be easiest to keep
+separate directories for each minor version. That soon proved to be a mistake.
+We are keeping the top-level folders in the 1.4 and 1.5 branches so that
+existing users won't be broken.
+
+### How to get it
+
+You can use `go get k8s.io/client-go/...` to get client-go, but **you will get
+the unstable master branch** and `client-go`'s vendored dependencies will not be
+added to your `$GOPATH`. So we think most users will want to use a dependency
+management system. See [INSTALL.md](/INSTALL.md) for detailed instructions.
+
+### How to use it
+
+If your application runs in a Pod in the cluster, please refer to the
+in-cluster [example](examples/in-cluster-client-configuration), otherwise please
+refer to the out-of-cluster [example](examples/out-of-cluster-client-configuration).
+
+### Dependency management
+
+If your application depends on a package that client-go depends on, and you let the Go compiler find the dependency in `GOPATH`, you will end up with duplicated dependencies: one copy from the `GOPATH`, and one from the vendor folder of client-go. This will cause unexpected runtime error like flag redefinition, since the go compiler ends up importing both packages separately, even if they are exactly the same thing. If this happens, you can either
+* run `godep restore` ([godep](https://github.com/tools/godep)) in the client-go/ folder, then remove the vendor folder of client-go. Then the packages in your GOPATH will be the only copy
+* or run `godep save` in your application folder to flatten all dependencies.
+
+### Contributing code
+Please send pull requests against the client packages in the Kubernetes main [repository](https://github.com/kubernetes/kubernetes). Changes in the staging area will be published to this repository every day.
diff --git a/cli/vendor/k8s.io/client-go/discovery/discovery_client.go b/cli/vendor/k8s.io/client-go/discovery/discovery_client.go
new file mode 100644
index 00000000..59c69680
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/discovery/discovery_client.go
@@ -0,0 +1,458 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package discovery
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"sort"
+	"strings"
+
+	"github.com/emicklei/go-restful-swagger12"
+	"github.com/golang/protobuf/proto"
+	"github.com/googleapis/gnostic/OpenAPIv2"
+
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/apimachinery/pkg/version"
+	"k8s.io/client-go/kubernetes/scheme"
+	restclient "k8s.io/client-go/rest"
+)
+
+// defaultRetries is the number of times a resource discovery is repeated if an api group disappears on the fly (e.g. ThirdPartyResources).
+const defaultRetries = 2
+
+// DiscoveryInterface holds the methods that discover server-supported API groups,
+// versions and resources.
+type DiscoveryInterface interface {
+	RESTClient() restclient.Interface
+	ServerGroupsInterface
+	ServerResourcesInterface
+	ServerVersionInterface
+	SwaggerSchemaInterface
+	OpenAPISchemaInterface
+}
+
+// CachedDiscoveryInterface is a DiscoveryInterface with cache invalidation and freshness.
+type CachedDiscoveryInterface interface {
+	DiscoveryInterface
+	// Fresh is supposed to tell the caller whether or not to retry if the cache
+	// fails to find something (false = retry, true = no need to retry).
+	//
+	// TODO: this needs to be revisited, this interface can't be locked properly
+	// and doesn't make a lot of sense.
+	Fresh() bool
+	// Invalidate enforces that no cached data is used in the future that is older than the current time.
+	Invalidate()
+}
+
+// ServerGroupsInterface has methods for obtaining supported groups on the API server
+type ServerGroupsInterface interface {
+	// ServerGroups returns the supported groups, with information like supported versions and the
+	// preferred version.
+	ServerGroups() (*metav1.APIGroupList, error)
+}
+
+// ServerResourcesInterface has methods for obtaining supported resources on the API server
+type ServerResourcesInterface interface {
+	// ServerResourcesForGroupVersion returns the supported resources for a group and version.
+	ServerResourcesForGroupVersion(groupVersion string) (*metav1.APIResourceList, error)
+	// ServerResources returns the supported resources for all groups and versions.
+	ServerResources() ([]*metav1.APIResourceList, error)
+	// ServerPreferredResources returns the supported resources with the version preferred by the
+	// server.
+	ServerPreferredResources() ([]*metav1.APIResourceList, error)
+	// ServerPreferredNamespacedResources returns the supported namespaced resources with the
+	// version preferred by the server.
+	ServerPreferredNamespacedResources() ([]*metav1.APIResourceList, error)
+}
+
+// ServerVersionInterface has a method for retrieving the server's version.
+type ServerVersionInterface interface {
+	// ServerVersion retrieves and parses the server's version (git version).
+	ServerVersion() (*version.Info, error)
+}
+
+// SwaggerSchemaInterface has a method to retrieve the swagger schema.
+type SwaggerSchemaInterface interface {
+	// SwaggerSchema retrieves and parses the swagger API schema the server supports.
+	SwaggerSchema(version schema.GroupVersion) (*swagger.ApiDeclaration, error)
+}
+
+// OpenAPISchemaInterface has a method to retrieve the open API schema.
+type OpenAPISchemaInterface interface {
+	// OpenAPISchema retrieves and parses the swagger API schema the server supports.
+	OpenAPISchema() (*openapi_v2.Document, error)
+}
+
+// DiscoveryClient implements the functions that discover server-supported API groups,
+// versions and resources.
+type DiscoveryClient struct {
+	restClient restclient.Interface
+
+	LegacyPrefix string
+}
+
+// Convert metav1.APIVersions to metav1.APIGroup. APIVersions is used by legacy v1, so
+// group would be "".
+func apiVersionsToAPIGroup(apiVersions *metav1.APIVersions) (apiGroup metav1.APIGroup) {
+	groupVersions := []metav1.GroupVersionForDiscovery{}
+	for _, version := range apiVersions.Versions {
+		groupVersion := metav1.GroupVersionForDiscovery{
+			GroupVersion: version,
+			Version:      version,
+		}
+		groupVersions = append(groupVersions, groupVersion)
+	}
+	apiGroup.Versions = groupVersions
+	// There should be only one groupVersion returned at /api
+	apiGroup.PreferredVersion = groupVersions[0]
+	return
+}
+
+// ServerGroups returns the supported groups, with information like supported versions and the
+// preferred version.
+func (d *DiscoveryClient) ServerGroups() (apiGroupList *metav1.APIGroupList, err error) {
+	// Get the groupVersions exposed at /api
+	v := &metav1.APIVersions{}
+	err = d.restClient.Get().AbsPath(d.LegacyPrefix).Do().Into(v)
+	apiGroup := metav1.APIGroup{}
+	if err == nil && len(v.Versions) != 0 {
+		apiGroup = apiVersionsToAPIGroup(v)
+	}
+	if err != nil && !errors.IsNotFound(err) && !errors.IsForbidden(err) {
+		return nil, err
+	}
+
+	// Get the groupVersions exposed at /apis
+	apiGroupList = &metav1.APIGroupList{}
+	err = d.restClient.Get().AbsPath("/apis").Do().Into(apiGroupList)
+	if err != nil && !errors.IsNotFound(err) && !errors.IsForbidden(err) {
+		return nil, err
+	}
+	// to be compatible with a v1.0 server, if it's a 403 or 404, ignore and return whatever we got from /api
+	if err != nil && (errors.IsNotFound(err) || errors.IsForbidden(err)) {
+		apiGroupList = &metav1.APIGroupList{}
+	}
+
+	// append the group retrieved from /api to the list if not empty
+	if len(v.Versions) != 0 {
+		apiGroupList.Groups = append(apiGroupList.Groups, apiGroup)
+	}
+	return apiGroupList, nil
+}
+
+// ServerResourcesForGroupVersion returns the supported resources for a group and version.
+func (d *DiscoveryClient) ServerResourcesForGroupVersion(groupVersion string) (resources *metav1.APIResourceList, err error) {
+	url := url.URL{}
+	if len(groupVersion) == 0 {
+		return nil, fmt.Errorf("groupVersion shouldn't be empty")
+	}
+	if len(d.LegacyPrefix) > 0 && groupVersion == "v1" {
+		url.Path = d.LegacyPrefix + "/" + groupVersion
+	} else {
+		url.Path = "/apis/" + groupVersion
+	}
+	resources = &metav1.APIResourceList{
+		GroupVersion: groupVersion,
+	}
+	err = d.restClient.Get().AbsPath(url.String()).Do().Into(resources)
+	if err != nil {
+		// ignore 403 or 404 error to be compatible with an v1.0 server.
+		if groupVersion == "v1" && (errors.IsNotFound(err) || errors.IsForbidden(err)) {
+			return resources, nil
+		}
+		return nil, err
+	}
+	return resources, nil
+}
+
+// serverResources returns the supported resources for all groups and versions.
+func (d *DiscoveryClient) serverResources() ([]*metav1.APIResourceList, error) {
+	apiGroups, err := d.ServerGroups()
+	if err != nil {
+		return nil, err
+	}
+
+	result := []*metav1.APIResourceList{}
+	failedGroups := make(map[schema.GroupVersion]error)
+
+	for _, apiGroup := range apiGroups.Groups {
+		for _, version := range apiGroup.Versions {
+			gv := schema.GroupVersion{Group: apiGroup.Name, Version: version.Version}
+			resources, err := d.ServerResourcesForGroupVersion(version.GroupVersion)
+			if err != nil {
+				// TODO: maybe restrict this to NotFound errors
+				failedGroups[gv] = err
+				continue
+			}
+
+			result = append(result, resources)
+		}
+	}
+
+	if len(failedGroups) == 0 {
+		return result, nil
+	}
+
+	return result, &ErrGroupDiscoveryFailed{Groups: failedGroups}
+}
+
+// ServerResources returns the supported resources for all groups and versions.
+func (d *DiscoveryClient) ServerResources() ([]*metav1.APIResourceList, error) {
+	return withRetries(defaultRetries, d.serverResources)
+}
+
+// ErrGroupDiscoveryFailed is returned if one or more API groups fail to load.
+type ErrGroupDiscoveryFailed struct {
+	// Groups is a list of the groups that failed to load and the error cause
+	Groups map[schema.GroupVersion]error
+}
+
+// Error implements the error interface
+func (e *ErrGroupDiscoveryFailed) Error() string {
+	var groups []string
+	for k, v := range e.Groups {
+		groups = append(groups, fmt.Sprintf("%s: %v", k, v))
+	}
+	sort.Strings(groups)
+	return fmt.Sprintf("unable to retrieve the complete list of server APIs: %s", strings.Join(groups, ", "))
+}
+
+// IsGroupDiscoveryFailedError returns true if the provided error indicates the server was unable to discover
+// a complete list of APIs for the client to use.
+func IsGroupDiscoveryFailedError(err error) bool {
+	_, ok := err.(*ErrGroupDiscoveryFailed)
+	return err != nil && ok
+}
+
+// serverPreferredResources returns the supported resources with the version preferred by the server.
+func (d *DiscoveryClient) serverPreferredResources() ([]*metav1.APIResourceList, error) {
+	serverGroupList, err := d.ServerGroups()
+	if err != nil {
+		return nil, err
+	}
+
+	result := []*metav1.APIResourceList{}
+	failedGroups := make(map[schema.GroupVersion]error)
+
+	grVersions := map[schema.GroupResource]string{}                         // selected version of a GroupResource
+	grApiResources := map[schema.GroupResource]*metav1.APIResource{}        // selected APIResource for a GroupResource
+	gvApiResourceLists := map[schema.GroupVersion]*metav1.APIResourceList{} // blueprint for a APIResourceList for later grouping
+
+	for _, apiGroup := range serverGroupList.Groups {
+		for _, version := range apiGroup.Versions {
+			groupVersion := schema.GroupVersion{Group: apiGroup.Name, Version: version.Version}
+			apiResourceList, err := d.ServerResourcesForGroupVersion(version.GroupVersion)
+			if err != nil {
+				// TODO: maybe restrict this to NotFound errors
+				failedGroups[groupVersion] = err
+				continue
+			}
+
+			// create empty list which is filled later in another loop
+			emptyApiResourceList := metav1.APIResourceList{
+				GroupVersion: version.GroupVersion,
+			}
+			gvApiResourceLists[groupVersion] = &emptyApiResourceList
+			result = append(result, &emptyApiResourceList)
+
+			for i := range apiResourceList.APIResources {
+				apiResource := &apiResourceList.APIResources[i]
+				if strings.Contains(apiResource.Name, "/") {
+					continue
+				}
+				gv := schema.GroupResource{Group: apiGroup.Name, Resource: apiResource.Name}
+				if _, ok := grApiResources[gv]; ok && version.Version != apiGroup.PreferredVersion.Version {
+					// only override with preferred version
+					continue
+				}
+				grVersions[gv] = version.Version
+				grApiResources[gv] = apiResource
+			}
+		}
+	}
+
+	// group selected APIResources according to GroupVersion into APIResourceLists
+	for groupResource, apiResource := range grApiResources {
+		version := grVersions[groupResource]
+		groupVersion := schema.GroupVersion{Group: groupResource.Group, Version: version}
+		apiResourceList := gvApiResourceLists[groupVersion]
+		apiResourceList.APIResources = append(apiResourceList.APIResources, *apiResource)
+	}
+
+	if len(failedGroups) == 0 {
+		return result, nil
+	}
+
+	return result, &ErrGroupDiscoveryFailed{Groups: failedGroups}
+}
+
+// ServerPreferredResources returns the supported resources with the version preferred by the
+// server.
+func (d *DiscoveryClient) ServerPreferredResources() ([]*metav1.APIResourceList, error) {
+	return withRetries(defaultRetries, d.serverPreferredResources)
+}
+
+// ServerPreferredNamespacedResources returns the supported namespaced resources with the
+// version preferred by the server.
+func (d *DiscoveryClient) ServerPreferredNamespacedResources() ([]*metav1.APIResourceList, error) {
+	all, err := d.ServerPreferredResources()
+	return FilteredBy(ResourcePredicateFunc(func(groupVersion string, r *metav1.APIResource) bool {
+		return r.Namespaced
+	}), all), err
+}
+
+// ServerVersion retrieves and parses the server's version (git version).
+func (d *DiscoveryClient) ServerVersion() (*version.Info, error) {
+	body, err := d.restClient.Get().AbsPath("/version").Do().Raw()
+	if err != nil {
+		return nil, err
+	}
+	var info version.Info
+	err = json.Unmarshal(body, &info)
+	if err != nil {
+		return nil, fmt.Errorf("got '%s': %v", string(body), err)
+	}
+	return &info, nil
+}
+
+// SwaggerSchema retrieves and parses the swagger API schema the server supports.
+// TODO: Replace usages with Open API.  Tracked in https://github.com/kubernetes/kubernetes/issues/44589
+func (d *DiscoveryClient) SwaggerSchema(version schema.GroupVersion) (*swagger.ApiDeclaration, error) {
+	if version.Empty() {
+		return nil, fmt.Errorf("groupVersion cannot be empty")
+	}
+
+	groupList, err := d.ServerGroups()
+	if err != nil {
+		return nil, err
+	}
+	groupVersions := metav1.ExtractGroupVersions(groupList)
+	// This check also takes care the case that kubectl is newer than the running endpoint
+	if stringDoesntExistIn(version.String(), groupVersions) {
+		return nil, fmt.Errorf("API version: %v is not supported by the server. Use one of: %v", version, groupVersions)
+	}
+	var path string
+	if len(d.LegacyPrefix) > 0 && version == v1.SchemeGroupVersion {
+		path = "/swaggerapi" + d.LegacyPrefix + "/" + version.Version
+	} else {
+		path = "/swaggerapi/apis/" + version.Group + "/" + version.Version
+	}
+
+	body, err := d.restClient.Get().AbsPath(path).Do().Raw()
+	if err != nil {
+		return nil, err
+	}
+	var schema swagger.ApiDeclaration
+	err = json.Unmarshal(body, &schema)
+	if err != nil {
+		return nil, fmt.Errorf("got '%s': %v", string(body), err)
+	}
+	return &schema, nil
+}
+
+// OpenAPISchema fetches the open api schema using a rest client and parses the proto.
+func (d *DiscoveryClient) OpenAPISchema() (*openapi_v2.Document, error) {
+	data, err := d.restClient.Get().AbsPath("/swagger-2.0.0.pb-v1").Do().Raw()
+	if err != nil {
+		return nil, err
+	}
+	document := &openapi_v2.Document{}
+	err = proto.Unmarshal(data, document)
+	if err != nil {
+		return nil, err
+	}
+	return document, nil
+}
+
+// withRetries retries the given recovery function in case the groups supported by the server change after ServerGroup() returns.
+func withRetries(maxRetries int, f func() ([]*metav1.APIResourceList, error)) ([]*metav1.APIResourceList, error) {
+	var result []*metav1.APIResourceList
+	var err error
+	for i := 0; i < maxRetries; i++ {
+		result, err = f()
+		if err == nil {
+			return result, nil
+		}
+		if _, ok := err.(*ErrGroupDiscoveryFailed); !ok {
+			return nil, err
+		}
+	}
+	return result, err
+}
+
+func setDiscoveryDefaults(config *restclient.Config) error {
+	config.APIPath = ""
+	config.GroupVersion = nil
+	codec := runtime.NoopEncoder{Decoder: scheme.Codecs.UniversalDecoder()}
+	config.NegotiatedSerializer = serializer.NegotiatedSerializerWrapper(runtime.SerializerInfo{Serializer: codec})
+	if len(config.UserAgent) == 0 {
+		config.UserAgent = restclient.DefaultKubernetesUserAgent()
+	}
+	return nil
+}
+
+// NewDiscoveryClientForConfig creates a new DiscoveryClient for the given config. This client
+// can be used to discover supported resources in the API server.
+func NewDiscoveryClientForConfig(c *restclient.Config) (*DiscoveryClient, error) {
+	config := *c
+	if err := setDiscoveryDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := restclient.UnversionedRESTClientFor(&config)
+	return &DiscoveryClient{restClient: client, LegacyPrefix: "/api"}, err
+}
+
+// NewDiscoveryClientForConfigOrDie creates a new DiscoveryClient for the given config. If
+// there is an error, it panics.
+func NewDiscoveryClientForConfigOrDie(c *restclient.Config) *DiscoveryClient {
+	client, err := NewDiscoveryClientForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+
+}
+
+// NewDiscoveryClient returns  a new DiscoveryClient for the given RESTClient.
+func NewDiscoveryClient(c restclient.Interface) *DiscoveryClient {
+	return &DiscoveryClient{restClient: c, LegacyPrefix: "/api"}
+}
+
+func stringDoesntExistIn(str string, slice []string) bool {
+	for _, s := range slice {
+		if s == str {
+			return false
+		}
+	}
+	return true
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *DiscoveryClient) RESTClient() restclient.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/discovery/helper.go b/cli/vendor/k8s.io/client-go/discovery/helper.go
new file mode 100644
index 00000000..353d34b3
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/discovery/helper.go
@@ -0,0 +1,121 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package discovery
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
+	apimachineryversion "k8s.io/apimachinery/pkg/version"
+)
+
+// MatchesServerVersion queries the server to compares the build version
+// (git hash) of the client with the server's build version. It returns an error
+// if it failed to contact the server or if the versions are not an exact match.
+func MatchesServerVersion(clientVersion apimachineryversion.Info, client DiscoveryInterface) error {
+	sVer, err := client.ServerVersion()
+	if err != nil {
+		return fmt.Errorf("couldn't read version from server: %v\n", err)
+	}
+	// GitVersion includes GitCommit and GitTreeState, but best to be safe?
+	if clientVersion.GitVersion != sVer.GitVersion || clientVersion.GitCommit != sVer.GitCommit || clientVersion.GitTreeState != sVer.GitTreeState {
+		return fmt.Errorf("server version (%#v) differs from client version (%#v)!\n", sVer, clientVersion)
+	}
+
+	return nil
+}
+
+// ServerSupportsVersion returns an error if the server doesn't have the required version
+func ServerSupportsVersion(client DiscoveryInterface, requiredGV schema.GroupVersion) error {
+	groups, err := client.ServerGroups()
+	if err != nil {
+		// This is almost always a connection error, and higher level code should treat this as a generic error,
+		// not a negotiation specific error.
+		return err
+	}
+	versions := metav1.ExtractGroupVersions(groups)
+	serverVersions := sets.String{}
+	for _, v := range versions {
+		serverVersions.Insert(v)
+	}
+
+	if serverVersions.Has(requiredGV.String()) {
+		return nil
+	}
+
+	// If the server supports no versions, then we should pretend it has the version because of old servers.
+	// This can happen because discovery fails due to 403 Forbidden errors
+	if len(serverVersions) == 0 {
+		return nil
+	}
+
+	return fmt.Errorf("server does not support API version %q", requiredGV)
+}
+
+// GroupVersionResources converts APIResourceLists to the GroupVersionResources.
+func GroupVersionResources(rls []*metav1.APIResourceList) (map[schema.GroupVersionResource]struct{}, error) {
+	gvrs := map[schema.GroupVersionResource]struct{}{}
+	for _, rl := range rls {
+		gv, err := schema.ParseGroupVersion(rl.GroupVersion)
+		if err != nil {
+			return nil, err
+		}
+		for i := range rl.APIResources {
+			gvrs[schema.GroupVersionResource{Group: gv.Group, Version: gv.Version, Resource: rl.APIResources[i].Name}] = struct{}{}
+		}
+	}
+	return gvrs, nil
+}
+
+// FilteredBy filters by the given predicate. Empty APIResourceLists are dropped.
+func FilteredBy(pred ResourcePredicate, rls []*metav1.APIResourceList) []*metav1.APIResourceList {
+	result := []*metav1.APIResourceList{}
+	for _, rl := range rls {
+		filtered := *rl
+		filtered.APIResources = nil
+		for i := range rl.APIResources {
+			if pred.Match(rl.GroupVersion, &rl.APIResources[i]) {
+				filtered.APIResources = append(filtered.APIResources, rl.APIResources[i])
+			}
+		}
+		if filtered.APIResources != nil {
+			result = append(result, &filtered)
+		}
+	}
+	return result
+}
+
+type ResourcePredicate interface {
+	Match(groupVersion string, r *metav1.APIResource) bool
+}
+
+type ResourcePredicateFunc func(groupVersion string, r *metav1.APIResource) bool
+
+func (fn ResourcePredicateFunc) Match(groupVersion string, r *metav1.APIResource) bool {
+	return fn(groupVersion, r)
+}
+
+// SupportsAllVerbs is a predicate matching a resource iff all given verbs are supported.
+type SupportsAllVerbs struct {
+	Verbs []string
+}
+
+func (p SupportsAllVerbs) Match(groupVersion string, r *metav1.APIResource) bool {
+	return sets.NewString([]string(r.Verbs)...).HasAll(p.Verbs...)
+}
diff --git a/cli/vendor/k8s.io/client-go/discovery/restmapper.go b/cli/vendor/k8s.io/client-go/discovery/restmapper.go
new file mode 100644
index 00000000..6d1de8c1
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/discovery/restmapper.go
@@ -0,0 +1,331 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package discovery
+
+import (
+	"fmt"
+	"sync"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"github.com/golang/glog"
+)
+
+// APIGroupResources is an API group with a mapping of versions to
+// resources.
+type APIGroupResources struct {
+	Group metav1.APIGroup
+	// A mapping of version string to a slice of APIResources for
+	// that version.
+	VersionedResources map[string][]metav1.APIResource
+}
+
+// NewRESTMapper returns a PriorityRESTMapper based on the discovered
+// groups and resources passed in.
+func NewRESTMapper(groupResources []*APIGroupResources, versionInterfaces meta.VersionInterfacesFunc) meta.RESTMapper {
+	unionMapper := meta.MultiRESTMapper{}
+
+	var groupPriority []string
+	// /v1 is special.  It should always come first
+	resourcePriority := []schema.GroupVersionResource{{Group: "", Version: "v1", Resource: meta.AnyResource}}
+	kindPriority := []schema.GroupVersionKind{{Group: "", Version: "v1", Kind: meta.AnyKind}}
+
+	for _, group := range groupResources {
+		groupPriority = append(groupPriority, group.Group.Name)
+
+		// Make sure the preferred version comes first
+		if len(group.Group.PreferredVersion.Version) != 0 {
+			preferred := group.Group.PreferredVersion.Version
+			if _, ok := group.VersionedResources[preferred]; ok {
+				resourcePriority = append(resourcePriority, schema.GroupVersionResource{
+					Group:    group.Group.Name,
+					Version:  group.Group.PreferredVersion.Version,
+					Resource: meta.AnyResource,
+				})
+
+				kindPriority = append(kindPriority, schema.GroupVersionKind{
+					Group:   group.Group.Name,
+					Version: group.Group.PreferredVersion.Version,
+					Kind:    meta.AnyKind,
+				})
+			}
+		}
+
+		for _, discoveryVersion := range group.Group.Versions {
+			resources, ok := group.VersionedResources[discoveryVersion.Version]
+			if !ok {
+				continue
+			}
+
+			// Add non-preferred versions after the preferred version, in case there are resources that only exist in those versions
+			if discoveryVersion.Version != group.Group.PreferredVersion.Version {
+				resourcePriority = append(resourcePriority, schema.GroupVersionResource{
+					Group:    group.Group.Name,
+					Version:  discoveryVersion.Version,
+					Resource: meta.AnyResource,
+				})
+
+				kindPriority = append(kindPriority, schema.GroupVersionKind{
+					Group:   group.Group.Name,
+					Version: discoveryVersion.Version,
+					Kind:    meta.AnyKind,
+				})
+			}
+
+			gv := schema.GroupVersion{Group: group.Group.Name, Version: discoveryVersion.Version}
+			versionMapper := meta.NewDefaultRESTMapper([]schema.GroupVersion{gv}, versionInterfaces)
+
+			for _, resource := range resources {
+				scope := meta.RESTScopeNamespace
+				if !resource.Namespaced {
+					scope = meta.RESTScopeRoot
+				}
+
+				// this is for legacy resources and servers which don't list singular forms.  For those we must still guess.
+				if len(resource.SingularName) == 0 {
+					versionMapper.Add(gv.WithKind(resource.Kind), scope)
+					// TODO this is producing unsafe guesses that don't actually work, but it matches previous behavior
+					versionMapper.Add(gv.WithKind(resource.Kind+"List"), scope)
+					continue
+				}
+
+				plural := gv.WithResource(resource.Name)
+				singular := gv.WithResource(resource.SingularName)
+				versionMapper.AddSpecific(gv.WithKind(resource.Kind), plural, singular, scope)
+				// TODO this is producing unsafe guesses that don't actually work, but it matches previous behavior
+				versionMapper.Add(gv.WithKind(resource.Kind+"List"), scope)
+			}
+			// TODO why is this type not in discovery (at least for "v1")
+			versionMapper.Add(gv.WithKind("List"), meta.RESTScopeRoot)
+			unionMapper = append(unionMapper, versionMapper)
+		}
+	}
+
+	for _, group := range groupPriority {
+		resourcePriority = append(resourcePriority, schema.GroupVersionResource{
+			Group:    group,
+			Version:  meta.AnyVersion,
+			Resource: meta.AnyResource,
+		})
+		kindPriority = append(kindPriority, schema.GroupVersionKind{
+			Group:   group,
+			Version: meta.AnyVersion,
+			Kind:    meta.AnyKind,
+		})
+	}
+
+	return meta.PriorityRESTMapper{
+		Delegate:         unionMapper,
+		ResourcePriority: resourcePriority,
+		KindPriority:     kindPriority,
+	}
+}
+
+// GetAPIGroupResources uses the provided discovery client to gather
+// discovery information and populate a slice of APIGroupResources.
+func GetAPIGroupResources(cl DiscoveryInterface) ([]*APIGroupResources, error) {
+	apiGroups, err := cl.ServerGroups()
+	if err != nil {
+		return nil, err
+	}
+	var result []*APIGroupResources
+	for _, group := range apiGroups.Groups {
+		groupResources := &APIGroupResources{
+			Group:              group,
+			VersionedResources: make(map[string][]metav1.APIResource),
+		}
+		for _, version := range group.Versions {
+			resources, err := cl.ServerResourcesForGroupVersion(version.GroupVersion)
+			if err != nil {
+				// continue as best we can
+				// TODO track the errors and update callers to handle partial errors.
+				continue
+			}
+			groupResources.VersionedResources[version.Version] = resources.APIResources
+		}
+		result = append(result, groupResources)
+	}
+	return result, nil
+}
+
+// DeferredDiscoveryRESTMapper is a RESTMapper that will defer
+// initialization of the RESTMapper until the first mapping is
+// requested.
+type DeferredDiscoveryRESTMapper struct {
+	initMu           sync.Mutex
+	delegate         meta.RESTMapper
+	cl               CachedDiscoveryInterface
+	versionInterface meta.VersionInterfacesFunc
+}
+
+// NewDeferredDiscoveryRESTMapper returns a
+// DeferredDiscoveryRESTMapper that will lazily query the provided
+// client for discovery information to do REST mappings.
+func NewDeferredDiscoveryRESTMapper(cl CachedDiscoveryInterface, versionInterface meta.VersionInterfacesFunc) *DeferredDiscoveryRESTMapper {
+	return &DeferredDiscoveryRESTMapper{
+		cl:               cl,
+		versionInterface: versionInterface,
+	}
+}
+
+func (d *DeferredDiscoveryRESTMapper) getDelegate() (meta.RESTMapper, error) {
+	d.initMu.Lock()
+	defer d.initMu.Unlock()
+
+	if d.delegate != nil {
+		return d.delegate, nil
+	}
+
+	groupResources, err := GetAPIGroupResources(d.cl)
+	if err != nil {
+		return nil, err
+	}
+
+	d.delegate = NewRESTMapper(groupResources, d.versionInterface)
+	return d.delegate, err
+}
+
+// Reset resets the internally cached Discovery information and will
+// cause the next mapping request to re-discover.
+func (d *DeferredDiscoveryRESTMapper) Reset() {
+	glog.V(5).Info("Invalidating discovery information")
+
+	d.initMu.Lock()
+	defer d.initMu.Unlock()
+
+	d.cl.Invalidate()
+	d.delegate = nil
+}
+
+// KindFor takes a partial resource and returns back the single match.
+// It returns an error if there are multiple matches.
+func (d *DeferredDiscoveryRESTMapper) KindFor(resource schema.GroupVersionResource) (gvk schema.GroupVersionKind, err error) {
+	del, err := d.getDelegate()
+	if err != nil {
+		return schema.GroupVersionKind{}, err
+	}
+	gvk, err = del.KindFor(resource)
+	if err != nil && !d.cl.Fresh() {
+		d.Reset()
+		gvk, err = d.KindFor(resource)
+	}
+	return
+}
+
+// KindsFor takes a partial resource and returns back the list of
+// potential kinds in priority order.
+func (d *DeferredDiscoveryRESTMapper) KindsFor(resource schema.GroupVersionResource) (gvks []schema.GroupVersionKind, err error) {
+	del, err := d.getDelegate()
+	if err != nil {
+		return nil, err
+	}
+	gvks, err = del.KindsFor(resource)
+	if len(gvks) == 0 && !d.cl.Fresh() {
+		d.Reset()
+		gvks, err = d.KindsFor(resource)
+	}
+	return
+}
+
+// ResourceFor takes a partial resource and returns back the single
+// match. It returns an error if there are multiple matches.
+func (d *DeferredDiscoveryRESTMapper) ResourceFor(input schema.GroupVersionResource) (gvr schema.GroupVersionResource, err error) {
+	del, err := d.getDelegate()
+	if err != nil {
+		return schema.GroupVersionResource{}, err
+	}
+	gvr, err = del.ResourceFor(input)
+	if err != nil && !d.cl.Fresh() {
+		d.Reset()
+		gvr, err = d.ResourceFor(input)
+	}
+	return
+}
+
+// ResourcesFor takes a partial resource and returns back the list of
+// potential resource in priority order.
+func (d *DeferredDiscoveryRESTMapper) ResourcesFor(input schema.GroupVersionResource) (gvrs []schema.GroupVersionResource, err error) {
+	del, err := d.getDelegate()
+	if err != nil {
+		return nil, err
+	}
+	gvrs, err = del.ResourcesFor(input)
+	if len(gvrs) == 0 && !d.cl.Fresh() {
+		d.Reset()
+		gvrs, err = d.ResourcesFor(input)
+	}
+	return
+}
+
+// RESTMapping identifies a preferred resource mapping for the
+// provided group kind.
+func (d *DeferredDiscoveryRESTMapper) RESTMapping(gk schema.GroupKind, versions ...string) (m *meta.RESTMapping, err error) {
+	del, err := d.getDelegate()
+	if err != nil {
+		return nil, err
+	}
+	m, err = del.RESTMapping(gk, versions...)
+	if err != nil && !d.cl.Fresh() {
+		d.Reset()
+		m, err = d.RESTMapping(gk, versions...)
+	}
+	return
+}
+
+// RESTMappings returns the RESTMappings for the provided group kind
+// in a rough internal preferred order. If no kind is found, it will
+// return a NoResourceMatchError.
+func (d *DeferredDiscoveryRESTMapper) RESTMappings(gk schema.GroupKind, versions ...string) (ms []*meta.RESTMapping, err error) {
+	del, err := d.getDelegate()
+	if err != nil {
+		return nil, err
+	}
+	ms, err = del.RESTMappings(gk, versions...)
+	if len(ms) == 0 && !d.cl.Fresh() {
+		d.Reset()
+		ms, err = d.RESTMappings(gk, versions...)
+	}
+	return
+}
+
+// ResourceSingularizer converts a resource name from plural to
+// singular (e.g., from pods to pod).
+func (d *DeferredDiscoveryRESTMapper) ResourceSingularizer(resource string) (singular string, err error) {
+	del, err := d.getDelegate()
+	if err != nil {
+		return resource, err
+	}
+	singular, err = del.ResourceSingularizer(resource)
+	if err != nil && !d.cl.Fresh() {
+		d.Reset()
+		singular, err = d.ResourceSingularizer(resource)
+	}
+	return
+}
+
+func (d *DeferredDiscoveryRESTMapper) String() string {
+	del, err := d.getDelegate()
+	if err != nil {
+		return fmt.Sprintf("DeferredDiscoveryRESTMapper{%v}", err)
+	}
+	return fmt.Sprintf("DeferredDiscoveryRESTMapper{\n\t%v\n}", del)
+}
+
+// Make sure it satisfies the interface
+var _ meta.RESTMapper = &DeferredDiscoveryRESTMapper{}
diff --git a/cli/vendor/k8s.io/client-go/discovery/unstructured.go b/cli/vendor/k8s.io/client-go/discovery/unstructured.go
new file mode 100644
index 00000000..ee72d668
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/discovery/unstructured.go
@@ -0,0 +1,95 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package discovery
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// UnstructuredObjectTyper provides a runtime.ObjectTyper implmentation for
+// runtime.Unstructured object based on discovery information.
+type UnstructuredObjectTyper struct {
+	registered map[schema.GroupVersionKind]bool
+}
+
+// NewUnstructuredObjectTyper returns a runtime.ObjectTyper for
+// unstructred objects based on discovery information.
+func NewUnstructuredObjectTyper(groupResources []*APIGroupResources) *UnstructuredObjectTyper {
+	dot := &UnstructuredObjectTyper{registered: make(map[schema.GroupVersionKind]bool)}
+	for _, group := range groupResources {
+		for _, discoveryVersion := range group.Group.Versions {
+			resources, ok := group.VersionedResources[discoveryVersion.Version]
+			if !ok {
+				continue
+			}
+
+			gv := schema.GroupVersion{Group: group.Group.Name, Version: discoveryVersion.Version}
+			for _, resource := range resources {
+				dot.registered[gv.WithKind(resource.Kind)] = true
+			}
+		}
+	}
+	return dot
+}
+
+// ObjectKind returns the group,version,kind of the provided object, or an error
+// if the object in not runtime.Unstructured or has no group,version,kind
+// information.
+func (d *UnstructuredObjectTyper) ObjectKind(obj runtime.Object) (schema.GroupVersionKind, error) {
+	if _, ok := obj.(runtime.Unstructured); !ok {
+		return schema.GroupVersionKind{}, fmt.Errorf("type %T is invalid for dynamic object typer", obj)
+	}
+
+	return obj.GetObjectKind().GroupVersionKind(), nil
+}
+
+// ObjectKinds returns a slice of one element with the group,version,kind of the
+// provided object, or an error if the object is not runtime.Unstructured or
+// has no group,version,kind information. unversionedType will always be false
+// because runtime.Unstructured object should always have group,version,kind
+// information set.
+func (d *UnstructuredObjectTyper) ObjectKinds(obj runtime.Object) (gvks []schema.GroupVersionKind, unversionedType bool, err error) {
+	gvk, err := d.ObjectKind(obj)
+	if err != nil {
+		return nil, false, err
+	}
+
+	return []schema.GroupVersionKind{gvk}, false, nil
+}
+
+// Recognizes returns true if the provided group,version,kind was in the
+// discovery information.
+func (d *UnstructuredObjectTyper) Recognizes(gvk schema.GroupVersionKind) bool {
+	return d.registered[gvk]
+}
+
+// IsUnversioned returns false always because runtime.Unstructured objects
+// should always have group,version,kind information set. ok will be true if the
+// object's group,version,kind is api.Registry.
+func (d *UnstructuredObjectTyper) IsUnversioned(obj runtime.Object) (unversioned bool, ok bool) {
+	gvk, err := d.ObjectKind(obj)
+	if err != nil {
+		return false, false
+	}
+
+	return false, d.registered[gvk]
+}
+
+var _ runtime.ObjectTyper = &UnstructuredObjectTyper{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/clientset.go b/cli/vendor/k8s.io/client-go/kubernetes/clientset.go
new file mode 100644
index 00000000..5b012082
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/clientset.go
@@ -0,0 +1,532 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubernetes
+
+import (
+	glog "github.com/golang/glog"
+	discovery "k8s.io/client-go/discovery"
+	admissionregistrationv1alpha1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1"
+	appsv1beta1 "k8s.io/client-go/kubernetes/typed/apps/v1beta1"
+	appsv1beta2 "k8s.io/client-go/kubernetes/typed/apps/v1beta2"
+	authenticationv1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
+	authenticationv1beta1 "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
+	authorizationv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
+	authorizationv1beta1 "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
+	autoscalingv1 "k8s.io/client-go/kubernetes/typed/autoscaling/v1"
+	autoscalingv2beta1 "k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1"
+	batchv1 "k8s.io/client-go/kubernetes/typed/batch/v1"
+	batchv1beta1 "k8s.io/client-go/kubernetes/typed/batch/v1beta1"
+	batchv2alpha1 "k8s.io/client-go/kubernetes/typed/batch/v2alpha1"
+	certificatesv1beta1 "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	extensionsv1beta1 "k8s.io/client-go/kubernetes/typed/extensions/v1beta1"
+	networkingv1 "k8s.io/client-go/kubernetes/typed/networking/v1"
+	policyv1beta1 "k8s.io/client-go/kubernetes/typed/policy/v1beta1"
+	rbacv1 "k8s.io/client-go/kubernetes/typed/rbac/v1"
+	rbacv1alpha1 "k8s.io/client-go/kubernetes/typed/rbac/v1alpha1"
+	rbacv1beta1 "k8s.io/client-go/kubernetes/typed/rbac/v1beta1"
+	schedulingv1alpha1 "k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1"
+	settingsv1alpha1 "k8s.io/client-go/kubernetes/typed/settings/v1alpha1"
+	storagev1 "k8s.io/client-go/kubernetes/typed/storage/v1"
+	storagev1beta1 "k8s.io/client-go/kubernetes/typed/storage/v1beta1"
+	rest "k8s.io/client-go/rest"
+	flowcontrol "k8s.io/client-go/util/flowcontrol"
+)
+
+type Interface interface {
+	Discovery() discovery.DiscoveryInterface
+	AdmissionregistrationV1alpha1() admissionregistrationv1alpha1.AdmissionregistrationV1alpha1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Admissionregistration() admissionregistrationv1alpha1.AdmissionregistrationV1alpha1Interface
+	AppsV1beta1() appsv1beta1.AppsV1beta1Interface
+	AppsV1beta2() appsv1beta2.AppsV1beta2Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Apps() appsv1beta2.AppsV1beta2Interface
+	AuthenticationV1() authenticationv1.AuthenticationV1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Authentication() authenticationv1.AuthenticationV1Interface
+	AuthenticationV1beta1() authenticationv1beta1.AuthenticationV1beta1Interface
+	AuthorizationV1() authorizationv1.AuthorizationV1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Authorization() authorizationv1.AuthorizationV1Interface
+	AuthorizationV1beta1() authorizationv1beta1.AuthorizationV1beta1Interface
+	AutoscalingV1() autoscalingv1.AutoscalingV1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Autoscaling() autoscalingv1.AutoscalingV1Interface
+	AutoscalingV2beta1() autoscalingv2beta1.AutoscalingV2beta1Interface
+	BatchV1() batchv1.BatchV1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Batch() batchv1.BatchV1Interface
+	BatchV1beta1() batchv1beta1.BatchV1beta1Interface
+	BatchV2alpha1() batchv2alpha1.BatchV2alpha1Interface
+	CertificatesV1beta1() certificatesv1beta1.CertificatesV1beta1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Certificates() certificatesv1beta1.CertificatesV1beta1Interface
+	CoreV1() corev1.CoreV1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Core() corev1.CoreV1Interface
+	ExtensionsV1beta1() extensionsv1beta1.ExtensionsV1beta1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Extensions() extensionsv1beta1.ExtensionsV1beta1Interface
+	NetworkingV1() networkingv1.NetworkingV1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Networking() networkingv1.NetworkingV1Interface
+	PolicyV1beta1() policyv1beta1.PolicyV1beta1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Policy() policyv1beta1.PolicyV1beta1Interface
+	RbacV1() rbacv1.RbacV1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Rbac() rbacv1.RbacV1Interface
+	RbacV1beta1() rbacv1beta1.RbacV1beta1Interface
+	RbacV1alpha1() rbacv1alpha1.RbacV1alpha1Interface
+	SchedulingV1alpha1() schedulingv1alpha1.SchedulingV1alpha1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Scheduling() schedulingv1alpha1.SchedulingV1alpha1Interface
+	SettingsV1alpha1() settingsv1alpha1.SettingsV1alpha1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Settings() settingsv1alpha1.SettingsV1alpha1Interface
+	StorageV1beta1() storagev1beta1.StorageV1beta1Interface
+	StorageV1() storagev1.StorageV1Interface
+	// Deprecated: please explicitly pick a version if possible.
+	Storage() storagev1.StorageV1Interface
+}
+
+// Clientset contains the clients for groups. Each group has exactly one
+// version included in a Clientset.
+type Clientset struct {
+	*discovery.DiscoveryClient
+	admissionregistrationV1alpha1 *admissionregistrationv1alpha1.AdmissionregistrationV1alpha1Client
+	appsV1beta1                   *appsv1beta1.AppsV1beta1Client
+	appsV1beta2                   *appsv1beta2.AppsV1beta2Client
+	authenticationV1              *authenticationv1.AuthenticationV1Client
+	authenticationV1beta1         *authenticationv1beta1.AuthenticationV1beta1Client
+	authorizationV1               *authorizationv1.AuthorizationV1Client
+	authorizationV1beta1          *authorizationv1beta1.AuthorizationV1beta1Client
+	autoscalingV1                 *autoscalingv1.AutoscalingV1Client
+	autoscalingV2beta1            *autoscalingv2beta1.AutoscalingV2beta1Client
+	batchV1                       *batchv1.BatchV1Client
+	batchV1beta1                  *batchv1beta1.BatchV1beta1Client
+	batchV2alpha1                 *batchv2alpha1.BatchV2alpha1Client
+	certificatesV1beta1           *certificatesv1beta1.CertificatesV1beta1Client
+	coreV1                        *corev1.CoreV1Client
+	extensionsV1beta1             *extensionsv1beta1.ExtensionsV1beta1Client
+	networkingV1                  *networkingv1.NetworkingV1Client
+	policyV1beta1                 *policyv1beta1.PolicyV1beta1Client
+	rbacV1                        *rbacv1.RbacV1Client
+	rbacV1beta1                   *rbacv1beta1.RbacV1beta1Client
+	rbacV1alpha1                  *rbacv1alpha1.RbacV1alpha1Client
+	schedulingV1alpha1            *schedulingv1alpha1.SchedulingV1alpha1Client
+	settingsV1alpha1              *settingsv1alpha1.SettingsV1alpha1Client
+	storageV1beta1                *storagev1beta1.StorageV1beta1Client
+	storageV1                     *storagev1.StorageV1Client
+}
+
+// AdmissionregistrationV1alpha1 retrieves the AdmissionregistrationV1alpha1Client
+func (c *Clientset) AdmissionregistrationV1alpha1() admissionregistrationv1alpha1.AdmissionregistrationV1alpha1Interface {
+	return c.admissionregistrationV1alpha1
+}
+
+// Deprecated: Admissionregistration retrieves the default version of AdmissionregistrationClient.
+// Please explicitly pick a version.
+func (c *Clientset) Admissionregistration() admissionregistrationv1alpha1.AdmissionregistrationV1alpha1Interface {
+	return c.admissionregistrationV1alpha1
+}
+
+// AppsV1beta1 retrieves the AppsV1beta1Client
+func (c *Clientset) AppsV1beta1() appsv1beta1.AppsV1beta1Interface {
+	return c.appsV1beta1
+}
+
+// AppsV1beta2 retrieves the AppsV1beta2Client
+func (c *Clientset) AppsV1beta2() appsv1beta2.AppsV1beta2Interface {
+	return c.appsV1beta2
+}
+
+// Deprecated: Apps retrieves the default version of AppsClient.
+// Please explicitly pick a version.
+func (c *Clientset) Apps() appsv1beta2.AppsV1beta2Interface {
+	return c.appsV1beta2
+}
+
+// AuthenticationV1 retrieves the AuthenticationV1Client
+func (c *Clientset) AuthenticationV1() authenticationv1.AuthenticationV1Interface {
+	return c.authenticationV1
+}
+
+// Deprecated: Authentication retrieves the default version of AuthenticationClient.
+// Please explicitly pick a version.
+func (c *Clientset) Authentication() authenticationv1.AuthenticationV1Interface {
+	return c.authenticationV1
+}
+
+// AuthenticationV1beta1 retrieves the AuthenticationV1beta1Client
+func (c *Clientset) AuthenticationV1beta1() authenticationv1beta1.AuthenticationV1beta1Interface {
+	return c.authenticationV1beta1
+}
+
+// AuthorizationV1 retrieves the AuthorizationV1Client
+func (c *Clientset) AuthorizationV1() authorizationv1.AuthorizationV1Interface {
+	return c.authorizationV1
+}
+
+// Deprecated: Authorization retrieves the default version of AuthorizationClient.
+// Please explicitly pick a version.
+func (c *Clientset) Authorization() authorizationv1.AuthorizationV1Interface {
+	return c.authorizationV1
+}
+
+// AuthorizationV1beta1 retrieves the AuthorizationV1beta1Client
+func (c *Clientset) AuthorizationV1beta1() authorizationv1beta1.AuthorizationV1beta1Interface {
+	return c.authorizationV1beta1
+}
+
+// AutoscalingV1 retrieves the AutoscalingV1Client
+func (c *Clientset) AutoscalingV1() autoscalingv1.AutoscalingV1Interface {
+	return c.autoscalingV1
+}
+
+// Deprecated: Autoscaling retrieves the default version of AutoscalingClient.
+// Please explicitly pick a version.
+func (c *Clientset) Autoscaling() autoscalingv1.AutoscalingV1Interface {
+	return c.autoscalingV1
+}
+
+// AutoscalingV2beta1 retrieves the AutoscalingV2beta1Client
+func (c *Clientset) AutoscalingV2beta1() autoscalingv2beta1.AutoscalingV2beta1Interface {
+	return c.autoscalingV2beta1
+}
+
+// BatchV1 retrieves the BatchV1Client
+func (c *Clientset) BatchV1() batchv1.BatchV1Interface {
+	return c.batchV1
+}
+
+// Deprecated: Batch retrieves the default version of BatchClient.
+// Please explicitly pick a version.
+func (c *Clientset) Batch() batchv1.BatchV1Interface {
+	return c.batchV1
+}
+
+// BatchV1beta1 retrieves the BatchV1beta1Client
+func (c *Clientset) BatchV1beta1() batchv1beta1.BatchV1beta1Interface {
+	return c.batchV1beta1
+}
+
+// BatchV2alpha1 retrieves the BatchV2alpha1Client
+func (c *Clientset) BatchV2alpha1() batchv2alpha1.BatchV2alpha1Interface {
+	return c.batchV2alpha1
+}
+
+// CertificatesV1beta1 retrieves the CertificatesV1beta1Client
+func (c *Clientset) CertificatesV1beta1() certificatesv1beta1.CertificatesV1beta1Interface {
+	return c.certificatesV1beta1
+}
+
+// Deprecated: Certificates retrieves the default version of CertificatesClient.
+// Please explicitly pick a version.
+func (c *Clientset) Certificates() certificatesv1beta1.CertificatesV1beta1Interface {
+	return c.certificatesV1beta1
+}
+
+// CoreV1 retrieves the CoreV1Client
+func (c *Clientset) CoreV1() corev1.CoreV1Interface {
+	return c.coreV1
+}
+
+// Deprecated: Core retrieves the default version of CoreClient.
+// Please explicitly pick a version.
+func (c *Clientset) Core() corev1.CoreV1Interface {
+	return c.coreV1
+}
+
+// ExtensionsV1beta1 retrieves the ExtensionsV1beta1Client
+func (c *Clientset) ExtensionsV1beta1() extensionsv1beta1.ExtensionsV1beta1Interface {
+	return c.extensionsV1beta1
+}
+
+// Deprecated: Extensions retrieves the default version of ExtensionsClient.
+// Please explicitly pick a version.
+func (c *Clientset) Extensions() extensionsv1beta1.ExtensionsV1beta1Interface {
+	return c.extensionsV1beta1
+}
+
+// NetworkingV1 retrieves the NetworkingV1Client
+func (c *Clientset) NetworkingV1() networkingv1.NetworkingV1Interface {
+	return c.networkingV1
+}
+
+// Deprecated: Networking retrieves the default version of NetworkingClient.
+// Please explicitly pick a version.
+func (c *Clientset) Networking() networkingv1.NetworkingV1Interface {
+	return c.networkingV1
+}
+
+// PolicyV1beta1 retrieves the PolicyV1beta1Client
+func (c *Clientset) PolicyV1beta1() policyv1beta1.PolicyV1beta1Interface {
+	return c.policyV1beta1
+}
+
+// Deprecated: Policy retrieves the default version of PolicyClient.
+// Please explicitly pick a version.
+func (c *Clientset) Policy() policyv1beta1.PolicyV1beta1Interface {
+	return c.policyV1beta1
+}
+
+// RbacV1 retrieves the RbacV1Client
+func (c *Clientset) RbacV1() rbacv1.RbacV1Interface {
+	return c.rbacV1
+}
+
+// Deprecated: Rbac retrieves the default version of RbacClient.
+// Please explicitly pick a version.
+func (c *Clientset) Rbac() rbacv1.RbacV1Interface {
+	return c.rbacV1
+}
+
+// RbacV1beta1 retrieves the RbacV1beta1Client
+func (c *Clientset) RbacV1beta1() rbacv1beta1.RbacV1beta1Interface {
+	return c.rbacV1beta1
+}
+
+// RbacV1alpha1 retrieves the RbacV1alpha1Client
+func (c *Clientset) RbacV1alpha1() rbacv1alpha1.RbacV1alpha1Interface {
+	return c.rbacV1alpha1
+}
+
+// SchedulingV1alpha1 retrieves the SchedulingV1alpha1Client
+func (c *Clientset) SchedulingV1alpha1() schedulingv1alpha1.SchedulingV1alpha1Interface {
+	return c.schedulingV1alpha1
+}
+
+// Deprecated: Scheduling retrieves the default version of SchedulingClient.
+// Please explicitly pick a version.
+func (c *Clientset) Scheduling() schedulingv1alpha1.SchedulingV1alpha1Interface {
+	return c.schedulingV1alpha1
+}
+
+// SettingsV1alpha1 retrieves the SettingsV1alpha1Client
+func (c *Clientset) SettingsV1alpha1() settingsv1alpha1.SettingsV1alpha1Interface {
+	return c.settingsV1alpha1
+}
+
+// Deprecated: Settings retrieves the default version of SettingsClient.
+// Please explicitly pick a version.
+func (c *Clientset) Settings() settingsv1alpha1.SettingsV1alpha1Interface {
+	return c.settingsV1alpha1
+}
+
+// StorageV1beta1 retrieves the StorageV1beta1Client
+func (c *Clientset) StorageV1beta1() storagev1beta1.StorageV1beta1Interface {
+	return c.storageV1beta1
+}
+
+// StorageV1 retrieves the StorageV1Client
+func (c *Clientset) StorageV1() storagev1.StorageV1Interface {
+	return c.storageV1
+}
+
+// Deprecated: Storage retrieves the default version of StorageClient.
+// Please explicitly pick a version.
+func (c *Clientset) Storage() storagev1.StorageV1Interface {
+	return c.storageV1
+}
+
+// Discovery retrieves the DiscoveryClient
+func (c *Clientset) Discovery() discovery.DiscoveryInterface {
+	if c == nil {
+		return nil
+	}
+	return c.DiscoveryClient
+}
+
+// NewForConfig creates a new Clientset for the given config.
+func NewForConfig(c *rest.Config) (*Clientset, error) {
+	configShallowCopy := *c
+	if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 {
+		configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst)
+	}
+	var cs Clientset
+	var err error
+	cs.admissionregistrationV1alpha1, err = admissionregistrationv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.appsV1beta1, err = appsv1beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.appsV1beta2, err = appsv1beta2.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.authenticationV1, err = authenticationv1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.authenticationV1beta1, err = authenticationv1beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.authorizationV1, err = authorizationv1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.authorizationV1beta1, err = authorizationv1beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.autoscalingV1, err = autoscalingv1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.autoscalingV2beta1, err = autoscalingv2beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.batchV1, err = batchv1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.batchV1beta1, err = batchv1beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.batchV2alpha1, err = batchv2alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.certificatesV1beta1, err = certificatesv1beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.coreV1, err = corev1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.extensionsV1beta1, err = extensionsv1beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.networkingV1, err = networkingv1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.policyV1beta1, err = policyv1beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.rbacV1, err = rbacv1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.rbacV1beta1, err = rbacv1beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.rbacV1alpha1, err = rbacv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.schedulingV1alpha1, err = schedulingv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.settingsV1alpha1, err = settingsv1alpha1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.storageV1beta1, err = storagev1beta1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+	cs.storageV1, err = storagev1.NewForConfig(&configShallowCopy)
+	if err != nil {
+		return nil, err
+	}
+
+	cs.DiscoveryClient, err = discovery.NewDiscoveryClientForConfig(&configShallowCopy)
+	if err != nil {
+		glog.Errorf("failed to create the DiscoveryClient: %v", err)
+		return nil, err
+	}
+	return &cs, nil
+}
+
+// NewForConfigOrDie creates a new Clientset for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *Clientset {
+	var cs Clientset
+	cs.admissionregistrationV1alpha1 = admissionregistrationv1alpha1.NewForConfigOrDie(c)
+	cs.appsV1beta1 = appsv1beta1.NewForConfigOrDie(c)
+	cs.appsV1beta2 = appsv1beta2.NewForConfigOrDie(c)
+	cs.authenticationV1 = authenticationv1.NewForConfigOrDie(c)
+	cs.authenticationV1beta1 = authenticationv1beta1.NewForConfigOrDie(c)
+	cs.authorizationV1 = authorizationv1.NewForConfigOrDie(c)
+	cs.authorizationV1beta1 = authorizationv1beta1.NewForConfigOrDie(c)
+	cs.autoscalingV1 = autoscalingv1.NewForConfigOrDie(c)
+	cs.autoscalingV2beta1 = autoscalingv2beta1.NewForConfigOrDie(c)
+	cs.batchV1 = batchv1.NewForConfigOrDie(c)
+	cs.batchV1beta1 = batchv1beta1.NewForConfigOrDie(c)
+	cs.batchV2alpha1 = batchv2alpha1.NewForConfigOrDie(c)
+	cs.certificatesV1beta1 = certificatesv1beta1.NewForConfigOrDie(c)
+	cs.coreV1 = corev1.NewForConfigOrDie(c)
+	cs.extensionsV1beta1 = extensionsv1beta1.NewForConfigOrDie(c)
+	cs.networkingV1 = networkingv1.NewForConfigOrDie(c)
+	cs.policyV1beta1 = policyv1beta1.NewForConfigOrDie(c)
+	cs.rbacV1 = rbacv1.NewForConfigOrDie(c)
+	cs.rbacV1beta1 = rbacv1beta1.NewForConfigOrDie(c)
+	cs.rbacV1alpha1 = rbacv1alpha1.NewForConfigOrDie(c)
+	cs.schedulingV1alpha1 = schedulingv1alpha1.NewForConfigOrDie(c)
+	cs.settingsV1alpha1 = settingsv1alpha1.NewForConfigOrDie(c)
+	cs.storageV1beta1 = storagev1beta1.NewForConfigOrDie(c)
+	cs.storageV1 = storagev1.NewForConfigOrDie(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
+	return &cs
+}
+
+// New creates a new Clientset for the given RESTClient.
+func New(c rest.Interface) *Clientset {
+	var cs Clientset
+	cs.admissionregistrationV1alpha1 = admissionregistrationv1alpha1.New(c)
+	cs.appsV1beta1 = appsv1beta1.New(c)
+	cs.appsV1beta2 = appsv1beta2.New(c)
+	cs.authenticationV1 = authenticationv1.New(c)
+	cs.authenticationV1beta1 = authenticationv1beta1.New(c)
+	cs.authorizationV1 = authorizationv1.New(c)
+	cs.authorizationV1beta1 = authorizationv1beta1.New(c)
+	cs.autoscalingV1 = autoscalingv1.New(c)
+	cs.autoscalingV2beta1 = autoscalingv2beta1.New(c)
+	cs.batchV1 = batchv1.New(c)
+	cs.batchV1beta1 = batchv1beta1.New(c)
+	cs.batchV2alpha1 = batchv2alpha1.New(c)
+	cs.certificatesV1beta1 = certificatesv1beta1.New(c)
+	cs.coreV1 = corev1.New(c)
+	cs.extensionsV1beta1 = extensionsv1beta1.New(c)
+	cs.networkingV1 = networkingv1.New(c)
+	cs.policyV1beta1 = policyv1beta1.New(c)
+	cs.rbacV1 = rbacv1.New(c)
+	cs.rbacV1beta1 = rbacv1beta1.New(c)
+	cs.rbacV1alpha1 = rbacv1alpha1.New(c)
+	cs.schedulingV1alpha1 = schedulingv1alpha1.New(c)
+	cs.settingsV1alpha1 = settingsv1alpha1.New(c)
+	cs.storageV1beta1 = storagev1beta1.New(c)
+	cs.storageV1 = storagev1.New(c)
+
+	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
+	return &cs
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/doc.go
new file mode 100644
index 00000000..e66b91b6
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated clientset.
+package kubernetes
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/import.go b/cli/vendor/k8s.io/client-go/kubernetes/import.go
new file mode 100644
index 00000000..c4f9a91b
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/import.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file exists to enforce this clientset's vanity import path.
+
+package kubernetes // import "k8s.io/client-go/kubernetes"
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/scheme/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/scheme/doc.go
new file mode 100644
index 00000000..9e5efb25
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/scheme/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package contains the scheme of the automatically generated clientset.
+package scheme
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/scheme/register.go b/cli/vendor/k8s.io/client-go/kubernetes/scheme/register.go
new file mode 100644
index 00000000..14fe264d
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/scheme/register.go
@@ -0,0 +1,99 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package scheme
+
+import (
+	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
+	appsv1beta1 "k8s.io/api/apps/v1beta1"
+	appsv1beta2 "k8s.io/api/apps/v1beta2"
+	authenticationv1 "k8s.io/api/authentication/v1"
+	authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
+	authorizationv1 "k8s.io/api/authorization/v1"
+	authorizationv1beta1 "k8s.io/api/authorization/v1beta1"
+	autoscalingv1 "k8s.io/api/autoscaling/v1"
+	autoscalingv2beta1 "k8s.io/api/autoscaling/v2beta1"
+	batchv1 "k8s.io/api/batch/v1"
+	batchv1beta1 "k8s.io/api/batch/v1beta1"
+	batchv2alpha1 "k8s.io/api/batch/v2alpha1"
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
+	corev1 "k8s.io/api/core/v1"
+	extensionsv1beta1 "k8s.io/api/extensions/v1beta1"
+	networkingv1 "k8s.io/api/networking/v1"
+	policyv1beta1 "k8s.io/api/policy/v1beta1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	rbacv1alpha1 "k8s.io/api/rbac/v1alpha1"
+	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
+	schedulingv1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	settingsv1alpha1 "k8s.io/api/settings/v1alpha1"
+	storagev1 "k8s.io/api/storage/v1"
+	storagev1beta1 "k8s.io/api/storage/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+var Scheme = runtime.NewScheme()
+var Codecs = serializer.NewCodecFactory(Scheme)
+var ParameterCodec = runtime.NewParameterCodec(Scheme)
+
+func init() {
+	v1.AddToGroupVersion(Scheme, schema.GroupVersion{Version: "v1"})
+	AddToScheme(Scheme)
+}
+
+// AddToScheme adds all types of this clientset into the given scheme. This allows composition
+// of clientsets, like in:
+//
+//   import (
+//     "k8s.io/client-go/kubernetes"
+//     clientsetscheme "k8s.io/client-go/kuberentes/scheme"
+//     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
+//   )
+//
+//   kclientset, _ := kubernetes.NewForConfig(c)
+//   aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
+//
+// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
+// correctly.
+func AddToScheme(scheme *runtime.Scheme) {
+	admissionregistrationv1alpha1.AddToScheme(scheme)
+	appsv1beta1.AddToScheme(scheme)
+	appsv1beta2.AddToScheme(scheme)
+	authenticationv1.AddToScheme(scheme)
+	authenticationv1beta1.AddToScheme(scheme)
+	authorizationv1.AddToScheme(scheme)
+	authorizationv1beta1.AddToScheme(scheme)
+	autoscalingv1.AddToScheme(scheme)
+	autoscalingv2beta1.AddToScheme(scheme)
+	batchv1.AddToScheme(scheme)
+	batchv1beta1.AddToScheme(scheme)
+	batchv2alpha1.AddToScheme(scheme)
+	certificatesv1beta1.AddToScheme(scheme)
+	corev1.AddToScheme(scheme)
+	extensionsv1beta1.AddToScheme(scheme)
+	networkingv1.AddToScheme(scheme)
+	policyv1beta1.AddToScheme(scheme)
+	rbacv1.AddToScheme(scheme)
+	rbacv1beta1.AddToScheme(scheme)
+	rbacv1alpha1.AddToScheme(scheme)
+	schedulingv1alpha1.AddToScheme(scheme)
+	settingsv1alpha1.AddToScheme(scheme)
+	storagev1beta1.AddToScheme(scheme)
+	storagev1.AddToScheme(scheme)
+
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/admissionregistration_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/admissionregistration_client.go
new file mode 100644
index 00000000..43077c3b
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/admissionregistration_client.go
@@ -0,0 +1,93 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type AdmissionregistrationV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	ExternalAdmissionHookConfigurationsGetter
+	InitializerConfigurationsGetter
+}
+
+// AdmissionregistrationV1alpha1Client is used to interact with features provided by the admissionregistration.k8s.io group.
+type AdmissionregistrationV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *AdmissionregistrationV1alpha1Client) ExternalAdmissionHookConfigurations() ExternalAdmissionHookConfigurationInterface {
+	return newExternalAdmissionHookConfigurations(c)
+}
+
+func (c *AdmissionregistrationV1alpha1Client) InitializerConfigurations() InitializerConfigurationInterface {
+	return newInitializerConfigurations(c)
+}
+
+// NewForConfig creates a new AdmissionregistrationV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*AdmissionregistrationV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &AdmissionregistrationV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new AdmissionregistrationV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *AdmissionregistrationV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new AdmissionregistrationV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *AdmissionregistrationV1alpha1Client {
+	return &AdmissionregistrationV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *AdmissionregistrationV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/doc.go
new file mode 100644
index 00000000..f51751d6
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1alpha1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/externaladmissionhookconfiguration.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/externaladmissionhookconfiguration.go
new file mode 100644
index 00000000..6cd283ee
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/externaladmissionhookconfiguration.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ExternalAdmissionHookConfigurationsGetter has a method to return a ExternalAdmissionHookConfigurationInterface.
+// A group's client should implement this interface.
+type ExternalAdmissionHookConfigurationsGetter interface {
+	ExternalAdmissionHookConfigurations() ExternalAdmissionHookConfigurationInterface
+}
+
+// ExternalAdmissionHookConfigurationInterface has methods to work with ExternalAdmissionHookConfiguration resources.
+type ExternalAdmissionHookConfigurationInterface interface {
+	Create(*v1alpha1.ExternalAdmissionHookConfiguration) (*v1alpha1.ExternalAdmissionHookConfiguration, error)
+	Update(*v1alpha1.ExternalAdmissionHookConfiguration) (*v1alpha1.ExternalAdmissionHookConfiguration, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.ExternalAdmissionHookConfiguration, error)
+	List(opts v1.ListOptions) (*v1alpha1.ExternalAdmissionHookConfigurationList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.ExternalAdmissionHookConfiguration, err error)
+	ExternalAdmissionHookConfigurationExpansion
+}
+
+// externalAdmissionHookConfigurations implements ExternalAdmissionHookConfigurationInterface
+type externalAdmissionHookConfigurations struct {
+	client rest.Interface
+}
+
+// newExternalAdmissionHookConfigurations returns a ExternalAdmissionHookConfigurations
+func newExternalAdmissionHookConfigurations(c *AdmissionregistrationV1alpha1Client) *externalAdmissionHookConfigurations {
+	return &externalAdmissionHookConfigurations{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the externalAdmissionHookConfiguration, and returns the corresponding externalAdmissionHookConfiguration object, and an error if there is any.
+func (c *externalAdmissionHookConfigurations) Get(name string, options v1.GetOptions) (result *v1alpha1.ExternalAdmissionHookConfiguration, err error) {
+	result = &v1alpha1.ExternalAdmissionHookConfiguration{}
+	err = c.client.Get().
+		Resource("externaladmissionhookconfigurations").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ExternalAdmissionHookConfigurations that match those selectors.
+func (c *externalAdmissionHookConfigurations) List(opts v1.ListOptions) (result *v1alpha1.ExternalAdmissionHookConfigurationList, err error) {
+	result = &v1alpha1.ExternalAdmissionHookConfigurationList{}
+	err = c.client.Get().
+		Resource("externaladmissionhookconfigurations").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested externalAdmissionHookConfigurations.
+func (c *externalAdmissionHookConfigurations) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("externaladmissionhookconfigurations").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a externalAdmissionHookConfiguration and creates it.  Returns the server's representation of the externalAdmissionHookConfiguration, and an error, if there is any.
+func (c *externalAdmissionHookConfigurations) Create(externalAdmissionHookConfiguration *v1alpha1.ExternalAdmissionHookConfiguration) (result *v1alpha1.ExternalAdmissionHookConfiguration, err error) {
+	result = &v1alpha1.ExternalAdmissionHookConfiguration{}
+	err = c.client.Post().
+		Resource("externaladmissionhookconfigurations").
+		Body(externalAdmissionHookConfiguration).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a externalAdmissionHookConfiguration and updates it. Returns the server's representation of the externalAdmissionHookConfiguration, and an error, if there is any.
+func (c *externalAdmissionHookConfigurations) Update(externalAdmissionHookConfiguration *v1alpha1.ExternalAdmissionHookConfiguration) (result *v1alpha1.ExternalAdmissionHookConfiguration, err error) {
+	result = &v1alpha1.ExternalAdmissionHookConfiguration{}
+	err = c.client.Put().
+		Resource("externaladmissionhookconfigurations").
+		Name(externalAdmissionHookConfiguration.Name).
+		Body(externalAdmissionHookConfiguration).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the externalAdmissionHookConfiguration and deletes it. Returns an error if one occurs.
+func (c *externalAdmissionHookConfigurations) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("externaladmissionhookconfigurations").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *externalAdmissionHookConfigurations) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("externaladmissionhookconfigurations").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched externalAdmissionHookConfiguration.
+func (c *externalAdmissionHookConfigurations) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.ExternalAdmissionHookConfiguration, err error) {
+	result = &v1alpha1.ExternalAdmissionHookConfiguration{}
+	err = c.client.Patch(pt).
+		Resource("externaladmissionhookconfigurations").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/generated_expansion.go
new file mode 100644
index 00000000..2d9e341b
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/generated_expansion.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+type ExternalAdmissionHookConfigurationExpansion interface{}
+
+type InitializerConfigurationExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/initializerconfiguration.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/initializerconfiguration.go
new file mode 100644
index 00000000..11cc502f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/initializerconfiguration.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// InitializerConfigurationsGetter has a method to return a InitializerConfigurationInterface.
+// A group's client should implement this interface.
+type InitializerConfigurationsGetter interface {
+	InitializerConfigurations() InitializerConfigurationInterface
+}
+
+// InitializerConfigurationInterface has methods to work with InitializerConfiguration resources.
+type InitializerConfigurationInterface interface {
+	Create(*v1alpha1.InitializerConfiguration) (*v1alpha1.InitializerConfiguration, error)
+	Update(*v1alpha1.InitializerConfiguration) (*v1alpha1.InitializerConfiguration, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.InitializerConfiguration, error)
+	List(opts v1.ListOptions) (*v1alpha1.InitializerConfigurationList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.InitializerConfiguration, err error)
+	InitializerConfigurationExpansion
+}
+
+// initializerConfigurations implements InitializerConfigurationInterface
+type initializerConfigurations struct {
+	client rest.Interface
+}
+
+// newInitializerConfigurations returns a InitializerConfigurations
+func newInitializerConfigurations(c *AdmissionregistrationV1alpha1Client) *initializerConfigurations {
+	return &initializerConfigurations{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the initializerConfiguration, and returns the corresponding initializerConfiguration object, and an error if there is any.
+func (c *initializerConfigurations) Get(name string, options v1.GetOptions) (result *v1alpha1.InitializerConfiguration, err error) {
+	result = &v1alpha1.InitializerConfiguration{}
+	err = c.client.Get().
+		Resource("initializerconfigurations").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of InitializerConfigurations that match those selectors.
+func (c *initializerConfigurations) List(opts v1.ListOptions) (result *v1alpha1.InitializerConfigurationList, err error) {
+	result = &v1alpha1.InitializerConfigurationList{}
+	err = c.client.Get().
+		Resource("initializerconfigurations").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested initializerConfigurations.
+func (c *initializerConfigurations) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("initializerconfigurations").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a initializerConfiguration and creates it.  Returns the server's representation of the initializerConfiguration, and an error, if there is any.
+func (c *initializerConfigurations) Create(initializerConfiguration *v1alpha1.InitializerConfiguration) (result *v1alpha1.InitializerConfiguration, err error) {
+	result = &v1alpha1.InitializerConfiguration{}
+	err = c.client.Post().
+		Resource("initializerconfigurations").
+		Body(initializerConfiguration).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a initializerConfiguration and updates it. Returns the server's representation of the initializerConfiguration, and an error, if there is any.
+func (c *initializerConfigurations) Update(initializerConfiguration *v1alpha1.InitializerConfiguration) (result *v1alpha1.InitializerConfiguration, err error) {
+	result = &v1alpha1.InitializerConfiguration{}
+	err = c.client.Put().
+		Resource("initializerconfigurations").
+		Name(initializerConfiguration.Name).
+		Body(initializerConfiguration).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the initializerConfiguration and deletes it. Returns an error if one occurs.
+func (c *initializerConfigurations) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("initializerconfigurations").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *initializerConfigurations) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("initializerconfigurations").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched initializerConfiguration.
+func (c *initializerConfigurations) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.InitializerConfiguration, err error) {
+	result = &v1alpha1.InitializerConfiguration{}
+	err = c.client.Patch(pt).
+		Resource("initializerconfigurations").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/apps_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/apps_client.go
new file mode 100644
index 00000000..eaf6c8b4
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/apps_client.go
@@ -0,0 +1,103 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/apps/v1beta1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type AppsV1beta1Interface interface {
+	RESTClient() rest.Interface
+	ControllerRevisionsGetter
+	DeploymentsGetter
+	ScalesGetter
+	StatefulSetsGetter
+}
+
+// AppsV1beta1Client is used to interact with features provided by the apps group.
+type AppsV1beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *AppsV1beta1Client) ControllerRevisions(namespace string) ControllerRevisionInterface {
+	return newControllerRevisions(c, namespace)
+}
+
+func (c *AppsV1beta1Client) Deployments(namespace string) DeploymentInterface {
+	return newDeployments(c, namespace)
+}
+
+func (c *AppsV1beta1Client) Scales(namespace string) ScaleInterface {
+	return newScales(c, namespace)
+}
+
+func (c *AppsV1beta1Client) StatefulSets(namespace string) StatefulSetInterface {
+	return newStatefulSets(c, namespace)
+}
+
+// NewForConfig creates a new AppsV1beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*AppsV1beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &AppsV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new AppsV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *AppsV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new AppsV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *AppsV1beta1Client {
+	return &AppsV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *AppsV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/controllerrevision.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/controllerrevision.go
new file mode 100644
index 00000000..86cab3bb
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/controllerrevision.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/apps/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ControllerRevisionsGetter has a method to return a ControllerRevisionInterface.
+// A group's client should implement this interface.
+type ControllerRevisionsGetter interface {
+	ControllerRevisions(namespace string) ControllerRevisionInterface
+}
+
+// ControllerRevisionInterface has methods to work with ControllerRevision resources.
+type ControllerRevisionInterface interface {
+	Create(*v1beta1.ControllerRevision) (*v1beta1.ControllerRevision, error)
+	Update(*v1beta1.ControllerRevision) (*v1beta1.ControllerRevision, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.ControllerRevision, error)
+	List(opts v1.ListOptions) (*v1beta1.ControllerRevisionList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.ControllerRevision, err error)
+	ControllerRevisionExpansion
+}
+
+// controllerRevisions implements ControllerRevisionInterface
+type controllerRevisions struct {
+	client rest.Interface
+	ns     string
+}
+
+// newControllerRevisions returns a ControllerRevisions
+func newControllerRevisions(c *AppsV1beta1Client, namespace string) *controllerRevisions {
+	return &controllerRevisions{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the controllerRevision, and returns the corresponding controllerRevision object, and an error if there is any.
+func (c *controllerRevisions) Get(name string, options v1.GetOptions) (result *v1beta1.ControllerRevision, err error) {
+	result = &v1beta1.ControllerRevision{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ControllerRevisions that match those selectors.
+func (c *controllerRevisions) List(opts v1.ListOptions) (result *v1beta1.ControllerRevisionList, err error) {
+	result = &v1beta1.ControllerRevisionList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested controllerRevisions.
+func (c *controllerRevisions) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a controllerRevision and creates it.  Returns the server's representation of the controllerRevision, and an error, if there is any.
+func (c *controllerRevisions) Create(controllerRevision *v1beta1.ControllerRevision) (result *v1beta1.ControllerRevision, err error) {
+	result = &v1beta1.ControllerRevision{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		Body(controllerRevision).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a controllerRevision and updates it. Returns the server's representation of the controllerRevision, and an error, if there is any.
+func (c *controllerRevisions) Update(controllerRevision *v1beta1.ControllerRevision) (result *v1beta1.ControllerRevision, err error) {
+	result = &v1beta1.ControllerRevision{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		Name(controllerRevision.Name).
+		Body(controllerRevision).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the controllerRevision and deletes it. Returns an error if one occurs.
+func (c *controllerRevisions) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *controllerRevisions) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched controllerRevision.
+func (c *controllerRevisions) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.ControllerRevision, err error) {
+	result = &v1beta1.ControllerRevision{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/deployment.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/deployment.go
new file mode 100644
index 00000000..1827d92d
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/deployment.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/apps/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// DeploymentsGetter has a method to return a DeploymentInterface.
+// A group's client should implement this interface.
+type DeploymentsGetter interface {
+	Deployments(namespace string) DeploymentInterface
+}
+
+// DeploymentInterface has methods to work with Deployment resources.
+type DeploymentInterface interface {
+	Create(*v1beta1.Deployment) (*v1beta1.Deployment, error)
+	Update(*v1beta1.Deployment) (*v1beta1.Deployment, error)
+	UpdateStatus(*v1beta1.Deployment) (*v1beta1.Deployment, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.Deployment, error)
+	List(opts v1.ListOptions) (*v1beta1.DeploymentList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.Deployment, err error)
+	DeploymentExpansion
+}
+
+// deployments implements DeploymentInterface
+type deployments struct {
+	client rest.Interface
+	ns     string
+}
+
+// newDeployments returns a Deployments
+func newDeployments(c *AppsV1beta1Client, namespace string) *deployments {
+	return &deployments{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the deployment, and returns the corresponding deployment object, and an error if there is any.
+func (c *deployments) Get(name string, options v1.GetOptions) (result *v1beta1.Deployment, err error) {
+	result = &v1beta1.Deployment{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Deployments that match those selectors.
+func (c *deployments) List(opts v1.ListOptions) (result *v1beta1.DeploymentList, err error) {
+	result = &v1beta1.DeploymentList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("deployments").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested deployments.
+func (c *deployments) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("deployments").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a deployment and creates it.  Returns the server's representation of the deployment, and an error, if there is any.
+func (c *deployments) Create(deployment *v1beta1.Deployment) (result *v1beta1.Deployment, err error) {
+	result = &v1beta1.Deployment{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("deployments").
+		Body(deployment).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a deployment and updates it. Returns the server's representation of the deployment, and an error, if there is any.
+func (c *deployments) Update(deployment *v1beta1.Deployment) (result *v1beta1.Deployment, err error) {
+	result = &v1beta1.Deployment{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(deployment.Name).
+		Body(deployment).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *deployments) UpdateStatus(deployment *v1beta1.Deployment) (result *v1beta1.Deployment, err error) {
+	result = &v1beta1.Deployment{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(deployment.Name).
+		SubResource("status").
+		Body(deployment).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the deployment and deletes it. Returns an error if one occurs.
+func (c *deployments) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *deployments) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("deployments").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched deployment.
+func (c *deployments) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.Deployment, err error) {
+	result = &v1beta1.Deployment{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("deployments").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/doc.go
new file mode 100644
index 00000000..6bd6c583
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/generated_expansion.go
new file mode 100644
index 00000000..44edefdc
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/generated_expansion.go
@@ -0,0 +1,25 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+type ControllerRevisionExpansion interface{}
+
+type DeploymentExpansion interface{}
+
+type ScaleExpansion interface{}
+
+type StatefulSetExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/scale.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/scale.go
new file mode 100644
index 00000000..d67f3143
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/scale.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// ScalesGetter has a method to return a ScaleInterface.
+// A group's client should implement this interface.
+type ScalesGetter interface {
+	Scales(namespace string) ScaleInterface
+}
+
+// ScaleInterface has methods to work with Scale resources.
+type ScaleInterface interface {
+	ScaleExpansion
+}
+
+// scales implements ScaleInterface
+type scales struct {
+	client rest.Interface
+	ns     string
+}
+
+// newScales returns a Scales
+func newScales(c *AppsV1beta1Client, namespace string) *scales {
+	return &scales{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/statefulset.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/statefulset.go
new file mode 100644
index 00000000..cf96d006
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta1/statefulset.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/apps/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// StatefulSetsGetter has a method to return a StatefulSetInterface.
+// A group's client should implement this interface.
+type StatefulSetsGetter interface {
+	StatefulSets(namespace string) StatefulSetInterface
+}
+
+// StatefulSetInterface has methods to work with StatefulSet resources.
+type StatefulSetInterface interface {
+	Create(*v1beta1.StatefulSet) (*v1beta1.StatefulSet, error)
+	Update(*v1beta1.StatefulSet) (*v1beta1.StatefulSet, error)
+	UpdateStatus(*v1beta1.StatefulSet) (*v1beta1.StatefulSet, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.StatefulSet, error)
+	List(opts v1.ListOptions) (*v1beta1.StatefulSetList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.StatefulSet, err error)
+	StatefulSetExpansion
+}
+
+// statefulSets implements StatefulSetInterface
+type statefulSets struct {
+	client rest.Interface
+	ns     string
+}
+
+// newStatefulSets returns a StatefulSets
+func newStatefulSets(c *AppsV1beta1Client, namespace string) *statefulSets {
+	return &statefulSets{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the statefulSet, and returns the corresponding statefulSet object, and an error if there is any.
+func (c *statefulSets) Get(name string, options v1.GetOptions) (result *v1beta1.StatefulSet, err error) {
+	result = &v1beta1.StatefulSet{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of StatefulSets that match those selectors.
+func (c *statefulSets) List(opts v1.ListOptions) (result *v1beta1.StatefulSetList, err error) {
+	result = &v1beta1.StatefulSetList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested statefulSets.
+func (c *statefulSets) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a statefulSet and creates it.  Returns the server's representation of the statefulSet, and an error, if there is any.
+func (c *statefulSets) Create(statefulSet *v1beta1.StatefulSet) (result *v1beta1.StatefulSet, err error) {
+	result = &v1beta1.StatefulSet{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Body(statefulSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a statefulSet and updates it. Returns the server's representation of the statefulSet, and an error, if there is any.
+func (c *statefulSets) Update(statefulSet *v1beta1.StatefulSet) (result *v1beta1.StatefulSet, err error) {
+	result = &v1beta1.StatefulSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Name(statefulSet.Name).
+		Body(statefulSet).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *statefulSets) UpdateStatus(statefulSet *v1beta1.StatefulSet) (result *v1beta1.StatefulSet, err error) {
+	result = &v1beta1.StatefulSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Name(statefulSet.Name).
+		SubResource("status").
+		Body(statefulSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the statefulSet and deletes it. Returns an error if one occurs.
+func (c *statefulSets) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *statefulSets) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched statefulSet.
+func (c *statefulSets) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.StatefulSet, err error) {
+	result = &v1beta1.StatefulSet{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("statefulsets").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/apps_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/apps_client.go
new file mode 100644
index 00000000..cb44f155
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/apps_client.go
@@ -0,0 +1,113 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	v1beta2 "k8s.io/api/apps/v1beta2"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type AppsV1beta2Interface interface {
+	RESTClient() rest.Interface
+	ControllerRevisionsGetter
+	DaemonSetsGetter
+	DeploymentsGetter
+	ReplicaSetsGetter
+	ScalesGetter
+	StatefulSetsGetter
+}
+
+// AppsV1beta2Client is used to interact with features provided by the apps group.
+type AppsV1beta2Client struct {
+	restClient rest.Interface
+}
+
+func (c *AppsV1beta2Client) ControllerRevisions(namespace string) ControllerRevisionInterface {
+	return newControllerRevisions(c, namespace)
+}
+
+func (c *AppsV1beta2Client) DaemonSets(namespace string) DaemonSetInterface {
+	return newDaemonSets(c, namespace)
+}
+
+func (c *AppsV1beta2Client) Deployments(namespace string) DeploymentInterface {
+	return newDeployments(c, namespace)
+}
+
+func (c *AppsV1beta2Client) ReplicaSets(namespace string) ReplicaSetInterface {
+	return newReplicaSets(c, namespace)
+}
+
+func (c *AppsV1beta2Client) Scales(namespace string) ScaleInterface {
+	return newScales(c, namespace)
+}
+
+func (c *AppsV1beta2Client) StatefulSets(namespace string) StatefulSetInterface {
+	return newStatefulSets(c, namespace)
+}
+
+// NewForConfig creates a new AppsV1beta2Client for the given config.
+func NewForConfig(c *rest.Config) (*AppsV1beta2Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &AppsV1beta2Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new AppsV1beta2Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *AppsV1beta2Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new AppsV1beta2Client for the given RESTClient.
+func New(c rest.Interface) *AppsV1beta2Client {
+	return &AppsV1beta2Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta2.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *AppsV1beta2Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/controllerrevision.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/controllerrevision.go
new file mode 100644
index 00000000..9fe5d129
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/controllerrevision.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	v1beta2 "k8s.io/api/apps/v1beta2"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ControllerRevisionsGetter has a method to return a ControllerRevisionInterface.
+// A group's client should implement this interface.
+type ControllerRevisionsGetter interface {
+	ControllerRevisions(namespace string) ControllerRevisionInterface
+}
+
+// ControllerRevisionInterface has methods to work with ControllerRevision resources.
+type ControllerRevisionInterface interface {
+	Create(*v1beta2.ControllerRevision) (*v1beta2.ControllerRevision, error)
+	Update(*v1beta2.ControllerRevision) (*v1beta2.ControllerRevision, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta2.ControllerRevision, error)
+	List(opts v1.ListOptions) (*v1beta2.ControllerRevisionList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta2.ControllerRevision, err error)
+	ControllerRevisionExpansion
+}
+
+// controllerRevisions implements ControllerRevisionInterface
+type controllerRevisions struct {
+	client rest.Interface
+	ns     string
+}
+
+// newControllerRevisions returns a ControllerRevisions
+func newControllerRevisions(c *AppsV1beta2Client, namespace string) *controllerRevisions {
+	return &controllerRevisions{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the controllerRevision, and returns the corresponding controllerRevision object, and an error if there is any.
+func (c *controllerRevisions) Get(name string, options v1.GetOptions) (result *v1beta2.ControllerRevision, err error) {
+	result = &v1beta2.ControllerRevision{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ControllerRevisions that match those selectors.
+func (c *controllerRevisions) List(opts v1.ListOptions) (result *v1beta2.ControllerRevisionList, err error) {
+	result = &v1beta2.ControllerRevisionList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested controllerRevisions.
+func (c *controllerRevisions) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a controllerRevision and creates it.  Returns the server's representation of the controllerRevision, and an error, if there is any.
+func (c *controllerRevisions) Create(controllerRevision *v1beta2.ControllerRevision) (result *v1beta2.ControllerRevision, err error) {
+	result = &v1beta2.ControllerRevision{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		Body(controllerRevision).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a controllerRevision and updates it. Returns the server's representation of the controllerRevision, and an error, if there is any.
+func (c *controllerRevisions) Update(controllerRevision *v1beta2.ControllerRevision) (result *v1beta2.ControllerRevision, err error) {
+	result = &v1beta2.ControllerRevision{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		Name(controllerRevision.Name).
+		Body(controllerRevision).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the controllerRevision and deletes it. Returns an error if one occurs.
+func (c *controllerRevisions) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *controllerRevisions) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched controllerRevision.
+func (c *controllerRevisions) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta2.ControllerRevision, err error) {
+	result = &v1beta2.ControllerRevision{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("controllerrevisions").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/daemonset.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/daemonset.go
new file mode 100644
index 00000000..e062d392
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/daemonset.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	v1beta2 "k8s.io/api/apps/v1beta2"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// DaemonSetsGetter has a method to return a DaemonSetInterface.
+// A group's client should implement this interface.
+type DaemonSetsGetter interface {
+	DaemonSets(namespace string) DaemonSetInterface
+}
+
+// DaemonSetInterface has methods to work with DaemonSet resources.
+type DaemonSetInterface interface {
+	Create(*v1beta2.DaemonSet) (*v1beta2.DaemonSet, error)
+	Update(*v1beta2.DaemonSet) (*v1beta2.DaemonSet, error)
+	UpdateStatus(*v1beta2.DaemonSet) (*v1beta2.DaemonSet, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta2.DaemonSet, error)
+	List(opts v1.ListOptions) (*v1beta2.DaemonSetList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta2.DaemonSet, err error)
+	DaemonSetExpansion
+}
+
+// daemonSets implements DaemonSetInterface
+type daemonSets struct {
+	client rest.Interface
+	ns     string
+}
+
+// newDaemonSets returns a DaemonSets
+func newDaemonSets(c *AppsV1beta2Client, namespace string) *daemonSets {
+	return &daemonSets{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the daemonSet, and returns the corresponding daemonSet object, and an error if there is any.
+func (c *daemonSets) Get(name string, options v1.GetOptions) (result *v1beta2.DaemonSet, err error) {
+	result = &v1beta2.DaemonSet{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of DaemonSets that match those selectors.
+func (c *daemonSets) List(opts v1.ListOptions) (result *v1beta2.DaemonSetList, err error) {
+	result = &v1beta2.DaemonSetList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested daemonSets.
+func (c *daemonSets) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a daemonSet and creates it.  Returns the server's representation of the daemonSet, and an error, if there is any.
+func (c *daemonSets) Create(daemonSet *v1beta2.DaemonSet) (result *v1beta2.DaemonSet, err error) {
+	result = &v1beta2.DaemonSet{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		Body(daemonSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a daemonSet and updates it. Returns the server's representation of the daemonSet, and an error, if there is any.
+func (c *daemonSets) Update(daemonSet *v1beta2.DaemonSet) (result *v1beta2.DaemonSet, err error) {
+	result = &v1beta2.DaemonSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		Name(daemonSet.Name).
+		Body(daemonSet).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *daemonSets) UpdateStatus(daemonSet *v1beta2.DaemonSet) (result *v1beta2.DaemonSet, err error) {
+	result = &v1beta2.DaemonSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		Name(daemonSet.Name).
+		SubResource("status").
+		Body(daemonSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the daemonSet and deletes it. Returns an error if one occurs.
+func (c *daemonSets) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *daemonSets) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched daemonSet.
+func (c *daemonSets) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta2.DaemonSet, err error) {
+	result = &v1beta2.DaemonSet{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("daemonsets").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/deployment.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/deployment.go
new file mode 100644
index 00000000..0e292ca1
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/deployment.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	v1beta2 "k8s.io/api/apps/v1beta2"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// DeploymentsGetter has a method to return a DeploymentInterface.
+// A group's client should implement this interface.
+type DeploymentsGetter interface {
+	Deployments(namespace string) DeploymentInterface
+}
+
+// DeploymentInterface has methods to work with Deployment resources.
+type DeploymentInterface interface {
+	Create(*v1beta2.Deployment) (*v1beta2.Deployment, error)
+	Update(*v1beta2.Deployment) (*v1beta2.Deployment, error)
+	UpdateStatus(*v1beta2.Deployment) (*v1beta2.Deployment, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta2.Deployment, error)
+	List(opts v1.ListOptions) (*v1beta2.DeploymentList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta2.Deployment, err error)
+	DeploymentExpansion
+}
+
+// deployments implements DeploymentInterface
+type deployments struct {
+	client rest.Interface
+	ns     string
+}
+
+// newDeployments returns a Deployments
+func newDeployments(c *AppsV1beta2Client, namespace string) *deployments {
+	return &deployments{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the deployment, and returns the corresponding deployment object, and an error if there is any.
+func (c *deployments) Get(name string, options v1.GetOptions) (result *v1beta2.Deployment, err error) {
+	result = &v1beta2.Deployment{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Deployments that match those selectors.
+func (c *deployments) List(opts v1.ListOptions) (result *v1beta2.DeploymentList, err error) {
+	result = &v1beta2.DeploymentList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("deployments").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested deployments.
+func (c *deployments) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("deployments").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a deployment and creates it.  Returns the server's representation of the deployment, and an error, if there is any.
+func (c *deployments) Create(deployment *v1beta2.Deployment) (result *v1beta2.Deployment, err error) {
+	result = &v1beta2.Deployment{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("deployments").
+		Body(deployment).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a deployment and updates it. Returns the server's representation of the deployment, and an error, if there is any.
+func (c *deployments) Update(deployment *v1beta2.Deployment) (result *v1beta2.Deployment, err error) {
+	result = &v1beta2.Deployment{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(deployment.Name).
+		Body(deployment).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *deployments) UpdateStatus(deployment *v1beta2.Deployment) (result *v1beta2.Deployment, err error) {
+	result = &v1beta2.Deployment{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(deployment.Name).
+		SubResource("status").
+		Body(deployment).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the deployment and deletes it. Returns an error if one occurs.
+func (c *deployments) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *deployments) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("deployments").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched deployment.
+func (c *deployments) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta2.Deployment, err error) {
+	result = &v1beta2.Deployment{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("deployments").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/doc.go
new file mode 100644
index 00000000..7307bcd9
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1beta2
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/generated_expansion.go
new file mode 100644
index 00000000..98356ca7
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/generated_expansion.go
@@ -0,0 +1,29 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+type ControllerRevisionExpansion interface{}
+
+type DaemonSetExpansion interface{}
+
+type DeploymentExpansion interface{}
+
+type ReplicaSetExpansion interface{}
+
+type ScaleExpansion interface{}
+
+type StatefulSetExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/replicaset.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/replicaset.go
new file mode 100644
index 00000000..e0cd3a28
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/replicaset.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	v1beta2 "k8s.io/api/apps/v1beta2"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ReplicaSetsGetter has a method to return a ReplicaSetInterface.
+// A group's client should implement this interface.
+type ReplicaSetsGetter interface {
+	ReplicaSets(namespace string) ReplicaSetInterface
+}
+
+// ReplicaSetInterface has methods to work with ReplicaSet resources.
+type ReplicaSetInterface interface {
+	Create(*v1beta2.ReplicaSet) (*v1beta2.ReplicaSet, error)
+	Update(*v1beta2.ReplicaSet) (*v1beta2.ReplicaSet, error)
+	UpdateStatus(*v1beta2.ReplicaSet) (*v1beta2.ReplicaSet, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta2.ReplicaSet, error)
+	List(opts v1.ListOptions) (*v1beta2.ReplicaSetList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta2.ReplicaSet, err error)
+	ReplicaSetExpansion
+}
+
+// replicaSets implements ReplicaSetInterface
+type replicaSets struct {
+	client rest.Interface
+	ns     string
+}
+
+// newReplicaSets returns a ReplicaSets
+func newReplicaSets(c *AppsV1beta2Client, namespace string) *replicaSets {
+	return &replicaSets{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the replicaSet, and returns the corresponding replicaSet object, and an error if there is any.
+func (c *replicaSets) Get(name string, options v1.GetOptions) (result *v1beta2.ReplicaSet, err error) {
+	result = &v1beta2.ReplicaSet{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ReplicaSets that match those selectors.
+func (c *replicaSets) List(opts v1.ListOptions) (result *v1beta2.ReplicaSetList, err error) {
+	result = &v1beta2.ReplicaSetList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("replicasets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested replicaSets.
+func (c *replicaSets) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("replicasets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a replicaSet and creates it.  Returns the server's representation of the replicaSet, and an error, if there is any.
+func (c *replicaSets) Create(replicaSet *v1beta2.ReplicaSet) (result *v1beta2.ReplicaSet, err error) {
+	result = &v1beta2.ReplicaSet{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Body(replicaSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a replicaSet and updates it. Returns the server's representation of the replicaSet, and an error, if there is any.
+func (c *replicaSets) Update(replicaSet *v1beta2.ReplicaSet) (result *v1beta2.ReplicaSet, err error) {
+	result = &v1beta2.ReplicaSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Name(replicaSet.Name).
+		Body(replicaSet).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *replicaSets) UpdateStatus(replicaSet *v1beta2.ReplicaSet) (result *v1beta2.ReplicaSet, err error) {
+	result = &v1beta2.ReplicaSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Name(replicaSet.Name).
+		SubResource("status").
+		Body(replicaSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the replicaSet and deletes it. Returns an error if one occurs.
+func (c *replicaSets) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *replicaSets) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("replicasets").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched replicaSet.
+func (c *replicaSets) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta2.ReplicaSet, err error) {
+	result = &v1beta2.ReplicaSet{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("replicasets").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/scale.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/scale.go
new file mode 100644
index 00000000..0295d414
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/scale.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// ScalesGetter has a method to return a ScaleInterface.
+// A group's client should implement this interface.
+type ScalesGetter interface {
+	Scales(namespace string) ScaleInterface
+}
+
+// ScaleInterface has methods to work with Scale resources.
+type ScaleInterface interface {
+	ScaleExpansion
+}
+
+// scales implements ScaleInterface
+type scales struct {
+	client rest.Interface
+	ns     string
+}
+
+// newScales returns a Scales
+func newScales(c *AppsV1beta2Client, namespace string) *scales {
+	return &scales{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/statefulset.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/statefulset.go
new file mode 100644
index 00000000..8bac7560
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/apps/v1beta2/statefulset.go
@@ -0,0 +1,203 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import (
+	v1beta2 "k8s.io/api/apps/v1beta2"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// StatefulSetsGetter has a method to return a StatefulSetInterface.
+// A group's client should implement this interface.
+type StatefulSetsGetter interface {
+	StatefulSets(namespace string) StatefulSetInterface
+}
+
+// StatefulSetInterface has methods to work with StatefulSet resources.
+type StatefulSetInterface interface {
+	Create(*v1beta2.StatefulSet) (*v1beta2.StatefulSet, error)
+	Update(*v1beta2.StatefulSet) (*v1beta2.StatefulSet, error)
+	UpdateStatus(*v1beta2.StatefulSet) (*v1beta2.StatefulSet, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta2.StatefulSet, error)
+	List(opts v1.ListOptions) (*v1beta2.StatefulSetList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta2.StatefulSet, err error)
+	GetScale(statefulSetName string, options v1.GetOptions) (*v1beta2.Scale, error)
+	UpdateScale(statefulSetName string, scale *v1beta2.Scale) (*v1beta2.Scale, error)
+
+	StatefulSetExpansion
+}
+
+// statefulSets implements StatefulSetInterface
+type statefulSets struct {
+	client rest.Interface
+	ns     string
+}
+
+// newStatefulSets returns a StatefulSets
+func newStatefulSets(c *AppsV1beta2Client, namespace string) *statefulSets {
+	return &statefulSets{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the statefulSet, and returns the corresponding statefulSet object, and an error if there is any.
+func (c *statefulSets) Get(name string, options v1.GetOptions) (result *v1beta2.StatefulSet, err error) {
+	result = &v1beta2.StatefulSet{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of StatefulSets that match those selectors.
+func (c *statefulSets) List(opts v1.ListOptions) (result *v1beta2.StatefulSetList, err error) {
+	result = &v1beta2.StatefulSetList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested statefulSets.
+func (c *statefulSets) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a statefulSet and creates it.  Returns the server's representation of the statefulSet, and an error, if there is any.
+func (c *statefulSets) Create(statefulSet *v1beta2.StatefulSet) (result *v1beta2.StatefulSet, err error) {
+	result = &v1beta2.StatefulSet{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Body(statefulSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a statefulSet and updates it. Returns the server's representation of the statefulSet, and an error, if there is any.
+func (c *statefulSets) Update(statefulSet *v1beta2.StatefulSet) (result *v1beta2.StatefulSet, err error) {
+	result = &v1beta2.StatefulSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Name(statefulSet.Name).
+		Body(statefulSet).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *statefulSets) UpdateStatus(statefulSet *v1beta2.StatefulSet) (result *v1beta2.StatefulSet, err error) {
+	result = &v1beta2.StatefulSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Name(statefulSet.Name).
+		SubResource("status").
+		Body(statefulSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the statefulSet and deletes it. Returns an error if one occurs.
+func (c *statefulSets) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *statefulSets) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched statefulSet.
+func (c *statefulSets) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta2.StatefulSet, err error) {
+	result = &v1beta2.StatefulSet{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("statefulsets").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
+
+// GetScale takes name of the statefulSet, and returns the corresponding v1beta2.Scale object, and an error if there is any.
+func (c *statefulSets) GetScale(statefulSetName string, options v1.GetOptions) (result *v1beta2.Scale, err error) {
+	result = &v1beta2.Scale{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Name(statefulSetName).
+		SubResource("scale").
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateScale takes the top resource name and the representation of a scale and updates it. Returns the server's representation of the scale, and an error, if there is any.
+func (c *statefulSets) UpdateScale(statefulSetName string, scale *v1beta2.Scale) (result *v1beta2.Scale, err error) {
+	result = &v1beta2.Scale{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("statefulsets").
+		Name(statefulSetName).
+		SubResource("scale").
+		Body(scale).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/authentication_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/authentication_client.go
new file mode 100644
index 00000000..4d0af8c2
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/authentication_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/authentication/v1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type AuthenticationV1Interface interface {
+	RESTClient() rest.Interface
+	TokenReviewsGetter
+}
+
+// AuthenticationV1Client is used to interact with features provided by the authentication.k8s.io group.
+type AuthenticationV1Client struct {
+	restClient rest.Interface
+}
+
+func (c *AuthenticationV1Client) TokenReviews() TokenReviewInterface {
+	return newTokenReviews(c)
+}
+
+// NewForConfig creates a new AuthenticationV1Client for the given config.
+func NewForConfig(c *rest.Config) (*AuthenticationV1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &AuthenticationV1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new AuthenticationV1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *AuthenticationV1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new AuthenticationV1Client for the given RESTClient.
+func New(c rest.Interface) *AuthenticationV1Client {
+	return &AuthenticationV1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *AuthenticationV1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/doc.go
new file mode 100644
index 00000000..53d7f29a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/generated_expansion.go
new file mode 100644
index 00000000..94adbfbc
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/generated_expansion.go
@@ -0,0 +1,17 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/tokenreview.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/tokenreview.go
new file mode 100644
index 00000000..ab95e6a8
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/tokenreview.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// TokenReviewsGetter has a method to return a TokenReviewInterface.
+// A group's client should implement this interface.
+type TokenReviewsGetter interface {
+	TokenReviews() TokenReviewInterface
+}
+
+// TokenReviewInterface has methods to work with TokenReview resources.
+type TokenReviewInterface interface {
+	TokenReviewExpansion
+}
+
+// tokenReviews implements TokenReviewInterface
+type tokenReviews struct {
+	client rest.Interface
+}
+
+// newTokenReviews returns a TokenReviews
+func newTokenReviews(c *AuthenticationV1Client) *tokenReviews {
+	return &tokenReviews{
+		client: c.RESTClient(),
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/tokenreview_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/tokenreview_expansion.go
new file mode 100644
index 00000000..ea21f1b4
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1/tokenreview_expansion.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	authenticationapi "k8s.io/api/authentication/v1"
+)
+
+type TokenReviewExpansion interface {
+	Create(tokenReview *authenticationapi.TokenReview) (result *authenticationapi.TokenReview, err error)
+}
+
+func (c *tokenReviews) Create(tokenReview *authenticationapi.TokenReview) (result *authenticationapi.TokenReview, err error) {
+	result = &authenticationapi.TokenReview{}
+	err = c.client.Post().
+		Resource("tokenreviews").
+		Body(tokenReview).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/authentication_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/authentication_client.go
new file mode 100644
index 00000000..996de350
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/authentication_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/authentication/v1beta1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type AuthenticationV1beta1Interface interface {
+	RESTClient() rest.Interface
+	TokenReviewsGetter
+}
+
+// AuthenticationV1beta1Client is used to interact with features provided by the authentication.k8s.io group.
+type AuthenticationV1beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *AuthenticationV1beta1Client) TokenReviews() TokenReviewInterface {
+	return newTokenReviews(c)
+}
+
+// NewForConfig creates a new AuthenticationV1beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*AuthenticationV1beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &AuthenticationV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new AuthenticationV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *AuthenticationV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new AuthenticationV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *AuthenticationV1beta1Client {
+	return &AuthenticationV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *AuthenticationV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/doc.go
new file mode 100644
index 00000000..6bd6c583
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/generated_expansion.go
new file mode 100644
index 00000000..74ad7fa9
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/generated_expansion.go
@@ -0,0 +1,17 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/tokenreview.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/tokenreview.go
new file mode 100644
index 00000000..eef5a968
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/tokenreview.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// TokenReviewsGetter has a method to return a TokenReviewInterface.
+// A group's client should implement this interface.
+type TokenReviewsGetter interface {
+	TokenReviews() TokenReviewInterface
+}
+
+// TokenReviewInterface has methods to work with TokenReview resources.
+type TokenReviewInterface interface {
+	TokenReviewExpansion
+}
+
+// tokenReviews implements TokenReviewInterface
+type tokenReviews struct {
+	client rest.Interface
+}
+
+// newTokenReviews returns a TokenReviews
+func newTokenReviews(c *AuthenticationV1beta1Client) *tokenReviews {
+	return &tokenReviews{
+		client: c.RESTClient(),
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/tokenreview_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/tokenreview_expansion.go
new file mode 100644
index 00000000..8f186fa7
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1/tokenreview_expansion.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	authenticationapi "k8s.io/api/authentication/v1beta1"
+)
+
+type TokenReviewExpansion interface {
+	Create(tokenReview *authenticationapi.TokenReview) (result *authenticationapi.TokenReview, err error)
+}
+
+func (c *tokenReviews) Create(tokenReview *authenticationapi.TokenReview) (result *authenticationapi.TokenReview, err error) {
+	result = &authenticationapi.TokenReview{}
+	err = c.client.Post().
+		Resource("tokenreviews").
+		Body(tokenReview).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/authorization_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/authorization_client.go
new file mode 100644
index 00000000..c75cc05b
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/authorization_client.go
@@ -0,0 +1,103 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/authorization/v1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type AuthorizationV1Interface interface {
+	RESTClient() rest.Interface
+	LocalSubjectAccessReviewsGetter
+	SelfSubjectAccessReviewsGetter
+	SelfSubjectRulesReviewsGetter
+	SubjectAccessReviewsGetter
+}
+
+// AuthorizationV1Client is used to interact with features provided by the authorization.k8s.io group.
+type AuthorizationV1Client struct {
+	restClient rest.Interface
+}
+
+func (c *AuthorizationV1Client) LocalSubjectAccessReviews(namespace string) LocalSubjectAccessReviewInterface {
+	return newLocalSubjectAccessReviews(c, namespace)
+}
+
+func (c *AuthorizationV1Client) SelfSubjectAccessReviews() SelfSubjectAccessReviewInterface {
+	return newSelfSubjectAccessReviews(c)
+}
+
+func (c *AuthorizationV1Client) SelfSubjectRulesReviews() SelfSubjectRulesReviewInterface {
+	return newSelfSubjectRulesReviews(c)
+}
+
+func (c *AuthorizationV1Client) SubjectAccessReviews() SubjectAccessReviewInterface {
+	return newSubjectAccessReviews(c)
+}
+
+// NewForConfig creates a new AuthorizationV1Client for the given config.
+func NewForConfig(c *rest.Config) (*AuthorizationV1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &AuthorizationV1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new AuthorizationV1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *AuthorizationV1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new AuthorizationV1Client for the given RESTClient.
+func New(c rest.Interface) *AuthorizationV1Client {
+	return &AuthorizationV1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *AuthorizationV1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/doc.go
new file mode 100644
index 00000000..53d7f29a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go
new file mode 100644
index 00000000..94adbfbc
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/generated_expansion.go
@@ -0,0 +1,17 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/localsubjectaccessreview.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/localsubjectaccessreview.go
new file mode 100644
index 00000000..7c9ff014
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/localsubjectaccessreview.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// LocalSubjectAccessReviewsGetter has a method to return a LocalSubjectAccessReviewInterface.
+// A group's client should implement this interface.
+type LocalSubjectAccessReviewsGetter interface {
+	LocalSubjectAccessReviews(namespace string) LocalSubjectAccessReviewInterface
+}
+
+// LocalSubjectAccessReviewInterface has methods to work with LocalSubjectAccessReview resources.
+type LocalSubjectAccessReviewInterface interface {
+	LocalSubjectAccessReviewExpansion
+}
+
+// localSubjectAccessReviews implements LocalSubjectAccessReviewInterface
+type localSubjectAccessReviews struct {
+	client rest.Interface
+	ns     string
+}
+
+// newLocalSubjectAccessReviews returns a LocalSubjectAccessReviews
+func newLocalSubjectAccessReviews(c *AuthorizationV1Client, namespace string) *localSubjectAccessReviews {
+	return &localSubjectAccessReviews{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/localsubjectaccessreview_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/localsubjectaccessreview_expansion.go
new file mode 100644
index 00000000..0c123b07
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/localsubjectaccessreview_expansion.go
@@ -0,0 +1,36 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	authorizationapi "k8s.io/api/authorization/v1"
+)
+
+type LocalSubjectAccessReviewExpansion interface {
+	Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error)
+}
+
+func (c *localSubjectAccessReviews) Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error) {
+	result = &authorizationapi.LocalSubjectAccessReview{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("localsubjectaccessreviews").
+		Body(sar).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectaccessreview.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectaccessreview.go
new file mode 100644
index 00000000..0957b231
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectaccessreview.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// SelfSubjectAccessReviewsGetter has a method to return a SelfSubjectAccessReviewInterface.
+// A group's client should implement this interface.
+type SelfSubjectAccessReviewsGetter interface {
+	SelfSubjectAccessReviews() SelfSubjectAccessReviewInterface
+}
+
+// SelfSubjectAccessReviewInterface has methods to work with SelfSubjectAccessReview resources.
+type SelfSubjectAccessReviewInterface interface {
+	SelfSubjectAccessReviewExpansion
+}
+
+// selfSubjectAccessReviews implements SelfSubjectAccessReviewInterface
+type selfSubjectAccessReviews struct {
+	client rest.Interface
+}
+
+// newSelfSubjectAccessReviews returns a SelfSubjectAccessReviews
+func newSelfSubjectAccessReviews(c *AuthorizationV1Client) *selfSubjectAccessReviews {
+	return &selfSubjectAccessReviews{
+		client: c.RESTClient(),
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectaccessreview_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectaccessreview_expansion.go
new file mode 100644
index 00000000..5b70a27d
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectaccessreview_expansion.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	authorizationapi "k8s.io/api/authorization/v1"
+)
+
+type SelfSubjectAccessReviewExpansion interface {
+	Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error)
+}
+
+func (c *selfSubjectAccessReviews) Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error) {
+	result = &authorizationapi.SelfSubjectAccessReview{}
+	err = c.client.Post().
+		Resource("selfsubjectaccessreviews").
+		Body(sar).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview.go
new file mode 100644
index 00000000..9caaee2a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// SelfSubjectRulesReviewsGetter has a method to return a SelfSubjectRulesReviewInterface.
+// A group's client should implement this interface.
+type SelfSubjectRulesReviewsGetter interface {
+	SelfSubjectRulesReviews() SelfSubjectRulesReviewInterface
+}
+
+// SelfSubjectRulesReviewInterface has methods to work with SelfSubjectRulesReview resources.
+type SelfSubjectRulesReviewInterface interface {
+	SelfSubjectRulesReviewExpansion
+}
+
+// selfSubjectRulesReviews implements SelfSubjectRulesReviewInterface
+type selfSubjectRulesReviews struct {
+	client rest.Interface
+}
+
+// newSelfSubjectRulesReviews returns a SelfSubjectRulesReviews
+func newSelfSubjectRulesReviews(c *AuthorizationV1Client) *selfSubjectRulesReviews {
+	return &selfSubjectRulesReviews{
+		client: c.RESTClient(),
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview_expansion.go
new file mode 100644
index 00000000..e2cad880
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/selfsubjectrulesreview_expansion.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	authorizationapi "k8s.io/api/authorization/v1"
+)
+
+type SelfSubjectRulesReviewExpansion interface {
+	Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error)
+}
+
+func (c *selfSubjectRulesReviews) Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error) {
+	result = &authorizationapi.SelfSubjectRulesReview{}
+	err = c.client.Post().
+		Resource("selfsubjectrulesreviews").
+		Body(srr).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/subjectaccessreview.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/subjectaccessreview.go
new file mode 100644
index 00000000..f4557d2b
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/subjectaccessreview.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// SubjectAccessReviewsGetter has a method to return a SubjectAccessReviewInterface.
+// A group's client should implement this interface.
+type SubjectAccessReviewsGetter interface {
+	SubjectAccessReviews() SubjectAccessReviewInterface
+}
+
+// SubjectAccessReviewInterface has methods to work with SubjectAccessReview resources.
+type SubjectAccessReviewInterface interface {
+	SubjectAccessReviewExpansion
+}
+
+// subjectAccessReviews implements SubjectAccessReviewInterface
+type subjectAccessReviews struct {
+	client rest.Interface
+}
+
+// newSubjectAccessReviews returns a SubjectAccessReviews
+func newSubjectAccessReviews(c *AuthorizationV1Client) *subjectAccessReviews {
+	return &subjectAccessReviews{
+		client: c.RESTClient(),
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/subjectaccessreview_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/subjectaccessreview_expansion.go
new file mode 100644
index 00000000..b5ed87d3
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1/subjectaccessreview_expansion.go
@@ -0,0 +1,36 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	authorizationapi "k8s.io/api/authorization/v1"
+)
+
+// The SubjectAccessReviewExpansion interface allows manually adding extra methods to the AuthorizationInterface.
+type SubjectAccessReviewExpansion interface {
+	Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error)
+}
+
+func (c *subjectAccessReviews) Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error) {
+	result = &authorizationapi.SubjectAccessReview{}
+	err = c.client.Post().
+		Resource("subjectaccessreviews").
+		Body(sar).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/authorization_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/authorization_client.go
new file mode 100644
index 00000000..5bf1261a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/authorization_client.go
@@ -0,0 +1,103 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/authorization/v1beta1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type AuthorizationV1beta1Interface interface {
+	RESTClient() rest.Interface
+	LocalSubjectAccessReviewsGetter
+	SelfSubjectAccessReviewsGetter
+	SelfSubjectRulesReviewsGetter
+	SubjectAccessReviewsGetter
+}
+
+// AuthorizationV1beta1Client is used to interact with features provided by the authorization.k8s.io group.
+type AuthorizationV1beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *AuthorizationV1beta1Client) LocalSubjectAccessReviews(namespace string) LocalSubjectAccessReviewInterface {
+	return newLocalSubjectAccessReviews(c, namespace)
+}
+
+func (c *AuthorizationV1beta1Client) SelfSubjectAccessReviews() SelfSubjectAccessReviewInterface {
+	return newSelfSubjectAccessReviews(c)
+}
+
+func (c *AuthorizationV1beta1Client) SelfSubjectRulesReviews() SelfSubjectRulesReviewInterface {
+	return newSelfSubjectRulesReviews(c)
+}
+
+func (c *AuthorizationV1beta1Client) SubjectAccessReviews() SubjectAccessReviewInterface {
+	return newSubjectAccessReviews(c)
+}
+
+// NewForConfig creates a new AuthorizationV1beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*AuthorizationV1beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &AuthorizationV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new AuthorizationV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *AuthorizationV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new AuthorizationV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *AuthorizationV1beta1Client {
+	return &AuthorizationV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *AuthorizationV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/doc.go
new file mode 100644
index 00000000..6bd6c583
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go
new file mode 100644
index 00000000..74ad7fa9
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/generated_expansion.go
@@ -0,0 +1,17 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/localsubjectaccessreview.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/localsubjectaccessreview.go
new file mode 100644
index 00000000..18821d72
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/localsubjectaccessreview.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// LocalSubjectAccessReviewsGetter has a method to return a LocalSubjectAccessReviewInterface.
+// A group's client should implement this interface.
+type LocalSubjectAccessReviewsGetter interface {
+	LocalSubjectAccessReviews(namespace string) LocalSubjectAccessReviewInterface
+}
+
+// LocalSubjectAccessReviewInterface has methods to work with LocalSubjectAccessReview resources.
+type LocalSubjectAccessReviewInterface interface {
+	LocalSubjectAccessReviewExpansion
+}
+
+// localSubjectAccessReviews implements LocalSubjectAccessReviewInterface
+type localSubjectAccessReviews struct {
+	client rest.Interface
+	ns     string
+}
+
+// newLocalSubjectAccessReviews returns a LocalSubjectAccessReviews
+func newLocalSubjectAccessReviews(c *AuthorizationV1beta1Client, namespace string) *localSubjectAccessReviews {
+	return &localSubjectAccessReviews{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/localsubjectaccessreview_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/localsubjectaccessreview_expansion.go
new file mode 100644
index 00000000..bf1b8a5f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/localsubjectaccessreview_expansion.go
@@ -0,0 +1,36 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	authorizationapi "k8s.io/api/authorization/v1beta1"
+)
+
+type LocalSubjectAccessReviewExpansion interface {
+	Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error)
+}
+
+func (c *localSubjectAccessReviews) Create(sar *authorizationapi.LocalSubjectAccessReview) (result *authorizationapi.LocalSubjectAccessReview, err error) {
+	result = &authorizationapi.LocalSubjectAccessReview{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("localsubjectaccessreviews").
+		Body(sar).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectaccessreview.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectaccessreview.go
new file mode 100644
index 00000000..7bc2a021
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectaccessreview.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// SelfSubjectAccessReviewsGetter has a method to return a SelfSubjectAccessReviewInterface.
+// A group's client should implement this interface.
+type SelfSubjectAccessReviewsGetter interface {
+	SelfSubjectAccessReviews() SelfSubjectAccessReviewInterface
+}
+
+// SelfSubjectAccessReviewInterface has methods to work with SelfSubjectAccessReview resources.
+type SelfSubjectAccessReviewInterface interface {
+	SelfSubjectAccessReviewExpansion
+}
+
+// selfSubjectAccessReviews implements SelfSubjectAccessReviewInterface
+type selfSubjectAccessReviews struct {
+	client rest.Interface
+}
+
+// newSelfSubjectAccessReviews returns a SelfSubjectAccessReviews
+func newSelfSubjectAccessReviews(c *AuthorizationV1beta1Client) *selfSubjectAccessReviews {
+	return &selfSubjectAccessReviews{
+		client: c.RESTClient(),
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectaccessreview_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectaccessreview_expansion.go
new file mode 100644
index 00000000..58fecfd8
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectaccessreview_expansion.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	authorizationapi "k8s.io/api/authorization/v1beta1"
+)
+
+type SelfSubjectAccessReviewExpansion interface {
+	Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error)
+}
+
+func (c *selfSubjectAccessReviews) Create(sar *authorizationapi.SelfSubjectAccessReview) (result *authorizationapi.SelfSubjectAccessReview, err error) {
+	result = &authorizationapi.SelfSubjectAccessReview{}
+	err = c.client.Post().
+		Resource("selfsubjectaccessreviews").
+		Body(sar).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview.go
new file mode 100644
index 00000000..7dfd314d
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// SelfSubjectRulesReviewsGetter has a method to return a SelfSubjectRulesReviewInterface.
+// A group's client should implement this interface.
+type SelfSubjectRulesReviewsGetter interface {
+	SelfSubjectRulesReviews() SelfSubjectRulesReviewInterface
+}
+
+// SelfSubjectRulesReviewInterface has methods to work with SelfSubjectRulesReview resources.
+type SelfSubjectRulesReviewInterface interface {
+	SelfSubjectRulesReviewExpansion
+}
+
+// selfSubjectRulesReviews implements SelfSubjectRulesReviewInterface
+type selfSubjectRulesReviews struct {
+	client rest.Interface
+}
+
+// newSelfSubjectRulesReviews returns a SelfSubjectRulesReviews
+func newSelfSubjectRulesReviews(c *AuthorizationV1beta1Client) *selfSubjectRulesReviews {
+	return &selfSubjectRulesReviews{
+		client: c.RESTClient(),
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview_expansion.go
new file mode 100644
index 00000000..5f1f37ef
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/selfsubjectrulesreview_expansion.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	authorizationapi "k8s.io/api/authorization/v1beta1"
+)
+
+type SelfSubjectRulesReviewExpansion interface {
+	Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error)
+}
+
+func (c *selfSubjectRulesReviews) Create(srr *authorizationapi.SelfSubjectRulesReview) (result *authorizationapi.SelfSubjectRulesReview, err error) {
+	result = &authorizationapi.SelfSubjectRulesReview{}
+	err = c.client.Post().
+		Resource("selfsubjectrulesreviews").
+		Body(srr).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/subjectaccessreview.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/subjectaccessreview.go
new file mode 100644
index 00000000..aa4dfcaa
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/subjectaccessreview.go
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// SubjectAccessReviewsGetter has a method to return a SubjectAccessReviewInterface.
+// A group's client should implement this interface.
+type SubjectAccessReviewsGetter interface {
+	SubjectAccessReviews() SubjectAccessReviewInterface
+}
+
+// SubjectAccessReviewInterface has methods to work with SubjectAccessReview resources.
+type SubjectAccessReviewInterface interface {
+	SubjectAccessReviewExpansion
+}
+
+// subjectAccessReviews implements SubjectAccessReviewInterface
+type subjectAccessReviews struct {
+	client rest.Interface
+}
+
+// newSubjectAccessReviews returns a SubjectAccessReviews
+func newSubjectAccessReviews(c *AuthorizationV1beta1Client) *subjectAccessReviews {
+	return &subjectAccessReviews{
+		client: c.RESTClient(),
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/subjectaccessreview_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/subjectaccessreview_expansion.go
new file mode 100644
index 00000000..4f93689e
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1/subjectaccessreview_expansion.go
@@ -0,0 +1,36 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	authorizationapi "k8s.io/api/authorization/v1beta1"
+)
+
+// The SubjectAccessReviewExpansion interface allows manually adding extra methods to the AuthorizationInterface.
+type SubjectAccessReviewExpansion interface {
+	Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error)
+}
+
+func (c *subjectAccessReviews) Create(sar *authorizationapi.SubjectAccessReview) (result *authorizationapi.SubjectAccessReview, err error) {
+	result = &authorizationapi.SubjectAccessReview{}
+	err = c.client.Post().
+		Resource("subjectaccessreviews").
+		Body(sar).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/autoscaling_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/autoscaling_client.go
new file mode 100644
index 00000000..1e504bd0
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/autoscaling_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/autoscaling/v1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type AutoscalingV1Interface interface {
+	RESTClient() rest.Interface
+	HorizontalPodAutoscalersGetter
+}
+
+// AutoscalingV1Client is used to interact with features provided by the autoscaling group.
+type AutoscalingV1Client struct {
+	restClient rest.Interface
+}
+
+func (c *AutoscalingV1Client) HorizontalPodAutoscalers(namespace string) HorizontalPodAutoscalerInterface {
+	return newHorizontalPodAutoscalers(c, namespace)
+}
+
+// NewForConfig creates a new AutoscalingV1Client for the given config.
+func NewForConfig(c *rest.Config) (*AutoscalingV1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &AutoscalingV1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new AutoscalingV1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *AutoscalingV1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new AutoscalingV1Client for the given RESTClient.
+func New(c rest.Interface) *AutoscalingV1Client {
+	return &AutoscalingV1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *AutoscalingV1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/doc.go
new file mode 100644
index 00000000..53d7f29a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/generated_expansion.go
new file mode 100644
index 00000000..15ea315c
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+type HorizontalPodAutoscalerExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/horizontalpodautoscaler.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/horizontalpodautoscaler.go
new file mode 100644
index 00000000..29da3e74
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v1/horizontalpodautoscaler.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/autoscaling/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// HorizontalPodAutoscalersGetter has a method to return a HorizontalPodAutoscalerInterface.
+// A group's client should implement this interface.
+type HorizontalPodAutoscalersGetter interface {
+	HorizontalPodAutoscalers(namespace string) HorizontalPodAutoscalerInterface
+}
+
+// HorizontalPodAutoscalerInterface has methods to work with HorizontalPodAutoscaler resources.
+type HorizontalPodAutoscalerInterface interface {
+	Create(*v1.HorizontalPodAutoscaler) (*v1.HorizontalPodAutoscaler, error)
+	Update(*v1.HorizontalPodAutoscaler) (*v1.HorizontalPodAutoscaler, error)
+	UpdateStatus(*v1.HorizontalPodAutoscaler) (*v1.HorizontalPodAutoscaler, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.HorizontalPodAutoscaler, error)
+	List(opts meta_v1.ListOptions) (*v1.HorizontalPodAutoscalerList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.HorizontalPodAutoscaler, err error)
+	HorizontalPodAutoscalerExpansion
+}
+
+// horizontalPodAutoscalers implements HorizontalPodAutoscalerInterface
+type horizontalPodAutoscalers struct {
+	client rest.Interface
+	ns     string
+}
+
+// newHorizontalPodAutoscalers returns a HorizontalPodAutoscalers
+func newHorizontalPodAutoscalers(c *AutoscalingV1Client, namespace string) *horizontalPodAutoscalers {
+	return &horizontalPodAutoscalers{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the horizontalPodAutoscaler, and returns the corresponding horizontalPodAutoscaler object, and an error if there is any.
+func (c *horizontalPodAutoscalers) Get(name string, options meta_v1.GetOptions) (result *v1.HorizontalPodAutoscaler, err error) {
+	result = &v1.HorizontalPodAutoscaler{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of HorizontalPodAutoscalers that match those selectors.
+func (c *horizontalPodAutoscalers) List(opts meta_v1.ListOptions) (result *v1.HorizontalPodAutoscalerList, err error) {
+	result = &v1.HorizontalPodAutoscalerList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested horizontalPodAutoscalers.
+func (c *horizontalPodAutoscalers) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a horizontalPodAutoscaler and creates it.  Returns the server's representation of the horizontalPodAutoscaler, and an error, if there is any.
+func (c *horizontalPodAutoscalers) Create(horizontalPodAutoscaler *v1.HorizontalPodAutoscaler) (result *v1.HorizontalPodAutoscaler, err error) {
+	result = &v1.HorizontalPodAutoscaler{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		Body(horizontalPodAutoscaler).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a horizontalPodAutoscaler and updates it. Returns the server's representation of the horizontalPodAutoscaler, and an error, if there is any.
+func (c *horizontalPodAutoscalers) Update(horizontalPodAutoscaler *v1.HorizontalPodAutoscaler) (result *v1.HorizontalPodAutoscaler, err error) {
+	result = &v1.HorizontalPodAutoscaler{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		Name(horizontalPodAutoscaler.Name).
+		Body(horizontalPodAutoscaler).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *horizontalPodAutoscalers) UpdateStatus(horizontalPodAutoscaler *v1.HorizontalPodAutoscaler) (result *v1.HorizontalPodAutoscaler, err error) {
+	result = &v1.HorizontalPodAutoscaler{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		Name(horizontalPodAutoscaler.Name).
+		SubResource("status").
+		Body(horizontalPodAutoscaler).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the horizontalPodAutoscaler and deletes it. Returns an error if one occurs.
+func (c *horizontalPodAutoscalers) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *horizontalPodAutoscalers) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched horizontalPodAutoscaler.
+func (c *horizontalPodAutoscalers) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.HorizontalPodAutoscaler, err error) {
+	result = &v1.HorizontalPodAutoscaler{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/autoscaling_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/autoscaling_client.go
new file mode 100644
index 00000000..95eab713
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/autoscaling_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2beta1
+
+import (
+	v2beta1 "k8s.io/api/autoscaling/v2beta1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type AutoscalingV2beta1Interface interface {
+	RESTClient() rest.Interface
+	HorizontalPodAutoscalersGetter
+}
+
+// AutoscalingV2beta1Client is used to interact with features provided by the autoscaling group.
+type AutoscalingV2beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *AutoscalingV2beta1Client) HorizontalPodAutoscalers(namespace string) HorizontalPodAutoscalerInterface {
+	return newHorizontalPodAutoscalers(c, namespace)
+}
+
+// NewForConfig creates a new AutoscalingV2beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*AutoscalingV2beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &AutoscalingV2beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new AutoscalingV2beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *AutoscalingV2beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new AutoscalingV2beta1Client for the given RESTClient.
+func New(c rest.Interface) *AutoscalingV2beta1Client {
+	return &AutoscalingV2beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v2beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *AutoscalingV2beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/doc.go
new file mode 100644
index 00000000..84233364
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v2beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/generated_expansion.go
new file mode 100644
index 00000000..9101766f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2beta1
+
+type HorizontalPodAutoscalerExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/horizontalpodautoscaler.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/horizontalpodautoscaler.go
new file mode 100644
index 00000000..b625fdaf
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/horizontalpodautoscaler.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2beta1
+
+import (
+	v2beta1 "k8s.io/api/autoscaling/v2beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// HorizontalPodAutoscalersGetter has a method to return a HorizontalPodAutoscalerInterface.
+// A group's client should implement this interface.
+type HorizontalPodAutoscalersGetter interface {
+	HorizontalPodAutoscalers(namespace string) HorizontalPodAutoscalerInterface
+}
+
+// HorizontalPodAutoscalerInterface has methods to work with HorizontalPodAutoscaler resources.
+type HorizontalPodAutoscalerInterface interface {
+	Create(*v2beta1.HorizontalPodAutoscaler) (*v2beta1.HorizontalPodAutoscaler, error)
+	Update(*v2beta1.HorizontalPodAutoscaler) (*v2beta1.HorizontalPodAutoscaler, error)
+	UpdateStatus(*v2beta1.HorizontalPodAutoscaler) (*v2beta1.HorizontalPodAutoscaler, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v2beta1.HorizontalPodAutoscaler, error)
+	List(opts v1.ListOptions) (*v2beta1.HorizontalPodAutoscalerList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v2beta1.HorizontalPodAutoscaler, err error)
+	HorizontalPodAutoscalerExpansion
+}
+
+// horizontalPodAutoscalers implements HorizontalPodAutoscalerInterface
+type horizontalPodAutoscalers struct {
+	client rest.Interface
+	ns     string
+}
+
+// newHorizontalPodAutoscalers returns a HorizontalPodAutoscalers
+func newHorizontalPodAutoscalers(c *AutoscalingV2beta1Client, namespace string) *horizontalPodAutoscalers {
+	return &horizontalPodAutoscalers{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the horizontalPodAutoscaler, and returns the corresponding horizontalPodAutoscaler object, and an error if there is any.
+func (c *horizontalPodAutoscalers) Get(name string, options v1.GetOptions) (result *v2beta1.HorizontalPodAutoscaler, err error) {
+	result = &v2beta1.HorizontalPodAutoscaler{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of HorizontalPodAutoscalers that match those selectors.
+func (c *horizontalPodAutoscalers) List(opts v1.ListOptions) (result *v2beta1.HorizontalPodAutoscalerList, err error) {
+	result = &v2beta1.HorizontalPodAutoscalerList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested horizontalPodAutoscalers.
+func (c *horizontalPodAutoscalers) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a horizontalPodAutoscaler and creates it.  Returns the server's representation of the horizontalPodAutoscaler, and an error, if there is any.
+func (c *horizontalPodAutoscalers) Create(horizontalPodAutoscaler *v2beta1.HorizontalPodAutoscaler) (result *v2beta1.HorizontalPodAutoscaler, err error) {
+	result = &v2beta1.HorizontalPodAutoscaler{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		Body(horizontalPodAutoscaler).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a horizontalPodAutoscaler and updates it. Returns the server's representation of the horizontalPodAutoscaler, and an error, if there is any.
+func (c *horizontalPodAutoscalers) Update(horizontalPodAutoscaler *v2beta1.HorizontalPodAutoscaler) (result *v2beta1.HorizontalPodAutoscaler, err error) {
+	result = &v2beta1.HorizontalPodAutoscaler{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		Name(horizontalPodAutoscaler.Name).
+		Body(horizontalPodAutoscaler).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *horizontalPodAutoscalers) UpdateStatus(horizontalPodAutoscaler *v2beta1.HorizontalPodAutoscaler) (result *v2beta1.HorizontalPodAutoscaler, err error) {
+	result = &v2beta1.HorizontalPodAutoscaler{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		Name(horizontalPodAutoscaler.Name).
+		SubResource("status").
+		Body(horizontalPodAutoscaler).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the horizontalPodAutoscaler and deletes it. Returns an error if one occurs.
+func (c *horizontalPodAutoscalers) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *horizontalPodAutoscalers) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched horizontalPodAutoscaler.
+func (c *horizontalPodAutoscalers) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v2beta1.HorizontalPodAutoscaler, err error) {
+	result = &v2beta1.HorizontalPodAutoscaler{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("horizontalpodautoscalers").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/batch_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/batch_client.go
new file mode 100644
index 00000000..0973bdc5
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/batch_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/batch/v1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type BatchV1Interface interface {
+	RESTClient() rest.Interface
+	JobsGetter
+}
+
+// BatchV1Client is used to interact with features provided by the batch group.
+type BatchV1Client struct {
+	restClient rest.Interface
+}
+
+func (c *BatchV1Client) Jobs(namespace string) JobInterface {
+	return newJobs(c, namespace)
+}
+
+// NewForConfig creates a new BatchV1Client for the given config.
+func NewForConfig(c *rest.Config) (*BatchV1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &BatchV1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new BatchV1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *BatchV1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new BatchV1Client for the given RESTClient.
+func New(c rest.Interface) *BatchV1Client {
+	return &BatchV1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *BatchV1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/doc.go
new file mode 100644
index 00000000..53d7f29a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/generated_expansion.go
new file mode 100644
index 00000000..a43cb4a9
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+type JobExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/job.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/job.go
new file mode 100644
index 00000000..8454e576
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1/job.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/batch/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// JobsGetter has a method to return a JobInterface.
+// A group's client should implement this interface.
+type JobsGetter interface {
+	Jobs(namespace string) JobInterface
+}
+
+// JobInterface has methods to work with Job resources.
+type JobInterface interface {
+	Create(*v1.Job) (*v1.Job, error)
+	Update(*v1.Job) (*v1.Job, error)
+	UpdateStatus(*v1.Job) (*v1.Job, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.Job, error)
+	List(opts meta_v1.ListOptions) (*v1.JobList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Job, err error)
+	JobExpansion
+}
+
+// jobs implements JobInterface
+type jobs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newJobs returns a Jobs
+func newJobs(c *BatchV1Client, namespace string) *jobs {
+	return &jobs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the job, and returns the corresponding job object, and an error if there is any.
+func (c *jobs) Get(name string, options meta_v1.GetOptions) (result *v1.Job, err error) {
+	result = &v1.Job{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("jobs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Jobs that match those selectors.
+func (c *jobs) List(opts meta_v1.ListOptions) (result *v1.JobList, err error) {
+	result = &v1.JobList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("jobs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested jobs.
+func (c *jobs) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("jobs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a job and creates it.  Returns the server's representation of the job, and an error, if there is any.
+func (c *jobs) Create(job *v1.Job) (result *v1.Job, err error) {
+	result = &v1.Job{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("jobs").
+		Body(job).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a job and updates it. Returns the server's representation of the job, and an error, if there is any.
+func (c *jobs) Update(job *v1.Job) (result *v1.Job, err error) {
+	result = &v1.Job{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("jobs").
+		Name(job.Name).
+		Body(job).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *jobs) UpdateStatus(job *v1.Job) (result *v1.Job, err error) {
+	result = &v1.Job{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("jobs").
+		Name(job.Name).
+		SubResource("status").
+		Body(job).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the job and deletes it. Returns an error if one occurs.
+func (c *jobs) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("jobs").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *jobs) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("jobs").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched job.
+func (c *jobs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Job, err error) {
+	result = &v1.Job{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("jobs").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/batch_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/batch_client.go
new file mode 100644
index 00000000..c46dc6f5
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/batch_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/batch/v1beta1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type BatchV1beta1Interface interface {
+	RESTClient() rest.Interface
+	CronJobsGetter
+}
+
+// BatchV1beta1Client is used to interact with features provided by the batch group.
+type BatchV1beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *BatchV1beta1Client) CronJobs(namespace string) CronJobInterface {
+	return newCronJobs(c, namespace)
+}
+
+// NewForConfig creates a new BatchV1beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*BatchV1beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &BatchV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new BatchV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *BatchV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new BatchV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *BatchV1beta1Client {
+	return &BatchV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *BatchV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/cronjob.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/cronjob.go
new file mode 100644
index 00000000..2c61fcf6
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/cronjob.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/batch/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// CronJobsGetter has a method to return a CronJobInterface.
+// A group's client should implement this interface.
+type CronJobsGetter interface {
+	CronJobs(namespace string) CronJobInterface
+}
+
+// CronJobInterface has methods to work with CronJob resources.
+type CronJobInterface interface {
+	Create(*v1beta1.CronJob) (*v1beta1.CronJob, error)
+	Update(*v1beta1.CronJob) (*v1beta1.CronJob, error)
+	UpdateStatus(*v1beta1.CronJob) (*v1beta1.CronJob, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.CronJob, error)
+	List(opts v1.ListOptions) (*v1beta1.CronJobList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.CronJob, err error)
+	CronJobExpansion
+}
+
+// cronJobs implements CronJobInterface
+type cronJobs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newCronJobs returns a CronJobs
+func newCronJobs(c *BatchV1beta1Client, namespace string) *cronJobs {
+	return &cronJobs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the cronJob, and returns the corresponding cronJob object, and an error if there is any.
+func (c *cronJobs) Get(name string, options v1.GetOptions) (result *v1beta1.CronJob, err error) {
+	result = &v1beta1.CronJob{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CronJobs that match those selectors.
+func (c *cronJobs) List(opts v1.ListOptions) (result *v1beta1.CronJobList, err error) {
+	result = &v1beta1.CronJobList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested cronJobs.
+func (c *cronJobs) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a cronJob and creates it.  Returns the server's representation of the cronJob, and an error, if there is any.
+func (c *cronJobs) Create(cronJob *v1beta1.CronJob) (result *v1beta1.CronJob, err error) {
+	result = &v1beta1.CronJob{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		Body(cronJob).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a cronJob and updates it. Returns the server's representation of the cronJob, and an error, if there is any.
+func (c *cronJobs) Update(cronJob *v1beta1.CronJob) (result *v1beta1.CronJob, err error) {
+	result = &v1beta1.CronJob{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		Name(cronJob.Name).
+		Body(cronJob).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *cronJobs) UpdateStatus(cronJob *v1beta1.CronJob) (result *v1beta1.CronJob, err error) {
+	result = &v1beta1.CronJob{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		Name(cronJob.Name).
+		SubResource("status").
+		Body(cronJob).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the cronJob and deletes it. Returns an error if one occurs.
+func (c *cronJobs) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *cronJobs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched cronJob.
+func (c *cronJobs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.CronJob, err error) {
+	result = &v1beta1.CronJob{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("cronjobs").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/doc.go
new file mode 100644
index 00000000..6bd6c583
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/generated_expansion.go
new file mode 100644
index 00000000..5b7e871b
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v1beta1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+type CronJobExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/batch_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/batch_client.go
new file mode 100644
index 00000000..7d286099
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/batch_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2alpha1
+
+import (
+	v2alpha1 "k8s.io/api/batch/v2alpha1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type BatchV2alpha1Interface interface {
+	RESTClient() rest.Interface
+	CronJobsGetter
+}
+
+// BatchV2alpha1Client is used to interact with features provided by the batch group.
+type BatchV2alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *BatchV2alpha1Client) CronJobs(namespace string) CronJobInterface {
+	return newCronJobs(c, namespace)
+}
+
+// NewForConfig creates a new BatchV2alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*BatchV2alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &BatchV2alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new BatchV2alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *BatchV2alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new BatchV2alpha1Client for the given RESTClient.
+func New(c rest.Interface) *BatchV2alpha1Client {
+	return &BatchV2alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v2alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *BatchV2alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/cronjob.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/cronjob.go
new file mode 100644
index 00000000..5f92d35d
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/cronjob.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2alpha1
+
+import (
+	v2alpha1 "k8s.io/api/batch/v2alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// CronJobsGetter has a method to return a CronJobInterface.
+// A group's client should implement this interface.
+type CronJobsGetter interface {
+	CronJobs(namespace string) CronJobInterface
+}
+
+// CronJobInterface has methods to work with CronJob resources.
+type CronJobInterface interface {
+	Create(*v2alpha1.CronJob) (*v2alpha1.CronJob, error)
+	Update(*v2alpha1.CronJob) (*v2alpha1.CronJob, error)
+	UpdateStatus(*v2alpha1.CronJob) (*v2alpha1.CronJob, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v2alpha1.CronJob, error)
+	List(opts v1.ListOptions) (*v2alpha1.CronJobList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v2alpha1.CronJob, err error)
+	CronJobExpansion
+}
+
+// cronJobs implements CronJobInterface
+type cronJobs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newCronJobs returns a CronJobs
+func newCronJobs(c *BatchV2alpha1Client, namespace string) *cronJobs {
+	return &cronJobs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the cronJob, and returns the corresponding cronJob object, and an error if there is any.
+func (c *cronJobs) Get(name string, options v1.GetOptions) (result *v2alpha1.CronJob, err error) {
+	result = &v2alpha1.CronJob{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CronJobs that match those selectors.
+func (c *cronJobs) List(opts v1.ListOptions) (result *v2alpha1.CronJobList, err error) {
+	result = &v2alpha1.CronJobList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested cronJobs.
+func (c *cronJobs) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a cronJob and creates it.  Returns the server's representation of the cronJob, and an error, if there is any.
+func (c *cronJobs) Create(cronJob *v2alpha1.CronJob) (result *v2alpha1.CronJob, err error) {
+	result = &v2alpha1.CronJob{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		Body(cronJob).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a cronJob and updates it. Returns the server's representation of the cronJob, and an error, if there is any.
+func (c *cronJobs) Update(cronJob *v2alpha1.CronJob) (result *v2alpha1.CronJob, err error) {
+	result = &v2alpha1.CronJob{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		Name(cronJob.Name).
+		Body(cronJob).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *cronJobs) UpdateStatus(cronJob *v2alpha1.CronJob) (result *v2alpha1.CronJob, err error) {
+	result = &v2alpha1.CronJob{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		Name(cronJob.Name).
+		SubResource("status").
+		Body(cronJob).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the cronJob and deletes it. Returns an error if one occurs.
+func (c *cronJobs) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *cronJobs) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("cronjobs").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched cronJob.
+func (c *cronJobs) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v2alpha1.CronJob, err error) {
+	result = &v2alpha1.CronJob{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("cronjobs").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/doc.go
new file mode 100644
index 00000000..c251b0d4
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v2alpha1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/generated_expansion.go
new file mode 100644
index 00000000..d30c055a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/batch/v2alpha1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2alpha1
+
+type CronJobExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificates_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificates_client.go
new file mode 100644
index 00000000..552056b7
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificates_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/certificates/v1beta1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type CertificatesV1beta1Interface interface {
+	RESTClient() rest.Interface
+	CertificateSigningRequestsGetter
+}
+
+// CertificatesV1beta1Client is used to interact with features provided by the certificates.k8s.io group.
+type CertificatesV1beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *CertificatesV1beta1Client) CertificateSigningRequests() CertificateSigningRequestInterface {
+	return newCertificateSigningRequests(c)
+}
+
+// NewForConfig creates a new CertificatesV1beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*CertificatesV1beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &CertificatesV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new CertificatesV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *CertificatesV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new CertificatesV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *CertificatesV1beta1Client {
+	return &CertificatesV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *CertificatesV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificatesigningrequest.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificatesigningrequest.go
new file mode 100644
index 00000000..b8c3a5b0
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificatesigningrequest.go
@@ -0,0 +1,161 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/certificates/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// CertificateSigningRequestsGetter has a method to return a CertificateSigningRequestInterface.
+// A group's client should implement this interface.
+type CertificateSigningRequestsGetter interface {
+	CertificateSigningRequests() CertificateSigningRequestInterface
+}
+
+// CertificateSigningRequestInterface has methods to work with CertificateSigningRequest resources.
+type CertificateSigningRequestInterface interface {
+	Create(*v1beta1.CertificateSigningRequest) (*v1beta1.CertificateSigningRequest, error)
+	Update(*v1beta1.CertificateSigningRequest) (*v1beta1.CertificateSigningRequest, error)
+	UpdateStatus(*v1beta1.CertificateSigningRequest) (*v1beta1.CertificateSigningRequest, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.CertificateSigningRequest, error)
+	List(opts v1.ListOptions) (*v1beta1.CertificateSigningRequestList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.CertificateSigningRequest, err error)
+	CertificateSigningRequestExpansion
+}
+
+// certificateSigningRequests implements CertificateSigningRequestInterface
+type certificateSigningRequests struct {
+	client rest.Interface
+}
+
+// newCertificateSigningRequests returns a CertificateSigningRequests
+func newCertificateSigningRequests(c *CertificatesV1beta1Client) *certificateSigningRequests {
+	return &certificateSigningRequests{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the certificateSigningRequest, and returns the corresponding certificateSigningRequest object, and an error if there is any.
+func (c *certificateSigningRequests) Get(name string, options v1.GetOptions) (result *v1beta1.CertificateSigningRequest, err error) {
+	result = &v1beta1.CertificateSigningRequest{}
+	err = c.client.Get().
+		Resource("certificatesigningrequests").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of CertificateSigningRequests that match those selectors.
+func (c *certificateSigningRequests) List(opts v1.ListOptions) (result *v1beta1.CertificateSigningRequestList, err error) {
+	result = &v1beta1.CertificateSigningRequestList{}
+	err = c.client.Get().
+		Resource("certificatesigningrequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested certificateSigningRequests.
+func (c *certificateSigningRequests) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("certificatesigningrequests").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a certificateSigningRequest and creates it.  Returns the server's representation of the certificateSigningRequest, and an error, if there is any.
+func (c *certificateSigningRequests) Create(certificateSigningRequest *v1beta1.CertificateSigningRequest) (result *v1beta1.CertificateSigningRequest, err error) {
+	result = &v1beta1.CertificateSigningRequest{}
+	err = c.client.Post().
+		Resource("certificatesigningrequests").
+		Body(certificateSigningRequest).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a certificateSigningRequest and updates it. Returns the server's representation of the certificateSigningRequest, and an error, if there is any.
+func (c *certificateSigningRequests) Update(certificateSigningRequest *v1beta1.CertificateSigningRequest) (result *v1beta1.CertificateSigningRequest, err error) {
+	result = &v1beta1.CertificateSigningRequest{}
+	err = c.client.Put().
+		Resource("certificatesigningrequests").
+		Name(certificateSigningRequest.Name).
+		Body(certificateSigningRequest).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *certificateSigningRequests) UpdateStatus(certificateSigningRequest *v1beta1.CertificateSigningRequest) (result *v1beta1.CertificateSigningRequest, err error) {
+	result = &v1beta1.CertificateSigningRequest{}
+	err = c.client.Put().
+		Resource("certificatesigningrequests").
+		Name(certificateSigningRequest.Name).
+		SubResource("status").
+		Body(certificateSigningRequest).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the certificateSigningRequest and deletes it. Returns an error if one occurs.
+func (c *certificateSigningRequests) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("certificatesigningrequests").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *certificateSigningRequests) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("certificatesigningrequests").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched certificateSigningRequest.
+func (c *certificateSigningRequests) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.CertificateSigningRequest, err error) {
+	result = &v1beta1.CertificateSigningRequest{}
+	err = c.client.Patch(pt).
+		Resource("certificatesigningrequests").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificatesigningrequest_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificatesigningrequest_expansion.go
new file mode 100644
index 00000000..c63b8063
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/certificatesigningrequest_expansion.go
@@ -0,0 +1,37 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	certificates "k8s.io/api/certificates/v1beta1"
+)
+
+type CertificateSigningRequestExpansion interface {
+	UpdateApproval(certificateSigningRequest *certificates.CertificateSigningRequest) (result *certificates.CertificateSigningRequest, err error)
+}
+
+func (c *certificateSigningRequests) UpdateApproval(certificateSigningRequest *certificates.CertificateSigningRequest) (result *certificates.CertificateSigningRequest, err error) {
+	result = &certificates.CertificateSigningRequest{}
+	err = c.client.Put().
+		Resource("certificatesigningrequests").
+		Name(certificateSigningRequest.Name).
+		Body(certificateSigningRequest).
+		SubResource("approval").
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/doc.go
new file mode 100644
index 00000000..6bd6c583
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/generated_expansion.go
new file mode 100644
index 00000000..74ad7fa9
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/certificates/v1beta1/generated_expansion.go
@@ -0,0 +1,17 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/componentstatus.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/componentstatus.go
new file mode 100644
index 00000000..26e0a7f1
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/componentstatus.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ComponentStatusesGetter has a method to return a ComponentStatusInterface.
+// A group's client should implement this interface.
+type ComponentStatusesGetter interface {
+	ComponentStatuses() ComponentStatusInterface
+}
+
+// ComponentStatusInterface has methods to work with ComponentStatus resources.
+type ComponentStatusInterface interface {
+	Create(*v1.ComponentStatus) (*v1.ComponentStatus, error)
+	Update(*v1.ComponentStatus) (*v1.ComponentStatus, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.ComponentStatus, error)
+	List(opts meta_v1.ListOptions) (*v1.ComponentStatusList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ComponentStatus, err error)
+	ComponentStatusExpansion
+}
+
+// componentStatuses implements ComponentStatusInterface
+type componentStatuses struct {
+	client rest.Interface
+}
+
+// newComponentStatuses returns a ComponentStatuses
+func newComponentStatuses(c *CoreV1Client) *componentStatuses {
+	return &componentStatuses{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the componentStatus, and returns the corresponding componentStatus object, and an error if there is any.
+func (c *componentStatuses) Get(name string, options meta_v1.GetOptions) (result *v1.ComponentStatus, err error) {
+	result = &v1.ComponentStatus{}
+	err = c.client.Get().
+		Resource("componentstatuses").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ComponentStatuses that match those selectors.
+func (c *componentStatuses) List(opts meta_v1.ListOptions) (result *v1.ComponentStatusList, err error) {
+	result = &v1.ComponentStatusList{}
+	err = c.client.Get().
+		Resource("componentstatuses").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested componentStatuses.
+func (c *componentStatuses) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("componentstatuses").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a componentStatus and creates it.  Returns the server's representation of the componentStatus, and an error, if there is any.
+func (c *componentStatuses) Create(componentStatus *v1.ComponentStatus) (result *v1.ComponentStatus, err error) {
+	result = &v1.ComponentStatus{}
+	err = c.client.Post().
+		Resource("componentstatuses").
+		Body(componentStatus).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a componentStatus and updates it. Returns the server's representation of the componentStatus, and an error, if there is any.
+func (c *componentStatuses) Update(componentStatus *v1.ComponentStatus) (result *v1.ComponentStatus, err error) {
+	result = &v1.ComponentStatus{}
+	err = c.client.Put().
+		Resource("componentstatuses").
+		Name(componentStatus.Name).
+		Body(componentStatus).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the componentStatus and deletes it. Returns an error if one occurs.
+func (c *componentStatuses) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("componentstatuses").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *componentStatuses) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("componentstatuses").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched componentStatus.
+func (c *componentStatuses) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ComponentStatus, err error) {
+	result = &v1.ComponentStatus{}
+	err = c.client.Patch(pt).
+		Resource("componentstatuses").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/configmap.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/configmap.go
new file mode 100644
index 00000000..df75d2a8
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/configmap.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ConfigMapsGetter has a method to return a ConfigMapInterface.
+// A group's client should implement this interface.
+type ConfigMapsGetter interface {
+	ConfigMaps(namespace string) ConfigMapInterface
+}
+
+// ConfigMapInterface has methods to work with ConfigMap resources.
+type ConfigMapInterface interface {
+	Create(*v1.ConfigMap) (*v1.ConfigMap, error)
+	Update(*v1.ConfigMap) (*v1.ConfigMap, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.ConfigMap, error)
+	List(opts meta_v1.ListOptions) (*v1.ConfigMapList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ConfigMap, err error)
+	ConfigMapExpansion
+}
+
+// configMaps implements ConfigMapInterface
+type configMaps struct {
+	client rest.Interface
+	ns     string
+}
+
+// newConfigMaps returns a ConfigMaps
+func newConfigMaps(c *CoreV1Client, namespace string) *configMaps {
+	return &configMaps{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the configMap, and returns the corresponding configMap object, and an error if there is any.
+func (c *configMaps) Get(name string, options meta_v1.GetOptions) (result *v1.ConfigMap, err error) {
+	result = &v1.ConfigMap{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("configmaps").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ConfigMaps that match those selectors.
+func (c *configMaps) List(opts meta_v1.ListOptions) (result *v1.ConfigMapList, err error) {
+	result = &v1.ConfigMapList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("configmaps").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested configMaps.
+func (c *configMaps) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("configmaps").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a configMap and creates it.  Returns the server's representation of the configMap, and an error, if there is any.
+func (c *configMaps) Create(configMap *v1.ConfigMap) (result *v1.ConfigMap, err error) {
+	result = &v1.ConfigMap{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("configmaps").
+		Body(configMap).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a configMap and updates it. Returns the server's representation of the configMap, and an error, if there is any.
+func (c *configMaps) Update(configMap *v1.ConfigMap) (result *v1.ConfigMap, err error) {
+	result = &v1.ConfigMap{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("configmaps").
+		Name(configMap.Name).
+		Body(configMap).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the configMap and deletes it. Returns an error if one occurs.
+func (c *configMaps) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("configmaps").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *configMaps) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("configmaps").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched configMap.
+func (c *configMaps) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ConfigMap, err error) {
+	result = &v1.ConfigMap{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("configmaps").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/core_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/core_client.go
new file mode 100644
index 00000000..b75a3dc1
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/core_client.go
@@ -0,0 +1,163 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type CoreV1Interface interface {
+	RESTClient() rest.Interface
+	ComponentStatusesGetter
+	ConfigMapsGetter
+	EndpointsGetter
+	EventsGetter
+	LimitRangesGetter
+	NamespacesGetter
+	NodesGetter
+	PersistentVolumesGetter
+	PersistentVolumeClaimsGetter
+	PodsGetter
+	PodTemplatesGetter
+	ReplicationControllersGetter
+	ResourceQuotasGetter
+	SecretsGetter
+	ServicesGetter
+	ServiceAccountsGetter
+}
+
+// CoreV1Client is used to interact with features provided by the  group.
+type CoreV1Client struct {
+	restClient rest.Interface
+}
+
+func (c *CoreV1Client) ComponentStatuses() ComponentStatusInterface {
+	return newComponentStatuses(c)
+}
+
+func (c *CoreV1Client) ConfigMaps(namespace string) ConfigMapInterface {
+	return newConfigMaps(c, namespace)
+}
+
+func (c *CoreV1Client) Endpoints(namespace string) EndpointsInterface {
+	return newEndpoints(c, namespace)
+}
+
+func (c *CoreV1Client) Events(namespace string) EventInterface {
+	return newEvents(c, namespace)
+}
+
+func (c *CoreV1Client) LimitRanges(namespace string) LimitRangeInterface {
+	return newLimitRanges(c, namespace)
+}
+
+func (c *CoreV1Client) Namespaces() NamespaceInterface {
+	return newNamespaces(c)
+}
+
+func (c *CoreV1Client) Nodes() NodeInterface {
+	return newNodes(c)
+}
+
+func (c *CoreV1Client) PersistentVolumes() PersistentVolumeInterface {
+	return newPersistentVolumes(c)
+}
+
+func (c *CoreV1Client) PersistentVolumeClaims(namespace string) PersistentVolumeClaimInterface {
+	return newPersistentVolumeClaims(c, namespace)
+}
+
+func (c *CoreV1Client) Pods(namespace string) PodInterface {
+	return newPods(c, namespace)
+}
+
+func (c *CoreV1Client) PodTemplates(namespace string) PodTemplateInterface {
+	return newPodTemplates(c, namespace)
+}
+
+func (c *CoreV1Client) ReplicationControllers(namespace string) ReplicationControllerInterface {
+	return newReplicationControllers(c, namespace)
+}
+
+func (c *CoreV1Client) ResourceQuotas(namespace string) ResourceQuotaInterface {
+	return newResourceQuotas(c, namespace)
+}
+
+func (c *CoreV1Client) Secrets(namespace string) SecretInterface {
+	return newSecrets(c, namespace)
+}
+
+func (c *CoreV1Client) Services(namespace string) ServiceInterface {
+	return newServices(c, namespace)
+}
+
+func (c *CoreV1Client) ServiceAccounts(namespace string) ServiceAccountInterface {
+	return newServiceAccounts(c, namespace)
+}
+
+// NewForConfig creates a new CoreV1Client for the given config.
+func NewForConfig(c *rest.Config) (*CoreV1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &CoreV1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new CoreV1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *CoreV1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new CoreV1Client for the given RESTClient.
+func New(c rest.Interface) *CoreV1Client {
+	return &CoreV1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/api"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *CoreV1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/doc.go
new file mode 100644
index 00000000..53d7f29a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/endpoints.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/endpoints.go
new file mode 100644
index 00000000..f5bc3443
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/endpoints.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// EndpointsGetter has a method to return a EndpointsInterface.
+// A group's client should implement this interface.
+type EndpointsGetter interface {
+	Endpoints(namespace string) EndpointsInterface
+}
+
+// EndpointsInterface has methods to work with Endpoints resources.
+type EndpointsInterface interface {
+	Create(*v1.Endpoints) (*v1.Endpoints, error)
+	Update(*v1.Endpoints) (*v1.Endpoints, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.Endpoints, error)
+	List(opts meta_v1.ListOptions) (*v1.EndpointsList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Endpoints, err error)
+	EndpointsExpansion
+}
+
+// endpoints implements EndpointsInterface
+type endpoints struct {
+	client rest.Interface
+	ns     string
+}
+
+// newEndpoints returns a Endpoints
+func newEndpoints(c *CoreV1Client, namespace string) *endpoints {
+	return &endpoints{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the endpoints, and returns the corresponding endpoints object, and an error if there is any.
+func (c *endpoints) Get(name string, options meta_v1.GetOptions) (result *v1.Endpoints, err error) {
+	result = &v1.Endpoints{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("endpoints").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Endpoints that match those selectors.
+func (c *endpoints) List(opts meta_v1.ListOptions) (result *v1.EndpointsList, err error) {
+	result = &v1.EndpointsList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("endpoints").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested endpoints.
+func (c *endpoints) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("endpoints").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a endpoints and creates it.  Returns the server's representation of the endpoints, and an error, if there is any.
+func (c *endpoints) Create(endpoints *v1.Endpoints) (result *v1.Endpoints, err error) {
+	result = &v1.Endpoints{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("endpoints").
+		Body(endpoints).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a endpoints and updates it. Returns the server's representation of the endpoints, and an error, if there is any.
+func (c *endpoints) Update(endpoints *v1.Endpoints) (result *v1.Endpoints, err error) {
+	result = &v1.Endpoints{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("endpoints").
+		Name(endpoints.Name).
+		Body(endpoints).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the endpoints and deletes it. Returns an error if one occurs.
+func (c *endpoints) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("endpoints").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *endpoints) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("endpoints").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched endpoints.
+func (c *endpoints) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Endpoints, err error) {
+	result = &v1.Endpoints{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("endpoints").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/event.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/event.go
new file mode 100644
index 00000000..bec36116
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/event.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// EventsGetter has a method to return a EventInterface.
+// A group's client should implement this interface.
+type EventsGetter interface {
+	Events(namespace string) EventInterface
+}
+
+// EventInterface has methods to work with Event resources.
+type EventInterface interface {
+	Create(*v1.Event) (*v1.Event, error)
+	Update(*v1.Event) (*v1.Event, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.Event, error)
+	List(opts meta_v1.ListOptions) (*v1.EventList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Event, err error)
+	EventExpansion
+}
+
+// events implements EventInterface
+type events struct {
+	client rest.Interface
+	ns     string
+}
+
+// newEvents returns a Events
+func newEvents(c *CoreV1Client, namespace string) *events {
+	return &events{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the event, and returns the corresponding event object, and an error if there is any.
+func (c *events) Get(name string, options meta_v1.GetOptions) (result *v1.Event, err error) {
+	result = &v1.Event{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("events").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Events that match those selectors.
+func (c *events) List(opts meta_v1.ListOptions) (result *v1.EventList, err error) {
+	result = &v1.EventList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("events").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested events.
+func (c *events) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("events").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a event and creates it.  Returns the server's representation of the event, and an error, if there is any.
+func (c *events) Create(event *v1.Event) (result *v1.Event, err error) {
+	result = &v1.Event{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("events").
+		Body(event).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a event and updates it. Returns the server's representation of the event, and an error, if there is any.
+func (c *events) Update(event *v1.Event) (result *v1.Event, err error) {
+	result = &v1.Event{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("events").
+		Name(event.Name).
+		Body(event).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the event and deletes it. Returns an error if one occurs.
+func (c *events) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("events").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *events) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("events").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched event.
+func (c *events) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Event, err error) {
+	result = &v1.Event{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("events").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/event_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/event_expansion.go
new file mode 100644
index 00000000..6929ade1
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/event_expansion.go
@@ -0,0 +1,164 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"fmt"
+
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	ref "k8s.io/client-go/tools/reference"
+)
+
+// The EventExpansion interface allows manually adding extra methods to the EventInterface.
+type EventExpansion interface {
+	// CreateWithEventNamespace is the same as a Create, except that it sends the request to the event.Namespace.
+	CreateWithEventNamespace(event *v1.Event) (*v1.Event, error)
+	// UpdateWithEventNamespace is the same as a Update, except that it sends the request to the event.Namespace.
+	UpdateWithEventNamespace(event *v1.Event) (*v1.Event, error)
+	PatchWithEventNamespace(event *v1.Event, data []byte) (*v1.Event, error)
+	// Search finds events about the specified object
+	Search(scheme *runtime.Scheme, objOrRef runtime.Object) (*v1.EventList, error)
+	// Returns the appropriate field selector based on the API version being used to communicate with the server.
+	// The returned field selector can be used with List and Watch to filter desired events.
+	GetFieldSelector(involvedObjectName, involvedObjectNamespace, involvedObjectKind, involvedObjectUID *string) fields.Selector
+}
+
+// CreateWithEventNamespace makes a new event. Returns the copy of the event the server returns,
+// or an error. The namespace to create the event within is deduced from the
+// event; it must either match this event client's namespace, or this event
+// client must have been created with the "" namespace.
+func (e *events) CreateWithEventNamespace(event *v1.Event) (*v1.Event, error) {
+	if e.ns != "" && event.Namespace != e.ns {
+		return nil, fmt.Errorf("can't create an event with namespace '%v' in namespace '%v'", event.Namespace, e.ns)
+	}
+	result := &v1.Event{}
+	err := e.client.Post().
+		NamespaceIfScoped(event.Namespace, len(event.Namespace) > 0).
+		Resource("events").
+		Body(event).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// UpdateWithEventNamespace modifies an existing event. It returns the copy of the event that the server returns,
+// or an error. The namespace and key to update the event within is deduced from the event. The
+// namespace must either match this event client's namespace, or this event client must have been
+// created with the "" namespace. Update also requires the ResourceVersion to be set in the event
+// object.
+func (e *events) UpdateWithEventNamespace(event *v1.Event) (*v1.Event, error) {
+	result := &v1.Event{}
+	err := e.client.Put().
+		NamespaceIfScoped(event.Namespace, len(event.Namespace) > 0).
+		Resource("events").
+		Name(event.Name).
+		Body(event).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// PatchWithEventNamespace modifies an existing event. It returns the copy of
+// the event that the server returns, or an error. The namespace and name of the
+// target event is deduced from the incompleteEvent. The namespace must either
+// match this event client's namespace, or this event client must have been
+// created with the "" namespace.
+func (e *events) PatchWithEventNamespace(incompleteEvent *v1.Event, data []byte) (*v1.Event, error) {
+	if e.ns != "" && incompleteEvent.Namespace != e.ns {
+		return nil, fmt.Errorf("can't patch an event with namespace '%v' in namespace '%v'", incompleteEvent.Namespace, e.ns)
+	}
+	result := &v1.Event{}
+	err := e.client.Patch(types.StrategicMergePatchType).
+		NamespaceIfScoped(incompleteEvent.Namespace, len(incompleteEvent.Namespace) > 0).
+		Resource("events").
+		Name(incompleteEvent.Name).
+		Body(data).
+		Do().
+		Into(result)
+	return result, err
+}
+
+// Search finds events about the specified object. The namespace of the
+// object must match this event's client namespace unless the event client
+// was made with the "" namespace.
+func (e *events) Search(scheme *runtime.Scheme, objOrRef runtime.Object) (*v1.EventList, error) {
+	ref, err := ref.GetReference(scheme, objOrRef)
+	if err != nil {
+		return nil, err
+	}
+	if e.ns != "" && ref.Namespace != e.ns {
+		return nil, fmt.Errorf("won't be able to find any events of namespace '%v' in namespace '%v'", ref.Namespace, e.ns)
+	}
+	stringRefKind := string(ref.Kind)
+	var refKind *string
+	if stringRefKind != "" {
+		refKind = &stringRefKind
+	}
+	stringRefUID := string(ref.UID)
+	var refUID *string
+	if stringRefUID != "" {
+		refUID = &stringRefUID
+	}
+	fieldSelector := e.GetFieldSelector(&ref.Name, &ref.Namespace, refKind, refUID)
+	return e.List(metav1.ListOptions{FieldSelector: fieldSelector.String()})
+}
+
+// Returns the appropriate field selector based on the API version being used to communicate with the server.
+// The returned field selector can be used with List and Watch to filter desired events.
+func (e *events) GetFieldSelector(involvedObjectName, involvedObjectNamespace, involvedObjectKind, involvedObjectUID *string) fields.Selector {
+	apiVersion := e.client.APIVersion().String()
+	field := fields.Set{}
+	if involvedObjectName != nil {
+		field[GetInvolvedObjectNameFieldLabel(apiVersion)] = *involvedObjectName
+	}
+	if involvedObjectNamespace != nil {
+		field["involvedObject.namespace"] = *involvedObjectNamespace
+	}
+	if involvedObjectKind != nil {
+		field["involvedObject.kind"] = *involvedObjectKind
+	}
+	if involvedObjectUID != nil {
+		field["involvedObject.uid"] = *involvedObjectUID
+	}
+	return field.AsSelector()
+}
+
+// Returns the appropriate field label to use for name of the involved object as per the given API version.
+func GetInvolvedObjectNameFieldLabel(version string) string {
+	return "involvedObject.name"
+}
+
+// TODO: This is a temporary arrangement and will be removed once all clients are moved to use the clientset.
+type EventSinkImpl struct {
+	Interface EventInterface
+}
+
+func (e *EventSinkImpl) Create(event *v1.Event) (*v1.Event, error) {
+	return e.Interface.CreateWithEventNamespace(event)
+}
+
+func (e *EventSinkImpl) Update(event *v1.Event) (*v1.Event, error) {
+	return e.Interface.UpdateWithEventNamespace(event)
+}
+
+func (e *EventSinkImpl) Patch(event *v1.Event, data []byte) (*v1.Event, error) {
+	return e.Interface.PatchWithEventNamespace(event, data)
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/generated_expansion.go
new file mode 100644
index 00000000..3f4b5f89
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/generated_expansion.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+type ComponentStatusExpansion interface{}
+
+type ConfigMapExpansion interface{}
+
+type EndpointsExpansion interface{}
+
+type LimitRangeExpansion interface{}
+
+type PersistentVolumeExpansion interface{}
+
+type PersistentVolumeClaimExpansion interface{}
+
+type PodTemplateExpansion interface{}
+
+type ReplicationControllerExpansion interface{}
+
+type ResourceQuotaExpansion interface{}
+
+type SecretExpansion interface{}
+
+type ServiceAccountExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/limitrange.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/limitrange.go
new file mode 100644
index 00000000..a21d0927
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/limitrange.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// LimitRangesGetter has a method to return a LimitRangeInterface.
+// A group's client should implement this interface.
+type LimitRangesGetter interface {
+	LimitRanges(namespace string) LimitRangeInterface
+}
+
+// LimitRangeInterface has methods to work with LimitRange resources.
+type LimitRangeInterface interface {
+	Create(*v1.LimitRange) (*v1.LimitRange, error)
+	Update(*v1.LimitRange) (*v1.LimitRange, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.LimitRange, error)
+	List(opts meta_v1.ListOptions) (*v1.LimitRangeList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.LimitRange, err error)
+	LimitRangeExpansion
+}
+
+// limitRanges implements LimitRangeInterface
+type limitRanges struct {
+	client rest.Interface
+	ns     string
+}
+
+// newLimitRanges returns a LimitRanges
+func newLimitRanges(c *CoreV1Client, namespace string) *limitRanges {
+	return &limitRanges{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the limitRange, and returns the corresponding limitRange object, and an error if there is any.
+func (c *limitRanges) Get(name string, options meta_v1.GetOptions) (result *v1.LimitRange, err error) {
+	result = &v1.LimitRange{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("limitranges").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of LimitRanges that match those selectors.
+func (c *limitRanges) List(opts meta_v1.ListOptions) (result *v1.LimitRangeList, err error) {
+	result = &v1.LimitRangeList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("limitranges").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested limitRanges.
+func (c *limitRanges) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("limitranges").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a limitRange and creates it.  Returns the server's representation of the limitRange, and an error, if there is any.
+func (c *limitRanges) Create(limitRange *v1.LimitRange) (result *v1.LimitRange, err error) {
+	result = &v1.LimitRange{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("limitranges").
+		Body(limitRange).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a limitRange and updates it. Returns the server's representation of the limitRange, and an error, if there is any.
+func (c *limitRanges) Update(limitRange *v1.LimitRange) (result *v1.LimitRange, err error) {
+	result = &v1.LimitRange{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("limitranges").
+		Name(limitRange.Name).
+		Body(limitRange).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the limitRange and deletes it. Returns an error if one occurs.
+func (c *limitRanges) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("limitranges").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *limitRanges) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("limitranges").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched limitRange.
+func (c *limitRanges) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.LimitRange, err error) {
+	result = &v1.LimitRange{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("limitranges").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/namespace.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/namespace.go
new file mode 100644
index 00000000..a1c59959
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/namespace.go
@@ -0,0 +1,161 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// NamespacesGetter has a method to return a NamespaceInterface.
+// A group's client should implement this interface.
+type NamespacesGetter interface {
+	Namespaces() NamespaceInterface
+}
+
+// NamespaceInterface has methods to work with Namespace resources.
+type NamespaceInterface interface {
+	Create(*v1.Namespace) (*v1.Namespace, error)
+	Update(*v1.Namespace) (*v1.Namespace, error)
+	UpdateStatus(*v1.Namespace) (*v1.Namespace, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.Namespace, error)
+	List(opts meta_v1.ListOptions) (*v1.NamespaceList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Namespace, err error)
+	NamespaceExpansion
+}
+
+// namespaces implements NamespaceInterface
+type namespaces struct {
+	client rest.Interface
+}
+
+// newNamespaces returns a Namespaces
+func newNamespaces(c *CoreV1Client) *namespaces {
+	return &namespaces{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the namespace, and returns the corresponding namespace object, and an error if there is any.
+func (c *namespaces) Get(name string, options meta_v1.GetOptions) (result *v1.Namespace, err error) {
+	result = &v1.Namespace{}
+	err = c.client.Get().
+		Resource("namespaces").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Namespaces that match those selectors.
+func (c *namespaces) List(opts meta_v1.ListOptions) (result *v1.NamespaceList, err error) {
+	result = &v1.NamespaceList{}
+	err = c.client.Get().
+		Resource("namespaces").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested namespaces.
+func (c *namespaces) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("namespaces").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a namespace and creates it.  Returns the server's representation of the namespace, and an error, if there is any.
+func (c *namespaces) Create(namespace *v1.Namespace) (result *v1.Namespace, err error) {
+	result = &v1.Namespace{}
+	err = c.client.Post().
+		Resource("namespaces").
+		Body(namespace).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a namespace and updates it. Returns the server's representation of the namespace, and an error, if there is any.
+func (c *namespaces) Update(namespace *v1.Namespace) (result *v1.Namespace, err error) {
+	result = &v1.Namespace{}
+	err = c.client.Put().
+		Resource("namespaces").
+		Name(namespace.Name).
+		Body(namespace).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *namespaces) UpdateStatus(namespace *v1.Namespace) (result *v1.Namespace, err error) {
+	result = &v1.Namespace{}
+	err = c.client.Put().
+		Resource("namespaces").
+		Name(namespace.Name).
+		SubResource("status").
+		Body(namespace).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the namespace and deletes it. Returns an error if one occurs.
+func (c *namespaces) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("namespaces").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *namespaces) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("namespaces").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched namespace.
+func (c *namespaces) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Namespace, err error) {
+	result = &v1.Namespace{}
+	err = c.client.Patch(pt).
+		Resource("namespaces").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/namespace_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/namespace_expansion.go
new file mode 100644
index 00000000..17effe29
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/namespace_expansion.go
@@ -0,0 +1,31 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import "k8s.io/api/core/v1"
+
+// The NamespaceExpansion interface allows manually adding extra methods to the NamespaceInterface.
+type NamespaceExpansion interface {
+	Finalize(item *v1.Namespace) (*v1.Namespace, error)
+}
+
+// Finalize takes the representation of a namespace to update.  Returns the server's representation of the namespace, and an error, if it occurs.
+func (c *namespaces) Finalize(namespace *v1.Namespace) (result *v1.Namespace, err error) {
+	result = &v1.Namespace{}
+	err = c.client.Put().Resource("namespaces").Name(namespace.Name).SubResource("finalize").Body(namespace).Do().Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/node.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/node.go
new file mode 100644
index 00000000..d7625137
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/node.go
@@ -0,0 +1,161 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// NodesGetter has a method to return a NodeInterface.
+// A group's client should implement this interface.
+type NodesGetter interface {
+	Nodes() NodeInterface
+}
+
+// NodeInterface has methods to work with Node resources.
+type NodeInterface interface {
+	Create(*v1.Node) (*v1.Node, error)
+	Update(*v1.Node) (*v1.Node, error)
+	UpdateStatus(*v1.Node) (*v1.Node, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.Node, error)
+	List(opts meta_v1.ListOptions) (*v1.NodeList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Node, err error)
+	NodeExpansion
+}
+
+// nodes implements NodeInterface
+type nodes struct {
+	client rest.Interface
+}
+
+// newNodes returns a Nodes
+func newNodes(c *CoreV1Client) *nodes {
+	return &nodes{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the node, and returns the corresponding node object, and an error if there is any.
+func (c *nodes) Get(name string, options meta_v1.GetOptions) (result *v1.Node, err error) {
+	result = &v1.Node{}
+	err = c.client.Get().
+		Resource("nodes").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Nodes that match those selectors.
+func (c *nodes) List(opts meta_v1.ListOptions) (result *v1.NodeList, err error) {
+	result = &v1.NodeList{}
+	err = c.client.Get().
+		Resource("nodes").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested nodes.
+func (c *nodes) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("nodes").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a node and creates it.  Returns the server's representation of the node, and an error, if there is any.
+func (c *nodes) Create(node *v1.Node) (result *v1.Node, err error) {
+	result = &v1.Node{}
+	err = c.client.Post().
+		Resource("nodes").
+		Body(node).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a node and updates it. Returns the server's representation of the node, and an error, if there is any.
+func (c *nodes) Update(node *v1.Node) (result *v1.Node, err error) {
+	result = &v1.Node{}
+	err = c.client.Put().
+		Resource("nodes").
+		Name(node.Name).
+		Body(node).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *nodes) UpdateStatus(node *v1.Node) (result *v1.Node, err error) {
+	result = &v1.Node{}
+	err = c.client.Put().
+		Resource("nodes").
+		Name(node.Name).
+		SubResource("status").
+		Body(node).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the node and deletes it. Returns an error if one occurs.
+func (c *nodes) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("nodes").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *nodes) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("nodes").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched node.
+func (c *nodes) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Node, err error) {
+	result = &v1.Node{}
+	err = c.client.Patch(pt).
+		Resource("nodes").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/node_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/node_expansion.go
new file mode 100644
index 00000000..5db29c3f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/node_expansion.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// The NodeExpansion interface allows manually adding extra methods to the NodeInterface.
+type NodeExpansion interface {
+	// PatchStatus modifies the status of an existing node. It returns the copy
+	// of the node that the server returns, or an error.
+	PatchStatus(nodeName string, data []byte) (*v1.Node, error)
+}
+
+// PatchStatus modifies the status of an existing node. It returns the copy of
+// the node that the server returns, or an error.
+func (c *nodes) PatchStatus(nodeName string, data []byte) (*v1.Node, error) {
+	result := &v1.Node{}
+	err := c.client.Patch(types.StrategicMergePatchType).
+		Resource("nodes").
+		Name(nodeName).
+		SubResource("status").
+		Body(data).
+		Do().
+		Into(result)
+	return result, err
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/persistentvolume.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/persistentvolume.go
new file mode 100644
index 00000000..36a88177
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/persistentvolume.go
@@ -0,0 +1,161 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// PersistentVolumesGetter has a method to return a PersistentVolumeInterface.
+// A group's client should implement this interface.
+type PersistentVolumesGetter interface {
+	PersistentVolumes() PersistentVolumeInterface
+}
+
+// PersistentVolumeInterface has methods to work with PersistentVolume resources.
+type PersistentVolumeInterface interface {
+	Create(*v1.PersistentVolume) (*v1.PersistentVolume, error)
+	Update(*v1.PersistentVolume) (*v1.PersistentVolume, error)
+	UpdateStatus(*v1.PersistentVolume) (*v1.PersistentVolume, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.PersistentVolume, error)
+	List(opts meta_v1.ListOptions) (*v1.PersistentVolumeList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.PersistentVolume, err error)
+	PersistentVolumeExpansion
+}
+
+// persistentVolumes implements PersistentVolumeInterface
+type persistentVolumes struct {
+	client rest.Interface
+}
+
+// newPersistentVolumes returns a PersistentVolumes
+func newPersistentVolumes(c *CoreV1Client) *persistentVolumes {
+	return &persistentVolumes{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the persistentVolume, and returns the corresponding persistentVolume object, and an error if there is any.
+func (c *persistentVolumes) Get(name string, options meta_v1.GetOptions) (result *v1.PersistentVolume, err error) {
+	result = &v1.PersistentVolume{}
+	err = c.client.Get().
+		Resource("persistentvolumes").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of PersistentVolumes that match those selectors.
+func (c *persistentVolumes) List(opts meta_v1.ListOptions) (result *v1.PersistentVolumeList, err error) {
+	result = &v1.PersistentVolumeList{}
+	err = c.client.Get().
+		Resource("persistentvolumes").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested persistentVolumes.
+func (c *persistentVolumes) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("persistentvolumes").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a persistentVolume and creates it.  Returns the server's representation of the persistentVolume, and an error, if there is any.
+func (c *persistentVolumes) Create(persistentVolume *v1.PersistentVolume) (result *v1.PersistentVolume, err error) {
+	result = &v1.PersistentVolume{}
+	err = c.client.Post().
+		Resource("persistentvolumes").
+		Body(persistentVolume).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a persistentVolume and updates it. Returns the server's representation of the persistentVolume, and an error, if there is any.
+func (c *persistentVolumes) Update(persistentVolume *v1.PersistentVolume) (result *v1.PersistentVolume, err error) {
+	result = &v1.PersistentVolume{}
+	err = c.client.Put().
+		Resource("persistentvolumes").
+		Name(persistentVolume.Name).
+		Body(persistentVolume).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *persistentVolumes) UpdateStatus(persistentVolume *v1.PersistentVolume) (result *v1.PersistentVolume, err error) {
+	result = &v1.PersistentVolume{}
+	err = c.client.Put().
+		Resource("persistentvolumes").
+		Name(persistentVolume.Name).
+		SubResource("status").
+		Body(persistentVolume).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the persistentVolume and deletes it. Returns an error if one occurs.
+func (c *persistentVolumes) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("persistentvolumes").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *persistentVolumes) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("persistentvolumes").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched persistentVolume.
+func (c *persistentVolumes) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.PersistentVolume, err error) {
+	result = &v1.PersistentVolume{}
+	err = c.client.Patch(pt).
+		Resource("persistentvolumes").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/persistentvolumeclaim.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/persistentvolumeclaim.go
new file mode 100644
index 00000000..d60566f8
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/persistentvolumeclaim.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// PersistentVolumeClaimsGetter has a method to return a PersistentVolumeClaimInterface.
+// A group's client should implement this interface.
+type PersistentVolumeClaimsGetter interface {
+	PersistentVolumeClaims(namespace string) PersistentVolumeClaimInterface
+}
+
+// PersistentVolumeClaimInterface has methods to work with PersistentVolumeClaim resources.
+type PersistentVolumeClaimInterface interface {
+	Create(*v1.PersistentVolumeClaim) (*v1.PersistentVolumeClaim, error)
+	Update(*v1.PersistentVolumeClaim) (*v1.PersistentVolumeClaim, error)
+	UpdateStatus(*v1.PersistentVolumeClaim) (*v1.PersistentVolumeClaim, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.PersistentVolumeClaim, error)
+	List(opts meta_v1.ListOptions) (*v1.PersistentVolumeClaimList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.PersistentVolumeClaim, err error)
+	PersistentVolumeClaimExpansion
+}
+
+// persistentVolumeClaims implements PersistentVolumeClaimInterface
+type persistentVolumeClaims struct {
+	client rest.Interface
+	ns     string
+}
+
+// newPersistentVolumeClaims returns a PersistentVolumeClaims
+func newPersistentVolumeClaims(c *CoreV1Client, namespace string) *persistentVolumeClaims {
+	return &persistentVolumeClaims{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the persistentVolumeClaim, and returns the corresponding persistentVolumeClaim object, and an error if there is any.
+func (c *persistentVolumeClaims) Get(name string, options meta_v1.GetOptions) (result *v1.PersistentVolumeClaim, err error) {
+	result = &v1.PersistentVolumeClaim{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("persistentvolumeclaims").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of PersistentVolumeClaims that match those selectors.
+func (c *persistentVolumeClaims) List(opts meta_v1.ListOptions) (result *v1.PersistentVolumeClaimList, err error) {
+	result = &v1.PersistentVolumeClaimList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("persistentvolumeclaims").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested persistentVolumeClaims.
+func (c *persistentVolumeClaims) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("persistentvolumeclaims").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a persistentVolumeClaim and creates it.  Returns the server's representation of the persistentVolumeClaim, and an error, if there is any.
+func (c *persistentVolumeClaims) Create(persistentVolumeClaim *v1.PersistentVolumeClaim) (result *v1.PersistentVolumeClaim, err error) {
+	result = &v1.PersistentVolumeClaim{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("persistentvolumeclaims").
+		Body(persistentVolumeClaim).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a persistentVolumeClaim and updates it. Returns the server's representation of the persistentVolumeClaim, and an error, if there is any.
+func (c *persistentVolumeClaims) Update(persistentVolumeClaim *v1.PersistentVolumeClaim) (result *v1.PersistentVolumeClaim, err error) {
+	result = &v1.PersistentVolumeClaim{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("persistentvolumeclaims").
+		Name(persistentVolumeClaim.Name).
+		Body(persistentVolumeClaim).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *persistentVolumeClaims) UpdateStatus(persistentVolumeClaim *v1.PersistentVolumeClaim) (result *v1.PersistentVolumeClaim, err error) {
+	result = &v1.PersistentVolumeClaim{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("persistentvolumeclaims").
+		Name(persistentVolumeClaim.Name).
+		SubResource("status").
+		Body(persistentVolumeClaim).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the persistentVolumeClaim and deletes it. Returns an error if one occurs.
+func (c *persistentVolumeClaims) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("persistentvolumeclaims").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *persistentVolumeClaims) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("persistentvolumeclaims").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched persistentVolumeClaim.
+func (c *persistentVolumeClaims) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.PersistentVolumeClaim, err error) {
+	result = &v1.PersistentVolumeClaim{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("persistentvolumeclaims").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/pod.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/pod.go
new file mode 100644
index 00000000..3825a1cc
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/pod.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// PodsGetter has a method to return a PodInterface.
+// A group's client should implement this interface.
+type PodsGetter interface {
+	Pods(namespace string) PodInterface
+}
+
+// PodInterface has methods to work with Pod resources.
+type PodInterface interface {
+	Create(*v1.Pod) (*v1.Pod, error)
+	Update(*v1.Pod) (*v1.Pod, error)
+	UpdateStatus(*v1.Pod) (*v1.Pod, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.Pod, error)
+	List(opts meta_v1.ListOptions) (*v1.PodList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Pod, err error)
+	PodExpansion
+}
+
+// pods implements PodInterface
+type pods struct {
+	client rest.Interface
+	ns     string
+}
+
+// newPods returns a Pods
+func newPods(c *CoreV1Client, namespace string) *pods {
+	return &pods{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the pod, and returns the corresponding pod object, and an error if there is any.
+func (c *pods) Get(name string, options meta_v1.GetOptions) (result *v1.Pod, err error) {
+	result = &v1.Pod{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("pods").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Pods that match those selectors.
+func (c *pods) List(opts meta_v1.ListOptions) (result *v1.PodList, err error) {
+	result = &v1.PodList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("pods").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested pods.
+func (c *pods) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("pods").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a pod and creates it.  Returns the server's representation of the pod, and an error, if there is any.
+func (c *pods) Create(pod *v1.Pod) (result *v1.Pod, err error) {
+	result = &v1.Pod{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("pods").
+		Body(pod).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a pod and updates it. Returns the server's representation of the pod, and an error, if there is any.
+func (c *pods) Update(pod *v1.Pod) (result *v1.Pod, err error) {
+	result = &v1.Pod{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("pods").
+		Name(pod.Name).
+		Body(pod).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *pods) UpdateStatus(pod *v1.Pod) (result *v1.Pod, err error) {
+	result = &v1.Pod{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("pods").
+		Name(pod.Name).
+		SubResource("status").
+		Body(pod).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the pod and deletes it. Returns an error if one occurs.
+func (c *pods) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("pods").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *pods) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("pods").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched pod.
+func (c *pods) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Pod, err error) {
+	result = &v1.Pod{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("pods").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/pod_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/pod_expansion.go
new file mode 100644
index 00000000..ed876be8
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/pod_expansion.go
@@ -0,0 +1,45 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/api/core/v1"
+	policy "k8s.io/api/policy/v1beta1"
+	"k8s.io/client-go/kubernetes/scheme"
+	restclient "k8s.io/client-go/rest"
+)
+
+// The PodExpansion interface allows manually adding extra methods to the PodInterface.
+type PodExpansion interface {
+	Bind(binding *v1.Binding) error
+	Evict(eviction *policy.Eviction) error
+	GetLogs(name string, opts *v1.PodLogOptions) *restclient.Request
+}
+
+// Bind applies the provided binding to the named pod in the current namespace (binding.Namespace is ignored).
+func (c *pods) Bind(binding *v1.Binding) error {
+	return c.client.Post().Namespace(c.ns).Resource("pods").Name(binding.Name).SubResource("binding").Body(binding).Do().Error()
+}
+
+func (c *pods) Evict(eviction *policy.Eviction) error {
+	return c.client.Post().Namespace(c.ns).Resource("pods").Name(eviction.Name).SubResource("eviction").Body(eviction).Do().Error()
+}
+
+// Get constructs a request for getting the logs for a pod
+func (c *pods) GetLogs(name string, opts *v1.PodLogOptions) *restclient.Request {
+	return c.client.Get().Namespace(c.ns).Name(name).Resource("pods").SubResource("log").VersionedParams(opts, scheme.ParameterCodec)
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/podtemplate.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/podtemplate.go
new file mode 100644
index 00000000..028423ad
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/podtemplate.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// PodTemplatesGetter has a method to return a PodTemplateInterface.
+// A group's client should implement this interface.
+type PodTemplatesGetter interface {
+	PodTemplates(namespace string) PodTemplateInterface
+}
+
+// PodTemplateInterface has methods to work with PodTemplate resources.
+type PodTemplateInterface interface {
+	Create(*v1.PodTemplate) (*v1.PodTemplate, error)
+	Update(*v1.PodTemplate) (*v1.PodTemplate, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.PodTemplate, error)
+	List(opts meta_v1.ListOptions) (*v1.PodTemplateList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.PodTemplate, err error)
+	PodTemplateExpansion
+}
+
+// podTemplates implements PodTemplateInterface
+type podTemplates struct {
+	client rest.Interface
+	ns     string
+}
+
+// newPodTemplates returns a PodTemplates
+func newPodTemplates(c *CoreV1Client, namespace string) *podTemplates {
+	return &podTemplates{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the podTemplate, and returns the corresponding podTemplate object, and an error if there is any.
+func (c *podTemplates) Get(name string, options meta_v1.GetOptions) (result *v1.PodTemplate, err error) {
+	result = &v1.PodTemplate{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("podtemplates").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of PodTemplates that match those selectors.
+func (c *podTemplates) List(opts meta_v1.ListOptions) (result *v1.PodTemplateList, err error) {
+	result = &v1.PodTemplateList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("podtemplates").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested podTemplates.
+func (c *podTemplates) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("podtemplates").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a podTemplate and creates it.  Returns the server's representation of the podTemplate, and an error, if there is any.
+func (c *podTemplates) Create(podTemplate *v1.PodTemplate) (result *v1.PodTemplate, err error) {
+	result = &v1.PodTemplate{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("podtemplates").
+		Body(podTemplate).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a podTemplate and updates it. Returns the server's representation of the podTemplate, and an error, if there is any.
+func (c *podTemplates) Update(podTemplate *v1.PodTemplate) (result *v1.PodTemplate, err error) {
+	result = &v1.PodTemplate{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("podtemplates").
+		Name(podTemplate.Name).
+		Body(podTemplate).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the podTemplate and deletes it. Returns an error if one occurs.
+func (c *podTemplates) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("podtemplates").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *podTemplates) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("podtemplates").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched podTemplate.
+func (c *podTemplates) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.PodTemplate, err error) {
+	result = &v1.PodTemplate{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("podtemplates").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/replicationcontroller.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/replicationcontroller.go
new file mode 100644
index 00000000..36b3141c
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/replicationcontroller.go
@@ -0,0 +1,204 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	v1beta1 "k8s.io/api/extensions/v1beta1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ReplicationControllersGetter has a method to return a ReplicationControllerInterface.
+// A group's client should implement this interface.
+type ReplicationControllersGetter interface {
+	ReplicationControllers(namespace string) ReplicationControllerInterface
+}
+
+// ReplicationControllerInterface has methods to work with ReplicationController resources.
+type ReplicationControllerInterface interface {
+	Create(*v1.ReplicationController) (*v1.ReplicationController, error)
+	Update(*v1.ReplicationController) (*v1.ReplicationController, error)
+	UpdateStatus(*v1.ReplicationController) (*v1.ReplicationController, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.ReplicationController, error)
+	List(opts meta_v1.ListOptions) (*v1.ReplicationControllerList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ReplicationController, err error)
+	GetScale(replicationControllerName string, options meta_v1.GetOptions) (*v1beta1.Scale, error)
+	UpdateScale(replicationControllerName string, scale *v1beta1.Scale) (*v1beta1.Scale, error)
+
+	ReplicationControllerExpansion
+}
+
+// replicationControllers implements ReplicationControllerInterface
+type replicationControllers struct {
+	client rest.Interface
+	ns     string
+}
+
+// newReplicationControllers returns a ReplicationControllers
+func newReplicationControllers(c *CoreV1Client, namespace string) *replicationControllers {
+	return &replicationControllers{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the replicationController, and returns the corresponding replicationController object, and an error if there is any.
+func (c *replicationControllers) Get(name string, options meta_v1.GetOptions) (result *v1.ReplicationController, err error) {
+	result = &v1.ReplicationController{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ReplicationControllers that match those selectors.
+func (c *replicationControllers) List(opts meta_v1.ListOptions) (result *v1.ReplicationControllerList, err error) {
+	result = &v1.ReplicationControllerList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested replicationControllers.
+func (c *replicationControllers) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a replicationController and creates it.  Returns the server's representation of the replicationController, and an error, if there is any.
+func (c *replicationControllers) Create(replicationController *v1.ReplicationController) (result *v1.ReplicationController, err error) {
+	result = &v1.ReplicationController{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		Body(replicationController).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a replicationController and updates it. Returns the server's representation of the replicationController, and an error, if there is any.
+func (c *replicationControllers) Update(replicationController *v1.ReplicationController) (result *v1.ReplicationController, err error) {
+	result = &v1.ReplicationController{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		Name(replicationController.Name).
+		Body(replicationController).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *replicationControllers) UpdateStatus(replicationController *v1.ReplicationController) (result *v1.ReplicationController, err error) {
+	result = &v1.ReplicationController{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		Name(replicationController.Name).
+		SubResource("status").
+		Body(replicationController).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the replicationController and deletes it. Returns an error if one occurs.
+func (c *replicationControllers) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *replicationControllers) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched replicationController.
+func (c *replicationControllers) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ReplicationController, err error) {
+	result = &v1.ReplicationController{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
+
+// GetScale takes name of the replicationController, and returns the corresponding v1beta1.Scale object, and an error if there is any.
+func (c *replicationControllers) GetScale(replicationControllerName string, options meta_v1.GetOptions) (result *v1beta1.Scale, err error) {
+	result = &v1beta1.Scale{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		Name(replicationControllerName).
+		SubResource("scale").
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateScale takes the top resource name and the representation of a scale and updates it. Returns the server's representation of the scale, and an error, if there is any.
+func (c *replicationControllers) UpdateScale(replicationControllerName string, scale *v1beta1.Scale) (result *v1beta1.Scale, err error) {
+	result = &v1beta1.Scale{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("replicationcontrollers").
+		Name(replicationControllerName).
+		SubResource("scale").
+		Body(scale).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/resourcequota.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/resourcequota.go
new file mode 100644
index 00000000..99032622
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/resourcequota.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ResourceQuotasGetter has a method to return a ResourceQuotaInterface.
+// A group's client should implement this interface.
+type ResourceQuotasGetter interface {
+	ResourceQuotas(namespace string) ResourceQuotaInterface
+}
+
+// ResourceQuotaInterface has methods to work with ResourceQuota resources.
+type ResourceQuotaInterface interface {
+	Create(*v1.ResourceQuota) (*v1.ResourceQuota, error)
+	Update(*v1.ResourceQuota) (*v1.ResourceQuota, error)
+	UpdateStatus(*v1.ResourceQuota) (*v1.ResourceQuota, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.ResourceQuota, error)
+	List(opts meta_v1.ListOptions) (*v1.ResourceQuotaList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ResourceQuota, err error)
+	ResourceQuotaExpansion
+}
+
+// resourceQuotas implements ResourceQuotaInterface
+type resourceQuotas struct {
+	client rest.Interface
+	ns     string
+}
+
+// newResourceQuotas returns a ResourceQuotas
+func newResourceQuotas(c *CoreV1Client, namespace string) *resourceQuotas {
+	return &resourceQuotas{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the resourceQuota, and returns the corresponding resourceQuota object, and an error if there is any.
+func (c *resourceQuotas) Get(name string, options meta_v1.GetOptions) (result *v1.ResourceQuota, err error) {
+	result = &v1.ResourceQuota{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("resourcequotas").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ResourceQuotas that match those selectors.
+func (c *resourceQuotas) List(opts meta_v1.ListOptions) (result *v1.ResourceQuotaList, err error) {
+	result = &v1.ResourceQuotaList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("resourcequotas").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested resourceQuotas.
+func (c *resourceQuotas) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("resourcequotas").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a resourceQuota and creates it.  Returns the server's representation of the resourceQuota, and an error, if there is any.
+func (c *resourceQuotas) Create(resourceQuota *v1.ResourceQuota) (result *v1.ResourceQuota, err error) {
+	result = &v1.ResourceQuota{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("resourcequotas").
+		Body(resourceQuota).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a resourceQuota and updates it. Returns the server's representation of the resourceQuota, and an error, if there is any.
+func (c *resourceQuotas) Update(resourceQuota *v1.ResourceQuota) (result *v1.ResourceQuota, err error) {
+	result = &v1.ResourceQuota{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("resourcequotas").
+		Name(resourceQuota.Name).
+		Body(resourceQuota).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *resourceQuotas) UpdateStatus(resourceQuota *v1.ResourceQuota) (result *v1.ResourceQuota, err error) {
+	result = &v1.ResourceQuota{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("resourcequotas").
+		Name(resourceQuota.Name).
+		SubResource("status").
+		Body(resourceQuota).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the resourceQuota and deletes it. Returns an error if one occurs.
+func (c *resourceQuotas) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("resourcequotas").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *resourceQuotas) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("resourcequotas").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched resourceQuota.
+func (c *resourceQuotas) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ResourceQuota, err error) {
+	result = &v1.ResourceQuota{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("resourcequotas").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/secret.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/secret.go
new file mode 100644
index 00000000..a21a2167
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/secret.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// SecretsGetter has a method to return a SecretInterface.
+// A group's client should implement this interface.
+type SecretsGetter interface {
+	Secrets(namespace string) SecretInterface
+}
+
+// SecretInterface has methods to work with Secret resources.
+type SecretInterface interface {
+	Create(*v1.Secret) (*v1.Secret, error)
+	Update(*v1.Secret) (*v1.Secret, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.Secret, error)
+	List(opts meta_v1.ListOptions) (*v1.SecretList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Secret, err error)
+	SecretExpansion
+}
+
+// secrets implements SecretInterface
+type secrets struct {
+	client rest.Interface
+	ns     string
+}
+
+// newSecrets returns a Secrets
+func newSecrets(c *CoreV1Client, namespace string) *secrets {
+	return &secrets{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the secret, and returns the corresponding secret object, and an error if there is any.
+func (c *secrets) Get(name string, options meta_v1.GetOptions) (result *v1.Secret, err error) {
+	result = &v1.Secret{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("secrets").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Secrets that match those selectors.
+func (c *secrets) List(opts meta_v1.ListOptions) (result *v1.SecretList, err error) {
+	result = &v1.SecretList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("secrets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested secrets.
+func (c *secrets) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("secrets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a secret and creates it.  Returns the server's representation of the secret, and an error, if there is any.
+func (c *secrets) Create(secret *v1.Secret) (result *v1.Secret, err error) {
+	result = &v1.Secret{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("secrets").
+		Body(secret).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a secret and updates it. Returns the server's representation of the secret, and an error, if there is any.
+func (c *secrets) Update(secret *v1.Secret) (result *v1.Secret, err error) {
+	result = &v1.Secret{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("secrets").
+		Name(secret.Name).
+		Body(secret).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the secret and deletes it. Returns an error if one occurs.
+func (c *secrets) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("secrets").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *secrets) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("secrets").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched secret.
+func (c *secrets) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Secret, err error) {
+	result = &v1.Secret{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("secrets").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/service.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/service.go
new file mode 100644
index 00000000..74471474
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/service.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ServicesGetter has a method to return a ServiceInterface.
+// A group's client should implement this interface.
+type ServicesGetter interface {
+	Services(namespace string) ServiceInterface
+}
+
+// ServiceInterface has methods to work with Service resources.
+type ServiceInterface interface {
+	Create(*v1.Service) (*v1.Service, error)
+	Update(*v1.Service) (*v1.Service, error)
+	UpdateStatus(*v1.Service) (*v1.Service, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.Service, error)
+	List(opts meta_v1.ListOptions) (*v1.ServiceList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Service, err error)
+	ServiceExpansion
+}
+
+// services implements ServiceInterface
+type services struct {
+	client rest.Interface
+	ns     string
+}
+
+// newServices returns a Services
+func newServices(c *CoreV1Client, namespace string) *services {
+	return &services{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the service, and returns the corresponding service object, and an error if there is any.
+func (c *services) Get(name string, options meta_v1.GetOptions) (result *v1.Service, err error) {
+	result = &v1.Service{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("services").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Services that match those selectors.
+func (c *services) List(opts meta_v1.ListOptions) (result *v1.ServiceList, err error) {
+	result = &v1.ServiceList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("services").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested services.
+func (c *services) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("services").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a service and creates it.  Returns the server's representation of the service, and an error, if there is any.
+func (c *services) Create(service *v1.Service) (result *v1.Service, err error) {
+	result = &v1.Service{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("services").
+		Body(service).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a service and updates it. Returns the server's representation of the service, and an error, if there is any.
+func (c *services) Update(service *v1.Service) (result *v1.Service, err error) {
+	result = &v1.Service{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("services").
+		Name(service.Name).
+		Body(service).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *services) UpdateStatus(service *v1.Service) (result *v1.Service, err error) {
+	result = &v1.Service{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("services").
+		Name(service.Name).
+		SubResource("status").
+		Body(service).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the service and deletes it. Returns an error if one occurs.
+func (c *services) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("services").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *services) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("services").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched service.
+func (c *services) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Service, err error) {
+	result = &v1.Service{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("services").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/service_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/service_expansion.go
new file mode 100644
index 00000000..4937fd1a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/service_expansion.go
@@ -0,0 +1,41 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/util/net"
+	restclient "k8s.io/client-go/rest"
+)
+
+// The ServiceExpansion interface allows manually adding extra methods to the ServiceInterface.
+type ServiceExpansion interface {
+	ProxyGet(scheme, name, port, path string, params map[string]string) restclient.ResponseWrapper
+}
+
+// ProxyGet returns a response of the service by calling it through the proxy.
+func (c *services) ProxyGet(scheme, name, port, path string, params map[string]string) restclient.ResponseWrapper {
+	request := c.client.Get().
+		Namespace(c.ns).
+		Resource("services").
+		SubResource("proxy").
+		Name(net.JoinSchemeNamePort(scheme, name, port)).
+		Suffix(path)
+	for k, v := range params {
+		request = request.Param(k, v)
+	}
+	return request
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/serviceaccount.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/serviceaccount.go
new file mode 100644
index 00000000..c3fbebd5
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/core/v1/serviceaccount.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/core/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ServiceAccountsGetter has a method to return a ServiceAccountInterface.
+// A group's client should implement this interface.
+type ServiceAccountsGetter interface {
+	ServiceAccounts(namespace string) ServiceAccountInterface
+}
+
+// ServiceAccountInterface has methods to work with ServiceAccount resources.
+type ServiceAccountInterface interface {
+	Create(*v1.ServiceAccount) (*v1.ServiceAccount, error)
+	Update(*v1.ServiceAccount) (*v1.ServiceAccount, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.ServiceAccount, error)
+	List(opts meta_v1.ListOptions) (*v1.ServiceAccountList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ServiceAccount, err error)
+	ServiceAccountExpansion
+}
+
+// serviceAccounts implements ServiceAccountInterface
+type serviceAccounts struct {
+	client rest.Interface
+	ns     string
+}
+
+// newServiceAccounts returns a ServiceAccounts
+func newServiceAccounts(c *CoreV1Client, namespace string) *serviceAccounts {
+	return &serviceAccounts{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the serviceAccount, and returns the corresponding serviceAccount object, and an error if there is any.
+func (c *serviceAccounts) Get(name string, options meta_v1.GetOptions) (result *v1.ServiceAccount, err error) {
+	result = &v1.ServiceAccount{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("serviceaccounts").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ServiceAccounts that match those selectors.
+func (c *serviceAccounts) List(opts meta_v1.ListOptions) (result *v1.ServiceAccountList, err error) {
+	result = &v1.ServiceAccountList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("serviceaccounts").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested serviceAccounts.
+func (c *serviceAccounts) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("serviceaccounts").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a serviceAccount and creates it.  Returns the server's representation of the serviceAccount, and an error, if there is any.
+func (c *serviceAccounts) Create(serviceAccount *v1.ServiceAccount) (result *v1.ServiceAccount, err error) {
+	result = &v1.ServiceAccount{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("serviceaccounts").
+		Body(serviceAccount).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a serviceAccount and updates it. Returns the server's representation of the serviceAccount, and an error, if there is any.
+func (c *serviceAccounts) Update(serviceAccount *v1.ServiceAccount) (result *v1.ServiceAccount, err error) {
+	result = &v1.ServiceAccount{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("serviceaccounts").
+		Name(serviceAccount.Name).
+		Body(serviceAccount).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the serviceAccount and deletes it. Returns an error if one occurs.
+func (c *serviceAccounts) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("serviceaccounts").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *serviceAccounts) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("serviceaccounts").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched serviceAccount.
+func (c *serviceAccounts) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ServiceAccount, err error) {
+	result = &v1.ServiceAccount{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("serviceaccounts").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/daemonset.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/daemonset.go
new file mode 100644
index 00000000..f33ce3eb
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/daemonset.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/extensions/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// DaemonSetsGetter has a method to return a DaemonSetInterface.
+// A group's client should implement this interface.
+type DaemonSetsGetter interface {
+	DaemonSets(namespace string) DaemonSetInterface
+}
+
+// DaemonSetInterface has methods to work with DaemonSet resources.
+type DaemonSetInterface interface {
+	Create(*v1beta1.DaemonSet) (*v1beta1.DaemonSet, error)
+	Update(*v1beta1.DaemonSet) (*v1beta1.DaemonSet, error)
+	UpdateStatus(*v1beta1.DaemonSet) (*v1beta1.DaemonSet, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.DaemonSet, error)
+	List(opts v1.ListOptions) (*v1beta1.DaemonSetList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.DaemonSet, err error)
+	DaemonSetExpansion
+}
+
+// daemonSets implements DaemonSetInterface
+type daemonSets struct {
+	client rest.Interface
+	ns     string
+}
+
+// newDaemonSets returns a DaemonSets
+func newDaemonSets(c *ExtensionsV1beta1Client, namespace string) *daemonSets {
+	return &daemonSets{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the daemonSet, and returns the corresponding daemonSet object, and an error if there is any.
+func (c *daemonSets) Get(name string, options v1.GetOptions) (result *v1beta1.DaemonSet, err error) {
+	result = &v1beta1.DaemonSet{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of DaemonSets that match those selectors.
+func (c *daemonSets) List(opts v1.ListOptions) (result *v1beta1.DaemonSetList, err error) {
+	result = &v1beta1.DaemonSetList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested daemonSets.
+func (c *daemonSets) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a daemonSet and creates it.  Returns the server's representation of the daemonSet, and an error, if there is any.
+func (c *daemonSets) Create(daemonSet *v1beta1.DaemonSet) (result *v1beta1.DaemonSet, err error) {
+	result = &v1beta1.DaemonSet{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		Body(daemonSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a daemonSet and updates it. Returns the server's representation of the daemonSet, and an error, if there is any.
+func (c *daemonSets) Update(daemonSet *v1beta1.DaemonSet) (result *v1beta1.DaemonSet, err error) {
+	result = &v1beta1.DaemonSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		Name(daemonSet.Name).
+		Body(daemonSet).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *daemonSets) UpdateStatus(daemonSet *v1beta1.DaemonSet) (result *v1beta1.DaemonSet, err error) {
+	result = &v1beta1.DaemonSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		Name(daemonSet.Name).
+		SubResource("status").
+		Body(daemonSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the daemonSet and deletes it. Returns an error if one occurs.
+func (c *daemonSets) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *daemonSets) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("daemonsets").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched daemonSet.
+func (c *daemonSets) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.DaemonSet, err error) {
+	result = &v1beta1.DaemonSet{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("daemonsets").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/deployment.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/deployment.go
new file mode 100644
index 00000000..91eab950
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/deployment.go
@@ -0,0 +1,203 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/extensions/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// DeploymentsGetter has a method to return a DeploymentInterface.
+// A group's client should implement this interface.
+type DeploymentsGetter interface {
+	Deployments(namespace string) DeploymentInterface
+}
+
+// DeploymentInterface has methods to work with Deployment resources.
+type DeploymentInterface interface {
+	Create(*v1beta1.Deployment) (*v1beta1.Deployment, error)
+	Update(*v1beta1.Deployment) (*v1beta1.Deployment, error)
+	UpdateStatus(*v1beta1.Deployment) (*v1beta1.Deployment, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.Deployment, error)
+	List(opts v1.ListOptions) (*v1beta1.DeploymentList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.Deployment, err error)
+	GetScale(deploymentName string, options v1.GetOptions) (*v1beta1.Scale, error)
+	UpdateScale(deploymentName string, scale *v1beta1.Scale) (*v1beta1.Scale, error)
+
+	DeploymentExpansion
+}
+
+// deployments implements DeploymentInterface
+type deployments struct {
+	client rest.Interface
+	ns     string
+}
+
+// newDeployments returns a Deployments
+func newDeployments(c *ExtensionsV1beta1Client, namespace string) *deployments {
+	return &deployments{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the deployment, and returns the corresponding deployment object, and an error if there is any.
+func (c *deployments) Get(name string, options v1.GetOptions) (result *v1beta1.Deployment, err error) {
+	result = &v1beta1.Deployment{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Deployments that match those selectors.
+func (c *deployments) List(opts v1.ListOptions) (result *v1beta1.DeploymentList, err error) {
+	result = &v1beta1.DeploymentList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("deployments").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested deployments.
+func (c *deployments) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("deployments").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a deployment and creates it.  Returns the server's representation of the deployment, and an error, if there is any.
+func (c *deployments) Create(deployment *v1beta1.Deployment) (result *v1beta1.Deployment, err error) {
+	result = &v1beta1.Deployment{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("deployments").
+		Body(deployment).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a deployment and updates it. Returns the server's representation of the deployment, and an error, if there is any.
+func (c *deployments) Update(deployment *v1beta1.Deployment) (result *v1beta1.Deployment, err error) {
+	result = &v1beta1.Deployment{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(deployment.Name).
+		Body(deployment).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *deployments) UpdateStatus(deployment *v1beta1.Deployment) (result *v1beta1.Deployment, err error) {
+	result = &v1beta1.Deployment{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(deployment.Name).
+		SubResource("status").
+		Body(deployment).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the deployment and deletes it. Returns an error if one occurs.
+func (c *deployments) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *deployments) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("deployments").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched deployment.
+func (c *deployments) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.Deployment, err error) {
+	result = &v1beta1.Deployment{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("deployments").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
+
+// GetScale takes name of the deployment, and returns the corresponding v1beta1.Scale object, and an error if there is any.
+func (c *deployments) GetScale(deploymentName string, options v1.GetOptions) (result *v1beta1.Scale, err error) {
+	result = &v1beta1.Scale{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(deploymentName).
+		SubResource("scale").
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateScale takes the top resource name and the representation of a scale and updates it. Returns the server's representation of the scale, and an error, if there is any.
+func (c *deployments) UpdateScale(deploymentName string, scale *v1beta1.Scale) (result *v1beta1.Scale, err error) {
+	result = &v1beta1.Scale{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("deployments").
+		Name(deploymentName).
+		SubResource("scale").
+		Body(scale).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/deployment_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/deployment_expansion.go
new file mode 100644
index 00000000..24734be6
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/deployment_expansion.go
@@ -0,0 +1,29 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import "k8s.io/api/extensions/v1beta1"
+
+// The DeploymentExpansion interface allows manually adding extra methods to the DeploymentInterface.
+type DeploymentExpansion interface {
+	Rollback(*v1beta1.DeploymentRollback) error
+}
+
+// Rollback applied the provided DeploymentRollback to the named deployment in the current namespace.
+func (c *deployments) Rollback(deploymentRollback *v1beta1.DeploymentRollback) error {
+	return c.client.Post().Namespace(c.ns).Resource("deployments").Name(deploymentRollback.Name).SubResource("rollback").Body(deploymentRollback).Do().Error()
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/doc.go
new file mode 100644
index 00000000..6bd6c583
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/extensions_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/extensions_client.go
new file mode 100644
index 00000000..78b3671e
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/extensions_client.go
@@ -0,0 +1,118 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/extensions/v1beta1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type ExtensionsV1beta1Interface interface {
+	RESTClient() rest.Interface
+	DaemonSetsGetter
+	DeploymentsGetter
+	IngressesGetter
+	PodSecurityPoliciesGetter
+	ReplicaSetsGetter
+	ScalesGetter
+	ThirdPartyResourcesGetter
+}
+
+// ExtensionsV1beta1Client is used to interact with features provided by the extensions group.
+type ExtensionsV1beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *ExtensionsV1beta1Client) DaemonSets(namespace string) DaemonSetInterface {
+	return newDaemonSets(c, namespace)
+}
+
+func (c *ExtensionsV1beta1Client) Deployments(namespace string) DeploymentInterface {
+	return newDeployments(c, namespace)
+}
+
+func (c *ExtensionsV1beta1Client) Ingresses(namespace string) IngressInterface {
+	return newIngresses(c, namespace)
+}
+
+func (c *ExtensionsV1beta1Client) PodSecurityPolicies() PodSecurityPolicyInterface {
+	return newPodSecurityPolicies(c)
+}
+
+func (c *ExtensionsV1beta1Client) ReplicaSets(namespace string) ReplicaSetInterface {
+	return newReplicaSets(c, namespace)
+}
+
+func (c *ExtensionsV1beta1Client) Scales(namespace string) ScaleInterface {
+	return newScales(c, namespace)
+}
+
+func (c *ExtensionsV1beta1Client) ThirdPartyResources() ThirdPartyResourceInterface {
+	return newThirdPartyResources(c)
+}
+
+// NewForConfig creates a new ExtensionsV1beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*ExtensionsV1beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &ExtensionsV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new ExtensionsV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *ExtensionsV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new ExtensionsV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *ExtensionsV1beta1Client {
+	return &ExtensionsV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *ExtensionsV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/generated_expansion.go
new file mode 100644
index 00000000..4b6863fc
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/generated_expansion.go
@@ -0,0 +1,27 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+type DaemonSetExpansion interface{}
+
+type IngressExpansion interface{}
+
+type PodSecurityPolicyExpansion interface{}
+
+type ReplicaSetExpansion interface{}
+
+type ThirdPartyResourceExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/ingress.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/ingress.go
new file mode 100644
index 00000000..e9ba108a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/ingress.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/extensions/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// IngressesGetter has a method to return a IngressInterface.
+// A group's client should implement this interface.
+type IngressesGetter interface {
+	Ingresses(namespace string) IngressInterface
+}
+
+// IngressInterface has methods to work with Ingress resources.
+type IngressInterface interface {
+	Create(*v1beta1.Ingress) (*v1beta1.Ingress, error)
+	Update(*v1beta1.Ingress) (*v1beta1.Ingress, error)
+	UpdateStatus(*v1beta1.Ingress) (*v1beta1.Ingress, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.Ingress, error)
+	List(opts v1.ListOptions) (*v1beta1.IngressList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.Ingress, err error)
+	IngressExpansion
+}
+
+// ingresses implements IngressInterface
+type ingresses struct {
+	client rest.Interface
+	ns     string
+}
+
+// newIngresses returns a Ingresses
+func newIngresses(c *ExtensionsV1beta1Client, namespace string) *ingresses {
+	return &ingresses{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the ingress, and returns the corresponding ingress object, and an error if there is any.
+func (c *ingresses) Get(name string, options v1.GetOptions) (result *v1beta1.Ingress, err error) {
+	result = &v1beta1.Ingress{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("ingresses").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Ingresses that match those selectors.
+func (c *ingresses) List(opts v1.ListOptions) (result *v1beta1.IngressList, err error) {
+	result = &v1beta1.IngressList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("ingresses").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested ingresses.
+func (c *ingresses) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("ingresses").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a ingress and creates it.  Returns the server's representation of the ingress, and an error, if there is any.
+func (c *ingresses) Create(ingress *v1beta1.Ingress) (result *v1beta1.Ingress, err error) {
+	result = &v1beta1.Ingress{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("ingresses").
+		Body(ingress).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a ingress and updates it. Returns the server's representation of the ingress, and an error, if there is any.
+func (c *ingresses) Update(ingress *v1beta1.Ingress) (result *v1beta1.Ingress, err error) {
+	result = &v1beta1.Ingress{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("ingresses").
+		Name(ingress.Name).
+		Body(ingress).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *ingresses) UpdateStatus(ingress *v1beta1.Ingress) (result *v1beta1.Ingress, err error) {
+	result = &v1beta1.Ingress{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("ingresses").
+		Name(ingress.Name).
+		SubResource("status").
+		Body(ingress).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the ingress and deletes it. Returns an error if one occurs.
+func (c *ingresses) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("ingresses").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *ingresses) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("ingresses").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched ingress.
+func (c *ingresses) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.Ingress, err error) {
+	result = &v1beta1.Ingress{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("ingresses").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/podsecuritypolicy.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/podsecuritypolicy.go
new file mode 100644
index 00000000..a1c274c2
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/podsecuritypolicy.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/extensions/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// PodSecurityPoliciesGetter has a method to return a PodSecurityPolicyInterface.
+// A group's client should implement this interface.
+type PodSecurityPoliciesGetter interface {
+	PodSecurityPolicies() PodSecurityPolicyInterface
+}
+
+// PodSecurityPolicyInterface has methods to work with PodSecurityPolicy resources.
+type PodSecurityPolicyInterface interface {
+	Create(*v1beta1.PodSecurityPolicy) (*v1beta1.PodSecurityPolicy, error)
+	Update(*v1beta1.PodSecurityPolicy) (*v1beta1.PodSecurityPolicy, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.PodSecurityPolicy, error)
+	List(opts v1.ListOptions) (*v1beta1.PodSecurityPolicyList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.PodSecurityPolicy, err error)
+	PodSecurityPolicyExpansion
+}
+
+// podSecurityPolicies implements PodSecurityPolicyInterface
+type podSecurityPolicies struct {
+	client rest.Interface
+}
+
+// newPodSecurityPolicies returns a PodSecurityPolicies
+func newPodSecurityPolicies(c *ExtensionsV1beta1Client) *podSecurityPolicies {
+	return &podSecurityPolicies{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the podSecurityPolicy, and returns the corresponding podSecurityPolicy object, and an error if there is any.
+func (c *podSecurityPolicies) Get(name string, options v1.GetOptions) (result *v1beta1.PodSecurityPolicy, err error) {
+	result = &v1beta1.PodSecurityPolicy{}
+	err = c.client.Get().
+		Resource("podsecuritypolicies").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of PodSecurityPolicies that match those selectors.
+func (c *podSecurityPolicies) List(opts v1.ListOptions) (result *v1beta1.PodSecurityPolicyList, err error) {
+	result = &v1beta1.PodSecurityPolicyList{}
+	err = c.client.Get().
+		Resource("podsecuritypolicies").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested podSecurityPolicies.
+func (c *podSecurityPolicies) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("podsecuritypolicies").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a podSecurityPolicy and creates it.  Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
+func (c *podSecurityPolicies) Create(podSecurityPolicy *v1beta1.PodSecurityPolicy) (result *v1beta1.PodSecurityPolicy, err error) {
+	result = &v1beta1.PodSecurityPolicy{}
+	err = c.client.Post().
+		Resource("podsecuritypolicies").
+		Body(podSecurityPolicy).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a podSecurityPolicy and updates it. Returns the server's representation of the podSecurityPolicy, and an error, if there is any.
+func (c *podSecurityPolicies) Update(podSecurityPolicy *v1beta1.PodSecurityPolicy) (result *v1beta1.PodSecurityPolicy, err error) {
+	result = &v1beta1.PodSecurityPolicy{}
+	err = c.client.Put().
+		Resource("podsecuritypolicies").
+		Name(podSecurityPolicy.Name).
+		Body(podSecurityPolicy).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the podSecurityPolicy and deletes it. Returns an error if one occurs.
+func (c *podSecurityPolicies) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("podsecuritypolicies").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *podSecurityPolicies) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("podsecuritypolicies").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched podSecurityPolicy.
+func (c *podSecurityPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.PodSecurityPolicy, err error) {
+	result = &v1beta1.PodSecurityPolicy{}
+	err = c.client.Patch(pt).
+		Resource("podsecuritypolicies").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/replicaset.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/replicaset.go
new file mode 100644
index 00000000..ed68f458
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/replicaset.go
@@ -0,0 +1,203 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/extensions/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ReplicaSetsGetter has a method to return a ReplicaSetInterface.
+// A group's client should implement this interface.
+type ReplicaSetsGetter interface {
+	ReplicaSets(namespace string) ReplicaSetInterface
+}
+
+// ReplicaSetInterface has methods to work with ReplicaSet resources.
+type ReplicaSetInterface interface {
+	Create(*v1beta1.ReplicaSet) (*v1beta1.ReplicaSet, error)
+	Update(*v1beta1.ReplicaSet) (*v1beta1.ReplicaSet, error)
+	UpdateStatus(*v1beta1.ReplicaSet) (*v1beta1.ReplicaSet, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.ReplicaSet, error)
+	List(opts v1.ListOptions) (*v1beta1.ReplicaSetList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.ReplicaSet, err error)
+	GetScale(replicaSetName string, options v1.GetOptions) (*v1beta1.Scale, error)
+	UpdateScale(replicaSetName string, scale *v1beta1.Scale) (*v1beta1.Scale, error)
+
+	ReplicaSetExpansion
+}
+
+// replicaSets implements ReplicaSetInterface
+type replicaSets struct {
+	client rest.Interface
+	ns     string
+}
+
+// newReplicaSets returns a ReplicaSets
+func newReplicaSets(c *ExtensionsV1beta1Client, namespace string) *replicaSets {
+	return &replicaSets{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the replicaSet, and returns the corresponding replicaSet object, and an error if there is any.
+func (c *replicaSets) Get(name string, options v1.GetOptions) (result *v1beta1.ReplicaSet, err error) {
+	result = &v1beta1.ReplicaSet{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ReplicaSets that match those selectors.
+func (c *replicaSets) List(opts v1.ListOptions) (result *v1beta1.ReplicaSetList, err error) {
+	result = &v1beta1.ReplicaSetList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("replicasets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested replicaSets.
+func (c *replicaSets) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("replicasets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a replicaSet and creates it.  Returns the server's representation of the replicaSet, and an error, if there is any.
+func (c *replicaSets) Create(replicaSet *v1beta1.ReplicaSet) (result *v1beta1.ReplicaSet, err error) {
+	result = &v1beta1.ReplicaSet{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Body(replicaSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a replicaSet and updates it. Returns the server's representation of the replicaSet, and an error, if there is any.
+func (c *replicaSets) Update(replicaSet *v1beta1.ReplicaSet) (result *v1beta1.ReplicaSet, err error) {
+	result = &v1beta1.ReplicaSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Name(replicaSet.Name).
+		Body(replicaSet).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *replicaSets) UpdateStatus(replicaSet *v1beta1.ReplicaSet) (result *v1beta1.ReplicaSet, err error) {
+	result = &v1beta1.ReplicaSet{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Name(replicaSet.Name).
+		SubResource("status").
+		Body(replicaSet).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the replicaSet and deletes it. Returns an error if one occurs.
+func (c *replicaSets) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *replicaSets) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("replicasets").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched replicaSet.
+func (c *replicaSets) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.ReplicaSet, err error) {
+	result = &v1beta1.ReplicaSet{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("replicasets").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
+
+// GetScale takes name of the replicaSet, and returns the corresponding v1beta1.Scale object, and an error if there is any.
+func (c *replicaSets) GetScale(replicaSetName string, options v1.GetOptions) (result *v1beta1.Scale, err error) {
+	result = &v1beta1.Scale{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Name(replicaSetName).
+		SubResource("scale").
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateScale takes the top resource name and the representation of a scale and updates it. Returns the server's representation of the scale, and an error, if there is any.
+func (c *replicaSets) UpdateScale(replicaSetName string, scale *v1beta1.Scale) (result *v1beta1.Scale, err error) {
+	result = &v1beta1.Scale{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("replicasets").
+		Name(replicaSetName).
+		SubResource("scale").
+		Body(scale).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/scale.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/scale.go
new file mode 100644
index 00000000..8d62590c
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/scale.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// ScalesGetter has a method to return a ScaleInterface.
+// A group's client should implement this interface.
+type ScalesGetter interface {
+	Scales(namespace string) ScaleInterface
+}
+
+// ScaleInterface has methods to work with Scale resources.
+type ScaleInterface interface {
+	ScaleExpansion
+}
+
+// scales implements ScaleInterface
+type scales struct {
+	client rest.Interface
+	ns     string
+}
+
+// newScales returns a Scales
+func newScales(c *ExtensionsV1beta1Client, namespace string) *scales {
+	return &scales{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/scale_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/scale_expansion.go
new file mode 100644
index 00000000..c9733cb2
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/scale_expansion.go
@@ -0,0 +1,65 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"k8s.io/api/extensions/v1beta1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// The ScaleExpansion interface allows manually adding extra methods to the ScaleInterface.
+type ScaleExpansion interface {
+	Get(kind string, name string) (*v1beta1.Scale, error)
+	Update(kind string, scale *v1beta1.Scale) (*v1beta1.Scale, error)
+}
+
+// Get takes the reference to scale subresource and returns the subresource or error, if one occurs.
+func (c *scales) Get(kind string, name string) (result *v1beta1.Scale, err error) {
+	result = &v1beta1.Scale{}
+
+	// TODO this method needs to take a proper unambiguous kind
+	fullyQualifiedKind := schema.GroupVersionKind{Kind: kind}
+	resource, _ := meta.UnsafeGuessKindToResource(fullyQualifiedKind)
+
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource(resource.Resource).
+		Name(name).
+		SubResource("scale").
+		Do().
+		Into(result)
+	return
+}
+
+func (c *scales) Update(kind string, scale *v1beta1.Scale) (result *v1beta1.Scale, err error) {
+	result = &v1beta1.Scale{}
+
+	// TODO this method needs to take a proper unambiguous kind
+	fullyQualifiedKind := schema.GroupVersionKind{Kind: kind}
+	resource, _ := meta.UnsafeGuessKindToResource(fullyQualifiedKind)
+
+	err = c.client.Put().
+		Namespace(scale.Namespace).
+		Resource(resource.Resource).
+		Name(scale.Name).
+		SubResource("scale").
+		Body(scale).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/thirdpartyresource.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/thirdpartyresource.go
new file mode 100644
index 00000000..64f3b1b3
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/extensions/v1beta1/thirdpartyresource.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/extensions/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ThirdPartyResourcesGetter has a method to return a ThirdPartyResourceInterface.
+// A group's client should implement this interface.
+type ThirdPartyResourcesGetter interface {
+	ThirdPartyResources() ThirdPartyResourceInterface
+}
+
+// ThirdPartyResourceInterface has methods to work with ThirdPartyResource resources.
+type ThirdPartyResourceInterface interface {
+	Create(*v1beta1.ThirdPartyResource) (*v1beta1.ThirdPartyResource, error)
+	Update(*v1beta1.ThirdPartyResource) (*v1beta1.ThirdPartyResource, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.ThirdPartyResource, error)
+	List(opts v1.ListOptions) (*v1beta1.ThirdPartyResourceList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.ThirdPartyResource, err error)
+	ThirdPartyResourceExpansion
+}
+
+// thirdPartyResources implements ThirdPartyResourceInterface
+type thirdPartyResources struct {
+	client rest.Interface
+}
+
+// newThirdPartyResources returns a ThirdPartyResources
+func newThirdPartyResources(c *ExtensionsV1beta1Client) *thirdPartyResources {
+	return &thirdPartyResources{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the thirdPartyResource, and returns the corresponding thirdPartyResource object, and an error if there is any.
+func (c *thirdPartyResources) Get(name string, options v1.GetOptions) (result *v1beta1.ThirdPartyResource, err error) {
+	result = &v1beta1.ThirdPartyResource{}
+	err = c.client.Get().
+		Resource("thirdpartyresources").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ThirdPartyResources that match those selectors.
+func (c *thirdPartyResources) List(opts v1.ListOptions) (result *v1beta1.ThirdPartyResourceList, err error) {
+	result = &v1beta1.ThirdPartyResourceList{}
+	err = c.client.Get().
+		Resource("thirdpartyresources").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested thirdPartyResources.
+func (c *thirdPartyResources) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("thirdpartyresources").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a thirdPartyResource and creates it.  Returns the server's representation of the thirdPartyResource, and an error, if there is any.
+func (c *thirdPartyResources) Create(thirdPartyResource *v1beta1.ThirdPartyResource) (result *v1beta1.ThirdPartyResource, err error) {
+	result = &v1beta1.ThirdPartyResource{}
+	err = c.client.Post().
+		Resource("thirdpartyresources").
+		Body(thirdPartyResource).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a thirdPartyResource and updates it. Returns the server's representation of the thirdPartyResource, and an error, if there is any.
+func (c *thirdPartyResources) Update(thirdPartyResource *v1beta1.ThirdPartyResource) (result *v1beta1.ThirdPartyResource, err error) {
+	result = &v1beta1.ThirdPartyResource{}
+	err = c.client.Put().
+		Resource("thirdpartyresources").
+		Name(thirdPartyResource.Name).
+		Body(thirdPartyResource).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the thirdPartyResource and deletes it. Returns an error if one occurs.
+func (c *thirdPartyResources) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("thirdpartyresources").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *thirdPartyResources) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("thirdpartyresources").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched thirdPartyResource.
+func (c *thirdPartyResources) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.ThirdPartyResource, err error) {
+	result = &v1beta1.ThirdPartyResource{}
+	err = c.client.Patch(pt).
+		Resource("thirdpartyresources").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/doc.go
new file mode 100644
index 00000000..53d7f29a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/generated_expansion.go
new file mode 100644
index 00000000..6c72ca5c
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+type NetworkPolicyExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/networking_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/networking_client.go
new file mode 100644
index 00000000..d1059d02
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/networking_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/networking/v1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type NetworkingV1Interface interface {
+	RESTClient() rest.Interface
+	NetworkPoliciesGetter
+}
+
+// NetworkingV1Client is used to interact with features provided by the networking.k8s.io group.
+type NetworkingV1Client struct {
+	restClient rest.Interface
+}
+
+func (c *NetworkingV1Client) NetworkPolicies(namespace string) NetworkPolicyInterface {
+	return newNetworkPolicies(c, namespace)
+}
+
+// NewForConfig creates a new NetworkingV1Client for the given config.
+func NewForConfig(c *rest.Config) (*NetworkingV1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &NetworkingV1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new NetworkingV1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *NetworkingV1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new NetworkingV1Client for the given RESTClient.
+func New(c rest.Interface) *NetworkingV1Client {
+	return &NetworkingV1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *NetworkingV1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/networkpolicy.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/networkpolicy.go
new file mode 100644
index 00000000..8b151823
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/networking/v1/networkpolicy.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/networking/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// NetworkPoliciesGetter has a method to return a NetworkPolicyInterface.
+// A group's client should implement this interface.
+type NetworkPoliciesGetter interface {
+	NetworkPolicies(namespace string) NetworkPolicyInterface
+}
+
+// NetworkPolicyInterface has methods to work with NetworkPolicy resources.
+type NetworkPolicyInterface interface {
+	Create(*v1.NetworkPolicy) (*v1.NetworkPolicy, error)
+	Update(*v1.NetworkPolicy) (*v1.NetworkPolicy, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.NetworkPolicy, error)
+	List(opts meta_v1.ListOptions) (*v1.NetworkPolicyList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.NetworkPolicy, err error)
+	NetworkPolicyExpansion
+}
+
+// networkPolicies implements NetworkPolicyInterface
+type networkPolicies struct {
+	client rest.Interface
+	ns     string
+}
+
+// newNetworkPolicies returns a NetworkPolicies
+func newNetworkPolicies(c *NetworkingV1Client, namespace string) *networkPolicies {
+	return &networkPolicies{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the networkPolicy, and returns the corresponding networkPolicy object, and an error if there is any.
+func (c *networkPolicies) Get(name string, options meta_v1.GetOptions) (result *v1.NetworkPolicy, err error) {
+	result = &v1.NetworkPolicy{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("networkpolicies").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of NetworkPolicies that match those selectors.
+func (c *networkPolicies) List(opts meta_v1.ListOptions) (result *v1.NetworkPolicyList, err error) {
+	result = &v1.NetworkPolicyList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("networkpolicies").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested networkPolicies.
+func (c *networkPolicies) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("networkpolicies").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a networkPolicy and creates it.  Returns the server's representation of the networkPolicy, and an error, if there is any.
+func (c *networkPolicies) Create(networkPolicy *v1.NetworkPolicy) (result *v1.NetworkPolicy, err error) {
+	result = &v1.NetworkPolicy{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("networkpolicies").
+		Body(networkPolicy).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a networkPolicy and updates it. Returns the server's representation of the networkPolicy, and an error, if there is any.
+func (c *networkPolicies) Update(networkPolicy *v1.NetworkPolicy) (result *v1.NetworkPolicy, err error) {
+	result = &v1.NetworkPolicy{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("networkpolicies").
+		Name(networkPolicy.Name).
+		Body(networkPolicy).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the networkPolicy and deletes it. Returns an error if one occurs.
+func (c *networkPolicies) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("networkpolicies").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *networkPolicies) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("networkpolicies").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched networkPolicy.
+func (c *networkPolicies) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.NetworkPolicy, err error) {
+	result = &v1.NetworkPolicy{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("networkpolicies").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/doc.go
new file mode 100644
index 00000000..6bd6c583
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/eviction.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/eviction.go
new file mode 100644
index 00000000..63e3a682
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/eviction.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	rest "k8s.io/client-go/rest"
+)
+
+// EvictionsGetter has a method to return a EvictionInterface.
+// A group's client should implement this interface.
+type EvictionsGetter interface {
+	Evictions(namespace string) EvictionInterface
+}
+
+// EvictionInterface has methods to work with Eviction resources.
+type EvictionInterface interface {
+	EvictionExpansion
+}
+
+// evictions implements EvictionInterface
+type evictions struct {
+	client rest.Interface
+	ns     string
+}
+
+// newEvictions returns a Evictions
+func newEvictions(c *PolicyV1beta1Client, namespace string) *evictions {
+	return &evictions{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/eviction_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/eviction_expansion.go
new file mode 100644
index 00000000..40bad265
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/eviction_expansion.go
@@ -0,0 +1,38 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	policy "k8s.io/api/policy/v1beta1"
+)
+
+// The EvictionExpansion interface allows manually adding extra methods to the ScaleInterface.
+type EvictionExpansion interface {
+	Evict(eviction *policy.Eviction) error
+}
+
+func (c *evictions) Evict(eviction *policy.Eviction) error {
+	return c.client.Post().
+		AbsPath("/api/v1").
+		Namespace(eviction.Namespace).
+		Resource("pods").
+		Name(eviction.Name).
+		SubResource("eviction").
+		Body(eviction).
+		Do().
+		Error()
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/generated_expansion.go
new file mode 100644
index 00000000..a119239c
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+type PodDisruptionBudgetExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/poddisruptionbudget.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/poddisruptionbudget.go
new file mode 100644
index 00000000..45d2c176
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/poddisruptionbudget.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/policy/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// PodDisruptionBudgetsGetter has a method to return a PodDisruptionBudgetInterface.
+// A group's client should implement this interface.
+type PodDisruptionBudgetsGetter interface {
+	PodDisruptionBudgets(namespace string) PodDisruptionBudgetInterface
+}
+
+// PodDisruptionBudgetInterface has methods to work with PodDisruptionBudget resources.
+type PodDisruptionBudgetInterface interface {
+	Create(*v1beta1.PodDisruptionBudget) (*v1beta1.PodDisruptionBudget, error)
+	Update(*v1beta1.PodDisruptionBudget) (*v1beta1.PodDisruptionBudget, error)
+	UpdateStatus(*v1beta1.PodDisruptionBudget) (*v1beta1.PodDisruptionBudget, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.PodDisruptionBudget, error)
+	List(opts v1.ListOptions) (*v1beta1.PodDisruptionBudgetList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.PodDisruptionBudget, err error)
+	PodDisruptionBudgetExpansion
+}
+
+// podDisruptionBudgets implements PodDisruptionBudgetInterface
+type podDisruptionBudgets struct {
+	client rest.Interface
+	ns     string
+}
+
+// newPodDisruptionBudgets returns a PodDisruptionBudgets
+func newPodDisruptionBudgets(c *PolicyV1beta1Client, namespace string) *podDisruptionBudgets {
+	return &podDisruptionBudgets{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the podDisruptionBudget, and returns the corresponding podDisruptionBudget object, and an error if there is any.
+func (c *podDisruptionBudgets) Get(name string, options v1.GetOptions) (result *v1beta1.PodDisruptionBudget, err error) {
+	result = &v1beta1.PodDisruptionBudget{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("poddisruptionbudgets").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of PodDisruptionBudgets that match those selectors.
+func (c *podDisruptionBudgets) List(opts v1.ListOptions) (result *v1beta1.PodDisruptionBudgetList, err error) {
+	result = &v1beta1.PodDisruptionBudgetList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("poddisruptionbudgets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested podDisruptionBudgets.
+func (c *podDisruptionBudgets) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("poddisruptionbudgets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a podDisruptionBudget and creates it.  Returns the server's representation of the podDisruptionBudget, and an error, if there is any.
+func (c *podDisruptionBudgets) Create(podDisruptionBudget *v1beta1.PodDisruptionBudget) (result *v1beta1.PodDisruptionBudget, err error) {
+	result = &v1beta1.PodDisruptionBudget{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("poddisruptionbudgets").
+		Body(podDisruptionBudget).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a podDisruptionBudget and updates it. Returns the server's representation of the podDisruptionBudget, and an error, if there is any.
+func (c *podDisruptionBudgets) Update(podDisruptionBudget *v1beta1.PodDisruptionBudget) (result *v1beta1.PodDisruptionBudget, err error) {
+	result = &v1beta1.PodDisruptionBudget{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("poddisruptionbudgets").
+		Name(podDisruptionBudget.Name).
+		Body(podDisruptionBudget).
+		Do().
+		Into(result)
+	return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+
+func (c *podDisruptionBudgets) UpdateStatus(podDisruptionBudget *v1beta1.PodDisruptionBudget) (result *v1beta1.PodDisruptionBudget, err error) {
+	result = &v1beta1.PodDisruptionBudget{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("poddisruptionbudgets").
+		Name(podDisruptionBudget.Name).
+		SubResource("status").
+		Body(podDisruptionBudget).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the podDisruptionBudget and deletes it. Returns an error if one occurs.
+func (c *podDisruptionBudgets) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("poddisruptionbudgets").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *podDisruptionBudgets) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("poddisruptionbudgets").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched podDisruptionBudget.
+func (c *podDisruptionBudgets) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.PodDisruptionBudget, err error) {
+	result = &v1beta1.PodDisruptionBudget{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("poddisruptionbudgets").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/policy_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/policy_client.go
new file mode 100644
index 00000000..f9020d0b
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/policy/v1beta1/policy_client.go
@@ -0,0 +1,93 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/policy/v1beta1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type PolicyV1beta1Interface interface {
+	RESTClient() rest.Interface
+	EvictionsGetter
+	PodDisruptionBudgetsGetter
+}
+
+// PolicyV1beta1Client is used to interact with features provided by the policy group.
+type PolicyV1beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *PolicyV1beta1Client) Evictions(namespace string) EvictionInterface {
+	return newEvictions(c, namespace)
+}
+
+func (c *PolicyV1beta1Client) PodDisruptionBudgets(namespace string) PodDisruptionBudgetInterface {
+	return newPodDisruptionBudgets(c, namespace)
+}
+
+// NewForConfig creates a new PolicyV1beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*PolicyV1beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &PolicyV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new PolicyV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *PolicyV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new PolicyV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *PolicyV1beta1Client {
+	return &PolicyV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *PolicyV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/clusterrole.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/clusterrole.go
new file mode 100644
index 00000000..ab27fdf4
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/clusterrole.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/rbac/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ClusterRolesGetter has a method to return a ClusterRoleInterface.
+// A group's client should implement this interface.
+type ClusterRolesGetter interface {
+	ClusterRoles() ClusterRoleInterface
+}
+
+// ClusterRoleInterface has methods to work with ClusterRole resources.
+type ClusterRoleInterface interface {
+	Create(*v1.ClusterRole) (*v1.ClusterRole, error)
+	Update(*v1.ClusterRole) (*v1.ClusterRole, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.ClusterRole, error)
+	List(opts meta_v1.ListOptions) (*v1.ClusterRoleList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ClusterRole, err error)
+	ClusterRoleExpansion
+}
+
+// clusterRoles implements ClusterRoleInterface
+type clusterRoles struct {
+	client rest.Interface
+}
+
+// newClusterRoles returns a ClusterRoles
+func newClusterRoles(c *RbacV1Client) *clusterRoles {
+	return &clusterRoles{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the clusterRole, and returns the corresponding clusterRole object, and an error if there is any.
+func (c *clusterRoles) Get(name string, options meta_v1.GetOptions) (result *v1.ClusterRole, err error) {
+	result = &v1.ClusterRole{}
+	err = c.client.Get().
+		Resource("clusterroles").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ClusterRoles that match those selectors.
+func (c *clusterRoles) List(opts meta_v1.ListOptions) (result *v1.ClusterRoleList, err error) {
+	result = &v1.ClusterRoleList{}
+	err = c.client.Get().
+		Resource("clusterroles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested clusterRoles.
+func (c *clusterRoles) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("clusterroles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a clusterRole and creates it.  Returns the server's representation of the clusterRole, and an error, if there is any.
+func (c *clusterRoles) Create(clusterRole *v1.ClusterRole) (result *v1.ClusterRole, err error) {
+	result = &v1.ClusterRole{}
+	err = c.client.Post().
+		Resource("clusterroles").
+		Body(clusterRole).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a clusterRole and updates it. Returns the server's representation of the clusterRole, and an error, if there is any.
+func (c *clusterRoles) Update(clusterRole *v1.ClusterRole) (result *v1.ClusterRole, err error) {
+	result = &v1.ClusterRole{}
+	err = c.client.Put().
+		Resource("clusterroles").
+		Name(clusterRole.Name).
+		Body(clusterRole).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the clusterRole and deletes it. Returns an error if one occurs.
+func (c *clusterRoles) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("clusterroles").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *clusterRoles) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("clusterroles").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched clusterRole.
+func (c *clusterRoles) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ClusterRole, err error) {
+	result = &v1.ClusterRole{}
+	err = c.client.Patch(pt).
+		Resource("clusterroles").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/clusterrolebinding.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/clusterrolebinding.go
new file mode 100644
index 00000000..9bd87e91
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/clusterrolebinding.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/rbac/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ClusterRoleBindingsGetter has a method to return a ClusterRoleBindingInterface.
+// A group's client should implement this interface.
+type ClusterRoleBindingsGetter interface {
+	ClusterRoleBindings() ClusterRoleBindingInterface
+}
+
+// ClusterRoleBindingInterface has methods to work with ClusterRoleBinding resources.
+type ClusterRoleBindingInterface interface {
+	Create(*v1.ClusterRoleBinding) (*v1.ClusterRoleBinding, error)
+	Update(*v1.ClusterRoleBinding) (*v1.ClusterRoleBinding, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.ClusterRoleBinding, error)
+	List(opts meta_v1.ListOptions) (*v1.ClusterRoleBindingList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ClusterRoleBinding, err error)
+	ClusterRoleBindingExpansion
+}
+
+// clusterRoleBindings implements ClusterRoleBindingInterface
+type clusterRoleBindings struct {
+	client rest.Interface
+}
+
+// newClusterRoleBindings returns a ClusterRoleBindings
+func newClusterRoleBindings(c *RbacV1Client) *clusterRoleBindings {
+	return &clusterRoleBindings{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the clusterRoleBinding, and returns the corresponding clusterRoleBinding object, and an error if there is any.
+func (c *clusterRoleBindings) Get(name string, options meta_v1.GetOptions) (result *v1.ClusterRoleBinding, err error) {
+	result = &v1.ClusterRoleBinding{}
+	err = c.client.Get().
+		Resource("clusterrolebindings").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ClusterRoleBindings that match those selectors.
+func (c *clusterRoleBindings) List(opts meta_v1.ListOptions) (result *v1.ClusterRoleBindingList, err error) {
+	result = &v1.ClusterRoleBindingList{}
+	err = c.client.Get().
+		Resource("clusterrolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested clusterRoleBindings.
+func (c *clusterRoleBindings) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("clusterrolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a clusterRoleBinding and creates it.  Returns the server's representation of the clusterRoleBinding, and an error, if there is any.
+func (c *clusterRoleBindings) Create(clusterRoleBinding *v1.ClusterRoleBinding) (result *v1.ClusterRoleBinding, err error) {
+	result = &v1.ClusterRoleBinding{}
+	err = c.client.Post().
+		Resource("clusterrolebindings").
+		Body(clusterRoleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a clusterRoleBinding and updates it. Returns the server's representation of the clusterRoleBinding, and an error, if there is any.
+func (c *clusterRoleBindings) Update(clusterRoleBinding *v1.ClusterRoleBinding) (result *v1.ClusterRoleBinding, err error) {
+	result = &v1.ClusterRoleBinding{}
+	err = c.client.Put().
+		Resource("clusterrolebindings").
+		Name(clusterRoleBinding.Name).
+		Body(clusterRoleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the clusterRoleBinding and deletes it. Returns an error if one occurs.
+func (c *clusterRoleBindings) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("clusterrolebindings").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *clusterRoleBindings) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("clusterrolebindings").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched clusterRoleBinding.
+func (c *clusterRoleBindings) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.ClusterRoleBinding, err error) {
+	result = &v1.ClusterRoleBinding{}
+	err = c.client.Patch(pt).
+		Resource("clusterrolebindings").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/doc.go
new file mode 100644
index 00000000..53d7f29a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/generated_expansion.go
new file mode 100644
index 00000000..48b91811
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/generated_expansion.go
@@ -0,0 +1,25 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+type ClusterRoleExpansion interface{}
+
+type ClusterRoleBindingExpansion interface{}
+
+type RoleExpansion interface{}
+
+type RoleBindingExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/rbac_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/rbac_client.go
new file mode 100644
index 00000000..82eb8f1f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/rbac_client.go
@@ -0,0 +1,103 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/rbac/v1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type RbacV1Interface interface {
+	RESTClient() rest.Interface
+	ClusterRolesGetter
+	ClusterRoleBindingsGetter
+	RolesGetter
+	RoleBindingsGetter
+}
+
+// RbacV1Client is used to interact with features provided by the rbac.authorization.k8s.io group.
+type RbacV1Client struct {
+	restClient rest.Interface
+}
+
+func (c *RbacV1Client) ClusterRoles() ClusterRoleInterface {
+	return newClusterRoles(c)
+}
+
+func (c *RbacV1Client) ClusterRoleBindings() ClusterRoleBindingInterface {
+	return newClusterRoleBindings(c)
+}
+
+func (c *RbacV1Client) Roles(namespace string) RoleInterface {
+	return newRoles(c, namespace)
+}
+
+func (c *RbacV1Client) RoleBindings(namespace string) RoleBindingInterface {
+	return newRoleBindings(c, namespace)
+}
+
+// NewForConfig creates a new RbacV1Client for the given config.
+func NewForConfig(c *rest.Config) (*RbacV1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &RbacV1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new RbacV1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *RbacV1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new RbacV1Client for the given RESTClient.
+func New(c rest.Interface) *RbacV1Client {
+	return &RbacV1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *RbacV1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/role.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/role.go
new file mode 100644
index 00000000..1dc65551
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/role.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/rbac/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// RolesGetter has a method to return a RoleInterface.
+// A group's client should implement this interface.
+type RolesGetter interface {
+	Roles(namespace string) RoleInterface
+}
+
+// RoleInterface has methods to work with Role resources.
+type RoleInterface interface {
+	Create(*v1.Role) (*v1.Role, error)
+	Update(*v1.Role) (*v1.Role, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.Role, error)
+	List(opts meta_v1.ListOptions) (*v1.RoleList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Role, err error)
+	RoleExpansion
+}
+
+// roles implements RoleInterface
+type roles struct {
+	client rest.Interface
+	ns     string
+}
+
+// newRoles returns a Roles
+func newRoles(c *RbacV1Client, namespace string) *roles {
+	return &roles{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the role, and returns the corresponding role object, and an error if there is any.
+func (c *roles) Get(name string, options meta_v1.GetOptions) (result *v1.Role, err error) {
+	result = &v1.Role{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("roles").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Roles that match those selectors.
+func (c *roles) List(opts meta_v1.ListOptions) (result *v1.RoleList, err error) {
+	result = &v1.RoleList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("roles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested roles.
+func (c *roles) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("roles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a role and creates it.  Returns the server's representation of the role, and an error, if there is any.
+func (c *roles) Create(role *v1.Role) (result *v1.Role, err error) {
+	result = &v1.Role{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("roles").
+		Body(role).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a role and updates it. Returns the server's representation of the role, and an error, if there is any.
+func (c *roles) Update(role *v1.Role) (result *v1.Role, err error) {
+	result = &v1.Role{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("roles").
+		Name(role.Name).
+		Body(role).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the role and deletes it. Returns an error if one occurs.
+func (c *roles) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("roles").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *roles) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("roles").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched role.
+func (c *roles) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.Role, err error) {
+	result = &v1.Role{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("roles").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/rolebinding.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/rolebinding.go
new file mode 100644
index 00000000..d1287da7
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1/rolebinding.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/rbac/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// RoleBindingsGetter has a method to return a RoleBindingInterface.
+// A group's client should implement this interface.
+type RoleBindingsGetter interface {
+	RoleBindings(namespace string) RoleBindingInterface
+}
+
+// RoleBindingInterface has methods to work with RoleBinding resources.
+type RoleBindingInterface interface {
+	Create(*v1.RoleBinding) (*v1.RoleBinding, error)
+	Update(*v1.RoleBinding) (*v1.RoleBinding, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.RoleBinding, error)
+	List(opts meta_v1.ListOptions) (*v1.RoleBindingList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.RoleBinding, err error)
+	RoleBindingExpansion
+}
+
+// roleBindings implements RoleBindingInterface
+type roleBindings struct {
+	client rest.Interface
+	ns     string
+}
+
+// newRoleBindings returns a RoleBindings
+func newRoleBindings(c *RbacV1Client, namespace string) *roleBindings {
+	return &roleBindings{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the roleBinding, and returns the corresponding roleBinding object, and an error if there is any.
+func (c *roleBindings) Get(name string, options meta_v1.GetOptions) (result *v1.RoleBinding, err error) {
+	result = &v1.RoleBinding{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of RoleBindings that match those selectors.
+func (c *roleBindings) List(opts meta_v1.ListOptions) (result *v1.RoleBindingList, err error) {
+	result = &v1.RoleBindingList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested roleBindings.
+func (c *roleBindings) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a roleBinding and creates it.  Returns the server's representation of the roleBinding, and an error, if there is any.
+func (c *roleBindings) Create(roleBinding *v1.RoleBinding) (result *v1.RoleBinding, err error) {
+	result = &v1.RoleBinding{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Body(roleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a roleBinding and updates it. Returns the server's representation of the roleBinding, and an error, if there is any.
+func (c *roleBindings) Update(roleBinding *v1.RoleBinding) (result *v1.RoleBinding, err error) {
+	result = &v1.RoleBinding{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Name(roleBinding.Name).
+		Body(roleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the roleBinding and deletes it. Returns an error if one occurs.
+func (c *roleBindings) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *roleBindings) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched roleBinding.
+func (c *roleBindings) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.RoleBinding, err error) {
+	result = &v1.RoleBinding{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("rolebindings").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/clusterrole.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/clusterrole.go
new file mode 100644
index 00000000..9eb8bc78
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/clusterrole.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/rbac/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ClusterRolesGetter has a method to return a ClusterRoleInterface.
+// A group's client should implement this interface.
+type ClusterRolesGetter interface {
+	ClusterRoles() ClusterRoleInterface
+}
+
+// ClusterRoleInterface has methods to work with ClusterRole resources.
+type ClusterRoleInterface interface {
+	Create(*v1alpha1.ClusterRole) (*v1alpha1.ClusterRole, error)
+	Update(*v1alpha1.ClusterRole) (*v1alpha1.ClusterRole, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.ClusterRole, error)
+	List(opts v1.ListOptions) (*v1alpha1.ClusterRoleList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.ClusterRole, err error)
+	ClusterRoleExpansion
+}
+
+// clusterRoles implements ClusterRoleInterface
+type clusterRoles struct {
+	client rest.Interface
+}
+
+// newClusterRoles returns a ClusterRoles
+func newClusterRoles(c *RbacV1alpha1Client) *clusterRoles {
+	return &clusterRoles{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the clusterRole, and returns the corresponding clusterRole object, and an error if there is any.
+func (c *clusterRoles) Get(name string, options v1.GetOptions) (result *v1alpha1.ClusterRole, err error) {
+	result = &v1alpha1.ClusterRole{}
+	err = c.client.Get().
+		Resource("clusterroles").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ClusterRoles that match those selectors.
+func (c *clusterRoles) List(opts v1.ListOptions) (result *v1alpha1.ClusterRoleList, err error) {
+	result = &v1alpha1.ClusterRoleList{}
+	err = c.client.Get().
+		Resource("clusterroles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested clusterRoles.
+func (c *clusterRoles) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("clusterroles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a clusterRole and creates it.  Returns the server's representation of the clusterRole, and an error, if there is any.
+func (c *clusterRoles) Create(clusterRole *v1alpha1.ClusterRole) (result *v1alpha1.ClusterRole, err error) {
+	result = &v1alpha1.ClusterRole{}
+	err = c.client.Post().
+		Resource("clusterroles").
+		Body(clusterRole).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a clusterRole and updates it. Returns the server's representation of the clusterRole, and an error, if there is any.
+func (c *clusterRoles) Update(clusterRole *v1alpha1.ClusterRole) (result *v1alpha1.ClusterRole, err error) {
+	result = &v1alpha1.ClusterRole{}
+	err = c.client.Put().
+		Resource("clusterroles").
+		Name(clusterRole.Name).
+		Body(clusterRole).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the clusterRole and deletes it. Returns an error if one occurs.
+func (c *clusterRoles) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("clusterroles").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *clusterRoles) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("clusterroles").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched clusterRole.
+func (c *clusterRoles) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.ClusterRole, err error) {
+	result = &v1alpha1.ClusterRole{}
+	err = c.client.Patch(pt).
+		Resource("clusterroles").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/clusterrolebinding.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/clusterrolebinding.go
new file mode 100644
index 00000000..6cf383b4
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/clusterrolebinding.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/rbac/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ClusterRoleBindingsGetter has a method to return a ClusterRoleBindingInterface.
+// A group's client should implement this interface.
+type ClusterRoleBindingsGetter interface {
+	ClusterRoleBindings() ClusterRoleBindingInterface
+}
+
+// ClusterRoleBindingInterface has methods to work with ClusterRoleBinding resources.
+type ClusterRoleBindingInterface interface {
+	Create(*v1alpha1.ClusterRoleBinding) (*v1alpha1.ClusterRoleBinding, error)
+	Update(*v1alpha1.ClusterRoleBinding) (*v1alpha1.ClusterRoleBinding, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.ClusterRoleBinding, error)
+	List(opts v1.ListOptions) (*v1alpha1.ClusterRoleBindingList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.ClusterRoleBinding, err error)
+	ClusterRoleBindingExpansion
+}
+
+// clusterRoleBindings implements ClusterRoleBindingInterface
+type clusterRoleBindings struct {
+	client rest.Interface
+}
+
+// newClusterRoleBindings returns a ClusterRoleBindings
+func newClusterRoleBindings(c *RbacV1alpha1Client) *clusterRoleBindings {
+	return &clusterRoleBindings{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the clusterRoleBinding, and returns the corresponding clusterRoleBinding object, and an error if there is any.
+func (c *clusterRoleBindings) Get(name string, options v1.GetOptions) (result *v1alpha1.ClusterRoleBinding, err error) {
+	result = &v1alpha1.ClusterRoleBinding{}
+	err = c.client.Get().
+		Resource("clusterrolebindings").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ClusterRoleBindings that match those selectors.
+func (c *clusterRoleBindings) List(opts v1.ListOptions) (result *v1alpha1.ClusterRoleBindingList, err error) {
+	result = &v1alpha1.ClusterRoleBindingList{}
+	err = c.client.Get().
+		Resource("clusterrolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested clusterRoleBindings.
+func (c *clusterRoleBindings) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("clusterrolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a clusterRoleBinding and creates it.  Returns the server's representation of the clusterRoleBinding, and an error, if there is any.
+func (c *clusterRoleBindings) Create(clusterRoleBinding *v1alpha1.ClusterRoleBinding) (result *v1alpha1.ClusterRoleBinding, err error) {
+	result = &v1alpha1.ClusterRoleBinding{}
+	err = c.client.Post().
+		Resource("clusterrolebindings").
+		Body(clusterRoleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a clusterRoleBinding and updates it. Returns the server's representation of the clusterRoleBinding, and an error, if there is any.
+func (c *clusterRoleBindings) Update(clusterRoleBinding *v1alpha1.ClusterRoleBinding) (result *v1alpha1.ClusterRoleBinding, err error) {
+	result = &v1alpha1.ClusterRoleBinding{}
+	err = c.client.Put().
+		Resource("clusterrolebindings").
+		Name(clusterRoleBinding.Name).
+		Body(clusterRoleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the clusterRoleBinding and deletes it. Returns an error if one occurs.
+func (c *clusterRoleBindings) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("clusterrolebindings").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *clusterRoleBindings) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("clusterrolebindings").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched clusterRoleBinding.
+func (c *clusterRoleBindings) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.ClusterRoleBinding, err error) {
+	result = &v1alpha1.ClusterRoleBinding{}
+	err = c.client.Patch(pt).
+		Resource("clusterrolebindings").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/doc.go
new file mode 100644
index 00000000..f51751d6
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1alpha1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/generated_expansion.go
new file mode 100644
index 00000000..9b61a750
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/generated_expansion.go
@@ -0,0 +1,25 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+type ClusterRoleExpansion interface{}
+
+type ClusterRoleBindingExpansion interface{}
+
+type RoleExpansion interface{}
+
+type RoleBindingExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/rbac_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/rbac_client.go
new file mode 100644
index 00000000..76ebf316
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/rbac_client.go
@@ -0,0 +1,103 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/rbac/v1alpha1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type RbacV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	ClusterRolesGetter
+	ClusterRoleBindingsGetter
+	RolesGetter
+	RoleBindingsGetter
+}
+
+// RbacV1alpha1Client is used to interact with features provided by the rbac.authorization.k8s.io group.
+type RbacV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *RbacV1alpha1Client) ClusterRoles() ClusterRoleInterface {
+	return newClusterRoles(c)
+}
+
+func (c *RbacV1alpha1Client) ClusterRoleBindings() ClusterRoleBindingInterface {
+	return newClusterRoleBindings(c)
+}
+
+func (c *RbacV1alpha1Client) Roles(namespace string) RoleInterface {
+	return newRoles(c, namespace)
+}
+
+func (c *RbacV1alpha1Client) RoleBindings(namespace string) RoleBindingInterface {
+	return newRoleBindings(c, namespace)
+}
+
+// NewForConfig creates a new RbacV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*RbacV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &RbacV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new RbacV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *RbacV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new RbacV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *RbacV1alpha1Client {
+	return &RbacV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *RbacV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/role.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/role.go
new file mode 100644
index 00000000..0c7e49f0
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/role.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/rbac/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// RolesGetter has a method to return a RoleInterface.
+// A group's client should implement this interface.
+type RolesGetter interface {
+	Roles(namespace string) RoleInterface
+}
+
+// RoleInterface has methods to work with Role resources.
+type RoleInterface interface {
+	Create(*v1alpha1.Role) (*v1alpha1.Role, error)
+	Update(*v1alpha1.Role) (*v1alpha1.Role, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.Role, error)
+	List(opts v1.ListOptions) (*v1alpha1.RoleList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.Role, err error)
+	RoleExpansion
+}
+
+// roles implements RoleInterface
+type roles struct {
+	client rest.Interface
+	ns     string
+}
+
+// newRoles returns a Roles
+func newRoles(c *RbacV1alpha1Client, namespace string) *roles {
+	return &roles{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the role, and returns the corresponding role object, and an error if there is any.
+func (c *roles) Get(name string, options v1.GetOptions) (result *v1alpha1.Role, err error) {
+	result = &v1alpha1.Role{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("roles").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Roles that match those selectors.
+func (c *roles) List(opts v1.ListOptions) (result *v1alpha1.RoleList, err error) {
+	result = &v1alpha1.RoleList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("roles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested roles.
+func (c *roles) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("roles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a role and creates it.  Returns the server's representation of the role, and an error, if there is any.
+func (c *roles) Create(role *v1alpha1.Role) (result *v1alpha1.Role, err error) {
+	result = &v1alpha1.Role{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("roles").
+		Body(role).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a role and updates it. Returns the server's representation of the role, and an error, if there is any.
+func (c *roles) Update(role *v1alpha1.Role) (result *v1alpha1.Role, err error) {
+	result = &v1alpha1.Role{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("roles").
+		Name(role.Name).
+		Body(role).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the role and deletes it. Returns an error if one occurs.
+func (c *roles) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("roles").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *roles) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("roles").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched role.
+func (c *roles) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.Role, err error) {
+	result = &v1alpha1.Role{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("roles").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/rolebinding.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/rolebinding.go
new file mode 100644
index 00000000..1bcfaf88
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/rolebinding.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/rbac/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// RoleBindingsGetter has a method to return a RoleBindingInterface.
+// A group's client should implement this interface.
+type RoleBindingsGetter interface {
+	RoleBindings(namespace string) RoleBindingInterface
+}
+
+// RoleBindingInterface has methods to work with RoleBinding resources.
+type RoleBindingInterface interface {
+	Create(*v1alpha1.RoleBinding) (*v1alpha1.RoleBinding, error)
+	Update(*v1alpha1.RoleBinding) (*v1alpha1.RoleBinding, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.RoleBinding, error)
+	List(opts v1.ListOptions) (*v1alpha1.RoleBindingList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.RoleBinding, err error)
+	RoleBindingExpansion
+}
+
+// roleBindings implements RoleBindingInterface
+type roleBindings struct {
+	client rest.Interface
+	ns     string
+}
+
+// newRoleBindings returns a RoleBindings
+func newRoleBindings(c *RbacV1alpha1Client, namespace string) *roleBindings {
+	return &roleBindings{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the roleBinding, and returns the corresponding roleBinding object, and an error if there is any.
+func (c *roleBindings) Get(name string, options v1.GetOptions) (result *v1alpha1.RoleBinding, err error) {
+	result = &v1alpha1.RoleBinding{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of RoleBindings that match those selectors.
+func (c *roleBindings) List(opts v1.ListOptions) (result *v1alpha1.RoleBindingList, err error) {
+	result = &v1alpha1.RoleBindingList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested roleBindings.
+func (c *roleBindings) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a roleBinding and creates it.  Returns the server's representation of the roleBinding, and an error, if there is any.
+func (c *roleBindings) Create(roleBinding *v1alpha1.RoleBinding) (result *v1alpha1.RoleBinding, err error) {
+	result = &v1alpha1.RoleBinding{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Body(roleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a roleBinding and updates it. Returns the server's representation of the roleBinding, and an error, if there is any.
+func (c *roleBindings) Update(roleBinding *v1alpha1.RoleBinding) (result *v1alpha1.RoleBinding, err error) {
+	result = &v1alpha1.RoleBinding{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Name(roleBinding.Name).
+		Body(roleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the roleBinding and deletes it. Returns an error if one occurs.
+func (c *roleBindings) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *roleBindings) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched roleBinding.
+func (c *roleBindings) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.RoleBinding, err error) {
+	result = &v1alpha1.RoleBinding{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("rolebindings").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/clusterrole.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/clusterrole.go
new file mode 100644
index 00000000..89494ed1
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/clusterrole.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/rbac/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ClusterRolesGetter has a method to return a ClusterRoleInterface.
+// A group's client should implement this interface.
+type ClusterRolesGetter interface {
+	ClusterRoles() ClusterRoleInterface
+}
+
+// ClusterRoleInterface has methods to work with ClusterRole resources.
+type ClusterRoleInterface interface {
+	Create(*v1beta1.ClusterRole) (*v1beta1.ClusterRole, error)
+	Update(*v1beta1.ClusterRole) (*v1beta1.ClusterRole, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.ClusterRole, error)
+	List(opts v1.ListOptions) (*v1beta1.ClusterRoleList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.ClusterRole, err error)
+	ClusterRoleExpansion
+}
+
+// clusterRoles implements ClusterRoleInterface
+type clusterRoles struct {
+	client rest.Interface
+}
+
+// newClusterRoles returns a ClusterRoles
+func newClusterRoles(c *RbacV1beta1Client) *clusterRoles {
+	return &clusterRoles{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the clusterRole, and returns the corresponding clusterRole object, and an error if there is any.
+func (c *clusterRoles) Get(name string, options v1.GetOptions) (result *v1beta1.ClusterRole, err error) {
+	result = &v1beta1.ClusterRole{}
+	err = c.client.Get().
+		Resource("clusterroles").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ClusterRoles that match those selectors.
+func (c *clusterRoles) List(opts v1.ListOptions) (result *v1beta1.ClusterRoleList, err error) {
+	result = &v1beta1.ClusterRoleList{}
+	err = c.client.Get().
+		Resource("clusterroles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested clusterRoles.
+func (c *clusterRoles) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("clusterroles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a clusterRole and creates it.  Returns the server's representation of the clusterRole, and an error, if there is any.
+func (c *clusterRoles) Create(clusterRole *v1beta1.ClusterRole) (result *v1beta1.ClusterRole, err error) {
+	result = &v1beta1.ClusterRole{}
+	err = c.client.Post().
+		Resource("clusterroles").
+		Body(clusterRole).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a clusterRole and updates it. Returns the server's representation of the clusterRole, and an error, if there is any.
+func (c *clusterRoles) Update(clusterRole *v1beta1.ClusterRole) (result *v1beta1.ClusterRole, err error) {
+	result = &v1beta1.ClusterRole{}
+	err = c.client.Put().
+		Resource("clusterroles").
+		Name(clusterRole.Name).
+		Body(clusterRole).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the clusterRole and deletes it. Returns an error if one occurs.
+func (c *clusterRoles) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("clusterroles").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *clusterRoles) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("clusterroles").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched clusterRole.
+func (c *clusterRoles) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.ClusterRole, err error) {
+	result = &v1beta1.ClusterRole{}
+	err = c.client.Patch(pt).
+		Resource("clusterroles").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/clusterrolebinding.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/clusterrolebinding.go
new file mode 100644
index 00000000..1602f7fc
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/clusterrolebinding.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/rbac/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// ClusterRoleBindingsGetter has a method to return a ClusterRoleBindingInterface.
+// A group's client should implement this interface.
+type ClusterRoleBindingsGetter interface {
+	ClusterRoleBindings() ClusterRoleBindingInterface
+}
+
+// ClusterRoleBindingInterface has methods to work with ClusterRoleBinding resources.
+type ClusterRoleBindingInterface interface {
+	Create(*v1beta1.ClusterRoleBinding) (*v1beta1.ClusterRoleBinding, error)
+	Update(*v1beta1.ClusterRoleBinding) (*v1beta1.ClusterRoleBinding, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.ClusterRoleBinding, error)
+	List(opts v1.ListOptions) (*v1beta1.ClusterRoleBindingList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.ClusterRoleBinding, err error)
+	ClusterRoleBindingExpansion
+}
+
+// clusterRoleBindings implements ClusterRoleBindingInterface
+type clusterRoleBindings struct {
+	client rest.Interface
+}
+
+// newClusterRoleBindings returns a ClusterRoleBindings
+func newClusterRoleBindings(c *RbacV1beta1Client) *clusterRoleBindings {
+	return &clusterRoleBindings{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the clusterRoleBinding, and returns the corresponding clusterRoleBinding object, and an error if there is any.
+func (c *clusterRoleBindings) Get(name string, options v1.GetOptions) (result *v1beta1.ClusterRoleBinding, err error) {
+	result = &v1beta1.ClusterRoleBinding{}
+	err = c.client.Get().
+		Resource("clusterrolebindings").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of ClusterRoleBindings that match those selectors.
+func (c *clusterRoleBindings) List(opts v1.ListOptions) (result *v1beta1.ClusterRoleBindingList, err error) {
+	result = &v1beta1.ClusterRoleBindingList{}
+	err = c.client.Get().
+		Resource("clusterrolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested clusterRoleBindings.
+func (c *clusterRoleBindings) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("clusterrolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a clusterRoleBinding and creates it.  Returns the server's representation of the clusterRoleBinding, and an error, if there is any.
+func (c *clusterRoleBindings) Create(clusterRoleBinding *v1beta1.ClusterRoleBinding) (result *v1beta1.ClusterRoleBinding, err error) {
+	result = &v1beta1.ClusterRoleBinding{}
+	err = c.client.Post().
+		Resource("clusterrolebindings").
+		Body(clusterRoleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a clusterRoleBinding and updates it. Returns the server's representation of the clusterRoleBinding, and an error, if there is any.
+func (c *clusterRoleBindings) Update(clusterRoleBinding *v1beta1.ClusterRoleBinding) (result *v1beta1.ClusterRoleBinding, err error) {
+	result = &v1beta1.ClusterRoleBinding{}
+	err = c.client.Put().
+		Resource("clusterrolebindings").
+		Name(clusterRoleBinding.Name).
+		Body(clusterRoleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the clusterRoleBinding and deletes it. Returns an error if one occurs.
+func (c *clusterRoleBindings) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("clusterrolebindings").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *clusterRoleBindings) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("clusterrolebindings").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched clusterRoleBinding.
+func (c *clusterRoleBindings) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.ClusterRoleBinding, err error) {
+	result = &v1beta1.ClusterRoleBinding{}
+	err = c.client.Patch(pt).
+		Resource("clusterrolebindings").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/doc.go
new file mode 100644
index 00000000..6bd6c583
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/generated_expansion.go
new file mode 100644
index 00000000..8820cfb4
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/generated_expansion.go
@@ -0,0 +1,25 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+type ClusterRoleExpansion interface{}
+
+type ClusterRoleBindingExpansion interface{}
+
+type RoleExpansion interface{}
+
+type RoleBindingExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/rbac_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/rbac_client.go
new file mode 100644
index 00000000..9d4259e4
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/rbac_client.go
@@ -0,0 +1,103 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/rbac/v1beta1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type RbacV1beta1Interface interface {
+	RESTClient() rest.Interface
+	ClusterRolesGetter
+	ClusterRoleBindingsGetter
+	RolesGetter
+	RoleBindingsGetter
+}
+
+// RbacV1beta1Client is used to interact with features provided by the rbac.authorization.k8s.io group.
+type RbacV1beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *RbacV1beta1Client) ClusterRoles() ClusterRoleInterface {
+	return newClusterRoles(c)
+}
+
+func (c *RbacV1beta1Client) ClusterRoleBindings() ClusterRoleBindingInterface {
+	return newClusterRoleBindings(c)
+}
+
+func (c *RbacV1beta1Client) Roles(namespace string) RoleInterface {
+	return newRoles(c, namespace)
+}
+
+func (c *RbacV1beta1Client) RoleBindings(namespace string) RoleBindingInterface {
+	return newRoleBindings(c, namespace)
+}
+
+// NewForConfig creates a new RbacV1beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*RbacV1beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &RbacV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new RbacV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *RbacV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new RbacV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *RbacV1beta1Client {
+	return &RbacV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *RbacV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/role.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/role.go
new file mode 100644
index 00000000..d3d500b5
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/role.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/rbac/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// RolesGetter has a method to return a RoleInterface.
+// A group's client should implement this interface.
+type RolesGetter interface {
+	Roles(namespace string) RoleInterface
+}
+
+// RoleInterface has methods to work with Role resources.
+type RoleInterface interface {
+	Create(*v1beta1.Role) (*v1beta1.Role, error)
+	Update(*v1beta1.Role) (*v1beta1.Role, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.Role, error)
+	List(opts v1.ListOptions) (*v1beta1.RoleList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.Role, err error)
+	RoleExpansion
+}
+
+// roles implements RoleInterface
+type roles struct {
+	client rest.Interface
+	ns     string
+}
+
+// newRoles returns a Roles
+func newRoles(c *RbacV1beta1Client, namespace string) *roles {
+	return &roles{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the role, and returns the corresponding role object, and an error if there is any.
+func (c *roles) Get(name string, options v1.GetOptions) (result *v1beta1.Role, err error) {
+	result = &v1beta1.Role{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("roles").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of Roles that match those selectors.
+func (c *roles) List(opts v1.ListOptions) (result *v1beta1.RoleList, err error) {
+	result = &v1beta1.RoleList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("roles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested roles.
+func (c *roles) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("roles").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a role and creates it.  Returns the server's representation of the role, and an error, if there is any.
+func (c *roles) Create(role *v1beta1.Role) (result *v1beta1.Role, err error) {
+	result = &v1beta1.Role{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("roles").
+		Body(role).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a role and updates it. Returns the server's representation of the role, and an error, if there is any.
+func (c *roles) Update(role *v1beta1.Role) (result *v1beta1.Role, err error) {
+	result = &v1beta1.Role{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("roles").
+		Name(role.Name).
+		Body(role).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the role and deletes it. Returns an error if one occurs.
+func (c *roles) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("roles").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *roles) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("roles").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched role.
+func (c *roles) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.Role, err error) {
+	result = &v1beta1.Role{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("roles").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/rolebinding.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/rolebinding.go
new file mode 100644
index 00000000..05da7329
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/rbac/v1beta1/rolebinding.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/rbac/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// RoleBindingsGetter has a method to return a RoleBindingInterface.
+// A group's client should implement this interface.
+type RoleBindingsGetter interface {
+	RoleBindings(namespace string) RoleBindingInterface
+}
+
+// RoleBindingInterface has methods to work with RoleBinding resources.
+type RoleBindingInterface interface {
+	Create(*v1beta1.RoleBinding) (*v1beta1.RoleBinding, error)
+	Update(*v1beta1.RoleBinding) (*v1beta1.RoleBinding, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.RoleBinding, error)
+	List(opts v1.ListOptions) (*v1beta1.RoleBindingList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.RoleBinding, err error)
+	RoleBindingExpansion
+}
+
+// roleBindings implements RoleBindingInterface
+type roleBindings struct {
+	client rest.Interface
+	ns     string
+}
+
+// newRoleBindings returns a RoleBindings
+func newRoleBindings(c *RbacV1beta1Client, namespace string) *roleBindings {
+	return &roleBindings{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the roleBinding, and returns the corresponding roleBinding object, and an error if there is any.
+func (c *roleBindings) Get(name string, options v1.GetOptions) (result *v1beta1.RoleBinding, err error) {
+	result = &v1beta1.RoleBinding{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of RoleBindings that match those selectors.
+func (c *roleBindings) List(opts v1.ListOptions) (result *v1beta1.RoleBindingList, err error) {
+	result = &v1beta1.RoleBindingList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested roleBindings.
+func (c *roleBindings) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a roleBinding and creates it.  Returns the server's representation of the roleBinding, and an error, if there is any.
+func (c *roleBindings) Create(roleBinding *v1beta1.RoleBinding) (result *v1beta1.RoleBinding, err error) {
+	result = &v1beta1.RoleBinding{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Body(roleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a roleBinding and updates it. Returns the server's representation of the roleBinding, and an error, if there is any.
+func (c *roleBindings) Update(roleBinding *v1beta1.RoleBinding) (result *v1beta1.RoleBinding, err error) {
+	result = &v1beta1.RoleBinding{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Name(roleBinding.Name).
+		Body(roleBinding).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the roleBinding and deletes it. Returns an error if one occurs.
+func (c *roleBindings) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *roleBindings) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("rolebindings").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched roleBinding.
+func (c *roleBindings) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.RoleBinding, err error) {
+	result = &v1beta1.RoleBinding{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("rolebindings").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/doc.go
new file mode 100644
index 00000000..f51751d6
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1alpha1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/generated_expansion.go
new file mode 100644
index 00000000..832addf0
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+type PriorityClassExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/priorityclass.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/priorityclass.go
new file mode 100644
index 00000000..0422dc96
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/priorityclass.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// PriorityClassesGetter has a method to return a PriorityClassInterface.
+// A group's client should implement this interface.
+type PriorityClassesGetter interface {
+	PriorityClasses() PriorityClassInterface
+}
+
+// PriorityClassInterface has methods to work with PriorityClass resources.
+type PriorityClassInterface interface {
+	Create(*v1alpha1.PriorityClass) (*v1alpha1.PriorityClass, error)
+	Update(*v1alpha1.PriorityClass) (*v1alpha1.PriorityClass, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.PriorityClass, error)
+	List(opts v1.ListOptions) (*v1alpha1.PriorityClassList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.PriorityClass, err error)
+	PriorityClassExpansion
+}
+
+// priorityClasses implements PriorityClassInterface
+type priorityClasses struct {
+	client rest.Interface
+}
+
+// newPriorityClasses returns a PriorityClasses
+func newPriorityClasses(c *SchedulingV1alpha1Client) *priorityClasses {
+	return &priorityClasses{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the priorityClass, and returns the corresponding priorityClass object, and an error if there is any.
+func (c *priorityClasses) Get(name string, options v1.GetOptions) (result *v1alpha1.PriorityClass, err error) {
+	result = &v1alpha1.PriorityClass{}
+	err = c.client.Get().
+		Resource("priorityclasses").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of PriorityClasses that match those selectors.
+func (c *priorityClasses) List(opts v1.ListOptions) (result *v1alpha1.PriorityClassList, err error) {
+	result = &v1alpha1.PriorityClassList{}
+	err = c.client.Get().
+		Resource("priorityclasses").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested priorityClasses.
+func (c *priorityClasses) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("priorityclasses").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a priorityClass and creates it.  Returns the server's representation of the priorityClass, and an error, if there is any.
+func (c *priorityClasses) Create(priorityClass *v1alpha1.PriorityClass) (result *v1alpha1.PriorityClass, err error) {
+	result = &v1alpha1.PriorityClass{}
+	err = c.client.Post().
+		Resource("priorityclasses").
+		Body(priorityClass).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a priorityClass and updates it. Returns the server's representation of the priorityClass, and an error, if there is any.
+func (c *priorityClasses) Update(priorityClass *v1alpha1.PriorityClass) (result *v1alpha1.PriorityClass, err error) {
+	result = &v1alpha1.PriorityClass{}
+	err = c.client.Put().
+		Resource("priorityclasses").
+		Name(priorityClass.Name).
+		Body(priorityClass).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the priorityClass and deletes it. Returns an error if one occurs.
+func (c *priorityClasses) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("priorityclasses").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *priorityClasses) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("priorityclasses").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched priorityClass.
+func (c *priorityClasses) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.PriorityClass, err error) {
+	result = &v1alpha1.PriorityClass{}
+	err = c.client.Patch(pt).
+		Resource("priorityclasses").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/scheduling_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/scheduling_client.go
new file mode 100644
index 00000000..a36c4492
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/scheduling_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/scheduling/v1alpha1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type SchedulingV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	PriorityClassesGetter
+}
+
+// SchedulingV1alpha1Client is used to interact with features provided by the scheduling.k8s.io group.
+type SchedulingV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *SchedulingV1alpha1Client) PriorityClasses() PriorityClassInterface {
+	return newPriorityClasses(c)
+}
+
+// NewForConfig creates a new SchedulingV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*SchedulingV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &SchedulingV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new SchedulingV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *SchedulingV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new SchedulingV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *SchedulingV1alpha1Client {
+	return &SchedulingV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *SchedulingV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/doc.go
new file mode 100644
index 00000000..f51751d6
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1alpha1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/generated_expansion.go
new file mode 100644
index 00000000..dc95d90d
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+type PodPresetExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/podpreset.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/podpreset.go
new file mode 100644
index 00000000..38434cfa
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/podpreset.go
@@ -0,0 +1,155 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/settings/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// PodPresetsGetter has a method to return a PodPresetInterface.
+// A group's client should implement this interface.
+type PodPresetsGetter interface {
+	PodPresets(namespace string) PodPresetInterface
+}
+
+// PodPresetInterface has methods to work with PodPreset resources.
+type PodPresetInterface interface {
+	Create(*v1alpha1.PodPreset) (*v1alpha1.PodPreset, error)
+	Update(*v1alpha1.PodPreset) (*v1alpha1.PodPreset, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.PodPreset, error)
+	List(opts v1.ListOptions) (*v1alpha1.PodPresetList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.PodPreset, err error)
+	PodPresetExpansion
+}
+
+// podPresets implements PodPresetInterface
+type podPresets struct {
+	client rest.Interface
+	ns     string
+}
+
+// newPodPresets returns a PodPresets
+func newPodPresets(c *SettingsV1alpha1Client, namespace string) *podPresets {
+	return &podPresets{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the podPreset, and returns the corresponding podPreset object, and an error if there is any.
+func (c *podPresets) Get(name string, options v1.GetOptions) (result *v1alpha1.PodPreset, err error) {
+	result = &v1alpha1.PodPreset{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("podpresets").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of PodPresets that match those selectors.
+func (c *podPresets) List(opts v1.ListOptions) (result *v1alpha1.PodPresetList, err error) {
+	result = &v1alpha1.PodPresetList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("podpresets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested podPresets.
+func (c *podPresets) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("podpresets").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a podPreset and creates it.  Returns the server's representation of the podPreset, and an error, if there is any.
+func (c *podPresets) Create(podPreset *v1alpha1.PodPreset) (result *v1alpha1.PodPreset, err error) {
+	result = &v1alpha1.PodPreset{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("podpresets").
+		Body(podPreset).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a podPreset and updates it. Returns the server's representation of the podPreset, and an error, if there is any.
+func (c *podPresets) Update(podPreset *v1alpha1.PodPreset) (result *v1alpha1.PodPreset, err error) {
+	result = &v1alpha1.PodPreset{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("podpresets").
+		Name(podPreset.Name).
+		Body(podPreset).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the podPreset and deletes it. Returns an error if one occurs.
+func (c *podPresets) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("podpresets").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *podPresets) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("podpresets").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched podPreset.
+func (c *podPresets) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.PodPreset, err error) {
+	result = &v1alpha1.PodPreset{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("podpresets").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/settings_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/settings_client.go
new file mode 100644
index 00000000..153069db
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/settings/v1alpha1/settings_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	v1alpha1 "k8s.io/api/settings/v1alpha1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type SettingsV1alpha1Interface interface {
+	RESTClient() rest.Interface
+	PodPresetsGetter
+}
+
+// SettingsV1alpha1Client is used to interact with features provided by the settings.k8s.io group.
+type SettingsV1alpha1Client struct {
+	restClient rest.Interface
+}
+
+func (c *SettingsV1alpha1Client) PodPresets(namespace string) PodPresetInterface {
+	return newPodPresets(c, namespace)
+}
+
+// NewForConfig creates a new SettingsV1alpha1Client for the given config.
+func NewForConfig(c *rest.Config) (*SettingsV1alpha1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &SettingsV1alpha1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new SettingsV1alpha1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *SettingsV1alpha1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new SettingsV1alpha1Client for the given RESTClient.
+func New(c rest.Interface) *SettingsV1alpha1Client {
+	return &SettingsV1alpha1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1alpha1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *SettingsV1alpha1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/doc.go
new file mode 100644
index 00000000..53d7f29a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/generated_expansion.go
new file mode 100644
index 00000000..c378b8b2
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+type StorageClassExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/storage_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/storage_client.go
new file mode 100644
index 00000000..b010a58c
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/storage_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/storage/v1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type StorageV1Interface interface {
+	RESTClient() rest.Interface
+	StorageClassesGetter
+}
+
+// StorageV1Client is used to interact with features provided by the storage.k8s.io group.
+type StorageV1Client struct {
+	restClient rest.Interface
+}
+
+func (c *StorageV1Client) StorageClasses() StorageClassInterface {
+	return newStorageClasses(c)
+}
+
+// NewForConfig creates a new StorageV1Client for the given config.
+func NewForConfig(c *rest.Config) (*StorageV1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &StorageV1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new StorageV1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *StorageV1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new StorageV1Client for the given RESTClient.
+func New(c rest.Interface) *StorageV1Client {
+	return &StorageV1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *StorageV1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/storageclass.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/storageclass.go
new file mode 100644
index 00000000..6d9da9b4
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1/storageclass.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	v1 "k8s.io/api/storage/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// StorageClassesGetter has a method to return a StorageClassInterface.
+// A group's client should implement this interface.
+type StorageClassesGetter interface {
+	StorageClasses() StorageClassInterface
+}
+
+// StorageClassInterface has methods to work with StorageClass resources.
+type StorageClassInterface interface {
+	Create(*v1.StorageClass) (*v1.StorageClass, error)
+	Update(*v1.StorageClass) (*v1.StorageClass, error)
+	Delete(name string, options *meta_v1.DeleteOptions) error
+	DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error
+	Get(name string, options meta_v1.GetOptions) (*v1.StorageClass, error)
+	List(opts meta_v1.ListOptions) (*v1.StorageClassList, error)
+	Watch(opts meta_v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.StorageClass, err error)
+	StorageClassExpansion
+}
+
+// storageClasses implements StorageClassInterface
+type storageClasses struct {
+	client rest.Interface
+}
+
+// newStorageClasses returns a StorageClasses
+func newStorageClasses(c *StorageV1Client) *storageClasses {
+	return &storageClasses{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the storageClass, and returns the corresponding storageClass object, and an error if there is any.
+func (c *storageClasses) Get(name string, options meta_v1.GetOptions) (result *v1.StorageClass, err error) {
+	result = &v1.StorageClass{}
+	err = c.client.Get().
+		Resource("storageclasses").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of StorageClasses that match those selectors.
+func (c *storageClasses) List(opts meta_v1.ListOptions) (result *v1.StorageClassList, err error) {
+	result = &v1.StorageClassList{}
+	err = c.client.Get().
+		Resource("storageclasses").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested storageClasses.
+func (c *storageClasses) Watch(opts meta_v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("storageclasses").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a storageClass and creates it.  Returns the server's representation of the storageClass, and an error, if there is any.
+func (c *storageClasses) Create(storageClass *v1.StorageClass) (result *v1.StorageClass, err error) {
+	result = &v1.StorageClass{}
+	err = c.client.Post().
+		Resource("storageclasses").
+		Body(storageClass).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a storageClass and updates it. Returns the server's representation of the storageClass, and an error, if there is any.
+func (c *storageClasses) Update(storageClass *v1.StorageClass) (result *v1.StorageClass, err error) {
+	result = &v1.StorageClass{}
+	err = c.client.Put().
+		Resource("storageclasses").
+		Name(storageClass.Name).
+		Body(storageClass).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the storageClass and deletes it. Returns an error if one occurs.
+func (c *storageClasses) Delete(name string, options *meta_v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("storageclasses").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *storageClasses) DeleteCollection(options *meta_v1.DeleteOptions, listOptions meta_v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("storageclasses").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched storageClass.
+func (c *storageClasses) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1.StorageClass, err error) {
+	result = &v1.StorageClass{}
+	err = c.client.Patch(pt).
+		Resource("storageclasses").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/doc.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/doc.go
new file mode 100644
index 00000000..6bd6c583
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This package is generated by client-gen with custom arguments.
+
+// This package has the automatically generated typed clients.
+package v1beta1
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/generated_expansion.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/generated_expansion.go
new file mode 100644
index 00000000..3aec572f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/generated_expansion.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+type StorageClassExpansion interface{}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/storage_client.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/storage_client.go
new file mode 100644
index 00000000..c4d8baa1
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/storage_client.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/storage/v1beta1"
+	serializer "k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+type StorageV1beta1Interface interface {
+	RESTClient() rest.Interface
+	StorageClassesGetter
+}
+
+// StorageV1beta1Client is used to interact with features provided by the storage.k8s.io group.
+type StorageV1beta1Client struct {
+	restClient rest.Interface
+}
+
+func (c *StorageV1beta1Client) StorageClasses() StorageClassInterface {
+	return newStorageClasses(c)
+}
+
+// NewForConfig creates a new StorageV1beta1Client for the given config.
+func NewForConfig(c *rest.Config) (*StorageV1beta1Client, error) {
+	config := *c
+	if err := setConfigDefaults(&config); err != nil {
+		return nil, err
+	}
+	client, err := rest.RESTClientFor(&config)
+	if err != nil {
+		return nil, err
+	}
+	return &StorageV1beta1Client{client}, nil
+}
+
+// NewForConfigOrDie creates a new StorageV1beta1Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *StorageV1beta1Client {
+	client, err := NewForConfig(c)
+	if err != nil {
+		panic(err)
+	}
+	return client
+}
+
+// New creates a new StorageV1beta1Client for the given RESTClient.
+func New(c rest.Interface) *StorageV1beta1Client {
+	return &StorageV1beta1Client{c}
+}
+
+func setConfigDefaults(config *rest.Config) error {
+	gv := v1beta1.SchemeGroupVersion
+	config.GroupVersion = &gv
+	config.APIPath = "/apis"
+	config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs}
+
+	if config.UserAgent == "" {
+		config.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+
+	return nil
+}
+
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *StorageV1beta1Client) RESTClient() rest.Interface {
+	if c == nil {
+		return nil
+	}
+	return c.restClient
+}
diff --git a/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/storageclass.go b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/storageclass.go
new file mode 100644
index 00000000..bf18a6c8
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/kubernetes/typed/storage/v1beta1/storageclass.go
@@ -0,0 +1,145 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	v1beta1 "k8s.io/api/storage/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+	rest "k8s.io/client-go/rest"
+)
+
+// StorageClassesGetter has a method to return a StorageClassInterface.
+// A group's client should implement this interface.
+type StorageClassesGetter interface {
+	StorageClasses() StorageClassInterface
+}
+
+// StorageClassInterface has methods to work with StorageClass resources.
+type StorageClassInterface interface {
+	Create(*v1beta1.StorageClass) (*v1beta1.StorageClass, error)
+	Update(*v1beta1.StorageClass) (*v1beta1.StorageClass, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1beta1.StorageClass, error)
+	List(opts v1.ListOptions) (*v1beta1.StorageClassList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.StorageClass, err error)
+	StorageClassExpansion
+}
+
+// storageClasses implements StorageClassInterface
+type storageClasses struct {
+	client rest.Interface
+}
+
+// newStorageClasses returns a StorageClasses
+func newStorageClasses(c *StorageV1beta1Client) *storageClasses {
+	return &storageClasses{
+		client: c.RESTClient(),
+	}
+}
+
+// Get takes name of the storageClass, and returns the corresponding storageClass object, and an error if there is any.
+func (c *storageClasses) Get(name string, options v1.GetOptions) (result *v1beta1.StorageClass, err error) {
+	result = &v1beta1.StorageClass{}
+	err = c.client.Get().
+		Resource("storageclasses").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of StorageClasses that match those selectors.
+func (c *storageClasses) List(opts v1.ListOptions) (result *v1beta1.StorageClassList, err error) {
+	result = &v1beta1.StorageClassList{}
+	err = c.client.Get().
+		Resource("storageclasses").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested storageClasses.
+func (c *storageClasses) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Resource("storageclasses").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a storageClass and creates it.  Returns the server's representation of the storageClass, and an error, if there is any.
+func (c *storageClasses) Create(storageClass *v1beta1.StorageClass) (result *v1beta1.StorageClass, err error) {
+	result = &v1beta1.StorageClass{}
+	err = c.client.Post().
+		Resource("storageclasses").
+		Body(storageClass).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a storageClass and updates it. Returns the server's representation of the storageClass, and an error, if there is any.
+func (c *storageClasses) Update(storageClass *v1beta1.StorageClass) (result *v1beta1.StorageClass, err error) {
+	result = &v1beta1.StorageClass{}
+	err = c.client.Put().
+		Resource("storageclasses").
+		Name(storageClass.Name).
+		Body(storageClass).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the storageClass and deletes it. Returns an error if one occurs.
+func (c *storageClasses) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Resource("storageclasses").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *storageClasses) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Resource("storageclasses").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched storageClass.
+func (c *storageClasses) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1beta1.StorageClass, err error) {
+	result = &v1beta1.StorageClass{}
+	err = c.client.Patch(pt).
+		Resource("storageclasses").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}
diff --git a/cli/vendor/k8s.io/client-go/pkg/version/base.go b/cli/vendor/k8s.io/client-go/pkg/version/base.go
new file mode 100644
index 00000000..8cfa8288
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/pkg/version/base.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package version
+
+// Base version information.
+//
+// This is the fallback data used when version information from git is not
+// provided via go ldflags. It provides an approximation of the Kubernetes
+// version for ad-hoc builds (e.g. `go build`) that cannot get the version
+// information from git.
+//
+// If you are looking at these fields in the git tree, they look
+// strange. They are modified on the fly by the build process. The
+// in-tree values are dummy values used for "git archive", which also
+// works for GitHub tar downloads.
+//
+// When releasing a new Kubernetes version, this file is updated by
+// build/mark_new_version.sh to reflect the new version, and then a
+// git annotated tag (using format vX.Y where X == Major version and Y
+// == Minor version) is created to point to the commit that updates
+// pkg/version/base.go
+var (
+	// TODO: Deprecate gitMajor and gitMinor, use only gitVersion
+	// instead. First step in deprecation, keep the fields but make
+	// them irrelevant. (Next we'll take it out, which may muck with
+	// scripts consuming the kubectl version output - but most of
+	// these should be looking at gitVersion already anyways.)
+	gitMajor = "1"  // major version, always numeric
+	gitMinor = "8+" // minor version, numeric possibly followed by "+"
+
+	// semantic version, derived by build scripts (see
+	// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/release/versioning.md
+	// for a detailed discussion of this field)
+	//
+	// TODO: This field is still called "gitVersion" for legacy
+	// reasons. For prerelease versions, the build metadata on the
+	// semantic version is a git hash, but the version itself is no
+	// longer the direct output of "git describe", but a slight
+	// translation to be semver compliant.
+
+	// NOTE: The $Format strings are replaced during 'git archive' thanks to the
+	// companion .gitattributes file containing 'export-subst' in this same
+	// directory.  See also https://git-scm.com/docs/gitattributes
+	gitVersion   = "v0.0.0-master+$Format:%h$"
+	gitCommit    = "$Format:%H$" // sha1 from git, output of $(git rev-parse HEAD)
+	gitTreeState = ""            // state of git tree, either "clean" or "dirty"
+
+	buildDate = "1970-01-01T00:00:00Z" // build date in ISO8601 format, output of $(date -u +'%Y-%m-%dT%H:%M:%SZ')
+)
diff --git a/cli/vendor/k8s.io/client-go/pkg/version/doc.go b/cli/vendor/k8s.io/client-go/pkg/version/doc.go
new file mode 100644
index 00000000..30399fb0
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/pkg/version/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package version supplies version information collected at build time to
+// kubernetes components.
+// +k8s:openapi-gen=true
+package version // import "k8s.io/client-go/pkg/version"
diff --git a/cli/vendor/k8s.io/client-go/pkg/version/version.go b/cli/vendor/k8s.io/client-go/pkg/version/version.go
new file mode 100644
index 00000000..8c8350d1
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/pkg/version/version.go
@@ -0,0 +1,42 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package version
+
+import (
+	"fmt"
+	"runtime"
+
+	apimachineryversion "k8s.io/apimachinery/pkg/version"
+)
+
+// Get returns the overall codebase version. It's for detecting
+// what code a binary was built from.
+func Get() apimachineryversion.Info {
+	// These variables typically come from -ldflags settings and in
+	// their absence fallback to the settings in pkg/version/base.go
+	return apimachineryversion.Info{
+		Major:        gitMajor,
+		Minor:        gitMinor,
+		GitVersion:   gitVersion,
+		GitCommit:    gitCommit,
+		GitTreeState: gitTreeState,
+		BuildDate:    buildDate,
+		GoVersion:    runtime.Version(),
+		Compiler:     runtime.Compiler,
+		Platform:     fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH),
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/client.go b/cli/vendor/k8s.io/client-go/rest/client.go
new file mode 100644
index 00000000..524e0d8e
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/client.go
@@ -0,0 +1,258 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"fmt"
+	"mime"
+	"net/http"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/flowcontrol"
+)
+
+const (
+	// Environment variables: Note that the duration should be long enough that the backoff
+	// persists for some reasonable time (i.e. 120 seconds).  The typical base might be "1".
+	envBackoffBase     = "KUBE_CLIENT_BACKOFF_BASE"
+	envBackoffDuration = "KUBE_CLIENT_BACKOFF_DURATION"
+)
+
+// Interface captures the set of operations for generically interacting with Kubernetes REST apis.
+type Interface interface {
+	GetRateLimiter() flowcontrol.RateLimiter
+	Verb(verb string) *Request
+	Post() *Request
+	Put() *Request
+	Patch(pt types.PatchType) *Request
+	Get() *Request
+	Delete() *Request
+	APIVersion() schema.GroupVersion
+}
+
+// RESTClient imposes common Kubernetes API conventions on a set of resource paths.
+// The baseURL is expected to point to an HTTP or HTTPS path that is the parent
+// of one or more resources.  The server should return a decodable API resource
+// object, or an api.Status object which contains information about the reason for
+// any failure.
+//
+// Most consumers should use client.New() to get a Kubernetes API client.
+type RESTClient struct {
+	// base is the root URL for all invocations of the client
+	base *url.URL
+	// versionedAPIPath is a path segment connecting the base URL to the resource root
+	versionedAPIPath string
+
+	// contentConfig is the information used to communicate with the server.
+	contentConfig ContentConfig
+
+	// serializers contain all serializers for underlying content type.
+	serializers Serializers
+
+	// creates BackoffManager that is passed to requests.
+	createBackoffMgr func() BackoffManager
+
+	// TODO extract this into a wrapper interface via the RESTClient interface in kubectl.
+	Throttle flowcontrol.RateLimiter
+
+	// Set specific behavior of the client.  If not set http.DefaultClient will be used.
+	Client *http.Client
+}
+
+type Serializers struct {
+	Encoder             runtime.Encoder
+	Decoder             runtime.Decoder
+	StreamingSerializer runtime.Serializer
+	Framer              runtime.Framer
+	RenegotiatedDecoder func(contentType string, params map[string]string) (runtime.Decoder, error)
+}
+
+// NewRESTClient creates a new RESTClient. This client performs generic REST functions
+// such as Get, Put, Post, and Delete on specified paths.  Codec controls encoding and
+// decoding of responses from the server.
+func NewRESTClient(baseURL *url.URL, versionedAPIPath string, config ContentConfig, maxQPS float32, maxBurst int, rateLimiter flowcontrol.RateLimiter, client *http.Client) (*RESTClient, error) {
+	base := *baseURL
+	if !strings.HasSuffix(base.Path, "/") {
+		base.Path += "/"
+	}
+	base.RawQuery = ""
+	base.Fragment = ""
+
+	if config.GroupVersion == nil {
+		config.GroupVersion = &schema.GroupVersion{}
+	}
+	if len(config.ContentType) == 0 {
+		config.ContentType = "application/json"
+	}
+	serializers, err := createSerializers(config)
+	if err != nil {
+		return nil, err
+	}
+
+	var throttle flowcontrol.RateLimiter
+	if maxQPS > 0 && rateLimiter == nil {
+		throttle = flowcontrol.NewTokenBucketRateLimiter(maxQPS, maxBurst)
+	} else if rateLimiter != nil {
+		throttle = rateLimiter
+	}
+	return &RESTClient{
+		base:             &base,
+		versionedAPIPath: versionedAPIPath,
+		contentConfig:    config,
+		serializers:      *serializers,
+		createBackoffMgr: readExpBackoffConfig,
+		Throttle:         throttle,
+		Client:           client,
+	}, nil
+}
+
+// GetRateLimiter returns rate limier for a given client, or nil if it's called on a nil client
+func (c *RESTClient) GetRateLimiter() flowcontrol.RateLimiter {
+	if c == nil {
+		return nil
+	}
+	return c.Throttle
+}
+
+// readExpBackoffConfig handles the internal logic of determining what the
+// backoff policy is.  By default if no information is available, NoBackoff.
+// TODO Generalize this see #17727 .
+func readExpBackoffConfig() BackoffManager {
+	backoffBase := os.Getenv(envBackoffBase)
+	backoffDuration := os.Getenv(envBackoffDuration)
+
+	backoffBaseInt, errBase := strconv.ParseInt(backoffBase, 10, 64)
+	backoffDurationInt, errDuration := strconv.ParseInt(backoffDuration, 10, 64)
+	if errBase != nil || errDuration != nil {
+		return &NoBackoff{}
+	}
+	return &URLBackoff{
+		Backoff: flowcontrol.NewBackOff(
+			time.Duration(backoffBaseInt)*time.Second,
+			time.Duration(backoffDurationInt)*time.Second)}
+}
+
+// createSerializers creates all necessary serializers for given contentType.
+// TODO: the negotiated serializer passed to this method should probably return
+//   serializers that control decoding and versioning without this package
+//   being aware of the types. Depends on whether RESTClient must deal with
+//   generic infrastructure.
+func createSerializers(config ContentConfig) (*Serializers, error) {
+	mediaTypes := config.NegotiatedSerializer.SupportedMediaTypes()
+	contentType := config.ContentType
+	mediaType, _, err := mime.ParseMediaType(contentType)
+	if err != nil {
+		return nil, fmt.Errorf("the content type specified in the client configuration is not recognized: %v", err)
+	}
+	info, ok := runtime.SerializerInfoForMediaType(mediaTypes, mediaType)
+	if !ok {
+		if len(contentType) != 0 || len(mediaTypes) == 0 {
+			return nil, fmt.Errorf("no serializers registered for %s", contentType)
+		}
+		info = mediaTypes[0]
+	}
+
+	internalGV := schema.GroupVersions{
+		{
+			Group:   config.GroupVersion.Group,
+			Version: runtime.APIVersionInternal,
+		},
+		// always include the legacy group as a decoding target to handle non-error `Status` return types
+		{
+			Group:   "",
+			Version: runtime.APIVersionInternal,
+		},
+	}
+
+	s := &Serializers{
+		Encoder: config.NegotiatedSerializer.EncoderForVersion(info.Serializer, *config.GroupVersion),
+		Decoder: config.NegotiatedSerializer.DecoderToVersion(info.Serializer, internalGV),
+
+		RenegotiatedDecoder: func(contentType string, params map[string]string) (runtime.Decoder, error) {
+			info, ok := runtime.SerializerInfoForMediaType(mediaTypes, contentType)
+			if !ok {
+				return nil, fmt.Errorf("serializer for %s not registered", contentType)
+			}
+			return config.NegotiatedSerializer.DecoderToVersion(info.Serializer, internalGV), nil
+		},
+	}
+	if info.StreamSerializer != nil {
+		s.StreamingSerializer = info.StreamSerializer.Serializer
+		s.Framer = info.StreamSerializer.Framer
+	}
+
+	return s, nil
+}
+
+// Verb begins a request with a verb (GET, POST, PUT, DELETE).
+//
+// Example usage of RESTClient's request building interface:
+// c, err := NewRESTClient(...)
+// if err != nil { ... }
+// resp, err := c.Verb("GET").
+//  Path("pods").
+//  SelectorParam("labels", "area=staging").
+//  Timeout(10*time.Second).
+//  Do()
+// if err != nil { ... }
+// list, ok := resp.(*api.PodList)
+//
+func (c *RESTClient) Verb(verb string) *Request {
+	backoff := c.createBackoffMgr()
+
+	if c.Client == nil {
+		return NewRequest(nil, verb, c.base, c.versionedAPIPath, c.contentConfig, c.serializers, backoff, c.Throttle)
+	}
+	return NewRequest(c.Client, verb, c.base, c.versionedAPIPath, c.contentConfig, c.serializers, backoff, c.Throttle)
+}
+
+// Post begins a POST request. Short for c.Verb("POST").
+func (c *RESTClient) Post() *Request {
+	return c.Verb("POST")
+}
+
+// Put begins a PUT request. Short for c.Verb("PUT").
+func (c *RESTClient) Put() *Request {
+	return c.Verb("PUT")
+}
+
+// Patch begins a PATCH request. Short for c.Verb("Patch").
+func (c *RESTClient) Patch(pt types.PatchType) *Request {
+	return c.Verb("PATCH").SetHeader("Content-Type", string(pt))
+}
+
+// Get begins a GET request. Short for c.Verb("GET").
+func (c *RESTClient) Get() *Request {
+	return c.Verb("GET")
+}
+
+// Delete begins a DELETE request. Short for c.Verb("DELETE").
+func (c *RESTClient) Delete() *Request {
+	return c.Verb("DELETE")
+}
+
+// APIVersion returns the APIVersion this RESTClient is expected to use.
+func (c *RESTClient) APIVersion() schema.GroupVersion {
+	return *c.contentConfig.GroupVersion
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/config.go b/cli/vendor/k8s.io/client-go/rest/config.go
new file mode 100644
index 00000000..57848c8a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/config.go
@@ -0,0 +1,424 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	gruntime "runtime"
+	"strings"
+	"time"
+
+	"github.com/golang/glog"
+
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/pkg/version"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/client-go/util/flowcontrol"
+)
+
+const (
+	DefaultQPS   float32 = 5.0
+	DefaultBurst int     = 10
+)
+
+// Config holds the common attributes that can be passed to a Kubernetes client on
+// initialization.
+type Config struct {
+	// Host must be a host string, a host:port pair, or a URL to the base of the apiserver.
+	// If a URL is given then the (optional) Path of that URL represents a prefix that must
+	// be appended to all request URIs used to access the apiserver. This allows a frontend
+	// proxy to easily relocate all of the apiserver endpoints.
+	Host string
+	// APIPath is a sub-path that points to an API root.
+	APIPath string
+	// Prefix is the sub path of the server. If not specified, the client will set
+	// a default value.  Use "/" to indicate the server root should be used
+	Prefix string
+
+	// ContentConfig contains settings that affect how objects are transformed when
+	// sent to the server.
+	ContentConfig
+
+	// Server requires Basic authentication
+	Username string
+	Password string
+
+	// Server requires Bearer authentication. This client will not attempt to use
+	// refresh tokens for an OAuth2 flow.
+	// TODO: demonstrate an OAuth2 compatible client.
+	BearerToken string
+
+	// CacheDir is the directory where we'll store HTTP cached responses.
+	// If set to empty string, no caching mechanism will be used.
+	CacheDir string
+
+	// Impersonate is the configuration that RESTClient will use for impersonation.
+	Impersonate ImpersonationConfig
+
+	// Server requires plugin-specified authentication.
+	AuthProvider *clientcmdapi.AuthProviderConfig
+
+	// Callback to persist config for AuthProvider.
+	AuthConfigPersister AuthProviderConfigPersister
+
+	// TLSClientConfig contains settings to enable transport layer security
+	TLSClientConfig
+
+	// UserAgent is an optional field that specifies the caller of this request.
+	UserAgent string
+
+	// Transport may be used for custom HTTP behavior. This attribute may not
+	// be specified with the TLS client certificate options. Use WrapTransport
+	// for most client level operations.
+	Transport http.RoundTripper
+	// WrapTransport will be invoked for custom HTTP behavior after the underlying
+	// transport is initialized (either the transport created from TLSClientConfig,
+	// Transport, or http.DefaultTransport). The config may layer other RoundTrippers
+	// on top of the returned RoundTripper.
+	WrapTransport func(rt http.RoundTripper) http.RoundTripper
+
+	// QPS indicates the maximum QPS to the master from this client.
+	// If it's zero, the created RESTClient will use DefaultQPS: 5
+	QPS float32
+
+	// Maximum burst for throttle.
+	// If it's zero, the created RESTClient will use DefaultBurst: 10.
+	Burst int
+
+	// Rate limiter for limiting connections to the master from this client. If present overwrites QPS/Burst
+	RateLimiter flowcontrol.RateLimiter
+
+	// The maximum length of time to wait before giving up on a server request. A value of zero means no timeout.
+	Timeout time.Duration
+
+	// Dial specifies the dial function for creating unencrypted TCP connections.
+	Dial func(network, addr string) (net.Conn, error)
+
+	// Version forces a specific version to be used (if registered)
+	// Do we need this?
+	// Version string
+}
+
+// ImpersonationConfig has all the available impersonation options
+type ImpersonationConfig struct {
+	// UserName is the username to impersonate on each request.
+	UserName string
+	// Groups are the groups to impersonate on each request.
+	Groups []string
+	// Extra is a free-form field which can be used to link some authentication information
+	// to authorization information.  This field allows you to impersonate it.
+	Extra map[string][]string
+}
+
+// +k8s:deepcopy-gen=true
+// TLSClientConfig contains settings to enable transport layer security
+type TLSClientConfig struct {
+	// Server should be accessed without verifying the TLS certificate. For testing only.
+	Insecure bool
+	// ServerName is passed to the server for SNI and is used in the client to check server
+	// ceritificates against. If ServerName is empty, the hostname used to contact the
+	// server is used.
+	ServerName string
+
+	// Server requires TLS client certificate authentication
+	CertFile string
+	// Server requires TLS client certificate authentication
+	KeyFile string
+	// Trusted root certificates for server
+	CAFile string
+
+	// CertData holds PEM-encoded bytes (typically read from a client certificate file).
+	// CertData takes precedence over CertFile
+	CertData []byte
+	// KeyData holds PEM-encoded bytes (typically read from a client certificate key file).
+	// KeyData takes precedence over KeyFile
+	KeyData []byte
+	// CAData holds PEM-encoded bytes (typically read from a root certificates bundle).
+	// CAData takes precedence over CAFile
+	CAData []byte
+}
+
+type ContentConfig struct {
+	// AcceptContentTypes specifies the types the client will accept and is optional.
+	// If not set, ContentType will be used to define the Accept header
+	AcceptContentTypes string
+	// ContentType specifies the wire format used to communicate with the server.
+	// This value will be set as the Accept header on requests made to the server, and
+	// as the default content type on any object sent to the server. If not set,
+	// "application/json" is used.
+	ContentType string
+	// GroupVersion is the API version to talk to. Must be provided when initializing
+	// a RESTClient directly. When initializing a Client, will be set with the default
+	// code version.
+	GroupVersion *schema.GroupVersion
+	// NegotiatedSerializer is used for obtaining encoders and decoders for multiple
+	// supported media types.
+	NegotiatedSerializer runtime.NegotiatedSerializer
+}
+
+// RESTClientFor returns a RESTClient that satisfies the requested attributes on a client Config
+// object. Note that a RESTClient may require fields that are optional when initializing a Client.
+// A RESTClient created by this method is generic - it expects to operate on an API that follows
+// the Kubernetes conventions, but may not be the Kubernetes API.
+func RESTClientFor(config *Config) (*RESTClient, error) {
+	if config.GroupVersion == nil {
+		return nil, fmt.Errorf("GroupVersion is required when initializing a RESTClient")
+	}
+	if config.NegotiatedSerializer == nil {
+		return nil, fmt.Errorf("NegotiatedSerializer is required when initializing a RESTClient")
+	}
+	qps := config.QPS
+	if config.QPS == 0.0 {
+		qps = DefaultQPS
+	}
+	burst := config.Burst
+	if config.Burst == 0 {
+		burst = DefaultBurst
+	}
+
+	baseURL, versionedAPIPath, err := defaultServerUrlFor(config)
+	if err != nil {
+		return nil, err
+	}
+
+	transport, err := TransportFor(config)
+	if err != nil {
+		return nil, err
+	}
+
+	var httpClient *http.Client
+	if transport != http.DefaultTransport {
+		httpClient = &http.Client{Transport: transport}
+		if config.Timeout > 0 {
+			httpClient.Timeout = config.Timeout
+		}
+	}
+
+	return NewRESTClient(baseURL, versionedAPIPath, config.ContentConfig, qps, burst, config.RateLimiter, httpClient)
+}
+
+// UnversionedRESTClientFor is the same as RESTClientFor, except that it allows
+// the config.Version to be empty.
+func UnversionedRESTClientFor(config *Config) (*RESTClient, error) {
+	if config.NegotiatedSerializer == nil {
+		return nil, fmt.Errorf("NeogitatedSerializer is required when initializing a RESTClient")
+	}
+
+	baseURL, versionedAPIPath, err := defaultServerUrlFor(config)
+	if err != nil {
+		return nil, err
+	}
+
+	transport, err := TransportFor(config)
+	if err != nil {
+		return nil, err
+	}
+
+	var httpClient *http.Client
+	if transport != http.DefaultTransport {
+		httpClient = &http.Client{Transport: transport}
+		if config.Timeout > 0 {
+			httpClient.Timeout = config.Timeout
+		}
+	}
+
+	versionConfig := config.ContentConfig
+	if versionConfig.GroupVersion == nil {
+		v := metav1.SchemeGroupVersion
+		versionConfig.GroupVersion = &v
+	}
+
+	return NewRESTClient(baseURL, versionedAPIPath, versionConfig, config.QPS, config.Burst, config.RateLimiter, httpClient)
+}
+
+// SetKubernetesDefaults sets default values on the provided client config for accessing the
+// Kubernetes API or returns an error if any of the defaults are impossible or invalid.
+func SetKubernetesDefaults(config *Config) error {
+	if len(config.UserAgent) == 0 {
+		config.UserAgent = DefaultKubernetesUserAgent()
+	}
+	return nil
+}
+
+// adjustCommit returns sufficient significant figures of the commit's git hash.
+func adjustCommit(c string) string {
+	if len(c) == 0 {
+		return "unknown"
+	}
+	if len(c) > 7 {
+		return c[:7]
+	}
+	return c
+}
+
+// adjustVersion strips "alpha", "beta", etc. from version in form
+// major.minor.patch-[alpha|beta|etc].
+func adjustVersion(v string) string {
+	if len(v) == 0 {
+		return "unknown"
+	}
+	seg := strings.SplitN(v, "-", 2)
+	return seg[0]
+}
+
+// adjustCommand returns the last component of the
+// OS-specific command path for use in User-Agent.
+func adjustCommand(p string) string {
+	// Unlikely, but better than returning "".
+	if len(p) == 0 {
+		return "unknown"
+	}
+	return filepath.Base(p)
+}
+
+// buildUserAgent builds a User-Agent string from given args.
+func buildUserAgent(command, version, os, arch, commit string) string {
+	return fmt.Sprintf(
+		"%s/%s (%s/%s) kubernetes/%s", command, version, os, arch, commit)
+}
+
+// DefaultKubernetesUserAgent returns a User-Agent string built from static global vars.
+func DefaultKubernetesUserAgent() string {
+	return buildUserAgent(
+		adjustCommand(os.Args[0]),
+		adjustVersion(version.Get().GitVersion),
+		gruntime.GOOS,
+		gruntime.GOARCH,
+		adjustCommit(version.Get().GitCommit))
+}
+
+// InClusterConfig returns a config object which uses the service account
+// kubernetes gives to pods. It's intended for clients that expect to be
+// running inside a pod running on kubernetes. It will return an error if
+// called from a process not running in a kubernetes environment.
+func InClusterConfig() (*Config, error) {
+	host, port := os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT")
+	if len(host) == 0 || len(port) == 0 {
+		return nil, fmt.Errorf("unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined")
+	}
+
+	token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/" + v1.ServiceAccountTokenKey)
+	if err != nil {
+		return nil, err
+	}
+	tlsClientConfig := TLSClientConfig{}
+	rootCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/" + v1.ServiceAccountRootCAKey
+	if _, err := certutil.NewPool(rootCAFile); err != nil {
+		glog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err)
+	} else {
+		tlsClientConfig.CAFile = rootCAFile
+	}
+
+	return &Config{
+		// TODO: switch to using cluster DNS.
+		Host:            "https://" + net.JoinHostPort(host, port),
+		BearerToken:     string(token),
+		TLSClientConfig: tlsClientConfig,
+	}, nil
+}
+
+// IsConfigTransportTLS returns true if and only if the provided
+// config will result in a protected connection to the server when it
+// is passed to restclient.RESTClientFor().  Use to determine when to
+// send credentials over the wire.
+//
+// Note: the Insecure flag is ignored when testing for this value, so MITM attacks are
+// still possible.
+func IsConfigTransportTLS(config Config) bool {
+	baseURL, _, err := defaultServerUrlFor(&config)
+	if err != nil {
+		return false
+	}
+	return baseURL.Scheme == "https"
+}
+
+// LoadTLSFiles copies the data from the CertFile, KeyFile, and CAFile fields into the CertData,
+// KeyData, and CAFile fields, or returns an error. If no error is returned, all three fields are
+// either populated or were empty to start.
+func LoadTLSFiles(c *Config) error {
+	var err error
+	c.CAData, err = dataFromSliceOrFile(c.CAData, c.CAFile)
+	if err != nil {
+		return err
+	}
+
+	c.CertData, err = dataFromSliceOrFile(c.CertData, c.CertFile)
+	if err != nil {
+		return err
+	}
+
+	c.KeyData, err = dataFromSliceOrFile(c.KeyData, c.KeyFile)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// dataFromSliceOrFile returns data from the slice (if non-empty), or from the file,
+// or an error if an error occurred reading the file
+func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
+	if len(data) > 0 {
+		return data, nil
+	}
+	if len(file) > 0 {
+		fileData, err := ioutil.ReadFile(file)
+		if err != nil {
+			return []byte{}, err
+		}
+		return fileData, nil
+	}
+	return nil, nil
+}
+
+func AddUserAgent(config *Config, userAgent string) *Config {
+	fullUserAgent := DefaultKubernetesUserAgent() + "/" + userAgent
+	config.UserAgent = fullUserAgent
+	return config
+}
+
+// AnonymousClientConfig returns a copy of the given config with all user credentials (cert/key, bearer token, and username/password) removed
+func AnonymousClientConfig(config *Config) *Config {
+	// copy only known safe fields
+	return &Config{
+		Host:          config.Host,
+		APIPath:       config.APIPath,
+		Prefix:        config.Prefix,
+		ContentConfig: config.ContentConfig,
+		TLSClientConfig: TLSClientConfig{
+			Insecure:   config.Insecure,
+			ServerName: config.ServerName,
+			CAFile:     config.TLSClientConfig.CAFile,
+			CAData:     config.TLSClientConfig.CAData,
+		},
+		RateLimiter:   config.RateLimiter,
+		UserAgent:     config.UserAgent,
+		Transport:     config.Transport,
+		WrapTransport: config.WrapTransport,
+		QPS:           config.QPS,
+		Burst:         config.Burst,
+		Timeout:       config.Timeout,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/plugin.go b/cli/vendor/k8s.io/client-go/rest/plugin.go
new file mode 100644
index 00000000..cf8fbabf
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/plugin.go
@@ -0,0 +1,73 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"fmt"
+	"net/http"
+	"sync"
+
+	"github.com/golang/glog"
+
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+type AuthProvider interface {
+	// WrapTransport allows the plugin to create a modified RoundTripper that
+	// attaches authorization headers (or other info) to requests.
+	WrapTransport(http.RoundTripper) http.RoundTripper
+	// Login allows the plugin to initialize its configuration. It must not
+	// require direct user interaction.
+	Login() error
+}
+
+// Factory generates an AuthProvider plugin.
+//  clusterAddress is the address of the current cluster.
+//  config is the initial configuration for this plugin.
+//  persister allows the plugin to save updated configuration.
+type Factory func(clusterAddress string, config map[string]string, persister AuthProviderConfigPersister) (AuthProvider, error)
+
+// AuthProviderConfigPersister allows a plugin to persist configuration info
+// for just itself.
+type AuthProviderConfigPersister interface {
+	Persist(map[string]string) error
+}
+
+// All registered auth provider plugins.
+var pluginsLock sync.Mutex
+var plugins = make(map[string]Factory)
+
+func RegisterAuthProviderPlugin(name string, plugin Factory) error {
+	pluginsLock.Lock()
+	defer pluginsLock.Unlock()
+	if _, found := plugins[name]; found {
+		return fmt.Errorf("Auth Provider Plugin %q was registered twice", name)
+	}
+	glog.V(4).Infof("Registered Auth Provider Plugin %q", name)
+	plugins[name] = plugin
+	return nil
+}
+
+func GetAuthProvider(clusterAddress string, apc *clientcmdapi.AuthProviderConfig, persister AuthProviderConfigPersister) (AuthProvider, error) {
+	pluginsLock.Lock()
+	defer pluginsLock.Unlock()
+	p, ok := plugins[apc.Name]
+	if !ok {
+		return nil, fmt.Errorf("No Auth Provider found for name %q", apc.Name)
+	}
+	return p(clusterAddress, apc.Config, persister)
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/request.go b/cli/vendor/k8s.io/client-go/rest/request.go
new file mode 100644
index 00000000..1709824a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/request.go
@@ -0,0 +1,1095 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"bytes"
+	"context"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"mime"
+	"net/http"
+	"net/url"
+	"path"
+	"reflect"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/golang/glog"
+	"golang.org/x/net/http2"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer/streaming"
+	"k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apimachinery/pkg/watch"
+	restclientwatch "k8s.io/client-go/rest/watch"
+	"k8s.io/client-go/tools/metrics"
+	"k8s.io/client-go/util/flowcontrol"
+)
+
+var (
+	// longThrottleLatency defines threshold for logging requests. All requests being
+	// throttle for more than longThrottleLatency will be logged.
+	longThrottleLatency = 50 * time.Millisecond
+)
+
+// HTTPClient is an interface for testing a request object.
+type HTTPClient interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
+// ResponseWrapper is an interface for getting a response.
+// The response may be either accessed as a raw data (the whole output is put into memory) or as a stream.
+type ResponseWrapper interface {
+	DoRaw() ([]byte, error)
+	Stream() (io.ReadCloser, error)
+}
+
+// RequestConstructionError is returned when there's an error assembling a request.
+type RequestConstructionError struct {
+	Err error
+}
+
+// Error returns a textual description of 'r'.
+func (r *RequestConstructionError) Error() string {
+	return fmt.Sprintf("request construction error: '%v'", r.Err)
+}
+
+// Request allows for building up a request to a server in a chained fashion.
+// Any errors are stored until the end of your call, so you only have to
+// check once.
+type Request struct {
+	// required
+	client HTTPClient
+	verb   string
+
+	baseURL     *url.URL
+	content     ContentConfig
+	serializers Serializers
+
+	// generic components accessible via method setters
+	pathPrefix string
+	subpath    string
+	params     url.Values
+	headers    http.Header
+
+	// structural elements of the request that are part of the Kubernetes API conventions
+	namespace    string
+	namespaceSet bool
+	resource     string
+	resourceName string
+	subresource  string
+	timeout      time.Duration
+
+	// output
+	err  error
+	body io.Reader
+
+	// This is only used for per-request timeouts, deadlines, and cancellations.
+	ctx context.Context
+
+	backoffMgr BackoffManager
+	throttle   flowcontrol.RateLimiter
+}
+
+// NewRequest creates a new request helper object for accessing runtime.Objects on a server.
+func NewRequest(client HTTPClient, verb string, baseURL *url.URL, versionedAPIPath string, content ContentConfig, serializers Serializers, backoff BackoffManager, throttle flowcontrol.RateLimiter) *Request {
+	if backoff == nil {
+		glog.V(2).Infof("Not implementing request backoff strategy.")
+		backoff = &NoBackoff{}
+	}
+
+	pathPrefix := "/"
+	if baseURL != nil {
+		pathPrefix = path.Join(pathPrefix, baseURL.Path)
+	}
+	r := &Request{
+		client:      client,
+		verb:        verb,
+		baseURL:     baseURL,
+		pathPrefix:  path.Join(pathPrefix, versionedAPIPath),
+		content:     content,
+		serializers: serializers,
+		backoffMgr:  backoff,
+		throttle:    throttle,
+	}
+	switch {
+	case len(content.AcceptContentTypes) > 0:
+		r.SetHeader("Accept", content.AcceptContentTypes)
+	case len(content.ContentType) > 0:
+		r.SetHeader("Accept", content.ContentType+", */*")
+	}
+	return r
+}
+
+// Prefix adds segments to the relative beginning to the request path. These
+// items will be placed before the optional Namespace, Resource, or Name sections.
+// Setting AbsPath will clear any previously set Prefix segments
+func (r *Request) Prefix(segments ...string) *Request {
+	if r.err != nil {
+		return r
+	}
+	r.pathPrefix = path.Join(r.pathPrefix, path.Join(segments...))
+	return r
+}
+
+// Suffix appends segments to the end of the path. These items will be placed after the prefix and optional
+// Namespace, Resource, or Name sections.
+func (r *Request) Suffix(segments ...string) *Request {
+	if r.err != nil {
+		return r
+	}
+	r.subpath = path.Join(r.subpath, path.Join(segments...))
+	return r
+}
+
+// Resource sets the resource to access (<resource>/[ns/<namespace>/]<name>)
+func (r *Request) Resource(resource string) *Request {
+	if r.err != nil {
+		return r
+	}
+	if len(r.resource) != 0 {
+		r.err = fmt.Errorf("resource already set to %q, cannot change to %q", r.resource, resource)
+		return r
+	}
+	if msgs := IsValidPathSegmentName(resource); len(msgs) != 0 {
+		r.err = fmt.Errorf("invalid resource %q: %v", resource, msgs)
+		return r
+	}
+	r.resource = resource
+	return r
+}
+
+// SubResource sets a sub-resource path which can be multiple segments segment after the resource
+// name but before the suffix.
+func (r *Request) SubResource(subresources ...string) *Request {
+	if r.err != nil {
+		return r
+	}
+	subresource := path.Join(subresources...)
+	if len(r.subresource) != 0 {
+		r.err = fmt.Errorf("subresource already set to %q, cannot change to %q", r.resource, subresource)
+		return r
+	}
+	for _, s := range subresources {
+		if msgs := IsValidPathSegmentName(s); len(msgs) != 0 {
+			r.err = fmt.Errorf("invalid subresource %q: %v", s, msgs)
+			return r
+		}
+	}
+	r.subresource = subresource
+	return r
+}
+
+// Name sets the name of a resource to access (<resource>/[ns/<namespace>/]<name>)
+func (r *Request) Name(resourceName string) *Request {
+	if r.err != nil {
+		return r
+	}
+	if len(resourceName) == 0 {
+		r.err = fmt.Errorf("resource name may not be empty")
+		return r
+	}
+	if len(r.resourceName) != 0 {
+		r.err = fmt.Errorf("resource name already set to %q, cannot change to %q", r.resourceName, resourceName)
+		return r
+	}
+	if msgs := IsValidPathSegmentName(resourceName); len(msgs) != 0 {
+		r.err = fmt.Errorf("invalid resource name %q: %v", resourceName, msgs)
+		return r
+	}
+	r.resourceName = resourceName
+	return r
+}
+
+// Namespace applies the namespace scope to a request (<resource>/[ns/<namespace>/]<name>)
+func (r *Request) Namespace(namespace string) *Request {
+	if r.err != nil {
+		return r
+	}
+	if r.namespaceSet {
+		r.err = fmt.Errorf("namespace already set to %q, cannot change to %q", r.namespace, namespace)
+		return r
+	}
+	if msgs := IsValidPathSegmentName(namespace); len(msgs) != 0 {
+		r.err = fmt.Errorf("invalid namespace %q: %v", namespace, msgs)
+		return r
+	}
+	r.namespaceSet = true
+	r.namespace = namespace
+	return r
+}
+
+// NamespaceIfScoped is a convenience function to set a namespace if scoped is true
+func (r *Request) NamespaceIfScoped(namespace string, scoped bool) *Request {
+	if scoped {
+		return r.Namespace(namespace)
+	}
+	return r
+}
+
+// AbsPath overwrites an existing path with the segments provided. Trailing slashes are preserved
+// when a single segment is passed.
+func (r *Request) AbsPath(segments ...string) *Request {
+	if r.err != nil {
+		return r
+	}
+	r.pathPrefix = path.Join(r.baseURL.Path, path.Join(segments...))
+	if len(segments) == 1 && (len(r.baseURL.Path) > 1 || len(segments[0]) > 1) && strings.HasSuffix(segments[0], "/") {
+		// preserve any trailing slashes for legacy behavior
+		r.pathPrefix += "/"
+	}
+	return r
+}
+
+// RequestURI overwrites existing path and parameters with the value of the provided server relative
+// URI.
+func (r *Request) RequestURI(uri string) *Request {
+	if r.err != nil {
+		return r
+	}
+	locator, err := url.Parse(uri)
+	if err != nil {
+		r.err = err
+		return r
+	}
+	r.pathPrefix = locator.Path
+	if len(locator.Query()) > 0 {
+		if r.params == nil {
+			r.params = make(url.Values)
+		}
+		for k, v := range locator.Query() {
+			r.params[k] = v
+		}
+	}
+	return r
+}
+
+// Param creates a query parameter with the given string value.
+func (r *Request) Param(paramName, s string) *Request {
+	if r.err != nil {
+		return r
+	}
+	return r.setParam(paramName, s)
+}
+
+// VersionedParams will take the provided object, serialize it to a map[string][]string using the
+// implicit RESTClient API version and the default parameter codec, and then add those as parameters
+// to the request. Use this to provide versioned query parameters from client libraries.
+// VersionedParams will not write query parameters that have omitempty set and are empty. If a
+// parameter has already been set it is appended to (Params and VersionedParams are additive).
+func (r *Request) VersionedParams(obj runtime.Object, codec runtime.ParameterCodec) *Request {
+	if r.err != nil {
+		return r
+	}
+	params, err := codec.EncodeParameters(obj, *r.content.GroupVersion)
+	if err != nil {
+		r.err = err
+		return r
+	}
+	for k, v := range params {
+		if r.params == nil {
+			r.params = make(url.Values)
+		}
+		r.params[k] = append(r.params[k], v...)
+	}
+	return r
+}
+
+func (r *Request) setParam(paramName, value string) *Request {
+	if r.params == nil {
+		r.params = make(url.Values)
+	}
+	r.params[paramName] = append(r.params[paramName], value)
+	return r
+}
+
+func (r *Request) SetHeader(key string, values ...string) *Request {
+	if r.headers == nil {
+		r.headers = http.Header{}
+	}
+	r.headers.Del(key)
+	for _, value := range values {
+		r.headers.Add(key, value)
+	}
+	return r
+}
+
+// Timeout makes the request use the given duration as a timeout. Sets the "timeout"
+// parameter.
+func (r *Request) Timeout(d time.Duration) *Request {
+	if r.err != nil {
+		return r
+	}
+	r.timeout = d
+	return r
+}
+
+// Body makes the request use obj as the body. Optional.
+// If obj is a string, try to read a file of that name.
+// If obj is a []byte, send it directly.
+// If obj is an io.Reader, use it directly.
+// If obj is a runtime.Object, marshal it correctly, and set Content-Type header.
+// If obj is a runtime.Object and nil, do nothing.
+// Otherwise, set an error.
+func (r *Request) Body(obj interface{}) *Request {
+	if r.err != nil {
+		return r
+	}
+	switch t := obj.(type) {
+	case string:
+		data, err := ioutil.ReadFile(t)
+		if err != nil {
+			r.err = err
+			return r
+		}
+		glogBody("Request Body", data)
+		r.body = bytes.NewReader(data)
+	case []byte:
+		glogBody("Request Body", t)
+		r.body = bytes.NewReader(t)
+	case io.Reader:
+		r.body = t
+	case runtime.Object:
+		// callers may pass typed interface pointers, therefore we must check nil with reflection
+		if reflect.ValueOf(t).IsNil() {
+			return r
+		}
+		data, err := runtime.Encode(r.serializers.Encoder, t)
+		if err != nil {
+			r.err = err
+			return r
+		}
+		glogBody("Request Body", data)
+		r.body = bytes.NewReader(data)
+		r.SetHeader("Content-Type", r.content.ContentType)
+	default:
+		r.err = fmt.Errorf("unknown type used for body: %+v", obj)
+	}
+	return r
+}
+
+// Context adds a context to the request. Contexts are only used for
+// timeouts, deadlines, and cancellations.
+func (r *Request) Context(ctx context.Context) *Request {
+	r.ctx = ctx
+	return r
+}
+
+// URL returns the current working URL.
+func (r *Request) URL() *url.URL {
+	p := r.pathPrefix
+	if r.namespaceSet && len(r.namespace) > 0 {
+		p = path.Join(p, "namespaces", r.namespace)
+	}
+	if len(r.resource) != 0 {
+		p = path.Join(p, strings.ToLower(r.resource))
+	}
+	// Join trims trailing slashes, so preserve r.pathPrefix's trailing slash for backwards compatibility if nothing was changed
+	if len(r.resourceName) != 0 || len(r.subpath) != 0 || len(r.subresource) != 0 {
+		p = path.Join(p, r.resourceName, r.subresource, r.subpath)
+	}
+
+	finalURL := &url.URL{}
+	if r.baseURL != nil {
+		*finalURL = *r.baseURL
+	}
+	finalURL.Path = p
+
+	query := url.Values{}
+	for key, values := range r.params {
+		for _, value := range values {
+			query.Add(key, value)
+		}
+	}
+
+	// timeout is handled specially here.
+	if r.timeout != 0 {
+		query.Set("timeout", r.timeout.String())
+	}
+	finalURL.RawQuery = query.Encode()
+	return finalURL
+}
+
+// finalURLTemplate is similar to URL(), but will make all specific parameter values equal
+// - instead of name or namespace, "{name}" and "{namespace}" will be used, and all query
+// parameters will be reset. This creates a copy of the request so as not to change the
+// underlying object.  This means some useful request info (like the types of field
+// selectors in use) will be lost.
+// TODO: preserve field selector keys
+func (r Request) finalURLTemplate() url.URL {
+	if len(r.resourceName) != 0 {
+		r.resourceName = "{name}"
+	}
+	if r.namespaceSet && len(r.namespace) != 0 {
+		r.namespace = "{namespace}"
+	}
+	newParams := url.Values{}
+	v := []string{"{value}"}
+	for k := range r.params {
+		newParams[k] = v
+	}
+	r.params = newParams
+	url := r.URL()
+	return *url
+}
+
+func (r *Request) tryThrottle() {
+	now := time.Now()
+	if r.throttle != nil {
+		r.throttle.Accept()
+	}
+	if latency := time.Since(now); latency > longThrottleLatency {
+		glog.V(4).Infof("Throttling request took %v, request: %s:%s", latency, r.verb, r.URL().String())
+	}
+}
+
+// Watch attempts to begin watching the requested location.
+// Returns a watch.Interface, or an error.
+func (r *Request) Watch() (watch.Interface, error) {
+	// We specifically don't want to rate limit watches, so we
+	// don't use r.throttle here.
+	if r.err != nil {
+		return nil, r.err
+	}
+	if r.serializers.Framer == nil {
+		return nil, fmt.Errorf("watching resources is not possible with this client (content-type: %s)", r.content.ContentType)
+	}
+
+	url := r.URL().String()
+	req, err := http.NewRequest(r.verb, url, r.body)
+	if err != nil {
+		return nil, err
+	}
+	if r.ctx != nil {
+		req = req.WithContext(r.ctx)
+	}
+	req.Header = r.headers
+	client := r.client
+	if client == nil {
+		client = http.DefaultClient
+	}
+	r.backoffMgr.Sleep(r.backoffMgr.CalculateBackoff(r.URL()))
+	resp, err := client.Do(req)
+	updateURLMetrics(r, resp, err)
+	if r.baseURL != nil {
+		if err != nil {
+			r.backoffMgr.UpdateBackoff(r.baseURL, err, 0)
+		} else {
+			r.backoffMgr.UpdateBackoff(r.baseURL, err, resp.StatusCode)
+		}
+	}
+	if err != nil {
+		// The watch stream mechanism handles many common partial data errors, so closed
+		// connections can be retried in many cases.
+		if net.IsProbableEOF(err) {
+			return watch.NewEmptyWatch(), nil
+		}
+		return nil, err
+	}
+	if resp.StatusCode != http.StatusOK {
+		defer resp.Body.Close()
+		if result := r.transformResponse(resp, req); result.err != nil {
+			return nil, result.err
+		}
+		return nil, fmt.Errorf("for request '%+v', got status: %v", url, resp.StatusCode)
+	}
+	framer := r.serializers.Framer.NewFrameReader(resp.Body)
+	decoder := streaming.NewDecoder(framer, r.serializers.StreamingSerializer)
+	return watch.NewStreamWatcher(restclientwatch.NewDecoder(decoder, r.serializers.Decoder)), nil
+}
+
+// updateURLMetrics is a convenience function for pushing metrics.
+// It also handles corner cases for incomplete/invalid request data.
+func updateURLMetrics(req *Request, resp *http.Response, err error) {
+	url := "none"
+	if req.baseURL != nil {
+		url = req.baseURL.Host
+	}
+
+	// Errors can be arbitrary strings. Unbound label cardinality is not suitable for a metric
+	// system so we just report them as `<error>`.
+	if err != nil {
+		metrics.RequestResult.Increment("<error>", req.verb, url)
+	} else {
+		//Metrics for failure codes
+		metrics.RequestResult.Increment(strconv.Itoa(resp.StatusCode), req.verb, url)
+	}
+}
+
+// Stream formats and executes the request, and offers streaming of the response.
+// Returns io.ReadCloser which could be used for streaming of the response, or an error
+// Any non-2xx http status code causes an error.  If we get a non-2xx code, we try to convert the body into an APIStatus object.
+// If we can, we return that as an error.  Otherwise, we create an error that lists the http status and the content of the response.
+func (r *Request) Stream() (io.ReadCloser, error) {
+	if r.err != nil {
+		return nil, r.err
+	}
+
+	r.tryThrottle()
+
+	url := r.URL().String()
+	req, err := http.NewRequest(r.verb, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	if r.ctx != nil {
+		req = req.WithContext(r.ctx)
+	}
+	req.Header = r.headers
+	client := r.client
+	if client == nil {
+		client = http.DefaultClient
+	}
+	r.backoffMgr.Sleep(r.backoffMgr.CalculateBackoff(r.URL()))
+	resp, err := client.Do(req)
+	updateURLMetrics(r, resp, err)
+	if r.baseURL != nil {
+		if err != nil {
+			r.backoffMgr.UpdateBackoff(r.URL(), err, 0)
+		} else {
+			r.backoffMgr.UpdateBackoff(r.URL(), err, resp.StatusCode)
+		}
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	switch {
+	case (resp.StatusCode >= 200) && (resp.StatusCode < 300):
+		return resp.Body, nil
+
+	default:
+		// ensure we close the body before returning the error
+		defer resp.Body.Close()
+
+		result := r.transformResponse(resp, req)
+		err := result.Error()
+		if err == nil {
+			err = fmt.Errorf("%d while accessing %v: %s", result.statusCode, url, string(result.body))
+		}
+		return nil, err
+	}
+}
+
+// request connects to the server and invokes the provided function when a server response is
+// received. It handles retry behavior and up front validation of requests. It will invoke
+// fn at most once. It will return an error if a problem occurred prior to connecting to the
+// server - the provided function is responsible for handling server errors.
+func (r *Request) request(fn func(*http.Request, *http.Response)) error {
+	//Metrics for total request latency
+	start := time.Now()
+	defer func() {
+		metrics.RequestLatency.Observe(r.verb, r.finalURLTemplate(), time.Since(start))
+	}()
+
+	if r.err != nil {
+		glog.V(4).Infof("Error in request: %v", r.err)
+		return r.err
+	}
+
+	// TODO: added to catch programmer errors (invoking operations with an object with an empty namespace)
+	if (r.verb == "GET" || r.verb == "PUT" || r.verb == "DELETE") && r.namespaceSet && len(r.resourceName) > 0 && len(r.namespace) == 0 {
+		return fmt.Errorf("an empty namespace may not be set when a resource name is provided")
+	}
+	if (r.verb == "POST") && r.namespaceSet && len(r.namespace) == 0 {
+		return fmt.Errorf("an empty namespace may not be set during creation")
+	}
+
+	client := r.client
+	if client == nil {
+		client = http.DefaultClient
+	}
+
+	// Right now we make about ten retry attempts if we get a Retry-After response.
+	// TODO: Change to a timeout based approach.
+	maxRetries := 10
+	retries := 0
+	for {
+		url := r.URL().String()
+		req, err := http.NewRequest(r.verb, url, r.body)
+		if err != nil {
+			return err
+		}
+		if r.ctx != nil {
+			req = req.WithContext(r.ctx)
+		}
+		req.Header = r.headers
+
+		r.backoffMgr.Sleep(r.backoffMgr.CalculateBackoff(r.URL()))
+		if retries > 0 {
+			// We are retrying the request that we already send to apiserver
+			// at least once before.
+			// This request should also be throttled with the client-internal throttler.
+			r.tryThrottle()
+		}
+		resp, err := client.Do(req)
+		updateURLMetrics(r, resp, err)
+		if err != nil {
+			r.backoffMgr.UpdateBackoff(r.URL(), err, 0)
+		} else {
+			r.backoffMgr.UpdateBackoff(r.URL(), err, resp.StatusCode)
+		}
+		if err != nil {
+			// "Connection reset by peer" is usually a transient error.
+			// Thus in case of "GET" operations, we simply retry it.
+			// We are not automatically retrying "write" operations, as
+			// they are not idempotent.
+			if !net.IsConnectionReset(err) || r.verb != "GET" {
+				return err
+			}
+			// For the purpose of retry, we set the artificial "retry-after" response.
+			// TODO: Should we clean the original response if it exists?
+			resp = &http.Response{
+				StatusCode: http.StatusInternalServerError,
+				Header:     http.Header{"Retry-After": []string{"1"}},
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte{})),
+			}
+		}
+
+		done := func() bool {
+			// Ensure the response body is fully read and closed
+			// before we reconnect, so that we reuse the same TCP
+			// connection.
+			defer func() {
+				const maxBodySlurpSize = 2 << 10
+				if resp.ContentLength <= maxBodySlurpSize {
+					io.Copy(ioutil.Discard, &io.LimitedReader{R: resp.Body, N: maxBodySlurpSize})
+				}
+				resp.Body.Close()
+			}()
+
+			retries++
+			if seconds, wait := checkWait(resp); wait && retries < maxRetries {
+				if seeker, ok := r.body.(io.Seeker); ok && r.body != nil {
+					_, err := seeker.Seek(0, 0)
+					if err != nil {
+						glog.V(4).Infof("Could not retry request, can't Seek() back to beginning of body for %T", r.body)
+						fn(req, resp)
+						return true
+					}
+				}
+
+				glog.V(4).Infof("Got a Retry-After %s response for attempt %d to %v", seconds, retries, url)
+				r.backoffMgr.Sleep(time.Duration(seconds) * time.Second)
+				return false
+			}
+			fn(req, resp)
+			return true
+		}()
+		if done {
+			return nil
+		}
+	}
+}
+
+// Do formats and executes the request. Returns a Result object for easy response
+// processing.
+//
+// Error type:
+//  * If the request can't be constructed, or an error happened earlier while building its
+//    arguments: *RequestConstructionError
+//  * If the server responds with a status: *errors.StatusError or *errors.UnexpectedObjectError
+//  * http.Client.Do errors are returned directly.
+func (r *Request) Do() Result {
+	r.tryThrottle()
+
+	var result Result
+	err := r.request(func(req *http.Request, resp *http.Response) {
+		result = r.transformResponse(resp, req)
+	})
+	if err != nil {
+		return Result{err: err}
+	}
+	return result
+}
+
+// DoRaw executes the request but does not process the response body.
+func (r *Request) DoRaw() ([]byte, error) {
+	r.tryThrottle()
+
+	var result Result
+	err := r.request(func(req *http.Request, resp *http.Response) {
+		result.body, result.err = ioutil.ReadAll(resp.Body)
+		glogBody("Response Body", result.body)
+		if resp.StatusCode < http.StatusOK || resp.StatusCode > http.StatusPartialContent {
+			result.err = r.transformUnstructuredResponseError(resp, req, result.body)
+		}
+	})
+	if err != nil {
+		return nil, err
+	}
+	return result.body, result.err
+}
+
+// transformResponse converts an API response into a structured API object
+func (r *Request) transformResponse(resp *http.Response, req *http.Request) Result {
+	var body []byte
+	if resp.Body != nil {
+		data, err := ioutil.ReadAll(resp.Body)
+		switch err.(type) {
+		case nil:
+			body = data
+		case http2.StreamError:
+			// This is trying to catch the scenario that the server may close the connection when sending the
+			// response body. This can be caused by server timeout due to a slow network connection.
+			// TODO: Add test for this. Steps may be:
+			// 1. client-go (or kubectl) sends a GET request.
+			// 2. Apiserver sends back the headers and then part of the body
+			// 3. Apiserver closes connection.
+			// 4. client-go should catch this and return an error.
+			glog.V(2).Infof("Stream error %#v when reading response body, may be caused by closed connection.", err)
+			streamErr := fmt.Errorf("Stream error %#v when reading response body, may be caused by closed connection. Please retry.", err)
+			return Result{
+				err: streamErr,
+			}
+		default:
+			glog.Errorf("Unexpected error when reading response body: %#v", err)
+			unexpectedErr := fmt.Errorf("Unexpected error %#v when reading response body. Please retry.", err)
+			return Result{
+				err: unexpectedErr,
+			}
+		}
+	}
+
+	glogBody("Response Body", body)
+
+	// verify the content type is accurate
+	contentType := resp.Header.Get("Content-Type")
+	decoder := r.serializers.Decoder
+	if len(contentType) > 0 && (decoder == nil || (len(r.content.ContentType) > 0 && contentType != r.content.ContentType)) {
+		mediaType, params, err := mime.ParseMediaType(contentType)
+		if err != nil {
+			return Result{err: errors.NewInternalError(err)}
+		}
+		decoder, err = r.serializers.RenegotiatedDecoder(mediaType, params)
+		if err != nil {
+			// if we fail to negotiate a decoder, treat this as an unstructured error
+			switch {
+			case resp.StatusCode == http.StatusSwitchingProtocols:
+				// no-op, we've been upgraded
+			case resp.StatusCode < http.StatusOK || resp.StatusCode > http.StatusPartialContent:
+				return Result{err: r.transformUnstructuredResponseError(resp, req, body)}
+			}
+			return Result{
+				body:        body,
+				contentType: contentType,
+				statusCode:  resp.StatusCode,
+			}
+		}
+	}
+
+	switch {
+	case resp.StatusCode == http.StatusSwitchingProtocols:
+		// no-op, we've been upgraded
+	case resp.StatusCode < http.StatusOK || resp.StatusCode > http.StatusPartialContent:
+		// calculate an unstructured error from the response which the Result object may use if the caller
+		// did not return a structured error.
+		retryAfter, _ := retryAfterSeconds(resp)
+		err := r.newUnstructuredResponseError(body, isTextResponse(resp), resp.StatusCode, req.Method, retryAfter)
+		return Result{
+			body:        body,
+			contentType: contentType,
+			statusCode:  resp.StatusCode,
+			decoder:     decoder,
+			err:         err,
+		}
+	}
+
+	return Result{
+		body:        body,
+		contentType: contentType,
+		statusCode:  resp.StatusCode,
+		decoder:     decoder,
+	}
+}
+
+// glogBody logs a body output that could be either JSON or protobuf. It explicitly guards against
+// allocating a new string for the body output unless necessary. Uses a simple heuristic to determine
+// whether the body is printable.
+func glogBody(prefix string, body []byte) {
+	if glog.V(8) {
+		if bytes.IndexFunc(body, func(r rune) bool {
+			return r < 0x0a
+		}) != -1 {
+			glog.Infof("%s:\n%s", prefix, hex.Dump(body))
+		} else {
+			glog.Infof("%s: %s", prefix, string(body))
+		}
+	}
+}
+
+// maxUnstructuredResponseTextBytes is an upper bound on how much output to include in the unstructured error.
+const maxUnstructuredResponseTextBytes = 2048
+
+// transformUnstructuredResponseError handles an error from the server that is not in a structured form.
+// It is expected to transform any response that is not recognizable as a clear server sent error from the
+// K8S API using the information provided with the request. In practice, HTTP proxies and client libraries
+// introduce a level of uncertainty to the responses returned by servers that in common use result in
+// unexpected responses. The rough structure is:
+//
+// 1. Assume the server sends you something sane - JSON + well defined error objects + proper codes
+//    - this is the happy path
+//    - when you get this output, trust what the server sends
+// 2. Guard against empty fields / bodies in received JSON and attempt to cull sufficient info from them to
+//    generate a reasonable facsimile of the original failure.
+//    - Be sure to use a distinct error type or flag that allows a client to distinguish between this and error 1 above
+// 3. Handle true disconnect failures / completely malformed data by moving up to a more generic client error
+// 4. Distinguish between various connection failures like SSL certificates, timeouts, proxy errors, unexpected
+//    initial contact, the presence of mismatched body contents from posted content types
+//    - Give these a separate distinct error type and capture as much as possible of the original message
+//
+// TODO: introduce transformation of generic http.Client.Do() errors that separates 4.
+func (r *Request) transformUnstructuredResponseError(resp *http.Response, req *http.Request, body []byte) error {
+	if body == nil && resp.Body != nil {
+		if data, err := ioutil.ReadAll(&io.LimitedReader{R: resp.Body, N: maxUnstructuredResponseTextBytes}); err == nil {
+			body = data
+		}
+	}
+	retryAfter, _ := retryAfterSeconds(resp)
+	return r.newUnstructuredResponseError(body, isTextResponse(resp), resp.StatusCode, req.Method, retryAfter)
+}
+
+// newUnstructuredResponseError instantiates the appropriate generic error for the provided input. It also logs the body.
+func (r *Request) newUnstructuredResponseError(body []byte, isTextResponse bool, statusCode int, method string, retryAfter int) error {
+	// cap the amount of output we create
+	if len(body) > maxUnstructuredResponseTextBytes {
+		body = body[:maxUnstructuredResponseTextBytes]
+	}
+
+	message := "unknown"
+	if isTextResponse {
+		message = strings.TrimSpace(string(body))
+	}
+	var groupResource schema.GroupResource
+	if len(r.resource) > 0 {
+		groupResource.Group = r.content.GroupVersion.Group
+		groupResource.Resource = r.resource
+	}
+	return errors.NewGenericServerResponse(
+		statusCode,
+		method,
+		groupResource,
+		r.resourceName,
+		message,
+		retryAfter,
+		true,
+	)
+}
+
+// isTextResponse returns true if the response appears to be a textual media type.
+func isTextResponse(resp *http.Response) bool {
+	contentType := resp.Header.Get("Content-Type")
+	if len(contentType) == 0 {
+		return true
+	}
+	media, _, err := mime.ParseMediaType(contentType)
+	if err != nil {
+		return false
+	}
+	return strings.HasPrefix(media, "text/")
+}
+
+// checkWait returns true along with a number of seconds if the server instructed us to wait
+// before retrying.
+func checkWait(resp *http.Response) (int, bool) {
+	switch r := resp.StatusCode; {
+	// any 500 error code and 429 can trigger a wait
+	case r == http.StatusTooManyRequests, r >= 500:
+	default:
+		return 0, false
+	}
+	i, ok := retryAfterSeconds(resp)
+	return i, ok
+}
+
+// retryAfterSeconds returns the value of the Retry-After header and true, or 0 and false if
+// the header was missing or not a valid number.
+func retryAfterSeconds(resp *http.Response) (int, bool) {
+	if h := resp.Header.Get("Retry-After"); len(h) > 0 {
+		if i, err := strconv.Atoi(h); err == nil {
+			return i, true
+		}
+	}
+	return 0, false
+}
+
+// Result contains the result of calling Request.Do().
+type Result struct {
+	body        []byte
+	contentType string
+	err         error
+	statusCode  int
+
+	decoder runtime.Decoder
+}
+
+// Raw returns the raw result.
+func (r Result) Raw() ([]byte, error) {
+	return r.body, r.err
+}
+
+// Get returns the result as an object, which means it passes through the decoder.
+// If the returned object is of type Status and has .Status != StatusSuccess, the
+// additional information in Status will be used to enrich the error.
+func (r Result) Get() (runtime.Object, error) {
+	if r.err != nil {
+		// Check whether the result has a Status object in the body and prefer that.
+		return nil, r.Error()
+	}
+	if r.decoder == nil {
+		return nil, fmt.Errorf("serializer for %s doesn't exist", r.contentType)
+	}
+
+	// decode, but if the result is Status return that as an error instead.
+	out, _, err := r.decoder.Decode(r.body, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	switch t := out.(type) {
+	case *metav1.Status:
+		// any status besides StatusSuccess is considered an error.
+		if t.Status != metav1.StatusSuccess {
+			return nil, errors.FromObject(t)
+		}
+	}
+	return out, nil
+}
+
+// StatusCode returns the HTTP status code of the request. (Only valid if no
+// error was returned.)
+func (r Result) StatusCode(statusCode *int) Result {
+	*statusCode = r.statusCode
+	return r
+}
+
+// Into stores the result into obj, if possible. If obj is nil it is ignored.
+// If the returned object is of type Status and has .Status != StatusSuccess, the
+// additional information in Status will be used to enrich the error.
+func (r Result) Into(obj runtime.Object) error {
+	if r.err != nil {
+		// Check whether the result has a Status object in the body and prefer that.
+		return r.Error()
+	}
+	if r.decoder == nil {
+		return fmt.Errorf("serializer for %s doesn't exist", r.contentType)
+	}
+	if len(r.body) == 0 {
+		return fmt.Errorf("0-length response")
+	}
+
+	out, _, err := r.decoder.Decode(r.body, nil, obj)
+	if err != nil || out == obj {
+		return err
+	}
+	// if a different object is returned, see if it is Status and avoid double decoding
+	// the object.
+	switch t := out.(type) {
+	case *metav1.Status:
+		// any status besides StatusSuccess is considered an error.
+		if t.Status != metav1.StatusSuccess {
+			return errors.FromObject(t)
+		}
+	}
+	return nil
+}
+
+// WasCreated updates the provided bool pointer to whether the server returned
+// 201 created or a different response.
+func (r Result) WasCreated(wasCreated *bool) Result {
+	*wasCreated = r.statusCode == http.StatusCreated
+	return r
+}
+
+// Error returns the error executing the request, nil if no error occurred.
+// If the returned object is of type Status and has Status != StatusSuccess, the
+// additional information in Status will be used to enrich the error.
+// See the Request.Do() comment for what errors you might get.
+func (r Result) Error() error {
+	// if we have received an unexpected server error, and we have a body and decoder, we can try to extract
+	// a Status object.
+	if r.err == nil || !errors.IsUnexpectedServerError(r.err) || len(r.body) == 0 || r.decoder == nil {
+		return r.err
+	}
+
+	// attempt to convert the body into a Status object
+	// to be backwards compatible with old servers that do not return a version, default to "v1"
+	out, _, err := r.decoder.Decode(r.body, &schema.GroupVersionKind{Version: "v1"}, nil)
+	if err != nil {
+		glog.V(5).Infof("body was not decodable (unable to check for Status): %v", err)
+		return r.err
+	}
+	switch t := out.(type) {
+	case *metav1.Status:
+		// because we default the kind, we *must* check for StatusFailure
+		if t.Status == metav1.StatusFailure {
+			return errors.FromObject(t)
+		}
+	}
+	return r.err
+}
+
+// NameMayNotBe specifies strings that cannot be used as names specified as path segments (like the REST API or etcd store)
+var NameMayNotBe = []string{".", ".."}
+
+// NameMayNotContain specifies substrings that cannot be used in names specified as path segments (like the REST API or etcd store)
+var NameMayNotContain = []string{"/", "%"}
+
+// IsValidPathSegmentName validates the name can be safely encoded as a path segment
+func IsValidPathSegmentName(name string) []string {
+	for _, illegalName := range NameMayNotBe {
+		if name == illegalName {
+			return []string{fmt.Sprintf(`may not be '%s'`, illegalName)}
+		}
+	}
+
+	var errors []string
+	for _, illegalContent := range NameMayNotContain {
+		if strings.Contains(name, illegalContent) {
+			errors = append(errors, fmt.Sprintf(`may not contain '%s'`, illegalContent))
+		}
+	}
+
+	return errors
+}
+
+// IsValidPathSegmentPrefix validates the name can be used as a prefix for a name which will be encoded as a path segment
+// It does not check for exact matches with disallowed names, since an arbitrary suffix might make the name valid
+func IsValidPathSegmentPrefix(name string) []string {
+	var errors []string
+	for _, illegalContent := range NameMayNotContain {
+		if strings.Contains(name, illegalContent) {
+			errors = append(errors, fmt.Sprintf(`may not contain '%s'`, illegalContent))
+		}
+	}
+
+	return errors
+}
+
+// ValidatePathSegmentName validates the name can be safely encoded as a path segment
+func ValidatePathSegmentName(name string, prefix bool) []string {
+	if prefix {
+		return IsValidPathSegmentPrefix(name)
+	} else {
+		return IsValidPathSegmentName(name)
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/transport.go b/cli/vendor/k8s.io/client-go/rest/transport.go
new file mode 100644
index 00000000..f59f8dbe
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/transport.go
@@ -0,0 +1,101 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"crypto/tls"
+	"net/http"
+
+	"k8s.io/client-go/transport"
+)
+
+// TLSConfigFor returns a tls.Config that will provide the transport level security defined
+// by the provided Config. Will return nil if no transport level security is requested.
+func TLSConfigFor(config *Config) (*tls.Config, error) {
+	cfg, err := config.TransportConfig()
+	if err != nil {
+		return nil, err
+	}
+	return transport.TLSConfigFor(cfg)
+}
+
+// TransportFor returns an http.RoundTripper that will provide the authentication
+// or transport level security defined by the provided Config. Will return the
+// default http.DefaultTransport if no special case behavior is needed.
+func TransportFor(config *Config) (http.RoundTripper, error) {
+	cfg, err := config.TransportConfig()
+	if err != nil {
+		return nil, err
+	}
+	return transport.New(cfg)
+}
+
+// HTTPWrappersForConfig wraps a round tripper with any relevant layered behavior from the
+// config. Exposed to allow more clients that need HTTP-like behavior but then must hijack
+// the underlying connection (like WebSocket or HTTP2 clients). Pure HTTP clients should use
+// the higher level TransportFor or RESTClientFor methods.
+func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTripper, error) {
+	cfg, err := config.TransportConfig()
+	if err != nil {
+		return nil, err
+	}
+	return transport.HTTPWrappersForConfig(cfg, rt)
+}
+
+// TransportConfig converts a client config to an appropriate transport config.
+func (c *Config) TransportConfig() (*transport.Config, error) {
+	wt := c.WrapTransport
+	if c.AuthProvider != nil {
+		provider, err := GetAuthProvider(c.Host, c.AuthProvider, c.AuthConfigPersister)
+		if err != nil {
+			return nil, err
+		}
+		if wt != nil {
+			previousWT := wt
+			wt = func(rt http.RoundTripper) http.RoundTripper {
+				return provider.WrapTransport(previousWT(rt))
+			}
+		} else {
+			wt = provider.WrapTransport
+		}
+	}
+	return &transport.Config{
+		UserAgent:     c.UserAgent,
+		Transport:     c.Transport,
+		WrapTransport: wt,
+		TLS: transport.TLSConfig{
+			Insecure:   c.Insecure,
+			ServerName: c.ServerName,
+			CAFile:     c.CAFile,
+			CAData:     c.CAData,
+			CertFile:   c.CertFile,
+			CertData:   c.CertData,
+			KeyFile:    c.KeyFile,
+			KeyData:    c.KeyData,
+		},
+		Username:    c.Username,
+		Password:    c.Password,
+		CacheDir:    c.CacheDir,
+		BearerToken: c.BearerToken,
+		Impersonate: transport.ImpersonationConfig{
+			UserName: c.Impersonate.UserName,
+			Groups:   c.Impersonate.Groups,
+			Extra:    c.Impersonate.Extra,
+		},
+		Dial: c.Dial,
+	}, nil
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/url_utils.go b/cli/vendor/k8s.io/client-go/rest/url_utils.go
new file mode 100644
index 00000000..14f94650
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/url_utils.go
@@ -0,0 +1,90 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"fmt"
+	"net/url"
+	"path"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// DefaultServerURL converts a host, host:port, or URL string to the default base server API path
+// to use with a Client at a given API version following the standard conventions for a
+// Kubernetes API.
+func DefaultServerURL(host, apiPath string, groupVersion schema.GroupVersion, defaultTLS bool) (*url.URL, string, error) {
+	if host == "" {
+		return nil, "", fmt.Errorf("host must be a URL or a host:port pair")
+	}
+	base := host
+	hostURL, err := url.Parse(base)
+	if err != nil || hostURL.Scheme == "" || hostURL.Host == "" {
+		scheme := "http://"
+		if defaultTLS {
+			scheme = "https://"
+		}
+		hostURL, err = url.Parse(scheme + base)
+		if err != nil {
+			return nil, "", err
+		}
+		if hostURL.Path != "" && hostURL.Path != "/" {
+			return nil, "", fmt.Errorf("host must be a URL or a host:port pair: %q", base)
+		}
+	}
+
+	// hostURL.Path is optional; a non-empty Path is treated as a prefix that is to be applied to
+	// all URIs used to access the host. this is useful when there's a proxy in front of the
+	// apiserver that has relocated the apiserver endpoints, forwarding all requests from, for
+	// example, /a/b/c to the apiserver. in this case the Path should be /a/b/c.
+	//
+	// if running without a frontend proxy (that changes the location of the apiserver), then
+	// hostURL.Path should be blank.
+	//
+	// versionedAPIPath, a path relative to baseURL.Path, points to a versioned API base
+	versionedAPIPath := path.Join("/", apiPath)
+
+	// Add the version to the end of the path
+	if len(groupVersion.Group) > 0 {
+		versionedAPIPath = path.Join(versionedAPIPath, groupVersion.Group, groupVersion.Version)
+
+	} else {
+		versionedAPIPath = path.Join(versionedAPIPath, groupVersion.Version)
+
+	}
+
+	return hostURL, versionedAPIPath, nil
+}
+
+// defaultServerUrlFor is shared between IsConfigTransportTLS and RESTClientFor. It
+// requires Host and Version to be set prior to being called.
+func defaultServerUrlFor(config *Config) (*url.URL, string, error) {
+	// TODO: move the default to secure when the apiserver supports TLS by default
+	// config.Insecure is taken to mean "I want HTTPS but don't bother checking the certs against a CA."
+	hasCA := len(config.CAFile) != 0 || len(config.CAData) != 0
+	hasCert := len(config.CertFile) != 0 || len(config.CertData) != 0
+	defaultTLS := hasCA || hasCert || config.Insecure
+	host := config.Host
+	if host == "" {
+		host = "localhost"
+	}
+
+	if config.GroupVersion != nil {
+		return DefaultServerURL(host, config.APIPath, *config.GroupVersion, defaultTLS)
+	}
+	return DefaultServerURL(host, config.APIPath, schema.GroupVersion{}, defaultTLS)
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/urlbackoff.go b/cli/vendor/k8s.io/client-go/rest/urlbackoff.go
new file mode 100644
index 00000000..eff848ab
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/urlbackoff.go
@@ -0,0 +1,107 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"net/url"
+	"time"
+
+	"github.com/golang/glog"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/client-go/util/flowcontrol"
+)
+
+// Set of resp. Codes that we backoff for.
+// In general these should be errors that indicate a server is overloaded.
+// These shouldn't be configured by any user, we set them based on conventions
+// described in
+var serverIsOverloadedSet = sets.NewInt(429)
+var maxResponseCode = 499
+
+type BackoffManager interface {
+	UpdateBackoff(actualUrl *url.URL, err error, responseCode int)
+	CalculateBackoff(actualUrl *url.URL) time.Duration
+	Sleep(d time.Duration)
+}
+
+// URLBackoff struct implements the semantics on top of Backoff which
+// we need for URL specific exponential backoff.
+type URLBackoff struct {
+	// Uses backoff as underlying implementation.
+	Backoff *flowcontrol.Backoff
+}
+
+// NoBackoff is a stub implementation, can be used for mocking or else as a default.
+type NoBackoff struct {
+}
+
+func (n *NoBackoff) UpdateBackoff(actualUrl *url.URL, err error, responseCode int) {
+	// do nothing.
+}
+
+func (n *NoBackoff) CalculateBackoff(actualUrl *url.URL) time.Duration {
+	return 0 * time.Second
+}
+
+func (n *NoBackoff) Sleep(d time.Duration) {
+	time.Sleep(d)
+}
+
+// Disable makes the backoff trivial, i.e., sets it to zero.  This might be used
+// by tests which want to run 1000s of mock requests without slowing down.
+func (b *URLBackoff) Disable() {
+	glog.V(4).Infof("Disabling backoff strategy")
+	b.Backoff = flowcontrol.NewBackOff(0*time.Second, 0*time.Second)
+}
+
+// baseUrlKey returns the key which urls will be mapped to.
+// For example, 127.0.0.1:8080/api/v2/abcde -> 127.0.0.1:8080.
+func (b *URLBackoff) baseUrlKey(rawurl *url.URL) string {
+	// Simple implementation for now, just the host.
+	// We may backoff specific paths (i.e. "pods") differentially
+	// in the future.
+	host, err := url.Parse(rawurl.String())
+	if err != nil {
+		glog.V(4).Infof("Error extracting url: %v", rawurl)
+		panic("bad url!")
+	}
+	return host.Host
+}
+
+// UpdateBackoff updates backoff metadata
+func (b *URLBackoff) UpdateBackoff(actualUrl *url.URL, err error, responseCode int) {
+	// range for retry counts that we store is [0,13]
+	if responseCode > maxResponseCode || serverIsOverloadedSet.Has(responseCode) {
+		b.Backoff.Next(b.baseUrlKey(actualUrl), b.Backoff.Clock.Now())
+		return
+	} else if responseCode >= 300 || err != nil {
+		glog.V(4).Infof("Client is returning errors: code %v, error %v", responseCode, err)
+	}
+
+	//If we got this far, there is no backoff required for this URL anymore.
+	b.Backoff.Reset(b.baseUrlKey(actualUrl))
+}
+
+// CalculateBackoff takes a url and back's off exponentially,
+// based on its knowledge of existing failures.
+func (b *URLBackoff) CalculateBackoff(actualUrl *url.URL) time.Duration {
+	return b.Backoff.Get(b.baseUrlKey(actualUrl))
+}
+
+func (b *URLBackoff) Sleep(d time.Duration) {
+	b.Backoff.Clock.Sleep(d)
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/versions.go b/cli/vendor/k8s.io/client-go/rest/versions.go
new file mode 100644
index 00000000..9d41812f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/versions.go
@@ -0,0 +1,88 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"path"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	legacyAPIPath  = "/api"
+	defaultAPIPath = "/apis"
+)
+
+// TODO: Is this obsoleted by the discovery client?
+
+// ServerAPIVersions returns the GroupVersions supported by the API server.
+// It creates a RESTClient based on the passed in config, but it doesn't rely
+// on the Version and Codec of the config, because it uses AbsPath and
+// takes the raw response.
+func ServerAPIVersions(c *Config) (groupVersions []string, err error) {
+	transport, err := TransportFor(c)
+	if err != nil {
+		return nil, err
+	}
+	client := http.Client{Transport: transport}
+
+	configCopy := *c
+	configCopy.GroupVersion = nil
+	configCopy.APIPath = ""
+	baseURL, _, err := defaultServerUrlFor(&configCopy)
+	if err != nil {
+		return nil, err
+	}
+	// Get the groupVersions exposed at /api
+	originalPath := baseURL.Path
+	baseURL.Path = path.Join(originalPath, legacyAPIPath)
+	resp, err := client.Get(baseURL.String())
+	if err != nil {
+		return nil, err
+	}
+	var v metav1.APIVersions
+	defer resp.Body.Close()
+	err = json.NewDecoder(resp.Body).Decode(&v)
+	if err != nil {
+		return nil, fmt.Errorf("unexpected error: %v", err)
+	}
+
+	groupVersions = append(groupVersions, v.Versions...)
+	// Get the groupVersions exposed at /apis
+	baseURL.Path = path.Join(originalPath, defaultAPIPath)
+	resp2, err := client.Get(baseURL.String())
+	if err != nil {
+		return nil, err
+	}
+	var apiGroupList metav1.APIGroupList
+	defer resp2.Body.Close()
+	err = json.NewDecoder(resp2.Body).Decode(&apiGroupList)
+	if err != nil {
+		return nil, fmt.Errorf("unexpected error: %v", err)
+	}
+
+	for _, g := range apiGroupList.Groups {
+		for _, gv := range g.Versions {
+			groupVersions = append(groupVersions, gv.GroupVersion)
+		}
+	}
+
+	return groupVersions, nil
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/watch/decoder.go b/cli/vendor/k8s.io/client-go/rest/watch/decoder.go
new file mode 100644
index 00000000..73bb63ad
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/watch/decoder.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package versioned
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer/streaming"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+// Decoder implements the watch.Decoder interface for io.ReadClosers that
+// have contents which consist of a series of watchEvent objects encoded
+// with the given streaming decoder. The internal objects will be then
+// decoded by the embedded decoder.
+type Decoder struct {
+	decoder         streaming.Decoder
+	embeddedDecoder runtime.Decoder
+}
+
+// NewDecoder creates an Decoder for the given writer and codec.
+func NewDecoder(decoder streaming.Decoder, embeddedDecoder runtime.Decoder) *Decoder {
+	return &Decoder{
+		decoder:         decoder,
+		embeddedDecoder: embeddedDecoder,
+	}
+}
+
+// Decode blocks until it can return the next object in the reader. Returns an error
+// if the reader is closed or an object can't be decoded.
+func (d *Decoder) Decode() (watch.EventType, runtime.Object, error) {
+	var got metav1.WatchEvent
+	res, _, err := d.decoder.Decode(nil, &got)
+	if err != nil {
+		return "", nil, err
+	}
+	if res != &got {
+		return "", nil, fmt.Errorf("unable to decode to metav1.Event")
+	}
+	switch got.Type {
+	case string(watch.Added), string(watch.Modified), string(watch.Deleted), string(watch.Error):
+	default:
+		return "", nil, fmt.Errorf("got invalid watch event type: %v", got.Type)
+	}
+
+	obj, err := runtime.Decode(d.embeddedDecoder, got.Object.Raw)
+	if err != nil {
+		return "", nil, fmt.Errorf("unable to decode watch event: %v", err)
+	}
+	return watch.EventType(got.Type), obj, nil
+}
+
+// Close closes the underlying r.
+func (d *Decoder) Close() {
+	d.decoder.Close()
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/watch/encoder.go b/cli/vendor/k8s.io/client-go/rest/watch/encoder.go
new file mode 100644
index 00000000..e55aa12d
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/watch/encoder.go
@@ -0,0 +1,56 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package versioned
+
+import (
+	"encoding/json"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer/streaming"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+// Encoder serializes watch.Events into io.Writer. The internal objects
+// are encoded using embedded encoder, and the outer Event is serialized
+// using encoder.
+// TODO: this type is only used by tests
+type Encoder struct {
+	encoder         streaming.Encoder
+	embeddedEncoder runtime.Encoder
+}
+
+func NewEncoder(encoder streaming.Encoder, embeddedEncoder runtime.Encoder) *Encoder {
+	return &Encoder{
+		encoder:         encoder,
+		embeddedEncoder: embeddedEncoder,
+	}
+}
+
+// Encode writes an event to the writer. Returns an error
+// if the writer is closed or an object can't be encoded.
+func (e *Encoder) Encode(event *watch.Event) error {
+	data, err := runtime.Encode(e.embeddedEncoder, event.Object)
+	if err != nil {
+		return err
+	}
+	// FIXME: get rid of json.RawMessage.
+	return e.encoder.Encode(&metav1.WatchEvent{
+		Type:   string(event.Type),
+		Object: runtime.RawExtension{Raw: json.RawMessage(data)},
+	})
+}
diff --git a/cli/vendor/k8s.io/client-go/rest/zz_generated.deepcopy.go b/cli/vendor/k8s.io/client-go/rest/zz_generated.deepcopy.go
new file mode 100644
index 00000000..75b072cd
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/rest/zz_generated.deepcopy.go
@@ -0,0 +1,69 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package rest
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	reflect "reflect"
+)
+
+// GetGeneratedDeepCopyFuncs returns the generated funcs, since we aren't registering them.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func GetGeneratedDeepCopyFuncs() []conversion.GeneratedDeepCopyFunc {
+	return []conversion.GeneratedDeepCopyFunc{
+		{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*TLSClientConfig).DeepCopyInto(out.(*TLSClientConfig))
+			return nil
+		}, InType: reflect.TypeOf(&TLSClientConfig{})},
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TLSClientConfig) DeepCopyInto(out *TLSClientConfig) {
+	*out = *in
+	if in.CertData != nil {
+		in, out := &in.CertData, &out.CertData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.KeyData != nil {
+		in, out := &in.KeyData, &out.KeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CAData != nil {
+		in, out := &in.CAData, &out.CAData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSClientConfig.
+func (in *TLSClientConfig) DeepCopy() *TLSClientConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(TLSClientConfig)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/client-go/testing/actions.go b/cli/vendor/k8s.io/client-go/testing/actions.go
new file mode 100644
index 00000000..6f1c3a89
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/testing/actions.go
@@ -0,0 +1,528 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package testing
+
+import (
+	"fmt"
+	"path"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+func NewRootGetAction(resource schema.GroupVersionResource, name string) GetActionImpl {
+	action := GetActionImpl{}
+	action.Verb = "get"
+	action.Resource = resource
+	action.Name = name
+
+	return action
+}
+
+func NewGetAction(resource schema.GroupVersionResource, namespace, name string) GetActionImpl {
+	action := GetActionImpl{}
+	action.Verb = "get"
+	action.Resource = resource
+	action.Namespace = namespace
+	action.Name = name
+
+	return action
+}
+
+func NewGetSubresourceAction(resource schema.GroupVersionResource, namespace, subresource, name string) GetActionImpl {
+	action := GetActionImpl{}
+	action.Verb = "get"
+	action.Resource = resource
+	action.Subresource = subresource
+	action.Namespace = namespace
+	action.Name = name
+
+	return action
+}
+
+func NewRootListAction(resource schema.GroupVersionResource, kind schema.GroupVersionKind, opts interface{}) ListActionImpl {
+	action := ListActionImpl{}
+	action.Verb = "list"
+	action.Resource = resource
+	action.Kind = kind
+	labelSelector, fieldSelector, _ := ExtractFromListOptions(opts)
+	action.ListRestrictions = ListRestrictions{labelSelector, fieldSelector}
+
+	return action
+}
+
+func NewListAction(resource schema.GroupVersionResource, kind schema.GroupVersionKind, namespace string, opts interface{}) ListActionImpl {
+	action := ListActionImpl{}
+	action.Verb = "list"
+	action.Resource = resource
+	action.Kind = kind
+	action.Namespace = namespace
+	labelSelector, fieldSelector, _ := ExtractFromListOptions(opts)
+	action.ListRestrictions = ListRestrictions{labelSelector, fieldSelector}
+
+	return action
+}
+
+func NewListSubresourceAction(resource schema.GroupVersionResource, name, subresource string, kind schema.GroupVersionKind, namespace string, opts interface{}) ListActionImpl {
+	action := ListActionImpl{}
+	action.Verb = "list"
+	action.Resource = resource
+	action.Subresource = subresource
+	action.Kind = kind
+	action.Namespace = namespace
+	action.Name = name
+	labelSelector, fieldSelector, _ := ExtractFromListOptions(opts)
+	action.ListRestrictions = ListRestrictions{labelSelector, fieldSelector}
+
+	return action
+}
+
+func NewRootCreateAction(resource schema.GroupVersionResource, object runtime.Object) CreateActionImpl {
+	action := CreateActionImpl{}
+	action.Verb = "create"
+	action.Resource = resource
+	action.Object = object
+
+	return action
+}
+
+func NewCreateAction(resource schema.GroupVersionResource, namespace string, object runtime.Object) CreateActionImpl {
+	action := CreateActionImpl{}
+	action.Verb = "create"
+	action.Resource = resource
+	action.Namespace = namespace
+	action.Object = object
+
+	return action
+}
+
+func NewCreateSubresourceAction(resource schema.GroupVersionResource, name, subresource string, namespace string, object runtime.Object) CreateActionImpl {
+	action := CreateActionImpl{}
+	action.Verb = "create"
+	action.Resource = resource
+	action.Subresource = subresource
+	action.Namespace = namespace
+	action.Name = name
+	action.Object = object
+
+	return action
+}
+
+func NewRootUpdateAction(resource schema.GroupVersionResource, object runtime.Object) UpdateActionImpl {
+	action := UpdateActionImpl{}
+	action.Verb = "update"
+	action.Resource = resource
+	action.Object = object
+
+	return action
+}
+
+func NewUpdateAction(resource schema.GroupVersionResource, namespace string, object runtime.Object) UpdateActionImpl {
+	action := UpdateActionImpl{}
+	action.Verb = "update"
+	action.Resource = resource
+	action.Namespace = namespace
+	action.Object = object
+
+	return action
+}
+
+func NewRootPatchAction(resource schema.GroupVersionResource, name string, patch []byte) PatchActionImpl {
+	action := PatchActionImpl{}
+	action.Verb = "patch"
+	action.Resource = resource
+	action.Name = name
+	action.Patch = patch
+
+	return action
+}
+
+func NewPatchAction(resource schema.GroupVersionResource, namespace string, name string, patch []byte) PatchActionImpl {
+	action := PatchActionImpl{}
+	action.Verb = "patch"
+	action.Resource = resource
+	action.Namespace = namespace
+	action.Name = name
+	action.Patch = patch
+
+	return action
+}
+
+func NewRootPatchSubresourceAction(resource schema.GroupVersionResource, name string, patch []byte, subresources ...string) PatchActionImpl {
+	action := PatchActionImpl{}
+	action.Verb = "patch"
+	action.Resource = resource
+	action.Subresource = path.Join(subresources...)
+	action.Name = name
+	action.Patch = patch
+
+	return action
+}
+
+func NewPatchSubresourceAction(resource schema.GroupVersionResource, namespace, name string, patch []byte, subresources ...string) PatchActionImpl {
+	action := PatchActionImpl{}
+	action.Verb = "patch"
+	action.Resource = resource
+	action.Subresource = path.Join(subresources...)
+	action.Namespace = namespace
+	action.Name = name
+	action.Patch = patch
+
+	return action
+}
+
+func NewRootUpdateSubresourceAction(resource schema.GroupVersionResource, subresource string, object runtime.Object) UpdateActionImpl {
+	action := UpdateActionImpl{}
+	action.Verb = "update"
+	action.Resource = resource
+	action.Subresource = subresource
+	action.Object = object
+
+	return action
+}
+func NewUpdateSubresourceAction(resource schema.GroupVersionResource, subresource string, namespace string, object runtime.Object) UpdateActionImpl {
+	action := UpdateActionImpl{}
+	action.Verb = "update"
+	action.Resource = resource
+	action.Subresource = subresource
+	action.Namespace = namespace
+	action.Object = object
+
+	return action
+}
+
+func NewRootDeleteAction(resource schema.GroupVersionResource, name string) DeleteActionImpl {
+	action := DeleteActionImpl{}
+	action.Verb = "delete"
+	action.Resource = resource
+	action.Name = name
+
+	return action
+}
+
+func NewDeleteAction(resource schema.GroupVersionResource, namespace, name string) DeleteActionImpl {
+	action := DeleteActionImpl{}
+	action.Verb = "delete"
+	action.Resource = resource
+	action.Namespace = namespace
+	action.Name = name
+
+	return action
+}
+
+func NewRootDeleteCollectionAction(resource schema.GroupVersionResource, opts interface{}) DeleteCollectionActionImpl {
+	action := DeleteCollectionActionImpl{}
+	action.Verb = "delete-collection"
+	action.Resource = resource
+	labelSelector, fieldSelector, _ := ExtractFromListOptions(opts)
+	action.ListRestrictions = ListRestrictions{labelSelector, fieldSelector}
+
+	return action
+}
+
+func NewDeleteCollectionAction(resource schema.GroupVersionResource, namespace string, opts interface{}) DeleteCollectionActionImpl {
+	action := DeleteCollectionActionImpl{}
+	action.Verb = "delete-collection"
+	action.Resource = resource
+	action.Namespace = namespace
+	labelSelector, fieldSelector, _ := ExtractFromListOptions(opts)
+	action.ListRestrictions = ListRestrictions{labelSelector, fieldSelector}
+
+	return action
+}
+
+func NewRootWatchAction(resource schema.GroupVersionResource, opts interface{}) WatchActionImpl {
+	action := WatchActionImpl{}
+	action.Verb = "watch"
+	action.Resource = resource
+	labelSelector, fieldSelector, resourceVersion := ExtractFromListOptions(opts)
+	action.WatchRestrictions = WatchRestrictions{labelSelector, fieldSelector, resourceVersion}
+
+	return action
+}
+
+func ExtractFromListOptions(opts interface{}) (labelSelector labels.Selector, fieldSelector fields.Selector, resourceVersion string) {
+	var err error
+	switch t := opts.(type) {
+	case metav1.ListOptions:
+		labelSelector, err = labels.Parse(t.LabelSelector)
+		if err != nil {
+			panic(fmt.Errorf("invalid selector %q: %v", t.LabelSelector, err))
+		}
+		fieldSelector, err = fields.ParseSelector(t.FieldSelector)
+		if err != nil {
+			panic(fmt.Errorf("invalid selector %q: %v", t.FieldSelector, err))
+		}
+		resourceVersion = t.ResourceVersion
+	default:
+		panic(fmt.Errorf("expect a ListOptions %T", opts))
+	}
+	if labelSelector == nil {
+		labelSelector = labels.Everything()
+	}
+	if fieldSelector == nil {
+		fieldSelector = fields.Everything()
+	}
+	return labelSelector, fieldSelector, resourceVersion
+}
+
+func NewWatchAction(resource schema.GroupVersionResource, namespace string, opts interface{}) WatchActionImpl {
+	action := WatchActionImpl{}
+	action.Verb = "watch"
+	action.Resource = resource
+	action.Namespace = namespace
+	labelSelector, fieldSelector, resourceVersion := ExtractFromListOptions(opts)
+	action.WatchRestrictions = WatchRestrictions{labelSelector, fieldSelector, resourceVersion}
+
+	return action
+}
+
+func NewProxyGetAction(resource schema.GroupVersionResource, namespace, scheme, name, port, path string, params map[string]string) ProxyGetActionImpl {
+	action := ProxyGetActionImpl{}
+	action.Verb = "get"
+	action.Resource = resource
+	action.Namespace = namespace
+	action.Scheme = scheme
+	action.Name = name
+	action.Port = port
+	action.Path = path
+	action.Params = params
+	return action
+}
+
+type ListRestrictions struct {
+	Labels labels.Selector
+	Fields fields.Selector
+}
+type WatchRestrictions struct {
+	Labels          labels.Selector
+	Fields          fields.Selector
+	ResourceVersion string
+}
+
+type Action interface {
+	GetNamespace() string
+	GetVerb() string
+	GetResource() schema.GroupVersionResource
+	GetSubresource() string
+	Matches(verb, resource string) bool
+}
+
+type GenericAction interface {
+	Action
+	GetValue() interface{}
+}
+
+type GetAction interface {
+	Action
+	GetName() string
+}
+
+type ListAction interface {
+	Action
+	GetListRestrictions() ListRestrictions
+}
+
+type CreateAction interface {
+	Action
+	GetObject() runtime.Object
+}
+
+type UpdateAction interface {
+	Action
+	GetObject() runtime.Object
+}
+
+type DeleteAction interface {
+	Action
+	GetName() string
+}
+
+type DeleteCollectionAction interface {
+	Action
+	GetListRestrictions() ListRestrictions
+}
+
+type PatchAction interface {
+	Action
+	GetName() string
+	GetPatch() []byte
+}
+
+type WatchAction interface {
+	Action
+	GetWatchRestrictions() WatchRestrictions
+}
+
+type ProxyGetAction interface {
+	Action
+	GetScheme() string
+	GetName() string
+	GetPort() string
+	GetPath() string
+	GetParams() map[string]string
+}
+
+type ActionImpl struct {
+	Namespace   string
+	Verb        string
+	Resource    schema.GroupVersionResource
+	Subresource string
+}
+
+func (a ActionImpl) GetNamespace() string {
+	return a.Namespace
+}
+func (a ActionImpl) GetVerb() string {
+	return a.Verb
+}
+func (a ActionImpl) GetResource() schema.GroupVersionResource {
+	return a.Resource
+}
+func (a ActionImpl) GetSubresource() string {
+	return a.Subresource
+}
+func (a ActionImpl) Matches(verb, resource string) bool {
+	return strings.ToLower(verb) == strings.ToLower(a.Verb) &&
+		strings.ToLower(resource) == strings.ToLower(a.Resource.Resource)
+}
+
+type GenericActionImpl struct {
+	ActionImpl
+	Value interface{}
+}
+
+func (a GenericActionImpl) GetValue() interface{} {
+	return a.Value
+}
+
+type GetActionImpl struct {
+	ActionImpl
+	Name string
+}
+
+func (a GetActionImpl) GetName() string {
+	return a.Name
+}
+
+type ListActionImpl struct {
+	ActionImpl
+	Kind             schema.GroupVersionKind
+	Name             string
+	ListRestrictions ListRestrictions
+}
+
+func (a ListActionImpl) GetKind() schema.GroupVersionKind {
+	return a.Kind
+}
+
+func (a ListActionImpl) GetListRestrictions() ListRestrictions {
+	return a.ListRestrictions
+}
+
+type CreateActionImpl struct {
+	ActionImpl
+	Name   string
+	Object runtime.Object
+}
+
+func (a CreateActionImpl) GetObject() runtime.Object {
+	return a.Object
+}
+
+type UpdateActionImpl struct {
+	ActionImpl
+	Object runtime.Object
+}
+
+func (a UpdateActionImpl) GetObject() runtime.Object {
+	return a.Object
+}
+
+type PatchActionImpl struct {
+	ActionImpl
+	Name  string
+	Patch []byte
+}
+
+func (a PatchActionImpl) GetName() string {
+	return a.Name
+}
+
+func (a PatchActionImpl) GetPatch() []byte {
+	return a.Patch
+}
+
+type DeleteActionImpl struct {
+	ActionImpl
+	Name string
+}
+
+func (a DeleteActionImpl) GetName() string {
+	return a.Name
+}
+
+type DeleteCollectionActionImpl struct {
+	ActionImpl
+	ListRestrictions ListRestrictions
+}
+
+func (a DeleteCollectionActionImpl) GetListRestrictions() ListRestrictions {
+	return a.ListRestrictions
+}
+
+type WatchActionImpl struct {
+	ActionImpl
+	WatchRestrictions WatchRestrictions
+}
+
+func (a WatchActionImpl) GetWatchRestrictions() WatchRestrictions {
+	return a.WatchRestrictions
+}
+
+type ProxyGetActionImpl struct {
+	ActionImpl
+	Scheme string
+	Name   string
+	Port   string
+	Path   string
+	Params map[string]string
+}
+
+func (a ProxyGetActionImpl) GetScheme() string {
+	return a.Scheme
+}
+
+func (a ProxyGetActionImpl) GetName() string {
+	return a.Name
+}
+
+func (a ProxyGetActionImpl) GetPort() string {
+	return a.Port
+}
+
+func (a ProxyGetActionImpl) GetPath() string {
+	return a.Path
+}
+
+func (a ProxyGetActionImpl) GetParams() map[string]string {
+	return a.Params
+}
diff --git a/cli/vendor/k8s.io/client-go/testing/fake.go b/cli/vendor/k8s.io/client-go/testing/fake.go
new file mode 100644
index 00000000..da47b23b
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/testing/fake.go
@@ -0,0 +1,259 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package testing
+
+import (
+	"fmt"
+	"sync"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/version"
+	"k8s.io/apimachinery/pkg/watch"
+	kubeversion "k8s.io/client-go/pkg/version"
+	restclient "k8s.io/client-go/rest"
+)
+
+// Fake implements client.Interface. Meant to be embedded into a struct to get
+// a default implementation. This makes faking out just the method you want to
+// test easier.
+type Fake struct {
+	sync.RWMutex
+	actions []Action // these may be castable to other types, but "Action" is the minimum
+
+	// ReactionChain is the list of reactors that will be attempted for every
+	// request in the order they are tried.
+	ReactionChain []Reactor
+	// WatchReactionChain is the list of watch reactors that will be attempted
+	// for every request in the order they are tried.
+	WatchReactionChain []WatchReactor
+	// ProxyReactionChain is the list of proxy reactors that will be attempted
+	// for every request in the order they are tried.
+	ProxyReactionChain []ProxyReactor
+
+	Resources []*metav1.APIResourceList
+}
+
+// Reactor is an interface to allow the composition of reaction functions.
+type Reactor interface {
+	// Handles indicates whether or not this Reactor deals with a given
+	// action.
+	Handles(action Action) bool
+	// React handles the action and returns results.  It may choose to
+	// delegate by indicated handled=false.
+	React(action Action) (handled bool, ret runtime.Object, err error)
+}
+
+// WatchReactor is an interface to allow the composition of watch functions.
+type WatchReactor interface {
+	// Handles indicates whether or not this Reactor deals with a given
+	// action.
+	Handles(action Action) bool
+	// React handles a watch action and returns results.  It may choose to
+	// delegate by indicating handled=false.
+	React(action Action) (handled bool, ret watch.Interface, err error)
+}
+
+// ProxyReactor is an interface to allow the composition of proxy get
+// functions.
+type ProxyReactor interface {
+	// Handles indicates whether or not this Reactor deals with a given
+	// action.
+	Handles(action Action) bool
+	// React handles a watch action and returns results.  It may choose to
+	// delegate by indicating handled=false.
+	React(action Action) (handled bool, ret restclient.ResponseWrapper, err error)
+}
+
+// ReactionFunc is a function that returns an object or error for a given
+// Action.  If "handled" is false, then the test client will ignore the
+// results and continue to the next ReactionFunc.  A ReactionFunc can describe
+// reactions on subresources by testing the result of the action's
+// GetSubresource() method.
+type ReactionFunc func(action Action) (handled bool, ret runtime.Object, err error)
+
+// WatchReactionFunc is a function that returns a watch interface.  If
+// "handled" is false, then the test client will ignore the results and
+// continue to the next ReactionFunc.
+type WatchReactionFunc func(action Action) (handled bool, ret watch.Interface, err error)
+
+// ProxyReactionFunc is a function that returns a ResponseWrapper interface
+// for a given Action.  If "handled" is false, then the test client will
+// ignore the results and continue to the next ProxyReactionFunc.
+type ProxyReactionFunc func(action Action) (handled bool, ret restclient.ResponseWrapper, err error)
+
+// AddReactor appends a reactor to the end of the chain.
+func (c *Fake) AddReactor(verb, resource string, reaction ReactionFunc) {
+	c.ReactionChain = append(c.ReactionChain, &SimpleReactor{verb, resource, reaction})
+}
+
+// PrependReactor adds a reactor to the beginning of the chain.
+func (c *Fake) PrependReactor(verb, resource string, reaction ReactionFunc) {
+	c.ReactionChain = append([]Reactor{&SimpleReactor{verb, resource, reaction}}, c.ReactionChain...)
+}
+
+// AddWatchReactor appends a reactor to the end of the chain.
+func (c *Fake) AddWatchReactor(resource string, reaction WatchReactionFunc) {
+	c.WatchReactionChain = append(c.WatchReactionChain, &SimpleWatchReactor{resource, reaction})
+}
+
+// PrependWatchReactor adds a reactor to the beginning of the chain.
+func (c *Fake) PrependWatchReactor(resource string, reaction WatchReactionFunc) {
+	c.WatchReactionChain = append([]WatchReactor{&SimpleWatchReactor{resource, reaction}}, c.WatchReactionChain...)
+}
+
+// AddProxyReactor appends a reactor to the end of the chain.
+func (c *Fake) AddProxyReactor(resource string, reaction ProxyReactionFunc) {
+	c.ProxyReactionChain = append(c.ProxyReactionChain, &SimpleProxyReactor{resource, reaction})
+}
+
+// PrependProxyReactor adds a reactor to the beginning of the chain.
+func (c *Fake) PrependProxyReactor(resource string, reaction ProxyReactionFunc) {
+	c.ProxyReactionChain = append([]ProxyReactor{&SimpleProxyReactor{resource, reaction}}, c.ProxyReactionChain...)
+}
+
+// Invokes records the provided Action and then invokes the ReactionFunc that
+// handles the action if one exists. defaultReturnObj is expected to be of the
+// same type a normal call would return.
+func (c *Fake) Invokes(action Action, defaultReturnObj runtime.Object) (runtime.Object, error) {
+	c.Lock()
+	defer c.Unlock()
+
+	c.actions = append(c.actions, action)
+	for _, reactor := range c.ReactionChain {
+		if !reactor.Handles(action) {
+			continue
+		}
+
+		handled, ret, err := reactor.React(action)
+		if !handled {
+			continue
+		}
+
+		return ret, err
+	}
+
+	return defaultReturnObj, nil
+}
+
+// InvokesWatch records the provided Action and then invokes the ReactionFunc
+// that handles the action if one exists.
+func (c *Fake) InvokesWatch(action Action) (watch.Interface, error) {
+	c.Lock()
+	defer c.Unlock()
+
+	c.actions = append(c.actions, action)
+	for _, reactor := range c.WatchReactionChain {
+		if !reactor.Handles(action) {
+			continue
+		}
+
+		handled, ret, err := reactor.React(action)
+		if !handled {
+			continue
+		}
+
+		return ret, err
+	}
+
+	return nil, fmt.Errorf("unhandled watch: %#v", action)
+}
+
+// InvokesProxy records the provided Action and then invokes the ReactionFunc
+// that handles the action if one exists.
+func (c *Fake) InvokesProxy(action Action) restclient.ResponseWrapper {
+	c.Lock()
+	defer c.Unlock()
+
+	c.actions = append(c.actions, action)
+	for _, reactor := range c.ProxyReactionChain {
+		if !reactor.Handles(action) {
+			continue
+		}
+
+		handled, ret, err := reactor.React(action)
+		if !handled || err != nil {
+			continue
+		}
+
+		return ret
+	}
+
+	return nil
+}
+
+// ClearActions clears the history of actions called on the fake client.
+func (c *Fake) ClearActions() {
+	c.Lock()
+	defer c.Unlock()
+
+	c.actions = make([]Action, 0)
+}
+
+// Actions returns a chronologically ordered slice fake actions called on the
+// fake client.
+func (c *Fake) Actions() []Action {
+	c.RLock()
+	defer c.RUnlock()
+	fa := make([]Action, len(c.actions))
+	copy(fa, c.actions)
+	return fa
+}
+
+// TODO: this probably should be moved to somewhere else.
+type FakeDiscovery struct {
+	*Fake
+}
+
+func (c *FakeDiscovery) ServerResourcesForGroupVersion(groupVersion string) (*metav1.APIResourceList, error) {
+	action := ActionImpl{
+		Verb:     "get",
+		Resource: schema.GroupVersionResource{Resource: "resource"},
+	}
+	c.Invokes(action, nil)
+	for _, rl := range c.Resources {
+		if rl.GroupVersion == groupVersion {
+			return rl, nil
+		}
+	}
+
+	return nil, fmt.Errorf("GroupVersion %q not found", groupVersion)
+}
+
+func (c *FakeDiscovery) ServerResources() ([]*metav1.APIResourceList, error) {
+	action := ActionImpl{
+		Verb:     "get",
+		Resource: schema.GroupVersionResource{Resource: "resource"},
+	}
+	c.Invokes(action, nil)
+	return c.Resources, nil
+}
+
+func (c *FakeDiscovery) ServerGroups() (*metav1.APIGroupList, error) {
+	return nil, nil
+}
+
+func (c *FakeDiscovery) ServerVersion() (*version.Info, error) {
+	action := ActionImpl{}
+	action.Verb = "get"
+	action.Resource = schema.GroupVersionResource{Resource: "version"}
+
+	c.Invokes(action, nil)
+	versionInfo := kubeversion.Get()
+	return &versionInfo, nil
+}
diff --git a/cli/vendor/k8s.io/client-go/testing/fixture.go b/cli/vendor/k8s.io/client-go/testing/fixture.go
new file mode 100644
index 00000000..a53c960c
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/testing/fixture.go
@@ -0,0 +1,464 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package testing
+
+import (
+	"fmt"
+	"sync"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/watch"
+	restclient "k8s.io/client-go/rest"
+)
+
+// ObjectTracker keeps track of objects. It is intended to be used to
+// fake calls to a server by returning objects based on their kind,
+// namespace and name.
+type ObjectTracker interface {
+	// Add adds an object to the tracker. If object being added
+	// is a list, its items are added separately.
+	Add(obj runtime.Object) error
+
+	// Get retrieves the object by its kind, namespace and name.
+	Get(gvr schema.GroupVersionResource, ns, name string) (runtime.Object, error)
+
+	// Create adds an object to the tracker in the specified namespace.
+	Create(gvr schema.GroupVersionResource, obj runtime.Object, ns string) error
+
+	// Update updates an existing object in the tracker in the specified namespace.
+	Update(gvr schema.GroupVersionResource, obj runtime.Object, ns string) error
+
+	// List retrieves all objects of a given kind in the given
+	// namespace. Only non-List kinds are accepted.
+	List(gvr schema.GroupVersionResource, gvk schema.GroupVersionKind, ns string) (runtime.Object, error)
+
+	// Delete deletes an existing object from the tracker. If object
+	// didn't exist in the tracker prior to deletion, Delete returns
+	// no error.
+	Delete(gvr schema.GroupVersionResource, ns, name string) error
+}
+
+// ObjectScheme abstracts the implementation of common operations on objects.
+type ObjectScheme interface {
+	runtime.ObjectCreater
+	runtime.ObjectCopier
+	runtime.ObjectTyper
+}
+
+// ObjectReaction returns a ReactionFunc that applies core.Action to
+// the given tracker.
+func ObjectReaction(tracker ObjectTracker) ReactionFunc {
+	return func(action Action) (bool, runtime.Object, error) {
+		ns := action.GetNamespace()
+		gvr := action.GetResource()
+
+		// Here and below we need to switch on implementation types,
+		// not on interfaces, as some interfaces are identical
+		// (e.g. UpdateAction and CreateAction), so if we use them,
+		// updates and creates end up matching the same case branch.
+		switch action := action.(type) {
+
+		case ListActionImpl:
+			obj, err := tracker.List(gvr, action.GetKind(), ns)
+			return true, obj, err
+
+		case GetActionImpl:
+			obj, err := tracker.Get(gvr, ns, action.GetName())
+			return true, obj, err
+
+		case CreateActionImpl:
+			objMeta, err := meta.Accessor(action.GetObject())
+			if err != nil {
+				return true, nil, err
+			}
+			if action.GetSubresource() == "" {
+				err = tracker.Create(gvr, action.GetObject(), ns)
+			} else {
+				// TODO: Currently we're handling subresource creation as an update
+				// on the enclosing resource. This works for some subresources but
+				// might not be generic enough.
+				err = tracker.Update(gvr, action.GetObject(), ns)
+			}
+			if err != nil {
+				return true, nil, err
+			}
+			obj, err := tracker.Get(gvr, ns, objMeta.GetName())
+			return true, obj, err
+
+		case UpdateActionImpl:
+			objMeta, err := meta.Accessor(action.GetObject())
+			if err != nil {
+				return true, nil, err
+			}
+			err = tracker.Update(gvr, action.GetObject(), ns)
+			if err != nil {
+				return true, nil, err
+			}
+			obj, err := tracker.Get(gvr, ns, objMeta.GetName())
+			return true, obj, err
+
+		case DeleteActionImpl:
+			err := tracker.Delete(gvr, ns, action.GetName())
+			if err != nil {
+				return true, nil, err
+			}
+			return true, nil, nil
+
+		default:
+			return false, nil, fmt.Errorf("no reaction implemented for %s", action)
+		}
+	}
+}
+
+type tracker struct {
+	scheme  ObjectScheme
+	decoder runtime.Decoder
+	lock    sync.RWMutex
+	objects map[schema.GroupVersionResource][]runtime.Object
+}
+
+var _ ObjectTracker = &tracker{}
+
+// NewObjectTracker returns an ObjectTracker that can be used to keep track
+// of objects for the fake clientset. Mostly useful for unit tests.
+func NewObjectTracker(scheme ObjectScheme, decoder runtime.Decoder) ObjectTracker {
+	return &tracker{
+		scheme:  scheme,
+		decoder: decoder,
+		objects: make(map[schema.GroupVersionResource][]runtime.Object),
+	}
+}
+
+func (t *tracker) List(gvr schema.GroupVersionResource, gvk schema.GroupVersionKind, ns string) (runtime.Object, error) {
+	// Heuristic for list kind: original kind + List suffix. Might
+	// not always be true but this tracker has a pretty limited
+	// understanding of the actual API model.
+	listGVK := gvk
+	listGVK.Kind = listGVK.Kind + "List"
+	// GVK does have the concept of "internal version". The scheme recognizes
+	// the runtime.APIVersionInternal, but not the empty string.
+	if listGVK.Version == "" {
+		listGVK.Version = runtime.APIVersionInternal
+	}
+
+	list, err := t.scheme.New(listGVK)
+	if err != nil {
+		return nil, err
+	}
+
+	if !meta.IsListType(list) {
+		return nil, fmt.Errorf("%q is not a list type", listGVK.Kind)
+	}
+
+	t.lock.RLock()
+	defer t.lock.RUnlock()
+
+	objs, ok := t.objects[gvr]
+	if !ok {
+		return list, nil
+	}
+
+	matchingObjs, err := filterByNamespaceAndName(objs, ns, "")
+	if err != nil {
+		return nil, err
+	}
+	if err := meta.SetList(list, matchingObjs); err != nil {
+		return nil, err
+	}
+	if list, err = t.scheme.Copy(list); err != nil {
+		return nil, err
+	}
+	return list, nil
+}
+
+func (t *tracker) Get(gvr schema.GroupVersionResource, ns, name string) (runtime.Object, error) {
+	errNotFound := errors.NewNotFound(gvr.GroupResource(), name)
+
+	t.lock.RLock()
+	defer t.lock.RUnlock()
+
+	objs, ok := t.objects[gvr]
+	if !ok {
+		return nil, errNotFound
+	}
+
+	matchingObjs, err := filterByNamespaceAndName(objs, ns, name)
+	if err != nil {
+		return nil, err
+	}
+	if len(matchingObjs) == 0 {
+		return nil, errNotFound
+	}
+	if len(matchingObjs) > 1 {
+		return nil, fmt.Errorf("more than one object matched gvr %s, ns: %q name: %q", gvr, ns, name)
+	}
+
+	// Only one object should match in the tracker if it works
+	// correctly, as Add/Update methods enforce kind/namespace/name
+	// uniqueness.
+	obj, err := t.scheme.Copy(matchingObjs[0])
+	if err != nil {
+		return nil, err
+	}
+
+	if status, ok := obj.(*metav1.Status); ok {
+		if status.Status != metav1.StatusSuccess {
+			return nil, &errors.StatusError{ErrStatus: *status}
+		}
+	}
+
+	return obj, nil
+}
+
+func (t *tracker) Add(obj runtime.Object) error {
+	if meta.IsListType(obj) {
+		return t.addList(obj, false)
+	}
+	objMeta, err := meta.Accessor(obj)
+	if err != nil {
+		return err
+	}
+	gvks, _, err := t.scheme.ObjectKinds(obj)
+	if err != nil {
+		return err
+	}
+	if len(gvks) == 0 {
+		return fmt.Errorf("no registered kinds for %v", obj)
+	}
+	for _, gvk := range gvks {
+		// NOTE: UnsafeGuessKindToResource is a heuristic and default match. The
+		// actual registration in apiserver can specify arbitrary route for a
+		// gvk. If a test uses such objects, it cannot preset the tracker with
+		// objects via Add(). Instead, it should trigger the Create() function
+		// of the tracker, where an arbitrary gvr can be specified.
+		gvr, _ := meta.UnsafeGuessKindToResource(gvk)
+		// Resource doesn't have the concept of "__internal" version, just set it to "".
+		if gvr.Version == runtime.APIVersionInternal {
+			gvr.Version = ""
+		}
+
+		err := t.add(gvr, obj, objMeta.GetNamespace(), false)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (t *tracker) Create(gvr schema.GroupVersionResource, obj runtime.Object, ns string) error {
+	return t.add(gvr, obj, ns, false)
+}
+
+func (t *tracker) Update(gvr schema.GroupVersionResource, obj runtime.Object, ns string) error {
+	return t.add(gvr, obj, ns, true)
+}
+
+func (t *tracker) add(gvr schema.GroupVersionResource, obj runtime.Object, ns string, replaceExisting bool) error {
+	t.lock.Lock()
+	defer t.lock.Unlock()
+
+	gr := gvr.GroupResource()
+
+	// To avoid the object from being accidentally modified by caller
+	// after it's been added to the tracker, we always store the deep
+	// copy.
+	obj, err := t.scheme.Copy(obj)
+	if err != nil {
+		return err
+	}
+
+	newMeta, err := meta.Accessor(obj)
+	if err != nil {
+		return err
+	}
+
+	// Propagate namespace to the new object if hasn't already been set.
+	if len(newMeta.GetNamespace()) == 0 {
+		newMeta.SetNamespace(ns)
+	}
+
+	if ns != newMeta.GetNamespace() {
+		msg := fmt.Sprintf("request namespace does not match object namespace, request: %q object: %q", ns, newMeta.GetNamespace())
+		return errors.NewBadRequest(msg)
+	}
+
+	for i, existingObj := range t.objects[gvr] {
+		oldMeta, err := meta.Accessor(existingObj)
+		if err != nil {
+			return err
+		}
+		if oldMeta.GetNamespace() == newMeta.GetNamespace() && oldMeta.GetName() == newMeta.GetName() {
+			if replaceExisting {
+				t.objects[gvr][i] = obj
+				return nil
+			}
+			return errors.NewAlreadyExists(gr, newMeta.GetName())
+		}
+	}
+
+	if replaceExisting {
+		// Tried to update but no matching object was found.
+		return errors.NewNotFound(gr, newMeta.GetName())
+	}
+
+	t.objects[gvr] = append(t.objects[gvr], obj)
+
+	return nil
+}
+
+func (t *tracker) addList(obj runtime.Object, replaceExisting bool) error {
+	list, err := meta.ExtractList(obj)
+	if err != nil {
+		return err
+	}
+	errs := runtime.DecodeList(list, t.decoder)
+	if len(errs) > 0 {
+		return errs[0]
+	}
+	for _, obj := range list {
+		if err := t.Add(obj); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (t *tracker) Delete(gvr schema.GroupVersionResource, ns, name string) error {
+	t.lock.Lock()
+	defer t.lock.Unlock()
+
+	found := false
+
+	for i, existingObj := range t.objects[gvr] {
+		objMeta, err := meta.Accessor(existingObj)
+		if err != nil {
+			return err
+		}
+		if objMeta.GetNamespace() == ns && objMeta.GetName() == name {
+			t.objects[gvr] = append(t.objects[gvr][:i], t.objects[gvr][i+1:]...)
+			found = true
+			break
+		}
+	}
+
+	if found {
+		return nil
+	}
+
+	return errors.NewNotFound(gvr.GroupResource(), name)
+}
+
+// filterByNamespaceAndName returns all objects in the collection that
+// match provided namespace and name. Empty namespace matches
+// non-namespaced objects.
+func filterByNamespaceAndName(objs []runtime.Object, ns, name string) ([]runtime.Object, error) {
+	var res []runtime.Object
+
+	for _, obj := range objs {
+		acc, err := meta.Accessor(obj)
+		if err != nil {
+			return nil, err
+		}
+		if ns != "" && acc.GetNamespace() != ns {
+			continue
+		}
+		if name != "" && acc.GetName() != name {
+			continue
+		}
+		res = append(res, obj)
+	}
+
+	return res, nil
+}
+
+func DefaultWatchReactor(watchInterface watch.Interface, err error) WatchReactionFunc {
+	return func(action Action) (bool, watch.Interface, error) {
+		return true, watchInterface, err
+	}
+}
+
+// SimpleReactor is a Reactor.  Each reaction function is attached to a given verb,resource tuple.  "*" in either field matches everything for that value.
+// For instance, *,pods matches all verbs on pods.  This allows for easier composition of reaction functions
+type SimpleReactor struct {
+	Verb     string
+	Resource string
+
+	Reaction ReactionFunc
+}
+
+func (r *SimpleReactor) Handles(action Action) bool {
+	verbCovers := r.Verb == "*" || r.Verb == action.GetVerb()
+	if !verbCovers {
+		return false
+	}
+	resourceCovers := r.Resource == "*" || r.Resource == action.GetResource().Resource
+	if !resourceCovers {
+		return false
+	}
+
+	return true
+}
+
+func (r *SimpleReactor) React(action Action) (bool, runtime.Object, error) {
+	return r.Reaction(action)
+}
+
+// SimpleWatchReactor is a WatchReactor.  Each reaction function is attached to a given resource.  "*" matches everything for that value.
+// For instance, *,pods matches all verbs on pods.  This allows for easier composition of reaction functions
+type SimpleWatchReactor struct {
+	Resource string
+
+	Reaction WatchReactionFunc
+}
+
+func (r *SimpleWatchReactor) Handles(action Action) bool {
+	resourceCovers := r.Resource == "*" || r.Resource == action.GetResource().Resource
+	if !resourceCovers {
+		return false
+	}
+
+	return true
+}
+
+func (r *SimpleWatchReactor) React(action Action) (bool, watch.Interface, error) {
+	return r.Reaction(action)
+}
+
+// SimpleProxyReactor is a ProxyReactor.  Each reaction function is attached to a given resource.  "*" matches everything for that value.
+// For instance, *,pods matches all verbs on pods.  This allows for easier composition of reaction functions.
+type SimpleProxyReactor struct {
+	Resource string
+
+	Reaction ProxyReactionFunc
+}
+
+func (r *SimpleProxyReactor) Handles(action Action) bool {
+	resourceCovers := r.Resource == "*" || r.Resource == action.GetResource().Resource
+	if !resourceCovers {
+		return false
+	}
+
+	return true
+}
+
+func (r *SimpleProxyReactor) React(action Action) (bool, restclient.ResponseWrapper, error) {
+	return r.Reaction(action)
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/auth/clientauth.go b/cli/vendor/k8s.io/client-go/tools/auth/clientauth.go
new file mode 100644
index 00000000..2213b987
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/auth/clientauth.go
@@ -0,0 +1,125 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package auth defines a file format for holding authentication
+information needed by clients of Kubernetes.  Typically,
+a Kubernetes cluster will put auth info for the admin in a known
+location when it is created, and will (soon) put it in a known
+location within a Container's file tree for Containers that
+need access to the Kubernetes API.
+
+Having a defined format allows:
+  - clients to be implmented in multiple languages
+  - applications which link clients to be portable across
+    clusters with different authentication styles (e.g.
+    some may use SSL Client certs, others may not, etc)
+  - when the format changes, applications only
+    need to update this code.
+
+The file format is json, marshalled from a struct authcfg.Info.
+
+Clinet libraries in other languages should use the same format.
+
+It is not intended to store general preferences, such as default
+namespace, output options, etc.  CLIs (such as kubectl) and UIs should
+develop their own format and may wish to inline the authcfg.Info type.
+
+The authcfg.Info is just a file format.  It is distinct from
+client.Config which holds options for creating a client.Client.
+Helper functions are provided in this package to fill in a
+client.Client from an authcfg.Info.
+
+Example:
+
+    import (
+        "pkg/client"
+        "pkg/client/auth"
+    )
+
+    info, err := auth.LoadFromFile(filename)
+    if err != nil {
+      // handle error
+    }
+    clientConfig = client.Config{}
+    clientConfig.Host = "example.com:4901"
+    clientConfig = info.MergeWithConfig()
+    client := client.New(clientConfig)
+    client.Pods(ns).List()
+*/
+package auth
+
+// TODO: need a way to rotate Tokens.  Therefore, need a way for client object to be reset when the authcfg is updated.
+import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+
+	restclient "k8s.io/client-go/rest"
+)
+
+// Info holds Kubernetes API authorization config.  It is intended
+// to be read/written from a file as a JSON object.
+type Info struct {
+	User        string
+	Password    string
+	CAFile      string
+	CertFile    string
+	KeyFile     string
+	BearerToken string
+	Insecure    *bool
+}
+
+// LoadFromFile parses an Info object from a file path.
+// If the file does not exist, then os.IsNotExist(err) == true
+func LoadFromFile(path string) (*Info, error) {
+	var info Info
+	if _, err := os.Stat(path); os.IsNotExist(err) {
+		return nil, err
+	}
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(data, &info)
+	if err != nil {
+		return nil, err
+	}
+	return &info, err
+}
+
+// MergeWithConfig returns a copy of a client.Config with values from the Info.
+// The fields of client.Config with a corresponding field in the Info are set
+// with the value from the Info.
+func (info Info) MergeWithConfig(c restclient.Config) (restclient.Config, error) {
+	var config restclient.Config = c
+	config.Username = info.User
+	config.Password = info.Password
+	config.CAFile = info.CAFile
+	config.CertFile = info.CertFile
+	config.KeyFile = info.KeyFile
+	config.BearerToken = info.BearerToken
+	if info.Insecure != nil {
+		config.Insecure = *info.Insecure
+	}
+	return config, nil
+}
+
+func (info Info) Complete() bool {
+	return len(info.User) > 0 ||
+		len(info.CertFile) > 0 ||
+		len(info.BearerToken) > 0
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/controller.go b/cli/vendor/k8s.io/client-go/tools/cache/controller.go
new file mode 100644
index 00000000..e7b98bef
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/controller.go
@@ -0,0 +1,394 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"sync"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/clock"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+)
+
+// Config contains all the settings for a Controller.
+type Config struct {
+	// The queue for your objects; either a FIFO or
+	// a DeltaFIFO. Your Process() function should accept
+	// the output of this Queue's Pop() method.
+	Queue
+
+	// Something that can list and watch your objects.
+	ListerWatcher
+
+	// Something that can process your objects.
+	Process ProcessFunc
+
+	// The type of your objects.
+	ObjectType runtime.Object
+
+	// Reprocess everything at least this often.
+	// Note that if it takes longer for you to clear the queue than this
+	// period, you will end up processing items in the order determined
+	// by FIFO.Replace(). Currently, this is random. If this is a
+	// problem, we can change that replacement policy to append new
+	// things to the end of the queue instead of replacing the entire
+	// queue.
+	FullResyncPeriod time.Duration
+
+	// ShouldResync, if specified, is invoked when the controller's reflector determines the next
+	// periodic sync should occur. If this returns true, it means the reflector should proceed with
+	// the resync.
+	ShouldResync ShouldResyncFunc
+
+	// If true, when Process() returns an error, re-enqueue the object.
+	// TODO: add interface to let you inject a delay/backoff or drop
+	//       the object completely if desired. Pass the object in
+	//       question to this interface as a parameter.
+	RetryOnError bool
+}
+
+// ShouldResyncFunc is a type of function that indicates if a reflector should perform a
+// resync or not. It can be used by a shared informer to support multiple event handlers with custom
+// resync periods.
+type ShouldResyncFunc func() bool
+
+// ProcessFunc processes a single object.
+type ProcessFunc func(obj interface{}) error
+
+// Controller is a generic controller framework.
+type controller struct {
+	config         Config
+	reflector      *Reflector
+	reflectorMutex sync.RWMutex
+	clock          clock.Clock
+}
+
+type Controller interface {
+	Run(stopCh <-chan struct{})
+	HasSynced() bool
+	LastSyncResourceVersion() string
+}
+
+// New makes a new Controller from the given Config.
+func New(c *Config) Controller {
+	ctlr := &controller{
+		config: *c,
+		clock:  &clock.RealClock{},
+	}
+	return ctlr
+}
+
+// Run begins processing items, and will continue until a value is sent down stopCh.
+// It's an error to call Run more than once.
+// Run blocks; call via go.
+func (c *controller) Run(stopCh <-chan struct{}) {
+	defer utilruntime.HandleCrash()
+	go func() {
+		<-stopCh
+		c.config.Queue.Close()
+	}()
+	r := NewReflector(
+		c.config.ListerWatcher,
+		c.config.ObjectType,
+		c.config.Queue,
+		c.config.FullResyncPeriod,
+	)
+	r.ShouldResync = c.config.ShouldResync
+	r.clock = c.clock
+
+	c.reflectorMutex.Lock()
+	c.reflector = r
+	c.reflectorMutex.Unlock()
+
+	var wg wait.Group
+	defer wg.Wait()
+
+	wg.StartWithChannel(stopCh, r.Run)
+
+	wait.Until(c.processLoop, time.Second, stopCh)
+}
+
+// Returns true once this controller has completed an initial resource listing
+func (c *controller) HasSynced() bool {
+	return c.config.Queue.HasSynced()
+}
+
+func (c *controller) LastSyncResourceVersion() string {
+	if c.reflector == nil {
+		return ""
+	}
+	return c.reflector.LastSyncResourceVersion()
+}
+
+// processLoop drains the work queue.
+// TODO: Consider doing the processing in parallel. This will require a little thought
+// to make sure that we don't end up processing the same object multiple times
+// concurrently.
+//
+// TODO: Plumb through the stopCh here (and down to the queue) so that this can
+// actually exit when the controller is stopped. Or just give up on this stuff
+// ever being stoppable. Converting this whole package to use Context would
+// also be helpful.
+func (c *controller) processLoop() {
+	for {
+		obj, err := c.config.Queue.Pop(PopProcessFunc(c.config.Process))
+		if err != nil {
+			if err == FIFOClosedError {
+				return
+			}
+			if c.config.RetryOnError {
+				// This is the safe way to re-enqueue.
+				c.config.Queue.AddIfNotPresent(obj)
+			}
+		}
+	}
+}
+
+// ResourceEventHandler can handle notifications for events that happen to a
+// resource. The events are informational only, so you can't return an
+// error.
+//  * OnAdd is called when an object is added.
+//  * OnUpdate is called when an object is modified. Note that oldObj is the
+//      last known state of the object-- it is possible that several changes
+//      were combined together, so you can't use this to see every single
+//      change. OnUpdate is also called when a re-list happens, and it will
+//      get called even if nothing changed. This is useful for periodically
+//      evaluating or syncing something.
+//  * OnDelete will get the final state of the item if it is known, otherwise
+//      it will get an object of type DeletedFinalStateUnknown. This can
+//      happen if the watch is closed and misses the delete event and we don't
+//      notice the deletion until the subsequent re-list.
+type ResourceEventHandler interface {
+	OnAdd(obj interface{})
+	OnUpdate(oldObj, newObj interface{})
+	OnDelete(obj interface{})
+}
+
+// ResourceEventHandlerFuncs is an adaptor to let you easily specify as many or
+// as few of the notification functions as you want while still implementing
+// ResourceEventHandler.
+type ResourceEventHandlerFuncs struct {
+	AddFunc    func(obj interface{})
+	UpdateFunc func(oldObj, newObj interface{})
+	DeleteFunc func(obj interface{})
+}
+
+// OnAdd calls AddFunc if it's not nil.
+func (r ResourceEventHandlerFuncs) OnAdd(obj interface{}) {
+	if r.AddFunc != nil {
+		r.AddFunc(obj)
+	}
+}
+
+// OnUpdate calls UpdateFunc if it's not nil.
+func (r ResourceEventHandlerFuncs) OnUpdate(oldObj, newObj interface{}) {
+	if r.UpdateFunc != nil {
+		r.UpdateFunc(oldObj, newObj)
+	}
+}
+
+// OnDelete calls DeleteFunc if it's not nil.
+func (r ResourceEventHandlerFuncs) OnDelete(obj interface{}) {
+	if r.DeleteFunc != nil {
+		r.DeleteFunc(obj)
+	}
+}
+
+// FilteringResourceEventHandler applies the provided filter to all events coming
+// in, ensuring the appropriate nested handler method is invoked. An object
+// that starts passing the filter after an update is considered an add, and an
+// object that stops passing the filter after an update is considered a delete.
+type FilteringResourceEventHandler struct {
+	FilterFunc func(obj interface{}) bool
+	Handler    ResourceEventHandler
+}
+
+// OnAdd calls the nested handler only if the filter succeeds
+func (r FilteringResourceEventHandler) OnAdd(obj interface{}) {
+	if !r.FilterFunc(obj) {
+		return
+	}
+	r.Handler.OnAdd(obj)
+}
+
+// OnUpdate ensures the proper handler is called depending on whether the filter matches
+func (r FilteringResourceEventHandler) OnUpdate(oldObj, newObj interface{}) {
+	newer := r.FilterFunc(newObj)
+	older := r.FilterFunc(oldObj)
+	switch {
+	case newer && older:
+		r.Handler.OnUpdate(oldObj, newObj)
+	case newer && !older:
+		r.Handler.OnAdd(newObj)
+	case !newer && older:
+		r.Handler.OnDelete(oldObj)
+	default:
+		// do nothing
+	}
+}
+
+// OnDelete calls the nested handler only if the filter succeeds
+func (r FilteringResourceEventHandler) OnDelete(obj interface{}) {
+	if !r.FilterFunc(obj) {
+		return
+	}
+	r.Handler.OnDelete(obj)
+}
+
+// DeletionHandlingMetaNamespaceKeyFunc checks for
+// DeletedFinalStateUnknown objects before calling
+// MetaNamespaceKeyFunc.
+func DeletionHandlingMetaNamespaceKeyFunc(obj interface{}) (string, error) {
+	if d, ok := obj.(DeletedFinalStateUnknown); ok {
+		return d.Key, nil
+	}
+	return MetaNamespaceKeyFunc(obj)
+}
+
+// NewInformer returns a Store and a controller for populating the store
+// while also providing event notifications. You should only used the returned
+// Store for Get/List operations; Add/Modify/Deletes will cause the event
+// notifications to be faulty.
+//
+// Parameters:
+//  * lw is list and watch functions for the source of the resource you want to
+//    be informed of.
+//  * objType is an object of the type that you expect to receive.
+//  * resyncPeriod: if non-zero, will re-list this often (you will get OnUpdate
+//    calls, even if nothing changed). Otherwise, re-list will be delayed as
+//    long as possible (until the upstream source closes the watch or times out,
+//    or you stop the controller).
+//  * h is the object you want notifications sent to.
+//
+func NewInformer(
+	lw ListerWatcher,
+	objType runtime.Object,
+	resyncPeriod time.Duration,
+	h ResourceEventHandler,
+) (Store, Controller) {
+	// This will hold the client state, as we know it.
+	clientState := NewStore(DeletionHandlingMetaNamespaceKeyFunc)
+
+	// This will hold incoming changes. Note how we pass clientState in as a
+	// KeyLister, that way resync operations will result in the correct set
+	// of update/delete deltas.
+	fifo := NewDeltaFIFO(MetaNamespaceKeyFunc, nil, clientState)
+
+	cfg := &Config{
+		Queue:            fifo,
+		ListerWatcher:    lw,
+		ObjectType:       objType,
+		FullResyncPeriod: resyncPeriod,
+		RetryOnError:     false,
+
+		Process: func(obj interface{}) error {
+			// from oldest to newest
+			for _, d := range obj.(Deltas) {
+				switch d.Type {
+				case Sync, Added, Updated:
+					if old, exists, err := clientState.Get(d.Object); err == nil && exists {
+						if err := clientState.Update(d.Object); err != nil {
+							return err
+						}
+						h.OnUpdate(old, d.Object)
+					} else {
+						if err := clientState.Add(d.Object); err != nil {
+							return err
+						}
+						h.OnAdd(d.Object)
+					}
+				case Deleted:
+					if err := clientState.Delete(d.Object); err != nil {
+						return err
+					}
+					h.OnDelete(d.Object)
+				}
+			}
+			return nil
+		},
+	}
+	return clientState, New(cfg)
+}
+
+// NewIndexerInformer returns a Indexer and a controller for populating the index
+// while also providing event notifications. You should only used the returned
+// Index for Get/List operations; Add/Modify/Deletes will cause the event
+// notifications to be faulty.
+//
+// Parameters:
+//  * lw is list and watch functions for the source of the resource you want to
+//    be informed of.
+//  * objType is an object of the type that you expect to receive.
+//  * resyncPeriod: if non-zero, will re-list this often (you will get OnUpdate
+//    calls, even if nothing changed). Otherwise, re-list will be delayed as
+//    long as possible (until the upstream source closes the watch or times out,
+//    or you stop the controller).
+//  * h is the object you want notifications sent to.
+//  * indexers is the indexer for the received object type.
+//
+func NewIndexerInformer(
+	lw ListerWatcher,
+	objType runtime.Object,
+	resyncPeriod time.Duration,
+	h ResourceEventHandler,
+	indexers Indexers,
+) (Indexer, Controller) {
+	// This will hold the client state, as we know it.
+	clientState := NewIndexer(DeletionHandlingMetaNamespaceKeyFunc, indexers)
+
+	// This will hold incoming changes. Note how we pass clientState in as a
+	// KeyLister, that way resync operations will result in the correct set
+	// of update/delete deltas.
+	fifo := NewDeltaFIFO(MetaNamespaceKeyFunc, nil, clientState)
+
+	cfg := &Config{
+		Queue:            fifo,
+		ListerWatcher:    lw,
+		ObjectType:       objType,
+		FullResyncPeriod: resyncPeriod,
+		RetryOnError:     false,
+
+		Process: func(obj interface{}) error {
+			// from oldest to newest
+			for _, d := range obj.(Deltas) {
+				switch d.Type {
+				case Sync, Added, Updated:
+					if old, exists, err := clientState.Get(d.Object); err == nil && exists {
+						if err := clientState.Update(d.Object); err != nil {
+							return err
+						}
+						h.OnUpdate(old, d.Object)
+					} else {
+						if err := clientState.Add(d.Object); err != nil {
+							return err
+						}
+						h.OnAdd(d.Object)
+					}
+				case Deleted:
+					if err := clientState.Delete(d.Object); err != nil {
+						return err
+					}
+					h.OnDelete(d.Object)
+				}
+			}
+			return nil
+		},
+	}
+	return clientState, New(cfg)
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/delta_fifo.go b/cli/vendor/k8s.io/client-go/tools/cache/delta_fifo.go
new file mode 100644
index 00000000..a71db604
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/delta_fifo.go
@@ -0,0 +1,681 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"errors"
+	"fmt"
+	"sync"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+
+	"github.com/golang/glog"
+)
+
+// NewDeltaFIFO returns a Store which can be used process changes to items.
+//
+// keyFunc is used to figure out what key an object should have. (It's
+// exposed in the returned DeltaFIFO's KeyOf() method, with bonus features.)
+//
+// 'compressor' may compress as many or as few items as it wants
+// (including returning an empty slice), but it should do what it
+// does quickly since it is called while the queue is locked.
+// 'compressor' may be nil if you don't want any delta compression.
+//
+// 'keyLister' is expected to return a list of keys that the consumer of
+// this queue "knows about". It is used to decide which items are missing
+// when Replace() is called; 'Deleted' deltas are produced for these items.
+// It may be nil if you don't need to detect all deletions.
+// TODO: consider merging keyLister with this object, tracking a list of
+//       "known" keys when Pop() is called. Have to think about how that
+//       affects error retrying.
+// TODO(lavalamp): I believe there is a possible race only when using an
+//                 external known object source that the above TODO would
+//                 fix.
+//
+// Also see the comment on DeltaFIFO.
+func NewDeltaFIFO(keyFunc KeyFunc, compressor DeltaCompressor, knownObjects KeyListerGetter) *DeltaFIFO {
+	f := &DeltaFIFO{
+		items:           map[string]Deltas{},
+		queue:           []string{},
+		keyFunc:         keyFunc,
+		deltaCompressor: compressor,
+		knownObjects:    knownObjects,
+	}
+	f.cond.L = &f.lock
+	return f
+}
+
+// DeltaFIFO is like FIFO, but allows you to process deletes.
+//
+// DeltaFIFO is a producer-consumer queue, where a Reflector is
+// intended to be the producer, and the consumer is whatever calls
+// the Pop() method.
+//
+// DeltaFIFO solves this use case:
+//  * You want to process every object change (delta) at most once.
+//  * When you process an object, you want to see everything
+//    that's happened to it since you last processed it.
+//  * You want to process the deletion of objects.
+//  * You might want to periodically reprocess objects.
+//
+// DeltaFIFO's Pop(), Get(), and GetByKey() methods return
+// interface{} to satisfy the Store/Queue interfaces, but it
+// will always return an object of type Deltas.
+//
+// A note on threading: If you call Pop() in parallel from multiple
+// threads, you could end up with multiple threads processing slightly
+// different versions of the same object.
+//
+// A note on the KeyLister used by the DeltaFIFO: It's main purpose is
+// to list keys that are "known", for the purpose of figuring out which
+// items have been deleted when Replace() or Delete() are called. The deleted
+// object will be included in the DeleteFinalStateUnknown markers. These objects
+// could be stale.
+//
+// You may provide a function to compress deltas (e.g., represent a
+// series of Updates as a single Update).
+type DeltaFIFO struct {
+	// lock/cond protects access to 'items' and 'queue'.
+	lock sync.RWMutex
+	cond sync.Cond
+
+	// We depend on the property that items in the set are in
+	// the queue and vice versa, and that all Deltas in this
+	// map have at least one Delta.
+	items map[string]Deltas
+	queue []string
+
+	// populated is true if the first batch of items inserted by Replace() has been populated
+	// or Delete/Add/Update was called first.
+	populated bool
+	// initialPopulationCount is the number of items inserted by the first call of Replace()
+	initialPopulationCount int
+
+	// keyFunc is used to make the key used for queued item
+	// insertion and retrieval, and should be deterministic.
+	keyFunc KeyFunc
+
+	// deltaCompressor tells us how to combine two or more
+	// deltas. It may be nil.
+	deltaCompressor DeltaCompressor
+
+	// knownObjects list keys that are "known", for the
+	// purpose of figuring out which items have been deleted
+	// when Replace() or Delete() is called.
+	knownObjects KeyListerGetter
+
+	// Indication the queue is closed.
+	// Used to indicate a queue is closed so a control loop can exit when a queue is empty.
+	// Currently, not used to gate any of CRED operations.
+	closed     bool
+	closedLock sync.Mutex
+}
+
+var (
+	_ = Queue(&DeltaFIFO{}) // DeltaFIFO is a Queue
+)
+
+var (
+	// ErrZeroLengthDeltasObject is returned in a KeyError if a Deltas
+	// object with zero length is encountered (should be impossible,
+	// even if such an object is accidentally produced by a DeltaCompressor--
+	// but included for completeness).
+	ErrZeroLengthDeltasObject = errors.New("0 length Deltas object; can't get key")
+)
+
+// Close the queue.
+func (f *DeltaFIFO) Close() {
+	f.closedLock.Lock()
+	defer f.closedLock.Unlock()
+	f.closed = true
+	f.cond.Broadcast()
+}
+
+// KeyOf exposes f's keyFunc, but also detects the key of a Deltas object or
+// DeletedFinalStateUnknown objects.
+func (f *DeltaFIFO) KeyOf(obj interface{}) (string, error) {
+	if d, ok := obj.(Deltas); ok {
+		if len(d) == 0 {
+			return "", KeyError{obj, ErrZeroLengthDeltasObject}
+		}
+		obj = d.Newest().Object
+	}
+	if d, ok := obj.(DeletedFinalStateUnknown); ok {
+		return d.Key, nil
+	}
+	return f.keyFunc(obj)
+}
+
+// Return true if an Add/Update/Delete/AddIfNotPresent are called first,
+// or an Update called first but the first batch of items inserted by Replace() has been popped
+func (f *DeltaFIFO) HasSynced() bool {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	return f.populated && f.initialPopulationCount == 0
+}
+
+// Add inserts an item, and puts it in the queue. The item is only enqueued
+// if it doesn't already exist in the set.
+func (f *DeltaFIFO) Add(obj interface{}) error {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	f.populated = true
+	return f.queueActionLocked(Added, obj)
+}
+
+// Update is just like Add, but makes an Updated Delta.
+func (f *DeltaFIFO) Update(obj interface{}) error {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	f.populated = true
+	return f.queueActionLocked(Updated, obj)
+}
+
+// Delete is just like Add, but makes an Deleted Delta. If the item does not
+// already exist, it will be ignored. (It may have already been deleted by a
+// Replace (re-list), for example.
+func (f *DeltaFIFO) Delete(obj interface{}) error {
+	id, err := f.KeyOf(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	f.populated = true
+	if f.knownObjects == nil {
+		if _, exists := f.items[id]; !exists {
+			// Presumably, this was deleted when a relist happened.
+			// Don't provide a second report of the same deletion.
+			return nil
+		}
+	} else {
+		// We only want to skip the "deletion" action if the object doesn't
+		// exist in knownObjects and it doesn't have corresponding item in items.
+		// Note that even if there is a "deletion" action in items, we can ignore it,
+		// because it will be deduped automatically in "queueActionLocked"
+		_, exists, err := f.knownObjects.GetByKey(id)
+		_, itemsExist := f.items[id]
+		if err == nil && !exists && !itemsExist {
+			// Presumably, this was deleted when a relist happened.
+			// Don't provide a second report of the same deletion.
+			// TODO(lavalamp): This may be racy-- we aren't properly locked
+			// with knownObjects.
+			return nil
+		}
+	}
+
+	return f.queueActionLocked(Deleted, obj)
+}
+
+// AddIfNotPresent inserts an item, and puts it in the queue. If the item is already
+// present in the set, it is neither enqueued nor added to the set.
+//
+// This is useful in a single producer/consumer scenario so that the consumer can
+// safely retry items without contending with the producer and potentially enqueueing
+// stale items.
+//
+// Important: obj must be a Deltas (the output of the Pop() function). Yes, this is
+// different from the Add/Update/Delete functions.
+func (f *DeltaFIFO) AddIfNotPresent(obj interface{}) error {
+	deltas, ok := obj.(Deltas)
+	if !ok {
+		return fmt.Errorf("object must be of type deltas, but got: %#v", obj)
+	}
+	id, err := f.KeyOf(deltas.Newest().Object)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	f.addIfNotPresent(id, deltas)
+	return nil
+}
+
+// addIfNotPresent inserts deltas under id if it does not exist, and assumes the caller
+// already holds the fifo lock.
+func (f *DeltaFIFO) addIfNotPresent(id string, deltas Deltas) {
+	f.populated = true
+	if _, exists := f.items[id]; exists {
+		return
+	}
+
+	f.queue = append(f.queue, id)
+	f.items[id] = deltas
+	f.cond.Broadcast()
+}
+
+// re-listing and watching can deliver the same update multiple times in any
+// order. This will combine the most recent two deltas if they are the same.
+func dedupDeltas(deltas Deltas) Deltas {
+	n := len(deltas)
+	if n < 2 {
+		return deltas
+	}
+	a := &deltas[n-1]
+	b := &deltas[n-2]
+	if out := isDup(a, b); out != nil {
+		d := append(Deltas{}, deltas[:n-2]...)
+		return append(d, *out)
+	}
+	return deltas
+}
+
+// If a & b represent the same event, returns the delta that ought to be kept.
+// Otherwise, returns nil.
+// TODO: is there anything other than deletions that need deduping?
+func isDup(a, b *Delta) *Delta {
+	if out := isDeletionDup(a, b); out != nil {
+		return out
+	}
+	// TODO: Detect other duplicate situations? Are there any?
+	return nil
+}
+
+// keep the one with the most information if both are deletions.
+func isDeletionDup(a, b *Delta) *Delta {
+	if b.Type != Deleted || a.Type != Deleted {
+		return nil
+	}
+	// Do more sophisticated checks, or is this sufficient?
+	if _, ok := b.Object.(DeletedFinalStateUnknown); ok {
+		return a
+	}
+	return b
+}
+
+// willObjectBeDeletedLocked returns true only if the last delta for the
+// given object is Delete. Caller must lock first.
+func (f *DeltaFIFO) willObjectBeDeletedLocked(id string) bool {
+	deltas := f.items[id]
+	return len(deltas) > 0 && deltas[len(deltas)-1].Type == Deleted
+}
+
+// queueActionLocked appends to the delta list for the object, calling
+// f.deltaCompressor if needed. Caller must lock first.
+func (f *DeltaFIFO) queueActionLocked(actionType DeltaType, obj interface{}) error {
+	id, err := f.KeyOf(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+
+	// If object is supposed to be deleted (last event is Deleted),
+	// then we should ignore Sync events, because it would result in
+	// recreation of this object.
+	if actionType == Sync && f.willObjectBeDeletedLocked(id) {
+		return nil
+	}
+
+	newDeltas := append(f.items[id], Delta{actionType, obj})
+	newDeltas = dedupDeltas(newDeltas)
+	if f.deltaCompressor != nil {
+		newDeltas = f.deltaCompressor.Compress(newDeltas)
+	}
+
+	_, exists := f.items[id]
+	if len(newDeltas) > 0 {
+		if !exists {
+			f.queue = append(f.queue, id)
+		}
+		f.items[id] = newDeltas
+		f.cond.Broadcast()
+	} else if exists {
+		// The compression step removed all deltas, so
+		// we need to remove this from our map (extra items
+		// in the queue are ignored if they are not in the
+		// map).
+		delete(f.items, id)
+	}
+	return nil
+}
+
+// List returns a list of all the items; it returns the object
+// from the most recent Delta.
+// You should treat the items returned inside the deltas as immutable.
+func (f *DeltaFIFO) List() []interface{} {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	return f.listLocked()
+}
+
+func (f *DeltaFIFO) listLocked() []interface{} {
+	list := make([]interface{}, 0, len(f.items))
+	for _, item := range f.items {
+		// Copy item's slice so operations on this slice (delta
+		// compression) won't interfere with the object we return.
+		item = copyDeltas(item)
+		list = append(list, item.Newest().Object)
+	}
+	return list
+}
+
+// ListKeys returns a list of all the keys of the objects currently
+// in the FIFO.
+func (f *DeltaFIFO) ListKeys() []string {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	list := make([]string, 0, len(f.items))
+	for key := range f.items {
+		list = append(list, key)
+	}
+	return list
+}
+
+// Get returns the complete list of deltas for the requested item,
+// or sets exists=false.
+// You should treat the items returned inside the deltas as immutable.
+func (f *DeltaFIFO) Get(obj interface{}) (item interface{}, exists bool, err error) {
+	key, err := f.KeyOf(obj)
+	if err != nil {
+		return nil, false, KeyError{obj, err}
+	}
+	return f.GetByKey(key)
+}
+
+// GetByKey returns the complete list of deltas for the requested item,
+// setting exists=false if that list is empty.
+// You should treat the items returned inside the deltas as immutable.
+func (f *DeltaFIFO) GetByKey(key string) (item interface{}, exists bool, err error) {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	d, exists := f.items[key]
+	if exists {
+		// Copy item's slice so operations on this slice (delta
+		// compression) won't interfere with the object we return.
+		d = copyDeltas(d)
+	}
+	return d, exists, nil
+}
+
+// Checks if the queue is closed
+func (f *DeltaFIFO) IsClosed() bool {
+	f.closedLock.Lock()
+	defer f.closedLock.Unlock()
+	if f.closed {
+		return true
+	}
+	return false
+}
+
+// Pop blocks until an item is added to the queue, and then returns it.  If
+// multiple items are ready, they are returned in the order in which they were
+// added/updated. The item is removed from the queue (and the store) before it
+// is returned, so if you don't successfully process it, you need to add it back
+// with AddIfNotPresent().
+// process function is called under lock, so it is safe update data structures
+// in it that need to be in sync with the queue (e.g. knownKeys). The PopProcessFunc
+// may return an instance of ErrRequeue with a nested error to indicate the current
+// item should be requeued (equivalent to calling AddIfNotPresent under the lock).
+//
+// Pop returns a 'Deltas', which has a complete list of all the things
+// that happened to the object (deltas) while it was sitting in the queue.
+func (f *DeltaFIFO) Pop(process PopProcessFunc) (interface{}, error) {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	for {
+		for len(f.queue) == 0 {
+			// When the queue is empty, invocation of Pop() is blocked until new item is enqueued.
+			// When Close() is called, the f.closed is set and the condition is broadcasted.
+			// Which causes this loop to continue and return from the Pop().
+			if f.IsClosed() {
+				return nil, FIFOClosedError
+			}
+
+			f.cond.Wait()
+		}
+		id := f.queue[0]
+		f.queue = f.queue[1:]
+		item, ok := f.items[id]
+		if f.initialPopulationCount > 0 {
+			f.initialPopulationCount--
+		}
+		if !ok {
+			// Item may have been deleted subsequently.
+			continue
+		}
+		delete(f.items, id)
+		err := process(item)
+		if e, ok := err.(ErrRequeue); ok {
+			f.addIfNotPresent(id, item)
+			err = e.Err
+		}
+		// Don't need to copyDeltas here, because we're transferring
+		// ownership to the caller.
+		return item, err
+	}
+}
+
+// Replace will delete the contents of 'f', using instead the given map.
+// 'f' takes ownership of the map, you should not reference the map again
+// after calling this function. f's queue is reset, too; upon return, it
+// will contain the items in the map, in no particular order.
+func (f *DeltaFIFO) Replace(list []interface{}, resourceVersion string) error {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	keys := make(sets.String, len(list))
+
+	for _, item := range list {
+		key, err := f.KeyOf(item)
+		if err != nil {
+			return KeyError{item, err}
+		}
+		keys.Insert(key)
+		if err := f.queueActionLocked(Sync, item); err != nil {
+			return fmt.Errorf("couldn't enqueue object: %v", err)
+		}
+	}
+
+	if f.knownObjects == nil {
+		// Do deletion detection against our own list.
+		for k, oldItem := range f.items {
+			if keys.Has(k) {
+				continue
+			}
+			var deletedObj interface{}
+			if n := oldItem.Newest(); n != nil {
+				deletedObj = n.Object
+			}
+			if err := f.queueActionLocked(Deleted, DeletedFinalStateUnknown{k, deletedObj}); err != nil {
+				return err
+			}
+		}
+
+		if !f.populated {
+			f.populated = true
+			f.initialPopulationCount = len(list)
+		}
+
+		return nil
+	}
+
+	// Detect deletions not already in the queue.
+	// TODO(lavalamp): This may be racy-- we aren't properly locked
+	// with knownObjects. Unproven.
+	knownKeys := f.knownObjects.ListKeys()
+	queuedDeletions := 0
+	for _, k := range knownKeys {
+		if keys.Has(k) {
+			continue
+		}
+
+		deletedObj, exists, err := f.knownObjects.GetByKey(k)
+		if err != nil {
+			deletedObj = nil
+			glog.Errorf("Unexpected error %v during lookup of key %v, placing DeleteFinalStateUnknown marker without object", err, k)
+		} else if !exists {
+			deletedObj = nil
+			glog.Infof("Key %v does not exist in known objects store, placing DeleteFinalStateUnknown marker without object", k)
+		}
+		queuedDeletions++
+		if err := f.queueActionLocked(Deleted, DeletedFinalStateUnknown{k, deletedObj}); err != nil {
+			return err
+		}
+	}
+
+	if !f.populated {
+		f.populated = true
+		f.initialPopulationCount = len(list) + queuedDeletions
+	}
+
+	return nil
+}
+
+// Resync will send a sync event for each item
+func (f *DeltaFIFO) Resync() error {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	keys := f.knownObjects.ListKeys()
+	for _, k := range keys {
+		if err := f.syncKeyLocked(k); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (f *DeltaFIFO) syncKey(key string) error {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	return f.syncKeyLocked(key)
+}
+
+func (f *DeltaFIFO) syncKeyLocked(key string) error {
+	obj, exists, err := f.knownObjects.GetByKey(key)
+	if err != nil {
+		glog.Errorf("Unexpected error %v during lookup of key %v, unable to queue object for sync", err, key)
+		return nil
+	} else if !exists {
+		glog.Infof("Key %v does not exist in known objects store, unable to queue object for sync", key)
+		return nil
+	}
+
+	// If we are doing Resync() and there is already an event queued for that object,
+	// we ignore the Resync for it. This is to avoid the race, in which the resync
+	// comes with the previous value of object (since queueing an event for the object
+	// doesn't trigger changing the underlying store <knownObjects>.
+	id, err := f.KeyOf(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	if len(f.items[id]) > 0 {
+		return nil
+	}
+
+	if err := f.queueActionLocked(Sync, obj); err != nil {
+		return fmt.Errorf("couldn't queue object: %v", err)
+	}
+	return nil
+}
+
+// A KeyListerGetter is anything that knows how to list its keys and look up by key.
+type KeyListerGetter interface {
+	KeyLister
+	KeyGetter
+}
+
+// A KeyLister is anything that knows how to list its keys.
+type KeyLister interface {
+	ListKeys() []string
+}
+
+// A KeyGetter is anything that knows how to get the value stored under a given key.
+type KeyGetter interface {
+	GetByKey(key string) (interface{}, bool, error)
+}
+
+// DeltaCompressor is an algorithm that removes redundant changes.
+type DeltaCompressor interface {
+	Compress(Deltas) Deltas
+}
+
+// DeltaCompressorFunc should remove redundant changes; but changes that
+// are redundant depend on one's desired semantics, so this is an
+// injectable function.
+//
+// DeltaCompressorFunc adapts a raw function to be a DeltaCompressor.
+type DeltaCompressorFunc func(Deltas) Deltas
+
+// Compress just calls dc.
+func (dc DeltaCompressorFunc) Compress(d Deltas) Deltas {
+	return dc(d)
+}
+
+// DeltaType is the type of a change (addition, deletion, etc)
+type DeltaType string
+
+const (
+	Added   DeltaType = "Added"
+	Updated DeltaType = "Updated"
+	Deleted DeltaType = "Deleted"
+	// The other types are obvious. You'll get Sync deltas when:
+	//  * A watch expires/errors out and a new list/watch cycle is started.
+	//  * You've turned on periodic syncs.
+	// (Anything that trigger's DeltaFIFO's Replace() method.)
+	Sync DeltaType = "Sync"
+)
+
+// Delta is the type stored by a DeltaFIFO. It tells you what change
+// happened, and the object's state after* that change.
+//
+// [*] Unless the change is a deletion, and then you'll get the final
+//     state of the object before it was deleted.
+type Delta struct {
+	Type   DeltaType
+	Object interface{}
+}
+
+// Deltas is a list of one or more 'Delta's to an individual object.
+// The oldest delta is at index 0, the newest delta is the last one.
+type Deltas []Delta
+
+// Oldest is a convenience function that returns the oldest delta, or
+// nil if there are no deltas.
+func (d Deltas) Oldest() *Delta {
+	if len(d) > 0 {
+		return &d[0]
+	}
+	return nil
+}
+
+// Newest is a convenience function that returns the newest delta, or
+// nil if there are no deltas.
+func (d Deltas) Newest() *Delta {
+	if n := len(d); n > 0 {
+		return &d[n-1]
+	}
+	return nil
+}
+
+// copyDeltas returns a shallow copy of d; that is, it copies the slice but not
+// the objects in the slice. This allows Get/List to return an object that we
+// know won't be clobbered by a subsequent call to a delta compressor.
+func copyDeltas(d Deltas) Deltas {
+	d2 := make(Deltas, len(d))
+	copy(d2, d)
+	return d2
+}
+
+// DeletedFinalStateUnknown is placed into a DeltaFIFO in the case where
+// an object was deleted but the watch deletion event was missed. In this
+// case we don't know the final "resting" state of the object, so there's
+// a chance the included `Obj` is stale.
+type DeletedFinalStateUnknown struct {
+	Key string
+	Obj interface{}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/doc.go b/cli/vendor/k8s.io/client-go/tools/cache/doc.go
new file mode 100644
index 00000000..56b61d30
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/doc.go
@@ -0,0 +1,24 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package cache is a client-side caching mechanism. It is useful for
+// reducing the number of server calls you'd otherwise need to make.
+// Reflector watches a server and updates a Store. Two stores are provided;
+// one that simply caches objects (for example, to allow a scheduler to
+// list currently available nodes), and one that additionally acts as
+// a FIFO queue (for example, to allow a scheduler to process incoming
+// pods).
+package cache // import "k8s.io/client-go/tools/cache"
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/expiration_cache.go b/cli/vendor/k8s.io/client-go/tools/cache/expiration_cache.go
new file mode 100644
index 00000000..fa88fc40
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/expiration_cache.go
@@ -0,0 +1,208 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"sync"
+	"time"
+
+	"github.com/golang/glog"
+	"k8s.io/apimachinery/pkg/util/clock"
+)
+
+// ExpirationCache implements the store interface
+//	1. All entries are automatically time stamped on insert
+//		a. The key is computed based off the original item/keyFunc
+//		b. The value inserted under that key is the timestamped item
+//	2. Expiration happens lazily on read based on the expiration policy
+//      a. No item can be inserted into the store while we're expiring
+//		   *any* item in the cache.
+//	3. Time-stamps are stripped off unexpired entries before return
+// Note that the ExpirationCache is inherently slower than a normal
+// threadSafeStore because it takes a write lock every time it checks if
+// an item has expired.
+type ExpirationCache struct {
+	cacheStorage     ThreadSafeStore
+	keyFunc          KeyFunc
+	clock            clock.Clock
+	expirationPolicy ExpirationPolicy
+	// expirationLock is a write lock used to guarantee that we don't clobber
+	// newly inserted objects because of a stale expiration timestamp comparison
+	expirationLock sync.Mutex
+}
+
+// ExpirationPolicy dictates when an object expires. Currently only abstracted out
+// so unittests don't rely on the system clock.
+type ExpirationPolicy interface {
+	IsExpired(obj *timestampedEntry) bool
+}
+
+// TTLPolicy implements a ttl based ExpirationPolicy.
+type TTLPolicy struct {
+	//	 >0: Expire entries with an age > ttl
+	//	<=0: Don't expire any entry
+	Ttl time.Duration
+
+	// Clock used to calculate ttl expiration
+	Clock clock.Clock
+}
+
+// IsExpired returns true if the given object is older than the ttl, or it can't
+// determine its age.
+func (p *TTLPolicy) IsExpired(obj *timestampedEntry) bool {
+	return p.Ttl > 0 && p.Clock.Since(obj.timestamp) > p.Ttl
+}
+
+// timestampedEntry is the only type allowed in a ExpirationCache.
+type timestampedEntry struct {
+	obj       interface{}
+	timestamp time.Time
+}
+
+// getTimestampedEntry returns the timestampedEntry stored under the given key.
+func (c *ExpirationCache) getTimestampedEntry(key string) (*timestampedEntry, bool) {
+	item, _ := c.cacheStorage.Get(key)
+	if tsEntry, ok := item.(*timestampedEntry); ok {
+		return tsEntry, true
+	}
+	return nil, false
+}
+
+// getOrExpire retrieves the object from the timestampedEntry if and only if it hasn't
+// already expired. It holds a write lock across deletion.
+func (c *ExpirationCache) getOrExpire(key string) (interface{}, bool) {
+	// Prevent all inserts from the time we deem an item as "expired" to when we
+	// delete it, so an un-expired item doesn't sneak in under the same key, just
+	// before the Delete.
+	c.expirationLock.Lock()
+	defer c.expirationLock.Unlock()
+	timestampedItem, exists := c.getTimestampedEntry(key)
+	if !exists {
+		return nil, false
+	}
+	if c.expirationPolicy.IsExpired(timestampedItem) {
+		glog.V(4).Infof("Entry %v: %+v has expired", key, timestampedItem.obj)
+		c.cacheStorage.Delete(key)
+		return nil, false
+	}
+	return timestampedItem.obj, true
+}
+
+// GetByKey returns the item stored under the key, or sets exists=false.
+func (c *ExpirationCache) GetByKey(key string) (interface{}, bool, error) {
+	obj, exists := c.getOrExpire(key)
+	return obj, exists, nil
+}
+
+// Get returns unexpired items. It purges the cache of expired items in the
+// process.
+func (c *ExpirationCache) Get(obj interface{}) (interface{}, bool, error) {
+	key, err := c.keyFunc(obj)
+	if err != nil {
+		return nil, false, KeyError{obj, err}
+	}
+	obj, exists := c.getOrExpire(key)
+	return obj, exists, nil
+}
+
+// List retrieves a list of unexpired items. It purges the cache of expired
+// items in the process.
+func (c *ExpirationCache) List() []interface{} {
+	items := c.cacheStorage.List()
+
+	list := make([]interface{}, 0, len(items))
+	for _, item := range items {
+		obj := item.(*timestampedEntry).obj
+		if key, err := c.keyFunc(obj); err != nil {
+			list = append(list, obj)
+		} else if obj, exists := c.getOrExpire(key); exists {
+			list = append(list, obj)
+		}
+	}
+	return list
+}
+
+// ListKeys returns a list of all keys in the expiration cache.
+func (c *ExpirationCache) ListKeys() []string {
+	return c.cacheStorage.ListKeys()
+}
+
+// Add timestamps an item and inserts it into the cache, overwriting entries
+// that might exist under the same key.
+func (c *ExpirationCache) Add(obj interface{}) error {
+	c.expirationLock.Lock()
+	defer c.expirationLock.Unlock()
+
+	key, err := c.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	c.cacheStorage.Add(key, &timestampedEntry{obj, c.clock.Now()})
+	return nil
+}
+
+// Update has not been implemented yet for lack of a use case, so this method
+// simply calls `Add`. This effectively refreshes the timestamp.
+func (c *ExpirationCache) Update(obj interface{}) error {
+	return c.Add(obj)
+}
+
+// Delete removes an item from the cache.
+func (c *ExpirationCache) Delete(obj interface{}) error {
+	c.expirationLock.Lock()
+	defer c.expirationLock.Unlock()
+	key, err := c.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	c.cacheStorage.Delete(key)
+	return nil
+}
+
+// Replace will convert all items in the given list to TimestampedEntries
+// before attempting the replace operation. The replace operation will
+// delete the contents of the ExpirationCache `c`.
+func (c *ExpirationCache) Replace(list []interface{}, resourceVersion string) error {
+	c.expirationLock.Lock()
+	defer c.expirationLock.Unlock()
+	items := map[string]interface{}{}
+	ts := c.clock.Now()
+	for _, item := range list {
+		key, err := c.keyFunc(item)
+		if err != nil {
+			return KeyError{item, err}
+		}
+		items[key] = &timestampedEntry{item, ts}
+	}
+	c.cacheStorage.Replace(items, resourceVersion)
+	return nil
+}
+
+// Resync will touch all objects to put them into the processing queue
+func (c *ExpirationCache) Resync() error {
+	return c.cacheStorage.Resync()
+}
+
+// NewTTLStore creates and returns a ExpirationCache with a TTLPolicy
+func NewTTLStore(keyFunc KeyFunc, ttl time.Duration) Store {
+	return &ExpirationCache{
+		cacheStorage:     NewThreadSafeStore(Indexers{}, Indices{}),
+		keyFunc:          keyFunc,
+		clock:            clock.RealClock{},
+		expirationPolicy: &TTLPolicy{ttl, clock.RealClock{}},
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/expiration_cache_fakes.go b/cli/vendor/k8s.io/client-go/tools/cache/expiration_cache_fakes.go
new file mode 100644
index 00000000..a096765f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/expiration_cache_fakes.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"k8s.io/apimachinery/pkg/util/clock"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+type fakeThreadSafeMap struct {
+	ThreadSafeStore
+	deletedKeys chan<- string
+}
+
+func (c *fakeThreadSafeMap) Delete(key string) {
+	if c.deletedKeys != nil {
+		c.ThreadSafeStore.Delete(key)
+		c.deletedKeys <- key
+	}
+}
+
+type FakeExpirationPolicy struct {
+	NeverExpire     sets.String
+	RetrieveKeyFunc KeyFunc
+}
+
+func (p *FakeExpirationPolicy) IsExpired(obj *timestampedEntry) bool {
+	key, _ := p.RetrieveKeyFunc(obj)
+	return !p.NeverExpire.Has(key)
+}
+
+func NewFakeExpirationStore(keyFunc KeyFunc, deletedKeys chan<- string, expirationPolicy ExpirationPolicy, cacheClock clock.Clock) Store {
+	cacheStorage := NewThreadSafeStore(Indexers{}, Indices{})
+	return &ExpirationCache{
+		cacheStorage:     &fakeThreadSafeMap{cacheStorage, deletedKeys},
+		keyFunc:          keyFunc,
+		clock:            cacheClock,
+		expirationPolicy: expirationPolicy,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/fake_custom_store.go b/cli/vendor/k8s.io/client-go/tools/cache/fake_custom_store.go
new file mode 100644
index 00000000..8d71c247
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/fake_custom_store.go
@@ -0,0 +1,102 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+// FakeStore lets you define custom functions for store operations
+type FakeCustomStore struct {
+	AddFunc      func(obj interface{}) error
+	UpdateFunc   func(obj interface{}) error
+	DeleteFunc   func(obj interface{}) error
+	ListFunc     func() []interface{}
+	ListKeysFunc func() []string
+	GetFunc      func(obj interface{}) (item interface{}, exists bool, err error)
+	GetByKeyFunc func(key string) (item interface{}, exists bool, err error)
+	ReplaceFunc  func(list []interface{}, resourceVerion string) error
+	ResyncFunc   func() error
+}
+
+// Add calls the custom Add function if defined
+func (f *FakeCustomStore) Add(obj interface{}) error {
+	if f.AddFunc != nil {
+		return f.AddFunc(obj)
+	}
+	return nil
+}
+
+// Update calls the custom Update function if defined
+func (f *FakeCustomStore) Update(obj interface{}) error {
+	if f.UpdateFunc != nil {
+		return f.Update(obj)
+	}
+	return nil
+}
+
+// Delete calls the custom Delete function if defined
+func (f *FakeCustomStore) Delete(obj interface{}) error {
+	if f.DeleteFunc != nil {
+		return f.DeleteFunc(obj)
+	}
+	return nil
+}
+
+// List calls the custom List function if defined
+func (f *FakeCustomStore) List() []interface{} {
+	if f.ListFunc != nil {
+		return f.ListFunc()
+	}
+	return nil
+}
+
+// ListKeys calls the custom ListKeys function if defined
+func (f *FakeCustomStore) ListKeys() []string {
+	if f.ListKeysFunc != nil {
+		return f.ListKeysFunc()
+	}
+	return nil
+}
+
+// Get calls the custom Get function if defined
+func (f *FakeCustomStore) Get(obj interface{}) (item interface{}, exists bool, err error) {
+	if f.GetFunc != nil {
+		return f.GetFunc(obj)
+	}
+	return nil, false, nil
+}
+
+// GetByKey calls the custom GetByKey function if defined
+func (f *FakeCustomStore) GetByKey(key string) (item interface{}, exists bool, err error) {
+	if f.GetByKeyFunc != nil {
+		return f.GetByKeyFunc(key)
+	}
+	return nil, false, nil
+}
+
+// Replace calls the custom Replace function if defined
+func (f *FakeCustomStore) Replace(list []interface{}, resourceVersion string) error {
+	if f.ReplaceFunc != nil {
+		return f.ReplaceFunc(list, resourceVersion)
+	}
+	return nil
+}
+
+// Resync calls the custom Resync function if defined
+func (f *FakeCustomStore) Resync() error {
+	if f.ResyncFunc != nil {
+		return f.ResyncFunc()
+	}
+	return nil
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/fifo.go b/cli/vendor/k8s.io/client-go/tools/cache/fifo.go
new file mode 100644
index 00000000..3f6e2a94
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/fifo.go
@@ -0,0 +1,358 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"errors"
+	"sync"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// PopProcessFunc is passed to Pop() method of Queue interface.
+// It is supposed to process the element popped from the queue.
+type PopProcessFunc func(interface{}) error
+
+// ErrRequeue may be returned by a PopProcessFunc to safely requeue
+// the current item. The value of Err will be returned from Pop.
+type ErrRequeue struct {
+	// Err is returned by the Pop function
+	Err error
+}
+
+var FIFOClosedError error = errors.New("DeltaFIFO: manipulating with closed queue")
+
+func (e ErrRequeue) Error() string {
+	if e.Err == nil {
+		return "the popped item should be requeued without returning an error"
+	}
+	return e.Err.Error()
+}
+
+// Queue is exactly like a Store, but has a Pop() method too.
+type Queue interface {
+	Store
+
+	// Pop blocks until it has something to process.
+	// It returns the object that was process and the result of processing.
+	// The PopProcessFunc may return an ErrRequeue{...} to indicate the item
+	// should be requeued before releasing the lock on the queue.
+	Pop(PopProcessFunc) (interface{}, error)
+
+	// AddIfNotPresent adds a value previously
+	// returned by Pop back into the queue as long
+	// as nothing else (presumably more recent)
+	// has since been added.
+	AddIfNotPresent(interface{}) error
+
+	// Return true if the first batch of items has been popped
+	HasSynced() bool
+
+	// Close queue
+	Close()
+}
+
+// Helper function for popping from Queue.
+// WARNING: Do NOT use this function in non-test code to avoid races
+// unless you really really really really know what you are doing.
+func Pop(queue Queue) interface{} {
+	var result interface{}
+	queue.Pop(func(obj interface{}) error {
+		result = obj
+		return nil
+	})
+	return result
+}
+
+// FIFO receives adds and updates from a Reflector, and puts them in a queue for
+// FIFO order processing. If multiple adds/updates of a single item happen while
+// an item is in the queue before it has been processed, it will only be
+// processed once, and when it is processed, the most recent version will be
+// processed. This can't be done with a channel.
+//
+// FIFO solves this use case:
+//  * You want to process every object (exactly) once.
+//  * You want to process the most recent version of the object when you process it.
+//  * You do not want to process deleted objects, they should be removed from the queue.
+//  * You do not want to periodically reprocess objects.
+// Compare with DeltaFIFO for other use cases.
+type FIFO struct {
+	lock sync.RWMutex
+	cond sync.Cond
+	// We depend on the property that items in the set are in the queue and vice versa.
+	items map[string]interface{}
+	queue []string
+
+	// populated is true if the first batch of items inserted by Replace() has been populated
+	// or Delete/Add/Update was called first.
+	populated bool
+	// initialPopulationCount is the number of items inserted by the first call of Replace()
+	initialPopulationCount int
+
+	// keyFunc is used to make the key used for queued item insertion and retrieval, and
+	// should be deterministic.
+	keyFunc KeyFunc
+
+	// Indication the queue is closed.
+	// Used to indicate a queue is closed so a control loop can exit when a queue is empty.
+	// Currently, not used to gate any of CRED operations.
+	closed     bool
+	closedLock sync.Mutex
+}
+
+var (
+	_ = Queue(&FIFO{}) // FIFO is a Queue
+)
+
+// Close the queue.
+func (f *FIFO) Close() {
+	f.closedLock.Lock()
+	defer f.closedLock.Unlock()
+	f.closed = true
+	f.cond.Broadcast()
+}
+
+// Return true if an Add/Update/Delete/AddIfNotPresent are called first,
+// or an Update called first but the first batch of items inserted by Replace() has been popped
+func (f *FIFO) HasSynced() bool {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	return f.populated && f.initialPopulationCount == 0
+}
+
+// Add inserts an item, and puts it in the queue. The item is only enqueued
+// if it doesn't already exist in the set.
+func (f *FIFO) Add(obj interface{}) error {
+	id, err := f.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	f.populated = true
+	if _, exists := f.items[id]; !exists {
+		f.queue = append(f.queue, id)
+	}
+	f.items[id] = obj
+	f.cond.Broadcast()
+	return nil
+}
+
+// AddIfNotPresent inserts an item, and puts it in the queue. If the item is already
+// present in the set, it is neither enqueued nor added to the set.
+//
+// This is useful in a single producer/consumer scenario so that the consumer can
+// safely retry items without contending with the producer and potentially enqueueing
+// stale items.
+func (f *FIFO) AddIfNotPresent(obj interface{}) error {
+	id, err := f.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	f.addIfNotPresent(id, obj)
+	return nil
+}
+
+// addIfNotPresent assumes the fifo lock is already held and adds the the provided
+// item to the queue under id if it does not already exist.
+func (f *FIFO) addIfNotPresent(id string, obj interface{}) {
+	f.populated = true
+	if _, exists := f.items[id]; exists {
+		return
+	}
+
+	f.queue = append(f.queue, id)
+	f.items[id] = obj
+	f.cond.Broadcast()
+}
+
+// Update is the same as Add in this implementation.
+func (f *FIFO) Update(obj interface{}) error {
+	return f.Add(obj)
+}
+
+// Delete removes an item. It doesn't add it to the queue, because
+// this implementation assumes the consumer only cares about the objects,
+// not the order in which they were created/added.
+func (f *FIFO) Delete(obj interface{}) error {
+	id, err := f.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	f.populated = true
+	delete(f.items, id)
+	return err
+}
+
+// List returns a list of all the items.
+func (f *FIFO) List() []interface{} {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	list := make([]interface{}, 0, len(f.items))
+	for _, item := range f.items {
+		list = append(list, item)
+	}
+	return list
+}
+
+// ListKeys returns a list of all the keys of the objects currently
+// in the FIFO.
+func (f *FIFO) ListKeys() []string {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	list := make([]string, 0, len(f.items))
+	for key := range f.items {
+		list = append(list, key)
+	}
+	return list
+}
+
+// Get returns the requested item, or sets exists=false.
+func (f *FIFO) Get(obj interface{}) (item interface{}, exists bool, err error) {
+	key, err := f.keyFunc(obj)
+	if err != nil {
+		return nil, false, KeyError{obj, err}
+	}
+	return f.GetByKey(key)
+}
+
+// GetByKey returns the requested item, or sets exists=false.
+func (f *FIFO) GetByKey(key string) (item interface{}, exists bool, err error) {
+	f.lock.RLock()
+	defer f.lock.RUnlock()
+	item, exists = f.items[key]
+	return item, exists, nil
+}
+
+// Checks if the queue is closed
+func (f *FIFO) IsClosed() bool {
+	f.closedLock.Lock()
+	defer f.closedLock.Unlock()
+	if f.closed {
+		return true
+	}
+	return false
+}
+
+// Pop waits until an item is ready and processes it. If multiple items are
+// ready, they are returned in the order in which they were added/updated.
+// The item is removed from the queue (and the store) before it is processed,
+// so if you don't successfully process it, it should be added back with
+// AddIfNotPresent(). process function is called under lock, so it is safe
+// update data structures in it that need to be in sync with the queue.
+func (f *FIFO) Pop(process PopProcessFunc) (interface{}, error) {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+	for {
+		for len(f.queue) == 0 {
+			// When the queue is empty, invocation of Pop() is blocked until new item is enqueued.
+			// When Close() is called, the f.closed is set and the condition is broadcasted.
+			// Which causes this loop to continue and return from the Pop().
+			if f.IsClosed() {
+				return nil, FIFOClosedError
+			}
+
+			f.cond.Wait()
+		}
+		id := f.queue[0]
+		f.queue = f.queue[1:]
+		if f.initialPopulationCount > 0 {
+			f.initialPopulationCount--
+		}
+		item, ok := f.items[id]
+		if !ok {
+			// Item may have been deleted subsequently.
+			continue
+		}
+		delete(f.items, id)
+		err := process(item)
+		if e, ok := err.(ErrRequeue); ok {
+			f.addIfNotPresent(id, item)
+			err = e.Err
+		}
+		return item, err
+	}
+}
+
+// Replace will delete the contents of 'f', using instead the given map.
+// 'f' takes ownership of the map, you should not reference the map again
+// after calling this function. f's queue is reset, too; upon return, it
+// will contain the items in the map, in no particular order.
+func (f *FIFO) Replace(list []interface{}, resourceVersion string) error {
+	items := map[string]interface{}{}
+	for _, item := range list {
+		key, err := f.keyFunc(item)
+		if err != nil {
+			return KeyError{item, err}
+		}
+		items[key] = item
+	}
+
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	if !f.populated {
+		f.populated = true
+		f.initialPopulationCount = len(items)
+	}
+
+	f.items = items
+	f.queue = f.queue[:0]
+	for id := range items {
+		f.queue = append(f.queue, id)
+	}
+	if len(f.queue) > 0 {
+		f.cond.Broadcast()
+	}
+	return nil
+}
+
+// Resync will touch all objects to put them into the processing queue
+func (f *FIFO) Resync() error {
+	f.lock.Lock()
+	defer f.lock.Unlock()
+
+	inQueue := sets.NewString()
+	for _, id := range f.queue {
+		inQueue.Insert(id)
+	}
+	for id := range f.items {
+		if !inQueue.Has(id) {
+			f.queue = append(f.queue, id)
+		}
+	}
+	if len(f.queue) > 0 {
+		f.cond.Broadcast()
+	}
+	return nil
+}
+
+// NewFIFO returns a Store which can be used to queue up items to
+// process.
+func NewFIFO(keyFunc KeyFunc) *FIFO {
+	f := &FIFO{
+		items:   map[string]interface{}{},
+		queue:   []string{},
+		keyFunc: keyFunc,
+	}
+	f.cond.L = &f.lock
+	return f
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/heap.go b/cli/vendor/k8s.io/client-go/tools/cache/heap.go
new file mode 100644
index 00000000..78e49245
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/heap.go
@@ -0,0 +1,323 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file implements a heap data structure.
+
+package cache
+
+import (
+	"container/heap"
+	"fmt"
+	"sync"
+)
+
+const (
+	closedMsg = "heap is closed"
+)
+
+type LessFunc func(interface{}, interface{}) bool
+type heapItem struct {
+	obj   interface{} // The object which is stored in the heap.
+	index int         // The index of the object's key in the Heap.queue.
+}
+
+type itemKeyValue struct {
+	key string
+	obj interface{}
+}
+
+// heapData is an internal struct that implements the standard heap interface
+// and keeps the data stored in the heap.
+type heapData struct {
+	// items is a map from key of the objects to the objects and their index.
+	// We depend on the property that items in the map are in the queue and vice versa.
+	items map[string]*heapItem
+	// queue implements a heap data structure and keeps the order of elements
+	// according to the heap invariant. The queue keeps the keys of objects stored
+	// in "items".
+	queue []string
+
+	// keyFunc is used to make the key used for queued item insertion and retrieval, and
+	// should be deterministic.
+	keyFunc KeyFunc
+	// lessFunc is used to compare two objects in the heap.
+	lessFunc LessFunc
+}
+
+var (
+	_ = heap.Interface(&heapData{}) // heapData is a standard heap
+)
+
+// Less compares two objects and returns true if the first one should go
+// in front of the second one in the heap.
+func (h *heapData) Less(i, j int) bool {
+	if i > len(h.queue) || j > len(h.queue) {
+		return false
+	}
+	itemi, ok := h.items[h.queue[i]]
+	if !ok {
+		return false
+	}
+	itemj, ok := h.items[h.queue[j]]
+	if !ok {
+		return false
+	}
+	return h.lessFunc(itemi.obj, itemj.obj)
+}
+
+// Len returns the number of items in the Heap.
+func (h *heapData) Len() int { return len(h.queue) }
+
+// Swap implements swapping of two elements in the heap. This is a part of standard
+// heap interface and should never be called directly.
+func (h *heapData) Swap(i, j int) {
+	h.queue[i], h.queue[j] = h.queue[j], h.queue[i]
+	item := h.items[h.queue[i]]
+	item.index = i
+	item = h.items[h.queue[j]]
+	item.index = j
+}
+
+// Push is supposed to be called by heap.Push only.
+func (h *heapData) Push(kv interface{}) {
+	keyValue := kv.(*itemKeyValue)
+	n := len(h.queue)
+	h.items[keyValue.key] = &heapItem{keyValue.obj, n}
+	h.queue = append(h.queue, keyValue.key)
+}
+
+// Pop is supposed to be called by heap.Pop only.
+func (h *heapData) Pop() interface{} {
+	key := h.queue[len(h.queue)-1]
+	h.queue = h.queue[0 : len(h.queue)-1]
+	item, ok := h.items[key]
+	if !ok {
+		// This is an error
+		return nil
+	}
+	delete(h.items, key)
+	return item.obj
+}
+
+// Heap is a thread-safe producer/consumer queue that implements a heap data structure.
+// It can be used to implement priority queues and similar data structures.
+type Heap struct {
+	lock sync.RWMutex
+	cond sync.Cond
+
+	// data stores objects and has a queue that keeps their ordering according
+	// to the heap invariant.
+	data *heapData
+
+	// closed indicates that the queue is closed.
+	// It is mainly used to let Pop() exit its control loop while waiting for an item.
+	closed bool
+}
+
+// Close the Heap and signals condition variables that may be waiting to pop
+// items from the heap.
+func (h *Heap) Close() {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	h.closed = true
+	h.cond.Broadcast()
+}
+
+// Add inserts an item, and puts it in the queue. The item is updated if it
+// already exists.
+func (h *Heap) Add(obj interface{}) error {
+	key, err := h.data.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	if h.closed {
+		return fmt.Errorf(closedMsg)
+	}
+	if _, exists := h.data.items[key]; exists {
+		h.data.items[key].obj = obj
+		heap.Fix(h.data, h.data.items[key].index)
+	} else {
+		h.addIfNotPresentLocked(key, obj)
+	}
+	h.cond.Broadcast()
+	return nil
+}
+
+// Adds all the items in the list to the queue and then signals the condition
+// variable. It is useful when the caller would like to add all of the items
+// to the queue before consumer starts processing them.
+func (h *Heap) BulkAdd(list []interface{}) error {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	if h.closed {
+		return fmt.Errorf(closedMsg)
+	}
+	for _, obj := range list {
+		key, err := h.data.keyFunc(obj)
+		if err != nil {
+			return KeyError{obj, err}
+		}
+		if _, exists := h.data.items[key]; exists {
+			h.data.items[key].obj = obj
+			heap.Fix(h.data, h.data.items[key].index)
+		} else {
+			h.addIfNotPresentLocked(key, obj)
+		}
+	}
+	h.cond.Broadcast()
+	return nil
+}
+
+// AddIfNotPresent inserts an item, and puts it in the queue. If an item with
+// the key is present in the map, no changes is made to the item.
+//
+// This is useful in a single producer/consumer scenario so that the consumer can
+// safely retry items without contending with the producer and potentially enqueueing
+// stale items.
+func (h *Heap) AddIfNotPresent(obj interface{}) error {
+	id, err := h.data.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	if h.closed {
+		return fmt.Errorf(closedMsg)
+	}
+	h.addIfNotPresentLocked(id, obj)
+	h.cond.Broadcast()
+	return nil
+}
+
+// addIfNotPresentLocked assumes the lock is already held and adds the the provided
+// item to the queue if it does not already exist.
+func (h *Heap) addIfNotPresentLocked(key string, obj interface{}) {
+	if _, exists := h.data.items[key]; exists {
+		return
+	}
+	heap.Push(h.data, &itemKeyValue{key, obj})
+}
+
+// Update is the same as Add in this implementation. When the item does not
+// exist, it is added.
+func (h *Heap) Update(obj interface{}) error {
+	return h.Add(obj)
+}
+
+// Delete removes an item.
+func (h *Heap) Delete(obj interface{}) error {
+	key, err := h.data.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	if item, ok := h.data.items[key]; ok {
+		heap.Remove(h.data, item.index)
+		return nil
+	}
+	return fmt.Errorf("object not found")
+}
+
+// Pop waits until an item is ready. If multiple items are
+// ready, they are returned in the order given by Heap.data.lessFunc.
+func (h *Heap) Pop() (interface{}, error) {
+	h.lock.Lock()
+	defer h.lock.Unlock()
+	for len(h.data.queue) == 0 {
+		// When the queue is empty, invocation of Pop() is blocked until new item is enqueued.
+		// When Close() is called, the h.closed is set and the condition is broadcast,
+		// which causes this loop to continue and return from the Pop().
+		if h.closed {
+			return nil, fmt.Errorf("heap is closed")
+		}
+		h.cond.Wait()
+	}
+	obj := heap.Pop(h.data)
+	if obj != nil {
+		return obj, nil
+	} else {
+		return nil, fmt.Errorf("object was removed from heap data")
+	}
+}
+
+// List returns a list of all the items.
+func (h *Heap) List() []interface{} {
+	h.lock.RLock()
+	defer h.lock.RUnlock()
+	list := make([]interface{}, 0, len(h.data.items))
+	for _, item := range h.data.items {
+		list = append(list, item.obj)
+	}
+	return list
+}
+
+// ListKeys returns a list of all the keys of the objects currently in the Heap.
+func (h *Heap) ListKeys() []string {
+	h.lock.RLock()
+	defer h.lock.RUnlock()
+	list := make([]string, 0, len(h.data.items))
+	for key := range h.data.items {
+		list = append(list, key)
+	}
+	return list
+}
+
+// Get returns the requested item, or sets exists=false.
+func (h *Heap) Get(obj interface{}) (interface{}, bool, error) {
+	key, err := h.data.keyFunc(obj)
+	if err != nil {
+		return nil, false, KeyError{obj, err}
+	}
+	return h.GetByKey(key)
+}
+
+// GetByKey returns the requested item, or sets exists=false.
+func (h *Heap) GetByKey(key string) (interface{}, bool, error) {
+	h.lock.RLock()
+	defer h.lock.RUnlock()
+	item, exists := h.data.items[key]
+	if !exists {
+		return nil, false, nil
+	}
+	return item.obj, true, nil
+}
+
+// IsClosed returns true if the queue is closed.
+func (h *Heap) IsClosed() bool {
+	h.lock.RLock()
+	defer h.lock.RUnlock()
+	if h.closed {
+		return true
+	}
+	return false
+}
+
+// NewHeap returns a Heap which can be used to queue up items to process.
+func NewHeap(keyFn KeyFunc, lessFn LessFunc) *Heap {
+	h := &Heap{
+		data: &heapData{
+			items:    map[string]*heapItem{},
+			queue:    []string{},
+			keyFunc:  keyFn,
+			lessFunc: lessFn,
+		},
+	}
+	h.cond.L = &h.lock
+	return h
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/index.go b/cli/vendor/k8s.io/client-go/tools/cache/index.go
new file mode 100644
index 00000000..15acb168
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/index.go
@@ -0,0 +1,87 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// Indexer is a storage interface that lets you list objects using multiple indexing functions
+type Indexer interface {
+	Store
+	// Retrieve list of objects that match on the named indexing function
+	Index(indexName string, obj interface{}) ([]interface{}, error)
+	// IndexKeys returns the set of keys that match on the named indexing function.
+	IndexKeys(indexName, indexKey string) ([]string, error)
+	// ListIndexFuncValues returns the list of generated values of an Index func
+	ListIndexFuncValues(indexName string) []string
+	// ByIndex lists object that match on the named indexing function with the exact key
+	ByIndex(indexName, indexKey string) ([]interface{}, error)
+	// GetIndexer return the indexers
+	GetIndexers() Indexers
+
+	// AddIndexers adds more indexers to this store.  If you call this after you already have data
+	// in the store, the results are undefined.
+	AddIndexers(newIndexers Indexers) error
+}
+
+// IndexFunc knows how to provide an indexed value for an object.
+type IndexFunc func(obj interface{}) ([]string, error)
+
+// IndexFuncToKeyFuncAdapter adapts an indexFunc to a keyFunc.  This is only useful if your index function returns
+// unique values for every object.  This is conversion can create errors when more than one key is found.  You
+// should prefer to make proper key and index functions.
+func IndexFuncToKeyFuncAdapter(indexFunc IndexFunc) KeyFunc {
+	return func(obj interface{}) (string, error) {
+		indexKeys, err := indexFunc(obj)
+		if err != nil {
+			return "", err
+		}
+		if len(indexKeys) > 1 {
+			return "", fmt.Errorf("too many keys: %v", indexKeys)
+		}
+		if len(indexKeys) == 0 {
+			return "", fmt.Errorf("unexpected empty indexKeys")
+		}
+		return indexKeys[0], nil
+	}
+}
+
+const (
+	NamespaceIndex string = "namespace"
+)
+
+// MetaNamespaceIndexFunc is a default index function that indexes based on an object's namespace
+func MetaNamespaceIndexFunc(obj interface{}) ([]string, error) {
+	meta, err := meta.Accessor(obj)
+	if err != nil {
+		return []string{""}, fmt.Errorf("object has no meta: %v", err)
+	}
+	return []string{meta.GetNamespace()}, nil
+}
+
+// Index maps the indexed value to a set of keys in the store that match on that value
+type Index map[string]sets.String
+
+// Indexers maps a name to a IndexFunc
+type Indexers map[string]IndexFunc
+
+// Indices maps a name to an Index
+type Indices map[string]Index
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/listers.go b/cli/vendor/k8s.io/client-go/tools/cache/listers.go
new file mode 100644
index 00000000..27d51a6b
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/listers.go
@@ -0,0 +1,160 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"github.com/golang/glog"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// AppendFunc is used to add a matching item to whatever list the caller is using
+type AppendFunc func(interface{})
+
+func ListAll(store Store, selector labels.Selector, appendFn AppendFunc) error {
+	for _, m := range store.List() {
+		metadata, err := meta.Accessor(m)
+		if err != nil {
+			return err
+		}
+		if selector.Matches(labels.Set(metadata.GetLabels())) {
+			appendFn(m)
+		}
+	}
+	return nil
+}
+
+func ListAllByNamespace(indexer Indexer, namespace string, selector labels.Selector, appendFn AppendFunc) error {
+	if namespace == metav1.NamespaceAll {
+		for _, m := range indexer.List() {
+			metadata, err := meta.Accessor(m)
+			if err != nil {
+				return err
+			}
+			if selector.Matches(labels.Set(metadata.GetLabels())) {
+				appendFn(m)
+			}
+		}
+		return nil
+	}
+
+	items, err := indexer.Index(NamespaceIndex, &metav1.ObjectMeta{Namespace: namespace})
+	if err != nil {
+		// Ignore error; do slow search without index.
+		glog.Warningf("can not retrieve list of objects using index : %v", err)
+		for _, m := range indexer.List() {
+			metadata, err := meta.Accessor(m)
+			if err != nil {
+				return err
+			}
+			if metadata.GetNamespace() == namespace && selector.Matches(labels.Set(metadata.GetLabels())) {
+				appendFn(m)
+			}
+
+		}
+		return nil
+	}
+	for _, m := range items {
+		metadata, err := meta.Accessor(m)
+		if err != nil {
+			return err
+		}
+		if selector.Matches(labels.Set(metadata.GetLabels())) {
+			appendFn(m)
+		}
+	}
+
+	return nil
+}
+
+// GenericLister is a lister skin on a generic Indexer
+type GenericLister interface {
+	// List will return all objects across namespaces
+	List(selector labels.Selector) (ret []runtime.Object, err error)
+	// Get will attempt to retrieve assuming that name==key
+	Get(name string) (runtime.Object, error)
+	// ByNamespace will give you a GenericNamespaceLister for one namespace
+	ByNamespace(namespace string) GenericNamespaceLister
+}
+
+// GenericNamespaceLister is a lister skin on a generic Indexer
+type GenericNamespaceLister interface {
+	// List will return all objects in this namespace
+	List(selector labels.Selector) (ret []runtime.Object, err error)
+	// Get will attempt to retrieve by namespace and name
+	Get(name string) (runtime.Object, error)
+}
+
+func NewGenericLister(indexer Indexer, resource schema.GroupResource) GenericLister {
+	return &genericLister{indexer: indexer, resource: resource}
+}
+
+type genericLister struct {
+	indexer  Indexer
+	resource schema.GroupResource
+}
+
+func (s *genericLister) List(selector labels.Selector) (ret []runtime.Object, err error) {
+	err = ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(runtime.Object))
+	})
+	return ret, err
+}
+
+func (s *genericLister) ByNamespace(namespace string) GenericNamespaceLister {
+	return &genericNamespaceLister{indexer: s.indexer, namespace: namespace, resource: s.resource}
+}
+
+func (s *genericLister) Get(name string) (runtime.Object, error) {
+	obj, exists, err := s.indexer.GetByKey(name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(s.resource, name)
+	}
+	return obj.(runtime.Object), nil
+}
+
+type genericNamespaceLister struct {
+	indexer   Indexer
+	namespace string
+	resource  schema.GroupResource
+}
+
+func (s *genericNamespaceLister) List(selector labels.Selector) (ret []runtime.Object, err error) {
+	err = ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(runtime.Object))
+	})
+	return ret, err
+}
+
+func (s *genericNamespaceLister) Get(name string) (runtime.Object, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(s.resource, name)
+	}
+	return obj.(runtime.Object), nil
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/listwatch.go b/cli/vendor/k8s.io/client-go/tools/cache/listwatch.go
new file mode 100644
index 00000000..55a90b63
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/listwatch.go
@@ -0,0 +1,173 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"time"
+
+	"golang.org/x/net/context"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/pager"
+)
+
+// ListerWatcher is any object that knows how to perform an initial list and start a watch on a resource.
+type ListerWatcher interface {
+	// List should return a list type object; the Items field will be extracted, and the
+	// ResourceVersion field will be used to start the watch in the right place.
+	List(options metav1.ListOptions) (runtime.Object, error)
+	// Watch should begin a watch at the specified version.
+	Watch(options metav1.ListOptions) (watch.Interface, error)
+}
+
+// ListFunc knows how to list resources
+type ListFunc func(options metav1.ListOptions) (runtime.Object, error)
+
+// WatchFunc knows how to watch resources
+type WatchFunc func(options metav1.ListOptions) (watch.Interface, error)
+
+// ListWatch knows how to list and watch a set of apiserver resources.  It satisfies the ListerWatcher interface.
+// It is a convenience function for users of NewReflector, etc.
+// ListFunc and WatchFunc must not be nil
+type ListWatch struct {
+	ListFunc  ListFunc
+	WatchFunc WatchFunc
+	// DisableChunking requests no chunking for this list watcher. It has no effect in Kubernetes 1.8, but in
+	// 1.9 will allow a controller to opt out of chunking.
+	DisableChunking bool
+}
+
+// Getter interface knows how to access Get method from RESTClient.
+type Getter interface {
+	Get() *restclient.Request
+}
+
+// NewListWatchFromClient creates a new ListWatch from the specified client, resource, namespace and field selector.
+func NewListWatchFromClient(c Getter, resource string, namespace string, fieldSelector fields.Selector) *ListWatch {
+	listFunc := func(options metav1.ListOptions) (runtime.Object, error) {
+		options.FieldSelector = fieldSelector.String()
+		return c.Get().
+			Namespace(namespace).
+			Resource(resource).
+			VersionedParams(&options, metav1.ParameterCodec).
+			Do().
+			Get()
+	}
+	watchFunc := func(options metav1.ListOptions) (watch.Interface, error) {
+		options.Watch = true
+		options.FieldSelector = fieldSelector.String()
+		return c.Get().
+			Namespace(namespace).
+			Resource(resource).
+			VersionedParams(&options, metav1.ParameterCodec).
+			Watch()
+	}
+	return &ListWatch{ListFunc: listFunc, WatchFunc: watchFunc}
+}
+
+func timeoutFromListOptions(options metav1.ListOptions) time.Duration {
+	if options.TimeoutSeconds != nil {
+		return time.Duration(*options.TimeoutSeconds) * time.Second
+	}
+	return 0
+}
+
+// List a set of apiserver resources
+func (lw *ListWatch) List(options metav1.ListOptions) (runtime.Object, error) {
+	// chunking will become the default for list watchers starting in Kubernetes 1.9, unless
+	// otherwise disabled.
+	if false && !lw.DisableChunking {
+		return pager.New(pager.SimplePageFunc(lw.ListFunc)).List(context.TODO(), options)
+	}
+	return lw.ListFunc(options)
+}
+
+// Watch a set of apiserver resources
+func (lw *ListWatch) Watch(options metav1.ListOptions) (watch.Interface, error) {
+	return lw.WatchFunc(options)
+}
+
+// TODO: check for watch expired error and retry watch from latest point?  Same issue exists for Until.
+func ListWatchUntil(timeout time.Duration, lw ListerWatcher, conditions ...watch.ConditionFunc) (*watch.Event, error) {
+	if len(conditions) == 0 {
+		return nil, nil
+	}
+
+	list, err := lw.List(metav1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	initialItems, err := meta.ExtractList(list)
+	if err != nil {
+		return nil, err
+	}
+
+	// use the initial items as simulated "adds"
+	var lastEvent *watch.Event
+	currIndex := 0
+	passedConditions := 0
+	for _, condition := range conditions {
+		// check the next condition against the previous event and short circuit waiting for the next watch
+		if lastEvent != nil {
+			done, err := condition(*lastEvent)
+			if err != nil {
+				return lastEvent, err
+			}
+			if done {
+				passedConditions = passedConditions + 1
+				continue
+			}
+		}
+
+	ConditionSucceeded:
+		for currIndex < len(initialItems) {
+			lastEvent = &watch.Event{Type: watch.Added, Object: initialItems[currIndex]}
+			currIndex++
+
+			done, err := condition(*lastEvent)
+			if err != nil {
+				return lastEvent, err
+			}
+			if done {
+				passedConditions = passedConditions + 1
+				break ConditionSucceeded
+			}
+		}
+	}
+	if passedConditions == len(conditions) {
+		return lastEvent, nil
+	}
+	remainingConditions := conditions[passedConditions:]
+
+	metaObj, err := meta.ListAccessor(list)
+	if err != nil {
+		return nil, err
+	}
+	currResourceVersion := metaObj.GetResourceVersion()
+
+	watchInterface, err := lw.Watch(metav1.ListOptions{ResourceVersion: currResourceVersion})
+	if err != nil {
+		return nil, err
+	}
+
+	return watch.Until(timeout, watchInterface, remainingConditions...)
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/mutation_cache.go b/cli/vendor/k8s.io/client-go/tools/cache/mutation_cache.go
new file mode 100644
index 00000000..cbb6434e
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/mutation_cache.go
@@ -0,0 +1,261 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"fmt"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/golang/glog"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilcache "k8s.io/apimachinery/pkg/util/cache"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// MutationCache is able to take the result of update operations and stores them in an LRU
+// that can be used to provide a more current view of a requested object.  It requires interpreting
+// resourceVersions for comparisons.
+// Implementations must be thread-safe.
+// TODO find a way to layer this into an informer/lister
+type MutationCache interface {
+	GetByKey(key string) (interface{}, bool, error)
+	ByIndex(indexName, indexKey string) ([]interface{}, error)
+	Mutation(interface{})
+}
+
+type ResourceVersionComparator interface {
+	CompareResourceVersion(lhs, rhs runtime.Object) int
+}
+
+// NewIntegerResourceVersionMutationCache returns a MutationCache that understands how to
+// deal with objects that have a resource version that:
+//
+//   - is an integer
+//   - increases when updated
+//   - is comparable across the same resource in a namespace
+//
+// Most backends will have these semantics. Indexer may be nil. ttl controls how long an item
+// remains in the mutation cache before it is removed.
+//
+// If includeAdds is true, objects in the mutation cache will be returned even if they don't exist
+// in the underlying store. This is only safe if your use of the cache can handle mutation entries
+// remaining in the cache for up to ttl when mutations and deletes occur very closely in time.
+func NewIntegerResourceVersionMutationCache(backingCache Store, indexer Indexer, ttl time.Duration, includeAdds bool) MutationCache {
+	return &mutationCache{
+		backingCache:  backingCache,
+		indexer:       indexer,
+		mutationCache: utilcache.NewLRUExpireCache(100),
+		comparator:    etcdObjectVersioner{},
+		ttl:           ttl,
+		includeAdds:   includeAdds,
+	}
+}
+
+// mutationCache doesn't guarantee that it returns values added via Mutation since they can page out and
+// since you can't distinguish between, "didn't observe create" and "was deleted after create",
+// if the key is missing from the backing cache, we always return it as missing
+type mutationCache struct {
+	lock          sync.Mutex
+	backingCache  Store
+	indexer       Indexer
+	mutationCache *utilcache.LRUExpireCache
+	includeAdds   bool
+	ttl           time.Duration
+
+	comparator ResourceVersionComparator
+}
+
+// GetByKey is never guaranteed to return back the value set in Mutation.  It could be paged out, it could
+// be older than another copy, the backingCache may be more recent or, you might have written twice into the same key.
+// You get a value that was valid at some snapshot of time and will always return the newer of backingCache and mutationCache.
+func (c *mutationCache) GetByKey(key string) (interface{}, bool, error) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	obj, exists, err := c.backingCache.GetByKey(key)
+	if err != nil {
+		return nil, false, err
+	}
+	if !exists {
+		if !c.includeAdds {
+			// we can't distinguish between, "didn't observe create" and "was deleted after create", so
+			// if the key is missing, we always return it as missing
+			return nil, false, nil
+		}
+		obj, exists = c.mutationCache.Get(key)
+		if !exists {
+			return nil, false, nil
+		}
+	}
+	objRuntime, ok := obj.(runtime.Object)
+	if !ok {
+		return obj, true, nil
+	}
+	return c.newerObject(key, objRuntime), true, nil
+}
+
+// ByIndex returns the newer objects that match the provided index and indexer key.
+// Will return an error if no indexer was provided.
+func (c *mutationCache) ByIndex(name string, indexKey string) ([]interface{}, error) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	if c.indexer == nil {
+		return nil, fmt.Errorf("no indexer has been provided to the mutation cache")
+	}
+	keys, err := c.indexer.IndexKeys(name, indexKey)
+	if err != nil {
+		return nil, err
+	}
+	var items []interface{}
+	keySet := sets.NewString()
+	for _, key := range keys {
+		keySet.Insert(key)
+		obj, exists, err := c.indexer.GetByKey(key)
+		if err != nil {
+			return nil, err
+		}
+		if !exists {
+			continue
+		}
+		if objRuntime, ok := obj.(runtime.Object); ok {
+			items = append(items, c.newerObject(key, objRuntime))
+		} else {
+			items = append(items, obj)
+		}
+	}
+
+	if c.includeAdds {
+		fn := c.indexer.GetIndexers()[name]
+		// Keys() is returned oldest to newest, so full traversal does not alter the LRU behavior
+		for _, key := range c.mutationCache.Keys() {
+			updated, ok := c.mutationCache.Get(key)
+			if !ok {
+				continue
+			}
+			if keySet.Has(key.(string)) {
+				continue
+			}
+			elements, err := fn(updated)
+			if err != nil {
+				glog.V(4).Infof("Unable to calculate an index entry for mutation cache entry %s: %v", key, err)
+				continue
+			}
+			for _, inIndex := range elements {
+				if inIndex != indexKey {
+					continue
+				}
+				items = append(items, updated)
+				break
+			}
+		}
+	}
+
+	return items, nil
+}
+
+// newerObject checks the mutation cache for a newer object and returns one if found. If the
+// mutated object is older than the backing object, it is removed from the  Must be
+// called while the lock is held.
+func (c *mutationCache) newerObject(key string, backing runtime.Object) runtime.Object {
+	mutatedObj, exists := c.mutationCache.Get(key)
+	if !exists {
+		return backing
+	}
+	mutatedObjRuntime, ok := mutatedObj.(runtime.Object)
+	if !ok {
+		return backing
+	}
+	if c.comparator.CompareResourceVersion(backing, mutatedObjRuntime) >= 0 {
+		c.mutationCache.Remove(key)
+		return backing
+	}
+	return mutatedObjRuntime
+}
+
+// Mutation adds a change to the cache that can be returned in GetByKey if it is newer than the backingCache
+// copy.  If you call Mutation twice with the same object on different threads, one will win, but its not defined
+// which one.  This doesn't affect correctness, since the GetByKey guaranteed of "later of these two caches" is
+// preserved, but you may not get the version of the object you want.  The object you get is only guaranteed to
+// "one that was valid at some point in time", not "the one that I want".
+func (c *mutationCache) Mutation(obj interface{}) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	key, err := DeletionHandlingMetaNamespaceKeyFunc(obj)
+	if err != nil {
+		// this is a "nice to have", so failures shouldn't do anything weird
+		utilruntime.HandleError(err)
+		return
+	}
+
+	if objRuntime, ok := obj.(runtime.Object); ok {
+		if mutatedObj, exists := c.mutationCache.Get(key); exists {
+			if mutatedObjRuntime, ok := mutatedObj.(runtime.Object); ok {
+				if c.comparator.CompareResourceVersion(objRuntime, mutatedObjRuntime) < 0 {
+					return
+				}
+			}
+		}
+	}
+	c.mutationCache.Add(key, obj, c.ttl)
+}
+
+// etcdObjectVersioner implements versioning and extracting etcd node information
+// for objects that have an embedded ObjectMeta or ListMeta field.
+type etcdObjectVersioner struct{}
+
+// ObjectResourceVersion implements Versioner
+func (a etcdObjectVersioner) ObjectResourceVersion(obj runtime.Object) (uint64, error) {
+	accessor, err := meta.Accessor(obj)
+	if err != nil {
+		return 0, err
+	}
+	version := accessor.GetResourceVersion()
+	if len(version) == 0 {
+		return 0, nil
+	}
+	return strconv.ParseUint(version, 10, 64)
+}
+
+// CompareResourceVersion compares etcd resource versions.  Outside this API they are all strings,
+// but etcd resource versions are special, they're actually ints, so we can easily compare them.
+func (a etcdObjectVersioner) CompareResourceVersion(lhs, rhs runtime.Object) int {
+	lhsVersion, err := a.ObjectResourceVersion(lhs)
+	if err != nil {
+		// coder error
+		panic(err)
+	}
+	rhsVersion, err := a.ObjectResourceVersion(rhs)
+	if err != nil {
+		// coder error
+		panic(err)
+	}
+
+	if lhsVersion == rhsVersion {
+		return 0
+	}
+	if lhsVersion < rhsVersion {
+		return -1
+	}
+
+	return 1
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/mutation_detector.go b/cli/vendor/k8s.io/client-go/tools/cache/mutation_detector.go
new file mode 100644
index 00000000..8c067cab
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/mutation_detector.go
@@ -0,0 +1,133 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"fmt"
+	"os"
+	"reflect"
+	"strconv"
+	"sync"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/diff"
+	"k8s.io/client-go/kubernetes/scheme"
+)
+
+var mutationDetectionEnabled = false
+
+func init() {
+	mutationDetectionEnabled, _ = strconv.ParseBool(os.Getenv("KUBE_CACHE_MUTATION_DETECTOR"))
+}
+
+type CacheMutationDetector interface {
+	AddObject(obj interface{})
+	Run(stopCh <-chan struct{})
+}
+
+func NewCacheMutationDetector(name string) CacheMutationDetector {
+	if !mutationDetectionEnabled {
+		return dummyMutationDetector{}
+	}
+	return &defaultCacheMutationDetector{name: name, period: 1 * time.Second}
+}
+
+type dummyMutationDetector struct{}
+
+func (dummyMutationDetector) Run(stopCh <-chan struct{}) {
+}
+func (dummyMutationDetector) AddObject(obj interface{}) {
+}
+
+// defaultCacheMutationDetector gives a way to detect if a cached object has been mutated
+// It has a list of cached objects and their copies.  I haven't thought of a way
+// to see WHO is mutating it, just that it's getting mutated.
+type defaultCacheMutationDetector struct {
+	name   string
+	period time.Duration
+
+	lock       sync.Mutex
+	cachedObjs []cacheObj
+
+	// failureFunc is injectable for unit testing.  If you don't have it, the process will panic.
+	// This panic is intentional, since turning on this detection indicates you want a strong
+	// failure signal.  This failure is effectively a p0 bug and you can't trust process results
+	// after a mutation anyway.
+	failureFunc func(message string)
+}
+
+// cacheObj holds the actual object and a copy
+type cacheObj struct {
+	cached interface{}
+	copied interface{}
+}
+
+func (d *defaultCacheMutationDetector) Run(stopCh <-chan struct{}) {
+	// we DON'T want protection from panics.  If we're running this code, we want to die
+	for {
+		d.CompareObjects()
+
+		select {
+		case <-stopCh:
+			return
+		case <-time.After(d.period):
+		}
+	}
+}
+
+// AddObject makes a deep copy of the object for later comparison.  It only works on runtime.Object
+// but that covers the vast majority of our cached objects
+func (d *defaultCacheMutationDetector) AddObject(obj interface{}) {
+	if _, ok := obj.(DeletedFinalStateUnknown); ok {
+		return
+	}
+	if _, ok := obj.(runtime.Object); !ok {
+		return
+	}
+
+	copiedObj, err := scheme.Scheme.Copy(obj.(runtime.Object))
+	if err != nil {
+		return
+	}
+
+	d.lock.Lock()
+	defer d.lock.Unlock()
+	d.cachedObjs = append(d.cachedObjs, cacheObj{cached: obj, copied: copiedObj})
+}
+
+func (d *defaultCacheMutationDetector) CompareObjects() {
+	d.lock.Lock()
+	defer d.lock.Unlock()
+
+	altered := false
+	for i, obj := range d.cachedObjs {
+		if !reflect.DeepEqual(obj.cached, obj.copied) {
+			fmt.Printf("CACHE %s[%d] ALTERED!\n%v\n", d.name, i, diff.ObjectDiff(obj.cached, obj.copied))
+			altered = true
+		}
+	}
+
+	if altered {
+		msg := fmt.Sprintf("cache %s modified", d.name)
+		if d.failureFunc != nil {
+			d.failureFunc(msg)
+			return
+		}
+		panic(msg)
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/reflector.go b/cli/vendor/k8s.io/client-go/tools/cache/reflector.go
new file mode 100644
index 00000000..b4865a64
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/reflector.go
@@ -0,0 +1,442 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"math/rand"
+	"net"
+	"net/url"
+	"reflect"
+	"regexp"
+	goruntime "runtime"
+	"runtime/debug"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"syscall"
+	"time"
+
+	"github.com/golang/glog"
+	apierrs "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/clock"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+// Reflector watches a specified resource and causes all changes to be reflected in the given store.
+type Reflector struct {
+	// name identifies this reflector. By default it will be a file:line if possible.
+	name string
+	// metrics tracks basic metric information about the reflector
+	metrics *reflectorMetrics
+
+	// The type of object we expect to place in the store.
+	expectedType reflect.Type
+	// The destination to sync up with the watch source
+	store Store
+	// listerWatcher is used to perform lists and watches.
+	listerWatcher ListerWatcher
+	// period controls timing between one watch ending and
+	// the beginning of the next one.
+	period       time.Duration
+	resyncPeriod time.Duration
+	ShouldResync func() bool
+	// clock allows tests to manipulate time
+	clock clock.Clock
+	// lastSyncResourceVersion is the resource version token last
+	// observed when doing a sync with the underlying store
+	// it is thread safe, but not synchronized with the underlying store
+	lastSyncResourceVersion string
+	// lastSyncResourceVersionMutex guards read/write access to lastSyncResourceVersion
+	lastSyncResourceVersionMutex sync.RWMutex
+}
+
+var (
+	// We try to spread the load on apiserver by setting timeouts for
+	// watch requests - it is random in [minWatchTimeout, 2*minWatchTimeout].
+	// However, it can be modified to avoid periodic resync to break the
+	// TCP connection.
+	minWatchTimeout = 5 * time.Minute
+)
+
+// NewNamespaceKeyedIndexerAndReflector creates an Indexer and a Reflector
+// The indexer is configured to key on namespace
+func NewNamespaceKeyedIndexerAndReflector(lw ListerWatcher, expectedType interface{}, resyncPeriod time.Duration) (indexer Indexer, reflector *Reflector) {
+	indexer = NewIndexer(MetaNamespaceKeyFunc, Indexers{"namespace": MetaNamespaceIndexFunc})
+	reflector = NewReflector(lw, expectedType, indexer, resyncPeriod)
+	return indexer, reflector
+}
+
+// NewReflector creates a new Reflector object which will keep the given store up to
+// date with the server's contents for the given resource. Reflector promises to
+// only put things in the store that have the type of expectedType, unless expectedType
+// is nil. If resyncPeriod is non-zero, then lists will be executed after every
+// resyncPeriod, so that you can use reflectors to periodically process everything as
+// well as incrementally processing the things that change.
+func NewReflector(lw ListerWatcher, expectedType interface{}, store Store, resyncPeriod time.Duration) *Reflector {
+	return NewNamedReflector(getDefaultReflectorName(internalPackages...), lw, expectedType, store, resyncPeriod)
+}
+
+// reflectorDisambiguator is used to disambiguate started reflectors.
+// initialized to an unstable value to ensure meaning isn't attributed to the suffix.
+var reflectorDisambiguator = int64(time.Now().UnixNano() % 12345)
+
+// NewNamedReflector same as NewReflector, but with a specified name for logging
+func NewNamedReflector(name string, lw ListerWatcher, expectedType interface{}, store Store, resyncPeriod time.Duration) *Reflector {
+	reflectorSuffix := atomic.AddInt64(&reflectorDisambiguator, 1)
+	r := &Reflector{
+		name: name,
+		// we need this to be unique per process (some names are still the same)but obvious who it belongs to
+		metrics:       newReflectorMetrics(makeValidPromethusMetricLabel(fmt.Sprintf("reflector_"+name+"_%d", reflectorSuffix))),
+		listerWatcher: lw,
+		store:         store,
+		expectedType:  reflect.TypeOf(expectedType),
+		period:        time.Second,
+		resyncPeriod:  resyncPeriod,
+		clock:         &clock.RealClock{},
+	}
+	return r
+}
+
+func makeValidPromethusMetricLabel(in string) string {
+	// this isn't perfect, but it removes our common characters
+	return strings.NewReplacer("/", "_", ".", "_", "-", "_", ":", "_").Replace(in)
+}
+
+// internalPackages are packages that ignored when creating a default reflector name. These packages are in the common
+// call chains to NewReflector, so they'd be low entropy names for reflectors
+var internalPackages = []string{"client-go/tools/cache/", "/runtime/asm_"}
+
+// getDefaultReflectorName walks back through the call stack until we find a caller from outside of the ignoredPackages
+// it returns back a shortpath/filename:line to aid in identification of this reflector when it starts logging
+func getDefaultReflectorName(ignoredPackages ...string) string {
+	name := "????"
+	const maxStack = 10
+	for i := 1; i < maxStack; i++ {
+		_, file, line, ok := goruntime.Caller(i)
+		if !ok {
+			file, line, ok = extractStackCreator()
+			if !ok {
+				break
+			}
+			i += maxStack
+		}
+		if hasPackage(file, ignoredPackages) {
+			continue
+		}
+
+		file = trimPackagePrefix(file)
+		name = fmt.Sprintf("%s:%d", file, line)
+		break
+	}
+	return name
+}
+
+// hasPackage returns true if the file is in one of the ignored packages.
+func hasPackage(file string, ignoredPackages []string) bool {
+	for _, ignoredPackage := range ignoredPackages {
+		if strings.Contains(file, ignoredPackage) {
+			return true
+		}
+	}
+	return false
+}
+
+// trimPackagePrefix reduces duplicate values off the front of a package name.
+func trimPackagePrefix(file string) string {
+	if l := strings.LastIndex(file, "k8s.io/client-go/pkg/"); l >= 0 {
+		return file[l+len("k8s.io/client-go/"):]
+	}
+	if l := strings.LastIndex(file, "/src/"); l >= 0 {
+		return file[l+5:]
+	}
+	if l := strings.LastIndex(file, "/pkg/"); l >= 0 {
+		return file[l+1:]
+	}
+	return file
+}
+
+var stackCreator = regexp.MustCompile(`(?m)^created by (.*)\n\s+(.*):(\d+) \+0x[[:xdigit:]]+$`)
+
+// extractStackCreator retrieves the goroutine file and line that launched this stack. Returns false
+// if the creator cannot be located.
+// TODO: Go does not expose this via runtime https://github.com/golang/go/issues/11440
+func extractStackCreator() (string, int, bool) {
+	stack := debug.Stack()
+	matches := stackCreator.FindStringSubmatch(string(stack))
+	if matches == nil || len(matches) != 4 {
+		return "", 0, false
+	}
+	line, err := strconv.Atoi(matches[3])
+	if err != nil {
+		return "", 0, false
+	}
+	return matches[2], line, true
+}
+
+// Run starts a watch and handles watch events. Will restart the watch if it is closed.
+// Run will exit when stopCh is closed.
+func (r *Reflector) Run(stopCh <-chan struct{}) {
+	glog.V(3).Infof("Starting reflector %v (%s) from %s", r.expectedType, r.resyncPeriod, r.name)
+	wait.Until(func() {
+		if err := r.ListAndWatch(stopCh); err != nil {
+			utilruntime.HandleError(err)
+		}
+	}, r.period, stopCh)
+}
+
+var (
+	// nothing will ever be sent down this channel
+	neverExitWatch <-chan time.Time = make(chan time.Time)
+
+	// Used to indicate that watching stopped so that a resync could happen.
+	errorResyncRequested = errors.New("resync channel fired")
+
+	// Used to indicate that watching stopped because of a signal from the stop
+	// channel passed in from a client of the reflector.
+	errorStopRequested = errors.New("Stop requested")
+)
+
+// resyncChan returns a channel which will receive something when a resync is
+// required, and a cleanup function.
+func (r *Reflector) resyncChan() (<-chan time.Time, func() bool) {
+	if r.resyncPeriod == 0 {
+		return neverExitWatch, func() bool { return false }
+	}
+	// The cleanup function is required: imagine the scenario where watches
+	// always fail so we end up listing frequently. Then, if we don't
+	// manually stop the timer, we could end up with many timers active
+	// concurrently.
+	t := r.clock.NewTimer(r.resyncPeriod)
+	return t.C(), t.Stop
+}
+
+// ListAndWatch first lists all items and get the resource version at the moment of call,
+// and then use the resource version to watch.
+// It returns error if ListAndWatch didn't even try to initialize watch.
+func (r *Reflector) ListAndWatch(stopCh <-chan struct{}) error {
+	glog.V(3).Infof("Listing and watching %v from %s", r.expectedType, r.name)
+	var resourceVersion string
+
+	// Explicitly set "0" as resource version - it's fine for the List()
+	// to be served from cache and potentially be delayed relative to
+	// etcd contents. Reflector framework will catch up via Watch() eventually.
+	options := metav1.ListOptions{ResourceVersion: "0"}
+	r.metrics.numberOfLists.Inc()
+	start := r.clock.Now()
+	list, err := r.listerWatcher.List(options)
+	if err != nil {
+		return fmt.Errorf("%s: Failed to list %v: %v", r.name, r.expectedType, err)
+	}
+	r.metrics.listDuration.Observe(time.Since(start).Seconds())
+	listMetaInterface, err := meta.ListAccessor(list)
+	if err != nil {
+		return fmt.Errorf("%s: Unable to understand list result %#v: %v", r.name, list, err)
+	}
+	resourceVersion = listMetaInterface.GetResourceVersion()
+	items, err := meta.ExtractList(list)
+	if err != nil {
+		return fmt.Errorf("%s: Unable to understand list result %#v (%v)", r.name, list, err)
+	}
+	r.metrics.numberOfItemsInList.Observe(float64(len(items)))
+	if err := r.syncWith(items, resourceVersion); err != nil {
+		return fmt.Errorf("%s: Unable to sync list result: %v", r.name, err)
+	}
+	r.setLastSyncResourceVersion(resourceVersion)
+
+	resyncerrc := make(chan error, 1)
+	cancelCh := make(chan struct{})
+	defer close(cancelCh)
+	go func() {
+		resyncCh, cleanup := r.resyncChan()
+		defer func() {
+			cleanup() // Call the last one written into cleanup
+		}()
+		for {
+			select {
+			case <-resyncCh:
+			case <-stopCh:
+				return
+			case <-cancelCh:
+				return
+			}
+			if r.ShouldResync == nil || r.ShouldResync() {
+				glog.V(4).Infof("%s: forcing resync", r.name)
+				if err := r.store.Resync(); err != nil {
+					resyncerrc <- err
+					return
+				}
+			}
+			cleanup()
+			resyncCh, cleanup = r.resyncChan()
+		}
+	}()
+
+	for {
+		timemoutseconds := int64(minWatchTimeout.Seconds() * (rand.Float64() + 1.0))
+		options = metav1.ListOptions{
+			ResourceVersion: resourceVersion,
+			// We want to avoid situations of hanging watchers. Stop any wachers that do not
+			// receive any events within the timeout window.
+			TimeoutSeconds: &timemoutseconds,
+		}
+
+		r.metrics.numberOfWatches.Inc()
+		w, err := r.listerWatcher.Watch(options)
+		if err != nil {
+			switch err {
+			case io.EOF:
+				// watch closed normally
+			case io.ErrUnexpectedEOF:
+				glog.V(1).Infof("%s: Watch for %v closed with unexpected EOF: %v", r.name, r.expectedType, err)
+			default:
+				utilruntime.HandleError(fmt.Errorf("%s: Failed to watch %v: %v", r.name, r.expectedType, err))
+			}
+			// If this is "connection refused" error, it means that most likely apiserver is not responsive.
+			// It doesn't make sense to re-list all objects because most likely we will be able to restart
+			// watch where we ended.
+			// If that's the case wait and resend watch request.
+			if urlError, ok := err.(*url.Error); ok {
+				if opError, ok := urlError.Err.(*net.OpError); ok {
+					if errno, ok := opError.Err.(syscall.Errno); ok && errno == syscall.ECONNREFUSED {
+						time.Sleep(time.Second)
+						continue
+					}
+				}
+			}
+			return nil
+		}
+
+		if err := r.watchHandler(w, &resourceVersion, resyncerrc, stopCh); err != nil {
+			if err != errorStopRequested {
+				glog.Warningf("%s: watch of %v ended with: %v", r.name, r.expectedType, err)
+			}
+			return nil
+		}
+	}
+}
+
+// syncWith replaces the store's items with the given list.
+func (r *Reflector) syncWith(items []runtime.Object, resourceVersion string) error {
+	found := make([]interface{}, 0, len(items))
+	for _, item := range items {
+		found = append(found, item)
+	}
+	return r.store.Replace(found, resourceVersion)
+}
+
+// watchHandler watches w and keeps *resourceVersion up to date.
+func (r *Reflector) watchHandler(w watch.Interface, resourceVersion *string, errc chan error, stopCh <-chan struct{}) error {
+	start := r.clock.Now()
+	eventCount := 0
+
+	// Stopping the watcher should be idempotent and if we return from this function there's no way
+	// we're coming back in with the same watch interface.
+	defer w.Stop()
+	// update metrics
+	defer func() {
+		r.metrics.numberOfItemsInWatch.Observe(float64(eventCount))
+		r.metrics.watchDuration.Observe(time.Since(start).Seconds())
+	}()
+
+loop:
+	for {
+		select {
+		case <-stopCh:
+			return errorStopRequested
+		case err := <-errc:
+			return err
+		case event, ok := <-w.ResultChan():
+			if !ok {
+				break loop
+			}
+			if event.Type == watch.Error {
+				return apierrs.FromObject(event.Object)
+			}
+			if e, a := r.expectedType, reflect.TypeOf(event.Object); e != nil && e != a {
+				utilruntime.HandleError(fmt.Errorf("%s: expected type %v, but watch event object had type %v", r.name, e, a))
+				continue
+			}
+			meta, err := meta.Accessor(event.Object)
+			if err != nil {
+				utilruntime.HandleError(fmt.Errorf("%s: unable to understand watch event %#v", r.name, event))
+				continue
+			}
+			newResourceVersion := meta.GetResourceVersion()
+			switch event.Type {
+			case watch.Added:
+				err := r.store.Add(event.Object)
+				if err != nil {
+					utilruntime.HandleError(fmt.Errorf("%s: unable to add watch event object (%#v) to store: %v", r.name, event.Object, err))
+				}
+			case watch.Modified:
+				err := r.store.Update(event.Object)
+				if err != nil {
+					utilruntime.HandleError(fmt.Errorf("%s: unable to update watch event object (%#v) to store: %v", r.name, event.Object, err))
+				}
+			case watch.Deleted:
+				// TODO: Will any consumers need access to the "last known
+				// state", which is passed in event.Object? If so, may need
+				// to change this.
+				err := r.store.Delete(event.Object)
+				if err != nil {
+					utilruntime.HandleError(fmt.Errorf("%s: unable to delete watch event object (%#v) from store: %v", r.name, event.Object, err))
+				}
+			default:
+				utilruntime.HandleError(fmt.Errorf("%s: unable to understand watch event %#v", r.name, event))
+			}
+			*resourceVersion = newResourceVersion
+			r.setLastSyncResourceVersion(newResourceVersion)
+			eventCount++
+		}
+	}
+
+	watchDuration := r.clock.Now().Sub(start)
+	if watchDuration < 1*time.Second && eventCount == 0 {
+		r.metrics.numberOfShortWatches.Inc()
+		return fmt.Errorf("very short watch: %s: Unexpected watch close - watch lasted less than a second and no items received", r.name)
+	}
+	glog.V(4).Infof("%s: Watch close - %v total %v items received", r.name, r.expectedType, eventCount)
+	return nil
+}
+
+// LastSyncResourceVersion is the resource version observed when last sync with the underlying store
+// The value returned is not synchronized with access to the underlying store and is not thread-safe
+func (r *Reflector) LastSyncResourceVersion() string {
+	r.lastSyncResourceVersionMutex.RLock()
+	defer r.lastSyncResourceVersionMutex.RUnlock()
+	return r.lastSyncResourceVersion
+}
+
+func (r *Reflector) setLastSyncResourceVersion(v string) {
+	r.lastSyncResourceVersionMutex.Lock()
+	defer r.lastSyncResourceVersionMutex.Unlock()
+	r.lastSyncResourceVersion = v
+
+	rv, err := strconv.Atoi(v)
+	if err == nil {
+		r.metrics.lastResourceVersion.Set(float64(rv))
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/reflector_metrics.go b/cli/vendor/k8s.io/client-go/tools/cache/reflector_metrics.go
new file mode 100644
index 00000000..0945e5c3
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/reflector_metrics.go
@@ -0,0 +1,119 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file provides abstractions for setting the provider (e.g., prometheus)
+// of metrics.
+
+package cache
+
+import (
+	"sync"
+)
+
+// GaugeMetric represents a single numerical value that can arbitrarily go up
+// and down.
+type GaugeMetric interface {
+	Set(float64)
+}
+
+// CounterMetric represents a single numerical value that only ever
+// goes up.
+type CounterMetric interface {
+	Inc()
+}
+
+// SummaryMetric captures individual observations.
+type SummaryMetric interface {
+	Observe(float64)
+}
+
+type noopMetric struct{}
+
+func (noopMetric) Inc()            {}
+func (noopMetric) Dec()            {}
+func (noopMetric) Observe(float64) {}
+func (noopMetric) Set(float64)     {}
+
+type reflectorMetrics struct {
+	numberOfLists       CounterMetric
+	listDuration        SummaryMetric
+	numberOfItemsInList SummaryMetric
+
+	numberOfWatches      CounterMetric
+	numberOfShortWatches CounterMetric
+	watchDuration        SummaryMetric
+	numberOfItemsInWatch SummaryMetric
+
+	lastResourceVersion GaugeMetric
+}
+
+// MetricsProvider generates various metrics used by the reflector.
+type MetricsProvider interface {
+	NewListsMetric(name string) CounterMetric
+	NewListDurationMetric(name string) SummaryMetric
+	NewItemsInListMetric(name string) SummaryMetric
+
+	NewWatchesMetric(name string) CounterMetric
+	NewShortWatchesMetric(name string) CounterMetric
+	NewWatchDurationMetric(name string) SummaryMetric
+	NewItemsInWatchMetric(name string) SummaryMetric
+
+	NewLastResourceVersionMetric(name string) GaugeMetric
+}
+
+type noopMetricsProvider struct{}
+
+func (noopMetricsProvider) NewListsMetric(name string) CounterMetric         { return noopMetric{} }
+func (noopMetricsProvider) NewListDurationMetric(name string) SummaryMetric  { return noopMetric{} }
+func (noopMetricsProvider) NewItemsInListMetric(name string) SummaryMetric   { return noopMetric{} }
+func (noopMetricsProvider) NewWatchesMetric(name string) CounterMetric       { return noopMetric{} }
+func (noopMetricsProvider) NewShortWatchesMetric(name string) CounterMetric  { return noopMetric{} }
+func (noopMetricsProvider) NewWatchDurationMetric(name string) SummaryMetric { return noopMetric{} }
+func (noopMetricsProvider) NewItemsInWatchMetric(name string) SummaryMetric  { return noopMetric{} }
+func (noopMetricsProvider) NewLastResourceVersionMetric(name string) GaugeMetric {
+	return noopMetric{}
+}
+
+var metricsFactory = struct {
+	metricsProvider MetricsProvider
+	setProviders    sync.Once
+}{
+	metricsProvider: noopMetricsProvider{},
+}
+
+func newReflectorMetrics(name string) *reflectorMetrics {
+	var ret *reflectorMetrics
+	if len(name) == 0 {
+		return ret
+	}
+	return &reflectorMetrics{
+		numberOfLists:        metricsFactory.metricsProvider.NewListsMetric(name),
+		listDuration:         metricsFactory.metricsProvider.NewListDurationMetric(name),
+		numberOfItemsInList:  metricsFactory.metricsProvider.NewItemsInListMetric(name),
+		numberOfWatches:      metricsFactory.metricsProvider.NewWatchesMetric(name),
+		numberOfShortWatches: metricsFactory.metricsProvider.NewShortWatchesMetric(name),
+		watchDuration:        metricsFactory.metricsProvider.NewWatchDurationMetric(name),
+		numberOfItemsInWatch: metricsFactory.metricsProvider.NewItemsInWatchMetric(name),
+		lastResourceVersion:  metricsFactory.metricsProvider.NewLastResourceVersionMetric(name),
+	}
+}
+
+// SetReflectorMetricsProvider sets the metrics provider
+func SetReflectorMetricsProvider(metricsProvider MetricsProvider) {
+	metricsFactory.setProviders.Do(func() {
+		metricsFactory.metricsProvider = metricsProvider
+	})
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/shared_informer.go b/cli/vendor/k8s.io/client-go/tools/cache/shared_informer.go
new file mode 100644
index 00000000..255f8722
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/shared_informer.go
@@ -0,0 +1,576 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"fmt"
+	"sync"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/clock"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+
+	"github.com/golang/glog"
+)
+
+// SharedInformer has a shared data cache and is capable of distributing notifications for changes
+// to the cache to multiple listeners who registered via AddEventHandler. If you use this, there is
+// one behavior change compared to a standard Informer.  When you receive a notification, the cache
+// will be AT LEAST as fresh as the notification, but it MAY be more fresh.  You should NOT depend
+// on the contents of the cache exactly matching the notification you've received in handler
+// functions.  If there was a create, followed by a delete, the cache may NOT have your item.  This
+// has advantages over the broadcaster since it allows us to share a common cache across many
+// controllers. Extending the broadcaster would have required us keep duplicate caches for each
+// watch.
+type SharedInformer interface {
+	// AddEventHandler adds an event handler to the shared informer using the shared informer's resync
+	// period.  Events to a single handler are delivered sequentially, but there is no coordination
+	// between different handlers.
+	AddEventHandler(handler ResourceEventHandler)
+	// AddEventHandlerWithResyncPeriod adds an event handler to the shared informer using the
+	// specified resync period.  Events to a single handler are delivered sequentially, but there is
+	// no coordination between different handlers.
+	AddEventHandlerWithResyncPeriod(handler ResourceEventHandler, resyncPeriod time.Duration)
+	// GetStore returns the Store.
+	GetStore() Store
+	// GetController gives back a synthetic interface that "votes" to start the informer
+	GetController() Controller
+	// Run starts the shared informer, which will be stopped when stopCh is closed.
+	Run(stopCh <-chan struct{})
+	// HasSynced returns true if the shared informer's store has synced.
+	HasSynced() bool
+	// LastSyncResourceVersion is the resource version observed when last synced with the underlying
+	// store. The value returned is not synchronized with access to the underlying store and is not
+	// thread-safe.
+	LastSyncResourceVersion() string
+}
+
+type SharedIndexInformer interface {
+	SharedInformer
+	// AddIndexers add indexers to the informer before it starts.
+	AddIndexers(indexers Indexers) error
+	GetIndexer() Indexer
+}
+
+// NewSharedInformer creates a new instance for the listwatcher.
+func NewSharedInformer(lw ListerWatcher, objType runtime.Object, resyncPeriod time.Duration) SharedInformer {
+	return NewSharedIndexInformer(lw, objType, resyncPeriod, Indexers{})
+}
+
+// NewSharedIndexInformer creates a new instance for the listwatcher.
+func NewSharedIndexInformer(lw ListerWatcher, objType runtime.Object, defaultEventHandlerResyncPeriod time.Duration, indexers Indexers) SharedIndexInformer {
+	realClock := &clock.RealClock{}
+	sharedIndexInformer := &sharedIndexInformer{
+		processor:                       &sharedProcessor{clock: realClock},
+		indexer:                         NewIndexer(DeletionHandlingMetaNamespaceKeyFunc, indexers),
+		listerWatcher:                   lw,
+		objectType:                      objType,
+		resyncCheckPeriod:               defaultEventHandlerResyncPeriod,
+		defaultEventHandlerResyncPeriod: defaultEventHandlerResyncPeriod,
+		cacheMutationDetector:           NewCacheMutationDetector(fmt.Sprintf("%T", objType)),
+		clock: realClock,
+	}
+	return sharedIndexInformer
+}
+
+// InformerSynced is a function that can be used to determine if an informer has synced.  This is useful for determining if caches have synced.
+type InformerSynced func() bool
+
+// syncedPollPeriod controls how often you look at the status of your sync funcs
+const syncedPollPeriod = 100 * time.Millisecond
+
+// WaitForCacheSync waits for caches to populate.  It returns true if it was successful, false
+// if the controller should shutdown
+func WaitForCacheSync(stopCh <-chan struct{}, cacheSyncs ...InformerSynced) bool {
+	err := wait.PollUntil(syncedPollPeriod,
+		func() (bool, error) {
+			for _, syncFunc := range cacheSyncs {
+				if !syncFunc() {
+					return false, nil
+				}
+			}
+			return true, nil
+		},
+		stopCh)
+	if err != nil {
+		glog.V(2).Infof("stop requested")
+		return false
+	}
+
+	glog.V(4).Infof("caches populated")
+	return true
+}
+
+type sharedIndexInformer struct {
+	indexer    Indexer
+	controller Controller
+
+	processor             *sharedProcessor
+	cacheMutationDetector CacheMutationDetector
+
+	// This block is tracked to handle late initialization of the controller
+	listerWatcher ListerWatcher
+	objectType    runtime.Object
+
+	// resyncCheckPeriod is how often we want the reflector's resync timer to fire so it can call
+	// shouldResync to check if any of our listeners need a resync.
+	resyncCheckPeriod time.Duration
+	// defaultEventHandlerResyncPeriod is the default resync period for any handlers added via
+	// AddEventHandler (i.e. they don't specify one and just want to use the shared informer's default
+	// value).
+	defaultEventHandlerResyncPeriod time.Duration
+	// clock allows for testability
+	clock clock.Clock
+
+	started, stopped bool
+	startedLock      sync.Mutex
+
+	// blockDeltas gives a way to stop all event distribution so that a late event handler
+	// can safely join the shared informer.
+	blockDeltas sync.Mutex
+}
+
+// dummyController hides the fact that a SharedInformer is different from a dedicated one
+// where a caller can `Run`.  The run method is disconnected in this case, because higher
+// level logic will decide when to start the SharedInformer and related controller.
+// Because returning information back is always asynchronous, the legacy callers shouldn't
+// notice any change in behavior.
+type dummyController struct {
+	informer *sharedIndexInformer
+}
+
+func (v *dummyController) Run(stopCh <-chan struct{}) {
+}
+
+func (v *dummyController) HasSynced() bool {
+	return v.informer.HasSynced()
+}
+
+func (c *dummyController) LastSyncResourceVersion() string {
+	return ""
+}
+
+type updateNotification struct {
+	oldObj interface{}
+	newObj interface{}
+}
+
+type addNotification struct {
+	newObj interface{}
+}
+
+type deleteNotification struct {
+	oldObj interface{}
+}
+
+func (s *sharedIndexInformer) Run(stopCh <-chan struct{}) {
+	defer utilruntime.HandleCrash()
+
+	fifo := NewDeltaFIFO(MetaNamespaceKeyFunc, nil, s.indexer)
+
+	cfg := &Config{
+		Queue:            fifo,
+		ListerWatcher:    s.listerWatcher,
+		ObjectType:       s.objectType,
+		FullResyncPeriod: s.resyncCheckPeriod,
+		RetryOnError:     false,
+		ShouldResync:     s.processor.shouldResync,
+
+		Process: s.HandleDeltas,
+	}
+
+	func() {
+		s.startedLock.Lock()
+		defer s.startedLock.Unlock()
+
+		s.controller = New(cfg)
+		s.controller.(*controller).clock = s.clock
+		s.started = true
+	}()
+
+	// Separate stop channel because Processor should be stopped strictly after controller
+	processorStopCh := make(chan struct{})
+	var wg wait.Group
+	defer wg.Wait()              // Wait for Processor to stop
+	defer close(processorStopCh) // Tell Processor to stop
+	wg.StartWithChannel(processorStopCh, s.cacheMutationDetector.Run)
+	wg.StartWithChannel(processorStopCh, s.processor.run)
+
+	defer func() {
+		s.startedLock.Lock()
+		defer s.startedLock.Unlock()
+		s.stopped = true // Don't want any new listeners
+	}()
+	s.controller.Run(stopCh)
+}
+
+func (s *sharedIndexInformer) HasSynced() bool {
+	s.startedLock.Lock()
+	defer s.startedLock.Unlock()
+
+	if s.controller == nil {
+		return false
+	}
+	return s.controller.HasSynced()
+}
+
+func (s *sharedIndexInformer) LastSyncResourceVersion() string {
+	s.startedLock.Lock()
+	defer s.startedLock.Unlock()
+
+	if s.controller == nil {
+		return ""
+	}
+	return s.controller.LastSyncResourceVersion()
+}
+
+func (s *sharedIndexInformer) GetStore() Store {
+	return s.indexer
+}
+
+func (s *sharedIndexInformer) GetIndexer() Indexer {
+	return s.indexer
+}
+
+func (s *sharedIndexInformer) AddIndexers(indexers Indexers) error {
+	s.startedLock.Lock()
+	defer s.startedLock.Unlock()
+
+	if s.started {
+		return fmt.Errorf("informer has already started")
+	}
+
+	return s.indexer.AddIndexers(indexers)
+}
+
+func (s *sharedIndexInformer) GetController() Controller {
+	return &dummyController{informer: s}
+}
+
+func (s *sharedIndexInformer) AddEventHandler(handler ResourceEventHandler) {
+	s.AddEventHandlerWithResyncPeriod(handler, s.defaultEventHandlerResyncPeriod)
+}
+
+func determineResyncPeriod(desired, check time.Duration) time.Duration {
+	if desired == 0 {
+		return desired
+	}
+	if check == 0 {
+		glog.Warningf("The specified resyncPeriod %v is invalid because this shared informer doesn't support resyncing", desired)
+		return 0
+	}
+	if desired < check {
+		glog.Warningf("The specified resyncPeriod %v is being increased to the minimum resyncCheckPeriod %v", desired, check)
+		return check
+	}
+	return desired
+}
+
+const minimumResyncPeriod = 1 * time.Second
+
+func (s *sharedIndexInformer) AddEventHandlerWithResyncPeriod(handler ResourceEventHandler, resyncPeriod time.Duration) {
+	s.startedLock.Lock()
+	defer s.startedLock.Unlock()
+
+	if s.stopped {
+		glog.V(2).Infof("Handler %v was not added to shared informer because it has stopped already", handler)
+		return
+	}
+
+	if resyncPeriod > 0 {
+		if resyncPeriod < minimumResyncPeriod {
+			glog.Warningf("resyncPeriod %d is too small. Changing it to the minimum allowed value of %d", resyncPeriod, minimumResyncPeriod)
+			resyncPeriod = minimumResyncPeriod
+		}
+
+		if resyncPeriod < s.resyncCheckPeriod {
+			if s.started {
+				glog.Warningf("resyncPeriod %d is smaller than resyncCheckPeriod %d and the informer has already started. Changing it to %d", resyncPeriod, s.resyncCheckPeriod, s.resyncCheckPeriod)
+				resyncPeriod = s.resyncCheckPeriod
+			} else {
+				// if the event handler's resyncPeriod is smaller than the current resyncCheckPeriod, update
+				// resyncCheckPeriod to match resyncPeriod and adjust the resync periods of all the listeners
+				// accordingly
+				s.resyncCheckPeriod = resyncPeriod
+				s.processor.resyncCheckPeriodChanged(resyncPeriod)
+			}
+		}
+	}
+
+	listener := newProcessListener(handler, resyncPeriod, determineResyncPeriod(resyncPeriod, s.resyncCheckPeriod), s.clock.Now())
+
+	if !s.started {
+		s.processor.addListener(listener)
+		return
+	}
+
+	// in order to safely join, we have to
+	// 1. stop sending add/update/delete notifications
+	// 2. do a list against the store
+	// 3. send synthetic "Add" events to the new handler
+	// 4. unblock
+	s.blockDeltas.Lock()
+	defer s.blockDeltas.Unlock()
+
+	s.processor.addListener(listener)
+	for _, item := range s.indexer.List() {
+		listener.add(addNotification{newObj: item})
+	}
+}
+
+func (s *sharedIndexInformer) HandleDeltas(obj interface{}) error {
+	s.blockDeltas.Lock()
+	defer s.blockDeltas.Unlock()
+
+	// from oldest to newest
+	for _, d := range obj.(Deltas) {
+		switch d.Type {
+		case Sync, Added, Updated:
+			isSync := d.Type == Sync
+			s.cacheMutationDetector.AddObject(d.Object)
+			if old, exists, err := s.indexer.Get(d.Object); err == nil && exists {
+				if err := s.indexer.Update(d.Object); err != nil {
+					return err
+				}
+				s.processor.distribute(updateNotification{oldObj: old, newObj: d.Object}, isSync)
+			} else {
+				if err := s.indexer.Add(d.Object); err != nil {
+					return err
+				}
+				s.processor.distribute(addNotification{newObj: d.Object}, isSync)
+			}
+		case Deleted:
+			if err := s.indexer.Delete(d.Object); err != nil {
+				return err
+			}
+			s.processor.distribute(deleteNotification{oldObj: d.Object}, false)
+		}
+	}
+	return nil
+}
+
+type sharedProcessor struct {
+	listenersStarted bool
+	listenersLock    sync.RWMutex
+	listeners        []*processorListener
+	syncingListeners []*processorListener
+	clock            clock.Clock
+	wg               wait.Group
+}
+
+func (p *sharedProcessor) addListener(listener *processorListener) {
+	p.listenersLock.Lock()
+	defer p.listenersLock.Unlock()
+
+	p.addListenerLocked(listener)
+	if p.listenersStarted {
+		p.wg.Start(listener.run)
+		p.wg.Start(listener.pop)
+	}
+}
+
+func (p *sharedProcessor) addListenerLocked(listener *processorListener) {
+	p.listeners = append(p.listeners, listener)
+	p.syncingListeners = append(p.syncingListeners, listener)
+}
+
+func (p *sharedProcessor) distribute(obj interface{}, sync bool) {
+	p.listenersLock.RLock()
+	defer p.listenersLock.RUnlock()
+
+	if sync {
+		for _, listener := range p.syncingListeners {
+			listener.add(obj)
+		}
+	} else {
+		for _, listener := range p.listeners {
+			listener.add(obj)
+		}
+	}
+}
+
+func (p *sharedProcessor) run(stopCh <-chan struct{}) {
+	func() {
+		p.listenersLock.RLock()
+		defer p.listenersLock.RUnlock()
+		for _, listener := range p.listeners {
+			p.wg.Start(listener.run)
+			p.wg.Start(listener.pop)
+		}
+		p.listenersStarted = true
+	}()
+	<-stopCh
+	p.listenersLock.RLock()
+	defer p.listenersLock.RUnlock()
+	for _, listener := range p.listeners {
+		close(listener.addCh) // Tell .pop() to stop. .pop() will tell .run() to stop
+	}
+	p.wg.Wait() // Wait for all .pop() and .run() to stop
+}
+
+// shouldResync queries every listener to determine if any of them need a resync, based on each
+// listener's resyncPeriod.
+func (p *sharedProcessor) shouldResync() bool {
+	p.listenersLock.Lock()
+	defer p.listenersLock.Unlock()
+
+	p.syncingListeners = []*processorListener{}
+
+	resyncNeeded := false
+	now := p.clock.Now()
+	for _, listener := range p.listeners {
+		// need to loop through all the listeners to see if they need to resync so we can prepare any
+		// listeners that are going to be resyncing.
+		if listener.shouldResync(now) {
+			resyncNeeded = true
+			p.syncingListeners = append(p.syncingListeners, listener)
+			listener.determineNextResync(now)
+		}
+	}
+	return resyncNeeded
+}
+
+func (p *sharedProcessor) resyncCheckPeriodChanged(resyncCheckPeriod time.Duration) {
+	p.listenersLock.RLock()
+	defer p.listenersLock.RUnlock()
+
+	for _, listener := range p.listeners {
+		resyncPeriod := determineResyncPeriod(listener.requestedResyncPeriod, resyncCheckPeriod)
+		listener.setResyncPeriod(resyncPeriod)
+	}
+}
+
+type processorListener struct {
+	nextCh chan interface{}
+	addCh  chan interface{}
+
+	handler ResourceEventHandler
+
+	// requestedResyncPeriod is how frequently the listener wants a full resync from the shared informer
+	requestedResyncPeriod time.Duration
+	// resyncPeriod is how frequently the listener wants a full resync from the shared informer. This
+	// value may differ from requestedResyncPeriod if the shared informer adjusts it to align with the
+	// informer's overall resync check period.
+	resyncPeriod time.Duration
+	// nextResync is the earliest time the listener should get a full resync
+	nextResync time.Time
+	// resyncLock guards access to resyncPeriod and nextResync
+	resyncLock sync.Mutex
+}
+
+func newProcessListener(handler ResourceEventHandler, requestedResyncPeriod, resyncPeriod time.Duration, now time.Time) *processorListener {
+	ret := &processorListener{
+		nextCh:                make(chan interface{}),
+		addCh:                 make(chan interface{}),
+		handler:               handler,
+		requestedResyncPeriod: requestedResyncPeriod,
+		resyncPeriod:          resyncPeriod,
+	}
+
+	ret.determineNextResync(now)
+
+	return ret
+}
+
+func (p *processorListener) add(notification interface{}) {
+	p.addCh <- notification
+}
+
+func (p *processorListener) pop() {
+	defer utilruntime.HandleCrash()
+	defer close(p.nextCh) // Tell .run() to stop
+
+	// pendingNotifications is an unbounded slice that holds all notifications not yet distributed
+	// there is one per listener, but a failing/stalled listener will have infinite pendingNotifications
+	// added until we OOM.
+	// TODO This is no worse than before, since reflectors were backed by unbounded DeltaFIFOs, but
+	// we should try to do something better
+	var pendingNotifications []interface{}
+	var nextCh chan<- interface{}
+	var notification interface{}
+	for {
+		select {
+		case nextCh <- notification:
+			// Notification dispatched
+			if len(pendingNotifications) == 0 { // Nothing to pop
+				nextCh = nil // Disable this select case
+				notification = nil
+			} else {
+				notification = pendingNotifications[0]
+				pendingNotifications[0] = nil
+				pendingNotifications = pendingNotifications[1:]
+			}
+		case notificationToAdd, ok := <-p.addCh:
+			if !ok {
+				return
+			}
+			if notification == nil { // No notification to pop (and pendingNotifications is empty)
+				// Optimize the case - skip adding to pendingNotifications
+				notification = notificationToAdd
+				nextCh = p.nextCh
+			} else { // There is already a notification waiting to be dispatched
+				pendingNotifications = append(pendingNotifications, notificationToAdd)
+			}
+		}
+	}
+}
+
+func (p *processorListener) run() {
+	defer utilruntime.HandleCrash()
+
+	for next := range p.nextCh {
+		switch notification := next.(type) {
+		case updateNotification:
+			p.handler.OnUpdate(notification.oldObj, notification.newObj)
+		case addNotification:
+			p.handler.OnAdd(notification.newObj)
+		case deleteNotification:
+			p.handler.OnDelete(notification.oldObj)
+		default:
+			utilruntime.HandleError(fmt.Errorf("unrecognized notification: %#v", next))
+		}
+	}
+}
+
+// shouldResync deterimines if the listener needs a resync. If the listener's resyncPeriod is 0,
+// this always returns false.
+func (p *processorListener) shouldResync(now time.Time) bool {
+	p.resyncLock.Lock()
+	defer p.resyncLock.Unlock()
+
+	if p.resyncPeriod == 0 {
+		return false
+	}
+
+	return now.After(p.nextResync) || now.Equal(p.nextResync)
+}
+
+func (p *processorListener) determineNextResync(now time.Time) {
+	p.resyncLock.Lock()
+	defer p.resyncLock.Unlock()
+
+	p.nextResync = now.Add(p.resyncPeriod)
+}
+
+func (p *processorListener) setResyncPeriod(resyncPeriod time.Duration) {
+	p.resyncLock.Lock()
+	defer p.resyncLock.Unlock()
+
+	p.resyncPeriod = resyncPeriod
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/store.go b/cli/vendor/k8s.io/client-go/tools/cache/store.go
new file mode 100755
index 00000000..4958987f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/store.go
@@ -0,0 +1,244 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+)
+
+// Store is a generic object storage interface. Reflector knows how to watch a server
+// and update a store. A generic store is provided, which allows Reflector to be used
+// as a local caching system, and an LRU store, which allows Reflector to work like a
+// queue of items yet to be processed.
+//
+// Store makes no assumptions about stored object identity; it is the responsibility
+// of a Store implementation to provide a mechanism to correctly key objects and to
+// define the contract for obtaining objects by some arbitrary key type.
+type Store interface {
+	Add(obj interface{}) error
+	Update(obj interface{}) error
+	Delete(obj interface{}) error
+	List() []interface{}
+	ListKeys() []string
+	Get(obj interface{}) (item interface{}, exists bool, err error)
+	GetByKey(key string) (item interface{}, exists bool, err error)
+
+	// Replace will delete the contents of the store, using instead the
+	// given list. Store takes ownership of the list, you should not reference
+	// it after calling this function.
+	Replace([]interface{}, string) error
+	Resync() error
+}
+
+// KeyFunc knows how to make a key from an object. Implementations should be deterministic.
+type KeyFunc func(obj interface{}) (string, error)
+
+// KeyError will be returned any time a KeyFunc gives an error; it includes the object
+// at fault.
+type KeyError struct {
+	Obj interface{}
+	Err error
+}
+
+// Error gives a human-readable description of the error.
+func (k KeyError) Error() string {
+	return fmt.Sprintf("couldn't create key for object %+v: %v", k.Obj, k.Err)
+}
+
+// ExplicitKey can be passed to MetaNamespaceKeyFunc if you have the key for
+// the object but not the object itself.
+type ExplicitKey string
+
+// MetaNamespaceKeyFunc is a convenient default KeyFunc which knows how to make
+// keys for API objects which implement meta.Interface.
+// The key uses the format <namespace>/<name> unless <namespace> is empty, then
+// it's just <name>.
+//
+// TODO: replace key-as-string with a key-as-struct so that this
+// packing/unpacking won't be necessary.
+func MetaNamespaceKeyFunc(obj interface{}) (string, error) {
+	if key, ok := obj.(ExplicitKey); ok {
+		return string(key), nil
+	}
+	meta, err := meta.Accessor(obj)
+	if err != nil {
+		return "", fmt.Errorf("object has no meta: %v", err)
+	}
+	if len(meta.GetNamespace()) > 0 {
+		return meta.GetNamespace() + "/" + meta.GetName(), nil
+	}
+	return meta.GetName(), nil
+}
+
+// SplitMetaNamespaceKey returns the namespace and name that
+// MetaNamespaceKeyFunc encoded into key.
+//
+// TODO: replace key-as-string with a key-as-struct so that this
+// packing/unpacking won't be necessary.
+func SplitMetaNamespaceKey(key string) (namespace, name string, err error) {
+	parts := strings.Split(key, "/")
+	switch len(parts) {
+	case 1:
+		// name only, no namespace
+		return "", parts[0], nil
+	case 2:
+		// namespace and name
+		return parts[0], parts[1], nil
+	}
+
+	return "", "", fmt.Errorf("unexpected key format: %q", key)
+}
+
+// cache responsibilities are limited to:
+//	1. Computing keys for objects via keyFunc
+//  2. Invoking methods of a ThreadSafeStorage interface
+type cache struct {
+	// cacheStorage bears the burden of thread safety for the cache
+	cacheStorage ThreadSafeStore
+	// keyFunc is used to make the key for objects stored in and retrieved from items, and
+	// should be deterministic.
+	keyFunc KeyFunc
+}
+
+var _ Store = &cache{}
+
+// Add inserts an item into the cache.
+func (c *cache) Add(obj interface{}) error {
+	key, err := c.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	c.cacheStorage.Add(key, obj)
+	return nil
+}
+
+// Update sets an item in the cache to its updated state.
+func (c *cache) Update(obj interface{}) error {
+	key, err := c.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	c.cacheStorage.Update(key, obj)
+	return nil
+}
+
+// Delete removes an item from the cache.
+func (c *cache) Delete(obj interface{}) error {
+	key, err := c.keyFunc(obj)
+	if err != nil {
+		return KeyError{obj, err}
+	}
+	c.cacheStorage.Delete(key)
+	return nil
+}
+
+// List returns a list of all the items.
+// List is completely threadsafe as long as you treat all items as immutable.
+func (c *cache) List() []interface{} {
+	return c.cacheStorage.List()
+}
+
+// ListKeys returns a list of all the keys of the objects currently
+// in the cache.
+func (c *cache) ListKeys() []string {
+	return c.cacheStorage.ListKeys()
+}
+
+// GetIndexers returns the indexers of cache
+func (c *cache) GetIndexers() Indexers {
+	return c.cacheStorage.GetIndexers()
+}
+
+// Index returns a list of items that match on the index function
+// Index is thread-safe so long as you treat all items as immutable
+func (c *cache) Index(indexName string, obj interface{}) ([]interface{}, error) {
+	return c.cacheStorage.Index(indexName, obj)
+}
+
+func (c *cache) IndexKeys(indexName, indexKey string) ([]string, error) {
+	return c.cacheStorage.IndexKeys(indexName, indexKey)
+}
+
+// ListIndexFuncValues returns the list of generated values of an Index func
+func (c *cache) ListIndexFuncValues(indexName string) []string {
+	return c.cacheStorage.ListIndexFuncValues(indexName)
+}
+
+func (c *cache) ByIndex(indexName, indexKey string) ([]interface{}, error) {
+	return c.cacheStorage.ByIndex(indexName, indexKey)
+}
+
+func (c *cache) AddIndexers(newIndexers Indexers) error {
+	return c.cacheStorage.AddIndexers(newIndexers)
+}
+
+// Get returns the requested item, or sets exists=false.
+// Get is completely threadsafe as long as you treat all items as immutable.
+func (c *cache) Get(obj interface{}) (item interface{}, exists bool, err error) {
+	key, err := c.keyFunc(obj)
+	if err != nil {
+		return nil, false, KeyError{obj, err}
+	}
+	return c.GetByKey(key)
+}
+
+// GetByKey returns the request item, or exists=false.
+// GetByKey is completely threadsafe as long as you treat all items as immutable.
+func (c *cache) GetByKey(key string) (item interface{}, exists bool, err error) {
+	item, exists = c.cacheStorage.Get(key)
+	return item, exists, nil
+}
+
+// Replace will delete the contents of 'c', using instead the given list.
+// 'c' takes ownership of the list, you should not reference the list again
+// after calling this function.
+func (c *cache) Replace(list []interface{}, resourceVersion string) error {
+	items := map[string]interface{}{}
+	for _, item := range list {
+		key, err := c.keyFunc(item)
+		if err != nil {
+			return KeyError{item, err}
+		}
+		items[key] = item
+	}
+	c.cacheStorage.Replace(items, resourceVersion)
+	return nil
+}
+
+// Resync touches all items in the store to force processing
+func (c *cache) Resync() error {
+	return c.cacheStorage.Resync()
+}
+
+// NewStore returns a Store implemented simply with a map and a lock.
+func NewStore(keyFunc KeyFunc) Store {
+	return &cache{
+		cacheStorage: NewThreadSafeStore(Indexers{}, Indices{}),
+		keyFunc:      keyFunc,
+	}
+}
+
+// NewIndexer returns an Indexer implemented simply with a map and a lock.
+func NewIndexer(keyFunc KeyFunc, indexers Indexers) Indexer {
+	return &cache{
+		cacheStorage: NewThreadSafeStore(indexers, Indices{}),
+		keyFunc:      keyFunc,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/thread_safe_store.go b/cli/vendor/k8s.io/client-go/tools/cache/thread_safe_store.go
new file mode 100644
index 00000000..4eb350c4
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/thread_safe_store.go
@@ -0,0 +1,306 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+import (
+	"fmt"
+	"sync"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+// ThreadSafeStore is an interface that allows concurrent access to a storage backend.
+// TL;DR caveats: you must not modify anything returned by Get or List as it will break
+// the indexing feature in addition to not being thread safe.
+//
+// The guarantees of thread safety provided by List/Get are only valid if the caller
+// treats returned items as read-only. For example, a pointer inserted in the store
+// through `Add` will be returned as is by `Get`. Multiple clients might invoke `Get`
+// on the same key and modify the pointer in a non-thread-safe way. Also note that
+// modifying objects stored by the indexers (if any) will *not* automatically lead
+// to a re-index. So it's not a good idea to directly modify the objects returned by
+// Get/List, in general.
+type ThreadSafeStore interface {
+	Add(key string, obj interface{})
+	Update(key string, obj interface{})
+	Delete(key string)
+	Get(key string) (item interface{}, exists bool)
+	List() []interface{}
+	ListKeys() []string
+	Replace(map[string]interface{}, string)
+	Index(indexName string, obj interface{}) ([]interface{}, error)
+	IndexKeys(indexName, indexKey string) ([]string, error)
+	ListIndexFuncValues(name string) []string
+	ByIndex(indexName, indexKey string) ([]interface{}, error)
+	GetIndexers() Indexers
+
+	// AddIndexers adds more indexers to this store.  If you call this after you already have data
+	// in the store, the results are undefined.
+	AddIndexers(newIndexers Indexers) error
+	Resync() error
+}
+
+// threadSafeMap implements ThreadSafeStore
+type threadSafeMap struct {
+	lock  sync.RWMutex
+	items map[string]interface{}
+
+	// indexers maps a name to an IndexFunc
+	indexers Indexers
+	// indices maps a name to an Index
+	indices Indices
+}
+
+func (c *threadSafeMap) Add(key string, obj interface{}) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	oldObject := c.items[key]
+	c.items[key] = obj
+	c.updateIndices(oldObject, obj, key)
+}
+
+func (c *threadSafeMap) Update(key string, obj interface{}) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	oldObject := c.items[key]
+	c.items[key] = obj
+	c.updateIndices(oldObject, obj, key)
+}
+
+func (c *threadSafeMap) Delete(key string) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	if obj, exists := c.items[key]; exists {
+		c.deleteFromIndices(obj, key)
+		delete(c.items, key)
+	}
+}
+
+func (c *threadSafeMap) Get(key string) (item interface{}, exists bool) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	item, exists = c.items[key]
+	return item, exists
+}
+
+func (c *threadSafeMap) List() []interface{} {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	list := make([]interface{}, 0, len(c.items))
+	for _, item := range c.items {
+		list = append(list, item)
+	}
+	return list
+}
+
+// ListKeys returns a list of all the keys of the objects currently
+// in the threadSafeMap.
+func (c *threadSafeMap) ListKeys() []string {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+	list := make([]string, 0, len(c.items))
+	for key := range c.items {
+		list = append(list, key)
+	}
+	return list
+}
+
+func (c *threadSafeMap) Replace(items map[string]interface{}, resourceVersion string) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	c.items = items
+
+	// rebuild any index
+	c.indices = Indices{}
+	for key, item := range c.items {
+		c.updateIndices(nil, item, key)
+	}
+}
+
+// Index returns a list of items that match on the index function
+// Index is thread-safe so long as you treat all items as immutable
+func (c *threadSafeMap) Index(indexName string, obj interface{}) ([]interface{}, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+
+	indexFunc := c.indexers[indexName]
+	if indexFunc == nil {
+		return nil, fmt.Errorf("Index with name %s does not exist", indexName)
+	}
+
+	indexKeys, err := indexFunc(obj)
+	if err != nil {
+		return nil, err
+	}
+	index := c.indices[indexName]
+
+	// need to de-dupe the return list.  Since multiple keys are allowed, this can happen.
+	returnKeySet := sets.String{}
+	for _, indexKey := range indexKeys {
+		set := index[indexKey]
+		for _, key := range set.UnsortedList() {
+			returnKeySet.Insert(key)
+		}
+	}
+
+	list := make([]interface{}, 0, returnKeySet.Len())
+	for absoluteKey := range returnKeySet {
+		list = append(list, c.items[absoluteKey])
+	}
+	return list, nil
+}
+
+// ByIndex returns a list of items that match an exact value on the index function
+func (c *threadSafeMap) ByIndex(indexName, indexKey string) ([]interface{}, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+
+	indexFunc := c.indexers[indexName]
+	if indexFunc == nil {
+		return nil, fmt.Errorf("Index with name %s does not exist", indexName)
+	}
+
+	index := c.indices[indexName]
+
+	set := index[indexKey]
+	list := make([]interface{}, 0, set.Len())
+	for _, key := range set.List() {
+		list = append(list, c.items[key])
+	}
+
+	return list, nil
+}
+
+// IndexKeys returns a list of keys that match on the index function.
+// IndexKeys is thread-safe so long as you treat all items as immutable.
+func (c *threadSafeMap) IndexKeys(indexName, indexKey string) ([]string, error) {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+
+	indexFunc := c.indexers[indexName]
+	if indexFunc == nil {
+		return nil, fmt.Errorf("Index with name %s does not exist", indexName)
+	}
+
+	index := c.indices[indexName]
+
+	set := index[indexKey]
+	return set.List(), nil
+}
+
+func (c *threadSafeMap) ListIndexFuncValues(indexName string) []string {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+
+	index := c.indices[indexName]
+	names := make([]string, 0, len(index))
+	for key := range index {
+		names = append(names, key)
+	}
+	return names
+}
+
+func (c *threadSafeMap) GetIndexers() Indexers {
+	return c.indexers
+}
+
+func (c *threadSafeMap) AddIndexers(newIndexers Indexers) error {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	if len(c.items) > 0 {
+		return fmt.Errorf("cannot add indexers to running index")
+	}
+
+	oldKeys := sets.StringKeySet(c.indexers)
+	newKeys := sets.StringKeySet(newIndexers)
+
+	if oldKeys.HasAny(newKeys.List()...) {
+		return fmt.Errorf("indexer conflict: %v", oldKeys.Intersection(newKeys))
+	}
+
+	for k, v := range newIndexers {
+		c.indexers[k] = v
+	}
+	return nil
+}
+
+// updateIndices modifies the objects location in the managed indexes, if this is an update, you must provide an oldObj
+// updateIndices must be called from a function that already has a lock on the cache
+func (c *threadSafeMap) updateIndices(oldObj interface{}, newObj interface{}, key string) error {
+	// if we got an old object, we need to remove it before we add it again
+	if oldObj != nil {
+		c.deleteFromIndices(oldObj, key)
+	}
+	for name, indexFunc := range c.indexers {
+		indexValues, err := indexFunc(newObj)
+		if err != nil {
+			return err
+		}
+		index := c.indices[name]
+		if index == nil {
+			index = Index{}
+			c.indices[name] = index
+		}
+
+		for _, indexValue := range indexValues {
+			set := index[indexValue]
+			if set == nil {
+				set = sets.String{}
+				index[indexValue] = set
+			}
+			set.Insert(key)
+		}
+	}
+	return nil
+}
+
+// deleteFromIndices removes the object from each of the managed indexes
+// it is intended to be called from a function that already has a lock on the cache
+func (c *threadSafeMap) deleteFromIndices(obj interface{}, key string) error {
+	for name, indexFunc := range c.indexers {
+		indexValues, err := indexFunc(obj)
+		if err != nil {
+			return err
+		}
+
+		index := c.indices[name]
+		if index == nil {
+			continue
+		}
+		for _, indexValue := range indexValues {
+			set := index[indexValue]
+			if set != nil {
+				set.Delete(key)
+			}
+		}
+	}
+	return nil
+}
+
+func (c *threadSafeMap) Resync() error {
+	// Nothing to do
+	return nil
+}
+
+func NewThreadSafeStore(indexers Indexers, indices Indices) ThreadSafeStore {
+	return &threadSafeMap{
+		items:    map[string]interface{}{},
+		indexers: indexers,
+		indices:  indices,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/cache/undelta_store.go b/cli/vendor/k8s.io/client-go/tools/cache/undelta_store.go
new file mode 100644
index 00000000..117df46c
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/cache/undelta_store.go
@@ -0,0 +1,83 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cache
+
+// UndeltaStore listens to incremental updates and sends complete state on every change.
+// It implements the Store interface so that it can receive a stream of mirrored objects
+// from Reflector.  Whenever it receives any complete (Store.Replace) or incremental change
+// (Store.Add, Store.Update, Store.Delete), it sends the complete state by calling PushFunc.
+// It is thread-safe.  It guarantees that every change (Add, Update, Replace, Delete) results
+// in one call to PushFunc, but sometimes PushFunc may be called twice with the same values.
+// PushFunc should be thread safe.
+type UndeltaStore struct {
+	Store
+	PushFunc func([]interface{})
+}
+
+// Assert that it implements the Store interface.
+var _ Store = &UndeltaStore{}
+
+// Note about thread safety.  The Store implementation (cache.cache) uses a lock for all methods.
+// In the functions below, the lock gets released and reacquired betweend the {Add,Delete,etc}
+// and the List.  So, the following can happen, resulting in two identical calls to PushFunc.
+// time            thread 1                  thread 2
+// 0               UndeltaStore.Add(a)
+// 1                                         UndeltaStore.Add(b)
+// 2               Store.Add(a)
+// 3                                         Store.Add(b)
+// 4               Store.List() -> [a,b]
+// 5                                         Store.List() -> [a,b]
+
+func (u *UndeltaStore) Add(obj interface{}) error {
+	if err := u.Store.Add(obj); err != nil {
+		return err
+	}
+	u.PushFunc(u.Store.List())
+	return nil
+}
+
+func (u *UndeltaStore) Update(obj interface{}) error {
+	if err := u.Store.Update(obj); err != nil {
+		return err
+	}
+	u.PushFunc(u.Store.List())
+	return nil
+}
+
+func (u *UndeltaStore) Delete(obj interface{}) error {
+	if err := u.Store.Delete(obj); err != nil {
+		return err
+	}
+	u.PushFunc(u.Store.List())
+	return nil
+}
+
+func (u *UndeltaStore) Replace(list []interface{}, resourceVersion string) error {
+	if err := u.Store.Replace(list, resourceVersion); err != nil {
+		return err
+	}
+	u.PushFunc(u.Store.List())
+	return nil
+}
+
+// NewUndeltaStore returns an UndeltaStore implemented with a Store.
+func NewUndeltaStore(pushFunc func([]interface{}), keyFunc KeyFunc) *UndeltaStore {
+	return &UndeltaStore{
+		Store:    NewStore(keyFunc),
+		PushFunc: pushFunc,
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/doc.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/doc.go
new file mode 100644
index 00000000..93a891e9
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/doc.go
@@ -0,0 +1,18 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+package api
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/helpers.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/helpers.go
new file mode 100644
index 00000000..43e26487
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/helpers.go
@@ -0,0 +1,183 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+)
+
+func init() {
+	sDec, _ := base64.StdEncoding.DecodeString("REDACTED+")
+	redactedBytes = []byte(string(sDec))
+}
+
+// IsConfigEmpty returns true if the config is empty.
+func IsConfigEmpty(config *Config) bool {
+	return len(config.AuthInfos) == 0 && len(config.Clusters) == 0 && len(config.Contexts) == 0 &&
+		len(config.CurrentContext) == 0 &&
+		len(config.Preferences.Extensions) == 0 && !config.Preferences.Colors &&
+		len(config.Extensions) == 0
+}
+
+// MinifyConfig read the current context and uses that to keep only the relevant pieces of config
+// This is useful for making secrets based on kubeconfig files
+func MinifyConfig(config *Config) error {
+	if len(config.CurrentContext) == 0 {
+		return errors.New("current-context must exist in order to minify")
+	}
+
+	currContext, exists := config.Contexts[config.CurrentContext]
+	if !exists {
+		return fmt.Errorf("cannot locate context %v", config.CurrentContext)
+	}
+
+	newContexts := map[string]*Context{}
+	newContexts[config.CurrentContext] = currContext
+
+	newClusters := map[string]*Cluster{}
+	if len(currContext.Cluster) > 0 {
+		if _, exists := config.Clusters[currContext.Cluster]; !exists {
+			return fmt.Errorf("cannot locate cluster %v", currContext.Cluster)
+		}
+
+		newClusters[currContext.Cluster] = config.Clusters[currContext.Cluster]
+	}
+
+	newAuthInfos := map[string]*AuthInfo{}
+	if len(currContext.AuthInfo) > 0 {
+		if _, exists := config.AuthInfos[currContext.AuthInfo]; !exists {
+			return fmt.Errorf("cannot locate user %v", currContext.AuthInfo)
+		}
+
+		newAuthInfos[currContext.AuthInfo] = config.AuthInfos[currContext.AuthInfo]
+	}
+
+	config.AuthInfos = newAuthInfos
+	config.Clusters = newClusters
+	config.Contexts = newContexts
+
+	return nil
+}
+
+var redactedBytes []byte
+
+// Flatten redacts raw data entries from the config object for a human-readable view.
+func ShortenConfig(config *Config) {
+	// trick json encoder into printing a human readable string in the raw data
+	// by base64 decoding what we want to print. Relies on implementation of
+	// http://golang.org/pkg/encoding/json/#Marshal using base64 to encode []byte
+	for key, authInfo := range config.AuthInfos {
+		if len(authInfo.ClientKeyData) > 0 {
+			authInfo.ClientKeyData = redactedBytes
+		}
+		if len(authInfo.ClientCertificateData) > 0 {
+			authInfo.ClientCertificateData = redactedBytes
+		}
+		config.AuthInfos[key] = authInfo
+	}
+	for key, cluster := range config.Clusters {
+		if len(cluster.CertificateAuthorityData) > 0 {
+			cluster.CertificateAuthorityData = redactedBytes
+		}
+		config.Clusters[key] = cluster
+	}
+}
+
+// Flatten changes the config object into a self contained config (useful for making secrets)
+func FlattenConfig(config *Config) error {
+	for key, authInfo := range config.AuthInfos {
+		baseDir, err := MakeAbs(path.Dir(authInfo.LocationOfOrigin), "")
+		if err != nil {
+			return err
+		}
+
+		if err := FlattenContent(&authInfo.ClientCertificate, &authInfo.ClientCertificateData, baseDir); err != nil {
+			return err
+		}
+		if err := FlattenContent(&authInfo.ClientKey, &authInfo.ClientKeyData, baseDir); err != nil {
+			return err
+		}
+
+		config.AuthInfos[key] = authInfo
+	}
+	for key, cluster := range config.Clusters {
+		baseDir, err := MakeAbs(path.Dir(cluster.LocationOfOrigin), "")
+		if err != nil {
+			return err
+		}
+
+		if err := FlattenContent(&cluster.CertificateAuthority, &cluster.CertificateAuthorityData, baseDir); err != nil {
+			return err
+		}
+
+		config.Clusters[key] = cluster
+	}
+
+	return nil
+}
+
+func FlattenContent(path *string, contents *[]byte, baseDir string) error {
+	if len(*path) != 0 {
+		if len(*contents) > 0 {
+			return errors.New("cannot have values for both path and contents")
+		}
+
+		var err error
+		absPath := ResolvePath(*path, baseDir)
+		*contents, err = ioutil.ReadFile(absPath)
+		if err != nil {
+			return err
+		}
+
+		*path = ""
+	}
+
+	return nil
+}
+
+// ResolvePath returns the path as an absolute paths, relative to the given base directory
+func ResolvePath(path string, base string) string {
+	// Don't resolve empty paths
+	if len(path) > 0 {
+		// Don't resolve absolute paths
+		if !filepath.IsAbs(path) {
+			return filepath.Join(base, path)
+		}
+	}
+
+	return path
+}
+
+func MakeAbs(path, base string) (string, error) {
+	if filepath.IsAbs(path) {
+		return path, nil
+	}
+	if len(base) == 0 {
+		cwd, err := os.Getwd()
+		if err != nil {
+			return "", err
+		}
+		base = cwd
+	}
+	return filepath.Join(base, path), nil
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/latest/latest.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/latest/latest.go
new file mode 100644
index 00000000..5fbbe3f1
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/latest/latest.go
@@ -0,0 +1,66 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package latest
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer/json"
+	"k8s.io/apimachinery/pkg/runtime/serializer/versioning"
+	"k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/client-go/tools/clientcmd/api/v1"
+)
+
+// Version is the string that represents the current external default version.
+const Version = "v1"
+
+var ExternalVersion = schema.GroupVersion{Group: "", Version: "v1"}
+
+// OldestVersion is the string that represents the oldest server version supported,
+// for client code that wants to hardcode the lowest common denominator.
+const OldestVersion = "v1"
+
+// Versions is the list of versions that are recognized in code. The order provided
+// may be assumed to be least feature rich to most feature rich, and clients may
+// choose to prefer the latter items in the list over the former items when presented
+// with a set of versions to choose.
+var Versions = []string{"v1"}
+
+var (
+	Codec  runtime.Codec
+	Scheme *runtime.Scheme
+)
+
+func init() {
+	Scheme = runtime.NewScheme()
+	if err := api.AddToScheme(Scheme); err != nil {
+		// Programmer error, detect immediately
+		panic(err)
+	}
+	if err := v1.AddToScheme(Scheme); err != nil {
+		// Programmer error, detect immediately
+		panic(err)
+	}
+	yamlSerializer := json.NewYAMLSerializer(json.DefaultMetaFactory, Scheme, Scheme)
+	Codec = versioning.NewDefaultingCodecForScheme(
+		Scheme,
+		yamlSerializer,
+		yamlSerializer,
+		schema.GroupVersion{Version: Version},
+		runtime.InternalGroupVersioner,
+	)
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/register.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/register.go
new file mode 100644
index 00000000..2eec3881
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/register.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+// TODO this should be in the "kubeconfig" group
+var SchemeGroupVersion = schema.GroupVersion{Group: "", Version: runtime.APIVersionInternal}
+
+var (
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Config{},
+	)
+	return nil
+}
+
+func (obj *Config) GetObjectKind() schema.ObjectKind { return obj }
+func (obj *Config) SetGroupVersionKind(gvk schema.GroupVersionKind) {
+	obj.APIVersion, obj.Kind = gvk.ToAPIVersionAndKind()
+}
+func (obj *Config) GroupVersionKind() schema.GroupVersionKind {
+	return schema.FromAPIVersionAndKind(obj.APIVersion, obj.Kind)
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/types.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/types.go
new file mode 100644
index 00000000..407dec83
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/types.go
@@ -0,0 +1,186 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package api
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// Where possible, json tags match the cli argument names.
+// Top level config objects and all values required for proper functioning are not "omitempty".  Any truly optional piece of config is allowed to be omitted.
+
+// Config holds the information needed to build connect to remote kubernetes clusters as a given user
+// IMPORTANT if you add fields to this struct, please update IsConfigEmpty()
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type Config struct {
+	// Legacy field from pkg/api/types.go TypeMeta.
+	// TODO(jlowdermilk): remove this after eliminating downstream dependencies.
+	// +optional
+	Kind string `json:"kind,omitempty"`
+	// Legacy field from pkg/api/types.go TypeMeta.
+	// TODO(jlowdermilk): remove this after eliminating downstream dependencies.
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty"`
+	// Preferences holds general information to be use for cli interactions
+	Preferences Preferences `json:"preferences"`
+	// Clusters is a map of referencable names to cluster configs
+	Clusters map[string]*Cluster `json:"clusters"`
+	// AuthInfos is a map of referencable names to user configs
+	AuthInfos map[string]*AuthInfo `json:"users"`
+	// Contexts is a map of referencable names to context configs
+	Contexts map[string]*Context `json:"contexts"`
+	// CurrentContext is the name of the context that you would like to use by default
+	CurrentContext string `json:"current-context"`
+	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
+	// +optional
+	Extensions map[string]runtime.Object `json:"extensions,omitempty"`
+}
+
+// IMPORTANT if you add fields to this struct, please update IsConfigEmpty()
+type Preferences struct {
+	// +optional
+	Colors bool `json:"colors,omitempty"`
+	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
+	// +optional
+	Extensions map[string]runtime.Object `json:"extensions,omitempty"`
+}
+
+// Cluster contains information about how to communicate with a kubernetes cluster
+type Cluster struct {
+	// LocationOfOrigin indicates where this object came from.  It is used for round tripping config post-merge, but never serialized.
+	LocationOfOrigin string
+	// Server is the address of the kubernetes cluster (https://hostname:port).
+	Server string `json:"server"`
+	// InsecureSkipTLSVerify skips the validity check for the server's certificate. This will make your HTTPS connections insecure.
+	// +optional
+	InsecureSkipTLSVerify bool `json:"insecure-skip-tls-verify,omitempty"`
+	// CertificateAuthority is the path to a cert file for the certificate authority.
+	// +optional
+	CertificateAuthority string `json:"certificate-authority,omitempty"`
+	// CertificateAuthorityData contains PEM-encoded certificate authority certificates. Overrides CertificateAuthority
+	// +optional
+	CertificateAuthorityData []byte `json:"certificate-authority-data,omitempty"`
+	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
+	// +optional
+	Extensions map[string]runtime.Object `json:"extensions,omitempty"`
+}
+
+// AuthInfo contains information that describes identity information.  This is use to tell the kubernetes cluster who you are.
+type AuthInfo struct {
+	// LocationOfOrigin indicates where this object came from.  It is used for round tripping config post-merge, but never serialized.
+	LocationOfOrigin string
+	// ClientCertificate is the path to a client cert file for TLS.
+	// +optional
+	ClientCertificate string `json:"client-certificate,omitempty"`
+	// ClientCertificateData contains PEM-encoded data from a client cert file for TLS. Overrides ClientCertificate
+	// +optional
+	ClientCertificateData []byte `json:"client-certificate-data,omitempty"`
+	// ClientKey is the path to a client key file for TLS.
+	// +optional
+	ClientKey string `json:"client-key,omitempty"`
+	// ClientKeyData contains PEM-encoded data from a client key file for TLS. Overrides ClientKey
+	// +optional
+	ClientKeyData []byte `json:"client-key-data,omitempty"`
+	// Token is the bearer token for authentication to the kubernetes cluster.
+	// +optional
+	Token string `json:"token,omitempty"`
+	// TokenFile is a pointer to a file that contains a bearer token (as described above).  If both Token and TokenFile are present, Token takes precedence.
+	// +optional
+	TokenFile string `json:"tokenFile,omitempty"`
+	// Impersonate is the username to act-as.
+	// +optional
+	Impersonate string `json:"act-as,omitempty"`
+	// ImpersonateGroups is the groups to imperonate.
+	// +optional
+	ImpersonateGroups []string `json:"act-as-groups,omitempty"`
+	// ImpersonateUserExtra contains additional information for impersonated user.
+	// +optional
+	ImpersonateUserExtra map[string][]string `json:"act-as-user-extra,omitempty"`
+	// Username is the username for basic authentication to the kubernetes cluster.
+	// +optional
+	Username string `json:"username,omitempty"`
+	// Password is the password for basic authentication to the kubernetes cluster.
+	// +optional
+	Password string `json:"password,omitempty"`
+	// AuthProvider specifies a custom authentication plugin for the kubernetes cluster.
+	// +optional
+	AuthProvider *AuthProviderConfig `json:"auth-provider,omitempty"`
+	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
+	// +optional
+	Extensions map[string]runtime.Object `json:"extensions,omitempty"`
+}
+
+// Context is a tuple of references to a cluster (how do I communicate with a kubernetes cluster), a user (how do I identify myself), and a namespace (what subset of resources do I want to work with)
+type Context struct {
+	// LocationOfOrigin indicates where this object came from.  It is used for round tripping config post-merge, but never serialized.
+	LocationOfOrigin string
+	// Cluster is the name of the cluster for this context
+	Cluster string `json:"cluster"`
+	// AuthInfo is the name of the authInfo for this context
+	AuthInfo string `json:"user"`
+	// Namespace is the default namespace to use on unspecified requests
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
+	// +optional
+	Extensions map[string]runtime.Object `json:"extensions,omitempty"`
+}
+
+// AuthProviderConfig holds the configuration for a specified auth provider.
+type AuthProviderConfig struct {
+	Name string `json:"name"`
+	// +optional
+	Config map[string]string `json:"config,omitempty"`
+}
+
+// NewConfig is a convenience function that returns a new Config object with non-nil maps
+func NewConfig() *Config {
+	return &Config{
+		Preferences: *NewPreferences(),
+		Clusters:    make(map[string]*Cluster),
+		AuthInfos:   make(map[string]*AuthInfo),
+		Contexts:    make(map[string]*Context),
+		Extensions:  make(map[string]runtime.Object),
+	}
+}
+
+// NewContext is a convenience function that returns a new Context
+// object with non-nil maps
+func NewContext() *Context {
+	return &Context{Extensions: make(map[string]runtime.Object)}
+}
+
+// NewCluster is a convenience function that returns a new Cluster
+// object with non-nil maps
+func NewCluster() *Cluster {
+	return &Cluster{Extensions: make(map[string]runtime.Object)}
+}
+
+// NewAuthInfo is a convenience function that returns a new AuthInfo
+// object with non-nil maps
+func NewAuthInfo() *AuthInfo {
+	return &AuthInfo{
+		Extensions:           make(map[string]runtime.Object),
+		ImpersonateUserExtra: make(map[string][]string),
+	}
+}
+
+// NewPreferences is a convenience function that returns a new
+// Preferences object with non-nil maps
+func NewPreferences() *Preferences {
+	return &Preferences{Extensions: make(map[string]runtime.Object)}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/conversion.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/conversion.go
new file mode 100644
index 00000000..b47bfbca
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/conversion.go
@@ -0,0 +1,227 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"sort"
+
+	"k8s.io/apimachinery/pkg/conversion"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/clientcmd/api"
+)
+
+func addConversionFuncs(scheme *runtime.Scheme) error {
+	return scheme.AddConversionFuncs(
+		func(in *Cluster, out *api.Cluster, s conversion.Scope) error {
+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)
+		},
+		func(in *api.Cluster, out *Cluster, s conversion.Scope) error {
+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)
+		},
+		func(in *Preferences, out *api.Preferences, s conversion.Scope) error {
+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)
+		},
+		func(in *api.Preferences, out *Preferences, s conversion.Scope) error {
+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)
+		},
+		func(in *AuthInfo, out *api.AuthInfo, s conversion.Scope) error {
+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)
+		},
+		func(in *api.AuthInfo, out *AuthInfo, s conversion.Scope) error {
+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)
+		},
+		func(in *Context, out *api.Context, s conversion.Scope) error {
+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)
+		},
+		func(in *api.Context, out *Context, s conversion.Scope) error {
+			return s.DefaultConvert(in, out, conversion.IgnoreMissingFields)
+		},
+
+		func(in *Config, out *api.Config, s conversion.Scope) error {
+			out.CurrentContext = in.CurrentContext
+			if err := s.Convert(&in.Preferences, &out.Preferences, 0); err != nil {
+				return err
+			}
+
+			out.Clusters = make(map[string]*api.Cluster)
+			if err := s.Convert(&in.Clusters, &out.Clusters, 0); err != nil {
+				return err
+			}
+			out.AuthInfos = make(map[string]*api.AuthInfo)
+			if err := s.Convert(&in.AuthInfos, &out.AuthInfos, 0); err != nil {
+				return err
+			}
+			out.Contexts = make(map[string]*api.Context)
+			if err := s.Convert(&in.Contexts, &out.Contexts, 0); err != nil {
+				return err
+			}
+			out.Extensions = make(map[string]runtime.Object)
+			if err := s.Convert(&in.Extensions, &out.Extensions, 0); err != nil {
+				return err
+			}
+			return nil
+		},
+		func(in *api.Config, out *Config, s conversion.Scope) error {
+			out.CurrentContext = in.CurrentContext
+			if err := s.Convert(&in.Preferences, &out.Preferences, 0); err != nil {
+				return err
+			}
+
+			out.Clusters = make([]NamedCluster, 0, 0)
+			if err := s.Convert(&in.Clusters, &out.Clusters, 0); err != nil {
+				return err
+			}
+			out.AuthInfos = make([]NamedAuthInfo, 0, 0)
+			if err := s.Convert(&in.AuthInfos, &out.AuthInfos, 0); err != nil {
+				return err
+			}
+			out.Contexts = make([]NamedContext, 0, 0)
+			if err := s.Convert(&in.Contexts, &out.Contexts, 0); err != nil {
+				return err
+			}
+			out.Extensions = make([]NamedExtension, 0, 0)
+			if err := s.Convert(&in.Extensions, &out.Extensions, 0); err != nil {
+				return err
+			}
+			return nil
+		},
+		func(in *[]NamedCluster, out *map[string]*api.Cluster, s conversion.Scope) error {
+			for _, curr := range *in {
+				newCluster := api.NewCluster()
+				if err := s.Convert(&curr.Cluster, newCluster, 0); err != nil {
+					return err
+				}
+				(*out)[curr.Name] = newCluster
+			}
+
+			return nil
+		},
+		func(in *map[string]*api.Cluster, out *[]NamedCluster, s conversion.Scope) error {
+			allKeys := make([]string, 0, len(*in))
+			for key := range *in {
+				allKeys = append(allKeys, key)
+			}
+			sort.Strings(allKeys)
+
+			for _, key := range allKeys {
+				newCluster := (*in)[key]
+				oldCluster := &Cluster{}
+				if err := s.Convert(newCluster, oldCluster, 0); err != nil {
+					return err
+				}
+
+				namedCluster := NamedCluster{key, *oldCluster}
+				*out = append(*out, namedCluster)
+			}
+
+			return nil
+		},
+		func(in *[]NamedAuthInfo, out *map[string]*api.AuthInfo, s conversion.Scope) error {
+			for _, curr := range *in {
+				newAuthInfo := api.NewAuthInfo()
+				if err := s.Convert(&curr.AuthInfo, newAuthInfo, 0); err != nil {
+					return err
+				}
+				(*out)[curr.Name] = newAuthInfo
+			}
+
+			return nil
+		},
+		func(in *map[string]*api.AuthInfo, out *[]NamedAuthInfo, s conversion.Scope) error {
+			allKeys := make([]string, 0, len(*in))
+			for key := range *in {
+				allKeys = append(allKeys, key)
+			}
+			sort.Strings(allKeys)
+
+			for _, key := range allKeys {
+				newAuthInfo := (*in)[key]
+				oldAuthInfo := &AuthInfo{}
+				if err := s.Convert(newAuthInfo, oldAuthInfo, 0); err != nil {
+					return err
+				}
+
+				namedAuthInfo := NamedAuthInfo{key, *oldAuthInfo}
+				*out = append(*out, namedAuthInfo)
+			}
+
+			return nil
+		},
+		func(in *[]NamedContext, out *map[string]*api.Context, s conversion.Scope) error {
+			for _, curr := range *in {
+				newContext := api.NewContext()
+				if err := s.Convert(&curr.Context, newContext, 0); err != nil {
+					return err
+				}
+				(*out)[curr.Name] = newContext
+			}
+
+			return nil
+		},
+		func(in *map[string]*api.Context, out *[]NamedContext, s conversion.Scope) error {
+			allKeys := make([]string, 0, len(*in))
+			for key := range *in {
+				allKeys = append(allKeys, key)
+			}
+			sort.Strings(allKeys)
+
+			for _, key := range allKeys {
+				newContext := (*in)[key]
+				oldContext := &Context{}
+				if err := s.Convert(newContext, oldContext, 0); err != nil {
+					return err
+				}
+
+				namedContext := NamedContext{key, *oldContext}
+				*out = append(*out, namedContext)
+			}
+
+			return nil
+		},
+		func(in *[]NamedExtension, out *map[string]runtime.Object, s conversion.Scope) error {
+			for _, curr := range *in {
+				var newExtension runtime.Object
+				if err := s.Convert(&curr.Extension, &newExtension, 0); err != nil {
+					return err
+				}
+				(*out)[curr.Name] = newExtension
+			}
+
+			return nil
+		},
+		func(in *map[string]runtime.Object, out *[]NamedExtension, s conversion.Scope) error {
+			allKeys := make([]string, 0, len(*in))
+			for key := range *in {
+				allKeys = append(allKeys, key)
+			}
+			sort.Strings(allKeys)
+
+			for _, key := range allKeys {
+				newExtension := (*in)[key]
+				oldExtension := &runtime.RawExtension{}
+				if err := s.Convert(newExtension, oldExtension, 0); err != nil {
+					return err
+				}
+
+				namedExtension := NamedExtension{key, *oldExtension}
+				*out = append(*out, namedExtension)
+			}
+
+			return nil
+		},
+	)
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/doc.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/doc.go
new file mode 100644
index 00000000..c8ede58a
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/doc.go
@@ -0,0 +1,18 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package,register
+package v1
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/register.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/register.go
new file mode 100644
index 00000000..7b91d509
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/register.go
@@ -0,0 +1,56 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+// TODO this should be in the "kubeconfig" group
+var SchemeGroupVersion = schema.GroupVersion{Group: "", Version: "v1"}
+
+var (
+	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
+	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+	SchemeBuilder      runtime.SchemeBuilder
+	localSchemeBuilder = &SchemeBuilder
+	AddToScheme        = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+	// We only register manually written functions here. The registration of the
+	// generated functions takes place in the generated files. The separation
+	// makes the code compile even when the generated files are missing.
+	localSchemeBuilder.Register(addKnownTypes, addConversionFuncs)
+}
+
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&Config{},
+	)
+	return nil
+}
+
+func (obj *Config) GetObjectKind() schema.ObjectKind { return obj }
+func (obj *Config) SetGroupVersionKind(gvk schema.GroupVersionKind) {
+	obj.APIVersion, obj.Kind = gvk.ToAPIVersionAndKind()
+}
+func (obj *Config) GroupVersionKind() schema.GroupVersionKind {
+	return schema.FromAPIVersionAndKind(obj.APIVersion, obj.Kind)
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/types.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/types.go
new file mode 100644
index 00000000..53568135
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/types.go
@@ -0,0 +1,171 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// Where possible, json tags match the cli argument names.
+// Top level config objects and all values required for proper functioning are not "omitempty".  Any truly optional piece of config is allowed to be omitted.
+
+// Config holds the information needed to build connect to remote kubernetes clusters as a given user
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type Config struct {
+	// Legacy field from pkg/api/types.go TypeMeta.
+	// TODO(jlowdermilk): remove this after eliminating downstream dependencies.
+	// +optional
+	Kind string `json:"kind,omitempty"`
+	// Legacy field from pkg/api/types.go TypeMeta.
+	// TODO(jlowdermilk): remove this after eliminating downstream dependencies.
+	// +optional
+	APIVersion string `json:"apiVersion,omitempty"`
+	// Preferences holds general information to be use for cli interactions
+	Preferences Preferences `json:"preferences"`
+	// Clusters is a map of referencable names to cluster configs
+	Clusters []NamedCluster `json:"clusters"`
+	// AuthInfos is a map of referencable names to user configs
+	AuthInfos []NamedAuthInfo `json:"users"`
+	// Contexts is a map of referencable names to context configs
+	Contexts []NamedContext `json:"contexts"`
+	// CurrentContext is the name of the context that you would like to use by default
+	CurrentContext string `json:"current-context"`
+	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
+	// +optional
+	Extensions []NamedExtension `json:"extensions,omitempty"`
+}
+
+type Preferences struct {
+	// +optional
+	Colors bool `json:"colors,omitempty"`
+	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
+	// +optional
+	Extensions []NamedExtension `json:"extensions,omitempty"`
+}
+
+// Cluster contains information about how to communicate with a kubernetes cluster
+type Cluster struct {
+	// Server is the address of the kubernetes cluster (https://hostname:port).
+	Server string `json:"server"`
+	// InsecureSkipTLSVerify skips the validity check for the server's certificate. This will make your HTTPS connections insecure.
+	// +optional
+	InsecureSkipTLSVerify bool `json:"insecure-skip-tls-verify,omitempty"`
+	// CertificateAuthority is the path to a cert file for the certificate authority.
+	// +optional
+	CertificateAuthority string `json:"certificate-authority,omitempty"`
+	// CertificateAuthorityData contains PEM-encoded certificate authority certificates. Overrides CertificateAuthority
+	// +optional
+	CertificateAuthorityData []byte `json:"certificate-authority-data,omitempty"`
+	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
+	// +optional
+	Extensions []NamedExtension `json:"extensions,omitempty"`
+}
+
+// AuthInfo contains information that describes identity information.  This is use to tell the kubernetes cluster who you are.
+type AuthInfo struct {
+	// ClientCertificate is the path to a client cert file for TLS.
+	// +optional
+	ClientCertificate string `json:"client-certificate,omitempty"`
+	// ClientCertificateData contains PEM-encoded data from a client cert file for TLS. Overrides ClientCertificate
+	// +optional
+	ClientCertificateData []byte `json:"client-certificate-data,omitempty"`
+	// ClientKey is the path to a client key file for TLS.
+	// +optional
+	ClientKey string `json:"client-key,omitempty"`
+	// ClientKeyData contains PEM-encoded data from a client key file for TLS. Overrides ClientKey
+	// +optional
+	ClientKeyData []byte `json:"client-key-data,omitempty"`
+	// Token is the bearer token for authentication to the kubernetes cluster.
+	// +optional
+	Token string `json:"token,omitempty"`
+	// TokenFile is a pointer to a file that contains a bearer token (as described above).  If both Token and TokenFile are present, Token takes precedence.
+	// +optional
+	TokenFile string `json:"tokenFile,omitempty"`
+	// Impersonate is the username to imperonate.  The name matches the flag.
+	// +optional
+	Impersonate string `json:"as,omitempty"`
+	// ImpersonateGroups is the groups to imperonate.
+	// +optional
+	ImpersonateGroups []string `json:"as-groups,omitempty"`
+	// ImpersonateUserExtra contains additional information for impersonated user.
+	// +optional
+	ImpersonateUserExtra map[string][]string `json:"as-user-extra,omitempty"`
+	// Username is the username for basic authentication to the kubernetes cluster.
+	// +optional
+	Username string `json:"username,omitempty"`
+	// Password is the password for basic authentication to the kubernetes cluster.
+	// +optional
+	Password string `json:"password,omitempty"`
+	// AuthProvider specifies a custom authentication plugin for the kubernetes cluster.
+	// +optional
+	AuthProvider *AuthProviderConfig `json:"auth-provider,omitempty"`
+	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
+	// +optional
+	Extensions []NamedExtension `json:"extensions,omitempty"`
+}
+
+// Context is a tuple of references to a cluster (how do I communicate with a kubernetes cluster), a user (how do I identify myself), and a namespace (what subset of resources do I want to work with)
+type Context struct {
+	// Cluster is the name of the cluster for this context
+	Cluster string `json:"cluster"`
+	// AuthInfo is the name of the authInfo for this context
+	AuthInfo string `json:"user"`
+	// Namespace is the default namespace to use on unspecified requests
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+	// Extensions holds additional information. This is useful for extenders so that reads and writes don't clobber unknown fields
+	// +optional
+	Extensions []NamedExtension `json:"extensions,omitempty"`
+}
+
+// NamedCluster relates nicknames to cluster information
+type NamedCluster struct {
+	// Name is the nickname for this Cluster
+	Name string `json:"name"`
+	// Cluster holds the cluster information
+	Cluster Cluster `json:"cluster"`
+}
+
+// NamedContext relates nicknames to context information
+type NamedContext struct {
+	// Name is the nickname for this Context
+	Name string `json:"name"`
+	// Context holds the context information
+	Context Context `json:"context"`
+}
+
+// NamedAuthInfo relates nicknames to auth information
+type NamedAuthInfo struct {
+	// Name is the nickname for this AuthInfo
+	Name string `json:"name"`
+	// AuthInfo holds the auth information
+	AuthInfo AuthInfo `json:"user"`
+}
+
+// NamedExtension relates nicknames to extension information
+type NamedExtension struct {
+	// Name is the nickname for this Extension
+	Name string `json:"name"`
+	// Extension holds the extension information
+	Extension runtime.RawExtension `json:"extension"`
+}
+
+// AuthProviderConfig holds the configuration for a specified auth provider.
+type AuthProviderConfig struct {
+	Name   string            `json:"name"`
+	Config map[string]string `json:"config"`
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/zz_generated.deepcopy.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/zz_generated.deepcopy.go
new file mode 100644
index 00000000..e54595fd
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/v1/zz_generated.deepcopy.go
@@ -0,0 +1,358 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package v1
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AuthInfo).DeepCopyInto(out.(*AuthInfo))
+			return nil
+		}, InType: reflect.TypeOf(&AuthInfo{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AuthProviderConfig).DeepCopyInto(out.(*AuthProviderConfig))
+			return nil
+		}, InType: reflect.TypeOf(&AuthProviderConfig{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Cluster).DeepCopyInto(out.(*Cluster))
+			return nil
+		}, InType: reflect.TypeOf(&Cluster{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Config).DeepCopyInto(out.(*Config))
+			return nil
+		}, InType: reflect.TypeOf(&Config{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Context).DeepCopyInto(out.(*Context))
+			return nil
+		}, InType: reflect.TypeOf(&Context{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NamedAuthInfo).DeepCopyInto(out.(*NamedAuthInfo))
+			return nil
+		}, InType: reflect.TypeOf(&NamedAuthInfo{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NamedCluster).DeepCopyInto(out.(*NamedCluster))
+			return nil
+		}, InType: reflect.TypeOf(&NamedCluster{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NamedContext).DeepCopyInto(out.(*NamedContext))
+			return nil
+		}, InType: reflect.TypeOf(&NamedContext{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NamedExtension).DeepCopyInto(out.(*NamedExtension))
+			return nil
+		}, InType: reflect.TypeOf(&NamedExtension{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Preferences).DeepCopyInto(out.(*Preferences))
+			return nil
+		}, InType: reflect.TypeOf(&Preferences{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthInfo) DeepCopyInto(out *AuthInfo) {
+	*out = *in
+	if in.ClientCertificateData != nil {
+		in, out := &in.ClientCertificateData, &out.ClientCertificateData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.ClientKeyData != nil {
+		in, out := &in.ClientKeyData, &out.ClientKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.ImpersonateGroups != nil {
+		in, out := &in.ImpersonateGroups, &out.ImpersonateGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ImpersonateUserExtra != nil {
+		in, out := &in.ImpersonateUserExtra, &out.ImpersonateUserExtra
+		*out = make(map[string][]string, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = make([]string, len(val))
+				copy((*out)[key], val)
+			}
+		}
+	}
+	if in.AuthProvider != nil {
+		in, out := &in.AuthProvider, &out.AuthProvider
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AuthProviderConfig)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Extensions != nil {
+		in, out := &in.Extensions, &out.Extensions
+		*out = make([]NamedExtension, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthInfo.
+func (in *AuthInfo) DeepCopy() *AuthInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthProviderConfig) DeepCopyInto(out *AuthProviderConfig) {
+	*out = *in
+	if in.Config != nil {
+		in, out := &in.Config, &out.Config
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthProviderConfig.
+func (in *AuthProviderConfig) DeepCopy() *AuthProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Cluster) DeepCopyInto(out *Cluster) {
+	*out = *in
+	if in.CertificateAuthorityData != nil {
+		in, out := &in.CertificateAuthorityData, &out.CertificateAuthorityData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.Extensions != nil {
+		in, out := &in.Extensions, &out.Extensions
+		*out = make([]NamedExtension, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Cluster.
+func (in *Cluster) DeepCopy() *Cluster {
+	if in == nil {
+		return nil
+	}
+	out := new(Cluster)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Config) DeepCopyInto(out *Config) {
+	*out = *in
+	in.Preferences.DeepCopyInto(&out.Preferences)
+	if in.Clusters != nil {
+		in, out := &in.Clusters, &out.Clusters
+		*out = make([]NamedCluster, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AuthInfos != nil {
+		in, out := &in.AuthInfos, &out.AuthInfos
+		*out = make([]NamedAuthInfo, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Contexts != nil {
+		in, out := &in.Contexts, &out.Contexts
+		*out = make([]NamedContext, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Extensions != nil {
+		in, out := &in.Extensions, &out.Extensions
+		*out = make([]NamedExtension, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Config.
+func (in *Config) DeepCopy() *Config {
+	if in == nil {
+		return nil
+	}
+	out := new(Config)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Config) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Context) DeepCopyInto(out *Context) {
+	*out = *in
+	if in.Extensions != nil {
+		in, out := &in.Extensions, &out.Extensions
+		*out = make([]NamedExtension, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Context.
+func (in *Context) DeepCopy() *Context {
+	if in == nil {
+		return nil
+	}
+	out := new(Context)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamedAuthInfo) DeepCopyInto(out *NamedAuthInfo) {
+	*out = *in
+	in.AuthInfo.DeepCopyInto(&out.AuthInfo)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedAuthInfo.
+func (in *NamedAuthInfo) DeepCopy() *NamedAuthInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(NamedAuthInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamedCluster) DeepCopyInto(out *NamedCluster) {
+	*out = *in
+	in.Cluster.DeepCopyInto(&out.Cluster)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedCluster.
+func (in *NamedCluster) DeepCopy() *NamedCluster {
+	if in == nil {
+		return nil
+	}
+	out := new(NamedCluster)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamedContext) DeepCopyInto(out *NamedContext) {
+	*out = *in
+	in.Context.DeepCopyInto(&out.Context)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedContext.
+func (in *NamedContext) DeepCopy() *NamedContext {
+	if in == nil {
+		return nil
+	}
+	out := new(NamedContext)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NamedExtension) DeepCopyInto(out *NamedExtension) {
+	*out = *in
+	in.Extension.DeepCopyInto(&out.Extension)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedExtension.
+func (in *NamedExtension) DeepCopy() *NamedExtension {
+	if in == nil {
+		return nil
+	}
+	out := new(NamedExtension)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Preferences) DeepCopyInto(out *Preferences) {
+	*out = *in
+	if in.Extensions != nil {
+		in, out := &in.Extensions, &out.Extensions
+		*out = make([]NamedExtension, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Preferences.
+func (in *Preferences) DeepCopy() *Preferences {
+	if in == nil {
+		return nil
+	}
+	out := new(Preferences)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/api/zz_generated.deepcopy.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/zz_generated.deepcopy.go
new file mode 100644
index 00000000..31f2967d
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/api/zz_generated.deepcopy.go
@@ -0,0 +1,309 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package api
+
+import (
+	conversion "k8s.io/apimachinery/pkg/conversion"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	reflect "reflect"
+)
+
+func init() {
+	SchemeBuilder.Register(RegisterDeepCopies)
+}
+
+// RegisterDeepCopies adds deep-copy functions to the given scheme. Public
+// to allow building arbitrary schemes.
+//
+// Deprecated: deepcopy registration will go away when static deepcopy is fully implemented.
+func RegisterDeepCopies(scheme *runtime.Scheme) error {
+	return scheme.AddGeneratedDeepCopyFuncs(
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AuthInfo).DeepCopyInto(out.(*AuthInfo))
+			return nil
+		}, InType: reflect.TypeOf(&AuthInfo{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*AuthProviderConfig).DeepCopyInto(out.(*AuthProviderConfig))
+			return nil
+		}, InType: reflect.TypeOf(&AuthProviderConfig{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Cluster).DeepCopyInto(out.(*Cluster))
+			return nil
+		}, InType: reflect.TypeOf(&Cluster{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Config).DeepCopyInto(out.(*Config))
+			return nil
+		}, InType: reflect.TypeOf(&Config{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Context).DeepCopyInto(out.(*Context))
+			return nil
+		}, InType: reflect.TypeOf(&Context{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*Preferences).DeepCopyInto(out.(*Preferences))
+			return nil
+		}, InType: reflect.TypeOf(&Preferences{})},
+	)
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthInfo) DeepCopyInto(out *AuthInfo) {
+	*out = *in
+	if in.ClientCertificateData != nil {
+		in, out := &in.ClientCertificateData, &out.ClientCertificateData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.ClientKeyData != nil {
+		in, out := &in.ClientKeyData, &out.ClientKeyData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.ImpersonateGroups != nil {
+		in, out := &in.ImpersonateGroups, &out.ImpersonateGroups
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ImpersonateUserExtra != nil {
+		in, out := &in.ImpersonateUserExtra, &out.ImpersonateUserExtra
+		*out = make(map[string][]string, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = make([]string, len(val))
+				copy((*out)[key], val)
+			}
+		}
+	}
+	if in.AuthProvider != nil {
+		in, out := &in.AuthProvider, &out.AuthProvider
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AuthProviderConfig)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	if in.Extensions != nil {
+		in, out := &in.Extensions, &out.Extensions
+		*out = make(map[string]runtime.Object, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = val.DeepCopyObject()
+			}
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthInfo.
+func (in *AuthInfo) DeepCopy() *AuthInfo {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthInfo)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthProviderConfig) DeepCopyInto(out *AuthProviderConfig) {
+	*out = *in
+	if in.Config != nil {
+		in, out := &in.Config, &out.Config
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthProviderConfig.
+func (in *AuthProviderConfig) DeepCopy() *AuthProviderConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthProviderConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Cluster) DeepCopyInto(out *Cluster) {
+	*out = *in
+	if in.CertificateAuthorityData != nil {
+		in, out := &in.CertificateAuthorityData, &out.CertificateAuthorityData
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.Extensions != nil {
+		in, out := &in.Extensions, &out.Extensions
+		*out = make(map[string]runtime.Object, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = val.DeepCopyObject()
+			}
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Cluster.
+func (in *Cluster) DeepCopy() *Cluster {
+	if in == nil {
+		return nil
+	}
+	out := new(Cluster)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Config) DeepCopyInto(out *Config) {
+	*out = *in
+	in.Preferences.DeepCopyInto(&out.Preferences)
+	if in.Clusters != nil {
+		in, out := &in.Clusters, &out.Clusters
+		*out = make(map[string]*Cluster, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = new(Cluster)
+				val.DeepCopyInto((*out)[key])
+			}
+		}
+	}
+	if in.AuthInfos != nil {
+		in, out := &in.AuthInfos, &out.AuthInfos
+		*out = make(map[string]*AuthInfo, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = new(AuthInfo)
+				val.DeepCopyInto((*out)[key])
+			}
+		}
+	}
+	if in.Contexts != nil {
+		in, out := &in.Contexts, &out.Contexts
+		*out = make(map[string]*Context, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = new(Context)
+				val.DeepCopyInto((*out)[key])
+			}
+		}
+	}
+	if in.Extensions != nil {
+		in, out := &in.Extensions, &out.Extensions
+		*out = make(map[string]runtime.Object, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = val.DeepCopyObject()
+			}
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Config.
+func (in *Config) DeepCopy() *Config {
+	if in == nil {
+		return nil
+	}
+	out := new(Config)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Config) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	} else {
+		return nil
+	}
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Context) DeepCopyInto(out *Context) {
+	*out = *in
+	if in.Extensions != nil {
+		in, out := &in.Extensions, &out.Extensions
+		*out = make(map[string]runtime.Object, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = val.DeepCopyObject()
+			}
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Context.
+func (in *Context) DeepCopy() *Context {
+	if in == nil {
+		return nil
+	}
+	out := new(Context)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Preferences) DeepCopyInto(out *Preferences) {
+	*out = *in
+	if in.Extensions != nil {
+		in, out := &in.Extensions, &out.Extensions
+		*out = make(map[string]runtime.Object, len(*in))
+		for key, val := range *in {
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				(*out)[key] = val.DeepCopyObject()
+			}
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Preferences.
+func (in *Preferences) DeepCopy() *Preferences {
+	if in == nil {
+		return nil
+	}
+	out := new(Preferences)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/auth_loaders.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/auth_loaders.go
new file mode 100644
index 00000000..12331f6e
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/auth_loaders.go
@@ -0,0 +1,106 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientcmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/howeyc/gopass"
+	clientauth "k8s.io/client-go/tools/auth"
+)
+
+// AuthLoaders are used to build clientauth.Info objects.
+type AuthLoader interface {
+	// LoadAuth takes a path to a config file and can then do anything it needs in order to return a valid clientauth.Info
+	LoadAuth(path string) (*clientauth.Info, error)
+}
+
+// default implementation of an AuthLoader
+type defaultAuthLoader struct{}
+
+// LoadAuth for defaultAuthLoader simply delegates to clientauth.LoadFromFile
+func (*defaultAuthLoader) LoadAuth(path string) (*clientauth.Info, error) {
+	return clientauth.LoadFromFile(path)
+}
+
+type PromptingAuthLoader struct {
+	reader io.Reader
+}
+
+// LoadAuth parses an AuthInfo object from a file path. It prompts user and creates file if it doesn't exist.
+func (a *PromptingAuthLoader) LoadAuth(path string) (*clientauth.Info, error) {
+	// Prompt for user/pass and write a file if none exists.
+	if _, err := os.Stat(path); os.IsNotExist(err) {
+		authPtr, err := a.Prompt()
+		auth := *authPtr
+		if err != nil {
+			return nil, err
+		}
+		data, err := json.Marshal(auth)
+		if err != nil {
+			return &auth, err
+		}
+		err = ioutil.WriteFile(path, data, 0600)
+		return &auth, err
+	}
+	authPtr, err := clientauth.LoadFromFile(path)
+	if err != nil {
+		return nil, err
+	}
+	return authPtr, nil
+}
+
+// Prompt pulls the user and password from a reader
+func (a *PromptingAuthLoader) Prompt() (*clientauth.Info, error) {
+	var err error
+	auth := &clientauth.Info{}
+	auth.User, err = promptForString("Username", a.reader, true)
+	if err != nil {
+		return nil, err
+	}
+	auth.Password, err = promptForString("Password", nil, false)
+	if err != nil {
+		return nil, err
+	}
+	return auth, nil
+}
+
+func promptForString(field string, r io.Reader, show bool) (result string, err error) {
+	fmt.Printf("Please enter %s: ", field)
+	if show {
+		_, err = fmt.Fscan(r, &result)
+	} else {
+		var data []byte
+		data, err = gopass.GetPasswdMasked()
+		result = string(data)
+	}
+	return result, err
+}
+
+// NewPromptingAuthLoader is an AuthLoader that parses an AuthInfo object from a file path. It prompts user and creates file if it doesn't exist.
+func NewPromptingAuthLoader(reader io.Reader) *PromptingAuthLoader {
+	return &PromptingAuthLoader{reader}
+}
+
+// NewDefaultAuthLoader returns a default implementation of an AuthLoader that only reads from a config file
+func NewDefaultAuthLoader() AuthLoader {
+	return &defaultAuthLoader{}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/client_config.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/client_config.go
new file mode 100644
index 00000000..a8698af2
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/client_config.go
@@ -0,0 +1,549 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientcmd
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/golang/glog"
+	"github.com/imdario/mergo"
+
+	"k8s.io/api/core/v1"
+	restclient "k8s.io/client-go/rest"
+	clientauth "k8s.io/client-go/tools/auth"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+var (
+	// ClusterDefaults has the same behavior as the old EnvVar and DefaultCluster fields
+	// DEPRECATED will be replaced
+	ClusterDefaults = clientcmdapi.Cluster{Server: getDefaultServer()}
+	// DefaultClientConfig represents the legacy behavior of this package for defaulting
+	// DEPRECATED will be replace
+	DefaultClientConfig = DirectClientConfig{*clientcmdapi.NewConfig(), "", &ConfigOverrides{
+		ClusterDefaults: ClusterDefaults,
+	}, nil, NewDefaultClientConfigLoadingRules(), promptedCredentials{}}
+)
+
+// getDefaultServer returns a default setting for DefaultClientConfig
+// DEPRECATED
+func getDefaultServer() string {
+	if server := os.Getenv("KUBERNETES_MASTER"); len(server) > 0 {
+		return server
+	}
+	return "http://localhost:8080"
+}
+
+// ClientConfig is used to make it easy to get an api server client
+type ClientConfig interface {
+	// RawConfig returns the merged result of all overrides
+	RawConfig() (clientcmdapi.Config, error)
+	// ClientConfig returns a complete client config
+	ClientConfig() (*restclient.Config, error)
+	// Namespace returns the namespace resulting from the merged
+	// result of all overrides and a boolean indicating if it was
+	// overridden
+	Namespace() (string, bool, error)
+	// ConfigAccess returns the rules for loading/persisting the config.
+	ConfigAccess() ConfigAccess
+}
+
+type PersistAuthProviderConfigForUser func(user string) restclient.AuthProviderConfigPersister
+
+type promptedCredentials struct {
+	username string
+	password string
+}
+
+// DirectClientConfig is a ClientConfig interface that is backed by a clientcmdapi.Config, options overrides, and an optional fallbackReader for auth information
+type DirectClientConfig struct {
+	config         clientcmdapi.Config
+	contextName    string
+	overrides      *ConfigOverrides
+	fallbackReader io.Reader
+	configAccess   ConfigAccess
+	// promptedCredentials store the credentials input by the user
+	promptedCredentials promptedCredentials
+}
+
+// NewDefaultClientConfig creates a DirectClientConfig using the config.CurrentContext as the context name
+func NewDefaultClientConfig(config clientcmdapi.Config, overrides *ConfigOverrides) ClientConfig {
+	return &DirectClientConfig{config, config.CurrentContext, overrides, nil, NewDefaultClientConfigLoadingRules(), promptedCredentials{}}
+}
+
+// NewNonInteractiveClientConfig creates a DirectClientConfig using the passed context name and does not have a fallback reader for auth information
+func NewNonInteractiveClientConfig(config clientcmdapi.Config, contextName string, overrides *ConfigOverrides, configAccess ConfigAccess) ClientConfig {
+	return &DirectClientConfig{config, contextName, overrides, nil, configAccess, promptedCredentials{}}
+}
+
+// NewInteractiveClientConfig creates a DirectClientConfig using the passed context name and a reader in case auth information is not provided via files or flags
+func NewInteractiveClientConfig(config clientcmdapi.Config, contextName string, overrides *ConfigOverrides, fallbackReader io.Reader, configAccess ConfigAccess) ClientConfig {
+	return &DirectClientConfig{config, contextName, overrides, fallbackReader, configAccess, promptedCredentials{}}
+}
+
+func (config *DirectClientConfig) RawConfig() (clientcmdapi.Config, error) {
+	return config.config, nil
+}
+
+// ClientConfig implements ClientConfig
+func (config *DirectClientConfig) ClientConfig() (*restclient.Config, error) {
+	// check that getAuthInfo, getContext, and getCluster do not return an error.
+	// Do this before checking if the curent config is usable in the event that an
+	// AuthInfo, Context, or Cluster config with user-defined names are not found.
+	// This provides a user with the immediate cause for error if one is found
+	configAuthInfo, err := config.getAuthInfo()
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = config.getContext()
+	if err != nil {
+		return nil, err
+	}
+
+	configClusterInfo, err := config.getCluster()
+	if err != nil {
+		return nil, err
+	}
+
+	if err := config.ConfirmUsable(); err != nil {
+		return nil, err
+	}
+
+	clientConfig := &restclient.Config{}
+	clientConfig.Host = configClusterInfo.Server
+
+	if len(config.overrides.Timeout) > 0 {
+		timeout, err := ParseTimeout(config.overrides.Timeout)
+		if err != nil {
+			return nil, err
+		}
+		clientConfig.Timeout = timeout
+	}
+
+	if u, err := url.ParseRequestURI(clientConfig.Host); err == nil && u.Opaque == "" && len(u.Path) > 1 {
+		u.RawQuery = ""
+		u.Fragment = ""
+		clientConfig.Host = u.String()
+	}
+	if len(configAuthInfo.Impersonate) > 0 {
+		clientConfig.Impersonate = restclient.ImpersonationConfig{
+			UserName: configAuthInfo.Impersonate,
+			Groups:   configAuthInfo.ImpersonateGroups,
+			Extra:    configAuthInfo.ImpersonateUserExtra,
+		}
+	}
+
+	// only try to read the auth information if we are secure
+	if restclient.IsConfigTransportTLS(*clientConfig) {
+		var err error
+
+		// mergo is a first write wins for map value and a last writing wins for interface values
+		// NOTE: This behavior changed with https://github.com/imdario/mergo/commit/d304790b2ed594794496464fadd89d2bb266600a.
+		//       Our mergo.Merge version is older than this change.
+		var persister restclient.AuthProviderConfigPersister
+		if config.configAccess != nil {
+			authInfoName, _ := config.getAuthInfoName()
+			persister = PersisterForUser(config.configAccess, authInfoName)
+		}
+		userAuthPartialConfig, err := config.getUserIdentificationPartialConfig(configAuthInfo, config.fallbackReader, persister)
+		if err != nil {
+			return nil, err
+		}
+		mergo.Merge(clientConfig, userAuthPartialConfig)
+
+		serverAuthPartialConfig, err := getServerIdentificationPartialConfig(configAuthInfo, configClusterInfo)
+		if err != nil {
+			return nil, err
+		}
+		mergo.Merge(clientConfig, serverAuthPartialConfig)
+	}
+
+	return clientConfig, nil
+}
+
+// clientauth.Info object contain both user identification and server identification.  We want different precedence orders for
+// both, so we have to split the objects and merge them separately
+// we want this order of precedence for the server identification
+// 1.  configClusterInfo (the final result of command line flags and merged .kubeconfig files)
+// 2.  configAuthInfo.auth-path (this file can contain information that conflicts with #1, and we want #1 to win the priority)
+// 3.  load the ~/.kubernetes_auth file as a default
+func getServerIdentificationPartialConfig(configAuthInfo clientcmdapi.AuthInfo, configClusterInfo clientcmdapi.Cluster) (*restclient.Config, error) {
+	mergedConfig := &restclient.Config{}
+
+	// configClusterInfo holds the information identify the server provided by .kubeconfig
+	configClientConfig := &restclient.Config{}
+	configClientConfig.CAFile = configClusterInfo.CertificateAuthority
+	configClientConfig.CAData = configClusterInfo.CertificateAuthorityData
+	configClientConfig.Insecure = configClusterInfo.InsecureSkipTLSVerify
+	mergo.Merge(mergedConfig, configClientConfig)
+
+	return mergedConfig, nil
+}
+
+// clientauth.Info object contain both user identification and server identification.  We want different precedence orders for
+// both, so we have to split the objects and merge them separately
+// we want this order of precedence for user identifcation
+// 1.  configAuthInfo minus auth-path (the final result of command line flags and merged .kubeconfig files)
+// 2.  configAuthInfo.auth-path (this file can contain information that conflicts with #1, and we want #1 to win the priority)
+// 3.  if there is not enough information to identify the user, load try the ~/.kubernetes_auth file
+// 4.  if there is not enough information to identify the user, prompt if possible
+func (config *DirectClientConfig) getUserIdentificationPartialConfig(configAuthInfo clientcmdapi.AuthInfo, fallbackReader io.Reader, persistAuthConfig restclient.AuthProviderConfigPersister) (*restclient.Config, error) {
+	mergedConfig := &restclient.Config{}
+
+	// blindly overwrite existing values based on precedence
+	if len(configAuthInfo.Token) > 0 {
+		mergedConfig.BearerToken = configAuthInfo.Token
+	} else if len(configAuthInfo.TokenFile) > 0 {
+		tokenBytes, err := ioutil.ReadFile(configAuthInfo.TokenFile)
+		if err != nil {
+			return nil, err
+		}
+		mergedConfig.BearerToken = string(tokenBytes)
+	}
+	if len(configAuthInfo.Impersonate) > 0 {
+		mergedConfig.Impersonate = restclient.ImpersonationConfig{
+			UserName: configAuthInfo.Impersonate,
+			Groups:   configAuthInfo.ImpersonateGroups,
+			Extra:    configAuthInfo.ImpersonateUserExtra,
+		}
+	}
+	if len(configAuthInfo.ClientCertificate) > 0 || len(configAuthInfo.ClientCertificateData) > 0 {
+		mergedConfig.CertFile = configAuthInfo.ClientCertificate
+		mergedConfig.CertData = configAuthInfo.ClientCertificateData
+		mergedConfig.KeyFile = configAuthInfo.ClientKey
+		mergedConfig.KeyData = configAuthInfo.ClientKeyData
+	}
+	if len(configAuthInfo.Username) > 0 || len(configAuthInfo.Password) > 0 {
+		mergedConfig.Username = configAuthInfo.Username
+		mergedConfig.Password = configAuthInfo.Password
+	}
+	if configAuthInfo.AuthProvider != nil {
+		mergedConfig.AuthProvider = configAuthInfo.AuthProvider
+		mergedConfig.AuthConfigPersister = persistAuthConfig
+	}
+
+	// if there still isn't enough information to authenticate the user, try prompting
+	if !canIdentifyUser(*mergedConfig) && (fallbackReader != nil) {
+		if len(config.promptedCredentials.username) > 0 && len(config.promptedCredentials.password) > 0 {
+			mergedConfig.Username = config.promptedCredentials.username
+			mergedConfig.Password = config.promptedCredentials.password
+			return mergedConfig, nil
+		}
+		prompter := NewPromptingAuthLoader(fallbackReader)
+		promptedAuthInfo, err := prompter.Prompt()
+		if err != nil {
+			return nil, err
+		}
+		promptedConfig := makeUserIdentificationConfig(*promptedAuthInfo)
+		previouslyMergedConfig := mergedConfig
+		mergedConfig = &restclient.Config{}
+		mergo.Merge(mergedConfig, promptedConfig)
+		mergo.Merge(mergedConfig, previouslyMergedConfig)
+		config.promptedCredentials.username = mergedConfig.Username
+		config.promptedCredentials.password = mergedConfig.Password
+	}
+
+	return mergedConfig, nil
+}
+
+// makeUserIdentificationFieldsConfig returns a client.Config capable of being merged using mergo for only user identification information
+func makeUserIdentificationConfig(info clientauth.Info) *restclient.Config {
+	config := &restclient.Config{}
+	config.Username = info.User
+	config.Password = info.Password
+	config.CertFile = info.CertFile
+	config.KeyFile = info.KeyFile
+	config.BearerToken = info.BearerToken
+	return config
+}
+
+// makeUserIdentificationFieldsConfig returns a client.Config capable of being merged using mergo for only server identification information
+func makeServerIdentificationConfig(info clientauth.Info) restclient.Config {
+	config := restclient.Config{}
+	config.CAFile = info.CAFile
+	if info.Insecure != nil {
+		config.Insecure = *info.Insecure
+	}
+	return config
+}
+
+func canIdentifyUser(config restclient.Config) bool {
+	return len(config.Username) > 0 ||
+		(len(config.CertFile) > 0 || len(config.CertData) > 0) ||
+		len(config.BearerToken) > 0 ||
+		config.AuthProvider != nil
+}
+
+// Namespace implements ClientConfig
+func (config *DirectClientConfig) Namespace() (string, bool, error) {
+	if config.overrides != nil && config.overrides.Context.Namespace != "" {
+		// In the event we have an empty config but we do have a namespace override, we should return
+		// the namespace override instead of having config.ConfirmUsable() return an error. This allows
+		// things like in-cluster clients to execute `kubectl get pods --namespace=foo` and have the
+		// --namespace flag honored instead of being ignored.
+		return config.overrides.Context.Namespace, true, nil
+	}
+
+	if err := config.ConfirmUsable(); err != nil {
+		return "", false, err
+	}
+
+	configContext, err := config.getContext()
+	if err != nil {
+		return "", false, err
+	}
+
+	if len(configContext.Namespace) == 0 {
+		return v1.NamespaceDefault, false, nil
+	}
+
+	return configContext.Namespace, false, nil
+}
+
+// ConfigAccess implements ClientConfig
+func (config *DirectClientConfig) ConfigAccess() ConfigAccess {
+	return config.configAccess
+}
+
+// ConfirmUsable looks a particular context and determines if that particular part of the config is useable.  There might still be errors in the config,
+// but no errors in the sections requested or referenced.  It does not return early so that it can find as many errors as possible.
+func (config *DirectClientConfig) ConfirmUsable() error {
+	validationErrors := make([]error, 0)
+
+	var contextName string
+	if len(config.contextName) != 0 {
+		contextName = config.contextName
+	} else {
+		contextName = config.config.CurrentContext
+	}
+
+	if len(contextName) > 0 {
+		_, exists := config.config.Contexts[contextName]
+		if !exists {
+			validationErrors = append(validationErrors, &errContextNotFound{contextName})
+		}
+	}
+
+	authInfoName, _ := config.getAuthInfoName()
+	authInfo, _ := config.getAuthInfo()
+	validationErrors = append(validationErrors, validateAuthInfo(authInfoName, authInfo)...)
+	clusterName, _ := config.getClusterName()
+	cluster, _ := config.getCluster()
+	validationErrors = append(validationErrors, validateClusterInfo(clusterName, cluster)...)
+	// when direct client config is specified, and our only error is that no server is defined, we should
+	// return a standard "no config" error
+	if len(validationErrors) == 1 && validationErrors[0] == ErrEmptyCluster {
+		return newErrConfigurationInvalid([]error{ErrEmptyConfig})
+	}
+	return newErrConfigurationInvalid(validationErrors)
+}
+
+// getContextName returns the default, or user-set context name, and a boolean that indicates
+// whether the default context name has been overwritten by a user-set flag, or left as its default value
+func (config *DirectClientConfig) getContextName() (string, bool) {
+	if len(config.overrides.CurrentContext) != 0 {
+		return config.overrides.CurrentContext, true
+	}
+	if len(config.contextName) != 0 {
+		return config.contextName, false
+	}
+
+	return config.config.CurrentContext, false
+}
+
+// getAuthInfoName returns a string containing the current authinfo name for the current context,
+// and a boolean indicating  whether the default authInfo name is overwritten by a user-set flag, or
+// left as its default value
+func (config *DirectClientConfig) getAuthInfoName() (string, bool) {
+	if len(config.overrides.Context.AuthInfo) != 0 {
+		return config.overrides.Context.AuthInfo, true
+	}
+	context, _ := config.getContext()
+	return context.AuthInfo, false
+}
+
+// getClusterName returns a string containing the default, or user-set cluster name, and a boolean
+// indicating whether the default clusterName has been overwritten by a user-set flag, or left as
+// its default value
+func (config *DirectClientConfig) getClusterName() (string, bool) {
+	if len(config.overrides.Context.Cluster) != 0 {
+		return config.overrides.Context.Cluster, true
+	}
+	context, _ := config.getContext()
+	return context.Cluster, false
+}
+
+// getContext returns the clientcmdapi.Context, or an error if a required context is not found.
+func (config *DirectClientConfig) getContext() (clientcmdapi.Context, error) {
+	contexts := config.config.Contexts
+	contextName, required := config.getContextName()
+
+	mergedContext := clientcmdapi.NewContext()
+	if configContext, exists := contexts[contextName]; exists {
+		mergo.Merge(mergedContext, configContext)
+	} else if required {
+		return clientcmdapi.Context{}, fmt.Errorf("context %q does not exist", contextName)
+	}
+	mergo.Merge(mergedContext, config.overrides.Context)
+
+	return *mergedContext, nil
+}
+
+// getAuthInfo returns the clientcmdapi.AuthInfo, or an error if a required auth info is not found.
+func (config *DirectClientConfig) getAuthInfo() (clientcmdapi.AuthInfo, error) {
+	authInfos := config.config.AuthInfos
+	authInfoName, required := config.getAuthInfoName()
+
+	mergedAuthInfo := clientcmdapi.NewAuthInfo()
+	if configAuthInfo, exists := authInfos[authInfoName]; exists {
+		mergo.Merge(mergedAuthInfo, configAuthInfo)
+	} else if required {
+		return clientcmdapi.AuthInfo{}, fmt.Errorf("auth info %q does not exist", authInfoName)
+	}
+	mergo.Merge(mergedAuthInfo, config.overrides.AuthInfo)
+
+	return *mergedAuthInfo, nil
+}
+
+// getCluster returns the clientcmdapi.Cluster, or an error if a required cluster is not found.
+func (config *DirectClientConfig) getCluster() (clientcmdapi.Cluster, error) {
+	clusterInfos := config.config.Clusters
+	clusterInfoName, required := config.getClusterName()
+
+	mergedClusterInfo := clientcmdapi.NewCluster()
+	mergo.Merge(mergedClusterInfo, config.overrides.ClusterDefaults)
+	if configClusterInfo, exists := clusterInfos[clusterInfoName]; exists {
+		mergo.Merge(mergedClusterInfo, configClusterInfo)
+	} else if required {
+		return clientcmdapi.Cluster{}, fmt.Errorf("cluster %q does not exist", clusterInfoName)
+	}
+	mergo.Merge(mergedClusterInfo, config.overrides.ClusterInfo)
+	// An override of --insecure-skip-tls-verify=true and no accompanying CA/CA data should clear already-set CA/CA data
+	// otherwise, a kubeconfig containing a CA reference would return an error that "CA and insecure-skip-tls-verify couldn't both be set"
+	caLen := len(config.overrides.ClusterInfo.CertificateAuthority)
+	caDataLen := len(config.overrides.ClusterInfo.CertificateAuthorityData)
+	if config.overrides.ClusterInfo.InsecureSkipTLSVerify && caLen == 0 && caDataLen == 0 {
+		mergedClusterInfo.CertificateAuthority = ""
+		mergedClusterInfo.CertificateAuthorityData = nil
+	}
+
+	return *mergedClusterInfo, nil
+}
+
+// inClusterClientConfig makes a config that will work from within a kubernetes cluster container environment.
+// Can take options overrides for flags explicitly provided to the command inside the cluster container.
+type inClusterClientConfig struct {
+	overrides               *ConfigOverrides
+	inClusterConfigProvider func() (*restclient.Config, error)
+}
+
+var _ ClientConfig = &inClusterClientConfig{}
+
+func (config *inClusterClientConfig) RawConfig() (clientcmdapi.Config, error) {
+	return clientcmdapi.Config{}, fmt.Errorf("inCluster environment config doesn't support multiple clusters")
+}
+
+func (config *inClusterClientConfig) ClientConfig() (*restclient.Config, error) {
+	if config.inClusterConfigProvider == nil {
+		config.inClusterConfigProvider = restclient.InClusterConfig
+	}
+
+	icc, err := config.inClusterConfigProvider()
+	if err != nil {
+		return nil, err
+	}
+
+	// in-cluster configs only takes a host, token, or CA file
+	// if any of them were individually provided, ovewrite anything else
+	if config.overrides != nil {
+		if server := config.overrides.ClusterInfo.Server; len(server) > 0 {
+			icc.Host = server
+		}
+		if token := config.overrides.AuthInfo.Token; len(token) > 0 {
+			icc.BearerToken = token
+		}
+		if certificateAuthorityFile := config.overrides.ClusterInfo.CertificateAuthority; len(certificateAuthorityFile) > 0 {
+			icc.TLSClientConfig.CAFile = certificateAuthorityFile
+		}
+	}
+
+	return icc, err
+}
+
+func (config *inClusterClientConfig) Namespace() (string, bool, error) {
+	// This way assumes you've set the POD_NAMESPACE environment variable using the downward API.
+	// This check has to be done first for backwards compatibility with the way InClusterConfig was originally set up
+	if ns := os.Getenv("POD_NAMESPACE"); ns != "" {
+		return ns, false, nil
+	}
+
+	// Fall back to the namespace associated with the service account token, if available
+	if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil {
+		if ns := strings.TrimSpace(string(data)); len(ns) > 0 {
+			return ns, false, nil
+		}
+	}
+
+	return "default", false, nil
+}
+
+func (config *inClusterClientConfig) ConfigAccess() ConfigAccess {
+	return NewDefaultClientConfigLoadingRules()
+}
+
+// Possible returns true if loading an inside-kubernetes-cluster is possible.
+func (config *inClusterClientConfig) Possible() bool {
+	fi, err := os.Stat("/var/run/secrets/kubernetes.io/serviceaccount/token")
+	return os.Getenv("KUBERNETES_SERVICE_HOST") != "" &&
+		os.Getenv("KUBERNETES_SERVICE_PORT") != "" &&
+		err == nil && !fi.IsDir()
+}
+
+// BuildConfigFromFlags is a helper function that builds configs from a master
+// url or a kubeconfig filepath. These are passed in as command line flags for cluster
+// components. Warnings should reflect this usage. If neither masterUrl or kubeconfigPath
+// are passed in we fallback to inClusterConfig. If inClusterConfig fails, we fallback
+// to the default config.
+func BuildConfigFromFlags(masterUrl, kubeconfigPath string) (*restclient.Config, error) {
+	if kubeconfigPath == "" && masterUrl == "" {
+		glog.Warningf("Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.")
+		kubeconfig, err := restclient.InClusterConfig()
+		if err == nil {
+			return kubeconfig, nil
+		}
+		glog.Warning("error creating inClusterConfig, falling back to default config: ", err)
+	}
+	return NewNonInteractiveDeferredLoadingClientConfig(
+		&ClientConfigLoadingRules{ExplicitPath: kubeconfigPath},
+		&ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: masterUrl}}).ClientConfig()
+}
+
+// BuildConfigFromKubeconfigGetter is a helper function that builds configs from a master
+// url and a kubeconfigGetter.
+func BuildConfigFromKubeconfigGetter(masterUrl string, kubeconfigGetter KubeconfigGetter) (*restclient.Config, error) {
+	// TODO: We do not need a DeferredLoader here. Refactor code and see if we can use DirectClientConfig here.
+	cc := NewNonInteractiveDeferredLoadingClientConfig(
+		&ClientConfigGetter{kubeconfigGetter: kubeconfigGetter},
+		&ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: masterUrl}})
+	return cc.ClientConfig()
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/config.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/config.go
new file mode 100644
index 00000000..16ccdaf2
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/config.go
@@ -0,0 +1,472 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientcmd
+
+import (
+	"errors"
+	"os"
+	"path"
+	"path/filepath"
+	"reflect"
+	"sort"
+
+	"github.com/golang/glog"
+
+	restclient "k8s.io/client-go/rest"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+// ConfigAccess is used by subcommands and methods in this package to load and modify the appropriate config files
+type ConfigAccess interface {
+	// GetLoadingPrecedence returns the slice of files that should be used for loading and inspecting the config
+	GetLoadingPrecedence() []string
+	// GetStartingConfig returns the config that subcommands should being operating against.  It may or may not be merged depending on loading rules
+	GetStartingConfig() (*clientcmdapi.Config, error)
+	// GetDefaultFilename returns the name of the file you should write into (create if necessary), if you're trying to create a new stanza as opposed to updating an existing one.
+	GetDefaultFilename() string
+	// IsExplicitFile indicates whether or not this command is interested in exactly one file.  This implementation only ever does that  via a flag, but implementations that handle local, global, and flags may have more
+	IsExplicitFile() bool
+	// GetExplicitFile returns the particular file this command is operating against.  This implementation only ever has one, but implementations that handle local, global, and flags may have more
+	GetExplicitFile() string
+}
+
+type PathOptions struct {
+	// GlobalFile is the full path to the file to load as the global (final) option
+	GlobalFile string
+	// EnvVar is the env var name that points to the list of kubeconfig files to load
+	EnvVar string
+	// ExplicitFileFlag is the name of the flag to use for prompting for the kubeconfig file
+	ExplicitFileFlag string
+
+	// GlobalFileSubpath is an optional value used for displaying help
+	GlobalFileSubpath string
+
+	LoadingRules *ClientConfigLoadingRules
+}
+
+func (o *PathOptions) GetEnvVarFiles() []string {
+	if len(o.EnvVar) == 0 {
+		return []string{}
+	}
+
+	envVarValue := os.Getenv(o.EnvVar)
+	if len(envVarValue) == 0 {
+		return []string{}
+	}
+
+	return filepath.SplitList(envVarValue)
+}
+
+func (o *PathOptions) GetLoadingPrecedence() []string {
+	if envVarFiles := o.GetEnvVarFiles(); len(envVarFiles) > 0 {
+		return envVarFiles
+	}
+
+	return []string{o.GlobalFile}
+}
+
+func (o *PathOptions) GetStartingConfig() (*clientcmdapi.Config, error) {
+	// don't mutate the original
+	loadingRules := *o.LoadingRules
+	loadingRules.Precedence = o.GetLoadingPrecedence()
+
+	clientConfig := NewNonInteractiveDeferredLoadingClientConfig(&loadingRules, &ConfigOverrides{})
+	rawConfig, err := clientConfig.RawConfig()
+	if os.IsNotExist(err) {
+		return clientcmdapi.NewConfig(), nil
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return &rawConfig, nil
+}
+
+func (o *PathOptions) GetDefaultFilename() string {
+	if o.IsExplicitFile() {
+		return o.GetExplicitFile()
+	}
+
+	if envVarFiles := o.GetEnvVarFiles(); len(envVarFiles) > 0 {
+		if len(envVarFiles) == 1 {
+			return envVarFiles[0]
+		}
+
+		// if any of the envvar files already exists, return it
+		for _, envVarFile := range envVarFiles {
+			if _, err := os.Stat(envVarFile); err == nil {
+				return envVarFile
+			}
+		}
+
+		// otherwise, return the last one in the list
+		return envVarFiles[len(envVarFiles)-1]
+	}
+
+	return o.GlobalFile
+}
+
+func (o *PathOptions) IsExplicitFile() bool {
+	if len(o.LoadingRules.ExplicitPath) > 0 {
+		return true
+	}
+
+	return false
+}
+
+func (o *PathOptions) GetExplicitFile() string {
+	return o.LoadingRules.ExplicitPath
+}
+
+func NewDefaultPathOptions() *PathOptions {
+	ret := &PathOptions{
+		GlobalFile:       RecommendedHomeFile,
+		EnvVar:           RecommendedConfigPathEnvVar,
+		ExplicitFileFlag: RecommendedConfigPathFlag,
+
+		GlobalFileSubpath: path.Join(RecommendedHomeDir, RecommendedFileName),
+
+		LoadingRules: NewDefaultClientConfigLoadingRules(),
+	}
+	ret.LoadingRules.DoNotResolvePaths = true
+
+	return ret
+}
+
+// ModifyConfig takes a Config object, iterates through Clusters, AuthInfos, and Contexts, uses the LocationOfOrigin if specified or
+// uses the default destination file to write the results into.  This results in multiple file reads, but it's very easy to follow.
+// Preferences and CurrentContext should always be set in the default destination file.  Since we can't distinguish between empty and missing values
+// (no nil strings), we're forced have separate handling for them.  In the kubeconfig cases, newConfig should have at most one difference,
+// that means that this code will only write into a single file.  If you want to relativizePaths, you must provide a fully qualified path in any
+// modified element.
+func ModifyConfig(configAccess ConfigAccess, newConfig clientcmdapi.Config, relativizePaths bool) error {
+	possibleSources := configAccess.GetLoadingPrecedence()
+	// sort the possible kubeconfig files so we always "lock" in the same order
+	// to avoid deadlock (note: this can fail w/ symlinks, but... come on).
+	sort.Strings(possibleSources)
+	for _, filename := range possibleSources {
+		if err := lockFile(filename); err != nil {
+			return err
+		}
+		defer unlockFile(filename)
+	}
+
+	startingConfig, err := configAccess.GetStartingConfig()
+	if err != nil {
+		return err
+	}
+
+	// We need to find all differences, locate their original files, read a partial config to modify only that stanza and write out the file.
+	// Special case the test for current context and preferences since those always write to the default file.
+	if reflect.DeepEqual(*startingConfig, newConfig) {
+		// nothing to do
+		return nil
+	}
+
+	if startingConfig.CurrentContext != newConfig.CurrentContext {
+		if err := writeCurrentContext(configAccess, newConfig.CurrentContext); err != nil {
+			return err
+		}
+	}
+
+	if !reflect.DeepEqual(startingConfig.Preferences, newConfig.Preferences) {
+		if err := writePreferences(configAccess, newConfig.Preferences); err != nil {
+			return err
+		}
+	}
+
+	// Search every cluster, authInfo, and context.  First from new to old for differences, then from old to new for deletions
+	for key, cluster := range newConfig.Clusters {
+		startingCluster, exists := startingConfig.Clusters[key]
+		if !reflect.DeepEqual(cluster, startingCluster) || !exists {
+			destinationFile := cluster.LocationOfOrigin
+			if len(destinationFile) == 0 {
+				destinationFile = configAccess.GetDefaultFilename()
+			}
+
+			configToWrite, err := getConfigFromFile(destinationFile)
+			if err != nil {
+				return err
+			}
+			t := *cluster
+
+			configToWrite.Clusters[key] = &t
+			configToWrite.Clusters[key].LocationOfOrigin = destinationFile
+			if relativizePaths {
+				if err := RelativizeClusterLocalPaths(configToWrite.Clusters[key]); err != nil {
+					return err
+				}
+			}
+
+			if err := WriteToFile(*configToWrite, destinationFile); err != nil {
+				return err
+			}
+		}
+	}
+
+	for key, context := range newConfig.Contexts {
+		startingContext, exists := startingConfig.Contexts[key]
+		if !reflect.DeepEqual(context, startingContext) || !exists {
+			destinationFile := context.LocationOfOrigin
+			if len(destinationFile) == 0 {
+				destinationFile = configAccess.GetDefaultFilename()
+			}
+
+			configToWrite, err := getConfigFromFile(destinationFile)
+			if err != nil {
+				return err
+			}
+			configToWrite.Contexts[key] = context
+
+			if err := WriteToFile(*configToWrite, destinationFile); err != nil {
+				return err
+			}
+		}
+	}
+
+	for key, authInfo := range newConfig.AuthInfos {
+		startingAuthInfo, exists := startingConfig.AuthInfos[key]
+		if !reflect.DeepEqual(authInfo, startingAuthInfo) || !exists {
+			destinationFile := authInfo.LocationOfOrigin
+			if len(destinationFile) == 0 {
+				destinationFile = configAccess.GetDefaultFilename()
+			}
+
+			configToWrite, err := getConfigFromFile(destinationFile)
+			if err != nil {
+				return err
+			}
+			t := *authInfo
+			configToWrite.AuthInfos[key] = &t
+			configToWrite.AuthInfos[key].LocationOfOrigin = destinationFile
+			if relativizePaths {
+				if err := RelativizeAuthInfoLocalPaths(configToWrite.AuthInfos[key]); err != nil {
+					return err
+				}
+			}
+
+			if err := WriteToFile(*configToWrite, destinationFile); err != nil {
+				return err
+			}
+		}
+	}
+
+	for key, cluster := range startingConfig.Clusters {
+		if _, exists := newConfig.Clusters[key]; !exists {
+			destinationFile := cluster.LocationOfOrigin
+			if len(destinationFile) == 0 {
+				destinationFile = configAccess.GetDefaultFilename()
+			}
+
+			configToWrite, err := getConfigFromFile(destinationFile)
+			if err != nil {
+				return err
+			}
+			delete(configToWrite.Clusters, key)
+
+			if err := WriteToFile(*configToWrite, destinationFile); err != nil {
+				return err
+			}
+		}
+	}
+
+	for key, context := range startingConfig.Contexts {
+		if _, exists := newConfig.Contexts[key]; !exists {
+			destinationFile := context.LocationOfOrigin
+			if len(destinationFile) == 0 {
+				destinationFile = configAccess.GetDefaultFilename()
+			}
+
+			configToWrite, err := getConfigFromFile(destinationFile)
+			if err != nil {
+				return err
+			}
+			delete(configToWrite.Contexts, key)
+
+			if err := WriteToFile(*configToWrite, destinationFile); err != nil {
+				return err
+			}
+		}
+	}
+
+	for key, authInfo := range startingConfig.AuthInfos {
+		if _, exists := newConfig.AuthInfos[key]; !exists {
+			destinationFile := authInfo.LocationOfOrigin
+			if len(destinationFile) == 0 {
+				destinationFile = configAccess.GetDefaultFilename()
+			}
+
+			configToWrite, err := getConfigFromFile(destinationFile)
+			if err != nil {
+				return err
+			}
+			delete(configToWrite.AuthInfos, key)
+
+			if err := WriteToFile(*configToWrite, destinationFile); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func PersisterForUser(configAccess ConfigAccess, user string) restclient.AuthProviderConfigPersister {
+	return &persister{configAccess, user}
+}
+
+type persister struct {
+	configAccess ConfigAccess
+	user         string
+}
+
+func (p *persister) Persist(config map[string]string) error {
+	newConfig, err := p.configAccess.GetStartingConfig()
+	if err != nil {
+		return err
+	}
+	authInfo, ok := newConfig.AuthInfos[p.user]
+	if ok && authInfo.AuthProvider != nil {
+		authInfo.AuthProvider.Config = config
+		ModifyConfig(p.configAccess, *newConfig, false)
+	}
+	return nil
+}
+
+// writeCurrentContext takes three possible paths.
+// If newCurrentContext is the same as the startingConfig's current context, then we exit.
+// If newCurrentContext has a value, then that value is written into the default destination file.
+// If newCurrentContext is empty, then we find the config file that is setting the CurrentContext and clear the value from that file
+func writeCurrentContext(configAccess ConfigAccess, newCurrentContext string) error {
+	if startingConfig, err := configAccess.GetStartingConfig(); err != nil {
+		return err
+	} else if startingConfig.CurrentContext == newCurrentContext {
+		return nil
+	}
+
+	if configAccess.IsExplicitFile() {
+		file := configAccess.GetExplicitFile()
+		currConfig, err := getConfigFromFile(file)
+		if err != nil {
+			return err
+		}
+		currConfig.CurrentContext = newCurrentContext
+		if err := WriteToFile(*currConfig, file); err != nil {
+			return err
+		}
+
+		return nil
+	}
+
+	if len(newCurrentContext) > 0 {
+		destinationFile := configAccess.GetDefaultFilename()
+		config, err := getConfigFromFile(destinationFile)
+		if err != nil {
+			return err
+		}
+		config.CurrentContext = newCurrentContext
+
+		if err := WriteToFile(*config, destinationFile); err != nil {
+			return err
+		}
+
+		return nil
+	}
+
+	// we're supposed to be clearing the current context.  We need to find the first spot in the chain that is setting it and clear it
+	for _, file := range configAccess.GetLoadingPrecedence() {
+		if _, err := os.Stat(file); err == nil {
+			currConfig, err := getConfigFromFile(file)
+			if err != nil {
+				return err
+			}
+
+			if len(currConfig.CurrentContext) > 0 {
+				currConfig.CurrentContext = newCurrentContext
+				if err := WriteToFile(*currConfig, file); err != nil {
+					return err
+				}
+
+				return nil
+			}
+		}
+	}
+
+	return errors.New("no config found to write context")
+}
+
+func writePreferences(configAccess ConfigAccess, newPrefs clientcmdapi.Preferences) error {
+	if startingConfig, err := configAccess.GetStartingConfig(); err != nil {
+		return err
+	} else if reflect.DeepEqual(startingConfig.Preferences, newPrefs) {
+		return nil
+	}
+
+	if configAccess.IsExplicitFile() {
+		file := configAccess.GetExplicitFile()
+		currConfig, err := getConfigFromFile(file)
+		if err != nil {
+			return err
+		}
+		currConfig.Preferences = newPrefs
+		if err := WriteToFile(*currConfig, file); err != nil {
+			return err
+		}
+
+		return nil
+	}
+
+	for _, file := range configAccess.GetLoadingPrecedence() {
+		currConfig, err := getConfigFromFile(file)
+		if err != nil {
+			return err
+		}
+
+		if !reflect.DeepEqual(currConfig.Preferences, newPrefs) {
+			currConfig.Preferences = newPrefs
+			if err := WriteToFile(*currConfig, file); err != nil {
+				return err
+			}
+
+			return nil
+		}
+	}
+
+	return errors.New("no config found to write preferences")
+}
+
+// getConfigFromFile tries to read a kubeconfig file and if it can't, returns an error.  One exception, missing files result in empty configs, not an error.
+func getConfigFromFile(filename string) (*clientcmdapi.Config, error) {
+	config, err := LoadFromFile(filename)
+	if err != nil && !os.IsNotExist(err) {
+		return nil, err
+	}
+	if config == nil {
+		config = clientcmdapi.NewConfig()
+	}
+	return config, nil
+}
+
+// GetConfigFromFileOrDie tries to read a kubeconfig file and if it can't, it calls exit.  One exception, missing files result in empty configs, not an exit
+func GetConfigFromFileOrDie(filename string) *clientcmdapi.Config {
+	config, err := getConfigFromFile(filename)
+	if err != nil {
+		glog.FatalDepth(1, err)
+	}
+
+	return config
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/doc.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/doc.go
new file mode 100644
index 00000000..424311ee
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/doc.go
@@ -0,0 +1,37 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package clientcmd provides one stop shopping for building a working client from a fixed config,
+from a .kubeconfig file, from command line flags, or from any merged combination.
+
+Sample usage from merged .kubeconfig files (local directory, home directory)
+
+	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+	// if you want to change the loading rules (which files in which order), you can do so here
+
+	configOverrides := &clientcmd.ConfigOverrides{}
+	// if you want to change override values or bind them to flags, there are methods to help you
+
+	kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, configOverrides)
+	config, err := kubeConfig.ClientConfig()
+	if err != nil {
+		// Do something
+	}
+	client, err := metav1.New(config)
+	// ...
+*/
+package clientcmd // import "k8s.io/client-go/tools/clientcmd"
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/flag.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/flag.go
new file mode 100644
index 00000000..8d60d201
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/flag.go
@@ -0,0 +1,49 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientcmd
+
+// transformingStringValue implements pflag.Value to store string values,
+// allowing transforming them while being set
+type transformingStringValue struct {
+	target      *string
+	transformer func(string) (string, error)
+}
+
+func newTransformingStringValue(val string, target *string, transformer func(string) (string, error)) *transformingStringValue {
+	*target = val
+	return &transformingStringValue{
+		target:      target,
+		transformer: transformer,
+	}
+}
+
+func (t *transformingStringValue) Set(val string) error {
+	val, err := t.transformer(val)
+	if err != nil {
+		return err
+	}
+	*t.target = val
+	return nil
+}
+
+func (t *transformingStringValue) Type() string {
+	return "string"
+}
+
+func (t *transformingStringValue) String() string {
+	return string(*t.target)
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/helpers.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/helpers.go
new file mode 100644
index 00000000..b609d1a7
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/helpers.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientcmd
+
+import (
+	"fmt"
+	"strconv"
+	"time"
+)
+
+// ParseTimeout returns a parsed duration from a string
+// A duration string value must be a positive integer, optionally followed by a corresponding time unit (s|m|h).
+func ParseTimeout(duration string) (time.Duration, error) {
+	if i, err := strconv.ParseInt(duration, 10, 64); err == nil && i >= 0 {
+		return (time.Duration(i) * time.Second), nil
+	}
+	if requestTimeout, err := time.ParseDuration(duration); err == nil {
+		return requestTimeout, nil
+	}
+	return 0, fmt.Errorf("Invalid timeout value. Timeout must be a single integer in seconds, or an integer followed by a corresponding time unit (e.g. 1s | 2m | 3h)")
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/loader.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/loader.go
new file mode 100644
index 00000000..6ac83b5c
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/loader.go
@@ -0,0 +1,612 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientcmd
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"reflect"
+	goruntime "runtime"
+	"strings"
+
+	"github.com/golang/glog"
+	"github.com/imdario/mergo"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	restclient "k8s.io/client-go/rest"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+	clientcmdlatest "k8s.io/client-go/tools/clientcmd/api/latest"
+	"k8s.io/client-go/util/homedir"
+)
+
+const (
+	RecommendedConfigPathFlag   = "kubeconfig"
+	RecommendedConfigPathEnvVar = "KUBECONFIG"
+	RecommendedHomeDir          = ".kube"
+	RecommendedFileName         = "config"
+	RecommendedSchemaName       = "schema"
+)
+
+var (
+	RecommendedConfigDir  = path.Join(homedir.HomeDir(), RecommendedHomeDir)
+	RecommendedHomeFile   = path.Join(RecommendedConfigDir, RecommendedFileName)
+	RecommendedSchemaFile = path.Join(RecommendedConfigDir, RecommendedSchemaName)
+)
+
+// currentMigrationRules returns a map that holds the history of recommended home directories used in previous versions.
+// Any future changes to RecommendedHomeFile and related are expected to add a migration rule here, in order to make
+// sure existing config files are migrated to their new locations properly.
+func currentMigrationRules() map[string]string {
+	oldRecommendedHomeFile := path.Join(os.Getenv("HOME"), "/.kube/.kubeconfig")
+	oldRecommendedWindowsHomeFile := path.Join(os.Getenv("HOME"), RecommendedHomeDir, RecommendedFileName)
+
+	migrationRules := map[string]string{}
+	migrationRules[RecommendedHomeFile] = oldRecommendedHomeFile
+	if goruntime.GOOS == "windows" {
+		migrationRules[RecommendedHomeFile] = oldRecommendedWindowsHomeFile
+	}
+	return migrationRules
+}
+
+type ClientConfigLoader interface {
+	ConfigAccess
+	// IsDefaultConfig returns true if the returned config matches the defaults.
+	IsDefaultConfig(*restclient.Config) bool
+	// Load returns the latest config
+	Load() (*clientcmdapi.Config, error)
+}
+
+type KubeconfigGetter func() (*clientcmdapi.Config, error)
+
+type ClientConfigGetter struct {
+	kubeconfigGetter KubeconfigGetter
+}
+
+// ClientConfigGetter implements the ClientConfigLoader interface.
+var _ ClientConfigLoader = &ClientConfigGetter{}
+
+func (g *ClientConfigGetter) Load() (*clientcmdapi.Config, error) {
+	return g.kubeconfigGetter()
+}
+
+func (g *ClientConfigGetter) GetLoadingPrecedence() []string {
+	return nil
+}
+func (g *ClientConfigGetter) GetStartingConfig() (*clientcmdapi.Config, error) {
+	return g.kubeconfigGetter()
+}
+func (g *ClientConfigGetter) GetDefaultFilename() string {
+	return ""
+}
+func (g *ClientConfigGetter) IsExplicitFile() bool {
+	return false
+}
+func (g *ClientConfigGetter) GetExplicitFile() string {
+	return ""
+}
+func (g *ClientConfigGetter) IsDefaultConfig(config *restclient.Config) bool {
+	return false
+}
+
+// ClientConfigLoadingRules is an ExplicitPath and string slice of specific locations that are used for merging together a Config
+// Callers can put the chain together however they want, but we'd recommend:
+// EnvVarPathFiles if set (a list of files if set) OR the HomeDirectoryPath
+// ExplicitPath is special, because if a user specifically requests a certain file be used and error is reported if thie file is not present
+type ClientConfigLoadingRules struct {
+	ExplicitPath string
+	Precedence   []string
+
+	// MigrationRules is a map of destination files to source files.  If a destination file is not present, then the source file is checked.
+	// If the source file is present, then it is copied to the destination file BEFORE any further loading happens.
+	MigrationRules map[string]string
+
+	// DoNotResolvePaths indicates whether or not to resolve paths with respect to the originating files.  This is phrased as a negative so
+	// that a default object that doesn't set this will usually get the behavior it wants.
+	DoNotResolvePaths bool
+
+	// DefaultClientConfig is an optional field indicating what rules to use to calculate a default configuration.
+	// This should match the overrides passed in to ClientConfig loader.
+	DefaultClientConfig ClientConfig
+}
+
+// ClientConfigLoadingRules implements the ClientConfigLoader interface.
+var _ ClientConfigLoader = &ClientConfigLoadingRules{}
+
+// NewDefaultClientConfigLoadingRules returns a ClientConfigLoadingRules object with default fields filled in.  You are not required to
+// use this constructor
+func NewDefaultClientConfigLoadingRules() *ClientConfigLoadingRules {
+	chain := []string{}
+
+	envVarFiles := os.Getenv(RecommendedConfigPathEnvVar)
+	if len(envVarFiles) != 0 {
+		chain = append(chain, filepath.SplitList(envVarFiles)...)
+
+	} else {
+		chain = append(chain, RecommendedHomeFile)
+	}
+
+	return &ClientConfigLoadingRules{
+		Precedence:     chain,
+		MigrationRules: currentMigrationRules(),
+	}
+}
+
+// Load starts by running the MigrationRules and then
+// takes the loading rules and returns a Config object based on following rules.
+//   if the ExplicitPath, return the unmerged explicit file
+//   Otherwise, return a merged config based on the Precedence slice
+// A missing ExplicitPath file produces an error. Empty filenames or other missing files are ignored.
+// Read errors or files with non-deserializable content produce errors.
+// The first file to set a particular map key wins and map key's value is never changed.
+// BUT, if you set a struct value that is NOT contained inside of map, the value WILL be changed.
+// This results in some odd looking logic to merge in one direction, merge in the other, and then merge the two.
+// It also means that if two files specify a "red-user", only values from the first file's red-user are used.  Even
+// non-conflicting entries from the second file's "red-user" are discarded.
+// Relative paths inside of the .kubeconfig files are resolved against the .kubeconfig file's parent folder
+// and only absolute file paths are returned.
+func (rules *ClientConfigLoadingRules) Load() (*clientcmdapi.Config, error) {
+	if err := rules.Migrate(); err != nil {
+		return nil, err
+	}
+
+	errlist := []error{}
+
+	kubeConfigFiles := []string{}
+
+	// Make sure a file we were explicitly told to use exists
+	if len(rules.ExplicitPath) > 0 {
+		if _, err := os.Stat(rules.ExplicitPath); os.IsNotExist(err) {
+			return nil, err
+		}
+		kubeConfigFiles = append(kubeConfigFiles, rules.ExplicitPath)
+
+	} else {
+		kubeConfigFiles = append(kubeConfigFiles, rules.Precedence...)
+	}
+
+	kubeconfigs := []*clientcmdapi.Config{}
+	// read and cache the config files so that we only look at them once
+	for _, filename := range kubeConfigFiles {
+		if len(filename) == 0 {
+			// no work to do
+			continue
+		}
+
+		config, err := LoadFromFile(filename)
+		if os.IsNotExist(err) {
+			// skip missing files
+			continue
+		}
+		if err != nil {
+			errlist = append(errlist, fmt.Errorf("Error loading config file \"%s\": %v", filename, err))
+			continue
+		}
+
+		kubeconfigs = append(kubeconfigs, config)
+	}
+
+	// first merge all of our maps
+	mapConfig := clientcmdapi.NewConfig()
+
+	for _, kubeconfig := range kubeconfigs {
+		mergo.Merge(mapConfig, kubeconfig)
+	}
+
+	// merge all of the struct values in the reverse order so that priority is given correctly
+	// errors are not added to the list the second time
+	nonMapConfig := clientcmdapi.NewConfig()
+	for i := len(kubeconfigs) - 1; i >= 0; i-- {
+		kubeconfig := kubeconfigs[i]
+		mergo.Merge(nonMapConfig, kubeconfig)
+	}
+
+	// since values are overwritten, but maps values are not, we can merge the non-map config on top of the map config and
+	// get the values we expect.
+	config := clientcmdapi.NewConfig()
+	mergo.Merge(config, mapConfig)
+	mergo.Merge(config, nonMapConfig)
+
+	if rules.ResolvePaths() {
+		if err := ResolveLocalPaths(config); err != nil {
+			errlist = append(errlist, err)
+		}
+	}
+	return config, utilerrors.NewAggregate(errlist)
+}
+
+// Migrate uses the MigrationRules map.  If a destination file is not present, then the source file is checked.
+// If the source file is present, then it is copied to the destination file BEFORE any further loading happens.
+func (rules *ClientConfigLoadingRules) Migrate() error {
+	if rules.MigrationRules == nil {
+		return nil
+	}
+
+	for destination, source := range rules.MigrationRules {
+		if _, err := os.Stat(destination); err == nil {
+			// if the destination already exists, do nothing
+			continue
+		} else if os.IsPermission(err) {
+			// if we can't access the file, skip it
+			continue
+		} else if !os.IsNotExist(err) {
+			// if we had an error other than non-existence, fail
+			return err
+		}
+
+		if sourceInfo, err := os.Stat(source); err != nil {
+			if os.IsNotExist(err) || os.IsPermission(err) {
+				// if the source file doesn't exist or we can't access it, there's no work to do.
+				continue
+			}
+
+			// if we had an error other than non-existence, fail
+			return err
+		} else if sourceInfo.IsDir() {
+			return fmt.Errorf("cannot migrate %v to %v because it is a directory", source, destination)
+		}
+
+		in, err := os.Open(source)
+		if err != nil {
+			return err
+		}
+		defer in.Close()
+		out, err := os.Create(destination)
+		if err != nil {
+			return err
+		}
+		defer out.Close()
+
+		if _, err = io.Copy(out, in); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// GetLoadingPrecedence implements ConfigAccess
+func (rules *ClientConfigLoadingRules) GetLoadingPrecedence() []string {
+	return rules.Precedence
+}
+
+// GetStartingConfig implements ConfigAccess
+func (rules *ClientConfigLoadingRules) GetStartingConfig() (*clientcmdapi.Config, error) {
+	clientConfig := NewNonInteractiveDeferredLoadingClientConfig(rules, &ConfigOverrides{})
+	rawConfig, err := clientConfig.RawConfig()
+	if os.IsNotExist(err) {
+		return clientcmdapi.NewConfig(), nil
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return &rawConfig, nil
+}
+
+// GetDefaultFilename implements ConfigAccess
+func (rules *ClientConfigLoadingRules) GetDefaultFilename() string {
+	// Explicit file if we have one.
+	if rules.IsExplicitFile() {
+		return rules.GetExplicitFile()
+	}
+	// Otherwise, first existing file from precedence.
+	for _, filename := range rules.GetLoadingPrecedence() {
+		if _, err := os.Stat(filename); err == nil {
+			return filename
+		}
+	}
+	// If none exists, use the first from precedence.
+	if len(rules.Precedence) > 0 {
+		return rules.Precedence[0]
+	}
+	return ""
+}
+
+// IsExplicitFile implements ConfigAccess
+func (rules *ClientConfigLoadingRules) IsExplicitFile() bool {
+	return len(rules.ExplicitPath) > 0
+}
+
+// GetExplicitFile implements ConfigAccess
+func (rules *ClientConfigLoadingRules) GetExplicitFile() string {
+	return rules.ExplicitPath
+}
+
+// IsDefaultConfig returns true if the provided configuration matches the default
+func (rules *ClientConfigLoadingRules) IsDefaultConfig(config *restclient.Config) bool {
+	if rules.DefaultClientConfig == nil {
+		return false
+	}
+	defaultConfig, err := rules.DefaultClientConfig.ClientConfig()
+	if err != nil {
+		return false
+	}
+	return reflect.DeepEqual(config, defaultConfig)
+}
+
+// LoadFromFile takes a filename and deserializes the contents into Config object
+func LoadFromFile(filename string) (*clientcmdapi.Config, error) {
+	kubeconfigBytes, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	config, err := Load(kubeconfigBytes)
+	if err != nil {
+		return nil, err
+	}
+	glog.V(6).Infoln("Config loaded from file", filename)
+
+	// set LocationOfOrigin on every Cluster, User, and Context
+	for key, obj := range config.AuthInfos {
+		obj.LocationOfOrigin = filename
+		config.AuthInfos[key] = obj
+	}
+	for key, obj := range config.Clusters {
+		obj.LocationOfOrigin = filename
+		config.Clusters[key] = obj
+	}
+	for key, obj := range config.Contexts {
+		obj.LocationOfOrigin = filename
+		config.Contexts[key] = obj
+	}
+
+	if config.AuthInfos == nil {
+		config.AuthInfos = map[string]*clientcmdapi.AuthInfo{}
+	}
+	if config.Clusters == nil {
+		config.Clusters = map[string]*clientcmdapi.Cluster{}
+	}
+	if config.Contexts == nil {
+		config.Contexts = map[string]*clientcmdapi.Context{}
+	}
+
+	return config, nil
+}
+
+// Load takes a byte slice and deserializes the contents into Config object.
+// Encapsulates deserialization without assuming the source is a file.
+func Load(data []byte) (*clientcmdapi.Config, error) {
+	config := clientcmdapi.NewConfig()
+	// if there's no data in a file, return the default object instead of failing (DecodeInto reject empty input)
+	if len(data) == 0 {
+		return config, nil
+	}
+	decoded, _, err := clientcmdlatest.Codec.Decode(data, &schema.GroupVersionKind{Version: clientcmdlatest.Version, Kind: "Config"}, config)
+	if err != nil {
+		return nil, err
+	}
+	return decoded.(*clientcmdapi.Config), nil
+}
+
+// WriteToFile serializes the config to yaml and writes it out to a file.  If not present, it creates the file with the mode 0600.  If it is present
+// it stomps the contents
+func WriteToFile(config clientcmdapi.Config, filename string) error {
+	content, err := Write(config)
+	if err != nil {
+		return err
+	}
+	dir := filepath.Dir(filename)
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		if err = os.MkdirAll(dir, 0755); err != nil {
+			return err
+		}
+	}
+
+	if err := ioutil.WriteFile(filename, content, 0600); err != nil {
+		return err
+	}
+	return nil
+}
+
+func lockFile(filename string) error {
+	// TODO: find a way to do this with actual file locks. Will
+	// probably need seperate solution for windows and linux.
+
+	// Make sure the dir exists before we try to create a lock file.
+	dir := filepath.Dir(filename)
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		if err = os.MkdirAll(dir, 0755); err != nil {
+			return err
+		}
+	}
+	f, err := os.OpenFile(lockName(filename), os.O_CREATE|os.O_EXCL, 0)
+	if err != nil {
+		return err
+	}
+	f.Close()
+	return nil
+}
+
+func unlockFile(filename string) error {
+	return os.Remove(lockName(filename))
+}
+
+func lockName(filename string) string {
+	return filename + ".lock"
+}
+
+// Write serializes the config to yaml.
+// Encapsulates serialization without assuming the destination is a file.
+func Write(config clientcmdapi.Config) ([]byte, error) {
+	return runtime.Encode(clientcmdlatest.Codec, &config)
+}
+
+func (rules ClientConfigLoadingRules) ResolvePaths() bool {
+	return !rules.DoNotResolvePaths
+}
+
+// ResolveLocalPaths resolves all relative paths in the config object with respect to the stanza's LocationOfOrigin
+// this cannot be done directly inside of LoadFromFile because doing so there would make it impossible to load a file without
+// modification of its contents.
+func ResolveLocalPaths(config *clientcmdapi.Config) error {
+	for _, cluster := range config.Clusters {
+		if len(cluster.LocationOfOrigin) == 0 {
+			continue
+		}
+		base, err := filepath.Abs(filepath.Dir(cluster.LocationOfOrigin))
+		if err != nil {
+			return fmt.Errorf("Could not determine the absolute path of config file %s: %v", cluster.LocationOfOrigin, err)
+		}
+
+		if err := ResolvePaths(GetClusterFileReferences(cluster), base); err != nil {
+			return err
+		}
+	}
+	for _, authInfo := range config.AuthInfos {
+		if len(authInfo.LocationOfOrigin) == 0 {
+			continue
+		}
+		base, err := filepath.Abs(filepath.Dir(authInfo.LocationOfOrigin))
+		if err != nil {
+			return fmt.Errorf("Could not determine the absolute path of config file %s: %v", authInfo.LocationOfOrigin, err)
+		}
+
+		if err := ResolvePaths(GetAuthInfoFileReferences(authInfo), base); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// RelativizeClusterLocalPaths first absolutizes the paths by calling ResolveLocalPaths.  This assumes that any NEW path is already
+// absolute, but any existing path will be resolved relative to LocationOfOrigin
+func RelativizeClusterLocalPaths(cluster *clientcmdapi.Cluster) error {
+	if len(cluster.LocationOfOrigin) == 0 {
+		return fmt.Errorf("no location of origin for %s", cluster.Server)
+	}
+	base, err := filepath.Abs(filepath.Dir(cluster.LocationOfOrigin))
+	if err != nil {
+		return fmt.Errorf("could not determine the absolute path of config file %s: %v", cluster.LocationOfOrigin, err)
+	}
+
+	if err := ResolvePaths(GetClusterFileReferences(cluster), base); err != nil {
+		return err
+	}
+	if err := RelativizePathWithNoBacksteps(GetClusterFileReferences(cluster), base); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// RelativizeAuthInfoLocalPaths first absolutizes the paths by calling ResolveLocalPaths.  This assumes that any NEW path is already
+// absolute, but any existing path will be resolved relative to LocationOfOrigin
+func RelativizeAuthInfoLocalPaths(authInfo *clientcmdapi.AuthInfo) error {
+	if len(authInfo.LocationOfOrigin) == 0 {
+		return fmt.Errorf("no location of origin for %v", authInfo)
+	}
+	base, err := filepath.Abs(filepath.Dir(authInfo.LocationOfOrigin))
+	if err != nil {
+		return fmt.Errorf("could not determine the absolute path of config file %s: %v", authInfo.LocationOfOrigin, err)
+	}
+
+	if err := ResolvePaths(GetAuthInfoFileReferences(authInfo), base); err != nil {
+		return err
+	}
+	if err := RelativizePathWithNoBacksteps(GetAuthInfoFileReferences(authInfo), base); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func RelativizeConfigPaths(config *clientcmdapi.Config, base string) error {
+	return RelativizePathWithNoBacksteps(GetConfigFileReferences(config), base)
+}
+
+func ResolveConfigPaths(config *clientcmdapi.Config, base string) error {
+	return ResolvePaths(GetConfigFileReferences(config), base)
+}
+
+func GetConfigFileReferences(config *clientcmdapi.Config) []*string {
+	refs := []*string{}
+
+	for _, cluster := range config.Clusters {
+		refs = append(refs, GetClusterFileReferences(cluster)...)
+	}
+	for _, authInfo := range config.AuthInfos {
+		refs = append(refs, GetAuthInfoFileReferences(authInfo)...)
+	}
+
+	return refs
+}
+
+func GetClusterFileReferences(cluster *clientcmdapi.Cluster) []*string {
+	return []*string{&cluster.CertificateAuthority}
+}
+
+func GetAuthInfoFileReferences(authInfo *clientcmdapi.AuthInfo) []*string {
+	return []*string{&authInfo.ClientCertificate, &authInfo.ClientKey, &authInfo.TokenFile}
+}
+
+// ResolvePaths updates the given refs to be absolute paths, relative to the given base directory
+func ResolvePaths(refs []*string, base string) error {
+	for _, ref := range refs {
+		// Don't resolve empty paths
+		if len(*ref) > 0 {
+			// Don't resolve absolute paths
+			if !filepath.IsAbs(*ref) {
+				*ref = filepath.Join(base, *ref)
+			}
+		}
+	}
+	return nil
+}
+
+// RelativizePathWithNoBacksteps updates the given refs to be relative paths, relative to the given base directory as long as they do not require backsteps.
+// Any path requiring a backstep is left as-is as long it is absolute.  Any non-absolute path that can't be relativized produces an error
+func RelativizePathWithNoBacksteps(refs []*string, base string) error {
+	for _, ref := range refs {
+		// Don't relativize empty paths
+		if len(*ref) > 0 {
+			rel, err := MakeRelative(*ref, base)
+			if err != nil {
+				return err
+			}
+
+			// if we have a backstep, don't mess with the path
+			if strings.HasPrefix(rel, "../") {
+				if filepath.IsAbs(*ref) {
+					continue
+				}
+
+				return fmt.Errorf("%v requires backsteps and is not absolute", *ref)
+			}
+
+			*ref = rel
+		}
+	}
+	return nil
+}
+
+func MakeRelative(path, base string) (string, error) {
+	if len(path) > 0 {
+		rel, err := filepath.Rel(base, path)
+		if err != nil {
+			return path, err
+		}
+		return rel, nil
+	}
+	return path, nil
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/merged_client_builder.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/merged_client_builder.go
new file mode 100644
index 00000000..3f02111b
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/merged_client_builder.go
@@ -0,0 +1,169 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientcmd
+
+import (
+	"io"
+	"sync"
+
+	"github.com/golang/glog"
+
+	"k8s.io/api/core/v1"
+	restclient "k8s.io/client-go/rest"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+// DeferredLoadingClientConfig is a ClientConfig interface that is backed by a client config loader.
+// It is used in cases where the loading rules may change after you've instantiated them and you want to be sure that
+// the most recent rules are used.  This is useful in cases where you bind flags to loading rule parameters before
+// the parse happens and you want your calling code to be ignorant of how the values are being mutated to avoid
+// passing extraneous information down a call stack
+type DeferredLoadingClientConfig struct {
+	loader         ClientConfigLoader
+	overrides      *ConfigOverrides
+	fallbackReader io.Reader
+
+	clientConfig ClientConfig
+	loadingLock  sync.Mutex
+
+	// provided for testing
+	icc InClusterConfig
+}
+
+// InClusterConfig abstracts details of whether the client is running in a cluster for testing.
+type InClusterConfig interface {
+	ClientConfig
+	Possible() bool
+}
+
+// NewNonInteractiveDeferredLoadingClientConfig creates a ConfigClientClientConfig using the passed context name
+func NewNonInteractiveDeferredLoadingClientConfig(loader ClientConfigLoader, overrides *ConfigOverrides) ClientConfig {
+	return &DeferredLoadingClientConfig{loader: loader, overrides: overrides, icc: &inClusterClientConfig{overrides: overrides}}
+}
+
+// NewInteractiveDeferredLoadingClientConfig creates a ConfigClientClientConfig using the passed context name and the fallback auth reader
+func NewInteractiveDeferredLoadingClientConfig(loader ClientConfigLoader, overrides *ConfigOverrides, fallbackReader io.Reader) ClientConfig {
+	return &DeferredLoadingClientConfig{loader: loader, overrides: overrides, icc: &inClusterClientConfig{overrides: overrides}, fallbackReader: fallbackReader}
+}
+
+func (config *DeferredLoadingClientConfig) createClientConfig() (ClientConfig, error) {
+	if config.clientConfig == nil {
+		config.loadingLock.Lock()
+		defer config.loadingLock.Unlock()
+
+		if config.clientConfig == nil {
+			mergedConfig, err := config.loader.Load()
+			if err != nil {
+				return nil, err
+			}
+
+			var mergedClientConfig ClientConfig
+			if config.fallbackReader != nil {
+				mergedClientConfig = NewInteractiveClientConfig(*mergedConfig, config.overrides.CurrentContext, config.overrides, config.fallbackReader, config.loader)
+			} else {
+				mergedClientConfig = NewNonInteractiveClientConfig(*mergedConfig, config.overrides.CurrentContext, config.overrides, config.loader)
+			}
+
+			config.clientConfig = mergedClientConfig
+		}
+	}
+
+	return config.clientConfig, nil
+}
+
+func (config *DeferredLoadingClientConfig) RawConfig() (clientcmdapi.Config, error) {
+	mergedConfig, err := config.createClientConfig()
+	if err != nil {
+		return clientcmdapi.Config{}, err
+	}
+
+	return mergedConfig.RawConfig()
+}
+
+// ClientConfig implements ClientConfig
+func (config *DeferredLoadingClientConfig) ClientConfig() (*restclient.Config, error) {
+	mergedClientConfig, err := config.createClientConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	// load the configuration and return on non-empty errors and if the
+	// content differs from the default config
+	mergedConfig, err := mergedClientConfig.ClientConfig()
+	switch {
+	case err != nil:
+		if !IsEmptyConfig(err) {
+			// return on any error except empty config
+			return nil, err
+		}
+	case mergedConfig != nil:
+		// the configuration is valid, but if this is equal to the defaults we should try
+		// in-cluster configuration
+		if !config.loader.IsDefaultConfig(mergedConfig) {
+			return mergedConfig, nil
+		}
+	}
+
+	// check for in-cluster configuration and use it
+	if config.icc.Possible() {
+		glog.V(4).Infof("Using in-cluster configuration")
+		return config.icc.ClientConfig()
+	}
+
+	// return the result of the merged client config
+	return mergedConfig, err
+}
+
+// Namespace implements KubeConfig
+func (config *DeferredLoadingClientConfig) Namespace() (string, bool, error) {
+	mergedKubeConfig, err := config.createClientConfig()
+	if err != nil {
+		return "", false, err
+	}
+
+	ns, overridden, err := mergedKubeConfig.Namespace()
+	// if we get an error and it is not empty config, or if the merged config defined an explicit namespace, or
+	// if in-cluster config is not possible, return immediately
+	if (err != nil && !IsEmptyConfig(err)) || overridden || !config.icc.Possible() {
+		// return on any error except empty config
+		return ns, overridden, err
+	}
+
+	if len(ns) > 0 {
+		// if we got a non-default namespace from the kubeconfig, use it
+		if ns != v1.NamespaceDefault {
+			return ns, false, nil
+		}
+
+		// if we got a default namespace, determine whether it was explicit or implicit
+		if raw, err := mergedKubeConfig.RawConfig(); err == nil {
+			if context := raw.Contexts[raw.CurrentContext]; context != nil && len(context.Namespace) > 0 {
+				return ns, false, nil
+			}
+		}
+	}
+
+	glog.V(4).Infof("Using in-cluster namespace")
+
+	// allow the namespace from the service account token directory to be used.
+	return config.icc.Namespace()
+}
+
+// ConfigAccess implements ClientConfig
+func (config *DeferredLoadingClientConfig) ConfigAccess() ConfigAccess {
+	return config.loader
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/overrides.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/overrides.go
new file mode 100644
index 00000000..bfca0328
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/overrides.go
@@ -0,0 +1,247 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientcmd
+
+import (
+	"strconv"
+	"strings"
+
+	"github.com/spf13/pflag"
+
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+// ConfigOverrides holds values that should override whatever information is pulled from the actual Config object.  You can't
+// simply use an actual Config object, because Configs hold maps, but overrides are restricted to "at most one"
+type ConfigOverrides struct {
+	AuthInfo clientcmdapi.AuthInfo
+	// ClusterDefaults are applied before the configured cluster info is loaded.
+	ClusterDefaults clientcmdapi.Cluster
+	ClusterInfo     clientcmdapi.Cluster
+	Context         clientcmdapi.Context
+	CurrentContext  string
+	Timeout         string
+}
+
+// ConfigOverrideFlags holds the flag names to be used for binding command line flags. Notice that this structure tightly
+// corresponds to ConfigOverrides
+type ConfigOverrideFlags struct {
+	AuthOverrideFlags    AuthOverrideFlags
+	ClusterOverrideFlags ClusterOverrideFlags
+	ContextOverrideFlags ContextOverrideFlags
+	CurrentContext       FlagInfo
+	Timeout              FlagInfo
+}
+
+// AuthOverrideFlags holds the flag names to be used for binding command line flags for AuthInfo objects
+type AuthOverrideFlags struct {
+	ClientCertificate FlagInfo
+	ClientKey         FlagInfo
+	Token             FlagInfo
+	Impersonate       FlagInfo
+	ImpersonateGroups FlagInfo
+	Username          FlagInfo
+	Password          FlagInfo
+}
+
+// ContextOverrideFlags holds the flag names to be used for binding command line flags for Cluster objects
+type ContextOverrideFlags struct {
+	ClusterName  FlagInfo
+	AuthInfoName FlagInfo
+	Namespace    FlagInfo
+}
+
+// ClusterOverride holds the flag names to be used for binding command line flags for Cluster objects
+type ClusterOverrideFlags struct {
+	APIServer             FlagInfo
+	APIVersion            FlagInfo
+	CertificateAuthority  FlagInfo
+	InsecureSkipTLSVerify FlagInfo
+}
+
+// FlagInfo contains information about how to register a flag.  This struct is useful if you want to provide a way for an extender to
+// get back a set of recommended flag names, descriptions, and defaults, but allow for customization by an extender.  This makes for
+// coherent extension, without full prescription
+type FlagInfo struct {
+	// LongName is the long string for a flag.  If this is empty, then the flag will not be bound
+	LongName string
+	// ShortName is the single character for a flag.  If this is empty, then there will be no short flag
+	ShortName string
+	// Default is the default value for the flag
+	Default string
+	// Description is the description for the flag
+	Description string
+}
+
+// AddSecretAnnotation add secret flag to Annotation.
+func (f FlagInfo) AddSecretAnnotation(flags *pflag.FlagSet) FlagInfo {
+	flags.SetAnnotation(f.LongName, "classified", []string{"true"})
+	return f
+}
+
+// BindStringFlag binds the flag based on the provided info.  If LongName == "", nothing is registered
+func (f FlagInfo) BindStringFlag(flags *pflag.FlagSet, target *string) FlagInfo {
+	// you can't register a flag without a long name
+	if len(f.LongName) > 0 {
+		flags.StringVarP(target, f.LongName, f.ShortName, f.Default, f.Description)
+	}
+	return f
+}
+
+// BindTransformingStringFlag binds the flag based on the provided info.  If LongName == "", nothing is registered
+func (f FlagInfo) BindTransformingStringFlag(flags *pflag.FlagSet, target *string, transformer func(string) (string, error)) FlagInfo {
+	// you can't register a flag without a long name
+	if len(f.LongName) > 0 {
+		flags.VarP(newTransformingStringValue(f.Default, target, transformer), f.LongName, f.ShortName, f.Description)
+	}
+	return f
+}
+
+// BindStringSliceFlag binds the flag based on the provided info.  If LongName == "", nothing is registered
+func (f FlagInfo) BindStringArrayFlag(flags *pflag.FlagSet, target *[]string) FlagInfo {
+	// you can't register a flag without a long name
+	if len(f.LongName) > 0 {
+		sliceVal := []string{}
+		if len(f.Default) > 0 {
+			sliceVal = []string{f.Default}
+		}
+		flags.StringArrayVarP(target, f.LongName, f.ShortName, sliceVal, f.Description)
+	}
+	return f
+}
+
+// BindBoolFlag binds the flag based on the provided info.  If LongName == "", nothing is registered
+func (f FlagInfo) BindBoolFlag(flags *pflag.FlagSet, target *bool) FlagInfo {
+	// you can't register a flag without a long name
+	if len(f.LongName) > 0 {
+		// try to parse Default as a bool.  If it fails, assume false
+		boolVal, err := strconv.ParseBool(f.Default)
+		if err != nil {
+			boolVal = false
+		}
+
+		flags.BoolVarP(target, f.LongName, f.ShortName, boolVal, f.Description)
+	}
+	return f
+}
+
+const (
+	FlagClusterName      = "cluster"
+	FlagAuthInfoName     = "user"
+	FlagContext          = "context"
+	FlagNamespace        = "namespace"
+	FlagAPIServer        = "server"
+	FlagInsecure         = "insecure-skip-tls-verify"
+	FlagCertFile         = "client-certificate"
+	FlagKeyFile          = "client-key"
+	FlagCAFile           = "certificate-authority"
+	FlagEmbedCerts       = "embed-certs"
+	FlagBearerToken      = "token"
+	FlagImpersonate      = "as"
+	FlagImpersonateGroup = "as-group"
+	FlagUsername         = "username"
+	FlagPassword         = "password"
+	FlagTimeout          = "request-timeout"
+)
+
+// RecommendedConfigOverrideFlags is a convenience method to return recommended flag names prefixed with a string of your choosing
+func RecommendedConfigOverrideFlags(prefix string) ConfigOverrideFlags {
+	return ConfigOverrideFlags{
+		AuthOverrideFlags:    RecommendedAuthOverrideFlags(prefix),
+		ClusterOverrideFlags: RecommendedClusterOverrideFlags(prefix),
+		ContextOverrideFlags: RecommendedContextOverrideFlags(prefix),
+
+		CurrentContext: FlagInfo{prefix + FlagContext, "", "", "The name of the kubeconfig context to use"},
+		Timeout:        FlagInfo{prefix + FlagTimeout, "", "0", "The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests."},
+	}
+}
+
+// RecommendedAuthOverrideFlags is a convenience method to return recommended flag names prefixed with a string of your choosing
+func RecommendedAuthOverrideFlags(prefix string) AuthOverrideFlags {
+	return AuthOverrideFlags{
+		ClientCertificate: FlagInfo{prefix + FlagCertFile, "", "", "Path to a client certificate file for TLS"},
+		ClientKey:         FlagInfo{prefix + FlagKeyFile, "", "", "Path to a client key file for TLS"},
+		Token:             FlagInfo{prefix + FlagBearerToken, "", "", "Bearer token for authentication to the API server"},
+		Impersonate:       FlagInfo{prefix + FlagImpersonate, "", "", "Username to impersonate for the operation"},
+		ImpersonateGroups: FlagInfo{prefix + FlagImpersonateGroup, "", "", "Group to impersonate for the operation, this flag can be repeated to specify multiple groups."},
+		Username:          FlagInfo{prefix + FlagUsername, "", "", "Username for basic authentication to the API server"},
+		Password:          FlagInfo{prefix + FlagPassword, "", "", "Password for basic authentication to the API server"},
+	}
+}
+
+// RecommendedClusterOverrideFlags is a convenience method to return recommended flag names prefixed with a string of your choosing
+func RecommendedClusterOverrideFlags(prefix string) ClusterOverrideFlags {
+	return ClusterOverrideFlags{
+		APIServer:             FlagInfo{prefix + FlagAPIServer, "", "", "The address and port of the Kubernetes API server"},
+		CertificateAuthority:  FlagInfo{prefix + FlagCAFile, "", "", "Path to a cert file for the certificate authority"},
+		InsecureSkipTLSVerify: FlagInfo{prefix + FlagInsecure, "", "false", "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure"},
+	}
+}
+
+// RecommendedContextOverrideFlags is a convenience method to return recommended flag names prefixed with a string of your choosing
+func RecommendedContextOverrideFlags(prefix string) ContextOverrideFlags {
+	return ContextOverrideFlags{
+		ClusterName:  FlagInfo{prefix + FlagClusterName, "", "", "The name of the kubeconfig cluster to use"},
+		AuthInfoName: FlagInfo{prefix + FlagAuthInfoName, "", "", "The name of the kubeconfig user to use"},
+		Namespace:    FlagInfo{prefix + FlagNamespace, "n", "", "If present, the namespace scope for this CLI request"},
+	}
+}
+
+// BindOverrideFlags is a convenience method to bind the specified flags to their associated variables
+func BindOverrideFlags(overrides *ConfigOverrides, flags *pflag.FlagSet, flagNames ConfigOverrideFlags) {
+	BindAuthInfoFlags(&overrides.AuthInfo, flags, flagNames.AuthOverrideFlags)
+	BindClusterFlags(&overrides.ClusterInfo, flags, flagNames.ClusterOverrideFlags)
+	BindContextFlags(&overrides.Context, flags, flagNames.ContextOverrideFlags)
+	flagNames.CurrentContext.BindStringFlag(flags, &overrides.CurrentContext)
+	flagNames.Timeout.BindStringFlag(flags, &overrides.Timeout)
+}
+
+// BindAuthInfoFlags is a convenience method to bind the specified flags to their associated variables
+func BindAuthInfoFlags(authInfo *clientcmdapi.AuthInfo, flags *pflag.FlagSet, flagNames AuthOverrideFlags) {
+	flagNames.ClientCertificate.BindStringFlag(flags, &authInfo.ClientCertificate).AddSecretAnnotation(flags)
+	flagNames.ClientKey.BindStringFlag(flags, &authInfo.ClientKey).AddSecretAnnotation(flags)
+	flagNames.Token.BindStringFlag(flags, &authInfo.Token).AddSecretAnnotation(flags)
+	flagNames.Impersonate.BindStringFlag(flags, &authInfo.Impersonate).AddSecretAnnotation(flags)
+	flagNames.ImpersonateGroups.BindStringArrayFlag(flags, &authInfo.ImpersonateGroups).AddSecretAnnotation(flags)
+	flagNames.Username.BindStringFlag(flags, &authInfo.Username).AddSecretAnnotation(flags)
+	flagNames.Password.BindStringFlag(flags, &authInfo.Password).AddSecretAnnotation(flags)
+}
+
+// BindClusterFlags is a convenience method to bind the specified flags to their associated variables
+func BindClusterFlags(clusterInfo *clientcmdapi.Cluster, flags *pflag.FlagSet, flagNames ClusterOverrideFlags) {
+	flagNames.APIServer.BindStringFlag(flags, &clusterInfo.Server)
+	flagNames.CertificateAuthority.BindStringFlag(flags, &clusterInfo.CertificateAuthority)
+	flagNames.InsecureSkipTLSVerify.BindBoolFlag(flags, &clusterInfo.InsecureSkipTLSVerify)
+}
+
+// BindFlags is a convenience method to bind the specified flags to their associated variables
+func BindContextFlags(contextInfo *clientcmdapi.Context, flags *pflag.FlagSet, flagNames ContextOverrideFlags) {
+	flagNames.ClusterName.BindStringFlag(flags, &contextInfo.Cluster)
+	flagNames.AuthInfoName.BindStringFlag(flags, &contextInfo.AuthInfo)
+	flagNames.Namespace.BindTransformingStringFlag(flags, &contextInfo.Namespace, RemoveNamespacesPrefix)
+}
+
+// RemoveNamespacesPrefix is a transformer that strips "ns/", "namespace/" and "namespaces/" prefixes case-insensitively
+func RemoveNamespacesPrefix(value string) (string, error) {
+	for _, prefix := range []string{"namespaces/", "namespace/", "ns/"} {
+		if len(value) > len(prefix) && strings.EqualFold(value[0:len(prefix)], prefix) {
+			value = value[len(prefix):]
+			break
+		}
+	}
+	return value, nil
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/clientcmd/validation.go b/cli/vendor/k8s.io/client-go/tools/clientcmd/validation.go
new file mode 100644
index 00000000..2bae0c39
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/clientcmd/validation.go
@@ -0,0 +1,275 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package clientcmd
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"reflect"
+	"strings"
+
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/validation"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
+)
+
+var (
+	ErrNoContext   = errors.New("no context chosen")
+	ErrEmptyConfig = errors.New("no configuration has been provided")
+	// message is for consistency with old behavior
+	ErrEmptyCluster = errors.New("cluster has no server defined")
+)
+
+type errContextNotFound struct {
+	ContextName string
+}
+
+func (e *errContextNotFound) Error() string {
+	return fmt.Sprintf("context was not found for specified context: %v", e.ContextName)
+}
+
+// IsContextNotFound returns a boolean indicating whether the error is known to
+// report that a context was not found
+func IsContextNotFound(err error) bool {
+	if err == nil {
+		return false
+	}
+	if _, ok := err.(*errContextNotFound); ok || err == ErrNoContext {
+		return true
+	}
+	return strings.Contains(err.Error(), "context was not found for specified context")
+}
+
+// IsEmptyConfig returns true if the provided error indicates the provided configuration
+// is empty.
+func IsEmptyConfig(err error) bool {
+	switch t := err.(type) {
+	case errConfigurationInvalid:
+		return len(t) == 1 && t[0] == ErrEmptyConfig
+	}
+	return err == ErrEmptyConfig
+}
+
+// errConfigurationInvalid is a set of errors indicating the configuration is invalid.
+type errConfigurationInvalid []error
+
+// errConfigurationInvalid implements error and Aggregate
+var _ error = errConfigurationInvalid{}
+var _ utilerrors.Aggregate = errConfigurationInvalid{}
+
+func newErrConfigurationInvalid(errs []error) error {
+	switch len(errs) {
+	case 0:
+		return nil
+	default:
+		return errConfigurationInvalid(errs)
+	}
+}
+
+// Error implements the error interface
+func (e errConfigurationInvalid) Error() string {
+	return fmt.Sprintf("invalid configuration: %v", utilerrors.NewAggregate(e).Error())
+}
+
+// Errors implements the AggregateError interface
+func (e errConfigurationInvalid) Errors() []error {
+	return e
+}
+
+// IsConfigurationInvalid returns true if the provided error indicates the configuration is invalid.
+func IsConfigurationInvalid(err error) bool {
+	switch err.(type) {
+	case *errContextNotFound, errConfigurationInvalid:
+		return true
+	}
+	return IsContextNotFound(err)
+}
+
+// Validate checks for errors in the Config.  It does not return early so that it can find as many errors as possible.
+func Validate(config clientcmdapi.Config) error {
+	validationErrors := make([]error, 0)
+
+	if clientcmdapi.IsConfigEmpty(&config) {
+		return newErrConfigurationInvalid([]error{ErrEmptyConfig})
+	}
+
+	if len(config.CurrentContext) != 0 {
+		if _, exists := config.Contexts[config.CurrentContext]; !exists {
+			validationErrors = append(validationErrors, &errContextNotFound{config.CurrentContext})
+		}
+	}
+
+	for contextName, context := range config.Contexts {
+		validationErrors = append(validationErrors, validateContext(contextName, *context, config)...)
+	}
+
+	for authInfoName, authInfo := range config.AuthInfos {
+		validationErrors = append(validationErrors, validateAuthInfo(authInfoName, *authInfo)...)
+	}
+
+	for clusterName, clusterInfo := range config.Clusters {
+		validationErrors = append(validationErrors, validateClusterInfo(clusterName, *clusterInfo)...)
+	}
+
+	return newErrConfigurationInvalid(validationErrors)
+}
+
+// ConfirmUsable looks a particular context and determines if that particular part of the config is useable.  There might still be errors in the config,
+// but no errors in the sections requested or referenced.  It does not return early so that it can find as many errors as possible.
+func ConfirmUsable(config clientcmdapi.Config, passedContextName string) error {
+	validationErrors := make([]error, 0)
+
+	if clientcmdapi.IsConfigEmpty(&config) {
+		return newErrConfigurationInvalid([]error{ErrEmptyConfig})
+	}
+
+	var contextName string
+	if len(passedContextName) != 0 {
+		contextName = passedContextName
+	} else {
+		contextName = config.CurrentContext
+	}
+
+	if len(contextName) == 0 {
+		return ErrNoContext
+	}
+
+	context, exists := config.Contexts[contextName]
+	if !exists {
+		validationErrors = append(validationErrors, &errContextNotFound{contextName})
+	}
+
+	if exists {
+		validationErrors = append(validationErrors, validateContext(contextName, *context, config)...)
+		validationErrors = append(validationErrors, validateAuthInfo(context.AuthInfo, *config.AuthInfos[context.AuthInfo])...)
+		validationErrors = append(validationErrors, validateClusterInfo(context.Cluster, *config.Clusters[context.Cluster])...)
+	}
+
+	return newErrConfigurationInvalid(validationErrors)
+}
+
+// validateClusterInfo looks for conflicts and errors in the cluster info
+func validateClusterInfo(clusterName string, clusterInfo clientcmdapi.Cluster) []error {
+	validationErrors := make([]error, 0)
+
+	emptyCluster := clientcmdapi.NewCluster()
+	if reflect.DeepEqual(*emptyCluster, clusterInfo) {
+		return []error{ErrEmptyCluster}
+	}
+
+	if len(clusterInfo.Server) == 0 {
+		if len(clusterName) == 0 {
+			validationErrors = append(validationErrors, fmt.Errorf("default cluster has no server defined"))
+		} else {
+			validationErrors = append(validationErrors, fmt.Errorf("no server found for cluster %q", clusterName))
+		}
+	}
+	// Make sure CA data and CA file aren't both specified
+	if len(clusterInfo.CertificateAuthority) != 0 && len(clusterInfo.CertificateAuthorityData) != 0 {
+		validationErrors = append(validationErrors, fmt.Errorf("certificate-authority-data and certificate-authority are both specified for %v. certificate-authority-data will override.", clusterName))
+	}
+	if len(clusterInfo.CertificateAuthority) != 0 {
+		clientCertCA, err := os.Open(clusterInfo.CertificateAuthority)
+		defer clientCertCA.Close()
+		if err != nil {
+			validationErrors = append(validationErrors, fmt.Errorf("unable to read certificate-authority %v for %v due to %v", clusterInfo.CertificateAuthority, clusterName, err))
+		}
+	}
+
+	return validationErrors
+}
+
+// validateAuthInfo looks for conflicts and errors in the auth info
+func validateAuthInfo(authInfoName string, authInfo clientcmdapi.AuthInfo) []error {
+	validationErrors := make([]error, 0)
+
+	usingAuthPath := false
+	methods := make([]string, 0, 3)
+	if len(authInfo.Token) != 0 {
+		methods = append(methods, "token")
+	}
+	if len(authInfo.Username) != 0 || len(authInfo.Password) != 0 {
+		methods = append(methods, "basicAuth")
+	}
+
+	if len(authInfo.ClientCertificate) != 0 || len(authInfo.ClientCertificateData) != 0 {
+		// Make sure cert data and file aren't both specified
+		if len(authInfo.ClientCertificate) != 0 && len(authInfo.ClientCertificateData) != 0 {
+			validationErrors = append(validationErrors, fmt.Errorf("client-cert-data and client-cert are both specified for %v. client-cert-data will override.", authInfoName))
+		}
+		// Make sure key data and file aren't both specified
+		if len(authInfo.ClientKey) != 0 && len(authInfo.ClientKeyData) != 0 {
+			validationErrors = append(validationErrors, fmt.Errorf("client-key-data and client-key are both specified for %v; client-key-data will override", authInfoName))
+		}
+		// Make sure a key is specified
+		if len(authInfo.ClientKey) == 0 && len(authInfo.ClientKeyData) == 0 {
+			validationErrors = append(validationErrors, fmt.Errorf("client-key-data or client-key must be specified for %v to use the clientCert authentication method.", authInfoName))
+		}
+
+		if len(authInfo.ClientCertificate) != 0 {
+			clientCertFile, err := os.Open(authInfo.ClientCertificate)
+			defer clientCertFile.Close()
+			if err != nil {
+				validationErrors = append(validationErrors, fmt.Errorf("unable to read client-cert %v for %v due to %v", authInfo.ClientCertificate, authInfoName, err))
+			}
+		}
+		if len(authInfo.ClientKey) != 0 {
+			clientKeyFile, err := os.Open(authInfo.ClientKey)
+			defer clientKeyFile.Close()
+			if err != nil {
+				validationErrors = append(validationErrors, fmt.Errorf("unable to read client-key %v for %v due to %v", authInfo.ClientKey, authInfoName, err))
+			}
+		}
+	}
+
+	// authPath also provides information for the client to identify the server, so allow multiple auth methods in that case
+	if (len(methods) > 1) && (!usingAuthPath) {
+		validationErrors = append(validationErrors, fmt.Errorf("more than one authentication method found for %v; found %v, only one is allowed", authInfoName, methods))
+	}
+
+	// ImpersonateGroups or ImpersonateUserExtra should be requested with a user
+	if (len(authInfo.ImpersonateGroups) > 0 || len(authInfo.ImpersonateUserExtra) > 0) && (len(authInfo.Impersonate) == 0) {
+		validationErrors = append(validationErrors, fmt.Errorf("requesting groups or user-extra for %v without impersonating a user", authInfoName))
+	}
+	return validationErrors
+}
+
+// validateContext looks for errors in the context.  It is not transitive, so errors in the reference authInfo or cluster configs are not included in this return
+func validateContext(contextName string, context clientcmdapi.Context, config clientcmdapi.Config) []error {
+	validationErrors := make([]error, 0)
+
+	if len(context.AuthInfo) == 0 {
+		validationErrors = append(validationErrors, fmt.Errorf("user was not specified for context %q", contextName))
+	} else if _, exists := config.AuthInfos[context.AuthInfo]; !exists {
+		validationErrors = append(validationErrors, fmt.Errorf("user %q was not found for context %q", context.AuthInfo, contextName))
+	}
+
+	if len(context.Cluster) == 0 {
+		validationErrors = append(validationErrors, fmt.Errorf("cluster was not specified for context %q", contextName))
+	} else if _, exists := config.Clusters[context.Cluster]; !exists {
+		validationErrors = append(validationErrors, fmt.Errorf("cluster %q was not found for context %q", context.Cluster, contextName))
+	}
+
+	if len(context.Namespace) != 0 {
+		if len(validation.IsDNS1123Label(context.Namespace)) != 0 {
+			validationErrors = append(validationErrors, fmt.Errorf("namespace %q for context %q does not conform to the kubernetes DNS_LABEL rules", context.Namespace, contextName))
+		}
+	}
+
+	return validationErrors
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/metrics/metrics.go b/cli/vendor/k8s.io/client-go/tools/metrics/metrics.go
new file mode 100644
index 00000000..a01306c6
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/metrics/metrics.go
@@ -0,0 +1,61 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package metrics provides abstractions for registering which metrics
+// to record.
+package metrics
+
+import (
+	"net/url"
+	"sync"
+	"time"
+)
+
+var registerMetrics sync.Once
+
+// LatencyMetric observes client latency partitioned by verb and url.
+type LatencyMetric interface {
+	Observe(verb string, u url.URL, latency time.Duration)
+}
+
+// ResultMetric counts response codes partitioned by method and host.
+type ResultMetric interface {
+	Increment(code string, method string, host string)
+}
+
+var (
+	// RequestLatency is the latency metric that rest clients will update.
+	RequestLatency LatencyMetric = noopLatency{}
+	// RequestResult is the result metric that rest clients will update.
+	RequestResult ResultMetric = noopResult{}
+)
+
+// Register registers metrics for the rest client to use. This can
+// only be called once.
+func Register(lm LatencyMetric, rm ResultMetric) {
+	registerMetrics.Do(func() {
+		RequestLatency = lm
+		RequestResult = rm
+	})
+}
+
+type noopLatency struct{}
+
+func (noopLatency) Observe(string, url.URL, time.Duration) {}
+
+type noopResult struct{}
+
+func (noopResult) Increment(string, string, string) {}
diff --git a/cli/vendor/k8s.io/client-go/tools/pager/pager.go b/cli/vendor/k8s.io/client-go/tools/pager/pager.go
new file mode 100644
index 00000000..2e0874e0
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/pager/pager.go
@@ -0,0 +1,118 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pager
+
+import (
+	"fmt"
+
+	"golang.org/x/net/context"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+const defaultPageSize = 500
+
+// ListPageFunc returns a list object for the given list options.
+type ListPageFunc func(ctx context.Context, opts metav1.ListOptions) (runtime.Object, error)
+
+// SimplePageFunc adapts a context-less list function into one that accepts a context.
+func SimplePageFunc(fn func(opts metav1.ListOptions) (runtime.Object, error)) ListPageFunc {
+	return func(ctx context.Context, opts metav1.ListOptions) (runtime.Object, error) {
+		return fn(opts)
+	}
+}
+
+// ListPager assists client code in breaking large list queries into multiple
+// smaller chunks of PageSize or smaller. PageFn is expected to accept a
+// metav1.ListOptions that supports paging and return a list. The pager does
+// not alter the field or label selectors on the initial options list.
+type ListPager struct {
+	PageSize int64
+	PageFn   ListPageFunc
+
+	FullListIfExpired bool
+}
+
+// New creates a new pager from the provided pager function using the default
+// options. It will fall back to a full list if an expiration error is encountered
+// as a last resort.
+func New(fn ListPageFunc) *ListPager {
+	return &ListPager{
+		PageSize:          defaultPageSize,
+		PageFn:            fn,
+		FullListIfExpired: true,
+	}
+}
+
+// TODO: introduce other types of paging functions - such as those that retrieve from a list
+// of namespaces.
+
+// List returns a single list object, but attempts to retrieve smaller chunks from the
+// server to reduce the impact on the server. If the chunk attempt fails, it will load
+// the full list instead. The Limit field on options, if unset, will default to the page size.
+func (p *ListPager) List(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) {
+	if options.Limit == 0 {
+		options.Limit = p.PageSize
+	}
+	var list *metainternalversion.List
+	for {
+		obj, err := p.PageFn(ctx, options)
+		if err != nil {
+			if !errors.IsResourceExpired(err) || !p.FullListIfExpired {
+				return nil, err
+			}
+			// the list expired while we were processing, fall back to a full list
+			options.Limit = 0
+			options.Continue = ""
+			return p.PageFn(ctx, options)
+		}
+		m, err := meta.ListAccessor(obj)
+		if err != nil {
+			return nil, fmt.Errorf("returned object must be a list: %v", err)
+		}
+
+		// exit early and return the object we got if we haven't processed any pages
+		if len(m.GetContinue()) == 0 && list == nil {
+			return obj, nil
+		}
+
+		// initialize the list and fill its contents
+		if list == nil {
+			list = &metainternalversion.List{Items: make([]runtime.Object, 0, options.Limit+1)}
+			list.ResourceVersion = m.GetResourceVersion()
+			list.SelfLink = m.GetSelfLink()
+		}
+		if err := meta.EachListItem(obj, func(obj runtime.Object) error {
+			list.Items = append(list.Items, obj)
+			return nil
+		}); err != nil {
+			return nil, err
+		}
+
+		// if we have no more items, return the list
+		if len(m.GetContinue()) == 0 {
+			return list, nil
+		}
+
+		// set the next loop up
+		options.Continue = m.GetContinue()
+	}
+}
diff --git a/cli/vendor/k8s.io/client-go/tools/reference/ref.go b/cli/vendor/k8s.io/client-go/tools/reference/ref.go
new file mode 100644
index 00000000..58b60fd5
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/tools/reference/ref.go
@@ -0,0 +1,122 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package reference
+
+import (
+	"errors"
+	"fmt"
+	"net/url"
+	"strings"
+
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+var (
+	// Errors that could be returned by GetReference.
+	ErrNilObject  = errors.New("can't reference a nil object")
+	ErrNoSelfLink = errors.New("selfLink was empty, can't make reference")
+)
+
+// GetReference returns an ObjectReference which refers to the given
+// object, or an error if the object doesn't follow the conventions
+// that would allow this.
+// TODO: should take a meta.Interface see http://issue.k8s.io/7127
+func GetReference(scheme *runtime.Scheme, obj runtime.Object) (*v1.ObjectReference, error) {
+	if obj == nil {
+		return nil, ErrNilObject
+	}
+	if ref, ok := obj.(*v1.ObjectReference); ok {
+		// Don't make a reference to a reference.
+		return ref, nil
+	}
+
+	gvk := obj.GetObjectKind().GroupVersionKind()
+
+	// if the object referenced is actually persisted, we can just get kind from meta
+	// if we are building an object reference to something not yet persisted, we should fallback to scheme
+	kind := gvk.Kind
+	if len(kind) == 0 {
+		// TODO: this is wrong
+		gvks, _, err := scheme.ObjectKinds(obj)
+		if err != nil {
+			return nil, err
+		}
+		kind = gvks[0].Kind
+	}
+
+	// An object that implements only List has enough metadata to build a reference
+	var listMeta metav1.Common
+	objectMeta, err := meta.Accessor(obj)
+	if err != nil {
+		listMeta, err = meta.CommonAccessor(obj)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		listMeta = objectMeta
+	}
+
+	// if the object referenced is actually persisted, we can also get version from meta
+	version := gvk.GroupVersion().String()
+	if len(version) == 0 {
+		selfLink := listMeta.GetSelfLink()
+		if len(selfLink) == 0 {
+			return nil, ErrNoSelfLink
+		}
+		selfLinkUrl, err := url.Parse(selfLink)
+		if err != nil {
+			return nil, err
+		}
+		// example paths: /<prefix>/<version>/*
+		parts := strings.Split(selfLinkUrl.Path, "/")
+		if len(parts) < 3 {
+			return nil, fmt.Errorf("unexpected self link format: '%v'; got version '%v'", selfLink, version)
+		}
+		version = parts[2]
+	}
+
+	// only has list metadata
+	if objectMeta == nil {
+		return &v1.ObjectReference{
+			Kind:            kind,
+			APIVersion:      version,
+			ResourceVersion: listMeta.GetResourceVersion(),
+		}, nil
+	}
+
+	return &v1.ObjectReference{
+		Kind:            kind,
+		APIVersion:      version,
+		Name:            objectMeta.GetName(),
+		Namespace:       objectMeta.GetNamespace(),
+		UID:             objectMeta.GetUID(),
+		ResourceVersion: objectMeta.GetResourceVersion(),
+	}, nil
+}
+
+// GetPartialReference is exactly like GetReference, but allows you to set the FieldPath.
+func GetPartialReference(scheme *runtime.Scheme, obj runtime.Object, fieldPath string) (*v1.ObjectReference, error) {
+	ref, err := GetReference(scheme, obj)
+	if err != nil {
+		return nil, err
+	}
+	ref.FieldPath = fieldPath
+	return ref, nil
+}
diff --git a/cli/vendor/k8s.io/client-go/transport/cache.go b/cli/vendor/k8s.io/client-go/transport/cache.go
new file mode 100644
index 00000000..da22cdee
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/transport/cache.go
@@ -0,0 +1,92 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package transport
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"sync"
+	"time"
+
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+)
+
+// TlsTransportCache caches TLS http.RoundTrippers different configurations. The
+// same RoundTripper will be returned for configs with identical TLS options If
+// the config has no custom TLS options, http.DefaultTransport is returned.
+type tlsTransportCache struct {
+	mu         sync.Mutex
+	transports map[string]*http.Transport
+}
+
+const idleConnsPerHost = 25
+
+var tlsCache = &tlsTransportCache{transports: make(map[string]*http.Transport)}
+
+func (c *tlsTransportCache) get(config *Config) (http.RoundTripper, error) {
+	key, err := tlsConfigKey(config)
+	if err != nil {
+		return nil, err
+	}
+
+	// Ensure we only create a single transport for the given TLS options
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	// See if we already have a custom transport for this config
+	if t, ok := c.transports[key]; ok {
+		return t, nil
+	}
+
+	// Get the TLS options for this client config
+	tlsConfig, err := TLSConfigFor(config)
+	if err != nil {
+		return nil, err
+	}
+	// The options didn't require a custom TLS config
+	if tlsConfig == nil {
+		return http.DefaultTransport, nil
+	}
+
+	dial := config.Dial
+	if dial == nil {
+		dial = (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).Dial
+	}
+	// Cache a single transport for these options
+	c.transports[key] = utilnet.SetTransportDefaults(&http.Transport{
+		Proxy:               http.ProxyFromEnvironment,
+		TLSHandshakeTimeout: 10 * time.Second,
+		TLSClientConfig:     tlsConfig,
+		MaxIdleConnsPerHost: idleConnsPerHost,
+		Dial:                dial,
+	})
+	return c.transports[key], nil
+}
+
+// tlsConfigKey returns a unique key for tls.Config objects returned from TLSConfigFor
+func tlsConfigKey(c *Config) (string, error) {
+	// Make sure ca/key/cert content is loaded
+	if err := loadTLSFiles(c); err != nil {
+		return "", err
+	}
+	// Only include the things that actually affect the tls.Config
+	return fmt.Sprintf("%v/%x/%x/%x/%v", c.TLS.Insecure, c.TLS.CAData, c.TLS.CertData, c.TLS.KeyData, c.TLS.ServerName), nil
+}
diff --git a/cli/vendor/k8s.io/client-go/transport/config.go b/cli/vendor/k8s.io/client-go/transport/config.go
new file mode 100644
index 00000000..425f8f87
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/transport/config.go
@@ -0,0 +1,105 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package transport
+
+import (
+	"net"
+	"net/http"
+)
+
+// Config holds various options for establishing a transport.
+type Config struct {
+	// UserAgent is an optional field that specifies the caller of this
+	// request.
+	UserAgent string
+
+	// The base TLS configuration for this transport.
+	TLS TLSConfig
+
+	// Username and password for basic authentication
+	Username string
+	Password string
+
+	// Bearer token for authentication
+	BearerToken string
+
+	// CacheDir is the directory where we'll store HTTP cached responses.
+	// If set to empty string, no caching mechanism will be used.
+	CacheDir string
+
+	// Impersonate is the config that this Config will impersonate using
+	Impersonate ImpersonationConfig
+
+	// Transport may be used for custom HTTP behavior. This attribute may
+	// not be specified with the TLS client certificate options. Use
+	// WrapTransport for most client level operations.
+	Transport http.RoundTripper
+
+	// WrapTransport will be invoked for custom HTTP behavior after the
+	// underlying transport is initialized (either the transport created
+	// from TLSClientConfig, Transport, or http.DefaultTransport). The
+	// config may layer other RoundTrippers on top of the returned
+	// RoundTripper.
+	WrapTransport func(rt http.RoundTripper) http.RoundTripper
+
+	// Dial specifies the dial function for creating unencrypted TCP connections.
+	Dial func(network, addr string) (net.Conn, error)
+}
+
+// ImpersonationConfig has all the available impersonation options
+type ImpersonationConfig struct {
+	// UserName matches user.Info.GetName()
+	UserName string
+	// Groups matches user.Info.GetGroups()
+	Groups []string
+	// Extra matches user.Info.GetExtra()
+	Extra map[string][]string
+}
+
+// HasCA returns whether the configuration has a certificate authority or not.
+func (c *Config) HasCA() bool {
+	return len(c.TLS.CAData) > 0 || len(c.TLS.CAFile) > 0
+}
+
+// HasBasicAuth returns whether the configuration has basic authentication or not.
+func (c *Config) HasBasicAuth() bool {
+	return len(c.Username) != 0
+}
+
+// HasTokenAuth returns whether the configuration has token authentication or not.
+func (c *Config) HasTokenAuth() bool {
+	return len(c.BearerToken) != 0
+}
+
+// HasCertAuth returns whether the configuration has certificate authentication or not.
+func (c *Config) HasCertAuth() bool {
+	return len(c.TLS.CertData) != 0 || len(c.TLS.CertFile) != 0
+}
+
+// TLSConfig holds the information needed to set up a TLS transport.
+type TLSConfig struct {
+	CAFile   string // Path of the PEM-encoded server trusted root certificates.
+	CertFile string // Path of the PEM-encoded client certificate.
+	KeyFile  string // Path of the PEM-encoded client key.
+
+	Insecure   bool   // Server should be accessed without verifying the certificate. For testing only.
+	ServerName string // Override for the server name passed to the server for SNI and used to verify certificates.
+
+	CAData   []byte // Bytes of the PEM-encoded server trusted root certificates. Supercedes CAFile.
+	CertData []byte // Bytes of the PEM-encoded client certificate. Supercedes CertFile.
+	KeyData  []byte // Bytes of the PEM-encoded client key. Supercedes KeyFile.
+}
diff --git a/cli/vendor/k8s.io/client-go/transport/round_trippers.go b/cli/vendor/k8s.io/client-go/transport/round_trippers.go
new file mode 100644
index 00000000..2ee605d7
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/transport/round_trippers.go
@@ -0,0 +1,455 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package transport
+
+import (
+	"fmt"
+	"net/http"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/golang/glog"
+	"github.com/gregjones/httpcache"
+	"github.com/gregjones/httpcache/diskcache"
+	"github.com/peterbourgon/diskv"
+
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+)
+
+// HTTPWrappersForConfig wraps a round tripper with any relevant layered
+// behavior from the config. Exposed to allow more clients that need HTTP-like
+// behavior but then must hijack the underlying connection (like WebSocket or
+// HTTP2 clients). Pure HTTP clients should use the RoundTripper returned from
+// New.
+func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTripper, error) {
+	if config.WrapTransport != nil {
+		rt = config.WrapTransport(rt)
+	}
+
+	rt = DebugWrappers(rt)
+
+	// Set authentication wrappers
+	switch {
+	case config.HasBasicAuth() && config.HasTokenAuth():
+		return nil, fmt.Errorf("username/password or bearer token may be set, but not both")
+	case config.HasTokenAuth():
+		rt = NewBearerAuthRoundTripper(config.BearerToken, rt)
+	case config.HasBasicAuth():
+		rt = NewBasicAuthRoundTripper(config.Username, config.Password, rt)
+	}
+	if len(config.UserAgent) > 0 {
+		rt = NewUserAgentRoundTripper(config.UserAgent, rt)
+	}
+	if len(config.Impersonate.UserName) > 0 ||
+		len(config.Impersonate.Groups) > 0 ||
+		len(config.Impersonate.Extra) > 0 {
+		rt = NewImpersonatingRoundTripper(config.Impersonate, rt)
+	}
+	if len(config.CacheDir) > 0 {
+		rt = NewCacheRoundTripper(config.CacheDir, rt)
+	}
+	return rt, nil
+}
+
+// DebugWrappers wraps a round tripper and logs based on the current log level.
+func DebugWrappers(rt http.RoundTripper) http.RoundTripper {
+	switch {
+	case bool(glog.V(9)):
+		rt = newDebuggingRoundTripper(rt, debugCurlCommand, debugURLTiming, debugResponseHeaders)
+	case bool(glog.V(8)):
+		rt = newDebuggingRoundTripper(rt, debugJustURL, debugRequestHeaders, debugResponseStatus, debugResponseHeaders)
+	case bool(glog.V(7)):
+		rt = newDebuggingRoundTripper(rt, debugJustURL, debugRequestHeaders, debugResponseStatus)
+	case bool(glog.V(6)):
+		rt = newDebuggingRoundTripper(rt, debugURLTiming)
+	}
+
+	return rt
+}
+
+type requestCanceler interface {
+	CancelRequest(*http.Request)
+}
+
+type cacheRoundTripper struct {
+	rt *httpcache.Transport
+}
+
+// NewCacheRoundTripper creates a roundtripper that reads the ETag on
+// response headers and send the If-None-Match header on subsequent
+// corresponding requests.
+func NewCacheRoundTripper(cacheDir string, rt http.RoundTripper) http.RoundTripper {
+	d := diskv.New(diskv.Options{
+		BasePath: cacheDir,
+		TempDir:  filepath.Join(cacheDir, ".diskv-temp"),
+	})
+	t := httpcache.NewTransport(diskcache.NewWithDiskv(d))
+	t.Transport = rt
+
+	return &cacheRoundTripper{rt: t}
+}
+
+func (rt *cacheRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return rt.rt.RoundTrip(req)
+}
+
+func (rt *cacheRoundTripper) WrappedRoundTripper() http.RoundTripper { return rt.rt.Transport }
+
+type authProxyRoundTripper struct {
+	username string
+	groups   []string
+	extra    map[string][]string
+
+	rt http.RoundTripper
+}
+
+// NewAuthProxyRoundTripper provides a roundtripper which will add auth proxy fields to requests for
+// authentication terminating proxy cases
+// assuming you pull the user from the context:
+// username is the user.Info.GetName() of the user
+// groups is the user.Info.GetGroups() of the user
+// extra is the user.Info.GetExtra() of the user
+// extra can contain any additional information that the authenticator
+// thought was interesting, for example authorization scopes.
+// In order to faithfully round-trip through an impersonation flow, these keys
+// MUST be lowercase.
+func NewAuthProxyRoundTripper(username string, groups []string, extra map[string][]string, rt http.RoundTripper) http.RoundTripper {
+	return &authProxyRoundTripper{
+		username: username,
+		groups:   groups,
+		extra:    extra,
+		rt:       rt,
+	}
+}
+
+func (rt *authProxyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	req = utilnet.CloneRequest(req)
+	SetAuthProxyHeaders(req, rt.username, rt.groups, rt.extra)
+
+	return rt.rt.RoundTrip(req)
+}
+
+// SetAuthProxyHeaders stomps the auth proxy header fields.  It mutates its argument.
+func SetAuthProxyHeaders(req *http.Request, username string, groups []string, extra map[string][]string) {
+	req.Header.Del("X-Remote-User")
+	req.Header.Del("X-Remote-Group")
+	for key := range req.Header {
+		if strings.HasPrefix(strings.ToLower(key), strings.ToLower("X-Remote-Extra-")) {
+			req.Header.Del(key)
+		}
+	}
+
+	req.Header.Set("X-Remote-User", username)
+	for _, group := range groups {
+		req.Header.Add("X-Remote-Group", group)
+	}
+	for key, values := range extra {
+		for _, value := range values {
+			req.Header.Add("X-Remote-Extra-"+key, value)
+		}
+	}
+}
+
+func (rt *authProxyRoundTripper) CancelRequest(req *http.Request) {
+	if canceler, ok := rt.rt.(requestCanceler); ok {
+		canceler.CancelRequest(req)
+	} else {
+		glog.Errorf("CancelRequest not implemented")
+	}
+}
+
+func (rt *authProxyRoundTripper) WrappedRoundTripper() http.RoundTripper { return rt.rt }
+
+type userAgentRoundTripper struct {
+	agent string
+	rt    http.RoundTripper
+}
+
+func NewUserAgentRoundTripper(agent string, rt http.RoundTripper) http.RoundTripper {
+	return &userAgentRoundTripper{agent, rt}
+}
+
+func (rt *userAgentRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if len(req.Header.Get("User-Agent")) != 0 {
+		return rt.rt.RoundTrip(req)
+	}
+	req = utilnet.CloneRequest(req)
+	req.Header.Set("User-Agent", rt.agent)
+	return rt.rt.RoundTrip(req)
+}
+
+func (rt *userAgentRoundTripper) CancelRequest(req *http.Request) {
+	if canceler, ok := rt.rt.(requestCanceler); ok {
+		canceler.CancelRequest(req)
+	} else {
+		glog.Errorf("CancelRequest not implemented")
+	}
+}
+
+func (rt *userAgentRoundTripper) WrappedRoundTripper() http.RoundTripper { return rt.rt }
+
+type basicAuthRoundTripper struct {
+	username string
+	password string
+	rt       http.RoundTripper
+}
+
+// NewBasicAuthRoundTripper will apply a BASIC auth authorization header to a
+// request unless it has already been set.
+func NewBasicAuthRoundTripper(username, password string, rt http.RoundTripper) http.RoundTripper {
+	return &basicAuthRoundTripper{username, password, rt}
+}
+
+func (rt *basicAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if len(req.Header.Get("Authorization")) != 0 {
+		return rt.rt.RoundTrip(req)
+	}
+	req = utilnet.CloneRequest(req)
+	req.SetBasicAuth(rt.username, rt.password)
+	return rt.rt.RoundTrip(req)
+}
+
+func (rt *basicAuthRoundTripper) CancelRequest(req *http.Request) {
+	if canceler, ok := rt.rt.(requestCanceler); ok {
+		canceler.CancelRequest(req)
+	} else {
+		glog.Errorf("CancelRequest not implemented")
+	}
+}
+
+func (rt *basicAuthRoundTripper) WrappedRoundTripper() http.RoundTripper { return rt.rt }
+
+// These correspond to the headers used in pkg/apis/authentication.  We don't want the package dependency,
+// but you must not change the values.
+const (
+	// ImpersonateUserHeader is used to impersonate a particular user during an API server request
+	ImpersonateUserHeader = "Impersonate-User"
+
+	// ImpersonateGroupHeader is used to impersonate a particular group during an API server request.
+	// It can be repeated multiplied times for multiple groups.
+	ImpersonateGroupHeader = "Impersonate-Group"
+
+	// ImpersonateUserExtraHeaderPrefix is a prefix for a header used to impersonate an entry in the
+	// extra map[string][]string for user.Info.  The key for the `extra` map is suffix.
+	// The same key can be repeated multiple times to have multiple elements in the slice under a single key.
+	// For instance:
+	// Impersonate-Extra-Foo: one
+	// Impersonate-Extra-Foo: two
+	// results in extra["Foo"] = []string{"one", "two"}
+	ImpersonateUserExtraHeaderPrefix = "Impersonate-Extra-"
+)
+
+type impersonatingRoundTripper struct {
+	impersonate ImpersonationConfig
+	delegate    http.RoundTripper
+}
+
+// NewImpersonatingRoundTripper will add an Act-As header to a request unless it has already been set.
+func NewImpersonatingRoundTripper(impersonate ImpersonationConfig, delegate http.RoundTripper) http.RoundTripper {
+	return &impersonatingRoundTripper{impersonate, delegate}
+}
+
+func (rt *impersonatingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	// use the user header as marker for the rest.
+	if len(req.Header.Get(ImpersonateUserHeader)) != 0 {
+		return rt.delegate.RoundTrip(req)
+	}
+	req = utilnet.CloneRequest(req)
+	req.Header.Set(ImpersonateUserHeader, rt.impersonate.UserName)
+
+	for _, group := range rt.impersonate.Groups {
+		req.Header.Add(ImpersonateGroupHeader, group)
+	}
+	for k, vv := range rt.impersonate.Extra {
+		for _, v := range vv {
+			req.Header.Add(ImpersonateUserExtraHeaderPrefix+k, v)
+		}
+	}
+
+	return rt.delegate.RoundTrip(req)
+}
+
+func (rt *impersonatingRoundTripper) CancelRequest(req *http.Request) {
+	if canceler, ok := rt.delegate.(requestCanceler); ok {
+		canceler.CancelRequest(req)
+	} else {
+		glog.Errorf("CancelRequest not implemented")
+	}
+}
+
+func (rt *impersonatingRoundTripper) WrappedRoundTripper() http.RoundTripper { return rt.delegate }
+
+type bearerAuthRoundTripper struct {
+	bearer string
+	rt     http.RoundTripper
+}
+
+// NewBearerAuthRoundTripper adds the provided bearer token to a request
+// unless the authorization header has already been set.
+func NewBearerAuthRoundTripper(bearer string, rt http.RoundTripper) http.RoundTripper {
+	return &bearerAuthRoundTripper{bearer, rt}
+}
+
+func (rt *bearerAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if len(req.Header.Get("Authorization")) != 0 {
+		return rt.rt.RoundTrip(req)
+	}
+
+	req = utilnet.CloneRequest(req)
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", rt.bearer))
+	return rt.rt.RoundTrip(req)
+}
+
+func (rt *bearerAuthRoundTripper) CancelRequest(req *http.Request) {
+	if canceler, ok := rt.rt.(requestCanceler); ok {
+		canceler.CancelRequest(req)
+	} else {
+		glog.Errorf("CancelRequest not implemented")
+	}
+}
+
+func (rt *bearerAuthRoundTripper) WrappedRoundTripper() http.RoundTripper { return rt.rt }
+
+// requestInfo keeps track of information about a request/response combination
+type requestInfo struct {
+	RequestHeaders http.Header
+	RequestVerb    string
+	RequestURL     string
+
+	ResponseStatus  string
+	ResponseHeaders http.Header
+	ResponseErr     error
+
+	Duration time.Duration
+}
+
+// newRequestInfo creates a new RequestInfo based on an http request
+func newRequestInfo(req *http.Request) *requestInfo {
+	return &requestInfo{
+		RequestURL:     req.URL.String(),
+		RequestVerb:    req.Method,
+		RequestHeaders: req.Header,
+	}
+}
+
+// complete adds information about the response to the requestInfo
+func (r *requestInfo) complete(response *http.Response, err error) {
+	if err != nil {
+		r.ResponseErr = err
+		return
+	}
+	r.ResponseStatus = response.Status
+	r.ResponseHeaders = response.Header
+}
+
+// toCurl returns a string that can be run as a command in a terminal (minus the body)
+func (r *requestInfo) toCurl() string {
+	headers := ""
+	for key, values := range r.RequestHeaders {
+		for _, value := range values {
+			headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
+		}
+	}
+
+	return fmt.Sprintf("curl -k -v -X%s %s %s", r.RequestVerb, headers, r.RequestURL)
+}
+
+// debuggingRoundTripper will display information about the requests passing
+// through it based on what is configured
+type debuggingRoundTripper struct {
+	delegatedRoundTripper http.RoundTripper
+
+	levels map[debugLevel]bool
+}
+
+type debugLevel int
+
+const (
+	debugJustURL debugLevel = iota
+	debugURLTiming
+	debugCurlCommand
+	debugRequestHeaders
+	debugResponseStatus
+	debugResponseHeaders
+)
+
+func newDebuggingRoundTripper(rt http.RoundTripper, levels ...debugLevel) *debuggingRoundTripper {
+	drt := &debuggingRoundTripper{
+		delegatedRoundTripper: rt,
+		levels:                make(map[debugLevel]bool, len(levels)),
+	}
+	for _, v := range levels {
+		drt.levels[v] = true
+	}
+	return drt
+}
+
+func (rt *debuggingRoundTripper) CancelRequest(req *http.Request) {
+	if canceler, ok := rt.delegatedRoundTripper.(requestCanceler); ok {
+		canceler.CancelRequest(req)
+	} else {
+		glog.Errorf("CancelRequest not implemented")
+	}
+}
+
+func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	reqInfo := newRequestInfo(req)
+
+	if rt.levels[debugJustURL] {
+		glog.Infof("%s %s", reqInfo.RequestVerb, reqInfo.RequestURL)
+	}
+	if rt.levels[debugCurlCommand] {
+		glog.Infof("%s", reqInfo.toCurl())
+
+	}
+	if rt.levels[debugRequestHeaders] {
+		glog.Infof("Request Headers:")
+		for key, values := range reqInfo.RequestHeaders {
+			for _, value := range values {
+				glog.Infof("    %s: %s", key, value)
+			}
+		}
+	}
+
+	startTime := time.Now()
+	response, err := rt.delegatedRoundTripper.RoundTrip(req)
+	reqInfo.Duration = time.Since(startTime)
+
+	reqInfo.complete(response, err)
+
+	if rt.levels[debugURLTiming] {
+		glog.Infof("%s %s %s in %d milliseconds", reqInfo.RequestVerb, reqInfo.RequestURL, reqInfo.ResponseStatus, reqInfo.Duration.Nanoseconds()/int64(time.Millisecond))
+	}
+	if rt.levels[debugResponseStatus] {
+		glog.Infof("Response Status: %s in %d milliseconds", reqInfo.ResponseStatus, reqInfo.Duration.Nanoseconds()/int64(time.Millisecond))
+	}
+	if rt.levels[debugResponseHeaders] {
+		glog.Infof("Response Headers:")
+		for key, values := range reqInfo.ResponseHeaders {
+			for _, value := range values {
+				glog.Infof("    %s: %s", key, value)
+			}
+		}
+	}
+
+	return response, err
+}
+
+func (rt *debuggingRoundTripper) WrappedRoundTripper() http.RoundTripper {
+	return rt.delegatedRoundTripper
+}
diff --git a/cli/vendor/k8s.io/client-go/transport/transport.go b/cli/vendor/k8s.io/client-go/transport/transport.go
new file mode 100644
index 00000000..15be0a3e
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/transport/transport.go
@@ -0,0 +1,141 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package transport
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+)
+
+// New returns an http.RoundTripper that will provide the authentication
+// or transport level security defined by the provided Config.
+func New(config *Config) (http.RoundTripper, error) {
+	// Set transport level security
+	if config.Transport != nil && (config.HasCA() || config.HasCertAuth() || config.TLS.Insecure) {
+		return nil, fmt.Errorf("using a custom transport with TLS certificate options or the insecure flag is not allowed")
+	}
+
+	var (
+		rt  http.RoundTripper
+		err error
+	)
+
+	if config.Transport != nil {
+		rt = config.Transport
+	} else {
+		rt, err = tlsCache.get(config)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return HTTPWrappersForConfig(config, rt)
+}
+
+// TLSConfigFor returns a tls.Config that will provide the transport level security defined
+// by the provided Config. Will return nil if no transport level security is requested.
+func TLSConfigFor(c *Config) (*tls.Config, error) {
+	if !(c.HasCA() || c.HasCertAuth() || c.TLS.Insecure) {
+		return nil, nil
+	}
+	if c.HasCA() && c.TLS.Insecure {
+		return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed")
+	}
+	if err := loadTLSFiles(c); err != nil {
+		return nil, err
+	}
+
+	tlsConfig := &tls.Config{
+		// Can't use SSLv3 because of POODLE and BEAST
+		// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
+		// Can't use TLSv1.1 because of RC4 cipher usage
+		MinVersion:         tls.VersionTLS12,
+		InsecureSkipVerify: c.TLS.Insecure,
+		ServerName:         c.TLS.ServerName,
+	}
+
+	if c.HasCA() {
+		tlsConfig.RootCAs = rootCertPool(c.TLS.CAData)
+	}
+
+	if c.HasCertAuth() {
+		cert, err := tls.X509KeyPair(c.TLS.CertData, c.TLS.KeyData)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
+
+	return tlsConfig, nil
+}
+
+// loadTLSFiles copies the data from the CertFile, KeyFile, and CAFile fields into the CertData,
+// KeyData, and CAFile fields, or returns an error. If no error is returned, all three fields are
+// either populated or were empty to start.
+func loadTLSFiles(c *Config) error {
+	var err error
+	c.TLS.CAData, err = dataFromSliceOrFile(c.TLS.CAData, c.TLS.CAFile)
+	if err != nil {
+		return err
+	}
+
+	c.TLS.CertData, err = dataFromSliceOrFile(c.TLS.CertData, c.TLS.CertFile)
+	if err != nil {
+		return err
+	}
+
+	c.TLS.KeyData, err = dataFromSliceOrFile(c.TLS.KeyData, c.TLS.KeyFile)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// dataFromSliceOrFile returns data from the slice (if non-empty), or from the file,
+// or an error if an error occurred reading the file
+func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
+	if len(data) > 0 {
+		return data, nil
+	}
+	if len(file) > 0 {
+		fileData, err := ioutil.ReadFile(file)
+		if err != nil {
+			return []byte{}, err
+		}
+		return fileData, nil
+	}
+	return nil, nil
+}
+
+// rootCertPool returns nil if caData is empty.  When passed along, this will mean "use system CAs".
+// When caData is not empty, it will be the ONLY information used in the CertPool.
+func rootCertPool(caData []byte) *x509.CertPool {
+	// What we really want is a copy of x509.systemRootsPool, but that isn't exposed.  It's difficult to build (see the go
+	// code for a look at the platform specific insanity), so we'll use the fact that RootCAs == nil gives us the system values
+	// It doesn't allow trusting either/or, but hopefully that won't be an issue
+	if len(caData) == 0 {
+		return nil
+	}
+
+	// if we have caData, use it
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(caData)
+	return certPool
+}
diff --git a/cli/vendor/k8s.io/client-go/util/cert/cert.go b/cli/vendor/k8s.io/client-go/util/cert/cert.go
new file mode 100644
index 00000000..6854d415
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/util/cert/cert.go
@@ -0,0 +1,215 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	cryptorand "crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"math"
+	"math/big"
+	"net"
+	"time"
+)
+
+const (
+	rsaKeySize   = 2048
+	duration365d = time.Hour * 24 * 365
+)
+
+// Config containes the basic fields required for creating a certificate
+type Config struct {
+	CommonName   string
+	Organization []string
+	AltNames     AltNames
+	Usages       []x509.ExtKeyUsage
+}
+
+// AltNames contains the domain names and IP addresses that will be added
+// to the API Server's x509 certificate SubAltNames field. The values will
+// be passed directly to the x509.Certificate object.
+type AltNames struct {
+	DNSNames []string
+	IPs      []net.IP
+}
+
+// NewPrivateKey creates an RSA private key
+func NewPrivateKey() (*rsa.PrivateKey, error) {
+	return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
+}
+
+// NewSelfSignedCACert creates a CA certificate
+func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, error) {
+	now := time.Now()
+	tmpl := x509.Certificate{
+		SerialNumber: new(big.Int).SetInt64(0),
+		Subject: pkix.Name{
+			CommonName:   cfg.CommonName,
+			Organization: cfg.Organization,
+		},
+		NotBefore:             now.UTC(),
+		NotAfter:              now.Add(duration365d * 10).UTC(),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+		IsCA: true,
+	}
+
+	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
+	if err != nil {
+		return nil, err
+	}
+	return x509.ParseCertificate(certDERBytes)
+}
+
+// NewSignedCert creates a signed certificate using the given CA certificate and key
+func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
+	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+	if len(cfg.CommonName) == 0 {
+		return nil, errors.New("must specify a CommonName")
+	}
+	if len(cfg.Usages) == 0 {
+		return nil, errors.New("must specify at least one ExtKeyUsage")
+	}
+
+	certTmpl := x509.Certificate{
+		Subject: pkix.Name{
+			CommonName:   cfg.CommonName,
+			Organization: cfg.Organization,
+		},
+		DNSNames:     cfg.AltNames.DNSNames,
+		IPAddresses:  cfg.AltNames.IPs,
+		SerialNumber: serial,
+		NotBefore:    caCert.NotBefore,
+		NotAfter:     time.Now().Add(duration365d).UTC(),
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  cfg.Usages,
+	}
+	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
+	if err != nil {
+		return nil, err
+	}
+	return x509.ParseCertificate(certDERBytes)
+}
+
+// MakeEllipticPrivateKeyPEM creates an ECDSA private key
+func MakeEllipticPrivateKeyPEM() ([]byte, error) {
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
+	if err != nil {
+		return nil, err
+	}
+
+	derBytes, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	privateKeyPemBlock := &pem.Block{
+		Type:  ECPrivateKeyBlockType,
+		Bytes: derBytes,
+	}
+	return pem.EncodeToMemory(privateKeyPemBlock), nil
+}
+
+// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
+// Host may be an IP or a DNS name
+// You may also specify additional subject alt names (either ip or dns names) for the certificate
+func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
+	priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour * 24 * 365),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IsCA: true,
+	}
+
+	if ip := net.ParseIP(host); ip != nil {
+		template.IPAddresses = append(template.IPAddresses, ip)
+	} else {
+		template.DNSNames = append(template.DNSNames, host)
+	}
+
+	template.IPAddresses = append(template.IPAddresses, alternateIPs...)
+	template.DNSNames = append(template.DNSNames, alternateDNS...)
+
+	derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Generate cert
+	certBuffer := bytes.Buffer{}
+	if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil {
+		return nil, nil, err
+	}
+
+	// Generate key
+	keyBuffer := bytes.Buffer{}
+	if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
+		return nil, nil, err
+	}
+
+	return certBuffer.Bytes(), keyBuffer.Bytes(), nil
+}
+
+// FormatBytesCert receives byte array certificate and formats in human-readable format
+func FormatBytesCert(cert []byte) (string, error) {
+	block, _ := pem.Decode(cert)
+	c, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse certificate [%v]", err)
+	}
+	return FormatCert(c), nil
+}
+
+// FormatCert receives certificate and formats in human-readable format
+func FormatCert(c *x509.Certificate) string {
+	var ips []string
+	for _, ip := range c.IPAddresses {
+		ips = append(ips, ip.String())
+	}
+	altNames := append(ips, c.DNSNames...)
+	res := fmt.Sprintf(
+		"Issuer: CN=%s | Subject: CN=%s | CA: %t\n",
+		c.Issuer.CommonName, c.Subject.CommonName, c.IsCA,
+	)
+	res += fmt.Sprintf("Not before: %s Not After: %s", c.NotBefore, c.NotAfter)
+	if len(altNames) > 0 {
+		res += fmt.Sprintf("\nAlternate Names: %v", altNames)
+	}
+	return res
+}
diff --git a/cli/vendor/k8s.io/client-go/util/cert/csr.go b/cli/vendor/k8s.io/client-go/util/cert/csr.go
new file mode 100644
index 00000000..39a6751f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/util/cert/csr.go
@@ -0,0 +1,75 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+	cryptorand "crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"net"
+)
+
+// MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs.
+// All key types that are implemented via crypto.Signer are supported (This includes *rsa.PrivateKey and *ecdsa.PrivateKey.)
+func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error) {
+	template := &x509.CertificateRequest{
+		Subject:     *subject,
+		DNSNames:    dnsSANs,
+		IPAddresses: ipSANs,
+	}
+
+	return MakeCSRFromTemplate(privateKey, template)
+}
+
+// MakeCSRFromTemplate generates a PEM-encoded CSR using the supplied private
+// key and certificate request as a template. All key types that are
+// implemented via crypto.Signer are supported (This includes *rsa.PrivateKey
+// and *ecdsa.PrivateKey.)
+func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateRequest) ([]byte, error) {
+	t := *template
+	t.SignatureAlgorithm = sigType(privateKey)
+
+	csrDER, err := x509.CreateCertificateRequest(cryptorand.Reader, &t, privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	csrPemBlock := &pem.Block{
+		Type:  CertificateRequestBlockType,
+		Bytes: csrDER,
+	}
+
+	return pem.EncodeToMemory(csrPemBlock), nil
+}
+
+func sigType(privateKey interface{}) x509.SignatureAlgorithm {
+	// Customize the signature for RSA keys, depending on the key size
+	if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
+		keySize := privateKey.N.BitLen()
+		switch {
+		case keySize >= 4096:
+			return x509.SHA512WithRSA
+		case keySize >= 3072:
+			return x509.SHA384WithRSA
+		default:
+			return x509.SHA256WithRSA
+		}
+	}
+	return x509.UnknownSignatureAlgorithm
+}
diff --git a/cli/vendor/k8s.io/client-go/util/cert/io.go b/cli/vendor/k8s.io/client-go/util/cert/io.go
new file mode 100644
index 00000000..487456b6
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/util/cert/io.go
@@ -0,0 +1,164 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+// CanReadCertAndKey returns true if the certificate and key files already exists,
+// otherwise returns false. If lost one of cert and key, returns error.
+func CanReadCertAndKey(certPath, keyPath string) (bool, error) {
+	certReadable := canReadFile(certPath)
+	keyReadable := canReadFile(keyPath)
+
+	if certReadable == false && keyReadable == false {
+		return false, nil
+	}
+
+	if certReadable == false {
+		return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", certPath)
+	}
+
+	if keyReadable == false {
+		return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", keyPath)
+	}
+
+	return true, nil
+}
+
+// If the file represented by path exists and
+// readable, returns true otherwise returns false.
+func canReadFile(path string) bool {
+	f, err := os.Open(path)
+	if err != nil {
+		return false
+	}
+
+	defer f.Close()
+
+	return true
+}
+
+// WriteCert writes the pem-encoded certificate data to certPath.
+// The certificate file will be created with file mode 0644.
+// If the certificate file already exists, it will be overwritten.
+// The parent directory of the certPath will be created as needed with file mode 0755.
+func WriteCert(certPath string, data []byte) error {
+	if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
+		return err
+	}
+	if err := ioutil.WriteFile(certPath, data, os.FileMode(0644)); err != nil {
+		return err
+	}
+	return nil
+}
+
+// WriteKey writes the pem-encoded key data to keyPath.
+// The key file will be created with file mode 0600.
+// If the key file already exists, it will be overwritten.
+// The parent directory of the keyPath will be created as needed with file mode 0755.
+func WriteKey(keyPath string, data []byte) error {
+	if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
+		return err
+	}
+	if err := ioutil.WriteFile(keyPath, data, os.FileMode(0600)); err != nil {
+		return err
+	}
+	return nil
+}
+
+// LoadOrGenerateKeyFile looks for a key in the file at the given path. If it
+// can't find one, it will generate a new key and store it there.
+func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) {
+	loadedData, err := ioutil.ReadFile(keyPath)
+	if err == nil {
+		return loadedData, false, err
+	}
+	if !os.IsNotExist(err) {
+		return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
+	}
+
+	generatedData, err := MakeEllipticPrivateKeyPEM()
+	if err != nil {
+		return nil, false, fmt.Errorf("error generating key: %v", err)
+	}
+	if err := WriteKey(keyPath, generatedData); err != nil {
+		return nil, false, fmt.Errorf("error writing key to %s: %v", keyPath, err)
+	}
+	return generatedData, true, nil
+}
+
+// NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
+// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
+func NewPool(filename string) (*x509.CertPool, error) {
+	certs, err := CertsFromFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	pool := x509.NewCertPool()
+	for _, cert := range certs {
+		pool.AddCert(cert)
+	}
+	return pool, nil
+}
+
+// CertsFromFile returns the x509.Certificates contained in the given PEM-encoded file.
+// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
+func CertsFromFile(file string) ([]*x509.Certificate, error) {
+	pemBlock, err := ioutil.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+	certs, err := ParseCertsPEM(pemBlock)
+	if err != nil {
+		return nil, fmt.Errorf("error reading %s: %s", file, err)
+	}
+	return certs, nil
+}
+
+// PrivateKeyFromFile returns the private key in rsa.PrivateKey or ecdsa.PrivateKey format from a given PEM-encoded file.
+// Returns an error if the file could not be read or if the private key could not be parsed.
+func PrivateKeyFromFile(file string) (interface{}, error) {
+	data, err := ioutil.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+	key, err := ParsePrivateKeyPEM(data)
+	if err != nil {
+		return nil, fmt.Errorf("error reading private key file %s: %v", file, err)
+	}
+	return key, nil
+}
+
+// PublicKeysFromFile returns the public keys in rsa.PublicKey or ecdsa.PublicKey format from a given PEM-encoded file.
+// Reads public keys from both public and private key files.
+func PublicKeysFromFile(file string) ([]interface{}, error) {
+	data, err := ioutil.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+	keys, err := ParsePublicKeysPEM(data)
+	if err != nil {
+		return nil, fmt.Errorf("error reading public key file %s: %v", file, err)
+	}
+	return keys, nil
+}
diff --git a/cli/vendor/k8s.io/client-go/util/cert/pem.go b/cli/vendor/k8s.io/client-go/util/cert/pem.go
new file mode 100644
index 00000000..b99e3665
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/util/cert/pem.go
@@ -0,0 +1,269 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+)
+
+const (
+	// ECPrivateKeyBlockType is a possible value for pem.Block.Type.
+	ECPrivateKeyBlockType = "EC PRIVATE KEY"
+	// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
+	RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
+	// PrivateKeyBlockType is a possible value for pem.Block.Type.
+	PrivateKeyBlockType = "PRIVATE KEY"
+	// PublicKeyBlockType is a possible value for pem.Block.Type.
+	PublicKeyBlockType = "PUBLIC KEY"
+	// CertificateBlockType is a possible value for pem.Block.Type.
+	CertificateBlockType = "CERTIFICATE"
+	// CertificateRequestBlockType is a possible value for pem.Block.Type.
+	CertificateRequestBlockType = "CERTIFICATE REQUEST"
+)
+
+// EncodePublicKeyPEM returns PEM-encoded public data
+func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
+	der, err := x509.MarshalPKIXPublicKey(key)
+	if err != nil {
+		return []byte{}, err
+	}
+	block := pem.Block{
+		Type:  PublicKeyBlockType,
+		Bytes: der,
+	}
+	return pem.EncodeToMemory(&block), nil
+}
+
+// EncodePrivateKeyPEM returns PEM-encoded private key data
+func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
+	block := pem.Block{
+		Type:  RSAPrivateKeyBlockType,
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	}
+	return pem.EncodeToMemory(&block)
+}
+
+// EncodeCertPEM returns PEM-endcoded certificate data
+func EncodeCertPEM(cert *x509.Certificate) []byte {
+	block := pem.Block{
+		Type:  CertificateBlockType,
+		Bytes: cert.Raw,
+	}
+	return pem.EncodeToMemory(&block)
+}
+
+// ParsePrivateKeyPEM returns a private key parsed from a PEM block in the supplied data.
+// Recognizes PEM blocks for "EC PRIVATE KEY", "RSA PRIVATE KEY", or "PRIVATE KEY"
+func ParsePrivateKeyPEM(keyData []byte) (interface{}, error) {
+	var privateKeyPemBlock *pem.Block
+	for {
+		privateKeyPemBlock, keyData = pem.Decode(keyData)
+		if privateKeyPemBlock == nil {
+			break
+		}
+
+		switch privateKeyPemBlock.Type {
+		case ECPrivateKeyBlockType:
+			// ECDSA Private Key in ASN.1 format
+			if key, err := x509.ParseECPrivateKey(privateKeyPemBlock.Bytes); err == nil {
+				return key, nil
+			}
+		case RSAPrivateKeyBlockType:
+			// RSA Private Key in PKCS#1 format
+			if key, err := x509.ParsePKCS1PrivateKey(privateKeyPemBlock.Bytes); err == nil {
+				return key, nil
+			}
+		case PrivateKeyBlockType:
+			// RSA or ECDSA Private Key in unencrypted PKCS#8 format
+			if key, err := x509.ParsePKCS8PrivateKey(privateKeyPemBlock.Bytes); err == nil {
+				return key, nil
+			}
+		}
+
+		// tolerate non-key PEM blocks for compatibility with things like "EC PARAMETERS" blocks
+		// originally, only the first PEM block was parsed and expected to be a key block
+	}
+
+	// we read all the PEM blocks and didn't recognize one
+	return nil, fmt.Errorf("data does not contain a valid RSA or ECDSA private key")
+}
+
+// ParsePublicKeysPEM is a helper function for reading an array of rsa.PublicKey or ecdsa.PublicKey from a PEM-encoded byte array.
+// Reads public keys from both public and private key files.
+func ParsePublicKeysPEM(keyData []byte) ([]interface{}, error) {
+	var block *pem.Block
+	keys := []interface{}{}
+	for {
+		// read the next block
+		block, keyData = pem.Decode(keyData)
+		if block == nil {
+			break
+		}
+
+		// test block against parsing functions
+		if privateKey, err := parseRSAPrivateKey(block.Bytes); err == nil {
+			keys = append(keys, &privateKey.PublicKey)
+			continue
+		}
+		if publicKey, err := parseRSAPublicKey(block.Bytes); err == nil {
+			keys = append(keys, publicKey)
+			continue
+		}
+		if privateKey, err := parseECPrivateKey(block.Bytes); err == nil {
+			keys = append(keys, &privateKey.PublicKey)
+			continue
+		}
+		if publicKey, err := parseECPublicKey(block.Bytes); err == nil {
+			keys = append(keys, publicKey)
+			continue
+		}
+
+		// tolerate non-key PEM blocks for backwards compatibility
+		// originally, only the first PEM block was parsed and expected to be a key block
+	}
+
+	if len(keys) == 0 {
+		return nil, fmt.Errorf("data does not contain any valid RSA or ECDSA public keys")
+	}
+	return keys, nil
+}
+
+// ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array
+// Returns an error if a certificate could not be parsed, or if the data does not contain any certificates
+func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) {
+	ok := false
+	certs := []*x509.Certificate{}
+	for len(pemCerts) > 0 {
+		var block *pem.Block
+		block, pemCerts = pem.Decode(pemCerts)
+		if block == nil {
+			break
+		}
+		// Only use PEM "CERTIFICATE" blocks without extra headers
+		if block.Type != CertificateBlockType || len(block.Headers) != 0 {
+			continue
+		}
+
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return certs, err
+		}
+
+		certs = append(certs, cert)
+		ok = true
+	}
+
+	if !ok {
+		return certs, errors.New("data does not contain any valid RSA or ECDSA certificates")
+	}
+	return certs, nil
+}
+
+// parseRSAPublicKey parses a single RSA public key from the provided data
+func parseRSAPublicKey(data []byte) (*rsa.PublicKey, error) {
+	var err error
+
+	// Parse the key
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParsePKIXPublicKey(data); err != nil {
+		if cert, err := x509.ParseCertificate(data); err == nil {
+			parsedKey = cert.PublicKey
+		} else {
+			return nil, err
+		}
+	}
+
+	// Test if parsed key is an RSA Public Key
+	var pubKey *rsa.PublicKey
+	var ok bool
+	if pubKey, ok = parsedKey.(*rsa.PublicKey); !ok {
+		return nil, fmt.Errorf("data doesn't contain valid RSA Public Key")
+	}
+
+	return pubKey, nil
+}
+
+// parseRSAPrivateKey parses a single RSA private key from the provided data
+func parseRSAPrivateKey(data []byte) (*rsa.PrivateKey, error) {
+	var err error
+
+	// Parse the key
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParsePKCS1PrivateKey(data); err != nil {
+		if parsedKey, err = x509.ParsePKCS8PrivateKey(data); err != nil {
+			return nil, err
+		}
+	}
+
+	// Test if parsed key is an RSA Private Key
+	var privKey *rsa.PrivateKey
+	var ok bool
+	if privKey, ok = parsedKey.(*rsa.PrivateKey); !ok {
+		return nil, fmt.Errorf("data doesn't contain valid RSA Private Key")
+	}
+
+	return privKey, nil
+}
+
+// parseECPublicKey parses a single ECDSA public key from the provided data
+func parseECPublicKey(data []byte) (*ecdsa.PublicKey, error) {
+	var err error
+
+	// Parse the key
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParsePKIXPublicKey(data); err != nil {
+		if cert, err := x509.ParseCertificate(data); err == nil {
+			parsedKey = cert.PublicKey
+		} else {
+			return nil, err
+		}
+	}
+
+	// Test if parsed key is an ECDSA Public Key
+	var pubKey *ecdsa.PublicKey
+	var ok bool
+	if pubKey, ok = parsedKey.(*ecdsa.PublicKey); !ok {
+		return nil, fmt.Errorf("data doesn't contain valid ECDSA Public Key")
+	}
+
+	return pubKey, nil
+}
+
+// parseECPrivateKey parses a single ECDSA private key from the provided data
+func parseECPrivateKey(data []byte) (*ecdsa.PrivateKey, error) {
+	var err error
+
+	// Parse the key
+	var parsedKey interface{}
+	if parsedKey, err = x509.ParseECPrivateKey(data); err != nil {
+		return nil, err
+	}
+
+	// Test if parsed key is an ECDSA Private Key
+	var privKey *ecdsa.PrivateKey
+	var ok bool
+	if privKey, ok = parsedKey.(*ecdsa.PrivateKey); !ok {
+		return nil, fmt.Errorf("data doesn't contain valid ECDSA Private Key")
+	}
+
+	return privKey, nil
+}
diff --git a/cli/vendor/k8s.io/client-go/util/flowcontrol/backoff.go b/cli/vendor/k8s.io/client-go/util/flowcontrol/backoff.go
new file mode 100644
index 00000000..71d442a6
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/util/flowcontrol/backoff.go
@@ -0,0 +1,149 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flowcontrol
+
+import (
+	"sync"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/clock"
+	"k8s.io/client-go/util/integer"
+)
+
+type backoffEntry struct {
+	backoff    time.Duration
+	lastUpdate time.Time
+}
+
+type Backoff struct {
+	sync.Mutex
+	Clock           clock.Clock
+	defaultDuration time.Duration
+	maxDuration     time.Duration
+	perItemBackoff  map[string]*backoffEntry
+}
+
+func NewFakeBackOff(initial, max time.Duration, tc *clock.FakeClock) *Backoff {
+	return &Backoff{
+		perItemBackoff:  map[string]*backoffEntry{},
+		Clock:           tc,
+		defaultDuration: initial,
+		maxDuration:     max,
+	}
+}
+
+func NewBackOff(initial, max time.Duration) *Backoff {
+	return &Backoff{
+		perItemBackoff:  map[string]*backoffEntry{},
+		Clock:           clock.RealClock{},
+		defaultDuration: initial,
+		maxDuration:     max,
+	}
+}
+
+// Get the current backoff Duration
+func (p *Backoff) Get(id string) time.Duration {
+	p.Lock()
+	defer p.Unlock()
+	var delay time.Duration
+	entry, ok := p.perItemBackoff[id]
+	if ok {
+		delay = entry.backoff
+	}
+	return delay
+}
+
+// move backoff to the next mark, capping at maxDuration
+func (p *Backoff) Next(id string, eventTime time.Time) {
+	p.Lock()
+	defer p.Unlock()
+	entry, ok := p.perItemBackoff[id]
+	if !ok || hasExpired(eventTime, entry.lastUpdate, p.maxDuration) {
+		entry = p.initEntryUnsafe(id)
+	} else {
+		delay := entry.backoff * 2 // exponential
+		entry.backoff = time.Duration(integer.Int64Min(int64(delay), int64(p.maxDuration)))
+	}
+	entry.lastUpdate = p.Clock.Now()
+}
+
+// Reset forces clearing of all backoff data for a given key.
+func (p *Backoff) Reset(id string) {
+	p.Lock()
+	defer p.Unlock()
+	delete(p.perItemBackoff, id)
+}
+
+// Returns True if the elapsed time since eventTime is smaller than the current backoff window
+func (p *Backoff) IsInBackOffSince(id string, eventTime time.Time) bool {
+	p.Lock()
+	defer p.Unlock()
+	entry, ok := p.perItemBackoff[id]
+	if !ok {
+		return false
+	}
+	if hasExpired(eventTime, entry.lastUpdate, p.maxDuration) {
+		return false
+	}
+	return p.Clock.Now().Sub(eventTime) < entry.backoff
+}
+
+// Returns True if time since lastupdate is less than the current backoff window.
+func (p *Backoff) IsInBackOffSinceUpdate(id string, eventTime time.Time) bool {
+	p.Lock()
+	defer p.Unlock()
+	entry, ok := p.perItemBackoff[id]
+	if !ok {
+		return false
+	}
+	if hasExpired(eventTime, entry.lastUpdate, p.maxDuration) {
+		return false
+	}
+	return eventTime.Sub(entry.lastUpdate) < entry.backoff
+}
+
+// Garbage collect records that have aged past maxDuration. Backoff users are expected
+// to invoke this periodically.
+func (p *Backoff) GC() {
+	p.Lock()
+	defer p.Unlock()
+	now := p.Clock.Now()
+	for id, entry := range p.perItemBackoff {
+		if now.Sub(entry.lastUpdate) > p.maxDuration*2 {
+			// GC when entry has not been updated for 2*maxDuration
+			delete(p.perItemBackoff, id)
+		}
+	}
+}
+
+func (p *Backoff) DeleteEntry(id string) {
+	p.Lock()
+	defer p.Unlock()
+	delete(p.perItemBackoff, id)
+}
+
+// Take a lock on *Backoff, before calling initEntryUnsafe
+func (p *Backoff) initEntryUnsafe(id string) *backoffEntry {
+	entry := &backoffEntry{backoff: p.defaultDuration}
+	p.perItemBackoff[id] = entry
+	return entry
+}
+
+// After 2*maxDuration we restart the backoff factor to the beginning
+func hasExpired(eventTime time.Time, lastUpdate time.Time, maxDuration time.Duration) bool {
+	return eventTime.Sub(lastUpdate) > maxDuration*2 // consider stable if it's ok for twice the maxDuration
+}
diff --git a/cli/vendor/k8s.io/client-go/util/flowcontrol/throttle.go b/cli/vendor/k8s.io/client-go/util/flowcontrol/throttle.go
new file mode 100644
index 00000000..c45169c4
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/util/flowcontrol/throttle.go
@@ -0,0 +1,148 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flowcontrol
+
+import (
+	"sync"
+
+	"github.com/juju/ratelimit"
+)
+
+type RateLimiter interface {
+	// TryAccept returns true if a token is taken immediately. Otherwise,
+	// it returns false.
+	TryAccept() bool
+	// Accept returns once a token becomes available.
+	Accept()
+	// Stop stops the rate limiter, subsequent calls to CanAccept will return false
+	Stop()
+	// Saturation returns a percentage number which describes how saturated
+	// this rate limiter is.
+	// Usually we use token bucket rate limiter. In that case,
+	// 1.0 means no tokens are available; 0.0 means we have a full bucket of tokens to use.
+	Saturation() float64
+	// QPS returns QPS of this rate limiter
+	QPS() float32
+}
+
+type tokenBucketRateLimiter struct {
+	limiter *ratelimit.Bucket
+	qps     float32
+}
+
+// NewTokenBucketRateLimiter creates a rate limiter which implements a token bucket approach.
+// The rate limiter allows bursts of up to 'burst' to exceed the QPS, while still maintaining a
+// smoothed qps rate of 'qps'.
+// The bucket is initially filled with 'burst' tokens, and refills at a rate of 'qps'.
+// The maximum number of tokens in the bucket is capped at 'burst'.
+func NewTokenBucketRateLimiter(qps float32, burst int) RateLimiter {
+	limiter := ratelimit.NewBucketWithRate(float64(qps), int64(burst))
+	return newTokenBucketRateLimiter(limiter, qps)
+}
+
+// An injectable, mockable clock interface.
+type Clock interface {
+	ratelimit.Clock
+}
+
+// NewTokenBucketRateLimiterWithClock is identical to NewTokenBucketRateLimiter
+// but allows an injectable clock, for testing.
+func NewTokenBucketRateLimiterWithClock(qps float32, burst int, clock Clock) RateLimiter {
+	limiter := ratelimit.NewBucketWithRateAndClock(float64(qps), int64(burst), clock)
+	return newTokenBucketRateLimiter(limiter, qps)
+}
+
+func newTokenBucketRateLimiter(limiter *ratelimit.Bucket, qps float32) RateLimiter {
+	return &tokenBucketRateLimiter{
+		limiter: limiter,
+		qps:     qps,
+	}
+}
+
+func (t *tokenBucketRateLimiter) TryAccept() bool {
+	return t.limiter.TakeAvailable(1) == 1
+}
+
+func (t *tokenBucketRateLimiter) Saturation() float64 {
+	capacity := t.limiter.Capacity()
+	avail := t.limiter.Available()
+	return float64(capacity-avail) / float64(capacity)
+}
+
+// Accept will block until a token becomes available
+func (t *tokenBucketRateLimiter) Accept() {
+	t.limiter.Wait(1)
+}
+
+func (t *tokenBucketRateLimiter) Stop() {
+}
+
+func (t *tokenBucketRateLimiter) QPS() float32 {
+	return t.qps
+}
+
+type fakeAlwaysRateLimiter struct{}
+
+func NewFakeAlwaysRateLimiter() RateLimiter {
+	return &fakeAlwaysRateLimiter{}
+}
+
+func (t *fakeAlwaysRateLimiter) TryAccept() bool {
+	return true
+}
+
+func (t *fakeAlwaysRateLimiter) Saturation() float64 {
+	return 0
+}
+
+func (t *fakeAlwaysRateLimiter) Stop() {}
+
+func (t *fakeAlwaysRateLimiter) Accept() {}
+
+func (t *fakeAlwaysRateLimiter) QPS() float32 {
+	return 1
+}
+
+type fakeNeverRateLimiter struct {
+	wg sync.WaitGroup
+}
+
+func NewFakeNeverRateLimiter() RateLimiter {
+	rl := fakeNeverRateLimiter{}
+	rl.wg.Add(1)
+	return &rl
+}
+
+func (t *fakeNeverRateLimiter) TryAccept() bool {
+	return false
+}
+
+func (t *fakeNeverRateLimiter) Saturation() float64 {
+	return 1
+}
+
+func (t *fakeNeverRateLimiter) Stop() {
+	t.wg.Done()
+}
+
+func (t *fakeNeverRateLimiter) Accept() {
+	t.wg.Wait()
+}
+
+func (t *fakeNeverRateLimiter) QPS() float32 {
+	return 1
+}
diff --git a/cli/vendor/k8s.io/client-go/util/homedir/homedir.go b/cli/vendor/k8s.io/client-go/util/homedir/homedir.go
new file mode 100644
index 00000000..816db57f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/util/homedir/homedir.go
@@ -0,0 +1,47 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package homedir
+
+import (
+	"os"
+	"runtime"
+)
+
+// HomeDir returns the home directory for the current user
+func HomeDir() string {
+	if runtime.GOOS == "windows" {
+
+		// First prefer the HOME environmental variable
+		if home := os.Getenv("HOME"); len(home) > 0 {
+			if _, err := os.Stat(home); err == nil {
+				return home
+			}
+		}
+		if homeDrive, homePath := os.Getenv("HOMEDRIVE"), os.Getenv("HOMEPATH"); len(homeDrive) > 0 && len(homePath) > 0 {
+			homeDir := homeDrive + homePath
+			if _, err := os.Stat(homeDir); err == nil {
+				return homeDir
+			}
+		}
+		if userProfile := os.Getenv("USERPROFILE"); len(userProfile) > 0 {
+			if _, err := os.Stat(userProfile); err == nil {
+				return userProfile
+			}
+		}
+	}
+	return os.Getenv("HOME")
+}
diff --git a/cli/vendor/k8s.io/client-go/util/integer/integer.go b/cli/vendor/k8s.io/client-go/util/integer/integer.go
new file mode 100644
index 00000000..c6ea106f
--- /dev/null
+++ b/cli/vendor/k8s.io/client-go/util/integer/integer.go
@@ -0,0 +1,67 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package integer
+
+func IntMax(a, b int) int {
+	if b > a {
+		return b
+	}
+	return a
+}
+
+func IntMin(a, b int) int {
+	if b < a {
+		return b
+	}
+	return a
+}
+
+func Int32Max(a, b int32) int32 {
+	if b > a {
+		return b
+	}
+	return a
+}
+
+func Int32Min(a, b int32) int32 {
+	if b < a {
+		return b
+	}
+	return a
+}
+
+func Int64Max(a, b int64) int64 {
+	if b > a {
+		return b
+	}
+	return a
+}
+
+func Int64Min(a, b int64) int64 {
+	if b < a {
+		return b
+	}
+	return a
+}
+
+// RoundToInt32 rounds floats into integer numbers.
+func RoundToInt32(a float64) int32 {
+	if a < 0 {
+		return int32(a - 0.5)
+	}
+	return int32(a + 0.5)
+}
diff --git a/cli/vendor/k8s.io/kube-openapi/LICENSE b/cli/vendor/k8s.io/kube-openapi/LICENSE
new file mode 100644
index 00000000..d6456956
--- /dev/null
+++ b/cli/vendor/k8s.io/kube-openapi/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/cli/vendor/k8s.io/kube-openapi/README.md b/cli/vendor/k8s.io/kube-openapi/README.md
new file mode 100644
index 00000000..babadde1
--- /dev/null
+++ b/cli/vendor/k8s.io/kube-openapi/README.md
@@ -0,0 +1,14 @@
+# Kube OpenAPI
+
+This repo is the home for Kubernetes OpenAPI discovery spec generation. The goal 
+is to support a subset of OpenAPI features to satisfy kubernetes use-cases but 
+implement that subset with little to no assumption about the structure of the 
+code or routes. Thus, there should be no kubernetes specific code in this repo. 
+
+
+There are two main parts: 
+ - A model generator that goes through .go files, find and generate model 
+definitions. 
+ - The spec generator that is responsible for dynamically generate 
+the final OpenAPI spec using web service routes or combining other 
+OpenAPI/Json specs.
diff --git a/cli/vendor/k8s.io/kube-openapi/pkg/common/common.go b/cli/vendor/k8s.io/kube-openapi/pkg/common/common.go
new file mode 100644
index 00000000..94b026ed
--- /dev/null
+++ b/cli/vendor/k8s.io/kube-openapi/pkg/common/common.go
@@ -0,0 +1,167 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package common
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/emicklei/go-restful"
+	"github.com/go-openapi/spec"
+)
+
+// OpenAPIDefinition describes single type. Normally these definitions are auto-generated using gen-openapi.
+type OpenAPIDefinition struct {
+	Schema       spec.Schema
+	Dependencies []string
+}
+
+type ReferenceCallback func(path string) spec.Ref
+
+// OpenAPIDefinitions is collection of all definitions.
+type GetOpenAPIDefinitions func(ReferenceCallback) map[string]OpenAPIDefinition
+
+// OpenAPIDefinitionGetter gets openAPI definitions for a given type. If a type implements this interface,
+// the definition returned by it will be used, otherwise the auto-generated definitions will be used. See
+// GetOpenAPITypeFormat for more information about trade-offs of using this interface or GetOpenAPITypeFormat method when
+// possible.
+type OpenAPIDefinitionGetter interface {
+	OpenAPIDefinition() *OpenAPIDefinition
+}
+
+type PathHandler interface {
+	Handle(path string, handler http.Handler)
+}
+
+// Config is set of configuration for openAPI spec generation.
+type Config struct {
+	// List of supported protocols such as https, http, etc.
+	ProtocolList []string
+
+	// Info is general information about the API.
+	Info *spec.Info
+
+	// DefaultResponse will be used if an operation does not have any responses listed. It
+	// will show up as ... "responses" : {"default" : $DefaultResponse} in the spec.
+	DefaultResponse *spec.Response
+
+	// CommonResponses will be added as a response to all operation specs. This is a good place to add common
+	// responses such as authorization failed.
+	CommonResponses map[int]spec.Response
+
+	// List of webservice's path prefixes to ignore
+	IgnorePrefixes []string
+
+	// OpenAPIDefinitions should provide definition for all models used by routes. Failure to provide this map
+	// or any of the models will result in spec generation failure.
+	GetDefinitions GetOpenAPIDefinitions
+
+	// GetOperationIDAndTags returns operation id and tags for a restful route. It is an optional function to customize operation IDs.
+	GetOperationIDAndTags func(r *restful.Route) (string, []string, error)
+
+	// GetDefinitionName returns a friendly name for a definition base on the serving path. parameter `name` is the full name of the definition.
+	// It is an optional function to customize model names.
+	GetDefinitionName func(name string) (string, spec.Extensions)
+
+	// PostProcessSpec runs after the spec is ready to serve. It allows a final modification to the spec before serving.
+	PostProcessSpec func(*spec.Swagger) (*spec.Swagger, error)
+
+	// SecurityDefinitions is list of all security definitions for OpenAPI service. If this is not nil, the user of config
+	// is responsible to provide DefaultSecurity and (maybe) add unauthorized response to CommonResponses.
+	SecurityDefinitions *spec.SecurityDefinitions
+
+	// DefaultSecurity for all operations. This will pass as spec.SwaggerProps.Security to OpenAPI.
+	// For most cases, this will be list of acceptable definitions in SecurityDefinitions.
+	DefaultSecurity []map[string][]string
+}
+
+// This function is a reference for converting go (or any custom type) to a simple open API type,format pair. There are
+// two ways to customize spec for a type. If you add it here, a type will be converted to a simple type and the type
+// comment (the comment that is added before type definition) will be lost. The spec will still have the property
+// comment. The second way is to implement OpenAPIDefinitionGetter interface. That function can customize the spec (so
+// the spec does not need to be simple type,format) or can even return a simple type,format (e.g. IntOrString). For simple
+// type formats, the benefit of adding OpenAPIDefinitionGetter interface is to keep both type and property documentation.
+// Example:
+// type Sample struct {
+//      ...
+//      // port of the server
+//      port IntOrString
+//      ...
+// }
+// // IntOrString documentation...
+// type IntOrString { ... }
+//
+// Adding IntOrString to this function:
+// "port" : {
+//           format:      "string",
+//           type:        "int-or-string",
+//           Description: "port of the server"
+// }
+//
+// Implement OpenAPIDefinitionGetter for IntOrString:
+//
+// "port" : {
+//           $Ref:    "#/definitions/IntOrString"
+//           Description: "port of the server"
+// }
+// ...
+// definitions:
+// {
+//           "IntOrString": {
+//                     format:      "string",
+//                     type:        "int-or-string",
+//                     Description: "IntOrString documentation..."    // new
+//           }
+// }
+//
+func GetOpenAPITypeFormat(typeName string) (string, string) {
+	schemaTypeFormatMap := map[string][]string{
+		"uint":        {"integer", "int32"},
+		"uint8":       {"integer", "byte"},
+		"uint16":      {"integer", "int32"},
+		"uint32":      {"integer", "int64"},
+		"uint64":      {"integer", "int64"},
+		"int":         {"integer", "int32"},
+		"int8":        {"integer", "byte"},
+		"int16":       {"integer", "int32"},
+		"int32":       {"integer", "int32"},
+		"int64":       {"integer", "int64"},
+		"byte":        {"integer", "byte"},
+		"float64":     {"number", "double"},
+		"float32":     {"number", "float"},
+		"bool":        {"boolean", ""},
+		"time.Time":   {"string", "date-time"},
+		"string":      {"string", ""},
+		"integer":     {"integer", ""},
+		"number":      {"number", ""},
+		"boolean":     {"boolean", ""},
+		"[]byte":      {"string", "byte"}, // base64 encoded characters
+		"interface{}": {"object", ""},
+	}
+	mapped, ok := schemaTypeFormatMap[typeName]
+	if !ok {
+		return "", ""
+	}
+	return mapped[0], mapped[1]
+}
+
+func EscapeJsonPointer(p string) string {
+	// Escaping reference name using rfc6901
+	p = strings.Replace(p, "~", "~0", -1)
+	p = strings.Replace(p, "/", "~1", -1)
+	return p
+}
diff --git a/cli/vendor/k8s.io/kube-openapi/pkg/common/doc.go b/cli/vendor/k8s.io/kube-openapi/pkg/common/doc.go
new file mode 100644
index 00000000..2ba6d247
--- /dev/null
+++ b/cli/vendor/k8s.io/kube-openapi/pkg/common/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// package common holds shared code and types between open API code
+// generator and spec generator.
+package common
diff --git a/cli/vendor/k8s.io/kubernetes/LICENSE b/cli/vendor/k8s.io/kubernetes/LICENSE
new file mode 100644
index 00000000..d6456956
--- /dev/null
+++ b/cli/vendor/k8s.io/kubernetes/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/cli/vendor/k8s.io/kubernetes/README.md b/cli/vendor/k8s.io/kubernetes/README.md
new file mode 100644
index 00000000..a86767b3
--- /dev/null
+++ b/cli/vendor/k8s.io/kubernetes/README.md
@@ -0,0 +1,86 @@
+# Kubernetes
+
+[![Submit Queue Widget]][Submit Queue] [![GoDoc Widget]][GoDoc]
+
+<img src="https://github.com/kubernetes/kubernetes/raw/master/logo/logo.png" width="100">
+
+----
+
+Kubernetes is an open source system for managing [containerized applications]
+across multiple hosts, providing basic mechanisms for deployment, maintenance,
+and scaling of applications.
+
+Kubernetes builds upon a decade and a half of experience at Google running
+production workloads at scale using a system called [Borg],
+combined with best-of-breed ideas and practices from the community.
+
+Kubernetes is hosted by the Cloud Native Computing Foundation ([CNCF]).
+If you are a company that wants to help shape the evolution of
+technologies that are container-packaged, dynamically-scheduled
+and microservices-oriented, consider joining the CNCF.
+For details about who's involved and how Kubernetes plays a role,
+read the CNCF [announcement].
+
+----
+
+## To start using Kubernetes
+
+See our documentation on [kubernetes.io].
+
+Try our [interactive tutorial].
+
+Take a free course on [Scalable Microservices with Kubernetes].
+
+## To start developing Kubernetes
+
+The [community repository] hosts all information about
+building Kubernetes from source, how to contribute code
+and documentation, who to contact about what, etc.
+
+If you want to build Kubernetes right away there are two options:
+
+##### You have a working [Go environment].
+
+```
+$ go get -d k8s.io/kubernetes
+$ cd $GOPATH/src/k8s.io/kubernetes
+$ make
+```
+
+##### You have a working [Docker environment].
+
+```
+$ git clone https://github.com/kubernetes/kubernetes
+$ cd kubernetes
+$ make quick-release
+```
+
+If you are less impatient, head over to the [developer's documentation].
+
+## Support
+
+If you need support, start with the [troubleshooting guide]
+and work your way through the process that we've outlined.
+
+That said, if you have questions, reach out to us
+[one way or another][communication].
+
+[announcement]: https://cncf.io/news/announcement/2015/07/new-cloud-native-computing-foundation-drive-alignment-among-container
+[Borg]: https://research.google.com/pubs/pub43438.html
+[CNCF]: https://www.cncf.io/about
+[communication]: https://github.com/kubernetes/community/blob/master/communication.md
+[community repository]: https://github.com/kubernetes/community
+[containerized applications]: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
+[developer's documentation]: https://github.com/kubernetes/community/tree/master/contributors/devel
+[Docker environment]: https://docs.docker.com/engine
+[Go environment]: https://golang.org/doc/install
+[GoDoc]: https://godoc.org/k8s.io/kubernetes
+[GoDoc Widget]: https://godoc.org/k8s.io/kubernetes?status.svg
+[interactive tutorial]: http://kubernetes.io/docs/tutorials/kubernetes-basics
+[kubernetes.io]: http://kubernetes.io
+[Scalable Microservices with Kubernetes]: https://www.udacity.com/course/scalable-microservices-with-kubernetes--ud615
+[Submit Queue]: http://submit-queue.k8s.io/#/ci
+[Submit Queue Widget]: http://submit-queue.k8s.io/health.svg?v=1
+[troubleshooting guide]: https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/ 
+
+[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/README.md?pixel)]()
diff --git a/cli/vendor/k8s.io/kubernetes/build/README.md b/cli/vendor/k8s.io/kubernetes/build/README.md
new file mode 100644
index 00000000..60f37fb7
--- /dev/null
+++ b/cli/vendor/k8s.io/kubernetes/build/README.md
@@ -0,0 +1,112 @@
+# Building Kubernetes
+
+Building Kubernetes is easy if you take advantage of the containerized build environment. This document will help guide you through understanding this build process.
+
+## Requirements
+
+1. Docker, using one of the following configurations:
+  * **Mac OS X** You can either use Docker for Mac or docker-machine. See installation instructions [here](https://docs.docker.com/docker-for-mac/).
+     **Note**: You will want to set the Docker VM to have at least 3GB of initial memory or building will likely fail. (See: [#11852]( http://issue.k8s.io/11852)).
+  * **Linux with local Docker**  Install Docker according to the [instructions](https://docs.docker.com/installation/#installation) for your OS.
+  * **Remote Docker engine** Use a big machine in the cloud to build faster. This is a little trickier so look at the section later on.
+2. **Optional** [Google Cloud SDK](https://developers.google.com/cloud/sdk/)
+
+You must install and configure Google Cloud SDK if you want to upload your release to Google Cloud Storage and may safely omit this otherwise.
+
+## Overview
+
+While it is possible to build Kubernetes using a local golang installation, we have a build process that runs in a Docker container.  This simplifies initial set up and provides for a very consistent build and test environment.
+
+## Key scripts
+
+The following scripts are found in the `build/` directory. Note that all scripts must be run from the Kubernetes root directory.
+
+* `build/run.sh`: Run a command in a build docker container.  Common invocations:
+  *  `build/run.sh make`: Build just linux binaries in the container.  Pass options and packages as necessary.
+  *  `build/run.sh make cross`: Build all binaries for all platforms
+  *  `build/run.sh make test`: Run all unit tests
+  *  `build/run.sh make test-integration`: Run integration test
+  *  `build/run.sh make test-cmd`: Run CLI tests
+* `build/copy-output.sh`: This will copy the contents of `_output/dockerized/bin` from the Docker container to the local `_output/dockerized/bin`. It will also copy out specific file patterns that are generated as part of the build process. This is run automatically as part of `build/run.sh`.
+* `build/make-clean.sh`: Clean out the contents of `_output`, remove any locally built container images and remove the data container.
+* `/build/shell.sh`: Drop into a `bash` shell in a build container with a snapshot of the current repo code.
+
+## Basic Flow
+
+The scripts directly under `build/` are used to build and test.  They will ensure that the `kube-build` Docker image is built (based on `build/build-image/Dockerfile`) and then execute the appropriate command in that container.  These scripts will both ensure that the right data is cached from run to run for incremental builds and will copy the results back out of the container.
+
+The `kube-build` container image is built by first creating a "context" directory in `_output/images/build-image`.  It is done there instead of at the root of the Kubernetes repo to minimize the amount of data we need to package up when building the image.
+
+There are 3 different containers instances that are run from this image.  The first is a "data" container to store all data that needs to persist across to support incremental builds. Next there is an "rsync" container that is used to transfer data in and out to the data container.  Lastly there is a "build" container that is used for actually doing build actions.  The data container persists across runs while the rsync and build containers are deleted after each use.
+
+`rsync` is used transparently behind the scenes to efficiently move data in and out of the container.  This will use an ephemeral port picked by Docker.  You can modify this by setting the `KUBE_RSYNC_PORT` env variable.
+
+All Docker names are suffixed with a hash derived from the file path (to allow concurrent usage on things like CI machines) and a version number.  When the version number changes all state is cleared and clean build is started.  This allows the build infrastructure to be changed and signal to CI systems that old artifacts need to be deleted.
+
+## Proxy Settings
+
+If you are behind a proxy and you are letting these scripts use `docker-machine` to set up your local VM for you on macOS, you need to export proxy settings for Kubernetes build, the following environment variables should be defined.
+
+```
+export KUBERNETES_HTTP_PROXY=http://username:password@proxyaddr:proxyport
+export KUBERNETES_HTTPS_PROXY=https://username:password@proxyaddr:proxyport
+```
+
+Optionally, you can specify addresses of no proxy for Kubernetes build, for example
+
+```
+export KUBERNETES_NO_PROXY=127.0.0.1
+```
+
+If you are using sudo to make Kubernetes build for example make quick-release, you need run `sudo -E make quick-release` to pass the environment variables.
+
+## Really Remote Docker Engine
+
+It is possible to use a Docker Engine that is running remotely (under your desk or in the cloud).  Docker must be configured to connect to that machine and the local rsync port must be forwarded (via SSH or nc) from localhost to the remote machine.
+
+To do this easily with GCE and `docker-machine`, do something like this:
+```
+# Create the remote docker machine on GCE.  This is a pretty beefy machine with SSD disk.
+KUBE_BUILD_VM=k8s-build
+KUBE_BUILD_GCE_PROJECT=<project>
+docker-machine create \
+  --driver=google \
+  --google-project=${KUBE_BUILD_GCE_PROJECT} \
+  --google-zone=us-west1-a \
+  --google-machine-type=n1-standard-8 \
+  --google-disk-size=50 \
+  --google-disk-type=pd-ssd \
+  ${KUBE_BUILD_VM}
+
+# Set up local docker to talk to that machine
+eval $(docker-machine env ${KUBE_BUILD_VM})
+
+# Pin down the port that rsync will be exposed on on the remote machine
+export KUBE_RSYNC_PORT=8730
+
+# forward local 8730 to that machine so that rsync works
+docker-machine ssh ${KUBE_BUILD_VM} -L ${KUBE_RSYNC_PORT}:localhost:${KUBE_RSYNC_PORT} -N &
+```
+
+Look at `docker-machine stop`, `docker-machine start` and `docker-machine rm` to manage this VM.
+
+## Releasing
+
+The `build/release.sh` script will build a release.  It will build binaries, run tests, (optionally) build runtime Docker images.
+
+The main output is a tar file: `kubernetes.tar.gz`.  This includes:
+* Cross compiled client utilities.
+* Script (`kubectl`) for picking and running the right client binary based on platform.
+* Examples
+* Cluster deployment scripts for various clouds
+* Tar file containing all server binaries
+* Tar file containing salt deployment tree shared across multiple cloud deployments.
+
+In addition, there are some other tar files that are created:
+* `kubernetes-client-*.tar.gz` Client binaries for a specific platform.
+* `kubernetes-server-*.tar.gz` Server binaries for a specific platform.
+* `kubernetes-salt.tar.gz` The salt script/tree shared across multiple deployment scripts.
+
+When building final release tars, they are first staged into `_output/release-stage` before being tar'd up and put into `_output/release-tars`.
+
+[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/build/README.md?pixel)]()
diff --git a/cli/vendor/k8s.io/kubernetes/build/pause/orphan.c b/cli/vendor/k8s.io/kubernetes/build/pause/orphan.c
new file mode 100644
index 00000000..07f490de
--- /dev/null
+++ b/cli/vendor/k8s.io/kubernetes/build/pause/orphan.c
@@ -0,0 +1,36 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/* Creates a zombie to be reaped by init. Useful for testing. */
+
+#include <stdio.h>
+#include <unistd.h>
+
+int main() {
+  pid_t pid;
+  pid = fork();
+  if (pid == 0) {
+    while (getppid() > 1)
+      ;
+    printf("Child exiting: pid=%d ppid=%d\n", getpid(), getppid());
+    return 0;
+  } else if (pid > 0) {
+    printf("Parent exiting: pid=%d ppid=%d\n", getpid(), getppid());
+    return 0;
+  }
+  perror("Could not create child");
+  return 1;
+}
diff --git a/cli/vendor/k8s.io/kubernetes/build/pause/pause.c b/cli/vendor/k8s.io/kubernetes/build/pause/pause.c
new file mode 100644
index 00000000..f2e21b41
--- /dev/null
+++ b/cli/vendor/k8s.io/kubernetes/build/pause/pause.c
@@ -0,0 +1,51 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+static void sigdown(int signo) {
+  psignal(signo, "Shutting down, got signal");
+  exit(0);
+}
+
+static void sigreap(int signo) {
+  while (waitpid(-1, NULL, WNOHANG) > 0);
+}
+
+int main() {
+  if (getpid() != 1)
+    /* Not an error because pause sees use outside of infra containers. */
+    fprintf(stderr, "Warning: pause should be the first process\n");
+
+  if (sigaction(SIGINT, &(struct sigaction){.sa_handler = sigdown}, NULL) < 0)
+    return 1;
+  if (sigaction(SIGTERM, &(struct sigaction){.sa_handler = sigdown}, NULL) < 0)
+    return 2;
+  if (sigaction(SIGCHLD, &(struct sigaction){.sa_handler = sigreap,
+                                             .sa_flags = SA_NOCLDSTOP},
+                NULL) < 0)
+    return 3;
+
+  for (;;)
+    pause();
+  fprintf(stderr, "Error: infinite loop terminated\n");
+  return 42;
+}
diff --git a/cli/vendor/k8s.io/kubernetes/pkg/api/v1/pod/util.go b/cli/vendor/k8s.io/kubernetes/pkg/api/v1/pod/util.go
new file mode 100644
index 00000000..67fc6e5e
--- /dev/null
+++ b/cli/vendor/k8s.io/kubernetes/pkg/api/v1/pod/util.go
@@ -0,0 +1,296 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pod
+
+import (
+	"fmt"
+	"time"
+
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// FindPort locates the container port for the given pod and portName.  If the
+// targetPort is a number, use that.  If the targetPort is a string, look that
+// string up in all named ports in all containers in the target pod.  If no
+// match is found, fail.
+func FindPort(pod *v1.Pod, svcPort *v1.ServicePort) (int, error) {
+	portName := svcPort.TargetPort
+	switch portName.Type {
+	case intstr.String:
+		name := portName.StrVal
+		for _, container := range pod.Spec.Containers {
+			for _, port := range container.Ports {
+				if port.Name == name && port.Protocol == svcPort.Protocol {
+					return int(port.ContainerPort), nil
+				}
+			}
+		}
+	case intstr.Int:
+		return portName.IntValue(), nil
+	}
+
+	return 0, fmt.Errorf("no suitable port for manifest: %s", pod.UID)
+}
+
+// Visitor is called with each object name, and returns true if visiting should continue
+type Visitor func(name string) (shouldContinue bool)
+
+// VisitPodSecretNames invokes the visitor function with the name of every secret
+// referenced by the pod spec. If visitor returns false, visiting is short-circuited.
+// Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
+// Returns true if visiting completed, false if visiting was short-circuited.
+func VisitPodSecretNames(pod *v1.Pod, visitor Visitor) bool {
+	for _, reference := range pod.Spec.ImagePullSecrets {
+		if !visitor(reference.Name) {
+			return false
+		}
+	}
+	for i := range pod.Spec.InitContainers {
+		if !visitContainerSecretNames(&pod.Spec.InitContainers[i], visitor) {
+			return false
+		}
+	}
+	for i := range pod.Spec.Containers {
+		if !visitContainerSecretNames(&pod.Spec.Containers[i], visitor) {
+			return false
+		}
+	}
+	var source *v1.VolumeSource
+
+	for i := range pod.Spec.Volumes {
+		source = &pod.Spec.Volumes[i].VolumeSource
+		switch {
+		case source.AzureFile != nil:
+			if len(source.AzureFile.SecretName) > 0 && !visitor(source.AzureFile.SecretName) {
+				return false
+			}
+		case source.CephFS != nil:
+			if source.CephFS.SecretRef != nil && !visitor(source.CephFS.SecretRef.Name) {
+				return false
+			}
+		case source.FlexVolume != nil:
+			if source.FlexVolume.SecretRef != nil && !visitor(source.FlexVolume.SecretRef.Name) {
+				return false
+			}
+		case source.Projected != nil:
+			for j := range source.Projected.Sources {
+				if source.Projected.Sources[j].Secret != nil {
+					if !visitor(source.Projected.Sources[j].Secret.Name) {
+						return false
+					}
+				}
+			}
+		case source.RBD != nil:
+			if source.RBD.SecretRef != nil && !visitor(source.RBD.SecretRef.Name) {
+				return false
+			}
+		case source.Secret != nil:
+			if !visitor(source.Secret.SecretName) {
+				return false
+			}
+		case source.ScaleIO != nil:
+			if source.ScaleIO.SecretRef != nil && !visitor(source.ScaleIO.SecretRef.Name) {
+				return false
+			}
+		case source.ISCSI != nil:
+			if source.ISCSI.SecretRef != nil && !visitor(source.ISCSI.SecretRef.Name) {
+				return false
+			}
+		case source.StorageOS != nil:
+			if source.StorageOS.SecretRef != nil && !visitor(source.StorageOS.SecretRef.Name) {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+func visitContainerSecretNames(container *v1.Container, visitor Visitor) bool {
+	for _, env := range container.EnvFrom {
+		if env.SecretRef != nil {
+			if !visitor(env.SecretRef.Name) {
+				return false
+			}
+		}
+	}
+	for _, envVar := range container.Env {
+		if envVar.ValueFrom != nil && envVar.ValueFrom.SecretKeyRef != nil {
+			if !visitor(envVar.ValueFrom.SecretKeyRef.Name) {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+// VisitPodConfigmapNames invokes the visitor function with the name of every configmap
+// referenced by the pod spec. If visitor returns false, visiting is short-circuited.
+// Transitive references (e.g. pod -> pvc -> pv -> secret) are not visited.
+// Returns true if visiting completed, false if visiting was short-circuited.
+func VisitPodConfigmapNames(pod *v1.Pod, visitor Visitor) bool {
+	for i := range pod.Spec.InitContainers {
+		if !visitContainerConfigmapNames(&pod.Spec.InitContainers[i], visitor) {
+			return false
+		}
+	}
+	for i := range pod.Spec.Containers {
+		if !visitContainerConfigmapNames(&pod.Spec.Containers[i], visitor) {
+			return false
+		}
+	}
+	var source *v1.VolumeSource
+	for i := range pod.Spec.Volumes {
+		source = &pod.Spec.Volumes[i].VolumeSource
+		switch {
+		case source.Projected != nil:
+			for j := range source.Projected.Sources {
+				if source.Projected.Sources[j].ConfigMap != nil {
+					if !visitor(source.Projected.Sources[j].ConfigMap.Name) {
+						return false
+					}
+				}
+			}
+		case source.ConfigMap != nil:
+			if !visitor(source.ConfigMap.Name) {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+func visitContainerConfigmapNames(container *v1.Container, visitor Visitor) bool {
+	for _, env := range container.EnvFrom {
+		if env.ConfigMapRef != nil {
+			if !visitor(env.ConfigMapRef.Name) {
+				return false
+			}
+		}
+	}
+	for _, envVar := range container.Env {
+		if envVar.ValueFrom != nil && envVar.ValueFrom.ConfigMapKeyRef != nil {
+			if !visitor(envVar.ValueFrom.ConfigMapKeyRef.Name) {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+// GetContainerStatus extracts the status of container "name" from "statuses".
+// It also returns if "name" exists.
+func GetContainerStatus(statuses []v1.ContainerStatus, name string) (v1.ContainerStatus, bool) {
+	for i := range statuses {
+		if statuses[i].Name == name {
+			return statuses[i], true
+		}
+	}
+	return v1.ContainerStatus{}, false
+}
+
+// GetExistingContainerStatus extracts the status of container "name" from "statuses",
+// and returns empty status if "name" does not exist.
+func GetExistingContainerStatus(statuses []v1.ContainerStatus, name string) v1.ContainerStatus {
+	for i := range statuses {
+		if statuses[i].Name == name {
+			return statuses[i]
+		}
+	}
+	return v1.ContainerStatus{}
+}
+
+// IsPodAvailable returns true if a pod is available; false otherwise.
+// Precondition for an available pod is that it must be ready. On top
+// of that, there are two cases when a pod can be considered available:
+// 1. minReadySeconds == 0, or
+// 2. LastTransitionTime (is set) + minReadySeconds < current time
+func IsPodAvailable(pod *v1.Pod, minReadySeconds int32, now metav1.Time) bool {
+	if !IsPodReady(pod) {
+		return false
+	}
+
+	c := GetPodReadyCondition(pod.Status)
+	minReadySecondsDuration := time.Duration(minReadySeconds) * time.Second
+	if minReadySeconds == 0 || !c.LastTransitionTime.IsZero() && c.LastTransitionTime.Add(minReadySecondsDuration).Before(now.Time) {
+		return true
+	}
+	return false
+}
+
+// IsPodReady returns true if a pod is ready; false otherwise.
+func IsPodReady(pod *v1.Pod) bool {
+	return IsPodReadyConditionTrue(pod.Status)
+}
+
+// IsPodReady retruns true if a pod is ready; false otherwise.
+func IsPodReadyConditionTrue(status v1.PodStatus) bool {
+	condition := GetPodReadyCondition(status)
+	return condition != nil && condition.Status == v1.ConditionTrue
+}
+
+// Extracts the pod ready condition from the given status and returns that.
+// Returns nil if the condition is not present.
+func GetPodReadyCondition(status v1.PodStatus) *v1.PodCondition {
+	_, condition := GetPodCondition(&status, v1.PodReady)
+	return condition
+}
+
+// GetPodCondition extracts the provided condition from the given status and returns that.
+// Returns nil and -1 if the condition is not present, and the index of the located condition.
+func GetPodCondition(status *v1.PodStatus, conditionType v1.PodConditionType) (int, *v1.PodCondition) {
+	if status == nil {
+		return -1, nil
+	}
+	for i := range status.Conditions {
+		if status.Conditions[i].Type == conditionType {
+			return i, &status.Conditions[i]
+		}
+	}
+	return -1, nil
+}
+
+// Updates existing pod condition or creates a new one. Sets LastTransitionTime to now if the
+// status has changed.
+// Returns true if pod condition has changed or has been added.
+func UpdatePodCondition(status *v1.PodStatus, condition *v1.PodCondition) bool {
+	condition.LastTransitionTime = metav1.Now()
+	// Try to find this pod condition.
+	conditionIndex, oldCondition := GetPodCondition(status, condition.Type)
+
+	if oldCondition == nil {
+		// We are adding new pod condition.
+		status.Conditions = append(status.Conditions, *condition)
+		return true
+	} else {
+		// We are updating an existing condition, so we need to check if it has changed.
+		if condition.Status == oldCondition.Status {
+			condition.LastTransitionTime = oldCondition.LastTransitionTime
+		}
+
+		isEqual := condition.Status == oldCondition.Status &&
+			condition.Reason == oldCondition.Reason &&
+			condition.Message == oldCondition.Message &&
+			condition.LastProbeTime.Equal(&oldCondition.LastProbeTime) &&
+			condition.LastTransitionTime.Equal(&oldCondition.LastTransitionTime)
+
+		status.Conditions[conditionIndex] = *condition
+		// Return true if one of the fields have changed.
+		return !isEqual
+	}
+}
diff --git a/cli/vendor/k8s.io/kubernetes/third_party/protobuf/google/protobuf/compiler/plugin.proto b/cli/vendor/k8s.io/kubernetes/third_party/protobuf/google/protobuf/compiler/plugin.proto
new file mode 100644
index 00000000..5116167e
--- /dev/null
+++ b/cli/vendor/k8s.io/kubernetes/third_party/protobuf/google/protobuf/compiler/plugin.proto
@@ -0,0 +1,150 @@
+// Protocol Buffers - Google's data interchange format
+// Copyright 2008 Google Inc.  All rights reserved.
+// https://developers.google.com/protocol-buffers/
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Author: kenton@google.com (Kenton Varda)
+//
+// WARNING:  The plugin interface is currently EXPERIMENTAL and is subject to
+//   change.
+//
+// protoc (aka the Protocol Compiler) can be extended via plugins.  A plugin is
+// just a program that reads a CodeGeneratorRequest from stdin and writes a
+// CodeGeneratorResponse to stdout.
+//
+// Plugins written using C++ can use google/protobuf/compiler/plugin.h instead
+// of dealing with the raw protocol defined here.
+//
+// A plugin executable needs only to be placed somewhere in the path.  The
+// plugin should be named "protoc-gen-$NAME", and will then be used when the
+// flag "--${NAME}_out" is passed to protoc.
+
+syntax = "proto2";
+package google.protobuf.compiler;
+option java_package = "com.google.protobuf.compiler";
+option java_outer_classname = "PluginProtos";
+
+option go_package = "plugin_go";
+
+import "google/protobuf/descriptor.proto";
+
+// An encoded CodeGeneratorRequest is written to the plugin's stdin.
+message CodeGeneratorRequest {
+  // The .proto files that were explicitly listed on the command-line.  The
+  // code generator should generate code only for these files.  Each file's
+  // descriptor will be included in proto_file, below.
+  repeated string file_to_generate = 1;
+
+  // The generator parameter passed on the command-line.
+  optional string parameter = 2;
+
+  // FileDescriptorProtos for all files in files_to_generate and everything
+  // they import.  The files will appear in topological order, so each file
+  // appears before any file that imports it.
+  //
+  // protoc guarantees that all proto_files will be written after
+  // the fields above, even though this is not technically guaranteed by the
+  // protobuf wire format.  This theoretically could allow a plugin to stream
+  // in the FileDescriptorProtos and handle them one by one rather than read
+  // the entire set into memory at once.  However, as of this writing, this
+  // is not similarly optimized on protoc's end -- it will store all fields in
+  // memory at once before sending them to the plugin.
+  repeated FileDescriptorProto proto_file = 15;
+}
+
+// The plugin writes an encoded CodeGeneratorResponse to stdout.
+message CodeGeneratorResponse {
+  // Error message.  If non-empty, code generation failed.  The plugin process
+  // should exit with status code zero even if it reports an error in this way.
+  //
+  // This should be used to indicate errors in .proto files which prevent the
+  // code generator from generating correct code.  Errors which indicate a
+  // problem in protoc itself -- such as the input CodeGeneratorRequest being
+  // unparseable -- should be reported by writing a message to stderr and
+  // exiting with a non-zero status code.
+  optional string error = 1;
+
+  // Represents a single generated file.
+  message File {
+    // The file name, relative to the output directory.  The name must not
+    // contain "." or ".." components and must be relative, not be absolute (so,
+    // the file cannot lie outside the output directory).  "/" must be used as
+    // the path separator, not "\".
+    //
+    // If the name is omitted, the content will be appended to the previous
+    // file.  This allows the generator to break large files into small chunks,
+    // and allows the generated text to be streamed back to protoc so that large
+    // files need not reside completely in memory at one time.  Note that as of
+    // this writing protoc does not optimize for this -- it will read the entire
+    // CodeGeneratorResponse before writing files to disk.
+    optional string name = 1;
+
+    // If non-empty, indicates that the named file should already exist, and the
+    // content here is to be inserted into that file at a defined insertion
+    // point.  This feature allows a code generator to extend the output
+    // produced by another code generator.  The original generator may provide
+    // insertion points by placing special annotations in the file that look
+    // like:
+    //   @@protoc_insertion_point(NAME)
+    // The annotation can have arbitrary text before and after it on the line,
+    // which allows it to be placed in a comment.  NAME should be replaced with
+    // an identifier naming the point -- this is what other generators will use
+    // as the insertion_point.  Code inserted at this point will be placed
+    // immediately above the line containing the insertion point (thus multiple
+    // insertions to the same point will come out in the order they were added).
+    // The double-@ is intended to make it unlikely that the generated code
+    // could contain things that look like insertion points by accident.
+    //
+    // For example, the C++ code generator places the following line in the
+    // .pb.h files that it generates:
+    //   // @@protoc_insertion_point(namespace_scope)
+    // This line appears within the scope of the file's package namespace, but
+    // outside of any particular class.  Another plugin can then specify the
+    // insertion_point "namespace_scope" to generate additional classes or
+    // other declarations that should be placed in this scope.
+    //
+    // Note that if the line containing the insertion point begins with
+    // whitespace, the same whitespace will be added to every line of the
+    // inserted text.  This is useful for languages like Python, where
+    // indentation matters.  In these languages, the insertion point comment
+    // should be indented the same amount as any inserted code will need to be
+    // in order to work correctly in that context.
+    //
+    // The code generator that generates the initial file and the one which
+    // inserts into it must both run as part of a single invocation of protoc.
+    // Code generators are executed in the order in which they appear on the
+    // command line.
+    //
+    // If |insertion_point| is present, |name| must also be present.
+    optional string insertion_point = 2;
+
+    // The file contents.
+    optional string content = 15;
+  }
+  repeated File file = 15;
+}
\ No newline at end of file
diff --git a/cli/vendor/k8s.io/kubernetes/third_party/protobuf/google/protobuf/descriptor.proto b/cli/vendor/k8s.io/kubernetes/third_party/protobuf/google/protobuf/descriptor.proto
new file mode 100644
index 00000000..14594a8c
--- /dev/null
+++ b/cli/vendor/k8s.io/kubernetes/third_party/protobuf/google/protobuf/descriptor.proto
@@ -0,0 +1,779 @@
+// Protocol Buffers - Google's data interchange format
+// Copyright 2008 Google Inc.  All rights reserved.
+// https://developers.google.com/protocol-buffers/
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Author: kenton@google.com (Kenton Varda)
+//  Based on original Protocol Buffers design by
+//  Sanjay Ghemawat, Jeff Dean, and others.
+//
+// The messages in this file describe the definitions found in .proto files.
+// A valid .proto file can be translated directly to a FileDescriptorProto
+// without any other information (e.g. without reading its imports).
+
+
+syntax = "proto2";
+
+package google.protobuf;
+option go_package = "descriptor";
+option java_package = "com.google.protobuf";
+option java_outer_classname = "DescriptorProtos";
+option csharp_namespace = "Google.Protobuf.Reflection";
+option objc_class_prefix = "GPB";
+
+// descriptor.proto must be optimized for speed because reflection-based
+// algorithms don't work during bootstrapping.
+option optimize_for = SPEED;
+
+// The protocol compiler can output a FileDescriptorSet containing the .proto
+// files it parses.
+message FileDescriptorSet {
+  repeated FileDescriptorProto file = 1;
+}
+
+// Describes a complete .proto file.
+message FileDescriptorProto {
+  optional string name = 1;       // file name, relative to root of source tree
+  optional string package = 2;    // e.g. "foo", "foo.bar", etc.
+
+  // Names of files imported by this file.
+  repeated string dependency = 3;
+  // Indexes of the public imported files in the dependency list above.
+  repeated int32 public_dependency = 10;
+  // Indexes of the weak imported files in the dependency list.
+  // For Google-internal migration only. Do not use.
+  repeated int32 weak_dependency = 11;
+
+  // All top-level definitions in this file.
+  repeated DescriptorProto message_type = 4;
+  repeated EnumDescriptorProto enum_type = 5;
+  repeated ServiceDescriptorProto service = 6;
+  repeated FieldDescriptorProto extension = 7;
+
+  optional FileOptions options = 8;
+
+  // This field contains optional information about the original source code.
+  // You may safely remove this entire field without harming runtime
+  // functionality of the descriptors -- the information is needed only by
+  // development tools.
+  optional SourceCodeInfo source_code_info = 9;
+
+  // The syntax of the proto file.
+  // The supported values are "proto2" and "proto3".
+  optional string syntax = 12;
+}
+
+// Describes a message type.
+message DescriptorProto {
+  optional string name = 1;
+
+  repeated FieldDescriptorProto field = 2;
+  repeated FieldDescriptorProto extension = 6;
+
+  repeated DescriptorProto nested_type = 3;
+  repeated EnumDescriptorProto enum_type = 4;
+
+  message ExtensionRange {
+    optional int32 start = 1;
+    optional int32 end = 2;
+  }
+  repeated ExtensionRange extension_range = 5;
+
+  repeated OneofDescriptorProto oneof_decl = 8;
+
+  optional MessageOptions options = 7;
+
+  // Range of reserved tag numbers. Reserved tag numbers may not be used by
+  // fields or extension ranges in the same message. Reserved ranges may
+  // not overlap.
+  message ReservedRange {
+    optional int32 start = 1; // Inclusive.
+    optional int32 end = 2;   // Exclusive.
+  }
+  repeated ReservedRange reserved_range = 9;
+  // Reserved field names, which may not be used by fields in the same message.
+  // A given name may only be reserved once.
+  repeated string reserved_name = 10;
+}
+
+// Describes a field within a message.
+message FieldDescriptorProto {
+  enum Type {
+    // 0 is reserved for errors.
+    // Order is weird for historical reasons.
+    TYPE_DOUBLE         = 1;
+    TYPE_FLOAT          = 2;
+    // Not ZigZag encoded.  Negative numbers take 10 bytes.  Use TYPE_SINT64 if
+    // negative values are likely.
+    TYPE_INT64          = 3;
+    TYPE_UINT64         = 4;
+    // Not ZigZag encoded.  Negative numbers take 10 bytes.  Use TYPE_SINT32 if
+    // negative values are likely.
+    TYPE_INT32          = 5;
+    TYPE_FIXED64        = 6;
+    TYPE_FIXED32        = 7;
+    TYPE_BOOL           = 8;
+    TYPE_STRING         = 9;
+    TYPE_GROUP          = 10;  // Tag-delimited aggregate.
+    TYPE_MESSAGE        = 11;  // Length-delimited aggregate.
+
+    // New in version 2.
+    TYPE_BYTES          = 12;
+    TYPE_UINT32         = 13;
+    TYPE_ENUM           = 14;
+    TYPE_SFIXED32       = 15;
+    TYPE_SFIXED64       = 16;
+    TYPE_SINT32         = 17;  // Uses ZigZag encoding.
+    TYPE_SINT64         = 18;  // Uses ZigZag encoding.
+  };
+
+  enum Label {
+    // 0 is reserved for errors
+    LABEL_OPTIONAL      = 1;
+    LABEL_REQUIRED      = 2;
+    LABEL_REPEATED      = 3;
+    // TODO(sanjay): Should we add LABEL_MAP?
+  };
+
+  optional string name = 1;
+  optional int32 number = 3;
+  optional Label label = 4;
+
+  // If type_name is set, this need not be set.  If both this and type_name
+  // are set, this must be one of TYPE_ENUM, TYPE_MESSAGE or TYPE_GROUP.
+  optional Type type = 5;
+
+  // For message and enum types, this is the name of the type.  If the name
+  // starts with a '.', it is fully-qualified.  Otherwise, C++-like scoping
+  // rules are used to find the type (i.e. first the nested types within this
+  // message are searched, then within the parent, on up to the root
+  // namespace).
+  optional string type_name = 6;
+
+  // For extensions, this is the name of the type being extended.  It is
+  // resolved in the same manner as type_name.
+  optional string extendee = 2;
+
+  // For numeric types, contains the original text representation of the value.
+  // For booleans, "true" or "false".
+  // For strings, contains the default text contents (not escaped in any way).
+  // For bytes, contains the C escaped value.  All bytes >= 128 are escaped.
+  // TODO(kenton):  Base-64 encode?
+  optional string default_value = 7;
+
+  // If set, gives the index of a oneof in the containing type's oneof_decl
+  // list.  This field is a member of that oneof.
+  optional int32 oneof_index = 9;
+
+  // JSON name of this field. The value is set by protocol compiler. If the
+  // user has set a "json_name" option on this field, that option's value
+  // will be used. Otherwise, it's deduced from the field's name by converting
+  // it to camelCase.
+  optional string json_name = 10;
+
+  optional FieldOptions options = 8;
+}
+
+// Describes a oneof.
+message OneofDescriptorProto {
+  optional string name = 1;
+}
+
+// Describes an enum type.
+message EnumDescriptorProto {
+  optional string name = 1;
+
+  repeated EnumValueDescriptorProto value = 2;
+
+  optional EnumOptions options = 3;
+}
+
+// Describes a value within an enum.
+message EnumValueDescriptorProto {
+  optional string name = 1;
+  optional int32 number = 2;
+
+  optional EnumValueOptions options = 3;
+}
+
+// Describes a service.
+message ServiceDescriptorProto {
+  optional string name = 1;
+  repeated MethodDescriptorProto method = 2;
+
+  optional ServiceOptions options = 3;
+}
+
+// Describes a method of a service.
+message MethodDescriptorProto {
+  optional string name = 1;
+
+  // Input and output type names.  These are resolved in the same way as
+  // FieldDescriptorProto.type_name, but must refer to a message type.
+  optional string input_type = 2;
+  optional string output_type = 3;
+
+  optional MethodOptions options = 4;
+
+  // Identifies if client streams multiple client messages
+  optional bool client_streaming = 5 [default=false];
+  // Identifies if server streams multiple server messages
+  optional bool server_streaming = 6 [default=false];
+}
+
+
+// ===================================================================
+// Options
+
+// Each of the definitions above may have "options" attached.  These are
+// just annotations which may cause code to be generated slightly differently
+// or may contain hints for code that manipulates protocol messages.
+//
+// Clients may define custom options as extensions of the *Options messages.
+// These extensions may not yet be known at parsing time, so the parser cannot
+// store the values in them.  Instead it stores them in a field in the *Options
+// message called uninterpreted_option. This field must have the same name
+// across all *Options messages. We then use this field to populate the
+// extensions when we build a descriptor, at which point all protos have been
+// parsed and so all extensions are known.
+//
+// Extension numbers for custom options may be chosen as follows:
+// * For options which will only be used within a single application or
+//   organization, or for experimental options, use field numbers 50000
+//   through 99999.  It is up to you to ensure that you do not use the
+//   same number for multiple options.
+// * For options which will be published and used publicly by multiple
+//   independent entities, e-mail protobuf-global-extension-registry@google.com
+//   to reserve extension numbers. Simply provide your project name (e.g.
+//   Objective-C plugin) and your project website (if available) -- there's no
+//   need to explain how you intend to use them. Usually you only need one
+//   extension number. You can declare multiple options with only one extension
+//   number by putting them in a sub-message. See the Custom Options section of
+//   the docs for examples:
+//   https://developers.google.com/protocol-buffers/docs/proto#options
+//   If this turns out to be popular, a web service will be set up
+//   to automatically assign option numbers.
+
+
+message FileOptions {
+
+  // Sets the Java package where classes generated from this .proto will be
+  // placed.  By default, the proto package is used, but this is often
+  // inappropriate because proto packages do not normally start with backwards
+  // domain names.
+  optional string java_package = 1;
+
+
+  // If set, all the classes from the .proto file are wrapped in a single
+  // outer class with the given name.  This applies to both Proto1
+  // (equivalent to the old "--one_java_file" option) and Proto2 (where
+  // a .proto always translates to a single class, but you may want to
+  // explicitly choose the class name).
+  optional string java_outer_classname = 8;
+
+  // If set true, then the Java code generator will generate a separate .java
+  // file for each top-level message, enum, and service defined in the .proto
+  // file.  Thus, these types will *not* be nested inside the outer class
+  // named by java_outer_classname.  However, the outer class will still be
+  // generated to contain the file's getDescriptor() method as well as any
+  // top-level extensions defined in the file.
+  optional bool java_multiple_files = 10 [default=false];
+
+  // If set true, then the Java code generator will generate equals() and
+  // hashCode() methods for all messages defined in the .proto file.
+  // This increases generated code size, potentially substantially for large
+  // protos, which may harm a memory-constrained application.
+  // - In the full runtime this is a speed optimization, as the
+  // AbstractMessage base class includes reflection-based implementations of
+  // these methods.
+  // - In the lite runtime, setting this option changes the semantics of
+  // equals() and hashCode() to more closely match those of the full runtime;
+  // the generated methods compute their results based on field values rather
+  // than object identity. (Implementations should not assume that hashcodes
+  // will be consistent across runtimes or versions of the protocol compiler.)
+  optional bool java_generate_equals_and_hash = 20 [default=false];
+
+  // If set true, then the Java2 code generator will generate code that
+  // throws an exception whenever an attempt is made to assign a non-UTF-8
+  // byte sequence to a string field.
+  // Message reflection will do the same.
+  // However, an extension field still accepts non-UTF-8 byte sequences.
+  // This option has no effect on when used with the lite runtime.
+  optional bool java_string_check_utf8 = 27 [default=false];
+
+
+  // Generated classes can be optimized for speed or code size.
+  enum OptimizeMode {
+    SPEED = 1;        // Generate complete code for parsing, serialization,
+                      // etc.
+    CODE_SIZE = 2;    // Use ReflectionOps to implement these methods.
+    LITE_RUNTIME = 3; // Generate code using MessageLite and the lite runtime.
+  }
+  optional OptimizeMode optimize_for = 9 [default=SPEED];
+
+  // Sets the Go package where structs generated from this .proto will be
+  // placed. If omitted, the Go package will be derived from the following:
+  //   - The basename of the package import path, if provided.
+  //   - Otherwise, the package statement in the .proto file, if present.
+  //   - Otherwise, the basename of the .proto file, without extension.
+  optional string go_package = 11;
+
+
+
+  // Should generic services be generated in each language?  "Generic" services
+  // are not specific to any particular RPC system.  They are generated by the
+  // main code generators in each language (without additional plugins).
+  // Generic services were the only kind of service generation supported by
+  // early versions of google.protobuf.
+  //
+  // Generic services are now considered deprecated in favor of using plugins
+  // that generate code specific to your particular RPC system.  Therefore,
+  // these default to false.  Old code which depends on generic services should
+  // explicitly set them to true.
+  optional bool cc_generic_services = 16 [default=false];
+  optional bool java_generic_services = 17 [default=false];
+  optional bool py_generic_services = 18 [default=false];
+
+  // Is this file deprecated?
+  // Depending on the target platform, this can emit Deprecated annotations
+  // for everything in the file, or it will be completely ignored; in the very
+  // least, this is a formalization for deprecating files.
+  optional bool deprecated = 23 [default=false];
+
+  // Enables the use of arenas for the proto messages in this file. This applies
+  // only to generated classes for C++.
+  optional bool cc_enable_arenas = 31 [default=false];
+
+
+  // Sets the objective c class prefix which is prepended to all objective c
+  // generated classes from this .proto. There is no default.
+  optional string objc_class_prefix = 36;
+
+  // Namespace for generated classes; defaults to the package.
+  optional string csharp_namespace = 37;
+
+  // Whether the nano proto compiler should generate in the deprecated non-nano
+  // suffixed package.
+  optional bool javanano_use_deprecated_package = 38;
+
+  // The parser stores options it doesn't recognize here. See above.
+  repeated UninterpretedOption uninterpreted_option = 999;
+
+  // Clients can define custom options in extensions of this message. See above.
+  extensions 1000 to max;
+}
+
+message MessageOptions {
+  // Set true to use the old proto1 MessageSet wire format for extensions.
+  // This is provided for backwards-compatibility with the MessageSet wire
+  // format.  You should not use this for any other reason:  It's less
+  // efficient, has fewer features, and is more complicated.
+  //
+  // The message must be defined exactly as follows:
+  //   message Foo {
+  //     option message_set_wire_format = true;
+  //     extensions 4 to max;
+  //   }
+  // Note that the message cannot have any defined fields; MessageSets only
+  // have extensions.
+  //
+  // All extensions of your type must be singular messages; e.g. they cannot
+  // be int32s, enums, or repeated messages.
+  //
+  // Because this is an option, the above two restrictions are not enforced by
+  // the protocol compiler.
+  optional bool message_set_wire_format = 1 [default=false];
+
+  // Disables the generation of the standard "descriptor()" accessor, which can
+  // conflict with a field of the same name.  This is meant to make migration
+  // from proto1 easier; new code should avoid fields named "descriptor".
+  optional bool no_standard_descriptor_accessor = 2 [default=false];
+
+  // Is this message deprecated?
+  // Depending on the target platform, this can emit Deprecated annotations
+  // for the message, or it will be completely ignored; in the very least,
+  // this is a formalization for deprecating messages.
+  optional bool deprecated = 3 [default=false];
+
+  // Whether the message is an automatically generated map entry type for the
+  // maps field.
+  //
+  // For maps fields:
+  //     map<KeyType, ValueType> map_field = 1;
+  // The parsed descriptor looks like:
+  //     message MapFieldEntry {
+  //         option map_entry = true;
+  //         optional KeyType key = 1;
+  //         optional ValueType value = 2;
+  //     }
+  //     repeated MapFieldEntry map_field = 1;
+  //
+  // Implementations may choose not to generate the map_entry=true message, but
+  // use a native map in the target language to hold the keys and values.
+  // The reflection APIs in such implementions still need to work as
+  // if the field is a repeated message field.
+  //
+  // NOTE: Do not set the option in .proto files. Always use the maps syntax
+  // instead. The option should only be implicitly set by the proto compiler
+  // parser.
+  optional bool map_entry = 7;
+
+  // The parser stores options it doesn't recognize here. See above.
+  repeated UninterpretedOption uninterpreted_option = 999;
+
+  // Clients can define custom options in extensions of this message. See above.
+  extensions 1000 to max;
+}
+
+message FieldOptions {
+  // The ctype option instructs the C++ code generator to use a different
+  // representation of the field than it normally would.  See the specific
+  // options below.  This option is not yet implemented in the open source
+  // release -- sorry, we'll try to include it in a future version!
+  optional CType ctype = 1 [default = STRING];
+  enum CType {
+    // Default mode.
+    STRING = 0;
+
+    CORD = 1;
+
+    STRING_PIECE = 2;
+  }
+  // The packed option can be enabled for repeated primitive fields to enable
+  // a more efficient representation on the wire. Rather than repeatedly
+  // writing the tag and type for each element, the entire array is encoded as
+  // a single length-delimited blob. In proto3, only explicit setting it to
+  // false will avoid using packed encoding.
+  optional bool packed = 2;
+
+
+  // The jstype option determines the JavaScript type used for values of the
+  // field.  The option is permitted only for 64 bit integral and fixed types
+  // (int64, uint64, sint64, fixed64, sfixed64).  By default these types are
+  // represented as JavaScript strings.  This avoids loss of precision that can
+  // happen when a large value is converted to a floating point JavaScript
+  // numbers.  Specifying JS_NUMBER for the jstype causes the generated
+  // JavaScript code to use the JavaScript "number" type instead of strings.
+  // This option is an enum to permit additional types to be added,
+  // e.g. goog.math.Integer.
+  optional JSType jstype = 6 [default = JS_NORMAL];
+  enum JSType {
+    // Use the default type.
+    JS_NORMAL = 0;
+
+    // Use JavaScript strings.
+    JS_STRING = 1;
+
+    // Use JavaScript numbers.
+    JS_NUMBER = 2;
+  }
+
+  // Should this field be parsed lazily?  Lazy applies only to message-type
+  // fields.  It means that when the outer message is initially parsed, the
+  // inner message's contents will not be parsed but instead stored in encoded
+  // form.  The inner message will actually be parsed when it is first accessed.
+  //
+  // This is only a hint.  Implementations are free to choose whether to use
+  // eager or lazy parsing regardless of the value of this option.  However,
+  // setting this option true suggests that the protocol author believes that
+  // using lazy parsing on this field is worth the additional bookkeeping
+  // overhead typically needed to implement it.
+  //
+  // This option does not affect the public interface of any generated code;
+  // all method signatures remain the same.  Furthermore, thread-safety of the
+  // interface is not affected by this option; const methods remain safe to
+  // call from multiple threads concurrently, while non-const methods continue
+  // to require exclusive access.
+  //
+  //
+  // Note that implementations may choose not to check required fields within
+  // a lazy sub-message.  That is, calling IsInitialized() on the outher message
+  // may return true even if the inner message has missing required fields.
+  // This is necessary because otherwise the inner message would have to be
+  // parsed in order to perform the check, defeating the purpose of lazy
+  // parsing.  An implementation which chooses not to check required fields
+  // must be consistent about it.  That is, for any particular sub-message, the
+  // implementation must either *always* check its required fields, or *never*
+  // check its required fields, regardless of whether or not the message has
+  // been parsed.
+  optional bool lazy = 5 [default=false];
+
+  // Is this field deprecated?
+  // Depending on the target platform, this can emit Deprecated annotations
+  // for accessors, or it will be completely ignored; in the very least, this
+  // is a formalization for deprecating fields.
+  optional bool deprecated = 3 [default=false];
+
+  // For Google-internal migration only. Do not use.
+  optional bool weak = 10 [default=false];
+
+
+  // The parser stores options it doesn't recognize here. See above.
+  repeated UninterpretedOption uninterpreted_option = 999;
+
+  // Clients can define custom options in extensions of this message. See above.
+  extensions 1000 to max;
+}
+
+message EnumOptions {
+
+  // Set this option to true to allow mapping different tag names to the same
+  // value.
+  optional bool allow_alias = 2;
+
+  // Is this enum deprecated?
+  // Depending on the target platform, this can emit Deprecated annotations
+  // for the enum, or it will be completely ignored; in the very least, this
+  // is a formalization for deprecating enums.
+  optional bool deprecated = 3 [default=false];
+
+  // The parser stores options it doesn't recognize here. See above.
+  repeated UninterpretedOption uninterpreted_option = 999;
+
+  // Clients can define custom options in extensions of this message. See above.
+  extensions 1000 to max;
+}
+
+message EnumValueOptions {
+  // Is this enum value deprecated?
+  // Depending on the target platform, this can emit Deprecated annotations
+  // for the enum value, or it will be completely ignored; in the very least,
+  // this is a formalization for deprecating enum values.
+  optional bool deprecated = 1 [default=false];
+
+  // The parser stores options it doesn't recognize here. See above.
+  repeated UninterpretedOption uninterpreted_option = 999;
+
+  // Clients can define custom options in extensions of this message. See above.
+  extensions 1000 to max;
+}
+
+message ServiceOptions {
+
+  // Note:  Field numbers 1 through 32 are reserved for Google's internal RPC
+  //   framework.  We apologize for hoarding these numbers to ourselves, but
+  //   we were already using them long before we decided to release Protocol
+  //   Buffers.
+
+  // Is this service deprecated?
+  // Depending on the target platform, this can emit Deprecated annotations
+  // for the service, or it will be completely ignored; in the very least,
+  // this is a formalization for deprecating services.
+  optional bool deprecated = 33 [default=false];
+
+  // The parser stores options it doesn't recognize here. See above.
+  repeated UninterpretedOption uninterpreted_option = 999;
+
+  // Clients can define custom options in extensions of this message. See above.
+  extensions 1000 to max;
+}
+
+message MethodOptions {
+
+  // Note:  Field numbers 1 through 32 are reserved for Google's internal RPC
+  //   framework.  We apologize for hoarding these numbers to ourselves, but
+  //   we were already using them long before we decided to release Protocol
+  //   Buffers.
+
+  // Is this method deprecated?
+  // Depending on the target platform, this can emit Deprecated annotations
+  // for the method, or it will be completely ignored; in the very least,
+  // this is a formalization for deprecating methods.
+  optional bool deprecated = 33 [default=false];
+
+  // The parser stores options it doesn't recognize here. See above.
+  repeated UninterpretedOption uninterpreted_option = 999;
+
+  // Clients can define custom options in extensions of this message. See above.
+  extensions 1000 to max;
+}
+
+
+// A message representing a option the parser does not recognize. This only
+// appears in options protos created by the compiler::Parser class.
+// DescriptorPool resolves these when building Descriptor objects. Therefore,
+// options protos in descriptor objects (e.g. returned by Descriptor::options(),
+// or produced by Descriptor::CopyTo()) will never have UninterpretedOptions
+// in them.
+message UninterpretedOption {
+  // The name of the uninterpreted option.  Each string represents a segment in
+  // a dot-separated name.  is_extension is true iff a segment represents an
+  // extension (denoted with parentheses in options specs in .proto files).
+  // E.g.,{ ["foo", false], ["bar.baz", true], ["qux", false] } represents
+  // "foo.(bar.baz).qux".
+  message NamePart {
+    required string name_part = 1;
+    required bool is_extension = 2;
+  }
+  repeated NamePart name = 2;
+
+  // The value of the uninterpreted option, in whatever type the tokenizer
+  // identified it as during parsing. Exactly one of these should be set.
+  optional string identifier_value = 3;
+  optional uint64 positive_int_value = 4;
+  optional int64 negative_int_value = 5;
+  optional double double_value = 6;
+  optional bytes string_value = 7;
+  optional string aggregate_value = 8;
+}
+
+// ===================================================================
+// Optional source code info
+
+// Encapsulates information about the original source file from which a
+// FileDescriptorProto was generated.
+message SourceCodeInfo {
+  // A Location identifies a piece of source code in a .proto file which
+  // corresponds to a particular definition.  This information is intended
+  // to be useful to IDEs, code indexers, documentation generators, and similar
+  // tools.
+  //
+  // For example, say we have a file like:
+  //   message Foo {
+  //     optional string foo = 1;
+  //   }
+  // Let's look at just the field definition:
+  //   optional string foo = 1;
+  //   ^       ^^     ^^  ^  ^^^
+  //   a       bc     de  f  ghi
+  // We have the following locations:
+  //   span   path               represents
+  //   [a,i)  [ 4, 0, 2, 0 ]     The whole field definition.
+  //   [a,b)  [ 4, 0, 2, 0, 4 ]  The label (optional).
+  //   [c,d)  [ 4, 0, 2, 0, 5 ]  The type (string).
+  //   [e,f)  [ 4, 0, 2, 0, 1 ]  The name (foo).
+  //   [g,h)  [ 4, 0, 2, 0, 3 ]  The number (1).
+  //
+  // Notes:
+  // - A location may refer to a repeated field itself (i.e. not to any
+  //   particular index within it).  This is used whenever a set of elements are
+  //   logically enclosed in a single code segment.  For example, an entire
+  //   extend block (possibly containing multiple extension definitions) will
+  //   have an outer location whose path refers to the "extensions" repeated
+  //   field without an index.
+  // - Multiple locations may have the same path.  This happens when a single
+  //   logical declaration is spread out across multiple places.  The most
+  //   obvious example is the "extend" block again -- there may be multiple
+  //   extend blocks in the same scope, each of which will have the same path.
+  // - A location's span is not always a subset of its parent's span.  For
+  //   example, the "extendee" of an extension declaration appears at the
+  //   beginning of the "extend" block and is shared by all extensions within
+  //   the block.
+  // - Just because a location's span is a subset of some other location's span
+  //   does not mean that it is a descendent.  For example, a "group" defines
+  //   both a type and a field in a single declaration.  Thus, the locations
+  //   corresponding to the type and field and their components will overlap.
+  // - Code which tries to interpret locations should probably be designed to
+  //   ignore those that it doesn't understand, as more types of locations could
+  //   be recorded in the future.
+  repeated Location location = 1;
+  message Location {
+    // Identifies which part of the FileDescriptorProto was defined at this
+    // location.
+    //
+    // Each element is a field number or an index.  They form a path from
+    // the root FileDescriptorProto to the place where the definition.  For
+    // example, this path:
+    //   [ 4, 3, 2, 7, 1 ]
+    // refers to:
+    //   file.message_type(3)  // 4, 3
+    //       .field(7)         // 2, 7
+    //       .name()           // 1
+    // This is because FileDescriptorProto.message_type has field number 4:
+    //   repeated DescriptorProto message_type = 4;
+    // and DescriptorProto.field has field number 2:
+    //   repeated FieldDescriptorProto field = 2;
+    // and FieldDescriptorProto.name has field number 1:
+    //   optional string name = 1;
+    //
+    // Thus, the above path gives the location of a field name.  If we removed
+    // the last element:
+    //   [ 4, 3, 2, 7 ]
+    // this path refers to the whole field declaration (from the beginning
+    // of the label to the terminating semicolon).
+    repeated int32 path = 1 [packed=true];
+
+    // Always has exactly three or four elements: start line, start column,
+    // end line (optional, otherwise assumed same as start line), end column.
+    // These are packed into a single field for efficiency.  Note that line
+    // and column numbers are zero-based -- typically you will want to add
+    // 1 to each before displaying to a user.
+    repeated int32 span = 2 [packed=true];
+
+    // If this SourceCodeInfo represents a complete declaration, these are any
+    // comments appearing before and after the declaration which appear to be
+    // attached to the declaration.
+    //
+    // A series of line comments appearing on consecutive lines, with no other
+    // tokens appearing on those lines, will be treated as a single comment.
+    //
+    // leading_detached_comments will keep paragraphs of comments that appear
+    // before (but not connected to) the current element. Each paragraph,
+    // separated by empty lines, will be one comment element in the repeated
+    // field.
+    //
+    // Only the comment content is provided; comment markers (e.g. //) are
+    // stripped out.  For block comments, leading whitespace and an asterisk
+    // will be stripped from the beginning of each line other than the first.
+    // Newlines are included in the output.
+    //
+    // Examples:
+    //
+    //   optional int32 foo = 1;  // Comment attached to foo.
+    //   // Comment attached to bar.
+    //   optional int32 bar = 2;
+    //
+    //   optional string baz = 3;
+    //   // Comment attached to baz.
+    //   // Another line attached to baz.
+    //
+    //   // Comment attached to qux.
+    //   //
+    //   // Another line attached to qux.
+    //   optional double qux = 4;
+    //
+    //   // Detached comment for corge. This is not leading or trailing comments
+    //   // to qux or corge because there are blank lines separating it from
+    //   // both.
+    //
+    //   // Detached comment for corge paragraph 2.
+    //
+    //   optional string corge = 5;
+    //   /* Block comment attached
+    //    * to corge.  Leading asterisks
+    //    * will be removed. */
+    //   /* Block comment attached to
+    //    * grault. */
+    //   optional int32 grault = 6;
+    //
+    //   // ignored detached comments.
+    optional string leading_comments = 3;
+    optional string trailing_comments = 4;
+    repeated string leading_detached_comments = 6;
+  }
+}
\ No newline at end of file
diff --git a/cli/vendor/vbom.ml/util/LICENSE b/cli/vendor/vbom.ml/util/LICENSE
new file mode 100644
index 00000000..5c695fb5
--- /dev/null
+++ b/cli/vendor/vbom.ml/util/LICENSE
@@ -0,0 +1,17 @@
+The MIT License (MIT)
+Copyright (c) 2015 Frits van Bommel
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/cli/vendor/vbom.ml/util/README.md b/cli/vendor/vbom.ml/util/README.md
new file mode 100644
index 00000000..72de5079
--- /dev/null
+++ b/cli/vendor/vbom.ml/util/README.md
@@ -0,0 +1,5 @@
+## util [![GoDoc](https://godoc.org/vbom.ml/util?status.svg)](https://godoc.org/vbom.ml/util)
+
+    import "vbom.ml/util"
+
+Go utility packages.
diff --git a/cli/vendor/vbom.ml/util/sortorder/README.md b/cli/vendor/vbom.ml/util/sortorder/README.md
new file mode 100644
index 00000000..ed8da0e2
--- /dev/null
+++ b/cli/vendor/vbom.ml/util/sortorder/README.md
@@ -0,0 +1,5 @@
+## sortorder [![GoDoc](https://godoc.org/vbom.ml/util/sortorder?status.svg)](https://godoc.org/vbom.ml/util/sortorder)
+
+    import "vbom.ml/util/sortorder"
+
+Sort orders and comparison functions.
diff --git a/cli/vendor/vbom.ml/util/sortorder/doc.go b/cli/vendor/vbom.ml/util/sortorder/doc.go
new file mode 100644
index 00000000..61b37a93
--- /dev/null
+++ b/cli/vendor/vbom.ml/util/sortorder/doc.go
@@ -0,0 +1,5 @@
+// Package sortorder implements sort orders and comparison functions.
+//
+// Currently, it only implements so-called "natural order", where integers
+// embedded in strings are compared by value.
+package sortorder // import "vbom.ml/util/sortorder"
diff --git a/cli/vendor/vbom.ml/util/sortorder/natsort.go b/cli/vendor/vbom.ml/util/sortorder/natsort.go
new file mode 100644
index 00000000..1af08c1b
--- /dev/null
+++ b/cli/vendor/vbom.ml/util/sortorder/natsort.go
@@ -0,0 +1,76 @@
+package sortorder
+
+// Natural implements sort.Interface to sort strings in natural order. This
+// means that e.g. "abc2" < "abc12".
+//
+// Non-digit sequences and numbers are compared separately. The former are
+// compared bytewise, while the latter are compared numerically (except that
+// the number of leading zeros is used as a tie-breaker, so e.g. "2" < "02")
+//
+// Limitation: only ASCII digits (0-9) are considered.
+type Natural []string
+
+func (n Natural) Len() int           { return len(n) }
+func (n Natural) Swap(i, j int)      { n[i], n[j] = n[j], n[i] }
+func (n Natural) Less(i, j int) bool { return NaturalLess(n[i], n[j]) }
+
+func isdigit(b byte) bool { return '0' <= b && b <= '9' }
+
+// NaturalLess compares two strings using natural ordering. This means that e.g.
+// "abc2" < "abc12".
+//
+// Non-digit sequences and numbers are compared separately. The former are
+// compared bytewise, while the latter are compared numerically (except that
+// the number of leading zeros is used as a tie-breaker, so e.g. "2" < "02")
+//
+// Limitation: only ASCII digits (0-9) are considered.
+func NaturalLess(str1, str2 string) bool {
+	idx1, idx2 := 0, 0
+	for idx1 < len(str1) && idx2 < len(str2) {
+		c1, c2 := str1[idx1], str2[idx2]
+		dig1, dig2 := isdigit(c1), isdigit(c2)
+		switch {
+		case dig1 != dig2: // Digits before other characters.
+			return dig1 // True if LHS is a digit, false if the RHS is one.
+		case !dig1: // && !dig2, because dig1 == dig2
+			// UTF-8 compares bytewise-lexicographically, no need to decode
+			// codepoints.
+			if c1 != c2 {
+				return c1 < c2
+			}
+			idx1++
+			idx2++
+		default: // Digits
+			// Eat zeros.
+			for ; idx1 < len(str1) && str1[idx1] == '0'; idx1++ {
+			}
+			for ; idx2 < len(str2) && str2[idx2] == '0'; idx2++ {
+			}
+			// Eat all digits.
+			nonZero1, nonZero2 := idx1, idx2
+			for ; idx1 < len(str1) && isdigit(str1[idx1]); idx1++ {
+			}
+			for ; idx2 < len(str2) && isdigit(str2[idx2]); idx2++ {
+			}
+			// If lengths of numbers with non-zero prefix differ, the shorter
+			// one is less.
+			if len1, len2 := idx1-nonZero1, idx2-nonZero2; len1 != len2 {
+				return len1 < len2
+			}
+			// If they're not equal, string comparison is correct.
+			if nr1, nr2 := str1[nonZero1:idx1], str2[nonZero2:idx2]; nr1 != nr2 {
+				return nr1 < nr2
+			}
+			// Otherwise, the one with less zeros is less.
+			// Because everything up to the number is equal, comparing the index
+			// after the zeros is sufficient.
+			if nonZero1 != nonZero2 {
+				return nonZero1 < nonZero2
+			}
+		}
+		// They're identical so far, so continue comparing.
+	}
+	// So far they are identical. At least one is ended. If the other continues,
+	// it sorts last.
+	return len(str1) < len(str2)
+}
diff --git a/components.conf b/components.conf
new file mode 100644
index 00000000..e1fc77ae
--- /dev/null
+++ b/components.conf
@@ -0,0 +1,9 @@
+[component "packaging"]
+	url = git@github.com:docker/docker-ce-packaging
+	branch = 18.06
+[component "engine"]
+	url = git@github.com:docker/engine
+	branch = 18.06
+[component "cli"]
+	url = git@github.com:docker/cli
+	branch = 18.06
diff --git a/engine/.DEREK.yml b/engine/.DEREK.yml
new file mode 100644
index 00000000..3fd67891
--- /dev/null
+++ b/engine/.DEREK.yml
@@ -0,0 +1,17 @@
+curators:
+  - aboch
+  - alexellis
+  - andrewhsu
+  - anonymuse
+  - chanwit
+  - ehazlett
+  - fntlnz
+  - gianarb
+  - mgoelzer
+  - programmerq
+  - rheinwein
+  - ripcurld0
+  - thajeztah
+
+features:
+  - comments
diff --git a/engine/.dockerignore b/engine/.dockerignore
new file mode 100644
index 00000000..4a56f2e0
--- /dev/null
+++ b/engine/.dockerignore
@@ -0,0 +1,7 @@
+bundles
+.gopath
+vendor/pkg
+.go-pkg-cache
+.git
+hack/integration-cli-on-swarm/integration-cli-on-swarm
+
diff --git a/engine/.mailmap b/engine/.mailmap
new file mode 100644
index 00000000..8b62c78d
--- /dev/null
+++ b/engine/.mailmap
@@ -0,0 +1,491 @@
+# Generate AUTHORS: hack/generate-authors.sh
+
+# Tip for finding duplicates (besides scanning the output of AUTHORS for name
+# duplicates that aren't also email duplicates): scan the output of:
+#   git log --format='%aE - %aN' | sort -uf
+#
+# For explanation on this file format: man git-shortlog
+
+<21551195@zju.edu.cn> <hsinko@users.noreply.github.com>
+<mr.wrfly@gmail.com> <wrfly@users.noreply.github.com>
+Aaron L. Xu <liker.xu@foxmail.com>
+Abhinandan Prativadi <abhi@docker.com>
+Adrien Gallouët <adrien@gallouet.fr> <angt@users.noreply.github.com>
+Ahmed Kamal <email.ahmedkamal@googlemail.com>
+Ahmet Alp Balkan <ahmetb@microsoft.com> <ahmetalpbalkan@gmail.com>
+AJ Bowen <aj@soulshake.net>
+AJ Bowen <aj@soulshake.net> <aj@gandi.net>
+AJ Bowen <aj@soulshake.net> <amy@gandi.net>
+Akihiro Matsushima <amatsusbit@gmail.com> <amatsus@users.noreply.github.com>
+Akihiro Suda <suda.akihiro@lab.ntt.co.jp> <suda.kyoto@gmail.com>
+Aleksa Sarai <asarai@suse.de>
+Aleksa Sarai <asarai@suse.de> <asarai@suse.com>
+Aleksa Sarai <asarai@suse.de> <cyphar@cyphar.com>
+Aleksandrs Fadins <aleks@s-ko.net>
+Alessandro Boch <aboch@tetrationanalytics.com> <aboch@docker.com>
+Alex Chen <alexchenunix@gmail.com> <root@localhost.localdomain>
+Alex Ellis <alexellis2@gmail.com>
+Alex Goodman <wagoodman@gmail.com> <wagoodman@users.noreply.github.com>
+Alexander Larsson <alexl@redhat.com> <alexander.larsson@gmail.com>
+Alexander Morozov <lk4d4@docker.com>
+Alexander Morozov <lk4d4@docker.com> <lk4d4math@gmail.com>
+Alexandre Beslic <alexandre.beslic@gmail.com> <abronan@docker.com>
+Alicia Lauerman <alicia@eta.im> <allydevour@me.com>
+Allen Sun <allensun.shl@alibaba-inc.com> <allen.sun@daocloud.io>
+Allen Sun <allensun.shl@alibaba-inc.com> <shlallen1990@gmail.com>
+Andrew Weiss <andrew.weiss@docker.com> <andrew.weiss@microsoft.com>
+Andrew Weiss <andrew.weiss@docker.com> <andrew.weiss@outlook.com>
+André Martins  <aanm90@gmail.com> <martins@noironetworks.com>
+Andy Rothfusz <github@developersupport.net> <github@metaliveblog.com>
+Andy Smith <github@anarkystic.com>
+Ankush Agarwal <ankushagarwal11@gmail.com> <ankushagarwal@users.noreply.github.com>
+Antonio Murdaca <antonio.murdaca@gmail.com> <amurdaca@redhat.com>
+Antonio Murdaca <antonio.murdaca@gmail.com> <me@runcom.ninja>
+Antonio Murdaca <antonio.murdaca@gmail.com> <runcom@linux.com>
+Antonio Murdaca <antonio.murdaca@gmail.com> <runcom@redhat.com>
+Antonio Murdaca <antonio.murdaca@gmail.com> <runcom@users.noreply.github.com>
+Anuj Bahuguna <anujbahuguna.dev@gmail.com>
+Anuj Bahuguna <anujbahuguna.dev@gmail.com> <abahuguna@fiberlink.com>
+Anusha Ragunathan <anusha.ragunathan@docker.com> <anusha@docker.com>
+Arnaud Porterie <arnaud.porterie@docker.com>
+Arnaud Porterie <arnaud.porterie@docker.com> <icecrime@gmail.com>
+Arthur Gautier <baloo@gandi.net> <superbaloo+registrations.github@superbaloo.net>
+Avi Miller <avi.miller@oracle.com> <avi.miller@gmail.com>
+Ben Bonnefoy <frenchben@docker.com>
+Ben Golub <ben.golub@dotcloud.com>
+Ben Toews <mastahyeti@gmail.com> <mastahyeti@users.noreply.github.com>
+Benoit Chesneau <bchesneau@gmail.com>
+Bhiraj Butala <abhiraj.butala@gmail.com>
+Bhumika Bayani <bhumikabayani@gmail.com>
+Bilal Amarni <bilal.amarni@gmail.com> <bamarni@users.noreply.github.com>
+Bill Wang <ozbillwang@gmail.com> <SydOps@users.noreply.github.com>
+Bin Liu <liubin0329@gmail.com>
+Bin Liu <liubin0329@gmail.com> <liubin0329@users.noreply.github.com>
+Bingshen Wang <bingshen.wbs@alibaba-inc.com>
+Boaz Shuster <ripcurld.github@gmail.com>
+Brandon Philips <brandon.philips@coreos.com> <brandon@ifup.co>
+Brandon Philips <brandon.philips@coreos.com> <brandon@ifup.org>
+Brent Salisbury <brent.salisbury@docker.com> <brent@docker.com>
+Brian Goff <cpuguy83@gmail.com>
+Brian Goff <cpuguy83@gmail.com> <bgoff@cpuguy83-mbp.home>
+Brian Goff <cpuguy83@gmail.com> <bgoff@cpuguy83-mbp.local>
+Chander Govindarajan <chandergovind@gmail.com>
+Chao Wang <wangchao.fnst@cn.fujitsu.com> <chaowang@localhost.localdomain>
+Charles Hooper <charles.hooper@dotcloud.com> <chooper@plumata.com>
+Chen Chao <cc272309126@gmail.com>
+Chen Chuanliang <chen.chuanliang@zte.com.cn>
+Chen Mingjie <chenmingjie0828@163.com>
+Chen Qiu <cheney-90@hotmail.com>
+Chen Qiu <cheney-90@hotmail.com> <21321229@zju.edu.cn>
+Chris Dias <cdias@microsoft.com>
+Chris McKinnel <chris.mckinnel@tangentlabs.co.uk>
+Christopher Biscardi <biscarch@sketcht.com>
+Christopher Latham <sudosurootdev@gmail.com>
+Chun Chen <ramichen@tencent.com> <chenchun.feed@gmail.com>
+Corbin Coleman <corbin.coleman@docker.com>
+Cristian Staretu <cristian.staretu@gmail.com>
+Cristian Staretu <cristian.staretu@gmail.com> <unclejack@users.noreply.github.com>
+Cristian Staretu <cristian.staretu@gmail.com> <unclejacksons@gmail.com>
+CUI Wei <ghostplant@qq.com> cuiwei13 <cuiwei13@pku.edu.cn>
+Daehyeok Mun <daehyeok@gmail.com>
+Daehyeok Mun <daehyeok@gmail.com> <daehyeok@daehyeok-ui-MacBook-Air.local>
+Daehyeok Mun <daehyeok@gmail.com> <daehyeok@daehyeokui-MacBook-Air.local>
+Dan Feldman <danf@jfrog.com>
+Daniel Dao <dqminh@cloudflare.com>
+Daniel Dao <dqminh@cloudflare.com> <dqminh89@gmail.com>
+Daniel Garcia <daniel@danielgarcia.info>
+Daniel Gasienica <daniel@gasienica.ch> <dgasienica@zynga.com>
+Daniel Goosen <daniel.goosen@surveysampling.com> <djgoosen@users.noreply.github.com>
+Daniel Grunwell <mwgrunny@gmail.com>
+Daniel J Walsh <dwalsh@redhat.com>
+Daniel Mizyrycki <daniel.mizyrycki@dotcloud.com> <daniel@dotcloud.com>
+Daniel Mizyrycki <daniel.mizyrycki@dotcloud.com> <mzdaniel@glidelink.net>
+Daniel Mizyrycki <daniel.mizyrycki@dotcloud.com> <root@vagrant-ubuntu-12.10.vagrantup.com>
+Daniel Nephin <dnephin@docker.com> <dnephin@gmail.com>
+Daniel Norberg <dano@spotify.com> <daniel.norberg@gmail.com>
+Daniel Watkins <daniel@daniel-watkins.co.uk>
+Danny Yates <danny@codeaholics.org> <Danny.Yates@mailonline.co.uk>
+Darren Shepherd <darren.s.shepherd@gmail.com> <darren@rancher.com>
+Dattatraya Kumbhar <dattatraya.kumbhar@gslab.com>
+Dave Goodchild <buddhamagnet@gmail.com>
+Dave Henderson <dhenderson@gmail.com> <Dave.Henderson@ca.ibm.com>
+Dave Tucker <dt@docker.com> <dave@dtucker.co.uk>
+David M. Karr <davidmichaelkarr@gmail.com>
+David Sheets <dsheets@docker.com> <sheets@alum.mit.edu>
+David Sissitka <me@dsissitka.com>
+David Williamson <david.williamson@docker.com> <davidwilliamson@users.noreply.github.com>
+Deshi Xiao <dxiao@redhat.com> <dsxiao@dataman-inc.com>
+Deshi Xiao <dxiao@redhat.com> <xiaods@gmail.com>
+Diego Siqueira <dieg0@live.com>
+Diogo Monica <diogo@docker.com> <diogo.monica@gmail.com>
+Dominik Honnef <dominik@honnef.co> <dominikh@fork-bomb.org>
+Doug Davis <dug@us.ibm.com> <duglin@users.noreply.github.com>
+Doug Tangren <d.tangren@gmail.com>
+Elan Ruusamäe <glen@pld-linux.org>
+Elan Ruusamäe <glen@pld-linux.org> <glen@delfi.ee>
+Elango Sivanandam <elango.siva@docker.com>
+Eric G. Noriega <enoriega@vizuri.com> <egnoriega@users.noreply.github.com>
+Eric Hanchrow <ehanchrow@ine.com> <eric.hanchrow@gmail.com>
+Eric Rosenberg <ehaydenr@gmail.com> <ehaydenr@users.noreply.github.com>
+Erica Windisch <erica@windisch.us> <eric@windisch.us>
+Erica Windisch <erica@windisch.us> <ewindisch@docker.com>
+Erik Hollensbe <github@hollensbe.org> <erik+github@hollensbe.org>
+Erwin van der Koogh <info@erronis.nl>
+Ethan Bell <ebgamer29@gmail.com>
+Euan Kemp <euan.kemp@coreos.com> <euank@amazon.com>
+Eugen Krizo <eugen.krizo@gmail.com>
+Evan Hazlett <ejhazlett@gmail.com> <ehazlett@users.noreply.github.com>
+Evelyn Xu <evelynhsu21@gmail.com>
+Evgeny Shmarnev <shmarnev@gmail.com>
+Faiz Khan <faizkhan00@gmail.com>
+Fangming Fang <fangming.fang@arm.com>
+Felix Hupfeld <felix@quobyte.com> <quofelix@users.noreply.github.com>
+Felix Ruess <felix.ruess@gmail.com> <felix.ruess@roboception.de>
+Feng Yan <fy2462@gmail.com>
+Fengtu Wang <wangfengtu@huawei.com> <wangfengtu@huawei.com>
+Francisco Carriedo <fcarriedo@gmail.com>
+Frank Rosquin <frank.rosquin+github@gmail.com> <frank.rosquin@gmail.com>
+Frederick F. Kautz IV <fkautz@redhat.com> <fkautz@alumni.cmu.edu>
+Gabriel Nicolas Avellaneda <avellaneda.gabriel@gmail.com>
+Gaetan de Villele <gdevillele@gmail.com>
+Gang Qiao <qiaohai8866@gmail.com> <1373319223@qq.com>
+George Kontridze <george@bugsnag.com>
+Gerwim Feiken <g.feiken@tfe.nl> <gerwim@gmail.com>
+Giampaolo Mancini <giampaolo@trampolineup.com>
+Gopikannan Venugopalsamy <gopikannan.venugopalsamy@gmail.com>
+Gou Rao <gou@portworx.com> <gourao@users.noreply.github.com>
+Greg Stephens <greg@udon.org>
+Guillaume J. Charmes <guillaume.charmes@docker.com> <charmes.guillaume@gmail.com>
+Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume.charmes@dotcloud.com>
+Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@charmes.net>
+Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@docker.com>
+Guillaume J. Charmes <guillaume.charmes@docker.com> <guillaume@dotcloud.com>
+Guri <odg0318@gmail.com>
+Gurjeet Singh <gurjeet@singh.im> <singh.gurjeet@gmail.com>
+Gustav Sinder <gustav.sinder@gmail.com>
+Günther Jungbluth <gunther@gameslabs.net>
+Hakan Özler <hakan.ozler@kodcu.com>
+Hao Shu Wei <haosw@cn.ibm.com>
+Hao Shu Wei <haosw@cn.ibm.com> <haoshuwei1989@163.com>
+Harald Albers <github@albersweb.de> <albers@users.noreply.github.com>
+Harold Cooper <hrldcpr@gmail.com>
+Harry Zhang <harryz@hyper.sh> <harryzhang@zju.edu.cn>
+Harry Zhang <harryz@hyper.sh> <resouer@163.com>
+Harry Zhang <harryz@hyper.sh> <resouer@gmail.com>
+Harry Zhang <resouer@163.com>
+Harshal Patil <harshal.patil@in.ibm.com> <harche@users.noreply.github.com>
+Helen Xie <chenjg@harmonycloud.cn>
+Hollie Teal <hollie@docker.com>
+Hollie Teal <hollie@docker.com> <hollie.teal@docker.com>
+Hollie Teal <hollie@docker.com> <hollietealok@users.noreply.github.com>
+Hu Keping <hukeping@huawei.com>
+Huu Nguyen <huu@prismskylabs.com> <whoshuu@gmail.com>
+Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com>
+Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com> <1187766782@qq.com>
+Ilya Khlopotov <ilya.khlopotov@gmail.com>
+Ivan Markin <sw@nogoegst.net> <twim@riseup.net>
+Jack Laxson <jackjrabbit@gmail.com>
+Jacob Atzen <jacob@jacobatzen.dk> <jatzen@gmail.com>
+Jacob Tomlinson <jacob@tom.linson.uk> <jacobtomlinson@users.noreply.github.com>
+Jaivish Kothari <janonymous.codevulture@gmail.com>
+Jamie Hannaford <jamie@limetree.org> <jamie.hannaford@rackspace.com>
+Jean-Baptiste Barth <jeanbaptiste.barth@gmail.com>
+Jean-Baptiste Dalido <jeanbaptiste@appgratis.com>
+Jean-Tiare Le Bigot <jt@yadutaf.fr> <admin@jtlebi.fr>
+Jeff Anderson <jeff@docker.com> <jefferya@programmerq.net>
+Jeff Nickoloff <jeff.nickoloff@gmail.com> <jeff@allingeek.com>
+Jeroen Franse <jeroenfranse@gmail.com>
+Jessica Frazelle <jessfraz@google.com>
+Jessica Frazelle <jessfraz@google.com> <acidburn@docker.com>
+Jessica Frazelle <jessfraz@google.com> <acidburn@google.com>
+Jessica Frazelle <jessfraz@google.com> <jess@docker.com>
+Jessica Frazelle <jessfraz@google.com> <jess@mesosphere.com>
+Jessica Frazelle <jessfraz@google.com> <jfrazelle@users.noreply.github.com>
+Jessica Frazelle <jessfraz@google.com> <me@jessfraz.com>
+Jessica Frazelle <jessfraz@google.com> <princess@docker.com>
+Jim Galasyn <jim.galasyn@docker.com>
+Jiuyue Ma <majiuyue@huawei.com>
+Joey Geiger <jgeiger@gmail.com>
+Joffrey F <joffrey@docker.com>
+Joffrey F <joffrey@docker.com> <f.joffrey@gmail.com>
+Joffrey F <joffrey@docker.com> <joffrey@dotcloud.com>
+Johan Euphrosine <proppy@google.com> <proppy@aminche.com>
+John Harris <john@johnharris.io>
+John Howard (VM) <John.Howard@microsoft.com>
+John Howard (VM) <John.Howard@microsoft.com> <jhoward@microsoft.com>
+John Howard (VM) <John.Howard@microsoft.com> <jhoward@ntdev.microsoft.com>
+John Howard (VM) <John.Howard@microsoft.com> <jhowardmsft@users.noreply.github.com>
+John Howard (VM) <John.Howard@microsoft.com> <john.howard@microsoft.com>
+John Stephens <johnstep@docker.com> <johnstep@users.noreply.github.com>
+Jonathan Choy <jonathan.j.choy@gmail.com>
+Jonathan Choy <jonathan.j.choy@gmail.com> <oni@tetsujinlabs.com>
+Jon Surrell <jon.surrell@gmail.com> <jon.surrell@automattic.com>
+Jordan Arentsen <blissdev@gmail.com>
+Jordan Jennings <jjn2009@gmail.com> <jjn2009@users.noreply.github.com>
+Jorit Kleine-Möllhoff <joppich@bricknet.de> <joppich@users.noreply.github.com>
+Jose Diaz-Gonzalez <jose@seatgeek.com> <josegonzalez@users.noreply.github.com>
+Josh Bonczkowski <josh.bonczkowski@gmail.com>
+Josh Eveleth <joshe@opendns.com> <jeveleth@users.noreply.github.com>
+Josh Hawn <josh.hawn@docker.com> <jlhawn@berkeley.edu>
+Josh Horwitz <horwitz@addthis.com> <horwitzja@gmail.com>
+Josh Soref <jsoref@gmail.com> <jsoref@users.noreply.github.com>
+Josh Wilson <josh.wilson@fivestars.com> <jcwilson@users.noreply.github.com>
+Joyce Jang <mail@joycejang.com>
+Julien Bordellier <julienbordellier@gmail.com> <git@julienbordellier.com>
+Julien Bordellier <julienbordellier@gmail.com> <me@julienbordellier.com>
+Justin Cormack <justin.cormack@docker.com>
+Justin Cormack <justin.cormack@docker.com> <justin.cormack@unikernel.com>
+Justin Cormack <justin.cormack@docker.com> <justin@specialbusservice.com>
+Justin Simonelis <justin.p.simonelis@gmail.com> <justin.simonelis@PTS-JSIMON2.toronto.exclamation.com>
+Jérôme Petazzoni <jerome.petazzoni@docker.com> <jerome.petazzoni@dotcloud.com>
+Jérôme Petazzoni <jerome.petazzoni@docker.com> <jerome.petazzoni@gmail.com>
+Jérôme Petazzoni <jerome.petazzoni@docker.com> <jp@enix.org>
+K. Heller <pestophagous@gmail.com> <pestophagous@users.noreply.github.com>
+Kai Qiang Wu (Kennan) <wkq5325@gmail.com>
+Kai Qiang Wu (Kennan) <wkq5325@gmail.com> <wkqwu@cn.ibm.com>
+Kamil Domański <kamil@domanski.co>
+Kamjar Gerami <kami.gerami@gmail.com>
+Ken Cochrane <kencochrane@gmail.com> <KenCochrane@gmail.com>
+Ken Herner <kherner@progress.com> <chosenken@gmail.com>
+Kenfe-Mickaël Laventure <mickael.laventure@gmail.com>
+Kevin Feyrer <kevin.feyrer@btinternet.com> <kevinfeyrer@users.noreply.github.com>
+Kevin Kern <kaiwentan@harmonycloud.cn>
+Kevin Meredith <kevin.m.meredith@gmail.com>
+Kir Kolyshkin <kolyshkin@gmail.com>
+Kir Kolyshkin <kolyshkin@gmail.com> <kir@openvz.org>
+Kir Kolyshkin <kolyshkin@gmail.com> <kolyshkin@users.noreply.github.com>
+Konrad Kleine <konrad.wilhelm.kleine@gmail.com> <kwk@users.noreply.github.com>
+Konstantin Gribov <grossws@gmail.com>
+Konstantin Pelykh <kpelykh@zettaset.com>
+Kotaro Yoshimatsu <kotaro.yoshimatsu@gmail.com>
+Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp> <kunal.kushwaha@gmail.com>
+Lajos Papp <lajos.papp@sequenceiq.com> <lalyos@yahoo.com>
+Lei Jitang <leijitang@huawei.com>
+Lei Jitang <leijitang@huawei.com> <leijitang@gmail.com>
+Liang Mingqiang <mqliang.zju@gmail.com>
+Liang-Chi Hsieh <viirya@gmail.com>
+Liao Qingwei <liaoqingwei@huawei.com>
+Linus Heckemann <lheckemann@twig-world.com>
+Linus Heckemann <lheckemann@twig-world.com> <anonymouse2048@gmail.com>
+Lokesh Mandvekar <lsm5@fedoraproject.org> <lsm5@redhat.com>
+Lorenzo Fontana <lo@linux.com> <fontanalorenzo@me.com>
+Louis Opter <kalessin@kalessin.fr>
+Louis Opter <kalessin@kalessin.fr> <louis@dotcloud.com>
+Luca Favatella <luca.favatella@erlang-solutions.com> <lucafavatella@users.noreply.github.com>
+Luke Marsden <me@lukemarsden.net> <luke@digital-crocus.com>
+Lyn <energylyn@zju.edu.cn>
+Lynda O'Leary <lyndaoleary29@gmail.com>
+Lynda O'Leary <lyndaoleary29@gmail.com> <lyndaoleary@hotmail.com>
+Ma Müller <mueller-ma@users.noreply.github.com>
+Madhan Raj Mookkandy <MadhanRaj.Mookkandy@microsoft.com> <madhanm@microsoft.com>
+Madhu Venugopal <madhu@socketplane.io> <madhu@docker.com>
+Mageee <fangpuyi@foxmail.com> <21521230.zju.edu.cn>
+Mansi Nahar <mmn4185@rit.edu> <mansi.nahar@macbookpro-mansinahar.local>
+Mansi Nahar <mmn4185@rit.edu> <mansinahar@users.noreply.github.com>
+Marc Abramowitz <marc@marc-abramowitz.com> <msabramo@gmail.com>
+Marcelo Horacio Fortino <info@fortinux.com> <fortinux@users.noreply.github.com>
+Marcus Linke <marcus.linke@gmx.de>
+Marianna Tessel <mtesselh@gmail.com>
+Mark Oates <fl0yd@me.com>
+Markan Patel <mpatel678@gmail.com>
+Markus Kortlang <hyp3rdino@googlemail.com> <markus.kortlang@lhsystems.com>
+Martin Redmond <redmond.martin@gmail.com> <martin@tinychat.com>
+Martin Redmond <redmond.martin@gmail.com> <xgithub@redmond5.com>
+Mary Anthony <mary.anthony@docker.com> <mary@docker.com>
+Mary Anthony <mary.anthony@docker.com> <moxieandmore@gmail.com>
+Mary Anthony <mary.anthony@docker.com> moxiegirl <mary@docker.com>
+Masato Ohba <over.rye@gmail.com>
+Matt Bentley <matt.bentley@docker.com> <mbentley@mbentley.net>
+Matt Schurenko <matt.schurenko@gmail.com>
+Matt Williams <mattyw@me.com>
+Matt Williams <mattyw@me.com> <gh@mattyw.net>
+Matthew Heon <mheon@redhat.com> <mheon@mheonlaptop.redhat.com>
+Matthew Mosesohn <raytrac3r@gmail.com>
+Matthew Mueller <mattmuelle@gmail.com>
+Matthias Kühnle <git.nivoc@neverbox.com> <kuehnle@online.de>
+Mauricio Garavaglia <mauricio@medallia.com> <mauriciogaravaglia@gmail.com>
+Michael Crosby <michael@docker.com> <crosby.michael@gmail.com>
+Michael Crosby <michael@docker.com> <crosbymichael@gmail.com>
+Michael Crosby <michael@docker.com> <michael@crosbymichael.com>
+Michał Gryko <github@odkurzacz.org>
+Michael Hudson-Doyle <michael.hudson@canonical.com> <michael.hudson@linaro.org>
+Michael Huettermann <michael@huettermann.net>
+Michael Käufl <docker@c.michael-kaeufl.de> <michael-k@users.noreply.github.com>
+Michael Nussbaum <michael.nussbaum@getbraintree.com>
+Michael Nussbaum <michael.nussbaum@getbraintree.com> <code@getbraintree.com>
+Michael Spetsiotis <michael_spets@hotmail.com>
+Michal Minář <miminar@redhat.com>
+Miguel Angel Alvarez Cabrerizo <doncicuto@gmail.com> <30386061+doncicuto@users.noreply.github.com>
+Miguel Angel Fernández <elmendalerenda@gmail.com>
+Mihai Borobocea <MihaiBorob@gmail.com> <MihaiBorobocea@gmail.com>
+Mike Casas <mkcsas0@gmail.com> <mikecasas@users.noreply.github.com>
+Mike Goelzer <mike.goelzer@docker.com> <mgoelzer@docker.com>
+Milind Chawre <milindchawre@gmail.com>
+Misty Stanley-Jones <misty@docker.com> <misty@apache.org>
+Mohit Soni <mosoni@ebay.com> <mohitsoni1989@gmail.com>
+Moorthy RS <rsmoorthy@gmail.com> <rsmoorthy@users.noreply.github.com>
+Moysés Borges <moysesb@gmail.com>
+Moysés Borges <moysesb@gmail.com> <moyses.furtado@wplex.com.br>
+Nace Oroz <orkica@gmail.com>
+Nathan LeClaire <nathan.leclaire@docker.com> <nathan.leclaire@gmail.com>
+Nathan LeClaire <nathan.leclaire@docker.com> <nathanleclaire@gmail.com>
+Neil Horman <nhorman@tuxdriver.com> <nhorman@hmswarspite.think-freely.org>
+Nick Russo <nicholasjamesrusso@gmail.com> <nicholasrusso@icloud.com>
+Nicolas Borboën <ponsfrilus@gmail.com> <ponsfrilus@users.noreply.github.com>
+Nigel Poulton <nigelpoulton@hotmail.com>
+Nik Nyby <nikolas@gnu.org> <nnyby@columbia.edu>
+Nolan Darilek <nolan@thewordnerd.info>
+O.S. Tezer <ostezer@gmail.com>
+O.S. Tezer <ostezer@gmail.com> <ostezer@users.noreply.github.com>
+Oh Jinkyun <tintypemolly@gmail.com> <tintypemolly@Ohui-MacBook-Pro.local>
+Ouyang Liduo <oyld0210@163.com>
+Patrick Stapleton <github@gdi2290.com>
+Paul Liljenberg <liljenberg.paul@gmail.com> <letters@paulnotcom.se>
+Pavel Tikhomirov <ptikhomirov@virtuozzo.com> <ptikhomirov@parallels.com>
+Pawel Konczalski <mail@konczalski.de>
+Peter Choi <phkchoi89@gmail.com> <reikani@Peters-MacBook-Pro.local>
+Peter Dave Hello <hsu@peterdavehello.org> <PeterDaveHello@users.noreply.github.com>
+Peter Jaffe <pjaffe@nevo.com>
+Peter Nagy <xificurC@gmail.com> <pnagy@gratex.com>
+Peter Waller <p@pwaller.net> <peter@scraperwiki.com>
+Phil Estes <estesp@linux.vnet.ibm.com> <estesp@gmail.com>
+Philip Alexander Etling <paetling@gmail.com>
+Philipp Gillé <philipp.gille@gmail.com> <philippgille@users.noreply.github.com>
+Qiang Huang <h.huangqiang@huawei.com>
+Qiang Huang <h.huangqiang@huawei.com> <qhuang@10.0.2.15>
+Ray Tsang <rayt@google.com> <saturnism@users.noreply.github.com>
+Renaud Gaubert <rgaubert@nvidia.com> <renaud.gaubert@gmail.com>
+Robert Terhaar <rterhaar@atlanticdynamic.com> <robbyt@users.noreply.github.com>
+Roberto G. Hashioka <roberto.hashioka@docker.com> <roberto_hashioka@hotmail.com>
+Roberto Muñoz Fernández <robertomf@gmail.com> <roberto.munoz.fernandez.contractor@bbva.com>
+Roman Dudin <katrmr@gmail.com> <decadent@users.noreply.github.com>
+Ross Boucher <rboucher@gmail.com>
+Runshen Zhu <runshen.zhu@gmail.com>
+Ryan Stelly <ryan.stelly@live.com>
+Sakeven Jiang <jc5930@sina.cn>
+Sandeep Bansal <sabansal@microsoft.com>
+Sandeep Bansal <sabansal@microsoft.com> <msabansal@microsoft.com>
+Sargun Dhillon <sargun@netflix.com> <sargun@sargun.me>
+Sean Lee <seanlee@tw.ibm.com> <scaleoutsean@users.noreply.github.com>
+Sebastiaan van Stijn <github@gone.nl> <sebastiaan@ws-key-sebas3.dpi1.dpi>
+Sebastiaan van Stijn <github@gone.nl> <thaJeztah@users.noreply.github.com>
+Shaun Kaasten <shaunk@gmail.com>
+Shawn Landden <shawn@churchofgit.com> <shawnlandden@gmail.com>
+Shengbo Song <thomassong@tencent.com>
+Shengbo Song <thomassong@tencent.com> <mymneo@163.com>
+Shih-Yuan Lee <fourdollars@gmail.com>
+Shishir Mahajan <shishir.mahajan@redhat.com> <smahajan@redhat.com>
+Shukui Yang <yangshukui@huawei.com>
+Shuwei Hao <haosw@cn.ibm.com>
+Shuwei Hao <haosw@cn.ibm.com> <haoshuwei24@gmail.com>
+Sidhartha Mani <sidharthamn@gmail.com>
+Sjoerd Langkemper <sjoerd-github@linuxonly.nl> <sjoerd@byte.nl>
+Solomon Hykes <solomon@docker.com> <s@docker.com>
+Solomon Hykes <solomon@docker.com> <solomon.hykes@dotcloud.com>
+Solomon Hykes <solomon@docker.com> <solomon@dotcloud.com>
+Soshi Katsuta <soshi.katsuta@gmail.com>
+Soshi Katsuta <soshi.katsuta@gmail.com> <katsuta_soshi@cyberagent.co.jp>
+Sridhar Ratnakumar <sridharr@activestate.com>
+Sridhar Ratnakumar <sridharr@activestate.com> <github@srid.name>
+Srini Brahmaroutu <srbrahma@us.ibm.com> <sbrahma@us.ibm.com>
+Srinivasan Srivatsan <srinivasan.srivatsan@hpe.com> <srinsriv@users.noreply.github.com>
+Stefan Berger <stefanb@linux.vnet.ibm.com>
+Stefan Berger <stefanb@linux.vnet.ibm.com> <stefanb@us.ibm.com>
+Stefan J. Wernli <swernli@microsoft.com> <swernli@ntdev.microsoft.com>
+Stefan S. <tronicum@user.github.com>
+Stephan Spindler <shutefan@gmail.com> <shutefan@users.noreply.github.com>
+Stephen Day <stephen.day@docker.com>
+Stephen Day <stephen.day@docker.com> <stevvooe@users.noreply.github.com>
+Steve Desmond <steve@vtsv.ca> <stevedesmond-ca@users.noreply.github.com>
+Sun Gengze <690388648@qq.com>
+Sun Jianbo <wonderflow.sun@gmail.com>
+Sun Jianbo <wonderflow.sun@gmail.com> <wonderflow@zju.edu.cn>
+Sven Dowideit <SvenDowideit@home.org.au>
+Sven Dowideit <SvenDowideit@home.org.au> <sven@t440s.home.gateway>
+Sven Dowideit <SvenDowideit@home.org.au> <SvenDowideit@docker.com>
+Sven Dowideit <SvenDowideit@home.org.au> <SvenDowideit@fosiki.com>
+Sven Dowideit <SvenDowideit@home.org.au> <SvenDowideit@home.org.au>
+Sven Dowideit <SvenDowideit@home.org.au> <SvenDowideit@users.noreply.github.com>
+Sven Dowideit <SvenDowideit@home.org.au> <¨SvenDowideit@home.org.au¨>
+Sylvain Bellemare <sylvain@ascribe.io>
+Sylvain Bellemare <sylvain@ascribe.io> <sylvain.bellemare@ezeep.com>
+Tangi Colin <tangicolin@gmail.com>
+Tejesh Mehta <tejesh.mehta@gmail.com> <tj@init.me>
+Thatcher Peskens <thatcher@docker.com>
+Thatcher Peskens <thatcher@docker.com> <thatcher@dotcloud.com>
+Thatcher Peskens <thatcher@docker.com> <thatcher@gmx.net>
+Thomas Gazagnaire <thomas@gazagnaire.org> <thomas@gazagnaire.com>
+Thomas Léveil <thomasleveil@gmail.com>
+Thomas Léveil <thomasleveil@gmail.com> <thomasleveil@users.noreply.github.com>
+Tibor Vass <teabee89@gmail.com> <tibor@docker.com>
+Tibor Vass <teabee89@gmail.com> <tiborvass@users.noreply.github.com>
+Tim Bart <tim@fewagainstmany.com>
+Tim Bosse <taim@bosboot.org> <maztaim@users.noreply.github.com>
+Tim Ruffles <oi@truffles.me.uk> <timruffles@googlemail.com>
+Tim Terhorst <mynamewastaken+git@gmail.com>
+Tim Zju <21651152@zju.edu.cn>
+Timothy Hobbs <timothyhobbs@seznam.cz>
+Toli Kuznets <toli@docker.com>
+Tom Barlow <tomwbarlow@gmail.com>
+Tom Sweeney <tsweeney@redhat.com>
+Tõnis Tiigi <tonistiigi@gmail.com>
+Trishna Guha <trishnaguha17@gmail.com>
+Tristan Carel <tristan@cogniteev.com>
+Tristan Carel <tristan@cogniteev.com> <tristan.carel@gmail.com>
+Umesh Yadav <umesh4257@gmail.com>
+Umesh Yadav <umesh4257@gmail.com> <dungeonmaster18@users.noreply.github.com>
+Victor Lyuboslavsky <victor@victoreda.com>
+Victor Vieux <victor.vieux@docker.com> <dev@vvieux.com>
+Victor Vieux <victor.vieux@docker.com> <victor.vieux@dotcloud.com>
+Victor Vieux <victor.vieux@docker.com> <victor@docker.com>
+Victor Vieux <victor.vieux@docker.com> <victor@dotcloud.com>
+Victor Vieux <victor.vieux@docker.com> <victorvieux@gmail.com>
+Victor Vieux <victor.vieux@docker.com> <vieux@docker.com>
+Viktor Vojnovski <viktor.vojnovski@amadeus.com> <vojnovski@gmail.com>
+Vincent Batts <vbatts@redhat.com> <vbatts@hashbangbash.com>
+Vincent Bernat <Vincent.Bernat@exoscale.ch> <bernat@luffy.cx>
+Vincent Bernat <Vincent.Bernat@exoscale.ch> <vincent@bernat.im>
+Vincent Demeester <vincent.demeester@docker.com> <vincent+github@demeester.fr>
+Vincent Demeester <vincent.demeester@docker.com> <vincent@demeester.fr>
+Vincent Demeester <vincent.demeester@docker.com> <vincent@sbr.pm>
+Vishnu Kannan <vishnuk@google.com>
+Vladimir Rutsky <altsysrq@gmail.com> <iamironbob@gmail.com>
+Walter Stanish <walter@pratyeka.org>
+Wang Chao <chao.wang@ucloud.cn>
+Wang Chao <chao.wang@ucloud.cn> <wcwxyz@gmail.com>
+Wang Guoliang <liangcszzu@163.com>
+Wang Jie <wangjie5@chinaskycloud.com>
+Wang Ping <present.wp@icloud.com>
+Wang Xing <hzwangxing@corp.netease.com> <root@localhost>
+Wang Yuexiao <wang.yuexiao@zte.com.cn>
+Wayne Chang <wayne@neverfear.org>
+Wayne Song <wsong@docker.com> <wsong@users.noreply.github.com>
+Wei Wu <wuwei4455@gmail.com> cizixs <cizixs@163.com>
+Wenjun Tang <tangwj2@lenovo.com> <dodia@163.com>
+Wewang Xiaorenfine <wang.xiaoren@zte.com.cn>
+Will Weaver <monkey@buildingbananas.com>
+Xianglin Gao <xlgao@zju.edu.cn>
+Xianlu Bird <xianlubird@gmail.com>
+Xiaoyu Zhang <zhang.xiaoyu33@zte.com.cn>
+Xuecong Liao <satorulogic@gmail.com>
+Yamasaki Masahide <masahide.y@gmail.com>
+Yao Zaiyong <yaozaiyong@hotmail.com>
+Yassine Tijani <yasstij11@gmail.com>
+Yazhong Liu <yorkiefixer@gmail.com>
+Yestin Sun <sunyi0804@gmail.com> <yestin.sun@polyera.com>
+Yi EungJun <eungjun.yi@navercorp.com> <semtlenori@gmail.com>
+Ying Li <ying.li@docker.com>
+Ying Li <ying.li@docker.com> <cyli@twistedmatrix.com>
+Yong Tang <yong.tang.github@outlook.com> <yongtang@users.noreply.github.com>
+Yosef Fertel <yfertel@gmail.com> <frosforever@users.noreply.github.com>
+Yu Changchun <yuchangchun1@huawei.com>
+Yu Chengxia <yuchengxia@huawei.com>
+Yu Peng <yu.peng36@zte.com.cn>
+Yu Peng <yu.peng36@zte.com.cn> <yupeng36@zte.com.cn>
+Zachary Jaffee <zjaffee@us.ibm.com> <zij@case.edu>
+Zachary Jaffee <zjaffee@us.ibm.com> <zjaffee@apache.org>
+ZhangHang <stevezhang2014@gmail.com>
+Zhenkun Bi <bi.zhenkun@zte.com.cn>
+Zhou Hao <zhouhao@cn.fujitsu.com>
+Zhu Kunjia <zhu.kunjia@zte.com.cn>
+Zou Yu <zouyu7@huawei.com>
diff --git a/engine/AUTHORS b/engine/AUTHORS
new file mode 100644
index 00000000..46102d74
--- /dev/null
+++ b/engine/AUTHORS
@@ -0,0 +1,1984 @@
+# This file lists all individuals having contributed content to the repository.
+# For how it is generated, see `hack/generate-authors.sh`.
+
+Aanand Prasad <aanand.prasad@gmail.com>
+Aaron Davidson <aaron@databricks.com>
+Aaron Feng <aaron.feng@gmail.com>
+Aaron Huslage <huslage@gmail.com>
+Aaron L. Xu <liker.xu@foxmail.com>
+Aaron Lehmann <aaron.lehmann@docker.com>
+Aaron Welch <welch@packet.net>
+Aaron.L.Xu <likexu@harmonycloud.cn>
+Abel Muiño <amuino@gmail.com>
+Abhijeet Kasurde <akasurde@redhat.com>
+Abhinandan Prativadi <abhi@docker.com>
+Abhinav Ajgaonkar <abhinav316@gmail.com>
+Abhishek Chanda <abhishek.becs@gmail.com>
+Abhishek Sharma <abhishek@asharma.me>
+Abin Shahab <ashahab@altiscale.com>
+Adam Avilla <aavilla@yp.com>
+Adam Eijdenberg <adam.eijdenberg@gmail.com>
+Adam Kunk <adam.kunk@tiaa-cref.org>
+Adam Miller <admiller@redhat.com>
+Adam Mills <adam@armills.info>
+Adam Pointer <adam.pointer@skybettingandgaming.com>
+Adam Singer <financeCoding@gmail.com>
+Adam Walz <adam@adamwalz.net>
+Addam Hardy <addam.hardy@gmail.com>
+Aditi Rajagopal <arajagopal@us.ibm.com>
+Aditya <aditya@netroy.in>
+Adnan Khan <adnkha@amazon.com>
+Adolfo Ochagavía <aochagavia92@gmail.com>
+Adria Casas <adriacasas88@gmail.com>
+Adrian Moisey <adrian@changeover.za.net>
+Adrian Mouat <adrian.mouat@gmail.com>
+Adrian Oprea <adrian@codesi.nz>
+Adrien Folie <folie.adrien@gmail.com>
+Adrien Gallouët <adrien@gallouet.fr>
+Ahmed Kamal <email.ahmedkamal@googlemail.com>
+Ahmet Alp Balkan <ahmetb@microsoft.com>
+Aidan Feldman <aidan.feldman@gmail.com>
+Aidan Hobson Sayers <aidanhs@cantab.net>
+AJ Bowen <aj@soulshake.net>
+Ajey Charantimath <ajey.charantimath@gmail.com>
+ajneu <ajneu@users.noreply.github.com>
+Akash Gupta <akagup@microsoft.com>
+Akihiro Matsushima <amatsusbit@gmail.com>
+Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
+Akim Demaille <akim.demaille@docker.com>
+Akira Koyasu <mail@akirakoyasu.net>
+Akshay Karle <akshay.a.karle@gmail.com>
+Al Tobey <al@ooyala.com>
+alambike <alambike@gmail.com>
+Alan Scherger <flyinprogrammer@gmail.com>
+Alan Thompson <cloojure@gmail.com>
+Albert Callarisa <shark234@gmail.com>
+Albert Zhang <zhgwenming@gmail.com>
+Alejandro González Hevia <alejandrgh11@gmail.com>
+Aleksa Sarai <asarai@suse.de>
+Aleksandrs Fadins <aleks@s-ko.net>
+Alena Prokharchyk <alena@rancher.com>
+Alessandro Boch <aboch@tetrationanalytics.com>
+Alessio Biancalana <dottorblaster@gmail.com>
+Alex Chan <alex@alexwlchan.net>
+Alex Chen <alexchenunix@gmail.com>
+Alex Coventry <alx@empirical.com>
+Alex Crawford <alex.crawford@coreos.com>
+Alex Ellis <alexellis2@gmail.com>
+Alex Gaynor <alex.gaynor@gmail.com>
+Alex Goodman <wagoodman@gmail.com>
+Alex Olshansky <i@creagenics.com>
+Alex Samorukov <samm@os2.kiev.ua>
+Alex Warhawk <ax.warhawk@gmail.com>
+Alexander Artemenko <svetlyak.40wt@gmail.com>
+Alexander Boyd <alex@opengroove.org>
+Alexander Larsson <alexl@redhat.com>
+Alexander Midlash <amidlash@docker.com>
+Alexander Morozov <lk4d4@docker.com>
+Alexander Shopov <ash@kambanaria.org>
+Alexandre Beslic <alexandre.beslic@gmail.com>
+Alexandre Garnier <zigarn@gmail.com>
+Alexandre González <agonzalezro@gmail.com>
+Alexandre Jomin <alexandrejomin@gmail.com>
+Alexandru Sfirlogea <alexandru.sfirlogea@gmail.com>
+Alexey Guskov <lexag@mail.ru>
+Alexey Kotlyarov <alexey@infoxchange.net.au>
+Alexey Shamrin <shamrin@gmail.com>
+Alexis THOMAS <fr.alexisthomas@gmail.com>
+Alfred Landrum <alfred.landrum@docker.com>
+Ali Dehghani <ali.dehghani.g@gmail.com>
+Alicia Lauerman <alicia@eta.im>
+Alihan Demir <alihan_6153@hotmail.com>
+Allen Madsen <blatyo@gmail.com>
+Allen Sun <allensun.shl@alibaba-inc.com>
+almoehi <almoehi@users.noreply.github.com>
+Alvaro Saurin <alvaro.saurin@gmail.com>
+Alvin Deng <alvin.q.deng@utexas.edu>
+Alvin Richards <alvin.richards@docker.com>
+amangoel <amangoel@gmail.com>
+Amen Belayneh <amenbelayneh@gmail.com>
+Amir Goldstein <amir73il@aquasec.com>
+Amit Bakshi <ambakshi@gmail.com>
+Amit Krishnan <amit.krishnan@oracle.com>
+Amit Shukla <amit.shukla@docker.com>
+Amr Gawish <amr.gawish@gmail.com>
+Amy Lindburg <amy.lindburg@docker.com>
+Anand Patil <anand.prabhakar.patil@gmail.com>
+AnandkumarPatel <anandkumarpatel@gmail.com>
+Anatoly Borodin <anatoly.borodin@gmail.com>
+Anchal Agrawal <aagrawa4@illinois.edu>
+Anda Xu <anda.xu@docker.com>
+Anders Janmyr <anders@janmyr.com>
+Andre Dublin <81dublin@gmail.com>
+Andre Granovsky <robotciti@live.com>
+Andrea Luzzardi <aluzzardi@gmail.com>
+Andrea Turli <andrea.turli@gmail.com>
+Andreas Elvers <andreas@work.de>
+Andreas Köhler <andi5.py@gmx.net>
+Andreas Savvides <andreas@editd.com>
+Andreas Tiefenthaler <at@an-ti.eu>
+Andrei Gherzan <andrei@resin.io>
+Andrew C. Bodine <acbodine@us.ibm.com>
+Andrew Clay Shafer <andrewcshafer@gmail.com>
+Andrew Duckworth <grillopress@gmail.com>
+Andrew France <andrew@avito.co.uk>
+Andrew Gerrand <adg@golang.org>
+Andrew Guenther <guenther.andrew.j@gmail.com>
+Andrew He <he.andrew.mail@gmail.com>
+Andrew Hsu <andrewhsu@docker.com>
+Andrew Kuklewicz <kookster@gmail.com>
+Andrew Macgregor <andrew.macgregor@agworld.com.au>
+Andrew Macpherson <hopscotch23@gmail.com>
+Andrew Martin <sublimino@gmail.com>
+Andrew McDonnell <bugs@andrewmcdonnell.net>
+Andrew Munsell <andrew@wizardapps.net>
+Andrew Pennebaker <andrew.pennebaker@gmail.com>
+Andrew Po <absourd.noise@gmail.com>
+Andrew Weiss <andrew.weiss@docker.com>
+Andrew Williams <williams.andrew@gmail.com>
+Andrews Medina <andrewsmedina@gmail.com>
+Andrey Petrov <andrey.petrov@shazow.net>
+Andrey Stolbovsky <andrey.stolbovsky@gmail.com>
+André Martins <aanm90@gmail.com>
+andy <ztao@tibco-support.com>
+Andy Chambers <anchambers@paypal.com>
+andy diller <dillera@gmail.com>
+Andy Goldstein <agoldste@redhat.com>
+Andy Kipp <andy@rstudio.com>
+Andy Rothfusz <github@developersupport.net>
+Andy Smith <github@anarkystic.com>
+Andy Wilson <wilson.andrew.j+github@gmail.com>
+Anes Hasicic <anes.hasicic@gmail.com>
+Anil Belur <askb23@gmail.com>
+Anil Madhavapeddy <anil@recoil.org>
+Ankush Agarwal <ankushagarwal11@gmail.com>
+Anonmily <michelle@michelleliu.io>
+Anran Qiao <anran.qiao@daocloud.io>
+Anshul Pundir <anshul.pundir@docker.com>
+Anthon van der Neut <anthon@mnt.org>
+Anthony Baire <Anthony.Baire@irisa.fr>
+Anthony Bishopric <git@anthonybishopric.com>
+Anthony Dahanne <anthony.dahanne@gmail.com>
+Anthony Sottile <asottile@umich.edu>
+Anton Löfgren <anton.lofgren@gmail.com>
+Anton Nikitin <anton.k.nikitin@gmail.com>
+Anton Polonskiy <anton.polonskiy@gmail.com>
+Anton Tiurin <noxiouz@yandex.ru>
+Antonio Murdaca <antonio.murdaca@gmail.com>
+Antonis Kalipetis <akalipetis@gmail.com>
+Antony Messerli <amesserl@rackspace.com>
+Anuj Bahuguna <anujbahuguna.dev@gmail.com>
+Anusha Ragunathan <anusha.ragunathan@docker.com>
+apocas <petermdias@gmail.com>
+Arash Deshmeh <adeshmeh@ca.ibm.com>
+ArikaChen <eaglesora@gmail.com>
+Arnaud Lefebvre <a.lefebvre@outlook.fr>
+Arnaud Porterie <arnaud.porterie@docker.com>
+Arthur Barr <arthur.barr@uk.ibm.com>
+Arthur Gautier <baloo@gandi.net>
+Artur Meyster <arthurfbi@yahoo.com>
+Arun Gupta <arun.gupta@gmail.com>
+Asad Saeeduddin <masaeedu@gmail.com>
+Asbjørn Enge <asbjorn@hanafjedle.net>
+averagehuman <averagehuman@users.noreply.github.com>
+Avi Das <andas222@gmail.com>
+Avi Miller <avi.miller@oracle.com>
+Avi Vaid <avaid1996@gmail.com>
+ayoshitake <airandfingers@gmail.com>
+Azat Khuyiyakhmetov <shadow_uz@mail.ru>
+Bardia Keyoumarsi <bkeyouma@ucsc.edu>
+Barnaby Gray <barnaby@pickle.me.uk>
+Barry Allard <barry.allard@gmail.com>
+Bartłomiej Piotrowski <b@bpiotrowski.pl>
+Bastiaan Bakker <bbakker@xebia.com>
+bdevloed <boris.de.vloed@gmail.com>
+Ben Bonnefoy <frenchben@docker.com>
+Ben Firshman <ben@firshman.co.uk>
+Ben Golub <ben.golub@dotcloud.com>
+Ben Hall <ben@benhall.me.uk>
+Ben Sargent <ben@brokendigits.com>
+Ben Severson <BenSeverson@users.noreply.github.com>
+Ben Toews <mastahyeti@gmail.com>
+Ben Wiklund <ben@daisyowl.com>
+Benjamin Atkin <ben@benatkin.com>
+Benjamin Boudreau <boudreau.benjamin@gmail.com>
+Benjamin Yolken <yolken@stripe.com>
+Benoit Chesneau <bchesneau@gmail.com>
+Bernerd Schaefer <bj.schaefer@gmail.com>
+Bernhard M. Wiedemann <bwiedemann@suse.de>
+Bert Goethals <bert@bertg.be>
+Bharath Thiruveedula <bharath_ves@hotmail.com>
+Bhiraj Butala <abhiraj.butala@gmail.com>
+Bhumika Bayani <bhumikabayani@gmail.com>
+Bilal Amarni <bilal.amarni@gmail.com>
+Bill Wang <ozbillwang@gmail.com>
+Bin Liu <liubin0329@gmail.com>
+Bingshen Wang <bingshen.wbs@alibaba-inc.com>
+Blake Geno <blakegeno@gmail.com>
+Boaz Shuster <ripcurld.github@gmail.com>
+bobby abbott <ttobbaybbob@gmail.com>
+Boris Pruessmann <boris@pruessmann.org>
+Boshi Lian <farmer1992@gmail.com>
+Bouke Haarsma <bouke@webatoom.nl>
+Boyd Hemphill <boyd@feedmagnet.com>
+boynux <boynux@gmail.com>
+Bradley Cicenas <bradley.cicenas@gmail.com>
+Bradley Wright <brad@intranation.com>
+Brandon Liu <bdon@bdon.org>
+Brandon Philips <brandon.philips@coreos.com>
+Brandon Rhodes <brandon@rhodesmill.org>
+Brendan Dixon <brendand@microsoft.com>
+Brent Salisbury <brent.salisbury@docker.com>
+Brett Higgins <brhiggins@arbor.net>
+Brett Kochendorfer <brett.kochendorfer@gmail.com>
+Brett Randall <javabrett@gmail.com>
+Brian (bex) Exelbierd <bexelbie@redhat.com>
+Brian Bland <brian.bland@docker.com>
+Brian DeHamer <brian@dehamer.com>
+Brian Dorsey <brian@dorseys.org>
+Brian Flad <bflad417@gmail.com>
+Brian Goff <cpuguy83@gmail.com>
+Brian McCallister <brianm@skife.org>
+Brian Olsen <brian@maven-group.org>
+Brian Schwind <brianmschwind@gmail.com>
+Brian Shumate <brian@couchbase.com>
+Brian Torres-Gil <brian@dralth.com>
+Brian Trump <btrump@yelp.com>
+Brice Jaglin <bjaglin@teads.tv>
+Briehan Lombaard <briehan.lombaard@gmail.com>
+Bruno Bigras <bigras.bruno@gmail.com>
+Bruno Binet <bruno.binet@gmail.com>
+Bruno Gazzera <bgazzera@paginar.com>
+Bruno Renié <brutasse@gmail.com>
+Bruno Tavares <btavare@thoughtworks.com>
+Bryan Bess <squarejaw@bsbess.com>
+Bryan Boreham <bjboreham@gmail.com>
+Bryan Matsuo <bryan.matsuo@gmail.com>
+Bryan Murphy <bmurphy1976@gmail.com>
+Burke Libbey <burke@libbey.me>
+Byung Kang <byung.kang.ctr@amrdec.army.mil>
+Caleb Spare <cespare@gmail.com>
+Calen Pennington <cale@edx.org>
+Cameron Boehmer <cameron.boehmer@gmail.com>
+Cameron Spear <cameronspear@gmail.com>
+Campbell Allen <campbell.allen@gmail.com>
+Candid Dauth <cdauth@cdauth.eu>
+Cao Weiwei <cao.weiwei30@zte.com.cn>
+Carl Henrik Lunde <chlunde@ping.uio.no>
+Carl Loa Odin <carlodin@gmail.com>
+Carl X. Su <bcbcarl@gmail.com>
+Carlo Mion <mion00@gmail.com>
+Carlos Alexandro Becker <caarlos0@gmail.com>
+Carlos Sanchez <carlos@apache.org>
+Carol Fager-Higgins <carol.fager-higgins@docker.com>
+Cary <caryhartline@users.noreply.github.com>
+Casey Bisson <casey.bisson@joyent.com>
+Catalin Pirvu <pirvu.catalin94@gmail.com>
+Ce Gao <ce.gao@outlook.com>
+Cedric Davies <cedricda@microsoft.com>
+Cezar Sa Espinola <cezarsa@gmail.com>
+Chad Swenson <chadswen@gmail.com>
+Chance Zibolski <chance.zibolski@gmail.com>
+Chander Govindarajan <chandergovind@gmail.com>
+Chanhun Jeong <keyolk@gmail.com>
+Chao Wang <wangchao.fnst@cn.fujitsu.com>
+Charles Chan <charleswhchan@users.noreply.github.com>
+Charles Hooper <charles.hooper@dotcloud.com>
+Charles Law <claw@conduce.com>
+Charles Lindsay <chaz@chazomatic.us>
+Charles Merriam <charles.merriam@gmail.com>
+Charles Sarrazin <charles@sarraz.in>
+Charles Smith <charles.smith@docker.com>
+Charlie Drage <charlie@charliedrage.com>
+Charlie Lewis <charliel@lab41.org>
+Chase Bolt <chase.bolt@gmail.com>
+ChaYoung You <yousbe@gmail.com>
+Chen Chao <cc272309126@gmail.com>
+Chen Chuanliang <chen.chuanliang@zte.com.cn>
+Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
+Chen Min <chenmin46@huawei.com>
+Chen Mingjie <chenmingjie0828@163.com>
+Chen Qiu <cheney-90@hotmail.com>
+Cheng-mean Liu <soccerl@microsoft.com>
+Chengguang Xu <cgxu519@gmx.com>
+chenyuzhu <chenyuzhi@oschina.cn>
+Chetan Birajdar <birajdar.chetan@gmail.com>
+Chewey <prosto-chewey@users.noreply.github.com>
+Chia-liang Kao <clkao@clkao.org>
+chli <chli@freewheel.tv>
+Cholerae Hu <choleraehyq@gmail.com>
+Chris Alfonso <calfonso@redhat.com>
+Chris Armstrong <chris@opdemand.com>
+Chris Dias <cdias@microsoft.com>
+Chris Dituri <csdituri@gmail.com>
+Chris Fordham <chris@fordham-nagy.id.au>
+Chris Gavin <chris@chrisgavin.me>
+Chris Gibson <chris@chrisg.io>
+Chris Khoo <chris.khoo@gmail.com>
+Chris McKinnel <chris.mckinnel@tangentlabs.co.uk>
+Chris McKinnel <chrismckinnel@gmail.com>
+Chris Seto <chriskseto@gmail.com>
+Chris Snow <chsnow123@gmail.com>
+Chris St. Pierre <chris.a.st.pierre@gmail.com>
+Chris Stivers <chris@stivers.us>
+Chris Swan <chris.swan@iee.org>
+Chris Telfer <ctelfer@docker.com>
+Chris Wahl <github@wahlnetwork.com>
+Chris Weyl <cweyl@alumni.drew.edu>
+Christian Berendt <berendt@b1-systems.de>
+Christian Brauner <christian.brauner@ubuntu.com>
+Christian Böhme <developement@boehme3d.de>
+Christian Persson <saser@live.se>
+Christian Rotzoll <ch.rotzoll@gmail.com>
+Christian Simon <simon@swine.de>
+Christian Stefanescu <st.chris@gmail.com>
+Christophe Mehay <cmehay@online.net>
+Christophe Troestler <christophe.Troestler@umons.ac.be>
+Christophe Vidal <kriss@krizalys.com>
+Christopher Biscardi <biscarch@sketcht.com>
+Christopher Crone <christopher.crone@docker.com>
+Christopher Currie <codemonkey+github@gmail.com>
+Christopher Jones <tophj@linux.vnet.ibm.com>
+Christopher Latham <sudosurootdev@gmail.com>
+Christopher Rigor <crigor@gmail.com>
+Christy Perez <christy@linux.vnet.ibm.com>
+Chun Chen <ramichen@tencent.com>
+Ciro S. Costa <ciro.costa@usp.br>
+Clayton Coleman <ccoleman@redhat.com>
+Clinton Kitson <clintonskitson@gmail.com>
+Cody Roseborough <crrosebo@amazon.com>
+Coenraad Loubser <coenraad@wish.org.za>
+Colin Dunklau <colin.dunklau@gmail.com>
+Colin Hebert <hebert.colin@gmail.com>
+Colin Rice <colin@daedrum.net>
+Colin Walters <walters@verbum.org>
+Collin Guarino <collin.guarino@gmail.com>
+Colm Hally <colmhally@gmail.com>
+companycy <companycy@gmail.com>
+Corbin Coleman <corbin.coleman@docker.com>
+Corey Farrell <git@cfware.com>
+Cory Forsyth <cory.forsyth@gmail.com>
+cressie176 <github@stephen-cresswell.net>
+CrimsonGlory <CrimsonGlory@users.noreply.github.com>
+Cristian Staretu <cristian.staretu@gmail.com>
+cristiano balducci <cristiano.balducci@gmail.com>
+Cruceru Calin-Cristian <crucerucalincristian@gmail.com>
+CUI Wei <ghostplant@qq.com>
+Cyprian Gracz <cyprian.gracz@micro-jumbo.eu>
+Cyril F <cyrilf7x@gmail.com>
+Daan van Berkel <daan.v.berkel.1980@gmail.com>
+Daehyeok Mun <daehyeok@gmail.com>
+Dafydd Crosby <dtcrsby@gmail.com>
+dalanlan <dalanlan925@gmail.com>
+Damian Smyth <damian@dsau.co>
+Damien Nadé <github@livna.org>
+Damien Nozay <damien.nozay@gmail.com>
+Damjan Georgievski <gdamjan@gmail.com>
+Dan Anolik <dan@anolik.net>
+Dan Buch <d.buch@modcloth.com>
+Dan Cotora <dan@bluevision.ro>
+Dan Feldman <danf@jfrog.com>
+Dan Griffin <dgriffin@peer1.com>
+Dan Hirsch <thequux@upstandinghackers.com>
+Dan Keder <dan.keder@gmail.com>
+Dan Levy <dan@danlevy.net>
+Dan McPherson <dmcphers@redhat.com>
+Dan Stine <sw@stinemail.com>
+Dan Williams <me@deedubs.com>
+Dani Louca <dani.louca@docker.com>
+Daniel Antlinger <d.antlinger@gmx.at>
+Daniel Dao <dqminh@cloudflare.com>
+Daniel Exner <dex@dragonslave.de>
+Daniel Farrell <dfarrell@redhat.com>
+Daniel Garcia <daniel@danielgarcia.info>
+Daniel Gasienica <daniel@gasienica.ch>
+Daniel Grunwell <mwgrunny@gmail.com>
+Daniel Hiltgen <daniel.hiltgen@docker.com>
+Daniel J Walsh <dwalsh@redhat.com>
+Daniel Menet <membership@sontags.ch>
+Daniel Mizyrycki <daniel.mizyrycki@dotcloud.com>
+Daniel Nephin <dnephin@docker.com>
+Daniel Norberg <dano@spotify.com>
+Daniel Nordberg <dnordberg@gmail.com>
+Daniel Robinson <gottagetmac@gmail.com>
+Daniel S <dan.streby@gmail.com>
+Daniel Von Fange <daniel@leancoder.com>
+Daniel Watkins <daniel@daniel-watkins.co.uk>
+Daniel X Moore <yahivin@gmail.com>
+Daniel YC Lin <dlin.tw@gmail.com>
+Daniel Zhang <jmzwcn@gmail.com>
+Danny Berger <dpb587@gmail.com>
+Danny Yates <danny@codeaholics.org>
+Danyal Khaliq <danyal.khaliq@tenpearls.com>
+Darren Coxall <darren@darrencoxall.com>
+Darren Shepherd <darren.s.shepherd@gmail.com>
+Darren Stahl <darst@microsoft.com>
+Dattatraya Kumbhar <dattatraya.kumbhar@gslab.com>
+Davanum Srinivas <davanum@gmail.com>
+Dave Barboza <dbarboza@datto.com>
+Dave Goodchild <buddhamagnet@gmail.com>
+Dave Henderson <dhenderson@gmail.com>
+Dave MacDonald <mindlapse@gmail.com>
+Dave Tucker <dt@docker.com>
+David Anderson <dave@natulte.net>
+David Calavera <david.calavera@gmail.com>
+David Chung <david.chung@docker.com>
+David Corking <dmc-source@dcorking.com>
+David Cramer <davcrame@cisco.com>
+David Currie <david_currie@uk.ibm.com>
+David Davis <daviddavis@redhat.com>
+David Dooling <dooling@gmail.com>
+David Gageot <david@gageot.net>
+David Gebler <davidgebler@gmail.com>
+David Glasser <glasser@davidglasser.net>
+David Lawrence <david.lawrence@docker.com>
+David Lechner <david@lechnology.com>
+David M. Karr <davidmichaelkarr@gmail.com>
+David Mackey <tdmackey@booleanhaiku.com>
+David Mat <david@davidmat.com>
+David Mcanulty <github@hellspark.com>
+David McKay <david@rawkode.com>
+David Pelaez <pelaez89@gmail.com>
+David R. Jenni <david.r.jenni@gmail.com>
+David Röthlisberger <david@rothlis.net>
+David Sheets <dsheets@docker.com>
+David Sissitka <me@dsissitka.com>
+David Trott <github@davidtrott.com>
+David Williamson <david.williamson@docker.com>
+David Xia <dxia@spotify.com>
+David Young <yangboh@cn.ibm.com>
+Davide Ceretti <davide.ceretti@hogarthww.com>
+Dawn Chen <dawnchen@google.com>
+dbdd <wangtong2712@gmail.com>
+dcylabs <dcylabs@gmail.com>
+Deborah Gertrude Digges <deborah.gertrude.digges@gmail.com>
+deed02392 <georgehafiz@gmail.com>
+Deng Guangxing <dengguangxing@huawei.com>
+Deni Bertovic <deni@kset.org>
+Denis Defreyne <denis@soundcloud.com>
+Denis Gladkikh <denis@gladkikh.email>
+Denis Ollier <larchunix@users.noreply.github.com>
+Dennis Chen <barracks510@gmail.com>
+Dennis Chen <dennis.chen@arm.com>
+Dennis Docter <dennis@d23.nl>
+Derek <crq@kernel.org>
+Derek <crquan@gmail.com>
+Derek Ch <denc716@gmail.com>
+Derek McGowan <derek@mcgstyle.net>
+Deric Crago <deric.crago@gmail.com>
+Deshi Xiao <dxiao@redhat.com>
+devmeyster <arthurfbi@yahoo.com>
+Devvyn Murphy <devvyn@devvyn.com>
+Dharmit Shah <shahdharmit@gmail.com>
+Dhawal Yogesh Bhanushali <dbhanushali@vmware.com>
+Diego Romero <idiegoromero@gmail.com>
+Diego Siqueira <dieg0@live.com>
+Dieter Reuter <dieter.reuter@me.com>
+Dillon Dixon <dillondixon@gmail.com>
+Dima Stopel <dima@twistlock.com>
+Dimitri John Ledkov <dimitri.j.ledkov@intel.com>
+Dimitris Rozakis <dimrozakis@gmail.com>
+Dimitry Andric <d.andric@activevideo.com>
+Dinesh Subhraveti <dineshs@altiscale.com>
+Ding Fei <dingfei@stars.org.cn>
+Diogo Monica <diogo@docker.com>
+DiuDiugirl <sophia.wang@pku.edu.cn>
+Djibril Koné <kone.djibril@gmail.com>
+dkumor <daniel@dkumor.com>
+Dmitri Logvinenko <dmitri.logvinenko@gmail.com>
+Dmitri Shuralyov <shurcooL@gmail.com>
+Dmitry Demeshchuk <demeshchuk@gmail.com>
+Dmitry Gusev <dmitry.gusev@gmail.com>
+Dmitry Kononenko <d@dm42.ru>
+Dmitry Shyshkin <dmitry@shyshkin.org.ua>
+Dmitry Smirnov <onlyjob@member.fsf.org>
+Dmitry V. Krivenok <krivenok.dmitry@gmail.com>
+Dmitry Vorobev <dimahabr@gmail.com>
+Dolph Mathews <dolph.mathews@gmail.com>
+Dominik Dingel <dingel@linux.vnet.ibm.com>
+Dominik Finkbeiner <finkes93@gmail.com>
+Dominik Honnef <dominik@honnef.co>
+Don Kirkby <donkirkby@users.noreply.github.com>
+Don Kjer <don.kjer@gmail.com>
+Don Spaulding <donspauldingii@gmail.com>
+Donald Huang <don.hcd@gmail.com>
+Dong Chen <dongluo.chen@docker.com>
+Donovan Jones <git@gamma.net.nz>
+Doron Podoleanu <doronp@il.ibm.com>
+Doug Davis <dug@us.ibm.com>
+Doug MacEachern <dougm@vmware.com>
+Doug Tangren <d.tangren@gmail.com>
+Douglas Curtis <dougcurtis1@gmail.com>
+Dr Nic Williams <drnicwilliams@gmail.com>
+dragon788 <dragon788@users.noreply.github.com>
+Dražen Lučanin <kermit666@gmail.com>
+Drew Erny <drew.erny@docker.com>
+Drew Hubl <drew.hubl@gmail.com>
+Dustin Sallings <dustin@spy.net>
+Ed Costello <epc@epcostello.com>
+Edmund Wagner <edmund-wagner@web.de>
+Eiichi Tsukata <devel@etsukata.com>
+Eike Herzbach <eike@herzbach.net>
+Eivin Giske Skaaren <eivinsn@axis.com>
+Eivind Uggedal <eivind@uggedal.com>
+Elan Ruusamäe <glen@pld-linux.org>
+Elango Sivanandam <elango.siva@docker.com>
+Elena Morozova <lelenanam@gmail.com>
+Eli Uriegas <eli.uriegas@docker.com>
+Elias Faxö <elias.faxo@tre.se>
+Elias Probst <mail@eliasprobst.eu>
+Elijah Zupancic <elijah@zupancic.name>
+eluck <mail@eluck.me>
+Elvir Kuric <elvirkuric@gmail.com>
+Emil Davtyan <emil2k@gmail.com>
+Emil Hernvall <emil@quench.at>
+Emily Maier <emily@emilymaier.net>
+Emily Rose <emily@contactvibe.com>
+Emir Ozer <emirozer@yandex.com>
+Enguerran <engcolson@gmail.com>
+Eohyung Lee <liquidnuker@gmail.com>
+epeterso <epeterson@breakpoint-labs.com>
+Eric Barch <barch@tomesoftware.com>
+Eric Curtin <ericcurtin17@gmail.com>
+Eric G. Noriega <enoriega@vizuri.com>
+Eric Hanchrow <ehanchrow@ine.com>
+Eric Lee <thenorthsecedes@gmail.com>
+Eric Myhre <hash@exultant.us>
+Eric Paris <eparis@redhat.com>
+Eric Rafaloff <erafaloff@gmail.com>
+Eric Rosenberg <ehaydenr@gmail.com>
+Eric Sage <eric.david.sage@gmail.com>
+Eric Soderstrom <ericsoderstrom@gmail.com>
+Eric Yang <windfarer@gmail.com>
+Eric-Olivier Lamey <eo@lamey.me>
+Erica Windisch <erica@windisch.us>
+Erik Bray <erik.m.bray@gmail.com>
+Erik Dubbelboer <erik@dubbelboer.com>
+Erik Hollensbe <github@hollensbe.org>
+Erik Inge Bolsø <knan@redpill-linpro.com>
+Erik Kristensen <erik@erikkristensen.com>
+Erik St. Martin <alakriti@gmail.com>
+Erik Weathers <erikdw@gmail.com>
+Erno Hopearuoho <erno.hopearuoho@gmail.com>
+Erwin van der Koogh <info@erronis.nl>
+Ethan Bell <ebgamer29@gmail.com>
+Euan Kemp <euan.kemp@coreos.com>
+Eugen Krizo <eugen.krizo@gmail.com>
+Eugene Yakubovich <eugene.yakubovich@coreos.com>
+Evan Allrich <evan@unguku.com>
+Evan Carmi <carmi@users.noreply.github.com>
+Evan Hazlett <ejhazlett@gmail.com>
+Evan Krall <krall@yelp.com>
+Evan Phoenix <evan@fallingsnow.net>
+Evan Wies <evan@neomantra.net>
+Evelyn Xu <evelynhsu21@gmail.com>
+Everett Toews <everett.toews@rackspace.com>
+Evgeny Shmarnev <shmarnev@gmail.com>
+Evgeny Vereshchagin <evvers@ya.ru>
+Ewa Czechowska <ewa@ai-traders.com>
+Eystein Måløy Stenberg <eystein.maloy.stenberg@cfengine.com>
+ezbercih <cem.ezberci@gmail.com>
+Ezra Silvera <ezra@il.ibm.com>
+Fabian Lauer <kontakt@softwareschmiede-saar.de>
+Fabiano Rosas <farosas@br.ibm.com>
+Fabio Falci <fabiofalci@gmail.com>
+Fabio Kung <fabio.kung@gmail.com>
+Fabio Rapposelli <fabio@vmware.com>
+Fabio Rehm <fgrehm@gmail.com>
+Fabrizio Regini <freegenie@gmail.com>
+Fabrizio Soppelsa <fsoppelsa@mirantis.com>
+Faiz Khan <faizkhan00@gmail.com>
+falmp <chico.lopes@gmail.com>
+Fangming Fang <fangming.fang@arm.com>
+Fangyuan Gao <21551127@zju.edu.cn>
+Fareed Dudhia <fareeddudhia@googlemail.com>
+Fathi Boudra <fathi.boudra@linaro.org>
+Federico Gimenez <fgimenez@coit.es>
+Felipe Oliveira <felipeweb.programador@gmail.com>
+Felix Abecassis <fabecassis@nvidia.com>
+Felix Geisendörfer <felix@debuggable.com>
+Felix Hupfeld <felix@quobyte.com>
+Felix Rabe <felix@rabe.io>
+Felix Ruess <felix.ruess@gmail.com>
+Felix Schindler <fschindler@weluse.de>
+Feng Yan <fy2462@gmail.com>
+Fengtu Wang <wangfengtu@huawei.com>
+Ferenc Szabo <pragmaticfrank@gmail.com>
+Fernando <fermayo@gmail.com>
+Fero Volar <alian@alian.info>
+Ferran Rodenas <frodenas@gmail.com>
+Filipe Brandenburger <filbranden@google.com>
+Filipe Oliveira <contato@fmoliveira.com.br>
+Flavio Castelli <fcastelli@suse.com>
+Flavio Crisciani <flavio.crisciani@docker.com>
+Florian <FWirtz@users.noreply.github.com>
+Florian Klein <florian.klein@free.fr>
+Florian Maier <marsmensch@users.noreply.github.com>
+Florian Noeding <noeding@adobe.com>
+Florian Weingarten <flo@hackvalue.de>
+Florin Asavoaie <florin.asavoaie@gmail.com>
+Florin Patan <florinpatan@gmail.com>
+fonglh <fonglh@gmail.com>
+Foysal Iqbal <foysal.iqbal.fb@gmail.com>
+Francesc Campoy <campoy@google.com>
+Francis Chuang <francis.chuang@boostport.com>
+Francisco Carriedo <fcarriedo@gmail.com>
+Francisco Souza <f@souza.cc>
+Frank Groeneveld <frank@ivaldi.nl>
+Frank Herrmann <fgh@4gh.tv>
+Frank Macreery <frank@macreery.com>
+Frank Rosquin <frank.rosquin+github@gmail.com>
+Fred Lifton <fred.lifton@docker.com>
+Frederick F. Kautz IV <fkautz@redhat.com>
+Frederik Loeffert <frederik@zitrusmedia.de>
+Frederik Nordahl Jul Sabroe <frederikns@gmail.com>
+Freek Kalter <freek@kalteronline.org>
+Frieder Bluemle <frieder.bluemle@gmail.com>
+Félix Baylac-Jacqué <baylac.felix@gmail.com>
+Félix Cantournet <felix.cantournet@cloudwatt.com>
+Gabe Rosenhouse <gabe@missionst.com>
+Gabor Nagy <mail@aigeruth.hu>
+Gabriel Linder <linder.gabriel@gmail.com>
+Gabriel Monroy <gabriel@opdemand.com>
+Gabriel Nicolas Avellaneda <avellaneda.gabriel@gmail.com>
+Gaetan de Villele <gdevillele@gmail.com>
+Galen Sampson <galen.sampson@gmail.com>
+Gang Qiao <qiaohai8866@gmail.com>
+Gareth Rushgrove <gareth@morethanseven.net>
+Garrett Barboza <garrett@garrettbarboza.com>
+Gary Schaetz <gary@schaetzkc.com>
+Gaurav <gaurav.gosec@gmail.com>
+gautam, prasanna <prasannagautam@gmail.com>
+Gaël PORTAY <gael.portay@savoirfairelinux.com>
+Genki Takiuchi <genki@s21g.com>
+GennadySpb <lipenkov@gmail.com>
+Geoffrey Bachelet <grosfrais@gmail.com>
+George Kontridze <george@bugsnag.com>
+George MacRorie <gmacr31@gmail.com>
+George Xie <georgexsh@gmail.com>
+Georgi Hristozov <georgi@forkbomb.nl>
+Gereon Frey <gereon.frey@dynport.de>
+German DZ <germ@ndz.com.ar>
+Gert van Valkenhoef <g.h.m.van.valkenhoef@rug.nl>
+Gerwim Feiken <g.feiken@tfe.nl>
+Ghislain Bourgeois <ghislain.bourgeois@gmail.com>
+Giampaolo Mancini <giampaolo@trampolineup.com>
+Gianluca Borello <g.borello@gmail.com>
+Gildas Cuisinier <gildas.cuisinier@gcuisinier.net>
+gissehel <public-devgit-dantus@gissehel.org>
+Giuseppe Mazzotta <gdm85@users.noreply.github.com>
+Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
+Gleb M Borisov <borisov.gleb@gmail.com>
+Glyn Normington <gnormington@gopivotal.com>
+GoBella <caili_welcome@163.com>
+Goffert van Gool <goffert@phusion.nl>
+Gopikannan Venugopalsamy <gopikannan.venugopalsamy@gmail.com>
+Gosuke Miyashita <gosukenator@gmail.com>
+Gou Rao <gou@portworx.com>
+Govinda Fichtner <govinda.fichtner@googlemail.com>
+Grant Reaber <grant.reaber@gmail.com>
+Graydon Hoare <graydon@pobox.com>
+Greg Fausak <greg@tacodata.com>
+Greg Pflaum <gpflaum@users.noreply.github.com>
+Greg Stephens <greg@udon.org>
+Greg Thornton <xdissent@me.com>
+Grzegorz Jaśkiewicz <gj.jaskiewicz@gmail.com>
+Guilhem Lettron <guilhem+github@lettron.fr>
+Guilherme Salgado <gsalgado@gmail.com>
+Guillaume Dufour <gdufour.prestataire@voyages-sncf.com>
+Guillaume J. Charmes <guillaume.charmes@docker.com>
+guoxiuyan <guoxiuyan@huawei.com>
+Guri <odg0318@gmail.com>
+Gurjeet Singh <gurjeet@singh.im>
+Guruprasad <lgp171188@gmail.com>
+Gustav Sinder <gustav.sinder@gmail.com>
+gwx296173 <gaojing3@huawei.com>
+Günter Zöchbauer <guenter@gzoechbauer.com>
+Hakan Özler <hakan.ozler@kodcu.com>
+Hans Kristian Flaatten <hans@starefossen.com>
+Hans Rødtang <hansrodtang@gmail.com>
+Hao Shu Wei <haosw@cn.ibm.com>
+Hao Zhang <21521210@zju.edu.cn>
+Harald Albers <github@albersweb.de>
+Harley Laue <losinggeneration@gmail.com>
+Harold Cooper <hrldcpr@gmail.com>
+Harry Zhang <harryz@hyper.sh>
+Harshal Patil <harshal.patil@in.ibm.com>
+Harshal Patil <harshalp@linux.vnet.ibm.com>
+He Simei <hesimei@zju.edu.cn>
+He Xiaoxi <tossmilestone@gmail.com>
+He Xin <he_xinworld@126.com>
+heartlock <21521209@zju.edu.cn>
+Hector Castro <hectcastro@gmail.com>
+Helen Xie <chenjg@harmonycloud.cn>
+Henning Sprang <henning.sprang@gmail.com>
+Hiroshi Hatake <hatake@clear-code.com>
+Hobofan <goisser94@gmail.com>
+Hollie Teal <hollie@docker.com>
+Hong Xu <hong@topbug.net>
+Hongbin Lu <hongbin034@gmail.com>
+hsinko <21551195@zju.edu.cn>
+Hu Keping <hukeping@huawei.com>
+Hu Tao <hutao@cn.fujitsu.com>
+Huanzhong Zhang <zhanghuanzhong90@gmail.com>
+Huayi Zhang <irachex@gmail.com>
+Hugo Duncan <hugo@hugoduncan.org>
+Hugo Marisco <0x6875676f@gmail.com>
+Hunter Blanks <hunter@twilio.com>
+huqun <huqun@zju.edu.cn>
+Huu Nguyen <huu@prismskylabs.com>
+hyeongkyu.lee <hyeongkyu.lee@navercorp.com>
+Hyzhou Zhy <hyzhou.zhy@alibaba-inc.com>
+Iago López Galeiras <iago@kinvolk.io>
+Ian Babrou <ibobrik@gmail.com>
+Ian Bishop <ianbishop@pace7.com>
+Ian Bull <irbull@gmail.com>
+Ian Calvert <ianjcalvert@gmail.com>
+Ian Campbell <ian.campbell@docker.com>
+Ian Lee <IanLee1521@gmail.com>
+Ian Main <imain@redhat.com>
+Ian Philpot <ian.philpot@microsoft.com>
+Ian Truslove <ian.truslove@gmail.com>
+Iavael <iavaelooeyt@gmail.com>
+Icaro Seara <icaro.seara@gmail.com>
+Ignacio Capurro <icapurrofagian@gmail.com>
+Igor Dolzhikov <bluesriverz@gmail.com>
+Igor Karpovich <i.karpovich@currencysolutions.com>
+Iliana Weller <iweller@amazon.com>
+Ilkka Laukkanen <ilkka@ilkka.io>
+Ilya Dmitrichenko <errordeveloper@gmail.com>
+Ilya Gusev <mail@igusev.ru>
+Ilya Khlopotov <ilya.khlopotov@gmail.com>
+imre Fitos <imre.fitos+github@gmail.com>
+inglesp <peter.inglesby@gmail.com>
+Ingo Gottwald <in.gottwald@gmail.com>
+Isaac Dupree <antispam@idupree.com>
+Isabel Jimenez <contact.isabeljimenez@gmail.com>
+Isao Jonas <isao.jonas@gmail.com>
+Ivan Babrou <ibobrik@gmail.com>
+Ivan Fraixedes <ifcdev@gmail.com>
+Ivan Grcic <igrcic@gmail.com>
+Ivan Markin <sw@nogoegst.net>
+J Bruni <joaohbruni@yahoo.com.br>
+J. Nunn <jbnunn@gmail.com>
+Jack Danger Canty <jackdanger@squareup.com>
+Jack Laxson <jackjrabbit@gmail.com>
+Jacob Atzen <jacob@jacobatzen.dk>
+Jacob Edelman <edelman.jd@gmail.com>
+Jacob Tomlinson <jacob@tom.linson.uk>
+Jacob Vallejo <jakeev@amazon.com>
+Jacob Wen <jian.w.wen@oracle.com>
+Jaivish Kothari <janonymous.codevulture@gmail.com>
+Jake Champlin <jake.champlin.27@gmail.com>
+Jake Moshenko <jake@devtable.com>
+Jake Sanders <jsand@google.com>
+jakedt <jake@devtable.com>
+James Allen <jamesallen0108@gmail.com>
+James Carey <jecarey@us.ibm.com>
+James Carr <james.r.carr@gmail.com>
+James DeFelice <james.defelice@ishisystems.com>
+James Harrison Fisher <jameshfisher@gmail.com>
+James Kyburz <james.kyburz@gmail.com>
+James Kyle <james@jameskyle.org>
+James Lal <james@lightsofapollo.com>
+James Mills <prologic@shortcircuit.net.au>
+James Nesbitt <james.nesbitt@wunderkraut.com>
+James Nugent <james@jen20.com>
+James Turnbull <james@lovedthanlost.net>
+Jamie Hannaford <jamie@limetree.org>
+Jamshid Afshar <jafshar@yahoo.com>
+Jan Keromnes <janx@linux.com>
+Jan Koprowski <jan.koprowski@gmail.com>
+Jan Pazdziora <jpazdziora@redhat.com>
+Jan Toebes <jan@toebes.info>
+Jan-Gerd Tenberge <janten@gmail.com>
+Jan-Jaap Driessen <janjaapdriessen@gmail.com>
+Jana Radhakrishnan <mrjana@docker.com>
+Jannick Fahlbusch <git@jf-projects.de>
+Januar Wayong <januar@gmail.com>
+Jared Biel <jared.biel@bolderthinking.com>
+Jared Hocutt <jaredh@netapp.com>
+Jaroslaw Zabiello <hipertracker@gmail.com>
+jaseg <jaseg@jaseg.net>
+Jasmine Hegman <jasmine@jhegman.com>
+Jason Divock <jdivock@gmail.com>
+Jason Giedymin <jasong@apache.org>
+Jason Green <Jason.Green@AverInformatics.Com>
+Jason Hall <imjasonh@gmail.com>
+Jason Heiss <jheiss@aput.net>
+Jason Livesay <ithkuil@gmail.com>
+Jason McVetta <jason.mcvetta@gmail.com>
+Jason Plum <jplum@devonit.com>
+Jason Shepherd <jason@jasonshepherd.net>
+Jason Smith <jasonrichardsmith@gmail.com>
+Jason Sommer <jsdirv@gmail.com>
+Jason Stangroome <jason@codeassassin.com>
+jaxgeller <jacksongeller@gmail.com>
+Jay <imjching@hotmail.com>
+Jay <teguhwpurwanto@gmail.com>
+Jay Kamat <github@jgkamat.33mail.com>
+Jean-Baptiste Barth <jeanbaptiste.barth@gmail.com>
+Jean-Baptiste Dalido <jeanbaptiste@appgratis.com>
+Jean-Christophe Berthon <huygens@berthon.eu>
+Jean-Paul Calderone <exarkun@twistedmatrix.com>
+Jean-Pierre Huynh <jean-pierre.huynh@ounet.fr>
+Jean-Tiare Le Bigot <jt@yadutaf.fr>
+Jeeva S. Chelladhurai <sjeeva@gmail.com>
+Jeff Anderson <jeff@docker.com>
+Jeff Hajewski <jeff.hajewski@gmail.com>
+Jeff Johnston <jeff.johnston.mn@gmail.com>
+Jeff Lindsay <progrium@gmail.com>
+Jeff Mickey <j@codemac.net>
+Jeff Minard <jeff@creditkarma.com>
+Jeff Nickoloff <jeff.nickoloff@gmail.com>
+Jeff Silberman <jsilberm@gmail.com>
+Jeff Welch <whatthejeff@gmail.com>
+Jeffrey Bolle <jeffreybolle@gmail.com>
+Jeffrey Morgan <jmorganca@gmail.com>
+Jeffrey van Gogh <jvg@google.com>
+Jenny Gebske <jennifer@gebske.de>
+Jeremy Chambers <jeremy@thehipbot.com>
+Jeremy Grosser <jeremy@synack.me>
+Jeremy Price <jprice.rhit@gmail.com>
+Jeremy Qian <vanpire110@163.com>
+Jeremy Unruh <jeremybunruh@gmail.com>
+Jeremy Yallop <yallop@docker.com>
+Jeroen Franse <jeroenfranse@gmail.com>
+Jeroen Jacobs <github@jeroenj.be>
+Jesse Dearing <jesse.dearing@gmail.com>
+Jesse Dubay <jesse@thefortytwo.net>
+Jessica Frazelle <jessfraz@google.com>
+Jezeniel Zapanta <jpzapanta22@gmail.com>
+Jhon Honce <jhonce@redhat.com>
+Ji.Zhilong <zhilongji@gmail.com>
+Jian Zhang <zhangjian.fnst@cn.fujitsu.com>
+Jie Luo <luo612@zju.edu.cn>
+Jihyun Hwang <jhhwang@telcoware.com>
+Jilles Oldenbeuving <ojilles@gmail.com>
+Jim Alateras <jima@comware.com.au>
+Jim Galasyn <jim.galasyn@docker.com>
+Jim Minter <jminter@redhat.com>
+Jim Perrin <jperrin@centos.org>
+Jimmy Cuadra <jimmy@jimmycuadra.com>
+Jimmy Puckett <jimmy.puckett@spinen.com>
+Jimmy Song <rootsongjc@gmail.com>
+jimmyxian <jimmyxian2004@yahoo.com.cn>
+Jinsoo Park <cellpjs@gmail.com>
+Jiri Popelka <jpopelka@redhat.com>
+Jiuyue Ma <majiuyue@huawei.com>
+Jiří Župka <jzupka@redhat.com>
+jjy <jiangjinyang@outlook.com>
+jmzwcn <jmzwcn@gmail.com>
+Joao Fernandes <joao.fernandes@docker.com>
+Joe Beda <joe.github@bedafamily.com>
+Joe Doliner <jdoliner@pachyderm.io>
+Joe Ferguson <joe@infosiftr.com>
+Joe Gordon <joe.gordon0@gmail.com>
+Joe Shaw <joe@joeshaw.org>
+Joe Van Dyk <joe@tanga.com>
+Joel Friedly <joelfriedly@gmail.com>
+Joel Handwell <joelhandwell@gmail.com>
+Joel Hansson <joel.hansson@ecraft.com>
+Joel Wurtz <jwurtz@jolicode.com>
+Joey Geiger <jgeiger@gmail.com>
+Joey Geiger <jgeiger@users.noreply.github.com>
+Joey Gibson <joey@joeygibson.com>
+Joffrey F <joffrey@docker.com>
+Johan Euphrosine <proppy@google.com>
+Johan Rydberg <johan.rydberg@gmail.com>
+Johanan Lieberman <johanan.lieberman@gmail.com>
+Johannes 'fish' Ziemke <github@freigeist.org>
+John Costa <john.costa@gmail.com>
+John Feminella <jxf@jxf.me>
+John Gardiner Myers <jgmyers@proofpoint.com>
+John Gossman <johngos@microsoft.com>
+John Harris <john@johnharris.io>
+John Howard (VM) <John.Howard@microsoft.com>
+John Laswell <john.n.laswell@gmail.com>
+John Maguire <jmaguire@duosecurity.com>
+John Mulhausen <john@docker.com>
+John OBrien III <jobrieniii@yahoo.com>
+John Starks <jostarks@microsoft.com>
+John Stephens <johnstep@docker.com>
+John Tims <john.k.tims@gmail.com>
+John V. Martinez <jvmatl@gmail.com>
+John Warwick <jwarwick@gmail.com>
+John Willis <john.willis@docker.com>
+Jon Johnson <jonjohnson@google.com>
+Jon Surrell <jon.surrell@gmail.com>
+Jon Wedaman <jweede@gmail.com>
+Jonas Pfenniger <jonas@pfenniger.name>
+Jonathan A. Sternberg <jonathansternberg@gmail.com>
+Jonathan Boulle <jonathanboulle@gmail.com>
+Jonathan Camp <jonathan@irondojo.com>
+Jonathan Choy <jonathan.j.choy@gmail.com>
+Jonathan Dowland <jon+github@alcopop.org>
+Jonathan Lebon <jlebon@redhat.com>
+Jonathan Lomas <jonathan@floatinglomas.ca>
+Jonathan McCrohan <jmccrohan@gmail.com>
+Jonathan Mueller <j.mueller@apoveda.ch>
+Jonathan Pares <jonathanpa@users.noreply.github.com>
+Jonathan Rudenberg <jonathan@titanous.com>
+Jonathan Stoppani <jonathan.stoppani@divio.com>
+Jonh Wendell <jonh.wendell@redhat.com>
+Joni Sar <yoni@cocycles.com>
+Joost Cassee <joost@cassee.net>
+Jordan Arentsen <blissdev@gmail.com>
+Jordan Jennings <jjn2009@gmail.com>
+Jordan Sissel <jls@semicomplete.com>
+Jorge Marin <chipironcin@users.noreply.github.com>
+Jorit Kleine-Möllhoff <joppich@bricknet.de>
+Jose Diaz-Gonzalez <jose@seatgeek.com>
+Joseph Anthony Pasquale Holsten <joseph@josephholsten.com>
+Joseph Hager <ajhager@gmail.com>
+Joseph Kern <jkern@semafour.net>
+Joseph Rothrock <rothrock@rothrock.org>
+Josh <jokajak@gmail.com>
+Josh Bodah <jb3689@yahoo.com>
+Josh Bonczkowski <josh.bonczkowski@gmail.com>
+Josh Chorlton <jchorlton@gmail.com>
+Josh Eveleth <joshe@opendns.com>
+Josh Hawn <josh.hawn@docker.com>
+Josh Horwitz <horwitz@addthis.com>
+Josh Poimboeuf <jpoimboe@redhat.com>
+Josh Soref <jsoref@gmail.com>
+Josh Wilson <josh.wilson@fivestars.com>
+Josiah Kiehl <jkiehl@riotgames.com>
+José Tomás Albornoz <jojo@eljojo.net>
+Joyce Jang <mail@joycejang.com>
+JP <jpellerin@leapfrogonline.com>
+Julian Taylor <jtaylor.debian@googlemail.com>
+Julien Barbier <write0@gmail.com>
+Julien Bisconti <veggiemonk@users.noreply.github.com>
+Julien Bordellier <julienbordellier@gmail.com>
+Julien Dubois <julien.dubois@gmail.com>
+Julien Kassar <github@kassisol.com>
+Julien Maitrehenry <julien.maitrehenry@me.com>
+Julien Pervillé <julien.perville@perfect-memory.com>
+Julio Montes <imc.coder@gmail.com>
+Jun-Ru Chang <jrjang@gmail.com>
+Jussi Nummelin <jussi.nummelin@gmail.com>
+Justas Brazauskas <brazauskasjustas@gmail.com>
+Justin Cormack <justin.cormack@docker.com>
+Justin Force <justin.force@gmail.com>
+Justin Menga <justin.menga@gmail.com>
+Justin Plock <jplock@users.noreply.github.com>
+Justin Simonelis <justin.p.simonelis@gmail.com>
+Justin Terry <juterry@microsoft.com>
+Justyn Temme <justyntemme@gmail.com>
+Jyrki Puttonen <jyrkiput@gmail.com>
+Jérôme Petazzoni <jerome.petazzoni@docker.com>
+Jörg Thalheim <joerg@higgsboson.tk>
+K. Heller <pestophagous@gmail.com>
+Kai Blin <kai@samba.org>
+Kai Qiang Wu (Kennan) <wkq5325@gmail.com>
+Kamil Domański <kamil@domanski.co>
+Kamjar Gerami <kami.gerami@gmail.com>
+Kanstantsin Shautsou <kanstantsin.sha@gmail.com>
+Kara Alexandra <kalexandra@us.ibm.com>
+Karan Lyons <karan@karanlyons.com>
+Kareem Khazem <karkhaz@karkhaz.com>
+kargakis <kargakis@users.noreply.github.com>
+Karl Grzeszczak <karlgrz@gmail.com>
+Karol Duleba <mr.fuxi@gmail.com>
+Karthik Karanth <karanth.karthik@gmail.com>
+Karthik Nayak <Karthik.188@gmail.com>
+Kate Heddleston <kate.heddleston@gmail.com>
+Katie McLaughlin <katie@glasnt.com>
+Kato Kazuyoshi <kato.kazuyoshi@gmail.com>
+Katrina Owen <katrina.owen@gmail.com>
+Kawsar Saiyeed <kawsar.saiyeed@projiris.com>
+Kay Yan <kay.yan@daocloud.io>
+kayrus <kay.diam@gmail.com>
+Ke Li <kel@splunk.com>
+Ke Xu <leonhartx.k@gmail.com>
+Kei Ohmura <ohmura.kei@gmail.com>
+Keith Hudgins <greenman@greenman.org>
+Keli Hu <dev@keli.hu>
+Ken Cochrane <kencochrane@gmail.com>
+Ken Herner <kherner@progress.com>
+Ken ICHIKAWA <ichikawa.ken@jp.fujitsu.com>
+Kenfe-Mickaël Laventure <mickael.laventure@gmail.com>
+Kenjiro Nakayama <nakayamakenjiro@gmail.com>
+Kent Johnson <kentoj@gmail.com>
+Kevin "qwazerty" Houdebert <kevin.houdebert@gmail.com>
+Kevin Burke <kev@inburke.com>
+Kevin Clark <kevin.clark@gmail.com>
+Kevin Feyrer <kevin.feyrer@btinternet.com>
+Kevin J. Lynagh <kevin@keminglabs.com>
+Kevin Jing Qiu <kevin@idempotent.ca>
+Kevin Kern <kaiwentan@harmonycloud.cn>
+Kevin Menard <kevin@nirvdrum.com>
+Kevin Meredith <kevin.m.meredith@gmail.com>
+Kevin P. Kucharczyk <kevinkucharczyk@gmail.com>
+Kevin Richardson <kevin@kevinrichardson.co>
+Kevin Shi <kshi@andrew.cmu.edu>
+Kevin Wallace <kevin@pentabarf.net>
+Kevin Yap <me@kevinyap.ca>
+Keyvan Fatehi <keyvanfatehi@gmail.com>
+kies <lleelm@gmail.com>
+Kim BKC Carlbacker <kim.carlbacker@gmail.com>
+Kim Eik <kim@heldig.org>
+Kimbro Staken <kstaken@kstaken.com>
+Kir Kolyshkin <kolyshkin@gmail.com>
+Kiran Gangadharan <kiran.daredevil@gmail.com>
+Kirill SIbirev <l0kix2@gmail.com>
+knappe <tyler.knappe@gmail.com>
+Kohei Tsuruta <coheyxyz@gmail.com>
+Koichi Shiraishi <k@zchee.io>
+Konrad Kleine <konrad.wilhelm.kleine@gmail.com>
+Konstantin Gribov <grossws@gmail.com>
+Konstantin L <sw.double@gmail.com>
+Konstantin Pelykh <kpelykh@zettaset.com>
+Krasi Georgiev <krasi@vip-consult.solutions>
+Krasimir Georgiev <support@vip-consult.co.uk>
+Kris-Mikael Krister <krismikael@protonmail.com>
+Kristian Haugene <kristian.haugene@capgemini.com>
+Kristina Zabunova <triara.xiii@gmail.com>
+krrg <krrgithub@gmail.com>
+Kun Zhang <zkazure@gmail.com>
+Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
+Kyle Conroy <kyle.j.conroy@gmail.com>
+Kyle Linden <linden.kyle@gmail.com>
+kyu <leehk1227@gmail.com>
+Lachlan Coote <lcoote@vmware.com>
+Lai Jiangshan <jiangshanlai@gmail.com>
+Lajos Papp <lajos.papp@sequenceiq.com>
+Lakshan Perera <lakshan@laktek.com>
+Lalatendu Mohanty <lmohanty@redhat.com>
+Lance Chen <cyen0312@gmail.com>
+Lance Kinley <lkinley@loyaltymethods.com>
+Lars Butler <Lars.Butler@gmail.com>
+Lars Kellogg-Stedman <lars@redhat.com>
+Lars R. Damerow <lars@pixar.com>
+Lars-Magnus Skog <ralphtheninja@riseup.net>
+Laszlo Meszaros <lacienator@gmail.com>
+Laura Frank <ljfrank@gmail.com>
+Laurent Erignoux <lerignoux@gmail.com>
+Laurie Voss <github@seldo.com>
+Leandro Siqueira <leandro.siqueira@gmail.com>
+Lee Chao <932819864@qq.com>
+Lee, Meng-Han <sunrisedm4@gmail.com>
+leeplay <hyeongkyu.lee@navercorp.com>
+Lei Jitang <leijitang@huawei.com>
+Len Weincier <len@cloudafrica.net>
+Lennie <github@consolejunkie.net>
+Leo Gallucci <elgalu3@gmail.com>
+Leszek Kowalski <github@leszekkowalski.pl>
+Levi Blackstone <levi.blackstone@rackspace.com>
+Levi Gross <levi@levigross.com>
+Lewis Daly <lewisdaly@me.com>
+Lewis Marshall <lewis@lmars.net>
+Lewis Peckover <lew+github@lew.io>
+Li Yi <denverdino@gmail.com>
+Liam Macgillavry <liam@kumina.nl>
+Liana Lo <liana.lixia@gmail.com>
+Liang Mingqiang <mqliang.zju@gmail.com>
+Liang-Chi Hsieh <viirya@gmail.com>
+Liao Qingwei <liaoqingwei@huawei.com>
+Lily Guo <lily.guo@docker.com>
+limsy <seongyeol37@gmail.com>
+Lin Lu <doraalin@163.com>
+LingFaKe <lingfake@huawei.com>
+Linus Heckemann <lheckemann@twig-world.com>
+Liran Tal <liran.tal@gmail.com>
+Liron Levin <liron@twistlock.com>
+Liu Bo <bo.li.liu@oracle.com>
+Liu Hua <sdu.liu@huawei.com>
+liwenqi <vikilwq@zju.edu.cn>
+lixiaobing10051267 <li.xiaobing1@zte.com.cn>
+Liz Zhang <lizzha@microsoft.com>
+LIZAO LI <lzlarryli@gmail.com>
+Lizzie Dixon <_@lizzie.io>
+Lloyd Dewolf <foolswisdom@gmail.com>
+Lokesh Mandvekar <lsm5@fedoraproject.org>
+longliqiang88 <394564827@qq.com>
+Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
+Lorenzo Fontana <lo@linux.com>
+Louis Opter <kalessin@kalessin.fr>
+Luca Favatella <luca.favatella@erlang-solutions.com>
+Luca Marturana <lucamarturana@gmail.com>
+Luca Orlandi <luca.orlandi@gmail.com>
+Luca-Bogdan Grigorescu <Luca-Bogdan Grigorescu>
+Lucas Chan <lucas-github@lucaschan.com>
+Lucas Chi <lucas@teacherspayteachers.com>
+Lucas Molas <lmolas@fundacionsadosky.org.ar>
+Luciano Mores <leslau@gmail.com>
+Luis Martínez de Bartolomé Izquierdo <lmartinez@biicode.com>
+Luiz Svoboda <luizek@gmail.com>
+Lukas Waslowski <cr7pt0gr4ph7@gmail.com>
+lukaspustina <lukas.pustina@centerdevice.com>
+Lukasz Zajaczkowski <Lukasz.Zajaczkowski@ts.fujitsu.com>
+Luke Marsden <me@lukemarsden.net>
+Lyn <energylyn@zju.edu.cn>
+Lynda O'Leary <lyndaoleary29@gmail.com>
+Lénaïc Huard <lhuard@amadeus.com>
+Ma Müller <mueller-ma@users.noreply.github.com>
+Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
+Mabin <bin.ma@huawei.com>
+Madhan Raj Mookkandy <MadhanRaj.Mookkandy@microsoft.com>
+Madhav Puri <madhav.puri@gmail.com>
+Madhu Venugopal <madhu@socketplane.io>
+Mageee <fangpuyi@foxmail.com>
+Mahesh Tiyyagura <tmahesh@gmail.com>
+malnick <malnick@gmail..com>
+Malte Janduda <mail@janduda.net>
+Manfred Touron <m@42.am>
+Manfred Zabarauskas <manfredas@zabarauskas.com>
+Manjunath A Kumatagi <mkumatag@in.ibm.com>
+Mansi Nahar <mmn4185@rit.edu>
+Manuel Meurer <manuel@krautcomputing.com>
+Manuel Rüger <manuel@rueg.eu>
+Manuel Woelker <github@manuel.woelker.org>
+mapk0y <mapk0y@gmail.com>
+Marc Abramowitz <marc@marc-abramowitz.com>
+Marc Kuo <kuomarc2@gmail.com>
+Marc Tamsky <mtamsky@gmail.com>
+Marcel Edmund Franke <marcel.edmund.franke@gmail.com>
+Marcelo Horacio Fortino <info@fortinux.com>
+Marcelo Salazar <chelosalazar@gmail.com>
+Marco Hennings <marco.hennings@freiheit.com>
+Marcus Cobden <mcobden@cisco.com>
+Marcus Farkas <toothlessgear@finitebox.com>
+Marcus Linke <marcus.linke@gmx.de>
+Marcus Martins <marcus@docker.com>
+Marcus Ramberg <marcus@nordaaker.com>
+Marek Goldmann <marek.goldmann@gmail.com>
+Marian Marinov <mm@yuhu.biz>
+Marianna Tessel <mtesselh@gmail.com>
+Mario Loriedo <mario.loriedo@gmail.com>
+Marius Gundersen <me@mariusgundersen.net>
+Marius Sturm <marius@graylog.com>
+Marius Voila <marius.voila@gmail.com>
+Mark Allen <mrallen1@yahoo.com>
+Mark McGranaghan <mmcgrana@gmail.com>
+Mark McKinstry <mmckinst@umich.edu>
+Mark Milstein <mark@epiloque.com>
+Mark Oates <fl0yd@me.com>
+Mark Parker <godefroi@users.noreply.github.com>
+Mark West <markewest@gmail.com>
+Markan Patel <mpatel678@gmail.com>
+Marko Mikulicic <mmikulicic@gmail.com>
+Marko Tibold <marko@tibold.nl>
+Markus Fix <lispmeister@gmail.com>
+Markus Kortlang <hyp3rdino@googlemail.com>
+Martijn Dwars <ikben@martijndwars.nl>
+Martijn van Oosterhout <kleptog@svana.org>
+Martin Honermeyer <maze@strahlungsfrei.de>
+Martin Kelly <martin@surround.io>
+Martin Mosegaard Amdisen <martin.amdisen@praqma.com>
+Martin Redmond <redmond.martin@gmail.com>
+Mary Anthony <mary.anthony@docker.com>
+Masahito Zembutsu <zembutsu@users.noreply.github.com>
+Masato Ohba <over.rye@gmail.com>
+Masayuki Morita <minamijoyo@gmail.com>
+Mason Malone <mason.malone@gmail.com>
+Mateusz Sulima <sulima.mateusz@gmail.com>
+Mathias Monnerville <mathias@monnerville.com>
+Mathieu Champlon <mathieu.champlon@docker.com>
+Mathieu Le Marec - Pasquet <kiorky@cryptelium.net>
+Mathieu Parent <math.parent@gmail.com>
+Matt Apperson <me@mattapperson.com>
+Matt Bachmann <bachmann.matt@gmail.com>
+Matt Bentley <matt.bentley@docker.com>
+Matt Haggard <haggardii@gmail.com>
+Matt Hoyle <matt@deployable.co>
+Matt McCormick <matt.mccormick@kitware.com>
+Matt Moore <mattmoor@google.com>
+Matt Richardson <matt@redgumtech.com.au>
+Matt Rickard <mrick@google.com>
+Matt Robenolt <matt@ydekproductions.com>
+Matt Schurenko <matt.schurenko@gmail.com>
+Matt Williams <mattyw@me.com>
+Matthew Heon <mheon@redhat.com>
+Matthew Lapworth <matthewl@bit-shift.net>
+Matthew Mayer <matthewkmayer@gmail.com>
+Matthew Mosesohn <raytrac3r@gmail.com>
+Matthew Mueller <mattmuelle@gmail.com>
+Matthew Riley <mattdr@google.com>
+Matthias Klumpp <matthias@tenstral.net>
+Matthias Kühnle <git.nivoc@neverbox.com>
+Matthias Rampke <mr@soundcloud.com>
+Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+Mauricio Garavaglia <mauricio@medallia.com>
+mauriyouth <mauriyouth@gmail.com>
+Max Shytikov <mshytikov@gmail.com>
+Maxim Fedchyshyn <sevmax@gmail.com>
+Maxim Ivanov <ivanov.maxim@gmail.com>
+Maxim Kulkin <mkulkin@mirantis.com>
+Maxim Treskin <zerthurd@gmail.com>
+Maxime Petazzoni <max@signalfuse.com>
+Meaglith Ma <genedna@gmail.com>
+meejah <meejah@meejah.ca>
+Megan Kostick <mkostick@us.ibm.com>
+Mehul Kar <mehul.kar@gmail.com>
+Mei ChunTao <mei.chuntao@zte.com.cn>
+Mengdi Gao <usrgdd@gmail.com>
+Mert Yazıcıoğlu <merty@users.noreply.github.com>
+mgniu <mgniu@dataman-inc.com>
+Micah Zoltu <micah@newrelic.com>
+Michael A. Smith <michael@smith-li.com>
+Michael Bridgen <mikeb@squaremobius.net>
+Michael Brown <michael@netdirect.ca>
+Michael Chiang <mchiang@docker.com>
+Michael Crosby <michael@docker.com>
+Michael Currie <mcurrie@bruceforceresearch.com>
+Michael Friis <friism@gmail.com>
+Michael Gorsuch <gorsuch@github.com>
+Michael Grauer <michael.grauer@kitware.com>
+Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Michael Hudson-Doyle <michael.hudson@canonical.com>
+Michael Huettermann <michael@huettermann.net>
+Michael Irwin <mikesir87@gmail.com>
+Michael Käufl <docker@c.michael-kaeufl.de>
+Michael Neale <michael.neale@gmail.com>
+Michael Nussbaum <michael.nussbaum@getbraintree.com>
+Michael Prokop <github@michael-prokop.at>
+Michael Scharf <github@scharf.gr>
+Michael Spetsiotis <michael_spets@hotmail.com>
+Michael Stapelberg <michael+gh@stapelberg.de>
+Michael Steinert <mike.steinert@gmail.com>
+Michael Thies <michaelthies78@gmail.com>
+Michael West <mwest@mdsol.com>
+Michal Fojtik <mfojtik@redhat.com>
+Michal Gebauer <mishak@mishak.net>
+Michal Jemala <michal.jemala@gmail.com>
+Michal Minář <miminar@redhat.com>
+Michal Wieczorek <wieczorek-michal@wp.pl>
+Michaël Pailloncy <mpapo.dev@gmail.com>
+Michał Czeraszkiewicz <czerasz@gmail.com>
+Michał Gryko <github@odkurzacz.org>
+Michiel@unhosted <michiel@unhosted.org>
+Mickaël FORTUNATO <morsi.morsicus@gmail.com>
+Miguel Angel Fernández <elmendalerenda@gmail.com>
+Miguel Morales <mimoralea@gmail.com>
+Mihai Borobocea <MihaiBorob@gmail.com>
+Mihuleacc Sergiu <mihuleac.sergiu@gmail.com>
+Mike Brown <brownwm@us.ibm.com>
+Mike Casas <mkcsas0@gmail.com>
+Mike Chelen <michael.chelen@gmail.com>
+Mike Danese <mikedanese@google.com>
+Mike Dillon <mike@embody.org>
+Mike Dougherty <mike.dougherty@docker.com>
+Mike Estes <mike.estes@logos.com>
+Mike Gaffney <mike@uberu.com>
+Mike Goelzer <mike.goelzer@docker.com>
+Mike Leone <mleone896@gmail.com>
+Mike Lundy <mike@fluffypenguin.org>
+Mike MacCana <mike.maccana@gmail.com>
+Mike Naberezny <mike@naberezny.com>
+Mike Snitzer <snitzer@redhat.com>
+mikelinjie <294893458@qq.com>
+Mikhail Sobolev <mss@mawhrin.net>
+Miklos Szegedi <miklos.szegedi@cloudera.com>
+Milind Chawre <milindchawre@gmail.com>
+Miloslav Trmač <mitr@redhat.com>
+mingqing <limingqing@cyou-inc.com>
+Mingzhen Feng <fmzhen@zju.edu.cn>
+Misty Stanley-Jones <misty@docker.com>
+Mitch Capper <mitch.capper@gmail.com>
+Mizuki Urushida <z11111001011@gmail.com>
+mlarcher <github@ringabell.org>
+Mohammad Banikazemi <mb@us.ibm.com>
+Mohammed Aaqib Ansari <maaquib@gmail.com>
+Mohit Soni <mosoni@ebay.com>
+Moorthy RS <rsmoorthy@gmail.com>
+Morgan Bauer <mbauer@us.ibm.com>
+Morgante Pell <morgante.pell@morgante.net>
+Morgy93 <thomas@ulfertsprygoda.de>
+Morten Siebuhr <sbhr@sbhr.dk>
+Morton Fox <github@qslw.com>
+Moysés Borges <moysesb@gmail.com>
+mrfly <mr.wrfly@gmail.com>
+Mrunal Patel <mrunalp@gmail.com>
+Muayyad Alsadi <alsadi@gmail.com>
+Mustafa Akın <mustafa91@gmail.com>
+Muthukumar R <muthur@gmail.com>
+Máximo Cuadros <mcuadros@gmail.com>
+Médi-Rémi Hashim <medimatrix@users.noreply.github.com>
+Nace Oroz <orkica@gmail.com>
+Nahum Shalman <nshalman@omniti.com>
+Nakul Pathak <nakulpathak3@hotmail.com>
+Nalin Dahyabhai <nalin@redhat.com>
+Nan Monnand Deng <monnand@gmail.com>
+Naoki Orii <norii@cs.cmu.edu>
+Natalie Parker <nparker@omnifone.com>
+Natanael Copa <natanael.copa@docker.com>
+Nate Brennand <nate.brennand@clever.com>
+Nate Eagleson <nate@nateeag.com>
+Nate Jones <nate@endot.org>
+Nathan Hsieh <hsieh.nathan@gmail.com>
+Nathan Kleyn <nathan@nathankleyn.com>
+Nathan LeClaire <nathan.leclaire@docker.com>
+Nathan McCauley <nathan.mccauley@docker.com>
+Nathan Williams <nathan@teamtreehouse.com>
+Naveed Jamil <naveed.jamil@tenpearls.com>
+Neal McBurnett <neal@mcburnett.org>
+Neil Horman <nhorman@tuxdriver.com>
+Neil Peterson <neilpeterson@outlook.com>
+Nelson Chen <crazysim@gmail.com>
+Neyazul Haque <nuhaque@gmail.com>
+Nghia Tran <nghia@google.com>
+Niall O'Higgins <niallo@unworkable.org>
+Nicholas E. Rabenau <nerab@gmx.at>
+Nick DeCoursin <n.decoursin@foodpanda.com>
+Nick Irvine <nfirvine@nfirvine.com>
+Nick Neisen <nwneisen@gmail.com>
+Nick Parker <nikaios@gmail.com>
+Nick Payne <nick@kurai.co.uk>
+Nick Russo <nicholasjamesrusso@gmail.com>
+Nick Stenning <nick.stenning@digital.cabinet-office.gov.uk>
+Nick Stinemates <nick@stinemates.org>
+NickrenREN <yuquan.ren@easystack.cn>
+Nicola Kabar <nicolaka@gmail.com>
+Nicolas Borboën <ponsfrilus@gmail.com>
+Nicolas De Loof <nicolas.deloof@gmail.com>
+Nicolas Dudebout <nicolas.dudebout@gatech.edu>
+Nicolas Goy <kuon@goyman.com>
+Nicolas Kaiser <nikai@nikai.net>
+Nicolas Sterchele <sterchele.nicolas@gmail.com>
+Nicolás Hock Isaza <nhocki@gmail.com>
+Nigel Poulton <nigelpoulton@hotmail.com>
+Nik Nyby <nikolas@gnu.org>
+Nikhil Chawla <chawlanikhil24@gmail.com>
+NikolaMandic <mn080202@gmail.com>
+Nikolas Garofil <nikolas.garofil@uantwerpen.be>
+Nikolay Milovanov <nmil@itransformers.net>
+Nirmal Mehta <nirmalkmehta@gmail.com>
+Nishant Totla <nishanttotla@gmail.com>
+NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
+Noah Meyerhans <nmeyerha@amazon.com>
+Noah Treuhaft <noah.treuhaft@docker.com>
+NobodyOnSE <ich@sektor.selfip.com>
+noducks <onemannoducks@gmail.com>
+Nolan Darilek <nolan@thewordnerd.info>
+nponeccop <andy.melnikov@gmail.com>
+Nuutti Kotivuori <naked@iki.fi>
+nzwsch <hi@nzwsch.com>
+O.S. Tezer <ostezer@gmail.com>
+objectified <objectified@gmail.com>
+Oguz Bilgic <fisyonet@gmail.com>
+Oh Jinkyun <tintypemolly@gmail.com>
+Ohad Schneider <ohadschn@users.noreply.github.com>
+ohmystack <jun.jiang02@ele.me>
+Ole Reifschneider <mail@ole-reifschneider.de>
+Oliver Neal <ItsVeryWindy@users.noreply.github.com>
+Olivier Gambier <dmp42@users.noreply.github.com>
+Olle Jonsson <olle.jonsson@gmail.com>
+Oriol Francès <oriolfa@gmail.com>
+Oskar Niburski <oskarniburski@gmail.com>
+Otto Kekäläinen <otto@seravo.fi>
+Ouyang Liduo <oyld0210@163.com>
+Ovidio Mallo <ovidio.mallo@gmail.com>
+Panagiotis Moustafellos <pmoust@elastic.co>
+Paolo G. Giarrusso <p.giarrusso@gmail.com>
+Pascal <pascalgn@users.noreply.github.com>
+Pascal Borreli <pascal@borreli.com>
+Pascal Hartig <phartig@rdrei.net>
+Patrick Böänziger <patrick.baenziger@bsi-software.com>
+Patrick Devine <patrick.devine@docker.com>
+Patrick Hemmer <patrick.hemmer@gmail.com>
+Patrick Stapleton <github@gdi2290.com>
+Patrik Cyvoct <patrik@ptrk.io>
+pattichen <craftsbear@gmail.com>
+Paul <paul9869@gmail.com>
+paul <paul@inkling.com>
+Paul Annesley <paul@annesley.cc>
+Paul Bellamy <paul.a.bellamy@gmail.com>
+Paul Bowsher <pbowsher@globalpersonals.co.uk>
+Paul Furtado <pfurtado@hubspot.com>
+Paul Hammond <paul@paulhammond.org>
+Paul Jimenez <pj@place.org>
+Paul Kehrer <paul.l.kehrer@gmail.com>
+Paul Lietar <paul@lietar.net>
+Paul Liljenberg <liljenberg.paul@gmail.com>
+Paul Morie <pmorie@gmail.com>
+Paul Nasrat <pnasrat@gmail.com>
+Paul Weaver <pauweave@cisco.com>
+Paulo Ribeiro <paigr.io@gmail.com>
+Pavel Lobashov <ShockwaveNN@gmail.com>
+Pavel Pletenev <cpp.create@gmail.com>
+Pavel Pospisil <pospispa@gmail.com>
+Pavel Sutyrin <pavel.sutyrin@gmail.com>
+Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Pavlos Ratis <dastergon@gentoo.org>
+Pavol Vargovcik <pallly.vargovcik@gmail.com>
+Pawel Konczalski <mail@konczalski.de>
+Peeyush Gupta <gpeeyush@linux.vnet.ibm.com>
+Peggy Li <peggyli.224@gmail.com>
+Pei Su <sillyousu@gmail.com>
+Peng Tao <bergwolf@gmail.com>
+Penghan Wang <ph.wang@daocloud.io>
+Per Weijnitz <per.weijnitz@gmail.com>
+perhapszzy@sina.com <perhapszzy@sina.com>
+Peter Bourgon <peter@bourgon.org>
+Peter Braden <peterbraden@peterbraden.co.uk>
+Peter Bücker <peter.buecker@pressrelations.de>
+Peter Choi <phkchoi89@gmail.com>
+Peter Dave Hello <hsu@peterdavehello.org>
+Peter Edge <peter.edge@gmail.com>
+Peter Ericson <pdericson@gmail.com>
+Peter Esbensen <pkesbensen@gmail.com>
+Peter Jaffe <pjaffe@nevo.com>
+Peter Malmgren <ptmalmgren@gmail.com>
+Peter Salvatore <peter@psftw.com>
+Peter Volpe <petervo@redhat.com>
+Peter Waller <p@pwaller.net>
+Petr Švihlík <svihlik.petr@gmail.com>
+Phil <underscorephil@gmail.com>
+Phil Estes <estesp@linux.vnet.ibm.com>
+Phil Spitler <pspitler@gmail.com>
+Philip Alexander Etling <paetling@gmail.com>
+Philip Monroe <phil@philmonroe.com>
+Philipp Gillé <philipp.gille@gmail.com>
+Philipp Wahala <philipp.wahala@gmail.com>
+Philipp Weissensteiner <mail@philippweissensteiner.com>
+Phillip Alexander <git@phillipalexander.io>
+phineas <phin@phineas.io>
+pidster <pid@pidster.com>
+Piergiuliano Bossi <pgbossi@gmail.com>
+Pierre <py@poujade.org>
+Pierre Carrier <pierre@meteor.com>
+Pierre Dal-Pra <dalpra.pierre@gmail.com>
+Pierre Wacrenier <pierre.wacrenier@gmail.com>
+Pierre-Alain RIVIERE <pariviere@ippon.fr>
+Piotr Bogdan <ppbogdan@gmail.com>
+pixelistik <pixelistik@users.noreply.github.com>
+Porjo <porjo38@yahoo.com.au>
+Poul Kjeldager Sørensen <pks@s-innovations.net>
+Pradeep Chhetri <pradeep@indix.com>
+Pradip Dhara <pradipd@microsoft.com>
+Prasanna Gautam <prasannagautam@gmail.com>
+Pratik Karki <prertik@outlook.com>
+Prayag Verma <prayag.verma@gmail.com>
+Priya Wadhwa <priyawadhwa@google.com>
+Przemek Hejman <przemyslaw.hejman@gmail.com>
+Pure White <daniel48@126.com>
+pysqz <randomq@126.com>
+Qiang Huang <h.huangqiang@huawei.com>
+Qinglan Peng <qinglanpeng@zju.edu.cn>
+qudongfang <qudongfang@gmail.com>
+Quentin Brossard <qbrossard@gmail.com>
+Quentin Perez <qperez@ocs.online.net>
+Quentin Tayssier <qtayssier@gmail.com>
+r0n22 <cameron.regan@gmail.com>
+Rafal Jeczalik <rjeczalik@gmail.com>
+Rafe Colton <rafael.colton@gmail.com>
+Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
+Raghuram Devarakonda <draghuram@gmail.com>
+Raja Sami <raja.sami@tenpearls.com>
+Rajat Pandit <rp@rajatpandit.com>
+Rajdeep Dua <dua_rajdeep@yahoo.com>
+Ralf Sippl <ralf.sippl@gmail.com>
+Ralle <spam@rasmusa.net>
+Ralph Bean <rbean@redhat.com>
+Ramkumar Ramachandra <artagnon@gmail.com>
+Ramon Brooker <rbrooker@aetherealmind.com>
+Ramon van Alteren <ramon@vanalteren.nl>
+Ray Tsang <rayt@google.com>
+ReadmeCritic <frankensteinbot@gmail.com>
+Recursive Madman <recursive.madman@gmx.de>
+Reficul <xuzhenglun@gmail.com>
+Regan McCooey <rmccooey27@aol.com>
+Remi Rampin <remirampin@gmail.com>
+Remy Suen <remy.suen@gmail.com>
+Renato Riccieri Santos Zannon <renato.riccieri@gmail.com>
+Renaud Gaubert <rgaubert@nvidia.com>
+Rhys Hiltner <rhys@twitch.tv>
+Ri Xu <xuri.me@gmail.com>
+Ricardo N Feliciano <FelicianoTech@gmail.com>
+Rich Moyse <rich@moyse.us>
+Rich Seymour <rseymour@gmail.com>
+Richard <richard.scothern@gmail.com>
+Richard Burnison <rburnison@ebay.com>
+Richard Harvey <richard@squarecows.com>
+Richard Mathie <richard.mathie@amey.co.uk>
+Richard Metzler <richard@paadee.com>
+Richard Scothern <richard.scothern@gmail.com>
+Richo Healey <richo@psych0tik.net>
+Rick Bradley <rick@users.noreply.github.com>
+Rick van de Loo <rickvandeloo@gmail.com>
+Rick Wieman <git@rickw.nl>
+Rik Nijessen <rik@keefo.nl>
+Riku Voipio <riku.voipio@linaro.org>
+Riley Guerin <rileytg.dev@gmail.com>
+Ritesh H Shukla <sritesh@vmware.com>
+Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
+Rob Vesse <rvesse@dotnetrdf.org>
+Robert Bachmann <rb@robertbachmann.at>
+Robert Bittle <guywithnose@gmail.com>
+Robert Obryk <robryk@gmail.com>
+Robert Schneider <mail@shakeme.info>
+Robert Stern <lexandro2000@gmail.com>
+Robert Terhaar <rterhaar@atlanticdynamic.com>
+Robert Wallis <smilingrob@gmail.com>
+Roberto G. Hashioka <roberto.hashioka@docker.com>
+Roberto Muñoz Fernández <robertomf@gmail.com>
+Robin Naundorf <r.naundorf@fh-muenster.de>
+Robin Schneider <ypid@riseup.net>
+Robin Speekenbrink <robin@kingsquare.nl>
+robpc <rpcann@gmail.com>
+Rodolfo Carvalho <rhcarvalho@gmail.com>
+Rodrigo Vaz <rodrigo.vaz@gmail.com>
+Roel Van Nyen <roel.vannyen@gmail.com>
+Roger Peppe <rogpeppe@gmail.com>
+Rohit Jnagal <jnagal@google.com>
+Rohit Kadam <rohit.d.kadam@gmail.com>
+Rojin George <rojingeorge@huawei.com>
+Roland Huß <roland@jolokia.org>
+Roland Kammerer <roland.kammerer@linbit.com>
+Roland Moriz <rmoriz@users.noreply.github.com>
+Roma Sokolov <sokolov.r.v@gmail.com>
+Roman Dudin <katrmr@gmail.com>
+Roman Strashkin <roman.strashkin@gmail.com>
+Ron Smits <ron.smits@gmail.com>
+Ron Williams <ron.a.williams@gmail.com>
+root <docker-dummy@example.com>
+root <root@lxdebmas.marist.edu>
+root <root@ubuntu-14.04-amd64-vbox>
+root <root@webm215.cluster016.ha.ovh.net>
+Rory Hunter <roryhunter2@gmail.com>
+Rory McCune <raesene@gmail.com>
+Ross Boucher <rboucher@gmail.com>
+Rovanion Luckey <rovanion.luckey@gmail.com>
+Royce Remer <royceremer@gmail.com>
+Rozhnov Alexandr <nox73@ya.ru>
+Rudolph Gottesheim <r.gottesheim@loot.at>
+Rui Lopes <rgl@ruilopes.com>
+Runshen Zhu <runshen.zhu@gmail.com>
+Ryan Abrams <rdabrams@gmail.com>
+Ryan Anderson <anderson.ryanc@gmail.com>
+Ryan Aslett <github@mixologic.com>
+Ryan Belgrave <rmb1993@gmail.com>
+Ryan Detzel <ryan.detzel@gmail.com>
+Ryan Fowler <rwfowler@gmail.com>
+Ryan Liu <ryanlyy@me.com>
+Ryan McLaughlin <rmclaughlin@insidesales.com>
+Ryan O'Donnell <odonnellryanc@gmail.com>
+Ryan Seto <ryanseto@yak.net>
+Ryan Simmen <ryan.simmen@gmail.com>
+Ryan Stelly <ryan.stelly@live.com>
+Ryan Thomas <rthomas@atlassian.com>
+Ryan Trauntvein <rtrauntvein@novacoast.com>
+Ryan Wallner <ryan.wallner@clusterhq.com>
+Ryan Zhang <ryan.zhang@docker.com>
+ryancooper7 <ryan.cooper7@gmail.com>
+RyanDeng <sheldon.d1018@gmail.com>
+Rémy Greinhofer <remy.greinhofer@livelovely.com>
+s. rannou <mxs@sbrk.org>
+s00318865 <sunyuan3@huawei.com>
+Sabin Basyal <sabin.basyal@gmail.com>
+Sachin Joshi <sachin_jayant_joshi@hotmail.com>
+Sagar Hani <sagarhani33@gmail.com>
+Sainath Grandhi <sainath.grandhi@intel.com>
+Sakeven Jiang <jc5930@sina.cn>
+Sally O'Malley <somalley@redhat.com>
+Sam Abed <sam.abed@gmail.com>
+Sam Alba <sam.alba@gmail.com>
+Sam Bailey <cyprix@cyprix.com.au>
+Sam J Sharpe <sam.sharpe@digital.cabinet-office.gov.uk>
+Sam Neirinck <sam@samneirinck.com>
+Sam Reis <sreis@atlassian.com>
+Sam Rijs <srijs@airpost.net>
+Sambuddha Basu <sambuddhabasu1@gmail.com>
+Sami Wagiaalla <swagiaal@redhat.com>
+Samuel Andaya <samuel@andaya.net>
+Samuel Dion-Girardeau <samuel.diongirardeau@gmail.com>
+Samuel Karp <skarp@amazon.com>
+Samuel PHAN <samuel-phan@users.noreply.github.com>
+Sandeep Bansal <sabansal@microsoft.com>
+Sankar சங்கர் <sankar.curiosity@gmail.com>
+Sanket Saurav <sanketsaurav@gmail.com>
+Santhosh Manohar <santhosh@docker.com>
+sapphiredev <se.imas.kr@gmail.com>
+Sargun Dhillon <sargun@netflix.com>
+Sascha Andres <sascha.andres@outlook.com>
+Satnam Singh <satnam@raintown.org>
+Satoshi Amemiya <satoshi_amemiya@voyagegroup.com>
+Satoshi Tagomori <tagomoris@gmail.com>
+Scott Bessler <scottbessler@gmail.com>
+Scott Collier <emailscottcollier@gmail.com>
+Scott Johnston <scott@docker.com>
+Scott Stamp <scottstamp851@gmail.com>
+Scott Walls <sawalls@umich.edu>
+sdreyesg <sdreyesg@gmail.com>
+Sean Christopherson <sean.j.christopherson@intel.com>
+Sean Cronin <seancron@gmail.com>
+Sean Lee <seanlee@tw.ibm.com>
+Sean McIntyre <s.mcintyre@xverba.ca>
+Sean OMeara <sean@chef.io>
+Sean P. Kane <skane@newrelic.com>
+Sean Rodman <srodman7689@gmail.com>
+Sebastiaan van Steenis <mail@superseb.nl>
+Sebastiaan van Stijn <github@gone.nl>
+Senthil Kumar Selvaraj <senthil.thecoder@gmail.com>
+Senthil Kumaran <senthil@uthcode.com>
+SeongJae Park <sj38.park@gmail.com>
+Seongyeol Lim <seongyeol37@gmail.com>
+Serge Hallyn <serge.hallyn@ubuntu.com>
+Sergey Alekseev <sergey.alekseev.minsk@gmail.com>
+Sergey Evstifeev <sergey.evstifeev@gmail.com>
+Sergii Kabashniuk <skabashnyuk@codenvy.com>
+Serhat Gülçiçek <serhat25@gmail.com>
+Sevki Hasirci <s@sevki.org>
+Shane Canon <scanon@lbl.gov>
+Shane da Silva <shane@dasilva.io>
+Shaun Kaasten <shaunk@gmail.com>
+shaunol <shaunol@gmail.com>
+Shawn Landden <shawn@churchofgit.com>
+Shawn Siefkas <shawn.siefkas@meredith.com>
+shawnhe <shawnhe@shawnhedeMacBook-Pro.local>
+Shayne Wang <shaynexwang@gmail.com>
+Shekhar Gulati <shekhargulati84@gmail.com>
+Sheng Yang <sheng@yasker.org>
+Shengbo Song <thomassong@tencent.com>
+Shev Yan <yandong_8212@163.com>
+Shih-Yuan Lee <fourdollars@gmail.com>
+Shijiang Wei <mountkin@gmail.com>
+Shijun Qin <qinshijun16@mails.ucas.ac.cn>
+Shishir Mahajan <shishir.mahajan@redhat.com>
+Shoubhik Bose <sbose78@gmail.com>
+Shourya Sarcar <shourya.sarcar@gmail.com>
+shuai-z <zs.broccoli@gmail.com>
+Shukui Yang <yangshukui@huawei.com>
+Shuwei Hao <haosw@cn.ibm.com>
+Sian Lerk Lau <kiawin@gmail.com>
+Sidhartha Mani <sidharthamn@gmail.com>
+sidharthamani <sid@rancher.com>
+Silas Sewell <silas@sewell.org>
+Silvan Jegen <s.jegen@gmail.com>
+Simei He <hesimei@zju.edu.cn>
+Simon Eskildsen <sirup@sirupsen.com>
+Simon Ferquel <simon.ferquel@docker.com>
+Simon Leinen <simon.leinen@gmail.com>
+Simon Menke <simon.menke@gmail.com>
+Simon Taranto <simon.taranto@gmail.com>
+Simon Vikstrom <pullreq@devsn.se>
+Sindhu S <sindhus@live.in>
+Sjoerd Langkemper <sjoerd-github@linuxonly.nl>
+Solganik Alexander <solganik@gmail.com>
+Solomon Hykes <solomon@docker.com>
+Song Gao <song@gao.io>
+Soshi Katsuta <soshi.katsuta@gmail.com>
+Soulou <leo@unbekandt.eu>
+Spencer Brown <spencer@spencerbrown.org>
+Spencer Smith <robertspencersmith@gmail.com>
+Sridatta Thatipamala <sthatipamala@gmail.com>
+Sridhar Ratnakumar <sridharr@activestate.com>
+Srini Brahmaroutu <srbrahma@us.ibm.com>
+Srinivasan Srivatsan <srinivasan.srivatsan@hpe.com>
+Stanislav Bondarenko <stanislav.bondarenko@gmail.com>
+Steeve Morin <steeve.morin@gmail.com>
+Stefan Berger <stefanb@linux.vnet.ibm.com>
+Stefan J. Wernli <swernli@microsoft.com>
+Stefan Praszalowicz <stefan@greplin.com>
+Stefan S. <tronicum@user.github.com>
+Stefan Scherer <scherer_stefan@icloud.com>
+Stefan Staudenmeyer <doerte@instana.com>
+Stefan Weil <sw@weilnetz.de>
+Stephan Spindler <shutefan@gmail.com>
+Stephen Crosby <stevecrozz@gmail.com>
+Stephen Day <stephen.day@docker.com>
+Stephen Drake <stephen@xenolith.net>
+Stephen Rust <srust@blockbridge.com>
+Steve Desmond <steve@vtsv.ca>
+Steve Dougherty <steve@asksteved.com>
+Steve Durrheimer <s.durrheimer@gmail.com>
+Steve Francia <steve.francia@gmail.com>
+Steve Koch <stevekochscience@gmail.com>
+Steven Burgess <steven.a.burgess@hotmail.com>
+Steven Erenst <stevenerenst@gmail.com>
+Steven Hartland <steven.hartland@multiplay.co.uk>
+Steven Iveson <sjiveson@outlook.com>
+Steven Merrill <steven.merrill@gmail.com>
+Steven Richards <steven@axiomzen.co>
+Steven Taylor <steven.taylor@me.com>
+Subhajit Ghosh <isubuz.g@gmail.com>
+Sujith Haridasan <sujith.h@gmail.com>
+Sun Gengze <690388648@qq.com>
+Sun Jianbo <wonderflow.sun@gmail.com>
+Sunny Gogoi <indiasuny000@gmail.com>
+Suryakumar Sudar <surya.trunks@gmail.com>
+Sven Dowideit <SvenDowideit@home.org.au>
+Swapnil Daingade <swapnil.daingade@gmail.com>
+Sylvain Baubeau <sbaubeau@redhat.com>
+Sylvain Bellemare <sylvain@ascribe.io>
+Sébastien <sebastien@yoozio.com>
+Sébastien HOUZÉ <cto@verylastroom.com>
+Sébastien Luttringer <seblu@seblu.net>
+Sébastien Stormacq <sebsto@users.noreply.github.com>
+Tabakhase <mail@tabakhase.com>
+Tadej Janež <tadej.j@nez.si>
+TAGOMORI Satoshi <tagomoris@gmail.com>
+tang0th <tang0th@gmx.com>
+Tangi Colin <tangicolin@gmail.com>
+Tatsuki Sugiura <sugi@nemui.org>
+Tatsushi Inagaki <e29253@jp.ibm.com>
+Taylor Jones <monitorjbl@gmail.com>
+tbonza <tylers.pile@gmail.com>
+Ted M. Young <tedyoung@gmail.com>
+Tehmasp Chaudhri <tehmasp@gmail.com>
+Tejesh Mehta <tejesh.mehta@gmail.com>
+terryding77 <550147740@qq.com>
+tgic <farmer1992@gmail.com>
+Thatcher Peskens <thatcher@docker.com>
+theadactyl <thea.lamkin@gmail.com>
+Thell 'Bo' Fowler <thell@tbfowler.name>
+Thermionix <bond711@gmail.com>
+Thijs Terlouw <thijsterlouw@gmail.com>
+Thomas Bikeev <thomas.bikeev@mac.com>
+Thomas Frössman <thomasf@jossystem.se>
+Thomas Gazagnaire <thomas@gazagnaire.org>
+Thomas Grainger <tagrain@gmail.com>
+Thomas Hansen <thomas.hansen@gmail.com>
+Thomas Leonard <thomas.leonard@docker.com>
+Thomas Léveil <thomasleveil@gmail.com>
+Thomas Orozco <thomas@orozco.fr>
+Thomas Riccardi <riccardi@systran.fr>
+Thomas Schroeter <thomas@cliqz.com>
+Thomas Sjögren <konstruktoid@users.noreply.github.com>
+Thomas Swift <tgs242@gmail.com>
+Thomas Tanaka <thomas.tanaka@oracle.com>
+Thomas Texier <sharkone@en-mousse.org>
+Ti Zhou <tizhou1986@gmail.com>
+Tianon Gravi <admwiggin@gmail.com>
+Tianyi Wang <capkurmagati@gmail.com>
+Tibor Vass <teabee89@gmail.com>
+Tiffany Jernigan <tiffany.f.j@gmail.com>
+Tiffany Low <tiffany@box.com>
+Tim Bart <tim@fewagainstmany.com>
+Tim Bosse <taim@bosboot.org>
+Tim Dettrick <t.dettrick@uq.edu.au>
+Tim Düsterhus <tim@bastelstu.be>
+Tim Hockin <thockin@google.com>
+Tim Potter <tpot@hpe.com>
+Tim Ruffles <oi@truffles.me.uk>
+Tim Smith <timbot@google.com>
+Tim Terhorst <mynamewastaken+git@gmail.com>
+Tim Wang <timwangdev@gmail.com>
+Tim Waugh <twaugh@redhat.com>
+Tim Wraight <tim.wraight@tangentlabs.co.uk>
+Tim Zju <21651152@zju.edu.cn>
+timfeirg <kkcocogogo@gmail.com>
+Timothy Hobbs <timothyhobbs@seznam.cz>
+tjwebb123 <tjwebb123@users.noreply.github.com>
+tobe <tobegit3hub@gmail.com>
+Tobias Bieniek <Tobias.Bieniek@gmx.de>
+Tobias Bradtke <webwurst@gmail.com>
+Tobias Gesellchen <tobias@gesellix.de>
+Tobias Klauser <tklauser@distanz.ch>
+Tobias Munk <schmunk@usrbin.de>
+Tobias Schmidt <ts@soundcloud.com>
+Tobias Schwab <tobias.schwab@dynport.de>
+Todd Crane <todd@toddcrane.com>
+Todd Lunter <tlunter@gmail.com>
+Todd Whiteman <todd.whiteman@joyent.com>
+Toli Kuznets <toli@docker.com>
+Tom Barlow <tomwbarlow@gmail.com>
+Tom Booth <tombooth@gmail.com>
+Tom Denham <tom@tomdee.co.uk>
+Tom Fotherby <tom+github@peopleperhour.com>
+Tom Howe <tom.howe@enstratius.com>
+Tom Hulihan <hulihan.tom159@gmail.com>
+Tom Maaswinkel <tom.maaswinkel@12wiki.eu>
+Tom Sweeney <tsweeney@redhat.com>
+Tom Wilkie <tom.wilkie@gmail.com>
+Tom X. Tobin <tomxtobin@tomxtobin.com>
+Tomas Tomecek <ttomecek@redhat.com>
+Tomasz Kopczynski <tomek@kopczynski.net.pl>
+Tomasz Lipinski <tlipinski@users.noreply.github.com>
+Tomasz Nurkiewicz <nurkiewicz@gmail.com>
+Tommaso Visconti <tommaso.visconti@gmail.com>
+Tomáš Hrčka <thrcka@redhat.com>
+Tonny Xu <tonny.xu@gmail.com>
+Tony Abboud <tdabboud@hotmail.com>
+Tony Daws <tony@daws.ca>
+Tony Miller <mcfiredrill@gmail.com>
+toogley <toogley@mailbox.org>
+Torstein Husebø <torstein@huseboe.net>
+Tõnis Tiigi <tonistiigi@gmail.com>
+tpng <benny.tpng@gmail.com>
+tracylihui <793912329@qq.com>
+Trapier Marshall <trapier.marshall@docker.com>
+Travis Cline <travis.cline@gmail.com>
+Travis Thieman <travis.thieman@gmail.com>
+Trent Ogren <tedwardo2@gmail.com>
+Trevor <trevinwoodstock@gmail.com>
+Trevor Pounds <trevor.pounds@gmail.com>
+Trevor Sullivan <pcgeek86@gmail.com>
+Trishna Guha <trishnaguha17@gmail.com>
+Tristan Carel <tristan@cogniteev.com>
+Troy Denton <trdenton@gmail.com>
+Tycho Andersen <tycho@docker.com>
+Tyler Brock <tyler.brock@gmail.com>
+Tzu-Jung Lee <roylee17@gmail.com>
+uhayate <uhayate.gong@daocloud.io>
+Ulysse Carion <ulyssecarion@gmail.com>
+Umesh Yadav <umesh4257@gmail.com>
+Utz Bacher <utz.bacher@de.ibm.com>
+vagrant <vagrant@ubuntu-14.04-amd64-vbox>
+Vaidas Jablonskis <jablonskis@gmail.com>
+vanderliang <lansheng@meili-inc.com>
+Veres Lajos <vlajos@gmail.com>
+Victor Algaze <valgaze@gmail.com>
+Victor Coisne <victor.coisne@dotcloud.com>
+Victor Costan <costan@gmail.com>
+Victor I. Wood <viw@t2am.com>
+Victor Lyuboslavsky <victor@victoreda.com>
+Victor Marmol <vmarmol@google.com>
+Victor Palma <palma.victor@gmail.com>
+Victor Vieux <victor.vieux@docker.com>
+Victoria Bialas <victoria.bialas@docker.com>
+Vijaya Kumar K <vijayak@caviumnetworks.com>
+Viktor Stanchev <me@viktorstanchev.com>
+Viktor Vojnovski <viktor.vojnovski@amadeus.com>
+VinayRaghavanKS <raghavan.vinay@gmail.com>
+Vincent Batts <vbatts@redhat.com>
+Vincent Bernat <Vincent.Bernat@exoscale.ch>
+Vincent Demeester <vincent.demeester@docker.com>
+Vincent Giersch <vincent.giersch@ovh.net>
+Vincent Mayers <vincent.mayers@inbloom.org>
+Vincent Woo <me@vincentwoo.com>
+Vinod Kulkarni <vinod.kulkarni@gmail.com>
+Vishal Doshi <vishal.doshi@gmail.com>
+Vishnu Kannan <vishnuk@google.com>
+Vitaly Ostrosablin <vostrosablin@virtuozzo.com>
+Vitor Monteiro <vmrmonteiro@gmail.com>
+Vivek Agarwal <me@vivek.im>
+Vivek Dasgupta <vdasgupt@redhat.com>
+Vivek Goyal <vgoyal@redhat.com>
+Vladimir Bulyga <xx@ccxx.cc>
+Vladimir Kirillov <proger@wilab.org.ua>
+Vladimir Pouzanov <farcaller@google.com>
+Vladimir Rutsky <altsysrq@gmail.com>
+Vladimir Varankin <nek.narqo+git@gmail.com>
+VladimirAus <v_roudakov@yahoo.com>
+Vlastimil Zeman <vlastimil.zeman@diffblue.com>
+Vojtech Vitek (V-Teq) <vvitek@redhat.com>
+waitingkuo <waitingkuo0527@gmail.com>
+Walter Leibbrandt <github@wrl.co.za>
+Walter Stanish <walter@pratyeka.org>
+Wang Chao <chao.wang@ucloud.cn>
+Wang Guoliang <liangcszzu@163.com>
+Wang Jie <wangjie5@chinaskycloud.com>
+Wang Long <long.wanglong@huawei.com>
+Wang Ping <present.wp@icloud.com>
+Wang Xing <hzwangxing@corp.netease.com>
+Wang Yuexiao <wang.yuexiao@zte.com.cn>
+Ward Vandewege <ward@jhvc.com>
+WarheadsSE <max@warheads.net>
+Wassim Dhif <wassimdhif@gmail.com>
+Wayne Chang <wayne@neverfear.org>
+Wayne Song <wsong@docker.com>
+Weerasak Chongnguluam <singpor@gmail.com>
+Wei Wu <wuwei4455@gmail.com>
+Wei-Ting Kuo <waitingkuo0527@gmail.com>
+weipeng <weipeng@tuscloud.io>
+weiyan <weiyan3@huawei.com>
+Weiyang Zhu <cnresonant@gmail.com>
+Wen Cheng Ma <wenchma@cn.ibm.com>
+Wendel Fleming <wfleming@usc.edu>
+Wenjun Tang <tangwj2@lenovo.com>
+Wenkai Yin <yinw@vmware.com>
+Wentao Zhang <zhangwentao234@huawei.com>
+Wenxuan Zhao <viz@linux.com>
+Wenyu You <21551128@zju.edu.cn>
+Wenzhi Liang <wenzhi.liang@gmail.com>
+Wes Morgan <cap10morgan@gmail.com>
+Wewang Xiaorenfine <wang.xiaoren@zte.com.cn>
+Will Dietz <w@wdtz.org>
+Will Rouesnel <w.rouesnel@gmail.com>
+Will Weaver <monkey@buildingbananas.com>
+willhf <willhf@gmail.com>
+William Delanoue <william.delanoue@gmail.com>
+William Henry <whenry@redhat.com>
+William Hubbs <w.d.hubbs@gmail.com>
+William Martin <wmartin@pivotal.io>
+William Riancho <wr.wllm@gmail.com>
+William Thurston <thurstw@amazon.com>
+WiseTrem <shepelyov.g@gmail.com>
+Wolfgang Powisch <powo@powo.priv.at>
+Wonjun Kim <wonjun.kim@navercorp.com>
+xamyzhao <x.amy.zhao@gmail.com>
+Xianglin Gao <xlgao@zju.edu.cn>
+Xianlu Bird <xianlubird@gmail.com>
+XiaoBing Jiang <s7v7nislands@gmail.com>
+Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
+Xiaoyu Zhang <zhang.xiaoyu33@zte.com.cn>
+xiekeyang <xiekeyang@huawei.com>
+Xinbo Weng <xihuanbo_0521@zju.edu.cn>
+Xinzi Zhou <imdreamrunner@gmail.com>
+Xiuming Chen <cc@cxm.cc>
+Xuecong Liao <satorulogic@gmail.com>
+xuzhaokui <cynicholas@gmail.com>
+Yahya <ya7yaz@gmail.com>
+YAMADA Tsuyoshi <tyamada@minimum2scp.org>
+Yamasaki Masahide <masahide.y@gmail.com>
+Yan Feng <yanfeng2@huawei.com>
+Yang Bai <hamo.by@gmail.com>
+Yang Pengfei <yangpengfei4@huawei.com>
+yangchenliang <yangchenliang@huawei.com>
+Yanqiang Miao <miao.yanqiang@zte.com.cn>
+Yao Zaiyong <yaozaiyong@hotmail.com>
+Yassine Tijani <yasstij11@gmail.com>
+Yasunori Mahata <nori@mahata.net>
+Yazhong Liu <yorkiefixer@gmail.com>
+Yestin Sun <sunyi0804@gmail.com>
+Yi EungJun <eungjun.yi@navercorp.com>
+Yibai Zhang <xm1994@gmail.com>
+Yihang Ho <hoyihang5@gmail.com>
+Ying Li <ying.li@docker.com>
+Yohei Ueda <yohei@jp.ibm.com>
+Yong Tang <yong.tang.github@outlook.com>
+Yongzhi Pan <panyongzhi@gmail.com>
+Yosef Fertel <yfertel@gmail.com>
+You-Sheng Yang (楊有勝) <vicamo@gmail.com>
+Youcef YEKHLEF <yyekhlef@gmail.com>
+Yu Changchun <yuchangchun1@huawei.com>
+Yu Chengxia <yuchengxia@huawei.com>
+Yu Peng <yu.peng36@zte.com.cn>
+Yu-Ju Hong <yjhong@google.com>
+Yuan Sun <sunyuan3@huawei.com>
+Yuanhong Peng <pengyuanhong@huawei.com>
+Yuhao Fang <fangyuhao@gmail.com>
+Yunxiang Huang <hyxqshk@vip.qq.com>
+Yurii Rashkovskii <yrashk@gmail.com>
+Yves Junqueira <yves.junqueira@gmail.com>
+Zac Dover <zdover@redhat.com>
+Zach Borboa <zachborboa@gmail.com>
+Zachary Jaffee <zjaffee@us.ibm.com>
+Zain Memon <zain@inzain.net>
+Zaiste! <oh@zaiste.net>
+Zane DeGraffenried <zane.deg@gmail.com>
+Zefan Li <lizefan@huawei.com>
+Zen Lin(Zhinan Lin) <linzhinan@huawei.com>
+Zhang Kun <zkazure@gmail.com>
+Zhang Wei <zhangwei555@huawei.com>
+Zhang Wentao <zhangwentao234@huawei.com>
+ZhangHang <stevezhang2014@gmail.com>
+zhangxianwei <xianwei.zw@alibaba-inc.com>
+Zhenan Ye <21551168@zju.edu.cn>
+zhenghenghuo <zhenghenghuo@zju.edu.cn>
+Zhenkun Bi <bi.zhenkun@zte.com.cn>
+Zhou Hao <zhouhao@cn.fujitsu.com>
+Zhu Guihua <zhugh.fnst@cn.fujitsu.com>
+Zhu Kunjia <zhu.kunjia@zte.com.cn>
+Zhuoyun Wei <wzyboy@wzyboy.org>
+Zilin Du <zilin.du@gmail.com>
+zimbatm <zimbatm@zimbatm.com>
+Ziming Dong <bnudzm@foxmail.com>
+ZJUshuaizhou <21551191@zju.edu.cn>
+zmarouf <zeid.marouf@gmail.com>
+Zoltan Tombol <zoltan.tombol@gmail.com>
+Zou Yu <zouyu7@huawei.com>
+zqh <zqhxuyuan@gmail.com>
+Zuhayr Elahi <elahi.zuhayr@gmail.com>
+Zunayed Ali <zunayed@gmail.com>
+Álex González <agonzalezro@gmail.com>
+Álvaro Lázaro <alvaro.lazaro.g@gmail.com>
+Átila Camurça Alves <camurca.home@gmail.com>
+尹吉峰 <jifeng.yin@gmail.com>
+徐俊杰 <paco.xu@daocloud.io>
+慕陶 <jihui.xjh@alibaba-inc.com>
+搏通 <yufeng.pyf@alibaba-inc.com>
+黄艳红00139573 <huang.yanhong@zte.com.cn>
diff --git a/engine/CHANGELOG.md b/engine/CHANGELOG.md
new file mode 100644
index 00000000..fec9269b
--- /dev/null
+++ b/engine/CHANGELOG.md
@@ -0,0 +1,3609 @@
+# Changelog
+
+Items starting with `DEPRECATE` are important deprecation notices. For more
+information on the list of deprecated flags and APIs please have a look at
+https://docs.docker.com/engine/deprecated/ where target removal dates can also
+be found.
+
+## 17.03.2-ce (2017-05-29)
+
+### Networking
+
+- Fix a concurrency issue preventing network creation [#33273](https://github.com/moby/moby/pull/33273)
+
+### Runtime
+
+- Relabel secrets path to avoid a Permission Denied on selinux enabled systems [#33236](https://github.com/moby/moby/pull/33236) (ref [#32529](https://github.com/moby/moby/pull/32529)
+- Fix cases where local volume were not properly relabeled if needed [#33236](https://github.com/moby/moby/pull/33236) (ref [#29428](https://github.com/moby/moby/pull/29428))
+- Fix an issue while upgrading if a plugin rootfs was still mounted [#33236](https://github.com/moby/moby/pull/33236) (ref [#32525](https://github.com/moby/moby/pull/32525))
+- Fix an issue where volume wouldn't default to the `rprivate` propagation mode [#33236](https://github.com/moby/moby/pull/33236) (ref [#32851](https://github.com/moby/moby/pull/32851))
+- Fix a panic that could occur when a volume driver could not be retrieved [#33236](https://github.com/moby/moby/pull/33236) (ref [#32347](https://github.com/moby/moby/pull/32347))
++ Add a warning in `docker info` when the `overlay` or `overlay2` graphdriver is used on a filesystem without `d_type` support [#33236](https://github.com/moby/moby/pull/33236) (ref [#31290](https://github.com/moby/moby/pull/31290))
+- Fix an issue with backporting mount spec to older volumes [#33207](https://github.com/moby/moby/pull/33207)
+- Fix issue where a failed unmount can lead to data loss on local volume remove [#33120](https://github.com/moby/moby/pull/33120)
+
+### Swarm Mode
+
+- Fix a case where tasks could get killed unexpectedly [#33118](https://github.com/moby/moby/pull/33118)
+- Fix an issue preventing to deploy services if the registry cannot be reached despite the needed images being locally present [#33117](https://github.com/moby/moby/pull/33117)
+
+## 17.05.0-ce (2017-05-04)
+
+### Builder
+
++ Add multi-stage build support [#31257](https://github.com/docker/docker/pull/31257) [#32063](https://github.com/docker/docker/pull/32063)
++ Allow using build-time args (`ARG`) in `FROM` [#31352](https://github.com/docker/docker/pull/31352)
++ Add an option for specifying build target [#32496](https://github.com/docker/docker/pull/32496)
+* Accept `-f -` to read Dockerfile from `stdin`, but use local context for building [#31236](https://github.com/docker/docker/pull/31236)
+* The values of default build time arguments (e.g `HTTP_PROXY`) are no longer displayed in docker image history unless a corresponding `ARG` instruction is written in the Dockerfile. [#31584](https://github.com/docker/docker/pull/31584)
+- Fix setting command if a custom shell is used in a parent image [#32236](https://github.com/docker/docker/pull/32236)
+- Fix `docker build --label` when the label includes single quotes and a space [#31750](https://github.com/docker/docker/pull/31750)
+
+### Client
+
+* Add `--mount` flag to `docker run` and `docker create` [#32251](https://github.com/docker/docker/pull/32251)
+* Add `--type=secret` to `docker inspect` [#32124](https://github.com/docker/docker/pull/32124)
+* Add `--format` option to `docker secret ls` [#31552](https://github.com/docker/docker/pull/31552)
+* Add `--filter` option to `docker secret ls` [#30810](https://github.com/docker/docker/pull/30810)
+* Add `--filter scope=<swarm|local>` to `docker network ls` [#31529](https://github.com/docker/docker/pull/31529)
+* Add `--cpus` support to `docker update` [#31148](https://github.com/docker/docker/pull/31148)
+* Add label filter to `docker system prune` and other `prune` commands [#30740](https://github.com/docker/docker/pull/30740)
+* `docker stack rm` now accepts multiple stacks as input [#32110](https://github.com/docker/docker/pull/32110)
+* Improve `docker version --format` option when the client has downgraded the API version [#31022](https://github.com/docker/docker/pull/31022)
+* Prompt when using an encrypted client certificate to connect to a docker daemon [#31364](https://github.com/docker/docker/pull/31364)
+* Display created tags on successful `docker build` [#32077](https://github.com/docker/docker/pull/32077)
+* Cleanup compose convert error messages [#32087](https://github.com/moby/moby/pull/32087)
+
+### Contrib
+
++ Add support for building docker debs for Ubuntu 17.04 Zesty on amd64 [#32435](https://github.com/docker/docker/pull/32435)
+
+### Daemon
+
+- Fix `--api-cors-header` being ignored if `--api-enable-cors` is not set [#32174](https://github.com/docker/docker/pull/32174)
+- Cleanup docker tmp dir on start [#31741](https://github.com/docker/docker/pull/31741)
+- Deprecate `--graph` flag in favor or `--data-root`  [#28696](https://github.com/docker/docker/pull/28696)
+
+### Logging
+
++ Add support for logging driver plugins [#28403](https://github.com/docker/docker/pull/28403)
+* Add support for showing logs of individual tasks to `docker service logs`, and add `/task/{id}/logs` REST endpoint [#32015](https://github.com/docker/docker/pull/32015)
+* Add `--log-opt env-regex` option to match environment variables using a regular expression [#27565](https://github.com/docker/docker/pull/27565)
+
+### Networking
+
++ Allow user to replace, and customize the ingress network [#31714](https://github.com/docker/docker/pull/31714)
+- Fix UDP traffic in containers not working after the container is restarted [#32505](https://github.com/docker/docker/pull/32505)
+- Fix files being written to `/var/lib/docker` if a different data-root is set [#32505](https://github.com/docker/docker/pull/32505)
+
+### Runtime
+
+- Ensure health probe is stopped when a container exits [#32274](https://github.com/docker/docker/pull/32274)
+
+### Swarm Mode
+
++ Add update/rollback order for services (`--update-order` / `--rollback-order`) [#30261](https://github.com/docker/docker/pull/30261)
++ Add support for synchronous `service create` and `service update` [#31144](https://github.com/docker/docker/pull/31144)
++ Add support for "grace periods" on healthchecks through the `HEALTHCHECK --start-period` and `--health-start-period` flag to
+  `docker service create`, `docker service update`, `docker create`, and `docker run` to support containers with an initial startup
+  time [#28938](https://github.com/docker/docker/pull/28938)
+* `docker service create` now omits fields that are not specified by the user, when possible. This will allow defaults to be applied inside the manager [#32284](https://github.com/docker/docker/pull/32284)
+* `docker service inspect` now shows default values for fields that are not specified by the user [#32284](https://github.com/docker/docker/pull/32284)
+* Move `docker service logs` out of experimental [#32462](https://github.com/docker/docker/pull/32462)
+* Add support for Credential Spec and SELinux to services to the API [#32339](https://github.com/docker/docker/pull/32339)
+* Add `--entrypoint` flag to `docker service create` and `docker service update` [#29228](https://github.com/docker/docker/pull/29228)
+* Add `--network-add` and `--network-rm` to `docker service update` [#32062](https://github.com/docker/docker/pull/32062)
+* Add `--credential-spec` flag to `docker service create` and `docker service update` [#32339](https://github.com/docker/docker/pull/32339)
+* Add `--filter mode=<global|replicated>` to `docker service ls` [#31538](https://github.com/docker/docker/pull/31538)
+* Resolve network IDs on the client side, instead of in the daemon when creating services [#32062](https://github.com/docker/docker/pull/32062)
+* Add `--format` option to `docker node ls` [#30424](https://github.com/docker/docker/pull/30424)
+* Add `--prune` option to `docker stack deploy` to remove services that are no longer defined in the docker-compose file [#31302](https://github.com/docker/docker/pull/31302)
+* Add `PORTS` column for `docker service ls` when using `ingress` mode [#30813](https://github.com/docker/docker/pull/30813)
+- Fix unnescessary re-deploying of tasks when environment-variables are used [#32364](https://github.com/docker/docker/pull/32364)
+- Fix `docker stack deploy` not supporting `endpoint_mode` when deploying from a docker compose file  [#32333](https://github.com/docker/docker/pull/32333)
+- Proceed with startup if cluster component cannot be created to allow recovering from a broken swarm setup [#31631](https://github.com/docker/docker/pull/31631)
+
+### Security
+
+* Allow setting SELinux type or MCS labels when using `--ipc=container:` or `--ipc=host` [#30652](https://github.com/docker/docker/pull/30652)
+
+
+### Deprecation
+
+- Deprecate `--api-enable-cors` daemon flag. This flag was marked deprecated in Docker 1.6.0 but not listed in deprecated features [#32352](https://github.com/docker/docker/pull/32352)
+- Remove Ubuntu 12.04 (Precise Pangolin) as supported platform. Ubuntu 12.04 is EOL, and no longer receives updates [#32520](https://github.com/docker/docker/pull/32520)
+
+## 17.04.0-ce (2017-04-05)
+
+### Builder
+
+* Disable container logging for build containers [#29552](https://github.com/docker/docker/pull/29552)
+* Fix use of `**/` in `.dockerignore` [#29043](https://github.com/docker/docker/pull/29043)
+
+### Client
+
++ Sort `docker stack ls` by name [#31085](https://github.com/docker/docker/pull/31085)
++ Flags for specifying bind mount consistency [#31047](https://github.com/docker/docker/pull/31047)
+* Output of docker CLI --help is now wrapped to the terminal width [#28751](https://github.com/docker/docker/pull/28751)
+* Suppress image digest in docker ps [#30848](https://github.com/docker/docker/pull/30848)
+* Hide command options that are related to Windows [#30788](https://github.com/docker/docker/pull/30788)
+* Fix `docker plugin install` prompt to accept "enter" for the "N" default [#30769](https://github.com/docker/docker/pull/30769)
++ Add `truncate` function for Go templates [#30484](https://github.com/docker/docker/pull/30484)
+* Support expanded syntax of ports in `stack deploy` [#30476](https://github.com/docker/docker/pull/30476)
+* Support expanded syntax of mounts in `stack deploy` [#30597](https://github.com/docker/docker/pull/30597) [#31795](https://github.com/docker/docker/pull/31795)
++ Add `--add-host` for docker build [#30383](https://github.com/docker/docker/pull/30383)
++ Add `.CreatedAt` placeholder for `docker network ls --format` [#29900](https://github.com/docker/docker/pull/29900)
+* Update order of `--secret-rm` and `--secret-add` [#29802](https://github.com/docker/docker/pull/29802)
++ Add `--filter enabled=true` for `docker plugin ls` [#28627](https://github.com/docker/docker/pull/28627)
++ Add `--format` to `docker service ls` [#28199](https://github.com/docker/docker/pull/28199)
++ Add `publish` and `expose` filter for `docker ps --filter` [#27557](https://github.com/docker/docker/pull/27557)
+* Support multiple service IDs on `docker service ps` [#25234](https://github.com/docker/docker/pull/25234)
++ Allow swarm join with `--availability=drain` [#24993](https://github.com/docker/docker/pull/24993)
+* Docker inspect now shows "docker-default" when AppArmor is enabled and no other profile was defined [#27083](https://github.com/docker/docker/pull/27083)
+
+### Logging
+
++ Implement optional ring buffer for container logs [#28762](https://github.com/docker/docker/pull/28762)
++ Add `--log-opt awslogs-create-group=<true|false>` for awslogs (CloudWatch) to support creation of log groups as needed [#29504](https://github.com/docker/docker/pull/29504)
+- Fix segfault when using the gcplogs logging driver with a "static" binary [#29478](https://github.com/docker/docker/pull/29478)
+
+
+### Networking
+
+* Check parameter `--ip`, `--ip6` and `--link-local-ip` in `docker network connect` [#30807](https://github.com/docker/docker/pull/30807)
++ Added support for `dns-search` [#30117](https://github.com/docker/docker/pull/30117)
++ Added --verbose option for docker network inspect to show task details from all swarm nodes [#31710](https://github.com/docker/docker/pull/31710)
+* Clear stale datapath encryption states when joining the cluster [docker/libnetwork#1354](https://github.com/docker/libnetwork/pull/1354)
++ Ensure iptables initialization only happens once [docker/libnetwork#1676](https://github.com/docker/libnetwork/pull/1676)
+* Fix bad order of iptables filter rules [docker/libnetwork#961](https://github.com/docker/libnetwork/pull/961)
++ Add anonymous container alias to service record on attachable network [docker/libnetwork#1651](https://github.com/docker/libnetwork/pull/1651)
++ Support for `com.docker.network.container_interface_prefix` driver label [docker/libnetwork#1667](https://github.com/docker/libnetwork/pull/1667)
++ Improve network list performance by omitting network details that are not used [#30673](https://github.com/docker/docker/pull/30673)
+
+### Runtime
+
+* Handle paused container when restoring without live-restore set [#31704](https://github.com/docker/docker/pull/31704)
+- Do not allow sub second in healthcheck options in Dockerfile [#31177](https://github.com/docker/docker/pull/31177)
+* Support name and id prefix in  `secret update` [#30856](https://github.com/docker/docker/pull/30856)
+* Use binary frame for websocket attach endpoint [#30460](https://github.com/docker/docker/pull/30460)
+* Fix linux mount calls not applying propagation type changes [#30416](https://github.com/docker/docker/pull/30416)
+* Fix ExecIds leak on failed `exec -i` [#30340](https://github.com/docker/docker/pull/30340)
+* Prune named but untagged images if `danglingOnly=true` [#30330](https://github.com/docker/docker/pull/30330)
++ Add daemon flag to set `no_new_priv` as default for unprivileged containers [#29984](https://github.com/docker/docker/pull/29984)
++ Add daemon option `--default-shm-size` [#29692](https://github.com/docker/docker/pull/29692)
++ Support registry mirror config reload [#29650](https://github.com/docker/docker/pull/29650)
+- Ignore the daemon log config when building images [#29552](https://github.com/docker/docker/pull/29552)
+* Move secret name or ID prefix resolving from client to daemon [#29218](https://github.com/docker/docker/pull/29218)
++ Allow adding rules to `cgroup devices.allow` on container create/run [#22563](https://github.com/docker/docker/pull/22563)
+- Fix `cpu.cfs_quota_us` being reset when running `systemd daemon-reload` [#31736](https://github.com/docker/docker/pull/31736)
+
+### Swarm Mode
+
++ Topology-aware scheduling [#30725](https://github.com/docker/docker/pull/30725)
++ Automatic service rollback on failure [#31108](https://github.com/docker/docker/pull/31108)
++ Worker and manager on the same node are now connected through a UNIX socket [docker/swarmkit#1828](https://github.com/docker/swarmkit/pull/1828), [docker/swarmkit#1850](https://github.com/docker/swarmkit/pull/1850), [docker/swarmkit#1851](https://github.com/docker/swarmkit/pull/1851)
+* Improve raft transport package [docker/swarmkit#1748](https://github.com/docker/swarmkit/pull/1748)
+* No automatic manager shutdown on demotion/removal [docker/swarmkit#1829](https://github.com/docker/swarmkit/pull/1829)
+* Use TransferLeadership to make leader demotion safer [docker/swarmkit#1939](https://github.com/docker/swarmkit/pull/1939)
+* Decrease default monitoring period [docker/swarmkit#1967](https://github.com/docker/swarmkit/pull/1967)
++ Add Service logs formatting [#31672](https://github.com/docker/docker/pull/31672)
+* Fix service logs API to be able to specify stream [#31313](https://github.com/docker/docker/pull/31313)
++ Add `--stop-signal` for `service create` and `service update` [#30754](https://github.com/docker/docker/pull/30754)
++ Add `--read-only` for `service create` and `service update` [#30162](https://github.com/docker/docker/pull/30162)
++ Renew the context after communicating with the registry [#31586](https://github.com/docker/docker/pull/31586)
++ (experimental) Add `--tail` and `--since` options to `docker service logs` [#31500](https://github.com/docker/docker/pull/31500)
++ (experimental) Add `--no-task-ids` and `--no-trunc` options to `docker service logs` [#31672](https://github.com/docker/docker/pull/31672)
+
+### Windows
+
+* Block pulling Windows images on non-Windows daemons [#29001](https://github.com/docker/docker/pull/29001)
+
+## 17.03.1-ce (2017-03-27)
+
+### Remote API (v1.27) & Client
+
+* Fix autoremove on older api [#31692](https://github.com/docker/docker/pull/31692)
+* Fix default network customization for a stack [#31258](https://github.com/docker/docker/pull/31258/)
+* Correct CPU usage calculation in presence of offline CPUs and newer Linux [#31802](https://github.com/docker/docker/pull/31802)
+* Fix issue where service healthcheck is `{}` in remote API [#30197](https://github.com/docker/docker/pull/30197)
+
+### Runtime
+
+* Update runc to 54296cf40ad8143b62dbcaa1d90e520a2136ddfe [#31666](https://github.com/docker/docker/pull/31666)
+ * Ignore cgroup2 mountpoints [opencontainers/runc#1266](https://github.com/opencontainers/runc/pull/1266)
+* Update containerd to 4ab9917febca54791c5f071a9d1f404867857fcc [#31662](https://github.com/docker/docker/pull/31662) [#31852](https://github.com/docker/docker/pull/31852)
+ * Register healthcheck service before calling restore() [docker/containerd#609](https://github.com/docker/containerd/pull/609)
+* Fix `docker exec` not working after unattended upgrades that reload apparmor profiles [#31773](https://github.com/docker/docker/pull/31773)
+* Fix unmounting layer without merge dir with Overlay2 [#31069](https://github.com/docker/docker/pull/31069)
+* Do not ignore "volume in use" errors when force-delete [#31450](https://github.com/docker/docker/pull/31450)
+
+### Swarm Mode
+
+* Update swarmkit to 17756457ad6dc4d8a639a1f0b7a85d1b65a617bb [#31807](https://github.com/docker/docker/pull/31807)
+ * Scheduler now correctly considers tasks which have been assigned to a node but aren't yet running [docker/swarmkit#1980](https://github.com/docker/swarmkit/pull/1980)
+ * Allow removal of a network when only dead tasks reference it [docker/swarmkit#2018](https://github.com/docker/swarmkit/pull/2018)
+ * Retry failed network allocations less aggressively [docker/swarmkit#2021](https://github.com/docker/swarmkit/pull/2021)
+ * Avoid network allocation for tasks that are no longer running [docker/swarmkit#2017](https://github.com/docker/swarmkit/pull/2017)
+ * Bookkeeping fixes inside network allocator allocator [docker/swarmkit#2019](https://github.com/docker/swarmkit/pull/2019) [docker/swarmkit#2020](https://github.com/docker/swarmkit/pull/2020)
+
+### Windows
+
+* Cleanup HCS on restore [#31503](https://github.com/docker/docker/pull/31503)
+
+## 17.03.0-ce (2017-03-01)
+
+**IMPORTANT**: Starting with this release, Docker is on a monthly release cycle and uses a
+new YY.MM versioning scheme to reflect this. Two channels are available: monthly and quarterly.
+Any given monthly release will only receive security and bugfixes until the next monthly
+release is available. Quarterly releases receive security and bugfixes for 4 months after
+initial release. This release includes bugfixes for 1.13.1 but
+there are no major feature additions and the API version stays the same.
+Upgrading from Docker 1.13.1 to 17.03.0 is expected to be simple and low-risk.
+
+### Client
+
+* Fix panic in `docker stats --format` [#30776](https://github.com/docker/docker/pull/30776)
+
+### Contrib
+
+* Update various `bash` and `zsh` completion scripts [#30823](https://github.com/docker/docker/pull/30823), [#30945](https://github.com/docker/docker/pull/30945) and more...
+* Block obsolete socket families in default seccomp profile - mitigates unpatched kernels' CVE-2017-6074 [#29076](https://github.com/docker/docker/pull/29076)
+
+### Networking
+
+* Fix bug on overlay encryption keys rotation in cross-datacenter swarm [#30727](https://github.com/docker/docker/pull/30727)
+* Fix side effect panic in overlay encryption and network control plane communication failure ("No installed keys could decrypt the message") on frequent swarm leader re-election [#25608](https://github.com/docker/docker/pull/25608)
+* Several fixes around system responsiveness and datapath programming when using overlay network with external kv-store [docker/libnetwork#1639](https://github.com/docker/libnetwork/pull/1639), [docker/libnetwork#1632](https://github.com/docker/libnetwork/pull/1632) and more...
+* Discard incoming plain vxlan packets for encrypted overlay network [#31170](https://github.com/docker/docker/pull/31170)
+* Release the network attachment on allocation failure [#31073](https://github.com/docker/docker/pull/31073)
+* Fix port allocation when multiple published ports map to the same target port [docker/swarmkit#1835](https://github.com/docker/swarmkit/pull/1835)
+
+### Runtime
+
+* Fix a deadlock in docker logs [#30223](https://github.com/docker/docker/pull/30223)
+* Fix cpu spin waiting for log write events [#31070](https://github.com/docker/docker/pull/31070)
+* Fix a possible crash when using journald [#31231](https://github.com/docker/docker/pull/31231) [#31263](https://github.com/docker/docker/pull/31263)
+* Fix a panic on close of nil channel [#31274](https://github.com/docker/docker/pull/31274)
+* Fix duplicate mount point for `--volumes-from` in `docker run` [#29563](https://github.com/docker/docker/pull/29563)
+* Fix `--cache-from` does not cache last step [#31189](https://github.com/docker/docker/pull/31189)
+
+### Swarm Mode
+
+* Shutdown leaks an error when the container was never started [#31279](https://github.com/docker/docker/pull/31279)
+* Fix possibility of tasks getting stuck in the "NEW" state during a leader failover [docker/swarmkit#1938](https://github.com/docker/swarmkit/pull/1938)
+* Fix extraneous task creations for global services that led to confusing replica counts in `docker service ls` [docker/swarmkit#1957](https://github.com/docker/swarmkit/pull/1957)
+* Fix problem that made rolling updates slow when `task-history-limit` was set to 1 [docker/swarmkit#1948](https://github.com/docker/swarmkit/pull/1948)
+* Restart tasks elsewhere, if appropriate, when they are shut down as a result of nodes no longer satisfying constraints [docker/swarmkit#1958](https://github.com/docker/swarmkit/pull/1958)
+* (experimental)
+
+## 1.13.1 (2017-02-08)
+
+**IMPORTANT**: On Linux distributions where `devicemapper` was the default storage driver,
+the `overlay2`, or `overlay` is now used by default (if the kernel supports it).
+To use devicemapper, you can manually configure the storage driver to use through
+the `--storage-driver` daemon option, or by setting "storage-driver" in the `daemon.json`
+configuration file.
+
+**IMPORTANT**: In Docker 1.13, the managed plugin api changed, as compared to the experimental
+version introduced in Docker 1.12. You must **uninstall** plugins which you installed with Docker 1.12
+_before_ upgrading to Docker 1.13. You can uninstall plugins using the `docker plugin rm` command.
+
+If you have already upgraded to Docker 1.13 without uninstalling
+previously-installed plugins, you may see this message when the Docker daemon
+starts:
+
+    Error starting daemon: json: cannot unmarshal string into Go value of type types.PluginEnv
+
+To manually remove all plugins and resolve this problem, take the following steps:
+
+1. Remove plugins.json from: `/var/lib/docker/plugins/`.
+2. Restart Docker. Verify that the Docker daemon starts with no errors.
+3. Reinstall your plugins.
+
+### Contrib
+
+* Do not require a custom build of tini [#28454](https://github.com/docker/docker/pull/28454)
+* Upgrade to Go 1.7.5 [#30489](https://github.com/docker/docker/pull/30489)
+
+### Remote API (v1.26) & Client
+
++ Support secrets in docker stack deploy with compose file [#30144](https://github.com/docker/docker/pull/30144)
+
+### Runtime
+
+* Fix size issue in `docker system df` [#30378](https://github.com/docker/docker/pull/30378)
+* Fix error on `docker inspect` when Swarm certificates were expired. [#29246](https://github.com/docker/docker/pull/29246)
+* Fix deadlock on v1 plugin with activate error [#30408](https://github.com/docker/docker/pull/30408)
+* Fix SELinux regression [#30649](https://github.com/docker/docker/pull/30649)
+
+### Plugins
+
+* Support global scoped network plugins (v2) in swarm mode [#30332](https://github.com/docker/docker/pull/30332)
++ Add `docker plugin upgrade` [#29414](https://github.com/docker/docker/pull/29414)
+
+### Windows
+
+* Fix small regression with old plugins in Windows [#30150](https://github.com/docker/docker/pull/30150)
+* Fix warning on Windows [#30730](https://github.com/docker/docker/pull/30730)
+
+## 1.13.0 (2017-01-18)
+
+**IMPORTANT**: On Linux distributions where `devicemapper` was the default storage driver,
+the `overlay2`, or `overlay` is now used by default (if the kernel supports it).
+To use devicemapper, you can manually configure the storage driver to use through
+the `--storage-driver` daemon option, or by setting "storage-driver" in the `daemon.json`
+configuration file.
+
+**IMPORTANT**: In Docker 1.13, the managed plugin api changed, as compared to the experimental
+version introduced in Docker 1.12. You must **uninstall** plugins which you installed with Docker 1.12
+_before_ upgrading to Docker 1.13. You can uninstall plugins using the `docker plugin rm` command.
+
+If you have already upgraded to Docker 1.13 without uninstalling
+previously-installed plugins, you may see this message when the Docker daemon
+starts:
+
+    Error starting daemon: json: cannot unmarshal string into Go value of type types.PluginEnv
+
+To manually remove all plugins and resolve this problem, take the following steps:
+
+1. Remove plugins.json from: `/var/lib/docker/plugins/`.
+2. Restart Docker. Verify that the Docker daemon starts with no errors.
+3. Reinstall your plugins.
+
+### Builder
+
++ Add capability to specify images used as a cache source on build. These images do not need to have local parent chain and can be pulled from other registries [#26839](https://github.com/docker/docker/pull/26839)
++ (experimental) Add option to squash image layers to the FROM image after successful builds [#22641](https://github.com/docker/docker/pull/22641)
+* Fix dockerfile parser with empty line after escape [#24725](https://github.com/docker/docker/pull/24725)
+- Add step number on `docker build` [#24978](https://github.com/docker/docker/pull/24978)
++ Add support for compressing build context during image build [#25837](https://github.com/docker/docker/pull/25837)
++ add `--network` to `docker build` [#27702](https://github.com/docker/docker/pull/27702)
+- Fix inconsistent behavior between `--label` flag on `docker build` and `docker run` [#26027](https://github.com/docker/docker/issues/26027)
+- Fix image layer inconsistencies when using the overlay storage driver [#27209](https://github.com/docker/docker/pull/27209)
+* Unused build-args are now allowed. A warning is presented instead of an error and failed build [#27412](https://github.com/docker/docker/pull/27412)
+- Fix builder cache issue on Windows [#27805](https://github.com/docker/docker/pull/27805)
++ Allow `USER` in builder on Windows [#28415](https://github.com/docker/docker/pull/28415)
++ Handle env case-insensitive on Windows [#28725](https://github.com/docker/docker/pull/28725)
+
+### Contrib
+
++ Add support for building docker debs for Ubuntu 16.04 Xenial on PPC64LE [#23438](https://github.com/docker/docker/pull/23438)
++ Add support for building docker debs for Ubuntu 16.04 Xenial on s390x [#26104](https://github.com/docker/docker/pull/26104)
++ Add support for building docker debs for Ubuntu 16.10 Yakkety Yak on PPC64LE [#28046](https://github.com/docker/docker/pull/28046)
+- Add RPM builder for VMWare Photon OS [#24116](https://github.com/docker/docker/pull/24116)
++ Add shell completions to tgz [#27735](https://github.com/docker/docker/pull/27735)
+* Update the install script to allow using the mirror in China [#27005](https://github.com/docker/docker/pull/27005)
++ Add DEB builder for Ubuntu 16.10 Yakkety Yak [#27993](https://github.com/docker/docker/pull/27993)
++ Add RPM builder for Fedora 25 [#28222](https://github.com/docker/docker/pull/28222)
++ Add `make deb` support for aarch64 [#27625](https://github.com/docker/docker/pull/27625)
+
+### Distribution
+
+* Update notary dependency to 0.4.2 (full changelogs [here](https://github.com/docker/notary/releases/tag/v0.4.2)) [#27074](https://github.com/docker/docker/pull/27074)
+  - Support for compilation on windows [docker/notary#970](https://github.com/docker/notary/pull/970)
+  - Improved error messages for client authentication errors [docker/notary#972](https://github.com/docker/notary/pull/972)
+  - Support for finding keys that are anywhere in the `~/.docker/trust/private` directory, not just under `~/.docker/trust/private/root_keys` or `~/.docker/trust/private/tuf_keys` [docker/notary#981](https://github.com/docker/notary/pull/981)
+  - Previously, on any error updating, the client would fall back on the cache.  Now we only do so if there is a network error or if the server is unavailable or missing the TUF data. Invalid TUF data will cause the update to fail - for example if there was an invalid root rotation. [docker/notary#982](https://github.com/docker/notary/pull/982)
+  - Improve root validation and yubikey debug logging [docker/notary#858](https://github.com/docker/notary/pull/858) [docker/notary#891](https://github.com/docker/notary/pull/891)
+  - Warn if certificates for root or delegations are near expiry [docker/notary#802](https://github.com/docker/notary/pull/802)
+  - Warn if role metadata is near expiry [docker/notary#786](https://github.com/docker/notary/pull/786)
+  - Fix passphrase retrieval attempt counting and terminal detection [docker/notary#906](https://github.com/docker/notary/pull/906)
+- Avoid unnecessary blob uploads when different users push same layers to authenticated registry [#26564](https://github.com/docker/docker/pull/26564)
+* Allow external storage for registry credentials [#26354](https://github.com/docker/docker/pull/26354)
+
+### Logging
+
+* Standardize the default logging tag value in all logging drivers [#22911](https://github.com/docker/docker/pull/22911)
+- Improve performance and memory use when logging of long log lines [#22982](https://github.com/docker/docker/pull/22982)
++ Enable syslog driver for windows [#25736](https://github.com/docker/docker/pull/25736)
++ Add Logentries Driver [#27471](https://github.com/docker/docker/pull/27471)
++ Update of AWS log driver to support tags [#27707](https://github.com/docker/docker/pull/27707)
++ Unix socket support for fluentd [#26088](https://github.com/docker/docker/pull/26088)
+* Enable fluentd logging driver on Windows [#28189](https://github.com/docker/docker/pull/28189)
+- Sanitize docker labels when used as journald field names [#23725](https://github.com/docker/docker/pull/23725)
+- Fix an issue where `docker logs --tail` returned less lines than expected [#28203](https://github.com/docker/docker/pull/28203)
+- Splunk Logging Driver: performance and reliability improvements [#26207](https://github.com/docker/docker/pull/26207)
+- Splunk Logging Driver: configurable formats and skip for verifying connection [#25786](https://github.com/docker/docker/pull/25786)
+
+### Networking
+
++ Add `--attachable` network support to enable `docker run` to work in swarm-mode overlay network [#25962](https://github.com/docker/docker/pull/25962)
++ Add support for host port PublishMode in services using the `--publish` option in `docker service create` [#27917](https://github.com/docker/docker/pull/27917) and [#28943](https://github.com/docker/docker/pull/28943)
++ Add support for Windows server 2016 overlay network driver (requires upcoming ws2016 update) [#28182](https://github.com/docker/docker/pull/28182)
+* Change the default `FORWARD` policy to `DROP` [#28257](https://github.com/docker/docker/pull/28257)
++ Add support for specifying static IP addresses for predefined network on windows [#22208](https://github.com/docker/docker/pull/22208)
+- Fix `--publish` flag on `docker run` not working with IPv6 addresses [#27860](https://github.com/docker/docker/pull/27860)
+- Fix inspect network show gateway with mask [#25564](https://github.com/docker/docker/pull/25564)
+- Fix an issue where multiple addresses in a bridge may cause `--fixed-cidr` to not have the correct addresses [#26659](https://github.com/docker/docker/pull/26659)
++ Add creation timestamp to `docker network inspect` [#26130](https://github.com/docker/docker/pull/26130)
+- Show peer nodes in `docker network inspect` for swarm overlay networks [#28078](https://github.com/docker/docker/pull/28078)
+- Enable ping for service VIP address [#28019](https://github.com/docker/docker/pull/28019)
+
+### Plugins
+
+- Move plugins out of experimental [#28226](https://github.com/docker/docker/pull/28226)
+- Add `--force` on `docker plugin remove` [#25096](https://github.com/docker/docker/pull/25096)
+* Add support for dynamically reloading authorization plugins [#22770](https://github.com/docker/docker/pull/22770)
++ Add description in `docker plugin ls` [#25556](https://github.com/docker/docker/pull/25556)
++ Add `-f`/`--format` to `docker plugin inspect` [#25990](https://github.com/docker/docker/pull/25990)
++ Add `docker plugin create` command [#28164](https://github.com/docker/docker/pull/28164)
+* Send request's TLS peer certificates to authorization plugins [#27383](https://github.com/docker/docker/pull/27383)
+* Support for global-scoped network and ipam plugins in swarm-mode [#27287](https://github.com/docker/docker/pull/27287)
+* Split `docker plugin install` into two API call `/privileges` and `/pull` [#28963](https://github.com/docker/docker/pull/28963)
+
+### Remote API (v1.25) & Client
+
++ Support `docker stack deploy` from a Compose file [#27998](https://github.com/docker/docker/pull/27998)
++ (experimental) Implement checkpoint and restore [#22049](https://github.com/docker/docker/pull/22049)
++ Add `--format` flag to `docker info` [#23808](https://github.com/docker/docker/pull/23808)
+* Remove `--name` from `docker volume create` [#23830](https://github.com/docker/docker/pull/23830)
++ Add `docker stack ls` [#23886](https://github.com/docker/docker/pull/23886)
++ Add a new `is-task` ps filter [#24411](https://github.com/docker/docker/pull/24411)
++ Add `--env-file` flag to `docker service create` [#24844](https://github.com/docker/docker/pull/24844)
++ Add `--format` on `docker stats` [#24987](https://github.com/docker/docker/pull/24987)
++ Make `docker node ps` default to `self` in swarm node [#25214](https://github.com/docker/docker/pull/25214)
++ Add `--group` in `docker service create` [#25317](https://github.com/docker/docker/pull/25317)
++ Add `--no-trunc` to service/node/stack ps output [#25337](https://github.com/docker/docker/pull/25337)
++ Add Logs to `ContainerAttachOptions` so go clients can request to retrieve container logs as part of the attach process [#26718](https://github.com/docker/docker/pull/26718)
++ Allow client to talk to an older server [#27745](https://github.com/docker/docker/pull/27745)
+* Inform user client-side that a container removal is in progress [#26074](https://github.com/docker/docker/pull/26074)
++ Add `Isolation` to the /info endpoint [#26255](https://github.com/docker/docker/pull/26255)
++ Add `userns` to the /info endpoint [#27840](https://github.com/docker/docker/pull/27840)
+- Do not allow more than one mode be requested at once in the services endpoint [#26643](https://github.com/docker/docker/pull/26643)
++ Add capability to /containers/create API to specify mounts in a more granular and safer way [#22373](https://github.com/docker/docker/pull/22373)
++ Add `--format` flag to `network ls` and `volume ls` [#23475](https://github.com/docker/docker/pull/23475)
+* Allow the top-level `docker inspect` command to inspect any kind of resource [#23614](https://github.com/docker/docker/pull/23614)
++ Add --cpus flag to control cpu resources for `docker run` and `docker create`, and add `NanoCPUs` to `HostConfig` [#27958](https://github.com/docker/docker/pull/27958)
+- Allow unsetting the `--entrypoint` in `docker run` or `docker create` [#23718](https://github.com/docker/docker/pull/23718)
+* Restructure CLI commands by adding `docker image` and `docker container` commands for more consistency [#26025](https://github.com/docker/docker/pull/26025)
+- Remove `COMMAND` column from `service ls` output [#28029](https://github.com/docker/docker/pull/28029)
++ Add `--format` to `docker events` [#26268](https://github.com/docker/docker/pull/26268)
+* Allow specifying multiple nodes on `docker node ps` [#26299](https://github.com/docker/docker/pull/26299)
+* Restrict fractional digits to 2 decimals in `docker images` output [#26303](https://github.com/docker/docker/pull/26303)
++ Add `--dns-option` to `docker run` [#28186](https://github.com/docker/docker/pull/28186)
++ Add Image ID to container commit event [#28128](https://github.com/docker/docker/pull/28128)
++ Add external binaries version to docker info [#27955](https://github.com/docker/docker/pull/27955)
++ Add information for `Manager Addresses` in the output of `docker info` [#28042](https://github.com/docker/docker/pull/28042)
++ Add a new reference filter for `docker images` [#27872](https://github.com/docker/docker/pull/27872)
+
+### Runtime
+
++ Add `--experimental` daemon flag to enable experimental features, instead of shipping them in a separate build [#27223](https://github.com/docker/docker/pull/27223)
++ Add a `--shutdown-timeout` daemon flag to specify the default timeout (in seconds) to stop containers gracefully before daemon exit [#23036](https://github.com/docker/docker/pull/23036)
++ Add `--stop-timeout` to specify the timeout value (in seconds) for individual containers to stop [#22566](https://github.com/docker/docker/pull/22566)
++ Add a new daemon flag `--userland-proxy-path` to allow configuring the userland proxy instead of using the hardcoded `docker-proxy` from `$PATH` [#26882](https://github.com/docker/docker/pull/26882)
++ Add boolean flag `--init` on `dockerd` and on `docker run` to use [tini](https://github.com/krallin/tini) a zombie-reaping init process as PID 1 [#26061](https://github.com/docker/docker/pull/26061) [#28037](https://github.com/docker/docker/pull/28037)
++ Add a new daemon flag `--init-path` to allow configuring the path to the `docker-init` binary [#26941](https://github.com/docker/docker/pull/26941)
++ Add support for live reloading insecure registry in configuration [#22337](https://github.com/docker/docker/pull/22337)
++ Add support for storage-opt size on Windows daemons [#23391](https://github.com/docker/docker/pull/23391)
+* Improve reliability of `docker run --rm` by moving it from the client to the daemon  [#20848](https://github.com/docker/docker/pull/20848)
++ Add support for `--cpu-rt-period` and `--cpu-rt-runtime` flags, allowing containers to run real-time threads when `CONFIG_RT_GROUP_SCHED` is enabled in the kernel [#23430](https://github.com/docker/docker/pull/23430)
+* Allow parallel stop, pause, unpause [#24761](https://github.com/docker/docker/pull/24761) / [#26778](https://github.com/docker/docker/pull/26778)
+* Implement XFS quota for overlay2 [#24771](https://github.com/docker/docker/pull/24771)
+- Fix partial/full filter issue in `service tasks --filter` [#24850](https://github.com/docker/docker/pull/24850)
+- Allow engine to run inside a user namespace [#25672](https://github.com/docker/docker/pull/25672)
+- Fix a race condition between device deferred removal and resume device, when using the devicemapper graphdriver [#23497](https://github.com/docker/docker/pull/23497)
+- Add `docker stats` support in Windows [#25737](https://github.com/docker/docker/pull/25737)
+- Allow using `--pid=host` and `--net=host` when `--userns=host` [#25771](https://github.com/docker/docker/pull/25771)
++ (experimental) Add metrics (Prometheus) output for basic `container`, `image`, and `daemon` operations [#25820](https://github.com/docker/docker/pull/25820)
+- Fix issue in `docker stats` with `NetworkDisabled=true` [#25905](https://github.com/docker/docker/pull/25905)
++ Add `docker top` support in Windows [#25891](https://github.com/docker/docker/pull/25891)
++ Record pid of exec'd process [#27470](https://github.com/docker/docker/pull/27470)
++ Add support for looking up user/groups via `getent` [#27599](https://github.com/docker/docker/pull/27599)
++ Add new `docker system` command with `df` and `prune` subcommands for system resource management, as well as `docker {container,image,volume,network} prune` subcommands [#26108](https://github.com/docker/docker/pull/26108) [#27525](https://github.com/docker/docker/pull/27525) / [#27525](https://github.com/docker/docker/pull/27525)
+- Fix an issue where containers could not be stopped or killed by setting xfs max_retries to 0 upon ENOSPC with devicemapper [#26212](https://github.com/docker/docker/pull/26212)
+- Fix `docker cp` failing to copy to a container's volume dir on CentOS with devicemapper [#28047](https://github.com/docker/docker/pull/28047)
+* Promote overlay(2) graphdriver [#27932](https://github.com/docker/docker/pull/27932)
++ Add `--seccomp-profile` daemon flag to specify a path to a seccomp profile that overrides the default [#26276](https://github.com/docker/docker/pull/26276)
+- Fix ulimits in `docker inspect` when `--default-ulimit` is set on daemon [#26405](https://github.com/docker/docker/pull/26405)
+- Add workaround for overlay issues during build in older kernels [#28138](https://github.com/docker/docker/pull/28138)
++ Add `TERM` environment variable on `docker exec -t` [#26461](https://github.com/docker/docker/pull/26461)
+* Honor a container’s `--stop-signal` setting upon `docker kill` [#26464](https://github.com/docker/docker/pull/26464)
+
+### Swarm Mode
+
++ Add secret management [#27794](https://github.com/docker/docker/pull/27794)
++ Add support for templating service options (hostname, mounts, and environment variables) [#28025](https://github.com/docker/docker/pull/28025)
+* Display the endpoint mode in the output of `docker service inspect --pretty` [#26906](https://github.com/docker/docker/pull/26906)
+* Make `docker service ps` output more bearable by shortening service IDs in task names [#28088](https://github.com/docker/docker/pull/28088)
+* Make `docker node ps` default to the current node [#25214](https://github.com/docker/docker/pull/25214)
++ Add `--dns`, -`-dns-opt`, and `--dns-search` to service create. [#27567](https://github.com/docker/docker/pull/27567)
++ Add `--force` to `docker service update` [#27596](https://github.com/docker/docker/pull/27596)
++ Add `--health-*` and `--no-healthcheck` flags to `docker service create` and `docker service update` [#27369](https://github.com/docker/docker/pull/27369)
++ Add `-q` to `docker service ps` [#27654](https://github.com/docker/docker/pull/27654)
+* Display number of global services in `docker service ls` [#27710](https://github.com/docker/docker/pull/27710)
+- Remove `--name` flag from `docker service update`. This flag is only functional on `docker service create`, so was removed from the `update` command [#26988](https://github.com/docker/docker/pull/26988)
+- Fix worker nodes failing to recover because of transient networking issues [#26646](https://github.com/docker/docker/issues/26646)
+* Add support for health aware load balancing and DNS records [#27279](https://github.com/docker/docker/pull/27279)
++ Add `--hostname` to `docker service create` [#27857](https://github.com/docker/docker/pull/27857)
++ Add `--host` to `docker service create`, and `--host-add`, `--host-rm` to `docker service update` [#28031](https://github.com/docker/docker/pull/28031)
++ Add `--tty` flag to `docker service create`/`update` [#28076](https://github.com/docker/docker/pull/28076)
+* Autodetect, store, and expose node IP address as seen by the manager [#27910](https://github.com/docker/docker/pull/27910)
+* Encryption at rest of manager keys and raft data [#27967](https://github.com/docker/docker/pull/27967)
++ Add `--update-max-failure-ratio`, `--update-monitor` and `--rollback` flags to `docker service update` [#26421](https://github.com/docker/docker/pull/26421)
+- Fix an issue with address autodiscovery on `docker swarm init` running inside a container [#26457](https://github.com/docker/docker/pull/26457)
++ (experimental) Add `docker service logs` command to view logs for a service [#28089](https://github.com/docker/docker/pull/28089)
++ Pin images by digest for `docker service create` and `update` [#28173](https://github.com/docker/docker/pull/28173)
+* Add short (`-f`) flag for `docker node rm --force` and `docker swarm leave --force` [#28196](https://github.com/docker/docker/pull/28196)
++ Add options to customize Raft snapshots (`--max-snapshots`, `--snapshot-interval`) [#27997](https://github.com/docker/docker/pull/27997)
+- Don't repull image if pinned by digest [#28265](https://github.com/docker/docker/pull/28265)
++ Swarm-mode support for Windows [#27838](https://github.com/docker/docker/pull/27838)
++ Allow hostname to be updated on service [#28771](https://github.com/docker/docker/pull/28771)
++ Support v2 plugins [#29433](https://github.com/docker/docker/pull/29433)
++ Add content trust for services [#29469](https://github.com/docker/docker/pull/29469)
+
+### Volume
+
++ Add support for labels on volumes [#21270](https://github.com/docker/docker/pull/21270)
++ Add support for filtering volumes by label [#25628](https://github.com/docker/docker/pull/25628)
+* Add a `--force` flag in `docker volume rm` to forcefully purge the data of the volume that has already been deleted [#23436](https://github.com/docker/docker/pull/23436)
+* Enhance `docker volume inspect` to show all options used when creating the volume [#26671](https://github.com/docker/docker/pull/26671)
+* Add support for local NFS volumes to resolve hostnames [#27329](https://github.com/docker/docker/pull/27329)
+
+### Security
+
+- Fix selinux labeling of volumes shared in a container [#23024](https://github.com/docker/docker/pull/23024)
+- Prohibit `/sys/firmware/**` from being accessed with apparmor [#26618](https://github.com/docker/docker/pull/26618)
+
+### Deprecation
+
+- Marked the `docker daemon` command as deprecated. The daemon is moved to a separate binary (`dockerd`), and should be used instead [#26834](https://github.com/docker/docker/pull/26834)
+- Deprecate unversioned API endpoints [#28208](https://github.com/docker/docker/pull/28208)
+- Remove Ubuntu 15.10 (Wily Werewolf) as supported platform. Ubuntu 15.10 is EOL, and no longer receives updates [#27042](https://github.com/docker/docker/pull/27042)
+- Remove Fedora 22 as supported platform. Fedora 22 is EOL, and no longer receives updates [#27432](https://github.com/docker/docker/pull/27432)
+- Remove Fedora 23 as supported platform. Fedora 23 is EOL, and no longer receives updates [#29455](https://github.com/docker/docker/pull/29455)
+- Deprecate the `repo:shortid` syntax on `docker pull` [#27207](https://github.com/docker/docker/pull/27207)
+- Deprecate backing filesystem without `d_type` for overlay and overlay2 storage drivers [#27433](https://github.com/docker/docker/pull/27433)
+- Deprecate `MAINTAINER` in Dockerfile [#25466](https://github.com/docker/docker/pull/25466)
+- Deprecate `filter` param for endpoint `/images/json` [#27872](https://github.com/docker/docker/pull/27872)
+- Deprecate setting duplicate engine labels [#24533](https://github.com/docker/docker/pull/24533)
+- Deprecate "top-level" network information in `NetworkSettings` [#28437](https://github.com/docker/docker/pull/28437)
+
+## 1.12.6 (2017-01-10)
+
+**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
+based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
+upgrading from an older version of docker, the upgrade process may not
+automatically install the updated version of the unit file, or fail to start
+the docker service if;
+
+- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
+- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
+
+Starting the docker service will produce an error:
+
+    Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
+
+or
+
+    no sockets found via socket activation: make sure the service was started by systemd.
+
+To resolve this:
+
+- Backup the current version of the unit file, and replace the file with the
+  [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
+- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
+- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
+
+After making those changes, run `sudo systemctl daemon-reload`, and `sudo
+systemctl restart docker` to reload changes and (re)start the docker daemon.
+
+**NOTE**: Docker 1.12.5 will correctly validate that either an IPv6 subnet is provided or
+that the IPAM driver can provide one when you specify the `--ipv6` option.
+
+If you are currently using the `--ipv6` option _without_ specifying the
+`--fixed-cidr-v6` option, the Docker daemon will refuse to start with the
+following message:
+
+```none
+Error starting daemon: Error initializing network controller: Error creating
+                       default "bridge" network: failed to parse pool request
+                       for address space "LocalDefault" pool " subpool ":
+                       could not find an available, non-overlapping IPv6 address
+                       pool among the defaults to assign to the network
+```
+
+To resolve this error, either remove the `--ipv6` flag (to preserve the same
+behavior as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the
+value of the `--fixed-cidr-v6` flag.
+
+In a similar way, if you specify the `--ipv6` flag when creating a network
+with the default IPAM driver, without providing an IPv6 `--subnet`, network
+creation will fail with the following message:
+
+```none
+Error response from daemon: failed to parse pool request for address space
+                            "LocalDefault" pool "" subpool "": could not find an
+                            available, non-overlapping IPv6 address pool among
+                            the defaults to assign to the network
+```
+
+To resolve this, either remove the `--ipv6` flag (to preserve the same behavior
+as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the value of the
+`--subnet` flag.
+
+The network network creation will instead succeed if you use an external IPAM driver
+which supports automatic allocation of IPv6 subnets.
+
+### Runtime
+
+- Fix runC privilege escalation (CVE-2016-9962)
+
+## 1.12.5 (2016-12-15)
+
+**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
+based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
+upgrading from an older version of docker, the upgrade process may not
+automatically install the updated version of the unit file, or fail to start
+the docker service if;
+
+- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
+- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
+
+Starting the docker service will produce an error:
+
+    Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
+
+or
+
+    no sockets found via socket activation: make sure the service was started by systemd.
+
+To resolve this:
+
+- Backup the current version of the unit file, and replace the file with the
+  [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
+- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
+- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
+
+After making those changes, run `sudo systemctl daemon-reload`, and `sudo
+systemctl restart docker` to reload changes and (re)start the docker daemon.
+
+**NOTE**: Docker 1.12.5 will correctly validate that either an IPv6 subnet is provided or
+that the IPAM driver can provide one when you specify the `--ipv6` option.
+
+If you are currently using the `--ipv6` option _without_ specifying the
+`--fixed-cidr-v6` option, the Docker daemon will refuse to start with the
+following message:
+
+```none
+Error starting daemon: Error initializing network controller: Error creating
+                       default "bridge" network: failed to parse pool request
+                       for address space "LocalDefault" pool " subpool ":
+                       could not find an available, non-overlapping IPv6 address
+                       pool among the defaults to assign to the network
+```
+
+To resolve this error, either remove the `--ipv6` flag (to preserve the same
+behavior as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the
+value of the `--fixed-cidr-v6` flag.
+
+In a similar way, if you specify the `--ipv6` flag when creating a network
+with the default IPAM driver, without providing an IPv6 `--subnet`, network
+creation will fail with the following message:
+
+```none
+Error response from daemon: failed to parse pool request for address space
+                            "LocalDefault" pool "" subpool "": could not find an
+                            available, non-overlapping IPv6 address pool among
+                            the defaults to assign to the network
+```
+
+To resolve this, either remove the `--ipv6` flag (to preserve the same behavior
+as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the value of the
+`--subnet` flag.
+
+The network network creation will instead succeed if you use an external IPAM driver
+which supports automatic allocation of IPv6 subnets.
+
+### Runtime
+
+- Fix race on sending stdin close event [#29424](https://github.com/docker/docker/pull/29424)
+
+### Networking
+
+- Fix panic in docker network ls when a network was created with `--ipv6` and no ipv6 `--subnet` in older docker versions [#29416](https://github.com/docker/docker/pull/29416)
+
+### Contrib
+
+- Fix compilation on Darwin [#29370](https://github.com/docker/docker/pull/29370)
+
+## 1.12.4 (2016-12-12)
+
+**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
+based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
+upgrading from an older version of docker, the upgrade process may not
+automatically install the updated version of the unit file, or fail to start
+the docker service if;
+
+- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
+- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
+
+Starting the docker service will produce an error:
+
+    Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
+
+or
+
+    no sockets found via socket activation: make sure the service was started by systemd.
+
+To resolve this:
+
+- Backup the current version of the unit file, and replace the file with the
+  [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
+- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
+- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
+
+After making those changes, run `sudo systemctl daemon-reload`, and `sudo
+systemctl restart docker` to reload changes and (re)start the docker daemon.
+
+
+### Runtime
+
+- Fix issue where volume metadata was not removed [#29083](https://github.com/docker/docker/pull/29083)
+- Asynchronously close streams to prevent holding container lock [#29050](https://github.com/docker/docker/pull/29050)
+- Fix selinux labels for newly created container volumes [#29050](https://github.com/docker/docker/pull/29050)
+- Remove hostname validation [#28990](https://github.com/docker/docker/pull/28990)
+- Fix deadlocks caused by IO races [#29095](https://github.com/docker/docker/pull/29095) [#29141](https://github.com/docker/docker/pull/29141)
+- Return an empty stats if the container is restarting [#29150](https://github.com/docker/docker/pull/29150)
+- Fix volume store locking [#29151](https://github.com/docker/docker/pull/29151)
+- Ensure consistent status code in API [#29150](https://github.com/docker/docker/pull/29150)
+- Fix incorrect opaque directory permission in overlay2 [#29093](https://github.com/docker/docker/pull/29093)
+- Detect plugin content and error out on `docker pull` [#29297](https://github.com/docker/docker/pull/29297)
+
+### Swarm Mode
+
+* Update Swarmkit [#29047](https://github.com/docker/docker/pull/29047)
+  - orchestrator/global: Fix deadlock on updates [docker/swarmkit#1760](https://github.com/docker/swarmkit/pull/1760)
+  - on leader switchover preserve the vxlan id for existing networks [docker/swarmkit#1773](https://github.com/docker/swarmkit/pull/1773)
+- Refuse swarm spec not named "default" [#29152](https://github.com/docker/docker/pull/29152)
+
+### Networking
+
+* Update libnetwork [#29004](https://github.com/docker/docker/pull/29004) [#29146](https://github.com/docker/docker/pull/29146)
+  - Fix panic in embedded DNS [docker/libnetwork#1561](https://github.com/docker/libnetwork/pull/1561)
+  - Fix unmarhalling panic when passing --link-local-ip on global scope network [docker/libnetwork#1564](https://github.com/docker/libnetwork/pull/1564)
+  - Fix panic when network plugin returns nil StaticRoutes [docker/libnetwork#1563](https://github.com/docker/libnetwork/pull/1563)
+  - Fix panic in osl.(*networkNamespace).DeleteNeighbor [docker/libnetwork#1555](https://github.com/docker/libnetwork/pull/1555)
+  - Fix panic in swarm networking concurrent map read/write [docker/libnetwork#1570](https://github.com/docker/libnetwork/pull/1570)
+  * Allow encrypted networks when running docker inside a container [docker/libnetwork#1502](https://github.com/docker/libnetwork/pull/1502)
+  - Do not block autoallocation of IPv6 pool [docker/libnetwork#1538](https://github.com/docker/libnetwork/pull/1538)
+  - Set timeout for netlink calls [docker/libnetwork#1557](https://github.com/docker/libnetwork/pull/1557)
+  - Increase networking local store timeout to one minute [docker/libkv#140](https://github.com/docker/libkv/pull/140)
+  - Fix a panic in libnetwork.(*sandbox).execFunc [docker/libnetwork#1556](https://github.com/docker/libnetwork/pull/1556)
+  - Honor icc=false for internal networks [docker/libnetwork#1525](https://github.com/docker/libnetwork/pull/1525)
+
+### Logging
+
+* Update syslog log driver [#29150](https://github.com/docker/docker/pull/29150)
+
+### Contrib
+
+- Run "dnf upgrade" before installing in fedora [#29150](https://github.com/docker/docker/pull/29150)
+- Add build-date back to RPM packages [#29150](https://github.com/docker/docker/pull/29150)
+- deb package filename changed to include distro to distinguish between distro code names [#27829](https://github.com/docker/docker/pull/27829)
+
+## 1.12.3 (2016-10-26)
+
+**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
+based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
+upgrading from an older version of docker, the upgrade process may not
+automatically install the updated version of the unit file, or fail to start
+the docker service if;
+
+- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
+- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
+
+Starting the docker service will produce an error:
+
+    Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
+
+or
+
+    no sockets found via socket activation: make sure the service was started by systemd.
+
+To resolve this:
+
+- Backup the current version of the unit file, and replace the file with the
+  [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
+- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
+- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
+
+After making those changes, run `sudo systemctl daemon-reload`, and `sudo
+systemctl restart docker` to reload changes and (re)start the docker daemon.
+
+
+### Runtime
+
+- Fix ambient capability usage in containers (CVE-2016-8867) [#27610](https://github.com/docker/docker/pull/27610)
+- Prevent a deadlock in libcontainerd for Windows [#27136](https://github.com/docker/docker/pull/27136)
+- Fix error reporting in CopyFileWithTar [#27075](https://github.com/docker/docker/pull/27075)
+* Reset health status to starting when a container is restarted [#27387](https://github.com/docker/docker/pull/27387)
+* Properly handle shared mount propagation in storage directory [#27609](https://github.com/docker/docker/pull/27609)
+- Fix docker exec [#27610](https://github.com/docker/docker/pull/27610)
+- Fix backward compatibility with containerd’s events log [#27693](https://github.com/docker/docker/pull/27693)
+
+### Swarm Mode
+
+- Fix conversion of restart-policy [#27062](https://github.com/docker/docker/pull/27062)
+* Update Swarmkit [#27554](https://github.com/docker/docker/pull/27554)
+ * Avoid restarting a task that has already been restarted [docker/swarmkit#1305](https://github.com/docker/swarmkit/pull/1305)
+ * Allow duplicate published ports when they use different protocols [docker/swarmkit#1632](https://github.com/docker/swarmkit/pull/1632)
+ * Allow multiple randomly assigned published ports on service [docker/swarmkit#1657](https://github.com/docker/swarmkit/pull/1657)
+ - Fix panic when allocations happen at init time [docker/swarmkit#1651](https://github.com/docker/swarmkit/pull/1651)
+
+### Networking
+
+* Update libnetwork [#27559](https://github.com/docker/docker/pull/27559)
+ - Fix race in serializing sandbox to string [docker/libnetwork#1495](https://github.com/docker/libnetwork/pull/1495)
+ - Fix race during deletion [docker/libnetwork#1503](https://github.com/docker/libnetwork/pull/1503)
+ * Reset endpoint port info on connectivity revoke in bridge driver [docker/libnetwork#1504](https://github.com/docker/libnetwork/pull/1504)
+ - Fix a deadlock in networking code [docker/libnetwork#1507](https://github.com/docker/libnetwork/pull/1507)
+ - Fix a race in load balancer state [docker/libnetwork#1512](https://github.com/docker/libnetwork/pull/1512)
+
+### Logging
+
+* Update fluent-logger-golang to v1.2.1 [#27474](https://github.com/docker/docker/pull/27474)
+
+### Contrib
+
+* Update buildtags for armhf ubuntu-trusty [#27327](https://github.com/docker/docker/pull/27327)
+* Add AppArmor to runc buildtags for armhf [#27421](https://github.com/docker/docker/pull/27421)
+
+## 1.12.2 (2016-10-11)
+
+**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
+based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
+upgrading from an older version of docker, the upgrade process may not
+automatically install the updated version of the unit file, or fail to start
+the docker service if;
+
+- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
+- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
+
+Starting the docker service will produce an error:
+
+    Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
+
+or
+
+    no sockets found via socket activation: make sure the service was started by systemd.
+
+To resolve this:
+
+- Backup the current version of the unit file, and replace the file with the
+  [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
+- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
+- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
+
+After making those changes, run `sudo systemctl daemon-reload`, and `sudo
+systemctl restart docker` to reload changes and (re)start the docker daemon.
+
+
+### Runtime
+
+- Fix a panic due to a race condition filtering `docker ps` [#26049](https://github.com/docker/docker/pull/26049)
+* Implement retry logic to prevent "Unable to remove filesystem" errors when using the aufs storage driver [#26536](https://github.com/docker/docker/pull/26536)
+* Prevent devicemapper from removing device symlinks if `dm.use_deferred_removal` is enabled [#24740](https://github.com/docker/docker/pull/24740)
+- Fix an issue where the CLI did not return correct exit codes if a command was run with invalid options [#26777](https://github.com/docker/docker/pull/26777)
+- Fix a panic due to a bug in stdout / stderr processing in health checks [#26507](https://github.com/docker/docker/pull/26507)
+- Fix exec's children handling [#26874](https://github.com/docker/docker/pull/26874)
+- Fix exec form of HEALTHCHECK CMD [#26208](https://github.com/docker/docker/pull/26208)
+
+### Networking
+
+- Fix a daemon start panic on armv5 [#24315](https://github.com/docker/docker/issues/24315)
+* Vendor libnetwork [#26879](https://github.com/docker/docker/pull/26879) [#26953](https://github.com/docker/docker/pull/26953)
+ * Avoid returning early on agent join failures [docker/libnetwork#1473](https://github.com/docker/libnetwork/pull/1473)
+ - Fix service published port cleanup issues [docker/libetwork#1432](https://github.com/docker/libnetwork/pull/1432) [docker/libnetwork#1433](https://github.com/docker/libnetwork/pull/1433)
+ * Recover properly from transient gossip failures [docker/libnetwork#1446](https://github.com/docker/libnetwork/pull/1446)
+ * Disambiguate node names known to gossip cluster to avoid node name collision [docker/libnetwork#1451](https://github.com/docker/libnetwork/pull/1451)
+ * Honor user provided listen address for gossip  [docker/libnetwork#1460](https://github.com/docker/libnetwork/pull/1460)
+ * Allow reachability via published port across services on the same host [docker/libnetwork#1398](https://github.com/docker/libnetwork/pull/1398)
+ * Change the ingress sandbox name from random id to just `ingress_sbox` [docker/libnetwork#1449](https://github.com/docker/libnetwork/pull/1449)
+ - Disable service discovery in ingress network [docker/libnetwork#1489](https://github.com/docker/libnetwork/pull/1489)
+
+### Swarm Mode
+
+* Fix remote detection of a node's address when it joins the cluster [#26211](https://github.com/docker/docker/pull/26211)
+* Vendor SwarmKit [#26765](https://github.com/docker/docker/pull/26765)
+ * Bounce session after failed status update [docker/swarmkit#1539](https://github.com/docker/swarmkit/pull/1539)
+ - Fix possible raft deadlocks [docker/swarmkit#1537](https://github.com/docker/swarmkit/pull/1537)
+ - Fix panic and endpoint leak when a service is updated with no endpoints [docker/swarmkit#1481](https://github.com/docker/swarmkit/pull/1481)
+ * Produce an error if the same port is published twice on `service create` or `service update` [docker/swarmkit#1495](https://github.com/docker/swarmkit/pull/1495)
+ - Fix an issue where changes to a service were not detected, resulting in the service not being updated [docker/swarmkit#1497](https://github.com/docker/swarmkit/pull/1497)
+ - Do not allow service creation on ingress network [docker/swarmkit#1600](https://github.com/docker/swarmkit/pull/1600)
+
+### Contrib
+
+* Update the debian sysv-init script to use `dockerd` instead of `docker daemon` [#25869](https://github.com/docker/docker/pull/25869)
+* Improve stability when running the docker client on MacOS Sierra [#26875](https://github.com/docker/docker/pull/26875)
+- Fix installation on debian stretch [#27184](https://github.com/docker/docker/pull/27184)
+
+### Windows
+
+- Fix an issue where arrow-navigation did not work when running the docker client in ConEmu [#25578](https://github.com/docker/docker/pull/25578)
+
+## 1.12.1 (2016-08-18)
+
+**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
+based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
+upgrading from an older version of docker, the upgrade process may not
+automatically install the updated version of the unit file, or fail to start
+the docker service if;
+
+- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
+- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
+
+Starting the docker service will produce an error:
+
+    Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
+
+or
+
+    no sockets found via socket activation: make sure the service was started by systemd.
+
+To resolve this:
+
+- Backup the current version of the unit file, and replace the file with the
+  [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
+- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
+- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
+
+After making those changes, run `sudo systemctl daemon-reload`, and `sudo
+systemctl restart docker` to reload changes and (re)start the docker daemon.
+
+
+### Client
+
+* Add `Joined at` information in `node inspect --pretty` [#25512](https://github.com/docker/docker/pull/25512)
+- Fix a crash on `service inspect` [#25454](https://github.com/docker/docker/pull/25454)
+- Fix issue preventing `service update --env-add` to work as intended [#25427](https://github.com/docker/docker/pull/25427)
+- Fix issue preventing `service update --publish-add` to work as intended [#25428](https://github.com/docker/docker/pull/25428)
+- Remove `service update --network-add` and `service update --network-rm` flags
+  because this feature is not yet implemented in 1.12, but was inadvertently added
+  to the client in 1.12.0 [#25646](https://github.com/docker/docker/pull/25646)
+
+### Contrib
+
++ Official ARM installation for Debian Jessie, Ubuntu Trusty, and Raspbian Jessie [#24815](https://github.com/docker/docker/pull/24815) [#25591](https://github.com/docker/docker/pull/25637)
+- Add selinux policy per distro/version, fixing issue preventing successful installation on Fedora 24, and Oracle Linux [#25334](https://github.com/docker/docker/pull/25334) [#25593](https://github.com/docker/docker/pull/25593)
+
+### Networking
+
+- Fix issue that prevented containers to be accessed by hostname with Docker overlay driver in Swarm Mode [#25603](https://github.com/docker/docker/pull/25603) [#25648](https://github.com/docker/docker/pull/25648)
+- Fix random network issues on service with published port [#25603](https://github.com/docker/docker/pull/25603)
+- Fix unreliable inter-service communication after scaling down and up [#25603](https://github.com/docker/docker/pull/25603)
+- Fix issue where removing all tasks on a node and adding them back breaks connectivity with other services [#25603](https://github.com/docker/docker/pull/25603)
+- Fix issue where a task that fails to start results in a race, causing a `network xxx not found` error that masks the actual error [#25550](https://github.com/docker/docker/pull/25550)
+- Relax validation of SRV records for external services that use SRV records not formatted according to RFC 2782 [#25739](https://github.com/docker/docker/pull/25739)
+
+### Plugins (experimental)
+
+* Make daemon events listen for plugin lifecycle events [#24760](https://github.com/docker/docker/pull/24760)
+* Check for plugin state before enabling plugin [#25033](https://github.com/docker/docker/pull/25033)
+- Remove plugin root from filesystem on `plugin rm` [#25187](https://github.com/docker/docker/pull/25187)
+- Prevent deadlock when more than one plugin is installed [#25384](https://github.com/docker/docker/pull/25384)
+
+### Runtime
+
+* Mask join tokens in daemon logs [#25346](https://github.com/docker/docker/pull/25346)
+- Fix `docker ps --filter` causing the results to no longer be sorted by creation time [#25387](https://github.com/docker/docker/pull/25387)
+- Fix various crashes [#25053](https://github.com/docker/docker/pull/25053)
+
+### Security
+
+* Add `/proc/timer_list` to the masked paths list to prevent information leak from the host [#25630](https://github.com/docker/docker/pull/25630)
+* Allow systemd to run with only `--cap-add SYS_ADMIN` rather than having to also add `--cap-add DAC_READ_SEARCH` or disabling seccomp filtering [#25567](https://github.com/docker/docker/pull/25567)
+
+### Swarm
+
+- Fix an issue where the swarm can get stuck electing a new leader after quorum is lost [#25055](https://github.com/docker/docker/issues/25055)
+- Fix unwanted rescheduling of containers after a leader failover [#25017](https://github.com/docker/docker/issues/25017)
+- Change swarm root CA key to P256 curve [swarmkit#1376](https://github.com/docker/swarmkit/pull/1376)
+- Allow forced removal of a node from a swarm [#25159](https://github.com/docker/docker/pull/25159)
+- Fix connection leak when a node leaves a swarm [swarmkit/#1277](https://github.com/docker/swarmkit/pull/1277)
+- Backdate swarm certificates by one hour to tolerate more clock skew [swarmkit/#1243](https://github.com/docker/swarmkit/pull/1243)
+- Avoid high CPU use with many unschedulable tasks [swarmkit/#1287](https://github.com/docker/swarmkit/pull/1287)
+- Fix issue with global tasks not starting up [swarmkit/#1295](https://github.com/docker/swarmkit/pull/1295)
+- Garbage collect raft logs [swarmkit/#1327](https://github.com/docker/swarmkit/pull/1327)
+
+### Volume
+
+- Persist local volume options after a daemon restart [#25316](https://github.com/docker/docker/pull/25316)
+- Fix an issue where the mount ID was not returned on volume unmount [#25333](https://github.com/docker/docker/pull/25333)
+- Fix an issue where a volume mount could inadvertently create a bind mount [#25309](https://github.com/docker/docker/pull/25309)
+- `docker service create --mount type=bind,...` now correctly validates if the source path exists, instead of creating it [#25494](https://github.com/docker/docker/pull/25494)
+
+## 1.12.0 (2016-07-28)
+
+
+**IMPORTANT**: Docker 1.12.0 ships with an updated systemd unit file for rpm
+based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
+upgrading from an older version of docker, the upgrade process may not
+automatically install the updated version of the unit file, or fail to start
+the docker service if;
+
+- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
+- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
+
+Starting the docker service will produce an error:
+
+    Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
+
+or
+
+    no sockets found via socket activation: make sure the service was started by systemd.
+
+To resolve this:
+
+- Backup the current version of the unit file, and replace the file with the
+  [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
+- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
+- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
+
+After making those changes, run `sudo systemctl daemon-reload`, and `sudo
+systemctl restart docker` to reload changes and (re)start the docker daemon.
+
+**IMPORTANT**: With Docker 1.12, a Linux docker installation now has two
+additional binaries; `dockerd`, and `docker-proxy`. If you have scripts for
+installing docker, please make sure to update them accordingly.
+
+### Builder
+
++ New `HEALTHCHECK` Dockerfile instruction to support user-defined healthchecks [#23218](https://github.com/docker/docker/pull/23218)
++ New `SHELL` Dockerfile instruction to specify the default shell when using the shell form for commands in a Dockerfile [#22489](https://github.com/docker/docker/pull/22489)
++ Add `#escape=` Dockerfile directive to support platform-specific parsing of file paths in Dockerfile [#22268](https://github.com/docker/docker/pull/22268)
++ Add support for comments in `.dockerignore` [#23111](https://github.com/docker/docker/pull/23111)
+* Support for UTF-8 in Dockerfiles [#23372](https://github.com/docker/docker/pull/23372)
+* Skip UTF-8 BOM bytes from `Dockerfile` and `.dockerignore` if exist [#23234](https://github.com/docker/docker/pull/23234)
+* Windows: support for `ARG` to match Linux [#22508](https://github.com/docker/docker/pull/22508)
+- Fix error message when building using a daemon with the bridge network disabled [#22932](https://github.com/docker/docker/pull/22932)
+
+### Contrib
+
+* Enable seccomp for Centos 7 and Oracle Linux 7 [#22344](https://github.com/docker/docker/pull/22344)
+- Remove MountFlags in systemd unit to allow shared mount propagation [#22806](https://github.com/docker/docker/pull/22806)
+
+### Distribution
+
++ Add `--max-concurrent-downloads` and `--max-concurrent-uploads` daemon flags useful for situations where network connections don't support multiple downloads/uploads [#22445](https://github.com/docker/docker/pull/22445)
+* Registry operations now honor the `ALL_PROXY` environment variable [#22316](https://github.com/docker/docker/pull/22316)
+* Provide more information to the user on `docker load` [#23377](https://github.com/docker/docker/pull/23377)
+* Always save registry digest metadata about images pushed and pulled [#23996](https://github.com/docker/docker/pull/23996)
+
+### Logging
+
++ Syslog logging driver now supports DGRAM sockets [#21613](https://github.com/docker/docker/pull/21613)
++ Add `--details` option to `docker logs` to also display log tags [#21889](https://github.com/docker/docker/pull/21889)
++ Enable syslog logger to have access to env and labels [#21724](https://github.com/docker/docker/pull/21724)
++ An additional syslog-format option `rfc5424micro` to allow microsecond resolution in syslog timestamp [#21844](https://github.com/docker/docker/pull/21844)
+* Inherit the daemon log options when creating containers [#21153](https://github.com/docker/docker/pull/21153)
+* Remove `docker/` prefix from log messages tag and replace it with `{{.DaemonName}}` so that users have the option of changing the prefix [#22384](https://github.com/docker/docker/pull/22384)
+
+### Networking
+
++ Built-in Virtual-IP based  internal and ingress load-balancing using IPVS [#23361](https://github.com/docker/docker/pull/23361)
++ Routing Mesh using ingress overlay network [#23361](https://github.com/docker/docker/pull/23361)
++ Secured multi-host overlay networking using encrypted control-plane and Data-plane [#23361](https://github.com/docker/docker/pull/23361)
++ MacVlan driver is out of experimental [#23524](https://github.com/docker/docker/pull/23524)
++ Add `driver` filter to `network ls` [#22319](https://github.com/docker/docker/pull/22319)
++ Adding `network` filter to `docker ps --filter` [#23300](https://github.com/docker/docker/pull/23300)
++ Add `--link-local-ip` flag to `create`, `run` and `network connect` to specify a container's link-local address [#23415](https://github.com/docker/docker/pull/23415)
++ Add network label filter support [#21495](https://github.com/docker/docker/pull/21495)
+* Removed dependency on external KV-Store for Overlay networking in Swarm-Mode  [#23361](https://github.com/docker/docker/pull/23361)
+* Add container's short-id as default network alias [#21901](https://github.com/docker/docker/pull/21901)
+* `run` options `--dns` and `--net=host` are no longer mutually exclusive [#22408](https://github.com/docker/docker/pull/22408)
+- Fix DNS issue when renaming containers with generated names [#22716](https://github.com/docker/docker/pull/22716)
+- Allow both `network inspect -f {{.Id}}` and `network inspect -f {{.ID}}` to address inconsistency with inspect output [#23226](https://github.com/docker/docker/pull/23226)
+
+### Plugins (experimental)
+
++ New `plugin` command to manager plugins with `install`, `enable`, `disable`, `rm`, `inspect`, `set` subcommands [#23446](https://github.com/docker/docker/pull/23446)
+
+### Remote API (v1.24) & Client
+
++ Split the binary into two: `docker` (client) and `dockerd` (daemon) [#20639](https://github.com/docker/docker/pull/20639)
++ Add `before` and `since` filters to `docker images --filter` [#22908](https://github.com/docker/docker/pull/22908)
++ Add `--limit` option to `docker search` [#23107](https://github.com/docker/docker/pull/23107)
++ Add `--filter` option to `docker search` [#22369](https://github.com/docker/docker/pull/22369)
++ Add security options to `docker info` output [#21172](https://github.com/docker/docker/pull/21172) [#23520](https://github.com/docker/docker/pull/23520)
++ Add insecure registries to `docker info` output [#20410](https://github.com/docker/docker/pull/20410)
++ Extend Docker authorization with TLS user information [#21556](https://github.com/docker/docker/pull/21556)
++ devicemapper: expose Minimum Thin Pool Free Space through `docker info` [#21945](https://github.com/docker/docker/pull/21945)
+* API now returns a JSON object when an error occurs making it more consistent [#22880](https://github.com/docker/docker/pull/22880)
+- Prevent `docker run -i --restart` from hanging on exit [#22777](https://github.com/docker/docker/pull/22777)
+- Fix API/CLI discrepancy on hostname validation [#21641](https://github.com/docker/docker/pull/21641)
+- Fix discrepancy in the format of sizes in `stats` from HumanSize to BytesSize [#21773](https://github.com/docker/docker/pull/21773)
+- authz: when request is denied return forbidden exit code (403) [#22448](https://github.com/docker/docker/pull/22448)
+- Windows: fix tty-related displaying issues [#23878](https://github.com/docker/docker/pull/23878)
+
+### Runtime
+
++ Split the userland proxy to a separate binary (`docker-proxy`) [#23312](https://github.com/docker/docker/pull/23312)
++ Add `--live-restore` daemon flag to keep containers running when daemon shuts down, and regain control on startup [#23213](https://github.com/docker/docker/pull/23213)
++ Ability to add OCI-compatible runtimes (via `--add-runtime` daemon flag) and select one with `--runtime` on `create` and `run` [#22983](https://github.com/docker/docker/pull/22983)
++ New `overlay2` graphdriver for Linux 4.0+ with multiple lower directory support [#22126](https://github.com/docker/docker/pull/22126)
++ New load/save image events [#22137](https://github.com/docker/docker/pull/22137)
++ Add support for reloading daemon configuration through systemd [#22446](https://github.com/docker/docker/pull/22446)
++ Add disk quota support for btrfs [#19651](https://github.com/docker/docker/pull/19651)
++ Add disk quota support for zfs [#21946](https://github.com/docker/docker/pull/21946)
++ Add support for `docker run --pid=container:<id>` [#22481](https://github.com/docker/docker/pull/22481)
++ Align default seccomp profile with selected capabilities [#22554](https://github.com/docker/docker/pull/22554)
++ Add a `daemon reload` event when the daemon reloads its configuration [#22590](https://github.com/docker/docker/pull/22590)
++ Add `trace` capability in the pprof profiler to show execution traces in binary form [#22715](https://github.com/docker/docker/pull/22715)
++ Add a `detach` event [#22898](https://github.com/docker/docker/pull/22898)
++ Add support for setting sysctls with `--sysctl` [#19265](https://github.com/docker/docker/pull/19265)
++ Add `--storage-opt` flag to `create` and `run` allowing to set `size` on devicemapper [#19367](https://github.com/docker/docker/pull/19367)
++ Add `--oom-score-adjust` daemon flag with a default value of `-500` making the daemon less likely to be killed before containers [#24516](https://github.com/docker/docker/pull/24516)
+* Undeprecate the `-c` short alias of `--cpu-shares` on `run`, `build`, `create`, `update` [#22621](https://github.com/docker/docker/pull/22621)
+* Prevent from using aufs and overlay graphdrivers on an eCryptfs mount [#23121](https://github.com/docker/docker/pull/23121)
+- Fix issues with tmpfs mount ordering [#22329](https://github.com/docker/docker/pull/22329)
+- Created containers are no longer listed on `docker ps -a -f exited=0` [#21947](https://github.com/docker/docker/pull/21947)
+- Fix an issue where containers are stuck in a "Removal In Progress" state [#22423](https://github.com/docker/docker/pull/22423)
+- Fix bug that was returning an HTTP 500 instead of a 400 when not specifying a command on run/create [#22762](https://github.com/docker/docker/pull/22762)
+- Fix bug with `--detach-keys` whereby input matching a prefix of the detach key was not preserved [#22943](https://github.com/docker/docker/pull/22943)
+- SELinux labeling is now disabled when using `--privileged` mode [#22993](https://github.com/docker/docker/pull/22993)
+- If volume-mounted into a container, `/etc/hosts`, `/etc/resolv.conf`, `/etc/hostname` are no longer SELinux-relabeled [#22993](https://github.com/docker/docker/pull/22993)
+- Fix inconsistency in `--tmpfs` behavior regarding mount options [#22438](https://github.com/docker/docker/pull/22438)
+- Fix an issue where daemon hangs at startup [#23148](https://github.com/docker/docker/pull/23148)
+- Ignore SIGPIPE events to prevent journald restarts to crash docker in some cases [#22460](https://github.com/docker/docker/pull/22460)
+- Containers are not removed from stats list on error [#20835](https://github.com/docker/docker/pull/20835)
+- Fix `on-failure` restart policy when daemon restarts [#20853](https://github.com/docker/docker/pull/20853)
+- Fix an issue with `stats` when a container is using another container's network [#21904](https://github.com/docker/docker/pull/21904)
+
+### Swarm Mode
+
++ New `swarm` command to manage swarms with `init`, `join`, `join-token`, `leave`, `update` subcommands [#23361](https://github.com/docker/docker/pull/23361) [#24823](https://github.com/docker/docker/pull/24823)
++ New `service` command to manage swarm-wide services with `create`, `inspect`, `update`, `rm`, `ps` subcommands [#23361](https://github.com/docker/docker/pull/23361) [#25140](https://github.com/docker/docker/pull/25140)
++ New `node` command to manage nodes with `accept`, `promote`, `demote`, `inspect`, `update`, `ps`, `ls` and `rm` subcommands [#23361](https://github.com/docker/docker/pull/23361) [#25140](https://github.com/docker/docker/pull/25140)
++ (experimental) New `stack` and `deploy` commands to manage and deploy multi-service applications [#23522](https://github.com/docker/docker/pull/23522) [#25140](https://github.com/docker/docker/pull/25140)
+
+### Volume
+
++ Add support for local and global volume scopes (analogous to network scopes) [#22077](https://github.com/docker/docker/pull/22077)
++ Allow volume drivers to provide a `Status` field [#21006](https://github.com/docker/docker/pull/21006)
++ Add name/driver filter support for volume [#21361](https://github.com/docker/docker/pull/21361)
+* Mount/Unmount operations now receives an opaque ID to allow volume drivers to differentiate between two callers [#21015](https://github.com/docker/docker/pull/21015)
+- Fix issue preventing to remove a volume in a corner case [#22103](https://github.com/docker/docker/pull/22103)
+- Windows: Enable auto-creation of host-path to match Linux [#22094](https://github.com/docker/docker/pull/22094)
+
+
+### Deprecation
+
+* Environment variables `DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and `DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` have been renamed
+  to `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE` and `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE` respectively [#22574](https://github.com/docker/docker/pull/22574)
+* Remove deprecated `syslog-tag`, `gelf-tag`, `fluentd-tag` log option in favor of the more generic `tag` one [#22620](https://github.com/docker/docker/pull/22620)
+* Remove deprecated feature of passing HostConfig at API container start [#22570](https://github.com/docker/docker/pull/22570)
+* Remove deprecated `-f`/`--force` flag on docker tag [#23090](https://github.com/docker/docker/pull/23090)
+* Remove deprecated `/containers/<id|name>/copy` endpoint [#22149](https://github.com/docker/docker/pull/22149)
+* Remove deprecated `docker ps` flags `--since` and `--before` [#22138](https://github.com/docker/docker/pull/22138)
+* Deprecate the old 3-args form of `docker import` [#23273](https://github.com/docker/docker/pull/23273)
+
+## 1.11.2 (2016-05-31)
+
+### Networking
+
+- Fix a stale endpoint issue on overlay networks during ungraceful restart ([#23015](https://github.com/docker/docker/pull/23015))
+- Fix an issue where the wrong port could be reported by `docker inspect/ps/port` ([#22997](https://github.com/docker/docker/pull/22997))
+
+### Runtime
+
+- Fix a potential panic when running `docker build` ([#23032](https://github.com/docker/docker/pull/23032))
+- Fix interpretation of `--user` parameter ([#22998](https://github.com/docker/docker/pull/22998))
+- Fix a bug preventing container statistics to be correctly reported ([#22955](https://github.com/docker/docker/pull/22955))
+- Fix an issue preventing container to be restarted after daemon restart ([#22947](https://github.com/docker/docker/pull/22947))
+- Fix issues when running 32 bit binaries on Ubuntu 16.04 ([#22922](https://github.com/docker/docker/pull/22922))
+- Fix a possible deadlock on image deletion and container attach ([#22918](https://github.com/docker/docker/pull/22918))
+- Fix an issue where containers fail to start after a daemon restart if they depend on a containerized cluster store ([#22561](https://github.com/docker/docker/pull/22561))
+- Fix an issue causing `docker ps` to hang on CentOS when using devicemapper ([#22168](https://github.com/docker/docker/pull/22168), [#23067](https://github.com/docker/docker/pull/23067))
+- Fix a bug preventing to `docker exec` into a container when using devicemapper ([#22168](https://github.com/docker/docker/pull/22168), [#23067](https://github.com/docker/docker/pull/23067))
+
+
+## 1.11.1 (2016-04-26)
+
+### Distribution
+
+- Fix schema2 manifest media type to be of type `application/vnd.docker.container.image.v1+json` ([#21949](https://github.com/docker/docker/pull/21949))
+
+### Documentation
+
++ Add missing API documentation for changes introduced with 1.11.0 ([#22048](https://github.com/docker/docker/pull/22048))
+
+### Builder
+
+* Append label passed to `docker build` as arguments as an implicit `LABEL` command at the end of the processed `Dockerfile` ([#22184](https://github.com/docker/docker/pull/22184))
+
+### Networking
+
+- Fix a panic that would occur when forwarding DNS query ([#22261](https://github.com/docker/docker/pull/22261))
+- Fix an issue where OS threads could end up within an incorrect network namespace when using user defined networks ([#22261](https://github.com/docker/docker/pull/22261))
+
+### Runtime
+
+- Fix a bug preventing labels configuration to be reloaded via the config file ([#22299](https://github.com/docker/docker/pull/22299))
+- Fix a regression where container mounting `/var/run` would prevent other containers from being removed ([#22256](https://github.com/docker/docker/pull/22256))
+- Fix an issue where it would be impossible to update both `memory-swap` and `memory` value together ([#22255](https://github.com/docker/docker/pull/22255))
+- Fix a regression from 1.11.0 where the `/auth` endpoint would not initialize `serveraddress` if it is not provided ([#22254](https://github.com/docker/docker/pull/22254))
+- Add missing cleanup of container temporary files when cancelling a schedule restart ([#22237](https://github.com/docker/docker/pull/22237))
+- Remove scary error message when no restart policy is specified ([#21993](https://github.com/docker/docker/pull/21993))
+- Fix a panic that would occur when the plugins were activated via the json spec ([#22191](https://github.com/docker/docker/pull/22191))
+- Fix restart backoff logic to correctly reset delay if container ran for at least 10secs ([#22125](https://github.com/docker/docker/pull/22125))
+- Remove error message when a container restart get cancelled ([#22123](https://github.com/docker/docker/pull/22123))
+- Fix an issue where `docker` would not correctly clean up after `docker exec` ([#22121](https://github.com/docker/docker/pull/22121))
+- Fix a panic that could occur when serving concurrent `docker stats` commands ([#22120](https://github.com/docker/docker/pull/22120))`
+- Revert deprecation of non-existent host directories auto-creation ([#22065](https://github.com/docker/docker/pull/22065))
+- Hide misleading rpc error on daemon shutdown ([#22058](https://github.com/docker/docker/pull/22058))
+
+## 1.11.0 (2016-04-13)
+
+**IMPORTANT**: With Docker 1.11, a Linux docker installation is now made of 4 binaries (`docker`, [`docker-containerd`](https://github.com/docker/containerd), [`docker-containerd-shim`](https://github.com/docker/containerd) and [`docker-runc`](https://github.com/opencontainers/runc)). If you have scripts relying on docker being a single static binaries, please make sure to update them. Interaction with the daemon stay the same otherwise, the usage of the other binaries should be transparent. A Windows docker installation remains a single binary, `docker.exe`.
+
+### Builder
+
+- Fix a bug where Docker would not use the correct uid/gid when processing the `WORKDIR` command ([#21033](https://github.com/docker/docker/pull/21033))
+- Fix a bug where copy operations with userns would not use the proper uid/gid ([#20782](https://github.com/docker/docker/pull/20782), [#21162](https://github.com/docker/docker/pull/21162))
+
+### Client
+
+* Usage of the `:` separator for security option has been deprecated. `=` should be used instead ([#21232](https://github.com/docker/docker/pull/21232))
++ The client user agent is now passed to the registry on `pull`, `build`, `push`, `login` and `search` operations ([#21306](https://github.com/docker/docker/pull/21306), [#21373](https://github.com/docker/docker/pull/21373))
+* Allow setting the Domainname and Hostname separately through the API ([#20200](https://github.com/docker/docker/pull/20200))
+* Docker info will now warn users if it can not detect the kernel version or the operating system ([#21128](https://github.com/docker/docker/pull/21128))
+- Fix an issue where `docker stats --no-stream` output could be all 0s ([#20803](https://github.com/docker/docker/pull/20803))
+- Fix a bug where some newly started container would not appear in a running `docker stats` command ([#20792](https://github.com/docker/docker/pull/20792))
+* Post processing is no longer enabled for linux-cgo terminals ([#20587](https://github.com/docker/docker/pull/20587))
+- Values to `--hostname` are now refused if they do not comply with [RFC1123](https://tools.ietf.org/html/rfc1123) ([#20566](https://github.com/docker/docker/pull/20566))
++ Docker learned how to use a SOCKS proxy ([#20366](https://github.com/docker/docker/pull/20366), [#18373](https://github.com/docker/docker/pull/18373))
++ Docker now supports external credential stores ([#20107](https://github.com/docker/docker/pull/20107))
+* `docker ps` now supports displaying the list of volumes mounted inside a container ([#20017](https://github.com/docker/docker/pull/20017))
+* `docker info` now also reports Docker's root directory location ([#19986](https://github.com/docker/docker/pull/19986))
+- Docker now prohibits login in with an empty username (spaces are trimmed) ([#19806](https://github.com/docker/docker/pull/19806))
+* Docker events attributes are now sorted by key ([#19761](https://github.com/docker/docker/pull/19761))
+* `docker ps` no longer shows exported port for stopped containers ([#19483](https://github.com/docker/docker/pull/19483))
+- Docker now cleans after itself if a save/export command fails ([#17849](https://github.com/docker/docker/pull/17849))
+* Docker load learned how to display a progress bar ([#17329](https://github.com/docker/docker/pull/17329), [#120078](https://github.com/docker/docker/pull/20078))
+
+### Distribution
+
+- Fix a panic that occurred when pulling an image with 0 layers ([#21222](https://github.com/docker/docker/pull/21222))
+- Fix a panic that could occur on error while pushing to a registry with a misconfigured token service ([#21212](https://github.com/docker/docker/pull/21212))
++ All first-level delegation roles are now signed when doing a trusted push ([#21046](https://github.com/docker/docker/pull/21046))
++ OAuth support for registries was added ([#20970](https://github.com/docker/docker/pull/20970))
+* `docker login` now handles token using the implementation found in [docker/distribution](https://github.com/docker/distribution) ([#20832](https://github.com/docker/docker/pull/20832))
+* `docker login` will no longer prompt for an email ([#20565](https://github.com/docker/docker/pull/20565))
+* Docker will now fallback to registry V1 if no basic auth credentials are available ([#20241](https://github.com/docker/docker/pull/20241))
+* Docker will now try to resume layer download where it left off after a network error/timeout ([#19840](https://github.com/docker/docker/pull/19840))
+- Fix generated manifest mediaType when pushing cross-repository ([#19509](https://github.com/docker/docker/pull/19509))
+- Fix docker requesting additional push credentials when pulling an image if Content Trust is enabled ([#20382](https://github.com/docker/docker/pull/20382))
+
+### Logging
+
+- Fix a race in the journald log driver ([#21311](https://github.com/docker/docker/pull/21311))
+* Docker syslog driver now uses the RFC-5424 format when emitting logs ([#20121](https://github.com/docker/docker/pull/20121))
+* Docker GELF log driver now allows to specify the compression algorithm and level via the `gelf-compression-type` and `gelf-compression-level` options ([#19831](https://github.com/docker/docker/pull/19831))
+* Docker daemon learned to output uncolorized logs via the `--raw-logs` options ([#19794](https://github.com/docker/docker/pull/19794))
++ Docker, on Windows platform, now includes an ETW (Event Tracing in Windows) logging driver named `etwlogs` ([#19689](https://github.com/docker/docker/pull/19689))
+* Journald log driver learned how to handle tags ([#19564](https://github.com/docker/docker/pull/19564))
++ The fluentd log driver learned the following options: `fluentd-address`, `fluentd-buffer-limit`, `fluentd-retry-wait`, `fluentd-max-retries` and `fluentd-async-connect` ([#19439](https://github.com/docker/docker/pull/19439))
++ Docker learned to send log to Google Cloud via the new `gcplogs` logging driver. ([#18766](https://github.com/docker/docker/pull/18766))
+
+
+### Misc
+
++ When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/21385))
++ Support for building the Docker cli for OpenBSD was added ([#21325](https://github.com/docker/docker/pull/21325))
++ Labels can now be applied at network, volume and image creation ([#21270](https://github.com/docker/docker/pull/21270))
+* The `dockremap` is now created as a system user ([#21266](https://github.com/docker/docker/pull/21266))
+- Fix a few response body leaks ([#21258](https://github.com/docker/docker/pull/21258))
+- Docker, when run as a service with systemd, will now properly manage its processes cgroups ([#20633](https://github.com/docker/docker/pull/20633))
+* `docker info` now reports the value of cgroup KernelMemory or emits a warning if it is not supported ([#20863](https://github.com/docker/docker/pull/20863))
+* `docker info` now also reports the cgroup driver in use ([#20388](https://github.com/docker/docker/pull/20388))
+* Docker completion is now available on PowerShell ([#19894](https://github.com/docker/docker/pull/19894))
+* `dockerinit` is no more ([#19490](https://github.com/docker/docker/pull/19490),[#19851](https://github.com/docker/docker/pull/19851))
++ Support for building Docker on arm64 was added ([#19013](https://github.com/docker/docker/pull/19013))
++ Experimental support for building docker.exe in a native Windows Docker installation ([#18348](https://github.com/docker/docker/pull/18348))
+
+### Networking
+
+- Fix panic if a node is forcibly removed from the cluster ([#21671](https://github.com/docker/docker/pull/21671))
+- Fix "error creating vxlan interface" when starting a container in a Swarm cluster ([#21671](https://github.com/docker/docker/pull/21671))
+* `docker network inspect` will now report all endpoints whether they have an active container or not ([#21160](https://github.com/docker/docker/pull/21160))
++ Experimental support for the MacVlan and IPVlan network drivers has been added ([#21122](https://github.com/docker/docker/pull/21122))
+* Output of `docker network ls` is now sorted by network name ([#20383](https://github.com/docker/docker/pull/20383))
+- Fix a bug where Docker would allow a network to be created with the reserved `default` name ([#19431](https://github.com/docker/docker/pull/19431))
+* `docker network inspect` returns whether a network is internal or not ([#19357](https://github.com/docker/docker/pull/19357))
++ Control IPv6 via explicit option when creating a network (`docker network create --ipv6`). This shows up as a new `EnableIPv6` field in `docker network inspect` ([#17513](https://github.com/docker/docker/pull/17513))
+* Support for AAAA Records (aka IPv6 Service Discovery) in embedded DNS Server ([#21396](https://github.com/docker/docker/pull/21396))
+- Fix to not forward docker domain IPv6 queries to external servers ([#21396](https://github.com/docker/docker/pull/21396))
+* Multiple A/AAAA records from embedded DNS Server for DNS Round robin ([#21019](https://github.com/docker/docker/pull/21019))
+- Fix endpoint count inconsistency after an ungraceful dameon restart ([#21261](https://github.com/docker/docker/pull/21261))
+- Move the ownership of exposed ports and port-mapping options from Endpoint to Sandbox ([#21019](https://github.com/docker/docker/pull/21019))
+- Fixed a bug which prevents docker reload when host is configured with ipv6.disable=1 ([#21019](https://github.com/docker/docker/pull/21019))
+- Added inbuilt nil IPAM driver ([#21019](https://github.com/docker/docker/pull/21019))
+- Fixed bug in iptables.Exists() logic [#21019](https://github.com/docker/docker/pull/21019)
+- Fixed a Veth interface leak when using overlay network ([#21019](https://github.com/docker/docker/pull/21019))
+- Fixed a bug which prevents docker reload after a network delete during shutdown ([#20214](https://github.com/docker/docker/pull/20214))
+- Make sure iptables chains are recreated on firewalld reload ([#20419](https://github.com/docker/docker/pull/20419))
+- Allow to pass global datastore during config reload ([#20419](https://github.com/docker/docker/pull/20419))
+- For anonymous containers use the alias name for IP to name mapping, ie:DNS PTR record ([#21019](https://github.com/docker/docker/pull/21019))
+- Fix a panic when deleting an entry from /etc/hosts file  ([#21019](https://github.com/docker/docker/pull/21019))
+- Source the forwarded DNS queries from the container net namespace  ([#21019](https://github.com/docker/docker/pull/21019))
+- Fix to retain the network internal mode config for bridge networks on daemon reload ([#21780] (https://github.com/docker/docker/pull/21780))
+- Fix to retain IPAM driver option configs on daemon reload ([#21914] (https://github.com/docker/docker/pull/21914))
+
+### Plugins
+
+- Fix a file descriptor leak that would occur every time plugins were enumerated ([#20686](https://github.com/docker/docker/pull/20686))
+- Fix an issue where Authz plugin would corrupt the payload body when faced with a large amount of data ([#20602](https://github.com/docker/docker/pull/20602))
+
+### Runtime
+
+- Fix a panic that could occur when cleanup after a container started with invalid parameters ([#21716](https://github.com/docker/docker/pull/21716))
+- Fix a race with event timers stopping early ([#21692](https://github.com/docker/docker/pull/21692))
+- Fix race conditions in the layer store, potentially corrupting the map and crashing the process ([#21677](https://github.com/docker/docker/pull/21677))
+- Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666))
+  Docker 1.9, but was decided to be too much of a backward-incompatible change, so it was decided to keep the feature.
++ It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383))
++ `docker inspect <image-id>` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370))
++ Docker Windows gained a minimal `top` implementation ([#21354](https://github.com/docker/docker/pull/21354))
+* Docker learned to report the faulty exe when a container cannot be started due to its condition ([#21345](https://github.com/docker/docker/pull/21345))
+* Docker with device mapper will now refuse to run if `udev sync` is not available ([#21097](https://github.com/docker/docker/pull/21097))
+- Fix a bug where Docker would not validate the config file upon configuration reload ([#21089](https://github.com/docker/docker/pull/21089))
+- Fix a hang that would happen on attach if initial start was to fail ([#21048](https://github.com/docker/docker/pull/21048))
+- Fix an issue where registry service options in the daemon configuration file were not properly taken into account ([#21045](https://github.com/docker/docker/pull/21045))
+- Fix a race between the exec and resize operations ([#21022](https://github.com/docker/docker/pull/21022))
+- Fix an issue where nanoseconds were not correctly taken in account when filtering Docker events ([#21013](https://github.com/docker/docker/pull/21013))
+- Fix the handling of Docker command when passed a 64 bytes id ([#21002](https://github.com/docker/docker/pull/21002))
+* Docker will now return a `204` (i.e http.StatusNoContent) code when it successfully deleted a network ([#20977](https://github.com/docker/docker/pull/20977))
+- Fix a bug where the daemon would wait indefinitely in case the process it was about to killed had already exited on its own ([#20967](https://github.com/docker/docker/pull/20967)
+* The devmapper driver learned the `dm.min_free_space` option. If the mapped device free space reaches the passed value, new device creation will be prohibited. ([#20786](https://github.com/docker/docker/pull/20786))
++ Docker can now prevent processes in container to gain new privileges via the `--security-opt=no-new-privileges` flag ([#20727](https://github.com/docker/docker/pull/20727))
+- Starting a container with the `--device` option will now correctly resolves symlinks ([#20684](https://github.com/docker/docker/pull/20684))
++ Docker now relies on [`containerd`](https://github.com/docker/containerd) and [`runc`](https://github.com/opencontainers/runc) to spawn containers. ([#20662](https://github.com/docker/docker/pull/20662))
+- Fix docker configuration reloading to only alter value present in the given config file ([#20604](https://github.com/docker/docker/pull/20604))
++ Docker now allows setting a container hostname via the `--hostname` flag when `--net=host` ([#20177](https://github.com/docker/docker/pull/20177))
++ Docker now allows executing privileged container while running with `--userns-remap` if both `--privileged` and the new `--userns=host` flag are specified ([#20111](https://github.com/docker/docker/pull/20111))
+- Fix Docker not cleaning up correctly old containers upon restarting after a crash ([#19679](https://github.com/docker/docker/pull/19679))
+* Docker will now error out if it doesn't recognize a configuration key within the config file ([#19517](https://github.com/docker/docker/pull/19517))
+- Fix container loading, on daemon startup, when they depends on a plugin running within a container ([#19500](https://github.com/docker/docker/pull/19500))
+* `docker update` learned how to change a container restart policy ([#19116](https://github.com/docker/docker/pull/19116))
+* `docker inspect` now also returns a new `State` field containing the container state in a human readable way (i.e. one of `created`, `restarting`, `running`, `paused`, `exited` or `dead`)([#18966](https://github.com/docker/docker/pull/18966))
++ Docker learned to limit the number of active pids (i.e. processes) within the container via the `pids-limit` flags. NOTE: This requires `CGROUP_PIDS=y` to be in the kernel configuration. ([#18697](https://github.com/docker/docker/pull/18697))
+- `docker load` now has a `--quiet` option to suppress the load output ([#20078](https://github.com/docker/docker/pull/20078))
+- Fix a bug in neighbor discovery for IPv6 peers ([#20842](https://github.com/docker/docker/pull/20842))
+- Fix a panic during cleanup if a container was started with invalid options ([#21802](https://github.com/docker/docker/pull/21802))
+- Fix a situation where a container cannot be stopped if the terminal is closed ([#21840](https://github.com/docker/docker/pull/21840))
+
+### Security
+
+* Object with the `pcp_pmcd_t` selinux type were given management access to `/var/lib/docker(/.*)?` ([#21370](https://github.com/docker/docker/pull/21370))
+* `restart_syscall`, `copy_file_range`, `mlock2` joined the list of allowed calls in the default seccomp profile ([#21117](https://github.com/docker/docker/pull/21117), [#21262](https://github.com/docker/docker/pull/21262))
+* `send`, `recv` and `x32` were added to the list of allowed syscalls and arch in the default seccomp profile ([#19432](https://github.com/docker/docker/pull/19432))
+* Docker Content Trust now requests the server to perform snapshot signing ([#21046](https://github.com/docker/docker/pull/21046))
+* Support for using YubiKeys for Content Trust signing has been moved out of experimental ([#21591](https://github.com/docker/docker/pull/21591))
+
+### Volumes
+
+* Output of `docker volume ls` is now sorted by volume name ([#20389](https://github.com/docker/docker/pull/20389))
+* Local volumes can now accept options similar to the unix `mount` tool ([#20262](https://github.com/docker/docker/pull/20262))
+- Fix an issue where one letter directory name could not be used as source for volumes ([#21106](https://github.com/docker/docker/pull/21106))
++ `docker run -v` now accepts a new flag `nocopy`. This tells the runtime not to copy the container path content into the volume (which is the default behavior) ([#21223](https://github.com/docker/docker/pull/21223))
+
+## 1.10.3 (2016-03-10)
+
+### Runtime
+
+- Fix Docker client exiting with an "Unrecognized input header" error [#20706](https://github.com/docker/docker/pull/20706)
+- Fix Docker exiting if Exec is started with both `AttachStdin` and `Detach` [#20647](https://github.com/docker/docker/pull/20647)
+
+### Distribution
+
+- Fix a crash when pushing multiple images sharing the same layers to the same repository in parallel [#20831](https://github.com/docker/docker/pull/20831)
+- Fix a panic when pushing images to a registry which uses a misconfigured token service [#21030](https://github.com/docker/docker/pull/21030)
+
+### Plugin system
+
+- Fix issue preventing volume plugins to start when SELinux is enabled [#20834](https://github.com/docker/docker/pull/20834)
+- Prevent Docker from exiting if a volume plugin returns a null response for Get requests [#20682](https://github.com/docker/docker/pull/20682)
+- Fix plugin system leaking file descriptors if a plugin has an error [#20680](https://github.com/docker/docker/pull/20680)
+
+### Security
+
+- Fix linux32 emulation to fail during docker build [#20672](https://github.com/docker/docker/pull/20672)
+  It was due to the `personality` syscall being blocked by the default seccomp profile.
+- Fix Oracle XE 10g failing to start in a container [#20981](https://github.com/docker/docker/pull/20981)
+  It was due to the `ipc` syscall being blocked by the default seccomp profile.
+- Fix user namespaces not working on Linux From Scratch [#20685](https://github.com/docker/docker/pull/20685)
+- Fix issue preventing daemon to start if userns is enabled and the `subuid` or `subgid` files contain comments [#20725](https://github.com/docker/docker/pull/20725)
+
+## 1.10.2 (2016-02-22)
+
+### Runtime
+
+- Prevent systemd from deleting containers' cgroups when its configuration is reloaded [#20518](https://github.com/docker/docker/pull/20518)
+- Fix SELinux issues by disregarding `--read-only` when mounting `/dev/mqueue` [#20333](https://github.com/docker/docker/pull/20333)
+- Fix chown permissions used during `docker cp` when userns is used [#20446](https://github.com/docker/docker/pull/20446)
+- Fix configuration loading issue with all booleans defaulting to `true` [#20471](https://github.com/docker/docker/pull/20471)
+- Fix occasional panic with `docker logs -f` [#20522](https://github.com/docker/docker/pull/20522)
+
+### Distribution
+
+- Keep layer reference if deletion failed to avoid a badly inconsistent state [#20513](https://github.com/docker/docker/pull/20513)
+- Handle gracefully a corner case when canceling migration [#20372](https://github.com/docker/docker/pull/20372)
+- Fix docker import on compressed data [#20367](https://github.com/docker/docker/pull/20367)
+- Fix tar-split files corruption during migration that later cause docker push and docker save to fail [#20458](https://github.com/docker/docker/pull/20458)
+
+### Networking
+
+- Fix daemon crash if embedded DNS is sent garbage [#20510](https://github.com/docker/docker/pull/20510)
+
+### Volumes
+
+- Fix issue with multiple volume references with same name [#20381](https://github.com/docker/docker/pull/20381)
+
+### Security
+
+- Fix potential cache corruption and delegation conflict issues [#20523](https://github.com/docker/docker/pull/20523)
+
+## 1.10.1 (2016-02-11)
+
+### Runtime
+
+* Do not stop daemon on migration hard failure [#20156](https://github.com/docker/docker/pull/20156)
+- Fix various issues with migration to content-addressable images [#20058](https://github.com/docker/docker/pull/20058)
+- Fix ZFS permission bug with user namespaces [#20045](https://github.com/docker/docker/pull/20045)
+- Do not leak /dev/mqueue from the host to all containers, keep it container-specific [#19876](https://github.com/docker/docker/pull/19876) [#20133](https://github.com/docker/docker/pull/20133)
+- Fix `docker ps --filter before=...` to not show stopped containers without providing `-a` flag [#20135](https://github.com/docker/docker/pull/20135)
+
+### Security
+
+- Fix issue preventing docker events to work properly with authorization plugin [#20002](https://github.com/docker/docker/pull/20002)
+
+### Distribution
+
+* Add additional verifications and prevent from uploading invalid data to registries [#20164](https://github.com/docker/docker/pull/20164)
+- Fix regression preventing uppercase characters in image reference hostname [#20175](https://github.com/docker/docker/pull/20175)
+
+### Networking
+
+- Fix embedded DNS for user-defined networks in the presence of firewalld [#20060](https://github.com/docker/docker/pull/20060)
+- Fix issue where removing a network during shutdown left Docker inoperable [#20181](https://github.com/docker/docker/issues/20181) [#20235](https://github.com/docker/docker/issues/20235)
+- Embedded DNS is now able to return compressed results [#20181](https://github.com/docker/docker/issues/20181)
+- Fix port-mapping issue with `userland-proxy=false` [#20181](https://github.com/docker/docker/issues/20181)
+
+### Logging
+
+- Fix bug where tcp+tls protocol would be rejected [#20109](https://github.com/docker/docker/pull/20109)
+
+### Volumes
+
+- Fix issue whereby older volume drivers would not receive volume options [#19983](https://github.com/docker/docker/pull/19983)
+
+### Misc
+
+- Remove TasksMax from Docker systemd service [#20167](https://github.com/docker/docker/pull/20167)
+
+## 1.10.0 (2016-02-04)
+
+**IMPORTANT**: Docker 1.10 uses a new content-addressable storage for images and layers.
+A migration is performed the first time docker is run, and can take a significant amount of time depending on the number of images present.
+Refer to this page on the wiki for more information: https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
+We also released a cool migration utility that enables you to perform the migration before updating to reduce downtime.
+Engine 1.10 migrator can be found on Docker Hub: https://hub.docker.com/r/docker/v1.10-migrator/
+
+### Runtime
+
++ New `docker update` command that allows updating resource constraints on running containers [#15078](https://github.com/docker/docker/pull/15078)
++ Add `--tmpfs` flag to `docker run` to create a tmpfs mount in a container [#13587](https://github.com/docker/docker/pull/13587)
++ Add `--format` flag to `docker images` command [#17692](https://github.com/docker/docker/pull/17692)
++ Allow to set daemon configuration in a file and hot-reload it with the `SIGHUP` signal [#18587](https://github.com/docker/docker/pull/18587)
++ Updated docker events to include more meta-data and event types [#18888](https://github.com/docker/docker/pull/18888)
+  This change is backward compatible in the API, but not on the CLI.
++ Add `--blkio-weight-device` flag to `docker run` [#13959](https://github.com/docker/docker/pull/13959)
++ Add `--device-read-bps` and `--device-write-bps` flags to `docker run` [#14466](https://github.com/docker/docker/pull/14466)
++ Add `--device-read-iops` and `--device-write-iops` flags to `docker run` [#15879](https://github.com/docker/docker/pull/15879)
++ Add `--oom-score-adj` flag to `docker run` [#16277](https://github.com/docker/docker/pull/16277)
++ Add `--detach-keys` flag to `attach`, `run`, `start` and `exec` commands to override the default key sequence that detaches from a container  [#15666](https://github.com/docker/docker/pull/15666)
++ Add `--shm-size` flag to `run`, `create` and `build` to set the size of `/dev/shm` [#16168](https://github.com/docker/docker/pull/16168)
++ Show the number of running, stopped, and paused containers in `docker info` [#19249](https://github.com/docker/docker/pull/19249)
++ Show the `OSType` and `Architecture` in `docker info` [#17478](https://github.com/docker/docker/pull/17478)
++ Add `--cgroup-parent` flag on `daemon` to set cgroup parent for all containers [#19062](https://github.com/docker/docker/pull/19062)
++ Add `-L` flag to docker cp to follow symlinks [#16613](https://github.com/docker/docker/pull/16613)
++ New `status=dead` filter for `docker ps` [#17908](https://github.com/docker/docker/pull/17908)
+* Change `docker run` exit codes to distinguish between runtime and application errors [#14012](https://github.com/docker/docker/pull/14012)
+* Enhance `docker events --since` and `--until` to support nanoseconds and timezones [#17495](https://github.com/docker/docker/pull/17495)
+* Add `--all`/`-a` flag to `stats` to include both running and stopped containers [#16742](https://github.com/docker/docker/pull/16742)
+* Change the default cgroup-driver to `cgroupfs` [#17704](https://github.com/docker/docker/pull/17704)
+* Emit a "tag" event when tagging an image with `build -t` [#17115](https://github.com/docker/docker/pull/17115)
+* Best effort for linked containers' start order when starting the daemon [#18208](https://github.com/docker/docker/pull/18208)
+* Add ability to add multiple tags on `build` [#15780](https://github.com/docker/docker/pull/15780)
+* Permit `OPTIONS` request against any url, thus fixing issue with CORS [#19569](https://github.com/docker/docker/pull/19569)
+- Fix the `--quiet` flag on `docker build` to actually be quiet [#17428](https://github.com/docker/docker/pull/17428)
+- Fix `docker images --filter dangling=false` to now show all non-dangling images [#19326](https://github.com/docker/docker/pull/19326)
+- Fix race condition causing autorestart turning off on restart [#17629](https://github.com/docker/docker/pull/17629)
+- Recognize GPFS filesystems [#19216](https://github.com/docker/docker/pull/19216)
+- Fix obscure bug preventing to start containers [#19751](https://github.com/docker/docker/pull/19751)
+- Forbid `exec` during container restart [#19722](https://github.com/docker/docker/pull/19722)
+- devicemapper: Increasing `--storage-opt dm.basesize` will now increase the base device size on daemon restart [#19123](https://github.com/docker/docker/pull/19123)
+
+### Security
+
++ Add `--userns-remap` flag to `daemon` to support user namespaces (previously in experimental) [#19187](https://github.com/docker/docker/pull/19187)
++ Add support for custom seccomp profiles in `--security-opt` [#17989](https://github.com/docker/docker/pull/17989)
++ Add default seccomp profile [#18780](https://github.com/docker/docker/pull/18780)
++ Add `--authorization-plugin` flag to `daemon` to customize ACLs [#15365](https://github.com/docker/docker/pull/15365)
++ Docker Content Trust now supports the ability to read and write user delegations [#18887](https://github.com/docker/docker/pull/18887)
+  This is an optional, opt-in feature that requires the explicit use of the Notary command-line utility in order to be enabled.
+  Enabling delegation support in a specific repository will break the ability of Docker 1.9 and 1.8 to pull from that repository, if content trust is enabled.
+* Allow SELinux to run in a container when using the BTRFS storage driver [#16452](https://github.com/docker/docker/pull/16452)
+
+### Distribution
+
+* Use content-addressable storage for images and layers [#17924](https://github.com/docker/docker/pull/17924)
+  Note that a migration is performed the first time docker is run; it can take a significant amount of time depending on the number of images and containers present.
+  Images no longer depend on the parent chain but contain a list of layer references.
+  `docker load`/`docker save` tarballs now also contain content-addressable image configurations.
+  For more information: https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
+* Add support for the new [manifest format ("schema2")](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md) [#18785](https://github.com/docker/docker/pull/18785)
+* Lots of improvements for push and pull: performance++, retries on failed downloads, cancelling on client disconnect [#18353](https://github.com/docker/docker/pull/18353), [#18418](https://github.com/docker/docker/pull/18418), [#19109](https://github.com/docker/docker/pull/19109), [#18353](https://github.com/docker/docker/pull/18353)
+* Limit v1 protocol fallbacks [#18590](https://github.com/docker/docker/pull/18590)
+- Fix issue where docker could hang indefinitely waiting for a nonexistent process to pull an image [#19743](https://github.com/docker/docker/pull/19743)
+
+### Networking
+
++ Use DNS-based discovery instead of `/etc/hosts` [#19198](https://github.com/docker/docker/pull/19198)
++ Support for network-scoped alias using `--net-alias` on `run` and `--alias` on `network connect` [#19242](https://github.com/docker/docker/pull/19242)
++ Add `--ip` and `--ip6` on `run` and `network connect` to support custom IP addresses for a container in a network [#19001](https://github.com/docker/docker/pull/19001)
++ Add `--ipam-opt` to `network create` for passing custom IPAM options [#17316](https://github.com/docker/docker/pull/17316)
++ Add `--internal` flag to `network create` to restrict external access to and from the network [#19276](https://github.com/docker/docker/pull/19276)
++ Add `kv.path` option to `--cluster-store-opt` [#19167](https://github.com/docker/docker/pull/19167)
++ Add `discovery.heartbeat` and `discovery.ttl` options to `--cluster-store-opt` to configure discovery TTL and heartbeat timer [#18204](https://github.com/docker/docker/pull/18204)
++ Add `--format` flag to `network inspect` [#17481](https://github.com/docker/docker/pull/17481)
++ Add `--link` to `network connect` to provide a container-local alias [#19229](https://github.com/docker/docker/pull/19229)
++ Support for Capability exchange with remote IPAM plugins [#18775](https://github.com/docker/docker/pull/18775)
++ Add `--force` to `network disconnect` to force container to be disconnected from network [#19317](https://github.com/docker/docker/pull/19317)
+* Support for multi-host networking using built-in overlay driver for all engine supported kernels: 3.10+ [#18775](https://github.com/docker/docker/pull/18775)
+* `--link` is now supported on `docker run` for containers in user-defined network [#19229](https://github.com/docker/docker/pull/19229)
+* Enhance `docker network rm` to allow removing multiple networks [#17489](https://github.com/docker/docker/pull/17489)
+* Include container names in `network inspect` [#17615](https://github.com/docker/docker/pull/17615)
+* Include auto-generated subnets for user-defined networks in `network inspect` [#17316](https://github.com/docker/docker/pull/17316)
+* Add `--filter` flag to `network ls` to hide predefined networks [#17782](https://github.com/docker/docker/pull/17782)
+* Add support for network connect/disconnect to stopped containers [#18906](https://github.com/docker/docker/pull/18906)
+* Add network ID to container inspect [#19323](https://github.com/docker/docker/pull/19323)
+- Fix MTU issue where Docker would not start with two or more default routes [#18108](https://github.com/docker/docker/pull/18108)
+- Fix duplicate IP address for containers [#18106](https://github.com/docker/docker/pull/18106)
+- Fix issue preventing sometimes docker from creating the bridge network [#19338](https://github.com/docker/docker/pull/19338)
+- Do not substitute 127.0.0.1 name server when using `--net=host` [#19573](https://github.com/docker/docker/pull/19573)
+
+### Logging
+
++ New logging driver for Splunk [#16488](https://github.com/docker/docker/pull/16488)
++ Add support for syslog over TCP+TLS [#18998](https://github.com/docker/docker/pull/18998)
+* Enhance `docker logs --since` and `--until` to support nanoseconds and time [#17495](https://github.com/docker/docker/pull/17495)
+* Enhance AWS logs to auto-detect region [#16640](https://github.com/docker/docker/pull/16640)
+
+### Volumes
+
++ Add support to set the mount propagation mode for a volume [#17034](https://github.com/docker/docker/pull/17034)
+* Add `ls` and `inspect` endpoints to volume plugin API [#16534](https://github.com/docker/docker/pull/16534)
+  Existing plugins need to make use of these new APIs to satisfy users' expectation
+  For that, please use the new MIME type `application/vnd.docker.plugins.v1.2+json` [#19549](https://github.com/docker/docker/pull/19549)
+- Fix data not being copied to named volumes [#19175](https://github.com/docker/docker/pull/19175)
+- Fix issues preventing volume drivers from being containerized [#19500](https://github.com/docker/docker/pull/19500)
+- Fix `docker volumes ls --dangling=false` to now show all non-dangling volumes [#19671](https://github.com/docker/docker/pull/19671)
+- Do not remove named volumes on container removal [#19568](https://github.com/docker/docker/pull/19568)
+- Allow external volume drivers to host anonymous volumes [#19190](https://github.com/docker/docker/pull/19190)
+
+### Builder
+
++ Add support for `**` in `.dockerignore` to wildcard multiple levels of directories [#17090](https://github.com/docker/docker/pull/17090)
+- Fix handling of UTF-8 characters in Dockerfiles [#17055](https://github.com/docker/docker/pull/17055)
+- Fix permissions problem when reading from STDIN [#19283](https://github.com/docker/docker/pull/19283)
+
+### Client
+
++ Add support for overriding the API version to use via an `DOCKER_API_VERSION` environment-variable [#15964](https://github.com/docker/docker/pull/15964)
+- Fix a bug preventing Windows clients to log in to Docker Hub [#19891](https://github.com/docker/docker/pull/19891)
+
+### Misc
+
+* systemd: Set TasksMax in addition to LimitNPROC in systemd service file [#19391](https://github.com/docker/docker/pull/19391)
+
+### Deprecations
+
+* Remove LXC support. The LXC driver was deprecated in Docker 1.8, and has now been removed [#17700](https://github.com/docker/docker/pull/17700)
+* Remove `--exec-driver` daemon flag, because it is no longer in use [#17700](https://github.com/docker/docker/pull/17700)
+* Remove old deprecated single-dashed long CLI flags (such as `-rm`; use `--rm` instead) [#17724](https://github.com/docker/docker/pull/17724)
+* Deprecate HostConfig at API container start [#17799](https://github.com/docker/docker/pull/17799)
+* Deprecate docker packages for newly EOL'd Linux distributions: Fedora 21 and Ubuntu 15.04 (Vivid) [#18794](https://github.com/docker/docker/pull/18794), [#18809](https://github.com/docker/docker/pull/18809)
+* Deprecate `-f` flag for docker tag [#18350](https://github.com/docker/docker/pull/18350)
+
+## 1.9.1 (2015-11-21)
+
+### Runtime
+
+- Do not prevent daemon from booting if images could not be restored (#17695)
+- Force IPC mount to unmount on daemon shutdown/init (#17539)
+- Turn IPC unmount errors into warnings (#17554)
+- Fix `docker stats` performance regression (#17638)
+- Clarify cryptic error message upon `docker logs` if `--log-driver=none` (#17767)
+- Fix seldom panics (#17639, #17634, #17703)
+- Fix opq whiteouts problems for files with dot prefix (#17819)
+- devicemapper: try defaulting to xfs instead of ext4 for performance reasons (#17903, #17918)
+- devicemapper: fix displayed fs in docker info (#17974)
+- selinux: only relabel if user requested so with the `z` option (#17450, #17834)
+- Do not make network calls when normalizing names (#18014)
+
+### Client
+
+- Fix `docker login` on windows (#17738)
+- Fix bug with `docker inspect` output when not connected to daemon (#17715)
+- Fix `docker inspect -f {{.HostConfig.Dns}} somecontainer` (#17680)
+
+### Builder
+
+- Fix regression with symlink behavior in ADD/COPY (#17710)
+
+### Networking
+
+- Allow passing a network ID as an argument for `--net` (#17558)
+- Fix connect to host and prevent disconnect from host for `host` network (#17476)
+- Fix `--fixed-cidr` issue when gateway ip falls in ip-range and ip-range is
+  not the first block in the network (#17853)
+- Restore deterministic `IPv6` generation from `MAC` address on default `bridge` network (#17890)
+- Allow port-mapping only for endpoints created on docker run (#17858)
+- Fixed an endpoint delete issue with a possible stale sbox (#18102)
+
+### Distribution
+
+- Correct parent chain in v2 push when v1Compatibility files on the disk are inconsistent (#18047)
+
+## 1.9.0 (2015-11-03)
+
+### Runtime
+
++ `docker stats` now returns block IO metrics (#15005)
++ `docker stats` now details network stats per interface (#15786)
++ Add `ancestor=<image>` filter to `docker ps --filter` flag to filter
+containers based on their ancestor images (#14570)
++ Add `label=<somelabel>` filter to `docker ps --filter` to filter containers
+based on label (#16530)
++ Add `--kernel-memory` flag to `docker run` (#14006)
++ Add `--message` flag to `docker import` allowing to specify an optional
+message (#15711)
++ Add `--privileged` flag to `docker exec` (#14113)
++ Add `--stop-signal` flag to `docker run` allowing to replace the container
+process stopping signal (#15307)
++ Add a new `unless-stopped` restart policy (#15348)
++ Inspecting an image now returns tags (#13185)
++ Add container size information to `docker inspect` (#15796)
++ Add `RepoTags` and `RepoDigests` field to `/images/{name:.*}/json` (#17275)
+- Remove the deprecated `/container/ps` endpoint from the API (#15972)
+- Send and document correct HTTP codes for `/exec/<name>/start` (#16250)
+- Share shm and mqueue between containers sharing IPC namespace (#15862)
+- Event stream now shows OOM status when `--oom-kill-disable` is set (#16235)
+- Ensure special network files (/etc/hosts etc.) are read-only if bind-mounted
+with `ro` option (#14965)
+- Improve `rmi` performance (#16890)
+- Do not update /etc/hosts for the default bridge network, except for links (#17325)
+- Fix conflict with duplicate container names (#17389)
+- Fix an issue with incorrect template execution in `docker inspect` (#17284)
+- DEPRECATE `-c` short flag variant for `--cpu-shares` in docker run (#16271)
+
+### Client
+
++ Allow `docker import` to import from local files (#11907)
+
+### Builder
+
++ Add a `STOPSIGNAL` Dockerfile instruction allowing to set a different
+stop-signal for the container process (#15307)
++ Add an `ARG` Dockerfile instruction and a `--build-arg` flag to `docker build`
+that allows to add build-time environment variables (#15182)
+- Improve cache miss performance (#16890)
+
+### Storage
+
+- devicemapper: Implement deferred deletion capability (#16381)
+
+### Networking
+
++ `docker network` exits experimental and is part of standard release (#16645)
++ New network top-level concept, with associated subcommands and API (#16645)
+  WARNING: the API is different from the experimental API
++ Support for multiple isolated/micro-segmented networks (#16645)
++ Built-in multihost networking using VXLAN based overlay driver (#14071)
++ Support for third-party network plugins (#13424)
++ Ability to dynamically connect containers to multiple networks (#16645)
++ Support for user-defined IP address management via pluggable IPAM drivers (#16910)
++ Add daemon flags `--cluster-store` and `--cluster-advertise` for built-in nodes discovery (#16229)
++ Add `--cluster-store-opt` for setting up TLS settings (#16644)
++ Add `--dns-opt` to the daemon (#16031)
+- DEPRECATE following container `NetworkSettings` fields in API v1.21: `EndpointID`, `Gateway`,
+  `GlobalIPv6Address`, `GlobalIPv6PrefixLen`, `IPAddress`, `IPPrefixLen`, `IPv6Gateway` and `MacAddress`.
+  Those are now specific to the `bridge` network. Use `NetworkSettings.Networks` to inspect
+  the networking settings of a container per network.
+
+### Volumes
+
++ New top-level `volume` subcommand and API (#14242)
+- Move API volume driver settings to host-specific config (#15798)
+- Print an error message if volume name is not unique (#16009)
+- Ensure volumes created from Dockerfiles always use the local volume driver
+(#15507)
+- DEPRECATE auto-creating missing host paths for bind mounts (#16349)
+
+### Logging
+
++ Add `awslogs` logging driver for Amazon CloudWatch (#15495)
++ Add generic `tag` log option to allow customizing container/image
+information passed to driver (e.g. show container names) (#15384)
+- Implement the `docker logs` endpoint for the journald driver (#13707)
+- DEPRECATE driver-specific log tags (e.g. `syslog-tag`, etc.) (#15384)
+
+### Distribution
+
++ `docker search` now works with partial names (#16509)
+- Push optimization: avoid buffering to file (#15493)
+- The daemon will display progress for images that were already being pulled
+by another client (#15489)
+- Only permissions required for the current action being performed are requested (#)
++ Renaming trust keys (and respective environment variables) from `offline` to
+`root` and `tagging` to `repository` (#16894)
+- DEPRECATE trust key environment variables
+`DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and
+`DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` (#16894)
+
+### Security
+
++ Add SELinux profiles to the rpm package (#15832)
+- Fix various issues with AppArmor profiles provided in the deb package
+(#14609)
+- Add AppArmor policy that prevents writing to /proc (#15571)
+
+## 1.8.3 (2015-10-12)
+
+### Distribution
+
+- Fix layer IDs lead to local graph poisoning (CVE-2014-8178)
+- Fix manifest validation and parsing logic errors allow pull-by-digest validation bypass (CVE-2014-8179)
++ Add `--disable-legacy-registry` to prevent a daemon from using a v1 registry
+
+## 1.8.2 (2015-09-10)
+
+### Distribution
+
+- Fixes rare edge case of handling GNU LongLink and LongName entries.
+- Fix ^C on docker pull.
+- Fix docker pull issues on client disconnection.
+- Fix issue that caused the daemon to panic when loggers weren't configured properly.
+- Fix goroutine leak pulling images from registry V2.
+
+### Runtime
+
+- Fix a bug mounting cgroups for docker daemons running inside docker containers.
+- Initialize log configuration properly.
+
+### Client:
+
+- Handle `-q` flag in `docker ps` properly when there is a default format.
+
+### Networking
+
+- Fix several corner cases with netlink.
+
+### Contrib
+
+- Fix several issues with bash completion.
+
+## 1.8.1 (2015-08-12)
+
+### Distribution
+
+* Fix a bug where pushing multiple tags would result in invalid images
+
+## 1.8.0 (2015-08-11)
+
+### Distribution
+
++ Trusted pull, push and build, disabled by default
+* Make tar layers deterministic between registries
+* Don't allow deleting the image of running containers
+* Check if a tag name to load is a valid digest
+* Allow one character repository names
+* Add a more accurate error description for invalid tag name
+* Make build cache ignore mtime
+
+### Cli
+
++ Add support for DOCKER_CONFIG/--config to specify config file dir
++ Add --type flag  for docker inspect command
++ Add formatting options to `docker ps` with `--format`
++ Replace `docker -d` with new subcommand `docker daemon`
+* Zsh completion updates and improvements
+* Add some missing events to bash completion
+* Support daemon urls with base paths in `docker -H`
+* Validate status= filter to docker ps
+* Display when a container is in --net=host in docker ps
+* Extend docker inspect to export image metadata related to graph driver
+* Restore --default-gateway{,-v6} daemon options
+* Add missing unpublished ports in docker ps
+* Allow duration strings in `docker events` as --since/--until
+* Expose more mounts information in `docker inspect`
+
+### Runtime
+
++ Add new Fluentd logging driver
++ Allow `docker import` to load from local files
++ Add logging driver for GELF via UDP
++ Allow to copy files from host to containers with `docker cp`
++ Promote volume drivers from experimental to master
++ Add rollover options to json-file log driver, and --log-driver-opts flag
++ Add memory swappiness tuning options
+* Remove cgroup read-only flag when privileged
+* Make /proc, /sys, & /dev readonly for readonly containers
+* Add cgroup bind mount by default
+* Overlay: Export metadata for container and image in `docker inspect`
+* Devicemapper: external device activation
+* Devicemapper: Compare uuid of base device on startup
+* Remove RC4 from the list of registry cipher suites
+* Add syslog-facility option
+* LXC execdriver compatibility with recent LXC versions
+* Mark LXC execriver as deprecated (to be removed with the migration to runc)
+
+### Plugins
+
+* Separate plugin sockets and specs locations
+* Allow TLS connections to plugins
+
+### Bug fixes
+
+- Add missing 'Names' field to /containers/json API output
+- Make `docker rmi` of dangling images safe while pulling
+- Devicemapper: Change default basesize to 100G
+- Go Scheduler issue with sync.Mutex and gcc
+- Fix issue where Search API endpoint would panic due to empty AuthConfig
+- Set image canonical names correctly
+- Check dockerinit only if lxc driver is used
+- Fix ulimit usage of nproc
+- Always attach STDIN if -i,--interactive is specified
+- Show error messages when saving container state fails
+- Fixed incorrect assumption on --bridge=none treated as disable network
+- Check for invalid port specifications in host configuration
+- Fix endpoint leave failure for --net=host mode
+- Fix goroutine leak in the stats API if the container is not running
+- Check for apparmor file before reading it
+- Fix DOCKER_TLS_VERIFY being ignored
+- Set umask to the default on startup
+- Correct the message of pause and unpause a non-running container
+- Adjust disallowed CpuShares in container creation
+- ZFS: correctly apply selinux context
+- Display empty string instead of <nil> when IP opt is nil
+- `docker kill` returns error when container is not running
+- Fix COPY/ADD quoted/json form
+- Fix goroutine leak on logs -f with no output
+- Remove panic in nat package on invalid hostport
+- Fix container linking in Fedora 22
+- Fix error caused using default gateways outside of the allocated range
+- Format times in inspect command with a template as RFC3339Nano
+- Make registry client to accept 2xx and 3xx http status responses as successful
+- Fix race issue that caused the daemon to crash with certain layer downloads failed in a specific order.
+- Fix error when the docker ps format was not valid.
+- Remove redundant ip forward check.
+- Fix issue trying to push images to repository mirrors.
+- Fix error cleaning up network entrypoints when there is an initialization issue.
+
+## 1.7.1 (2015-07-14)
+
+#### Runtime
+
+- Fix default user spawning exec process with `docker exec`
+- Make `--bridge=none` not to configure the network bridge
+- Publish networking stats properly
+- Fix implicit devicemapper selection with static binaries
+- Fix socket connections that hung intermittently
+- Fix bridge interface creation on CentOS/RHEL 6.6
+- Fix local dns lookups added to resolv.conf
+- Fix copy command mounting volumes
+- Fix read/write privileges in volumes mounted with --volumes-from
+
+#### Remote API
+
+- Fix unmarshaling of Command and Entrypoint
+- Set limit for minimum client version supported
+- Validate port specification
+- Return proper errors when attach/reattach fail
+
+#### Distribution
+
+- Fix pulling private images
+- Fix fallback between registry V2 and V1
+
+## 1.7.0 (2015-06-16)
+
+#### Runtime
++ Experimental feature: support for out-of-process volume plugins
+* The userland proxy can be disabled in favor of hairpin NAT using the daemon’s `--userland-proxy=false` flag
+* The `exec` command supports the `-u|--user` flag to specify the new process owner
++ Default gateway for containers can be specified daemon-wide using the `--default-gateway` and `--default-gateway-v6` flags
++ The CPU CFS (Completely Fair Scheduler) quota can be set in `docker run` using `--cpu-quota`
++ Container block IO can be controlled in `docker run` using`--blkio-weight`
++ ZFS support
++ The `docker logs` command supports a `--since` argument
++ UTS namespace can be shared with the host with `docker run --uts=host`
+
+#### Quality
+* Networking stack was entirely rewritten as part of the libnetwork effort
+* Engine internals refactoring
+* Volumes code was entirely rewritten to support the plugins effort
++ Sending SIGUSR1 to a daemon will dump all goroutines stacks without exiting
+
+#### Build
++ Support ${variable:-value} and ${variable:+value} syntax for environment variables
++ Support resource management flags `--cgroup-parent`, `--cpu-period`, `--cpu-quota`, `--cpuset-cpus`, `--cpuset-mems`
++ git context changes with branches and directories
+* The .dockerignore file support exclusion rules
+
+#### Distribution
++ Client support for v2 mirroring support for the official registry
+
+#### Bugfixes
+* Firewalld is now supported and will automatically be used when available
+* mounting --device recursively
+
+## 1.6.2 (2015-05-13)
+
+####  Runtime
+- Revert change prohibiting mounting into /sys
+
+## 1.6.1 (2015-05-07)
+
+####  Security
+- Fix read/write /proc paths (CVE-2015-3630)
+- Prohibit VOLUME /proc and VOLUME / (CVE-2015-3631)
+- Fix opening of file-descriptor 1 (CVE-2015-3627)
+- Fix symlink traversal on container respawn allowing local privilege escalation (CVE-2015-3629)
+- Prohibit mount of /sys
+
+#### Runtime
+- Update AppArmor policy to not allow mounts
+
+## 1.6.0 (2015-04-07)
+
+#### Builder
++ Building images from an image ID
++ Build containers with resource constraints, ie `docker build --cpu-shares=100 --memory=1024m...`
++ `commit --change` to apply specified Dockerfile instructions while committing the image
++ `import --change` to apply specified Dockerfile instructions while importing the image
++ Builds no longer continue in the background when canceled with CTRL-C
+
+#### Client
++ Windows Support
+
+#### Runtime
++ Container and image Labels
++ `--cgroup-parent` for specifying a parent cgroup to place container cgroup within
++ Logging drivers, `json-file`, `syslog`, or `none`
++ Pulling images by ID
++ `--ulimit` to set the ulimit on a container
++ `--default-ulimit` option on the daemon which applies to all created containers (and overwritten by `--ulimit` on run)
+
+## 1.5.0 (2015-02-10)
+
+#### Builder
++ Dockerfile to use for a given `docker build` can be specified with the `-f` flag
+* Dockerfile and .dockerignore files can be themselves excluded as part of the .dockerignore file, thus preventing modifications to these files invalidating ADD or COPY instructions cache
+* ADD and COPY instructions accept relative paths
+* Dockerfile `FROM scratch` instruction is now interpreted as a no-base specifier
+* Improve performance when exposing a large number of ports
+
+#### Hack
++ Allow client-side only integration tests for Windows
+* Include docker-py integration tests against Docker daemon as part of our test suites
+
+#### Packaging
++ Support for the new version of the registry HTTP API
+* Speed up `docker push` for images with a majority of already existing layers
+- Fixed contacting a private registry through a proxy
+
+#### Remote API
++ A new endpoint will stream live container resource metrics and can be accessed with the `docker stats` command
++ Containers can be renamed using the new `rename` endpoint and the associated `docker rename` command
+* Container `inspect` endpoint show the ID of `exec` commands running in this container
+* Container `inspect` endpoint show the number of times Docker auto-restarted the container
+* New types of event can be streamed by the `events` endpoint: ‘OOM’ (container died with out of memory), ‘exec_create’, and ‘exec_start'
+- Fixed returned string fields which hold numeric characters incorrectly omitting surrounding double quotes
+
+#### Runtime
++ Docker daemon has full IPv6 support
++ The `docker run` command can take the `--pid=host` flag to use the host PID namespace, which makes it possible for example to debug host processes using containerized debugging tools
++ The `docker run` command can take the `--read-only` flag to make the container’s root filesystem mounted as readonly, which can be used in combination with volumes to force a container’s processes to only write to locations that will be persisted
++ Container total memory usage can be limited for `docker run` using the `--memory-swap` flag
+* Major stability improvements for devicemapper storage driver
+* Better integration with host system: containers will reflect changes to the host's `/etc/resolv.conf` file when restarted
+* Better integration with host system: per-container iptable rules are moved to the DOCKER chain
+- Fixed container exiting on out of memory to return an invalid exit code
+
+#### Other
+* The HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables are properly taken into account by the client when connecting to the Docker daemon
+
+## 1.4.1 (2014-12-15)
+
+#### Runtime
+- Fix issue with volumes-from and bind mounts not being honored after create
+
+## 1.4.0 (2014-12-11)
+
+#### Notable Features since 1.3.0
++ Set key=value labels to the daemon (displayed in `docker info`), applied with
+  new `-label` daemon flag
++ Add support for `ENV` in Dockerfile of the form:
+  `ENV name=value name2=value2...`
++ New Overlayfs Storage Driver
++ `docker info` now returns an `ID` and `Name` field
++ Filter events by event name, container, or image
++ `docker cp` now supports copying from container volumes
+- Fixed `docker tag`, so it honors `--force` when overriding a tag for existing
+  image.
+
+## 1.3.3 (2014-12-11)
+
+#### Security
+- Fix path traversal vulnerability in processing of absolute symbolic links (CVE-2014-9356)
+- Fix decompression of xz image archives, preventing privilege escalation (CVE-2014-9357)
+- Validate image IDs (CVE-2014-9358)
+
+#### Runtime
+- Fix an issue when image archives are being read slowly
+
+#### Client
+- Fix a regression related to stdin redirection
+- Fix a regression with `docker cp` when destination is the current directory
+
+## 1.3.2 (2014-11-20)
+
+#### Security
+- Fix tar breakout vulnerability
+* Extractions are now sandboxed chroot
+- Security options are no longer committed to images
+
+#### Runtime
+- Fix deadlock in `docker ps -f exited=1`
+- Fix a bug when `--volumes-from` references a container that failed to start
+
+#### Registry
++ `--insecure-registry` now accepts CIDR notation such as 10.1.0.0/16
+* Private registries whose IPs fall in the 127.0.0.0/8 range do no need the `--insecure-registry` flag
+- Skip the experimental registry v2 API when mirroring is enabled
+
+## 1.3.1 (2014-10-28)
+
+#### Security
+* Prevent fallback to SSL protocols < TLS 1.0 for client, daemon and registry
++ Secure HTTPS connection to registries with certificate verification and without HTTP fallback unless `--insecure-registry` is specified
+
+#### Runtime
+- Fix issue where volumes would not be shared
+
+#### Client
+- Fix issue with `--iptables=false` not automatically setting `--ip-masq=false`
+- Fix docker run output to non-TTY stdout
+
+#### Builder
+- Fix escaping `$` for environment variables
+- Fix issue with lowercase `onbuild` Dockerfile instruction
+- Restrict environment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`, `EXPOSE`, `VOLUME` and `USER`
+
+## 1.3.0 (2014-10-14)
+
+#### Notable features since 1.2.0
++ Docker `exec` allows you to run additional processes inside existing containers
++ Docker `create` gives you the ability to create a container via the CLI without executing a process
++ `--security-opts` options to allow user to customize container labels and apparmor profiles
++ Docker `ps` filters
+- Wildcard support to COPY/ADD
++ Move production URLs to get.docker.com from get.docker.io
++ Allocate IP address on the bridge inside a valid CIDR
++ Use drone.io for PR and CI testing
++ Ability to setup an official registry mirror
++ Ability to save multiple images with docker `save`
+
+## 1.2.0 (2014-08-20)
+
+#### Runtime
++ Make /etc/hosts /etc/resolv.conf and /etc/hostname editable at runtime
++ Auto-restart containers using policies
++ Use /var/lib/docker/tmp for large temporary files
++ `--cap-add` and `--cap-drop` to tweak what linux capability you want
++ `--device` to use devices in containers
+
+#### Client
++ `docker search` on private registries
++ Add `exited` filter to `docker ps --filter`
+* `docker rm -f` now kills instead of stop
++ Support for IPv6 addresses in `--dns` flag
+
+#### Proxy
++ Proxy instances in separate processes
+* Small bug fix on UDP proxy
+
+## 1.1.2 (2014-07-23)
+
+#### Runtime
++ Fix port allocation for existing containers
++ Fix containers restart on daemon restart
+
+#### Packaging
++ Fix /etc/init.d/docker issue on Debian
+
+## 1.1.1 (2014-07-09)
+
+#### Builder
+* Fix issue with ADD
+
+## 1.1.0 (2014-07-03)
+
+#### Notable features since 1.0.1
++ Add `.dockerignore` support
++ Pause containers during `docker commit`
++ Add `--tail` to `docker logs`
+
+#### Builder
++ Allow a tar file as context for `docker build`
+* Fix issue with white-spaces and multi-lines in `Dockerfiles`
+
+#### Runtime
+* Overall performance improvements
+* Allow `/` as source of `docker run -v`
+* Fix port allocation
+* Fix bug in `docker save`
+* Add links information to `docker inspect`
+
+#### Client
+* Improve command line parsing for `docker commit`
+
+#### Remote API
+* Improve status code for the `start` and `stop` endpoints
+
+## 1.0.1 (2014-06-19)
+
+#### Notable features since 1.0.0
+* Enhance security for the LXC driver
+
+#### Builder
+* Fix `ONBUILD` instruction passed to grandchildren
+
+#### Runtime
+* Fix events subscription
+* Fix /etc/hostname file with host networking
+* Allow `-h` and `--net=none`
+* Fix issue with hotplug devices in `--privileged`
+
+#### Client
+* Fix artifacts with events
+* Fix a panic with empty flags
+* Fix `docker cp` on Mac OS X
+
+#### Miscellaneous
+* Fix compilation on Mac OS X
+* Fix several races
+
+## 1.0.0 (2014-06-09)
+
+#### Notable features since 0.12.0
+* Production support
+
+## 0.12.0 (2014-06-05)
+
+#### Notable features since 0.11.0
+* 40+ various improvements to stability, performance and usability
+* New `COPY` Dockerfile instruction to allow copying a local file from the context into the container without ever extracting if the file is a tar file
+* Inherit file permissions from the host on `ADD`
+* New `pause` and `unpause` commands to allow pausing and unpausing of containers using cgroup freezer
+* The `images` command has a `-f`/`--filter` option to filter the list of images
+* Add `--force-rm` to clean up after a failed build
+* Standardize JSON keys in Remote API to CamelCase
+* Pull from a docker run now assumes `latest` tag if not specified
+* Enhance security on Linux capabilities and device nodes
+
+## 0.11.1 (2014-05-07)
+
+#### Registry
+- Fix push and pull to private registry
+
+## 0.11.0 (2014-05-07)
+
+#### Notable features since 0.10.0
+
+* SELinux support for mount and process labels
+* Linked containers can be accessed by hostname
+* Use the net `--net` flag to allow advanced network configuration such as host networking so that containers can use the host's network interfaces
+* Add a ping endpoint to the Remote API to do healthchecks of your docker daemon
+* Logs can now be returned with an optional timestamp
+* Docker now works with registries that support SHA-512
+* Multiple registry endpoints are supported to allow registry mirrors
+
+## 0.10.0 (2014-04-08)
+
+#### Builder
+- Fix printing multiple messages on a single line. Fixes broken output during builds.
+- Follow symlinks inside container's root for ADD build instructions.
+- Fix EXPOSE caching.
+
+#### Documentation
+- Add the new options of `docker ps` to the documentation.
+- Add the options of `docker restart` to the documentation.
+- Update daemon docs and help messages for --iptables and --ip-forward.
+- Updated apt-cacher-ng docs example.
+- Remove duplicate description of --mtu from docs.
+- Add missing -t and -v for `docker images` to the docs.
+- Add fixes to the cli docs.
+- Update libcontainer docs.
+- Update images in docs to remove references to AUFS and LXC.
+- Update the nodejs_web_app in the docs to use the new epel RPM address.
+- Fix external link on security of containers.
+- Update remote API docs.
+- Add image size to history docs.
+- Be explicit about binding to all interfaces in redis example.
+- Document DisableNetwork flag in the 1.10 remote api.
+- Document that `--lxc-conf` is lxc only.
+- Add chef usage documentation.
+- Add example for an image with multiple for `docker load`.
+- Explain what `docker run -a` does in the docs.
+
+#### Contrib
+- Add variable for DOCKER_LOGFILE to sysvinit and use append instead of overwrite in opening the logfile.
+- Fix init script cgroup mounting workarounds to be more similar to cgroupfs-mount and thus work properly.
+- Remove inotifywait hack from the upstart host-integration example because it's not necessary any more.
+- Add check-config script to contrib.
+- Fix fish shell completion.
+
+#### Hack
+* Clean up "go test" output from "make test" to be much more readable/scannable.
+* Exclude more "definitely not unit tested Go source code" directories from hack/make/test.
++ Generate md5 and sha256 hashes when building, and upload them via hack/release.sh.
+- Include contributed completions in Ubuntu PPA.
++ Add cli integration tests.
+* Add tweaks to the hack scripts to make them simpler.
+
+#### Remote API
++ Add TLS auth support for API.
+* Move git clone from daemon to client.
+- Fix content-type detection in docker cp.
+* Split API into 2 go packages.
+
+#### Runtime
+* Support hairpin NAT without going through Docker server.
+- devicemapper: succeed immediately when removing non-existent devices.
+- devicemapper: improve handling of devicemapper devices (add per device lock, increase sleep time and unlock while sleeping).
+- devicemapper: increase timeout in waitClose to 10 seconds.
+- devicemapper: ensure we shut down thin pool cleanly.
+- devicemapper: pass info, rather than hash to activateDeviceIfNeeded, deactivateDevice, setInitialized, deleteDevice.
+- devicemapper: avoid AB-BA deadlock.
+- devicemapper: make shutdown better/faster.
+- improve alpha sorting in mflag.
+- Remove manual http cookie management because the cookiejar is being used.
+- Use BSD raw mode on Darwin. Fixes nano, tmux and others.
+- Add FreeBSD support for the client.
+- Merge auth package into registry.
+- Add deprecation warning for -t on `docker pull`.
+- Remove goroutine leak on error.
+- Update parseLxcInfo to comply with new lxc1.0 format.
+- Fix attach exit on darwin.
+- Improve deprecation message.
+- Retry to retrieve the layer metadata up to 5 times for `docker pull`.
+- Only unshare the mount namespace for execin.
+- Merge existing config when committing.
+- Disable daemon startup timeout.
+- Fix issue #4681: add loopback interface when networking is disabled.
+- Add failing test case for issue #4681.
+- Send SIGTERM to child, instead of SIGKILL.
+- Show the driver and the kernel version in `docker info` even when not in debug mode.
+- Always symlink /dev/ptmx for libcontainer. This fixes console related problems.
+- Fix issue caused by the absence of /etc/apparmor.d.
+- Don't leave empty cidFile behind when failing to create the container.
+- Mount cgroups automatically if they're not mounted already.
+- Use mock for search tests.
+- Update to double-dash everywhere.
+- Move .dockerenv parsing to lxc driver.
+- Move all bind mounts in the container inside the namespace.
+- Don't use separate bind mount for container.
+- Always symlink /dev/ptmx for libcontainer.
+- Don't kill by pid for other drivers.
+- Add initial logging to libcontainer.
+* Sort by port in `docker ps`.
+- Move networking drivers into runtime top level package.
++ Add --no-prune to `docker rmi`.
++ Add time since exit in `docker ps`.
+- graphdriver: add build tags.
+- Prevent allocation of previously allocated ports & prevent improve port allocation.
+* Add support for --since/--before in `docker ps`.
+- Clean up container stop.
++ Add support for configurable dns search domains.
+- Add support for relative WORKDIR instructions.
+- Add --output flag for docker save.
+- Remove duplication of DNS entries in config merging.
+- Add cpuset.cpus to cgroups and native driver options.
+- Remove docker-ci.
+- Promote btrfs. btrfs is no longer considered experimental.
+- Add --input flag to `docker load`.
+- Return error when existing bridge doesn't match IP address.
+- Strip comments before parsing line continuations to avoid interpreting instructions as comments.
+- Fix TestOnlyLoopbackExistsWhenUsingDisableNetworkOption to ignore "DOWN" interfaces.
+- Add systemd implementation of cgroups and make containers show up as systemd units.
+- Fix commit and import when no repository is specified.
+- Remount /var/lib/docker as --private to fix scaling issue.
+- Use the environment's proxy when pinging the remote registry.
+- Reduce error level from harmless errors.
+* Allow --volumes-from to be individual files.
+- Fix expanding buffer in StdCopy.
+- Set error regardless of attach or stdin. This fixes #3364.
+- Add support for --env-file to load environment variables from files.
+- Symlink /etc/mtab and /proc/mounts.
+- Allow pushing a single tag.
+- Shut down containers cleanly at shutdown and wait forever for the containers to shut down. This makes container shutdown on daemon shutdown work properly via SIGTERM.
+- Don't throw error when starting an already running container.
+- Fix dynamic port allocation limit.
+- remove setupDev from libcontainer.
+- Add API version to `docker version`.
+- Return correct exit code when receiving signal and make SIGQUIT quit without cleanup.
+- Fix --volumes-from mount failure.
+- Allow non-privileged containers to create device nodes.
+- Skip login tests because of external dependency on a hosted service.
+- Deprecate `docker images --tree` and `docker images --viz`.
+- Deprecate `docker insert`.
+- Include base abstraction for apparmor. This fixes some apparmor related problems on Ubuntu 14.04.
+- Add specific error message when hitting 401 over HTTP on push.
+- Fix absolute volume check.
+- Remove volumes-from from the config.
+- Move DNS options to hostconfig.
+- Update the apparmor profile for libcontainer.
+- Add deprecation notice for `docker commit -run`.
+
+## 0.9.1 (2014-03-24)
+
+#### Builder
+- Fix printing multiple messages on a single line. Fixes broken output during builds.
+
+#### Documentation
+- Fix external link on security of containers.
+
+#### Contrib
+- Fix init script cgroup mounting workarounds to be more similar to cgroupfs-mount and thus work properly.
+- Add variable for DOCKER_LOGFILE to sysvinit and use append instead of overwrite in opening the logfile.
+
+#### Hack
+- Generate md5 and sha256 hashes when building, and upload them via hack/release.sh.
+
+#### Remote API
+- Fix content-type detection in `docker cp`.
+
+#### Runtime
+- Use BSD raw mode on Darwin. Fixes nano, tmux and others.
+- Only unshare the mount namespace for execin.
+- Retry to retrieve the layer metadata up to 5 times for `docker pull`.
+- Merge existing config when committing.
+- Fix panic in monitor.
+- Disable daemon startup timeout.
+- Fix issue #4681: add loopback interface when networking is disabled.
+- Add failing test case for issue #4681.
+- Send SIGTERM to child, instead of SIGKILL.
+- Show the driver and the kernel version in `docker info` even when not in debug mode.
+- Always symlink /dev/ptmx for libcontainer. This fixes console related problems.
+- Fix issue caused by the absence of /etc/apparmor.d.
+- Don't leave empty cidFile behind when failing to create the container.
+- Improve deprecation message.
+- Fix attach exit on darwin.
+- devicemapper: improve handling of devicemapper devices (add per device lock, increase sleep time, unlock while sleeping).
+- devicemapper: succeed immediately when removing non-existent devices.
+- devicemapper: increase timeout in waitClose to 10 seconds.
+- Remove goroutine leak on error.
+- Update parseLxcInfo to comply with new lxc1.0 format.
+
+## 0.9.0 (2014-03-10)
+
+#### Builder
+- Avoid extra mount/unmount during build. This fixes mount/unmount related errors during build.
+- Add error to docker build --rm. This adds missing error handling.
+- Forbid chained onbuild, `onbuild from` and  `onbuild maintainer` triggers.
+- Make `--rm` the default for `docker build`.
+
+#### Documentation
+- Download the docker client binary for Mac over https.
+- Update the titles of the install instructions & descriptions.
+* Add instructions for upgrading boot2docker.
+* Add port forwarding example in OS X install docs.
+- Attempt to disentangle repository and registry.
+- Update docs to explain more about `docker ps`.
+- Update sshd example to use a Dockerfile.
+- Rework some examples, including the Python examples.
+- Update docs to include instructions for a container's lifecycle.
+- Update docs documentation to discuss the docs branch.
+- Don't skip cert check for an example & use HTTPS.
+- Bring back the memory and swap accounting section which was lost when the kernel page was removed.
+- Explain DNS warnings and how to fix them on systems running and using a local nameserver.
+
+#### Contrib
+- Add Tanglu support for mkimage-debootstrap.
+- Add SteamOS support for mkimage-debootstrap.
+
+#### Hack
+- Get package coverage when running integration tests.
+- Remove the Vagrantfile. This is being replaced with boot2docker.
+- Fix tests on systems where aufs isn't available.
+- Update packaging instructions and remove the dependency on lxc.
+
+#### Remote API
+* Move code specific to the API to the api package.
+- Fix header content type for the API. Makes all endpoints use proper content type.
+- Fix registry auth & remove ping calls from CmdPush and CmdPull.
+- Add newlines to the JSON stream functions.
+
+#### Runtime
+* Do not ping the registry from the CLI. All requests to registries flow through the daemon.
+- Check for nil information return in the lxc driver. This fixes panics with older lxc versions.
+- Devicemapper: cleanups and fix for unmount. Fixes two problems which were causing unmount to fail intermittently.
+- Devicemapper: remove directory when removing device. Directories don't get left behind when removing the device.
+* Devicemapper: enable skip_block_zeroing. Improves performance by not zeroing blocks.
+- Devicemapper: fix shutdown warnings. Fixes shutdown warnings concerning pool device removal.
+- Ensure docker cp stream is closed properly. Fixes problems with files not being copied by `docker cp`.
+- Stop making `tcp://` default to `127.0.0.1:4243` and remove the default port for tcp.
+- Fix `--run` in `docker commit`. This makes `docker commit --run` work again.
+- Fix custom bridge related options. This makes custom bridges work again.
++ Mount-bind the PTY as container console. This allows tmux/screen to run.
++ Add the pure Go libcontainer library to make it possible to run containers using only features of the Linux kernel.
++ Add native exec driver which uses libcontainer and make it the default exec driver.
+- Add support for handling extended attributes in archives.
+* Set the container MTU to be the same as the host MTU.
++ Add simple sha256 checksums for layers to speed up `docker push`.
+* Improve kernel version parsing.
+* Allow flag grouping (`docker run -it`).
+- Remove chroot exec driver.
+- Fix divide by zero to fix panic.
+- Rewrite `docker rmi`.
+- Fix docker info with lxc 1.0.0.
+- Fix fedora tty with apparmor.
+* Don't always append env vars, replace defaults with vars from config.
+* Fix a goroutine leak.
+* Switch to Go 1.2.1.
+- Fix unique constraint error checks.
+* Handle symlinks for Docker's data directory and for TMPDIR.
+- Add deprecation warnings for flags (-flag is deprecated in favor of --flag)
+- Add apparmor profile for the native execution driver.
+* Move system specific code from archive to pkg/system.
+- Fix duplicate signal for `docker run -i -t` (issue #3336).
+- Return correct process pid for lxc.
+- Add a -G option to specify the group which unix sockets belong to.
++ Add `-f` flag to `docker rm` to force removal of running containers.
++ Kill ghost containers and restart all ghost containers when the docker daemon restarts.
++ Add `DOCKER_RAMDISK` environment variable to make Docker work when the root is on a ramdisk.
+
+## 0.8.1 (2014-02-18)
+
+#### Builder
+
+- Avoid extra mount/unmount during build. This removes an unneeded mount/unmount operation which was causing problems with devicemapper
+- Fix regression with ADD of tar files. This stops Docker from decompressing tarballs added via ADD from the local file system
+- Add error to `docker build --rm`. This adds a missing error check to ensure failures to remove containers are detected and reported
+
+#### Documentation
+
+* Update issue filing instructions
+* Warn against the use of symlinks for Docker's storage folder
+* Replace the Firefox example with an IceWeasel example
+* Rewrite the PostgreSQL example using a Dockerfile and add more details to it
+* Improve the OS X documentation
+
+#### Remote API
+
+- Fix broken images API for version less than 1.7
+- Use the right encoding for all API endpoints which return JSON
+- Move remote api client to api/
+- Queue calls to the API using generic socket wait
+
+#### Runtime
+
+- Fix the use of custom settings for bridges and custom bridges
+- Refactor the devicemapper code to avoid many mount/unmount race conditions and failures
+- Remove two panics which could make Docker crash in some situations
+- Don't ping registry from the CLI client
+- Enable skip_block_zeroing for devicemapper. This stops devicemapper from always zeroing entire blocks
+- Fix --run in `docker commit`. This makes docker commit store `--run` in the image configuration
+- Remove directory when removing devicemapper device. This cleans up leftover mount directories
+- Drop NET_ADMIN capability for non-privileged containers. Unprivileged containers can't change their network configuration
+- Ensure `docker cp` stream is closed properly
+- Avoid extra mount/unmount during container registration. This removes an unneeded mount/unmount operation which was causing problems with devicemapper
+- Stop allowing tcp:// as a default tcp bin address which binds to 127.0.0.1:4243 and remove the default port
++ Mount-bind the PTY as container console. This allows tmux and screen to run in a container
+- Clean up archive closing. This fixes and improves archive handling
+- Fix engine tests on systems where temp directories are symlinked
+- Add test methods for save and load
+- Avoid temporarily unmounting the container when restarting it. This fixes a race for devicemapper during restart
+- Support submodules when building from a GitHub repository
+- Quote volume path to allow spaces
+- Fix remote tar ADD behavior. This fixes a regression which was causing Docker to extract tarballs
+
+## 0.8.0 (2014-02-04)
+
+#### Notable features since 0.7.0
+
+* Images and containers can be removed much faster
+* Building an image from source with docker build is now much faster
+* The Docker daemon starts and stops much faster
+* The memory footprint of many common operations has been reduced, by streaming files instead of buffering them in memory, fixing memory leaks, and fixing various suboptimal memory allocations
+* Several race conditions were fixed, making Docker more stable under very high concurrency load. This makes Docker more stable and less likely to crash and reduces the memory footprint of many common operations
+* All packaging operations are now built on the Go language’s standard tar implementation, which is bundled with Docker itself. This makes packaging more portable across host distributions, and solves several issues caused by quirks and incompatibilities between different distributions of tar
+* Docker can now create, remove and modify larger numbers of containers and images graciously thanks to more aggressive releasing of system resources. For example the storage driver API now allows Docker to do reference counting on mounts created by the drivers
+With the ongoing changes to the networking and execution subsystems of docker testing these areas have been a focus of the refactoring.  By moving these subsystems into separate packages we can test, analyze, and monitor coverage and quality of these packages
+* Many components have been separated into smaller sub-packages, each with a dedicated test suite. As a result the code is better-tested, more readable and easier to change
+
+* The ADD instruction now supports caching, which avoids unnecessarily re-uploading the same source content again and again when it hasn’t changed
+* The new ONBUILD instruction adds to your image a “trigger” instruction to be executed at a later time, when the image is used as the base for another build
+* Docker now ships with an experimental storage driver which uses the BTRFS filesystem for copy-on-write
+* Docker is officially supported on Mac OS X
+* The Docker daemon supports systemd socket activation
+
+## 0.7.6 (2014-01-14)
+
+#### Builder
+
+* Do not follow symlink outside of build context
+
+#### Runtime
+
+- Remount bind mounts when ro is specified
+* Use https for fetching docker version
+
+#### Other
+
+* Inline the test.docker.io fingerprint
+* Add ca-certificates to packaging documentation
+
+## 0.7.5 (2014-01-09)
+
+#### Builder
+
+* Disable compression for build. More space usage but a much faster upload
+- Fix ADD caching for certain paths
+- Do not compress archive from git build
+
+#### Documentation
+
+- Fix error in GROUP add example
+* Make sure the GPG fingerprint is inline in the documentation
+* Give more specific advice on setting up signing of commits for DCO
+
+#### Runtime
+
+- Fix misspelled container names
+- Do not add hostname when networking is disabled
+* Return most recent image from the cache by date
+- Return all errors from docker wait
+* Add Content-Type Header "application/json" to GET /version and /info responses
+
+#### Other
+
+* Update DCO to version 1.1
++ Update Makefile to use "docker:GIT_BRANCH" as the generated image name
+* Update Travis to check for new 1.1 DCO version
+
+## 0.7.4 (2014-01-07)
+
+#### Builder
+
+- Fix ADD caching issue with . prefixed path
+- Fix docker build on devicemapper by reverting sparse file tar option
+- Fix issue with file caching and prevent wrong cache hit
+* Use same error handling while unmarshaling CMD and ENTRYPOINT
+
+#### Documentation
+
+* Simplify and streamline Amazon Quickstart
+* Install instructions use unprefixed Fedora image
+* Update instructions for mtu flag for Docker on GCE
++ Add Ubuntu Saucy to installation
+- Fix for wrong version warning on master instead of latest
+
+#### Runtime
+
+- Only get the image's rootfs when we need to calculate the image size
+- Correctly handle unmapping UDP ports
+* Make CopyFileWithTar use a pipe instead of a buffer to save memory on docker build
+- Fix login message to say pull instead of push
+- Fix "docker load" help by removing "SOURCE" prompt and mentioning STDIN
+* Make blank -H option default to the same as no -H was sent
+* Extract cgroups utilities to own submodule
+
+#### Other
+
++ Add Travis CI configuration to validate DCO and gofmt requirements
++ Add Developer Certificate of Origin Text
+* Upgrade VBox Guest Additions
+* Check standalone header when pinging a registry server
+
+## 0.7.3 (2014-01-02)
+
+#### Builder
+
++ Update ADD to use the image cache, based on a hash of the added content
+* Add error message for empty Dockerfile
+
+#### Documentation
+
+- Fix outdated link to the "Introduction" on www.docker.io
++ Update the docs to get wider when the screen does
+- Add information about needing to install LXC when using raw binaries
+* Update Fedora documentation to disentangle the docker and docker.io conflict
+* Add a note about using the new `-mtu` flag in several GCE zones
++ Add FrugalWare installation instructions
++ Add a more complete example of `docker run`
+- Fix API documentation for creating and starting Privileged containers
+- Add missing "name" parameter documentation on "/containers/create"
+* Add a mention of `lxc-checkconfig` as a way to check for some of the necessary kernel configuration
+- Update the 1.8 API documentation with some additions that were added to the docs for 1.7
+
+#### Hack
+
+- Add missing libdevmapper dependency to the packagers documentation
+* Update minimum Go requirement to a hard line at Go 1.2+
+* Many minor improvements to the Vagrantfile
++ Add ability to customize dockerinit search locations when compiling (to be used very sparingly only by packagers of platforms who require a nonstandard location)
++ Add coverprofile generation reporting
+- Add `-a` to our Go build flags, removing the need for recompiling the stdlib manually
+* Update Dockerfile to be more canonical and have less spurious warnings during build
+- Fix some miscellaneous `docker pull` progress bar display issues
+* Migrate more miscellaneous packages under the "pkg" folder
+* Update TextMate highlighting to automatically be enabled for files named "Dockerfile"
+* Reorganize syntax highlighting files under a common "contrib/syntax" directory
+* Update install.sh script (https://get.docker.io/) to not fail if busybox fails to download or run at the end of the Ubuntu/Debian installation
+* Add support for container names in bash completion
+
+#### Packaging
+
++ Add an official Docker client binary for Darwin (Mac OS X)
+* Remove empty "Vendor" string and added "License" on deb package
++ Add a stubbed version of "/etc/default/docker" in the deb package
+
+#### Runtime
+
+* Update layer application to extract tars in place, avoiding file churn while handling whiteouts
+- Fix permissiveness of mtime comparisons in tar handling (since GNU tar and Go tar do not yet support sub-second mtime precision)
+* Reimplement `docker top` in pure Go to work more consistently, and even inside Docker-in-Docker (thus removing the shell injection vulnerability present in some versions of `lxc-ps`)
++ Update `-H unix://` to work similarly to `-H tcp://` by inserting the default values for missing portions
+- Fix more edge cases regarding dockerinit and deleted or replaced docker or dockerinit files
+* Update container name validation to include '.'
+- Fix use of a symlink or non-absolute path as the argument to `-g` to work as expected
+* Update to handle external mounts outside of LXC, fixing many small mounting quirks and making future execution backends and other features simpler
+* Update to use proper box-drawing characters everywhere in `docker images -tree`
+* Move MTU setting from LXC configuration to directly use netlink
+* Add `-S` option to external tar invocation for more efficient spare file handling
++ Add arch/os info to User-Agent string, especially for registry requests
++ Add `-mtu` option to Docker daemon for configuring MTU
+- Fix `docker build` to exit with a non-zero exit code on error
++ Add `DOCKER_HOST` environment variable to configure the client `-H` flag without specifying it manually for every invocation
+
+## 0.7.2 (2013-12-16)
+
+#### Runtime
+
++ Validate container names on creation with standard regex
+* Increase maximum image depth to 127 from 42
+* Continue to move api endpoints to the job api
++ Add -bip flag to allow specification of dynamic bridge IP via CIDR
+- Allow bridge creation when ipv6 is not enabled on certain systems
+* Set hostname and IP address from within dockerinit
+* Drop capabilities from within dockerinit
+- Fix volumes on host when symlink is present the image
+- Prevent deletion of image if ANY container is depending on it even if the container is not running
+* Update docker push to use new progress display
+* Use os.Lstat to allow mounting unix sockets when inspecting volumes
+- Adjust handling of inactive user login
+- Add missing defines in devicemapper for older kernels
+- Allow untag operations with no container validation
+- Add auth config to docker build
+
+#### Documentation
+
+* Add more information about Docker logging
++ Add RHEL documentation
+* Add a direct example for changing the CMD that is run in a container
+* Update Arch installation documentation
++ Add section on Trusted Builds
++ Add Network documentation page
+
+#### Other
+
++ Add new cover bundle for providing code coverage reporting
+* Separate integration tests in bundles
+* Make Tianon the hack maintainer
+* Update mkimage-debootstrap with more tweaks for keeping images small
+* Use https to get the install script
+* Remove vendored dotcloud/tar now that Go 1.2 has been released
+
+## 0.7.1 (2013-12-05)
+
+#### Documentation
+
++ Add @SvenDowideit as documentation maintainer
++ Add links example
++ Add documentation regarding ambassador pattern
++ Add Google Cloud Platform docs
++ Add dockerfile best practices
+* Update doc for RHEL
+* Update doc for registry
+* Update Postgres examples
+* Update doc for Ubuntu install
+* Improve remote api doc
+
+#### Runtime
+
++ Add hostconfig to docker inspect
++ Implement `docker log -f` to stream logs
++ Add env variable to disable kernel version warning
++ Add -format to `docker inspect`
++ Support bind mount for files
+- Fix bridge creation on RHEL
+- Fix image size calculation
+- Make sure iptables are called even if the bridge already exists
+- Fix issue with stderr only attach
+- Remove init layer when destroying a container
+- Fix same port binding on different interfaces
+- `docker build` now returns the correct exit code
+- Fix `docker port` to display correct port
+- `docker build` now check that the dockerfile exists client side
+- `docker attach` now returns the correct exit code
+- Remove the name entry when the container does not exist
+
+#### Registry
+
+* Improve progress bars, add ETA for downloads
+* Simultaneous pulls now waits for the first to finish instead of failing
+- Tag only the top-layer image when pushing to registry
+- Fix issue with offline image transfer
+- Fix issue preventing using ':' in password for registry
+
+#### Other
+
++ Add pprof handler for debug
++ Create a Makefile
+* Use stdlib tar that now includes fix
+* Improve make.sh test script
+* Handle SIGQUIT on the daemon
+* Disable verbose during tests
+* Upgrade to go1.2 for official build
+* Improve unit tests
+* The test suite now runs all tests even if one fails
+* Refactor C in Go (Devmapper)
+- Fix OS X compilation
+
+## 0.7.0 (2013-11-25)
+
+#### Notable features since 0.6.0
+
+* Storage drivers: choose from aufs, device-mapper, or vfs.
+* Standard Linux support: docker now runs on unmodified Linux kernels and all major distributions.
+* Links: compose complex software stacks by connecting containers to each other.
+* Container naming: organize your containers by giving them memorable names.
+* Advanced port redirects: specify port redirects per interface, or keep sensitive ports private.
+* Offline transfer: push and pull images to the filesystem without losing information.
+* Quality: numerous bugfixes and small usability improvements. Significant increase in test coverage.
+
+## 0.6.7 (2013-11-21)
+
+#### Runtime
+
+* Improve stability, fixes some race conditions
+* Skip the volumes mounted when deleting the volumes of container.
+* Fix layer size computation: handle hard links correctly
+* Use the work Path for docker cp CONTAINER:PATH
+* Fix tmp dir never cleanup
+* Speedup docker ps
+* More informative error message on name collisions
+* Fix nameserver regex
+* Always return long id's
+* Fix container restart race condition
+* Keep published ports on docker stop;docker start
+* Fix container networking on Fedora
+* Correctly express "any address" to iptables
+* Fix network setup when reconnecting to ghost container
+* Prevent deletion if image is used by a running container
+* Lock around read operations in graph
+
+#### RemoteAPI
+
+* Return full ID on docker rmi
+
+#### Client
+
++ Add -tree option to images
++ Offline image transfer
+* Exit with status 2 on usage error and display usage on stderr
+* Do not forward SIGCHLD to container
+* Use string timestamp for docker events -since
+
+#### Other
+
+* Update to go 1.2rc5
++ Add /etc/default/docker support to upstart
+
+## 0.6.6 (2013-11-06)
+
+#### Runtime
+
+* Ensure container name on register
+* Fix regression in /etc/hosts
++ Add lock around write operations in graph
+* Check if port is valid
+* Fix restart runtime error with ghost container networking
++ Add some more colors and animals to increase the pool of generated names
+* Fix issues in docker inspect
++ Escape apparmor confinement
++ Set environment variables using a file.
+* Prevent docker insert to erase something
++ Prevent DNS server conflicts in CreateBridgeIface
++ Validate bind mounts on the server side
++ Use parent image config in docker build
+* Fix regression in /etc/hosts
+
+#### Client
+
++ Add -P flag to publish all exposed ports
++ Add -notrunc and -q flags to docker history
+* Fix docker commit, tag and import usage
++ Add stars, trusted builds and library flags in docker search
+* Fix docker logs with tty
+
+#### RemoteAPI
+
+* Make /events API send headers immediately
+* Do not split last column docker top
++ Add size to history
+
+#### Other
+
++ Contrib: Desktop integration. Firefox usecase.
++ Dockerfile: bump to go1.2rc3
+
+## 0.6.5 (2013-10-29)
+
+#### Runtime
+
++ Containers can now be named
++ Containers can now be linked together for service discovery
++ 'run -a', 'start -a' and 'attach' can forward signals to the container for better integration with process supervisors
++ Automatically start crashed containers after a reboot
++ Expose IP, port, and proto as separate environment vars for container links
+* Allow ports to be published to specific ips
+* Prohibit inter-container communication by default
+- Ignore ErrClosedPipe for stdin in Container.Attach
+- Remove unused field kernelVersion
+* Fix issue when mounting subdirectories of /mnt in container
+- Fix untag during removal of images
+* Check return value of syscall.Chdir when changing working directory inside dockerinit
+
+#### Client
+
+- Only pass stdin to hijack when needed to avoid closed pipe errors
+* Use less reflection in command-line method invocation
+- Monitor the tty size after starting the container, not prior
+- Remove useless os.Exit() calls after log.Fatal
+
+#### Hack
+
++ Add initial init scripts library and a safer Ubuntu packaging script that works for Debian
+* Add -p option to invoke debootstrap with http_proxy
+- Update install.sh with $sh_c to get sudo/su for modprobe
+* Update all the mkimage scripts to use --numeric-owner as a tar argument
+* Update hack/release.sh process to automatically invoke hack/make.sh and bail on build and test issues
+
+#### Other
+
+* Documentation: Fix the flags for nc in example
+* Testing: Remove warnings and prevent mount issues
+- Testing: Change logic for tty resize to avoid warning in tests
+- Builder: Fix race condition in docker build with verbose output
+- Registry: Fix content-type for PushImageJSONIndex method
+* Contrib: Improve helper tools to generate debian and Arch linux server images
+
+## 0.6.4 (2013-10-16)
+
+#### Runtime
+
+- Add cleanup of container when Start() fails
+* Add better comments to utils/stdcopy.go
+* Add utils.Errorf for error logging
++ Add -rm to docker run for removing a container on exit
+- Remove error messages which are not actually errors
+- Fix `docker rm` with volumes
+- Fix some error cases where an HTTP body might not be closed
+- Fix panic with wrong dockercfg file
+- Fix the attach behavior with -i
+* Record termination time in state.
+- Use empty string so TempDir uses the OS's temp dir automatically
+- Make sure to close the network allocators
++ Autorestart containers by default
+* Bump vendor kr/pty to commit 3b1f6487b `(syscall.O_NOCTTY)`
+* lxc: Allow set_file_cap capability in container
+- Move run -rm to the cli only
+* Split stdout stderr
+* Always create a new session for the container
+
+#### Testing
+
+- Add aggregated docker-ci email report
+- Add cleanup to remove leftover containers
+* Add nightly release to docker-ci
+* Add more tests around auth.ResolveAuthConfig
+- Remove a few errors in tests
+- Catch errClosing error when TCP and UDP proxies are terminated
+* Only run certain tests with TESTFLAGS='-run TestName' make.sh
+* Prevent docker-ci to test closing PRs
+* Replace panic by log.Fatal in tests
+- Increase TestRunDetach timeout
+
+#### Documentation
+
+* Add initial draft of the Docker infrastructure doc
+* Add devenvironment link to CONTRIBUTING.md
+* Add `apt-get install curl` to Ubuntu docs
+* Add explanation for export restrictions
+* Add .dockercfg doc
+* Remove Gentoo install notes about #1422 workaround
+* Fix help text for -v option
+* Fix Ping endpoint documentation
+- Fix parameter names in docs for ADD command
+- Fix ironic typo in changelog
+* Various command fixes in postgres example
+* Document how to edit and release docs
+- Minor updates to `postgresql_service.rst`
+* Clarify LGTM process to contributors
+- Corrected error in the package name
+* Document what `vagrant up` is actually doing
++ improve doc search results
+* Cleanup whitespace in API 1.5 docs
+* use angle brackets in MAINTAINER example email
+* Update archlinux.rst
++ Changes to a new style for the docs. Includes version switcher.
+* Formatting, add information about multiline json
+* Improve registry and index REST API documentation
+- Replace deprecated upgrading reference to docker-latest.tgz, which hasn't been updated since 0.5.3
+* Update Gentoo installation documentation now that we're in the portage tree proper
+* Cleanup and reorganize docs and tooling for contributors and maintainers
+- Minor spelling correction of protocoll -> protocol
+
+#### Contrib
+
+* Add vim syntax highlighting for Dockerfiles from @honza
+* Add mkimage-arch.sh
+* Reorganize contributed completion scripts to add zsh completion
+
+#### Hack
+
+* Add vagrant user to the docker group
+* Add proper bash completion for "docker push"
+* Add xz utils as a runtime dep
+* Add cleanup/refactor portion of #2010 for hack and Dockerfile updates
++ Add contrib/mkimage-centos.sh back (from #1621), and associated documentation link
+* Add several of the small make.sh fixes from #1920, and make the output more consistent and contributor-friendly
++ Add @tianon to hack/MAINTAINERS
+* Improve network performance for VirtualBox
+* Revamp install.sh to be usable by more people, and to use official install methods whenever possible (apt repo, portage tree, etc.)
+- Fix contrib/mkimage-debian.sh apt caching prevention
++ Add Dockerfile.tmLanguage to contrib
+* Configured FPM to make /etc/init/docker.conf a config file
+* Enable SSH Agent forwarding in Vagrant VM
+* Several small tweaks/fixes for contrib/mkimage-debian.sh
+
+#### Other
+
+- Builder: Abort build if mergeConfig returns an error and fix duplicate error message
+- Packaging: Remove deprecated packaging directory
+- Registry: Use correct auth config when logging in.
+- Registry: Fix the error message so it is the same as the regex
+
+## 0.6.3 (2013-09-23)
+
+#### Packaging
+
+* Add 'docker' group on install for ubuntu package
+* Update tar vendor dependency
+* Download apt key over HTTPS
+
+#### Runtime
+
+- Only copy and change permissions on non-bindmount volumes
+* Allow multiple volumes-from
+- Fix HTTP imports from STDIN
+
+#### Documentation
+
+* Update section on extracting the docker binary after build
+* Update development environment docs for new build process
+* Remove 'base' image from documentation
+
+#### Other
+
+- Client: Fix detach issue
+- Registry: Update regular expression to match index
+
+## 0.6.2 (2013-09-17)
+
+#### Runtime
+
++ Add domainname support
++ Implement image filtering with path.Match
+* Remove unnecessary warnings
+* Remove os/user dependency
+* Only mount the hostname file when the config exists
+* Handle signals within the `docker login` command
+- UID and GID are now also applied to volumes
+- `docker start` set error code upon error
+- `docker run` set the same error code as the process started
+
+#### Builder
+
++ Add -rm option in order to remove intermediate containers
+* Allow multiline for the RUN instruction
+
+#### Registry
+
+* Implement login with private registry
+- Fix push issues
+
+#### Other
+
++ Hack: Vendor all dependencies
+* Remote API: Bump to v1.5
+* Packaging: Break down hack/make.sh into small scripts, one per 'bundle': test, binary, ubuntu etc.
+* Documentation: General improvements
+
+## 0.6.1 (2013-08-23)
+
+#### Registry
+
+* Pass "meta" headers in API calls to the registry
+
+#### Packaging
+
+- Use correct upstart script with new build tool
+- Use libffi-dev, don`t build it from sources
+- Remove duplicate mercurial install command
+
+## 0.6.0 (2013-08-22)
+
+#### Runtime
+
++ Add lxc-conf flag to allow custom lxc options
++ Add an option to set the working directory
+* Add Image name to LogEvent tests
++ Add -privileged flag and relevant tests, docs, and examples
+* Add websocket support to /container/<name>/attach/ws
+* Add warning when net.ipv4.ip_forwarding = 0
+* Add hostname to environment
+* Add last stable version in `docker version`
+- Fix race conditions in parallel pull
+- Fix Graph ByParent() to generate list of child images per parent image.
+- Fix typo: fmt.Sprint -> fmt.Sprintf
+- Fix small \n error un docker build
+* Fix to "Inject dockerinit at /.dockerinit"
+* Fix #910. print user name to docker info output
+* Use Go 1.1.2 for dockerbuilder
+* Use ranged for loop on channels
+- Use utils.ParseRepositoryTag instead of strings.Split(name, ":") in server.ImageDelete
+- Improve CMD, ENTRYPOINT, and attach docs.
+- Improve connect message with socket error
+- Load authConfig only when needed and fix useless WARNING
+- Show tag used when image is missing
+* Apply volumes-from before creating volumes
+- Make docker run handle SIGINT/SIGTERM
+- Prevent crash when .dockercfg not readable
+- Install script should be fetched over https, not http.
+* API, issue 1471: Use groups for socket permissions
+- Correctly detect IPv4 forwarding
+* Mount /dev/shm as a tmpfs
+- Switch from http to https for get.docker.io
+* Let userland proxy handle container-bound traffic
+* Update the Docker CLI to specify a value for the "Host" header.
+- Change network range to avoid conflict with EC2 DNS
+- Reduce connect and read timeout when pinging the registry
+* Parallel pull
+- Handle ip route showing mask-less IP addresses
+* Allow ENTRYPOINT without CMD
+- Always consider localhost as a domain name when parsing the FQN repos name
+* Refactor checksum
+
+#### Documentation
+
+* Add MongoDB image example
+* Add instructions for creating and using the docker group
+* Add sudo to examples and installation to documentation
+* Add ufw doc
+* Add a reference to ps -a
+* Add information about Docker`s high level tools over LXC.
+* Fix typo in docs for docker run -dns
+* Fix a typo in the ubuntu installation guide
+* Fix to docs regarding adding docker groups
+* Update default -H docs
+* Update readme with dependencies for building
+* Update amazon.rst to explain that Vagrant is not necessary for running Docker on ec2
+* PostgreSQL service example in documentation
+* Suggest installing linux-headers by default.
+* Change the twitter handle
+* Clarify Amazon EC2 installation
+* 'Base' image is deprecated and should no longer be referenced in the docs.
+* Move note about officially supported kernel
+- Solved the logo being squished in Safari
+
+#### Builder
+
++ Add USER instruction do Dockerfile
++ Add workdir support for the Buildfile
+* Add no cache for docker build
+- Fix docker build and docker events output
+- Only count known instructions as build steps
+- Make sure ENV instruction within build perform a commit each time
+- Forbid certain paths within docker build ADD
+- Repository name (and optionally a tag) in build usage
+- Make sure ADD will create everything in 0755
+
+#### Remote API
+
+* Sort Images by most recent creation date.
+* Reworking opaque requests in registry module
+* Add image name in /events
+* Use mime pkg to parse Content-Type
+* 650 http utils and user agent field
+
+#### Hack
+
++ Bash Completion: Limit commands to containers of a relevant state
+* Add docker dependencies coverage testing into docker-ci
+
+#### Packaging
+
++ Docker-brew 0.5.2 support and memory footprint reduction
+* Add new docker dependencies into docker-ci
+- Revert "docker.upstart: avoid spawning a `sh` process"
++ Docker-brew and Docker standard library
++ Release docker with docker
+* Fix the upstart script generated by get.docker.io
+* Enabled the docs to generate manpages.
+* Revert Bind daemon to 0.0.0.0 in Vagrant.
+
+#### Register
+
+* Improve auth push
+* Registry unit tests + mock registry
+
+#### Tests
+
+* Improve TestKillDifferentUser to prevent timeout on buildbot
+- Fix typo in TestBindMounts (runContainer called without image)
+* Improve TestGetContainersTop so it does not rely on sleep
+* Relax the lo interface test to allow iface index != 1
+* Add registry functional test to docker-ci
+* Add some tests in server and utils
+
+#### Other
+
+* Contrib: bash completion script
+* Client: Add docker cp command and copy api endpoint to copy container files/folders to the host
+* Don`t read from stdout when only attached to stdin
+
+## 0.5.3 (2013-08-13)
+
+#### Runtime
+
+* Use docker group for socket permissions
+- Spawn shell within upstart script
+- Handle ip route showing mask-less IP addresses
+- Add hostname to environment
+
+#### Builder
+
+- Make sure ENV instruction within build perform a commit each time
+
+## 0.5.2 (2013-08-08)
+
+* Builder: Forbid certain paths within docker build ADD
+- Runtime: Change network range to avoid conflict with EC2 DNS
+* API: Change daemon to listen on unix socket by default
+
+## 0.5.1 (2013-07-30)
+
+#### Runtime
+
++ Add `ps` args to `docker top`
++ Add support for container ID files (pidfile like)
++ Add container=lxc in default env
++ Support networkless containers with `docker run -n` and `docker -d -b=none`
+* Stdout/stderr logs are now stored in the same file as JSON
+* Allocate a /16 IP range by default, with fallback to /24. Try 12 ranges instead of 3.
+* Change .dockercfg format to json and support multiple auth remote
+- Do not override volumes from config
+- Fix issue with EXPOSE override
+
+#### API
+
++ Docker client now sets useragent (RFC 2616)
++ Add /events endpoint
+
+#### Builder
+
++ ADD command now understands URLs
++ CmdAdd and CmdEnv now respect Dockerfile-set ENV variables
+- Create directories with 755 instead of 700 within ADD instruction
+
+#### Hack
+
+* Simplify unit tests with helpers
+* Improve docker.upstart event
+* Add coverage testing into docker-ci
+
+## 0.5.0 (2013-07-17)
+
+#### Runtime
+
++ List all processes running inside a container with 'docker top'
++ Host directories can be mounted as volumes with 'docker run -v'
++ Containers can expose public UDP ports (eg, '-p 123/udp')
++ Optionally specify an exact public port (eg. '-p 80:4500')
+* 'docker login' supports additional options
+- Don't save a container`s hostname when committing an image.
+
+#### Registry
+
++ New image naming scheme inspired by Go packaging convention allows arbitrary combinations of registries
+- Fix issues when uploading images to a private registry
+
+#### Builder
+
++ ENTRYPOINT instruction sets a default binary entry point to a container
++ VOLUME instruction marks a part of the container as persistent data
+* 'docker build' displays the full output of a build by default
+
+## 0.4.8 (2013-07-01)
+
++ Builder: New build operation ENTRYPOINT adds an executable entry point to the container.  - Runtime: Fix a bug which caused 'docker run -d' to no longer print the container ID.
+- Tests: Fix issues in the test suite
+
+## 0.4.7 (2013-06-28)
+
+#### Remote API
+
+* The progress bar updates faster when downloading and uploading large files
+- Fix a bug in the optional unix socket transport
+
+#### Runtime
+
+* Improve detection of kernel version
++ Host directories can be mounted as volumes with 'docker run -b'
+- fix an issue when only attaching to stdin
+* Use 'tar --numeric-owner' to avoid uid mismatch across multiple hosts
+
+#### Hack
+
+* Improve test suite and dev environment
+* Remove dependency on unit tests on 'os/user'
+
+#### Other
+
+* Registry: easier push/pull to a custom registry
++ Documentation: add terminology section
+
+## 0.4.6 (2013-06-22)
+
+- Runtime: fix a bug which caused creation of empty images (and volumes) to crash.
+
+## 0.4.5 (2013-06-21)
+
++ Builder: 'docker build git://URL' fetches and builds a remote git repository
+* Runtime: 'docker ps -s' optionally prints container size
+* Tests: improved and simplified
+- Runtime: fix a regression introduced in 0.4.3 which caused the logs command to fail.
+- Builder: fix a regression when using ADD with single regular file.
+
+## 0.4.4 (2013-06-19)
+
+- Builder: fix a regression introduced in 0.4.3 which caused builds to fail on new clients.
+
+## 0.4.3 (2013-06-19)
+
+#### Builder
+
++ ADD of a local file will detect tar archives and unpack them
+* ADD improvements: use tar for copy + automatically unpack local archives
+* ADD uses tar/untar for copies instead of calling 'cp -ar'
+* Fix the behavior of ADD to be (mostly) reverse-compatible, predictable and well-documented.
+- Fix a bug which caused builds to fail if ADD was the first command
+* Nicer output for 'docker build'
+
+#### Runtime
+
+* Remove bsdtar dependency
+* Add unix socket and multiple -H support
+* Prevent rm of running containers
+* Use go1.1 cookiejar
+- Fix issue detaching from running TTY container
+- Forbid parallel push/pull for a single image/repo. Fixes #311
+- Fix race condition within Run command when attaching.
+
+#### Client
+
+* HumanReadable ProgressBar sizes in pull
+* Fix docker version`s git commit output
+
+#### API
+
+* Send all tags on History API call
+* Add tag lookup to history command. Fixes #882
+
+#### Documentation
+
+- Fix missing command in irc bouncer example
+
+## 0.4.2 (2013-06-17)
+
+- Packaging: Bumped version to work around an Ubuntu bug
+
+## 0.4.1 (2013-06-17)
+
+#### Remote Api
+
++ Add flag to enable cross domain requests
++ Add images and containers sizes in docker ps and docker images
+
+#### Runtime
+
++ Configure dns configuration host-wide with 'docker -d -dns'
++ Detect faulty DNS configuration and replace it with a public default
++ Allow docker run <name>:<id>
++ You can now specify public port (ex: -p 80:4500)
+* Improve image removal to garbage-collect unreferenced parents
+
+#### Client
+
+* Allow multiple params in inspect
+* Print the container id before the hijack in `docker run`
+
+#### Registry
+
+* Add regexp check on repo`s name
+* Move auth to the client
+- Remove login check on pull
+
+#### Other
+
+* Vagrantfile: Add the rest api port to vagrantfile`s port_forward
+* Upgrade to Go 1.1
+- Builder: don`t ignore last line in Dockerfile when it doesn`t end with \n
+
+## 0.4.0 (2013-06-03)
+
+#### Builder
+
++ Introducing Builder
++ 'docker build' builds a container, layer by layer, from a source repository containing a Dockerfile
+
+#### Remote API
+
++ Introducing Remote API
++ control Docker programmatically using a simple HTTP/json API
+
+#### Runtime
+
+* Various reliability and usability improvements
+
+## 0.3.4 (2013-05-30)
+
+#### Builder
+
++ 'docker build' builds a container, layer by layer, from a source repository containing a Dockerfile
++ 'docker build -t FOO' applies the tag FOO to the newly built container.
+
+#### Runtime
+
++ Interactive TTYs correctly handle window resize
+* Fix how configuration is merged between layers
+
+#### Remote API
+
++ Split stdout and stderr on 'docker run'
++ Optionally listen on a different IP and port (use at your own risk)
+
+#### Documentation
+
+* Improve install instructions.
+
+## 0.3.3 (2013-05-23)
+
+- Registry: Fix push regression
+- Various bugfixes
+
+## 0.3.2 (2013-05-09)
+
+#### Registry
+
+* Improve the checksum process
+* Use the size to have a good progress bar while pushing
+* Use the actual archive if it exists in order to speed up the push
+- Fix error 400 on push
+
+#### Runtime
+
+* Store the actual archive on commit
+
+## 0.3.1 (2013-05-08)
+
+#### Builder
+
++ Implement the autorun capability within docker builder
++ Add caching to docker builder
++ Add support for docker builder with native API as top level command
++ Implement ENV within docker builder
+- Check the command existence prior create and add Unit tests for the case
+* use any whitespaces instead of tabs
+
+#### Runtime
+
++ Add go version to debug infos
+* Kernel version - don`t show the dash if flavor is empty
+
+#### Registry
+
++ Add docker search top level command in order to search a repository
+- Fix pull for official images with specific tag
+- Fix issue when login in with a different user and trying to push
+* Improve checksum - async calculation
+
+#### Images
+
++ Output graph of images to dot (graphviz)
+- Fix ByParent function
+
+#### Documentation
+
++ New introduction and high-level overview
++ Add the documentation for docker builder
+- CSS fix for docker documentation to make REST API docs look better.
+- Fix CouchDB example page header mistake
+- Fix README formatting
+* Update www.docker.io website.
+
+#### Other
+
++ Website: new high-level overview
+- Makefile: Swap "go get" for "go get -d", especially to compile on go1.1rc
+* Packaging: packaging ubuntu; issue #510: Use goland-stable PPA package to build docker
+
+## 0.3.0 (2013-05-06)
+
+#### Runtime
+
+- Fix the command existence check
+- strings.Split may return an empty string on no match
+- Fix an index out of range crash if cgroup memory is not
+
+#### Documentation
+
+* Various improvements
++ New example: sharing data between 2 couchdb databases
+
+#### Other
+
+* Vagrant: Use only one deb line in /etc/apt
++ Registry: Implement the new registry
+
+## 0.2.2 (2013-05-03)
+
++ Support for data volumes ('docker run -v=PATH')
++ Share data volumes between containers ('docker run -volumes-from')
++ Improve documentation
+* Upgrade to Go 1.0.3
+* Various upgrades to the dev environment for contributors
+
+## 0.2.1 (2013-05-01)
+
++ 'docker commit -run' bundles a layer with default runtime options: command, ports etc.
+* Improve install process on Vagrant
++ New Dockerfile operation: "maintainer"
++ New Dockerfile operation: "expose"
++ New Dockerfile operation: "cmd"
++ Contrib script to build a Debian base layer
++ 'docker -d -r': restart crashed containers at daemon startup
+* Runtime: improve test coverage
+
+## 0.2.0 (2013-04-23)
+
+- Runtime: ghost containers can be killed and waited for
+* Documentation: update install instructions
+- Packaging: fix Vagrantfile
+- Development: automate releasing binaries and ubuntu packages
++ Add a changelog
+- Various bugfixes
+
+## 0.1.8 (2013-04-22)
+
+- Dynamically detect cgroup capabilities
+- Issue stability warning on kernels <3.8
+- 'docker push' buffers on disk instead of memory
+- Fix 'docker diff' for removed files
+- Fix 'docker stop' for ghost containers
+- Fix handling of pidfile
+- Various bugfixes and stability improvements
+
+## 0.1.7 (2013-04-18)
+
+- Container ports are available on localhost
+- 'docker ps' shows allocated TCP ports
+- Contributors can run 'make hack' to start a continuous integration VM
+- Streamline ubuntu packaging & uploading
+- Various bugfixes and stability improvements
+
+## 0.1.6 (2013-04-17)
+
+- Record the author an image with 'docker commit -author'
+
+## 0.1.5 (2013-04-17)
+
+- Disable standalone mode
+- Use a custom DNS resolver with 'docker -d -dns'
+- Detect ghost containers
+- Improve diagnosis of missing system capabilities
+- Allow disabling memory limits at compile time
+- Add debian packaging
+- Documentation: installing on Arch Linux
+- Documentation: running Redis on docker
+- Fix lxc 0.9 compatibility
+- Automatically load aufs module
+- Various bugfixes and stability improvements
+
+## 0.1.4 (2013-04-09)
+
+- Full support for TTY emulation
+- Detach from a TTY session with the escape sequence `C-p C-q`
+- Various bugfixes and stability improvements
+- Minor UI improvements
+- Automatically create our own bridge interface 'docker0'
+
+## 0.1.3 (2013-04-04)
+
+- Choose TCP frontend port with '-p :PORT'
+- Layer format is versioned
+- Major reliability improvements to the process manager
+- Various bugfixes and stability improvements
+
+## 0.1.2 (2013-04-03)
+
+- Set container hostname with 'docker run -h'
+- Selective attach at run with 'docker run -a [stdin[,stdout[,stderr]]]'
+- Various bugfixes and stability improvements
+- UI polish
+- Progress bar on push/pull
+- Use XZ compression by default
+- Make IP allocator lazy
+
+## 0.1.1 (2013-03-31)
+
+- Display shorthand IDs for convenience
+- Stabilize process management
+- Layers can include a commit message
+- Simplified 'docker attach'
+- Fix support for re-attaching
+- Various bugfixes and stability improvements
+- Auto-download at run
+- Auto-login on push
+- Beefed up documentation
+
+## 0.1.0 (2013-03-23)
+
+Initial public release
+
+- Implement registry in order to push/pull images
+- TCP port allocation
+- Fix termcaps on Linux
+- Add documentation
+- Add Vagrant support with Vagrantfile
+- Add unit tests
+- Add repository/tags to ease image management
+- Improve the layer implementation
diff --git a/engine/CONTRIBUTING.md b/engine/CONTRIBUTING.md
new file mode 100644
index 00000000..daefdada
--- /dev/null
+++ b/engine/CONTRIBUTING.md
@@ -0,0 +1,458 @@
+# Contribute to the Moby Project
+
+Want to hack on the Moby Project? Awesome! We have a contributor's guide that explains
+[setting up a development environment and the contribution
+process](docs/contributing/). 
+
+[![Contributors guide](docs/static_files/contributors.png)](https://docs.docker.com/opensource/project/who-written-for/)
+
+This page contains information about reporting issues as well as some tips and
+guidelines useful to experienced open source contributors. Finally, make sure
+you read our [community guidelines](#moby-community-guidelines) before you
+start participating.
+
+## Topics
+
+* [Reporting Security Issues](#reporting-security-issues)
+* [Design and Cleanup Proposals](#design-and-cleanup-proposals)
+* [Reporting Issues](#reporting-other-issues)
+* [Quick Contribution Tips and Guidelines](#quick-contribution-tips-and-guidelines)
+* [Community Guidelines](#moby-community-guidelines)
+
+## Reporting security issues
+
+The Moby maintainers take security seriously. If you discover a security
+issue, please bring it to their attention right away!
+
+Please **DO NOT** file a public issue, instead send your report privately to
+[security@docker.com](mailto:security@docker.com).
+
+Security reports are greatly appreciated and we will publicly thank you for it.
+We also like to send gifts&mdash;if you're into schwag, make sure to let
+us know. We currently do not offer a paid security bounty program, but are not
+ruling it out in the future.
+
+
+## Reporting other issues
+
+A great way to contribute to the project is to send a detailed report when you
+encounter an issue. We always appreciate a well-written, thorough bug report,
+and will thank you for it!
+
+Check that [our issue database](https://github.com/moby/moby/issues)
+doesn't already include that problem or suggestion before submitting an issue.
+If you find a match, you can use the "subscribe" button to get notified on
+updates. Do *not* leave random "+1" or "I have this too" comments, as they
+only clutter the discussion, and don't help resolving it. However, if you
+have ways to reproduce the issue or have additional information that may help
+resolving the issue, please leave a comment.
+
+When reporting issues, always include:
+
+* The output of `docker version`.
+* The output of `docker info`.
+
+Also include the steps required to reproduce the problem if possible and
+applicable. This information will help us review and fix your issue faster.
+When sending lengthy log-files, consider posting them as a gist (https://gist.github.com).
+Don't forget to remove sensitive data from your logfiles before posting (you can
+replace those parts with "REDACTED").
+
+## Quick contribution tips and guidelines
+
+This section gives the experienced contributor some tips and guidelines.
+
+### Pull requests are always welcome
+
+Not sure if that typo is worth a pull request? Found a bug and know how to fix
+it? Do it! We will appreciate it. Any significant improvement should be
+documented as [a GitHub issue](https://github.com/moby/moby/issues) before
+anybody starts working on it.
+
+We are always thrilled to receive pull requests. We do our best to process them
+quickly. If your pull request is not accepted on the first try,
+don't get discouraged! Our contributor's guide explains [the review process we
+use for simple changes](https://docs.docker.com/opensource/workflow/make-a-contribution/).
+
+### Design and cleanup proposals
+
+You can propose new designs for existing Docker features. You can also design
+entirely new features. We really appreciate contributors who want to refactor or
+otherwise cleanup our project. For information on making these types of
+contributions, see [the advanced contribution
+section](https://docs.docker.com/opensource/workflow/advanced-contributing/) in
+the contributors guide.
+
+### Connect with other Moby Project contributors
+
+<table class="tg">
+  <col width="45%">
+  <col width="65%">
+  <tr>
+    <td>Forums</td>
+    <td>
+      A public forum for users to discuss questions and explore current design patterns and
+      best practices about all the Moby projects. To participate, log in with your Github
+      account or create an account at <a href="https://forums.mobyproject.org" target="_blank">https://forums.mobyproject.org</a>.
+    </td>
+  </tr>
+  <tr>
+    <td>Slack</td>
+    <td>
+      <p>
+        Register for the Docker Community Slack at
+	<a href="https://community.docker.com/registrations/groups/4316" target="_blank">https://community.docker.com/registrations/groups/4316</a>.
+        We use the #moby-project channel for general discussion, and there are separate channels for other Moby projects such as #containerd.
+	Archives are available at <a href="https://dockercommunity.slackarchive.io/" target="_blank">https://dockercommunity.slackarchive.io/</a>.
+      </p>
+    </td>
+  </tr>
+  <tr>
+    <td>Twitter</td>
+    <td>
+      You can follow <a href="https://twitter.com/moby/" target="_blank">Moby Project Twitter feed</a>
+      to get updates on our products. You can also tweet us questions or just
+      share blogs or stories.
+    </td>
+  </tr>
+</table>
+
+
+### Conventions
+
+Fork the repository and make changes on your fork in a feature branch:
+
+- If it's a bug fix branch, name it XXXX-something where XXXX is the number of
+	the issue. 
+- If it's a feature branch, create an enhancement issue to announce
+	your intentions, and name it XXXX-something where XXXX is the number of the
+	issue.
+
+Submit tests for your changes. See [TESTING.md](./TESTING.md) for details.
+
+If your changes need integration tests, write them against the API. The `cli`
+integration tests are slowly either migrated to API tests or moved away as unit
+tests in `docker/cli` and end-to-end tests for Docker.
+
+Update the documentation when creating or modifying features. Test your
+documentation changes for clarity, concision, and correctness, as well as a
+clean documentation build. See our contributors guide for [our style
+guide](https://docs.docker.com/opensource/doc-style) and instructions on [building
+the documentation](https://docs.docker.com/opensource/project/test-and-docs/#build-and-test-the-documentation).
+
+Write clean code. Universally formatted code promotes ease of writing, reading,
+and maintenance. Always run `gofmt -s -w file.go` on each changed file before
+committing your changes. Most editors have plug-ins that do this automatically.
+
+Pull request descriptions should be as clear as possible and include a reference
+to all the issues that they address.
+
+### Successful Changes
+
+Before contributing large or high impact changes, make the effort to coordinate
+with the maintainers of the project before submitting a pull request. This
+prevents you from doing extra work that may or may not be merged.
+
+Large PRs that are just submitted without any prior communication are unlikely
+to be successful.
+
+While pull requests are the methodology for submitting changes to code, changes
+are much more likely to be accepted if they are accompanied by additional
+engineering work. While we don't define this explicitly, most of these goals
+are accomplished through communication of the design goals and subsequent
+solutions. Often times, it helps to first state the problem before presenting
+solutions.
+
+Typically, the best methods of accomplishing this are to submit an issue,
+stating the problem. This issue can include a problem statement and a
+checklist with requirements. If solutions are proposed, alternatives should be
+listed and eliminated. Even if the criteria for elimination of a solution is
+frivolous, say so.
+
+Larger changes typically work best with design documents. These are focused on
+providing context to the design at the time the feature was conceived and can
+inform future documentation contributions.
+
+### Commit Messages
+
+Commit messages must start with a capitalized and short summary (max. 50 chars)
+written in the imperative, followed by an optional, more detailed explanatory
+text which is separated from the summary by an empty line.
+
+Commit messages should follow best practices, including explaining the context
+of the problem and how it was solved, including in caveats or follow up changes
+required. They should tell the story of the change and provide readers
+understanding of what led to it.
+
+If you're lost about what this even means, please see [How to Write a Git
+Commit Message](http://chris.beams.io/posts/git-commit/) for a start.
+
+In practice, the best approach to maintaining a nice commit message is to
+leverage a `git add -p` and `git commit --amend` to formulate a solid
+changeset. This allows one to piece together a change, as information becomes
+available.
+
+If you squash a series of commits, don't just submit that. Re-write the commit
+message, as if the series of commits was a single stroke of brilliance.
+
+That said, there is no requirement to have a single commit for a PR, as long as
+each commit tells the story. For example, if there is a feature that requires a
+package, it might make sense to have the package in a separate commit then have
+a subsequent commit that uses it.
+
+Remember, you're telling part of the story with the commit message. Don't make
+your chapter weird.
+
+### Review
+
+Code review comments may be added to your pull request. Discuss, then make the
+suggested modifications and push additional commits to your feature branch. Post
+a comment after pushing. New commits show up in the pull request automatically,
+but the reviewers are notified only when you comment.
+
+Pull requests must be cleanly rebased on top of master without multiple branches
+mixed into the PR.
+
+**Git tip**: If your PR no longer merges cleanly, use `rebase master` in your
+feature branch to update your pull request rather than `merge master`.
+
+Before you make a pull request, squash your commits into logical units of work
+using `git rebase -i` and `git push -f`. A logical unit of work is a consistent
+set of patches that should be reviewed together: for example, upgrading the
+version of a vendored dependency and taking advantage of its now available new
+feature constitute two separate units of work. Implementing a new function and
+calling it in another file constitute a single logical unit of work. The very
+high majority of submissions should have a single commit, so if in doubt: squash
+down to one.
+
+After every commit, [make sure the test suite passes](./TESTING.md). Include
+documentation changes in the same pull request so that a revert would remove
+all traces of the feature or fix.
+
+Include an issue reference like `Closes #XXXX` or `Fixes #XXXX` in commits that
+close an issue. Including references automatically closes the issue on a merge.
+
+Please do not add yourself to the `AUTHORS` file, as it is regenerated regularly
+from the Git history.
+
+Please see the [Coding Style](#coding-style) for further guidelines.
+
+### Merge approval
+
+Moby maintainers use LGTM (Looks Good To Me) in comments on the code review to
+indicate acceptance, or use the Github review approval feature.
+
+For an explanation of the review and approval process see the
+[REVIEWING](project/REVIEWING.md) page.
+
+### Sign your work
+
+The sign-off is a simple line at the end of the explanation for the patch. Your
+signature certifies that you wrote the patch or otherwise have the right to pass
+it on as an open-source patch. The rules are pretty simple: if you can certify
+the below (from [developercertificate.org](http://developercertificate.org/)):
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+1 Letterman Drive
+Suite D4700
+San Francisco, CA, 94129
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+Then you just add a line to every git commit message:
+
+    Signed-off-by: Joe Smith <joe.smith@email.com>
+
+Use your real name (sorry, no pseudonyms or anonymous contributions.)
+
+If you set your `user.name` and `user.email` git configs, you can sign your
+commit automatically with `git commit -s`.
+
+### How can I become a maintainer?
+
+The procedures for adding new maintainers are explained in the 
+[/project/GOVERNANCE.md](/project/GOVERNANCE.md)
+file in this repository.
+
+Don't forget: being a maintainer is a time investment. Make sure you
+will have time to make yourself available. You don't have to be a
+maintainer to make a difference on the project!
+
+### Manage issues and pull requests using the Derek bot
+
+If you want to help label, assign, close or reopen issues or pull requests
+without commit rights, ask a maintainer to add your Github handle to the 
+`.DEREK.yml` file. [Derek](https://github.com/alexellis/derek) is a bot that extends
+Github's user permissions to help non-committers to manage issues and pull requests simply by commenting.
+
+For example:
+
+* Labels
+
+```
+Derek add label: kind/question
+Derek remove label: status/claimed
+```
+
+* Assign work
+
+```
+Derek assign: username
+Derek unassign: me
+```
+
+* Manage issues and PRs
+
+```
+Derek close
+Derek reopen
+```
+
+## Moby community guidelines
+
+We want to keep the Moby community awesome, growing and collaborative. We need
+your help to keep it that way. To help with this we've come up with some general
+guidelines for the community as a whole:
+
+* Be nice: Be courteous, respectful and polite to fellow community members:
+  no regional, racial, gender, or other abuse will be tolerated. We like
+  nice people way better than mean ones!
+
+* Encourage diversity and participation: Make everyone in our community feel
+  welcome, regardless of their background and the extent of their
+  contributions, and do everything possible to encourage participation in
+  our community.
+
+* Keep it legal: Basically, don't get us in trouble. Share only content that
+  you own, do not share private or sensitive information, and don't break
+  the law.
+
+* Stay on topic: Make sure that you are posting to the correct channel and
+  avoid off-topic discussions. Remember when you update an issue or respond
+  to an email you are potentially sending to a large number of people. Please
+  consider this before you update. Also remember that nobody likes spam.
+
+* Don't send email to the maintainers: There's no need to send email to the
+  maintainers to ask them to investigate an issue or to take a look at a
+  pull request. Instead of sending an email, GitHub mentions should be
+  used to ping maintainers to review a pull request, a proposal or an
+  issue.
+
+The open source governance for this repository is handled via the [Moby Technical Steering Committee (TSC)](https://github.com/moby/tsc)
+charter. For any concerns with the community process regarding technical contributions,
+please contact the TSC. More information on project governance is available in
+our [project/GOVERNANCE.md](/project/GOVERNANCE.md) document.
+
+### Guideline violations — 3 strikes method
+
+The point of this section is not to find opportunities to punish people, but we
+do need a fair way to deal with people who are making our community suck.
+
+1. First occurrence: We'll give you a friendly, but public reminder that the
+   behavior is inappropriate according to our guidelines.
+
+2. Second occurrence: We will send you a private message with a warning that
+   any additional violations will result in removal from the community.
+
+3. Third occurrence: Depending on the violation, we may need to delete or ban
+   your account.
+
+**Notes:**
+
+* Obvious spammers are banned on first occurrence. If we don't do this, we'll
+  have spam all over the place.
+
+* Violations are forgiven after 6 months of good behavior, and we won't hold a
+  grudge.
+
+* People who commit minor infractions will get some education, rather than
+  hammering them in the 3 strikes process.
+
+* The rules apply equally to everyone in the community, no matter how much
+	you've contributed.
+
+* Extreme violations of a threatening, abusive, destructive or illegal nature
+	will be addressed immediately and are not subject to 3 strikes or forgiveness.
+
+* Contact abuse@docker.com to report abuse or appeal violations. In the case of
+	appeals, we know that mistakes happen, and we'll work with you to come up with a
+	fair solution if there has been a misunderstanding.
+
+## Coding Style
+
+Unless explicitly stated, we follow all coding guidelines from the Go
+community. While some of these standards may seem arbitrary, they somehow seem
+to result in a solid, consistent codebase.
+
+It is possible that the code base does not currently comply with these
+guidelines. We are not looking for a massive PR that fixes this, since that
+goes against the spirit of the guidelines. All new contributions should make a
+best effort to clean up and make the code base better than they left it.
+Obviously, apply your best judgement. Remember, the goal here is to make the
+code base easier for humans to navigate and understand. Always keep that in
+mind when nudging others to comply.
+
+The rules:
+
+1. All code should be formatted with `gofmt -s`.
+2. All code should pass the default levels of
+   [`golint`](https://github.com/golang/lint).
+3. All code should follow the guidelines covered in [Effective
+   Go](http://golang.org/doc/effective_go.html) and [Go Code Review
+   Comments](https://github.com/golang/go/wiki/CodeReviewComments).
+4. Comment the code. Tell us the why, the history and the context.
+5. Document _all_ declarations and methods, even private ones. Declare
+   expectations, caveats and anything else that may be important. If a type
+   gets exported, having the comments already there will ensure it's ready.
+6. Variable name length should be proportional to its context and no longer.
+   `noCommaALongVariableNameLikeThisIsNotMoreClearWhenASimpleCommentWouldDo`.
+   In practice, short methods will have short variable names and globals will
+   have longer names.
+7. No underscores in package names. If you need a compound name, step back,
+   and re-examine why you need a compound name. If you still think you need a
+   compound name, lose the underscore.
+8. No utils or helpers packages. If a function is not general enough to
+   warrant its own package, it has not been written generally enough to be a
+   part of a util package. Just leave it unexported and well-documented.
+9. All tests should run with `go test` and outside tooling should not be
+   required. No, we don't need another unit testing framework. Assertion
+   packages are acceptable if they provide _real_ incremental value.
+10. Even though we call these "rules" above, they are actually just
+    guidelines. Since you've read all the rules, you now know that.
+
+If you are having trouble getting into the mood of idiomatic Go, we recommend
+reading through [Effective Go](https://golang.org/doc/effective_go.html). The
+[Go Blog](https://blog.golang.org) is also a great resource. Drinking the
+kool-aid is a lot easier than going thirsty.
diff --git a/engine/Dockerfile b/engine/Dockerfile
new file mode 100644
index 00000000..38ca482a
--- /dev/null
+++ b/engine/Dockerfile
@@ -0,0 +1,240 @@
+# This file describes the standard way to build Docker, using docker
+#
+# Usage:
+#
+# # Use make to build a development environment image and run it in a container.
+# # This is slow the first time.
+# make BIND_DIR=. shell
+#
+# The following commands are executed inside the running container.
+
+# # Make a dockerd binary.
+# # hack/make.sh binary
+#
+# # Install dockerd to /usr/local/bin
+# # make install
+#
+# # Run unit tests
+# # hack/test/unit
+#
+# # Run tests e.g. integration, py
+# # hack/make.sh binary test-integration test-docker-py
+#
+# Note: AppArmor used to mess with privileged mode, but this is no longer
+# the case. Therefore, you don't have to disable it anymore.
+#
+
+FROM golang:1.10.3 AS base
+# FIXME(vdemeester) this is kept for other script depending on it to not fail right away
+# Remove this once the other scripts uses something else to detect the version
+ENV GO_VERSION 1.10.3
+# allow replacing httpredir or deb mirror
+ARG APT_MIRROR=deb.debian.org
+RUN sed -ri "s/(httpredir|deb).debian.org/$APT_MIRROR/g" /etc/apt/sources.list
+
+FROM base AS criu
+# Install CRIU for checkpoint/restore support
+ENV CRIU_VERSION 3.6
+# Install dependancy packages specific to criu
+RUN apt-get update && apt-get install -y \
+	libnet-dev \
+	libprotobuf-c0-dev \
+	libprotobuf-dev \
+	libnl-3-dev \
+	libcap-dev \
+	protobuf-compiler \
+	protobuf-c-compiler \
+	python-protobuf \
+	&& mkdir -p /usr/src/criu \
+	&& curl -sSL https://github.com/checkpoint-restore/criu/archive/v${CRIU_VERSION}.tar.gz | tar -C /usr/src/criu/ -xz --strip-components=1 \
+	&& cd /usr/src/criu \
+	&& make \
+	&& make PREFIX=/build/ install-criu
+
+FROM base AS registry
+# Install two versions of the registry. The first is an older version that
+# only supports schema1 manifests. The second is a newer version that supports
+# both. This allows integration-cli tests to cover push/pull with both schema1
+# and schema2 manifests.
+ENV REGISTRY_COMMIT_SCHEMA1 ec87e9b6971d831f0eff752ddb54fb64693e51cd
+ENV REGISTRY_COMMIT 47a064d4195a9b56133891bbb13620c3ac83a827
+RUN set -x \
+	&& export GOPATH="$(mktemp -d)" \
+	&& git clone https://github.com/docker/distribution.git "$GOPATH/src/github.com/docker/distribution" \
+	&& (cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT") \
+	&& GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH" \
+		go build -buildmode=pie -o /build/registry-v2 github.com/docker/distribution/cmd/registry \
+	&& case $(dpkg --print-architecture) in \
+		amd64|ppc64*|s390x) \
+		(cd "$GOPATH/src/github.com/docker/distribution" && git checkout -q "$REGISTRY_COMMIT_SCHEMA1"); \
+		GOPATH="$GOPATH/src/github.com/docker/distribution/Godeps/_workspace:$GOPATH"; \
+			go build -buildmode=pie -o /build/registry-v2-schema1 github.com/docker/distribution/cmd/registry; \
+		;; \
+	   esac \
+	&& rm -rf "$GOPATH"
+
+
+
+FROM base AS docker-py
+# Get the "docker-py" source so we can run their integration tests
+ENV DOCKER_PY_COMMIT 8b246db271a85d6541dc458838627e89c683e42f
+RUN git clone https://github.com/docker/docker-py.git /build \
+	&& cd /build \
+	&& git checkout -q $DOCKER_PY_COMMIT
+
+
+
+FROM base AS swagger
+# Install go-swagger for validating swagger.yaml
+ENV GO_SWAGGER_COMMIT c28258affb0b6251755d92489ef685af8d4ff3eb
+RUN set -x \
+	&& export GOPATH="$(mktemp -d)" \
+	&& git clone https://github.com/go-swagger/go-swagger.git "$GOPATH/src/github.com/go-swagger/go-swagger" \
+	&& (cd "$GOPATH/src/github.com/go-swagger/go-swagger" && git checkout -q "$GO_SWAGGER_COMMIT") \
+	&& go build -o /build/swagger github.com/go-swagger/go-swagger/cmd/swagger \
+	&& rm -rf "$GOPATH"
+
+
+FROM base AS frozen-images
+RUN apt-get update && apt-get install -y jq ca-certificates --no-install-recommends
+# Get useful and necessary Hub images so we can "docker load" locally instead of pulling
+COPY contrib/download-frozen-image-v2.sh /
+RUN /download-frozen-image-v2.sh /build \
+	buildpack-deps:jessie@sha256:dd86dced7c9cd2a724e779730f0a53f93b7ef42228d4344b25ce9a42a1486251 \
+	busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0 \
+	busybox:glibc@sha256:0b55a30394294ab23b9afd58fab94e61a923f5834fba7ddbae7f8e0c11ba85e6 \
+	debian:jessie@sha256:287a20c5f73087ab406e6b364833e3fb7b3ae63ca0eb3486555dc27ed32c6e60 \
+	hello-world:latest@sha256:be0cd392e45be79ffeffa6b05338b98ebb16c87b255f48e297ec7f98e123905c
+# See also ensureFrozenImagesLinux() in "integration-cli/fixtures_linux_daemon_test.go" (which needs to be updated when adding images to this list)
+
+# Just a little hack so we don't have to install these deps twice, once for runc and once for dockerd
+FROM base AS runtime-dev
+RUN apt-get update && apt-get install -y \
+	libapparmor-dev \
+	libseccomp-dev
+
+
+FROM base AS tomlv
+ENV INSTALL_BINARY_NAME=tomlv
+COPY hack/dockerfile/install/install.sh ./install.sh
+COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
+RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
+
+FROM base AS vndr
+ENV INSTALL_BINARY_NAME=vndr
+COPY hack/dockerfile/install/install.sh ./install.sh
+COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
+RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
+
+FROM base AS containerd
+RUN apt-get update && apt-get install -y btrfs-tools
+ENV INSTALL_BINARY_NAME=containerd
+COPY hack/dockerfile/install/install.sh ./install.sh
+COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
+RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
+
+FROM base AS proxy
+ENV INSTALL_BINARY_NAME=proxy
+COPY hack/dockerfile/install/install.sh ./install.sh
+COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
+RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
+
+FROM base AS gometalinter
+ENV INSTALL_BINARY_NAME=gometalinter
+COPY hack/dockerfile/install/install.sh ./install.sh
+COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
+RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
+
+FROM base AS dockercli
+ENV INSTALL_BINARY_NAME=dockercli
+COPY hack/dockerfile/install/install.sh ./install.sh
+COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
+RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
+
+FROM runtime-dev AS runc
+ENV INSTALL_BINARY_NAME=runc
+COPY hack/dockerfile/install/install.sh ./install.sh
+COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
+RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
+
+FROM base AS tini
+RUN apt-get update && apt-get install -y cmake vim-common
+COPY hack/dockerfile/install/install.sh ./install.sh
+ENV INSTALL_BINARY_NAME=tini
+COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
+RUN PREFIX=/build/ ./install.sh $INSTALL_BINARY_NAME
+
+
+
+# TODO: Some of this is only really needed for testing, it would be nice to split this up
+FROM runtime-dev AS dev
+RUN groupadd -r docker
+RUN useradd --create-home --gid docker unprivilegeduser
+# Activate bash completion and include Docker's completion if mounted with DOCKER_BASH_COMPLETION_PATH
+RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc
+RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker
+RUN ldconfig
+# This should only install packages that are specifically needed for the dev environment and nothing else
+# Do you really need to add another package here? Can it be done in a different build stage?
+RUN apt-get update && apt-get install -y \
+	apparmor \
+	aufs-tools \
+	bash-completion \
+	btrfs-tools \
+	iptables \
+	jq \
+	libdevmapper-dev \
+	libudev-dev \
+	libsystemd-dev \
+	binutils-mingw-w64 \
+	g++-mingw-w64-x86-64 \
+	net-tools \
+	pigz \
+	python-backports.ssl-match-hostname \
+	python-dev \
+	python-mock \
+	python-pip \
+	python-requests \
+	python-setuptools \
+	python-websocket \
+	python-wheel \
+	thin-provisioning-tools \
+	vim \
+	vim-common \
+	xfsprogs \
+	zip \
+	bzip2 \
+	xz-utils \
+	--no-install-recommends
+COPY --from=swagger /build/swagger* /usr/local/bin/
+COPY --from=frozen-images /build/ /docker-frozen-images
+COPY --from=gometalinter /build/ /usr/local/bin/
+COPY --from=tomlv /build/ /usr/local/bin/
+COPY --from=vndr /build/ /usr/local/bin/
+COPY --from=tini /build/ /usr/local/bin/
+COPY --from=runc /build/ /usr/local/bin/
+COPY --from=containerd /build/ /usr/local/bin/
+COPY --from=proxy /build/ /usr/local/bin/
+COPY --from=dockercli /build/ /usr/local/cli
+COPY --from=registry /build/registry* /usr/local/bin/
+COPY --from=criu /build/ /usr/local/
+COPY --from=docker-py /build/ /docker-py
+# TODO: This is for the docker-py tests, which shouldn't really be needed for
+# this image, but currently CI is expecting to run this image. This should be
+# split out into a separate image, including all the `python-*` deps installed
+# above.
+RUN cd /docker-py \
+	&& pip install docker-pycreds==0.2.1 \
+	&& pip install yamllint==1.5.0 \
+	&& pip install -r test-requirements.txt
+
+ENV PATH=/usr/local/cli:$PATH
+ENV DOCKER_BUILDTAGS apparmor seccomp selinux
+# Options for hack/validate/gometalinter
+ENV GOMETALINTER_OPTS="--deadline=2m"
+WORKDIR /go/src/github.com/docker/docker
+VOLUME /var/lib/docker
+# Wrap all commands in the "docker-in-docker" script to allow nested containers
+ENTRYPOINT ["hack/dind"]
+# Upload docker source
+COPY . /go/src/github.com/docker/docker
diff --git a/engine/Dockerfile.e2e b/engine/Dockerfile.e2e
new file mode 100644
index 00000000..663a58af
--- /dev/null
+++ b/engine/Dockerfile.e2e
@@ -0,0 +1,74 @@
+## Step 1: Build tests
+FROM golang:1.10.3-alpine3.7 as builder
+
+RUN apk add --update \
+    bash \
+    btrfs-progs-dev \
+    build-base \
+    curl \
+    lvm2-dev \
+    jq \
+    && rm -rf /var/cache/apk/*
+
+RUN mkdir -p /go/src/github.com/docker/docker/
+WORKDIR /go/src/github.com/docker/docker/
+
+# Generate frozen images
+COPY contrib/download-frozen-image-v2.sh contrib/download-frozen-image-v2.sh
+RUN contrib/download-frozen-image-v2.sh /output/docker-frozen-images \
+	buildpack-deps:jessie@sha256:dd86dced7c9cd2a724e779730f0a53f93b7ef42228d4344b25ce9a42a1486251 \
+	busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0 \
+	busybox:glibc@sha256:0b55a30394294ab23b9afd58fab94e61a923f5834fba7ddbae7f8e0c11ba85e6 \
+	debian:jessie@sha256:287a20c5f73087ab406e6b364833e3fb7b3ae63ca0eb3486555dc27ed32c6e60 \
+	hello-world:latest@sha256:be0cd392e45be79ffeffa6b05338b98ebb16c87b255f48e297ec7f98e123905c
+
+# Install dockercli
+# Please edit hack/dockerfile/install/<name>.installer to update them.
+COPY hack/dockerfile/install hack/dockerfile/install
+RUN ./hack/dockerfile/install/install.sh dockercli
+
+# Set tag and add sources
+ARG DOCKER_GITCOMMIT
+ENV DOCKER_GITCOMMIT=${DOCKER_GITCOMMIT:-undefined}
+ADD . .
+
+# Build DockerSuite.TestBuild* dependency
+RUN CGO_ENABLED=0 go build -buildmode=pie -o /output/httpserver github.com/docker/docker/contrib/httpserver
+
+# Build the integration tests and copy the resulting binaries to /output/tests
+RUN hack/make.sh build-integration-test-binary
+RUN mkdir -p /output/tests && find . -name test.main -exec cp --parents '{}' /output/tests \;
+
+## Step 2: Generate testing image
+FROM alpine:3.7 as runner
+
+# GNU tar is used for generating the emptyfs image
+RUN apk add --update \
+    bash \
+    ca-certificates \
+    g++ \
+    git \
+    iptables \
+    pigz \
+    tar \
+    xz \
+    && rm -rf /var/cache/apk/*
+
+# Add an unprivileged user to be used for tests which need it
+RUN addgroup docker && adduser -D -G docker unprivilegeduser -s /bin/ash
+
+COPY contrib/httpserver/Dockerfile /tests/contrib/httpserver/Dockerfile
+COPY contrib/syscall-test /tests/contrib/syscall-test
+COPY integration-cli/fixtures /tests/integration-cli/fixtures
+
+COPY hack/test/e2e-run.sh /scripts/run.sh
+COPY hack/make/.ensure-emptyfs /scripts/ensure-emptyfs.sh
+
+COPY --from=builder /output/docker-frozen-images /docker-frozen-images
+COPY --from=builder /output/httpserver /tests/contrib/httpserver/httpserver
+COPY --from=builder /output/tests /tests
+COPY --from=builder /usr/local/bin/docker /usr/bin/docker
+
+ENV DOCKER_REMOTE_DAEMON=1 DOCKER_INTEGRATION_DAEMON_DEST=/
+
+ENTRYPOINT ["/scripts/run.sh"]
diff --git a/engine/Dockerfile.simple b/engine/Dockerfile.simple
new file mode 100644
index 00000000..b0338ac0
--- /dev/null
+++ b/engine/Dockerfile.simple
@@ -0,0 +1,62 @@
+# docker build -t docker:simple -f Dockerfile.simple .
+# docker run --rm docker:simple hack/make.sh dynbinary
+# docker run --rm --privileged docker:simple hack/dind hack/make.sh test-unit
+# docker run --rm --privileged -v /var/lib/docker docker:simple hack/dind hack/make.sh dynbinary test-integration
+
+# This represents the bare minimum required to build and test Docker.
+
+FROM debian:stretch
+
+# allow replacing httpredir or deb mirror
+ARG APT_MIRROR=deb.debian.org
+RUN sed -ri "s/(httpredir|deb).debian.org/$APT_MIRROR/g" /etc/apt/sources.list
+
+# Compile and runtime deps
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+		btrfs-tools \
+		build-essential \
+		curl \
+		cmake \
+		gcc \
+		git \
+		libapparmor-dev \
+		libdevmapper-dev \
+		libseccomp-dev \
+		ca-certificates \
+		e2fsprogs \
+		iptables \
+		pkg-config \
+		pigz \
+		procps \
+		xfsprogs \
+		xz-utils \
+		\
+		aufs-tools \
+		vim-common \
+	&& rm -rf /var/lib/apt/lists/*
+
+# Install Go
+# IMPORTANT: If the version of Go is updated, the Windows to Linux CI machines
+#            will need updating, to avoid errors. Ping #docker-maintainers on IRC
+#            with a heads-up.
+# IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored
+ENV GO_VERSION 1.10.3
+RUN curl -fsSL "https://golang.org/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
+	| tar -xzC /usr/local
+ENV PATH /go/bin:/usr/local/go/bin:$PATH
+ENV GOPATH /go
+ENV CGO_LDFLAGS -L/lib
+
+# Install runc, containerd, tini and docker-proxy
+# Please edit hack/dockerfile/install/<name>.installer to update them.
+COPY hack/dockerfile/install hack/dockerfile/install
+RUN for i in runc containerd tini proxy dockercli; \
+		do hack/dockerfile/install/install.sh $i; \
+	done
+ENV PATH=/usr/local/cli:$PATH
+
+ENV AUTO_GOPATH 1
+WORKDIR /usr/src/docker
+COPY . /usr/src/docker
diff --git a/engine/Dockerfile.windows b/engine/Dockerfile.windows
new file mode 100644
index 00000000..1b2c1f3c
--- /dev/null
+++ b/engine/Dockerfile.windows
@@ -0,0 +1,256 @@
+# escape=`
+
+# -----------------------------------------------------------------------------------------
+# This file describes the standard way to build Docker in a container on Windows
+# Server 2016 or Windows 10.
+#
+# Maintainer: @jhowardmsft
+# -----------------------------------------------------------------------------------------
+
+
+# Prerequisites:
+# --------------
+#
+# 1. Windows Server 2016 or Windows 10 with all Windows updates applied. The major 
+#    build number must be at least 14393. This can be confirmed, for example, by 
+#    running the following from an elevated PowerShell prompt - this sample output 
+#    is from a fully up to date machine as at mid-November 2016:
+#
+#    >> PS C:\> $(gin).WindowsBuildLabEx
+#    >> 14393.447.amd64fre.rs1_release_inmarket.161102-0100
+#
+# 2. Git for Windows (or another git client) must be installed. https://git-scm.com/download/win.
+#
+# 3. The machine must be configured to run containers. For example, by following
+#    the quick start guidance at https://msdn.microsoft.com/en-us/virtualization/windowscontainers/quick_start/quick_start or
+#    https://github.com/docker/labs/blob/master/windows/windows-containers/Setup.md
+#
+# 4. If building in a Hyper-V VM: For Windows Server 2016 using Windows Server
+#    containers as the default option, it is recommended you have at least 1GB 
+#    of memory assigned; For Windows 10 where Hyper-V Containers are employed, you
+#    should have at least 4GB of memory assigned. Note also, to run Hyper-V 
+#    containers in a VM, it is necessary to configure the VM for nested virtualization.
+
+# -----------------------------------------------------------------------------------------
+
+
+# Usage:
+# -----
+#
+#  The following steps should be run from an (elevated*) Windows PowerShell prompt. 
+#
+#  (*In a default installation of containers on Windows following the quick-start guidance at
+#    https://msdn.microsoft.com/en-us/virtualization/windowscontainers/quick_start/quick_start,
+#    the docker.exe client must run elevated to be able to connect to the daemon).
+#
+# 1. Clone the sources from github.com:
+#
+#    >>   git clone https://github.com/docker/docker.git C:\go\src\github.com\docker\docker
+#    >>   Cloning into 'C:\go\src\github.com\docker\docker'...
+#    >>   remote: Counting objects: 186216, done.
+#    >>   remote: Compressing objects: 100% (21/21), done.
+#    >>   remote: Total 186216 (delta 5), reused 0 (delta 0), pack-reused 186195
+#    >>   Receiving objects: 100% (186216/186216), 104.32 MiB | 8.18 MiB/s, done.
+#    >>   Resolving deltas: 100% (123139/123139), done.
+#    >>   Checking connectivity... done.
+#    >>   Checking out files: 100% (3912/3912), done.
+#    >>   PS C:\>
+#
+#
+# 2. Change directory to the cloned docker sources:
+#
+#    >>   cd C:\go\src\github.com\docker\docker 
+#
+#
+# 3. Build a docker image with the components required to build the docker binaries from source
+#    by running one of the following:
+#
+#    >>   docker build -t nativebuildimage -f Dockerfile.windows .          
+#    >>   docker build -t nativebuildimage -f Dockerfile.windows -m 2GB .    (if using Hyper-V containers)
+#
+#
+# 4. Build the docker executable binaries by running one of the following:
+#
+#    >>   $DOCKER_GITCOMMIT=(git rev-parse --short HEAD)
+#    >>   docker run --name binaries -e DOCKER_GITCOMMIT=$DOCKER_GITCOMMIT nativebuildimage hack\make.ps1 -Binary
+#    >>   docker run --name binaries -e DOCKER_GITCOMMIT=$DOCKER_GITCOMMIT -m 2GB nativebuildimage hack\make.ps1 -Binary    (if using Hyper-V containers)
+#
+#
+# 5. Copy the binaries out of the container, replacing HostPath with an appropriate destination 
+#    folder on the host system where you want the binaries to be located.
+#
+#    >>   docker cp binaries:C:\go\src\github.com\docker\docker\bundles\docker.exe C:\HostPath\docker.exe
+#    >>   docker cp binaries:C:\go\src\github.com\docker\docker\bundles\dockerd.exe C:\HostPath\dockerd.exe
+#
+#
+# 6. (Optional) Remove the interim container holding the built executable binaries:
+#
+#    >>    docker rm binaries
+#
+#
+# 7. (Optional) Remove the image used for the container in which the executable
+#    binaries are build. Tip - it may be useful to keep this image around if you need to
+#    build multiple times. Then you can take advantage of the builder cache to have an
+#    image which has all the components required to build the binaries already installed.
+#
+#    >>    docker rmi nativebuildimage
+#
+
+# -----------------------------------------------------------------------------------------
+
+
+#  The validation tests can only run directly on the host. This is because they calculate
+#  information from the git repo, but the .git directory is not passed into the image as
+#  it is excluded via .dockerignore. Run the following from a Windows PowerShell prompt
+#  (elevation is not required): (Note Go must be installed to run these tests)
+#
+#    >>   hack\make.ps1 -DCO -PkgImports -GoFormat
+
+
+# -----------------------------------------------------------------------------------------
+
+
+#  To run unit tests, ensure you have created the nativebuildimage above. Then run one of
+#  the following from an (elevated) Windows PowerShell prompt:
+#
+#    >>   docker run --rm nativebuildimage hack\make.ps1 -TestUnit
+#    >>   docker run --rm -m 2GB nativebuildimage hack\make.ps1 -TestUnit    (if using Hyper-V containers)
+
+
+# -----------------------------------------------------------------------------------------
+
+
+#  To run unit tests and binary build, ensure you have created the nativebuildimage above. Then 
+#  run one of the following from an (elevated) Windows PowerShell prompt:
+#
+#    >>   docker run nativebuildimage hack\make.ps1 -All
+#    >>   docker run -m 2GB nativebuildimage hack\make.ps1 -All    (if using Hyper-V containers)
+
+# -----------------------------------------------------------------------------------------
+
+
+# Important notes:
+# ---------------
+#
+# Don't attempt to use a bind mount to pass a local directory as the bundles target
+# directory. It does not work (golang attempts for follow a mapped folder incorrectly).
+# Instead, use docker cp as per the example.
+#
+# go.zip is not removed from the image as it is used by the Windows CI servers
+# to ensure the host and image are running consistent versions of go.
+#
+# Nanoserver support is a work in progress. Although the image will build if the 
+# FROM statement is updated, it will not work when running autogen through hack\make.ps1. 
+# It is suspected that the required GCC utilities (eg gcc, windres, windmc) silently
+# quit due to the use of console hooks which are not available.
+#
+# The docker integration tests do not currently run in a container on Windows, predominantly
+# due to Windows not supporting privileged mode, so anything using a volume would fail.
+# They (along with the rest of the docker CI suite) can be run using 
+# https://github.com/jhowardmsft/docker-w2wCIScripts/blob/master/runCI/Invoke-DockerCI.ps1.
+#
+# -----------------------------------------------------------------------------------------
+
+
+# The number of build steps below are explicitly minimised to improve performance.
+FROM microsoft/windowsservercore
+
+# Use PowerShell as the default shell
+SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
+
+# Environment variable notes:
+#  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
+#  - FROM_DOCKERFILE is used for detection of building within a container.
+ENV GO_VERSION=1.10.3 `
+    GIT_VERSION=2.11.1 `
+    GOPATH=C:\go `
+    FROM_DOCKERFILE=1
+
+RUN `
+  Function Test-Nano() { `
+    $EditionId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'EditionID').EditionId; `
+    return (($EditionId -eq 'ServerStandardNano') -or ($EditionId -eq 'ServerDataCenterNano') -or ($EditionId -eq 'NanoServer')); `
+  }`
+  `
+  Function Download-File([string] $source, [string] $target) { `
+    if (Test-Nano) { `
+      $handler = New-Object System.Net.Http.HttpClientHandler; `
+      $client = New-Object System.Net.Http.HttpClient($handler); `
+      $client.Timeout = New-Object System.TimeSpan(0, 30, 0); `
+      $cancelTokenSource = [System.Threading.CancellationTokenSource]::new(); `
+      $responseMsg = $client.GetAsync([System.Uri]::new($source), $cancelTokenSource.Token); `
+      $responseMsg.Wait(); `
+      if (!$responseMsg.IsCanceled) { `
+        $response = $responseMsg.Result; `
+        if ($response.IsSuccessStatusCode) { `
+          $downloadedFileStream = [System.IO.FileStream]::new($target, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write); `
+          $copyStreamOp = $response.Content.CopyToAsync($downloadedFileStream); `
+          $copyStreamOp.Wait(); `
+          $downloadedFileStream.Close(); `
+          if ($copyStreamOp.Exception -ne $null) { throw $copyStreamOp.Exception } `
+        } `
+      } else { `
+      Throw ("Failed to download " + $source) `
+      }`
+    } else { `
+      $webClient = New-Object System.Net.WebClient; `
+      $webClient.DownloadFile($source, $target); `
+    } `
+  } `
+  `
+  setx /M PATH $('C:\git\cmd;C:\git\usr\bin;'+$Env:PATH+';C:\gcc\bin;C:\go\bin'); `
+  `
+  Write-Host INFO: Downloading git...; `
+  $location='https://www.nuget.org/api/v2/package/GitForWindows/'+$Env:GIT_VERSION; `
+  Download-File $location C:\gitsetup.zip; `
+  `
+  Write-Host INFO: Downloading go...; `
+  Download-File $('https://golang.org/dl/go'+$Env:GO_VERSION+'.windows-amd64.zip') C:\go.zip; `
+  `
+  Write-Host INFO: Downloading compiler 1 of 3...; `
+  Download-File https://raw.githubusercontent.com/jhowardmsft/docker-tdmgcc/master/gcc.zip C:\gcc.zip; `
+  `
+  Write-Host INFO: Downloading compiler 2 of 3...; `
+  Download-File https://raw.githubusercontent.com/jhowardmsft/docker-tdmgcc/master/runtime.zip C:\runtime.zip; `
+  `
+  Write-Host INFO: Downloading compiler 3 of 3...; `
+  Download-File https://raw.githubusercontent.com/jhowardmsft/docker-tdmgcc/master/binutils.zip C:\binutils.zip; `
+  `
+  Write-Host INFO: Extracting git...; `
+  Expand-Archive C:\gitsetup.zip C:\git-tmp; `
+  New-Item -Type Directory C:\git | Out-Null; `
+  Move-Item C:\git-tmp\tools\* C:\git\.; `
+  Remove-Item -Recurse -Force C:\git-tmp; `
+  `
+  Write-Host INFO: Expanding go...; `
+  Expand-Archive C:\go.zip -DestinationPath C:\; `
+  `
+  Write-Host INFO: Expanding compiler 1 of 3...; `
+  Expand-Archive C:\gcc.zip -DestinationPath C:\gcc -Force; `
+  Write-Host INFO: Expanding compiler 2 of 3...; `
+  Expand-Archive C:\runtime.zip -DestinationPath C:\gcc -Force; `
+  Write-Host INFO: Expanding compiler 3 of 3...; `
+  Expand-Archive C:\binutils.zip -DestinationPath C:\gcc -Force; `
+  `
+  Write-Host INFO: Removing downloaded files...; `
+  Remove-Item C:\gcc.zip; `
+  Remove-Item C:\runtime.zip; `
+  Remove-Item C:\binutils.zip; `
+  Remove-Item C:\gitsetup.zip; `
+  `
+  Write-Host INFO: Creating source directory...; `
+  New-Item -ItemType Directory -Path C:\go\src\github.com\docker\docker | Out-Null; `
+  `
+  Write-Host INFO: Configuring git core.autocrlf...; `
+  C:\git\cmd\git config --global core.autocrlf true; `
+  `
+  Write-Host INFO: Completed
+
+# Make PowerShell the default entrypoint
+ENTRYPOINT ["powershell.exe"]
+
+# Set the working directory to the location of the sources
+WORKDIR C:\go\src\github.com\docker\docker
+
+# Copy the sources into the container
+COPY . .
diff --git a/engine/LICENSE b/engine/LICENSE
new file mode 100644
index 00000000..9c8e20ab
--- /dev/null
+++ b/engine/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2013-2017 Docker, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/engine/MAINTAINERS b/engine/MAINTAINERS
new file mode 100644
index 00000000..3ac06d27
--- /dev/null
+++ b/engine/MAINTAINERS
@@ -0,0 +1,486 @@
+# Moby maintainers file
+#
+# This file describes the maintainer groups within the moby/moby project.
+# More detail on Moby project governance is available in the
+# project/GOVERNANCE.md file found in this repository.
+#
+# It is structured to be consumable by both humans and programs.
+# To extract its contents programmatically, use any TOML-compliant
+# parser.
+#
+# TODO(estesp): This file should not necessarily depend on docker/opensource
+# This file is compiled into the MAINTAINERS file in docker/opensource.
+#
+[Org]
+
+	[Org."Core maintainers"]
+
+	# The Core maintainers are the ghostbusters of the project: when there's a problem others
+	# can't solve, they show up and fix it with bizarre devices and weaponry.
+	# They have final say on technical implementation and coding style.
+	# They are ultimately responsible for quality in all its forms: usability polish,
+	# bugfixes, performance, stability, etc. When ownership  can cleanly be passed to
+	# a subsystem, they are responsible for doing so and holding the
+	# subsystem maintainers accountable. If ownership is unclear, they are the de facto owners.
+
+		people = [
+			"aaronlehmann",
+			"akihirosuda",
+			"anusha",
+			"coolljt0725",
+			"cpuguy83",
+			"crosbymichael",
+			"dnephin",
+			"duglin",
+			"estesp",
+			"jhowardmsft",
+			"johnstep",
+			"justincormack",
+			"mhbauer",
+			"mlaventure",
+			"runcom",
+			"stevvooe",
+			"thajeztah",
+			"tianon",
+			"tibor",
+			"tonistiigi",
+			"unclejack",
+			"vdemeester",
+			"vieux",
+			"yongtang"
+		]
+
+	[Org."Docs maintainers"]
+
+	# TODO Describe the docs maintainers role.
+
+		people = [
+			"misty",
+			"thajeztah"
+		]
+
+	[Org.Curators]
+
+	# The curators help ensure that incoming issues and pull requests are properly triaged and
+	# that our various contribution and reviewing processes are respected. With their knowledge of
+	# the repository activity, they can also guide contributors to relevant material or
+	# discussions.
+	#
+	# They are neither code nor docs reviewers, so they are never expected to merge. They can
+	# however:
+	# - close an issue or pull request when it's an exact duplicate
+	# - close an issue or pull request when it's inappropriate or off-topic
+
+		people = [
+			"alexellis",
+			"andrewhsu",
+			"anonymuse",
+			"chanwit",
+			"fntlnz",
+			"gianarb",
+			"programmerq",
+			"rheinwein",
+			"ripcurld",
+			"thajeztah"
+		]
+
+	[Org.Alumni]
+
+	# This list contains maintainers that are no longer active on the project.
+	# It is thanks to these people that the project has become what it is today.
+	# Thank you!
+
+		people = [
+			# Harald Albers is the mastermind behind the bash completion scripts for the
+			# Docker CLI. The completion scripts moved to the Docker CLI repository, so
+			# you can now find him perform his magic in the https://github.com/docker/cli repository.
+			"albers",
+
+			# Andrea Luzzardi started contributing to the Docker codebase in the "dotCloud"
+			# era, even before it was called "Docker". He is one of the architects of both
+			# Swarm and SwarmKit, and its integration into the Docker engine.
+			"aluzzardi",
+			
+			# David Calavera contributed many features to Docker, such as an improved
+			# event system, dynamic configuration reloading, volume plugins, fancy
+			# new templating options, and an external client credential store. As a
+			# maintainer, David was release captain for Docker 1.8, and competing
+			# with Jess Frazelle to be "top dream killer".
+			# David is now doing amazing stuff as CTO for https://www.netlify.com,
+			# and tweets as @calavera.
+			"calavera",
+
+			# As a maintainer, Erik was responsible for the "builder", and
+			# started the first designs for the new networking model in
+			# Docker. Erik is now working on all kinds of plugins for Docker
+			# (https://github.com/contiv) and various open source projects
+			# in his own repository https://github.com/erikh. You may
+			# still stumble into him in our issue tracker, or on IRC.
+			"erikh",
+
+			# Evan Hazlett is the creator of of the Shipyard and Interlock open source projects,
+			# and the author of "Orca", which became the foundation of Docker Universal Control
+			# Plane (UCP). As a maintainer, Evan helped integrating SwarmKit (secrets, tasks)
+			# into the Docker engine.
+			"ehazlett",
+
+			# Arnaud Porterie (AKA "icecrime") was in charge of maintaining the maintainers.
+			# As a maintainer, he made life easier for contributors to the Docker open-source
+			# projects, bringing order in the chaos by designing a triage- and review workflow
+			# using labels (see https://icecrime.net/technology/a-structured-approach-to-labeling/),
+			# and automating the hell out of things with his buddies GordonTheTurtle and Poule
+			# (a chicken!).
+			# 
+			# A lesser-known fact is that he created the first commit in the libnetwork repository
+			# even though he didn't know anything about it. Some say, he's now selling stuff on
+			# the internet ;-)
+			"icecrime",
+
+			# After a false start with his first PR being rejected, James Turnbull became a frequent
+			# contributor to the documentation, and became a docs maintainer on December 5, 2013. As
+			# a maintainer, James lifted the docs to a higher standard, and introduced the community
+			# guidelines ("three strikes"). James is currently changing the world as CTO of https://www.empatico.org,
+			# meanwhile authoring various books that are worth checking out. You can find him on Twitter,
+			# rambling as @kartar, and although no longer active as a maintainer, he's always "game" to
+			# help out reviewing docs PRs, so you may still see him around in the repository.
+			"jamtur01",
+
+			# Jessica Frazelle, also known as the "Keyser Söze of containers",
+			# runs *everything* in containers. She started contributing to
+			# Docker with a (fun fun) change involving both iptables and regular
+			# expressions (coz, YOLO!) on July 10, 2014
+			# https://github.com/docker/docker/pull/6950/commits/f3a68ffa390fb851115c77783fa4031f1d3b2995.
+			# Jess was Release Captain for Docker 1.4, 1.6 and 1.7, and contributed
+			# many features and improvement, among which "seccomp profiles" (making
+			# containers a lot more secure). Besides being a maintainer, she
+			# set up the CI infrastructure for the project, giving everyone
+			# something to shout at if a PR failed ("noooo Janky!").
+			# Be sure you don't miss her talks at a conference near you (a must-see),
+			# read her blog at https://blog.jessfraz.com (a must-read), and
+			# check out her open source projects on GitHub https://github.com/jessfraz (a must-try).
+			"jessfraz",
+
+			# Alexander Morozov contributed many features to Docker, worked on the premise of 
+			# what later became containerd (and worked on that too), and made a "stupid" Go
+			# vendor tool specificaly for docker/docker needs: vndr (https://github.com/LK4D4/vndr).
+			# Not many know that Alexander is a master negotiator, being able to change course
+			# of action with a single "Nope, we're not gonna do that".
+			"lk4d4",
+
+			# Madhu Venugopal was part of the SocketPlane team that joined Docker.
+			# As a maintainer, he was working with Jana for the Container Network
+			# Model (CNM) implemented through libnetwork, and the "routing mesh" powering
+			# Swarm mode networking.
+			"mavenugo",
+
+			# As a docs maintainer, Mary Anthony contributed greatly to the Docker
+			# docs. She wrote the Docker Contributor Guide and Getting Started
+			# Guides. She helped create a doc build system independent of
+			# docker/docker project, and implemented a new docs.docker.com theme and
+			# nav for 2015 Dockercon. Fun fact: the most inherited layer in DockerHub
+			# public repositories was originally referenced in
+			# maryatdocker/docker-whale back in May 2015.
+			"moxiegirl",
+
+			# Jana Radhakrishnan was part of the SocketPlane team that joined Docker.
+			# As a maintainer, he was the lead architect for the Container Network
+			# Model (CNM) implemented through libnetwork, and the "routing mesh" powering
+			# Swarm mode networking.
+			#
+			# Jana started new adventures in networking, but you can find him tweeting as @mrjana,
+			# coding on GitHub https://github.com/mrjana, and he may be hiding on the Docker Community
+			# slack channel :-)
+			"mrjana",
+
+			# Sven Dowideit became a well known person in the Docker ecosphere, building
+			# boot2docker, and became a regular contributor to the project, starting as
+			# early as October 2013 (https://github.com/docker/docker/pull/2119), to become
+			# a maintainer less than two months later (https://github.com/docker/docker/pull/3061).
+			#
+			# As a maintainer, Sven took on the task to convert the documentation from
+			# ReStructuredText to Markdown, migrate to Hugo for generating the docs, and
+			# writing tooling for building, testing, and publishing them.
+			#
+			# If you're not in the occasion to visit "the Australian office", you
+			# can keep up with Sven on Twitter (@SvenDowideit), his blog http://fosiki.com,
+			# and of course on GitHub.
+			"sven",
+
+			# Vincent "vbatts!" Batts made his first contribution to the project
+			# in November 2013, to become a maintainer a few months later, on
+			# May 10, 2014 (https://github.com/docker/docker/commit/d6e666a87a01a5634c250358a94c814bf26cb778).
+			# As a maintainer, Vincent made important contributions to core elements
+			# of Docker, such as "distribution" (tarsum) and graphdrivers (btrfs, devicemapper).
+			# He also contributed the "tar-split" library, an important element
+			# for the content-addressable store.
+			# Vincent is currently a member of the Open Containers Initiative
+			# Technical Oversight Board (TOB), besides his work at Red Hat and
+			# Project Atomic. You can still find him regularly hanging out in
+			# our repository and the #docker-dev and #docker-maintainers IRC channels
+			# for a chat, as he's always a lot of fun.
+			"vbatts",
+
+			# Vishnu became a maintainer to help out on the daemon codebase and
+			# libcontainer integration. He's currently involved in the
+			# Open Containers Initiative, working on the specifications,
+			# besides his work on cAdvisor and Kubernetes for Google.
+			"vishh"
+		]
+
+[people]
+
+# A reference list of all people associated with the project.
+# All other sections should refer to people by their canonical key
+# in the people section.
+
+	# ADD YOURSELF HERE IN ALPHABETICAL ORDER
+
+	[people.aaronlehmann]
+	Name = "Aaron Lehmann"
+	Email = "aaron.lehmann@docker.com"
+	GitHub = "aaronlehmann"
+
+	[people.alexellis]
+	Name = "Alex Ellis"
+	Email = "alexellis2@gmail.com"
+	GitHub = "alexellis"
+
+	[people.akihirosuda]
+	Name = "Akihiro Suda"
+	Email = "suda.akihiro@lab.ntt.co.jp"
+	GitHub = "AkihiroSuda"
+
+	[people.aluzzardi]
+	Name = "Andrea Luzzardi"
+	Email = "al@docker.com"
+	GitHub = "aluzzardi"
+
+	[people.albers]
+	Name = "Harald Albers"
+	Email = "github@albersweb.de"
+	GitHub = "albers"
+
+	[people.andrewhsu]
+	Name = "Andrew Hsu"
+	Email = "andrewhsu@docker.com"
+	GitHub = "andrewhsu"
+
+	[people.anonymuse]
+	Name = "Jesse White"
+	Email = "anonymuse@gmail.com"
+	GitHub = "anonymuse"
+
+	[people.anusha]
+	Name = "Anusha Ragunathan"
+	Email = "anusha@docker.com"
+	GitHub = "anusha-ragunathan"
+
+	[people.calavera]
+	Name = "David Calavera"
+	Email = "david.calavera@gmail.com"
+	GitHub = "calavera"
+
+	[people.coolljt0725]
+	Name = "Lei Jitang"
+	Email = "leijitang@huawei.com"
+	GitHub = "coolljt0725"
+
+	[people.cpuguy83]
+	Name = "Brian Goff"
+	Email = "cpuguy83@gmail.com"
+	GitHub = "cpuguy83"
+
+	[people.chanwit]
+	Name = "Chanwit Kaewkasi"
+	Email = "chanwit@gmail.com"
+	GitHub = "chanwit"
+
+	[people.crosbymichael]
+	Name = "Michael Crosby"
+	Email = "crosbymichael@gmail.com"
+	GitHub = "crosbymichael"
+
+	[people.dnephin]
+	Name = "Daniel Nephin"
+	Email = "dnephin@gmail.com"
+	GitHub = "dnephin"
+
+	[people.duglin]
+	Name = "Doug Davis"
+	Email = "dug@us.ibm.com"
+	GitHub = "duglin"
+
+	[people.ehazlett]
+	Name = "Evan Hazlett"
+	Email = "ejhazlett@gmail.com"
+	GitHub = "ehazlett"
+
+	[people.erikh]
+	Name = "Erik Hollensbe"
+	Email = "erik@docker.com"
+	GitHub = "erikh"
+
+	[people.estesp]
+	Name = "Phil Estes"
+	Email = "estesp@linux.vnet.ibm.com"
+	GitHub = "estesp"
+
+	[people.fntlnz]
+	Name = "Lorenzo Fontana"
+	Email = "fontanalorenz@gmail.com"
+	GitHub = "fntlnz"
+
+	[people.gianarb]
+	Name = "Gianluca Arbezzano"
+	Email = "ga@thumpflow.com"
+	GitHub = "gianarb"
+
+	[people.icecrime]
+	Name = "Arnaud Porterie"
+	Email = "icecrime@gmail.com"
+	GitHub = "icecrime"
+
+	[people.jamtur01]
+	Name = "James Turnbull"
+	Email = "james@lovedthanlost.net"
+	GitHub = "jamtur01"
+
+	[people.jhowardmsft]
+	Name = "John Howard"
+	Email = "jhoward@microsoft.com"
+	GitHub = "jhowardmsft"
+
+	[people.jessfraz]
+	Name = "Jessie Frazelle"
+	Email = "jess@linux.com"
+	GitHub = "jessfraz"
+
+	[people.johnstep]
+	Name = "John Stephens"
+	Email = "johnstep@docker.com"
+	GitHub = "johnstep"
+
+	[people.justincormack]
+	Name = "Justin Cormack"
+	Email = "justin.cormack@docker.com"
+	GitHub = "justincormack"
+
+	[people.lk4d4]
+	Name = "Alexander Morozov"
+	Email = "lk4d4@docker.com"
+	GitHub = "lk4d4"
+
+	[people.mavenugo]
+	Name = "Madhu Venugopal"
+	Email = "madhu@docker.com"
+	GitHub = "mavenugo"
+
+	[people.mhbauer]
+	Name = "Morgan Bauer"
+	Email = "mbauer@us.ibm.com"
+	GitHub = "mhbauer"
+
+	[people.misty]
+	Name = "Misty Stanley-Jones"
+	Email = "misty@docker.com"
+	GitHub = "mistyhacks"
+
+	[people.mlaventure]
+	Name = "Kenfe-Mickaël Laventure"
+	Email = "mickael.laventure@gmail.com"
+	GitHub = "mlaventure"
+
+	[people.moxiegirl]
+	Name = "Mary Anthony"
+	Email = "mary.anthony@docker.com"
+	GitHub = "moxiegirl"
+
+	[people.mrjana]
+	Name = "Jana Radhakrishnan"
+	Email = "mrjana@docker.com"
+	GitHub = "mrjana"
+
+	[people.programmerq]
+	Name = "Jeff Anderson"
+	Email = "jeff@docker.com"
+	GitHub = "programmerq"
+
+	[people.rheinwein]
+	Name = "Laura Frank"
+	Email = "laura@codeship.com"
+	GitHub = "rheinwein"
+
+	[people.ripcurld]
+	Name = "Boaz Shuster"
+	Email = "ripcurld.github@gmail.com"
+	GitHub = "ripcurld"
+
+	[people.runcom]
+	Name = "Antonio Murdaca"
+	Email = "runcom@redhat.com"
+	GitHub = "runcom"
+
+	[people.shykes]
+	Name = "Solomon Hykes"
+	Email = "solomon@docker.com"
+	GitHub = "shykes"
+
+	[people.stevvooe]
+	Name = "Stephen Day"
+	Email = "stephen.day@docker.com"
+	GitHub = "stevvooe"
+
+	[people.sven]
+	Name = "Sven Dowideit"
+	Email = "SvenDowideit@home.org.au"
+	GitHub = "SvenDowideit"
+
+	[people.thajeztah]
+	Name = "Sebastiaan van Stijn"
+	Email = "github@gone.nl"
+	GitHub = "thaJeztah"
+
+	[people.tianon]
+	Name = "Tianon Gravi"
+	Email = "admwiggin@gmail.com"
+	GitHub = "tianon"
+
+	[people.tibor]
+	Name = "Tibor Vass"
+	Email = "tibor@docker.com"
+	GitHub = "tiborvass"
+
+	[people.tonistiigi]
+	Name = "Tõnis Tiigi"
+	Email = "tonis@docker.com"
+	GitHub = "tonistiigi"
+
+	[people.unclejack]
+	Name = "Cristian Staretu"
+	Email = "cristian.staretu@gmail.com"
+	GitHub = "unclejack"
+
+	[people.vbatts]
+	Name = "Vincent Batts"
+	Email = "vbatts@redhat.com"
+	GitHub = "vbatts"
+
+	[people.vdemeester]
+	Name = "Vincent Demeester"
+	Email = "vincent@sbr.pm"
+	GitHub = "vdemeester"
+
+	[people.vieux]
+	Name = "Victor Vieux"
+	Email = "vieux@docker.com"
+	GitHub = "vieux"
+
+	[people.vishh]
+	Name = "Vishnu Kannan"
+	Email = "vishnuk@google.com"
+	GitHub = "vishh"
+
+	[people.yongtang]
+	Name = "Yong Tang"
+	Email = "yong.tang.github@outlook.com"
+	GitHub = "yongtang"
diff --git a/engine/Makefile b/engine/Makefile
new file mode 100644
index 00000000..fc5b7d99
--- /dev/null
+++ b/engine/Makefile
@@ -0,0 +1,208 @@
+.PHONY: all binary dynbinary build cross help init-go-pkg-cache install manpages run shell test test-docker-py test-integration test-unit validate win
+
+# set the graph driver as the current graphdriver if not set
+DOCKER_GRAPHDRIVER := $(if $(DOCKER_GRAPHDRIVER),$(DOCKER_GRAPHDRIVER),$(shell docker info 2>&1 | grep "Storage Driver" | sed 's/.*: //'))
+export DOCKER_GRAPHDRIVER
+DOCKER_INCREMENTAL_BINARY := $(if $(DOCKER_INCREMENTAL_BINARY),$(DOCKER_INCREMENTAL_BINARY),1)
+export DOCKER_INCREMENTAL_BINARY
+
+# get OS/Arch of docker engine
+DOCKER_OSARCH := $(shell bash -c 'source hack/make/.detect-daemon-osarch && echo $${DOCKER_ENGINE_OSARCH}')
+DOCKERFILE := $(shell bash -c 'source hack/make/.detect-daemon-osarch && echo $${DOCKERFILE}')
+
+DOCKER_GITCOMMIT := $(shell git rev-parse --short HEAD || echo unsupported)
+export DOCKER_GITCOMMIT
+
+# env vars passed through directly to Docker's build scripts
+# to allow things like `make KEEPBUNDLE=1 binary` easily
+# `project/PACKAGERS.md` have some limited documentation of some of these
+#
+# DOCKER_LDFLAGS can be used to pass additional parameters to -ldflags
+# option of "go build". For example, a built-in graphdriver priority list
+# can be changed during build time like this:
+#
+# make DOCKER_LDFLAGS="-X github.com/docker/docker/daemon/graphdriver.priority=overlay2,devicemapper" dynbinary
+#
+DOCKER_ENVS := \
+	-e DOCKER_CROSSPLATFORMS \
+	-e BUILD_APT_MIRROR \
+	-e BUILDFLAGS \
+	-e KEEPBUNDLE \
+	-e DOCKER_BUILD_ARGS \
+	-e DOCKER_BUILD_GOGC \
+	-e DOCKER_BUILD_PKGS \
+	-e DOCKER_BUILDKIT \
+	-e DOCKER_BASH_COMPLETION_PATH \
+	-e DOCKER_CLI_PATH \
+	-e DOCKER_DEBUG \
+	-e DOCKER_EXPERIMENTAL \
+	-e DOCKER_GITCOMMIT \
+	-e DOCKER_GRAPHDRIVER \
+	-e DOCKER_INCREMENTAL_BINARY \
+	-e DOCKER_LDFLAGS \
+	-e DOCKER_PORT \
+	-e DOCKER_REMAP_ROOT \
+	-e DOCKER_STORAGE_OPTS \
+	-e DOCKER_USERLANDPROXY \
+	-e DOCKERD_ARGS \
+	-e TEST_INTEGRATION_DIR \
+	-e TESTDIRS \
+	-e TESTFLAGS \
+	-e TIMEOUT \
+	-e HTTP_PROXY \
+	-e HTTPS_PROXY \
+	-e NO_PROXY \
+	-e http_proxy \
+	-e https_proxy \
+	-e no_proxy \
+	-e VERSION \
+	-e PLATFORM \
+	-e PRODUCT
+# note: we _cannot_ add "-e DOCKER_BUILDTAGS" here because even if it's unset in the shell, that would shadow the "ENV DOCKER_BUILDTAGS" set in our Dockerfile, which is very important for our official builds
+
+# to allow `make BIND_DIR=. shell` or `make BIND_DIR= test`
+# (default to no bind mount if DOCKER_HOST is set)
+# note: BINDDIR is supported for backwards-compatibility here
+BIND_DIR := $(if $(BINDDIR),$(BINDDIR),$(if $(DOCKER_HOST),,bundles))
+DOCKER_MOUNT := $(if $(BIND_DIR),-v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/docker/docker/$(BIND_DIR)")
+
+# This allows the test suite to be able to run without worrying about the underlying fs used by the container running the daemon (e.g. aufs-on-aufs), so long as the host running the container is running a supported fs.
+# The volume will be cleaned up when the container is removed due to `--rm`.
+# Note that `BIND_DIR` will already be set to `bundles` if `DOCKER_HOST` is not set (see above BIND_DIR line), in such case this will do nothing since `DOCKER_MOUNT` will already be set.
+DOCKER_MOUNT := $(if $(DOCKER_MOUNT),$(DOCKER_MOUNT),-v /go/src/github.com/docker/docker/bundles) -v "$(CURDIR)/.git:/go/src/github.com/docker/docker/.git"
+
+# This allows to set the docker-dev container name
+DOCKER_CONTAINER_NAME := $(if $(CONTAINER_NAME),--name $(CONTAINER_NAME),)
+
+# enable package cache if DOCKER_INCREMENTAL_BINARY and DOCKER_MOUNT (i.e.DOCKER_HOST) are set
+PKGCACHE_MAP := gopath:/go/pkg goroot-linux_amd64:/usr/local/go/pkg/linux_amd64 goroot-linux_amd64_netgo:/usr/local/go/pkg/linux_amd64_netgo
+PKGCACHE_VOLROOT := dockerdev-go-pkg-cache
+PKGCACHE_VOL := $(if $(PKGCACHE_DIR),$(CURDIR)/$(PKGCACHE_DIR)/,$(PKGCACHE_VOLROOT)-)
+DOCKER_MOUNT_PKGCACHE := $(if $(DOCKER_INCREMENTAL_BINARY),$(shell echo $(PKGCACHE_MAP) | sed -E 's@([^ ]*)@-v "$(PKGCACHE_VOL)\1"@g'),)
+DOCKER_MOUNT_CLI := $(if $(DOCKER_CLI_PATH),-v $(shell dirname $(DOCKER_CLI_PATH)):/usr/local/cli,)
+DOCKER_MOUNT_BASH_COMPLETION := $(if $(DOCKER_BASH_COMPLETION_PATH),-v $(shell dirname $(DOCKER_BASH_COMPLETION_PATH)):/usr/local/completion/bash,)
+DOCKER_MOUNT := $(DOCKER_MOUNT) $(DOCKER_MOUNT_PKGCACHE) $(DOCKER_MOUNT_CLI) $(DOCKER_MOUNT_BASH_COMPLETION)
+
+GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
+GIT_BRANCH_CLEAN := $(shell echo $(GIT_BRANCH) | sed -e "s/[^[:alnum:]]/-/g")
+DOCKER_IMAGE := docker-dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
+DOCKER_PORT_FORWARD := $(if $(DOCKER_PORT),-p "$(DOCKER_PORT)",)
+
+DOCKER_FLAGS := docker run --rm -i --privileged $(DOCKER_CONTAINER_NAME) $(DOCKER_ENVS) $(DOCKER_MOUNT) $(DOCKER_PORT_FORWARD)
+BUILD_APT_MIRROR := $(if $(DOCKER_BUILD_APT_MIRROR),--build-arg APT_MIRROR=$(DOCKER_BUILD_APT_MIRROR))
+export BUILD_APT_MIRROR
+
+SWAGGER_DOCS_PORT ?= 9000
+
+INTEGRATION_CLI_MASTER_IMAGE := $(if $(INTEGRATION_CLI_MASTER_IMAGE), $(INTEGRATION_CLI_MASTER_IMAGE), integration-cli-master)
+INTEGRATION_CLI_WORKER_IMAGE := $(if $(INTEGRATION_CLI_WORKER_IMAGE), $(INTEGRATION_CLI_WORKER_IMAGE), integration-cli-worker)
+
+define \n
+
+
+endef
+
+# if this session isn't interactive, then we don't want to allocate a
+# TTY, which would fail, but if it is interactive, we do want to attach
+# so that the user can send e.g. ^C through.
+INTERACTIVE := $(shell [ -t 0 ] && echo 1 || echo 0)
+ifeq ($(INTERACTIVE), 1)
+	DOCKER_FLAGS += -t
+endif
+
+DOCKER_RUN_DOCKER := $(DOCKER_FLAGS) "$(DOCKER_IMAGE)"
+
+default: binary
+
+all: build ## validate all checks, build linux binaries, run all tests\ncross build non-linux binaries and generate archives
+	$(DOCKER_RUN_DOCKER) bash -c 'hack/validate/default && hack/make.sh'
+
+binary: build ## build the linux binaries
+	$(DOCKER_RUN_DOCKER) hack/make.sh binary
+
+dynbinary: build ## build the linux dynbinaries
+	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary
+
+build: bundles init-go-pkg-cache
+	$(warning The docker client CLI has moved to github.com/docker/cli. For a dev-test cycle involving the CLI, run:${\n} DOCKER_CLI_PATH=/host/path/to/cli/binary make shell ${\n} then change the cli and compile into a binary at the same location.${\n})
+	docker build ${BUILD_APT_MIRROR} ${DOCKER_BUILD_ARGS} -t "$(DOCKER_IMAGE)" -f "$(DOCKERFILE)" .
+
+bundles:
+	mkdir bundles
+
+clean: clean-pkg-cache-vol ## clean up cached resources
+
+clean-pkg-cache-vol:
+	@- $(foreach mapping,$(PKGCACHE_MAP), \
+		$(shell docker volume rm $(PKGCACHE_VOLROOT)-$(shell echo $(mapping) | awk -F':/' '{ print $$1 }') > /dev/null 2>&1) \
+	)
+
+cross: build ## cross build the binaries for darwin, freebsd and\nwindows
+	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary binary cross
+
+help: ## this help
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+init-go-pkg-cache:
+	$(if $(PKGCACHE_DIR), mkdir -p $(shell echo $(PKGCACHE_MAP) | sed -E 's@([^: ]*):[^ ]*@$(PKGCACHE_DIR)/\1@g'))
+
+install: ## install the linux binaries
+	KEEPBUNDLE=1 hack/make.sh install-binary
+
+run: build ## run the docker daemon in a container
+	$(DOCKER_RUN_DOCKER) sh -c "KEEPBUNDLE=1 hack/make.sh install-binary run"
+
+shell: build ## start a shell inside the build env
+	$(DOCKER_RUN_DOCKER) bash
+
+test: build test-unit ## run the unit, integration and docker-py tests
+	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary cross test-integration test-docker-py
+
+test-docker-py: build ## run the docker-py tests
+	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-docker-py
+
+test-integration-cli: test-integration ## (DEPRECATED) use test-integration
+
+test-integration: build ## run the integration tests
+	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-integration
+
+test-unit: build ## run the unit tests
+	$(DOCKER_RUN_DOCKER) hack/test/unit
+
+validate: build ## validate DCO, Seccomp profile generation, gofmt,\n./pkg/ isolation, golint, tests, tomls, go vet and vendor
+	$(DOCKER_RUN_DOCKER) hack/validate/all
+
+win: build ## cross build the binary for windows
+	$(DOCKER_RUN_DOCKER) hack/make.sh win
+
+.PHONY: swagger-gen
+swagger-gen:
+	docker run --rm -v $(PWD):/go/src/github.com/docker/docker \
+		-w /go/src/github.com/docker/docker \
+		--entrypoint hack/generate-swagger-api.sh \
+		-e GOPATH=/go \
+		quay.io/goswagger/swagger:0.7.4
+
+.PHONY: swagger-docs
+swagger-docs: ## preview the API documentation
+	@echo "API docs preview will be running at http://localhost:$(SWAGGER_DOCS_PORT)"
+	@docker run --rm -v $(PWD)/api/swagger.yaml:/usr/share/nginx/html/swagger.yaml \
+		-e 'REDOC_OPTIONS=hide-hostname="true" lazy-rendering' \
+		-p $(SWAGGER_DOCS_PORT):80 \
+		bfirsh/redoc:1.6.2
+
+build-integration-cli-on-swarm: build ## build images and binary for running integration-cli on Swarm in parallel
+	@echo "Building hack/integration-cli-on-swarm (if build fails, please refer to hack/integration-cli-on-swarm/README.md)"
+	go build -buildmode=pie -o ./hack/integration-cli-on-swarm/integration-cli-on-swarm ./hack/integration-cli-on-swarm/host
+	@echo "Building $(INTEGRATION_CLI_MASTER_IMAGE)"
+	docker build -t $(INTEGRATION_CLI_MASTER_IMAGE) hack/integration-cli-on-swarm/agent
+# For worker, we don't use `docker build` so as to enable DOCKER_INCREMENTAL_BINARY and so on
+	@echo "Building $(INTEGRATION_CLI_WORKER_IMAGE) from $(DOCKER_IMAGE)"
+	$(eval tmp := integration-cli-worker-tmp)
+# We mount pkgcache, but not bundle (bundle needs to be baked into the image)
+# For avoiding bakings DOCKER_GRAPHDRIVER and so on to image, we cannot use $(DOCKER_ENVS) here
+	docker run -t -d --name $(tmp) -e DOCKER_GITCOMMIT -e BUILDFLAGS -e DOCKER_INCREMENTAL_BINARY --privileged $(DOCKER_MOUNT_PKGCACHE) $(DOCKER_IMAGE) top
+	docker exec $(tmp) hack/make.sh build-integration-test-binary dynbinary
+	docker exec $(tmp) go build -buildmode=pie -o /worker github.com/docker/docker/hack/integration-cli-on-swarm/agent/worker
+	docker commit -c 'ENTRYPOINT ["/worker"]' $(tmp) $(INTEGRATION_CLI_WORKER_IMAGE)
+	docker rm -f $(tmp)
diff --git a/engine/NOTICE b/engine/NOTICE
new file mode 100644
index 00000000..0c74e15b
--- /dev/null
+++ b/engine/NOTICE
@@ -0,0 +1,19 @@
+Docker
+Copyright 2012-2017 Docker, Inc.
+
+This product includes software developed at Docker, Inc. (https://www.docker.com).
+
+This product contains software (https://github.com/kr/pty) developed
+by Keith Rarick, licensed under the MIT License.
+
+The following is courtesy of our legal counsel:
+
+
+Use and transfer of Docker may be subject to certain restrictions by the
+United States and other governments.
+It is your responsibility to ensure that your use and/or transfer does not
+violate applicable laws.
+
+For more information, please see https://www.bis.doc.gov
+
+See also https://www.apache.org/dev/crypto.html and/or seek legal counsel.
diff --git a/engine/README.md b/engine/README.md
new file mode 100644
index 00000000..534fd97d
--- /dev/null
+++ b/engine/README.md
@@ -0,0 +1,57 @@
+The Moby Project
+================
+
+![Moby Project logo](docs/static_files/moby-project-logo.png "The Moby Project")
+
+Moby is an open-source project created by Docker to enable and accelerate software containerization.
+
+It provides a "Lego set" of toolkit components, the framework for assembling them into custom container-based systems, and a place for all container enthusiasts and professionals to experiment and exchange ideas.
+Components include container build tools, a container registry, orchestration tools, a runtime and more, and these can be used as building blocks in conjunction with other tools and projects.
+
+## Principles
+
+Moby is an open project guided by strong principles, aiming to be modular, flexible and without too strong an opinion on user experience.
+It is open to the community to help set its direction.
+
+- Modular: the project includes lots of components that have well-defined functions and APIs that work together.
+- Batteries included but swappable: Moby includes enough components to build fully featured container system, but its modular architecture ensures that most of the components can be swapped by different implementations.
+- Usable security: Moby provides secure defaults without compromising usability.
+- Developer focused: The APIs are intended to be functional and useful to build powerful tools.
+They are not necessarily intended as end user tools but as components aimed at developers.
+Documentation and UX is aimed at developers not end users.
+
+## Audience
+
+The Moby Project is intended for engineers, integrators and enthusiasts looking to modify, hack, fix, experiment, invent and build systems based on containers.
+It is not for people looking for a commercially supported system, but for people who want to work and learn with open source code.
+
+## Relationship with Docker
+
+The components and tools in the Moby Project are initially the open source components that Docker and the community have built for the Docker Project.
+New projects can be added if they fit with the community goals. Docker is committed to using Moby as the upstream for the Docker Product.
+However, other projects are also encouraged to use Moby as an upstream, and to reuse the components in diverse ways, and all these uses will be treated in the same way. External maintainers and contributors are welcomed.
+
+The Moby project is not intended as a location for support or feature requests for Docker products, but as a place for contributors to work on open source code, fix bugs, and make the code more useful.
+The releases are supported by the maintainers, community and users, on a best efforts basis only, and are not intended for customers who want enterprise or commercial support; Docker EE is the appropriate product for these use cases.
+
+-----
+
+Legal
+=====
+
+*Brought to you courtesy of our legal counsel. For more context,
+please see the [NOTICE](https://github.com/moby/moby/blob/master/NOTICE) document in this repo.*
+
+Use and transfer of Moby may be subject to certain restrictions by the
+United States and other governments.
+
+It is your responsibility to ensure that your use and/or transfer does not
+violate applicable laws.
+
+For more information, please see https://www.bis.doc.gov
+
+Licensing
+=========
+Moby is licensed under the Apache License, Version 2.0. See
+[LICENSE](https://github.com/moby/moby/blob/master/LICENSE) for the full
+license text.
diff --git a/engine/ROADMAP.md b/engine/ROADMAP.md
new file mode 100644
index 00000000..e2e6b2b9
--- /dev/null
+++ b/engine/ROADMAP.md
@@ -0,0 +1,68 @@
+Moby Project Roadmap
+====================
+
+### How should I use this document?
+
+This document provides description of items that the project decided to prioritize. This should
+serve as a reference point for Moby contributors to understand where the project is going, and
+help determine if a contribution could be conflicting with some longer term plans.
+
+The fact that a feature isn't listed here doesn't mean that a patch for it will automatically be
+refused! We are always happy to receive patches for new cool features we haven't thought about,
+or didn't judge to be a priority. Please however understand that such patches might take longer
+for us to review.
+
+### How can I help?
+
+Short term objectives are listed in
+[Issues](https://github.com/moby/moby/issues?q=is%3Aopen+is%3Aissue+label%3Aroadmap). Our
+goal is to split down the workload in such way that anybody can jump in and help. Please comment on
+issues if you want to work on it to avoid duplicating effort! Similarly, if a maintainer is already
+assigned on an issue you'd like to participate in, pinging him on GitHub to offer your help is
+the best way to go.
+
+### How can I add something to the roadmap?
+
+The roadmap process is new to the Moby Project: we are only beginning to structure and document the
+project objectives. Our immediate goal is to be more transparent, and work with our community to
+focus our efforts on fewer prioritized topics.
+
+We hope to offer in the near future a process allowing anyone to propose a topic to the roadmap, but
+we are not quite there yet. For the time being, it is best to discuss with the maintainers on an
+issue, in the Slack channel, or in person at the Moby Summits that happen every few months.
+
+# 1. Features and refactoring
+
+## 1.1 Runtime improvements
+
+We introduced [`runC`](https://runc.io) as a standalone low-level tool for container
+execution in 2015, the first stage in spinning out parts of the Engine into standalone tools.
+
+As runC continued evolving, and the OCI specification along with it, we created
+[`containerd`](https://github.com/containerd/containerd), a daemon to control and monitor `runC`.
+In late 2016 this was relaunched as the `containerd` 1.0 track, aiming to provide a common runtime
+for the whole spectrum of container systems, including Kubernetes, with wide community support.
+This change meant that there was an increased scope for `containerd`, including image management
+and storage drivers.
+
+Moby will rely on a long-running `containerd` companion daemon for all container execution
+related operations. This could open the door in the future for Engine restarts without interrupting
+running containers. The switch over to containerd 1.0 is an important goal for the project, and
+will result in a significant simplification of the functions implemented in this repository.
+
+## 1.2 Internal decoupling
+
+A lot of work has been done in trying to decouple Moby internals. This process of creating
+standalone projects with a well defined function that attract a dedicated community should continue.
+As well as integrating `containerd` we would like to integrate [BuildKit](https://github.com/moby/buildkit)
+as the next standalone component.
+
+We see gRPC as the natural communication layer between decoupled components.
+
+## 1.3 Custom assembly tooling
+
+We have been prototyping the Moby [assembly tool](https://github.com/moby/tool) which was originally
+developed for LinuxKit and intend to turn it into a more generic packaging and assembly mechanism
+that can build not only the default version of Moby, as distribution packages or other useful forms,
+but can also build very different container systems, themselves built of cooperating daemons built in
+and running in containers. We intend to merge this functionality into this repo.
diff --git a/engine/TESTING.md b/engine/TESTING.md
new file mode 100644
index 00000000..b2c53769
--- /dev/null
+++ b/engine/TESTING.md
@@ -0,0 +1,89 @@
+# Testing
+
+This document contains the Moby code testing guidelines. It should answer any 
+questions you may have as an aspiring Moby contributor.
+
+## Test suites
+
+Moby has two test suites (and one legacy test suite):
+
+* Unit tests - use standard `go test` and
+  [gotest.tools/assert](https://godoc.org/gotest.tools/assert) assertions. They are located in
+  the package they test. Unit tests should be fast and test only their own 
+  package.
+* API integration tests - use standard `go test` and
+  [gotest.tools/assert](https://godoc.org/gotest.tools/assert) assertions. They are located in
+  `./integration/<component>` directories, where `component` is: container,
+  image, volume, etc. These tests perform HTTP requests to an API endpoint and
+  check the HTTP response and daemon state after the call.
+
+The legacy test suite `integration-cli/` is deprecated. No new tests will be 
+added to this suite. Any tests in this suite which require updates should be 
+ported to either the unit test suite or the new API integration test suite.
+
+## Writing new tests
+
+Most code changes will fall into one of the following categories.
+
+### Writing tests for new features
+
+New code should be covered by unit tests. If the code is difficult to test with
+a unit tests then that is a good sign that it should be refactored to make it
+easier to reuse and maintain. Consider accepting unexported interfaces instead
+of structs so that fakes can be provided for dependencies.
+
+If the new feature includes a completely new API endpoint then a new API 
+integration test should be added to cover the success case of that endpoint.
+
+If the new feature does not include a completely new API endpoint consider 
+adding the new API fields to the existing test for that endpoint. A new 
+integration test should **not** be added for every new API field or API error 
+case. Error cases should be handled by unit tests.
+
+### Writing tests for bug fixes
+
+Bugs fixes should include a unit test case which exercises the bug.
+
+A bug fix may also include new assertions in an existing integration tests for the
+API endpoint.
+
+### Integration tests environment considerations
+
+When adding new tests or modifying existing test under `integration/`, testing 
+environment should be properly considered. `skip.If` from 
+[gotest.tools/skip](https://godoc.org/gotest.tools/skip) can be used to make the 
+test run conditionally. Full testing environment conditions can be found at 
+[environment.go](https://github.com/moby/moby/blob/cb37987ee11655ed6bbef663d245e55922354c68/internal/test/environment/environment.go)
+
+Here is a quick example. If the test needs to interact with a docker daemon on 
+the same host, the following condition should be checked within the test code
+
+```go
+skip.If(t, testEnv.IsRemoteDaemon())
+// your integration test code
+```
+
+If a remote daemon is detected, the test will be skipped.
+
+## Running tests
+
+To run the unit test suite:
+
+```
+make test-unit
+```
+
+or `hack/test/unit` from inside a `BINDDIR=. make shell` container or properly
+configured environment.
+
+The following environment variables may be used to run a subset of tests:
+
+* `TESTDIRS` - paths to directories to be tested, defaults to `./...`
+* `TESTFLAGS` - flags passed to `go test`, to run tests which match a pattern
+  use `TESTFLAGS="-test.run TestNameOrPrefix"`
+
+To run the integration test suite:
+
+```
+make test-integration
+```
diff --git a/engine/VENDORING.md b/engine/VENDORING.md
new file mode 100644
index 00000000..8884f885
--- /dev/null
+++ b/engine/VENDORING.md
@@ -0,0 +1,46 @@
+# Vendoring policies
+
+This document outlines recommended Vendoring policies for Docker repositories.
+(Example, libnetwork is a Docker repo and logrus is not.)
+
+## Vendoring using tags
+
+Commit ID based vendoring provides little/no information about the updates
+vendored. To fix this, vendors will now require that repositories use annotated
+tags along with commit ids to snapshot commits. Annotated tags by themselves
+are not sufficient, since the same tag can be force updated to reference
+different commits.
+
+Each tag should:
+- Follow Semantic Versioning rules (refer to section on "Semantic Versioning")
+- Have a corresponding entry in the change tracking document.
+
+Each repo should:
+- Have a change tracking document between tags/releases. Ex: CHANGELOG.md,
+github releases file.
+
+The goal here is for consuming repos to be able to use the tag version and
+changelog updates to determine whether the vendoring will cause any breaking or
+backward incompatible changes. This also means that repos can specify having
+dependency on a package of a specific version or greater up to the next major
+release, without encountering breaking changes.
+
+## Semantic Versioning
+Annotated version tags should follow [Semantic Versioning](http://semver.org) policies:
+
+"Given a version number MAJOR.MINOR.PATCH, increment the:
+
+   1. MAJOR version when you make incompatible API changes,
+   2. MINOR version when you add functionality in a backwards-compatible manner, and
+   3. PATCH version when you make backwards-compatible bug fixes.
+
+Additional labels for pre-release and build metadata are available as extensions
+to the MAJOR.MINOR.PATCH format."
+
+## Vendoring cadence
+In order to avoid huge vendoring changes, it is recommended to have a regular
+cadence for vendoring updates. e.g. monthly.
+
+## Pre-merge vendoring tests
+All related repos will be vendored into docker/docker.
+CI on docker/docker should catch any breaking changes involving multiple repos.
diff --git a/engine/api/README.md b/engine/api/README.md
new file mode 100644
index 00000000..f136c343
--- /dev/null
+++ b/engine/api/README.md
@@ -0,0 +1,42 @@
+# Working on the Engine API
+
+The Engine API is an HTTP API used by the command-line client to communicate with the daemon. It can also be used by third-party software to control the daemon.
+
+It consists of various components in this repository:
+
+- `api/swagger.yaml` A Swagger definition of the API.
+- `api/types/` Types shared by both the client and server, representing various objects, options, responses, etc. Most are written manually, but some are automatically generated from the Swagger definition. See [#27919](https://github.com/docker/docker/issues/27919) for progress on this.
+- `cli/` The command-line client.
+- `client/` The Go client used by the command-line client. It can also be used by third-party Go programs.
+- `daemon/` The daemon, which serves the API.
+
+## Swagger definition
+
+The API is defined by the [Swagger](http://swagger.io/specification/) definition in `api/swagger.yaml`. This definition can be used to:
+
+1. Automatically generate documentation.
+2. Automatically generate the Go server and client. (A work-in-progress.)
+3. Provide a machine readable version of the API for introspecting what it can do, automatically generating clients for other languages, etc.
+
+## Updating the API documentation
+
+The API documentation is generated entirely from `api/swagger.yaml`. If you make updates to the API, edit this file to represent the change in the documentation.
+
+The file is split into two main sections:
+
+- `definitions`, which defines re-usable objects used in requests and responses
+- `paths`, which defines the API endpoints (and some inline objects which don't need to be reusable)
+
+To make an edit, first look for the endpoint you want to edit under `paths`, then make the required edits. Endpoints may reference reusable objects with `$ref`, which can be found in the `definitions` section.
+
+There is hopefully enough example material in the file for you to copy a similar pattern from elsewhere in the file (e.g. adding new fields or endpoints), but for the full reference, see the [Swagger specification](https://github.com/docker/docker/issues/27919).
+
+`swagger.yaml` is validated by `hack/validate/swagger` to ensure it is a valid Swagger definition. This is useful when making edits to ensure you are doing the right thing.
+
+## Viewing the API documentation
+
+When you make edits to `swagger.yaml`, you may want to check the generated API documentation to ensure it renders correctly.
+
+Run `make swagger-docs` and a preview will be running at `http://localhost`. Some of the styling may be incorrect, but you'll be able to ensure that it is generating the correct documentation.
+
+The production documentation is generated by vendoring `swagger.yaml` into [docker/docker.github.io](https://github.com/docker/docker.github.io).
diff --git a/engine/api/common.go b/engine/api/common.go
new file mode 100644
index 00000000..255a81ae
--- /dev/null
+++ b/engine/api/common.go
@@ -0,0 +1,11 @@
+package api // import "github.com/docker/docker/api"
+
+// Common constants for daemon and client.
+const (
+	// DefaultVersion of Current REST API
+	DefaultVersion = "1.38"
+
+	// NoBaseImageSpecifier is the symbol used by the FROM
+	// command to specify that no base image is to be used.
+	NoBaseImageSpecifier = "scratch"
+)
diff --git a/engine/api/common_unix.go b/engine/api/common_unix.go
new file mode 100644
index 00000000..504b0c90
--- /dev/null
+++ b/engine/api/common_unix.go
@@ -0,0 +1,6 @@
+// +build !windows
+
+package api // import "github.com/docker/docker/api"
+
+// MinVersion represents Minimum REST API version supported
+const MinVersion = "1.12"
diff --git a/engine/api/common_windows.go b/engine/api/common_windows.go
new file mode 100644
index 00000000..590ba547
--- /dev/null
+++ b/engine/api/common_windows.go
@@ -0,0 +1,8 @@
+package api // import "github.com/docker/docker/api"
+
+// MinVersion represents Minimum REST API version supported
+// Technically the first daemon API version released on Windows is v1.25 in
+// engine version 1.13. However, some clients are explicitly using downlevel
+// APIs (e.g. docker-compose v2.1 file format) and that is just too restrictive.
+// Hence also allowing 1.24 on Windows.
+const MinVersion string = "1.24"
diff --git a/engine/api/server/backend/build/backend.go b/engine/api/server/backend/build/backend.go
new file mode 100644
index 00000000..5e04e837
--- /dev/null
+++ b/engine/api/server/backend/build/backend.go
@@ -0,0 +1,136 @@
+package build // import "github.com/docker/docker/api/server/backend/build"
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/builder"
+	buildkit "github.com/docker/docker/builder/builder-next"
+	"github.com/docker/docker/builder/fscache"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+// ImageComponent provides an interface for working with images
+type ImageComponent interface {
+	SquashImage(from string, to string) (string, error)
+	TagImageWithReference(image.ID, reference.Named) error
+}
+
+// Builder defines interface for running a build
+type Builder interface {
+	Build(context.Context, backend.BuildConfig) (*builder.Result, error)
+}
+
+// Backend provides build functionality to the API router
+type Backend struct {
+	builder        Builder
+	fsCache        *fscache.FSCache
+	imageComponent ImageComponent
+	buildkit       *buildkit.Builder
+}
+
+// NewBackend creates a new build backend from components
+func NewBackend(components ImageComponent, builder Builder, fsCache *fscache.FSCache, buildkit *buildkit.Builder) (*Backend, error) {
+	return &Backend{imageComponent: components, builder: builder, fsCache: fsCache, buildkit: buildkit}, nil
+}
+
+// Build builds an image from a Source
+func (b *Backend) Build(ctx context.Context, config backend.BuildConfig) (string, error) {
+	options := config.Options
+	useBuildKit := options.Version == types.BuilderBuildKit
+
+	tagger, err := NewTagger(b.imageComponent, config.ProgressWriter.StdoutFormatter, options.Tags)
+	if err != nil {
+		return "", err
+	}
+
+	var build *builder.Result
+	if useBuildKit {
+		build, err = b.buildkit.Build(ctx, config)
+		if err != nil {
+			return "", err
+		}
+	} else {
+		build, err = b.builder.Build(ctx, config)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	if build == nil {
+		return "", nil
+	}
+
+	var imageID = build.ImageID
+	if options.Squash {
+		if imageID, err = squashBuild(build, b.imageComponent); err != nil {
+			return "", err
+		}
+		if config.ProgressWriter.AuxFormatter != nil {
+			if err = config.ProgressWriter.AuxFormatter.Emit("moby.image.id", types.BuildResult{ID: imageID}); err != nil {
+				return "", err
+			}
+		}
+	}
+
+	if !useBuildKit {
+		stdout := config.ProgressWriter.StdoutFormatter
+		fmt.Fprintf(stdout, "Successfully built %s\n", stringid.TruncateID(imageID))
+		err = tagger.TagImages(image.ID(imageID))
+	}
+	return imageID, err
+}
+
+// PruneCache removes all cached build sources
+func (b *Backend) PruneCache(ctx context.Context) (*types.BuildCachePruneReport, error) {
+	eg, ctx := errgroup.WithContext(ctx)
+
+	var fsCacheSize uint64
+	eg.Go(func() error {
+		var err error
+		fsCacheSize, err = b.fsCache.Prune(ctx)
+		if err != nil {
+			return errors.Wrap(err, "failed to prune fscache")
+		}
+		return nil
+	})
+
+	var buildCacheSize int64
+	eg.Go(func() error {
+		var err error
+		buildCacheSize, err = b.buildkit.Prune(ctx)
+		if err != nil {
+			return errors.Wrap(err, "failed to prune build cache")
+		}
+		return nil
+	})
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+
+	return &types.BuildCachePruneReport{SpaceReclaimed: fsCacheSize + uint64(buildCacheSize)}, nil
+}
+
+// Cancel cancels the build by ID
+func (b *Backend) Cancel(ctx context.Context, id string) error {
+	return b.buildkit.Cancel(ctx, id)
+}
+
+func squashBuild(build *builder.Result, imageComponent ImageComponent) (string, error) {
+	var fromID string
+	if build.FromImage != nil {
+		fromID = build.FromImage.ImageID()
+	}
+	imageID, err := imageComponent.SquashImage(build.ImageID, fromID)
+	if err != nil {
+		return "", errors.Wrap(err, "error squashing image")
+	}
+	return imageID, nil
+}
diff --git a/engine/api/server/backend/build/tag.go b/engine/api/server/backend/build/tag.go
new file mode 100644
index 00000000..f840b9d7
--- /dev/null
+++ b/engine/api/server/backend/build/tag.go
@@ -0,0 +1,77 @@
+package build // import "github.com/docker/docker/api/server/backend/build"
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/image"
+	"github.com/pkg/errors"
+)
+
+// Tagger is responsible for tagging an image created by a builder
+type Tagger struct {
+	imageComponent ImageComponent
+	stdout         io.Writer
+	repoAndTags    []reference.Named
+}
+
+// NewTagger returns a new Tagger for tagging the images of a build.
+// If any of the names are invalid tags an error is returned.
+func NewTagger(backend ImageComponent, stdout io.Writer, names []string) (*Tagger, error) {
+	reposAndTags, err := sanitizeRepoAndTags(names)
+	if err != nil {
+		return nil, err
+	}
+	return &Tagger{
+		imageComponent: backend,
+		stdout:         stdout,
+		repoAndTags:    reposAndTags,
+	}, nil
+}
+
+// TagImages creates image tags for the imageID
+func (bt *Tagger) TagImages(imageID image.ID) error {
+	for _, rt := range bt.repoAndTags {
+		if err := bt.imageComponent.TagImageWithReference(imageID, rt); err != nil {
+			return err
+		}
+		fmt.Fprintf(bt.stdout, "Successfully tagged %s\n", reference.FamiliarString(rt))
+	}
+	return nil
+}
+
+// sanitizeRepoAndTags parses the raw "t" parameter received from the client
+// to a slice of repoAndTag.
+// It also validates each repoName and tag.
+func sanitizeRepoAndTags(names []string) ([]reference.Named, error) {
+	var (
+		repoAndTags []reference.Named
+		// This map is used for deduplicating the "-t" parameter.
+		uniqNames = make(map[string]struct{})
+	)
+	for _, repo := range names {
+		if repo == "" {
+			continue
+		}
+
+		ref, err := reference.ParseNormalizedNamed(repo)
+		if err != nil {
+			return nil, err
+		}
+
+		if _, isCanonical := ref.(reference.Canonical); isCanonical {
+			return nil, errors.New("build tag cannot contain a digest")
+		}
+
+		ref = reference.TagNameOnly(ref)
+
+		nameWithTag := ref.String()
+
+		if _, exists := uniqNames[nameWithTag]; !exists {
+			uniqNames[nameWithTag] = struct{}{}
+			repoAndTags = append(repoAndTags, ref)
+		}
+	}
+	return repoAndTags, nil
+}
diff --git a/engine/api/server/httputils/decoder.go b/engine/api/server/httputils/decoder.go
new file mode 100644
index 00000000..8293503c
--- /dev/null
+++ b/engine/api/server/httputils/decoder.go
@@ -0,0 +1,16 @@
+package httputils // import "github.com/docker/docker/api/server/httputils"
+
+import (
+	"io"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+)
+
+// ContainerDecoder specifies how
+// to translate an io.Reader into
+// container configuration.
+type ContainerDecoder interface {
+	DecodeConfig(src io.Reader) (*container.Config, *container.HostConfig, *network.NetworkingConfig, error)
+	DecodeHostConfig(src io.Reader) (*container.HostConfig, error)
+}
diff --git a/engine/api/server/httputils/errors.go b/engine/api/server/httputils/errors.go
new file mode 100644
index 00000000..a21affff
--- /dev/null
+++ b/engine/api/server/httputils/errors.go
@@ -0,0 +1,131 @@
+package httputils // import "github.com/docker/docker/api/server/httputils"
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
+	"github.com/gorilla/mux"
+	"github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+)
+
+type causer interface {
+	Cause() error
+}
+
+// GetHTTPErrorStatusCode retrieves status code from error message.
+func GetHTTPErrorStatusCode(err error) int {
+	if err == nil {
+		logrus.WithFields(logrus.Fields{"error": err}).Error("unexpected HTTP error handling")
+		return http.StatusInternalServerError
+	}
+
+	var statusCode int
+
+	// Stop right there
+	// Are you sure you should be adding a new error class here? Do one of the existing ones work?
+
+	// Note that the below functions are already checking the error causal chain for matches.
+	switch {
+	case errdefs.IsNotFound(err):
+		statusCode = http.StatusNotFound
+	case errdefs.IsInvalidParameter(err):
+		statusCode = http.StatusBadRequest
+	case errdefs.IsConflict(err) || errdefs.IsAlreadyExists(err):
+		statusCode = http.StatusConflict
+	case errdefs.IsUnauthorized(err):
+		statusCode = http.StatusUnauthorized
+	case errdefs.IsUnavailable(err):
+		statusCode = http.StatusServiceUnavailable
+	case errdefs.IsForbidden(err):
+		statusCode = http.StatusForbidden
+	case errdefs.IsNotModified(err):
+		statusCode = http.StatusNotModified
+	case errdefs.IsNotImplemented(err):
+		statusCode = http.StatusNotImplemented
+	case errdefs.IsSystem(err) || errdefs.IsUnknown(err) || errdefs.IsDataLoss(err) || errdefs.IsDeadline(err) || errdefs.IsCancelled(err):
+		statusCode = http.StatusInternalServerError
+	default:
+		statusCode = statusCodeFromGRPCError(err)
+		if statusCode != http.StatusInternalServerError {
+			return statusCode
+		}
+
+		if e, ok := err.(causer); ok {
+			return GetHTTPErrorStatusCode(e.Cause())
+		}
+
+		logrus.WithFields(logrus.Fields{
+			"module":     "api",
+			"error_type": fmt.Sprintf("%T", err),
+		}).Debugf("FIXME: Got an API for which error does not match any expected type!!!: %+v", err)
+	}
+
+	if statusCode == 0 {
+		statusCode = http.StatusInternalServerError
+	}
+
+	return statusCode
+}
+
+func apiVersionSupportsJSONErrors(version string) bool {
+	const firstAPIVersionWithJSONErrors = "1.23"
+	return version == "" || versions.GreaterThan(version, firstAPIVersionWithJSONErrors)
+}
+
+// MakeErrorHandler makes an HTTP handler that decodes a Docker error and
+// returns it in the response.
+func MakeErrorHandler(err error) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		statusCode := GetHTTPErrorStatusCode(err)
+		vars := mux.Vars(r)
+		if apiVersionSupportsJSONErrors(vars["version"]) {
+			response := &types.ErrorResponse{
+				Message: err.Error(),
+			}
+			WriteJSON(w, statusCode, response)
+		} else {
+			http.Error(w, grpc.ErrorDesc(err), statusCode)
+		}
+	}
+}
+
+// statusCodeFromGRPCError returns status code according to gRPC error
+func statusCodeFromGRPCError(err error) int {
+	switch grpc.Code(err) {
+	case codes.InvalidArgument: // code 3
+		return http.StatusBadRequest
+	case codes.NotFound: // code 5
+		return http.StatusNotFound
+	case codes.AlreadyExists: // code 6
+		return http.StatusConflict
+	case codes.PermissionDenied: // code 7
+		return http.StatusForbidden
+	case codes.FailedPrecondition: // code 9
+		return http.StatusBadRequest
+	case codes.Unauthenticated: // code 16
+		return http.StatusUnauthorized
+	case codes.OutOfRange: // code 11
+		return http.StatusBadRequest
+	case codes.Unimplemented: // code 12
+		return http.StatusNotImplemented
+	case codes.Unavailable: // code 14
+		return http.StatusServiceUnavailable
+	default:
+		if e, ok := err.(causer); ok {
+			return statusCodeFromGRPCError(e.Cause())
+		}
+		// codes.Canceled(1)
+		// codes.Unknown(2)
+		// codes.DeadlineExceeded(4)
+		// codes.ResourceExhausted(8)
+		// codes.Aborted(10)
+		// codes.Internal(13)
+		// codes.DataLoss(15)
+		return http.StatusInternalServerError
+	}
+}
diff --git a/engine/api/server/httputils/form.go b/engine/api/server/httputils/form.go
new file mode 100644
index 00000000..6d166eac
--- /dev/null
+++ b/engine/api/server/httputils/form.go
@@ -0,0 +1,76 @@
+package httputils // import "github.com/docker/docker/api/server/httputils"
+
+import (
+	"net/http"
+	"strconv"
+	"strings"
+)
+
+// BoolValue transforms a form value in different formats into a boolean type.
+func BoolValue(r *http.Request, k string) bool {
+	s := strings.ToLower(strings.TrimSpace(r.FormValue(k)))
+	return !(s == "" || s == "0" || s == "no" || s == "false" || s == "none")
+}
+
+// BoolValueOrDefault returns the default bool passed if the query param is
+// missing, otherwise it's just a proxy to boolValue above.
+func BoolValueOrDefault(r *http.Request, k string, d bool) bool {
+	if _, ok := r.Form[k]; !ok {
+		return d
+	}
+	return BoolValue(r, k)
+}
+
+// Int64ValueOrZero parses a form value into an int64 type.
+// It returns 0 if the parsing fails.
+func Int64ValueOrZero(r *http.Request, k string) int64 {
+	val, err := Int64ValueOrDefault(r, k, 0)
+	if err != nil {
+		return 0
+	}
+	return val
+}
+
+// Int64ValueOrDefault parses a form value into an int64 type. If there is an
+// error, returns the error. If there is no value returns the default value.
+func Int64ValueOrDefault(r *http.Request, field string, def int64) (int64, error) {
+	if r.Form.Get(field) != "" {
+		value, err := strconv.ParseInt(r.Form.Get(field), 10, 64)
+		return value, err
+	}
+	return def, nil
+}
+
+// ArchiveOptions stores archive information for different operations.
+type ArchiveOptions struct {
+	Name string
+	Path string
+}
+
+type badParameterError struct {
+	param string
+}
+
+func (e badParameterError) Error() string {
+	return "bad parameter: " + e.param + "cannot be empty"
+}
+
+func (e badParameterError) InvalidParameter() {}
+
+// ArchiveFormValues parses form values and turns them into ArchiveOptions.
+// It fails if the archive name and path are not in the request.
+func ArchiveFormValues(r *http.Request, vars map[string]string) (ArchiveOptions, error) {
+	if err := ParseForm(r); err != nil {
+		return ArchiveOptions{}, err
+	}
+
+	name := vars["name"]
+	if name == "" {
+		return ArchiveOptions{}, badParameterError{"name"}
+	}
+	path := r.Form.Get("path")
+	if path == "" {
+		return ArchiveOptions{}, badParameterError{"path"}
+	}
+	return ArchiveOptions{name, path}, nil
+}
diff --git a/engine/api/server/httputils/form_test.go b/engine/api/server/httputils/form_test.go
new file mode 100644
index 00000000..e7e2daea
--- /dev/null
+++ b/engine/api/server/httputils/form_test.go
@@ -0,0 +1,105 @@
+package httputils // import "github.com/docker/docker/api/server/httputils"
+
+import (
+	"net/http"
+	"net/url"
+	"testing"
+)
+
+func TestBoolValue(t *testing.T) {
+	cases := map[string]bool{
+		"":      false,
+		"0":     false,
+		"no":    false,
+		"false": false,
+		"none":  false,
+		"1":     true,
+		"yes":   true,
+		"true":  true,
+		"one":   true,
+		"100":   true,
+	}
+
+	for c, e := range cases {
+		v := url.Values{}
+		v.Set("test", c)
+		r, _ := http.NewRequest("POST", "", nil)
+		r.Form = v
+
+		a := BoolValue(r, "test")
+		if a != e {
+			t.Fatalf("Value: %s, expected: %v, actual: %v", c, e, a)
+		}
+	}
+}
+
+func TestBoolValueOrDefault(t *testing.T) {
+	r, _ := http.NewRequest("GET", "", nil)
+	if !BoolValueOrDefault(r, "queryparam", true) {
+		t.Fatal("Expected to get true default value, got false")
+	}
+
+	v := url.Values{}
+	v.Set("param", "")
+	r, _ = http.NewRequest("GET", "", nil)
+	r.Form = v
+	if BoolValueOrDefault(r, "param", true) {
+		t.Fatal("Expected not to get true")
+	}
+}
+
+func TestInt64ValueOrZero(t *testing.T) {
+	cases := map[string]int64{
+		"":     0,
+		"asdf": 0,
+		"0":    0,
+		"1":    1,
+	}
+
+	for c, e := range cases {
+		v := url.Values{}
+		v.Set("test", c)
+		r, _ := http.NewRequest("POST", "", nil)
+		r.Form = v
+
+		a := Int64ValueOrZero(r, "test")
+		if a != e {
+			t.Fatalf("Value: %s, expected: %v, actual: %v", c, e, a)
+		}
+	}
+}
+
+func TestInt64ValueOrDefault(t *testing.T) {
+	cases := map[string]int64{
+		"":   -1,
+		"-1": -1,
+		"42": 42,
+	}
+
+	for c, e := range cases {
+		v := url.Values{}
+		v.Set("test", c)
+		r, _ := http.NewRequest("POST", "", nil)
+		r.Form = v
+
+		a, err := Int64ValueOrDefault(r, "test", -1)
+		if a != e {
+			t.Fatalf("Value: %s, expected: %v, actual: %v", c, e, a)
+		}
+		if err != nil {
+			t.Fatalf("Error should be nil, but received: %s", err)
+		}
+	}
+}
+
+func TestInt64ValueOrDefaultWithError(t *testing.T) {
+	v := url.Values{}
+	v.Set("test", "invalid")
+	r, _ := http.NewRequest("POST", "", nil)
+	r.Form = v
+
+	_, err := Int64ValueOrDefault(r, "test", -1)
+	if err == nil {
+		t.Fatal("Expected an error.")
+	}
+}
diff --git a/engine/api/server/httputils/httputils.go b/engine/api/server/httputils/httputils.go
new file mode 100644
index 00000000..5a685441
--- /dev/null
+++ b/engine/api/server/httputils/httputils.go
@@ -0,0 +1,100 @@
+package httputils // import "github.com/docker/docker/api/server/httputils"
+
+import (
+	"context"
+	"io"
+	"mime"
+	"net/http"
+	"strings"
+
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type contextKey string
+
+// APIVersionKey is the client's requested API version.
+const APIVersionKey contextKey = "api-version"
+
+// APIFunc is an adapter to allow the use of ordinary functions as Docker API endpoints.
+// Any function that has the appropriate signature can be registered as an API endpoint (e.g. getVersion).
+type APIFunc func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error
+
+// HijackConnection interrupts the http response writer to get the
+// underlying connection and operate with it.
+func HijackConnection(w http.ResponseWriter) (io.ReadCloser, io.Writer, error) {
+	conn, _, err := w.(http.Hijacker).Hijack()
+	if err != nil {
+		return nil, nil, err
+	}
+	// Flush the options to make sure the client sets the raw mode
+	conn.Write([]byte{})
+	return conn, conn, nil
+}
+
+// CloseStreams ensures that a list for http streams are properly closed.
+func CloseStreams(streams ...interface{}) {
+	for _, stream := range streams {
+		if tcpc, ok := stream.(interface {
+			CloseWrite() error
+		}); ok {
+			tcpc.CloseWrite()
+		} else if closer, ok := stream.(io.Closer); ok {
+			closer.Close()
+		}
+	}
+}
+
+// CheckForJSON makes sure that the request's Content-Type is application/json.
+func CheckForJSON(r *http.Request) error {
+	ct := r.Header.Get("Content-Type")
+
+	// No Content-Type header is ok as long as there's no Body
+	if ct == "" {
+		if r.Body == nil || r.ContentLength == 0 {
+			return nil
+		}
+	}
+
+	// Otherwise it better be json
+	if matchesContentType(ct, "application/json") {
+		return nil
+	}
+	return errdefs.InvalidParameter(errors.Errorf("Content-Type specified (%s) must be 'application/json'", ct))
+}
+
+// ParseForm ensures the request form is parsed even with invalid content types.
+// If we don't do this, POST method without Content-type (even with empty body) will fail.
+func ParseForm(r *http.Request) error {
+	if r == nil {
+		return nil
+	}
+	if err := r.ParseForm(); err != nil && !strings.HasPrefix(err.Error(), "mime:") {
+		return errdefs.InvalidParameter(err)
+	}
+	return nil
+}
+
+// VersionFromContext returns an API version from the context using APIVersionKey.
+// It panics if the context value does not have version.Version type.
+func VersionFromContext(ctx context.Context) string {
+	if ctx == nil {
+		return ""
+	}
+
+	if val := ctx.Value(APIVersionKey); val != nil {
+		return val.(string)
+	}
+
+	return ""
+}
+
+// matchesContentType validates the content type against the expected one
+func matchesContentType(contentType, expectedType string) bool {
+	mimetype, _, err := mime.ParseMediaType(contentType)
+	if err != nil {
+		logrus.Errorf("Error parsing media type: %s error: %v", contentType, err)
+	}
+	return err == nil && mimetype == expectedType
+}
diff --git a/engine/api/server/httputils/httputils_test.go b/engine/api/server/httputils/httputils_test.go
new file mode 100644
index 00000000..97f83188
--- /dev/null
+++ b/engine/api/server/httputils/httputils_test.go
@@ -0,0 +1,18 @@
+package httputils // import "github.com/docker/docker/api/server/httputils"
+
+import "testing"
+
+// matchesContentType
+func TestJsonContentType(t *testing.T) {
+	if !matchesContentType("application/json", "application/json") {
+		t.Fail()
+	}
+
+	if !matchesContentType("application/json; charset=utf-8", "application/json") {
+		t.Fail()
+	}
+
+	if matchesContentType("dockerapplication/json", "application/json") {
+		t.Fail()
+	}
+}
diff --git a/engine/api/server/httputils/httputils_write_json.go b/engine/api/server/httputils/httputils_write_json.go
new file mode 100644
index 00000000..148dd038
--- /dev/null
+++ b/engine/api/server/httputils/httputils_write_json.go
@@ -0,0 +1,15 @@
+package httputils // import "github.com/docker/docker/api/server/httputils"
+
+import (
+	"encoding/json"
+	"net/http"
+)
+
+// WriteJSON writes the value v to the http response stream as json with standard json encoding.
+func WriteJSON(w http.ResponseWriter, code int, v interface{}) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(code)
+	enc := json.NewEncoder(w)
+	enc.SetEscapeHTML(false)
+	return enc.Encode(v)
+}
diff --git a/engine/api/server/httputils/write_log_stream.go b/engine/api/server/httputils/write_log_stream.go
new file mode 100644
index 00000000..9e769c8b
--- /dev/null
+++ b/engine/api/server/httputils/write_log_stream.go
@@ -0,0 +1,84 @@
+package httputils // import "github.com/docker/docker/api/server/httputils"
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/url"
+	"sort"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/pkg/stdcopy"
+)
+
+// WriteLogStream writes an encoded byte stream of log messages from the
+// messages channel, multiplexing them with a stdcopy.Writer if mux is true
+func WriteLogStream(_ context.Context, w io.Writer, msgs <-chan *backend.LogMessage, config *types.ContainerLogsOptions, mux bool) {
+	wf := ioutils.NewWriteFlusher(w)
+	defer wf.Close()
+
+	wf.Flush()
+
+	outStream := io.Writer(wf)
+	errStream := outStream
+	sysErrStream := errStream
+	if mux {
+		sysErrStream = stdcopy.NewStdWriter(outStream, stdcopy.Systemerr)
+		errStream = stdcopy.NewStdWriter(outStream, stdcopy.Stderr)
+		outStream = stdcopy.NewStdWriter(outStream, stdcopy.Stdout)
+	}
+
+	for {
+		msg, ok := <-msgs
+		if !ok {
+			return
+		}
+		// check if the message contains an error. if so, write that error
+		// and exit
+		if msg.Err != nil {
+			fmt.Fprintf(sysErrStream, "Error grabbing logs: %v\n", msg.Err)
+			continue
+		}
+		logLine := msg.Line
+		if config.Details {
+			logLine = append(attrsByteSlice(msg.Attrs), ' ')
+			logLine = append(logLine, msg.Line...)
+		}
+		if config.Timestamps {
+			logLine = append([]byte(msg.Timestamp.Format(jsonmessage.RFC3339NanoFixed)+" "), logLine...)
+		}
+		if msg.Source == "stdout" && config.ShowStdout {
+			outStream.Write(logLine)
+		}
+		if msg.Source == "stderr" && config.ShowStderr {
+			errStream.Write(logLine)
+		}
+	}
+}
+
+type byKey []backend.LogAttr
+
+func (b byKey) Len() int           { return len(b) }
+func (b byKey) Less(i, j int) bool { return b[i].Key < b[j].Key }
+func (b byKey) Swap(i, j int)      { b[i], b[j] = b[j], b[i] }
+
+func attrsByteSlice(a []backend.LogAttr) []byte {
+	// Note this sorts "a" in-place. That is fine here - nothing else is
+	// going to use Attrs or care about the order.
+	sort.Sort(byKey(a))
+
+	var ret []byte
+	for i, pair := range a {
+		k, v := url.QueryEscape(pair.Key), url.QueryEscape(pair.Value)
+		ret = append(ret, []byte(k)...)
+		ret = append(ret, '=')
+		ret = append(ret, []byte(v)...)
+		if i != len(a)-1 {
+			ret = append(ret, ',')
+		}
+	}
+	return ret
+}
diff --git a/engine/api/server/middleware.go b/engine/api/server/middleware.go
new file mode 100644
index 00000000..3c5683fa
--- /dev/null
+++ b/engine/api/server/middleware.go
@@ -0,0 +1,24 @@
+package server // import "github.com/docker/docker/api/server"
+
+import (
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/server/middleware"
+	"github.com/sirupsen/logrus"
+)
+
+// handlerWithGlobalMiddlewares wraps the handler function for a request with
+// the server's global middlewares. The order of the middlewares is backwards,
+// meaning that the first in the list will be evaluated last.
+func (s *Server) handlerWithGlobalMiddlewares(handler httputils.APIFunc) httputils.APIFunc {
+	next := handler
+
+	for _, m := range s.middlewares {
+		next = m.WrapHandler(next)
+	}
+
+	if s.cfg.Logging && logrus.GetLevel() == logrus.DebugLevel {
+		next = middleware.DebugRequestMiddleware(next)
+	}
+
+	return next
+}
diff --git a/engine/api/server/middleware/cors.go b/engine/api/server/middleware/cors.go
new file mode 100644
index 00000000..54374690
--- /dev/null
+++ b/engine/api/server/middleware/cors.go
@@ -0,0 +1,37 @@
+package middleware // import "github.com/docker/docker/api/server/middleware"
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/sirupsen/logrus"
+)
+
+// CORSMiddleware injects CORS headers to each request
+// when it's configured.
+type CORSMiddleware struct {
+	defaultHeaders string
+}
+
+// NewCORSMiddleware creates a new CORSMiddleware with default headers.
+func NewCORSMiddleware(d string) CORSMiddleware {
+	return CORSMiddleware{defaultHeaders: d}
+}
+
+// WrapHandler returns a new handler function wrapping the previous one in the request chain.
+func (c CORSMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		// If "api-cors-header" is not given, but "api-enable-cors" is true, we set cors to "*"
+		// otherwise, all head values will be passed to HTTP handler
+		corsHeaders := c.defaultHeaders
+		if corsHeaders == "" {
+			corsHeaders = "*"
+		}
+
+		logrus.Debugf("CORS header is enabled and set to: %s", corsHeaders)
+		w.Header().Add("Access-Control-Allow-Origin", corsHeaders)
+		w.Header().Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, X-Registry-Auth")
+		w.Header().Add("Access-Control-Allow-Methods", "HEAD, GET, POST, DELETE, PUT, OPTIONS")
+		return handler(ctx, w, r, vars)
+	}
+}
diff --git a/engine/api/server/middleware/debug.go b/engine/api/server/middleware/debug.go
new file mode 100644
index 00000000..2cef1d46
--- /dev/null
+++ b/engine/api/server/middleware/debug.go
@@ -0,0 +1,94 @@
+package middleware // import "github.com/docker/docker/api/server/middleware"
+
+import (
+	"bufio"
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"strings"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/sirupsen/logrus"
+)
+
+// DebugRequestMiddleware dumps the request to logger
+func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		logrus.Debugf("Calling %s %s", r.Method, r.RequestURI)
+
+		if r.Method != "POST" {
+			return handler(ctx, w, r, vars)
+		}
+		if err := httputils.CheckForJSON(r); err != nil {
+			return handler(ctx, w, r, vars)
+		}
+		maxBodySize := 4096 // 4KB
+		if r.ContentLength > int64(maxBodySize) {
+			return handler(ctx, w, r, vars)
+		}
+
+		body := r.Body
+		bufReader := bufio.NewReaderSize(body, maxBodySize)
+		r.Body = ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() })
+
+		b, err := bufReader.Peek(maxBodySize)
+		if err != io.EOF {
+			// either there was an error reading, or the buffer is full (in which case the request is too large)
+			return handler(ctx, w, r, vars)
+		}
+
+		var postForm map[string]interface{}
+		if err := json.Unmarshal(b, &postForm); err == nil {
+			maskSecretKeys(postForm, r.RequestURI)
+			formStr, errMarshal := json.Marshal(postForm)
+			if errMarshal == nil {
+				logrus.Debugf("form data: %s", string(formStr))
+			} else {
+				logrus.Debugf("form data: %q", postForm)
+			}
+		}
+
+		return handler(ctx, w, r, vars)
+	}
+}
+
+func maskSecretKeys(inp interface{}, path string) {
+	// Remove any query string from the path
+	idx := strings.Index(path, "?")
+	if idx != -1 {
+		path = path[:idx]
+	}
+	// Remove trailing / characters
+	path = strings.TrimRight(path, "/")
+
+	if arr, ok := inp.([]interface{}); ok {
+		for _, f := range arr {
+			maskSecretKeys(f, path)
+		}
+		return
+	}
+
+	if form, ok := inp.(map[string]interface{}); ok {
+	loop0:
+		for k, v := range form {
+			for _, m := range []string{"password", "secret", "jointoken", "unlockkey", "signingcakey"} {
+				if strings.EqualFold(m, k) {
+					form[k] = "*****"
+					continue loop0
+				}
+			}
+			maskSecretKeys(v, path)
+		}
+
+		// Route-specific redactions
+		if strings.HasSuffix(path, "/secrets/create") {
+			for k := range form {
+				if k == "Data" {
+					form[k] = "*****"
+				}
+			}
+		}
+	}
+}
diff --git a/engine/api/server/middleware/debug_test.go b/engine/api/server/middleware/debug_test.go
new file mode 100644
index 00000000..a64b73e0
--- /dev/null
+++ b/engine/api/server/middleware/debug_test.go
@@ -0,0 +1,59 @@
+package middleware // import "github.com/docker/docker/api/server/middleware"
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestMaskSecretKeys(t *testing.T) {
+	tests := []struct {
+		path     string
+		input    map[string]interface{}
+		expected map[string]interface{}
+	}{
+		{
+			path:     "/v1.30/secrets/create",
+			input:    map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
+			expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
+		},
+		{
+			path:     "/v1.30/secrets/create//",
+			input:    map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
+			expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
+		},
+
+		{
+			path:     "/secrets/create?key=val",
+			input:    map[string]interface{}{"Data": "foo", "Name": "name", "Labels": map[string]interface{}{}},
+			expected: map[string]interface{}{"Data": "*****", "Name": "name", "Labels": map[string]interface{}{}},
+		},
+		{
+			path: "/v1.30/some/other/path",
+			input: map[string]interface{}{
+				"password": "pass",
+				"other": map[string]interface{}{
+					"secret":       "secret",
+					"jointoken":    "jointoken",
+					"unlockkey":    "unlockkey",
+					"signingcakey": "signingcakey",
+				},
+			},
+			expected: map[string]interface{}{
+				"password": "*****",
+				"other": map[string]interface{}{
+					"secret":       "*****",
+					"jointoken":    "*****",
+					"unlockkey":    "*****",
+					"signingcakey": "*****",
+				},
+			},
+		},
+	}
+
+	for _, testcase := range tests {
+		maskSecretKeys(testcase.input, testcase.path)
+		assert.Check(t, is.DeepEqual(testcase.expected, testcase.input))
+	}
+}
diff --git a/engine/api/server/middleware/experimental.go b/engine/api/server/middleware/experimental.go
new file mode 100644
index 00000000..4df5decc
--- /dev/null
+++ b/engine/api/server/middleware/experimental.go
@@ -0,0 +1,28 @@
+package middleware // import "github.com/docker/docker/api/server/middleware"
+
+import (
+	"context"
+	"net/http"
+)
+
+// ExperimentalMiddleware is a the middleware in charge of adding the
+// 'Docker-Experimental' header to every outgoing request
+type ExperimentalMiddleware struct {
+	experimental string
+}
+
+// NewExperimentalMiddleware creates a new ExperimentalMiddleware
+func NewExperimentalMiddleware(experimentalEnabled bool) ExperimentalMiddleware {
+	if experimentalEnabled {
+		return ExperimentalMiddleware{"true"}
+	}
+	return ExperimentalMiddleware{"false"}
+}
+
+// WrapHandler returns a new handler function wrapping the previous one in the request chain.
+func (e ExperimentalMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		w.Header().Set("Docker-Experimental", e.experimental)
+		return handler(ctx, w, r, vars)
+	}
+}
diff --git a/engine/api/server/middleware/middleware.go b/engine/api/server/middleware/middleware.go
new file mode 100644
index 00000000..43483f1e
--- /dev/null
+++ b/engine/api/server/middleware/middleware.go
@@ -0,0 +1,12 @@
+package middleware // import "github.com/docker/docker/api/server/middleware"
+
+import (
+	"context"
+	"net/http"
+)
+
+// Middleware is an interface to allow the use of ordinary functions as Docker API filters.
+// Any struct that has the appropriate signature can be registered as a middleware.
+type Middleware interface {
+	WrapHandler(func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error
+}
diff --git a/engine/api/server/middleware/version.go b/engine/api/server/middleware/version.go
new file mode 100644
index 00000000..88b11ca3
--- /dev/null
+++ b/engine/api/server/middleware/version.go
@@ -0,0 +1,65 @@
+package middleware // import "github.com/docker/docker/api/server/middleware"
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"runtime"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types/versions"
+)
+
+// VersionMiddleware is a middleware that
+// validates the client and server versions.
+type VersionMiddleware struct {
+	serverVersion  string
+	defaultVersion string
+	minVersion     string
+}
+
+// NewVersionMiddleware creates a new VersionMiddleware
+// with the default versions.
+func NewVersionMiddleware(s, d, m string) VersionMiddleware {
+	return VersionMiddleware{
+		serverVersion:  s,
+		defaultVersion: d,
+		minVersion:     m,
+	}
+}
+
+type versionUnsupportedError struct {
+	version, minVersion, maxVersion string
+}
+
+func (e versionUnsupportedError) Error() string {
+	if e.minVersion != "" {
+		return fmt.Sprintf("client version %s is too old. Minimum supported API version is %s, please upgrade your client to a newer version", e.version, e.minVersion)
+	}
+	return fmt.Sprintf("client version %s is too new. Maximum supported API version is %s", e.version, e.maxVersion)
+}
+
+func (e versionUnsupportedError) InvalidParameter() {}
+
+// WrapHandler returns a new handler function wrapping the previous one in the request chain.
+func (v VersionMiddleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		w.Header().Set("Server", fmt.Sprintf("Docker/%s (%s)", v.serverVersion, runtime.GOOS))
+		w.Header().Set("API-Version", v.defaultVersion)
+		w.Header().Set("OSType", runtime.GOOS)
+
+		apiVersion := vars["version"]
+		if apiVersion == "" {
+			apiVersion = v.defaultVersion
+		}
+		if versions.LessThan(apiVersion, v.minVersion) {
+			return versionUnsupportedError{version: apiVersion, minVersion: v.minVersion}
+		}
+		if versions.GreaterThan(apiVersion, v.defaultVersion) {
+			return versionUnsupportedError{version: apiVersion, maxVersion: v.defaultVersion}
+		}
+		ctx = context.WithValue(ctx, httputils.APIVersionKey, apiVersion)
+		return handler(ctx, w, r, vars)
+	}
+
+}
diff --git a/engine/api/server/middleware/version_test.go b/engine/api/server/middleware/version_test.go
new file mode 100644
index 00000000..edbc0bca
--- /dev/null
+++ b/engine/api/server/middleware/version_test.go
@@ -0,0 +1,92 @@
+package middleware // import "github.com/docker/docker/api/server/middleware"
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"runtime"
+	"testing"
+
+	"github.com/docker/docker/api/server/httputils"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestVersionMiddlewareVersion(t *testing.T) {
+	defaultVersion := "1.10.0"
+	minVersion := "1.2.0"
+	expectedVersion := defaultVersion
+	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		v := httputils.VersionFromContext(ctx)
+		assert.Check(t, is.Equal(expectedVersion, v))
+		return nil
+	}
+
+	m := NewVersionMiddleware(defaultVersion, defaultVersion, minVersion)
+	h := m.WrapHandler(handler)
+
+	req, _ := http.NewRequest("GET", "/containers/json", nil)
+	resp := httptest.NewRecorder()
+	ctx := context.Background()
+
+	tests := []struct {
+		reqVersion      string
+		expectedVersion string
+		errString       string
+	}{
+		{
+			expectedVersion: "1.10.0",
+		},
+		{
+			reqVersion:      "1.9.0",
+			expectedVersion: "1.9.0",
+		},
+		{
+			reqVersion: "0.1",
+			errString:  "client version 0.1 is too old. Minimum supported API version is 1.2.0, please upgrade your client to a newer version",
+		},
+		{
+			reqVersion: "9999.9999",
+			errString:  "client version 9999.9999 is too new. Maximum supported API version is 1.10.0",
+		},
+	}
+
+	for _, test := range tests {
+		expectedVersion = test.expectedVersion
+
+		err := h(ctx, resp, req, map[string]string{"version": test.reqVersion})
+
+		if test.errString != "" {
+			assert.Check(t, is.Error(err, test.errString))
+		} else {
+			assert.Check(t, err)
+		}
+	}
+}
+
+func TestVersionMiddlewareWithErrorsReturnsHeaders(t *testing.T) {
+	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		v := httputils.VersionFromContext(ctx)
+		assert.Check(t, len(v) != 0)
+		return nil
+	}
+
+	defaultVersion := "1.10.0"
+	minVersion := "1.2.0"
+	m := NewVersionMiddleware(defaultVersion, defaultVersion, minVersion)
+	h := m.WrapHandler(handler)
+
+	req, _ := http.NewRequest("GET", "/containers/json", nil)
+	resp := httptest.NewRecorder()
+	ctx := context.Background()
+
+	vars := map[string]string{"version": "0.1"}
+	err := h(ctx, resp, req, vars)
+	assert.Check(t, is.ErrorContains(err, ""))
+
+	hdr := resp.Result().Header
+	assert.Check(t, is.Contains(hdr.Get("Server"), "Docker/"+defaultVersion))
+	assert.Check(t, is.Contains(hdr.Get("Server"), runtime.GOOS))
+	assert.Check(t, is.Equal(hdr.Get("API-Version"), defaultVersion))
+	assert.Check(t, is.Equal(hdr.Get("OSType"), runtime.GOOS))
+}
diff --git a/engine/api/server/router/build/backend.go b/engine/api/server/router/build/backend.go
new file mode 100644
index 00000000..2ceae9d9
--- /dev/null
+++ b/engine/api/server/router/build/backend.go
@@ -0,0 +1,24 @@
+package build // import "github.com/docker/docker/api/server/router/build"
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+)
+
+// Backend abstracts an image builder whose only purpose is to build an image referenced by an imageID.
+type Backend interface {
+	// Build a Docker image returning the id of the image
+	// TODO: make this return a reference instead of string
+	Build(context.Context, backend.BuildConfig) (string, error)
+
+	// Prune build cache
+	PruneCache(context.Context) (*types.BuildCachePruneReport, error)
+
+	Cancel(context.Context, string) error
+}
+
+type experimentalProvider interface {
+	HasExperimental() bool
+}
diff --git a/engine/api/server/router/build/build.go b/engine/api/server/router/build/build.go
new file mode 100644
index 00000000..811cd391
--- /dev/null
+++ b/engine/api/server/router/build/build.go
@@ -0,0 +1,30 @@
+package build // import "github.com/docker/docker/api/server/router/build"
+
+import "github.com/docker/docker/api/server/router"
+
+// buildRouter is a router to talk with the build controller
+type buildRouter struct {
+	backend Backend
+	daemon  experimentalProvider
+	routes  []router.Route
+}
+
+// NewRouter initializes a new build router
+func NewRouter(b Backend, d experimentalProvider) router.Router {
+	r := &buildRouter{backend: b, daemon: d}
+	r.initRoutes()
+	return r
+}
+
+// Routes returns the available routers to the build controller
+func (r *buildRouter) Routes() []router.Route {
+	return r.routes
+}
+
+func (r *buildRouter) initRoutes() {
+	r.routes = []router.Route{
+		router.NewPostRoute("/build", r.postBuild, router.WithCancel),
+		router.NewPostRoute("/build/prune", r.postPrune, router.WithCancel),
+		router.NewPostRoute("/build/cancel", r.postCancel),
+	}
+}
diff --git a/engine/api/server/router/build/build_routes.go b/engine/api/server/router/build/build_routes.go
new file mode 100644
index 00000000..3073479c
--- /dev/null
+++ b/engine/api/server/router/build/build_routes.go
@@ -0,0 +1,409 @@
+package build // import "github.com/docker/docker/api/server/router/build"
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/streamformatter"
+	units "github.com/docker/go-units"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type invalidIsolationError string
+
+func (e invalidIsolationError) Error() string {
+	return fmt.Sprintf("Unsupported isolation: %q", string(e))
+}
+
+func (e invalidIsolationError) InvalidParameter() {}
+
+func newImageBuildOptions(ctx context.Context, r *http.Request) (*types.ImageBuildOptions, error) {
+	version := httputils.VersionFromContext(ctx)
+	options := &types.ImageBuildOptions{}
+	if httputils.BoolValue(r, "forcerm") && versions.GreaterThanOrEqualTo(version, "1.12") {
+		options.Remove = true
+	} else if r.FormValue("rm") == "" && versions.GreaterThanOrEqualTo(version, "1.12") {
+		options.Remove = true
+	} else {
+		options.Remove = httputils.BoolValue(r, "rm")
+	}
+	if httputils.BoolValue(r, "pull") && versions.GreaterThanOrEqualTo(version, "1.16") {
+		options.PullParent = true
+	}
+
+	options.Dockerfile = r.FormValue("dockerfile")
+	options.SuppressOutput = httputils.BoolValue(r, "q")
+	options.NoCache = httputils.BoolValue(r, "nocache")
+	options.ForceRemove = httputils.BoolValue(r, "forcerm")
+	options.MemorySwap = httputils.Int64ValueOrZero(r, "memswap")
+	options.Memory = httputils.Int64ValueOrZero(r, "memory")
+	options.CPUShares = httputils.Int64ValueOrZero(r, "cpushares")
+	options.CPUPeriod = httputils.Int64ValueOrZero(r, "cpuperiod")
+	options.CPUQuota = httputils.Int64ValueOrZero(r, "cpuquota")
+	options.CPUSetCPUs = r.FormValue("cpusetcpus")
+	options.CPUSetMems = r.FormValue("cpusetmems")
+	options.CgroupParent = r.FormValue("cgroupparent")
+	options.NetworkMode = r.FormValue("networkmode")
+	options.Tags = r.Form["t"]
+	options.ExtraHosts = r.Form["extrahosts"]
+	options.SecurityOpt = r.Form["securityopt"]
+	options.Squash = httputils.BoolValue(r, "squash")
+	options.Target = r.FormValue("target")
+	options.RemoteContext = r.FormValue("remote")
+	if versions.GreaterThanOrEqualTo(version, "1.32") {
+		options.Platform = r.FormValue("platform")
+	}
+
+	if r.Form.Get("shmsize") != "" {
+		shmSize, err := strconv.ParseInt(r.Form.Get("shmsize"), 10, 64)
+		if err != nil {
+			return nil, err
+		}
+		options.ShmSize = shmSize
+	}
+
+	if i := container.Isolation(r.FormValue("isolation")); i != "" {
+		if !container.Isolation.IsValid(i) {
+			return nil, invalidIsolationError(i)
+		}
+		options.Isolation = i
+	}
+
+	if runtime.GOOS != "windows" && options.SecurityOpt != nil {
+		return nil, errdefs.InvalidParameter(errors.New("The daemon on this platform does not support setting security options on build"))
+	}
+
+	var buildUlimits = []*units.Ulimit{}
+	ulimitsJSON := r.FormValue("ulimits")
+	if ulimitsJSON != "" {
+		if err := json.Unmarshal([]byte(ulimitsJSON), &buildUlimits); err != nil {
+			return nil, errors.Wrap(errdefs.InvalidParameter(err), "error reading ulimit settings")
+		}
+		options.Ulimits = buildUlimits
+	}
+
+	// Note that there are two ways a --build-arg might appear in the
+	// json of the query param:
+	//     "foo":"bar"
+	// and "foo":nil
+	// The first is the normal case, ie. --build-arg foo=bar
+	// or  --build-arg foo
+	// where foo's value was picked up from an env var.
+	// The second ("foo":nil) is where they put --build-arg foo
+	// but "foo" isn't set as an env var. In that case we can't just drop
+	// the fact they mentioned it, we need to pass that along to the builder
+	// so that it can print a warning about "foo" being unused if there is
+	// no "ARG foo" in the Dockerfile.
+	buildArgsJSON := r.FormValue("buildargs")
+	if buildArgsJSON != "" {
+		var buildArgs = map[string]*string{}
+		if err := json.Unmarshal([]byte(buildArgsJSON), &buildArgs); err != nil {
+			return nil, errors.Wrap(errdefs.InvalidParameter(err), "error reading build args")
+		}
+		options.BuildArgs = buildArgs
+	}
+
+	labelsJSON := r.FormValue("labels")
+	if labelsJSON != "" {
+		var labels = map[string]string{}
+		if err := json.Unmarshal([]byte(labelsJSON), &labels); err != nil {
+			return nil, errors.Wrap(errdefs.InvalidParameter(err), "error reading labels")
+		}
+		options.Labels = labels
+	}
+
+	cacheFromJSON := r.FormValue("cachefrom")
+	if cacheFromJSON != "" {
+		var cacheFrom = []string{}
+		if err := json.Unmarshal([]byte(cacheFromJSON), &cacheFrom); err != nil {
+			return nil, err
+		}
+		options.CacheFrom = cacheFrom
+	}
+	options.SessionID = r.FormValue("session")
+	options.BuildID = r.FormValue("buildid")
+	builderVersion, err := parseVersion(r.FormValue("version"))
+	if err != nil {
+		return nil, err
+	}
+	options.Version = builderVersion
+
+	return options, nil
+}
+
+func parseVersion(s string) (types.BuilderVersion, error) {
+	if s == "" || s == string(types.BuilderV1) {
+		return types.BuilderV1, nil
+	}
+	if s == string(types.BuilderBuildKit) {
+		return types.BuilderBuildKit, nil
+	}
+	return "", errors.Errorf("invalid version %s", s)
+}
+
+func (br *buildRouter) postPrune(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	report, err := br.backend.PruneCache(ctx)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, report)
+}
+
+func (br *buildRouter) postCancel(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	w.Header().Set("Content-Type", "application/json")
+
+	id := r.FormValue("id")
+	if id == "" {
+		return errors.Errorf("build ID not provided")
+	}
+
+	return br.backend.Cancel(ctx, id)
+}
+
+func (br *buildRouter) postBuild(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var (
+		notVerboseBuffer = bytes.NewBuffer(nil)
+		version          = httputils.VersionFromContext(ctx)
+	)
+
+	w.Header().Set("Content-Type", "application/json")
+
+	body := r.Body
+	var ww io.Writer = w
+	if body != nil {
+		// there is a possibility that output is written before request body
+		// has been fully read so we need to protect against it.
+		// this can be removed when
+		// https://github.com/golang/go/issues/15527
+		// https://github.com/golang/go/issues/22209
+		// has been fixed
+		body, ww = wrapOutputBufferedUntilRequestRead(body, ww)
+	}
+
+	output := ioutils.NewWriteFlusher(ww)
+	defer output.Close()
+
+	errf := func(err error) error {
+
+		if httputils.BoolValue(r, "q") && notVerboseBuffer.Len() > 0 {
+			output.Write(notVerboseBuffer.Bytes())
+		}
+
+		// Do not write the error in the http output if it's still empty.
+		// This prevents from writing a 200(OK) when there is an internal error.
+		if !output.Flushed() {
+			return err
+		}
+		_, err = output.Write(streamformatter.FormatError(err))
+		if err != nil {
+			logrus.Warnf("could not write error response: %v", err)
+		}
+		return nil
+	}
+
+	buildOptions, err := newImageBuildOptions(ctx, r)
+	if err != nil {
+		return errf(err)
+	}
+	buildOptions.AuthConfigs = getAuthConfigs(r.Header)
+
+	if buildOptions.Squash && !br.daemon.HasExperimental() {
+		return errdefs.InvalidParameter(errors.New("squash is only supported with experimental mode"))
+	}
+
+	if buildOptions.Version == types.BuilderBuildKit && !br.daemon.HasExperimental() {
+		return errdefs.InvalidParameter(errors.New("buildkit is only supported with experimental mode"))
+	}
+
+	out := io.Writer(output)
+	if buildOptions.SuppressOutput {
+		out = notVerboseBuffer
+	}
+
+	// Currently, only used if context is from a remote url.
+	// Look at code in DetectContextFromRemoteURL for more information.
+	createProgressReader := func(in io.ReadCloser) io.ReadCloser {
+		progressOutput := streamformatter.NewJSONProgressOutput(out, true)
+		return progress.NewProgressReader(in, progressOutput, r.ContentLength, "Downloading context", buildOptions.RemoteContext)
+	}
+
+	wantAux := versions.GreaterThanOrEqualTo(version, "1.30")
+
+	imgID, err := br.backend.Build(ctx, backend.BuildConfig{
+		Source:         body,
+		Options:        buildOptions,
+		ProgressWriter: buildProgressWriter(out, wantAux, createProgressReader),
+	})
+	if err != nil {
+		return errf(err)
+	}
+
+	// Everything worked so if -q was provided the output from the daemon
+	// should be just the image ID and we'll print that to stdout.
+	if buildOptions.SuppressOutput {
+		fmt.Fprintln(streamformatter.NewStdoutWriter(output), imgID)
+	}
+	return nil
+}
+
+func getAuthConfigs(header http.Header) map[string]types.AuthConfig {
+	authConfigs := map[string]types.AuthConfig{}
+	authConfigsEncoded := header.Get("X-Registry-Config")
+
+	if authConfigsEncoded == "" {
+		return authConfigs
+	}
+
+	authConfigsJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authConfigsEncoded))
+	// Pulling an image does not error when no auth is provided so to remain
+	// consistent with the existing api decode errors are ignored
+	json.NewDecoder(authConfigsJSON).Decode(&authConfigs)
+	return authConfigs
+}
+
+type syncWriter struct {
+	w  io.Writer
+	mu sync.Mutex
+}
+
+func (s *syncWriter) Write(b []byte) (count int, err error) {
+	s.mu.Lock()
+	count, err = s.w.Write(b)
+	s.mu.Unlock()
+	return
+}
+
+func buildProgressWriter(out io.Writer, wantAux bool, createProgressReader func(io.ReadCloser) io.ReadCloser) backend.ProgressWriter {
+	out = &syncWriter{w: out}
+
+	var aux *streamformatter.AuxFormatter
+	if wantAux {
+		aux = &streamformatter.AuxFormatter{Writer: out}
+	}
+
+	return backend.ProgressWriter{
+		Output:             out,
+		StdoutFormatter:    streamformatter.NewStdoutWriter(out),
+		StderrFormatter:    streamformatter.NewStderrWriter(out),
+		AuxFormatter:       aux,
+		ProgressReaderFunc: createProgressReader,
+	}
+}
+
+type flusher interface {
+	Flush()
+}
+
+func wrapOutputBufferedUntilRequestRead(rc io.ReadCloser, out io.Writer) (io.ReadCloser, io.Writer) {
+	var fl flusher = &ioutils.NopFlusher{}
+	if f, ok := out.(flusher); ok {
+		fl = f
+	}
+
+	w := &wcf{
+		buf:     bytes.NewBuffer(nil),
+		Writer:  out,
+		flusher: fl,
+	}
+	r := bufio.NewReader(rc)
+	_, err := r.Peek(1)
+	if err != nil {
+		return rc, out
+	}
+	rc = &rcNotifier{
+		Reader: r,
+		Closer: rc,
+		notify: w.notify,
+	}
+	return rc, w
+}
+
+type rcNotifier struct {
+	io.Reader
+	io.Closer
+	notify func()
+}
+
+func (r *rcNotifier) Read(b []byte) (int, error) {
+	n, err := r.Reader.Read(b)
+	if err != nil {
+		r.notify()
+	}
+	return n, err
+}
+
+func (r *rcNotifier) Close() error {
+	r.notify()
+	return r.Closer.Close()
+}
+
+type wcf struct {
+	io.Writer
+	flusher
+	mu      sync.Mutex
+	ready   bool
+	buf     *bytes.Buffer
+	flushed bool
+}
+
+func (w *wcf) Flush() {
+	w.mu.Lock()
+	w.flushed = true
+	if !w.ready {
+		w.mu.Unlock()
+		return
+	}
+	w.mu.Unlock()
+	w.flusher.Flush()
+}
+
+func (w *wcf) Flushed() bool {
+	w.mu.Lock()
+	b := w.flushed
+	w.mu.Unlock()
+	return b
+}
+
+func (w *wcf) Write(b []byte) (int, error) {
+	w.mu.Lock()
+	if !w.ready {
+		n, err := w.buf.Write(b)
+		w.mu.Unlock()
+		return n, err
+	}
+	w.mu.Unlock()
+	return w.Writer.Write(b)
+}
+
+func (w *wcf) notify() {
+	w.mu.Lock()
+	if !w.ready {
+		if w.buf.Len() > 0 {
+			io.Copy(w.Writer, w.buf)
+		}
+		if w.flushed {
+			w.flusher.Flush()
+		}
+		w.ready = true
+	}
+	w.mu.Unlock()
+}
diff --git a/engine/api/server/router/checkpoint/backend.go b/engine/api/server/router/checkpoint/backend.go
new file mode 100644
index 00000000..90c5d1a9
--- /dev/null
+++ b/engine/api/server/router/checkpoint/backend.go
@@ -0,0 +1,10 @@
+package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
+
+import "github.com/docker/docker/api/types"
+
+// Backend for Checkpoint
+type Backend interface {
+	CheckpointCreate(container string, config types.CheckpointCreateOptions) error
+	CheckpointDelete(container string, config types.CheckpointDeleteOptions) error
+	CheckpointList(container string, config types.CheckpointListOptions) ([]types.Checkpoint, error)
+}
diff --git a/engine/api/server/router/checkpoint/checkpoint.go b/engine/api/server/router/checkpoint/checkpoint.go
new file mode 100644
index 00000000..37bd0bda
--- /dev/null
+++ b/engine/api/server/router/checkpoint/checkpoint.go
@@ -0,0 +1,36 @@
+package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
+
+import (
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/server/router"
+)
+
+// checkpointRouter is a router to talk with the checkpoint controller
+type checkpointRouter struct {
+	backend Backend
+	decoder httputils.ContainerDecoder
+	routes  []router.Route
+}
+
+// NewRouter initializes a new checkpoint router
+func NewRouter(b Backend, decoder httputils.ContainerDecoder) router.Router {
+	r := &checkpointRouter{
+		backend: b,
+		decoder: decoder,
+	}
+	r.initRoutes()
+	return r
+}
+
+// Routes returns the available routers to the checkpoint controller
+func (r *checkpointRouter) Routes() []router.Route {
+	return r.routes
+}
+
+func (r *checkpointRouter) initRoutes() {
+	r.routes = []router.Route{
+		router.NewGetRoute("/containers/{name:.*}/checkpoints", r.getContainerCheckpoints, router.Experimental),
+		router.NewPostRoute("/containers/{name:.*}/checkpoints", r.postContainerCheckpoint, router.Experimental),
+		router.NewDeleteRoute("/containers/{name}/checkpoints/{checkpoint}", r.deleteContainerCheckpoint, router.Experimental),
+	}
+}
diff --git a/engine/api/server/router/checkpoint/checkpoint_routes.go b/engine/api/server/router/checkpoint/checkpoint_routes.go
new file mode 100644
index 00000000..6c03f976
--- /dev/null
+++ b/engine/api/server/router/checkpoint/checkpoint_routes.go
@@ -0,0 +1,65 @@
+package checkpoint // import "github.com/docker/docker/api/server/router/checkpoint"
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+)
+
+func (s *checkpointRouter) postContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	var options types.CheckpointCreateOptions
+
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&options); err != nil {
+		return err
+	}
+
+	err := s.backend.CheckpointCreate(vars["name"], options)
+	if err != nil {
+		return err
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	return nil
+}
+
+func (s *checkpointRouter) getContainerCheckpoints(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	checkpoints, err := s.backend.CheckpointList(vars["name"], types.CheckpointListOptions{
+		CheckpointDir: r.Form.Get("dir"),
+	})
+
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, checkpoints)
+}
+
+func (s *checkpointRouter) deleteContainerCheckpoint(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	err := s.backend.CheckpointDelete(vars["name"], types.CheckpointDeleteOptions{
+		CheckpointDir: r.Form.Get("dir"),
+		CheckpointID:  vars["checkpoint"],
+	})
+
+	if err != nil {
+		return err
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+	return nil
+}
diff --git a/engine/api/server/router/container/backend.go b/engine/api/server/router/container/backend.go
new file mode 100644
index 00000000..75ea1d82
--- /dev/null
+++ b/engine/api/server/router/container/backend.go
@@ -0,0 +1,83 @@
+package container // import "github.com/docker/docker/api/server/router/container"
+
+import (
+	"context"
+	"io"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/filters"
+	containerpkg "github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/archive"
+)
+
+// execBackend includes functions to implement to provide exec functionality.
+type execBackend interface {
+	ContainerExecCreate(name string, config *types.ExecConfig) (string, error)
+	ContainerExecInspect(id string) (*backend.ExecInspect, error)
+	ContainerExecResize(name string, height, width int) error
+	ContainerExecStart(ctx context.Context, name string, stdin io.Reader, stdout io.Writer, stderr io.Writer) error
+	ExecExists(name string) (bool, error)
+}
+
+// copyBackend includes functions to implement to provide container copy functionality.
+type copyBackend interface {
+	ContainerArchivePath(name string, path string) (content io.ReadCloser, stat *types.ContainerPathStat, err error)
+	ContainerCopy(name string, res string) (io.ReadCloser, error)
+	ContainerExport(name string, out io.Writer) error
+	ContainerExtractToDir(name, path string, copyUIDGID, noOverwriteDirNonDir bool, content io.Reader) error
+	ContainerStatPath(name string, path string) (stat *types.ContainerPathStat, err error)
+}
+
+// stateBackend includes functions to implement to provide container state lifecycle functionality.
+type stateBackend interface {
+	ContainerCreate(config types.ContainerCreateConfig) (container.ContainerCreateCreatedBody, error)
+	ContainerKill(name string, sig uint64) error
+	ContainerPause(name string) error
+	ContainerRename(oldName, newName string) error
+	ContainerResize(name string, height, width int) error
+	ContainerRestart(name string, seconds *int) error
+	ContainerRm(name string, config *types.ContainerRmConfig) error
+	ContainerStart(name string, hostConfig *container.HostConfig, checkpoint string, checkpointDir string) error
+	ContainerStop(name string, seconds *int) error
+	ContainerUnpause(name string) error
+	ContainerUpdate(name string, hostConfig *container.HostConfig) (container.ContainerUpdateOKBody, error)
+	ContainerWait(ctx context.Context, name string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error)
+}
+
+// monitorBackend includes functions to implement to provide containers monitoring functionality.
+type monitorBackend interface {
+	ContainerChanges(name string) ([]archive.Change, error)
+	ContainerInspect(name string, size bool, version string) (interface{}, error)
+	ContainerLogs(ctx context.Context, name string, config *types.ContainerLogsOptions) (msgs <-chan *backend.LogMessage, tty bool, err error)
+	ContainerStats(ctx context.Context, name string, config *backend.ContainerStatsConfig) error
+	ContainerTop(name string, psArgs string) (*container.ContainerTopOKBody, error)
+
+	Containers(config *types.ContainerListOptions) ([]*types.Container, error)
+}
+
+// attachBackend includes function to implement to provide container attaching functionality.
+type attachBackend interface {
+	ContainerAttach(name string, c *backend.ContainerAttachConfig) error
+}
+
+// systemBackend includes functions to implement to provide system wide containers functionality
+type systemBackend interface {
+	ContainersPrune(ctx context.Context, pruneFilters filters.Args) (*types.ContainersPruneReport, error)
+}
+
+type commitBackend interface {
+	CreateImageFromContainer(name string, config *backend.CreateImageConfig) (imageID string, err error)
+}
+
+// Backend is all the methods that need to be implemented to provide container specific functionality.
+type Backend interface {
+	commitBackend
+	execBackend
+	copyBackend
+	stateBackend
+	monitorBackend
+	attachBackend
+	systemBackend
+}
diff --git a/engine/api/server/router/container/container.go b/engine/api/server/router/container/container.go
new file mode 100644
index 00000000..358f2bc2
--- /dev/null
+++ b/engine/api/server/router/container/container.go
@@ -0,0 +1,70 @@
+package container // import "github.com/docker/docker/api/server/router/container"
+
+import (
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/server/router"
+)
+
+// containerRouter is a router to talk with the container controller
+type containerRouter struct {
+	backend Backend
+	decoder httputils.ContainerDecoder
+	routes  []router.Route
+}
+
+// NewRouter initializes a new container router
+func NewRouter(b Backend, decoder httputils.ContainerDecoder) router.Router {
+	r := &containerRouter{
+		backend: b,
+		decoder: decoder,
+	}
+	r.initRoutes()
+	return r
+}
+
+// Routes returns the available routes to the container controller
+func (r *containerRouter) Routes() []router.Route {
+	return r.routes
+}
+
+// initRoutes initializes the routes in container router
+func (r *containerRouter) initRoutes() {
+	r.routes = []router.Route{
+		// HEAD
+		router.NewHeadRoute("/containers/{name:.*}/archive", r.headContainersArchive),
+		// GET
+		router.NewGetRoute("/containers/json", r.getContainersJSON),
+		router.NewGetRoute("/containers/{name:.*}/export", r.getContainersExport),
+		router.NewGetRoute("/containers/{name:.*}/changes", r.getContainersChanges),
+		router.NewGetRoute("/containers/{name:.*}/json", r.getContainersByName),
+		router.NewGetRoute("/containers/{name:.*}/top", r.getContainersTop),
+		router.NewGetRoute("/containers/{name:.*}/logs", r.getContainersLogs, router.WithCancel),
+		router.NewGetRoute("/containers/{name:.*}/stats", r.getContainersStats, router.WithCancel),
+		router.NewGetRoute("/containers/{name:.*}/attach/ws", r.wsContainersAttach),
+		router.NewGetRoute("/exec/{id:.*}/json", r.getExecByID),
+		router.NewGetRoute("/containers/{name:.*}/archive", r.getContainersArchive),
+		// POST
+		router.NewPostRoute("/containers/create", r.postContainersCreate),
+		router.NewPostRoute("/containers/{name:.*}/kill", r.postContainersKill),
+		router.NewPostRoute("/containers/{name:.*}/pause", r.postContainersPause),
+		router.NewPostRoute("/containers/{name:.*}/unpause", r.postContainersUnpause),
+		router.NewPostRoute("/containers/{name:.*}/restart", r.postContainersRestart),
+		router.NewPostRoute("/containers/{name:.*}/start", r.postContainersStart),
+		router.NewPostRoute("/containers/{name:.*}/stop", r.postContainersStop),
+		router.NewPostRoute("/containers/{name:.*}/wait", r.postContainersWait, router.WithCancel),
+		router.NewPostRoute("/containers/{name:.*}/resize", r.postContainersResize),
+		router.NewPostRoute("/containers/{name:.*}/attach", r.postContainersAttach),
+		router.NewPostRoute("/containers/{name:.*}/copy", r.postContainersCopy), // Deprecated since 1.8, Errors out since 1.12
+		router.NewPostRoute("/containers/{name:.*}/exec", r.postContainerExecCreate),
+		router.NewPostRoute("/exec/{name:.*}/start", r.postContainerExecStart),
+		router.NewPostRoute("/exec/{name:.*}/resize", r.postContainerExecResize),
+		router.NewPostRoute("/containers/{name:.*}/rename", r.postContainerRename),
+		router.NewPostRoute("/containers/{name:.*}/update", r.postContainerUpdate),
+		router.NewPostRoute("/containers/prune", r.postContainersPrune, router.WithCancel),
+		router.NewPostRoute("/commit", r.postCommit),
+		// PUT
+		router.NewPutRoute("/containers/{name:.*}/archive", r.putContainersArchive),
+		// DELETE
+		router.NewDeleteRoute("/containers/{name:.*}", r.deleteContainers),
+	}
+}
diff --git a/engine/api/server/router/container/container_routes.go b/engine/api/server/router/container/container_routes.go
new file mode 100644
index 00000000..9282cea0
--- /dev/null
+++ b/engine/api/server/router/container/container_routes.go
@@ -0,0 +1,661 @@
+package container // import "github.com/docker/docker/api/server/router/container"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strconv"
+	"syscall"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/versions"
+	containerpkg "github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/net/websocket"
+)
+
+func (s *containerRouter) postCommit(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	if err := httputils.CheckForJSON(r); err != nil {
+		return err
+	}
+
+	// TODO: remove pause arg, and always pause in backend
+	pause := httputils.BoolValue(r, "pause")
+	version := httputils.VersionFromContext(ctx)
+	if r.FormValue("pause") == "" && versions.GreaterThanOrEqualTo(version, "1.13") {
+		pause = true
+	}
+
+	config, _, _, err := s.decoder.DecodeConfig(r.Body)
+	if err != nil && err != io.EOF { //Do not fail if body is empty.
+		return err
+	}
+
+	commitCfg := &backend.CreateImageConfig{
+		Pause:   pause,
+		Repo:    r.Form.Get("repo"),
+		Tag:     r.Form.Get("tag"),
+		Author:  r.Form.Get("author"),
+		Comment: r.Form.Get("comment"),
+		Config:  config,
+		Changes: r.Form["changes"],
+	}
+
+	imgID, err := s.backend.CreateImageFromContainer(r.Form.Get("container"), commitCfg)
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusCreated, &types.IDResponse{ID: imgID})
+}
+
+func (s *containerRouter) getContainersJSON(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	filter, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+
+	config := &types.ContainerListOptions{
+		All:     httputils.BoolValue(r, "all"),
+		Size:    httputils.BoolValue(r, "size"),
+		Since:   r.Form.Get("since"),
+		Before:  r.Form.Get("before"),
+		Filters: filter,
+	}
+
+	if tmpLimit := r.Form.Get("limit"); tmpLimit != "" {
+		limit, err := strconv.Atoi(tmpLimit)
+		if err != nil {
+			return err
+		}
+		config.Limit = limit
+	}
+
+	containers, err := s.backend.Containers(config)
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, containers)
+}
+
+func (s *containerRouter) getContainersStats(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	stream := httputils.BoolValueOrDefault(r, "stream", true)
+	if !stream {
+		w.Header().Set("Content-Type", "application/json")
+	}
+
+	config := &backend.ContainerStatsConfig{
+		Stream:    stream,
+		OutStream: w,
+		Version:   httputils.VersionFromContext(ctx),
+	}
+
+	return s.backend.ContainerStats(ctx, vars["name"], config)
+}
+
+func (s *containerRouter) getContainersLogs(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	// Args are validated before the stream starts because when it starts we're
+	// sending HTTP 200 by writing an empty chunk of data to tell the client that
+	// daemon is going to stream. By sending this initial HTTP 200 we can't report
+	// any error after the stream starts (i.e. container not found, wrong parameters)
+	// with the appropriate status code.
+	stdout, stderr := httputils.BoolValue(r, "stdout"), httputils.BoolValue(r, "stderr")
+	if !(stdout || stderr) {
+		return errdefs.InvalidParameter(errors.New("Bad parameters: you must choose at least one stream"))
+	}
+
+	containerName := vars["name"]
+	logsConfig := &types.ContainerLogsOptions{
+		Follow:     httputils.BoolValue(r, "follow"),
+		Timestamps: httputils.BoolValue(r, "timestamps"),
+		Since:      r.Form.Get("since"),
+		Until:      r.Form.Get("until"),
+		Tail:       r.Form.Get("tail"),
+		ShowStdout: stdout,
+		ShowStderr: stderr,
+		Details:    httputils.BoolValue(r, "details"),
+	}
+
+	msgs, tty, err := s.backend.ContainerLogs(ctx, containerName, logsConfig)
+	if err != nil {
+		return err
+	}
+
+	// if has a tty, we're not muxing streams. if it doesn't, we are. simple.
+	// this is the point of no return for writing a response. once we call
+	// WriteLogStream, the response has been started and errors will be
+	// returned in band by WriteLogStream
+	httputils.WriteLogStream(ctx, w, msgs, logsConfig, !tty)
+	return nil
+}
+
+func (s *containerRouter) getContainersExport(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return s.backend.ContainerExport(vars["name"], w)
+}
+
+type bodyOnStartError struct{}
+
+func (bodyOnStartError) Error() string {
+	return "starting container with non-empty request body was deprecated since API v1.22 and removed in v1.24"
+}
+
+func (bodyOnStartError) InvalidParameter() {}
+
+func (s *containerRouter) postContainersStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	// If contentLength is -1, we can assumed chunked encoding
+	// or more technically that the length is unknown
+	// https://golang.org/src/pkg/net/http/request.go#L139
+	// net/http otherwise seems to swallow any headers related to chunked encoding
+	// including r.TransferEncoding
+	// allow a nil body for backwards compatibility
+
+	version := httputils.VersionFromContext(ctx)
+	var hostConfig *container.HostConfig
+	// A non-nil json object is at least 7 characters.
+	if r.ContentLength > 7 || r.ContentLength == -1 {
+		if versions.GreaterThanOrEqualTo(version, "1.24") {
+			return bodyOnStartError{}
+		}
+
+		if err := httputils.CheckForJSON(r); err != nil {
+			return err
+		}
+
+		c, err := s.decoder.DecodeHostConfig(r.Body)
+		if err != nil {
+			return err
+		}
+		hostConfig = c
+	}
+
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	checkpoint := r.Form.Get("checkpoint")
+	checkpointDir := r.Form.Get("checkpoint-dir")
+	if err := s.backend.ContainerStart(vars["name"], hostConfig, checkpoint, checkpointDir); err != nil {
+		return err
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+	return nil
+}
+
+func (s *containerRouter) postContainersStop(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	var seconds *int
+	if tmpSeconds := r.Form.Get("t"); tmpSeconds != "" {
+		valSeconds, err := strconv.Atoi(tmpSeconds)
+		if err != nil {
+			return err
+		}
+		seconds = &valSeconds
+	}
+
+	if err := s.backend.ContainerStop(vars["name"], seconds); err != nil {
+		return err
+	}
+	w.WriteHeader(http.StatusNoContent)
+
+	return nil
+}
+
+func (s *containerRouter) postContainersKill(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	var sig syscall.Signal
+	name := vars["name"]
+
+	// If we have a signal, look at it. Otherwise, do nothing
+	if sigStr := r.Form.Get("signal"); sigStr != "" {
+		var err error
+		if sig, err = signal.ParseSignal(sigStr); err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+	}
+
+	if err := s.backend.ContainerKill(name, uint64(sig)); err != nil {
+		var isStopped bool
+		if errdefs.IsConflict(err) {
+			isStopped = true
+		}
+
+		// Return error that's not caused because the container is stopped.
+		// Return error if the container is not running and the api is >= 1.20
+		// to keep backwards compatibility.
+		version := httputils.VersionFromContext(ctx)
+		if versions.GreaterThanOrEqualTo(version, "1.20") || !isStopped {
+			return errors.Wrapf(err, "Cannot kill container: %s", name)
+		}
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+	return nil
+}
+
+func (s *containerRouter) postContainersRestart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	var seconds *int
+	if tmpSeconds := r.Form.Get("t"); tmpSeconds != "" {
+		valSeconds, err := strconv.Atoi(tmpSeconds)
+		if err != nil {
+			return err
+		}
+		seconds = &valSeconds
+	}
+
+	if err := s.backend.ContainerRestart(vars["name"], seconds); err != nil {
+		return err
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+
+	return nil
+}
+
+func (s *containerRouter) postContainersPause(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	if err := s.backend.ContainerPause(vars["name"]); err != nil {
+		return err
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+
+	return nil
+}
+
+func (s *containerRouter) postContainersUnpause(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	if err := s.backend.ContainerUnpause(vars["name"]); err != nil {
+		return err
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+
+	return nil
+}
+
+func (s *containerRouter) postContainersWait(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	// Behavior changed in version 1.30 to handle wait condition and to
+	// return headers immediately.
+	version := httputils.VersionFromContext(ctx)
+	legacyBehaviorPre130 := versions.LessThan(version, "1.30")
+	legacyRemovalWaitPre134 := false
+
+	// The wait condition defaults to "not-running".
+	waitCondition := containerpkg.WaitConditionNotRunning
+	if !legacyBehaviorPre130 {
+		if err := httputils.ParseForm(r); err != nil {
+			return err
+		}
+		switch container.WaitCondition(r.Form.Get("condition")) {
+		case container.WaitConditionNextExit:
+			waitCondition = containerpkg.WaitConditionNextExit
+		case container.WaitConditionRemoved:
+			waitCondition = containerpkg.WaitConditionRemoved
+			legacyRemovalWaitPre134 = versions.LessThan(version, "1.34")
+		}
+	}
+
+	// Note: the context should get canceled if the client closes the
+	// connection since this handler has been wrapped by the
+	// router.WithCancel() wrapper.
+	waitC, err := s.backend.ContainerWait(ctx, vars["name"], waitCondition)
+	if err != nil {
+		return err
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if !legacyBehaviorPre130 {
+		// Write response header immediately.
+		w.WriteHeader(http.StatusOK)
+		if flusher, ok := w.(http.Flusher); ok {
+			flusher.Flush()
+		}
+	}
+
+	// Block on the result of the wait operation.
+	status := <-waitC
+
+	// With API < 1.34, wait on WaitConditionRemoved did not return
+	// in case container removal failed. The only way to report an
+	// error back to the client is to not write anything (i.e. send
+	// an empty response which will be treated as an error).
+	if legacyRemovalWaitPre134 && status.Err() != nil {
+		return nil
+	}
+
+	var waitError *container.ContainerWaitOKBodyError
+	if status.Err() != nil {
+		waitError = &container.ContainerWaitOKBodyError{Message: status.Err().Error()}
+	}
+
+	return json.NewEncoder(w).Encode(&container.ContainerWaitOKBody{
+		StatusCode: int64(status.ExitCode()),
+		Error:      waitError,
+	})
+}
+
+func (s *containerRouter) getContainersChanges(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	changes, err := s.backend.ContainerChanges(vars["name"])
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, changes)
+}
+
+func (s *containerRouter) getContainersTop(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	procList, err := s.backend.ContainerTop(vars["name"], r.Form.Get("ps_args"))
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, procList)
+}
+
+func (s *containerRouter) postContainerRename(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	name := vars["name"]
+	newName := r.Form.Get("name")
+	if err := s.backend.ContainerRename(name, newName); err != nil {
+		return err
+	}
+	w.WriteHeader(http.StatusNoContent)
+	return nil
+}
+
+func (s *containerRouter) postContainerUpdate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	if err := httputils.CheckForJSON(r); err != nil {
+		return err
+	}
+
+	var updateConfig container.UpdateConfig
+
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&updateConfig); err != nil {
+		return err
+	}
+
+	hostConfig := &container.HostConfig{
+		Resources:     updateConfig.Resources,
+		RestartPolicy: updateConfig.RestartPolicy,
+	}
+
+	name := vars["name"]
+	resp, err := s.backend.ContainerUpdate(name, hostConfig)
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, resp)
+}
+
+func (s *containerRouter) postContainersCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	if err := httputils.CheckForJSON(r); err != nil {
+		return err
+	}
+
+	name := r.Form.Get("name")
+
+	config, hostConfig, networkingConfig, err := s.decoder.DecodeConfig(r.Body)
+	if err != nil {
+		return err
+	}
+	version := httputils.VersionFromContext(ctx)
+	adjustCPUShares := versions.LessThan(version, "1.19")
+
+	// When using API 1.24 and under, the client is responsible for removing the container
+	if hostConfig != nil && versions.LessThan(version, "1.25") {
+		hostConfig.AutoRemove = false
+	}
+
+	ccr, err := s.backend.ContainerCreate(types.ContainerCreateConfig{
+		Name:             name,
+		Config:           config,
+		HostConfig:       hostConfig,
+		NetworkingConfig: networkingConfig,
+		AdjustCPUShares:  adjustCPUShares,
+	})
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusCreated, ccr)
+}
+
+func (s *containerRouter) deleteContainers(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	name := vars["name"]
+	config := &types.ContainerRmConfig{
+		ForceRemove:  httputils.BoolValue(r, "force"),
+		RemoveVolume: httputils.BoolValue(r, "v"),
+		RemoveLink:   httputils.BoolValue(r, "link"),
+	}
+
+	if err := s.backend.ContainerRm(name, config); err != nil {
+		return err
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+
+	return nil
+}
+
+func (s *containerRouter) postContainersResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	height, err := strconv.Atoi(r.Form.Get("h"))
+	if err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+	width, err := strconv.Atoi(r.Form.Get("w"))
+	if err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	return s.backend.ContainerResize(vars["name"], height, width)
+}
+
+func (s *containerRouter) postContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	err := httputils.ParseForm(r)
+	if err != nil {
+		return err
+	}
+	containerName := vars["name"]
+
+	_, upgrade := r.Header["Upgrade"]
+	detachKeys := r.FormValue("detachKeys")
+
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		return errdefs.InvalidParameter(errors.Errorf("error attaching to container %s, hijack connection missing", containerName))
+	}
+
+	setupStreams := func() (io.ReadCloser, io.Writer, io.Writer, error) {
+		conn, _, err := hijacker.Hijack()
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		// set raw mode
+		conn.Write([]byte{})
+
+		if upgrade {
+			fmt.Fprintf(conn, "HTTP/1.1 101 UPGRADED\r\nContent-Type: application/vnd.docker.raw-stream\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\r\n")
+		} else {
+			fmt.Fprintf(conn, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n\r\n")
+		}
+
+		closer := func() error {
+			httputils.CloseStreams(conn)
+			return nil
+		}
+		return ioutils.NewReadCloserWrapper(conn, closer), conn, conn, nil
+	}
+
+	attachConfig := &backend.ContainerAttachConfig{
+		GetStreams: setupStreams,
+		UseStdin:   httputils.BoolValue(r, "stdin"),
+		UseStdout:  httputils.BoolValue(r, "stdout"),
+		UseStderr:  httputils.BoolValue(r, "stderr"),
+		Logs:       httputils.BoolValue(r, "logs"),
+		Stream:     httputils.BoolValue(r, "stream"),
+		DetachKeys: detachKeys,
+		MuxStreams: true,
+	}
+
+	if err = s.backend.ContainerAttach(containerName, attachConfig); err != nil {
+		logrus.Errorf("Handler for %s %s returned error: %v", r.Method, r.URL.Path, err)
+		// Remember to close stream if error happens
+		conn, _, errHijack := hijacker.Hijack()
+		if errHijack == nil {
+			statusCode := httputils.GetHTTPErrorStatusCode(err)
+			statusText := http.StatusText(statusCode)
+			fmt.Fprintf(conn, "HTTP/1.1 %d %s\r\nContent-Type: application/vnd.docker.raw-stream\r\n\r\n%s\r\n", statusCode, statusText, err.Error())
+			httputils.CloseStreams(conn)
+		} else {
+			logrus.Errorf("Error Hijacking: %v", err)
+		}
+	}
+	return nil
+}
+
+func (s *containerRouter) wsContainersAttach(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	containerName := vars["name"]
+
+	var err error
+	detachKeys := r.FormValue("detachKeys")
+
+	done := make(chan struct{})
+	started := make(chan struct{})
+
+	version := httputils.VersionFromContext(ctx)
+
+	setupStreams := func() (io.ReadCloser, io.Writer, io.Writer, error) {
+		wsChan := make(chan *websocket.Conn)
+		h := func(conn *websocket.Conn) {
+			wsChan <- conn
+			<-done
+		}
+
+		srv := websocket.Server{Handler: h, Handshake: nil}
+		go func() {
+			close(started)
+			srv.ServeHTTP(w, r)
+		}()
+
+		conn := <-wsChan
+		// In case version 1.28 and above, a binary frame will be sent.
+		// See 28176 for details.
+		if versions.GreaterThanOrEqualTo(version, "1.28") {
+			conn.PayloadType = websocket.BinaryFrame
+		}
+		return conn, conn, conn, nil
+	}
+
+	attachConfig := &backend.ContainerAttachConfig{
+		GetStreams: setupStreams,
+		Logs:       httputils.BoolValue(r, "logs"),
+		Stream:     httputils.BoolValue(r, "stream"),
+		DetachKeys: detachKeys,
+		UseStdin:   true,
+		UseStdout:  true,
+		UseStderr:  true,
+		MuxStreams: false, // TODO: this should be true since it's a single stream for both stdout and stderr
+	}
+
+	err = s.backend.ContainerAttach(containerName, attachConfig)
+	close(done)
+	select {
+	case <-started:
+		if err != nil {
+			logrus.Errorf("Error attaching websocket: %s", err)
+		} else {
+			logrus.Debug("websocket connection was closed by client")
+		}
+		return nil
+	default:
+	}
+	return err
+}
+
+func (s *containerRouter) postContainersPrune(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	pruneFilters, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	pruneReport, err := s.backend.ContainersPrune(ctx, pruneFilters)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, pruneReport)
+}
diff --git a/engine/api/server/router/container/copy.go b/engine/api/server/router/container/copy.go
new file mode 100644
index 00000000..837836d0
--- /dev/null
+++ b/engine/api/server/router/container/copy.go
@@ -0,0 +1,140 @@
+package container // import "github.com/docker/docker/api/server/router/container"
+
+import (
+	"compress/flate"
+	"compress/gzip"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"io"
+	"net/http"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	gddohttputil "github.com/golang/gddo/httputil"
+)
+
+type pathError struct{}
+
+func (pathError) Error() string {
+	return "Path cannot be empty"
+}
+
+func (pathError) InvalidParameter() {}
+
+// postContainersCopy is deprecated in favor of getContainersArchive.
+func (s *containerRouter) postContainersCopy(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	// Deprecated since 1.8, Errors out since 1.12
+	version := httputils.VersionFromContext(ctx)
+	if versions.GreaterThanOrEqualTo(version, "1.24") {
+		w.WriteHeader(http.StatusNotFound)
+		return nil
+	}
+	if err := httputils.CheckForJSON(r); err != nil {
+		return err
+	}
+
+	cfg := types.CopyConfig{}
+	if err := json.NewDecoder(r.Body).Decode(&cfg); err != nil {
+		return err
+	}
+
+	if cfg.Resource == "" {
+		return pathError{}
+	}
+
+	data, err := s.backend.ContainerCopy(vars["name"], cfg.Resource)
+	if err != nil {
+		return err
+	}
+	defer data.Close()
+
+	w.Header().Set("Content-Type", "application/x-tar")
+	_, err = io.Copy(w, data)
+	return err
+}
+
+// // Encode the stat to JSON, base64 encode, and place in a header.
+func setContainerPathStatHeader(stat *types.ContainerPathStat, header http.Header) error {
+	statJSON, err := json.Marshal(stat)
+	if err != nil {
+		return err
+	}
+
+	header.Set(
+		"X-Docker-Container-Path-Stat",
+		base64.StdEncoding.EncodeToString(statJSON),
+	)
+
+	return nil
+}
+
+func (s *containerRouter) headContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	v, err := httputils.ArchiveFormValues(r, vars)
+	if err != nil {
+		return err
+	}
+
+	stat, err := s.backend.ContainerStatPath(v.Name, v.Path)
+	if err != nil {
+		return err
+	}
+
+	return setContainerPathStatHeader(stat, w.Header())
+}
+
+func writeCompressedResponse(w http.ResponseWriter, r *http.Request, body io.Reader) error {
+	var cw io.Writer
+	switch gddohttputil.NegotiateContentEncoding(r, []string{"gzip", "deflate"}) {
+	case "gzip":
+		gw := gzip.NewWriter(w)
+		defer gw.Close()
+		cw = gw
+		w.Header().Set("Content-Encoding", "gzip")
+	case "deflate":
+		fw, err := flate.NewWriter(w, flate.DefaultCompression)
+		if err != nil {
+			return err
+		}
+		defer fw.Close()
+		cw = fw
+		w.Header().Set("Content-Encoding", "deflate")
+	default:
+		cw = w
+	}
+	_, err := io.Copy(cw, body)
+	return err
+}
+
+func (s *containerRouter) getContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	v, err := httputils.ArchiveFormValues(r, vars)
+	if err != nil {
+		return err
+	}
+
+	tarArchive, stat, err := s.backend.ContainerArchivePath(v.Name, v.Path)
+	if err != nil {
+		return err
+	}
+	defer tarArchive.Close()
+
+	if err := setContainerPathStatHeader(stat, w.Header()); err != nil {
+		return err
+	}
+
+	w.Header().Set("Content-Type", "application/x-tar")
+	return writeCompressedResponse(w, r, tarArchive)
+}
+
+func (s *containerRouter) putContainersArchive(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	v, err := httputils.ArchiveFormValues(r, vars)
+	if err != nil {
+		return err
+	}
+
+	noOverwriteDirNonDir := httputils.BoolValue(r, "noOverwriteDirNonDir")
+	copyUIDGID := httputils.BoolValue(r, "copyUIDGID")
+
+	return s.backend.ContainerExtractToDir(v.Name, v.Path, copyUIDGID, noOverwriteDirNonDir, r.Body)
+}
diff --git a/engine/api/server/router/container/exec.go b/engine/api/server/router/container/exec.go
new file mode 100644
index 00000000..25125edb
--- /dev/null
+++ b/engine/api/server/router/container/exec.go
@@ -0,0 +1,149 @@
+package container // import "github.com/docker/docker/api/server/router/container"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strconv"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/sirupsen/logrus"
+)
+
+func (s *containerRouter) getExecByID(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	eConfig, err := s.backend.ContainerExecInspect(vars["id"])
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, eConfig)
+}
+
+type execCommandError struct{}
+
+func (execCommandError) Error() string {
+	return "No exec command specified"
+}
+
+func (execCommandError) InvalidParameter() {}
+
+func (s *containerRouter) postContainerExecCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	if err := httputils.CheckForJSON(r); err != nil {
+		return err
+	}
+	name := vars["name"]
+
+	execConfig := &types.ExecConfig{}
+	if err := json.NewDecoder(r.Body).Decode(execConfig); err != nil {
+		return err
+	}
+
+	if len(execConfig.Cmd) == 0 {
+		return execCommandError{}
+	}
+
+	// Register an instance of Exec in container.
+	id, err := s.backend.ContainerExecCreate(name, execConfig)
+	if err != nil {
+		logrus.Errorf("Error setting up exec command in container %s: %v", name, err)
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusCreated, &types.IDResponse{
+		ID: id,
+	})
+}
+
+// TODO(vishh): Refactor the code to avoid having to specify stream config as part of both create and start.
+func (s *containerRouter) postContainerExecStart(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	version := httputils.VersionFromContext(ctx)
+	if versions.GreaterThan(version, "1.21") {
+		if err := httputils.CheckForJSON(r); err != nil {
+			return err
+		}
+	}
+
+	var (
+		execName                  = vars["name"]
+		stdin, inStream           io.ReadCloser
+		stdout, stderr, outStream io.Writer
+	)
+
+	execStartCheck := &types.ExecStartCheck{}
+	if err := json.NewDecoder(r.Body).Decode(execStartCheck); err != nil {
+		return err
+	}
+
+	if exists, err := s.backend.ExecExists(execName); !exists {
+		return err
+	}
+
+	if !execStartCheck.Detach {
+		var err error
+		// Setting up the streaming http interface.
+		inStream, outStream, err = httputils.HijackConnection(w)
+		if err != nil {
+			return err
+		}
+		defer httputils.CloseStreams(inStream, outStream)
+
+		if _, ok := r.Header["Upgrade"]; ok {
+			fmt.Fprint(outStream, "HTTP/1.1 101 UPGRADED\r\nContent-Type: application/vnd.docker.raw-stream\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n")
+		} else {
+			fmt.Fprint(outStream, "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.docker.raw-stream\r\n")
+		}
+
+		// copy headers that were removed as part of hijack
+		if err := w.Header().WriteSubset(outStream, nil); err != nil {
+			return err
+		}
+		fmt.Fprint(outStream, "\r\n")
+
+		stdin = inStream
+		stdout = outStream
+		if !execStartCheck.Tty {
+			stderr = stdcopy.NewStdWriter(outStream, stdcopy.Stderr)
+			stdout = stdcopy.NewStdWriter(outStream, stdcopy.Stdout)
+		}
+	}
+
+	// Now run the user process in container.
+	// Maybe we should we pass ctx here if we're not detaching?
+	if err := s.backend.ContainerExecStart(context.Background(), execName, stdin, stdout, stderr); err != nil {
+		if execStartCheck.Detach {
+			return err
+		}
+		stdout.Write([]byte(err.Error() + "\r\n"))
+		logrus.Errorf("Error running exec %s in container: %v", execName, err)
+	}
+	return nil
+}
+
+func (s *containerRouter) postContainerExecResize(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	height, err := strconv.Atoi(r.Form.Get("h"))
+	if err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+	width, err := strconv.Atoi(r.Form.Get("w"))
+	if err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	return s.backend.ContainerExecResize(vars["name"], height, width)
+}
diff --git a/engine/api/server/router/container/inspect.go b/engine/api/server/router/container/inspect.go
new file mode 100644
index 00000000..5c78d15b
--- /dev/null
+++ b/engine/api/server/router/container/inspect.go
@@ -0,0 +1,21 @@
+package container // import "github.com/docker/docker/api/server/router/container"
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/docker/docker/api/server/httputils"
+)
+
+// getContainersByName inspects container's configuration and serializes it as json.
+func (s *containerRouter) getContainersByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	displaySize := httputils.BoolValue(r, "size")
+
+	version := httputils.VersionFromContext(ctx)
+	json, err := s.backend.ContainerInspect(vars["name"], displaySize, version)
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, json)
+}
diff --git a/engine/api/server/router/debug/debug.go b/engine/api/server/router/debug/debug.go
new file mode 100644
index 00000000..ad05b68e
--- /dev/null
+++ b/engine/api/server/router/debug/debug.go
@@ -0,0 +1,53 @@
+package debug // import "github.com/docker/docker/api/server/router/debug"
+
+import (
+	"context"
+	"expvar"
+	"net/http"
+	"net/http/pprof"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/server/router"
+)
+
+// NewRouter creates a new debug router
+// The debug router holds endpoints for debug the daemon, such as those for pprof.
+func NewRouter() router.Router {
+	r := &debugRouter{}
+	r.initRoutes()
+	return r
+}
+
+type debugRouter struct {
+	routes []router.Route
+}
+
+func (r *debugRouter) initRoutes() {
+	r.routes = []router.Route{
+		router.NewGetRoute("/vars", frameworkAdaptHandler(expvar.Handler())),
+		router.NewGetRoute("/pprof/", frameworkAdaptHandlerFunc(pprof.Index)),
+		router.NewGetRoute("/pprof/cmdline", frameworkAdaptHandlerFunc(pprof.Cmdline)),
+		router.NewGetRoute("/pprof/profile", frameworkAdaptHandlerFunc(pprof.Profile)),
+		router.NewGetRoute("/pprof/symbol", frameworkAdaptHandlerFunc(pprof.Symbol)),
+		router.NewGetRoute("/pprof/trace", frameworkAdaptHandlerFunc(pprof.Trace)),
+		router.NewGetRoute("/pprof/{name}", handlePprof),
+	}
+}
+
+func (r *debugRouter) Routes() []router.Route {
+	return r.routes
+}
+
+func frameworkAdaptHandler(handler http.Handler) httputils.APIFunc {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		handler.ServeHTTP(w, r)
+		return nil
+	}
+}
+
+func frameworkAdaptHandlerFunc(handler http.HandlerFunc) httputils.APIFunc {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		handler(w, r)
+		return nil
+	}
+}
diff --git a/engine/api/server/router/debug/debug_routes.go b/engine/api/server/router/debug/debug_routes.go
new file mode 100644
index 00000000..125bed72
--- /dev/null
+++ b/engine/api/server/router/debug/debug_routes.go
@@ -0,0 +1,12 @@
+package debug // import "github.com/docker/docker/api/server/router/debug"
+
+import (
+	"context"
+	"net/http"
+	"net/http/pprof"
+)
+
+func handlePprof(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	pprof.Handler(vars["name"]).ServeHTTP(w, r)
+	return nil
+}
diff --git a/engine/api/server/router/distribution/backend.go b/engine/api/server/router/distribution/backend.go
new file mode 100644
index 00000000..5b881f03
--- /dev/null
+++ b/engine/api/server/router/distribution/backend.go
@@ -0,0 +1,15 @@
+package distribution // import "github.com/docker/docker/api/server/router/distribution"
+
+import (
+	"context"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+)
+
+// Backend is all the methods that need to be implemented
+// to provide image specific functionality.
+type Backend interface {
+	GetRepository(context.Context, reference.Named, *types.AuthConfig) (distribution.Repository, bool, error)
+}
diff --git a/engine/api/server/router/distribution/distribution.go b/engine/api/server/router/distribution/distribution.go
new file mode 100644
index 00000000..1e9e5ff8
--- /dev/null
+++ b/engine/api/server/router/distribution/distribution.go
@@ -0,0 +1,31 @@
+package distribution // import "github.com/docker/docker/api/server/router/distribution"
+
+import "github.com/docker/docker/api/server/router"
+
+// distributionRouter is a router to talk with the registry
+type distributionRouter struct {
+	backend Backend
+	routes  []router.Route
+}
+
+// NewRouter initializes a new distribution router
+func NewRouter(backend Backend) router.Router {
+	r := &distributionRouter{
+		backend: backend,
+	}
+	r.initRoutes()
+	return r
+}
+
+// Routes returns the available routes
+func (r *distributionRouter) Routes() []router.Route {
+	return r.routes
+}
+
+// initRoutes initializes the routes in the distribution router
+func (r *distributionRouter) initRoutes() {
+	r.routes = []router.Route{
+		// GET
+		router.NewGetRoute("/distribution/{name:.*}/json", r.getDistributionInfo),
+	}
+}
diff --git a/engine/api/server/router/distribution/distribution_routes.go b/engine/api/server/router/distribution/distribution_routes.go
new file mode 100644
index 00000000..531dba69
--- /dev/null
+++ b/engine/api/server/router/distribution/distribution_routes.go
@@ -0,0 +1,138 @@
+package distribution // import "github.com/docker/docker/api/server/router/distribution"
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"strings"
+
+	"github.com/docker/distribution/manifest/manifestlist"
+	"github.com/docker/distribution/manifest/schema1"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+func (s *distributionRouter) getDistributionInfo(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+
+	var (
+		config              = &types.AuthConfig{}
+		authEncoded         = r.Header.Get("X-Registry-Auth")
+		distributionInspect registrytypes.DistributionInspect
+	)
+
+	if authEncoded != "" {
+		authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded))
+		if err := json.NewDecoder(authJSON).Decode(&config); err != nil {
+			// for a search it is not an error if no auth was given
+			// to increase compatibility with the existing api it is defaulting to be empty
+			config = &types.AuthConfig{}
+		}
+	}
+
+	image := vars["name"]
+
+	ref, err := reference.ParseAnyReference(image)
+	if err != nil {
+		return err
+	}
+	namedRef, ok := ref.(reference.Named)
+	if !ok {
+		if _, ok := ref.(reference.Digested); ok {
+			// full image ID
+			return errors.Errorf("no manifest found for full image ID")
+		}
+		return errors.Errorf("unknown image reference format: %s", image)
+	}
+
+	distrepo, _, err := s.backend.GetRepository(ctx, namedRef, config)
+	if err != nil {
+		return err
+	}
+	blobsrvc := distrepo.Blobs(ctx)
+
+	if canonicalRef, ok := namedRef.(reference.Canonical); !ok {
+		namedRef = reference.TagNameOnly(namedRef)
+
+		taggedRef, ok := namedRef.(reference.NamedTagged)
+		if !ok {
+			return errors.Errorf("image reference not tagged: %s", image)
+		}
+
+		descriptor, err := distrepo.Tags(ctx).Get(ctx, taggedRef.Tag())
+		if err != nil {
+			return err
+		}
+		distributionInspect.Descriptor = v1.Descriptor{
+			MediaType: descriptor.MediaType,
+			Digest:    descriptor.Digest,
+			Size:      descriptor.Size,
+		}
+	} else {
+		// TODO(nishanttotla): Once manifests can be looked up as a blob, the
+		// descriptor should be set using blobsrvc.Stat(ctx, canonicalRef.Digest())
+		// instead of having to manually fill in the fields
+		distributionInspect.Descriptor.Digest = canonicalRef.Digest()
+	}
+
+	// we have a digest, so we can retrieve the manifest
+	mnfstsrvc, err := distrepo.Manifests(ctx)
+	if err != nil {
+		return err
+	}
+	mnfst, err := mnfstsrvc.Get(ctx, distributionInspect.Descriptor.Digest)
+	if err != nil {
+		return err
+	}
+
+	mediaType, payload, err := mnfst.Payload()
+	if err != nil {
+		return err
+	}
+	// update MediaType because registry might return something incorrect
+	distributionInspect.Descriptor.MediaType = mediaType
+	if distributionInspect.Descriptor.Size == 0 {
+		distributionInspect.Descriptor.Size = int64(len(payload))
+	}
+
+	// retrieve platform information depending on the type of manifest
+	switch mnfstObj := mnfst.(type) {
+	case *manifestlist.DeserializedManifestList:
+		for _, m := range mnfstObj.Manifests {
+			distributionInspect.Platforms = append(distributionInspect.Platforms, v1.Platform{
+				Architecture: m.Platform.Architecture,
+				OS:           m.Platform.OS,
+				OSVersion:    m.Platform.OSVersion,
+				OSFeatures:   m.Platform.OSFeatures,
+				Variant:      m.Platform.Variant,
+			})
+		}
+	case *schema2.DeserializedManifest:
+		configJSON, err := blobsrvc.Get(ctx, mnfstObj.Config.Digest)
+		var platform v1.Platform
+		if err == nil {
+			err := json.Unmarshal(configJSON, &platform)
+			if err == nil && (platform.OS != "" || platform.Architecture != "") {
+				distributionInspect.Platforms = append(distributionInspect.Platforms, platform)
+			}
+		}
+	case *schema1.SignedManifest:
+		platform := v1.Platform{
+			Architecture: mnfstObj.Architecture,
+			OS:           "linux",
+		}
+		distributionInspect.Platforms = append(distributionInspect.Platforms, platform)
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, distributionInspect)
+}
diff --git a/engine/api/server/router/experimental.go b/engine/api/server/router/experimental.go
new file mode 100644
index 00000000..c42e53a3
--- /dev/null
+++ b/engine/api/server/router/experimental.go
@@ -0,0 +1,68 @@
+package router // import "github.com/docker/docker/api/server/router"
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/docker/docker/api/server/httputils"
+)
+
+// ExperimentalRoute defines an experimental API route that can be enabled or disabled.
+type ExperimentalRoute interface {
+	Route
+
+	Enable()
+	Disable()
+}
+
+// experimentalRoute defines an experimental API route that can be enabled or disabled.
+// It implements ExperimentalRoute
+type experimentalRoute struct {
+	local   Route
+	handler httputils.APIFunc
+}
+
+// Enable enables this experimental route
+func (r *experimentalRoute) Enable() {
+	r.handler = r.local.Handler()
+}
+
+// Disable disables the experimental route
+func (r *experimentalRoute) Disable() {
+	r.handler = experimentalHandler
+}
+
+type notImplementedError struct{}
+
+func (notImplementedError) Error() string {
+	return "This experimental feature is disabled by default. Start the Docker daemon in experimental mode in order to enable it."
+}
+
+func (notImplementedError) NotImplemented() {}
+
+func experimentalHandler(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return notImplementedError{}
+}
+
+// Handler returns returns the APIFunc to let the server wrap it in middlewares.
+func (r *experimentalRoute) Handler() httputils.APIFunc {
+	return r.handler
+}
+
+// Method returns the http method that the route responds to.
+func (r *experimentalRoute) Method() string {
+	return r.local.Method()
+}
+
+// Path returns the subpath where the route responds to.
+func (r *experimentalRoute) Path() string {
+	return r.local.Path()
+}
+
+// Experimental will mark a route as experimental.
+func Experimental(r Route) Route {
+	return &experimentalRoute{
+		local:   r,
+		handler: experimentalHandler,
+	}
+}
diff --git a/engine/api/server/router/image/backend.go b/engine/api/server/router/image/backend.go
new file mode 100644
index 00000000..5837f9a9
--- /dev/null
+++ b/engine/api/server/router/image/backend.go
@@ -0,0 +1,41 @@
+package image // import "github.com/docker/docker/api/server/router/image"
+
+import (
+	"context"
+	"io"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types/registry"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// Backend is all the methods that need to be implemented
+// to provide image specific functionality.
+type Backend interface {
+	imageBackend
+	importExportBackend
+	registryBackend
+}
+
+type imageBackend interface {
+	ImageDelete(imageRef string, force, prune bool) ([]types.ImageDeleteResponseItem, error)
+	ImageHistory(imageName string) ([]*image.HistoryResponseItem, error)
+	Images(imageFilters filters.Args, all bool, withExtraAttrs bool) ([]*types.ImageSummary, error)
+	LookupImage(name string) (*types.ImageInspect, error)
+	TagImage(imageName, repository, tag string) (string, error)
+	ImagesPrune(ctx context.Context, pruneFilters filters.Args) (*types.ImagesPruneReport, error)
+}
+
+type importExportBackend interface {
+	LoadImage(inTar io.ReadCloser, outStream io.Writer, quiet bool) error
+	ImportImage(src string, repository, platform string, tag string, msg string, inConfig io.ReadCloser, outStream io.Writer, changes []string) error
+	ExportImage(names []string, outStream io.Writer) error
+}
+
+type registryBackend interface {
+	PullImage(ctx context.Context, image, tag string, platform *specs.Platform, metaHeaders map[string][]string, authConfig *types.AuthConfig, outStream io.Writer) error
+	PushImage(ctx context.Context, image, tag string, metaHeaders map[string][]string, authConfig *types.AuthConfig, outStream io.Writer) error
+	SearchRegistryForImages(ctx context.Context, filtersArgs string, term string, limit int, authConfig *types.AuthConfig, metaHeaders map[string][]string) (*registry.SearchResults, error)
+}
diff --git a/engine/api/server/router/image/image.go b/engine/api/server/router/image/image.go
new file mode 100644
index 00000000..6d5d87f6
--- /dev/null
+++ b/engine/api/server/router/image/image.go
@@ -0,0 +1,44 @@
+package image // import "github.com/docker/docker/api/server/router/image"
+
+import (
+	"github.com/docker/docker/api/server/router"
+)
+
+// imageRouter is a router to talk with the image controller
+type imageRouter struct {
+	backend Backend
+	routes  []router.Route
+}
+
+// NewRouter initializes a new image router
+func NewRouter(backend Backend) router.Router {
+	r := &imageRouter{backend: backend}
+	r.initRoutes()
+	return r
+}
+
+// Routes returns the available routes to the image controller
+func (r *imageRouter) Routes() []router.Route {
+	return r.routes
+}
+
+// initRoutes initializes the routes in the image router
+func (r *imageRouter) initRoutes() {
+	r.routes = []router.Route{
+		// GET
+		router.NewGetRoute("/images/json", r.getImagesJSON),
+		router.NewGetRoute("/images/search", r.getImagesSearch),
+		router.NewGetRoute("/images/get", r.getImagesGet),
+		router.NewGetRoute("/images/{name:.*}/get", r.getImagesGet),
+		router.NewGetRoute("/images/{name:.*}/history", r.getImagesHistory),
+		router.NewGetRoute("/images/{name:.*}/json", r.getImagesByName),
+		// POST
+		router.NewPostRoute("/images/load", r.postImagesLoad),
+		router.NewPostRoute("/images/create", r.postImagesCreate, router.WithCancel),
+		router.NewPostRoute("/images/{name:.*}/push", r.postImagesPush, router.WithCancel),
+		router.NewPostRoute("/images/{name:.*}/tag", r.postImagesTag),
+		router.NewPostRoute("/images/prune", r.postImagesPrune, router.WithCancel),
+		// DELETE
+		router.NewDeleteRoute("/images/{name:.*}", r.deleteImages),
+	}
+}
diff --git a/engine/api/server/router/image/image_routes.go b/engine/api/server/router/image/image_routes.go
new file mode 100644
index 00000000..85707c06
--- /dev/null
+++ b/engine/api/server/router/image/image_routes.go
@@ -0,0 +1,324 @@
+package image // import "github.com/docker/docker/api/server/router/image"
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/registry"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// Creates an image from Pull or from Import
+func (s *imageRouter) postImagesCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	var (
+		image    = r.Form.Get("fromImage")
+		repo     = r.Form.Get("repo")
+		tag      = r.Form.Get("tag")
+		message  = r.Form.Get("message")
+		err      error
+		output   = ioutils.NewWriteFlusher(w)
+		platform *specs.Platform
+	)
+	defer output.Close()
+
+	w.Header().Set("Content-Type", "application/json")
+
+	version := httputils.VersionFromContext(ctx)
+	if versions.GreaterThanOrEqualTo(version, "1.32") {
+		apiPlatform := r.FormValue("platform")
+		if apiPlatform != "" {
+			sp, err := platforms.Parse(apiPlatform)
+			if err != nil {
+				return err
+			}
+			if err := system.ValidatePlatform(sp); err != nil {
+				return err
+			}
+			platform = &sp
+		}
+	}
+
+	if err == nil {
+		if image != "" { //pull
+			metaHeaders := map[string][]string{}
+			for k, v := range r.Header {
+				if strings.HasPrefix(k, "X-Meta-") {
+					metaHeaders[k] = v
+				}
+			}
+
+			authEncoded := r.Header.Get("X-Registry-Auth")
+			authConfig := &types.AuthConfig{}
+			if authEncoded != "" {
+				authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded))
+				if err := json.NewDecoder(authJSON).Decode(authConfig); err != nil {
+					// for a pull it is not an error if no auth was given
+					// to increase compatibility with the existing api it is defaulting to be empty
+					authConfig = &types.AuthConfig{}
+				}
+			}
+			err = s.backend.PullImage(ctx, image, tag, platform, metaHeaders, authConfig, output)
+		} else { //import
+			src := r.Form.Get("fromSrc")
+			// 'err' MUST NOT be defined within this block, we need any error
+			// generated from the download to be available to the output
+			// stream processing below
+			os := ""
+			if platform != nil {
+				os = platform.OS
+			}
+			err = s.backend.ImportImage(src, repo, os, tag, message, r.Body, output, r.Form["changes"])
+		}
+	}
+	if err != nil {
+		if !output.Flushed() {
+			return err
+		}
+		output.Write(streamformatter.FormatError(err))
+	}
+
+	return nil
+}
+
+func (s *imageRouter) postImagesPush(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	metaHeaders := map[string][]string{}
+	for k, v := range r.Header {
+		if strings.HasPrefix(k, "X-Meta-") {
+			metaHeaders[k] = v
+		}
+	}
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	authConfig := &types.AuthConfig{}
+
+	authEncoded := r.Header.Get("X-Registry-Auth")
+	if authEncoded != "" {
+		// the new format is to handle the authConfig as a header
+		authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded))
+		if err := json.NewDecoder(authJSON).Decode(authConfig); err != nil {
+			// to increase compatibility to existing api it is defaulting to be empty
+			authConfig = &types.AuthConfig{}
+		}
+	} else {
+		// the old format is supported for compatibility if there was no authConfig header
+		if err := json.NewDecoder(r.Body).Decode(authConfig); err != nil {
+			return errors.Wrap(errdefs.InvalidParameter(err), "Bad parameters and missing X-Registry-Auth")
+		}
+	}
+
+	image := vars["name"]
+	tag := r.Form.Get("tag")
+
+	output := ioutils.NewWriteFlusher(w)
+	defer output.Close()
+
+	w.Header().Set("Content-Type", "application/json")
+
+	if err := s.backend.PushImage(ctx, image, tag, metaHeaders, authConfig, output); err != nil {
+		if !output.Flushed() {
+			return err
+		}
+		output.Write(streamformatter.FormatError(err))
+	}
+	return nil
+}
+
+func (s *imageRouter) getImagesGet(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	w.Header().Set("Content-Type", "application/x-tar")
+
+	output := ioutils.NewWriteFlusher(w)
+	defer output.Close()
+	var names []string
+	if name, ok := vars["name"]; ok {
+		names = []string{name}
+	} else {
+		names = r.Form["names"]
+	}
+
+	if err := s.backend.ExportImage(names, output); err != nil {
+		if !output.Flushed() {
+			return err
+		}
+		output.Write(streamformatter.FormatError(err))
+	}
+	return nil
+}
+
+func (s *imageRouter) postImagesLoad(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	quiet := httputils.BoolValueOrDefault(r, "quiet", true)
+
+	w.Header().Set("Content-Type", "application/json")
+
+	output := ioutils.NewWriteFlusher(w)
+	defer output.Close()
+	if err := s.backend.LoadImage(r.Body, output, quiet); err != nil {
+		output.Write(streamformatter.FormatError(err))
+	}
+	return nil
+}
+
+type missingImageError struct{}
+
+func (missingImageError) Error() string {
+	return "image name cannot be blank"
+}
+
+func (missingImageError) InvalidParameter() {}
+
+func (s *imageRouter) deleteImages(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	name := vars["name"]
+
+	if strings.TrimSpace(name) == "" {
+		return missingImageError{}
+	}
+
+	force := httputils.BoolValue(r, "force")
+	prune := !httputils.BoolValue(r, "noprune")
+
+	list, err := s.backend.ImageDelete(name, force, prune)
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, list)
+}
+
+func (s *imageRouter) getImagesByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	imageInspect, err := s.backend.LookupImage(vars["name"])
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, imageInspect)
+}
+
+func (s *imageRouter) getImagesJSON(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	imageFilters, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+
+	filterParam := r.Form.Get("filter")
+	// FIXME(vdemeester) This has been deprecated in 1.13, and is target for removal for v17.12
+	if filterParam != "" {
+		imageFilters.Add("reference", filterParam)
+	}
+
+	images, err := s.backend.Images(imageFilters, httputils.BoolValue(r, "all"), false)
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, images)
+}
+
+func (s *imageRouter) getImagesHistory(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	name := vars["name"]
+	history, err := s.backend.ImageHistory(name)
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, history)
+}
+
+func (s *imageRouter) postImagesTag(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	if _, err := s.backend.TagImage(vars["name"], r.Form.Get("repo"), r.Form.Get("tag")); err != nil {
+		return err
+	}
+	w.WriteHeader(http.StatusCreated)
+	return nil
+}
+
+func (s *imageRouter) getImagesSearch(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	var (
+		config      *types.AuthConfig
+		authEncoded = r.Header.Get("X-Registry-Auth")
+		headers     = map[string][]string{}
+	)
+
+	if authEncoded != "" {
+		authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded))
+		if err := json.NewDecoder(authJSON).Decode(&config); err != nil {
+			// for a search it is not an error if no auth was given
+			// to increase compatibility with the existing api it is defaulting to be empty
+			config = &types.AuthConfig{}
+		}
+	}
+	for k, v := range r.Header {
+		if strings.HasPrefix(k, "X-Meta-") {
+			headers[k] = v
+		}
+	}
+	limit := registry.DefaultSearchLimit
+	if r.Form.Get("limit") != "" {
+		limitValue, err := strconv.Atoi(r.Form.Get("limit"))
+		if err != nil {
+			return err
+		}
+		limit = limitValue
+	}
+	query, err := s.backend.SearchRegistryForImages(ctx, r.Form.Get("filters"), r.Form.Get("term"), limit, config, headers)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, query.Results)
+}
+
+func (s *imageRouter) postImagesPrune(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	pruneFilters, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+
+	pruneReport, err := s.backend.ImagesPrune(ctx, pruneFilters)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, pruneReport)
+}
diff --git a/engine/api/server/router/local.go b/engine/api/server/router/local.go
new file mode 100644
index 00000000..79a32392
--- /dev/null
+++ b/engine/api/server/router/local.go
@@ -0,0 +1,104 @@
+package router // import "github.com/docker/docker/api/server/router"
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/docker/docker/api/server/httputils"
+)
+
+// RouteWrapper wraps a route with extra functionality.
+// It is passed in when creating a new route.
+type RouteWrapper func(r Route) Route
+
+// localRoute defines an individual API route to connect
+// with the docker daemon. It implements Route.
+type localRoute struct {
+	method  string
+	path    string
+	handler httputils.APIFunc
+}
+
+// Handler returns the APIFunc to let the server wrap it in middlewares.
+func (l localRoute) Handler() httputils.APIFunc {
+	return l.handler
+}
+
+// Method returns the http method that the route responds to.
+func (l localRoute) Method() string {
+	return l.method
+}
+
+// Path returns the subpath where the route responds to.
+func (l localRoute) Path() string {
+	return l.path
+}
+
+// NewRoute initializes a new local route for the router.
+func NewRoute(method, path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
+	var r Route = localRoute{method, path, handler}
+	for _, o := range opts {
+		r = o(r)
+	}
+	return r
+}
+
+// NewGetRoute initializes a new route with the http method GET.
+func NewGetRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
+	return NewRoute("GET", path, handler, opts...)
+}
+
+// NewPostRoute initializes a new route with the http method POST.
+func NewPostRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
+	return NewRoute("POST", path, handler, opts...)
+}
+
+// NewPutRoute initializes a new route with the http method PUT.
+func NewPutRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
+	return NewRoute("PUT", path, handler, opts...)
+}
+
+// NewDeleteRoute initializes a new route with the http method DELETE.
+func NewDeleteRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
+	return NewRoute("DELETE", path, handler, opts...)
+}
+
+// NewOptionsRoute initializes a new route with the http method OPTIONS.
+func NewOptionsRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
+	return NewRoute("OPTIONS", path, handler, opts...)
+}
+
+// NewHeadRoute initializes a new route with the http method HEAD.
+func NewHeadRoute(path string, handler httputils.APIFunc, opts ...RouteWrapper) Route {
+	return NewRoute("HEAD", path, handler, opts...)
+}
+
+func cancellableHandler(h httputils.APIFunc) httputils.APIFunc {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		if notifier, ok := w.(http.CloseNotifier); ok {
+			notify := notifier.CloseNotify()
+			notifyCtx, cancel := context.WithCancel(ctx)
+			finished := make(chan struct{})
+			defer close(finished)
+			ctx = notifyCtx
+			go func() {
+				select {
+				case <-notify:
+					cancel()
+				case <-finished:
+				}
+			}()
+		}
+		return h(ctx, w, r, vars)
+	}
+}
+
+// WithCancel makes new route which embeds http.CloseNotifier feature to
+// context.Context of handler.
+func WithCancel(r Route) Route {
+	return localRoute{
+		method:  r.Method(),
+		path:    r.Path(),
+		handler: cancellableHandler(r.Handler()),
+	}
+}
diff --git a/engine/api/server/router/network/backend.go b/engine/api/server/router/network/backend.go
new file mode 100644
index 00000000..1bab353a
--- /dev/null
+++ b/engine/api/server/router/network/backend.go
@@ -0,0 +1,32 @@
+package network // import "github.com/docker/docker/api/server/router/network"
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/libnetwork"
+)
+
+// Backend is all the methods that need to be implemented
+// to provide network specific functionality.
+type Backend interface {
+	FindNetwork(idName string) (libnetwork.Network, error)
+	GetNetworks() []libnetwork.Network
+	CreateNetwork(nc types.NetworkCreateRequest) (*types.NetworkCreateResponse, error)
+	ConnectContainerToNetwork(containerName, networkName string, endpointConfig *network.EndpointSettings) error
+	DisconnectContainerFromNetwork(containerName string, networkName string, force bool) error
+	DeleteNetwork(networkID string) error
+	NetworksPrune(ctx context.Context, pruneFilters filters.Args) (*types.NetworksPruneReport, error)
+}
+
+// ClusterBackend is all the methods that need to be implemented
+// to provide cluster network specific functionality.
+type ClusterBackend interface {
+	GetNetworks() ([]types.NetworkResource, error)
+	GetNetwork(name string) (types.NetworkResource, error)
+	GetNetworksByName(name string) ([]types.NetworkResource, error)
+	CreateNetwork(nc types.NetworkCreateRequest) (string, error)
+	RemoveNetwork(name string) error
+}
diff --git a/engine/api/server/router/network/filter.go b/engine/api/server/router/network/filter.go
new file mode 100644
index 00000000..02683e80
--- /dev/null
+++ b/engine/api/server/router/network/filter.go
@@ -0,0 +1,93 @@
+package network // import "github.com/docker/docker/api/server/router/network"
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/runconfig"
+)
+
+func filterNetworkByType(nws []types.NetworkResource, netType string) ([]types.NetworkResource, error) {
+	retNws := []types.NetworkResource{}
+	switch netType {
+	case "builtin":
+		for _, nw := range nws {
+			if runconfig.IsPreDefinedNetwork(nw.Name) {
+				retNws = append(retNws, nw)
+			}
+		}
+	case "custom":
+		for _, nw := range nws {
+			if !runconfig.IsPreDefinedNetwork(nw.Name) {
+				retNws = append(retNws, nw)
+			}
+		}
+	default:
+		return nil, invalidFilter(netType)
+	}
+	return retNws, nil
+}
+
+type invalidFilter string
+
+func (e invalidFilter) Error() string {
+	return "Invalid filter: 'type'='" + string(e) + "'"
+}
+
+func (e invalidFilter) InvalidParameter() {}
+
+// filterNetworks filters network list according to user specified filter
+// and returns user chosen networks
+func filterNetworks(nws []types.NetworkResource, filter filters.Args) ([]types.NetworkResource, error) {
+	// if filter is empty, return original network list
+	if filter.Len() == 0 {
+		return nws, nil
+	}
+
+	displayNet := []types.NetworkResource{}
+	for _, nw := range nws {
+		if filter.Contains("driver") {
+			if !filter.ExactMatch("driver", nw.Driver) {
+				continue
+			}
+		}
+		if filter.Contains("name") {
+			if !filter.Match("name", nw.Name) {
+				continue
+			}
+		}
+		if filter.Contains("id") {
+			if !filter.Match("id", nw.ID) {
+				continue
+			}
+		}
+		if filter.Contains("label") {
+			if !filter.MatchKVList("label", nw.Labels) {
+				continue
+			}
+		}
+		if filter.Contains("scope") {
+			if !filter.ExactMatch("scope", nw.Scope) {
+				continue
+			}
+		}
+		displayNet = append(displayNet, nw)
+	}
+
+	if filter.Contains("type") {
+		typeNet := []types.NetworkResource{}
+		errFilter := filter.WalkValues("type", func(fval string) error {
+			passList, err := filterNetworkByType(displayNet, fval)
+			if err != nil {
+				return err
+			}
+			typeNet = append(typeNet, passList...)
+			return nil
+		})
+		if errFilter != nil {
+			return nil, errFilter
+		}
+		displayNet = typeNet
+	}
+
+	return displayNet, nil
+}
diff --git a/engine/api/server/router/network/filter_test.go b/engine/api/server/router/network/filter_test.go
new file mode 100644
index 00000000..8a84fd16
--- /dev/null
+++ b/engine/api/server/router/network/filter_test.go
@@ -0,0 +1,149 @@
+// +build !windows
+
+package network // import "github.com/docker/docker/api/server/router/network"
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+func TestFilterNetworks(t *testing.T) {
+	networks := []types.NetworkResource{
+		{
+			Name:   "host",
+			Driver: "host",
+			Scope:  "local",
+		},
+		{
+			Name:   "bridge",
+			Driver: "bridge",
+			Scope:  "local",
+		},
+		{
+			Name:   "none",
+			Driver: "null",
+			Scope:  "local",
+		},
+		{
+			Name:   "myoverlay",
+			Driver: "overlay",
+			Scope:  "swarm",
+		},
+		{
+			Name:   "mydrivernet",
+			Driver: "mydriver",
+			Scope:  "local",
+		},
+		{
+			Name:   "mykvnet",
+			Driver: "mykvdriver",
+			Scope:  "global",
+		},
+	}
+
+	bridgeDriverFilters := filters.NewArgs()
+	bridgeDriverFilters.Add("driver", "bridge")
+
+	overlayDriverFilters := filters.NewArgs()
+	overlayDriverFilters.Add("driver", "overlay")
+
+	nonameDriverFilters := filters.NewArgs()
+	nonameDriverFilters.Add("driver", "noname")
+
+	customDriverFilters := filters.NewArgs()
+	customDriverFilters.Add("type", "custom")
+
+	builtinDriverFilters := filters.NewArgs()
+	builtinDriverFilters.Add("type", "builtin")
+
+	invalidDriverFilters := filters.NewArgs()
+	invalidDriverFilters.Add("type", "invalid")
+
+	localScopeFilters := filters.NewArgs()
+	localScopeFilters.Add("scope", "local")
+
+	swarmScopeFilters := filters.NewArgs()
+	swarmScopeFilters.Add("scope", "swarm")
+
+	globalScopeFilters := filters.NewArgs()
+	globalScopeFilters.Add("scope", "global")
+
+	testCases := []struct {
+		filter      filters.Args
+		resultCount int
+		err         string
+	}{
+		{
+			filter:      bridgeDriverFilters,
+			resultCount: 1,
+			err:         "",
+		},
+		{
+			filter:      overlayDriverFilters,
+			resultCount: 1,
+			err:         "",
+		},
+		{
+			filter:      nonameDriverFilters,
+			resultCount: 0,
+			err:         "",
+		},
+		{
+			filter:      customDriverFilters,
+			resultCount: 3,
+			err:         "",
+		},
+		{
+			filter:      builtinDriverFilters,
+			resultCount: 3,
+			err:         "",
+		},
+		{
+			filter:      invalidDriverFilters,
+			resultCount: 0,
+			err:         "Invalid filter: 'type'='invalid'",
+		},
+		{
+			filter:      localScopeFilters,
+			resultCount: 4,
+			err:         "",
+		},
+		{
+			filter:      swarmScopeFilters,
+			resultCount: 1,
+			err:         "",
+		},
+		{
+			filter:      globalScopeFilters,
+			resultCount: 1,
+			err:         "",
+		},
+	}
+
+	for _, testCase := range testCases {
+		result, err := filterNetworks(networks, testCase.filter)
+		if testCase.err != "" {
+			if err == nil {
+				t.Fatalf("expect error '%s', got no error", testCase.err)
+
+			} else if !strings.Contains(err.Error(), testCase.err) {
+				t.Fatalf("expect error '%s', got '%s'", testCase.err, err)
+			}
+		} else {
+			if err != nil {
+				t.Fatalf("expect no error, got error '%s'", err)
+			}
+			// Make sure result is not nil
+			if result == nil {
+				t.Fatal("filterNetworks should not return nil")
+			}
+
+			if len(result) != testCase.resultCount {
+				t.Fatalf("expect '%d' networks, got '%d' networks", testCase.resultCount, len(result))
+			}
+		}
+	}
+}
diff --git a/engine/api/server/router/network/network.go b/engine/api/server/router/network/network.go
new file mode 100644
index 00000000..4eee9707
--- /dev/null
+++ b/engine/api/server/router/network/network.go
@@ -0,0 +1,43 @@
+package network // import "github.com/docker/docker/api/server/router/network"
+
+import (
+	"github.com/docker/docker/api/server/router"
+)
+
+// networkRouter is a router to talk with the network controller
+type networkRouter struct {
+	backend Backend
+	cluster ClusterBackend
+	routes  []router.Route
+}
+
+// NewRouter initializes a new network router
+func NewRouter(b Backend, c ClusterBackend) router.Router {
+	r := &networkRouter{
+		backend: b,
+		cluster: c,
+	}
+	r.initRoutes()
+	return r
+}
+
+// Routes returns the available routes to the network controller
+func (r *networkRouter) Routes() []router.Route {
+	return r.routes
+}
+
+func (r *networkRouter) initRoutes() {
+	r.routes = []router.Route{
+		// GET
+		router.NewGetRoute("/networks", r.getNetworksList),
+		router.NewGetRoute("/networks/", r.getNetworksList),
+		router.NewGetRoute("/networks/{id:.+}", r.getNetwork),
+		// POST
+		router.NewPostRoute("/networks/create", r.postNetworkCreate),
+		router.NewPostRoute("/networks/{id:.*}/connect", r.postNetworkConnect),
+		router.NewPostRoute("/networks/{id:.*}/disconnect", r.postNetworkDisconnect),
+		router.NewPostRoute("/networks/prune", r.postNetworksPrune, router.WithCancel),
+		// DELETE
+		router.NewDeleteRoute("/networks/{id:.*}", r.deleteNetwork),
+	}
+}
diff --git a/engine/api/server/router/network/network_routes.go b/engine/api/server/router/network/network_routes.go
new file mode 100644
index 00000000..0248662a
--- /dev/null
+++ b/engine/api/server/router/network/network_routes.go
@@ -0,0 +1,597 @@
+package network // import "github.com/docker/docker/api/server/router/network"
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/libnetwork"
+	netconst "github.com/docker/libnetwork/datastore"
+	"github.com/docker/libnetwork/networkdb"
+	"github.com/pkg/errors"
+)
+
+var (
+	// acceptedNetworkFilters is a list of acceptable filters
+	acceptedNetworkFilters = map[string]bool{
+		"driver": true,
+		"type":   true,
+		"name":   true,
+		"id":     true,
+		"label":  true,
+		"scope":  true,
+	}
+)
+
+func (n *networkRouter) getNetworksList(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	filter := r.Form.Get("filters")
+	netFilters, err := filters.FromJSON(filter)
+	if err != nil {
+		return err
+	}
+
+	if err := netFilters.Validate(acceptedNetworkFilters); err != nil {
+		return err
+	}
+
+	list := []types.NetworkResource{}
+
+	if nr, err := n.cluster.GetNetworks(); err == nil {
+		list = append(list, nr...)
+	}
+
+	// Combine the network list returned by Docker daemon if it is not already
+	// returned by the cluster manager
+SKIP:
+	for _, nw := range n.backend.GetNetworks() {
+		for _, nl := range list {
+			if nl.ID == nw.ID() {
+				continue SKIP
+			}
+		}
+
+		var nr *types.NetworkResource
+		// Versions < 1.28 fetches all the containers attached to a network
+		// in a network list api call. It is a heavy weight operation when
+		// run across all the networks. Starting API version 1.28, this detailed
+		// info is available for network specific GET API (equivalent to inspect)
+		if versions.LessThan(httputils.VersionFromContext(ctx), "1.28") {
+			nr = n.buildDetailedNetworkResources(nw, false)
+		} else {
+			nr = n.buildNetworkResource(nw)
+		}
+		list = append(list, *nr)
+	}
+
+	list, err = filterNetworks(list, netFilters)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, list)
+}
+
+type invalidRequestError struct {
+	cause error
+}
+
+func (e invalidRequestError) Error() string {
+	return e.cause.Error()
+}
+
+func (e invalidRequestError) InvalidParameter() {}
+
+type ambigousResultsError string
+
+func (e ambigousResultsError) Error() string {
+	return "network " + string(e) + " is ambiguous"
+}
+
+func (ambigousResultsError) InvalidParameter() {}
+
+func nameConflict(name string) error {
+	return errdefs.Conflict(libnetwork.NetworkNameError(name))
+}
+
+func (n *networkRouter) getNetwork(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	term := vars["id"]
+	var (
+		verbose bool
+		err     error
+	)
+	if v := r.URL.Query().Get("verbose"); v != "" {
+		if verbose, err = strconv.ParseBool(v); err != nil {
+			return errors.Wrapf(invalidRequestError{err}, "invalid value for verbose: %s", v)
+		}
+	}
+	scope := r.URL.Query().Get("scope")
+
+	isMatchingScope := func(scope, term string) bool {
+		if term != "" {
+			return scope == term
+		}
+		return true
+	}
+
+	// In case multiple networks have duplicate names, return error.
+	// TODO (yongtang): should we wrap with version here for backward compatibility?
+
+	// First find based on full ID, return immediately once one is found.
+	// If a network appears both in swarm and local, assume it is in local first
+
+	// For full name and partial ID, save the result first, and process later
+	// in case multiple records was found based on the same term
+	listByFullName := map[string]types.NetworkResource{}
+	listByPartialID := map[string]types.NetworkResource{}
+
+	nw := n.backend.GetNetworks()
+	for _, network := range nw {
+		if network.ID() == term && isMatchingScope(network.Info().Scope(), scope) {
+			return httputils.WriteJSON(w, http.StatusOK, *n.buildDetailedNetworkResources(network, verbose))
+		}
+		if network.Name() == term && isMatchingScope(network.Info().Scope(), scope) {
+			// No need to check the ID collision here as we are still in
+			// local scope and the network ID is unique in this scope.
+			listByFullName[network.ID()] = *n.buildDetailedNetworkResources(network, verbose)
+		}
+		if strings.HasPrefix(network.ID(), term) && isMatchingScope(network.Info().Scope(), scope) {
+			// No need to check the ID collision here as we are still in
+			// local scope and the network ID is unique in this scope.
+			listByPartialID[network.ID()] = *n.buildDetailedNetworkResources(network, verbose)
+		}
+	}
+
+	nwk, err := n.cluster.GetNetwork(term)
+	if err == nil {
+		// If the get network is passed with a specific network ID / partial network ID
+		// or if the get network was passed with a network name and scope as swarm
+		// return the network. Skipped using isMatchingScope because it is true if the scope
+		// is not set which would be case if the client API v1.30
+		if strings.HasPrefix(nwk.ID, term) || (netconst.SwarmScope == scope) {
+			// If we have a previous match "backend", return it, we need verbose when enabled
+			// ex: overlay/partial_ID or name/swarm_scope
+			if nwv, ok := listByPartialID[nwk.ID]; ok {
+				nwk = nwv
+			} else if nwv, ok := listByFullName[nwk.ID]; ok {
+				nwk = nwv
+			}
+			return httputils.WriteJSON(w, http.StatusOK, nwk)
+		}
+	}
+
+	nr, _ := n.cluster.GetNetworks()
+	for _, network := range nr {
+		if network.ID == term && isMatchingScope(network.Scope, scope) {
+			return httputils.WriteJSON(w, http.StatusOK, network)
+		}
+		if network.Name == term && isMatchingScope(network.Scope, scope) {
+			// Check the ID collision as we are in swarm scope here, and
+			// the map (of the listByFullName) may have already had a
+			// network with the same ID (from local scope previously)
+			if _, ok := listByFullName[network.ID]; !ok {
+				listByFullName[network.ID] = network
+			}
+		}
+		if strings.HasPrefix(network.ID, term) && isMatchingScope(network.Scope, scope) {
+			// Check the ID collision as we are in swarm scope here, and
+			// the map (of the listByPartialID) may have already had a
+			// network with the same ID (from local scope previously)
+			if _, ok := listByPartialID[network.ID]; !ok {
+				listByPartialID[network.ID] = network
+			}
+		}
+	}
+
+	// Find based on full name, returns true only if no duplicates
+	if len(listByFullName) == 1 {
+		for _, v := range listByFullName {
+			return httputils.WriteJSON(w, http.StatusOK, v)
+		}
+	}
+	if len(listByFullName) > 1 {
+		return errors.Wrapf(ambigousResultsError(term), "%d matches found based on name", len(listByFullName))
+	}
+
+	// Find based on partial ID, returns true only if no duplicates
+	if len(listByPartialID) == 1 {
+		for _, v := range listByPartialID {
+			return httputils.WriteJSON(w, http.StatusOK, v)
+		}
+	}
+	if len(listByPartialID) > 1 {
+		return errors.Wrapf(ambigousResultsError(term), "%d matches found based on ID prefix", len(listByPartialID))
+	}
+
+	return libnetwork.ErrNoSuchNetwork(term)
+}
+
+func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var create types.NetworkCreateRequest
+
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	if err := httputils.CheckForJSON(r); err != nil {
+		return err
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&create); err != nil {
+		return err
+	}
+
+	if nws, err := n.cluster.GetNetworksByName(create.Name); err == nil && len(nws) > 0 {
+		return nameConflict(create.Name)
+	}
+
+	nw, err := n.backend.CreateNetwork(create)
+	if err != nil {
+		var warning string
+		if _, ok := err.(libnetwork.NetworkNameError); ok {
+			// check if user defined CheckDuplicate, if set true, return err
+			// otherwise prepare a warning message
+			if create.CheckDuplicate {
+				return nameConflict(create.Name)
+			}
+			warning = libnetwork.NetworkNameError(create.Name).Error()
+		}
+
+		if _, ok := err.(libnetwork.ManagerRedirectError); !ok {
+			return err
+		}
+		id, err := n.cluster.CreateNetwork(create)
+		if err != nil {
+			return err
+		}
+		nw = &types.NetworkCreateResponse{
+			ID:      id,
+			Warning: warning,
+		}
+	}
+
+	return httputils.WriteJSON(w, http.StatusCreated, nw)
+}
+
+func (n *networkRouter) postNetworkConnect(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var connect types.NetworkConnect
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	if err := httputils.CheckForJSON(r); err != nil {
+		return err
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&connect); err != nil {
+		return err
+	}
+
+	// Unlike other operations, we does not check ambiguity of the name/ID here.
+	// The reason is that, In case of attachable network in swarm scope, the actual local network
+	// may not be available at the time. At the same time, inside daemon `ConnectContainerToNetwork`
+	// does the ambiguity check anyway. Therefore, passing the name to daemon would be enough.
+	return n.backend.ConnectContainerToNetwork(connect.Container, vars["id"], connect.EndpointConfig)
+}
+
+func (n *networkRouter) postNetworkDisconnect(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var disconnect types.NetworkDisconnect
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	if err := httputils.CheckForJSON(r); err != nil {
+		return err
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&disconnect); err != nil {
+		return err
+	}
+
+	return n.backend.DisconnectContainerFromNetwork(disconnect.Container, vars["id"], disconnect.Force)
+}
+
+func (n *networkRouter) deleteNetwork(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	nw, err := n.findUniqueNetwork(vars["id"])
+	if err != nil {
+		return err
+	}
+	if nw.Scope == "swarm" {
+		if err = n.cluster.RemoveNetwork(nw.ID); err != nil {
+			return err
+		}
+	} else {
+		if err := n.backend.DeleteNetwork(nw.ID); err != nil {
+			return err
+		}
+	}
+	w.WriteHeader(http.StatusNoContent)
+	return nil
+}
+
+func (n *networkRouter) buildNetworkResource(nw libnetwork.Network) *types.NetworkResource {
+	r := &types.NetworkResource{}
+	if nw == nil {
+		return r
+	}
+
+	info := nw.Info()
+	r.Name = nw.Name()
+	r.ID = nw.ID()
+	r.Created = info.Created()
+	r.Scope = info.Scope()
+	r.Driver = nw.Type()
+	r.EnableIPv6 = info.IPv6Enabled()
+	r.Internal = info.Internal()
+	r.Attachable = info.Attachable()
+	r.Ingress = info.Ingress()
+	r.Options = info.DriverOptions()
+	r.Containers = make(map[string]types.EndpointResource)
+	buildIpamResources(r, info)
+	r.Labels = info.Labels()
+	r.ConfigOnly = info.ConfigOnly()
+
+	if cn := info.ConfigFrom(); cn != "" {
+		r.ConfigFrom = network.ConfigReference{Network: cn}
+	}
+
+	peers := info.Peers()
+	if len(peers) != 0 {
+		r.Peers = buildPeerInfoResources(peers)
+	}
+
+	return r
+}
+
+func (n *networkRouter) buildDetailedNetworkResources(nw libnetwork.Network, verbose bool) *types.NetworkResource {
+	if nw == nil {
+		return &types.NetworkResource{}
+	}
+
+	r := n.buildNetworkResource(nw)
+	epl := nw.Endpoints()
+	for _, e := range epl {
+		ei := e.Info()
+		if ei == nil {
+			continue
+		}
+		sb := ei.Sandbox()
+		tmpID := e.ID()
+		key := "ep-" + tmpID
+		if sb != nil {
+			key = sb.ContainerID()
+		}
+
+		r.Containers[key] = buildEndpointResource(tmpID, e.Name(), ei)
+	}
+	if !verbose {
+		return r
+	}
+	services := nw.Info().Services()
+	r.Services = make(map[string]network.ServiceInfo)
+	for name, service := range services {
+		tasks := []network.Task{}
+		for _, t := range service.Tasks {
+			tasks = append(tasks, network.Task{
+				Name:       t.Name,
+				EndpointID: t.EndpointID,
+				EndpointIP: t.EndpointIP,
+				Info:       t.Info,
+			})
+		}
+		r.Services[name] = network.ServiceInfo{
+			VIP:          service.VIP,
+			Ports:        service.Ports,
+			Tasks:        tasks,
+			LocalLBIndex: service.LocalLBIndex,
+		}
+	}
+	return r
+}
+
+func buildPeerInfoResources(peers []networkdb.PeerInfo) []network.PeerInfo {
+	peerInfo := make([]network.PeerInfo, 0, len(peers))
+	for _, peer := range peers {
+		peerInfo = append(peerInfo, network.PeerInfo{
+			Name: peer.Name,
+			IP:   peer.IP,
+		})
+	}
+	return peerInfo
+}
+
+func buildIpamResources(r *types.NetworkResource, nwInfo libnetwork.NetworkInfo) {
+	id, opts, ipv4conf, ipv6conf := nwInfo.IpamConfig()
+
+	ipv4Info, ipv6Info := nwInfo.IpamInfo()
+
+	r.IPAM.Driver = id
+
+	r.IPAM.Options = opts
+
+	r.IPAM.Config = []network.IPAMConfig{}
+	for _, ip4 := range ipv4conf {
+		if ip4.PreferredPool == "" {
+			continue
+		}
+		iData := network.IPAMConfig{}
+		iData.Subnet = ip4.PreferredPool
+		iData.IPRange = ip4.SubPool
+		iData.Gateway = ip4.Gateway
+		iData.AuxAddress = ip4.AuxAddresses
+		r.IPAM.Config = append(r.IPAM.Config, iData)
+	}
+
+	if len(r.IPAM.Config) == 0 {
+		for _, ip4Info := range ipv4Info {
+			iData := network.IPAMConfig{}
+			iData.Subnet = ip4Info.IPAMData.Pool.String()
+			if ip4Info.IPAMData.Gateway != nil {
+				iData.Gateway = ip4Info.IPAMData.Gateway.IP.String()
+			}
+			r.IPAM.Config = append(r.IPAM.Config, iData)
+		}
+	}
+
+	hasIpv6Conf := false
+	for _, ip6 := range ipv6conf {
+		if ip6.PreferredPool == "" {
+			continue
+		}
+		hasIpv6Conf = true
+		iData := network.IPAMConfig{}
+		iData.Subnet = ip6.PreferredPool
+		iData.IPRange = ip6.SubPool
+		iData.Gateway = ip6.Gateway
+		iData.AuxAddress = ip6.AuxAddresses
+		r.IPAM.Config = append(r.IPAM.Config, iData)
+	}
+
+	if !hasIpv6Conf {
+		for _, ip6Info := range ipv6Info {
+			if ip6Info.IPAMData.Pool == nil {
+				continue
+			}
+			iData := network.IPAMConfig{}
+			iData.Subnet = ip6Info.IPAMData.Pool.String()
+			iData.Gateway = ip6Info.IPAMData.Gateway.String()
+			r.IPAM.Config = append(r.IPAM.Config, iData)
+		}
+	}
+}
+
+func buildEndpointResource(id string, name string, info libnetwork.EndpointInfo) types.EndpointResource {
+	er := types.EndpointResource{}
+
+	er.EndpointID = id
+	er.Name = name
+	ei := info
+	if ei == nil {
+		return er
+	}
+
+	if iface := ei.Iface(); iface != nil {
+		if mac := iface.MacAddress(); mac != nil {
+			er.MacAddress = mac.String()
+		}
+		if ip := iface.Address(); ip != nil && len(ip.IP) > 0 {
+			er.IPv4Address = ip.String()
+		}
+
+		if ipv6 := iface.AddressIPv6(); ipv6 != nil && len(ipv6.IP) > 0 {
+			er.IPv6Address = ipv6.String()
+		}
+	}
+	return er
+}
+
+func (n *networkRouter) postNetworksPrune(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	pruneFilters, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+
+	pruneReport, err := n.backend.NetworksPrune(ctx, pruneFilters)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, pruneReport)
+}
+
+// findUniqueNetwork will search network across different scopes (both local and swarm).
+// NOTE: This findUniqueNetwork is different from FindNetwork in the daemon.
+// In case multiple networks have duplicate names, return error.
+// First find based on full ID, return immediately once one is found.
+// If a network appears both in swarm and local, assume it is in local first
+// For full name and partial ID, save the result first, and process later
+// in case multiple records was found based on the same term
+// TODO (yongtang): should we wrap with version here for backward compatibility?
+func (n *networkRouter) findUniqueNetwork(term string) (types.NetworkResource, error) {
+	listByFullName := map[string]types.NetworkResource{}
+	listByPartialID := map[string]types.NetworkResource{}
+
+	nw := n.backend.GetNetworks()
+	for _, network := range nw {
+		if network.ID() == term {
+			return *n.buildDetailedNetworkResources(network, false), nil
+
+		}
+		if network.Name() == term && !network.Info().Ingress() {
+			// No need to check the ID collision here as we are still in
+			// local scope and the network ID is unique in this scope.
+			listByFullName[network.ID()] = *n.buildDetailedNetworkResources(network, false)
+		}
+		if strings.HasPrefix(network.ID(), term) {
+			// No need to check the ID collision here as we are still in
+			// local scope and the network ID is unique in this scope.
+			listByPartialID[network.ID()] = *n.buildDetailedNetworkResources(network, false)
+		}
+	}
+
+	nr, _ := n.cluster.GetNetworks()
+	for _, network := range nr {
+		if network.ID == term {
+			return network, nil
+		}
+		if network.Name == term {
+			// Check the ID collision as we are in swarm scope here, and
+			// the map (of the listByFullName) may have already had a
+			// network with the same ID (from local scope previously)
+			if _, ok := listByFullName[network.ID]; !ok {
+				listByFullName[network.ID] = network
+			}
+		}
+		if strings.HasPrefix(network.ID, term) {
+			// Check the ID collision as we are in swarm scope here, and
+			// the map (of the listByPartialID) may have already had a
+			// network with the same ID (from local scope previously)
+			if _, ok := listByPartialID[network.ID]; !ok {
+				listByPartialID[network.ID] = network
+			}
+		}
+	}
+
+	// Find based on full name, returns true only if no duplicates
+	if len(listByFullName) == 1 {
+		for _, v := range listByFullName {
+			return v, nil
+		}
+	}
+	if len(listByFullName) > 1 {
+		return types.NetworkResource{}, errdefs.InvalidParameter(errors.Errorf("network %s is ambiguous (%d matches found based on name)", term, len(listByFullName)))
+	}
+
+	// Find based on partial ID, returns true only if no duplicates
+	if len(listByPartialID) == 1 {
+		for _, v := range listByPartialID {
+			return v, nil
+		}
+	}
+	if len(listByPartialID) > 1 {
+		return types.NetworkResource{}, errdefs.InvalidParameter(errors.Errorf("network %s is ambiguous (%d matches found based on ID prefix)", term, len(listByPartialID)))
+	}
+
+	return types.NetworkResource{}, errdefs.NotFound(libnetwork.ErrNoSuchNetwork(term))
+}
diff --git a/engine/api/server/router/plugin/backend.go b/engine/api/server/router/plugin/backend.go
new file mode 100644
index 00000000..d885ebb3
--- /dev/null
+++ b/engine/api/server/router/plugin/backend.go
@@ -0,0 +1,27 @@
+package plugin // import "github.com/docker/docker/api/server/router/plugin"
+
+import (
+	"context"
+	"io"
+	"net/http"
+
+	"github.com/docker/distribution/reference"
+	enginetypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/plugin"
+)
+
+// Backend for Plugin
+type Backend interface {
+	Disable(name string, config *enginetypes.PluginDisableConfig) error
+	Enable(name string, config *enginetypes.PluginEnableConfig) error
+	List(filters.Args) ([]enginetypes.Plugin, error)
+	Inspect(name string) (*enginetypes.Plugin, error)
+	Remove(name string, config *enginetypes.PluginRmConfig) error
+	Set(name string, args []string) error
+	Privileges(ctx context.Context, ref reference.Named, metaHeaders http.Header, authConfig *enginetypes.AuthConfig) (enginetypes.PluginPrivileges, error)
+	Pull(ctx context.Context, ref reference.Named, name string, metaHeaders http.Header, authConfig *enginetypes.AuthConfig, privileges enginetypes.PluginPrivileges, outStream io.Writer, opts ...plugin.CreateOpt) error
+	Push(ctx context.Context, name string, metaHeaders http.Header, authConfig *enginetypes.AuthConfig, outStream io.Writer) error
+	Upgrade(ctx context.Context, ref reference.Named, name string, metaHeaders http.Header, authConfig *enginetypes.AuthConfig, privileges enginetypes.PluginPrivileges, outStream io.Writer) error
+	CreateFromContext(ctx context.Context, tarCtx io.ReadCloser, options *enginetypes.PluginCreateOptions) error
+}
diff --git a/engine/api/server/router/plugin/plugin.go b/engine/api/server/router/plugin/plugin.go
new file mode 100644
index 00000000..7a4f987a
--- /dev/null
+++ b/engine/api/server/router/plugin/plugin.go
@@ -0,0 +1,39 @@
+package plugin // import "github.com/docker/docker/api/server/router/plugin"
+
+import "github.com/docker/docker/api/server/router"
+
+// pluginRouter is a router to talk with the plugin controller
+type pluginRouter struct {
+	backend Backend
+	routes  []router.Route
+}
+
+// NewRouter initializes a new plugin router
+func NewRouter(b Backend) router.Router {
+	r := &pluginRouter{
+		backend: b,
+	}
+	r.initRoutes()
+	return r
+}
+
+// Routes returns the available routers to the plugin controller
+func (r *pluginRouter) Routes() []router.Route {
+	return r.routes
+}
+
+func (r *pluginRouter) initRoutes() {
+	r.routes = []router.Route{
+		router.NewGetRoute("/plugins", r.listPlugins),
+		router.NewGetRoute("/plugins/{name:.*}/json", r.inspectPlugin),
+		router.NewGetRoute("/plugins/privileges", r.getPrivileges),
+		router.NewDeleteRoute("/plugins/{name:.*}", r.removePlugin),
+		router.NewPostRoute("/plugins/{name:.*}/enable", r.enablePlugin), // PATCH?
+		router.NewPostRoute("/plugins/{name:.*}/disable", r.disablePlugin),
+		router.NewPostRoute("/plugins/pull", r.pullPlugin, router.WithCancel),
+		router.NewPostRoute("/plugins/{name:.*}/push", r.pushPlugin, router.WithCancel),
+		router.NewPostRoute("/plugins/{name:.*}/upgrade", r.upgradePlugin, router.WithCancel),
+		router.NewPostRoute("/plugins/{name:.*}/set", r.setPlugin),
+		router.NewPostRoute("/plugins/create", r.createPlugin),
+	}
+}
diff --git a/engine/api/server/router/plugin/plugin_routes.go b/engine/api/server/router/plugin/plugin_routes.go
new file mode 100644
index 00000000..4e816391
--- /dev/null
+++ b/engine/api/server/router/plugin/plugin_routes.go
@@ -0,0 +1,310 @@
+package plugin // import "github.com/docker/docker/api/server/router/plugin"
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/pkg/errors"
+)
+
+func parseHeaders(headers http.Header) (map[string][]string, *types.AuthConfig) {
+
+	metaHeaders := map[string][]string{}
+	for k, v := range headers {
+		if strings.HasPrefix(k, "X-Meta-") {
+			metaHeaders[k] = v
+		}
+	}
+
+	// Get X-Registry-Auth
+	authEncoded := headers.Get("X-Registry-Auth")
+	authConfig := &types.AuthConfig{}
+	if authEncoded != "" {
+		authJSON := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded))
+		if err := json.NewDecoder(authJSON).Decode(authConfig); err != nil {
+			authConfig = &types.AuthConfig{}
+		}
+	}
+
+	return metaHeaders, authConfig
+}
+
+// parseRemoteRef parses the remote reference into a reference.Named
+// returning the tag associated with the reference. In the case the
+// given reference string includes both digest and tag, the returned
+// reference will have the digest without the tag, but the tag will
+// be returned.
+func parseRemoteRef(remote string) (reference.Named, string, error) {
+	// Parse remote reference, supporting remotes with name and tag
+	remoteRef, err := reference.ParseNormalizedNamed(remote)
+	if err != nil {
+		return nil, "", err
+	}
+
+	type canonicalWithTag interface {
+		reference.Canonical
+		Tag() string
+	}
+
+	if canonical, ok := remoteRef.(canonicalWithTag); ok {
+		remoteRef, err = reference.WithDigest(reference.TrimNamed(remoteRef), canonical.Digest())
+		if err != nil {
+			return nil, "", err
+		}
+		return remoteRef, canonical.Tag(), nil
+	}
+
+	remoteRef = reference.TagNameOnly(remoteRef)
+
+	return remoteRef, "", nil
+}
+
+func (pr *pluginRouter) getPrivileges(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	metaHeaders, authConfig := parseHeaders(r.Header)
+
+	ref, _, err := parseRemoteRef(r.FormValue("remote"))
+	if err != nil {
+		return err
+	}
+
+	privileges, err := pr.backend.Privileges(ctx, ref, metaHeaders, authConfig)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, privileges)
+}
+
+func (pr *pluginRouter) upgradePlugin(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return errors.Wrap(err, "failed to parse form")
+	}
+
+	var privileges types.PluginPrivileges
+	dec := json.NewDecoder(r.Body)
+	if err := dec.Decode(&privileges); err != nil {
+		return errors.Wrap(err, "failed to parse privileges")
+	}
+	if dec.More() {
+		return errors.New("invalid privileges")
+	}
+
+	metaHeaders, authConfig := parseHeaders(r.Header)
+	ref, tag, err := parseRemoteRef(r.FormValue("remote"))
+	if err != nil {
+		return err
+	}
+
+	name, err := getName(ref, tag, vars["name"])
+	if err != nil {
+		return err
+	}
+	w.Header().Set("Docker-Plugin-Name", name)
+
+	w.Header().Set("Content-Type", "application/json")
+	output := ioutils.NewWriteFlusher(w)
+
+	if err := pr.backend.Upgrade(ctx, ref, name, metaHeaders, authConfig, privileges, output); err != nil {
+		if !output.Flushed() {
+			return err
+		}
+		output.Write(streamformatter.FormatError(err))
+	}
+
+	return nil
+}
+
+func (pr *pluginRouter) pullPlugin(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return errors.Wrap(err, "failed to parse form")
+	}
+
+	var privileges types.PluginPrivileges
+	dec := json.NewDecoder(r.Body)
+	if err := dec.Decode(&privileges); err != nil {
+		return errors.Wrap(err, "failed to parse privileges")
+	}
+	if dec.More() {
+		return errors.New("invalid privileges")
+	}
+
+	metaHeaders, authConfig := parseHeaders(r.Header)
+	ref, tag, err := parseRemoteRef(r.FormValue("remote"))
+	if err != nil {
+		return err
+	}
+
+	name, err := getName(ref, tag, r.FormValue("name"))
+	if err != nil {
+		return err
+	}
+	w.Header().Set("Docker-Plugin-Name", name)
+
+	w.Header().Set("Content-Type", "application/json")
+	output := ioutils.NewWriteFlusher(w)
+
+	if err := pr.backend.Pull(ctx, ref, name, metaHeaders, authConfig, privileges, output); err != nil {
+		if !output.Flushed() {
+			return err
+		}
+		output.Write(streamformatter.FormatError(err))
+	}
+
+	return nil
+}
+
+func getName(ref reference.Named, tag, name string) (string, error) {
+	if name == "" {
+		if _, ok := ref.(reference.Canonical); ok {
+			trimmed := reference.TrimNamed(ref)
+			if tag != "" {
+				nt, err := reference.WithTag(trimmed, tag)
+				if err != nil {
+					return "", err
+				}
+				name = reference.FamiliarString(nt)
+			} else {
+				name = reference.FamiliarString(reference.TagNameOnly(trimmed))
+			}
+		} else {
+			name = reference.FamiliarString(ref)
+		}
+	} else {
+		localRef, err := reference.ParseNormalizedNamed(name)
+		if err != nil {
+			return "", err
+		}
+		if _, ok := localRef.(reference.Canonical); ok {
+			return "", errors.New("cannot use digest in plugin tag")
+		}
+		if reference.IsNameOnly(localRef) {
+			// TODO: log change in name to out stream
+			name = reference.FamiliarString(reference.TagNameOnly(localRef))
+		}
+	}
+	return name, nil
+}
+
+func (pr *pluginRouter) createPlugin(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	options := &types.PluginCreateOptions{
+		RepoName: r.FormValue("name")}
+
+	if err := pr.backend.CreateFromContext(ctx, r.Body, options); err != nil {
+		return err
+	}
+	//TODO: send progress bar
+	w.WriteHeader(http.StatusNoContent)
+	return nil
+}
+
+func (pr *pluginRouter) enablePlugin(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	name := vars["name"]
+	timeout, err := strconv.Atoi(r.Form.Get("timeout"))
+	if err != nil {
+		return err
+	}
+	config := &types.PluginEnableConfig{Timeout: timeout}
+
+	return pr.backend.Enable(name, config)
+}
+
+func (pr *pluginRouter) disablePlugin(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	name := vars["name"]
+	config := &types.PluginDisableConfig{
+		ForceDisable: httputils.BoolValue(r, "force"),
+	}
+
+	return pr.backend.Disable(name, config)
+}
+
+func (pr *pluginRouter) removePlugin(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	name := vars["name"]
+	config := &types.PluginRmConfig{
+		ForceRemove: httputils.BoolValue(r, "force"),
+	}
+	return pr.backend.Remove(name, config)
+}
+
+func (pr *pluginRouter) pushPlugin(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return errors.Wrap(err, "failed to parse form")
+	}
+
+	metaHeaders, authConfig := parseHeaders(r.Header)
+
+	w.Header().Set("Content-Type", "application/json")
+	output := ioutils.NewWriteFlusher(w)
+
+	if err := pr.backend.Push(ctx, vars["name"], metaHeaders, authConfig, output); err != nil {
+		if !output.Flushed() {
+			return err
+		}
+		output.Write(streamformatter.FormatError(err))
+	}
+	return nil
+}
+
+func (pr *pluginRouter) setPlugin(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var args []string
+	if err := json.NewDecoder(r.Body).Decode(&args); err != nil {
+		return err
+	}
+	if err := pr.backend.Set(vars["name"], args); err != nil {
+		return err
+	}
+	w.WriteHeader(http.StatusNoContent)
+	return nil
+}
+
+func (pr *pluginRouter) listPlugins(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	pluginFilters, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+	l, err := pr.backend.List(pluginFilters)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, l)
+}
+
+func (pr *pluginRouter) inspectPlugin(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	result, err := pr.backend.Inspect(vars["name"])
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, result)
+}
diff --git a/engine/api/server/router/router.go b/engine/api/server/router/router.go
new file mode 100644
index 00000000..e62faed7
--- /dev/null
+++ b/engine/api/server/router/router.go
@@ -0,0 +1,19 @@
+package router // import "github.com/docker/docker/api/server/router"
+
+import "github.com/docker/docker/api/server/httputils"
+
+// Router defines an interface to specify a group of routes to add to the docker server.
+type Router interface {
+	// Routes returns the list of routes to add to the docker server.
+	Routes() []Route
+}
+
+// Route defines an individual API route in the docker server.
+type Route interface {
+	// Handler returns the raw function to create the http handler.
+	Handler() httputils.APIFunc
+	// Method returns the http method that the route responds to.
+	Method() string
+	// Path returns the subpath where the route responds to.
+	Path() string
+}
diff --git a/engine/api/server/router/session/backend.go b/engine/api/server/router/session/backend.go
new file mode 100644
index 00000000..d9b14d48
--- /dev/null
+++ b/engine/api/server/router/session/backend.go
@@ -0,0 +1,11 @@
+package session // import "github.com/docker/docker/api/server/router/session"
+
+import (
+	"context"
+	"net/http"
+)
+
+// Backend abstracts an session receiver from an http request.
+type Backend interface {
+	HandleHTTPRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) error
+}
diff --git a/engine/api/server/router/session/session.go b/engine/api/server/router/session/session.go
new file mode 100644
index 00000000..de6d6300
--- /dev/null
+++ b/engine/api/server/router/session/session.go
@@ -0,0 +1,29 @@
+package session // import "github.com/docker/docker/api/server/router/session"
+
+import "github.com/docker/docker/api/server/router"
+
+// sessionRouter is a router to talk with the session controller
+type sessionRouter struct {
+	backend Backend
+	routes  []router.Route
+}
+
+// NewRouter initializes a new session router
+func NewRouter(b Backend) router.Router {
+	r := &sessionRouter{
+		backend: b,
+	}
+	r.initRoutes()
+	return r
+}
+
+// Routes returns the available routers to the session controller
+func (r *sessionRouter) Routes() []router.Route {
+	return r.routes
+}
+
+func (r *sessionRouter) initRoutes() {
+	r.routes = []router.Route{
+		router.Experimental(router.NewPostRoute("/session", r.startSession)),
+	}
+}
diff --git a/engine/api/server/router/session/session_routes.go b/engine/api/server/router/session/session_routes.go
new file mode 100644
index 00000000..691ac622
--- /dev/null
+++ b/engine/api/server/router/session/session_routes.go
@@ -0,0 +1,16 @@
+package session // import "github.com/docker/docker/api/server/router/session"
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/docker/docker/errdefs"
+)
+
+func (sr *sessionRouter) startSession(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	err := sr.backend.HandleHTTPRequest(ctx, w, r)
+	if err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+	return nil
+}
diff --git a/engine/api/server/router/swarm/backend.go b/engine/api/server/router/swarm/backend.go
new file mode 100644
index 00000000..d0c7e60f
--- /dev/null
+++ b/engine/api/server/router/swarm/backend.go
@@ -0,0 +1,48 @@
+package swarm // import "github.com/docker/docker/api/server/router/swarm"
+
+import (
+	"context"
+
+	basictypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	types "github.com/docker/docker/api/types/swarm"
+)
+
+// Backend abstracts a swarm manager.
+type Backend interface {
+	Init(req types.InitRequest) (string, error)
+	Join(req types.JoinRequest) error
+	Leave(force bool) error
+	Inspect() (types.Swarm, error)
+	Update(uint64, types.Spec, types.UpdateFlags) error
+	GetUnlockKey() (string, error)
+	UnlockSwarm(req types.UnlockRequest) error
+
+	GetServices(basictypes.ServiceListOptions) ([]types.Service, error)
+	GetService(idOrName string, insertDefaults bool) (types.Service, error)
+	CreateService(types.ServiceSpec, string, bool) (*basictypes.ServiceCreateResponse, error)
+	UpdateService(string, uint64, types.ServiceSpec, basictypes.ServiceUpdateOptions, bool) (*basictypes.ServiceUpdateResponse, error)
+	RemoveService(string) error
+
+	ServiceLogs(context.Context, *backend.LogSelector, *basictypes.ContainerLogsOptions) (<-chan *backend.LogMessage, error)
+
+	GetNodes(basictypes.NodeListOptions) ([]types.Node, error)
+	GetNode(string) (types.Node, error)
+	UpdateNode(string, uint64, types.NodeSpec) error
+	RemoveNode(string, bool) error
+
+	GetTasks(basictypes.TaskListOptions) ([]types.Task, error)
+	GetTask(string) (types.Task, error)
+
+	GetSecrets(opts basictypes.SecretListOptions) ([]types.Secret, error)
+	CreateSecret(s types.SecretSpec) (string, error)
+	RemoveSecret(idOrName string) error
+	GetSecret(id string) (types.Secret, error)
+	UpdateSecret(idOrName string, version uint64, spec types.SecretSpec) error
+
+	GetConfigs(opts basictypes.ConfigListOptions) ([]types.Config, error)
+	CreateConfig(s types.ConfigSpec) (string, error)
+	RemoveConfig(id string) error
+	GetConfig(id string) (types.Config, error)
+	UpdateConfig(idOrName string, version uint64, spec types.ConfigSpec) error
+}
diff --git a/engine/api/server/router/swarm/cluster.go b/engine/api/server/router/swarm/cluster.go
new file mode 100644
index 00000000..52f950a3
--- /dev/null
+++ b/engine/api/server/router/swarm/cluster.go
@@ -0,0 +1,63 @@
+package swarm // import "github.com/docker/docker/api/server/router/swarm"
+
+import "github.com/docker/docker/api/server/router"
+
+// swarmRouter is a router to talk with the build controller
+type swarmRouter struct {
+	backend Backend
+	routes  []router.Route
+}
+
+// NewRouter initializes a new build router
+func NewRouter(b Backend) router.Router {
+	r := &swarmRouter{
+		backend: b,
+	}
+	r.initRoutes()
+	return r
+}
+
+// Routes returns the available routers to the swarm controller
+func (sr *swarmRouter) Routes() []router.Route {
+	return sr.routes
+}
+
+func (sr *swarmRouter) initRoutes() {
+	sr.routes = []router.Route{
+		router.NewPostRoute("/swarm/init", sr.initCluster),
+		router.NewPostRoute("/swarm/join", sr.joinCluster),
+		router.NewPostRoute("/swarm/leave", sr.leaveCluster),
+		router.NewGetRoute("/swarm", sr.inspectCluster),
+		router.NewGetRoute("/swarm/unlockkey", sr.getUnlockKey),
+		router.NewPostRoute("/swarm/update", sr.updateCluster),
+		router.NewPostRoute("/swarm/unlock", sr.unlockCluster),
+
+		router.NewGetRoute("/services", sr.getServices),
+		router.NewGetRoute("/services/{id}", sr.getService),
+		router.NewPostRoute("/services/create", sr.createService),
+		router.NewPostRoute("/services/{id}/update", sr.updateService),
+		router.NewDeleteRoute("/services/{id}", sr.removeService),
+		router.NewGetRoute("/services/{id}/logs", sr.getServiceLogs, router.WithCancel),
+
+		router.NewGetRoute("/nodes", sr.getNodes),
+		router.NewGetRoute("/nodes/{id}", sr.getNode),
+		router.NewDeleteRoute("/nodes/{id}", sr.removeNode),
+		router.NewPostRoute("/nodes/{id}/update", sr.updateNode),
+
+		router.NewGetRoute("/tasks", sr.getTasks),
+		router.NewGetRoute("/tasks/{id}", sr.getTask),
+		router.NewGetRoute("/tasks/{id}/logs", sr.getTaskLogs, router.WithCancel),
+
+		router.NewGetRoute("/secrets", sr.getSecrets),
+		router.NewPostRoute("/secrets/create", sr.createSecret),
+		router.NewDeleteRoute("/secrets/{id}", sr.removeSecret),
+		router.NewGetRoute("/secrets/{id}", sr.getSecret),
+		router.NewPostRoute("/secrets/{id}/update", sr.updateSecret),
+
+		router.NewGetRoute("/configs", sr.getConfigs),
+		router.NewPostRoute("/configs/create", sr.createConfig),
+		router.NewDeleteRoute("/configs/{id}", sr.removeConfig),
+		router.NewGetRoute("/configs/{id}", sr.getConfig),
+		router.NewPostRoute("/configs/{id}/update", sr.updateConfig),
+	}
+}
diff --git a/engine/api/server/router/swarm/cluster_routes.go b/engine/api/server/router/swarm/cluster_routes.go
new file mode 100644
index 00000000..a7024886
--- /dev/null
+++ b/engine/api/server/router/swarm/cluster_routes.go
@@ -0,0 +1,494 @@
+package swarm // import "github.com/docker/docker/api/server/router/swarm"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"github.com/docker/docker/api/server/httputils"
+	basictypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/filters"
+	types "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+func (sr *swarmRouter) initCluster(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var req types.InitRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		return err
+	}
+	nodeID, err := sr.backend.Init(req)
+	if err != nil {
+		logrus.Errorf("Error initializing swarm: %v", err)
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, nodeID)
+}
+
+func (sr *swarmRouter) joinCluster(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var req types.JoinRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		return err
+	}
+	return sr.backend.Join(req)
+}
+
+func (sr *swarmRouter) leaveCluster(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	force := httputils.BoolValue(r, "force")
+	return sr.backend.Leave(force)
+}
+
+func (sr *swarmRouter) inspectCluster(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	swarm, err := sr.backend.Inspect()
+	if err != nil {
+		logrus.Errorf("Error getting swarm: %v", err)
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, swarm)
+}
+
+func (sr *swarmRouter) updateCluster(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var swarm types.Spec
+	if err := json.NewDecoder(r.Body).Decode(&swarm); err != nil {
+		return err
+	}
+
+	rawVersion := r.URL.Query().Get("version")
+	version, err := strconv.ParseUint(rawVersion, 10, 64)
+	if err != nil {
+		err := fmt.Errorf("invalid swarm version '%s': %v", rawVersion, err)
+		return errdefs.InvalidParameter(err)
+	}
+
+	var flags types.UpdateFlags
+
+	if value := r.URL.Query().Get("rotateWorkerToken"); value != "" {
+		rot, err := strconv.ParseBool(value)
+		if err != nil {
+			err := fmt.Errorf("invalid value for rotateWorkerToken: %s", value)
+			return errdefs.InvalidParameter(err)
+		}
+
+		flags.RotateWorkerToken = rot
+	}
+
+	if value := r.URL.Query().Get("rotateManagerToken"); value != "" {
+		rot, err := strconv.ParseBool(value)
+		if err != nil {
+			err := fmt.Errorf("invalid value for rotateManagerToken: %s", value)
+			return errdefs.InvalidParameter(err)
+		}
+
+		flags.RotateManagerToken = rot
+	}
+
+	if value := r.URL.Query().Get("rotateManagerUnlockKey"); value != "" {
+		rot, err := strconv.ParseBool(value)
+		if err != nil {
+			return errdefs.InvalidParameter(fmt.Errorf("invalid value for rotateManagerUnlockKey: %s", value))
+		}
+
+		flags.RotateManagerUnlockKey = rot
+	}
+
+	if err := sr.backend.Update(version, swarm, flags); err != nil {
+		logrus.Errorf("Error configuring swarm: %v", err)
+		return err
+	}
+	return nil
+}
+
+func (sr *swarmRouter) unlockCluster(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var req types.UnlockRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		return err
+	}
+
+	if err := sr.backend.UnlockSwarm(req); err != nil {
+		logrus.Errorf("Error unlocking swarm: %v", err)
+		return err
+	}
+	return nil
+}
+
+func (sr *swarmRouter) getUnlockKey(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	unlockKey, err := sr.backend.GetUnlockKey()
+	if err != nil {
+		logrus.WithError(err).Errorf("Error retrieving swarm unlock key")
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, &basictypes.SwarmUnlockKeyResponse{
+		UnlockKey: unlockKey,
+	})
+}
+
+func (sr *swarmRouter) getServices(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	filter, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	services, err := sr.backend.GetServices(basictypes.ServiceListOptions{Filters: filter})
+	if err != nil {
+		logrus.Errorf("Error getting services: %v", err)
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, services)
+}
+
+func (sr *swarmRouter) getService(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var insertDefaults bool
+	if value := r.URL.Query().Get("insertDefaults"); value != "" {
+		var err error
+		insertDefaults, err = strconv.ParseBool(value)
+		if err != nil {
+			err := fmt.Errorf("invalid value for insertDefaults: %s", value)
+			return errors.Wrapf(errdefs.InvalidParameter(err), "invalid value for insertDefaults: %s", value)
+		}
+	}
+
+	service, err := sr.backend.GetService(vars["id"], insertDefaults)
+	if err != nil {
+		logrus.Errorf("Error getting service %s: %v", vars["id"], err)
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, service)
+}
+
+func (sr *swarmRouter) createService(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var service types.ServiceSpec
+	if err := json.NewDecoder(r.Body).Decode(&service); err != nil {
+		return err
+	}
+
+	// Get returns "" if the header does not exist
+	encodedAuth := r.Header.Get("X-Registry-Auth")
+	cliVersion := r.Header.Get("version")
+	queryRegistry := false
+	if cliVersion != "" && versions.LessThan(cliVersion, "1.30") {
+		queryRegistry = true
+	}
+
+	resp, err := sr.backend.CreateService(service, encodedAuth, queryRegistry)
+	if err != nil {
+		logrus.Errorf("Error creating service %s: %v", service.Name, err)
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusCreated, resp)
+}
+
+func (sr *swarmRouter) updateService(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var service types.ServiceSpec
+	if err := json.NewDecoder(r.Body).Decode(&service); err != nil {
+		return err
+	}
+
+	rawVersion := r.URL.Query().Get("version")
+	version, err := strconv.ParseUint(rawVersion, 10, 64)
+	if err != nil {
+		err := fmt.Errorf("invalid service version '%s': %v", rawVersion, err)
+		return errdefs.InvalidParameter(err)
+	}
+
+	var flags basictypes.ServiceUpdateOptions
+
+	// Get returns "" if the header does not exist
+	flags.EncodedRegistryAuth = r.Header.Get("X-Registry-Auth")
+	flags.RegistryAuthFrom = r.URL.Query().Get("registryAuthFrom")
+	flags.Rollback = r.URL.Query().Get("rollback")
+	cliVersion := r.Header.Get("version")
+	queryRegistry := false
+	if cliVersion != "" && versions.LessThan(cliVersion, "1.30") {
+		queryRegistry = true
+	}
+
+	resp, err := sr.backend.UpdateService(vars["id"], version, service, flags, queryRegistry)
+	if err != nil {
+		logrus.Errorf("Error updating service %s: %v", vars["id"], err)
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, resp)
+}
+
+func (sr *swarmRouter) removeService(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := sr.backend.RemoveService(vars["id"]); err != nil {
+		logrus.Errorf("Error removing service %s: %v", vars["id"], err)
+		return err
+	}
+	return nil
+}
+
+func (sr *swarmRouter) getTaskLogs(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	// make a selector to pass to the helper function
+	selector := &backend.LogSelector{
+		Tasks: []string{vars["id"]},
+	}
+	return sr.swarmLogs(ctx, w, r, selector)
+}
+
+func (sr *swarmRouter) getServiceLogs(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	// make a selector to pass to the helper function
+	selector := &backend.LogSelector{
+		Services: []string{vars["id"]},
+	}
+	return sr.swarmLogs(ctx, w, r, selector)
+}
+
+func (sr *swarmRouter) getNodes(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	filter, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+
+	nodes, err := sr.backend.GetNodes(basictypes.NodeListOptions{Filters: filter})
+	if err != nil {
+		logrus.Errorf("Error getting nodes: %v", err)
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, nodes)
+}
+
+func (sr *swarmRouter) getNode(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	node, err := sr.backend.GetNode(vars["id"])
+	if err != nil {
+		logrus.Errorf("Error getting node %s: %v", vars["id"], err)
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, node)
+}
+
+func (sr *swarmRouter) updateNode(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var node types.NodeSpec
+	if err := json.NewDecoder(r.Body).Decode(&node); err != nil {
+		return err
+	}
+
+	rawVersion := r.URL.Query().Get("version")
+	version, err := strconv.ParseUint(rawVersion, 10, 64)
+	if err != nil {
+		err := fmt.Errorf("invalid node version '%s': %v", rawVersion, err)
+		return errdefs.InvalidParameter(err)
+	}
+
+	if err := sr.backend.UpdateNode(vars["id"], version, node); err != nil {
+		logrus.Errorf("Error updating node %s: %v", vars["id"], err)
+		return err
+	}
+	return nil
+}
+
+func (sr *swarmRouter) removeNode(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	force := httputils.BoolValue(r, "force")
+
+	if err := sr.backend.RemoveNode(vars["id"], force); err != nil {
+		logrus.Errorf("Error removing node %s: %v", vars["id"], err)
+		return err
+	}
+	return nil
+}
+
+func (sr *swarmRouter) getTasks(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	filter, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+
+	tasks, err := sr.backend.GetTasks(basictypes.TaskListOptions{Filters: filter})
+	if err != nil {
+		logrus.Errorf("Error getting tasks: %v", err)
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, tasks)
+}
+
+func (sr *swarmRouter) getTask(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	task, err := sr.backend.GetTask(vars["id"])
+	if err != nil {
+		logrus.Errorf("Error getting task %s: %v", vars["id"], err)
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, task)
+}
+
+func (sr *swarmRouter) getSecrets(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	filters, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+
+	secrets, err := sr.backend.GetSecrets(basictypes.SecretListOptions{Filters: filters})
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, secrets)
+}
+
+func (sr *swarmRouter) createSecret(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var secret types.SecretSpec
+	if err := json.NewDecoder(r.Body).Decode(&secret); err != nil {
+		return err
+	}
+	version := httputils.VersionFromContext(ctx)
+	if secret.Templating != nil && versions.LessThan(version, "1.37") {
+		return errdefs.InvalidParameter(errors.Errorf("secret templating is not supported on the specified API version: %s", version))
+	}
+
+	id, err := sr.backend.CreateSecret(secret)
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusCreated, &basictypes.SecretCreateResponse{
+		ID: id,
+	})
+}
+
+func (sr *swarmRouter) removeSecret(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := sr.backend.RemoveSecret(vars["id"]); err != nil {
+		return err
+	}
+	w.WriteHeader(http.StatusNoContent)
+
+	return nil
+}
+
+func (sr *swarmRouter) getSecret(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	secret, err := sr.backend.GetSecret(vars["id"])
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, secret)
+}
+
+func (sr *swarmRouter) updateSecret(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var secret types.SecretSpec
+	if err := json.NewDecoder(r.Body).Decode(&secret); err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	rawVersion := r.URL.Query().Get("version")
+	version, err := strconv.ParseUint(rawVersion, 10, 64)
+	if err != nil {
+		return errdefs.InvalidParameter(fmt.Errorf("invalid secret version"))
+	}
+
+	id := vars["id"]
+	return sr.backend.UpdateSecret(id, version, secret)
+}
+
+func (sr *swarmRouter) getConfigs(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	filters, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+
+	configs, err := sr.backend.GetConfigs(basictypes.ConfigListOptions{Filters: filters})
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, configs)
+}
+
+func (sr *swarmRouter) createConfig(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var config types.ConfigSpec
+	if err := json.NewDecoder(r.Body).Decode(&config); err != nil {
+		return err
+	}
+
+	version := httputils.VersionFromContext(ctx)
+	if config.Templating != nil && versions.LessThan(version, "1.37") {
+		return errdefs.InvalidParameter(errors.Errorf("config templating is not supported on the specified API version: %s", version))
+	}
+
+	id, err := sr.backend.CreateConfig(config)
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusCreated, &basictypes.ConfigCreateResponse{
+		ID: id,
+	})
+}
+
+func (sr *swarmRouter) removeConfig(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := sr.backend.RemoveConfig(vars["id"]); err != nil {
+		return err
+	}
+	w.WriteHeader(http.StatusNoContent)
+
+	return nil
+}
+
+func (sr *swarmRouter) getConfig(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	config, err := sr.backend.GetConfig(vars["id"])
+	if err != nil {
+		return err
+	}
+
+	return httputils.WriteJSON(w, http.StatusOK, config)
+}
+
+func (sr *swarmRouter) updateConfig(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var config types.ConfigSpec
+	if err := json.NewDecoder(r.Body).Decode(&config); err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	rawVersion := r.URL.Query().Get("version")
+	version, err := strconv.ParseUint(rawVersion, 10, 64)
+	if err != nil {
+		return errdefs.InvalidParameter(fmt.Errorf("invalid config version"))
+	}
+
+	id := vars["id"]
+	return sr.backend.UpdateConfig(id, version, config)
+}
diff --git a/engine/api/server/router/swarm/helpers.go b/engine/api/server/router/swarm/helpers.go
new file mode 100644
index 00000000..1f57074f
--- /dev/null
+++ b/engine/api/server/router/swarm/helpers.go
@@ -0,0 +1,66 @@
+package swarm // import "github.com/docker/docker/api/server/router/swarm"
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/docker/docker/api/server/httputils"
+	basictypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+)
+
+// swarmLogs takes an http response, request, and selector, and writes the logs
+// specified by the selector to the response
+func (sr *swarmRouter) swarmLogs(ctx context.Context, w io.Writer, r *http.Request, selector *backend.LogSelector) error {
+	// Args are validated before the stream starts because when it starts we're
+	// sending HTTP 200 by writing an empty chunk of data to tell the client that
+	// daemon is going to stream. By sending this initial HTTP 200 we can't report
+	// any error after the stream starts (i.e. container not found, wrong parameters)
+	// with the appropriate status code.
+	stdout, stderr := httputils.BoolValue(r, "stdout"), httputils.BoolValue(r, "stderr")
+	if !(stdout || stderr) {
+		return fmt.Errorf("Bad parameters: you must choose at least one stream")
+	}
+
+	// there is probably a neater way to manufacture the ContainerLogsOptions
+	// struct, probably in the caller, to eliminate the dependency on net/http
+	logsConfig := &basictypes.ContainerLogsOptions{
+		Follow:     httputils.BoolValue(r, "follow"),
+		Timestamps: httputils.BoolValue(r, "timestamps"),
+		Since:      r.Form.Get("since"),
+		Tail:       r.Form.Get("tail"),
+		ShowStdout: stdout,
+		ShowStderr: stderr,
+		Details:    httputils.BoolValue(r, "details"),
+	}
+
+	tty := false
+	// checking for whether logs are TTY involves iterating over every service
+	// and task. idk if there is a better way
+	for _, service := range selector.Services {
+		s, err := sr.backend.GetService(service, false)
+		if err != nil {
+			// maybe should return some context with this error?
+			return err
+		}
+		tty = (s.Spec.TaskTemplate.ContainerSpec != nil && s.Spec.TaskTemplate.ContainerSpec.TTY) || tty
+	}
+	for _, task := range selector.Tasks {
+		t, err := sr.backend.GetTask(task)
+		if err != nil {
+			// as above
+			return err
+		}
+		tty = t.Spec.ContainerSpec.TTY || tty
+	}
+
+	msgs, err := sr.backend.ServiceLogs(ctx, selector, logsConfig)
+	if err != nil {
+		return err
+	}
+
+	httputils.WriteLogStream(ctx, w, msgs, logsConfig, !tty)
+	return nil
+}
diff --git a/engine/api/server/router/system/backend.go b/engine/api/server/router/system/backend.go
new file mode 100644
index 00000000..f5d2d981
--- /dev/null
+++ b/engine/api/server/router/system/backend.go
@@ -0,0 +1,28 @@
+package system // import "github.com/docker/docker/api/server/router/system"
+
+import (
+	"context"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// Backend is the methods that need to be implemented to provide
+// system specific functionality.
+type Backend interface {
+	SystemInfo() (*types.Info, error)
+	SystemVersion() types.Version
+	SystemDiskUsage(ctx context.Context) (*types.DiskUsage, error)
+	SubscribeToEvents(since, until time.Time, ef filters.Args) ([]events.Message, chan interface{})
+	UnsubscribeFromEvents(chan interface{})
+	AuthenticateToRegistry(ctx context.Context, authConfig *types.AuthConfig) (string, string, error)
+}
+
+// ClusterBackend is all the methods that need to be implemented
+// to provide cluster system specific functionality.
+type ClusterBackend interface {
+	Info() swarm.Info
+}
diff --git a/engine/api/server/router/system/system.go b/engine/api/server/router/system/system.go
new file mode 100644
index 00000000..11370584
--- /dev/null
+++ b/engine/api/server/router/system/system.go
@@ -0,0 +1,44 @@
+package system // import "github.com/docker/docker/api/server/router/system"
+
+import (
+	"github.com/docker/docker/api/server/router"
+	buildkit "github.com/docker/docker/builder/builder-next"
+	"github.com/docker/docker/builder/fscache"
+)
+
+// systemRouter provides information about the Docker system overall.
+// It gathers information about host, daemon and container events.
+type systemRouter struct {
+	backend Backend
+	cluster ClusterBackend
+	routes  []router.Route
+	fscache *fscache.FSCache // legacy
+	builder *buildkit.Builder
+}
+
+// NewRouter initializes a new system router
+func NewRouter(b Backend, c ClusterBackend, fscache *fscache.FSCache, builder *buildkit.Builder) router.Router {
+	r := &systemRouter{
+		backend: b,
+		cluster: c,
+		fscache: fscache,
+		builder: builder,
+	}
+
+	r.routes = []router.Route{
+		router.NewOptionsRoute("/{anyroute:.*}", optionsHandler),
+		router.NewGetRoute("/_ping", pingHandler),
+		router.NewGetRoute("/events", r.getEvents, router.WithCancel),
+		router.NewGetRoute("/info", r.getInfo),
+		router.NewGetRoute("/version", r.getVersion),
+		router.NewGetRoute("/system/df", r.getDiskUsage, router.WithCancel),
+		router.NewPostRoute("/auth", r.postAuth),
+	}
+
+	return r
+}
+
+// Routes returns all the API routes dedicated to the docker system
+func (s *systemRouter) Routes() []router.Route {
+	return s.routes
+}
diff --git a/engine/api/server/router/system/system_routes.go b/engine/api/server/router/system/system_routes.go
new file mode 100644
index 00000000..82b649e9
--- /dev/null
+++ b/engine/api/server/router/system/system_routes.go
@@ -0,0 +1,230 @@
+package system // import "github.com/docker/docker/api/server/router/system"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/registry"
+	timetypes "github.com/docker/docker/api/types/time"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/pkg/ioutils"
+	pkgerrors "github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+)
+
+func optionsHandler(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	w.WriteHeader(http.StatusOK)
+	return nil
+}
+
+func pingHandler(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	_, err := w.Write([]byte{'O', 'K'})
+	return err
+}
+
+func (s *systemRouter) getInfo(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	info, err := s.backend.SystemInfo()
+	if err != nil {
+		return err
+	}
+	if s.cluster != nil {
+		info.Swarm = s.cluster.Info()
+	}
+
+	if versions.LessThan(httputils.VersionFromContext(ctx), "1.25") {
+		// TODO: handle this conversion in engine-api
+		type oldInfo struct {
+			*types.Info
+			ExecutionDriver string
+		}
+		old := &oldInfo{
+			Info:            info,
+			ExecutionDriver: "<not supported>",
+		}
+		nameOnlySecurityOptions := []string{}
+		kvSecOpts, err := types.DecodeSecurityOptions(old.SecurityOptions)
+		if err != nil {
+			return err
+		}
+		for _, s := range kvSecOpts {
+			nameOnlySecurityOptions = append(nameOnlySecurityOptions, s.Name)
+		}
+		old.SecurityOptions = nameOnlySecurityOptions
+		return httputils.WriteJSON(w, http.StatusOK, old)
+	}
+	return httputils.WriteJSON(w, http.StatusOK, info)
+}
+
+func (s *systemRouter) getVersion(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	info := s.backend.SystemVersion()
+
+	return httputils.WriteJSON(w, http.StatusOK, info)
+}
+
+func (s *systemRouter) getDiskUsage(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	eg, ctx := errgroup.WithContext(ctx)
+
+	var du *types.DiskUsage
+	eg.Go(func() error {
+		var err error
+		du, err = s.backend.SystemDiskUsage(ctx)
+		return err
+	})
+
+	var builderSize int64 // legacy
+	eg.Go(func() error {
+		var err error
+		builderSize, err = s.fscache.DiskUsage(ctx)
+		if err != nil {
+			return pkgerrors.Wrap(err, "error getting fscache build cache usage")
+		}
+		return nil
+	})
+
+	var buildCache []*types.BuildCache
+	eg.Go(func() error {
+		var err error
+		buildCache, err = s.builder.DiskUsage(ctx)
+		if err != nil {
+			return pkgerrors.Wrap(err, "error getting build cache usage")
+		}
+		return nil
+	})
+
+	if err := eg.Wait(); err != nil {
+		return err
+	}
+
+	for _, b := range buildCache {
+		builderSize += b.Size
+	}
+
+	du.BuilderSize = builderSize
+	du.BuildCache = buildCache
+
+	return httputils.WriteJSON(w, http.StatusOK, du)
+}
+
+type invalidRequestError struct {
+	Err error
+}
+
+func (e invalidRequestError) Error() string {
+	return e.Err.Error()
+}
+
+func (e invalidRequestError) InvalidParameter() {}
+
+func (s *systemRouter) getEvents(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	since, err := eventTime(r.Form.Get("since"))
+	if err != nil {
+		return err
+	}
+	until, err := eventTime(r.Form.Get("until"))
+	if err != nil {
+		return err
+	}
+
+	var (
+		timeout        <-chan time.Time
+		onlyPastEvents bool
+	)
+	if !until.IsZero() {
+		if until.Before(since) {
+			return invalidRequestError{fmt.Errorf("`since` time (%s) cannot be after `until` time (%s)", r.Form.Get("since"), r.Form.Get("until"))}
+		}
+
+		now := time.Now()
+
+		onlyPastEvents = until.Before(now)
+
+		if !onlyPastEvents {
+			dur := until.Sub(now)
+			timeout = time.After(dur)
+		}
+	}
+
+	ef, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	output := ioutils.NewWriteFlusher(w)
+	defer output.Close()
+	output.Flush()
+
+	enc := json.NewEncoder(output)
+
+	buffered, l := s.backend.SubscribeToEvents(since, until, ef)
+	defer s.backend.UnsubscribeFromEvents(l)
+
+	for _, ev := range buffered {
+		if err := enc.Encode(ev); err != nil {
+			return err
+		}
+	}
+
+	if onlyPastEvents {
+		return nil
+	}
+
+	for {
+		select {
+		case ev := <-l:
+			jev, ok := ev.(events.Message)
+			if !ok {
+				logrus.Warnf("unexpected event message: %q", ev)
+				continue
+			}
+			if err := enc.Encode(jev); err != nil {
+				return err
+			}
+		case <-timeout:
+			return nil
+		case <-ctx.Done():
+			logrus.Debug("Client context cancelled, stop sending events")
+			return nil
+		}
+	}
+}
+
+func (s *systemRouter) postAuth(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	var config *types.AuthConfig
+	err := json.NewDecoder(r.Body).Decode(&config)
+	r.Body.Close()
+	if err != nil {
+		return err
+	}
+	status, token, err := s.backend.AuthenticateToRegistry(ctx, config)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, &registry.AuthenticateOKBody{
+		Status:        status,
+		IdentityToken: token,
+	})
+}
+
+func eventTime(formTime string) (time.Time, error) {
+	t, tNano, err := timetypes.ParseTimestamps(formTime, -1)
+	if err != nil {
+		return time.Time{}, err
+	}
+	if t == -1 {
+		return time.Time{}, nil
+	}
+	return time.Unix(t, tNano), nil
+}
diff --git a/engine/api/server/router/volume/backend.go b/engine/api/server/router/volume/backend.go
new file mode 100644
index 00000000..31558c17
--- /dev/null
+++ b/engine/api/server/router/volume/backend.go
@@ -0,0 +1,20 @@
+package volume // import "github.com/docker/docker/api/server/router/volume"
+
+import (
+	"context"
+
+	"github.com/docker/docker/volume/service/opts"
+	// TODO return types need to be refactored into pkg
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// Backend is the methods that need to be implemented to provide
+// volume specific functionality
+type Backend interface {
+	List(ctx context.Context, filter filters.Args) ([]*types.Volume, []string, error)
+	Get(ctx context.Context, name string, opts ...opts.GetOption) (*types.Volume, error)
+	Create(ctx context.Context, name, driverName string, opts ...opts.CreateOption) (*types.Volume, error)
+	Remove(ctx context.Context, name string, opts ...opts.RemoveOption) error
+	Prune(ctx context.Context, pruneFilters filters.Args) (*types.VolumesPruneReport, error)
+}
diff --git a/engine/api/server/router/volume/volume.go b/engine/api/server/router/volume/volume.go
new file mode 100644
index 00000000..04f365e3
--- /dev/null
+++ b/engine/api/server/router/volume/volume.go
@@ -0,0 +1,36 @@
+package volume // import "github.com/docker/docker/api/server/router/volume"
+
+import "github.com/docker/docker/api/server/router"
+
+// volumeRouter is a router to talk with the volumes controller
+type volumeRouter struct {
+	backend Backend
+	routes  []router.Route
+}
+
+// NewRouter initializes a new volume router
+func NewRouter(b Backend) router.Router {
+	r := &volumeRouter{
+		backend: b,
+	}
+	r.initRoutes()
+	return r
+}
+
+// Routes returns the available routes to the volumes controller
+func (r *volumeRouter) Routes() []router.Route {
+	return r.routes
+}
+
+func (r *volumeRouter) initRoutes() {
+	r.routes = []router.Route{
+		// GET
+		router.NewGetRoute("/volumes", r.getVolumesList),
+		router.NewGetRoute("/volumes/{name:.*}", r.getVolumeByName),
+		// POST
+		router.NewPostRoute("/volumes/create", r.postVolumesCreate),
+		router.NewPostRoute("/volumes/prune", r.postVolumesPrune, router.WithCancel),
+		// DELETE
+		router.NewDeleteRoute("/volumes/{name:.*}", r.deleteVolumes),
+	}
+}
diff --git a/engine/api/server/router/volume/volume_routes.go b/engine/api/server/router/volume/volume_routes.go
new file mode 100644
index 00000000..e892d1a5
--- /dev/null
+++ b/engine/api/server/router/volume/volume_routes.go
@@ -0,0 +1,96 @@
+package volume // import "github.com/docker/docker/api/server/router/volume"
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types/filters"
+	volumetypes "github.com/docker/docker/api/types/volume"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/volume/service/opts"
+	"github.com/pkg/errors"
+)
+
+func (v *volumeRouter) getVolumesList(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	filters, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return errdefs.InvalidParameter(errors.Wrap(err, "error reading volume filters"))
+	}
+	volumes, warnings, err := v.backend.List(ctx, filters)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, &volumetypes.VolumeListOKBody{Volumes: volumes, Warnings: warnings})
+}
+
+func (v *volumeRouter) getVolumeByName(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	volume, err := v.backend.Get(ctx, vars["name"], opts.WithGetResolveStatus)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, volume)
+}
+
+func (v *volumeRouter) postVolumesCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	if err := httputils.CheckForJSON(r); err != nil {
+		return err
+	}
+
+	var req volumetypes.VolumeCreateBody
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		if err == io.EOF {
+			return errdefs.InvalidParameter(errors.New("got EOF while reading request body"))
+		}
+		return err
+	}
+
+	volume, err := v.backend.Create(ctx, req.Name, req.Driver, opts.WithCreateOptions(req.DriverOpts), opts.WithCreateLabels(req.Labels))
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusCreated, volume)
+}
+
+func (v *volumeRouter) deleteVolumes(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+	force := httputils.BoolValue(r, "force")
+	if err := v.backend.Remove(ctx, vars["name"], opts.WithPurgeOnError(force)); err != nil {
+		return err
+	}
+	w.WriteHeader(http.StatusNoContent)
+	return nil
+}
+
+func (v *volumeRouter) postVolumesPrune(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	if err := httputils.ParseForm(r); err != nil {
+		return err
+	}
+
+	pruneFilters, err := filters.FromJSON(r.Form.Get("filters"))
+	if err != nil {
+		return err
+	}
+
+	pruneReport, err := v.backend.Prune(ctx, pruneFilters)
+	if err != nil {
+		return err
+	}
+	return httputils.WriteJSON(w, http.StatusOK, pruneReport)
+}
diff --git a/engine/api/server/router_swapper.go b/engine/api/server/router_swapper.go
new file mode 100644
index 00000000..e8087492
--- /dev/null
+++ b/engine/api/server/router_swapper.go
@@ -0,0 +1,30 @@
+package server // import "github.com/docker/docker/api/server"
+
+import (
+	"net/http"
+	"sync"
+
+	"github.com/gorilla/mux"
+)
+
+// routerSwapper is an http.Handler that allows you to swap
+// mux routers.
+type routerSwapper struct {
+	mu     sync.Mutex
+	router *mux.Router
+}
+
+// Swap changes the old router with the new one.
+func (rs *routerSwapper) Swap(newRouter *mux.Router) {
+	rs.mu.Lock()
+	rs.router = newRouter
+	rs.mu.Unlock()
+}
+
+// ServeHTTP makes the routerSwapper to implement the http.Handler interface.
+func (rs *routerSwapper) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	rs.mu.Lock()
+	router := rs.router
+	rs.mu.Unlock()
+	router.ServeHTTP(w, r)
+}
diff --git a/engine/api/server/server.go b/engine/api/server/server.go
new file mode 100644
index 00000000..c3640082
--- /dev/null
+++ b/engine/api/server/server.go
@@ -0,0 +1,209 @@
+package server // import "github.com/docker/docker/api/server"
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+	"strings"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/server/middleware"
+	"github.com/docker/docker/api/server/router"
+	"github.com/docker/docker/api/server/router/debug"
+	"github.com/docker/docker/dockerversion"
+	"github.com/gorilla/mux"
+	"github.com/sirupsen/logrus"
+)
+
+// versionMatcher defines a variable matcher to be parsed by the router
+// when a request is about to be served.
+const versionMatcher = "/v{version:[0-9.]+}"
+
+// Config provides the configuration for the API server
+type Config struct {
+	Logging     bool
+	CorsHeaders string
+	Version     string
+	SocketGroup string
+	TLSConfig   *tls.Config
+}
+
+// Server contains instance details for the server
+type Server struct {
+	cfg           *Config
+	servers       []*HTTPServer
+	routers       []router.Router
+	routerSwapper *routerSwapper
+	middlewares   []middleware.Middleware
+}
+
+// New returns a new instance of the server based on the specified configuration.
+// It allocates resources which will be needed for ServeAPI(ports, unix-sockets).
+func New(cfg *Config) *Server {
+	return &Server{
+		cfg: cfg,
+	}
+}
+
+// UseMiddleware appends a new middleware to the request chain.
+// This needs to be called before the API routes are configured.
+func (s *Server) UseMiddleware(m middleware.Middleware) {
+	s.middlewares = append(s.middlewares, m)
+}
+
+// Accept sets a listener the server accepts connections into.
+func (s *Server) Accept(addr string, listeners ...net.Listener) {
+	for _, listener := range listeners {
+		httpServer := &HTTPServer{
+			srv: &http.Server{
+				Addr: addr,
+			},
+			l: listener,
+		}
+		s.servers = append(s.servers, httpServer)
+	}
+}
+
+// Close closes servers and thus stop receiving requests
+func (s *Server) Close() {
+	for _, srv := range s.servers {
+		if err := srv.Close(); err != nil {
+			logrus.Error(err)
+		}
+	}
+}
+
+// serveAPI loops through all initialized servers and spawns goroutine
+// with Serve method for each. It sets createMux() as Handler also.
+func (s *Server) serveAPI() error {
+	var chErrors = make(chan error, len(s.servers))
+	for _, srv := range s.servers {
+		srv.srv.Handler = s.routerSwapper
+		go func(srv *HTTPServer) {
+			var err error
+			logrus.Infof("API listen on %s", srv.l.Addr())
+			if err = srv.Serve(); err != nil && strings.Contains(err.Error(), "use of closed network connection") {
+				err = nil
+			}
+			chErrors <- err
+		}(srv)
+	}
+
+	for range s.servers {
+		err := <-chErrors
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// HTTPServer contains an instance of http server and the listener.
+// srv *http.Server, contains configuration to create an http server and a mux router with all api end points.
+// l   net.Listener, is a TCP or Socket listener that dispatches incoming request to the router.
+type HTTPServer struct {
+	srv *http.Server
+	l   net.Listener
+}
+
+// Serve starts listening for inbound requests.
+func (s *HTTPServer) Serve() error {
+	return s.srv.Serve(s.l)
+}
+
+// Close closes the HTTPServer from listening for the inbound requests.
+func (s *HTTPServer) Close() error {
+	return s.l.Close()
+}
+
+func (s *Server) makeHTTPHandler(handler httputils.APIFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Define the context that we'll pass around to share info
+		// like the docker-request-id.
+		//
+		// The 'context' will be used for global data that should
+		// apply to all requests. Data that is specific to the
+		// immediate function being called should still be passed
+		// as 'args' on the function call.
+
+		// use intermediate variable to prevent "should not use basic type
+		// string as key in context.WithValue" golint errors
+		var ki interface{} = dockerversion.UAStringKey
+		ctx := context.WithValue(context.Background(), ki, r.Header.Get("User-Agent"))
+		handlerFunc := s.handlerWithGlobalMiddlewares(handler)
+
+		vars := mux.Vars(r)
+		if vars == nil {
+			vars = make(map[string]string)
+		}
+
+		if err := handlerFunc(ctx, w, r, vars); err != nil {
+			statusCode := httputils.GetHTTPErrorStatusCode(err)
+			if statusCode >= 500 {
+				logrus.Errorf("Handler for %s %s returned error: %v", r.Method, r.URL.Path, err)
+			}
+			httputils.MakeErrorHandler(err)(w, r)
+		}
+	}
+}
+
+// InitRouter initializes the list of routers for the server.
+// This method also enables the Go profiler.
+func (s *Server) InitRouter(routers ...router.Router) {
+	s.routers = append(s.routers, routers...)
+
+	m := s.createMux()
+	s.routerSwapper = &routerSwapper{
+		router: m,
+	}
+}
+
+type pageNotFoundError struct{}
+
+func (pageNotFoundError) Error() string {
+	return "page not found"
+}
+
+func (pageNotFoundError) NotFound() {}
+
+// createMux initializes the main router the server uses.
+func (s *Server) createMux() *mux.Router {
+	m := mux.NewRouter()
+
+	logrus.Debug("Registering routers")
+	for _, apiRouter := range s.routers {
+		for _, r := range apiRouter.Routes() {
+			f := s.makeHTTPHandler(r.Handler())
+
+			logrus.Debugf("Registering %s, %s", r.Method(), r.Path())
+			m.Path(versionMatcher + r.Path()).Methods(r.Method()).Handler(f)
+			m.Path(r.Path()).Methods(r.Method()).Handler(f)
+		}
+	}
+
+	debugRouter := debug.NewRouter()
+	s.routers = append(s.routers, debugRouter)
+	for _, r := range debugRouter.Routes() {
+		f := s.makeHTTPHandler(r.Handler())
+		m.Path("/debug" + r.Path()).Handler(f)
+	}
+
+	notFoundHandler := httputils.MakeErrorHandler(pageNotFoundError{})
+	m.HandleFunc(versionMatcher+"/{path:.*}", notFoundHandler)
+	m.NotFoundHandler = notFoundHandler
+
+	return m
+}
+
+// Wait blocks the server goroutine until it exits.
+// It sends an error message if there is any error during
+// the API execution.
+func (s *Server) Wait(waitChan chan error) {
+	if err := s.serveAPI(); err != nil {
+		logrus.Errorf("ServeAPI error: %v", err)
+		waitChan <- err
+		return
+	}
+	waitChan <- nil
+}
diff --git a/engine/api/server/server_test.go b/engine/api/server/server_test.go
new file mode 100644
index 00000000..e0fac30a
--- /dev/null
+++ b/engine/api/server/server_test.go
@@ -0,0 +1,45 @@
+package server // import "github.com/docker/docker/api/server"
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/server/middleware"
+)
+
+func TestMiddlewares(t *testing.T) {
+	cfg := &Config{
+		Version: "0.1omega2",
+	}
+	srv := &Server{
+		cfg: cfg,
+	}
+
+	srv.UseMiddleware(middleware.NewVersionMiddleware("0.1omega2", api.DefaultVersion, api.MinVersion))
+
+	req, _ := http.NewRequest("GET", "/containers/json", nil)
+	resp := httptest.NewRecorder()
+	ctx := context.Background()
+
+	localHandler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		if httputils.VersionFromContext(ctx) == "" {
+			t.Fatal("Expected version, got empty string")
+		}
+
+		if sv := w.Header().Get("Server"); !strings.Contains(sv, "Docker/0.1omega2") {
+			t.Fatalf("Expected server version in the header `Docker/0.1omega2`, got %s", sv)
+		}
+
+		return nil
+	}
+
+	handlerFunc := srv.handlerWithGlobalMiddlewares(localHandler)
+	if err := handlerFunc(ctx, resp, req, map[string]string{}); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/api/swagger-gen.yaml b/engine/api/swagger-gen.yaml
new file mode 100644
index 00000000..f07a0273
--- /dev/null
+++ b/engine/api/swagger-gen.yaml
@@ -0,0 +1,12 @@
+
+layout:
+  models:
+    - name: definition
+      source: asset:model
+      target: "{{ joinFilePath .Target .ModelPackage }}"
+      file_name: "{{ (snakize (pascalize .Name)) }}.go"
+  operations:
+    - name: handler
+      source: asset:serverOperation
+      target: "{{ joinFilePath .Target .APIPackage .Package }}"
+      file_name: "{{ (snakize (pascalize .Name)) }}.go"
diff --git a/engine/api/swagger.yaml b/engine/api/swagger.yaml
new file mode 100644
index 00000000..86374415
--- /dev/null
+++ b/engine/api/swagger.yaml
@@ -0,0 +1,10136 @@
+# A Swagger 2.0 (a.k.a. OpenAPI) definition of the Engine API.
+#
+# This is used for generating API documentation and the types used by the
+# client/server. See api/README.md for more information.
+#
+# Some style notes:
+# - This file is used by ReDoc, which allows GitHub Flavored Markdown in
+#   descriptions.
+# - There is no maximum line length, for ease of editing and pretty diffs.
+# - operationIds are in the format "NounVerb", with a singular noun.
+
+swagger: "2.0"
+schemes:
+  - "http"
+  - "https"
+produces:
+  - "application/json"
+  - "text/plain"
+consumes:
+  - "application/json"
+  - "text/plain"
+basePath: "/v1.38"
+info:
+  title: "Docker Engine API"
+  version: "1.38"
+  x-logo:
+    url: "https://docs.docker.com/images/logo-docker-main.png"
+  description: |
+    The Engine API is an HTTP API served by Docker Engine. It is the API the Docker client uses to communicate with the Engine, so everything the Docker client can do can be done with the API.
+
+    Most of the client's commands map directly to API endpoints (e.g. `docker ps` is `GET /containers/json`). The notable exception is running containers, which consists of several API calls.
+
+    # Errors
+
+    The API uses standard HTTP status codes to indicate the success or failure of the API call. The body of the response will be JSON in the following format:
+
+    ```
+    {
+      "message": "page not found"
+    }
+    ```
+
+    # Versioning
+
+    The API is usually changed in each release, so API calls are versioned to
+    ensure that clients don't break. To lock to a specific version of the API,
+    you prefix the URL with its version, for example, call `/v1.30/info` to use
+    the v1.30 version of the `/info` endpoint. If the API version specified in
+    the URL is not supported by the daemon, a HTTP `400 Bad Request` error message
+    is returned.
+
+    If you omit the version-prefix, the current version of the API (v1.38) is used.
+    For example, calling `/info` is the same as calling `/v1.38/info`. Using the
+    API without a version-prefix is deprecated and will be removed in a future release.
+
+    Engine releases in the near future should support this version of the API,
+    so your client will continue to work even if it is talking to a newer Engine.
+
+    The API uses an open schema model, which means server may add extra properties
+    to responses. Likewise, the server will ignore any extra query parameters and
+    request body properties. When you write clients, you need to ignore additional
+    properties in responses to ensure they do not break when talking to newer
+    daemons.
+
+
+    # Authentication
+
+    Authentication for registries is handled client side. The client has to send authentication details to various endpoints that need to communicate with registries, such as `POST /images/(name)/push`. These are sent as `X-Registry-Auth` header as a Base64 encoded (JSON) string with the following structure:
+
+    ```
+    {
+      "username": "string",
+      "password": "string",
+      "email": "string",
+      "serveraddress": "string"
+    }
+    ```
+
+    The `serveraddress` is a domain/IP without a protocol. Throughout this structure, double quotes are required.
+
+    If you have already got an identity token from the [`/auth` endpoint](#operation/SystemAuth), you can just pass this instead of credentials:
+
+    ```
+    {
+      "identitytoken": "9cbaf023786cd7..."
+    }
+    ```
+
+# The tags on paths define the menu sections in the ReDoc documentation, so
+# the usage of tags must make sense for that:
+# - They should be singular, not plural.
+# - There should not be too many tags, or the menu becomes unwieldy. For
+#   example, it is preferable to add a path to the "System" tag instead of
+#   creating a tag with a single path in it.
+# - The order of tags in this list defines the order in the menu.
+tags:
+  # Primary objects
+  - name: "Container"
+    x-displayName: "Containers"
+    description: |
+      Create and manage containers.
+  - name: "Image"
+    x-displayName: "Images"
+  - name: "Network"
+    x-displayName: "Networks"
+    description: |
+      Networks are user-defined networks that containers can be attached to. See the [networking documentation](https://docs.docker.com/engine/userguide/networking/) for more information.
+  - name: "Volume"
+    x-displayName: "Volumes"
+    description: |
+      Create and manage persistent storage that can be attached to containers.
+  - name: "Exec"
+    x-displayName: "Exec"
+    description: |
+      Run new commands inside running containers. See the [command-line reference](https://docs.docker.com/engine/reference/commandline/exec/) for more information.
+
+      To exec a command in a container, you first need to create an exec instance, then start it. These two API endpoints are wrapped up in a single command-line command, `docker exec`.
+  # Swarm things
+  - name: "Swarm"
+    x-displayName: "Swarm"
+    description: |
+      Engines can be clustered together in a swarm. See [the swarm mode documentation](https://docs.docker.com/engine/swarm/) for more information.
+  - name: "Node"
+    x-displayName: "Nodes"
+    description: |
+      Nodes are instances of the Engine participating in a swarm. Swarm mode must be enabled for these endpoints to work.
+  - name: "Service"
+    x-displayName: "Services"
+    description: |
+      Services are the definitions of tasks to run on a swarm. Swarm mode must be enabled for these endpoints to work.
+  - name: "Task"
+    x-displayName: "Tasks"
+    description: |
+      A task is a container running on a swarm. It is the atomic scheduling unit of swarm. Swarm mode must be enabled for these endpoints to work.
+  - name: "Secret"
+    x-displayName: "Secrets"
+    description: |
+      Secrets are sensitive data that can be used by services. Swarm mode must be enabled for these endpoints to work.
+  - name: "Config"
+    x-displayName: "Configs"
+    description: |
+      Configs are application configurations that can be used by services. Swarm mode must be enabled for these endpoints to work.
+  # System things
+  - name: "Plugin"
+    x-displayName: "Plugins"
+  - name: "System"
+    x-displayName: "System"
+
+definitions:
+  Port:
+    type: "object"
+    description: "An open port on a container"
+    required: [PrivatePort, Type]
+    properties:
+      IP:
+        type: "string"
+        format: "ip-address"
+        description: "Host IP address that the container's port is mapped to"
+      PrivatePort:
+        type: "integer"
+        format: "uint16"
+        x-nullable: false
+        description: "Port on the container"
+      PublicPort:
+        type: "integer"
+        format: "uint16"
+        description: "Port exposed on the host"
+      Type:
+        type: "string"
+        x-nullable: false
+        enum: ["tcp", "udp", "sctp"]
+    example:
+      PrivatePort: 8080
+      PublicPort: 80
+      Type: "tcp"
+
+  MountPoint:
+    type: "object"
+    description: "A mount point inside a container"
+    properties:
+      Type:
+        type: "string"
+      Name:
+        type: "string"
+      Source:
+        type: "string"
+      Destination:
+        type: "string"
+      Driver:
+        type: "string"
+      Mode:
+        type: "string"
+      RW:
+        type: "boolean"
+      Propagation:
+        type: "string"
+
+  DeviceMapping:
+    type: "object"
+    description: "A device mapping between the host and container"
+    properties:
+      PathOnHost:
+        type: "string"
+      PathInContainer:
+        type: "string"
+      CgroupPermissions:
+        type: "string"
+    example:
+      PathOnHost: "/dev/deviceName"
+      PathInContainer: "/dev/deviceName"
+      CgroupPermissions: "mrw"
+
+  ThrottleDevice:
+    type: "object"
+    properties:
+      Path:
+        description: "Device path"
+        type: "string"
+      Rate:
+        description: "Rate"
+        type: "integer"
+        format: "int64"
+        minimum: 0
+
+  Mount:
+    type: "object"
+    properties:
+      Target:
+        description: "Container path."
+        type: "string"
+      Source:
+        description: "Mount source (e.g. a volume name, a host path)."
+        type: "string"
+      Type:
+        description: |
+          The mount type. Available types:
+
+          - `bind` Mounts a file or directory from the host into the container. Must exist prior to creating the container.
+          - `volume` Creates a volume with the given name and options (or uses a pre-existing volume with the same name and options). These are **not** removed when the container is removed.
+          - `tmpfs` Create a tmpfs with the given options. The mount source cannot be specified for tmpfs.
+        type: "string"
+        enum:
+          - "bind"
+          - "volume"
+          - "tmpfs"
+      ReadOnly:
+        description: "Whether the mount should be read-only."
+        type: "boolean"
+      Consistency:
+        description: "The consistency requirement for the mount: `default`, `consistent`, `cached`, or `delegated`."
+        type: "string"
+      BindOptions:
+        description: "Optional configuration for the `bind` type."
+        type: "object"
+        properties:
+          Propagation:
+            description: "A propagation mode with the value `[r]private`, `[r]shared`, or `[r]slave`."
+            type: "string"
+            enum:
+              - "private"
+              - "rprivate"
+              - "shared"
+              - "rshared"
+              - "slave"
+              - "rslave"
+      VolumeOptions:
+        description: "Optional configuration for the `volume` type."
+        type: "object"
+        properties:
+          NoCopy:
+            description: "Populate volume with data from the target."
+            type: "boolean"
+            default: false
+          Labels:
+            description: "User-defined key/value metadata."
+            type: "object"
+            additionalProperties:
+              type: "string"
+          DriverConfig:
+            description: "Map of driver specific options"
+            type: "object"
+            properties:
+              Name:
+                description: "Name of the driver to use to create the volume."
+                type: "string"
+              Options:
+                description: "key/value map of driver specific options."
+                type: "object"
+                additionalProperties:
+                  type: "string"
+      TmpfsOptions:
+        description: "Optional configuration for the `tmpfs` type."
+        type: "object"
+        properties:
+          SizeBytes:
+            description: "The size for the tmpfs mount in bytes."
+            type: "integer"
+            format: "int64"
+          Mode:
+            description: "The permission mode for the tmpfs mount in an integer."
+            type: "integer"
+
+  RestartPolicy:
+    description: |
+      The behavior to apply when the container exits. The default is not to restart.
+
+      An ever increasing delay (double the previous delay, starting at 100ms) is added before each restart to prevent flooding the server.
+    type: "object"
+    properties:
+      Name:
+        type: "string"
+        description: |
+          - Empty string means not to restart
+          - `always` Always restart
+          - `unless-stopped` Restart always except when the user has manually stopped the container
+          - `on-failure` Restart only when the container exit code is non-zero
+        enum:
+          - ""
+          - "always"
+          - "unless-stopped"
+          - "on-failure"
+      MaximumRetryCount:
+        type: "integer"
+        description: "If `on-failure` is used, the number of times to retry before giving up"
+
+  Resources:
+    description: "A container's resources (cgroups config, ulimits, etc)"
+    type: "object"
+    properties:
+      # Applicable to all platforms
+      CpuShares:
+        description: "An integer value representing this container's relative CPU weight versus other containers."
+        type: "integer"
+      Memory:
+        description: "Memory limit in bytes."
+        type: "integer"
+        format: "int64"
+        default: 0
+      # Applicable to UNIX platforms
+      CgroupParent:
+        description: "Path to `cgroups` under which the container's `cgroup` is created. If the path is not absolute, the path is considered to be relative to the `cgroups` path of the init process. Cgroups are created if they do not already exist."
+        type: "string"
+      BlkioWeight:
+        description: "Block IO weight (relative weight)."
+        type: "integer"
+        minimum: 0
+        maximum: 1000
+      BlkioWeightDevice:
+        description: |
+          Block IO weight (relative device weight) in the form `[{"Path": "device_path", "Weight": weight}]`.
+        type: "array"
+        items:
+          type: "object"
+          properties:
+            Path:
+              type: "string"
+            Weight:
+              type: "integer"
+              minimum: 0
+      BlkioDeviceReadBps:
+        description: |
+          Limit read rate (bytes per second) from a device, in the form `[{"Path": "device_path", "Rate": rate}]`.
+        type: "array"
+        items:
+          $ref: "#/definitions/ThrottleDevice"
+      BlkioDeviceWriteBps:
+        description: |
+          Limit write rate (bytes per second) to a device, in the form `[{"Path": "device_path", "Rate": rate}]`.
+        type: "array"
+        items:
+          $ref: "#/definitions/ThrottleDevice"
+      BlkioDeviceReadIOps:
+        description: |
+          Limit read rate (IO per second) from a device, in the form `[{"Path": "device_path", "Rate": rate}]`.
+        type: "array"
+        items:
+          $ref: "#/definitions/ThrottleDevice"
+      BlkioDeviceWriteIOps:
+        description: |
+          Limit write rate (IO per second) to a device, in the form `[{"Path": "device_path", "Rate": rate}]`.
+        type: "array"
+        items:
+          $ref: "#/definitions/ThrottleDevice"
+      CpuPeriod:
+        description: "The length of a CPU period in microseconds."
+        type: "integer"
+        format: "int64"
+      CpuQuota:
+        description: "Microseconds of CPU time that the container can get in a CPU period."
+        type: "integer"
+        format: "int64"
+      CpuRealtimePeriod:
+        description: "The length of a CPU real-time period in microseconds. Set to 0 to allocate no time allocated to real-time tasks."
+        type: "integer"
+        format: "int64"
+      CpuRealtimeRuntime:
+        description: "The length of a CPU real-time runtime in microseconds. Set to 0 to allocate no time allocated to real-time tasks."
+        type: "integer"
+        format: "int64"
+      CpusetCpus:
+        description: "CPUs in which to allow execution (e.g., `0-3`, `0,1`)"
+        type: "string"
+        example: "0-3"
+      CpusetMems:
+        description: "Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems."
+        type: "string"
+      Devices:
+        description: "A list of devices to add to the container."
+        type: "array"
+        items:
+          $ref: "#/definitions/DeviceMapping"
+      DeviceCgroupRules:
+        description: "a list of cgroup rules to apply to the container"
+        type: "array"
+        items:
+          type: "string"
+          example: "c 13:* rwm"
+      DiskQuota:
+        description: "Disk limit (in bytes)."
+        type: "integer"
+        format: "int64"
+      KernelMemory:
+        description: "Kernel memory limit in bytes."
+        type: "integer"
+        format: "int64"
+      MemoryReservation:
+        description: "Memory soft limit in bytes."
+        type: "integer"
+        format: "int64"
+      MemorySwap:
+        description: "Total memory limit (memory + swap). Set as `-1` to enable unlimited swap."
+        type: "integer"
+        format: "int64"
+      MemorySwappiness:
+        description: "Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100."
+        type: "integer"
+        format: "int64"
+        minimum: 0
+        maximum: 100
+      NanoCPUs:
+        description: "CPU quota in units of 10<sup>-9</sup> CPUs."
+        type: "integer"
+        format: "int64"
+      OomKillDisable:
+        description: "Disable OOM Killer for the container."
+        type: "boolean"
+      Init:
+        description: "Run an init inside the container that forwards signals and reaps processes. This field is omitted if empty, and the default (as configured on the daemon) is used."
+        type: "boolean"
+        x-nullable: true
+      PidsLimit:
+        description: "Tune a container's pids limit. Set -1 for unlimited."
+        type: "integer"
+        format: "int64"
+      Ulimits:
+        description: |
+          A list of resource limits to set in the container. For example: `{"Name": "nofile", "Soft": 1024, "Hard": 2048}`"
+        type: "array"
+        items:
+          type: "object"
+          properties:
+            Name:
+              description: "Name of ulimit"
+              type: "string"
+            Soft:
+              description: "Soft limit"
+              type: "integer"
+            Hard:
+              description: "Hard limit"
+              type: "integer"
+      # Applicable to Windows
+      CpuCount:
+        description: |
+          The number of usable CPUs (Windows only).
+
+          On Windows Server containers, the processor resource controls are mutually exclusive. The order of precedence is `CPUCount` first, then `CPUShares`, and `CPUPercent` last.
+        type: "integer"
+        format: "int64"
+      CpuPercent:
+        description: |
+          The usable percentage of the available CPUs (Windows only).
+
+          On Windows Server containers, the processor resource controls are mutually exclusive. The order of precedence is `CPUCount` first, then `CPUShares`, and `CPUPercent` last.
+        type: "integer"
+        format: "int64"
+      IOMaximumIOps:
+        description: "Maximum IOps for the container system drive (Windows only)"
+        type: "integer"
+        format: "int64"
+      IOMaximumBandwidth:
+        description: "Maximum IO in bytes per second for the container system drive (Windows only)"
+        type: "integer"
+        format: "int64"
+
+  ResourceObject:
+    description: "An object describing the resources which can be advertised by a node and requested by a task"
+    type: "object"
+    properties:
+      NanoCPUs:
+        type: "integer"
+        format: "int64"
+        example: 4000000000
+      MemoryBytes:
+        type: "integer"
+        format: "int64"
+        example: 8272408576
+      GenericResources:
+        $ref: "#/definitions/GenericResources"
+
+  GenericResources:
+    description: "User-defined resources can be either Integer resources (e.g, `SSD=3`) or String resources (e.g, `GPU=UUID1`)"
+    type: "array"
+    items:
+      type: "object"
+      properties:
+        NamedResourceSpec:
+          type: "object"
+          properties:
+            Kind:
+              type: "string"
+            Value:
+              type: "string"
+        DiscreteResourceSpec:
+          type: "object"
+          properties:
+            Kind:
+              type: "string"
+            Value:
+              type: "integer"
+              format: "int64"
+    example:
+      - DiscreteResourceSpec:
+          Kind: "SSD"
+          Value: 3
+      - NamedResourceSpec:
+          Kind: "GPU"
+          Value: "UUID1"
+      - NamedResourceSpec:
+          Kind: "GPU"
+          Value: "UUID2"
+
+  HealthConfig:
+    description: "A test to perform to check that the container is healthy."
+    type: "object"
+    properties:
+      Test:
+        description: |
+          The test to perform. Possible values are:
+
+          - `[]` inherit healthcheck from image or parent image
+          - `["NONE"]` disable healthcheck
+          - `["CMD", args...]` exec arguments directly
+          - `["CMD-SHELL", command]` run command with system's default shell
+        type: "array"
+        items:
+          type: "string"
+      Interval:
+        description: "The time to wait between checks in nanoseconds. It should be 0 or at least 1000000 (1 ms). 0 means inherit."
+        type: "integer"
+      Timeout:
+        description: "The time to wait before considering the check to have hung. It should be 0 or at least 1000000 (1 ms). 0 means inherit."
+        type: "integer"
+      Retries:
+        description: "The number of consecutive failures needed to consider a container as unhealthy. 0 means inherit."
+        type: "integer"
+      StartPeriod:
+        description: "Start period for the container to initialize before starting health-retries countdown in nanoseconds. It should be 0 or at least 1000000 (1 ms). 0 means inherit."
+        type: "integer"
+
+  HostConfig:
+    description: "Container configuration that depends on the host we are running on"
+    allOf:
+      - $ref: "#/definitions/Resources"
+      - type: "object"
+        properties:
+          # Applicable to all platforms
+          Binds:
+            type: "array"
+            description: |
+              A list of volume bindings for this container. Each volume binding is a string in one of these forms:
+
+              - `host-src:container-dest` to bind-mount a host path into the container. Both `host-src`, and `container-dest` must be an _absolute_ path.
+              - `host-src:container-dest:ro` to make the bind mount read-only inside the container. Both `host-src`, and `container-dest` must be an _absolute_ path.
+              - `volume-name:container-dest` to bind-mount a volume managed by a volume driver into the container. `container-dest` must be an _absolute_ path.
+              - `volume-name:container-dest:ro` to mount the volume read-only inside the container.  `container-dest` must be an _absolute_ path.
+            items:
+              type: "string"
+          ContainerIDFile:
+            type: "string"
+            description: "Path to a file where the container ID is written"
+          LogConfig:
+            type: "object"
+            description: "The logging configuration for this container"
+            properties:
+              Type:
+                type: "string"
+                enum:
+                  - "json-file"
+                  - "syslog"
+                  - "journald"
+                  - "gelf"
+                  - "fluentd"
+                  - "awslogs"
+                  - "splunk"
+                  - "etwlogs"
+                  - "none"
+              Config:
+                type: "object"
+                additionalProperties:
+                  type: "string"
+          NetworkMode:
+            type: "string"
+            description: "Network mode to use for this container. Supported standard values are: `bridge`, `host`, `none`, and `container:<name|id>`. Any other value is taken
+              as a custom network's name to which this container should connect to."
+          PortBindings:
+            $ref: "#/definitions/PortMap"
+          RestartPolicy:
+            $ref: "#/definitions/RestartPolicy"
+          AutoRemove:
+            type: "boolean"
+            description: "Automatically remove the container when the container's process exits. This has no effect if `RestartPolicy` is set."
+          VolumeDriver:
+            type: "string"
+            description: "Driver that this container uses to mount volumes."
+          VolumesFrom:
+            type: "array"
+            description: "A list of volumes to inherit from another container, specified in the form `<container name>[:<ro|rw>]`."
+            items:
+              type: "string"
+          Mounts:
+            description: "Specification for mounts to be added to the container."
+            type: "array"
+            items:
+              $ref: "#/definitions/Mount"
+
+          # Applicable to UNIX platforms
+          CapAdd:
+            type: "array"
+            description: "A list of kernel capabilities to add to the container."
+            items:
+              type: "string"
+          CapDrop:
+            type: "array"
+            description: "A list of kernel capabilities to drop from the container."
+            items:
+              type: "string"
+          Dns:
+            type: "array"
+            description: "A list of DNS servers for the container to use."
+            items:
+              type: "string"
+          DnsOptions:
+            type: "array"
+            description: "A list of DNS options."
+            items:
+              type: "string"
+          DnsSearch:
+            type: "array"
+            description: "A list of DNS search domains."
+            items:
+              type: "string"
+          ExtraHosts:
+            type: "array"
+            description: |
+              A list of hostnames/IP mappings to add to the container's `/etc/hosts` file. Specified in the form `["hostname:IP"]`.
+            items:
+              type: "string"
+          GroupAdd:
+            type: "array"
+            description: "A list of additional groups that the container process will run as."
+            items:
+              type: "string"
+          IpcMode:
+            type: "string"
+            description: |
+                    IPC sharing mode for the container. Possible values are:
+
+                    - `"none"`: own private IPC namespace, with /dev/shm not mounted
+                    - `"private"`: own private IPC namespace
+                    - `"shareable"`: own private IPC namespace, with a possibility to share it with other containers
+                    - `"container:<name|id>"`: join another (shareable) container's IPC namespace
+                    - `"host"`: use the host system's IPC namespace
+
+                    If not specified, daemon default is used, which can either be `"private"`
+                    or `"shareable"`, depending on daemon version and configuration.
+          Cgroup:
+            type: "string"
+            description: "Cgroup to use for the container."
+          Links:
+            type: "array"
+            description: "A list of links for the container in the form `container_name:alias`."
+            items:
+              type: "string"
+          OomScoreAdj:
+            type: "integer"
+            description: "An integer value containing the score given to the container in order to tune OOM killer preferences."
+            example: 500
+          PidMode:
+            type: "string"
+            description: |
+              Set the PID (Process) Namespace mode for the container. It can be either:
+
+              - `"container:<name|id>"`: joins another container's PID namespace
+              - `"host"`: use the host's PID namespace inside the container
+          Privileged:
+            type: "boolean"
+            description: "Gives the container full access to the host."
+          PublishAllPorts:
+            type: "boolean"
+            description: |
+              Allocates an ephemeral host port for all of a container's
+              exposed ports.
+
+              Ports are de-allocated when the container stops and allocated when the container starts.
+              The allocated port might be changed when restarting the container.
+
+              The port is selected from the ephemeral port range that depends on the kernel.
+              For example, on Linux the range is defined by `/proc/sys/net/ipv4/ip_local_port_range`.
+          ReadonlyRootfs:
+            type: "boolean"
+            description: "Mount the container's root filesystem as read only."
+          SecurityOpt:
+            type: "array"
+            description: "A list of string values to customize labels for MLS
+            systems, such as SELinux."
+            items:
+              type: "string"
+          StorageOpt:
+            type: "object"
+            description: |
+              Storage driver options for this container, in the form `{"size": "120G"}`.
+            additionalProperties:
+              type: "string"
+          Tmpfs:
+            type: "object"
+            description: |
+              A map of container directories which should be replaced by tmpfs mounts, and their corresponding mount options. For example: `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
+            additionalProperties:
+              type: "string"
+          UTSMode:
+            type: "string"
+            description: "UTS namespace to use for the container."
+          UsernsMode:
+            type: "string"
+            description: "Sets the usernamespace mode for the container when usernamespace remapping option is enabled."
+          ShmSize:
+            type: "integer"
+            description: "Size of `/dev/shm` in bytes. If omitted, the system uses 64MB."
+            minimum: 0
+          Sysctls:
+            type: "object"
+            description: |
+              A list of kernel parameters (sysctls) to set in the container. For example: `{"net.ipv4.ip_forward": "1"}`
+            additionalProperties:
+              type: "string"
+          Runtime:
+            type: "string"
+            description: "Runtime to use with this container."
+          # Applicable to Windows
+          ConsoleSize:
+            type: "array"
+            description: "Initial console size, as an `[height, width]` array. (Windows only)"
+            minItems: 2
+            maxItems: 2
+            items:
+              type: "integer"
+              minimum: 0
+          Isolation:
+            type: "string"
+            description: "Isolation technology of the container. (Windows only)"
+            enum:
+              - "default"
+              - "process"
+              - "hyperv"
+          MaskedPaths:
+            type: "array"
+            description: "The list of paths to be masked inside the container (this overrides the default set of paths)"
+            items:
+              type: "string"
+          ReadonlyPaths:
+            type: "array"
+            description: "The list of paths to be set as read-only inside the container (this overrides the default set of paths)"
+            items:
+              type: "string"
+
+  ContainerConfig:
+    description: "Configuration for a container that is portable between hosts"
+    type: "object"
+    properties:
+      Hostname:
+        description: "The hostname to use for the container, as a valid RFC 1123 hostname."
+        type: "string"
+      Domainname:
+        description: "The domain name to use for the container."
+        type: "string"
+      User:
+        description: "The user that commands are run as inside the container."
+        type: "string"
+      AttachStdin:
+        description: "Whether to attach to `stdin`."
+        type: "boolean"
+        default: false
+      AttachStdout:
+        description: "Whether to attach to `stdout`."
+        type: "boolean"
+        default: true
+      AttachStderr:
+        description: "Whether to attach to `stderr`."
+        type: "boolean"
+        default: true
+      ExposedPorts:
+        description: |
+          An object mapping ports to an empty object in the form:
+
+          `{"<port>/<tcp|udp|sctp>": {}}`
+        type: "object"
+        additionalProperties:
+          type: "object"
+          enum:
+            - {}
+          default: {}
+      Tty:
+        description: "Attach standard streams to a TTY, including `stdin` if it is not closed."
+        type: "boolean"
+        default: false
+      OpenStdin:
+        description: "Open `stdin`"
+        type: "boolean"
+        default: false
+      StdinOnce:
+        description: "Close `stdin` after one attached client disconnects"
+        type: "boolean"
+        default: false
+      Env:
+        description: |
+          A list of environment variables to set inside the container in the form `["VAR=value", ...]`. A variable without `=` is removed from the environment, rather than to have an empty value.
+        type: "array"
+        items:
+          type: "string"
+      Cmd:
+        description: "Command to run specified as a string or an array of strings."
+        type: "array"
+        items:
+          type: "string"
+      Healthcheck:
+        $ref: "#/definitions/HealthConfig"
+      ArgsEscaped:
+        description: "Command is already escaped (Windows only)"
+        type: "boolean"
+      Image:
+        description: "The name of the image to use when creating the container"
+        type: "string"
+      Volumes:
+        description: "An object mapping mount point paths inside the container to empty objects."
+        type: "object"
+        additionalProperties:
+          type: "object"
+          enum:
+            - {}
+          default: {}
+      WorkingDir:
+        description: "The working directory for commands to run in."
+        type: "string"
+      Entrypoint:
+        description: |
+          The entry point for the container as a string or an array of strings.
+
+          If the array consists of exactly one empty string (`[""]`) then the entry point is reset to system default (i.e., the entry point used by docker when there is no `ENTRYPOINT` instruction in the `Dockerfile`).
+        type: "array"
+        items:
+          type: "string"
+      NetworkDisabled:
+        description: "Disable networking for the container."
+        type: "boolean"
+      MacAddress:
+        description: "MAC address of the container."
+        type: "string"
+      OnBuild:
+        description: "`ONBUILD` metadata that were defined in the image's `Dockerfile`."
+        type: "array"
+        items:
+          type: "string"
+      Labels:
+        description: "User-defined key/value metadata."
+        type: "object"
+        additionalProperties:
+          type: "string"
+      StopSignal:
+        description: "Signal to stop a container as a string or unsigned integer."
+        type: "string"
+        default: "SIGTERM"
+      StopTimeout:
+        description: "Timeout to stop a container in seconds."
+        type: "integer"
+        default: 10
+      Shell:
+        description: "Shell for when `RUN`, `CMD`, and `ENTRYPOINT` uses a shell."
+        type: "array"
+        items:
+          type: "string"
+
+  NetworkSettings:
+    description: "NetworkSettings exposes the network settings in the API"
+    type: "object"
+    properties:
+      Bridge:
+        description: Name of the network'a bridge (for example, `docker0`).
+        type: "string"
+        example: "docker0"
+      SandboxID:
+        description: SandboxID uniquely represents a container's network stack.
+        type: "string"
+        example: "9d12daf2c33f5959c8bf90aa513e4f65b561738661003029ec84830cd503a0c3"
+      HairpinMode:
+        description: |
+          Indicates if hairpin NAT should be enabled on the virtual interface.
+        type: "boolean"
+        example: false
+      LinkLocalIPv6Address:
+        description: IPv6 unicast address using the link-local prefix.
+        type: "string"
+        example: "fe80::42:acff:fe11:1"
+      LinkLocalIPv6PrefixLen:
+        description: Prefix length of the IPv6 unicast address.
+        type: "integer"
+        example: "64"
+      Ports:
+        $ref: "#/definitions/PortMap"
+      SandboxKey:
+        description: SandboxKey identifies the sandbox
+        type: "string"
+        example: "/var/run/docker/netns/8ab54b426c38"
+
+      # TODO is SecondaryIPAddresses actually used?
+      SecondaryIPAddresses:
+        description: ""
+        type: "array"
+        items:
+          $ref: "#/definitions/Address"
+        x-nullable: true
+
+      # TODO is SecondaryIPv6Addresses actually used?
+      SecondaryIPv6Addresses:
+        description: ""
+        type: "array"
+        items:
+          $ref: "#/definitions/Address"
+        x-nullable: true
+
+      # TODO properties below are part of DefaultNetworkSettings, which is
+      # marked as deprecated since Docker 1.9 and to be removed in Docker v17.12
+      EndpointID:
+        description: |
+          EndpointID uniquely represents a service endpoint in a Sandbox.
+
+          <p><br /></p>
+
+          > **Deprecated**: This field is only propagated when attached to the
+          > default "bridge" network. Use the information from the "bridge"
+          > network inside the `Networks` map instead, which contains the same
+          > information. This field was deprecated in Docker 1.9 and is scheduled
+          > to be removed in Docker 17.12.0
+        type: "string"
+        example: "b88f5b905aabf2893f3cbc4ee42d1ea7980bbc0a92e2c8922b1e1795298afb0b"
+      Gateway:
+        description: |
+          Gateway address for the default "bridge" network.
+
+          <p><br /></p>
+
+          > **Deprecated**: This field is only propagated when attached to the
+          > default "bridge" network. Use the information from the "bridge"
+          > network inside the `Networks` map instead, which contains the same
+          > information. This field was deprecated in Docker 1.9 and is scheduled
+          > to be removed in Docker 17.12.0
+        type: "string"
+        example: "172.17.0.1"
+      GlobalIPv6Address:
+        description: |
+          Global IPv6 address for the default "bridge" network.
+
+          <p><br /></p>
+
+          > **Deprecated**: This field is only propagated when attached to the
+          > default "bridge" network. Use the information from the "bridge"
+          > network inside the `Networks` map instead, which contains the same
+          > information. This field was deprecated in Docker 1.9 and is scheduled
+          > to be removed in Docker 17.12.0
+        type: "string"
+        example: "2001:db8::5689"
+      GlobalIPv6PrefixLen:
+        description: |
+          Mask length of the global IPv6 address.
+
+          <p><br /></p>
+
+          > **Deprecated**: This field is only propagated when attached to the
+          > default "bridge" network. Use the information from the "bridge"
+          > network inside the `Networks` map instead, which contains the same
+          > information. This field was deprecated in Docker 1.9 and is scheduled
+          > to be removed in Docker 17.12.0
+        type: "integer"
+        example: 64
+      IPAddress:
+        description: |
+          IPv4 address for the default "bridge" network.
+
+          <p><br /></p>
+
+          > **Deprecated**: This field is only propagated when attached to the
+          > default "bridge" network. Use the information from the "bridge"
+          > network inside the `Networks` map instead, which contains the same
+          > information. This field was deprecated in Docker 1.9 and is scheduled
+          > to be removed in Docker 17.12.0
+        type: "string"
+        example: "172.17.0.4"
+      IPPrefixLen:
+        description: |
+          Mask length of the IPv4 address.
+
+          <p><br /></p>
+
+          > **Deprecated**: This field is only propagated when attached to the
+          > default "bridge" network. Use the information from the "bridge"
+          > network inside the `Networks` map instead, which contains the same
+          > information. This field was deprecated in Docker 1.9 and is scheduled
+          > to be removed in Docker 17.12.0
+        type: "integer"
+        example: 16
+      IPv6Gateway:
+        description: |
+          IPv6 gateway address for this network.
+
+          <p><br /></p>
+
+          > **Deprecated**: This field is only propagated when attached to the
+          > default "bridge" network. Use the information from the "bridge"
+          > network inside the `Networks` map instead, which contains the same
+          > information. This field was deprecated in Docker 1.9 and is scheduled
+          > to be removed in Docker 17.12.0
+        type: "string"
+        example: "2001:db8:2::100"
+      MacAddress:
+        description: |
+          MAC address for the container on the default "bridge" network.
+
+          <p><br /></p>
+
+          > **Deprecated**: This field is only propagated when attached to the
+          > default "bridge" network. Use the information from the "bridge"
+          > network inside the `Networks` map instead, which contains the same
+          > information. This field was deprecated in Docker 1.9 and is scheduled
+          > to be removed in Docker 17.12.0
+        type: "string"
+        example: "02:42:ac:11:00:04"
+      Networks:
+        description: |
+          Information about all networks that the container is connected to.
+        type: "object"
+        additionalProperties:
+          $ref: "#/definitions/EndpointSettings"
+
+  Address:
+    description: Address represents an IPv4 or IPv6 IP address.
+    type: "object"
+    properties:
+      Addr:
+        description: IP address.
+        type: "string"
+      PrefixLen:
+        description: Mask length of the IP address.
+        type: "integer"
+
+  PortMap:
+    description: |
+      PortMap describes the mapping of container ports to host ports, using the
+      container's port-number and protocol as key in the format `<port>/<protocol>`,
+      for example, `80/udp`.
+
+      If a container's port is mapped for multiple protocols, separate entries
+      are added to the mapping table.
+    type: "object"
+    additionalProperties:
+      type: "array"
+      items:
+        $ref: "#/definitions/PortBinding"
+    example:
+      "443/tcp":
+        - HostIp: "127.0.0.1"
+          HostPort: "4443"
+      "80/tcp":
+        - HostIp: "0.0.0.0"
+          HostPort: "80"
+        - HostIp: "0.0.0.0"
+          HostPort: "8080"
+      "80/udp":
+        - HostIp: "0.0.0.0"
+          HostPort: "80"
+      "53/udp":
+        - HostIp: "0.0.0.0"
+          HostPort: "53"
+      "2377/tcp": null
+
+  PortBinding:
+    description: |
+      PortBinding represents a binding between a host IP address and a host
+      port.
+    type: "object"
+    x-nullable: true
+    properties:
+      HostIp:
+        description: "Host IP address that the container's port is mapped to."
+        type: "string"
+        example: "127.0.0.1"
+      HostPort:
+        description: "Host port number that the container's port is mapped to."
+        type: "string"
+        example: "4443"
+
+  GraphDriverData:
+    description: "Information about a container's graph driver."
+    type: "object"
+    required: [Name, Data]
+    properties:
+      Name:
+        type: "string"
+        x-nullable: false
+      Data:
+        type: "object"
+        x-nullable: false
+        additionalProperties:
+          type: "string"
+
+  Image:
+    type: "object"
+    required:
+      - Id
+      - Parent
+      - Comment
+      - Created
+      - Container
+      - DockerVersion
+      - Author
+      - Architecture
+      - Os
+      - Size
+      - VirtualSize
+      - GraphDriver
+      - RootFS
+    properties:
+      Id:
+        type: "string"
+        x-nullable: false
+      RepoTags:
+        type: "array"
+        items:
+          type: "string"
+      RepoDigests:
+        type: "array"
+        items:
+          type: "string"
+      Parent:
+        type: "string"
+        x-nullable: false
+      Comment:
+        type: "string"
+        x-nullable: false
+      Created:
+        type: "string"
+        x-nullable: false
+      Container:
+        type: "string"
+        x-nullable: false
+      ContainerConfig:
+        $ref: "#/definitions/ContainerConfig"
+      DockerVersion:
+        type: "string"
+        x-nullable: false
+      Author:
+        type: "string"
+        x-nullable: false
+      Config:
+        $ref: "#/definitions/ContainerConfig"
+      Architecture:
+        type: "string"
+        x-nullable: false
+      Os:
+        type: "string"
+        x-nullable: false
+      OsVersion:
+        type: "string"
+      Size:
+        type: "integer"
+        format: "int64"
+        x-nullable: false
+      VirtualSize:
+        type: "integer"
+        format: "int64"
+        x-nullable: false
+      GraphDriver:
+        $ref: "#/definitions/GraphDriverData"
+      RootFS:
+        type: "object"
+        required: [Type]
+        properties:
+          Type:
+            type: "string"
+            x-nullable: false
+          Layers:
+            type: "array"
+            items:
+              type: "string"
+          BaseLayer:
+            type: "string"
+      Metadata:
+        type: "object"
+        properties:
+          LastTagTime:
+            type: "string"
+            format: "dateTime"
+
+  ImageSummary:
+    type: "object"
+    required:
+      - Id
+      - ParentId
+      - RepoTags
+      - RepoDigests
+      - Created
+      - Size
+      - SharedSize
+      - VirtualSize
+      - Labels
+      - Containers
+    properties:
+      Id:
+        type: "string"
+        x-nullable: false
+      ParentId:
+        type: "string"
+        x-nullable: false
+      RepoTags:
+        type: "array"
+        x-nullable: false
+        items:
+          type: "string"
+      RepoDigests:
+        type: "array"
+        x-nullable: false
+        items:
+          type: "string"
+      Created:
+        type: "integer"
+        x-nullable: false
+      Size:
+        type: "integer"
+        x-nullable: false
+      SharedSize:
+        type: "integer"
+        x-nullable: false
+      VirtualSize:
+        type: "integer"
+        x-nullable: false
+      Labels:
+        type: "object"
+        x-nullable: false
+        additionalProperties:
+          type: "string"
+      Containers:
+        x-nullable: false
+        type: "integer"
+
+  AuthConfig:
+    type: "object"
+    properties:
+      username:
+        type: "string"
+      password:
+        type: "string"
+      email:
+        type: "string"
+      serveraddress:
+        type: "string"
+    example:
+      username: "hannibal"
+      password: "xxxx"
+      serveraddress: "https://index.docker.io/v1/"
+
+  ProcessConfig:
+    type: "object"
+    properties:
+      privileged:
+        type: "boolean"
+      user:
+        type: "string"
+      tty:
+        type: "boolean"
+      entrypoint:
+        type: "string"
+      arguments:
+        type: "array"
+        items:
+          type: "string"
+
+  Volume:
+    type: "object"
+    required: [Name, Driver, Mountpoint, Labels, Scope, Options]
+    properties:
+      Name:
+        type: "string"
+        description: "Name of the volume."
+        x-nullable: false
+      Driver:
+        type: "string"
+        description: "Name of the volume driver used by the volume."
+        x-nullable: false
+      Mountpoint:
+        type: "string"
+        description: "Mount path of the volume on the host."
+        x-nullable: false
+      CreatedAt:
+        type: "string"
+        format: "dateTime"
+        description: "Date/Time the volume was created."
+      Status:
+        type: "object"
+        description: |
+          Low-level details about the volume, provided by the volume driver.
+          Details are returned as a map with key/value pairs:
+          `{"key":"value","key2":"value2"}`.
+
+          The `Status` field is optional, and is omitted if the volume driver
+          does not support this feature.
+        additionalProperties:
+          type: "object"
+      Labels:
+        type: "object"
+        description: "User-defined key/value metadata."
+        x-nullable: false
+        additionalProperties:
+          type: "string"
+      Scope:
+        type: "string"
+        description: "The level at which the volume exists. Either `global` for cluster-wide, or `local` for machine level."
+        default: "local"
+        x-nullable: false
+        enum: ["local", "global"]
+      Options:
+        type: "object"
+        description: "The driver specific options used when creating the volume."
+        additionalProperties:
+          type: "string"
+      UsageData:
+        type: "object"
+        x-nullable: true
+        required: [Size, RefCount]
+        description: |
+          Usage details about the volume. This information is used by the
+          `GET /system/df` endpoint, and omitted in other endpoints.
+        properties:
+          Size:
+            type: "integer"
+            default: -1
+            description: |
+              Amount of disk space used by the volume (in bytes). This information
+              is only available for volumes created with the `"local"` volume
+              driver. For volumes created with other volume drivers, this field
+              is set to `-1` ("not available")
+            x-nullable: false
+          RefCount:
+            type: "integer"
+            default: -1
+            description: |
+              The number of containers referencing this volume. This field
+              is set to `-1` if the reference-count is not available.
+            x-nullable: false
+
+    example:
+      Name: "tardis"
+      Driver: "custom"
+      Mountpoint: "/var/lib/docker/volumes/tardis"
+      Status:
+        hello: "world"
+      Labels:
+        com.example.some-label: "some-value"
+        com.example.some-other-label: "some-other-value"
+      Scope: "local"
+      CreatedAt: "2016-06-07T20:31:11.853781916Z"
+
+  Network:
+    type: "object"
+    properties:
+      Name:
+        type: "string"
+      Id:
+        type: "string"
+      Created:
+        type: "string"
+        format: "dateTime"
+      Scope:
+        type: "string"
+      Driver:
+        type: "string"
+      EnableIPv6:
+        type: "boolean"
+      IPAM:
+        $ref: "#/definitions/IPAM"
+      Internal:
+        type: "boolean"
+      Attachable:
+        type: "boolean"
+      Ingress:
+        type: "boolean"
+      Containers:
+        type: "object"
+        additionalProperties:
+          $ref: "#/definitions/NetworkContainer"
+      Options:
+        type: "object"
+        additionalProperties:
+          type: "string"
+      Labels:
+        type: "object"
+        additionalProperties:
+          type: "string"
+    example:
+      Name: "net01"
+      Id: "7d86d31b1478e7cca9ebed7e73aa0fdeec46c5ca29497431d3007d2d9e15ed99"
+      Created: "2016-10-19T04:33:30.360899459Z"
+      Scope: "local"
+      Driver: "bridge"
+      EnableIPv6: false
+      IPAM:
+        Driver: "default"
+        Config:
+          - Subnet: "172.19.0.0/16"
+            Gateway: "172.19.0.1"
+        Options:
+          foo: "bar"
+      Internal: false
+      Attachable: false
+      Ingress: false
+      Containers:
+        19a4d5d687db25203351ed79d478946f861258f018fe384f229f2efa4b23513c:
+          Name: "test"
+          EndpointID: "628cadb8bcb92de107b2a1e516cbffe463e321f548feb37697cce00ad694f21a"
+          MacAddress: "02:42:ac:13:00:02"
+          IPv4Address: "172.19.0.2/16"
+          IPv6Address: ""
+      Options:
+        com.docker.network.bridge.default_bridge: "true"
+        com.docker.network.bridge.enable_icc: "true"
+        com.docker.network.bridge.enable_ip_masquerade: "true"
+        com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
+        com.docker.network.bridge.name: "docker0"
+        com.docker.network.driver.mtu: "1500"
+      Labels:
+        com.example.some-label: "some-value"
+        com.example.some-other-label: "some-other-value"
+  IPAM:
+    type: "object"
+    properties:
+      Driver:
+        description: "Name of the IPAM driver to use."
+        type: "string"
+        default: "default"
+      Config:
+        description: "List of IPAM configuration options, specified as a map: `{\"Subnet\": <CIDR>, \"IPRange\": <CIDR>, \"Gateway\": <IP address>, \"AuxAddress\": <device_name:IP address>}`"
+        type: "array"
+        items:
+          type: "object"
+          additionalProperties:
+            type: "string"
+      Options:
+        description: "Driver-specific options, specified as a map."
+        type: "array"
+        items:
+          type: "object"
+          additionalProperties:
+            type: "string"
+
+  NetworkContainer:
+    type: "object"
+    properties:
+      Name:
+        type: "string"
+      EndpointID:
+        type: "string"
+      MacAddress:
+        type: "string"
+      IPv4Address:
+        type: "string"
+      IPv6Address:
+        type: "string"
+
+  BuildInfo:
+    type: "object"
+    properties:
+      id:
+        type: "string"
+      stream:
+        type: "string"
+      error:
+        type: "string"
+      errorDetail:
+        $ref: "#/definitions/ErrorDetail"
+      status:
+        type: "string"
+      progress:
+        type: "string"
+      progressDetail:
+        $ref: "#/definitions/ProgressDetail"
+      aux:
+        $ref: "#/definitions/ImageID"
+
+  ImageID:
+    type: "object"
+    description: "Image ID or Digest"
+    properties:
+      ID:
+        type: "string"
+    example:
+      ID: "sha256:85f05633ddc1c50679be2b16a0479ab6f7637f8884e0cfe0f4d20e1ebb3d6e7c"
+
+  CreateImageInfo:
+    type: "object"
+    properties:
+      id:
+        type: "string"
+      error:
+        type: "string"
+      status:
+        type: "string"
+      progress:
+        type: "string"
+      progressDetail:
+        $ref: "#/definitions/ProgressDetail"
+
+  PushImageInfo:
+    type: "object"
+    properties:
+      error:
+        type: "string"
+      status:
+        type: "string"
+      progress:
+        type: "string"
+      progressDetail:
+        $ref: "#/definitions/ProgressDetail"
+
+  ErrorDetail:
+    type: "object"
+    properties:
+      code:
+        type: "integer"
+      message:
+        type: "string"
+
+  ProgressDetail:
+    type: "object"
+    properties:
+      current:
+        type: "integer"
+      total:
+        type: "integer"
+
+  ErrorResponse:
+    description: "Represents an error."
+    type: "object"
+    required: ["message"]
+    properties:
+      message:
+        description: "The error message."
+        type: "string"
+        x-nullable: false
+    example:
+      message: "Something went wrong."
+
+  IdResponse:
+    description: "Response to an API call that returns just an Id"
+    type: "object"
+    required: ["Id"]
+    properties:
+      Id:
+        description: "The id of the newly created object."
+        type: "string"
+        x-nullable: false
+
+  EndpointSettings:
+    description: "Configuration for a network endpoint."
+    type: "object"
+    properties:
+      # Configurations
+      IPAMConfig:
+        $ref: "#/definitions/EndpointIPAMConfig"
+      Links:
+        type: "array"
+        items:
+          type: "string"
+        example:
+          - "container_1"
+          - "container_2"
+      Aliases:
+        type: "array"
+        items:
+          type: "string"
+        example:
+          - "server_x"
+          - "server_y"
+
+      # Operational data
+      NetworkID:
+        description: |
+          Unique ID of the network.
+        type: "string"
+        example: "08754567f1f40222263eab4102e1c733ae697e8e354aa9cd6e18d7402835292a"
+      EndpointID:
+        description: |
+          Unique ID for the service endpoint in a Sandbox.
+        type: "string"
+        example: "b88f5b905aabf2893f3cbc4ee42d1ea7980bbc0a92e2c8922b1e1795298afb0b"
+      Gateway:
+        description: |
+          Gateway address for this network.
+        type: "string"
+        example: "172.17.0.1"
+      IPAddress:
+        description: |
+          IPv4 address.
+        type: "string"
+        example: "172.17.0.4"
+      IPPrefixLen:
+        description: |
+          Mask length of the IPv4 address.
+        type: "integer"
+        example: 16
+      IPv6Gateway:
+        description: |
+          IPv6 gateway address.
+        type: "string"
+        example: "2001:db8:2::100"
+      GlobalIPv6Address:
+        description: |
+          Global IPv6 address.
+        type: "string"
+        example: "2001:db8::5689"
+      GlobalIPv6PrefixLen:
+        description: |
+          Mask length of the global IPv6 address.
+        type: "integer"
+        format: "int64"
+        example: 64
+      MacAddress:
+        description: |
+          MAC address for the endpoint on this network.
+        type: "string"
+        example: "02:42:ac:11:00:04"
+      DriverOpts:
+        description: |
+          DriverOpts is a mapping of driver options and values. These options
+          are passed directly to the driver and are driver specific.
+        type: "object"
+        x-nullable: true
+        additionalProperties:
+          type: "string"
+        example:
+          com.example.some-label: "some-value"
+          com.example.some-other-label: "some-other-value"
+
+  EndpointIPAMConfig:
+    description: |
+      EndpointIPAMConfig represents an endpoint's IPAM configuration.
+    type: "object"
+    x-nullable: true
+    properties:
+      IPv4Address:
+        type: "string"
+        example: "172.20.30.33"
+      IPv6Address:
+        type: "string"
+        example: "2001:db8:abcd::3033"
+      LinkLocalIPs:
+        type: "array"
+        items:
+          type: "string"
+        example:
+          - "169.254.34.68"
+          - "fe80::3468"
+
+  PluginMount:
+    type: "object"
+    x-nullable: false
+    required: [Name, Description, Settable, Source, Destination, Type, Options]
+    properties:
+      Name:
+        type: "string"
+        x-nullable: false
+        example: "some-mount"
+      Description:
+        type: "string"
+        x-nullable: false
+        example: "This is a mount that's used by the plugin."
+      Settable:
+        type: "array"
+        items:
+          type: "string"
+      Source:
+        type: "string"
+        example: "/var/lib/docker/plugins/"
+      Destination:
+        type: "string"
+        x-nullable: false
+        example: "/mnt/state"
+      Type:
+        type: "string"
+        x-nullable: false
+        example: "bind"
+      Options:
+        type: "array"
+        items:
+          type: "string"
+        example:
+          - "rbind"
+          - "rw"
+
+  PluginDevice:
+    type: "object"
+    required: [Name, Description, Settable, Path]
+    x-nullable: false
+    properties:
+      Name:
+        type: "string"
+        x-nullable: false
+      Description:
+        type: "string"
+        x-nullable: false
+      Settable:
+        type: "array"
+        items:
+          type: "string"
+      Path:
+        type: "string"
+        example: "/dev/fuse"
+
+  PluginEnv:
+    type: "object"
+    x-nullable: false
+    required: [Name, Description, Settable, Value]
+    properties:
+      Name:
+        x-nullable: false
+        type: "string"
+      Description:
+        x-nullable: false
+        type: "string"
+      Settable:
+        type: "array"
+        items:
+          type: "string"
+      Value:
+        type: "string"
+
+  PluginInterfaceType:
+    type: "object"
+    x-nullable: false
+    required: [Prefix, Capability, Version]
+    properties:
+      Prefix:
+        type: "string"
+        x-nullable: false
+      Capability:
+        type: "string"
+        x-nullable: false
+      Version:
+        type: "string"
+        x-nullable: false
+
+  Plugin:
+    description: "A plugin for the Engine API"
+    type: "object"
+    required: [Settings, Enabled, Config, Name]
+    properties:
+      Id:
+        type: "string"
+        example: "5724e2c8652da337ab2eedd19fc6fc0ec908e4bd907c7421bf6a8dfc70c4c078"
+      Name:
+        type: "string"
+        x-nullable: false
+        example: "tiborvass/sample-volume-plugin"
+      Enabled:
+        description: "True if the plugin is running. False if the plugin is not running, only installed."
+        type: "boolean"
+        x-nullable: false
+        example: true
+      Settings:
+        description: "Settings that can be modified by users."
+        type: "object"
+        x-nullable: false
+        required: [Args, Devices, Env, Mounts]
+        properties:
+          Mounts:
+            type: "array"
+            items:
+              $ref: "#/definitions/PluginMount"
+          Env:
+            type: "array"
+            items:
+              type: "string"
+            example:
+              - "DEBUG=0"
+          Args:
+            type: "array"
+            items:
+              type: "string"
+          Devices:
+            type: "array"
+            items:
+              $ref: "#/definitions/PluginDevice"
+      PluginReference:
+        description: "plugin remote reference used to push/pull the plugin"
+        type: "string"
+        x-nullable: false
+        example: "localhost:5000/tiborvass/sample-volume-plugin:latest"
+      Config:
+        description: "The config of a plugin."
+        type: "object"
+        x-nullable: false
+        required:
+          - Description
+          - Documentation
+          - Interface
+          - Entrypoint
+          - WorkDir
+          - Network
+          - Linux
+          - PidHost
+          - PropagatedMount
+          - IpcHost
+          - Mounts
+          - Env
+          - Args
+        properties:
+          DockerVersion:
+            description: "Docker Version used to create the plugin"
+            type: "string"
+            x-nullable: false
+            example: "17.06.0-ce"
+          Description:
+            type: "string"
+            x-nullable: false
+            example: "A sample volume plugin for Docker"
+          Documentation:
+            type: "string"
+            x-nullable: false
+            example: "https://docs.docker.com/engine/extend/plugins/"
+          Interface:
+            description: "The interface between Docker and the plugin"
+            x-nullable: false
+            type: "object"
+            required: [Types, Socket]
+            properties:
+              Types:
+                type: "array"
+                items:
+                  $ref: "#/definitions/PluginInterfaceType"
+                example:
+                  - "docker.volumedriver/1.0"
+              Socket:
+                type: "string"
+                x-nullable: false
+                example: "plugins.sock"
+              ProtocolScheme:
+                type: "string"
+                example: "some.protocol/v1.0"
+                description: "Protocol to use for clients connecting to the plugin."
+                enum:
+                  - ""
+                  - "moby.plugins.http/v1"
+          Entrypoint:
+            type: "array"
+            items:
+              type: "string"
+            example:
+              - "/usr/bin/sample-volume-plugin"
+              - "/data"
+          WorkDir:
+            type: "string"
+            x-nullable: false
+            example: "/bin/"
+          User:
+            type: "object"
+            x-nullable: false
+            properties:
+              UID:
+                type: "integer"
+                format: "uint32"
+                example: 1000
+              GID:
+                type: "integer"
+                format: "uint32"
+                example: 1000
+          Network:
+            type: "object"
+            x-nullable: false
+            required: [Type]
+            properties:
+              Type:
+                x-nullable: false
+                type: "string"
+                example: "host"
+          Linux:
+            type: "object"
+            x-nullable: false
+            required: [Capabilities, AllowAllDevices, Devices]
+            properties:
+              Capabilities:
+                type: "array"
+                items:
+                  type: "string"
+                example:
+                  - "CAP_SYS_ADMIN"
+                  - "CAP_SYSLOG"
+              AllowAllDevices:
+                type: "boolean"
+                x-nullable: false
+                example: false
+              Devices:
+                type: "array"
+                items:
+                  $ref: "#/definitions/PluginDevice"
+          PropagatedMount:
+            type: "string"
+            x-nullable: false
+            example: "/mnt/volumes"
+          IpcHost:
+            type: "boolean"
+            x-nullable: false
+            example: false
+          PidHost:
+            type: "boolean"
+            x-nullable: false
+            example: false
+          Mounts:
+            type: "array"
+            items:
+              $ref: "#/definitions/PluginMount"
+          Env:
+            type: "array"
+            items:
+              $ref: "#/definitions/PluginEnv"
+            example:
+              - Name: "DEBUG"
+                Description: "If set, prints debug messages"
+                Settable: null
+                Value: "0"
+          Args:
+            type: "object"
+            x-nullable: false
+            required: [Name, Description, Settable, Value]
+            properties:
+              Name:
+                x-nullable: false
+                type: "string"
+                example: "args"
+              Description:
+                x-nullable: false
+                type: "string"
+                example: "command line arguments"
+              Settable:
+                type: "array"
+                items:
+                  type: "string"
+              Value:
+                type: "array"
+                items:
+                  type: "string"
+          rootfs:
+            type: "object"
+            properties:
+              type:
+                type: "string"
+                example: "layers"
+              diff_ids:
+                type: "array"
+                items:
+                  type: "string"
+                example:
+                  - "sha256:675532206fbf3030b8458f88d6e26d4eb1577688a25efec97154c94e8b6b4887"
+                  - "sha256:e216a057b1cb1efc11f8a268f37ef62083e70b1b38323ba252e25ac88904a7e8"
+
+  ObjectVersion:
+    description: |
+      The version number of the object such as node, service, etc. This is needed to avoid conflicting writes.
+      The client must send the version number along with the modified specification when updating these objects.
+      This approach ensures safe concurrency and determinism in that the change on the object
+      may not be applied if the version number has changed from the last read. In other words,
+      if two update requests specify the same base version, only one of the requests can succeed.
+      As a result, two separate update requests that happen at the same time will not
+      unintentionally overwrite each other.
+    type: "object"
+    properties:
+      Index:
+        type: "integer"
+        format: "uint64"
+        example: 373531
+
+  NodeSpec:
+    type: "object"
+    properties:
+      Name:
+        description: "Name for the node."
+        type: "string"
+        example: "my-node"
+      Labels:
+        description: "User-defined key/value metadata."
+        type: "object"
+        additionalProperties:
+          type: "string"
+      Role:
+        description: "Role of the node."
+        type: "string"
+        enum:
+          - "worker"
+          - "manager"
+        example: "manager"
+      Availability:
+        description: "Availability of the node."
+        type: "string"
+        enum:
+          - "active"
+          - "pause"
+          - "drain"
+        example: "active"
+    example:
+      Availability: "active"
+      Name: "node-name"
+      Role: "manager"
+      Labels:
+        foo: "bar"
+
+  Node:
+    type: "object"
+    properties:
+      ID:
+        type: "string"
+        example: "24ifsmvkjbyhk"
+      Version:
+        $ref: "#/definitions/ObjectVersion"
+      CreatedAt:
+        description: |
+          Date and time at which the node was added to the swarm in
+          [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
+        type: "string"
+        format: "dateTime"
+        example: "2016-08-18T10:44:24.496525531Z"
+      UpdatedAt:
+        description: |
+          Date and time at which the node was last updated in
+          [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
+        type: "string"
+        format: "dateTime"
+        example: "2017-08-09T07:09:37.632105588Z"
+      Spec:
+        $ref: "#/definitions/NodeSpec"
+      Description:
+        $ref: "#/definitions/NodeDescription"
+      Status:
+        $ref: "#/definitions/NodeStatus"
+      ManagerStatus:
+        $ref: "#/definitions/ManagerStatus"
+
+  NodeDescription:
+    description: |
+      NodeDescription encapsulates the properties of the Node as reported by the
+      agent.
+    type: "object"
+    properties:
+      Hostname:
+        type: "string"
+        example: "bf3067039e47"
+      Platform:
+        $ref: "#/definitions/Platform"
+      Resources:
+        $ref: "#/definitions/ResourceObject"
+      Engine:
+        $ref: "#/definitions/EngineDescription"
+      TLSInfo:
+        $ref: "#/definitions/TLSInfo"
+
+  Platform:
+    description: |
+      Platform represents the platform (Arch/OS).
+    type: "object"
+    properties:
+      Architecture:
+        description: |
+          Architecture represents the hardware architecture (for example,
+          `x86_64`).
+        type: "string"
+        example: "x86_64"
+      OS:
+        description: |
+          OS represents the Operating System (for example, `linux` or `windows`).
+        type: "string"
+        example: "linux"
+
+  EngineDescription:
+    description: "EngineDescription provides information about an engine."
+    type: "object"
+    properties:
+      EngineVersion:
+        type: "string"
+        example: "17.06.0"
+      Labels:
+        type: "object"
+        additionalProperties:
+          type: "string"
+        example:
+          foo: "bar"
+      Plugins:
+        type: "array"
+        items:
+          type: "object"
+          properties:
+            Type:
+              type: "string"
+            Name:
+              type: "string"
+        example:
+          - Type: "Log"
+            Name: "awslogs"
+          - Type: "Log"
+            Name: "fluentd"
+          - Type: "Log"
+            Name: "gcplogs"
+          - Type: "Log"
+            Name: "gelf"
+          - Type: "Log"
+            Name: "journald"
+          - Type: "Log"
+            Name: "json-file"
+          - Type: "Log"
+            Name: "logentries"
+          - Type: "Log"
+            Name: "splunk"
+          - Type: "Log"
+            Name: "syslog"
+          - Type: "Network"
+            Name: "bridge"
+          - Type: "Network"
+            Name: "host"
+          - Type: "Network"
+            Name: "ipvlan"
+          - Type: "Network"
+            Name: "macvlan"
+          - Type: "Network"
+            Name: "null"
+          - Type: "Network"
+            Name: "overlay"
+          - Type: "Volume"
+            Name: "local"
+          - Type: "Volume"
+            Name: "localhost:5000/vieux/sshfs:latest"
+          - Type: "Volume"
+            Name: "vieux/sshfs:latest"
+
+  TLSInfo:
+    description: "Information about the issuer of leaf TLS certificates and the trusted root CA certificate"
+    type: "object"
+    properties:
+      TrustRoot:
+        description: "The root CA certificate(s) that are used to validate leaf TLS certificates"
+        type: "string"
+      CertIssuerSubject:
+        description: "The base64-url-safe-encoded raw subject bytes of the issuer"
+        type: "string"
+      CertIssuerPublicKey:
+        description: "The base64-url-safe-encoded raw public key bytes of the issuer"
+        type: "string"
+    example:
+      TrustRoot: |
+        -----BEGIN CERTIFICATE-----
+        MIIBajCCARCgAwIBAgIUbYqrLSOSQHoxD8CwG6Bi2PJi9c8wCgYIKoZIzj0EAwIw
+        EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNDI0MjE0MzAwWhcNMzcwNDE5MjE0
+        MzAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+        A0IABJk/VyMPYdaqDXJb/VXh5n/1Yuv7iNrxV3Qb3l06XD46seovcDWs3IZNV1lf
+        3Skyr0ofcchipoiHkXBODojJydSjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+        Af8EBTADAQH/MB0GA1UdDgQWBBRUXxuRcnFjDfR/RIAUQab8ZV/n4jAKBggqhkjO
+        PQQDAgNIADBFAiAy+JTe6Uc3KyLCMiqGl2GyWGQqQDEcO3/YG36x7om65AIhAJvz
+        pxv6zFeVEkAEEkqIYi0omA9+CjanB/6Bz4n1uw8H
+        -----END CERTIFICATE-----
+      CertIssuerSubject: "MBMxETAPBgNVBAMTCHN3YXJtLWNh"
+      CertIssuerPublicKey: "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmT9XIw9h1qoNclv9VeHmf/Vi6/uI2vFXdBveXTpcPjqx6i9wNazchk1XWV/dKTKvSh9xyGKmiIeRcE4OiMnJ1A=="
+
+  NodeStatus:
+    description: |
+      NodeStatus represents the status of a node.
+
+      It provides the current status of the node, as seen by the manager.
+    type: "object"
+    properties:
+      State:
+        $ref: "#/definitions/NodeState"
+      Message:
+        type: "string"
+        example: ""
+      Addr:
+        description: "IP address of the node."
+        type: "string"
+        example: "172.17.0.2"
+
+  NodeState:
+    description: "NodeState represents the state of a node."
+    type: "string"
+    enum:
+      - "unknown"
+      - "down"
+      - "ready"
+      - "disconnected"
+    example: "ready"
+
+  ManagerStatus:
+    description: |
+      ManagerStatus represents the status of a manager.
+
+      It provides the current status of a node's manager component, if the node
+      is a manager.
+    x-nullable: true
+    type: "object"
+    properties:
+      Leader:
+        type: "boolean"
+        default: false
+        example: true
+      Reachability:
+        $ref: "#/definitions/Reachability"
+      Addr:
+        description: |
+          The IP address and port at which the manager is reachable.
+        type: "string"
+        example: "10.0.0.46:2377"
+
+  Reachability:
+    description: "Reachability represents the reachability of a node."
+    type: "string"
+    enum:
+      - "unknown"
+      - "unreachable"
+      - "reachable"
+    example: "reachable"
+
+  SwarmSpec:
+    description: "User modifiable swarm configuration."
+    type: "object"
+    properties:
+      Name:
+        description: "Name of the swarm."
+        type: "string"
+        example: "default"
+      Labels:
+        description: "User-defined key/value metadata."
+        type: "object"
+        additionalProperties:
+          type: "string"
+        example:
+          com.example.corp.type: "production"
+          com.example.corp.department: "engineering"
+      Orchestration:
+        description: "Orchestration configuration."
+        type: "object"
+        x-nullable: true
+        properties:
+          TaskHistoryRetentionLimit:
+            description: "The number of historic tasks to keep per instance or node. If negative, never remove completed or failed tasks."
+            type: "integer"
+            format: "int64"
+            example: 10
+      Raft:
+        description: "Raft configuration."
+        type: "object"
+        properties:
+          SnapshotInterval:
+            description: "The number of log entries between snapshots."
+            type: "integer"
+            format: "uint64"
+            example: 10000
+          KeepOldSnapshots:
+            description: "The number of snapshots to keep beyond the current snapshot."
+            type: "integer"
+            format: "uint64"
+          LogEntriesForSlowFollowers:
+            description: "The number of log entries to keep around to sync up slow followers after a snapshot is created."
+            type: "integer"
+            format: "uint64"
+            example: 500
+          ElectionTick:
+            description: |
+              The number of ticks that a follower will wait for a message from the leader before becoming a candidate and starting an election. `ElectionTick` must be greater than `HeartbeatTick`.
+
+              A tick currently defaults to one second, so these translate directly to seconds currently, but this is NOT guaranteed.
+            type: "integer"
+            example: 3
+          HeartbeatTick:
+            description: |
+              The number of ticks between heartbeats. Every HeartbeatTick ticks, the leader will send a heartbeat to the followers.
+
+              A tick currently defaults to one second, so these translate directly to seconds currently, but this is NOT guaranteed.
+            type: "integer"
+            example: 1
+      Dispatcher:
+        description: "Dispatcher configuration."
+        type: "object"
+        x-nullable: true
+        properties:
+          HeartbeatPeriod:
+            description: "The delay for an agent to send a heartbeat to the dispatcher."
+            type: "integer"
+            format: "int64"
+            example: 5000000000
+      CAConfig:
+        description: "CA configuration."
+        type: "object"
+        x-nullable: true
+        properties:
+          NodeCertExpiry:
+            description: "The duration node certificates are issued for."
+            type: "integer"
+            format: "int64"
+            example: 7776000000000000
+          ExternalCAs:
+            description: "Configuration for forwarding signing requests to an external certificate authority."
+            type: "array"
+            items:
+              type: "object"
+              properties:
+                Protocol:
+                  description: "Protocol for communication with the external CA (currently only `cfssl` is supported)."
+                  type: "string"
+                  enum:
+                    - "cfssl"
+                  default: "cfssl"
+                URL:
+                  description: "URL where certificate signing requests should be sent."
+                  type: "string"
+                Options:
+                  description: "An object with key/value pairs that are interpreted as protocol-specific options for the external CA driver."
+                  type: "object"
+                  additionalProperties:
+                    type: "string"
+                CACert:
+                  description: "The root CA certificate (in PEM format) this external CA uses to issue TLS certificates (assumed to be to the current swarm root CA certificate if not provided)."
+                  type: "string"
+          SigningCACert:
+            description: "The desired signing CA certificate for all swarm node TLS leaf certificates, in PEM format."
+            type: "string"
+          SigningCAKey:
+            description: "The desired signing CA key for all swarm node TLS leaf certificates, in PEM format."
+            type: "string"
+          ForceRotate:
+            description: "An integer whose purpose is to force swarm to generate a new signing CA certificate and key, if none have been specified in `SigningCACert` and `SigningCAKey`"
+            format: "uint64"
+            type: "integer"
+      EncryptionConfig:
+        description: "Parameters related to encryption-at-rest."
+        type: "object"
+        properties:
+          AutoLockManagers:
+            description: "If set, generate a key and use it to lock data stored on the managers."
+            type: "boolean"
+            example: false
+      TaskDefaults:
+        description: "Defaults for creating tasks in this cluster."
+        type: "object"
+        properties:
+          LogDriver:
+            description: |
+              The log driver to use for tasks created in the orchestrator if
+              unspecified by a service.
+
+              Updating this value only affects new tasks. Existing tasks continue
+              to use their previously configured log driver until recreated.
+            type: "object"
+            properties:
+              Name:
+                description: |
+                  The log driver to use as a default for new tasks.
+                type: "string"
+                example: "json-file"
+              Options:
+                description: |
+                  Driver-specific options for the selectd log driver, specified
+                  as key/value pairs.
+                type: "object"
+                additionalProperties:
+                  type: "string"
+                example:
+                  "max-file": "10"
+                  "max-size": "100m"
+
+  # The Swarm information for `GET /info`. It is the same as `GET /swarm`, but
+  # without `JoinTokens`.
+  ClusterInfo:
+    description: |
+      ClusterInfo represents information about the swarm as is returned by the
+      "/info" endpoint. Join-tokens are not included.
+    x-nullable: true
+    type: "object"
+    properties:
+      ID:
+        description: "The ID of the swarm."
+        type: "string"
+        example: "abajmipo7b4xz5ip2nrla6b11"
+      Version:
+        $ref: "#/definitions/ObjectVersion"
+      CreatedAt:
+        description: |
+          Date and time at which the swarm was initialised in
+          [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
+        type: "string"
+        format: "dateTime"
+        example: "2016-08-18T10:44:24.496525531Z"
+      UpdatedAt:
+        description: |
+          Date and time at which the swarm was last updated in
+          [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
+        type: "string"
+        format: "dateTime"
+        example: "2017-08-09T07:09:37.632105588Z"
+      Spec:
+        $ref: "#/definitions/SwarmSpec"
+      TLSInfo:
+        $ref: "#/definitions/TLSInfo"
+      RootRotationInProgress:
+        description: "Whether there is currently a root CA rotation in progress for the swarm"
+        type: "boolean"
+        example: false
+
+  JoinTokens:
+    description: |
+      JoinTokens contains the tokens workers and managers need to join the swarm.
+    type: "object"
+    properties:
+      Worker:
+        description: |
+          The token workers can use to join the swarm.
+        type: "string"
+        example: "SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx"
+      Manager:
+        description: |
+          The token managers can use to join the swarm.
+        type: "string"
+        example: "SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2"
+
+  Swarm:
+    type: "object"
+    allOf:
+      - $ref: "#/definitions/ClusterInfo"
+      - type: "object"
+        properties:
+          JoinTokens:
+            $ref: "#/definitions/JoinTokens"
+
+  TaskSpec:
+    description: "User modifiable task configuration."
+    type: "object"
+    properties:
+      PluginSpec:
+        type: "object"
+        description: |
+          Plugin spec for the service.  *(Experimental release only.)*
+
+          <p><br /></p>
+
+          > **Note**: ContainerSpec, NetworkAttachmentSpec, and PluginSpec are
+          > mutually exclusive. PluginSpec is only used when the Runtime field
+          > is set to `plugin`. NetworkAttachmentSpec is used when the Runtime
+          > field is set to `attachment`.
+        properties:
+          Name:
+            description: "The name or 'alias' to use for the plugin."
+            type: "string"
+          Remote:
+            description: "The plugin image reference to use."
+            type: "string"
+          Disabled:
+            description: "Disable the plugin once scheduled."
+            type: "boolean"
+          PluginPrivilege:
+            type: "array"
+            items:
+              description: "Describes a permission accepted by the user upon installing the plugin."
+              type: "object"
+              properties:
+                Name:
+                  type: "string"
+                Description:
+                  type: "string"
+                Value:
+                  type: "array"
+                  items:
+                    type: "string"
+      ContainerSpec:
+        type: "object"
+        description: |
+          Container spec for the service.
+
+          <p><br /></p>
+
+          > **Note**: ContainerSpec, NetworkAttachmentSpec, and PluginSpec are
+          > mutually exclusive. PluginSpec is only used when the Runtime field
+          > is set to `plugin`. NetworkAttachmentSpec is used when the Runtime
+          > field is set to `attachment`.
+        properties:
+          Image:
+            description: "The image name to use for the container"
+            type: "string"
+          Labels:
+            description: "User-defined key/value data."
+            type: "object"
+            additionalProperties:
+              type: "string"
+          Command:
+            description: "The command to be run in the image."
+            type: "array"
+            items:
+              type: "string"
+          Args:
+            description: "Arguments to the command."
+            type: "array"
+            items:
+              type: "string"
+          Hostname:
+            description: "The hostname to use for the container, as a valid RFC 1123 hostname."
+            type: "string"
+          Env:
+            description: "A list of environment variables in the form `VAR=value`."
+            type: "array"
+            items:
+              type: "string"
+          Dir:
+            description: "The working directory for commands to run in."
+            type: "string"
+          User:
+            description: "The user inside the container."
+            type: "string"
+          Groups:
+            type: "array"
+            description: "A list of additional groups that the container process will run as."
+            items:
+              type: "string"
+          Privileges:
+            type: "object"
+            description: "Security options for the container"
+            properties:
+              CredentialSpec:
+                type: "object"
+                description: "CredentialSpec for managed service account (Windows only)"
+                properties:
+                  File:
+                    type: "string"
+                    description: |
+                      Load credential spec from this file. The file is read by the daemon, and must be present in the
+                      `CredentialSpecs` subdirectory in the docker data directory, which defaults to
+                      `C:\ProgramData\Docker\` on Windows.
+
+                      For example, specifying `spec.json` loads `C:\ProgramData\Docker\CredentialSpecs\spec.json`.
+
+                      <p><br /></p>
+
+                      > **Note**: `CredentialSpec.File` and `CredentialSpec.Registry` are mutually exclusive.
+                  Registry:
+                    type: "string"
+                    description: |
+                      Load credential spec from this value in the Windows registry. The specified registry value must be
+                      located in:
+
+                      `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Containers\CredentialSpecs`
+
+                      <p><br /></p>
+
+
+                      > **Note**: `CredentialSpec.File` and `CredentialSpec.Registry` are mutually exclusive.
+              SELinuxContext:
+                type: "object"
+                description: "SELinux labels of the container"
+                properties:
+                  Disable:
+                    type: "boolean"
+                    description: "Disable SELinux"
+                  User:
+                    type: "string"
+                    description: "SELinux user label"
+                  Role:
+                    type: "string"
+                    description: "SELinux role label"
+                  Type:
+                    type: "string"
+                    description: "SELinux type label"
+                  Level:
+                    type: "string"
+                    description: "SELinux level label"
+          TTY:
+            description: "Whether a pseudo-TTY should be allocated."
+            type: "boolean"
+          OpenStdin:
+            description: "Open `stdin`"
+            type: "boolean"
+          ReadOnly:
+            description: "Mount the container's root filesystem as read only."
+            type: "boolean"
+          Mounts:
+            description: "Specification for mounts to be added to containers created as part of the service."
+            type: "array"
+            items:
+              $ref: "#/definitions/Mount"
+          StopSignal:
+            description: "Signal to stop the container."
+            type: "string"
+          StopGracePeriod:
+            description: "Amount of time to wait for the container to terminate before forcefully killing it."
+            type: "integer"
+            format: "int64"
+          HealthCheck:
+            $ref: "#/definitions/HealthConfig"
+          Hosts:
+            type: "array"
+            description: |
+              A list of hostname/IP mappings to add to the container's `hosts`
+              file. The format of extra hosts is specified in the
+              [hosts(5)](http://man7.org/linux/man-pages/man5/hosts.5.html)
+              man page:
+
+                  IP_address canonical_hostname [aliases...]
+            items:
+              type: "string"
+          DNSConfig:
+            description: "Specification for DNS related configurations in resolver configuration file (`resolv.conf`)."
+            type: "object"
+            properties:
+              Nameservers:
+                description: "The IP addresses of the name servers."
+                type: "array"
+                items:
+                  type: "string"
+              Search:
+                description: "A search list for host-name lookup."
+                type: "array"
+                items:
+                  type: "string"
+              Options:
+                description: "A list of internal resolver variables to be modified (e.g., `debug`, `ndots:3`, etc.)."
+                type: "array"
+                items:
+                  type: "string"
+          Secrets:
+            description: "Secrets contains references to zero or more secrets that will be exposed to the service."
+            type: "array"
+            items:
+              type: "object"
+              properties:
+                File:
+                  description: "File represents a specific target that is backed by a file."
+                  type: "object"
+                  properties:
+                    Name:
+                      description: "Name represents the final filename in the filesystem."
+                      type: "string"
+                    UID:
+                      description: "UID represents the file UID."
+                      type: "string"
+                    GID:
+                      description: "GID represents the file GID."
+                      type: "string"
+                    Mode:
+                      description: "Mode represents the FileMode of the file."
+                      type: "integer"
+                      format: "uint32"
+                SecretID:
+                  description: "SecretID represents the ID of the specific secret that we're referencing."
+                  type: "string"
+                SecretName:
+                  description: |
+                    SecretName is the name of the secret that this references, but this is just provided for
+                    lookup/display purposes. The secret in the reference will be identified by its ID.
+                  type: "string"
+          Configs:
+            description: "Configs contains references to zero or more configs that will be exposed to the service."
+            type: "array"
+            items:
+              type: "object"
+              properties:
+                File:
+                  description: "File represents a specific target that is backed by a file."
+                  type: "object"
+                  properties:
+                    Name:
+                      description: "Name represents the final filename in the filesystem."
+                      type: "string"
+                    UID:
+                      description: "UID represents the file UID."
+                      type: "string"
+                    GID:
+                      description: "GID represents the file GID."
+                      type: "string"
+                    Mode:
+                      description: "Mode represents the FileMode of the file."
+                      type: "integer"
+                      format: "uint32"
+                ConfigID:
+                  description: "ConfigID represents the ID of the specific config that we're referencing."
+                  type: "string"
+                ConfigName:
+                  description: |
+                    ConfigName is the name of the config that this references, but this is just provided for
+                    lookup/display purposes. The config in the reference will be identified by its ID.
+                  type: "string"
+          Isolation:
+            type: "string"
+            description: "Isolation technology of the containers running the service. (Windows only)"
+            enum:
+              - "default"
+              - "process"
+              - "hyperv"
+          Init:
+            description: "Run an init inside the container that forwards signals and reaps processes. This field is omitted if empty, and the default (as configured on the daemon) is used."
+            type: "boolean"
+            x-nullable: true
+      NetworkAttachmentSpec:
+        description: |
+          Read-only spec type for non-swarm containers attached to swarm overlay
+          networks.
+
+          <p><br /></p>
+
+          > **Note**: ContainerSpec, NetworkAttachmentSpec, and PluginSpec are
+          > mutually exclusive. PluginSpec is only used when the Runtime field
+          > is set to `plugin`. NetworkAttachmentSpec is used when the Runtime
+          > field is set to `attachment`.
+        type: "object"
+        properties:
+          ContainerID:
+            description: "ID of the container represented by this task"
+            type: "string"
+      Resources:
+        description: "Resource requirements which apply to each individual container created as part of the service."
+        type: "object"
+        properties:
+          Limits:
+            description: "Define resources limits."
+            $ref: "#/definitions/ResourceObject"
+          Reservation:
+            description: "Define resources reservation."
+            $ref: "#/definitions/ResourceObject"
+      RestartPolicy:
+        description: "Specification for the restart policy which applies to containers created as part of this service."
+        type: "object"
+        properties:
+          Condition:
+            description: "Condition for restart."
+            type: "string"
+            enum:
+              - "none"
+              - "on-failure"
+              - "any"
+          Delay:
+            description: "Delay between restart attempts."
+            type: "integer"
+            format: "int64"
+          MaxAttempts:
+            description: "Maximum attempts to restart a given container before giving up (default value is 0, which is ignored)."
+            type: "integer"
+            format: "int64"
+            default: 0
+          Window:
+            description: "Windows is the time window used to evaluate the restart policy (default value is 0, which is unbounded)."
+            type: "integer"
+            format: "int64"
+            default: 0
+      Placement:
+        type: "object"
+        properties:
+          Constraints:
+            description: "An array of constraints."
+            type: "array"
+            items:
+              type: "string"
+            example:
+              - "node.hostname!=node3.corp.example.com"
+              - "node.role!=manager"
+              - "node.labels.type==production"
+          Preferences:
+            description: "Preferences provide a way to make the scheduler aware of factors such as topology. They are provided in order from highest to lowest precedence."
+            type: "array"
+            items:
+              type: "object"
+              properties:
+                Spread:
+                  type: "object"
+                  properties:
+                    SpreadDescriptor:
+                      description: "label descriptor, such as engine.labels.az"
+                      type: "string"
+            example:
+              - Spread:
+                  SpreadDescriptor: "node.labels.datacenter"
+              - Spread:
+                  SpreadDescriptor: "node.labels.rack"
+          Platforms:
+            description: |
+              Platforms stores all the platforms that the service's image can
+              run on. This field is used in the platform filter for scheduling.
+              If empty, then the platform filter is off, meaning there are no
+              scheduling restrictions.
+            type: "array"
+            items:
+              $ref: "#/definitions/Platform"
+      ForceUpdate:
+        description: "A counter that triggers an update even if no relevant parameters have been changed."
+        type: "integer"
+      Runtime:
+        description: "Runtime is the type of runtime specified for the task executor."
+        type: "string"
+      Networks:
+        type: "array"
+        items:
+          type: "object"
+          properties:
+            Target:
+              type: "string"
+            Aliases:
+              type: "array"
+              items:
+                type: "string"
+      LogDriver:
+        description: "Specifies the log driver to use for tasks created from this spec. If not present, the default one for the swarm will be used, finally falling back to the engine default if not specified."
+        type: "object"
+        properties:
+          Name:
+            type: "string"
+          Options:
+            type: "object"
+            additionalProperties:
+              type: "string"
+
+  TaskState:
+    type: "string"
+    enum:
+      - "new"
+      - "allocated"
+      - "pending"
+      - "assigned"
+      - "accepted"
+      - "preparing"
+      - "ready"
+      - "starting"
+      - "running"
+      - "complete"
+      - "shutdown"
+      - "failed"
+      - "rejected"
+      - "remove"
+      - "orphaned"
+
+  Task:
+    type: "object"
+    properties:
+      ID:
+        description: "The ID of the task."
+        type: "string"
+      Version:
+        $ref: "#/definitions/ObjectVersion"
+      CreatedAt:
+        type: "string"
+        format: "dateTime"
+      UpdatedAt:
+        type: "string"
+        format: "dateTime"
+      Name:
+        description: "Name of the task."
+        type: "string"
+      Labels:
+        description: "User-defined key/value metadata."
+        type: "object"
+        additionalProperties:
+          type: "string"
+      Spec:
+        $ref: "#/definitions/TaskSpec"
+      ServiceID:
+        description: "The ID of the service this task is part of."
+        type: "string"
+      Slot:
+        type: "integer"
+      NodeID:
+        description: "The ID of the node that this task is on."
+        type: "string"
+      AssignedGenericResources:
+        $ref: "#/definitions/GenericResources"
+      Status:
+        type: "object"
+        properties:
+          Timestamp:
+            type: "string"
+            format: "dateTime"
+          State:
+            $ref: "#/definitions/TaskState"
+          Message:
+            type: "string"
+          Err:
+            type: "string"
+          ContainerStatus:
+            type: "object"
+            properties:
+              ContainerID:
+                type: "string"
+              PID:
+                type: "integer"
+              ExitCode:
+                type: "integer"
+      DesiredState:
+        $ref: "#/definitions/TaskState"
+    example:
+      ID: "0kzzo1i0y4jz6027t0k7aezc7"
+      Version:
+        Index: 71
+      CreatedAt: "2016-06-07T21:07:31.171892745Z"
+      UpdatedAt: "2016-06-07T21:07:31.376370513Z"
+      Spec:
+        ContainerSpec:
+          Image: "redis"
+        Resources:
+          Limits: {}
+          Reservations: {}
+        RestartPolicy:
+          Condition: "any"
+          MaxAttempts: 0
+        Placement: {}
+      ServiceID: "9mnpnzenvg8p8tdbtq4wvbkcz"
+      Slot: 1
+      NodeID: "60gvrl6tm78dmak4yl7srz94v"
+      Status:
+        Timestamp: "2016-06-07T21:07:31.290032978Z"
+        State: "running"
+        Message: "started"
+        ContainerStatus:
+          ContainerID: "e5d62702a1b48d01c3e02ca1e0212a250801fa8d67caca0b6f35919ebc12f035"
+          PID: 677
+      DesiredState: "running"
+      NetworksAttachments:
+        - Network:
+            ID: "4qvuz4ko70xaltuqbt8956gd1"
+            Version:
+              Index: 18
+            CreatedAt: "2016-06-07T20:31:11.912919752Z"
+            UpdatedAt: "2016-06-07T21:07:29.955277358Z"
+            Spec:
+              Name: "ingress"
+              Labels:
+                com.docker.swarm.internal: "true"
+              DriverConfiguration: {}
+              IPAMOptions:
+                Driver: {}
+                Configs:
+                  - Subnet: "10.255.0.0/16"
+                    Gateway: "10.255.0.1"
+            DriverState:
+              Name: "overlay"
+              Options:
+                com.docker.network.driver.overlay.vxlanid_list: "256"
+            IPAMOptions:
+              Driver:
+                Name: "default"
+              Configs:
+                - Subnet: "10.255.0.0/16"
+                  Gateway: "10.255.0.1"
+          Addresses:
+            - "10.255.0.10/16"
+      AssignedGenericResources:
+        - DiscreteResourceSpec:
+            Kind: "SSD"
+            Value: 3
+        - NamedResourceSpec:
+            Kind: "GPU"
+            Value: "UUID1"
+        - NamedResourceSpec:
+            Kind: "GPU"
+            Value: "UUID2"
+
+  ServiceSpec:
+    description: "User modifiable configuration for a service."
+    properties:
+      Name:
+        description: "Name of the service."
+        type: "string"
+      Labels:
+        description: "User-defined key/value metadata."
+        type: "object"
+        additionalProperties:
+          type: "string"
+      TaskTemplate:
+        $ref: "#/definitions/TaskSpec"
+      Mode:
+        description: "Scheduling mode for the service."
+        type: "object"
+        properties:
+          Replicated:
+            type: "object"
+            properties:
+              Replicas:
+                type: "integer"
+                format: "int64"
+          Global:
+            type: "object"
+      UpdateConfig:
+        description: "Specification for the update strategy of the service."
+        type: "object"
+        properties:
+          Parallelism:
+            description: "Maximum number of tasks to be updated in one iteration (0 means unlimited parallelism)."
+            type: "integer"
+            format: "int64"
+          Delay:
+            description: "Amount of time between updates, in nanoseconds."
+            type: "integer"
+            format: "int64"
+          FailureAction:
+            description: "Action to take if an updated task fails to run, or stops running during the update."
+            type: "string"
+            enum:
+              - "continue"
+              - "pause"
+              - "rollback"
+          Monitor:
+            description: "Amount of time to monitor each updated task for failures, in nanoseconds."
+            type: "integer"
+            format: "int64"
+          MaxFailureRatio:
+            description: "The fraction of tasks that may fail during an update before the failure action is invoked, specified as a floating point number between 0 and 1."
+            type: "number"
+            default: 0
+          Order:
+            description: "The order of operations when rolling out an updated task. Either the old task is shut down before the new task is started, or the new task is started before the old task is shut down."
+            type: "string"
+            enum:
+              - "stop-first"
+              - "start-first"
+      RollbackConfig:
+        description: "Specification for the rollback strategy of the service."
+        type: "object"
+        properties:
+          Parallelism:
+            description: "Maximum number of tasks to be rolled back in one iteration (0 means unlimited parallelism)."
+            type: "integer"
+            format: "int64"
+          Delay:
+            description: "Amount of time between rollback iterations, in nanoseconds."
+            type: "integer"
+            format: "int64"
+          FailureAction:
+            description: "Action to take if an rolled back task fails to run, or stops running during the rollback."
+            type: "string"
+            enum:
+              - "continue"
+              - "pause"
+          Monitor:
+            description: "Amount of time to monitor each rolled back task for failures, in nanoseconds."
+            type: "integer"
+            format: "int64"
+          MaxFailureRatio:
+            description: "The fraction of tasks that may fail during a rollback before the failure action is invoked, specified as a floating point number between 0 and 1."
+            type: "number"
+            default: 0
+          Order:
+            description: "The order of operations when rolling back a task. Either the old task is shut down before the new task is started, or the new task is started before the old task is shut down."
+            type: "string"
+            enum:
+              - "stop-first"
+              - "start-first"
+      Networks:
+        description: "Array of network names or IDs to attach the service to."
+        type: "array"
+        items:
+          type: "object"
+          properties:
+            Target:
+              type: "string"
+            Aliases:
+              type: "array"
+              items:
+                type: "string"
+      EndpointSpec:
+        $ref: "#/definitions/EndpointSpec"
+
+  EndpointPortConfig:
+    type: "object"
+    properties:
+      Name:
+        type: "string"
+      Protocol:
+        type: "string"
+        enum:
+          - "tcp"
+          - "udp"
+          - "sctp"
+      TargetPort:
+        description: "The port inside the container."
+        type: "integer"
+      PublishedPort:
+        description: "The port on the swarm hosts."
+        type: "integer"
+      PublishMode:
+        description: |
+          The mode in which port is published.
+
+          <p><br /></p>
+
+          - "ingress" makes the target port accessible on on every node,
+            regardless of whether there is a task for the service running on
+            that node or not.
+          - "host" bypasses the routing mesh and publish the port directly on
+            the swarm node where that service is running.
+
+        type: "string"
+        enum:
+          - "ingress"
+          - "host"
+        default: "ingress"
+        example: "ingress"
+
+  EndpointSpec:
+    description: "Properties that can be configured to access and load balance a service."
+    type: "object"
+    properties:
+      Mode:
+        description: "The mode of resolution to use for internal load balancing
+      between tasks."
+        type: "string"
+        enum:
+          - "vip"
+          - "dnsrr"
+        default: "vip"
+      Ports:
+        description: "List of exposed ports that this service is accessible on from the outside. Ports can only be provided if `vip` resolution mode is used."
+        type: "array"
+        items:
+          $ref: "#/definitions/EndpointPortConfig"
+
+  Service:
+    type: "object"
+    properties:
+      ID:
+        type: "string"
+      Version:
+        $ref: "#/definitions/ObjectVersion"
+      CreatedAt:
+        type: "string"
+        format: "dateTime"
+      UpdatedAt:
+        type: "string"
+        format: "dateTime"
+      Spec:
+        $ref: "#/definitions/ServiceSpec"
+      Endpoint:
+        type: "object"
+        properties:
+          Spec:
+            $ref: "#/definitions/EndpointSpec"
+          Ports:
+            type: "array"
+            items:
+              $ref: "#/definitions/EndpointPortConfig"
+          VirtualIPs:
+            type: "array"
+            items:
+              type: "object"
+              properties:
+                NetworkID:
+                  type: "string"
+                Addr:
+                  type: "string"
+      UpdateStatus:
+        description: "The status of a service update."
+        type: "object"
+        properties:
+          State:
+            type: "string"
+            enum:
+              - "updating"
+              - "paused"
+              - "completed"
+          StartedAt:
+            type: "string"
+            format: "dateTime"
+          CompletedAt:
+            type: "string"
+            format: "dateTime"
+          Message:
+            type: "string"
+    example:
+      ID: "9mnpnzenvg8p8tdbtq4wvbkcz"
+      Version:
+        Index: 19
+      CreatedAt: "2016-06-07T21:05:51.880065305Z"
+      UpdatedAt: "2016-06-07T21:07:29.962229872Z"
+      Spec:
+        Name: "hopeful_cori"
+        TaskTemplate:
+          ContainerSpec:
+            Image: "redis"
+          Resources:
+            Limits: {}
+            Reservations: {}
+          RestartPolicy:
+            Condition: "any"
+            MaxAttempts: 0
+          Placement: {}
+          ForceUpdate: 0
+        Mode:
+          Replicated:
+            Replicas: 1
+        UpdateConfig:
+          Parallelism: 1
+          Delay: 1000000000
+          FailureAction: "pause"
+          Monitor: 15000000000
+          MaxFailureRatio: 0.15
+        RollbackConfig:
+          Parallelism: 1
+          Delay: 1000000000
+          FailureAction: "pause"
+          Monitor: 15000000000
+          MaxFailureRatio: 0.15
+        EndpointSpec:
+          Mode: "vip"
+          Ports:
+            -
+              Protocol: "tcp"
+              TargetPort: 6379
+              PublishedPort: 30001
+      Endpoint:
+        Spec:
+          Mode: "vip"
+          Ports:
+            -
+              Protocol: "tcp"
+              TargetPort: 6379
+              PublishedPort: 30001
+        Ports:
+          -
+            Protocol: "tcp"
+            TargetPort: 6379
+            PublishedPort: 30001
+        VirtualIPs:
+          -
+            NetworkID: "4qvuz4ko70xaltuqbt8956gd1"
+            Addr: "10.255.0.2/16"
+          -
+            NetworkID: "4qvuz4ko70xaltuqbt8956gd1"
+            Addr: "10.255.0.3/16"
+
+  ImageDeleteResponseItem:
+    type: "object"
+    properties:
+      Untagged:
+        description: "The image ID of an image that was untagged"
+        type: "string"
+      Deleted:
+        description: "The image ID of an image that was deleted"
+        type: "string"
+
+  ServiceUpdateResponse:
+    type: "object"
+    properties:
+      Warnings:
+        description: "Optional warning messages"
+        type: "array"
+        items:
+          type: "string"
+    example:
+      Warning: "unable to pin image doesnotexist:latest to digest: image library/doesnotexist:latest not found"
+
+  ContainerSummary:
+    type: "array"
+    items:
+      type: "object"
+      properties:
+        Id:
+          description: "The ID of this container"
+          type: "string"
+          x-go-name: "ID"
+        Names:
+          description: "The names that this container has been given"
+          type: "array"
+          items:
+            type: "string"
+        Image:
+          description: "The name of the image used when creating this container"
+          type: "string"
+        ImageID:
+          description: "The ID of the image that this container was created from"
+          type: "string"
+        Command:
+          description: "Command to run when starting the container"
+          type: "string"
+        Created:
+          description: "When the container was created"
+          type: "integer"
+          format: "int64"
+        Ports:
+          description: "The ports exposed by this container"
+          type: "array"
+          items:
+            $ref: "#/definitions/Port"
+        SizeRw:
+          description: "The size of files that have been created or changed by this container"
+          type: "integer"
+          format: "int64"
+        SizeRootFs:
+          description: "The total size of all the files in this container"
+          type: "integer"
+          format: "int64"
+        Labels:
+          description: "User-defined key/value metadata."
+          type: "object"
+          additionalProperties:
+            type: "string"
+        State:
+          description: "The state of this container (e.g. `Exited`)"
+          type: "string"
+        Status:
+          description: "Additional human-readable status of this container (e.g. `Exit 0`)"
+          type: "string"
+        HostConfig:
+          type: "object"
+          properties:
+            NetworkMode:
+              type: "string"
+        NetworkSettings:
+          description: "A summary of the container's network settings"
+          type: "object"
+          properties:
+            Networks:
+              type: "object"
+              additionalProperties:
+                $ref: "#/definitions/EndpointSettings"
+        Mounts:
+          type: "array"
+          items:
+            $ref: "#/definitions/Mount"
+
+  Driver:
+    description: "Driver represents a driver (network, logging, secrets)."
+    type: "object"
+    required: [Name]
+    properties:
+      Name:
+        description: "Name of the driver."
+        type: "string"
+        x-nullable: false
+        example: "some-driver"
+      Options:
+        description: "Key/value map of driver-specific options."
+        type: "object"
+        x-nullable: false
+        additionalProperties:
+          type: "string"
+        example:
+          OptionA: "value for driver-specific option A"
+          OptionB: "value for driver-specific option B"
+
+  SecretSpec:
+    type: "object"
+    properties:
+      Name:
+        description: "User-defined name of the secret."
+        type: "string"
+      Labels:
+        description: "User-defined key/value metadata."
+        type: "object"
+        additionalProperties:
+          type: "string"
+        example:
+          com.example.some-label: "some-value"
+          com.example.some-other-label: "some-other-value"
+      Data:
+        description: |
+          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
+          data to store as secret.
+
+          This field is only used to _create_ a secret, and is not returned by
+          other endpoints.
+        type: "string"
+        example: ""
+      Driver:
+        description: "Name of the secrets driver used to fetch the secret's value from an external secret store"
+        $ref: "#/definitions/Driver"
+      Templating:
+        description: |
+          Templating driver, if applicable
+
+          Templating controls whether and how to evaluate the config payload as
+          a template. If no driver is set, no templating is used.
+        $ref: "#/definitions/Driver"
+
+  Secret:
+    type: "object"
+    properties:
+      ID:
+        type: "string"
+        example: "blt1owaxmitz71s9v5zh81zun"
+      Version:
+        $ref: "#/definitions/ObjectVersion"
+      CreatedAt:
+        type: "string"
+        format: "dateTime"
+        example: "2017-07-20T13:55:28.678958722Z"
+      UpdatedAt:
+        type: "string"
+        format: "dateTime"
+        example: "2017-07-20T13:55:28.678958722Z"
+      Spec:
+        $ref: "#/definitions/SecretSpec"
+
+  ConfigSpec:
+    type: "object"
+    properties:
+      Name:
+        description: "User-defined name of the config."
+        type: "string"
+      Labels:
+        description: "User-defined key/value metadata."
+        type: "object"
+        additionalProperties:
+          type: "string"
+      Data:
+        description: |
+          Base64-url-safe-encoded ([RFC 4648](https://tools.ietf.org/html/rfc4648#section-3.2))
+          config data.
+        type: "string"
+      Templating:
+        description: |
+          Templating driver, if applicable
+
+          Templating controls whether and how to evaluate the config payload as
+          a template. If no driver is set, no templating is used.
+        $ref: "#/definitions/Driver"
+
+  Config:
+    type: "object"
+    properties:
+      ID:
+        type: "string"
+      Version:
+        $ref: "#/definitions/ObjectVersion"
+      CreatedAt:
+        type: "string"
+        format: "dateTime"
+      UpdatedAt:
+        type: "string"
+        format: "dateTime"
+      Spec:
+        $ref: "#/definitions/ConfigSpec"
+
+  SystemInfo:
+    type: "object"
+    properties:
+      ID:
+        description: |
+          Unique identifier of the daemon.
+
+          <p><br /></p>
+
+          > **Note**: The format of the ID itself is not part of the API, and
+          > should not be considered stable.
+        type: "string"
+        example: "7TRN:IPZB:QYBB:VPBQ:UMPP:KARE:6ZNR:XE6T:7EWV:PKF4:ZOJD:TPYS"
+      Containers:
+        description: "Total number of containers on the host."
+        type: "integer"
+        example: 14
+      ContainersRunning:
+        description: |
+          Number of containers with status `"running"`.
+        type: "integer"
+        example: 3
+      ContainersPaused:
+        description: |
+          Number of containers with status `"paused"`.
+        type: "integer"
+        example: 1
+      ContainersStopped:
+        description: |
+          Number of containers with status `"stopped"`.
+        type: "integer"
+        example: 10
+      Images:
+        description: |
+          Total number of images on the host.
+
+          Both _tagged_ and _untagged_ (dangling) images are counted.
+        type: "integer"
+        example: 508
+      Driver:
+        description: "Name of the storage driver in use."
+        type: "string"
+        example: "overlay2"
+      DriverStatus:
+        description: |
+          Information specific to the storage driver, provided as
+          "label" / "value" pairs.
+
+          This information is provided by the storage driver, and formatted
+          in a way consistent with the output of `docker info` on the command
+          line.
+
+          <p><br /></p>
+
+          > **Note**: The information returned in this field, including the
+          > formatting of values and labels, should not be considered stable,
+          > and may change without notice.
+        type: "array"
+        items:
+          type: "array"
+          items:
+            type: "string"
+        example:
+          - ["Backing Filesystem", "extfs"]
+          - ["Supports d_type", "true"]
+          - ["Native Overlay Diff", "true"]
+      DockerRootDir:
+        description: |
+          Root directory of persistent Docker state.
+
+          Defaults to `/var/lib/docker` on Linux, and `C:\ProgramData\docker`
+          on Windows.
+        type: "string"
+        example: "/var/lib/docker"
+      SystemStatus:
+        description: |
+          Status information about this node (standalone Swarm API).
+
+          <p><br /></p>
+
+          > **Note**: The information returned in this field is only propagated
+          > by the Swarm standalone API, and is empty (`null`) when using
+          > built-in swarm mode.
+        type: "array"
+        items:
+          type: "array"
+          items:
+            type: "string"
+        example:
+          - ["Role", "primary"]
+          - ["State", "Healthy"]
+          - ["Strategy", "spread"]
+          - ["Filters", "health, port, containerslots, dependency, affinity, constraint, whitelist"]
+          - ["Nodes", "2"]
+          - [" swarm-agent-00", "192.168.99.102:2376"]
+          - ["  └ ID", "5CT6:FBGO:RVGO:CZL4:PB2K:WCYN:2JSV:KSHH:GGFW:QOPG:6J5Q:IOZ2|192.168.99.102:2376"]
+          - ["  └ Status", "Healthy"]
+          - ["  └ Containers", "1 (1 Running, 0 Paused, 0 Stopped)"]
+          - ["  └ Reserved CPUs", "0 / 1"]
+          - ["  └ Reserved Memory", "0 B / 1.021 GiB"]
+          - ["  └ Labels", "kernelversion=4.4.74-boot2docker, operatingsystem=Boot2Docker 17.06.0-ce (TCL 7.2); HEAD : 0672754 - Thu Jun 29 00:06:31 UTC 2017, ostype=linux, provider=virtualbox, storagedriver=aufs"]
+          - ["  └ UpdatedAt", "2017-08-09T10:03:46Z"]
+          - ["  └ ServerVersion", "17.06.0-ce"]
+          - [" swarm-manager", "192.168.99.101:2376"]
+          - ["  └ ID", "TAMD:7LL3:SEF7:LW2W:4Q2X:WVFH:RTXX:JSYS:XY2P:JEHL:ZMJK:JGIW|192.168.99.101:2376"]
+          - ["  └ Status", "Healthy"]
+          - ["  └ Containers", "2 (2 Running, 0 Paused, 0 Stopped)"]
+          - ["  └ Reserved CPUs", "0 / 1"]
+          - ["  └ Reserved Memory", "0 B / 1.021 GiB"]
+          - ["  └ Labels", "kernelversion=4.4.74-boot2docker, operatingsystem=Boot2Docker 17.06.0-ce (TCL 7.2); HEAD : 0672754 - Thu Jun 29 00:06:31 UTC 2017, ostype=linux, provider=virtualbox, storagedriver=aufs"]
+          - ["  └ UpdatedAt", "2017-08-09T10:04:11Z"]
+          - ["  └ ServerVersion", "17.06.0-ce"]
+      Plugins:
+        $ref: "#/definitions/PluginsInfo"
+      MemoryLimit:
+        description: "Indicates if the host has memory limit support enabled."
+        type: "boolean"
+        example: true
+      SwapLimit:
+        description: "Indicates if the host has memory swap limit support enabled."
+        type: "boolean"
+        example: true
+      KernelMemory:
+        description: "Indicates if the host has kernel memory limit support enabled."
+        type: "boolean"
+        example: true
+      CpuCfsPeriod:
+        description: "Indicates if CPU CFS(Completely Fair Scheduler) period is supported by the host."
+        type: "boolean"
+        example: true
+      CpuCfsQuota:
+        description: "Indicates if CPU CFS(Completely Fair Scheduler) quota is supported by the host."
+        type: "boolean"
+        example: true
+      CPUShares:
+        description: "Indicates if CPU Shares limiting is supported by the host."
+        type: "boolean"
+        example: true
+      CPUSet:
+        description: |
+          Indicates if CPUsets (cpuset.cpus, cpuset.mems) are supported by the host.
+
+          See [cpuset(7)](https://www.kernel.org/doc/Documentation/cgroup-v1/cpusets.txt)
+        type: "boolean"
+        example: true
+      OomKillDisable:
+        description: "Indicates if OOM killer disable is supported on the host."
+        type: "boolean"
+      IPv4Forwarding:
+        description: "Indicates IPv4 forwarding is enabled."
+        type: "boolean"
+        example: true
+      BridgeNfIptables:
+        description: "Indicates if `bridge-nf-call-iptables` is available on the host."
+        type: "boolean"
+        example: true
+      BridgeNfIp6tables:
+        description: "Indicates if `bridge-nf-call-ip6tables` is available on the host."
+        type: "boolean"
+        example: true
+      Debug:
+        description: "Indicates if the daemon is running in debug-mode / with debug-level logging enabled."
+        type: "boolean"
+        example: true
+      NFd:
+        description: |
+          The total number of file Descriptors in use by the daemon process.
+
+          This information is only returned if debug-mode is enabled.
+        type: "integer"
+        example: 64
+      NGoroutines:
+        description: |
+          The  number of goroutines that currently exist.
+
+          This information is only returned if debug-mode is enabled.
+        type: "integer"
+        example: 174
+      SystemTime:
+        description: |
+          Current system-time in [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt)
+          format with nano-seconds.
+        type: "string"
+        example: "2017-08-08T20:28:29.06202363Z"
+      LoggingDriver:
+        description: |
+          The logging driver to use as a default for new containers.
+        type: "string"
+      CgroupDriver:
+        description: |
+          The driver to use for managing cgroups.
+        type: "string"
+        enum: ["cgroupfs", "systemd"]
+        default: "cgroupfs"
+        example: "cgroupfs"
+      NEventsListener:
+        description: "Number of event listeners subscribed."
+        type: "integer"
+        example: 30
+      KernelVersion:
+        description: |
+          Kernel version of the host.
+
+          On Linux, this information obtained from `uname`. On Windows this
+          information is queried from the <kbd>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\</kbd>
+          registry value, for example _"10.0 14393 (14393.1198.amd64fre.rs1_release_sec.170427-1353)"_.
+        type: "string"
+        example: "4.9.38-moby"
+      OperatingSystem:
+        description: |
+          Name of the host's operating system, for example: "Ubuntu 16.04.2 LTS"
+          or "Windows Server 2016 Datacenter"
+        type: "string"
+        example: "Alpine Linux v3.5"
+      OSType:
+        description: |
+          Generic type of the operating system of the host, as returned by the
+          Go runtime (`GOOS`).
+
+          Currently returned values are "linux" and "windows". A full list of
+          possible values can be found in the [Go documentation](https://golang.org/doc/install/source#environment).
+        type: "string"
+        example: "linux"
+      Architecture:
+        description: |
+          Hardware architecture of the host, as returned by the Go runtime
+          (`GOARCH`).
+
+          A full list of possible values can be found in the [Go documentation](https://golang.org/doc/install/source#environment).
+        type: "string"
+        example: "x86_64"
+      NCPU:
+        description: |
+          The number of logical CPUs usable by the daemon.
+
+          The number of available CPUs is checked by querying the operating
+          system when the daemon starts. Changes to operating system CPU
+          allocation after the daemon is started are not reflected.
+        type: "integer"
+        example: 4
+      MemTotal:
+        description: |
+          Total amount of physical memory available on the host, in kilobytes (kB).
+        type: "integer"
+        format: "int64"
+        example: 2095882240
+
+      IndexServerAddress:
+        description: |
+          Address / URL of the index server that is used for image search,
+          and as a default for user authentication for Docker Hub and Docker Cloud.
+        default: "https://index.docker.io/v1/"
+        type: "string"
+        example: "https://index.docker.io/v1/"
+      RegistryConfig:
+        $ref: "#/definitions/RegistryServiceConfig"
+      GenericResources:
+        $ref: "#/definitions/GenericResources"
+      HttpProxy:
+        description: |
+          HTTP-proxy configured for the daemon. This value is obtained from the
+          [`HTTP_PROXY`](https://www.gnu.org/software/wget/manual/html_node/Proxies.html) environment variable.
+
+          Containers do not automatically inherit this configuration.
+        type: "string"
+        example: "http://user:pass@proxy.corp.example.com:8080"
+      HttpsProxy:
+        description: |
+          HTTPS-proxy configured for the daemon. This value is obtained from the
+          [`HTTPS_PROXY`](https://www.gnu.org/software/wget/manual/html_node/Proxies.html) environment variable.
+
+          Containers do not automatically inherit this configuration.
+        type: "string"
+        example: "https://user:pass@proxy.corp.example.com:4443"
+      NoProxy:
+        description: |
+          Comma-separated list of domain extensions for which no proxy should be
+          used. This value is obtained from the [`NO_PROXY`](https://www.gnu.org/software/wget/manual/html_node/Proxies.html)
+          environment variable.
+
+          Containers do not automatically inherit this configuration.
+        type: "string"
+        example: "*.local, 169.254/16"
+      Name:
+        description: "Hostname of the host."
+        type: "string"
+        example: "node5.corp.example.com"
+      Labels:
+        description: |
+          User-defined labels (key/value metadata) as set on the daemon.
+
+          <p><br /></p>
+
+          > **Note**: When part of a Swarm, nodes can both have _daemon_ labels,
+          > set through the daemon configuration, and _node_ labels, set from a
+          > manager node in the Swarm. Node labels are not included in this
+          > field. Node labels can be retrieved using the `/nodes/(id)` endpoint
+          > on a manager node in the Swarm.
+        type: "array"
+        items:
+          type: "string"
+        example: ["storage=ssd", "production"]
+      ExperimentalBuild:
+        description: |
+          Indicates if experimental features are enabled on the daemon.
+        type: "boolean"
+        example: true
+      ServerVersion:
+        description: |
+          Version string of the daemon.
+
+          > **Note**: the [standalone Swarm API](https://docs.docker.com/swarm/swarm-api/)
+          > returns the Swarm version instead of the daemon  version, for example
+          > `swarm/1.2.8`.
+        type: "string"
+        example: "17.06.0-ce"
+      ClusterStore:
+        description: |
+          URL of the distributed storage backend.
+
+
+          The storage backend is used for multihost networking (to store
+          network and endpoint information) and by the node discovery mechanism.
+
+          <p><br /></p>
+
+          > **Note**: This field is only propagated when using standalone Swarm
+          > mode, and overlay networking using an external k/v store. Overlay
+          > networks with Swarm mode enabled use the built-in raft store, and
+          > this field will be empty.
+        type: "string"
+        example: "consul://consul.corp.example.com:8600/some/path"
+      ClusterAdvertise:
+        description: |
+          The network endpoint that the Engine advertises for the purpose of
+          node discovery. ClusterAdvertise is a `host:port` combination on which
+          the daemon is reachable by other hosts.
+
+          <p><br /></p>
+
+          > **Note**: This field is only propagated when using standalone Swarm
+          > mode, and overlay networking using an external k/v store. Overlay
+          > networks with Swarm mode enabled use the built-in raft store, and
+          > this field will be empty.
+        type: "string"
+        example: "node5.corp.example.com:8000"
+      Runtimes:
+        description: |
+          List of [OCI compliant](https://github.com/opencontainers/runtime-spec)
+          runtimes configured on the daemon. Keys hold the "name" used to
+          reference the runtime.
+
+          The Docker daemon relies on an OCI compliant runtime (invoked via the
+          `containerd` daemon) as its interface to the Linux kernel namespaces,
+          cgroups, and SELinux.
+
+          The default runtime is `runc`, and automatically configured. Additional
+          runtimes can be configured by the user and will be listed here.
+        type: "object"
+        additionalProperties:
+          $ref: "#/definitions/Runtime"
+        default:
+          runc:
+            path: "docker-runc"
+        example:
+          runc:
+            path: "docker-runc"
+          runc-master:
+            path: "/go/bin/runc"
+          custom:
+            path: "/usr/local/bin/my-oci-runtime"
+            runtimeArgs: ["--debug", "--systemd-cgroup=false"]
+      DefaultRuntime:
+        description: |
+          Name of the default OCI runtime that is used when starting containers.
+
+          The default can be overridden per-container at create time.
+        type: "string"
+        default: "runc"
+        example: "runc"
+      Swarm:
+        $ref: "#/definitions/SwarmInfo"
+      LiveRestoreEnabled:
+        description: |
+          Indicates if live restore is enabled.
+
+          If enabled, containers are kept running when the daemon is shutdown
+          or upon daemon start if running containers are detected.
+        type: "boolean"
+        default: false
+        example: false
+      Isolation:
+        description: |
+          Represents the isolation technology to use as a default for containers.
+          The supported values are platform-specific.
+
+          If no isolation value is specified on daemon start, on Windows client,
+          the default is `hyperv`, and on Windows server, the default is `process`.
+
+          This option is currently not used on other platforms.
+        default: "default"
+        type: "string"
+        enum:
+          - "default"
+          - "hyperv"
+          - "process"
+      InitBinary:
+        description: |
+          Name and, optional, path of the `docker-init` binary.
+
+          If the path is omitted, the daemon searches the host's `$PATH` for the
+          binary and uses the first result.
+        type: "string"
+        example: "docker-init"
+      ContainerdCommit:
+        $ref: "#/definitions/Commit"
+      RuncCommit:
+        $ref: "#/definitions/Commit"
+      InitCommit:
+        $ref: "#/definitions/Commit"
+      SecurityOptions:
+        description: |
+          List of security features that are enabled on the daemon, such as
+          apparmor, seccomp, SELinux, and user-namespaces (userns).
+
+          Additional configuration options for each security feature may
+          be present, and are included as a comma-separated list of key/value
+          pairs.
+        type: "array"
+        items:
+          type: "string"
+        example:
+          - "name=apparmor"
+          - "name=seccomp,profile=default"
+          - "name=selinux"
+          - "name=userns"
+
+
+  # PluginsInfo is a temp struct holding Plugins name
+  # registered with docker daemon. It is used by Info struct
+  PluginsInfo:
+    description: |
+      Available plugins per type.
+
+      <p><br /></p>
+
+      > **Note**: Only unmanaged (V1) plugins are included in this list.
+      > V1 plugins are "lazily" loaded, and are not returned in this list
+      > if there is no resource using the plugin.
+    type: "object"
+    properties:
+      Volume:
+        description: "Names of available volume-drivers, and network-driver plugins."
+        type: "array"
+        items:
+          type: "string"
+        example: ["local"]
+      Network:
+        description: "Names of available network-drivers, and network-driver plugins."
+        type: "array"
+        items:
+          type: "string"
+        example: ["bridge", "host", "ipvlan", "macvlan", "null", "overlay"]
+      Authorization:
+        description: "Names of available authorization plugins."
+        type: "array"
+        items:
+          type: "string"
+        example: ["img-authz-plugin", "hbm"]
+      Log:
+        description: "Names of available logging-drivers, and logging-driver plugins."
+        type: "array"
+        items:
+          type: "string"
+        example: ["awslogs", "fluentd", "gcplogs", "gelf", "journald", "json-file", "logentries", "splunk", "syslog"]
+
+
+  RegistryServiceConfig:
+    description: |
+      RegistryServiceConfig stores daemon registry services configuration.
+    type: "object"
+    x-nullable: true
+    properties:
+      AllowNondistributableArtifactsCIDRs:
+        description: |
+          List of IP ranges to which nondistributable artifacts can be pushed,
+          using the CIDR syntax [RFC 4632](https://tools.ietf.org/html/4632).
+
+          Some images (for example, Windows base images) contain artifacts
+          whose distribution is restricted by license. When these images are
+          pushed to a registry, restricted artifacts are not included.
+
+          This configuration override this behavior, and enables the daemon to
+          push nondistributable artifacts to all registries whose resolved IP
+          address is within the subnet described by the CIDR syntax.
+
+          This option is useful when pushing images containing
+          nondistributable artifacts to a registry on an air-gapped network so
+          hosts on that network can pull the images without connecting to
+          another server.
+
+          > **Warning**: Nondistributable artifacts typically have restrictions
+          > on how and where they can be distributed and shared. Only use this
+          > feature to push artifacts to private registries and ensure that you
+          > are in compliance with any terms that cover redistributing
+          > nondistributable artifacts.
+
+        type: "array"
+        items:
+          type: "string"
+        example: ["::1/128", "127.0.0.0/8"]
+      AllowNondistributableArtifactsHostnames:
+        description: |
+          List of registry hostnames to which nondistributable artifacts can be
+          pushed, using the format `<hostname>[:<port>]` or `<IP address>[:<port>]`.
+
+          Some images (for example, Windows base images) contain artifacts
+          whose distribution is restricted by license. When these images are
+          pushed to a registry, restricted artifacts are not included.
+
+          This configuration override this behavior for the specified
+          registries.
+
+          This option is useful when pushing images containing
+          nondistributable artifacts to a registry on an air-gapped network so
+          hosts on that network can pull the images without connecting to
+          another server.
+
+          > **Warning**: Nondistributable artifacts typically have restrictions
+          > on how and where they can be distributed and shared. Only use this
+          > feature to push artifacts to private registries and ensure that you
+          > are in compliance with any terms that cover redistributing
+          > nondistributable artifacts.
+        type: "array"
+        items:
+          type: "string"
+        example: ["registry.internal.corp.example.com:3000", "[2001:db8:a0b:12f0::1]:443"]
+      InsecureRegistryCIDRs:
+        description: |
+          List of IP ranges of insecure registries, using the CIDR syntax
+          ([RFC 4632](https://tools.ietf.org/html/4632)). Insecure registries
+          accept un-encrypted (HTTP) and/or untrusted (HTTPS with certificates
+          from unknown CAs) communication.
+
+          By default, local registries (`127.0.0.0/8`) are configured as
+          insecure. All other registries are secure. Communicating with an
+          insecure registry is not possible if the daemon assumes that registry
+          is secure.
+
+          This configuration override this behavior, insecure communication with
+          registries whose resolved IP address is within the subnet described by
+          the CIDR syntax.
+
+          Registries can also be marked insecure by hostname. Those registries
+          are listed under `IndexConfigs` and have their `Secure` field set to
+          `false`.
+
+          > **Warning**: Using this option can be useful when running a local
+          > registry, but introduces security vulnerabilities. This option
+          > should therefore ONLY be used for testing purposes. For increased
+          > security, users should add their CA to their system's list of trusted
+          > CAs instead of enabling this option.
+        type: "array"
+        items:
+          type: "string"
+        example: ["::1/128", "127.0.0.0/8"]
+      IndexConfigs:
+        type: "object"
+        additionalProperties:
+          $ref: "#/definitions/IndexInfo"
+        example:
+          "127.0.0.1:5000":
+            "Name": "127.0.0.1:5000"
+            "Mirrors": []
+            "Secure": false
+            "Official": false
+          "[2001:db8:a0b:12f0::1]:80":
+            "Name": "[2001:db8:a0b:12f0::1]:80"
+            "Mirrors": []
+            "Secure": false
+            "Official": false
+          "docker.io":
+            Name: "docker.io"
+            Mirrors: ["https://hub-mirror.corp.example.com:5000/"]
+            Secure: true
+            Official: true
+          "registry.internal.corp.example.com:3000":
+            Name: "registry.internal.corp.example.com:3000"
+            Mirrors: []
+            Secure: false
+            Official: false
+      Mirrors:
+        description: |
+          List of registry URLs that act as a mirror for the official
+          (`docker.io`) registry.
+
+        type: "array"
+        items:
+          type: "string"
+        example:
+          - "https://hub-mirror.corp.example.com:5000/"
+          - "https://[2001:db8:a0b:12f0::1]/"
+
+  IndexInfo:
+    description:
+      IndexInfo contains information about a registry.
+    type: "object"
+    x-nullable: true
+    properties:
+      Name:
+        description: |
+          Name of the registry, such as "docker.io".
+        type: "string"
+        example: "docker.io"
+      Mirrors:
+        description: |
+          List of mirrors, expressed as URIs.
+        type: "array"
+        items:
+          type: "string"
+        example:
+          - "https://hub-mirror.corp.example.com:5000/"
+          - "https://registry-2.docker.io/"
+          - "https://registry-3.docker.io/"
+      Secure:
+        description: |
+          Indicates if the registry is part of the list of insecure
+          registries.
+
+          If `false`, the registry is insecure. Insecure registries accept
+          un-encrypted (HTTP) and/or untrusted (HTTPS with certificates from
+          unknown CAs) communication.
+
+          > **Warning**: Insecure registries can be useful when running a local
+          > registry. However, because its use creates security vulnerabilities
+          > it should ONLY be enabled for testing purposes. For increased
+          > security, users should add their CA to their system's list of
+          > trusted CAs instead of enabling this option.
+        type: "boolean"
+        example: true
+      Official:
+        description: |
+          Indicates whether this is an official registry (i.e., Docker Hub / docker.io)
+        type: "boolean"
+        example: true
+
+  Runtime:
+    description: |
+      Runtime describes an [OCI compliant](https://github.com/opencontainers/runtime-spec)
+      runtime.
+
+      The runtime is invoked by the daemon via the `containerd` daemon. OCI
+      runtimes act as an interface to the Linux kernel namespaces, cgroups,
+      and SELinux.
+    type: "object"
+    properties:
+      path:
+        description: |
+          Name and, optional, path, of the OCI executable binary.
+
+          If the path is omitted, the daemon searches the host's `$PATH` for the
+          binary and uses the first result.
+        type: "string"
+        example: "/usr/local/bin/my-oci-runtime"
+      runtimeArgs:
+        description: |
+          List of command-line arguments to pass to the runtime when invoked.
+        type: "array"
+        x-nullable: true
+        items:
+          type: "string"
+        example: ["--debug", "--systemd-cgroup=false"]
+
+  Commit:
+    description: |
+      Commit holds the Git-commit (SHA1) that a binary was built from, as
+      reported in the version-string of external tools, such as `containerd`,
+      or `runC`.
+    type: "object"
+    properties:
+      ID:
+        description: "Actual commit ID of external tool."
+        type: "string"
+        example: "cfb82a876ecc11b5ca0977d1733adbe58599088a"
+      Expected:
+        description: |
+          Commit ID of external tool expected by dockerd as set at build time.
+        type: "string"
+        example: "2d41c047c83e09a6d61d464906feb2a2f3c52aa4"
+
+  SwarmInfo:
+    description: |
+      Represents generic information about swarm.
+    type: "object"
+    properties:
+      NodeID:
+        description: "Unique identifier of for this node in the swarm."
+        type: "string"
+        default: ""
+        example: "k67qz4598weg5unwwffg6z1m1"
+      NodeAddr:
+        description: |
+          IP address at which this node can be reached by other nodes in the
+          swarm.
+        type: "string"
+        default: ""
+        example: "10.0.0.46"
+      LocalNodeState:
+        $ref: "#/definitions/LocalNodeState"
+      ControlAvailable:
+        type: "boolean"
+        default: false
+        example: true
+      Error:
+        type: "string"
+        default: ""
+      RemoteManagers:
+        description: |
+          List of ID's and addresses of other managers in the swarm.
+        type: "array"
+        default: null
+        x-nullable: true
+        items:
+          $ref: "#/definitions/PeerNode"
+        example:
+          - NodeID: "71izy0goik036k48jg985xnds"
+            Addr: "10.0.0.158:2377"
+          - NodeID: "79y6h1o4gv8n120drcprv5nmc"
+            Addr: "10.0.0.159:2377"
+          - NodeID: "k67qz4598weg5unwwffg6z1m1"
+            Addr: "10.0.0.46:2377"
+      Nodes:
+        description: "Total number of nodes in the swarm."
+        type: "integer"
+        x-nullable: true
+        example: 4
+      Managers:
+        description: "Total number of managers in the swarm."
+        type: "integer"
+        x-nullable: true
+        example: 3
+      Cluster:
+        $ref: "#/definitions/ClusterInfo"
+
+  LocalNodeState:
+    description: "Current local status of this node."
+    type: "string"
+    default: ""
+    enum:
+      - ""
+      - "inactive"
+      - "pending"
+      - "active"
+      - "error"
+      - "locked"
+    example: "active"
+
+  PeerNode:
+    description: "Represents a peer-node in the swarm"
+    properties:
+      NodeID:
+        description: "Unique identifier of for this node in the swarm."
+        type: "string"
+      Addr:
+        description: |
+          IP address and ports at which this node can be reached.
+        type: "string"
+
+paths:
+  /containers/json:
+    get:
+      summary: "List containers"
+      description: |
+        Returns a list of containers. For details on the format, see [the inspect endpoint](#operation/ContainerInspect).
+
+        Note that it uses a different, smaller representation of a container than inspecting a single container. For example,
+        the list of linked containers is not propagated .
+      operationId: "ContainerList"
+      produces:
+        - "application/json"
+      parameters:
+        - name: "all"
+          in: "query"
+          description: "Return all containers. By default, only running containers are shown"
+          type: "boolean"
+          default: false
+        - name: "limit"
+          in: "query"
+          description: "Return this number of most recently created containers, including non-running ones."
+          type: "integer"
+        - name: "size"
+          in: "query"
+          description: "Return the size of container as fields `SizeRw` and `SizeRootFs`."
+          type: "boolean"
+          default: false
+        - name: "filters"
+          in: "query"
+          description: |
+            Filters to process on the container list, encoded as JSON (a `map[string][]string`). For example, `{"status": ["paused"]}` will only return paused containers. Available filters:
+
+            - `ancestor`=(`<image-name>[:<tag>]`, `<image id>`, or `<image@digest>`)
+            - `before`=(`<container id>` or `<container name>`)
+            - `expose`=(`<port>[/<proto>]`|`<startport-endport>/[<proto>]`)
+            - `exited=<int>` containers with exit code of `<int>`
+            - `health`=(`starting`|`healthy`|`unhealthy`|`none`)
+            - `id=<ID>` a container's ID
+            - `isolation=`(`default`|`process`|`hyperv`) (Windows daemon only)
+            - `is-task=`(`true`|`false`)
+            - `label=key` or `label="key=value"` of a container label
+            - `name=<name>` a container's name
+            - `network`=(`<network id>` or `<network name>`)
+            - `publish`=(`<port>[/<proto>]`|`<startport-endport>/[<proto>]`)
+            - `since`=(`<container id>` or `<container name>`)
+            - `status=`(`created`|`restarting`|`running`|`removing`|`paused`|`exited`|`dead`)
+            - `volume`=(`<volume name>` or `<mount point destination>`)
+          type: "string"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/ContainerSummary"
+          examples:
+            application/json:
+              - Id: "8dfafdbc3a40"
+                Names:
+                  - "/boring_feynman"
+                Image: "ubuntu:latest"
+                ImageID: "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82"
+                Command: "echo 1"
+                Created: 1367854155
+                State: "Exited"
+                Status: "Exit 0"
+                Ports:
+                  - PrivatePort: 2222
+                    PublicPort: 3333
+                    Type: "tcp"
+                Labels:
+                  com.example.vendor: "Acme"
+                  com.example.license: "GPL"
+                  com.example.version: "1.0"
+                SizeRw: 12288
+                SizeRootFs: 0
+                HostConfig:
+                  NetworkMode: "default"
+                NetworkSettings:
+                  Networks:
+                    bridge:
+                      NetworkID: "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812"
+                      EndpointID: "2cdc4edb1ded3631c81f57966563e5c8525b81121bb3706a9a9a3ae102711f3f"
+                      Gateway: "172.17.0.1"
+                      IPAddress: "172.17.0.2"
+                      IPPrefixLen: 16
+                      IPv6Gateway: ""
+                      GlobalIPv6Address: ""
+                      GlobalIPv6PrefixLen: 0
+                      MacAddress: "02:42:ac:11:00:02"
+                Mounts:
+                  - Name: "fac362...80535"
+                    Source: "/data"
+                    Destination: "/data"
+                    Driver: "local"
+                    Mode: "ro,Z"
+                    RW: false
+                    Propagation: ""
+              - Id: "9cd87474be90"
+                Names:
+                  - "/coolName"
+                Image: "ubuntu:latest"
+                ImageID: "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82"
+                Command: "echo 222222"
+                Created: 1367854155
+                State: "Exited"
+                Status: "Exit 0"
+                Ports: []
+                Labels: {}
+                SizeRw: 12288
+                SizeRootFs: 0
+                HostConfig:
+                  NetworkMode: "default"
+                NetworkSettings:
+                  Networks:
+                    bridge:
+                      NetworkID: "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812"
+                      EndpointID: "88eaed7b37b38c2a3f0c4bc796494fdf51b270c2d22656412a2ca5d559a64d7a"
+                      Gateway: "172.17.0.1"
+                      IPAddress: "172.17.0.8"
+                      IPPrefixLen: 16
+                      IPv6Gateway: ""
+                      GlobalIPv6Address: ""
+                      GlobalIPv6PrefixLen: 0
+                      MacAddress: "02:42:ac:11:00:08"
+                Mounts: []
+              - Id: "3176a2479c92"
+                Names:
+                  - "/sleepy_dog"
+                Image: "ubuntu:latest"
+                ImageID: "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82"
+                Command: "echo 3333333333333333"
+                Created: 1367854154
+                State: "Exited"
+                Status: "Exit 0"
+                Ports: []
+                Labels: {}
+                SizeRw: 12288
+                SizeRootFs: 0
+                HostConfig:
+                  NetworkMode: "default"
+                NetworkSettings:
+                  Networks:
+                    bridge:
+                      NetworkID: "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812"
+                      EndpointID: "8b27c041c30326d59cd6e6f510d4f8d1d570a228466f956edf7815508f78e30d"
+                      Gateway: "172.17.0.1"
+                      IPAddress: "172.17.0.6"
+                      IPPrefixLen: 16
+                      IPv6Gateway: ""
+                      GlobalIPv6Address: ""
+                      GlobalIPv6PrefixLen: 0
+                      MacAddress: "02:42:ac:11:00:06"
+                Mounts: []
+              - Id: "4cb07b47f9fb"
+                Names:
+                  - "/running_cat"
+                Image: "ubuntu:latest"
+                ImageID: "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82"
+                Command: "echo 444444444444444444444444444444444"
+                Created: 1367854152
+                State: "Exited"
+                Status: "Exit 0"
+                Ports: []
+                Labels: {}
+                SizeRw: 12288
+                SizeRootFs: 0
+                HostConfig:
+                  NetworkMode: "default"
+                NetworkSettings:
+                  Networks:
+                    bridge:
+                      NetworkID: "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812"
+                      EndpointID: "d91c7b2f0644403d7ef3095985ea0e2370325cd2332ff3a3225c4247328e66e9"
+                      Gateway: "172.17.0.1"
+                      IPAddress: "172.17.0.5"
+                      IPPrefixLen: 16
+                      IPv6Gateway: ""
+                      GlobalIPv6Address: ""
+                      GlobalIPv6PrefixLen: 0
+                      MacAddress: "02:42:ac:11:00:05"
+                Mounts: []
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Container"]
+  /containers/create:
+    post:
+      summary: "Create a container"
+      operationId: "ContainerCreate"
+      consumes:
+        - "application/json"
+        - "application/octet-stream"
+      produces:
+        - "application/json"
+      parameters:
+        - name: "name"
+          in: "query"
+          description: "Assign the specified name to the container. Must match `/?[a-zA-Z0-9_-]+`."
+          type: "string"
+          pattern: "/?[a-zA-Z0-9_-]+"
+        - name: "body"
+          in: "body"
+          description: "Container to create"
+          schema:
+            allOf:
+              - $ref: "#/definitions/ContainerConfig"
+              - type: "object"
+                properties:
+                  HostConfig:
+                    $ref: "#/definitions/HostConfig"
+                  NetworkingConfig:
+                    description: "This container's networking configuration."
+                    type: "object"
+                    properties:
+                      EndpointsConfig:
+                        description: "A mapping of network name to endpoint configuration for that network."
+                        type: "object"
+                        additionalProperties:
+                          $ref: "#/definitions/EndpointSettings"
+            example:
+              Hostname: ""
+              Domainname: ""
+              User: ""
+              AttachStdin: false
+              AttachStdout: true
+              AttachStderr: true
+              Tty: false
+              OpenStdin: false
+              StdinOnce: false
+              Env:
+                - "FOO=bar"
+                - "BAZ=quux"
+              Cmd:
+                - "date"
+              Entrypoint: ""
+              Image: "ubuntu"
+              Labels:
+                com.example.vendor: "Acme"
+                com.example.license: "GPL"
+                com.example.version: "1.0"
+              Volumes:
+                /volumes/data: {}
+              WorkingDir: ""
+              NetworkDisabled: false
+              MacAddress: "12:34:56:78:9a:bc"
+              ExposedPorts:
+                22/tcp: {}
+              StopSignal: "SIGTERM"
+              StopTimeout: 10
+              HostConfig:
+                Binds:
+                  - "/tmp:/tmp"
+                Links:
+                  - "redis3:redis"
+                Memory: 0
+                MemorySwap: 0
+                MemoryReservation: 0
+                KernelMemory: 0
+                NanoCPUs: 500000
+                CpuPercent: 80
+                CpuShares: 512
+                CpuPeriod: 100000
+                CpuRealtimePeriod: 1000000
+                CpuRealtimeRuntime: 10000
+                CpuQuota: 50000
+                CpusetCpus: "0,1"
+                CpusetMems: "0,1"
+                MaximumIOps: 0
+                MaximumIOBps: 0
+                BlkioWeight: 300
+                BlkioWeightDevice:
+                  - {}
+                BlkioDeviceReadBps:
+                  - {}
+                BlkioDeviceReadIOps:
+                  - {}
+                BlkioDeviceWriteBps:
+                  - {}
+                BlkioDeviceWriteIOps:
+                  - {}
+                MemorySwappiness: 60
+                OomKillDisable: false
+                OomScoreAdj: 500
+                PidMode: ""
+                PidsLimit: -1
+                PortBindings:
+                  22/tcp:
+                    - HostPort: "11022"
+                PublishAllPorts: false
+                Privileged: false
+                ReadonlyRootfs: false
+                Dns:
+                  - "8.8.8.8"
+                DnsOptions:
+                  - ""
+                DnsSearch:
+                  - ""
+                VolumesFrom:
+                  - "parent"
+                  - "other:ro"
+                CapAdd:
+                  - "NET_ADMIN"
+                CapDrop:
+                  - "MKNOD"
+                GroupAdd:
+                  - "newgroup"
+                RestartPolicy:
+                  Name: ""
+                  MaximumRetryCount: 0
+                AutoRemove: true
+                NetworkMode: "bridge"
+                Devices: []
+                Ulimits:
+                  - {}
+                LogConfig:
+                  Type: "json-file"
+                  Config: {}
+                SecurityOpt: []
+                StorageOpt: {}
+                CgroupParent: ""
+                VolumeDriver: ""
+                ShmSize: 67108864
+              NetworkingConfig:
+                EndpointsConfig:
+                  isolated_nw:
+                    IPAMConfig:
+                      IPv4Address: "172.20.30.33"
+                      IPv6Address: "2001:db8:abcd::3033"
+                      LinkLocalIPs:
+                        - "169.254.34.68"
+                        - "fe80::3468"
+                    Links:
+                      - "container_1"
+                      - "container_2"
+                    Aliases:
+                      - "server_x"
+                      - "server_y"
+
+          required: true
+      responses:
+        201:
+          description: "Container created successfully"
+          schema:
+            type: "object"
+            title: "ContainerCreateResponse"
+            description: "OK response to ContainerCreate operation"
+            required: [Id, Warnings]
+            properties:
+              Id:
+                description: "The ID of the created container"
+                type: "string"
+                x-nullable: false
+              Warnings:
+                description: "Warnings encountered when creating the container"
+                type: "array"
+                x-nullable: false
+                items:
+                  type: "string"
+          examples:
+            application/json:
+              Id: "e90e34656806"
+              Warnings: []
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        409:
+          description: "conflict"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Container"]
+  /containers/{id}/json:
+    get:
+      summary: "Inspect a container"
+      description: "Return low-level information about a container."
+      operationId: "ContainerInspect"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "object"
+            title: "ContainerInspectResponse"
+            properties:
+              Id:
+                description: "The ID of the container"
+                type: "string"
+              Created:
+                description: "The time the container was created"
+                type: "string"
+              Path:
+                description: "The path to the command being run"
+                type: "string"
+              Args:
+                description: "The arguments to the command being run"
+                type: "array"
+                items:
+                  type: "string"
+              State:
+                description: "The state of the container."
+                type: "object"
+                properties:
+                  Status:
+                    description: |
+                      The status of the container. For example, `"running"` or `"exited"`.
+                    type: "string"
+                    enum: ["created", "running", "paused", "restarting", "removing", "exited", "dead"]
+                  Running:
+                    description: |
+                      Whether this container is running.
+
+                      Note that a running container can be _paused_. The `Running` and `Paused`
+                      booleans are not mutually exclusive:
+
+                      When pausing a container (on Linux), the cgroups freezer is used to suspend
+                      all processes in the container. Freezing the process requires the process to
+                      be running. As a result, paused containers are both `Running` _and_ `Paused`.
+
+                      Use the `Status` field instead to determine if a container's state is "running".
+                    type: "boolean"
+                  Paused:
+                    description: "Whether this container is paused."
+                    type: "boolean"
+                  Restarting:
+                    description: "Whether this container is restarting."
+                    type: "boolean"
+                  OOMKilled:
+                    description: "Whether this container has been killed because it ran out of memory."
+                    type: "boolean"
+                  Dead:
+                    type: "boolean"
+                  Pid:
+                    description: "The process ID of this container"
+                    type: "integer"
+                  ExitCode:
+                    description: "The last exit code of this container"
+                    type: "integer"
+                  Error:
+                    type: "string"
+                  StartedAt:
+                    description: "The time when this container was last started."
+                    type: "string"
+                  FinishedAt:
+                    description: "The time when this container last exited."
+                    type: "string"
+              Image:
+                description: "The container's image"
+                type: "string"
+              ResolvConfPath:
+                type: "string"
+              HostnamePath:
+                type: "string"
+              HostsPath:
+                type: "string"
+              LogPath:
+                type: "string"
+              Node:
+                description: "TODO"
+                type: "object"
+              Name:
+                type: "string"
+              RestartCount:
+                type: "integer"
+              Driver:
+                type: "string"
+              MountLabel:
+                type: "string"
+              ProcessLabel:
+                type: "string"
+              AppArmorProfile:
+                type: "string"
+              ExecIDs:
+                description: "IDs of exec instances that are running in the container."
+                type: "array"
+                items:
+                  type: "string"
+                x-nullable: true
+              HostConfig:
+                $ref: "#/definitions/HostConfig"
+              GraphDriver:
+                $ref: "#/definitions/GraphDriverData"
+              SizeRw:
+                description: "The size of files that have been created or changed by this container."
+                type: "integer"
+                format: "int64"
+              SizeRootFs:
+                description: "The total size of all the files in this container."
+                type: "integer"
+                format: "int64"
+              Mounts:
+                type: "array"
+                items:
+                  $ref: "#/definitions/MountPoint"
+              Config:
+                $ref: "#/definitions/ContainerConfig"
+              NetworkSettings:
+                $ref: "#/definitions/NetworkSettings"
+          examples:
+            application/json:
+              AppArmorProfile: ""
+              Args:
+                - "-c"
+                - "exit 9"
+              Config:
+                AttachStderr: true
+                AttachStdin: false
+                AttachStdout: true
+                Cmd:
+                  - "/bin/sh"
+                  - "-c"
+                  - "exit 9"
+                Domainname: ""
+                Env:
+                  - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+                Hostname: "ba033ac44011"
+                Image: "ubuntu"
+                Labels:
+                  com.example.vendor: "Acme"
+                  com.example.license: "GPL"
+                  com.example.version: "1.0"
+                MacAddress: ""
+                NetworkDisabled: false
+                OpenStdin: false
+                StdinOnce: false
+                Tty: false
+                User: ""
+                Volumes:
+                  /volumes/data: {}
+                WorkingDir: ""
+                StopSignal: "SIGTERM"
+                StopTimeout: 10
+              Created: "2015-01-06T15:47:31.485331387Z"
+              Driver: "devicemapper"
+              ExecIDs:
+                - "b35395de42bc8abd327f9dd65d913b9ba28c74d2f0734eeeae84fa1c616a0fca"
+                - "3fc1232e5cd20c8de182ed81178503dc6437f4e7ef12b52cc5e8de020652f1c4"
+              HostConfig:
+                MaximumIOps: 0
+                MaximumIOBps: 0
+                BlkioWeight: 0
+                BlkioWeightDevice:
+                  - {}
+                BlkioDeviceReadBps:
+                  - {}
+                BlkioDeviceWriteBps:
+                  - {}
+                BlkioDeviceReadIOps:
+                  - {}
+                BlkioDeviceWriteIOps:
+                  - {}
+                ContainerIDFile: ""
+                CpusetCpus: ""
+                CpusetMems: ""
+                CpuPercent: 80
+                CpuShares: 0
+                CpuPeriod: 100000
+                CpuRealtimePeriod: 1000000
+                CpuRealtimeRuntime: 10000
+                Devices: []
+                IpcMode: ""
+                LxcConf: []
+                Memory: 0
+                MemorySwap: 0
+                MemoryReservation: 0
+                KernelMemory: 0
+                OomKillDisable: false
+                OomScoreAdj: 500
+                NetworkMode: "bridge"
+                PidMode: ""
+                PortBindings: {}
+                Privileged: false
+                ReadonlyRootfs: false
+                PublishAllPorts: false
+                RestartPolicy:
+                  MaximumRetryCount: 2
+                  Name: "on-failure"
+                LogConfig:
+                  Type: "json-file"
+                Sysctls:
+                  net.ipv4.ip_forward: "1"
+                Ulimits:
+                  - {}
+                VolumeDriver: ""
+                ShmSize: 67108864
+              HostnamePath: "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hostname"
+              HostsPath: "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hosts"
+              LogPath: "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log"
+              Id: "ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39"
+              Image: "04c5d3b7b0656168630d3ba35d8889bd0e9caafcaeb3004d2bfbc47e7c5d35d2"
+              MountLabel: ""
+              Name: "/boring_euclid"
+              NetworkSettings:
+                Bridge: ""
+                SandboxID: ""
+                HairpinMode: false
+                LinkLocalIPv6Address: ""
+                LinkLocalIPv6PrefixLen: 0
+                SandboxKey: ""
+                EndpointID: ""
+                Gateway: ""
+                GlobalIPv6Address: ""
+                GlobalIPv6PrefixLen: 0
+                IPAddress: ""
+                IPPrefixLen: 0
+                IPv6Gateway: ""
+                MacAddress: ""
+                Networks:
+                  bridge:
+                    NetworkID: "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812"
+                    EndpointID: "7587b82f0dada3656fda26588aee72630c6fab1536d36e394b2bfbcf898c971d"
+                    Gateway: "172.17.0.1"
+                    IPAddress: "172.17.0.2"
+                    IPPrefixLen: 16
+                    IPv6Gateway: ""
+                    GlobalIPv6Address: ""
+                    GlobalIPv6PrefixLen: 0
+                    MacAddress: "02:42:ac:12:00:02"
+              Path: "/bin/sh"
+              ProcessLabel: ""
+              ResolvConfPath: "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/resolv.conf"
+              RestartCount: 1
+              State:
+                Error: ""
+                ExitCode: 9
+                FinishedAt: "2015-01-06T15:47:32.080254511Z"
+                OOMKilled: false
+                Dead: false
+                Paused: false
+                Pid: 0
+                Restarting: false
+                Running: true
+                StartedAt: "2015-01-06T15:47:32.072697474Z"
+                Status: "running"
+              Mounts:
+                - Name: "fac362...80535"
+                  Source: "/data"
+                  Destination: "/data"
+                  Driver: "local"
+                  Mode: "ro,Z"
+                  RW: false
+                  Propagation: ""
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "size"
+          in: "query"
+          type: "boolean"
+          default: false
+          description: "Return the size of container as fields `SizeRw` and `SizeRootFs`"
+      tags: ["Container"]
+  /containers/{id}/top:
+    get:
+      summary: "List processes running inside a container"
+      description: "On Unix systems, this is done by running the `ps` command. This endpoint is not supported on Windows."
+      operationId: "ContainerTop"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "object"
+            title: "ContainerTopResponse"
+            description: "OK response to ContainerTop operation"
+            properties:
+              Titles:
+                description: "The ps column titles"
+                type: "array"
+                items:
+                  type: "string"
+              Processes:
+                description: "Each process running in the container, where each is process is an array of values corresponding to the titles"
+                type: "array"
+                items:
+                  type: "array"
+                  items:
+                    type: "string"
+          examples:
+            application/json:
+              Titles:
+                - "UID"
+                - "PID"
+                - "PPID"
+                - "C"
+                - "STIME"
+                - "TTY"
+                - "TIME"
+                - "CMD"
+              Processes:
+                -
+                  - "root"
+                  - "13642"
+                  - "882"
+                  - "0"
+                  - "17:03"
+                  - "pts/0"
+                  - "00:00:00"
+                  - "/bin/bash"
+                -
+                  - "root"
+                  - "13735"
+                  - "13642"
+                  - "0"
+                  - "17:06"
+                  - "pts/0"
+                  - "00:00:00"
+                  - "sleep 10"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "ps_args"
+          in: "query"
+          description: "The arguments to pass to `ps`. For example, `aux`"
+          type: "string"
+          default: "-ef"
+      tags: ["Container"]
+  /containers/{id}/logs:
+    get:
+      summary: "Get container logs"
+      description: |
+        Get `stdout` and `stderr` logs from a container.
+
+        Note: This endpoint works only for containers with the `json-file` or `journald` logging driver.
+      operationId: "ContainerLogs"
+      responses:
+        101:
+          description: "logs returned as a stream"
+          schema:
+            type: "string"
+            format: "binary"
+        200:
+          description: "logs returned as a string in response body"
+          schema:
+            type: "string"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "follow"
+          in: "query"
+          description: |
+            Return the logs as a stream.
+
+            This will return a `101` HTTP response with a `Connection: upgrade` header, then hijack the HTTP connection to send raw output. For more information about hijacking and the stream format, [see the documentation for the attach endpoint](#operation/ContainerAttach).
+          type: "boolean"
+          default: false
+        - name: "stdout"
+          in: "query"
+          description: "Return logs from `stdout`"
+          type: "boolean"
+          default: false
+        - name: "stderr"
+          in: "query"
+          description: "Return logs from `stderr`"
+          type: "boolean"
+          default: false
+        - name: "since"
+          in: "query"
+          description: "Only return logs since this time, as a UNIX timestamp"
+          type: "integer"
+          default: 0
+        - name: "until"
+          in: "query"
+          description: "Only return logs before this time, as a UNIX timestamp"
+          type: "integer"
+          default: 0
+        - name: "timestamps"
+          in: "query"
+          description: "Add timestamps to every log line"
+          type: "boolean"
+          default: false
+        - name: "tail"
+          in: "query"
+          description: "Only return this number of log lines from the end of the logs. Specify as an integer or `all` to output all log lines."
+          type: "string"
+          default: "all"
+      tags: ["Container"]
+  /containers/{id}/changes:
+    get:
+      summary: "Get changes on a container’s filesystem"
+      description: |
+        Returns which files in a container's filesystem have been added, deleted,
+        or modified. The `Kind` of modification can be one of:
+
+        - `0`: Modified
+        - `1`: Added
+        - `2`: Deleted
+      operationId: "ContainerChanges"
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "The list of changes"
+          schema:
+            type: "array"
+            items:
+              type: "object"
+              x-go-name: "ContainerChangeResponseItem"
+              title: "ContainerChangeResponseItem"
+              description: "change item in response to ContainerChanges operation"
+              required: [Path, Kind]
+              properties:
+                Path:
+                  description: "Path to file that has changed"
+                  type: "string"
+                  x-nullable: false
+                Kind:
+                  description: "Kind of change"
+                  type: "integer"
+                  format: "uint8"
+                  enum: [0, 1, 2]
+                  x-nullable: false
+          examples:
+            application/json:
+              - Path: "/dev"
+                Kind: 0
+              - Path: "/dev/kmsg"
+                Kind: 1
+              - Path: "/test"
+                Kind: 1
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+      tags: ["Container"]
+  /containers/{id}/export:
+    get:
+      summary: "Export a container"
+      description: "Export the contents of a container as a tarball."
+      operationId: "ContainerExport"
+      produces:
+        - "application/octet-stream"
+      responses:
+        200:
+          description: "no error"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+      tags: ["Container"]
+  /containers/{id}/stats:
+    get:
+      summary: "Get container stats based on resource usage"
+      description: |
+        This endpoint returns a live stream of a container’s resource usage
+        statistics.
+
+        The `precpu_stats` is the CPU statistic of the *previous* read, and is
+        used to calculate the CPU usage percentage. It is not an exact copy
+        of the `cpu_stats` field.
+
+        If either `precpu_stats.online_cpus` or `cpu_stats.online_cpus` is
+        nil then for compatibility with older daemons the length of the
+        corresponding `cpu_usage.percpu_usage` array should be used.
+      operationId: "ContainerStats"
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "object"
+          examples:
+            application/json:
+              read: "2015-01-08T22:57:31.547920715Z"
+              pids_stats:
+                current: 3
+              networks:
+                eth0:
+                  rx_bytes: 5338
+                  rx_dropped: 0
+                  rx_errors: 0
+                  rx_packets: 36
+                  tx_bytes: 648
+                  tx_dropped: 0
+                  tx_errors: 0
+                  tx_packets: 8
+                eth5:
+                  rx_bytes: 4641
+                  rx_dropped: 0
+                  rx_errors: 0
+                  rx_packets: 26
+                  tx_bytes: 690
+                  tx_dropped: 0
+                  tx_errors: 0
+                  tx_packets: 9
+              memory_stats:
+                stats:
+                  total_pgmajfault: 0
+                  cache: 0
+                  mapped_file: 0
+                  total_inactive_file: 0
+                  pgpgout: 414
+                  rss: 6537216
+                  total_mapped_file: 0
+                  writeback: 0
+                  unevictable: 0
+                  pgpgin: 477
+                  total_unevictable: 0
+                  pgmajfault: 0
+                  total_rss: 6537216
+                  total_rss_huge: 6291456
+                  total_writeback: 0
+                  total_inactive_anon: 0
+                  rss_huge: 6291456
+                  hierarchical_memory_limit: 67108864
+                  total_pgfault: 964
+                  total_active_file: 0
+                  active_anon: 6537216
+                  total_active_anon: 6537216
+                  total_pgpgout: 414
+                  total_cache: 0
+                  inactive_anon: 0
+                  active_file: 0
+                  pgfault: 964
+                  inactive_file: 0
+                  total_pgpgin: 477
+                max_usage: 6651904
+                usage: 6537216
+                failcnt: 0
+                limit: 67108864
+              blkio_stats: {}
+              cpu_stats:
+                cpu_usage:
+                  percpu_usage:
+                    - 8646879
+                    - 24472255
+                    - 36438778
+                    - 30657443
+                  usage_in_usermode: 50000000
+                  total_usage: 100215355
+                  usage_in_kernelmode: 30000000
+                system_cpu_usage: 739306590000000
+                online_cpus: 4
+                throttling_data:
+                  periods: 0
+                  throttled_periods: 0
+                  throttled_time: 0
+              precpu_stats:
+                cpu_usage:
+                  percpu_usage:
+                    - 8646879
+                    - 24350896
+                    - 36438778
+                    - 30657443
+                  usage_in_usermode: 50000000
+                  total_usage: 100093996
+                  usage_in_kernelmode: 30000000
+                system_cpu_usage: 9492140000000
+                online_cpus: 4
+                throttling_data:
+                  periods: 0
+                  throttled_periods: 0
+                  throttled_time: 0
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "stream"
+          in: "query"
+          description: "Stream the output. If false, the stats will be output once and then it will disconnect."
+          type: "boolean"
+          default: true
+      tags: ["Container"]
+  /containers/{id}/resize:
+    post:
+      summary: "Resize a container TTY"
+      description: "Resize the TTY for a container. You must restart the container for the resize to take effect."
+      operationId: "ContainerResize"
+      consumes:
+        - "application/octet-stream"
+      produces:
+        - "text/plain"
+      responses:
+        200:
+          description: "no error"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "cannot resize container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "h"
+          in: "query"
+          description: "Height of the tty session in characters"
+          type: "integer"
+        - name: "w"
+          in: "query"
+          description: "Width of the tty session in characters"
+          type: "integer"
+      tags: ["Container"]
+  /containers/{id}/start:
+    post:
+      summary: "Start a container"
+      operationId: "ContainerStart"
+      responses:
+        204:
+          description: "no error"
+        304:
+          description: "container already started"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "detachKeys"
+          in: "query"
+          description: "Override the key sequence for detaching a container. Format is a single character `[a-Z]` or `ctrl-<value>` where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`."
+          type: "string"
+      tags: ["Container"]
+  /containers/{id}/stop:
+    post:
+      summary: "Stop a container"
+      operationId: "ContainerStop"
+      responses:
+        204:
+          description: "no error"
+        304:
+          description: "container already stopped"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "t"
+          in: "query"
+          description: "Number of seconds to wait before killing the container"
+          type: "integer"
+      tags: ["Container"]
+  /containers/{id}/restart:
+    post:
+      summary: "Restart a container"
+      operationId: "ContainerRestart"
+      responses:
+        204:
+          description: "no error"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "t"
+          in: "query"
+          description: "Number of seconds to wait before killing the container"
+          type: "integer"
+      tags: ["Container"]
+  /containers/{id}/kill:
+    post:
+      summary: "Kill a container"
+      description: "Send a POSIX signal to a container, defaulting to killing to the container."
+      operationId: "ContainerKill"
+      responses:
+        204:
+          description: "no error"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        409:
+          description: "container is not running"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "Container d37cde0fe4ad63c3a7252023b2f9800282894247d145cb5933ddf6e52cc03a28 is not running"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "signal"
+          in: "query"
+          description: "Signal to send to the container as an integer or string (e.g. `SIGINT`)"
+          type: "string"
+          default: "SIGKILL"
+      tags: ["Container"]
+  /containers/{id}/update:
+    post:
+      summary: "Update a container"
+      description: "Change various configuration options of a container without having to recreate it."
+      operationId: "ContainerUpdate"
+      consumes: ["application/json"]
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "The container has been updated."
+          schema:
+            type: "object"
+            title: "ContainerUpdateResponse"
+            description: "OK response to ContainerUpdate operation"
+            properties:
+              Warnings:
+                type: "array"
+                items:
+                  type: "string"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "update"
+          in: "body"
+          required: true
+          schema:
+            allOf:
+              - $ref: "#/definitions/Resources"
+              - type: "object"
+                properties:
+                  RestartPolicy:
+                    $ref: "#/definitions/RestartPolicy"
+            example:
+              BlkioWeight: 300
+              CpuShares: 512
+              CpuPeriod: 100000
+              CpuQuota: 50000
+              CpuRealtimePeriod: 1000000
+              CpuRealtimeRuntime: 10000
+              CpusetCpus: "0,1"
+              CpusetMems: "0"
+              Memory: 314572800
+              MemorySwap: 514288000
+              MemoryReservation: 209715200
+              KernelMemory: 52428800
+              RestartPolicy:
+                MaximumRetryCount: 4
+                Name: "on-failure"
+      tags: ["Container"]
+  /containers/{id}/rename:
+    post:
+      summary: "Rename a container"
+      operationId: "ContainerRename"
+      responses:
+        204:
+          description: "no error"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        409:
+          description: "name already in use"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "name"
+          in: "query"
+          required: true
+          description: "New name for the container"
+          type: "string"
+      tags: ["Container"]
+  /containers/{id}/pause:
+    post:
+      summary: "Pause a container"
+      description: |
+        Use the cgroups freezer to suspend all processes in a container.
+
+        Traditionally, when suspending a process the `SIGSTOP` signal is used, which is observable by the process being suspended. With the cgroups freezer the process is unaware, and unable to capture, that it is being suspended, and subsequently resumed.
+      operationId: "ContainerPause"
+      responses:
+        204:
+          description: "no error"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+      tags: ["Container"]
+  /containers/{id}/unpause:
+    post:
+      summary: "Unpause a container"
+      description: "Resume a container which has been paused."
+      operationId: "ContainerUnpause"
+      responses:
+        204:
+          description: "no error"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+      tags: ["Container"]
+  /containers/{id}/attach:
+    post:
+      summary: "Attach to a container"
+      description: |
+        Attach to a container to read its output or send it input. You can attach to the same container multiple times and you can reattach to containers that have been detached.
+
+        Either the `stream` or `logs` parameter must be `true` for this endpoint to do anything.
+
+        See [the documentation for the `docker attach` command](https://docs.docker.com/engine/reference/commandline/attach/) for more details.
+
+        ### Hijacking
+
+        This endpoint hijacks the HTTP connection to transport `stdin`, `stdout`, and `stderr` on the same socket.
+
+        This is the response from the daemon for an attach request:
+
+        ```
+        HTTP/1.1 200 OK
+        Content-Type: application/vnd.docker.raw-stream
+
+        [STREAM]
+        ```
+
+        After the headers and two new lines, the TCP connection can now be used for raw, bidirectional communication between the client and server.
+
+        To hint potential proxies about connection hijacking, the Docker client can also optionally send connection upgrade headers.
+
+        For example, the client sends this request to upgrade the connection:
+
+        ```
+        POST /containers/16253994b7c4/attach?stream=1&stdout=1 HTTP/1.1
+        Upgrade: tcp
+        Connection: Upgrade
+        ```
+
+        The Docker daemon will respond with a `101 UPGRADED` response, and will similarly follow with the raw stream:
+
+        ```
+        HTTP/1.1 101 UPGRADED
+        Content-Type: application/vnd.docker.raw-stream
+        Connection: Upgrade
+        Upgrade: tcp
+
+        [STREAM]
+        ```
+
+        ### Stream format
+
+        When the TTY setting is disabled in [`POST /containers/create`](#operation/ContainerCreate), the stream over the hijacked connected is multiplexed to separate out `stdout` and `stderr`. The stream consists of a series of frames, each containing a header and a payload.
+
+        The header contains the information which the stream writes (`stdout` or `stderr`). It also contains the size of the associated frame encoded in the last four bytes (`uint32`).
+
+        It is encoded on the first eight bytes like this:
+
+        ```go
+        header := [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}
+        ```
+
+        `STREAM_TYPE` can be:
+
+        - 0: `stdin` (is written on `stdout`)
+        - 1: `stdout`
+        - 2: `stderr`
+
+        `SIZE1, SIZE2, SIZE3, SIZE4` are the four bytes of the `uint32` size encoded as big endian.
+
+        Following the header is the payload, which is the specified number of bytes of `STREAM_TYPE`.
+
+        The simplest way to implement this protocol is the following:
+
+        1. Read 8 bytes.
+        2. Choose `stdout` or `stderr` depending on the first byte.
+        3. Extract the frame size from the last four bytes.
+        4. Read the extracted size and output it on the correct output.
+        5. Goto 1.
+
+        ### Stream format when using a TTY
+
+        When the TTY setting is enabled in [`POST /containers/create`](#operation/ContainerCreate), the stream is not multiplexed. The data exchanged over the hijacked connection is simply the raw data from the process PTY and client's `stdin`.
+
+      operationId: "ContainerAttach"
+      produces:
+        - "application/vnd.docker.raw-stream"
+      responses:
+        101:
+          description: "no error, hints proxy about hijacking"
+        200:
+          description: "no error, no upgrade header found"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "detachKeys"
+          in: "query"
+          description: "Override the key sequence for detaching a container.Format is a single character `[a-Z]` or `ctrl-<value>` where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`."
+          type: "string"
+        - name: "logs"
+          in: "query"
+          description: |
+            Replay previous logs from the container.
+
+            This is useful for attaching to a container that has started and you want to output everything since the container started.
+
+            If `stream` is also enabled, once all the previous output has been returned, it will seamlessly transition into streaming current output.
+          type: "boolean"
+          default: false
+        - name: "stream"
+          in: "query"
+          description: "Stream attached streams from the time the request was made onwards"
+          type: "boolean"
+          default: false
+        - name: "stdin"
+          in: "query"
+          description: "Attach to `stdin`"
+          type: "boolean"
+          default: false
+        - name: "stdout"
+          in: "query"
+          description: "Attach to `stdout`"
+          type: "boolean"
+          default: false
+        - name: "stderr"
+          in: "query"
+          description: "Attach to `stderr`"
+          type: "boolean"
+          default: false
+      tags: ["Container"]
+  /containers/{id}/attach/ws:
+    get:
+      summary: "Attach to a container via a websocket"
+      operationId: "ContainerAttachWebsocket"
+      responses:
+        101:
+          description: "no error, hints proxy about hijacking"
+        200:
+          description: "no error, no upgrade header found"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "detachKeys"
+          in: "query"
+          description: "Override the key sequence for detaching a container.Format is a single character `[a-Z]` or `ctrl-<value>` where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,`, or `_`."
+          type: "string"
+        - name: "logs"
+          in: "query"
+          description: "Return logs"
+          type: "boolean"
+          default: false
+        - name: "stream"
+          in: "query"
+          description: "Return stream"
+          type: "boolean"
+          default: false
+        - name: "stdin"
+          in: "query"
+          description: "Attach to `stdin`"
+          type: "boolean"
+          default: false
+        - name: "stdout"
+          in: "query"
+          description: "Attach to `stdout`"
+          type: "boolean"
+          default: false
+        - name: "stderr"
+          in: "query"
+          description: "Attach to `stderr`"
+          type: "boolean"
+          default: false
+      tags: ["Container"]
+  /containers/{id}/wait:
+    post:
+      summary: "Wait for a container"
+      description: "Block until a container stops, then returns the exit code."
+      operationId: "ContainerWait"
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "The container has exit."
+          schema:
+            type: "object"
+            title: "ContainerWaitResponse"
+            description: "OK response to ContainerWait operation"
+            required: [StatusCode]
+            properties:
+              StatusCode:
+                description: "Exit code of the container"
+                type: "integer"
+                x-nullable: false
+              Error:
+                description: "container waiting error, if any"
+                type: "object"
+                properties:
+                  Message:
+                    description: "Details of an error"
+                    type: "string"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "condition"
+          in: "query"
+          description: "Wait until a container state reaches the given condition, either 'not-running' (default), 'next-exit', or 'removed'."
+          type: "string"
+          default: "not-running"
+      tags: ["Container"]
+  /containers/{id}:
+    delete:
+      summary: "Remove a container"
+      operationId: "ContainerDelete"
+      responses:
+        204:
+          description: "no error"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        409:
+          description: "conflict"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "You cannot remove a running container: c2ada9df5af8. Stop the container before attempting removal or force remove"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "v"
+          in: "query"
+          description: "Remove the volumes associated with the container."
+          type: "boolean"
+          default: false
+        - name: "force"
+          in: "query"
+          description: "If the container is running, kill it before removing it."
+          type: "boolean"
+          default: false
+        - name: "link"
+          in: "query"
+          description: "Remove the specified link associated with the container."
+          type: "boolean"
+          default: false
+      tags: ["Container"]
+  /containers/{id}/archive:
+    head:
+      summary: "Get information about files in a container"
+      description: "A response header `X-Docker-Container-Path-Stat` is return containing a base64 - encoded JSON object with some filesystem header information about the path."
+      operationId: "ContainerArchiveInfo"
+      responses:
+        200:
+          description: "no error"
+          headers:
+            X-Docker-Container-Path-Stat:
+              type: "string"
+              description: "TODO"
+        400:
+          description: "Bad parameter"
+          schema:
+            allOf:
+              - $ref: "#/definitions/ErrorResponse"
+              - type: "object"
+                properties:
+                  message:
+                    description: "The error message. Either \"must specify path parameter\" (path cannot be empty) or \"not a directory\" (path was asserted to be a directory but exists as a file)."
+                    type: "string"
+                    x-nullable: false
+        404:
+          description: "Container or path does not exist"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "path"
+          in: "query"
+          required: true
+          description: "Resource in the container’s filesystem to archive."
+          type: "string"
+      tags: ["Container"]
+    get:
+      summary: "Get an archive of a filesystem resource in a container"
+      description: "Get a tar archive of a resource in the filesystem of container id."
+      operationId: "ContainerArchive"
+      produces: ["application/x-tar"]
+      responses:
+        200:
+          description: "no error"
+        400:
+          description: "Bad parameter"
+          schema:
+            allOf:
+              - $ref: "#/definitions/ErrorResponse"
+              - type: "object"
+                properties:
+                  message:
+                    description: "The error message. Either \"must specify path parameter\" (path cannot be empty) or \"not a directory\" (path was asserted to be a directory but exists as a file)."
+                    type: "string"
+                    x-nullable: false
+        404:
+          description: "Container or path does not exist"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "path"
+          in: "query"
+          required: true
+          description: "Resource in the container’s filesystem to archive."
+          type: "string"
+      tags: ["Container"]
+    put:
+      summary: "Extract an archive of files or folders to a directory in a container"
+      description: "Upload a tar archive to be extracted to a path in the filesystem of container id."
+      operationId: "PutContainerArchive"
+      consumes: ["application/x-tar", "application/octet-stream"]
+      responses:
+        200:
+          description: "The content was extracted successfully"
+        400:
+          description: "Bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        403:
+          description: "Permission denied, the volume or container rootfs is marked as read-only."
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "No such container or path does not exist inside the container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the container"
+          type: "string"
+        - name: "path"
+          in: "query"
+          required: true
+          description: "Path to a directory in the container to extract the archive’s contents into. "
+          type: "string"
+        - name: "noOverwriteDirNonDir"
+          in: "query"
+          description: "If “1”, “true”, or “True” then it will be an error if unpacking the given content would cause an existing directory to be replaced with a non-directory and vice versa."
+          type: "string"
+        - name: "inputStream"
+          in: "body"
+          required: true
+          description: "The input stream must be a tar archive compressed with one of the following algorithms: identity (no compression), gzip, bzip2, xz."
+          schema:
+            type: "string"
+      tags: ["Container"]
+  /containers/prune:
+    post:
+      summary: "Delete stopped containers"
+      produces:
+        - "application/json"
+      operationId: "ContainerPrune"
+      parameters:
+        - name: "filters"
+          in: "query"
+          description: |
+            Filters to process on the prune list, encoded as JSON (a `map[string][]string`).
+
+            Available filters:
+            - `until=<timestamp>` Prune containers created before this timestamp. The `<timestamp>` can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed relative to the daemon machine’s time.
+            - `label` (`label=<key>`, `label=<key>=<value>`, `label!=<key>`, or `label!=<key>=<value>`) Prune containers with (or without, in case `label!=...` is used) the specified labels.
+          type: "string"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            type: "object"
+            title: "ContainerPruneResponse"
+            properties:
+              ContainersDeleted:
+                description: "Container IDs that were deleted"
+                type: "array"
+                items:
+                  type: "string"
+              SpaceReclaimed:
+                description: "Disk space reclaimed in bytes"
+                type: "integer"
+                format: "int64"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Container"]
+  /images/json:
+    get:
+      summary: "List Images"
+      description: "Returns a list of images on the server. Note that it uses a different, smaller representation of an image than inspecting a single image."
+      operationId: "ImageList"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "Summary image data for the images matching the query"
+          schema:
+            type: "array"
+            items:
+              $ref: "#/definitions/ImageSummary"
+          examples:
+            application/json:
+              - Id: "sha256:e216a057b1cb1efc11f8a268f37ef62083e70b1b38323ba252e25ac88904a7e8"
+                ParentId: ""
+                RepoTags:
+                  - "ubuntu:12.04"
+                  - "ubuntu:precise"
+                RepoDigests:
+                  - "ubuntu@sha256:992069aee4016783df6345315302fa59681aae51a8eeb2f889dea59290f21787"
+                Created: 1474925151
+                Size: 103579269
+                VirtualSize: 103579269
+                SharedSize: 0
+                Labels: {}
+                Containers: 2
+              - Id: "sha256:3e314f95dcace0f5e4fd37b10862fe8398e3c60ed36600bc0ca5fda78b087175"
+                ParentId: ""
+                RepoTags:
+                  - "ubuntu:12.10"
+                  - "ubuntu:quantal"
+                RepoDigests:
+                  - "ubuntu@sha256:002fba3e3255af10be97ea26e476692a7ebed0bb074a9ab960b2e7a1526b15d7"
+                  - "ubuntu@sha256:68ea0200f0b90df725d99d823905b04cf844f6039ef60c60bf3e019915017bd3"
+                Created: 1403128455
+                Size: 172064416
+                VirtualSize: 172064416
+                SharedSize: 0
+                Labels: {}
+                Containers: 5
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "all"
+          in: "query"
+          description: "Show all images. Only images from a final layer (no children) are shown by default."
+          type: "boolean"
+          default: false
+        - name: "filters"
+          in: "query"
+          description: |
+            A JSON encoded value of the filters (a `map[string][]string`) to process on the images list. Available filters:
+
+            - `before`=(`<image-name>[:<tag>]`,  `<image id>` or `<image@digest>`)
+            - `dangling=true`
+            - `label=key` or `label="key=value"` of an image label
+            - `reference`=(`<image-name>[:<tag>]`)
+            - `since`=(`<image-name>[:<tag>]`,  `<image id>` or `<image@digest>`)
+          type: "string"
+        - name: "digests"
+          in: "query"
+          description: "Show digest information as a `RepoDigests` field on each image."
+          type: "boolean"
+          default: false
+      tags: ["Image"]
+  /build:
+    post:
+      summary: "Build an image"
+      description: |
+        Build an image from a tar archive with a `Dockerfile` in it.
+
+        The `Dockerfile` specifies how the image is built from the tar archive. It is typically in the archive's root, but can be at a different path or have a different name by specifying the `dockerfile` parameter. [See the `Dockerfile` reference for more information](https://docs.docker.com/engine/reference/builder/).
+
+        The Docker daemon performs a preliminary validation of the `Dockerfile` before starting the build, and returns an error if the syntax is incorrect. After that, each instruction is run one-by-one until the ID of the new image is output.
+
+        The build is canceled if the client drops the connection by quitting or being killed.
+      operationId: "ImageBuild"
+      consumes:
+        - "application/octet-stream"
+      produces:
+        - "application/json"
+      parameters:
+        - name: "inputStream"
+          in: "body"
+          description: "A tar archive compressed with one of the following algorithms: identity (no compression), gzip, bzip2, xz."
+          schema:
+            type: "string"
+            format: "binary"
+        - name: "dockerfile"
+          in: "query"
+          description: "Path within the build context to the `Dockerfile`. This is ignored if `remote` is specified and points to an external `Dockerfile`."
+          type: "string"
+          default: "Dockerfile"
+        - name: "t"
+          in: "query"
+          description: "A name and optional tag to apply to the image in the `name:tag` format. If you omit the tag the default `latest` value is assumed. You can provide several `t` parameters."
+          type: "string"
+        - name: "extrahosts"
+          in: "query"
+          description: "Extra hosts to add to /etc/hosts"
+          type: "string"
+        - name: "remote"
+          in: "query"
+          description: "A Git repository URI or HTTP/HTTPS context URI. If the URI points to a single text file, the file’s contents are placed into a file called `Dockerfile` and the image is built from that file. If the URI points to a tarball, the file is downloaded by the daemon and the contents therein used as the context for the build. If the URI points to a tarball and the `dockerfile` parameter is also specified, there must be a file with the corresponding path inside the tarball."
+          type: "string"
+        - name: "q"
+          in: "query"
+          description: "Suppress verbose build output."
+          type: "boolean"
+          default: false
+        - name: "nocache"
+          in: "query"
+          description: "Do not use the cache when building the image."
+          type: "boolean"
+          default: false
+        - name: "cachefrom"
+          in: "query"
+          description: "JSON array of images used for build cache resolution."
+          type: "string"
+        - name: "pull"
+          in: "query"
+          description: "Attempt to pull the image even if an older image exists locally."
+          type: "string"
+        - name: "rm"
+          in: "query"
+          description: "Remove intermediate containers after a successful build."
+          type: "boolean"
+          default: true
+        - name: "forcerm"
+          in: "query"
+          description: "Always remove intermediate containers, even upon failure."
+          type: "boolean"
+          default: false
+        - name: "memory"
+          in: "query"
+          description: "Set memory limit for build."
+          type: "integer"
+        - name: "memswap"
+          in: "query"
+          description: "Total memory (memory + swap). Set as `-1` to disable swap."
+          type: "integer"
+        - name: "cpushares"
+          in: "query"
+          description: "CPU shares (relative weight)."
+          type: "integer"
+        - name: "cpusetcpus"
+          in: "query"
+          description: "CPUs in which to allow execution (e.g., `0-3`, `0,1`)."
+          type: "string"
+        - name: "cpuperiod"
+          in: "query"
+          description: "The length of a CPU period in microseconds."
+          type: "integer"
+        - name: "cpuquota"
+          in: "query"
+          description: "Microseconds of CPU time that the container can get in a CPU period."
+          type: "integer"
+        - name: "buildargs"
+          in: "query"
+          description: >
+            JSON map of string pairs for build-time variables. Users pass these values at build-time. Docker
+            uses the buildargs as the environment context for commands run via the `Dockerfile` RUN
+            instruction, or for variable expansion in other `Dockerfile` instructions. This is not meant for
+            passing secret values.
+
+
+            For example, the build arg `FOO=bar` would become `{"FOO":"bar"}` in JSON. This would result in the
+            the query parameter `buildargs={"FOO":"bar"}`. Note that `{"FOO":"bar"}` should be URI component encoded.
+
+
+            [Read more about the buildargs instruction.](https://docs.docker.com/engine/reference/builder/#arg)
+          type: "string"
+        - name: "shmsize"
+          in: "query"
+          description: "Size of `/dev/shm` in bytes. The size must be greater than 0. If omitted the system uses 64MB."
+          type: "integer"
+        - name: "squash"
+          in: "query"
+          description: "Squash the resulting images layers into a single layer. *(Experimental release only.)*"
+          type: "boolean"
+        - name: "labels"
+          in: "query"
+          description: "Arbitrary key/value labels to set on the image, as a JSON map of string pairs."
+          type: "string"
+        - name: "networkmode"
+          in: "query"
+          description: "Sets the networking mode for the run commands during
+        build. Supported standard values are: `bridge`, `host`, `none`, and
+        `container:<name|id>`. Any other value is taken as a custom network's
+        name to which this container should connect to."
+          type: "string"
+        - name: "Content-type"
+          in: "header"
+          type: "string"
+          enum:
+            - "application/x-tar"
+          default: "application/x-tar"
+        - name: "X-Registry-Config"
+          in: "header"
+          description: |
+            This is a base64-encoded JSON object with auth configurations for multiple registries that a build may refer to.
+
+            The key is a registry URL, and the value is an auth configuration object, [as described in the authentication section](#section/Authentication). For example:
+
+            ```
+            {
+              "docker.example.com": {
+                "username": "janedoe",
+                "password": "hunter2"
+              },
+              "https://index.docker.io/v1/": {
+                "username": "mobydock",
+                "password": "conta1n3rize14"
+              }
+            }
+            ```
+
+            Only the registry domain name (and port if not the default 443) are required. However, for legacy reasons, the Docker Hub registry must be specified with both a `https://` prefix and a `/v1/` suffix even though Docker will prefer to use the v2 registry API.
+          type: "string"
+        - name: "platform"
+          in: "query"
+          description: "Platform in the format os[/arch[/variant]]"
+          type: "string"
+          default: ""
+        - name: "target"
+          in: "query"
+          description: "Target build stage"
+          type: "string"
+          default: ""
+      responses:
+        200:
+          description: "no error"
+        400:
+          description: "Bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Image"]
+  /build/prune:
+    post:
+      summary: "Delete builder cache"
+      produces:
+        - "application/json"
+      operationId: "BuildPrune"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            type: "object"
+            title: "BuildPruneResponse"
+            properties:
+              SpaceReclaimed:
+                description: "Disk space reclaimed in bytes"
+                type: "integer"
+                format: "int64"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Image"]
+  /images/create:
+    post:
+      summary: "Create an image"
+      description: "Create an image by either pulling it from a registry or importing it."
+      operationId: "ImageCreate"
+      consumes:
+        - "text/plain"
+        - "application/octet-stream"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+        404:
+          description: "repository does not exist or no read access"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "fromImage"
+          in: "query"
+          description: "Name of the image to pull. The name may include a tag or digest. This parameter may only be used when pulling an image. The pull is cancelled if the HTTP connection is closed."
+          type: "string"
+        - name: "fromSrc"
+          in: "query"
+          description: "Source to import. The value may be a URL from which the image can be retrieved or `-` to read the image from the request body. This parameter may only be used when importing an image."
+          type: "string"
+        - name: "repo"
+          in: "query"
+          description: "Repository name given to an image when it is imported. The repo may include a tag. This parameter may only be used when importing an image."
+          type: "string"
+        - name: "tag"
+          in: "query"
+          description: "Tag or digest. If empty when pulling an image, this causes all tags for the given image to be pulled."
+          type: "string"
+        - name: "inputImage"
+          in: "body"
+          description: "Image content if the value `-` has been specified in fromSrc query parameter"
+          schema:
+            type: "string"
+          required: false
+        - name: "X-Registry-Auth"
+          in: "header"
+          description: "A base64-encoded auth configuration. [See the authentication section for details.](#section/Authentication)"
+          type: "string"
+        - name: "platform"
+          in: "query"
+          description: "Platform in the format os[/arch[/variant]]"
+          type: "string"
+          default: ""
+      tags: ["Image"]
+  /images/{name}/json:
+    get:
+      summary: "Inspect an image"
+      description: "Return low-level information about an image."
+      operationId: "ImageInspect"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            $ref: "#/definitions/Image"
+          examples:
+            application/json:
+              Id: "sha256:85f05633ddc1c50679be2b16a0479ab6f7637f8884e0cfe0f4d20e1ebb3d6e7c"
+              Container: "cb91e48a60d01f1e27028b4fc6819f4f290b3cf12496c8176ec714d0d390984a"
+              Comment: ""
+              Os: "linux"
+              Architecture: "amd64"
+              Parent: "sha256:91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c"
+              ContainerConfig:
+                Tty: false
+                Hostname: "e611e15f9c9d"
+                Domainname: ""
+                AttachStdout: false
+                PublishService: ""
+                AttachStdin: false
+                OpenStdin: false
+                StdinOnce: false
+                NetworkDisabled: false
+                OnBuild: []
+                Image: "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c"
+                User: ""
+                WorkingDir: ""
+                MacAddress: ""
+                AttachStderr: false
+                Labels:
+                  com.example.license: "GPL"
+                  com.example.version: "1.0"
+                  com.example.vendor: "Acme"
+                Env:
+                  - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+                Cmd:
+                  - "/bin/sh"
+                  - "-c"
+                  - "#(nop) LABEL com.example.vendor=Acme com.example.license=GPL com.example.version=1.0"
+              DockerVersion: "1.9.0-dev"
+              VirtualSize: 188359297
+              Size: 0
+              Author: ""
+              Created: "2015-09-10T08:30:53.26995814Z"
+              GraphDriver:
+                Name: "aufs"
+                Data: {}
+              RepoDigests:
+                - "localhost:5000/test/busybox/example@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+              RepoTags:
+                - "example:1.0"
+                - "example:latest"
+                - "example:stable"
+              Config:
+                Image: "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c"
+                NetworkDisabled: false
+                OnBuild: []
+                StdinOnce: false
+                PublishService: ""
+                AttachStdin: false
+                OpenStdin: false
+                Domainname: ""
+                AttachStdout: false
+                Tty: false
+                Hostname: "e611e15f9c9d"
+                Cmd:
+                  - "/bin/bash"
+                Env:
+                  - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+                Labels:
+                  com.example.vendor: "Acme"
+                  com.example.version: "1.0"
+                  com.example.license: "GPL"
+                MacAddress: ""
+                AttachStderr: false
+                WorkingDir: ""
+                User: ""
+              RootFS:
+                Type: "layers"
+                Layers:
+                  - "sha256:1834950e52ce4d5a88a1bbd131c537f4d0e56d10ff0dd69e66be3b7dfa9df7e6"
+                  - "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
+        404:
+          description: "No such image"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such image: someimage (tag: latest)"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "Image name or id"
+          type: "string"
+          required: true
+      tags: ["Image"]
+  /images/{name}/history:
+    get:
+      summary: "Get the history of an image"
+      description: "Return parent layers of an image."
+      operationId: "ImageHistory"
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "List of image layers"
+          schema:
+            type: "array"
+            items:
+              type: "object"
+              x-go-name: HistoryResponseItem
+              title: "HistoryResponseItem"
+              description: "individual image layer information in response to ImageHistory operation"
+              required: [Id, Created, CreatedBy, Tags, Size, Comment]
+              properties:
+                Id:
+                  type: "string"
+                  x-nullable: false
+                Created:
+                  type: "integer"
+                  format: "int64"
+                  x-nullable: false
+                CreatedBy:
+                  type: "string"
+                  x-nullable: false
+                Tags:
+                  type: "array"
+                  items:
+                    type: "string"
+                Size:
+                  type: "integer"
+                  format: "int64"
+                  x-nullable: false
+                Comment:
+                  type: "string"
+                  x-nullable: false
+          examples:
+            application/json:
+              - Id: "3db9c44f45209632d6050b35958829c3a2aa256d81b9a7be45b362ff85c54710"
+                Created: 1398108230
+                CreatedBy: "/bin/sh -c #(nop) ADD file:eb15dbd63394e063b805a3c32ca7bf0266ef64676d5a6fab4801f2e81e2a5148 in /"
+                Tags:
+                  - "ubuntu:lucid"
+                  - "ubuntu:10.04"
+                Size: 182964289
+                Comment: ""
+              - Id: "6cfa4d1f33fb861d4d114f43b25abd0ac737509268065cdfd69d544a59c85ab8"
+                Created: 1398108222
+                CreatedBy: "/bin/sh -c #(nop) MAINTAINER Tianon Gravi <admwiggin@gmail.com> - mkimage-debootstrap.sh -i iproute,iputils-ping,ubuntu-minimal -t lucid.tar.xz lucid http://archive.ubuntu.com/ubuntu/"
+                Tags: []
+                Size: 0
+                Comment: ""
+              - Id: "511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158"
+                Created: 1371157430
+                CreatedBy: ""
+                Tags:
+                  - "scratch12:latest"
+                  - "scratch:latest"
+                Size: 0
+                Comment: "Imported from -"
+        404:
+          description: "No such image"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "Image name or ID"
+          type: "string"
+          required: true
+      tags: ["Image"]
+  /images/{name}/push:
+    post:
+      summary: "Push an image"
+      description: |
+        Push an image to a registry.
+
+        If you wish to push an image on to a private registry, that image must already have a tag which references the registry. For example, `registry.example.com/myimage:latest`.
+
+        The push is cancelled if the HTTP connection is closed.
+      operationId: "ImagePush"
+      consumes:
+        - "application/octet-stream"
+      responses:
+        200:
+          description: "No error"
+        404:
+          description: "No such image"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "Image name or ID."
+          type: "string"
+          required: true
+        - name: "tag"
+          in: "query"
+          description: "The tag to associate with the image on the registry."
+          type: "string"
+        - name: "X-Registry-Auth"
+          in: "header"
+          description: "A base64-encoded auth configuration. [See the authentication section for details.](#section/Authentication)"
+          type: "string"
+          required: true
+      tags: ["Image"]
+  /images/{name}/tag:
+    post:
+      summary: "Tag an image"
+      description: "Tag an image so that it becomes part of a repository."
+      operationId: "ImageTag"
+      responses:
+        201:
+          description: "No error"
+        400:
+          description: "Bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "No such image"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        409:
+          description: "Conflict"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "Image name or ID to tag."
+          type: "string"
+          required: true
+        - name: "repo"
+          in: "query"
+          description: "The repository to tag in. For example, `someuser/someimage`."
+          type: "string"
+        - name: "tag"
+          in: "query"
+          description: "The name of the new tag."
+          type: "string"
+      tags: ["Image"]
+  /images/{name}:
+    delete:
+      summary: "Remove an image"
+      description: |
+        Remove an image, along with any untagged parent images that were
+        referenced by that image.
+
+        Images can't be removed if they have descendant images, are being
+        used by a running container or are being used by a build.
+      operationId: "ImageDelete"
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "The image was deleted successfully"
+          schema:
+            type: "array"
+            items:
+              $ref: "#/definitions/ImageDeleteResponseItem"
+          examples:
+            application/json:
+              - Untagged: "3e2f21a89f"
+              - Deleted: "3e2f21a89f"
+              - Deleted: "53b4f83ac9"
+        404:
+          description: "No such image"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        409:
+          description: "Conflict"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "Image name or ID"
+          type: "string"
+          required: true
+        - name: "force"
+          in: "query"
+          description: "Remove the image even if it is being used by stopped containers or has other tags"
+          type: "boolean"
+          default: false
+        - name: "noprune"
+          in: "query"
+          description: "Do not delete untagged parent images"
+          type: "boolean"
+          default: false
+      tags: ["Image"]
+  /images/search:
+    get:
+      summary: "Search images"
+      description: "Search for an image on Docker Hub."
+      operationId: "ImageSearch"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            type: "array"
+            items:
+              type: "object"
+              title: "ImageSearchResponseItem"
+              properties:
+                description:
+                  type: "string"
+                is_official:
+                  type: "boolean"
+                is_automated:
+                  type: "boolean"
+                name:
+                  type: "string"
+                star_count:
+                  type: "integer"
+          examples:
+            application/json:
+              - description: ""
+                is_official: false
+                is_automated: false
+                name: "wma55/u1210sshd"
+                star_count: 0
+              - description: ""
+                is_official: false
+                is_automated: false
+                name: "jdswinbank/sshd"
+                star_count: 0
+              - description: ""
+                is_official: false
+                is_automated: false
+                name: "vgauthier/sshd"
+                star_count: 0
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "term"
+          in: "query"
+          description: "Term to search"
+          type: "string"
+          required: true
+        - name: "limit"
+          in: "query"
+          description: "Maximum number of results to return"
+          type: "integer"
+        - name: "filters"
+          in: "query"
+          description: |
+            A JSON encoded value of the filters (a `map[string][]string`) to process on the images list. Available filters:
+
+            - `is-automated=(true|false)`
+            - `is-official=(true|false)`
+            - `stars=<number>` Matches images that has at least 'number' stars.
+          type: "string"
+      tags: ["Image"]
+  /images/prune:
+    post:
+      summary: "Delete unused images"
+      produces:
+        - "application/json"
+      operationId: "ImagePrune"
+      parameters:
+        - name: "filters"
+          in: "query"
+          description: |
+            Filters to process on the prune list, encoded as JSON (a `map[string][]string`). Available filters:
+
+            - `dangling=<boolean>` When set to `true` (or `1`), prune only
+               unused *and* untagged images. When set to `false`
+               (or `0`), all unused images are pruned.
+            - `until=<string>` Prune images created before this timestamp. The `<timestamp>` can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed relative to the daemon machine’s time.
+            - `label` (`label=<key>`, `label=<key>=<value>`, `label!=<key>`, or `label!=<key>=<value>`) Prune images with (or without, in case `label!=...` is used) the specified labels.
+          type: "string"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            type: "object"
+            title: "ImagePruneResponse"
+            properties:
+              ImagesDeleted:
+                description: "Images that were deleted"
+                type: "array"
+                items:
+                  $ref: "#/definitions/ImageDeleteResponseItem"
+              SpaceReclaimed:
+                description: "Disk space reclaimed in bytes"
+                type: "integer"
+                format: "int64"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Image"]
+  /auth:
+    post:
+      summary: "Check auth configuration"
+      description: "Validate credentials for a registry and, if available, get an identity token for accessing the registry without password."
+      operationId: "SystemAuth"
+      consumes: ["application/json"]
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "An identity token was generated successfully."
+          schema:
+            type: "object"
+            title: "SystemAuthResponse"
+            required: [Status]
+            properties:
+              Status:
+                description: "The status of the authentication"
+                type: "string"
+                x-nullable: false
+              IdentityToken:
+                description: "An opaque token used to authenticate a user after a successful login"
+                type: "string"
+                x-nullable: false
+          examples:
+            application/json:
+              Status: "Login Succeeded"
+              IdentityToken: "9cbaf023786cd7..."
+        204:
+          description: "No error"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "authConfig"
+          in: "body"
+          description: "Authentication to check"
+          schema:
+            $ref: "#/definitions/AuthConfig"
+      tags: ["System"]
+  /info:
+    get:
+      summary: "Get system information"
+      operationId: "SystemInfo"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            $ref: "#/definitions/SystemInfo"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["System"]
+  /version:
+    get:
+      summary: "Get version"
+      description: "Returns the version of Docker that is running and various information about the system that Docker is running on."
+      operationId: "SystemVersion"
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "object"
+            title: "SystemVersionResponse"
+            properties:
+              Platform:
+                type: "object"
+                required: [Name]
+                properties:
+                  Name:
+                    type: "string"
+              Components:
+                type: "array"
+                items:
+                  type: "object"
+                  x-go-name: ComponentVersion
+                  required: [Name, Version]
+                  properties:
+                    Name:
+                      type: "string"
+                    Version:
+                      type: "string"
+                      x-nullable: false
+                    Details:
+                      type: "object"
+                      x-nullable: true
+
+              Version:
+                type: "string"
+              ApiVersion:
+                type: "string"
+              MinAPIVersion:
+                type: "string"
+              GitCommit:
+                type: "string"
+              GoVersion:
+                type: "string"
+              Os:
+                type: "string"
+              Arch:
+                type: "string"
+              KernelVersion:
+                type: "string"
+              Experimental:
+                type: "boolean"
+              BuildTime:
+                type: "string"
+          examples:
+            application/json:
+              Version: "17.04.0"
+              Os: "linux"
+              KernelVersion: "3.19.0-23-generic"
+              GoVersion: "go1.7.5"
+              GitCommit: "deadbee"
+              Arch: "amd64"
+              ApiVersion: "1.27"
+              MinAPIVersion: "1.12"
+              BuildTime: "2016-06-14T07:09:13.444803460+00:00"
+              Experimental: true
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["System"]
+  /_ping:
+    get:
+      summary: "Ping"
+      description: "This is a dummy endpoint you can use to test if the server is accessible."
+      operationId: "SystemPing"
+      produces: ["text/plain"]
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "string"
+            example: "OK"
+          headers:
+            API-Version:
+              type: "string"
+              description: "Max API Version the server supports"
+            Docker-Experimental:
+              type: "boolean"
+              description: "If the server is running with experimental mode enabled"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["System"]
+  /commit:
+    post:
+      summary: "Create a new image from a container"
+      operationId: "ImageCommit"
+      consumes:
+        - "application/json"
+      produces:
+        - "application/json"
+      responses:
+        201:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/IdResponse"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "containerConfig"
+          in: "body"
+          description: "The container configuration"
+          schema:
+            $ref: "#/definitions/ContainerConfig"
+        - name: "container"
+          in: "query"
+          description: "The ID or name of the container to commit"
+          type: "string"
+        - name: "repo"
+          in: "query"
+          description: "Repository name for the created image"
+          type: "string"
+        - name: "tag"
+          in: "query"
+          description: "Tag name for the create image"
+          type: "string"
+        - name: "comment"
+          in: "query"
+          description: "Commit message"
+          type: "string"
+        - name: "author"
+          in: "query"
+          description: "Author of the image (e.g., `John Hannibal Smith <hannibal@a-team.com>`)"
+          type: "string"
+        - name: "pause"
+          in: "query"
+          description: "Whether to pause the container before committing"
+          type: "boolean"
+          default: true
+        - name: "changes"
+          in: "query"
+          description: "`Dockerfile` instructions to apply while committing"
+          type: "string"
+      tags: ["Image"]
+  /events:
+    get:
+      summary: "Monitor events"
+      description: |
+        Stream real-time events from the server.
+
+        Various objects within Docker report events when something happens to them.
+
+        Containers report these events: `attach`, `commit`, `copy`, `create`, `destroy`, `detach`, `die`, `exec_create`, `exec_detach`, `exec_start`, `exec_die`, `export`, `health_status`, `kill`, `oom`, `pause`, `rename`, `resize`, `restart`, `start`, `stop`, `top`, `unpause`, and `update`
+
+        Images report these events: `delete`, `import`, `load`, `pull`, `push`, `save`, `tag`, and `untag`
+
+        Volumes report these events: `create`, `mount`, `unmount`, and `destroy`
+
+        Networks report these events: `create`, `connect`, `disconnect`, `destroy`, `update`, and `remove`
+
+        The Docker daemon reports these events: `reload`
+
+        Services report these events: `create`, `update`, and `remove`
+
+        Nodes report these events: `create`, `update`, and `remove`
+
+        Secrets report these events: `create`, `update`, and `remove`
+
+        Configs report these events: `create`, `update`, and `remove`
+
+      operationId: "SystemEvents"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "object"
+            title: "SystemEventsResponse"
+            properties:
+              Type:
+                description: "The type of object emitting the event"
+                type: "string"
+              Action:
+                description: "The type of event"
+                type: "string"
+              Actor:
+                type: "object"
+                properties:
+                  ID:
+                    description: "The ID of the object emitting the event"
+                    type: "string"
+                  Attributes:
+                    description: "Various key/value attributes of the object, depending on its type"
+                    type: "object"
+                    additionalProperties:
+                      type: "string"
+              time:
+                description: "Timestamp of event"
+                type: "integer"
+              timeNano:
+                description: "Timestamp of event, with nanosecond accuracy"
+                type: "integer"
+                format: "int64"
+          examples:
+            application/json:
+              Type: "container"
+              Action: "create"
+              Actor:
+                ID: "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743"
+                Attributes:
+                  com.example.some-label: "some-label-value"
+                  image: "alpine"
+                  name: "my-container"
+              time: 1461943101
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "since"
+          in: "query"
+          description: "Show events created since this timestamp then stream new events."
+          type: "string"
+        - name: "until"
+          in: "query"
+          description: "Show events created until this timestamp then stop streaming."
+          type: "string"
+        - name: "filters"
+          in: "query"
+          description: |
+            A JSON encoded value of filters (a `map[string][]string`) to process on the event list. Available filters:
+
+            - `config=<string>` config name or ID
+            - `container=<string>` container name or ID
+            - `daemon=<string>` daemon name or ID
+            - `event=<string>` event type
+            - `image=<string>` image name or ID
+            - `label=<string>` image or container label
+            - `network=<string>` network name or ID
+            - `node=<string>` node ID
+            - `plugin`=<string> plugin name or ID
+            - `scope`=<string> local or swarm
+            - `secret=<string>` secret name or ID
+            - `service=<string>` service name or ID
+            - `type=<string>` object to filter by, one of `container`, `image`, `volume`, `network`, `daemon`, `plugin`, `node`, `service`, `secret` or `config`
+            - `volume=<string>` volume name
+          type: "string"
+      tags: ["System"]
+  /system/df:
+    get:
+      summary: "Get data usage information"
+      operationId: "SystemDataUsage"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "object"
+            title: "SystemDataUsageResponse"
+            properties:
+              LayersSize:
+                type: "integer"
+                format: "int64"
+              Images:
+                type: "array"
+                items:
+                  $ref: "#/definitions/ImageSummary"
+              Containers:
+                type: "array"
+                items:
+                  $ref: "#/definitions/ContainerSummary"
+              Volumes:
+                type: "array"
+                items:
+                  $ref: "#/definitions/Volume"
+            example:
+              LayersSize: 1092588
+              Images:
+                -
+                  Id: "sha256:2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749"
+                  ParentId: ""
+                  RepoTags:
+                    - "busybox:latest"
+                  RepoDigests:
+                    - "busybox@sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6"
+                  Created: 1466724217
+                  Size: 1092588
+                  SharedSize: 0
+                  VirtualSize: 1092588
+                  Labels: {}
+                  Containers: 1
+              Containers:
+                -
+                  Id: "e575172ed11dc01bfce087fb27bee502db149e1a0fad7c296ad300bbff178148"
+                  Names:
+                    - "/top"
+                  Image: "busybox"
+                  ImageID: "sha256:2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749"
+                  Command: "top"
+                  Created: 1472592424
+                  Ports: []
+                  SizeRootFs: 1092588
+                  Labels: {}
+                  State: "exited"
+                  Status: "Exited (0) 56 minutes ago"
+                  HostConfig:
+                    NetworkMode: "default"
+                  NetworkSettings:
+                    Networks:
+                      bridge:
+                        IPAMConfig: null
+                        Links: null
+                        Aliases: null
+                        NetworkID: "d687bc59335f0e5c9ee8193e5612e8aee000c8c62ea170cfb99c098f95899d92"
+                        EndpointID: "8ed5115aeaad9abb174f68dcf135b49f11daf597678315231a32ca28441dec6a"
+                        Gateway: "172.18.0.1"
+                        IPAddress: "172.18.0.2"
+                        IPPrefixLen: 16
+                        IPv6Gateway: ""
+                        GlobalIPv6Address: ""
+                        GlobalIPv6PrefixLen: 0
+                        MacAddress: "02:42:ac:12:00:02"
+                  Mounts: []
+              Volumes:
+                -
+                  Name: "my-volume"
+                  Driver: "local"
+                  Mountpoint: "/var/lib/docker/volumes/my-volume/_data"
+                  Labels: null
+                  Scope: "local"
+                  Options: null
+                  UsageData:
+                    Size: 10920104
+                    RefCount: 2
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["System"]
+  /images/{name}/get:
+    get:
+      summary: "Export an image"
+      description: |
+        Get a tarball containing all images and metadata for a repository.
+
+        If `name` is a specific name and tag (e.g. `ubuntu:latest`), then only that image (and its parents) are returned. If `name` is an image ID, similarly only that image (and its parents) are returned, but with the exclusion of the `repositories` file in the tarball, as there were no image names referenced.
+
+        ### Image tarball format
+
+        An image tarball contains one directory per image layer (named using its long ID), each containing these files:
+
+        - `VERSION`: currently `1.0` - the file format version
+        - `json`: detailed layer information, similar to `docker inspect layer_id`
+        - `layer.tar`: A tarfile containing the filesystem changes in this layer
+
+        The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories for storing attribute changes and deletions.
+
+        If the tarball defines a repository, the tarball should also include a `repositories` file at the root that contains a list of repository and tag names mapped to layer IDs.
+
+        ```json
+        {
+          "hello-world": {
+            "latest": "565a9d68a73f6706862bfe8409a7f659776d4d60a8d096eb4a3cbce6999cc2a1"
+          }
+        }
+        ```
+      operationId: "ImageGet"
+      produces:
+        - "application/x-tar"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "string"
+            format: "binary"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "Image name or ID"
+          type: "string"
+          required: true
+      tags: ["Image"]
+  /images/get:
+    get:
+      summary: "Export several images"
+      description: |
+        Get a tarball containing all images and metadata for several image repositories.
+
+        For each value of the `names` parameter: if it is a specific name and tag (e.g. `ubuntu:latest`), then only that image (and its parents) are returned; if it is an image ID, similarly only that image (and its parents) are returned and there would be no names referenced in the 'repositories' file for this image ID.
+
+        For details on the format, see [the export image endpoint](#operation/ImageGet).
+      operationId: "ImageGetAll"
+      produces:
+        - "application/x-tar"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "string"
+            format: "binary"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "names"
+          in: "query"
+          description: "Image names to filter by"
+          type: "array"
+          items:
+            type: "string"
+      tags: ["Image"]
+  /images/load:
+    post:
+      summary: "Import images"
+      description: |
+        Load a set of images and tags into a repository.
+
+        For details on the format, see [the export image endpoint](#operation/ImageGet).
+      operationId: "ImageLoad"
+      consumes:
+        - "application/x-tar"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "imagesTarball"
+          in: "body"
+          description: "Tar archive containing images"
+          schema:
+            type: "string"
+            format: "binary"
+        - name: "quiet"
+          in: "query"
+          description: "Suppress progress details during load."
+          type: "boolean"
+          default: false
+      tags: ["Image"]
+  /containers/{id}/exec:
+    post:
+      summary: "Create an exec instance"
+      description: "Run a command inside a running container."
+      operationId: "ContainerExec"
+      consumes:
+        - "application/json"
+      produces:
+        - "application/json"
+      responses:
+        201:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/IdResponse"
+        404:
+          description: "no such container"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such container: c2ada9df5af8"
+        409:
+          description: "container is paused"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "execConfig"
+          in: "body"
+          description: "Exec configuration"
+          schema:
+            type: "object"
+            properties:
+              AttachStdin:
+                type: "boolean"
+                description: "Attach to `stdin` of the exec command."
+              AttachStdout:
+                type: "boolean"
+                description: "Attach to `stdout` of the exec command."
+              AttachStderr:
+                type: "boolean"
+                description: "Attach to `stderr` of the exec command."
+              DetachKeys:
+                type: "string"
+                description: "Override the key sequence for detaching a container. Format is a single character `[a-Z]` or `ctrl-<value>` where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`."
+              Tty:
+                type: "boolean"
+                description: "Allocate a pseudo-TTY."
+              Env:
+                description: "A list of environment variables in the form `[\"VAR=value\", ...]`."
+                type: "array"
+                items:
+                  type: "string"
+              Cmd:
+                type: "array"
+                description: "Command to run, as a string or array of strings."
+                items:
+                  type: "string"
+              Privileged:
+                type: "boolean"
+                description: "Runs the exec process with extended privileges."
+                default: false
+              User:
+                type: "string"
+                description: "The user, and optionally, group to run the exec process inside the container. Format is one of: `user`, `user:group`, `uid`, or `uid:gid`."
+              WorkingDir:
+                type: "string"
+                description: "The working directory for the exec process inside the container."
+            example:
+              AttachStdin: false
+              AttachStdout: true
+              AttachStderr: true
+              DetachKeys: "ctrl-p,ctrl-q"
+              Tty: false
+              Cmd:
+                - "date"
+              Env:
+                - "FOO=bar"
+                - "BAZ=quux"
+          required: true
+        - name: "id"
+          in: "path"
+          description: "ID or name of container"
+          type: "string"
+          required: true
+      tags: ["Exec"]
+  /exec/{id}/start:
+    post:
+      summary: "Start an exec instance"
+      description: "Starts a previously set up exec instance. If detach is true, this endpoint returns immediately after starting the command. Otherwise, it sets up an interactive session with the command."
+      operationId: "ExecStart"
+      consumes:
+        - "application/json"
+      produces:
+        - "application/vnd.docker.raw-stream"
+      responses:
+        200:
+          description: "No error"
+        404:
+          description: "No such exec instance"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        409:
+          description: "Container is stopped or paused"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "execStartConfig"
+          in: "body"
+          schema:
+            type: "object"
+            properties:
+              Detach:
+                type: "boolean"
+                description: "Detach from the command."
+              Tty:
+                type: "boolean"
+                description: "Allocate a pseudo-TTY."
+            example:
+              Detach: false
+              Tty: false
+        - name: "id"
+          in: "path"
+          description: "Exec instance ID"
+          required: true
+          type: "string"
+      tags: ["Exec"]
+  /exec/{id}/resize:
+    post:
+      summary: "Resize an exec instance"
+      description: "Resize the TTY session used by an exec instance. This endpoint only works if `tty` was specified as part of creating and starting the exec instance."
+      operationId: "ExecResize"
+      responses:
+        201:
+          description: "No error"
+        404:
+          description: "No such exec instance"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "Exec instance ID"
+          required: true
+          type: "string"
+        - name: "h"
+          in: "query"
+          description: "Height of the TTY session in characters"
+          type: "integer"
+        - name: "w"
+          in: "query"
+          description: "Width of the TTY session in characters"
+          type: "integer"
+      tags: ["Exec"]
+  /exec/{id}/json:
+    get:
+      summary: "Inspect an exec instance"
+      description: "Return low-level information about an exec instance."
+      operationId: "ExecInspect"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            type: "object"
+            title: "ExecInspectResponse"
+            properties:
+              CanRemove:
+                type: "boolean"
+              DetachKeys:
+                type: "string"
+              ID:
+                type: "string"
+              Running:
+                type: "boolean"
+              ExitCode:
+                type: "integer"
+              ProcessConfig:
+                $ref: "#/definitions/ProcessConfig"
+              OpenStdin:
+                type: "boolean"
+              OpenStderr:
+                type: "boolean"
+              OpenStdout:
+                type: "boolean"
+              ContainerID:
+                type: "string"
+              Pid:
+                type: "integer"
+                description: "The system process ID for the exec process."
+          examples:
+            application/json:
+              CanRemove: false
+              ContainerID: "b53ee82b53a40c7dca428523e34f741f3abc51d9f297a14ff874bf761b995126"
+              DetachKeys: ""
+              ExitCode: 2
+              ID: "f33bbfb39f5b142420f4759b2348913bd4a8d1a6d7fd56499cb41a1bb91d7b3b"
+              OpenStderr: true
+              OpenStdin: true
+              OpenStdout: true
+              ProcessConfig:
+                arguments:
+                  - "-c"
+                  - "exit 2"
+                entrypoint: "sh"
+                privileged: false
+                tty: true
+                user: "1000"
+              Running: false
+              Pid: 42000
+        404:
+          description: "No such exec instance"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "Exec instance ID"
+          required: true
+          type: "string"
+      tags: ["Exec"]
+
+  /volumes:
+    get:
+      summary: "List volumes"
+      operationId: "VolumeList"
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "Summary volume data that matches the query"
+          schema:
+            type: "object"
+            title: "VolumeListResponse"
+            required: [Volumes, Warnings]
+            properties:
+              Volumes:
+                type: "array"
+                x-nullable: false
+                description: "List of volumes"
+                items:
+                  $ref: "#/definitions/Volume"
+              Warnings:
+                type: "array"
+                x-nullable: false
+                description: "Warnings that occurred when fetching the list of volumes"
+                items:
+                  type: "string"
+
+          examples:
+            application/json:
+              Volumes:
+                - CreatedAt: "2017-07-19T12:00:26Z"
+                  Name: "tardis"
+                  Driver: "local"
+                  Mountpoint: "/var/lib/docker/volumes/tardis"
+                  Labels:
+                    com.example.some-label: "some-value"
+                    com.example.some-other-label: "some-other-value"
+                  Scope: "local"
+                  Options:
+                    device: "tmpfs"
+                    o: "size=100m,uid=1000"
+                    type: "tmpfs"
+              Warnings: []
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "filters"
+          in: "query"
+          description: |
+            JSON encoded value of the filters (a `map[string][]string`) to
+            process on the volumes list. Available filters:
+
+            - `dangling=<boolean>` When set to `true` (or `1`), returns all
+               volumes that are not in use by a container. When set to `false`
+               (or `0`), only volumes that are in use by one or more
+               containers are returned.
+            - `driver=<volume-driver-name>` Matches volumes based on their driver.
+            - `label=<key>` or `label=<key>:<value>` Matches volumes based on
+               the presence of a `label` alone or a `label` and a value.
+            - `name=<volume-name>` Matches all or part of a volume name.
+          type: "string"
+          format: "json"
+      tags: ["Volume"]
+
+  /volumes/create:
+    post:
+      summary: "Create a volume"
+      operationId: "VolumeCreate"
+      consumes: ["application/json"]
+      produces: ["application/json"]
+      responses:
+        201:
+          description: "The volume was created successfully"
+          schema:
+            $ref: "#/definitions/Volume"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "volumeConfig"
+          in: "body"
+          required: true
+          description: "Volume configuration"
+          schema:
+            type: "object"
+            properties:
+              Name:
+                description: "The new volume's name. If not specified, Docker generates a name."
+                type: "string"
+                x-nullable: false
+              Driver:
+                description: "Name of the volume driver to use."
+                type: "string"
+                default: "local"
+                x-nullable: false
+              DriverOpts:
+                description: "A mapping of driver options and values. These options are passed directly to the driver and are driver specific."
+                type: "object"
+                additionalProperties:
+                  type: "string"
+              Labels:
+                description: "User-defined key/value metadata."
+                type: "object"
+                additionalProperties:
+                  type: "string"
+            example:
+              Name: "tardis"
+              Labels:
+                com.example.some-label: "some-value"
+                com.example.some-other-label: "some-other-value"
+              Driver: "custom"
+      tags: ["Volume"]
+
+  /volumes/{name}:
+    get:
+      summary: "Inspect a volume"
+      operationId: "VolumeInspect"
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "No error"
+          schema:
+            $ref: "#/definitions/Volume"
+        404:
+          description: "No such volume"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          required: true
+          description: "Volume name or ID"
+          type: "string"
+      tags: ["Volume"]
+
+    delete:
+      summary: "Remove a volume"
+      description: "Instruct the driver to remove the volume."
+      operationId: "VolumeDelete"
+      responses:
+        204:
+          description: "The volume was removed"
+        404:
+          description: "No such volume or volume driver"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        409:
+          description: "Volume is in use and cannot be removed"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          required: true
+          description: "Volume name or ID"
+          type: "string"
+        - name: "force"
+          in: "query"
+          description: "Force the removal of the volume"
+          type: "boolean"
+          default: false
+      tags: ["Volume"]
+  /volumes/prune:
+    post:
+      summary: "Delete unused volumes"
+      produces:
+        - "application/json"
+      operationId: "VolumePrune"
+      parameters:
+        - name: "filters"
+          in: "query"
+          description: |
+            Filters to process on the prune list, encoded as JSON (a `map[string][]string`).
+
+            Available filters:
+            - `label` (`label=<key>`, `label=<key>=<value>`, `label!=<key>`, or `label!=<key>=<value>`) Prune volumes with (or without, in case `label!=...` is used) the specified labels.
+          type: "string"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            type: "object"
+            title: "VolumePruneResponse"
+            properties:
+              VolumesDeleted:
+                description: "Volumes that were deleted"
+                type: "array"
+                items:
+                  type: "string"
+              SpaceReclaimed:
+                description: "Disk space reclaimed in bytes"
+                type: "integer"
+                format: "int64"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Volume"]
+  /networks:
+    get:
+      summary: "List networks"
+      description: |
+        Returns a list of networks. For details on the format, see [the network inspect endpoint](#operation/NetworkInspect).
+
+        Note that it uses a different, smaller representation of a network than inspecting a single network. For example,
+        the list of containers attached to the network is not propagated in API versions 1.28 and up.
+      operationId: "NetworkList"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            type: "array"
+            items:
+              $ref: "#/definitions/Network"
+          examples:
+            application/json:
+              - Name: "bridge"
+                Id: "f2de39df4171b0dc801e8002d1d999b77256983dfc63041c0f34030aa3977566"
+                Created: "2016-10-19T06:21:00.416543526Z"
+                Scope: "local"
+                Driver: "bridge"
+                EnableIPv6: false
+                Internal: false
+                Attachable: false
+                Ingress: false
+                IPAM:
+                  Driver: "default"
+                  Config:
+                    -
+                      Subnet: "172.17.0.0/16"
+                Options:
+                  com.docker.network.bridge.default_bridge: "true"
+                  com.docker.network.bridge.enable_icc: "true"
+                  com.docker.network.bridge.enable_ip_masquerade: "true"
+                  com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
+                  com.docker.network.bridge.name: "docker0"
+                  com.docker.network.driver.mtu: "1500"
+              - Name: "none"
+                Id: "e086a3893b05ab69242d3c44e49483a3bbbd3a26b46baa8f61ab797c1088d794"
+                Created: "0001-01-01T00:00:00Z"
+                Scope: "local"
+                Driver: "null"
+                EnableIPv6: false
+                Internal: false
+                Attachable: false
+                Ingress: false
+                IPAM:
+                  Driver: "default"
+                  Config: []
+                Containers: {}
+                Options: {}
+              - Name: "host"
+                Id: "13e871235c677f196c4e1ecebb9dc733b9b2d2ab589e30c539efeda84a24215e"
+                Created: "0001-01-01T00:00:00Z"
+                Scope: "local"
+                Driver: "host"
+                EnableIPv6: false
+                Internal: false
+                Attachable: false
+                Ingress: false
+                IPAM:
+                  Driver: "default"
+                  Config: []
+                Containers: {}
+                Options: {}
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "filters"
+          in: "query"
+          description: |
+            JSON encoded value of the filters (a `map[string][]string`) to process on the networks list. Available filters:
+
+            - `driver=<driver-name>` Matches a network's driver.
+            - `id=<network-id>` Matches all or part of a network ID.
+            - `label=<key>` or `label=<key>=<value>` of a network label.
+            - `name=<network-name>` Matches all or part of a network name.
+            - `scope=["swarm"|"global"|"local"]` Filters networks by scope (`swarm`, `global`, or `local`).
+            - `type=["custom"|"builtin"]` Filters networks by type. The `custom` keyword returns all user-defined networks.
+          type: "string"
+      tags: ["Network"]
+
+  /networks/{id}:
+    get:
+      summary: "Inspect a network"
+      operationId: "NetworkInspect"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            $ref: "#/definitions/Network"
+        404:
+          description: "Network not found"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "Network ID or name"
+          required: true
+          type: "string"
+        - name: "verbose"
+          in: "query"
+          description: "Detailed inspect output for troubleshooting"
+          type: "boolean"
+          default: false
+        - name: "scope"
+          in: "query"
+          description: "Filter the network by scope (swarm, global, or local)"
+          type: "string"
+      tags: ["Network"]
+
+    delete:
+      summary: "Remove a network"
+      operationId: "NetworkDelete"
+      responses:
+        204:
+          description: "No error"
+        403:
+          description: "operation not supported for pre-defined networks"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such network"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "Network ID or name"
+          required: true
+          type: "string"
+      tags: ["Network"]
+
+  /networks/create:
+    post:
+      summary: "Create a network"
+      operationId: "NetworkCreate"
+      consumes:
+        - "application/json"
+      produces:
+        - "application/json"
+      responses:
+        201:
+          description: "No error"
+          schema:
+            type: "object"
+            title: "NetworkCreateResponse"
+            properties:
+              Id:
+                description: "The ID of the created network."
+                type: "string"
+              Warning:
+                type: "string"
+            example:
+              Id: "22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30"
+              Warning: ""
+        403:
+          description: "operation not supported for pre-defined networks"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "plugin not found"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "networkConfig"
+          in: "body"
+          description: "Network configuration"
+          required: true
+          schema:
+            type: "object"
+            required: ["Name"]
+            properties:
+              Name:
+                description: "The network's name."
+                type: "string"
+              CheckDuplicate:
+                description: "Check for networks with duplicate names. Since Network is primarily keyed based on a random ID and not on the name, and network name is strictly a user-friendly alias to the network which is uniquely identified using ID, there is no guaranteed way to check for duplicates. CheckDuplicate is there to provide a best effort checking of any networks which has the same name but it is not guaranteed to catch all name collisions."
+                type: "boolean"
+              Driver:
+                description: "Name of the network driver plugin to use."
+                type: "string"
+                default: "bridge"
+              Internal:
+                description: "Restrict external access to the network."
+                type: "boolean"
+              Attachable:
+                description: "Globally scoped network is manually attachable by regular containers from workers in swarm mode."
+                type: "boolean"
+              Ingress:
+                description: "Ingress network is the network which provides the routing-mesh in swarm mode."
+                type: "boolean"
+              IPAM:
+                description: "Optional custom IP scheme for the network."
+                $ref: "#/definitions/IPAM"
+              EnableIPv6:
+                description: "Enable IPv6 on the network."
+                type: "boolean"
+              Options:
+                description: "Network specific options to be used by the drivers."
+                type: "object"
+                additionalProperties:
+                  type: "string"
+              Labels:
+                description: "User-defined key/value metadata."
+                type: "object"
+                additionalProperties:
+                  type: "string"
+            example:
+              Name: "isolated_nw"
+              CheckDuplicate: false
+              Driver: "bridge"
+              EnableIPv6: true
+              IPAM:
+                Driver: "default"
+                Config:
+                  - Subnet: "172.20.0.0/16"
+                    IPRange: "172.20.10.0/24"
+                    Gateway: "172.20.10.11"
+                  - Subnet: "2001:db8:abcd::/64"
+                    Gateway: "2001:db8:abcd::1011"
+                Options:
+                  foo: "bar"
+              Internal: true
+              Attachable: false
+              Ingress: false
+              Options:
+                com.docker.network.bridge.default_bridge: "true"
+                com.docker.network.bridge.enable_icc: "true"
+                com.docker.network.bridge.enable_ip_masquerade: "true"
+                com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
+                com.docker.network.bridge.name: "docker0"
+                com.docker.network.driver.mtu: "1500"
+              Labels:
+                com.example.some-label: "some-value"
+                com.example.some-other-label: "some-other-value"
+      tags: ["Network"]
+
+  /networks/{id}/connect:
+    post:
+      summary: "Connect a container to a network"
+      operationId: "NetworkConnect"
+      consumes:
+        - "application/json"
+      responses:
+        200:
+          description: "No error"
+        403:
+          description: "Operation not supported for swarm scoped networks"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "Network or container not found"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "Network ID or name"
+          required: true
+          type: "string"
+        - name: "container"
+          in: "body"
+          required: true
+          schema:
+            type: "object"
+            properties:
+              Container:
+                type: "string"
+                description: "The ID or name of the container to connect to the network."
+              EndpointConfig:
+                $ref: "#/definitions/EndpointSettings"
+            example:
+              Container: "3613f73ba0e4"
+              EndpointConfig:
+                IPAMConfig:
+                  IPv4Address: "172.24.56.89"
+                  IPv6Address: "2001:db8::5689"
+      tags: ["Network"]
+
+  /networks/{id}/disconnect:
+    post:
+      summary: "Disconnect a container from a network"
+      operationId: "NetworkDisconnect"
+      consumes:
+        - "application/json"
+      responses:
+        200:
+          description: "No error"
+        403:
+          description: "Operation not supported for swarm scoped networks"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "Network or container not found"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "Network ID or name"
+          required: true
+          type: "string"
+        - name: "container"
+          in: "body"
+          required: true
+          schema:
+            type: "object"
+            properties:
+              Container:
+                type: "string"
+                description: "The ID or name of the container to disconnect from the network."
+              Force:
+                type: "boolean"
+                description: "Force the container to disconnect from the network."
+      tags: ["Network"]
+  /networks/prune:
+    post:
+      summary: "Delete unused networks"
+      produces:
+        - "application/json"
+      operationId: "NetworkPrune"
+      parameters:
+        - name: "filters"
+          in: "query"
+          description: |
+            Filters to process on the prune list, encoded as JSON (a `map[string][]string`).
+
+            Available filters:
+            - `until=<timestamp>` Prune networks created before this timestamp. The `<timestamp>` can be Unix timestamps, date formatted timestamps, or Go duration strings (e.g. `10m`, `1h30m`) computed relative to the daemon machine’s time.
+            - `label` (`label=<key>`, `label=<key>=<value>`, `label!=<key>`, or `label!=<key>=<value>`) Prune networks with (or without, in case `label!=...` is used) the specified labels.
+          type: "string"
+      responses:
+        200:
+          description: "No error"
+          schema:
+            type: "object"
+            title: "NetworkPruneResponse"
+            properties:
+              NetworksDeleted:
+                description: "Networks that were deleted"
+                type: "array"
+                items:
+                  type: "string"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Network"]
+  /plugins:
+    get:
+      summary: "List plugins"
+      operationId: "PluginList"
+      description: "Returns information about installed plugins."
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "No error"
+          schema:
+            type: "array"
+            items:
+              $ref: "#/definitions/Plugin"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "filters"
+          in: "query"
+          type: "string"
+          description: |
+            A JSON encoded value of the filters (a `map[string][]string`) to process on the plugin list. Available filters:
+
+            - `capability=<capability name>`
+            - `enable=<true>|<false>`
+      tags: ["Plugin"]
+
+  /plugins/privileges:
+    get:
+      summary: "Get plugin privileges"
+      operationId: "GetPluginPrivileges"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "array"
+            items:
+              description: "Describes a permission the user has to accept upon installing the plugin."
+              type: "object"
+              title: "PluginPrivilegeItem"
+              properties:
+                Name:
+                  type: "string"
+                Description:
+                  type: "string"
+                Value:
+                  type: "array"
+                  items:
+                    type: "string"
+            example:
+              - Name: "network"
+                Description: ""
+                Value:
+                  - "host"
+              - Name: "mount"
+                Description: ""
+                Value:
+                  - "/data"
+              - Name: "device"
+                Description: ""
+                Value:
+                  - "/dev/cpu_dma_latency"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "remote"
+          in: "query"
+          description: "The name of the plugin. The `:latest` tag is optional, and is the default if omitted."
+          required: true
+          type: "string"
+      tags:
+        - "Plugin"
+
+  /plugins/pull:
+    post:
+      summary: "Install a plugin"
+      operationId: "PluginPull"
+      description: |
+        Pulls and installs a plugin. After the plugin is installed, it can be enabled using the [`POST /plugins/{name}/enable` endpoint](#operation/PostPluginsEnable).
+      produces:
+        - "application/json"
+      responses:
+        204:
+          description: "no error"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "remote"
+          in: "query"
+          description: |
+            Remote reference for plugin to install.
+
+            The `:latest` tag is optional, and is used as the default if omitted.
+          required: true
+          type: "string"
+        - name: "name"
+          in: "query"
+          description: |
+            Local name for the pulled plugin.
+
+            The `:latest` tag is optional, and is used as the default if omitted.
+          required: false
+          type: "string"
+        - name: "X-Registry-Auth"
+          in: "header"
+          description: "A base64-encoded auth configuration to use when pulling a plugin from a registry. [See the authentication section for details.](#section/Authentication)"
+          type: "string"
+        - name: "body"
+          in: "body"
+          schema:
+            type: "array"
+            items:
+              description: "Describes a permission accepted by the user upon installing the plugin."
+              type: "object"
+              properties:
+                Name:
+                  type: "string"
+                Description:
+                  type: "string"
+                Value:
+                  type: "array"
+                  items:
+                    type: "string"
+            example:
+              - Name: "network"
+                Description: ""
+                Value:
+                  - "host"
+              - Name: "mount"
+                Description: ""
+                Value:
+                  - "/data"
+              - Name: "device"
+                Description: ""
+                Value:
+                  - "/dev/cpu_dma_latency"
+      tags: ["Plugin"]
+  /plugins/{name}/json:
+    get:
+      summary: "Inspect a plugin"
+      operationId: "PluginInspect"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/Plugin"
+        404:
+          description: "plugin is not installed"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "The name of the plugin. The `:latest` tag is optional, and is the default if omitted."
+          required: true
+          type: "string"
+      tags: ["Plugin"]
+  /plugins/{name}:
+    delete:
+      summary: "Remove a plugin"
+      operationId: "PluginDelete"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/Plugin"
+        404:
+          description: "plugin is not installed"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "The name of the plugin. The `:latest` tag is optional, and is the default if omitted."
+          required: true
+          type: "string"
+        - name: "force"
+          in: "query"
+          description: "Disable the plugin before removing. This may result in issues if the plugin is in use by a container."
+          type: "boolean"
+          default: false
+      tags: ["Plugin"]
+  /plugins/{name}/enable:
+    post:
+      summary: "Enable a plugin"
+      operationId: "PluginEnable"
+      responses:
+        200:
+          description: "no error"
+        404:
+          description: "plugin is not installed"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "The name of the plugin. The `:latest` tag is optional, and is the default if omitted."
+          required: true
+          type: "string"
+        - name: "timeout"
+          in: "query"
+          description: "Set the HTTP client timeout (in seconds)"
+          type: "integer"
+          default: 0
+      tags: ["Plugin"]
+  /plugins/{name}/disable:
+    post:
+      summary: "Disable a plugin"
+      operationId: "PluginDisable"
+      responses:
+        200:
+          description: "no error"
+        404:
+          description: "plugin is not installed"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "The name of the plugin. The `:latest` tag is optional, and is the default if omitted."
+          required: true
+          type: "string"
+      tags: ["Plugin"]
+  /plugins/{name}/upgrade:
+    post:
+      summary: "Upgrade a plugin"
+      operationId: "PluginUpgrade"
+      responses:
+        204:
+          description: "no error"
+        404:
+          description: "plugin not installed"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "The name of the plugin. The `:latest` tag is optional, and is the default if omitted."
+          required: true
+          type: "string"
+        - name: "remote"
+          in: "query"
+          description: |
+            Remote reference to upgrade to.
+
+            The `:latest` tag is optional, and is used as the default if omitted.
+          required: true
+          type: "string"
+        - name: "X-Registry-Auth"
+          in: "header"
+          description: "A base64-encoded auth configuration to use when pulling a plugin from a registry. [See the authentication section for details.](#section/Authentication)"
+          type: "string"
+        - name: "body"
+          in: "body"
+          schema:
+            type: "array"
+            items:
+              description: "Describes a permission accepted by the user upon installing the plugin."
+              type: "object"
+              properties:
+                Name:
+                  type: "string"
+                Description:
+                  type: "string"
+                Value:
+                  type: "array"
+                  items:
+                    type: "string"
+            example:
+              - Name: "network"
+                Description: ""
+                Value:
+                  - "host"
+              - Name: "mount"
+                Description: ""
+                Value:
+                  - "/data"
+              - Name: "device"
+                Description: ""
+                Value:
+                  - "/dev/cpu_dma_latency"
+      tags: ["Plugin"]
+  /plugins/create:
+    post:
+      summary: "Create a plugin"
+      operationId: "PluginCreate"
+      consumes:
+        - "application/x-tar"
+      responses:
+        204:
+          description: "no error"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "query"
+          description: "The name of the plugin. The `:latest` tag is optional, and is the default if omitted."
+          required: true
+          type: "string"
+        - name: "tarContext"
+          in: "body"
+          description: "Path to tar containing plugin rootfs and manifest"
+          schema:
+            type: "string"
+            format: "binary"
+      tags: ["Plugin"]
+  /plugins/{name}/push:
+    post:
+      summary: "Push a plugin"
+      operationId: "PluginPush"
+      description: |
+        Push a plugin to the registry.
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "The name of the plugin. The `:latest` tag is optional, and is the default if omitted."
+          required: true
+          type: "string"
+      responses:
+        200:
+          description: "no error"
+        404:
+          description: "plugin not installed"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Plugin"]
+  /plugins/{name}/set:
+    post:
+      summary: "Configure a plugin"
+      operationId: "PluginSet"
+      consumes:
+        - "application/json"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "The name of the plugin. The `:latest` tag is optional, and is the default if omitted."
+          required: true
+          type: "string"
+        - name: "body"
+          in: "body"
+          schema:
+            type: "array"
+            items:
+              type: "string"
+            example: ["DEBUG=1"]
+      responses:
+        204:
+          description: "No error"
+        404:
+          description: "Plugin not installed"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Plugin"]
+  /nodes:
+    get:
+      summary: "List nodes"
+      operationId: "NodeList"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "array"
+            items:
+              $ref: "#/definitions/Node"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "filters"
+          in: "query"
+          description: |
+            Filters to process on the nodes list, encoded as JSON (a `map[string][]string`).
+
+            Available filters:
+            - `id=<node id>`
+            - `label=<engine label>`
+            - `membership=`(`accepted`|`pending`)`
+            - `name=<node name>`
+            - `role=`(`manager`|`worker`)`
+          type: "string"
+      tags: ["Node"]
+  /nodes/{id}:
+    get:
+      summary: "Inspect a node"
+      operationId: "NodeInspect"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/Node"
+        404:
+          description: "no such node"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "The ID or name of the node"
+          type: "string"
+          required: true
+      tags: ["Node"]
+    delete:
+      summary: "Delete a node"
+      operationId: "NodeDelete"
+      responses:
+        200:
+          description: "no error"
+        404:
+          description: "no such node"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "The ID or name of the node"
+          type: "string"
+          required: true
+        - name: "force"
+          in: "query"
+          description: "Force remove a node from the swarm"
+          default: false
+          type: "boolean"
+      tags: ["Node"]
+  /nodes/{id}/update:
+    post:
+      summary: "Update a node"
+      operationId: "NodeUpdate"
+      responses:
+        200:
+          description: "no error"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such node"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "The ID of the node"
+          type: "string"
+          required: true
+        - name: "body"
+          in: "body"
+          schema:
+            $ref: "#/definitions/NodeSpec"
+        - name: "version"
+          in: "query"
+          description: "The version number of the node object being updated. This is required to avoid conflicting writes."
+          type: "integer"
+          format: "int64"
+          required: true
+      tags: ["Node"]
+  /swarm:
+    get:
+      summary: "Inspect swarm"
+      operationId: "SwarmInspect"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/Swarm"
+        404:
+          description: "no such swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Swarm"]
+  /swarm/init:
+    post:
+      summary: "Initialize a new swarm"
+      operationId: "SwarmInit"
+      produces:
+        - "application/json"
+        - "text/plain"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            description: "The node ID"
+            type: "string"
+            example: "7v2t30z9blmxuhnyo6s4cpenp"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is already part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "body"
+          in: "body"
+          required: true
+          schema:
+            type: "object"
+            properties:
+              ListenAddr:
+                description: "Listen address used for inter-manager communication, as well as determining the networking interface used for the VXLAN Tunnel Endpoint (VTEP). This can either be an address/port combination in the form `192.168.1.1:4567`, or an interface followed by a port number, like `eth0:4567`. If the port number is omitted, the default swarm listening port is used."
+                type: "string"
+              AdvertiseAddr:
+                description: "Externally reachable address advertised to other nodes. This can either be an address/port combination in the form `192.168.1.1:4567`, or an interface followed by a port number, like `eth0:4567`. If the port number is omitted, the port number from the listen address is used. If `AdvertiseAddr` is not specified, it will be automatically detected when possible."
+                type: "string"
+              DataPathAddr:
+                description: |
+                  Address or interface to use for data path traffic (format: `<ip|interface>`), for example,  `192.168.1.1`,
+                  or an interface, like `eth0`. If `DataPathAddr` is unspecified, the same address as `AdvertiseAddr`
+                  is used.
+
+                  The `DataPathAddr` specifies the address that global scope network drivers will publish towards other
+                  nodes in order to reach the containers running on this node. Using this parameter it is possible to
+                  separate the container data traffic from the management traffic of the cluster.
+                type: "string"
+              ForceNewCluster:
+                description: "Force creation of a new swarm."
+                type: "boolean"
+              Spec:
+                $ref: "#/definitions/SwarmSpec"
+            example:
+              ListenAddr: "0.0.0.0:2377"
+              AdvertiseAddr: "192.168.1.1:2377"
+              ForceNewCluster: false
+              Spec:
+                Orchestration: {}
+                Raft: {}
+                Dispatcher: {}
+                CAConfig: {}
+                EncryptionConfig:
+                  AutoLockManagers: false
+      tags: ["Swarm"]
+  /swarm/join:
+    post:
+      summary: "Join an existing swarm"
+      operationId: "SwarmJoin"
+      responses:
+        200:
+          description: "no error"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is already part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "body"
+          in: "body"
+          required: true
+          schema:
+            type: "object"
+            properties:
+              ListenAddr:
+                description: "Listen address used for inter-manager communication if the node gets promoted to manager, as well as determining the networking interface used for the VXLAN Tunnel Endpoint (VTEP)."
+                type: "string"
+              AdvertiseAddr:
+                description: "Externally reachable address advertised to other nodes. This can either be an address/port combination in the form `192.168.1.1:4567`, or an interface followed by a port number, like `eth0:4567`. If the port number is omitted, the port number from the listen address is used. If `AdvertiseAddr` is not specified, it will be automatically detected when possible."
+                type: "string"
+              DataPathAddr:
+                description: |
+                  Address or interface to use for data path traffic (format: `<ip|interface>`), for example,  `192.168.1.1`,
+                  or an interface, like `eth0`. If `DataPathAddr` is unspecified, the same address as `AdvertiseAddr`
+                  is used.
+
+                  The `DataPathAddr` specifies the address that global scope network drivers will publish towards other
+                  nodes in order to reach the containers running on this node. Using this parameter it is possible to
+                  separate the container data traffic from the management traffic of the cluster.
+
+                type: "string"
+              RemoteAddrs:
+                description: "Addresses of manager nodes already participating in the swarm."
+                type: "string"
+              JoinToken:
+                description: "Secret token for joining this swarm."
+                type: "string"
+            example:
+              ListenAddr: "0.0.0.0:2377"
+              AdvertiseAddr: "192.168.1.1:2377"
+              RemoteAddrs:
+                - "node1:2377"
+              JoinToken: "SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2"
+      tags: ["Swarm"]
+  /swarm/leave:
+    post:
+      summary: "Leave a swarm"
+      operationId: "SwarmLeave"
+      responses:
+        200:
+          description: "no error"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "force"
+          description: "Force leave swarm, even if this is the last manager or that it will break the cluster."
+          in: "query"
+          type: "boolean"
+          default: false
+      tags: ["Swarm"]
+  /swarm/update:
+    post:
+      summary: "Update a swarm"
+      operationId: "SwarmUpdate"
+      responses:
+        200:
+          description: "no error"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "body"
+          in: "body"
+          required: true
+          schema:
+            $ref: "#/definitions/SwarmSpec"
+        - name: "version"
+          in: "query"
+          description: "The version number of the swarm object being updated. This is required to avoid conflicting writes."
+          type: "integer"
+          format: "int64"
+          required: true
+        - name: "rotateWorkerToken"
+          in: "query"
+          description: "Rotate the worker join token."
+          type: "boolean"
+          default: false
+        - name: "rotateManagerToken"
+          in: "query"
+          description: "Rotate the manager join token."
+          type: "boolean"
+          default: false
+        - name: "rotateManagerUnlockKey"
+          in: "query"
+          description: "Rotate the manager unlock key."
+          type: "boolean"
+          default: false
+      tags: ["Swarm"]
+  /swarm/unlockkey:
+    get:
+      summary: "Get the unlock key"
+      operationId: "SwarmUnlockkey"
+      consumes:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "object"
+            title: "UnlockKeyResponse"
+            properties:
+              UnlockKey:
+                description: "The swarm's unlock key."
+                type: "string"
+            example:
+              UnlockKey: "SWMKEY-1-7c37Cc8654o6p38HnroywCi19pllOnGtbdZEgtKxZu8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Swarm"]
+  /swarm/unlock:
+    post:
+      summary: "Unlock a locked manager"
+      operationId: "SwarmUnlock"
+      consumes:
+        - "application/json"
+      produces:
+        - "application/json"
+      parameters:
+        - name: "body"
+          in: "body"
+          required: true
+          schema:
+            type: "object"
+            properties:
+              UnlockKey:
+                description: "The swarm's unlock key."
+                type: "string"
+            example:
+              UnlockKey: "SWMKEY-1-7c37Cc8654o6p38HnroywCi19pllOnGtbdZEgtKxZu8"
+      responses:
+        200:
+          description: "no error"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Swarm"]
+  /services:
+    get:
+      summary: "List services"
+      operationId: "ServiceList"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "array"
+            items:
+              $ref: "#/definitions/Service"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "filters"
+          in: "query"
+          type: "string"
+          description: |
+            A JSON encoded value of the filters (a `map[string][]string`) to process on the services list. Available filters:
+
+            - `id=<service id>`
+            - `label=<service label>`
+            - `mode=["replicated"|"global"]`
+            - `name=<service name>`
+      tags: ["Service"]
+  /services/create:
+    post:
+      summary: "Create a service"
+      operationId: "ServiceCreate"
+      consumes:
+        - "application/json"
+      produces:
+        - "application/json"
+      responses:
+        201:
+          description: "no error"
+          schema:
+            type: "object"
+            title: "ServiceCreateResponse"
+            properties:
+              ID:
+                description: "The ID of the created service."
+                type: "string"
+              Warning:
+                description: "Optional warning message"
+                type: "string"
+            example:
+              ID: "ak7w3gjqoa3kuz8xcpnyy0pvl"
+              Warning: "unable to pin image doesnotexist:latest to digest: image library/doesnotexist:latest not found"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        403:
+          description: "network is not eligible for services"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        409:
+          description: "name conflicts with an existing service"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "body"
+          in: "body"
+          required: true
+          schema:
+            allOf:
+              - $ref: "#/definitions/ServiceSpec"
+              - type: "object"
+                example:
+                  Name: "web"
+                  TaskTemplate:
+                    ContainerSpec:
+                      Image: "nginx:alpine"
+                      Mounts:
+                        -
+                          ReadOnly: true
+                          Source: "web-data"
+                          Target: "/usr/share/nginx/html"
+                          Type: "volume"
+                          VolumeOptions:
+                            DriverConfig: {}
+                            Labels:
+                              com.example.something: "something-value"
+                      Hosts: ["10.10.10.10 host1", "ABCD:EF01:2345:6789:ABCD:EF01:2345:6789 host2"]
+                      User: "33"
+                      DNSConfig:
+                        Nameservers: ["8.8.8.8"]
+                        Search: ["example.org"]
+                        Options: ["timeout:3"]
+                      Secrets:
+                        -
+                          File:
+                            Name: "www.example.org.key"
+                            UID: "33"
+                            GID: "33"
+                            Mode: 384
+                          SecretID: "fpjqlhnwb19zds35k8wn80lq9"
+                          SecretName: "example_org_domain_key"
+                    LogDriver:
+                      Name: "json-file"
+                      Options:
+                        max-file: "3"
+                        max-size: "10M"
+                    Placement: {}
+                    Resources:
+                      Limits:
+                        MemoryBytes: 104857600
+                      Reservations: {}
+                    RestartPolicy:
+                      Condition: "on-failure"
+                      Delay: 10000000000
+                      MaxAttempts: 10
+                  Mode:
+                    Replicated:
+                      Replicas: 4
+                  UpdateConfig:
+                    Parallelism: 2
+                    Delay: 1000000000
+                    FailureAction: "pause"
+                    Monitor: 15000000000
+                    MaxFailureRatio: 0.15
+                  RollbackConfig:
+                    Parallelism: 1
+                    Delay: 1000000000
+                    FailureAction: "pause"
+                    Monitor: 15000000000
+                    MaxFailureRatio: 0.15
+                  EndpointSpec:
+                    Ports:
+                      -
+                        Protocol: "tcp"
+                        PublishedPort: 8080
+                        TargetPort: 80
+                  Labels:
+                    foo: "bar"
+        - name: "X-Registry-Auth"
+          in: "header"
+          description: "A base64-encoded auth configuration for pulling from private registries. [See the authentication section for details.](#section/Authentication)"
+          type: "string"
+      tags: ["Service"]
+  /services/{id}:
+    get:
+      summary: "Inspect a service"
+      operationId: "ServiceInspect"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/Service"
+        404:
+          description: "no such service"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "ID or name of service."
+          required: true
+          type: "string"
+        - name: "insertDefaults"
+          in: "query"
+          description: "Fill empty fields with default values."
+          type: "boolean"
+          default: false
+      tags: ["Service"]
+    delete:
+      summary: "Delete a service"
+      operationId: "ServiceDelete"
+      responses:
+        200:
+          description: "no error"
+        404:
+          description: "no such service"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "ID or name of service."
+          required: true
+          type: "string"
+      tags: ["Service"]
+  /services/{id}/update:
+    post:
+      summary: "Update a service"
+      operationId: "ServiceUpdate"
+      consumes: ["application/json"]
+      produces: ["application/json"]
+      responses:
+        200:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/ServiceUpdateResponse"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such service"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "ID or name of service."
+          required: true
+          type: "string"
+        - name: "body"
+          in: "body"
+          required: true
+          schema:
+            allOf:
+              - $ref: "#/definitions/ServiceSpec"
+              - type: "object"
+                example:
+                  Name: "top"
+                  TaskTemplate:
+                    ContainerSpec:
+                      Image: "busybox"
+                      Args:
+                        - "top"
+                    Resources:
+                      Limits: {}
+                      Reservations: {}
+                    RestartPolicy:
+                      Condition: "any"
+                      MaxAttempts: 0
+                    Placement: {}
+                    ForceUpdate: 0
+                  Mode:
+                    Replicated:
+                      Replicas: 1
+                  UpdateConfig:
+                    Parallelism: 2
+                    Delay: 1000000000
+                    FailureAction: "pause"
+                    Monitor: 15000000000
+                    MaxFailureRatio: 0.15
+                  RollbackConfig:
+                    Parallelism: 1
+                    Delay: 1000000000
+                    FailureAction: "pause"
+                    Monitor: 15000000000
+                    MaxFailureRatio: 0.15
+                  EndpointSpec:
+                    Mode: "vip"
+
+        - name: "version"
+          in: "query"
+          description: "The version number of the service object being updated. This is required to avoid conflicting writes."
+          required: true
+          type: "integer"
+        - name: "registryAuthFrom"
+          in: "query"
+          type: "string"
+          description: "If the X-Registry-Auth header is not specified, this
+  parameter indicates where to find registry authorization credentials. The
+  valid values are `spec` and `previous-spec`."
+          default: "spec"
+        - name: "rollback"
+          in: "query"
+          type: "string"
+          description: "Set to this parameter to `previous` to cause a
+  server-side rollback to the previous service spec. The supplied spec will be
+  ignored in this case."
+        - name: "X-Registry-Auth"
+          in: "header"
+          description: "A base64-encoded auth configuration for pulling from private registries. [See the authentication section for details.](#section/Authentication)"
+          type: "string"
+
+      tags: ["Service"]
+  /services/{id}/logs:
+    get:
+      summary: "Get service logs"
+      description: |
+        Get `stdout` and `stderr` logs from a service.
+
+        **Note**: This endpoint works only for services with the `json-file` or `journald` logging drivers.
+      operationId: "ServiceLogs"
+      produces:
+        - "application/vnd.docker.raw-stream"
+        - "application/json"
+      responses:
+        101:
+          description: "logs returned as a stream"
+          schema:
+            type: "string"
+            format: "binary"
+        200:
+          description: "logs returned as a string in response body"
+          schema:
+            type: "string"
+        404:
+          description: "no such service"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such service: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID or name of the service"
+          type: "string"
+        - name: "details"
+          in: "query"
+          description: "Show service context and extra details provided to logs."
+          type: "boolean"
+          default: false
+        - name: "follow"
+          in: "query"
+          description: |
+            Return the logs as a stream.
+
+            This will return a `101` HTTP response with a `Connection: upgrade` header, then hijack the HTTP connection to send raw output. For more information about hijacking and the stream format, [see the documentation for the attach endpoint](#operation/ContainerAttach).
+          type: "boolean"
+          default: false
+        - name: "stdout"
+          in: "query"
+          description: "Return logs from `stdout`"
+          type: "boolean"
+          default: false
+        - name: "stderr"
+          in: "query"
+          description: "Return logs from `stderr`"
+          type: "boolean"
+          default: false
+        - name: "since"
+          in: "query"
+          description: "Only return logs since this time, as a UNIX timestamp"
+          type: "integer"
+          default: 0
+        - name: "timestamps"
+          in: "query"
+          description: "Add timestamps to every log line"
+          type: "boolean"
+          default: false
+        - name: "tail"
+          in: "query"
+          description: "Only return this number of log lines from the end of the logs. Specify as an integer or `all` to output all log lines."
+          type: "string"
+          default: "all"
+      tags: ["Service"]
+  /tasks:
+    get:
+      summary: "List tasks"
+      operationId: "TaskList"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "array"
+            items:
+              $ref: "#/definitions/Task"
+            example:
+              - ID: "0kzzo1i0y4jz6027t0k7aezc7"
+                Version:
+                  Index: 71
+                CreatedAt: "2016-06-07T21:07:31.171892745Z"
+                UpdatedAt: "2016-06-07T21:07:31.376370513Z"
+                Spec:
+                  ContainerSpec:
+                    Image: "redis"
+                  Resources:
+                    Limits: {}
+                    Reservations: {}
+                  RestartPolicy:
+                    Condition: "any"
+                    MaxAttempts: 0
+                  Placement: {}
+                ServiceID: "9mnpnzenvg8p8tdbtq4wvbkcz"
+                Slot: 1
+                NodeID: "60gvrl6tm78dmak4yl7srz94v"
+                Status:
+                  Timestamp: "2016-06-07T21:07:31.290032978Z"
+                  State: "running"
+                  Message: "started"
+                  ContainerStatus:
+                    ContainerID: "e5d62702a1b48d01c3e02ca1e0212a250801fa8d67caca0b6f35919ebc12f035"
+                    PID: 677
+                DesiredState: "running"
+                NetworksAttachments:
+                  - Network:
+                      ID: "4qvuz4ko70xaltuqbt8956gd1"
+                      Version:
+                        Index: 18
+                      CreatedAt: "2016-06-07T20:31:11.912919752Z"
+                      UpdatedAt: "2016-06-07T21:07:29.955277358Z"
+                      Spec:
+                        Name: "ingress"
+                        Labels:
+                          com.docker.swarm.internal: "true"
+                        DriverConfiguration: {}
+                        IPAMOptions:
+                          Driver: {}
+                          Configs:
+                            - Subnet: "10.255.0.0/16"
+                              Gateway: "10.255.0.1"
+                      DriverState:
+                        Name: "overlay"
+                        Options:
+                          com.docker.network.driver.overlay.vxlanid_list: "256"
+                      IPAMOptions:
+                        Driver:
+                          Name: "default"
+                        Configs:
+                          - Subnet: "10.255.0.0/16"
+                            Gateway: "10.255.0.1"
+                    Addresses:
+                      - "10.255.0.10/16"
+              - ID: "1yljwbmlr8er2waf8orvqpwms"
+                Version:
+                  Index: 30
+                CreatedAt: "2016-06-07T21:07:30.019104782Z"
+                UpdatedAt: "2016-06-07T21:07:30.231958098Z"
+                Name: "hopeful_cori"
+                Spec:
+                  ContainerSpec:
+                    Image: "redis"
+                  Resources:
+                    Limits: {}
+                    Reservations: {}
+                  RestartPolicy:
+                    Condition: "any"
+                    MaxAttempts: 0
+                  Placement: {}
+                ServiceID: "9mnpnzenvg8p8tdbtq4wvbkcz"
+                Slot: 1
+                NodeID: "60gvrl6tm78dmak4yl7srz94v"
+                Status:
+                  Timestamp: "2016-06-07T21:07:30.202183143Z"
+                  State: "shutdown"
+                  Message: "shutdown"
+                  ContainerStatus:
+                    ContainerID: "1cf8d63d18e79668b0004a4be4c6ee58cddfad2dae29506d8781581d0688a213"
+                DesiredState: "shutdown"
+                NetworksAttachments:
+                  - Network:
+                      ID: "4qvuz4ko70xaltuqbt8956gd1"
+                      Version:
+                        Index: 18
+                      CreatedAt: "2016-06-07T20:31:11.912919752Z"
+                      UpdatedAt: "2016-06-07T21:07:29.955277358Z"
+                      Spec:
+                        Name: "ingress"
+                        Labels:
+                          com.docker.swarm.internal: "true"
+                        DriverConfiguration: {}
+                        IPAMOptions:
+                          Driver: {}
+                          Configs:
+                            - Subnet: "10.255.0.0/16"
+                              Gateway: "10.255.0.1"
+                      DriverState:
+                        Name: "overlay"
+                        Options:
+                          com.docker.network.driver.overlay.vxlanid_list: "256"
+                      IPAMOptions:
+                        Driver:
+                          Name: "default"
+                        Configs:
+                          - Subnet: "10.255.0.0/16"
+                            Gateway: "10.255.0.1"
+                    Addresses:
+                      - "10.255.0.5/16"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "filters"
+          in: "query"
+          type: "string"
+          description: |
+            A JSON encoded value of the filters (a `map[string][]string`) to process on the tasks list. Available filters:
+
+            - `desired-state=(running | shutdown | accepted)`
+            - `id=<task id>`
+            - `label=key` or `label="key=value"`
+            - `name=<task name>`
+            - `node=<node id or name>`
+            - `service=<service name>`
+      tags: ["Task"]
+  /tasks/{id}:
+    get:
+      summary: "Inspect a task"
+      operationId: "TaskInspect"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/Task"
+        404:
+          description: "no such task"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "ID of the task"
+          required: true
+          type: "string"
+      tags: ["Task"]
+  /tasks/{id}/logs:
+    get:
+      summary: "Get task logs"
+      description: |
+        Get `stdout` and `stderr` logs from a task.
+
+        **Note**: This endpoint works only for services with the `json-file` or `journald` logging drivers.
+      operationId: "TaskLogs"
+      produces:
+        - "application/vnd.docker.raw-stream"
+        - "application/json"
+      responses:
+        101:
+          description: "logs returned as a stream"
+          schema:
+            type: "string"
+            format: "binary"
+        200:
+          description: "logs returned as a string in response body"
+          schema:
+            type: "string"
+        404:
+          description: "no such task"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such task: c2ada9df5af8"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          description: "ID of the task"
+          type: "string"
+        - name: "details"
+          in: "query"
+          description: "Show task context and extra details provided to logs."
+          type: "boolean"
+          default: false
+        - name: "follow"
+          in: "query"
+          description: |
+            Return the logs as a stream.
+
+            This will return a `101` HTTP response with a `Connection: upgrade` header, then hijack the HTTP connection to send raw output. For more information about hijacking and the stream format, [see the documentation for the attach endpoint](#operation/ContainerAttach).
+          type: "boolean"
+          default: false
+        - name: "stdout"
+          in: "query"
+          description: "Return logs from `stdout`"
+          type: "boolean"
+          default: false
+        - name: "stderr"
+          in: "query"
+          description: "Return logs from `stderr`"
+          type: "boolean"
+          default: false
+        - name: "since"
+          in: "query"
+          description: "Only return logs since this time, as a UNIX timestamp"
+          type: "integer"
+          default: 0
+        - name: "timestamps"
+          in: "query"
+          description: "Add timestamps to every log line"
+          type: "boolean"
+          default: false
+        - name: "tail"
+          in: "query"
+          description: "Only return this number of log lines from the end of the logs. Specify as an integer or `all` to output all log lines."
+          type: "string"
+          default: "all"
+  /secrets:
+    get:
+      summary: "List secrets"
+      operationId: "SecretList"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "array"
+            items:
+              $ref: "#/definitions/Secret"
+            example:
+              - ID: "blt1owaxmitz71s9v5zh81zun"
+                Version:
+                  Index: 85
+                CreatedAt: "2017-07-20T13:55:28.678958722Z"
+                UpdatedAt: "2017-07-20T13:55:28.678958722Z"
+                Spec:
+                  Name: "mysql-passwd"
+                  Labels:
+                    some.label: "some.value"
+                  Driver:
+                    Name: "secret-bucket"
+                    Options:
+                      OptionA: "value for driver option A"
+                      OptionB: "value for driver option B"
+              - ID: "ktnbjxoalbkvbvedmg1urrz8h"
+                Version:
+                  Index: 11
+                CreatedAt: "2016-11-05T01:20:17.327670065Z"
+                UpdatedAt: "2016-11-05T01:20:17.327670065Z"
+                Spec:
+                  Name: "app-dev.crt"
+                  Labels:
+                    foo: "bar"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "filters"
+          in: "query"
+          type: "string"
+          description: |
+            A JSON encoded value of the filters (a `map[string][]string`) to process on the secrets list. Available filters:
+
+            - `id=<secret id>`
+            - `label=<key> or label=<key>=value`
+            - `name=<secret name>`
+            - `names=<secret name>`
+      tags: ["Secret"]
+  /secrets/create:
+    post:
+      summary: "Create a secret"
+      operationId: "SecretCreate"
+      consumes:
+        - "application/json"
+      produces:
+        - "application/json"
+      responses:
+        201:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/IdResponse"
+        409:
+          description: "name conflicts with an existing object"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "body"
+          in: "body"
+          schema:
+            allOf:
+              - $ref: "#/definitions/SecretSpec"
+              - type: "object"
+                example:
+                  Name: "app-key.crt"
+                  Labels:
+                    foo: "bar"
+                  Data: "VEhJUyBJUyBOT1QgQSBSRUFMIENFUlRJRklDQVRFCg=="
+                  Driver:
+                    Name: "secret-bucket"
+                    Options:
+                      OptionA: "value for driver option A"
+                      OptionB: "value for driver option B"
+      tags: ["Secret"]
+  /secrets/{id}:
+    get:
+      summary: "Inspect a secret"
+      operationId: "SecretInspect"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/Secret"
+          examples:
+            application/json:
+              ID: "ktnbjxoalbkvbvedmg1urrz8h"
+              Version:
+                Index: 11
+              CreatedAt: "2016-11-05T01:20:17.327670065Z"
+              UpdatedAt: "2016-11-05T01:20:17.327670065Z"
+              Spec:
+                Name: "app-dev.crt"
+                Labels:
+                  foo: "bar"
+                Driver:
+                  Name: "secret-bucket"
+                  Options:
+                    OptionA: "value for driver option A"
+                    OptionB: "value for driver option B"
+
+        404:
+          description: "secret not found"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          type: "string"
+          description: "ID of the secret"
+      tags: ["Secret"]
+    delete:
+      summary: "Delete a secret"
+      operationId: "SecretDelete"
+      produces:
+        - "application/json"
+      responses:
+        204:
+          description: "no error"
+        404:
+          description: "secret not found"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          type: "string"
+          description: "ID of the secret"
+      tags: ["Secret"]
+  /secrets/{id}/update:
+    post:
+      summary: "Update a Secret"
+      operationId: "SecretUpdate"
+      responses:
+        200:
+          description: "no error"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such secret"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "The ID or name of the secret"
+          type: "string"
+          required: true
+        - name: "body"
+          in: "body"
+          schema:
+            $ref: "#/definitions/SecretSpec"
+          description: "The spec of the secret to update. Currently, only the Labels field can be updated. All other fields must remain unchanged from the [SecretInspect endpoint](#operation/SecretInspect) response values."
+        - name: "version"
+          in: "query"
+          description: "The version number of the secret object being updated. This is required to avoid conflicting writes."
+          type: "integer"
+          format: "int64"
+          required: true
+      tags: ["Secret"]
+  /configs:
+    get:
+      summary: "List configs"
+      operationId: "ConfigList"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            type: "array"
+            items:
+              $ref: "#/definitions/Config"
+            example:
+              - ID: "ktnbjxoalbkvbvedmg1urrz8h"
+                Version:
+                  Index: 11
+                CreatedAt: "2016-11-05T01:20:17.327670065Z"
+                UpdatedAt: "2016-11-05T01:20:17.327670065Z"
+                Spec:
+                  Name: "server.conf"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "filters"
+          in: "query"
+          type: "string"
+          description: |
+            A JSON encoded value of the filters (a `map[string][]string`) to process on the configs list. Available filters:
+
+            - `id=<config id>`
+            - `label=<key> or label=<key>=value`
+            - `name=<config name>`
+            - `names=<config name>`
+      tags: ["Config"]
+  /configs/create:
+    post:
+      summary: "Create a config"
+      operationId: "ConfigCreate"
+      consumes:
+        - "application/json"
+      produces:
+        - "application/json"
+      responses:
+        201:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/IdResponse"
+        409:
+          description: "name conflicts with an existing object"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "body"
+          in: "body"
+          schema:
+            allOf:
+              - $ref: "#/definitions/ConfigSpec"
+              - type: "object"
+                example:
+                  Name: "server.conf"
+                  Labels:
+                    foo: "bar"
+                  Data: "VEhJUyBJUyBOT1QgQSBSRUFMIENFUlRJRklDQVRFCg=="
+      tags: ["Config"]
+  /configs/{id}:
+    get:
+      summary: "Inspect a config"
+      operationId: "ConfigInspect"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "no error"
+          schema:
+            $ref: "#/definitions/Config"
+          examples:
+            application/json:
+              ID: "ktnbjxoalbkvbvedmg1urrz8h"
+              Version:
+                Index: 11
+              CreatedAt: "2016-11-05T01:20:17.327670065Z"
+              UpdatedAt: "2016-11-05T01:20:17.327670065Z"
+              Spec:
+                Name: "app-dev.crt"
+        404:
+          description: "config not found"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          type: "string"
+          description: "ID of the config"
+      tags: ["Config"]
+    delete:
+      summary: "Delete a config"
+      operationId: "ConfigDelete"
+      produces:
+        - "application/json"
+      responses:
+        204:
+          description: "no error"
+        404:
+          description: "config not found"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          required: true
+          type: "string"
+          description: "ID of the config"
+      tags: ["Config"]
+  /configs/{id}/update:
+    post:
+      summary: "Update a Config"
+      operationId: "ConfigUpdate"
+      responses:
+        200:
+          description: "no error"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        404:
+          description: "no such config"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        503:
+          description: "node is not part of a swarm"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "id"
+          in: "path"
+          description: "The ID or name of the config"
+          type: "string"
+          required: true
+        - name: "body"
+          in: "body"
+          schema:
+            $ref: "#/definitions/ConfigSpec"
+          description: "The spec of the config to update. Currently, only the Labels field can be updated. All other fields must remain unchanged from the [ConfigInspect endpoint](#operation/ConfigInspect) response values."
+        - name: "version"
+          in: "query"
+          description: "The version number of the config object being updated. This is required to avoid conflicting writes."
+          type: "integer"
+          format: "int64"
+          required: true
+      tags: ["Config"]
+  /distribution/{name}/json:
+    get:
+      summary: "Get image information from the registry"
+      description: "Return image digest and platform information by contacting the registry."
+      operationId: "DistributionInspect"
+      produces:
+        - "application/json"
+      responses:
+        200:
+          description: "descriptor and platform information"
+          schema:
+            type: "object"
+            x-go-name: DistributionInspect
+            title: "DistributionInspectResponse"
+            required: [Descriptor, Platforms]
+            properties:
+              Descriptor:
+                type: "object"
+                description: "A descriptor struct containing digest, media type, and size"
+                properties:
+                  MediaType:
+                    type: "string"
+                  Size:
+                    type: "integer"
+                    format: "int64"
+                  Digest:
+                    type: "string"
+                  URLs:
+                    type: "array"
+                    items:
+                      type: "string"
+              Platforms:
+                type: "array"
+                description: "An array containing all platforms supported by the image"
+                items:
+                  type: "object"
+                  properties:
+                    Architecture:
+                      type: "string"
+                    OS:
+                      type: "string"
+                    OSVersion:
+                      type: "string"
+                    OSFeatures:
+                      type: "array"
+                      items:
+                        type: "string"
+                    Variant:
+                      type: "string"
+                    Features:
+                      type: "array"
+                      items:
+                        type: "string"
+          examples:
+            application/json:
+              Descriptor:
+                MediaType: "application/vnd.docker.distribution.manifest.v2+json"
+                Digest: "sha256:c0537ff6a5218ef531ece93d4984efc99bbf3f7497c0a7726c88e2bb7584dc96"
+                Size: 3987495
+                URLs:
+                  - ""
+              Platforms:
+                - Architecture: "amd64"
+                  OS: "linux"
+                  OSVersion: ""
+                  OSFeatures:
+                    - ""
+                  Variant: ""
+                  Features:
+                    - ""
+        401:
+          description: "Failed authentication or no image found"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+          examples:
+            application/json:
+              message: "No such image: someimage (tag: latest)"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      parameters:
+        - name: "name"
+          in: "path"
+          description: "Image name or id"
+          type: "string"
+          required: true
+      tags: ["Distribution"]
+  /session:
+    post:
+      summary: "Initialize interactive session"
+      description: |
+        Start a new interactive session with a server. Session allows server to call back to the client for advanced capabilities.
+
+        > **Note**: This endpoint is *experimental* and only available if the daemon is started with experimental
+        > features enabled. The specifications for this endpoint may still change in a future version of the API.
+
+        ### Hijacking
+
+        This endpoint hijacks the HTTP connection to HTTP2 transport that allows the client to expose gPRC services on that connection.
+
+        For example, the client sends this request to upgrade the connection:
+
+        ```
+        POST /session HTTP/1.1
+        Upgrade: h2c
+        Connection: Upgrade
+        ```
+
+        The Docker daemon will respond with a `101 UPGRADED` response follow with the raw stream:
+
+        ```
+        HTTP/1.1 101 UPGRADED
+        Connection: Upgrade
+        Upgrade: h2c
+        ```
+      operationId: "Session"
+      produces:
+        - "application/vnd.docker.raw-stream"
+      responses:
+        101:
+          description: "no error, hijacking successful"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
+      tags: ["Session (experimental)"]
diff --git a/engine/api/templates/server/operation.gotmpl b/engine/api/templates/server/operation.gotmpl
new file mode 100644
index 00000000..8bed59d9
--- /dev/null
+++ b/engine/api/templates/server/operation.gotmpl
@@ -0,0 +1,26 @@
+package {{ .Package }}
+
+// ----------------------------------------------------------------------------
+// DO NOT EDIT THIS FILE
+// This file was generated by `swagger generate operation`
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+import (
+	"net/http"
+
+	context "golang.org/x/net/context"
+
+  {{ range .DefaultImports }}{{ printf "%q" . }}
+  {{ end }}
+  {{ range $key, $value := .Imports }}{{ $key }} {{ printf "%q" $value }}
+  {{ end }}
+)
+
+
+{{ range .ExtraSchemas }}
+// {{ .Name }} {{ comment .Description }}
+// swagger:model {{ .Name }}
+{{ template "schema" . }}
+{{ end }}
diff --git a/engine/api/types/auth.go b/engine/api/types/auth.go
new file mode 100644
index 00000000..ddf15bb1
--- /dev/null
+++ b/engine/api/types/auth.go
@@ -0,0 +1,22 @@
+package types // import "github.com/docker/docker/api/types"
+
+// AuthConfig contains authorization information for connecting to a Registry
+type AuthConfig struct {
+	Username string `json:"username,omitempty"`
+	Password string `json:"password,omitempty"`
+	Auth     string `json:"auth,omitempty"`
+
+	// Email is an optional value associated with the username.
+	// This field is deprecated and will be removed in a later
+	// version of docker.
+	Email string `json:"email,omitempty"`
+
+	ServerAddress string `json:"serveraddress,omitempty"`
+
+	// IdentityToken is used to authenticate the user and get
+	// an access token for the registry.
+	IdentityToken string `json:"identitytoken,omitempty"`
+
+	// RegistryToken is a bearer token to be sent to a registry
+	RegistryToken string `json:"registrytoken,omitempty"`
+}
diff --git a/engine/api/types/backend/backend.go b/engine/api/types/backend/backend.go
new file mode 100644
index 00000000..ef1e669c
--- /dev/null
+++ b/engine/api/types/backend/backend.go
@@ -0,0 +1,128 @@
+// Package backend includes types to send information to server backends.
+package backend // import "github.com/docker/docker/api/types/backend"
+
+import (
+	"io"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+// ContainerAttachConfig holds the streams to use when connecting to a container to view logs.
+type ContainerAttachConfig struct {
+	GetStreams func() (io.ReadCloser, io.Writer, io.Writer, error)
+	UseStdin   bool
+	UseStdout  bool
+	UseStderr  bool
+	Logs       bool
+	Stream     bool
+	DetachKeys string
+
+	// Used to signify that streams are multiplexed and therefore need a StdWriter to encode stdout/stderr messages accordingly.
+	// TODO @cpuguy83: This shouldn't be needed. It was only added so that http and websocket endpoints can use the same function, and the websocket function was not using a stdwriter prior to this change...
+	// HOWEVER, the websocket endpoint is using a single stream and SHOULD be encoded with stdout/stderr as is done for HTTP since it is still just a single stream.
+	// Since such a change is an API change unrelated to the current changeset we'll keep it as is here and change separately.
+	MuxStreams bool
+}
+
+// PartialLogMetaData provides meta data for a partial log message. Messages
+// exceeding a predefined size are split into chunks with this metadata. The
+// expectation is for the logger endpoints to assemble the chunks using this
+// metadata.
+type PartialLogMetaData struct {
+	Last    bool   //true if this message is last of a partial
+	ID      string // identifies group of messages comprising a single record
+	Ordinal int    // ordering of message in partial group
+}
+
+// LogMessage is datastructure that represents piece of output produced by some
+// container.  The Line member is a slice of an array whose contents can be
+// changed after a log driver's Log() method returns.
+// changes to this struct need to be reflect in the reset method in
+// daemon/logger/logger.go
+type LogMessage struct {
+	Line         []byte
+	Source       string
+	Timestamp    time.Time
+	Attrs        []LogAttr
+	PLogMetaData *PartialLogMetaData
+
+	// Err is an error associated with a message. Completeness of a message
+	// with Err is not expected, tho it may be partially complete (fields may
+	// be missing, gibberish, or nil)
+	Err error
+}
+
+// LogAttr is used to hold the extra attributes available in the log message.
+type LogAttr struct {
+	Key   string
+	Value string
+}
+
+// LogSelector is a list of services and tasks that should be returned as part
+// of a log stream. It is similar to swarmapi.LogSelector, with the difference
+// that the names don't have to be resolved to IDs; this is mostly to avoid
+// accidents later where a swarmapi LogSelector might have been incorrectly
+// used verbatim (and to avoid the handler having to import swarmapi types)
+type LogSelector struct {
+	Services []string
+	Tasks    []string
+}
+
+// ContainerStatsConfig holds information for configuring the runtime
+// behavior of a backend.ContainerStats() call.
+type ContainerStatsConfig struct {
+	Stream    bool
+	OutStream io.Writer
+	Version   string
+}
+
+// ExecInspect holds information about a running process started
+// with docker exec.
+type ExecInspect struct {
+	ID            string
+	Running       bool
+	ExitCode      *int
+	ProcessConfig *ExecProcessConfig
+	OpenStdin     bool
+	OpenStderr    bool
+	OpenStdout    bool
+	CanRemove     bool
+	ContainerID   string
+	DetachKeys    []byte
+	Pid           int
+}
+
+// ExecProcessConfig holds information about the exec process
+// running on the host.
+type ExecProcessConfig struct {
+	Tty        bool     `json:"tty"`
+	Entrypoint string   `json:"entrypoint"`
+	Arguments  []string `json:"arguments"`
+	Privileged *bool    `json:"privileged,omitempty"`
+	User       string   `json:"user,omitempty"`
+}
+
+// CreateImageConfig is the configuration for creating an image from a
+// container.
+type CreateImageConfig struct {
+	Repo    string
+	Tag     string
+	Pause   bool
+	Author  string
+	Comment string
+	Config  *container.Config
+	Changes []string
+}
+
+// CommitConfig is the configuration for creating an image as part of a build.
+type CommitConfig struct {
+	Author              string
+	Comment             string
+	Config              *container.Config
+	ContainerConfig     *container.Config
+	ContainerID         string
+	ContainerMountLabel string
+	ContainerOS         string
+	ParentImageID       string
+}
diff --git a/engine/api/types/backend/build.go b/engine/api/types/backend/build.go
new file mode 100644
index 00000000..1a2e59f2
--- /dev/null
+++ b/engine/api/types/backend/build.go
@@ -0,0 +1,45 @@
+package backend // import "github.com/docker/docker/api/types/backend"
+
+import (
+	"io"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/streamformatter"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// PullOption defines different modes for accessing images
+type PullOption int
+
+const (
+	// PullOptionNoPull only returns local images
+	PullOptionNoPull PullOption = iota
+	// PullOptionForcePull always tries to pull a ref from the registry first
+	PullOptionForcePull
+	// PullOptionPreferLocal uses local image if it exists, otherwise pulls
+	PullOptionPreferLocal
+)
+
+// ProgressWriter is a data object to transport progress streams to the client
+type ProgressWriter struct {
+	Output             io.Writer
+	StdoutFormatter    io.Writer
+	StderrFormatter    io.Writer
+	AuxFormatter       *streamformatter.AuxFormatter
+	ProgressReaderFunc func(io.ReadCloser) io.ReadCloser
+}
+
+// BuildConfig is the configuration used by a BuildManager to start a build
+type BuildConfig struct {
+	Source         io.ReadCloser
+	ProgressWriter ProgressWriter
+	Options        *types.ImageBuildOptions
+}
+
+// GetImageAndLayerOptions are the options supported by GetImageAndReleasableLayer
+type GetImageAndLayerOptions struct {
+	PullOption PullOption
+	AuthConfig map[string]types.AuthConfig
+	Output     io.Writer
+	Platform   *specs.Platform
+}
diff --git a/engine/api/types/blkiodev/blkio.go b/engine/api/types/blkiodev/blkio.go
new file mode 100644
index 00000000..bf3463b9
--- /dev/null
+++ b/engine/api/types/blkiodev/blkio.go
@@ -0,0 +1,23 @@
+package blkiodev // import "github.com/docker/docker/api/types/blkiodev"
+
+import "fmt"
+
+// WeightDevice is a structure that holds device:weight pair
+type WeightDevice struct {
+	Path   string
+	Weight uint16
+}
+
+func (w *WeightDevice) String() string {
+	return fmt.Sprintf("%s:%d", w.Path, w.Weight)
+}
+
+// ThrottleDevice is a structure that holds device:rate_per_second pair
+type ThrottleDevice struct {
+	Path string
+	Rate uint64
+}
+
+func (t *ThrottleDevice) String() string {
+	return fmt.Sprintf("%s:%d", t.Path, t.Rate)
+}
diff --git a/engine/api/types/client.go b/engine/api/types/client.go
new file mode 100644
index 00000000..3b698c2c
--- /dev/null
+++ b/engine/api/types/client.go
@@ -0,0 +1,406 @@
+package types // import "github.com/docker/docker/api/types"
+
+import (
+	"bufio"
+	"io"
+	"net"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/filters"
+	units "github.com/docker/go-units"
+)
+
+// CheckpointCreateOptions holds parameters to create a checkpoint from a container
+type CheckpointCreateOptions struct {
+	CheckpointID  string
+	CheckpointDir string
+	Exit          bool
+}
+
+// CheckpointListOptions holds parameters to list checkpoints for a container
+type CheckpointListOptions struct {
+	CheckpointDir string
+}
+
+// CheckpointDeleteOptions holds parameters to delete a checkpoint from a container
+type CheckpointDeleteOptions struct {
+	CheckpointID  string
+	CheckpointDir string
+}
+
+// ContainerAttachOptions holds parameters to attach to a container.
+type ContainerAttachOptions struct {
+	Stream     bool
+	Stdin      bool
+	Stdout     bool
+	Stderr     bool
+	DetachKeys string
+	Logs       bool
+}
+
+// ContainerCommitOptions holds parameters to commit changes into a container.
+type ContainerCommitOptions struct {
+	Reference string
+	Comment   string
+	Author    string
+	Changes   []string
+	Pause     bool
+	Config    *container.Config
+}
+
+// ContainerExecInspect holds information returned by exec inspect.
+type ContainerExecInspect struct {
+	ExecID      string
+	ContainerID string
+	Running     bool
+	ExitCode    int
+	Pid         int
+}
+
+// ContainerListOptions holds parameters to list containers with.
+type ContainerListOptions struct {
+	Quiet   bool
+	Size    bool
+	All     bool
+	Latest  bool
+	Since   string
+	Before  string
+	Limit   int
+	Filters filters.Args
+}
+
+// ContainerLogsOptions holds parameters to filter logs with.
+type ContainerLogsOptions struct {
+	ShowStdout bool
+	ShowStderr bool
+	Since      string
+	Until      string
+	Timestamps bool
+	Follow     bool
+	Tail       string
+	Details    bool
+}
+
+// ContainerRemoveOptions holds parameters to remove containers.
+type ContainerRemoveOptions struct {
+	RemoveVolumes bool
+	RemoveLinks   bool
+	Force         bool
+}
+
+// ContainerStartOptions holds parameters to start containers.
+type ContainerStartOptions struct {
+	CheckpointID  string
+	CheckpointDir string
+}
+
+// CopyToContainerOptions holds information
+// about files to copy into a container
+type CopyToContainerOptions struct {
+	AllowOverwriteDirWithFile bool
+	CopyUIDGID                bool
+}
+
+// EventsOptions holds parameters to filter events with.
+type EventsOptions struct {
+	Since   string
+	Until   string
+	Filters filters.Args
+}
+
+// NetworkListOptions holds parameters to filter the list of networks with.
+type NetworkListOptions struct {
+	Filters filters.Args
+}
+
+// HijackedResponse holds connection information for a hijacked request.
+type HijackedResponse struct {
+	Conn   net.Conn
+	Reader *bufio.Reader
+}
+
+// Close closes the hijacked connection and reader.
+func (h *HijackedResponse) Close() {
+	h.Conn.Close()
+}
+
+// CloseWriter is an interface that implements structs
+// that close input streams to prevent from writing.
+type CloseWriter interface {
+	CloseWrite() error
+}
+
+// CloseWrite closes a readWriter for writing.
+func (h *HijackedResponse) CloseWrite() error {
+	if conn, ok := h.Conn.(CloseWriter); ok {
+		return conn.CloseWrite()
+	}
+	return nil
+}
+
+// ImageBuildOptions holds the information
+// necessary to build images.
+type ImageBuildOptions struct {
+	Tags           []string
+	SuppressOutput bool
+	RemoteContext  string
+	NoCache        bool
+	Remove         bool
+	ForceRemove    bool
+	PullParent     bool
+	Isolation      container.Isolation
+	CPUSetCPUs     string
+	CPUSetMems     string
+	CPUShares      int64
+	CPUQuota       int64
+	CPUPeriod      int64
+	Memory         int64
+	MemorySwap     int64
+	CgroupParent   string
+	NetworkMode    string
+	ShmSize        int64
+	Dockerfile     string
+	Ulimits        []*units.Ulimit
+	// BuildArgs needs to be a *string instead of just a string so that
+	// we can tell the difference between "" (empty string) and no value
+	// at all (nil). See the parsing of buildArgs in
+	// api/server/router/build/build_routes.go for even more info.
+	BuildArgs   map[string]*string
+	AuthConfigs map[string]AuthConfig
+	Context     io.Reader
+	Labels      map[string]string
+	// squash the resulting image's layers to the parent
+	// preserves the original image and creates a new one from the parent with all
+	// the changes applied to a single layer
+	Squash bool
+	// CacheFrom specifies images that are used for matching cache. Images
+	// specified here do not need to have a valid parent chain to match cache.
+	CacheFrom   []string
+	SecurityOpt []string
+	ExtraHosts  []string // List of extra hosts
+	Target      string
+	SessionID   string
+	Platform    string
+	// Version specifies the version of the unerlying builder to use
+	Version BuilderVersion
+	// BuildID is an optional identifier that can be passed together with the
+	// build request. The same identifier can be used to gracefully cancel the
+	// build with the cancel request.
+	BuildID string
+}
+
+// BuilderVersion sets the version of underlying builder to use
+type BuilderVersion string
+
+const (
+	// BuilderV1 is the first generation builder in docker daemon
+	BuilderV1 BuilderVersion = "1"
+	// BuilderBuildKit is builder based on moby/buildkit project
+	BuilderBuildKit = "2"
+)
+
+// ImageBuildResponse holds information
+// returned by a server after building
+// an image.
+type ImageBuildResponse struct {
+	Body   io.ReadCloser
+	OSType string
+}
+
+// ImageCreateOptions holds information to create images.
+type ImageCreateOptions struct {
+	RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry.
+	Platform     string // Platform is the target platform of the image if it needs to be pulled from the registry.
+}
+
+// ImageImportSource holds source information for ImageImport
+type ImageImportSource struct {
+	Source     io.Reader // Source is the data to send to the server to create this image from. You must set SourceName to "-" to leverage this.
+	SourceName string    // SourceName is the name of the image to pull. Set to "-" to leverage the Source attribute.
+}
+
+// ImageImportOptions holds information to import images from the client host.
+type ImageImportOptions struct {
+	Tag      string   // Tag is the name to tag this image with. This attribute is deprecated.
+	Message  string   // Message is the message to tag the image with
+	Changes  []string // Changes are the raw changes to apply to this image
+	Platform string   // Platform is the target platform of the image
+}
+
+// ImageListOptions holds parameters to filter the list of images with.
+type ImageListOptions struct {
+	All     bool
+	Filters filters.Args
+}
+
+// ImageLoadResponse returns information to the client about a load process.
+type ImageLoadResponse struct {
+	// Body must be closed to avoid a resource leak
+	Body io.ReadCloser
+	JSON bool
+}
+
+// ImagePullOptions holds information to pull images.
+type ImagePullOptions struct {
+	All           bool
+	RegistryAuth  string // RegistryAuth is the base64 encoded credentials for the registry
+	PrivilegeFunc RequestPrivilegeFunc
+	Platform      string
+}
+
+// RequestPrivilegeFunc is a function interface that
+// clients can supply to retry operations after
+// getting an authorization error.
+// This function returns the registry authentication
+// header value in base 64 format, or an error
+// if the privilege request fails.
+type RequestPrivilegeFunc func() (string, error)
+
+//ImagePushOptions holds information to push images.
+type ImagePushOptions ImagePullOptions
+
+// ImageRemoveOptions holds parameters to remove images.
+type ImageRemoveOptions struct {
+	Force         bool
+	PruneChildren bool
+}
+
+// ImageSearchOptions holds parameters to search images with.
+type ImageSearchOptions struct {
+	RegistryAuth  string
+	PrivilegeFunc RequestPrivilegeFunc
+	Filters       filters.Args
+	Limit         int
+}
+
+// ResizeOptions holds parameters to resize a tty.
+// It can be used to resize container ttys and
+// exec process ttys too.
+type ResizeOptions struct {
+	Height uint
+	Width  uint
+}
+
+// NodeListOptions holds parameters to list nodes with.
+type NodeListOptions struct {
+	Filters filters.Args
+}
+
+// NodeRemoveOptions holds parameters to remove nodes with.
+type NodeRemoveOptions struct {
+	Force bool
+}
+
+// ServiceCreateOptions contains the options to use when creating a service.
+type ServiceCreateOptions struct {
+	// EncodedRegistryAuth is the encoded registry authorization credentials to
+	// use when updating the service.
+	//
+	// This field follows the format of the X-Registry-Auth header.
+	EncodedRegistryAuth string
+
+	// QueryRegistry indicates whether the service update requires
+	// contacting a registry. A registry may be contacted to retrieve
+	// the image digest and manifest, which in turn can be used to update
+	// platform or other information about the service.
+	QueryRegistry bool
+}
+
+// ServiceCreateResponse contains the information returned to a client
+// on the creation of a new service.
+type ServiceCreateResponse struct {
+	// ID is the ID of the created service.
+	ID string
+	// Warnings is a set of non-fatal warning messages to pass on to the user.
+	Warnings []string `json:",omitempty"`
+}
+
+// Values for RegistryAuthFrom in ServiceUpdateOptions
+const (
+	RegistryAuthFromSpec         = "spec"
+	RegistryAuthFromPreviousSpec = "previous-spec"
+)
+
+// ServiceUpdateOptions contains the options to be used for updating services.
+type ServiceUpdateOptions struct {
+	// EncodedRegistryAuth is the encoded registry authorization credentials to
+	// use when updating the service.
+	//
+	// This field follows the format of the X-Registry-Auth header.
+	EncodedRegistryAuth string
+
+	// TODO(stevvooe): Consider moving the version parameter of ServiceUpdate
+	// into this field. While it does open API users up to racy writes, most
+	// users may not need that level of consistency in practice.
+
+	// RegistryAuthFrom specifies where to find the registry authorization
+	// credentials if they are not given in EncodedRegistryAuth. Valid
+	// values are "spec" and "previous-spec".
+	RegistryAuthFrom string
+
+	// Rollback indicates whether a server-side rollback should be
+	// performed. When this is set, the provided spec will be ignored.
+	// The valid values are "previous" and "none". An empty value is the
+	// same as "none".
+	Rollback string
+
+	// QueryRegistry indicates whether the service update requires
+	// contacting a registry. A registry may be contacted to retrieve
+	// the image digest and manifest, which in turn can be used to update
+	// platform or other information about the service.
+	QueryRegistry bool
+}
+
+// ServiceListOptions holds parameters to list services with.
+type ServiceListOptions struct {
+	Filters filters.Args
+}
+
+// ServiceInspectOptions holds parameters related to the "service inspect"
+// operation.
+type ServiceInspectOptions struct {
+	InsertDefaults bool
+}
+
+// TaskListOptions holds parameters to list tasks with.
+type TaskListOptions struct {
+	Filters filters.Args
+}
+
+// PluginRemoveOptions holds parameters to remove plugins.
+type PluginRemoveOptions struct {
+	Force bool
+}
+
+// PluginEnableOptions holds parameters to enable plugins.
+type PluginEnableOptions struct {
+	Timeout int
+}
+
+// PluginDisableOptions holds parameters to disable plugins.
+type PluginDisableOptions struct {
+	Force bool
+}
+
+// PluginInstallOptions holds parameters to install a plugin.
+type PluginInstallOptions struct {
+	Disabled              bool
+	AcceptAllPermissions  bool
+	RegistryAuth          string // RegistryAuth is the base64 encoded credentials for the registry
+	RemoteRef             string // RemoteRef is the plugin name on the registry
+	PrivilegeFunc         RequestPrivilegeFunc
+	AcceptPermissionsFunc func(PluginPrivileges) (bool, error)
+	Args                  []string
+}
+
+// SwarmUnlockKeyResponse contains the response for Engine API:
+// GET /swarm/unlockkey
+type SwarmUnlockKeyResponse struct {
+	// UnlockKey is the unlock key in ASCII-armored format.
+	UnlockKey string
+}
+
+// PluginCreateOptions hold all options to plugin create.
+type PluginCreateOptions struct {
+	RepoName string
+}
diff --git a/engine/api/types/configs.go b/engine/api/types/configs.go
new file mode 100644
index 00000000..f6537a27
--- /dev/null
+++ b/engine/api/types/configs.go
@@ -0,0 +1,57 @@
+package types // import "github.com/docker/docker/api/types"
+
+import (
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+)
+
+// configs holds structs used for internal communication between the
+// frontend (such as an http server) and the backend (such as the
+// docker daemon).
+
+// ContainerCreateConfig is the parameter set to ContainerCreate()
+type ContainerCreateConfig struct {
+	Name             string
+	Config           *container.Config
+	HostConfig       *container.HostConfig
+	NetworkingConfig *network.NetworkingConfig
+	AdjustCPUShares  bool
+}
+
+// ContainerRmConfig holds arguments for the container remove
+// operation. This struct is used to tell the backend what operations
+// to perform.
+type ContainerRmConfig struct {
+	ForceRemove, RemoveVolume, RemoveLink bool
+}
+
+// ExecConfig is a small subset of the Config struct that holds the configuration
+// for the exec feature of docker.
+type ExecConfig struct {
+	User         string   // User that will run the command
+	Privileged   bool     // Is the container in privileged mode
+	Tty          bool     // Attach standard streams to a tty.
+	AttachStdin  bool     // Attach the standard input, makes possible user interaction
+	AttachStderr bool     // Attach the standard error
+	AttachStdout bool     // Attach the standard output
+	Detach       bool     // Execute in detach mode
+	DetachKeys   string   // Escape keys for detach
+	Env          []string // Environment variables
+	WorkingDir   string   // Working directory
+	Cmd          []string // Execution commands and args
+}
+
+// PluginRmConfig holds arguments for plugin remove.
+type PluginRmConfig struct {
+	ForceRemove bool
+}
+
+// PluginEnableConfig holds arguments for plugin enable
+type PluginEnableConfig struct {
+	Timeout int
+}
+
+// PluginDisableConfig holds arguments for plugin disable.
+type PluginDisableConfig struct {
+	ForceDisable bool
+}
diff --git a/engine/api/types/container/config.go b/engine/api/types/container/config.go
new file mode 100644
index 00000000..89ad08c2
--- /dev/null
+++ b/engine/api/types/container/config.go
@@ -0,0 +1,69 @@
+package container // import "github.com/docker/docker/api/types/container"
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/go-connections/nat"
+)
+
+// MinimumDuration puts a minimum on user configured duration.
+// This is to prevent API error on time unit. For example, API may
+// set 3 as healthcheck interval with intention of 3 seconds, but
+// Docker interprets it as 3 nanoseconds.
+const MinimumDuration = 1 * time.Millisecond
+
+// HealthConfig holds configuration settings for the HEALTHCHECK feature.
+type HealthConfig struct {
+	// Test is the test to perform to check that the container is healthy.
+	// An empty slice means to inherit the default.
+	// The options are:
+	// {} : inherit healthcheck
+	// {"NONE"} : disable healthcheck
+	// {"CMD", args...} : exec arguments directly
+	// {"CMD-SHELL", command} : run command with system's default shell
+	Test []string `json:",omitempty"`
+
+	// Zero means to inherit. Durations are expressed as integer nanoseconds.
+	Interval    time.Duration `json:",omitempty"` // Interval is the time to wait between checks.
+	Timeout     time.Duration `json:",omitempty"` // Timeout is the time to wait before considering the check to have hung.
+	StartPeriod time.Duration `json:",omitempty"` // The start period for the container to initialize before the retries starts to count down.
+
+	// Retries is the number of consecutive failures needed to consider a container as unhealthy.
+	// Zero means inherit.
+	Retries int `json:",omitempty"`
+}
+
+// Config contains the configuration data about a container.
+// It should hold only portable information about the container.
+// Here, "portable" means "independent from the host we are running on".
+// Non-portable information *should* appear in HostConfig.
+// All fields added to this struct must be marked `omitempty` to keep getting
+// predictable hashes from the old `v1Compatibility` configuration.
+type Config struct {
+	Hostname        string              // Hostname
+	Domainname      string              // Domainname
+	User            string              // User that will run the command(s) inside the container, also support user:group
+	AttachStdin     bool                // Attach the standard input, makes possible user interaction
+	AttachStdout    bool                // Attach the standard output
+	AttachStderr    bool                // Attach the standard error
+	ExposedPorts    nat.PortSet         `json:",omitempty"` // List of exposed ports
+	Tty             bool                // Attach standard streams to a tty, including stdin if it is not closed.
+	OpenStdin       bool                // Open stdin
+	StdinOnce       bool                // If true, close stdin after the 1 attached client disconnects.
+	Env             []string            // List of environment variable to set in the container
+	Cmd             strslice.StrSlice   // Command to run when starting the container
+	Healthcheck     *HealthConfig       `json:",omitempty"` // Healthcheck describes how to check the container is healthy
+	ArgsEscaped     bool                `json:",omitempty"` // True if command is already escaped (Windows specific)
+	Image           string              // Name of the image as it was passed by the operator (e.g. could be symbolic)
+	Volumes         map[string]struct{} // List of volumes (mounts) used for the container
+	WorkingDir      string              // Current directory (PWD) in the command will be launched
+	Entrypoint      strslice.StrSlice   // Entrypoint to run when starting the container
+	NetworkDisabled bool                `json:",omitempty"` // Is network disabled
+	MacAddress      string              `json:",omitempty"` // Mac Address of the container
+	OnBuild         []string            // ONBUILD metadata that were defined on the image Dockerfile
+	Labels          map[string]string   // List of labels set to this container
+	StopSignal      string              `json:",omitempty"` // Signal to stop a container
+	StopTimeout     *int                `json:",omitempty"` // Timeout (in seconds) to stop a container
+	Shell           strslice.StrSlice   `json:",omitempty"` // Shell for shell-form of RUN, CMD, ENTRYPOINT
+}
diff --git a/engine/api/types/container/container_changes.go b/engine/api/types/container/container_changes.go
new file mode 100644
index 00000000..c909d6ca
--- /dev/null
+++ b/engine/api/types/container/container_changes.go
@@ -0,0 +1,21 @@
+package container
+
+// ----------------------------------------------------------------------------
+// DO NOT EDIT THIS FILE
+// This file was generated by `swagger generate operation`
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+// ContainerChangeResponseItem change item in response to ContainerChanges operation
+// swagger:model ContainerChangeResponseItem
+type ContainerChangeResponseItem struct {
+
+	// Kind of change
+	// Required: true
+	Kind uint8 `json:"Kind"`
+
+	// Path to file that has changed
+	// Required: true
+	Path string `json:"Path"`
+}
diff --git a/engine/api/types/container/container_create.go b/engine/api/types/container/container_create.go
new file mode 100644
index 00000000..49efa0f2
--- /dev/null
+++ b/engine/api/types/container/container_create.go
@@ -0,0 +1,21 @@
+package container
+
+// ----------------------------------------------------------------------------
+// DO NOT EDIT THIS FILE
+// This file was generated by `swagger generate operation`
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+// ContainerCreateCreatedBody OK response to ContainerCreate operation
+// swagger:model ContainerCreateCreatedBody
+type ContainerCreateCreatedBody struct {
+
+	// The ID of the created container
+	// Required: true
+	ID string `json:"Id"`
+
+	// Warnings encountered when creating the container
+	// Required: true
+	Warnings []string `json:"Warnings"`
+}
diff --git a/engine/api/types/container/container_top.go b/engine/api/types/container/container_top.go
new file mode 100644
index 00000000..ba41edcf
--- /dev/null
+++ b/engine/api/types/container/container_top.go
@@ -0,0 +1,21 @@
+package container
+
+// ----------------------------------------------------------------------------
+// DO NOT EDIT THIS FILE
+// This file was generated by `swagger generate operation`
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+// ContainerTopOKBody OK response to ContainerTop operation
+// swagger:model ContainerTopOKBody
+type ContainerTopOKBody struct {
+
+	// Each process running in the container, where each is process is an array of values corresponding to the titles
+	// Required: true
+	Processes [][]string `json:"Processes"`
+
+	// The ps column titles
+	// Required: true
+	Titles []string `json:"Titles"`
+}
diff --git a/engine/api/types/container/container_update.go b/engine/api/types/container/container_update.go
new file mode 100644
index 00000000..7630ae54
--- /dev/null
+++ b/engine/api/types/container/container_update.go
@@ -0,0 +1,17 @@
+package container
+
+// ----------------------------------------------------------------------------
+// DO NOT EDIT THIS FILE
+// This file was generated by `swagger generate operation`
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+// ContainerUpdateOKBody OK response to ContainerUpdate operation
+// swagger:model ContainerUpdateOKBody
+type ContainerUpdateOKBody struct {
+
+	// warnings
+	// Required: true
+	Warnings []string `json:"Warnings"`
+}
diff --git a/engine/api/types/container/container_wait.go b/engine/api/types/container/container_wait.go
new file mode 100644
index 00000000..9e3910a6
--- /dev/null
+++ b/engine/api/types/container/container_wait.go
@@ -0,0 +1,29 @@
+package container
+
+// ----------------------------------------------------------------------------
+// DO NOT EDIT THIS FILE
+// This file was generated by `swagger generate operation`
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+// ContainerWaitOKBodyError container waiting error, if any
+// swagger:model ContainerWaitOKBodyError
+type ContainerWaitOKBodyError struct {
+
+	// Details of an error
+	Message string `json:"Message,omitempty"`
+}
+
+// ContainerWaitOKBody OK response to ContainerWait operation
+// swagger:model ContainerWaitOKBody
+type ContainerWaitOKBody struct {
+
+	// error
+	// Required: true
+	Error *ContainerWaitOKBodyError `json:"Error"`
+
+	// Exit code of the container
+	// Required: true
+	StatusCode int64 `json:"StatusCode"`
+}
diff --git a/engine/api/types/container/host_config.go b/engine/api/types/container/host_config.go
new file mode 100644
index 00000000..4ef26fa6
--- /dev/null
+++ b/engine/api/types/container/host_config.go
@@ -0,0 +1,412 @@
+package container // import "github.com/docker/docker/api/types/container"
+
+import (
+	"strings"
+
+	"github.com/docker/docker/api/types/blkiodev"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/go-connections/nat"
+	"github.com/docker/go-units"
+)
+
+// Isolation represents the isolation technology of a container. The supported
+// values are platform specific
+type Isolation string
+
+// IsDefault indicates the default isolation technology of a container. On Linux this
+// is the native driver. On Windows, this is a Windows Server Container.
+func (i Isolation) IsDefault() bool {
+	return strings.ToLower(string(i)) == "default" || string(i) == ""
+}
+
+// IsHyperV indicates the use of a Hyper-V partition for isolation
+func (i Isolation) IsHyperV() bool {
+	return strings.ToLower(string(i)) == "hyperv"
+}
+
+// IsProcess indicates the use of process isolation
+func (i Isolation) IsProcess() bool {
+	return strings.ToLower(string(i)) == "process"
+}
+
+const (
+	// IsolationEmpty is unspecified (same behavior as default)
+	IsolationEmpty = Isolation("")
+	// IsolationDefault is the default isolation mode on current daemon
+	IsolationDefault = Isolation("default")
+	// IsolationProcess is process isolation mode
+	IsolationProcess = Isolation("process")
+	// IsolationHyperV is HyperV isolation mode
+	IsolationHyperV = Isolation("hyperv")
+)
+
+// IpcMode represents the container ipc stack.
+type IpcMode string
+
+// IsPrivate indicates whether the container uses its own private ipc namespace which can not be shared.
+func (n IpcMode) IsPrivate() bool {
+	return n == "private"
+}
+
+// IsHost indicates whether the container shares the host's ipc namespace.
+func (n IpcMode) IsHost() bool {
+	return n == "host"
+}
+
+// IsShareable indicates whether the container's ipc namespace can be shared with another container.
+func (n IpcMode) IsShareable() bool {
+	return n == "shareable"
+}
+
+// IsContainer indicates whether the container uses another container's ipc namespace.
+func (n IpcMode) IsContainer() bool {
+	parts := strings.SplitN(string(n), ":", 2)
+	return len(parts) > 1 && parts[0] == "container"
+}
+
+// IsNone indicates whether container IpcMode is set to "none".
+func (n IpcMode) IsNone() bool {
+	return n == "none"
+}
+
+// IsEmpty indicates whether container IpcMode is empty
+func (n IpcMode) IsEmpty() bool {
+	return n == ""
+}
+
+// Valid indicates whether the ipc mode is valid.
+func (n IpcMode) Valid() bool {
+	return n.IsEmpty() || n.IsNone() || n.IsPrivate() || n.IsHost() || n.IsShareable() || n.IsContainer()
+}
+
+// Container returns the name of the container ipc stack is going to be used.
+func (n IpcMode) Container() string {
+	parts := strings.SplitN(string(n), ":", 2)
+	if len(parts) > 1 && parts[0] == "container" {
+		return parts[1]
+	}
+	return ""
+}
+
+// NetworkMode represents the container network stack.
+type NetworkMode string
+
+// IsNone indicates whether container isn't using a network stack.
+func (n NetworkMode) IsNone() bool {
+	return n == "none"
+}
+
+// IsDefault indicates whether container uses the default network stack.
+func (n NetworkMode) IsDefault() bool {
+	return n == "default"
+}
+
+// IsPrivate indicates whether container uses its private network stack.
+func (n NetworkMode) IsPrivate() bool {
+	return !(n.IsHost() || n.IsContainer())
+}
+
+// IsContainer indicates whether container uses a container network stack.
+func (n NetworkMode) IsContainer() bool {
+	parts := strings.SplitN(string(n), ":", 2)
+	return len(parts) > 1 && parts[0] == "container"
+}
+
+// ConnectedContainer is the id of the container which network this container is connected to.
+func (n NetworkMode) ConnectedContainer() string {
+	parts := strings.SplitN(string(n), ":", 2)
+	if len(parts) > 1 {
+		return parts[1]
+	}
+	return ""
+}
+
+//UserDefined indicates user-created network
+func (n NetworkMode) UserDefined() string {
+	if n.IsUserDefined() {
+		return string(n)
+	}
+	return ""
+}
+
+// UsernsMode represents userns mode in the container.
+type UsernsMode string
+
+// IsHost indicates whether the container uses the host's userns.
+func (n UsernsMode) IsHost() bool {
+	return n == "host"
+}
+
+// IsPrivate indicates whether the container uses the a private userns.
+func (n UsernsMode) IsPrivate() bool {
+	return !(n.IsHost())
+}
+
+// Valid indicates whether the userns is valid.
+func (n UsernsMode) Valid() bool {
+	parts := strings.Split(string(n), ":")
+	switch mode := parts[0]; mode {
+	case "", "host":
+	default:
+		return false
+	}
+	return true
+}
+
+// CgroupSpec represents the cgroup to use for the container.
+type CgroupSpec string
+
+// IsContainer indicates whether the container is using another container cgroup
+func (c CgroupSpec) IsContainer() bool {
+	parts := strings.SplitN(string(c), ":", 2)
+	return len(parts) > 1 && parts[0] == "container"
+}
+
+// Valid indicates whether the cgroup spec is valid.
+func (c CgroupSpec) Valid() bool {
+	return c.IsContainer() || c == ""
+}
+
+// Container returns the name of the container whose cgroup will be used.
+func (c CgroupSpec) Container() string {
+	parts := strings.SplitN(string(c), ":", 2)
+	if len(parts) > 1 {
+		return parts[1]
+	}
+	return ""
+}
+
+// UTSMode represents the UTS namespace of the container.
+type UTSMode string
+
+// IsPrivate indicates whether the container uses its private UTS namespace.
+func (n UTSMode) IsPrivate() bool {
+	return !(n.IsHost())
+}
+
+// IsHost indicates whether the container uses the host's UTS namespace.
+func (n UTSMode) IsHost() bool {
+	return n == "host"
+}
+
+// Valid indicates whether the UTS namespace is valid.
+func (n UTSMode) Valid() bool {
+	parts := strings.Split(string(n), ":")
+	switch mode := parts[0]; mode {
+	case "", "host":
+	default:
+		return false
+	}
+	return true
+}
+
+// PidMode represents the pid namespace of the container.
+type PidMode string
+
+// IsPrivate indicates whether the container uses its own new pid namespace.
+func (n PidMode) IsPrivate() bool {
+	return !(n.IsHost() || n.IsContainer())
+}
+
+// IsHost indicates whether the container uses the host's pid namespace.
+func (n PidMode) IsHost() bool {
+	return n == "host"
+}
+
+// IsContainer indicates whether the container uses a container's pid namespace.
+func (n PidMode) IsContainer() bool {
+	parts := strings.SplitN(string(n), ":", 2)
+	return len(parts) > 1 && parts[0] == "container"
+}
+
+// Valid indicates whether the pid namespace is valid.
+func (n PidMode) Valid() bool {
+	parts := strings.Split(string(n), ":")
+	switch mode := parts[0]; mode {
+	case "", "host":
+	case "container":
+		if len(parts) != 2 || parts[1] == "" {
+			return false
+		}
+	default:
+		return false
+	}
+	return true
+}
+
+// Container returns the name of the container whose pid namespace is going to be used.
+func (n PidMode) Container() string {
+	parts := strings.SplitN(string(n), ":", 2)
+	if len(parts) > 1 {
+		return parts[1]
+	}
+	return ""
+}
+
+// DeviceMapping represents the device mapping between the host and the container.
+type DeviceMapping struct {
+	PathOnHost        string
+	PathInContainer   string
+	CgroupPermissions string
+}
+
+// RestartPolicy represents the restart policies of the container.
+type RestartPolicy struct {
+	Name              string
+	MaximumRetryCount int
+}
+
+// IsNone indicates whether the container has the "no" restart policy.
+// This means the container will not automatically restart when exiting.
+func (rp *RestartPolicy) IsNone() bool {
+	return rp.Name == "no" || rp.Name == ""
+}
+
+// IsAlways indicates whether the container has the "always" restart policy.
+// This means the container will automatically restart regardless of the exit status.
+func (rp *RestartPolicy) IsAlways() bool {
+	return rp.Name == "always"
+}
+
+// IsOnFailure indicates whether the container has the "on-failure" restart policy.
+// This means the container will automatically restart of exiting with a non-zero exit status.
+func (rp *RestartPolicy) IsOnFailure() bool {
+	return rp.Name == "on-failure"
+}
+
+// IsUnlessStopped indicates whether the container has the
+// "unless-stopped" restart policy. This means the container will
+// automatically restart unless user has put it to stopped state.
+func (rp *RestartPolicy) IsUnlessStopped() bool {
+	return rp.Name == "unless-stopped"
+}
+
+// IsSame compares two RestartPolicy to see if they are the same
+func (rp *RestartPolicy) IsSame(tp *RestartPolicy) bool {
+	return rp.Name == tp.Name && rp.MaximumRetryCount == tp.MaximumRetryCount
+}
+
+// LogMode is a type to define the available modes for logging
+// These modes affect how logs are handled when log messages start piling up.
+type LogMode string
+
+// Available logging modes
+const (
+	LogModeUnset            = ""
+	LogModeBlocking LogMode = "blocking"
+	LogModeNonBlock LogMode = "non-blocking"
+)
+
+// LogConfig represents the logging configuration of the container.
+type LogConfig struct {
+	Type   string
+	Config map[string]string
+}
+
+// Resources contains container's resources (cgroups config, ulimits...)
+type Resources struct {
+	// Applicable to all platforms
+	CPUShares int64 `json:"CpuShares"` // CPU shares (relative weight vs. other containers)
+	Memory    int64 // Memory limit (in bytes)
+	NanoCPUs  int64 `json:"NanoCpus"` // CPU quota in units of 10<sup>-9</sup> CPUs.
+
+	// Applicable to UNIX platforms
+	CgroupParent         string // Parent cgroup.
+	BlkioWeight          uint16 // Block IO weight (relative weight vs. other containers)
+	BlkioWeightDevice    []*blkiodev.WeightDevice
+	BlkioDeviceReadBps   []*blkiodev.ThrottleDevice
+	BlkioDeviceWriteBps  []*blkiodev.ThrottleDevice
+	BlkioDeviceReadIOps  []*blkiodev.ThrottleDevice
+	BlkioDeviceWriteIOps []*blkiodev.ThrottleDevice
+	CPUPeriod            int64           `json:"CpuPeriod"`          // CPU CFS (Completely Fair Scheduler) period
+	CPUQuota             int64           `json:"CpuQuota"`           // CPU CFS (Completely Fair Scheduler) quota
+	CPURealtimePeriod    int64           `json:"CpuRealtimePeriod"`  // CPU real-time period
+	CPURealtimeRuntime   int64           `json:"CpuRealtimeRuntime"` // CPU real-time runtime
+	CpusetCpus           string          // CpusetCpus 0-2, 0,1
+	CpusetMems           string          // CpusetMems 0-2, 0,1
+	Devices              []DeviceMapping // List of devices to map inside the container
+	DeviceCgroupRules    []string        // List of rule to be added to the device cgroup
+	DiskQuota            int64           // Disk limit (in bytes)
+	KernelMemory         int64           // Kernel memory limit (in bytes)
+	MemoryReservation    int64           // Memory soft limit (in bytes)
+	MemorySwap           int64           // Total memory usage (memory + swap); set `-1` to enable unlimited swap
+	MemorySwappiness     *int64          // Tuning container memory swappiness behaviour
+	OomKillDisable       *bool           // Whether to disable OOM Killer or not
+	PidsLimit            int64           // Setting pids limit for a container
+	Ulimits              []*units.Ulimit // List of ulimits to be set in the container
+
+	// Applicable to Windows
+	CPUCount           int64  `json:"CpuCount"`   // CPU count
+	CPUPercent         int64  `json:"CpuPercent"` // CPU percent
+	IOMaximumIOps      uint64 // Maximum IOps for the container system drive
+	IOMaximumBandwidth uint64 // Maximum IO in bytes per second for the container system drive
+}
+
+// UpdateConfig holds the mutable attributes of a Container.
+// Those attributes can be updated at runtime.
+type UpdateConfig struct {
+	// Contains container's resources (cgroups, ulimits)
+	Resources
+	RestartPolicy RestartPolicy
+}
+
+// HostConfig the non-portable Config structure of a container.
+// Here, "non-portable" means "dependent of the host we are running on".
+// Portable information *should* appear in Config.
+type HostConfig struct {
+	// Applicable to all platforms
+	Binds           []string      // List of volume bindings for this container
+	ContainerIDFile string        // File (path) where the containerId is written
+	LogConfig       LogConfig     // Configuration of the logs for this container
+	NetworkMode     NetworkMode   // Network mode to use for the container
+	PortBindings    nat.PortMap   // Port mapping between the exposed port (container) and the host
+	RestartPolicy   RestartPolicy // Restart policy to be used for the container
+	AutoRemove      bool          // Automatically remove container when it exits
+	VolumeDriver    string        // Name of the volume driver used to mount volumes
+	VolumesFrom     []string      // List of volumes to take from other container
+
+	// Applicable to UNIX platforms
+	CapAdd          strslice.StrSlice // List of kernel capabilities to add to the container
+	CapDrop         strslice.StrSlice // List of kernel capabilities to remove from the container
+	DNS             []string          `json:"Dns"`        // List of DNS server to lookup
+	DNSOptions      []string          `json:"DnsOptions"` // List of DNSOption to look for
+	DNSSearch       []string          `json:"DnsSearch"`  // List of DNSSearch to look for
+	ExtraHosts      []string          // List of extra hosts
+	GroupAdd        []string          // List of additional groups that the container process will run as
+	IpcMode         IpcMode           // IPC namespace to use for the container
+	Cgroup          CgroupSpec        // Cgroup to use for the container
+	Links           []string          // List of links (in the name:alias form)
+	OomScoreAdj     int               // Container preference for OOM-killing
+	PidMode         PidMode           // PID namespace to use for the container
+	Privileged      bool              // Is the container in privileged mode
+	PublishAllPorts bool              // Should docker publish all exposed port for the container
+	ReadonlyRootfs  bool              // Is the container root filesystem in read-only
+	SecurityOpt     []string          // List of string values to customize labels for MLS systems, such as SELinux.
+	StorageOpt      map[string]string `json:",omitempty"` // Storage driver options per container.
+	Tmpfs           map[string]string `json:",omitempty"` // List of tmpfs (mounts) used for the container
+	UTSMode         UTSMode           // UTS namespace to use for the container
+	UsernsMode      UsernsMode        // The user namespace to use for the container
+	ShmSize         int64             // Total shm memory usage
+	Sysctls         map[string]string `json:",omitempty"` // List of Namespaced sysctls used for the container
+	Runtime         string            `json:",omitempty"` // Runtime to use with this container
+
+	// Applicable to Windows
+	ConsoleSize [2]uint   // Initial console size (height,width)
+	Isolation   Isolation // Isolation technology of the container (e.g. default, hyperv)
+
+	// Contains container's resources (cgroups, ulimits)
+	Resources
+
+	// Mounts specs used by the container
+	Mounts []mount.Mount `json:",omitempty"`
+
+	// MaskedPaths is the list of paths to be masked inside the container (this overrides the default set of paths)
+	MaskedPaths []string
+
+	// ReadonlyPaths is the list of paths to be set as read-only inside the container (this overrides the default set of paths)
+	ReadonlyPaths []string
+
+	// Run a custom init inside the container, if null, use the daemon's configured settings
+	Init *bool `json:",omitempty"`
+}
diff --git a/engine/api/types/container/hostconfig_unix.go b/engine/api/types/container/hostconfig_unix.go
new file mode 100644
index 00000000..cf6fdf44
--- /dev/null
+++ b/engine/api/types/container/hostconfig_unix.go
@@ -0,0 +1,41 @@
+// +build !windows
+
+package container // import "github.com/docker/docker/api/types/container"
+
+// IsValid indicates if an isolation technology is valid
+func (i Isolation) IsValid() bool {
+	return i.IsDefault()
+}
+
+// NetworkName returns the name of the network stack.
+func (n NetworkMode) NetworkName() string {
+	if n.IsBridge() {
+		return "bridge"
+	} else if n.IsHost() {
+		return "host"
+	} else if n.IsContainer() {
+		return "container"
+	} else if n.IsNone() {
+		return "none"
+	} else if n.IsDefault() {
+		return "default"
+	} else if n.IsUserDefined() {
+		return n.UserDefined()
+	}
+	return ""
+}
+
+// IsBridge indicates whether container uses the bridge network stack
+func (n NetworkMode) IsBridge() bool {
+	return n == "bridge"
+}
+
+// IsHost indicates whether container uses the host network stack.
+func (n NetworkMode) IsHost() bool {
+	return n == "host"
+}
+
+// IsUserDefined indicates user-created network
+func (n NetworkMode) IsUserDefined() bool {
+	return !n.IsDefault() && !n.IsBridge() && !n.IsHost() && !n.IsNone() && !n.IsContainer()
+}
diff --git a/engine/api/types/container/hostconfig_windows.go b/engine/api/types/container/hostconfig_windows.go
new file mode 100644
index 00000000..99f803a5
--- /dev/null
+++ b/engine/api/types/container/hostconfig_windows.go
@@ -0,0 +1,40 @@
+package container // import "github.com/docker/docker/api/types/container"
+
+// IsBridge indicates whether container uses the bridge network stack
+// in windows it is given the name NAT
+func (n NetworkMode) IsBridge() bool {
+	return n == "nat"
+}
+
+// IsHost indicates whether container uses the host network stack.
+// returns false as this is not supported by windows
+func (n NetworkMode) IsHost() bool {
+	return false
+}
+
+// IsUserDefined indicates user-created network
+func (n NetworkMode) IsUserDefined() bool {
+	return !n.IsDefault() && !n.IsNone() && !n.IsBridge() && !n.IsContainer()
+}
+
+// IsValid indicates if an isolation technology is valid
+func (i Isolation) IsValid() bool {
+	return i.IsDefault() || i.IsHyperV() || i.IsProcess()
+}
+
+// NetworkName returns the name of the network stack.
+func (n NetworkMode) NetworkName() string {
+	if n.IsDefault() {
+		return "default"
+	} else if n.IsBridge() {
+		return "nat"
+	} else if n.IsNone() {
+		return "none"
+	} else if n.IsContainer() {
+		return "container"
+	} else if n.IsUserDefined() {
+		return n.UserDefined()
+	}
+
+	return ""
+}
diff --git a/engine/api/types/container/waitcondition.go b/engine/api/types/container/waitcondition.go
new file mode 100644
index 00000000..cd8311f9
--- /dev/null
+++ b/engine/api/types/container/waitcondition.go
@@ -0,0 +1,22 @@
+package container // import "github.com/docker/docker/api/types/container"
+
+// WaitCondition is a type used to specify a container state for which
+// to wait.
+type WaitCondition string
+
+// Possible WaitCondition Values.
+//
+// WaitConditionNotRunning (default) is used to wait for any of the non-running
+// states: "created", "exited", "dead", "removing", or "removed".
+//
+// WaitConditionNextExit is used to wait for the next time the state changes
+// to a non-running state. If the state is currently "created" or "exited",
+// this would cause Wait() to block until either the container runs and exits
+// or is removed.
+//
+// WaitConditionRemoved is used to wait for the container to be removed.
+const (
+	WaitConditionNotRunning WaitCondition = "not-running"
+	WaitConditionNextExit   WaitCondition = "next-exit"
+	WaitConditionRemoved    WaitCondition = "removed"
+)
diff --git a/engine/api/types/error_response.go b/engine/api/types/error_response.go
new file mode 100644
index 00000000..dc942d9d
--- /dev/null
+++ b/engine/api/types/error_response.go
@@ -0,0 +1,13 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// ErrorResponse Represents an error.
+// swagger:model ErrorResponse
+type ErrorResponse struct {
+
+	// The error message.
+	// Required: true
+	Message string `json:"message"`
+}
diff --git a/engine/api/types/events/events.go b/engine/api/types/events/events.go
new file mode 100644
index 00000000..027c6edb
--- /dev/null
+++ b/engine/api/types/events/events.go
@@ -0,0 +1,52 @@
+package events // import "github.com/docker/docker/api/types/events"
+
+const (
+	// ContainerEventType is the event type that containers generate
+	ContainerEventType = "container"
+	// DaemonEventType is the event type that daemon generate
+	DaemonEventType = "daemon"
+	// ImageEventType is the event type that images generate
+	ImageEventType = "image"
+	// NetworkEventType is the event type that networks generate
+	NetworkEventType = "network"
+	// PluginEventType is the event type that plugins generate
+	PluginEventType = "plugin"
+	// VolumeEventType is the event type that volumes generate
+	VolumeEventType = "volume"
+	// ServiceEventType is the event type that services generate
+	ServiceEventType = "service"
+	// NodeEventType is the event type that nodes generate
+	NodeEventType = "node"
+	// SecretEventType is the event type that secrets generate
+	SecretEventType = "secret"
+	// ConfigEventType is the event type that configs generate
+	ConfigEventType = "config"
+)
+
+// Actor describes something that generates events,
+// like a container, or a network, or a volume.
+// It has a defined name and a set or attributes.
+// The container attributes are its labels, other actors
+// can generate these attributes from other properties.
+type Actor struct {
+	ID         string
+	Attributes map[string]string
+}
+
+// Message represents the information an event contains
+type Message struct {
+	// Deprecated information from JSONMessage.
+	// With data only in container events.
+	Status string `json:"status,omitempty"`
+	ID     string `json:"id,omitempty"`
+	From   string `json:"from,omitempty"`
+
+	Type   string
+	Action string
+	Actor  Actor
+	// Engine events are local scope. Cluster events are swarm scope.
+	Scope string `json:"scope,omitempty"`
+
+	Time     int64 `json:"time,omitempty"`
+	TimeNano int64 `json:"timeNano,omitempty"`
+}
diff --git a/engine/api/types/filters/example_test.go b/engine/api/types/filters/example_test.go
new file mode 100644
index 00000000..c8fec1b9
--- /dev/null
+++ b/engine/api/types/filters/example_test.go
@@ -0,0 +1,24 @@
+package filters // import "github.com/docker/docker/api/types/filters"
+
+func ExampleArgs_MatchKVList() {
+	args := NewArgs(
+		Arg("label", "image=foo"),
+		Arg("label", "state=running"))
+
+	// returns true because there are no values for bogus
+	args.MatchKVList("bogus", nil)
+
+	// returns false because there are no sources
+	args.MatchKVList("label", nil)
+
+	// returns true because all sources are matched
+	args.MatchKVList("label", map[string]string{
+		"image": "foo",
+		"state": "running",
+	})
+
+	// returns false because the values do not match
+	args.MatchKVList("label", map[string]string{
+		"image": "other",
+	})
+}
diff --git a/engine/api/types/filters/parse.go b/engine/api/types/filters/parse.go
new file mode 100644
index 00000000..a41e3d8d
--- /dev/null
+++ b/engine/api/types/filters/parse.go
@@ -0,0 +1,350 @@
+/*Package filters provides tools for encoding a mapping of keys to a set of
+multiple values.
+*/
+package filters // import "github.com/docker/docker/api/types/filters"
+
+import (
+	"encoding/json"
+	"errors"
+	"regexp"
+	"strings"
+
+	"github.com/docker/docker/api/types/versions"
+)
+
+// Args stores a mapping of keys to a set of multiple values.
+type Args struct {
+	fields map[string]map[string]bool
+}
+
+// KeyValuePair are used to initialize a new Args
+type KeyValuePair struct {
+	Key   string
+	Value string
+}
+
+// Arg creates a new KeyValuePair for initializing Args
+func Arg(key, value string) KeyValuePair {
+	return KeyValuePair{Key: key, Value: value}
+}
+
+// NewArgs returns a new Args populated with the initial args
+func NewArgs(initialArgs ...KeyValuePair) Args {
+	args := Args{fields: map[string]map[string]bool{}}
+	for _, arg := range initialArgs {
+		args.Add(arg.Key, arg.Value)
+	}
+	return args
+}
+
+// ParseFlag parses a key=value string and adds it to an Args.
+//
+// Deprecated: Use Args.Add()
+func ParseFlag(arg string, prev Args) (Args, error) {
+	filters := prev
+	if len(arg) == 0 {
+		return filters, nil
+	}
+
+	if !strings.Contains(arg, "=") {
+		return filters, ErrBadFormat
+	}
+
+	f := strings.SplitN(arg, "=", 2)
+
+	name := strings.ToLower(strings.TrimSpace(f[0]))
+	value := strings.TrimSpace(f[1])
+
+	filters.Add(name, value)
+
+	return filters, nil
+}
+
+// ErrBadFormat is an error returned when a filter is not in the form key=value
+//
+// Deprecated: this error will be removed in a future version
+var ErrBadFormat = errors.New("bad format of filter (expected name=value)")
+
+// ToParam encodes the Args as args JSON encoded string
+//
+// Deprecated: use ToJSON
+func ToParam(a Args) (string, error) {
+	return ToJSON(a)
+}
+
+// MarshalJSON returns a JSON byte representation of the Args
+func (args Args) MarshalJSON() ([]byte, error) {
+	if len(args.fields) == 0 {
+		return []byte{}, nil
+	}
+	return json.Marshal(args.fields)
+}
+
+// ToJSON returns the Args as a JSON encoded string
+func ToJSON(a Args) (string, error) {
+	if a.Len() == 0 {
+		return "", nil
+	}
+	buf, err := json.Marshal(a)
+	return string(buf), err
+}
+
+// ToParamWithVersion encodes Args as a JSON string. If version is less than 1.22
+// then the encoded format will use an older legacy format where the values are a
+// list of strings, instead of a set.
+//
+// Deprecated: Use ToJSON
+func ToParamWithVersion(version string, a Args) (string, error) {
+	if a.Len() == 0 {
+		return "", nil
+	}
+
+	if version != "" && versions.LessThan(version, "1.22") {
+		buf, err := json.Marshal(convertArgsToSlice(a.fields))
+		return string(buf), err
+	}
+
+	return ToJSON(a)
+}
+
+// FromParam decodes a JSON encoded string into Args
+//
+// Deprecated: use FromJSON
+func FromParam(p string) (Args, error) {
+	return FromJSON(p)
+}
+
+// FromJSON decodes a JSON encoded string into Args
+func FromJSON(p string) (Args, error) {
+	args := NewArgs()
+
+	if p == "" {
+		return args, nil
+	}
+
+	raw := []byte(p)
+	err := json.Unmarshal(raw, &args)
+	if err == nil {
+		return args, nil
+	}
+
+	// Fallback to parsing arguments in the legacy slice format
+	deprecated := map[string][]string{}
+	if legacyErr := json.Unmarshal(raw, &deprecated); legacyErr != nil {
+		return args, err
+	}
+
+	args.fields = deprecatedArgs(deprecated)
+	return args, nil
+}
+
+// UnmarshalJSON populates the Args from JSON encode bytes
+func (args Args) UnmarshalJSON(raw []byte) error {
+	if len(raw) == 0 {
+		return nil
+	}
+	return json.Unmarshal(raw, &args.fields)
+}
+
+// Get returns the list of values associated with the key
+func (args Args) Get(key string) []string {
+	values := args.fields[key]
+	if values == nil {
+		return make([]string, 0)
+	}
+	slice := make([]string, 0, len(values))
+	for key := range values {
+		slice = append(slice, key)
+	}
+	return slice
+}
+
+// Add a new value to the set of values
+func (args Args) Add(key, value string) {
+	if _, ok := args.fields[key]; ok {
+		args.fields[key][value] = true
+	} else {
+		args.fields[key] = map[string]bool{value: true}
+	}
+}
+
+// Del removes a value from the set
+func (args Args) Del(key, value string) {
+	if _, ok := args.fields[key]; ok {
+		delete(args.fields[key], value)
+		if len(args.fields[key]) == 0 {
+			delete(args.fields, key)
+		}
+	}
+}
+
+// Len returns the number of keys in the mapping
+func (args Args) Len() int {
+	return len(args.fields)
+}
+
+// MatchKVList returns true if all the pairs in sources exist as key=value
+// pairs in the mapping at key, or if there are no values at key.
+func (args Args) MatchKVList(key string, sources map[string]string) bool {
+	fieldValues := args.fields[key]
+
+	//do not filter if there is no filter set or cannot determine filter
+	if len(fieldValues) == 0 {
+		return true
+	}
+
+	if len(sources) == 0 {
+		return false
+	}
+
+	for value := range fieldValues {
+		testKV := strings.SplitN(value, "=", 2)
+
+		v, ok := sources[testKV[0]]
+		if !ok {
+			return false
+		}
+		if len(testKV) == 2 && testKV[1] != v {
+			return false
+		}
+	}
+
+	return true
+}
+
+// Match returns true if any of the values at key match the source string
+func (args Args) Match(field, source string) bool {
+	if args.ExactMatch(field, source) {
+		return true
+	}
+
+	fieldValues := args.fields[field]
+	for name2match := range fieldValues {
+		match, err := regexp.MatchString(name2match, source)
+		if err != nil {
+			continue
+		}
+		if match {
+			return true
+		}
+	}
+	return false
+}
+
+// ExactMatch returns true if the source matches exactly one of the values.
+func (args Args) ExactMatch(key, source string) bool {
+	fieldValues, ok := args.fields[key]
+	//do not filter if there is no filter set or cannot determine filter
+	if !ok || len(fieldValues) == 0 {
+		return true
+	}
+
+	// try to match full name value to avoid O(N) regular expression matching
+	return fieldValues[source]
+}
+
+// UniqueExactMatch returns true if there is only one value and the source
+// matches exactly the value.
+func (args Args) UniqueExactMatch(key, source string) bool {
+	fieldValues := args.fields[key]
+	//do not filter if there is no filter set or cannot determine filter
+	if len(fieldValues) == 0 {
+		return true
+	}
+	if len(args.fields[key]) != 1 {
+		return false
+	}
+
+	// try to match full name value to avoid O(N) regular expression matching
+	return fieldValues[source]
+}
+
+// FuzzyMatch returns true if the source matches exactly one value,  or the
+// source has one of the values as a prefix.
+func (args Args) FuzzyMatch(key, source string) bool {
+	if args.ExactMatch(key, source) {
+		return true
+	}
+
+	fieldValues := args.fields[key]
+	for prefix := range fieldValues {
+		if strings.HasPrefix(source, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
+// Include returns true if the key exists in the mapping
+//
+// Deprecated: use Contains
+func (args Args) Include(field string) bool {
+	_, ok := args.fields[field]
+	return ok
+}
+
+// Contains returns true if the key exists in the mapping
+func (args Args) Contains(field string) bool {
+	_, ok := args.fields[field]
+	return ok
+}
+
+type invalidFilter string
+
+func (e invalidFilter) Error() string {
+	return "Invalid filter '" + string(e) + "'"
+}
+
+func (invalidFilter) InvalidParameter() {}
+
+// Validate compared the set of accepted keys against the keys in the mapping.
+// An error is returned if any mapping keys are not in the accepted set.
+func (args Args) Validate(accepted map[string]bool) error {
+	for name := range args.fields {
+		if !accepted[name] {
+			return invalidFilter(name)
+		}
+	}
+	return nil
+}
+
+// WalkValues iterates over the list of values for a key in the mapping and calls
+// op() for each value. If op returns an error the iteration stops and the
+// error is returned.
+func (args Args) WalkValues(field string, op func(value string) error) error {
+	if _, ok := args.fields[field]; !ok {
+		return nil
+	}
+	for v := range args.fields[field] {
+		if err := op(v); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func deprecatedArgs(d map[string][]string) map[string]map[string]bool {
+	m := map[string]map[string]bool{}
+	for k, v := range d {
+		values := map[string]bool{}
+		for _, vv := range v {
+			values[vv] = true
+		}
+		m[k] = values
+	}
+	return m
+}
+
+func convertArgsToSlice(f map[string]map[string]bool) map[string][]string {
+	m := map[string][]string{}
+	for k, v := range f {
+		values := []string{}
+		for kk := range v {
+			if v[kk] {
+				values = append(values, kk)
+			}
+		}
+		m[k] = values
+	}
+	return m
+}
diff --git a/engine/api/types/filters/parse_test.go b/engine/api/types/filters/parse_test.go
new file mode 100644
index 00000000..e8345a1d
--- /dev/null
+++ b/engine/api/types/filters/parse_test.go
@@ -0,0 +1,423 @@
+package filters // import "github.com/docker/docker/api/types/filters"
+
+import (
+	"errors"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestParseArgs(t *testing.T) {
+	// equivalent of `docker ps -f 'created=today' -f 'image.name=ubuntu*' -f 'image.name=*untu'`
+	flagArgs := []string{
+		"created=today",
+		"image.name=ubuntu*",
+		"image.name=*untu",
+	}
+	var (
+		args = NewArgs()
+		err  error
+	)
+
+	for i := range flagArgs {
+		args, err = ParseFlag(flagArgs[i], args)
+		assert.NilError(t, err)
+	}
+	assert.Check(t, is.Len(args.Get("created"), 1))
+	assert.Check(t, is.Len(args.Get("image.name"), 2))
+}
+
+func TestParseArgsEdgeCase(t *testing.T) {
+	var args Args
+	args, err := ParseFlag("", args)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if args.Len() != 0 {
+		t.Fatalf("Expected an empty Args (map), got %v", args)
+	}
+	if args, err = ParseFlag("anything", args); err == nil || err != ErrBadFormat {
+		t.Fatalf("Expected ErrBadFormat, got %v", err)
+	}
+}
+
+func TestToJSON(t *testing.T) {
+	fields := map[string]map[string]bool{
+		"created":    {"today": true},
+		"image.name": {"ubuntu*": true, "*untu": true},
+	}
+	a := Args{fields: fields}
+
+	_, err := ToJSON(a)
+	if err != nil {
+		t.Errorf("failed to marshal the filters: %s", err)
+	}
+}
+
+func TestToParamWithVersion(t *testing.T) {
+	fields := map[string]map[string]bool{
+		"created":    {"today": true},
+		"image.name": {"ubuntu*": true, "*untu": true},
+	}
+	a := Args{fields: fields}
+
+	str1, err := ToParamWithVersion("1.21", a)
+	if err != nil {
+		t.Errorf("failed to marshal the filters with version < 1.22: %s", err)
+	}
+	str2, err := ToParamWithVersion("1.22", a)
+	if err != nil {
+		t.Errorf("failed to marshal the filters with version >= 1.22: %s", err)
+	}
+	if str1 != `{"created":["today"],"image.name":["*untu","ubuntu*"]}` &&
+		str1 != `{"created":["today"],"image.name":["ubuntu*","*untu"]}` {
+		t.Errorf("incorrectly marshaled the filters: %s", str1)
+	}
+	if str2 != `{"created":{"today":true},"image.name":{"*untu":true,"ubuntu*":true}}` &&
+		str2 != `{"created":{"today":true},"image.name":{"ubuntu*":true,"*untu":true}}` {
+		t.Errorf("incorrectly marshaled the filters: %s", str2)
+	}
+}
+
+func TestFromJSON(t *testing.T) {
+	invalids := []string{
+		"anything",
+		"['a','list']",
+		"{'key': 'value'}",
+		`{"key": "value"}`,
+	}
+	valid := map[*Args][]string{
+		{fields: map[string]map[string]bool{"key": {"value": true}}}: {
+			`{"key": ["value"]}`,
+			`{"key": {"value": true}}`,
+		},
+		{fields: map[string]map[string]bool{"key": {"value1": true, "value2": true}}}: {
+			`{"key": ["value1", "value2"]}`,
+			`{"key": {"value1": true, "value2": true}}`,
+		},
+		{fields: map[string]map[string]bool{"key1": {"value1": true}, "key2": {"value2": true}}}: {
+			`{"key1": ["value1"], "key2": ["value2"]}`,
+			`{"key1": {"value1": true}, "key2": {"value2": true}}`,
+		},
+	}
+
+	for _, invalid := range invalids {
+		if _, err := FromJSON(invalid); err == nil {
+			t.Fatalf("Expected an error with %v, got nothing", invalid)
+		}
+	}
+
+	for expectedArgs, matchers := range valid {
+		for _, json := range matchers {
+			args, err := FromJSON(json)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if args.Len() != expectedArgs.Len() {
+				t.Fatalf("Expected %v, go %v", expectedArgs, args)
+			}
+			for key, expectedValues := range expectedArgs.fields {
+				values := args.Get(key)
+
+				if len(values) != len(expectedValues) {
+					t.Fatalf("Expected %v, go %v", expectedArgs, args)
+				}
+
+				for _, v := range values {
+					if !expectedValues[v] {
+						t.Fatalf("Expected %v, go %v", expectedArgs, args)
+					}
+				}
+			}
+		}
+	}
+}
+
+func TestEmpty(t *testing.T) {
+	a := Args{}
+	v, err := ToJSON(a)
+	if err != nil {
+		t.Errorf("failed to marshal the filters: %s", err)
+	}
+	v1, err := FromJSON(v)
+	if err != nil {
+		t.Errorf("%s", err)
+	}
+	if a.Len() != v1.Len() {
+		t.Error("these should both be empty sets")
+	}
+}
+
+func TestArgsMatchKVListEmptySources(t *testing.T) {
+	args := NewArgs()
+	if !args.MatchKVList("created", map[string]string{}) {
+		t.Fatalf("Expected true for (%v,created), got true", args)
+	}
+
+	args = Args{map[string]map[string]bool{"created": {"today": true}}}
+	if args.MatchKVList("created", map[string]string{}) {
+		t.Fatalf("Expected false for (%v,created), got true", args)
+	}
+}
+
+func TestArgsMatchKVList(t *testing.T) {
+	// Not empty sources
+	sources := map[string]string{
+		"key1": "value1",
+		"key2": "value2",
+		"key3": "value3",
+	}
+
+	matches := map[*Args]string{
+		{}: "field",
+		{map[string]map[string]bool{
+			"created": {"today": true},
+			"labels":  {"key1": true}},
+		}: "labels",
+		{map[string]map[string]bool{
+			"created": {"today": true},
+			"labels":  {"key1=value1": true}},
+		}: "labels",
+	}
+
+	for args, field := range matches {
+		if !args.MatchKVList(field, sources) {
+			t.Fatalf("Expected true for %v on %v, got false", sources, args)
+		}
+	}
+
+	differs := map[*Args]string{
+		{map[string]map[string]bool{
+			"created": {"today": true}},
+		}: "created",
+		{map[string]map[string]bool{
+			"created": {"today": true},
+			"labels":  {"key4": true}},
+		}: "labels",
+		{map[string]map[string]bool{
+			"created": {"today": true},
+			"labels":  {"key1=value3": true}},
+		}: "labels",
+	}
+
+	for args, field := range differs {
+		if args.MatchKVList(field, sources) {
+			t.Fatalf("Expected false for %v on %v, got true", sources, args)
+		}
+	}
+}
+
+func TestArgsMatch(t *testing.T) {
+	source := "today"
+
+	matches := map[*Args]string{
+		{}: "field",
+		{map[string]map[string]bool{
+			"created": {"today": true}},
+		}: "today",
+		{map[string]map[string]bool{
+			"created": {"to*": true}},
+		}: "created",
+		{map[string]map[string]bool{
+			"created": {"to(.*)": true}},
+		}: "created",
+		{map[string]map[string]bool{
+			"created": {"tod": true}},
+		}: "created",
+		{map[string]map[string]bool{
+			"created": {"anything": true, "to*": true}},
+		}: "created",
+	}
+
+	for args, field := range matches {
+		assert.Check(t, args.Match(field, source),
+			"Expected field %s to match %s", field, source)
+	}
+
+	differs := map[*Args]string{
+		{map[string]map[string]bool{
+			"created": {"tomorrow": true}},
+		}: "created",
+		{map[string]map[string]bool{
+			"created": {"to(day": true}},
+		}: "created",
+		{map[string]map[string]bool{
+			"created": {"tom(.*)": true}},
+		}: "created",
+		{map[string]map[string]bool{
+			"created": {"tom": true}},
+		}: "created",
+		{map[string]map[string]bool{
+			"created": {"today1": true},
+			"labels":  {"today": true}},
+		}: "created",
+	}
+
+	for args, field := range differs {
+		assert.Check(t, !args.Match(field, source), "Expected field %s to not match %s", field, source)
+	}
+}
+
+func TestAdd(t *testing.T) {
+	f := NewArgs()
+	f.Add("status", "running")
+	v := f.fields["status"]
+	if len(v) != 1 || !v["running"] {
+		t.Fatalf("Expected to include a running status, got %v", v)
+	}
+
+	f.Add("status", "paused")
+	if len(v) != 2 || !v["paused"] {
+		t.Fatalf("Expected to include a paused status, got %v", v)
+	}
+}
+
+func TestDel(t *testing.T) {
+	f := NewArgs()
+	f.Add("status", "running")
+	f.Del("status", "running")
+	v := f.fields["status"]
+	if v["running"] {
+		t.Fatal("Expected to not include a running status filter, got true")
+	}
+}
+
+func TestLen(t *testing.T) {
+	f := NewArgs()
+	if f.Len() != 0 {
+		t.Fatal("Expected to not include any field")
+	}
+	f.Add("status", "running")
+	if f.Len() != 1 {
+		t.Fatal("Expected to include one field")
+	}
+}
+
+func TestExactMatch(t *testing.T) {
+	f := NewArgs()
+
+	if !f.ExactMatch("status", "running") {
+		t.Fatal("Expected to match `running` when there are no filters, got false")
+	}
+
+	f.Add("status", "running")
+	f.Add("status", "pause*")
+
+	if !f.ExactMatch("status", "running") {
+		t.Fatal("Expected to match `running` with one of the filters, got false")
+	}
+
+	if f.ExactMatch("status", "paused") {
+		t.Fatal("Expected to not match `paused` with one of the filters, got true")
+	}
+}
+
+func TestOnlyOneExactMatch(t *testing.T) {
+	f := NewArgs()
+
+	if !f.UniqueExactMatch("status", "running") {
+		t.Fatal("Expected to match `running` when there are no filters, got false")
+	}
+
+	f.Add("status", "running")
+
+	if !f.UniqueExactMatch("status", "running") {
+		t.Fatal("Expected to match `running` with one of the filters, got false")
+	}
+
+	if f.UniqueExactMatch("status", "paused") {
+		t.Fatal("Expected to not match `paused` with one of the filters, got true")
+	}
+
+	f.Add("status", "pause")
+	if f.UniqueExactMatch("status", "running") {
+		t.Fatal("Expected to not match only `running` with two filters, got true")
+	}
+}
+
+func TestContains(t *testing.T) {
+	f := NewArgs()
+	if f.Contains("status") {
+		t.Fatal("Expected to not contain a status key, got true")
+	}
+	f.Add("status", "running")
+	if !f.Contains("status") {
+		t.Fatal("Expected to contain a status key, got false")
+	}
+}
+
+func TestInclude(t *testing.T) {
+	f := NewArgs()
+	if f.Include("status") {
+		t.Fatal("Expected to not include a status key, got true")
+	}
+	f.Add("status", "running")
+	if !f.Include("status") {
+		t.Fatal("Expected to include a status key, got false")
+	}
+}
+
+func TestValidate(t *testing.T) {
+	f := NewArgs()
+	f.Add("status", "running")
+
+	valid := map[string]bool{
+		"status":   true,
+		"dangling": true,
+	}
+
+	if err := f.Validate(valid); err != nil {
+		t.Fatal(err)
+	}
+
+	f.Add("bogus", "running")
+	if err := f.Validate(valid); err == nil {
+		t.Fatal("Expected to return an error, got nil")
+	}
+}
+
+func TestWalkValues(t *testing.T) {
+	f := NewArgs()
+	f.Add("status", "running")
+	f.Add("status", "paused")
+
+	f.WalkValues("status", func(value string) error {
+		if value != "running" && value != "paused" {
+			t.Fatalf("Unexpected value %s", value)
+		}
+		return nil
+	})
+
+	err := f.WalkValues("status", func(value string) error {
+		return errors.New("return")
+	})
+	if err == nil {
+		t.Fatal("Expected to get an error, got nil")
+	}
+
+	err = f.WalkValues("foo", func(value string) error {
+		return errors.New("return")
+	})
+	if err != nil {
+		t.Fatalf("Expected to not iterate when the field doesn't exist, got %v", err)
+	}
+}
+
+func TestFuzzyMatch(t *testing.T) {
+	f := NewArgs()
+	f.Add("container", "foo")
+
+	cases := map[string]bool{
+		"foo":    true,
+		"foobar": true,
+		"barfoo": false,
+		"bar":    false,
+	}
+	for source, match := range cases {
+		got := f.FuzzyMatch("container", source)
+		if got != match {
+			t.Fatalf("Expected %v, got %v: %s", match, got, source)
+		}
+	}
+}
diff --git a/engine/api/types/graph_driver_data.go b/engine/api/types/graph_driver_data.go
new file mode 100644
index 00000000..4d9bf1c6
--- /dev/null
+++ b/engine/api/types/graph_driver_data.go
@@ -0,0 +1,17 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// GraphDriverData Information about a container's graph driver.
+// swagger:model GraphDriverData
+type GraphDriverData struct {
+
+	// data
+	// Required: true
+	Data map[string]string `json:"Data"`
+
+	// name
+	// Required: true
+	Name string `json:"Name"`
+}
diff --git a/engine/api/types/id_response.go b/engine/api/types/id_response.go
new file mode 100644
index 00000000..7592d2f8
--- /dev/null
+++ b/engine/api/types/id_response.go
@@ -0,0 +1,13 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// IDResponse Response to an API call that returns just an Id
+// swagger:model IdResponse
+type IDResponse struct {
+
+	// The id of the newly created object.
+	// Required: true
+	ID string `json:"Id"`
+}
diff --git a/engine/api/types/image/image_history.go b/engine/api/types/image/image_history.go
new file mode 100644
index 00000000..d6b354bc
--- /dev/null
+++ b/engine/api/types/image/image_history.go
@@ -0,0 +1,37 @@
+package image
+
+// ----------------------------------------------------------------------------
+// DO NOT EDIT THIS FILE
+// This file was generated by `swagger generate operation`
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+// HistoryResponseItem individual image layer information in response to ImageHistory operation
+// swagger:model HistoryResponseItem
+type HistoryResponseItem struct {
+
+	// comment
+	// Required: true
+	Comment string `json:"Comment"`
+
+	// created
+	// Required: true
+	Created int64 `json:"Created"`
+
+	// created by
+	// Required: true
+	CreatedBy string `json:"CreatedBy"`
+
+	// Id
+	// Required: true
+	ID string `json:"Id"`
+
+	// size
+	// Required: true
+	Size int64 `json:"Size"`
+
+	// tags
+	// Required: true
+	Tags []string `json:"Tags"`
+}
diff --git a/engine/api/types/image_delete_response_item.go b/engine/api/types/image_delete_response_item.go
new file mode 100644
index 00000000..b9a65a0d
--- /dev/null
+++ b/engine/api/types/image_delete_response_item.go
@@ -0,0 +1,15 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// ImageDeleteResponseItem image delete response item
+// swagger:model ImageDeleteResponseItem
+type ImageDeleteResponseItem struct {
+
+	// The image ID of an image that was deleted
+	Deleted string `json:"Deleted,omitempty"`
+
+	// The image ID of an image that was untagged
+	Untagged string `json:"Untagged,omitempty"`
+}
diff --git a/engine/api/types/image_summary.go b/engine/api/types/image_summary.go
new file mode 100644
index 00000000..e145b3dc
--- /dev/null
+++ b/engine/api/types/image_summary.go
@@ -0,0 +1,49 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// ImageSummary image summary
+// swagger:model ImageSummary
+type ImageSummary struct {
+
+	// containers
+	// Required: true
+	Containers int64 `json:"Containers"`
+
+	// created
+	// Required: true
+	Created int64 `json:"Created"`
+
+	// Id
+	// Required: true
+	ID string `json:"Id"`
+
+	// labels
+	// Required: true
+	Labels map[string]string `json:"Labels"`
+
+	// parent Id
+	// Required: true
+	ParentID string `json:"ParentId"`
+
+	// repo digests
+	// Required: true
+	RepoDigests []string `json:"RepoDigests"`
+
+	// repo tags
+	// Required: true
+	RepoTags []string `json:"RepoTags"`
+
+	// shared size
+	// Required: true
+	SharedSize int64 `json:"SharedSize"`
+
+	// size
+	// Required: true
+	Size int64 `json:"Size"`
+
+	// virtual size
+	// Required: true
+	VirtualSize int64 `json:"VirtualSize"`
+}
diff --git a/engine/api/types/mount/mount.go b/engine/api/types/mount/mount.go
new file mode 100644
index 00000000..3fef974d
--- /dev/null
+++ b/engine/api/types/mount/mount.go
@@ -0,0 +1,130 @@
+package mount // import "github.com/docker/docker/api/types/mount"
+
+import (
+	"os"
+)
+
+// Type represents the type of a mount.
+type Type string
+
+// Type constants
+const (
+	// TypeBind is the type for mounting host dir
+	TypeBind Type = "bind"
+	// TypeVolume is the type for remote storage volumes
+	TypeVolume Type = "volume"
+	// TypeTmpfs is the type for mounting tmpfs
+	TypeTmpfs Type = "tmpfs"
+	// TypeNamedPipe is the type for mounting Windows named pipes
+	TypeNamedPipe Type = "npipe"
+)
+
+// Mount represents a mount (volume).
+type Mount struct {
+	Type Type `json:",omitempty"`
+	// Source specifies the name of the mount. Depending on mount type, this
+	// may be a volume name or a host path, or even ignored.
+	// Source is not supported for tmpfs (must be an empty value)
+	Source      string      `json:",omitempty"`
+	Target      string      `json:",omitempty"`
+	ReadOnly    bool        `json:",omitempty"`
+	Consistency Consistency `json:",omitempty"`
+
+	BindOptions   *BindOptions   `json:",omitempty"`
+	VolumeOptions *VolumeOptions `json:",omitempty"`
+	TmpfsOptions  *TmpfsOptions  `json:",omitempty"`
+}
+
+// Propagation represents the propagation of a mount.
+type Propagation string
+
+const (
+	// PropagationRPrivate RPRIVATE
+	PropagationRPrivate Propagation = "rprivate"
+	// PropagationPrivate PRIVATE
+	PropagationPrivate Propagation = "private"
+	// PropagationRShared RSHARED
+	PropagationRShared Propagation = "rshared"
+	// PropagationShared SHARED
+	PropagationShared Propagation = "shared"
+	// PropagationRSlave RSLAVE
+	PropagationRSlave Propagation = "rslave"
+	// PropagationSlave SLAVE
+	PropagationSlave Propagation = "slave"
+)
+
+// Propagations is the list of all valid mount propagations
+var Propagations = []Propagation{
+	PropagationRPrivate,
+	PropagationPrivate,
+	PropagationRShared,
+	PropagationShared,
+	PropagationRSlave,
+	PropagationSlave,
+}
+
+// Consistency represents the consistency requirements of a mount.
+type Consistency string
+
+const (
+	// ConsistencyFull guarantees bind mount-like consistency
+	ConsistencyFull Consistency = "consistent"
+	// ConsistencyCached mounts can cache read data and FS structure
+	ConsistencyCached Consistency = "cached"
+	// ConsistencyDelegated mounts can cache read and written data and structure
+	ConsistencyDelegated Consistency = "delegated"
+	// ConsistencyDefault provides "consistent" behavior unless overridden
+	ConsistencyDefault Consistency = "default"
+)
+
+// BindOptions defines options specific to mounts of type "bind".
+type BindOptions struct {
+	Propagation Propagation `json:",omitempty"`
+}
+
+// VolumeOptions represents the options for a mount of type volume.
+type VolumeOptions struct {
+	NoCopy       bool              `json:",omitempty"`
+	Labels       map[string]string `json:",omitempty"`
+	DriverConfig *Driver           `json:",omitempty"`
+}
+
+// Driver represents a volume driver.
+type Driver struct {
+	Name    string            `json:",omitempty"`
+	Options map[string]string `json:",omitempty"`
+}
+
+// TmpfsOptions defines options specific to mounts of type "tmpfs".
+type TmpfsOptions struct {
+	// Size sets the size of the tmpfs, in bytes.
+	//
+	// This will be converted to an operating system specific value
+	// depending on the host. For example, on linux, it will be converted to
+	// use a 'k', 'm' or 'g' syntax. BSD, though not widely supported with
+	// docker, uses a straight byte value.
+	//
+	// Percentages are not supported.
+	SizeBytes int64 `json:",omitempty"`
+	// Mode of the tmpfs upon creation
+	Mode os.FileMode `json:",omitempty"`
+
+	// TODO(stevvooe): There are several more tmpfs flags, specified in the
+	// daemon, that are accepted. Only the most basic are added for now.
+	//
+	// From docker/docker/pkg/mount/flags.go:
+	//
+	// var validFlags = map[string]bool{
+	// 	"":          true,
+	// 	"size":      true, X
+	// 	"mode":      true, X
+	// 	"uid":       true,
+	// 	"gid":       true,
+	// 	"nr_inodes": true,
+	// 	"nr_blocks": true,
+	// 	"mpol":      true,
+	// }
+	//
+	// Some of these may be straightforward to add, but others, such as
+	// uid/gid have implications in a clustered system.
+}
diff --git a/engine/api/types/network/network.go b/engine/api/types/network/network.go
new file mode 100644
index 00000000..761d0b34
--- /dev/null
+++ b/engine/api/types/network/network.go
@@ -0,0 +1,108 @@
+package network // import "github.com/docker/docker/api/types/network"
+
+// Address represents an IP address
+type Address struct {
+	Addr      string
+	PrefixLen int
+}
+
+// IPAM represents IP Address Management
+type IPAM struct {
+	Driver  string
+	Options map[string]string //Per network IPAM driver options
+	Config  []IPAMConfig
+}
+
+// IPAMConfig represents IPAM configurations
+type IPAMConfig struct {
+	Subnet     string            `json:",omitempty"`
+	IPRange    string            `json:",omitempty"`
+	Gateway    string            `json:",omitempty"`
+	AuxAddress map[string]string `json:"AuxiliaryAddresses,omitempty"`
+}
+
+// EndpointIPAMConfig represents IPAM configurations for the endpoint
+type EndpointIPAMConfig struct {
+	IPv4Address  string   `json:",omitempty"`
+	IPv6Address  string   `json:",omitempty"`
+	LinkLocalIPs []string `json:",omitempty"`
+}
+
+// Copy makes a copy of the endpoint ipam config
+func (cfg *EndpointIPAMConfig) Copy() *EndpointIPAMConfig {
+	cfgCopy := *cfg
+	cfgCopy.LinkLocalIPs = make([]string, 0, len(cfg.LinkLocalIPs))
+	cfgCopy.LinkLocalIPs = append(cfgCopy.LinkLocalIPs, cfg.LinkLocalIPs...)
+	return &cfgCopy
+}
+
+// PeerInfo represents one peer of an overlay network
+type PeerInfo struct {
+	Name string
+	IP   string
+}
+
+// EndpointSettings stores the network endpoint details
+type EndpointSettings struct {
+	// Configurations
+	IPAMConfig *EndpointIPAMConfig
+	Links      []string
+	Aliases    []string
+	// Operational data
+	NetworkID           string
+	EndpointID          string
+	Gateway             string
+	IPAddress           string
+	IPPrefixLen         int
+	IPv6Gateway         string
+	GlobalIPv6Address   string
+	GlobalIPv6PrefixLen int
+	MacAddress          string
+	DriverOpts          map[string]string
+}
+
+// Task carries the information about one backend task
+type Task struct {
+	Name       string
+	EndpointID string
+	EndpointIP string
+	Info       map[string]string
+}
+
+// ServiceInfo represents service parameters with the list of service's tasks
+type ServiceInfo struct {
+	VIP          string
+	Ports        []string
+	LocalLBIndex int
+	Tasks        []Task
+}
+
+// Copy makes a deep copy of `EndpointSettings`
+func (es *EndpointSettings) Copy() *EndpointSettings {
+	epCopy := *es
+	if es.IPAMConfig != nil {
+		epCopy.IPAMConfig = es.IPAMConfig.Copy()
+	}
+
+	if es.Links != nil {
+		links := make([]string, 0, len(es.Links))
+		epCopy.Links = append(links, es.Links...)
+	}
+
+	if es.Aliases != nil {
+		aliases := make([]string, 0, len(es.Aliases))
+		epCopy.Aliases = append(aliases, es.Aliases...)
+	}
+	return &epCopy
+}
+
+// NetworkingConfig represents the container's networking configuration for each of its interfaces
+// Carries the networking configs specified in the `docker run` and `docker network connect` commands
+type NetworkingConfig struct {
+	EndpointsConfig map[string]*EndpointSettings // Endpoint configs for each connecting network
+}
+
+// ConfigReference specifies the source which provides a network's configuration
+type ConfigReference struct {
+	Network string
+}
diff --git a/engine/api/types/plugin.go b/engine/api/types/plugin.go
new file mode 100644
index 00000000..abae48b9
--- /dev/null
+++ b/engine/api/types/plugin.go
@@ -0,0 +1,203 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// Plugin A plugin for the Engine API
+// swagger:model Plugin
+type Plugin struct {
+
+	// config
+	// Required: true
+	Config PluginConfig `json:"Config"`
+
+	// True if the plugin is running. False if the plugin is not running, only installed.
+	// Required: true
+	Enabled bool `json:"Enabled"`
+
+	// Id
+	ID string `json:"Id,omitempty"`
+
+	// name
+	// Required: true
+	Name string `json:"Name"`
+
+	// plugin remote reference used to push/pull the plugin
+	PluginReference string `json:"PluginReference,omitempty"`
+
+	// settings
+	// Required: true
+	Settings PluginSettings `json:"Settings"`
+}
+
+// PluginConfig The config of a plugin.
+// swagger:model PluginConfig
+type PluginConfig struct {
+
+	// args
+	// Required: true
+	Args PluginConfigArgs `json:"Args"`
+
+	// description
+	// Required: true
+	Description string `json:"Description"`
+
+	// Docker Version used to create the plugin
+	DockerVersion string `json:"DockerVersion,omitempty"`
+
+	// documentation
+	// Required: true
+	Documentation string `json:"Documentation"`
+
+	// entrypoint
+	// Required: true
+	Entrypoint []string `json:"Entrypoint"`
+
+	// env
+	// Required: true
+	Env []PluginEnv `json:"Env"`
+
+	// interface
+	// Required: true
+	Interface PluginConfigInterface `json:"Interface"`
+
+	// ipc host
+	// Required: true
+	IpcHost bool `json:"IpcHost"`
+
+	// linux
+	// Required: true
+	Linux PluginConfigLinux `json:"Linux"`
+
+	// mounts
+	// Required: true
+	Mounts []PluginMount `json:"Mounts"`
+
+	// network
+	// Required: true
+	Network PluginConfigNetwork `json:"Network"`
+
+	// pid host
+	// Required: true
+	PidHost bool `json:"PidHost"`
+
+	// propagated mount
+	// Required: true
+	PropagatedMount string `json:"PropagatedMount"`
+
+	// user
+	User PluginConfigUser `json:"User,omitempty"`
+
+	// work dir
+	// Required: true
+	WorkDir string `json:"WorkDir"`
+
+	// rootfs
+	Rootfs *PluginConfigRootfs `json:"rootfs,omitempty"`
+}
+
+// PluginConfigArgs plugin config args
+// swagger:model PluginConfigArgs
+type PluginConfigArgs struct {
+
+	// description
+	// Required: true
+	Description string `json:"Description"`
+
+	// name
+	// Required: true
+	Name string `json:"Name"`
+
+	// settable
+	// Required: true
+	Settable []string `json:"Settable"`
+
+	// value
+	// Required: true
+	Value []string `json:"Value"`
+}
+
+// PluginConfigInterface The interface between Docker and the plugin
+// swagger:model PluginConfigInterface
+type PluginConfigInterface struct {
+
+	// Protocol to use for clients connecting to the plugin.
+	ProtocolScheme string `json:"ProtocolScheme,omitempty"`
+
+	// socket
+	// Required: true
+	Socket string `json:"Socket"`
+
+	// types
+	// Required: true
+	Types []PluginInterfaceType `json:"Types"`
+}
+
+// PluginConfigLinux plugin config linux
+// swagger:model PluginConfigLinux
+type PluginConfigLinux struct {
+
+	// allow all devices
+	// Required: true
+	AllowAllDevices bool `json:"AllowAllDevices"`
+
+	// capabilities
+	// Required: true
+	Capabilities []string `json:"Capabilities"`
+
+	// devices
+	// Required: true
+	Devices []PluginDevice `json:"Devices"`
+}
+
+// PluginConfigNetwork plugin config network
+// swagger:model PluginConfigNetwork
+type PluginConfigNetwork struct {
+
+	// type
+	// Required: true
+	Type string `json:"Type"`
+}
+
+// PluginConfigRootfs plugin config rootfs
+// swagger:model PluginConfigRootfs
+type PluginConfigRootfs struct {
+
+	// diff ids
+	DiffIds []string `json:"diff_ids"`
+
+	// type
+	Type string `json:"type,omitempty"`
+}
+
+// PluginConfigUser plugin config user
+// swagger:model PluginConfigUser
+type PluginConfigUser struct {
+
+	// g ID
+	GID uint32 `json:"GID,omitempty"`
+
+	// UID
+	UID uint32 `json:"UID,omitempty"`
+}
+
+// PluginSettings Settings that can be modified by users.
+// swagger:model PluginSettings
+type PluginSettings struct {
+
+	// args
+	// Required: true
+	Args []string `json:"Args"`
+
+	// devices
+	// Required: true
+	Devices []PluginDevice `json:"Devices"`
+
+	// env
+	// Required: true
+	Env []string `json:"Env"`
+
+	// mounts
+	// Required: true
+	Mounts []PluginMount `json:"Mounts"`
+}
diff --git a/engine/api/types/plugin_device.go b/engine/api/types/plugin_device.go
new file mode 100644
index 00000000..56990106
--- /dev/null
+++ b/engine/api/types/plugin_device.go
@@ -0,0 +1,25 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// PluginDevice plugin device
+// swagger:model PluginDevice
+type PluginDevice struct {
+
+	// description
+	// Required: true
+	Description string `json:"Description"`
+
+	// name
+	// Required: true
+	Name string `json:"Name"`
+
+	// path
+	// Required: true
+	Path *string `json:"Path"`
+
+	// settable
+	// Required: true
+	Settable []string `json:"Settable"`
+}
diff --git a/engine/api/types/plugin_env.go b/engine/api/types/plugin_env.go
new file mode 100644
index 00000000..32962dc2
--- /dev/null
+++ b/engine/api/types/plugin_env.go
@@ -0,0 +1,25 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// PluginEnv plugin env
+// swagger:model PluginEnv
+type PluginEnv struct {
+
+	// description
+	// Required: true
+	Description string `json:"Description"`
+
+	// name
+	// Required: true
+	Name string `json:"Name"`
+
+	// settable
+	// Required: true
+	Settable []string `json:"Settable"`
+
+	// value
+	// Required: true
+	Value *string `json:"Value"`
+}
diff --git a/engine/api/types/plugin_interface_type.go b/engine/api/types/plugin_interface_type.go
new file mode 100644
index 00000000..c82f204e
--- /dev/null
+++ b/engine/api/types/plugin_interface_type.go
@@ -0,0 +1,21 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// PluginInterfaceType plugin interface type
+// swagger:model PluginInterfaceType
+type PluginInterfaceType struct {
+
+	// capability
+	// Required: true
+	Capability string `json:"Capability"`
+
+	// prefix
+	// Required: true
+	Prefix string `json:"Prefix"`
+
+	// version
+	// Required: true
+	Version string `json:"Version"`
+}
diff --git a/engine/api/types/plugin_mount.go b/engine/api/types/plugin_mount.go
new file mode 100644
index 00000000..5c031cf8
--- /dev/null
+++ b/engine/api/types/plugin_mount.go
@@ -0,0 +1,37 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// PluginMount plugin mount
+// swagger:model PluginMount
+type PluginMount struct {
+
+	// description
+	// Required: true
+	Description string `json:"Description"`
+
+	// destination
+	// Required: true
+	Destination string `json:"Destination"`
+
+	// name
+	// Required: true
+	Name string `json:"Name"`
+
+	// options
+	// Required: true
+	Options []string `json:"Options"`
+
+	// settable
+	// Required: true
+	Settable []string `json:"Settable"`
+
+	// source
+	// Required: true
+	Source *string `json:"Source"`
+
+	// type
+	// Required: true
+	Type string `json:"Type"`
+}
diff --git a/engine/api/types/plugin_responses.go b/engine/api/types/plugin_responses.go
new file mode 100644
index 00000000..60d1fb5a
--- /dev/null
+++ b/engine/api/types/plugin_responses.go
@@ -0,0 +1,71 @@
+package types // import "github.com/docker/docker/api/types"
+
+import (
+	"encoding/json"
+	"fmt"
+	"sort"
+)
+
+// PluginsListResponse contains the response for the Engine API
+type PluginsListResponse []*Plugin
+
+// UnmarshalJSON implements json.Unmarshaler for PluginInterfaceType
+func (t *PluginInterfaceType) UnmarshalJSON(p []byte) error {
+	versionIndex := len(p)
+	prefixIndex := 0
+	if len(p) < 2 || p[0] != '"' || p[len(p)-1] != '"' {
+		return fmt.Errorf("%q is not a plugin interface type", p)
+	}
+	p = p[1 : len(p)-1]
+loop:
+	for i, b := range p {
+		switch b {
+		case '.':
+			prefixIndex = i
+		case '/':
+			versionIndex = i
+			break loop
+		}
+	}
+	t.Prefix = string(p[:prefixIndex])
+	t.Capability = string(p[prefixIndex+1 : versionIndex])
+	if versionIndex < len(p) {
+		t.Version = string(p[versionIndex+1:])
+	}
+	return nil
+}
+
+// MarshalJSON implements json.Marshaler for PluginInterfaceType
+func (t *PluginInterfaceType) MarshalJSON() ([]byte, error) {
+	return json.Marshal(t.String())
+}
+
+// String implements fmt.Stringer for PluginInterfaceType
+func (t PluginInterfaceType) String() string {
+	return fmt.Sprintf("%s.%s/%s", t.Prefix, t.Capability, t.Version)
+}
+
+// PluginPrivilege describes a permission the user has to accept
+// upon installing a plugin.
+type PluginPrivilege struct {
+	Name        string
+	Description string
+	Value       []string
+}
+
+// PluginPrivileges is a list of PluginPrivilege
+type PluginPrivileges []PluginPrivilege
+
+func (s PluginPrivileges) Len() int {
+	return len(s)
+}
+
+func (s PluginPrivileges) Less(i, j int) bool {
+	return s[i].Name < s[j].Name
+}
+
+func (s PluginPrivileges) Swap(i, j int) {
+	sort.Strings(s[i].Value)
+	sort.Strings(s[j].Value)
+	s[i], s[j] = s[j], s[i]
+}
diff --git a/engine/api/types/plugins/logdriver/entry.pb.go b/engine/api/types/plugins/logdriver/entry.pb.go
new file mode 100644
index 00000000..5d7d8b4c
--- /dev/null
+++ b/engine/api/types/plugins/logdriver/entry.pb.go
@@ -0,0 +1,449 @@
+// Code generated by protoc-gen-gogo.
+// source: entry.proto
+// DO NOT EDIT!
+
+/*
+	Package logdriver is a generated protocol buffer package.
+
+	It is generated from these files:
+		entry.proto
+
+	It has these top-level messages:
+		LogEntry
+*/
+package logdriver
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type LogEntry struct {
+	Source   string `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"`
+	TimeNano int64  `protobuf:"varint,2,opt,name=time_nano,json=timeNano,proto3" json:"time_nano,omitempty"`
+	Line     []byte `protobuf:"bytes,3,opt,name=line,proto3" json:"line,omitempty"`
+	Partial  bool   `protobuf:"varint,4,opt,name=partial,proto3" json:"partial,omitempty"`
+}
+
+func (m *LogEntry) Reset()                    { *m = LogEntry{} }
+func (m *LogEntry) String() string            { return proto.CompactTextString(m) }
+func (*LogEntry) ProtoMessage()               {}
+func (*LogEntry) Descriptor() ([]byte, []int) { return fileDescriptorEntry, []int{0} }
+
+func (m *LogEntry) GetSource() string {
+	if m != nil {
+		return m.Source
+	}
+	return ""
+}
+
+func (m *LogEntry) GetTimeNano() int64 {
+	if m != nil {
+		return m.TimeNano
+	}
+	return 0
+}
+
+func (m *LogEntry) GetLine() []byte {
+	if m != nil {
+		return m.Line
+	}
+	return nil
+}
+
+func (m *LogEntry) GetPartial() bool {
+	if m != nil {
+		return m.Partial
+	}
+	return false
+}
+
+func init() {
+	proto.RegisterType((*LogEntry)(nil), "LogEntry")
+}
+func (m *LogEntry) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *LogEntry) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Source) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintEntry(dAtA, i, uint64(len(m.Source)))
+		i += copy(dAtA[i:], m.Source)
+	}
+	if m.TimeNano != 0 {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintEntry(dAtA, i, uint64(m.TimeNano))
+	}
+	if len(m.Line) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintEntry(dAtA, i, uint64(len(m.Line)))
+		i += copy(dAtA[i:], m.Line)
+	}
+	if m.Partial {
+		dAtA[i] = 0x20
+		i++
+		if m.Partial {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func encodeFixed64Entry(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Entry(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintEntry(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *LogEntry) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Source)
+	if l > 0 {
+		n += 1 + l + sovEntry(uint64(l))
+	}
+	if m.TimeNano != 0 {
+		n += 1 + sovEntry(uint64(m.TimeNano))
+	}
+	l = len(m.Line)
+	if l > 0 {
+		n += 1 + l + sovEntry(uint64(l))
+	}
+	if m.Partial {
+		n += 2
+	}
+	return n
+}
+
+func sovEntry(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozEntry(x uint64) (n int) {
+	return sovEntry(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *LogEntry) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowEntry
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: LogEntry: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: LogEntry: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Source", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowEntry
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthEntry
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Source = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TimeNano", wireType)
+			}
+			m.TimeNano = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowEntry
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.TimeNano |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Line", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowEntry
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthEntry
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Line = append(m.Line[:0], dAtA[iNdEx:postIndex]...)
+			if m.Line == nil {
+				m.Line = []byte{}
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Partial", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowEntry
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Partial = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipEntry(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthEntry
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipEntry(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowEntry
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowEntry
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowEntry
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthEntry
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowEntry
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipEntry(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthEntry = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowEntry   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("entry.proto", fileDescriptorEntry) }
+
+var fileDescriptorEntry = []byte{
+	// 149 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xe2, 0xe2, 0x4e, 0xcd, 0x2b, 0x29,
+	0xaa, 0xd4, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x57, 0xca, 0xe5, 0xe2, 0xf0, 0xc9, 0x4f, 0x77, 0x05,
+	0x89, 0x08, 0x89, 0x71, 0xb1, 0x15, 0xe7, 0x97, 0x16, 0x25, 0xa7, 0x4a, 0x30, 0x2a, 0x30, 0x6a,
+	0x70, 0x06, 0x41, 0x79, 0x42, 0xd2, 0x5c, 0x9c, 0x25, 0x99, 0xb9, 0xa9, 0xf1, 0x79, 0x89, 0x79,
+	0xf9, 0x12, 0x4c, 0x0a, 0x8c, 0x1a, 0xcc, 0x41, 0x1c, 0x20, 0x01, 0xbf, 0xc4, 0xbc, 0x7c, 0x21,
+	0x21, 0x2e, 0x96, 0x9c, 0xcc, 0xbc, 0x54, 0x09, 0x66, 0x05, 0x46, 0x0d, 0x9e, 0x20, 0x30, 0x5b,
+	0x48, 0x82, 0x8b, 0xbd, 0x20, 0xb1, 0xa8, 0x24, 0x33, 0x31, 0x47, 0x82, 0x45, 0x81, 0x51, 0x83,
+	0x23, 0x08, 0xc6, 0x75, 0xe2, 0x39, 0xf1, 0x48, 0x8e, 0xf1, 0xc2, 0x23, 0x39, 0xc6, 0x07, 0x8f,
+	0xe4, 0x18, 0x93, 0xd8, 0xc0, 0x6e, 0x30, 0x06, 0x04, 0x00, 0x00, 0xff, 0xff, 0x2d, 0x24, 0x5a,
+	0xd4, 0x92, 0x00, 0x00, 0x00,
+}
diff --git a/engine/api/types/plugins/logdriver/entry.proto b/engine/api/types/plugins/logdriver/entry.proto
new file mode 100644
index 00000000..a4e96ea5
--- /dev/null
+++ b/engine/api/types/plugins/logdriver/entry.proto
@@ -0,0 +1,8 @@
+syntax = "proto3";
+
+message LogEntry {
+	string source = 1;
+	int64 time_nano = 2;
+	bytes line = 3;
+	bool partial = 4;
+}
diff --git a/engine/api/types/plugins/logdriver/gen.go b/engine/api/types/plugins/logdriver/gen.go
new file mode 100644
index 00000000..e5f10b5e
--- /dev/null
+++ b/engine/api/types/plugins/logdriver/gen.go
@@ -0,0 +1,3 @@
+//go:generate protoc --gogofast_out=import_path=github.com/docker/docker/api/types/plugins/logdriver:. entry.proto
+
+package logdriver // import "github.com/docker/docker/api/types/plugins/logdriver"
diff --git a/engine/api/types/plugins/logdriver/io.go b/engine/api/types/plugins/logdriver/io.go
new file mode 100644
index 00000000..9081b3b4
--- /dev/null
+++ b/engine/api/types/plugins/logdriver/io.go
@@ -0,0 +1,87 @@
+package logdriver // import "github.com/docker/docker/api/types/plugins/logdriver"
+
+import (
+	"encoding/binary"
+	"io"
+)
+
+const binaryEncodeLen = 4
+
+// LogEntryEncoder encodes a LogEntry to a protobuf stream
+// The stream should look like:
+//
+// [uint32 binary encoded message size][protobuf message]
+//
+// To decode an entry, read the first 4 bytes to get the size of the entry,
+// then read `size` bytes from the stream.
+type LogEntryEncoder interface {
+	Encode(*LogEntry) error
+}
+
+// NewLogEntryEncoder creates a protobuf stream encoder for log entries.
+// This is used to write out  log entries to a stream.
+func NewLogEntryEncoder(w io.Writer) LogEntryEncoder {
+	return &logEntryEncoder{
+		w:   w,
+		buf: make([]byte, 1024),
+	}
+}
+
+type logEntryEncoder struct {
+	buf []byte
+	w   io.Writer
+}
+
+func (e *logEntryEncoder) Encode(l *LogEntry) error {
+	n := l.Size()
+
+	total := n + binaryEncodeLen
+	if total > len(e.buf) {
+		e.buf = make([]byte, total)
+	}
+	binary.BigEndian.PutUint32(e.buf, uint32(n))
+
+	if _, err := l.MarshalTo(e.buf[binaryEncodeLen:]); err != nil {
+		return err
+	}
+	_, err := e.w.Write(e.buf[:total])
+	return err
+}
+
+// LogEntryDecoder decodes log entries from a stream
+// It is expected that the wire format is as defined by LogEntryEncoder.
+type LogEntryDecoder interface {
+	Decode(*LogEntry) error
+}
+
+// NewLogEntryDecoder creates a new stream decoder for log entries
+func NewLogEntryDecoder(r io.Reader) LogEntryDecoder {
+	return &logEntryDecoder{
+		lenBuf: make([]byte, binaryEncodeLen),
+		buf:    make([]byte, 1024),
+		r:      r,
+	}
+}
+
+type logEntryDecoder struct {
+	r      io.Reader
+	lenBuf []byte
+	buf    []byte
+}
+
+func (d *logEntryDecoder) Decode(l *LogEntry) error {
+	_, err := io.ReadFull(d.r, d.lenBuf)
+	if err != nil {
+		return err
+	}
+
+	size := int(binary.BigEndian.Uint32(d.lenBuf))
+	if len(d.buf) < size {
+		d.buf = make([]byte, size)
+	}
+
+	if _, err := io.ReadFull(d.r, d.buf[:size]); err != nil {
+		return err
+	}
+	return l.Unmarshal(d.buf[:size])
+}
diff --git a/engine/api/types/port.go b/engine/api/types/port.go
new file mode 100644
index 00000000..d9123474
--- /dev/null
+++ b/engine/api/types/port.go
@@ -0,0 +1,23 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// Port An open port on a container
+// swagger:model Port
+type Port struct {
+
+	// Host IP address that the container's port is mapped to
+	IP string `json:"IP,omitempty"`
+
+	// Port on the container
+	// Required: true
+	PrivatePort uint16 `json:"PrivatePort"`
+
+	// Port exposed on the host
+	PublicPort uint16 `json:"PublicPort,omitempty"`
+
+	// type
+	// Required: true
+	Type string `json:"Type"`
+}
diff --git a/engine/api/types/registry/authenticate.go b/engine/api/types/registry/authenticate.go
new file mode 100644
index 00000000..f0a2113e
--- /dev/null
+++ b/engine/api/types/registry/authenticate.go
@@ -0,0 +1,21 @@
+package registry // import "github.com/docker/docker/api/types/registry"
+
+// ----------------------------------------------------------------------------
+// DO NOT EDIT THIS FILE
+// This file was generated by `swagger generate operation`
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+// AuthenticateOKBody authenticate o k body
+// swagger:model AuthenticateOKBody
+type AuthenticateOKBody struct {
+
+	// An opaque token used to authenticate a user after a successful login
+	// Required: true
+	IdentityToken string `json:"IdentityToken"`
+
+	// The status of the authentication
+	// Required: true
+	Status string `json:"Status"`
+}
diff --git a/engine/api/types/registry/registry.go b/engine/api/types/registry/registry.go
new file mode 100644
index 00000000..8789ad3b
--- /dev/null
+++ b/engine/api/types/registry/registry.go
@@ -0,0 +1,119 @@
+package registry // import "github.com/docker/docker/api/types/registry"
+
+import (
+	"encoding/json"
+	"net"
+
+	"github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// ServiceConfig stores daemon registry services configuration.
+type ServiceConfig struct {
+	AllowNondistributableArtifactsCIDRs     []*NetIPNet
+	AllowNondistributableArtifactsHostnames []string
+	InsecureRegistryCIDRs                   []*NetIPNet           `json:"InsecureRegistryCIDRs"`
+	IndexConfigs                            map[string]*IndexInfo `json:"IndexConfigs"`
+	Mirrors                                 []string
+}
+
+// NetIPNet is the net.IPNet type, which can be marshalled and
+// unmarshalled to JSON
+type NetIPNet net.IPNet
+
+// String returns the CIDR notation of ipnet
+func (ipnet *NetIPNet) String() string {
+	return (*net.IPNet)(ipnet).String()
+}
+
+// MarshalJSON returns the JSON representation of the IPNet
+func (ipnet *NetIPNet) MarshalJSON() ([]byte, error) {
+	return json.Marshal((*net.IPNet)(ipnet).String())
+}
+
+// UnmarshalJSON sets the IPNet from a byte array of JSON
+func (ipnet *NetIPNet) UnmarshalJSON(b []byte) (err error) {
+	var ipnetStr string
+	if err = json.Unmarshal(b, &ipnetStr); err == nil {
+		var cidr *net.IPNet
+		if _, cidr, err = net.ParseCIDR(ipnetStr); err == nil {
+			*ipnet = NetIPNet(*cidr)
+		}
+	}
+	return
+}
+
+// IndexInfo contains information about a registry
+//
+// RepositoryInfo Examples:
+// {
+//   "Index" : {
+//     "Name" : "docker.io",
+//     "Mirrors" : ["https://registry-2.docker.io/v1/", "https://registry-3.docker.io/v1/"],
+//     "Secure" : true,
+//     "Official" : true,
+//   },
+//   "RemoteName" : "library/debian",
+//   "LocalName" : "debian",
+//   "CanonicalName" : "docker.io/debian"
+//   "Official" : true,
+// }
+//
+// {
+//   "Index" : {
+//     "Name" : "127.0.0.1:5000",
+//     "Mirrors" : [],
+//     "Secure" : false,
+//     "Official" : false,
+//   },
+//   "RemoteName" : "user/repo",
+//   "LocalName" : "127.0.0.1:5000/user/repo",
+//   "CanonicalName" : "127.0.0.1:5000/user/repo",
+//   "Official" : false,
+// }
+type IndexInfo struct {
+	// Name is the name of the registry, such as "docker.io"
+	Name string
+	// Mirrors is a list of mirrors, expressed as URIs
+	Mirrors []string
+	// Secure is set to false if the registry is part of the list of
+	// insecure registries. Insecure registries accept HTTP and/or accept
+	// HTTPS with certificates from unknown CAs.
+	Secure bool
+	// Official indicates whether this is an official registry
+	Official bool
+}
+
+// SearchResult describes a search result returned from a registry
+type SearchResult struct {
+	// StarCount indicates the number of stars this repository has
+	StarCount int `json:"star_count"`
+	// IsOfficial is true if the result is from an official repository.
+	IsOfficial bool `json:"is_official"`
+	// Name is the name of the repository
+	Name string `json:"name"`
+	// IsAutomated indicates whether the result is automated
+	IsAutomated bool `json:"is_automated"`
+	// Description is a textual description of the repository
+	Description string `json:"description"`
+}
+
+// SearchResults lists a collection search results returned from a registry
+type SearchResults struct {
+	// Query contains the query string that generated the search results
+	Query string `json:"query"`
+	// NumResults indicates the number of results the query returned
+	NumResults int `json:"num_results"`
+	// Results is a slice containing the actual results for the search
+	Results []SearchResult `json:"results"`
+}
+
+// DistributionInspect describes the result obtained from contacting the
+// registry to retrieve image metadata
+type DistributionInspect struct {
+	// Descriptor contains information about the manifest, including
+	// the content addressable digest
+	Descriptor v1.Descriptor
+	// Platforms contains the list of platforms supported by the image,
+	// obtained by parsing the manifest
+	Platforms []v1.Platform
+}
diff --git a/engine/api/types/seccomp.go b/engine/api/types/seccomp.go
new file mode 100644
index 00000000..67a41e1a
--- /dev/null
+++ b/engine/api/types/seccomp.go
@@ -0,0 +1,93 @@
+package types // import "github.com/docker/docker/api/types"
+
+// Seccomp represents the config for a seccomp profile for syscall restriction.
+type Seccomp struct {
+	DefaultAction Action `json:"defaultAction"`
+	// Architectures is kept to maintain backward compatibility with the old
+	// seccomp profile.
+	Architectures []Arch         `json:"architectures,omitempty"`
+	ArchMap       []Architecture `json:"archMap,omitempty"`
+	Syscalls      []*Syscall     `json:"syscalls"`
+}
+
+// Architecture is used to represent a specific architecture
+// and its sub-architectures
+type Architecture struct {
+	Arch      Arch   `json:"architecture"`
+	SubArches []Arch `json:"subArchitectures"`
+}
+
+// Arch used for architectures
+type Arch string
+
+// Additional architectures permitted to be used for system calls
+// By default only the native architecture of the kernel is permitted
+const (
+	ArchX86         Arch = "SCMP_ARCH_X86"
+	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
+	ArchX32         Arch = "SCMP_ARCH_X32"
+	ArchARM         Arch = "SCMP_ARCH_ARM"
+	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
+	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
+	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
+	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
+	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
+	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
+	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
+	ArchPPC         Arch = "SCMP_ARCH_PPC"
+	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
+	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
+	ArchS390        Arch = "SCMP_ARCH_S390"
+	ArchS390X       Arch = "SCMP_ARCH_S390X"
+)
+
+// Action taken upon Seccomp rule match
+type Action string
+
+// Define actions for Seccomp rules
+const (
+	ActKill  Action = "SCMP_ACT_KILL"
+	ActTrap  Action = "SCMP_ACT_TRAP"
+	ActErrno Action = "SCMP_ACT_ERRNO"
+	ActTrace Action = "SCMP_ACT_TRACE"
+	ActAllow Action = "SCMP_ACT_ALLOW"
+)
+
+// Operator used to match syscall arguments in Seccomp
+type Operator string
+
+// Define operators for syscall arguments in Seccomp
+const (
+	OpNotEqual     Operator = "SCMP_CMP_NE"
+	OpLessThan     Operator = "SCMP_CMP_LT"
+	OpLessEqual    Operator = "SCMP_CMP_LE"
+	OpEqualTo      Operator = "SCMP_CMP_EQ"
+	OpGreaterEqual Operator = "SCMP_CMP_GE"
+	OpGreaterThan  Operator = "SCMP_CMP_GT"
+	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
+)
+
+// Arg used for matching specific syscall arguments in Seccomp
+type Arg struct {
+	Index    uint     `json:"index"`
+	Value    uint64   `json:"value"`
+	ValueTwo uint64   `json:"valueTwo"`
+	Op       Operator `json:"op"`
+}
+
+// Filter is used to conditionally apply Seccomp rules
+type Filter struct {
+	Caps   []string `json:"caps,omitempty"`
+	Arches []string `json:"arches,omitempty"`
+}
+
+// Syscall is used to match a group of syscalls in Seccomp
+type Syscall struct {
+	Name     string   `json:"name,omitempty"`
+	Names    []string `json:"names,omitempty"`
+	Action   Action   `json:"action"`
+	Args     []*Arg   `json:"args"`
+	Comment  string   `json:"comment"`
+	Includes Filter   `json:"includes"`
+	Excludes Filter   `json:"excludes"`
+}
diff --git a/engine/api/types/service_update_response.go b/engine/api/types/service_update_response.go
new file mode 100644
index 00000000..74ea64b1
--- /dev/null
+++ b/engine/api/types/service_update_response.go
@@ -0,0 +1,12 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// ServiceUpdateResponse service update response
+// swagger:model ServiceUpdateResponse
+type ServiceUpdateResponse struct {
+
+	// Optional warning messages
+	Warnings []string `json:"Warnings"`
+}
diff --git a/engine/api/types/stats.go b/engine/api/types/stats.go
new file mode 100644
index 00000000..60175c06
--- /dev/null
+++ b/engine/api/types/stats.go
@@ -0,0 +1,181 @@
+// Package types is used for API stability in the types and response to the
+// consumers of the API stats endpoint.
+package types // import "github.com/docker/docker/api/types"
+
+import "time"
+
+// ThrottlingData stores CPU throttling stats of one running container.
+// Not used on Windows.
+type ThrottlingData struct {
+	// Number of periods with throttling active
+	Periods uint64 `json:"periods"`
+	// Number of periods when the container hits its throttling limit.
+	ThrottledPeriods uint64 `json:"throttled_periods"`
+	// Aggregate time the container was throttled for in nanoseconds.
+	ThrottledTime uint64 `json:"throttled_time"`
+}
+
+// CPUUsage stores All CPU stats aggregated since container inception.
+type CPUUsage struct {
+	// Total CPU time consumed.
+	// Units: nanoseconds (Linux)
+	// Units: 100's of nanoseconds (Windows)
+	TotalUsage uint64 `json:"total_usage"`
+
+	// Total CPU time consumed per core (Linux). Not used on Windows.
+	// Units: nanoseconds.
+	PercpuUsage []uint64 `json:"percpu_usage,omitempty"`
+
+	// Time spent by tasks of the cgroup in kernel mode (Linux).
+	// Time spent by all container processes in kernel mode (Windows).
+	// Units: nanoseconds (Linux).
+	// Units: 100's of nanoseconds (Windows). Not populated for Hyper-V Containers.
+	UsageInKernelmode uint64 `json:"usage_in_kernelmode"`
+
+	// Time spent by tasks of the cgroup in user mode (Linux).
+	// Time spent by all container processes in user mode (Windows).
+	// Units: nanoseconds (Linux).
+	// Units: 100's of nanoseconds (Windows). Not populated for Hyper-V Containers
+	UsageInUsermode uint64 `json:"usage_in_usermode"`
+}
+
+// CPUStats aggregates and wraps all CPU related info of container
+type CPUStats struct {
+	// CPU Usage. Linux and Windows.
+	CPUUsage CPUUsage `json:"cpu_usage"`
+
+	// System Usage. Linux only.
+	SystemUsage uint64 `json:"system_cpu_usage,omitempty"`
+
+	// Online CPUs. Linux only.
+	OnlineCPUs uint32 `json:"online_cpus,omitempty"`
+
+	// Throttling Data. Linux only.
+	ThrottlingData ThrottlingData `json:"throttling_data,omitempty"`
+}
+
+// MemoryStats aggregates all memory stats since container inception on Linux.
+// Windows returns stats for commit and private working set only.
+type MemoryStats struct {
+	// Linux Memory Stats
+
+	// current res_counter usage for memory
+	Usage uint64 `json:"usage,omitempty"`
+	// maximum usage ever recorded.
+	MaxUsage uint64 `json:"max_usage,omitempty"`
+	// TODO(vishh): Export these as stronger types.
+	// all the stats exported via memory.stat.
+	Stats map[string]uint64 `json:"stats,omitempty"`
+	// number of times memory usage hits limits.
+	Failcnt uint64 `json:"failcnt,omitempty"`
+	Limit   uint64 `json:"limit,omitempty"`
+
+	// Windows Memory Stats
+	// See https://technet.microsoft.com/en-us/magazine/ff382715.aspx
+
+	// committed bytes
+	Commit uint64 `json:"commitbytes,omitempty"`
+	// peak committed bytes
+	CommitPeak uint64 `json:"commitpeakbytes,omitempty"`
+	// private working set
+	PrivateWorkingSet uint64 `json:"privateworkingset,omitempty"`
+}
+
+// BlkioStatEntry is one small entity to store a piece of Blkio stats
+// Not used on Windows.
+type BlkioStatEntry struct {
+	Major uint64 `json:"major"`
+	Minor uint64 `json:"minor"`
+	Op    string `json:"op"`
+	Value uint64 `json:"value"`
+}
+
+// BlkioStats stores All IO service stats for data read and write.
+// This is a Linux specific structure as the differences between expressing
+// block I/O on Windows and Linux are sufficiently significant to make
+// little sense attempting to morph into a combined structure.
+type BlkioStats struct {
+	// number of bytes transferred to and from the block device
+	IoServiceBytesRecursive []BlkioStatEntry `json:"io_service_bytes_recursive"`
+	IoServicedRecursive     []BlkioStatEntry `json:"io_serviced_recursive"`
+	IoQueuedRecursive       []BlkioStatEntry `json:"io_queue_recursive"`
+	IoServiceTimeRecursive  []BlkioStatEntry `json:"io_service_time_recursive"`
+	IoWaitTimeRecursive     []BlkioStatEntry `json:"io_wait_time_recursive"`
+	IoMergedRecursive       []BlkioStatEntry `json:"io_merged_recursive"`
+	IoTimeRecursive         []BlkioStatEntry `json:"io_time_recursive"`
+	SectorsRecursive        []BlkioStatEntry `json:"sectors_recursive"`
+}
+
+// StorageStats is the disk I/O stats for read/write on Windows.
+type StorageStats struct {
+	ReadCountNormalized  uint64 `json:"read_count_normalized,omitempty"`
+	ReadSizeBytes        uint64 `json:"read_size_bytes,omitempty"`
+	WriteCountNormalized uint64 `json:"write_count_normalized,omitempty"`
+	WriteSizeBytes       uint64 `json:"write_size_bytes,omitempty"`
+}
+
+// NetworkStats aggregates the network stats of one container
+type NetworkStats struct {
+	// Bytes received. Windows and Linux.
+	RxBytes uint64 `json:"rx_bytes"`
+	// Packets received. Windows and Linux.
+	RxPackets uint64 `json:"rx_packets"`
+	// Received errors. Not used on Windows. Note that we dont `omitempty` this
+	// field as it is expected in the >=v1.21 API stats structure.
+	RxErrors uint64 `json:"rx_errors"`
+	// Incoming packets dropped. Windows and Linux.
+	RxDropped uint64 `json:"rx_dropped"`
+	// Bytes sent. Windows and Linux.
+	TxBytes uint64 `json:"tx_bytes"`
+	// Packets sent. Windows and Linux.
+	TxPackets uint64 `json:"tx_packets"`
+	// Sent errors. Not used on Windows. Note that we dont `omitempty` this
+	// field as it is expected in the >=v1.21 API stats structure.
+	TxErrors uint64 `json:"tx_errors"`
+	// Outgoing packets dropped. Windows and Linux.
+	TxDropped uint64 `json:"tx_dropped"`
+	// Endpoint ID. Not used on Linux.
+	EndpointID string `json:"endpoint_id,omitempty"`
+	// Instance ID. Not used on Linux.
+	InstanceID string `json:"instance_id,omitempty"`
+}
+
+// PidsStats contains the stats of a container's pids
+type PidsStats struct {
+	// Current is the number of pids in the cgroup
+	Current uint64 `json:"current,omitempty"`
+	// Limit is the hard limit on the number of pids in the cgroup.
+	// A "Limit" of 0 means that there is no limit.
+	Limit uint64 `json:"limit,omitempty"`
+}
+
+// Stats is Ultimate struct aggregating all types of stats of one container
+type Stats struct {
+	// Common stats
+	Read    time.Time `json:"read"`
+	PreRead time.Time `json:"preread"`
+
+	// Linux specific stats, not populated on Windows.
+	PidsStats  PidsStats  `json:"pids_stats,omitempty"`
+	BlkioStats BlkioStats `json:"blkio_stats,omitempty"`
+
+	// Windows specific stats, not populated on Linux.
+	NumProcs     uint32       `json:"num_procs"`
+	StorageStats StorageStats `json:"storage_stats,omitempty"`
+
+	// Shared stats
+	CPUStats    CPUStats    `json:"cpu_stats,omitempty"`
+	PreCPUStats CPUStats    `json:"precpu_stats,omitempty"` // "Pre"="Previous"
+	MemoryStats MemoryStats `json:"memory_stats,omitempty"`
+}
+
+// StatsJSON is newly used Networks
+type StatsJSON struct {
+	Stats
+
+	Name string `json:"name,omitempty"`
+	ID   string `json:"id,omitempty"`
+
+	// Networks request version >=1.21
+	Networks map[string]NetworkStats `json:"networks,omitempty"`
+}
diff --git a/engine/api/types/strslice/strslice.go b/engine/api/types/strslice/strslice.go
new file mode 100644
index 00000000..82921ceb
--- /dev/null
+++ b/engine/api/types/strslice/strslice.go
@@ -0,0 +1,30 @@
+package strslice // import "github.com/docker/docker/api/types/strslice"
+
+import "encoding/json"
+
+// StrSlice represents a string or an array of strings.
+// We need to override the json decoder to accept both options.
+type StrSlice []string
+
+// UnmarshalJSON decodes the byte slice whether it's a string or an array of
+// strings. This method is needed to implement json.Unmarshaler.
+func (e *StrSlice) UnmarshalJSON(b []byte) error {
+	if len(b) == 0 {
+		// With no input, we preserve the existing value by returning nil and
+		// leaving the target alone. This allows defining default values for
+		// the type.
+		return nil
+	}
+
+	p := make([]string, 0, 1)
+	if err := json.Unmarshal(b, &p); err != nil {
+		var s string
+		if err := json.Unmarshal(b, &s); err != nil {
+			return err
+		}
+		p = append(p, s)
+	}
+
+	*e = p
+	return nil
+}
diff --git a/engine/api/types/strslice/strslice_test.go b/engine/api/types/strslice/strslice_test.go
new file mode 100644
index 00000000..a065eb55
--- /dev/null
+++ b/engine/api/types/strslice/strslice_test.go
@@ -0,0 +1,86 @@
+package strslice // import "github.com/docker/docker/api/types/strslice"
+
+import (
+	"encoding/json"
+	"reflect"
+	"testing"
+)
+
+func TestStrSliceMarshalJSON(t *testing.T) {
+	for _, testcase := range []struct {
+		input    StrSlice
+		expected string
+	}{
+		// MADNESS(stevvooe): No clue why nil would be "" but empty would be
+		// "null". Had to make a change here that may affect compatibility.
+		{input: nil, expected: "null"},
+		{StrSlice{}, "[]"},
+		{StrSlice{"/bin/sh", "-c", "echo"}, `["/bin/sh","-c","echo"]`},
+	} {
+		data, err := json.Marshal(testcase.input)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(data) != testcase.expected {
+			t.Fatalf("%#v: expected %v, got %v", testcase.input, testcase.expected, string(data))
+		}
+	}
+}
+
+func TestStrSliceUnmarshalJSON(t *testing.T) {
+	parts := map[string][]string{
+		"":   {"default", "values"},
+		"[]": {},
+		`["/bin/sh","-c","echo"]`: {"/bin/sh", "-c", "echo"},
+	}
+	for json, expectedParts := range parts {
+		strs := StrSlice{"default", "values"}
+		if err := strs.UnmarshalJSON([]byte(json)); err != nil {
+			t.Fatal(err)
+		}
+
+		actualParts := []string(strs)
+		if !reflect.DeepEqual(actualParts, expectedParts) {
+			t.Fatalf("%#v: expected %v, got %v", json, expectedParts, actualParts)
+		}
+
+	}
+}
+
+func TestStrSliceUnmarshalString(t *testing.T) {
+	var e StrSlice
+	echo, err := json.Marshal("echo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := json.Unmarshal(echo, &e); err != nil {
+		t.Fatal(err)
+	}
+
+	if len(e) != 1 {
+		t.Fatalf("expected 1 element after unmarshal: %q", e)
+	}
+
+	if e[0] != "echo" {
+		t.Fatalf("expected `echo`, got: %q", e[0])
+	}
+}
+
+func TestStrSliceUnmarshalSlice(t *testing.T) {
+	var e StrSlice
+	echo, err := json.Marshal([]string{"echo"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := json.Unmarshal(echo, &e); err != nil {
+		t.Fatal(err)
+	}
+
+	if len(e) != 1 {
+		t.Fatalf("expected 1 element after unmarshal: %q", e)
+	}
+
+	if e[0] != "echo" {
+		t.Fatalf("expected `echo`, got: %q", e[0])
+	}
+}
diff --git a/engine/api/types/swarm/common.go b/engine/api/types/swarm/common.go
new file mode 100644
index 00000000..ef020f45
--- /dev/null
+++ b/engine/api/types/swarm/common.go
@@ -0,0 +1,40 @@
+package swarm // import "github.com/docker/docker/api/types/swarm"
+
+import "time"
+
+// Version represents the internal object version.
+type Version struct {
+	Index uint64 `json:",omitempty"`
+}
+
+// Meta is a base object inherited by most of the other once.
+type Meta struct {
+	Version   Version   `json:",omitempty"`
+	CreatedAt time.Time `json:",omitempty"`
+	UpdatedAt time.Time `json:",omitempty"`
+}
+
+// Annotations represents how to describe an object.
+type Annotations struct {
+	Name   string            `json:",omitempty"`
+	Labels map[string]string `json:"Labels"`
+}
+
+// Driver represents a driver (network, logging, secrets backend).
+type Driver struct {
+	Name    string            `json:",omitempty"`
+	Options map[string]string `json:",omitempty"`
+}
+
+// TLSInfo represents the TLS information about what CA certificate is trusted,
+// and who the issuer for a TLS certificate is
+type TLSInfo struct {
+	// TrustRoot is the trusted CA root certificate in PEM format
+	TrustRoot string `json:",omitempty"`
+
+	// CertIssuer is the raw subject bytes of the issuer
+	CertIssuerSubject []byte `json:",omitempty"`
+
+	// CertIssuerPublicKey is the raw public key bytes of the issuer
+	CertIssuerPublicKey []byte `json:",omitempty"`
+}
diff --git a/engine/api/types/swarm/config.go b/engine/api/types/swarm/config.go
new file mode 100644
index 00000000..a1555cf4
--- /dev/null
+++ b/engine/api/types/swarm/config.go
@@ -0,0 +1,35 @@
+package swarm // import "github.com/docker/docker/api/types/swarm"
+
+import "os"
+
+// Config represents a config.
+type Config struct {
+	ID string
+	Meta
+	Spec ConfigSpec
+}
+
+// ConfigSpec represents a config specification from a config in swarm
+type ConfigSpec struct {
+	Annotations
+	Data []byte `json:",omitempty"`
+
+	// Templating controls whether and how to evaluate the config payload as
+	// a template. If it is not set, no templating is used.
+	Templating *Driver `json:",omitempty"`
+}
+
+// ConfigReferenceFileTarget is a file target in a config reference
+type ConfigReferenceFileTarget struct {
+	Name string
+	UID  string
+	GID  string
+	Mode os.FileMode
+}
+
+// ConfigReference is a reference to a config in swarm
+type ConfigReference struct {
+	File       *ConfigReferenceFileTarget
+	ConfigID   string
+	ConfigName string
+}
diff --git a/engine/api/types/swarm/container.go b/engine/api/types/swarm/container.go
new file mode 100644
index 00000000..151211ff
--- /dev/null
+++ b/engine/api/types/swarm/container.go
@@ -0,0 +1,74 @@
+package swarm // import "github.com/docker/docker/api/types/swarm"
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
+)
+
+// DNSConfig specifies DNS related configurations in resolver configuration file (resolv.conf)
+// Detailed documentation is available in:
+// http://man7.org/linux/man-pages/man5/resolv.conf.5.html
+// `nameserver`, `search`, `options` have been supported.
+// TODO: `domain` is not supported yet.
+type DNSConfig struct {
+	// Nameservers specifies the IP addresses of the name servers
+	Nameservers []string `json:",omitempty"`
+	// Search specifies the search list for host-name lookup
+	Search []string `json:",omitempty"`
+	// Options allows certain internal resolver variables to be modified
+	Options []string `json:",omitempty"`
+}
+
+// SELinuxContext contains the SELinux labels of the container.
+type SELinuxContext struct {
+	Disable bool
+
+	User  string
+	Role  string
+	Type  string
+	Level string
+}
+
+// CredentialSpec for managed service account (Windows only)
+type CredentialSpec struct {
+	File     string
+	Registry string
+}
+
+// Privileges defines the security options for the container.
+type Privileges struct {
+	CredentialSpec *CredentialSpec
+	SELinuxContext *SELinuxContext
+}
+
+// ContainerSpec represents the spec of a container.
+type ContainerSpec struct {
+	Image           string                  `json:",omitempty"`
+	Labels          map[string]string       `json:",omitempty"`
+	Command         []string                `json:",omitempty"`
+	Args            []string                `json:",omitempty"`
+	Hostname        string                  `json:",omitempty"`
+	Env             []string                `json:",omitempty"`
+	Dir             string                  `json:",omitempty"`
+	User            string                  `json:",omitempty"`
+	Groups          []string                `json:",omitempty"`
+	Privileges      *Privileges             `json:",omitempty"`
+	Init            *bool                   `json:",omitempty"`
+	StopSignal      string                  `json:",omitempty"`
+	TTY             bool                    `json:",omitempty"`
+	OpenStdin       bool                    `json:",omitempty"`
+	ReadOnly        bool                    `json:",omitempty"`
+	Mounts          []mount.Mount           `json:",omitempty"`
+	StopGracePeriod *time.Duration          `json:",omitempty"`
+	Healthcheck     *container.HealthConfig `json:",omitempty"`
+	// The format of extra hosts on swarmkit is specified in:
+	// http://man7.org/linux/man-pages/man5/hosts.5.html
+	//    IP_address canonical_hostname [aliases...]
+	Hosts     []string            `json:",omitempty"`
+	DNSConfig *DNSConfig          `json:",omitempty"`
+	Secrets   []*SecretReference  `json:",omitempty"`
+	Configs   []*ConfigReference  `json:",omitempty"`
+	Isolation container.Isolation `json:",omitempty"`
+}
diff --git a/engine/api/types/swarm/network.go b/engine/api/types/swarm/network.go
new file mode 100644
index 00000000..98ef3284
--- /dev/null
+++ b/engine/api/types/swarm/network.go
@@ -0,0 +1,121 @@
+package swarm // import "github.com/docker/docker/api/types/swarm"
+
+import (
+	"github.com/docker/docker/api/types/network"
+)
+
+// Endpoint represents an endpoint.
+type Endpoint struct {
+	Spec       EndpointSpec        `json:",omitempty"`
+	Ports      []PortConfig        `json:",omitempty"`
+	VirtualIPs []EndpointVirtualIP `json:",omitempty"`
+}
+
+// EndpointSpec represents the spec of an endpoint.
+type EndpointSpec struct {
+	Mode  ResolutionMode `json:",omitempty"`
+	Ports []PortConfig   `json:",omitempty"`
+}
+
+// ResolutionMode represents a resolution mode.
+type ResolutionMode string
+
+const (
+	// ResolutionModeVIP VIP
+	ResolutionModeVIP ResolutionMode = "vip"
+	// ResolutionModeDNSRR DNSRR
+	ResolutionModeDNSRR ResolutionMode = "dnsrr"
+)
+
+// PortConfig represents the config of a port.
+type PortConfig struct {
+	Name     string             `json:",omitempty"`
+	Protocol PortConfigProtocol `json:",omitempty"`
+	// TargetPort is the port inside the container
+	TargetPort uint32 `json:",omitempty"`
+	// PublishedPort is the port on the swarm hosts
+	PublishedPort uint32 `json:",omitempty"`
+	// PublishMode is the mode in which port is published
+	PublishMode PortConfigPublishMode `json:",omitempty"`
+}
+
+// PortConfigPublishMode represents the mode in which the port is to
+// be published.
+type PortConfigPublishMode string
+
+const (
+	// PortConfigPublishModeIngress is used for ports published
+	// for ingress load balancing using routing mesh.
+	PortConfigPublishModeIngress PortConfigPublishMode = "ingress"
+	// PortConfigPublishModeHost is used for ports published
+	// for direct host level access on the host where the task is running.
+	PortConfigPublishModeHost PortConfigPublishMode = "host"
+)
+
+// PortConfigProtocol represents the protocol of a port.
+type PortConfigProtocol string
+
+const (
+	// TODO(stevvooe): These should be used generally, not just for PortConfig.
+
+	// PortConfigProtocolTCP TCP
+	PortConfigProtocolTCP PortConfigProtocol = "tcp"
+	// PortConfigProtocolUDP UDP
+	PortConfigProtocolUDP PortConfigProtocol = "udp"
+	// PortConfigProtocolSCTP SCTP
+	PortConfigProtocolSCTP PortConfigProtocol = "sctp"
+)
+
+// EndpointVirtualIP represents the virtual ip of a port.
+type EndpointVirtualIP struct {
+	NetworkID string `json:",omitempty"`
+	Addr      string `json:",omitempty"`
+}
+
+// Network represents a network.
+type Network struct {
+	ID string
+	Meta
+	Spec        NetworkSpec  `json:",omitempty"`
+	DriverState Driver       `json:",omitempty"`
+	IPAMOptions *IPAMOptions `json:",omitempty"`
+}
+
+// NetworkSpec represents the spec of a network.
+type NetworkSpec struct {
+	Annotations
+	DriverConfiguration *Driver                  `json:",omitempty"`
+	IPv6Enabled         bool                     `json:",omitempty"`
+	Internal            bool                     `json:",omitempty"`
+	Attachable          bool                     `json:",omitempty"`
+	Ingress             bool                     `json:",omitempty"`
+	IPAMOptions         *IPAMOptions             `json:",omitempty"`
+	ConfigFrom          *network.ConfigReference `json:",omitempty"`
+	Scope               string                   `json:",omitempty"`
+}
+
+// NetworkAttachmentConfig represents the configuration of a network attachment.
+type NetworkAttachmentConfig struct {
+	Target     string            `json:",omitempty"`
+	Aliases    []string          `json:",omitempty"`
+	DriverOpts map[string]string `json:",omitempty"`
+}
+
+// NetworkAttachment represents a network attachment.
+type NetworkAttachment struct {
+	Network   Network  `json:",omitempty"`
+	Addresses []string `json:",omitempty"`
+}
+
+// IPAMOptions represents ipam options.
+type IPAMOptions struct {
+	Driver  Driver       `json:",omitempty"`
+	Configs []IPAMConfig `json:",omitempty"`
+}
+
+// IPAMConfig represents ipam configuration.
+type IPAMConfig struct {
+	Subnet  string `json:",omitempty"`
+	Range   string `json:",omitempty"`
+	Gateway string `json:",omitempty"`
+}
diff --git a/engine/api/types/swarm/node.go b/engine/api/types/swarm/node.go
new file mode 100644
index 00000000..1e30f5fa
--- /dev/null
+++ b/engine/api/types/swarm/node.go
@@ -0,0 +1,115 @@
+package swarm // import "github.com/docker/docker/api/types/swarm"
+
+// Node represents a node.
+type Node struct {
+	ID string
+	Meta
+	// Spec defines the desired state of the node as specified by the user.
+	// The system will honor this and will *never* modify it.
+	Spec NodeSpec `json:",omitempty"`
+	// Description encapsulates the properties of the Node as reported by the
+	// agent.
+	Description NodeDescription `json:",omitempty"`
+	// Status provides the current status of the node, as seen by the manager.
+	Status NodeStatus `json:",omitempty"`
+	// ManagerStatus provides the current status of the node's manager
+	// component, if the node is a manager.
+	ManagerStatus *ManagerStatus `json:",omitempty"`
+}
+
+// NodeSpec represents the spec of a node.
+type NodeSpec struct {
+	Annotations
+	Role         NodeRole         `json:",omitempty"`
+	Availability NodeAvailability `json:",omitempty"`
+}
+
+// NodeRole represents the role of a node.
+type NodeRole string
+
+const (
+	// NodeRoleWorker WORKER
+	NodeRoleWorker NodeRole = "worker"
+	// NodeRoleManager MANAGER
+	NodeRoleManager NodeRole = "manager"
+)
+
+// NodeAvailability represents the availability of a node.
+type NodeAvailability string
+
+const (
+	// NodeAvailabilityActive ACTIVE
+	NodeAvailabilityActive NodeAvailability = "active"
+	// NodeAvailabilityPause PAUSE
+	NodeAvailabilityPause NodeAvailability = "pause"
+	// NodeAvailabilityDrain DRAIN
+	NodeAvailabilityDrain NodeAvailability = "drain"
+)
+
+// NodeDescription represents the description of a node.
+type NodeDescription struct {
+	Hostname  string            `json:",omitempty"`
+	Platform  Platform          `json:",omitempty"`
+	Resources Resources         `json:",omitempty"`
+	Engine    EngineDescription `json:",omitempty"`
+	TLSInfo   TLSInfo           `json:",omitempty"`
+}
+
+// Platform represents the platform (Arch/OS).
+type Platform struct {
+	Architecture string `json:",omitempty"`
+	OS           string `json:",omitempty"`
+}
+
+// EngineDescription represents the description of an engine.
+type EngineDescription struct {
+	EngineVersion string              `json:",omitempty"`
+	Labels        map[string]string   `json:",omitempty"`
+	Plugins       []PluginDescription `json:",omitempty"`
+}
+
+// PluginDescription represents the description of an engine plugin.
+type PluginDescription struct {
+	Type string `json:",omitempty"`
+	Name string `json:",omitempty"`
+}
+
+// NodeStatus represents the status of a node.
+type NodeStatus struct {
+	State   NodeState `json:",omitempty"`
+	Message string    `json:",omitempty"`
+	Addr    string    `json:",omitempty"`
+}
+
+// Reachability represents the reachability of a node.
+type Reachability string
+
+const (
+	// ReachabilityUnknown UNKNOWN
+	ReachabilityUnknown Reachability = "unknown"
+	// ReachabilityUnreachable UNREACHABLE
+	ReachabilityUnreachable Reachability = "unreachable"
+	// ReachabilityReachable REACHABLE
+	ReachabilityReachable Reachability = "reachable"
+)
+
+// ManagerStatus represents the status of a manager.
+type ManagerStatus struct {
+	Leader       bool         `json:",omitempty"`
+	Reachability Reachability `json:",omitempty"`
+	Addr         string       `json:",omitempty"`
+}
+
+// NodeState represents the state of a node.
+type NodeState string
+
+const (
+	// NodeStateUnknown UNKNOWN
+	NodeStateUnknown NodeState = "unknown"
+	// NodeStateDown DOWN
+	NodeStateDown NodeState = "down"
+	// NodeStateReady READY
+	NodeStateReady NodeState = "ready"
+	// NodeStateDisconnected DISCONNECTED
+	NodeStateDisconnected NodeState = "disconnected"
+)
diff --git a/engine/api/types/swarm/runtime.go b/engine/api/types/swarm/runtime.go
new file mode 100644
index 00000000..0c77403c
--- /dev/null
+++ b/engine/api/types/swarm/runtime.go
@@ -0,0 +1,27 @@
+package swarm // import "github.com/docker/docker/api/types/swarm"
+
+// RuntimeType is the type of runtime used for the TaskSpec
+type RuntimeType string
+
+// RuntimeURL is the proto type url
+type RuntimeURL string
+
+const (
+	// RuntimeContainer is the container based runtime
+	RuntimeContainer RuntimeType = "container"
+	// RuntimePlugin is the plugin based runtime
+	RuntimePlugin RuntimeType = "plugin"
+	// RuntimeNetworkAttachment is the network attachment runtime
+	RuntimeNetworkAttachment RuntimeType = "attachment"
+
+	// RuntimeURLContainer is the proto url for the container type
+	RuntimeURLContainer RuntimeURL = "types.docker.com/RuntimeContainer"
+	// RuntimeURLPlugin is the proto url for the plugin type
+	RuntimeURLPlugin RuntimeURL = "types.docker.com/RuntimePlugin"
+)
+
+// NetworkAttachmentSpec represents the runtime spec type for network
+// attachment tasks
+type NetworkAttachmentSpec struct {
+	ContainerID string
+}
diff --git a/engine/api/types/swarm/runtime/gen.go b/engine/api/types/swarm/runtime/gen.go
new file mode 100644
index 00000000..98c2806c
--- /dev/null
+++ b/engine/api/types/swarm/runtime/gen.go
@@ -0,0 +1,3 @@
+//go:generate protoc -I . --gogofast_out=import_path=github.com/docker/docker/api/types/swarm/runtime:. plugin.proto
+
+package runtime // import "github.com/docker/docker/api/types/swarm/runtime"
diff --git a/engine/api/types/swarm/runtime/plugin.pb.go b/engine/api/types/swarm/runtime/plugin.pb.go
new file mode 100644
index 00000000..1fdc9b04
--- /dev/null
+++ b/engine/api/types/swarm/runtime/plugin.pb.go
@@ -0,0 +1,712 @@
+// Code generated by protoc-gen-gogo.
+// source: plugin.proto
+// DO NOT EDIT!
+
+/*
+	Package runtime is a generated protocol buffer package.
+
+	It is generated from these files:
+		plugin.proto
+
+	It has these top-level messages:
+		PluginSpec
+		PluginPrivilege
+*/
+package runtime
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+// PluginSpec defines the base payload which clients can specify for creating
+// a service with the plugin runtime.
+type PluginSpec struct {
+	Name       string             `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Remote     string             `protobuf:"bytes,2,opt,name=remote,proto3" json:"remote,omitempty"`
+	Privileges []*PluginPrivilege `protobuf:"bytes,3,rep,name=privileges" json:"privileges,omitempty"`
+	Disabled   bool               `protobuf:"varint,4,opt,name=disabled,proto3" json:"disabled,omitempty"`
+}
+
+func (m *PluginSpec) Reset()                    { *m = PluginSpec{} }
+func (m *PluginSpec) String() string            { return proto.CompactTextString(m) }
+func (*PluginSpec) ProtoMessage()               {}
+func (*PluginSpec) Descriptor() ([]byte, []int) { return fileDescriptorPlugin, []int{0} }
+
+func (m *PluginSpec) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *PluginSpec) GetRemote() string {
+	if m != nil {
+		return m.Remote
+	}
+	return ""
+}
+
+func (m *PluginSpec) GetPrivileges() []*PluginPrivilege {
+	if m != nil {
+		return m.Privileges
+	}
+	return nil
+}
+
+func (m *PluginSpec) GetDisabled() bool {
+	if m != nil {
+		return m.Disabled
+	}
+	return false
+}
+
+// PluginPrivilege describes a permission the user has to accept
+// upon installing a plugin.
+type PluginPrivilege struct {
+	Name        string   `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Description string   `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"`
+	Value       []string `protobuf:"bytes,3,rep,name=value" json:"value,omitempty"`
+}
+
+func (m *PluginPrivilege) Reset()                    { *m = PluginPrivilege{} }
+func (m *PluginPrivilege) String() string            { return proto.CompactTextString(m) }
+func (*PluginPrivilege) ProtoMessage()               {}
+func (*PluginPrivilege) Descriptor() ([]byte, []int) { return fileDescriptorPlugin, []int{1} }
+
+func (m *PluginPrivilege) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *PluginPrivilege) GetDescription() string {
+	if m != nil {
+		return m.Description
+	}
+	return ""
+}
+
+func (m *PluginPrivilege) GetValue() []string {
+	if m != nil {
+		return m.Value
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*PluginSpec)(nil), "PluginSpec")
+	proto.RegisterType((*PluginPrivilege)(nil), "PluginPrivilege")
+}
+func (m *PluginSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PluginSpec) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Name) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintPlugin(dAtA, i, uint64(len(m.Name)))
+		i += copy(dAtA[i:], m.Name)
+	}
+	if len(m.Remote) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintPlugin(dAtA, i, uint64(len(m.Remote)))
+		i += copy(dAtA[i:], m.Remote)
+	}
+	if len(m.Privileges) > 0 {
+		for _, msg := range m.Privileges {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintPlugin(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.Disabled {
+		dAtA[i] = 0x20
+		i++
+		if m.Disabled {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *PluginPrivilege) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PluginPrivilege) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Name) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintPlugin(dAtA, i, uint64(len(m.Name)))
+		i += copy(dAtA[i:], m.Name)
+	}
+	if len(m.Description) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintPlugin(dAtA, i, uint64(len(m.Description)))
+		i += copy(dAtA[i:], m.Description)
+	}
+	if len(m.Value) > 0 {
+		for _, s := range m.Value {
+			dAtA[i] = 0x1a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Plugin(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Plugin(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintPlugin(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *PluginSpec) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	if l > 0 {
+		n += 1 + l + sovPlugin(uint64(l))
+	}
+	l = len(m.Remote)
+	if l > 0 {
+		n += 1 + l + sovPlugin(uint64(l))
+	}
+	if len(m.Privileges) > 0 {
+		for _, e := range m.Privileges {
+			l = e.Size()
+			n += 1 + l + sovPlugin(uint64(l))
+		}
+	}
+	if m.Disabled {
+		n += 2
+	}
+	return n
+}
+
+func (m *PluginPrivilege) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Name)
+	if l > 0 {
+		n += 1 + l + sovPlugin(uint64(l))
+	}
+	l = len(m.Description)
+	if l > 0 {
+		n += 1 + l + sovPlugin(uint64(l))
+	}
+	if len(m.Value) > 0 {
+		for _, s := range m.Value {
+			l = len(s)
+			n += 1 + l + sovPlugin(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovPlugin(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozPlugin(x uint64) (n int) {
+	return sovPlugin(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *PluginSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowPlugin
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PluginSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PluginSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthPlugin
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Remote", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthPlugin
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Remote = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Privileges", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthPlugin
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Privileges = append(m.Privileges, &PluginPrivilege{})
+			if err := m.Privileges[len(m.Privileges)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Disabled", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Disabled = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipPlugin(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthPlugin
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PluginPrivilege) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowPlugin
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PluginPrivilege: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PluginPrivilege: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthPlugin
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Description", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthPlugin
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Description = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthPlugin
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = append(m.Value, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipPlugin(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthPlugin
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipPlugin(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowPlugin
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthPlugin
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowPlugin
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipPlugin(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthPlugin = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowPlugin   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("plugin.proto", fileDescriptorPlugin) }
+
+var fileDescriptorPlugin = []byte{
+	// 196 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xe2, 0xe2, 0x29, 0xc8, 0x29, 0x4d,
+	0xcf, 0xcc, 0xd3, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x57, 0x6a, 0x63, 0xe4, 0xe2, 0x0a, 0x00, 0x0b,
+	0x04, 0x17, 0xa4, 0x26, 0x0b, 0x09, 0x71, 0xb1, 0xe4, 0x25, 0xe6, 0xa6, 0x4a, 0x30, 0x2a, 0x30,
+	0x6a, 0x70, 0x06, 0x81, 0xd9, 0x42, 0x62, 0x5c, 0x6c, 0x45, 0xa9, 0xb9, 0xf9, 0x25, 0xa9, 0x12,
+	0x4c, 0x60, 0x51, 0x28, 0x4f, 0xc8, 0x80, 0x8b, 0xab, 0xa0, 0x28, 0xb3, 0x2c, 0x33, 0x27, 0x35,
+	0x3d, 0xb5, 0x58, 0x82, 0x59, 0x81, 0x59, 0x83, 0xdb, 0x48, 0x40, 0x0f, 0x62, 0x58, 0x00, 0x4c,
+	0x22, 0x08, 0x49, 0x8d, 0x90, 0x14, 0x17, 0x47, 0x4a, 0x66, 0x71, 0x62, 0x52, 0x4e, 0x6a, 0x8a,
+	0x04, 0x8b, 0x02, 0xa3, 0x06, 0x47, 0x10, 0x9c, 0xaf, 0x14, 0xcb, 0xc5, 0x8f, 0xa6, 0x15, 0xab,
+	0x63, 0x14, 0xb8, 0xb8, 0x53, 0x52, 0x8b, 0x93, 0x8b, 0x32, 0x0b, 0x4a, 0x32, 0xf3, 0xf3, 0xa0,
+	0x2e, 0x42, 0x16, 0x12, 0x12, 0xe1, 0x62, 0x2d, 0x4b, 0xcc, 0x29, 0x4d, 0x05, 0xbb, 0x88, 0x33,
+	0x08, 0xc2, 0x71, 0xe2, 0x39, 0xf1, 0x48, 0x8e, 0xf1, 0xc2, 0x23, 0x39, 0xc6, 0x07, 0x8f, 0xe4,
+	0x18, 0x93, 0xd8, 0xc0, 0x9e, 0x37, 0x06, 0x04, 0x00, 0x00, 0xff, 0xff, 0xb8, 0x84, 0xad, 0x79,
+	0x0c, 0x01, 0x00, 0x00,
+}
diff --git a/engine/api/types/swarm/runtime/plugin.proto b/engine/api/types/swarm/runtime/plugin.proto
new file mode 100644
index 00000000..6d63b778
--- /dev/null
+++ b/engine/api/types/swarm/runtime/plugin.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+option go_package = "github.com/docker/docker/api/types/swarm/runtime;runtime";
+
+// PluginSpec defines the base payload which clients can specify for creating
+// a service with the plugin runtime.
+message PluginSpec {
+	string name = 1;
+	string remote = 2;
+	repeated PluginPrivilege privileges = 3;
+	bool disabled = 4;
+}
+
+// PluginPrivilege describes a permission the user has to accept
+// upon installing a plugin.
+message PluginPrivilege {
+	string name = 1;
+	string description = 2;
+	repeated string value = 3;
+}
diff --git a/engine/api/types/swarm/secret.go b/engine/api/types/swarm/secret.go
new file mode 100644
index 00000000..d5213ec9
--- /dev/null
+++ b/engine/api/types/swarm/secret.go
@@ -0,0 +1,36 @@
+package swarm // import "github.com/docker/docker/api/types/swarm"
+
+import "os"
+
+// Secret represents a secret.
+type Secret struct {
+	ID string
+	Meta
+	Spec SecretSpec
+}
+
+// SecretSpec represents a secret specification from a secret in swarm
+type SecretSpec struct {
+	Annotations
+	Data   []byte  `json:",omitempty"`
+	Driver *Driver `json:",omitempty"` // name of the secrets driver used to fetch the secret's value from an external secret store
+
+	// Templating controls whether and how to evaluate the secret payload as
+	// a template. If it is not set, no templating is used.
+	Templating *Driver `json:",omitempty"`
+}
+
+// SecretReferenceFileTarget is a file target in a secret reference
+type SecretReferenceFileTarget struct {
+	Name string
+	UID  string
+	GID  string
+	Mode os.FileMode
+}
+
+// SecretReference is a reference to a secret in swarm
+type SecretReference struct {
+	File       *SecretReferenceFileTarget
+	SecretID   string
+	SecretName string
+}
diff --git a/engine/api/types/swarm/service.go b/engine/api/types/swarm/service.go
new file mode 100644
index 00000000..abf192e7
--- /dev/null
+++ b/engine/api/types/swarm/service.go
@@ -0,0 +1,124 @@
+package swarm // import "github.com/docker/docker/api/types/swarm"
+
+import "time"
+
+// Service represents a service.
+type Service struct {
+	ID string
+	Meta
+	Spec         ServiceSpec   `json:",omitempty"`
+	PreviousSpec *ServiceSpec  `json:",omitempty"`
+	Endpoint     Endpoint      `json:",omitempty"`
+	UpdateStatus *UpdateStatus `json:",omitempty"`
+}
+
+// ServiceSpec represents the spec of a service.
+type ServiceSpec struct {
+	Annotations
+
+	// TaskTemplate defines how the service should construct new tasks when
+	// orchestrating this service.
+	TaskTemplate   TaskSpec      `json:",omitempty"`
+	Mode           ServiceMode   `json:",omitempty"`
+	UpdateConfig   *UpdateConfig `json:",omitempty"`
+	RollbackConfig *UpdateConfig `json:",omitempty"`
+
+	// Networks field in ServiceSpec is deprecated. The
+	// same field in TaskSpec should be used instead.
+	// This field will be removed in a future release.
+	Networks     []NetworkAttachmentConfig `json:",omitempty"`
+	EndpointSpec *EndpointSpec             `json:",omitempty"`
+}
+
+// ServiceMode represents the mode of a service.
+type ServiceMode struct {
+	Replicated *ReplicatedService `json:",omitempty"`
+	Global     *GlobalService     `json:",omitempty"`
+}
+
+// UpdateState is the state of a service update.
+type UpdateState string
+
+const (
+	// UpdateStateUpdating is the updating state.
+	UpdateStateUpdating UpdateState = "updating"
+	// UpdateStatePaused is the paused state.
+	UpdateStatePaused UpdateState = "paused"
+	// UpdateStateCompleted is the completed state.
+	UpdateStateCompleted UpdateState = "completed"
+	// UpdateStateRollbackStarted is the state with a rollback in progress.
+	UpdateStateRollbackStarted UpdateState = "rollback_started"
+	// UpdateStateRollbackPaused is the state with a rollback in progress.
+	UpdateStateRollbackPaused UpdateState = "rollback_paused"
+	// UpdateStateRollbackCompleted is the state with a rollback in progress.
+	UpdateStateRollbackCompleted UpdateState = "rollback_completed"
+)
+
+// UpdateStatus reports the status of a service update.
+type UpdateStatus struct {
+	State       UpdateState `json:",omitempty"`
+	StartedAt   *time.Time  `json:",omitempty"`
+	CompletedAt *time.Time  `json:",omitempty"`
+	Message     string      `json:",omitempty"`
+}
+
+// ReplicatedService is a kind of ServiceMode.
+type ReplicatedService struct {
+	Replicas *uint64 `json:",omitempty"`
+}
+
+// GlobalService is a kind of ServiceMode.
+type GlobalService struct{}
+
+const (
+	// UpdateFailureActionPause PAUSE
+	UpdateFailureActionPause = "pause"
+	// UpdateFailureActionContinue CONTINUE
+	UpdateFailureActionContinue = "continue"
+	// UpdateFailureActionRollback ROLLBACK
+	UpdateFailureActionRollback = "rollback"
+
+	// UpdateOrderStopFirst STOP_FIRST
+	UpdateOrderStopFirst = "stop-first"
+	// UpdateOrderStartFirst START_FIRST
+	UpdateOrderStartFirst = "start-first"
+)
+
+// UpdateConfig represents the update configuration.
+type UpdateConfig struct {
+	// Maximum number of tasks to be updated in one iteration.
+	// 0 means unlimited parallelism.
+	Parallelism uint64
+
+	// Amount of time between updates.
+	Delay time.Duration `json:",omitempty"`
+
+	// FailureAction is the action to take when an update failures.
+	FailureAction string `json:",omitempty"`
+
+	// Monitor indicates how long to monitor a task for failure after it is
+	// created. If the task fails by ending up in one of the states
+	// REJECTED, COMPLETED, or FAILED, within Monitor from its creation,
+	// this counts as a failure. If it fails after Monitor, it does not
+	// count as a failure. If Monitor is unspecified, a default value will
+	// be used.
+	Monitor time.Duration `json:",omitempty"`
+
+	// MaxFailureRatio is the fraction of tasks that may fail during
+	// an update before the failure action is invoked. Any task created by
+	// the current update which ends up in one of the states REJECTED,
+	// COMPLETED or FAILED within Monitor from its creation counts as a
+	// failure. The number of failures is divided by the number of tasks
+	// being updated, and if this fraction is greater than
+	// MaxFailureRatio, the failure action is invoked.
+	//
+	// If the failure action is CONTINUE, there is no effect.
+	// If the failure action is PAUSE, no more tasks will be updated until
+	// another update is started.
+	MaxFailureRatio float32
+
+	// Order indicates the order of operations when rolling out an updated
+	// task. Either the old task is shut down before the new task is
+	// started, or the new task is started before the old task is shut down.
+	Order string
+}
diff --git a/engine/api/types/swarm/swarm.go b/engine/api/types/swarm/swarm.go
new file mode 100644
index 00000000..1b111d72
--- /dev/null
+++ b/engine/api/types/swarm/swarm.go
@@ -0,0 +1,217 @@
+package swarm // import "github.com/docker/docker/api/types/swarm"
+
+import "time"
+
+// ClusterInfo represents info about the cluster for outputting in "info"
+// it contains the same information as "Swarm", but without the JoinTokens
+type ClusterInfo struct {
+	ID string
+	Meta
+	Spec                   Spec
+	TLSInfo                TLSInfo
+	RootRotationInProgress bool
+}
+
+// Swarm represents a swarm.
+type Swarm struct {
+	ClusterInfo
+	JoinTokens JoinTokens
+}
+
+// JoinTokens contains the tokens workers and managers need to join the swarm.
+type JoinTokens struct {
+	// Worker is the join token workers may use to join the swarm.
+	Worker string
+	// Manager is the join token managers may use to join the swarm.
+	Manager string
+}
+
+// Spec represents the spec of a swarm.
+type Spec struct {
+	Annotations
+
+	Orchestration    OrchestrationConfig `json:",omitempty"`
+	Raft             RaftConfig          `json:",omitempty"`
+	Dispatcher       DispatcherConfig    `json:",omitempty"`
+	CAConfig         CAConfig            `json:",omitempty"`
+	TaskDefaults     TaskDefaults        `json:",omitempty"`
+	EncryptionConfig EncryptionConfig    `json:",omitempty"`
+}
+
+// OrchestrationConfig represents orchestration configuration.
+type OrchestrationConfig struct {
+	// TaskHistoryRetentionLimit is the number of historic tasks to keep per instance or
+	// node. If negative, never remove completed or failed tasks.
+	TaskHistoryRetentionLimit *int64 `json:",omitempty"`
+}
+
+// TaskDefaults parameterizes cluster-level task creation with default values.
+type TaskDefaults struct {
+	// LogDriver selects the log driver to use for tasks created in the
+	// orchestrator if unspecified by a service.
+	//
+	// Updating this value will only have an affect on new tasks. Old tasks
+	// will continue use their previously configured log driver until
+	// recreated.
+	LogDriver *Driver `json:",omitempty"`
+}
+
+// EncryptionConfig controls at-rest encryption of data and keys.
+type EncryptionConfig struct {
+	// AutoLockManagers specifies whether or not managers TLS keys and raft data
+	// should be encrypted at rest in such a way that they must be unlocked
+	// before the manager node starts up again.
+	AutoLockManagers bool
+}
+
+// RaftConfig represents raft configuration.
+type RaftConfig struct {
+	// SnapshotInterval is the number of log entries between snapshots.
+	SnapshotInterval uint64 `json:",omitempty"`
+
+	// KeepOldSnapshots is the number of snapshots to keep beyond the
+	// current snapshot.
+	KeepOldSnapshots *uint64 `json:",omitempty"`
+
+	// LogEntriesForSlowFollowers is the number of log entries to keep
+	// around to sync up slow followers after a snapshot is created.
+	LogEntriesForSlowFollowers uint64 `json:",omitempty"`
+
+	// ElectionTick is the number of ticks that a follower will wait for a message
+	// from the leader before becoming a candidate and starting an election.
+	// ElectionTick must be greater than HeartbeatTick.
+	//
+	// A tick currently defaults to one second, so these translate directly to
+	// seconds currently, but this is NOT guaranteed.
+	ElectionTick int
+
+	// HeartbeatTick is the number of ticks between heartbeats. Every
+	// HeartbeatTick ticks, the leader will send a heartbeat to the
+	// followers.
+	//
+	// A tick currently defaults to one second, so these translate directly to
+	// seconds currently, but this is NOT guaranteed.
+	HeartbeatTick int
+}
+
+// DispatcherConfig represents dispatcher configuration.
+type DispatcherConfig struct {
+	// HeartbeatPeriod defines how often agent should send heartbeats to
+	// dispatcher.
+	HeartbeatPeriod time.Duration `json:",omitempty"`
+}
+
+// CAConfig represents CA configuration.
+type CAConfig struct {
+	// NodeCertExpiry is the duration certificates should be issued for
+	NodeCertExpiry time.Duration `json:",omitempty"`
+
+	// ExternalCAs is a list of CAs to which a manager node will make
+	// certificate signing requests for node certificates.
+	ExternalCAs []*ExternalCA `json:",omitempty"`
+
+	// SigningCACert and SigningCAKey specify the desired signing root CA and
+	// root CA key for the swarm.  When inspecting the cluster, the key will
+	// be redacted.
+	SigningCACert string `json:",omitempty"`
+	SigningCAKey  string `json:",omitempty"`
+
+	// If this value changes, and there is no specified signing cert and key,
+	// then the swarm is forced to generate a new root certificate ane key.
+	ForceRotate uint64 `json:",omitempty"`
+}
+
+// ExternalCAProtocol represents type of external CA.
+type ExternalCAProtocol string
+
+// ExternalCAProtocolCFSSL CFSSL
+const ExternalCAProtocolCFSSL ExternalCAProtocol = "cfssl"
+
+// ExternalCA defines external CA to be used by the cluster.
+type ExternalCA struct {
+	// Protocol is the protocol used by this external CA.
+	Protocol ExternalCAProtocol
+
+	// URL is the URL where the external CA can be reached.
+	URL string
+
+	// Options is a set of additional key/value pairs whose interpretation
+	// depends on the specified CA type.
+	Options map[string]string `json:",omitempty"`
+
+	// CACert specifies which root CA is used by this external CA.  This certificate must
+	// be in PEM format.
+	CACert string
+}
+
+// InitRequest is the request used to init a swarm.
+type InitRequest struct {
+	ListenAddr       string
+	AdvertiseAddr    string
+	DataPathAddr     string
+	ForceNewCluster  bool
+	Spec             Spec
+	AutoLockManagers bool
+	Availability     NodeAvailability
+}
+
+// JoinRequest is the request used to join a swarm.
+type JoinRequest struct {
+	ListenAddr    string
+	AdvertiseAddr string
+	DataPathAddr  string
+	RemoteAddrs   []string
+	JoinToken     string // accept by secret
+	Availability  NodeAvailability
+}
+
+// UnlockRequest is the request used to unlock a swarm.
+type UnlockRequest struct {
+	// UnlockKey is the unlock key in ASCII-armored format.
+	UnlockKey string
+}
+
+// LocalNodeState represents the state of the local node.
+type LocalNodeState string
+
+const (
+	// LocalNodeStateInactive INACTIVE
+	LocalNodeStateInactive LocalNodeState = "inactive"
+	// LocalNodeStatePending PENDING
+	LocalNodeStatePending LocalNodeState = "pending"
+	// LocalNodeStateActive ACTIVE
+	LocalNodeStateActive LocalNodeState = "active"
+	// LocalNodeStateError ERROR
+	LocalNodeStateError LocalNodeState = "error"
+	// LocalNodeStateLocked LOCKED
+	LocalNodeStateLocked LocalNodeState = "locked"
+)
+
+// Info represents generic information about swarm.
+type Info struct {
+	NodeID   string
+	NodeAddr string
+
+	LocalNodeState   LocalNodeState
+	ControlAvailable bool
+	Error            string
+
+	RemoteManagers []Peer
+	Nodes          int `json:",omitempty"`
+	Managers       int `json:",omitempty"`
+
+	Cluster *ClusterInfo `json:",omitempty"`
+}
+
+// Peer represents a peer.
+type Peer struct {
+	NodeID string
+	Addr   string
+}
+
+// UpdateFlags contains flags for SwarmUpdate.
+type UpdateFlags struct {
+	RotateWorkerToken      bool
+	RotateManagerToken     bool
+	RotateManagerUnlockKey bool
+}
diff --git a/engine/api/types/swarm/task.go b/engine/api/types/swarm/task.go
new file mode 100644
index 00000000..b35605d1
--- /dev/null
+++ b/engine/api/types/swarm/task.go
@@ -0,0 +1,191 @@
+package swarm // import "github.com/docker/docker/api/types/swarm"
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/swarm/runtime"
+)
+
+// TaskState represents the state of a task.
+type TaskState string
+
+const (
+	// TaskStateNew NEW
+	TaskStateNew TaskState = "new"
+	// TaskStateAllocated ALLOCATED
+	TaskStateAllocated TaskState = "allocated"
+	// TaskStatePending PENDING
+	TaskStatePending TaskState = "pending"
+	// TaskStateAssigned ASSIGNED
+	TaskStateAssigned TaskState = "assigned"
+	// TaskStateAccepted ACCEPTED
+	TaskStateAccepted TaskState = "accepted"
+	// TaskStatePreparing PREPARING
+	TaskStatePreparing TaskState = "preparing"
+	// TaskStateReady READY
+	TaskStateReady TaskState = "ready"
+	// TaskStateStarting STARTING
+	TaskStateStarting TaskState = "starting"
+	// TaskStateRunning RUNNING
+	TaskStateRunning TaskState = "running"
+	// TaskStateComplete COMPLETE
+	TaskStateComplete TaskState = "complete"
+	// TaskStateShutdown SHUTDOWN
+	TaskStateShutdown TaskState = "shutdown"
+	// TaskStateFailed FAILED
+	TaskStateFailed TaskState = "failed"
+	// TaskStateRejected REJECTED
+	TaskStateRejected TaskState = "rejected"
+	// TaskStateRemove REMOVE
+	TaskStateRemove TaskState = "remove"
+	// TaskStateOrphaned ORPHANED
+	TaskStateOrphaned TaskState = "orphaned"
+)
+
+// Task represents a task.
+type Task struct {
+	ID string
+	Meta
+	Annotations
+
+	Spec                TaskSpec            `json:",omitempty"`
+	ServiceID           string              `json:",omitempty"`
+	Slot                int                 `json:",omitempty"`
+	NodeID              string              `json:",omitempty"`
+	Status              TaskStatus          `json:",omitempty"`
+	DesiredState        TaskState           `json:",omitempty"`
+	NetworksAttachments []NetworkAttachment `json:",omitempty"`
+	GenericResources    []GenericResource   `json:",omitempty"`
+}
+
+// TaskSpec represents the spec of a task.
+type TaskSpec struct {
+	// ContainerSpec, NetworkAttachmentSpec, and PluginSpec are mutually exclusive.
+	// PluginSpec is only used when the `Runtime` field is set to `plugin`
+	// NetworkAttachmentSpec is used if the `Runtime` field is set to
+	// `attachment`.
+	ContainerSpec         *ContainerSpec         `json:",omitempty"`
+	PluginSpec            *runtime.PluginSpec    `json:",omitempty"`
+	NetworkAttachmentSpec *NetworkAttachmentSpec `json:",omitempty"`
+
+	Resources     *ResourceRequirements     `json:",omitempty"`
+	RestartPolicy *RestartPolicy            `json:",omitempty"`
+	Placement     *Placement                `json:",omitempty"`
+	Networks      []NetworkAttachmentConfig `json:",omitempty"`
+
+	// LogDriver specifies the LogDriver to use for tasks created from this
+	// spec. If not present, the one on cluster default on swarm.Spec will be
+	// used, finally falling back to the engine default if not specified.
+	LogDriver *Driver `json:",omitempty"`
+
+	// ForceUpdate is a counter that triggers an update even if no relevant
+	// parameters have been changed.
+	ForceUpdate uint64
+
+	Runtime RuntimeType `json:",omitempty"`
+}
+
+// Resources represents resources (CPU/Memory).
+type Resources struct {
+	NanoCPUs         int64             `json:",omitempty"`
+	MemoryBytes      int64             `json:",omitempty"`
+	GenericResources []GenericResource `json:",omitempty"`
+}
+
+// GenericResource represents a "user defined" resource which can
+// be either an integer (e.g: SSD=3) or a string (e.g: SSD=sda1)
+type GenericResource struct {
+	NamedResourceSpec    *NamedGenericResource    `json:",omitempty"`
+	DiscreteResourceSpec *DiscreteGenericResource `json:",omitempty"`
+}
+
+// NamedGenericResource represents a "user defined" resource which is defined
+// as a string.
+// "Kind" is used to describe the Kind of a resource (e.g: "GPU", "FPGA", "SSD", ...)
+// Value is used to identify the resource (GPU="UUID-1", FPGA="/dev/sdb5", ...)
+type NamedGenericResource struct {
+	Kind  string `json:",omitempty"`
+	Value string `json:",omitempty"`
+}
+
+// DiscreteGenericResource represents a "user defined" resource which is defined
+// as an integer
+// "Kind" is used to describe the Kind of a resource (e.g: "GPU", "FPGA", "SSD", ...)
+// Value is used to count the resource (SSD=5, HDD=3, ...)
+type DiscreteGenericResource struct {
+	Kind  string `json:",omitempty"`
+	Value int64  `json:",omitempty"`
+}
+
+// ResourceRequirements represents resources requirements.
+type ResourceRequirements struct {
+	Limits       *Resources `json:",omitempty"`
+	Reservations *Resources `json:",omitempty"`
+}
+
+// Placement represents orchestration parameters.
+type Placement struct {
+	Constraints []string              `json:",omitempty"`
+	Preferences []PlacementPreference `json:",omitempty"`
+
+	// Platforms stores all the platforms that the image can run on.
+	// This field is used in the platform filter for scheduling. If empty,
+	// then the platform filter is off, meaning there are no scheduling restrictions.
+	Platforms []Platform `json:",omitempty"`
+}
+
+// PlacementPreference provides a way to make the scheduler aware of factors
+// such as topology.
+type PlacementPreference struct {
+	Spread *SpreadOver
+}
+
+// SpreadOver is a scheduling preference that instructs the scheduler to spread
+// tasks evenly over groups of nodes identified by labels.
+type SpreadOver struct {
+	// label descriptor, such as engine.labels.az
+	SpreadDescriptor string
+}
+
+// RestartPolicy represents the restart policy.
+type RestartPolicy struct {
+	Condition   RestartPolicyCondition `json:",omitempty"`
+	Delay       *time.Duration         `json:",omitempty"`
+	MaxAttempts *uint64                `json:",omitempty"`
+	Window      *time.Duration         `json:",omitempty"`
+}
+
+// RestartPolicyCondition represents when to restart.
+type RestartPolicyCondition string
+
+const (
+	// RestartPolicyConditionNone NONE
+	RestartPolicyConditionNone RestartPolicyCondition = "none"
+	// RestartPolicyConditionOnFailure ON_FAILURE
+	RestartPolicyConditionOnFailure RestartPolicyCondition = "on-failure"
+	// RestartPolicyConditionAny ANY
+	RestartPolicyConditionAny RestartPolicyCondition = "any"
+)
+
+// TaskStatus represents the status of a task.
+type TaskStatus struct {
+	Timestamp       time.Time        `json:",omitempty"`
+	State           TaskState        `json:",omitempty"`
+	Message         string           `json:",omitempty"`
+	Err             string           `json:",omitempty"`
+	ContainerStatus *ContainerStatus `json:",omitempty"`
+	PortStatus      PortStatus       `json:",omitempty"`
+}
+
+// ContainerStatus represents the status of a container.
+type ContainerStatus struct {
+	ContainerID string
+	PID         int
+	ExitCode    int
+}
+
+// PortStatus represents the port status of a task's host ports whose
+// service has published host ports
+type PortStatus struct {
+	Ports []PortConfig `json:",omitempty"`
+}
diff --git a/engine/api/types/time/duration_convert.go b/engine/api/types/time/duration_convert.go
new file mode 100644
index 00000000..84b6f073
--- /dev/null
+++ b/engine/api/types/time/duration_convert.go
@@ -0,0 +1,12 @@
+package time // import "github.com/docker/docker/api/types/time"
+
+import (
+	"strconv"
+	"time"
+)
+
+// DurationToSecondsString converts the specified duration to the number
+// seconds it represents, formatted as a string.
+func DurationToSecondsString(duration time.Duration) string {
+	return strconv.FormatFloat(duration.Seconds(), 'f', 0, 64)
+}
diff --git a/engine/api/types/time/duration_convert_test.go b/engine/api/types/time/duration_convert_test.go
new file mode 100644
index 00000000..a23be947
--- /dev/null
+++ b/engine/api/types/time/duration_convert_test.go
@@ -0,0 +1,26 @@
+package time // import "github.com/docker/docker/api/types/time"
+
+import (
+	"testing"
+	"time"
+)
+
+func TestDurationToSecondsString(t *testing.T) {
+	cases := []struct {
+		in       time.Duration
+		expected string
+	}{
+		{0 * time.Second, "0"},
+		{1 * time.Second, "1"},
+		{1 * time.Minute, "60"},
+		{24 * time.Hour, "86400"},
+	}
+
+	for _, c := range cases {
+		s := DurationToSecondsString(c.in)
+		if s != c.expected {
+			t.Errorf("wrong value for input `%v`: expected `%s`, got `%s`", c.in, c.expected, s)
+			t.Fail()
+		}
+	}
+}
diff --git a/engine/api/types/time/timestamp.go b/engine/api/types/time/timestamp.go
new file mode 100644
index 00000000..ea3495ef
--- /dev/null
+++ b/engine/api/types/time/timestamp.go
@@ -0,0 +1,129 @@
+package time // import "github.com/docker/docker/api/types/time"
+
+import (
+	"fmt"
+	"math"
+	"strconv"
+	"strings"
+	"time"
+)
+
+// These are additional predefined layouts for use in Time.Format and Time.Parse
+// with --since and --until parameters for `docker logs` and `docker events`
+const (
+	rFC3339Local     = "2006-01-02T15:04:05"           // RFC3339 with local timezone
+	rFC3339NanoLocal = "2006-01-02T15:04:05.999999999" // RFC3339Nano with local timezone
+	dateWithZone     = "2006-01-02Z07:00"              // RFC3339 with time at 00:00:00
+	dateLocal        = "2006-01-02"                    // RFC3339 with local timezone and time at 00:00:00
+)
+
+// GetTimestamp tries to parse given string as golang duration,
+// then RFC3339 time and finally as a Unix timestamp. If
+// any of these were successful, it returns a Unix timestamp
+// as string otherwise returns the given value back.
+// In case of duration input, the returned timestamp is computed
+// as the given reference time minus the amount of the duration.
+func GetTimestamp(value string, reference time.Time) (string, error) {
+	if d, err := time.ParseDuration(value); value != "0" && err == nil {
+		return strconv.FormatInt(reference.Add(-d).Unix(), 10), nil
+	}
+
+	var format string
+	// if the string has a Z or a + or three dashes use parse otherwise use parseinlocation
+	parseInLocation := !(strings.ContainsAny(value, "zZ+") || strings.Count(value, "-") == 3)
+
+	if strings.Contains(value, ".") {
+		if parseInLocation {
+			format = rFC3339NanoLocal
+		} else {
+			format = time.RFC3339Nano
+		}
+	} else if strings.Contains(value, "T") {
+		// we want the number of colons in the T portion of the timestamp
+		tcolons := strings.Count(value, ":")
+		// if parseInLocation is off and we have a +/- zone offset (not Z) then
+		// there will be an extra colon in the input for the tz offset subtract that
+		// colon from the tcolons count
+		if !parseInLocation && !strings.ContainsAny(value, "zZ") && tcolons > 0 {
+			tcolons--
+		}
+		if parseInLocation {
+			switch tcolons {
+			case 0:
+				format = "2006-01-02T15"
+			case 1:
+				format = "2006-01-02T15:04"
+			default:
+				format = rFC3339Local
+			}
+		} else {
+			switch tcolons {
+			case 0:
+				format = "2006-01-02T15Z07:00"
+			case 1:
+				format = "2006-01-02T15:04Z07:00"
+			default:
+				format = time.RFC3339
+			}
+		}
+	} else if parseInLocation {
+		format = dateLocal
+	} else {
+		format = dateWithZone
+	}
+
+	var t time.Time
+	var err error
+
+	if parseInLocation {
+		t, err = time.ParseInLocation(format, value, time.FixedZone(reference.Zone()))
+	} else {
+		t, err = time.Parse(format, value)
+	}
+
+	if err != nil {
+		// if there is a `-` then it's an RFC3339 like timestamp
+		if strings.Contains(value, "-") {
+			return "", err // was probably an RFC3339 like timestamp but the parser failed with an error
+		}
+		if _, _, err := parseTimestamp(value); err != nil {
+			return "", fmt.Errorf("failed to parse value as time or duration: %q", value)
+		}
+		return value, nil // unix timestamp in and out case (meaning: the value passed at the command line is already in the right format for passing to the server)
+	}
+
+	return fmt.Sprintf("%d.%09d", t.Unix(), int64(t.Nanosecond())), nil
+}
+
+// ParseTimestamps returns seconds and nanoseconds from a timestamp that has the
+// format "%d.%09d", time.Unix(), int64(time.Nanosecond()))
+// if the incoming nanosecond portion is longer or shorter than 9 digits it is
+// converted to nanoseconds.  The expectation is that the seconds and
+// seconds will be used to create a time variable.  For example:
+//     seconds, nanoseconds, err := ParseTimestamp("1136073600.000000001",0)
+//     if err == nil since := time.Unix(seconds, nanoseconds)
+// returns seconds as def(aultSeconds) if value == ""
+func ParseTimestamps(value string, def int64) (int64, int64, error) {
+	if value == "" {
+		return def, 0, nil
+	}
+	return parseTimestamp(value)
+}
+
+func parseTimestamp(value string) (int64, int64, error) {
+	sa := strings.SplitN(value, ".", 2)
+	s, err := strconv.ParseInt(sa[0], 10, 64)
+	if err != nil {
+		return s, 0, err
+	}
+	if len(sa) != 2 {
+		return s, 0, nil
+	}
+	n, err := strconv.ParseInt(sa[1], 10, 64)
+	if err != nil {
+		return s, n, err
+	}
+	// should already be in nanoseconds but just in case convert n to nanoseconds
+	n = int64(float64(n) * math.Pow(float64(10), float64(9-len(sa[1]))))
+	return s, n, nil
+}
diff --git a/engine/api/types/time/timestamp_test.go b/engine/api/types/time/timestamp_test.go
new file mode 100644
index 00000000..2535d895
--- /dev/null
+++ b/engine/api/types/time/timestamp_test.go
@@ -0,0 +1,93 @@
+package time // import "github.com/docker/docker/api/types/time"
+
+import (
+	"fmt"
+	"testing"
+	"time"
+)
+
+func TestGetTimestamp(t *testing.T) {
+	now := time.Now().In(time.UTC)
+	cases := []struct {
+		in, expected string
+		expectedErr  bool
+	}{
+		// Partial RFC3339 strings get parsed with second precision
+		{"2006-01-02T15:04:05.999999999+07:00", "1136189045.999999999", false},
+		{"2006-01-02T15:04:05.999999999Z", "1136214245.999999999", false},
+		{"2006-01-02T15:04:05.999999999", "1136214245.999999999", false},
+		{"2006-01-02T15:04:05Z", "1136214245.000000000", false},
+		{"2006-01-02T15:04:05", "1136214245.000000000", false},
+		{"2006-01-02T15:04:0Z", "", true},
+		{"2006-01-02T15:04:0", "", true},
+		{"2006-01-02T15:04Z", "1136214240.000000000", false},
+		{"2006-01-02T15:04+00:00", "1136214240.000000000", false},
+		{"2006-01-02T15:04-00:00", "1136214240.000000000", false},
+		{"2006-01-02T15:04", "1136214240.000000000", false},
+		{"2006-01-02T15:0Z", "", true},
+		{"2006-01-02T15:0", "", true},
+		{"2006-01-02T15Z", "1136214000.000000000", false},
+		{"2006-01-02T15+00:00", "1136214000.000000000", false},
+		{"2006-01-02T15-00:00", "1136214000.000000000", false},
+		{"2006-01-02T15", "1136214000.000000000", false},
+		{"2006-01-02T1Z", "1136163600.000000000", false},
+		{"2006-01-02T1", "1136163600.000000000", false},
+		{"2006-01-02TZ", "", true},
+		{"2006-01-02T", "", true},
+		{"2006-01-02+00:00", "1136160000.000000000", false},
+		{"2006-01-02-00:00", "1136160000.000000000", false},
+		{"2006-01-02-00:01", "1136160060.000000000", false},
+		{"2006-01-02Z", "1136160000.000000000", false},
+		{"2006-01-02", "1136160000.000000000", false},
+		{"2015-05-13T20:39:09Z", "1431549549.000000000", false},
+
+		// unix timestamps returned as is
+		{"1136073600", "1136073600", false},
+		{"1136073600.000000001", "1136073600.000000001", false},
+		// Durations
+		{"1m", fmt.Sprintf("%d", now.Add(-1*time.Minute).Unix()), false},
+		{"1.5h", fmt.Sprintf("%d", now.Add(-90*time.Minute).Unix()), false},
+		{"1h30m", fmt.Sprintf("%d", now.Add(-90*time.Minute).Unix()), false},
+
+		{"invalid", "", true},
+		{"", "", true},
+	}
+
+	for _, c := range cases {
+		o, err := GetTimestamp(c.in, now)
+		if o != c.expected ||
+			(err == nil && c.expectedErr) ||
+			(err != nil && !c.expectedErr) {
+			t.Errorf("wrong value for '%s'. expected:'%s' got:'%s' with error: `%s`", c.in, c.expected, o, err)
+			t.Fail()
+		}
+	}
+}
+
+func TestParseTimestamps(t *testing.T) {
+	cases := []struct {
+		in                        string
+		def, expectedS, expectedN int64
+		expectedErr               bool
+	}{
+		// unix timestamps
+		{"1136073600", 0, 1136073600, 0, false},
+		{"1136073600.000000001", 0, 1136073600, 1, false},
+		{"1136073600.0000000010", 0, 1136073600, 1, false},
+		{"1136073600.00000001", 0, 1136073600, 10, false},
+		{"foo.bar", 0, 0, 0, true},
+		{"1136073600.bar", 0, 1136073600, 0, true},
+		{"", -1, -1, 0, false},
+	}
+
+	for _, c := range cases {
+		s, n, err := ParseTimestamps(c.in, c.def)
+		if s != c.expectedS ||
+			n != c.expectedN ||
+			(err == nil && c.expectedErr) ||
+			(err != nil && !c.expectedErr) {
+			t.Errorf("wrong values for input `%s` with default `%d` expected:'%d'seconds and `%d`nanosecond got:'%d'seconds and `%d`nanoseconds with error: `%s`", c.in, c.def, c.expectedS, c.expectedN, s, n, err)
+			t.Fail()
+		}
+	}
+}
diff --git a/engine/api/types/types.go b/engine/api/types/types.go
new file mode 100644
index 00000000..06c0ca3a
--- /dev/null
+++ b/engine/api/types/types.go
@@ -0,0 +1,602 @@
+package types // import "github.com/docker/docker/api/types"
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/go-connections/nat"
+)
+
+// RootFS returns Image's RootFS description including the layer IDs.
+type RootFS struct {
+	Type      string
+	Layers    []string `json:",omitempty"`
+	BaseLayer string   `json:",omitempty"`
+}
+
+// ImageInspect contains response of Engine API:
+// GET "/images/{name:.*}/json"
+type ImageInspect struct {
+	ID              string `json:"Id"`
+	RepoTags        []string
+	RepoDigests     []string
+	Parent          string
+	Comment         string
+	Created         string
+	Container       string
+	ContainerConfig *container.Config
+	DockerVersion   string
+	Author          string
+	Config          *container.Config
+	Architecture    string
+	Os              string
+	OsVersion       string `json:",omitempty"`
+	Size            int64
+	VirtualSize     int64
+	GraphDriver     GraphDriverData
+	RootFS          RootFS
+	Metadata        ImageMetadata
+}
+
+// ImageMetadata contains engine-local data about the image
+type ImageMetadata struct {
+	LastTagTime time.Time `json:",omitempty"`
+}
+
+// Container contains response of Engine API:
+// GET "/containers/json"
+type Container struct {
+	ID         string `json:"Id"`
+	Names      []string
+	Image      string
+	ImageID    string
+	Command    string
+	Created    int64
+	Ports      []Port
+	SizeRw     int64 `json:",omitempty"`
+	SizeRootFs int64 `json:",omitempty"`
+	Labels     map[string]string
+	State      string
+	Status     string
+	HostConfig struct {
+		NetworkMode string `json:",omitempty"`
+	}
+	NetworkSettings *SummaryNetworkSettings
+	Mounts          []MountPoint
+}
+
+// CopyConfig contains request body of Engine API:
+// POST "/containers/"+containerID+"/copy"
+type CopyConfig struct {
+	Resource string
+}
+
+// ContainerPathStat is used to encode the header from
+// GET "/containers/{name:.*}/archive"
+// "Name" is the file or directory name.
+type ContainerPathStat struct {
+	Name       string      `json:"name"`
+	Size       int64       `json:"size"`
+	Mode       os.FileMode `json:"mode"`
+	Mtime      time.Time   `json:"mtime"`
+	LinkTarget string      `json:"linkTarget"`
+}
+
+// ContainerStats contains response of Engine API:
+// GET "/stats"
+type ContainerStats struct {
+	Body   io.ReadCloser `json:"body"`
+	OSType string        `json:"ostype"`
+}
+
+// Ping contains response of Engine API:
+// GET "/_ping"
+type Ping struct {
+	APIVersion   string
+	OSType       string
+	Experimental bool
+}
+
+// ComponentVersion describes the version information for a specific component.
+type ComponentVersion struct {
+	Name    string
+	Version string
+	Details map[string]string `json:",omitempty"`
+}
+
+// Version contains response of Engine API:
+// GET "/version"
+type Version struct {
+	Platform   struct{ Name string } `json:",omitempty"`
+	Components []ComponentVersion    `json:",omitempty"`
+
+	// The following fields are deprecated, they relate to the Engine component and are kept for backwards compatibility
+
+	Version       string
+	APIVersion    string `json:"ApiVersion"`
+	MinAPIVersion string `json:"MinAPIVersion,omitempty"`
+	GitCommit     string
+	GoVersion     string
+	Os            string
+	Arch          string
+	KernelVersion string `json:",omitempty"`
+	Experimental  bool   `json:",omitempty"`
+	BuildTime     string `json:",omitempty"`
+}
+
+// Commit holds the Git-commit (SHA1) that a binary was built from, as reported
+// in the version-string of external tools, such as containerd, or runC.
+type Commit struct {
+	ID       string // ID is the actual commit ID of external tool.
+	Expected string // Expected is the commit ID of external tool expected by dockerd as set at build time.
+}
+
+// Info contains response of Engine API:
+// GET "/info"
+type Info struct {
+	ID                 string
+	Containers         int
+	ContainersRunning  int
+	ContainersPaused   int
+	ContainersStopped  int
+	Images             int
+	Driver             string
+	DriverStatus       [][2]string
+	SystemStatus       [][2]string
+	Plugins            PluginsInfo
+	MemoryLimit        bool
+	SwapLimit          bool
+	KernelMemory       bool
+	CPUCfsPeriod       bool `json:"CpuCfsPeriod"`
+	CPUCfsQuota        bool `json:"CpuCfsQuota"`
+	CPUShares          bool
+	CPUSet             bool
+	IPv4Forwarding     bool
+	BridgeNfIptables   bool
+	BridgeNfIP6tables  bool `json:"BridgeNfIp6tables"`
+	Debug              bool
+	NFd                int
+	OomKillDisable     bool
+	NGoroutines        int
+	SystemTime         string
+	LoggingDriver      string
+	CgroupDriver       string
+	NEventsListener    int
+	KernelVersion      string
+	OperatingSystem    string
+	OSType             string
+	Architecture       string
+	IndexServerAddress string
+	RegistryConfig     *registry.ServiceConfig
+	NCPU               int
+	MemTotal           int64
+	GenericResources   []swarm.GenericResource
+	DockerRootDir      string
+	HTTPProxy          string `json:"HttpProxy"`
+	HTTPSProxy         string `json:"HttpsProxy"`
+	NoProxy            string
+	Name               string
+	Labels             []string
+	ExperimentalBuild  bool
+	ServerVersion      string
+	ClusterStore       string
+	ClusterAdvertise   string
+	Runtimes           map[string]Runtime
+	DefaultRuntime     string
+	Swarm              swarm.Info
+	// LiveRestoreEnabled determines whether containers should be kept
+	// running when the daemon is shutdown or upon daemon start if
+	// running containers are detected
+	LiveRestoreEnabled bool
+	Isolation          container.Isolation
+	InitBinary         string
+	ContainerdCommit   Commit
+	RuncCommit         Commit
+	InitCommit         Commit
+	SecurityOptions    []string
+}
+
+// KeyValue holds a key/value pair
+type KeyValue struct {
+	Key, Value string
+}
+
+// SecurityOpt contains the name and options of a security option
+type SecurityOpt struct {
+	Name    string
+	Options []KeyValue
+}
+
+// DecodeSecurityOptions decodes a security options string slice to a type safe
+// SecurityOpt
+func DecodeSecurityOptions(opts []string) ([]SecurityOpt, error) {
+	so := []SecurityOpt{}
+	for _, opt := range opts {
+		// support output from a < 1.13 docker daemon
+		if !strings.Contains(opt, "=") {
+			so = append(so, SecurityOpt{Name: opt})
+			continue
+		}
+		secopt := SecurityOpt{}
+		split := strings.Split(opt, ",")
+		for _, s := range split {
+			kv := strings.SplitN(s, "=", 2)
+			if len(kv) != 2 {
+				return nil, fmt.Errorf("invalid security option %q", s)
+			}
+			if kv[0] == "" || kv[1] == "" {
+				return nil, errors.New("invalid empty security option")
+			}
+			if kv[0] == "name" {
+				secopt.Name = kv[1]
+				continue
+			}
+			secopt.Options = append(secopt.Options, KeyValue{Key: kv[0], Value: kv[1]})
+		}
+		so = append(so, secopt)
+	}
+	return so, nil
+}
+
+// PluginsInfo is a temp struct holding Plugins name
+// registered with docker daemon. It is used by Info struct
+type PluginsInfo struct {
+	// List of Volume plugins registered
+	Volume []string
+	// List of Network plugins registered
+	Network []string
+	// List of Authorization plugins registered
+	Authorization []string
+	// List of Log plugins registered
+	Log []string
+}
+
+// ExecStartCheck is a temp struct used by execStart
+// Config fields is part of ExecConfig in runconfig package
+type ExecStartCheck struct {
+	// ExecStart will first check if it's detached
+	Detach bool
+	// Check if there's a tty
+	Tty bool
+}
+
+// HealthcheckResult stores information about a single run of a healthcheck probe
+type HealthcheckResult struct {
+	Start    time.Time // Start is the time this check started
+	End      time.Time // End is the time this check ended
+	ExitCode int       // ExitCode meanings: 0=healthy, 1=unhealthy, 2=reserved (considered unhealthy), else=error running probe
+	Output   string    // Output from last check
+}
+
+// Health states
+const (
+	NoHealthcheck = "none"      // Indicates there is no healthcheck
+	Starting      = "starting"  // Starting indicates that the container is not yet ready
+	Healthy       = "healthy"   // Healthy indicates that the container is running correctly
+	Unhealthy     = "unhealthy" // Unhealthy indicates that the container has a problem
+)
+
+// Health stores information about the container's healthcheck results
+type Health struct {
+	Status        string               // Status is one of Starting, Healthy or Unhealthy
+	FailingStreak int                  // FailingStreak is the number of consecutive failures
+	Log           []*HealthcheckResult // Log contains the last few results (oldest first)
+}
+
+// ContainerState stores container's running state
+// it's part of ContainerJSONBase and will return by "inspect" command
+type ContainerState struct {
+	Status     string // String representation of the container state. Can be one of "created", "running", "paused", "restarting", "removing", "exited", or "dead"
+	Running    bool
+	Paused     bool
+	Restarting bool
+	OOMKilled  bool
+	Dead       bool
+	Pid        int
+	ExitCode   int
+	Error      string
+	StartedAt  string
+	FinishedAt string
+	Health     *Health `json:",omitempty"`
+}
+
+// ContainerNode stores information about the node that a container
+// is running on.  It's only available in Docker Swarm
+type ContainerNode struct {
+	ID        string
+	IPAddress string `json:"IP"`
+	Addr      string
+	Name      string
+	Cpus      int
+	Memory    int64
+	Labels    map[string]string
+}
+
+// ContainerJSONBase contains response of Engine API:
+// GET "/containers/{name:.*}/json"
+type ContainerJSONBase struct {
+	ID              string `json:"Id"`
+	Created         string
+	Path            string
+	Args            []string
+	State           *ContainerState
+	Image           string
+	ResolvConfPath  string
+	HostnamePath    string
+	HostsPath       string
+	LogPath         string
+	Node            *ContainerNode `json:",omitempty"`
+	Name            string
+	RestartCount    int
+	Driver          string
+	Platform        string
+	MountLabel      string
+	ProcessLabel    string
+	AppArmorProfile string
+	ExecIDs         []string
+	HostConfig      *container.HostConfig
+	GraphDriver     GraphDriverData
+	SizeRw          *int64 `json:",omitempty"`
+	SizeRootFs      *int64 `json:",omitempty"`
+}
+
+// ContainerJSON is newly used struct along with MountPoint
+type ContainerJSON struct {
+	*ContainerJSONBase
+	Mounts          []MountPoint
+	Config          *container.Config
+	NetworkSettings *NetworkSettings
+}
+
+// NetworkSettings exposes the network settings in the api
+type NetworkSettings struct {
+	NetworkSettingsBase
+	DefaultNetworkSettings
+	Networks map[string]*network.EndpointSettings
+}
+
+// SummaryNetworkSettings provides a summary of container's networks
+// in /containers/json
+type SummaryNetworkSettings struct {
+	Networks map[string]*network.EndpointSettings
+}
+
+// NetworkSettingsBase holds basic information about networks
+type NetworkSettingsBase struct {
+	Bridge                 string      // Bridge is the Bridge name the network uses(e.g. `docker0`)
+	SandboxID              string      // SandboxID uniquely represents a container's network stack
+	HairpinMode            bool        // HairpinMode specifies if hairpin NAT should be enabled on the virtual interface
+	LinkLocalIPv6Address   string      // LinkLocalIPv6Address is an IPv6 unicast address using the link-local prefix
+	LinkLocalIPv6PrefixLen int         // LinkLocalIPv6PrefixLen is the prefix length of an IPv6 unicast address
+	Ports                  nat.PortMap // Ports is a collection of PortBinding indexed by Port
+	SandboxKey             string      // SandboxKey identifies the sandbox
+	SecondaryIPAddresses   []network.Address
+	SecondaryIPv6Addresses []network.Address
+}
+
+// DefaultNetworkSettings holds network information
+// during the 2 release deprecation period.
+// It will be removed in Docker 1.11.
+type DefaultNetworkSettings struct {
+	EndpointID          string // EndpointID uniquely represents a service endpoint in a Sandbox
+	Gateway             string // Gateway holds the gateway address for the network
+	GlobalIPv6Address   string // GlobalIPv6Address holds network's global IPv6 address
+	GlobalIPv6PrefixLen int    // GlobalIPv6PrefixLen represents mask length of network's global IPv6 address
+	IPAddress           string // IPAddress holds the IPv4 address for the network
+	IPPrefixLen         int    // IPPrefixLen represents mask length of network's IPv4 address
+	IPv6Gateway         string // IPv6Gateway holds gateway address specific for IPv6
+	MacAddress          string // MacAddress holds the MAC address for the network
+}
+
+// MountPoint represents a mount point configuration inside the container.
+// This is used for reporting the mountpoints in use by a container.
+type MountPoint struct {
+	Type        mount.Type `json:",omitempty"`
+	Name        string     `json:",omitempty"`
+	Source      string
+	Destination string
+	Driver      string `json:",omitempty"`
+	Mode        string
+	RW          bool
+	Propagation mount.Propagation
+}
+
+// NetworkResource is the body of the "get network" http response message
+type NetworkResource struct {
+	Name       string                         // Name is the requested name of the network
+	ID         string                         `json:"Id"` // ID uniquely identifies a network on a single machine
+	Created    time.Time                      // Created is the time the network created
+	Scope      string                         // Scope describes the level at which the network exists (e.g. `swarm` for cluster-wide or `local` for machine level)
+	Driver     string                         // Driver is the Driver name used to create the network (e.g. `bridge`, `overlay`)
+	EnableIPv6 bool                           // EnableIPv6 represents whether to enable IPv6
+	IPAM       network.IPAM                   // IPAM is the network's IP Address Management
+	Internal   bool                           // Internal represents if the network is used internal only
+	Attachable bool                           // Attachable represents if the global scope is manually attachable by regular containers from workers in swarm mode.
+	Ingress    bool                           // Ingress indicates the network is providing the routing-mesh for the swarm cluster.
+	ConfigFrom network.ConfigReference        // ConfigFrom specifies the source which will provide the configuration for this network.
+	ConfigOnly bool                           // ConfigOnly networks are place-holder networks for network configurations to be used by other networks. ConfigOnly networks cannot be used directly to run containers or services.
+	Containers map[string]EndpointResource    // Containers contains endpoints belonging to the network
+	Options    map[string]string              // Options holds the network specific options to use for when creating the network
+	Labels     map[string]string              // Labels holds metadata specific to the network being created
+	Peers      []network.PeerInfo             `json:",omitempty"` // List of peer nodes for an overlay network
+	Services   map[string]network.ServiceInfo `json:",omitempty"`
+}
+
+// EndpointResource contains network resources allocated and used for a container in a network
+type EndpointResource struct {
+	Name        string
+	EndpointID  string
+	MacAddress  string
+	IPv4Address string
+	IPv6Address string
+}
+
+// NetworkCreate is the expected body of the "create network" http request message
+type NetworkCreate struct {
+	// Check for networks with duplicate names.
+	// Network is primarily keyed based on a random ID and not on the name.
+	// Network name is strictly a user-friendly alias to the network
+	// which is uniquely identified using ID.
+	// And there is no guaranteed way to check for duplicates.
+	// Option CheckDuplicate is there to provide a best effort checking of any networks
+	// which has the same name but it is not guaranteed to catch all name collisions.
+	CheckDuplicate bool
+	Driver         string
+	Scope          string
+	EnableIPv6     bool
+	IPAM           *network.IPAM
+	Internal       bool
+	Attachable     bool
+	Ingress        bool
+	ConfigOnly     bool
+	ConfigFrom     *network.ConfigReference
+	Options        map[string]string
+	Labels         map[string]string
+}
+
+// NetworkCreateRequest is the request message sent to the server for network create call.
+type NetworkCreateRequest struct {
+	NetworkCreate
+	Name string
+}
+
+// NetworkCreateResponse is the response message sent by the server for network create call
+type NetworkCreateResponse struct {
+	ID      string `json:"Id"`
+	Warning string
+}
+
+// NetworkConnect represents the data to be used to connect a container to the network
+type NetworkConnect struct {
+	Container      string
+	EndpointConfig *network.EndpointSettings `json:",omitempty"`
+}
+
+// NetworkDisconnect represents the data to be used to disconnect a container from the network
+type NetworkDisconnect struct {
+	Container string
+	Force     bool
+}
+
+// NetworkInspectOptions holds parameters to inspect network
+type NetworkInspectOptions struct {
+	Scope   string
+	Verbose bool
+}
+
+// Checkpoint represents the details of a checkpoint
+type Checkpoint struct {
+	Name string // Name is the name of the checkpoint
+}
+
+// Runtime describes an OCI runtime
+type Runtime struct {
+	Path string   `json:"path"`
+	Args []string `json:"runtimeArgs,omitempty"`
+}
+
+// DiskUsage contains response of Engine API:
+// GET "/system/df"
+type DiskUsage struct {
+	LayersSize  int64
+	Images      []*ImageSummary
+	Containers  []*Container
+	Volumes     []*Volume
+	BuildCache  []*BuildCache
+	BuilderSize int64 // deprecated
+}
+
+// ContainersPruneReport contains the response for Engine API:
+// POST "/containers/prune"
+type ContainersPruneReport struct {
+	ContainersDeleted []string
+	SpaceReclaimed    uint64
+}
+
+// VolumesPruneReport contains the response for Engine API:
+// POST "/volumes/prune"
+type VolumesPruneReport struct {
+	VolumesDeleted []string
+	SpaceReclaimed uint64
+}
+
+// ImagesPruneReport contains the response for Engine API:
+// POST "/images/prune"
+type ImagesPruneReport struct {
+	ImagesDeleted  []ImageDeleteResponseItem
+	SpaceReclaimed uint64
+}
+
+// BuildCachePruneReport contains the response for Engine API:
+// POST "/build/prune"
+type BuildCachePruneReport struct {
+	SpaceReclaimed uint64
+}
+
+// NetworksPruneReport contains the response for Engine API:
+// POST "/networks/prune"
+type NetworksPruneReport struct {
+	NetworksDeleted []string
+}
+
+// SecretCreateResponse contains the information returned to a client
+// on the creation of a new secret.
+type SecretCreateResponse struct {
+	// ID is the id of the created secret.
+	ID string
+}
+
+// SecretListOptions holds parameters to list secrets
+type SecretListOptions struct {
+	Filters filters.Args
+}
+
+// ConfigCreateResponse contains the information returned to a client
+// on the creation of a new config.
+type ConfigCreateResponse struct {
+	// ID is the id of the created config.
+	ID string
+}
+
+// ConfigListOptions holds parameters to list configs
+type ConfigListOptions struct {
+	Filters filters.Args
+}
+
+// PushResult contains the tag, manifest digest, and manifest size from the
+// push. It's used to signal this information to the trust code in the client
+// so it can sign the manifest if necessary.
+type PushResult struct {
+	Tag    string
+	Digest string
+	Size   int
+}
+
+// BuildResult contains the image id of a successful build
+type BuildResult struct {
+	ID string
+}
+
+// BuildCache contains information about a build cache record
+type BuildCache struct {
+	ID      string
+	Mutable bool
+	InUse   bool
+	Size    int64
+
+	CreatedAt   time.Time
+	LastUsedAt  *time.Time
+	UsageCount  int
+	Parent      string
+	Description string
+}
diff --git a/engine/api/types/versions/README.md b/engine/api/types/versions/README.md
new file mode 100644
index 00000000..1ef911ed
--- /dev/null
+++ b/engine/api/types/versions/README.md
@@ -0,0 +1,14 @@
+# Legacy API type versions
+
+This package includes types for legacy API versions. The stable version of the API types live in `api/types/*.go`.
+
+Consider moving a type here when you need to keep backwards compatibility in the API. This legacy types are organized by the latest API version they appear in. For instance, types in the `v1p19` package are valid for API versions below or equal `1.19`. Types in the `v1p20` package are valid for the API version `1.20`, since the versions below that will use the legacy types in `v1p19`.
+
+## Package name conventions
+
+The package name convention is to use `v` as a prefix for the version number and `p`(patch) as a separator. We use this nomenclature due to a few restrictions in the Go package name convention:
+
+1. We cannot use `.` because it's interpreted by the language, think of `v1.20.CallFunction`.
+2. We cannot use `_` because golint complains about it. The code is actually valid, but it looks probably more weird: `v1_20.CallFunction`.
+
+For instance, if you want to modify a type that was available in the version `1.21` of the API but it will have different fields in the version `1.22`, you want to create a new package under `api/types/versions/v1p21`.
diff --git a/engine/api/types/versions/compare.go b/engine/api/types/versions/compare.go
new file mode 100644
index 00000000..8ccb0aa9
--- /dev/null
+++ b/engine/api/types/versions/compare.go
@@ -0,0 +1,62 @@
+package versions // import "github.com/docker/docker/api/types/versions"
+
+import (
+	"strconv"
+	"strings"
+)
+
+// compare compares two version strings
+// returns -1 if v1 < v2, 1 if v1 > v2, 0 otherwise.
+func compare(v1, v2 string) int {
+	var (
+		currTab  = strings.Split(v1, ".")
+		otherTab = strings.Split(v2, ".")
+	)
+
+	max := len(currTab)
+	if len(otherTab) > max {
+		max = len(otherTab)
+	}
+	for i := 0; i < max; i++ {
+		var currInt, otherInt int
+
+		if len(currTab) > i {
+			currInt, _ = strconv.Atoi(currTab[i])
+		}
+		if len(otherTab) > i {
+			otherInt, _ = strconv.Atoi(otherTab[i])
+		}
+		if currInt > otherInt {
+			return 1
+		}
+		if otherInt > currInt {
+			return -1
+		}
+	}
+	return 0
+}
+
+// LessThan checks if a version is less than another
+func LessThan(v, other string) bool {
+	return compare(v, other) == -1
+}
+
+// LessThanOrEqualTo checks if a version is less than or equal to another
+func LessThanOrEqualTo(v, other string) bool {
+	return compare(v, other) <= 0
+}
+
+// GreaterThan checks if a version is greater than another
+func GreaterThan(v, other string) bool {
+	return compare(v, other) == 1
+}
+
+// GreaterThanOrEqualTo checks if a version is greater than or equal to another
+func GreaterThanOrEqualTo(v, other string) bool {
+	return compare(v, other) >= 0
+}
+
+// Equal checks if a version is equal to another
+func Equal(v, other string) bool {
+	return compare(v, other) == 0
+}
diff --git a/engine/api/types/versions/compare_test.go b/engine/api/types/versions/compare_test.go
new file mode 100644
index 00000000..185e37c1
--- /dev/null
+++ b/engine/api/types/versions/compare_test.go
@@ -0,0 +1,26 @@
+package versions // import "github.com/docker/docker/api/types/versions"
+
+import (
+	"testing"
+)
+
+func assertVersion(t *testing.T, a, b string, result int) {
+	if r := compare(a, b); r != result {
+		t.Fatalf("Unexpected version comparison result. Found %d, expected %d", r, result)
+	}
+}
+
+func TestCompareVersion(t *testing.T) {
+	assertVersion(t, "1.12", "1.12", 0)
+	assertVersion(t, "1.0.0", "1", 0)
+	assertVersion(t, "1", "1.0.0", 0)
+	assertVersion(t, "1.05.00.0156", "1.0.221.9289", 1)
+	assertVersion(t, "1", "1.0.1", -1)
+	assertVersion(t, "1.0.1", "1", 1)
+	assertVersion(t, "1.0.1", "1.0.2", -1)
+	assertVersion(t, "1.0.2", "1.0.3", -1)
+	assertVersion(t, "1.0.3", "1.1", -1)
+	assertVersion(t, "1.1", "1.1.1", -1)
+	assertVersion(t, "1.1.1", "1.1.2", -1)
+	assertVersion(t, "1.1.2", "1.2", -1)
+}
diff --git a/engine/api/types/versions/v1p19/types.go b/engine/api/types/versions/v1p19/types.go
new file mode 100644
index 00000000..58afe32d
--- /dev/null
+++ b/engine/api/types/versions/v1p19/types.go
@@ -0,0 +1,35 @@
+// Package v1p19 provides specific API types for the API version 1, patch 19.
+package v1p19 // import "github.com/docker/docker/api/types/versions/v1p19"
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/versions/v1p20"
+	"github.com/docker/go-connections/nat"
+)
+
+// ContainerJSON is a backcompatibility struct for APIs prior to 1.20.
+// Note this is not used by the Windows daemon.
+type ContainerJSON struct {
+	*types.ContainerJSONBase
+	Volumes         map[string]string
+	VolumesRW       map[string]bool
+	Config          *ContainerConfig
+	NetworkSettings *v1p20.NetworkSettings
+}
+
+// ContainerConfig is a backcompatibility struct for APIs prior to 1.20.
+type ContainerConfig struct {
+	*container.Config
+
+	MacAddress      string
+	NetworkDisabled bool
+	ExposedPorts    map[nat.Port]struct{}
+
+	// backward compatibility, they now live in HostConfig
+	VolumeDriver string
+	Memory       int64
+	MemorySwap   int64
+	CPUShares    int64  `json:"CpuShares"`
+	CPUSet       string `json:"Cpuset"`
+}
diff --git a/engine/api/types/versions/v1p20/types.go b/engine/api/types/versions/v1p20/types.go
new file mode 100644
index 00000000..cc7277b1
--- /dev/null
+++ b/engine/api/types/versions/v1p20/types.go
@@ -0,0 +1,40 @@
+// Package v1p20 provides specific API types for the API version 1, patch 20.
+package v1p20 // import "github.com/docker/docker/api/types/versions/v1p20"
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/go-connections/nat"
+)
+
+// ContainerJSON is a backcompatibility struct for the API 1.20
+type ContainerJSON struct {
+	*types.ContainerJSONBase
+	Mounts          []types.MountPoint
+	Config          *ContainerConfig
+	NetworkSettings *NetworkSettings
+}
+
+// ContainerConfig is a backcompatibility struct used in ContainerJSON for the API 1.20
+type ContainerConfig struct {
+	*container.Config
+
+	MacAddress      string
+	NetworkDisabled bool
+	ExposedPorts    map[nat.Port]struct{}
+
+	// backward compatibility, they now live in HostConfig
+	VolumeDriver string
+}
+
+// StatsJSON is a backcompatibility struct used in Stats for APIs prior to 1.21
+type StatsJSON struct {
+	types.Stats
+	Network types.NetworkStats `json:"network,omitempty"`
+}
+
+// NetworkSettings is a backward compatible struct for APIs prior to 1.21
+type NetworkSettings struct {
+	types.NetworkSettingsBase
+	types.DefaultNetworkSettings
+}
diff --git a/engine/api/types/volume.go b/engine/api/types/volume.go
new file mode 100644
index 00000000..b5ee96a5
--- /dev/null
+++ b/engine/api/types/volume.go
@@ -0,0 +1,69 @@
+package types
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+// Volume volume
+// swagger:model Volume
+type Volume struct {
+
+	// Date/Time the volume was created.
+	CreatedAt string `json:"CreatedAt,omitempty"`
+
+	// Name of the volume driver used by the volume.
+	// Required: true
+	Driver string `json:"Driver"`
+
+	// User-defined key/value metadata.
+	// Required: true
+	Labels map[string]string `json:"Labels"`
+
+	// Mount path of the volume on the host.
+	// Required: true
+	Mountpoint string `json:"Mountpoint"`
+
+	// Name of the volume.
+	// Required: true
+	Name string `json:"Name"`
+
+	// The driver specific options used when creating the volume.
+	// Required: true
+	Options map[string]string `json:"Options"`
+
+	// The level at which the volume exists. Either `global` for cluster-wide, or `local` for machine level.
+	// Required: true
+	Scope string `json:"Scope"`
+
+	// Low-level details about the volume, provided by the volume driver.
+	// Details are returned as a map with key/value pairs:
+	// `{"key":"value","key2":"value2"}`.
+	//
+	// The `Status` field is optional, and is omitted if the volume driver
+	// does not support this feature.
+	//
+	Status map[string]interface{} `json:"Status,omitempty"`
+
+	// usage data
+	UsageData *VolumeUsageData `json:"UsageData,omitempty"`
+}
+
+// VolumeUsageData Usage details about the volume. This information is used by the
+// `GET /system/df` endpoint, and omitted in other endpoints.
+//
+// swagger:model VolumeUsageData
+type VolumeUsageData struct {
+
+	// The number of containers referencing this volume. This field
+	// is set to `-1` if the reference-count is not available.
+	//
+	// Required: true
+	RefCount int64 `json:"RefCount"`
+
+	// Amount of disk space used by the volume (in bytes). This information
+	// is only available for volumes created with the `"local"` volume
+	// driver. For volumes created with other volume drivers, this field
+	// is set to `-1` ("not available")
+	//
+	// Required: true
+	Size int64 `json:"Size"`
+}
diff --git a/engine/api/types/volume/volume_create.go b/engine/api/types/volume/volume_create.go
new file mode 100644
index 00000000..539e9b97
--- /dev/null
+++ b/engine/api/types/volume/volume_create.go
@@ -0,0 +1,29 @@
+package volume
+
+// ----------------------------------------------------------------------------
+// DO NOT EDIT THIS FILE
+// This file was generated by `swagger generate operation`
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+// VolumeCreateBody
+// swagger:model VolumeCreateBody
+type VolumeCreateBody struct {
+
+	// Name of the volume driver to use.
+	// Required: true
+	Driver string `json:"Driver"`
+
+	// A mapping of driver options and values. These options are passed directly to the driver and are driver specific.
+	// Required: true
+	DriverOpts map[string]string `json:"DriverOpts"`
+
+	// User-defined key/value metadata.
+	// Required: true
+	Labels map[string]string `json:"Labels"`
+
+	// The new volume's name. If not specified, Docker generates a name.
+	// Required: true
+	Name string `json:"Name"`
+}
diff --git a/engine/api/types/volume/volume_list.go b/engine/api/types/volume/volume_list.go
new file mode 100644
index 00000000..1bb279db
--- /dev/null
+++ b/engine/api/types/volume/volume_list.go
@@ -0,0 +1,23 @@
+package volume
+
+// ----------------------------------------------------------------------------
+// DO NOT EDIT THIS FILE
+// This file was generated by `swagger generate operation`
+//
+// See hack/generate-swagger-api.sh
+// ----------------------------------------------------------------------------
+
+import "github.com/docker/docker/api/types"
+
+// VolumeListOKBody
+// swagger:model VolumeListOKBody
+type VolumeListOKBody struct {
+
+	// List of volumes
+	// Required: true
+	Volumes []*types.Volume `json:"Volumes"`
+
+	// Warnings that occurred when fetching the list of volumes
+	// Required: true
+	Warnings []string `json:"Warnings"`
+}
diff --git a/engine/builder/builder-next/adapters/containerimage/pull.go b/engine/builder/builder-next/adapters/containerimage/pull.go
new file mode 100644
index 00000000..2b6c214b
--- /dev/null
+++ b/engine/builder/builder-next/adapters/containerimage/pull.go
@@ -0,0 +1,733 @@
+package containerimage
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"runtime"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/images"
+	"github.com/containerd/containerd/platforms"
+	ctdreference "github.com/containerd/containerd/reference"
+	"github.com/containerd/containerd/remotes"
+	"github.com/containerd/containerd/remotes/docker"
+	"github.com/containerd/containerd/remotes/docker/schema1"
+	distreference "github.com/docker/distribution/reference"
+	"github.com/docker/docker/distribution"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	pkgprogress "github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/reference"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/auth"
+	"github.com/moby/buildkit/source"
+	"github.com/moby/buildkit/util/flightcontrol"
+	"github.com/moby/buildkit/util/imageutil"
+	"github.com/moby/buildkit/util/progress"
+	"github.com/moby/buildkit/util/tracing"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/opencontainers/image-spec/identity"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"golang.org/x/time/rate"
+)
+
+const preferLocal = true // FIXME: make this optional from the op
+
+// SourceOpt is options for creating the image source
+type SourceOpt struct {
+	SessionManager  *session.Manager
+	ContentStore    content.Store
+	CacheAccessor   cache.Accessor
+	ReferenceStore  reference.Store
+	DownloadManager distribution.RootFSDownloadManager
+	MetadataStore   metadata.V2MetadataService
+	ImageStore      image.Store
+}
+
+type imageSource struct {
+	SourceOpt
+	g flightcontrol.Group
+}
+
+// NewSource creates a new image source
+func NewSource(opt SourceOpt) (source.Source, error) {
+	is := &imageSource{
+		SourceOpt: opt,
+	}
+
+	return is, nil
+}
+
+func (is *imageSource) ID() string {
+	return source.DockerImageScheme
+}
+
+func (is *imageSource) getResolver(ctx context.Context) remotes.Resolver {
+	return docker.NewResolver(docker.ResolverOptions{
+		Client:      tracing.DefaultClient,
+		Credentials: is.getCredentialsFromSession(ctx),
+	})
+}
+
+func (is *imageSource) getCredentialsFromSession(ctx context.Context) func(string) (string, string, error) {
+	id := session.FromContext(ctx)
+	if id == "" {
+		return nil
+	}
+	return func(host string) (string, string, error) {
+		timeoutCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+
+		caller, err := is.SessionManager.Get(timeoutCtx, id)
+		if err != nil {
+			return "", "", err
+		}
+
+		return auth.CredentialsFunc(tracing.ContextWithSpanFromContext(context.TODO(), ctx), caller)(host)
+	}
+}
+
+func (is *imageSource) resolveLocal(refStr string) ([]byte, error) {
+	ref, err := distreference.ParseNormalizedNamed(refStr)
+	if err != nil {
+		return nil, err
+	}
+	dgst, err := is.ReferenceStore.Get(ref)
+	if err != nil {
+		return nil, err
+	}
+	img, err := is.ImageStore.Get(image.ID(dgst))
+	if err != nil {
+		return nil, err
+	}
+	return img.RawJSON(), nil
+}
+
+func (is *imageSource) ResolveImageConfig(ctx context.Context, ref string, platform *ocispec.Platform) (digest.Digest, []byte, error) {
+	if preferLocal {
+		dt, err := is.resolveLocal(ref)
+		if err == nil {
+			return "", dt, nil
+		}
+	}
+
+	type t struct {
+		dgst digest.Digest
+		dt   []byte
+	}
+	res, err := is.g.Do(ctx, ref, func(ctx context.Context) (interface{}, error) {
+		dgst, dt, err := imageutil.Config(ctx, ref, is.getResolver(ctx), is.ContentStore, platform)
+		if err != nil {
+			return nil, err
+		}
+		return &t{dgst: dgst, dt: dt}, nil
+	})
+	if err != nil {
+		return "", nil, err
+	}
+	typed := res.(*t)
+	return typed.dgst, typed.dt, nil
+}
+
+func (is *imageSource) Resolve(ctx context.Context, id source.Identifier) (source.SourceInstance, error) {
+	imageIdentifier, ok := id.(*source.ImageIdentifier)
+	if !ok {
+		return nil, errors.Errorf("invalid image identifier %v", id)
+	}
+
+	platform := platforms.DefaultSpec()
+	if imageIdentifier.Platform != nil {
+		platform = *imageIdentifier.Platform
+	}
+
+	p := &puller{
+		src:      imageIdentifier,
+		is:       is,
+		resolver: is.getResolver(ctx),
+		platform: platform,
+	}
+	return p, nil
+}
+
+type puller struct {
+	is               *imageSource
+	resolveOnce      sync.Once
+	resolveLocalOnce sync.Once
+	src              *source.ImageIdentifier
+	desc             ocispec.Descriptor
+	ref              string
+	resolveErr       error
+	resolver         remotes.Resolver
+	config           []byte
+	platform         ocispec.Platform
+}
+
+func (p *puller) mainManifestKey(dgst digest.Digest, platform ocispec.Platform) (digest.Digest, error) {
+	dt, err := json.Marshal(struct {
+		Digest  digest.Digest
+		OS      string
+		Arch    string
+		Variant string `json:",omitempty"`
+	}{
+		Digest:  p.desc.Digest,
+		OS:      platform.OS,
+		Arch:    platform.Architecture,
+		Variant: platform.Variant,
+	})
+	if err != nil {
+		return "", err
+	}
+	return digest.FromBytes(dt), nil
+}
+
+func (p *puller) resolveLocal() {
+	p.resolveLocalOnce.Do(func() {
+		dgst := p.src.Reference.Digest()
+		if dgst != "" {
+			info, err := p.is.ContentStore.Info(context.TODO(), dgst)
+			if err == nil {
+				p.ref = p.src.Reference.String()
+				desc := ocispec.Descriptor{
+					Size:   info.Size,
+					Digest: dgst,
+				}
+				ra, err := p.is.ContentStore.ReaderAt(context.TODO(), desc)
+				if err == nil {
+					mt, err := imageutil.DetectManifestMediaType(ra)
+					if err == nil {
+						desc.MediaType = mt
+						p.desc = desc
+					}
+				}
+			}
+		}
+
+		if preferLocal {
+			dt, err := p.is.resolveLocal(p.src.Reference.String())
+			if err == nil {
+				p.config = dt
+			}
+		}
+	})
+}
+
+func (p *puller) resolve(ctx context.Context) error {
+	p.resolveOnce.Do(func() {
+		resolveProgressDone := oneOffProgress(ctx, "resolve "+p.src.Reference.String())
+
+		ref, err := distreference.ParseNormalizedNamed(p.src.Reference.String())
+		if err != nil {
+			p.resolveErr = err
+			resolveProgressDone(err)
+			return
+		}
+
+		if p.desc.Digest == "" && p.config == nil {
+			origRef, desc, err := p.resolver.Resolve(ctx, ref.String())
+			if err != nil {
+				p.resolveErr = err
+				resolveProgressDone(err)
+				return
+			}
+
+			p.desc = desc
+			p.ref = origRef
+		}
+
+		// Schema 1 manifests cannot be resolved to an image config
+		// since the conversion must take place after all the content
+		// has been read.
+		// It may be possible to have a mapping between schema 1 manifests
+		// and the schema 2 manifests they are converted to.
+		if p.config == nil && p.desc.MediaType != images.MediaTypeDockerSchema1Manifest {
+			ref, err := distreference.WithDigest(ref, p.desc.Digest)
+			if err != nil {
+				p.resolveErr = err
+				resolveProgressDone(err)
+				return
+			}
+
+			_, dt, err := p.is.ResolveImageConfig(ctx, ref.String(), &p.platform)
+			if err != nil {
+				p.resolveErr = err
+				resolveProgressDone(err)
+				return
+			}
+
+			p.config = dt
+		}
+		resolveProgressDone(nil)
+	})
+	return p.resolveErr
+}
+
+func (p *puller) CacheKey(ctx context.Context, index int) (string, bool, error) {
+	p.resolveLocal()
+
+	if p.desc.Digest != "" && index == 0 {
+		dgst, err := p.mainManifestKey(p.desc.Digest, p.platform)
+		if err != nil {
+			return "", false, err
+		}
+		return dgst.String(), false, nil
+	}
+
+	if p.config != nil {
+		return cacheKeyFromConfig(p.config).String(), true, nil
+	}
+
+	if err := p.resolve(ctx); err != nil {
+		return "", false, err
+	}
+
+	if p.desc.Digest != "" && index == 0 {
+		dgst, err := p.mainManifestKey(p.desc.Digest, p.platform)
+		if err != nil {
+			return "", false, err
+		}
+		return dgst.String(), false, nil
+	}
+
+	return cacheKeyFromConfig(p.config).String(), true, nil
+}
+
+func (p *puller) Snapshot(ctx context.Context) (cache.ImmutableRef, error) {
+	p.resolveLocal()
+	if err := p.resolve(ctx); err != nil {
+		return nil, err
+	}
+
+	if p.config != nil {
+		img, err := p.is.ImageStore.Get(image.ID(digest.FromBytes(p.config)))
+		if err == nil {
+			if len(img.RootFS.DiffIDs) == 0 {
+				return nil, nil
+			}
+			ref, err := p.is.CacheAccessor.GetFromSnapshotter(ctx, string(img.RootFS.ChainID()), cache.WithDescription(fmt.Sprintf("from local %s", p.ref)))
+			if err != nil {
+				return nil, err
+			}
+			return ref, nil
+		}
+	}
+
+	ongoing := newJobs(p.ref)
+
+	pctx, stopProgress := context.WithCancel(ctx)
+
+	pw, _, ctx := progress.FromContext(ctx)
+	defer pw.Close()
+
+	progressDone := make(chan struct{})
+	go func() {
+		showProgress(pctx, ongoing, p.is.ContentStore, pw)
+		close(progressDone)
+	}()
+	defer func() {
+		<-progressDone
+	}()
+
+	fetcher, err := p.resolver.Fetcher(ctx, p.ref)
+	if err != nil {
+		stopProgress()
+		return nil, err
+	}
+
+	var (
+		schema1Converter *schema1.Converter
+		handlers         []images.Handler
+	)
+	if p.desc.MediaType == images.MediaTypeDockerSchema1Manifest {
+		schema1Converter = schema1.NewConverter(p.is.ContentStore, fetcher)
+		handlers = append(handlers, schema1Converter)
+
+		// TODO: Optimize to do dispatch and integrate pulling with download manager,
+		// leverage existing blob mapping and layer storage
+	} else {
+
+		// TODO: need a wrapper snapshot interface that combines content
+		// and snapshots as 1) buildkit shouldn't have a dependency on contentstore
+		// or 2) cachemanager should manage the contentstore
+		handlers = append(handlers, images.HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
+			switch desc.MediaType {
+			case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest,
+				images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex,
+				images.MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig:
+			default:
+				return nil, images.ErrSkipDesc
+			}
+			ongoing.add(desc)
+			return nil, nil
+		}))
+
+		// Get all the children for a descriptor
+		childrenHandler := images.ChildrenHandler(p.is.ContentStore)
+		// Set any children labels for that content
+		childrenHandler = images.SetChildrenLabels(p.is.ContentStore, childrenHandler)
+		// Filter the childen by the platform
+		childrenHandler = images.FilterPlatforms(childrenHandler, platforms.Default())
+
+		handlers = append(handlers,
+			remotes.FetchHandler(p.is.ContentStore, fetcher),
+			childrenHandler,
+		)
+	}
+
+	if err := images.Dispatch(ctx, images.Handlers(handlers...), p.desc); err != nil {
+		stopProgress()
+		return nil, err
+	}
+	defer stopProgress()
+
+	if schema1Converter != nil {
+		p.desc, err = schema1Converter.Convert(ctx)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	mfst, err := images.Manifest(ctx, p.is.ContentStore, p.desc, platforms.Default())
+	if err != nil {
+		return nil, err
+	}
+
+	config, err := images.Config(ctx, p.is.ContentStore, p.desc, platforms.Default())
+	if err != nil {
+		return nil, err
+	}
+
+	dt, err := content.ReadBlob(ctx, p.is.ContentStore, config)
+	if err != nil {
+		return nil, err
+	}
+
+	var img ocispec.Image
+	if err := json.Unmarshal(dt, &img); err != nil {
+		return nil, err
+	}
+
+	if len(mfst.Layers) != len(img.RootFS.DiffIDs) {
+		return nil, errors.Errorf("invalid config for manifest")
+	}
+
+	pchan := make(chan pkgprogress.Progress, 10)
+	defer close(pchan)
+
+	go func() {
+		m := map[string]struct {
+			st      time.Time
+			limiter *rate.Limiter
+		}{}
+		for p := range pchan {
+			if p.Action == "Extracting" {
+				st, ok := m[p.ID]
+				if !ok {
+					st.st = time.Now()
+					st.limiter = rate.NewLimiter(rate.Every(100*time.Millisecond), 1)
+					m[p.ID] = st
+				}
+				var end *time.Time
+				if p.LastUpdate || st.limiter.Allow() {
+					if p.LastUpdate {
+						tm := time.Now()
+						end = &tm
+					}
+					pw.Write("extracting "+p.ID, progress.Status{
+						Action:    "extract",
+						Started:   &st.st,
+						Completed: end,
+					})
+				}
+			}
+		}
+	}()
+
+	if len(mfst.Layers) == 0 {
+		return nil, nil
+	}
+
+	layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers))
+
+	for i, desc := range mfst.Layers {
+		ongoing.add(desc)
+		layers = append(layers, &layerDescriptor{
+			desc:    desc,
+			diffID:  layer.DiffID(img.RootFS.DiffIDs[i]),
+			fetcher: fetcher,
+			ref:     p.src.Reference,
+			is:      p.is,
+		})
+	}
+
+	defer func() {
+		<-progressDone
+		for _, desc := range mfst.Layers {
+			p.is.ContentStore.Delete(context.TODO(), desc.Digest)
+		}
+	}()
+
+	r := image.NewRootFS()
+	rootFS, release, err := p.is.DownloadManager.Download(ctx, *r, runtime.GOOS, layers, pkgprogress.ChanOutput(pchan))
+	if err != nil {
+		return nil, err
+	}
+	stopProgress()
+
+	ref, err := p.is.CacheAccessor.GetFromSnapshotter(ctx, string(rootFS.ChainID()), cache.WithDescription(fmt.Sprintf("pulled from %s", p.ref)))
+	release()
+	if err != nil {
+		return nil, err
+	}
+
+	return ref, nil
+}
+
+// Fetch(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser, error)
+type layerDescriptor struct {
+	is      *imageSource
+	fetcher remotes.Fetcher
+	desc    ocispec.Descriptor
+	diffID  layer.DiffID
+	ref     ctdreference.Spec
+}
+
+func (ld *layerDescriptor) Key() string {
+	return "v2:" + ld.desc.Digest.String()
+}
+
+func (ld *layerDescriptor) ID() string {
+	return ld.desc.Digest.String()
+}
+
+func (ld *layerDescriptor) DiffID() (layer.DiffID, error) {
+	return ld.diffID, nil
+}
+
+func (ld *layerDescriptor) Download(ctx context.Context, progressOutput pkgprogress.Output) (io.ReadCloser, int64, error) {
+	rc, err := ld.fetcher.Fetch(ctx, ld.desc)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer rc.Close()
+
+	refKey := remotes.MakeRefKey(ctx, ld.desc)
+
+	ld.is.ContentStore.Abort(ctx, refKey)
+
+	if err := content.WriteBlob(ctx, ld.is.ContentStore, refKey, rc, ld.desc); err != nil {
+		ld.is.ContentStore.Abort(ctx, refKey)
+		return nil, 0, err
+	}
+
+	ra, err := ld.is.ContentStore.ReaderAt(ctx, ld.desc)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return ioutil.NopCloser(content.NewReader(ra)), ld.desc.Size, nil
+}
+
+func (ld *layerDescriptor) Close() {
+	// ld.is.ContentStore.Delete(context.TODO(), ld.desc.Digest))
+}
+
+func (ld *layerDescriptor) Registered(diffID layer.DiffID) {
+	// Cache mapping from this layer's DiffID to the blobsum
+	ld.is.MetadataStore.Add(diffID, metadata.V2Metadata{Digest: ld.desc.Digest, SourceRepository: ld.ref.Locator})
+}
+
+func showProgress(ctx context.Context, ongoing *jobs, cs content.Store, pw progress.Writer) {
+	var (
+		ticker   = time.NewTicker(100 * time.Millisecond)
+		statuses = map[string]statusInfo{}
+		done     bool
+	)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+		case <-ctx.Done():
+			done = true
+		}
+
+		resolved := "resolved"
+		if !ongoing.isResolved() {
+			resolved = "resolving"
+		}
+		statuses[ongoing.name] = statusInfo{
+			Ref:    ongoing.name,
+			Status: resolved,
+		}
+
+		actives := make(map[string]statusInfo)
+
+		if !done {
+			active, err := cs.ListStatuses(ctx)
+			if err != nil {
+				// log.G(ctx).WithError(err).Error("active check failed")
+				continue
+			}
+			// update status of active entries!
+			for _, active := range active {
+				actives[active.Ref] = statusInfo{
+					Ref:       active.Ref,
+					Status:    "downloading",
+					Offset:    active.Offset,
+					Total:     active.Total,
+					StartedAt: active.StartedAt,
+					UpdatedAt: active.UpdatedAt,
+				}
+			}
+		}
+
+		// now, update the items in jobs that are not in active
+		for _, j := range ongoing.jobs() {
+			refKey := remotes.MakeRefKey(ctx, j.Descriptor)
+			if a, ok := actives[refKey]; ok {
+				started := j.started
+				pw.Write(j.Digest.String(), progress.Status{
+					Action:  a.Status,
+					Total:   int(a.Total),
+					Current: int(a.Offset),
+					Started: &started,
+				})
+				continue
+			}
+
+			if !j.done {
+				info, err := cs.Info(context.TODO(), j.Digest)
+				if err != nil {
+					if errdefs.IsNotFound(err) {
+						// pw.Write(j.Digest.String(), progress.Status{
+						// 	Action: "waiting",
+						// })
+						continue
+					}
+				} else {
+					j.done = true
+				}
+
+				if done || j.done {
+					started := j.started
+					createdAt := info.CreatedAt
+					pw.Write(j.Digest.String(), progress.Status{
+						Action:    "done",
+						Current:   int(info.Size),
+						Total:     int(info.Size),
+						Completed: &createdAt,
+						Started:   &started,
+					})
+				}
+			}
+		}
+		if done {
+			return
+		}
+	}
+}
+
+// jobs provides a way of identifying the download keys for a particular task
+// encountering during the pull walk.
+//
+// This is very minimal and will probably be replaced with something more
+// featured.
+type jobs struct {
+	name     string
+	added    map[digest.Digest]*job
+	mu       sync.Mutex
+	resolved bool
+}
+
+type job struct {
+	ocispec.Descriptor
+	done    bool
+	started time.Time
+}
+
+func newJobs(name string) *jobs {
+	return &jobs{
+		name:  name,
+		added: make(map[digest.Digest]*job),
+	}
+}
+
+func (j *jobs) add(desc ocispec.Descriptor) {
+	j.mu.Lock()
+	defer j.mu.Unlock()
+
+	if _, ok := j.added[desc.Digest]; ok {
+		return
+	}
+	j.added[desc.Digest] = &job{
+		Descriptor: desc,
+		started:    time.Now(),
+	}
+}
+
+func (j *jobs) jobs() []*job {
+	j.mu.Lock()
+	defer j.mu.Unlock()
+
+	descs := make([]*job, 0, len(j.added))
+	for _, j := range j.added {
+		descs = append(descs, j)
+	}
+	return descs
+}
+
+func (j *jobs) isResolved() bool {
+	j.mu.Lock()
+	defer j.mu.Unlock()
+	return j.resolved
+}
+
+type statusInfo struct {
+	Ref       string
+	Status    string
+	Offset    int64
+	Total     int64
+	StartedAt time.Time
+	UpdatedAt time.Time
+}
+
+func oneOffProgress(ctx context.Context, id string) func(err error) error {
+	pw, _, _ := progress.FromContext(ctx)
+	now := time.Now()
+	st := progress.Status{
+		Started: &now,
+	}
+	pw.Write(id, st)
+	return func(err error) error {
+		// TODO: set error on status
+		now := time.Now()
+		st.Completed = &now
+		pw.Write(id, st)
+		pw.Close()
+		return err
+	}
+}
+
+// cacheKeyFromConfig returns a stable digest from image config. If image config
+// is a known oci image we will use chainID of layers.
+func cacheKeyFromConfig(dt []byte) digest.Digest {
+	var img ocispec.Image
+	err := json.Unmarshal(dt, &img)
+	if err != nil {
+		return digest.FromBytes(dt)
+	}
+	if img.RootFS.Type != "layers" {
+		return digest.FromBytes(dt)
+	}
+	return identity.ChainID(img.RootFS.DiffIDs)
+}
diff --git a/engine/builder/builder-next/adapters/snapshot/layer.go b/engine/builder/builder-next/adapters/snapshot/layer.go
new file mode 100644
index 00000000..d0aa6f28
--- /dev/null
+++ b/engine/builder/builder-next/adapters/snapshot/layer.go
@@ -0,0 +1,113 @@
+package snapshot
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+
+	"github.com/boltdb/bolt"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
+	if l, err := s.getLayer(key, true); err != nil {
+		return nil, err
+	} else if l != nil {
+		return getDiffChain(l), nil
+	}
+
+	id, committed := s.getGraphDriverID(key)
+	if !committed {
+		return nil, errors.Errorf("can not convert active %s to layer", key)
+	}
+
+	info, err := s.Stat(ctx, key)
+	if err != nil {
+		return nil, err
+	}
+
+	eg, gctx := errgroup.WithContext(ctx)
+
+	// TODO: add flightcontrol
+
+	var parentChainID layer.ChainID
+	if info.Parent != "" {
+		eg.Go(func() error {
+			diffIDs, err := s.EnsureLayer(gctx, info.Parent)
+			if err != nil {
+				return err
+			}
+			parentChainID = layer.CreateChainID(diffIDs)
+			return nil
+		})
+	}
+
+	tmpDir, err := ioutils.TempDir("", "docker-tarsplit")
+	if err != nil {
+		return nil, err
+	}
+	defer os.RemoveAll(tmpDir)
+	tarSplitPath := filepath.Join(tmpDir, "tar-split")
+
+	var diffID layer.DiffID
+	var size int64
+	eg.Go(func() error {
+		parent := ""
+		if p := info.Parent; p != "" {
+			if l, err := s.getLayer(p, true); err != nil {
+				return err
+			} else if l != nil {
+				parent, err = getGraphID(l)
+				if err != nil {
+					return err
+				}
+			} else {
+				parent, _ = s.getGraphDriverID(info.Parent)
+			}
+		}
+		diffID, size, err = s.reg.ChecksumForGraphID(id, parent, "", tarSplitPath)
+		return err
+	})
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+
+	l, err := s.reg.RegisterByGraphID(id, parentChainID, diffID, tarSplitPath, size)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := s.db.Update(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(key))
+		b.Put(keyChainID, []byte(l.ChainID()))
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+
+	s.mu.Lock()
+	s.refs[key] = l
+	s.mu.Unlock()
+
+	return getDiffChain(l), nil
+}
+
+func getDiffChain(l layer.Layer) []layer.DiffID {
+	if p := l.Parent(); p != nil {
+		return append(getDiffChain(p), l.DiffID())
+	}
+	return []layer.DiffID{l.DiffID()}
+}
+
+func getGraphID(l layer.Layer) (string, error) {
+	if l, ok := l.(interface {
+		CacheID() string
+	}); ok {
+		return l.CacheID(), nil
+	}
+	return "", errors.Errorf("couldn't access cacheID for %s", l.ChainID())
+}
diff --git a/engine/builder/builder-next/adapters/snapshot/snapshot.go b/engine/builder/builder-next/adapters/snapshot/snapshot.go
new file mode 100644
index 00000000..5b2c583a
--- /dev/null
+++ b/engine/builder/builder-next/adapters/snapshot/snapshot.go
@@ -0,0 +1,467 @@
+package snapshot
+
+import (
+	"context"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/boltdb/bolt"
+	"github.com/containerd/containerd/mount"
+	"github.com/containerd/containerd/snapshots"
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/layer"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/snapshot"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+var keyParent = []byte("parent")
+var keyCommitted = []byte("committed")
+var keyChainID = []byte("chainid")
+var keySize = []byte("size")
+
+// Opt defines options for creating the snapshotter
+type Opt struct {
+	GraphDriver graphdriver.Driver
+	LayerStore  layer.Store
+	Root        string
+}
+
+type graphIDRegistrar interface {
+	RegisterByGraphID(string, layer.ChainID, layer.DiffID, string, int64) (layer.Layer, error)
+	Release(layer.Layer) ([]layer.Metadata, error)
+	checksumCalculator
+}
+
+type checksumCalculator interface {
+	ChecksumForGraphID(id, parent, oldTarDataPath, newTarDataPath string) (diffID layer.DiffID, size int64, err error)
+}
+
+type snapshotter struct {
+	opt Opt
+
+	refs map[string]layer.Layer
+	db   *bolt.DB
+	mu   sync.Mutex
+	reg  graphIDRegistrar
+}
+
+var _ snapshot.SnapshotterBase = &snapshotter{}
+
+// NewSnapshotter creates a new snapshotter
+func NewSnapshotter(opt Opt) (snapshot.SnapshotterBase, error) {
+	dbPath := filepath.Join(opt.Root, "snapshots.db")
+	db, err := bolt.Open(dbPath, 0600, nil)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to open database file %s", dbPath)
+	}
+
+	reg, ok := opt.LayerStore.(graphIDRegistrar)
+	if !ok {
+		return nil, errors.Errorf("layerstore doesn't support graphID registration")
+	}
+
+	s := &snapshotter{
+		opt:  opt,
+		db:   db,
+		refs: map[string]layer.Layer{},
+		reg:  reg,
+	}
+	return s, nil
+}
+
+func (s *snapshotter) Prepare(ctx context.Context, key, parent string, opts ...snapshots.Opt) error {
+	origParent := parent
+	if parent != "" {
+		if l, err := s.getLayer(parent, false); err != nil {
+			return err
+		} else if l != nil {
+			parent, err = getGraphID(l)
+			if err != nil {
+				return err
+			}
+		} else {
+			parent, _ = s.getGraphDriverID(parent)
+		}
+	}
+	if err := s.opt.GraphDriver.Create(key, parent, nil); err != nil {
+		return err
+	}
+	if err := s.db.Update(func(tx *bolt.Tx) error {
+		b, err := tx.CreateBucketIfNotExists([]byte(key))
+		if err != nil {
+			return err
+		}
+
+		if err := b.Put(keyParent, []byte(origParent)); err != nil {
+			return err
+		}
+		return nil
+	}); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *snapshotter) chainID(key string) (layer.ChainID, bool) {
+	if strings.HasPrefix(key, "sha256:") {
+		dgst, err := digest.Parse(key)
+		if err != nil {
+			return "", false
+		}
+		return layer.ChainID(dgst), true
+	}
+	return "", false
+}
+
+func (s *snapshotter) getLayer(key string, withCommitted bool) (layer.Layer, error) {
+	s.mu.Lock()
+	l, ok := s.refs[key]
+	if !ok {
+		id, ok := s.chainID(key)
+		if !ok {
+			if !withCommitted {
+				s.mu.Unlock()
+				return nil, nil
+			}
+			if err := s.db.View(func(tx *bolt.Tx) error {
+				b := tx.Bucket([]byte(key))
+				if b == nil {
+					return nil
+				}
+				v := b.Get(keyChainID)
+				if v != nil {
+					id = layer.ChainID(v)
+				}
+				return nil
+			}); err != nil {
+				s.mu.Unlock()
+				return nil, err
+			}
+			if id == "" {
+				s.mu.Unlock()
+				return nil, nil
+			}
+		}
+		var err error
+		l, err = s.opt.LayerStore.Get(id)
+		if err != nil {
+			s.mu.Unlock()
+			return nil, err
+		}
+		s.refs[key] = l
+		if err := s.db.Update(func(tx *bolt.Tx) error {
+			_, err := tx.CreateBucketIfNotExists([]byte(key))
+			return err
+		}); err != nil {
+			s.mu.Unlock()
+			return nil, err
+		}
+	}
+	s.mu.Unlock()
+
+	return l, nil
+}
+
+func (s *snapshotter) getGraphDriverID(key string) (string, bool) {
+	var gdID string
+	if err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(key))
+		if b == nil {
+			return errors.Errorf("not found") // TODO: typed
+		}
+		v := b.Get(keyCommitted)
+		if v != nil {
+			gdID = string(v)
+		}
+		return nil
+	}); err != nil || gdID == "" {
+		return key, false
+	}
+	return gdID, true
+}
+
+func (s *snapshotter) Stat(ctx context.Context, key string) (snapshots.Info, error) {
+	inf := snapshots.Info{
+		Kind: snapshots.KindActive,
+	}
+
+	l, err := s.getLayer(key, false)
+	if err != nil {
+		return snapshots.Info{}, err
+	}
+	if l != nil {
+		if p := l.Parent(); p != nil {
+			inf.Parent = p.ChainID().String()
+		}
+		inf.Kind = snapshots.KindCommitted
+		inf.Name = key
+		return inf, nil
+	}
+
+	l, err = s.getLayer(key, true)
+	if err != nil {
+		return snapshots.Info{}, err
+	}
+
+	id, committed := s.getGraphDriverID(key)
+	if committed {
+		inf.Kind = snapshots.KindCommitted
+	}
+
+	if err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(id))
+		if b == nil && l == nil {
+			return errors.Errorf("snapshot %s not found", id) // TODO: typed
+		}
+		inf.Name = key
+		if b != nil {
+			v := b.Get(keyParent)
+			if v != nil {
+				inf.Parent = string(v)
+				return nil
+			}
+		}
+		if l != nil {
+			if p := l.Parent(); p != nil {
+				inf.Parent = p.ChainID().String()
+			}
+			inf.Kind = snapshots.KindCommitted
+		}
+		return nil
+	}); err != nil {
+		return snapshots.Info{}, err
+	}
+	return inf, nil
+}
+
+func (s *snapshotter) Mounts(ctx context.Context, key string) (snapshot.Mountable, error) {
+	l, err := s.getLayer(key, true)
+	if err != nil {
+		return nil, err
+	}
+	if l != nil {
+		id := identity.NewID()
+		var rwlayer layer.RWLayer
+		return &mountable{
+			acquire: func() ([]mount.Mount, error) {
+				rwlayer, err = s.opt.LayerStore.CreateRWLayer(id, l.ChainID(), nil)
+				if err != nil {
+					return nil, err
+				}
+				rootfs, err := rwlayer.Mount("")
+				if err != nil {
+					return nil, err
+				}
+				return []mount.Mount{{
+					Source:  rootfs.Path(),
+					Type:    "bind",
+					Options: []string{"rbind"},
+				}}, nil
+			},
+			release: func() error {
+				_, err := s.opt.LayerStore.ReleaseRWLayer(rwlayer)
+				return err
+			},
+		}, nil
+	}
+
+	id, _ := s.getGraphDriverID(key)
+
+	return &mountable{
+		acquire: func() ([]mount.Mount, error) {
+			rootfs, err := s.opt.GraphDriver.Get(id, "")
+			if err != nil {
+				return nil, err
+			}
+			return []mount.Mount{{
+				Source:  rootfs.Path(),
+				Type:    "bind",
+				Options: []string{"rbind"},
+			}}, nil
+		},
+		release: func() error {
+			return s.opt.GraphDriver.Put(id)
+		},
+	}, nil
+}
+
+func (s *snapshotter) Remove(ctx context.Context, key string) error {
+	l, err := s.getLayer(key, true)
+	if err != nil {
+		return err
+	}
+
+	id, _ := s.getGraphDriverID(key)
+
+	var found bool
+	if err := s.db.Update(func(tx *bolt.Tx) error {
+		found = tx.Bucket([]byte(key)) != nil
+		if found {
+			tx.DeleteBucket([]byte(key))
+			if id != key {
+				tx.DeleteBucket([]byte(id))
+			}
+		}
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	if l != nil {
+		s.mu.Lock()
+		delete(s.refs, key)
+		s.mu.Unlock()
+		_, err := s.opt.LayerStore.Release(l)
+		return err
+	}
+
+	if !found { // this happens when removing views
+		return nil
+	}
+
+	return s.opt.GraphDriver.Remove(id)
+}
+
+func (s *snapshotter) Commit(ctx context.Context, name, key string, opts ...snapshots.Opt) error {
+	return s.db.Update(func(tx *bolt.Tx) error {
+		b, err := tx.CreateBucketIfNotExists([]byte(name))
+		if err != nil {
+			return err
+		}
+		if err := b.Put(keyCommitted, []byte(key)); err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+func (s *snapshotter) View(ctx context.Context, key, parent string, opts ...snapshots.Opt) (snapshot.Mountable, error) {
+	return s.Mounts(ctx, parent)
+}
+
+func (s *snapshotter) Walk(ctx context.Context, fn func(context.Context, snapshots.Info) error) error {
+	return errors.Errorf("not-implemented")
+}
+
+func (s *snapshotter) Update(ctx context.Context, info snapshots.Info, fieldpaths ...string) (snapshots.Info, error) {
+	// not implemented
+	return s.Stat(ctx, info.Name)
+}
+
+func (s *snapshotter) Usage(ctx context.Context, key string) (us snapshots.Usage, retErr error) {
+	usage := snapshots.Usage{}
+	if l, err := s.getLayer(key, true); err != nil {
+		return usage, err
+	} else if l != nil {
+		s, err := l.DiffSize()
+		if err != nil {
+			return usage, err
+		}
+		usage.Size = s
+		return usage, nil
+	}
+
+	size := int64(-1)
+	if err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(key))
+		if b == nil {
+			return nil
+		}
+		v := b.Get(keySize)
+		if v != nil {
+			s, err := strconv.Atoi(string(v))
+			if err != nil {
+				return err
+			}
+			size = int64(s)
+		}
+		return nil
+	}); err != nil {
+		return usage, err
+	}
+
+	if size != -1 {
+		usage.Size = size
+		return usage, nil
+	}
+
+	id, _ := s.getGraphDriverID(key)
+
+	info, err := s.Stat(ctx, key)
+	if err != nil {
+		return usage, err
+	}
+	var parent string
+	if info.Parent != "" {
+		if l, err := s.getLayer(info.Parent, false); err != nil {
+			return usage, err
+		} else if l != nil {
+			parent, err = getGraphID(l)
+			if err != nil {
+				return usage, err
+			}
+		} else {
+			parent, _ = s.getGraphDriverID(info.Parent)
+		}
+	}
+
+	diffSize, err := s.opt.GraphDriver.DiffSize(id, parent)
+	if err != nil {
+		return usage, err
+	}
+
+	if err := s.db.Update(func(tx *bolt.Tx) error {
+		b, err := tx.CreateBucketIfNotExists([]byte(key))
+		if err != nil {
+			return err
+		}
+		return b.Put(keySize, []byte(strconv.Itoa(int(diffSize))))
+	}); err != nil {
+		return usage, err
+	}
+	usage.Size = diffSize
+	return usage, nil
+}
+
+func (s *snapshotter) Close() error {
+	return s.db.Close()
+}
+
+type mountable struct {
+	mu      sync.Mutex
+	mounts  []mount.Mount
+	acquire func() ([]mount.Mount, error)
+	release func() error
+}
+
+func (m *mountable) Mount() ([]mount.Mount, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.mounts != nil {
+		return m.mounts, nil
+	}
+
+	mounts, err := m.acquire()
+	if err != nil {
+		return nil, err
+	}
+	m.mounts = mounts
+
+	return m.mounts, nil
+}
+
+func (m *mountable) Release() error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if m.release == nil {
+		return nil
+	}
+
+	m.mounts = nil
+	return m.release()
+}
diff --git a/engine/builder/builder-next/builder.go b/engine/builder/builder-next/builder.go
new file mode 100644
index 00000000..dacec0af
--- /dev/null
+++ b/engine/builder/builder-next/builder.go
@@ -0,0 +1,419 @@
+package buildkit
+
+import (
+	"context"
+	"io"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/daemon/images"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/docker/docker/pkg/system"
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/control"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/util/tracing"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+	grpcmetadata "google.golang.org/grpc/metadata"
+)
+
+// Opt is option struct required for creating the builder
+type Opt struct {
+	SessionManager *session.Manager
+	Root           string
+	Dist           images.DistributionServices
+}
+
+// Builder can build using BuildKit backend
+type Builder struct {
+	controller     *control.Controller
+	reqBodyHandler *reqBodyHandler
+
+	mu   sync.Mutex
+	jobs map[string]*buildJob
+}
+
+// New creates a new builder
+func New(opt Opt) (*Builder, error) {
+	reqHandler := newReqBodyHandler(tracing.DefaultTransport)
+
+	c, err := newController(reqHandler, opt)
+	if err != nil {
+		return nil, err
+	}
+	b := &Builder{
+		controller:     c,
+		reqBodyHandler: reqHandler,
+		jobs:           map[string]*buildJob{},
+	}
+	return b, nil
+}
+
+// Cancel cancels a build using ID
+func (b *Builder) Cancel(ctx context.Context, id string) error {
+	b.mu.Lock()
+	if j, ok := b.jobs[id]; ok && j.cancel != nil {
+		j.cancel()
+	}
+	b.mu.Unlock()
+	return nil
+}
+
+// DiskUsage returns a report about space used by build cache
+func (b *Builder) DiskUsage(ctx context.Context) ([]*types.BuildCache, error) {
+	duResp, err := b.controller.DiskUsage(ctx, &controlapi.DiskUsageRequest{})
+	if err != nil {
+		return nil, err
+	}
+
+	var items []*types.BuildCache
+	for _, r := range duResp.Record {
+		items = append(items, &types.BuildCache{
+			ID:      r.ID,
+			Mutable: r.Mutable,
+			InUse:   r.InUse,
+			Size:    r.Size_,
+
+			CreatedAt:   r.CreatedAt,
+			LastUsedAt:  r.LastUsedAt,
+			UsageCount:  int(r.UsageCount),
+			Parent:      r.Parent,
+			Description: r.Description,
+		})
+	}
+	return items, nil
+}
+
+// Prune clears all reclaimable build cache
+func (b *Builder) Prune(ctx context.Context) (int64, error) {
+	ch := make(chan *controlapi.UsageRecord)
+
+	eg, ctx := errgroup.WithContext(ctx)
+
+	eg.Go(func() error {
+		defer close(ch)
+		return b.controller.Prune(&controlapi.PruneRequest{}, &pruneProxy{
+			streamProxy: streamProxy{ctx: ctx},
+			ch:          ch,
+		})
+	})
+
+	var size int64
+	eg.Go(func() error {
+		for r := range ch {
+			size += r.Size_
+		}
+		return nil
+	})
+
+	if err := eg.Wait(); err != nil {
+		return 0, err
+	}
+
+	return size, nil
+}
+
+// Build executes a build request
+func (b *Builder) Build(ctx context.Context, opt backend.BuildConfig) (*builder.Result, error) {
+	var rc = opt.Source
+
+	if buildID := opt.Options.BuildID; buildID != "" {
+		b.mu.Lock()
+
+		upload := false
+		if strings.HasPrefix(buildID, "upload-request:") {
+			upload = true
+			buildID = strings.TrimPrefix(buildID, "upload-request:")
+		}
+
+		if _, ok := b.jobs[buildID]; !ok {
+			b.jobs[buildID] = newBuildJob()
+		}
+		j := b.jobs[buildID]
+		var cancel func()
+		ctx, cancel = context.WithCancel(ctx)
+		j.cancel = cancel
+		b.mu.Unlock()
+
+		if upload {
+			ctx2, cancel := context.WithTimeout(ctx, 5*time.Second)
+			defer cancel()
+			err := j.SetUpload(ctx2, rc)
+			return nil, err
+		}
+
+		if remoteContext := opt.Options.RemoteContext; remoteContext == "upload-request" {
+			ctx2, cancel := context.WithTimeout(ctx, 5*time.Second)
+			defer cancel()
+			var err error
+			rc, err = j.WaitUpload(ctx2)
+			if err != nil {
+				return nil, err
+			}
+			opt.Options.RemoteContext = ""
+		}
+
+		defer func() {
+			delete(b.jobs, buildID)
+		}()
+	}
+
+	var out builder.Result
+
+	id := identity.NewID()
+
+	frontendAttrs := map[string]string{}
+
+	if opt.Options.Target != "" {
+		frontendAttrs["target"] = opt.Options.Target
+	}
+
+	if opt.Options.Dockerfile != "" && opt.Options.Dockerfile != "." {
+		frontendAttrs["filename"] = opt.Options.Dockerfile
+	}
+
+	if opt.Options.RemoteContext != "" {
+		if opt.Options.RemoteContext != "client-session" {
+			frontendAttrs["context"] = opt.Options.RemoteContext
+		}
+	} else {
+		url, cancel := b.reqBodyHandler.newRequest(rc)
+		defer cancel()
+		frontendAttrs["context"] = url
+	}
+
+	cacheFrom := append([]string{}, opt.Options.CacheFrom...)
+
+	frontendAttrs["cache-from"] = strings.Join(cacheFrom, ",")
+
+	for k, v := range opt.Options.BuildArgs {
+		if v == nil {
+			continue
+		}
+		frontendAttrs["build-arg:"+k] = *v
+	}
+
+	for k, v := range opt.Options.Labels {
+		frontendAttrs["label:"+k] = v
+	}
+
+	if opt.Options.NoCache {
+		frontendAttrs["no-cache"] = ""
+	}
+
+	if opt.Options.Platform != "" {
+		// same as in newBuilder in builder/dockerfile.builder.go
+		// TODO: remove once opt.Options.Platform is of type specs.Platform
+		sp, err := platforms.Parse(opt.Options.Platform)
+		if err != nil {
+			return nil, err
+		}
+		if err := system.ValidatePlatform(sp); err != nil {
+			return nil, err
+		}
+		frontendAttrs["platform"] = opt.Options.Platform
+	}
+
+	exporterAttrs := map[string]string{}
+
+	if len(opt.Options.Tags) > 0 {
+		exporterAttrs["name"] = strings.Join(opt.Options.Tags, ",")
+	}
+
+	req := &controlapi.SolveRequest{
+		Ref:           id,
+		Exporter:      "moby",
+		ExporterAttrs: exporterAttrs,
+		Frontend:      "dockerfile.v0",
+		FrontendAttrs: frontendAttrs,
+		Session:       opt.Options.SessionID,
+	}
+
+	aux := streamformatter.AuxFormatter{Writer: opt.ProgressWriter.Output}
+
+	eg, ctx := errgroup.WithContext(ctx)
+
+	eg.Go(func() error {
+		resp, err := b.controller.Solve(ctx, req)
+		if err != nil {
+			return err
+		}
+		id, ok := resp.ExporterResponse["containerimage.digest"]
+		if !ok {
+			return errors.Errorf("missing image id")
+		}
+		out.ImageID = id
+		return aux.Emit("moby.image.id", types.BuildResult{ID: id})
+	})
+
+	ch := make(chan *controlapi.StatusResponse)
+
+	eg.Go(func() error {
+		defer close(ch)
+		return b.controller.Status(&controlapi.StatusRequest{
+			Ref: id,
+		}, &statusProxy{streamProxy: streamProxy{ctx: ctx}, ch: ch})
+	})
+
+	eg.Go(func() error {
+		for sr := range ch {
+			dt, err := sr.Marshal()
+			if err != nil {
+				return err
+			}
+			if err := aux.Emit("moby.buildkit.trace", dt); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+
+	return &out, nil
+}
+
+type streamProxy struct {
+	ctx context.Context
+}
+
+func (sp *streamProxy) SetHeader(_ grpcmetadata.MD) error {
+	return nil
+}
+
+func (sp *streamProxy) SendHeader(_ grpcmetadata.MD) error {
+	return nil
+}
+
+func (sp *streamProxy) SetTrailer(_ grpcmetadata.MD) {
+}
+
+func (sp *streamProxy) Context() context.Context {
+	return sp.ctx
+}
+func (sp *streamProxy) RecvMsg(m interface{}) error {
+	return io.EOF
+}
+
+type statusProxy struct {
+	streamProxy
+	ch chan *controlapi.StatusResponse
+}
+
+func (sp *statusProxy) Send(resp *controlapi.StatusResponse) error {
+	return sp.SendMsg(resp)
+}
+func (sp *statusProxy) SendMsg(m interface{}) error {
+	if sr, ok := m.(*controlapi.StatusResponse); ok {
+		sp.ch <- sr
+	}
+	return nil
+}
+
+type pruneProxy struct {
+	streamProxy
+	ch chan *controlapi.UsageRecord
+}
+
+func (sp *pruneProxy) Send(resp *controlapi.UsageRecord) error {
+	return sp.SendMsg(resp)
+}
+func (sp *pruneProxy) SendMsg(m interface{}) error {
+	if sr, ok := m.(*controlapi.UsageRecord); ok {
+		sp.ch <- sr
+	}
+	return nil
+}
+
+type contentStoreNoLabels struct {
+	content.Store
+}
+
+func (c *contentStoreNoLabels) Update(ctx context.Context, info content.Info, fieldpaths ...string) (content.Info, error) {
+	return content.Info{}, nil
+}
+
+type wrapRC struct {
+	io.ReadCloser
+	once   sync.Once
+	err    error
+	waitCh chan struct{}
+}
+
+func (w *wrapRC) Read(b []byte) (int, error) {
+	n, err := w.ReadCloser.Read(b)
+	if err != nil {
+		e := err
+		if e == io.EOF {
+			e = nil
+		}
+		w.close(e)
+	}
+	return n, err
+}
+
+func (w *wrapRC) Close() error {
+	err := w.ReadCloser.Close()
+	w.close(err)
+	return err
+}
+
+func (w *wrapRC) close(err error) {
+	w.once.Do(func() {
+		w.err = err
+		close(w.waitCh)
+	})
+}
+
+func (w *wrapRC) wait() error {
+	<-w.waitCh
+	return w.err
+}
+
+type buildJob struct {
+	cancel func()
+	waitCh chan func(io.ReadCloser) error
+}
+
+func newBuildJob() *buildJob {
+	return &buildJob{waitCh: make(chan func(io.ReadCloser) error)}
+}
+
+func (j *buildJob) WaitUpload(ctx context.Context) (io.ReadCloser, error) {
+	done := make(chan struct{})
+
+	var upload io.ReadCloser
+	fn := func(rc io.ReadCloser) error {
+		w := &wrapRC{ReadCloser: rc, waitCh: make(chan struct{})}
+		upload = w
+		close(done)
+		return w.wait()
+	}
+
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	case j.waitCh <- fn:
+		<-done
+		return upload, nil
+	}
+}
+
+func (j *buildJob) SetUpload(ctx context.Context, rc io.ReadCloser) error {
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case fn := <-j.waitCh:
+		return fn(rc)
+	}
+}
diff --git a/engine/builder/builder-next/controller.go b/engine/builder/builder-next/controller.go
new file mode 100644
index 00000000..c97f941b
--- /dev/null
+++ b/engine/builder/builder-next/controller.go
@@ -0,0 +1,154 @@
+package buildkit
+
+import (
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"github.com/containerd/containerd/content/local"
+	"github.com/docker/docker/builder/builder-next/adapters/containerimage"
+	"github.com/docker/docker/builder/builder-next/adapters/snapshot"
+	containerimageexp "github.com/docker/docker/builder/builder-next/exporter"
+	mobyworker "github.com/docker/docker/builder/builder-next/worker"
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/cache/metadata"
+	registryremotecache "github.com/moby/buildkit/cache/remotecache/registry"
+	"github.com/moby/buildkit/control"
+	"github.com/moby/buildkit/exporter"
+	"github.com/moby/buildkit/frontend"
+	dockerfile "github.com/moby/buildkit/frontend/dockerfile/builder"
+	"github.com/moby/buildkit/frontend/gateway"
+	"github.com/moby/buildkit/frontend/gateway/forwarder"
+	"github.com/moby/buildkit/snapshot/blobmapping"
+	"github.com/moby/buildkit/solver/boltdbcachestorage"
+	"github.com/moby/buildkit/worker"
+	"github.com/pkg/errors"
+)
+
+func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {
+	if err := os.MkdirAll(opt.Root, 0700); err != nil {
+		return nil, err
+	}
+
+	dist := opt.Dist
+	root := opt.Root
+
+	var driver graphdriver.Driver
+	if ls, ok := dist.LayerStore.(interface {
+		Driver() graphdriver.Driver
+	}); ok {
+		driver = ls.Driver()
+	} else {
+		return nil, errors.Errorf("could not access graphdriver")
+	}
+
+	sbase, err := snapshot.NewSnapshotter(snapshot.Opt{
+		GraphDriver: driver,
+		LayerStore:  dist.LayerStore,
+		Root:        root,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	store, err := local.NewStore(filepath.Join(root, "content"))
+	if err != nil {
+		return nil, err
+	}
+	store = &contentStoreNoLabels{store}
+
+	md, err := metadata.NewStore(filepath.Join(root, "metadata.db"))
+	if err != nil {
+		return nil, err
+	}
+
+	snapshotter := blobmapping.NewSnapshotter(blobmapping.Opt{
+		Content:       store,
+		Snapshotter:   sbase,
+		MetadataStore: md,
+	})
+
+	cm, err := cache.NewManager(cache.ManagerOpt{
+		Snapshotter:   snapshotter,
+		MetadataStore: md,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	src, err := containerimage.NewSource(containerimage.SourceOpt{
+		SessionManager:  opt.SessionManager,
+		CacheAccessor:   cm,
+		ContentStore:    store,
+		DownloadManager: dist.DownloadManager,
+		MetadataStore:   dist.V2MetadataService,
+		ImageStore:      dist.ImageStore,
+		ReferenceStore:  dist.ReferenceStore,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	exec, err := newExecutor(root)
+	if err != nil {
+		return nil, err
+	}
+
+	differ, ok := sbase.(containerimageexp.Differ)
+	if !ok {
+		return nil, errors.Errorf("snapshotter doesn't support differ")
+	}
+
+	exp, err := containerimageexp.New(containerimageexp.Opt{
+		ImageStore:     dist.ImageStore,
+		ReferenceStore: dist.ReferenceStore,
+		Differ:         differ,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	cacheStorage, err := boltdbcachestorage.NewStore(filepath.Join(opt.Root, "cache.db"))
+	if err != nil {
+		return nil, err
+	}
+
+	wopt := mobyworker.Opt{
+		ID:                "moby",
+		SessionManager:    opt.SessionManager,
+		MetadataStore:     md,
+		ContentStore:      store,
+		CacheManager:      cm,
+		Snapshotter:       snapshotter,
+		Executor:          exec,
+		ImageSource:       src,
+		DownloadManager:   dist.DownloadManager,
+		V2MetadataService: dist.V2MetadataService,
+		Exporters: map[string]exporter.Exporter{
+			"moby": exp,
+		},
+		Transport: rt,
+	}
+
+	wc := &worker.Controller{}
+	w, err := mobyworker.NewWorker(wopt)
+	if err != nil {
+		return nil, err
+	}
+	wc.Add(w)
+
+	frontends := map[string]frontend.Frontend{
+		"dockerfile.v0": forwarder.NewGatewayForwarder(wc, dockerfile.Build),
+		"gateway.v0":    gateway.NewGatewayFrontend(wc),
+	}
+
+	return control.NewController(control.Opt{
+		SessionManager:           opt.SessionManager,
+		WorkerController:         wc,
+		Frontends:                frontends,
+		CacheKeyStorage:          cacheStorage,
+		ResolveCacheImporterFunc: registryremotecache.ResolveCacheImporterFunc(opt.SessionManager),
+		// TODO: set ResolveCacheExporterFunc for exporting cache
+	})
+}
diff --git a/engine/builder/builder-next/executor_unix.go b/engine/builder/builder-next/executor_unix.go
new file mode 100644
index 00000000..da54473d
--- /dev/null
+++ b/engine/builder/builder-next/executor_unix.go
@@ -0,0 +1,17 @@
+// +build !windows
+
+package buildkit
+
+import (
+	"path/filepath"
+
+	"github.com/moby/buildkit/executor"
+	"github.com/moby/buildkit/executor/runcexecutor"
+)
+
+func newExecutor(root string) (executor.Executor, error) {
+	return runcexecutor.New(runcexecutor.Opt{
+		Root:              filepath.Join(root, "executor"),
+		CommandCandidates: []string{"docker-runc", "runc"},
+	})
+}
diff --git a/engine/builder/builder-next/executor_windows.go b/engine/builder/builder-next/executor_windows.go
new file mode 100644
index 00000000..7b0c6e64
--- /dev/null
+++ b/engine/builder/builder-next/executor_windows.go
@@ -0,0 +1,21 @@
+package buildkit
+
+import (
+	"context"
+	"errors"
+	"io"
+
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/executor"
+)
+
+func newExecutor(_ string) (executor.Executor, error) {
+	return &winExecutor{}, nil
+}
+
+type winExecutor struct {
+}
+
+func (e *winExecutor) Exec(ctx context.Context, meta executor.Meta, rootfs cache.Mountable, mounts []executor.Mount, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error {
+	return errors.New("buildkit executor not implemented for windows")
+}
diff --git a/engine/builder/builder-next/exporter/export.go b/engine/builder/builder-next/exporter/export.go
new file mode 100644
index 00000000..70e7d6ec
--- /dev/null
+++ b/engine/builder/builder-next/exporter/export.go
@@ -0,0 +1,146 @@
+package containerimage
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	distref "github.com/docker/distribution/reference"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/reference"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/exporter"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	keyImageName        = "name"
+	exporterImageConfig = "containerimage.config"
+)
+
+// Differ can make a moby layer from a snapshot
+type Differ interface {
+	EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error)
+}
+
+// Opt defines a struct for creating new exporter
+type Opt struct {
+	ImageStore     image.Store
+	ReferenceStore reference.Store
+	Differ         Differ
+}
+
+type imageExporter struct {
+	opt Opt
+}
+
+// New creates a new moby imagestore exporter
+func New(opt Opt) (exporter.Exporter, error) {
+	im := &imageExporter{opt: opt}
+	return im, nil
+}
+
+func (e *imageExporter) Resolve(ctx context.Context, opt map[string]string) (exporter.ExporterInstance, error) {
+	i := &imageExporterInstance{imageExporter: e}
+	for k, v := range opt {
+		switch k {
+		case keyImageName:
+			for _, v := range strings.Split(v, ",") {
+				ref, err := distref.ParseNormalizedNamed(v)
+				if err != nil {
+					return nil, err
+				}
+				i.targetNames = append(i.targetNames, ref)
+			}
+		case exporterImageConfig:
+			i.config = []byte(v)
+		default:
+			logrus.Warnf("image exporter: unknown option %s", k)
+		}
+	}
+	return i, nil
+}
+
+type imageExporterInstance struct {
+	*imageExporter
+	targetNames []distref.Named
+	config      []byte
+}
+
+func (e *imageExporterInstance) Name() string {
+	return "exporting to image"
+}
+
+func (e *imageExporterInstance) Export(ctx context.Context, ref cache.ImmutableRef, opt map[string][]byte) (map[string]string, error) {
+	if config, ok := opt[exporterImageConfig]; ok {
+		e.config = config
+	}
+	config := e.config
+
+	var diffs []digest.Digest
+	if ref != nil {
+		layersDone := oneOffProgress(ctx, "exporting layers")
+
+		if err := ref.Finalize(ctx, true); err != nil {
+			return nil, err
+		}
+
+		diffIDs, err := e.opt.Differ.EnsureLayer(ctx, ref.ID())
+		if err != nil {
+			return nil, err
+		}
+
+		diffs = make([]digest.Digest, len(diffIDs))
+		for i := range diffIDs {
+			diffs[i] = digest.Digest(diffIDs[i])
+		}
+
+		layersDone(nil)
+	}
+
+	if len(config) == 0 {
+		var err error
+		config, err = emptyImageConfig()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	history, err := parseHistoryFromConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	diffs, history = normalizeLayersAndHistory(diffs, history, ref)
+
+	config, err = patchImageConfig(config, diffs, history)
+	if err != nil {
+		return nil, err
+	}
+
+	configDigest := digest.FromBytes(config)
+
+	configDone := oneOffProgress(ctx, fmt.Sprintf("writing image %s", configDigest))
+	id, err := e.opt.ImageStore.Create(config)
+	if err != nil {
+		return nil, configDone(err)
+	}
+	configDone(nil)
+
+	if e.opt.ReferenceStore != nil {
+		for _, targetName := range e.targetNames {
+			tagDone := oneOffProgress(ctx, "naming to "+targetName.String())
+
+			if err := e.opt.ReferenceStore.AddTag(targetName, digest.Digest(id), true); err != nil {
+				return nil, tagDone(err)
+			}
+			tagDone(nil)
+		}
+	}
+
+	return map[string]string{
+		"containerimage.digest": id.String(),
+	}, nil
+}
diff --git a/engine/builder/builder-next/exporter/writer.go b/engine/builder/builder-next/exporter/writer.go
new file mode 100644
index 00000000..e8fa143f
--- /dev/null
+++ b/engine/builder/builder-next/exporter/writer.go
@@ -0,0 +1,177 @@
+package containerimage
+
+import (
+	"context"
+	"encoding/json"
+	"runtime"
+	"time"
+
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/util/progress"
+	"github.com/moby/buildkit/util/system"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// const (
+// 	emptyGZLayer = digest.Digest("sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1")
+// )
+
+func emptyImageConfig() ([]byte, error) {
+	img := ocispec.Image{
+		Architecture: runtime.GOARCH,
+		OS:           runtime.GOOS,
+	}
+	img.RootFS.Type = "layers"
+	img.Config.WorkingDir = "/"
+	img.Config.Env = []string{"PATH=" + system.DefaultPathEnv}
+	dt, err := json.Marshal(img)
+	return dt, errors.Wrap(err, "failed to create empty image config")
+}
+
+func parseHistoryFromConfig(dt []byte) ([]ocispec.History, error) {
+	var config struct {
+		History []ocispec.History
+	}
+	if err := json.Unmarshal(dt, &config); err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal history from config")
+	}
+	return config.History, nil
+}
+
+func patchImageConfig(dt []byte, dps []digest.Digest, history []ocispec.History) ([]byte, error) {
+	m := map[string]json.RawMessage{}
+	if err := json.Unmarshal(dt, &m); err != nil {
+		return nil, errors.Wrap(err, "failed to parse image config for patch")
+	}
+
+	var rootFS ocispec.RootFS
+	rootFS.Type = "layers"
+	rootFS.DiffIDs = append(rootFS.DiffIDs, dps...)
+
+	dt, err := json.Marshal(rootFS)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to marshal rootfs")
+	}
+	m["rootfs"] = dt
+
+	dt, err = json.Marshal(history)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to marshal history")
+	}
+	m["history"] = dt
+
+	if _, ok := m["created"]; !ok {
+		var tm *time.Time
+		for _, h := range history {
+			if h.Created != nil {
+				tm = h.Created
+			}
+		}
+		dt, err = json.Marshal(&tm)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to marshal creation time")
+		}
+		m["created"] = dt
+	}
+
+	dt, err = json.Marshal(m)
+	return dt, errors.Wrap(err, "failed to marshal config after patch")
+}
+
+func normalizeLayersAndHistory(diffs []digest.Digest, history []ocispec.History, ref cache.ImmutableRef) ([]digest.Digest, []ocispec.History) {
+	refMeta := getRefMetadata(ref, len(diffs))
+	var historyLayers int
+	for _, h := range history {
+		if !h.EmptyLayer {
+			historyLayers++
+		}
+	}
+	if historyLayers > len(diffs) {
+		// this case shouldn't happen but if it does force set history layers empty
+		// from the bottom
+		logrus.Warn("invalid image config with unaccounted layers")
+		historyCopy := make([]ocispec.History, 0, len(history))
+		var l int
+		for _, h := range history {
+			if l >= len(diffs) {
+				h.EmptyLayer = true
+			}
+			if !h.EmptyLayer {
+				l++
+			}
+			historyCopy = append(historyCopy, h)
+		}
+		history = historyCopy
+	}
+
+	if len(diffs) > historyLayers {
+		// some history items are missing. add them based on the ref metadata
+		for _, md := range refMeta[historyLayers:] {
+			history = append(history, ocispec.History{
+				Created:   &md.createdAt,
+				CreatedBy: md.description,
+				Comment:   "buildkit.exporter.image.v0",
+			})
+		}
+	}
+
+	var layerIndex int
+	for i, h := range history {
+		if !h.EmptyLayer {
+			if h.Created == nil {
+				h.Created = &refMeta[layerIndex].createdAt
+			}
+			layerIndex++
+		}
+		history[i] = h
+	}
+
+	return diffs, history
+}
+
+type refMetadata struct {
+	description string
+	createdAt   time.Time
+}
+
+func getRefMetadata(ref cache.ImmutableRef, limit int) []refMetadata {
+	if limit <= 0 {
+		return nil
+	}
+	meta := refMetadata{
+		description: "created by buildkit", // shouldn't be shown but don't fail build
+		createdAt:   time.Now(),
+	}
+	if ref == nil {
+		return append(getRefMetadata(nil, limit-1), meta)
+	}
+	if descr := cache.GetDescription(ref.Metadata()); descr != "" {
+		meta.description = descr
+	}
+	meta.createdAt = cache.GetCreatedAt(ref.Metadata())
+	p := ref.Parent()
+	if p != nil {
+		defer p.Release(context.TODO())
+	}
+	return append(getRefMetadata(p, limit-1), meta)
+}
+
+func oneOffProgress(ctx context.Context, id string) func(err error) error {
+	pw, _, _ := progress.FromContext(ctx)
+	now := time.Now()
+	st := progress.Status{
+		Started: &now,
+	}
+	pw.Write(id, st)
+	return func(err error) error {
+		// TODO: set error on status
+		now := time.Now()
+		st.Completed = &now
+		pw.Write(id, st)
+		pw.Close()
+		return err
+	}
+}
diff --git a/engine/builder/builder-next/reqbodyhandler.go b/engine/builder/builder-next/reqbodyhandler.go
new file mode 100644
index 00000000..48433908
--- /dev/null
+++ b/engine/builder/builder-next/reqbodyhandler.go
@@ -0,0 +1,67 @@
+package buildkit
+
+import (
+	"io"
+	"net/http"
+	"strings"
+	"sync"
+
+	"github.com/moby/buildkit/identity"
+	"github.com/pkg/errors"
+)
+
+const urlPrefix = "build-context-"
+
+type reqBodyHandler struct {
+	mu sync.Mutex
+	rt http.RoundTripper
+
+	requests map[string]io.ReadCloser
+}
+
+func newReqBodyHandler(rt http.RoundTripper) *reqBodyHandler {
+	return &reqBodyHandler{
+		rt:       rt,
+		requests: map[string]io.ReadCloser{},
+	}
+}
+
+func (h *reqBodyHandler) newRequest(rc io.ReadCloser) (string, func()) {
+	id := identity.NewID()
+	h.mu.Lock()
+	h.requests[id] = rc
+	h.mu.Unlock()
+	return "http://" + urlPrefix + id, func() {
+		h.mu.Lock()
+		delete(h.requests, id)
+		h.mu.Unlock()
+	}
+}
+
+func (h *reqBodyHandler) RoundTrip(req *http.Request) (*http.Response, error) {
+	host := req.URL.Host
+	if strings.HasPrefix(host, urlPrefix) {
+		if req.Method != "GET" {
+			return nil, errors.Errorf("invalid request")
+		}
+		id := strings.TrimPrefix(host, urlPrefix)
+		h.mu.Lock()
+		rc, ok := h.requests[id]
+		delete(h.requests, id)
+		h.mu.Unlock()
+
+		if !ok {
+			return nil, errors.Errorf("context not found")
+		}
+
+		resp := &http.Response{
+			Status:        "200 OK",
+			StatusCode:    200,
+			Body:          rc,
+			ContentLength: -1,
+		}
+
+		return resp, nil
+	}
+	return h.rt.RoundTrip(req)
+}
diff --git a/engine/builder/builder-next/worker/worker.go b/engine/builder/builder-next/worker/worker.go
new file mode 100644
index 00000000..29e8095c
--- /dev/null
+++ b/engine/builder/builder-next/worker/worker.go
@@ -0,0 +1,331 @@
+package worker
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	nethttp "net/http"
+	"runtime"
+	"time"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/containerd/rootfs"
+	"github.com/docker/docker/distribution"
+	distmetadata "github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	pkgprogress "github.com/docker/docker/pkg/progress"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/cache/metadata"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/executor"
+	"github.com/moby/buildkit/exporter"
+	"github.com/moby/buildkit/frontend"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/llbsolver/ops"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/source"
+	"github.com/moby/buildkit/source/git"
+	"github.com/moby/buildkit/source/http"
+	"github.com/moby/buildkit/source/local"
+	"github.com/moby/buildkit/util/contentutil"
+	"github.com/moby/buildkit/util/progress"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Opt defines a structure for creating a worker.
+type Opt struct {
+	ID                string
+	Labels            map[string]string
+	SessionManager    *session.Manager
+	MetadataStore     *metadata.Store
+	Executor          executor.Executor
+	Snapshotter       snapshot.Snapshotter
+	ContentStore      content.Store
+	CacheManager      cache.Manager
+	ImageSource       source.Source
+	Exporters         map[string]exporter.Exporter
+	DownloadManager   distribution.RootFSDownloadManager
+	V2MetadataService distmetadata.V2MetadataService
+	Transport         nethttp.RoundTripper
+}
+
+// Worker is a local worker instance with dedicated snapshotter, cache, and so on.
+// TODO: s/Worker/OpWorker/g ?
+type Worker struct {
+	Opt
+	SourceManager *source.Manager
+}
+
+// NewWorker instantiates a local worker
+func NewWorker(opt Opt) (*Worker, error) {
+	sm, err := source.NewManager()
+	if err != nil {
+		return nil, err
+	}
+
+	cm := opt.CacheManager
+	sm.Register(opt.ImageSource)
+
+	gs, err := git.NewSource(git.Opt{
+		CacheAccessor: cm,
+		MetadataStore: opt.MetadataStore,
+	})
+	if err == nil {
+		sm.Register(gs)
+	} else {
+		logrus.Warnf("Could not register builder git source: %s", err)
+	}
+
+	hs, err := http.NewSource(http.Opt{
+		CacheAccessor: cm,
+		MetadataStore: opt.MetadataStore,
+		Transport:     opt.Transport,
+	})
+	if err == nil {
+		sm.Register(hs)
+	} else {
+		logrus.Warnf("Could not register builder http source: %s", err)
+	}
+
+	ss, err := local.NewSource(local.Opt{
+		SessionManager: opt.SessionManager,
+		CacheAccessor:  cm,
+		MetadataStore:  opt.MetadataStore,
+	})
+	if err == nil {
+		sm.Register(ss)
+	} else {
+		logrus.Warnf("Could not register builder local source: %s", err)
+	}
+
+	return &Worker{
+		Opt:           opt,
+		SourceManager: sm,
+	}, nil
+}
+
+// ID returns worker ID
+func (w *Worker) ID() string {
+	return w.Opt.ID
+}
+
+// Labels returns map of all worker labels
+func (w *Worker) Labels() map[string]string {
+	return w.Opt.Labels
+}
+
+// Platforms returns one or more platforms supported by the image.
+func (w *Worker) Platforms() []ocispec.Platform {
+	// does not handle lcow
+	return []ocispec.Platform{platforms.DefaultSpec()}
+}
+
+// LoadRef loads a reference by ID
+func (w *Worker) LoadRef(id string) (cache.ImmutableRef, error) {
+	return w.CacheManager.Get(context.TODO(), id)
+}
+
+// ResolveOp converts a LLB vertex into a LLB operation
+func (w *Worker) ResolveOp(v solver.Vertex, s frontend.FrontendLLBBridge) (solver.Op, error) {
+	if baseOp, ok := v.Sys().(*pb.Op); ok {
+		switch op := baseOp.Op.(type) {
+		case *pb.Op_Source:
+			return ops.NewSourceOp(v, op, baseOp.Platform, w.SourceManager, w)
+		case *pb.Op_Exec:
+			return ops.NewExecOp(v, op, w.CacheManager, w.MetadataStore, w.Executor, w)
+		case *pb.Op_Build:
+			return ops.NewBuildOp(v, op, s, w)
+		}
+	}
+	return nil, errors.Errorf("could not resolve %v", v)
+}
+
+// ResolveImageConfig returns image config for an image
+func (w *Worker) ResolveImageConfig(ctx context.Context, ref string, platform *ocispec.Platform) (digest.Digest, []byte, error) {
+	// ImageSource is typically source/containerimage
+	resolveImageConfig, ok := w.ImageSource.(resolveImageConfig)
+	if !ok {
+		return "", nil, errors.Errorf("worker %q does not implement ResolveImageConfig", w.ID())
+	}
+	return resolveImageConfig.ResolveImageConfig(ctx, ref, platform)
+}
+
+// Exec executes a process directly on a worker
+func (w *Worker) Exec(ctx context.Context, meta executor.Meta, rootFS cache.ImmutableRef, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error {
+	active, err := w.CacheManager.New(ctx, rootFS)
+	if err != nil {
+		return err
+	}
+	defer active.Release(context.TODO())
+	return w.Executor.Exec(ctx, meta, active, nil, stdin, stdout, stderr)
+}
+
+// DiskUsage returns disk usage report
+func (w *Worker) DiskUsage(ctx context.Context, opt client.DiskUsageInfo) ([]*client.UsageInfo, error) {
+	return w.CacheManager.DiskUsage(ctx, opt)
+}
+
+// Prune deletes reclaimable build cache
+func (w *Worker) Prune(ctx context.Context, ch chan client.UsageInfo) error {
+	return w.CacheManager.Prune(ctx, ch)
+}
+
+// Exporter returns exporter by name
+func (w *Worker) Exporter(name string) (exporter.Exporter, error) {
+	exp, ok := w.Exporters[name]
+	if !ok {
+		return nil, errors.Errorf("exporter %q could not be found", name)
+	}
+	return exp, nil
+}
+
+// GetRemote returns a remote snapshot reference for a local one
+func (w *Worker) GetRemote(ctx context.Context, ref cache.ImmutableRef, createIfNeeded bool) (*solver.Remote, error) {
+	return nil, errors.Errorf("getremote not implemented")
+}
+
+// FromRemote converts a remote snapshot reference to a local one
+func (w *Worker) FromRemote(ctx context.Context, remote *solver.Remote) (cache.ImmutableRef, error) {
+	rootfs, err := getLayers(ctx, remote.Descriptors)
+	if err != nil {
+		return nil, err
+	}
+
+	layers := make([]xfer.DownloadDescriptor, 0, len(rootfs))
+
+	for _, l := range rootfs {
+		// ongoing.add(desc)
+		layers = append(layers, &layerDescriptor{
+			desc:     l.Blob,
+			diffID:   layer.DiffID(l.Diff.Digest),
+			provider: remote.Provider,
+			w:        w,
+			pctx:     ctx,
+		})
+	}
+
+	defer func() {
+		for _, l := range rootfs {
+			w.ContentStore.Delete(context.TODO(), l.Blob.Digest)
+		}
+	}()
+
+	r := image.NewRootFS()
+	rootFS, release, err := w.DownloadManager.Download(ctx, *r, runtime.GOOS, layers, &discardProgress{})
+	if err != nil {
+		return nil, err
+	}
+	defer release()
+
+	ref, err := w.CacheManager.GetFromSnapshotter(ctx, string(rootFS.ChainID()), cache.WithDescription(fmt.Sprintf("imported %s", remote.Descriptors[len(remote.Descriptors)-1].Digest)))
+	if err != nil {
+		return nil, err
+	}
+	return ref, nil
+}
+
+type discardProgress struct{}
+
+func (*discardProgress) WriteProgress(_ pkgprogress.Progress) error {
+	return nil
+}
+
+// Fetch(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser, error)
+type layerDescriptor struct {
+	provider content.Provider
+	desc     ocispec.Descriptor
+	diffID   layer.DiffID
+	// ref      ctdreference.Spec
+	w    *Worker
+	pctx context.Context
+}
+
+func (ld *layerDescriptor) Key() string {
+	return "v2:" + ld.desc.Digest.String()
+}
+
+func (ld *layerDescriptor) ID() string {
+	return ld.desc.Digest.String()
+}
+
+func (ld *layerDescriptor) DiffID() (layer.DiffID, error) {
+	return ld.diffID, nil
+}
+
+func (ld *layerDescriptor) Download(ctx context.Context, progressOutput pkgprogress.Output) (io.ReadCloser, int64, error) {
+	done := oneOffProgress(ld.pctx, fmt.Sprintf("pulling %s", ld.desc.Digest))
+	if err := contentutil.Copy(ctx, ld.w.ContentStore, ld.provider, ld.desc); err != nil {
+		return nil, 0, done(err)
+	}
+	done(nil)
+
+	ra, err := ld.w.ContentStore.ReaderAt(ctx, ld.desc)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return ioutil.NopCloser(content.NewReader(ra)), ld.desc.Size, nil
+}
+
+func (ld *layerDescriptor) Close() {
+	// ld.is.ContentStore.Delete(context.TODO(), ld.desc.Digest)
+}
+
+func (ld *layerDescriptor) Registered(diffID layer.DiffID) {
+	// Cache mapping from this layer's DiffID to the blobsum
+	ld.w.V2MetadataService.Add(diffID, distmetadata.V2Metadata{Digest: ld.desc.Digest})
+}
+
+func getLayers(ctx context.Context, descs []ocispec.Descriptor) ([]rootfs.Layer, error) {
+	layers := make([]rootfs.Layer, len(descs))
+	for i, desc := range descs {
+		diffIDStr := desc.Annotations["containerd.io/uncompressed"]
+		if diffIDStr == "" {
+			return nil, errors.Errorf("%s missing uncompressed digest", desc.Digest)
+		}
+		diffID, err := digest.Parse(diffIDStr)
+		if err != nil {
+			return nil, err
+		}
+		layers[i].Diff = ocispec.Descriptor{
+			MediaType: ocispec.MediaTypeImageLayer,
+			Digest:    diffID,
+		}
+		layers[i].Blob = ocispec.Descriptor{
+			MediaType: desc.MediaType,
+			Digest:    desc.Digest,
+			Size:      desc.Size,
+		}
+	}
+	return layers, nil
+}
+
+func oneOffProgress(ctx context.Context, id string) func(err error) error {
+	pw, _, _ := progress.FromContext(ctx)
+	now := time.Now()
+	st := progress.Status{
+		Started: &now,
+	}
+	pw.Write(id, st)
+	return func(err error) error {
+		// TODO: set error on status
+		now := time.Now()
+		st.Completed = &now
+		pw.Write(id, st)
+		pw.Close()
+		return err
+	}
+}
+
+type resolveImageConfig interface {
+	ResolveImageConfig(ctx context.Context, ref string, platform *ocispec.Platform) (digest.Digest, []byte, error)
+}
diff --git a/engine/builder/builder.go b/engine/builder/builder.go
new file mode 100644
index 00000000..3eb03414
--- /dev/null
+++ b/engine/builder/builder.go
@@ -0,0 +1,115 @@
+// Package builder defines interfaces for any Docker builder to implement.
+//
+// Historically, only server-side Dockerfile interpreters existed.
+// This package allows for other implementations of Docker builders.
+package builder // import "github.com/docker/docker/builder"
+
+import (
+	"context"
+	"io"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/container"
+	containerpkg "github.com/docker/docker/container"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/containerfs"
+)
+
+const (
+	// DefaultDockerfileName is the Default filename with Docker commands, read by docker build
+	DefaultDockerfileName = "Dockerfile"
+)
+
+// Source defines a location that can be used as a source for the ADD/COPY
+// instructions in the builder.
+type Source interface {
+	// Root returns root path for accessing source
+	Root() containerfs.ContainerFS
+	// Close allows to signal that the filesystem tree won't be used anymore.
+	// For Context implementations using a temporary directory, it is recommended to
+	// delete the temporary directory in Close().
+	Close() error
+	// Hash returns a checksum for a file
+	Hash(path string) (string, error)
+}
+
+// Backend abstracts calls to a Docker Daemon.
+type Backend interface {
+	ImageBackend
+	ExecBackend
+
+	// CommitBuildStep creates a new Docker image from the config generated by
+	// a build step.
+	CommitBuildStep(backend.CommitConfig) (image.ID, error)
+	// ContainerCreateWorkdir creates the workdir
+	ContainerCreateWorkdir(containerID string) error
+
+	CreateImage(config []byte, parent string) (Image, error)
+
+	ImageCacheBuilder
+}
+
+// ImageBackend are the interface methods required from an image component
+type ImageBackend interface {
+	GetImageAndReleasableLayer(ctx context.Context, refOrID string, opts backend.GetImageAndLayerOptions) (Image, ROLayer, error)
+}
+
+// ExecBackend contains the interface methods required for executing containers
+type ExecBackend interface {
+	// ContainerAttachRaw attaches to container.
+	ContainerAttachRaw(cID string, stdin io.ReadCloser, stdout, stderr io.Writer, stream bool, attached chan struct{}) error
+	// ContainerCreate creates a new Docker container and returns potential warnings
+	ContainerCreate(config types.ContainerCreateConfig) (container.ContainerCreateCreatedBody, error)
+	// ContainerRm removes a container specified by `id`.
+	ContainerRm(name string, config *types.ContainerRmConfig) error
+	// ContainerKill stops the container execution abruptly.
+	ContainerKill(containerID string, sig uint64) error
+	// ContainerStart starts a new container
+	ContainerStart(containerID string, hostConfig *container.HostConfig, checkpoint string, checkpointDir string) error
+	// ContainerWait stops processing until the given container is stopped.
+	ContainerWait(ctx context.Context, name string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error)
+}
+
+// Result is the output produced by a Builder
+type Result struct {
+	ImageID   string
+	FromImage Image
+}
+
+// ImageCacheBuilder represents a generator for stateful image cache.
+type ImageCacheBuilder interface {
+	// MakeImageCache creates a stateful image cache.
+	MakeImageCache(cacheFrom []string) ImageCache
+}
+
+// ImageCache abstracts an image cache.
+// (parent image, child runconfig) -> child image
+type ImageCache interface {
+	// GetCache returns a reference to a cached image whose parent equals `parent`
+	// and runconfig equals `cfg`. A cache miss is expected to return an empty ID and a nil error.
+	GetCache(parentID string, cfg *container.Config) (imageID string, err error)
+}
+
+// Image represents a Docker image used by the builder.
+type Image interface {
+	ImageID() string
+	RunConfig() *container.Config
+	MarshalJSON() ([]byte, error)
+	OperatingSystem() string
+}
+
+// ROLayer is a reference to image rootfs layer
+type ROLayer interface {
+	Release() error
+	NewRWLayer() (RWLayer, error)
+	DiffID() layer.DiffID
+}
+
+// RWLayer is active layer that can be read/modified
+type RWLayer interface {
+	Release() error
+	Root() containerfs.ContainerFS
+	Commit() (ROLayer, error)
+}
diff --git a/engine/builder/dockerfile/buildargs.go b/engine/builder/dockerfile/buildargs.go
new file mode 100644
index 00000000..f9cceaa0
--- /dev/null
+++ b/engine/builder/dockerfile/buildargs.go
@@ -0,0 +1,172 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/docker/docker/runconfig/opts"
+)
+
+// builtinAllowedBuildArgs is list of built-in allowed build args
+// these args are considered transparent and are excluded from the image history.
+// Filtering from history is implemented in dispatchers.go
+var builtinAllowedBuildArgs = map[string]bool{
+	"HTTP_PROXY":  true,
+	"http_proxy":  true,
+	"HTTPS_PROXY": true,
+	"https_proxy": true,
+	"FTP_PROXY":   true,
+	"ftp_proxy":   true,
+	"NO_PROXY":    true,
+	"no_proxy":    true,
+}
+
+// BuildArgs manages arguments used by the builder
+type BuildArgs struct {
+	// args that are allowed for expansion/substitution and passing to commands in 'run'.
+	allowedBuildArgs map[string]*string
+	// args defined before the first `FROM` in a Dockerfile
+	allowedMetaArgs map[string]*string
+	// args referenced by the Dockerfile
+	referencedArgs map[string]struct{}
+	// args provided by the user on the command line
+	argsFromOptions map[string]*string
+}
+
+// NewBuildArgs creates a new BuildArgs type
+func NewBuildArgs(argsFromOptions map[string]*string) *BuildArgs {
+	return &BuildArgs{
+		allowedBuildArgs: make(map[string]*string),
+		allowedMetaArgs:  make(map[string]*string),
+		referencedArgs:   make(map[string]struct{}),
+		argsFromOptions:  argsFromOptions,
+	}
+}
+
+// Clone returns a copy of the BuildArgs type
+func (b *BuildArgs) Clone() *BuildArgs {
+	result := NewBuildArgs(b.argsFromOptions)
+	for k, v := range b.allowedBuildArgs {
+		result.allowedBuildArgs[k] = v
+	}
+	for k, v := range b.allowedMetaArgs {
+		result.allowedMetaArgs[k] = v
+	}
+	for k := range b.referencedArgs {
+		result.referencedArgs[k] = struct{}{}
+	}
+	return result
+}
+
+// MergeReferencedArgs merges referenced args from another BuildArgs
+// object into the current one
+func (b *BuildArgs) MergeReferencedArgs(other *BuildArgs) {
+	for k := range other.referencedArgs {
+		b.referencedArgs[k] = struct{}{}
+	}
+}
+
+// WarnOnUnusedBuildArgs checks if there are any leftover build-args that were
+// passed but not consumed during build. Print a warning, if there are any.
+func (b *BuildArgs) WarnOnUnusedBuildArgs(out io.Writer) {
+	var leftoverArgs []string
+	for arg := range b.argsFromOptions {
+		_, isReferenced := b.referencedArgs[arg]
+		_, isBuiltin := builtinAllowedBuildArgs[arg]
+		if !isBuiltin && !isReferenced {
+			leftoverArgs = append(leftoverArgs, arg)
+		}
+	}
+	if len(leftoverArgs) > 0 {
+		fmt.Fprintf(out, "[Warning] One or more build-args %v were not consumed\n", leftoverArgs)
+	}
+}
+
+// ResetAllowed clears the list of args that are allowed to be used by a
+// directive
+func (b *BuildArgs) ResetAllowed() {
+	b.allowedBuildArgs = make(map[string]*string)
+}
+
+// AddMetaArg adds a new meta arg that can be used by FROM directives
+func (b *BuildArgs) AddMetaArg(key string, value *string) {
+	b.allowedMetaArgs[key] = value
+}
+
+// AddArg adds a new arg that can be used by directives
+func (b *BuildArgs) AddArg(key string, value *string) {
+	b.allowedBuildArgs[key] = value
+	b.referencedArgs[key] = struct{}{}
+}
+
+// IsReferencedOrNotBuiltin checks if the key is a built-in arg, or if it has been
+// referenced by the Dockerfile. Returns true if the arg is not a builtin or
+// if the builtin has been referenced in the Dockerfile.
+func (b *BuildArgs) IsReferencedOrNotBuiltin(key string) bool {
+	_, isBuiltin := builtinAllowedBuildArgs[key]
+	_, isAllowed := b.allowedBuildArgs[key]
+	return isAllowed || !isBuiltin
+}
+
+// GetAllAllowed returns a mapping with all the allowed args
+func (b *BuildArgs) GetAllAllowed() map[string]string {
+	return b.getAllFromMapping(b.allowedBuildArgs)
+}
+
+// GetAllMeta returns a mapping with all the meta meta args
+func (b *BuildArgs) GetAllMeta() map[string]string {
+	return b.getAllFromMapping(b.allowedMetaArgs)
+}
+
+func (b *BuildArgs) getAllFromMapping(source map[string]*string) map[string]string {
+	m := make(map[string]string)
+
+	keys := keysFromMaps(source, builtinAllowedBuildArgs)
+	for _, key := range keys {
+		v, ok := b.getBuildArg(key, source)
+		if ok {
+			m[key] = v
+		}
+	}
+	return m
+}
+
+// FilterAllowed returns all allowed args without the filtered args
+func (b *BuildArgs) FilterAllowed(filter []string) []string {
+	envs := []string{}
+	configEnv := opts.ConvertKVStringsToMap(filter)
+
+	for key, val := range b.GetAllAllowed() {
+		if _, ok := configEnv[key]; !ok {
+			envs = append(envs, fmt.Sprintf("%s=%s", key, val))
+		}
+	}
+	return envs
+}
+
+func (b *BuildArgs) getBuildArg(key string, mapping map[string]*string) (string, bool) {
+	defaultValue, exists := mapping[key]
+	// Return override from options if one is defined
+	if v, ok := b.argsFromOptions[key]; ok && v != nil {
+		return *v, ok
+	}
+
+	if defaultValue == nil {
+		if v, ok := b.allowedMetaArgs[key]; ok && v != nil {
+			return *v, ok
+		}
+		return "", false
+	}
+	return *defaultValue, exists
+}
+
+func keysFromMaps(source map[string]*string, builtin map[string]bool) []string {
+	keys := []string{}
+	for key := range source {
+		keys = append(keys, key)
+	}
+	for key := range builtin {
+		keys = append(keys, key)
+	}
+	return keys
+}
diff --git a/engine/builder/dockerfile/buildargs_test.go b/engine/builder/dockerfile/buildargs_test.go
new file mode 100644
index 00000000..c3b82c83
--- /dev/null
+++ b/engine/builder/dockerfile/buildargs_test.go
@@ -0,0 +1,102 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func strPtr(source string) *string {
+	return &source
+}
+
+func TestGetAllAllowed(t *testing.T) {
+	buildArgs := NewBuildArgs(map[string]*string{
+		"ArgNotUsedInDockerfile":              strPtr("fromopt1"),
+		"ArgOverriddenByOptions":              strPtr("fromopt2"),
+		"ArgNoDefaultInDockerfileFromOptions": strPtr("fromopt3"),
+		"HTTP_PROXY":                          strPtr("theproxy"),
+	})
+
+	buildArgs.AddMetaArg("ArgFromMeta", strPtr("frommeta1"))
+	buildArgs.AddMetaArg("ArgFromMetaOverridden", strPtr("frommeta2"))
+	buildArgs.AddMetaArg("ArgFromMetaNotUsed", strPtr("frommeta3"))
+
+	buildArgs.AddArg("ArgOverriddenByOptions", strPtr("fromdockerfile2"))
+	buildArgs.AddArg("ArgWithDefaultInDockerfile", strPtr("fromdockerfile1"))
+	buildArgs.AddArg("ArgNoDefaultInDockerfile", nil)
+	buildArgs.AddArg("ArgNoDefaultInDockerfileFromOptions", nil)
+	buildArgs.AddArg("ArgFromMeta", nil)
+	buildArgs.AddArg("ArgFromMetaOverridden", strPtr("fromdockerfile3"))
+
+	all := buildArgs.GetAllAllowed()
+	expected := map[string]string{
+		"HTTP_PROXY":                          "theproxy",
+		"ArgOverriddenByOptions":              "fromopt2",
+		"ArgWithDefaultInDockerfile":          "fromdockerfile1",
+		"ArgNoDefaultInDockerfileFromOptions": "fromopt3",
+		"ArgFromMeta":                         "frommeta1",
+		"ArgFromMetaOverridden":               "fromdockerfile3",
+	}
+	assert.Check(t, is.DeepEqual(expected, all))
+}
+
+func TestGetAllMeta(t *testing.T) {
+	buildArgs := NewBuildArgs(map[string]*string{
+		"ArgNotUsedInDockerfile":        strPtr("fromopt1"),
+		"ArgOverriddenByOptions":        strPtr("fromopt2"),
+		"ArgNoDefaultInMetaFromOptions": strPtr("fromopt3"),
+		"HTTP_PROXY":                    strPtr("theproxy"),
+	})
+
+	buildArgs.AddMetaArg("ArgFromMeta", strPtr("frommeta1"))
+	buildArgs.AddMetaArg("ArgOverriddenByOptions", strPtr("frommeta2"))
+	buildArgs.AddMetaArg("ArgNoDefaultInMetaFromOptions", nil)
+
+	all := buildArgs.GetAllMeta()
+	expected := map[string]string{
+		"HTTP_PROXY":                    "theproxy",
+		"ArgFromMeta":                   "frommeta1",
+		"ArgOverriddenByOptions":        "fromopt2",
+		"ArgNoDefaultInMetaFromOptions": "fromopt3",
+	}
+	assert.Check(t, is.DeepEqual(expected, all))
+}
+
+func TestWarnOnUnusedBuildArgs(t *testing.T) {
+	buildArgs := NewBuildArgs(map[string]*string{
+		"ThisArgIsUsed":    strPtr("fromopt1"),
+		"ThisArgIsNotUsed": strPtr("fromopt2"),
+		"HTTPS_PROXY":      strPtr("referenced builtin"),
+		"HTTP_PROXY":       strPtr("unreferenced builtin"),
+	})
+	buildArgs.AddArg("ThisArgIsUsed", nil)
+	buildArgs.AddArg("HTTPS_PROXY", nil)
+
+	buffer := new(bytes.Buffer)
+	buildArgs.WarnOnUnusedBuildArgs(buffer)
+	out := buffer.String()
+	assert.Assert(t, !strings.Contains(out, "ThisArgIsUsed"), out)
+	assert.Assert(t, !strings.Contains(out, "HTTPS_PROXY"), out)
+	assert.Assert(t, !strings.Contains(out, "HTTP_PROXY"), out)
+	assert.Check(t, is.Contains(out, "ThisArgIsNotUsed"))
+}
+
+func TestIsUnreferencedBuiltin(t *testing.T) {
+	buildArgs := NewBuildArgs(map[string]*string{
+		"ThisArgIsUsed":    strPtr("fromopt1"),
+		"ThisArgIsNotUsed": strPtr("fromopt2"),
+		"HTTPS_PROXY":      strPtr("referenced builtin"),
+		"HTTP_PROXY":       strPtr("unreferenced builtin"),
+	})
+	buildArgs.AddArg("ThisArgIsUsed", nil)
+	buildArgs.AddArg("HTTPS_PROXY", nil)
+
+	assert.Check(t, buildArgs.IsReferencedOrNotBuiltin("ThisArgIsUsed"))
+	assert.Check(t, buildArgs.IsReferencedOrNotBuiltin("ThisArgIsNotUsed"))
+	assert.Check(t, buildArgs.IsReferencedOrNotBuiltin("HTTPS_PROXY"))
+	assert.Check(t, !buildArgs.IsReferencedOrNotBuiltin("HTTP_PROXY"))
+}
diff --git a/engine/builder/dockerfile/builder.go b/engine/builder/dockerfile/builder.go
new file mode 100644
index 00000000..ee95f236
--- /dev/null
+++ b/engine/builder/dockerfile/builder.go
@@ -0,0 +1,437 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/builder/fscache"
+	"github.com/docker/docker/builder/remotecontext"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/system"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/buildkit/frontend/dockerfile/parser"
+	"github.com/moby/buildkit/frontend/dockerfile/shell"
+	"github.com/moby/buildkit/session"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/syncmap"
+)
+
+var validCommitCommands = map[string]bool{
+	"cmd":         true,
+	"entrypoint":  true,
+	"healthcheck": true,
+	"env":         true,
+	"expose":      true,
+	"label":       true,
+	"onbuild":     true,
+	"user":        true,
+	"volume":      true,
+	"workdir":     true,
+}
+
+const (
+	stepFormat = "Step %d/%d : %v"
+)
+
+// SessionGetter is object used to get access to a session by uuid
+type SessionGetter interface {
+	Get(ctx context.Context, uuid string) (session.Caller, error)
+}
+
+// BuildManager is shared across all Builder objects
+type BuildManager struct {
+	idMappings *idtools.IDMappings
+	backend    builder.Backend
+	pathCache  pathCache // TODO: make this persistent
+	sg         SessionGetter
+	fsCache    *fscache.FSCache
+}
+
+// NewBuildManager creates a BuildManager
+func NewBuildManager(b builder.Backend, sg SessionGetter, fsCache *fscache.FSCache, idMappings *idtools.IDMappings) (*BuildManager, error) {
+	bm := &BuildManager{
+		backend:    b,
+		pathCache:  &syncmap.Map{},
+		sg:         sg,
+		idMappings: idMappings,
+		fsCache:    fsCache,
+	}
+	if err := fsCache.RegisterTransport(remotecontext.ClientSessionRemote, NewClientSessionTransport()); err != nil {
+		return nil, err
+	}
+	return bm, nil
+}
+
+// Build starts a new build from a BuildConfig
+func (bm *BuildManager) Build(ctx context.Context, config backend.BuildConfig) (*builder.Result, error) {
+	buildsTriggered.Inc()
+	if config.Options.Dockerfile == "" {
+		config.Options.Dockerfile = builder.DefaultDockerfileName
+	}
+
+	source, dockerfile, err := remotecontext.Detect(config)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if source != nil {
+			if err := source.Close(); err != nil {
+				logrus.Debugf("[BUILDER] failed to remove temporary context: %v", err)
+			}
+		}
+	}()
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	if src, err := bm.initializeClientSession(ctx, cancel, config.Options); err != nil {
+		return nil, err
+	} else if src != nil {
+		source = src
+	}
+
+	builderOptions := builderOptions{
+		Options:        config.Options,
+		ProgressWriter: config.ProgressWriter,
+		Backend:        bm.backend,
+		PathCache:      bm.pathCache,
+		IDMappings:     bm.idMappings,
+	}
+	b, err := newBuilder(ctx, builderOptions)
+	if err != nil {
+		return nil, err
+	}
+	return b.build(source, dockerfile)
+}
+
+func (bm *BuildManager) initializeClientSession(ctx context.Context, cancel func(), options *types.ImageBuildOptions) (builder.Source, error) {
+	if options.SessionID == "" || bm.sg == nil {
+		return nil, nil
+	}
+	logrus.Debug("client is session enabled")
+
+	connectCtx, cancelCtx := context.WithTimeout(ctx, sessionConnectTimeout)
+	defer cancelCtx()
+
+	c, err := bm.sg.Get(connectCtx, options.SessionID)
+	if err != nil {
+		return nil, err
+	}
+	go func() {
+		<-c.Context().Done()
+		cancel()
+	}()
+	if options.RemoteContext == remotecontext.ClientSessionRemote {
+		st := time.Now()
+		csi, err := NewClientSessionSourceIdentifier(ctx, bm.sg, options.SessionID)
+		if err != nil {
+			return nil, err
+		}
+		src, err := bm.fsCache.SyncFrom(ctx, csi)
+		if err != nil {
+			return nil, err
+		}
+		logrus.Debugf("sync-time: %v", time.Since(st))
+		return src, nil
+	}
+	return nil, nil
+}
+
+// builderOptions are the dependencies required by the builder
+type builderOptions struct {
+	Options        *types.ImageBuildOptions
+	Backend        builder.Backend
+	ProgressWriter backend.ProgressWriter
+	PathCache      pathCache
+	IDMappings     *idtools.IDMappings
+}
+
+// Builder is a Dockerfile builder
+// It implements the builder.Backend interface.
+type Builder struct {
+	options *types.ImageBuildOptions
+
+	Stdout io.Writer
+	Stderr io.Writer
+	Aux    *streamformatter.AuxFormatter
+	Output io.Writer
+
+	docker    builder.Backend
+	clientCtx context.Context
+
+	idMappings       *idtools.IDMappings
+	disableCommit    bool
+	imageSources     *imageSources
+	pathCache        pathCache
+	containerManager *containerManager
+	imageProber      ImageProber
+	platform         *specs.Platform
+}
+
+// newBuilder creates a new Dockerfile builder from an optional dockerfile and a Options.
+func newBuilder(clientCtx context.Context, options builderOptions) (*Builder, error) {
+	config := options.Options
+	if config == nil {
+		config = new(types.ImageBuildOptions)
+	}
+
+	b := &Builder{
+		clientCtx:        clientCtx,
+		options:          config,
+		Stdout:           options.ProgressWriter.StdoutFormatter,
+		Stderr:           options.ProgressWriter.StderrFormatter,
+		Aux:              options.ProgressWriter.AuxFormatter,
+		Output:           options.ProgressWriter.Output,
+		docker:           options.Backend,
+		idMappings:       options.IDMappings,
+		imageSources:     newImageSources(clientCtx, options),
+		pathCache:        options.PathCache,
+		imageProber:      newImageProber(options.Backend, config.CacheFrom, config.NoCache),
+		containerManager: newContainerManager(options.Backend),
+	}
+
+	// same as in Builder.Build in builder/builder-next/builder.go
+	// TODO: remove once config.Platform is of type specs.Platform
+	if config.Platform != "" {
+		sp, err := platforms.Parse(config.Platform)
+		if err != nil {
+			return nil, err
+		}
+		if err := system.ValidatePlatform(sp); err != nil {
+			return nil, err
+		}
+		b.platform = &sp
+	}
+
+	return b, nil
+}
+
+// Build 'LABEL' command(s) from '--label' options and add to the last stage
+func buildLabelOptions(labels map[string]string, stages []instructions.Stage) {
+	keys := []string{}
+	for key := range labels {
+		keys = append(keys, key)
+	}
+
+	// Sort the label to have a repeatable order
+	sort.Strings(keys)
+	for _, key := range keys {
+		value := labels[key]
+		stages[len(stages)-1].AddCommand(instructions.NewLabelCommand(key, value, true))
+	}
+}
+
+// Build runs the Dockerfile builder by parsing the Dockerfile and executing
+// the instructions from the file.
+func (b *Builder) build(source builder.Source, dockerfile *parser.Result) (*builder.Result, error) {
+	defer b.imageSources.Unmount()
+
+	stages, metaArgs, err := instructions.Parse(dockerfile.AST)
+	if err != nil {
+		if instructions.IsUnknownInstruction(err) {
+			buildsFailed.WithValues(metricsUnknownInstructionError).Inc()
+		}
+		return nil, errdefs.InvalidParameter(err)
+	}
+	if b.options.Target != "" {
+		targetIx, found := instructions.HasStage(stages, b.options.Target)
+		if !found {
+			buildsFailed.WithValues(metricsBuildTargetNotReachableError).Inc()
+			return nil, errdefs.InvalidParameter(errors.Errorf("failed to reach build target %s in Dockerfile", b.options.Target))
+		}
+		stages = stages[:targetIx+1]
+	}
+
+	// Add 'LABEL' command specified by '--label' option to the last stage
+	buildLabelOptions(b.options.Labels, stages)
+
+	dockerfile.PrintWarnings(b.Stderr)
+	dispatchState, err := b.dispatchDockerfileWithCancellation(stages, metaArgs, dockerfile.EscapeToken, source)
+	if err != nil {
+		return nil, err
+	}
+	if dispatchState.imageID == "" {
+		buildsFailed.WithValues(metricsDockerfileEmptyError).Inc()
+		return nil, errors.New("No image was generated. Is your Dockerfile empty?")
+	}
+	return &builder.Result{ImageID: dispatchState.imageID, FromImage: dispatchState.baseImage}, nil
+}
+
+func emitImageID(aux *streamformatter.AuxFormatter, state *dispatchState) error {
+	if aux == nil || state.imageID == "" {
+		return nil
+	}
+	return aux.Emit("", types.BuildResult{ID: state.imageID})
+}
+
+func processMetaArg(meta instructions.ArgCommand, shlex *shell.Lex, args *BuildArgs) error {
+	// shell.Lex currently only support the concatenated string format
+	envs := convertMapToEnvList(args.GetAllAllowed())
+	if err := meta.Expand(func(word string) (string, error) {
+		return shlex.ProcessWord(word, envs)
+	}); err != nil {
+		return err
+	}
+	args.AddArg(meta.Key, meta.Value)
+	args.AddMetaArg(meta.Key, meta.Value)
+	return nil
+}
+
+func printCommand(out io.Writer, currentCommandIndex int, totalCommands int, cmd interface{}) int {
+	fmt.Fprintf(out, stepFormat, currentCommandIndex, totalCommands, cmd)
+	fmt.Fprintln(out)
+	return currentCommandIndex + 1
+}
+
+func (b *Builder) dispatchDockerfileWithCancellation(parseResult []instructions.Stage, metaArgs []instructions.ArgCommand, escapeToken rune, source builder.Source) (*dispatchState, error) {
+	dispatchRequest := dispatchRequest{}
+	buildArgs := NewBuildArgs(b.options.BuildArgs)
+	totalCommands := len(metaArgs) + len(parseResult)
+	currentCommandIndex := 1
+	for _, stage := range parseResult {
+		totalCommands += len(stage.Commands)
+	}
+	shlex := shell.NewLex(escapeToken)
+	for _, meta := range metaArgs {
+		currentCommandIndex = printCommand(b.Stdout, currentCommandIndex, totalCommands, &meta)
+
+		err := processMetaArg(meta, shlex, buildArgs)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	stagesResults := newStagesBuildResults()
+
+	for _, stage := range parseResult {
+		if err := stagesResults.checkStageNameAvailable(stage.Name); err != nil {
+			return nil, err
+		}
+		dispatchRequest = newDispatchRequest(b, escapeToken, source, buildArgs, stagesResults)
+
+		currentCommandIndex = printCommand(b.Stdout, currentCommandIndex, totalCommands, stage.SourceCode)
+		if err := initializeStage(dispatchRequest, &stage); err != nil {
+			return nil, err
+		}
+		dispatchRequest.state.updateRunConfig()
+		fmt.Fprintf(b.Stdout, " ---> %s\n", stringid.TruncateID(dispatchRequest.state.imageID))
+		for _, cmd := range stage.Commands {
+			select {
+			case <-b.clientCtx.Done():
+				logrus.Debug("Builder: build cancelled!")
+				fmt.Fprint(b.Stdout, "Build cancelled\n")
+				buildsFailed.WithValues(metricsBuildCanceled).Inc()
+				return nil, errors.New("Build cancelled")
+			default:
+				// Not cancelled yet, keep going...
+			}
+
+			currentCommandIndex = printCommand(b.Stdout, currentCommandIndex, totalCommands, cmd)
+
+			if err := dispatch(dispatchRequest, cmd); err != nil {
+				return nil, err
+			}
+			dispatchRequest.state.updateRunConfig()
+			fmt.Fprintf(b.Stdout, " ---> %s\n", stringid.TruncateID(dispatchRequest.state.imageID))
+
+		}
+		if err := emitImageID(b.Aux, dispatchRequest.state); err != nil {
+			return nil, err
+		}
+		buildArgs.MergeReferencedArgs(dispatchRequest.state.buildArgs)
+		if err := commitStage(dispatchRequest.state, stagesResults); err != nil {
+			return nil, err
+		}
+	}
+	buildArgs.WarnOnUnusedBuildArgs(b.Stdout)
+	return dispatchRequest.state, nil
+}
+
+// BuildFromConfig builds directly from `changes`, treating it as if it were the contents of a Dockerfile
+// It will:
+// - Call parse.Parse() to get an AST root for the concatenated Dockerfile entries.
+// - Do build by calling builder.dispatch() to call all entries' handling routines
+//
+// BuildFromConfig is used by the /commit endpoint, with the changes
+// coming from the query parameter of the same name.
+//
+// TODO: Remove?
+func BuildFromConfig(config *container.Config, changes []string, os string) (*container.Config, error) {
+	if !system.IsOSSupported(os) {
+		return nil, errdefs.InvalidParameter(system.ErrNotSupportedOperatingSystem)
+	}
+	if len(changes) == 0 {
+		return config, nil
+	}
+
+	dockerfile, err := parser.Parse(bytes.NewBufferString(strings.Join(changes, "\n")))
+	if err != nil {
+		return nil, errdefs.InvalidParameter(err)
+	}
+
+	b, err := newBuilder(context.Background(), builderOptions{
+		Options: &types.ImageBuildOptions{NoCache: true},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// ensure that the commands are valid
+	for _, n := range dockerfile.AST.Children {
+		if !validCommitCommands[n.Value] {
+			return nil, errdefs.InvalidParameter(errors.Errorf("%s is not a valid change command", n.Value))
+		}
+	}
+
+	b.Stdout = ioutil.Discard
+	b.Stderr = ioutil.Discard
+	b.disableCommit = true
+
+	var commands []instructions.Command
+	for _, n := range dockerfile.AST.Children {
+		cmd, err := instructions.ParseCommand(n)
+		if err != nil {
+			return nil, errdefs.InvalidParameter(err)
+		}
+		commands = append(commands, cmd)
+	}
+
+	dispatchRequest := newDispatchRequest(b, dockerfile.EscapeToken, nil, NewBuildArgs(b.options.BuildArgs), newStagesBuildResults())
+	// We make mutations to the configuration, ensure we have a copy
+	dispatchRequest.state.runConfig = copyRunConfig(config)
+	dispatchRequest.state.imageID = config.Image
+	dispatchRequest.state.operatingSystem = os
+	for _, cmd := range commands {
+		err := dispatch(dispatchRequest, cmd)
+		if err != nil {
+			return nil, errdefs.InvalidParameter(err)
+		}
+		dispatchRequest.state.updateRunConfig()
+	}
+
+	return dispatchRequest.state.runConfig, nil
+}
+
+func convertMapToEnvList(m map[string]string) []string {
+	result := []string{}
+	for k, v := range m {
+		result = append(result, k+"="+v)
+	}
+	return result
+}
diff --git a/engine/builder/dockerfile/builder_unix.go b/engine/builder/dockerfile/builder_unix.go
new file mode 100644
index 00000000..c4453459
--- /dev/null
+++ b/engine/builder/dockerfile/builder_unix.go
@@ -0,0 +1,7 @@
+// +build !windows
+
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+func defaultShellForOS(os string) []string {
+	return []string{"/bin/sh", "-c"}
+}
diff --git a/engine/builder/dockerfile/builder_windows.go b/engine/builder/dockerfile/builder_windows.go
new file mode 100644
index 00000000..fbafa52a
--- /dev/null
+++ b/engine/builder/dockerfile/builder_windows.go
@@ -0,0 +1,8 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+func defaultShellForOS(os string) []string {
+	if os == "linux" {
+		return []string{"/bin/sh", "-c"}
+	}
+	return []string{"cmd", "/S", "/C"}
+}
diff --git a/engine/builder/dockerfile/clientsession.go b/engine/builder/dockerfile/clientsession.go
new file mode 100644
index 00000000..b48090d7
--- /dev/null
+++ b/engine/builder/dockerfile/clientsession.go
@@ -0,0 +1,76 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"context"
+	"time"
+
+	"github.com/docker/docker/builder/fscache"
+	"github.com/docker/docker/builder/remotecontext"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/filesync"
+	"github.com/pkg/errors"
+)
+
+const sessionConnectTimeout = 5 * time.Second
+
+// ClientSessionTransport is a transport for copying files from docker client
+// to the daemon.
+type ClientSessionTransport struct{}
+
+// NewClientSessionTransport returns new ClientSessionTransport instance
+func NewClientSessionTransport() *ClientSessionTransport {
+	return &ClientSessionTransport{}
+}
+
+// Copy data from a remote to a destination directory.
+func (cst *ClientSessionTransport) Copy(ctx context.Context, id fscache.RemoteIdentifier, dest string, cu filesync.CacheUpdater) error {
+	csi, ok := id.(*ClientSessionSourceIdentifier)
+	if !ok {
+		return errors.New("invalid identifier for client session")
+	}
+
+	return filesync.FSSync(ctx, csi.caller, filesync.FSSendRequestOpt{
+		IncludePatterns: csi.includePatterns,
+		DestDir:         dest,
+		CacheUpdater:    cu,
+	})
+}
+
+// ClientSessionSourceIdentifier is an identifier that can be used for requesting
+// files from remote client
+type ClientSessionSourceIdentifier struct {
+	includePatterns []string
+	caller          session.Caller
+	uuid            string
+}
+
+// NewClientSessionSourceIdentifier returns new ClientSessionSourceIdentifier instance
+func NewClientSessionSourceIdentifier(ctx context.Context, sg SessionGetter, uuid string) (*ClientSessionSourceIdentifier, error) {
+	csi := &ClientSessionSourceIdentifier{
+		uuid: uuid,
+	}
+	caller, err := sg.Get(ctx, uuid)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to get session for %s", uuid)
+	}
+
+	csi.caller = caller
+	return csi, nil
+}
+
+// Transport returns transport identifier for remote identifier
+func (csi *ClientSessionSourceIdentifier) Transport() string {
+	return remotecontext.ClientSessionRemote
+}
+
+// SharedKey returns shared key for remote identifier. Shared key is used
+// for finding the base for a repeated transfer.
+func (csi *ClientSessionSourceIdentifier) SharedKey() string {
+	return csi.caller.SharedKey()
+}
+
+// Key returns unique key for remote identifier. Requests with same key return
+// same data.
+func (csi *ClientSessionSourceIdentifier) Key() string {
+	return csi.uuid
+}
diff --git a/engine/builder/dockerfile/containerbackend.go b/engine/builder/dockerfile/containerbackend.go
new file mode 100644
index 00000000..54adfb13
--- /dev/null
+++ b/engine/builder/dockerfile/containerbackend.go
@@ -0,0 +1,146 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/builder"
+	containerpkg "github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type containerManager struct {
+	tmpContainers map[string]struct{}
+	backend       builder.ExecBackend
+}
+
+// newContainerManager creates a new container backend
+func newContainerManager(docker builder.ExecBackend) *containerManager {
+	return &containerManager{
+		backend:       docker,
+		tmpContainers: make(map[string]struct{}),
+	}
+}
+
+// Create a container
+func (c *containerManager) Create(runConfig *container.Config, hostConfig *container.HostConfig) (container.ContainerCreateCreatedBody, error) {
+	container, err := c.backend.ContainerCreate(types.ContainerCreateConfig{
+		Config:     runConfig,
+		HostConfig: hostConfig,
+	})
+	if err != nil {
+		return container, err
+	}
+	c.tmpContainers[container.ID] = struct{}{}
+	return container, nil
+}
+
+var errCancelled = errors.New("build cancelled")
+
+// Run a container by ID
+func (c *containerManager) Run(ctx context.Context, cID string, stdout, stderr io.Writer) (err error) {
+	attached := make(chan struct{})
+	errCh := make(chan error)
+	go func() {
+		errCh <- c.backend.ContainerAttachRaw(cID, nil, stdout, stderr, true, attached)
+	}()
+	select {
+	case err := <-errCh:
+		return err
+	case <-attached:
+	}
+
+	finished := make(chan struct{})
+	cancelErrCh := make(chan error, 1)
+	go func() {
+		select {
+		case <-ctx.Done():
+			logrus.Debugln("Build cancelled, killing and removing container:", cID)
+			c.backend.ContainerKill(cID, 0)
+			c.removeContainer(cID, stdout)
+			cancelErrCh <- errCancelled
+		case <-finished:
+			cancelErrCh <- nil
+		}
+	}()
+
+	if err := c.backend.ContainerStart(cID, nil, "", ""); err != nil {
+		close(finished)
+		logCancellationError(cancelErrCh, "error from ContainerStart: "+err.Error())
+		return err
+	}
+
+	// Block on reading output from container, stop on err or chan closed
+	if err := <-errCh; err != nil {
+		close(finished)
+		logCancellationError(cancelErrCh, "error from errCh: "+err.Error())
+		return err
+	}
+
+	waitC, err := c.backend.ContainerWait(ctx, cID, containerpkg.WaitConditionNotRunning)
+	if err != nil {
+		close(finished)
+		logCancellationError(cancelErrCh, fmt.Sprintf("unable to begin ContainerWait: %s", err))
+		return err
+	}
+
+	if status := <-waitC; status.ExitCode() != 0 {
+		close(finished)
+		logCancellationError(cancelErrCh,
+			fmt.Sprintf("a non-zero code from ContainerWait: %d", status.ExitCode()))
+		return &statusCodeError{code: status.ExitCode(), err: status.Err()}
+	}
+
+	close(finished)
+	return <-cancelErrCh
+}
+
+func logCancellationError(cancelErrCh chan error, msg string) {
+	if cancelErr := <-cancelErrCh; cancelErr != nil {
+		logrus.Debugf("Build cancelled (%v): %s", cancelErr, msg)
+	}
+}
+
+type statusCodeError struct {
+	code int
+	err  error
+}
+
+func (e *statusCodeError) Error() string {
+	if e.err == nil {
+		return ""
+	}
+	return e.err.Error()
+}
+
+func (e *statusCodeError) StatusCode() int {
+	return e.code
+}
+
+func (c *containerManager) removeContainer(containerID string, stdout io.Writer) error {
+	rmConfig := &types.ContainerRmConfig{
+		ForceRemove:  true,
+		RemoveVolume: true,
+	}
+	if err := c.backend.ContainerRm(containerID, rmConfig); err != nil {
+		fmt.Fprintf(stdout, "Error removing intermediate container %s: %v\n", stringid.TruncateID(containerID), err)
+		return err
+	}
+	return nil
+}
+
+// RemoveAll containers managed by this container manager
+func (c *containerManager) RemoveAll(stdout io.Writer) {
+	for containerID := range c.tmpContainers {
+		if err := c.removeContainer(containerID, stdout); err != nil {
+			return
+		}
+		delete(c.tmpContainers, containerID)
+		fmt.Fprintf(stdout, "Removing intermediate container %s\n", stringid.TruncateID(containerID))
+	}
+}
diff --git a/engine/builder/dockerfile/copy.go b/engine/builder/dockerfile/copy.go
new file mode 100644
index 00000000..74e245bd
--- /dev/null
+++ b/engine/builder/dockerfile/copy.go
@@ -0,0 +1,567 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"archive/tar"
+	"fmt"
+	"io"
+	"mime"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/builder/remotecontext"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/pkg/urlutil"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+const unnamedFilename = "__unnamed__"
+
+type pathCache interface {
+	Load(key interface{}) (value interface{}, ok bool)
+	Store(key, value interface{})
+}
+
+// copyInfo is a data object which stores the metadata about each source file in
+// a copyInstruction
+type copyInfo struct {
+	root         containerfs.ContainerFS
+	path         string
+	hash         string
+	noDecompress bool
+}
+
+func (c copyInfo) fullPath() (string, error) {
+	return c.root.ResolveScopedPath(c.path, true)
+}
+
+func newCopyInfoFromSource(source builder.Source, path string, hash string) copyInfo {
+	return copyInfo{root: source.Root(), path: path, hash: hash}
+}
+
+func newCopyInfos(copyInfos ...copyInfo) []copyInfo {
+	return copyInfos
+}
+
+// copyInstruction is a fully parsed COPY or ADD command that is passed to
+// Builder.performCopy to copy files into the image filesystem
+type copyInstruction struct {
+	cmdName                 string
+	infos                   []copyInfo
+	dest                    string
+	chownStr                string
+	allowLocalDecompression bool
+}
+
+// copier reads a raw COPY or ADD command, fetches remote sources using a downloader,
+// and creates a copyInstruction
+type copier struct {
+	imageSource *imageMount
+	source      builder.Source
+	pathCache   pathCache
+	download    sourceDownloader
+	platform    *specs.Platform
+	// for cleanup. TODO: having copier.cleanup() is error prone and hard to
+	// follow. Code calling performCopy should manage the lifecycle of its params.
+	// Copier should take override source as input, not imageMount.
+	activeLayer builder.RWLayer
+	tmpPaths    []string
+}
+
+func copierFromDispatchRequest(req dispatchRequest, download sourceDownloader, imageSource *imageMount) copier {
+	return copier{
+		source:      req.source,
+		pathCache:   req.builder.pathCache,
+		download:    download,
+		imageSource: imageSource,
+		platform:    req.builder.platform,
+	}
+}
+
+func (o *copier) createCopyInstruction(args []string, cmdName string) (copyInstruction, error) {
+	inst := copyInstruction{cmdName: cmdName}
+	last := len(args) - 1
+
+	// Work in platform-specific filepath semantics
+	// TODO: This OS switch for paths is NOT correct and should not be supported.
+	// Maintained for backwards compatibility
+	pathOS := runtime.GOOS
+	if o.platform != nil {
+		pathOS = o.platform.OS
+	}
+	inst.dest = fromSlash(args[last], pathOS)
+	separator := string(separator(pathOS))
+	infos, err := o.getCopyInfosForSourcePaths(args[0:last], inst.dest)
+	if err != nil {
+		return inst, errors.Wrapf(err, "%s failed", cmdName)
+	}
+	if len(infos) > 1 && !strings.HasSuffix(inst.dest, separator) {
+		return inst, errors.Errorf("When using %s with more than one source file, the destination must be a directory and end with a /", cmdName)
+	}
+	inst.infos = infos
+	return inst, nil
+}
+
+// getCopyInfosForSourcePaths iterates over the source files and calculate the info
+// needed to copy (e.g. hash value if cached)
+// The dest is used in case source is URL (and ends with "/")
+func (o *copier) getCopyInfosForSourcePaths(sources []string, dest string) ([]copyInfo, error) {
+	var infos []copyInfo
+	for _, orig := range sources {
+		subinfos, err := o.getCopyInfoForSourcePath(orig, dest)
+		if err != nil {
+			return nil, err
+		}
+		infos = append(infos, subinfos...)
+	}
+
+	if len(infos) == 0 {
+		return nil, errors.New("no source files were specified")
+	}
+	return infos, nil
+}
+
+func (o *copier) getCopyInfoForSourcePath(orig, dest string) ([]copyInfo, error) {
+	if !urlutil.IsURL(orig) {
+		return o.calcCopyInfo(orig, true)
+	}
+
+	remote, path, err := o.download(orig)
+	if err != nil {
+		return nil, err
+	}
+	// If path == "" then we are unable to determine filename from src
+	// We have to make sure dest is available
+	if path == "" {
+		if strings.HasSuffix(dest, "/") {
+			return nil, errors.Errorf("cannot determine filename for source %s", orig)
+		}
+		path = unnamedFilename
+	}
+	o.tmpPaths = append(o.tmpPaths, remote.Root().Path())
+
+	hash, err := remote.Hash(path)
+	ci := newCopyInfoFromSource(remote, path, hash)
+	ci.noDecompress = true // data from http shouldn't be extracted even on ADD
+	return newCopyInfos(ci), err
+}
+
+// Cleanup removes any temporary directories created as part of downloading
+// remote files.
+func (o *copier) Cleanup() {
+	for _, path := range o.tmpPaths {
+		os.RemoveAll(path)
+	}
+	o.tmpPaths = []string{}
+	if o.activeLayer != nil {
+		o.activeLayer.Release()
+		o.activeLayer = nil
+	}
+}
+
+// TODO: allowWildcards can probably be removed by refactoring this function further.
+func (o *copier) calcCopyInfo(origPath string, allowWildcards bool) ([]copyInfo, error) {
+	imageSource := o.imageSource
+
+	// TODO: do this when creating copier. Requires validateCopySourcePath
+	// (and other below) to be aware of the difference sources. Why is it only
+	// done on image Source?
+	if imageSource != nil && o.activeLayer == nil {
+		// this needs to be protected against repeated calls as wildcard copy
+		// will call it multiple times for a single COPY
+		var err error
+		rwLayer, err := imageSource.NewRWLayer()
+		if err != nil {
+			return nil, err
+		}
+		o.activeLayer = rwLayer
+
+		o.source, err = remotecontext.NewLazySource(rwLayer.Root())
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to create context for copy from %s", rwLayer.Root().Path())
+		}
+	}
+
+	if o.source == nil {
+		return nil, errors.Errorf("missing build context")
+	}
+
+	root := o.source.Root()
+
+	if err := validateCopySourcePath(imageSource, origPath, root.OS()); err != nil {
+		return nil, err
+	}
+
+	// Work in source OS specific filepath semantics
+	// For LCOW, this is NOT the daemon OS.
+	origPath = root.FromSlash(origPath)
+	origPath = strings.TrimPrefix(origPath, string(root.Separator()))
+	origPath = strings.TrimPrefix(origPath, "."+string(root.Separator()))
+
+	// Deal with wildcards
+	if allowWildcards && containsWildcards(origPath, root.OS()) {
+		return o.copyWithWildcards(origPath)
+	}
+
+	if imageSource != nil && imageSource.ImageID() != "" {
+		// return a cached copy if one exists
+		if h, ok := o.pathCache.Load(imageSource.ImageID() + origPath); ok {
+			return newCopyInfos(newCopyInfoFromSource(o.source, origPath, h.(string))), nil
+		}
+	}
+
+	// Deal with the single file case
+	copyInfo, err := copyInfoForFile(o.source, origPath)
+	switch {
+	case err != nil:
+		return nil, err
+	case copyInfo.hash != "":
+		o.storeInPathCache(imageSource, origPath, copyInfo.hash)
+		return newCopyInfos(copyInfo), err
+	}
+
+	// TODO: remove, handle dirs in Hash()
+	subfiles, err := walkSource(o.source, origPath)
+	if err != nil {
+		return nil, err
+	}
+
+	hash := hashStringSlice("dir", subfiles)
+	o.storeInPathCache(imageSource, origPath, hash)
+	return newCopyInfos(newCopyInfoFromSource(o.source, origPath, hash)), nil
+}
+
+func containsWildcards(name, platform string) bool {
+	isWindows := platform == "windows"
+	for i := 0; i < len(name); i++ {
+		ch := name[i]
+		if ch == '\\' && !isWindows {
+			i++
+		} else if ch == '*' || ch == '?' || ch == '[' {
+			return true
+		}
+	}
+	return false
+}
+
+func (o *copier) storeInPathCache(im *imageMount, path string, hash string) {
+	if im != nil {
+		o.pathCache.Store(im.ImageID()+path, hash)
+	}
+}
+
+func (o *copier) copyWithWildcards(origPath string) ([]copyInfo, error) {
+	root := o.source.Root()
+	var copyInfos []copyInfo
+	if err := root.Walk(root.Path(), func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		rel, err := remotecontext.Rel(root, path)
+		if err != nil {
+			return err
+		}
+
+		if rel == "." {
+			return nil
+		}
+		if match, _ := root.Match(origPath, rel); !match {
+			return nil
+		}
+
+		// Note we set allowWildcards to false in case the name has
+		// a * in it
+		subInfos, err := o.calcCopyInfo(rel, false)
+		if err != nil {
+			return err
+		}
+		copyInfos = append(copyInfos, subInfos...)
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	return copyInfos, nil
+}
+
+func copyInfoForFile(source builder.Source, path string) (copyInfo, error) {
+	fi, err := remotecontext.StatAt(source, path)
+	if err != nil {
+		return copyInfo{}, err
+	}
+
+	if fi.IsDir() {
+		return copyInfo{}, nil
+	}
+	hash, err := source.Hash(path)
+	if err != nil {
+		return copyInfo{}, err
+	}
+	return newCopyInfoFromSource(source, path, "file:"+hash), nil
+}
+
+// TODO: dedupe with copyWithWildcards()
+func walkSource(source builder.Source, origPath string) ([]string, error) {
+	fp, err := remotecontext.FullPath(source, origPath)
+	if err != nil {
+		return nil, err
+	}
+	// Must be a dir
+	var subfiles []string
+	err = source.Root().Walk(fp, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		rel, err := remotecontext.Rel(source.Root(), path)
+		if err != nil {
+			return err
+		}
+		if rel == "." {
+			return nil
+		}
+		hash, err := source.Hash(rel)
+		if err != nil {
+			return nil
+		}
+		// we already checked handleHash above
+		subfiles = append(subfiles, hash)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	sort.Strings(subfiles)
+	return subfiles, nil
+}
+
+type sourceDownloader func(string) (builder.Source, string, error)
+
+func newRemoteSourceDownloader(output, stdout io.Writer) sourceDownloader {
+	return func(url string) (builder.Source, string, error) {
+		return downloadSource(output, stdout, url)
+	}
+}
+
+func errOnSourceDownload(_ string) (builder.Source, string, error) {
+	return nil, "", errors.New("source can't be a URL for COPY")
+}
+
+func getFilenameForDownload(path string, resp *http.Response) string {
+	// Guess filename based on source
+	if path != "" && !strings.HasSuffix(path, "/") {
+		if filename := filepath.Base(filepath.FromSlash(path)); filename != "" {
+			return filename
+		}
+	}
+
+	// Guess filename based on Content-Disposition
+	if contentDisposition := resp.Header.Get("Content-Disposition"); contentDisposition != "" {
+		if _, params, err := mime.ParseMediaType(contentDisposition); err == nil {
+			if params["filename"] != "" && !strings.HasSuffix(params["filename"], "/") {
+				if filename := filepath.Base(filepath.FromSlash(params["filename"])); filename != "" {
+					return filename
+				}
+			}
+		}
+	}
+	return ""
+}
+
+func downloadSource(output io.Writer, stdout io.Writer, srcURL string) (remote builder.Source, p string, err error) {
+	u, err := url.Parse(srcURL)
+	if err != nil {
+		return
+	}
+
+	resp, err := remotecontext.GetWithStatusError(srcURL)
+	if err != nil {
+		return
+	}
+
+	filename := getFilenameForDownload(u.Path, resp)
+
+	// Prepare file in a tmp dir
+	tmpDir, err := ioutils.TempDir("", "docker-remote")
+	if err != nil {
+		return
+	}
+	defer func() {
+		if err != nil {
+			os.RemoveAll(tmpDir)
+		}
+	}()
+	// If filename is empty, the returned filename will be "" but
+	// the tmp filename will be created as "__unnamed__"
+	tmpFileName := filename
+	if filename == "" {
+		tmpFileName = unnamedFilename
+	}
+	tmpFileName = filepath.Join(tmpDir, tmpFileName)
+	tmpFile, err := os.OpenFile(tmpFileName, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)
+	if err != nil {
+		return
+	}
+
+	progressOutput := streamformatter.NewJSONProgressOutput(output, true)
+	progressReader := progress.NewProgressReader(resp.Body, progressOutput, resp.ContentLength, "", "Downloading")
+	// Download and dump result to tmp file
+	// TODO: add filehash directly
+	if _, err = io.Copy(tmpFile, progressReader); err != nil {
+		tmpFile.Close()
+		return
+	}
+	// TODO: how important is this random blank line to the output?
+	fmt.Fprintln(stdout)
+
+	// Set the mtime to the Last-Modified header value if present
+	// Otherwise just remove atime and mtime
+	mTime := time.Time{}
+
+	lastMod := resp.Header.Get("Last-Modified")
+	if lastMod != "" {
+		// If we can't parse it then just let it default to 'zero'
+		// otherwise use the parsed time value
+		if parsedMTime, err := http.ParseTime(lastMod); err == nil {
+			mTime = parsedMTime
+		}
+	}
+
+	tmpFile.Close()
+
+	if err = system.Chtimes(tmpFileName, mTime, mTime); err != nil {
+		return
+	}
+
+	lc, err := remotecontext.NewLazySource(containerfs.NewLocalContainerFS(tmpDir))
+	return lc, filename, err
+}
+
+type copyFileOptions struct {
+	decompress bool
+	chownPair  idtools.IDPair
+	archiver   Archiver
+}
+
+type copyEndpoint struct {
+	driver containerfs.Driver
+	path   string
+}
+
+func performCopyForInfo(dest copyInfo, source copyInfo, options copyFileOptions) error {
+	srcPath, err := source.fullPath()
+	if err != nil {
+		return err
+	}
+
+	destPath, err := dest.fullPath()
+	if err != nil {
+		return err
+	}
+
+	archiver := options.archiver
+
+	srcEndpoint := &copyEndpoint{driver: source.root, path: srcPath}
+	destEndpoint := &copyEndpoint{driver: dest.root, path: destPath}
+
+	src, err := source.root.Stat(srcPath)
+	if err != nil {
+		return errors.Wrapf(err, "source path not found")
+	}
+	if src.IsDir() {
+		return copyDirectory(archiver, srcEndpoint, destEndpoint, options.chownPair)
+	}
+	if options.decompress && isArchivePath(source.root, srcPath) && !source.noDecompress {
+		return archiver.UntarPath(srcPath, destPath)
+	}
+
+	destExistsAsDir, err := isExistingDirectory(destEndpoint)
+	if err != nil {
+		return err
+	}
+	// dest.path must be used because destPath has already been cleaned of any
+	// trailing slash
+	if endsInSlash(dest.root, dest.path) || destExistsAsDir {
+		// source.path must be used to get the correct filename when the source
+		// is a symlink
+		destPath = dest.root.Join(destPath, source.root.Base(source.path))
+		destEndpoint = &copyEndpoint{driver: dest.root, path: destPath}
+	}
+	return copyFile(archiver, srcEndpoint, destEndpoint, options.chownPair)
+}
+
+func isArchivePath(driver containerfs.ContainerFS, path string) bool {
+	file, err := driver.Open(path)
+	if err != nil {
+		return false
+	}
+	defer file.Close()
+	rdr, err := archive.DecompressStream(file)
+	if err != nil {
+		return false
+	}
+	r := tar.NewReader(rdr)
+	_, err = r.Next()
+	return err == nil
+}
+
+func copyDirectory(archiver Archiver, source, dest *copyEndpoint, chownPair idtools.IDPair) error {
+	destExists, err := isExistingDirectory(dest)
+	if err != nil {
+		return errors.Wrapf(err, "failed to query destination path")
+	}
+
+	if err := archiver.CopyWithTar(source.path, dest.path); err != nil {
+		return errors.Wrapf(err, "failed to copy directory")
+	}
+	// TODO: @gupta-ak. Investigate how LCOW permission mappings will work.
+	return fixPermissions(source.path, dest.path, chownPair, !destExists)
+}
+
+func copyFile(archiver Archiver, source, dest *copyEndpoint, chownPair idtools.IDPair) error {
+	if runtime.GOOS == "windows" && dest.driver.OS() == "linux" {
+		// LCOW
+		if err := dest.driver.MkdirAll(dest.driver.Dir(dest.path), 0755); err != nil {
+			return errors.Wrapf(err, "failed to create new directory")
+		}
+	} else {
+		if err := idtools.MkdirAllAndChownNew(filepath.Dir(dest.path), 0755, chownPair); err != nil {
+			// Normal containers
+			return errors.Wrapf(err, "failed to create new directory")
+		}
+	}
+
+	if err := archiver.CopyFileWithTar(source.path, dest.path); err != nil {
+		return errors.Wrapf(err, "failed to copy file")
+	}
+	// TODO: @gupta-ak. Investigate how LCOW permission mappings will work.
+	return fixPermissions(source.path, dest.path, chownPair, false)
+}
+
+func endsInSlash(driver containerfs.Driver, path string) bool {
+	return strings.HasSuffix(path, string(driver.Separator()))
+}
+
+// isExistingDirectory returns true if the path exists and is a directory
+func isExistingDirectory(point *copyEndpoint) (bool, error) {
+	destStat, err := point.driver.Stat(point.path)
+	switch {
+	case os.IsNotExist(err):
+		return false, nil
+	case err != nil:
+		return false, err
+	}
+	return destStat.IsDir(), nil
+}
diff --git a/engine/builder/dockerfile/copy_test.go b/engine/builder/dockerfile/copy_test.go
new file mode 100644
index 00000000..f559ff4f
--- /dev/null
+++ b/engine/builder/dockerfile/copy_test.go
@@ -0,0 +1,148 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/docker/docker/pkg/containerfs"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+func TestIsExistingDirectory(t *testing.T) {
+	tmpfile := fs.NewFile(t, "file-exists-test", fs.WithContent("something"))
+	defer tmpfile.Remove()
+	tmpdir := fs.NewDir(t, "dir-exists-test")
+	defer tmpdir.Remove()
+
+	var testcases = []struct {
+		doc      string
+		path     string
+		expected bool
+	}{
+		{
+			doc:      "directory exists",
+			path:     tmpdir.Path(),
+			expected: true,
+		},
+		{
+			doc:      "path doesn't exist",
+			path:     "/bogus/path/does/not/exist",
+			expected: false,
+		},
+		{
+			doc:      "file exists",
+			path:     tmpfile.Path(),
+			expected: false,
+		},
+	}
+
+	for _, testcase := range testcases {
+		result, err := isExistingDirectory(&copyEndpoint{driver: containerfs.NewLocalDriver(), path: testcase.path})
+		if !assert.Check(t, err) {
+			continue
+		}
+		assert.Check(t, is.Equal(testcase.expected, result), testcase.doc)
+	}
+}
+
+func TestGetFilenameForDownload(t *testing.T) {
+	var testcases = []struct {
+		path        string
+		disposition string
+		expected    string
+	}{
+		{
+			path:     "http://www.example.com/",
+			expected: "",
+		},
+		{
+			path:     "http://www.example.com/xyz",
+			expected: "xyz",
+		},
+		{
+			path:     "http://www.example.com/xyz.html",
+			expected: "xyz.html",
+		},
+		{
+			path:     "http://www.example.com/xyz/",
+			expected: "",
+		},
+		{
+			path:     "http://www.example.com/xyz/uvw",
+			expected: "uvw",
+		},
+		{
+			path:     "http://www.example.com/xyz/uvw.html",
+			expected: "uvw.html",
+		},
+		{
+			path:     "http://www.example.com/xyz/uvw/",
+			expected: "",
+		},
+		{
+			path:     "/",
+			expected: "",
+		},
+		{
+			path:     "/xyz",
+			expected: "xyz",
+		},
+		{
+			path:     "/xyz.html",
+			expected: "xyz.html",
+		},
+		{
+			path:     "/xyz/",
+			expected: "",
+		},
+		{
+			path:        "/xyz/",
+			disposition: "attachment; filename=xyz.html",
+			expected:    "xyz.html",
+		},
+		{
+			disposition: "",
+			expected:    "",
+		},
+		{
+			disposition: "attachment; filename=xyz",
+			expected:    "xyz",
+		},
+		{
+			disposition: "attachment; filename=xyz.html",
+			expected:    "xyz.html",
+		},
+		{
+			disposition: "attachment; filename=\"xyz\"",
+			expected:    "xyz",
+		},
+		{
+			disposition: "attachment; filename=\"xyz.html\"",
+			expected:    "xyz.html",
+		},
+		{
+			disposition: "attachment; filename=\"/xyz.html\"",
+			expected:    "xyz.html",
+		},
+		{
+			disposition: "attachment; filename=\"/xyz/uvw\"",
+			expected:    "uvw",
+		},
+		{
+			disposition: "attachment; filename=\"Naïve file.txt\"",
+			expected:    "Naïve file.txt",
+		},
+	}
+	for _, testcase := range testcases {
+		resp := http.Response{
+			Header: make(map[string][]string),
+		}
+		if testcase.disposition != "" {
+			resp.Header.Add("Content-Disposition", testcase.disposition)
+		}
+		filename := getFilenameForDownload(testcase.path, &resp)
+		assert.Check(t, is.Equal(testcase.expected, filename))
+	}
+}
diff --git a/engine/builder/dockerfile/copy_unix.go b/engine/builder/dockerfile/copy_unix.go
new file mode 100644
index 00000000..15453452
--- /dev/null
+++ b/engine/builder/dockerfile/copy_unix.go
@@ -0,0 +1,48 @@
+// +build !windows
+
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+)
+
+func fixPermissions(source, destination string, rootIDs idtools.IDPair, overrideSkip bool) error {
+	var (
+		skipChownRoot bool
+		err           error
+	)
+	if !overrideSkip {
+		destEndpoint := &copyEndpoint{driver: containerfs.NewLocalDriver(), path: destination}
+		skipChownRoot, err = isExistingDirectory(destEndpoint)
+		if err != nil {
+			return err
+		}
+	}
+
+	// We Walk on the source rather than on the destination because we don't
+	// want to change permissions on things we haven't created or modified.
+	return filepath.Walk(source, func(fullpath string, info os.FileInfo, err error) error {
+		// Do not alter the walk root iff. it existed before, as it doesn't fall under
+		// the domain of "things we should chown".
+		if skipChownRoot && source == fullpath {
+			return nil
+		}
+
+		// Path is prefixed by source: substitute with destination instead.
+		cleaned, err := filepath.Rel(source, fullpath)
+		if err != nil {
+			return err
+		}
+
+		fullpath = filepath.Join(destination, cleaned)
+		return os.Lchown(fullpath, rootIDs.UID, rootIDs.GID)
+	})
+}
+
+func validateCopySourcePath(imageSource *imageMount, origPath, platform string) error {
+	return nil
+}
diff --git a/engine/builder/dockerfile/copy_windows.go b/engine/builder/dockerfile/copy_windows.go
new file mode 100644
index 00000000..907c3440
--- /dev/null
+++ b/engine/builder/dockerfile/copy_windows.go
@@ -0,0 +1,43 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"errors"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/idtools"
+)
+
+var pathBlacklist = map[string]bool{
+	"c:\\":        true,
+	"c:\\windows": true,
+}
+
+func fixPermissions(source, destination string, rootIDs idtools.IDPair, overrideSkip bool) error {
+	// chown is not supported on Windows
+	return nil
+}
+
+func validateCopySourcePath(imageSource *imageMount, origPath, platform string) error {
+	// validate windows paths from other images + LCOW
+	if imageSource == nil || platform != "windows" {
+		return nil
+	}
+
+	origPath = filepath.FromSlash(origPath)
+	p := strings.ToLower(filepath.Clean(origPath))
+	if !filepath.IsAbs(p) {
+		if filepath.VolumeName(p) != "" {
+			if p[len(p)-2:] == ":." { // case where clean returns weird c:. paths
+				p = p[:len(p)-1]
+			}
+			p += "\\"
+		} else {
+			p = filepath.Join("c:\\", p)
+		}
+	}
+	if _, blacklisted := pathBlacklist[p]; blacklisted {
+		return errors.New("copy from c:\\ or c:\\windows is not allowed on windows")
+	}
+	return nil
+}
diff --git a/engine/builder/dockerfile/dispatchers.go b/engine/builder/dockerfile/dispatchers.go
new file mode 100644
index 00000000..d7435e01
--- /dev/null
+++ b/engine/builder/dockerfile/dispatchers.go
@@ -0,0 +1,585 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+// This file contains the dispatchers for each command. Note that
+// `nullDispatch` is not actually a command, but support for commands we parse
+// but do nothing with.
+//
+// See evaluator.go for a higher level discussion of the whole evaluator
+// package.
+
+import (
+	"bytes"
+	"fmt"
+	"runtime"
+	"sort"
+	"strings"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/go-connections/nat"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/buildkit/frontend/dockerfile/parser"
+	"github.com/moby/buildkit/frontend/dockerfile/shell"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// ENV foo bar
+//
+// Sets the environment variable foo to bar, also makes interpolation
+// in the dockerfile available from the next statement on via ${foo}.
+//
+func dispatchEnv(d dispatchRequest, c *instructions.EnvCommand) error {
+	runConfig := d.state.runConfig
+	commitMessage := bytes.NewBufferString("ENV")
+	for _, e := range c.Env {
+		name := e.Key
+		newVar := e.String()
+
+		commitMessage.WriteString(" " + newVar)
+		gotOne := false
+		for i, envVar := range runConfig.Env {
+			envParts := strings.SplitN(envVar, "=", 2)
+			compareFrom := envParts[0]
+			if shell.EqualEnvKeys(compareFrom, name) {
+				runConfig.Env[i] = newVar
+				gotOne = true
+				break
+			}
+		}
+		if !gotOne {
+			runConfig.Env = append(runConfig.Env, newVar)
+		}
+	}
+	return d.builder.commit(d.state, commitMessage.String())
+}
+
+// MAINTAINER some text <maybe@an.email.address>
+//
+// Sets the maintainer metadata.
+func dispatchMaintainer(d dispatchRequest, c *instructions.MaintainerCommand) error {
+
+	d.state.maintainer = c.Maintainer
+	return d.builder.commit(d.state, "MAINTAINER "+c.Maintainer)
+}
+
+// LABEL some json data describing the image
+//
+// Sets the Label variable foo to bar,
+//
+func dispatchLabel(d dispatchRequest, c *instructions.LabelCommand) error {
+	if d.state.runConfig.Labels == nil {
+		d.state.runConfig.Labels = make(map[string]string)
+	}
+	commitStr := "LABEL"
+	for _, v := range c.Labels {
+		d.state.runConfig.Labels[v.Key] = v.Value
+		commitStr += " " + v.String()
+	}
+	return d.builder.commit(d.state, commitStr)
+}
+
+// ADD foo /path
+//
+// Add the file 'foo' to '/path'. Tarball and Remote URL (git, http) handling
+// exist here. If you do not wish to have this automatic handling, use COPY.
+//
+func dispatchAdd(d dispatchRequest, c *instructions.AddCommand) error {
+	downloader := newRemoteSourceDownloader(d.builder.Output, d.builder.Stdout)
+	copier := copierFromDispatchRequest(d, downloader, nil)
+	defer copier.Cleanup()
+
+	copyInstruction, err := copier.createCopyInstruction(c.SourcesAndDest, "ADD")
+	if err != nil {
+		return err
+	}
+	copyInstruction.chownStr = c.Chown
+	copyInstruction.allowLocalDecompression = true
+
+	return d.builder.performCopy(d, copyInstruction)
+}
+
+// COPY foo /path
+//
+// Same as 'ADD' but without the tar and remote url handling.
+//
+func dispatchCopy(d dispatchRequest, c *instructions.CopyCommand) error {
+	var im *imageMount
+	var err error
+	if c.From != "" {
+		im, err = d.getImageMount(c.From)
+		if err != nil {
+			return errors.Wrapf(err, "invalid from flag value %s", c.From)
+		}
+	}
+	copier := copierFromDispatchRequest(d, errOnSourceDownload, im)
+	defer copier.Cleanup()
+	copyInstruction, err := copier.createCopyInstruction(c.SourcesAndDest, "COPY")
+	if err != nil {
+		return err
+	}
+	copyInstruction.chownStr = c.Chown
+
+	return d.builder.performCopy(d, copyInstruction)
+}
+
+func (d *dispatchRequest) getImageMount(imageRefOrID string) (*imageMount, error) {
+	if imageRefOrID == "" {
+		// TODO: this could return the source in the default case as well?
+		return nil, nil
+	}
+
+	var localOnly bool
+	stage, err := d.stages.get(imageRefOrID)
+	if err != nil {
+		return nil, err
+	}
+	if stage != nil {
+		imageRefOrID = stage.Image
+		localOnly = true
+	}
+	return d.builder.imageSources.Get(imageRefOrID, localOnly, d.builder.platform)
+}
+
+// FROM [--platform=platform] imagename[:tag | @digest] [AS build-stage-name]
+//
+func initializeStage(d dispatchRequest, cmd *instructions.Stage) error {
+	d.builder.imageProber.Reset()
+
+	var platform *specs.Platform
+	if v := cmd.Platform; v != "" {
+		v, err := d.getExpandedString(d.shlex, v)
+		if err != nil {
+			return errors.Wrapf(err, "failed to process arguments for platform %s", v)
+		}
+
+		p, err := platforms.Parse(v)
+		if err != nil {
+			return errors.Wrapf(err, "failed to parse platform %s", v)
+		}
+		if err := system.ValidatePlatform(p); err != nil {
+			return err
+		}
+		platform = &p
+	}
+
+	image, err := d.getFromImage(d.shlex, cmd.BaseName, platform)
+	if err != nil {
+		return err
+	}
+	state := d.state
+	if err := state.beginStage(cmd.Name, image); err != nil {
+		return err
+	}
+	if len(state.runConfig.OnBuild) > 0 {
+		triggers := state.runConfig.OnBuild
+		state.runConfig.OnBuild = nil
+		return dispatchTriggeredOnBuild(d, triggers)
+	}
+	return nil
+}
+
+func dispatchTriggeredOnBuild(d dispatchRequest, triggers []string) error {
+	fmt.Fprintf(d.builder.Stdout, "# Executing %d build trigger", len(triggers))
+	if len(triggers) > 1 {
+		fmt.Fprint(d.builder.Stdout, "s")
+	}
+	fmt.Fprintln(d.builder.Stdout)
+	for _, trigger := range triggers {
+		d.state.updateRunConfig()
+		ast, err := parser.Parse(strings.NewReader(trigger))
+		if err != nil {
+			return err
+		}
+		if len(ast.AST.Children) != 1 {
+			return errors.New("onbuild trigger should be a single expression")
+		}
+		cmd, err := instructions.ParseCommand(ast.AST.Children[0])
+		if err != nil {
+			if instructions.IsUnknownInstruction(err) {
+				buildsFailed.WithValues(metricsUnknownInstructionError).Inc()
+			}
+			return err
+		}
+		err = dispatch(d, cmd)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (d *dispatchRequest) getExpandedString(shlex *shell.Lex, str string) (string, error) {
+	substitutionArgs := []string{}
+	for key, value := range d.state.buildArgs.GetAllMeta() {
+		substitutionArgs = append(substitutionArgs, key+"="+value)
+	}
+
+	name, err := shlex.ProcessWord(str, substitutionArgs)
+	if err != nil {
+		return "", err
+	}
+	return name, nil
+}
+
+func (d *dispatchRequest) getImageOrStage(name string, platform *specs.Platform) (builder.Image, error) {
+	var localOnly bool
+	if im, ok := d.stages.getByName(name); ok {
+		name = im.Image
+		localOnly = true
+	}
+
+	if platform == nil {
+		platform = d.builder.platform
+	}
+
+	// Windows cannot support a container with no base image unless it is LCOW.
+	if name == api.NoBaseImageSpecifier {
+		p := platforms.DefaultSpec()
+		if platform != nil {
+			p = *platform
+		}
+		imageImage := &image.Image{}
+		imageImage.OS = p.OS
+
+		// old windows scratch handling
+		// TODO: scratch should not have an os. It should be nil image.
+		// Windows supports scratch. What is not supported is running containers
+		// from it.
+		if runtime.GOOS == "windows" {
+			if platform == nil || platform.OS == "linux" {
+				if !system.LCOWSupported() {
+					return nil, errors.New("Linux containers are not supported on this system")
+				}
+				imageImage.OS = "linux"
+			} else if platform.OS == "windows" {
+				return nil, errors.New("Windows does not support FROM scratch")
+			} else {
+				return nil, errors.Errorf("platform %s is not supported", platforms.Format(p))
+			}
+		}
+		return builder.Image(imageImage), nil
+	}
+	imageMount, err := d.builder.imageSources.Get(name, localOnly, platform)
+	if err != nil {
+		return nil, err
+	}
+	return imageMount.Image(), nil
+}
+func (d *dispatchRequest) getFromImage(shlex *shell.Lex, basename string, platform *specs.Platform) (builder.Image, error) {
+	name, err := d.getExpandedString(shlex, basename)
+	if err != nil {
+		return nil, err
+	}
+	// Empty string is interpreted to FROM scratch by images.GetImageAndReleasableLayer,
+	// so validate expanded result is not empty.
+	if name == "" {
+		return nil, errors.Errorf("base name (%s) should not be blank", basename)
+	}
+
+	return d.getImageOrStage(name, platform)
+}
+
+func dispatchOnbuild(d dispatchRequest, c *instructions.OnbuildCommand) error {
+	d.state.runConfig.OnBuild = append(d.state.runConfig.OnBuild, c.Expression)
+	return d.builder.commit(d.state, "ONBUILD "+c.Expression)
+}
+
+// WORKDIR /tmp
+//
+// Set the working directory for future RUN/CMD/etc statements.
+//
+func dispatchWorkdir(d dispatchRequest, c *instructions.WorkdirCommand) error {
+	runConfig := d.state.runConfig
+	var err error
+	runConfig.WorkingDir, err = normalizeWorkdir(d.state.operatingSystem, runConfig.WorkingDir, c.Path)
+	if err != nil {
+		return err
+	}
+
+	// For performance reasons, we explicitly do a create/mkdir now
+	// This avoids having an unnecessary expensive mount/unmount calls
+	// (on Windows in particular) during each container create.
+	// Prior to 1.13, the mkdir was deferred and not executed at this step.
+	if d.builder.disableCommit {
+		// Don't call back into the daemon if we're going through docker commit --change "WORKDIR /foo".
+		// We've already updated the runConfig and that's enough.
+		return nil
+	}
+
+	comment := "WORKDIR " + runConfig.WorkingDir
+	runConfigWithCommentCmd := copyRunConfig(runConfig, withCmdCommentString(comment, d.state.operatingSystem))
+
+	containerID, err := d.builder.probeAndCreate(d.state, runConfigWithCommentCmd)
+	if err != nil || containerID == "" {
+		return err
+	}
+
+	if err := d.builder.docker.ContainerCreateWorkdir(containerID); err != nil {
+		return err
+	}
+
+	return d.builder.commitContainer(d.state, containerID, runConfigWithCommentCmd)
+}
+
+func resolveCmdLine(cmd instructions.ShellDependantCmdLine, runConfig *container.Config, os string) []string {
+	result := cmd.CmdLine
+	if cmd.PrependShell && result != nil {
+		result = append(getShell(runConfig, os), result...)
+	}
+	return result
+}
+
+// RUN some command yo
+//
+// run a command and commit the image. Args are automatically prepended with
+// the current SHELL which defaults to 'sh -c' under linux or 'cmd /S /C' under
+// Windows, in the event there is only one argument The difference in processing:
+//
+// RUN echo hi          # sh -c echo hi       (Linux and LCOW)
+// RUN echo hi          # cmd /S /C echo hi   (Windows)
+// RUN [ "echo", "hi" ] # echo hi
+//
+func dispatchRun(d dispatchRequest, c *instructions.RunCommand) error {
+	if !system.IsOSSupported(d.state.operatingSystem) {
+		return system.ErrNotSupportedOperatingSystem
+	}
+	stateRunConfig := d.state.runConfig
+	cmdFromArgs := resolveCmdLine(c.ShellDependantCmdLine, stateRunConfig, d.state.operatingSystem)
+	buildArgs := d.state.buildArgs.FilterAllowed(stateRunConfig.Env)
+
+	saveCmd := cmdFromArgs
+	if len(buildArgs) > 0 {
+		saveCmd = prependEnvOnCmd(d.state.buildArgs, buildArgs, cmdFromArgs)
+	}
+
+	runConfigForCacheProbe := copyRunConfig(stateRunConfig,
+		withCmd(saveCmd),
+		withEntrypointOverride(saveCmd, nil))
+	if hit, err := d.builder.probeCache(d.state, runConfigForCacheProbe); err != nil || hit {
+		return err
+	}
+
+	runConfig := copyRunConfig(stateRunConfig,
+		withCmd(cmdFromArgs),
+		withEnv(append(stateRunConfig.Env, buildArgs...)),
+		withEntrypointOverride(saveCmd, strslice.StrSlice{""}),
+		withoutHealthcheck())
+
+	// set config as already being escaped, this prevents double escaping on windows
+	runConfig.ArgsEscaped = true
+
+	cID, err := d.builder.create(runConfig)
+	if err != nil {
+		return err
+	}
+
+	if err := d.builder.containerManager.Run(d.builder.clientCtx, cID, d.builder.Stdout, d.builder.Stderr); err != nil {
+		if err, ok := err.(*statusCodeError); ok {
+			// TODO: change error type, because jsonmessage.JSONError assumes HTTP
+			msg := fmt.Sprintf(
+				"The command '%s' returned a non-zero code: %d",
+				strings.Join(runConfig.Cmd, " "), err.StatusCode())
+			if err.Error() != "" {
+				msg = fmt.Sprintf("%s: %s", msg, err.Error())
+			}
+			return &jsonmessage.JSONError{
+				Message: msg,
+				Code:    err.StatusCode(),
+			}
+		}
+		return err
+	}
+
+	return d.builder.commitContainer(d.state, cID, runConfigForCacheProbe)
+}
+
+// Derive the command to use for probeCache() and to commit in this container.
+// Note that we only do this if there are any build-time env vars.  Also, we
+// use the special argument "|#" at the start of the args array. This will
+// avoid conflicts with any RUN command since commands can not
+// start with | (vertical bar). The "#" (number of build envs) is there to
+// help ensure proper cache matches. We don't want a RUN command
+// that starts with "foo=abc" to be considered part of a build-time env var.
+//
+// remove any unreferenced built-in args from the environment variables.
+// These args are transparent so resulting image should be the same regardless
+// of the value.
+func prependEnvOnCmd(buildArgs *BuildArgs, buildArgVars []string, cmd strslice.StrSlice) strslice.StrSlice {
+	var tmpBuildEnv []string
+	for _, env := range buildArgVars {
+		key := strings.SplitN(env, "=", 2)[0]
+		if buildArgs.IsReferencedOrNotBuiltin(key) {
+			tmpBuildEnv = append(tmpBuildEnv, env)
+		}
+	}
+
+	sort.Strings(tmpBuildEnv)
+	tmpEnv := append([]string{fmt.Sprintf("|%d", len(tmpBuildEnv))}, tmpBuildEnv...)
+	return strslice.StrSlice(append(tmpEnv, cmd...))
+}
+
+// CMD foo
+//
+// Set the default command to run in the container (which may be empty).
+// Argument handling is the same as RUN.
+//
+func dispatchCmd(d dispatchRequest, c *instructions.CmdCommand) error {
+	runConfig := d.state.runConfig
+	cmd := resolveCmdLine(c.ShellDependantCmdLine, runConfig, d.state.operatingSystem)
+	runConfig.Cmd = cmd
+	// set config as already being escaped, this prevents double escaping on windows
+	runConfig.ArgsEscaped = true
+
+	if err := d.builder.commit(d.state, fmt.Sprintf("CMD %q", cmd)); err != nil {
+		return err
+	}
+
+	if len(c.ShellDependantCmdLine.CmdLine) != 0 {
+		d.state.cmdSet = true
+	}
+
+	return nil
+}
+
+// HEALTHCHECK foo
+//
+// Set the default healthcheck command to run in the container (which may be empty).
+// Argument handling is the same as RUN.
+//
+func dispatchHealthcheck(d dispatchRequest, c *instructions.HealthCheckCommand) error {
+	runConfig := d.state.runConfig
+	if runConfig.Healthcheck != nil {
+		oldCmd := runConfig.Healthcheck.Test
+		if len(oldCmd) > 0 && oldCmd[0] != "NONE" {
+			fmt.Fprintf(d.builder.Stdout, "Note: overriding previous HEALTHCHECK: %v\n", oldCmd)
+		}
+	}
+	runConfig.Healthcheck = c.Health
+	return d.builder.commit(d.state, fmt.Sprintf("HEALTHCHECK %q", runConfig.Healthcheck))
+}
+
+// ENTRYPOINT /usr/sbin/nginx
+//
+// Set the entrypoint to /usr/sbin/nginx. Will accept the CMD as the arguments
+// to /usr/sbin/nginx. Uses the default shell if not in JSON format.
+//
+// Handles command processing similar to CMD and RUN, only req.runConfig.Entrypoint
+// is initialized at newBuilder time instead of through argument parsing.
+//
+func dispatchEntrypoint(d dispatchRequest, c *instructions.EntrypointCommand) error {
+	runConfig := d.state.runConfig
+	cmd := resolveCmdLine(c.ShellDependantCmdLine, runConfig, d.state.operatingSystem)
+	runConfig.Entrypoint = cmd
+	if !d.state.cmdSet {
+		runConfig.Cmd = nil
+	}
+
+	return d.builder.commit(d.state, fmt.Sprintf("ENTRYPOINT %q", runConfig.Entrypoint))
+}
+
+// EXPOSE 6667/tcp 7000/tcp
+//
+// Expose ports for links and port mappings. This all ends up in
+// req.runConfig.ExposedPorts for runconfig.
+//
+func dispatchExpose(d dispatchRequest, c *instructions.ExposeCommand, envs []string) error {
+	// custom multi word expansion
+	// expose $FOO with FOO="80 443" is expanded as EXPOSE [80,443]. This is the only command supporting word to words expansion
+	// so the word processing has been de-generalized
+	ports := []string{}
+	for _, p := range c.Ports {
+		ps, err := d.shlex.ProcessWords(p, envs)
+		if err != nil {
+			return err
+		}
+		ports = append(ports, ps...)
+	}
+	c.Ports = ports
+
+	ps, _, err := nat.ParsePortSpecs(ports)
+	if err != nil {
+		return err
+	}
+
+	if d.state.runConfig.ExposedPorts == nil {
+		d.state.runConfig.ExposedPorts = make(nat.PortSet)
+	}
+	for p := range ps {
+		d.state.runConfig.ExposedPorts[p] = struct{}{}
+	}
+
+	return d.builder.commit(d.state, "EXPOSE "+strings.Join(c.Ports, " "))
+}
+
+// USER foo
+//
+// Set the user to 'foo' for future commands and when running the
+// ENTRYPOINT/CMD at container run time.
+//
+func dispatchUser(d dispatchRequest, c *instructions.UserCommand) error {
+	d.state.runConfig.User = c.User
+	return d.builder.commit(d.state, fmt.Sprintf("USER %v", c.User))
+}
+
+// VOLUME /foo
+//
+// Expose the volume /foo for use. Will also accept the JSON array form.
+//
+func dispatchVolume(d dispatchRequest, c *instructions.VolumeCommand) error {
+	if d.state.runConfig.Volumes == nil {
+		d.state.runConfig.Volumes = map[string]struct{}{}
+	}
+	for _, v := range c.Volumes {
+		if v == "" {
+			return errors.New("VOLUME specified can not be an empty string")
+		}
+		d.state.runConfig.Volumes[v] = struct{}{}
+	}
+	return d.builder.commit(d.state, fmt.Sprintf("VOLUME %v", c.Volumes))
+}
+
+// STOPSIGNAL signal
+//
+// Set the signal that will be used to kill the container.
+func dispatchStopSignal(d dispatchRequest, c *instructions.StopSignalCommand) error {
+
+	_, err := signal.ParseSignal(c.Signal)
+	if err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+	d.state.runConfig.StopSignal = c.Signal
+	return d.builder.commit(d.state, fmt.Sprintf("STOPSIGNAL %v", c.Signal))
+}
+
+// ARG name[=value]
+//
+// Adds the variable foo to the trusted list of variables that can be passed
+// to builder using the --build-arg flag for expansion/substitution or passing to 'run'.
+// Dockerfile author may optionally set a default value of this variable.
+func dispatchArg(d dispatchRequest, c *instructions.ArgCommand) error {
+
+	commitStr := "ARG " + c.Key
+	if c.Value != nil {
+		commitStr += "=" + *c.Value
+	}
+
+	d.state.buildArgs.AddArg(c.Key, c.Value)
+	return d.builder.commit(d.state, commitStr)
+}
+
+// SHELL powershell -command
+//
+// Set the non-default shell to use.
+func dispatchShell(d dispatchRequest, c *instructions.ShellCommand) error {
+	d.state.runConfig.Shell = c.Shell
+	return d.builder.commit(d.state, fmt.Sprintf("SHELL %v", d.state.runConfig.Shell))
+}
diff --git a/engine/builder/dockerfile/dispatchers_test.go b/engine/builder/dockerfile/dispatchers_test.go
new file mode 100644
index 00000000..d767d318
--- /dev/null
+++ b/engine/builder/dockerfile/dispatchers_test.go
@@ -0,0 +1,552 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"bytes"
+	"context"
+	"runtime"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/go-connections/nat"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/buildkit/frontend/dockerfile/shell"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func newBuilderWithMockBackend() *Builder {
+	mockBackend := &MockBackend{}
+	opts := &types.ImageBuildOptions{}
+	ctx := context.Background()
+	b := &Builder{
+		options:       opts,
+		docker:        mockBackend,
+		Stdout:        new(bytes.Buffer),
+		clientCtx:     ctx,
+		disableCommit: true,
+		imageSources: newImageSources(ctx, builderOptions{
+			Options: opts,
+			Backend: mockBackend,
+		}),
+		imageProber:      newImageProber(mockBackend, nil, false),
+		containerManager: newContainerManager(mockBackend),
+	}
+	return b
+}
+
+func TestEnv2Variables(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '\\', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	envCommand := &instructions.EnvCommand{
+		Env: instructions.KeyValuePairs{
+			instructions.KeyValuePair{Key: "var1", Value: "val1"},
+			instructions.KeyValuePair{Key: "var2", Value: "val2"},
+		},
+	}
+	err := dispatch(sb, envCommand)
+	assert.NilError(t, err)
+
+	expected := []string{
+		"var1=val1",
+		"var2=val2",
+	}
+	assert.Check(t, is.DeepEqual(expected, sb.state.runConfig.Env))
+}
+
+func TestEnvValueWithExistingRunConfigEnv(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '\\', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	sb.state.runConfig.Env = []string{"var1=old", "var2=fromenv"}
+	envCommand := &instructions.EnvCommand{
+		Env: instructions.KeyValuePairs{
+			instructions.KeyValuePair{Key: "var1", Value: "val1"},
+		},
+	}
+	err := dispatch(sb, envCommand)
+	assert.NilError(t, err)
+	expected := []string{
+		"var1=val1",
+		"var2=fromenv",
+	}
+	assert.Check(t, is.DeepEqual(expected, sb.state.runConfig.Env))
+}
+
+func TestMaintainer(t *testing.T) {
+	maintainerEntry := "Some Maintainer <maintainer@example.com>"
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '\\', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	cmd := &instructions.MaintainerCommand{Maintainer: maintainerEntry}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(maintainerEntry, sb.state.maintainer))
+}
+
+func TestLabel(t *testing.T) {
+	labelName := "label"
+	labelValue := "value"
+
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '\\', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	cmd := &instructions.LabelCommand{
+		Labels: instructions.KeyValuePairs{
+			instructions.KeyValuePair{Key: labelName, Value: labelValue},
+		},
+	}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+
+	assert.Assert(t, is.Contains(sb.state.runConfig.Labels, labelName))
+	assert.Check(t, is.Equal(sb.state.runConfig.Labels[labelName], labelValue))
+}
+
+func TestFromScratch(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '\\', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	cmd := &instructions.Stage{
+		BaseName: "scratch",
+	}
+	err := initializeStage(sb, cmd)
+
+	if runtime.GOOS == "windows" && !system.LCOWSupported() {
+		assert.Check(t, is.Error(err, "Linux containers are not supported on this system"))
+		return
+	}
+
+	assert.NilError(t, err)
+	assert.Check(t, sb.state.hasFromImage())
+	assert.Check(t, is.Equal("", sb.state.imageID))
+	expected := "PATH=" + system.DefaultPathEnv(runtime.GOOS)
+	assert.Check(t, is.DeepEqual([]string{expected}, sb.state.runConfig.Env))
+}
+
+func TestFromWithArg(t *testing.T) {
+	tag, expected := ":sometag", "expectedthisid"
+
+	getImage := func(name string) (builder.Image, builder.ROLayer, error) {
+		assert.Check(t, is.Equal("alpine"+tag, name))
+		return &mockImage{id: "expectedthisid"}, nil, nil
+	}
+	b := newBuilderWithMockBackend()
+	b.docker.(*MockBackend).getImageFunc = getImage
+	args := NewBuildArgs(make(map[string]*string))
+
+	val := "sometag"
+	metaArg := instructions.ArgCommand{KeyValuePairOptional: instructions.KeyValuePairOptional{
+		Key:   "THETAG",
+		Value: &val,
+	}}
+	cmd := &instructions.Stage{
+		BaseName: "alpine:${THETAG}",
+	}
+	err := processMetaArg(metaArg, shell.NewLex('\\'), args)
+
+	sb := newDispatchRequest(b, '\\', nil, args, newStagesBuildResults())
+	assert.NilError(t, err)
+	err = initializeStage(sb, cmd)
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(expected, sb.state.imageID))
+	assert.Check(t, is.Equal(expected, sb.state.baseImage.ImageID()))
+	assert.Check(t, is.Len(sb.state.buildArgs.GetAllAllowed(), 0))
+	assert.Check(t, is.Len(sb.state.buildArgs.GetAllMeta(), 1))
+}
+
+func TestFromWithArgButBuildArgsNotGiven(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	args := NewBuildArgs(make(map[string]*string))
+
+	metaArg := instructions.ArgCommand{}
+	cmd := &instructions.Stage{
+		BaseName: "${THETAG}",
+	}
+	err := processMetaArg(metaArg, shell.NewLex('\\'), args)
+
+	sb := newDispatchRequest(b, '\\', nil, args, newStagesBuildResults())
+	assert.NilError(t, err)
+	err = initializeStage(sb, cmd)
+	assert.Error(t, err, "base name (${THETAG}) should not be blank")
+}
+
+func TestFromWithUndefinedArg(t *testing.T) {
+	tag, expected := "sometag", "expectedthisid"
+
+	getImage := func(name string) (builder.Image, builder.ROLayer, error) {
+		assert.Check(t, is.Equal("alpine", name))
+		return &mockImage{id: "expectedthisid"}, nil, nil
+	}
+	b := newBuilderWithMockBackend()
+	b.docker.(*MockBackend).getImageFunc = getImage
+	sb := newDispatchRequest(b, '\\', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+
+	b.options.BuildArgs = map[string]*string{"THETAG": &tag}
+
+	cmd := &instructions.Stage{
+		BaseName: "alpine${THETAG}",
+	}
+	err := initializeStage(sb, cmd)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(expected, sb.state.imageID))
+}
+
+func TestFromMultiStageWithNamedStage(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	firstFrom := &instructions.Stage{BaseName: "someimg", Name: "base"}
+	secondFrom := &instructions.Stage{BaseName: "base"}
+	previousResults := newStagesBuildResults()
+	firstSB := newDispatchRequest(b, '\\', nil, NewBuildArgs(make(map[string]*string)), previousResults)
+	secondSB := newDispatchRequest(b, '\\', nil, NewBuildArgs(make(map[string]*string)), previousResults)
+	err := initializeStage(firstSB, firstFrom)
+	assert.NilError(t, err)
+	assert.Check(t, firstSB.state.hasFromImage())
+	previousResults.indexed["base"] = firstSB.state.runConfig
+	previousResults.flat = append(previousResults.flat, firstSB.state.runConfig)
+	err = initializeStage(secondSB, secondFrom)
+	assert.NilError(t, err)
+	assert.Check(t, secondSB.state.hasFromImage())
+}
+
+func TestOnbuild(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '\\', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	cmd := &instructions.OnbuildCommand{
+		Expression: "ADD . /app/src",
+	}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("ADD . /app/src", sb.state.runConfig.OnBuild[0]))
+}
+
+func TestWorkdir(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	sb.state.baseImage = &mockImage{}
+	workingDir := "/app"
+	if runtime.GOOS == "windows" {
+		workingDir = "C:\\app"
+	}
+	cmd := &instructions.WorkdirCommand{
+		Path: workingDir,
+	}
+
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(workingDir, sb.state.runConfig.WorkingDir))
+}
+
+func TestCmd(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	sb.state.baseImage = &mockImage{}
+	command := "./executable"
+
+	cmd := &instructions.CmdCommand{
+		ShellDependantCmdLine: instructions.ShellDependantCmdLine{
+			CmdLine:      strslice.StrSlice{command},
+			PrependShell: true,
+		},
+	}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+
+	var expectedCommand strslice.StrSlice
+	if runtime.GOOS == "windows" {
+		expectedCommand = strslice.StrSlice(append([]string{"cmd"}, "/S", "/C", command))
+	} else {
+		expectedCommand = strslice.StrSlice(append([]string{"/bin/sh"}, "-c", command))
+	}
+
+	assert.Check(t, is.DeepEqual(expectedCommand, sb.state.runConfig.Cmd))
+	assert.Check(t, sb.state.cmdSet)
+}
+
+func TestHealthcheckNone(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	cmd := &instructions.HealthCheckCommand{
+		Health: &container.HealthConfig{
+			Test: []string{"NONE"},
+		},
+	}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+
+	assert.Assert(t, sb.state.runConfig.Healthcheck != nil)
+	assert.Check(t, is.DeepEqual([]string{"NONE"}, sb.state.runConfig.Healthcheck.Test))
+}
+
+func TestHealthcheckCmd(t *testing.T) {
+
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	expectedTest := []string{"CMD-SHELL", "curl -f http://localhost/ || exit 1"}
+	cmd := &instructions.HealthCheckCommand{
+		Health: &container.HealthConfig{
+			Test: expectedTest,
+		},
+	}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+
+	assert.Assert(t, sb.state.runConfig.Healthcheck != nil)
+	assert.Check(t, is.DeepEqual(expectedTest, sb.state.runConfig.Healthcheck.Test))
+}
+
+func TestEntrypoint(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	sb.state.baseImage = &mockImage{}
+	entrypointCmd := "/usr/sbin/nginx"
+
+	cmd := &instructions.EntrypointCommand{
+		ShellDependantCmdLine: instructions.ShellDependantCmdLine{
+			CmdLine:      strslice.StrSlice{entrypointCmd},
+			PrependShell: true,
+		},
+	}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+	assert.Assert(t, sb.state.runConfig.Entrypoint != nil)
+
+	var expectedEntrypoint strslice.StrSlice
+	if runtime.GOOS == "windows" {
+		expectedEntrypoint = strslice.StrSlice(append([]string{"cmd"}, "/S", "/C", entrypointCmd))
+	} else {
+		expectedEntrypoint = strslice.StrSlice(append([]string{"/bin/sh"}, "-c", entrypointCmd))
+	}
+	assert.Check(t, is.DeepEqual(expectedEntrypoint, sb.state.runConfig.Entrypoint))
+}
+
+func TestExpose(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+
+	exposedPort := "80"
+	cmd := &instructions.ExposeCommand{
+		Ports: []string{exposedPort},
+	}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+
+	assert.Assert(t, sb.state.runConfig.ExposedPorts != nil)
+	assert.Assert(t, is.Len(sb.state.runConfig.ExposedPorts, 1))
+
+	portsMapping, err := nat.ParsePortSpec(exposedPort)
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(sb.state.runConfig.ExposedPorts, portsMapping[0].Port))
+}
+
+func TestUser(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+
+	cmd := &instructions.UserCommand{
+		User: "test",
+	}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("test", sb.state.runConfig.User))
+}
+
+func TestVolume(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+
+	exposedVolume := "/foo"
+
+	cmd := &instructions.VolumeCommand{
+		Volumes: []string{exposedVolume},
+	}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+	assert.Assert(t, sb.state.runConfig.Volumes != nil)
+	assert.Check(t, is.Len(sb.state.runConfig.Volumes, 1))
+	assert.Check(t, is.Contains(sb.state.runConfig.Volumes, exposedVolume))
+}
+
+func TestStopSignal(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("Windows does not support stopsignal")
+		return
+	}
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	sb.state.baseImage = &mockImage{}
+	signal := "SIGKILL"
+
+	cmd := &instructions.StopSignalCommand{
+		Signal: signal,
+	}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(signal, sb.state.runConfig.StopSignal))
+}
+
+func TestArg(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+
+	argName := "foo"
+	argVal := "bar"
+	cmd := &instructions.ArgCommand{KeyValuePairOptional: instructions.KeyValuePairOptional{Key: argName, Value: &argVal}}
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+
+	expected := map[string]string{argName: argVal}
+	assert.Check(t, is.DeepEqual(expected, sb.state.buildArgs.GetAllAllowed()))
+}
+
+func TestShell(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+
+	shellCmd := "powershell"
+	cmd := &instructions.ShellCommand{Shell: strslice.StrSlice{shellCmd}}
+
+	err := dispatch(sb, cmd)
+	assert.NilError(t, err)
+
+	expectedShell := strslice.StrSlice([]string{shellCmd})
+	assert.Check(t, is.DeepEqual(expectedShell, sb.state.runConfig.Shell))
+}
+
+func TestPrependEnvOnCmd(t *testing.T) {
+	buildArgs := NewBuildArgs(nil)
+	buildArgs.AddArg("NO_PROXY", nil)
+
+	args := []string{"sorted=nope", "args=not", "http_proxy=foo", "NO_PROXY=YA"}
+	cmd := []string{"foo", "bar"}
+	cmdWithEnv := prependEnvOnCmd(buildArgs, args, cmd)
+	expected := strslice.StrSlice([]string{
+		"|3", "NO_PROXY=YA", "args=not", "sorted=nope", "foo", "bar"})
+	assert.Check(t, is.DeepEqual(expected, cmdWithEnv))
+}
+
+func TestRunWithBuildArgs(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	args := NewBuildArgs(make(map[string]*string))
+	args.argsFromOptions["HTTP_PROXY"] = strPtr("FOO")
+	b.disableCommit = false
+	sb := newDispatchRequest(b, '`', nil, args, newStagesBuildResults())
+
+	runConfig := &container.Config{}
+	origCmd := strslice.StrSlice([]string{"cmd", "in", "from", "image"})
+	cmdWithShell := strslice.StrSlice(append(getShell(runConfig, runtime.GOOS), "echo foo"))
+	envVars := []string{"|1", "one=two"}
+	cachedCmd := strslice.StrSlice(append(envVars, cmdWithShell...))
+
+	imageCache := &mockImageCache{
+		getCacheFunc: func(parentID string, cfg *container.Config) (string, error) {
+			// Check the runConfig.Cmd sent to probeCache()
+			assert.Check(t, is.DeepEqual(cachedCmd, cfg.Cmd))
+			assert.Check(t, is.DeepEqual(strslice.StrSlice(nil), cfg.Entrypoint))
+			return "", nil
+		},
+	}
+
+	mockBackend := b.docker.(*MockBackend)
+	mockBackend.makeImageCacheFunc = func(_ []string) builder.ImageCache {
+		return imageCache
+	}
+	b.imageProber = newImageProber(mockBackend, nil, false)
+	mockBackend.getImageFunc = func(_ string) (builder.Image, builder.ROLayer, error) {
+		return &mockImage{
+			id:     "abcdef",
+			config: &container.Config{Cmd: origCmd},
+		}, nil, nil
+	}
+	mockBackend.containerCreateFunc = func(config types.ContainerCreateConfig) (container.ContainerCreateCreatedBody, error) {
+		// Check the runConfig.Cmd sent to create()
+		assert.Check(t, is.DeepEqual(cmdWithShell, config.Config.Cmd))
+		assert.Check(t, is.Contains(config.Config.Env, "one=two"))
+		assert.Check(t, is.DeepEqual(strslice.StrSlice{""}, config.Config.Entrypoint))
+		return container.ContainerCreateCreatedBody{ID: "12345"}, nil
+	}
+	mockBackend.commitFunc = func(cfg backend.CommitConfig) (image.ID, error) {
+		// Check the runConfig.Cmd sent to commit()
+		assert.Check(t, is.DeepEqual(origCmd, cfg.Config.Cmd))
+		assert.Check(t, is.DeepEqual(cachedCmd, cfg.ContainerConfig.Cmd))
+		assert.Check(t, is.DeepEqual(strslice.StrSlice(nil), cfg.Config.Entrypoint))
+		return "", nil
+	}
+	from := &instructions.Stage{BaseName: "abcdef"}
+	err := initializeStage(sb, from)
+	assert.NilError(t, err)
+	sb.state.buildArgs.AddArg("one", strPtr("two"))
+	run := &instructions.RunCommand{
+		ShellDependantCmdLine: instructions.ShellDependantCmdLine{
+			CmdLine:      strslice.StrSlice{"echo foo"},
+			PrependShell: true,
+		},
+	}
+	assert.NilError(t, dispatch(sb, run))
+
+	// Check that runConfig.Cmd has not been modified by run
+	assert.Check(t, is.DeepEqual(origCmd, sb.state.runConfig.Cmd))
+}
+
+func TestRunIgnoresHealthcheck(t *testing.T) {
+	b := newBuilderWithMockBackend()
+	args := NewBuildArgs(make(map[string]*string))
+	sb := newDispatchRequest(b, '`', nil, args, newStagesBuildResults())
+	b.disableCommit = false
+
+	origCmd := strslice.StrSlice([]string{"cmd", "in", "from", "image"})
+
+	imageCache := &mockImageCache{
+		getCacheFunc: func(parentID string, cfg *container.Config) (string, error) {
+			return "", nil
+		},
+	}
+
+	mockBackend := b.docker.(*MockBackend)
+	mockBackend.makeImageCacheFunc = func(_ []string) builder.ImageCache {
+		return imageCache
+	}
+	b.imageProber = newImageProber(mockBackend, nil, false)
+	mockBackend.getImageFunc = func(_ string) (builder.Image, builder.ROLayer, error) {
+		return &mockImage{
+			id:     "abcdef",
+			config: &container.Config{Cmd: origCmd},
+		}, nil, nil
+	}
+	mockBackend.containerCreateFunc = func(config types.ContainerCreateConfig) (container.ContainerCreateCreatedBody, error) {
+		return container.ContainerCreateCreatedBody{ID: "12345"}, nil
+	}
+	mockBackend.commitFunc = func(cfg backend.CommitConfig) (image.ID, error) {
+		return "", nil
+	}
+	from := &instructions.Stage{BaseName: "abcdef"}
+	err := initializeStage(sb, from)
+	assert.NilError(t, err)
+
+	expectedTest := []string{"CMD-SHELL", "curl -f http://localhost/ || exit 1"}
+	cmd := &instructions.HealthCheckCommand{
+		Health: &container.HealthConfig{
+			Test: expectedTest,
+		},
+	}
+	assert.NilError(t, dispatch(sb, cmd))
+	assert.Assert(t, sb.state.runConfig.Healthcheck != nil)
+
+	mockBackend.containerCreateFunc = func(config types.ContainerCreateConfig) (container.ContainerCreateCreatedBody, error) {
+		// Check the Healthcheck is disabled.
+		assert.Check(t, is.DeepEqual([]string{"NONE"}, config.Config.Healthcheck.Test))
+		return container.ContainerCreateCreatedBody{ID: "123456"}, nil
+	}
+
+	sb.state.buildArgs.AddArg("one", strPtr("two"))
+	run := &instructions.RunCommand{
+		ShellDependantCmdLine: instructions.ShellDependantCmdLine{
+			CmdLine:      strslice.StrSlice{"echo foo"},
+			PrependShell: true,
+		},
+	}
+	assert.NilError(t, dispatch(sb, run))
+	assert.Check(t, is.DeepEqual(expectedTest, sb.state.runConfig.Healthcheck.Test))
+}
diff --git a/engine/builder/dockerfile/dispatchers_unix.go b/engine/builder/dockerfile/dispatchers_unix.go
new file mode 100644
index 00000000..b3ba3803
--- /dev/null
+++ b/engine/builder/dockerfile/dispatchers_unix.go
@@ -0,0 +1,23 @@
+// +build !windows
+
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"errors"
+	"os"
+	"path/filepath"
+)
+
+// normalizeWorkdir normalizes a user requested working directory in a
+// platform semantically consistent way.
+func normalizeWorkdir(_ string, current string, requested string) (string, error) {
+	if requested == "" {
+		return "", errors.New("cannot normalize nothing")
+	}
+	current = filepath.FromSlash(current)
+	requested = filepath.FromSlash(requested)
+	if !filepath.IsAbs(requested) {
+		return filepath.Join(string(os.PathSeparator), current, requested), nil
+	}
+	return requested, nil
+}
diff --git a/engine/builder/dockerfile/dispatchers_unix_test.go b/engine/builder/dockerfile/dispatchers_unix_test.go
new file mode 100644
index 00000000..c2aebfbb
--- /dev/null
+++ b/engine/builder/dockerfile/dispatchers_unix_test.go
@@ -0,0 +1,34 @@
+// +build !windows
+
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"runtime"
+	"testing"
+)
+
+func TestNormalizeWorkdir(t *testing.T) {
+	testCases := []struct{ current, requested, expected, expectedError string }{
+		{``, ``, ``, `cannot normalize nothing`},
+		{``, `foo`, `/foo`, ``},
+		{``, `/foo`, `/foo`, ``},
+		{`/foo`, `bar`, `/foo/bar`, ``},
+		{`/foo`, `/bar`, `/bar`, ``},
+	}
+
+	for _, test := range testCases {
+		normalized, err := normalizeWorkdir(runtime.GOOS, test.current, test.requested)
+
+		if test.expectedError != "" && err == nil {
+			t.Fatalf("NormalizeWorkdir should return an error %s, got nil", test.expectedError)
+		}
+
+		if test.expectedError != "" && err.Error() != test.expectedError {
+			t.Fatalf("NormalizeWorkdir returned wrong error. Expected %s, got %s", test.expectedError, err.Error())
+		}
+
+		if normalized != test.expected {
+			t.Fatalf("NormalizeWorkdir error. Expected %s for current %s and requested %s, got %s", test.expected, test.current, test.requested, normalized)
+		}
+	}
+}
diff --git a/engine/builder/dockerfile/dispatchers_windows.go b/engine/builder/dockerfile/dispatchers_windows.go
new file mode 100644
index 00000000..7824d116
--- /dev/null
+++ b/engine/builder/dockerfile/dispatchers_windows.go
@@ -0,0 +1,95 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/docker/docker/pkg/system"
+)
+
+var pattern = regexp.MustCompile(`^[a-zA-Z]:\.$`)
+
+// normalizeWorkdir normalizes a user requested working directory in a
+// platform semantically consistent way.
+func normalizeWorkdir(platform string, current string, requested string) (string, error) {
+	if platform == "" {
+		platform = "windows"
+	}
+	if platform == "windows" {
+		return normalizeWorkdirWindows(current, requested)
+	}
+	return normalizeWorkdirUnix(current, requested)
+}
+
+// normalizeWorkdirUnix normalizes a user requested working directory in a
+// platform semantically consistent way.
+func normalizeWorkdirUnix(current string, requested string) (string, error) {
+	if requested == "" {
+		return "", errors.New("cannot normalize nothing")
+	}
+	current = strings.Replace(current, string(os.PathSeparator), "/", -1)
+	requested = strings.Replace(requested, string(os.PathSeparator), "/", -1)
+	if !path.IsAbs(requested) {
+		return path.Join(`/`, current, requested), nil
+	}
+	return requested, nil
+}
+
+// normalizeWorkdirWindows normalizes a user requested working directory in a
+// platform semantically consistent way.
+func normalizeWorkdirWindows(current string, requested string) (string, error) {
+	if requested == "" {
+		return "", errors.New("cannot normalize nothing")
+	}
+
+	// `filepath.Clean` will replace "" with "." so skip in that case
+	if current != "" {
+		current = filepath.Clean(current)
+	}
+	if requested != "" {
+		requested = filepath.Clean(requested)
+	}
+
+	// If either current or requested in Windows is:
+	// C:
+	// C:.
+	// then an error will be thrown as the definition for the above
+	// refers to `current directory on drive C:`
+	// Since filepath.Clean() will automatically normalize the above
+	// to `C:.`, we only need to check the last format
+	if pattern.MatchString(current) {
+		return "", fmt.Errorf("%s is not a directory. If you are specifying a drive letter, please add a trailing '\\'", current)
+	}
+	if pattern.MatchString(requested) {
+		return "", fmt.Errorf("%s is not a directory. If you are specifying a drive letter, please add a trailing '\\'", requested)
+	}
+
+	// Target semantics is C:\somefolder, specifically in the format:
+	// UPPERCASEDriveLetter-Colon-Backslash-FolderName. We are already
+	// guaranteed that `current`, if set, is consistent. This allows us to
+	// cope correctly with any of the following in a Dockerfile:
+	//	WORKDIR a                       --> C:\a
+	//	WORKDIR c:\\foo                 --> C:\foo
+	//	WORKDIR \\foo                   --> C:\foo
+	//	WORKDIR /foo                    --> C:\foo
+	//	WORKDIR c:\\foo \ WORKDIR bar   --> C:\foo --> C:\foo\bar
+	//	WORKDIR C:/foo \ WORKDIR bar    --> C:\foo --> C:\foo\bar
+	//	WORKDIR C:/foo \ WORKDIR \\bar  --> C:\foo --> C:\bar
+	//	WORKDIR /foo \ WORKDIR c:/bar   --> C:\foo --> C:\bar
+	if len(current) == 0 || system.IsAbs(requested) {
+		if (requested[0] == os.PathSeparator) ||
+			(len(requested) > 1 && string(requested[1]) != ":") ||
+			(len(requested) == 1) {
+			requested = filepath.Join(`C:\`, requested)
+		}
+	} else {
+		requested = filepath.Join(current, requested)
+	}
+	// Upper-case drive letter
+	return (strings.ToUpper(string(requested[0])) + requested[1:]), nil
+}
diff --git a/engine/builder/dockerfile/dispatchers_windows_test.go b/engine/builder/dockerfile/dispatchers_windows_test.go
new file mode 100644
index 00000000..ae72092c
--- /dev/null
+++ b/engine/builder/dockerfile/dispatchers_windows_test.go
@@ -0,0 +1,46 @@
+// +build windows
+
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import "testing"
+
+func TestNormalizeWorkdir(t *testing.T) {
+	tests := []struct{ platform, current, requested, expected, etext string }{
+		{"windows", ``, ``, ``, `cannot normalize nothing`},
+		{"windows", ``, `C:`, ``, `C:. is not a directory. If you are specifying a drive letter, please add a trailing '\'`},
+		{"windows", ``, `C:.`, ``, `C:. is not a directory. If you are specifying a drive letter, please add a trailing '\'`},
+		{"windows", `c:`, `\a`, ``, `c:. is not a directory. If you are specifying a drive letter, please add a trailing '\'`},
+		{"windows", `c:.`, `\a`, ``, `c:. is not a directory. If you are specifying a drive letter, please add a trailing '\'`},
+		{"windows", ``, `a`, `C:\a`, ``},
+		{"windows", ``, `c:\foo`, `C:\foo`, ``},
+		{"windows", ``, `c:\\foo`, `C:\foo`, ``},
+		{"windows", ``, `\foo`, `C:\foo`, ``},
+		{"windows", ``, `\\foo`, `C:\foo`, ``},
+		{"windows", ``, `/foo`, `C:\foo`, ``},
+		{"windows", ``, `C:/foo`, `C:\foo`, ``},
+		{"windows", `C:\foo`, `bar`, `C:\foo\bar`, ``},
+		{"windows", `C:\foo`, `/bar`, `C:\bar`, ``},
+		{"windows", `C:\foo`, `\bar`, `C:\bar`, ``},
+		{"linux", ``, ``, ``, `cannot normalize nothing`},
+		{"linux", ``, `foo`, `/foo`, ``},
+		{"linux", ``, `/foo`, `/foo`, ``},
+		{"linux", `/foo`, `bar`, `/foo/bar`, ``},
+		{"linux", `/foo`, `/bar`, `/bar`, ``},
+		{"linux", `\a`, `b\c`, `/a/b/c`, ``},
+	}
+	for _, i := range tests {
+		r, e := normalizeWorkdir(i.platform, i.current, i.requested)
+
+		if i.etext != "" && e == nil {
+			t.Fatalf("TestNormalizeWorkingDir Expected error %s for '%s' '%s', got no error", i.etext, i.current, i.requested)
+		}
+
+		if i.etext != "" && e.Error() != i.etext {
+			t.Fatalf("TestNormalizeWorkingDir Expected error %s for '%s' '%s', got %s", i.etext, i.current, i.requested, e.Error())
+		}
+
+		if r != i.expected {
+			t.Fatalf("TestNormalizeWorkingDir Expected '%s' for '%s' '%s', got '%s'", i.expected, i.current, i.requested, r)
+		}
+	}
+}
diff --git a/engine/builder/dockerfile/evaluator.go b/engine/builder/dockerfile/evaluator.go
new file mode 100644
index 00000000..02e14775
--- /dev/null
+++ b/engine/builder/dockerfile/evaluator.go
@@ -0,0 +1,250 @@
+// Package dockerfile is the evaluation step in the Dockerfile parse/evaluate pipeline.
+//
+// It incorporates a dispatch table based on the parser.Node values (see the
+// parser package for more information) that are yielded from the parser itself.
+// Calling newBuilder with the BuildOpts struct can be used to customize the
+// experience for execution purposes only. Parsing is controlled in the parser
+// package, and this division of responsibility should be respected.
+//
+// Please see the jump table targets for the actual invocations, most of which
+// will call out to the functions in internals.go to deal with their tasks.
+//
+// ONBUILD is a special case, which is covered in the onbuild() func in
+// dispatchers.go.
+//
+// The evaluator uses the concept of "steps", which are usually each processable
+// line in the Dockerfile. Each step is numbered and certain actions are taken
+// before and after each step, such as creating an image ID and removing temporary
+// containers and images. Note that ONBUILD creates a kinda-sorta "sub run" which
+// includes its own set of steps (usually only one of them).
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"reflect"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/runconfig/opts"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/buildkit/frontend/dockerfile/shell"
+	"github.com/pkg/errors"
+)
+
+func dispatch(d dispatchRequest, cmd instructions.Command) (err error) {
+	if c, ok := cmd.(instructions.PlatformSpecific); ok {
+		err := c.CheckPlatform(d.state.operatingSystem)
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+	}
+	runConfigEnv := d.state.runConfig.Env
+	envs := append(runConfigEnv, d.state.buildArgs.FilterAllowed(runConfigEnv)...)
+
+	if ex, ok := cmd.(instructions.SupportsSingleWordExpansion); ok {
+		err := ex.Expand(func(word string) (string, error) {
+			return d.shlex.ProcessWord(word, envs)
+		})
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+	}
+
+	defer func() {
+		if d.builder.options.ForceRemove {
+			d.builder.containerManager.RemoveAll(d.builder.Stdout)
+			return
+		}
+		if d.builder.options.Remove && err == nil {
+			d.builder.containerManager.RemoveAll(d.builder.Stdout)
+			return
+		}
+	}()
+	switch c := cmd.(type) {
+	case *instructions.EnvCommand:
+		return dispatchEnv(d, c)
+	case *instructions.MaintainerCommand:
+		return dispatchMaintainer(d, c)
+	case *instructions.LabelCommand:
+		return dispatchLabel(d, c)
+	case *instructions.AddCommand:
+		return dispatchAdd(d, c)
+	case *instructions.CopyCommand:
+		return dispatchCopy(d, c)
+	case *instructions.OnbuildCommand:
+		return dispatchOnbuild(d, c)
+	case *instructions.WorkdirCommand:
+		return dispatchWorkdir(d, c)
+	case *instructions.RunCommand:
+		return dispatchRun(d, c)
+	case *instructions.CmdCommand:
+		return dispatchCmd(d, c)
+	case *instructions.HealthCheckCommand:
+		return dispatchHealthcheck(d, c)
+	case *instructions.EntrypointCommand:
+		return dispatchEntrypoint(d, c)
+	case *instructions.ExposeCommand:
+		return dispatchExpose(d, c, envs)
+	case *instructions.UserCommand:
+		return dispatchUser(d, c)
+	case *instructions.VolumeCommand:
+		return dispatchVolume(d, c)
+	case *instructions.StopSignalCommand:
+		return dispatchStopSignal(d, c)
+	case *instructions.ArgCommand:
+		return dispatchArg(d, c)
+	case *instructions.ShellCommand:
+		return dispatchShell(d, c)
+	}
+	return errors.Errorf("unsupported command type: %v", reflect.TypeOf(cmd))
+}
+
+// dispatchState is a data object which is modified by dispatchers
+type dispatchState struct {
+	runConfig       *container.Config
+	maintainer      string
+	cmdSet          bool
+	imageID         string
+	baseImage       builder.Image
+	stageName       string
+	buildArgs       *BuildArgs
+	operatingSystem string
+}
+
+func newDispatchState(baseArgs *BuildArgs) *dispatchState {
+	args := baseArgs.Clone()
+	args.ResetAllowed()
+	return &dispatchState{runConfig: &container.Config{}, buildArgs: args}
+}
+
+type stagesBuildResults struct {
+	flat    []*container.Config
+	indexed map[string]*container.Config
+}
+
+func newStagesBuildResults() *stagesBuildResults {
+	return &stagesBuildResults{
+		indexed: make(map[string]*container.Config),
+	}
+}
+
+func (r *stagesBuildResults) getByName(name string) (*container.Config, bool) {
+	c, ok := r.indexed[strings.ToLower(name)]
+	return c, ok
+}
+
+func (r *stagesBuildResults) validateIndex(i int) error {
+	if i == len(r.flat) {
+		return errors.New("refers to current build stage")
+	}
+	if i < 0 || i > len(r.flat) {
+		return errors.New("index out of bounds")
+	}
+	return nil
+}
+
+func (r *stagesBuildResults) get(nameOrIndex string) (*container.Config, error) {
+	if c, ok := r.getByName(nameOrIndex); ok {
+		return c, nil
+	}
+	ix, err := strconv.ParseInt(nameOrIndex, 10, 0)
+	if err != nil {
+		return nil, nil
+	}
+	if err := r.validateIndex(int(ix)); err != nil {
+		return nil, err
+	}
+	return r.flat[ix], nil
+}
+
+func (r *stagesBuildResults) checkStageNameAvailable(name string) error {
+	if name != "" {
+		if _, ok := r.getByName(name); ok {
+			return errors.Errorf("%s stage name already used", name)
+		}
+	}
+	return nil
+}
+
+func (r *stagesBuildResults) commitStage(name string, config *container.Config) error {
+	if name != "" {
+		if _, ok := r.getByName(name); ok {
+			return errors.Errorf("%s stage name already used", name)
+		}
+		r.indexed[strings.ToLower(name)] = config
+	}
+	r.flat = append(r.flat, config)
+	return nil
+}
+
+func commitStage(state *dispatchState, stages *stagesBuildResults) error {
+	return stages.commitStage(state.stageName, state.runConfig)
+}
+
+type dispatchRequest struct {
+	state   *dispatchState
+	shlex   *shell.Lex
+	builder *Builder
+	source  builder.Source
+	stages  *stagesBuildResults
+}
+
+func newDispatchRequest(builder *Builder, escapeToken rune, source builder.Source, buildArgs *BuildArgs, stages *stagesBuildResults) dispatchRequest {
+	return dispatchRequest{
+		state:   newDispatchState(buildArgs),
+		shlex:   shell.NewLex(escapeToken),
+		builder: builder,
+		source:  source,
+		stages:  stages,
+	}
+}
+
+func (s *dispatchState) updateRunConfig() {
+	s.runConfig.Image = s.imageID
+}
+
+// hasFromImage returns true if the builder has processed a `FROM <image>` line
+func (s *dispatchState) hasFromImage() bool {
+	return s.imageID != "" || (s.baseImage != nil && s.baseImage.ImageID() == "")
+}
+
+func (s *dispatchState) beginStage(stageName string, image builder.Image) error {
+	s.stageName = stageName
+	s.imageID = image.ImageID()
+	s.operatingSystem = image.OperatingSystem()
+	if s.operatingSystem == "" { // In case it isn't set
+		s.operatingSystem = runtime.GOOS
+	}
+	if !system.IsOSSupported(s.operatingSystem) {
+		return system.ErrNotSupportedOperatingSystem
+	}
+
+	if image.RunConfig() != nil {
+		// copy avoids referencing the same instance when 2 stages have the same base
+		s.runConfig = copyRunConfig(image.RunConfig())
+	} else {
+		s.runConfig = &container.Config{}
+	}
+	s.baseImage = image
+	s.setDefaultPath()
+	s.runConfig.OpenStdin = false
+	s.runConfig.StdinOnce = false
+	return nil
+}
+
+// Add the default PATH to runConfig.ENV if one exists for the operating system and there
+// is no PATH set. Note that Windows containers on Windows won't have one as it's set by HCS
+func (s *dispatchState) setDefaultPath() {
+	defaultPath := system.DefaultPathEnv(s.operatingSystem)
+	if defaultPath == "" {
+		return
+	}
+	envMap := opts.ConvertKVStringsToMap(s.runConfig.Env)
+	if _, ok := envMap["PATH"]; !ok {
+		s.runConfig.Env = append(s.runConfig.Env, "PATH="+defaultPath)
+	}
+}
diff --git a/engine/builder/dockerfile/evaluator_test.go b/engine/builder/dockerfile/evaluator_test.go
new file mode 100644
index 00000000..fb79b238
--- /dev/null
+++ b/engine/builder/dockerfile/evaluator_test.go
@@ -0,0 +1,144 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"os"
+	"testing"
+
+	"github.com/docker/docker/builder/remotecontext"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/reexec"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+type dispatchTestCase struct {
+	name, expectedError string
+	cmd                 instructions.Command
+	files               map[string]string
+}
+
+func init() {
+	reexec.Init()
+}
+
+func initDispatchTestCases() []dispatchTestCase {
+	dispatchTestCases := []dispatchTestCase{
+		{
+			name: "ADD multiple files to file",
+			cmd: &instructions.AddCommand{SourcesAndDest: instructions.SourcesAndDest{
+				"file1.txt",
+				"file2.txt",
+				"test",
+			}},
+			expectedError: "When using ADD with more than one source file, the destination must be a directory and end with a /",
+			files:         map[string]string{"file1.txt": "test1", "file2.txt": "test2"},
+		},
+		{
+			name: "Wildcard ADD multiple files to file",
+			cmd: &instructions.AddCommand{SourcesAndDest: instructions.SourcesAndDest{
+				"file*.txt",
+				"test",
+			}},
+			expectedError: "When using ADD with more than one source file, the destination must be a directory and end with a /",
+			files:         map[string]string{"file1.txt": "test1", "file2.txt": "test2"},
+		},
+		{
+			name: "COPY multiple files to file",
+			cmd: &instructions.CopyCommand{SourcesAndDest: instructions.SourcesAndDest{
+				"file1.txt",
+				"file2.txt",
+				"test",
+			}},
+			expectedError: "When using COPY with more than one source file, the destination must be a directory and end with a /",
+			files:         map[string]string{"file1.txt": "test1", "file2.txt": "test2"},
+		},
+		{
+			name: "ADD multiple files to file with whitespace",
+			cmd: &instructions.AddCommand{SourcesAndDest: instructions.SourcesAndDest{
+				"test file1.txt",
+				"test file2.txt",
+				"test",
+			}},
+			expectedError: "When using ADD with more than one source file, the destination must be a directory and end with a /",
+			files:         map[string]string{"test file1.txt": "test1", "test file2.txt": "test2"},
+		},
+		{
+			name: "COPY multiple files to file with whitespace",
+			cmd: &instructions.CopyCommand{SourcesAndDest: instructions.SourcesAndDest{
+				"test file1.txt",
+				"test file2.txt",
+				"test",
+			}},
+			expectedError: "When using COPY with more than one source file, the destination must be a directory and end with a /",
+			files:         map[string]string{"test file1.txt": "test1", "test file2.txt": "test2"},
+		},
+		{
+			name: "COPY wildcard no files",
+			cmd: &instructions.CopyCommand{SourcesAndDest: instructions.SourcesAndDest{
+				"file*.txt",
+				"/tmp/",
+			}},
+			expectedError: "COPY failed: no source files were specified",
+			files:         nil,
+		},
+		{
+			name: "COPY url",
+			cmd: &instructions.CopyCommand{SourcesAndDest: instructions.SourcesAndDest{
+				"https://index.docker.io/robots.txt",
+				"/",
+			}},
+			expectedError: "source can't be a URL for COPY",
+			files:         nil,
+		}}
+
+	return dispatchTestCases
+}
+
+func TestDispatch(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	testCases := initDispatchTestCases()
+
+	for _, testCase := range testCases {
+		executeTestCase(t, testCase)
+	}
+}
+
+func executeTestCase(t *testing.T, testCase dispatchTestCase) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+	defer cleanup()
+
+	for filename, content := range testCase.files {
+		createTestTempFile(t, contextDir, filename, content, 0777)
+	}
+
+	tarStream, err := archive.Tar(contextDir, archive.Uncompressed)
+
+	if err != nil {
+		t.Fatalf("Error when creating tar stream: %s", err)
+	}
+
+	defer func() {
+		if err = tarStream.Close(); err != nil {
+			t.Fatalf("Error when closing tar stream: %s", err)
+		}
+	}()
+
+	context, err := remotecontext.FromArchive(tarStream)
+
+	if err != nil {
+		t.Fatalf("Error when creating tar context: %s", err)
+	}
+
+	defer func() {
+		if err = context.Close(); err != nil {
+			t.Fatalf("Error when closing tar context: %s", err)
+		}
+	}()
+
+	b := newBuilderWithMockBackend()
+	sb := newDispatchRequest(b, '`', context, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
+	err = dispatch(sb, testCase.cmd)
+	assert.Check(t, is.ErrorContains(err, testCase.expectedError))
+}
diff --git a/engine/builder/dockerfile/imagecontext.go b/engine/builder/dockerfile/imagecontext.go
new file mode 100644
index 00000000..08cb396a
--- /dev/null
+++ b/engine/builder/dockerfile/imagecontext.go
@@ -0,0 +1,122 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"context"
+	"runtime"
+
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/builder"
+	dockerimage "github.com/docker/docker/image"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type getAndMountFunc func(string, bool, *specs.Platform) (builder.Image, builder.ROLayer, error)
+
+// imageSources mounts images and provides a cache for mounted images. It tracks
+// all images so they can be unmounted at the end of the build.
+type imageSources struct {
+	byImageID map[string]*imageMount
+	mounts    []*imageMount
+	getImage  getAndMountFunc
+}
+
+func newImageSources(ctx context.Context, options builderOptions) *imageSources {
+	getAndMount := func(idOrRef string, localOnly bool, platform *specs.Platform) (builder.Image, builder.ROLayer, error) {
+		pullOption := backend.PullOptionNoPull
+		if !localOnly {
+			if options.Options.PullParent {
+				pullOption = backend.PullOptionForcePull
+			} else {
+				pullOption = backend.PullOptionPreferLocal
+			}
+		}
+		return options.Backend.GetImageAndReleasableLayer(ctx, idOrRef, backend.GetImageAndLayerOptions{
+			PullOption: pullOption,
+			AuthConfig: options.Options.AuthConfigs,
+			Output:     options.ProgressWriter.Output,
+			Platform:   platform,
+		})
+	}
+
+	return &imageSources{
+		byImageID: make(map[string]*imageMount),
+		getImage:  getAndMount,
+	}
+}
+
+func (m *imageSources) Get(idOrRef string, localOnly bool, platform *specs.Platform) (*imageMount, error) {
+	if im, ok := m.byImageID[idOrRef]; ok {
+		return im, nil
+	}
+
+	image, layer, err := m.getImage(idOrRef, localOnly, platform)
+	if err != nil {
+		return nil, err
+	}
+	im := newImageMount(image, layer)
+	m.Add(im)
+	return im, nil
+}
+
+func (m *imageSources) Unmount() (retErr error) {
+	for _, im := range m.mounts {
+		if err := im.unmount(); err != nil {
+			logrus.Error(err)
+			retErr = err
+		}
+	}
+	return
+}
+
+func (m *imageSources) Add(im *imageMount) {
+	switch im.image {
+	case nil:
+		// set the OS for scratch images
+		os := runtime.GOOS
+		// Windows does not support scratch except for LCOW
+		if runtime.GOOS == "windows" {
+			os = "linux"
+		}
+		im.image = &dockerimage.Image{V1Image: dockerimage.V1Image{OS: os}}
+	default:
+		m.byImageID[im.image.ImageID()] = im
+	}
+	m.mounts = append(m.mounts, im)
+}
+
+// imageMount is a reference to an image that can be used as a builder.Source
+type imageMount struct {
+	image  builder.Image
+	source builder.Source
+	layer  builder.ROLayer
+}
+
+func newImageMount(image builder.Image, layer builder.ROLayer) *imageMount {
+	im := &imageMount{image: image, layer: layer}
+	return im
+}
+
+func (im *imageMount) unmount() error {
+	if im.layer == nil {
+		return nil
+	}
+	if err := im.layer.Release(); err != nil {
+		return errors.Wrapf(err, "failed to unmount previous build image %s", im.image.ImageID())
+	}
+	im.layer = nil
+	return nil
+}
+
+func (im *imageMount) Image() builder.Image {
+	return im.image
+}
+
+func (im *imageMount) NewRWLayer() (builder.RWLayer, error) {
+	return im.layer.NewRWLayer()
+}
+
+func (im *imageMount) ImageID() string {
+	return im.image.ImageID()
+}
diff --git a/engine/builder/dockerfile/imageprobe.go b/engine/builder/dockerfile/imageprobe.go
new file mode 100644
index 00000000..6960bf88
--- /dev/null
+++ b/engine/builder/dockerfile/imageprobe.go
@@ -0,0 +1,63 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/builder"
+	"github.com/sirupsen/logrus"
+)
+
+// ImageProber exposes an Image cache to the Builder. It supports resetting a
+// cache.
+type ImageProber interface {
+	Reset()
+	Probe(parentID string, runConfig *container.Config) (string, error)
+}
+
+type imageProber struct {
+	cache       builder.ImageCache
+	reset       func() builder.ImageCache
+	cacheBusted bool
+}
+
+func newImageProber(cacheBuilder builder.ImageCacheBuilder, cacheFrom []string, noCache bool) ImageProber {
+	if noCache {
+		return &nopProber{}
+	}
+
+	reset := func() builder.ImageCache {
+		return cacheBuilder.MakeImageCache(cacheFrom)
+	}
+	return &imageProber{cache: reset(), reset: reset}
+}
+
+func (c *imageProber) Reset() {
+	c.cache = c.reset()
+	c.cacheBusted = false
+}
+
+// Probe checks if cache match can be found for current build instruction.
+// It returns the cachedID if there is a hit, and the empty string on miss
+func (c *imageProber) Probe(parentID string, runConfig *container.Config) (string, error) {
+	if c.cacheBusted {
+		return "", nil
+	}
+	cacheID, err := c.cache.GetCache(parentID, runConfig)
+	if err != nil {
+		return "", err
+	}
+	if len(cacheID) == 0 {
+		logrus.Debugf("[BUILDER] Cache miss: %s", runConfig.Cmd)
+		c.cacheBusted = true
+		return "", nil
+	}
+	logrus.Debugf("[BUILDER] Use cached version: %s", runConfig.Cmd)
+	return cacheID, nil
+}
+
+type nopProber struct{}
+
+func (c *nopProber) Reset() {}
+
+func (c *nopProber) Probe(_ string, _ *container.Config) (string, error) {
+	return "", nil
+}
diff --git a/engine/builder/dockerfile/internals.go b/engine/builder/dockerfile/internals.go
new file mode 100644
index 00000000..d892285a
--- /dev/null
+++ b/engine/builder/dockerfile/internals.go
@@ -0,0 +1,496 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+// internals for handling commands. Covers many areas and a lot of
+// non-contiguous functionality. Please read the comments.
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/chrootarchive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/go-connections/nat"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Archiver defines an interface for copying files from one destination to
+// another using Tar/Untar.
+type Archiver interface {
+	TarUntar(src, dst string) error
+	UntarPath(src, dst string) error
+	CopyWithTar(src, dst string) error
+	CopyFileWithTar(src, dst string) error
+	IDMappings() *idtools.IDMappings
+}
+
+// The builder will use the following interfaces if the container fs implements
+// these for optimized copies to and from the container.
+type extractor interface {
+	ExtractArchive(src io.Reader, dst string, opts *archive.TarOptions) error
+}
+
+type archiver interface {
+	ArchivePath(src string, opts *archive.TarOptions) (io.ReadCloser, error)
+}
+
+// helper functions to get tar/untar func
+func untarFunc(i interface{}) containerfs.UntarFunc {
+	if ea, ok := i.(extractor); ok {
+		return ea.ExtractArchive
+	}
+	return chrootarchive.Untar
+}
+
+func tarFunc(i interface{}) containerfs.TarFunc {
+	if ap, ok := i.(archiver); ok {
+		return ap.ArchivePath
+	}
+	return archive.TarWithOptions
+}
+
+func (b *Builder) getArchiver(src, dst containerfs.Driver) Archiver {
+	t, u := tarFunc(src), untarFunc(dst)
+	return &containerfs.Archiver{
+		SrcDriver:     src,
+		DstDriver:     dst,
+		Tar:           t,
+		Untar:         u,
+		IDMappingsVar: b.idMappings,
+	}
+}
+
+func (b *Builder) commit(dispatchState *dispatchState, comment string) error {
+	if b.disableCommit {
+		return nil
+	}
+	if !dispatchState.hasFromImage() {
+		return errors.New("Please provide a source image with `from` prior to commit")
+	}
+
+	runConfigWithCommentCmd := copyRunConfig(dispatchState.runConfig, withCmdComment(comment, dispatchState.operatingSystem))
+	id, err := b.probeAndCreate(dispatchState, runConfigWithCommentCmd)
+	if err != nil || id == "" {
+		return err
+	}
+
+	return b.commitContainer(dispatchState, id, runConfigWithCommentCmd)
+}
+
+func (b *Builder) commitContainer(dispatchState *dispatchState, id string, containerConfig *container.Config) error {
+	if b.disableCommit {
+		return nil
+	}
+
+	commitCfg := backend.CommitConfig{
+		Author: dispatchState.maintainer,
+		// TODO: this copy should be done by Commit()
+		Config:          copyRunConfig(dispatchState.runConfig),
+		ContainerConfig: containerConfig,
+		ContainerID:     id,
+	}
+
+	imageID, err := b.docker.CommitBuildStep(commitCfg)
+	dispatchState.imageID = string(imageID)
+	return err
+}
+
+func (b *Builder) exportImage(state *dispatchState, layer builder.RWLayer, parent builder.Image, runConfig *container.Config) error {
+	newLayer, err := layer.Commit()
+	if err != nil {
+		return err
+	}
+
+	// add an image mount without an image so the layer is properly unmounted
+	// if there is an error before we can add the full mount with image
+	b.imageSources.Add(newImageMount(nil, newLayer))
+
+	parentImage, ok := parent.(*image.Image)
+	if !ok {
+		return errors.Errorf("unexpected image type")
+	}
+
+	newImage := image.NewChildImage(parentImage, image.ChildConfig{
+		Author:          state.maintainer,
+		ContainerConfig: runConfig,
+		DiffID:          newLayer.DiffID(),
+		Config:          copyRunConfig(state.runConfig),
+	}, parentImage.OS)
+
+	// TODO: it seems strange to marshal this here instead of just passing in the
+	// image struct
+	config, err := newImage.MarshalJSON()
+	if err != nil {
+		return errors.Wrap(err, "failed to encode image config")
+	}
+
+	exportedImage, err := b.docker.CreateImage(config, state.imageID)
+	if err != nil {
+		return errors.Wrapf(err, "failed to export image")
+	}
+
+	state.imageID = exportedImage.ImageID()
+	b.imageSources.Add(newImageMount(exportedImage, newLayer))
+	return nil
+}
+
+func (b *Builder) performCopy(req dispatchRequest, inst copyInstruction) error {
+	state := req.state
+	srcHash := getSourceHashFromInfos(inst.infos)
+
+	var chownComment string
+	if inst.chownStr != "" {
+		chownComment = fmt.Sprintf("--chown=%s", inst.chownStr)
+	}
+	commentStr := fmt.Sprintf("%s %s%s in %s ", inst.cmdName, chownComment, srcHash, inst.dest)
+
+	// TODO: should this have been using origPaths instead of srcHash in the comment?
+	runConfigWithCommentCmd := copyRunConfig(
+		state.runConfig,
+		withCmdCommentString(commentStr, state.operatingSystem))
+	hit, err := b.probeCache(state, runConfigWithCommentCmd)
+	if err != nil || hit {
+		return err
+	}
+
+	imageMount, err := b.imageSources.Get(state.imageID, true, req.builder.platform)
+	if err != nil {
+		return errors.Wrapf(err, "failed to get destination image %q", state.imageID)
+	}
+
+	rwLayer, err := imageMount.NewRWLayer()
+	if err != nil {
+		return err
+	}
+	defer rwLayer.Release()
+
+	destInfo, err := createDestInfo(state.runConfig.WorkingDir, inst, rwLayer, state.operatingSystem)
+	if err != nil {
+		return err
+	}
+
+	chownPair := b.idMappings.RootPair()
+	// if a chown was requested, perform the steps to get the uid, gid
+	// translated (if necessary because of user namespaces), and replace
+	// the root pair with the chown pair for copy operations
+	if inst.chownStr != "" {
+		chownPair, err = parseChownFlag(inst.chownStr, destInfo.root.Path(), b.idMappings)
+		if err != nil {
+			return errors.Wrapf(err, "unable to convert uid/gid chown string to host mapping")
+		}
+	}
+
+	for _, info := range inst.infos {
+		opts := copyFileOptions{
+			decompress: inst.allowLocalDecompression,
+			archiver:   b.getArchiver(info.root, destInfo.root),
+			chownPair:  chownPair,
+		}
+		if err := performCopyForInfo(destInfo, info, opts); err != nil {
+			return errors.Wrapf(err, "failed to copy files")
+		}
+	}
+	return b.exportImage(state, rwLayer, imageMount.Image(), runConfigWithCommentCmd)
+}
+
+func createDestInfo(workingDir string, inst copyInstruction, rwLayer builder.RWLayer, platform string) (copyInfo, error) {
+	// Twiddle the destination when it's a relative path - meaning, make it
+	// relative to the WORKINGDIR
+	dest, err := normalizeDest(workingDir, inst.dest, platform)
+	if err != nil {
+		return copyInfo{}, errors.Wrapf(err, "invalid %s", inst.cmdName)
+	}
+
+	return copyInfo{root: rwLayer.Root(), path: dest}, nil
+}
+
+// normalizeDest normalises the destination of a COPY/ADD command in a
+// platform semantically consistent way.
+func normalizeDest(workingDir, requested string, platform string) (string, error) {
+	dest := fromSlash(requested, platform)
+	endsInSlash := strings.HasSuffix(dest, string(separator(platform)))
+
+	if platform != "windows" {
+		if !path.IsAbs(requested) {
+			dest = path.Join("/", filepath.ToSlash(workingDir), dest)
+			// Make sure we preserve any trailing slash
+			if endsInSlash {
+				dest += "/"
+			}
+		}
+		return dest, nil
+	}
+
+	// We are guaranteed that the working directory is already consistent,
+	// However, Windows also has, for now, the limitation that ADD/COPY can
+	// only be done to the system drive, not any drives that might be present
+	// as a result of a bind mount.
+	//
+	// So... if the path requested is Linux-style absolute (/foo or \\foo),
+	// we assume it is the system drive. If it is a Windows-style absolute
+	// (DRIVE:\\foo), error if DRIVE is not C. And finally, ensure we
+	// strip any configured working directories drive letter so that it
+	// can be subsequently legitimately converted to a Windows volume-style
+	// pathname.
+
+	// Not a typo - filepath.IsAbs, not system.IsAbs on this next check as
+	// we only want to validate where the DriveColon part has been supplied.
+	if filepath.IsAbs(dest) {
+		if strings.ToUpper(string(dest[0])) != "C" {
+			return "", fmt.Errorf("Windows does not support destinations not on the system drive (C:)")
+		}
+		dest = dest[2:] // Strip the drive letter
+	}
+
+	// Cannot handle relative where WorkingDir is not the system drive.
+	if len(workingDir) > 0 {
+		if ((len(workingDir) > 1) && !system.IsAbs(workingDir[2:])) || (len(workingDir) == 1) {
+			return "", fmt.Errorf("Current WorkingDir %s is not platform consistent", workingDir)
+		}
+		if !system.IsAbs(dest) {
+			if string(workingDir[0]) != "C" {
+				return "", fmt.Errorf("Windows does not support relative paths when WORKDIR is not the system drive")
+			}
+			dest = filepath.Join(string(os.PathSeparator), workingDir[2:], dest)
+			// Make sure we preserve any trailing slash
+			if endsInSlash {
+				dest += string(os.PathSeparator)
+			}
+		}
+	}
+	return dest, nil
+}
+
+// For backwards compat, if there's just one info then use it as the
+// cache look-up string, otherwise hash 'em all into one
+func getSourceHashFromInfos(infos []copyInfo) string {
+	if len(infos) == 1 {
+		return infos[0].hash
+	}
+	var hashs []string
+	for _, info := range infos {
+		hashs = append(hashs, info.hash)
+	}
+	return hashStringSlice("multi", hashs)
+}
+
+func hashStringSlice(prefix string, slice []string) string {
+	hasher := sha256.New()
+	hasher.Write([]byte(strings.Join(slice, ",")))
+	return prefix + ":" + hex.EncodeToString(hasher.Sum(nil))
+}
+
+type runConfigModifier func(*container.Config)
+
+func withCmd(cmd []string) runConfigModifier {
+	return func(runConfig *container.Config) {
+		runConfig.Cmd = cmd
+	}
+}
+
+// withCmdComment sets Cmd to a nop comment string. See withCmdCommentString for
+// why there are two almost identical versions of this.
+func withCmdComment(comment string, platform string) runConfigModifier {
+	return func(runConfig *container.Config) {
+		runConfig.Cmd = append(getShell(runConfig, platform), "#(nop) ", comment)
+	}
+}
+
+// withCmdCommentString exists to maintain compatibility with older versions.
+// A few instructions (workdir, copy, add) used a nop comment that is a single arg
+// where as all the other instructions used a two arg comment string. This
+// function implements the single arg version.
+func withCmdCommentString(comment string, platform string) runConfigModifier {
+	return func(runConfig *container.Config) {
+		runConfig.Cmd = append(getShell(runConfig, platform), "#(nop) "+comment)
+	}
+}
+
+func withEnv(env []string) runConfigModifier {
+	return func(runConfig *container.Config) {
+		runConfig.Env = env
+	}
+}
+
+// withEntrypointOverride sets an entrypoint on runConfig if the command is
+// not empty. The entrypoint is left unmodified if command is empty.
+//
+// The dockerfile RUN instruction expect to run without an entrypoint
+// so the runConfig entrypoint needs to be modified accordingly. ContainerCreate
+// will change a []string{""} entrypoint to nil, so we probe the cache with the
+// nil entrypoint.
+func withEntrypointOverride(cmd []string, entrypoint []string) runConfigModifier {
+	return func(runConfig *container.Config) {
+		if len(cmd) > 0 {
+			runConfig.Entrypoint = entrypoint
+		}
+	}
+}
+
+// withoutHealthcheck disables healthcheck.
+//
+// The dockerfile RUN instruction expect to run without healthcheck
+// so the runConfig Healthcheck needs to be disabled.
+func withoutHealthcheck() runConfigModifier {
+	return func(runConfig *container.Config) {
+		runConfig.Healthcheck = &container.HealthConfig{
+			Test: []string{"NONE"},
+		}
+	}
+}
+
+func copyRunConfig(runConfig *container.Config, modifiers ...runConfigModifier) *container.Config {
+	copy := *runConfig
+	copy.Cmd = copyStringSlice(runConfig.Cmd)
+	copy.Env = copyStringSlice(runConfig.Env)
+	copy.Entrypoint = copyStringSlice(runConfig.Entrypoint)
+	copy.OnBuild = copyStringSlice(runConfig.OnBuild)
+	copy.Shell = copyStringSlice(runConfig.Shell)
+
+	if copy.Volumes != nil {
+		copy.Volumes = make(map[string]struct{}, len(runConfig.Volumes))
+		for k, v := range runConfig.Volumes {
+			copy.Volumes[k] = v
+		}
+	}
+
+	if copy.ExposedPorts != nil {
+		copy.ExposedPorts = make(nat.PortSet, len(runConfig.ExposedPorts))
+		for k, v := range runConfig.ExposedPorts {
+			copy.ExposedPorts[k] = v
+		}
+	}
+
+	if copy.Labels != nil {
+		copy.Labels = make(map[string]string, len(runConfig.Labels))
+		for k, v := range runConfig.Labels {
+			copy.Labels[k] = v
+		}
+	}
+
+	for _, modifier := range modifiers {
+		modifier(&copy)
+	}
+	return &copy
+}
+
+func copyStringSlice(orig []string) []string {
+	if orig == nil {
+		return nil
+	}
+	return append([]string{}, orig...)
+}
+
+// getShell is a helper function which gets the right shell for prefixing the
+// shell-form of RUN, ENTRYPOINT and CMD instructions
+func getShell(c *container.Config, os string) []string {
+	if 0 == len(c.Shell) {
+		return append([]string{}, defaultShellForOS(os)[:]...)
+	}
+	return append([]string{}, c.Shell[:]...)
+}
+
+func (b *Builder) probeCache(dispatchState *dispatchState, runConfig *container.Config) (bool, error) {
+	cachedID, err := b.imageProber.Probe(dispatchState.imageID, runConfig)
+	if cachedID == "" || err != nil {
+		return false, err
+	}
+	fmt.Fprint(b.Stdout, " ---> Using cache\n")
+
+	dispatchState.imageID = cachedID
+	return true, nil
+}
+
+var defaultLogConfig = container.LogConfig{Type: "none"}
+
+func (b *Builder) probeAndCreate(dispatchState *dispatchState, runConfig *container.Config) (string, error) {
+	if hit, err := b.probeCache(dispatchState, runConfig); err != nil || hit {
+		return "", err
+	}
+	return b.create(runConfig)
+}
+
+func (b *Builder) create(runConfig *container.Config) (string, error) {
+	logrus.Debugf("[BUILDER] Command to be executed: %v", runConfig.Cmd)
+
+	isWCOW := runtime.GOOS == "windows" && b.platform != nil && b.platform.OS == "windows"
+	hostConfig := hostConfigFromOptions(b.options, isWCOW)
+	container, err := b.containerManager.Create(runConfig, hostConfig)
+	if err != nil {
+		return "", err
+	}
+	// TODO: could this be moved into containerManager.Create() ?
+	for _, warning := range container.Warnings {
+		fmt.Fprintf(b.Stdout, " ---> [Warning] %s\n", warning)
+	}
+	fmt.Fprintf(b.Stdout, " ---> Running in %s\n", stringid.TruncateID(container.ID))
+	return container.ID, nil
+}
+
+func hostConfigFromOptions(options *types.ImageBuildOptions, isWCOW bool) *container.HostConfig {
+	resources := container.Resources{
+		CgroupParent: options.CgroupParent,
+		CPUShares:    options.CPUShares,
+		CPUPeriod:    options.CPUPeriod,
+		CPUQuota:     options.CPUQuota,
+		CpusetCpus:   options.CPUSetCPUs,
+		CpusetMems:   options.CPUSetMems,
+		Memory:       options.Memory,
+		MemorySwap:   options.MemorySwap,
+		Ulimits:      options.Ulimits,
+	}
+
+	hc := &container.HostConfig{
+		SecurityOpt: options.SecurityOpt,
+		Isolation:   options.Isolation,
+		ShmSize:     options.ShmSize,
+		Resources:   resources,
+		NetworkMode: container.NetworkMode(options.NetworkMode),
+		// Set a log config to override any default value set on the daemon
+		LogConfig:  defaultLogConfig,
+		ExtraHosts: options.ExtraHosts,
+	}
+
+	// For WCOW, the default of 20GB hard-coded in the platform
+	// is too small for builder scenarios where many users are
+	// using RUN statements to install large amounts of data.
+	// Use 127GB as that's the default size of a VHD in Hyper-V.
+	if isWCOW {
+		hc.StorageOpt = make(map[string]string)
+		hc.StorageOpt["size"] = "127GB"
+	}
+
+	return hc
+}
+
+// fromSlash works like filepath.FromSlash but with a given OS platform field
+func fromSlash(path, platform string) string {
+	if platform == "windows" {
+		return strings.Replace(path, "/", "\\", -1)
+	}
+	return path
+}
+
+// separator returns a OS path separator for the given OS platform
+func separator(platform string) byte {
+	if platform == "windows" {
+		return '\\'
+	}
+	return '/'
+}
diff --git a/engine/builder/dockerfile/internals_linux.go b/engine/builder/dockerfile/internals_linux.go
new file mode 100644
index 00000000..1014b16a
--- /dev/null
+++ b/engine/builder/dockerfile/internals_linux.go
@@ -0,0 +1,88 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/symlink"
+	lcUser "github.com/opencontainers/runc/libcontainer/user"
+	"github.com/pkg/errors"
+)
+
+func parseChownFlag(chown, ctrRootPath string, idMappings *idtools.IDMappings) (idtools.IDPair, error) {
+	var userStr, grpStr string
+	parts := strings.Split(chown, ":")
+	if len(parts) > 2 {
+		return idtools.IDPair{}, errors.New("invalid chown string format: " + chown)
+	}
+	if len(parts) == 1 {
+		// if no group specified, use the user spec as group as well
+		userStr, grpStr = parts[0], parts[0]
+	} else {
+		userStr, grpStr = parts[0], parts[1]
+	}
+
+	passwdPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "passwd"), ctrRootPath)
+	if err != nil {
+		return idtools.IDPair{}, errors.Wrapf(err, "can't resolve /etc/passwd path in container rootfs")
+	}
+	groupPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "group"), ctrRootPath)
+	if err != nil {
+		return idtools.IDPair{}, errors.Wrapf(err, "can't resolve /etc/group path in container rootfs")
+	}
+	uid, err := lookupUser(userStr, passwdPath)
+	if err != nil {
+		return idtools.IDPair{}, errors.Wrapf(err, "can't find uid for user "+userStr)
+	}
+	gid, err := lookupGroup(grpStr, groupPath)
+	if err != nil {
+		return idtools.IDPair{}, errors.Wrapf(err, "can't find gid for group "+grpStr)
+	}
+
+	// convert as necessary because of user namespaces
+	chownPair, err := idMappings.ToHost(idtools.IDPair{UID: uid, GID: gid})
+	if err != nil {
+		return idtools.IDPair{}, errors.Wrapf(err, "unable to convert uid/gid to host mapping")
+	}
+	return chownPair, nil
+}
+
+func lookupUser(userStr, filepath string) (int, error) {
+	// if the string is actually a uid integer, parse to int and return
+	// as we don't need to translate with the help of files
+	uid, err := strconv.Atoi(userStr)
+	if err == nil {
+		return uid, nil
+	}
+	users, err := lcUser.ParsePasswdFileFilter(filepath, func(u lcUser.User) bool {
+		return u.Name == userStr
+	})
+	if err != nil {
+		return 0, err
+	}
+	if len(users) == 0 {
+		return 0, errors.New("no such user: " + userStr)
+	}
+	return users[0].Uid, nil
+}
+
+func lookupGroup(groupStr, filepath string) (int, error) {
+	// if the string is actually a gid integer, parse to int and return
+	// as we don't need to translate with the help of files
+	gid, err := strconv.Atoi(groupStr)
+	if err == nil {
+		return gid, nil
+	}
+	groups, err := lcUser.ParseGroupFileFilter(filepath, func(g lcUser.Group) bool {
+		return g.Name == groupStr
+	})
+	if err != nil {
+		return 0, err
+	}
+	if len(groups) == 0 {
+		return 0, errors.New("no such group: " + groupStr)
+	}
+	return groups[0].Gid, nil
+}
diff --git a/engine/builder/dockerfile/internals_linux_test.go b/engine/builder/dockerfile/internals_linux_test.go
new file mode 100644
index 00000000..1b3a9989
--- /dev/null
+++ b/engine/builder/dockerfile/internals_linux_test.go
@@ -0,0 +1,138 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/pkg/idtools"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestChownFlagParsing(t *testing.T) {
+	testFiles := map[string]string{
+		"passwd": `root:x:0:0::/bin:/bin/false
+bin:x:1:1::/bin:/bin/false
+wwwwww:x:21:33::/bin:/bin/false
+unicorn:x:1001:1002::/bin:/bin/false
+		`,
+		"group": `root:x:0:
+bin:x:1:
+wwwwww:x:33:
+unicorn:x:1002:
+somegrp:x:5555:
+othergrp:x:6666:
+		`,
+	}
+	// test mappings for validating use of maps
+	idMaps := []idtools.IDMap{
+		{
+			ContainerID: 0,
+			HostID:      100000,
+			Size:        65536,
+		},
+	}
+	remapped := idtools.NewIDMappingsFromMaps(idMaps, idMaps)
+	unmapped := &idtools.IDMappings{}
+
+	contextDir, cleanup := createTestTempDir(t, "", "builder-chown-parse-test")
+	defer cleanup()
+
+	if err := os.Mkdir(filepath.Join(contextDir, "etc"), 0755); err != nil {
+		t.Fatalf("error creating test directory: %v", err)
+	}
+
+	for filename, content := range testFiles {
+		createTestTempFile(t, filepath.Join(contextDir, "etc"), filename, content, 0644)
+	}
+
+	// positive tests
+	for _, testcase := range []struct {
+		name      string
+		chownStr  string
+		idMapping *idtools.IDMappings
+		expected  idtools.IDPair
+	}{
+		{
+			name:      "UIDNoMap",
+			chownStr:  "1",
+			idMapping: unmapped,
+			expected:  idtools.IDPair{UID: 1, GID: 1},
+		},
+		{
+			name:      "UIDGIDNoMap",
+			chownStr:  "0:1",
+			idMapping: unmapped,
+			expected:  idtools.IDPair{UID: 0, GID: 1},
+		},
+		{
+			name:      "UIDWithMap",
+			chownStr:  "0",
+			idMapping: remapped,
+			expected:  idtools.IDPair{UID: 100000, GID: 100000},
+		},
+		{
+			name:      "UIDGIDWithMap",
+			chownStr:  "1:33",
+			idMapping: remapped,
+			expected:  idtools.IDPair{UID: 100001, GID: 100033},
+		},
+		{
+			name:      "UserNoMap",
+			chownStr:  "bin:5555",
+			idMapping: unmapped,
+			expected:  idtools.IDPair{UID: 1, GID: 5555},
+		},
+		{
+			name:      "GroupWithMap",
+			chownStr:  "0:unicorn",
+			idMapping: remapped,
+			expected:  idtools.IDPair{UID: 100000, GID: 101002},
+		},
+		{
+			name:      "UserOnlyWithMap",
+			chownStr:  "unicorn",
+			idMapping: remapped,
+			expected:  idtools.IDPair{UID: 101001, GID: 101002},
+		},
+	} {
+		t.Run(testcase.name, func(t *testing.T) {
+			idPair, err := parseChownFlag(testcase.chownStr, contextDir, testcase.idMapping)
+			assert.NilError(t, err, "Failed to parse chown flag: %q", testcase.chownStr)
+			assert.Check(t, is.DeepEqual(testcase.expected, idPair), "chown flag mapping failure")
+		})
+	}
+
+	// error tests
+	for _, testcase := range []struct {
+		name      string
+		chownStr  string
+		idMapping *idtools.IDMappings
+		descr     string
+	}{
+		{
+			name:      "BadChownFlagFormat",
+			chownStr:  "bob:1:555",
+			idMapping: unmapped,
+			descr:     "invalid chown string format: bob:1:555",
+		},
+		{
+			name:      "UserNoExist",
+			chownStr:  "bob",
+			idMapping: unmapped,
+			descr:     "can't find uid for user bob: no such user: bob",
+		},
+		{
+			name:      "GroupNoExist",
+			chownStr:  "root:bob",
+			idMapping: unmapped,
+			descr:     "can't find gid for group bob: no such group: bob",
+		},
+	} {
+		t.Run(testcase.name, func(t *testing.T) {
+			_, err := parseChownFlag(testcase.chownStr, contextDir, testcase.idMapping)
+			assert.Check(t, is.Error(err, testcase.descr), "Expected error string doesn't match")
+		})
+	}
+}
diff --git a/engine/builder/dockerfile/internals_test.go b/engine/builder/dockerfile/internals_test.go
new file mode 100644
index 00000000..1c34fd38
--- /dev/null
+++ b/engine/builder/dockerfile/internals_test.go
@@ -0,0 +1,173 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/builder/remotecontext"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/go-connections/nat"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestEmptyDockerfile(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+	defer cleanup()
+
+	createTestTempFile(t, contextDir, builder.DefaultDockerfileName, "", 0777)
+
+	readAndCheckDockerfile(t, "emptyDockerfile", contextDir, "", "the Dockerfile (Dockerfile) cannot be empty")
+}
+
+func TestSymlinkDockerfile(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+	defer cleanup()
+
+	createTestSymlink(t, contextDir, builder.DefaultDockerfileName, "/etc/passwd")
+
+	// The reason the error is "Cannot locate specified Dockerfile" is because
+	// in the builder, the symlink is resolved within the context, therefore
+	// Dockerfile -> /etc/passwd becomes etc/passwd from the context which is
+	// a nonexistent file.
+	expectedError := fmt.Sprintf("Cannot locate specified Dockerfile: %s", builder.DefaultDockerfileName)
+
+	readAndCheckDockerfile(t, "symlinkDockerfile", contextDir, builder.DefaultDockerfileName, expectedError)
+}
+
+func TestDockerfileOutsideTheBuildContext(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+	defer cleanup()
+
+	expectedError := "Forbidden path outside the build context: ../../Dockerfile ()"
+
+	readAndCheckDockerfile(t, "DockerfileOutsideTheBuildContext", contextDir, "../../Dockerfile", expectedError)
+}
+
+func TestNonExistingDockerfile(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerfile-test")
+	defer cleanup()
+
+	expectedError := "Cannot locate specified Dockerfile: Dockerfile"
+
+	readAndCheckDockerfile(t, "NonExistingDockerfile", contextDir, "Dockerfile", expectedError)
+}
+
+func readAndCheckDockerfile(t *testing.T, testName, contextDir, dockerfilePath, expectedError string) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tarStream, err := archive.Tar(contextDir, archive.Uncompressed)
+	assert.NilError(t, err)
+
+	defer func() {
+		if err = tarStream.Close(); err != nil {
+			t.Fatalf("Error when closing tar stream: %s", err)
+		}
+	}()
+
+	if dockerfilePath == "" { // handled in BuildWithContext
+		dockerfilePath = builder.DefaultDockerfileName
+	}
+
+	config := backend.BuildConfig{
+		Options: &types.ImageBuildOptions{Dockerfile: dockerfilePath},
+		Source:  tarStream,
+	}
+	_, _, err = remotecontext.Detect(config)
+	assert.Check(t, is.Error(err, expectedError))
+}
+
+func TestCopyRunConfig(t *testing.T) {
+	defaultEnv := []string{"foo=1"}
+	defaultCmd := []string{"old"}
+
+	var testcases = []struct {
+		doc       string
+		modifiers []runConfigModifier
+		expected  *container.Config
+	}{
+		{
+			doc:       "Set the command",
+			modifiers: []runConfigModifier{withCmd([]string{"new"})},
+			expected: &container.Config{
+				Cmd: []string{"new"},
+				Env: defaultEnv,
+			},
+		},
+		{
+			doc:       "Set the command to a comment",
+			modifiers: []runConfigModifier{withCmdComment("comment", runtime.GOOS)},
+			expected: &container.Config{
+				Cmd: append(defaultShellForOS(runtime.GOOS), "#(nop) ", "comment"),
+				Env: defaultEnv,
+			},
+		},
+		{
+			doc: "Set the command and env",
+			modifiers: []runConfigModifier{
+				withCmd([]string{"new"}),
+				withEnv([]string{"one", "two"}),
+			},
+			expected: &container.Config{
+				Cmd: []string{"new"},
+				Env: []string{"one", "two"},
+			},
+		},
+	}
+
+	for _, testcase := range testcases {
+		runConfig := &container.Config{
+			Cmd: defaultCmd,
+			Env: defaultEnv,
+		}
+		runConfigCopy := copyRunConfig(runConfig, testcase.modifiers...)
+		assert.Check(t, is.DeepEqual(testcase.expected, runConfigCopy), testcase.doc)
+		// Assert the original was not modified
+		assert.Check(t, runConfig != runConfigCopy, testcase.doc)
+	}
+
+}
+
+func fullMutableRunConfig() *container.Config {
+	return &container.Config{
+		Cmd: []string{"command", "arg1"},
+		Env: []string{"env1=foo", "env2=bar"},
+		ExposedPorts: nat.PortSet{
+			"1000/tcp": {},
+			"1001/tcp": {},
+		},
+		Volumes: map[string]struct{}{
+			"one": {},
+			"two": {},
+		},
+		Entrypoint: []string{"entry", "arg1"},
+		OnBuild:    []string{"first", "next"},
+		Labels: map[string]string{
+			"label1": "value1",
+			"label2": "value2",
+		},
+		Shell: []string{"shell", "-c"},
+	}
+}
+
+func TestDeepCopyRunConfig(t *testing.T) {
+	runConfig := fullMutableRunConfig()
+	copy := copyRunConfig(runConfig)
+	assert.Check(t, is.DeepEqual(fullMutableRunConfig(), copy))
+
+	copy.Cmd[1] = "arg2"
+	copy.Env[1] = "env2=new"
+	copy.ExposedPorts["10002"] = struct{}{}
+	copy.Volumes["three"] = struct{}{}
+	copy.Entrypoint[1] = "arg2"
+	copy.OnBuild[0] = "start"
+	copy.Labels["label3"] = "value3"
+	copy.Shell[0] = "sh"
+	assert.Check(t, is.DeepEqual(fullMutableRunConfig(), runConfig))
+}
diff --git a/engine/builder/dockerfile/internals_windows.go b/engine/builder/dockerfile/internals_windows.go
new file mode 100644
index 00000000..26978b48
--- /dev/null
+++ b/engine/builder/dockerfile/internals_windows.go
@@ -0,0 +1,7 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import "github.com/docker/docker/pkg/idtools"
+
+func parseChownFlag(chown, ctrRootPath string, idMappings *idtools.IDMappings) (idtools.IDPair, error) {
+	return idMappings.RootPair(), nil
+}
diff --git a/engine/builder/dockerfile/internals_windows_test.go b/engine/builder/dockerfile/internals_windows_test.go
new file mode 100644
index 00000000..4f006234
--- /dev/null
+++ b/engine/builder/dockerfile/internals_windows_test.go
@@ -0,0 +1,53 @@
+// +build windows
+
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"fmt"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNormalizeDest(t *testing.T) {
+	tests := []struct{ current, requested, expected, etext string }{
+		{``, `D:\`, ``, `Windows does not support destinations not on the system drive (C:)`},
+		{``, `e:/`, ``, `Windows does not support destinations not on the system drive (C:)`},
+		{`invalid`, `./c1`, ``, `Current WorkingDir invalid is not platform consistent`},
+		{`C:`, ``, ``, `Current WorkingDir C: is not platform consistent`},
+		{`C`, ``, ``, `Current WorkingDir C is not platform consistent`},
+		{`D:\`, `.`, ``, "Windows does not support relative paths when WORKDIR is not the system drive"},
+		{``, `D`, `D`, ``},
+		{``, `./a1`, `.\a1`, ``},
+		{``, `.\b1`, `.\b1`, ``},
+		{``, `/`, `\`, ``},
+		{``, `\`, `\`, ``},
+		{``, `c:/`, `\`, ``},
+		{``, `c:\`, `\`, ``},
+		{``, `.`, `.`, ``},
+		{`C:\wdd`, `./a1`, `\wdd\a1`, ``},
+		{`C:\wde`, `.\b1`, `\wde\b1`, ``},
+		{`C:\wdf`, `/`, `\`, ``},
+		{`C:\wdg`, `\`, `\`, ``},
+		{`C:\wdh`, `c:/`, `\`, ``},
+		{`C:\wdi`, `c:\`, `\`, ``},
+		{`C:\wdj`, `.`, `\wdj`, ``},
+		{`C:\wdk`, `foo/bar`, `\wdk\foo\bar`, ``},
+		{`C:\wdl`, `foo\bar`, `\wdl\foo\bar`, ``},
+		{`C:\wdm`, `foo/bar/`, `\wdm\foo\bar\`, ``},
+		{`C:\wdn`, `foo\bar/`, `\wdn\foo\bar\`, ``},
+	}
+	for _, testcase := range tests {
+		msg := fmt.Sprintf("Input: %s, %s", testcase.current, testcase.requested)
+		actual, err := normalizeDest(testcase.current, testcase.requested, "windows")
+		if testcase.etext == "" {
+			if !assert.Check(t, err, msg) {
+				continue
+			}
+			assert.Check(t, is.Equal(testcase.expected, actual), msg)
+		} else {
+			assert.Check(t, is.ErrorContains(err, testcase.etext))
+		}
+	}
+}
diff --git a/engine/builder/dockerfile/metrics.go b/engine/builder/dockerfile/metrics.go
new file mode 100644
index 00000000..ceafa7ad
--- /dev/null
+++ b/engine/builder/dockerfile/metrics.go
@@ -0,0 +1,44 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"github.com/docker/go-metrics"
+)
+
+var (
+	buildsTriggered metrics.Counter
+	buildsFailed    metrics.LabeledCounter
+)
+
+// Build metrics prometheus messages, these values must be initialized before
+// using them. See the example below in the "builds_failed" metric definition.
+const (
+	metricsDockerfileSyntaxError        = "dockerfile_syntax_error"
+	metricsDockerfileEmptyError         = "dockerfile_empty_error"
+	metricsCommandNotSupportedError     = "command_not_supported_error"
+	metricsErrorProcessingCommandsError = "error_processing_commands_error"
+	metricsBuildTargetNotReachableError = "build_target_not_reachable_error"
+	metricsMissingOnbuildArgumentsError = "missing_onbuild_arguments_error"
+	metricsUnknownInstructionError      = "unknown_instruction_error"
+	metricsBuildCanceled                = "build_canceled"
+)
+
+func init() {
+	buildMetrics := metrics.NewNamespace("builder", "", nil)
+
+	buildsTriggered = buildMetrics.NewCounter("builds_triggered", "Number of triggered image builds")
+	buildsFailed = buildMetrics.NewLabeledCounter("builds_failed", "Number of failed image builds", "reason")
+	for _, r := range []string{
+		metricsDockerfileSyntaxError,
+		metricsDockerfileEmptyError,
+		metricsCommandNotSupportedError,
+		metricsErrorProcessingCommandsError,
+		metricsBuildTargetNotReachableError,
+		metricsMissingOnbuildArgumentsError,
+		metricsUnknownInstructionError,
+		metricsBuildCanceled,
+	} {
+		buildsFailed.WithValues(r)
+	}
+
+	metrics.Register(buildMetrics)
+}
diff --git a/engine/builder/dockerfile/mockbackend_test.go b/engine/builder/dockerfile/mockbackend_test.go
new file mode 100644
index 00000000..45cba00a
--- /dev/null
+++ b/engine/builder/dockerfile/mockbackend_test.go
@@ -0,0 +1,148 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"runtime"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/builder"
+	containerpkg "github.com/docker/docker/container"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/containerfs"
+)
+
+// MockBackend implements the builder.Backend interface for unit testing
+type MockBackend struct {
+	containerCreateFunc func(config types.ContainerCreateConfig) (container.ContainerCreateCreatedBody, error)
+	commitFunc          func(backend.CommitConfig) (image.ID, error)
+	getImageFunc        func(string) (builder.Image, builder.ROLayer, error)
+	makeImageCacheFunc  func(cacheFrom []string) builder.ImageCache
+}
+
+func (m *MockBackend) ContainerAttachRaw(cID string, stdin io.ReadCloser, stdout, stderr io.Writer, stream bool, attached chan struct{}) error {
+	return nil
+}
+
+func (m *MockBackend) ContainerCreate(config types.ContainerCreateConfig) (container.ContainerCreateCreatedBody, error) {
+	if m.containerCreateFunc != nil {
+		return m.containerCreateFunc(config)
+	}
+	return container.ContainerCreateCreatedBody{}, nil
+}
+
+func (m *MockBackend) ContainerRm(name string, config *types.ContainerRmConfig) error {
+	return nil
+}
+
+func (m *MockBackend) CommitBuildStep(c backend.CommitConfig) (image.ID, error) {
+	if m.commitFunc != nil {
+		return m.commitFunc(c)
+	}
+	return "", nil
+}
+
+func (m *MockBackend) ContainerKill(containerID string, sig uint64) error {
+	return nil
+}
+
+func (m *MockBackend) ContainerStart(containerID string, hostConfig *container.HostConfig, checkpoint string, checkpointDir string) error {
+	return nil
+}
+
+func (m *MockBackend) ContainerWait(ctx context.Context, containerID string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error) {
+	return nil, nil
+}
+
+func (m *MockBackend) ContainerCreateWorkdir(containerID string) error {
+	return nil
+}
+
+func (m *MockBackend) CopyOnBuild(containerID string, destPath string, srcRoot string, srcPath string, decompress bool) error {
+	return nil
+}
+
+func (m *MockBackend) GetImageAndReleasableLayer(ctx context.Context, refOrID string, opts backend.GetImageAndLayerOptions) (builder.Image, builder.ROLayer, error) {
+	if m.getImageFunc != nil {
+		return m.getImageFunc(refOrID)
+	}
+
+	return &mockImage{id: "theid"}, &mockLayer{}, nil
+}
+
+func (m *MockBackend) MakeImageCache(cacheFrom []string) builder.ImageCache {
+	if m.makeImageCacheFunc != nil {
+		return m.makeImageCacheFunc(cacheFrom)
+	}
+	return nil
+}
+
+func (m *MockBackend) CreateImage(config []byte, parent string) (builder.Image, error) {
+	return nil, nil
+}
+
+type mockImage struct {
+	id     string
+	config *container.Config
+}
+
+func (i *mockImage) ImageID() string {
+	return i.id
+}
+
+func (i *mockImage) RunConfig() *container.Config {
+	return i.config
+}
+
+func (i *mockImage) OperatingSystem() string {
+	return runtime.GOOS
+}
+
+func (i *mockImage) MarshalJSON() ([]byte, error) {
+	type rawImage mockImage
+	return json.Marshal(rawImage(*i))
+}
+
+type mockImageCache struct {
+	getCacheFunc func(parentID string, cfg *container.Config) (string, error)
+}
+
+func (mic *mockImageCache) GetCache(parentID string, cfg *container.Config) (string, error) {
+	if mic.getCacheFunc != nil {
+		return mic.getCacheFunc(parentID, cfg)
+	}
+	return "", nil
+}
+
+type mockLayer struct{}
+
+func (l *mockLayer) Release() error {
+	return nil
+}
+
+func (l *mockLayer) NewRWLayer() (builder.RWLayer, error) {
+	return &mockRWLayer{}, nil
+}
+
+func (l *mockLayer) DiffID() layer.DiffID {
+	return layer.DiffID("abcdef")
+}
+
+type mockRWLayer struct {
+}
+
+func (l *mockRWLayer) Release() error {
+	return nil
+}
+
+func (l *mockRWLayer) Commit() (builder.ROLayer, error) {
+	return nil, nil
+}
+
+func (l *mockRWLayer) Root() containerfs.ContainerFS {
+	return nil
+}
diff --git a/engine/builder/dockerfile/utils_test.go b/engine/builder/dockerfile/utils_test.go
new file mode 100644
index 00000000..3d615f34
--- /dev/null
+++ b/engine/builder/dockerfile/utils_test.go
@@ -0,0 +1,50 @@
+package dockerfile // import "github.com/docker/docker/builder/dockerfile"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// createTestTempDir creates a temporary directory for testing.
+// It returns the created path and a cleanup function which is meant to be used as deferred call.
+// When an error occurs, it terminates the test.
+func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) {
+	path, err := ioutil.TempDir(dir, prefix)
+
+	if err != nil {
+		t.Fatalf("Error when creating directory %s with prefix %s: %s", dir, prefix, err)
+	}
+
+	return path, func() {
+		err = os.RemoveAll(path)
+
+		if err != nil {
+			t.Fatalf("Error when removing directory %s: %s", path, err)
+		}
+	}
+}
+
+// createTestTempFile creates a temporary file within dir with specific contents and permissions.
+// When an error occurs, it terminates the test
+func createTestTempFile(t *testing.T, dir, filename, contents string, perm os.FileMode) string {
+	filePath := filepath.Join(dir, filename)
+	err := ioutil.WriteFile(filePath, []byte(contents), perm)
+
+	if err != nil {
+		t.Fatalf("Error when creating %s file: %s", filename, err)
+	}
+
+	return filePath
+}
+
+// createTestSymlink creates a symlink file within dir which points to oldname
+func createTestSymlink(t *testing.T, dir, filename, oldname string) string {
+	filePath := filepath.Join(dir, filename)
+	if err := os.Symlink(oldname, filePath); err != nil {
+		t.Fatalf("Error when creating %s symlink to %s: %s", filename, oldname, err)
+	}
+
+	return filePath
+}
diff --git a/engine/builder/dockerignore/dockerignore.go b/engine/builder/dockerignore/dockerignore.go
new file mode 100644
index 00000000..57f224af
--- /dev/null
+++ b/engine/builder/dockerignore/dockerignore.go
@@ -0,0 +1,64 @@
+package dockerignore // import "github.com/docker/docker/builder/dockerignore"
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"path/filepath"
+	"strings"
+)
+
+// ReadAll reads a .dockerignore file and returns the list of file patterns
+// to ignore. Note this will trim whitespace from each line as well
+// as use GO's "clean" func to get the shortest/cleanest path for each.
+func ReadAll(reader io.Reader) ([]string, error) {
+	if reader == nil {
+		return nil, nil
+	}
+
+	scanner := bufio.NewScanner(reader)
+	var excludes []string
+	currentLine := 0
+
+	utf8bom := []byte{0xEF, 0xBB, 0xBF}
+	for scanner.Scan() {
+		scannedBytes := scanner.Bytes()
+		// We trim UTF8 BOM
+		if currentLine == 0 {
+			scannedBytes = bytes.TrimPrefix(scannedBytes, utf8bom)
+		}
+		pattern := string(scannedBytes)
+		currentLine++
+		// Lines starting with # (comments) are ignored before processing
+		if strings.HasPrefix(pattern, "#") {
+			continue
+		}
+		pattern = strings.TrimSpace(pattern)
+		if pattern == "" {
+			continue
+		}
+		// normalize absolute paths to paths relative to the context
+		// (taking care of '!' prefix)
+		invert := pattern[0] == '!'
+		if invert {
+			pattern = strings.TrimSpace(pattern[1:])
+		}
+		if len(pattern) > 0 {
+			pattern = filepath.Clean(pattern)
+			pattern = filepath.ToSlash(pattern)
+			if len(pattern) > 1 && pattern[0] == '/' {
+				pattern = pattern[1:]
+			}
+		}
+		if invert {
+			pattern = "!" + pattern
+		}
+
+		excludes = append(excludes, pattern)
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, fmt.Errorf("Error reading .dockerignore: %v", err)
+	}
+	return excludes, nil
+}
diff --git a/engine/builder/dockerignore/dockerignore_test.go b/engine/builder/dockerignore/dockerignore_test.go
new file mode 100644
index 00000000..06186cc1
--- /dev/null
+++ b/engine/builder/dockerignore/dockerignore_test.go
@@ -0,0 +1,69 @@
+package dockerignore // import "github.com/docker/docker/builder/dockerignore"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestReadAll(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "dockerignore-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	di, err := ReadAll(nil)
+	if err != nil {
+		t.Fatalf("Expected not to have error, got %v", err)
+	}
+
+	if diLen := len(di); diLen != 0 {
+		t.Fatalf("Expected to have zero dockerignore entry, got %d", diLen)
+	}
+
+	diName := filepath.Join(tmpDir, ".dockerignore")
+	content := fmt.Sprintf("test1\n/test2\n/a/file/here\n\nlastfile\n# this is a comment\n! /inverted/abs/path\n!\n! \n")
+	err = ioutil.WriteFile(diName, []byte(content), 0777)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	diFd, err := os.Open(diName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer diFd.Close()
+
+	di, err = ReadAll(diFd)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(di) != 7 {
+		t.Fatalf("Expected 5 entries, got %v", len(di))
+	}
+	if di[0] != "test1" {
+		t.Fatal("First element is not test1")
+	}
+	if di[1] != "test2" { // according to https://docs.docker.com/engine/reference/builder/#dockerignore-file, /foo/bar should be treated as foo/bar
+		t.Fatal("Second element is not test2")
+	}
+	if di[2] != "a/file/here" { // according to https://docs.docker.com/engine/reference/builder/#dockerignore-file, /foo/bar should be treated as foo/bar
+		t.Fatal("Third element is not a/file/here")
+	}
+	if di[3] != "lastfile" {
+		t.Fatal("Fourth element is not lastfile")
+	}
+	if di[4] != "!inverted/abs/path" {
+		t.Fatal("Fifth element is not !inverted/abs/path")
+	}
+	if di[5] != "!" {
+		t.Fatalf("Sixth element is not !, but %s", di[5])
+	}
+	if di[6] != "!" {
+		t.Fatalf("Sixth element is not !, but %s", di[6])
+	}
+}
diff --git a/engine/builder/fscache/fscache.go b/engine/builder/fscache/fscache.go
new file mode 100644
index 00000000..92c3ea4a
--- /dev/null
+++ b/engine/builder/fscache/fscache.go
@@ -0,0 +1,652 @@
+package fscache // import "github.com/docker/docker/builder/fscache"
+
+import (
+	"archive/tar"
+	"context"
+	"crypto/sha256"
+	"encoding/json"
+	"hash"
+	"os"
+	"path/filepath"
+	"sort"
+	"sync"
+	"time"
+
+	"github.com/boltdb/bolt"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/builder/remotecontext"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/directory"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/tarsum"
+	"github.com/moby/buildkit/session/filesync"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/tonistiigi/fsutil"
+	"golang.org/x/sync/singleflight"
+)
+
+const dbFile = "fscache.db"
+const cacheKey = "cache"
+const metaKey = "meta"
+
+// Backend is a backing implementation for FSCache
+type Backend interface {
+	Get(id string) (string, error)
+	Remove(id string) error
+}
+
+// FSCache allows syncing remote resources to cached snapshots
+type FSCache struct {
+	opt        Opt
+	transports map[string]Transport
+	mu         sync.Mutex
+	g          singleflight.Group
+	store      *fsCacheStore
+}
+
+// Opt defines options for initializing FSCache
+type Opt struct {
+	Backend  Backend
+	Root     string // for storing local metadata
+	GCPolicy GCPolicy
+}
+
+// GCPolicy defines policy for garbage collection
+type GCPolicy struct {
+	MaxSize         uint64
+	MaxKeepDuration time.Duration
+}
+
+// NewFSCache returns new FSCache object
+func NewFSCache(opt Opt) (*FSCache, error) {
+	store, err := newFSCacheStore(opt)
+	if err != nil {
+		return nil, err
+	}
+	return &FSCache{
+		store:      store,
+		opt:        opt,
+		transports: make(map[string]Transport),
+	}, nil
+}
+
+// Transport defines a method for syncing remote data to FSCache
+type Transport interface {
+	Copy(ctx context.Context, id RemoteIdentifier, dest string, cs filesync.CacheUpdater) error
+}
+
+// RemoteIdentifier identifies a transfer request
+type RemoteIdentifier interface {
+	Key() string
+	SharedKey() string
+	Transport() string
+}
+
+// RegisterTransport registers a new transport method
+func (fsc *FSCache) RegisterTransport(id string, transport Transport) error {
+	fsc.mu.Lock()
+	defer fsc.mu.Unlock()
+	if _, ok := fsc.transports[id]; ok {
+		return errors.Errorf("transport %v already exists", id)
+	}
+	fsc.transports[id] = transport
+	return nil
+}
+
+// SyncFrom returns a source based on a remote identifier
+func (fsc *FSCache) SyncFrom(ctx context.Context, id RemoteIdentifier) (builder.Source, error) { // cacheOpt
+	trasportID := id.Transport()
+	fsc.mu.Lock()
+	transport, ok := fsc.transports[id.Transport()]
+	if !ok {
+		fsc.mu.Unlock()
+		return nil, errors.Errorf("invalid transport %s", trasportID)
+	}
+
+	logrus.Debugf("SyncFrom %s %s", id.Key(), id.SharedKey())
+	fsc.mu.Unlock()
+	sourceRef, err, _ := fsc.g.Do(id.Key(), func() (interface{}, error) {
+		var sourceRef *cachedSourceRef
+		sourceRef, err := fsc.store.Get(id.Key())
+		if err == nil {
+			return sourceRef, nil
+		}
+
+		// check for unused shared cache
+		sharedKey := id.SharedKey()
+		if sharedKey != "" {
+			r, err := fsc.store.Rebase(sharedKey, id.Key())
+			if err == nil {
+				sourceRef = r
+			}
+		}
+
+		if sourceRef == nil {
+			var err error
+			sourceRef, err = fsc.store.New(id.Key(), sharedKey)
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to create remote context")
+			}
+		}
+
+		if err := syncFrom(ctx, sourceRef, transport, id); err != nil {
+			sourceRef.Release()
+			return nil, err
+		}
+		if err := sourceRef.resetSize(-1); err != nil {
+			return nil, err
+		}
+		return sourceRef, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	ref := sourceRef.(*cachedSourceRef)
+	if ref.src == nil { // failsafe
+		return nil, errors.Errorf("invalid empty pull")
+	}
+	wc := &wrappedContext{Source: ref.src, closer: func() error {
+		ref.Release()
+		return nil
+	}}
+	return wc, nil
+}
+
+// DiskUsage reports how much data is allocated by the cache
+func (fsc *FSCache) DiskUsage(ctx context.Context) (int64, error) {
+	return fsc.store.DiskUsage(ctx)
+}
+
+// Prune allows manually cleaning up the cache
+func (fsc *FSCache) Prune(ctx context.Context) (uint64, error) {
+	return fsc.store.Prune(ctx)
+}
+
+// Close stops the gc and closes the persistent db
+func (fsc *FSCache) Close() error {
+	return fsc.store.Close()
+}
+
+func syncFrom(ctx context.Context, cs *cachedSourceRef, transport Transport, id RemoteIdentifier) (retErr error) {
+	src := cs.src
+	if src == nil {
+		src = remotecontext.NewCachableSource(cs.Dir())
+	}
+
+	if !cs.cached {
+		if err := cs.storage.db.View(func(tx *bolt.Tx) error {
+			b := tx.Bucket([]byte(id.Key()))
+			dt := b.Get([]byte(cacheKey))
+			if dt != nil {
+				if err := src.UnmarshalBinary(dt); err != nil {
+					return err
+				}
+			} else {
+				return errors.Wrap(src.Scan(), "failed to scan cache records")
+			}
+			return nil
+		}); err != nil {
+			return err
+		}
+	}
+
+	dc := &detectChanges{f: src.HandleChange}
+
+	// todo: probably send a bucket to `Copy` and let it return source
+	// but need to make sure that tx is safe
+	if err := transport.Copy(ctx, id, cs.Dir(), dc); err != nil {
+		return errors.Wrapf(err, "failed to copy to %s", cs.Dir())
+	}
+
+	if !dc.supported {
+		if err := src.Scan(); err != nil {
+			return errors.Wrap(err, "failed to scan cache records after transfer")
+		}
+	}
+	cs.cached = true
+	cs.src = src
+	return cs.storage.db.Update(func(tx *bolt.Tx) error {
+		dt, err := src.MarshalBinary()
+		if err != nil {
+			return err
+		}
+		b := tx.Bucket([]byte(id.Key()))
+		return b.Put([]byte(cacheKey), dt)
+	})
+}
+
+type fsCacheStore struct {
+	mu       sync.Mutex
+	sources  map[string]*cachedSource
+	db       *bolt.DB
+	fs       Backend
+	gcTimer  *time.Timer
+	gcPolicy GCPolicy
+}
+
+// CachePolicy defines policy for keeping a resource in cache
+type CachePolicy struct {
+	Priority int
+	LastUsed time.Time
+}
+
+func defaultCachePolicy() CachePolicy {
+	return CachePolicy{Priority: 10, LastUsed: time.Now()}
+}
+
+func newFSCacheStore(opt Opt) (*fsCacheStore, error) {
+	if err := os.MkdirAll(opt.Root, 0700); err != nil {
+		return nil, err
+	}
+	p := filepath.Join(opt.Root, dbFile)
+	db, err := bolt.Open(p, 0600, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to open database file %s")
+	}
+	s := &fsCacheStore{db: db, sources: make(map[string]*cachedSource), fs: opt.Backend, gcPolicy: opt.GCPolicy}
+	db.View(func(tx *bolt.Tx) error {
+		return tx.ForEach(func(name []byte, b *bolt.Bucket) error {
+			dt := b.Get([]byte(metaKey))
+			if dt == nil {
+				return nil
+			}
+			var sm sourceMeta
+			if err := json.Unmarshal(dt, &sm); err != nil {
+				return err
+			}
+			dir, err := s.fs.Get(sm.BackendID)
+			if err != nil {
+				return err // TODO: handle gracefully
+			}
+			source := &cachedSource{
+				refs:       make(map[*cachedSourceRef]struct{}),
+				id:         string(name),
+				dir:        dir,
+				sourceMeta: sm,
+				storage:    s,
+			}
+			s.sources[string(name)] = source
+			return nil
+		})
+	})
+
+	s.gcTimer = s.startPeriodicGC(5 * time.Minute)
+	return s, nil
+}
+
+func (s *fsCacheStore) startPeriodicGC(interval time.Duration) *time.Timer {
+	var t *time.Timer
+	t = time.AfterFunc(interval, func() {
+		if err := s.GC(); err != nil {
+			logrus.Errorf("build gc error: %v", err)
+		}
+		t.Reset(interval)
+	})
+	return t
+}
+
+func (s *fsCacheStore) Close() error {
+	s.gcTimer.Stop()
+	return s.db.Close()
+}
+
+func (s *fsCacheStore) New(id, sharedKey string) (*cachedSourceRef, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	var ret *cachedSource
+	if err := s.db.Update(func(tx *bolt.Tx) error {
+		b, err := tx.CreateBucket([]byte(id))
+		if err != nil {
+			return err
+		}
+		backendID := stringid.GenerateRandomID()
+		dir, err := s.fs.Get(backendID)
+		if err != nil {
+			return err
+		}
+		source := &cachedSource{
+			refs: make(map[*cachedSourceRef]struct{}),
+			id:   id,
+			dir:  dir,
+			sourceMeta: sourceMeta{
+				BackendID:   backendID,
+				SharedKey:   sharedKey,
+				CachePolicy: defaultCachePolicy(),
+			},
+			storage: s,
+		}
+		dt, err := json.Marshal(source.sourceMeta)
+		if err != nil {
+			return err
+		}
+		if err := b.Put([]byte(metaKey), dt); err != nil {
+			return err
+		}
+		s.sources[id] = source
+		ret = source
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	return ret.getRef(), nil
+}
+
+func (s *fsCacheStore) Rebase(sharedKey, newid string) (*cachedSourceRef, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	var ret *cachedSource
+	for id, snap := range s.sources {
+		if snap.SharedKey == sharedKey && len(snap.refs) == 0 {
+			if err := s.db.Update(func(tx *bolt.Tx) error {
+				if err := tx.DeleteBucket([]byte(id)); err != nil {
+					return err
+				}
+				b, err := tx.CreateBucket([]byte(newid))
+				if err != nil {
+					return err
+				}
+				snap.id = newid
+				snap.CachePolicy = defaultCachePolicy()
+				dt, err := json.Marshal(snap.sourceMeta)
+				if err != nil {
+					return err
+				}
+				if err := b.Put([]byte(metaKey), dt); err != nil {
+					return err
+				}
+				delete(s.sources, id)
+				s.sources[newid] = snap
+				return nil
+			}); err != nil {
+				return nil, err
+			}
+			ret = snap
+			break
+		}
+	}
+	if ret == nil {
+		return nil, errors.Errorf("no candidate for rebase")
+	}
+	return ret.getRef(), nil
+}
+
+func (s *fsCacheStore) Get(id string) (*cachedSourceRef, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	src, ok := s.sources[id]
+	if !ok {
+		return nil, errors.Errorf("not found")
+	}
+	return src.getRef(), nil
+}
+
+// DiskUsage reports how much data is allocated by the cache
+func (s *fsCacheStore) DiskUsage(ctx context.Context) (int64, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	var size int64
+
+	for _, snap := range s.sources {
+		if len(snap.refs) == 0 {
+			ss, err := snap.getSize(ctx)
+			if err != nil {
+				return 0, err
+			}
+			size += ss
+		}
+	}
+	return size, nil
+}
+
+// Prune allows manually cleaning up the cache
+func (s *fsCacheStore) Prune(ctx context.Context) (uint64, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	var size uint64
+
+	for id, snap := range s.sources {
+		select {
+		case <-ctx.Done():
+			logrus.Debugf("Cache prune operation cancelled, pruned size: %d", size)
+			// when the context is cancelled, only return current size and nil
+			return size, nil
+		default:
+		}
+		if len(snap.refs) == 0 {
+			ss, err := snap.getSize(ctx)
+			if err != nil {
+				return size, err
+			}
+			if err := s.delete(id); err != nil {
+				return size, errors.Wrapf(err, "failed to delete %s", id)
+			}
+			size += uint64(ss)
+		}
+	}
+	return size, nil
+}
+
+// GC runs a garbage collector on FSCache
+func (s *fsCacheStore) GC() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	var size uint64
+
+	ctx := context.Background()
+	cutoff := time.Now().Add(-s.gcPolicy.MaxKeepDuration)
+	var blacklist []*cachedSource
+
+	for id, snap := range s.sources {
+		if len(snap.refs) == 0 {
+			if cutoff.After(snap.CachePolicy.LastUsed) {
+				if err := s.delete(id); err != nil {
+					return errors.Wrapf(err, "failed to delete %s", id)
+				}
+			} else {
+				ss, err := snap.getSize(ctx)
+				if err != nil {
+					return err
+				}
+				size += uint64(ss)
+				blacklist = append(blacklist, snap)
+			}
+		}
+	}
+
+	sort.Sort(sortableCacheSources(blacklist))
+	for _, snap := range blacklist {
+		if size <= s.gcPolicy.MaxSize {
+			break
+		}
+		ss, err := snap.getSize(ctx)
+		if err != nil {
+			return err
+		}
+		if err := s.delete(snap.id); err != nil {
+			return errors.Wrapf(err, "failed to delete %s", snap.id)
+		}
+		size -= uint64(ss)
+	}
+	return nil
+}
+
+// keep mu while calling this
+func (s *fsCacheStore) delete(id string) error {
+	src, ok := s.sources[id]
+	if !ok {
+		return nil
+	}
+	if len(src.refs) > 0 {
+		return errors.Errorf("can't delete %s because it has active references", id)
+	}
+	delete(s.sources, id)
+	if err := s.db.Update(func(tx *bolt.Tx) error {
+		return tx.DeleteBucket([]byte(id))
+	}); err != nil {
+		return err
+	}
+	return s.fs.Remove(src.BackendID)
+}
+
+type sourceMeta struct {
+	SharedKey   string
+	BackendID   string
+	CachePolicy CachePolicy
+	Size        int64
+}
+
+type cachedSource struct {
+	sourceMeta
+	refs    map[*cachedSourceRef]struct{}
+	id      string
+	dir     string
+	src     *remotecontext.CachableSource
+	storage *fsCacheStore
+	cached  bool // keep track if cache is up to date
+}
+
+type cachedSourceRef struct {
+	*cachedSource
+}
+
+func (cs *cachedSource) Dir() string {
+	return cs.dir
+}
+
+// hold storage lock before calling
+func (cs *cachedSource) getRef() *cachedSourceRef {
+	ref := &cachedSourceRef{cachedSource: cs}
+	cs.refs[ref] = struct{}{}
+	return ref
+}
+
+// hold storage lock before calling
+func (cs *cachedSource) getSize(ctx context.Context) (int64, error) {
+	if cs.sourceMeta.Size < 0 {
+		ss, err := directory.Size(ctx, cs.dir)
+		if err != nil {
+			return 0, err
+		}
+		if err := cs.resetSize(ss); err != nil {
+			return 0, err
+		}
+		return ss, nil
+	}
+	return cs.sourceMeta.Size, nil
+}
+
+func (cs *cachedSource) resetSize(val int64) error {
+	cs.sourceMeta.Size = val
+	return cs.saveMeta()
+}
+func (cs *cachedSource) saveMeta() error {
+	return cs.storage.db.Update(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(cs.id))
+		dt, err := json.Marshal(cs.sourceMeta)
+		if err != nil {
+			return err
+		}
+		return b.Put([]byte(metaKey), dt)
+	})
+}
+
+func (csr *cachedSourceRef) Release() error {
+	csr.cachedSource.storage.mu.Lock()
+	defer csr.cachedSource.storage.mu.Unlock()
+	delete(csr.cachedSource.refs, csr)
+	if len(csr.cachedSource.refs) == 0 {
+		go csr.cachedSource.storage.GC()
+	}
+	return nil
+}
+
+type detectChanges struct {
+	f         fsutil.ChangeFunc
+	supported bool
+}
+
+func (dc *detectChanges) HandleChange(kind fsutil.ChangeKind, path string, fi os.FileInfo, err error) error {
+	if dc == nil {
+		return nil
+	}
+	return dc.f(kind, path, fi, err)
+}
+
+func (dc *detectChanges) MarkSupported(v bool) {
+	if dc == nil {
+		return
+	}
+	dc.supported = v
+}
+
+func (dc *detectChanges) ContentHasher() fsutil.ContentHasher {
+	return newTarsumHash
+}
+
+type wrappedContext struct {
+	builder.Source
+	closer func() error
+}
+
+func (wc *wrappedContext) Close() error {
+	if err := wc.Source.Close(); err != nil {
+		return err
+	}
+	return wc.closer()
+}
+
+type sortableCacheSources []*cachedSource
+
+// Len is the number of elements in the collection.
+func (s sortableCacheSources) Len() int {
+	return len(s)
+}
+
+// Less reports whether the element with
+// index i should sort before the element with index j.
+func (s sortableCacheSources) Less(i, j int) bool {
+	return s[i].CachePolicy.LastUsed.Before(s[j].CachePolicy.LastUsed)
+}
+
+// Swap swaps the elements with indexes i and j.
+func (s sortableCacheSources) Swap(i, j int) {
+	s[i], s[j] = s[j], s[i]
+}
+
+func newTarsumHash(stat *fsutil.Stat) (hash.Hash, error) {
+	fi := &fsutil.StatInfo{Stat: stat}
+	p := stat.Path
+	if fi.IsDir() {
+		p += string(os.PathSeparator)
+	}
+	h, err := archive.FileInfoHeader(p, fi, stat.Linkname)
+	if err != nil {
+		return nil, err
+	}
+	h.Name = p
+	h.Uid = int(stat.Uid)
+	h.Gid = int(stat.Gid)
+	h.Linkname = stat.Linkname
+	if stat.Xattrs != nil {
+		h.Xattrs = make(map[string]string)
+		for k, v := range stat.Xattrs {
+			h.Xattrs[k] = string(v)
+		}
+	}
+
+	tsh := &tarsumHash{h: h, Hash: sha256.New()}
+	tsh.Reset()
+	return tsh, nil
+}
+
+// Reset resets the Hash to its initial state.
+func (tsh *tarsumHash) Reset() {
+	tsh.Hash.Reset()
+	tarsum.WriteV1Header(tsh.h, tsh.Hash)
+}
+
+type tarsumHash struct {
+	hash.Hash
+	h *tar.Header
+}
diff --git a/engine/builder/fscache/fscache_test.go b/engine/builder/fscache/fscache_test.go
new file mode 100644
index 00000000..5108d65d
--- /dev/null
+++ b/engine/builder/fscache/fscache_test.go
@@ -0,0 +1,132 @@
+package fscache // import "github.com/docker/docker/builder/fscache"
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/moby/buildkit/session/filesync"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestFSCache(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "fscache")
+	assert.Check(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	backend := NewNaiveCacheBackend(filepath.Join(tmpDir, "backend"))
+
+	opt := Opt{
+		Root:     tmpDir,
+		Backend:  backend,
+		GCPolicy: GCPolicy{MaxSize: 15, MaxKeepDuration: time.Hour},
+	}
+
+	fscache, err := NewFSCache(opt)
+	assert.Check(t, err)
+
+	defer fscache.Close()
+
+	err = fscache.RegisterTransport("test", &testTransport{})
+	assert.Check(t, err)
+
+	src1, err := fscache.SyncFrom(context.TODO(), &testIdentifier{"foo", "data", "bar"})
+	assert.Check(t, err)
+
+	dt, err := ioutil.ReadFile(filepath.Join(src1.Root().Path(), "foo"))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(dt), "data"))
+
+	// same id doesn't recalculate anything
+	src2, err := fscache.SyncFrom(context.TODO(), &testIdentifier{"foo", "data2", "bar"})
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(src1.Root().Path(), src2.Root().Path()))
+
+	dt, err = ioutil.ReadFile(filepath.Join(src1.Root().Path(), "foo"))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(dt), "data"))
+	assert.Check(t, src2.Close())
+
+	src3, err := fscache.SyncFrom(context.TODO(), &testIdentifier{"foo2", "data2", "bar"})
+	assert.Check(t, err)
+	assert.Check(t, src1.Root().Path() != src3.Root().Path())
+
+	dt, err = ioutil.ReadFile(filepath.Join(src3.Root().Path(), "foo2"))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(dt), "data2"))
+
+	s, err := fscache.DiskUsage(context.TODO())
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(s, int64(0)))
+
+	assert.Check(t, src3.Close())
+
+	s, err = fscache.DiskUsage(context.TODO())
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(s, int64(5)))
+
+	// new upload with the same shared key shoutl overwrite
+	src4, err := fscache.SyncFrom(context.TODO(), &testIdentifier{"foo3", "data3", "bar"})
+	assert.Check(t, err)
+	assert.Check(t, src1.Root().Path() != src3.Root().Path())
+
+	dt, err = ioutil.ReadFile(filepath.Join(src3.Root().Path(), "foo3"))
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(string(dt), "data3"))
+	assert.Check(t, is.Equal(src4.Root().Path(), src3.Root().Path()))
+	assert.Check(t, src4.Close())
+
+	s, err = fscache.DiskUsage(context.TODO())
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(s, int64(10)))
+
+	// this one goes over the GC limit
+	src5, err := fscache.SyncFrom(context.TODO(), &testIdentifier{"foo4", "datadata", "baz"})
+	assert.Check(t, err)
+	assert.Check(t, src5.Close())
+
+	// GC happens async
+	time.Sleep(100 * time.Millisecond)
+
+	// only last insertion after GC
+	s, err = fscache.DiskUsage(context.TODO())
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(s, int64(8)))
+
+	// prune deletes everything
+	released, err := fscache.Prune(context.TODO())
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(released, uint64(8)))
+
+	s, err = fscache.DiskUsage(context.TODO())
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(s, int64(0)))
+}
+
+type testTransport struct {
+}
+
+func (t *testTransport) Copy(ctx context.Context, id RemoteIdentifier, dest string, cs filesync.CacheUpdater) error {
+	testid := id.(*testIdentifier)
+	return ioutil.WriteFile(filepath.Join(dest, testid.filename), []byte(testid.data), 0600)
+}
+
+type testIdentifier struct {
+	filename  string
+	data      string
+	sharedKey string
+}
+
+func (t *testIdentifier) Key() string {
+	return t.filename
+}
+func (t *testIdentifier) SharedKey() string {
+	return t.sharedKey
+}
+func (t *testIdentifier) Transport() string {
+	return "test"
+}
diff --git a/engine/builder/fscache/naivedriver.go b/engine/builder/fscache/naivedriver.go
new file mode 100644
index 00000000..053509ae
--- /dev/null
+++ b/engine/builder/fscache/naivedriver.go
@@ -0,0 +1,28 @@
+package fscache // import "github.com/docker/docker/builder/fscache"
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+)
+
+// NewNaiveCacheBackend is a basic backend implementation for fscache
+func NewNaiveCacheBackend(root string) Backend {
+	return &naiveCacheBackend{root: root}
+}
+
+type naiveCacheBackend struct {
+	root string
+}
+
+func (tcb *naiveCacheBackend) Get(id string) (string, error) {
+	d := filepath.Join(tcb.root, id)
+	if err := os.MkdirAll(d, 0700); err != nil {
+		return "", errors.Wrapf(err, "failed to create tmp dir for %s", d)
+	}
+	return d, nil
+}
+func (tcb *naiveCacheBackend) Remove(id string) error {
+	return errors.WithStack(os.RemoveAll(filepath.Join(tcb.root, id)))
+}
diff --git a/engine/builder/remotecontext/archive.go b/engine/builder/remotecontext/archive.go
new file mode 100644
index 00000000..6d247f94
--- /dev/null
+++ b/engine/builder/remotecontext/archive.go
@@ -0,0 +1,125 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"io"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/chrootarchive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/tarsum"
+	"github.com/pkg/errors"
+)
+
+type archiveContext struct {
+	root containerfs.ContainerFS
+	sums tarsum.FileInfoSums
+}
+
+func (c *archiveContext) Close() error {
+	return c.root.RemoveAll(c.root.Path())
+}
+
+func convertPathError(err error, cleanpath string) error {
+	if err, ok := err.(*os.PathError); ok {
+		err.Path = cleanpath
+		return err
+	}
+	return err
+}
+
+type modifiableContext interface {
+	builder.Source
+	// Remove deletes the entry specified by `path`.
+	// It is usual for directory entries to delete all its subentries.
+	Remove(path string) error
+}
+
+// FromArchive returns a build source from a tar stream.
+//
+// It extracts the tar stream to a temporary folder that is deleted as soon as
+// the Context is closed.
+// As the extraction happens, a tarsum is calculated for every file, and the set of
+// all those sums then becomes the source of truth for all operations on this Context.
+//
+// Closing tarStream has to be done by the caller.
+func FromArchive(tarStream io.Reader) (builder.Source, error) {
+	root, err := ioutils.TempDir("", "docker-builder")
+	if err != nil {
+		return nil, err
+	}
+
+	// Assume local file system. Since it's coming from a tar file.
+	tsc := &archiveContext{root: containerfs.NewLocalContainerFS(root)}
+
+	// Make sure we clean-up upon error.  In the happy case the caller
+	// is expected to manage the clean-up
+	defer func() {
+		if err != nil {
+			tsc.Close()
+		}
+	}()
+
+	decompressedStream, err := archive.DecompressStream(tarStream)
+	if err != nil {
+		return nil, err
+	}
+
+	sum, err := tarsum.NewTarSum(decompressedStream, true, tarsum.Version1)
+	if err != nil {
+		return nil, err
+	}
+
+	err = chrootarchive.Untar(sum, root, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	tsc.sums = sum.GetSums()
+	return tsc, nil
+}
+
+func (c *archiveContext) Root() containerfs.ContainerFS {
+	return c.root
+}
+
+func (c *archiveContext) Remove(path string) error {
+	_, fullpath, err := normalize(path, c.root)
+	if err != nil {
+		return err
+	}
+	return c.root.RemoveAll(fullpath)
+}
+
+func (c *archiveContext) Hash(path string) (string, error) {
+	cleanpath, fullpath, err := normalize(path, c.root)
+	if err != nil {
+		return "", err
+	}
+
+	rel, err := c.root.Rel(c.root.Path(), fullpath)
+	if err != nil {
+		return "", convertPathError(err, cleanpath)
+	}
+
+	// Use the checksum of the followed path(not the possible symlink) because
+	// this is the file that is actually copied.
+	if tsInfo := c.sums.GetFile(filepath.ToSlash(rel)); tsInfo != nil {
+		return tsInfo.Sum(), nil
+	}
+	// We set sum to path by default for the case where GetFile returns nil.
+	// The usual case is if relative path is empty.
+	return path, nil // backwards compat TODO: see if really needed
+}
+
+func normalize(path string, root containerfs.ContainerFS) (cleanPath, fullPath string, err error) {
+	cleanPath = root.Clean(string(root.Separator()) + path)[1:]
+	fullPath, err = root.ResolveScopedPath(path, true)
+	if err != nil {
+		return "", "", errors.Wrapf(err, "forbidden path outside the build context: %s (%s)", path, cleanPath)
+	}
+	return
+}
diff --git a/engine/builder/remotecontext/detect.go b/engine/builder/remotecontext/detect.go
new file mode 100644
index 00000000..aaace269
--- /dev/null
+++ b/engine/builder/remotecontext/detect.go
@@ -0,0 +1,180 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/containerd/continuity/driver"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/builder/dockerignore"
+	"github.com/docker/docker/pkg/fileutils"
+	"github.com/docker/docker/pkg/urlutil"
+	"github.com/moby/buildkit/frontend/dockerfile/parser"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// ClientSessionRemote is identifier for client-session context transport
+const ClientSessionRemote = "client-session"
+
+// Detect returns a context and dockerfile from remote location or local
+// archive. progressReader is only used if remoteURL is actually a URL
+// (not empty, and not a Git endpoint).
+func Detect(config backend.BuildConfig) (remote builder.Source, dockerfile *parser.Result, err error) {
+	remoteURL := config.Options.RemoteContext
+	dockerfilePath := config.Options.Dockerfile
+
+	switch {
+	case remoteURL == "":
+		remote, dockerfile, err = newArchiveRemote(config.Source, dockerfilePath)
+	case remoteURL == ClientSessionRemote:
+		res, err := parser.Parse(config.Source)
+		if err != nil {
+			return nil, nil, err
+		}
+		return nil, res, nil
+	case urlutil.IsGitURL(remoteURL):
+		remote, dockerfile, err = newGitRemote(remoteURL, dockerfilePath)
+	case urlutil.IsURL(remoteURL):
+		remote, dockerfile, err = newURLRemote(remoteURL, dockerfilePath, config.ProgressWriter.ProgressReaderFunc)
+	default:
+		err = fmt.Errorf("remoteURL (%s) could not be recognized as URL", remoteURL)
+	}
+	return
+}
+
+func newArchiveRemote(rc io.ReadCloser, dockerfilePath string) (builder.Source, *parser.Result, error) {
+	defer rc.Close()
+	c, err := FromArchive(rc)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return withDockerfileFromContext(c.(modifiableContext), dockerfilePath)
+}
+
+func withDockerfileFromContext(c modifiableContext, dockerfilePath string) (builder.Source, *parser.Result, error) {
+	df, err := openAt(c, dockerfilePath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			if dockerfilePath == builder.DefaultDockerfileName {
+				lowercase := strings.ToLower(dockerfilePath)
+				if _, err := StatAt(c, lowercase); err == nil {
+					return withDockerfileFromContext(c, lowercase)
+				}
+			}
+			return nil, nil, errors.Errorf("Cannot locate specified Dockerfile: %s", dockerfilePath) // backwards compatible error
+		}
+		c.Close()
+		return nil, nil, err
+	}
+
+	res, err := readAndParseDockerfile(dockerfilePath, df)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	df.Close()
+
+	if err := removeDockerfile(c, dockerfilePath); err != nil {
+		c.Close()
+		return nil, nil, err
+	}
+
+	return c, res, nil
+}
+
+func newGitRemote(gitURL string, dockerfilePath string) (builder.Source, *parser.Result, error) {
+	c, err := MakeGitContext(gitURL) // TODO: change this to NewLazySource
+	if err != nil {
+		return nil, nil, err
+	}
+	return withDockerfileFromContext(c.(modifiableContext), dockerfilePath)
+}
+
+func newURLRemote(url string, dockerfilePath string, progressReader func(in io.ReadCloser) io.ReadCloser) (builder.Source, *parser.Result, error) {
+	contentType, content, err := downloadRemote(url)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer content.Close()
+
+	switch contentType {
+	case mimeTypes.TextPlain:
+		res, err := parser.Parse(progressReader(content))
+		return nil, res, err
+	default:
+		source, err := FromArchive(progressReader(content))
+		if err != nil {
+			return nil, nil, err
+		}
+		return withDockerfileFromContext(source.(modifiableContext), dockerfilePath)
+	}
+}
+
+func removeDockerfile(c modifiableContext, filesToRemove ...string) error {
+	f, err := openAt(c, ".dockerignore")
+	// Note that a missing .dockerignore file isn't treated as an error
+	switch {
+	case os.IsNotExist(err):
+		return nil
+	case err != nil:
+		return err
+	}
+	excludes, err := dockerignore.ReadAll(f)
+	if err != nil {
+		f.Close()
+		return err
+	}
+	f.Close()
+	filesToRemove = append([]string{".dockerignore"}, filesToRemove...)
+	for _, fileToRemove := range filesToRemove {
+		if rm, _ := fileutils.Matches(fileToRemove, excludes); rm {
+			if err := c.Remove(fileToRemove); err != nil {
+				logrus.Errorf("failed to remove %s: %v", fileToRemove, err)
+			}
+		}
+	}
+	return nil
+}
+
+func readAndParseDockerfile(name string, rc io.Reader) (*parser.Result, error) {
+	br := bufio.NewReader(rc)
+	if _, err := br.Peek(1); err != nil {
+		if err == io.EOF {
+			return nil, errors.Errorf("the Dockerfile (%s) cannot be empty", name)
+		}
+		return nil, errors.Wrap(err, "unexpected error reading Dockerfile")
+	}
+	return parser.Parse(br)
+}
+
+func openAt(remote builder.Source, path string) (driver.File, error) {
+	fullPath, err := FullPath(remote, path)
+	if err != nil {
+		return nil, err
+	}
+	return remote.Root().Open(fullPath)
+}
+
+// StatAt is a helper for calling Stat on a path from a source
+func StatAt(remote builder.Source, path string) (os.FileInfo, error) {
+	fullPath, err := FullPath(remote, path)
+	if err != nil {
+		return nil, err
+	}
+	return remote.Root().Stat(fullPath)
+}
+
+// FullPath is a helper for getting a full path for a path from a source
+func FullPath(remote builder.Source, path string) (string, error) {
+	fullPath, err := remote.Root().ResolveScopedPath(path, true)
+	if err != nil {
+		return "", fmt.Errorf("Forbidden path outside the build context: %s (%s)", path, fullPath) // backwards compat with old error
+	}
+	return fullPath, nil
+}
diff --git a/engine/builder/remotecontext/detect_test.go b/engine/builder/remotecontext/detect_test.go
new file mode 100644
index 00000000..04b7686c
--- /dev/null
+++ b/engine/builder/remotecontext/detect_test.go
@@ -0,0 +1,123 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"errors"
+	"io/ioutil"
+	"log"
+	"os"
+	"sort"
+	"testing"
+
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/pkg/containerfs"
+)
+
+const (
+	dockerfileContents   = "FROM busybox"
+	dockerignoreFilename = ".dockerignore"
+	testfileContents     = "test"
+)
+
+const shouldStayFilename = "should_stay"
+
+func extractFilenames(files []os.FileInfo) []string {
+	filenames := make([]string, len(files))
+
+	for i, file := range files {
+		filenames[i] = file.Name()
+	}
+
+	return filenames
+}
+
+func checkDirectory(t *testing.T, dir string, expectedFiles []string) {
+	files, err := ioutil.ReadDir(dir)
+
+	if err != nil {
+		t.Fatalf("Could not read directory: %s", err)
+	}
+
+	if len(files) != len(expectedFiles) {
+		log.Fatalf("Directory should contain exactly %d file(s), got %d", len(expectedFiles), len(files))
+	}
+
+	filenames := extractFilenames(files)
+	sort.Strings(filenames)
+	sort.Strings(expectedFiles)
+
+	for i, filename := range filenames {
+		if filename != expectedFiles[i] {
+			t.Fatalf("File %s should be in the directory, got: %s", expectedFiles[i], filename)
+		}
+	}
+}
+
+func executeProcess(t *testing.T, contextDir string) {
+	modifiableCtx := &stubRemote{root: containerfs.NewLocalContainerFS(contextDir)}
+
+	err := removeDockerfile(modifiableCtx, builder.DefaultDockerfileName)
+
+	if err != nil {
+		t.Fatalf("Error when executing Process: %s", err)
+	}
+}
+
+func TestProcessShouldRemoveDockerfileDockerignore(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerignore-process-test")
+	defer cleanup()
+
+	createTestTempFile(t, contextDir, shouldStayFilename, testfileContents, 0777)
+	createTestTempFile(t, contextDir, dockerignoreFilename, "Dockerfile\n.dockerignore", 0777)
+	createTestTempFile(t, contextDir, builder.DefaultDockerfileName, dockerfileContents, 0777)
+
+	executeProcess(t, contextDir)
+
+	checkDirectory(t, contextDir, []string{shouldStayFilename})
+
+}
+
+func TestProcessNoDockerignore(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerignore-process-test")
+	defer cleanup()
+
+	createTestTempFile(t, contextDir, shouldStayFilename, testfileContents, 0777)
+	createTestTempFile(t, contextDir, builder.DefaultDockerfileName, dockerfileContents, 0777)
+
+	executeProcess(t, contextDir)
+
+	checkDirectory(t, contextDir, []string{shouldStayFilename, builder.DefaultDockerfileName})
+
+}
+
+func TestProcessShouldLeaveAllFiles(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-dockerignore-process-test")
+	defer cleanup()
+
+	createTestTempFile(t, contextDir, shouldStayFilename, testfileContents, 0777)
+	createTestTempFile(t, contextDir, builder.DefaultDockerfileName, dockerfileContents, 0777)
+	createTestTempFile(t, contextDir, dockerignoreFilename, "input1\ninput2", 0777)
+
+	executeProcess(t, contextDir)
+
+	checkDirectory(t, contextDir, []string{shouldStayFilename, builder.DefaultDockerfileName, dockerignoreFilename})
+
+}
+
+// TODO: remove after moving to a separate pkg
+type stubRemote struct {
+	root containerfs.ContainerFS
+}
+
+func (r *stubRemote) Hash(path string) (string, error) {
+	return "", errors.New("not implemented")
+}
+
+func (r *stubRemote) Root() containerfs.ContainerFS {
+	return r.root
+}
+func (r *stubRemote) Close() error {
+	return errors.New("not implemented")
+}
+func (r *stubRemote) Remove(p string) error {
+	return r.root.Remove(r.root.Join(r.root.Path(), p))
+}
diff --git a/engine/builder/remotecontext/filehash.go b/engine/builder/remotecontext/filehash.go
new file mode 100644
index 00000000..3565dd82
--- /dev/null
+++ b/engine/builder/remotecontext/filehash.go
@@ -0,0 +1,45 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"archive/tar"
+	"crypto/sha256"
+	"hash"
+	"os"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/tarsum"
+)
+
+// NewFileHash returns new hash that is used for the builder cache keys
+func NewFileHash(path, name string, fi os.FileInfo) (hash.Hash, error) {
+	var link string
+	if fi.Mode()&os.ModeSymlink != 0 {
+		var err error
+		link, err = os.Readlink(path)
+		if err != nil {
+			return nil, err
+		}
+	}
+	hdr, err := archive.FileInfoHeader(name, fi, link)
+	if err != nil {
+		return nil, err
+	}
+	if err := archive.ReadSecurityXattrToTarHeader(path, hdr); err != nil {
+		return nil, err
+	}
+	tsh := &tarsumHash{hdr: hdr, Hash: sha256.New()}
+	tsh.Reset() // initialize header
+	return tsh, nil
+}
+
+type tarsumHash struct {
+	hash.Hash
+	hdr *tar.Header
+}
+
+// Reset resets the Hash to its initial state.
+func (tsh *tarsumHash) Reset() {
+	// comply with hash.Hash and reset to the state hash had before any writes
+	tsh.Hash.Reset()
+	tarsum.WriteV1Header(tsh.hdr, tsh.Hash)
+}
diff --git a/engine/builder/remotecontext/generate.go b/engine/builder/remotecontext/generate.go
new file mode 100644
index 00000000..84c1b3b5
--- /dev/null
+++ b/engine/builder/remotecontext/generate.go
@@ -0,0 +1,3 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+//go:generate protoc --gogoslick_out=. tarsum.proto
diff --git a/engine/builder/remotecontext/git.go b/engine/builder/remotecontext/git.go
new file mode 100644
index 00000000..1583ca28
--- /dev/null
+++ b/engine/builder/remotecontext/git.go
@@ -0,0 +1,35 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"os"
+
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/builder/remotecontext/git"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/sirupsen/logrus"
+)
+
+// MakeGitContext returns a Context from gitURL that is cloned in a temporary directory.
+func MakeGitContext(gitURL string) (builder.Source, error) {
+	root, err := git.Clone(gitURL)
+	if err != nil {
+		return nil, err
+	}
+
+	c, err := archive.Tar(root, archive.Uncompressed)
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		err := c.Close()
+		if err != nil {
+			logrus.WithField("action", "MakeGitContext").WithField("module", "builder").WithField("url", gitURL).WithError(err).Error("error while closing git context")
+		}
+		err = os.RemoveAll(root)
+		if err != nil {
+			logrus.WithField("action", "MakeGitContext").WithField("module", "builder").WithField("url", gitURL).WithError(err).Error("error while removing path and children of root")
+		}
+	}()
+	return FromArchive(c)
+}
diff --git a/engine/builder/remotecontext/git/gitutils.go b/engine/builder/remotecontext/git/gitutils.go
new file mode 100644
index 00000000..77a45bef
--- /dev/null
+++ b/engine/builder/remotecontext/git/gitutils.go
@@ -0,0 +1,204 @@
+package git // import "github.com/docker/docker/builder/remotecontext/git"
+
+import (
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/symlink"
+	"github.com/docker/docker/pkg/urlutil"
+	"github.com/pkg/errors"
+)
+
+type gitRepo struct {
+	remote string
+	ref    string
+	subdir string
+}
+
+// Clone clones a repository into a newly created directory which
+// will be under "docker-build-git"
+func Clone(remoteURL string) (string, error) {
+	repo, err := parseRemoteURL(remoteURL)
+
+	if err != nil {
+		return "", err
+	}
+
+	return cloneGitRepo(repo)
+}
+
+func cloneGitRepo(repo gitRepo) (checkoutDir string, err error) {
+	fetch := fetchArgs(repo.remote, repo.ref)
+
+	root, err := ioutil.TempDir("", "docker-build-git")
+	if err != nil {
+		return "", err
+	}
+
+	defer func() {
+		if err != nil {
+			os.RemoveAll(root)
+		}
+	}()
+
+	if out, err := gitWithinDir(root, "init"); err != nil {
+		return "", errors.Wrapf(err, "failed to init repo at %s: %s", root, out)
+	}
+
+	// Add origin remote for compatibility with previous implementation that
+	// used "git clone" and also to make sure local refs are created for branches
+	if out, err := gitWithinDir(root, "remote", "add", "origin", repo.remote); err != nil {
+		return "", errors.Wrapf(err, "failed add origin repo at %s: %s", repo.remote, out)
+	}
+
+	if output, err := gitWithinDir(root, fetch...); err != nil {
+		return "", errors.Wrapf(err, "error fetching: %s", output)
+	}
+
+	checkoutDir, err = checkoutGit(root, repo.ref, repo.subdir)
+	if err != nil {
+		return "", err
+	}
+
+	cmd := exec.Command("git", "submodule", "update", "--init", "--recursive", "--depth=1")
+	cmd.Dir = root
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", errors.Wrapf(err, "error initializing submodules: %s", output)
+	}
+
+	return checkoutDir, nil
+}
+
+func parseRemoteURL(remoteURL string) (gitRepo, error) {
+	repo := gitRepo{}
+
+	if !isGitTransport(remoteURL) {
+		remoteURL = "https://" + remoteURL
+	}
+
+	var fragment string
+	if strings.HasPrefix(remoteURL, "git@") {
+		// git@.. is not an URL, so cannot be parsed as URL
+		parts := strings.SplitN(remoteURL, "#", 2)
+
+		repo.remote = parts[0]
+		if len(parts) == 2 {
+			fragment = parts[1]
+		}
+		repo.ref, repo.subdir = getRefAndSubdir(fragment)
+	} else {
+		u, err := url.Parse(remoteURL)
+		if err != nil {
+			return repo, err
+		}
+
+		repo.ref, repo.subdir = getRefAndSubdir(u.Fragment)
+		u.Fragment = ""
+		repo.remote = u.String()
+	}
+	return repo, nil
+}
+
+func getRefAndSubdir(fragment string) (ref string, subdir string) {
+	refAndDir := strings.SplitN(fragment, ":", 2)
+	ref = "master"
+	if len(refAndDir[0]) != 0 {
+		ref = refAndDir[0]
+	}
+	if len(refAndDir) > 1 && len(refAndDir[1]) != 0 {
+		subdir = refAndDir[1]
+	}
+	return
+}
+
+func fetchArgs(remoteURL string, ref string) []string {
+	args := []string{"fetch"}
+
+	if supportsShallowClone(remoteURL) {
+		args = append(args, "--depth", "1")
+	}
+
+	return append(args, "origin", ref)
+}
+
+// Check if a given git URL supports a shallow git clone,
+// i.e. it is a non-HTTP server or a smart HTTP server.
+func supportsShallowClone(remoteURL string) bool {
+	if urlutil.IsURL(remoteURL) {
+		// Check if the HTTP server is smart
+
+		// Smart servers must correctly respond to a query for the git-upload-pack service
+		serviceURL := remoteURL + "/info/refs?service=git-upload-pack"
+
+		// Try a HEAD request and fallback to a Get request on error
+		res, err := http.Head(serviceURL)
+		if err != nil || res.StatusCode != http.StatusOK {
+			res, err = http.Get(serviceURL)
+			if err == nil {
+				res.Body.Close()
+			}
+			if err != nil || res.StatusCode != http.StatusOK {
+				// request failed
+				return false
+			}
+		}
+
+		if res.Header.Get("Content-Type") != "application/x-git-upload-pack-advertisement" {
+			// Fallback, not a smart server
+			return false
+		}
+		return true
+	}
+	// Non-HTTP protocols always support shallow clones
+	return true
+}
+
+func checkoutGit(root, ref, subdir string) (string, error) {
+	// Try checking out by ref name first. This will work on branches and sets
+	// .git/HEAD to the current branch name
+	if output, err := gitWithinDir(root, "checkout", ref); err != nil {
+		// If checking out by branch name fails check out the last fetched ref
+		if _, err2 := gitWithinDir(root, "checkout", "FETCH_HEAD"); err2 != nil {
+			return "", errors.Wrapf(err, "error checking out %s: %s", ref, output)
+		}
+	}
+
+	if subdir != "" {
+		newCtx, err := symlink.FollowSymlinkInScope(filepath.Join(root, subdir), root)
+		if err != nil {
+			return "", errors.Wrapf(err, "error setting git context, %q not within git root", subdir)
+		}
+
+		fi, err := os.Stat(newCtx)
+		if err != nil {
+			return "", err
+		}
+		if !fi.IsDir() {
+			return "", errors.Errorf("error setting git context, not a directory: %s", newCtx)
+		}
+		root = newCtx
+	}
+
+	return root, nil
+}
+
+func gitWithinDir(dir string, args ...string) ([]byte, error) {
+	a := []string{"--work-tree", dir, "--git-dir", filepath.Join(dir, ".git")}
+	return git(append(a, args...)...)
+}
+
+func git(args ...string) ([]byte, error) {
+	return exec.Command("git", args...).CombinedOutput()
+}
+
+// isGitTransport returns true if the provided str is a git transport by inspecting
+// the prefix of the string for known protocols used in git.
+func isGitTransport(str string) bool {
+	return urlutil.IsURL(str) || strings.HasPrefix(str, "git://") || strings.HasPrefix(str, "git@")
+}
diff --git a/engine/builder/remotecontext/git/gitutils_test.go b/engine/builder/remotecontext/git/gitutils_test.go
new file mode 100644
index 00000000..8c396790
--- /dev/null
+++ b/engine/builder/remotecontext/git/gitutils_test.go
@@ -0,0 +1,278 @@
+package git // import "github.com/docker/docker/builder/remotecontext/git"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestParseRemoteURL(t *testing.T) {
+	dir, err := parseRemoteURL("git://github.com/user/repo.git")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(gitRepo{"git://github.com/user/repo.git", "master", ""}, dir, cmpGitRepoOpt))
+
+	dir, err = parseRemoteURL("git://github.com/user/repo.git#mybranch:mydir/mysubdir/")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(gitRepo{"git://github.com/user/repo.git", "mybranch", "mydir/mysubdir/"}, dir, cmpGitRepoOpt))
+
+	dir, err = parseRemoteURL("https://github.com/user/repo.git")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(gitRepo{"https://github.com/user/repo.git", "master", ""}, dir, cmpGitRepoOpt))
+
+	dir, err = parseRemoteURL("https://github.com/user/repo.git#mybranch:mydir/mysubdir/")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(gitRepo{"https://github.com/user/repo.git", "mybranch", "mydir/mysubdir/"}, dir, cmpGitRepoOpt))
+
+	dir, err = parseRemoteURL("git@github.com:user/repo.git")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(gitRepo{"git@github.com:user/repo.git", "master", ""}, dir, cmpGitRepoOpt))
+
+	dir, err = parseRemoteURL("git@github.com:user/repo.git#mybranch:mydir/mysubdir/")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(gitRepo{"git@github.com:user/repo.git", "mybranch", "mydir/mysubdir/"}, dir, cmpGitRepoOpt))
+}
+
+var cmpGitRepoOpt = cmp.AllowUnexported(gitRepo{})
+
+func TestCloneArgsSmartHttp(t *testing.T) {
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	serverURL, _ := url.Parse(server.URL)
+
+	serverURL.Path = "/repo.git"
+
+	mux.HandleFunc("/repo.git/info/refs", func(w http.ResponseWriter, r *http.Request) {
+		q := r.URL.Query().Get("service")
+		w.Header().Set("Content-Type", fmt.Sprintf("application/x-%s-advertisement", q))
+	})
+
+	args := fetchArgs(serverURL.String(), "master")
+	exp := []string{"fetch", "--depth", "1", "origin", "master"}
+	assert.Check(t, is.DeepEqual(exp, args))
+}
+
+func TestCloneArgsDumbHttp(t *testing.T) {
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	serverURL, _ := url.Parse(server.URL)
+
+	serverURL.Path = "/repo.git"
+
+	mux.HandleFunc("/repo.git/info/refs", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/plain")
+	})
+
+	args := fetchArgs(serverURL.String(), "master")
+	exp := []string{"fetch", "origin", "master"}
+	assert.Check(t, is.DeepEqual(exp, args))
+}
+
+func TestCloneArgsGit(t *testing.T) {
+	args := fetchArgs("git://github.com/docker/docker", "master")
+	exp := []string{"fetch", "--depth", "1", "origin", "master"}
+	assert.Check(t, is.DeepEqual(exp, args))
+}
+
+func gitGetConfig(name string) string {
+	b, err := git([]string{"config", "--get", name}...)
+	if err != nil {
+		// since we are interested in empty or non empty string,
+		// we can safely ignore the err here.
+		return ""
+	}
+	return strings.TrimSpace(string(b))
+}
+
+func TestCheckoutGit(t *testing.T) {
+	root, err := ioutil.TempDir("", "docker-build-git-checkout")
+	assert.NilError(t, err)
+	defer os.RemoveAll(root)
+
+	autocrlf := gitGetConfig("core.autocrlf")
+	if !(autocrlf == "true" || autocrlf == "false" ||
+		autocrlf == "input" || autocrlf == "") {
+		t.Logf("unknown core.autocrlf value: \"%s\"", autocrlf)
+	}
+	eol := "\n"
+	if autocrlf == "true" {
+		eol = "\r\n"
+	}
+
+	gitDir := filepath.Join(root, "repo")
+	_, err = git("init", gitDir)
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(gitDir, "config", "user.email", "test@docker.com")
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(gitDir, "config", "user.name", "Docker test")
+	assert.NilError(t, err)
+
+	err = ioutil.WriteFile(filepath.Join(gitDir, "Dockerfile"), []byte("FROM scratch"), 0644)
+	assert.NilError(t, err)
+
+	subDir := filepath.Join(gitDir, "subdir")
+	assert.NilError(t, os.Mkdir(subDir, 0755))
+
+	err = ioutil.WriteFile(filepath.Join(subDir, "Dockerfile"), []byte("FROM scratch\nEXPOSE 5000"), 0644)
+	assert.NilError(t, err)
+
+	if runtime.GOOS != "windows" {
+		if err = os.Symlink("../subdir", filepath.Join(gitDir, "parentlink")); err != nil {
+			t.Fatal(err)
+		}
+
+		if err = os.Symlink("/subdir", filepath.Join(gitDir, "absolutelink")); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	_, err = gitWithinDir(gitDir, "add", "-A")
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(gitDir, "commit", "-am", "First commit")
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(gitDir, "checkout", "-b", "test")
+	assert.NilError(t, err)
+
+	err = ioutil.WriteFile(filepath.Join(gitDir, "Dockerfile"), []byte("FROM scratch\nEXPOSE 3000"), 0644)
+	assert.NilError(t, err)
+
+	err = ioutil.WriteFile(filepath.Join(subDir, "Dockerfile"), []byte("FROM busybox\nEXPOSE 5000"), 0644)
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(gitDir, "add", "-A")
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(gitDir, "commit", "-am", "Branch commit")
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(gitDir, "checkout", "master")
+	assert.NilError(t, err)
+
+	// set up submodule
+	subrepoDir := filepath.Join(root, "subrepo")
+	_, err = git("init", subrepoDir)
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(subrepoDir, "config", "user.email", "test@docker.com")
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(subrepoDir, "config", "user.name", "Docker test")
+	assert.NilError(t, err)
+
+	err = ioutil.WriteFile(filepath.Join(subrepoDir, "subfile"), []byte("subcontents"), 0644)
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(subrepoDir, "add", "-A")
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(subrepoDir, "commit", "-am", "Subrepo initial")
+	assert.NilError(t, err)
+
+	cmd := exec.Command("git", "submodule", "add", subrepoDir, "sub") // this command doesn't work with --work-tree
+	cmd.Dir = gitDir
+	assert.NilError(t, cmd.Run())
+
+	_, err = gitWithinDir(gitDir, "add", "-A")
+	assert.NilError(t, err)
+
+	_, err = gitWithinDir(gitDir, "commit", "-am", "With submodule")
+	assert.NilError(t, err)
+
+	type singleCase struct {
+		frag      string
+		exp       string
+		fail      bool
+		submodule bool
+	}
+
+	cases := []singleCase{
+		{"", "FROM scratch", false, true},
+		{"master", "FROM scratch", false, true},
+		{":subdir", "FROM scratch" + eol + "EXPOSE 5000", false, false},
+		{":nosubdir", "", true, false},   // missing directory error
+		{":Dockerfile", "", true, false}, // not a directory error
+		{"master:nosubdir", "", true, false},
+		{"master:subdir", "FROM scratch" + eol + "EXPOSE 5000", false, false},
+		{"master:../subdir", "", true, false},
+		{"test", "FROM scratch" + eol + "EXPOSE 3000", false, false},
+		{"test:", "FROM scratch" + eol + "EXPOSE 3000", false, false},
+		{"test:subdir", "FROM busybox" + eol + "EXPOSE 5000", false, false},
+	}
+
+	if runtime.GOOS != "windows" {
+		// Windows GIT (2.7.1 x64) does not support parentlink/absolutelink. Sample output below
+		// 	git --work-tree .\repo --git-dir .\repo\.git add -A
+		//	error: readlink("absolutelink"): Function not implemented
+		// 	error: unable to index file absolutelink
+		// 	fatal: adding files failed
+		cases = append(cases, singleCase{frag: "master:absolutelink", exp: "FROM scratch" + eol + "EXPOSE 5000", fail: false})
+		cases = append(cases, singleCase{frag: "master:parentlink", exp: "FROM scratch" + eol + "EXPOSE 5000", fail: false})
+	}
+
+	for _, c := range cases {
+		ref, subdir := getRefAndSubdir(c.frag)
+		r, err := cloneGitRepo(gitRepo{remote: gitDir, ref: ref, subdir: subdir})
+
+		if c.fail {
+			assert.Check(t, is.ErrorContains(err, ""))
+			continue
+		}
+		assert.NilError(t, err)
+		defer os.RemoveAll(r)
+		if c.submodule {
+			b, err := ioutil.ReadFile(filepath.Join(r, "sub/subfile"))
+			assert.NilError(t, err)
+			assert.Check(t, is.Equal("subcontents", string(b)))
+		} else {
+			_, err := os.Stat(filepath.Join(r, "sub/subfile"))
+			assert.Assert(t, is.ErrorContains(err, ""))
+			assert.Assert(t, os.IsNotExist(err))
+		}
+
+		b, err := ioutil.ReadFile(filepath.Join(r, "Dockerfile"))
+		assert.NilError(t, err)
+		assert.Check(t, is.Equal(c.exp, string(b)))
+	}
+}
+
+func TestValidGitTransport(t *testing.T) {
+	gitUrls := []string{
+		"git://github.com/docker/docker",
+		"git@github.com:docker/docker.git",
+		"git@bitbucket.org:atlassianlabs/atlassian-docker.git",
+		"https://github.com/docker/docker.git",
+		"http://github.com/docker/docker.git",
+		"http://github.com/docker/docker.git#branch",
+		"http://github.com/docker/docker.git#:dir",
+	}
+	incompleteGitUrls := []string{
+		"github.com/docker/docker",
+	}
+
+	for _, url := range gitUrls {
+		if !isGitTransport(url) {
+			t.Fatalf("%q should be detected as valid Git prefix", url)
+		}
+	}
+
+	for _, url := range incompleteGitUrls {
+		if isGitTransport(url) {
+			t.Fatalf("%q should not be detected as valid Git prefix", url)
+		}
+	}
+}
diff --git a/engine/builder/remotecontext/lazycontext.go b/engine/builder/remotecontext/lazycontext.go
new file mode 100644
index 00000000..442cecad
--- /dev/null
+++ b/engine/builder/remotecontext/lazycontext.go
@@ -0,0 +1,102 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"encoding/hex"
+	"os"
+	"strings"
+
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/pools"
+	"github.com/pkg/errors"
+)
+
+// NewLazySource creates a new LazyContext. LazyContext defines a hashed build
+// context based on a root directory. Individual files are hashed first time
+// they are asked. It is not safe to call methods of LazyContext concurrently.
+func NewLazySource(root containerfs.ContainerFS) (builder.Source, error) {
+	return &lazySource{
+		root: root,
+		sums: make(map[string]string),
+	}, nil
+}
+
+type lazySource struct {
+	root containerfs.ContainerFS
+	sums map[string]string
+}
+
+func (c *lazySource) Root() containerfs.ContainerFS {
+	return c.root
+}
+
+func (c *lazySource) Close() error {
+	return nil
+}
+
+func (c *lazySource) Hash(path string) (string, error) {
+	cleanPath, fullPath, err := normalize(path, c.root)
+	if err != nil {
+		return "", err
+	}
+
+	relPath, err := Rel(c.root, fullPath)
+	if err != nil {
+		return "", errors.WithStack(convertPathError(err, cleanPath))
+	}
+
+	fi, err := os.Lstat(fullPath)
+	if err != nil {
+		// Backwards compatibility: a missing file returns a path as hash.
+		// This is reached in the case of a broken symlink.
+		return relPath, nil
+	}
+
+	sum, ok := c.sums[relPath]
+	if !ok {
+		sum, err = c.prepareHash(relPath, fi)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	return sum, nil
+}
+
+func (c *lazySource) prepareHash(relPath string, fi os.FileInfo) (string, error) {
+	p := c.root.Join(c.root.Path(), relPath)
+	h, err := NewFileHash(p, relPath, fi)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to create hash for %s", relPath)
+	}
+	if fi.Mode().IsRegular() && fi.Size() > 0 {
+		f, err := c.root.Open(p)
+		if err != nil {
+			return "", errors.Wrapf(err, "failed to open %s", relPath)
+		}
+		defer f.Close()
+		if _, err := pools.Copy(h, f); err != nil {
+			return "", errors.Wrapf(err, "failed to copy file data for %s", relPath)
+		}
+	}
+	sum := hex.EncodeToString(h.Sum(nil))
+	c.sums[relPath] = sum
+	return sum, nil
+}
+
+// Rel makes a path relative to base path. Same as `filepath.Rel` but can also
+// handle UUID paths in windows.
+func Rel(basepath containerfs.ContainerFS, targpath string) (string, error) {
+	// filepath.Rel can't handle UUID paths in windows
+	if basepath.OS() == "windows" {
+		pfx := basepath.Path() + `\`
+		if strings.HasPrefix(targpath, pfx) {
+			p := strings.TrimPrefix(targpath, pfx)
+			if p == "" {
+				p = "."
+			}
+			return p, nil
+		}
+	}
+	return basepath.Rel(basepath.Path(), targpath)
+}
diff --git a/engine/builder/remotecontext/mimetype.go b/engine/builder/remotecontext/mimetype.go
new file mode 100644
index 00000000..e8a6210e
--- /dev/null
+++ b/engine/builder/remotecontext/mimetype.go
@@ -0,0 +1,27 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"mime"
+	"net/http"
+)
+
+// mimeTypes stores the MIME content type.
+var mimeTypes = struct {
+	TextPlain   string
+	OctetStream string
+}{"text/plain", "application/octet-stream"}
+
+// detectContentType returns a best guess representation of the MIME
+// content type for the bytes at c.  The value detected by
+// http.DetectContentType is guaranteed not be nil, defaulting to
+// application/octet-stream when a better guess cannot be made. The
+// result of this detection is then run through mime.ParseMediaType()
+// which separates the actual MIME string from any parameters.
+func detectContentType(c []byte) (string, map[string]string, error) {
+	ct := http.DetectContentType(c)
+	contentType, args, err := mime.ParseMediaType(ct)
+	if err != nil {
+		return "", nil, err
+	}
+	return contentType, args, nil
+}
diff --git a/engine/builder/remotecontext/mimetype_test.go b/engine/builder/remotecontext/mimetype_test.go
new file mode 100644
index 00000000..df9c3787
--- /dev/null
+++ b/engine/builder/remotecontext/mimetype_test.go
@@ -0,0 +1,16 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestDetectContentType(t *testing.T) {
+	input := []byte("That is just a plain text")
+
+	contentType, _, err := detectContentType(input)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("text/plain", contentType))
+}
diff --git a/engine/builder/remotecontext/remote.go b/engine/builder/remotecontext/remote.go
new file mode 100644
index 00000000..1fb80549
--- /dev/null
+++ b/engine/builder/remotecontext/remote.go
@@ -0,0 +1,127 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"regexp"
+
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/pkg/errors"
+)
+
+// When downloading remote contexts, limit the amount (in bytes)
+// to be read from the response body in order to detect its Content-Type
+const maxPreambleLength = 100
+
+const acceptableRemoteMIME = `(?:application/(?:(?:x\-)?tar|octet\-stream|((?:x\-)?(?:gzip|bzip2?|xz)))|(?:text/plain))`
+
+var mimeRe = regexp.MustCompile(acceptableRemoteMIME)
+
+// downloadRemote context from a url and returns it, along with the parsed content type
+func downloadRemote(remoteURL string) (string, io.ReadCloser, error) {
+	response, err := GetWithStatusError(remoteURL)
+	if err != nil {
+		return "", nil, errors.Wrapf(err, "error downloading remote context %s", remoteURL)
+	}
+
+	contentType, contextReader, err := inspectResponse(
+		response.Header.Get("Content-Type"),
+		response.Body,
+		response.ContentLength)
+	if err != nil {
+		response.Body.Close()
+		return "", nil, errors.Wrapf(err, "error detecting content type for remote %s", remoteURL)
+	}
+
+	return contentType, ioutils.NewReadCloserWrapper(contextReader, response.Body.Close), nil
+}
+
+// GetWithStatusError does an http.Get() and returns an error if the
+// status code is 4xx or 5xx.
+func GetWithStatusError(address string) (resp *http.Response, err error) {
+	if resp, err = http.Get(address); err != nil {
+		if uerr, ok := err.(*url.Error); ok {
+			if derr, ok := uerr.Err.(*net.DNSError); ok && !derr.IsTimeout {
+				return nil, errdefs.NotFound(err)
+			}
+		}
+		return nil, errdefs.System(err)
+	}
+	if resp.StatusCode < 400 {
+		return resp, nil
+	}
+	msg := fmt.Sprintf("failed to GET %s with status %s", address, resp.Status)
+	body, err := ioutil.ReadAll(resp.Body)
+	resp.Body.Close()
+	if err != nil {
+		return nil, errdefs.System(errors.New(msg + ": error reading body"))
+	}
+
+	msg += ": " + string(bytes.TrimSpace(body))
+	switch resp.StatusCode {
+	case http.StatusNotFound:
+		return nil, errdefs.NotFound(errors.New(msg))
+	case http.StatusBadRequest:
+		return nil, errdefs.InvalidParameter(errors.New(msg))
+	case http.StatusUnauthorized:
+		return nil, errdefs.Unauthorized(errors.New(msg))
+	case http.StatusForbidden:
+		return nil, errdefs.Forbidden(errors.New(msg))
+	}
+	return nil, errdefs.Unknown(errors.New(msg))
+}
+
+// inspectResponse looks into the http response data at r to determine whether its
+// content-type is on the list of acceptable content types for remote build contexts.
+// This function returns:
+//    - a string representation of the detected content-type
+//    - an io.Reader for the response body
+//    - an error value which will be non-nil either when something goes wrong while
+//      reading bytes from r or when the detected content-type is not acceptable.
+func inspectResponse(ct string, r io.Reader, clen int64) (string, io.Reader, error) {
+	plen := clen
+	if plen <= 0 || plen > maxPreambleLength {
+		plen = maxPreambleLength
+	}
+
+	preamble := make([]byte, plen)
+	rlen, err := r.Read(preamble)
+	if rlen == 0 {
+		return ct, r, errors.New("empty response")
+	}
+	if err != nil && err != io.EOF {
+		return ct, r, err
+	}
+
+	preambleR := bytes.NewReader(preamble[:rlen])
+	bodyReader := io.MultiReader(preambleR, r)
+	// Some web servers will use application/octet-stream as the default
+	// content type for files without an extension (e.g. 'Dockerfile')
+	// so if we receive this value we better check for text content
+	contentType := ct
+	if len(ct) == 0 || ct == mimeTypes.OctetStream {
+		contentType, _, err = detectContentType(preamble)
+		if err != nil {
+			return contentType, bodyReader, err
+		}
+	}
+
+	contentType = selectAcceptableMIME(contentType)
+	var cterr error
+	if len(contentType) == 0 {
+		cterr = fmt.Errorf("unsupported Content-Type %q", ct)
+		contentType = ct
+	}
+
+	return contentType, bodyReader, cterr
+}
+
+func selectAcceptableMIME(ct string) string {
+	return mimeRe.FindString(ct)
+}
diff --git a/engine/builder/remotecontext/remote_test.go b/engine/builder/remotecontext/remote_test.go
new file mode 100644
index 00000000..a0101f74
--- /dev/null
+++ b/engine/builder/remotecontext/remote_test.go
@@ -0,0 +1,242 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/docker/docker/builder"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+var binaryContext = []byte{0xFD, 0x37, 0x7A, 0x58, 0x5A, 0x00} //xz magic
+
+func TestSelectAcceptableMIME(t *testing.T) {
+	validMimeStrings := []string{
+		"application/x-bzip2",
+		"application/bzip2",
+		"application/gzip",
+		"application/x-gzip",
+		"application/x-xz",
+		"application/xz",
+		"application/tar",
+		"application/x-tar",
+		"application/octet-stream",
+		"text/plain",
+	}
+
+	invalidMimeStrings := []string{
+		"",
+		"application/octet",
+		"application/json",
+	}
+
+	for _, m := range invalidMimeStrings {
+		if len(selectAcceptableMIME(m)) > 0 {
+			t.Fatalf("Should not have accepted %q", m)
+		}
+	}
+
+	for _, m := range validMimeStrings {
+		if str := selectAcceptableMIME(m); str == "" {
+			t.Fatalf("Should have accepted %q", m)
+		}
+	}
+}
+
+func TestInspectEmptyResponse(t *testing.T) {
+	ct := "application/octet-stream"
+	br := ioutil.NopCloser(bytes.NewReader([]byte("")))
+	contentType, bReader, err := inspectResponse(ct, br, 0)
+	if err == nil {
+		t.Fatal("Should have generated an error for an empty response")
+	}
+	if contentType != "application/octet-stream" {
+		t.Fatalf("Content type should be 'application/octet-stream' but is %q", contentType)
+	}
+	body, err := ioutil.ReadAll(bReader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(body) != 0 {
+		t.Fatal("response body should remain empty")
+	}
+}
+
+func TestInspectResponseBinary(t *testing.T) {
+	ct := "application/octet-stream"
+	br := ioutil.NopCloser(bytes.NewReader(binaryContext))
+	contentType, bReader, err := inspectResponse(ct, br, int64(len(binaryContext)))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if contentType != "application/octet-stream" {
+		t.Fatalf("Content type should be 'application/octet-stream' but is %q", contentType)
+	}
+	body, err := ioutil.ReadAll(bReader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(body) != len(binaryContext) {
+		t.Fatalf("Wrong response size %d, should be == len(binaryContext)", len(body))
+	}
+	for i := range body {
+		if body[i] != binaryContext[i] {
+			t.Fatalf("Corrupted response body at byte index %d", i)
+		}
+	}
+}
+
+func TestResponseUnsupportedContentType(t *testing.T) {
+	content := []byte(dockerfileContents)
+	ct := "application/json"
+	br := ioutil.NopCloser(bytes.NewReader(content))
+	contentType, bReader, err := inspectResponse(ct, br, int64(len(dockerfileContents)))
+
+	if err == nil {
+		t.Fatal("Should have returned an error on content-type 'application/json'")
+	}
+	if contentType != ct {
+		t.Fatalf("Should not have altered content-type: orig: %s, altered: %s", ct, contentType)
+	}
+	body, err := ioutil.ReadAll(bReader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(body) != dockerfileContents {
+		t.Fatalf("Corrupted response body %s", body)
+	}
+}
+
+func TestInspectResponseTextSimple(t *testing.T) {
+	content := []byte(dockerfileContents)
+	ct := "text/plain"
+	br := ioutil.NopCloser(bytes.NewReader(content))
+	contentType, bReader, err := inspectResponse(ct, br, int64(len(content)))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if contentType != "text/plain" {
+		t.Fatalf("Content type should be 'text/plain' but is %q", contentType)
+	}
+	body, err := ioutil.ReadAll(bReader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(body) != dockerfileContents {
+		t.Fatalf("Corrupted response body %s", body)
+	}
+}
+
+func TestInspectResponseEmptyContentType(t *testing.T) {
+	content := []byte(dockerfileContents)
+	br := ioutil.NopCloser(bytes.NewReader(content))
+	contentType, bodyReader, err := inspectResponse("", br, int64(len(content)))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if contentType != "text/plain" {
+		t.Fatalf("Content type should be 'text/plain' but is %q", contentType)
+	}
+	body, err := ioutil.ReadAll(bodyReader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(body) != dockerfileContents {
+		t.Fatalf("Corrupted response body %s", body)
+	}
+}
+
+func TestUnknownContentLength(t *testing.T) {
+	content := []byte(dockerfileContents)
+	ct := "text/plain"
+	br := ioutil.NopCloser(bytes.NewReader(content))
+	contentType, bReader, err := inspectResponse(ct, br, -1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if contentType != "text/plain" {
+		t.Fatalf("Content type should be 'text/plain' but is %q", contentType)
+	}
+	body, err := ioutil.ReadAll(bReader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(body) != dockerfileContents {
+		t.Fatalf("Corrupted response body %s", body)
+	}
+}
+
+func TestDownloadRemote(t *testing.T) {
+	contextDir := fs.NewDir(t, "test-builder-download-remote",
+		fs.WithFile(builder.DefaultDockerfileName, dockerfileContents))
+	defer contextDir.Remove()
+
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	serverURL, _ := url.Parse(server.URL)
+
+	serverURL.Path = "/" + builder.DefaultDockerfileName
+	remoteURL := serverURL.String()
+
+	mux.Handle("/", http.FileServer(http.Dir(contextDir.Path())))
+
+	contentType, content, err := downloadRemote(remoteURL)
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(mimeTypes.TextPlain, contentType))
+	raw, err := ioutil.ReadAll(content)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(dockerfileContents, string(raw)))
+}
+
+func TestGetWithStatusError(t *testing.T) {
+	var testcases = []struct {
+		err          error
+		statusCode   int
+		expectedErr  string
+		expectedBody string
+	}{
+		{
+			statusCode:   200,
+			expectedBody: "THE BODY",
+		},
+		{
+			statusCode:   400,
+			expectedErr:  "with status 400 Bad Request: broke",
+			expectedBody: "broke",
+		},
+	}
+	for _, testcase := range testcases {
+		ts := httptest.NewServer(
+			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				buffer := bytes.NewBufferString(testcase.expectedBody)
+				w.WriteHeader(testcase.statusCode)
+				w.Write(buffer.Bytes())
+			}),
+		)
+		defer ts.Close()
+		response, err := GetWithStatusError(ts.URL)
+
+		if testcase.expectedErr == "" {
+			assert.NilError(t, err)
+
+			body, err := readBody(response.Body)
+			assert.NilError(t, err)
+			assert.Check(t, is.Contains(string(body), testcase.expectedBody))
+		} else {
+			assert.Check(t, is.ErrorContains(err, testcase.expectedErr))
+		}
+	}
+}
+
+func readBody(b io.ReadCloser) ([]byte, error) {
+	defer b.Close()
+	return ioutil.ReadAll(b)
+}
diff --git a/engine/builder/remotecontext/tarsum.go b/engine/builder/remotecontext/tarsum.go
new file mode 100644
index 00000000..b809cfb7
--- /dev/null
+++ b/engine/builder/remotecontext/tarsum.go
@@ -0,0 +1,157 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"os"
+	"sync"
+
+	"github.com/docker/docker/pkg/containerfs"
+	iradix "github.com/hashicorp/go-immutable-radix"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/tonistiigi/fsutil"
+)
+
+type hashed interface {
+	Digest() digest.Digest
+}
+
+// CachableSource is a source that contains cache records for its contents
+type CachableSource struct {
+	mu   sync.Mutex
+	root containerfs.ContainerFS
+	tree *iradix.Tree
+	txn  *iradix.Txn
+}
+
+// NewCachableSource creates new CachableSource
+func NewCachableSource(root string) *CachableSource {
+	ts := &CachableSource{
+		tree: iradix.New(),
+		root: containerfs.NewLocalContainerFS(root),
+	}
+	return ts
+}
+
+// MarshalBinary marshals current cache information to a byte array
+func (cs *CachableSource) MarshalBinary() ([]byte, error) {
+	b := TarsumBackup{Hashes: make(map[string]string)}
+	root := cs.getRoot()
+	root.Walk(func(k []byte, v interface{}) bool {
+		b.Hashes[string(k)] = v.(*fileInfo).sum
+		return false
+	})
+	return b.Marshal()
+}
+
+// UnmarshalBinary decodes cache information for presented byte array
+func (cs *CachableSource) UnmarshalBinary(data []byte) error {
+	var b TarsumBackup
+	if err := b.Unmarshal(data); err != nil {
+		return err
+	}
+	txn := iradix.New().Txn()
+	for p, v := range b.Hashes {
+		txn.Insert([]byte(p), &fileInfo{sum: v})
+	}
+	cs.mu.Lock()
+	defer cs.mu.Unlock()
+	cs.tree = txn.Commit()
+	return nil
+}
+
+// Scan rescans the cache information from the file system
+func (cs *CachableSource) Scan() error {
+	lc, err := NewLazySource(cs.root)
+	if err != nil {
+		return err
+	}
+	txn := iradix.New().Txn()
+	err = cs.root.Walk(cs.root.Path(), func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return errors.Wrapf(err, "failed to walk %s", path)
+		}
+		rel, err := Rel(cs.root, path)
+		if err != nil {
+			return err
+		}
+		h, err := lc.Hash(rel)
+		if err != nil {
+			return err
+		}
+		txn.Insert([]byte(rel), &fileInfo{sum: h})
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+	cs.mu.Lock()
+	defer cs.mu.Unlock()
+	cs.tree = txn.Commit()
+	return nil
+}
+
+// HandleChange notifies the source about a modification operation
+func (cs *CachableSource) HandleChange(kind fsutil.ChangeKind, p string, fi os.FileInfo, err error) (retErr error) {
+	cs.mu.Lock()
+	if cs.txn == nil {
+		cs.txn = cs.tree.Txn()
+	}
+	if kind == fsutil.ChangeKindDelete {
+		cs.txn.Delete([]byte(p))
+		cs.mu.Unlock()
+		return
+	}
+
+	h, ok := fi.(hashed)
+	if !ok {
+		cs.mu.Unlock()
+		return errors.Errorf("invalid fileinfo: %s", p)
+	}
+
+	hfi := &fileInfo{
+		sum: h.Digest().Hex(),
+	}
+	cs.txn.Insert([]byte(p), hfi)
+	cs.mu.Unlock()
+	return nil
+}
+
+func (cs *CachableSource) getRoot() *iradix.Node {
+	cs.mu.Lock()
+	if cs.txn != nil {
+		cs.tree = cs.txn.Commit()
+		cs.txn = nil
+	}
+	t := cs.tree
+	cs.mu.Unlock()
+	return t.Root()
+}
+
+// Close closes the source
+func (cs *CachableSource) Close() error {
+	return nil
+}
+
+// Hash returns a hash for a single file in the source
+func (cs *CachableSource) Hash(path string) (string, error) {
+	n := cs.getRoot()
+	// TODO: check this for symlinks
+	v, ok := n.Get([]byte(path))
+	if !ok {
+		return path, nil
+	}
+	return v.(*fileInfo).sum, nil
+}
+
+// Root returns a root directory for the source
+func (cs *CachableSource) Root() containerfs.ContainerFS {
+	return cs.root
+}
+
+type fileInfo struct {
+	sum string
+}
+
+func (fi *fileInfo) Hash() string {
+	return fi.sum
+}
diff --git a/engine/builder/remotecontext/tarsum.pb.go b/engine/builder/remotecontext/tarsum.pb.go
new file mode 100644
index 00000000..1d23bbe6
--- /dev/null
+++ b/engine/builder/remotecontext/tarsum.pb.go
@@ -0,0 +1,525 @@
+// Code generated by protoc-gen-gogo.
+// source: tarsum.proto
+// DO NOT EDIT!
+
+/*
+Package remotecontext is a generated protocol buffer package.
+
+It is generated from these files:
+	tarsum.proto
+
+It has these top-level messages:
+	TarsumBackup
+*/
+package remotecontext
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type TarsumBackup struct {
+	Hashes map[string]string `protobuf:"bytes,1,rep,name=Hashes" json:"Hashes,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *TarsumBackup) Reset()                    { *m = TarsumBackup{} }
+func (*TarsumBackup) ProtoMessage()               {}
+func (*TarsumBackup) Descriptor() ([]byte, []int) { return fileDescriptorTarsum, []int{0} }
+
+func (m *TarsumBackup) GetHashes() map[string]string {
+	if m != nil {
+		return m.Hashes
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*TarsumBackup)(nil), "remotecontext.TarsumBackup")
+}
+func (this *TarsumBackup) Equal(that interface{}) bool {
+	if that == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	}
+
+	that1, ok := that.(*TarsumBackup)
+	if !ok {
+		that2, ok := that.(TarsumBackup)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	} else if this == nil {
+		return false
+	}
+	if len(this.Hashes) != len(that1.Hashes) {
+		return false
+	}
+	for i := range this.Hashes {
+		if this.Hashes[i] != that1.Hashes[i] {
+			return false
+		}
+	}
+	return true
+}
+func (this *TarsumBackup) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&remotecontext.TarsumBackup{")
+	keysForHashes := make([]string, 0, len(this.Hashes))
+	for k := range this.Hashes {
+		keysForHashes = append(keysForHashes, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForHashes)
+	mapStringForHashes := "map[string]string{"
+	for _, k := range keysForHashes {
+		mapStringForHashes += fmt.Sprintf("%#v: %#v,", k, this.Hashes[k])
+	}
+	mapStringForHashes += "}"
+	if this.Hashes != nil {
+		s = append(s, "Hashes: "+mapStringForHashes+",\n")
+	}
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringTarsum(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+func (m *TarsumBackup) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *TarsumBackup) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Hashes) > 0 {
+		for k := range m.Hashes {
+			dAtA[i] = 0xa
+			i++
+			v := m.Hashes[k]
+			mapSize := 1 + len(k) + sovTarsum(uint64(len(k))) + 1 + len(v) + sovTarsum(uint64(len(v)))
+			i = encodeVarintTarsum(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintTarsum(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintTarsum(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Tarsum(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Tarsum(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintTarsum(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *TarsumBackup) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Hashes) > 0 {
+		for k, v := range m.Hashes {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovTarsum(uint64(len(k))) + 1 + len(v) + sovTarsum(uint64(len(v)))
+			n += mapEntrySize + 1 + sovTarsum(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func sovTarsum(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozTarsum(x uint64) (n int) {
+	return sovTarsum(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *TarsumBackup) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForHashes := make([]string, 0, len(this.Hashes))
+	for k := range this.Hashes {
+		keysForHashes = append(keysForHashes, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForHashes)
+	mapStringForHashes := "map[string]string{"
+	for _, k := range keysForHashes {
+		mapStringForHashes += fmt.Sprintf("%v: %v,", k, this.Hashes[k])
+	}
+	mapStringForHashes += "}"
+	s := strings.Join([]string{`&TarsumBackup{`,
+		`Hashes:` + mapStringForHashes + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringTarsum(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *TarsumBackup) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowTarsum
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: TarsumBackup: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: TarsumBackup: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Hashes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTarsum
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthTarsum
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTarsum
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTarsum
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthTarsum
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Hashes == nil {
+				m.Hashes = make(map[string]string)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowTarsum
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var stringLenmapvalue uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowTarsum
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intStringLenmapvalue := int(stringLenmapvalue)
+				if intStringLenmapvalue < 0 {
+					return ErrInvalidLengthTarsum
+				}
+				postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+				if postStringIndexmapvalue > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := string(dAtA[iNdEx:postStringIndexmapvalue])
+				iNdEx = postStringIndexmapvalue
+				m.Hashes[mapkey] = mapvalue
+			} else {
+				var mapvalue string
+				m.Hashes[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipTarsum(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthTarsum
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipTarsum(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowTarsum
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowTarsum
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowTarsum
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthTarsum
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowTarsum
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipTarsum(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthTarsum = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowTarsum   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("tarsum.proto", fileDescriptorTarsum) }
+
+var fileDescriptorTarsum = []byte{
+	// 196 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xe2, 0xe2, 0x29, 0x49, 0x2c, 0x2a,
+	0x2e, 0xcd, 0xd5, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0xe2, 0x2d, 0x4a, 0xcd, 0xcd, 0x2f, 0x49,
+	0x4d, 0xce, 0xcf, 0x2b, 0x49, 0xad, 0x28, 0x51, 0xea, 0x62, 0xe4, 0xe2, 0x09, 0x01, 0xcb, 0x3b,
+	0x25, 0x26, 0x67, 0x97, 0x16, 0x08, 0xd9, 0x73, 0xb1, 0x79, 0x24, 0x16, 0x67, 0xa4, 0x16, 0x4b,
+	0x30, 0x2a, 0x30, 0x6b, 0x70, 0x1b, 0xa9, 0xeb, 0xa1, 0x68, 0xd0, 0x43, 0x56, 0xac, 0x07, 0x51,
+	0xe9, 0x9a, 0x57, 0x52, 0x54, 0x19, 0x04, 0xd5, 0x26, 0x65, 0xc9, 0xc5, 0x8d, 0x24, 0x2c, 0x24,
+	0xc0, 0xc5, 0x9c, 0x9d, 0x5a, 0x29, 0xc1, 0xa8, 0xc0, 0xa8, 0xc1, 0x19, 0x04, 0x62, 0x0a, 0x89,
+	0x70, 0xb1, 0x96, 0x25, 0xe6, 0x94, 0xa6, 0x4a, 0x30, 0x81, 0xc5, 0x20, 0x1c, 0x2b, 0x26, 0x0b,
+	0x46, 0x27, 0x9d, 0x0b, 0x0f, 0xe5, 0x18, 0x6e, 0x3c, 0x94, 0x63, 0xf8, 0xf0, 0x50, 0x8e, 0xb1,
+	0xe1, 0x91, 0x1c, 0xe3, 0x8a, 0x47, 0x72, 0x8c, 0x27, 0x1e, 0xc9, 0x31, 0x5e, 0x78, 0x24, 0xc7,
+	0xf8, 0xe0, 0x91, 0x1c, 0xe3, 0x8b, 0x47, 0x72, 0x0c, 0x1f, 0x1e, 0xc9, 0x31, 0x4e, 0x78, 0x2c,
+	0xc7, 0x90, 0xc4, 0x06, 0xf6, 0x90, 0x31, 0x20, 0x00, 0x00, 0xff, 0xff, 0x89, 0x57, 0x7d, 0x3f,
+	0xe0, 0x00, 0x00, 0x00,
+}
diff --git a/engine/builder/remotecontext/tarsum.proto b/engine/builder/remotecontext/tarsum.proto
new file mode 100644
index 00000000..cb94240b
--- /dev/null
+++ b/engine/builder/remotecontext/tarsum.proto
@@ -0,0 +1,7 @@
+syntax = "proto3";
+
+package remotecontext; // no namespace because only used internally
+
+message TarsumBackup {
+  map<string, string> Hashes = 1;
+}
\ No newline at end of file
diff --git a/engine/builder/remotecontext/tarsum_test.go b/engine/builder/remotecontext/tarsum_test.go
new file mode 100644
index 00000000..46f128d9
--- /dev/null
+++ b/engine/builder/remotecontext/tarsum_test.go
@@ -0,0 +1,151 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/reexec"
+	"github.com/pkg/errors"
+	"gotest.tools/skip"
+)
+
+const (
+	filename = "test"
+	contents = "contents test"
+)
+
+func init() {
+	reexec.Init()
+}
+
+func TestCloseRootDirectory(t *testing.T) {
+	contextDir, err := ioutil.TempDir("", "builder-tarsum-test")
+	defer os.RemoveAll(contextDir)
+	if err != nil {
+		t.Fatalf("Error with creating temporary directory: %s", err)
+	}
+
+	src := makeTestArchiveContext(t, contextDir)
+	err = src.Close()
+
+	if err != nil {
+		t.Fatalf("Error while executing Close: %s", err)
+	}
+
+	_, err = os.Stat(src.Root().Path())
+
+	if !os.IsNotExist(err) {
+		t.Fatal("Directory should not exist at this point")
+	}
+}
+
+func TestHashFile(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-tarsum-test")
+	defer cleanup()
+
+	createTestTempFile(t, contextDir, filename, contents, 0755)
+
+	tarSum := makeTestArchiveContext(t, contextDir)
+
+	sum, err := tarSum.Hash(filename)
+
+	if err != nil {
+		t.Fatalf("Error when executing Stat: %s", err)
+	}
+
+	if len(sum) == 0 {
+		t.Fatalf("Hash returned empty sum")
+	}
+
+	expected := "1149ab94af7be6cc1da1335e398f24ee1cf4926b720044d229969dfc248ae7ec"
+
+	if actual := sum; expected != actual {
+		t.Fatalf("invalid checksum. expected %s, got %s", expected, actual)
+	}
+}
+
+func TestHashSubdir(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-tarsum-test")
+	defer cleanup()
+
+	contextSubdir := filepath.Join(contextDir, "builder-tarsum-test-subdir")
+	err := os.Mkdir(contextSubdir, 0755)
+	if err != nil {
+		t.Fatalf("Failed to make directory: %s", contextSubdir)
+	}
+
+	testFilename := createTestTempFile(t, contextSubdir, filename, contents, 0755)
+
+	tarSum := makeTestArchiveContext(t, contextDir)
+
+	relativePath, err := filepath.Rel(contextDir, testFilename)
+
+	if err != nil {
+		t.Fatalf("Error when getting relative path: %s", err)
+	}
+
+	sum, err := tarSum.Hash(relativePath)
+
+	if err != nil {
+		t.Fatalf("Error when executing Stat: %s", err)
+	}
+
+	if len(sum) == 0 {
+		t.Fatalf("Hash returned empty sum")
+	}
+
+	expected := "d7f8d6353dee4816f9134f4156bf6a9d470fdadfb5d89213721f7e86744a4e69"
+
+	if actual := sum; expected != actual {
+		t.Fatalf("invalid checksum. expected %s, got %s", expected, actual)
+	}
+}
+
+func TestRemoveDirectory(t *testing.T) {
+	contextDir, cleanup := createTestTempDir(t, "", "builder-tarsum-test")
+	defer cleanup()
+
+	contextSubdir := createTestTempSubdir(t, contextDir, "builder-tarsum-test-subdir")
+
+	relativePath, err := filepath.Rel(contextDir, contextSubdir)
+
+	if err != nil {
+		t.Fatalf("Error when getting relative path: %s", err)
+	}
+
+	src := makeTestArchiveContext(t, contextDir)
+
+	_, err = src.Root().Stat(src.Root().Join(src.Root().Path(), relativePath))
+	if err != nil {
+		t.Fatalf("Statting %s shouldn't fail: %+v", relativePath, err)
+	}
+
+	tarSum := src.(modifiableContext)
+	err = tarSum.Remove(relativePath)
+	if err != nil {
+		t.Fatalf("Error when executing Remove: %s", err)
+	}
+
+	_, err = src.Root().Stat(src.Root().Join(src.Root().Path(), relativePath))
+	if !os.IsNotExist(errors.Cause(err)) {
+		t.Fatalf("Directory should not exist at this point: %+v ", err)
+	}
+}
+
+func makeTestArchiveContext(t *testing.T, dir string) builder.Source {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tarStream, err := archive.Tar(dir, archive.Uncompressed)
+	if err != nil {
+		t.Fatalf("error: %s", err)
+	}
+	defer tarStream.Close()
+	tarSum, err := FromArchive(tarStream)
+	if err != nil {
+		t.Fatalf("Error when executing FromArchive: %s", err)
+	}
+	return tarSum
+}
diff --git a/engine/builder/remotecontext/utils_test.go b/engine/builder/remotecontext/utils_test.go
new file mode 100644
index 00000000..6a4c707a
--- /dev/null
+++ b/engine/builder/remotecontext/utils_test.go
@@ -0,0 +1,55 @@
+package remotecontext // import "github.com/docker/docker/builder/remotecontext"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// createTestTempDir creates a temporary directory for testing.
+// It returns the created path and a cleanup function which is meant to be used as deferred call.
+// When an error occurs, it terminates the test.
+func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) {
+	path, err := ioutil.TempDir(dir, prefix)
+
+	if err != nil {
+		t.Fatalf("Error when creating directory %s with prefix %s: %s", dir, prefix, err)
+	}
+
+	return path, func() {
+		err = os.RemoveAll(path)
+
+		if err != nil {
+			t.Fatalf("Error when removing directory %s: %s", path, err)
+		}
+	}
+}
+
+// createTestTempSubdir creates a temporary directory for testing.
+// It returns the created path but doesn't provide a cleanup function,
+// so createTestTempSubdir should be used only for creating temporary subdirectories
+// whose parent directories are properly cleaned up.
+// When an error occurs, it terminates the test.
+func createTestTempSubdir(t *testing.T, dir, prefix string) string {
+	path, err := ioutil.TempDir(dir, prefix)
+
+	if err != nil {
+		t.Fatalf("Error when creating directory %s with prefix %s: %s", dir, prefix, err)
+	}
+
+	return path
+}
+
+// createTestTempFile creates a temporary file within dir with specific contents and permissions.
+// When an error occurs, it terminates the test
+func createTestTempFile(t *testing.T, dir, filename, contents string, perm os.FileMode) string {
+	filePath := filepath.Join(dir, filename)
+	err := ioutil.WriteFile(filePath, []byte(contents), perm)
+
+	if err != nil {
+		t.Fatalf("Error when creating %s file: %s", filename, err)
+	}
+
+	return filePath
+}
diff --git a/engine/cli/cobra.go b/engine/cli/cobra.go
new file mode 100644
index 00000000..8ed1fddc
--- /dev/null
+++ b/engine/cli/cobra.go
@@ -0,0 +1,131 @@
+package cli // import "github.com/docker/docker/cli"
+
+import (
+	"fmt"
+
+	"github.com/docker/docker/pkg/term"
+	"github.com/spf13/cobra"
+)
+
+// SetupRootCommand sets default usage, help, and error handling for the
+// root command.
+func SetupRootCommand(rootCmd *cobra.Command) {
+	cobra.AddTemplateFunc("hasSubCommands", hasSubCommands)
+	cobra.AddTemplateFunc("hasManagementSubCommands", hasManagementSubCommands)
+	cobra.AddTemplateFunc("operationSubCommands", operationSubCommands)
+	cobra.AddTemplateFunc("managementSubCommands", managementSubCommands)
+	cobra.AddTemplateFunc("wrappedFlagUsages", wrappedFlagUsages)
+
+	rootCmd.SetUsageTemplate(usageTemplate)
+	rootCmd.SetHelpTemplate(helpTemplate)
+	rootCmd.SetFlagErrorFunc(FlagErrorFunc)
+	rootCmd.SetVersionTemplate("Docker version {{.Version}}\n")
+
+	rootCmd.PersistentFlags().BoolP("help", "h", false, "Print usage")
+	rootCmd.PersistentFlags().MarkShorthandDeprecated("help", "please use --help")
+}
+
+// FlagErrorFunc prints an error message which matches the format of the
+// docker/docker/cli error messages
+func FlagErrorFunc(cmd *cobra.Command, err error) error {
+	if err == nil {
+		return nil
+	}
+
+	usage := ""
+	if cmd.HasSubCommands() {
+		usage = "\n\n" + cmd.UsageString()
+	}
+	return StatusError{
+		Status:     fmt.Sprintf("%s\nSee '%s --help'.%s", err, cmd.CommandPath(), usage),
+		StatusCode: 125,
+	}
+}
+
+func hasSubCommands(cmd *cobra.Command) bool {
+	return len(operationSubCommands(cmd)) > 0
+}
+
+func hasManagementSubCommands(cmd *cobra.Command) bool {
+	return len(managementSubCommands(cmd)) > 0
+}
+
+func operationSubCommands(cmd *cobra.Command) []*cobra.Command {
+	var cmds []*cobra.Command
+	for _, sub := range cmd.Commands() {
+		if sub.IsAvailableCommand() && !sub.HasSubCommands() {
+			cmds = append(cmds, sub)
+		}
+	}
+	return cmds
+}
+
+func wrappedFlagUsages(cmd *cobra.Command) string {
+	width := 80
+	if ws, err := term.GetWinsize(0); err == nil {
+		width = int(ws.Width)
+	}
+	return cmd.Flags().FlagUsagesWrapped(width - 1)
+}
+
+func managementSubCommands(cmd *cobra.Command) []*cobra.Command {
+	var cmds []*cobra.Command
+	for _, sub := range cmd.Commands() {
+		if sub.IsAvailableCommand() && sub.HasSubCommands() {
+			cmds = append(cmds, sub)
+		}
+	}
+	return cmds
+}
+
+var usageTemplate = `Usage:
+
+{{- if not .HasSubCommands}}	{{.UseLine}}{{end}}
+{{- if .HasSubCommands}}	{{ .CommandPath}} COMMAND{{end}}
+
+{{ .Short | trim }}
+
+{{- if gt .Aliases 0}}
+
+Aliases:
+  {{.NameAndAliases}}
+
+{{- end}}
+{{- if .HasExample}}
+
+Examples:
+{{ .Example }}
+
+{{- end}}
+{{- if .HasAvailableFlags}}
+
+Options:
+{{ wrappedFlagUsages . | trimRightSpace}}
+
+{{- end}}
+{{- if hasManagementSubCommands . }}
+
+Management Commands:
+
+{{- range managementSubCommands . }}
+  {{rpad .Name .NamePadding }} {{.Short}}
+{{- end}}
+
+{{- end}}
+{{- if hasSubCommands .}}
+
+Commands:
+
+{{- range operationSubCommands . }}
+  {{rpad .Name .NamePadding }} {{.Short}}
+{{- end}}
+{{- end}}
+
+{{- if .HasSubCommands }}
+
+Run '{{.CommandPath}} COMMAND --help' for more information on a command.
+{{- end}}
+`
+
+var helpTemplate = `
+{{if or .Runnable .HasSubCommands}}{{.UsageString}}{{end}}`
diff --git a/engine/cli/config/configdir.go b/engine/cli/config/configdir.go
new file mode 100644
index 00000000..4bef4e10
--- /dev/null
+++ b/engine/cli/config/configdir.go
@@ -0,0 +1,25 @@
+package config // import "github.com/docker/docker/cli/config"
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/pkg/homedir"
+)
+
+var (
+	configDir     = os.Getenv("DOCKER_CONFIG")
+	configFileDir = ".docker"
+)
+
+// Dir returns the path to the configuration directory as specified by the DOCKER_CONFIG environment variable.
+// TODO: this was copied from cli/config/configfile and should be removed once cmd/dockerd moves
+func Dir() string {
+	return configDir
+}
+
+func init() {
+	if configDir == "" {
+		configDir = filepath.Join(homedir.Get(), configFileDir)
+	}
+}
diff --git a/engine/cli/debug/debug.go b/engine/cli/debug/debug.go
new file mode 100644
index 00000000..2303e15c
--- /dev/null
+++ b/engine/cli/debug/debug.go
@@ -0,0 +1,26 @@
+package debug // import "github.com/docker/docker/cli/debug"
+
+import (
+	"os"
+
+	"github.com/sirupsen/logrus"
+)
+
+// Enable sets the DEBUG env var to true
+// and makes the logger to log at debug level.
+func Enable() {
+	os.Setenv("DEBUG", "1")
+	logrus.SetLevel(logrus.DebugLevel)
+}
+
+// Disable sets the DEBUG env var to false
+// and makes the logger to log at info level.
+func Disable() {
+	os.Setenv("DEBUG", "")
+	logrus.SetLevel(logrus.InfoLevel)
+}
+
+// IsEnabled checks whether the debug flag is set or not.
+func IsEnabled() bool {
+	return os.Getenv("DEBUG") != ""
+}
diff --git a/engine/cli/debug/debug_test.go b/engine/cli/debug/debug_test.go
new file mode 100644
index 00000000..5b6d788a
--- /dev/null
+++ b/engine/cli/debug/debug_test.go
@@ -0,0 +1,43 @@
+package debug // import "github.com/docker/docker/cli/debug"
+
+import (
+	"os"
+	"testing"
+
+	"github.com/sirupsen/logrus"
+)
+
+func TestEnable(t *testing.T) {
+	defer func() {
+		os.Setenv("DEBUG", "")
+		logrus.SetLevel(logrus.InfoLevel)
+	}()
+	Enable()
+	if os.Getenv("DEBUG") != "1" {
+		t.Fatalf("expected DEBUG=1, got %s\n", os.Getenv("DEBUG"))
+	}
+	if logrus.GetLevel() != logrus.DebugLevel {
+		t.Fatalf("expected log level %v, got %v\n", logrus.DebugLevel, logrus.GetLevel())
+	}
+}
+
+func TestDisable(t *testing.T) {
+	Disable()
+	if os.Getenv("DEBUG") != "" {
+		t.Fatalf("expected DEBUG=\"\", got %s\n", os.Getenv("DEBUG"))
+	}
+	if logrus.GetLevel() != logrus.InfoLevel {
+		t.Fatalf("expected log level %v, got %v\n", logrus.InfoLevel, logrus.GetLevel())
+	}
+}
+
+func TestEnabled(t *testing.T) {
+	Enable()
+	if !IsEnabled() {
+		t.Fatal("expected debug enabled, got false")
+	}
+	Disable()
+	if IsEnabled() {
+		t.Fatal("expected debug disabled, got true")
+	}
+}
diff --git a/engine/cli/error.go b/engine/cli/error.go
new file mode 100644
index 00000000..ea7c0eb5
--- /dev/null
+++ b/engine/cli/error.go
@@ -0,0 +1,33 @@
+package cli // import "github.com/docker/docker/cli"
+
+import (
+	"fmt"
+	"strings"
+)
+
+// Errors is a list of errors.
+// Useful in a loop if you don't want to return the error right away and you want to display after the loop,
+// all the errors that happened during the loop.
+type Errors []error
+
+func (errList Errors) Error() string {
+	if len(errList) < 1 {
+		return ""
+	}
+
+	out := make([]string, len(errList))
+	for i := range errList {
+		out[i] = errList[i].Error()
+	}
+	return strings.Join(out, ", ")
+}
+
+// StatusError reports an unsuccessful exit by a command.
+type StatusError struct {
+	Status     string
+	StatusCode int
+}
+
+func (e StatusError) Error() string {
+	return fmt.Sprintf("Status: %s, Code: %d", e.Status, e.StatusCode)
+}
diff --git a/engine/cli/required.go b/engine/cli/required.go
new file mode 100644
index 00000000..e1ff02d2
--- /dev/null
+++ b/engine/cli/required.go
@@ -0,0 +1,27 @@
+package cli // import "github.com/docker/docker/cli"
+
+import (
+	"strings"
+
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+// NoArgs validates args and returns an error if there are any args
+func NoArgs(cmd *cobra.Command, args []string) error {
+	if len(args) == 0 {
+		return nil
+	}
+
+	if cmd.HasSubCommands() {
+		return errors.Errorf("\n" + strings.TrimRight(cmd.UsageString(), "\n"))
+	}
+
+	return errors.Errorf(
+		"\"%s\" accepts no argument(s).\nSee '%s --help'.\n\nUsage:  %s\n\n%s",
+		cmd.CommandPath(),
+		cmd.CommandPath(),
+		cmd.UseLine(),
+		cmd.Short,
+	)
+}
diff --git a/engine/client/README.md b/engine/client/README.md
new file mode 100644
index 00000000..059dfb3c
--- /dev/null
+++ b/engine/client/README.md
@@ -0,0 +1,35 @@
+# Go client for the Docker Engine API
+
+The `docker` command uses this package to communicate with the daemon. It can also be used by your own Go applications to do anything the command-line interface does – running containers, pulling images, managing swarms, etc.
+
+For example, to list running containers (the equivalent of `docker ps`):
+
+```go
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+)
+
+func main() {
+	cli, err := client.NewEnvClient()
+	if err != nil {
+		panic(err)
+	}
+
+	containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{})
+	if err != nil {
+		panic(err)
+	}
+
+	for _, container := range containers {
+		fmt.Printf("%s %s\n", container.ID[:10], container.Image)
+	}
+}
+```
+
+[Full documentation is available on GoDoc.](https://godoc.org/github.com/docker/docker/client)
diff --git a/engine/client/build_cancel.go b/engine/client/build_cancel.go
new file mode 100644
index 00000000..4cf8c980
--- /dev/null
+++ b/engine/client/build_cancel.go
@@ -0,0 +1,21 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"net/url"
+
+	"golang.org/x/net/context"
+)
+
+// BuildCancel requests the daemon to cancel ongoing build request
+func (cli *Client) BuildCancel(ctx context.Context, id string) error {
+	query := url.Values{}
+	query.Set("id", id)
+
+	serverResp, err := cli.post(ctx, "/build/cancel", query, nil, nil)
+	if err != nil {
+		return err
+	}
+	defer ensureReaderClosed(serverResp)
+
+	return nil
+}
diff --git a/engine/client/build_prune.go b/engine/client/build_prune.go
new file mode 100644
index 00000000..c4772a04
--- /dev/null
+++ b/engine/client/build_prune.go
@@ -0,0 +1,30 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/docker/api/types"
+)
+
+// BuildCachePrune requests the daemon to delete unused cache data
+func (cli *Client) BuildCachePrune(ctx context.Context) (*types.BuildCachePruneReport, error) {
+	if err := cli.NewVersionError("1.31", "build prune"); err != nil {
+		return nil, err
+	}
+
+	report := types.BuildCachePruneReport{}
+
+	serverResp, err := cli.post(ctx, "/build/prune", nil, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer ensureReaderClosed(serverResp)
+
+	if err := json.NewDecoder(serverResp.body).Decode(&report); err != nil {
+		return nil, fmt.Errorf("Error retrieving disk usage: %v", err)
+	}
+
+	return &report, nil
+}
diff --git a/engine/client/checkpoint_create.go b/engine/client/checkpoint_create.go
new file mode 100644
index 00000000..921024fe
--- /dev/null
+++ b/engine/client/checkpoint_create.go
@@ -0,0 +1,14 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+)
+
+// CheckpointCreate creates a checkpoint from the given container with the given name
+func (cli *Client) CheckpointCreate(ctx context.Context, container string, options types.CheckpointCreateOptions) error {
+	resp, err := cli.post(ctx, "/containers/"+container+"/checkpoints", nil, options, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/checkpoint_create_test.go b/engine/client/checkpoint_create_test.go
new file mode 100644
index 00000000..5703c219
--- /dev/null
+++ b/engine/client/checkpoint_create_test.go
@@ -0,0 +1,73 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestCheckpointCreateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.CheckpointCreate(context.Background(), "nothing", types.CheckpointCreateOptions{
+		CheckpointID: "noting",
+		Exit:         true,
+	})
+
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestCheckpointCreate(t *testing.T) {
+	expectedContainerID := "container_id"
+	expectedCheckpointID := "checkpoint_id"
+	expectedURL := "/containers/container_id/checkpoints"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+
+			createOptions := &types.CheckpointCreateOptions{}
+			if err := json.NewDecoder(req.Body).Decode(createOptions); err != nil {
+				return nil, err
+			}
+
+			if createOptions.CheckpointID != expectedCheckpointID {
+				return nil, fmt.Errorf("expected CheckpointID to be 'checkpoint_id', got %v", createOptions.CheckpointID)
+			}
+
+			if !createOptions.Exit {
+				return nil, fmt.Errorf("expected Exit to be true")
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.CheckpointCreate(context.Background(), expectedContainerID, types.CheckpointCreateOptions{
+		CheckpointID: expectedCheckpointID,
+		Exit:         true,
+	})
+
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/checkpoint_delete.go b/engine/client/checkpoint_delete.go
new file mode 100644
index 00000000..54f55fa7
--- /dev/null
+++ b/engine/client/checkpoint_delete.go
@@ -0,0 +1,20 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// CheckpointDelete deletes the checkpoint with the given name from the given container
+func (cli *Client) CheckpointDelete(ctx context.Context, containerID string, options types.CheckpointDeleteOptions) error {
+	query := url.Values{}
+	if options.CheckpointDir != "" {
+		query.Set("dir", options.CheckpointDir)
+	}
+
+	resp, err := cli.delete(ctx, "/containers/"+containerID+"/checkpoints/"+options.CheckpointID, query, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/checkpoint_delete_test.go b/engine/client/checkpoint_delete_test.go
new file mode 100644
index 00000000..117630d6
--- /dev/null
+++ b/engine/client/checkpoint_delete_test.go
@@ -0,0 +1,54 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestCheckpointDeleteError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.CheckpointDelete(context.Background(), "container_id", types.CheckpointDeleteOptions{
+		CheckpointID: "checkpoint_id",
+	})
+
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestCheckpointDelete(t *testing.T) {
+	expectedURL := "/containers/container_id/checkpoints/checkpoint_id"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "DELETE" {
+				return nil, fmt.Errorf("expected DELETE method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.CheckpointDelete(context.Background(), "container_id", types.CheckpointDeleteOptions{
+		CheckpointID: "checkpoint_id",
+	})
+
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/checkpoint_list.go b/engine/client/checkpoint_list.go
new file mode 100644
index 00000000..2b73fb55
--- /dev/null
+++ b/engine/client/checkpoint_list.go
@@ -0,0 +1,28 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// CheckpointList returns the checkpoints of the given container in the docker host
+func (cli *Client) CheckpointList(ctx context.Context, container string, options types.CheckpointListOptions) ([]types.Checkpoint, error) {
+	var checkpoints []types.Checkpoint
+
+	query := url.Values{}
+	if options.CheckpointDir != "" {
+		query.Set("dir", options.CheckpointDir)
+	}
+
+	resp, err := cli.get(ctx, "/containers/"+container+"/checkpoints", query, nil)
+	if err != nil {
+		return checkpoints, wrapResponseError(err, resp, "container", container)
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&checkpoints)
+	ensureReaderClosed(resp)
+	return checkpoints, err
+}
diff --git a/engine/client/checkpoint_list_test.go b/engine/client/checkpoint_list_test.go
new file mode 100644
index 00000000..d5cfcda0
--- /dev/null
+++ b/engine/client/checkpoint_list_test.go
@@ -0,0 +1,68 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestCheckpointListError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.CheckpointList(context.Background(), "container_id", types.CheckpointListOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestCheckpointList(t *testing.T) {
+	expectedURL := "/containers/container_id/checkpoints"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			content, err := json.Marshal([]types.Checkpoint{
+				{
+					Name: "checkpoint",
+				},
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	checkpoints, err := client.CheckpointList(context.Background(), "container_id", types.CheckpointListOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(checkpoints) != 1 {
+		t.Fatalf("expected 1 checkpoint, got %v", checkpoints)
+	}
+}
+
+func TestCheckpointListContainerNotFound(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Server error")),
+	}
+
+	_, err := client.CheckpointList(context.Background(), "unknown", types.CheckpointListOptions{})
+	if err == nil || !IsErrNotFound(err) {
+		t.Fatalf("expected a containerNotFound error, got %v", err)
+	}
+}
diff --git a/engine/client/client.go b/engine/client/client.go
new file mode 100644
index 00000000..b874b3b5
--- /dev/null
+++ b/engine/client/client.go
@@ -0,0 +1,402 @@
+/*
+Package client is a Go client for the Docker Engine API.
+
+For more information about the Engine API, see the documentation:
+https://docs.docker.com/engine/reference/api/
+
+Usage
+
+You use the library by creating a client object and calling methods on it. The
+client can be created either from environment variables with NewEnvClient, or
+configured manually with NewClient.
+
+For example, to list running containers (the equivalent of "docker ps"):
+
+	package main
+
+	import (
+		"context"
+		"fmt"
+
+		"github.com/docker/docker/api/types"
+		"github.com/docker/docker/client"
+	)
+
+	func main() {
+		cli, err := client.NewEnvClient()
+		if err != nil {
+			panic(err)
+		}
+
+		containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{})
+		if err != nil {
+			panic(err)
+		}
+
+		for _, container := range containers {
+			fmt.Printf("%s %s\n", container.ID[:10], container.Image)
+		}
+	}
+
+*/
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/go-connections/sockets"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/pkg/errors"
+)
+
+// ErrRedirect is the error returned by checkRedirect when the request is non-GET.
+var ErrRedirect = errors.New("unexpected redirect in response")
+
+// Client is the API client that performs all operations
+// against a docker server.
+type Client struct {
+	// scheme sets the scheme for the client
+	scheme string
+	// host holds the server address to connect to
+	host string
+	// proto holds the client protocol i.e. unix.
+	proto string
+	// addr holds the client address.
+	addr string
+	// basePath holds the path to prepend to the requests.
+	basePath string
+	// client used to send and receive http requests.
+	client *http.Client
+	// version of the server to talk to.
+	version string
+	// custom http headers configured by users.
+	customHTTPHeaders map[string]string
+	// manualOverride is set to true when the version was set by users.
+	manualOverride bool
+}
+
+// CheckRedirect specifies the policy for dealing with redirect responses:
+// If the request is non-GET return `ErrRedirect`. Otherwise use the last response.
+//
+// Go 1.8 changes behavior for HTTP redirects (specifically 301, 307, and 308) in the client .
+// The Docker client (and by extension docker API client) can be made to to send a request
+// like POST /containers//start where what would normally be in the name section of the URL is empty.
+// This triggers an HTTP 301 from the daemon.
+// In go 1.8 this 301 will be converted to a GET request, and ends up getting a 404 from the daemon.
+// This behavior change manifests in the client in that before the 301 was not followed and
+// the client did not generate an error, but now results in a message like Error response from daemon: page not found.
+func CheckRedirect(req *http.Request, via []*http.Request) error {
+	if via[0].Method == http.MethodGet {
+		return http.ErrUseLastResponse
+	}
+	return ErrRedirect
+}
+
+// NewEnvClient initializes a new API client based on environment variables.
+// See FromEnv for a list of support environment variables.
+//
+// Deprecated: use NewClientWithOpts(FromEnv)
+func NewEnvClient() (*Client, error) {
+	return NewClientWithOpts(FromEnv)
+}
+
+// FromEnv configures the client with values from environment variables.
+//
+// Supported environment variables:
+// DOCKER_HOST to set the url to the docker server.
+// DOCKER_API_VERSION to set the version of the API to reach, leave empty for latest.
+// DOCKER_CERT_PATH to load the TLS certificates from.
+// DOCKER_TLS_VERIFY to enable or disable TLS verification, off by default.
+func FromEnv(c *Client) error {
+	if dockerCertPath := os.Getenv("DOCKER_CERT_PATH"); dockerCertPath != "" {
+		options := tlsconfig.Options{
+			CAFile:             filepath.Join(dockerCertPath, "ca.pem"),
+			CertFile:           filepath.Join(dockerCertPath, "cert.pem"),
+			KeyFile:            filepath.Join(dockerCertPath, "key.pem"),
+			InsecureSkipVerify: os.Getenv("DOCKER_TLS_VERIFY") == "",
+		}
+		tlsc, err := tlsconfig.Client(options)
+		if err != nil {
+			return err
+		}
+
+		c.client = &http.Client{
+			Transport:     &http.Transport{TLSClientConfig: tlsc},
+			CheckRedirect: CheckRedirect,
+		}
+	}
+
+	if host := os.Getenv("DOCKER_HOST"); host != "" {
+		if err := WithHost(host)(c); err != nil {
+			return err
+		}
+	}
+
+	if version := os.Getenv("DOCKER_API_VERSION"); version != "" {
+		c.version = version
+		c.manualOverride = true
+	}
+	return nil
+}
+
+// WithTLSClientConfig applies a tls config to the client transport.
+func WithTLSClientConfig(cacertPath, certPath, keyPath string) func(*Client) error {
+	return func(c *Client) error {
+		opts := tlsconfig.Options{
+			CAFile:             cacertPath,
+			CertFile:           certPath,
+			KeyFile:            keyPath,
+			ExclusiveRootPools: true,
+		}
+		config, err := tlsconfig.Client(opts)
+		if err != nil {
+			return errors.Wrap(err, "failed to create tls config")
+		}
+		if transport, ok := c.client.Transport.(*http.Transport); ok {
+			transport.TLSClientConfig = config
+			return nil
+		}
+		return errors.Errorf("cannot apply tls config to transport: %T", c.client.Transport)
+	}
+}
+
+// WithDialer applies the dialer.DialContext to the client transport. This can be
+// used to set the Timeout and KeepAlive settings of the client.
+func WithDialer(dialer *net.Dialer) func(*Client) error {
+	return func(c *Client) error {
+		if transport, ok := c.client.Transport.(*http.Transport); ok {
+			transport.DialContext = dialer.DialContext
+			return nil
+		}
+		return errors.Errorf("cannot apply dialer to transport: %T", c.client.Transport)
+	}
+}
+
+// WithVersion overrides the client version with the specified one
+func WithVersion(version string) func(*Client) error {
+	return func(c *Client) error {
+		c.version = version
+		return nil
+	}
+}
+
+// WithHost overrides the client host with the specified one.
+func WithHost(host string) func(*Client) error {
+	return func(c *Client) error {
+		hostURL, err := ParseHostURL(host)
+		if err != nil {
+			return err
+		}
+		c.host = host
+		c.proto = hostURL.Scheme
+		c.addr = hostURL.Host
+		c.basePath = hostURL.Path
+		if transport, ok := c.client.Transport.(*http.Transport); ok {
+			return sockets.ConfigureTransport(transport, c.proto, c.addr)
+		}
+		return errors.Errorf("cannot apply host to transport: %T", c.client.Transport)
+	}
+}
+
+// WithHTTPClient overrides the client http client with the specified one
+func WithHTTPClient(client *http.Client) func(*Client) error {
+	return func(c *Client) error {
+		if client != nil {
+			c.client = client
+		}
+		return nil
+	}
+}
+
+// WithHTTPHeaders overrides the client default http headers
+func WithHTTPHeaders(headers map[string]string) func(*Client) error {
+	return func(c *Client) error {
+		c.customHTTPHeaders = headers
+		return nil
+	}
+}
+
+// NewClientWithOpts initializes a new API client with default values. It takes functors
+// to modify values when creating it, like `NewClientWithOpts(WithVersion(…))`
+// It also initializes the custom http headers to add to each request.
+//
+// It won't send any version information if the version number is empty. It is
+// highly recommended that you set a version or your client may break if the
+// server is upgraded.
+func NewClientWithOpts(ops ...func(*Client) error) (*Client, error) {
+	client, err := defaultHTTPClient(DefaultDockerHost)
+	if err != nil {
+		return nil, err
+	}
+	c := &Client{
+		host:    DefaultDockerHost,
+		version: api.DefaultVersion,
+		scheme:  "http",
+		client:  client,
+		proto:   defaultProto,
+		addr:    defaultAddr,
+	}
+
+	for _, op := range ops {
+		if err := op(c); err != nil {
+			return nil, err
+		}
+	}
+
+	if _, ok := c.client.Transport.(http.RoundTripper); !ok {
+		return nil, fmt.Errorf("unable to verify TLS configuration, invalid transport %v", c.client.Transport)
+	}
+	tlsConfig := resolveTLSConfig(c.client.Transport)
+	if tlsConfig != nil {
+		// TODO(stevvooe): This isn't really the right way to write clients in Go.
+		// `NewClient` should probably only take an `*http.Client` and work from there.
+		// Unfortunately, the model of having a host-ish/url-thingy as the connection
+		// string has us confusing protocol and transport layers. We continue doing
+		// this to avoid breaking existing clients but this should be addressed.
+		c.scheme = "https"
+	}
+
+	return c, nil
+}
+
+func defaultHTTPClient(host string) (*http.Client, error) {
+	url, err := ParseHostURL(host)
+	if err != nil {
+		return nil, err
+	}
+	transport := new(http.Transport)
+	sockets.ConfigureTransport(transport, url.Scheme, url.Host)
+	return &http.Client{
+		Transport:     transport,
+		CheckRedirect: CheckRedirect,
+	}, nil
+}
+
+// NewClient initializes a new API client for the given host and API version.
+// It uses the given http client as transport.
+// It also initializes the custom http headers to add to each request.
+//
+// It won't send any version information if the version number is empty. It is
+// highly recommended that you set a version or your client may break if the
+// server is upgraded.
+// Deprecated: use NewClientWithOpts
+func NewClient(host string, version string, client *http.Client, httpHeaders map[string]string) (*Client, error) {
+	return NewClientWithOpts(WithHost(host), WithVersion(version), WithHTTPClient(client), WithHTTPHeaders(httpHeaders))
+}
+
+// Close the transport used by the client
+func (cli *Client) Close() error {
+	if t, ok := cli.client.Transport.(*http.Transport); ok {
+		t.CloseIdleConnections()
+	}
+	return nil
+}
+
+// getAPIPath returns the versioned request path to call the api.
+// It appends the query parameters to the path if they are not empty.
+func (cli *Client) getAPIPath(p string, query url.Values) string {
+	var apiPath string
+	if cli.version != "" {
+		v := strings.TrimPrefix(cli.version, "v")
+		apiPath = path.Join(cli.basePath, "/v"+v, p)
+	} else {
+		apiPath = path.Join(cli.basePath, p)
+	}
+	return (&url.URL{Path: apiPath, RawQuery: query.Encode()}).String()
+}
+
+// ClientVersion returns the API version used by this client.
+func (cli *Client) ClientVersion() string {
+	return cli.version
+}
+
+// NegotiateAPIVersion queries the API and updates the version to match the
+// API version. Any errors are silently ignored.
+func (cli *Client) NegotiateAPIVersion(ctx context.Context) {
+	ping, _ := cli.Ping(ctx)
+	cli.NegotiateAPIVersionPing(ping)
+}
+
+// NegotiateAPIVersionPing updates the client version to match the Ping.APIVersion
+// if the ping version is less than the default version.
+func (cli *Client) NegotiateAPIVersionPing(p types.Ping) {
+	if cli.manualOverride {
+		return
+	}
+
+	// try the latest version before versioning headers existed
+	if p.APIVersion == "" {
+		p.APIVersion = "1.24"
+	}
+
+	// if the client is not initialized with a version, start with the latest supported version
+	if cli.version == "" {
+		cli.version = api.DefaultVersion
+	}
+
+	// if server version is lower than the client version, downgrade
+	if versions.LessThan(p.APIVersion, cli.version) {
+		cli.version = p.APIVersion
+	}
+}
+
+// DaemonHost returns the host address used by the client
+func (cli *Client) DaemonHost() string {
+	return cli.host
+}
+
+// HTTPClient returns a copy of the HTTP client bound to the server
+func (cli *Client) HTTPClient() *http.Client {
+	return &*cli.client
+}
+
+// ParseHostURL parses a url string, validates the string is a host url, and
+// returns the parsed URL
+func ParseHostURL(host string) (*url.URL, error) {
+	protoAddrParts := strings.SplitN(host, "://", 2)
+	if len(protoAddrParts) == 1 {
+		return nil, fmt.Errorf("unable to parse docker host `%s`", host)
+	}
+
+	var basePath string
+	proto, addr := protoAddrParts[0], protoAddrParts[1]
+	if proto == "tcp" {
+		parsed, err := url.Parse("tcp://" + addr)
+		if err != nil {
+			return nil, err
+		}
+		addr = parsed.Host
+		basePath = parsed.Path
+	}
+	return &url.URL{
+		Scheme: proto,
+		Host:   addr,
+		Path:   basePath,
+	}, nil
+}
+
+// CustomHTTPHeaders returns the custom http headers stored by the client.
+func (cli *Client) CustomHTTPHeaders() map[string]string {
+	m := make(map[string]string)
+	for k, v := range cli.customHTTPHeaders {
+		m[k] = v
+	}
+	return m
+}
+
+// SetCustomHTTPHeaders that will be set on every HTTP request made by the client.
+// Deprecated: use WithHTTPHeaders when creating the client.
+func (cli *Client) SetCustomHTTPHeaders(headers map[string]string) {
+	cli.customHTTPHeaders = headers
+}
diff --git a/engine/client/client_mock_test.go b/engine/client/client_mock_test.go
new file mode 100644
index 00000000..390a1eed
--- /dev/null
+++ b/engine/client/client_mock_test.go
@@ -0,0 +1,53 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/docker/docker/api/types"
+)
+
+// transportFunc allows us to inject a mock transport for testing. We define it
+// here so we can detect the tlsconfig and return nil for only this type.
+type transportFunc func(*http.Request) (*http.Response, error)
+
+func (tf transportFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return tf(req)
+}
+
+func newMockClient(doer func(*http.Request) (*http.Response, error)) *http.Client {
+	return &http.Client{
+		Transport: transportFunc(doer),
+	}
+}
+
+func errorMock(statusCode int, message string) func(req *http.Request) (*http.Response, error) {
+	return func(req *http.Request) (*http.Response, error) {
+		header := http.Header{}
+		header.Set("Content-Type", "application/json")
+
+		body, err := json.Marshal(&types.ErrorResponse{
+			Message: message,
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		return &http.Response{
+			StatusCode: statusCode,
+			Body:       ioutil.NopCloser(bytes.NewReader(body)),
+			Header:     header,
+		}, nil
+	}
+}
+
+func plainTextErrorMock(statusCode int, message string) func(req *http.Request) (*http.Response, error) {
+	return func(req *http.Request) (*http.Response, error) {
+		return &http.Response{
+			StatusCode: statusCode,
+			Body:       ioutil.NopCloser(bytes.NewReader([]byte(message))),
+		}, nil
+	}
+}
diff --git a/engine/client/client_test.go b/engine/client/client_test.go
new file mode 100644
index 00000000..58bccaa3
--- /dev/null
+++ b/engine/client/client_test.go
@@ -0,0 +1,321 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"net/http"
+	"net/url"
+	"os"
+	"runtime"
+	"testing"
+
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/env"
+	"gotest.tools/skip"
+)
+
+func TestNewEnvClient(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows")
+
+	testcases := []struct {
+		doc             string
+		envs            map[string]string
+		expectedError   string
+		expectedVersion string
+	}{
+		{
+			doc:             "default api version",
+			envs:            map[string]string{},
+			expectedVersion: api.DefaultVersion,
+		},
+		{
+			doc: "invalid cert path",
+			envs: map[string]string{
+				"DOCKER_CERT_PATH": "invalid/path",
+			},
+			expectedError: "Could not load X509 key pair: open invalid/path/cert.pem: no such file or directory",
+		},
+		{
+			doc: "default api version with cert path",
+			envs: map[string]string{
+				"DOCKER_CERT_PATH": "testdata/",
+			},
+			expectedVersion: api.DefaultVersion,
+		},
+		{
+			doc: "default api version with cert path and tls verify",
+			envs: map[string]string{
+				"DOCKER_CERT_PATH":  "testdata/",
+				"DOCKER_TLS_VERIFY": "1",
+			},
+			expectedVersion: api.DefaultVersion,
+		},
+		{
+			doc: "default api version with cert path and host",
+			envs: map[string]string{
+				"DOCKER_CERT_PATH": "testdata/",
+				"DOCKER_HOST":      "https://notaunixsocket",
+			},
+			expectedVersion: api.DefaultVersion,
+		},
+		{
+			doc: "invalid docker host",
+			envs: map[string]string{
+				"DOCKER_HOST": "host",
+			},
+			expectedError: "unable to parse docker host `host`",
+		},
+		{
+			doc: "invalid docker host, with good format",
+			envs: map[string]string{
+				"DOCKER_HOST": "invalid://url",
+			},
+			expectedVersion: api.DefaultVersion,
+		},
+		{
+			doc: "override api version",
+			envs: map[string]string{
+				"DOCKER_API_VERSION": "1.22",
+			},
+			expectedVersion: "1.22",
+		},
+	}
+
+	defer env.PatchAll(t, nil)()
+	for _, c := range testcases {
+		env.PatchAll(t, c.envs)
+		apiclient, err := NewEnvClient()
+		if c.expectedError != "" {
+			assert.Check(t, is.Error(err, c.expectedError), c.doc)
+		} else {
+			assert.Check(t, err, c.doc)
+			version := apiclient.ClientVersion()
+			assert.Check(t, is.Equal(c.expectedVersion, version), c.doc)
+		}
+
+		if c.envs["DOCKER_TLS_VERIFY"] != "" {
+			// pedantic checking that this is handled correctly
+			tr := apiclient.client.Transport.(*http.Transport)
+			assert.Assert(t, tr.TLSClientConfig != nil, c.doc)
+			assert.Check(t, is.Equal(tr.TLSClientConfig.InsecureSkipVerify, false), c.doc)
+		}
+	}
+}
+
+func TestGetAPIPath(t *testing.T) {
+	testcases := []struct {
+		version  string
+		path     string
+		query    url.Values
+		expected string
+	}{
+		{"", "/containers/json", nil, "/containers/json"},
+		{"", "/containers/json", url.Values{}, "/containers/json"},
+		{"", "/containers/json", url.Values{"s": []string{"c"}}, "/containers/json?s=c"},
+		{"1.22", "/containers/json", nil, "/v1.22/containers/json"},
+		{"1.22", "/containers/json", url.Values{}, "/v1.22/containers/json"},
+		{"1.22", "/containers/json", url.Values{"s": []string{"c"}}, "/v1.22/containers/json?s=c"},
+		{"v1.22", "/containers/json", nil, "/v1.22/containers/json"},
+		{"v1.22", "/containers/json", url.Values{}, "/v1.22/containers/json"},
+		{"v1.22", "/containers/json", url.Values{"s": []string{"c"}}, "/v1.22/containers/json?s=c"},
+		{"v1.22", "/networks/kiwl$%^", nil, "/v1.22/networks/kiwl$%25%5E"},
+	}
+
+	for _, testcase := range testcases {
+		c := Client{version: testcase.version, basePath: "/"}
+		actual := c.getAPIPath(testcase.path, testcase.query)
+		assert.Check(t, is.Equal(actual, testcase.expected))
+	}
+}
+
+func TestParseHostURL(t *testing.T) {
+	testcases := []struct {
+		host        string
+		expected    *url.URL
+		expectedErr string
+	}{
+		{
+			host:        "",
+			expectedErr: "unable to parse docker host",
+		},
+		{
+			host:        "foobar",
+			expectedErr: "unable to parse docker host",
+		},
+		{
+			host:     "foo://bar",
+			expected: &url.URL{Scheme: "foo", Host: "bar"},
+		},
+		{
+			host:     "tcp://localhost:2476",
+			expected: &url.URL{Scheme: "tcp", Host: "localhost:2476"},
+		},
+		{
+			host:     "tcp://localhost:2476/path",
+			expected: &url.URL{Scheme: "tcp", Host: "localhost:2476", Path: "/path"},
+		},
+	}
+
+	for _, testcase := range testcases {
+		actual, err := ParseHostURL(testcase.host)
+		if testcase.expectedErr != "" {
+			assert.Check(t, is.ErrorContains(err, testcase.expectedErr))
+		}
+		assert.Check(t, is.DeepEqual(testcase.expected, actual))
+	}
+}
+
+func TestNewEnvClientSetsDefaultVersion(t *testing.T) {
+	defer env.PatchAll(t, map[string]string{
+		"DOCKER_HOST":        "",
+		"DOCKER_API_VERSION": "",
+		"DOCKER_TLS_VERIFY":  "",
+		"DOCKER_CERT_PATH":   "",
+	})()
+
+	client, err := NewEnvClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+	assert.Check(t, is.Equal(client.version, api.DefaultVersion))
+
+	expected := "1.22"
+	os.Setenv("DOCKER_API_VERSION", expected)
+	client, err = NewEnvClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+	assert.Check(t, is.Equal(expected, client.version))
+}
+
+// TestNegotiateAPIVersionEmpty asserts that client.Client can
+// negotiate a compatible APIVersion when omitted
+func TestNegotiateAPIVersionEmpty(t *testing.T) {
+	defer env.PatchAll(t, map[string]string{"DOCKER_API_VERSION": ""})()
+
+	client, err := NewEnvClient()
+	assert.NilError(t, err)
+
+	ping := types.Ping{
+		APIVersion:   "",
+		OSType:       "linux",
+		Experimental: false,
+	}
+
+	// set our version to something new
+	client.version = "1.25"
+
+	// if no version from server, expect the earliest
+	// version before APIVersion was implemented
+	expected := "1.24"
+
+	// test downgrade
+	client.NegotiateAPIVersionPing(ping)
+	assert.Check(t, is.Equal(expected, client.version))
+}
+
+// TestNegotiateAPIVersion asserts that client.Client can
+// negotiate a compatible APIVersion with the server
+func TestNegotiateAPIVersion(t *testing.T) {
+	client, err := NewEnvClient()
+	assert.NilError(t, err)
+
+	expected := "1.21"
+	ping := types.Ping{
+		APIVersion:   expected,
+		OSType:       "linux",
+		Experimental: false,
+	}
+
+	// set our version to something new
+	client.version = "1.22"
+
+	// test downgrade
+	client.NegotiateAPIVersionPing(ping)
+	assert.Check(t, is.Equal(expected, client.version))
+
+	// set the client version to something older, and verify that we keep the
+	// original setting.
+	expected = "1.20"
+	client.version = expected
+	client.NegotiateAPIVersionPing(ping)
+	assert.Check(t, is.Equal(expected, client.version))
+
+}
+
+// TestNegotiateAPIVersionOverride asserts that we honor
+// the environment variable DOCKER_API_VERSION when negotiating versions
+func TestNegotiateAPVersionOverride(t *testing.T) {
+	expected := "9.99"
+	defer env.PatchAll(t, map[string]string{"DOCKER_API_VERSION": expected})()
+
+	client, err := NewEnvClient()
+	assert.NilError(t, err)
+
+	ping := types.Ping{
+		APIVersion:   "1.24",
+		OSType:       "linux",
+		Experimental: false,
+	}
+
+	// test that we honored the env var
+	client.NegotiateAPIVersionPing(ping)
+	assert.Check(t, is.Equal(expected, client.version))
+}
+
+type roundTripFunc func(*http.Request) (*http.Response, error)
+
+func (rtf roundTripFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return rtf(req)
+}
+
+type bytesBufferClose struct {
+	*bytes.Buffer
+}
+
+func (bbc bytesBufferClose) Close() error {
+	return nil
+}
+
+func TestClientRedirect(t *testing.T) {
+	client := &http.Client{
+		CheckRedirect: CheckRedirect,
+		Transport: roundTripFunc(func(req *http.Request) (*http.Response, error) {
+			if req.URL.String() == "/bla" {
+				return &http.Response{StatusCode: 404}, nil
+			}
+			return &http.Response{
+				StatusCode: 301,
+				Header:     map[string][]string{"Location": {"/bla"}},
+				Body:       bytesBufferClose{bytes.NewBuffer(nil)},
+			}, nil
+		}),
+	}
+
+	cases := []struct {
+		httpMethod  string
+		expectedErr *url.Error
+		statusCode  int
+	}{
+		{http.MethodGet, nil, 301},
+		{http.MethodPost, &url.Error{Op: "Post", URL: "/bla", Err: ErrRedirect}, 301},
+		{http.MethodPut, &url.Error{Op: "Put", URL: "/bla", Err: ErrRedirect}, 301},
+		{http.MethodDelete, &url.Error{Op: "Delete", URL: "/bla", Err: ErrRedirect}, 301},
+	}
+
+	for _, tc := range cases {
+		req, err := http.NewRequest(tc.httpMethod, "/redirectme", nil)
+		assert.Check(t, err)
+		resp, err := client.Do(req)
+		assert.Check(t, is.Equal(tc.statusCode, resp.StatusCode))
+		if tc.expectedErr == nil {
+			assert.Check(t, is.Nil(err))
+		} else {
+			urlError, ok := err.(*url.Error)
+			assert.Assert(t, ok, "%T is not *url.Error", err)
+			assert.Check(t, is.Equal(*tc.expectedErr, *urlError))
+		}
+	}
+}
diff --git a/engine/client/client_unix.go b/engine/client/client_unix.go
new file mode 100644
index 00000000..3d24470b
--- /dev/null
+++ b/engine/client/client_unix.go
@@ -0,0 +1,9 @@
+// +build linux freebsd openbsd darwin
+
+package client // import "github.com/docker/docker/client"
+
+// DefaultDockerHost defines os specific default if DOCKER_HOST is unset
+const DefaultDockerHost = "unix:///var/run/docker.sock"
+
+const defaultProto = "unix"
+const defaultAddr = "/var/run/docker.sock"
diff --git a/engine/client/client_windows.go b/engine/client/client_windows.go
new file mode 100644
index 00000000..c649e544
--- /dev/null
+++ b/engine/client/client_windows.go
@@ -0,0 +1,7 @@
+package client // import "github.com/docker/docker/client"
+
+// DefaultDockerHost defines os specific default if DOCKER_HOST is unset
+const DefaultDockerHost = "npipe:////./pipe/docker_engine"
+
+const defaultProto = "npipe"
+const defaultAddr = "//./pipe/docker_engine"
diff --git a/engine/client/config_create.go b/engine/client/config_create.go
new file mode 100644
index 00000000..c8b802ad
--- /dev/null
+++ b/engine/client/config_create.go
@@ -0,0 +1,25 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// ConfigCreate creates a new Config.
+func (cli *Client) ConfigCreate(ctx context.Context, config swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+	var response types.ConfigCreateResponse
+	if err := cli.NewVersionError("1.30", "config create"); err != nil {
+		return response, err
+	}
+	resp, err := cli.post(ctx, "/configs/create", nil, config, nil)
+	if err != nil {
+		return response, err
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&response)
+	ensureReaderClosed(resp)
+	return response, err
+}
diff --git a/engine/client/config_create_test.go b/engine/client/config_create_test.go
new file mode 100644
index 00000000..a6408792
--- /dev/null
+++ b/engine/client/config_create_test.go
@@ -0,0 +1,70 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestConfigCreateUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.29",
+		client:  &http.Client{},
+	}
+	_, err := client.ConfigCreate(context.Background(), swarm.ConfigSpec{})
+	assert.Check(t, is.Error(err, `"config create" requires API version 1.30, but the Docker daemon API version is 1.29`))
+}
+
+func TestConfigCreateError(t *testing.T) {
+	client := &Client{
+		version: "1.30",
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ConfigCreate(context.Background(), swarm.ConfigSpec{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestConfigCreate(t *testing.T) {
+	expectedURL := "/v1.30/configs/create"
+	client := &Client{
+		version: "1.30",
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			b, err := json.Marshal(types.ConfigCreateResponse{
+				ID: "test_config",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusCreated,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	r, err := client.ConfigCreate(context.Background(), swarm.ConfigSpec{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if r.ID != "test_config" {
+		t.Fatalf("expected `test_config`, got %s", r.ID)
+	}
+}
diff --git a/engine/client/config_inspect.go b/engine/client/config_inspect.go
new file mode 100644
index 00000000..4ac566ad
--- /dev/null
+++ b/engine/client/config_inspect.go
@@ -0,0 +1,36 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io/ioutil"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// ConfigInspectWithRaw returns the config information with raw data
+func (cli *Client) ConfigInspectWithRaw(ctx context.Context, id string) (swarm.Config, []byte, error) {
+	if id == "" {
+		return swarm.Config{}, nil, objectNotFoundError{object: "config", id: id}
+	}
+	if err := cli.NewVersionError("1.30", "config inspect"); err != nil {
+		return swarm.Config{}, nil, err
+	}
+	resp, err := cli.get(ctx, "/configs/"+id, nil, nil)
+	if err != nil {
+		return swarm.Config{}, nil, wrapResponseError(err, resp, "config", id)
+	}
+	defer ensureReaderClosed(resp)
+
+	body, err := ioutil.ReadAll(resp.body)
+	if err != nil {
+		return swarm.Config{}, nil, err
+	}
+
+	var config swarm.Config
+	rdr := bytes.NewReader(body)
+	err = json.NewDecoder(rdr).Decode(&config)
+
+	return config, body, err
+}
diff --git a/engine/client/config_inspect_test.go b/engine/client/config_inspect_test.go
new file mode 100644
index 00000000..76a5dae9
--- /dev/null
+++ b/engine/client/config_inspect_test.go
@@ -0,0 +1,103 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestConfigInspectNotFound(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Server error")),
+	}
+
+	_, _, err := client.ConfigInspectWithRaw(context.Background(), "unknown")
+	if err == nil || !IsErrNotFound(err) {
+		t.Fatalf("expected a NotFoundError error, got %v", err)
+	}
+}
+
+func TestConfigInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, _, err := client.ConfigInspectWithRaw(context.Background(), "")
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
+
+func TestConfigInspectUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.29",
+		client:  &http.Client{},
+	}
+	_, _, err := client.ConfigInspectWithRaw(context.Background(), "nothing")
+	assert.Check(t, is.Error(err, `"config inspect" requires API version 1.30, but the Docker daemon API version is 1.29`))
+}
+
+func TestConfigInspectError(t *testing.T) {
+	client := &Client{
+		version: "1.30",
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, _, err := client.ConfigInspectWithRaw(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestConfigInspectConfigNotFound(t *testing.T) {
+	client := &Client{
+		version: "1.30",
+		client:  newMockClient(errorMock(http.StatusNotFound, "Server error")),
+	}
+
+	_, _, err := client.ConfigInspectWithRaw(context.Background(), "unknown")
+	if err == nil || !IsErrNotFound(err) {
+		t.Fatalf("expected a configNotFoundError error, got %v", err)
+	}
+}
+
+func TestConfigInspect(t *testing.T) {
+	expectedURL := "/v1.30/configs/config_id"
+	client := &Client{
+		version: "1.30",
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			content, err := json.Marshal(swarm.Config{
+				ID: "config_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	configInspect, _, err := client.ConfigInspectWithRaw(context.Background(), "config_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if configInspect.ID != "config_id" {
+		t.Fatalf("expected `config_id`, got %s", configInspect.ID)
+	}
+}
diff --git a/engine/client/config_list.go b/engine/client/config_list.go
new file mode 100644
index 00000000..2b9d5460
--- /dev/null
+++ b/engine/client/config_list.go
@@ -0,0 +1,38 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// ConfigList returns the list of configs.
+func (cli *Client) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+	if err := cli.NewVersionError("1.30", "config list"); err != nil {
+		return nil, err
+	}
+	query := url.Values{}
+
+	if options.Filters.Len() > 0 {
+		filterJSON, err := filters.ToJSON(options.Filters)
+		if err != nil {
+			return nil, err
+		}
+
+		query.Set("filters", filterJSON)
+	}
+
+	resp, err := cli.get(ctx, "/configs", query, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var configs []swarm.Config
+	err = json.NewDecoder(resp.body).Decode(&configs)
+	ensureReaderClosed(resp)
+	return configs, err
+}
diff --git a/engine/client/config_list_test.go b/engine/client/config_list_test.go
new file mode 100644
index 00000000..b35a5929
--- /dev/null
+++ b/engine/client/config_list_test.go
@@ -0,0 +1,107 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestConfigListUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.29",
+		client:  &http.Client{},
+	}
+	_, err := client.ConfigList(context.Background(), types.ConfigListOptions{})
+	assert.Check(t, is.Error(err, `"config list" requires API version 1.30, but the Docker daemon API version is 1.29`))
+}
+
+func TestConfigListError(t *testing.T) {
+	client := &Client{
+		version: "1.30",
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.ConfigList(context.Background(), types.ConfigListOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestConfigList(t *testing.T) {
+	expectedURL := "/v1.30/configs"
+
+	filters := filters.NewArgs()
+	filters.Add("label", "label1")
+	filters.Add("label", "label2")
+
+	listCases := []struct {
+		options             types.ConfigListOptions
+		expectedQueryParams map[string]string
+	}{
+		{
+			options: types.ConfigListOptions{},
+			expectedQueryParams: map[string]string{
+				"filters": "",
+			},
+		},
+		{
+			options: types.ConfigListOptions{
+				Filters: filters,
+			},
+			expectedQueryParams: map[string]string{
+				"filters": `{"label":{"label1":true,"label2":true}}`,
+			},
+		},
+	}
+	for _, listCase := range listCases {
+		client := &Client{
+			version: "1.30",
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				for key, expected := range listCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				content, err := json.Marshal([]swarm.Config{
+					{
+						ID: "config_id1",
+					},
+					{
+						ID: "config_id2",
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+		}
+
+		configs, err := client.ConfigList(context.Background(), listCase.options)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(configs) != 2 {
+			t.Fatalf("expected 2 configs, got %v", configs)
+		}
+	}
+}
diff --git a/engine/client/config_remove.go b/engine/client/config_remove.go
new file mode 100644
index 00000000..a96871e9
--- /dev/null
+++ b/engine/client/config_remove.go
@@ -0,0 +1,13 @@
+package client // import "github.com/docker/docker/client"
+
+import "context"
+
+// ConfigRemove removes a Config.
+func (cli *Client) ConfigRemove(ctx context.Context, id string) error {
+	if err := cli.NewVersionError("1.30", "config remove"); err != nil {
+		return err
+	}
+	resp, err := cli.delete(ctx, "/configs/"+id, nil, nil)
+	ensureReaderClosed(resp)
+	return wrapResponseError(err, resp, "config", id)
+}
diff --git a/engine/client/config_remove_test.go b/engine/client/config_remove_test.go
new file mode 100644
index 00000000..9c0c0f93
--- /dev/null
+++ b/engine/client/config_remove_test.go
@@ -0,0 +1,60 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestConfigRemoveUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.29",
+		client:  &http.Client{},
+	}
+	err := client.ConfigRemove(context.Background(), "config_id")
+	assert.Check(t, is.Error(err, `"config remove" requires API version 1.30, but the Docker daemon API version is 1.29`))
+}
+
+func TestConfigRemoveError(t *testing.T) {
+	client := &Client{
+		version: "1.30",
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.ConfigRemove(context.Background(), "config_id")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestConfigRemove(t *testing.T) {
+	expectedURL := "/v1.30/configs/config_id"
+
+	client := &Client{
+		version: "1.30",
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "DELETE" {
+				return nil, fmt.Errorf("expected DELETE method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+			}, nil
+		}),
+	}
+
+	err := client.ConfigRemove(context.Background(), "config_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/config_update.go b/engine/client/config_update.go
new file mode 100644
index 00000000..39e59cf8
--- /dev/null
+++ b/engine/client/config_update.go
@@ -0,0 +1,21 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+	"strconv"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// ConfigUpdate attempts to update a Config
+func (cli *Client) ConfigUpdate(ctx context.Context, id string, version swarm.Version, config swarm.ConfigSpec) error {
+	if err := cli.NewVersionError("1.30", "config update"); err != nil {
+		return err
+	}
+	query := url.Values{}
+	query.Set("version", strconv.FormatUint(version.Index, 10))
+	resp, err := cli.post(ctx, "/configs/"+id+"/update", query, config, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/config_update_test.go b/engine/client/config_update_test.go
new file mode 100644
index 00000000..1299f827
--- /dev/null
+++ b/engine/client/config_update_test.go
@@ -0,0 +1,61 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestConfigUpdateUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.29",
+		client:  &http.Client{},
+	}
+	err := client.ConfigUpdate(context.Background(), "config_id", swarm.Version{}, swarm.ConfigSpec{})
+	assert.Check(t, is.Error(err, `"config update" requires API version 1.30, but the Docker daemon API version is 1.29`))
+}
+
+func TestConfigUpdateError(t *testing.T) {
+	client := &Client{
+		version: "1.30",
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.ConfigUpdate(context.Background(), "config_id", swarm.Version{}, swarm.ConfigSpec{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestConfigUpdate(t *testing.T) {
+	expectedURL := "/v1.30/configs/config_id/update"
+
+	client := &Client{
+		version: "1.30",
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+			}, nil
+		}),
+	}
+
+	err := client.ConfigUpdate(context.Background(), "config_id", swarm.Version{}, swarm.ConfigSpec{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/container_attach.go b/engine/client/container_attach.go
new file mode 100644
index 00000000..88ba1ef6
--- /dev/null
+++ b/engine/client/container_attach.go
@@ -0,0 +1,57 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ContainerAttach attaches a connection to a container in the server.
+// It returns a types.HijackedConnection with the hijacked connection
+// and the a reader to get output. It's up to the called to close
+// the hijacked connection by calling types.HijackedResponse.Close.
+//
+// The stream format on the response will be in one of two formats:
+//
+// If the container is using a TTY, there is only a single stream (stdout), and
+// data is copied directly from the container output stream, no extra
+// multiplexing or headers.
+//
+// If the container is *not* using a TTY, streams for stdout and stderr are
+// multiplexed.
+// The format of the multiplexed stream is as follows:
+//
+//    [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}[]byte{OUTPUT}
+//
+// STREAM_TYPE can be 1 for stdout and 2 for stderr
+//
+// SIZE1, SIZE2, SIZE3, and SIZE4 are four bytes of uint32 encoded as big endian.
+// This is the size of OUTPUT.
+//
+// You can use github.com/docker/docker/pkg/stdcopy.StdCopy to demultiplex this
+// stream.
+func (cli *Client) ContainerAttach(ctx context.Context, container string, options types.ContainerAttachOptions) (types.HijackedResponse, error) {
+	query := url.Values{}
+	if options.Stream {
+		query.Set("stream", "1")
+	}
+	if options.Stdin {
+		query.Set("stdin", "1")
+	}
+	if options.Stdout {
+		query.Set("stdout", "1")
+	}
+	if options.Stderr {
+		query.Set("stderr", "1")
+	}
+	if options.DetachKeys != "" {
+		query.Set("detachKeys", options.DetachKeys)
+	}
+	if options.Logs {
+		query.Set("logs", "1")
+	}
+
+	headers := map[string][]string{"Content-Type": {"text/plain"}}
+	return cli.postHijacked(ctx, "/containers/"+container+"/attach", query, nil, headers)
+}
diff --git a/engine/client/container_commit.go b/engine/client/container_commit.go
new file mode 100644
index 00000000..377a2ea6
--- /dev/null
+++ b/engine/client/container_commit.go
@@ -0,0 +1,55 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"net/url"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+)
+
+// ContainerCommit applies changes into a container and creates a new tagged image.
+func (cli *Client) ContainerCommit(ctx context.Context, container string, options types.ContainerCommitOptions) (types.IDResponse, error) {
+	var repository, tag string
+	if options.Reference != "" {
+		ref, err := reference.ParseNormalizedNamed(options.Reference)
+		if err != nil {
+			return types.IDResponse{}, err
+		}
+
+		if _, isCanonical := ref.(reference.Canonical); isCanonical {
+			return types.IDResponse{}, errors.New("refusing to create a tag with a digest reference")
+		}
+		ref = reference.TagNameOnly(ref)
+
+		if tagged, ok := ref.(reference.Tagged); ok {
+			tag = tagged.Tag()
+		}
+		repository = reference.FamiliarName(ref)
+	}
+
+	query := url.Values{}
+	query.Set("container", container)
+	query.Set("repo", repository)
+	query.Set("tag", tag)
+	query.Set("comment", options.Comment)
+	query.Set("author", options.Author)
+	for _, change := range options.Changes {
+		query.Add("changes", change)
+	}
+	if !options.Pause {
+		query.Set("pause", "0")
+	}
+
+	var response types.IDResponse
+	resp, err := cli.post(ctx, "/commit", query, options.Config, nil)
+	if err != nil {
+		return response, err
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&response)
+	ensureReaderClosed(resp)
+	return response, err
+}
diff --git a/engine/client/container_commit_test.go b/engine/client/container_commit_test.go
new file mode 100644
index 00000000..8e3fe8b7
--- /dev/null
+++ b/engine/client/container_commit_test.go
@@ -0,0 +1,96 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestContainerCommitError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerCommit(context.Background(), "nothing", types.ContainerCommitOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerCommit(t *testing.T) {
+	expectedURL := "/commit"
+	expectedContainerID := "container_id"
+	specifiedReference := "repository_name:tag"
+	expectedRepositoryName := "repository_name"
+	expectedTag := "tag"
+	expectedComment := "comment"
+	expectedAuthor := "author"
+	expectedChanges := []string{"change1", "change2"}
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			query := req.URL.Query()
+			containerID := query.Get("container")
+			if containerID != expectedContainerID {
+				return nil, fmt.Errorf("container id not set in URL query properly. Expected '%s', got %s", expectedContainerID, containerID)
+			}
+			repo := query.Get("repo")
+			if repo != expectedRepositoryName {
+				return nil, fmt.Errorf("container repo not set in URL query properly. Expected '%s', got %s", expectedRepositoryName, repo)
+			}
+			tag := query.Get("tag")
+			if tag != expectedTag {
+				return nil, fmt.Errorf("container tag not set in URL query properly. Expected '%s', got %s'", expectedTag, tag)
+			}
+			comment := query.Get("comment")
+			if comment != expectedComment {
+				return nil, fmt.Errorf("container comment not set in URL query properly. Expected '%s', got %s'", expectedComment, comment)
+			}
+			author := query.Get("author")
+			if author != expectedAuthor {
+				return nil, fmt.Errorf("container author not set in URL query properly. Expected '%s', got %s'", expectedAuthor, author)
+			}
+			pause := query.Get("pause")
+			if pause != "0" {
+				return nil, fmt.Errorf("container pause not set in URL query properly. Expected 'true', got %v'", pause)
+			}
+			changes := query["changes"]
+			if len(changes) != len(expectedChanges) {
+				return nil, fmt.Errorf("expected container changes size to be '%d', got %d", len(expectedChanges), len(changes))
+			}
+			b, err := json.Marshal(types.IDResponse{
+				ID: "new_container_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	r, err := client.ContainerCommit(context.Background(), expectedContainerID, types.ContainerCommitOptions{
+		Reference: specifiedReference,
+		Comment:   expectedComment,
+		Author:    expectedAuthor,
+		Changes:   expectedChanges,
+		Pause:     false,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if r.ID != "new_container_id" {
+		t.Fatalf("expected `new_container_id`, got %s", r.ID)
+	}
+}
diff --git a/engine/client/container_copy.go b/engine/client/container_copy.go
new file mode 100644
index 00000000..d706260c
--- /dev/null
+++ b/engine/client/container_copy.go
@@ -0,0 +1,101 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ContainerStatPath returns Stat information about a path inside the container filesystem.
+func (cli *Client) ContainerStatPath(ctx context.Context, containerID, path string) (types.ContainerPathStat, error) {
+	query := url.Values{}
+	query.Set("path", filepath.ToSlash(path)) // Normalize the paths used in the API.
+
+	urlStr := "/containers/" + containerID + "/archive"
+	response, err := cli.head(ctx, urlStr, query, nil)
+	if err != nil {
+		return types.ContainerPathStat{}, wrapResponseError(err, response, "container:path", containerID+":"+path)
+	}
+	defer ensureReaderClosed(response)
+	return getContainerPathStatFromHeader(response.header)
+}
+
+// CopyToContainer copies content into the container filesystem.
+// Note that `content` must be a Reader for a TAR archive
+func (cli *Client) CopyToContainer(ctx context.Context, containerID, dstPath string, content io.Reader, options types.CopyToContainerOptions) error {
+	query := url.Values{}
+	query.Set("path", filepath.ToSlash(dstPath)) // Normalize the paths used in the API.
+	// Do not allow for an existing directory to be overwritten by a non-directory and vice versa.
+	if !options.AllowOverwriteDirWithFile {
+		query.Set("noOverwriteDirNonDir", "true")
+	}
+
+	if options.CopyUIDGID {
+		query.Set("copyUIDGID", "true")
+	}
+
+	apiPath := "/containers/" + containerID + "/archive"
+
+	response, err := cli.putRaw(ctx, apiPath, query, content, nil)
+	if err != nil {
+		return wrapResponseError(err, response, "container:path", containerID+":"+dstPath)
+	}
+	defer ensureReaderClosed(response)
+
+	if response.statusCode != http.StatusOK {
+		return fmt.Errorf("unexpected status code from daemon: %d", response.statusCode)
+	}
+
+	return nil
+}
+
+// CopyFromContainer gets the content from the container and returns it as a Reader
+// for a TAR archive to manipulate it in the host. It's up to the caller to close the reader.
+func (cli *Client) CopyFromContainer(ctx context.Context, containerID, srcPath string) (io.ReadCloser, types.ContainerPathStat, error) {
+	query := make(url.Values, 1)
+	query.Set("path", filepath.ToSlash(srcPath)) // Normalize the paths used in the API.
+
+	apiPath := "/containers/" + containerID + "/archive"
+	response, err := cli.get(ctx, apiPath, query, nil)
+	if err != nil {
+		return nil, types.ContainerPathStat{}, wrapResponseError(err, response, "container:path", containerID+":"+srcPath)
+	}
+
+	if response.statusCode != http.StatusOK {
+		return nil, types.ContainerPathStat{}, fmt.Errorf("unexpected status code from daemon: %d", response.statusCode)
+	}
+
+	// In order to get the copy behavior right, we need to know information
+	// about both the source and the destination. The response headers include
+	// stat info about the source that we can use in deciding exactly how to
+	// copy it locally. Along with the stat info about the local destination,
+	// we have everything we need to handle the multiple possibilities there
+	// can be when copying a file/dir from one location to another file/dir.
+	stat, err := getContainerPathStatFromHeader(response.header)
+	if err != nil {
+		return nil, stat, fmt.Errorf("unable to get resource stat from response: %s", err)
+	}
+	return response.body, stat, err
+}
+
+func getContainerPathStatFromHeader(header http.Header) (types.ContainerPathStat, error) {
+	var stat types.ContainerPathStat
+
+	encodedStat := header.Get("X-Docker-Container-Path-Stat")
+	statDecoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(encodedStat))
+
+	err := json.NewDecoder(statDecoder).Decode(&stat)
+	if err != nil {
+		err = fmt.Errorf("unable to decode container path stat header: %s", err)
+	}
+
+	return stat, err
+}
diff --git a/engine/client/container_copy_test.go b/engine/client/container_copy_test.go
new file mode 100644
index 00000000..efddbef2
--- /dev/null
+++ b/engine/client/container_copy_test.go
@@ -0,0 +1,273 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestContainerStatPathError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerStatPath(context.Background(), "container_id", "path")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server error, got %v", err)
+	}
+}
+
+func TestContainerStatPathNotFoundError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Not found")),
+	}
+	_, err := client.ContainerStatPath(context.Background(), "container_id", "path")
+	if !IsErrNotFound(err) {
+		t.Fatalf("expected a not found error, got %v", err)
+	}
+}
+
+func TestContainerStatPathNoHeaderError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+	_, err := client.ContainerStatPath(context.Background(), "container_id", "path/to/file")
+	if err == nil {
+		t.Fatalf("expected an error, got nothing")
+	}
+}
+
+func TestContainerStatPath(t *testing.T) {
+	expectedURL := "/containers/container_id/archive"
+	expectedPath := "path/to/file"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "HEAD" {
+				return nil, fmt.Errorf("expected HEAD method, got %s", req.Method)
+			}
+			query := req.URL.Query()
+			path := query.Get("path")
+			if path != expectedPath {
+				return nil, fmt.Errorf("path not set in URL query properly")
+			}
+			content, err := json.Marshal(types.ContainerPathStat{
+				Name: "name",
+				Mode: 0700,
+			})
+			if err != nil {
+				return nil, err
+			}
+			base64PathStat := base64.StdEncoding.EncodeToString(content)
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+				Header: http.Header{
+					"X-Docker-Container-Path-Stat": []string{base64PathStat},
+				},
+			}, nil
+		}),
+	}
+	stat, err := client.ContainerStatPath(context.Background(), "container_id", expectedPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if stat.Name != "name" {
+		t.Fatalf("expected container path stat name to be 'name', got '%s'", stat.Name)
+	}
+	if stat.Mode != 0700 {
+		t.Fatalf("expected container path stat mode to be 0700, got '%v'", stat.Mode)
+	}
+}
+
+func TestCopyToContainerError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.CopyToContainer(context.Background(), "container_id", "path/to/file", bytes.NewReader([]byte("")), types.CopyToContainerOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server error, got %v", err)
+	}
+}
+
+func TestCopyToContainerNotFoundError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Not found")),
+	}
+	err := client.CopyToContainer(context.Background(), "container_id", "path/to/file", bytes.NewReader([]byte("")), types.CopyToContainerOptions{})
+	if !IsErrNotFound(err) {
+		t.Fatalf("expected a not found error, got %v", err)
+	}
+}
+
+func TestCopyToContainerNotStatusOKError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNoContent, "No content")),
+	}
+	err := client.CopyToContainer(context.Background(), "container_id", "path/to/file", bytes.NewReader([]byte("")), types.CopyToContainerOptions{})
+	if err == nil || err.Error() != "unexpected status code from daemon: 204" {
+		t.Fatalf("expected an unexpected status code error, got %v", err)
+	}
+}
+
+func TestCopyToContainer(t *testing.T) {
+	expectedURL := "/containers/container_id/archive"
+	expectedPath := "path/to/file"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "PUT" {
+				return nil, fmt.Errorf("expected PUT method, got %s", req.Method)
+			}
+			query := req.URL.Query()
+			path := query.Get("path")
+			if path != expectedPath {
+				return nil, fmt.Errorf("path not set in URL query properly, expected '%s', got %s", expectedPath, path)
+			}
+			noOverwriteDirNonDir := query.Get("noOverwriteDirNonDir")
+			if noOverwriteDirNonDir != "true" {
+				return nil, fmt.Errorf("noOverwriteDirNonDir not set in URL query properly, expected true, got %s", noOverwriteDirNonDir)
+			}
+
+			content, err := ioutil.ReadAll(req.Body)
+			if err != nil {
+				return nil, err
+			}
+			if err := req.Body.Close(); err != nil {
+				return nil, err
+			}
+			if string(content) != "content" {
+				return nil, fmt.Errorf("expected content to be 'content', got %s", string(content))
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+	err := client.CopyToContainer(context.Background(), "container_id", expectedPath, bytes.NewReader([]byte("content")), types.CopyToContainerOptions{
+		AllowOverwriteDirWithFile: false,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestCopyFromContainerError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, _, err := client.CopyFromContainer(context.Background(), "container_id", "path/to/file")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server error, got %v", err)
+	}
+}
+
+func TestCopyFromContainerNotFoundError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Not found")),
+	}
+	_, _, err := client.CopyFromContainer(context.Background(), "container_id", "path/to/file")
+	if !IsErrNotFound(err) {
+		t.Fatalf("expected a not found error, got %v", err)
+	}
+}
+
+func TestCopyFromContainerNotStatusOKError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNoContent, "No content")),
+	}
+	_, _, err := client.CopyFromContainer(context.Background(), "container_id", "path/to/file")
+	if err == nil || err.Error() != "unexpected status code from daemon: 204" {
+		t.Fatalf("expected an unexpected status code error, got %v", err)
+	}
+}
+
+func TestCopyFromContainerNoHeaderError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+	_, _, err := client.CopyFromContainer(context.Background(), "container_id", "path/to/file")
+	if err == nil {
+		t.Fatalf("expected an error, got nothing")
+	}
+}
+
+func TestCopyFromContainer(t *testing.T) {
+	expectedURL := "/containers/container_id/archive"
+	expectedPath := "path/to/file"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "GET" {
+				return nil, fmt.Errorf("expected GET method, got %s", req.Method)
+			}
+			query := req.URL.Query()
+			path := query.Get("path")
+			if path != expectedPath {
+				return nil, fmt.Errorf("path not set in URL query properly, expected '%s', got %s", expectedPath, path)
+			}
+
+			headercontent, err := json.Marshal(types.ContainerPathStat{
+				Name: "name",
+				Mode: 0700,
+			})
+			if err != nil {
+				return nil, err
+			}
+			base64PathStat := base64.StdEncoding.EncodeToString(headercontent)
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("content"))),
+				Header: http.Header{
+					"X-Docker-Container-Path-Stat": []string{base64PathStat},
+				},
+			}, nil
+		}),
+	}
+	r, stat, err := client.CopyFromContainer(context.Background(), "container_id", expectedPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if stat.Name != "name" {
+		t.Fatalf("expected container path stat name to be 'name', got '%s'", stat.Name)
+	}
+	if stat.Mode != 0700 {
+		t.Fatalf("expected container path stat mode to be 0700, got '%v'", stat.Mode)
+	}
+	content, err := ioutil.ReadAll(r)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := r.Close(); err != nil {
+		t.Fatal(err)
+	}
+	if string(content) != "content" {
+		t.Fatalf("expected content to be 'content', got %s", string(content))
+	}
+}
diff --git a/engine/client/container_create.go b/engine/client/container_create.go
new file mode 100644
index 00000000..d269a618
--- /dev/null
+++ b/engine/client/container_create.go
@@ -0,0 +1,56 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+	"strings"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/versions"
+)
+
+type configWrapper struct {
+	*container.Config
+	HostConfig       *container.HostConfig
+	NetworkingConfig *network.NetworkingConfig
+}
+
+// ContainerCreate creates a new container based in the given configuration.
+// It can be associated with a name, but it's not mandatory.
+func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, containerName string) (container.ContainerCreateCreatedBody, error) {
+	var response container.ContainerCreateCreatedBody
+
+	if err := cli.NewVersionError("1.25", "stop timeout"); config != nil && config.StopTimeout != nil && err != nil {
+		return response, err
+	}
+
+	// When using API 1.24 and under, the client is responsible for removing the container
+	if hostConfig != nil && versions.LessThan(cli.ClientVersion(), "1.25") {
+		hostConfig.AutoRemove = false
+	}
+
+	query := url.Values{}
+	if containerName != "" {
+		query.Set("name", containerName)
+	}
+
+	body := configWrapper{
+		Config:           config,
+		HostConfig:       hostConfig,
+		NetworkingConfig: networkingConfig,
+	}
+
+	serverResp, err := cli.post(ctx, "/containers/create", query, body, nil)
+	if err != nil {
+		if serverResp.statusCode == 404 && strings.Contains(err.Error(), "No such image") {
+			return response, objectNotFoundError{object: "image", id: config.Image}
+		}
+		return response, err
+	}
+
+	err = json.NewDecoder(serverResp.body).Decode(&response)
+	ensureReaderClosed(serverResp)
+	return response, err
+}
diff --git a/engine/client/container_create_test.go b/engine/client/container_create_test.go
new file mode 100644
index 00000000..d46e7049
--- /dev/null
+++ b/engine/client/container_create_test.go
@@ -0,0 +1,118 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+func TestContainerCreateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerCreate(context.Background(), nil, nil, nil, "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error while testing StatusInternalServerError, got %v", err)
+	}
+
+	// 404 doesn't automatically means an unknown image
+	client = &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Server error")),
+	}
+	_, err = client.ContainerCreate(context.Background(), nil, nil, nil, "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error while testing StatusNotFound, got %v", err)
+	}
+}
+
+func TestContainerCreateImageNotFound(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "No such image")),
+	}
+	_, err := client.ContainerCreate(context.Background(), &container.Config{Image: "unknown_image"}, nil, nil, "unknown")
+	if err == nil || !IsErrNotFound(err) {
+		t.Fatalf("expected an imageNotFound error, got %v", err)
+	}
+}
+
+func TestContainerCreateWithName(t *testing.T) {
+	expectedURL := "/containers/create"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			name := req.URL.Query().Get("name")
+			if name != "container_name" {
+				return nil, fmt.Errorf("container name not set in URL query properly. Expected `container_name`, got %s", name)
+			}
+			b, err := json.Marshal(container.ContainerCreateCreatedBody{
+				ID: "container_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	r, err := client.ContainerCreate(context.Background(), nil, nil, nil, "container_name")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if r.ID != "container_id" {
+		t.Fatalf("expected `container_id`, got %s", r.ID)
+	}
+}
+
+// TestContainerCreateAutoRemove validates that a client using API 1.24 always disables AutoRemove. When using API 1.25
+// or up, AutoRemove should not be disabled.
+func TestContainerCreateAutoRemove(t *testing.T) {
+	autoRemoveValidator := func(expectedValue bool) func(req *http.Request) (*http.Response, error) {
+		return func(req *http.Request) (*http.Response, error) {
+			var config configWrapper
+
+			if err := json.NewDecoder(req.Body).Decode(&config); err != nil {
+				return nil, err
+			}
+			if config.HostConfig.AutoRemove != expectedValue {
+				return nil, fmt.Errorf("expected AutoRemove to be %v, got %v", expectedValue, config.HostConfig.AutoRemove)
+			}
+			b, err := json.Marshal(container.ContainerCreateCreatedBody{
+				ID: "container_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}
+	}
+
+	client := &Client{
+		client:  newMockClient(autoRemoveValidator(false)),
+		version: "1.24",
+	}
+	if _, err := client.ContainerCreate(context.Background(), nil, &container.HostConfig{AutoRemove: true}, nil, ""); err != nil {
+		t.Fatal(err)
+	}
+	client = &Client{
+		client:  newMockClient(autoRemoveValidator(true)),
+		version: "1.25",
+	}
+	if _, err := client.ContainerCreate(context.Background(), nil, &container.HostConfig{AutoRemove: true}, nil, ""); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/container_diff.go b/engine/client/container_diff.go
new file mode 100644
index 00000000..3b7c90c9
--- /dev/null
+++ b/engine/client/container_diff.go
@@ -0,0 +1,23 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+// ContainerDiff shows differences in a container filesystem since it was started.
+func (cli *Client) ContainerDiff(ctx context.Context, containerID string) ([]container.ContainerChangeResponseItem, error) {
+	var changes []container.ContainerChangeResponseItem
+
+	serverResp, err := cli.get(ctx, "/containers/"+containerID+"/changes", url.Values{}, nil)
+	if err != nil {
+		return changes, err
+	}
+
+	err = json.NewDecoder(serverResp.body).Decode(&changes)
+	ensureReaderClosed(serverResp)
+	return changes, err
+}
diff --git a/engine/client/container_diff_test.go b/engine/client/container_diff_test.go
new file mode 100644
index 00000000..ac215f34
--- /dev/null
+++ b/engine/client/container_diff_test.go
@@ -0,0 +1,61 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+func TestContainerDiffError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerDiff(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+
+}
+
+func TestContainerDiff(t *testing.T) {
+	expectedURL := "/containers/container_id/changes"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			b, err := json.Marshal([]container.ContainerChangeResponseItem{
+				{
+					Kind: 0,
+					Path: "/path/1",
+				},
+				{
+					Kind: 1,
+					Path: "/path/2",
+				},
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	changes, err := client.ContainerDiff(context.Background(), "container_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(changes) != 2 {
+		t.Fatalf("expected an array of 2 changes, got %v", changes)
+	}
+}
diff --git a/engine/client/container_exec.go b/engine/client/container_exec.go
new file mode 100644
index 00000000..535536b1
--- /dev/null
+++ b/engine/client/container_exec.go
@@ -0,0 +1,54 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ContainerExecCreate creates a new exec configuration to run an exec process.
+func (cli *Client) ContainerExecCreate(ctx context.Context, container string, config types.ExecConfig) (types.IDResponse, error) {
+	var response types.IDResponse
+
+	if err := cli.NewVersionError("1.25", "env"); len(config.Env) != 0 && err != nil {
+		return response, err
+	}
+
+	resp, err := cli.post(ctx, "/containers/"+container+"/exec", nil, config, nil)
+	if err != nil {
+		return response, err
+	}
+	err = json.NewDecoder(resp.body).Decode(&response)
+	ensureReaderClosed(resp)
+	return response, err
+}
+
+// ContainerExecStart starts an exec process already created in the docker host.
+func (cli *Client) ContainerExecStart(ctx context.Context, execID string, config types.ExecStartCheck) error {
+	resp, err := cli.post(ctx, "/exec/"+execID+"/start", nil, config, nil)
+	ensureReaderClosed(resp)
+	return err
+}
+
+// ContainerExecAttach attaches a connection to an exec process in the server.
+// It returns a types.HijackedConnection with the hijacked connection
+// and the a reader to get output. It's up to the called to close
+// the hijacked connection by calling types.HijackedResponse.Close.
+func (cli *Client) ContainerExecAttach(ctx context.Context, execID string, config types.ExecStartCheck) (types.HijackedResponse, error) {
+	headers := map[string][]string{"Content-Type": {"application/json"}}
+	return cli.postHijacked(ctx, "/exec/"+execID+"/start", nil, config, headers)
+}
+
+// ContainerExecInspect returns information about a specific exec process on the docker host.
+func (cli *Client) ContainerExecInspect(ctx context.Context, execID string) (types.ContainerExecInspect, error) {
+	var response types.ContainerExecInspect
+	resp, err := cli.get(ctx, "/exec/"+execID+"/json", nil, nil)
+	if err != nil {
+		return response, err
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&response)
+	ensureReaderClosed(resp)
+	return response, err
+}
diff --git a/engine/client/container_exec_test.go b/engine/client/container_exec_test.go
new file mode 100644
index 00000000..68b900bf
--- /dev/null
+++ b/engine/client/container_exec_test.go
@@ -0,0 +1,156 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestContainerExecCreateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerExecCreate(context.Background(), "container_id", types.ExecConfig{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerExecCreate(t *testing.T) {
+	expectedURL := "/containers/container_id/exec"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			// FIXME validate the content is the given ExecConfig ?
+			if err := req.ParseForm(); err != nil {
+				return nil, err
+			}
+			execConfig := &types.ExecConfig{}
+			if err := json.NewDecoder(req.Body).Decode(execConfig); err != nil {
+				return nil, err
+			}
+			if execConfig.User != "user" {
+				return nil, fmt.Errorf("expected an execConfig with User == 'user', got %v", execConfig)
+			}
+			b, err := json.Marshal(types.IDResponse{
+				ID: "exec_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	r, err := client.ContainerExecCreate(context.Background(), "container_id", types.ExecConfig{
+		User: "user",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if r.ID != "exec_id" {
+		t.Fatalf("expected `exec_id`, got %s", r.ID)
+	}
+}
+
+func TestContainerExecStartError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.ContainerExecStart(context.Background(), "nothing", types.ExecStartCheck{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerExecStart(t *testing.T) {
+	expectedURL := "/exec/exec_id/start"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if err := req.ParseForm(); err != nil {
+				return nil, err
+			}
+			execStartCheck := &types.ExecStartCheck{}
+			if err := json.NewDecoder(req.Body).Decode(execStartCheck); err != nil {
+				return nil, err
+			}
+			if execStartCheck.Tty || !execStartCheck.Detach {
+				return nil, fmt.Errorf("expected execStartCheck{Detach:true,Tty:false}, got %v", execStartCheck)
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.ContainerExecStart(context.Background(), "exec_id", types.ExecStartCheck{
+		Detach: true,
+		Tty:    false,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestContainerExecInspectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerExecInspect(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerExecInspect(t *testing.T) {
+	expectedURL := "/exec/exec_id/json"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			b, err := json.Marshal(types.ContainerExecInspect{
+				ExecID:      "exec_id",
+				ContainerID: "container_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	inspect, err := client.ContainerExecInspect(context.Background(), "exec_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if inspect.ExecID != "exec_id" {
+		t.Fatalf("expected ExecID to be `exec_id`, got %s", inspect.ExecID)
+	}
+	if inspect.ContainerID != "container_id" {
+		t.Fatalf("expected ContainerID `container_id`, got %s", inspect.ContainerID)
+	}
+}
diff --git a/engine/client/container_export.go b/engine/client/container_export.go
new file mode 100644
index 00000000..d0c0a5cb
--- /dev/null
+++ b/engine/client/container_export.go
@@ -0,0 +1,19 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/url"
+)
+
+// ContainerExport retrieves the raw contents of a container
+// and returns them as an io.ReadCloser. It's up to the caller
+// to close the stream.
+func (cli *Client) ContainerExport(ctx context.Context, containerID string) (io.ReadCloser, error) {
+	serverResp, err := cli.get(ctx, "/containers/"+containerID+"/export", url.Values{}, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return serverResp.body, nil
+}
diff --git a/engine/client/container_export_test.go b/engine/client/container_export_test.go
new file mode 100644
index 00000000..8f6c8dce
--- /dev/null
+++ b/engine/client/container_export_test.go
@@ -0,0 +1,49 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestContainerExportError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerExport(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerExport(t *testing.T) {
+	expectedURL := "/containers/container_id/export"
+	client := &Client{
+		client: newMockClient(func(r *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(r.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, r.URL)
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("response"))),
+			}, nil
+		}),
+	}
+	body, err := client.ContainerExport(context.Background(), "container_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer body.Close()
+	content, err := ioutil.ReadAll(body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(content) != "response" {
+		t.Fatalf("expected response to contain 'response', got %s", string(content))
+	}
+}
diff --git a/engine/client/container_inspect.go b/engine/client/container_inspect.go
new file mode 100644
index 00000000..f453064c
--- /dev/null
+++ b/engine/client/container_inspect.go
@@ -0,0 +1,53 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io/ioutil"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ContainerInspect returns the container information.
+func (cli *Client) ContainerInspect(ctx context.Context, containerID string) (types.ContainerJSON, error) {
+	if containerID == "" {
+		return types.ContainerJSON{}, objectNotFoundError{object: "container", id: containerID}
+	}
+	serverResp, err := cli.get(ctx, "/containers/"+containerID+"/json", nil, nil)
+	if err != nil {
+		return types.ContainerJSON{}, wrapResponseError(err, serverResp, "container", containerID)
+	}
+
+	var response types.ContainerJSON
+	err = json.NewDecoder(serverResp.body).Decode(&response)
+	ensureReaderClosed(serverResp)
+	return response, err
+}
+
+// ContainerInspectWithRaw returns the container information and its raw representation.
+func (cli *Client) ContainerInspectWithRaw(ctx context.Context, containerID string, getSize bool) (types.ContainerJSON, []byte, error) {
+	if containerID == "" {
+		return types.ContainerJSON{}, nil, objectNotFoundError{object: "container", id: containerID}
+	}
+	query := url.Values{}
+	if getSize {
+		query.Set("size", "1")
+	}
+	serverResp, err := cli.get(ctx, "/containers/"+containerID+"/json", query, nil)
+	if err != nil {
+		return types.ContainerJSON{}, nil, wrapResponseError(err, serverResp, "container", containerID)
+	}
+	defer ensureReaderClosed(serverResp)
+
+	body, err := ioutil.ReadAll(serverResp.body)
+	if err != nil {
+		return types.ContainerJSON{}, nil, err
+	}
+
+	var response types.ContainerJSON
+	rdr := bytes.NewReader(body)
+	err = json.NewDecoder(rdr).Decode(&response)
+	return response, body, err
+}
diff --git a/engine/client/container_inspect_test.go b/engine/client/container_inspect_test.go
new file mode 100644
index 00000000..92a77f6a
--- /dev/null
+++ b/engine/client/container_inspect_test.go
@@ -0,0 +1,138 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+)
+
+func TestContainerInspectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.ContainerInspect(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerInspectContainerNotFound(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Server error")),
+	}
+
+	_, err := client.ContainerInspect(context.Background(), "unknown")
+	if err == nil || !IsErrNotFound(err) {
+		t.Fatalf("expected a containerNotFound error, got %v", err)
+	}
+}
+
+func TestContainerInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, _, err := client.ContainerInspectWithRaw(context.Background(), "", true)
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
+
+func TestContainerInspect(t *testing.T) {
+	expectedURL := "/containers/container_id/json"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			content, err := json.Marshal(types.ContainerJSON{
+				ContainerJSONBase: &types.ContainerJSONBase{
+					ID:    "container_id",
+					Image: "image",
+					Name:  "name",
+				},
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	r, err := client.ContainerInspect(context.Background(), "container_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if r.ID != "container_id" {
+		t.Fatalf("expected `container_id`, got %s", r.ID)
+	}
+	if r.Image != "image" {
+		t.Fatalf("expected `image`, got %s", r.Image)
+	}
+	if r.Name != "name" {
+		t.Fatalf("expected `name`, got %s", r.Name)
+	}
+}
+
+func TestContainerInspectNode(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			content, err := json.Marshal(types.ContainerJSON{
+				ContainerJSONBase: &types.ContainerJSONBase{
+					ID:    "container_id",
+					Image: "image",
+					Name:  "name",
+					Node: &types.ContainerNode{
+						ID:     "container_node_id",
+						Addr:   "container_node",
+						Labels: map[string]string{"foo": "bar"},
+					},
+				},
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	r, err := client.ContainerInspect(context.Background(), "container_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if r.ID != "container_id" {
+		t.Fatalf("expected `container_id`, got %s", r.ID)
+	}
+	if r.Image != "image" {
+		t.Fatalf("expected `image`, got %s", r.Image)
+	}
+	if r.Name != "name" {
+		t.Fatalf("expected `name`, got %s", r.Name)
+	}
+	if r.Node.ID != "container_node_id" {
+		t.Fatalf("expected `container_node_id`, got %s", r.Node.ID)
+	}
+	if r.Node.Addr != "container_node" {
+		t.Fatalf("expected `container_node`, got %s", r.Node.Addr)
+	}
+	foo, ok := r.Node.Labels["foo"]
+	if foo != "bar" || !ok {
+		t.Fatalf("expected `bar` for label `foo`")
+	}
+}
diff --git a/engine/client/container_kill.go b/engine/client/container_kill.go
new file mode 100644
index 00000000..4d6f1d23
--- /dev/null
+++ b/engine/client/container_kill.go
@@ -0,0 +1,16 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+)
+
+// ContainerKill terminates the container process but does not remove the container from the docker host.
+func (cli *Client) ContainerKill(ctx context.Context, containerID, signal string) error {
+	query := url.Values{}
+	query.Set("signal", signal)
+
+	resp, err := cli.post(ctx, "/containers/"+containerID+"/kill", query, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/container_kill_test.go b/engine/client/container_kill_test.go
new file mode 100644
index 00000000..85bb5ee5
--- /dev/null
+++ b/engine/client/container_kill_test.go
@@ -0,0 +1,45 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestContainerKillError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.ContainerKill(context.Background(), "nothing", "SIGKILL")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerKill(t *testing.T) {
+	expectedURL := "/containers/container_id/kill"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			signal := req.URL.Query().Get("signal")
+			if signal != "SIGKILL" {
+				return nil, fmt.Errorf("signal not set in URL query properly. Expected 'SIGKILL', got %s", signal)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.ContainerKill(context.Background(), "container_id", "SIGKILL")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/container_list.go b/engine/client/container_list.go
new file mode 100644
index 00000000..9c218e22
--- /dev/null
+++ b/engine/client/container_list.go
@@ -0,0 +1,56 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+	"strconv"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// ContainerList returns the list of containers in the docker host.
+func (cli *Client) ContainerList(ctx context.Context, options types.ContainerListOptions) ([]types.Container, error) {
+	query := url.Values{}
+
+	if options.All {
+		query.Set("all", "1")
+	}
+
+	if options.Limit != -1 {
+		query.Set("limit", strconv.Itoa(options.Limit))
+	}
+
+	if options.Since != "" {
+		query.Set("since", options.Since)
+	}
+
+	if options.Before != "" {
+		query.Set("before", options.Before)
+	}
+
+	if options.Size {
+		query.Set("size", "1")
+	}
+
+	if options.Filters.Len() > 0 {
+		filterJSON, err := filters.ToParamWithVersion(cli.version, options.Filters)
+
+		if err != nil {
+			return nil, err
+		}
+
+		query.Set("filters", filterJSON)
+	}
+
+	resp, err := cli.get(ctx, "/containers/json", query, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var containers []types.Container
+	err = json.NewDecoder(resp.body).Decode(&containers)
+	ensureReaderClosed(resp)
+	return containers, err
+}
diff --git a/engine/client/container_list_test.go b/engine/client/container_list_test.go
new file mode 100644
index 00000000..809f20f5
--- /dev/null
+++ b/engine/client/container_list_test.go
@@ -0,0 +1,96 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+func TestContainerListError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerList(context.Background(), types.ContainerListOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerList(t *testing.T) {
+	expectedURL := "/containers/json"
+	expectedFilters := `{"before":{"container":true},"label":{"label1":true,"label2":true}}`
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			query := req.URL.Query()
+			all := query.Get("all")
+			if all != "1" {
+				return nil, fmt.Errorf("all not set in URL query properly. Expected '1', got %s", all)
+			}
+			limit := query.Get("limit")
+			if limit != "0" {
+				return nil, fmt.Errorf("limit should have not be present in query. Expected '0', got %s", limit)
+			}
+			since := query.Get("since")
+			if since != "container" {
+				return nil, fmt.Errorf("since not set in URL query properly. Expected 'container', got %s", since)
+			}
+			before := query.Get("before")
+			if before != "" {
+				return nil, fmt.Errorf("before should have not be present in query, go %s", before)
+			}
+			size := query.Get("size")
+			if size != "1" {
+				return nil, fmt.Errorf("size not set in URL query properly. Expected '1', got %s", size)
+			}
+			filters := query.Get("filters")
+			if filters != expectedFilters {
+				return nil, fmt.Errorf("expected filters incoherent '%v' with actual filters %v", expectedFilters, filters)
+			}
+
+			b, err := json.Marshal([]types.Container{
+				{
+					ID: "container_id1",
+				},
+				{
+					ID: "container_id2",
+				},
+			})
+			if err != nil {
+				return nil, err
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	filters := filters.NewArgs()
+	filters.Add("label", "label1")
+	filters.Add("label", "label2")
+	filters.Add("before", "container")
+	containers, err := client.ContainerList(context.Background(), types.ContainerListOptions{
+		Size:    true,
+		All:     true,
+		Since:   "container",
+		Filters: filters,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(containers) != 2 {
+		t.Fatalf("expected 2 containers, got %v", containers)
+	}
+}
diff --git a/engine/client/container_logs.go b/engine/client/container_logs.go
new file mode 100644
index 00000000..5b6541f0
--- /dev/null
+++ b/engine/client/container_logs.go
@@ -0,0 +1,80 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/url"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	timetypes "github.com/docker/docker/api/types/time"
+	"github.com/pkg/errors"
+)
+
+// ContainerLogs returns the logs generated by a container in an io.ReadCloser.
+// It's up to the caller to close the stream.
+//
+// The stream format on the response will be in one of two formats:
+//
+// If the container is using a TTY, there is only a single stream (stdout), and
+// data is copied directly from the container output stream, no extra
+// multiplexing or headers.
+//
+// If the container is *not* using a TTY, streams for stdout and stderr are
+// multiplexed.
+// The format of the multiplexed stream is as follows:
+//
+//    [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}[]byte{OUTPUT}
+//
+// STREAM_TYPE can be 1 for stdout and 2 for stderr
+//
+// SIZE1, SIZE2, SIZE3, and SIZE4 are four bytes of uint32 encoded as big endian.
+// This is the size of OUTPUT.
+//
+// You can use github.com/docker/docker/pkg/stdcopy.StdCopy to demultiplex this
+// stream.
+func (cli *Client) ContainerLogs(ctx context.Context, container string, options types.ContainerLogsOptions) (io.ReadCloser, error) {
+	query := url.Values{}
+	if options.ShowStdout {
+		query.Set("stdout", "1")
+	}
+
+	if options.ShowStderr {
+		query.Set("stderr", "1")
+	}
+
+	if options.Since != "" {
+		ts, err := timetypes.GetTimestamp(options.Since, time.Now())
+		if err != nil {
+			return nil, errors.Wrap(err, `invalid value for "since"`)
+		}
+		query.Set("since", ts)
+	}
+
+	if options.Until != "" {
+		ts, err := timetypes.GetTimestamp(options.Until, time.Now())
+		if err != nil {
+			return nil, errors.Wrap(err, `invalid value for "until"`)
+		}
+		query.Set("until", ts)
+	}
+
+	if options.Timestamps {
+		query.Set("timestamps", "1")
+	}
+
+	if options.Details {
+		query.Set("details", "1")
+	}
+
+	if options.Follow {
+		query.Set("follow", "1")
+	}
+	query.Set("tail", options.Tail)
+
+	resp, err := cli.get(ctx, "/containers/"+container+"/logs", query, nil)
+	if err != nil {
+		return nil, wrapResponseError(err, resp, "container", container)
+	}
+	return resp.body, nil
+}
diff --git a/engine/client/container_logs_test.go b/engine/client/container_logs_test.go
new file mode 100644
index 00000000..6d6e34e1
--- /dev/null
+++ b/engine/client/container_logs_test.go
@@ -0,0 +1,166 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestContainerLogsNotFoundError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Not found")),
+	}
+	_, err := client.ContainerLogs(context.Background(), "container_id", types.ContainerLogsOptions{})
+	if !IsErrNotFound(err) {
+		t.Fatalf("expected a not found error, got %v", err)
+	}
+}
+
+func TestContainerLogsError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerLogs(context.Background(), "container_id", types.ContainerLogsOptions{})
+	assert.Check(t, is.Error(err, "Error response from daemon: Server error"))
+	_, err = client.ContainerLogs(context.Background(), "container_id", types.ContainerLogsOptions{
+		Since: "2006-01-02TZ",
+	})
+	assert.Check(t, is.ErrorContains(err, `parsing time "2006-01-02TZ"`))
+	_, err = client.ContainerLogs(context.Background(), "container_id", types.ContainerLogsOptions{
+		Until: "2006-01-02TZ",
+	})
+	assert.Check(t, is.ErrorContains(err, `parsing time "2006-01-02TZ"`))
+}
+
+func TestContainerLogs(t *testing.T) {
+	expectedURL := "/containers/container_id/logs"
+	cases := []struct {
+		options             types.ContainerLogsOptions
+		expectedQueryParams map[string]string
+		expectedError       string
+	}{
+		{
+			expectedQueryParams: map[string]string{
+				"tail": "",
+			},
+		},
+		{
+			options: types.ContainerLogsOptions{
+				Tail: "any",
+			},
+			expectedQueryParams: map[string]string{
+				"tail": "any",
+			},
+		},
+		{
+			options: types.ContainerLogsOptions{
+				ShowStdout: true,
+				ShowStderr: true,
+				Timestamps: true,
+				Details:    true,
+				Follow:     true,
+			},
+			expectedQueryParams: map[string]string{
+				"tail":       "",
+				"stdout":     "1",
+				"stderr":     "1",
+				"timestamps": "1",
+				"details":    "1",
+				"follow":     "1",
+			},
+		},
+		{
+			options: types.ContainerLogsOptions{
+				// timestamp will be passed as is
+				Since: "1136073600.000000001",
+			},
+			expectedQueryParams: map[string]string{
+				"tail":  "",
+				"since": "1136073600.000000001",
+			},
+		},
+		{
+			options: types.ContainerLogsOptions{
+				// timestamp will be passed as is
+				Until: "1136073600.000000001",
+			},
+			expectedQueryParams: map[string]string{
+				"tail":  "",
+				"until": "1136073600.000000001",
+			},
+		},
+		{
+			options: types.ContainerLogsOptions{
+				// An complete invalid date will not be passed
+				Since: "invalid value",
+			},
+			expectedError: `invalid value for "since": failed to parse value as time or duration: "invalid value"`,
+		},
+		{
+			options: types.ContainerLogsOptions{
+				// An complete invalid date will not be passed
+				Until: "invalid value",
+			},
+			expectedError: `invalid value for "until": failed to parse value as time or duration: "invalid value"`,
+		},
+	}
+	for _, logCase := range cases {
+		client := &Client{
+			client: newMockClient(func(r *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(r.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("expected URL '%s', got '%s'", expectedURL, r.URL)
+				}
+				// Check query parameters
+				query := r.URL.Query()
+				for key, expected := range logCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte("response"))),
+				}, nil
+			}),
+		}
+		body, err := client.ContainerLogs(context.Background(), "container_id", logCase.options)
+		if logCase.expectedError != "" {
+			assert.Check(t, is.Error(err, logCase.expectedError))
+			continue
+		}
+		assert.NilError(t, err)
+		defer body.Close()
+		content, err := ioutil.ReadAll(body)
+		assert.NilError(t, err)
+		assert.Check(t, is.Contains(string(content), "response"))
+	}
+}
+
+func ExampleClient_ContainerLogs_withTimeout() {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	client, _ := NewEnvClient()
+	reader, err := client.ContainerLogs(ctx, "container_id", types.ContainerLogsOptions{})
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	_, err = io.Copy(os.Stdout, reader)
+	if err != nil && err != io.EOF {
+		log.Fatal(err)
+	}
+}
diff --git a/engine/client/container_pause.go b/engine/client/container_pause.go
new file mode 100644
index 00000000..5e7271a3
--- /dev/null
+++ b/engine/client/container_pause.go
@@ -0,0 +1,10 @@
+package client // import "github.com/docker/docker/client"
+
+import "context"
+
+// ContainerPause pauses the main process of a given container without terminating it.
+func (cli *Client) ContainerPause(ctx context.Context, containerID string) error {
+	resp, err := cli.post(ctx, "/containers/"+containerID+"/pause", nil, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/container_pause_test.go b/engine/client/container_pause_test.go
new file mode 100644
index 00000000..d1f73a67
--- /dev/null
+++ b/engine/client/container_pause_test.go
@@ -0,0 +1,40 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestContainerPauseError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.ContainerPause(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerPause(t *testing.T) {
+	expectedURL := "/containers/container_id/pause"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+	err := client.ContainerPause(context.Background(), "container_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/container_prune.go b/engine/client/container_prune.go
new file mode 100644
index 00000000..14f88d93
--- /dev/null
+++ b/engine/client/container_prune.go
@@ -0,0 +1,36 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// ContainersPrune requests the daemon to delete unused data
+func (cli *Client) ContainersPrune(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error) {
+	var report types.ContainersPruneReport
+
+	if err := cli.NewVersionError("1.25", "container prune"); err != nil {
+		return report, err
+	}
+
+	query, err := getFiltersQuery(pruneFilters)
+	if err != nil {
+		return report, err
+	}
+
+	serverResp, err := cli.post(ctx, "/containers/prune", query, nil, nil)
+	if err != nil {
+		return report, err
+	}
+	defer ensureReaderClosed(serverResp)
+
+	if err := json.NewDecoder(serverResp.body).Decode(&report); err != nil {
+		return report, fmt.Errorf("Error retrieving disk usage: %v", err)
+	}
+
+	return report, nil
+}
diff --git a/engine/client/container_prune_test.go b/engine/client/container_prune_test.go
new file mode 100644
index 00000000..6a830d01
--- /dev/null
+++ b/engine/client/container_prune_test.go
@@ -0,0 +1,125 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestContainersPruneError(t *testing.T) {
+	client := &Client{
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+		version: "1.25",
+	}
+
+	filters := filters.NewArgs()
+
+	_, err := client.ContainersPrune(context.Background(), filters)
+	assert.Check(t, is.Error(err, "Error response from daemon: Server error"))
+}
+
+func TestContainersPrune(t *testing.T) {
+	expectedURL := "/v1.25/containers/prune"
+
+	danglingFilters := filters.NewArgs()
+	danglingFilters.Add("dangling", "true")
+
+	noDanglingFilters := filters.NewArgs()
+	noDanglingFilters.Add("dangling", "false")
+
+	danglingUntilFilters := filters.NewArgs()
+	danglingUntilFilters.Add("dangling", "true")
+	danglingUntilFilters.Add("until", "2016-12-15T14:00")
+
+	labelFilters := filters.NewArgs()
+	labelFilters.Add("dangling", "true")
+	labelFilters.Add("label", "label1=foo")
+	labelFilters.Add("label", "label2!=bar")
+
+	listCases := []struct {
+		filters             filters.Args
+		expectedQueryParams map[string]string
+	}{
+		{
+			filters: filters.Args{},
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": "",
+			},
+		},
+		{
+			filters: danglingFilters,
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": `{"dangling":{"true":true}}`,
+			},
+		},
+		{
+			filters: danglingUntilFilters,
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": `{"dangling":{"true":true},"until":{"2016-12-15T14:00":true}}`,
+			},
+		},
+		{
+			filters: noDanglingFilters,
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": `{"dangling":{"false":true}}`,
+			},
+		},
+		{
+			filters: labelFilters,
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": `{"dangling":{"true":true},"label":{"label1=foo":true,"label2!=bar":true}}`,
+			},
+		},
+	}
+	for _, listCase := range listCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				for key, expected := range listCase.expectedQueryParams {
+					actual := query.Get(key)
+					assert.Check(t, is.Equal(expected, actual))
+				}
+				content, err := json.Marshal(types.ContainersPruneReport{
+					ContainersDeleted: []string{"container_id1", "container_id2"},
+					SpaceReclaimed:    9999,
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+			version: "1.25",
+		}
+
+		report, err := client.ContainersPrune(context.Background(), listCase.filters)
+		assert.Check(t, err)
+		assert.Check(t, is.Len(report.ContainersDeleted, 2))
+		assert.Check(t, is.Equal(uint64(9999), report.SpaceReclaimed))
+	}
+}
diff --git a/engine/client/container_remove.go b/engine/client/container_remove.go
new file mode 100644
index 00000000..ab4cfc16
--- /dev/null
+++ b/engine/client/container_remove.go
@@ -0,0 +1,27 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ContainerRemove kills and removes a container from the docker host.
+func (cli *Client) ContainerRemove(ctx context.Context, containerID string, options types.ContainerRemoveOptions) error {
+	query := url.Values{}
+	if options.RemoveVolumes {
+		query.Set("v", "1")
+	}
+	if options.RemoveLinks {
+		query.Set("link", "1")
+	}
+
+	if options.Force {
+		query.Set("force", "1")
+	}
+
+	resp, err := cli.delete(ctx, "/containers/"+containerID, query, nil)
+	ensureReaderClosed(resp)
+	return wrapResponseError(err, resp, "container", containerID)
+}
diff --git a/engine/client/container_remove_test.go b/engine/client/container_remove_test.go
new file mode 100644
index 00000000..d94d8313
--- /dev/null
+++ b/engine/client/container_remove_test.go
@@ -0,0 +1,66 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestContainerRemoveError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.ContainerRemove(context.Background(), "container_id", types.ContainerRemoveOptions{})
+	assert.Check(t, is.Error(err, "Error response from daemon: Server error"))
+}
+
+func TestContainerRemoveNotFoundError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "missing")),
+	}
+	err := client.ContainerRemove(context.Background(), "container_id", types.ContainerRemoveOptions{})
+	assert.Check(t, is.Error(err, "Error: No such container: container_id"))
+	assert.Check(t, IsErrNotFound(err))
+}
+
+func TestContainerRemove(t *testing.T) {
+	expectedURL := "/containers/container_id"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			query := req.URL.Query()
+			volume := query.Get("v")
+			if volume != "1" {
+				return nil, fmt.Errorf("v (volume) not set in URL query properly. Expected '1', got %s", volume)
+			}
+			force := query.Get("force")
+			if force != "1" {
+				return nil, fmt.Errorf("force not set in URL query properly. Expected '1', got %s", force)
+			}
+			link := query.Get("link")
+			if link != "" {
+				return nil, fmt.Errorf("link should have not be present in query, go %s", link)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.ContainerRemove(context.Background(), "container_id", types.ContainerRemoveOptions{
+		RemoveVolumes: true,
+		Force:         true,
+	})
+	assert.Check(t, err)
+}
diff --git a/engine/client/container_rename.go b/engine/client/container_rename.go
new file mode 100644
index 00000000..240fdf55
--- /dev/null
+++ b/engine/client/container_rename.go
@@ -0,0 +1,15 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+)
+
+// ContainerRename changes the name of a given container.
+func (cli *Client) ContainerRename(ctx context.Context, containerID, newContainerName string) error {
+	query := url.Values{}
+	query.Set("name", newContainerName)
+	resp, err := cli.post(ctx, "/containers/"+containerID+"/rename", query, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/container_rename_test.go b/engine/client/container_rename_test.go
new file mode 100644
index 00000000..42be6090
--- /dev/null
+++ b/engine/client/container_rename_test.go
@@ -0,0 +1,45 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestContainerRenameError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.ContainerRename(context.Background(), "nothing", "newNothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerRename(t *testing.T) {
+	expectedURL := "/containers/container_id/rename"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			name := req.URL.Query().Get("name")
+			if name != "newName" {
+				return nil, fmt.Errorf("name not set in URL query properly. Expected 'newName', got %s", name)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.ContainerRename(context.Background(), "container_id", "newName")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/container_resize.go b/engine/client/container_resize.go
new file mode 100644
index 00000000..a9d4c0c7
--- /dev/null
+++ b/engine/client/container_resize.go
@@ -0,0 +1,29 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+	"strconv"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ContainerResize changes the size of the tty for a container.
+func (cli *Client) ContainerResize(ctx context.Context, containerID string, options types.ResizeOptions) error {
+	return cli.resize(ctx, "/containers/"+containerID, options.Height, options.Width)
+}
+
+// ContainerExecResize changes the size of the tty for an exec process running inside a container.
+func (cli *Client) ContainerExecResize(ctx context.Context, execID string, options types.ResizeOptions) error {
+	return cli.resize(ctx, "/exec/"+execID, options.Height, options.Width)
+}
+
+func (cli *Client) resize(ctx context.Context, basePath string, height, width uint) error {
+	query := url.Values{}
+	query.Set("h", strconv.Itoa(int(height)))
+	query.Set("w", strconv.Itoa(int(width)))
+
+	resp, err := cli.post(ctx, basePath+"/resize", query, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/container_resize_test.go b/engine/client/container_resize_test.go
new file mode 100644
index 00000000..3c10fd7e
--- /dev/null
+++ b/engine/client/container_resize_test.go
@@ -0,0 +1,82 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestContainerResizeError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.ContainerResize(context.Background(), "container_id", types.ResizeOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerExecResizeError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.ContainerExecResize(context.Background(), "exec_id", types.ResizeOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerResize(t *testing.T) {
+	client := &Client{
+		client: newMockClient(resizeTransport("/containers/container_id/resize")),
+	}
+
+	err := client.ContainerResize(context.Background(), "container_id", types.ResizeOptions{
+		Height: 500,
+		Width:  600,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestContainerExecResize(t *testing.T) {
+	client := &Client{
+		client: newMockClient(resizeTransport("/exec/exec_id/resize")),
+	}
+
+	err := client.ContainerExecResize(context.Background(), "exec_id", types.ResizeOptions{
+		Height: 500,
+		Width:  600,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func resizeTransport(expectedURL string) func(req *http.Request) (*http.Response, error) {
+	return func(req *http.Request) (*http.Response, error) {
+		if !strings.HasPrefix(req.URL.Path, expectedURL) {
+			return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+		}
+		query := req.URL.Query()
+		h := query.Get("h")
+		if h != "500" {
+			return nil, fmt.Errorf("h not set in URL query properly. Expected '500', got %s", h)
+		}
+		w := query.Get("w")
+		if w != "600" {
+			return nil, fmt.Errorf("w not set in URL query properly. Expected '600', got %s", w)
+		}
+		return &http.Response{
+			StatusCode: http.StatusOK,
+			Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+		}, nil
+	}
+}
diff --git a/engine/client/container_restart.go b/engine/client/container_restart.go
new file mode 100644
index 00000000..41e42196
--- /dev/null
+++ b/engine/client/container_restart.go
@@ -0,0 +1,22 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+	"time"
+
+	timetypes "github.com/docker/docker/api/types/time"
+)
+
+// ContainerRestart stops and starts a container again.
+// It makes the daemon to wait for the container to be up again for
+// a specific amount of time, given the timeout.
+func (cli *Client) ContainerRestart(ctx context.Context, containerID string, timeout *time.Duration) error {
+	query := url.Values{}
+	if timeout != nil {
+		query.Set("t", timetypes.DurationToSecondsString(*timeout))
+	}
+	resp, err := cli.post(ctx, "/containers/"+containerID+"/restart", query, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/container_restart_test.go b/engine/client/container_restart_test.go
new file mode 100644
index 00000000..27e81da5
--- /dev/null
+++ b/engine/client/container_restart_test.go
@@ -0,0 +1,47 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestContainerRestartError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	timeout := 0 * time.Second
+	err := client.ContainerRestart(context.Background(), "nothing", &timeout)
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerRestart(t *testing.T) {
+	expectedURL := "/containers/container_id/restart"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			t := req.URL.Query().Get("t")
+			if t != "100" {
+				return nil, fmt.Errorf("t (timeout) not set in URL query properly. Expected '100', got %s", t)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+	timeout := 100 * time.Second
+	err := client.ContainerRestart(context.Background(), "container_id", &timeout)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/container_start.go b/engine/client/container_start.go
new file mode 100644
index 00000000..c2e0b15d
--- /dev/null
+++ b/engine/client/container_start.go
@@ -0,0 +1,23 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ContainerStart sends a request to the docker daemon to start a container.
+func (cli *Client) ContainerStart(ctx context.Context, containerID string, options types.ContainerStartOptions) error {
+	query := url.Values{}
+	if len(options.CheckpointID) != 0 {
+		query.Set("checkpoint", options.CheckpointID)
+	}
+	if len(options.CheckpointDir) != 0 {
+		query.Set("checkpoint-dir", options.CheckpointDir)
+	}
+
+	resp, err := cli.post(ctx, "/containers/"+containerID+"/start", query, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/container_start_test.go b/engine/client/container_start_test.go
new file mode 100644
index 00000000..277c585c
--- /dev/null
+++ b/engine/client/container_start_test.go
@@ -0,0 +1,57 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestContainerStartError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.ContainerStart(context.Background(), "nothing", types.ContainerStartOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerStart(t *testing.T) {
+	expectedURL := "/containers/container_id/start"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			// we're not expecting any payload, but if one is supplied, check it is valid.
+			if req.Header.Get("Content-Type") == "application/json" {
+				var startConfig interface{}
+				if err := json.NewDecoder(req.Body).Decode(&startConfig); err != nil {
+					return nil, fmt.Errorf("Unable to parse json: %s", err)
+				}
+			}
+
+			checkpoint := req.URL.Query().Get("checkpoint")
+			if checkpoint != "checkpoint_id" {
+				return nil, fmt.Errorf("checkpoint not set in URL query properly. Expected 'checkpoint_id', got %s", checkpoint)
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.ContainerStart(context.Background(), "container_id", types.ContainerStartOptions{CheckpointID: "checkpoint_id"})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/container_stats.go b/engine/client/container_stats.go
new file mode 100644
index 00000000..6ef44c77
--- /dev/null
+++ b/engine/client/container_stats.go
@@ -0,0 +1,26 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ContainerStats returns near realtime stats for a given container.
+// It's up to the caller to close the io.ReadCloser returned.
+func (cli *Client) ContainerStats(ctx context.Context, containerID string, stream bool) (types.ContainerStats, error) {
+	query := url.Values{}
+	query.Set("stream", "0")
+	if stream {
+		query.Set("stream", "1")
+	}
+
+	resp, err := cli.get(ctx, "/containers/"+containerID+"/stats", query, nil)
+	if err != nil {
+		return types.ContainerStats{}, err
+	}
+
+	osType := getDockerOS(resp.header.Get("Server"))
+	return types.ContainerStats{Body: resp.body, OSType: osType}, err
+}
diff --git a/engine/client/container_stats_test.go b/engine/client/container_stats_test.go
new file mode 100644
index 00000000..d8859631
--- /dev/null
+++ b/engine/client/container_stats_test.go
@@ -0,0 +1,69 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestContainerStatsError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerStats(context.Background(), "nothing", false)
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerStats(t *testing.T) {
+	expectedURL := "/containers/container_id/stats"
+	cases := []struct {
+		stream         bool
+		expectedStream string
+	}{
+		{
+			expectedStream: "0",
+		},
+		{
+			stream:         true,
+			expectedStream: "1",
+		},
+	}
+	for _, c := range cases {
+		client := &Client{
+			client: newMockClient(func(r *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(r.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, r.URL)
+				}
+
+				query := r.URL.Query()
+				stream := query.Get("stream")
+				if stream != c.expectedStream {
+					return nil, fmt.Errorf("stream not set in URL query properly. Expected '%s', got %s", c.expectedStream, stream)
+				}
+
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte("response"))),
+				}, nil
+			}),
+		}
+		resp, err := client.ContainerStats(context.Background(), "container_id", c.stream)
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer resp.Body.Close()
+		content, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(content) != "response" {
+			t.Fatalf("expected response to contain 'response', got %s", string(content))
+		}
+	}
+}
diff --git a/engine/client/container_stop.go b/engine/client/container_stop.go
new file mode 100644
index 00000000..629d7ab6
--- /dev/null
+++ b/engine/client/container_stop.go
@@ -0,0 +1,26 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+	"time"
+
+	timetypes "github.com/docker/docker/api/types/time"
+)
+
+// ContainerStop stops a container. In case the container fails to stop
+// gracefully within a time frame specified by the timeout argument,
+// it is forcefully terminated (killed).
+//
+// If the timeout is nil, the container's StopTimeout value is used, if set,
+// otherwise the engine default. A negative timeout value can be specified,
+// meaning no timeout, i.e. no forceful termination is performed.
+func (cli *Client) ContainerStop(ctx context.Context, containerID string, timeout *time.Duration) error {
+	query := url.Values{}
+	if timeout != nil {
+		query.Set("t", timetypes.DurationToSecondsString(*timeout))
+	}
+	resp, err := cli.post(ctx, "/containers/"+containerID+"/stop", query, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/container_stop_test.go b/engine/client/container_stop_test.go
new file mode 100644
index 00000000..e9af7452
--- /dev/null
+++ b/engine/client/container_stop_test.go
@@ -0,0 +1,47 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestContainerStopError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	timeout := 0 * time.Second
+	err := client.ContainerStop(context.Background(), "nothing", &timeout)
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerStop(t *testing.T) {
+	expectedURL := "/containers/container_id/stop"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			t := req.URL.Query().Get("t")
+			if t != "100" {
+				return nil, fmt.Errorf("t (timeout) not set in URL query properly. Expected '100', got %s", t)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+	timeout := 100 * time.Second
+	err := client.ContainerStop(context.Background(), "container_id", &timeout)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/container_top.go b/engine/client/container_top.go
new file mode 100644
index 00000000..9c9fce7a
--- /dev/null
+++ b/engine/client/container_top.go
@@ -0,0 +1,28 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+	"strings"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+// ContainerTop shows process information from within a container.
+func (cli *Client) ContainerTop(ctx context.Context, containerID string, arguments []string) (container.ContainerTopOKBody, error) {
+	var response container.ContainerTopOKBody
+	query := url.Values{}
+	if len(arguments) > 0 {
+		query.Set("ps_args", strings.Join(arguments, " "))
+	}
+
+	resp, err := cli.get(ctx, "/containers/"+containerID+"/top", query, nil)
+	if err != nil {
+		return response, err
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&response)
+	ensureReaderClosed(resp)
+	return response, err
+}
diff --git a/engine/client/container_top_test.go b/engine/client/container_top_test.go
new file mode 100644
index 00000000..48daba77
--- /dev/null
+++ b/engine/client/container_top_test.go
@@ -0,0 +1,74 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+func TestContainerTopError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerTop(context.Background(), "nothing", []string{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerTop(t *testing.T) {
+	expectedURL := "/containers/container_id/top"
+	expectedProcesses := [][]string{
+		{"p1", "p2"},
+		{"p3"},
+	}
+	expectedTitles := []string{"title1", "title2"}
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			query := req.URL.Query()
+			args := query.Get("ps_args")
+			if args != "arg1 arg2" {
+				return nil, fmt.Errorf("args not set in URL query properly. Expected 'arg1 arg2', got %v", args)
+			}
+
+			b, err := json.Marshal(container.ContainerTopOKBody{
+				Processes: [][]string{
+					{"p1", "p2"},
+					{"p3"},
+				},
+				Titles: []string{"title1", "title2"},
+			})
+			if err != nil {
+				return nil, err
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	processList, err := client.ContainerTop(context.Background(), "container_id", []string{"arg1", "arg2"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !reflect.DeepEqual(expectedProcesses, processList.Processes) {
+		t.Fatalf("Processes: expected %v, got %v", expectedProcesses, processList.Processes)
+	}
+	if !reflect.DeepEqual(expectedTitles, processList.Titles) {
+		t.Fatalf("Titles: expected %v, got %v", expectedTitles, processList.Titles)
+	}
+}
diff --git a/engine/client/container_unpause.go b/engine/client/container_unpause.go
new file mode 100644
index 00000000..1d8f8731
--- /dev/null
+++ b/engine/client/container_unpause.go
@@ -0,0 +1,10 @@
+package client // import "github.com/docker/docker/client"
+
+import "context"
+
+// ContainerUnpause resumes the process execution within a container
+func (cli *Client) ContainerUnpause(ctx context.Context, containerID string) error {
+	resp, err := cli.post(ctx, "/containers/"+containerID+"/unpause", nil, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/container_unpause_test.go b/engine/client/container_unpause_test.go
new file mode 100644
index 00000000..00069919
--- /dev/null
+++ b/engine/client/container_unpause_test.go
@@ -0,0 +1,40 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestContainerUnpauseError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	err := client.ContainerUnpause(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerUnpause(t *testing.T) {
+	expectedURL := "/containers/container_id/unpause"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+	err := client.ContainerUnpause(context.Background(), "container_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/container_update.go b/engine/client/container_update.go
new file mode 100644
index 00000000..14e7f23d
--- /dev/null
+++ b/engine/client/container_update.go
@@ -0,0 +1,22 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+// ContainerUpdate updates resources of a container
+func (cli *Client) ContainerUpdate(ctx context.Context, containerID string, updateConfig container.UpdateConfig) (container.ContainerUpdateOKBody, error) {
+	var response container.ContainerUpdateOKBody
+	serverResp, err := cli.post(ctx, "/containers/"+containerID+"/update", nil, updateConfig, nil)
+	if err != nil {
+		return response, err
+	}
+
+	err = json.NewDecoder(serverResp.body).Decode(&response)
+
+	ensureReaderClosed(serverResp)
+	return response, err
+}
diff --git a/engine/client/container_update_test.go b/engine/client/container_update_test.go
new file mode 100644
index 00000000..41c6485e
--- /dev/null
+++ b/engine/client/container_update_test.go
@@ -0,0 +1,58 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+func TestContainerUpdateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerUpdate(context.Background(), "nothing", container.UpdateConfig{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestContainerUpdate(t *testing.T) {
+	expectedURL := "/containers/container_id/update"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+
+			b, err := json.Marshal(container.ContainerUpdateOKBody{})
+			if err != nil {
+				return nil, err
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	_, err := client.ContainerUpdate(context.Background(), "container_id", container.UpdateConfig{
+		Resources: container.Resources{
+			CPUPeriod: 1,
+		},
+		RestartPolicy: container.RestartPolicy{
+			Name: "always",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/container_wait.go b/engine/client/container_wait.go
new file mode 100644
index 00000000..6ab8c1da
--- /dev/null
+++ b/engine/client/container_wait.go
@@ -0,0 +1,83 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/versions"
+)
+
+// ContainerWait waits until the specified container is in a certain state
+// indicated by the given condition, either "not-running" (default),
+// "next-exit", or "removed".
+//
+// If this client's API version is before 1.30, condition is ignored and
+// ContainerWait will return immediately with the two channels, as the server
+// will wait as if the condition were "not-running".
+//
+// If this client's API version is at least 1.30, ContainerWait blocks until
+// the request has been acknowledged by the server (with a response header),
+// then returns two channels on which the caller can wait for the exit status
+// of the container or an error if there was a problem either beginning the
+// wait request or in getting the response. This allows the caller to
+// synchronize ContainerWait with other calls, such as specifying a
+// "next-exit" condition before issuing a ContainerStart request.
+func (cli *Client) ContainerWait(ctx context.Context, containerID string, condition container.WaitCondition) (<-chan container.ContainerWaitOKBody, <-chan error) {
+	if versions.LessThan(cli.ClientVersion(), "1.30") {
+		return cli.legacyContainerWait(ctx, containerID)
+	}
+
+	resultC := make(chan container.ContainerWaitOKBody)
+	errC := make(chan error, 1)
+
+	query := url.Values{}
+	query.Set("condition", string(condition))
+
+	resp, err := cli.post(ctx, "/containers/"+containerID+"/wait", query, nil, nil)
+	if err != nil {
+		defer ensureReaderClosed(resp)
+		errC <- err
+		return resultC, errC
+	}
+
+	go func() {
+		defer ensureReaderClosed(resp)
+		var res container.ContainerWaitOKBody
+		if err := json.NewDecoder(resp.body).Decode(&res); err != nil {
+			errC <- err
+			return
+		}
+
+		resultC <- res
+	}()
+
+	return resultC, errC
+}
+
+// legacyContainerWait returns immediately and doesn't have an option to wait
+// until the container is removed.
+func (cli *Client) legacyContainerWait(ctx context.Context, containerID string) (<-chan container.ContainerWaitOKBody, <-chan error) {
+	resultC := make(chan container.ContainerWaitOKBody)
+	errC := make(chan error)
+
+	go func() {
+		resp, err := cli.post(ctx, "/containers/"+containerID+"/wait", nil, nil, nil)
+		if err != nil {
+			errC <- err
+			return
+		}
+		defer ensureReaderClosed(resp)
+
+		var res container.ContainerWaitOKBody
+		if err := json.NewDecoder(resp.body).Decode(&res); err != nil {
+			errC <- err
+			return
+		}
+
+		resultC <- res
+	}()
+
+	return resultC, errC
+}
diff --git a/engine/client/container_wait_test.go b/engine/client/container_wait_test.go
new file mode 100644
index 00000000..11a9203d
--- /dev/null
+++ b/engine/client/container_wait_test.go
@@ -0,0 +1,73 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+func TestContainerWaitError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	resultC, errC := client.ContainerWait(context.Background(), "nothing", "")
+	select {
+	case result := <-resultC:
+		t.Fatalf("expected to not get a wait result, got %d", result.StatusCode)
+	case err := <-errC:
+		if err.Error() != "Error response from daemon: Server error" {
+			t.Fatalf("expected a Server Error, got %v", err)
+		}
+	}
+}
+
+func TestContainerWait(t *testing.T) {
+	expectedURL := "/containers/container_id/wait"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			b, err := json.Marshal(container.ContainerWaitOKBody{
+				StatusCode: 15,
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	resultC, errC := client.ContainerWait(context.Background(), "container_id", "")
+	select {
+	case err := <-errC:
+		t.Fatal(err)
+	case result := <-resultC:
+		if result.StatusCode != 15 {
+			t.Fatalf("expected a status code equal to '15', got %d", result.StatusCode)
+		}
+	}
+}
+
+func ExampleClient_ContainerWait_withTimeout() {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	client, _ := NewEnvClient()
+	_, errC := client.ContainerWait(ctx, "container_id", "")
+	if err := <-errC; err != nil {
+		log.Fatal(err)
+	}
+}
diff --git a/engine/client/disk_usage.go b/engine/client/disk_usage.go
new file mode 100644
index 00000000..8eb30eb5
--- /dev/null
+++ b/engine/client/disk_usage.go
@@ -0,0 +1,26 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/docker/api/types"
+)
+
+// DiskUsage requests the current data usage from the daemon
+func (cli *Client) DiskUsage(ctx context.Context) (types.DiskUsage, error) {
+	var du types.DiskUsage
+
+	serverResp, err := cli.get(ctx, "/system/df", nil, nil)
+	if err != nil {
+		return du, err
+	}
+	defer ensureReaderClosed(serverResp)
+
+	if err := json.NewDecoder(serverResp.body).Decode(&du); err != nil {
+		return du, fmt.Errorf("Error retrieving disk usage: %v", err)
+	}
+
+	return du, nil
+}
diff --git a/engine/client/disk_usage_test.go b/engine/client/disk_usage_test.go
new file mode 100644
index 00000000..3968f75e
--- /dev/null
+++ b/engine/client/disk_usage_test.go
@@ -0,0 +1,55 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestDiskUsageError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.DiskUsage(context.Background())
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestDiskUsage(t *testing.T) {
+	expectedURL := "/system/df"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+
+			du := types.DiskUsage{
+				LayersSize: int64(100),
+				Images:     nil,
+				Containers: nil,
+				Volumes:    nil,
+			}
+
+			b, err := json.Marshal(du)
+			if err != nil {
+				return nil, err
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+	if _, err := client.DiskUsage(context.Background()); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/distribution_inspect.go b/engine/client/distribution_inspect.go
new file mode 100644
index 00000000..7245bbee
--- /dev/null
+++ b/engine/client/distribution_inspect.go
@@ -0,0 +1,38 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	registrytypes "github.com/docker/docker/api/types/registry"
+)
+
+// DistributionInspect returns the image digest with full Manifest
+func (cli *Client) DistributionInspect(ctx context.Context, image, encodedRegistryAuth string) (registrytypes.DistributionInspect, error) {
+	// Contact the registry to retrieve digest and platform information
+	var distributionInspect registrytypes.DistributionInspect
+	if image == "" {
+		return distributionInspect, objectNotFoundError{object: "distribution", id: image}
+	}
+
+	if err := cli.NewVersionError("1.30", "distribution inspect"); err != nil {
+		return distributionInspect, err
+	}
+	var headers map[string][]string
+
+	if encodedRegistryAuth != "" {
+		headers = map[string][]string{
+			"X-Registry-Auth": {encodedRegistryAuth},
+		}
+	}
+
+	resp, err := cli.get(ctx, "/distribution/"+image+"/json", url.Values{}, headers)
+	if err != nil {
+		return distributionInspect, err
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&distributionInspect)
+	ensureReaderClosed(resp)
+	return distributionInspect, err
+}
diff --git a/engine/client/distribution_inspect_test.go b/engine/client/distribution_inspect_test.go
new file mode 100644
index 00000000..a23d5f55
--- /dev/null
+++ b/engine/client/distribution_inspect_test.go
@@ -0,0 +1,32 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestDistributionInspectUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.29",
+		client:  &http.Client{},
+	}
+	_, err := client.DistributionInspect(context.Background(), "foobar:1.0", "")
+	assert.Check(t, is.Error(err, `"distribution inspect" requires API version 1.30, but the Docker daemon API version is 1.29`))
+}
+
+func TestDistributionInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, err := client.DistributionInspect(context.Background(), "", "")
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
diff --git a/engine/client/errors.go b/engine/client/errors.go
new file mode 100644
index 00000000..0461af32
--- /dev/null
+++ b/engine/client/errors.go
@@ -0,0 +1,132 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/docker/docker/api/types/versions"
+	"github.com/pkg/errors"
+)
+
+// errConnectionFailed implements an error returned when connection failed.
+type errConnectionFailed struct {
+	host string
+}
+
+// Error returns a string representation of an errConnectionFailed
+func (err errConnectionFailed) Error() string {
+	if err.host == "" {
+		return "Cannot connect to the Docker daemon. Is the docker daemon running on this host?"
+	}
+	return fmt.Sprintf("Cannot connect to the Docker daemon at %s. Is the docker daemon running?", err.host)
+}
+
+// IsErrConnectionFailed returns true if the error is caused by connection failed.
+func IsErrConnectionFailed(err error) bool {
+	_, ok := errors.Cause(err).(errConnectionFailed)
+	return ok
+}
+
+// ErrorConnectionFailed returns an error with host in the error message when connection to docker daemon failed.
+func ErrorConnectionFailed(host string) error {
+	return errConnectionFailed{host: host}
+}
+
+type notFound interface {
+	error
+	NotFound() bool // Is the error a NotFound error
+}
+
+// IsErrNotFound returns true if the error is a NotFound error, which is returned
+// by the API when some object is not found.
+func IsErrNotFound(err error) bool {
+	te, ok := err.(notFound)
+	return ok && te.NotFound()
+}
+
+type objectNotFoundError struct {
+	object string
+	id     string
+}
+
+func (e objectNotFoundError) NotFound() bool {
+	return true
+}
+
+func (e objectNotFoundError) Error() string {
+	return fmt.Sprintf("Error: No such %s: %s", e.object, e.id)
+}
+
+func wrapResponseError(err error, resp serverResponse, object, id string) error {
+	switch {
+	case err == nil:
+		return nil
+	case resp.statusCode == http.StatusNotFound:
+		return objectNotFoundError{object: object, id: id}
+	case resp.statusCode == http.StatusNotImplemented:
+		return notImplementedError{message: err.Error()}
+	default:
+		return err
+	}
+}
+
+// unauthorizedError represents an authorization error in a remote registry.
+type unauthorizedError struct {
+	cause error
+}
+
+// Error returns a string representation of an unauthorizedError
+func (u unauthorizedError) Error() string {
+	return u.cause.Error()
+}
+
+// IsErrUnauthorized returns true if the error is caused
+// when a remote registry authentication fails
+func IsErrUnauthorized(err error) bool {
+	_, ok := err.(unauthorizedError)
+	return ok
+}
+
+type pluginPermissionDenied struct {
+	name string
+}
+
+func (e pluginPermissionDenied) Error() string {
+	return "Permission denied while installing plugin " + e.name
+}
+
+// IsErrPluginPermissionDenied returns true if the error is caused
+// when a user denies a plugin's permissions
+func IsErrPluginPermissionDenied(err error) bool {
+	_, ok := err.(pluginPermissionDenied)
+	return ok
+}
+
+type notImplementedError struct {
+	message string
+}
+
+func (e notImplementedError) Error() string {
+	return e.message
+}
+
+func (e notImplementedError) NotImplemented() bool {
+	return true
+}
+
+// IsErrNotImplemented returns true if the error is a NotImplemented error.
+// This is returned by the API when a requested feature has not been
+// implemented.
+func IsErrNotImplemented(err error) bool {
+	te, ok := err.(notImplementedError)
+	return ok && te.NotImplemented()
+}
+
+// NewVersionError returns an error if the APIVersion required
+// if less than the current supported version
+func (cli *Client) NewVersionError(APIrequired, feature string) error {
+	if cli.version != "" && versions.LessThan(cli.version, APIrequired) {
+		return fmt.Errorf("%q requires API version %s, but the Docker daemon API version is %s", feature, APIrequired, cli.version)
+	}
+	return nil
+}
diff --git a/engine/client/events.go b/engine/client/events.go
new file mode 100644
index 00000000..6e565389
--- /dev/null
+++ b/engine/client/events.go
@@ -0,0 +1,101 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	timetypes "github.com/docker/docker/api/types/time"
+)
+
+// Events returns a stream of events in the daemon. It's up to the caller to close the stream
+// by cancelling the context. Once the stream has been completely read an io.EOF error will
+// be sent over the error channel. If an error is sent all processing will be stopped. It's up
+// to the caller to reopen the stream in the event of an error by reinvoking this method.
+func (cli *Client) Events(ctx context.Context, options types.EventsOptions) (<-chan events.Message, <-chan error) {
+
+	messages := make(chan events.Message)
+	errs := make(chan error, 1)
+
+	started := make(chan struct{})
+	go func() {
+		defer close(errs)
+
+		query, err := buildEventsQueryParams(cli.version, options)
+		if err != nil {
+			close(started)
+			errs <- err
+			return
+		}
+
+		resp, err := cli.get(ctx, "/events", query, nil)
+		if err != nil {
+			close(started)
+			errs <- err
+			return
+		}
+		defer resp.body.Close()
+
+		decoder := json.NewDecoder(resp.body)
+
+		close(started)
+		for {
+			select {
+			case <-ctx.Done():
+				errs <- ctx.Err()
+				return
+			default:
+				var event events.Message
+				if err := decoder.Decode(&event); err != nil {
+					errs <- err
+					return
+				}
+
+				select {
+				case messages <- event:
+				case <-ctx.Done():
+					errs <- ctx.Err()
+					return
+				}
+			}
+		}
+	}()
+	<-started
+
+	return messages, errs
+}
+
+func buildEventsQueryParams(cliVersion string, options types.EventsOptions) (url.Values, error) {
+	query := url.Values{}
+	ref := time.Now()
+
+	if options.Since != "" {
+		ts, err := timetypes.GetTimestamp(options.Since, ref)
+		if err != nil {
+			return nil, err
+		}
+		query.Set("since", ts)
+	}
+
+	if options.Until != "" {
+		ts, err := timetypes.GetTimestamp(options.Until, ref)
+		if err != nil {
+			return nil, err
+		}
+		query.Set("until", ts)
+	}
+
+	if options.Filters.Len() > 0 {
+		filterJSON, err := filters.ToParamWithVersion(cliVersion, options.Filters)
+		if err != nil {
+			return nil, err
+		}
+		query.Set("filters", filterJSON)
+	}
+
+	return query, nil
+}
diff --git a/engine/client/events_test.go b/engine/client/events_test.go
new file mode 100644
index 00000000..4a39901b
--- /dev/null
+++ b/engine/client/events_test.go
@@ -0,0 +1,164 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+)
+
+func TestEventsErrorInOptions(t *testing.T) {
+	errorCases := []struct {
+		options       types.EventsOptions
+		expectedError string
+	}{
+		{
+			options: types.EventsOptions{
+				Since: "2006-01-02TZ",
+			},
+			expectedError: `parsing time "2006-01-02TZ"`,
+		},
+		{
+			options: types.EventsOptions{
+				Until: "2006-01-02TZ",
+			},
+			expectedError: `parsing time "2006-01-02TZ"`,
+		},
+	}
+	for _, e := range errorCases {
+		client := &Client{
+			client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+		}
+		_, errs := client.Events(context.Background(), e.options)
+		err := <-errs
+		if err == nil || !strings.Contains(err.Error(), e.expectedError) {
+			t.Fatalf("expected an error %q, got %v", e.expectedError, err)
+		}
+	}
+}
+
+func TestEventsErrorFromServer(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, errs := client.Events(context.Background(), types.EventsOptions{})
+	err := <-errs
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestEvents(t *testing.T) {
+
+	expectedURL := "/events"
+
+	filters := filters.NewArgs()
+	filters.Add("type", events.ContainerEventType)
+	expectedFiltersJSON := fmt.Sprintf(`{"type":{"%s":true}}`, events.ContainerEventType)
+
+	eventsCases := []struct {
+		options             types.EventsOptions
+		events              []events.Message
+		expectedEvents      map[string]bool
+		expectedQueryParams map[string]string
+	}{
+		{
+			options: types.EventsOptions{
+				Filters: filters,
+			},
+			expectedQueryParams: map[string]string{
+				"filters": expectedFiltersJSON,
+			},
+			events:         []events.Message{},
+			expectedEvents: make(map[string]bool),
+		},
+		{
+			options: types.EventsOptions{
+				Filters: filters,
+			},
+			expectedQueryParams: map[string]string{
+				"filters": expectedFiltersJSON,
+			},
+			events: []events.Message{
+				{
+					Type:   "container",
+					ID:     "1",
+					Action: "create",
+				},
+				{
+					Type:   "container",
+					ID:     "2",
+					Action: "die",
+				},
+				{
+					Type:   "container",
+					ID:     "3",
+					Action: "create",
+				},
+			},
+			expectedEvents: map[string]bool{
+				"1": true,
+				"2": true,
+				"3": true,
+			},
+		},
+	}
+
+	for _, eventsCase := range eventsCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+
+				for key, expected := range eventsCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+
+				buffer := new(bytes.Buffer)
+
+				for _, e := range eventsCase.events {
+					b, _ := json.Marshal(e)
+					buffer.Write(b)
+				}
+
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(buffer),
+				}, nil
+			}),
+		}
+
+		messages, errs := client.Events(context.Background(), eventsCase.options)
+
+	loop:
+		for {
+			select {
+			case err := <-errs:
+				if err != nil && err != io.EOF {
+					t.Fatal(err)
+				}
+
+				break loop
+			case e := <-messages:
+				_, ok := eventsCase.expectedEvents[e.ID]
+				if !ok {
+					t.Fatalf("event received not expected with action %s & id %s", e.Action, e.ID)
+				}
+			}
+		}
+	}
+}
diff --git a/engine/client/hijack.go b/engine/client/hijack.go
new file mode 100644
index 00000000..35f5dd86
--- /dev/null
+++ b/engine/client/hijack.go
@@ -0,0 +1,129 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bufio"
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/go-connections/sockets"
+	"github.com/pkg/errors"
+)
+
+// postHijacked sends a POST request and hijacks the connection.
+func (cli *Client) postHijacked(ctx context.Context, path string, query url.Values, body interface{}, headers map[string][]string) (types.HijackedResponse, error) {
+	bodyEncoded, err := encodeData(body)
+	if err != nil {
+		return types.HijackedResponse{}, err
+	}
+
+	apiPath := cli.getAPIPath(path, query)
+	req, err := http.NewRequest("POST", apiPath, bodyEncoded)
+	if err != nil {
+		return types.HijackedResponse{}, err
+	}
+	req = cli.addHeaders(req, headers)
+
+	conn, err := cli.setupHijackConn(req, "tcp")
+	if err != nil {
+		return types.HijackedResponse{}, err
+	}
+
+	return types.HijackedResponse{Conn: conn, Reader: bufio.NewReader(conn)}, err
+}
+
+func dial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
+	if tlsConfig != nil && proto != "unix" && proto != "npipe" {
+		return tls.Dial(proto, addr, tlsConfig)
+	}
+	if proto == "npipe" {
+		return sockets.DialPipe(addr, 32*time.Second)
+	}
+	return net.Dial(proto, addr)
+}
+
+func (cli *Client) setupHijackConn(req *http.Request, proto string) (net.Conn, error) {
+	req.Host = cli.addr
+	req.Header.Set("Connection", "Upgrade")
+	req.Header.Set("Upgrade", proto)
+
+	conn, err := dial(cli.proto, cli.addr, resolveTLSConfig(cli.client.Transport))
+	if err != nil {
+		return nil, errors.Wrap(err, "cannot connect to the Docker daemon. Is 'docker daemon' running on this host?")
+	}
+
+	// When we set up a TCP connection for hijack, there could be long periods
+	// of inactivity (a long running command with no output) that in certain
+	// network setups may cause ECONNTIMEOUT, leaving the client in an unknown
+	// state. Setting TCP KeepAlive on the socket connection will prohibit
+	// ECONNTIMEOUT unless the socket connection truly is broken
+	if tcpConn, ok := conn.(*net.TCPConn); ok {
+		tcpConn.SetKeepAlive(true)
+		tcpConn.SetKeepAlivePeriod(30 * time.Second)
+	}
+
+	clientconn := httputil.NewClientConn(conn, nil)
+	defer clientconn.Close()
+
+	// Server hijacks the connection, error 'connection closed' expected
+	resp, err := clientconn.Do(req)
+	if err != httputil.ErrPersistEOF {
+		if err != nil {
+			return nil, err
+		}
+		if resp.StatusCode != http.StatusSwitchingProtocols {
+			resp.Body.Close()
+			return nil, fmt.Errorf("unable to upgrade to %s, received %d", proto, resp.StatusCode)
+		}
+	}
+
+	c, br := clientconn.Hijack()
+	if br.Buffered() > 0 {
+		// If there is buffered content, wrap the connection.  We return an
+		// object that implements CloseWrite iff the underlying connection
+		// implements it.
+		if _, ok := c.(types.CloseWriter); ok {
+			c = &hijackedConnCloseWriter{&hijackedConn{c, br}}
+		} else {
+			c = &hijackedConn{c, br}
+		}
+	} else {
+		br.Reset(nil)
+	}
+
+	return c, nil
+}
+
+// hijackedConn wraps a net.Conn and is returned by setupHijackConn in the case
+// that a) there was already buffered data in the http layer when Hijack() was
+// called, and b) the underlying net.Conn does *not* implement CloseWrite().
+// hijackedConn does not implement CloseWrite() either.
+type hijackedConn struct {
+	net.Conn
+	r *bufio.Reader
+}
+
+func (c *hijackedConn) Read(b []byte) (int, error) {
+	return c.r.Read(b)
+}
+
+// hijackedConnCloseWriter is a hijackedConn which additionally implements
+// CloseWrite().  It is returned by setupHijackConn in the case that a) there
+// was already buffered data in the http layer when Hijack() was called, and b)
+// the underlying net.Conn *does* implement CloseWrite().
+type hijackedConnCloseWriter struct {
+	*hijackedConn
+}
+
+var _ types.CloseWriter = &hijackedConnCloseWriter{}
+
+func (c *hijackedConnCloseWriter) CloseWrite() error {
+	conn := c.Conn.(types.CloseWriter)
+	return conn.CloseWrite()
+}
diff --git a/engine/client/hijack_test.go b/engine/client/hijack_test.go
new file mode 100644
index 00000000..823bf344
--- /dev/null
+++ b/engine/client/hijack_test.go
@@ -0,0 +1,103 @@
+package client
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"golang.org/x/net/context"
+	"gotest.tools/assert"
+)
+
+func TestTLSCloseWriter(t *testing.T) {
+	t.Parallel()
+
+	var chErr chan error
+	ts := &httptest.Server{Config: &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		chErr = make(chan error, 1)
+		defer close(chErr)
+		if err := httputils.ParseForm(req); err != nil {
+			chErr <- errors.Wrap(err, "error parsing form")
+			http.Error(w, err.Error(), 500)
+			return
+		}
+		r, rw, err := httputils.HijackConnection(w)
+		if err != nil {
+			chErr <- errors.Wrap(err, "error hijacking connection")
+			http.Error(w, err.Error(), 500)
+			return
+		}
+		defer r.Close()
+
+		fmt.Fprint(rw, "HTTP/1.1 101 UPGRADED\r\nContent-Type: application/vnd.docker.raw-stream\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\n")
+
+		buf := make([]byte, 5)
+		_, err = r.Read(buf)
+		if err != nil {
+			chErr <- errors.Wrap(err, "error reading from client")
+			return
+		}
+		_, err = rw.Write(buf)
+		if err != nil {
+			chErr <- errors.Wrap(err, "error writing to client")
+			return
+		}
+	})}}
+
+	var (
+		l   net.Listener
+		err error
+	)
+	for i := 1024; i < 10000; i++ {
+		l, err = net.Listen("tcp4", fmt.Sprintf("127.0.0.1:%d", i))
+		if err == nil {
+			break
+		}
+	}
+	assert.Assert(t, err)
+
+	ts.Listener = l
+	defer l.Close()
+
+	defer func() {
+		if chErr != nil {
+			assert.Assert(t, <-chErr)
+		}
+	}()
+
+	ts.StartTLS()
+	defer ts.Close()
+
+	serverURL, err := url.Parse(ts.URL)
+	assert.Assert(t, err)
+
+	client, err := NewClient("tcp://"+serverURL.Host, "", ts.Client(), nil)
+	assert.Assert(t, err)
+
+	resp, err := client.postHijacked(context.Background(), "/asdf", url.Values{}, nil, map[string][]string{"Content-Type": {"text/plain"}})
+	assert.Assert(t, err)
+	defer resp.Close()
+
+	if _, ok := resp.Conn.(types.CloseWriter); !ok {
+		t.Fatal("tls conn did not implement the CloseWrite interface")
+	}
+
+	_, err = resp.Conn.Write([]byte("hello"))
+	assert.Assert(t, err)
+
+	b, err := ioutil.ReadAll(resp.Reader)
+	assert.Assert(t, err)
+	assert.Assert(t, string(b) == "hello")
+	assert.Assert(t, resp.CloseWrite())
+
+	// This should error since writes are closed
+	_, err = resp.Conn.Write([]byte("no"))
+	assert.Assert(t, err != nil)
+}
diff --git a/engine/client/image_build.go b/engine/client/image_build.go
new file mode 100644
index 00000000..9add3c10
--- /dev/null
+++ b/engine/client/image_build.go
@@ -0,0 +1,138 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+)
+
+// ImageBuild sends request to the daemon to build images.
+// The Body in the response implement an io.ReadCloser and it's up to the caller to
+// close it.
+func (cli *Client) ImageBuild(ctx context.Context, buildContext io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error) {
+	query, err := cli.imageBuildOptionsToQuery(options)
+	if err != nil {
+		return types.ImageBuildResponse{}, err
+	}
+
+	headers := http.Header(make(map[string][]string))
+	buf, err := json.Marshal(options.AuthConfigs)
+	if err != nil {
+		return types.ImageBuildResponse{}, err
+	}
+	headers.Add("X-Registry-Config", base64.URLEncoding.EncodeToString(buf))
+
+	headers.Set("Content-Type", "application/x-tar")
+
+	serverResp, err := cli.postRaw(ctx, "/build", query, buildContext, headers)
+	if err != nil {
+		return types.ImageBuildResponse{}, err
+	}
+
+	osType := getDockerOS(serverResp.header.Get("Server"))
+
+	return types.ImageBuildResponse{
+		Body:   serverResp.body,
+		OSType: osType,
+	}, nil
+}
+
+func (cli *Client) imageBuildOptionsToQuery(options types.ImageBuildOptions) (url.Values, error) {
+	query := url.Values{
+		"t":           options.Tags,
+		"securityopt": options.SecurityOpt,
+		"extrahosts":  options.ExtraHosts,
+	}
+	if options.SuppressOutput {
+		query.Set("q", "1")
+	}
+	if options.RemoteContext != "" {
+		query.Set("remote", options.RemoteContext)
+	}
+	if options.NoCache {
+		query.Set("nocache", "1")
+	}
+	if options.Remove {
+		query.Set("rm", "1")
+	} else {
+		query.Set("rm", "0")
+	}
+
+	if options.ForceRemove {
+		query.Set("forcerm", "1")
+	}
+
+	if options.PullParent {
+		query.Set("pull", "1")
+	}
+
+	if options.Squash {
+		if err := cli.NewVersionError("1.25", "squash"); err != nil {
+			return query, err
+		}
+		query.Set("squash", "1")
+	}
+
+	if !container.Isolation.IsDefault(options.Isolation) {
+		query.Set("isolation", string(options.Isolation))
+	}
+
+	query.Set("cpusetcpus", options.CPUSetCPUs)
+	query.Set("networkmode", options.NetworkMode)
+	query.Set("cpusetmems", options.CPUSetMems)
+	query.Set("cpushares", strconv.FormatInt(options.CPUShares, 10))
+	query.Set("cpuquota", strconv.FormatInt(options.CPUQuota, 10))
+	query.Set("cpuperiod", strconv.FormatInt(options.CPUPeriod, 10))
+	query.Set("memory", strconv.FormatInt(options.Memory, 10))
+	query.Set("memswap", strconv.FormatInt(options.MemorySwap, 10))
+	query.Set("cgroupparent", options.CgroupParent)
+	query.Set("shmsize", strconv.FormatInt(options.ShmSize, 10))
+	query.Set("dockerfile", options.Dockerfile)
+	query.Set("target", options.Target)
+
+	ulimitsJSON, err := json.Marshal(options.Ulimits)
+	if err != nil {
+		return query, err
+	}
+	query.Set("ulimits", string(ulimitsJSON))
+
+	buildArgsJSON, err := json.Marshal(options.BuildArgs)
+	if err != nil {
+		return query, err
+	}
+	query.Set("buildargs", string(buildArgsJSON))
+
+	labelsJSON, err := json.Marshal(options.Labels)
+	if err != nil {
+		return query, err
+	}
+	query.Set("labels", string(labelsJSON))
+
+	cacheFromJSON, err := json.Marshal(options.CacheFrom)
+	if err != nil {
+		return query, err
+	}
+	query.Set("cachefrom", string(cacheFromJSON))
+	if options.SessionID != "" {
+		query.Set("session", options.SessionID)
+	}
+	if options.Platform != "" {
+		if err := cli.NewVersionError("1.32", "platform"); err != nil {
+			return query, err
+		}
+		query.Set("platform", strings.ToLower(options.Platform))
+	}
+	if options.BuildID != "" {
+		query.Set("buildid", options.BuildID)
+	}
+	query.Set("version", string(options.Version))
+	return query, nil
+}
diff --git a/engine/client/image_build_test.go b/engine/client/image_build_test.go
new file mode 100644
index 00000000..95c11bc3
--- /dev/null
+++ b/engine/client/image_build_test.go
@@ -0,0 +1,232 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/go-units"
+)
+
+func TestImageBuildError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ImageBuild(context.Background(), nil, types.ImageBuildOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestImageBuild(t *testing.T) {
+	v1 := "value1"
+	v2 := "value2"
+	emptyRegistryConfig := "bnVsbA=="
+	buildCases := []struct {
+		buildOptions           types.ImageBuildOptions
+		expectedQueryParams    map[string]string
+		expectedTags           []string
+		expectedRegistryConfig string
+	}{
+		{
+			buildOptions: types.ImageBuildOptions{
+				SuppressOutput: true,
+				NoCache:        true,
+				Remove:         true,
+				ForceRemove:    true,
+				PullParent:     true,
+			},
+			expectedQueryParams: map[string]string{
+				"q":       "1",
+				"nocache": "1",
+				"rm":      "1",
+				"forcerm": "1",
+				"pull":    "1",
+			},
+			expectedTags:           []string{},
+			expectedRegistryConfig: emptyRegistryConfig,
+		},
+		{
+			buildOptions: types.ImageBuildOptions{
+				SuppressOutput: false,
+				NoCache:        false,
+				Remove:         false,
+				ForceRemove:    false,
+				PullParent:     false,
+			},
+			expectedQueryParams: map[string]string{
+				"q":       "",
+				"nocache": "",
+				"rm":      "0",
+				"forcerm": "",
+				"pull":    "",
+			},
+			expectedTags:           []string{},
+			expectedRegistryConfig: emptyRegistryConfig,
+		},
+		{
+			buildOptions: types.ImageBuildOptions{
+				RemoteContext: "remoteContext",
+				Isolation:     container.Isolation("isolation"),
+				CPUSetCPUs:    "2",
+				CPUSetMems:    "12",
+				CPUShares:     20,
+				CPUQuota:      10,
+				CPUPeriod:     30,
+				Memory:        256,
+				MemorySwap:    512,
+				ShmSize:       10,
+				CgroupParent:  "cgroup_parent",
+				Dockerfile:    "Dockerfile",
+			},
+			expectedQueryParams: map[string]string{
+				"remote":       "remoteContext",
+				"isolation":    "isolation",
+				"cpusetcpus":   "2",
+				"cpusetmems":   "12",
+				"cpushares":    "20",
+				"cpuquota":     "10",
+				"cpuperiod":    "30",
+				"memory":       "256",
+				"memswap":      "512",
+				"shmsize":      "10",
+				"cgroupparent": "cgroup_parent",
+				"dockerfile":   "Dockerfile",
+				"rm":           "0",
+			},
+			expectedTags:           []string{},
+			expectedRegistryConfig: emptyRegistryConfig,
+		},
+		{
+			buildOptions: types.ImageBuildOptions{
+				BuildArgs: map[string]*string{
+					"ARG1": &v1,
+					"ARG2": &v2,
+					"ARG3": nil,
+				},
+			},
+			expectedQueryParams: map[string]string{
+				"buildargs": `{"ARG1":"value1","ARG2":"value2","ARG3":null}`,
+				"rm":        "0",
+			},
+			expectedTags:           []string{},
+			expectedRegistryConfig: emptyRegistryConfig,
+		},
+		{
+			buildOptions: types.ImageBuildOptions{
+				Ulimits: []*units.Ulimit{
+					{
+						Name: "nproc",
+						Hard: 65557,
+						Soft: 65557,
+					},
+					{
+						Name: "nofile",
+						Hard: 20000,
+						Soft: 40000,
+					},
+				},
+			},
+			expectedQueryParams: map[string]string{
+				"ulimits": `[{"Name":"nproc","Hard":65557,"Soft":65557},{"Name":"nofile","Hard":20000,"Soft":40000}]`,
+				"rm":      "0",
+			},
+			expectedTags:           []string{},
+			expectedRegistryConfig: emptyRegistryConfig,
+		},
+		{
+			buildOptions: types.ImageBuildOptions{
+				AuthConfigs: map[string]types.AuthConfig{
+					"https://index.docker.io/v1/": {
+						Auth: "dG90bwo=",
+					},
+				},
+			},
+			expectedQueryParams: map[string]string{
+				"rm": "0",
+			},
+			expectedTags:           []string{},
+			expectedRegistryConfig: "eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsiYXV0aCI6ImRHOTBid289In19",
+		},
+	}
+	for _, buildCase := range buildCases {
+		expectedURL := "/build"
+		client := &Client{
+			client: newMockClient(func(r *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(r.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, r.URL)
+				}
+				// Check request headers
+				registryConfig := r.Header.Get("X-Registry-Config")
+				if registryConfig != buildCase.expectedRegistryConfig {
+					return nil, fmt.Errorf("X-Registry-Config header not properly set in the request. Expected '%s', got %s", buildCase.expectedRegistryConfig, registryConfig)
+				}
+				contentType := r.Header.Get("Content-Type")
+				if contentType != "application/x-tar" {
+					return nil, fmt.Errorf("Content-type header not properly set in the request. Expected 'application/x-tar', got %s", contentType)
+				}
+
+				// Check query parameters
+				query := r.URL.Query()
+				for key, expected := range buildCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+
+				// Check tags
+				if len(buildCase.expectedTags) > 0 {
+					tags := query["t"]
+					if !reflect.DeepEqual(tags, buildCase.expectedTags) {
+						return nil, fmt.Errorf("t (tags) not set in URL query properly. Expected '%s', got %s", buildCase.expectedTags, tags)
+					}
+				}
+
+				headers := http.Header{}
+				headers.Add("Server", "Docker/v1.23 (MyOS)")
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+					Header:     headers,
+				}, nil
+			}),
+		}
+		buildResponse, err := client.ImageBuild(context.Background(), nil, buildCase.buildOptions)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if buildResponse.OSType != "MyOS" {
+			t.Fatalf("expected OSType to be 'MyOS', got %s", buildResponse.OSType)
+		}
+		response, err := ioutil.ReadAll(buildResponse.Body)
+		if err != nil {
+			t.Fatal(err)
+		}
+		buildResponse.Body.Close()
+		if string(response) != "body" {
+			t.Fatalf("expected Body to contain 'body' string, got %s", response)
+		}
+	}
+}
+
+func TestGetDockerOS(t *testing.T) {
+	cases := map[string]string{
+		"Docker/v1.22 (linux)":   "linux",
+		"Docker/v1.22 (windows)": "windows",
+		"Foo/v1.22 (bar)":        "",
+	}
+	for header, os := range cases {
+		g := getDockerOS(header)
+		if g != os {
+			t.Fatalf("Expected %s, got %s", os, g)
+		}
+	}
+}
diff --git a/engine/client/image_create.go b/engine/client/image_create.go
new file mode 100644
index 00000000..23938047
--- /dev/null
+++ b/engine/client/image_create.go
@@ -0,0 +1,37 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/url"
+	"strings"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+)
+
+// ImageCreate creates a new image based in the parent options.
+// It returns the JSON content in the response body.
+func (cli *Client) ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
+	ref, err := reference.ParseNormalizedNamed(parentReference)
+	if err != nil {
+		return nil, err
+	}
+
+	query := url.Values{}
+	query.Set("fromImage", reference.FamiliarName(ref))
+	query.Set("tag", getAPITagFromNamedRef(ref))
+	if options.Platform != "" {
+		query.Set("platform", strings.ToLower(options.Platform))
+	}
+	resp, err := cli.tryImageCreate(ctx, query, options.RegistryAuth)
+	if err != nil {
+		return nil, err
+	}
+	return resp.body, nil
+}
+
+func (cli *Client) tryImageCreate(ctx context.Context, query url.Values, registryAuth string) (serverResponse, error) {
+	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}
+	return cli.post(ctx, "/images/create", query, nil, headers)
+}
diff --git a/engine/client/image_create_test.go b/engine/client/image_create_test.go
new file mode 100644
index 00000000..b89f16d2
--- /dev/null
+++ b/engine/client/image_create_test.go
@@ -0,0 +1,75 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestImageCreateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ImageCreate(context.Background(), "reference", types.ImageCreateOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server error, got %v", err)
+	}
+}
+
+func TestImageCreate(t *testing.T) {
+	expectedURL := "/images/create"
+	expectedImage := "test:5000/my_image"
+	expectedTag := "sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+	expectedReference := fmt.Sprintf("%s@%s", expectedImage, expectedTag)
+	expectedRegistryAuth := "eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsiYXV0aCI6ImRHOTBid289IiwiZW1haWwiOiJqb2huQGRvZS5jb20ifX0="
+	client := &Client{
+		client: newMockClient(func(r *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(r.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, r.URL)
+			}
+			registryAuth := r.Header.Get("X-Registry-Auth")
+			if registryAuth != expectedRegistryAuth {
+				return nil, fmt.Errorf("X-Registry-Auth header not properly set in the request. Expected '%s', got %s", expectedRegistryAuth, registryAuth)
+			}
+
+			query := r.URL.Query()
+			fromImage := query.Get("fromImage")
+			if fromImage != expectedImage {
+				return nil, fmt.Errorf("fromImage not set in URL query properly. Expected '%s', got %s", expectedImage, fromImage)
+			}
+
+			tag := query.Get("tag")
+			if tag != expectedTag {
+				return nil, fmt.Errorf("tag not set in URL query properly. Expected '%s', got %s", expectedTag, tag)
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+			}, nil
+		}),
+	}
+
+	createResponse, err := client.ImageCreate(context.Background(), expectedReference, types.ImageCreateOptions{
+		RegistryAuth: expectedRegistryAuth,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	response, err := ioutil.ReadAll(createResponse)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err = createResponse.Close(); err != nil {
+		t.Fatal(err)
+	}
+	if string(response) != "body" {
+		t.Fatalf("expected Body to contain 'body' string, got %s", response)
+	}
+}
diff --git a/engine/client/image_history.go b/engine/client/image_history.go
new file mode 100644
index 00000000..0151b951
--- /dev/null
+++ b/engine/client/image_history.go
@@ -0,0 +1,22 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types/image"
+)
+
+// ImageHistory returns the changes in an image in history format.
+func (cli *Client) ImageHistory(ctx context.Context, imageID string) ([]image.HistoryResponseItem, error) {
+	var history []image.HistoryResponseItem
+	serverResp, err := cli.get(ctx, "/images/"+imageID+"/history", url.Values{}, nil)
+	if err != nil {
+		return history, err
+	}
+
+	err = json.NewDecoder(serverResp.body).Decode(&history)
+	ensureReaderClosed(serverResp)
+	return history, err
+}
diff --git a/engine/client/image_history_test.go b/engine/client/image_history_test.go
new file mode 100644
index 00000000..0217bf57
--- /dev/null
+++ b/engine/client/image_history_test.go
@@ -0,0 +1,60 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/image"
+)
+
+func TestImageHistoryError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ImageHistory(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server error, got %v", err)
+	}
+}
+
+func TestImageHistory(t *testing.T) {
+	expectedURL := "/images/image_id/history"
+	client := &Client{
+		client: newMockClient(func(r *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(r.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, r.URL)
+			}
+			b, err := json.Marshal([]image.HistoryResponseItem{
+				{
+					ID:   "image_id1",
+					Tags: []string{"tag1", "tag2"},
+				},
+				{
+					ID:   "image_id2",
+					Tags: []string{"tag1", "tag2"},
+				},
+			})
+			if err != nil {
+				return nil, err
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+	imageHistories, err := client.ImageHistory(context.Background(), "image_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(imageHistories) != 2 {
+		t.Fatalf("expected 2 containers, got %v", imageHistories)
+	}
+}
diff --git a/engine/client/image_import.go b/engine/client/image_import.go
new file mode 100644
index 00000000..c2972ea9
--- /dev/null
+++ b/engine/client/image_import.go
@@ -0,0 +1,40 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/url"
+	"strings"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+)
+
+// ImageImport creates a new image based in the source options.
+// It returns the JSON content in the response body.
+func (cli *Client) ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+	if ref != "" {
+		//Check if the given image name can be resolved
+		if _, err := reference.ParseNormalizedNamed(ref); err != nil {
+			return nil, err
+		}
+	}
+
+	query := url.Values{}
+	query.Set("fromSrc", source.SourceName)
+	query.Set("repo", ref)
+	query.Set("tag", options.Tag)
+	query.Set("message", options.Message)
+	if options.Platform != "" {
+		query.Set("platform", strings.ToLower(options.Platform))
+	}
+	for _, change := range options.Changes {
+		query.Add("changes", change)
+	}
+
+	resp, err := cli.postRaw(ctx, "/images/create", query, source.Source, nil)
+	if err != nil {
+		return nil, err
+	}
+	return resp.body, nil
+}
diff --git a/engine/client/image_import_test.go b/engine/client/image_import_test.go
new file mode 100644
index 00000000..944cd52f
--- /dev/null
+++ b/engine/client/image_import_test.go
@@ -0,0 +1,81 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestImageImportError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ImageImport(context.Background(), types.ImageImportSource{}, "image:tag", types.ImageImportOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server error, got %v", err)
+	}
+}
+
+func TestImageImport(t *testing.T) {
+	expectedURL := "/images/create"
+	client := &Client{
+		client: newMockClient(func(r *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(r.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, r.URL)
+			}
+			query := r.URL.Query()
+			fromSrc := query.Get("fromSrc")
+			if fromSrc != "image_source" {
+				return nil, fmt.Errorf("fromSrc not set in URL query properly. Expected 'image_source', got %s", fromSrc)
+			}
+			repo := query.Get("repo")
+			if repo != "repository_name:imported" {
+				return nil, fmt.Errorf("repo not set in URL query properly. Expected 'repository_name:imported', got %s", repo)
+			}
+			tag := query.Get("tag")
+			if tag != "imported" {
+				return nil, fmt.Errorf("tag not set in URL query properly. Expected 'imported', got %s", tag)
+			}
+			message := query.Get("message")
+			if message != "A message" {
+				return nil, fmt.Errorf("message not set in URL query properly. Expected 'A message', got %s", message)
+			}
+			changes := query["changes"]
+			expectedChanges := []string{"change1", "change2"}
+			if !reflect.DeepEqual(expectedChanges, changes) {
+				return nil, fmt.Errorf("changes not set in URL query properly. Expected %v, got %v", expectedChanges, changes)
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("response"))),
+			}, nil
+		}),
+	}
+	importResponse, err := client.ImageImport(context.Background(), types.ImageImportSource{
+		Source:     strings.NewReader("source"),
+		SourceName: "image_source",
+	}, "repository_name:imported", types.ImageImportOptions{
+		Tag:     "imported",
+		Message: "A message",
+		Changes: []string{"change1", "change2"},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	response, err := ioutil.ReadAll(importResponse)
+	if err != nil {
+		t.Fatal(err)
+	}
+	importResponse.Close()
+	if string(response) != "response" {
+		t.Fatalf("expected response to contain 'response', got %s", string(response))
+	}
+}
diff --git a/engine/client/image_inspect.go b/engine/client/image_inspect.go
new file mode 100644
index 00000000..2f8f6d2f
--- /dev/null
+++ b/engine/client/image_inspect.go
@@ -0,0 +1,32 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io/ioutil"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ImageInspectWithRaw returns the image information and its raw representation.
+func (cli *Client) ImageInspectWithRaw(ctx context.Context, imageID string) (types.ImageInspect, []byte, error) {
+	if imageID == "" {
+		return types.ImageInspect{}, nil, objectNotFoundError{object: "image", id: imageID}
+	}
+	serverResp, err := cli.get(ctx, "/images/"+imageID+"/json", nil, nil)
+	if err != nil {
+		return types.ImageInspect{}, nil, wrapResponseError(err, serverResp, "image", imageID)
+	}
+	defer ensureReaderClosed(serverResp)
+
+	body, err := ioutil.ReadAll(serverResp.body)
+	if err != nil {
+		return types.ImageInspect{}, nil, err
+	}
+
+	var response types.ImageInspect
+	rdr := bytes.NewReader(body)
+	err = json.NewDecoder(rdr).Decode(&response)
+	return response, body, err
+}
diff --git a/engine/client/image_inspect_test.go b/engine/client/image_inspect_test.go
new file mode 100644
index 00000000..a910872d
--- /dev/null
+++ b/engine/client/image_inspect_test.go
@@ -0,0 +1,84 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+)
+
+func TestImageInspectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, _, err := client.ImageInspectWithRaw(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestImageInspectImageNotFound(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Server error")),
+	}
+
+	_, _, err := client.ImageInspectWithRaw(context.Background(), "unknown")
+	if err == nil || !IsErrNotFound(err) {
+		t.Fatalf("expected an imageNotFound error, got %v", err)
+	}
+}
+
+func TestImageInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, _, err := client.ImageInspectWithRaw(context.Background(), "")
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
+
+func TestImageInspect(t *testing.T) {
+	expectedURL := "/images/image_id/json"
+	expectedTags := []string{"tag1", "tag2"}
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			content, err := json.Marshal(types.ImageInspect{
+				ID:       "image_id",
+				RepoTags: expectedTags,
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	imageInspect, _, err := client.ImageInspectWithRaw(context.Background(), "image_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if imageInspect.ID != "image_id" {
+		t.Fatalf("expected `image_id`, got %s", imageInspect.ID)
+	}
+	if !reflect.DeepEqual(imageInspect.RepoTags, expectedTags) {
+		t.Fatalf("expected `%v`, got %v", expectedTags, imageInspect.RepoTags)
+	}
+}
diff --git a/engine/client/image_list.go b/engine/client/image_list.go
new file mode 100644
index 00000000..32fae27b
--- /dev/null
+++ b/engine/client/image_list.go
@@ -0,0 +1,45 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/versions"
+)
+
+// ImageList returns a list of images in the docker host.
+func (cli *Client) ImageList(ctx context.Context, options types.ImageListOptions) ([]types.ImageSummary, error) {
+	var images []types.ImageSummary
+	query := url.Values{}
+
+	optionFilters := options.Filters
+	referenceFilters := optionFilters.Get("reference")
+	if versions.LessThan(cli.version, "1.25") && len(referenceFilters) > 0 {
+		query.Set("filter", referenceFilters[0])
+		for _, filterValue := range referenceFilters {
+			optionFilters.Del("reference", filterValue)
+		}
+	}
+	if optionFilters.Len() > 0 {
+		filterJSON, err := filters.ToParamWithVersion(cli.version, optionFilters)
+		if err != nil {
+			return images, err
+		}
+		query.Set("filters", filterJSON)
+	}
+	if options.All {
+		query.Set("all", "1")
+	}
+
+	serverResp, err := cli.get(ctx, "/images/json", query, nil)
+	if err != nil {
+		return images, err
+	}
+
+	err = json.NewDecoder(serverResp.body).Decode(&images)
+	ensureReaderClosed(serverResp)
+	return images, err
+}
diff --git a/engine/client/image_list_test.go b/engine/client/image_list_test.go
new file mode 100644
index 00000000..3ba5239a
--- /dev/null
+++ b/engine/client/image_list_test.go
@@ -0,0 +1,159 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+func TestImageListError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.ImageList(context.Background(), types.ImageListOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestImageList(t *testing.T) {
+	expectedURL := "/images/json"
+
+	noDanglingfilters := filters.NewArgs()
+	noDanglingfilters.Add("dangling", "false")
+
+	filters := filters.NewArgs()
+	filters.Add("label", "label1")
+	filters.Add("label", "label2")
+	filters.Add("dangling", "true")
+
+	listCases := []struct {
+		options             types.ImageListOptions
+		expectedQueryParams map[string]string
+	}{
+		{
+			options: types.ImageListOptions{},
+			expectedQueryParams: map[string]string{
+				"all":     "",
+				"filter":  "",
+				"filters": "",
+			},
+		},
+		{
+			options: types.ImageListOptions{
+				Filters: filters,
+			},
+			expectedQueryParams: map[string]string{
+				"all":     "",
+				"filter":  "",
+				"filters": `{"dangling":{"true":true},"label":{"label1":true,"label2":true}}`,
+			},
+		},
+		{
+			options: types.ImageListOptions{
+				Filters: noDanglingfilters,
+			},
+			expectedQueryParams: map[string]string{
+				"all":     "",
+				"filter":  "",
+				"filters": `{"dangling":{"false":true}}`,
+			},
+		},
+	}
+	for _, listCase := range listCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				for key, expected := range listCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				content, err := json.Marshal([]types.ImageSummary{
+					{
+						ID: "image_id2",
+					},
+					{
+						ID: "image_id2",
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+		}
+
+		images, err := client.ImageList(context.Background(), listCase.options)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(images) != 2 {
+			t.Fatalf("expected 2 images, got %v", images)
+		}
+	}
+}
+
+func TestImageListApiBefore125(t *testing.T) {
+	expectedFilter := "image:tag"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			query := req.URL.Query()
+			actualFilter := query.Get("filter")
+			if actualFilter != expectedFilter {
+				return nil, fmt.Errorf("filter not set in URL query properly. Expected '%s', got %s", expectedFilter, actualFilter)
+			}
+			actualFilters := query.Get("filters")
+			if actualFilters != "" {
+				return nil, fmt.Errorf("filters should have not been present, were with value: %s", actualFilters)
+			}
+			content, err := json.Marshal([]types.ImageSummary{
+				{
+					ID: "image_id2",
+				},
+				{
+					ID: "image_id2",
+				},
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+		version: "1.24",
+	}
+
+	filters := filters.NewArgs()
+	filters.Add("reference", "image:tag")
+
+	options := types.ImageListOptions{
+		Filters: filters,
+	}
+
+	images, err := client.ImageList(context.Background(), options)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(images) != 2 {
+		t.Fatalf("expected 2 images, got %v", images)
+	}
+}
diff --git a/engine/client/image_load.go b/engine/client/image_load.go
new file mode 100644
index 00000000..91016e49
--- /dev/null
+++ b/engine/client/image_load.go
@@ -0,0 +1,29 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ImageLoad loads an image in the docker host from the client host.
+// It's up to the caller to close the io.ReadCloser in the
+// ImageLoadResponse returned by this function.
+func (cli *Client) ImageLoad(ctx context.Context, input io.Reader, quiet bool) (types.ImageLoadResponse, error) {
+	v := url.Values{}
+	v.Set("quiet", "0")
+	if quiet {
+		v.Set("quiet", "1")
+	}
+	headers := map[string][]string{"Content-Type": {"application/x-tar"}}
+	resp, err := cli.postRaw(ctx, "/images/load", v, input, headers)
+	if err != nil {
+		return types.ImageLoadResponse{}, err
+	}
+	return types.ImageLoadResponse{
+		Body: resp.body,
+		JSON: resp.header.Get("Content-Type") == "application/json",
+	}, nil
+}
diff --git a/engine/client/image_load_test.go b/engine/client/image_load_test.go
new file mode 100644
index 00000000..116317da
--- /dev/null
+++ b/engine/client/image_load_test.go
@@ -0,0 +1,94 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestImageLoadError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.ImageLoad(context.Background(), nil, true)
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestImageLoad(t *testing.T) {
+	expectedURL := "/images/load"
+	expectedInput := "inputBody"
+	expectedOutput := "outputBody"
+	loadCases := []struct {
+		quiet                bool
+		responseContentType  string
+		expectedResponseJSON bool
+		expectedQueryParams  map[string]string
+	}{
+		{
+			quiet:                false,
+			responseContentType:  "text/plain",
+			expectedResponseJSON: false,
+			expectedQueryParams: map[string]string{
+				"quiet": "0",
+			},
+		},
+		{
+			quiet:                true,
+			responseContentType:  "application/json",
+			expectedResponseJSON: true,
+			expectedQueryParams: map[string]string{
+				"quiet": "1",
+			},
+		},
+	}
+	for _, loadCase := range loadCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				contentType := req.Header.Get("Content-Type")
+				if contentType != "application/x-tar" {
+					return nil, fmt.Errorf("content-type not set in URL headers properly. Expected 'application/x-tar', got %s", contentType)
+				}
+				query := req.URL.Query()
+				for key, expected := range loadCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				headers := http.Header{}
+				headers.Add("Content-Type", loadCase.responseContentType)
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte(expectedOutput))),
+					Header:     headers,
+				}, nil
+			}),
+		}
+
+		input := bytes.NewReader([]byte(expectedInput))
+		imageLoadResponse, err := client.ImageLoad(context.Background(), input, loadCase.quiet)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if imageLoadResponse.JSON != loadCase.expectedResponseJSON {
+			t.Fatalf("expected a JSON response, was not.")
+		}
+		body, err := ioutil.ReadAll(imageLoadResponse.Body)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(body) != expectedOutput {
+			t.Fatalf("expected %s, got %s", expectedOutput, string(body))
+		}
+	}
+}
diff --git a/engine/client/image_prune.go b/engine/client/image_prune.go
new file mode 100644
index 00000000..78ee3f6c
--- /dev/null
+++ b/engine/client/image_prune.go
@@ -0,0 +1,36 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// ImagesPrune requests the daemon to delete unused data
+func (cli *Client) ImagesPrune(ctx context.Context, pruneFilters filters.Args) (types.ImagesPruneReport, error) {
+	var report types.ImagesPruneReport
+
+	if err := cli.NewVersionError("1.25", "image prune"); err != nil {
+		return report, err
+	}
+
+	query, err := getFiltersQuery(pruneFilters)
+	if err != nil {
+		return report, err
+	}
+
+	serverResp, err := cli.post(ctx, "/images/prune", query, nil, nil)
+	if err != nil {
+		return report, err
+	}
+	defer ensureReaderClosed(serverResp)
+
+	if err := json.NewDecoder(serverResp.body).Decode(&report); err != nil {
+		return report, fmt.Errorf("Error retrieving disk usage: %v", err)
+	}
+
+	return report, nil
+}
diff --git a/engine/client/image_prune_test.go b/engine/client/image_prune_test.go
new file mode 100644
index 00000000..9b0839bb
--- /dev/null
+++ b/engine/client/image_prune_test.go
@@ -0,0 +1,120 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestImagesPruneError(t *testing.T) {
+	client := &Client{
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+		version: "1.25",
+	}
+
+	filters := filters.NewArgs()
+
+	_, err := client.ImagesPrune(context.Background(), filters)
+	assert.Check(t, is.Error(err, "Error response from daemon: Server error"))
+}
+
+func TestImagesPrune(t *testing.T) {
+	expectedURL := "/v1.25/images/prune"
+
+	danglingFilters := filters.NewArgs()
+	danglingFilters.Add("dangling", "true")
+
+	noDanglingFilters := filters.NewArgs()
+	noDanglingFilters.Add("dangling", "false")
+
+	labelFilters := filters.NewArgs()
+	labelFilters.Add("dangling", "true")
+	labelFilters.Add("label", "label1=foo")
+	labelFilters.Add("label", "label2!=bar")
+
+	listCases := []struct {
+		filters             filters.Args
+		expectedQueryParams map[string]string
+	}{
+		{
+			filters: filters.Args{},
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": "",
+			},
+		},
+		{
+			filters: danglingFilters,
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": `{"dangling":{"true":true}}`,
+			},
+		},
+		{
+			filters: noDanglingFilters,
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": `{"dangling":{"false":true}}`,
+			},
+		},
+		{
+			filters: labelFilters,
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": `{"dangling":{"true":true},"label":{"label1=foo":true,"label2!=bar":true}}`,
+			},
+		},
+	}
+	for _, listCase := range listCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				for key, expected := range listCase.expectedQueryParams {
+					actual := query.Get(key)
+					assert.Check(t, is.Equal(expected, actual))
+				}
+				content, err := json.Marshal(types.ImagesPruneReport{
+					ImagesDeleted: []types.ImageDeleteResponseItem{
+						{
+							Deleted: "image_id1",
+						},
+						{
+							Deleted: "image_id2",
+						},
+					},
+					SpaceReclaimed: 9999,
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+			version: "1.25",
+		}
+
+		report, err := client.ImagesPrune(context.Background(), listCase.filters)
+		assert.Check(t, err)
+		assert.Check(t, is.Len(report.ImagesDeleted, 2))
+		assert.Check(t, is.Equal(uint64(9999), report.SpaceReclaimed))
+	}
+}
diff --git a/engine/client/image_pull.go b/engine/client/image_pull.go
new file mode 100644
index 00000000..d97aacf8
--- /dev/null
+++ b/engine/client/image_pull.go
@@ -0,0 +1,64 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+)
+
+// ImagePull requests the docker host to pull an image from a remote registry.
+// It executes the privileged function if the operation is unauthorized
+// and it tries one more time.
+// It's up to the caller to handle the io.ReadCloser and close it properly.
+//
+// FIXME(vdemeester): there is currently used in a few way in docker/docker
+// - if not in trusted content, ref is used to pass the whole reference, and tag is empty
+// - if in trusted content, ref is used to pass the reference name, and tag for the digest
+func (cli *Client) ImagePull(ctx context.Context, refStr string, options types.ImagePullOptions) (io.ReadCloser, error) {
+	ref, err := reference.ParseNormalizedNamed(refStr)
+	if err != nil {
+		return nil, err
+	}
+
+	query := url.Values{}
+	query.Set("fromImage", reference.FamiliarName(ref))
+	if !options.All {
+		query.Set("tag", getAPITagFromNamedRef(ref))
+	}
+	if options.Platform != "" {
+		query.Set("platform", strings.ToLower(options.Platform))
+	}
+
+	resp, err := cli.tryImageCreate(ctx, query, options.RegistryAuth)
+	if resp.statusCode == http.StatusUnauthorized && options.PrivilegeFunc != nil {
+		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		if privilegeErr != nil {
+			return nil, privilegeErr
+		}
+		resp, err = cli.tryImageCreate(ctx, query, newAuthHeader)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return resp.body, nil
+}
+
+// getAPITagFromNamedRef returns a tag from the specified reference.
+// This function is necessary as long as the docker "server" api expects
+// digests to be sent as tags and makes a distinction between the name
+// and tag/digest part of a reference.
+func getAPITagFromNamedRef(ref reference.Named) string {
+	if digested, ok := ref.(reference.Digested); ok {
+		return digested.Digest().String()
+	}
+	ref = reference.TagNameOnly(ref)
+	if tagged, ok := ref.(reference.Tagged); ok {
+		return tagged.Tag()
+	}
+	return ""
+}
diff --git a/engine/client/image_pull_test.go b/engine/client/image_pull_test.go
new file mode 100644
index 00000000..361c5c2b
--- /dev/null
+++ b/engine/client/image_pull_test.go
@@ -0,0 +1,198 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestImagePullReferenceParseError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, nil
+		}),
+	}
+	// An empty reference is an invalid reference
+	_, err := client.ImagePull(context.Background(), "", types.ImagePullOptions{})
+	if err == nil || !strings.Contains(err.Error(), "invalid reference format") {
+		t.Fatalf("expected an error, got %v", err)
+	}
+}
+
+func TestImagePullAnyError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ImagePull(context.Background(), "myimage", types.ImagePullOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestImagePullStatusUnauthorizedError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
+	}
+	_, err := client.ImagePull(context.Background(), "myimage", types.ImagePullOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Unauthorized error" {
+		t.Fatalf("expected an Unauthorized Error, got %v", err)
+	}
+}
+
+func TestImagePullWithUnauthorizedErrorAndPrivilegeFuncError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
+	}
+	privilegeFunc := func() (string, error) {
+		return "", fmt.Errorf("Error requesting privilege")
+	}
+	_, err := client.ImagePull(context.Background(), "myimage", types.ImagePullOptions{
+		PrivilegeFunc: privilegeFunc,
+	})
+	if err == nil || err.Error() != "Error requesting privilege" {
+		t.Fatalf("expected an error requesting privilege, got %v", err)
+	}
+}
+
+func TestImagePullWithUnauthorizedErrorAndAnotherUnauthorizedError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
+	}
+	privilegeFunc := func() (string, error) {
+		return "a-auth-header", nil
+	}
+	_, err := client.ImagePull(context.Background(), "myimage", types.ImagePullOptions{
+		PrivilegeFunc: privilegeFunc,
+	})
+	if err == nil || err.Error() != "Error response from daemon: Unauthorized error" {
+		t.Fatalf("expected an Unauthorized Error, got %v", err)
+	}
+}
+
+func TestImagePullWithPrivilegedFuncNoError(t *testing.T) {
+	expectedURL := "/images/create"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			auth := req.Header.Get("X-Registry-Auth")
+			if auth == "NotValid" {
+				return &http.Response{
+					StatusCode: http.StatusUnauthorized,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte("Invalid credentials"))),
+				}, nil
+			}
+			if auth != "IAmValid" {
+				return nil, fmt.Errorf("Invalid auth header : expected %s, got %s", "IAmValid", auth)
+			}
+			query := req.URL.Query()
+			fromImage := query.Get("fromImage")
+			if fromImage != "myimage" {
+				return nil, fmt.Errorf("fromimage not set in URL query properly. Expected '%s', got %s", "myimage", fromImage)
+			}
+			tag := query.Get("tag")
+			if tag != "latest" {
+				return nil, fmt.Errorf("tag not set in URL query properly. Expected '%s', got %s", "latest", tag)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("hello world"))),
+			}, nil
+		}),
+	}
+	privilegeFunc := func() (string, error) {
+		return "IAmValid", nil
+	}
+	resp, err := client.ImagePull(context.Background(), "myimage", types.ImagePullOptions{
+		RegistryAuth:  "NotValid",
+		PrivilegeFunc: privilegeFunc,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	body, err := ioutil.ReadAll(resp)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(body) != "hello world" {
+		t.Fatalf("expected 'hello world', got %s", string(body))
+	}
+}
+
+func TestImagePullWithoutErrors(t *testing.T) {
+	expectedURL := "/images/create"
+	expectedOutput := "hello world"
+	pullCases := []struct {
+		all           bool
+		reference     string
+		expectedImage string
+		expectedTag   string
+	}{
+		{
+			all:           false,
+			reference:     "myimage",
+			expectedImage: "myimage",
+			expectedTag:   "latest",
+		},
+		{
+			all:           false,
+			reference:     "myimage:tag",
+			expectedImage: "myimage",
+			expectedTag:   "tag",
+		},
+		{
+			all:           true,
+			reference:     "myimage",
+			expectedImage: "myimage",
+			expectedTag:   "",
+		},
+		{
+			all:           true,
+			reference:     "myimage:anything",
+			expectedImage: "myimage",
+			expectedTag:   "",
+		},
+	}
+	for _, pullCase := range pullCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				fromImage := query.Get("fromImage")
+				if fromImage != pullCase.expectedImage {
+					return nil, fmt.Errorf("fromimage not set in URL query properly. Expected '%s', got %s", pullCase.expectedImage, fromImage)
+				}
+				tag := query.Get("tag")
+				if tag != pullCase.expectedTag {
+					return nil, fmt.Errorf("tag not set in URL query properly. Expected '%s', got %s", pullCase.expectedTag, tag)
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte(expectedOutput))),
+				}, nil
+			}),
+		}
+		resp, err := client.ImagePull(context.Background(), pullCase.reference, types.ImagePullOptions{
+			All: pullCase.all,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		body, err := ioutil.ReadAll(resp)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(body) != expectedOutput {
+			t.Fatalf("expected '%s', got %s", expectedOutput, string(body))
+		}
+	}
+}
diff --git a/engine/client/image_push.go b/engine/client/image_push.go
new file mode 100644
index 00000000..a15871c2
--- /dev/null
+++ b/engine/client/image_push.go
@@ -0,0 +1,55 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"errors"
+	"io"
+	"net/http"
+	"net/url"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+)
+
+// ImagePush requests the docker host to push an image to a remote registry.
+// It executes the privileged function if the operation is unauthorized
+// and it tries one more time.
+// It's up to the caller to handle the io.ReadCloser and close it properly.
+func (cli *Client) ImagePush(ctx context.Context, image string, options types.ImagePushOptions) (io.ReadCloser, error) {
+	ref, err := reference.ParseNormalizedNamed(image)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, isCanonical := ref.(reference.Canonical); isCanonical {
+		return nil, errors.New("cannot push a digest reference")
+	}
+
+	tag := ""
+	name := reference.FamiliarName(ref)
+
+	if nameTaggedRef, isNamedTagged := ref.(reference.NamedTagged); isNamedTagged {
+		tag = nameTaggedRef.Tag()
+	}
+
+	query := url.Values{}
+	query.Set("tag", tag)
+
+	resp, err := cli.tryImagePush(ctx, name, query, options.RegistryAuth)
+	if resp.statusCode == http.StatusUnauthorized && options.PrivilegeFunc != nil {
+		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		if privilegeErr != nil {
+			return nil, privilegeErr
+		}
+		resp, err = cli.tryImagePush(ctx, name, query, newAuthHeader)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return resp.body, nil
+}
+
+func (cli *Client) tryImagePush(ctx context.Context, imageID string, query url.Values, registryAuth string) (serverResponse, error) {
+	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}
+	return cli.post(ctx, "/images/"+imageID+"/push", query, nil, headers)
+}
diff --git a/engine/client/image_push_test.go b/engine/client/image_push_test.go
new file mode 100644
index 00000000..0693601a
--- /dev/null
+++ b/engine/client/image_push_test.go
@@ -0,0 +1,179 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestImagePushReferenceError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, nil
+		}),
+	}
+	// An empty reference is an invalid reference
+	_, err := client.ImagePush(context.Background(), "", types.ImagePushOptions{})
+	if err == nil || !strings.Contains(err.Error(), "invalid reference format") {
+		t.Fatalf("expected an error, got %v", err)
+	}
+	// An canonical reference cannot be pushed
+	_, err = client.ImagePush(context.Background(), "repo@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", types.ImagePushOptions{})
+	if err == nil || err.Error() != "cannot push a digest reference" {
+		t.Fatalf("expected an error, got %v", err)
+	}
+}
+
+func TestImagePushAnyError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ImagePush(context.Background(), "myimage", types.ImagePushOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestImagePushStatusUnauthorizedError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
+	}
+	_, err := client.ImagePush(context.Background(), "myimage", types.ImagePushOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Unauthorized error" {
+		t.Fatalf("expected an Unauthorized Error, got %v", err)
+	}
+}
+
+func TestImagePushWithUnauthorizedErrorAndPrivilegeFuncError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
+	}
+	privilegeFunc := func() (string, error) {
+		return "", fmt.Errorf("Error requesting privilege")
+	}
+	_, err := client.ImagePush(context.Background(), "myimage", types.ImagePushOptions{
+		PrivilegeFunc: privilegeFunc,
+	})
+	if err == nil || err.Error() != "Error requesting privilege" {
+		t.Fatalf("expected an error requesting privilege, got %v", err)
+	}
+}
+
+func TestImagePushWithUnauthorizedErrorAndAnotherUnauthorizedError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
+	}
+	privilegeFunc := func() (string, error) {
+		return "a-auth-header", nil
+	}
+	_, err := client.ImagePush(context.Background(), "myimage", types.ImagePushOptions{
+		PrivilegeFunc: privilegeFunc,
+	})
+	if err == nil || err.Error() != "Error response from daemon: Unauthorized error" {
+		t.Fatalf("expected an Unauthorized Error, got %v", err)
+	}
+}
+
+func TestImagePushWithPrivilegedFuncNoError(t *testing.T) {
+	expectedURL := "/images/myimage/push"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			auth := req.Header.Get("X-Registry-Auth")
+			if auth == "NotValid" {
+				return &http.Response{
+					StatusCode: http.StatusUnauthorized,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte("Invalid credentials"))),
+				}, nil
+			}
+			if auth != "IAmValid" {
+				return nil, fmt.Errorf("Invalid auth header : expected %s, got %s", "IAmValid", auth)
+			}
+			query := req.URL.Query()
+			tag := query.Get("tag")
+			if tag != "tag" {
+				return nil, fmt.Errorf("tag not set in URL query properly. Expected '%s', got %s", "tag", tag)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("hello world"))),
+			}, nil
+		}),
+	}
+	privilegeFunc := func() (string, error) {
+		return "IAmValid", nil
+	}
+	resp, err := client.ImagePush(context.Background(), "myimage:tag", types.ImagePushOptions{
+		RegistryAuth:  "NotValid",
+		PrivilegeFunc: privilegeFunc,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	body, err := ioutil.ReadAll(resp)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(body) != "hello world" {
+		t.Fatalf("expected 'hello world', got %s", string(body))
+	}
+}
+
+func TestImagePushWithoutErrors(t *testing.T) {
+	expectedOutput := "hello world"
+	expectedURLFormat := "/images/%s/push"
+	pullCases := []struct {
+		reference     string
+		expectedImage string
+		expectedTag   string
+	}{
+		{
+			reference:     "myimage",
+			expectedImage: "myimage",
+			expectedTag:   "",
+		},
+		{
+			reference:     "myimage:tag",
+			expectedImage: "myimage",
+			expectedTag:   "tag",
+		},
+	}
+	for _, pullCase := range pullCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				expectedURL := fmt.Sprintf(expectedURLFormat, pullCase.expectedImage)
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				tag := query.Get("tag")
+				if tag != pullCase.expectedTag {
+					return nil, fmt.Errorf("tag not set in URL query properly. Expected '%s', got %s", pullCase.expectedTag, tag)
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte(expectedOutput))),
+				}, nil
+			}),
+		}
+		resp, err := client.ImagePush(context.Background(), pullCase.reference, types.ImagePushOptions{})
+		if err != nil {
+			t.Fatal(err)
+		}
+		body, err := ioutil.ReadAll(resp)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(body) != expectedOutput {
+			t.Fatalf("expected '%s', got %s", expectedOutput, string(body))
+		}
+	}
+}
diff --git a/engine/client/image_remove.go b/engine/client/image_remove.go
new file mode 100644
index 00000000..45d6e6f0
--- /dev/null
+++ b/engine/client/image_remove.go
@@ -0,0 +1,31 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ImageRemove removes an image from the docker host.
+func (cli *Client) ImageRemove(ctx context.Context, imageID string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error) {
+	query := url.Values{}
+
+	if options.Force {
+		query.Set("force", "1")
+	}
+	if !options.PruneChildren {
+		query.Set("noprune", "1")
+	}
+
+	var dels []types.ImageDeleteResponseItem
+	resp, err := cli.delete(ctx, "/images/"+imageID, query, nil)
+	if err != nil {
+		return dels, wrapResponseError(err, resp, "image", imageID)
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&dels)
+	ensureReaderClosed(resp)
+	return dels, err
+}
diff --git a/engine/client/image_remove_test.go b/engine/client/image_remove_test.go
new file mode 100644
index 00000000..acc6bc91
--- /dev/null
+++ b/engine/client/image_remove_test.go
@@ -0,0 +1,105 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestImageRemoveError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.ImageRemove(context.Background(), "image_id", types.ImageRemoveOptions{})
+	assert.Check(t, is.Error(err, "Error response from daemon: Server error"))
+}
+
+func TestImageRemoveImageNotFound(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "missing")),
+	}
+
+	_, err := client.ImageRemove(context.Background(), "unknown", types.ImageRemoveOptions{})
+	assert.Check(t, is.Error(err, "Error: No such image: unknown"))
+	assert.Check(t, IsErrNotFound(err))
+}
+
+func TestImageRemove(t *testing.T) {
+	expectedURL := "/images/image_id"
+	removeCases := []struct {
+		force               bool
+		pruneChildren       bool
+		expectedQueryParams map[string]string
+	}{
+		{
+			force:         false,
+			pruneChildren: false,
+			expectedQueryParams: map[string]string{
+				"force":   "",
+				"noprune": "1",
+			},
+		}, {
+			force:         true,
+			pruneChildren: true,
+			expectedQueryParams: map[string]string{
+				"force":   "1",
+				"noprune": "",
+			},
+		},
+	}
+	for _, removeCase := range removeCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				if req.Method != "DELETE" {
+					return nil, fmt.Errorf("expected DELETE method, got %s", req.Method)
+				}
+				query := req.URL.Query()
+				for key, expected := range removeCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				b, err := json.Marshal([]types.ImageDeleteResponseItem{
+					{
+						Untagged: "image_id1",
+					},
+					{
+						Deleted: "image_id",
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(b)),
+				}, nil
+			}),
+		}
+		imageDeletes, err := client.ImageRemove(context.Background(), "image_id", types.ImageRemoveOptions{
+			Force:         removeCase.force,
+			PruneChildren: removeCase.pruneChildren,
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(imageDeletes) != 2 {
+			t.Fatalf("expected 2 deleted images, got %v", imageDeletes)
+		}
+	}
+}
diff --git a/engine/client/image_save.go b/engine/client/image_save.go
new file mode 100644
index 00000000..d1314e4b
--- /dev/null
+++ b/engine/client/image_save.go
@@ -0,0 +1,21 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/url"
+)
+
+// ImageSave retrieves one or more images from the docker host as an io.ReadCloser.
+// It's up to the caller to store the images and close the stream.
+func (cli *Client) ImageSave(ctx context.Context, imageIDs []string) (io.ReadCloser, error) {
+	query := url.Values{
+		"names": imageIDs,
+	}
+
+	resp, err := cli.get(ctx, "/images/get", query, nil)
+	if err != nil {
+		return nil, err
+	}
+	return resp.body, nil
+}
diff --git a/engine/client/image_save_test.go b/engine/client/image_save_test.go
new file mode 100644
index 00000000..a40055e5
--- /dev/null
+++ b/engine/client/image_save_test.go
@@ -0,0 +1,56 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func TestImageSaveError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ImageSave(context.Background(), []string{"nothing"})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server error, got %v", err)
+	}
+}
+
+func TestImageSave(t *testing.T) {
+	expectedURL := "/images/get"
+	client := &Client{
+		client: newMockClient(func(r *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(r.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, r.URL)
+			}
+			query := r.URL.Query()
+			names := query["names"]
+			expectedNames := []string{"image_id1", "image_id2"}
+			if !reflect.DeepEqual(names, expectedNames) {
+				return nil, fmt.Errorf("names not set in URL query properly. Expected %v, got %v", names, expectedNames)
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("response"))),
+			}, nil
+		}),
+	}
+	saveResponse, err := client.ImageSave(context.Background(), []string{"image_id1", "image_id2"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	response, err := ioutil.ReadAll(saveResponse)
+	if err != nil {
+		t.Fatal(err)
+	}
+	saveResponse.Close()
+	if string(response) != "response" {
+		t.Fatalf("expected response to contain 'response', got %s", string(response))
+	}
+}
diff --git a/engine/client/image_search.go b/engine/client/image_search.go
new file mode 100644
index 00000000..176de3c5
--- /dev/null
+++ b/engine/client/image_search.go
@@ -0,0 +1,51 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/registry"
+)
+
+// ImageSearch makes the docker host to search by a term in a remote registry.
+// The list of results is not sorted in any fashion.
+func (cli *Client) ImageSearch(ctx context.Context, term string, options types.ImageSearchOptions) ([]registry.SearchResult, error) {
+	var results []registry.SearchResult
+	query := url.Values{}
+	query.Set("term", term)
+	query.Set("limit", fmt.Sprintf("%d", options.Limit))
+
+	if options.Filters.Len() > 0 {
+		filterJSON, err := filters.ToJSON(options.Filters)
+		if err != nil {
+			return results, err
+		}
+		query.Set("filters", filterJSON)
+	}
+
+	resp, err := cli.tryImageSearch(ctx, query, options.RegistryAuth)
+	if resp.statusCode == http.StatusUnauthorized && options.PrivilegeFunc != nil {
+		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		if privilegeErr != nil {
+			return results, privilegeErr
+		}
+		resp, err = cli.tryImageSearch(ctx, query, newAuthHeader)
+	}
+	if err != nil {
+		return results, err
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&results)
+	ensureReaderClosed(resp)
+	return results, err
+}
+
+func (cli *Client) tryImageSearch(ctx context.Context, query url.Values, registryAuth string) (serverResponse, error) {
+	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}
+	return cli.get(ctx, "/images/search", query, headers)
+}
diff --git a/engine/client/image_search_test.go b/engine/client/image_search_test.go
new file mode 100644
index 00000000..1456cd60
--- /dev/null
+++ b/engine/client/image_search_test.go
@@ -0,0 +1,164 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/registry"
+)
+
+func TestImageSearchAnyError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ImageSearch(context.Background(), "some-image", types.ImageSearchOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestImageSearchStatusUnauthorizedError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
+	}
+	_, err := client.ImageSearch(context.Background(), "some-image", types.ImageSearchOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Unauthorized error" {
+		t.Fatalf("expected an Unauthorized Error, got %v", err)
+	}
+}
+
+func TestImageSearchWithUnauthorizedErrorAndPrivilegeFuncError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
+	}
+	privilegeFunc := func() (string, error) {
+		return "", fmt.Errorf("Error requesting privilege")
+	}
+	_, err := client.ImageSearch(context.Background(), "some-image", types.ImageSearchOptions{
+		PrivilegeFunc: privilegeFunc,
+	})
+	if err == nil || err.Error() != "Error requesting privilege" {
+		t.Fatalf("expected an error requesting privilege, got %v", err)
+	}
+}
+
+func TestImageSearchWithUnauthorizedErrorAndAnotherUnauthorizedError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
+	}
+	privilegeFunc := func() (string, error) {
+		return "a-auth-header", nil
+	}
+	_, err := client.ImageSearch(context.Background(), "some-image", types.ImageSearchOptions{
+		PrivilegeFunc: privilegeFunc,
+	})
+	if err == nil || err.Error() != "Error response from daemon: Unauthorized error" {
+		t.Fatalf("expected an Unauthorized Error, got %v", err)
+	}
+}
+
+func TestImageSearchWithPrivilegedFuncNoError(t *testing.T) {
+	expectedURL := "/images/search"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			auth := req.Header.Get("X-Registry-Auth")
+			if auth == "NotValid" {
+				return &http.Response{
+					StatusCode: http.StatusUnauthorized,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte("Invalid credentials"))),
+				}, nil
+			}
+			if auth != "IAmValid" {
+				return nil, fmt.Errorf("Invalid auth header : expected 'IAmValid', got %s", auth)
+			}
+			query := req.URL.Query()
+			term := query.Get("term")
+			if term != "some-image" {
+				return nil, fmt.Errorf("term not set in URL query properly. Expected 'some-image', got %s", term)
+			}
+			content, err := json.Marshal([]registry.SearchResult{
+				{
+					Name: "anything",
+				},
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+	privilegeFunc := func() (string, error) {
+		return "IAmValid", nil
+	}
+	results, err := client.ImageSearch(context.Background(), "some-image", types.ImageSearchOptions{
+		RegistryAuth:  "NotValid",
+		PrivilegeFunc: privilegeFunc,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(results) != 1 {
+		t.Fatalf("expected 1 result, got %v", results)
+	}
+}
+
+func TestImageSearchWithoutErrors(t *testing.T) {
+	expectedURL := "/images/search"
+	filterArgs := filters.NewArgs()
+	filterArgs.Add("is-automated", "true")
+	filterArgs.Add("stars", "3")
+
+	expectedFilters := `{"is-automated":{"true":true},"stars":{"3":true}}`
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			query := req.URL.Query()
+			term := query.Get("term")
+			if term != "some-image" {
+				return nil, fmt.Errorf("term not set in URL query properly. Expected 'some-image', got %s", term)
+			}
+			filters := query.Get("filters")
+			if filters != expectedFilters {
+				return nil, fmt.Errorf("filters not set in URL query properly. Expected '%s', got %s", expectedFilters, filters)
+			}
+			content, err := json.Marshal([]registry.SearchResult{
+				{
+					Name: "anything",
+				},
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+	results, err := client.ImageSearch(context.Background(), "some-image", types.ImageSearchOptions{
+		Filters: filterArgs,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(results) != 1 {
+		t.Fatalf("expected a result, got %v", results)
+	}
+}
diff --git a/engine/client/image_tag.go b/engine/client/image_tag.go
new file mode 100644
index 00000000..5652bfc2
--- /dev/null
+++ b/engine/client/image_tag.go
@@ -0,0 +1,37 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/docker/distribution/reference"
+	"github.com/pkg/errors"
+)
+
+// ImageTag tags an image in the docker host
+func (cli *Client) ImageTag(ctx context.Context, source, target string) error {
+	if _, err := reference.ParseAnyReference(source); err != nil {
+		return errors.Wrapf(err, "Error parsing reference: %q is not a valid repository/tag", source)
+	}
+
+	ref, err := reference.ParseNormalizedNamed(target)
+	if err != nil {
+		return errors.Wrapf(err, "Error parsing reference: %q is not a valid repository/tag", target)
+	}
+
+	if _, isCanonical := ref.(reference.Canonical); isCanonical {
+		return errors.New("refusing to create a tag with a digest reference")
+	}
+
+	ref = reference.TagNameOnly(ref)
+
+	query := url.Values{}
+	query.Set("repo", reference.FamiliarName(ref))
+	if tagged, ok := ref.(reference.Tagged); ok {
+		query.Set("tag", tagged.Tag())
+	}
+
+	resp, err := cli.post(ctx, "/images/"+source+"/tag", query, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/image_tag_test.go b/engine/client/image_tag_test.go
new file mode 100644
index 00000000..2923bb99
--- /dev/null
+++ b/engine/client/image_tag_test.go
@@ -0,0 +1,142 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestImageTagError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.ImageTag(context.Background(), "image_id", "repo:tag")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+// Note: this is not testing all the InvalidReference as it's the responsibility
+// of distribution/reference package.
+func TestImageTagInvalidReference(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.ImageTag(context.Background(), "image_id", "aa/asdf$$^/aa")
+	if err == nil || err.Error() != `Error parsing reference: "aa/asdf$$^/aa" is not a valid repository/tag: invalid reference format` {
+		t.Fatalf("expected ErrReferenceInvalidFormat, got %v", err)
+	}
+}
+
+func TestImageTagInvalidSourceImageName(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.ImageTag(context.Background(), "invalid_source_image_name_", "repo:tag")
+	if err == nil || err.Error() != "Error parsing reference: \"invalid_source_image_name_\" is not a valid repository/tag: invalid reference format" {
+		t.Fatalf("expected Parsing Reference Error, got %v", err)
+	}
+}
+
+func TestImageTagHexSource(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusOK, "OK")),
+	}
+
+	err := client.ImageTag(context.Background(), "0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d", "repo:tag")
+	if err != nil {
+		t.Fatalf("got error: %v", err)
+	}
+}
+
+func TestImageTag(t *testing.T) {
+	expectedURL := "/images/image_id/tag"
+	tagCases := []struct {
+		reference           string
+		expectedQueryParams map[string]string
+	}{
+		{
+			reference: "repository:tag1",
+			expectedQueryParams: map[string]string{
+				"repo": "repository",
+				"tag":  "tag1",
+			},
+		}, {
+			reference: "another_repository:latest",
+			expectedQueryParams: map[string]string{
+				"repo": "another_repository",
+				"tag":  "latest",
+			},
+		}, {
+			reference: "another_repository",
+			expectedQueryParams: map[string]string{
+				"repo": "another_repository",
+				"tag":  "latest",
+			},
+		}, {
+			reference: "test/another_repository",
+			expectedQueryParams: map[string]string{
+				"repo": "test/another_repository",
+				"tag":  "latest",
+			},
+		}, {
+			reference: "test/another_repository:tag1",
+			expectedQueryParams: map[string]string{
+				"repo": "test/another_repository",
+				"tag":  "tag1",
+			},
+		}, {
+			reference: "test/test/another_repository:tag1",
+			expectedQueryParams: map[string]string{
+				"repo": "test/test/another_repository",
+				"tag":  "tag1",
+			},
+		}, {
+			reference: "test:5000/test/another_repository:tag1",
+			expectedQueryParams: map[string]string{
+				"repo": "test:5000/test/another_repository",
+				"tag":  "tag1",
+			},
+		}, {
+			reference: "test:5000/test/another_repository",
+			expectedQueryParams: map[string]string{
+				"repo": "test:5000/test/another_repository",
+				"tag":  "latest",
+			},
+		},
+	}
+	for _, tagCase := range tagCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				if req.Method != "POST" {
+					return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+				}
+				query := req.URL.Query()
+				for key, expected := range tagCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+				}, nil
+			}),
+		}
+		err := client.ImageTag(context.Background(), "image_id", tagCase.reference)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+}
diff --git a/engine/client/info.go b/engine/client/info.go
new file mode 100644
index 00000000..121f256a
--- /dev/null
+++ b/engine/client/info.go
@@ -0,0 +1,26 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// Info returns information about the docker server.
+func (cli *Client) Info(ctx context.Context) (types.Info, error) {
+	var info types.Info
+	serverResp, err := cli.get(ctx, "/info", url.Values{}, nil)
+	if err != nil {
+		return info, err
+	}
+	defer ensureReaderClosed(serverResp)
+
+	if err := json.NewDecoder(serverResp.body).Decode(&info); err != nil {
+		return info, fmt.Errorf("Error reading remote info: %v", err)
+	}
+
+	return info, nil
+}
diff --git a/engine/client/info_test.go b/engine/client/info_test.go
new file mode 100644
index 00000000..866d8e88
--- /dev/null
+++ b/engine/client/info_test.go
@@ -0,0 +1,76 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestInfoServerError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.Info(context.Background())
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestInfoInvalidResponseJSONError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("invalid json"))),
+			}, nil
+		}),
+	}
+	_, err := client.Info(context.Background())
+	if err == nil || !strings.Contains(err.Error(), "invalid character") {
+		t.Fatalf("expected a 'invalid character' error, got %v", err)
+	}
+}
+
+func TestInfo(t *testing.T) {
+	expectedURL := "/info"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			info := &types.Info{
+				ID:         "daemonID",
+				Containers: 3,
+			}
+			b, err := json.Marshal(info)
+			if err != nil {
+				return nil, err
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	info, err := client.Info(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if info.ID != "daemonID" {
+		t.Fatalf("expected daemonID, got %s", info.ID)
+	}
+
+	if info.Containers != 3 {
+		t.Fatalf("expected 3 containers, got %d", info.Containers)
+	}
+}
diff --git a/engine/client/interface.go b/engine/client/interface.go
new file mode 100644
index 00000000..9250c468
--- /dev/null
+++ b/engine/client/interface.go
@@ -0,0 +1,198 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/image"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/api/types/swarm"
+	volumetypes "github.com/docker/docker/api/types/volume"
+)
+
+// CommonAPIClient is the common methods between stable and experimental versions of APIClient.
+type CommonAPIClient interface {
+	ConfigAPIClient
+	ContainerAPIClient
+	DistributionAPIClient
+	ImageAPIClient
+	NodeAPIClient
+	NetworkAPIClient
+	PluginAPIClient
+	ServiceAPIClient
+	SwarmAPIClient
+	SecretAPIClient
+	SystemAPIClient
+	VolumeAPIClient
+	ClientVersion() string
+	DaemonHost() string
+	HTTPClient() *http.Client
+	ServerVersion(ctx context.Context) (types.Version, error)
+	NegotiateAPIVersion(ctx context.Context)
+	NegotiateAPIVersionPing(types.Ping)
+	DialSession(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error)
+	Close() error
+}
+
+// ContainerAPIClient defines API client methods for the containers
+type ContainerAPIClient interface {
+	ContainerAttach(ctx context.Context, container string, options types.ContainerAttachOptions) (types.HijackedResponse, error)
+	ContainerCommit(ctx context.Context, container string, options types.ContainerCommitOptions) (types.IDResponse, error)
+	ContainerCreate(ctx context.Context, config *containertypes.Config, hostConfig *containertypes.HostConfig, networkingConfig *networktypes.NetworkingConfig, containerName string) (containertypes.ContainerCreateCreatedBody, error)
+	ContainerDiff(ctx context.Context, container string) ([]containertypes.ContainerChangeResponseItem, error)
+	ContainerExecAttach(ctx context.Context, execID string, config types.ExecStartCheck) (types.HijackedResponse, error)
+	ContainerExecCreate(ctx context.Context, container string, config types.ExecConfig) (types.IDResponse, error)
+	ContainerExecInspect(ctx context.Context, execID string) (types.ContainerExecInspect, error)
+	ContainerExecResize(ctx context.Context, execID string, options types.ResizeOptions) error
+	ContainerExecStart(ctx context.Context, execID string, config types.ExecStartCheck) error
+	ContainerExport(ctx context.Context, container string) (io.ReadCloser, error)
+	ContainerInspect(ctx context.Context, container string) (types.ContainerJSON, error)
+	ContainerInspectWithRaw(ctx context.Context, container string, getSize bool) (types.ContainerJSON, []byte, error)
+	ContainerKill(ctx context.Context, container, signal string) error
+	ContainerList(ctx context.Context, options types.ContainerListOptions) ([]types.Container, error)
+	ContainerLogs(ctx context.Context, container string, options types.ContainerLogsOptions) (io.ReadCloser, error)
+	ContainerPause(ctx context.Context, container string) error
+	ContainerRemove(ctx context.Context, container string, options types.ContainerRemoveOptions) error
+	ContainerRename(ctx context.Context, container, newContainerName string) error
+	ContainerResize(ctx context.Context, container string, options types.ResizeOptions) error
+	ContainerRestart(ctx context.Context, container string, timeout *time.Duration) error
+	ContainerStatPath(ctx context.Context, container, path string) (types.ContainerPathStat, error)
+	ContainerStats(ctx context.Context, container string, stream bool) (types.ContainerStats, error)
+	ContainerStart(ctx context.Context, container string, options types.ContainerStartOptions) error
+	ContainerStop(ctx context.Context, container string, timeout *time.Duration) error
+	ContainerTop(ctx context.Context, container string, arguments []string) (containertypes.ContainerTopOKBody, error)
+	ContainerUnpause(ctx context.Context, container string) error
+	ContainerUpdate(ctx context.Context, container string, updateConfig containertypes.UpdateConfig) (containertypes.ContainerUpdateOKBody, error)
+	ContainerWait(ctx context.Context, container string, condition containertypes.WaitCondition) (<-chan containertypes.ContainerWaitOKBody, <-chan error)
+	CopyFromContainer(ctx context.Context, container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
+	CopyToContainer(ctx context.Context, container, path string, content io.Reader, options types.CopyToContainerOptions) error
+	ContainersPrune(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error)
+}
+
+// DistributionAPIClient defines API client methods for the registry
+type DistributionAPIClient interface {
+	DistributionInspect(ctx context.Context, image, encodedRegistryAuth string) (registry.DistributionInspect, error)
+}
+
+// ImageAPIClient defines API client methods for the images
+type ImageAPIClient interface {
+	ImageBuild(ctx context.Context, context io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error)
+	BuildCachePrune(ctx context.Context) (*types.BuildCachePruneReport, error)
+	BuildCancel(ctx context.Context, id string) error
+	ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
+	ImageHistory(ctx context.Context, image string) ([]image.HistoryResponseItem, error)
+	ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error)
+	ImageInspectWithRaw(ctx context.Context, image string) (types.ImageInspect, []byte, error)
+	ImageList(ctx context.Context, options types.ImageListOptions) ([]types.ImageSummary, error)
+	ImageLoad(ctx context.Context, input io.Reader, quiet bool) (types.ImageLoadResponse, error)
+	ImagePull(ctx context.Context, ref string, options types.ImagePullOptions) (io.ReadCloser, error)
+	ImagePush(ctx context.Context, ref string, options types.ImagePushOptions) (io.ReadCloser, error)
+	ImageRemove(ctx context.Context, image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error)
+	ImageSearch(ctx context.Context, term string, options types.ImageSearchOptions) ([]registry.SearchResult, error)
+	ImageSave(ctx context.Context, images []string) (io.ReadCloser, error)
+	ImageTag(ctx context.Context, image, ref string) error
+	ImagesPrune(ctx context.Context, pruneFilter filters.Args) (types.ImagesPruneReport, error)
+}
+
+// NetworkAPIClient defines API client methods for the networks
+type NetworkAPIClient interface {
+	NetworkConnect(ctx context.Context, network, container string, config *networktypes.EndpointSettings) error
+	NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error)
+	NetworkDisconnect(ctx context.Context, network, container string, force bool) error
+	NetworkInspect(ctx context.Context, network string, options types.NetworkInspectOptions) (types.NetworkResource, error)
+	NetworkInspectWithRaw(ctx context.Context, network string, options types.NetworkInspectOptions) (types.NetworkResource, []byte, error)
+	NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error)
+	NetworkRemove(ctx context.Context, network string) error
+	NetworksPrune(ctx context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error)
+}
+
+// NodeAPIClient defines API client methods for the nodes
+type NodeAPIClient interface {
+	NodeInspectWithRaw(ctx context.Context, nodeID string) (swarm.Node, []byte, error)
+	NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error)
+	NodeRemove(ctx context.Context, nodeID string, options types.NodeRemoveOptions) error
+	NodeUpdate(ctx context.Context, nodeID string, version swarm.Version, node swarm.NodeSpec) error
+}
+
+// PluginAPIClient defines API client methods for the plugins
+type PluginAPIClient interface {
+	PluginList(ctx context.Context, filter filters.Args) (types.PluginsListResponse, error)
+	PluginRemove(ctx context.Context, name string, options types.PluginRemoveOptions) error
+	PluginEnable(ctx context.Context, name string, options types.PluginEnableOptions) error
+	PluginDisable(ctx context.Context, name string, options types.PluginDisableOptions) error
+	PluginInstall(ctx context.Context, name string, options types.PluginInstallOptions) (io.ReadCloser, error)
+	PluginUpgrade(ctx context.Context, name string, options types.PluginInstallOptions) (io.ReadCloser, error)
+	PluginPush(ctx context.Context, name string, registryAuth string) (io.ReadCloser, error)
+	PluginSet(ctx context.Context, name string, args []string) error
+	PluginInspectWithRaw(ctx context.Context, name string) (*types.Plugin, []byte, error)
+	PluginCreate(ctx context.Context, createContext io.Reader, options types.PluginCreateOptions) error
+}
+
+// ServiceAPIClient defines API client methods for the services
+type ServiceAPIClient interface {
+	ServiceCreate(ctx context.Context, service swarm.ServiceSpec, options types.ServiceCreateOptions) (types.ServiceCreateResponse, error)
+	ServiceInspectWithRaw(ctx context.Context, serviceID string, options types.ServiceInspectOptions) (swarm.Service, []byte, error)
+	ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error)
+	ServiceRemove(ctx context.Context, serviceID string) error
+	ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error)
+	ServiceLogs(ctx context.Context, serviceID string, options types.ContainerLogsOptions) (io.ReadCloser, error)
+	TaskLogs(ctx context.Context, taskID string, options types.ContainerLogsOptions) (io.ReadCloser, error)
+	TaskInspectWithRaw(ctx context.Context, taskID string) (swarm.Task, []byte, error)
+	TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error)
+}
+
+// SwarmAPIClient defines API client methods for the swarm
+type SwarmAPIClient interface {
+	SwarmInit(ctx context.Context, req swarm.InitRequest) (string, error)
+	SwarmJoin(ctx context.Context, req swarm.JoinRequest) error
+	SwarmGetUnlockKey(ctx context.Context) (types.SwarmUnlockKeyResponse, error)
+	SwarmUnlock(ctx context.Context, req swarm.UnlockRequest) error
+	SwarmLeave(ctx context.Context, force bool) error
+	SwarmInspect(ctx context.Context) (swarm.Swarm, error)
+	SwarmUpdate(ctx context.Context, version swarm.Version, swarm swarm.Spec, flags swarm.UpdateFlags) error
+}
+
+// SystemAPIClient defines API client methods for the system
+type SystemAPIClient interface {
+	Events(ctx context.Context, options types.EventsOptions) (<-chan events.Message, <-chan error)
+	Info(ctx context.Context) (types.Info, error)
+	RegistryLogin(ctx context.Context, auth types.AuthConfig) (registry.AuthenticateOKBody, error)
+	DiskUsage(ctx context.Context) (types.DiskUsage, error)
+	Ping(ctx context.Context) (types.Ping, error)
+}
+
+// VolumeAPIClient defines API client methods for the volumes
+type VolumeAPIClient interface {
+	VolumeCreate(ctx context.Context, options volumetypes.VolumeCreateBody) (types.Volume, error)
+	VolumeInspect(ctx context.Context, volumeID string) (types.Volume, error)
+	VolumeInspectWithRaw(ctx context.Context, volumeID string) (types.Volume, []byte, error)
+	VolumeList(ctx context.Context, filter filters.Args) (volumetypes.VolumeListOKBody, error)
+	VolumeRemove(ctx context.Context, volumeID string, force bool) error
+	VolumesPrune(ctx context.Context, pruneFilter filters.Args) (types.VolumesPruneReport, error)
+}
+
+// SecretAPIClient defines API client methods for secrets
+type SecretAPIClient interface {
+	SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error)
+	SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error)
+	SecretRemove(ctx context.Context, id string) error
+	SecretInspectWithRaw(ctx context.Context, name string) (swarm.Secret, []byte, error)
+	SecretUpdate(ctx context.Context, id string, version swarm.Version, secret swarm.SecretSpec) error
+}
+
+// ConfigAPIClient defines API client methods for configs
+type ConfigAPIClient interface {
+	ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error)
+	ConfigCreate(ctx context.Context, config swarm.ConfigSpec) (types.ConfigCreateResponse, error)
+	ConfigRemove(ctx context.Context, id string) error
+	ConfigInspectWithRaw(ctx context.Context, name string) (swarm.Config, []byte, error)
+	ConfigUpdate(ctx context.Context, id string, version swarm.Version, config swarm.ConfigSpec) error
+}
diff --git a/engine/client/interface_experimental.go b/engine/client/interface_experimental.go
new file mode 100644
index 00000000..402ffb51
--- /dev/null
+++ b/engine/client/interface_experimental.go
@@ -0,0 +1,18 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+)
+
+type apiClientExperimental interface {
+	CheckpointAPIClient
+}
+
+// CheckpointAPIClient defines API client methods for the checkpoints
+type CheckpointAPIClient interface {
+	CheckpointCreate(ctx context.Context, container string, options types.CheckpointCreateOptions) error
+	CheckpointDelete(ctx context.Context, container string, options types.CheckpointDeleteOptions) error
+	CheckpointList(ctx context.Context, container string, options types.CheckpointListOptions) ([]types.Checkpoint, error)
+}
diff --git a/engine/client/interface_stable.go b/engine/client/interface_stable.go
new file mode 100644
index 00000000..5502cd74
--- /dev/null
+++ b/engine/client/interface_stable.go
@@ -0,0 +1,10 @@
+package client // import "github.com/docker/docker/client"
+
+// APIClient is an interface that clients that talk with a docker server must implement.
+type APIClient interface {
+	CommonAPIClient
+	apiClientExperimental
+}
+
+// Ensure that Client always implements APIClient.
+var _ APIClient = &Client{}
diff --git a/engine/client/login.go b/engine/client/login.go
new file mode 100644
index 00000000..7d661819
--- /dev/null
+++ b/engine/client/login.go
@@ -0,0 +1,29 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/registry"
+)
+
+// RegistryLogin authenticates the docker server with a given docker registry.
+// It returns unauthorizedError when the authentication fails.
+func (cli *Client) RegistryLogin(ctx context.Context, auth types.AuthConfig) (registry.AuthenticateOKBody, error) {
+	resp, err := cli.post(ctx, "/auth", url.Values{}, auth, nil)
+
+	if resp.statusCode == http.StatusUnauthorized {
+		return registry.AuthenticateOKBody{}, unauthorizedError{err}
+	}
+	if err != nil {
+		return registry.AuthenticateOKBody{}, err
+	}
+
+	var response registry.AuthenticateOKBody
+	err = json.NewDecoder(resp.body).Decode(&response)
+	ensureReaderClosed(resp)
+	return response, err
+}
diff --git a/engine/client/network_connect.go b/engine/client/network_connect.go
new file mode 100644
index 00000000..57189461
--- /dev/null
+++ b/engine/client/network_connect.go
@@ -0,0 +1,19 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+)
+
+// NetworkConnect connects a container to an existent network in the docker host.
+func (cli *Client) NetworkConnect(ctx context.Context, networkID, containerID string, config *network.EndpointSettings) error {
+	nc := types.NetworkConnect{
+		Container:      containerID,
+		EndpointConfig: config,
+	}
+	resp, err := cli.post(ctx, "/networks/"+networkID+"/connect", nil, nc, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/network_connect_test.go b/engine/client/network_connect_test.go
new file mode 100644
index 00000000..07a3ba69
--- /dev/null
+++ b/engine/client/network_connect_test.go
@@ -0,0 +1,110 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+)
+
+func TestNetworkConnectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.NetworkConnect(context.Background(), "network_id", "container_id", nil)
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestNetworkConnectEmptyNilEndpointSettings(t *testing.T) {
+	expectedURL := "/networks/network_id/connect"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+
+			var connect types.NetworkConnect
+			if err := json.NewDecoder(req.Body).Decode(&connect); err != nil {
+				return nil, err
+			}
+
+			if connect.Container != "container_id" {
+				return nil, fmt.Errorf("expected 'container_id', got %s", connect.Container)
+			}
+
+			if connect.EndpointConfig != nil {
+				return nil, fmt.Errorf("expected connect.EndpointConfig to be nil, got %v", connect.EndpointConfig)
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.NetworkConnect(context.Background(), "network_id", "container_id", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestNetworkConnect(t *testing.T) {
+	expectedURL := "/networks/network_id/connect"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+
+			var connect types.NetworkConnect
+			if err := json.NewDecoder(req.Body).Decode(&connect); err != nil {
+				return nil, err
+			}
+
+			if connect.Container != "container_id" {
+				return nil, fmt.Errorf("expected 'container_id', got %s", connect.Container)
+			}
+
+			if connect.EndpointConfig == nil {
+				return nil, fmt.Errorf("expected connect.EndpointConfig to be not nil, got %v", connect.EndpointConfig)
+			}
+
+			if connect.EndpointConfig.NetworkID != "NetworkID" {
+				return nil, fmt.Errorf("expected 'NetworkID', got %s", connect.EndpointConfig.NetworkID)
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.NetworkConnect(context.Background(), "network_id", "container_id", &network.EndpointSettings{
+		NetworkID: "NetworkID",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/network_create.go b/engine/client/network_create.go
new file mode 100644
index 00000000..41da2ac6
--- /dev/null
+++ b/engine/client/network_create.go
@@ -0,0 +1,25 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/docker/docker/api/types"
+)
+
+// NetworkCreate creates a new network in the docker host.
+func (cli *Client) NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
+	networkCreateRequest := types.NetworkCreateRequest{
+		NetworkCreate: options,
+		Name:          name,
+	}
+	var response types.NetworkCreateResponse
+	serverResp, err := cli.post(ctx, "/networks/create", nil, networkCreateRequest, nil)
+	if err != nil {
+		return response, err
+	}
+
+	json.NewDecoder(serverResp.body).Decode(&response)
+	ensureReaderClosed(serverResp)
+	return response, err
+}
diff --git a/engine/client/network_create_test.go b/engine/client/network_create_test.go
new file mode 100644
index 00000000..894c98eb
--- /dev/null
+++ b/engine/client/network_create_test.go
@@ -0,0 +1,72 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestNetworkCreateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.NetworkCreate(context.Background(), "mynetwork", types.NetworkCreate{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestNetworkCreate(t *testing.T) {
+	expectedURL := "/networks/create"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+
+			content, err := json.Marshal(types.NetworkCreateResponse{
+				ID:      "network_id",
+				Warning: "warning",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	networkResponse, err := client.NetworkCreate(context.Background(), "mynetwork", types.NetworkCreate{
+		CheckDuplicate: true,
+		Driver:         "mydriver",
+		EnableIPv6:     true,
+		Internal:       true,
+		Options: map[string]string{
+			"opt-key": "opt-value",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if networkResponse.ID != "network_id" {
+		t.Fatalf("expected networkResponse.ID to be 'network_id', got %s", networkResponse.ID)
+	}
+	if networkResponse.Warning != "warning" {
+		t.Fatalf("expected networkResponse.Warning to be 'warning', got %s", networkResponse.Warning)
+	}
+}
diff --git a/engine/client/network_disconnect.go b/engine/client/network_disconnect.go
new file mode 100644
index 00000000..dd156766
--- /dev/null
+++ b/engine/client/network_disconnect.go
@@ -0,0 +1,15 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+)
+
+// NetworkDisconnect disconnects a container from an existent network in the docker host.
+func (cli *Client) NetworkDisconnect(ctx context.Context, networkID, containerID string, force bool) error {
+	nd := types.NetworkDisconnect{Container: containerID, Force: force}
+	resp, err := cli.post(ctx, "/networks/"+networkID+"/disconnect", nil, nd, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/network_disconnect_test.go b/engine/client/network_disconnect_test.go
new file mode 100644
index 00000000..b27b955e
--- /dev/null
+++ b/engine/client/network_disconnect_test.go
@@ -0,0 +1,64 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestNetworkDisconnectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.NetworkDisconnect(context.Background(), "network_id", "container_id", false)
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestNetworkDisconnect(t *testing.T) {
+	expectedURL := "/networks/network_id/disconnect"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+
+			var disconnect types.NetworkDisconnect
+			if err := json.NewDecoder(req.Body).Decode(&disconnect); err != nil {
+				return nil, err
+			}
+
+			if disconnect.Container != "container_id" {
+				return nil, fmt.Errorf("expected 'container_id', got %s", disconnect.Container)
+			}
+
+			if !disconnect.Force {
+				return nil, fmt.Errorf("expected Force to be true, got %v", disconnect.Force)
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.NetworkDisconnect(context.Background(), "network_id", "container_id", true)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/network_inspect.go b/engine/client/network_inspect.go
new file mode 100644
index 00000000..025f6d87
--- /dev/null
+++ b/engine/client/network_inspect.go
@@ -0,0 +1,49 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io/ioutil"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// NetworkInspect returns the information for a specific network configured in the docker host.
+func (cli *Client) NetworkInspect(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, error) {
+	networkResource, _, err := cli.NetworkInspectWithRaw(ctx, networkID, options)
+	return networkResource, err
+}
+
+// NetworkInspectWithRaw returns the information for a specific network configured in the docker host and its raw representation.
+func (cli *Client) NetworkInspectWithRaw(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
+	if networkID == "" {
+		return types.NetworkResource{}, nil, objectNotFoundError{object: "network", id: networkID}
+	}
+	var (
+		networkResource types.NetworkResource
+		resp            serverResponse
+		err             error
+	)
+	query := url.Values{}
+	if options.Verbose {
+		query.Set("verbose", "true")
+	}
+	if options.Scope != "" {
+		query.Set("scope", options.Scope)
+	}
+	resp, err = cli.get(ctx, "/networks/"+networkID, query, nil)
+	if err != nil {
+		return networkResource, nil, wrapResponseError(err, resp, "network", networkID)
+	}
+	defer ensureReaderClosed(resp)
+
+	body, err := ioutil.ReadAll(resp.body)
+	if err != nil {
+		return networkResource, nil, err
+	}
+	rdr := bytes.NewReader(body)
+	err = json.NewDecoder(rdr).Decode(&networkResource)
+	return networkResource, body, err
+}
diff --git a/engine/client/network_inspect_test.go b/engine/client/network_inspect_test.go
new file mode 100644
index 00000000..699bccba
--- /dev/null
+++ b/engine/client/network_inspect_test.go
@@ -0,0 +1,118 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNetworkInspectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.NetworkInspect(context.Background(), "nothing", types.NetworkInspectOptions{})
+	assert.Check(t, is.Error(err, "Error response from daemon: Server error"))
+}
+
+func TestNetworkInspectNotFoundError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "missing")),
+	}
+
+	_, err := client.NetworkInspect(context.Background(), "unknown", types.NetworkInspectOptions{})
+	assert.Check(t, is.Error(err, "Error: No such network: unknown"))
+	assert.Check(t, IsErrNotFound(err))
+}
+
+func TestNetworkInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, _, err := client.NetworkInspectWithRaw(context.Background(), "", types.NetworkInspectOptions{})
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
+
+func TestNetworkInspect(t *testing.T) {
+	expectedURL := "/networks/network_id"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "GET" {
+				return nil, fmt.Errorf("expected GET method, got %s", req.Method)
+			}
+
+			var (
+				content []byte
+				err     error
+			)
+			if strings.Contains(req.URL.RawQuery, "scope=global") {
+				return &http.Response{
+					StatusCode: http.StatusNotFound,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}
+
+			if strings.Contains(req.URL.RawQuery, "verbose=true") {
+				s := map[string]network.ServiceInfo{
+					"web": {},
+				}
+				content, err = json.Marshal(types.NetworkResource{
+					Name:     "mynetwork",
+					Services: s,
+				})
+			} else {
+				content, err = json.Marshal(types.NetworkResource{
+					Name: "mynetwork",
+				})
+			}
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	r, err := client.NetworkInspect(context.Background(), "network_id", types.NetworkInspectOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if r.Name != "mynetwork" {
+		t.Fatalf("expected `mynetwork`, got %s", r.Name)
+	}
+
+	r, err = client.NetworkInspect(context.Background(), "network_id", types.NetworkInspectOptions{Verbose: true})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if r.Name != "mynetwork" {
+		t.Fatalf("expected `mynetwork`, got %s", r.Name)
+	}
+	_, ok := r.Services["web"]
+	if !ok {
+		t.Fatalf("expected service `web` missing in the verbose output")
+	}
+
+	_, err = client.NetworkInspect(context.Background(), "network_id", types.NetworkInspectOptions{Scope: "global"})
+	assert.Check(t, is.Error(err, "Error: No such network: network_id"))
+}
diff --git a/engine/client/network_list.go b/engine/client/network_list.go
new file mode 100644
index 00000000..f16b2f56
--- /dev/null
+++ b/engine/client/network_list.go
@@ -0,0 +1,31 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// NetworkList returns the list of networks configured in the docker host.
+func (cli *Client) NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+	query := url.Values{}
+	if options.Filters.Len() > 0 {
+		filterJSON, err := filters.ToParamWithVersion(cli.version, options.Filters)
+		if err != nil {
+			return nil, err
+		}
+
+		query.Set("filters", filterJSON)
+	}
+	var networkResources []types.NetworkResource
+	resp, err := cli.get(ctx, "/networks", query, nil)
+	if err != nil {
+		return networkResources, err
+	}
+	err = json.NewDecoder(resp.body).Decode(&networkResources)
+	ensureReaderClosed(resp)
+	return networkResources, err
+}
diff --git a/engine/client/network_list_test.go b/engine/client/network_list_test.go
new file mode 100644
index 00000000..5263808c
--- /dev/null
+++ b/engine/client/network_list_test.go
@@ -0,0 +1,108 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+func TestNetworkListError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.NetworkList(context.Background(), types.NetworkListOptions{
+		Filters: filters.NewArgs(),
+	})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestNetworkList(t *testing.T) {
+	expectedURL := "/networks"
+
+	noDanglingFilters := filters.NewArgs()
+	noDanglingFilters.Add("dangling", "false")
+
+	danglingFilters := filters.NewArgs()
+	danglingFilters.Add("dangling", "true")
+
+	labelFilters := filters.NewArgs()
+	labelFilters.Add("label", "label1")
+	labelFilters.Add("label", "label2")
+
+	listCases := []struct {
+		options         types.NetworkListOptions
+		expectedFilters string
+	}{
+		{
+			options: types.NetworkListOptions{
+				Filters: filters.NewArgs(),
+			},
+			expectedFilters: "",
+		}, {
+			options: types.NetworkListOptions{
+				Filters: noDanglingFilters,
+			},
+			expectedFilters: `{"dangling":{"false":true}}`,
+		}, {
+			options: types.NetworkListOptions{
+				Filters: danglingFilters,
+			},
+			expectedFilters: `{"dangling":{"true":true}}`,
+		}, {
+			options: types.NetworkListOptions{
+				Filters: labelFilters,
+			},
+			expectedFilters: `{"label":{"label1":true,"label2":true}}`,
+		},
+	}
+
+	for _, listCase := range listCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				if req.Method != "GET" {
+					return nil, fmt.Errorf("expected GET method, got %s", req.Method)
+				}
+				query := req.URL.Query()
+				actualFilters := query.Get("filters")
+				if actualFilters != listCase.expectedFilters {
+					return nil, fmt.Errorf("filters not set in URL query properly. Expected '%s', got %s", listCase.expectedFilters, actualFilters)
+				}
+				content, err := json.Marshal([]types.NetworkResource{
+					{
+						Name:   "network",
+						Driver: "bridge",
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+		}
+
+		networkResources, err := client.NetworkList(context.Background(), listCase.options)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(networkResources) != 1 {
+			t.Fatalf("expected 1 network resource, got %v", networkResources)
+		}
+	}
+}
diff --git a/engine/client/network_prune.go b/engine/client/network_prune.go
new file mode 100644
index 00000000..6418b8b6
--- /dev/null
+++ b/engine/client/network_prune.go
@@ -0,0 +1,36 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// NetworksPrune requests the daemon to delete unused networks
+func (cli *Client) NetworksPrune(ctx context.Context, pruneFilters filters.Args) (types.NetworksPruneReport, error) {
+	var report types.NetworksPruneReport
+
+	if err := cli.NewVersionError("1.25", "network prune"); err != nil {
+		return report, err
+	}
+
+	query, err := getFiltersQuery(pruneFilters)
+	if err != nil {
+		return report, err
+	}
+
+	serverResp, err := cli.post(ctx, "/networks/prune", query, nil, nil)
+	if err != nil {
+		return report, err
+	}
+	defer ensureReaderClosed(serverResp)
+
+	if err := json.NewDecoder(serverResp.body).Decode(&report); err != nil {
+		return report, fmt.Errorf("Error retrieving network prune report: %v", err)
+	}
+
+	return report, nil
+}
diff --git a/engine/client/network_prune_test.go b/engine/client/network_prune_test.go
new file mode 100644
index 00000000..7a5d340e
--- /dev/null
+++ b/engine/client/network_prune_test.go
@@ -0,0 +1,113 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNetworksPruneError(t *testing.T) {
+	client := &Client{
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+		version: "1.25",
+	}
+
+	filters := filters.NewArgs()
+
+	_, err := client.NetworksPrune(context.Background(), filters)
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestNetworksPrune(t *testing.T) {
+	expectedURL := "/v1.25/networks/prune"
+
+	danglingFilters := filters.NewArgs()
+	danglingFilters.Add("dangling", "true")
+
+	noDanglingFilters := filters.NewArgs()
+	noDanglingFilters.Add("dangling", "false")
+
+	labelFilters := filters.NewArgs()
+	labelFilters.Add("dangling", "true")
+	labelFilters.Add("label", "label1=foo")
+	labelFilters.Add("label", "label2!=bar")
+
+	listCases := []struct {
+		filters             filters.Args
+		expectedQueryParams map[string]string
+	}{
+		{
+			filters: filters.Args{},
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": "",
+			},
+		},
+		{
+			filters: danglingFilters,
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": `{"dangling":{"true":true}}`,
+			},
+		},
+		{
+			filters: noDanglingFilters,
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": `{"dangling":{"false":true}}`,
+			},
+		},
+		{
+			filters: labelFilters,
+			expectedQueryParams: map[string]string{
+				"until":   "",
+				"filter":  "",
+				"filters": `{"dangling":{"true":true},"label":{"label1=foo":true,"label2!=bar":true}}`,
+			},
+		},
+	}
+	for _, listCase := range listCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				for key, expected := range listCase.expectedQueryParams {
+					actual := query.Get(key)
+					assert.Check(t, is.Equal(expected, actual))
+				}
+				content, err := json.Marshal(types.NetworksPruneReport{
+					NetworksDeleted: []string{"network_id1", "network_id2"},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+			version: "1.25",
+		}
+
+		report, err := client.NetworksPrune(context.Background(), listCase.filters)
+		assert.Check(t, err)
+		assert.Check(t, is.Len(report.NetworksDeleted, 2))
+	}
+}
diff --git a/engine/client/network_remove.go b/engine/client/network_remove.go
new file mode 100644
index 00000000..12741437
--- /dev/null
+++ b/engine/client/network_remove.go
@@ -0,0 +1,10 @@
+package client // import "github.com/docker/docker/client"
+
+import "context"
+
+// NetworkRemove removes an existent network from the docker host.
+func (cli *Client) NetworkRemove(ctx context.Context, networkID string) error {
+	resp, err := cli.delete(ctx, "/networks/"+networkID, nil, nil)
+	ensureReaderClosed(resp)
+	return wrapResponseError(err, resp, "network", networkID)
+}
diff --git a/engine/client/network_remove_test.go b/engine/client/network_remove_test.go
new file mode 100644
index 00000000..ac40af74
--- /dev/null
+++ b/engine/client/network_remove_test.go
@@ -0,0 +1,46 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestNetworkRemoveError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.NetworkRemove(context.Background(), "network_id")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestNetworkRemove(t *testing.T) {
+	expectedURL := "/networks/network_id"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "DELETE" {
+				return nil, fmt.Errorf("expected DELETE method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+			}, nil
+		}),
+	}
+
+	err := client.NetworkRemove(context.Background(), "network_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/node_inspect.go b/engine/client/node_inspect.go
new file mode 100644
index 00000000..593b2e9f
--- /dev/null
+++ b/engine/client/node_inspect.go
@@ -0,0 +1,32 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io/ioutil"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// NodeInspectWithRaw returns the node information.
+func (cli *Client) NodeInspectWithRaw(ctx context.Context, nodeID string) (swarm.Node, []byte, error) {
+	if nodeID == "" {
+		return swarm.Node{}, nil, objectNotFoundError{object: "node", id: nodeID}
+	}
+	serverResp, err := cli.get(ctx, "/nodes/"+nodeID, nil, nil)
+	if err != nil {
+		return swarm.Node{}, nil, wrapResponseError(err, serverResp, "node", nodeID)
+	}
+	defer ensureReaderClosed(serverResp)
+
+	body, err := ioutil.ReadAll(serverResp.body)
+	if err != nil {
+		return swarm.Node{}, nil, err
+	}
+
+	var response swarm.Node
+	rdr := bytes.NewReader(body)
+	err = json.NewDecoder(rdr).Decode(&response)
+	return response, body, err
+}
diff --git a/engine/client/node_inspect_test.go b/engine/client/node_inspect_test.go
new file mode 100644
index 00000000..d0fdace7
--- /dev/null
+++ b/engine/client/node_inspect_test.go
@@ -0,0 +1,78 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+)
+
+func TestNodeInspectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, _, err := client.NodeInspectWithRaw(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestNodeInspectNodeNotFound(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Server error")),
+	}
+
+	_, _, err := client.NodeInspectWithRaw(context.Background(), "unknown")
+	if err == nil || !IsErrNotFound(err) {
+		t.Fatalf("expected a nodeNotFoundError error, got %v", err)
+	}
+}
+
+func TestNodeInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, _, err := client.NodeInspectWithRaw(context.Background(), "")
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
+
+func TestNodeInspect(t *testing.T) {
+	expectedURL := "/nodes/node_id"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			content, err := json.Marshal(swarm.Node{
+				ID: "node_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	nodeInspect, _, err := client.NodeInspectWithRaw(context.Background(), "node_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if nodeInspect.ID != "node_id" {
+		t.Fatalf("expected `node_id`, got %s", nodeInspect.ID)
+	}
+}
diff --git a/engine/client/node_list.go b/engine/client/node_list.go
new file mode 100644
index 00000000..9883f6fc
--- /dev/null
+++ b/engine/client/node_list.go
@@ -0,0 +1,36 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// NodeList returns the list of nodes.
+func (cli *Client) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
+	query := url.Values{}
+
+	if options.Filters.Len() > 0 {
+		filterJSON, err := filters.ToJSON(options.Filters)
+
+		if err != nil {
+			return nil, err
+		}
+
+		query.Set("filters", filterJSON)
+	}
+
+	resp, err := cli.get(ctx, "/nodes", query, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var nodes []swarm.Node
+	err = json.NewDecoder(resp.body).Decode(&nodes)
+	ensureReaderClosed(resp)
+	return nodes, err
+}
diff --git a/engine/client/node_list_test.go b/engine/client/node_list_test.go
new file mode 100644
index 00000000..784a754a
--- /dev/null
+++ b/engine/client/node_list_test.go
@@ -0,0 +1,94 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+func TestNodeListError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.NodeList(context.Background(), types.NodeListOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestNodeList(t *testing.T) {
+	expectedURL := "/nodes"
+
+	filters := filters.NewArgs()
+	filters.Add("label", "label1")
+	filters.Add("label", "label2")
+
+	listCases := []struct {
+		options             types.NodeListOptions
+		expectedQueryParams map[string]string
+	}{
+		{
+			options: types.NodeListOptions{},
+			expectedQueryParams: map[string]string{
+				"filters": "",
+			},
+		},
+		{
+			options: types.NodeListOptions{
+				Filters: filters,
+			},
+			expectedQueryParams: map[string]string{
+				"filters": `{"label":{"label1":true,"label2":true}}`,
+			},
+		},
+	}
+	for _, listCase := range listCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				for key, expected := range listCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				content, err := json.Marshal([]swarm.Node{
+					{
+						ID: "node_id1",
+					},
+					{
+						ID: "node_id2",
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+		}
+
+		nodes, err := client.NodeList(context.Background(), listCase.options)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(nodes) != 2 {
+			t.Fatalf("expected 2 nodes, got %v", nodes)
+		}
+	}
+}
diff --git a/engine/client/node_remove.go b/engine/client/node_remove.go
new file mode 100644
index 00000000..e7a75057
--- /dev/null
+++ b/engine/client/node_remove.go
@@ -0,0 +1,20 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// NodeRemove removes a Node.
+func (cli *Client) NodeRemove(ctx context.Context, nodeID string, options types.NodeRemoveOptions) error {
+	query := url.Values{}
+	if options.Force {
+		query.Set("force", "1")
+	}
+
+	resp, err := cli.delete(ctx, "/nodes/"+nodeID, query, nil)
+	ensureReaderClosed(resp)
+	return wrapResponseError(err, resp, "node", nodeID)
+}
diff --git a/engine/client/node_remove_test.go b/engine/client/node_remove_test.go
new file mode 100644
index 00000000..85f828b8
--- /dev/null
+++ b/engine/client/node_remove_test.go
@@ -0,0 +1,68 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestNodeRemoveError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.NodeRemove(context.Background(), "node_id", types.NodeRemoveOptions{Force: false})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestNodeRemove(t *testing.T) {
+	expectedURL := "/nodes/node_id"
+
+	removeCases := []struct {
+		force         bool
+		expectedForce string
+	}{
+		{
+			expectedForce: "",
+		},
+		{
+			force:         true,
+			expectedForce: "1",
+		},
+	}
+
+	for _, removeCase := range removeCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				if req.Method != "DELETE" {
+					return nil, fmt.Errorf("expected DELETE method, got %s", req.Method)
+				}
+				force := req.URL.Query().Get("force")
+				if force != removeCase.expectedForce {
+					return nil, fmt.Errorf("force not set in URL query properly. expected '%s', got %s", removeCase.expectedForce, force)
+				}
+
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+				}, nil
+			}),
+		}
+
+		err := client.NodeRemove(context.Background(), "node_id", types.NodeRemoveOptions{Force: removeCase.force})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+}
diff --git a/engine/client/node_update.go b/engine/client/node_update.go
new file mode 100644
index 00000000..de32a617
--- /dev/null
+++ b/engine/client/node_update.go
@@ -0,0 +1,18 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+	"strconv"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// NodeUpdate updates a Node.
+func (cli *Client) NodeUpdate(ctx context.Context, nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+	query := url.Values{}
+	query.Set("version", strconv.FormatUint(version.Index, 10))
+	resp, err := cli.post(ctx, "/nodes/"+nodeID+"/update", query, node, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/node_update_test.go b/engine/client/node_update_test.go
new file mode 100644
index 00000000..d89e1ed8
--- /dev/null
+++ b/engine/client/node_update_test.go
@@ -0,0 +1,48 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+func TestNodeUpdateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.NodeUpdate(context.Background(), "node_id", swarm.Version{}, swarm.NodeSpec{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestNodeUpdate(t *testing.T) {
+	expectedURL := "/nodes/node_id/update"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+			}, nil
+		}),
+	}
+
+	err := client.NodeUpdate(context.Background(), "node_id", swarm.Version{}, swarm.NodeSpec{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/ping.go b/engine/client/ping.go
new file mode 100644
index 00000000..85d38adb
--- /dev/null
+++ b/engine/client/ping.go
@@ -0,0 +1,32 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"path"
+
+	"github.com/docker/docker/api/types"
+)
+
+// Ping pings the server and returns the value of the "Docker-Experimental", "OS-Type" & "API-Version" headers
+func (cli *Client) Ping(ctx context.Context) (types.Ping, error) {
+	var ping types.Ping
+	req, err := cli.buildRequest("GET", path.Join(cli.basePath, "/_ping"), nil, nil)
+	if err != nil {
+		return ping, err
+	}
+	serverResp, err := cli.doRequest(ctx, req)
+	if err != nil {
+		return ping, err
+	}
+	defer ensureReaderClosed(serverResp)
+
+	if serverResp.header != nil {
+		ping.APIVersion = serverResp.header.Get("API-Version")
+
+		if serverResp.header.Get("Docker-Experimental") == "true" {
+			ping.Experimental = true
+		}
+		ping.OSType = serverResp.header.Get("OSType")
+	}
+	return ping, cli.checkResponseErr(serverResp)
+}
diff --git a/engine/client/ping_test.go b/engine/client/ping_test.go
new file mode 100644
index 00000000..10bbbe81
--- /dev/null
+++ b/engine/client/ping_test.go
@@ -0,0 +1,83 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"errors"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+// TestPingFail tests that when a server sends a non-successful response that we
+// can still grab API details, when set.
+// Some of this is just exercising the code paths to make sure there are no
+// panics.
+func TestPingFail(t *testing.T) {
+	var withHeader bool
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			resp := &http.Response{StatusCode: http.StatusInternalServerError}
+			if withHeader {
+				resp.Header = http.Header{}
+				resp.Header.Set("API-Version", "awesome")
+				resp.Header.Set("Docker-Experimental", "true")
+			}
+			resp.Body = ioutil.NopCloser(strings.NewReader("some error with the server"))
+			return resp, nil
+		}),
+	}
+
+	ping, err := client.Ping(context.Background())
+	assert.Check(t, is.ErrorContains(err, ""))
+	assert.Check(t, is.Equal(false, ping.Experimental))
+	assert.Check(t, is.Equal("", ping.APIVersion))
+
+	withHeader = true
+	ping2, err := client.Ping(context.Background())
+	assert.Check(t, is.ErrorContains(err, ""))
+	assert.Check(t, is.Equal(true, ping2.Experimental))
+	assert.Check(t, is.Equal("awesome", ping2.APIVersion))
+}
+
+// TestPingWithError tests the case where there is a protocol error in the ping.
+// This test is mostly just testing that there are no panics in this code path.
+func TestPingWithError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			resp := &http.Response{StatusCode: http.StatusInternalServerError}
+			resp.Header = http.Header{}
+			resp.Header.Set("API-Version", "awesome")
+			resp.Header.Set("Docker-Experimental", "true")
+			resp.Body = ioutil.NopCloser(strings.NewReader("some error with the server"))
+			return resp, errors.New("some error")
+		}),
+	}
+
+	ping, err := client.Ping(context.Background())
+	assert.Check(t, is.ErrorContains(err, ""))
+	assert.Check(t, is.Equal(false, ping.Experimental))
+	assert.Check(t, is.Equal("", ping.APIVersion))
+}
+
+// TestPingSuccess tests that we are able to get the expected API headers/ping
+// details on success.
+func TestPingSuccess(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			resp := &http.Response{StatusCode: http.StatusInternalServerError}
+			resp.Header = http.Header{}
+			resp.Header.Set("API-Version", "awesome")
+			resp.Header.Set("Docker-Experimental", "true")
+			resp.Body = ioutil.NopCloser(strings.NewReader("some error with the server"))
+			return resp, nil
+		}),
+	}
+	ping, err := client.Ping(context.Background())
+	assert.Check(t, is.ErrorContains(err, ""))
+	assert.Check(t, is.Equal(true, ping.Experimental))
+	assert.Check(t, is.Equal("awesome", ping.APIVersion))
+}
diff --git a/engine/client/plugin_create.go b/engine/client/plugin_create.go
new file mode 100644
index 00000000..4591db50
--- /dev/null
+++ b/engine/client/plugin_create.go
@@ -0,0 +1,26 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// PluginCreate creates a plugin
+func (cli *Client) PluginCreate(ctx context.Context, createContext io.Reader, createOptions types.PluginCreateOptions) error {
+	headers := http.Header(make(map[string][]string))
+	headers.Set("Content-Type", "application/x-tar")
+
+	query := url.Values{}
+	query.Set("name", createOptions.RepoName)
+
+	resp, err := cli.postRaw(ctx, "/plugins/create", query, createContext, headers)
+	if err != nil {
+		return err
+	}
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/plugin_disable.go b/engine/client/plugin_disable.go
new file mode 100644
index 00000000..01f6574f
--- /dev/null
+++ b/engine/client/plugin_disable.go
@@ -0,0 +1,19 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// PluginDisable disables a plugin
+func (cli *Client) PluginDisable(ctx context.Context, name string, options types.PluginDisableOptions) error {
+	query := url.Values{}
+	if options.Force {
+		query.Set("force", "1")
+	}
+	resp, err := cli.post(ctx, "/plugins/"+name+"/disable", query, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/plugin_disable_test.go b/engine/client/plugin_disable_test.go
new file mode 100644
index 00000000..ac2413d6
--- /dev/null
+++ b/engine/client/plugin_disable_test.go
@@ -0,0 +1,48 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestPluginDisableError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.PluginDisable(context.Background(), "plugin_name", types.PluginDisableOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestPluginDisable(t *testing.T) {
+	expectedURL := "/plugins/plugin_name/disable"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.PluginDisable(context.Background(), "plugin_name", types.PluginDisableOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/plugin_enable.go b/engine/client/plugin_enable.go
new file mode 100644
index 00000000..736da48b
--- /dev/null
+++ b/engine/client/plugin_enable.go
@@ -0,0 +1,19 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+	"strconv"
+
+	"github.com/docker/docker/api/types"
+)
+
+// PluginEnable enables a plugin
+func (cli *Client) PluginEnable(ctx context.Context, name string, options types.PluginEnableOptions) error {
+	query := url.Values{}
+	query.Set("timeout", strconv.Itoa(options.Timeout))
+
+	resp, err := cli.post(ctx, "/plugins/"+name+"/enable", query, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/plugin_enable_test.go b/engine/client/plugin_enable_test.go
new file mode 100644
index 00000000..911ccaf1
--- /dev/null
+++ b/engine/client/plugin_enable_test.go
@@ -0,0 +1,48 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestPluginEnableError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.PluginEnable(context.Background(), "plugin_name", types.PluginEnableOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestPluginEnable(t *testing.T) {
+	expectedURL := "/plugins/plugin_name/enable"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.PluginEnable(context.Background(), "plugin_name", types.PluginEnableOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/plugin_inspect.go b/engine/client/plugin_inspect.go
new file mode 100644
index 00000000..0ab7beae
--- /dev/null
+++ b/engine/client/plugin_inspect.go
@@ -0,0 +1,31 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io/ioutil"
+
+	"github.com/docker/docker/api/types"
+)
+
+// PluginInspectWithRaw inspects an existing plugin
+func (cli *Client) PluginInspectWithRaw(ctx context.Context, name string) (*types.Plugin, []byte, error) {
+	if name == "" {
+		return nil, nil, objectNotFoundError{object: "plugin", id: name}
+	}
+	resp, err := cli.get(ctx, "/plugins/"+name+"/json", nil, nil)
+	if err != nil {
+		return nil, nil, wrapResponseError(err, resp, "plugin", name)
+	}
+
+	defer ensureReaderClosed(resp)
+	body, err := ioutil.ReadAll(resp.body)
+	if err != nil {
+		return nil, nil, err
+	}
+	var p types.Plugin
+	rdr := bytes.NewReader(body)
+	err = json.NewDecoder(rdr).Decode(&p)
+	return &p, body, err
+}
diff --git a/engine/client/plugin_inspect_test.go b/engine/client/plugin_inspect_test.go
new file mode 100644
index 00000000..74ca0f0f
--- /dev/null
+++ b/engine/client/plugin_inspect_test.go
@@ -0,0 +1,67 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+)
+
+func TestPluginInspectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, _, err := client.PluginInspectWithRaw(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestPluginInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, _, err := client.PluginInspectWithRaw(context.Background(), "")
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
+
+func TestPluginInspect(t *testing.T) {
+	expectedURL := "/plugins/plugin_name"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			content, err := json.Marshal(types.Plugin{
+				ID: "plugin_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	pluginInspect, _, err := client.PluginInspectWithRaw(context.Background(), "plugin_name")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if pluginInspect.ID != "plugin_id" {
+		t.Fatalf("expected `plugin_id`, got %s", pluginInspect.ID)
+	}
+}
diff --git a/engine/client/plugin_install.go b/engine/client/plugin_install.go
new file mode 100644
index 00000000..13baa40a
--- /dev/null
+++ b/engine/client/plugin_install.go
@@ -0,0 +1,113 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/url"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+)
+
+// PluginInstall installs a plugin
+func (cli *Client) PluginInstall(ctx context.Context, name string, options types.PluginInstallOptions) (rc io.ReadCloser, err error) {
+	query := url.Values{}
+	if _, err := reference.ParseNormalizedNamed(options.RemoteRef); err != nil {
+		return nil, errors.Wrap(err, "invalid remote reference")
+	}
+	query.Set("remote", options.RemoteRef)
+
+	privileges, err := cli.checkPluginPermissions(ctx, query, options)
+	if err != nil {
+		return nil, err
+	}
+
+	// set name for plugin pull, if empty should default to remote reference
+	query.Set("name", name)
+
+	resp, err := cli.tryPluginPull(ctx, query, privileges, options.RegistryAuth)
+	if err != nil {
+		return nil, err
+	}
+
+	name = resp.header.Get("Docker-Plugin-Name")
+
+	pr, pw := io.Pipe()
+	go func() { // todo: the client should probably be designed more around the actual api
+		_, err := io.Copy(pw, resp.body)
+		if err != nil {
+			pw.CloseWithError(err)
+			return
+		}
+		defer func() {
+			if err != nil {
+				delResp, _ := cli.delete(ctx, "/plugins/"+name, nil, nil)
+				ensureReaderClosed(delResp)
+			}
+		}()
+		if len(options.Args) > 0 {
+			if err := cli.PluginSet(ctx, name, options.Args); err != nil {
+				pw.CloseWithError(err)
+				return
+			}
+		}
+
+		if options.Disabled {
+			pw.Close()
+			return
+		}
+
+		enableErr := cli.PluginEnable(ctx, name, types.PluginEnableOptions{Timeout: 0})
+		pw.CloseWithError(enableErr)
+	}()
+	return pr, nil
+}
+
+func (cli *Client) tryPluginPrivileges(ctx context.Context, query url.Values, registryAuth string) (serverResponse, error) {
+	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}
+	return cli.get(ctx, "/plugins/privileges", query, headers)
+}
+
+func (cli *Client) tryPluginPull(ctx context.Context, query url.Values, privileges types.PluginPrivileges, registryAuth string) (serverResponse, error) {
+	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}
+	return cli.post(ctx, "/plugins/pull", query, privileges, headers)
+}
+
+func (cli *Client) checkPluginPermissions(ctx context.Context, query url.Values, options types.PluginInstallOptions) (types.PluginPrivileges, error) {
+	resp, err := cli.tryPluginPrivileges(ctx, query, options.RegistryAuth)
+	if resp.statusCode == http.StatusUnauthorized && options.PrivilegeFunc != nil {
+		// todo: do inspect before to check existing name before checking privileges
+		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		if privilegeErr != nil {
+			ensureReaderClosed(resp)
+			return nil, privilegeErr
+		}
+		options.RegistryAuth = newAuthHeader
+		resp, err = cli.tryPluginPrivileges(ctx, query, options.RegistryAuth)
+	}
+	if err != nil {
+		ensureReaderClosed(resp)
+		return nil, err
+	}
+
+	var privileges types.PluginPrivileges
+	if err := json.NewDecoder(resp.body).Decode(&privileges); err != nil {
+		ensureReaderClosed(resp)
+		return nil, err
+	}
+	ensureReaderClosed(resp)
+
+	if !options.AcceptAllPermissions && options.AcceptPermissionsFunc != nil && len(privileges) > 0 {
+		accept, err := options.AcceptPermissionsFunc(privileges)
+		if err != nil {
+			return nil, err
+		}
+		if !accept {
+			return nil, pluginPermissionDenied{options.RemoteRef}
+		}
+	}
+	return privileges, nil
+}
diff --git a/engine/client/plugin_list.go b/engine/client/plugin_list.go
new file mode 100644
index 00000000..ade1051a
--- /dev/null
+++ b/engine/client/plugin_list.go
@@ -0,0 +1,32 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// PluginList returns the installed plugins
+func (cli *Client) PluginList(ctx context.Context, filter filters.Args) (types.PluginsListResponse, error) {
+	var plugins types.PluginsListResponse
+	query := url.Values{}
+
+	if filter.Len() > 0 {
+		filterJSON, err := filters.ToParamWithVersion(cli.version, filter)
+		if err != nil {
+			return plugins, err
+		}
+		query.Set("filters", filterJSON)
+	}
+	resp, err := cli.get(ctx, "/plugins", query, nil)
+	if err != nil {
+		return plugins, wrapResponseError(err, resp, "plugin", "")
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&plugins)
+	ensureReaderClosed(resp)
+	return plugins, err
+}
diff --git a/engine/client/plugin_list_test.go b/engine/client/plugin_list_test.go
new file mode 100644
index 00000000..7dc351dc
--- /dev/null
+++ b/engine/client/plugin_list_test.go
@@ -0,0 +1,107 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+func TestPluginListError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.PluginList(context.Background(), filters.NewArgs())
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestPluginList(t *testing.T) {
+	expectedURL := "/plugins"
+
+	enabledFilters := filters.NewArgs()
+	enabledFilters.Add("enabled", "true")
+
+	capabilityFilters := filters.NewArgs()
+	capabilityFilters.Add("capability", "volumedriver")
+	capabilityFilters.Add("capability", "authz")
+
+	listCases := []struct {
+		filters             filters.Args
+		expectedQueryParams map[string]string
+	}{
+		{
+			filters: filters.NewArgs(),
+			expectedQueryParams: map[string]string{
+				"all":     "",
+				"filter":  "",
+				"filters": "",
+			},
+		},
+		{
+			filters: enabledFilters,
+			expectedQueryParams: map[string]string{
+				"all":     "",
+				"filter":  "",
+				"filters": `{"enabled":{"true":true}}`,
+			},
+		},
+		{
+			filters: capabilityFilters,
+			expectedQueryParams: map[string]string{
+				"all":     "",
+				"filter":  "",
+				"filters": `{"capability":{"authz":true,"volumedriver":true}}`,
+			},
+		},
+	}
+
+	for _, listCase := range listCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				for key, expected := range listCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				content, err := json.Marshal([]*types.Plugin{
+					{
+						ID: "plugin_id1",
+					},
+					{
+						ID: "plugin_id2",
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+		}
+
+		plugins, err := client.PluginList(context.Background(), listCase.filters)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(plugins) != 2 {
+			t.Fatalf("expected 2 plugins, got %v", plugins)
+		}
+	}
+}
diff --git a/engine/client/plugin_push.go b/engine/client/plugin_push.go
new file mode 100644
index 00000000..d20bfe84
--- /dev/null
+++ b/engine/client/plugin_push.go
@@ -0,0 +1,16 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+)
+
+// PluginPush pushes a plugin to a registry
+func (cli *Client) PluginPush(ctx context.Context, name string, registryAuth string) (io.ReadCloser, error) {
+	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}
+	resp, err := cli.post(ctx, "/plugins/"+name+"/push", nil, nil, headers)
+	if err != nil {
+		return nil, err
+	}
+	return resp.body, nil
+}
diff --git a/engine/client/plugin_push_test.go b/engine/client/plugin_push_test.go
new file mode 100644
index 00000000..20b23a11
--- /dev/null
+++ b/engine/client/plugin_push_test.go
@@ -0,0 +1,50 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestPluginPushError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.PluginPush(context.Background(), "plugin_name", "")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestPluginPush(t *testing.T) {
+	expectedURL := "/plugins/plugin_name"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			auth := req.Header.Get("X-Registry-Auth")
+			if auth != "authtoken" {
+				return nil, fmt.Errorf("Invalid auth header : expected 'authtoken', got %s", auth)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	_, err := client.PluginPush(context.Background(), "plugin_name", "authtoken")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/plugin_remove.go b/engine/client/plugin_remove.go
new file mode 100644
index 00000000..8563bab0
--- /dev/null
+++ b/engine/client/plugin_remove.go
@@ -0,0 +1,20 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+)
+
+// PluginRemove removes a plugin
+func (cli *Client) PluginRemove(ctx context.Context, name string, options types.PluginRemoveOptions) error {
+	query := url.Values{}
+	if options.Force {
+		query.Set("force", "1")
+	}
+
+	resp, err := cli.delete(ctx, "/plugins/"+name, query, nil)
+	ensureReaderClosed(resp)
+	return wrapResponseError(err, resp, "plugin", name)
+}
diff --git a/engine/client/plugin_remove_test.go b/engine/client/plugin_remove_test.go
new file mode 100644
index 00000000..e6c76342
--- /dev/null
+++ b/engine/client/plugin_remove_test.go
@@ -0,0 +1,48 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestPluginRemoveError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.PluginRemove(context.Background(), "plugin_name", types.PluginRemoveOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestPluginRemove(t *testing.T) {
+	expectedURL := "/plugins/plugin_name"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "DELETE" {
+				return nil, fmt.Errorf("expected DELETE method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.PluginRemove(context.Background(), "plugin_name", types.PluginRemoveOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/plugin_set.go b/engine/client/plugin_set.go
new file mode 100644
index 00000000..dcf5752c
--- /dev/null
+++ b/engine/client/plugin_set.go
@@ -0,0 +1,12 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+)
+
+// PluginSet modifies settings for an existing plugin
+func (cli *Client) PluginSet(ctx context.Context, name string, args []string) error {
+	resp, err := cli.post(ctx, "/plugins/"+name+"/set", nil, args, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/plugin_set_test.go b/engine/client/plugin_set_test.go
new file mode 100644
index 00000000..2e97904b
--- /dev/null
+++ b/engine/client/plugin_set_test.go
@@ -0,0 +1,46 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestPluginSetError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.PluginSet(context.Background(), "plugin_name", []string{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestPluginSet(t *testing.T) {
+	expectedURL := "/plugins/plugin_name/set"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.PluginSet(context.Background(), "plugin_name", []string{"arg1"})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/plugin_upgrade.go b/engine/client/plugin_upgrade.go
new file mode 100644
index 00000000..115cea94
--- /dev/null
+++ b/engine/client/plugin_upgrade.go
@@ -0,0 +1,39 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/url"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+)
+
+// PluginUpgrade upgrades a plugin
+func (cli *Client) PluginUpgrade(ctx context.Context, name string, options types.PluginInstallOptions) (rc io.ReadCloser, err error) {
+	if err := cli.NewVersionError("1.26", "plugin upgrade"); err != nil {
+		return nil, err
+	}
+	query := url.Values{}
+	if _, err := reference.ParseNormalizedNamed(options.RemoteRef); err != nil {
+		return nil, errors.Wrap(err, "invalid remote reference")
+	}
+	query.Set("remote", options.RemoteRef)
+
+	privileges, err := cli.checkPluginPermissions(ctx, query, options)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := cli.tryPluginUpgrade(ctx, query, privileges, name, options.RegistryAuth)
+	if err != nil {
+		return nil, err
+	}
+	return resp.body, nil
+}
+
+func (cli *Client) tryPluginUpgrade(ctx context.Context, query url.Values, privileges types.PluginPrivileges, name, registryAuth string) (serverResponse, error) {
+	headers := map[string][]string{"X-Registry-Auth": {registryAuth}}
+	return cli.post(ctx, "/plugins/"+name+"/upgrade", query, privileges, headers)
+}
diff --git a/engine/client/request.go b/engine/client/request.go
new file mode 100644
index 00000000..a19d62aa
--- /dev/null
+++ b/engine/client/request.go
@@ -0,0 +1,259 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/pkg/errors"
+	"golang.org/x/net/context/ctxhttp"
+)
+
+// serverResponse is a wrapper for http API responses.
+type serverResponse struct {
+	body       io.ReadCloser
+	header     http.Header
+	statusCode int
+	reqURL     *url.URL
+}
+
+// head sends an http request to the docker API using the method HEAD.
+func (cli *Client) head(ctx context.Context, path string, query url.Values, headers map[string][]string) (serverResponse, error) {
+	return cli.sendRequest(ctx, "HEAD", path, query, nil, headers)
+}
+
+// get sends an http request to the docker API using the method GET with a specific Go context.
+func (cli *Client) get(ctx context.Context, path string, query url.Values, headers map[string][]string) (serverResponse, error) {
+	return cli.sendRequest(ctx, "GET", path, query, nil, headers)
+}
+
+// post sends an http request to the docker API using the method POST with a specific Go context.
+func (cli *Client) post(ctx context.Context, path string, query url.Values, obj interface{}, headers map[string][]string) (serverResponse, error) {
+	body, headers, err := encodeBody(obj, headers)
+	if err != nil {
+		return serverResponse{}, err
+	}
+	return cli.sendRequest(ctx, "POST", path, query, body, headers)
+}
+
+func (cli *Client) postRaw(ctx context.Context, path string, query url.Values, body io.Reader, headers map[string][]string) (serverResponse, error) {
+	return cli.sendRequest(ctx, "POST", path, query, body, headers)
+}
+
+// put sends an http request to the docker API using the method PUT.
+func (cli *Client) put(ctx context.Context, path string, query url.Values, obj interface{}, headers map[string][]string) (serverResponse, error) {
+	body, headers, err := encodeBody(obj, headers)
+	if err != nil {
+		return serverResponse{}, err
+	}
+	return cli.sendRequest(ctx, "PUT", path, query, body, headers)
+}
+
+// putRaw sends an http request to the docker API using the method PUT.
+func (cli *Client) putRaw(ctx context.Context, path string, query url.Values, body io.Reader, headers map[string][]string) (serverResponse, error) {
+	return cli.sendRequest(ctx, "PUT", path, query, body, headers)
+}
+
+// delete sends an http request to the docker API using the method DELETE.
+func (cli *Client) delete(ctx context.Context, path string, query url.Values, headers map[string][]string) (serverResponse, error) {
+	return cli.sendRequest(ctx, "DELETE", path, query, nil, headers)
+}
+
+type headers map[string][]string
+
+func encodeBody(obj interface{}, headers headers) (io.Reader, headers, error) {
+	if obj == nil {
+		return nil, headers, nil
+	}
+
+	body, err := encodeData(obj)
+	if err != nil {
+		return nil, headers, err
+	}
+	if headers == nil {
+		headers = make(map[string][]string)
+	}
+	headers["Content-Type"] = []string{"application/json"}
+	return body, headers, nil
+}
+
+func (cli *Client) buildRequest(method, path string, body io.Reader, headers headers) (*http.Request, error) {
+	expectedPayload := (method == "POST" || method == "PUT")
+	if expectedPayload && body == nil {
+		body = bytes.NewReader([]byte{})
+	}
+
+	req, err := http.NewRequest(method, path, body)
+	if err != nil {
+		return nil, err
+	}
+	req = cli.addHeaders(req, headers)
+
+	if cli.proto == "unix" || cli.proto == "npipe" {
+		// For local communications, it doesn't matter what the host is. We just
+		// need a valid and meaningful host name. (See #189)
+		req.Host = "docker"
+	}
+
+	req.URL.Host = cli.addr
+	req.URL.Scheme = cli.scheme
+
+	if expectedPayload && req.Header.Get("Content-Type") == "" {
+		req.Header.Set("Content-Type", "text/plain")
+	}
+	return req, nil
+}
+
+func (cli *Client) sendRequest(ctx context.Context, method, path string, query url.Values, body io.Reader, headers headers) (serverResponse, error) {
+	req, err := cli.buildRequest(method, cli.getAPIPath(path, query), body, headers)
+	if err != nil {
+		return serverResponse{}, err
+	}
+	resp, err := cli.doRequest(ctx, req)
+	if err != nil {
+		return resp, err
+	}
+	return resp, cli.checkResponseErr(resp)
+}
+
+func (cli *Client) doRequest(ctx context.Context, req *http.Request) (serverResponse, error) {
+	serverResp := serverResponse{statusCode: -1, reqURL: req.URL}
+
+	resp, err := ctxhttp.Do(ctx, cli.client, req)
+	if err != nil {
+		if cli.scheme != "https" && strings.Contains(err.Error(), "malformed HTTP response") {
+			return serverResp, fmt.Errorf("%v.\n* Are you trying to connect to a TLS-enabled daemon without TLS?", err)
+		}
+
+		if cli.scheme == "https" && strings.Contains(err.Error(), "bad certificate") {
+			return serverResp, fmt.Errorf("The server probably has client authentication (--tlsverify) enabled. Please check your TLS client certification settings: %v", err)
+		}
+
+		// Don't decorate context sentinel errors; users may be comparing to
+		// them directly.
+		switch err {
+		case context.Canceled, context.DeadlineExceeded:
+			return serverResp, err
+		}
+
+		if nErr, ok := err.(*url.Error); ok {
+			if nErr, ok := nErr.Err.(*net.OpError); ok {
+				if os.IsPermission(nErr.Err) {
+					return serverResp, errors.Wrapf(err, "Got permission denied while trying to connect to the Docker daemon socket at %v", cli.host)
+				}
+			}
+		}
+
+		if err, ok := err.(net.Error); ok {
+			if err.Timeout() {
+				return serverResp, ErrorConnectionFailed(cli.host)
+			}
+			if !err.Temporary() {
+				if strings.Contains(err.Error(), "connection refused") || strings.Contains(err.Error(), "dial unix") {
+					return serverResp, ErrorConnectionFailed(cli.host)
+				}
+			}
+		}
+
+		// Although there's not a strongly typed error for this in go-winio,
+		// lots of people are using the default configuration for the docker
+		// daemon on Windows where the daemon is listening on a named pipe
+		// `//./pipe/docker_engine, and the client must be running elevated.
+		// Give users a clue rather than the not-overly useful message
+		// such as `error during connect: Get http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.26/info:
+		// open //./pipe/docker_engine: The system cannot find the file specified.`.
+		// Note we can't string compare "The system cannot find the file specified" as
+		// this is localised - for example in French the error would be
+		// `open //./pipe/docker_engine: Le fichier spécifié est introuvable.`
+		if strings.Contains(err.Error(), `open //./pipe/docker_engine`) {
+			err = errors.New(err.Error() + " In the default daemon configuration on Windows, the docker client must be run elevated to connect. This error may also indicate that the docker daemon is not running.")
+		}
+
+		return serverResp, errors.Wrap(err, "error during connect")
+	}
+
+	if resp != nil {
+		serverResp.statusCode = resp.StatusCode
+		serverResp.body = resp.Body
+		serverResp.header = resp.Header
+	}
+	return serverResp, nil
+}
+
+func (cli *Client) checkResponseErr(serverResp serverResponse) error {
+	if serverResp.statusCode >= 200 && serverResp.statusCode < 400 {
+		return nil
+	}
+
+	body, err := ioutil.ReadAll(serverResp.body)
+	if err != nil {
+		return err
+	}
+	if len(body) == 0 {
+		return fmt.Errorf("request returned %s for API route and version %s, check if the server supports the requested API version", http.StatusText(serverResp.statusCode), serverResp.reqURL)
+	}
+
+	var ct string
+	if serverResp.header != nil {
+		ct = serverResp.header.Get("Content-Type")
+	}
+
+	var errorMessage string
+	if (cli.version == "" || versions.GreaterThan(cli.version, "1.23")) && ct == "application/json" {
+		var errorResponse types.ErrorResponse
+		if err := json.Unmarshal(body, &errorResponse); err != nil {
+			return fmt.Errorf("Error reading JSON: %v", err)
+		}
+		errorMessage = errorResponse.Message
+	} else {
+		errorMessage = string(body)
+	}
+
+	return fmt.Errorf("Error response from daemon: %s", strings.TrimSpace(errorMessage))
+}
+
+func (cli *Client) addHeaders(req *http.Request, headers headers) *http.Request {
+	// Add CLI Config's HTTP Headers BEFORE we set the Docker headers
+	// then the user can't change OUR headers
+	for k, v := range cli.customHTTPHeaders {
+		if versions.LessThan(cli.version, "1.25") && k == "User-Agent" {
+			continue
+		}
+		req.Header.Set(k, v)
+	}
+
+	if headers != nil {
+		for k, v := range headers {
+			req.Header[k] = v
+		}
+	}
+	return req
+}
+
+func encodeData(data interface{}) (*bytes.Buffer, error) {
+	params := bytes.NewBuffer(nil)
+	if data != nil {
+		if err := json.NewEncoder(params).Encode(data); err != nil {
+			return nil, err
+		}
+	}
+	return params, nil
+}
+
+func ensureReaderClosed(response serverResponse) {
+	if response.body != nil {
+		// Drain up to 512 bytes and close the body to let the Transport reuse the connection
+		io.CopyN(ioutil.Discard, response.body, 512)
+		response.body.Close()
+	}
+}
diff --git a/engine/client/request_test.go b/engine/client/request_test.go
new file mode 100644
index 00000000..fda4d88a
--- /dev/null
+++ b/engine/client/request_test.go
@@ -0,0 +1,89 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+)
+
+// TestSetHostHeader should set fake host for local communications, set real host
+// for normal communications.
+func TestSetHostHeader(t *testing.T) {
+	testURL := "/test"
+	testCases := []struct {
+		host            string
+		expectedHost    string
+		expectedURLHost string
+	}{
+		{
+			"unix:///var/run/docker.sock",
+			"docker",
+			"/var/run/docker.sock",
+		},
+		{
+			"npipe:////./pipe/docker_engine",
+			"docker",
+			"//./pipe/docker_engine",
+		},
+		{
+			"tcp://0.0.0.0:4243",
+			"",
+			"0.0.0.0:4243",
+		},
+		{
+			"tcp://localhost:4243",
+			"",
+			"localhost:4243",
+		},
+	}
+
+	for c, test := range testCases {
+		hostURL, err := ParseHostURL(test.host)
+		assert.NilError(t, err)
+
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, testURL) {
+					return nil, fmt.Errorf("Test Case #%d: Expected URL %q, got %q", c, testURL, req.URL)
+				}
+				if req.Host != test.expectedHost {
+					return nil, fmt.Errorf("Test Case #%d: Expected host %q, got %q", c, test.expectedHost, req.Host)
+				}
+				if req.URL.Host != test.expectedURLHost {
+					return nil, fmt.Errorf("Test Case #%d: Expected URL host %q, got %q", c, test.expectedURLHost, req.URL.Host)
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+				}, nil
+			}),
+
+			proto:    hostURL.Scheme,
+			addr:     hostURL.Host,
+			basePath: hostURL.Path,
+		}
+
+		_, err = client.sendRequest(context.Background(), "GET", testURL, nil, nil, nil)
+		assert.NilError(t, err)
+	}
+}
+
+// TestPlainTextError tests the server returning an error in plain text for
+// backwards compatibility with API versions <1.24. All other tests use
+// errors returned as JSON
+func TestPlainTextError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(plainTextErrorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ContainerList(context.Background(), types.ContainerListOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
diff --git a/engine/client/secret_create.go b/engine/client/secret_create.go
new file mode 100644
index 00000000..09fae82f
--- /dev/null
+++ b/engine/client/secret_create.go
@@ -0,0 +1,25 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// SecretCreate creates a new Secret.
+func (cli *Client) SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error) {
+	var response types.SecretCreateResponse
+	if err := cli.NewVersionError("1.25", "secret create"); err != nil {
+		return response, err
+	}
+	resp, err := cli.post(ctx, "/secrets/create", nil, secret, nil)
+	if err != nil {
+		return response, err
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&response)
+	ensureReaderClosed(resp)
+	return response, err
+}
diff --git a/engine/client/secret_create_test.go b/engine/client/secret_create_test.go
new file mode 100644
index 00000000..419bdbcb
--- /dev/null
+++ b/engine/client/secret_create_test.go
@@ -0,0 +1,70 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSecretCreateUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.24",
+		client:  &http.Client{},
+	}
+	_, err := client.SecretCreate(context.Background(), swarm.SecretSpec{})
+	assert.Check(t, is.Error(err, `"secret create" requires API version 1.25, but the Docker daemon API version is 1.24`))
+}
+
+func TestSecretCreateError(t *testing.T) {
+	client := &Client{
+		version: "1.25",
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.SecretCreate(context.Background(), swarm.SecretSpec{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSecretCreate(t *testing.T) {
+	expectedURL := "/v1.25/secrets/create"
+	client := &Client{
+		version: "1.25",
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			b, err := json.Marshal(types.SecretCreateResponse{
+				ID: "test_secret",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusCreated,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	r, err := client.SecretCreate(context.Background(), swarm.SecretSpec{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if r.ID != "test_secret" {
+		t.Fatalf("expected `test_secret`, got %s", r.ID)
+	}
+}
diff --git a/engine/client/secret_inspect.go b/engine/client/secret_inspect.go
new file mode 100644
index 00000000..e8322f45
--- /dev/null
+++ b/engine/client/secret_inspect.go
@@ -0,0 +1,36 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io/ioutil"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// SecretInspectWithRaw returns the secret information with raw data
+func (cli *Client) SecretInspectWithRaw(ctx context.Context, id string) (swarm.Secret, []byte, error) {
+	if err := cli.NewVersionError("1.25", "secret inspect"); err != nil {
+		return swarm.Secret{}, nil, err
+	}
+	if id == "" {
+		return swarm.Secret{}, nil, objectNotFoundError{object: "secret", id: id}
+	}
+	resp, err := cli.get(ctx, "/secrets/"+id, nil, nil)
+	if err != nil {
+		return swarm.Secret{}, nil, wrapResponseError(err, resp, "secret", id)
+	}
+	defer ensureReaderClosed(resp)
+
+	body, err := ioutil.ReadAll(resp.body)
+	if err != nil {
+		return swarm.Secret{}, nil, err
+	}
+
+	var secret swarm.Secret
+	rdr := bytes.NewReader(body)
+	err = json.NewDecoder(rdr).Decode(&secret)
+
+	return secret, body, err
+}
diff --git a/engine/client/secret_inspect_test.go b/engine/client/secret_inspect_test.go
new file mode 100644
index 00000000..6c84799b
--- /dev/null
+++ b/engine/client/secret_inspect_test.go
@@ -0,0 +1,92 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSecretInspectUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.24",
+		client:  &http.Client{},
+	}
+	_, _, err := client.SecretInspectWithRaw(context.Background(), "nothing")
+	assert.Check(t, is.Error(err, `"secret inspect" requires API version 1.25, but the Docker daemon API version is 1.24`))
+}
+
+func TestSecretInspectError(t *testing.T) {
+	client := &Client{
+		version: "1.25",
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, _, err := client.SecretInspectWithRaw(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSecretInspectSecretNotFound(t *testing.T) {
+	client := &Client{
+		version: "1.25",
+		client:  newMockClient(errorMock(http.StatusNotFound, "Server error")),
+	}
+
+	_, _, err := client.SecretInspectWithRaw(context.Background(), "unknown")
+	if err == nil || !IsErrNotFound(err) {
+		t.Fatalf("expected a secretNotFoundError error, got %v", err)
+	}
+}
+
+func TestSecretInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, _, err := client.SecretInspectWithRaw(context.Background(), "")
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
+
+func TestSecretInspect(t *testing.T) {
+	expectedURL := "/v1.25/secrets/secret_id"
+	client := &Client{
+		version: "1.25",
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			content, err := json.Marshal(swarm.Secret{
+				ID: "secret_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	secretInspect, _, err := client.SecretInspectWithRaw(context.Background(), "secret_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secretInspect.ID != "secret_id" {
+		t.Fatalf("expected `secret_id`, got %s", secretInspect.ID)
+	}
+}
diff --git a/engine/client/secret_list.go b/engine/client/secret_list.go
new file mode 100644
index 00000000..f6bf7ba4
--- /dev/null
+++ b/engine/client/secret_list.go
@@ -0,0 +1,38 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// SecretList returns the list of secrets.
+func (cli *Client) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+	if err := cli.NewVersionError("1.25", "secret list"); err != nil {
+		return nil, err
+	}
+	query := url.Values{}
+
+	if options.Filters.Len() > 0 {
+		filterJSON, err := filters.ToJSON(options.Filters)
+		if err != nil {
+			return nil, err
+		}
+
+		query.Set("filters", filterJSON)
+	}
+
+	resp, err := cli.get(ctx, "/secrets", query, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var secrets []swarm.Secret
+	err = json.NewDecoder(resp.body).Decode(&secrets)
+	ensureReaderClosed(resp)
+	return secrets, err
+}
diff --git a/engine/client/secret_list_test.go b/engine/client/secret_list_test.go
new file mode 100644
index 00000000..72323b05
--- /dev/null
+++ b/engine/client/secret_list_test.go
@@ -0,0 +1,107 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSecretListUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.24",
+		client:  &http.Client{},
+	}
+	_, err := client.SecretList(context.Background(), types.SecretListOptions{})
+	assert.Check(t, is.Error(err, `"secret list" requires API version 1.25, but the Docker daemon API version is 1.24`))
+}
+
+func TestSecretListError(t *testing.T) {
+	client := &Client{
+		version: "1.25",
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.SecretList(context.Background(), types.SecretListOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSecretList(t *testing.T) {
+	expectedURL := "/v1.25/secrets"
+
+	filters := filters.NewArgs()
+	filters.Add("label", "label1")
+	filters.Add("label", "label2")
+
+	listCases := []struct {
+		options             types.SecretListOptions
+		expectedQueryParams map[string]string
+	}{
+		{
+			options: types.SecretListOptions{},
+			expectedQueryParams: map[string]string{
+				"filters": "",
+			},
+		},
+		{
+			options: types.SecretListOptions{
+				Filters: filters,
+			},
+			expectedQueryParams: map[string]string{
+				"filters": `{"label":{"label1":true,"label2":true}}`,
+			},
+		},
+	}
+	for _, listCase := range listCases {
+		client := &Client{
+			version: "1.25",
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				for key, expected := range listCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				content, err := json.Marshal([]swarm.Secret{
+					{
+						ID: "secret_id1",
+					},
+					{
+						ID: "secret_id2",
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+		}
+
+		secrets, err := client.SecretList(context.Background(), listCase.options)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(secrets) != 2 {
+			t.Fatalf("expected 2 secrets, got %v", secrets)
+		}
+	}
+}
diff --git a/engine/client/secret_remove.go b/engine/client/secret_remove.go
new file mode 100644
index 00000000..e9d52182
--- /dev/null
+++ b/engine/client/secret_remove.go
@@ -0,0 +1,13 @@
+package client // import "github.com/docker/docker/client"
+
+import "context"
+
+// SecretRemove removes a Secret.
+func (cli *Client) SecretRemove(ctx context.Context, id string) error {
+	if err := cli.NewVersionError("1.25", "secret remove"); err != nil {
+		return err
+	}
+	resp, err := cli.delete(ctx, "/secrets/"+id, nil, nil)
+	ensureReaderClosed(resp)
+	return wrapResponseError(err, resp, "secret", id)
+}
diff --git a/engine/client/secret_remove_test.go b/engine/client/secret_remove_test.go
new file mode 100644
index 00000000..bdfccf6b
--- /dev/null
+++ b/engine/client/secret_remove_test.go
@@ -0,0 +1,60 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSecretRemoveUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.24",
+		client:  &http.Client{},
+	}
+	err := client.SecretRemove(context.Background(), "secret_id")
+	assert.Check(t, is.Error(err, `"secret remove" requires API version 1.25, but the Docker daemon API version is 1.24`))
+}
+
+func TestSecretRemoveError(t *testing.T) {
+	client := &Client{
+		version: "1.25",
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.SecretRemove(context.Background(), "secret_id")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSecretRemove(t *testing.T) {
+	expectedURL := "/v1.25/secrets/secret_id"
+
+	client := &Client{
+		version: "1.25",
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "DELETE" {
+				return nil, fmt.Errorf("expected DELETE method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+			}, nil
+		}),
+	}
+
+	err := client.SecretRemove(context.Background(), "secret_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/secret_update.go b/engine/client/secret_update.go
new file mode 100644
index 00000000..164256bb
--- /dev/null
+++ b/engine/client/secret_update.go
@@ -0,0 +1,21 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+	"strconv"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// SecretUpdate attempts to update a Secret
+func (cli *Client) SecretUpdate(ctx context.Context, id string, version swarm.Version, secret swarm.SecretSpec) error {
+	if err := cli.NewVersionError("1.25", "secret update"); err != nil {
+		return err
+	}
+	query := url.Values{}
+	query.Set("version", strconv.FormatUint(version.Index, 10))
+	resp, err := cli.post(ctx, "/secrets/"+id+"/update", query, secret, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/secret_update_test.go b/engine/client/secret_update_test.go
new file mode 100644
index 00000000..c7670b44
--- /dev/null
+++ b/engine/client/secret_update_test.go
@@ -0,0 +1,61 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSecretUpdateUnsupported(t *testing.T) {
+	client := &Client{
+		version: "1.24",
+		client:  &http.Client{},
+	}
+	err := client.SecretUpdate(context.Background(), "secret_id", swarm.Version{}, swarm.SecretSpec{})
+	assert.Check(t, is.Error(err, `"secret update" requires API version 1.25, but the Docker daemon API version is 1.24`))
+}
+
+func TestSecretUpdateError(t *testing.T) {
+	client := &Client{
+		version: "1.25",
+		client:  newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.SecretUpdate(context.Background(), "secret_id", swarm.Version{}, swarm.SecretSpec{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSecretUpdate(t *testing.T) {
+	expectedURL := "/v1.25/secrets/secret_id/update"
+
+	client := &Client{
+		version: "1.25",
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+			}, nil
+		}),
+	}
+
+	err := client.SecretUpdate(context.Background(), "secret_id", swarm.Version{}, swarm.SecretSpec{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/service_create.go b/engine/client/service_create.go
new file mode 100644
index 00000000..8fadda4a
--- /dev/null
+++ b/engine/client/service_create.go
@@ -0,0 +1,166 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+// ServiceCreate creates a new Service.
+func (cli *Client) ServiceCreate(ctx context.Context, service swarm.ServiceSpec, options types.ServiceCreateOptions) (types.ServiceCreateResponse, error) {
+	var distErr error
+
+	headers := map[string][]string{
+		"version": {cli.version},
+	}
+
+	if options.EncodedRegistryAuth != "" {
+		headers["X-Registry-Auth"] = []string{options.EncodedRegistryAuth}
+	}
+
+	// Make sure containerSpec is not nil when no runtime is set or the runtime is set to container
+	if service.TaskTemplate.ContainerSpec == nil && (service.TaskTemplate.Runtime == "" || service.TaskTemplate.Runtime == swarm.RuntimeContainer) {
+		service.TaskTemplate.ContainerSpec = &swarm.ContainerSpec{}
+	}
+
+	if err := validateServiceSpec(service); err != nil {
+		return types.ServiceCreateResponse{}, err
+	}
+
+	// ensure that the image is tagged
+	var imgPlatforms []swarm.Platform
+	if service.TaskTemplate.ContainerSpec != nil {
+		if taggedImg := imageWithTagString(service.TaskTemplate.ContainerSpec.Image); taggedImg != "" {
+			service.TaskTemplate.ContainerSpec.Image = taggedImg
+		}
+		if options.QueryRegistry {
+			var img string
+			img, imgPlatforms, distErr = imageDigestAndPlatforms(ctx, cli, service.TaskTemplate.ContainerSpec.Image, options.EncodedRegistryAuth)
+			if img != "" {
+				service.TaskTemplate.ContainerSpec.Image = img
+			}
+		}
+	}
+
+	// ensure that the image is tagged
+	if service.TaskTemplate.PluginSpec != nil {
+		if taggedImg := imageWithTagString(service.TaskTemplate.PluginSpec.Remote); taggedImg != "" {
+			service.TaskTemplate.PluginSpec.Remote = taggedImg
+		}
+		if options.QueryRegistry {
+			var img string
+			img, imgPlatforms, distErr = imageDigestAndPlatforms(ctx, cli, service.TaskTemplate.PluginSpec.Remote, options.EncodedRegistryAuth)
+			if img != "" {
+				service.TaskTemplate.PluginSpec.Remote = img
+			}
+		}
+	}
+
+	if service.TaskTemplate.Placement == nil && len(imgPlatforms) > 0 {
+		service.TaskTemplate.Placement = &swarm.Placement{}
+	}
+	if len(imgPlatforms) > 0 {
+		service.TaskTemplate.Placement.Platforms = imgPlatforms
+	}
+
+	var response types.ServiceCreateResponse
+	resp, err := cli.post(ctx, "/services/create", nil, service, headers)
+	if err != nil {
+		return response, err
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&response)
+
+	if distErr != nil {
+		response.Warnings = append(response.Warnings, digestWarning(service.TaskTemplate.ContainerSpec.Image))
+	}
+
+	ensureReaderClosed(resp)
+	return response, err
+}
+
+func imageDigestAndPlatforms(ctx context.Context, cli DistributionAPIClient, image, encodedAuth string) (string, []swarm.Platform, error) {
+	distributionInspect, err := cli.DistributionInspect(ctx, image, encodedAuth)
+	var platforms []swarm.Platform
+	if err != nil {
+		return "", nil, err
+	}
+
+	imageWithDigest := imageWithDigestString(image, distributionInspect.Descriptor.Digest)
+
+	if len(distributionInspect.Platforms) > 0 {
+		platforms = make([]swarm.Platform, 0, len(distributionInspect.Platforms))
+		for _, p := range distributionInspect.Platforms {
+			// clear architecture field for arm. This is a temporary patch to address
+			// https://github.com/docker/swarmkit/issues/2294. The issue is that while
+			// image manifests report "arm" as the architecture, the node reports
+			// something like "armv7l" (includes the variant), which causes arm images
+			// to stop working with swarm mode. This patch removes the architecture
+			// constraint for arm images to ensure tasks get scheduled.
+			arch := p.Architecture
+			if strings.ToLower(arch) == "arm" {
+				arch = ""
+			}
+			platforms = append(platforms, swarm.Platform{
+				Architecture: arch,
+				OS:           p.OS,
+			})
+		}
+	}
+	return imageWithDigest, platforms, err
+}
+
+// imageWithDigestString takes an image string and a digest, and updates
+// the image string if it didn't originally contain a digest. It returns
+// an empty string if there are no updates.
+func imageWithDigestString(image string, dgst digest.Digest) string {
+	namedRef, err := reference.ParseNormalizedNamed(image)
+	if err == nil {
+		if _, isCanonical := namedRef.(reference.Canonical); !isCanonical {
+			// ensure that image gets a default tag if none is provided
+			img, err := reference.WithDigest(namedRef, dgst)
+			if err == nil {
+				return reference.FamiliarString(img)
+			}
+		}
+	}
+	return ""
+}
+
+// imageWithTagString takes an image string, and returns a tagged image
+// string, adding a 'latest' tag if one was not provided. It returns an
+// empty string if a canonical reference was provided
+func imageWithTagString(image string) string {
+	namedRef, err := reference.ParseNormalizedNamed(image)
+	if err == nil {
+		return reference.FamiliarString(reference.TagNameOnly(namedRef))
+	}
+	return ""
+}
+
+// digestWarning constructs a formatted warning string using the
+// image name that could not be pinned by digest. The formatting
+// is hardcoded, but could me made smarter in the future
+func digestWarning(image string) string {
+	return fmt.Sprintf("image %s could not be accessed on a registry to record\nits digest. Each node will access %s independently,\npossibly leading to different nodes running different\nversions of the image.\n", image, image)
+}
+
+func validateServiceSpec(s swarm.ServiceSpec) error {
+	if s.TaskTemplate.ContainerSpec != nil && s.TaskTemplate.PluginSpec != nil {
+		return errors.New("must not specify both a container spec and a plugin spec in the task template")
+	}
+	if s.TaskTemplate.PluginSpec != nil && s.TaskTemplate.Runtime != swarm.RuntimePlugin {
+		return errors.New("mismatched runtime with plugin spec")
+	}
+	if s.TaskTemplate.ContainerSpec != nil && (s.TaskTemplate.Runtime != "" && s.TaskTemplate.Runtime != swarm.RuntimeContainer) {
+		return errors.New("mismatched runtime with container spec")
+	}
+	return nil
+}
diff --git a/engine/client/service_create_test.go b/engine/client/service_create_test.go
new file mode 100644
index 00000000..9f51c182
--- /dev/null
+++ b/engine/client/service_create_test.go
@@ -0,0 +1,211 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/opencontainers/go-digest"
+	"github.com/opencontainers/image-spec/specs-go/v1"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestServiceCreateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ServiceCreate(context.Background(), swarm.ServiceSpec{}, types.ServiceCreateOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestServiceCreate(t *testing.T) {
+	expectedURL := "/services/create"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			b, err := json.Marshal(types.ServiceCreateResponse{
+				ID: "service_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	r, err := client.ServiceCreate(context.Background(), swarm.ServiceSpec{}, types.ServiceCreateOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if r.ID != "service_id" {
+		t.Fatalf("expected `service_id`, got %s", r.ID)
+	}
+}
+
+func TestServiceCreateCompatiblePlatforms(t *testing.T) {
+	client := &Client{
+		version: "1.30",
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if strings.HasPrefix(req.URL.Path, "/v1.30/services/create") {
+				var serviceSpec swarm.ServiceSpec
+
+				// check if the /distribution endpoint returned correct output
+				err := json.NewDecoder(req.Body).Decode(&serviceSpec)
+				if err != nil {
+					return nil, err
+				}
+
+				assert.Check(t, is.Equal("foobar:1.0@sha256:c0537ff6a5218ef531ece93d4984efc99bbf3f7497c0a7726c88e2bb7584dc96", serviceSpec.TaskTemplate.ContainerSpec.Image))
+				assert.Check(t, is.Len(serviceSpec.TaskTemplate.Placement.Platforms, 1))
+
+				p := serviceSpec.TaskTemplate.Placement.Platforms[0]
+				b, err := json.Marshal(types.ServiceCreateResponse{
+					ID: "service_" + p.OS + "_" + p.Architecture,
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(b)),
+				}, nil
+			} else if strings.HasPrefix(req.URL.Path, "/v1.30/distribution/") {
+				b, err := json.Marshal(registrytypes.DistributionInspect{
+					Descriptor: v1.Descriptor{
+						Digest: "sha256:c0537ff6a5218ef531ece93d4984efc99bbf3f7497c0a7726c88e2bb7584dc96",
+					},
+					Platforms: []v1.Platform{
+						{
+							Architecture: "amd64",
+							OS:           "linux",
+						},
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(b)),
+				}, nil
+			} else {
+				return nil, fmt.Errorf("unexpected URL '%s'", req.URL.Path)
+			}
+		}),
+	}
+
+	spec := swarm.ServiceSpec{TaskTemplate: swarm.TaskSpec{ContainerSpec: &swarm.ContainerSpec{Image: "foobar:1.0"}}}
+
+	r, err := client.ServiceCreate(context.Background(), spec, types.ServiceCreateOptions{QueryRegistry: true})
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("service_linux_amd64", r.ID))
+}
+
+func TestServiceCreateDigestPinning(t *testing.T) {
+	dgst := "sha256:c0537ff6a5218ef531ece93d4984efc99bbf3f7497c0a7726c88e2bb7584dc96"
+	dgstAlt := "sha256:37ffbf3f7497c07584dc9637ffbf3f7497c0758c0537ffbf3f7497c0c88e2bb7"
+	serviceCreateImage := ""
+	pinByDigestTests := []struct {
+		img      string // input image provided by the user
+		expected string // expected image after digest pinning
+	}{
+		// default registry returns familiar string
+		{"docker.io/library/alpine", "alpine:latest@" + dgst},
+		// provided tag is preserved and digest added
+		{"alpine:edge", "alpine:edge@" + dgst},
+		// image with provided alternative digest remains unchanged
+		{"alpine@" + dgstAlt, "alpine@" + dgstAlt},
+		// image with provided tag and alternative digest remains unchanged
+		{"alpine:edge@" + dgstAlt, "alpine:edge@" + dgstAlt},
+		// image on alternative registry does not result in familiar string
+		{"alternate.registry/library/alpine", "alternate.registry/library/alpine:latest@" + dgst},
+		// unresolvable image does not get a digest
+		{"cannotresolve", "cannotresolve:latest"},
+	}
+
+	client := &Client{
+		version: "1.30",
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if strings.HasPrefix(req.URL.Path, "/v1.30/services/create") {
+				// reset and set image received by the service create endpoint
+				serviceCreateImage = ""
+				var service swarm.ServiceSpec
+				if err := json.NewDecoder(req.Body).Decode(&service); err != nil {
+					return nil, fmt.Errorf("could not parse service create request")
+				}
+				serviceCreateImage = service.TaskTemplate.ContainerSpec.Image
+
+				b, err := json.Marshal(types.ServiceCreateResponse{
+					ID: "service_id",
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(b)),
+				}, nil
+			} else if strings.HasPrefix(req.URL.Path, "/v1.30/distribution/cannotresolve") {
+				// unresolvable image
+				return nil, fmt.Errorf("cannot resolve image")
+			} else if strings.HasPrefix(req.URL.Path, "/v1.30/distribution/") {
+				// resolvable images
+				b, err := json.Marshal(registrytypes.DistributionInspect{
+					Descriptor: v1.Descriptor{
+						Digest: digest.Digest(dgst),
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(b)),
+				}, nil
+			}
+			return nil, fmt.Errorf("unexpected URL '%s'", req.URL.Path)
+		}),
+	}
+
+	// run pin by digest tests
+	for _, p := range pinByDigestTests {
+		r, err := client.ServiceCreate(context.Background(), swarm.ServiceSpec{
+			TaskTemplate: swarm.TaskSpec{
+				ContainerSpec: &swarm.ContainerSpec{
+					Image: p.img,
+				},
+			},
+		}, types.ServiceCreateOptions{QueryRegistry: true})
+
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if r.ID != "service_id" {
+			t.Fatalf("expected `service_id`, got %s", r.ID)
+		}
+
+		if p.expected != serviceCreateImage {
+			t.Fatalf("expected image %s, got %s", p.expected, serviceCreateImage)
+		}
+	}
+}
diff --git a/engine/client/service_inspect.go b/engine/client/service_inspect.go
new file mode 100644
index 00000000..de6aa22d
--- /dev/null
+++ b/engine/client/service_inspect.go
@@ -0,0 +1,37 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// ServiceInspectWithRaw returns the service information and the raw data.
+func (cli *Client) ServiceInspectWithRaw(ctx context.Context, serviceID string, opts types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+	if serviceID == "" {
+		return swarm.Service{}, nil, objectNotFoundError{object: "service", id: serviceID}
+	}
+	query := url.Values{}
+	query.Set("insertDefaults", fmt.Sprintf("%v", opts.InsertDefaults))
+	serverResp, err := cli.get(ctx, "/services/"+serviceID, query, nil)
+	if err != nil {
+		return swarm.Service{}, nil, wrapResponseError(err, serverResp, "service", serviceID)
+	}
+	defer ensureReaderClosed(serverResp)
+
+	body, err := ioutil.ReadAll(serverResp.body)
+	if err != nil {
+		return swarm.Service{}, nil, err
+	}
+
+	var response swarm.Service
+	rdr := bytes.NewReader(body)
+	err = json.NewDecoder(rdr).Decode(&response)
+	return response, body, err
+}
diff --git a/engine/client/service_inspect_test.go b/engine/client/service_inspect_test.go
new file mode 100644
index 00000000..b69332cc
--- /dev/null
+++ b/engine/client/service_inspect_test.go
@@ -0,0 +1,79 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+)
+
+func TestServiceInspectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, _, err := client.ServiceInspectWithRaw(context.Background(), "nothing", types.ServiceInspectOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestServiceInspectServiceNotFound(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Server error")),
+	}
+
+	_, _, err := client.ServiceInspectWithRaw(context.Background(), "unknown", types.ServiceInspectOptions{})
+	if err == nil || !IsErrNotFound(err) {
+		t.Fatalf("expected a serviceNotFoundError error, got %v", err)
+	}
+}
+
+func TestServiceInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, _, err := client.ServiceInspectWithRaw(context.Background(), "", types.ServiceInspectOptions{})
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
+
+func TestServiceInspect(t *testing.T) {
+	expectedURL := "/services/service_id"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			content, err := json.Marshal(swarm.Service{
+				ID: "service_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	serviceInspect, _, err := client.ServiceInspectWithRaw(context.Background(), "service_id", types.ServiceInspectOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if serviceInspect.ID != "service_id" {
+		t.Fatalf("expected `service_id`, got %s", serviceInspect.ID)
+	}
+}
diff --git a/engine/client/service_list.go b/engine/client/service_list.go
new file mode 100644
index 00000000..7d53e2b9
--- /dev/null
+++ b/engine/client/service_list.go
@@ -0,0 +1,35 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// ServiceList returns the list of services.
+func (cli *Client) ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+	query := url.Values{}
+
+	if options.Filters.Len() > 0 {
+		filterJSON, err := filters.ToJSON(options.Filters)
+		if err != nil {
+			return nil, err
+		}
+
+		query.Set("filters", filterJSON)
+	}
+
+	resp, err := cli.get(ctx, "/services", query, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var services []swarm.Service
+	err = json.NewDecoder(resp.body).Decode(&services)
+	ensureReaderClosed(resp)
+	return services, err
+}
diff --git a/engine/client/service_list_test.go b/engine/client/service_list_test.go
new file mode 100644
index 00000000..9903f9e7
--- /dev/null
+++ b/engine/client/service_list_test.go
@@ -0,0 +1,94 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+func TestServiceListError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.ServiceList(context.Background(), types.ServiceListOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestServiceList(t *testing.T) {
+	expectedURL := "/services"
+
+	filters := filters.NewArgs()
+	filters.Add("label", "label1")
+	filters.Add("label", "label2")
+
+	listCases := []struct {
+		options             types.ServiceListOptions
+		expectedQueryParams map[string]string
+	}{
+		{
+			options: types.ServiceListOptions{},
+			expectedQueryParams: map[string]string{
+				"filters": "",
+			},
+		},
+		{
+			options: types.ServiceListOptions{
+				Filters: filters,
+			},
+			expectedQueryParams: map[string]string{
+				"filters": `{"label":{"label1":true,"label2":true}}`,
+			},
+		},
+	}
+	for _, listCase := range listCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				for key, expected := range listCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				content, err := json.Marshal([]swarm.Service{
+					{
+						ID: "service_id1",
+					},
+					{
+						ID: "service_id2",
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+		}
+
+		services, err := client.ServiceList(context.Background(), listCase.options)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(services) != 2 {
+			t.Fatalf("expected 2 services, got %v", services)
+		}
+	}
+}
diff --git a/engine/client/service_logs.go b/engine/client/service_logs.go
new file mode 100644
index 00000000..906fd405
--- /dev/null
+++ b/engine/client/service_logs.go
@@ -0,0 +1,52 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/url"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	timetypes "github.com/docker/docker/api/types/time"
+	"github.com/pkg/errors"
+)
+
+// ServiceLogs returns the logs generated by a service in an io.ReadCloser.
+// It's up to the caller to close the stream.
+func (cli *Client) ServiceLogs(ctx context.Context, serviceID string, options types.ContainerLogsOptions) (io.ReadCloser, error) {
+	query := url.Values{}
+	if options.ShowStdout {
+		query.Set("stdout", "1")
+	}
+
+	if options.ShowStderr {
+		query.Set("stderr", "1")
+	}
+
+	if options.Since != "" {
+		ts, err := timetypes.GetTimestamp(options.Since, time.Now())
+		if err != nil {
+			return nil, errors.Wrap(err, `invalid value for "since"`)
+		}
+		query.Set("since", ts)
+	}
+
+	if options.Timestamps {
+		query.Set("timestamps", "1")
+	}
+
+	if options.Details {
+		query.Set("details", "1")
+	}
+
+	if options.Follow {
+		query.Set("follow", "1")
+	}
+	query.Set("tail", options.Tail)
+
+	resp, err := cli.get(ctx, "/services/"+serviceID+"/logs", query, nil)
+	if err != nil {
+		return nil, err
+	}
+	return resp.body, nil
+}
diff --git a/engine/client/service_logs_test.go b/engine/client/service_logs_test.go
new file mode 100644
index 00000000..28f3ab5c
--- /dev/null
+++ b/engine/client/service_logs_test.go
@@ -0,0 +1,135 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestServiceLogsError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+	_, err := client.ServiceLogs(context.Background(), "service_id", types.ContainerLogsOptions{})
+	assert.Check(t, is.Error(err, "Error response from daemon: Server error"))
+	_, err = client.ServiceLogs(context.Background(), "service_id", types.ContainerLogsOptions{
+		Since: "2006-01-02TZ",
+	})
+	assert.Check(t, is.ErrorContains(err, `parsing time "2006-01-02TZ"`))
+}
+
+func TestServiceLogs(t *testing.T) {
+	expectedURL := "/services/service_id/logs"
+	cases := []struct {
+		options             types.ContainerLogsOptions
+		expectedQueryParams map[string]string
+		expectedError       string
+	}{
+		{
+			expectedQueryParams: map[string]string{
+				"tail": "",
+			},
+		},
+		{
+			options: types.ContainerLogsOptions{
+				Tail: "any",
+			},
+			expectedQueryParams: map[string]string{
+				"tail": "any",
+			},
+		},
+		{
+			options: types.ContainerLogsOptions{
+				ShowStdout: true,
+				ShowStderr: true,
+				Timestamps: true,
+				Details:    true,
+				Follow:     true,
+			},
+			expectedQueryParams: map[string]string{
+				"tail":       "",
+				"stdout":     "1",
+				"stderr":     "1",
+				"timestamps": "1",
+				"details":    "1",
+				"follow":     "1",
+			},
+		},
+		{
+			options: types.ContainerLogsOptions{
+				// timestamp will be passed as is
+				Since: "1136073600.000000001",
+			},
+			expectedQueryParams: map[string]string{
+				"tail":  "",
+				"since": "1136073600.000000001",
+			},
+		},
+		{
+			options: types.ContainerLogsOptions{
+				// An complete invalid date will not be passed
+				Since: "invalid value",
+			},
+			expectedError: `invalid value for "since": failed to parse value as time or duration: "invalid value"`,
+		},
+	}
+	for _, logCase := range cases {
+		client := &Client{
+			client: newMockClient(func(r *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(r.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("expected URL '%s', got '%s'", expectedURL, r.URL)
+				}
+				// Check query parameters
+				query := r.URL.Query()
+				for key, expected := range logCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte("response"))),
+				}, nil
+			}),
+		}
+		body, err := client.ServiceLogs(context.Background(), "service_id", logCase.options)
+		if logCase.expectedError != "" {
+			assert.Check(t, is.Error(err, logCase.expectedError))
+			continue
+		}
+		assert.NilError(t, err)
+		defer body.Close()
+		content, err := ioutil.ReadAll(body)
+		assert.NilError(t, err)
+		assert.Check(t, is.Contains(string(content), "response"))
+	}
+}
+
+func ExampleClient_ServiceLogs_withTimeout() {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	client, _ := NewEnvClient()
+	reader, err := client.ServiceLogs(ctx, "service_id", types.ContainerLogsOptions{})
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	_, err = io.Copy(os.Stdout, reader)
+	if err != nil && err != io.EOF {
+		log.Fatal(err)
+	}
+}
diff --git a/engine/client/service_remove.go b/engine/client/service_remove.go
new file mode 100644
index 00000000..fe3421be
--- /dev/null
+++ b/engine/client/service_remove.go
@@ -0,0 +1,10 @@
+package client // import "github.com/docker/docker/client"
+
+import "context"
+
+// ServiceRemove kills and removes a service.
+func (cli *Client) ServiceRemove(ctx context.Context, serviceID string) error {
+	resp, err := cli.delete(ctx, "/services/"+serviceID, nil, nil)
+	ensureReaderClosed(resp)
+	return wrapResponseError(err, resp, "service", serviceID)
+}
diff --git a/engine/client/service_remove_test.go b/engine/client/service_remove_test.go
new file mode 100644
index 00000000..d2379a13
--- /dev/null
+++ b/engine/client/service_remove_test.go
@@ -0,0 +1,57 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestServiceRemoveError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.ServiceRemove(context.Background(), "service_id")
+	assert.Check(t, is.Error(err, "Error response from daemon: Server error"))
+}
+
+func TestServiceRemoveNotFoundError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "missing")),
+	}
+
+	err := client.ServiceRemove(context.Background(), "service_id")
+	assert.Check(t, is.Error(err, "Error: No such service: service_id"))
+	assert.Check(t, IsErrNotFound(err))
+}
+
+func TestServiceRemove(t *testing.T) {
+	expectedURL := "/services/service_id"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "DELETE" {
+				return nil, fmt.Errorf("expected DELETE method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+			}, nil
+		}),
+	}
+
+	err := client.ServiceRemove(context.Background(), "service_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/service_update.go b/engine/client/service_update.go
new file mode 100644
index 00000000..5a7a61b0
--- /dev/null
+++ b/engine/client/service_update.go
@@ -0,0 +1,92 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+	"strconv"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// ServiceUpdate updates a Service.
+func (cli *Client) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
+	var (
+		query   = url.Values{}
+		distErr error
+	)
+
+	headers := map[string][]string{
+		"version": {cli.version},
+	}
+
+	if options.EncodedRegistryAuth != "" {
+		headers["X-Registry-Auth"] = []string{options.EncodedRegistryAuth}
+	}
+
+	if options.RegistryAuthFrom != "" {
+		query.Set("registryAuthFrom", options.RegistryAuthFrom)
+	}
+
+	if options.Rollback != "" {
+		query.Set("rollback", options.Rollback)
+	}
+
+	query.Set("version", strconv.FormatUint(version.Index, 10))
+
+	if err := validateServiceSpec(service); err != nil {
+		return types.ServiceUpdateResponse{}, err
+	}
+
+	var imgPlatforms []swarm.Platform
+	// ensure that the image is tagged
+	if service.TaskTemplate.ContainerSpec != nil {
+		if taggedImg := imageWithTagString(service.TaskTemplate.ContainerSpec.Image); taggedImg != "" {
+			service.TaskTemplate.ContainerSpec.Image = taggedImg
+		}
+		if options.QueryRegistry {
+			var img string
+			img, imgPlatforms, distErr = imageDigestAndPlatforms(ctx, cli, service.TaskTemplate.ContainerSpec.Image, options.EncodedRegistryAuth)
+			if img != "" {
+				service.TaskTemplate.ContainerSpec.Image = img
+			}
+		}
+	}
+
+	// ensure that the image is tagged
+	if service.TaskTemplate.PluginSpec != nil {
+		if taggedImg := imageWithTagString(service.TaskTemplate.PluginSpec.Remote); taggedImg != "" {
+			service.TaskTemplate.PluginSpec.Remote = taggedImg
+		}
+		if options.QueryRegistry {
+			var img string
+			img, imgPlatforms, distErr = imageDigestAndPlatforms(ctx, cli, service.TaskTemplate.PluginSpec.Remote, options.EncodedRegistryAuth)
+			if img != "" {
+				service.TaskTemplate.PluginSpec.Remote = img
+			}
+		}
+	}
+
+	if service.TaskTemplate.Placement == nil && len(imgPlatforms) > 0 {
+		service.TaskTemplate.Placement = &swarm.Placement{}
+	}
+	if len(imgPlatforms) > 0 {
+		service.TaskTemplate.Placement.Platforms = imgPlatforms
+	}
+
+	var response types.ServiceUpdateResponse
+	resp, err := cli.post(ctx, "/services/"+serviceID+"/update", query, service, headers)
+	if err != nil {
+		return response, err
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&response)
+
+	if distErr != nil {
+		response.Warnings = append(response.Warnings, digestWarning(service.TaskTemplate.ContainerSpec.Image))
+	}
+
+	ensureReaderClosed(resp)
+	return response, err
+}
diff --git a/engine/client/service_update_test.go b/engine/client/service_update_test.go
new file mode 100644
index 00000000..9a0a9ce0
--- /dev/null
+++ b/engine/client/service_update_test.go
@@ -0,0 +1,76 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+func TestServiceUpdateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.ServiceUpdate(context.Background(), "service_id", swarm.Version{}, swarm.ServiceSpec{}, types.ServiceUpdateOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestServiceUpdate(t *testing.T) {
+	expectedURL := "/services/service_id/update"
+
+	updateCases := []struct {
+		swarmVersion    swarm.Version
+		expectedVersion string
+	}{
+		{
+			expectedVersion: "0",
+		},
+		{
+			swarmVersion: swarm.Version{
+				Index: 0,
+			},
+			expectedVersion: "0",
+		},
+		{
+			swarmVersion: swarm.Version{
+				Index: 10,
+			},
+			expectedVersion: "10",
+		},
+	}
+
+	for _, updateCase := range updateCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				if req.Method != "POST" {
+					return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+				}
+				version := req.URL.Query().Get("version")
+				if version != updateCase.expectedVersion {
+					return nil, fmt.Errorf("version not set in URL query properly, expected '%s', got %s", updateCase.expectedVersion, version)
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte("{}"))),
+				}, nil
+			}),
+		}
+
+		_, err := client.ServiceUpdate(context.Background(), "service_id", updateCase.swarmVersion, swarm.ServiceSpec{}, types.ServiceUpdateOptions{})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+}
diff --git a/engine/client/session.go b/engine/client/session.go
new file mode 100644
index 00000000..c247123b
--- /dev/null
+++ b/engine/client/session.go
@@ -0,0 +1,18 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net"
+	"net/http"
+)
+
+// DialSession returns a connection that can be used communication with daemon
+func (cli *Client) DialSession(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error) {
+	req, err := http.NewRequest("POST", "/session", nil)
+	if err != nil {
+		return nil, err
+	}
+	req = cli.addHeaders(req, meta)
+
+	return cli.setupHijackConn(req, proto)
+}
diff --git a/engine/client/swarm_get_unlock_key.go b/engine/client/swarm_get_unlock_key.go
new file mode 100644
index 00000000..0c50c01a
--- /dev/null
+++ b/engine/client/swarm_get_unlock_key.go
@@ -0,0 +1,21 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/docker/docker/api/types"
+)
+
+// SwarmGetUnlockKey retrieves the swarm's unlock key.
+func (cli *Client) SwarmGetUnlockKey(ctx context.Context) (types.SwarmUnlockKeyResponse, error) {
+	serverResp, err := cli.get(ctx, "/swarm/unlockkey", nil, nil)
+	if err != nil {
+		return types.SwarmUnlockKeyResponse{}, err
+	}
+
+	var response types.SwarmUnlockKeyResponse
+	err = json.NewDecoder(serverResp.body).Decode(&response)
+	ensureReaderClosed(serverResp)
+	return response, err
+}
diff --git a/engine/client/swarm_get_unlock_key_test.go b/engine/client/swarm_get_unlock_key_test.go
new file mode 100644
index 00000000..a1e460c1
--- /dev/null
+++ b/engine/client/swarm_get_unlock_key_test.go
@@ -0,0 +1,59 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSwarmGetUnlockKeyError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.SwarmGetUnlockKey(context.Background())
+	assert.Check(t, is.ErrorContains(err, "Error response from daemon: Server error"))
+}
+
+func TestSwarmGetUnlockKey(t *testing.T) {
+	expectedURL := "/swarm/unlockkey"
+	unlockKey := "SWMKEY-1-y6guTZNTwpQeTL5RhUfOsdBdXoQjiB2GADHSRJvbXeE"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "GET" {
+				return nil, fmt.Errorf("expected GET method, got %s", req.Method)
+			}
+
+			key := types.SwarmUnlockKeyResponse{
+				UnlockKey: unlockKey,
+			}
+
+			b, err := json.Marshal(key)
+			if err != nil {
+				return nil, err
+			}
+
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(b)),
+			}, nil
+		}),
+	}
+
+	resp, err := client.SwarmGetUnlockKey(context.Background())
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(unlockKey, resp.UnlockKey))
+}
diff --git a/engine/client/swarm_init.go b/engine/client/swarm_init.go
new file mode 100644
index 00000000..742ca0f0
--- /dev/null
+++ b/engine/client/swarm_init.go
@@ -0,0 +1,21 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// SwarmInit initializes the swarm.
+func (cli *Client) SwarmInit(ctx context.Context, req swarm.InitRequest) (string, error) {
+	serverResp, err := cli.post(ctx, "/swarm/init", nil, req, nil)
+	if err != nil {
+		return "", err
+	}
+
+	var response string
+	err = json.NewDecoder(serverResp.body).Decode(&response)
+	ensureReaderClosed(serverResp)
+	return response, err
+}
diff --git a/engine/client/swarm_init_test.go b/engine/client/swarm_init_test.go
new file mode 100644
index 00000000..1abadc75
--- /dev/null
+++ b/engine/client/swarm_init_test.go
@@ -0,0 +1,53 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+func TestSwarmInitError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.SwarmInit(context.Background(), swarm.InitRequest{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSwarmInit(t *testing.T) {
+	expectedURL := "/swarm/init"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(`"body"`))),
+			}, nil
+		}),
+	}
+
+	resp, err := client.SwarmInit(context.Background(), swarm.InitRequest{
+		ListenAddr: "0.0.0.0:2377",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp != "body" {
+		t.Fatalf("Expected 'body', got %s", resp)
+	}
+}
diff --git a/engine/client/swarm_inspect.go b/engine/client/swarm_inspect.go
new file mode 100644
index 00000000..cfaabb25
--- /dev/null
+++ b/engine/client/swarm_inspect.go
@@ -0,0 +1,21 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// SwarmInspect inspects the swarm.
+func (cli *Client) SwarmInspect(ctx context.Context) (swarm.Swarm, error) {
+	serverResp, err := cli.get(ctx, "/swarm", nil, nil)
+	if err != nil {
+		return swarm.Swarm{}, err
+	}
+
+	var response swarm.Swarm
+	err = json.NewDecoder(serverResp.body).Decode(&response)
+	ensureReaderClosed(serverResp)
+	return response, err
+}
diff --git a/engine/client/swarm_inspect_test.go b/engine/client/swarm_inspect_test.go
new file mode 100644
index 00000000..954adc94
--- /dev/null
+++ b/engine/client/swarm_inspect_test.go
@@ -0,0 +1,56 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+func TestSwarmInspectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.SwarmInspect(context.Background())
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSwarmInspect(t *testing.T) {
+	expectedURL := "/swarm"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			content, err := json.Marshal(swarm.Swarm{
+				ClusterInfo: swarm.ClusterInfo{
+					ID: "swarm_id",
+				},
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	swarmInspect, err := client.SwarmInspect(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+	if swarmInspect.ID != "swarm_id" {
+		t.Fatalf("expected `swarm_id`, got %s", swarmInspect.ID)
+	}
+}
diff --git a/engine/client/swarm_join.go b/engine/client/swarm_join.go
new file mode 100644
index 00000000..a1cf0455
--- /dev/null
+++ b/engine/client/swarm_join.go
@@ -0,0 +1,14 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// SwarmJoin joins the swarm.
+func (cli *Client) SwarmJoin(ctx context.Context, req swarm.JoinRequest) error {
+	resp, err := cli.post(ctx, "/swarm/join", nil, req, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/swarm_join_test.go b/engine/client/swarm_join_test.go
new file mode 100644
index 00000000..e67f2bde
--- /dev/null
+++ b/engine/client/swarm_join_test.go
@@ -0,0 +1,50 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+func TestSwarmJoinError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.SwarmJoin(context.Background(), swarm.JoinRequest{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSwarmJoin(t *testing.T) {
+	expectedURL := "/swarm/join"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.SwarmJoin(context.Background(), swarm.JoinRequest{
+		ListenAddr: "0.0.0.0:2377",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/swarm_leave.go b/engine/client/swarm_leave.go
new file mode 100644
index 00000000..90ca84b3
--- /dev/null
+++ b/engine/client/swarm_leave.go
@@ -0,0 +1,17 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+)
+
+// SwarmLeave leaves the swarm.
+func (cli *Client) SwarmLeave(ctx context.Context, force bool) error {
+	query := url.Values{}
+	if force {
+		query.Set("force", "1")
+	}
+	resp, err := cli.post(ctx, "/swarm/leave", query, nil, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/swarm_leave_test.go b/engine/client/swarm_leave_test.go
new file mode 100644
index 00000000..3dd3711d
--- /dev/null
+++ b/engine/client/swarm_leave_test.go
@@ -0,0 +1,65 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestSwarmLeaveError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.SwarmLeave(context.Background(), false)
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSwarmLeave(t *testing.T) {
+	expectedURL := "/swarm/leave"
+
+	leaveCases := []struct {
+		force         bool
+		expectedForce string
+	}{
+		{
+			expectedForce: "",
+		},
+		{
+			force:         true,
+			expectedForce: "1",
+		},
+	}
+
+	for _, leaveCase := range leaveCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				if req.Method != "POST" {
+					return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+				}
+				force := req.URL.Query().Get("force")
+				if force != leaveCase.expectedForce {
+					return nil, fmt.Errorf("force not set in URL query properly. expected '%s', got %s", leaveCase.expectedForce, force)
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+				}, nil
+			}),
+		}
+
+		err := client.SwarmLeave(context.Background(), leaveCase.force)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+}
diff --git a/engine/client/swarm_unlock.go b/engine/client/swarm_unlock.go
new file mode 100644
index 00000000..d2412f7d
--- /dev/null
+++ b/engine/client/swarm_unlock.go
@@ -0,0 +1,14 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// SwarmUnlock unlocks locked swarm.
+func (cli *Client) SwarmUnlock(ctx context.Context, req swarm.UnlockRequest) error {
+	serverResp, err := cli.post(ctx, "/swarm/unlock", nil, req, nil)
+	ensureReaderClosed(serverResp)
+	return err
+}
diff --git a/engine/client/swarm_unlock_test.go b/engine/client/swarm_unlock_test.go
new file mode 100644
index 00000000..b3bcc5d9
--- /dev/null
+++ b/engine/client/swarm_unlock_test.go
@@ -0,0 +1,48 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+func TestSwarmUnlockError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.SwarmUnlock(context.Background(), swarm.UnlockRequest{UnlockKey: "SWMKEY-1-y6guTZNTwpQeTL5RhUfOsdBdXoQjiB2GADHSRJvbXeU"})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSwarmUnlock(t *testing.T) {
+	expectedURL := "/swarm/unlock"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.SwarmUnlock(context.Background(), swarm.UnlockRequest{UnlockKey: "SWMKEY-1-y6guTZNTwpQeTL5RhUfOsdBdXoQjiB2GADHSRJvbXeU"})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/swarm_update.go b/engine/client/swarm_update.go
new file mode 100644
index 00000000..56a5bea7
--- /dev/null
+++ b/engine/client/swarm_update.go
@@ -0,0 +1,22 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"strconv"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// SwarmUpdate updates the swarm.
+func (cli *Client) SwarmUpdate(ctx context.Context, version swarm.Version, swarm swarm.Spec, flags swarm.UpdateFlags) error {
+	query := url.Values{}
+	query.Set("version", strconv.FormatUint(version.Index, 10))
+	query.Set("rotateWorkerToken", fmt.Sprintf("%v", flags.RotateWorkerToken))
+	query.Set("rotateManagerToken", fmt.Sprintf("%v", flags.RotateManagerToken))
+	query.Set("rotateManagerUnlockKey", fmt.Sprintf("%v", flags.RotateManagerUnlockKey))
+	resp, err := cli.post(ctx, "/swarm/update", query, swarm, nil)
+	ensureReaderClosed(resp)
+	return err
+}
diff --git a/engine/client/swarm_update_test.go b/engine/client/swarm_update_test.go
new file mode 100644
index 00000000..e908bf78
--- /dev/null
+++ b/engine/client/swarm_update_test.go
@@ -0,0 +1,48 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+func TestSwarmUpdateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.SwarmUpdate(context.Background(), swarm.Version{}, swarm.Spec{}, swarm.UpdateFlags{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestSwarmUpdate(t *testing.T) {
+	expectedURL := "/swarm/update"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte(""))),
+			}, nil
+		}),
+	}
+
+	err := client.SwarmUpdate(context.Background(), swarm.Version{}, swarm.Spec{}, swarm.UpdateFlags{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/client/task_inspect.go b/engine/client/task_inspect.go
new file mode 100644
index 00000000..e1c0a736
--- /dev/null
+++ b/engine/client/task_inspect.go
@@ -0,0 +1,32 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io/ioutil"
+
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// TaskInspectWithRaw returns the task information and its raw representation..
+func (cli *Client) TaskInspectWithRaw(ctx context.Context, taskID string) (swarm.Task, []byte, error) {
+	if taskID == "" {
+		return swarm.Task{}, nil, objectNotFoundError{object: "task", id: taskID}
+	}
+	serverResp, err := cli.get(ctx, "/tasks/"+taskID, nil, nil)
+	if err != nil {
+		return swarm.Task{}, nil, wrapResponseError(err, serverResp, "task", taskID)
+	}
+	defer ensureReaderClosed(serverResp)
+
+	body, err := ioutil.ReadAll(serverResp.body)
+	if err != nil {
+		return swarm.Task{}, nil, err
+	}
+
+	var response swarm.Task
+	rdr := bytes.NewReader(body)
+	err = json.NewDecoder(rdr).Decode(&response)
+	return response, body, err
+}
diff --git a/engine/client/task_inspect_test.go b/engine/client/task_inspect_test.go
new file mode 100644
index 00000000..fe5c5bd7
--- /dev/null
+++ b/engine/client/task_inspect_test.go
@@ -0,0 +1,67 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/pkg/errors"
+)
+
+func TestTaskInspectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, _, err := client.TaskInspectWithRaw(context.Background(), "nothing")
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestTaskInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, _, err := client.TaskInspectWithRaw(context.Background(), "")
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
+
+func TestTaskInspect(t *testing.T) {
+	expectedURL := "/tasks/task_id"
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			content, err := json.Marshal(swarm.Task{
+				ID: "task_id",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	taskInspect, _, err := client.TaskInspectWithRaw(context.Background(), "task_id")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if taskInspect.ID != "task_id" {
+		t.Fatalf("expected `task_id`, got %s", taskInspect.ID)
+	}
+}
diff --git a/engine/client/task_list.go b/engine/client/task_list.go
new file mode 100644
index 00000000..42d20c1b
--- /dev/null
+++ b/engine/client/task_list.go
@@ -0,0 +1,35 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+// TaskList returns the list of tasks.
+func (cli *Client) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+	query := url.Values{}
+
+	if options.Filters.Len() > 0 {
+		filterJSON, err := filters.ToJSON(options.Filters)
+		if err != nil {
+			return nil, err
+		}
+
+		query.Set("filters", filterJSON)
+	}
+
+	resp, err := cli.get(ctx, "/tasks", query, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var tasks []swarm.Task
+	err = json.NewDecoder(resp.body).Decode(&tasks)
+	ensureReaderClosed(resp)
+	return tasks, err
+}
diff --git a/engine/client/task_list_test.go b/engine/client/task_list_test.go
new file mode 100644
index 00000000..16d0edaa
--- /dev/null
+++ b/engine/client/task_list_test.go
@@ -0,0 +1,94 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+func TestTaskListError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.TaskList(context.Background(), types.TaskListOptions{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestTaskList(t *testing.T) {
+	expectedURL := "/tasks"
+
+	filters := filters.NewArgs()
+	filters.Add("label", "label1")
+	filters.Add("label", "label2")
+
+	listCases := []struct {
+		options             types.TaskListOptions
+		expectedQueryParams map[string]string
+	}{
+		{
+			options: types.TaskListOptions{},
+			expectedQueryParams: map[string]string{
+				"filters": "",
+			},
+		},
+		{
+			options: types.TaskListOptions{
+				Filters: filters,
+			},
+			expectedQueryParams: map[string]string{
+				"filters": `{"label":{"label1":true,"label2":true}}`,
+			},
+		},
+	}
+	for _, listCase := range listCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				for key, expected := range listCase.expectedQueryParams {
+					actual := query.Get(key)
+					if actual != expected {
+						return nil, fmt.Errorf("%s not set in URL query properly. Expected '%s', got %s", key, expected, actual)
+					}
+				}
+				content, err := json.Marshal([]swarm.Task{
+					{
+						ID: "task_id1",
+					},
+					{
+						ID: "task_id2",
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+		}
+
+		tasks, err := client.TaskList(context.Background(), listCase.options)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(tasks) != 2 {
+			t.Fatalf("expected 2 tasks, got %v", tasks)
+		}
+	}
+}
diff --git a/engine/client/task_logs.go b/engine/client/task_logs.go
new file mode 100644
index 00000000..6222fab5
--- /dev/null
+++ b/engine/client/task_logs.go
@@ -0,0 +1,51 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"io"
+	"net/url"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	timetypes "github.com/docker/docker/api/types/time"
+)
+
+// TaskLogs returns the logs generated by a task in an io.ReadCloser.
+// It's up to the caller to close the stream.
+func (cli *Client) TaskLogs(ctx context.Context, taskID string, options types.ContainerLogsOptions) (io.ReadCloser, error) {
+	query := url.Values{}
+	if options.ShowStdout {
+		query.Set("stdout", "1")
+	}
+
+	if options.ShowStderr {
+		query.Set("stderr", "1")
+	}
+
+	if options.Since != "" {
+		ts, err := timetypes.GetTimestamp(options.Since, time.Now())
+		if err != nil {
+			return nil, err
+		}
+		query.Set("since", ts)
+	}
+
+	if options.Timestamps {
+		query.Set("timestamps", "1")
+	}
+
+	if options.Details {
+		query.Set("details", "1")
+	}
+
+	if options.Follow {
+		query.Set("follow", "1")
+	}
+	query.Set("tail", options.Tail)
+
+	resp, err := cli.get(ctx, "/tasks/"+taskID+"/logs", query, nil)
+	if err != nil {
+		return nil, err
+	}
+	return resp.body, nil
+}
diff --git a/engine/client/testdata/ca.pem b/engine/client/testdata/ca.pem
new file mode 100644
index 00000000..ad14d470
--- /dev/null
+++ b/engine/client/testdata/ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0jCCAbqgAwIBAgIRAILlP5WWLaHkQ/m2ASHP7SowDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEChMHdmluY2VudDAeFw0xNjAzMjQxMDE5MDBaFw0xOTAzMDkxMDE5
+MDBaMBIxEDAOBgNVBAoTB3ZpbmNlbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQD0yZPKAGncoaxaU/QW9tWEHbrvDoGVF/65L8Si/jBrlAgLjhmmV1di
+vKG9QPzuU8snxHro3/uCwyA6kTqw0U8bGwHxJq2Bpa6JBYj8N2jMJ+M+sjXgSo2t
+E0zIzjTW2Pir3C8qwfrVL6NFp9xClwMD23SFZ0UsEH36NkfyrKBVeM8IOjJd4Wjs
+xIcuvF3BTVkji84IJBW2JIKf9ZrzJwUlSCPgptRp4Evdbyp5d+UPxtwxD7qjW4lM
+yQQ8vfcC4lKkVx5s/RNJ4fzd5uEgLdEbZ20qt7Zt/bLcxFHpUhH2teA0QjmrOWFh
+gbL83s95/+hbSVhsO4hoFW7vTeiCCY4xAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwIC
+rDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBY51RHajuDuhO2
+tcm26jeNROzfffnjhvbOVPjSEdo9vI3JpMU/RuQw+nbNcLwJrdjL6UH7tD/36Y+q
+NXH+xSIjWFH0zXGxrIUsVrvt6f8CbOvw7vD+gygOG+849PDQMbL6czP8rvXY7vZV
+9pdpQfrENk4b5kePRW/6HaGSTvtgN7XOrYD9fp3pm/G534T2e3IxgYMRNwdB9Ul9
+bLwMqQqf4eiqqMs6x4IVmZUkGVMKiFKcvkNg9a+Ozx5pMizHeAezWMcZ5V+QJZVT
+8lElSCKZ2Yy2xkcl7aeQMLwcAeZwfTp+Yu9dVzlqXiiBTLd1+LtAQCuKHzmw4Q8k
+EvD5m49l
+-----END CERTIFICATE-----
diff --git a/engine/client/testdata/cert.pem b/engine/client/testdata/cert.pem
new file mode 100644
index 00000000..9000ffb3
--- /dev/null
+++ b/engine/client/testdata/cert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8DCCAdigAwIBAgIRAJAS1glgcke4q7eCaretwgUwDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEChMHdmluY2VudDAeFw0xNjAzMjQxMDE5MDBaFw0xOTAzMDkxMDE5
+MDBaMB4xHDAaBgNVBAoME3ZpbmNlbnQuPGJvb3RzdHJhcD4wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQClpvG442dGEvrRgmCrqY4kBml1LVlw2Y7ZDn6B
+TKa52+MuGDmfXbO1UhclNqTXjLgAwKjPz/OvnPRxNEUoQEDbBd+Xev7rxTY5TvYI
+27YH3fMH2LL2j62jum649abfhZ6ekD5eD8tCn3mnrEOgqRIlK7efPIVixq/ZqU1H
+7ez0ggB7dmWHlhnUaxyQOCSnAX/7nKYQXqZgVvGhDeR2jp7GcnhbK/qPrZ/mOm83
+2IjCeYN145opYlzTSp64GYIZz7uqMNcnDKK37ZbS8MYcTjrRaHEiqZVVdIC+ghbx
+qYqzbZRVfgztI9jwmifn0mYrN4yt+nhNYwBcRJ4Pv3uLFbo7AgMBAAGjNTAzMA4G
+A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
+MA0GCSqGSIb3DQEBCwUAA4IBAQDg1r7nksjYgDFYEcBbrRrRHddIoK+RVmSBTTrq
+8giC77m0srKdh9XTVWK1PUbGfODV1oD8m9QhPE8zPDyYQ8jeXNRSU5wXdkrTRmmY
+w/T3SREqmE7CObMtusokHidjYFuqqCR07sJzqBKRlzr3o0EGe3tuEhUlF5ARY028
+eipaDcVlT5ChGcDa6LeJ4e05u4cVap0dd6Rp1w3Rx1AYAecdgtgBMnw1iWdl/nrC
+sp26ZXNaAhFOUovlY9VY257AMd9hQV7WvAK4yNEHcckVu3uXTBmDgNSOPtl0QLsL
+Kjlj75ksCx8nCln/hCut/0+kGTsGZqdV5c6ktgcGYRir/5Hs
+-----END CERTIFICATE-----
diff --git a/engine/client/testdata/key.pem b/engine/client/testdata/key.pem
new file mode 100644
index 00000000..c0869dfc
--- /dev/null
+++ b/engine/client/testdata/key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEApabxuONnRhL60YJgq6mOJAZpdS1ZcNmO2Q5+gUymudvjLhg5
+n12ztVIXJTak14y4AMCoz8/zr5z0cTRFKEBA2wXfl3r+68U2OU72CNu2B93zB9iy
+9o+to7puuPWm34WenpA+Xg/LQp95p6xDoKkSJSu3nzyFYsav2alNR+3s9IIAe3Zl
+h5YZ1GsckDgkpwF/+5ymEF6mYFbxoQ3kdo6exnJ4Wyv6j62f5jpvN9iIwnmDdeOa
+KWJc00qeuBmCGc+7qjDXJwyit+2W0vDGHE460WhxIqmVVXSAvoIW8amKs22UVX4M
+7SPY8Jon59JmKzeMrfp4TWMAXESeD797ixW6OwIDAQABAoIBAHfyAAleL8NfrtnR
+S+pApbmUIvxD0AWUooispBE/zWG6xC72P5MTqDJctIGvpYCmVf3Fgvamns7EGYN2
+07Sngc6V3Ca1WqyhaffpIuGbJZ1gqr89u6gotRRexBmNVj13ZTlvPJmjWgxtqQsu
+AvHsOkVL+HOGwRaaw24Z1umEcBVCepl7PGTqsLeJUtBUZBiqdJTu4JYLAB6BggBI
+OxhHoTWvlNWwzezo2C/IXkXcXD/tp3i5vTn5rAXHSMQkdMAUh7/xJ73Fl36gxZhp
+W7NoPKaS9qNh8jhs6p54S7tInb6+mrKtvRFKl5XAR3istXrXteT5UaukpuBbQ/5d
+qf4BXuECgYEAzoOKxMee5tG/G9iC6ImNq5xGAZm0OnmteNgIEQj49If1Q68av525
+FioqdC9zV+blfHQqXEIUeum4JAou4xqmB8Lw2H0lYwOJ1IkpUy3QJjU1IrI+U5Qy
+ryZuA9cxSTLf1AJFbROsoZDpjaBh0uUQkD/4PHpwXMgHu/3CaJ4nTEkCgYEAzVjE
+VWgczWJGyRxmHSeR51ft1jrlChZHEd3HwgLfo854JIj+MGUH4KPLSMIkYNuyiwNQ
+W7zdXCB47U8afSL/lPTv1M5+ZsWY6sZAT6gtp/IeU0Va943h9cj10fAOBJaz1H6M
+jnZS4jjWhVInE7wpCDVCwDRoHHJ84kb6JeflamMCgYBDQDcKie9HP3q6uLE4xMKr
+5gIuNz2n5UQGnGNUGNXp2/SVDArr55MEksqsd19aesi01KeOz74XoNDke6R1NJJo
+6KTB+08XhWl3GwuoGL02FBGvsNf3I8W1oBAnlAZqzfRx+CNfuA55ttU318jDgvD3
+6L0QBNdef411PNf4dbhacQKBgAd/e0PHFm4lbYJAaDYeUMSKwGN3KQ/SOmwblgSu
+iC36BwcGfYmU1tHMCUsx05Q50W4kA9Ylskt/4AqCPexdz8lHnE4/7/uesXO5I3YF
+JQ2h2Jufx6+MXbjUyq0Mv+ZI/m3+5PD6vxIFk0ew9T5SO4lSMIrGHxsSzx6QCuhB
+bG4TAoGBAJ5PWG7d2CyCjLtfF8J4NxykRvIQ8l/3kDvDdNrXiXbgonojo2lgRYaM
+5LoK9ApN8KHdedpTRipBaDA22Sp5SjMcUE7A6q42PJCL9r+BRYF0foFQx/rqpCff
+pVWKgwIPoKnfxDqN1RUgyFcx1jbA3XVJZCuT+wbMuDQ9nlvulD1W
+-----END RSA PRIVATE KEY-----
diff --git a/engine/client/transport.go b/engine/client/transport.go
new file mode 100644
index 00000000..55413443
--- /dev/null
+++ b/engine/client/transport.go
@@ -0,0 +1,17 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"crypto/tls"
+	"net/http"
+)
+
+// resolveTLSConfig attempts to resolve the TLS configuration from the
+// RoundTripper.
+func resolveTLSConfig(transport http.RoundTripper) *tls.Config {
+	switch tr := transport.(type) {
+	case *http.Transport:
+		return tr.TLSClientConfig
+	default:
+		return nil
+	}
+}
diff --git a/engine/client/utils.go b/engine/client/utils.go
new file mode 100644
index 00000000..7f3ff44e
--- /dev/null
+++ b/engine/client/utils.go
@@ -0,0 +1,34 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"net/url"
+	"regexp"
+
+	"github.com/docker/docker/api/types/filters"
+)
+
+var headerRegexp = regexp.MustCompile(`\ADocker/.+\s\((.+)\)\z`)
+
+// getDockerOS returns the operating system based on the server header from the daemon.
+func getDockerOS(serverHeader string) string {
+	var osType string
+	matches := headerRegexp.FindStringSubmatch(serverHeader)
+	if len(matches) > 0 {
+		osType = matches[1]
+	}
+	return osType
+}
+
+// getFiltersQuery returns a url query with "filters" query term, based on the
+// filters provided.
+func getFiltersQuery(f filters.Args) (url.Values, error) {
+	query := url.Values{}
+	if f.Len() > 0 {
+		filterJSON, err := filters.ToJSON(f)
+		if err != nil {
+			return query, err
+		}
+		query.Set("filters", filterJSON)
+	}
+	return query, nil
+}
diff --git a/engine/client/version.go b/engine/client/version.go
new file mode 100644
index 00000000..1989f6d6
--- /dev/null
+++ b/engine/client/version.go
@@ -0,0 +1,21 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/docker/docker/api/types"
+)
+
+// ServerVersion returns information of the docker client and server host.
+func (cli *Client) ServerVersion(ctx context.Context) (types.Version, error) {
+	resp, err := cli.get(ctx, "/version", nil, nil)
+	if err != nil {
+		return types.Version{}, err
+	}
+
+	var server types.Version
+	err = json.NewDecoder(resp.body).Decode(&server)
+	ensureReaderClosed(resp)
+	return server, err
+}
diff --git a/engine/client/volume_create.go b/engine/client/volume_create.go
new file mode 100644
index 00000000..f1f6fcdc
--- /dev/null
+++ b/engine/client/volume_create.go
@@ -0,0 +1,21 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/docker/docker/api/types"
+	volumetypes "github.com/docker/docker/api/types/volume"
+)
+
+// VolumeCreate creates a volume in the docker host.
+func (cli *Client) VolumeCreate(ctx context.Context, options volumetypes.VolumeCreateBody) (types.Volume, error) {
+	var volume types.Volume
+	resp, err := cli.post(ctx, "/volumes/create", nil, options, nil)
+	if err != nil {
+		return volume, err
+	}
+	err = json.NewDecoder(resp.body).Decode(&volume)
+	ensureReaderClosed(resp)
+	return volume, err
+}
diff --git a/engine/client/volume_create_test.go b/engine/client/volume_create_test.go
new file mode 100644
index 00000000..cfab1918
--- /dev/null
+++ b/engine/client/volume_create_test.go
@@ -0,0 +1,75 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	volumetypes "github.com/docker/docker/api/types/volume"
+)
+
+func TestVolumeCreateError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.VolumeCreate(context.Background(), volumetypes.VolumeCreateBody{})
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestVolumeCreate(t *testing.T) {
+	expectedURL := "/volumes/create"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+
+			if req.Method != "POST" {
+				return nil, fmt.Errorf("expected POST method, got %s", req.Method)
+			}
+
+			content, err := json.Marshal(types.Volume{
+				Name:       "volume",
+				Driver:     "local",
+				Mountpoint: "mountpoint",
+			})
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	volume, err := client.VolumeCreate(context.Background(), volumetypes.VolumeCreateBody{
+		Name:   "myvolume",
+		Driver: "mydriver",
+		DriverOpts: map[string]string{
+			"opt-key": "opt-value",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if volume.Name != "volume" {
+		t.Fatalf("expected volume.Name to be 'volume', got %s", volume.Name)
+	}
+	if volume.Driver != "local" {
+		t.Fatalf("expected volume.Driver to be 'local', got %s", volume.Driver)
+	}
+	if volume.Mountpoint != "mountpoint" {
+		t.Fatalf("expected volume.Mountpoint to be 'mountpoint', got %s", volume.Mountpoint)
+	}
+}
diff --git a/engine/client/volume_inspect.go b/engine/client/volume_inspect.go
new file mode 100644
index 00000000..f840682d
--- /dev/null
+++ b/engine/client/volume_inspect.go
@@ -0,0 +1,38 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io/ioutil"
+
+	"github.com/docker/docker/api/types"
+)
+
+// VolumeInspect returns the information about a specific volume in the docker host.
+func (cli *Client) VolumeInspect(ctx context.Context, volumeID string) (types.Volume, error) {
+	volume, _, err := cli.VolumeInspectWithRaw(ctx, volumeID)
+	return volume, err
+}
+
+// VolumeInspectWithRaw returns the information about a specific volume in the docker host and its raw representation
+func (cli *Client) VolumeInspectWithRaw(ctx context.Context, volumeID string) (types.Volume, []byte, error) {
+	if volumeID == "" {
+		return types.Volume{}, nil, objectNotFoundError{object: "volume", id: volumeID}
+	}
+
+	var volume types.Volume
+	resp, err := cli.get(ctx, "/volumes/"+volumeID, nil, nil)
+	if err != nil {
+		return volume, nil, wrapResponseError(err, resp, "volume", volumeID)
+	}
+	defer ensureReaderClosed(resp)
+
+	body, err := ioutil.ReadAll(resp.body)
+	if err != nil {
+		return volume, nil, err
+	}
+	rdr := bytes.NewReader(body)
+	err = json.NewDecoder(rdr).Decode(&volume)
+	return volume, body, err
+}
diff --git a/engine/client/volume_inspect_test.go b/engine/client/volume_inspect_test.go
new file mode 100644
index 00000000..04f00129
--- /dev/null
+++ b/engine/client/volume_inspect_test.go
@@ -0,0 +1,79 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestVolumeInspectError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.VolumeInspect(context.Background(), "nothing")
+	assert.Check(t, is.ErrorContains(err, "Error response from daemon: Server error"))
+}
+
+func TestVolumeInspectNotFound(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusNotFound, "Server error")),
+	}
+
+	_, err := client.VolumeInspect(context.Background(), "unknown")
+	assert.Check(t, IsErrNotFound(err))
+}
+
+func TestVolumeInspectWithEmptyID(t *testing.T) {
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			return nil, errors.New("should not make request")
+		}),
+	}
+	_, _, err := client.VolumeInspectWithRaw(context.Background(), "")
+	if !IsErrNotFound(err) {
+		t.Fatalf("Expected NotFoundError, got %v", err)
+	}
+}
+
+func TestVolumeInspect(t *testing.T) {
+	expectedURL := "/volumes/volume_id"
+	expected := types.Volume{
+		Name:       "name",
+		Driver:     "driver",
+		Mountpoint: "mountpoint",
+	}
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "GET" {
+				return nil, fmt.Errorf("expected GET method, got %s", req.Method)
+			}
+			content, err := json.Marshal(expected)
+			if err != nil {
+				return nil, err
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader(content)),
+			}, nil
+		}),
+	}
+
+	volume, err := client.VolumeInspect(context.Background(), "volume_id")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(expected, volume))
+}
diff --git a/engine/client/volume_list.go b/engine/client/volume_list.go
new file mode 100644
index 00000000..284554d6
--- /dev/null
+++ b/engine/client/volume_list.go
@@ -0,0 +1,32 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+
+	"github.com/docker/docker/api/types/filters"
+	volumetypes "github.com/docker/docker/api/types/volume"
+)
+
+// VolumeList returns the volumes configured in the docker host.
+func (cli *Client) VolumeList(ctx context.Context, filter filters.Args) (volumetypes.VolumeListOKBody, error) {
+	var volumes volumetypes.VolumeListOKBody
+	query := url.Values{}
+
+	if filter.Len() > 0 {
+		filterJSON, err := filters.ToParamWithVersion(cli.version, filter)
+		if err != nil {
+			return volumes, err
+		}
+		query.Set("filters", filterJSON)
+	}
+	resp, err := cli.get(ctx, "/volumes", query, nil)
+	if err != nil {
+		return volumes, err
+	}
+
+	err = json.NewDecoder(resp.body).Decode(&volumes)
+	ensureReaderClosed(resp)
+	return volumes, err
+}
diff --git a/engine/client/volume_list_test.go b/engine/client/volume_list_test.go
new file mode 100644
index 00000000..2a83823f
--- /dev/null
+++ b/engine/client/volume_list_test.go
@@ -0,0 +1,98 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	volumetypes "github.com/docker/docker/api/types/volume"
+)
+
+func TestVolumeListError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	_, err := client.VolumeList(context.Background(), filters.NewArgs())
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestVolumeList(t *testing.T) {
+	expectedURL := "/volumes"
+
+	noDanglingFilters := filters.NewArgs()
+	noDanglingFilters.Add("dangling", "false")
+
+	danglingFilters := filters.NewArgs()
+	danglingFilters.Add("dangling", "true")
+
+	labelFilters := filters.NewArgs()
+	labelFilters.Add("label", "label1")
+	labelFilters.Add("label", "label2")
+
+	listCases := []struct {
+		filters         filters.Args
+		expectedFilters string
+	}{
+		{
+			filters:         filters.NewArgs(),
+			expectedFilters: "",
+		}, {
+			filters:         noDanglingFilters,
+			expectedFilters: `{"dangling":{"false":true}}`,
+		}, {
+			filters:         danglingFilters,
+			expectedFilters: `{"dangling":{"true":true}}`,
+		}, {
+			filters:         labelFilters,
+			expectedFilters: `{"label":{"label1":true,"label2":true}}`,
+		},
+	}
+
+	for _, listCase := range listCases {
+		client := &Client{
+			client: newMockClient(func(req *http.Request) (*http.Response, error) {
+				if !strings.HasPrefix(req.URL.Path, expectedURL) {
+					return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+				}
+				query := req.URL.Query()
+				actualFilters := query.Get("filters")
+				if actualFilters != listCase.expectedFilters {
+					return nil, fmt.Errorf("filters not set in URL query properly. Expected '%s', got %s", listCase.expectedFilters, actualFilters)
+				}
+				content, err := json.Marshal(volumetypes.VolumeListOKBody{
+					Volumes: []*types.Volume{
+						{
+							Name:   "volume",
+							Driver: "local",
+						},
+					},
+				})
+				if err != nil {
+					return nil, err
+				}
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       ioutil.NopCloser(bytes.NewReader(content)),
+				}, nil
+			}),
+		}
+
+		volumeResponse, err := client.VolumeList(context.Background(), listCase.filters)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(volumeResponse.Volumes) != 1 {
+			t.Fatalf("expected 1 volume, got %v", volumeResponse.Volumes)
+		}
+	}
+}
diff --git a/engine/client/volume_prune.go b/engine/client/volume_prune.go
new file mode 100644
index 00000000..70041efe
--- /dev/null
+++ b/engine/client/volume_prune.go
@@ -0,0 +1,36 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// VolumesPrune requests the daemon to delete unused data
+func (cli *Client) VolumesPrune(ctx context.Context, pruneFilters filters.Args) (types.VolumesPruneReport, error) {
+	var report types.VolumesPruneReport
+
+	if err := cli.NewVersionError("1.25", "volume prune"); err != nil {
+		return report, err
+	}
+
+	query, err := getFiltersQuery(pruneFilters)
+	if err != nil {
+		return report, err
+	}
+
+	serverResp, err := cli.post(ctx, "/volumes/prune", query, nil, nil)
+	if err != nil {
+		return report, err
+	}
+	defer ensureReaderClosed(serverResp)
+
+	if err := json.NewDecoder(serverResp.body).Decode(&report); err != nil {
+		return report, fmt.Errorf("Error retrieving volume prune report: %v", err)
+	}
+
+	return report, nil
+}
diff --git a/engine/client/volume_remove.go b/engine/client/volume_remove.go
new file mode 100644
index 00000000..fc5a71d3
--- /dev/null
+++ b/engine/client/volume_remove.go
@@ -0,0 +1,21 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"context"
+	"net/url"
+
+	"github.com/docker/docker/api/types/versions"
+)
+
+// VolumeRemove removes a volume from the docker host.
+func (cli *Client) VolumeRemove(ctx context.Context, volumeID string, force bool) error {
+	query := url.Values{}
+	if versions.GreaterThanOrEqualTo(cli.version, "1.25") {
+		if force {
+			query.Set("force", "1")
+		}
+	}
+	resp, err := cli.delete(ctx, "/volumes/"+volumeID, query, nil)
+	ensureReaderClosed(resp)
+	return wrapResponseError(err, resp, "volume", volumeID)
+}
diff --git a/engine/client/volume_remove_test.go b/engine/client/volume_remove_test.go
new file mode 100644
index 00000000..31fb3d71
--- /dev/null
+++ b/engine/client/volume_remove_test.go
@@ -0,0 +1,46 @@
+package client // import "github.com/docker/docker/client"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+func TestVolumeRemoveError(t *testing.T) {
+	client := &Client{
+		client: newMockClient(errorMock(http.StatusInternalServerError, "Server error")),
+	}
+
+	err := client.VolumeRemove(context.Background(), "volume_id", false)
+	if err == nil || err.Error() != "Error response from daemon: Server error" {
+		t.Fatalf("expected a Server Error, got %v", err)
+	}
+}
+
+func TestVolumeRemove(t *testing.T) {
+	expectedURL := "/volumes/volume_id"
+
+	client := &Client{
+		client: newMockClient(func(req *http.Request) (*http.Response, error) {
+			if !strings.HasPrefix(req.URL.Path, expectedURL) {
+				return nil, fmt.Errorf("Expected URL '%s', got '%s'", expectedURL, req.URL)
+			}
+			if req.Method != "DELETE" {
+				return nil, fmt.Errorf("expected DELETE method, got %s", req.Method)
+			}
+			return &http.Response{
+				StatusCode: http.StatusOK,
+				Body:       ioutil.NopCloser(bytes.NewReader([]byte("body"))),
+			}, nil
+		}),
+	}
+
+	err := client.VolumeRemove(context.Background(), "volume_id", false)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/cmd/dockerd/README.md b/engine/cmd/dockerd/README.md
new file mode 100644
index 00000000..a8c20b35
--- /dev/null
+++ b/engine/cmd/dockerd/README.md
@@ -0,0 +1,3 @@
+docker.go contains Docker daemon's main function.
+
+This file provides first line CLI argument parsing and environment variable setting.
diff --git a/engine/cmd/dockerd/config.go b/engine/cmd/dockerd/config.go
new file mode 100644
index 00000000..abdac9a7
--- /dev/null
+++ b/engine/cmd/dockerd/config.go
@@ -0,0 +1,99 @@
+package main
+
+import (
+	"runtime"
+
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/opts"
+	"github.com/docker/docker/registry"
+	"github.com/spf13/pflag"
+)
+
+const (
+	// defaultShutdownTimeout is the default shutdown timeout for the daemon
+	defaultShutdownTimeout = 15
+	// defaultTrustKeyFile is the default filename for the trust key
+	defaultTrustKeyFile = "key.json"
+)
+
+// installCommonConfigFlags adds flags to the pflag.FlagSet to configure the daemon
+func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) {
+	var maxConcurrentDownloads, maxConcurrentUploads int
+
+	installRegistryServiceFlags(&conf.ServiceOptions, flags)
+
+	flags.Var(opts.NewNamedListOptsRef("storage-opts", &conf.GraphOptions, nil), "storage-opt", "Storage driver options")
+	flags.Var(opts.NewNamedListOptsRef("authorization-plugins", &conf.AuthorizationPlugins, nil), "authorization-plugin", "Authorization plugins to load")
+	flags.Var(opts.NewNamedListOptsRef("exec-opts", &conf.ExecOptions, nil), "exec-opt", "Runtime execution options")
+	flags.StringVarP(&conf.Pidfile, "pidfile", "p", defaultPidFile, "Path to use for daemon PID file")
+	flags.StringVarP(&conf.Root, "graph", "g", defaultDataRoot, "Root of the Docker runtime")
+	flags.StringVar(&conf.ExecRoot, "exec-root", defaultExecRoot, "Root directory for execution state files")
+	flags.StringVar(&conf.ContainerdAddr, "containerd", "", "containerd grpc address")
+
+	// "--graph" is "soft-deprecated" in favor of "data-root". This flag was added
+	// before Docker 1.0, so won't be removed, only hidden, to discourage its usage.
+	flags.MarkHidden("graph")
+
+	flags.StringVar(&conf.Root, "data-root", defaultDataRoot, "Root directory of persistent Docker state")
+
+	flags.BoolVarP(&conf.AutoRestart, "restart", "r", true, "--restart on the daemon has been deprecated in favor of --restart policies on docker run")
+	flags.MarkDeprecated("restart", "Please use a restart policy on docker run")
+
+	// Windows doesn't support setting the storage driver - there is no choice as to which ones to use.
+	if runtime.GOOS != "windows" {
+		flags.StringVarP(&conf.GraphDriver, "storage-driver", "s", "", "Storage driver to use")
+	}
+
+	flags.IntVar(&conf.Mtu, "mtu", 0, "Set the containers network MTU")
+	flags.BoolVar(&conf.RawLogs, "raw-logs", false, "Full timestamps without ANSI coloring")
+	flags.Var(opts.NewListOptsRef(&conf.DNS, opts.ValidateIPAddress), "dns", "DNS server to use")
+	flags.Var(opts.NewNamedListOptsRef("dns-opts", &conf.DNSOptions, nil), "dns-opt", "DNS options to use")
+	flags.Var(opts.NewListOptsRef(&conf.DNSSearch, opts.ValidateDNSSearch), "dns-search", "DNS search domains to use")
+	flags.Var(opts.NewNamedListOptsRef("labels", &conf.Labels, opts.ValidateLabel), "label", "Set key=value labels to the daemon")
+	flags.StringVar(&conf.LogConfig.Type, "log-driver", "json-file", "Default driver for container logs")
+	flags.Var(opts.NewNamedMapOpts("log-opts", conf.LogConfig.Config, nil), "log-opt", "Default log driver options for containers")
+	flags.StringVar(&conf.ClusterAdvertise, "cluster-advertise", "", "Address or interface name to advertise")
+	flags.StringVar(&conf.ClusterStore, "cluster-store", "", "URL of the distributed storage backend")
+	flags.Var(opts.NewNamedMapOpts("cluster-store-opts", conf.ClusterOpts, nil), "cluster-store-opt", "Set cluster store options")
+	flags.StringVar(&conf.CorsHeaders, "api-cors-header", "", "Set CORS headers in the Engine API")
+	flags.IntVar(&maxConcurrentDownloads, "max-concurrent-downloads", config.DefaultMaxConcurrentDownloads, "Set the max concurrent downloads for each pull")
+	flags.IntVar(&maxConcurrentUploads, "max-concurrent-uploads", config.DefaultMaxConcurrentUploads, "Set the max concurrent uploads for each push")
+	flags.IntVar(&conf.ShutdownTimeout, "shutdown-timeout", defaultShutdownTimeout, "Set the default shutdown timeout")
+	flags.IntVar(&conf.NetworkDiagnosticPort, "network-diagnostic-port", 0, "TCP port number of the network diagnostic server")
+	flags.MarkHidden("network-diagnostic-port")
+
+	flags.StringVar(&conf.SwarmDefaultAdvertiseAddr, "swarm-default-advertise-addr", "", "Set default address or interface for swarm advertised address")
+	flags.BoolVar(&conf.Experimental, "experimental", false, "Enable experimental features")
+
+	flags.StringVar(&conf.MetricsAddress, "metrics-addr", "", "Set default address and port to serve the metrics api on")
+
+	flags.Var(opts.NewNamedListOptsRef("node-generic-resources", &conf.NodeGenericResources, opts.ValidateSingleGenericResource), "node-generic-resource", "Advertise user-defined resource")
+
+	flags.IntVar(&conf.NetworkControlPlaneMTU, "network-control-plane-mtu", config.DefaultNetworkMtu, "Network Control plane MTU")
+
+	// "--deprecated-key-path" is to allow configuration of the key used
+	// for the daemon ID and the deprecated image signing. It was never
+	// exposed as a command line option but is added here to allow
+	// overriding the default path in configuration.
+	flags.Var(opts.NewQuotedString(&conf.TrustKeyPath), "deprecated-key-path", "Path to key file for ID and image signing")
+	flags.MarkHidden("deprecated-key-path")
+
+	conf.MaxConcurrentDownloads = &maxConcurrentDownloads
+	conf.MaxConcurrentUploads = &maxConcurrentUploads
+}
+
+func installRegistryServiceFlags(options *registry.ServiceOptions, flags *pflag.FlagSet) {
+	ana := opts.NewNamedListOptsRef("allow-nondistributable-artifacts", &options.AllowNondistributableArtifacts, registry.ValidateIndexName)
+	mirrors := opts.NewNamedListOptsRef("registry-mirrors", &options.Mirrors, registry.ValidateMirror)
+	insecureRegistries := opts.NewNamedListOptsRef("insecure-registries", &options.InsecureRegistries, registry.ValidateIndexName)
+
+	flags.Var(ana, "allow-nondistributable-artifacts", "Allow push of nondistributable artifacts to registry")
+	flags.Var(mirrors, "registry-mirror", "Preferred Docker registry mirror")
+	flags.Var(insecureRegistries, "insecure-registry", "Enable insecure registry communication")
+
+	if runtime.GOOS != "windows" {
+		// TODO: Remove this flag after 3 release cycles (18.03)
+		flags.BoolVar(&options.V2Only, "disable-legacy-registry", true, "Disable contacting legacy registries")
+		flags.MarkHidden("disable-legacy-registry")
+	}
+}
diff --git a/engine/cmd/dockerd/config_common_unix.go b/engine/cmd/dockerd/config_common_unix.go
new file mode 100644
index 00000000..febf30ae
--- /dev/null
+++ b/engine/cmd/dockerd/config_common_unix.go
@@ -0,0 +1,34 @@
+// +build linux freebsd
+
+package main
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/opts"
+	"github.com/spf13/pflag"
+)
+
+var (
+	defaultPidFile  = "/var/run/docker.pid"
+	defaultDataRoot = "/var/lib/docker"
+	defaultExecRoot = "/var/run/docker"
+)
+
+// installUnixConfigFlags adds command-line options to the top-level flag parser for
+// the current process that are common across Unix platforms.
+func installUnixConfigFlags(conf *config.Config, flags *pflag.FlagSet) {
+	conf.Runtimes = make(map[string]types.Runtime)
+
+	flags.StringVarP(&conf.SocketGroup, "group", "G", "docker", "Group for the unix socket")
+	flags.StringVar(&conf.BridgeConfig.IP, "bip", "", "Specify network bridge IP")
+	flags.StringVarP(&conf.BridgeConfig.Iface, "bridge", "b", "", "Attach containers to a network bridge")
+	flags.StringVar(&conf.BridgeConfig.FixedCIDR, "fixed-cidr", "", "IPv4 subnet for fixed IPs")
+	flags.Var(opts.NewIPOpt(&conf.BridgeConfig.DefaultGatewayIPv4, ""), "default-gateway", "Container default gateway IPv4 address")
+	flags.Var(opts.NewIPOpt(&conf.BridgeConfig.DefaultGatewayIPv6, ""), "default-gateway-v6", "Container default gateway IPv6 address")
+	flags.BoolVar(&conf.BridgeConfig.InterContainerCommunication, "icc", true, "Enable inter-container communication")
+	flags.Var(opts.NewIPOpt(&conf.BridgeConfig.DefaultIP, "0.0.0.0"), "ip", "Default IP when binding container ports")
+	flags.Var(opts.NewNamedRuntimeOpt("runtimes", &conf.Runtimes, config.StockRuntimeName), "add-runtime", "Register an additional OCI compatible runtime")
+	flags.StringVar(&conf.DefaultRuntime, "default-runtime", config.StockRuntimeName, "Default OCI runtime for containers")
+
+}
diff --git a/engine/cmd/dockerd/config_unix.go b/engine/cmd/dockerd/config_unix.go
new file mode 100644
index 00000000..2dbd84b1
--- /dev/null
+++ b/engine/cmd/dockerd/config_unix.go
@@ -0,0 +1,50 @@
+// +build linux freebsd
+
+package main
+
+import (
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/opts"
+	"github.com/docker/go-units"
+	"github.com/spf13/pflag"
+)
+
+// installConfigFlags adds flags to the pflag.FlagSet to configure the daemon
+func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) {
+	// First handle install flags which are consistent cross-platform
+	installCommonConfigFlags(conf, flags)
+
+	// Then install flags common to unix platforms
+	installUnixConfigFlags(conf, flags)
+
+	conf.Ulimits = make(map[string]*units.Ulimit)
+	conf.NetworkConfig.DefaultAddressPools = opts.PoolsOpt{}
+
+	// Set default value for `--default-shm-size`
+	conf.ShmSize = opts.MemBytes(config.DefaultShmSize)
+
+	// Then platform-specific install flags
+	flags.BoolVar(&conf.EnableSelinuxSupport, "selinux-enabled", false, "Enable selinux support")
+	flags.Var(opts.NewNamedUlimitOpt("default-ulimits", &conf.Ulimits), "default-ulimit", "Default ulimits for containers")
+	flags.BoolVar(&conf.BridgeConfig.EnableIPTables, "iptables", true, "Enable addition of iptables rules")
+	flags.BoolVar(&conf.BridgeConfig.EnableIPForward, "ip-forward", true, "Enable net.ipv4.ip_forward")
+	flags.BoolVar(&conf.BridgeConfig.EnableIPMasq, "ip-masq", true, "Enable IP masquerading")
+	flags.BoolVar(&conf.BridgeConfig.EnableIPv6, "ipv6", false, "Enable IPv6 networking")
+	flags.StringVar(&conf.BridgeConfig.FixedCIDRv6, "fixed-cidr-v6", "", "IPv6 subnet for fixed IPs")
+	flags.BoolVar(&conf.BridgeConfig.EnableUserlandProxy, "userland-proxy", true, "Use userland proxy for loopback traffic")
+	flags.StringVar(&conf.BridgeConfig.UserlandProxyPath, "userland-proxy-path", "", "Path to the userland proxy binary")
+	flags.StringVar(&conf.CgroupParent, "cgroup-parent", "", "Set parent cgroup for all containers")
+	flags.StringVar(&conf.RemappedRoot, "userns-remap", "", "User/Group setting for user namespaces")
+	flags.BoolVar(&conf.LiveRestoreEnabled, "live-restore", false, "Enable live restore of docker when containers are still running")
+	flags.IntVar(&conf.OOMScoreAdjust, "oom-score-adjust", -500, "Set the oom_score_adj for the daemon")
+	flags.BoolVar(&conf.Init, "init", false, "Run an init in the container to forward signals and reap processes")
+	flags.StringVar(&conf.InitPath, "init-path", "", "Path to the docker-init binary")
+	flags.Int64Var(&conf.CPURealtimePeriod, "cpu-rt-period", 0, "Limit the CPU real-time period in microseconds")
+	flags.Int64Var(&conf.CPURealtimeRuntime, "cpu-rt-runtime", 0, "Limit the CPU real-time runtime in microseconds")
+	flags.StringVar(&conf.SeccompProfile, "seccomp-profile", "", "Path to seccomp profile")
+	flags.Var(&conf.ShmSize, "default-shm-size", "Default shm size for containers")
+	flags.BoolVar(&conf.NoNewPrivileges, "no-new-privileges", false, "Set no-new-privileges by default for new containers")
+	flags.StringVar(&conf.IpcMode, "default-ipc-mode", config.DefaultIpcMode, `Default mode for containers ipc ("shareable" | "private")`)
+	flags.Var(&conf.NetworkConfig.DefaultAddressPools, "default-address-pool", "Default address pools for node specific local networks")
+
+}
diff --git a/engine/cmd/dockerd/config_unix_test.go b/engine/cmd/dockerd/config_unix_test.go
new file mode 100644
index 00000000..d7dbf4b4
--- /dev/null
+++ b/engine/cmd/dockerd/config_unix_test.go
@@ -0,0 +1,23 @@
+// +build linux freebsd
+
+package main
+
+import (
+	"testing"
+
+	"github.com/docker/docker/daemon/config"
+	"github.com/spf13/pflag"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestDaemonParseShmSize(t *testing.T) {
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+
+	conf := &config.Config{}
+	installConfigFlags(conf, flags)
+	// By default `--default-shm-size=64M`
+	assert.Check(t, is.Equal(int64(64*1024*1024), conf.ShmSize.Value()))
+	assert.Check(t, flags.Set("default-shm-size", "128M"))
+	assert.Check(t, is.Equal(int64(128*1024*1024), conf.ShmSize.Value()))
+}
diff --git a/engine/cmd/dockerd/config_windows.go b/engine/cmd/dockerd/config_windows.go
new file mode 100644
index 00000000..36af7664
--- /dev/null
+++ b/engine/cmd/dockerd/config_windows.go
@@ -0,0 +1,26 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/daemon/config"
+	"github.com/spf13/pflag"
+)
+
+var (
+	defaultPidFile  string
+	defaultDataRoot = filepath.Join(os.Getenv("programdata"), "docker")
+	defaultExecRoot = filepath.Join(os.Getenv("programdata"), "docker", "exec-root")
+)
+
+// installConfigFlags adds flags to the pflag.FlagSet to configure the daemon
+func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) {
+	// First handle install flags which are consistent cross-platform
+	installCommonConfigFlags(conf, flags)
+
+	// Then platform-specific install flags.
+	flags.StringVar(&conf.BridgeConfig.FixedCIDR, "fixed-cidr", "", "IPv4 subnet for fixed IPs")
+	flags.StringVarP(&conf.BridgeConfig.Iface, "bridge", "b", "", "Attach containers to a virtual switch")
+	flags.StringVarP(&conf.SocketGroup, "group", "G", "", "Users or groups that can access the named pipe")
+}
diff --git a/engine/cmd/dockerd/daemon.go b/engine/cmd/dockerd/daemon.go
new file mode 100644
index 00000000..efefaa1a
--- /dev/null
+++ b/engine/cmd/dockerd/daemon.go
@@ -0,0 +1,638 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/docker/distribution/uuid"
+	"github.com/docker/docker/api"
+	apiserver "github.com/docker/docker/api/server"
+	buildbackend "github.com/docker/docker/api/server/backend/build"
+	"github.com/docker/docker/api/server/middleware"
+	"github.com/docker/docker/api/server/router"
+	"github.com/docker/docker/api/server/router/build"
+	checkpointrouter "github.com/docker/docker/api/server/router/checkpoint"
+	"github.com/docker/docker/api/server/router/container"
+	distributionrouter "github.com/docker/docker/api/server/router/distribution"
+	"github.com/docker/docker/api/server/router/image"
+	"github.com/docker/docker/api/server/router/network"
+	pluginrouter "github.com/docker/docker/api/server/router/plugin"
+	sessionrouter "github.com/docker/docker/api/server/router/session"
+	swarmrouter "github.com/docker/docker/api/server/router/swarm"
+	systemrouter "github.com/docker/docker/api/server/router/system"
+	"github.com/docker/docker/api/server/router/volume"
+	buildkit "github.com/docker/docker/builder/builder-next"
+	"github.com/docker/docker/builder/dockerfile"
+	"github.com/docker/docker/builder/fscache"
+	"github.com/docker/docker/cli/debug"
+	"github.com/docker/docker/daemon"
+	"github.com/docker/docker/daemon/cluster"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/daemon/listeners"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/libcontainerd"
+	dopts "github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/authorization"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/pkg/pidfile"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/plugin"
+	"github.com/docker/docker/registry"
+	"github.com/docker/docker/runconfig"
+	"github.com/docker/go-connections/tlsconfig"
+	swarmapi "github.com/docker/swarmkit/api"
+	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/pflag"
+)
+
+// DaemonCli represents the daemon CLI.
+type DaemonCli struct {
+	*config.Config
+	configFile *string
+	flags      *pflag.FlagSet
+
+	api             *apiserver.Server
+	d               *daemon.Daemon
+	authzMiddleware *authorization.Middleware // authzMiddleware enables to dynamically reload the authorization plugins
+}
+
+// NewDaemonCli returns a daemon CLI
+func NewDaemonCli() *DaemonCli {
+	return &DaemonCli{}
+}
+
+func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
+	stopc := make(chan bool)
+	defer close(stopc)
+
+	// warn from uuid package when running the daemon
+	uuid.Loggerf = logrus.Warnf
+
+	opts.SetDefaultOptions(opts.flags)
+
+	if cli.Config, err = loadDaemonCliConfig(opts); err != nil {
+		return err
+	}
+	cli.configFile = &opts.configFile
+	cli.flags = opts.flags
+
+	if cli.Config.Debug {
+		debug.Enable()
+	}
+
+	if cli.Config.Experimental {
+		logrus.Warn("Running experimental build")
+	}
+
+	logrus.SetFormatter(&logrus.TextFormatter{
+		TimestampFormat: jsonmessage.RFC3339NanoFixed,
+		DisableColors:   cli.Config.RawLogs,
+		FullTimestamp:   true,
+	})
+
+	system.InitLCOW(cli.Config.Experimental)
+
+	if err := setDefaultUmask(); err != nil {
+		return fmt.Errorf("Failed to set umask: %v", err)
+	}
+
+	// Create the daemon root before we create ANY other files (PID, or migrate keys)
+	// to ensure the appropriate ACL is set (particularly relevant on Windows)
+	if err := daemon.CreateDaemonRoot(cli.Config); err != nil {
+		return err
+	}
+
+	if cli.Pidfile != "" {
+		pf, err := pidfile.New(cli.Pidfile)
+		if err != nil {
+			return fmt.Errorf("Error starting daemon: %v", err)
+		}
+		defer func() {
+			if err := pf.Remove(); err != nil {
+				logrus.Error(err)
+			}
+		}()
+	}
+
+	serverConfig, err := newAPIServerConfig(cli)
+	if err != nil {
+		return fmt.Errorf("Failed to create API server: %v", err)
+	}
+	cli.api = apiserver.New(serverConfig)
+
+	hosts, err := loadListeners(cli, serverConfig)
+	if err != nil {
+		return fmt.Errorf("Failed to load listeners: %v", err)
+	}
+
+	registryService, err := registry.NewService(cli.Config.ServiceOptions)
+	if err != nil {
+		return err
+	}
+
+	rOpts, err := cli.getRemoteOptions()
+	if err != nil {
+		return fmt.Errorf("Failed to generate containerd options: %v", err)
+	}
+	containerdRemote, err := libcontainerd.New(filepath.Join(cli.Config.Root, "containerd"), filepath.Join(cli.Config.ExecRoot, "containerd"), rOpts...)
+	if err != nil {
+		return err
+	}
+	signal.Trap(func() {
+		cli.stop()
+		<-stopc // wait for daemonCli.start() to return
+	}, logrus.StandardLogger())
+
+	// Notify that the API is active, but before daemon is set up.
+	preNotifySystem()
+
+	pluginStore := plugin.NewStore()
+
+	if err := cli.initMiddlewares(cli.api, serverConfig, pluginStore); err != nil {
+		logrus.Fatalf("Error creating middlewares: %v", err)
+	}
+
+	d, err := daemon.NewDaemon(cli.Config, registryService, containerdRemote, pluginStore)
+	if err != nil {
+		return fmt.Errorf("Error starting daemon: %v", err)
+	}
+
+	d.StoreHosts(hosts)
+
+	// validate after NewDaemon has restored enabled plugins. Dont change order.
+	if err := validateAuthzPlugins(cli.Config.AuthorizationPlugins, pluginStore); err != nil {
+		return fmt.Errorf("Error validating authorization plugin: %v", err)
+	}
+
+	// TODO: move into startMetricsServer()
+	if cli.Config.MetricsAddress != "" {
+		if !d.HasExperimental() {
+			return fmt.Errorf("metrics-addr is only supported when experimental is enabled")
+		}
+		if err := startMetricsServer(cli.Config.MetricsAddress); err != nil {
+			return err
+		}
+	}
+
+	c, err := createAndStartCluster(cli, d)
+	if err != nil {
+		logrus.Fatalf("Error starting cluster component: %v", err)
+	}
+
+	// Restart all autostart containers which has a swarm endpoint
+	// and is not yet running now that we have successfully
+	// initialized the cluster.
+	d.RestartSwarmContainers()
+
+	logrus.Info("Daemon has completed initialization")
+
+	cli.d = d
+
+	routerOptions, err := newRouterOptions(cli.Config, d)
+	if err != nil {
+		return err
+	}
+	routerOptions.api = cli.api
+	routerOptions.cluster = c
+
+	initRouter(routerOptions)
+
+	// process cluster change notifications
+	watchCtx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go d.ProcessClusterNotifications(watchCtx, c.GetWatchStream())
+
+	cli.setupConfigReloadTrap()
+
+	// The serve API routine never exits unless an error occurs
+	// We need to start it as a goroutine and wait on it so
+	// daemon doesn't exit
+	serveAPIWait := make(chan error)
+	go cli.api.Wait(serveAPIWait)
+
+	// after the daemon is done setting up we can notify systemd api
+	notifySystem()
+
+	// Daemon is fully initialized and handling API traffic
+	// Wait for serve API to complete
+	errAPI := <-serveAPIWait
+	c.Cleanup()
+	shutdownDaemon(d)
+	containerdRemote.Cleanup()
+	if errAPI != nil {
+		return fmt.Errorf("Shutting down due to ServeAPI error: %v", errAPI)
+	}
+
+	return nil
+}
+
+type routerOptions struct {
+	sessionManager *session.Manager
+	buildBackend   *buildbackend.Backend
+	buildCache     *fscache.FSCache // legacy
+	buildkit       *buildkit.Builder
+	daemon         *daemon.Daemon
+	api            *apiserver.Server
+	cluster        *cluster.Cluster
+}
+
+func newRouterOptions(config *config.Config, daemon *daemon.Daemon) (routerOptions, error) {
+	opts := routerOptions{}
+	sm, err := session.NewManager()
+	if err != nil {
+		return opts, errors.Wrap(err, "failed to create sessionmanager")
+	}
+
+	builderStateDir := filepath.Join(config.Root, "builder")
+
+	buildCache, err := fscache.NewFSCache(fscache.Opt{
+		Backend: fscache.NewNaiveCacheBackend(builderStateDir),
+		Root:    builderStateDir,
+		GCPolicy: fscache.GCPolicy{ // TODO: expose this in config
+			MaxSize:         1024 * 1024 * 512,  // 512MB
+			MaxKeepDuration: 7 * 24 * time.Hour, // 1 week
+		},
+	})
+	if err != nil {
+		return opts, errors.Wrap(err, "failed to create fscache")
+	}
+
+	manager, err := dockerfile.NewBuildManager(daemon.BuilderBackend(), sm, buildCache, daemon.IDMappings())
+	if err != nil {
+		return opts, err
+	}
+
+	buildkit, err := buildkit.New(buildkit.Opt{
+		SessionManager: sm,
+		Root:           filepath.Join(config.Root, "buildkit"),
+		Dist:           daemon.DistributionServices(),
+	})
+	if err != nil {
+		return opts, err
+	}
+
+	bb, err := buildbackend.NewBackend(daemon.ImageService(), manager, buildCache, buildkit)
+	if err != nil {
+		return opts, errors.Wrap(err, "failed to create buildmanager")
+	}
+
+	return routerOptions{
+		sessionManager: sm,
+		buildBackend:   bb,
+		buildCache:     buildCache,
+		buildkit:       buildkit,
+		daemon:         daemon,
+	}, nil
+}
+
+func (cli *DaemonCli) reloadConfig() {
+	reload := func(c *config.Config) {
+
+		// Revalidate and reload the authorization plugins
+		if err := validateAuthzPlugins(c.AuthorizationPlugins, cli.d.PluginStore); err != nil {
+			logrus.Fatalf("Error validating authorization plugin: %v", err)
+			return
+		}
+		cli.authzMiddleware.SetPlugins(c.AuthorizationPlugins)
+
+		// The namespaces com.docker.*, io.docker.*, org.dockerproject.* have been documented
+		// to be reserved for Docker's internal use, but this was never enforced.  Allowing
+		// configured labels to use these namespaces are deprecated for 18.05.
+		//
+		// The following will check the usage of such labels, and report a warning for deprecation.
+		//
+		// TODO: At the next stable release, the validation should be folded into the other
+		// configuration validation functions and an error will be returned instead, and this
+		// block should be deleted.
+		if err := config.ValidateReservedNamespaceLabels(c.Labels); err != nil {
+			logrus.Warnf("Configured labels using reserved namespaces is deprecated: %s", err)
+		}
+
+		if err := cli.d.Reload(c); err != nil {
+			logrus.Errorf("Error reconfiguring the daemon: %v", err)
+			return
+		}
+
+		if c.IsValueSet("debug") {
+			debugEnabled := debug.IsEnabled()
+			switch {
+			case debugEnabled && !c.Debug: // disable debug
+				debug.Disable()
+			case c.Debug && !debugEnabled: // enable debug
+				debug.Enable()
+			}
+		}
+	}
+
+	if err := config.Reload(*cli.configFile, cli.flags, reload); err != nil {
+		logrus.Error(err)
+	}
+}
+
+func (cli *DaemonCli) stop() {
+	cli.api.Close()
+}
+
+// shutdownDaemon just wraps daemon.Shutdown() to handle a timeout in case
+// d.Shutdown() is waiting too long to kill container or worst it's
+// blocked there
+func shutdownDaemon(d *daemon.Daemon) {
+	shutdownTimeout := d.ShutdownTimeout()
+	ch := make(chan struct{})
+	go func() {
+		d.Shutdown()
+		close(ch)
+	}()
+	if shutdownTimeout < 0 {
+		<-ch
+		logrus.Debug("Clean shutdown succeeded")
+		return
+	}
+	select {
+	case <-ch:
+		logrus.Debug("Clean shutdown succeeded")
+	case <-time.After(time.Duration(shutdownTimeout) * time.Second):
+		logrus.Error("Force shutdown daemon")
+	}
+}
+
+func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
+	conf := opts.daemonConfig
+	flags := opts.flags
+	conf.Debug = opts.Debug
+	conf.Hosts = opts.Hosts
+	conf.LogLevel = opts.LogLevel
+	conf.TLS = opts.TLS
+	conf.TLSVerify = opts.TLSVerify
+	conf.CommonTLSOptions = config.CommonTLSOptions{}
+
+	if opts.TLSOptions != nil {
+		conf.CommonTLSOptions.CAFile = opts.TLSOptions.CAFile
+		conf.CommonTLSOptions.CertFile = opts.TLSOptions.CertFile
+		conf.CommonTLSOptions.KeyFile = opts.TLSOptions.KeyFile
+	}
+
+	if conf.TrustKeyPath == "" {
+		conf.TrustKeyPath = filepath.Join(
+			getDaemonConfDir(conf.Root),
+			defaultTrustKeyFile)
+	}
+
+	if flags.Changed("graph") && flags.Changed("data-root") {
+		return nil, fmt.Errorf(`cannot specify both "--graph" and "--data-root" option`)
+	}
+
+	if opts.configFile != "" {
+		c, err := config.MergeDaemonConfigurations(conf, flags, opts.configFile)
+		if err != nil {
+			if flags.Changed("config-file") || !os.IsNotExist(err) {
+				return nil, fmt.Errorf("unable to configure the Docker daemon with file %s: %v", opts.configFile, err)
+			}
+		}
+		// the merged configuration can be nil if the config file didn't exist.
+		// leave the current configuration as it is if when that happens.
+		if c != nil {
+			conf = c
+		}
+	}
+
+	if err := config.Validate(conf); err != nil {
+		return nil, err
+	}
+
+	if runtime.GOOS != "windows" {
+		if flags.Changed("disable-legacy-registry") {
+			// TODO: Remove this error after 3 release cycles (18.03)
+			return nil, errors.New("ERROR: The '--disable-legacy-registry' flag has been removed. Interacting with legacy (v1) registries is no longer supported")
+		}
+		if !conf.V2Only {
+			// TODO: Remove this error after 3 release cycles (18.03)
+			return nil, errors.New("ERROR: The 'disable-legacy-registry' configuration option has been removed. Interacting with legacy (v1) registries is no longer supported")
+		}
+	}
+
+	if flags.Changed("graph") {
+		logrus.Warnf(`The "-g / --graph" flag is deprecated. Please use "--data-root" instead`)
+	}
+
+	// Check if duplicate label-keys with different values are found
+	newLabels, err := config.GetConflictFreeLabels(conf.Labels)
+	if err != nil {
+		return nil, err
+	}
+	// The namespaces com.docker.*, io.docker.*, org.dockerproject.* have been documented
+	// to be reserved for Docker's internal use, but this was never enforced.  Allowing
+	// configured labels to use these namespaces are deprecated for 18.05.
+	//
+	// The following will check the usage of such labels, and report a warning for deprecation.
+	//
+	// TODO: At the next stable release, the validation should be folded into the other
+	// configuration validation functions and an error will be returned instead, and this
+	// block should be deleted.
+	if err := config.ValidateReservedNamespaceLabels(newLabels); err != nil {
+		logrus.Warnf("Configured labels using reserved namespaces is deprecated: %s", err)
+	}
+	conf.Labels = newLabels
+
+	// Regardless of whether the user sets it to true or false, if they
+	// specify TLSVerify at all then we need to turn on TLS
+	if conf.IsValueSet(FlagTLSVerify) {
+		conf.TLS = true
+	}
+
+	// ensure that the log level is the one set after merging configurations
+	setLogLevel(conf.LogLevel)
+
+	return conf, nil
+}
+
+func initRouter(opts routerOptions) {
+	decoder := runconfig.ContainerDecoder{}
+
+	routers := []router.Router{
+		// we need to add the checkpoint router before the container router or the DELETE gets masked
+		checkpointrouter.NewRouter(opts.daemon, decoder),
+		container.NewRouter(opts.daemon, decoder),
+		image.NewRouter(opts.daemon.ImageService()),
+		systemrouter.NewRouter(opts.daemon, opts.cluster, opts.buildCache, opts.buildkit),
+		volume.NewRouter(opts.daemon.VolumesService()),
+		build.NewRouter(opts.buildBackend, opts.daemon),
+		sessionrouter.NewRouter(opts.sessionManager),
+		swarmrouter.NewRouter(opts.cluster),
+		pluginrouter.NewRouter(opts.daemon.PluginManager()),
+		distributionrouter.NewRouter(opts.daemon.ImageService()),
+	}
+
+	if opts.daemon.NetworkControllerEnabled() {
+		routers = append(routers, network.NewRouter(opts.daemon, opts.cluster))
+	}
+
+	if opts.daemon.HasExperimental() {
+		for _, r := range routers {
+			for _, route := range r.Routes() {
+				if experimental, ok := route.(router.ExperimentalRoute); ok {
+					experimental.Enable()
+				}
+			}
+		}
+	}
+
+	opts.api.InitRouter(routers...)
+}
+
+// TODO: remove this from cli and return the authzMiddleware
+func (cli *DaemonCli) initMiddlewares(s *apiserver.Server, cfg *apiserver.Config, pluginStore plugingetter.PluginGetter) error {
+	v := cfg.Version
+
+	exp := middleware.NewExperimentalMiddleware(cli.Config.Experimental)
+	s.UseMiddleware(exp)
+
+	vm := middleware.NewVersionMiddleware(v, api.DefaultVersion, api.MinVersion)
+	s.UseMiddleware(vm)
+
+	if cfg.CorsHeaders != "" {
+		c := middleware.NewCORSMiddleware(cfg.CorsHeaders)
+		s.UseMiddleware(c)
+	}
+
+	cli.authzMiddleware = authorization.NewMiddleware(cli.Config.AuthorizationPlugins, pluginStore)
+	cli.Config.AuthzMiddleware = cli.authzMiddleware
+	s.UseMiddleware(cli.authzMiddleware)
+	return nil
+}
+
+func (cli *DaemonCli) getRemoteOptions() ([]libcontainerd.RemoteOption, error) {
+	opts := []libcontainerd.RemoteOption{}
+
+	pOpts, err := cli.getPlatformRemoteOptions()
+	if err != nil {
+		return nil, err
+	}
+	opts = append(opts, pOpts...)
+	return opts, nil
+}
+
+func newAPIServerConfig(cli *DaemonCli) (*apiserver.Config, error) {
+	serverConfig := &apiserver.Config{
+		Logging:     true,
+		SocketGroup: cli.Config.SocketGroup,
+		Version:     dockerversion.Version,
+		CorsHeaders: cli.Config.CorsHeaders,
+	}
+
+	if cli.Config.TLS {
+		tlsOptions := tlsconfig.Options{
+			CAFile:             cli.Config.CommonTLSOptions.CAFile,
+			CertFile:           cli.Config.CommonTLSOptions.CertFile,
+			KeyFile:            cli.Config.CommonTLSOptions.KeyFile,
+			ExclusiveRootPools: true,
+		}
+
+		if cli.Config.TLSVerify {
+			// server requires and verifies client's certificate
+			tlsOptions.ClientAuth = tls.RequireAndVerifyClientCert
+		}
+		tlsConfig, err := tlsconfig.Server(tlsOptions)
+		if err != nil {
+			return nil, err
+		}
+		serverConfig.TLSConfig = tlsConfig
+	}
+
+	if len(cli.Config.Hosts) == 0 {
+		cli.Config.Hosts = make([]string, 1)
+	}
+
+	return serverConfig, nil
+}
+
+func loadListeners(cli *DaemonCli, serverConfig *apiserver.Config) ([]string, error) {
+	var hosts []string
+	for i := 0; i < len(cli.Config.Hosts); i++ {
+		var err error
+		if cli.Config.Hosts[i], err = dopts.ParseHost(cli.Config.TLS, cli.Config.Hosts[i]); err != nil {
+			return nil, fmt.Errorf("error parsing -H %s : %v", cli.Config.Hosts[i], err)
+		}
+
+		protoAddr := cli.Config.Hosts[i]
+		protoAddrParts := strings.SplitN(protoAddr, "://", 2)
+		if len(protoAddrParts) != 2 {
+			return nil, fmt.Errorf("bad format %s, expected PROTO://ADDR", protoAddr)
+		}
+
+		proto := protoAddrParts[0]
+		addr := protoAddrParts[1]
+
+		// It's a bad idea to bind to TCP without tlsverify.
+		if proto == "tcp" && (serverConfig.TLSConfig == nil || serverConfig.TLSConfig.ClientAuth != tls.RequireAndVerifyClientCert) {
+			logrus.Warn("[!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]")
+		}
+		ls, err := listeners.Init(proto, addr, serverConfig.SocketGroup, serverConfig.TLSConfig)
+		if err != nil {
+			return nil, err
+		}
+		ls = wrapListeners(proto, ls)
+		// If we're binding to a TCP port, make sure that a container doesn't try to use it.
+		if proto == "tcp" {
+			if err := allocateDaemonPort(addr); err != nil {
+				return nil, err
+			}
+		}
+		logrus.Debugf("Listener created for HTTP on %s (%s)", proto, addr)
+		hosts = append(hosts, protoAddrParts[1])
+		cli.api.Accept(addr, ls...)
+	}
+
+	return hosts, nil
+}
+
+func createAndStartCluster(cli *DaemonCli, d *daemon.Daemon) (*cluster.Cluster, error) {
+	name, _ := os.Hostname()
+
+	// Use a buffered channel to pass changes from store watch API to daemon
+	// A buffer allows store watch API and daemon processing to not wait for each other
+	watchStream := make(chan *swarmapi.WatchMessage, 32)
+
+	c, err := cluster.New(cluster.Config{
+		Root:                   cli.Config.Root,
+		Name:                   name,
+		Backend:                d,
+		VolumeBackend:          d.VolumesService(),
+		ImageBackend:           d.ImageService(),
+		PluginBackend:          d.PluginManager(),
+		NetworkSubnetsProvider: d,
+		DefaultAdvertiseAddr:   cli.Config.SwarmDefaultAdvertiseAddr,
+		RaftHeartbeatTick:      cli.Config.SwarmRaftHeartbeatTick,
+		RaftElectionTick:       cli.Config.SwarmRaftElectionTick,
+		RuntimeRoot:            cli.getSwarmRunRoot(),
+		WatchStream:            watchStream,
+	})
+	if err != nil {
+		return nil, err
+	}
+	d.SetCluster(c)
+	err = c.Start()
+
+	return c, err
+}
+
+// validates that the plugins requested with the --authorization-plugin flag are valid AuthzDriver
+// plugins present on the host and available to the daemon
+func validateAuthzPlugins(requestedPlugins []string, pg plugingetter.PluginGetter) error {
+	for _, reqPlugin := range requestedPlugins {
+		if _, err := pg.Get(reqPlugin, authorization.AuthZApiImplements, plugingetter.Lookup); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/engine/cmd/dockerd/daemon_freebsd.go b/engine/cmd/dockerd/daemon_freebsd.go
new file mode 100644
index 00000000..6d013b81
--- /dev/null
+++ b/engine/cmd/dockerd/daemon_freebsd.go
@@ -0,0 +1,9 @@
+package main
+
+// preNotifySystem sends a message to the host when the API is active, but before the daemon is
+func preNotifySystem() {
+}
+
+// notifySystem sends a message to the host when the server is ready to be used
+func notifySystem() {
+}
diff --git a/engine/cmd/dockerd/daemon_linux.go b/engine/cmd/dockerd/daemon_linux.go
new file mode 100644
index 00000000..cf2d6527
--- /dev/null
+++ b/engine/cmd/dockerd/daemon_linux.go
@@ -0,0 +1,13 @@
+package main
+
+import systemdDaemon "github.com/coreos/go-systemd/daemon"
+
+// preNotifySystem sends a message to the host when the API is active, but before the daemon is
+func preNotifySystem() {
+}
+
+// notifySystem sends a message to the host when the server is ready to be used
+func notifySystem() {
+	// Tell the init daemon we are accepting requests
+	go systemdDaemon.SdNotify(false, systemdDaemon.SdNotifyReady)
+}
diff --git a/engine/cmd/dockerd/daemon_test.go b/engine/cmd/dockerd/daemon_test.go
new file mode 100644
index 00000000..ad447e3b
--- /dev/null
+++ b/engine/cmd/dockerd/daemon_test.go
@@ -0,0 +1,182 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/docker/docker/daemon/config"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/pflag"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+func defaultOptions(configFile string) *daemonOptions {
+	opts := newDaemonOptions(&config.Config{})
+	opts.flags = &pflag.FlagSet{}
+	opts.InstallFlags(opts.flags)
+	installConfigFlags(opts.daemonConfig, opts.flags)
+	opts.flags.StringVar(&opts.configFile, "config-file", defaultDaemonConfigFile, "")
+	opts.configFile = configFile
+	return opts
+}
+
+func TestLoadDaemonCliConfigWithoutOverriding(t *testing.T) {
+	opts := defaultOptions("")
+	opts.Debug = true
+
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+	if !loadedConfig.Debug {
+		t.Fatalf("expected debug to be copied from the common flags, got false")
+	}
+}
+
+func TestLoadDaemonCliConfigWithTLS(t *testing.T) {
+	opts := defaultOptions("")
+	opts.TLSOptions.CAFile = "/tmp/ca.pem"
+	opts.TLS = true
+
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+	assert.Check(t, is.Equal("/tmp/ca.pem", loadedConfig.CommonTLSOptions.CAFile))
+}
+
+func TestLoadDaemonCliConfigWithConflicts(t *testing.T) {
+	tempFile := fs.NewFile(t, "config", fs.WithContent(`{"labels": ["l3=foo"]}`))
+	defer tempFile.Remove()
+	configFile := tempFile.Path()
+
+	opts := defaultOptions(configFile)
+	flags := opts.flags
+
+	assert.Check(t, flags.Set("config-file", configFile))
+	assert.Check(t, flags.Set("label", "l1=bar"))
+	assert.Check(t, flags.Set("label", "l2=baz"))
+
+	_, err := loadDaemonCliConfig(opts)
+	assert.Check(t, is.ErrorContains(err, "as a flag and in the configuration file: labels"))
+}
+
+func TestLoadDaemonCliWithConflictingNodeGenericResources(t *testing.T) {
+	tempFile := fs.NewFile(t, "config", fs.WithContent(`{"node-generic-resources": ["foo=bar", "bar=baz"]}`))
+	defer tempFile.Remove()
+	configFile := tempFile.Path()
+
+	opts := defaultOptions(configFile)
+	flags := opts.flags
+
+	assert.Check(t, flags.Set("config-file", configFile))
+	assert.Check(t, flags.Set("node-generic-resource", "r1=bar"))
+	assert.Check(t, flags.Set("node-generic-resource", "r2=baz"))
+
+	_, err := loadDaemonCliConfig(opts)
+	assert.Check(t, is.ErrorContains(err, "as a flag and in the configuration file: node-generic-resources"))
+}
+
+func TestLoadDaemonCliWithConflictingLabels(t *testing.T) {
+	opts := defaultOptions("")
+	flags := opts.flags
+
+	assert.Check(t, flags.Set("label", "foo=bar"))
+	assert.Check(t, flags.Set("label", "foo=baz"))
+
+	_, err := loadDaemonCliConfig(opts)
+	assert.Check(t, is.Error(err, "conflict labels for foo=baz and foo=bar"))
+}
+
+func TestLoadDaemonCliWithDuplicateLabels(t *testing.T) {
+	opts := defaultOptions("")
+	flags := opts.flags
+
+	assert.Check(t, flags.Set("label", "foo=the-same"))
+	assert.Check(t, flags.Set("label", "foo=the-same"))
+
+	_, err := loadDaemonCliConfig(opts)
+	assert.Check(t, err)
+}
+
+func TestLoadDaemonCliConfigWithTLSVerify(t *testing.T) {
+	tempFile := fs.NewFile(t, "config", fs.WithContent(`{"tlsverify": true}`))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	opts.TLSOptions.CAFile = "/tmp/ca.pem"
+
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+	assert.Check(t, is.Equal(loadedConfig.TLS, true))
+}
+
+func TestLoadDaemonCliConfigWithExplicitTLSVerifyFalse(t *testing.T) {
+	tempFile := fs.NewFile(t, "config", fs.WithContent(`{"tlsverify": false}`))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	opts.TLSOptions.CAFile = "/tmp/ca.pem"
+
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+	assert.Check(t, loadedConfig.TLS)
+}
+
+func TestLoadDaemonCliConfigWithoutTLSVerify(t *testing.T) {
+	tempFile := fs.NewFile(t, "config", fs.WithContent(`{}`))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	opts.TLSOptions.CAFile = "/tmp/ca.pem"
+
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+	assert.Check(t, !loadedConfig.TLS)
+}
+
+func TestLoadDaemonCliConfigWithLogLevel(t *testing.T) {
+	tempFile := fs.NewFile(t, "config", fs.WithContent(`{"log-level": "warn"}`))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+	assert.Check(t, is.Equal("warn", loadedConfig.LogLevel))
+	assert.Check(t, is.Equal(logrus.WarnLevel, logrus.GetLevel()))
+}
+
+func TestLoadDaemonConfigWithEmbeddedOptions(t *testing.T) {
+	content := `{"tlscacert": "/etc/certs/ca.pem", "log-driver": "syslog"}`
+	tempFile := fs.NewFile(t, "config", fs.WithContent(content))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+	assert.Check(t, is.Equal("/etc/certs/ca.pem", loadedConfig.CommonTLSOptions.CAFile))
+	assert.Check(t, is.Equal("syslog", loadedConfig.LogConfig.Type))
+}
+
+func TestLoadDaemonConfigWithRegistryOptions(t *testing.T) {
+	content := `{
+		"allow-nondistributable-artifacts": ["allow-nondistributable-artifacts.com"],
+		"registry-mirrors": ["https://mirrors.docker.com"],
+		"insecure-registries": ["https://insecure.docker.com"]
+	}`
+	tempFile := fs.NewFile(t, "config", fs.WithContent(content))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+
+	assert.Check(t, is.Len(loadedConfig.AllowNondistributableArtifacts, 1))
+	assert.Check(t, is.Len(loadedConfig.Mirrors, 1))
+	assert.Check(t, is.Len(loadedConfig.InsecureRegistries, 1))
+}
diff --git a/engine/cmd/dockerd/daemon_unix.go b/engine/cmd/dockerd/daemon_unix.go
new file mode 100644
index 00000000..2561baa7
--- /dev/null
+++ b/engine/cmd/dockerd/daemon_unix.go
@@ -0,0 +1,117 @@
+// +build !windows
+
+package main
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"strconv"
+
+	"github.com/containerd/containerd/runtime/linux"
+	"github.com/docker/docker/cmd/dockerd/hack"
+	"github.com/docker/docker/daemon"
+	"github.com/docker/docker/libcontainerd"
+	"github.com/docker/libnetwork/portallocator"
+	"golang.org/x/sys/unix"
+)
+
+const defaultDaemonConfigFile = "/etc/docker/daemon.json"
+
+// setDefaultUmask sets the umask to 0022 to avoid problems
+// caused by custom umask
+func setDefaultUmask() error {
+	desiredUmask := 0022
+	unix.Umask(desiredUmask)
+	if umask := unix.Umask(desiredUmask); umask != desiredUmask {
+		return fmt.Errorf("failed to set umask: expected %#o, got %#o", desiredUmask, umask)
+	}
+
+	return nil
+}
+
+func getDaemonConfDir(_ string) string {
+	return "/etc/docker"
+}
+
+func (cli *DaemonCli) getPlatformRemoteOptions() ([]libcontainerd.RemoteOption, error) {
+	opts := []libcontainerd.RemoteOption{
+		libcontainerd.WithOOMScore(cli.Config.OOMScoreAdjust),
+		libcontainerd.WithPlugin("linux", &linux.Config{
+			Shim:        daemon.DefaultShimBinary,
+			Runtime:     daemon.DefaultRuntimeBinary,
+			RuntimeRoot: filepath.Join(cli.Config.Root, "runc"),
+			ShimDebug:   cli.Config.Debug,
+		}),
+	}
+	if cli.Config.Debug {
+		opts = append(opts, libcontainerd.WithLogLevel("debug"))
+	}
+	if cli.Config.ContainerdAddr != "" {
+		opts = append(opts, libcontainerd.WithRemoteAddr(cli.Config.ContainerdAddr))
+	} else {
+		opts = append(opts, libcontainerd.WithStartDaemon(true))
+	}
+
+	return opts, nil
+}
+
+// setupConfigReloadTrap configures the USR2 signal to reload the configuration.
+func (cli *DaemonCli) setupConfigReloadTrap() {
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, unix.SIGHUP)
+	go func() {
+		for range c {
+			cli.reloadConfig()
+		}
+	}()
+}
+
+// getSwarmRunRoot gets the root directory for swarm to store runtime state
+// For example, the control socket
+func (cli *DaemonCli) getSwarmRunRoot() string {
+	return filepath.Join(cli.Config.ExecRoot, "swarm")
+}
+
+// allocateDaemonPort ensures that there are no containers
+// that try to use any port allocated for the docker server.
+func allocateDaemonPort(addr string) error {
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		return err
+	}
+
+	intPort, err := strconv.Atoi(port)
+	if err != nil {
+		return err
+	}
+
+	var hostIPs []net.IP
+	if parsedIP := net.ParseIP(host); parsedIP != nil {
+		hostIPs = append(hostIPs, parsedIP)
+	} else if hostIPs, err = net.LookupIP(host); err != nil {
+		return fmt.Errorf("failed to lookup %s address in host specification", host)
+	}
+
+	pa := portallocator.Get()
+	for _, hostIP := range hostIPs {
+		if _, err := pa.RequestPort(hostIP, "tcp", intPort); err != nil {
+			return fmt.Errorf("failed to allocate daemon listening port %d (err: %v)", intPort, err)
+		}
+	}
+	return nil
+}
+
+func wrapListeners(proto string, ls []net.Listener) []net.Listener {
+	switch proto {
+	case "unix":
+		ls[0] = &hack.MalformedHostHeaderOverride{Listener: ls[0]}
+	case "fd":
+		for i := range ls {
+			ls[i] = &hack.MalformedHostHeaderOverride{Listener: ls[i]}
+		}
+	}
+	return ls
+}
diff --git a/engine/cmd/dockerd/daemon_unix_test.go b/engine/cmd/dockerd/daemon_unix_test.go
new file mode 100644
index 00000000..692d0328
--- /dev/null
+++ b/engine/cmd/dockerd/daemon_unix_test.go
@@ -0,0 +1,99 @@
+// +build !windows
+
+package main
+
+import (
+	"testing"
+
+	"github.com/docker/docker/daemon/config"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+func TestLoadDaemonCliConfigWithDaemonFlags(t *testing.T) {
+	content := `{"log-opts": {"max-size": "1k"}}`
+	tempFile := fs.NewFile(t, "config", fs.WithContent(content))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	opts.Debug = true
+	opts.LogLevel = "info"
+	assert.Check(t, opts.flags.Set("selinux-enabled", "true"))
+
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+
+	assert.Check(t, loadedConfig.Debug)
+	assert.Check(t, is.Equal("info", loadedConfig.LogLevel))
+	assert.Check(t, loadedConfig.EnableSelinuxSupport)
+	assert.Check(t, is.Equal("json-file", loadedConfig.LogConfig.Type))
+	assert.Check(t, is.Equal("1k", loadedConfig.LogConfig.Config["max-size"]))
+}
+
+func TestLoadDaemonConfigWithNetwork(t *testing.T) {
+	content := `{"bip": "127.0.0.2", "ip": "127.0.0.1"}`
+	tempFile := fs.NewFile(t, "config", fs.WithContent(content))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+
+	assert.Check(t, is.Equal("127.0.0.2", loadedConfig.IP))
+	assert.Check(t, is.Equal("127.0.0.1", loadedConfig.DefaultIP.String()))
+}
+
+func TestLoadDaemonConfigWithMapOptions(t *testing.T) {
+	content := `{
+		"cluster-store-opts": {"kv.cacertfile": "/var/lib/docker/discovery_certs/ca.pem"},
+		"log-opts": {"tag": "test"}
+}`
+	tempFile := fs.NewFile(t, "config", fs.WithContent(content))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+	assert.Check(t, loadedConfig.ClusterOpts != nil)
+
+	expectedPath := "/var/lib/docker/discovery_certs/ca.pem"
+	assert.Check(t, is.Equal(expectedPath, loadedConfig.ClusterOpts["kv.cacertfile"]))
+	assert.Check(t, loadedConfig.LogConfig.Config != nil)
+	assert.Check(t, is.Equal("test", loadedConfig.LogConfig.Config["tag"]))
+}
+
+func TestLoadDaemonConfigWithTrueDefaultValues(t *testing.T) {
+	content := `{ "userland-proxy": false }`
+	tempFile := fs.NewFile(t, "config", fs.WithContent(content))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+
+	assert.Check(t, !loadedConfig.EnableUserlandProxy)
+
+	// make sure reloading doesn't generate configuration
+	// conflicts after normalizing boolean values.
+	reload := func(reloadedConfig *config.Config) {
+		assert.Check(t, !reloadedConfig.EnableUserlandProxy)
+	}
+	assert.Check(t, config.Reload(opts.configFile, opts.flags, reload))
+}
+
+func TestLoadDaemonConfigWithTrueDefaultValuesLeaveDefaults(t *testing.T) {
+	tempFile := fs.NewFile(t, "config", fs.WithContent(`{}`))
+	defer tempFile.Remove()
+
+	opts := defaultOptions(tempFile.Path())
+	loadedConfig, err := loadDaemonCliConfig(opts)
+	assert.NilError(t, err)
+	assert.Assert(t, loadedConfig != nil)
+
+	assert.Check(t, loadedConfig.EnableUserlandProxy)
+}
diff --git a/engine/cmd/dockerd/daemon_windows.go b/engine/cmd/dockerd/daemon_windows.go
new file mode 100644
index 00000000..224c5094
--- /dev/null
+++ b/engine/cmd/dockerd/daemon_windows.go
@@ -0,0 +1,85 @@
+package main
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/libcontainerd"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+var defaultDaemonConfigFile = ""
+
+// setDefaultUmask doesn't do anything on windows
+func setDefaultUmask() error {
+	return nil
+}
+
+func getDaemonConfDir(root string) string {
+	return filepath.Join(root, `\config`)
+}
+
+// preNotifySystem sends a message to the host when the API is active, but before the daemon is
+func preNotifySystem() {
+	// start the service now to prevent timeouts waiting for daemon to start
+	// but still (eventually) complete all requests that are sent after this
+	if service != nil {
+		err := service.started()
+		if err != nil {
+			logrus.Fatal(err)
+		}
+	}
+}
+
+// notifySystem sends a message to the host when the server is ready to be used
+func notifySystem() {
+}
+
+// notifyShutdown is called after the daemon shuts down but before the process exits.
+func notifyShutdown(err error) {
+	if service != nil {
+		if err != nil {
+			logrus.Fatal(err)
+		}
+		service.stopped(err)
+	}
+}
+
+func (cli *DaemonCli) getPlatformRemoteOptions() ([]libcontainerd.RemoteOption, error) {
+	return nil, nil
+}
+
+// setupConfigReloadTrap configures a Win32 event to reload the configuration.
+func (cli *DaemonCli) setupConfigReloadTrap() {
+	go func() {
+		sa := windows.SecurityAttributes{
+			Length: 0,
+		}
+		event := "Global\\docker-daemon-config-" + fmt.Sprint(os.Getpid())
+		ev, _ := windows.UTF16PtrFromString(event)
+		if h, _ := windows.CreateEvent(&sa, 0, 0, ev); h != 0 {
+			logrus.Debugf("Config reload - waiting signal at %s", event)
+			for {
+				windows.WaitForSingleObject(h, windows.INFINITE)
+				cli.reloadConfig()
+			}
+		}
+	}()
+}
+
+// getSwarmRunRoot gets the root directory for swarm to store runtime state
+// For example, the control socket
+func (cli *DaemonCli) getSwarmRunRoot() string {
+	return ""
+}
+
+func allocateDaemonPort(addr string) error {
+	return nil
+}
+
+func wrapListeners(proto string, ls []net.Listener) []net.Listener {
+	return ls
+}
diff --git a/engine/cmd/dockerd/docker.go b/engine/cmd/dockerd/docker.go
new file mode 100644
index 00000000..197bb49c
--- /dev/null
+++ b/engine/cmd/dockerd/docker.go
@@ -0,0 +1,74 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+
+	"github.com/docker/docker/cli"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/pkg/reexec"
+	"github.com/docker/docker/pkg/term"
+	"github.com/moby/buildkit/util/apicaps"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func newDaemonCommand() *cobra.Command {
+	opts := newDaemonOptions(config.New())
+
+	cmd := &cobra.Command{
+		Use:           "dockerd [OPTIONS]",
+		Short:         "A self-sufficient runtime for containers.",
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		Args:          cli.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.flags = cmd.Flags()
+			return runDaemon(opts)
+		},
+		DisableFlagsInUseLine: true,
+		Version:               fmt.Sprintf("%s, build %s", dockerversion.Version, dockerversion.GitCommit),
+	}
+	cli.SetupRootCommand(cmd)
+
+	flags := cmd.Flags()
+	flags.BoolP("version", "v", false, "Print version information and quit")
+	flags.StringVar(&opts.configFile, "config-file", defaultDaemonConfigFile, "Daemon configuration file")
+	opts.InstallFlags(flags)
+	installConfigFlags(opts.daemonConfig, flags)
+	installServiceFlags(flags)
+
+	return cmd
+}
+
+func init() {
+	if dockerversion.ProductName != "" {
+		apicaps.ExportedProduct = dockerversion.ProductName
+	}
+}
+
+func main() {
+	if reexec.Init() {
+		return
+	}
+
+	// Set terminal emulation based on platform as required.
+	_, stdout, stderr := term.StdStreams()
+
+	// @jhowardmsft - maybe there is a historic reason why on non-Windows, stderr is used
+	// here. However, on Windows it makes no sense and there is no need.
+	if runtime.GOOS == "windows" {
+		logrus.SetOutput(stdout)
+	} else {
+		logrus.SetOutput(stderr)
+	}
+
+	cmd := newDaemonCommand()
+	cmd.SetOutput(stdout)
+	if err := cmd.Execute(); err != nil {
+		fmt.Fprintf(stderr, "%s\n", err)
+		os.Exit(1)
+	}
+}
diff --git a/engine/cmd/dockerd/docker_unix.go b/engine/cmd/dockerd/docker_unix.go
new file mode 100644
index 00000000..0dec4866
--- /dev/null
+++ b/engine/cmd/dockerd/docker_unix.go
@@ -0,0 +1,8 @@
+// +build !windows
+
+package main
+
+func runDaemon(opts *daemonOptions) error {
+	daemonCli := NewDaemonCli()
+	return daemonCli.start(opts)
+}
diff --git a/engine/cmd/dockerd/docker_windows.go b/engine/cmd/dockerd/docker_windows.go
new file mode 100644
index 00000000..bd8bc5a5
--- /dev/null
+++ b/engine/cmd/dockerd/docker_windows.go
@@ -0,0 +1,38 @@
+package main
+
+import (
+	"path/filepath"
+
+	_ "github.com/docker/docker/autogen/winresources/dockerd"
+	"github.com/sirupsen/logrus"
+)
+
+func runDaemon(opts *daemonOptions) error {
+	daemonCli := NewDaemonCli()
+
+	// On Windows, this may be launching as a service or with an option to
+	// register the service.
+	stop, runAsService, err := initService(daemonCli)
+	if err != nil {
+		logrus.Fatal(err)
+	}
+
+	if stop {
+		return nil
+	}
+
+	// Windows specific settings as these are not defaulted.
+	if opts.configFile == "" {
+		opts.configFile = filepath.Join(opts.daemonConfig.Root, `config\daemon.json`)
+	}
+	if runAsService {
+		// If Windows SCM manages the service - no need for PID files
+		opts.daemonConfig.Pidfile = ""
+	} else if opts.daemonConfig.Pidfile == "" {
+		opts.daemonConfig.Pidfile = filepath.Join(opts.daemonConfig.Root, "docker.pid")
+	}
+
+	err = daemonCli.start(opts)
+	notifyShutdown(err)
+	return err
+}
diff --git a/engine/cmd/dockerd/hack/malformed_host_override.go b/engine/cmd/dockerd/hack/malformed_host_override.go
new file mode 100644
index 00000000..ddd5eb9d
--- /dev/null
+++ b/engine/cmd/dockerd/hack/malformed_host_override.go
@@ -0,0 +1,121 @@
+// +build !windows
+
+package hack // import "github.com/docker/docker/cmd/dockerd/hack"
+
+import "net"
+
+// MalformedHostHeaderOverride is a wrapper to be able
+// to overcome the 400 Bad request coming from old docker
+// clients that send an invalid Host header.
+type MalformedHostHeaderOverride struct {
+	net.Listener
+}
+
+// MalformedHostHeaderOverrideConn wraps the underlying unix
+// connection and keeps track of the first read from http.Server
+// which just reads the headers.
+type MalformedHostHeaderOverrideConn struct {
+	net.Conn
+	first bool
+}
+
+var closeConnHeader = []byte("\r\nConnection: close\r")
+
+// Read reads the first *read* request from http.Server to inspect
+// the Host header. If the Host starts with / then we're talking to
+// an old docker client which send an invalid Host header. To not
+// error out in http.Server we rewrite the first bytes of the request
+// to sanitize the Host header itself.
+// In case we're not dealing with old docker clients the data is just passed
+// to the server w/o modification.
+func (l *MalformedHostHeaderOverrideConn) Read(b []byte) (n int, err error) {
+	// http.Server uses a 4k buffer
+	if l.first && len(b) == 4096 {
+		// This keeps track of the first read from http.Server which just reads
+		// the headers
+		l.first = false
+		// The first read of the connection by http.Server is done limited to
+		// DefaultMaxHeaderBytes (usually 1 << 20) + 4096.
+		// Here we do the first read which gets us all the http headers to
+		// be inspected and modified below.
+		c, err := l.Conn.Read(b)
+		if err != nil {
+			return c, err
+		}
+
+		var (
+			start, end    int
+			firstLineFeed = -1
+			buf           []byte
+		)
+		for i := 0; i <= c-1-7; i++ {
+			if b[i] == '\n' && firstLineFeed == -1 {
+				firstLineFeed = i
+			}
+			if b[i] != '\n' {
+				continue
+			}
+
+			if b[i+1] == '\r' && b[i+2] == '\n' {
+				return c, nil
+			}
+
+			if b[i+1] != 'H' {
+				continue
+			}
+			if b[i+2] != 'o' {
+				continue
+			}
+			if b[i+3] != 's' {
+				continue
+			}
+			if b[i+4] != 't' {
+				continue
+			}
+			if b[i+5] != ':' {
+				continue
+			}
+			if b[i+6] != ' ' {
+				continue
+			}
+			if b[i+7] != '/' {
+				continue
+			}
+			// ensure clients other than the docker clients do not get this hack
+			if i != firstLineFeed {
+				return c, nil
+			}
+			start = i + 7
+			// now find where the value ends
+			for ii, bbb := range b[start:c] {
+				if bbb == '\n' {
+					end = start + ii
+					break
+				}
+			}
+			buf = make([]byte, 0, c+len(closeConnHeader)-(end-start))
+			// strip the value of the host header and
+			// inject `Connection: close` to ensure we don't reuse this connection
+			buf = append(buf, b[:start]...)
+			buf = append(buf, closeConnHeader...)
+			buf = append(buf, b[end:c]...)
+			copy(b, buf)
+			break
+		}
+		if len(buf) == 0 {
+			return c, nil
+		}
+		return len(buf), nil
+	}
+	return l.Conn.Read(b)
+}
+
+// Accept makes the listener accepts connections and wraps the connection
+// in a MalformedHostHeaderOverrideConn initializing first to true.
+func (l *MalformedHostHeaderOverride) Accept() (net.Conn, error) {
+	c, err := l.Listener.Accept()
+	if err != nil {
+		return c, err
+	}
+	return &MalformedHostHeaderOverrideConn{c, true}, nil
+}
diff --git a/engine/cmd/dockerd/hack/malformed_host_override_test.go b/engine/cmd/dockerd/hack/malformed_host_override_test.go
new file mode 100644
index 00000000..6874b059
--- /dev/null
+++ b/engine/cmd/dockerd/hack/malformed_host_override_test.go
@@ -0,0 +1,124 @@
+// +build !windows
+
+package hack // import "github.com/docker/docker/cmd/dockerd/hack"
+
+import (
+	"bytes"
+	"io"
+	"net"
+	"strings"
+	"testing"
+)
+
+type bufConn struct {
+	net.Conn
+	buf *bytes.Buffer
+}
+
+func (bc *bufConn) Read(b []byte) (int, error) {
+	return bc.buf.Read(b)
+}
+
+func TestHeaderOverrideHack(t *testing.T) {
+	tests := [][2][]byte{
+		{
+			[]byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\r\n\r\n"),
+			[]byte("GET /foo\nHost: \r\nConnection: close\r\nUser-Agent: Docker\r\n\r\n"),
+		},
+		{
+			[]byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\nFoo: Bar\r\n"),
+			[]byte("GET /foo\nHost: \r\nConnection: close\r\nUser-Agent: Docker\nFoo: Bar\r\n"),
+		},
+		{
+			[]byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\r\n\r\ntest something!"),
+			[]byte("GET /foo\nHost: \r\nConnection: close\r\nUser-Agent: Docker\r\n\r\ntest something!"),
+		},
+		{
+			[]byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\r\n\r\ntest something! " + strings.Repeat("test", 15000)),
+			[]byte("GET /foo\nHost: \r\nConnection: close\r\nUser-Agent: Docker\r\n\r\ntest something! " + strings.Repeat("test", 15000)),
+		},
+		{
+			[]byte("GET /foo\nFoo: Bar\nHost: /var/run/docker.sock\nUser-Agent: Docker\r\n\r\n"),
+			[]byte("GET /foo\nFoo: Bar\nHost: /var/run/docker.sock\nUser-Agent: Docker\r\n\r\n"),
+		},
+	}
+
+	// Test for https://github.com/docker/docker/issues/23045
+	h0 := "GET /foo\nUser-Agent: Docker\r\n\r\n"
+	h0 = h0 + strings.Repeat("a", 4096-len(h0)-1) + "\n"
+	tests = append(tests, [2][]byte{[]byte(h0), []byte(h0)})
+
+	for _, pair := range tests {
+		read := make([]byte, 4096)
+		client := &bufConn{
+			buf: bytes.NewBuffer(pair[0]),
+		}
+		l := MalformedHostHeaderOverrideConn{client, true}
+
+		n, err := l.Read(read)
+		if err != nil && err != io.EOF {
+			t.Fatalf("read: %d - %d, err: %v\n%s", n, len(pair[0]), err, string(read[:n]))
+		}
+		if !bytes.Equal(read[:n], pair[1][:n]) {
+			t.Fatalf("\n%s\n%s\n", read[:n], pair[1][:n])
+		}
+	}
+}
+
+func BenchmarkWithHack(b *testing.B) {
+	client, srv := net.Pipe()
+	done := make(chan struct{})
+	req := []byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\n")
+	read := make([]byte, 4096)
+	b.SetBytes(int64(len(req) * 30))
+
+	l := MalformedHostHeaderOverrideConn{client, true}
+	go func() {
+		for {
+			if _, err := srv.Write(req); err != nil {
+				srv.Close()
+				break
+			}
+			l.first = true // make sure each subsequent run uses the hack parsing
+		}
+		close(done)
+	}()
+
+	for i := 0; i < b.N; i++ {
+		for i := 0; i < 30; i++ {
+			if n, err := l.Read(read); err != nil && err != io.EOF {
+				b.Fatalf("read: %d - %d, err: %v\n%s", n, len(req), err, string(read[:n]))
+			}
+		}
+	}
+	l.Close()
+	<-done
+}
+
+func BenchmarkNoHack(b *testing.B) {
+	client, srv := net.Pipe()
+	done := make(chan struct{})
+	req := []byte("GET /foo\nHost: /var/run/docker.sock\nUser-Agent: Docker\n")
+	read := make([]byte, 4096)
+	b.SetBytes(int64(len(req) * 30))
+
+	go func() {
+		for {
+			if _, err := srv.Write(req); err != nil {
+				srv.Close()
+				break
+			}
+		}
+		close(done)
+	}()
+
+	for i := 0; i < b.N; i++ {
+		for i := 0; i < 30; i++ {
+			if _, err := client.Read(read); err != nil && err != io.EOF {
+				b.Fatal(err)
+			}
+		}
+	}
+	client.Close()
+	<-done
+}
diff --git a/engine/cmd/dockerd/metrics.go b/engine/cmd/dockerd/metrics.go
new file mode 100644
index 00000000..20ceaf84
--- /dev/null
+++ b/engine/cmd/dockerd/metrics.go
@@ -0,0 +1,27 @@
+package main
+
+import (
+	"net"
+	"net/http"
+
+	"github.com/docker/go-metrics"
+	"github.com/sirupsen/logrus"
+)
+
+func startMetricsServer(addr string) error {
+	if err := allocateDaemonPort(addr); err != nil {
+		return err
+	}
+	l, err := net.Listen("tcp", addr)
+	if err != nil {
+		return err
+	}
+	mux := http.NewServeMux()
+	mux.Handle("/metrics", metrics.Handler())
+	go func() {
+		if err := http.Serve(l, mux); err != nil {
+			logrus.Errorf("serve metrics api: %s", err)
+		}
+	}()
+	return nil
+}
diff --git a/engine/cmd/dockerd/options.go b/engine/cmd/dockerd/options.go
new file mode 100644
index 00000000..a6276add
--- /dev/null
+++ b/engine/cmd/dockerd/options.go
@@ -0,0 +1,122 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	cliconfig "github.com/docker/docker/cli/config"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/opts"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/pflag"
+)
+
+const (
+	// DefaultCaFile is the default filename for the CA pem file
+	DefaultCaFile = "ca.pem"
+	// DefaultKeyFile is the default filename for the key pem file
+	DefaultKeyFile = "key.pem"
+	// DefaultCertFile is the default filename for the cert pem file
+	DefaultCertFile = "cert.pem"
+	// FlagTLSVerify is the flag name for the TLS verification option
+	FlagTLSVerify = "tlsverify"
+)
+
+var (
+	dockerCertPath  = os.Getenv("DOCKER_CERT_PATH")
+	dockerTLSVerify = os.Getenv("DOCKER_TLS_VERIFY") != ""
+)
+
+type daemonOptions struct {
+	configFile   string
+	daemonConfig *config.Config
+	flags        *pflag.FlagSet
+	Debug        bool
+	Hosts        []string
+	LogLevel     string
+	TLS          bool
+	TLSVerify    bool
+	TLSOptions   *tlsconfig.Options
+}
+
+// newDaemonOptions returns a new daemonFlags
+func newDaemonOptions(config *config.Config) *daemonOptions {
+	return &daemonOptions{
+		daemonConfig: config,
+	}
+}
+
+// InstallFlags adds flags for the common options on the FlagSet
+func (o *daemonOptions) InstallFlags(flags *pflag.FlagSet) {
+	if dockerCertPath == "" {
+		dockerCertPath = cliconfig.Dir()
+	}
+
+	flags.BoolVarP(&o.Debug, "debug", "D", false, "Enable debug mode")
+	flags.StringVarP(&o.LogLevel, "log-level", "l", "info", `Set the logging level ("debug"|"info"|"warn"|"error"|"fatal")`)
+	flags.BoolVar(&o.TLS, "tls", false, "Use TLS; implied by --tlsverify")
+	flags.BoolVar(&o.TLSVerify, FlagTLSVerify, dockerTLSVerify, "Use TLS and verify the remote")
+
+	// TODO use flag flags.String("identity"}, "i", "", "Path to libtrust key file")
+
+	o.TLSOptions = &tlsconfig.Options{
+		CAFile:   filepath.Join(dockerCertPath, DefaultCaFile),
+		CertFile: filepath.Join(dockerCertPath, DefaultCertFile),
+		KeyFile:  filepath.Join(dockerCertPath, DefaultKeyFile),
+	}
+	tlsOptions := o.TLSOptions
+	flags.Var(opts.NewQuotedString(&tlsOptions.CAFile), "tlscacert", "Trust certs signed only by this CA")
+	flags.Var(opts.NewQuotedString(&tlsOptions.CertFile), "tlscert", "Path to TLS certificate file")
+	flags.Var(opts.NewQuotedString(&tlsOptions.KeyFile), "tlskey", "Path to TLS key file")
+
+	hostOpt := opts.NewNamedListOptsRef("hosts", &o.Hosts, opts.ValidateHost)
+	flags.VarP(hostOpt, "host", "H", "Daemon socket(s) to connect to")
+}
+
+// SetDefaultOptions sets default values for options after flag parsing is
+// complete
+func (o *daemonOptions) SetDefaultOptions(flags *pflag.FlagSet) {
+	// Regardless of whether the user sets it to true or false, if they
+	// specify --tlsverify at all then we need to turn on TLS
+	// TLSVerify can be true even if not set due to DOCKER_TLS_VERIFY env var, so we need
+	// to check that here as well
+	if flags.Changed(FlagTLSVerify) || o.TLSVerify {
+		o.TLS = true
+	}
+
+	if !o.TLS {
+		o.TLSOptions = nil
+	} else {
+		tlsOptions := o.TLSOptions
+		tlsOptions.InsecureSkipVerify = !o.TLSVerify
+
+		// Reset CertFile and KeyFile to empty string if the user did not specify
+		// the respective flags and the respective default files were not found.
+		if !flags.Changed("tlscert") {
+			if _, err := os.Stat(tlsOptions.CertFile); os.IsNotExist(err) {
+				tlsOptions.CertFile = ""
+			}
+		}
+		if !flags.Changed("tlskey") {
+			if _, err := os.Stat(tlsOptions.KeyFile); os.IsNotExist(err) {
+				tlsOptions.KeyFile = ""
+			}
+		}
+	}
+}
+
+// setLogLevel sets the logrus logging level
+func setLogLevel(logLevel string) {
+	if logLevel != "" {
+		lvl, err := logrus.ParseLevel(logLevel)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Unable to parse logging level: %s\n", logLevel)
+			os.Exit(1)
+		}
+		logrus.SetLevel(lvl)
+	} else {
+		logrus.SetLevel(logrus.InfoLevel)
+	}
+}
diff --git a/engine/cmd/dockerd/options_test.go b/engine/cmd/dockerd/options_test.go
new file mode 100644
index 00000000..691118f0
--- /dev/null
+++ b/engine/cmd/dockerd/options_test.go
@@ -0,0 +1,44 @@
+package main
+
+import (
+	"path/filepath"
+	"testing"
+
+	cliconfig "github.com/docker/docker/cli/config"
+	"github.com/docker/docker/daemon/config"
+	"github.com/spf13/pflag"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestCommonOptionsInstallFlags(t *testing.T) {
+	flags := pflag.NewFlagSet("testing", pflag.ContinueOnError)
+	opts := newDaemonOptions(&config.Config{})
+	opts.InstallFlags(flags)
+
+	err := flags.Parse([]string{
+		"--tlscacert=\"/foo/cafile\"",
+		"--tlscert=\"/foo/cert\"",
+		"--tlskey=\"/foo/key\"",
+	})
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("/foo/cafile", opts.TLSOptions.CAFile))
+	assert.Check(t, is.Equal("/foo/cert", opts.TLSOptions.CertFile))
+	assert.Check(t, is.Equal(opts.TLSOptions.KeyFile, "/foo/key"))
+}
+
+func defaultPath(filename string) string {
+	return filepath.Join(cliconfig.Dir(), filename)
+}
+
+func TestCommonOptionsInstallFlagsWithDefaults(t *testing.T) {
+	flags := pflag.NewFlagSet("testing", pflag.ContinueOnError)
+	opts := newDaemonOptions(&config.Config{})
+	opts.InstallFlags(flags)
+
+	err := flags.Parse([]string{})
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(defaultPath("ca.pem"), opts.TLSOptions.CAFile))
+	assert.Check(t, is.Equal(defaultPath("cert.pem"), opts.TLSOptions.CertFile))
+	assert.Check(t, is.Equal(defaultPath("key.pem"), opts.TLSOptions.KeyFile))
+}
diff --git a/engine/cmd/dockerd/service_unsupported.go b/engine/cmd/dockerd/service_unsupported.go
new file mode 100644
index 00000000..bbcb7f3f
--- /dev/null
+++ b/engine/cmd/dockerd/service_unsupported.go
@@ -0,0 +1,10 @@
+// +build !windows
+
+package main
+
+import (
+	"github.com/spf13/pflag"
+)
+
+func installServiceFlags(flags *pflag.FlagSet) {
+}
diff --git a/engine/cmd/dockerd/service_windows.go b/engine/cmd/dockerd/service_windows.go
new file mode 100644
index 00000000..00432af6
--- /dev/null
+++ b/engine/cmd/dockerd/service_windows.go
@@ -0,0 +1,430 @@
+package main
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+	"unsafe"
+
+	"github.com/docker/docker/pkg/system"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/pflag"
+	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/svc"
+	"golang.org/x/sys/windows/svc/debug"
+	"golang.org/x/sys/windows/svc/eventlog"
+	"golang.org/x/sys/windows/svc/mgr"
+)
+
+var (
+	flServiceName       *string
+	flRegisterService   *bool
+	flUnregisterService *bool
+	flRunService        *bool
+
+	setStdHandle = windows.NewLazySystemDLL("kernel32.dll").NewProc("SetStdHandle")
+	oldStderr    windows.Handle
+	panicFile    *os.File
+
+	service *handler
+)
+
+const (
+	// These should match the values in event_messages.mc.
+	eventInfo  = 1
+	eventWarn  = 1
+	eventError = 1
+	eventDebug = 2
+	eventPanic = 3
+	eventFatal = 4
+
+	eventExtraOffset = 10 // Add this to any event to get a string that supports extended data
+)
+
+func installServiceFlags(flags *pflag.FlagSet) {
+	flServiceName = flags.String("service-name", "docker", "Set the Windows service name")
+	flRegisterService = flags.Bool("register-service", false, "Register the service and exit")
+	flUnregisterService = flags.Bool("unregister-service", false, "Unregister the service and exit")
+	flRunService = flags.Bool("run-service", false, "")
+	flags.MarkHidden("run-service")
+}
+
+type handler struct {
+	tosvc     chan bool
+	fromsvc   chan error
+	daemonCli *DaemonCli
+}
+
+type etwHook struct {
+	log *eventlog.Log
+}
+
+func (h *etwHook) Levels() []logrus.Level {
+	return []logrus.Level{
+		logrus.PanicLevel,
+		logrus.FatalLevel,
+		logrus.ErrorLevel,
+		logrus.WarnLevel,
+		logrus.InfoLevel,
+		logrus.DebugLevel,
+	}
+}
+
+func (h *etwHook) Fire(e *logrus.Entry) error {
+	var (
+		etype uint16
+		eid   uint32
+	)
+
+	switch e.Level {
+	case logrus.PanicLevel:
+		etype = windows.EVENTLOG_ERROR_TYPE
+		eid = eventPanic
+	case logrus.FatalLevel:
+		etype = windows.EVENTLOG_ERROR_TYPE
+		eid = eventFatal
+	case logrus.ErrorLevel:
+		etype = windows.EVENTLOG_ERROR_TYPE
+		eid = eventError
+	case logrus.WarnLevel:
+		etype = windows.EVENTLOG_WARNING_TYPE
+		eid = eventWarn
+	case logrus.InfoLevel:
+		etype = windows.EVENTLOG_INFORMATION_TYPE
+		eid = eventInfo
+	case logrus.DebugLevel:
+		etype = windows.EVENTLOG_INFORMATION_TYPE
+		eid = eventDebug
+	default:
+		return errors.New("unknown level")
+	}
+
+	// If there is additional data, include it as a second string.
+	exts := ""
+	if len(e.Data) > 0 {
+		fs := bytes.Buffer{}
+		for k, v := range e.Data {
+			fs.WriteString(k)
+			fs.WriteByte('=')
+			fmt.Fprint(&fs, v)
+			fs.WriteByte(' ')
+		}
+
+		exts = fs.String()[:fs.Len()-1]
+		eid += eventExtraOffset
+	}
+
+	if h.log == nil {
+		fmt.Fprintf(os.Stderr, "%s [%s]\n", e.Message, exts)
+		return nil
+	}
+
+	var (
+		ss  [2]*uint16
+		err error
+	)
+
+	ss[0], err = windows.UTF16PtrFromString(e.Message)
+	if err != nil {
+		return err
+	}
+
+	count := uint16(1)
+	if exts != "" {
+		ss[1], err = windows.UTF16PtrFromString(exts)
+		if err != nil {
+			return err
+		}
+
+		count++
+	}
+
+	return windows.ReportEvent(h.log.Handle, etype, 0, eid, 0, count, 0, &ss[0], nil)
+}
+
+func getServicePath() (string, error) {
+	p, err := exec.LookPath(os.Args[0])
+	if err != nil {
+		return "", err
+	}
+	return filepath.Abs(p)
+}
+
+func registerService() error {
+	p, err := getServicePath()
+	if err != nil {
+		return err
+	}
+	m, err := mgr.Connect()
+	if err != nil {
+		return err
+	}
+	defer m.Disconnect()
+
+	depends := []string{}
+
+	// This dependency is required on build 14393 (RS1)
+	// it is added to the platform in newer builds
+	if system.GetOSVersion().Build == 14393 {
+		depends = append(depends, "ConDrv")
+	}
+
+	c := mgr.Config{
+		ServiceType:  windows.SERVICE_WIN32_OWN_PROCESS,
+		StartType:    mgr.StartAutomatic,
+		ErrorControl: mgr.ErrorNormal,
+		Dependencies: depends,
+		DisplayName:  "Docker Engine",
+	}
+
+	// Configure the service to launch with the arguments that were just passed.
+	args := []string{"--run-service"}
+	for _, a := range os.Args[1:] {
+		if a != "--register-service" && a != "--unregister-service" {
+			args = append(args, a)
+		}
+	}
+
+	s, err := m.CreateService(*flServiceName, p, c, args...)
+	if err != nil {
+		return err
+	}
+	defer s.Close()
+
+	// See http://stackoverflow.com/questions/35151052/how-do-i-configure-failure-actions-of-a-windows-service-written-in-go
+	const (
+		scActionNone       = 0
+		scActionRestart    = 1
+		scActionReboot     = 2
+		scActionRunCommand = 3
+
+		serviceConfigFailureActions = 2
+	)
+
+	type serviceFailureActions struct {
+		ResetPeriod  uint32
+		RebootMsg    *uint16
+		Command      *uint16
+		ActionsCount uint32
+		Actions      uintptr
+	}
+
+	type scAction struct {
+		Type  uint32
+		Delay uint32
+	}
+	t := []scAction{
+		{Type: scActionRestart, Delay: uint32(60 * time.Second / time.Millisecond)},
+		{Type: scActionRestart, Delay: uint32(60 * time.Second / time.Millisecond)},
+		{Type: scActionNone},
+	}
+	lpInfo := serviceFailureActions{ResetPeriod: uint32(24 * time.Hour / time.Second), ActionsCount: uint32(3), Actions: uintptr(unsafe.Pointer(&t[0]))}
+	err = windows.ChangeServiceConfig2(s.Handle, serviceConfigFailureActions, (*byte)(unsafe.Pointer(&lpInfo)))
+	if err != nil {
+		return err
+	}
+
+	return eventlog.Install(*flServiceName, p, false, eventlog.Info|eventlog.Warning|eventlog.Error)
+}
+
+func unregisterService() error {
+	m, err := mgr.Connect()
+	if err != nil {
+		return err
+	}
+	defer m.Disconnect()
+
+	s, err := m.OpenService(*flServiceName)
+	if err != nil {
+		return err
+	}
+	defer s.Close()
+
+	eventlog.Remove(*flServiceName)
+	err = s.Delete()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// initService is the entry point for running the daemon as a Windows
+// service. It returns an indication to stop (if registering/un-registering);
+// an indication of whether it is running as a service; and an error.
+func initService(daemonCli *DaemonCli) (bool, bool, error) {
+	if *flUnregisterService {
+		if *flRegisterService {
+			return true, false, errors.New("--register-service and --unregister-service cannot be used together")
+		}
+		return true, false, unregisterService()
+	}
+
+	if *flRegisterService {
+		return true, false, registerService()
+	}
+
+	if !*flRunService {
+		return false, false, nil
+	}
+
+	interactive, err := svc.IsAnInteractiveSession()
+	if err != nil {
+		return false, false, err
+	}
+
+	h := &handler{
+		tosvc:     make(chan bool),
+		fromsvc:   make(chan error),
+		daemonCli: daemonCli,
+	}
+
+	var log *eventlog.Log
+	if !interactive {
+		log, err = eventlog.Open(*flServiceName)
+		if err != nil {
+			return false, false, err
+		}
+	}
+
+	logrus.AddHook(&etwHook{log})
+	logrus.SetOutput(ioutil.Discard)
+
+	service = h
+	go func() {
+		if interactive {
+			err = debug.Run(*flServiceName, h)
+		} else {
+			err = svc.Run(*flServiceName, h)
+		}
+
+		h.fromsvc <- err
+	}()
+
+	// Wait for the first signal from the service handler.
+	err = <-h.fromsvc
+	if err != nil {
+		return false, false, err
+	}
+	return false, true, nil
+}
+
+func (h *handler) started() error {
+	// This must be delayed until daemonCli initializes Config.Root
+	err := initPanicFile(filepath.Join(h.daemonCli.Config.Root, "panic.log"))
+	if err != nil {
+		return err
+	}
+
+	h.tosvc <- false
+	return nil
+}
+
+func (h *handler) stopped(err error) {
+	logrus.Debugf("Stopping service: %v", err)
+	h.tosvc <- err != nil
+	<-h.fromsvc
+}
+
+func (h *handler) Execute(_ []string, r <-chan svc.ChangeRequest, s chan<- svc.Status) (bool, uint32) {
+	s <- svc.Status{State: svc.StartPending, Accepts: 0}
+	// Unblock initService()
+	h.fromsvc <- nil
+
+	// Wait for initialization to complete.
+	failed := <-h.tosvc
+	if failed {
+		logrus.Debug("Aborting service start due to failure during initialization")
+		return true, 1
+	}
+
+	s <- svc.Status{State: svc.Running, Accepts: svc.AcceptStop | svc.AcceptShutdown | svc.Accepted(windows.SERVICE_ACCEPT_PARAMCHANGE)}
+	logrus.Debug("Service running")
+Loop:
+	for {
+		select {
+		case failed = <-h.tosvc:
+			break Loop
+		case c := <-r:
+			switch c.Cmd {
+			case svc.Cmd(windows.SERVICE_CONTROL_PARAMCHANGE):
+				h.daemonCli.reloadConfig()
+			case svc.Interrogate:
+				s <- c.CurrentStatus
+			case svc.Stop, svc.Shutdown:
+				s <- svc.Status{State: svc.StopPending, Accepts: 0}
+				h.daemonCli.stop()
+			}
+		}
+	}
+
+	removePanicFile()
+	if failed {
+		return true, 1
+	}
+	return false, 0
+}
+
+func initPanicFile(path string) error {
+	var err error
+	panicFile, err = os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0)
+	if err != nil {
+		return err
+	}
+
+	st, err := panicFile.Stat()
+	if err != nil {
+		return err
+	}
+
+	// If there are contents in the file already, move the file out of the way
+	// and replace it.
+	if st.Size() > 0 {
+		panicFile.Close()
+		os.Rename(path, path+".old")
+		panicFile, err = os.Create(path)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Update STD_ERROR_HANDLE to point to the panic file so that Go writes to
+	// it when it panics. Remember the old stderr to restore it before removing
+	// the panic file.
+	sh := windows.STD_ERROR_HANDLE
+	h, err := windows.GetStdHandle(uint32(sh))
+	if err != nil {
+		return err
+	}
+
+	oldStderr = h
+
+	r, _, err := setStdHandle.Call(uintptr(sh), uintptr(panicFile.Fd()))
+	if r == 0 && err != nil {
+		return err
+	}
+
+	// Reset os.Stderr to the panic file (so fmt.Fprintf(os.Stderr,...) actually gets redirected)
+	os.Stderr = os.NewFile(uintptr(panicFile.Fd()), "/dev/stderr")
+
+	// Force threads that panic to write to stderr (the panicFile handle now), otherwise it will go into the ether
+	log.SetOutput(os.Stderr)
+
+	return nil
+}
+
+func removePanicFile() {
+	if st, err := panicFile.Stat(); err == nil {
+		if st.Size() == 0 {
+			sh := windows.STD_ERROR_HANDLE
+			setStdHandle.Call(uintptr(sh), uintptr(oldStderr))
+			panicFile.Close()
+			os.Remove(panicFile.Name())
+		}
+	}
+}
diff --git a/engine/codecov.yml b/engine/codecov.yml
new file mode 100644
index 00000000..594265c6
--- /dev/null
+++ b/engine/codecov.yml
@@ -0,0 +1,17 @@
+comment:
+  layout: header, changes, diff, sunburst
+coverage:
+  status:
+    patch:
+      default:
+        target: 50%
+        only_pulls: true
+    # project will give us the diff in the total code coverage between a commit
+    # and its parent
+    project:
+      default:
+        target: auto
+        threshold: "15%"
+    changes: false
+ignore:
+  - "vendor/*"
diff --git a/engine/container/archive.go b/engine/container/archive.go
new file mode 100644
index 00000000..ed72c4a4
--- /dev/null
+++ b/engine/container/archive.go
@@ -0,0 +1,86 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"os"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+)
+
+// ResolvePath resolves the given path in the container to a resource on the
+// host. Returns a resolved path (absolute path to the resource on the host),
+// the absolute path to the resource relative to the container's rootfs, and
+// an error if the path points to outside the container's rootfs.
+func (container *Container) ResolvePath(path string) (resolvedPath, absPath string, err error) {
+	if container.BaseFS == nil {
+		return "", "", errors.New("ResolvePath: BaseFS of container " + container.ID + " is unexpectedly nil")
+	}
+	// Check if a drive letter supplied, it must be the system drive. No-op except on Windows
+	path, err = system.CheckSystemDriveAndRemoveDriveLetter(path, container.BaseFS)
+	if err != nil {
+		return "", "", err
+	}
+
+	// Consider the given path as an absolute path in the container.
+	absPath = archive.PreserveTrailingDotOrSeparator(
+		container.BaseFS.Join(string(container.BaseFS.Separator()), path),
+		path,
+		container.BaseFS.Separator())
+
+	// Split the absPath into its Directory and Base components. We will
+	// resolve the dir in the scope of the container then append the base.
+	dirPath, basePath := container.BaseFS.Split(absPath)
+
+	resolvedDirPath, err := container.GetResourcePath(dirPath)
+	if err != nil {
+		return "", "", err
+	}
+
+	// resolvedDirPath will have been cleaned (no trailing path separators) so
+	// we can manually join it with the base path element.
+	resolvedPath = resolvedDirPath + string(container.BaseFS.Separator()) + basePath
+	return resolvedPath, absPath, nil
+}
+
+// StatPath is the unexported version of StatPath. Locks and mounts should
+// be acquired before calling this method and the given path should be fully
+// resolved to a path on the host corresponding to the given absolute path
+// inside the container.
+func (container *Container) StatPath(resolvedPath, absPath string) (stat *types.ContainerPathStat, err error) {
+	if container.BaseFS == nil {
+		return nil, errors.New("StatPath: BaseFS of container " + container.ID + " is unexpectedly nil")
+	}
+	driver := container.BaseFS
+
+	lstat, err := driver.Lstat(resolvedPath)
+	if err != nil {
+		return nil, err
+	}
+
+	var linkTarget string
+	if lstat.Mode()&os.ModeSymlink != 0 {
+		// Fully evaluate the symlink in the scope of the container rootfs.
+		hostPath, err := container.GetResourcePath(absPath)
+		if err != nil {
+			return nil, err
+		}
+
+		linkTarget, err = driver.Rel(driver.Path(), hostPath)
+		if err != nil {
+			return nil, err
+		}
+
+		// Make it an absolute path.
+		linkTarget = driver.Join(string(driver.Separator()), linkTarget)
+	}
+
+	return &types.ContainerPathStat{
+		Name:       driver.Base(absPath),
+		Size:       lstat.Size(),
+		Mode:       lstat.Mode(),
+		Mtime:      lstat.ModTime(),
+		LinkTarget: linkTarget,
+	}, nil
+}
diff --git a/engine/container/container.go b/engine/container/container.go
new file mode 100644
index 00000000..5f31d8df
--- /dev/null
+++ b/engine/container/container.go
@@ -0,0 +1,720 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/containerd/containerd/cio"
+	containertypes "github.com/docker/docker/api/types/container"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/container/stream"
+	"github.com/docker/docker/daemon/exec"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/jsonfilelog"
+	"github.com/docker/docker/daemon/network"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/docker/docker/pkg/symlink"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/restartmanager"
+	"github.com/docker/docker/volume"
+	volumemounts "github.com/docker/docker/volume/mounts"
+	"github.com/docker/go-units"
+	agentexec "github.com/docker/swarmkit/agent/exec"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const configFileName = "config.v2.json"
+
+// ExitStatus provides exit reasons for a container.
+type ExitStatus struct {
+	// The exit code with which the container exited.
+	ExitCode int
+
+	// Whether the container encountered an OOM.
+	OOMKilled bool
+
+	// Time at which the container died
+	ExitedAt time.Time
+}
+
+// Container holds the structure defining a container object.
+type Container struct {
+	StreamConfig *stream.Config
+	// embed for Container to support states directly.
+	*State          `json:"State"`          // Needed for Engine API version <= 1.11
+	Root            string                  `json:"-"` // Path to the "home" of the container, including metadata.
+	BaseFS          containerfs.ContainerFS `json:"-"` // interface containing graphdriver mount
+	RWLayer         layer.RWLayer           `json:"-"`
+	ID              string
+	Created         time.Time
+	Managed         bool
+	Path            string
+	Args            []string
+	Config          *containertypes.Config
+	ImageID         image.ID `json:"Image"`
+	NetworkSettings *network.Settings
+	LogPath         string
+	Name            string
+	Driver          string
+	OS              string
+	// MountLabel contains the options for the 'mount' command
+	MountLabel             string
+	ProcessLabel           string
+	RestartCount           int
+	HasBeenStartedBefore   bool
+	HasBeenManuallyStopped bool // used for unless-stopped restart policy
+	MountPoints            map[string]*volumemounts.MountPoint
+	HostConfig             *containertypes.HostConfig `json:"-"` // do not serialize the host config in the json, otherwise we'll make the container unportable
+	ExecCommands           *exec.Store                `json:"-"`
+	DependencyStore        agentexec.DependencyGetter `json:"-"`
+	SecretReferences       []*swarmtypes.SecretReference
+	ConfigReferences       []*swarmtypes.ConfigReference
+	// logDriver for closing
+	LogDriver      logger.Logger  `json:"-"`
+	LogCopier      *logger.Copier `json:"-"`
+	restartManager restartmanager.RestartManager
+	attachContext  *attachContext
+
+	// Fields here are specific to Unix platforms
+	AppArmorProfile string
+	HostnamePath    string
+	HostsPath       string
+	ShmPath         string
+	ResolvConfPath  string
+	SeccompProfile  string
+	NoNewPrivileges bool
+
+	// Fields here are specific to Windows
+	NetworkSharedContainerID string   `json:"-"`
+	SharedEndpointList       []string `json:"-"`
+}
+
+// NewBaseContainer creates a new container with its
+// basic configuration.
+func NewBaseContainer(id, root string) *Container {
+	return &Container{
+		ID:            id,
+		State:         NewState(),
+		ExecCommands:  exec.NewStore(),
+		Root:          root,
+		MountPoints:   make(map[string]*volumemounts.MountPoint),
+		StreamConfig:  stream.NewConfig(),
+		attachContext: &attachContext{},
+	}
+}
+
+// FromDisk loads the container configuration stored in the host.
+func (container *Container) FromDisk() error {
+	pth, err := container.ConfigPath()
+	if err != nil {
+		return err
+	}
+
+	jsonSource, err := os.Open(pth)
+	if err != nil {
+		return err
+	}
+	defer jsonSource.Close()
+
+	dec := json.NewDecoder(jsonSource)
+
+	// Load container settings
+	if err := dec.Decode(container); err != nil {
+		return err
+	}
+
+	// Ensure the operating system is set if blank. Assume it is the OS of the
+	// host OS if not, to ensure containers created before multiple-OS
+	// support are migrated
+	if container.OS == "" {
+		container.OS = runtime.GOOS
+	}
+
+	return container.readHostConfig()
+}
+
+// toDisk saves the container configuration on disk and returns a deep copy.
+func (container *Container) toDisk() (*Container, error) {
+	var (
+		buf      bytes.Buffer
+		deepCopy Container
+	)
+	pth, err := container.ConfigPath()
+	if err != nil {
+		return nil, err
+	}
+
+	// Save container settings
+	f, err := ioutils.NewAtomicFileWriter(pth, 0600)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	w := io.MultiWriter(&buf, f)
+	if err := json.NewEncoder(w).Encode(container); err != nil {
+		return nil, err
+	}
+
+	if err := json.NewDecoder(&buf).Decode(&deepCopy); err != nil {
+		return nil, err
+	}
+	deepCopy.HostConfig, err = container.WriteHostConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	return &deepCopy, nil
+}
+
+// CheckpointTo makes the Container's current state visible to queries, and persists state.
+// Callers must hold a Container lock.
+func (container *Container) CheckpointTo(store ViewDB) error {
+	deepCopy, err := container.toDisk()
+	if err != nil {
+		return err
+	}
+	return store.Save(deepCopy)
+}
+
+// readHostConfig reads the host configuration from disk for the container.
+func (container *Container) readHostConfig() error {
+	container.HostConfig = &containertypes.HostConfig{}
+	// If the hostconfig file does not exist, do not read it.
+	// (We still have to initialize container.HostConfig,
+	// but that's OK, since we just did that above.)
+	pth, err := container.HostConfigPath()
+	if err != nil {
+		return err
+	}
+
+	f, err := os.Open(pth)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+	defer f.Close()
+
+	if err := json.NewDecoder(f).Decode(&container.HostConfig); err != nil {
+		return err
+	}
+
+	container.InitDNSHostConfig()
+
+	return nil
+}
+
+// WriteHostConfig saves the host configuration on disk for the container,
+// and returns a deep copy of the saved object. Callers must hold a Container lock.
+func (container *Container) WriteHostConfig() (*containertypes.HostConfig, error) {
+	var (
+		buf      bytes.Buffer
+		deepCopy containertypes.HostConfig
+	)
+
+	pth, err := container.HostConfigPath()
+	if err != nil {
+		return nil, err
+	}
+
+	f, err := ioutils.NewAtomicFileWriter(pth, 0644)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	w := io.MultiWriter(&buf, f)
+	if err := json.NewEncoder(w).Encode(&container.HostConfig); err != nil {
+		return nil, err
+	}
+
+	if err := json.NewDecoder(&buf).Decode(&deepCopy); err != nil {
+		return nil, err
+	}
+	return &deepCopy, nil
+}
+
+// SetupWorkingDirectory sets up the container's working directory as set in container.Config.WorkingDir
+func (container *Container) SetupWorkingDirectory(rootIDs idtools.IDPair) error {
+	// TODO @jhowardmsft, @gupta-ak LCOW Support. This will need revisiting.
+	// We will need to do remote filesystem operations here.
+	if container.OS != runtime.GOOS {
+		return nil
+	}
+
+	if container.Config.WorkingDir == "" {
+		return nil
+	}
+
+	container.Config.WorkingDir = filepath.Clean(container.Config.WorkingDir)
+	pth, err := container.GetResourcePath(container.Config.WorkingDir)
+	if err != nil {
+		return err
+	}
+
+	if err := idtools.MkdirAllAndChownNew(pth, 0755, rootIDs); err != nil {
+		pthInfo, err2 := os.Stat(pth)
+		if err2 == nil && pthInfo != nil && !pthInfo.IsDir() {
+			return errors.Errorf("Cannot mkdir: %s is not a directory", container.Config.WorkingDir)
+		}
+
+		return err
+	}
+
+	return nil
+}
+
+// GetResourcePath evaluates `path` in the scope of the container's BaseFS, with proper path
+// sanitisation. Symlinks are all scoped to the BaseFS of the container, as
+// though the container's BaseFS was `/`.
+//
+// The BaseFS of a container is the host-facing path which is bind-mounted as
+// `/` inside the container. This method is essentially used to access a
+// particular path inside the container as though you were a process in that
+// container.
+//
+// NOTE: The returned path is *only* safely scoped inside the container's BaseFS
+//       if no component of the returned path changes (such as a component
+//       symlinking to a different path) between using this method and using the
+//       path. See symlink.FollowSymlinkInScope for more details.
+func (container *Container) GetResourcePath(path string) (string, error) {
+	if container.BaseFS == nil {
+		return "", errors.New("GetResourcePath: BaseFS of container " + container.ID + " is unexpectedly nil")
+	}
+	// IMPORTANT - These are paths on the OS where the daemon is running, hence
+	// any filepath operations must be done in an OS agnostic way.
+	r, e := container.BaseFS.ResolveScopedPath(path, false)
+
+	// Log this here on the daemon side as there's otherwise no indication apart
+	// from the error being propagated all the way back to the client. This makes
+	// debugging significantly easier and clearly indicates the error comes from the daemon.
+	if e != nil {
+		logrus.Errorf("Failed to ResolveScopedPath BaseFS %s path %s %s\n", container.BaseFS.Path(), path, e)
+	}
+	return r, e
+}
+
+// GetRootResourcePath evaluates `path` in the scope of the container's root, with proper path
+// sanitisation. Symlinks are all scoped to the root of the container, as
+// though the container's root was `/`.
+//
+// The root of a container is the host-facing configuration metadata directory.
+// Only use this method to safely access the container's `container.json` or
+// other metadata files. If in doubt, use container.GetResourcePath.
+//
+// NOTE: The returned path is *only* safely scoped inside the container's root
+//       if no component of the returned path changes (such as a component
+//       symlinking to a different path) between using this method and using the
+//       path. See symlink.FollowSymlinkInScope for more details.
+func (container *Container) GetRootResourcePath(path string) (string, error) {
+	// IMPORTANT - These are paths on the OS where the daemon is running, hence
+	// any filepath operations must be done in an OS agnostic way.
+	cleanPath := filepath.Join(string(os.PathSeparator), path)
+	return symlink.FollowSymlinkInScope(filepath.Join(container.Root, cleanPath), container.Root)
+}
+
+// ExitOnNext signals to the monitor that it should not restart the container
+// after we send the kill signal.
+func (container *Container) ExitOnNext() {
+	container.RestartManager().Cancel()
+}
+
+// HostConfigPath returns the path to the container's JSON hostconfig
+func (container *Container) HostConfigPath() (string, error) {
+	return container.GetRootResourcePath("hostconfig.json")
+}
+
+// ConfigPath returns the path to the container's JSON config
+func (container *Container) ConfigPath() (string, error) {
+	return container.GetRootResourcePath(configFileName)
+}
+
+// CheckpointDir returns the directory checkpoints are stored in
+func (container *Container) CheckpointDir() string {
+	return filepath.Join(container.Root, "checkpoints")
+}
+
+// StartLogger starts a new logger driver for the container.
+func (container *Container) StartLogger() (logger.Logger, error) {
+	cfg := container.HostConfig.LogConfig
+	initDriver, err := logger.GetLogDriver(cfg.Type)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get logging factory")
+	}
+	info := logger.Info{
+		Config:              cfg.Config,
+		ContainerID:         container.ID,
+		ContainerName:       container.Name,
+		ContainerEntrypoint: container.Path,
+		ContainerArgs:       container.Args,
+		ContainerImageID:    container.ImageID.String(),
+		ContainerImageName:  container.Config.Image,
+		ContainerCreated:    container.Created,
+		ContainerEnv:        container.Config.Env,
+		ContainerLabels:     container.Config.Labels,
+		DaemonName:          "docker",
+	}
+
+	// Set logging file for "json-logger"
+	if cfg.Type == jsonfilelog.Name {
+		info.LogPath, err = container.GetRootResourcePath(fmt.Sprintf("%s-json.log", container.ID))
+		if err != nil {
+			return nil, err
+		}
+
+		container.LogPath = info.LogPath
+	}
+
+	l, err := initDriver(info)
+	if err != nil {
+		return nil, err
+	}
+
+	if containertypes.LogMode(cfg.Config["mode"]) == containertypes.LogModeNonBlock {
+		bufferSize := int64(-1)
+		if s, exists := cfg.Config["max-buffer-size"]; exists {
+			bufferSize, err = units.RAMInBytes(s)
+			if err != nil {
+				return nil, err
+			}
+		}
+		l = logger.NewRingLogger(l, info, bufferSize)
+	}
+	return l, nil
+}
+
+// GetProcessLabel returns the process label for the container.
+func (container *Container) GetProcessLabel() string {
+	// even if we have a process label return "" if we are running
+	// in privileged mode
+	if container.HostConfig.Privileged {
+		return ""
+	}
+	return container.ProcessLabel
+}
+
+// GetMountLabel returns the mounting label for the container.
+// This label is empty if the container is privileged.
+func (container *Container) GetMountLabel() string {
+	return container.MountLabel
+}
+
+// GetExecIDs returns the list of exec commands running on the container.
+func (container *Container) GetExecIDs() []string {
+	return container.ExecCommands.List()
+}
+
+// ShouldRestart decides whether the daemon should restart the container or not.
+// This is based on the container's restart policy.
+func (container *Container) ShouldRestart() bool {
+	shouldRestart, _, _ := container.RestartManager().ShouldRestart(uint32(container.ExitCode()), container.HasBeenManuallyStopped, container.FinishedAt.Sub(container.StartedAt))
+	return shouldRestart
+}
+
+// AddMountPointWithVolume adds a new mount point configured with a volume to the container.
+func (container *Container) AddMountPointWithVolume(destination string, vol volume.Volume, rw bool) {
+	operatingSystem := container.OS
+	if operatingSystem == "" {
+		operatingSystem = runtime.GOOS
+	}
+	volumeParser := volumemounts.NewParser(operatingSystem)
+	container.MountPoints[destination] = &volumemounts.MountPoint{
+		Type:        mounttypes.TypeVolume,
+		Name:        vol.Name(),
+		Driver:      vol.DriverName(),
+		Destination: destination,
+		RW:          rw,
+		Volume:      vol,
+		CopyData:    volumeParser.DefaultCopyMode(),
+	}
+}
+
+// UnmountVolumes unmounts all volumes
+func (container *Container) UnmountVolumes(volumeEventLog func(name, action string, attributes map[string]string)) error {
+	var errors []string
+	for _, volumeMount := range container.MountPoints {
+		if volumeMount.Volume == nil {
+			continue
+		}
+
+		if err := volumeMount.Cleanup(); err != nil {
+			errors = append(errors, err.Error())
+			continue
+		}
+
+		attributes := map[string]string{
+			"driver":    volumeMount.Volume.DriverName(),
+			"container": container.ID,
+		}
+		volumeEventLog(volumeMount.Volume.Name(), "unmount", attributes)
+	}
+	if len(errors) > 0 {
+		return fmt.Errorf("error while unmounting volumes for container %s: %s", container.ID, strings.Join(errors, "; "))
+	}
+	return nil
+}
+
+// IsDestinationMounted checks whether a path is mounted on the container or not.
+func (container *Container) IsDestinationMounted(destination string) bool {
+	return container.MountPoints[destination] != nil
+}
+
+// StopSignal returns the signal used to stop the container.
+func (container *Container) StopSignal() int {
+	var stopSignal syscall.Signal
+	if container.Config.StopSignal != "" {
+		stopSignal, _ = signal.ParseSignal(container.Config.StopSignal)
+	}
+
+	if int(stopSignal) == 0 {
+		stopSignal, _ = signal.ParseSignal(signal.DefaultStopSignal)
+	}
+	return int(stopSignal)
+}
+
+// StopTimeout returns the timeout (in seconds) used to stop the container.
+func (container *Container) StopTimeout() int {
+	if container.Config.StopTimeout != nil {
+		return *container.Config.StopTimeout
+	}
+	return DefaultStopTimeout
+}
+
+// InitDNSHostConfig ensures that the dns fields are never nil.
+// New containers don't ever have those fields nil,
+// but pre created containers can still have those nil values.
+// The non-recommended host configuration in the start api can
+// make these fields nil again, this corrects that issue until
+// we remove that behavior for good.
+// See https://github.com/docker/docker/pull/17779
+// for a more detailed explanation on why we don't want that.
+func (container *Container) InitDNSHostConfig() {
+	container.Lock()
+	defer container.Unlock()
+	if container.HostConfig.DNS == nil {
+		container.HostConfig.DNS = make([]string, 0)
+	}
+
+	if container.HostConfig.DNSSearch == nil {
+		container.HostConfig.DNSSearch = make([]string, 0)
+	}
+
+	if container.HostConfig.DNSOptions == nil {
+		container.HostConfig.DNSOptions = make([]string, 0)
+	}
+}
+
+// UpdateMonitor updates monitor configure for running container
+func (container *Container) UpdateMonitor(restartPolicy containertypes.RestartPolicy) {
+	type policySetter interface {
+		SetPolicy(containertypes.RestartPolicy)
+	}
+
+	if rm, ok := container.RestartManager().(policySetter); ok {
+		rm.SetPolicy(restartPolicy)
+	}
+}
+
+// FullHostname returns hostname and optional domain appended to it.
+func (container *Container) FullHostname() string {
+	fullHostname := container.Config.Hostname
+	if container.Config.Domainname != "" {
+		fullHostname = fmt.Sprintf("%s.%s", fullHostname, container.Config.Domainname)
+	}
+	return fullHostname
+}
+
+// RestartManager returns the current restartmanager instance connected to container.
+func (container *Container) RestartManager() restartmanager.RestartManager {
+	if container.restartManager == nil {
+		container.restartManager = restartmanager.New(container.HostConfig.RestartPolicy, container.RestartCount)
+	}
+	return container.restartManager
+}
+
+// ResetRestartManager initializes new restartmanager based on container config
+func (container *Container) ResetRestartManager(resetCount bool) {
+	if container.restartManager != nil {
+		container.restartManager.Cancel()
+	}
+	if resetCount {
+		container.RestartCount = 0
+	}
+	container.restartManager = nil
+}
+
+type attachContext struct {
+	ctx    context.Context
+	cancel context.CancelFunc
+	mu     sync.Mutex
+}
+
+// InitAttachContext initializes or returns existing context for attach calls to
+// track container liveness.
+func (container *Container) InitAttachContext() context.Context {
+	container.attachContext.mu.Lock()
+	defer container.attachContext.mu.Unlock()
+	if container.attachContext.ctx == nil {
+		container.attachContext.ctx, container.attachContext.cancel = context.WithCancel(context.Background())
+	}
+	return container.attachContext.ctx
+}
+
+// CancelAttachContext cancels attach context. All attach calls should detach
+// after this call.
+func (container *Container) CancelAttachContext() {
+	container.attachContext.mu.Lock()
+	if container.attachContext.ctx != nil {
+		container.attachContext.cancel()
+		container.attachContext.ctx = nil
+	}
+	container.attachContext.mu.Unlock()
+}
+
+func (container *Container) startLogging() error {
+	if container.HostConfig.LogConfig.Type == "none" {
+		return nil // do not start logging routines
+	}
+
+	l, err := container.StartLogger()
+	if err != nil {
+		return fmt.Errorf("failed to initialize logging driver: %v", err)
+	}
+
+	copier := logger.NewCopier(map[string]io.Reader{"stdout": container.StdoutPipe(), "stderr": container.StderrPipe()}, l)
+	container.LogCopier = copier
+	copier.Run()
+	container.LogDriver = l
+
+	return nil
+}
+
+// StdinPipe gets the stdin stream of the container
+func (container *Container) StdinPipe() io.WriteCloser {
+	return container.StreamConfig.StdinPipe()
+}
+
+// StdoutPipe gets the stdout stream of the container
+func (container *Container) StdoutPipe() io.ReadCloser {
+	return container.StreamConfig.StdoutPipe()
+}
+
+// StderrPipe gets the stderr stream of the container
+func (container *Container) StderrPipe() io.ReadCloser {
+	return container.StreamConfig.StderrPipe()
+}
+
+// CloseStreams closes the container's stdio streams
+func (container *Container) CloseStreams() error {
+	return container.StreamConfig.CloseStreams()
+}
+
+// InitializeStdio is called by libcontainerd to connect the stdio.
+func (container *Container) InitializeStdio(iop *cio.DirectIO) (cio.IO, error) {
+	if err := container.startLogging(); err != nil {
+		container.Reset(false)
+		return nil, err
+	}
+
+	container.StreamConfig.CopyToPipe(iop)
+
+	if container.StreamConfig.Stdin() == nil && !container.Config.Tty {
+		if iop.Stdin != nil {
+			if err := iop.Stdin.Close(); err != nil {
+				logrus.Warnf("error closing stdin: %+v", err)
+			}
+		}
+	}
+
+	return &rio{IO: iop, sc: container.StreamConfig}, nil
+}
+
+// MountsResourcePath returns the path where mounts are stored for the given mount
+func (container *Container) MountsResourcePath(mount string) (string, error) {
+	return container.GetRootResourcePath(filepath.Join("mounts", mount))
+}
+
+// SecretMountPath returns the path of the secret mount for the container
+func (container *Container) SecretMountPath() (string, error) {
+	return container.MountsResourcePath("secrets")
+}
+
+// SecretFilePath returns the path to the location of a secret on the host.
+func (container *Container) SecretFilePath(secretRef swarmtypes.SecretReference) (string, error) {
+	secrets, err := container.SecretMountPath()
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(secrets, secretRef.SecretID), nil
+}
+
+func getSecretTargetPath(r *swarmtypes.SecretReference) string {
+	if filepath.IsAbs(r.File.Name) {
+		return r.File.Name
+	}
+
+	return filepath.Join(containerSecretMountPath, r.File.Name)
+}
+
+// CreateDaemonEnvironment creates a new environment variable slice for this container.
+func (container *Container) CreateDaemonEnvironment(tty bool, linkedEnv []string) []string {
+	// Setup environment
+	os := container.OS
+	if os == "" {
+		os = runtime.GOOS
+	}
+	env := []string{}
+	if runtime.GOOS != "windows" || (runtime.GOOS == "windows" && os == "linux") {
+		env = []string{
+			"PATH=" + system.DefaultPathEnv(os),
+			"HOSTNAME=" + container.Config.Hostname,
+		}
+		if tty {
+			env = append(env, "TERM=xterm")
+		}
+		env = append(env, linkedEnv...)
+	}
+
+	// because the env on the container can override certain default values
+	// we need to replace the 'env' keys where they match and append anything
+	// else.
+	env = ReplaceOrAppendEnvValues(env, container.Config.Env)
+	return env
+}
+
+type rio struct {
+	cio.IO
+
+	sc *stream.Config
+}
+
+func (i *rio) Close() error {
+	i.IO.Close()
+
+	return i.sc.CloseStreams()
+}
+
+func (i *rio) Wait() {
+	i.sc.Wait()
+
+	i.IO.Wait()
+}
diff --git a/engine/container/container_unit_test.go b/engine/container/container_unit_test.go
new file mode 100644
index 00000000..82b58647
--- /dev/null
+++ b/engine/container/container_unit_test.go
@@ -0,0 +1,126 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/logger/jsonfilelog"
+	"github.com/docker/docker/pkg/signal"
+	"gotest.tools/assert"
+)
+
+func TestContainerStopSignal(t *testing.T) {
+	c := &Container{
+		Config: &container.Config{},
+	}
+
+	def, err := signal.ParseSignal(signal.DefaultStopSignal)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	s := c.StopSignal()
+	if s != int(def) {
+		t.Fatalf("Expected %v, got %v", def, s)
+	}
+
+	c = &Container{
+		Config: &container.Config{StopSignal: "SIGKILL"},
+	}
+	s = c.StopSignal()
+	if s != 9 {
+		t.Fatalf("Expected 9, got %v", s)
+	}
+}
+
+func TestContainerStopTimeout(t *testing.T) {
+	c := &Container{
+		Config: &container.Config{},
+	}
+
+	s := c.StopTimeout()
+	if s != DefaultStopTimeout {
+		t.Fatalf("Expected %v, got %v", DefaultStopTimeout, s)
+	}
+
+	stopTimeout := 15
+	c = &Container{
+		Config: &container.Config{StopTimeout: &stopTimeout},
+	}
+	s = c.StopTimeout()
+	if s != stopTimeout {
+		t.Fatalf("Expected %v, got %v", stopTimeout, s)
+	}
+}
+
+func TestContainerSecretReferenceDestTarget(t *testing.T) {
+	ref := &swarmtypes.SecretReference{
+		File: &swarmtypes.SecretReferenceFileTarget{
+			Name: "app",
+		},
+	}
+
+	d := getSecretTargetPath(ref)
+	expected := filepath.Join(containerSecretMountPath, "app")
+	if d != expected {
+		t.Fatalf("expected secret dest %q; received %q", expected, d)
+	}
+}
+
+func TestContainerLogPathSetForJSONFileLogger(t *testing.T) {
+	containerRoot, err := ioutil.TempDir("", "TestContainerLogPathSetForJSONFileLogger")
+	assert.NilError(t, err)
+	defer os.RemoveAll(containerRoot)
+
+	c := &Container{
+		Config: &container.Config{},
+		HostConfig: &container.HostConfig{
+			LogConfig: container.LogConfig{
+				Type: jsonfilelog.Name,
+			},
+		},
+		ID:   "TestContainerLogPathSetForJSONFileLogger",
+		Root: containerRoot,
+	}
+
+	logger, err := c.StartLogger()
+	assert.NilError(t, err)
+	defer logger.Close()
+
+	expectedLogPath, err := filepath.Abs(filepath.Join(containerRoot, fmt.Sprintf("%s-json.log", c.ID)))
+	assert.NilError(t, err)
+	assert.Equal(t, c.LogPath, expectedLogPath)
+}
+
+func TestContainerLogPathSetForRingLogger(t *testing.T) {
+	containerRoot, err := ioutil.TempDir("", "TestContainerLogPathSetForRingLogger")
+	assert.NilError(t, err)
+	defer os.RemoveAll(containerRoot)
+
+	c := &Container{
+		Config: &container.Config{},
+		HostConfig: &container.HostConfig{
+			LogConfig: container.LogConfig{
+				Type: jsonfilelog.Name,
+				Config: map[string]string{
+					"mode": string(container.LogModeNonBlock),
+				},
+			},
+		},
+		ID:   "TestContainerLogPathSetForRingLogger",
+		Root: containerRoot,
+	}
+
+	logger, err := c.StartLogger()
+	assert.NilError(t, err)
+	defer logger.Close()
+
+	expectedLogPath, err := filepath.Abs(filepath.Join(containerRoot, fmt.Sprintf("%s-json.log", c.ID)))
+	assert.NilError(t, err)
+	assert.Equal(t, c.LogPath, expectedLogPath)
+}
diff --git a/engine/container/container_unix.go b/engine/container/container_unix.go
new file mode 100644
index 00000000..ed664f3e
--- /dev/null
+++ b/engine/container/container_unix.go
@@ -0,0 +1,463 @@
+// +build !windows
+
+package container // import "github.com/docker/docker/container"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/containerd/continuity/fs"
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/volume"
+	volumemounts "github.com/docker/docker/volume/mounts"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	// DefaultStopTimeout sets the default time, in seconds, to wait
+	// for the graceful container stop before forcefully terminating it.
+	DefaultStopTimeout = 10
+
+	containerSecretMountPath = "/run/secrets"
+)
+
+// TrySetNetworkMount attempts to set the network mounts given a provided destination and
+// the path to use for it; return true if the given destination was a network mount file
+func (container *Container) TrySetNetworkMount(destination string, path string) bool {
+	if destination == "/etc/resolv.conf" {
+		container.ResolvConfPath = path
+		return true
+	}
+	if destination == "/etc/hostname" {
+		container.HostnamePath = path
+		return true
+	}
+	if destination == "/etc/hosts" {
+		container.HostsPath = path
+		return true
+	}
+
+	return false
+}
+
+// BuildHostnameFile writes the container's hostname file.
+func (container *Container) BuildHostnameFile() error {
+	hostnamePath, err := container.GetRootResourcePath("hostname")
+	if err != nil {
+		return err
+	}
+	container.HostnamePath = hostnamePath
+	return ioutil.WriteFile(container.HostnamePath, []byte(container.Config.Hostname+"\n"), 0644)
+}
+
+// NetworkMounts returns the list of network mounts.
+func (container *Container) NetworkMounts() []Mount {
+	var mounts []Mount
+	shared := container.HostConfig.NetworkMode.IsContainer()
+	parser := volumemounts.NewParser(container.OS)
+	if container.ResolvConfPath != "" {
+		if _, err := os.Stat(container.ResolvConfPath); err != nil {
+			logrus.Warnf("ResolvConfPath set to %q, but can't stat this filename (err = %v); skipping", container.ResolvConfPath, err)
+		} else {
+			writable := !container.HostConfig.ReadonlyRootfs
+			if m, exists := container.MountPoints["/etc/resolv.conf"]; exists {
+				writable = m.RW
+			} else {
+				label.Relabel(container.ResolvConfPath, container.MountLabel, shared)
+			}
+			mounts = append(mounts, Mount{
+				Source:      container.ResolvConfPath,
+				Destination: "/etc/resolv.conf",
+				Writable:    writable,
+				Propagation: string(parser.DefaultPropagationMode()),
+			})
+		}
+	}
+	if container.HostnamePath != "" {
+		if _, err := os.Stat(container.HostnamePath); err != nil {
+			logrus.Warnf("HostnamePath set to %q, but can't stat this filename (err = %v); skipping", container.HostnamePath, err)
+		} else {
+			writable := !container.HostConfig.ReadonlyRootfs
+			if m, exists := container.MountPoints["/etc/hostname"]; exists {
+				writable = m.RW
+			} else {
+				label.Relabel(container.HostnamePath, container.MountLabel, shared)
+			}
+			mounts = append(mounts, Mount{
+				Source:      container.HostnamePath,
+				Destination: "/etc/hostname",
+				Writable:    writable,
+				Propagation: string(parser.DefaultPropagationMode()),
+			})
+		}
+	}
+	if container.HostsPath != "" {
+		if _, err := os.Stat(container.HostsPath); err != nil {
+			logrus.Warnf("HostsPath set to %q, but can't stat this filename (err = %v); skipping", container.HostsPath, err)
+		} else {
+			writable := !container.HostConfig.ReadonlyRootfs
+			if m, exists := container.MountPoints["/etc/hosts"]; exists {
+				writable = m.RW
+			} else {
+				label.Relabel(container.HostsPath, container.MountLabel, shared)
+			}
+			mounts = append(mounts, Mount{
+				Source:      container.HostsPath,
+				Destination: "/etc/hosts",
+				Writable:    writable,
+				Propagation: string(parser.DefaultPropagationMode()),
+			})
+		}
+	}
+	return mounts
+}
+
+// CopyImagePathContent copies files in destination to the volume.
+func (container *Container) CopyImagePathContent(v volume.Volume, destination string) error {
+	rootfs, err := container.GetResourcePath(destination)
+	if err != nil {
+		return err
+	}
+
+	if _, err := os.Stat(rootfs); err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	id := stringid.GenerateNonCryptoID()
+	path, err := v.Mount(id)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		if err := v.Unmount(id); err != nil {
+			logrus.Warnf("error while unmounting volume %s: %v", v.Name(), err)
+		}
+	}()
+	if err := label.Relabel(path, container.MountLabel, true); err != nil && err != unix.ENOTSUP {
+		return err
+	}
+	return copyExistingContents(rootfs, path)
+}
+
+// ShmResourcePath returns path to shm
+func (container *Container) ShmResourcePath() (string, error) {
+	return container.MountsResourcePath("shm")
+}
+
+// HasMountFor checks if path is a mountpoint
+func (container *Container) HasMountFor(path string) bool {
+	_, exists := container.MountPoints[path]
+	if exists {
+		return true
+	}
+
+	// Also search among the tmpfs mounts
+	for dest := range container.HostConfig.Tmpfs {
+		if dest == path {
+			return true
+		}
+	}
+
+	return false
+}
+
+// UnmountIpcMount uses the provided unmount function to unmount shm if it was mounted
+func (container *Container) UnmountIpcMount(unmount func(pth string) error) error {
+	if container.HasMountFor("/dev/shm") {
+		return nil
+	}
+
+	// container.ShmPath should not be used here as it may point
+	// to the host's or other container's /dev/shm
+	shmPath, err := container.ShmResourcePath()
+	if err != nil {
+		return err
+	}
+	if shmPath == "" {
+		return nil
+	}
+	if err = unmount(shmPath); err != nil && !os.IsNotExist(err) {
+		if mounted, mErr := mount.Mounted(shmPath); mounted || mErr != nil {
+			return errors.Wrapf(err, "umount %s", shmPath)
+		}
+	}
+	return nil
+}
+
+// IpcMounts returns the list of IPC mounts
+func (container *Container) IpcMounts() []Mount {
+	var mounts []Mount
+	parser := volumemounts.NewParser(container.OS)
+
+	if container.HasMountFor("/dev/shm") {
+		return mounts
+	}
+	if container.ShmPath == "" {
+		return mounts
+	}
+
+	label.SetFileLabel(container.ShmPath, container.MountLabel)
+	mounts = append(mounts, Mount{
+		Source:      container.ShmPath,
+		Destination: "/dev/shm",
+		Writable:    true,
+		Propagation: string(parser.DefaultPropagationMode()),
+	})
+
+	return mounts
+}
+
+// SecretMounts returns the mounts for the secret path.
+func (container *Container) SecretMounts() ([]Mount, error) {
+	var mounts []Mount
+	for _, r := range container.SecretReferences {
+		if r.File == nil {
+			continue
+		}
+		src, err := container.SecretFilePath(*r)
+		if err != nil {
+			return nil, err
+		}
+		mounts = append(mounts, Mount{
+			Source:      src,
+			Destination: getSecretTargetPath(r),
+			Writable:    false,
+		})
+	}
+	for _, r := range container.ConfigReferences {
+		fPath, err := container.ConfigFilePath(*r)
+		if err != nil {
+			return nil, err
+		}
+		mounts = append(mounts, Mount{
+			Source:      fPath,
+			Destination: r.File.Name,
+			Writable:    false,
+		})
+	}
+
+	return mounts, nil
+}
+
+// UnmountSecrets unmounts the local tmpfs for secrets
+func (container *Container) UnmountSecrets() error {
+	p, err := container.SecretMountPath()
+	if err != nil {
+		return err
+	}
+	if _, err := os.Stat(p); err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	return mount.RecursiveUnmount(p)
+}
+
+type conflictingUpdateOptions string
+
+func (e conflictingUpdateOptions) Error() string {
+	return string(e)
+}
+
+func (e conflictingUpdateOptions) Conflict() {}
+
+// UpdateContainer updates configuration of a container. Callers must hold a Lock on the Container.
+func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error {
+	// update resources of container
+	resources := hostConfig.Resources
+	cResources := &container.HostConfig.Resources
+
+	// validate NanoCPUs, CPUPeriod, and CPUQuota
+	// Because NanoCPU effectively updates CPUPeriod/CPUQuota,
+	// once NanoCPU is already set, updating CPUPeriod/CPUQuota will be blocked, and vice versa.
+	// In the following we make sure the intended update (resources) does not conflict with the existing (cResource).
+	if resources.NanoCPUs > 0 && cResources.CPUPeriod > 0 {
+		return conflictingUpdateOptions("Conflicting options: Nano CPUs cannot be updated as CPU Period has already been set")
+	}
+	if resources.NanoCPUs > 0 && cResources.CPUQuota > 0 {
+		return conflictingUpdateOptions("Conflicting options: Nano CPUs cannot be updated as CPU Quota has already been set")
+	}
+	if resources.CPUPeriod > 0 && cResources.NanoCPUs > 0 {
+		return conflictingUpdateOptions("Conflicting options: CPU Period cannot be updated as NanoCPUs has already been set")
+	}
+	if resources.CPUQuota > 0 && cResources.NanoCPUs > 0 {
+		return conflictingUpdateOptions("Conflicting options: CPU Quota cannot be updated as NanoCPUs has already been set")
+	}
+
+	if resources.BlkioWeight != 0 {
+		cResources.BlkioWeight = resources.BlkioWeight
+	}
+	if resources.CPUShares != 0 {
+		cResources.CPUShares = resources.CPUShares
+	}
+	if resources.NanoCPUs != 0 {
+		cResources.NanoCPUs = resources.NanoCPUs
+	}
+	if resources.CPUPeriod != 0 {
+		cResources.CPUPeriod = resources.CPUPeriod
+	}
+	if resources.CPUQuota != 0 {
+		cResources.CPUQuota = resources.CPUQuota
+	}
+	if resources.CpusetCpus != "" {
+		cResources.CpusetCpus = resources.CpusetCpus
+	}
+	if resources.CpusetMems != "" {
+		cResources.CpusetMems = resources.CpusetMems
+	}
+	if resources.Memory != 0 {
+		// if memory limit smaller than already set memoryswap limit and doesn't
+		// update the memoryswap limit, then error out.
+		if resources.Memory > cResources.MemorySwap && resources.MemorySwap == 0 {
+			return conflictingUpdateOptions("Memory limit should be smaller than already set memoryswap limit, update the memoryswap at the same time")
+		}
+		cResources.Memory = resources.Memory
+	}
+	if resources.MemorySwap != 0 {
+		cResources.MemorySwap = resources.MemorySwap
+	}
+	if resources.MemoryReservation != 0 {
+		cResources.MemoryReservation = resources.MemoryReservation
+	}
+	if resources.KernelMemory != 0 {
+		cResources.KernelMemory = resources.KernelMemory
+	}
+	if resources.CPURealtimePeriod != 0 {
+		cResources.CPURealtimePeriod = resources.CPURealtimePeriod
+	}
+	if resources.CPURealtimeRuntime != 0 {
+		cResources.CPURealtimeRuntime = resources.CPURealtimeRuntime
+	}
+
+	// update HostConfig of container
+	if hostConfig.RestartPolicy.Name != "" {
+		if container.HostConfig.AutoRemove && !hostConfig.RestartPolicy.IsNone() {
+			return conflictingUpdateOptions("Restart policy cannot be updated because AutoRemove is enabled for the container")
+		}
+		container.HostConfig.RestartPolicy = hostConfig.RestartPolicy
+	}
+
+	return nil
+}
+
+// DetachAndUnmount uses a detached mount on all mount destinations, then
+// unmounts each volume normally.
+// This is used from daemon/archive for `docker cp`
+func (container *Container) DetachAndUnmount(volumeEventLog func(name, action string, attributes map[string]string)) error {
+	networkMounts := container.NetworkMounts()
+	mountPaths := make([]string, 0, len(container.MountPoints)+len(networkMounts))
+
+	for _, mntPoint := range container.MountPoints {
+		dest, err := container.GetResourcePath(mntPoint.Destination)
+		if err != nil {
+			logrus.Warnf("Failed to get volume destination path for container '%s' at '%s' while lazily unmounting: %v", container.ID, mntPoint.Destination, err)
+			continue
+		}
+		mountPaths = append(mountPaths, dest)
+	}
+
+	for _, m := range networkMounts {
+		dest, err := container.GetResourcePath(m.Destination)
+		if err != nil {
+			logrus.Warnf("Failed to get volume destination path for container '%s' at '%s' while lazily unmounting: %v", container.ID, m.Destination, err)
+			continue
+		}
+		mountPaths = append(mountPaths, dest)
+	}
+
+	for _, mountPath := range mountPaths {
+		if err := mount.Unmount(mountPath); err != nil {
+			logrus.Warnf("%s unmountVolumes: Failed to do lazy umount fo volume '%s': %v", container.ID, mountPath, err)
+		}
+	}
+	return container.UnmountVolumes(volumeEventLog)
+}
+
+// copyExistingContents copies from the source to the destination and
+// ensures the ownership is appropriately set.
+func copyExistingContents(source, destination string) error {
+	dstList, err := ioutil.ReadDir(destination)
+	if err != nil {
+		return err
+	}
+	if len(dstList) != 0 {
+		// destination is not empty, do not copy
+		return nil
+	}
+	return fs.CopyDir(destination, source)
+}
+
+// TmpfsMounts returns the list of tmpfs mounts
+func (container *Container) TmpfsMounts() ([]Mount, error) {
+	parser := volumemounts.NewParser(container.OS)
+	var mounts []Mount
+	for dest, data := range container.HostConfig.Tmpfs {
+		mounts = append(mounts, Mount{
+			Source:      "tmpfs",
+			Destination: dest,
+			Data:        data,
+		})
+	}
+	for dest, mnt := range container.MountPoints {
+		if mnt.Type == mounttypes.TypeTmpfs {
+			data, err := parser.ConvertTmpfsOptions(mnt.Spec.TmpfsOptions, mnt.Spec.ReadOnly)
+			if err != nil {
+				return nil, err
+			}
+			mounts = append(mounts, Mount{
+				Source:      "tmpfs",
+				Destination: dest,
+				Data:        data,
+			})
+		}
+	}
+	return mounts, nil
+}
+
+// EnableServiceDiscoveryOnDefaultNetwork Enable service discovery on default network
+func (container *Container) EnableServiceDiscoveryOnDefaultNetwork() bool {
+	return false
+}
+
+// GetMountPoints gives a platform specific transformation to types.MountPoint. Callers must hold a Container lock.
+func (container *Container) GetMountPoints() []types.MountPoint {
+	mountPoints := make([]types.MountPoint, 0, len(container.MountPoints))
+	for _, m := range container.MountPoints {
+		mountPoints = append(mountPoints, types.MountPoint{
+			Type:        m.Type,
+			Name:        m.Name,
+			Source:      m.Path(),
+			Destination: m.Destination,
+			Driver:      m.Driver,
+			Mode:        m.Mode,
+			RW:          m.RW,
+			Propagation: m.Propagation,
+		})
+	}
+	return mountPoints
+}
+
+// ConfigFilePath returns the path to the on-disk location of a config.
+// On unix, configs are always considered secret
+func (container *Container) ConfigFilePath(configRef swarmtypes.ConfigReference) (string, error) {
+	mounts, err := container.SecretMountPath()
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(mounts, configRef.ConfigID), nil
+}
diff --git a/engine/container/container_windows.go b/engine/container/container_windows.go
new file mode 100644
index 00000000..b5bdb5bc
--- /dev/null
+++ b/engine/container/container_windows.go
@@ -0,0 +1,213 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/pkg/system"
+)
+
+const (
+	containerSecretMountPath         = `C:\ProgramData\Docker\secrets`
+	containerInternalSecretMountPath = `C:\ProgramData\Docker\internal\secrets`
+	containerInternalConfigsDirPath  = `C:\ProgramData\Docker\internal\configs`
+
+	// DefaultStopTimeout is the timeout (in seconds) for the shutdown call on a container
+	DefaultStopTimeout = 30
+)
+
+// UnmountIpcMount unmounts Ipc related mounts.
+// This is a NOOP on windows.
+func (container *Container) UnmountIpcMount(unmount func(pth string) error) error {
+	return nil
+}
+
+// IpcMounts returns the list of Ipc related mounts.
+func (container *Container) IpcMounts() []Mount {
+	return nil
+}
+
+// CreateSecretSymlinks creates symlinks to files in the secret mount.
+func (container *Container) CreateSecretSymlinks() error {
+	for _, r := range container.SecretReferences {
+		if r.File == nil {
+			continue
+		}
+		resolvedPath, _, err := container.ResolvePath(getSecretTargetPath(r))
+		if err != nil {
+			return err
+		}
+		if err := system.MkdirAll(filepath.Dir(resolvedPath), 0, ""); err != nil {
+			return err
+		}
+		if err := os.Symlink(filepath.Join(containerInternalSecretMountPath, r.SecretID), resolvedPath); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// SecretMounts returns the mount for the secret path.
+// All secrets are stored in a single mount on Windows. Target symlinks are
+// created for each secret, pointing to the files in this mount.
+func (container *Container) SecretMounts() ([]Mount, error) {
+	var mounts []Mount
+	if len(container.SecretReferences) > 0 {
+		src, err := container.SecretMountPath()
+		if err != nil {
+			return nil, err
+		}
+		mounts = append(mounts, Mount{
+			Source:      src,
+			Destination: containerInternalSecretMountPath,
+			Writable:    false,
+		})
+	}
+
+	return mounts, nil
+}
+
+// UnmountSecrets unmounts the fs for secrets
+func (container *Container) UnmountSecrets() error {
+	p, err := container.SecretMountPath()
+	if err != nil {
+		return err
+	}
+	return os.RemoveAll(p)
+}
+
+// CreateConfigSymlinks creates symlinks to files in the config mount.
+func (container *Container) CreateConfigSymlinks() error {
+	for _, configRef := range container.ConfigReferences {
+		if configRef.File == nil {
+			continue
+		}
+		resolvedPath, _, err := container.ResolvePath(configRef.File.Name)
+		if err != nil {
+			return err
+		}
+		if err := system.MkdirAll(filepath.Dir(resolvedPath), 0, ""); err != nil {
+			return err
+		}
+		if err := os.Symlink(filepath.Join(containerInternalConfigsDirPath, configRef.ConfigID), resolvedPath); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ConfigMounts returns the mount for configs.
+// TODO: Right now Windows doesn't really have a "secure" storage for secrets,
+// however some configs may contain secrets. Once secure storage is worked out,
+// configs and secret handling should be merged.
+func (container *Container) ConfigMounts() []Mount {
+	var mounts []Mount
+	if len(container.ConfigReferences) > 0 {
+		mounts = append(mounts, Mount{
+			Source:      container.ConfigsDirPath(),
+			Destination: containerInternalConfigsDirPath,
+			Writable:    false,
+		})
+	}
+
+	return mounts
+}
+
+// DetachAndUnmount unmounts all volumes.
+// On Windows it only delegates to `UnmountVolumes` since there is nothing to
+// force unmount.
+func (container *Container) DetachAndUnmount(volumeEventLog func(name, action string, attributes map[string]string)) error {
+	return container.UnmountVolumes(volumeEventLog)
+}
+
+// TmpfsMounts returns the list of tmpfs mounts
+func (container *Container) TmpfsMounts() ([]Mount, error) {
+	var mounts []Mount
+	return mounts, nil
+}
+
+// UpdateContainer updates configuration of a container. Callers must hold a Lock on the Container.
+func (container *Container) UpdateContainer(hostConfig *containertypes.HostConfig) error {
+	resources := hostConfig.Resources
+	if resources.CPUShares != 0 ||
+		resources.Memory != 0 ||
+		resources.NanoCPUs != 0 ||
+		resources.CgroupParent != "" ||
+		resources.BlkioWeight != 0 ||
+		len(resources.BlkioWeightDevice) != 0 ||
+		len(resources.BlkioDeviceReadBps) != 0 ||
+		len(resources.BlkioDeviceWriteBps) != 0 ||
+		len(resources.BlkioDeviceReadIOps) != 0 ||
+		len(resources.BlkioDeviceWriteIOps) != 0 ||
+		resources.CPUPeriod != 0 ||
+		resources.CPUQuota != 0 ||
+		resources.CPURealtimePeriod != 0 ||
+		resources.CPURealtimeRuntime != 0 ||
+		resources.CpusetCpus != "" ||
+		resources.CpusetMems != "" ||
+		len(resources.Devices) != 0 ||
+		len(resources.DeviceCgroupRules) != 0 ||
+		resources.DiskQuota != 0 ||
+		resources.KernelMemory != 0 ||
+		resources.MemoryReservation != 0 ||
+		resources.MemorySwap != 0 ||
+		resources.MemorySwappiness != nil ||
+		resources.OomKillDisable != nil ||
+		resources.PidsLimit != 0 ||
+		len(resources.Ulimits) != 0 ||
+		resources.CPUCount != 0 ||
+		resources.CPUPercent != 0 ||
+		resources.IOMaximumIOps != 0 ||
+		resources.IOMaximumBandwidth != 0 {
+		return fmt.Errorf("resource updating isn't supported on Windows")
+	}
+	// update HostConfig of container
+	if hostConfig.RestartPolicy.Name != "" {
+		if container.HostConfig.AutoRemove && !hostConfig.RestartPolicy.IsNone() {
+			return fmt.Errorf("Restart policy cannot be updated because AutoRemove is enabled for the container")
+		}
+		container.HostConfig.RestartPolicy = hostConfig.RestartPolicy
+	}
+	return nil
+}
+
+// BuildHostnameFile writes the container's hostname file.
+func (container *Container) BuildHostnameFile() error {
+	return nil
+}
+
+// EnableServiceDiscoveryOnDefaultNetwork Enable service discovery on default network
+func (container *Container) EnableServiceDiscoveryOnDefaultNetwork() bool {
+	return true
+}
+
+// GetMountPoints gives a platform specific transformation to types.MountPoint. Callers must hold a Container lock.
+func (container *Container) GetMountPoints() []types.MountPoint {
+	mountPoints := make([]types.MountPoint, 0, len(container.MountPoints))
+	for _, m := range container.MountPoints {
+		mountPoints = append(mountPoints, types.MountPoint{
+			Type:        m.Type,
+			Name:        m.Name,
+			Source:      m.Path(),
+			Destination: m.Destination,
+			Driver:      m.Driver,
+			RW:          m.RW,
+		})
+	}
+	return mountPoints
+}
+
+func (container *Container) ConfigsDirPath() string {
+	return filepath.Join(container.Root, "configs")
+}
+
+// ConfigFilePath returns the path to the on-disk location of a config.
+func (container *Container) ConfigFilePath(configRef swarmtypes.ConfigReference) string {
+	return filepath.Join(container.ConfigsDirPath(), configRef.ConfigID)
+}
diff --git a/engine/container/env.go b/engine/container/env.go
new file mode 100644
index 00000000..d225fd14
--- /dev/null
+++ b/engine/container/env.go
@@ -0,0 +1,43 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"strings"
+)
+
+// ReplaceOrAppendEnvValues returns the defaults with the overrides either
+// replaced by env key or appended to the list
+func ReplaceOrAppendEnvValues(defaults, overrides []string) []string {
+	cache := make(map[string]int, len(defaults))
+	for i, e := range defaults {
+		parts := strings.SplitN(e, "=", 2)
+		cache[parts[0]] = i
+	}
+
+	for _, value := range overrides {
+		// Values w/o = means they want this env to be removed/unset.
+		if !strings.Contains(value, "=") {
+			if i, exists := cache[value]; exists {
+				defaults[i] = "" // Used to indicate it should be removed
+			}
+			continue
+		}
+
+		// Just do a normal set/update
+		parts := strings.SplitN(value, "=", 2)
+		if i, exists := cache[parts[0]]; exists {
+			defaults[i] = value
+		} else {
+			defaults = append(defaults, value)
+		}
+	}
+
+	// Now remove all entries that we want to "unset"
+	for i := 0; i < len(defaults); i++ {
+		if defaults[i] == "" {
+			defaults = append(defaults[:i], defaults[i+1:]...)
+			i--
+		}
+	}
+
+	return defaults
+}
diff --git a/engine/container/env_test.go b/engine/container/env_test.go
new file mode 100644
index 00000000..77856284
--- /dev/null
+++ b/engine/container/env_test.go
@@ -0,0 +1,24 @@
+package container // import "github.com/docker/docker/container"
+
+import "testing"
+
+func TestReplaceAndAppendEnvVars(t *testing.T) {
+	var (
+		d = []string{"HOME=/", "FOO=foo_default"}
+		// remove FOO from env
+		// remove BAR from env (nop)
+		o = []string{"HOME=/root", "TERM=xterm", "FOO", "BAR"}
+	)
+
+	env := ReplaceOrAppendEnvValues(d, o)
+	t.Logf("default=%v, override=%v, result=%v", d, o, env)
+	if len(env) != 2 {
+		t.Fatalf("expected len of 2 got %d", len(env))
+	}
+	if env[0] != "HOME=/root" {
+		t.Fatalf("expected HOME=/root got '%s'", env[0])
+	}
+	if env[1] != "TERM=xterm" {
+		t.Fatalf("expected TERM=xterm got '%s'", env[1])
+	}
+}
diff --git a/engine/container/health.go b/engine/container/health.go
new file mode 100644
index 00000000..167ee9b4
--- /dev/null
+++ b/engine/container/health.go
@@ -0,0 +1,82 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"sync"
+
+	"github.com/docker/docker/api/types"
+	"github.com/sirupsen/logrus"
+)
+
+// Health holds the current container health-check state
+type Health struct {
+	types.Health
+	stop chan struct{} // Write struct{} to stop the monitor
+	mu   sync.Mutex
+}
+
+// String returns a human-readable description of the health-check state
+func (s *Health) String() string {
+	status := s.Status()
+
+	switch status {
+	case types.Starting:
+		return "health: starting"
+	default: // Healthy and Unhealthy are clear on their own
+		return s.Health.Status
+	}
+}
+
+// Status returns the current health status.
+//
+// Note that this takes a lock and the value may change after being read.
+func (s *Health) Status() string {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	// This happens when the monitor has yet to be setup.
+	if s.Health.Status == "" {
+		return types.Unhealthy
+	}
+
+	return s.Health.Status
+}
+
+// SetStatus writes the current status to the underlying health structure,
+// obeying the locking semantics.
+//
+// Status may be set directly if another lock is used.
+func (s *Health) SetStatus(new string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.Health.Status = new
+}
+
+// OpenMonitorChannel creates and returns a new monitor channel. If there
+// already is one, it returns nil.
+func (s *Health) OpenMonitorChannel() chan struct{} {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.stop == nil {
+		logrus.Debug("OpenMonitorChannel")
+		s.stop = make(chan struct{})
+		return s.stop
+	}
+	return nil
+}
+
+// CloseMonitorChannel closes any existing monitor channel.
+func (s *Health) CloseMonitorChannel() {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.stop != nil {
+		logrus.Debug("CloseMonitorChannel: waiting for probe to stop")
+		close(s.stop)
+		s.stop = nil
+		// unhealthy when the monitor has stopped for compatibility reasons
+		s.Health.Status = types.Unhealthy
+		logrus.Debug("CloseMonitorChannel done")
+	}
+}
diff --git a/engine/container/history.go b/engine/container/history.go
new file mode 100644
index 00000000..7117d9a4
--- /dev/null
+++ b/engine/container/history.go
@@ -0,0 +1,30 @@
+package container // import "github.com/docker/docker/container"
+
+import "sort"
+
+// History is a convenience type for storing a list of containers,
+// sorted by creation date in descendant order.
+type History []*Container
+
+// Len returns the number of containers in the history.
+func (history *History) Len() int {
+	return len(*history)
+}
+
+// Less compares two containers and returns true if the second one
+// was created before the first one.
+func (history *History) Less(i, j int) bool {
+	containers := *history
+	return containers[j].Created.Before(containers[i].Created)
+}
+
+// Swap switches containers i and j positions in the history.
+func (history *History) Swap(i, j int) {
+	containers := *history
+	containers[i], containers[j] = containers[j], containers[i]
+}
+
+// sort orders the history by creation date in descendant order.
+func (history *History) sort() {
+	sort.Sort(history)
+}
diff --git a/engine/container/memory_store.go b/engine/container/memory_store.go
new file mode 100644
index 00000000..ad4c9e20
--- /dev/null
+++ b/engine/container/memory_store.go
@@ -0,0 +1,95 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"sync"
+)
+
+// memoryStore implements a Store in memory.
+type memoryStore struct {
+	s map[string]*Container
+	sync.RWMutex
+}
+
+// NewMemoryStore initializes a new memory store.
+func NewMemoryStore() Store {
+	return &memoryStore{
+		s: make(map[string]*Container),
+	}
+}
+
+// Add appends a new container to the memory store.
+// It overrides the id if it existed before.
+func (c *memoryStore) Add(id string, cont *Container) {
+	c.Lock()
+	c.s[id] = cont
+	c.Unlock()
+}
+
+// Get returns a container from the store by id.
+func (c *memoryStore) Get(id string) *Container {
+	var res *Container
+	c.RLock()
+	res = c.s[id]
+	c.RUnlock()
+	return res
+}
+
+// Delete removes a container from the store by id.
+func (c *memoryStore) Delete(id string) {
+	c.Lock()
+	delete(c.s, id)
+	c.Unlock()
+}
+
+// List returns a sorted list of containers from the store.
+// The containers are ordered by creation date.
+func (c *memoryStore) List() []*Container {
+	containers := History(c.all())
+	containers.sort()
+	return containers
+}
+
+// Size returns the number of containers in the store.
+func (c *memoryStore) Size() int {
+	c.RLock()
+	defer c.RUnlock()
+	return len(c.s)
+}
+
+// First returns the first container found in the store by a given filter.
+func (c *memoryStore) First(filter StoreFilter) *Container {
+	for _, cont := range c.all() {
+		if filter(cont) {
+			return cont
+		}
+	}
+	return nil
+}
+
+// ApplyAll calls the reducer function with every container in the store.
+// This operation is asynchronous in the memory store.
+// NOTE: Modifications to the store MUST NOT be done by the StoreReducer.
+func (c *memoryStore) ApplyAll(apply StoreReducer) {
+	wg := new(sync.WaitGroup)
+	for _, cont := range c.all() {
+		wg.Add(1)
+		go func(container *Container) {
+			apply(container)
+			wg.Done()
+		}(cont)
+	}
+
+	wg.Wait()
+}
+
+func (c *memoryStore) all() []*Container {
+	c.RLock()
+	containers := make([]*Container, 0, len(c.s))
+	for _, cont := range c.s {
+		containers = append(containers, cont)
+	}
+	c.RUnlock()
+	return containers
+}
+
+var _ Store = &memoryStore{}
diff --git a/engine/container/memory_store_test.go b/engine/container/memory_store_test.go
new file mode 100644
index 00000000..09a8f27e
--- /dev/null
+++ b/engine/container/memory_store_test.go
@@ -0,0 +1,106 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"testing"
+	"time"
+)
+
+func TestNewMemoryStore(t *testing.T) {
+	s := NewMemoryStore()
+	m, ok := s.(*memoryStore)
+	if !ok {
+		t.Fatalf("store is not a memory store %v", s)
+	}
+	if m.s == nil {
+		t.Fatal("expected store map to not be nil")
+	}
+}
+
+func TestAddContainers(t *testing.T) {
+	s := NewMemoryStore()
+	s.Add("id", NewBaseContainer("id", "root"))
+	if s.Size() != 1 {
+		t.Fatalf("expected store size 1, got %v", s.Size())
+	}
+}
+
+func TestGetContainer(t *testing.T) {
+	s := NewMemoryStore()
+	s.Add("id", NewBaseContainer("id", "root"))
+	c := s.Get("id")
+	if c == nil {
+		t.Fatal("expected container to not be nil")
+	}
+}
+
+func TestDeleteContainer(t *testing.T) {
+	s := NewMemoryStore()
+	s.Add("id", NewBaseContainer("id", "root"))
+	s.Delete("id")
+	if c := s.Get("id"); c != nil {
+		t.Fatalf("expected container to be nil after removal, got %v", c)
+	}
+
+	if s.Size() != 0 {
+		t.Fatalf("expected store size to be 0, got %v", s.Size())
+	}
+}
+
+func TestListContainers(t *testing.T) {
+	s := NewMemoryStore()
+
+	cont := NewBaseContainer("id", "root")
+	cont.Created = time.Now()
+	cont2 := NewBaseContainer("id2", "root")
+	cont2.Created = time.Now().Add(24 * time.Hour)
+
+	s.Add("id", cont)
+	s.Add("id2", cont2)
+
+	list := s.List()
+	if len(list) != 2 {
+		t.Fatalf("expected list size 2, got %v", len(list))
+	}
+	if list[0].ID != "id2" {
+		t.Fatalf("expected id2, got %v", list[0].ID)
+	}
+}
+
+func TestFirstContainer(t *testing.T) {
+	s := NewMemoryStore()
+
+	s.Add("id", NewBaseContainer("id", "root"))
+	s.Add("id2", NewBaseContainer("id2", "root"))
+
+	first := s.First(func(cont *Container) bool {
+		return cont.ID == "id2"
+	})
+
+	if first == nil {
+		t.Fatal("expected container to not be nil")
+	}
+	if first.ID != "id2" {
+		t.Fatalf("expected id2, got %v", first)
+	}
+}
+
+func TestApplyAllContainer(t *testing.T) {
+	s := NewMemoryStore()
+
+	s.Add("id", NewBaseContainer("id", "root"))
+	s.Add("id2", NewBaseContainer("id2", "root"))
+
+	s.ApplyAll(func(cont *Container) {
+		if cont.ID == "id2" {
+			cont.ID = "newID"
+		}
+	})
+
+	cont := s.Get("id2")
+	if cont == nil {
+		t.Fatal("expected container to not be nil")
+	}
+	if cont.ID != "newID" {
+		t.Fatalf("expected newID, got %v", cont.ID)
+	}
+}
diff --git a/engine/container/monitor.go b/engine/container/monitor.go
new file mode 100644
index 00000000..1735e348
--- /dev/null
+++ b/engine/container/monitor.go
@@ -0,0 +1,46 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	loggerCloseTimeout = 10 * time.Second
+)
+
+// Reset puts a container into a state where it can be restarted again.
+func (container *Container) Reset(lock bool) {
+	if lock {
+		container.Lock()
+		defer container.Unlock()
+	}
+
+	if err := container.CloseStreams(); err != nil {
+		logrus.Errorf("%s: %s", container.ID, err)
+	}
+
+	// Re-create a brand new stdin pipe once the container exited
+	if container.Config.OpenStdin {
+		container.StreamConfig.NewInputPipes()
+	}
+
+	if container.LogDriver != nil {
+		if container.LogCopier != nil {
+			exit := make(chan struct{})
+			go func() {
+				container.LogCopier.Wait()
+				close(exit)
+			}()
+			select {
+			case <-time.After(loggerCloseTimeout):
+				logrus.Warn("Logger didn't exit in time: logs may be truncated")
+			case <-exit:
+			}
+		}
+		container.LogDriver.Close()
+		container.LogCopier = nil
+		container.LogDriver = nil
+	}
+}
diff --git a/engine/container/mounts_unix.go b/engine/container/mounts_unix.go
new file mode 100644
index 00000000..62f4441d
--- /dev/null
+++ b/engine/container/mounts_unix.go
@@ -0,0 +1,12 @@
+// +build !windows
+
+package container // import "github.com/docker/docker/container"
+
+// Mount contains information for a mount operation.
+type Mount struct {
+	Source      string `json:"source"`
+	Destination string `json:"destination"`
+	Writable    bool   `json:"writable"`
+	Data        string `json:"data"`
+	Propagation string `json:"mountpropagation"`
+}
diff --git a/engine/container/mounts_windows.go b/engine/container/mounts_windows.go
new file mode 100644
index 00000000..8f27e880
--- /dev/null
+++ b/engine/container/mounts_windows.go
@@ -0,0 +1,8 @@
+package container // import "github.com/docker/docker/container"
+
+// Mount contains information for a mount operation.
+type Mount struct {
+	Source      string `json:"source"`
+	Destination string `json:"destination"`
+	Writable    bool   `json:"writable"`
+}
diff --git a/engine/container/state.go b/engine/container/state.go
new file mode 100644
index 00000000..7c2a1ec8
--- /dev/null
+++ b/engine/container/state.go
@@ -0,0 +1,409 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/go-units"
+)
+
+// State holds the current container state, and has methods to get and
+// set the state. Container has an embed, which allows all of the
+// functions defined against State to run against Container.
+type State struct {
+	sync.Mutex
+	// Note that `Running` and `Paused` are not mutually exclusive:
+	// When pausing a container (on Linux), the cgroups freezer is used to suspend
+	// all processes in the container. Freezing the process requires the process to
+	// be running. As a result, paused containers are both `Running` _and_ `Paused`.
+	Running           bool
+	Paused            bool
+	Restarting        bool
+	OOMKilled         bool
+	RemovalInProgress bool // Not need for this to be persistent on disk.
+	Dead              bool
+	Pid               int
+	ExitCodeValue     int    `json:"ExitCode"`
+	ErrorMsg          string `json:"Error"` // contains last known error during container start, stop, or remove
+	StartedAt         time.Time
+	FinishedAt        time.Time
+	Health            *Health
+
+	waitStop   chan struct{}
+	waitRemove chan struct{}
+}
+
+// StateStatus is used to return container wait results.
+// Implements exec.ExitCode interface.
+// This type is needed as State include a sync.Mutex field which make
+// copying it unsafe.
+type StateStatus struct {
+	exitCode int
+	err      error
+}
+
+// ExitCode returns current exitcode for the state.
+func (s StateStatus) ExitCode() int {
+	return s.exitCode
+}
+
+// Err returns current error for the state. Returns nil if the container had
+// exited on its own.
+func (s StateStatus) Err() error {
+	return s.err
+}
+
+// NewState creates a default state object with a fresh channel for state changes.
+func NewState() *State {
+	return &State{
+		waitStop:   make(chan struct{}),
+		waitRemove: make(chan struct{}),
+	}
+}
+
+// String returns a human-readable description of the state
+func (s *State) String() string {
+	if s.Running {
+		if s.Paused {
+			return fmt.Sprintf("Up %s (Paused)", units.HumanDuration(time.Now().UTC().Sub(s.StartedAt)))
+		}
+		if s.Restarting {
+			return fmt.Sprintf("Restarting (%d) %s ago", s.ExitCodeValue, units.HumanDuration(time.Now().UTC().Sub(s.FinishedAt)))
+		}
+
+		if h := s.Health; h != nil {
+			return fmt.Sprintf("Up %s (%s)", units.HumanDuration(time.Now().UTC().Sub(s.StartedAt)), h.String())
+		}
+
+		return fmt.Sprintf("Up %s", units.HumanDuration(time.Now().UTC().Sub(s.StartedAt)))
+	}
+
+	if s.RemovalInProgress {
+		return "Removal In Progress"
+	}
+
+	if s.Dead {
+		return "Dead"
+	}
+
+	if s.StartedAt.IsZero() {
+		return "Created"
+	}
+
+	if s.FinishedAt.IsZero() {
+		return ""
+	}
+
+	return fmt.Sprintf("Exited (%d) %s ago", s.ExitCodeValue, units.HumanDuration(time.Now().UTC().Sub(s.FinishedAt)))
+}
+
+// IsValidHealthString checks if the provided string is a valid container health status or not.
+func IsValidHealthString(s string) bool {
+	return s == types.Starting ||
+		s == types.Healthy ||
+		s == types.Unhealthy ||
+		s == types.NoHealthcheck
+}
+
+// StateString returns a single string to describe state
+func (s *State) StateString() string {
+	if s.Running {
+		if s.Paused {
+			return "paused"
+		}
+		if s.Restarting {
+			return "restarting"
+		}
+		return "running"
+	}
+
+	if s.RemovalInProgress {
+		return "removing"
+	}
+
+	if s.Dead {
+		return "dead"
+	}
+
+	if s.StartedAt.IsZero() {
+		return "created"
+	}
+
+	return "exited"
+}
+
+// IsValidStateString checks if the provided string is a valid container state or not.
+func IsValidStateString(s string) bool {
+	if s != "paused" &&
+		s != "restarting" &&
+		s != "removing" &&
+		s != "running" &&
+		s != "dead" &&
+		s != "created" &&
+		s != "exited" {
+		return false
+	}
+	return true
+}
+
+// WaitCondition is an enum type for different states to wait for.
+type WaitCondition int
+
+// Possible WaitCondition Values.
+//
+// WaitConditionNotRunning (default) is used to wait for any of the non-running
+// states: "created", "exited", "dead", "removing", or "removed".
+//
+// WaitConditionNextExit is used to wait for the next time the state changes
+// to a non-running state. If the state is currently "created" or "exited",
+// this would cause Wait() to block until either the container runs and exits
+// or is removed.
+//
+// WaitConditionRemoved is used to wait for the container to be removed.
+const (
+	WaitConditionNotRunning WaitCondition = iota
+	WaitConditionNextExit
+	WaitConditionRemoved
+)
+
+// Wait waits until the container is in a certain state indicated by the given
+// condition. A context must be used for cancelling the request, controlling
+// timeouts, and avoiding goroutine leaks. Wait must be called without holding
+// the state lock. Returns a channel from which the caller will receive the
+// result. If the container exited on its own, the result's Err() method will
+// be nil and its ExitCode() method will return the container's exit code,
+// otherwise, the results Err() method will return an error indicating why the
+// wait operation failed.
+func (s *State) Wait(ctx context.Context, condition WaitCondition) <-chan StateStatus {
+	s.Lock()
+	defer s.Unlock()
+
+	if condition == WaitConditionNotRunning && !s.Running {
+		// Buffer so we can put it in the channel now.
+		resultC := make(chan StateStatus, 1)
+
+		// Send the current status.
+		resultC <- StateStatus{
+			exitCode: s.ExitCode(),
+			err:      s.Err(),
+		}
+
+		return resultC
+	}
+
+	// If we are waiting only for removal, the waitStop channel should
+	// remain nil and block forever.
+	var waitStop chan struct{}
+	if condition < WaitConditionRemoved {
+		waitStop = s.waitStop
+	}
+
+	// Always wait for removal, just in case the container gets removed
+	// while it is still in a "created" state, in which case it is never
+	// actually stopped.
+	waitRemove := s.waitRemove
+
+	resultC := make(chan StateStatus)
+
+	go func() {
+		select {
+		case <-ctx.Done():
+			// Context timeout or cancellation.
+			resultC <- StateStatus{
+				exitCode: -1,
+				err:      ctx.Err(),
+			}
+			return
+		case <-waitStop:
+		case <-waitRemove:
+		}
+
+		s.Lock()
+		result := StateStatus{
+			exitCode: s.ExitCode(),
+			err:      s.Err(),
+		}
+		s.Unlock()
+
+		resultC <- result
+	}()
+
+	return resultC
+}
+
+// IsRunning returns whether the running flag is set. Used by Container to check whether a container is running.
+func (s *State) IsRunning() bool {
+	s.Lock()
+	res := s.Running
+	s.Unlock()
+	return res
+}
+
+// GetPID holds the process id of a container.
+func (s *State) GetPID() int {
+	s.Lock()
+	res := s.Pid
+	s.Unlock()
+	return res
+}
+
+// ExitCode returns current exitcode for the state. Take lock before if state
+// may be shared.
+func (s *State) ExitCode() int {
+	return s.ExitCodeValue
+}
+
+// SetExitCode sets current exitcode for the state. Take lock before if state
+// may be shared.
+func (s *State) SetExitCode(ec int) {
+	s.ExitCodeValue = ec
+}
+
+// SetRunning sets the state of the container to "running".
+func (s *State) SetRunning(pid int, initial bool) {
+	s.ErrorMsg = ""
+	s.Paused = false
+	s.Running = true
+	s.Restarting = false
+	if initial {
+		s.Paused = false
+	}
+	s.ExitCodeValue = 0
+	s.Pid = pid
+	if initial {
+		s.StartedAt = time.Now().UTC()
+	}
+}
+
+// SetStopped sets the container state to "stopped" without locking.
+func (s *State) SetStopped(exitStatus *ExitStatus) {
+	s.Running = false
+	s.Paused = false
+	s.Restarting = false
+	s.Pid = 0
+	if exitStatus.ExitedAt.IsZero() {
+		s.FinishedAt = time.Now().UTC()
+	} else {
+		s.FinishedAt = exitStatus.ExitedAt
+	}
+	s.ExitCodeValue = exitStatus.ExitCode
+	s.OOMKilled = exitStatus.OOMKilled
+	close(s.waitStop) // fire waiters for stop
+	s.waitStop = make(chan struct{})
+}
+
+// SetRestarting sets the container state to "restarting" without locking.
+// It also sets the container PID to 0.
+func (s *State) SetRestarting(exitStatus *ExitStatus) {
+	// we should consider the container running when it is restarting because of
+	// all the checks in docker around rm/stop/etc
+	s.Running = true
+	s.Restarting = true
+	s.Paused = false
+	s.Pid = 0
+	s.FinishedAt = time.Now().UTC()
+	s.ExitCodeValue = exitStatus.ExitCode
+	s.OOMKilled = exitStatus.OOMKilled
+	close(s.waitStop) // fire waiters for stop
+	s.waitStop = make(chan struct{})
+}
+
+// SetError sets the container's error state. This is useful when we want to
+// know the error that occurred when container transits to another state
+// when inspecting it
+func (s *State) SetError(err error) {
+	s.ErrorMsg = ""
+	if err != nil {
+		s.ErrorMsg = err.Error()
+	}
+}
+
+// IsPaused returns whether the container is paused or not.
+func (s *State) IsPaused() bool {
+	s.Lock()
+	res := s.Paused
+	s.Unlock()
+	return res
+}
+
+// IsRestarting returns whether the container is restarting or not.
+func (s *State) IsRestarting() bool {
+	s.Lock()
+	res := s.Restarting
+	s.Unlock()
+	return res
+}
+
+// SetRemovalInProgress sets the container state as being removed.
+// It returns true if the container was already in that state.
+func (s *State) SetRemovalInProgress() bool {
+	s.Lock()
+	defer s.Unlock()
+	if s.RemovalInProgress {
+		return true
+	}
+	s.RemovalInProgress = true
+	return false
+}
+
+// ResetRemovalInProgress makes the RemovalInProgress state to false.
+func (s *State) ResetRemovalInProgress() {
+	s.Lock()
+	s.RemovalInProgress = false
+	s.Unlock()
+}
+
+// IsRemovalInProgress returns whether the RemovalInProgress flag is set.
+// Used by Container to check whether a container is being removed.
+func (s *State) IsRemovalInProgress() bool {
+	s.Lock()
+	res := s.RemovalInProgress
+	s.Unlock()
+	return res
+}
+
+// SetDead sets the container state to "dead"
+func (s *State) SetDead() {
+	s.Lock()
+	s.Dead = true
+	s.Unlock()
+}
+
+// IsDead returns whether the Dead flag is set. Used by Container to check whether a container is dead.
+func (s *State) IsDead() bool {
+	s.Lock()
+	res := s.Dead
+	s.Unlock()
+	return res
+}
+
+// SetRemoved assumes this container is already in the "dead" state and
+// closes the internal waitRemove channel to unblock callers waiting for a
+// container to be removed.
+func (s *State) SetRemoved() {
+	s.SetRemovalError(nil)
+}
+
+// SetRemovalError is to be called in case a container remove failed.
+// It sets an error and closes the internal waitRemove channel to unblock
+// callers waiting for the container to be removed.
+func (s *State) SetRemovalError(err error) {
+	s.SetError(err)
+	s.Lock()
+	close(s.waitRemove) // Unblock those waiting on remove.
+	// Recreate the channel so next ContainerWait will work
+	s.waitRemove = make(chan struct{})
+	s.Unlock()
+}
+
+// Err returns an error if there is one.
+func (s *State) Err() error {
+	if s.ErrorMsg != "" {
+		return errors.New(s.ErrorMsg)
+	}
+	return nil
+}
diff --git a/engine/container/state_test.go b/engine/container/state_test.go
new file mode 100644
index 00000000..4ad3c805
--- /dev/null
+++ b/engine/container/state_test.go
@@ -0,0 +1,192 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestIsValidHealthString(t *testing.T) {
+	contexts := []struct {
+		Health   string
+		Expected bool
+	}{
+		{types.Healthy, true},
+		{types.Unhealthy, true},
+		{types.Starting, true},
+		{types.NoHealthcheck, true},
+		{"fail", false},
+	}
+
+	for _, c := range contexts {
+		v := IsValidHealthString(c.Health)
+		if v != c.Expected {
+			t.Fatalf("Expected %t, but got %t", c.Expected, v)
+		}
+	}
+}
+
+func TestStateRunStop(t *testing.T) {
+	s := NewState()
+
+	// Begin another wait with WaitConditionRemoved. It should complete
+	// within 200 milliseconds.
+	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
+	defer cancel()
+	removalWait := s.Wait(ctx, WaitConditionRemoved)
+
+	// Full lifecycle two times.
+	for i := 1; i <= 2; i++ {
+		// A wait with WaitConditionNotRunning should return
+		// immediately since the state is now either "created" (on the
+		// first iteration) or "exited" (on the second iteration). It
+		// shouldn't take more than 50 milliseconds.
+		ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
+		defer cancel()
+		// Expectx exit code to be i-1 since it should be the exit
+		// code from the previous loop or 0 for the created state.
+		if status := <-s.Wait(ctx, WaitConditionNotRunning); status.ExitCode() != i-1 {
+			t.Fatalf("ExitCode %v, expected %v, err %q", status.ExitCode(), i-1, status.Err())
+		}
+
+		// A wait with WaitConditionNextExit should block until the
+		// container has started and exited. It shouldn't take more
+		// than 100 milliseconds.
+		ctx, cancel = context.WithTimeout(context.Background(), 100*time.Millisecond)
+		defer cancel()
+		initialWait := s.Wait(ctx, WaitConditionNextExit)
+
+		// Set the state to "Running".
+		s.Lock()
+		s.SetRunning(i, true)
+		s.Unlock()
+
+		// Assert desired state.
+		if !s.IsRunning() {
+			t.Fatal("State not running")
+		}
+		if s.Pid != i {
+			t.Fatalf("Pid %v, expected %v", s.Pid, i)
+		}
+		if s.ExitCode() != 0 {
+			t.Fatalf("ExitCode %v, expected 0", s.ExitCode())
+		}
+
+		// Now that it's running, a wait with WaitConditionNotRunning
+		// should block until we stop the container. It shouldn't take
+		// more than 100 milliseconds.
+		ctx, cancel = context.WithTimeout(context.Background(), 100*time.Millisecond)
+		defer cancel()
+		exitWait := s.Wait(ctx, WaitConditionNotRunning)
+
+		// Set the state to "Exited".
+		s.Lock()
+		s.SetStopped(&ExitStatus{ExitCode: i})
+		s.Unlock()
+
+		// Assert desired state.
+		if s.IsRunning() {
+			t.Fatal("State is running")
+		}
+		if s.ExitCode() != i {
+			t.Fatalf("ExitCode %v, expected %v", s.ExitCode(), i)
+		}
+		if s.Pid != 0 {
+			t.Fatalf("Pid %v, expected 0", s.Pid)
+		}
+
+		// Receive the initialWait result.
+		if status := <-initialWait; status.ExitCode() != i {
+			t.Fatalf("ExitCode %v, expected %v, err %q", status.ExitCode(), i, status.Err())
+		}
+
+		// Receive the exitWait result.
+		if status := <-exitWait; status.ExitCode() != i {
+			t.Fatalf("ExitCode %v, expected %v, err %q", status.ExitCode(), i, status.Err())
+		}
+	}
+
+	// Set the state to dead and removed.
+	s.SetDead()
+	s.SetRemoved()
+
+	// Wait for removed status or timeout.
+	if status := <-removalWait; status.ExitCode() != 2 {
+		// Should have the final exit code from the loop.
+		t.Fatalf("Removal wait exitCode %v, expected %v, err %q", status.ExitCode(), 2, status.Err())
+	}
+}
+
+func TestStateTimeoutWait(t *testing.T) {
+	s := NewState()
+
+	s.Lock()
+	s.SetRunning(0, true)
+	s.Unlock()
+
+	// Start a wait with a timeout.
+	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+	defer cancel()
+	waitC := s.Wait(ctx, WaitConditionNotRunning)
+
+	// It should timeout *before* this 200ms timer does.
+	select {
+	case <-time.After(200 * time.Millisecond):
+		t.Fatal("Stop callback doesn't fire in 200 milliseconds")
+	case status := <-waitC:
+		t.Log("Stop callback fired")
+		// Should be a timeout error.
+		if status.Err() == nil {
+			t.Fatal("expected timeout error, got nil")
+		}
+		if status.ExitCode() != -1 {
+			t.Fatalf("expected exit code %v, got %v", -1, status.ExitCode())
+		}
+	}
+
+	s.Lock()
+	s.SetStopped(&ExitStatus{ExitCode: 0})
+	s.Unlock()
+
+	// Start another wait with a timeout. This one should return
+	// immediately.
+	ctx, cancel = context.WithTimeout(context.Background(), 100*time.Millisecond)
+	defer cancel()
+	waitC = s.Wait(ctx, WaitConditionNotRunning)
+
+	select {
+	case <-time.After(200 * time.Millisecond):
+		t.Fatal("Stop callback doesn't fire in 200 milliseconds")
+	case status := <-waitC:
+		t.Log("Stop callback fired")
+		if status.ExitCode() != 0 {
+			t.Fatalf("expected exit code %v, got %v, err %q", 0, status.ExitCode(), status.Err())
+		}
+	}
+}
+
+func TestIsValidStateString(t *testing.T) {
+	states := []struct {
+		state    string
+		expected bool
+	}{
+		{"paused", true},
+		{"restarting", true},
+		{"running", true},
+		{"dead", true},
+		{"start", false},
+		{"created", true},
+		{"exited", true},
+		{"removing", true},
+		{"stop", false},
+	}
+
+	for _, s := range states {
+		v := IsValidStateString(s.state)
+		if v != s.expected {
+			t.Fatalf("Expected %t, but got %t", s.expected, v)
+		}
+	}
+}
diff --git a/engine/container/store.go b/engine/container/store.go
new file mode 100644
index 00000000..3af03898
--- /dev/null
+++ b/engine/container/store.go
@@ -0,0 +1,28 @@
+package container // import "github.com/docker/docker/container"
+
+// StoreFilter defines a function to filter
+// container in the store.
+type StoreFilter func(*Container) bool
+
+// StoreReducer defines a function to
+// manipulate containers in the store
+type StoreReducer func(*Container)
+
+// Store defines an interface that
+// any container store must implement.
+type Store interface {
+	// Add appends a new container to the store.
+	Add(string, *Container)
+	// Get returns a container from the store by the identifier it was stored with.
+	Get(string) *Container
+	// Delete removes a container from the store by the identifier it was stored with.
+	Delete(string)
+	// List returns a list of containers from the store.
+	List() []*Container
+	// Size returns the number of containers in the store.
+	Size() int
+	// First returns the first container found in the store by a given filter.
+	First(StoreFilter) *Container
+	// ApplyAll calls the reducer function with every container in the store.
+	ApplyAll(StoreReducer)
+}
diff --git a/engine/container/stream/attach.go b/engine/container/stream/attach.go
new file mode 100644
index 00000000..1366dcb4
--- /dev/null
+++ b/engine/container/stream/attach.go
@@ -0,0 +1,175 @@
+package stream // import "github.com/docker/docker/container/stream"
+
+import (
+	"context"
+	"io"
+
+	"github.com/docker/docker/pkg/pools"
+	"github.com/docker/docker/pkg/term"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+)
+
+var defaultEscapeSequence = []byte{16, 17} // ctrl-p, ctrl-q
+
+// AttachConfig is the config struct used to attach a client to a stream's stdio
+type AttachConfig struct {
+	// Tells the attach copier that the stream's stdin is a TTY and to look for
+	// escape sequences in stdin to detach from the stream.
+	// When true the escape sequence is not passed to the underlying stream
+	TTY bool
+	// Specifies the detach keys the client will be using
+	// Only useful when `TTY` is true
+	DetachKeys []byte
+
+	// CloseStdin signals that once done, stdin for the attached stream should be closed
+	// For example, this would close the attached container's stdin.
+	CloseStdin bool
+
+	// UseStd* indicate whether the client has requested to be connected to the
+	// given stream or not.  These flags are used instead of checking Std* != nil
+	// at points before the client streams Std* are wired up.
+	UseStdin, UseStdout, UseStderr bool
+
+	// CStd* are the streams directly connected to the container
+	CStdin           io.WriteCloser
+	CStdout, CStderr io.ReadCloser
+
+	// Provide client streams to wire up to
+	Stdin          io.ReadCloser
+	Stdout, Stderr io.Writer
+}
+
+// AttachStreams attaches the container's streams to the AttachConfig
+func (c *Config) AttachStreams(cfg *AttachConfig) {
+	if cfg.UseStdin {
+		cfg.CStdin = c.StdinPipe()
+	}
+
+	if cfg.UseStdout {
+		cfg.CStdout = c.StdoutPipe()
+	}
+
+	if cfg.UseStderr {
+		cfg.CStderr = c.StderrPipe()
+	}
+}
+
+// CopyStreams starts goroutines to copy data in and out to/from the container
+func (c *Config) CopyStreams(ctx context.Context, cfg *AttachConfig) <-chan error {
+	var group errgroup.Group
+
+	// Connect stdin of container to the attach stdin stream.
+	if cfg.Stdin != nil {
+		group.Go(func() error {
+			logrus.Debug("attach: stdin: begin")
+			defer logrus.Debug("attach: stdin: end")
+
+			defer func() {
+				if cfg.CloseStdin && !cfg.TTY {
+					cfg.CStdin.Close()
+				} else {
+					// No matter what, when stdin is closed (io.Copy unblock), close stdout and stderr
+					if cfg.CStdout != nil {
+						cfg.CStdout.Close()
+					}
+					if cfg.CStderr != nil {
+						cfg.CStderr.Close()
+					}
+				}
+			}()
+
+			var err error
+			if cfg.TTY {
+				_, err = copyEscapable(cfg.CStdin, cfg.Stdin, cfg.DetachKeys)
+			} else {
+				_, err = pools.Copy(cfg.CStdin, cfg.Stdin)
+			}
+			if err == io.ErrClosedPipe {
+				err = nil
+			}
+			if err != nil {
+				logrus.WithError(err).Debug("error on attach stdin")
+				return errors.Wrap(err, "error on attach stdin")
+			}
+			return nil
+		})
+	}
+
+	attachStream := func(name string, stream io.Writer, streamPipe io.ReadCloser) error {
+		logrus.Debugf("attach: %s: begin", name)
+		defer logrus.Debugf("attach: %s: end", name)
+		defer func() {
+			// Make sure stdin gets closed
+			if cfg.Stdin != nil {
+				cfg.Stdin.Close()
+			}
+			streamPipe.Close()
+		}()
+
+		_, err := pools.Copy(stream, streamPipe)
+		if err == io.ErrClosedPipe {
+			err = nil
+		}
+		if err != nil {
+			logrus.WithError(err).Debugf("attach: %s", name)
+			return errors.Wrapf(err, "error attaching %s stream", name)
+		}
+		return nil
+	}
+
+	if cfg.Stdout != nil {
+		group.Go(func() error {
+			return attachStream("stdout", cfg.Stdout, cfg.CStdout)
+		})
+	}
+	if cfg.Stderr != nil {
+		group.Go(func() error {
+			return attachStream("stderr", cfg.Stderr, cfg.CStderr)
+		})
+	}
+
+	errs := make(chan error, 1)
+	go func() {
+		defer logrus.Debug("attach done")
+		groupErr := make(chan error, 1)
+		go func() {
+			groupErr <- group.Wait()
+		}()
+		select {
+		case <-ctx.Done():
+			// close all pipes
+			if cfg.CStdin != nil {
+				cfg.CStdin.Close()
+			}
+			if cfg.CStdout != nil {
+				cfg.CStdout.Close()
+			}
+			if cfg.CStderr != nil {
+				cfg.CStderr.Close()
+			}
+
+			// Now with these closed, wait should return.
+			if err := group.Wait(); err != nil {
+				errs <- err
+				return
+			}
+			errs <- ctx.Err()
+		case err := <-groupErr:
+			errs <- err
+		}
+	}()
+
+	return errs
+}
+
+func copyEscapable(dst io.Writer, src io.ReadCloser, keys []byte) (written int64, err error) {
+	if len(keys) == 0 {
+		keys = defaultEscapeSequence
+	}
+	pr := term.NewEscapeProxy(src, keys)
+	defer src.Close()
+
+	return pools.Copy(dst, pr)
+}
diff --git a/engine/container/stream/streams.go b/engine/container/stream/streams.go
new file mode 100644
index 00000000..d81867c1
--- /dev/null
+++ b/engine/container/stream/streams.go
@@ -0,0 +1,146 @@
+package stream // import "github.com/docker/docker/container/stream"
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+	"sync"
+
+	"github.com/containerd/containerd/cio"
+	"github.com/docker/docker/pkg/broadcaster"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/pools"
+	"github.com/sirupsen/logrus"
+)
+
+// Config holds information about I/O streams managed together.
+//
+// config.StdinPipe returns a WriteCloser which can be used to feed data
+// to the standard input of the streamConfig's active process.
+// config.StdoutPipe and streamConfig.StderrPipe each return a ReadCloser
+// which can be used to retrieve the standard output (and error) generated
+// by the container's active process. The output (and error) are actually
+// copied and delivered to all StdoutPipe and StderrPipe consumers, using
+// a kind of "broadcaster".
+type Config struct {
+	sync.WaitGroup
+	stdout    *broadcaster.Unbuffered
+	stderr    *broadcaster.Unbuffered
+	stdin     io.ReadCloser
+	stdinPipe io.WriteCloser
+}
+
+// NewConfig creates a stream config and initializes
+// the standard err and standard out to new unbuffered broadcasters.
+func NewConfig() *Config {
+	return &Config{
+		stderr: new(broadcaster.Unbuffered),
+		stdout: new(broadcaster.Unbuffered),
+	}
+}
+
+// Stdout returns the standard output in the configuration.
+func (c *Config) Stdout() *broadcaster.Unbuffered {
+	return c.stdout
+}
+
+// Stderr returns the standard error in the configuration.
+func (c *Config) Stderr() *broadcaster.Unbuffered {
+	return c.stderr
+}
+
+// Stdin returns the standard input in the configuration.
+func (c *Config) Stdin() io.ReadCloser {
+	return c.stdin
+}
+
+// StdinPipe returns an input writer pipe as an io.WriteCloser.
+func (c *Config) StdinPipe() io.WriteCloser {
+	return c.stdinPipe
+}
+
+// StdoutPipe creates a new io.ReadCloser with an empty bytes pipe.
+// It adds this new out pipe to the Stdout broadcaster.
+// This will block stdout if unconsumed.
+func (c *Config) StdoutPipe() io.ReadCloser {
+	bytesPipe := ioutils.NewBytesPipe()
+	c.stdout.Add(bytesPipe)
+	return bytesPipe
+}
+
+// StderrPipe creates a new io.ReadCloser with an empty bytes pipe.
+// It adds this new err pipe to the Stderr broadcaster.
+// This will block stderr if unconsumed.
+func (c *Config) StderrPipe() io.ReadCloser {
+	bytesPipe := ioutils.NewBytesPipe()
+	c.stderr.Add(bytesPipe)
+	return bytesPipe
+}
+
+// NewInputPipes creates new pipes for both standard inputs, Stdin and StdinPipe.
+func (c *Config) NewInputPipes() {
+	c.stdin, c.stdinPipe = io.Pipe()
+}
+
+// NewNopInputPipe creates a new input pipe that will silently drop all messages in the input.
+func (c *Config) NewNopInputPipe() {
+	c.stdinPipe = ioutils.NopWriteCloser(ioutil.Discard)
+}
+
+// CloseStreams ensures that the configured streams are properly closed.
+func (c *Config) CloseStreams() error {
+	var errors []string
+
+	if c.stdin != nil {
+		if err := c.stdin.Close(); err != nil {
+			errors = append(errors, fmt.Sprintf("error close stdin: %s", err))
+		}
+	}
+
+	if err := c.stdout.Clean(); err != nil {
+		errors = append(errors, fmt.Sprintf("error close stdout: %s", err))
+	}
+
+	if err := c.stderr.Clean(); err != nil {
+		errors = append(errors, fmt.Sprintf("error close stderr: %s", err))
+	}
+
+	if len(errors) > 0 {
+		return fmt.Errorf(strings.Join(errors, "\n"))
+	}
+
+	return nil
+}
+
+// CopyToPipe connects streamconfig with a libcontainerd.IOPipe
+func (c *Config) CopyToPipe(iop *cio.DirectIO) {
+	copyFunc := func(w io.Writer, r io.ReadCloser) {
+		c.Add(1)
+		go func() {
+			if _, err := pools.Copy(w, r); err != nil {
+				logrus.Errorf("stream copy error: %v", err)
+			}
+			r.Close()
+			c.Done()
+		}()
+	}
+
+	if iop.Stdout != nil {
+		copyFunc(c.Stdout(), iop.Stdout)
+	}
+	if iop.Stderr != nil {
+		copyFunc(c.Stderr(), iop.Stderr)
+	}
+
+	if stdin := c.Stdin(); stdin != nil {
+		if iop.Stdin != nil {
+			go func() {
+				pools.Copy(iop.Stdin, stdin)
+				if err := iop.Stdin.Close(); err != nil {
+					logrus.Warnf("failed to close stdin: %v", err)
+				}
+			}()
+		}
+	}
+}
diff --git a/engine/container/view.go b/engine/container/view.go
new file mode 100644
index 00000000..b6314994
--- /dev/null
+++ b/engine/container/view.go
@@ -0,0 +1,494 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/go-connections/nat"
+	"github.com/hashicorp/go-memdb"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	memdbContainersTable  = "containers"
+	memdbNamesTable       = "names"
+	memdbIDIndex          = "id"
+	memdbContainerIDIndex = "containerid"
+)
+
+var (
+	// ErrNameReserved is an error which is returned when a name is requested to be reserved that already is reserved
+	ErrNameReserved = errors.New("name is reserved")
+	// ErrNameNotReserved is an error which is returned when trying to find a name that is not reserved
+	ErrNameNotReserved = errors.New("name is not reserved")
+)
+
+// Snapshot is a read only view for Containers. It holds all information necessary to serve container queries in a
+// versioned ACID in-memory store.
+type Snapshot struct {
+	types.Container
+
+	// additional info queries need to filter on
+	// preserve nanosec resolution for queries
+	CreatedAt    time.Time
+	StartedAt    time.Time
+	Name         string
+	Pid          int
+	ExitCode     int
+	Running      bool
+	Paused       bool
+	Managed      bool
+	ExposedPorts nat.PortSet
+	PortBindings nat.PortSet
+	Health       string
+	HostConfig   struct {
+		Isolation string
+	}
+}
+
+// nameAssociation associates a container id with a name.
+type nameAssociation struct {
+	// name is the name to associate. Note that name is the primary key
+	// ("id" in memdb).
+	name        string
+	containerID string
+}
+
+// ViewDB provides an in-memory transactional (ACID) container Store
+type ViewDB interface {
+	Snapshot() View
+	Save(*Container) error
+	Delete(*Container) error
+
+	ReserveName(name, containerID string) error
+	ReleaseName(name string) error
+}
+
+// View can be used by readers to avoid locking
+type View interface {
+	All() ([]Snapshot, error)
+	Get(id string) (*Snapshot, error)
+
+	GetID(name string) (string, error)
+	GetAllNames() map[string][]string
+}
+
+var schema = &memdb.DBSchema{
+	Tables: map[string]*memdb.TableSchema{
+		memdbContainersTable: {
+			Name: memdbContainersTable,
+			Indexes: map[string]*memdb.IndexSchema{
+				memdbIDIndex: {
+					Name:    memdbIDIndex,
+					Unique:  true,
+					Indexer: &containerByIDIndexer{},
+				},
+			},
+		},
+		memdbNamesTable: {
+			Name: memdbNamesTable,
+			Indexes: map[string]*memdb.IndexSchema{
+				// Used for names, because "id" is the primary key in memdb.
+				memdbIDIndex: {
+					Name:    memdbIDIndex,
+					Unique:  true,
+					Indexer: &namesByNameIndexer{},
+				},
+				memdbContainerIDIndex: {
+					Name:    memdbContainerIDIndex,
+					Indexer: &namesByContainerIDIndexer{},
+				},
+			},
+		},
+	},
+}
+
+type memDB struct {
+	store *memdb.MemDB
+}
+
+// NoSuchContainerError indicates that the container wasn't found in the
+// database.
+type NoSuchContainerError struct {
+	id string
+}
+
+// Error satisfies the error interface.
+func (e NoSuchContainerError) Error() string {
+	return "no such container " + e.id
+}
+
+// NewViewDB provides the default implementation, with the default schema
+func NewViewDB() (ViewDB, error) {
+	store, err := memdb.NewMemDB(schema)
+	if err != nil {
+		return nil, err
+	}
+	return &memDB{store: store}, nil
+}
+
+// Snapshot provides a consistent read-only View of the database
+func (db *memDB) Snapshot() View {
+	return &memdbView{
+		txn: db.store.Txn(false),
+	}
+}
+
+func (db *memDB) withTxn(cb func(*memdb.Txn) error) error {
+	txn := db.store.Txn(true)
+	err := cb(txn)
+	if err != nil {
+		txn.Abort()
+		return err
+	}
+	txn.Commit()
+	return nil
+}
+
+// Save atomically updates the in-memory store state for a Container.
+// Only read only (deep) copies of containers may be passed in.
+func (db *memDB) Save(c *Container) error {
+	return db.withTxn(func(txn *memdb.Txn) error {
+		return txn.Insert(memdbContainersTable, c)
+	})
+}
+
+// Delete removes an item by ID
+func (db *memDB) Delete(c *Container) error {
+	return db.withTxn(func(txn *memdb.Txn) error {
+		view := &memdbView{txn: txn}
+		names := view.getNames(c.ID)
+
+		for _, name := range names {
+			txn.Delete(memdbNamesTable, nameAssociation{name: name})
+		}
+
+		// Ignore error - the container may not actually exist in the
+		// db, but we still need to clean up associated names.
+		txn.Delete(memdbContainersTable, NewBaseContainer(c.ID, c.Root))
+		return nil
+	})
+}
+
+// ReserveName registers a container ID to a name
+// ReserveName is idempotent
+// Attempting to reserve a container ID to a name that already exists results in an `ErrNameReserved`
+// A name reservation is globally unique
+func (db *memDB) ReserveName(name, containerID string) error {
+	return db.withTxn(func(txn *memdb.Txn) error {
+		s, err := txn.First(memdbNamesTable, memdbIDIndex, name)
+		if err != nil {
+			return err
+		}
+		if s != nil {
+			if s.(nameAssociation).containerID != containerID {
+				return ErrNameReserved
+			}
+			return nil
+		}
+		return txn.Insert(memdbNamesTable, nameAssociation{name: name, containerID: containerID})
+	})
+}
+
+// ReleaseName releases the reserved name
+// Once released, a name can be reserved again
+func (db *memDB) ReleaseName(name string) error {
+	return db.withTxn(func(txn *memdb.Txn) error {
+		return txn.Delete(memdbNamesTable, nameAssociation{name: name})
+	})
+}
+
+type memdbView struct {
+	txn *memdb.Txn
+}
+
+// All returns a all items in this snapshot. Returned objects must never be modified.
+func (v *memdbView) All() ([]Snapshot, error) {
+	var all []Snapshot
+	iter, err := v.txn.Get(memdbContainersTable, memdbIDIndex)
+	if err != nil {
+		return nil, err
+	}
+	for {
+		item := iter.Next()
+		if item == nil {
+			break
+		}
+		snapshot := v.transform(item.(*Container))
+		all = append(all, *snapshot)
+	}
+	return all, nil
+}
+
+// Get returns an item by id. Returned objects must never be modified.
+func (v *memdbView) Get(id string) (*Snapshot, error) {
+	s, err := v.txn.First(memdbContainersTable, memdbIDIndex, id)
+	if err != nil {
+		return nil, err
+	}
+	if s == nil {
+		return nil, NoSuchContainerError{id: id}
+	}
+	return v.transform(s.(*Container)), nil
+}
+
+// getNames lists all the reserved names for the given container ID.
+func (v *memdbView) getNames(containerID string) []string {
+	iter, err := v.txn.Get(memdbNamesTable, memdbContainerIDIndex, containerID)
+	if err != nil {
+		return nil
+	}
+
+	var names []string
+	for {
+		item := iter.Next()
+		if item == nil {
+			break
+		}
+		names = append(names, item.(nameAssociation).name)
+	}
+
+	return names
+}
+
+// GetID returns the container ID that the passed in name is reserved to.
+func (v *memdbView) GetID(name string) (string, error) {
+	s, err := v.txn.First(memdbNamesTable, memdbIDIndex, name)
+	if err != nil {
+		return "", err
+	}
+	if s == nil {
+		return "", ErrNameNotReserved
+	}
+	return s.(nameAssociation).containerID, nil
+}
+
+// GetAllNames returns all registered names.
+func (v *memdbView) GetAllNames() map[string][]string {
+	iter, err := v.txn.Get(memdbNamesTable, memdbContainerIDIndex)
+	if err != nil {
+		return nil
+	}
+
+	out := make(map[string][]string)
+	for {
+		item := iter.Next()
+		if item == nil {
+			break
+		}
+		assoc := item.(nameAssociation)
+		out[assoc.containerID] = append(out[assoc.containerID], assoc.name)
+	}
+
+	return out
+}
+
+// transform maps a (deep) copied Container object to what queries need.
+// A lock on the Container is not held because these are immutable deep copies.
+func (v *memdbView) transform(container *Container) *Snapshot {
+	health := types.NoHealthcheck
+	if container.Health != nil {
+		health = container.Health.Status()
+	}
+	snapshot := &Snapshot{
+		Container: types.Container{
+			ID:      container.ID,
+			Names:   v.getNames(container.ID),
+			ImageID: container.ImageID.String(),
+			Ports:   []types.Port{},
+			Mounts:  container.GetMountPoints(),
+			State:   container.State.StateString(),
+			Status:  container.State.String(),
+			Created: container.Created.Unix(),
+		},
+		CreatedAt:    container.Created,
+		StartedAt:    container.StartedAt,
+		Name:         container.Name,
+		Pid:          container.Pid,
+		Managed:      container.Managed,
+		ExposedPorts: make(nat.PortSet),
+		PortBindings: make(nat.PortSet),
+		Health:       health,
+		Running:      container.Running,
+		Paused:       container.Paused,
+		ExitCode:     container.ExitCode(),
+	}
+
+	if snapshot.Names == nil {
+		// Dead containers will often have no name, so make sure the response isn't null
+		snapshot.Names = []string{}
+	}
+
+	if container.HostConfig != nil {
+		snapshot.Container.HostConfig.NetworkMode = string(container.HostConfig.NetworkMode)
+		snapshot.HostConfig.Isolation = string(container.HostConfig.Isolation)
+		for binding := range container.HostConfig.PortBindings {
+			snapshot.PortBindings[binding] = struct{}{}
+		}
+	}
+
+	if container.Config != nil {
+		snapshot.Image = container.Config.Image
+		snapshot.Labels = container.Config.Labels
+		for exposed := range container.Config.ExposedPorts {
+			snapshot.ExposedPorts[exposed] = struct{}{}
+		}
+	}
+
+	if len(container.Args) > 0 {
+		var args []string
+		for _, arg := range container.Args {
+			if strings.Contains(arg, " ") {
+				args = append(args, fmt.Sprintf("'%s'", arg))
+			} else {
+				args = append(args, arg)
+			}
+		}
+		argsAsString := strings.Join(args, " ")
+		snapshot.Command = fmt.Sprintf("%s %s", container.Path, argsAsString)
+	} else {
+		snapshot.Command = container.Path
+	}
+
+	snapshot.Ports = []types.Port{}
+	networks := make(map[string]*network.EndpointSettings)
+	if container.NetworkSettings != nil {
+		for name, netw := range container.NetworkSettings.Networks {
+			if netw == nil || netw.EndpointSettings == nil {
+				continue
+			}
+			networks[name] = &network.EndpointSettings{
+				EndpointID:          netw.EndpointID,
+				Gateway:             netw.Gateway,
+				IPAddress:           netw.IPAddress,
+				IPPrefixLen:         netw.IPPrefixLen,
+				IPv6Gateway:         netw.IPv6Gateway,
+				GlobalIPv6Address:   netw.GlobalIPv6Address,
+				GlobalIPv6PrefixLen: netw.GlobalIPv6PrefixLen,
+				MacAddress:          netw.MacAddress,
+				NetworkID:           netw.NetworkID,
+			}
+			if netw.IPAMConfig != nil {
+				networks[name].IPAMConfig = &network.EndpointIPAMConfig{
+					IPv4Address: netw.IPAMConfig.IPv4Address,
+					IPv6Address: netw.IPAMConfig.IPv6Address,
+				}
+			}
+		}
+		for port, bindings := range container.NetworkSettings.Ports {
+			p, err := nat.ParsePort(port.Port())
+			if err != nil {
+				logrus.Warnf("invalid port map %+v", err)
+				continue
+			}
+			if len(bindings) == 0 {
+				snapshot.Ports = append(snapshot.Ports, types.Port{
+					PrivatePort: uint16(p),
+					Type:        port.Proto(),
+				})
+				continue
+			}
+			for _, binding := range bindings {
+				h, err := nat.ParsePort(binding.HostPort)
+				if err != nil {
+					logrus.Warnf("invalid host port map %+v", err)
+					continue
+				}
+				snapshot.Ports = append(snapshot.Ports, types.Port{
+					PrivatePort: uint16(p),
+					PublicPort:  uint16(h),
+					Type:        port.Proto(),
+					IP:          binding.HostIP,
+				})
+			}
+		}
+	}
+	snapshot.NetworkSettings = &types.SummaryNetworkSettings{Networks: networks}
+
+	return snapshot
+}
+
+// containerByIDIndexer is used to extract the ID field from Container types.
+// memdb.StringFieldIndex can not be used since ID is a field from an embedded struct.
+type containerByIDIndexer struct{}
+
+// FromObject implements the memdb.SingleIndexer interface for Container objects
+func (e *containerByIDIndexer) FromObject(obj interface{}) (bool, []byte, error) {
+	c, ok := obj.(*Container)
+	if !ok {
+		return false, nil, fmt.Errorf("%T is not a Container", obj)
+	}
+	// Add the null character as a terminator
+	v := c.ID + "\x00"
+	return true, []byte(v), nil
+}
+
+// FromArgs implements the memdb.Indexer interface
+func (e *containerByIDIndexer) FromArgs(args ...interface{}) ([]byte, error) {
+	if len(args) != 1 {
+		return nil, fmt.Errorf("must provide only a single argument")
+	}
+	arg, ok := args[0].(string)
+	if !ok {
+		return nil, fmt.Errorf("argument must be a string: %#v", args[0])
+	}
+	// Add the null character as a terminator
+	arg += "\x00"
+	return []byte(arg), nil
+}
+
+// namesByNameIndexer is used to index container name associations by name.
+type namesByNameIndexer struct{}
+
+func (e *namesByNameIndexer) FromObject(obj interface{}) (bool, []byte, error) {
+	n, ok := obj.(nameAssociation)
+	if !ok {
+		return false, nil, fmt.Errorf(`%T does not have type "nameAssociation"`, obj)
+	}
+
+	// Add the null character as a terminator
+	return true, []byte(n.name + "\x00"), nil
+}
+
+func (e *namesByNameIndexer) FromArgs(args ...interface{}) ([]byte, error) {
+	if len(args) != 1 {
+		return nil, fmt.Errorf("must provide only a single argument")
+	}
+	arg, ok := args[0].(string)
+	if !ok {
+		return nil, fmt.Errorf("argument must be a string: %#v", args[0])
+	}
+	// Add the null character as a terminator
+	arg += "\x00"
+	return []byte(arg), nil
+}
+
+// namesByContainerIDIndexer is used to index container names by container ID.
+type namesByContainerIDIndexer struct{}
+
+func (e *namesByContainerIDIndexer) FromObject(obj interface{}) (bool, []byte, error) {
+	n, ok := obj.(nameAssociation)
+	if !ok {
+		return false, nil, fmt.Errorf(`%T does not have type "nameAssocation"`, obj)
+	}
+
+	// Add the null character as a terminator
+	return true, []byte(n.containerID + "\x00"), nil
+}
+
+func (e *namesByContainerIDIndexer) FromArgs(args ...interface{}) ([]byte, error) {
+	if len(args) != 1 {
+		return nil, fmt.Errorf("must provide only a single argument")
+	}
+	arg, ok := args[0].(string)
+	if !ok {
+		return nil, fmt.Errorf("argument must be a string: %#v", args[0])
+	}
+	// Add the null character as a terminator
+	arg += "\x00"
+	return []byte(arg), nil
+}
diff --git a/engine/container/view_test.go b/engine/container/view_test.go
new file mode 100644
index 00000000..434b7c61
--- /dev/null
+++ b/engine/container/view_test.go
@@ -0,0 +1,186 @@
+package container // import "github.com/docker/docker/container"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/pborman/uuid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+var root string
+
+func TestMain(m *testing.M) {
+	var err error
+	root, err = ioutil.TempDir("", "docker-container-test-")
+	if err != nil {
+		panic(err)
+	}
+	defer os.RemoveAll(root)
+
+	os.Exit(m.Run())
+}
+
+func newContainer(t *testing.T) *Container {
+	var (
+		id    = uuid.New()
+		cRoot = filepath.Join(root, id)
+	)
+	if err := os.MkdirAll(cRoot, 0755); err != nil {
+		t.Fatal(err)
+	}
+	c := NewBaseContainer(id, cRoot)
+	c.HostConfig = &containertypes.HostConfig{}
+	return c
+}
+
+func TestViewSaveDelete(t *testing.T) {
+	db, err := NewViewDB()
+	if err != nil {
+		t.Fatal(err)
+	}
+	c := newContainer(t)
+	if err := c.CheckpointTo(db); err != nil {
+		t.Fatal(err)
+	}
+	if err := db.Delete(c); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestViewAll(t *testing.T) {
+	var (
+		db, _ = NewViewDB()
+		one   = newContainer(t)
+		two   = newContainer(t)
+	)
+	one.Pid = 10
+	if err := one.CheckpointTo(db); err != nil {
+		t.Fatal(err)
+	}
+	two.Pid = 20
+	if err := two.CheckpointTo(db); err != nil {
+		t.Fatal(err)
+	}
+
+	all, err := db.Snapshot().All()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if l := len(all); l != 2 {
+		t.Fatalf("expected 2 items, got %d", l)
+	}
+	byID := make(map[string]Snapshot)
+	for i := range all {
+		byID[all[i].ID] = all[i]
+	}
+	if s, ok := byID[one.ID]; !ok || s.Pid != 10 {
+		t.Fatalf("expected something different with for id=%s: %v", one.ID, s)
+	}
+	if s, ok := byID[two.ID]; !ok || s.Pid != 20 {
+		t.Fatalf("expected something different with for id=%s: %v", two.ID, s)
+	}
+}
+
+func TestViewGet(t *testing.T) {
+	var (
+		db, _ = NewViewDB()
+		one   = newContainer(t)
+	)
+	one.ImageID = "some-image-123"
+	if err := one.CheckpointTo(db); err != nil {
+		t.Fatal(err)
+	}
+	s, err := db.Snapshot().Get(one.ID)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if s == nil || s.ImageID != "some-image-123" {
+		t.Fatalf("expected ImageID=some-image-123. Got: %v", s)
+	}
+}
+
+func TestNames(t *testing.T) {
+	db, err := NewViewDB()
+	if err != nil {
+		t.Fatal(err)
+	}
+	assert.Check(t, db.ReserveName("name1", "containerid1"))
+	assert.Check(t, db.ReserveName("name1", "containerid1")) // idempotent
+	assert.Check(t, db.ReserveName("name2", "containerid2"))
+	assert.Check(t, is.Error(db.ReserveName("name2", "containerid3"), ErrNameReserved.Error()))
+
+	// Releasing a name allows the name to point to something else later.
+	assert.Check(t, db.ReleaseName("name2"))
+	assert.Check(t, db.ReserveName("name2", "containerid3"))
+
+	view := db.Snapshot()
+
+	id, err := view.GetID("name1")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("containerid1", id))
+
+	id, err = view.GetID("name2")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("containerid3", id))
+
+	_, err = view.GetID("notreserved")
+	assert.Check(t, is.Error(err, ErrNameNotReserved.Error()))
+
+	// Releasing and re-reserving a name doesn't affect the snapshot.
+	assert.Check(t, db.ReleaseName("name2"))
+	assert.Check(t, db.ReserveName("name2", "containerid4"))
+
+	id, err = view.GetID("name1")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("containerid1", id))
+
+	id, err = view.GetID("name2")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal("containerid3", id))
+
+	// GetAllNames
+	assert.Check(t, is.DeepEqual(map[string][]string{"containerid1": {"name1"}, "containerid3": {"name2"}}, view.GetAllNames()))
+
+	assert.Check(t, db.ReserveName("name3", "containerid1"))
+	assert.Check(t, db.ReserveName("name4", "containerid1"))
+
+	view = db.Snapshot()
+	assert.Check(t, is.DeepEqual(map[string][]string{"containerid1": {"name1", "name3", "name4"}, "containerid4": {"name2"}}, view.GetAllNames()))
+
+	// Release containerid1's names with Delete even though no container exists
+	assert.Check(t, db.Delete(&Container{ID: "containerid1"}))
+
+	// Reusing one of those names should work
+	assert.Check(t, db.ReserveName("name1", "containerid4"))
+	view = db.Snapshot()
+	assert.Check(t, is.DeepEqual(map[string][]string{"containerid4": {"name1", "name2"}}, view.GetAllNames()))
+}
+
+// Test case for GitHub issue 35920
+func TestViewWithHealthCheck(t *testing.T) {
+	var (
+		db, _ = NewViewDB()
+		one   = newContainer(t)
+	)
+	one.Health = &Health{
+		Health: types.Health{
+			Status: "starting",
+		},
+	}
+	if err := one.CheckpointTo(db); err != nil {
+		t.Fatal(err)
+	}
+	s, err := db.Snapshot().Get(one.ID)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if s == nil || s.Health != "starting" {
+		t.Fatalf("expected Health=starting. Got: %+v", s)
+	}
+}
diff --git a/engine/contrib/README.md b/engine/contrib/README.md
new file mode 100644
index 00000000..92b1d944
--- /dev/null
+++ b/engine/contrib/README.md
@@ -0,0 +1,4 @@
+The `contrib` directory contains scripts, images, and other helpful things
+which are not part of the core docker distribution. Please note that they
+could be out of date, since they do not receive the same attention as the
+rest of the repository.
diff --git a/engine/contrib/REVIEWERS b/engine/contrib/REVIEWERS
new file mode 100644
index 00000000..18e05a30
--- /dev/null
+++ b/engine/contrib/REVIEWERS
@@ -0,0 +1 @@
+Tianon Gravi <admwiggin@gmail.com> (@tianon)
diff --git a/engine/contrib/apparmor/main.go b/engine/contrib/apparmor/main.go
new file mode 100644
index 00000000..f4a2978b
--- /dev/null
+++ b/engine/contrib/apparmor/main.go
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"path"
+	"text/template"
+
+	"github.com/docker/docker/pkg/aaparser"
+)
+
+type profileData struct {
+	Version int
+}
+
+func main() {
+	if len(os.Args) < 2 {
+		log.Fatal("pass a filename to save the profile in.")
+	}
+
+	// parse the arg
+	apparmorProfilePath := os.Args[1]
+
+	version, err := aaparser.GetVersion()
+	if err != nil {
+		log.Fatal(err)
+	}
+	data := profileData{
+		Version: version,
+	}
+	fmt.Printf("apparmor_parser is of version %+v\n", data)
+
+	// parse the template
+	compiled, err := template.New("apparmor_profile").Parse(dockerProfileTemplate)
+	if err != nil {
+		log.Fatalf("parsing template failed: %v", err)
+	}
+
+	// make sure /etc/apparmor.d exists
+	if err := os.MkdirAll(path.Dir(apparmorProfilePath), 0755); err != nil {
+		log.Fatal(err)
+	}
+
+	f, err := os.OpenFile(apparmorProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer f.Close()
+
+	if err := compiled.Execute(f, data); err != nil {
+		log.Fatalf("executing template failed: %v", err)
+	}
+
+	fmt.Printf("created apparmor profile for version %+v at %q\n", data, apparmorProfilePath)
+}
diff --git a/engine/contrib/apparmor/template.go b/engine/contrib/apparmor/template.go
new file mode 100644
index 00000000..e5e1c8be
--- /dev/null
+++ b/engine/contrib/apparmor/template.go
@@ -0,0 +1,268 @@
+package main
+
+const dockerProfileTemplate = `@{DOCKER_GRAPH_PATH}=/var/lib/docker
+
+profile /usr/bin/docker (attach_disconnected, complain) {
+  # Prevent following links to these files during container setup.
+  deny /etc/** mkl,
+  deny /dev/** kl,
+  deny /sys/** mkl,
+  deny /proc/** mkl,
+
+  mount -> @{DOCKER_GRAPH_PATH}/**,
+  mount -> /,
+  mount -> /proc/**,
+  mount -> /sys/**,
+  mount -> /run/docker/netns/**,
+  mount -> /.pivot_root[0-9]*/,
+
+  / r,
+
+  umount,
+  pivot_root,
+{{if ge .Version 209000}}
+  signal (receive) peer=@{profile_name},
+  signal (receive) peer=unconfined,
+  signal (send),
+{{end}}
+  network,
+  capability,
+  owner /** rw,
+  @{DOCKER_GRAPH_PATH}/** rwl,
+  @{DOCKER_GRAPH_PATH}/linkgraph.db k,
+  @{DOCKER_GRAPH_PATH}/network/files/boltdb.db k,
+  @{DOCKER_GRAPH_PATH}/network/files/local-kv.db k,
+  @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/linkgraph.db k,
+
+  # For non-root client use:
+  /dev/urandom r,
+  /dev/null rw,
+  /dev/pts/[0-9]* rw,
+  /run/docker.sock rw,
+  /proc/** r,
+  /proc/[0-9]*/attr/exec w,
+  /sys/kernel/mm/hugepages/ r,
+  /etc/localtime r,
+  /etc/ld.so.cache r,
+  /etc/passwd r,
+
+{{if ge .Version 209000}}
+  ptrace peer=@{profile_name},
+  ptrace (read) peer=docker-default,
+  deny ptrace (trace) peer=docker-default,
+  deny ptrace peer=/usr/bin/docker///bin/ps,
+{{end}}
+
+  /usr/lib/** rm,
+  /lib/** rm,
+
+  /usr/bin/docker pix,
+  /sbin/xtables-multi rCx,
+  /sbin/iptables rCx,
+  /sbin/modprobe rCx,
+  /sbin/auplink rCx,
+  /sbin/mke2fs rCx,
+  /sbin/tune2fs rCx,
+  /sbin/blkid rCx,
+  /bin/kmod rCx,
+  /usr/bin/xz rCx,
+  /bin/ps rCx,
+  /bin/tar rCx,
+  /bin/cat rCx,
+  /sbin/zfs rCx,
+  /sbin/apparmor_parser rCx,
+
+{{if ge .Version 209000}}
+  # Transitions
+  change_profile -> docker-*,
+  change_profile -> unconfined,
+{{end}}
+
+  profile /bin/cat (complain) {
+    /etc/ld.so.cache r,
+    /lib/** rm,
+    /dev/null rw,
+    /proc r,
+    /bin/cat mr,
+
+    # For reading in 'docker stats':
+    /proc/[0-9]*/net/dev r,
+  }
+  profile /bin/ps (complain) {
+    /etc/ld.so.cache r,
+    /etc/localtime r,
+    /etc/passwd r,
+    /etc/nsswitch.conf r,
+    /lib/** rm,
+    /proc/[0-9]*/** r,
+    /dev/null rw,
+    /bin/ps mr,
+
+{{if ge .Version 209000}}
+    # We don't need ptrace so we'll deny and ignore the error.
+    deny ptrace (read, trace),
+{{end}}
+
+    # Quiet dac_override denials
+    deny capability dac_override,
+    deny capability dac_read_search,
+    deny capability sys_ptrace,
+
+    /dev/tty r,
+    /proc/stat r,
+    /proc/cpuinfo r,
+    /proc/meminfo r,
+    /proc/uptime r,
+    /sys/devices/system/cpu/online r,
+    /proc/sys/kernel/pid_max r,
+    /proc/ r,
+    /proc/tty/drivers r,
+  }
+  profile /sbin/iptables (complain) {
+{{if ge .Version 209000}}
+    signal (receive) peer=/usr/bin/docker,
+{{end}}
+    capability net_admin,
+  }
+  profile /sbin/auplink flags=(attach_disconnected, complain) {
+{{if ge .Version 209000}}
+    signal (receive) peer=/usr/bin/docker,
+{{end}}
+    capability sys_admin,
+    capability dac_override,
+
+    @{DOCKER_GRAPH_PATH}/aufs/** rw,
+    @{DOCKER_GRAPH_PATH}/tmp/** rw,
+    # For user namespaces:
+    @{DOCKER_GRAPH_PATH}/[0-9]*.[0-9]*/** rw,
+
+    /sys/fs/aufs/** r,
+    /lib/** rm,
+    /apparmor/.null r,
+    /dev/null rw,
+    /etc/ld.so.cache r,
+    /sbin/auplink rm,
+    /proc/fs/aufs/** rw,
+    /proc/[0-9]*/mounts rw,
+  }
+  profile /sbin/modprobe /bin/kmod (complain) {
+{{if ge .Version 209000}}
+    signal (receive) peer=/usr/bin/docker,
+{{end}}
+    capability sys_module,
+    /etc/ld.so.cache r,
+    /lib/** rm,
+    /dev/null rw,
+    /apparmor/.null rw,
+    /sbin/modprobe rm,
+    /bin/kmod rm,
+    /proc/cmdline r,
+    /sys/module/** r,
+    /etc/modprobe.d{/,/**} r,
+  }
+  # xz works via pipes, so we do not need access to the filesystem.
+  profile /usr/bin/xz (complain) {
+{{if ge .Version 209000}}
+    signal (receive) peer=/usr/bin/docker,
+{{end}}
+    /etc/ld.so.cache r,
+    /lib/** rm,
+    /usr/bin/xz rm,
+    deny /proc/** rw,
+    deny /sys/** rw,
+  }
+  profile /sbin/xtables-multi (attach_disconnected, complain) {
+    /etc/ld.so.cache r,
+    /lib/** rm,
+    /sbin/xtables-multi rm,
+    /apparmor/.null w,
+    /dev/null rw,
+
+    /proc r,
+
+    capability net_raw,
+    capability net_admin,
+    network raw,
+  }
+  profile /sbin/zfs (attach_disconnected, complain) {
+    file,
+    capability,
+  }
+  profile /sbin/mke2fs (complain) {
+    /sbin/mke2fs rm,
+
+    /lib/** rm,
+
+    /apparmor/.null w,
+
+    /etc/ld.so.cache r,
+    /etc/mke2fs.conf r,
+    /etc/mtab r,
+
+    /dev/dm-* rw,
+    /dev/urandom r,
+    /dev/null rw,
+
+    /proc/swaps r,
+    /proc/[0-9]*/mounts r,
+  }
+  profile /sbin/tune2fs (complain) {
+    /sbin/tune2fs rm,
+
+    /lib/** rm,
+
+    /apparmor/.null w,
+
+    /etc/blkid.conf r,
+    /etc/mtab r,
+    /etc/ld.so.cache r,
+
+    /dev/null rw,
+    /dev/.blkid.tab r,
+    /dev/dm-* rw,
+
+    /proc/swaps r,
+    /proc/[0-9]*/mounts r,
+  }
+  profile /sbin/blkid (complain) {
+    /sbin/blkid rm,
+
+    /lib/** rm,
+    /apparmor/.null w,
+
+    /etc/ld.so.cache r,
+    /etc/blkid.conf r,
+
+    /dev/null rw,
+    /dev/.blkid.tab rl,
+    /dev/.blkid.tab* rwl,
+    /dev/dm-* r,
+
+    /sys/devices/virtual/block/** r,
+
+    capability mknod,
+
+    mount -> @{DOCKER_GRAPH_PATH}/**,
+  }
+  profile /sbin/apparmor_parser (complain) {
+    /sbin/apparmor_parser rm,
+
+    /lib/** rm,
+
+    /etc/ld.so.cache r,
+    /etc/apparmor/** r,
+    /etc/apparmor.d/** r,
+    /etc/apparmor.d/cache/** w,
+
+    /dev/null rw,
+
+    /sys/kernel/security/apparmor/** r,
+    /sys/kernel/security/apparmor/.replace w,
+
+    /proc/[0-9]*/mounts r,
+    /proc/sys/kernel/osrelease r,
+    /proc r,
+
+    capability mac_admin,
+  }
+}`
diff --git a/engine/contrib/check-config.sh b/engine/contrib/check-config.sh
new file mode 100755
index 00000000..88eb8aa7
--- /dev/null
+++ b/engine/contrib/check-config.sh
@@ -0,0 +1,360 @@
+#!/usr/bin/env bash
+set -e
+
+EXITCODE=0
+
+# bits of this were adapted from lxc-checkconfig
+# see also https://github.com/lxc/lxc/blob/lxc-1.0.2/src/lxc/lxc-checkconfig.in
+
+possibleConfigs=(
+	'/proc/config.gz'
+	"/boot/config-$(uname -r)"
+	"/usr/src/linux-$(uname -r)/.config"
+	'/usr/src/linux/.config'
+)
+
+if [ $# -gt 0 ]; then
+	CONFIG="$1"
+else
+	: ${CONFIG:="${possibleConfigs[0]}"}
+fi
+
+if ! command -v zgrep &> /dev/null; then
+	zgrep() {
+		zcat "$2" | grep "$1"
+	}
+fi
+
+kernelVersion="$(uname -r)"
+kernelMajor="${kernelVersion%%.*}"
+kernelMinor="${kernelVersion#$kernelMajor.}"
+kernelMinor="${kernelMinor%%.*}"
+
+is_set() {
+	zgrep "CONFIG_$1=[y|m]" "$CONFIG" > /dev/null
+}
+is_set_in_kernel() {
+	zgrep "CONFIG_$1=y" "$CONFIG" > /dev/null
+}
+is_set_as_module() {
+	zgrep "CONFIG_$1=m" "$CONFIG" > /dev/null
+}
+
+color() {
+	local codes=()
+	if [ "$1" = 'bold' ]; then
+		codes=( "${codes[@]}" '1' )
+		shift
+	fi
+	if [ "$#" -gt 0 ]; then
+		local code=
+		case "$1" in
+			# see https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
+			black) code=30 ;;
+			red) code=31 ;;
+			green) code=32 ;;
+			yellow) code=33 ;;
+			blue) code=34 ;;
+			magenta) code=35 ;;
+			cyan) code=36 ;;
+			white) code=37 ;;
+		esac
+		if [ "$code" ]; then
+			codes=( "${codes[@]}" "$code" )
+		fi
+	fi
+	local IFS=';'
+	echo -en '\033['"${codes[*]}"'m'
+}
+wrap_color() {
+	text="$1"
+	shift
+	color "$@"
+	echo -n "$text"
+	color reset
+	echo
+}
+
+wrap_good() {
+	echo "$(wrap_color "$1" white): $(wrap_color "$2" green)"
+}
+wrap_bad() {
+	echo "$(wrap_color "$1" bold): $(wrap_color "$2" bold red)"
+}
+wrap_warning() {
+	wrap_color >&2 "$*" red
+}
+
+check_flag() {
+	if is_set_in_kernel "$1"; then
+		wrap_good "CONFIG_$1" 'enabled'
+	elif is_set_as_module "$1"; then
+		wrap_good "CONFIG_$1" 'enabled (as module)'
+	else
+		wrap_bad "CONFIG_$1" 'missing'
+		EXITCODE=1
+	fi
+}
+
+check_flags() {
+	for flag in "$@"; do
+		echo -n "- "; check_flag "$flag"
+	done
+}
+
+check_command() {
+	if command -v "$1" >/dev/null 2>&1; then
+		wrap_good "$1 command" 'available'
+	else
+		wrap_bad "$1 command" 'missing'
+		EXITCODE=1
+	fi
+}
+
+check_device() {
+	if [ -c "$1" ]; then
+		wrap_good "$1" 'present'
+	else
+		wrap_bad "$1" 'missing'
+		EXITCODE=1
+	fi
+}
+
+check_distro_userns() {
+	source /etc/os-release 2>/dev/null || /bin/true
+	if [[ "${ID}" =~ ^(centos|rhel)$ && "${VERSION_ID}" =~ ^7 ]]; then
+		# this is a CentOS7 or RHEL7 system
+		grep -q "user_namespace.enable=1" /proc/cmdline || {
+			# no user namespace support enabled
+			wrap_bad "  (RHEL7/CentOS7" "User namespaces disabled; add 'user_namespace.enable=1' to boot command line)"
+			EXITCODE=1
+		}
+	fi
+}
+
+if [ ! -e "$CONFIG" ]; then
+	wrap_warning "warning: $CONFIG does not exist, searching other paths for kernel config ..."
+	for tryConfig in "${possibleConfigs[@]}"; do
+		if [ -e "$tryConfig" ]; then
+			CONFIG="$tryConfig"
+			break
+		fi
+	done
+	if [ ! -e "$CONFIG" ]; then
+		wrap_warning "error: cannot find kernel config"
+		wrap_warning "  try running this script again, specifying the kernel config:"
+		wrap_warning "    CONFIG=/path/to/kernel/.config $0 or $0 /path/to/kernel/.config"
+		exit 1
+	fi
+fi
+
+wrap_color "info: reading kernel config from $CONFIG ..." white
+echo
+
+echo 'Generally Necessary:'
+
+echo -n '- '
+cgroupSubsystemDir="$(awk '/[, ](cpu|cpuacct|cpuset|devices|freezer|memory)[, ]/ && $3 == "cgroup" { print $2 }' /proc/mounts | head -n1)"
+cgroupDir="$(dirname "$cgroupSubsystemDir")"
+if [ -d "$cgroupDir/cpu" -o -d "$cgroupDir/cpuacct" -o -d "$cgroupDir/cpuset" -o -d "$cgroupDir/devices" -o -d "$cgroupDir/freezer" -o -d "$cgroupDir/memory" ]; then
+	echo "$(wrap_good 'cgroup hierarchy' 'properly mounted') [$cgroupDir]"
+else
+	if [ "$cgroupSubsystemDir" ]; then
+		echo "$(wrap_bad 'cgroup hierarchy' 'single mountpoint!') [$cgroupSubsystemDir]"
+	else
+		echo "$(wrap_bad 'cgroup hierarchy' 'nonexistent??')"
+	fi
+	EXITCODE=1
+	echo "    $(wrap_color '(see https://github.com/tianon/cgroupfs-mount)' yellow)"
+fi
+
+if [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = 'Y' ]; then
+	echo -n '- '
+	if command -v apparmor_parser &> /dev/null; then
+		echo "$(wrap_good 'apparmor' 'enabled and tools installed')"
+	else
+		echo "$(wrap_bad 'apparmor' 'enabled, but apparmor_parser missing')"
+		echo -n '    '
+		if command -v apt-get &> /dev/null; then
+			echo "$(wrap_color '(use "apt-get install apparmor" to fix this)')"
+		elif command -v yum &> /dev/null; then
+			echo "$(wrap_color '(your best bet is "yum install apparmor-parser")')"
+		else
+			echo "$(wrap_color '(look for an "apparmor" package for your distribution)')"
+		fi
+		EXITCODE=1
+	fi
+fi
+
+flags=(
+	NAMESPACES {NET,PID,IPC,UTS}_NS
+	CGROUPS CGROUP_CPUACCT CGROUP_DEVICE CGROUP_FREEZER CGROUP_SCHED CPUSETS MEMCG
+	KEYS
+	VETH BRIDGE BRIDGE_NETFILTER
+	NF_NAT_IPV4 IP_NF_FILTER IP_NF_TARGET_MASQUERADE
+	NETFILTER_XT_MATCH_{ADDRTYPE,CONNTRACK,IPVS}
+	IP_NF_NAT NF_NAT NF_NAT_NEEDED
+
+	# required for bind-mounting /dev/mqueue into containers
+	POSIX_MQUEUE
+)
+check_flags "${flags[@]}"
+if [ "$kernelMajor" -lt 4 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -lt 8 ]; then
+        check_flags DEVPTS_MULTIPLE_INSTANCES
+fi
+
+echo
+
+echo 'Optional Features:'
+{
+	check_flags USER_NS
+	check_distro_userns
+}
+{
+	check_flags SECCOMP
+}
+{
+	check_flags CGROUP_PIDS
+}
+{
+	CODE=${EXITCODE}
+	check_flags MEMCG_SWAP MEMCG_SWAP_ENABLED
+	if [ -e /sys/fs/cgroup/memory/memory.memsw.limit_in_bytes ]; then
+		echo "    $(wrap_color '(cgroup swap accounting is currently enabled)' bold black)"
+		EXITCODE=${CODE}
+	elif is_set MEMCG_SWAP && ! is_set MEMCG_SWAP_ENABLED; then
+		echo "    $(wrap_color '(cgroup swap accounting is currently not enabled, you can enable it by setting boot option "swapaccount=1")' bold black)"
+	fi
+}
+{
+	if is_set LEGACY_VSYSCALL_NATIVE; then
+		echo -n "- "; wrap_bad "CONFIG_LEGACY_VSYSCALL_NATIVE" 'enabled'
+		echo "    $(wrap_color '(dangerous, provides an ASLR-bypassing target with usable ROP gadgets.)' bold black)"
+	elif is_set LEGACY_VSYSCALL_EMULATE; then
+		echo -n "- "; wrap_good "CONFIG_LEGACY_VSYSCALL_EMULATE" 'enabled'
+	elif is_set LEGACY_VSYSCALL_NONE; then
+		echo -n "- "; wrap_bad "CONFIG_LEGACY_VSYSCALL_NONE" 'enabled'
+		echo "    $(wrap_color '(containers using eglibc <= 2.13 will not work. Switch to' bold black)"
+		echo "    $(wrap_color ' "CONFIG_VSYSCALL_[NATIVE|EMULATE]" or use "vsyscall=[native|emulate]"' bold black)"
+		echo "    $(wrap_color ' on kernel command line. Note that this will disable ASLR for the,' bold black)"
+		echo "    $(wrap_color ' VDSO which may assist in exploiting security vulnerabilities.)' bold black)"
+	# else Older kernels (prior to 3dc33bd30f3e, released in v4.40-rc1) do
+	#      not have these LEGACY_VSYSCALL options and are effectively
+	#      LEGACY_VSYSCALL_EMULATE. Even older kernels are presumably
+	#      effectively LEGACY_VSYSCALL_NATIVE.
+	fi
+}
+
+if [ "$kernelMajor" -lt 4 ] || [ "$kernelMajor" -eq 4 -a "$kernelMinor" -le 5 ]; then
+	check_flags MEMCG_KMEM
+fi
+
+if [ "$kernelMajor" -lt 3 ] || [ "$kernelMajor" -eq 3 -a "$kernelMinor" -le 18 ]; then
+	check_flags RESOURCE_COUNTERS
+fi
+
+if [ "$kernelMajor" -lt 3 ] || [ "$kernelMajor" -eq 3 -a "$kernelMinor" -le 13 ]; then
+	netprio=NETPRIO_CGROUP
+else
+	netprio=CGROUP_NET_PRIO
+fi
+
+flags=(
+	BLK_CGROUP BLK_DEV_THROTTLING IOSCHED_CFQ CFQ_GROUP_IOSCHED
+	CGROUP_PERF
+	CGROUP_HUGETLB
+	NET_CLS_CGROUP $netprio
+	CFS_BANDWIDTH FAIR_GROUP_SCHED RT_GROUP_SCHED
+	IP_VS
+	IP_VS_NFCT
+ 	IP_VS_RR
+)
+check_flags "${flags[@]}"
+
+if ! is_set EXT4_USE_FOR_EXT2; then
+	check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+	if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+		echo "    $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+	fi
+fi
+
+check_flags EXT4_FS EXT4_FS_POSIX_ACL EXT4_FS_SECURITY
+if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+	if is_set EXT4_USE_FOR_EXT2; then
+		echo "    $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+	else
+		echo "    $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+	fi
+fi
+
+echo '- Network Drivers:'
+echo '  - "'$(wrap_color 'overlay' blue)'":'
+check_flags VXLAN | sed 's/^/    /'
+echo '      Optional (for encrypted networks):'
+check_flags CRYPTO CRYPTO_AEAD CRYPTO_GCM CRYPTO_SEQIV CRYPTO_GHASH \
+            XFRM XFRM_USER XFRM_ALGO INET_ESP INET_XFRM_MODE_TRANSPORT | sed 's/^/      /'
+echo '  - "'$(wrap_color 'ipvlan' blue)'":'
+check_flags IPVLAN | sed 's/^/    /'
+echo '  - "'$(wrap_color 'macvlan' blue)'":'
+check_flags MACVLAN DUMMY | sed 's/^/    /'
+echo '  - "'$(wrap_color 'ftp,tftp client in container' blue)'":'
+check_flags NF_NAT_FTP NF_CONNTRACK_FTP NF_NAT_TFTP NF_CONNTRACK_TFTP | sed 's/^/    /'
+
+# only fail if no storage drivers available
+CODE=${EXITCODE}
+EXITCODE=0
+STORAGE=1
+
+echo '- Storage Drivers:'
+echo '  - "'$(wrap_color 'aufs' blue)'":'
+check_flags AUFS_FS | sed 's/^/    /'
+if ! is_set AUFS_FS && grep -q aufs /proc/filesystems; then
+	echo "      $(wrap_color '(note that some kernels include AUFS patches but not the AUFS_FS flag)' bold black)"
+fi
+[ "$EXITCODE" = 0 ] && STORAGE=0
+EXITCODE=0
+
+echo '  - "'$(wrap_color 'btrfs' blue)'":'
+check_flags BTRFS_FS | sed 's/^/    /'
+check_flags BTRFS_FS_POSIX_ACL | sed 's/^/    /'
+[ "$EXITCODE" = 0 ] && STORAGE=0
+EXITCODE=0
+
+echo '  - "'$(wrap_color 'devicemapper' blue)'":'
+check_flags BLK_DEV_DM DM_THIN_PROVISIONING | sed 's/^/    /'
+[ "$EXITCODE" = 0 ] && STORAGE=0
+EXITCODE=0
+
+echo '  - "'$(wrap_color 'overlay' blue)'":'
+check_flags OVERLAY_FS | sed 's/^/    /'
+[ "$EXITCODE" = 0 ] && STORAGE=0
+EXITCODE=0
+
+echo '  - "'$(wrap_color 'zfs' blue)'":'
+echo -n "    - "; check_device /dev/zfs
+echo -n "    - "; check_command zfs
+echo -n "    - "; check_command zpool
+[ "$EXITCODE" = 0 ] && STORAGE=0
+EXITCODE=0
+
+EXITCODE=$CODE
+[ "$STORAGE" = 1 ] && EXITCODE=1
+
+echo
+
+check_limit_over()
+{
+	if [ $(cat "$1") -le "$2" ]; then
+		wrap_bad "- $1" "$(cat $1)"
+		wrap_color "    This should be set to at least $2, for example set: sysctl -w kernel/keys/root_maxkeys=1000000" bold black
+		EXITCODE=1
+	else
+		wrap_good "- $1" "$(cat $1)"
+	fi
+}
+
+echo 'Limits:'
+check_limit_over /proc/sys/kernel/keys/root_maxkeys 10000
+echo
+
+exit $EXITCODE
diff --git a/engine/contrib/desktop-integration/README.md b/engine/contrib/desktop-integration/README.md
new file mode 100644
index 00000000..85a01b9e
--- /dev/null
+++ b/engine/contrib/desktop-integration/README.md
@@ -0,0 +1,11 @@
+Desktop Integration
+===================
+
+The ./contrib/desktop-integration contains examples of typical dockerized
+desktop applications.
+
+Examples
+========
+
+* Chromium: ./chromium/Dockerfile shows a way to dockerize a common application
+* Gparted: ./gparted/Dockerfile shows a way to dockerize a common application w devices
diff --git a/engine/contrib/desktop-integration/chromium/Dockerfile b/engine/contrib/desktop-integration/chromium/Dockerfile
new file mode 100644
index 00000000..18728164
--- /dev/null
+++ b/engine/contrib/desktop-integration/chromium/Dockerfile
@@ -0,0 +1,36 @@
+# VERSION:        0.1
+# DESCRIPTION:    Create chromium container with its dependencies
+# AUTHOR:         Jessica Frazelle <jess@docker.com>
+# COMMENTS:
+#   This file describes how to build a Chromium container with all
+#   dependencies installed. It uses native X11 unix socket.
+#   Tested on Debian Jessie
+# USAGE:
+#   # Download Chromium Dockerfile
+#   wget http://raw.githubusercontent.com/docker/docker/master/contrib/desktop-integration/chromium/Dockerfile
+#
+#   # Build chromium image
+#   docker build -t chromium .
+#
+#   # Run stateful data-on-host chromium. For ephemeral, remove -v /data/chromium:/data
+#   docker run -v /data/chromium:/data -v /tmp/.X11-unix:/tmp/.X11-unix \
+#   -e DISPLAY=unix$DISPLAY chromium
+
+#   # To run stateful dockerized data containers
+#   docker run --volumes-from chromium-data -v /tmp/.X11-unix:/tmp/.X11-unix \
+#   -e DISPLAY=unix$DISPLAY chromium
+
+# Base docker image
+FROM debian:jessie
+LABEL maintainer Jessica Frazelle <jess@docker.com>
+
+# Install Chromium
+RUN apt-get update && apt-get install -y \
+    chromium \
+    chromium-l10n \
+    libcanberra-gtk-module \
+    libexif-dev \
+    --no-install-recommends
+
+# Autorun chromium
+CMD ["/usr/bin/chromium", "--no-sandbox", "--user-data-dir=/data"]
diff --git a/engine/contrib/desktop-integration/gparted/Dockerfile b/engine/contrib/desktop-integration/gparted/Dockerfile
new file mode 100644
index 00000000..8a9b646e
--- /dev/null
+++ b/engine/contrib/desktop-integration/gparted/Dockerfile
@@ -0,0 +1,31 @@
+# VERSION:        0.1
+# DESCRIPTION:    Create gparted container with its dependencies
+# AUTHOR:         Jessica Frazelle <jess@docker.com>
+# COMMENTS:
+#   This file describes how to build a gparted container with all
+#   dependencies installed. It uses native X11 unix socket.
+#   Tested on Debian Jessie
+# USAGE:
+#   # Download gparted Dockerfile
+#   wget http://raw.githubusercontent.com/docker/docker/master/contrib/desktop-integration/gparted/Dockerfile
+#
+#   # Build gparted image
+#   docker build -t gparted .
+#
+#   docker run -v /tmp/.X11-unix:/tmp/.X11-unix \
+#     --device=/dev/sda:/dev/sda \
+#     -e DISPLAY=unix$DISPLAY gparted
+#
+
+# Base docker image
+FROM debian:jessie
+LABEL maintainer Jessica Frazelle <jess@docker.com>
+
+# Install Gparted and its dependencies
+RUN apt-get update && apt-get install -y \
+    gparted \
+    libcanberra-gtk-module \
+    --no-install-recommends
+
+# Autorun gparted
+CMD ["/usr/sbin/gparted"]
diff --git a/engine/contrib/docker-device-tool/README.md b/engine/contrib/docker-device-tool/README.md
new file mode 100644
index 00000000..6c54d599
--- /dev/null
+++ b/engine/contrib/docker-device-tool/README.md
@@ -0,0 +1,14 @@
+Docker device tool for devicemapper storage driver backend
+===================
+
+The ./contrib/docker-device-tool contains a tool to manipulate devicemapper thin-pool.
+
+Compile
+========
+
+    $ make shell
+    ## inside build container
+    $ go build contrib/docker-device-tool/device_tool.go
+
+    # if devicemapper version is old and compilation fails, compile with `libdm_no_deferred_remove` tag
+    $ go build -tags libdm_no_deferred_remove contrib/docker-device-tool/device_tool.go
diff --git a/engine/contrib/docker-device-tool/device_tool.go b/engine/contrib/docker-device-tool/device_tool.go
new file mode 100644
index 00000000..d3ec46a8
--- /dev/null
+++ b/engine/contrib/docker-device-tool/device_tool.go
@@ -0,0 +1,167 @@
+// +build !windows
+
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"path"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/daemon/graphdriver/devmapper"
+	"github.com/docker/docker/pkg/devicemapper"
+	"github.com/sirupsen/logrus"
+)
+
+func usage() {
+	fmt.Fprintf(os.Stderr, "Usage: %s <flags>  [status] | [list] | [device id]  | [resize new-pool-size] | [snap new-id base-id] | [remove id] | [mount id mountpoint]\n", os.Args[0])
+	flag.PrintDefaults()
+	os.Exit(1)
+}
+
+func byteSizeFromString(arg string) (int64, error) {
+	digits := ""
+	rest := ""
+	last := strings.LastIndexAny(arg, "0123456789")
+	if last >= 0 {
+		digits = arg[:last+1]
+		rest = arg[last+1:]
+	}
+
+	val, err := strconv.ParseInt(digits, 10, 64)
+	if err != nil {
+		return val, err
+	}
+
+	rest = strings.ToLower(strings.TrimSpace(rest))
+
+	var multiplier int64 = 1
+	switch rest {
+	case "":
+		multiplier = 1
+	case "k", "kb":
+		multiplier = 1024
+	case "m", "mb":
+		multiplier = 1024 * 1024
+	case "g", "gb":
+		multiplier = 1024 * 1024 * 1024
+	case "t", "tb":
+		multiplier = 1024 * 1024 * 1024 * 1024
+	default:
+		return 0, fmt.Errorf("Unknown size unit: %s", rest)
+	}
+
+	return val * multiplier, nil
+}
+
+func main() {
+	root := flag.String("r", "/var/lib/docker", "Docker root dir")
+	flDebug := flag.Bool("D", false, "Debug mode")
+
+	flag.Parse()
+
+	if *flDebug {
+		os.Setenv("DEBUG", "1")
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+
+	if flag.NArg() < 1 {
+		usage()
+	}
+
+	args := flag.Args()
+
+	home := path.Join(*root, "devicemapper")
+	devices, err := devmapper.NewDeviceSet(home, false, nil, nil, nil)
+	if err != nil {
+		fmt.Println("Can't initialize device mapper: ", err)
+		os.Exit(1)
+	}
+
+	switch args[0] {
+	case "status":
+		status := devices.Status()
+		fmt.Printf("Pool name: %s\n", status.PoolName)
+		fmt.Printf("Data Loopback file: %s\n", status.DataLoopback)
+		fmt.Printf("Metadata Loopback file: %s\n", status.MetadataLoopback)
+		fmt.Printf("Sector size: %d\n", status.SectorSize)
+		fmt.Printf("Data use: %d of %d (%.1f %%)\n", status.Data.Used, status.Data.Total, 100.0*float64(status.Data.Used)/float64(status.Data.Total))
+		fmt.Printf("Metadata use: %d of %d (%.1f %%)\n", status.Metadata.Used, status.Metadata.Total, 100.0*float64(status.Metadata.Used)/float64(status.Metadata.Total))
+	case "list":
+		ids := devices.List()
+		sort.Strings(ids)
+		for _, id := range ids {
+			fmt.Println(id)
+		}
+	case "device":
+		if flag.NArg() < 2 {
+			usage()
+		}
+		status, err := devices.GetDeviceStatus(args[1])
+		if err != nil {
+			fmt.Println("Can't get device info: ", err)
+			os.Exit(1)
+		}
+		fmt.Printf("Id: %d\n", status.DeviceID)
+		fmt.Printf("Size: %d\n", status.Size)
+		fmt.Printf("Transaction Id: %d\n", status.TransactionID)
+		fmt.Printf("Size in Sectors: %d\n", status.SizeInSectors)
+		fmt.Printf("Mapped Sectors: %d\n", status.MappedSectors)
+		fmt.Printf("Highest Mapped Sector: %d\n", status.HighestMappedSector)
+	case "resize":
+		if flag.NArg() < 2 {
+			usage()
+		}
+
+		size, err := byteSizeFromString(args[1])
+		if err != nil {
+			fmt.Println("Invalid size: ", err)
+			os.Exit(1)
+		}
+
+		err = devices.ResizePool(size)
+		if err != nil {
+			fmt.Println("Error resizing pool: ", err)
+			os.Exit(1)
+		}
+
+	case "snap":
+		if flag.NArg() < 3 {
+			usage()
+		}
+
+		err := devices.AddDevice(args[1], args[2], nil)
+		if err != nil {
+			fmt.Println("Can't create snap device: ", err)
+			os.Exit(1)
+		}
+	case "remove":
+		if flag.NArg() < 2 {
+			usage()
+		}
+
+		err := devicemapper.RemoveDevice(args[1])
+		if err != nil {
+			fmt.Println("Can't remove device: ", err)
+			os.Exit(1)
+		}
+	case "mount":
+		if flag.NArg() < 3 {
+			usage()
+		}
+
+		err := devices.MountDevice(args[1], args[2], "")
+		if err != nil {
+			fmt.Println("Can't mount device: ", err)
+			os.Exit(1)
+		}
+	default:
+		fmt.Printf("Unknown command %s\n", args[0])
+		usage()
+
+		os.Exit(1)
+	}
+}
diff --git a/engine/contrib/docker-device-tool/device_tool_windows.go b/engine/contrib/docker-device-tool/device_tool_windows.go
new file mode 100644
index 00000000..da29a2ca
--- /dev/null
+++ b/engine/contrib/docker-device-tool/device_tool_windows.go
@@ -0,0 +1,4 @@
+package main
+
+func main() {
+}
diff --git a/engine/contrib/docker-machine-install-bundle.sh b/engine/contrib/docker-machine-install-bundle.sh
new file mode 100755
index 00000000..86059894
--- /dev/null
+++ b/engine/contrib/docker-machine-install-bundle.sh
@@ -0,0 +1,111 @@
+#!/usr/bin/env bash
+#
+# This script installs the bundle to Docker Machine instances, for the purpose
+# of testing the latest Docker with Swarm mode enabled.
+# Do not use in production.
+#
+# Requirements (on host to run this script)
+#  - bash is installed
+#  - Docker Machine is installed
+#  - GNU tar is installed
+#
+# Requirements (on Docker machine instances)
+#  - Docker can be managed via one of  `systemctl`, `service`, or `/etc/init.d/docker`
+#
+set -e
+set -o pipefail
+
+errexit() {
+    echo "$1"
+    exit 1
+}
+
+BUNDLE="bundles/$(cat VERSION)"
+
+bundle_files(){
+    # prefer dynbinary if exists
+    for f in dockerd docker-proxy; do
+	if [ -d $BUNDLE/dynbinary-daemon ]; then
+	    echo $BUNDLE/dynbinary-daemon/$f
+	else
+	    echo $BUNDLE/binary-daemon/$f
+	fi
+    done
+    for f in docker-containerd docker-containerd-ctr docker-containerd-shim docker-init docker-runc; do
+	echo $BUNDLE/binary-daemon/$f
+    done
+    if [ -d $BUNDLE/dynbinary-client ]; then
+	echo $BUNDLE/dynbinary-client/docker
+    else
+	echo $BUNDLE/binary-client/docker
+    fi
+}
+
+control_docker(){
+    m=$1; op=$2
+    # NOTE: `docker-machine ssh $m sh -c "foo bar"` does not work
+    #       (but `docker-machine ssh $m sh -c "foo\ bar"` works)
+    #       Anyway we avoid using `sh -c` here for avoiding confusion
+    cat <<EOF | docker-machine ssh $m sudo sh
+if command -v systemctl > /dev/null; then
+  systemctl $op docker
+elif command -v service > /dev/null; then
+  service docker $op
+elif [ -x /etc/init.d/docker ]; then
+  /etc/init.d/docker $op
+else
+  echo "not sure how to control the docker daemon"
+  exit 1
+fi
+EOF
+}
+
+detect_prefix(){
+    m=$1
+    script='dirname $(dirname $(which dockerd))'
+    echo $script | docker-machine ssh $m sh
+}
+
+install_to(){
+    m=$1; shift; files=$@
+    echo "$m: detecting docker"
+    prefix=$(detect_prefix $m)
+    echo "$m: detected docker on $prefix"
+    echo "$m: stopping docker"
+    control_docker $m stop
+    echo "$m: installing docker"
+    # NOTE: GNU tar is required because we use --transform here
+    # TODO: compression (should not be default)
+    tar ch --transform 's/.*\///' $files | docker-machine ssh $m sudo tar Cx $prefix/bin
+    echo "$m: starting docker"
+    control_docker $m start
+    echo "$m: done"
+}
+
+check_prereq(){
+    command -v docker-machine > /dev/null || errexit "docker-machine not installed"
+    ( tar --version | grep GNU > /dev/null ) || errexit "GNU tar not installed"
+}
+
+case "$1" in
+    "install")
+	shift; machines=$@
+	check_prereq
+	files=$(bundle_files)
+	echo "Files to be installed:"
+	for f in $files; do echo $f; done
+	pids=()
+	for m in $machines; do
+	    install_to $m $files &
+	    pids+=($!)
+	done
+	status=0
+	for pid in ${pids[@]}; do
+	    wait $pid || { status=$?; echo "background process $pid failed with exit status $status"; }
+	done
+	exit $status
+	;;
+    *)
+	errexit "Usage: $0 install MACHINES"
+	;;
+esac
diff --git a/engine/contrib/dockerize-disk.sh b/engine/contrib/dockerize-disk.sh
new file mode 100755
index 00000000..444e243a
--- /dev/null
+++ b/engine/contrib/dockerize-disk.sh
@@ -0,0 +1,118 @@
+#!/usr/bin/env bash
+set -e
+
+if ! command -v qemu-nbd &> /dev/null; then
+  echo >&2 'error: "qemu-nbd" not found!'
+  exit 1
+fi
+
+usage() {
+  echo "Convert disk image to docker image"
+  echo ""
+  echo "usage: $0 image-name disk-image-file [ base-image ]"
+  echo "   ie: $0 cirros:0.3.3 cirros-0.3.3-x86_64-disk.img"
+  echo "       $0 ubuntu:cloud ubuntu-14.04-server-cloudimg-amd64-disk1.img ubuntu:14.04"
+}
+
+if [ "$#" -lt 2 ]; then
+  usage
+  exit 1
+fi
+
+CURDIR=$(pwd)
+
+image_name="${1%:*}"
+image_tag="${1#*:}"
+if [ "$image_tag" == "$1" ]; then
+  image_tag="latest"
+fi
+
+disk_image_file="$2"
+docker_base_image="$3"
+
+block_device=/dev/nbd0
+
+builddir=$(mktemp -d)
+
+cleanup() {
+  umount "$builddir/disk_image" || true
+  umount "$builddir/workdir" || true
+  qemu-nbd -d $block_device &> /dev/null || true
+  rm -rf $builddir
+}
+trap cleanup EXIT
+
+# Mount disk image
+modprobe nbd max_part=63
+qemu-nbd -rc ${block_device} -P 1 "$disk_image_file"
+mkdir "$builddir/disk_image"
+mount -o ro ${block_device} "$builddir/disk_image"
+
+mkdir "$builddir/workdir"
+mkdir "$builddir/diff"
+
+base_image_mounts=""
+
+# Unpack base image
+if [ -n "$docker_base_image" ]; then
+  mkdir -p "$builddir/base"
+  docker pull "$docker_base_image"
+  docker save "$docker_base_image" | tar -xC "$builddir/base"
+
+  image_id=$(docker inspect -f "{{.Id}}" "$docker_base_image")
+  while [ -n "$image_id" ]; do
+    mkdir -p "$builddir/base/$image_id/layer"
+    tar -xf "$builddir/base/$image_id/layer.tar" -C "$builddir/base/$image_id/layer"
+
+    base_image_mounts="${base_image_mounts}:$builddir/base/$image_id/layer=ro+wh"
+    image_id=$(docker inspect -f "{{.Parent}}" "$image_id")
+  done
+fi
+
+# Mount work directory
+mount -t aufs -o "br=$builddir/diff=rw${base_image_mounts},dio,xino=/dev/shm/aufs.xino" none "$builddir/workdir"
+
+# Update files
+cd $builddir
+LC_ALL=C diff -rq disk_image workdir \
+  | sed -re "s|Only in workdir(.*?): |DEL \1/|g;s|Only in disk_image(.*?): |ADD \1/|g;s|Files disk_image/(.+) and workdir/(.+) differ|UPDATE /\1|g" \
+  | while read action entry; do
+      case "$action" in
+        ADD|UPDATE)
+          cp -a "disk_image$entry" "workdir$entry"
+          ;;
+        DEL)
+          rm -rf "workdir$entry"
+          ;;
+        *)
+          echo "Error: unknown diff line: $action $entry" >&2
+          ;;
+      esac
+    done
+
+# Pack new image
+new_image_id="$(for i in $(seq 1 32); do printf "%02x" $(($RANDOM % 256)); done)"
+mkdir -p $builddir/result/$new_image_id
+cd diff
+tar -cf $builddir/result/$new_image_id/layer.tar *
+echo "1.0" > $builddir/result/$new_image_id/VERSION
+cat > $builddir/result/$new_image_id/json <<-EOS
+{ "docker_version": "1.4.1"
+, "id": "$new_image_id"
+, "created": "$(date -u +%Y-%m-%dT%H:%M:%S.%NZ)"
+EOS
+
+if [ -n "$docker_base_image" ]; then
+  image_id=$(docker inspect -f "{{.Id}}" "$docker_base_image")
+  echo ", \"parent\": \"$image_id\"" >> $builddir/result/$new_image_id/json
+fi
+
+echo "}" >> $builddir/result/$new_image_id/json
+
+echo "{\"$image_name\":{\"$image_tag\":\"$new_image_id\"}}" > $builddir/result/repositories
+
+cd $builddir/result
+
+# mkdir -p $CURDIR/$image_name
+# cp -r * $CURDIR/$image_name
+tar -c * | docker load
diff --git a/engine/contrib/download-frozen-image-v1.sh b/engine/contrib/download-frozen-image-v1.sh
new file mode 100755
index 00000000..77c91d1f
--- /dev/null
+++ b/engine/contrib/download-frozen-image-v1.sh
@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+set -e
+
+# hello-world                      latest              ef872312fe1b        3 months ago        910 B
+# hello-world                      latest              ef872312fe1bbc5e05aae626791a47ee9b032efa8f3bda39cc0be7b56bfe59b9   3 months ago        910 B
+
+# debian                           latest              f6fab3b798be        10 weeks ago        85.1 MB
+# debian                           latest              f6fab3b798be3174f45aa1eb731f8182705555f89c9026d8c1ef230cbf8301dd   10 weeks ago        85.1 MB
+
+if ! command -v curl &> /dev/null; then
+	echo >&2 'error: "curl" not found!'
+	exit 1
+fi
+
+usage() {
+	echo "usage: $0 dir image[:tag][@image-id] ..."
+	echo "   ie: $0 /tmp/hello-world hello-world"
+	echo "       $0 /tmp/debian-jessie debian:jessie"
+	echo "       $0 /tmp/old-hello-world hello-world@ef872312fe1bbc5e05aae626791a47ee9b032efa8f3bda39cc0be7b56bfe59b9"
+	echo "       $0 /tmp/old-debian debian:latest@f6fab3b798be3174f45aa1eb731f8182705555f89c9026d8c1ef230cbf8301dd"
+	[ -z "$1" ] || exit "$1"
+}
+
+dir="$1" # dir for building tar in
+shift || usage 1 >&2
+
+[ $# -gt 0 -a "$dir" ] || usage 2 >&2
+mkdir -p "$dir"
+
+# hacky workarounds for Bash 3 support (no associative arrays)
+images=()
+rm -f "$dir"/tags-*.tmp
+# repositories[busybox]='"latest": "...", "ubuntu-14.04": "..."'
+
+while [ $# -gt 0 ]; do
+	imageTag="$1"
+	shift
+	image="${imageTag%%[:@]*}"
+	tag="${imageTag#*:}"
+	imageId="${tag##*@}"
+	[ "$imageId" != "$tag" ] || imageId=
+	[ "$tag" != "$imageTag" ] || tag='latest'
+	tag="${tag%@*}"
+
+	imageFile="${image//\//_}" # "/" can't be in filenames :)
+
+	token="$(curl -sSL -o /dev/null -D- -H 'X-Docker-Token: true' "https://index.docker.io/v1/repositories/$image/images" | tr -d '\r' | awk -F ': *' '$1 == "X-Docker-Token" { print $2 }')"
+
+	if [ -z "$imageId" ]; then
+		imageId="$(curl -sSL -H "Authorization: Token $token" "https://registry-1.docker.io/v1/repositories/$image/tags/$tag")"
+		imageId="${imageId//\"/}"
+	fi
+
+	ancestryJson="$(curl -sSL -H "Authorization: Token $token" "https://registry-1.docker.io/v1/images/$imageId/ancestry")"
+	if [ "${ancestryJson:0:1}" != '[' ]; then
+		echo >&2 "error: /v1/images/$imageId/ancestry returned something unexpected:"
+		echo >&2 "  $ancestryJson"
+		exit 1
+	fi
+
+	IFS=','
+	ancestry=( ${ancestryJson//[\[\] \"]/} )
+	unset IFS
+
+	if [ -s "$dir/tags-$imageFile.tmp" ]; then
+		echo -n ', ' >> "$dir/tags-$imageFile.tmp"
+	else
+		images=( "${images[@]}" "$image" )
+	fi
+	echo -n '"'"$tag"'": "'"$imageId"'"' >> "$dir/tags-$imageFile.tmp"
+
+	echo "Downloading '$imageTag' (${#ancestry[@]} layers)..."
+	for imageId in "${ancestry[@]}"; do
+		mkdir -p "$dir/$imageId"
+		echo '1.0' > "$dir/$imageId/VERSION"
+
+		curl -sSL -H "Authorization: Token $token" "https://registry-1.docker.io/v1/images/$imageId/json" -o "$dir/$imageId/json"
+
+		# TODO figure out why "-C -" doesn't work here
+		# "curl: (33) HTTP server doesn't seem to support byte ranges. Cannot resume."
+		# "HTTP/1.1 416 Requested Range Not Satisfiable"
+		if [ -f "$dir/$imageId/layer.tar" ]; then
+			# TODO hackpatch for no -C support :'(
+			echo "skipping existing ${imageId:0:12}"
+			continue
+		fi
+		curl -SL --progress -H "Authorization: Token $token" "https://registry-1.docker.io/v1/images/$imageId/layer" -o "$dir/$imageId/layer.tar" # -C -
+	done
+	echo
+done
+
+echo -n '{' > "$dir/repositories"
+firstImage=1
+for image in "${images[@]}"; do
+	imageFile="${image//\//_}" # "/" can't be in filenames :)
+
+	[ "$firstImage" ] || echo -n ',' >> "$dir/repositories"
+	firstImage=
+	echo -n $'\n\t' >> "$dir/repositories"
+	echo -n '"'"$image"'": { '"$(cat "$dir/tags-$imageFile.tmp")"' }' >> "$dir/repositories"
+done
+echo -n $'\n}\n' >> "$dir/repositories"
+
+rm -f "$dir"/tags-*.tmp
+
+echo "Download of images into '$dir' complete."
+echo "Use something like the following to load the result into a Docker daemon:"
+echo "  tar -cC '$dir' . | docker load"
diff --git a/engine/contrib/download-frozen-image-v2.sh b/engine/contrib/download-frozen-image-v2.sh
new file mode 100755
index 00000000..54b59230
--- /dev/null
+++ b/engine/contrib/download-frozen-image-v2.sh
@@ -0,0 +1,345 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# hello-world                      latest              ef872312fe1b        3 months ago        910 B
+# hello-world                      latest              ef872312fe1bbc5e05aae626791a47ee9b032efa8f3bda39cc0be7b56bfe59b9   3 months ago        910 B
+
+# debian                           latest              f6fab3b798be        10 weeks ago        85.1 MB
+# debian                           latest              f6fab3b798be3174f45aa1eb731f8182705555f89c9026d8c1ef230cbf8301dd   10 weeks ago        85.1 MB
+if ! command -v curl &> /dev/null; then
+	echo >&2 'error: "curl" not found!'
+	exit 1
+fi
+if ! command -v jq &> /dev/null; then
+	echo >&2 'error: "jq" not found!'
+	exit 1
+fi
+
+usage() {
+	echo "usage: $0 dir image[:tag][@digest] ..."
+	echo "       $0 /tmp/old-hello-world hello-world:latest@sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7"
+	[ -z "$1" ] || exit "$1"
+}
+
+dir="$1" # dir for building tar in
+shift || usage 1 >&2
+
+[ $# -gt 0 -a "$dir" ] || usage 2 >&2
+mkdir -p "$dir"
+
+# hacky workarounds for Bash 3 support (no associative arrays)
+images=()
+rm -f "$dir"/tags-*.tmp
+manifestJsonEntries=()
+doNotGenerateManifestJson=
+# repositories[busybox]='"latest": "...", "ubuntu-14.04": "..."'
+
+# bash v4 on Windows CI requires CRLF separator
+newlineIFS=$'\n'
+if [ "$(go env GOHOSTOS)" = 'windows' ]; then
+	major=$(echo ${BASH_VERSION%%[^0.9]} | cut -d. -f1)
+	if [ "$major" -ge 4 ]; then
+		newlineIFS=$'\r\n'
+	fi
+fi
+
+registryBase='https://registry-1.docker.io'
+authBase='https://auth.docker.io'
+authService='registry.docker.io'
+
+# https://github.com/moby/moby/issues/33700
+fetch_blob() {
+	local token="$1"; shift
+	local image="$1"; shift
+	local digest="$1"; shift
+	local targetFile="$1"; shift
+	local curlArgs=( "$@" )
+
+	local curlHeaders="$(
+		curl -S "${curlArgs[@]}" \
+			-H "Authorization: Bearer $token" \
+			"$registryBase/v2/$image/blobs/$digest" \
+			-o "$targetFile" \
+			-D-
+	)"
+	curlHeaders="$(echo "$curlHeaders" | tr -d '\r')"
+	if grep -qE "^HTTP/[0-9].[0-9] 3" <<<"$curlHeaders"; then
+		rm -f "$targetFile"
+
+		local blobRedirect="$(echo "$curlHeaders" | awk -F ': ' 'tolower($1) == "location" { print $2; exit }')"
+		if [ -z "$blobRedirect" ]; then
+			echo >&2 "error: failed fetching '$image' blob '$digest'"
+			echo "$curlHeaders" | head -1 >&2
+			return 1
+		fi
+
+		curl -fSL "${curlArgs[@]}" \
+			"$blobRedirect" \
+			-o "$targetFile"
+	fi
+}
+
+# handle 'application/vnd.docker.distribution.manifest.v2+json' manifest
+handle_single_manifest_v2() {
+	local manifestJson="$1"; shift
+
+	local configDigest="$(echo "$manifestJson" | jq --raw-output '.config.digest')"
+	local imageId="${configDigest#*:}" # strip off "sha256:"
+
+	local configFile="$imageId.json"
+	fetch_blob "$token" "$image" "$configDigest" "$dir/$configFile" -s
+
+	local layersFs="$(echo "$manifestJson" | jq --raw-output --compact-output '.layers[]')"
+	local IFS="$newlineIFS"
+	local layers=( $layersFs )
+	unset IFS
+
+	echo "Downloading '$imageIdentifier' (${#layers[@]} layers)..."
+	local layerId=
+	local layerFiles=()
+	for i in "${!layers[@]}"; do
+		local layerMeta="${layers[$i]}"
+
+		local layerMediaType="$(echo "$layerMeta" | jq --raw-output '.mediaType')"
+		local layerDigest="$(echo "$layerMeta" | jq --raw-output '.digest')"
+
+		# save the previous layer's ID
+		local parentId="$layerId"
+		# create a new fake layer ID based on this layer's digest and the previous layer's fake ID
+		layerId="$(echo "$parentId"$'\n'"$layerDigest" | sha256sum | cut -d' ' -f1)"
+		# this accounts for the possibility that an image contains the same layer twice (and thus has a duplicate digest value)
+
+		mkdir -p "$dir/$layerId"
+		echo '1.0' > "$dir/$layerId/VERSION"
+
+		if [ ! -s "$dir/$layerId/json" ]; then
+			local parentJson="$(printf ', parent: "%s"' "$parentId")"
+			local addJson="$(printf '{ id: "%s"%s }' "$layerId" "${parentId:+$parentJson}")"
+			# this starter JSON is taken directly from Docker's own "docker save" output for unimportant layers
+			jq "$addJson + ." > "$dir/$layerId/json" <<-'EOJSON'
+				{
+					"created": "0001-01-01T00:00:00Z",
+					"container_config": {
+						"Hostname": "",
+						"Domainname": "",
+						"User": "",
+						"AttachStdin": false,
+						"AttachStdout": false,
+						"AttachStderr": false,
+						"Tty": false,
+						"OpenStdin": false,
+						"StdinOnce": false,
+						"Env": null,
+						"Cmd": null,
+						"Image": "",
+						"Volumes": null,
+						"WorkingDir": "",
+						"Entrypoint": null,
+						"OnBuild": null,
+						"Labels": null
+					}
+				}
+			EOJSON
+		fi
+
+		case "$layerMediaType" in
+			application/vnd.docker.image.rootfs.diff.tar.gzip)
+				local layerTar="$layerId/layer.tar"
+				layerFiles=( "${layerFiles[@]}" "$layerTar" )
+				# TODO figure out why "-C -" doesn't work here
+				# "curl: (33) HTTP server doesn't seem to support byte ranges. Cannot resume."
+				# "HTTP/1.1 416 Requested Range Not Satisfiable"
+				if [ -f "$dir/$layerTar" ]; then
+					# TODO hackpatch for no -C support :'(
+					echo "skipping existing ${layerId:0:12}"
+					continue
+				fi
+				local token="$(curl -fsSL "$authBase/token?service=$authService&scope=repository:$image:pull" | jq --raw-output '.token')"
+				fetch_blob "$token" "$image" "$layerDigest" "$dir/$layerTar" --progress
+				;;
+
+			*)
+				echo >&2 "error: unknown layer mediaType ($imageIdentifier, $layerDigest): '$layerMediaType'"
+				exit 1
+				;;
+		esac
+	done
+
+	# change "$imageId" to be the ID of the last layer we added (needed for old-style "repositories" file which is created later -- specifically for older Docker daemons)
+	imageId="$layerId"
+
+	# munge the top layer image manifest to have the appropriate image configuration for older daemons
+	local imageOldConfig="$(jq --raw-output --compact-output '{ id: .id } + if .parent then { parent: .parent } else {} end' "$dir/$imageId/json")"
+	jq --raw-output "$imageOldConfig + del(.history, .rootfs)" "$dir/$configFile" > "$dir/$imageId/json"
+
+	local manifestJsonEntry="$(
+		echo '{}' | jq --raw-output '. + {
+			Config: "'"$configFile"'",
+			RepoTags: ["'"${image#library\/}:$tag"'"],
+			Layers: '"$(echo '[]' | jq --raw-output ".$(for layerFile in "${layerFiles[@]}"; do echo " + [ \"$layerFile\" ]"; done)")"'
+		}'
+	)"
+	manifestJsonEntries=( "${manifestJsonEntries[@]}" "$manifestJsonEntry" )
+}
+
+while [ $# -gt 0 ]; do
+	imageTag="$1"
+	shift
+	image="${imageTag%%[:@]*}"
+	imageTag="${imageTag#*:}"
+	digest="${imageTag##*@}"
+	tag="${imageTag%%@*}"
+
+	# add prefix library if passed official image
+	if [[ "$image" != *"/"* ]]; then
+		image="library/$image"
+	fi
+
+	imageFile="${image//\//_}" # "/" can't be in filenames :)
+
+	token="$(curl -fsSL "$authBase/token?service=$authService&scope=repository:$image:pull" | jq --raw-output '.token')"
+
+	manifestJson="$(
+		curl -fsSL \
+			-H "Authorization: Bearer $token" \
+			-H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
+			-H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \
+			-H 'Accept: application/vnd.docker.distribution.manifest.v1+json' \
+			"$registryBase/v2/$image/manifests/$digest"
+	)"
+	if [ "${manifestJson:0:1}" != '{' ]; then
+		echo >&2 "error: /v2/$image/manifests/$digest returned something unexpected:"
+		echo >&2 "  $manifestJson"
+		exit 1
+	fi
+
+	imageIdentifier="$image:$tag@$digest"
+
+	schemaVersion="$(echo "$manifestJson" | jq --raw-output '.schemaVersion')"
+	case "$schemaVersion" in
+		2)
+			mediaType="$(echo "$manifestJson" | jq --raw-output '.mediaType')"
+
+			case "$mediaType" in
+				application/vnd.docker.distribution.manifest.v2+json)
+					handle_single_manifest_v2 "$manifestJson"
+					;;
+				application/vnd.docker.distribution.manifest.list.v2+json)
+					layersFs="$(echo "$manifestJson" | jq --raw-output --compact-output '.manifests[]')"
+					IFS="$newlineIFS"
+					layers=( $layersFs )
+					unset IFS
+
+					found=""
+					# parse first level multi-arch manifest
+					for i in "${!layers[@]}"; do
+						layerMeta="${layers[$i]}"
+						maniArch="$(echo "$layerMeta" | jq --raw-output '.platform.architecture')"
+						if [ "$maniArch" = "$(go env GOARCH)" ]; then
+							digest="$(echo "$layerMeta" | jq --raw-output '.digest')"
+							# get second level single manifest
+							submanifestJson="$(
+								curl -fsSL \
+									-H "Authorization: Bearer $token" \
+									-H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
+									-H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \
+									-H 'Accept: application/vnd.docker.distribution.manifest.v1+json' \
+									"$registryBase/v2/$image/manifests/$digest"
+							)"
+							handle_single_manifest_v2 "$submanifestJson"
+							found="found"
+							break
+						fi
+					done
+					if [ -z "$found" ]; then
+						echo >&2 "error: manifest for $maniArch is not found"
+						exit 1
+					fi
+					;;
+				*)
+					echo >&2 "error: unknown manifest mediaType ($imageIdentifier): '$mediaType'"
+					exit 1
+					;;
+			esac
+			;;
+
+		1)
+			if [ -z "$doNotGenerateManifestJson" ]; then
+				echo >&2 "warning: '$imageIdentifier' uses schemaVersion '$schemaVersion'"
+				echo >&2 "  this script cannot (currently) recreate the 'image config' to put in a 'manifest.json' (thus any schemaVersion 2+ images will be imported in the old way, and their 'docker history' will suffer)"
+				echo >&2
+				doNotGenerateManifestJson=1
+			fi
+
+			layersFs="$(echo "$manifestJson" | jq --raw-output '.fsLayers | .[] | .blobSum')"
+			IFS="$newlineIFS"
+			layers=( $layersFs )
+			unset IFS
+
+			history="$(echo "$manifestJson" | jq '.history | [.[] | .v1Compatibility]')"
+			imageId="$(echo "$history" | jq --raw-output '.[0]' | jq --raw-output '.id')"
+
+			echo "Downloading '$imageIdentifier' (${#layers[@]} layers)..."
+			for i in "${!layers[@]}"; do
+				imageJson="$(echo "$history" | jq --raw-output ".[${i}]")"
+				layerId="$(echo "$imageJson" | jq --raw-output '.id')"
+				imageLayer="${layers[$i]}"
+
+				mkdir -p "$dir/$layerId"
+				echo '1.0' > "$dir/$layerId/VERSION"
+
+				echo "$imageJson" > "$dir/$layerId/json"
+
+				# TODO figure out why "-C -" doesn't work here
+				# "curl: (33) HTTP server doesn't seem to support byte ranges. Cannot resume."
+				# "HTTP/1.1 416 Requested Range Not Satisfiable"
+				if [ -f "$dir/$layerId/layer.tar" ]; then
+					# TODO hackpatch for no -C support :'(
+					echo "skipping existing ${layerId:0:12}"
+					continue
+				fi
+				token="$(curl -fsSL "$authBase/token?service=$authService&scope=repository:$image:pull" | jq --raw-output '.token')"
+				fetch_blob "$token" "$image" "$imageLayer" "$dir/$layerId/layer.tar" --progress
+			done
+			;;
+
+		*)
+			echo >&2 "error: unknown manifest schemaVersion ($imageIdentifier): '$schemaVersion'"
+			exit 1
+			;;
+	esac
+
+	echo
+
+	if [ -s "$dir/tags-$imageFile.tmp" ]; then
+		echo -n ', ' >> "$dir/tags-$imageFile.tmp"
+	else
+		images=( "${images[@]}" "$image" )
+	fi
+	echo -n '"'"$tag"'": "'"$imageId"'"' >> "$dir/tags-$imageFile.tmp"
+done
+
+echo -n '{' > "$dir/repositories"
+firstImage=1
+for image in "${images[@]}"; do
+	imageFile="${image//\//_}" # "/" can't be in filenames :)
+	image="${image#library\/}"
+
+	[ "$firstImage" ] || echo -n ',' >> "$dir/repositories"
+	firstImage=
+	echo -n $'\n\t' >> "$dir/repositories"
+	echo -n '"'"$image"'": { '"$(cat "$dir/tags-$imageFile.tmp")"' }' >> "$dir/repositories"
+done
+echo -n $'\n}\n' >> "$dir/repositories"
+
+rm -f "$dir"/tags-*.tmp
+
+if [ -z "$doNotGenerateManifestJson" ] && [ "${#manifestJsonEntries[@]}" -gt 0 ]; then
+	echo '[]' | jq --raw-output ".$(for entry in "${manifestJsonEntries[@]}"; do echo " + [ $entry ]"; done)" > "$dir/manifest.json"
+else
+	rm -f "$dir/manifest.json"
+fi
+
+echo "Download of images into '$dir' complete."
+echo "Use something like the following to load the result into a Docker daemon:"
+echo "  tar -cC '$dir' . | docker load"
diff --git a/engine/contrib/editorconfig b/engine/contrib/editorconfig
new file mode 100644
index 00000000..97eda89a
--- /dev/null
+++ b/engine/contrib/editorconfig
@@ -0,0 +1,13 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8
+indent_style = tab
+indent_size = 4
+trim_trailing_whitespace = true
+
+[*.md]
+indent_size = 2
+indent_style = space
diff --git a/engine/contrib/gitdm/aliases b/engine/contrib/gitdm/aliases
new file mode 100644
index 00000000..dd5dd343
--- /dev/null
+++ b/engine/contrib/gitdm/aliases
@@ -0,0 +1,148 @@
+Danny.Yates@mailonline.co.uk danny@codeaholics.org
+KenCochrane@gmail.com kencochrane@gmail.com
+LÉVEIL thomasleveil@gmail.com
+Vincent.Bernat@exoscale.ch bernat@luffy.cx
+acidburn@docker.com jess@docker.com
+admin@jtlebi.fr jt@yadutaf.fr
+ahmetalpbalkan@gmail.com ahmetb@microsoft.com
+aj@gandi.net aj@gandi.net
+albers@users.noreply.github.com github@albersweb.de
+alexander.larsson@gmail.com alexl@redhat.com
+amurdaca@redhat.com antonio.murdaca@gmail.com
+amy@gandi.net aj@gandi.net
+andrew.weiss@microsoft.com andrew.weiss@outlook.com
+angt@users.noreply.github.com adrien@gallouet.fr
+ankushagarwal@users.noreply.github.com ankushagarwal11@gmail.com
+anonymouse2048@gmail.com lheckemann@twig-world.com
+anusha@docker.com anusha.ragunathan@docker.com
+asarai@suse.com asarai@suse.de
+avi.miller@gmail.com avi.miller@oracle.com
+bernat@luffy.cx Vincent.Bernat@exoscale.ch
+bgoff@cpuguy83-mbp.home cpuguy83@gmail.com
+brandon@ifup.co brandon@ifup.org
+brent@docker.com brent.salisbury@docker.com
+charmes.guillaume@gmail.com guillaume.charmes@docker.com
+chenchun.feed@gmail.com ramichen@tencent.com
+chooper@plumata.com charles.hooper@dotcloud.com
+crosby.michael@gmail.com michael@docker.com
+crosbymichael@gmail.com michael@docker.com
+cyphar@cyphar.com asarai@suse.de
+daehyeok@daehyeok-ui-MacBook-Air.local daehyeok@gmail.com
+daehyeok@daehyeokui-MacBook-Air.local daehyeok@gmail.com
+daniel.norberg@gmail.com dano@spotify.com
+daniel@dotcloud.com daniel.mizyrycki@dotcloud.com
+darren@rancher.com darren.s.shepherd@gmail.com
+dave@dtucker.co.uk dt@docker.com
+dev@vvieux.com victor.vieux@docker.com
+dgasienica@zynga.com daniel@gasienica.ch
+dnephin@gmail.com dnephin@docker.com
+dominikh@fork-bomb.org dominik@honnef.co
+dqminh89@gmail.com dqminh@cloudflare.com
+dsxiao@dataman-inc.com dxiao@redhat.com
+duglin@users.noreply.github.com dug@us.ibm.com
+eric.hanchrow@gmail.com ehanchrow@ine.com
+erik+github@hollensbe.org github@hollensbe.org
+estesp@gmail.com estesp@linux.vnet.ibm.com
+ewindisch@docker.com eric@windisch.us
+f.joffrey@gmail.com joffrey@docker.com
+fkautz@alumni.cmu.edu fkautz@redhat.com
+frank.rosquin@gmail.com frank.rosquin+github@gmail.com
+gh@mattyw.net mattyw@me.com
+git@julienbordellier.com julienbordellier@gmail.com
+github@metaliveblog.com github@developersupport.net
+github@srid.name sridharr@activestate.com
+guillaume.charmes@dotcloud.com guillaume.charmes@docker.com
+guillaume@charmes.net guillaume.charmes@docker.com
+guillaume@docker.com guillaume.charmes@docker.com
+guillaume@dotcloud.com guillaume.charmes@docker.com
+haoshuwei24@gmail.com haosw@cn.ibm.com
+hollie.teal@docker.com hollie@docker.com
+hollietealok@users.noreply.github.com hollie@docker.com
+hsinko@users.noreply.github.com 21551195@zju.edu.cn
+iamironbob@gmail.com altsysrq@gmail.com
+icecrime@gmail.com arnaud.porterie@docker.com
+jatzen@gmail.com jacob@jacobatzen.dk
+jeff@allingeek.com jeff.nickoloff@gmail.com
+jefferya@programmerq.net jeff@docker.com
+jerome.petazzoni@dotcloud.com jerome.petazzoni@dotcloud.com
+jfrazelle@users.noreply.github.com jess@docker.com
+jhoward@microsoft.com John.Howard@microsoft.com
+jlhawn@berkeley.edu josh.hawn@docker.com
+joffrey@dotcloud.com joffrey@docker.com
+john.howard@microsoft.com John.Howard@microsoft.com
+jp@enix.org jerome.petazzoni@dotcloud.com
+justin.cormack@unikernel.com justin.cormack@docker.com
+justin.simonelis@PTS-JSIMON2.toronto.exclamation.com justin.p.simonelis@gmail.com
+justin@specialbusservice.com justin.cormack@docker.com
+katsuta_soshi@cyberagent.co.jp soshi.katsuta@gmail.com
+kuehnle@online.de git.nivoc@neverbox.com
+kwk@users.noreply.github.com konrad.wilhelm.kleine@gmail.com
+leijitang@gmail.com leijitang@huawei.com
+liubin0329@gmail.com liubin0329@users.noreply.github.com
+lk4d4math@gmail.com lk4d4@docker.com
+louis@dotcloud.com kalessin@kalessin.fr
+lsm5@redhat.com lsm5@fedoraproject.org
+lyndaoleary@hotmail.com lyndaoleary29@gmail.com
+madhu@socketplane.io madhu@docker.com
+martins@noironetworks.com aanm90@gmail.com
+mary@docker.com mary.anthony@docker.com
+mastahyeti@users.noreply.github.com mastahyeti@gmail.com
+maztaim@users.noreply.github.com taim@bosboot.org
+me@runcom.ninja antonio.murdaca@gmail.com
+mheon@mheonlaptop.redhat.com mheon@redhat.com
+michael@crosbymichael.com michael@docker.com
+mohitsoni1989@gmail.com mosoni@ebay.com
+moxieandmore@gmail.com mary.anthony@docker.com
+moyses.furtado@wplex.com.br moysesb@gmail.com
+msabramo@gmail.com marc@marc-abramowitz.com
+mzdaniel@glidelink.net daniel.mizyrycki@dotcloud.com
+nathan.leclaire@gmail.com nathan.leclaire@docker.com
+nathanleclaire@gmail.com nathan.leclaire@docker.com
+ostezer@users.noreply.github.com ostezer@gmail.com
+peter@scraperwiki.com p@pwaller.net
+princess@docker.com jess@docker.com
+proppy@aminche.com proppy@google.com
+qhuang@10.0.2.15 h.huangqiang@huawei.com
+resouer@gmail.com resouer@163.com
+roberto_hashioka@hotmail.com roberto.hashioka@docker.com
+root@vagrant-ubuntu-12.10.vagrantup.com daniel.mizyrycki@dotcloud.com
+runcom@linux.com antonio.murdaca@gmail.com
+runcom@redhat.com antonio.murdaca@gmail.com
+runcom@users.noreply.github.com antonio.murdaca@gmail.com
+s@docker.com solomon@docker.com
+shawnlandden@gmail.com shawn@churchofgit.com
+singh.gurjeet@gmail.com gurjeet@singh.im
+sjoerd@byte.nl sjoerd-github@linuxonly.nl
+smahajan@redhat.com shishir.mahajan@redhat.com
+solomon.hykes@dotcloud.com solomon@docker.com
+solomon@dotcloud.com solomon@docker.com
+stefanb@us.ibm.com stefanb@linux.vnet.ibm.com
+stevvooe@users.noreply.github.com stephen.day@docker.com
+superbaloo+registrations.github@superbaloo.net baloo@gandi.net
+tangicolin@gmail.com tangicolin@gmail.com
+thaJeztah@users.noreply.github.com github@gone.nl
+thatcher@dotcloud.com thatcher@docker.com
+thatcher@gmx.net thatcher@docker.com
+tibor@docker.com teabee89@gmail.com
+tiborvass@users.noreply.github.com teabee89@gmail.com
+timruffles@googlemail.com oi@truffles.me.uk
+tintypemolly@Ohui-MacBook-Pro.local tintypemolly@gmail.com
+tj@init.me tejesh.mehta@gmail.com
+tristan.carel@gmail.com tristan@cogniteev.com
+unclejack@users.noreply.github.com cristian.staretu@gmail.com
+unclejacksons@gmail.com cristian.staretu@gmail.com
+vbatts@hashbangbash.com vbatts@redhat.com
+victor.vieux@dotcloud.com victor.vieux@docker.com
+victor@docker.com victor.vieux@docker.com
+victor@dotcloud.com victor.vieux@docker.com
+victorvieux@gmail.com victor.vieux@docker.com
+vieux@docker.com victor.vieux@docker.com
+vincent+github@demeester.fr vincent@sbr.pm
+vincent@bernat.im bernat@luffy.cx
+vojnovski@gmail.com viktor.vojnovski@amadeus.com
+whoshuu@gmail.com huu@prismskylabs.com
+xiaods@gmail.com dxiao@redhat.com
+xlgao@zju.edu.cn xlgao@zju.edu.cn
+yestin.sun@polyera.com sunyi0804@gmail.com
+yuchangchun1@huawei.com yuchangchun1@huawei.com
+zjaffee@us.ibm.com zij@case.edu
diff --git a/engine/contrib/gitdm/domain-map b/engine/contrib/gitdm/domain-map
new file mode 100644
index 00000000..17a287e9
--- /dev/null
+++ b/engine/contrib/gitdm/domain-map
@@ -0,0 +1,47 @@
+#
+# Docker
+#
+
+docker.com                      Docker
+dotcloud.com                    Docker
+
+aluzzardi@gmail.com             Docker
+cpuguy83@gmail.com              Docker
+derek@mcgstyle.net              Docker
+github@gone.nl                  Docker
+kencochrane@gmail.com           Docker
+mickael.laventure@gmail.com     Docker
+sam.alba@gmail.com              Docker
+svendowideit@fosiki.com         Docker
+svendowideit@home.org.au        Docker
+tonistiigi@gmail.com            Docker
+
+cristian.staretu@gmail.com      Docker      < 2015-01-01
+cristian.staretu@gmail.com      Cisco
+
+github@hollensbe.org            Docker      < 2015-01-01
+github@hollensbe.org            Cisco
+
+david.calavera@gmail.com        Docker      < 2016-04-01
+david.calavera@gmail.com        (Unknown)
+
+madhu@socketplane.io            Docker
+ejhazlett@gmail.com             Docker
+ben@firshman.co.uk              Docker
+
+vincent@sbr.pm                  (Unknown)   < 2016-10-24
+vincent@sbr.pm                  Docker
+
+#
+# Others
+#
+
+cisco.com                       Cisco
+google.com                      Google
+ibm.com                         IBM
+huawei.com                      Huawei
+microsoft.com                   Microsoft
+
+redhat.com                      Red Hat
+mrunalp@gmail.com               Red Hat
+antonio.murdaca@gmail.com       Red Hat
diff --git a/engine/contrib/gitdm/generate_aliases.sh b/engine/contrib/gitdm/generate_aliases.sh
new file mode 100755
index 00000000..dfff5ff2
--- /dev/null
+++ b/engine/contrib/gitdm/generate_aliases.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+#
+# This script generates a gitdm compatible email aliases file from a git
+# formatted .mailmap file.
+#
+# Usage:
+#  $> ./generate_aliases <mailmap_file> > aliases
+#
+
+cat $1 | \
+    grep -v '^#' | \
+    sed 's/^[^<]*<\([^>]*\)>/\1/' | \
+    grep '<.*>' | sed -e 's/[<>]/ /g' | \
+    awk '{if ($3 != "") { print $3" "$1 } else {print $2" "$1}}' | \
+    sort | uniq
diff --git a/engine/contrib/gitdm/gitdm.config b/engine/contrib/gitdm/gitdm.config
new file mode 100644
index 00000000..d9b62b0b
--- /dev/null
+++ b/engine/contrib/gitdm/gitdm.config
@@ -0,0 +1,17 @@
+#
+# EmailAliases lets us cope with developers who use more
+# than one address.
+#
+EmailAliases aliases
+
+#
+# EmailMap does the main work of mapping addresses onto 
+# employers.
+#
+EmailMap domain-map
+
+#
+# Use GroupMap to map a file full of addresses to the 
+# same employer
+#
+# GroupMap company-Docker  Docker
diff --git a/engine/contrib/httpserver/Dockerfile b/engine/contrib/httpserver/Dockerfile
new file mode 100644
index 00000000..747dc91b
--- /dev/null
+++ b/engine/contrib/httpserver/Dockerfile
@@ -0,0 +1,4 @@
+FROM busybox
+EXPOSE 80/tcp
+COPY httpserver .
+CMD ["./httpserver"]
diff --git a/engine/contrib/httpserver/server.go b/engine/contrib/httpserver/server.go
new file mode 100644
index 00000000..a75d5abb
--- /dev/null
+++ b/engine/contrib/httpserver/server.go
@@ -0,0 +1,12 @@
+package main
+
+import (
+	"log"
+	"net/http"
+)
+
+func main() {
+	fs := http.FileServer(http.Dir("/static"))
+	http.Handle("/", fs)
+	log.Panic(http.ListenAndServe(":80", nil))
+}
diff --git a/engine/contrib/init/openrc/docker.confd b/engine/contrib/init/openrc/docker.confd
new file mode 100644
index 00000000..89183de4
--- /dev/null
+++ b/engine/contrib/init/openrc/docker.confd
@@ -0,0 +1,23 @@
+# /etc/conf.d/docker: config file for /etc/init.d/docker
+
+# where the docker daemon output gets piped
+# this contains both stdout and stderr. If  you need to separate them,
+# see the settings below
+#DOCKER_LOGFILE="/var/log/docker.log"
+
+# where the docker daemon stdout gets piped
+# if this is not set, DOCKER_LOGFILE is used
+#DOCKER_OUTFILE="/var/log/docker-out.log"
+
+# where the docker daemon stderr gets piped
+# if this is not set, DOCKER_LOGFILE is used
+#DOCKER_ERRFILE="/var/log/docker-err.log"
+
+# where docker's pid get stored
+#DOCKER_PIDFILE="/run/docker.pid"
+
+# where the docker daemon itself is run from
+#DOCKERD_BINARY="/usr/bin/dockerd"
+
+# any other random options you want to pass to docker
+DOCKER_OPTS=""
diff --git a/engine/contrib/init/openrc/docker.initd b/engine/contrib/init/openrc/docker.initd
new file mode 100644
index 00000000..6c968f60
--- /dev/null
+++ b/engine/contrib/init/openrc/docker.initd
@@ -0,0 +1,24 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+command="${DOCKERD_BINARY:-/usr/bin/dockerd}"
+pidfile="${DOCKER_PIDFILE:-/run/${RC_SVCNAME}.pid}"
+command_args="-p \"${pidfile}\" ${DOCKER_OPTS}"
+DOCKER_LOGFILE="${DOCKER_LOGFILE:-/var/log/${RC_SVCNAME}.log}"
+DOCKER_ERRFILE="${DOCKER_ERRFILE:-${DOCKER_LOGFILE}}"
+DOCKER_OUTFILE="${DOCKER_OUTFILE:-${DOCKER_LOGFILE}}"
+start_stop_daemon_args="--background \
+	--stderr \"${DOCKER_ERRFILE}\" --stdout \"${DOCKER_OUTFILE}\""
+
+start_pre() {
+	checkpath -f -m 0644 -o root:docker "$DOCKER_LOGFILE"
+
+	ulimit -n 1048576
+
+	# Having non-zero limits causes performance problems due to accounting overhead
+	# in the kernel. We recommend using cgroups to do container-local accounting.
+	ulimit -u unlimited
+
+	return 0
+}
diff --git a/engine/contrib/init/systemd/REVIEWERS b/engine/contrib/init/systemd/REVIEWERS
new file mode 100644
index 00000000..b9ba55b3
--- /dev/null
+++ b/engine/contrib/init/systemd/REVIEWERS
@@ -0,0 +1,3 @@
+Lokesh Mandvekar <lsm5@fedoraproject.org> (@lsm5)
+Brandon Philips <brandon.philips@coreos.com> (@philips)
+Jessie Frazelle <jess@docker.com> (@jfrazelle)
diff --git a/engine/contrib/init/systemd/docker.service b/engine/contrib/init/systemd/docker.service
new file mode 100644
index 00000000..51746317
--- /dev/null
+++ b/engine/contrib/init/systemd/docker.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network-online.target docker.socket firewalld.service
+Wants=network-online.target
+Requires=docker.socket
+
+[Service]
+Type=notify
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+ExecStart=/usr/bin/dockerd -H fd://
+ExecReload=/bin/kill -s HUP $MAINPID
+LimitNOFILE=1048576
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this version.
+#TasksMax=infinity
+TimeoutStartSec=0
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+# kill only the docker process, not all processes in the cgroup
+KillMode=process
+# restart the docker process if it exits prematurely
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/engine/contrib/init/systemd/docker.service.rpm b/engine/contrib/init/systemd/docker.service.rpm
new file mode 100644
index 00000000..6c60646b
--- /dev/null
+++ b/engine/contrib/init/systemd/docker.service.rpm
@@ -0,0 +1,33 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network-online.target firewalld.service
+Wants=network-online.target
+
+[Service]
+Type=notify
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+ExecStart=/usr/bin/dockerd
+ExecReload=/bin/kill -s HUP $MAINPID
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=infinity
+LimitNPROC=infinity
+LimitCORE=infinity
+# Uncomment TasksMax if your systemd version supports it.
+# Only systemd 226 and above support this version.
+#TasksMax=infinity
+TimeoutStartSec=0
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+# kill only the docker process, not all processes in the cgroup
+KillMode=process
+# restart the docker process if it exits prematurely
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/engine/contrib/init/systemd/docker.socket b/engine/contrib/init/systemd/docker.socket
new file mode 100644
index 00000000..7dd95098
--- /dev/null
+++ b/engine/contrib/init/systemd/docker.socket
@@ -0,0 +1,12 @@
+[Unit]
+Description=Docker Socket for the API
+PartOf=docker.service
+
+[Socket]
+ListenStream=/var/run/docker.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target
diff --git a/engine/contrib/init/sysvinit-debian/docker b/engine/contrib/init/sysvinit-debian/docker
new file mode 100755
index 00000000..9c8fa6be
--- /dev/null
+++ b/engine/contrib/init/sysvinit-debian/docker
@@ -0,0 +1,156 @@
+#!/bin/sh
+set -e
+
+### BEGIN INIT INFO
+# Provides:           docker
+# Required-Start:     $syslog $remote_fs
+# Required-Stop:      $syslog $remote_fs
+# Should-Start:       cgroupfs-mount cgroup-lite
+# Should-Stop:        cgroupfs-mount cgroup-lite
+# Default-Start:      2 3 4 5
+# Default-Stop:       0 1 6
+# Short-Description:  Create lightweight, portable, self-sufficient containers.
+# Description:
+#  Docker is an open-source project to easily create lightweight, portable,
+#  self-sufficient containers from any application. The same container that a
+#  developer builds and tests on a laptop can run at scale, in production, on
+#  VMs, bare metal, OpenStack clusters, public clouds and more.
+### END INIT INFO
+
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+BASE=docker
+
+# modify these in /etc/default/$BASE (/etc/default/docker)
+DOCKERD=/usr/bin/dockerd
+# This is the pid file managed by docker itself
+DOCKER_PIDFILE=/var/run/$BASE.pid
+# This is the pid file created/managed by start-stop-daemon
+DOCKER_SSD_PIDFILE=/var/run/$BASE-ssd.pid
+DOCKER_LOGFILE=/var/log/$BASE.log
+DOCKER_OPTS=
+DOCKER_DESC="Docker"
+
+# Get lsb functions
+. /lib/lsb/init-functions
+
+if [ -f /etc/default/$BASE ]; then
+	. /etc/default/$BASE
+fi
+
+# Check docker is present
+if [ ! -x $DOCKERD ]; then
+	log_failure_msg "$DOCKERD not present or not executable"
+	exit 1
+fi
+
+check_init() {
+	# see also init_is_upstart in /lib/lsb/init-functions (which isn't available in Ubuntu 12.04, or we'd use it directly)
+	if [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; then
+		log_failure_msg "$DOCKER_DESC is managed via upstart, try using service $BASE $1"
+		exit 1
+	fi
+}
+
+fail_unless_root() {
+	if [ "$(id -u)" != '0' ]; then
+		log_failure_msg "$DOCKER_DESC must be run as root"
+		exit 1
+	fi
+}
+
+cgroupfs_mount() {
+	# see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount
+	if grep -v '^#' /etc/fstab | grep -q cgroup \
+		|| [ ! -e /proc/cgroups ] \
+		|| [ ! -d /sys/fs/cgroup ]; then
+		return
+	fi
+	if ! mountpoint -q /sys/fs/cgroup; then
+		mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
+	fi
+	(
+		cd /sys/fs/cgroup
+		for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do
+			mkdir -p $sys
+			if ! mountpoint -q $sys; then
+				if ! mount -n -t cgroup -o $sys cgroup $sys; then
+					rmdir $sys || true
+				fi
+			fi
+		done
+	)
+}
+
+case "$1" in
+	start)
+		check_init
+		
+		fail_unless_root
+
+		cgroupfs_mount
+
+		touch "$DOCKER_LOGFILE"
+		chgrp docker "$DOCKER_LOGFILE"
+
+		ulimit -n 1048576
+
+		# Having non-zero limits causes performance problems due to accounting overhead
+		# in the kernel. We recommend using cgroups to do container-local accounting.
+		if [ "$BASH" ]; then
+			ulimit -u unlimited
+		else
+			ulimit -p unlimited
+		fi
+
+		log_begin_msg "Starting $DOCKER_DESC: $BASE"
+		start-stop-daemon --start --background \
+			--no-close \
+			--exec "$DOCKERD" \
+			--pidfile "$DOCKER_SSD_PIDFILE" \
+			--make-pidfile \
+			-- \
+				-p "$DOCKER_PIDFILE" \
+				$DOCKER_OPTS \
+					>> "$DOCKER_LOGFILE" 2>&1
+		log_end_msg $?
+		;;
+
+	stop)
+		check_init
+		fail_unless_root
+		if [ -f "$DOCKER_SSD_PIDFILE" ]; then
+			log_begin_msg "Stopping $DOCKER_DESC: $BASE"
+			start-stop-daemon --stop --pidfile "$DOCKER_SSD_PIDFILE" --retry 10
+			log_end_msg $?
+		else
+			log_warning_msg "Docker already stopped - file $DOCKER_SSD_PIDFILE not found."
+		fi
+		;;
+
+	restart)
+		check_init
+		fail_unless_root
+		docker_pid=`cat "$DOCKER_SSD_PIDFILE" 2>/dev/null`
+		[ -n "$docker_pid" ] \
+			&& ps -p $docker_pid > /dev/null 2>&1 \
+			&& $0 stop
+		$0 start
+		;;
+
+	force-reload)
+		check_init
+		fail_unless_root
+		$0 restart
+		;;
+
+	status)
+		check_init
+		status_of_proc -p "$DOCKER_SSD_PIDFILE" "$DOCKERD" "$DOCKER_DESC"
+		;;
+
+	*)
+		echo "Usage: service docker {start|stop|restart|status}"
+		exit 1
+		;;
+esac
diff --git a/engine/contrib/init/sysvinit-debian/docker.default b/engine/contrib/init/sysvinit-debian/docker.default
new file mode 100644
index 00000000..c4e93199
--- /dev/null
+++ b/engine/contrib/init/sysvinit-debian/docker.default
@@ -0,0 +1,20 @@
+# Docker Upstart and SysVinit configuration file
+
+#
+# THIS FILE DOES NOT APPLY TO SYSTEMD
+#
+#   Please see the documentation for "systemd drop-ins":
+#   https://docs.docker.com/engine/admin/systemd/
+#
+
+# Customize location of Docker binary (especially for development testing).
+#DOCKERD="/usr/local/bin/dockerd"
+
+# Use DOCKER_OPTS to modify the daemon startup options.
+#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
+
+# If you need Docker to use an HTTP proxy, it can also be specified here.
+#export http_proxy="http://127.0.0.1:3128/"
+
+# This is also a handy place to tweak where Docker's temporary files go.
+#export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp"
diff --git a/engine/contrib/init/sysvinit-redhat/docker b/engine/contrib/init/sysvinit-redhat/docker
new file mode 100755
index 00000000..df9b02a2
--- /dev/null
+++ b/engine/contrib/init/sysvinit-redhat/docker
@@ -0,0 +1,153 @@
+#!/bin/sh
+#
+#       /etc/rc.d/init.d/docker
+#
+#       Daemon for docker.com
+#
+# chkconfig:   2345 95 95
+# description: Daemon for docker.com
+
+### BEGIN INIT INFO
+# Provides:       docker
+# Required-Start: $network cgconfig
+# Required-Stop:
+# Should-Start:
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop:  0 1 6
+# Short-Description: start and stop docker
+# Description: Daemon for docker.com
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="docker"
+unshare=/usr/bin/unshare
+exec="/usr/bin/dockerd"
+pidfile="/var/run/$prog.pid"
+lockfile="/var/lock/subsys/$prog"
+logfile="/var/log/$prog"
+
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+
+prestart() {
+	service cgconfig status > /dev/null
+
+	if [[ $? != 0 ]]; then
+		service cgconfig start
+	fi
+
+}
+
+start() {
+	if [ ! -x $exec ]; then
+		if [ ! -e $exec ]; then
+			echo "Docker executable $exec not found"
+		else
+			echo "You do not have permission to execute the Docker executable $exec"
+		fi
+		exit 5
+	fi
+
+	check_for_cleanup
+
+	if ! [ -f $pidfile ]; then
+		prestart
+		printf "Starting $prog:\t"
+		echo "\n$(date)\n" >> $logfile
+		"$unshare" -m -- $exec $other_args >> $logfile 2>&1 &
+		pid=$!
+		touch $lockfile
+		# wait up to 10 seconds for the pidfile to exist.  see
+		# https://github.com/docker/docker/issues/5359
+		tries=0
+		while [ ! -f $pidfile -a $tries -lt 10 ]; do
+			sleep 1
+			tries=$((tries + 1))
+			echo -n '.'
+		done
+		if [ ! -f $pidfile ]; then
+			failure
+			echo
+			exit 1
+		fi
+		success
+		echo
+	else
+		failure
+		echo
+		printf "$pidfile still exists...\n"
+		exit 7
+	fi
+}
+
+stop() {
+	echo -n $"Stopping $prog: "
+	killproc -p $pidfile -d 300 $prog
+	retval=$?
+	echo
+	[ $retval -eq 0 ] && rm -f $lockfile
+	return $retval
+}
+
+restart() {
+	stop
+	start
+}
+
+reload() {
+	restart
+}
+
+force_reload() {
+	restart
+}
+
+rh_status() {
+	status -p $pidfile $prog
+}
+
+rh_status_q() {
+	rh_status >/dev/null 2>&1
+}
+
+
+check_for_cleanup() {
+	if [ -f ${pidfile} ]; then
+		/bin/ps -fp $(cat ${pidfile}) > /dev/null || rm ${pidfile}
+	fi
+}
+
+case "$1" in
+	start)
+		rh_status_q && exit 0
+		$1
+		;;
+	stop)
+		rh_status_q || exit 0
+		$1
+		;;
+	restart)
+		$1
+		;;
+	reload)
+		rh_status_q || exit 7
+		$1
+		;;
+	force-reload)
+		force_reload
+		;;
+	status)
+		rh_status
+		;;
+	condrestart|try-restart)
+		rh_status_q || exit 0
+		restart
+		;;
+	*)
+		echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+		exit 2
+esac
+
+exit $?
diff --git a/engine/contrib/init/sysvinit-redhat/docker.sysconfig b/engine/contrib/init/sysvinit-redhat/docker.sysconfig
new file mode 100644
index 00000000..0864b3d7
--- /dev/null
+++ b/engine/contrib/init/sysvinit-redhat/docker.sysconfig
@@ -0,0 +1,7 @@
+# /etc/sysconfig/docker
+#
+# Other arguments to pass to the docker daemon process
+# These will be parsed by the sysv initscript and appended
+# to the arguments list passed to docker daemon
+
+other_args=""
diff --git a/engine/contrib/init/upstart/REVIEWERS b/engine/contrib/init/upstart/REVIEWERS
new file mode 100644
index 00000000..03ee2dde
--- /dev/null
+++ b/engine/contrib/init/upstart/REVIEWERS
@@ -0,0 +1,2 @@
+Tianon Gravi <admwiggin@gmail.com> (@tianon)
+Jessie Frazelle <jess@docker.com> (@jfrazelle)
diff --git a/engine/contrib/init/upstart/docker.conf b/engine/contrib/init/upstart/docker.conf
new file mode 100644
index 00000000..d58f7d6a
--- /dev/null
+++ b/engine/contrib/init/upstart/docker.conf
@@ -0,0 +1,72 @@
+description "Docker daemon"
+
+start on (filesystem and net-device-up IFACE!=lo)
+stop on runlevel [!2345]
+
+limit nofile 524288 1048576
+
+# Having non-zero limits causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+limit nproc unlimited unlimited
+
+respawn
+
+kill timeout 20
+
+pre-start script
+	# see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount
+	if grep -v '^#' /etc/fstab | grep -q cgroup \
+		|| [ ! -e /proc/cgroups ] \
+		|| [ ! -d /sys/fs/cgroup ]; then
+		exit 0
+	fi
+	if ! mountpoint -q /sys/fs/cgroup; then
+		mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
+	fi
+	(
+		cd /sys/fs/cgroup
+		for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do
+			mkdir -p $sys
+			if ! mountpoint -q $sys; then
+				if ! mount -n -t cgroup -o $sys cgroup $sys; then
+					rmdir $sys || true
+				fi
+			fi
+		done
+	)
+end script
+
+script
+	# modify these in /etc/default/$UPSTART_JOB (/etc/default/docker)
+	DOCKERD=/usr/bin/dockerd
+	DOCKER_OPTS=
+	if [ -f /etc/default/$UPSTART_JOB ]; then
+		. /etc/default/$UPSTART_JOB
+	fi
+	exec "$DOCKERD" $DOCKER_OPTS --raw-logs
+end script
+
+# Don't emit "started" event until docker.sock is ready.
+# See https://github.com/docker/docker/issues/6647
+post-start script
+	DOCKER_OPTS=
+	DOCKER_SOCKET=
+	if [ -f /etc/default/$UPSTART_JOB ]; then
+		. /etc/default/$UPSTART_JOB
+	fi
+
+	if ! printf "%s" "$DOCKER_OPTS" | grep -qE -e '-H|--host'; then
+		DOCKER_SOCKET=/var/run/docker.sock
+	else
+		DOCKER_SOCKET=$(printf "%s" "$DOCKER_OPTS" | grep -oP -e '(-H|--host)\W*unix://\K(\S+)' | sed 1q)
+	fi
+
+	if [ -n "$DOCKER_SOCKET" ]; then
+		while ! [ -e "$DOCKER_SOCKET" ]; do
+			initctl status $UPSTART_JOB | grep -qE "(stop|respawn)/" && exit 1
+			echo "Waiting for $DOCKER_SOCKET"
+			sleep 0.1
+		done
+		echo "$DOCKER_SOCKET is up"
+	fi
+end script
diff --git a/engine/contrib/mac-install-bundle.sh b/engine/contrib/mac-install-bundle.sh
new file mode 100755
index 00000000..2110d044
--- /dev/null
+++ b/engine/contrib/mac-install-bundle.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+set -e
+
+errexit() {
+	echo "$1"
+	exit 1
+}
+
+[ "$(uname -s)" == "Darwin" ] || errexit "This script can only be used on a Mac"
+
+[ $# -eq 1 ] || errexit "Usage: $0 install|undo"
+
+BUNDLE="bundles/$(cat VERSION)"
+BUNDLE_PATH="$PWD/$BUNDLE"
+CLIENT_PATH="$BUNDLE_PATH/cross/darwin/amd64/docker"
+DATABASE="$HOME/Library/Containers/com.docker.docker/Data/database"
+DATABASE_KEY="$DATABASE/com.docker.driver.amd64-linux/bundle"
+
+[ -d "$DATABASE" ] || errexit "Docker for Mac must be installed for this script"
+
+case "$1" in
+"install")
+	[ -d "$BUNDLE" ] || errexit "cannot find bundle $BUNDLE"
+	[ -e "$CLIENT_PATH" ] || errexit "you need to run make cross first"
+	[ -e "$BUNDLE/binary-daemon/dockerd" ] || errexit "you need to build binaries first"
+	[ -f "$BUNDLE/binary-client/docker" ] || errexit "you need to build binaries first"
+	git -C "$DATABASE" reset --hard >/dev/null
+	echo "$BUNDLE_PATH" > "$DATABASE_KEY"
+	git -C "$DATABASE" add "$DATABASE_KEY"
+	git -C "$DATABASE" commit -m "update bundle to $BUNDLE_PATH"
+	rm -f /usr/local/bin/docker
+	cp "$CLIENT_PATH" /usr/local/bin
+	echo "Bundle installed. Restart Docker to use. To uninstall, reset Docker to factory defaults."
+	;;
+"undo")
+	git -C "$DATABASE" reset --hard >/dev/null
+	[ -f "$DATABASE_KEY" ] || errexit "bundle not set"
+	git -C "$DATABASE" rm "$DATABASE_KEY"
+	git -C "$DATABASE" commit -m "remove bundle"
+	rm -f /usr/local/bin/docker
+	ln -s "$HOME/Library/Group Containers/group.com.docker/bin/docker" /usr/local/bin
+	echo "Bundle removed. Using dev versions may cause issues, a reset to factory defaults is recommended."
+	;;
+esac
diff --git a/engine/contrib/mkimage-alpine.sh b/engine/contrib/mkimage-alpine.sh
new file mode 100755
index 00000000..03180e43
--- /dev/null
+++ b/engine/contrib/mkimage-alpine.sh
@@ -0,0 +1,90 @@
+#!/bin/sh
+
+set -e
+
+[ $(id -u) -eq 0 ] || {
+	printf >&2 '%s requires root\n' "$0"
+	exit 1
+}
+
+usage() {
+	printf >&2 '%s: [-r release] [-m mirror] [-s] [-c additional repository] [-a arch]\n' "$0"
+	exit 1
+}
+
+tmp() {
+	TMP=$(mktemp -d ${TMPDIR:-/var/tmp}/alpine-docker-XXXXXXXXXX)
+	ROOTFS=$(mktemp -d ${TMPDIR:-/var/tmp}/alpine-docker-rootfs-XXXXXXXXXX)
+	trap "rm -rf $TMP $ROOTFS" EXIT TERM INT
+}
+
+apkv() {
+	curl -sSL $MAINREPO/$ARCH/APKINDEX.tar.gz | tar -Oxz |
+		grep --text '^P:apk-tools-static$' -A1 | tail -n1 | cut -d: -f2
+}
+
+getapk() {
+	curl -sSL $MAINREPO/$ARCH/apk-tools-static-$(apkv).apk |
+		tar -xz -C $TMP sbin/apk.static
+}
+
+mkbase() {
+	$TMP/sbin/apk.static --repository $MAINREPO --update-cache --allow-untrusted \
+		--root $ROOTFS --initdb add alpine-base
+}
+
+conf() {
+	printf '%s\n' $MAINREPO > $ROOTFS/etc/apk/repositories
+	printf '%s\n' $ADDITIONALREPO >> $ROOTFS/etc/apk/repositories
+}
+
+pack() {
+	local id
+	id=$(tar --numeric-owner -C $ROOTFS -c . | docker import - alpine:$REL)
+
+	docker tag $id alpine:latest
+	docker run -i -t --rm alpine printf 'alpine:%s with id=%s created!\n' $REL $id
+}
+
+save() {
+	[ $SAVE -eq 1 ] || return 0
+
+	tar --numeric-owner -C $ROOTFS -c . | xz > rootfs.tar.xz
+}
+
+while getopts "hr:m:sc:a:" opt; do
+	case $opt in
+		r)
+			REL=$OPTARG
+			;;
+		m)
+			MIRROR=$OPTARG
+			;;
+		s)
+			SAVE=1
+			;;
+		c)
+			ADDITIONALREPO=$OPTARG
+			;;
+		a)
+			ARCH=$OPTARG
+			;;
+		*)
+			usage
+			;;
+	esac
+done
+
+REL=${REL:-edge}
+MIRROR=${MIRROR:-http://nl.alpinelinux.org/alpine}
+SAVE=${SAVE:-0}
+MAINREPO=$MIRROR/$REL/main
+ADDITIONALREPO=$MIRROR/$REL/${ADDITIONALREPO:-community}
+ARCH=${ARCH:-$(uname -m)}
+
+tmp
+getapk
+mkbase
+conf
+pack
+save
diff --git a/engine/contrib/mkimage-arch-pacman.conf b/engine/contrib/mkimage-arch-pacman.conf
new file mode 100644
index 00000000..45fe03dc
--- /dev/null
+++ b/engine/contrib/mkimage-arch-pacman.conf
@@ -0,0 +1,92 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir     = /
+#DBPath      = /var/lib/pacman/
+#CacheDir    = /var/cache/pacman/pkg/
+#LogFile     = /var/log/pacman.log
+#GPGDir      = /etc/pacman.d/gnupg/
+HoldPkg     = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta    = 0.7
+Architecture = auto
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg   =
+#IgnoreGroup =
+
+#NoUpgrade   =
+#NoExtract   =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+# We cannot check disk space from within a chroot environment
+#CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel    = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+#   - can be defined here or included from another file
+#   - pacman will search repositories in the order defined here
+#   - local/custom mirrors can be added here or in separate files
+#   - repositories listed first will take precedence when packages
+#     have identical names, regardless of version number
+#   - URLs will have $repo replaced by the name of the current repo
+#   - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+#       [repo-name]
+#       Server = ServerName
+#       Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository.  See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
+
diff --git a/engine/contrib/mkimage-arch.sh b/engine/contrib/mkimage-arch.sh
new file mode 100755
index 00000000..f9411771
--- /dev/null
+++ b/engine/contrib/mkimage-arch.sh
@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+# Generate a minimal filesystem for archlinux and load it into the local
+# docker as "archlinux"
+# requires root
+set -e
+
+hash pacstrap &>/dev/null || {
+	echo "Could not find pacstrap. Run pacman -S arch-install-scripts"
+	exit 1
+}
+
+hash expect &>/dev/null || {
+	echo "Could not find expect. Run pacman -S expect"
+	exit 1
+}
+
+
+export LANG="C.UTF-8"
+
+ROOTFS=$(mktemp -d ${TMPDIR:-/var/tmp}/rootfs-archlinux-XXXXXXXXXX)
+chmod 755 $ROOTFS
+
+# packages to ignore for space savings
+PKGIGNORE=(
+    cryptsetup
+    device-mapper
+    dhcpcd
+    iproute2
+    jfsutils
+    linux
+    lvm2
+    man-db
+    man-pages
+    mdadm
+    nano
+    netctl
+    openresolv
+    pciutils
+    pcmciautils
+    reiserfsprogs
+    s-nail
+    systemd-sysvcompat
+    usbutils
+    vi
+    xfsprogs
+)
+IFS=','
+PKGIGNORE="${PKGIGNORE[*]}"
+unset IFS
+
+arch="$(uname -m)"
+case "$arch" in
+	armv*)
+		if pacman -Q archlinuxarm-keyring >/dev/null 2>&1; then
+			pacman-key --init
+			pacman-key --populate archlinuxarm
+		else
+			echo "Could not find archlinuxarm-keyring. Please, install it and run pacman-key --populate archlinuxarm"
+			exit 1
+		fi
+		PACMAN_CONF=$(mktemp ${TMPDIR:-/var/tmp}/pacman-conf-archlinux-XXXXXXXXX)
+		version="$(echo $arch | cut -c 5)"
+		sed "s/Architecture = armv/Architecture = armv${version}h/g" './mkimage-archarm-pacman.conf' > "${PACMAN_CONF}"
+		PACMAN_MIRRORLIST='Server = http://mirror.archlinuxarm.org/$arch/$repo'
+		PACMAN_EXTRA_PKGS='archlinuxarm-keyring'
+		EXPECT_TIMEOUT=1800 # Most armv* based devices can be very slow (e.g. RPiv1)
+		ARCH_KEYRING=archlinuxarm
+		DOCKER_IMAGE_NAME="armv${version}h/archlinux"
+		;;
+	*)
+		PACMAN_CONF='./mkimage-arch-pacman.conf'
+		PACMAN_MIRRORLIST='Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch'
+		PACMAN_EXTRA_PKGS=''
+		EXPECT_TIMEOUT=60
+		ARCH_KEYRING=archlinux
+		DOCKER_IMAGE_NAME=archlinux
+		;;
+esac
+
+export PACMAN_MIRRORLIST
+
+expect <<EOF
+	set send_slow {1 .1}
+	proc send {ignore arg} {
+		sleep .1
+		exp_send -s -- \$arg
+	}
+	set timeout $EXPECT_TIMEOUT
+
+	spawn pacstrap -C $PACMAN_CONF -c -d -G -i $ROOTFS base haveged $PACMAN_EXTRA_PKGS --ignore $PKGIGNORE
+	expect {
+		-exact "anyway? \[Y/n\] " { send -- "n\r"; exp_continue }
+		-exact "(default=all): " { send -- "\r"; exp_continue }
+		-exact "installation? \[Y/n\]" { send -- "y\r"; exp_continue }
+		-exact "delete it? \[Y/n\]" { send -- "y\r"; exp_continue }
+	}
+EOF
+
+arch-chroot $ROOTFS /bin/sh -c 'rm -r /usr/share/man/*'
+arch-chroot $ROOTFS /bin/sh -c "haveged -w 1024; pacman-key --init; pkill haveged; pacman -Rs --noconfirm haveged; pacman-key --populate $ARCH_KEYRING; pkill gpg-agent"
+arch-chroot $ROOTFS /bin/sh -c "ln -s /usr/share/zoneinfo/UTC /etc/localtime"
+echo 'en_US.UTF-8 UTF-8' > $ROOTFS/etc/locale.gen
+arch-chroot $ROOTFS locale-gen
+arch-chroot $ROOTFS /bin/sh -c 'echo $PACMAN_MIRRORLIST > /etc/pacman.d/mirrorlist'
+
+# udev doesn't work in containers, rebuild /dev
+DEV=$ROOTFS/dev
+rm -rf $DEV
+mkdir -p $DEV
+mknod -m 666 $DEV/null c 1 3
+mknod -m 666 $DEV/zero c 1 5
+mknod -m 666 $DEV/random c 1 8
+mknod -m 666 $DEV/urandom c 1 9
+mkdir -m 755 $DEV/pts
+mkdir -m 1777 $DEV/shm
+mknod -m 666 $DEV/tty c 5 0
+mknod -m 600 $DEV/console c 5 1
+mknod -m 666 $DEV/tty0 c 4 0
+mknod -m 666 $DEV/full c 1 7
+mknod -m 600 $DEV/initctl p
+mknod -m 666 $DEV/ptmx c 5 2
+ln -sf /proc/self/fd $DEV/fd
+
+tar --numeric-owner --xattrs --acls -C $ROOTFS -c . | docker import - $DOCKER_IMAGE_NAME
+docker run --rm -t $DOCKER_IMAGE_NAME echo Success.
+rm -rf $ROOTFS
diff --git a/engine/contrib/mkimage-archarm-pacman.conf b/engine/contrib/mkimage-archarm-pacman.conf
new file mode 100644
index 00000000..f4b45f54
--- /dev/null
+++ b/engine/contrib/mkimage-archarm-pacman.conf
@@ -0,0 +1,98 @@
+#
+# /etc/pacman.conf
+#
+# See the pacman.conf(5) manpage for option and repository directives
+
+#
+# GENERAL OPTIONS
+#
+[options]
+# The following paths are commented out with their default values listed.
+# If you wish to use different paths, uncomment and update the paths.
+#RootDir     = /
+#DBPath      = /var/lib/pacman/
+#CacheDir    = /var/cache/pacman/pkg/
+#LogFile     = /var/log/pacman.log
+#GPGDir      = /etc/pacman.d/gnupg/
+HoldPkg     = pacman glibc
+#XferCommand = /usr/bin/curl -C - -f %u > %o
+#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
+#CleanMethod = KeepInstalled
+#UseDelta    = 0.7
+Architecture = armv
+
+# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
+#IgnorePkg   =
+#IgnoreGroup =
+
+#NoUpgrade   =
+#NoExtract   =
+
+# Misc options
+#UseSyslog
+#Color
+#TotalDownload
+# We cannot check disk space from within a chroot environment
+#CheckSpace
+#VerbosePkgLists
+
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
+SigLevel    = Required DatabaseOptional
+LocalFileSigLevel = Optional
+#RemoteFileSigLevel = Required
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
+
+#
+# REPOSITORIES
+#   - can be defined here or included from another file
+#   - pacman will search repositories in the order defined here
+#   - local/custom mirrors can be added here or in separate files
+#   - repositories listed first will take precedence when packages
+#     have identical names, regardless of version number
+#   - URLs will have $repo replaced by the name of the current repo
+#   - URLs will have $arch replaced by the name of the architecture
+#
+# Repository entries are of the format:
+#       [repo-name]
+#       Server = ServerName
+#       Include = IncludePath
+#
+# The header [repo-name] is crucial - it must be present and
+# uncommented to enable the repo.
+#
+
+# The testing repositories are disabled by default. To enable, uncomment the
+# repo name header and Include lines. You can add preferred servers immediately
+# after the header, and they will be used before the default mirrors.
+
+#[testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[core]
+Include = /etc/pacman.d/mirrorlist
+
+[extra]
+Include = /etc/pacman.d/mirrorlist
+
+#[community-testing]
+#Include = /etc/pacman.d/mirrorlist
+
+[community]
+Include = /etc/pacman.d/mirrorlist
+
+[alarm]
+Include = /etc/pacman.d/mirrorlist
+
+[aur]
+Include = /etc/pacman.d/mirrorlist
+
+# An example of a custom package repository.  See the pacman manpage for
+# tips on creating your own repositories.
+#[custom]
+#SigLevel = Optional TrustAll
+#Server = file:///home/custompkgs
+
diff --git a/engine/contrib/mkimage-crux.sh b/engine/contrib/mkimage-crux.sh
new file mode 100755
index 00000000..3f0bdcae
--- /dev/null
+++ b/engine/contrib/mkimage-crux.sh
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+# Generate a minimal filesystem for CRUX/Linux and load it into the local
+# docker as "cruxlinux"
+# requires root and the crux iso (http://crux.nu)
+
+set -e
+
+die () {
+    echo >&2 "$@"
+    exit 1
+}
+
+[ "$#" -eq 1 ] || die "1 argument(s) required, $# provided. Usage: ./mkimage-crux.sh /path/to/iso"
+
+ISO=${1}
+
+ROOTFS=$(mktemp -d ${TMPDIR:-/var/tmp}/rootfs-crux-XXXXXXXXXX)
+CRUX=$(mktemp -d ${TMPDIR:-/var/tmp}/crux-XXXXXXXXXX)
+TMP=$(mktemp -d ${TMPDIR:-/var/tmp}/XXXXXXXXXX)
+
+VERSION=$(basename --suffix=.iso $ISO | sed 's/[^0-9.]*\([0-9.]*\).*/\1/')
+
+# Mount the ISO
+mount -o ro,loop $ISO $CRUX
+
+# Extract pkgutils
+tar -C $TMP -xf $CRUX/tools/pkgutils#*.pkg.tar.gz
+
+# Put pkgadd in the $PATH
+export PATH="$TMP/usr/bin:$PATH"
+
+# Install core packages
+mkdir -p $ROOTFS/var/lib/pkg
+touch $ROOTFS/var/lib/pkg/db
+for pkg in $CRUX/crux/core/*; do
+    pkgadd -r $ROOTFS $pkg
+done
+
+# Remove agetty and inittab config
+if (grep agetty ${ROOTFS}/etc/inittab 2>&1 > /dev/null); then
+    echo "Removing agetty from /etc/inittab ..."
+    chroot ${ROOTFS} sed -i -e "/agetty/d" /etc/inittab
+    chroot ${ROOTFS} sed -i -e "/shutdown/d" /etc/inittab
+    chroot ${ROOTFS} sed -i -e "/^$/N;/^\n$/d" /etc/inittab
+fi
+
+# Remove kernel source
+rm -rf $ROOTFS/usr/src/*
+
+# udev doesn't work in containers, rebuild /dev
+DEV=$ROOTFS/dev
+rm -rf $DEV
+mkdir -p $DEV
+mknod -m 666 $DEV/null c 1 3
+mknod -m 666 $DEV/zero c 1 5
+mknod -m 666 $DEV/random c 1 8
+mknod -m 666 $DEV/urandom c 1 9
+mkdir -m 755 $DEV/pts
+mkdir -m 1777 $DEV/shm
+mknod -m 666 $DEV/tty c 5 0
+mknod -m 600 $DEV/console c 5 1
+mknod -m 666 $DEV/tty0 c 4 0
+mknod -m 666 $DEV/full c 1 7
+mknod -m 600 $DEV/initctl p
+mknod -m 666 $DEV/ptmx c 5 2
+
+IMAGE_ID=$(tar --numeric-owner -C $ROOTFS -c . | docker import - crux:$VERSION)
+docker tag $IMAGE_ID crux:latest
+docker run -i -t crux echo Success.
+
+# Cleanup
+umount $CRUX
+rm -rf $ROOTFS
+rm -rf $CRUX
+rm -rf $TMP
diff --git a/engine/contrib/mkimage-pld.sh b/engine/contrib/mkimage-pld.sh
new file mode 100755
index 00000000..615c2030
--- /dev/null
+++ b/engine/contrib/mkimage-pld.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# Generate a minimal filesystem for PLD Linux and load it into the local docker as "pld".
+# https://www.pld-linux.org/packages/docker
+#
+set -e
+
+if [ "$(id -u)" != "0" ]; then
+	echo >&2 "$0: requires root"
+	exit 1
+fi
+
+image_name=pld
+
+tmpdir=$(mktemp -d ${TMPDIR:-/var/tmp}/pld-docker-XXXXXX)
+root=$tmpdir/rootfs
+install -d -m 755 $root
+
+# to clean up:
+docker rmi $image_name || :
+
+# build
+rpm -r $root --initdb
+
+set +e
+install -d $root/dev/pts
+mknod $root/dev/random c 1 8 -m 644
+mknod $root/dev/urandom c 1 9 -m 644
+mknod $root/dev/full c 1 7 -m 666
+mknod $root/dev/null c 1 3 -m 666
+mknod $root/dev/zero c 1 5 -m 666
+mknod $root/dev/console c 5 1 -m 660
+set -e
+
+poldek -r $root --up --noask -u \
+	--noignore \
+	-O 'rpmdef=_install_langs C' \
+	-O 'rpmdef=_excludedocs 1' \
+	vserver-packages \
+	bash iproute2 coreutils grep poldek
+
+# fix netsharedpath, so containers would be able to install when some paths are mounted
+sed -i -e 's;^#%_netsharedpath.*;%_netsharedpath /dev/shm:/sys:/proc:/dev:/etc/hostname;' $root/etc/rpm/macros
+
+# no need for alternatives
+poldek-config -c $root/etc/poldek/poldek.conf ignore systemd-init
+
+# this makes initscripts to believe network is up
+touch $root/var/lock/subsys/network
+
+# cleanup large optional packages
+remove_packages="ca-certificates"
+for pkg in $remove_packages; do
+	rpm -r $root -q $pkg && rpm -r $root -e $pkg --nodeps
+done
+
+# cleanup more
+rm -v $root/etc/ld.so.cache
+rm -rfv $root/var/cache/hrmib/*
+rm -rfv $root/usr/share/man/man?/*
+rm -rfv $root/usr/share/locale/*/
+rm -rfv $root/usr/share/help/*/
+rm -rfv $root/usr/share/doc/*
+rm -rfv $root/usr/src/examples/*
+rm -rfv $root/usr/share/pixmaps/*
+
+# and import
+tar --numeric-owner --xattrs --acls -C $root -c . | docker import - $image_name
+
+# and test
+docker run -i -u root $image_name /bin/echo Success.
+
+rm -r $tmpdir
diff --git a/engine/contrib/mkimage-yum.sh b/engine/contrib/mkimage-yum.sh
new file mode 100755
index 00000000..90128045
--- /dev/null
+++ b/engine/contrib/mkimage-yum.sh
@@ -0,0 +1,136 @@
+#!/usr/bin/env bash
+#
+# Create a base CentOS Docker image.
+#
+# This script is useful on systems with yum installed (e.g., building
+# a CentOS image on CentOS).  See contrib/mkimage-rinse.sh for a way
+# to build CentOS images on other systems.
+
+set -e
+
+usage() {
+    cat <<EOOPTS
+$(basename $0) [OPTIONS] <name>
+OPTIONS:
+  -p "<packages>"  The list of packages to install in the container.
+                   The default is blank.
+  -g "<groups>"    The groups of packages to install in the container.
+                   The default is "Core".
+  -y <yumconf>     The path to the yum config to install packages from. The
+                   default is /etc/yum.conf for Centos/RHEL and /etc/dnf/dnf.conf for Fedora
+EOOPTS
+    exit 1
+}
+
+# option defaults
+yum_config=/etc/yum.conf
+if [ -f /etc/dnf/dnf.conf ] && command -v dnf &> /dev/null; then
+	yum_config=/etc/dnf/dnf.conf
+	alias yum=dnf
+fi
+install_groups="Core"
+while getopts ":y:p:g:h" opt; do
+    case $opt in
+        y)
+            yum_config=$OPTARG
+            ;;
+        h)
+            usage
+            ;;
+        p)
+            install_packages="$OPTARG"
+            ;;
+        g)
+            install_groups="$OPTARG"
+            ;;
+        \?)
+            echo "Invalid option: -$OPTARG"
+            usage
+            ;;
+    esac
+done
+shift $((OPTIND - 1))
+name=$1
+
+if [[ -z $name ]]; then
+    usage
+fi
+
+target=$(mktemp -d --tmpdir $(basename $0).XXXXXX)
+
+set -x
+
+mkdir -m 755 "$target"/dev
+mknod -m 600 "$target"/dev/console c 5 1
+mknod -m 600 "$target"/dev/initctl p
+mknod -m 666 "$target"/dev/full c 1 7
+mknod -m 666 "$target"/dev/null c 1 3
+mknod -m 666 "$target"/dev/ptmx c 5 2
+mknod -m 666 "$target"/dev/random c 1 8
+mknod -m 666 "$target"/dev/tty c 5 0
+mknod -m 666 "$target"/dev/tty0 c 4 0
+mknod -m 666 "$target"/dev/urandom c 1 9
+mknod -m 666 "$target"/dev/zero c 1 5
+
+# amazon linux yum will fail without vars set
+if [ -d /etc/yum/vars ]; then
+	mkdir -p -m 755 "$target"/etc/yum
+	cp -a /etc/yum/vars "$target"/etc/yum/
+fi
+
+if [[ -n "$install_groups" ]];
+then
+    yum -c "$yum_config" --installroot="$target" --releasever=/ --setopt=tsflags=nodocs \
+        --setopt=group_package_types=mandatory -y groupinstall "$install_groups"
+fi
+
+if [[ -n "$install_packages" ]];
+then
+    yum -c "$yum_config" --installroot="$target" --releasever=/ --setopt=tsflags=nodocs \
+        --setopt=group_package_types=mandatory -y install "$install_packages"
+fi
+
+yum -c "$yum_config" --installroot="$target" -y clean all
+
+cat > "$target"/etc/sysconfig/network <<EOF
+NETWORKING=yes
+HOSTNAME=localhost.localdomain
+EOF
+
+# effectively: febootstrap-minimize --keep-zoneinfo --keep-rpmdb --keep-services "$target".
+#  locales
+rm -rf "$target"/usr/{{lib,share}/locale,{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive}
+#  docs and man pages
+rm -rf "$target"/usr/share/{man,doc,info,gnome/help}
+#  cracklib
+rm -rf "$target"/usr/share/cracklib
+#  i18n
+rm -rf "$target"/usr/share/i18n
+#  yum cache
+rm -rf "$target"/var/cache/yum
+mkdir -p --mode=0755 "$target"/var/cache/yum
+#  sln
+rm -rf "$target"/sbin/sln
+#  ldconfig
+rm -rf "$target"/etc/ld.so.cache "$target"/var/cache/ldconfig
+mkdir -p --mode=0755 "$target"/var/cache/ldconfig
+
+version=
+for file in "$target"/etc/{redhat,system}-release
+do
+    if [ -r "$file" ]; then
+        version="$(sed 's/^[^0-9\]*\([0-9.]\+\).*$/\1/' "$file")"
+        break
+    fi
+done
+
+if [ -z "$version" ]; then
+    echo >&2 "warning: cannot autodetect OS version, using '$name' as tag"
+    version=$name
+fi
+
+tar --numeric-owner -c -C "$target" . | docker import - $name:$version
+
+docker run -i -t --rm $name:$version /bin/bash -c 'echo success'
+
+rm -rf "$target"
diff --git a/engine/contrib/mkimage.sh b/engine/contrib/mkimage.sh
new file mode 100755
index 00000000..ae05d139
--- /dev/null
+++ b/engine/contrib/mkimage.sh
@@ -0,0 +1,120 @@
+#!/usr/bin/env bash
+set -e
+
+mkimg="$(basename "$0")"
+
+usage() {
+	echo >&2 "usage: $mkimg [-d dir] [-t tag] [--compression algo| --no-compression] script [script-args]"
+	echo >&2 "   ie: $mkimg -t someuser/debian debootstrap --variant=minbase jessie"
+	echo >&2 "       $mkimg -t someuser/ubuntu debootstrap --include=ubuntu-minimal --components=main,universe trusty"
+	echo >&2 "       $mkimg -t someuser/busybox busybox-static"
+	echo >&2 "       $mkimg -t someuser/centos:5 rinse --distribution centos-5"
+	echo >&2 "       $mkimg -t someuser/mageia:4 mageia-urpmi --version=4"
+	echo >&2 "       $mkimg -t someuser/mageia:4 mageia-urpmi --version=4 --mirror=http://somemirror/"
+	exit 1
+}
+
+scriptDir="$(dirname "$(readlink -f "$BASH_SOURCE")")/mkimage"
+
+os=
+os=$(uname -o)
+
+optTemp=$(getopt --options '+d:t:c:hC' --longoptions 'dir:,tag:,compression:,no-compression,help' --name "$mkimg" -- "$@")
+eval set -- "$optTemp"
+unset optTemp
+
+dir=
+tag=
+compression="auto"
+while true; do
+	case "$1" in
+		-d|--dir) dir="$2" ; shift 2 ;;
+		-t|--tag) tag="$2" ; shift 2 ;;
+		--compression)    compression="$2"   ; shift 2 ;;
+		--no-compression) compression="none" ; shift 1 ;;
+		-h|--help) usage ;;
+		--) shift ; break ;;
+	esac
+done
+
+script="$1"
+[ "$script" ] || usage
+shift
+
+if [ "$compression" == 'auto' ] || [ -z "$compression" ]
+then
+    compression='xz'
+fi
+
+[ "$compression" == 'none' ] && compression=''
+
+if [ ! -x "$scriptDir/$script" ]; then
+	echo >&2 "error: $script does not exist or is not executable"
+	echo >&2 "  see $scriptDir for possible scripts"
+	exit 1
+fi
+
+# don't mistake common scripts like .febootstrap-minimize as image-creators
+if [[ "$script" == .* ]]; then
+	echo >&2 "error: $script is a script helper, not a script"
+	echo >&2 "  see $scriptDir for possible scripts"
+	exit 1
+fi
+
+delDir=
+if [ -z "$dir" ]; then
+	dir="$(mktemp -d ${TMPDIR:-/var/tmp}/docker-mkimage.XXXXXXXXXX)"
+	delDir=1
+fi
+
+rootfsDir="$dir/rootfs"
+( set -x; mkdir -p "$rootfsDir" )
+
+# pass all remaining arguments to $script
+"$scriptDir/$script" "$rootfsDir" "$@"
+
+# Docker mounts tmpfs at /dev and procfs at /proc so we can remove them
+rm -rf "$rootfsDir/dev" "$rootfsDir/proc"
+mkdir -p "$rootfsDir/dev" "$rootfsDir/proc"
+
+# make sure /etc/resolv.conf has something useful in it
+mkdir -p "$rootfsDir/etc"
+cat > "$rootfsDir/etc/resolv.conf" <<'EOF'
+nameserver 8.8.8.8
+nameserver 8.8.4.4
+EOF
+
+tarFile="$dir/rootfs.tar${compression:+.$compression}"
+touch "$tarFile"
+
+(
+	set -x
+	tar --numeric-owner --create --auto-compress --file "$tarFile" --directory "$rootfsDir" --transform='s,^./,,' .
+)
+
+echo >&2 "+ cat > '$dir/Dockerfile'"
+cat > "$dir/Dockerfile" <<EOF
+FROM scratch
+ADD $(basename "$tarFile") /
+EOF
+
+# if our generated image has a decent shell, let's set a default command
+for shell in /bin/bash /usr/bin/fish /usr/bin/zsh /bin/sh; do
+	if [ -x "$rootfsDir/$shell" ]; then
+		( set -x; echo 'CMD ["'"$shell"'"]' >> "$dir/Dockerfile" )
+		break
+	fi
+done
+
+( set -x; rm -rf "$rootfsDir" )
+
+if [ "$tag" ]; then
+	( set -x; docker build -t "$tag" "$dir" )
+elif [ "$delDir" ]; then
+	# if we didn't specify a tag and we're going to delete our dir, let's just build an untagged image so that we did _something_
+	( set -x; docker build "$dir" )
+fi
+
+if [ "$delDir" ]; then
+	( set -x; rm -rf "$dir" )
+fi
diff --git a/engine/contrib/mkimage/.febootstrap-minimize b/engine/contrib/mkimage/.febootstrap-minimize
new file mode 100755
index 00000000..7749e63f
--- /dev/null
+++ b/engine/contrib/mkimage/.febootstrap-minimize
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -e
+
+rootfsDir="$1"
+shift
+
+(
+	cd "$rootfsDir"
+
+	# effectively: febootstrap-minimize --keep-zoneinfo --keep-rpmdb --keep-services "$target"
+	#  locales
+	rm -rf usr/{{lib,share}/locale,{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive}
+	#  docs and man pages
+	rm -rf usr/share/{man,doc,info,gnome/help}
+	#  cracklib
+	rm -rf usr/share/cracklib
+	#  i18n
+	rm -rf usr/share/i18n
+	#  yum cache
+	rm -rf var/cache/yum
+	mkdir -p --mode=0755 var/cache/yum
+	#  sln
+	rm -rf sbin/sln
+	#  ldconfig
+	#rm -rf sbin/ldconfig
+	rm -rf etc/ld.so.cache var/cache/ldconfig
+	mkdir -p --mode=0755 var/cache/ldconfig
+)
diff --git a/engine/contrib/mkimage/busybox-static b/engine/contrib/mkimage/busybox-static
new file mode 100755
index 00000000..e15322b4
--- /dev/null
+++ b/engine/contrib/mkimage/busybox-static
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -e
+
+rootfsDir="$1"
+shift
+
+busybox="$(which busybox 2>/dev/null || true)"
+if [ -z "$busybox" ]; then
+	echo >&2 'error: busybox: not found'
+	echo >&2 '  install it with your distribution "busybox-static" package'
+	exit 1
+fi
+if ! ldd "$busybox" 2>&1 | grep -q 'not a dynamic executable'; then
+	echo >&2 "error: '$busybox' appears to be a dynamic executable"
+	echo >&2 '  you should install your distribution "busybox-static" package instead'
+	exit 1
+fi
+
+mkdir -p "$rootfsDir/bin"
+rm -f "$rootfsDir/bin/busybox" # just in case
+cp "$busybox" "$rootfsDir/bin/busybox"
+
+(
+	cd "$rootfsDir"
+
+	IFS=$'\n'
+	modules=( $(bin/busybox --list-modules) )
+	unset IFS
+
+	for module in "${modules[@]}"; do
+		mkdir -p "$(dirname "$module")"
+		ln -sf /bin/busybox "$module"
+	done
+)
diff --git a/engine/contrib/mkimage/debootstrap b/engine/contrib/mkimage/debootstrap
new file mode 100755
index 00000000..9f7d8987
--- /dev/null
+++ b/engine/contrib/mkimage/debootstrap
@@ -0,0 +1,251 @@
+#!/usr/bin/env bash
+set -e
+
+mkimgdeb="$(basename "$0")"
+mkimg="$(dirname "$0").sh"
+
+usage() {
+	echo >&2 "usage: $mkimgdeb rootfsDir suite [debootstrap-args]"
+	echo >&2 " note: $mkimgdeb meant to be used from $mkimg"
+	exit 1
+}
+
+rootfsDir="$1"
+if [ -z "$rootfsDir" ]; then
+	echo >&2 "error: rootfsDir is missing"
+	echo >&2
+	usage
+fi
+shift
+
+# we have to do a little fancy footwork to make sure "rootfsDir" becomes the second non-option argument to debootstrap
+
+before=()
+while [ $# -gt 0 ] && [[ "$1" == -* ]]; do
+	before+=( "$1" )
+	shift
+done
+
+suite="$1"
+if [ -z "$suite" ]; then
+	echo >&2 "error: suite is missing"
+	echo >&2
+	usage
+fi
+shift
+
+# get path to "chroot" in our current PATH
+chrootPath="$(type -P chroot || :)"
+if [ -z "$chrootPath" ]; then
+	echo >&2 "error: chroot not found. Are you root?"
+	echo >&2
+	usage
+fi
+
+rootfs_chroot() {
+	# "chroot" doesn't set PATH, so we need to set it explicitly to something our new debootstrap chroot can use appropriately!
+
+	# set PATH and chroot away!
+	PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
+		"$chrootPath" "$rootfsDir" "$@"
+}
+
+# allow for DEBOOTSTRAP=qemu-debootstrap ./mkimage.sh ...
+: ${DEBOOTSTRAP:=debootstrap}
+
+(
+	set -x
+	$DEBOOTSTRAP "${before[@]}" "$suite" "$rootfsDir" "$@"
+)
+
+# now for some Docker-specific tweaks
+
+# prevent init scripts from running during install/update
+echo >&2 "+ echo exit 101 > '$rootfsDir/usr/sbin/policy-rc.d'"
+cat > "$rootfsDir/usr/sbin/policy-rc.d" <<-'EOF'
+	#!/bin/sh
+
+	# For most Docker users, "apt-get install" only happens during "docker build",
+	# where starting services doesn't work and often fails in humorous ways. This
+	# prevents those failures by stopping the services from attempting to start.
+
+	exit 101
+EOF
+chmod +x "$rootfsDir/usr/sbin/policy-rc.d"
+
+# prevent upstart scripts from running during install/update
+(
+	set -x
+	rootfs_chroot dpkg-divert --local --rename --add /sbin/initctl
+	cp -a "$rootfsDir/usr/sbin/policy-rc.d" "$rootfsDir/sbin/initctl"
+	sed -i 's/^exit.*/exit 0/' "$rootfsDir/sbin/initctl"
+)
+
+# shrink a little, since apt makes us cache-fat (wheezy: ~157.5MB vs ~120MB)
+( set -x; rootfs_chroot apt-get clean )
+
+# this file is one APT creates to make sure we don't "autoremove" our currently
+# in-use kernel, which doesn't really apply to debootstraps/Docker images that
+# don't even have kernels installed
+rm -f "$rootfsDir/etc/apt/apt.conf.d/01autoremove-kernels"
+
+# Ubuntu 10.04 sucks... :)
+if strings "$rootfsDir/usr/bin/dpkg" | grep -q unsafe-io; then
+	# force dpkg not to call sync() after package extraction (speeding up installs)
+	echo >&2 "+ echo force-unsafe-io > '$rootfsDir/etc/dpkg/dpkg.cfg.d/docker-apt-speedup'"
+	cat > "$rootfsDir/etc/dpkg/dpkg.cfg.d/docker-apt-speedup" <<-'EOF'
+		# For most Docker users, package installs happen during "docker build", which
+		# doesn't survive power loss and gets restarted clean afterwards anyhow, so
+		# this minor tweak gives us a nice speedup (much nicer on spinning disks,
+		# obviously).
+
+		force-unsafe-io
+	EOF
+fi
+
+if [ -d "$rootfsDir/etc/apt/apt.conf.d" ]; then
+	# _keep_ us lean by effectively running "apt-get clean" after every install
+	aptGetClean='"rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true";'
+	echo >&2 "+ cat > '$rootfsDir/etc/apt/apt.conf.d/docker-clean'"
+	cat > "$rootfsDir/etc/apt/apt.conf.d/docker-clean" <<-EOF
+		# Since for most Docker users, package installs happen in "docker build" steps,
+		# they essentially become individual layers due to the way Docker handles
+		# layering, especially using CoW filesystems.  What this means for us is that
+		# the caches that APT keeps end up just wasting space in those layers, making
+		# our layers unnecessarily large (especially since we'll normally never use
+		# these caches again and will instead just "docker build" again and make a brand
+		# new image).
+
+		# Ideally, these would just be invoking "apt-get clean", but in our testing,
+		# that ended up being cyclic and we got stuck on APT's lock, so we get this fun
+		# creation that's essentially just "apt-get clean".
+		DPkg::Post-Invoke { ${aptGetClean} };
+		APT::Update::Post-Invoke { ${aptGetClean} };
+
+		Dir::Cache::pkgcache "";
+		Dir::Cache::srcpkgcache "";
+
+		# Note that we do realize this isn't the ideal way to do this, and are always
+		# open to better suggestions (https://github.com/docker/docker/issues).
+	EOF
+
+	# remove apt-cache translations for fast "apt-get update"
+	echo >&2 "+ echo Acquire::Languages 'none' > '$rootfsDir/etc/apt/apt.conf.d/docker-no-languages'"
+	cat > "$rootfsDir/etc/apt/apt.conf.d/docker-no-languages" <<-'EOF'
+		# In Docker, we don't often need the "Translations" files, so we're just wasting
+		# time and space by downloading them, and this inhibits that.  For users that do
+		# need them, it's a simple matter to delete this file and "apt-get update". :)
+
+		Acquire::Languages "none";
+	EOF
+
+	echo >&2 "+ echo Acquire::GzipIndexes 'true' > '$rootfsDir/etc/apt/apt.conf.d/docker-gzip-indexes'"
+	cat > "$rootfsDir/etc/apt/apt.conf.d/docker-gzip-indexes" <<-'EOF'
+		# Since Docker users using "RUN apt-get update && apt-get install -y ..." in
+		# their Dockerfiles don't go delete the lists files afterwards, we want them to
+		# be as small as possible on-disk, so we explicitly request "gz" versions and
+		# tell Apt to keep them gzipped on-disk.
+
+		# For comparison, an "apt-get update" layer without this on a pristine
+		# "debian:wheezy" base image was "29.88 MB", where with this it was only
+		# "8.273 MB".
+
+		Acquire::GzipIndexes "true";
+		Acquire::CompressionTypes::Order:: "gz";
+	EOF
+
+	# update "autoremove" configuration to be aggressive about removing suggests deps that weren't manually installed
+	echo >&2 "+ echo Apt::AutoRemove::SuggestsImportant 'false' > '$rootfsDir/etc/apt/apt.conf.d/docker-autoremove-suggests'"
+	cat > "$rootfsDir/etc/apt/apt.conf.d/docker-autoremove-suggests" <<-'EOF'
+		# Since Docker users are looking for the smallest possible final images, the
+		# following emerges as a very common pattern:
+
+		#   RUN apt-get update \
+		#       && apt-get install -y <packages> \
+		#       && <do some compilation work> \
+		#       && apt-get purge -y --auto-remove <packages>
+
+		# By default, APT will actually _keep_ packages installed via Recommends or
+		# Depends if another package Suggests them, even and including if the package
+		# that originally caused them to be installed is removed.  Setting this to
+		# "false" ensures that APT is appropriately aggressive about removing the
+		# packages it added.
+
+		# https://aptitude.alioth.debian.org/doc/en/ch02s05s05.html#configApt-AutoRemove-SuggestsImportant
+		Apt::AutoRemove::SuggestsImportant "false";
+	EOF
+fi
+
+if [ -z "$DONT_TOUCH_SOURCES_LIST" ]; then
+	# tweak sources.list, where appropriate
+	lsbDist=
+	if [ -z "$lsbDist" -a -r "$rootfsDir/etc/os-release" ]; then
+		lsbDist="$(. "$rootfsDir/etc/os-release" && echo "$ID")"
+	fi
+	if [ -z "$lsbDist" -a -r "$rootfsDir/etc/lsb-release" ]; then
+		lsbDist="$(. "$rootfsDir/etc/lsb-release" && echo "$DISTRIB_ID")"
+	fi
+	if [ -z "$lsbDist" -a -r "$rootfsDir/etc/debian_version" ]; then
+		lsbDist='Debian'
+	fi
+	# normalize to lowercase for easier matching
+	lsbDist="$(echo "$lsbDist" | tr '[:upper:]' '[:lower:]')"
+	case "$lsbDist" in
+		debian)
+			# updates and security!
+			if curl -o /dev/null -s --head --fail "http://security.debian.org/dists/$suite/updates/main/binary-$(rootfs_chroot dpkg --print-architecture)/Packages.gz"; then
+				(
+					set -x
+					sed -i "
+						p;
+						s/ $suite / ${suite}-updates /
+					" "$rootfsDir/etc/apt/sources.list"
+					echo "deb http://security.debian.org $suite/updates main" >> "$rootfsDir/etc/apt/sources.list"
+				)
+			fi
+			;;
+		ubuntu)
+			# add the updates and security repositories
+			(
+				set -x
+				sed -i "
+					p;
+					s/ $suite / ${suite}-updates /; p;
+					s/ $suite-updates / ${suite}-security /
+				" "$rootfsDir/etc/apt/sources.list"
+			)
+			;;
+		tanglu)
+			# add the updates repository
+			if [ "$suite" != 'devel' ]; then
+				(
+					set -x
+					sed -i "
+						p;
+						s/ $suite / ${suite}-updates /
+					" "$rootfsDir/etc/apt/sources.list"
+				)
+			fi
+			;;
+		steamos)
+			# add contrib and non-free if "main" is the only component
+			(
+				set -x
+				sed -i "s/ $suite main$/ $suite main contrib non-free/" "$rootfsDir/etc/apt/sources.list"
+			)
+			;;
+	esac
+fi
+
+(
+	set -x
+
+	# make sure we're fully up-to-date
+	rootfs_chroot sh -xc 'apt-get update && apt-get dist-upgrade -y'
+
+	# delete all the apt list files since they're big and get stale quickly
+	rm -rf "$rootfsDir/var/lib/apt/lists"/*
+	# this forces "apt-get update" in dependent images, which is also good
+
+	mkdir "$rootfsDir/var/lib/apt/lists/partial" # Lucid... "E: Lists directory /var/lib/apt/lists/partial is missing."
+)
diff --git a/engine/contrib/mkimage/mageia-urpmi b/engine/contrib/mkimage/mageia-urpmi
new file mode 100755
index 00000000..93fb289c
--- /dev/null
+++ b/engine/contrib/mkimage/mageia-urpmi
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+#
+# Needs to be run from Mageia 4 or greater for kernel support for docker.
+#
+# Mageia 4 does not have docker available in official repos, so please
+# install and run the docker binary manually.
+#
+# Tested working versions are for Mageia 2 onwards (inc. cauldron).
+#
+set -e
+
+rootfsDir="$1"
+shift
+
+optTemp=$(getopt --options '+v:,m:' --longoptions 'version:,mirror:' --name mageia-urpmi -- "$@")
+eval set -- "$optTemp"
+unset optTemp
+
+installversion=
+mirror=
+while true; do
+	case "$1" in
+		-v|--version) installversion="$2" ; shift 2 ;;
+		-m|--mirror) mirror="$2" ; shift 2 ;;
+		--) shift ; break ;;
+	esac
+done
+
+if [ -z $installversion ]; then
+	# Attempt to match host version
+	if [ -r /etc/mageia-release ]; then
+		installversion="$(sed 's/^[^0-9\]*\([0-9.]\+\).*$/\1/' /etc/mageia-release)"
+	else
+		echo "Error: no version supplied and unable to detect host mageia version"
+		exit 1
+	fi
+fi
+
+if [ -z $mirror ]; then
+	# No mirror provided, default to mirrorlist
+	mirror="--mirrorlist https://mirrors.mageia.org/api/mageia.$installversion.x86_64.list"
+fi
+
+(
+	set -x
+	urpmi.addmedia --distrib \
+		$mirror \
+		--urpmi-root "$rootfsDir"
+	urpmi basesystem-minimal urpmi \
+		--auto \
+		--no-suggests \
+		--urpmi-root "$rootfsDir" \
+		--root "$rootfsDir"
+)
+
+"$(dirname "$BASH_SOURCE")/.febootstrap-minimize" "$rootfsDir"
+
+if [ -d "$rootfsDir/etc/sysconfig" ]; then
+	# allow networking init scripts inside the container to work without extra steps
+	echo 'NETWORKING=yes' > "$rootfsDir/etc/sysconfig/network"
+fi
diff --git a/engine/contrib/mkimage/rinse b/engine/contrib/mkimage/rinse
new file mode 100755
index 00000000..75eb4f0d
--- /dev/null
+++ b/engine/contrib/mkimage/rinse
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -e
+
+rootfsDir="$1"
+shift
+
+# specifying --arch below is safe because "$@" can override it and the "latest" one wins :)
+
+(
+	set -x
+	rinse --directory "$rootfsDir" --arch amd64 "$@"
+)
+
+"$(dirname "$BASH_SOURCE")/.febootstrap-minimize" "$rootfsDir"
+
+if [ -d "$rootfsDir/etc/sysconfig" ]; then
+	# allow networking init scripts inside the container to work without extra steps
+	echo 'NETWORKING=yes' > "$rootfsDir/etc/sysconfig/network"
+fi
+
+# make sure we're fully up-to-date, too
+(
+	set -x
+	chroot "$rootfsDir" yum update -y
+)
diff --git a/engine/contrib/nnp-test/Dockerfile b/engine/contrib/nnp-test/Dockerfile
new file mode 100644
index 00000000..026d8695
--- /dev/null
+++ b/engine/contrib/nnp-test/Dockerfile
@@ -0,0 +1,9 @@
+FROM buildpack-deps:jessie
+
+COPY . /usr/src/
+
+WORKDIR /usr/src/
+
+RUN gcc -g -Wall -static nnp-test.c -o /usr/bin/nnp-test
+
+RUN chmod +s /usr/bin/nnp-test
diff --git a/engine/contrib/nnp-test/nnp-test.c b/engine/contrib/nnp-test/nnp-test.c
new file mode 100644
index 00000000..b767da7e
--- /dev/null
+++ b/engine/contrib/nnp-test/nnp-test.c
@@ -0,0 +1,10 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+int main(int argc, char *argv[])
+{
+        printf("EUID=%d\n", geteuid());
+        return 0;
+}
+
diff --git a/engine/contrib/nuke-graph-directory.sh b/engine/contrib/nuke-graph-directory.sh
new file mode 100755
index 00000000..3d2f49e8
--- /dev/null
+++ b/engine/contrib/nuke-graph-directory.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -e
+
+dir="$1"
+
+if [ -z "$dir" ]; then
+	{
+		echo 'This script is for destroying old /var/lib/docker directories more safely than'
+		echo '  "rm -rf", which can cause data loss or other serious issues.'
+		echo
+		echo "usage: $0 directory"
+		echo "   ie: $0 /var/lib/docker"
+	} >&2
+	exit 1
+fi
+
+if [ "$(id -u)" != 0 ]; then
+	echo >&2 "error: $0 must be run as root"
+	exit 1
+fi
+
+if [ ! -d "$dir" ]; then
+	echo >&2 "error: $dir is not a directory"
+	exit 1
+fi
+
+dir="$(readlink -f "$dir")"
+
+echo
+echo "Nuking $dir ..."
+echo '  (if this is wrong, press Ctrl+C NOW!)'
+echo
+
+( set -x; sleep 10 )
+echo
+
+dir_in_dir() {
+	inner="$1"
+	outer="$2"
+	[ "${inner#$outer}" != "$inner" ]
+}
+
+# let's start by unmounting any submounts in $dir
+#   (like -v /home:... for example - DON'T DELETE MY HOME DIRECTORY BRU!)
+for mount in $(awk '{ print $5 }' /proc/self/mountinfo); do
+	mount="$(readlink -f "$mount" || true)"
+	if [ "$dir" != "$mount" ] && dir_in_dir "$mount" "$dir"; then
+		( set -x; umount -f "$mount" )
+	fi
+done
+
+# now, let's go destroy individual btrfs subvolumes, if any exist
+if command -v btrfs > /dev/null 2>&1; then
+	# Find btrfs subvolumes under $dir checking for inode 256
+	# Source: http://stackoverflow.com/a/32865333
+	for subvol in $(find "$dir" -type d -inum 256 | sort -r); do
+		if [ "$dir" != "$subvol" ]; then
+			( set -x; btrfs subvolume delete "$subvol" )
+		fi
+	done
+fi
+
+# finally, DESTROY ALL THINGS
+( shopt -s dotglob; set -x; rm -rf "$dir"/* )
diff --git a/engine/contrib/report-issue.sh b/engine/contrib/report-issue.sh
new file mode 100755
index 00000000..cb54f1a5
--- /dev/null
+++ b/engine/contrib/report-issue.sh
@@ -0,0 +1,105 @@
+#!/bin/sh
+
+# This is a convenience script for reporting issues that include a base
+# template of information. See https://github.com/docker/docker/pull/8845
+
+set -e
+
+DOCKER_ISSUE_URL=${DOCKER_ISSUE_URL:-"https://github.com/docker/docker/issues/new"}
+DOCKER_ISSUE_NAME_PREFIX=${DOCKER_ISSUE_NAME_PREFIX:-"Report: "}
+DOCKER=${DOCKER:-"docker"}
+DOCKER_COMMAND="${DOCKER}"
+export DOCKER_COMMAND
+
+# pulled from https://gist.github.com/cdown/1163649
+function urlencode() {
+	# urlencode <string>
+
+	local length="${#1}"
+	for (( i = 0; i < length; i++ )); do
+			local c="${1:i:1}"
+			case $c in
+					[a-zA-Z0-9.~_-]) printf "$c" ;;
+					*) printf '%%%02X' "'$c"
+			esac
+	done
+}
+
+function template() {
+# this should always match the template from CONTRIBUTING.md
+	cat <<- EOM
+	Description of problem:
+
+
+	\`docker version\`:
+	`${DOCKER_COMMAND} -D version`
+
+
+	\`docker info\`:
+	`${DOCKER_COMMAND} -D info`
+
+
+	\`uname -a\`:
+	`uname -a`
+
+
+	Environment details (AWS, VirtualBox, physical, etc.):
+
+
+	How reproducible:
+
+
+	Steps to Reproduce:
+	1.
+	2.
+	3.
+
+
+	Actual Results:
+
+
+	Expected Results:
+
+
+	Additional info:
+
+
+	EOM
+}
+
+function format_issue_url() {
+	if [ ${#@} -ne 2 ] ; then
+		return 1
+	fi
+	local issue_name=$(urlencode "${DOCKER_ISSUE_NAME_PREFIX}${1}")
+	local issue_body=$(urlencode "${2}")
+	echo "${DOCKER_ISSUE_URL}?title=${issue_name}&body=${issue_body}"
+}
+
+
+echo -ne "Do you use \`sudo\` to call docker? [y|N]: "
+read -r -n 1 use_sudo
+echo ""
+
+if [ "x${use_sudo}" = "xy" -o "x${use_sudo}" = "xY" ]; then
+	export DOCKER_COMMAND="sudo ${DOCKER}"
+fi
+
+echo -ne "Title of new issue?: "
+read -r issue_title
+echo ""
+
+issue_url=$(format_issue_url "${issue_title}" "$(template)")
+
+if which xdg-open 2>/dev/null >/dev/null ; then
+	echo -ne "Would like to launch this report in your browser? [Y|n]: "
+	read -r -n 1 launch_now
+	echo ""
+
+	if [ "${launch_now}" != "n" -a "${launch_now}" != "N" ]; then
+		xdg-open "${issue_url}"
+	fi
+fi
+
+echo "If you would like to manually open the url, you can open this link if your browser: ${issue_url}"
+
diff --git a/engine/contrib/syntax/nano/Dockerfile.nanorc b/engine/contrib/syntax/nano/Dockerfile.nanorc
new file mode 100644
index 00000000..8b63dae9
--- /dev/null
+++ b/engine/contrib/syntax/nano/Dockerfile.nanorc
@@ -0,0 +1,26 @@
+## Syntax highlighting for Dockerfiles
+syntax "Dockerfile" "Dockerfile[^/]*$"
+
+## Keywords
+icolor red "^(ONBUILD\s+)?(ADD|ARG|CMD|COPY|ENTRYPOINT|ENV|EXPOSE|FROM|HEALTHCHECK|LABEL|MAINTAINER|RUN|SHELL|STOPSIGNAL|USER|VOLUME|WORKDIR)[[:space:]]"
+
+## Brackets & parenthesis
+color brightgreen "(\(|\)|\[|\])"
+
+## Double ampersand
+color brightmagenta "&&"
+
+## Comments
+icolor cyan "^[[:space:]]*#.*$"
+
+## Blank space at EOL
+color ,green "[[:space:]]+$"
+
+## Strings, single-quoted
+color brightwhite "'([^']|(\\'))*'" "%[qw]\{[^}]*\}" "%[qw]\([^)]*\)" "%[qw]<[^>]*>" "%[qw]\[[^]]*\]" "%[qw]\$[^$]*\$" "%[qw]\^[^^]*\^" "%[qw]![^!]*!"
+
+## Strings, double-quoted
+color brightwhite ""([^"]|(\\"))*"" "%[QW]?\{[^}]*\}" "%[QW]?\([^)]*\)" "%[QW]?<[^>]*>" "%[QW]?\[[^]]*\]" "%[QW]?\$[^$]*\$" "%[QW]?\^[^^]*\^" "%[QW]?![^!]*!"
+
+## Single and double quotes
+color brightyellow "('|\")"
diff --git a/engine/contrib/syntax/nano/README.md b/engine/contrib/syntax/nano/README.md
new file mode 100644
index 00000000..5985208b
--- /dev/null
+++ b/engine/contrib/syntax/nano/README.md
@@ -0,0 +1,32 @@
+Dockerfile.nanorc
+=================
+
+Dockerfile syntax highlighting for nano
+
+Single User Installation
+------------------------
+1. Create a nano syntax directory in your home directory:
+ * `mkdir -p ~/.nano/syntax`
+
+2. Copy `Dockerfile.nanorc` to` ~/.nano/syntax/`
+ * `cp Dockerfile.nanorc ~/.nano/syntax/`
+
+3. Add the following to your `~/.nanorc` to tell nano where to find the `Dockerfile.nanorc` file
+  ```
+## Dockerfile files
+include "~/.nano/syntax/Dockerfile.nanorc"
+  ```
+
+System Wide Installation
+------------------------
+1. Create a nano syntax directory: 
+  * `mkdir /usr/local/share/nano`
+
+2. Copy `Dockerfile.nanorc` to `/usr/local/share/nano`
+  * `cp Dockerfile.nanorc /usr/local/share/nano/`
+
+3. Add the following to your `/etc/nanorc`:
+  ```
+## Dockerfile files
+include "/usr/local/share/nano/Dockerfile.nanorc"
+  ```
diff --git a/engine/contrib/syntax/textmate/Docker.tmbundle/Preferences/Dockerfile.tmPreferences b/engine/contrib/syntax/textmate/Docker.tmbundle/Preferences/Dockerfile.tmPreferences
new file mode 100644
index 00000000..20f0d04c
--- /dev/null
+++ b/engine/contrib/syntax/textmate/Docker.tmbundle/Preferences/Dockerfile.tmPreferences
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>name</key>
+	<string>Comments</string>
+	<key>scope</key>
+	<string>source.dockerfile</string>
+	<key>settings</key>
+	<dict>
+		<key>shellVariables</key>
+		<array>
+			<dict>
+				<key>name</key>
+				<string>TM_COMMENT_START</string>
+				<key>value</key>
+				<string># </string>
+			</dict>
+		</array>
+	</dict>
+	<key>uuid</key>
+	<string>2B215AC0-A7F3-4090-9FF6-F4842BD56CA7</string>
+</dict>
+</plist>
diff --git a/engine/contrib/syntax/textmate/Docker.tmbundle/Syntaxes/Dockerfile.tmLanguage b/engine/contrib/syntax/textmate/Docker.tmbundle/Syntaxes/Dockerfile.tmLanguage
new file mode 100644
index 00000000..a4a7b7ae
--- /dev/null
+++ b/engine/contrib/syntax/textmate/Docker.tmbundle/Syntaxes/Dockerfile.tmLanguage
@@ -0,0 +1,160 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>fileTypes</key>
+	<array>
+		<string>Dockerfile</string>
+	</array>
+	<key>name</key>
+	<string>Dockerfile</string>
+	<key>patterns</key>
+	<array>
+		<dict>
+			<key>captures</key>
+			<dict>
+				<key>1</key>
+				<dict>
+					<key>name</key>
+					<string>keyword.other.special-method.dockerfile</string>
+				</dict>
+				<key>2</key>
+				<dict>
+					<key>name</key>
+					<string>keyword.other.special-method.dockerfile</string>
+				</dict>
+			</dict>
+			<key>match</key>
+			<string>^\s*\b(?i:(FROM))\b.*?\b(?i:(AS))\b</string>
+		</dict>
+		<dict>
+			<key>captures</key>
+			<dict>
+				<key>1</key>
+				<dict>
+					<key>name</key>
+					<string>keyword.control.dockerfile</string>
+				</dict>
+				<key>2</key>
+				<dict>
+					<key>name</key>
+					<string>keyword.other.special-method.dockerfile</string>
+				</dict>
+			</dict>
+			<key>match</key>
+			<string>^\s*(?i:(ONBUILD)\s+)?(?i:(ADD|ARG|CMD|COPY|ENTRYPOINT|ENV|EXPOSE|FROM|HEALTHCHECK|LABEL|MAINTAINER|RUN|SHELL|STOPSIGNAL|USER|VOLUME|WORKDIR))\s</string>
+		</dict>
+		<dict>
+			<key>captures</key>
+			<dict>
+				<key>1</key>
+				<dict>
+					<key>name</key>
+					<string>keyword.operator.dockerfile</string>
+				</dict>
+				<key>2</key>
+				<dict>
+					<key>name</key>
+					<string>keyword.other.special-method.dockerfile</string>
+				</dict>
+			</dict>
+			<key>match</key>
+			<string>^\s*(?i:(ONBUILD)\s+)?(?i:(CMD|ENTRYPOINT))\s</string>
+		</dict>
+		<dict>
+			<key>begin</key>
+			<string>"</string>
+			<key>beginCaptures</key>
+			<dict>
+				<key>1</key>
+				<dict>
+					<key>name</key>
+					<string>punctuation.definition.string.begin.dockerfile</string>
+				</dict>
+			</dict>
+			<key>end</key>
+			<string>"</string>
+			<key>endCaptures</key>
+			<dict>
+				<key>1</key>
+				<dict>
+					<key>name</key>
+					<string>punctuation.definition.string.end.dockerfile</string>
+				</dict>
+			</dict>
+			<key>name</key>
+			<string>string.quoted.double.dockerfile</string>
+			<key>patterns</key>
+			<array>
+				<dict>
+					<key>match</key>
+					<string>\\.</string>
+					<key>name</key>
+					<string>constant.character.escaped.dockerfile</string>
+				</dict>
+			</array>
+		</dict>
+		<dict>
+			<key>begin</key>
+			<string>'</string>
+			<key>beginCaptures</key>
+			<dict>
+				<key>1</key>
+				<dict>
+					<key>name</key>
+					<string>punctuation.definition.string.begin.dockerfile</string>
+				</dict>
+			</dict>
+			<key>end</key>
+			<string>'</string>
+			<key>endCaptures</key>
+			<dict>
+				<key>1</key>
+				<dict>
+					<key>name</key>
+					<string>punctuation.definition.string.end.dockerfile</string>
+				</dict>
+			</dict>
+			<key>name</key>
+			<string>string.quoted.single.dockerfile</string>
+			<key>patterns</key>
+			<array>
+				<dict>
+					<key>match</key>
+					<string>\\.</string>
+					<key>name</key>
+					<string>constant.character.escaped.dockerfile</string>
+				</dict>
+			</array>
+		</dict>
+		<dict>
+			<key>captures</key>
+			<dict>
+				<key>1</key>
+				<dict>
+					<key>name</key>
+					<string>punctuation.whitespace.comment.leading.dockerfile</string>
+				</dict>
+				<key>2</key>
+				<dict>
+					<key>name</key>
+					<string>comment.line.number-sign.dockerfile</string>
+				</dict>
+				<key>3</key>
+				<dict>
+					<key>name</key>
+					<string>punctuation.definition.comment.dockerfile</string>
+				</dict>
+			</dict>
+			<key>comment</key>
+			<string>comment.line</string>
+			<key>match</key>
+			<string>^(\s*)((#).*$\n?)</string>
+		</dict>
+	</array>
+	<key>scopeName</key>
+	<string>source.dockerfile</string>
+	<key>uuid</key>
+	<string>a39d8795-59d2-49af-aa00-fe74ee29576e</string>
+</dict>
+</plist>
diff --git a/engine/contrib/syntax/textmate/Docker.tmbundle/info.plist b/engine/contrib/syntax/textmate/Docker.tmbundle/info.plist
new file mode 100644
index 00000000..239f4b0a
--- /dev/null
+++ b/engine/contrib/syntax/textmate/Docker.tmbundle/info.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>contactEmailRot13</key>
+	<string>germ@andz.com.ar</string>
+	<key>contactName</key>
+	<string>GermanDZ</string>
+	<key>description</key>
+	<string>Helpers for Docker.</string>
+	<key>name</key>
+	<string>Docker</string>
+	<key>uuid</key>
+	<string>8B9DDBAF-E65C-4E12-FFA7-467D4AA535B1</string>
+</dict>
+</plist>
diff --git a/engine/contrib/syntax/textmate/README.md b/engine/contrib/syntax/textmate/README.md
new file mode 100644
index 00000000..ce611018
--- /dev/null
+++ b/engine/contrib/syntax/textmate/README.md
@@ -0,0 +1,17 @@
+# Docker.tmbundle
+
+Dockerfile syntax highlighting for TextMate and Sublime Text.
+
+## Install
+
+### Sublime Text
+
+Available for Sublime Text under [package control](https://sublime.wbond.net/packages/Dockerfile%20Syntax%20Highlighting).
+Search for *Dockerfile Syntax Highlighting*
+
+### TextMate 2
+
+You can install this bundle in TextMate by opening the preferences and going to the bundles tab. After installation it will be automatically updated for you.
+
+enjoy.
+
diff --git a/engine/contrib/syntax/textmate/REVIEWERS b/engine/contrib/syntax/textmate/REVIEWERS
new file mode 100644
index 00000000..965743df
--- /dev/null
+++ b/engine/contrib/syntax/textmate/REVIEWERS
@@ -0,0 +1 @@
+Asbjorn Enge <asbjorn@hanafjedle.net> (@asbjornenge)
diff --git a/engine/contrib/syntax/vim/LICENSE b/engine/contrib/syntax/vim/LICENSE
new file mode 100644
index 00000000..e67cdabd
--- /dev/null
+++ b/engine/contrib/syntax/vim/LICENSE
@@ -0,0 +1,22 @@
+Copyright (c) 2013 Honza Pokorny
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/engine/contrib/syntax/vim/README.md b/engine/contrib/syntax/vim/README.md
new file mode 100644
index 00000000..5aa9bd82
--- /dev/null
+++ b/engine/contrib/syntax/vim/README.md
@@ -0,0 +1,26 @@
+dockerfile.vim
+==============
+
+Syntax highlighting for Dockerfiles
+
+Installation
+------------
+With [pathogen](https://github.com/tpope/vim-pathogen), the usual way...
+
+With [Vundle](https://github.com/gmarik/Vundle.vim)
+  
+    Plugin 'docker/docker' , {'rtp': '/contrib/syntax/vim/'}
+
+Features
+--------
+
+The syntax highlighting includes:
+
+* The directives (e.g. `FROM`)
+* Strings
+* Comments
+
+License
+-------
+
+BSD, short and sweet
diff --git a/engine/contrib/syntax/vim/doc/dockerfile.txt b/engine/contrib/syntax/vim/doc/dockerfile.txt
new file mode 100644
index 00000000..e69e2b7b
--- /dev/null
+++ b/engine/contrib/syntax/vim/doc/dockerfile.txt
@@ -0,0 +1,18 @@
+*dockerfile.txt*  Syntax highlighting for Dockerfiles
+
+Author: Honza Pokorny <https://honza.ca>
+License: BSD
+
+INSTALLATION                                                     *installation*
+
+Drop it on your Pathogen path and you're all set.
+
+FEATURES                                                             *features*
+
+The syntax highlighting includes:
+
+* The directives (e.g. FROM)
+* Strings
+* Comments
+
+ vim:tw=78:et:ft=help:norl:
diff --git a/engine/contrib/syntax/vim/ftdetect/dockerfile.vim b/engine/contrib/syntax/vim/ftdetect/dockerfile.vim
new file mode 100644
index 00000000..a21dd140
--- /dev/null
+++ b/engine/contrib/syntax/vim/ftdetect/dockerfile.vim
@@ -0,0 +1 @@
+au BufNewFile,BufRead [Dd]ockerfile,[Dd]ockerfile.*,*.[Dd]ockerfile set filetype=dockerfile
diff --git a/engine/contrib/syntax/vim/syntax/dockerfile.vim b/engine/contrib/syntax/vim/syntax/dockerfile.vim
new file mode 100644
index 00000000..a067e6ad
--- /dev/null
+++ b/engine/contrib/syntax/vim/syntax/dockerfile.vim
@@ -0,0 +1,31 @@
+" dockerfile.vim - Syntax highlighting for Dockerfiles
+" Maintainer:   Honza Pokorny <https://honza.ca>
+" Version:      0.5
+
+
+if exists("b:current_syntax")
+    finish
+endif
+
+let b:current_syntax = "dockerfile"
+
+syntax case ignore
+
+syntax match dockerfileKeyword /\v^\s*(ONBUILD\s+)?(ADD|ARG|CMD|COPY|ENTRYPOINT|ENV|EXPOSE|FROM|HEALTHCHECK|LABEL|MAINTAINER|RUN|SHELL|STOPSIGNAL|USER|VOLUME|WORKDIR)\s/
+highlight link dockerfileKeyword Keyword
+
+syntax region dockerfileString start=/\v"/ skip=/\v\\./ end=/\v"/
+highlight link dockerfileString String
+
+syntax match dockerfileComment "\v^\s*#.*$"
+highlight link dockerfileComment Comment
+
+set commentstring=#\ %s
+
+" match "RUN", "CMD", and "ENTRYPOINT" lines, and parse them as shell
+let s:current_syntax = b:current_syntax
+unlet b:current_syntax
+syntax include @SH syntax/sh.vim
+let b:current_syntax = s:current_syntax
+syntax region shLine matchgroup=dockerfileKeyword start=/\v^\s*(RUN|CMD|ENTRYPOINT)\s/ end=/\v$/ contains=@SH
+" since @SH will handle "\" as part of the same line automatically, this "just works" for line continuation too, but with the caveat that it will highlight "RUN echo '" followed by a newline as if it were a block because the "'" is shell line continuation...  not sure how to fix that just yet (TODO)
diff --git a/engine/contrib/syscall-test/Dockerfile b/engine/contrib/syscall-test/Dockerfile
new file mode 100644
index 00000000..f95f1758
--- /dev/null
+++ b/engine/contrib/syscall-test/Dockerfile
@@ -0,0 +1,15 @@
+FROM buildpack-deps:jessie
+
+COPY . /usr/src/
+
+WORKDIR /usr/src/
+
+RUN gcc -g -Wall -static userns.c -o /usr/bin/userns-test \
+	&& gcc -g -Wall -static ns.c -o /usr/bin/ns-test \
+	&& gcc -g -Wall -static acct.c -o /usr/bin/acct-test \
+	&& gcc -g -Wall -static setuid.c -o /usr/bin/setuid-test \
+	&& gcc -g -Wall -static setgid.c -o /usr/bin/setgid-test \
+	&& gcc -g -Wall -static socket.c -o /usr/bin/socket-test \
+	&& gcc -g -Wall -static raw.c -o /usr/bin/raw-test
+
+RUN [ "$(uname -m)" = "x86_64" ] && gcc -s -m32 -nostdlib exit32.s -o /usr/bin/exit32-test || true
diff --git a/engine/contrib/syscall-test/acct.c b/engine/contrib/syscall-test/acct.c
new file mode 100644
index 00000000..88ac2879
--- /dev/null
+++ b/engine/contrib/syscall-test/acct.c
@@ -0,0 +1,16 @@
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+int main(int argc, char **argv)
+{
+	int err = acct("/tmp/t");
+	if (err == -1) {
+		fprintf(stderr, "acct failed: %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+	exit(EXIT_SUCCESS);
+}
diff --git a/engine/contrib/syscall-test/exit32.s b/engine/contrib/syscall-test/exit32.s
new file mode 100644
index 00000000..8bbb5c58
--- /dev/null
+++ b/engine/contrib/syscall-test/exit32.s
@@ -0,0 +1,7 @@
+.globl _start
+.text
+_start:
+	xorl	%eax, %eax
+	incl	%eax
+	movb	$0, %bl
+	int	$0x80
diff --git a/engine/contrib/syscall-test/ns.c b/engine/contrib/syscall-test/ns.c
new file mode 100644
index 00000000..62438863
--- /dev/null
+++ b/engine/contrib/syscall-test/ns.c
@@ -0,0 +1,63 @@
+#define _GNU_SOURCE
+#include <errno.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#define STACK_SIZE (1024 * 1024)	/* Stack size for cloned child */
+
+struct clone_args {
+	char **argv;
+};
+
+// child_exec is the func that will be executed as the result of clone
+static int child_exec(void *stuff)
+{
+	struct clone_args *args = (struct clone_args *)stuff;
+	if (execvp(args->argv[0], args->argv) != 0) {
+		fprintf(stderr, "failed to execvp arguments %s\n",
+			strerror(errno));
+		exit(-1);
+	}
+	// we should never reach here!
+	exit(EXIT_FAILURE);
+}
+
+int main(int argc, char **argv)
+{
+	struct clone_args args;
+	args.argv = &argv[1];
+
+	int clone_flags = CLONE_NEWNS | CLONE_NEWPID | SIGCHLD;
+
+	// allocate stack for child
+	char *stack;		/* Start of stack buffer */
+	char *child_stack;	/* End of stack buffer */
+	stack =
+	    mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
+		 MAP_SHARED | MAP_ANON | MAP_STACK, -1, 0);
+	if (stack == MAP_FAILED) {
+		fprintf(stderr, "mmap failed: %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+	child_stack = stack + STACK_SIZE;	/* Assume stack grows downward */
+
+	// the result of this call is that our child_exec will be run in another
+	// process returning its pid
+	pid_t pid = clone(child_exec, child_stack, clone_flags, &args);
+	if (pid < 0) {
+		fprintf(stderr, "clone failed: %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+	// lets wait on our child process here before we, the parent, exits
+	if (waitpid(pid, NULL, 0) == -1) {
+		fprintf(stderr, "failed to wait pid %d\n", pid);
+		exit(EXIT_FAILURE);
+	}
+	exit(EXIT_SUCCESS);
+}
diff --git a/engine/contrib/syscall-test/raw.c b/engine/contrib/syscall-test/raw.c
new file mode 100644
index 00000000..7995a0d3
--- /dev/null
+++ b/engine/contrib/syscall-test/raw.c
@@ -0,0 +1,14 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+
+int main() {
+	if (socket(PF_INET, SOCK_RAW, IPPROTO_UDP) == -1) {
+		perror("socket");
+		return 1;
+	}
+
+	return 0;
+}
diff --git a/engine/contrib/syscall-test/setgid.c b/engine/contrib/syscall-test/setgid.c
new file mode 100644
index 00000000..df9680c8
--- /dev/null
+++ b/engine/contrib/syscall-test/setgid.c
@@ -0,0 +1,11 @@
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+
+int main() {
+	if (setgid(1) == -1) {
+		perror("setgid");
+		return 1;
+	}
+	return 0;
+}
diff --git a/engine/contrib/syscall-test/setuid.c b/engine/contrib/syscall-test/setuid.c
new file mode 100644
index 00000000..5b939677
--- /dev/null
+++ b/engine/contrib/syscall-test/setuid.c
@@ -0,0 +1,11 @@
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+
+int main() {
+	if (setuid(1) == -1) {
+		perror("setuid");
+		return 1;
+	}
+	return 0;
+}
diff --git a/engine/contrib/syscall-test/socket.c b/engine/contrib/syscall-test/socket.c
new file mode 100644
index 00000000..d26c82f0
--- /dev/null
+++ b/engine/contrib/syscall-test/socket.c
@@ -0,0 +1,30 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+int main() {
+	int s;
+	struct sockaddr_in sin;
+
+	s = socket(AF_INET, SOCK_STREAM, 0);
+	if (s == -1) {
+		perror("socket");
+		return 1;
+	}
+
+	sin.sin_family = AF_INET;
+	sin.sin_addr.s_addr = INADDR_ANY;
+	sin.sin_port = htons(80);
+
+	if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
+		perror("bind");
+		return 1;
+	}
+
+	close(s);
+
+	return 0;
+}
diff --git a/engine/contrib/syscall-test/userns.c b/engine/contrib/syscall-test/userns.c
new file mode 100644
index 00000000..4c5c8d30
--- /dev/null
+++ b/engine/contrib/syscall-test/userns.c
@@ -0,0 +1,63 @@
+#define _GNU_SOURCE
+#include <errno.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#define STACK_SIZE (1024 * 1024)	/* Stack size for cloned child */
+
+struct clone_args {
+	char **argv;
+};
+
+// child_exec is the func that will be executed as the result of clone
+static int child_exec(void *stuff)
+{
+	struct clone_args *args = (struct clone_args *)stuff;
+	if (execvp(args->argv[0], args->argv) != 0) {
+		fprintf(stderr, "failed to execvp arguments %s\n",
+			strerror(errno));
+		exit(-1);
+	}
+	// we should never reach here!
+	exit(EXIT_FAILURE);
+}
+
+int main(int argc, char **argv)
+{
+	struct clone_args args;
+	args.argv = &argv[1];
+
+	int clone_flags = CLONE_NEWUSER | SIGCHLD;
+
+	// allocate stack for child
+	char *stack;		/* Start of stack buffer */
+	char *child_stack;	/* End of stack buffer */
+	stack =
+	    mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
+		 MAP_SHARED | MAP_ANON | MAP_STACK, -1, 0);
+	if (stack == MAP_FAILED) {
+		fprintf(stderr, "mmap failed: %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+	child_stack = stack + STACK_SIZE;	/* Assume stack grows downward */
+
+	// the result of this call is that our child_exec will be run in another
+	// process returning its pid
+	pid_t pid = clone(child_exec, child_stack, clone_flags, &args);
+	if (pid < 0) {
+		fprintf(stderr, "clone failed: %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+	// lets wait on our child process here before we, the parent, exits
+	if (waitpid(pid, NULL, 0) == -1) {
+		fprintf(stderr, "failed to wait pid %d\n", pid);
+		exit(EXIT_FAILURE);
+	}
+	exit(EXIT_SUCCESS);
+}
diff --git a/engine/contrib/udev/80-docker.rules b/engine/contrib/udev/80-docker.rules
new file mode 100644
index 00000000..f934c017
--- /dev/null
+++ b/engine/contrib/udev/80-docker.rules
@@ -0,0 +1,3 @@
+# hide docker's loopback devices from udisks, and thus from user desktops
+SUBSYSTEM=="block", ENV{DM_NAME}=="docker-*", ENV{UDISKS_PRESENTATION_HIDE}="1", ENV{UDISKS_IGNORE}="1"
+SUBSYSTEM=="block", DEVPATH=="/devices/virtual/block/loop*", ATTR{loop/backing_file}=="/var/lib/docker/*", ENV{UDISKS_PRESENTATION_HIDE}="1", ENV{UDISKS_IGNORE}="1"
diff --git a/engine/contrib/vagrant-docker/README.md b/engine/contrib/vagrant-docker/README.md
new file mode 100644
index 00000000..736c7899
--- /dev/null
+++ b/engine/contrib/vagrant-docker/README.md
@@ -0,0 +1,50 @@
+# Vagrant integration
+
+Currently there are at least 4 different projects that we are aware of that deals
+with integration with [Vagrant](http://vagrantup.com/) at different levels. One
+approach is to use Docker as a [provisioner](http://docs.vagrantup.com/v2/provisioning/index.html)
+which means you can create containers and pull base images on VMs using Docker's
+CLI and the other is to use Docker as a [provider](http://docs.vagrantup.com/v2/providers/index.html),
+meaning you can use Vagrant to control Docker containers.
+
+
+### Provisioners
+
+* [Vocker](https://github.com/fgrehm/vocker)
+* [Ventriloquist](https://github.com/fgrehm/ventriloquist)
+
+### Providers
+
+* [docker-provider](https://github.com/fgrehm/docker-provider)
+* [vagrant-shell](https://github.com/destructuring/vagrant-shell)
+
+## Setting up Vagrant-docker with the Engine API
+
+The initial Docker upstart script will not work because it runs on `127.0.0.1`, which is not accessible to the host machine. Instead, we need to change the script to connect to `0.0.0.0`. To do this, modify `/etc/init/docker.conf` to look like this:
+
+```
+description     "Docker daemon"
+
+start on filesystem
+stop on runlevel [!2345]
+
+respawn
+
+script
+    /usr/bin/dockerd -H=tcp://0.0.0.0:2375
+end script
+```
+
+Once that's done, you need to set up an SSH tunnel between your host machine and the vagrant machine that's running Docker. This can be done by running the following command in a host terminal:
+
+```
+ssh -L 2375:localhost:2375 -p 2222 vagrant@localhost
+```
+
+(The first 2375 is what your host can connect to, the second 2375 is what port Docker is running on in the vagrant machine, and the 2222 is the port Vagrant is providing for SSH. If VirtualBox is the VM you're using, you can see what value "2222" should be by going to: Network > Adapter 1 > Advanced > Port Forwarding in the VirtualBox GUI.)
+
+Note that because the port has been changed, to run docker commands from within the command line you must run them like this:
+
+```
+sudo docker -H 0.0.0.0:2375 < commands for docker >
+```
diff --git a/engine/daemon/apparmor_default.go b/engine/daemon/apparmor_default.go
new file mode 100644
index 00000000..461f5c7f
--- /dev/null
+++ b/engine/daemon/apparmor_default.go
@@ -0,0 +1,36 @@
+// +build linux
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+
+	aaprofile "github.com/docker/docker/profiles/apparmor"
+	"github.com/opencontainers/runc/libcontainer/apparmor"
+)
+
+// Define constants for native driver
+const (
+	defaultApparmorProfile = "docker-default"
+)
+
+func ensureDefaultAppArmorProfile() error {
+	if apparmor.IsEnabled() {
+		loaded, err := aaprofile.IsLoaded(defaultApparmorProfile)
+		if err != nil {
+			return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", defaultApparmorProfile, err)
+		}
+
+		// Nothing to do.
+		if loaded {
+			return nil
+		}
+
+		// Load the profile.
+		if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
+			return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultApparmorProfile, err)
+		}
+	}
+
+	return nil
+}
diff --git a/engine/daemon/apparmor_default_unsupported.go b/engine/daemon/apparmor_default_unsupported.go
new file mode 100644
index 00000000..51f9c526
--- /dev/null
+++ b/engine/daemon/apparmor_default_unsupported.go
@@ -0,0 +1,7 @@
+// +build !linux
+
+package daemon // import "github.com/docker/docker/daemon"
+
+func ensureDefaultAppArmorProfile() error {
+	return nil
+}
diff --git a/engine/daemon/archive.go b/engine/daemon/archive.go
new file mode 100644
index 00000000..9c7971b5
--- /dev/null
+++ b/engine/daemon/archive.go
@@ -0,0 +1,449 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"io"
+	"os"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/chrootarchive"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+)
+
+// ErrExtractPointNotDirectory is used to convey that the operation to extract
+// a tar archive to a directory in a container has failed because the specified
+// path does not refer to a directory.
+var ErrExtractPointNotDirectory = errors.New("extraction point is not a directory")
+
+// The daemon will use the following interfaces if the container fs implements
+// these for optimized copies to and from the container.
+type extractor interface {
+	ExtractArchive(src io.Reader, dst string, opts *archive.TarOptions) error
+}
+
+type archiver interface {
+	ArchivePath(src string, opts *archive.TarOptions) (io.ReadCloser, error)
+}
+
+// helper functions to extract or archive
+func extractArchive(i interface{}, src io.Reader, dst string, opts *archive.TarOptions) error {
+	if ea, ok := i.(extractor); ok {
+		return ea.ExtractArchive(src, dst, opts)
+	}
+	return chrootarchive.Untar(src, dst, opts)
+}
+
+func archivePath(i interface{}, src string, opts *archive.TarOptions) (io.ReadCloser, error) {
+	if ap, ok := i.(archiver); ok {
+		return ap.ArchivePath(src, opts)
+	}
+	return archive.TarWithOptions(src, opts)
+}
+
+// ContainerCopy performs a deprecated operation of archiving the resource at
+// the specified path in the container identified by the given name.
+func (daemon *Daemon) ContainerCopy(name string, res string) (io.ReadCloser, error) {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	// Make sure an online file-system operation is permitted.
+	if err := daemon.isOnlineFSOperationPermitted(container); err != nil {
+		return nil, errdefs.System(err)
+	}
+
+	data, err := daemon.containerCopy(container, res)
+	if err == nil {
+		return data, nil
+	}
+
+	if os.IsNotExist(err) {
+		return nil, containerFileNotFound{res, name}
+	}
+	return nil, errdefs.System(err)
+}
+
+// ContainerStatPath stats the filesystem resource at the specified path in the
+// container identified by the given name.
+func (daemon *Daemon) ContainerStatPath(name string, path string) (stat *types.ContainerPathStat, err error) {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	// Make sure an online file-system operation is permitted.
+	if err := daemon.isOnlineFSOperationPermitted(container); err != nil {
+		return nil, errdefs.System(err)
+	}
+
+	stat, err = daemon.containerStatPath(container, path)
+	if err == nil {
+		return stat, nil
+	}
+
+	if os.IsNotExist(err) {
+		return nil, containerFileNotFound{path, name}
+	}
+	return nil, errdefs.System(err)
+}
+
+// ContainerArchivePath creates an archive of the filesystem resource at the
+// specified path in the container identified by the given name. Returns a
+// tar archive of the resource and whether it was a directory or a single file.
+func (daemon *Daemon) ContainerArchivePath(name string, path string) (content io.ReadCloser, stat *types.ContainerPathStat, err error) {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Make sure an online file-system operation is permitted.
+	if err := daemon.isOnlineFSOperationPermitted(container); err != nil {
+		return nil, nil, errdefs.System(err)
+	}
+
+	content, stat, err = daemon.containerArchivePath(container, path)
+	if err == nil {
+		return content, stat, nil
+	}
+
+	if os.IsNotExist(err) {
+		return nil, nil, containerFileNotFound{path, name}
+	}
+	return nil, nil, errdefs.System(err)
+}
+
+// ContainerExtractToDir extracts the given archive to the specified location
+// in the filesystem of the container identified by the given name. The given
+// path must be of a directory in the container. If it is not, the error will
+// be ErrExtractPointNotDirectory. If noOverwriteDirNonDir is true then it will
+// be an error if unpacking the given content would cause an existing directory
+// to be replaced with a non-directory and vice versa.
+func (daemon *Daemon) ContainerExtractToDir(name, path string, copyUIDGID, noOverwriteDirNonDir bool, content io.Reader) error {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+
+	// Make sure an online file-system operation is permitted.
+	if err := daemon.isOnlineFSOperationPermitted(container); err != nil {
+		return errdefs.System(err)
+	}
+
+	err = daemon.containerExtractToDir(container, path, copyUIDGID, noOverwriteDirNonDir, content)
+	if err == nil {
+		return nil
+	}
+
+	if os.IsNotExist(err) {
+		return containerFileNotFound{path, name}
+	}
+	return errdefs.System(err)
+}
+
+// containerStatPath stats the filesystem resource at the specified path in this
+// container. Returns stat info about the resource.
+func (daemon *Daemon) containerStatPath(container *container.Container, path string) (stat *types.ContainerPathStat, err error) {
+	container.Lock()
+	defer container.Unlock()
+
+	if err = daemon.Mount(container); err != nil {
+		return nil, err
+	}
+	defer daemon.Unmount(container)
+
+	err = daemon.mountVolumes(container)
+	defer container.DetachAndUnmount(daemon.LogVolumeEvent)
+	if err != nil {
+		return nil, err
+	}
+
+	// Normalize path before sending to rootfs
+	path = container.BaseFS.FromSlash(path)
+
+	resolvedPath, absPath, err := container.ResolvePath(path)
+	if err != nil {
+		return nil, err
+	}
+
+	return container.StatPath(resolvedPath, absPath)
+}
+
+// containerArchivePath creates an archive of the filesystem resource at the specified
+// path in this container. Returns a tar archive of the resource and stat info
+// about the resource.
+func (daemon *Daemon) containerArchivePath(container *container.Container, path string) (content io.ReadCloser, stat *types.ContainerPathStat, err error) {
+	container.Lock()
+
+	defer func() {
+		if err != nil {
+			// Wait to unlock the container until the archive is fully read
+			// (see the ReadCloseWrapper func below) or if there is an error
+			// before that occurs.
+			container.Unlock()
+		}
+	}()
+
+	if err = daemon.Mount(container); err != nil {
+		return nil, nil, err
+	}
+
+	defer func() {
+		if err != nil {
+			// unmount any volumes
+			container.DetachAndUnmount(daemon.LogVolumeEvent)
+			// unmount the container's rootfs
+			daemon.Unmount(container)
+		}
+	}()
+
+	if err = daemon.mountVolumes(container); err != nil {
+		return nil, nil, err
+	}
+
+	// Normalize path before sending to rootfs
+	path = container.BaseFS.FromSlash(path)
+
+	resolvedPath, absPath, err := container.ResolvePath(path)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	stat, err = container.StatPath(resolvedPath, absPath)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// We need to rebase the archive entries if the last element of the
+	// resolved path was a symlink that was evaluated and is now different
+	// than the requested path. For example, if the given path was "/foo/bar/",
+	// but it resolved to "/var/lib/docker/containers/{id}/foo/baz/", we want
+	// to ensure that the archive entries start with "bar" and not "baz". This
+	// also catches the case when the root directory of the container is
+	// requested: we want the archive entries to start with "/" and not the
+	// container ID.
+	driver := container.BaseFS
+
+	// Get the source and the base paths of the container resolved path in order
+	// to get the proper tar options for the rebase tar.
+	resolvedPath = driver.Clean(resolvedPath)
+	if driver.Base(resolvedPath) == "." {
+		resolvedPath += string(driver.Separator()) + "."
+	}
+	sourceDir, sourceBase := driver.Dir(resolvedPath), driver.Base(resolvedPath)
+	opts := archive.TarResourceRebaseOpts(sourceBase, driver.Base(absPath))
+
+	data, err := archivePath(driver, sourceDir, opts)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	content = ioutils.NewReadCloserWrapper(data, func() error {
+		err := data.Close()
+		container.DetachAndUnmount(daemon.LogVolumeEvent)
+		daemon.Unmount(container)
+		container.Unlock()
+		return err
+	})
+
+	daemon.LogContainerEvent(container, "archive-path")
+
+	return content, stat, nil
+}
+
+// containerExtractToDir extracts the given tar archive to the specified location in the
+// filesystem of this container. The given path must be of a directory in the
+// container. If it is not, the error will be ErrExtractPointNotDirectory. If
+// noOverwriteDirNonDir is true then it will be an error if unpacking the
+// given content would cause an existing directory to be replaced with a non-
+// directory and vice versa.
+func (daemon *Daemon) containerExtractToDir(container *container.Container, path string, copyUIDGID, noOverwriteDirNonDir bool, content io.Reader) (err error) {
+	container.Lock()
+	defer container.Unlock()
+
+	if err = daemon.Mount(container); err != nil {
+		return err
+	}
+	defer daemon.Unmount(container)
+
+	err = daemon.mountVolumes(container)
+	defer container.DetachAndUnmount(daemon.LogVolumeEvent)
+	if err != nil {
+		return err
+	}
+
+	// Normalize path before sending to rootfs'
+	path = container.BaseFS.FromSlash(path)
+	driver := container.BaseFS
+
+	// Check if a drive letter supplied, it must be the system drive. No-op except on Windows
+	path, err = system.CheckSystemDriveAndRemoveDriveLetter(path, driver)
+	if err != nil {
+		return err
+	}
+
+	// The destination path needs to be resolved to a host path, with all
+	// symbolic links followed in the scope of the container's rootfs. Note
+	// that we do not use `container.ResolvePath(path)` here because we need
+	// to also evaluate the last path element if it is a symlink. This is so
+	// that you can extract an archive to a symlink that points to a directory.
+
+	// Consider the given path as an absolute path in the container.
+	absPath := archive.PreserveTrailingDotOrSeparator(
+		driver.Join(string(driver.Separator()), path),
+		path,
+		driver.Separator())
+
+	// This will evaluate the last path element if it is a symlink.
+	resolvedPath, err := container.GetResourcePath(absPath)
+	if err != nil {
+		return err
+	}
+
+	stat, err := driver.Lstat(resolvedPath)
+	if err != nil {
+		return err
+	}
+
+	if !stat.IsDir() {
+		return ErrExtractPointNotDirectory
+	}
+
+	// Need to check if the path is in a volume. If it is, it cannot be in a
+	// read-only volume. If it is not in a volume, the container cannot be
+	// configured with a read-only rootfs.
+
+	// Use the resolved path relative to the container rootfs as the new
+	// absPath. This way we fully follow any symlinks in a volume that may
+	// lead back outside the volume.
+	//
+	// The Windows implementation of filepath.Rel in golang 1.4 does not
+	// support volume style file path semantics. On Windows when using the
+	// filter driver, we are guaranteed that the path will always be
+	// a volume file path.
+	var baseRel string
+	if strings.HasPrefix(resolvedPath, `\\?\Volume{`) {
+		if strings.HasPrefix(resolvedPath, driver.Path()) {
+			baseRel = resolvedPath[len(driver.Path()):]
+			if baseRel[:1] == `\` {
+				baseRel = baseRel[1:]
+			}
+		}
+	} else {
+		baseRel, err = driver.Rel(driver.Path(), resolvedPath)
+	}
+	if err != nil {
+		return err
+	}
+	// Make it an absolute path.
+	absPath = driver.Join(string(driver.Separator()), baseRel)
+
+	// @ TODO: gupta-ak: Technically, this works since it no-ops
+	// on Windows and the file system is local anyway on linux.
+	// But eventually, it should be made driver aware.
+	toVolume, err := checkIfPathIsInAVolume(container, absPath)
+	if err != nil {
+		return err
+	}
+
+	if !toVolume && container.HostConfig.ReadonlyRootfs {
+		return ErrRootFSReadOnly
+	}
+
+	options := daemon.defaultTarCopyOptions(noOverwriteDirNonDir)
+
+	if copyUIDGID {
+		var err error
+		// tarCopyOptions will appropriately pull in the right uid/gid for the
+		// user/group and will set the options.
+		options, err = daemon.tarCopyOptions(container, noOverwriteDirNonDir)
+		if err != nil {
+			return err
+		}
+	}
+
+	if err := extractArchive(driver, content, resolvedPath, options); err != nil {
+		return err
+	}
+
+	daemon.LogContainerEvent(container, "extract-to-dir")
+
+	return nil
+}
+
+func (daemon *Daemon) containerCopy(container *container.Container, resource string) (rc io.ReadCloser, err error) {
+	if resource[0] == '/' || resource[0] == '\\' {
+		resource = resource[1:]
+	}
+	container.Lock()
+
+	defer func() {
+		if err != nil {
+			// Wait to unlock the container until the archive is fully read
+			// (see the ReadCloseWrapper func below) or if there is an error
+			// before that occurs.
+			container.Unlock()
+		}
+	}()
+
+	if err := daemon.Mount(container); err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if err != nil {
+			// unmount any volumes
+			container.DetachAndUnmount(daemon.LogVolumeEvent)
+			// unmount the container's rootfs
+			daemon.Unmount(container)
+		}
+	}()
+
+	if err := daemon.mountVolumes(container); err != nil {
+		return nil, err
+	}
+
+	// Normalize path before sending to rootfs
+	resource = container.BaseFS.FromSlash(resource)
+	driver := container.BaseFS
+
+	basePath, err := container.GetResourcePath(resource)
+	if err != nil {
+		return nil, err
+	}
+	stat, err := driver.Stat(basePath)
+	if err != nil {
+		return nil, err
+	}
+	var filter []string
+	if !stat.IsDir() {
+		d, f := driver.Split(basePath)
+		basePath = d
+		filter = []string{f}
+	} else {
+		filter = []string{driver.Base(basePath)}
+		basePath = driver.Dir(basePath)
+	}
+	archive, err := archivePath(driver, basePath, &archive.TarOptions{
+		Compression:  archive.Uncompressed,
+		IncludeFiles: filter,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	reader := ioutils.NewReadCloserWrapper(archive, func() error {
+		err := archive.Close()
+		container.DetachAndUnmount(daemon.LogVolumeEvent)
+		daemon.Unmount(container)
+		container.Unlock()
+		return err
+	})
+	daemon.LogContainerEvent(container, "copy")
+	return reader, nil
+}
diff --git a/engine/daemon/archive_tarcopyoptions.go b/engine/daemon/archive_tarcopyoptions.go
new file mode 100644
index 00000000..766ba9fd
--- /dev/null
+++ b/engine/daemon/archive_tarcopyoptions.go
@@ -0,0 +1,15 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/pkg/archive"
+)
+
+// defaultTarCopyOptions is the setting that is used when unpacking an archive
+// for a copy API event.
+func (daemon *Daemon) defaultTarCopyOptions(noOverwriteDirNonDir bool) *archive.TarOptions {
+	return &archive.TarOptions{
+		NoOverwriteDirNonDir: noOverwriteDirNonDir,
+		UIDMaps:              daemon.idMappings.UIDs(),
+		GIDMaps:              daemon.idMappings.GIDs(),
+	}
+}
diff --git a/engine/daemon/archive_tarcopyoptions_unix.go b/engine/daemon/archive_tarcopyoptions_unix.go
new file mode 100644
index 00000000..d7090456
--- /dev/null
+++ b/engine/daemon/archive_tarcopyoptions_unix.go
@@ -0,0 +1,25 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/idtools"
+)
+
+func (daemon *Daemon) tarCopyOptions(container *container.Container, noOverwriteDirNonDir bool) (*archive.TarOptions, error) {
+	if container.Config.User == "" {
+		return daemon.defaultTarCopyOptions(noOverwriteDirNonDir), nil
+	}
+
+	user, err := idtools.LookupUser(container.Config.User)
+	if err != nil {
+		return nil, err
+	}
+
+	return &archive.TarOptions{
+		NoOverwriteDirNonDir: noOverwriteDirNonDir,
+		ChownOpts:            &idtools.IDPair{UID: user.Uid, GID: user.Gid},
+	}, nil
+}
diff --git a/engine/daemon/archive_tarcopyoptions_windows.go b/engine/daemon/archive_tarcopyoptions_windows.go
new file mode 100644
index 00000000..5142496f
--- /dev/null
+++ b/engine/daemon/archive_tarcopyoptions_windows.go
@@ -0,0 +1,10 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/archive"
+)
+
+func (daemon *Daemon) tarCopyOptions(container *container.Container, noOverwriteDirNonDir bool) (*archive.TarOptions, error) {
+	return daemon.defaultTarCopyOptions(noOverwriteDirNonDir), nil
+}
diff --git a/engine/daemon/archive_unix.go b/engine/daemon/archive_unix.go
new file mode 100644
index 00000000..50e6fe24
--- /dev/null
+++ b/engine/daemon/archive_unix.go
@@ -0,0 +1,31 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/container"
+	volumemounts "github.com/docker/docker/volume/mounts"
+)
+
+// checkIfPathIsInAVolume checks if the path is in a volume. If it is, it
+// cannot be in a read-only volume. If it  is not in a volume, the container
+// cannot be configured with a read-only rootfs.
+func checkIfPathIsInAVolume(container *container.Container, absPath string) (bool, error) {
+	var toVolume bool
+	parser := volumemounts.NewParser(container.OS)
+	for _, mnt := range container.MountPoints {
+		if toVolume = parser.HasResource(mnt, absPath); toVolume {
+			if mnt.RW {
+				break
+			}
+			return false, ErrVolumeReadonly
+		}
+	}
+	return toVolume, nil
+}
+
+// isOnlineFSOperationPermitted returns an error if an online filesystem operation
+// is not permitted.
+func (daemon *Daemon) isOnlineFSOperationPermitted(container *container.Container) error {
+	return nil
+}
diff --git a/engine/daemon/archive_windows.go b/engine/daemon/archive_windows.go
new file mode 100644
index 00000000..8cec39c5
--- /dev/null
+++ b/engine/daemon/archive_windows.go
@@ -0,0 +1,39 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"errors"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+)
+
+// checkIfPathIsInAVolume checks if the path is in a volume. If it is, it
+// cannot be in a read-only volume. If it  is not in a volume, the container
+// cannot be configured with a read-only rootfs.
+//
+// This is a no-op on Windows which does not support read-only volumes, or
+// extracting to a mount point inside a volume. TODO Windows: FIXME Post-TP5
+func checkIfPathIsInAVolume(container *container.Container, absPath string) (bool, error) {
+	return false, nil
+}
+
+// isOnlineFSOperationPermitted returns an error if an online filesystem operation
+// is not permitted (such as stat or for copying). Running Hyper-V containers
+// cannot have their file-system interrogated from the host as the filter is
+// loaded inside the utility VM, not the host.
+// IMPORTANT: The container lock must NOT be held when calling this function.
+func (daemon *Daemon) isOnlineFSOperationPermitted(container *container.Container) error {
+	if !container.IsRunning() {
+		return nil
+	}
+
+	// Determine isolation. If not specified in the hostconfig, use daemon default.
+	actualIsolation := container.HostConfig.Isolation
+	if containertypes.Isolation.IsDefault(containertypes.Isolation(actualIsolation)) {
+		actualIsolation = daemon.defaultIsolation
+	}
+	if containertypes.Isolation.IsHyperV(actualIsolation) {
+		return errors.New("filesystem operations against a running Hyper-V container are not supported")
+	}
+	return nil
+}
diff --git a/engine/daemon/attach.go b/engine/daemon/attach.go
new file mode 100644
index 00000000..fb14691d
--- /dev/null
+++ b/engine/daemon/attach.go
@@ -0,0 +1,187 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/container/stream"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/docker/docker/pkg/term"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// ContainerAttach attaches to logs according to the config passed in. See ContainerAttachConfig.
+func (daemon *Daemon) ContainerAttach(prefixOrName string, c *backend.ContainerAttachConfig) error {
+	keys := []byte{}
+	var err error
+	if c.DetachKeys != "" {
+		keys, err = term.ToBytes(c.DetachKeys)
+		if err != nil {
+			return errdefs.InvalidParameter(errors.Errorf("Invalid detach keys (%s) provided", c.DetachKeys))
+		}
+	}
+
+	container, err := daemon.GetContainer(prefixOrName)
+	if err != nil {
+		return err
+	}
+	if container.IsPaused() {
+		err := fmt.Errorf("container %s is paused, unpause the container before attach", prefixOrName)
+		return errdefs.Conflict(err)
+	}
+	if container.IsRestarting() {
+		err := fmt.Errorf("container %s is restarting, wait until the container is running", prefixOrName)
+		return errdefs.Conflict(err)
+	}
+
+	cfg := stream.AttachConfig{
+		UseStdin:   c.UseStdin,
+		UseStdout:  c.UseStdout,
+		UseStderr:  c.UseStderr,
+		TTY:        container.Config.Tty,
+		CloseStdin: container.Config.StdinOnce,
+		DetachKeys: keys,
+	}
+	container.StreamConfig.AttachStreams(&cfg)
+
+	inStream, outStream, errStream, err := c.GetStreams()
+	if err != nil {
+		return err
+	}
+	defer inStream.Close()
+
+	if !container.Config.Tty && c.MuxStreams {
+		errStream = stdcopy.NewStdWriter(errStream, stdcopy.Stderr)
+		outStream = stdcopy.NewStdWriter(outStream, stdcopy.Stdout)
+	}
+
+	if cfg.UseStdin {
+		cfg.Stdin = inStream
+	}
+	if cfg.UseStdout {
+		cfg.Stdout = outStream
+	}
+	if cfg.UseStderr {
+		cfg.Stderr = errStream
+	}
+
+	if err := daemon.containerAttach(container, &cfg, c.Logs, c.Stream); err != nil {
+		fmt.Fprintf(outStream, "Error attaching: %s\n", err)
+	}
+	return nil
+}
+
+// ContainerAttachRaw attaches the provided streams to the container's stdio
+func (daemon *Daemon) ContainerAttachRaw(prefixOrName string, stdin io.ReadCloser, stdout, stderr io.Writer, doStream bool, attached chan struct{}) error {
+	container, err := daemon.GetContainer(prefixOrName)
+	if err != nil {
+		return err
+	}
+	cfg := stream.AttachConfig{
+		UseStdin:   stdin != nil,
+		UseStdout:  stdout != nil,
+		UseStderr:  stderr != nil,
+		TTY:        container.Config.Tty,
+		CloseStdin: container.Config.StdinOnce,
+	}
+	container.StreamConfig.AttachStreams(&cfg)
+	close(attached)
+	if cfg.UseStdin {
+		cfg.Stdin = stdin
+	}
+	if cfg.UseStdout {
+		cfg.Stdout = stdout
+	}
+	if cfg.UseStderr {
+		cfg.Stderr = stderr
+	}
+
+	return daemon.containerAttach(container, &cfg, false, doStream)
+}
+
+func (daemon *Daemon) containerAttach(c *container.Container, cfg *stream.AttachConfig, logs, doStream bool) error {
+	if logs {
+		logDriver, logCreated, err := daemon.getLogger(c)
+		if err != nil {
+			return err
+		}
+		if logCreated {
+			defer func() {
+				if err = logDriver.Close(); err != nil {
+					logrus.Errorf("Error closing logger: %v", err)
+				}
+			}()
+		}
+		cLog, ok := logDriver.(logger.LogReader)
+		if !ok {
+			return logger.ErrReadLogsNotSupported{}
+		}
+		logs := cLog.ReadLogs(logger.ReadConfig{Tail: -1})
+		defer logs.Close()
+
+	LogLoop:
+		for {
+			select {
+			case msg, ok := <-logs.Msg:
+				if !ok {
+					break LogLoop
+				}
+				if msg.Source == "stdout" && cfg.Stdout != nil {
+					cfg.Stdout.Write(msg.Line)
+				}
+				if msg.Source == "stderr" && cfg.Stderr != nil {
+					cfg.Stderr.Write(msg.Line)
+				}
+			case err := <-logs.Err:
+				logrus.Errorf("Error streaming logs: %v", err)
+				break LogLoop
+			}
+		}
+	}
+
+	daemon.LogContainerEvent(c, "attach")
+
+	if !doStream {
+		return nil
+	}
+
+	if cfg.Stdin != nil {
+		r, w := io.Pipe()
+		go func(stdin io.ReadCloser) {
+			defer w.Close()
+			defer logrus.Debug("Closing buffered stdin pipe")
+			io.Copy(w, stdin)
+		}(cfg.Stdin)
+		cfg.Stdin = r
+	}
+
+	if !c.Config.OpenStdin {
+		cfg.Stdin = nil
+	}
+
+	if c.Config.StdinOnce && !c.Config.Tty {
+		// Wait for the container to stop before returning.
+		waitChan := c.Wait(context.Background(), container.WaitConditionNotRunning)
+		defer func() {
+			<-waitChan // Ignore returned exit code.
+		}()
+	}
+
+	ctx := c.InitAttachContext()
+	err := <-c.StreamConfig.CopyStreams(ctx, cfg)
+	if err != nil {
+		if _, ok := errors.Cause(err).(term.EscapeError); ok || err == context.Canceled {
+			daemon.LogContainerEvent(c, "detach")
+		} else {
+			logrus.Errorf("attach failed with error: %v", err)
+		}
+	}
+
+	return nil
+}
diff --git a/engine/daemon/auth.go b/engine/daemon/auth.go
new file mode 100644
index 00000000..d32c28b8
--- /dev/null
+++ b/engine/daemon/auth.go
@@ -0,0 +1,13 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/dockerversion"
+)
+
+// AuthenticateToRegistry checks the validity of credentials in authConfig
+func (daemon *Daemon) AuthenticateToRegistry(ctx context.Context, authConfig *types.AuthConfig) (string, string, error) {
+	return daemon.RegistryService.Auth(ctx, authConfig, dockerversion.DockerUserAgent(ctx))
+}
diff --git a/engine/daemon/bindmount_unix.go b/engine/daemon/bindmount_unix.go
new file mode 100644
index 00000000..028e300b
--- /dev/null
+++ b/engine/daemon/bindmount_unix.go
@@ -0,0 +1,5 @@
+// +build linux freebsd
+
+package daemon // import "github.com/docker/docker/daemon"
+
+const bindMountType = "bind"
diff --git a/engine/daemon/caps/utils.go b/engine/daemon/caps/utils.go
new file mode 100644
index 00000000..c5ded542
--- /dev/null
+++ b/engine/daemon/caps/utils.go
@@ -0,0 +1,139 @@
+package caps // import "github.com/docker/docker/daemon/caps"
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/syndtr/gocapability/capability"
+)
+
+var capabilityList Capabilities
+
+func init() {
+	last := capability.CAP_LAST_CAP
+	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+	if last == capability.Cap(63) {
+		last = capability.CAP_BLOCK_SUSPEND
+	}
+	for _, cap := range capability.List() {
+		if cap > last {
+			continue
+		}
+		capabilityList = append(capabilityList,
+			&CapabilityMapping{
+				Key:   "CAP_" + strings.ToUpper(cap.String()),
+				Value: cap,
+			},
+		)
+	}
+}
+
+type (
+	// CapabilityMapping maps linux capability name to its value of capability.Cap type
+	// Capabilities is one of the security systems in Linux Security Module (LSM)
+	// framework provided by the kernel.
+	// For more details on capabilities, see http://man7.org/linux/man-pages/man7/capabilities.7.html
+	CapabilityMapping struct {
+		Key   string         `json:"key,omitempty"`
+		Value capability.Cap `json:"value,omitempty"`
+	}
+	// Capabilities contains all CapabilityMapping
+	Capabilities []*CapabilityMapping
+)
+
+// String returns <key> of CapabilityMapping
+func (c *CapabilityMapping) String() string {
+	return c.Key
+}
+
+// GetCapability returns CapabilityMapping which contains specific key
+func GetCapability(key string) *CapabilityMapping {
+	for _, capp := range capabilityList {
+		if capp.Key == key {
+			cpy := *capp
+			return &cpy
+		}
+	}
+	return nil
+}
+
+// GetAllCapabilities returns all of the capabilities
+func GetAllCapabilities() []string {
+	output := make([]string, len(capabilityList))
+	for i, capability := range capabilityList {
+		output[i] = capability.String()
+	}
+	return output
+}
+
+// inSlice tests whether a string is contained in a slice of strings or not.
+// Comparison is case insensitive
+func inSlice(slice []string, s string) bool {
+	for _, ss := range slice {
+		if strings.ToLower(s) == strings.ToLower(ss) {
+			return true
+		}
+	}
+	return false
+}
+
+// TweakCapabilities can tweak capabilities by adding or dropping capabilities
+// based on the basics capabilities.
+func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
+	var (
+		newCaps []string
+		allCaps = GetAllCapabilities()
+	)
+
+	// FIXME(tonistiigi): docker format is without CAP_ prefix, oci is with prefix
+	// Currently they are mixed in here. We should do conversion in one place.
+
+	// look for invalid cap in the drop list
+	for _, cap := range drops {
+		if strings.ToLower(cap) == "all" {
+			continue
+		}
+
+		if !inSlice(allCaps, "CAP_"+cap) {
+			return nil, fmt.Errorf("Unknown capability drop: %q", cap)
+		}
+	}
+
+	// handle --cap-add=all
+	if inSlice(adds, "all") {
+		basics = allCaps
+	}
+
+	if !inSlice(drops, "all") {
+		for _, cap := range basics {
+			// skip `all` already handled above
+			if strings.ToLower(cap) == "all" {
+				continue
+			}
+
+			// if we don't drop `all`, add back all the non-dropped caps
+			if !inSlice(drops, cap[4:]) {
+				newCaps = append(newCaps, strings.ToUpper(cap))
+			}
+		}
+	}
+
+	for _, cap := range adds {
+		// skip `all` already handled above
+		if strings.ToLower(cap) == "all" {
+			continue
+		}
+
+		cap = "CAP_" + cap
+
+		if !inSlice(allCaps, cap) {
+			return nil, fmt.Errorf("Unknown capability to add: %q", cap)
+		}
+
+		// add cap if not already in the list
+		if !inSlice(newCaps, cap) {
+			newCaps = append(newCaps, strings.ToUpper(cap))
+		}
+	}
+	return newCaps, nil
+}
diff --git a/engine/daemon/changes.go b/engine/daemon/changes.go
new file mode 100644
index 00000000..70b3f6b9
--- /dev/null
+++ b/engine/daemon/changes.go
@@ -0,0 +1,34 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"errors"
+	"runtime"
+	"time"
+
+	"github.com/docker/docker/pkg/archive"
+)
+
+// ContainerChanges returns a list of container fs changes
+func (daemon *Daemon) ContainerChanges(name string) ([]archive.Change, error) {
+	start := time.Now()
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	if runtime.GOOS == "windows" && container.IsRunning() {
+		return nil, errors.New("Windows does not support diff of a running container")
+	}
+
+	container.Lock()
+	defer container.Unlock()
+	if container.RWLayer == nil {
+		return nil, errors.New("RWLayer of container " + name + " is unexpectedly nil")
+	}
+	c, err := container.RWLayer.Changes()
+	if err != nil {
+		return nil, err
+	}
+	containerActions.WithValues("changes").UpdateSince(start)
+	return c, nil
+}
diff --git a/engine/daemon/checkpoint.go b/engine/daemon/checkpoint.go
new file mode 100644
index 00000000..4a1cb0e1
--- /dev/null
+++ b/engine/daemon/checkpoint.go
@@ -0,0 +1,143 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/daemon/names"
+)
+
+var (
+	validCheckpointNameChars   = names.RestrictedNameChars
+	validCheckpointNamePattern = names.RestrictedNamePattern
+)
+
+// getCheckpointDir verifies checkpoint directory for create,remove, list options and checks if checkpoint already exists
+func getCheckpointDir(checkDir, checkpointID, ctrName, ctrID, ctrCheckpointDir string, create bool) (string, error) {
+	var checkpointDir string
+	var err2 error
+	if checkDir != "" {
+		checkpointDir = checkDir
+	} else {
+		checkpointDir = ctrCheckpointDir
+	}
+	checkpointAbsDir := filepath.Join(checkpointDir, checkpointID)
+	stat, err := os.Stat(checkpointAbsDir)
+	if create {
+		switch {
+		case err == nil && stat.IsDir():
+			err2 = fmt.Errorf("checkpoint with name %s already exists for container %s", checkpointID, ctrName)
+		case err != nil && os.IsNotExist(err):
+			err2 = os.MkdirAll(checkpointAbsDir, 0700)
+		case err != nil:
+			err2 = err
+		case err == nil:
+			err2 = fmt.Errorf("%s exists and is not a directory", checkpointAbsDir)
+		}
+	} else {
+		switch {
+		case err != nil:
+			err2 = fmt.Errorf("checkpoint %s does not exists for container %s", checkpointID, ctrName)
+		case err == nil && stat.IsDir():
+			err2 = nil
+		case err == nil:
+			err2 = fmt.Errorf("%s exists and is not a directory", checkpointAbsDir)
+		}
+	}
+	return checkpointAbsDir, err2
+}
+
+// CheckpointCreate checkpoints the process running in a container with CRIU
+func (daemon *Daemon) CheckpointCreate(name string, config types.CheckpointCreateOptions) error {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+
+	if !container.IsRunning() {
+		return fmt.Errorf("Container %s not running", name)
+	}
+
+	if container.Config.Tty {
+		return fmt.Errorf("checkpoint not support on containers with tty")
+	}
+
+	if !validCheckpointNamePattern.MatchString(config.CheckpointID) {
+		return fmt.Errorf("Invalid checkpoint ID (%s), only %s are allowed", config.CheckpointID, validCheckpointNameChars)
+	}
+
+	checkpointDir, err := getCheckpointDir(config.CheckpointDir, config.CheckpointID, name, container.ID, container.CheckpointDir(), true)
+	if err != nil {
+		return fmt.Errorf("cannot checkpoint container %s: %s", name, err)
+	}
+
+	err = daemon.containerd.CreateCheckpoint(context.Background(), container.ID, checkpointDir, config.Exit)
+	if err != nil {
+		os.RemoveAll(checkpointDir)
+		return fmt.Errorf("Cannot checkpoint container %s: %s", name, err)
+	}
+
+	daemon.LogContainerEvent(container, "checkpoint")
+
+	return nil
+}
+
+// CheckpointDelete deletes the specified checkpoint
+func (daemon *Daemon) CheckpointDelete(name string, config types.CheckpointDeleteOptions) error {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+	checkpointDir, err := getCheckpointDir(config.CheckpointDir, config.CheckpointID, name, container.ID, container.CheckpointDir(), false)
+	if err == nil {
+		return os.RemoveAll(filepath.Join(checkpointDir, config.CheckpointID))
+	}
+	return err
+}
+
+// CheckpointList lists all checkpoints of the specified container
+func (daemon *Daemon) CheckpointList(name string, config types.CheckpointListOptions) ([]types.Checkpoint, error) {
+	var out []types.Checkpoint
+
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	checkpointDir, err := getCheckpointDir(config.CheckpointDir, "", name, container.ID, container.CheckpointDir(), false)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := os.MkdirAll(checkpointDir, 0755); err != nil {
+		return nil, err
+	}
+
+	dirs, err := ioutil.ReadDir(checkpointDir)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, d := range dirs {
+		if !d.IsDir() {
+			continue
+		}
+		path := filepath.Join(checkpointDir, d.Name(), "config.json")
+		data, err := ioutil.ReadFile(path)
+		if err != nil {
+			return nil, err
+		}
+		var cpt types.Checkpoint
+		if err := json.Unmarshal(data, &cpt); err != nil {
+			return nil, err
+		}
+		out = append(out, cpt)
+	}
+
+	return out, nil
+}
diff --git a/engine/daemon/cluster.go b/engine/daemon/cluster.go
new file mode 100644
index 00000000..b5ac6c48
--- /dev/null
+++ b/engine/daemon/cluster.go
@@ -0,0 +1,26 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	apitypes "github.com/docker/docker/api/types"
+	lncluster "github.com/docker/libnetwork/cluster"
+)
+
+// Cluster is the interface for github.com/docker/docker/daemon/cluster.(*Cluster).
+type Cluster interface {
+	ClusterStatus
+	NetworkManager
+	SendClusterEvent(event lncluster.ConfigEventType)
+}
+
+// ClusterStatus interface provides information about the Swarm status of the Cluster
+type ClusterStatus interface {
+	IsAgent() bool
+	IsManager() bool
+}
+
+// NetworkManager provides methods to manage networks
+type NetworkManager interface {
+	GetNetwork(input string) (apitypes.NetworkResource, error)
+	GetNetworks() ([]apitypes.NetworkResource, error)
+	RemoveNetwork(input string) error
+}
diff --git a/engine/daemon/cluster/cluster.go b/engine/daemon/cluster/cluster.go
new file mode 100644
index 00000000..35ba5a93
--- /dev/null
+++ b/engine/daemon/cluster/cluster.go
@@ -0,0 +1,450 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+//
+// ## Swarmkit integration
+//
+// Cluster - static configurable object for accessing everything swarm related.
+// Contains methods for connecting and controlling the cluster. Exists always,
+// even if swarm mode is not enabled.
+//
+// NodeRunner - Manager for starting the swarmkit node. Is present only and
+// always if swarm mode is enabled. Implements backoff restart loop in case of
+// errors.
+//
+// NodeState - Information about the current node status including access to
+// gRPC clients if a manager is active.
+//
+// ### Locking
+//
+// `cluster.controlMutex` - taken for the whole lifecycle of the processes that
+// can reconfigure cluster(init/join/leave etc). Protects that one
+// reconfiguration action has fully completed before another can start.
+//
+// `cluster.mu` - taken when the actual changes in cluster configurations
+// happen. Different from `controlMutex` because in some cases we need to
+// access current cluster state even if the long-running reconfiguration is
+// going on. For example network stack may ask for the current cluster state in
+// the middle of the shutdown. Any time current cluster state is asked you
+// should take the read lock of `cluster.mu`. If you are writing an API
+// responder that returns synchronously, hold `cluster.mu.RLock()` for the
+// duration of the whole handler function. That ensures that node will not be
+// shut down until the handler has finished.
+//
+// NodeRunner implements its internal locks that should not be used outside of
+// the struct. Instead, you should just call `nodeRunner.State()` method to get
+// the current state of the cluster(still need `cluster.mu.RLock()` to access
+// `cluster.nr` reference itself). Most of the changes in NodeRunner happen
+// because of an external event(network problem, unexpected swarmkit error) and
+// Docker shouldn't take any locks that delay these changes from happening.
+//
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types/network"
+	types "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/controllers/plugin"
+	executorpkg "github.com/docker/docker/daemon/cluster/executor"
+	"github.com/docker/docker/pkg/signal"
+	lncluster "github.com/docker/libnetwork/cluster"
+	swarmapi "github.com/docker/swarmkit/api"
+	swarmnode "github.com/docker/swarmkit/node"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const swarmDirName = "swarm"
+const controlSocket = "control.sock"
+const swarmConnectTimeout = 20 * time.Second
+const swarmRequestTimeout = 20 * time.Second
+const stateFile = "docker-state.json"
+const defaultAddr = "0.0.0.0:2377"
+
+const (
+	initialReconnectDelay = 100 * time.Millisecond
+	maxReconnectDelay     = 30 * time.Second
+	contextPrefix         = "com.docker.swarm"
+)
+
+// NetworkSubnetsProvider exposes functions for retrieving the subnets
+// of networks managed by Docker, so they can be filtered.
+type NetworkSubnetsProvider interface {
+	Subnets() ([]net.IPNet, []net.IPNet)
+}
+
+// Config provides values for Cluster.
+type Config struct {
+	Root                   string
+	Name                   string
+	Backend                executorpkg.Backend
+	ImageBackend           executorpkg.ImageBackend
+	PluginBackend          plugin.Backend
+	VolumeBackend          executorpkg.VolumeBackend
+	NetworkSubnetsProvider NetworkSubnetsProvider
+
+	// DefaultAdvertiseAddr is the default host/IP or network interface to use
+	// if no AdvertiseAddr value is specified.
+	DefaultAdvertiseAddr string
+
+	// path to store runtime state, such as the swarm control socket
+	RuntimeRoot string
+
+	// WatchStream is a channel to pass watch API notifications to daemon
+	WatchStream chan *swarmapi.WatchMessage
+
+	// RaftHeartbeatTick is the number of ticks for heartbeat of quorum members
+	RaftHeartbeatTick uint32
+
+	// RaftElectionTick is the number of ticks to elapse before followers propose a new round of leader election
+	// This value should be 10x that of RaftHeartbeatTick
+	RaftElectionTick uint32
+}
+
+// Cluster provides capabilities to participate in a cluster as a worker or a
+// manager.
+type Cluster struct {
+	mu           sync.RWMutex
+	controlMutex sync.RWMutex // protect init/join/leave user operations
+	nr           *nodeRunner
+	root         string
+	runtimeRoot  string
+	config       Config
+	configEvent  chan lncluster.ConfigEventType // todo: make this array and goroutine safe
+	attachers    map[string]*attacher
+	watchStream  chan *swarmapi.WatchMessage
+}
+
+// attacher manages the in-memory attachment state of a container
+// attachment to a global scope network managed by swarm manager. It
+// helps in identifying the attachment ID via the taskID and the
+// corresponding attachment configuration obtained from the manager.
+type attacher struct {
+	taskID           string
+	config           *network.NetworkingConfig
+	inProgress       bool
+	attachWaitCh     chan *network.NetworkingConfig
+	attachCompleteCh chan struct{}
+	detachWaitCh     chan struct{}
+}
+
+// New creates a new Cluster instance using provided config.
+func New(config Config) (*Cluster, error) {
+	root := filepath.Join(config.Root, swarmDirName)
+	if err := os.MkdirAll(root, 0700); err != nil {
+		return nil, err
+	}
+	if config.RuntimeRoot == "" {
+		config.RuntimeRoot = root
+	}
+	if config.RaftHeartbeatTick == 0 {
+		config.RaftHeartbeatTick = 1
+	}
+	if config.RaftElectionTick == 0 {
+		// 10X heartbeat tick is the recommended ratio according to etcd docs.
+		config.RaftElectionTick = 10 * config.RaftHeartbeatTick
+	}
+
+	if err := os.MkdirAll(config.RuntimeRoot, 0700); err != nil {
+		return nil, err
+	}
+	c := &Cluster{
+		root:        root,
+		config:      config,
+		configEvent: make(chan lncluster.ConfigEventType, 10),
+		runtimeRoot: config.RuntimeRoot,
+		attachers:   make(map[string]*attacher),
+		watchStream: config.WatchStream,
+	}
+	return c, nil
+}
+
+// Start the Cluster instance
+// TODO The split between New and Start can be join again when the SendClusterEvent
+// method is no longer required
+func (c *Cluster) Start() error {
+	root := filepath.Join(c.config.Root, swarmDirName)
+
+	nodeConfig, err := loadPersistentState(root)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	nr, err := c.newNodeRunner(*nodeConfig)
+	if err != nil {
+		return err
+	}
+	c.nr = nr
+
+	select {
+	case <-time.After(swarmConnectTimeout):
+		logrus.Error("swarm component could not be started before timeout was reached")
+	case err := <-nr.Ready():
+		if err != nil {
+			logrus.WithError(err).Error("swarm component could not be started")
+			return nil
+		}
+	}
+	return nil
+}
+
+func (c *Cluster) newNodeRunner(conf nodeStartConfig) (*nodeRunner, error) {
+	if err := c.config.Backend.IsSwarmCompatible(); err != nil {
+		return nil, err
+	}
+
+	actualLocalAddr := conf.LocalAddr
+	if actualLocalAddr == "" {
+		// If localAddr was not specified, resolve it automatically
+		// based on the route to joinAddr. localAddr can only be left
+		// empty on "join".
+		listenHost, _, err := net.SplitHostPort(conf.ListenAddr)
+		if err != nil {
+			return nil, fmt.Errorf("could not parse listen address: %v", err)
+		}
+
+		listenAddrIP := net.ParseIP(listenHost)
+		if listenAddrIP == nil || !listenAddrIP.IsUnspecified() {
+			actualLocalAddr = listenHost
+		} else {
+			if conf.RemoteAddr == "" {
+				// Should never happen except using swarms created by
+				// old versions that didn't save remoteAddr.
+				conf.RemoteAddr = "8.8.8.8:53"
+			}
+			conn, err := net.Dial("udp", conf.RemoteAddr)
+			if err != nil {
+				return nil, fmt.Errorf("could not find local IP address: %v", err)
+			}
+			localHostPort := conn.LocalAddr().String()
+			actualLocalAddr, _, _ = net.SplitHostPort(localHostPort)
+			conn.Close()
+		}
+	}
+
+	nr := &nodeRunner{cluster: c}
+	nr.actualLocalAddr = actualLocalAddr
+
+	if err := nr.Start(conf); err != nil {
+		return nil, err
+	}
+
+	c.config.Backend.DaemonJoinsCluster(c)
+
+	return nr, nil
+}
+
+func (c *Cluster) getRequestContext() (context.Context, func()) { // TODO: not needed when requests don't block on qourum lost
+	return context.WithTimeout(context.Background(), swarmRequestTimeout)
+}
+
+// IsManager returns true if Cluster is participating as a manager.
+func (c *Cluster) IsManager() bool {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.currentNodeState().IsActiveManager()
+}
+
+// IsAgent returns true if Cluster is participating as a worker/agent.
+func (c *Cluster) IsAgent() bool {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.currentNodeState().status == types.LocalNodeStateActive
+}
+
+// GetLocalAddress returns the local address.
+func (c *Cluster) GetLocalAddress() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.currentNodeState().actualLocalAddr
+}
+
+// GetListenAddress returns the listen address.
+func (c *Cluster) GetListenAddress() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	if c.nr != nil {
+		return c.nr.config.ListenAddr
+	}
+	return ""
+}
+
+// GetAdvertiseAddress returns the remotely reachable address of this node.
+func (c *Cluster) GetAdvertiseAddress() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	if c.nr != nil && c.nr.config.AdvertiseAddr != "" {
+		advertiseHost, _, _ := net.SplitHostPort(c.nr.config.AdvertiseAddr)
+		return advertiseHost
+	}
+	return c.currentNodeState().actualLocalAddr
+}
+
+// GetDataPathAddress returns the address to be used for the data path traffic, if specified.
+func (c *Cluster) GetDataPathAddress() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	if c.nr != nil {
+		return c.nr.config.DataPathAddr
+	}
+	return ""
+}
+
+// GetRemoteAddressList returns the advertise address for each of the remote managers if
+// available.
+func (c *Cluster) GetRemoteAddressList() []string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.getRemoteAddressList()
+}
+
+// GetWatchStream returns the channel to pass changes from store watch API
+func (c *Cluster) GetWatchStream() chan *swarmapi.WatchMessage {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.watchStream
+}
+
+func (c *Cluster) getRemoteAddressList() []string {
+	state := c.currentNodeState()
+	if state.swarmNode == nil {
+		return []string{}
+	}
+
+	nodeID := state.swarmNode.NodeID()
+	remotes := state.swarmNode.Remotes()
+	addressList := make([]string, 0, len(remotes))
+	for _, r := range remotes {
+		if r.NodeID != nodeID {
+			addressList = append(addressList, r.Addr)
+		}
+	}
+	return addressList
+}
+
+// ListenClusterEvents returns a channel that receives messages on cluster
+// participation changes.
+// todo: make cancelable and accessible to multiple callers
+func (c *Cluster) ListenClusterEvents() <-chan lncluster.ConfigEventType {
+	return c.configEvent
+}
+
+// currentNodeState should not be called without a read lock
+func (c *Cluster) currentNodeState() nodeState {
+	return c.nr.State()
+}
+
+// errNoManager returns error describing why manager commands can't be used.
+// Call with read lock.
+func (c *Cluster) errNoManager(st nodeState) error {
+	if st.swarmNode == nil {
+		if errors.Cause(st.err) == errSwarmLocked {
+			return errSwarmLocked
+		}
+		if st.err == errSwarmCertificatesExpired {
+			return errSwarmCertificatesExpired
+		}
+		return errors.WithStack(notAvailableError("This node is not a swarm manager. Use \"docker swarm init\" or \"docker swarm join\" to connect this node to swarm and try again."))
+	}
+	if st.swarmNode.Manager() != nil {
+		return errors.WithStack(notAvailableError("This node is not a swarm manager. Manager is being prepared or has trouble connecting to the cluster."))
+	}
+	return errors.WithStack(notAvailableError("This node is not a swarm manager. Worker nodes can't be used to view or modify cluster state. Please run this command on a manager node or promote the current node to a manager."))
+}
+
+// Cleanup stops active swarm node. This is run before daemon shutdown.
+func (c *Cluster) Cleanup() {
+	c.controlMutex.Lock()
+	defer c.controlMutex.Unlock()
+
+	c.mu.Lock()
+	node := c.nr
+	if node == nil {
+		c.mu.Unlock()
+		return
+	}
+	state := c.currentNodeState()
+	c.mu.Unlock()
+
+	if state.IsActiveManager() {
+		active, reachable, unreachable, err := managerStats(state.controlClient, state.NodeID())
+		if err == nil {
+			singlenode := active && isLastManager(reachable, unreachable)
+			if active && !singlenode && removingManagerCausesLossOfQuorum(reachable, unreachable) {
+				logrus.Errorf("Leaving cluster with %v managers left out of %v. Raft quorum will be lost.", reachable-1, reachable+unreachable)
+			}
+		}
+	}
+
+	if err := node.Stop(); err != nil {
+		logrus.Errorf("failed to shut down cluster node: %v", err)
+		signal.DumpStacks("")
+	}
+
+	c.mu.Lock()
+	c.nr = nil
+	c.mu.Unlock()
+}
+
+func managerStats(client swarmapi.ControlClient, currentNodeID string) (current bool, reachable int, unreachable int, err error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	nodes, err := client.ListNodes(ctx, &swarmapi.ListNodesRequest{})
+	if err != nil {
+		return false, 0, 0, err
+	}
+	for _, n := range nodes.Nodes {
+		if n.ManagerStatus != nil {
+			if n.ManagerStatus.Reachability == swarmapi.RaftMemberStatus_REACHABLE {
+				reachable++
+				if n.ID == currentNodeID {
+					current = true
+				}
+			}
+			if n.ManagerStatus.Reachability == swarmapi.RaftMemberStatus_UNREACHABLE {
+				unreachable++
+			}
+		}
+	}
+	return
+}
+
+func detectLockedError(err error) error {
+	if err == swarmnode.ErrInvalidUnlockKey {
+		return errors.WithStack(errSwarmLocked)
+	}
+	return err
+}
+
+func (c *Cluster) lockedManagerAction(fn func(ctx context.Context, state nodeState) error) error {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	state := c.currentNodeState()
+	if !state.IsActiveManager() {
+		return c.errNoManager(state)
+	}
+
+	ctx, cancel := c.getRequestContext()
+	defer cancel()
+
+	return fn(ctx, state)
+}
+
+// SendClusterEvent allows to send cluster events on the configEvent channel
+// TODO This method should not be exposed.
+// Currently it is used to notify the network controller that the keys are
+// available
+func (c *Cluster) SendClusterEvent(event lncluster.ConfigEventType) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	c.configEvent <- event
+}
diff --git a/engine/daemon/cluster/configs.go b/engine/daemon/cluster/configs.go
new file mode 100644
index 00000000..6b373e61
--- /dev/null
+++ b/engine/daemon/cluster/configs.go
@@ -0,0 +1,118 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"context"
+
+	apitypes "github.com/docker/docker/api/types"
+	types "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/convert"
+	swarmapi "github.com/docker/swarmkit/api"
+)
+
+// GetConfig returns a config from a managed swarm cluster
+func (c *Cluster) GetConfig(input string) (types.Config, error) {
+	var config *swarmapi.Config
+
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		s, err := getConfig(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+		config = s
+		return nil
+	}); err != nil {
+		return types.Config{}, err
+	}
+	return convert.ConfigFromGRPC(config), nil
+}
+
+// GetConfigs returns all configs of a managed swarm cluster.
+func (c *Cluster) GetConfigs(options apitypes.ConfigListOptions) ([]types.Config, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	state := c.currentNodeState()
+	if !state.IsActiveManager() {
+		return nil, c.errNoManager(state)
+	}
+
+	filters, err := newListConfigsFilters(options.Filters)
+	if err != nil {
+		return nil, err
+	}
+	ctx, cancel := c.getRequestContext()
+	defer cancel()
+
+	r, err := state.controlClient.ListConfigs(ctx,
+		&swarmapi.ListConfigsRequest{Filters: filters})
+	if err != nil {
+		return nil, err
+	}
+
+	configs := []types.Config{}
+
+	for _, config := range r.Configs {
+		configs = append(configs, convert.ConfigFromGRPC(config))
+	}
+
+	return configs, nil
+}
+
+// CreateConfig creates a new config in a managed swarm cluster.
+func (c *Cluster) CreateConfig(s types.ConfigSpec) (string, error) {
+	var resp *swarmapi.CreateConfigResponse
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		configSpec := convert.ConfigSpecToGRPC(s)
+
+		r, err := state.controlClient.CreateConfig(ctx,
+			&swarmapi.CreateConfigRequest{Spec: &configSpec})
+		if err != nil {
+			return err
+		}
+		resp = r
+		return nil
+	}); err != nil {
+		return "", err
+	}
+	return resp.Config.ID, nil
+}
+
+// RemoveConfig removes a config from a managed swarm cluster.
+func (c *Cluster) RemoveConfig(input string) error {
+	return c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		config, err := getConfig(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+
+		req := &swarmapi.RemoveConfigRequest{
+			ConfigID: config.ID,
+		}
+
+		_, err = state.controlClient.RemoveConfig(ctx, req)
+		return err
+	})
+}
+
+// UpdateConfig updates a config in a managed swarm cluster.
+// Note: this is not exposed to the CLI but is available from the API only
+func (c *Cluster) UpdateConfig(input string, version uint64, spec types.ConfigSpec) error {
+	return c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		config, err := getConfig(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+
+		configSpec := convert.ConfigSpecToGRPC(spec)
+
+		_, err = state.controlClient.UpdateConfig(ctx,
+			&swarmapi.UpdateConfigRequest{
+				ConfigID: config.ID,
+				ConfigVersion: &swarmapi.Version{
+					Index: version,
+				},
+				Spec: &configSpec,
+			})
+		return err
+	})
+}
diff --git a/engine/daemon/cluster/controllers/plugin/controller.go b/engine/daemon/cluster/controllers/plugin/controller.go
new file mode 100644
index 00000000..6d7606aa
--- /dev/null
+++ b/engine/daemon/cluster/controllers/plugin/controller.go
@@ -0,0 +1,261 @@
+package plugin // import "github.com/docker/docker/daemon/cluster/controllers/plugin"
+
+import (
+	"context"
+	"io"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/docker/distribution/reference"
+	enginetypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm/runtime"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/plugin"
+	"github.com/docker/docker/plugin/v2"
+	"github.com/docker/swarmkit/api"
+	"github.com/gogo/protobuf/proto"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Controller is the controller for the plugin backend.
+// Plugins are managed as a singleton object with a desired state (different from containers).
+// With the plugin controller instead of having a strict create->start->stop->remove
+// task lifecycle like containers, we manage the desired state of the plugin and let
+// the plugin manager do what it already does and monitor the plugin.
+// We'll also end up with many tasks all pointing to the same plugin ID.
+//
+// TODO(@cpuguy83): registry auth is intentionally not supported until we work out
+// the right way to pass registry credentials via secrets.
+type Controller struct {
+	backend Backend
+	spec    runtime.PluginSpec
+	logger  *logrus.Entry
+
+	pluginID  string
+	serviceID string
+	taskID    string
+
+	// hook used to signal tests that `Wait()` is actually ready and waiting
+	signalWaitReady func()
+}
+
+// Backend is the interface for interacting with the plugin manager
+// Controller actions are passed to the configured backend to do the real work.
+type Backend interface {
+	Disable(name string, config *enginetypes.PluginDisableConfig) error
+	Enable(name string, config *enginetypes.PluginEnableConfig) error
+	Remove(name string, config *enginetypes.PluginRmConfig) error
+	Pull(ctx context.Context, ref reference.Named, name string, metaHeaders http.Header, authConfig *enginetypes.AuthConfig, privileges enginetypes.PluginPrivileges, outStream io.Writer, opts ...plugin.CreateOpt) error
+	Upgrade(ctx context.Context, ref reference.Named, name string, metaHeaders http.Header, authConfig *enginetypes.AuthConfig, privileges enginetypes.PluginPrivileges, outStream io.Writer) error
+	Get(name string) (*v2.Plugin, error)
+	SubscribeEvents(buffer int, events ...plugin.Event) (eventCh <-chan interface{}, cancel func())
+}
+
+// NewController returns a new cluster plugin controller
+func NewController(backend Backend, t *api.Task) (*Controller, error) {
+	spec, err := readSpec(t)
+	if err != nil {
+		return nil, err
+	}
+	return &Controller{
+		backend:   backend,
+		spec:      spec,
+		serviceID: t.ServiceID,
+		logger: logrus.WithFields(logrus.Fields{
+			"controller": "plugin",
+			"task":       t.ID,
+			"plugin":     spec.Name,
+		})}, nil
+}
+
+func readSpec(t *api.Task) (runtime.PluginSpec, error) {
+	var cfg runtime.PluginSpec
+
+	generic := t.Spec.GetGeneric()
+	if err := proto.Unmarshal(generic.Payload.Value, &cfg); err != nil {
+		return cfg, errors.Wrap(err, "error reading plugin spec")
+	}
+	return cfg, nil
+}
+
+// Update is the update phase from swarmkit
+func (p *Controller) Update(ctx context.Context, t *api.Task) error {
+	p.logger.Debug("Update")
+	return nil
+}
+
+// Prepare is the prepare phase from swarmkit
+func (p *Controller) Prepare(ctx context.Context) (err error) {
+	p.logger.Debug("Prepare")
+
+	remote, err := reference.ParseNormalizedNamed(p.spec.Remote)
+	if err != nil {
+		return errors.Wrapf(err, "error parsing remote reference %q", p.spec.Remote)
+	}
+
+	if p.spec.Name == "" {
+		p.spec.Name = remote.String()
+	}
+
+	var authConfig enginetypes.AuthConfig
+	privs := convertPrivileges(p.spec.Privileges)
+
+	pl, err := p.backend.Get(p.spec.Name)
+
+	defer func() {
+		if pl != nil && err == nil {
+			pl.Acquire()
+		}
+	}()
+
+	if err == nil && pl != nil {
+		if pl.SwarmServiceID != p.serviceID {
+			return errors.Errorf("plugin already exists: %s", p.spec.Name)
+		}
+		if pl.IsEnabled() {
+			if err := p.backend.Disable(pl.GetID(), &enginetypes.PluginDisableConfig{ForceDisable: true}); err != nil {
+				p.logger.WithError(err).Debug("could not disable plugin before running upgrade")
+			}
+		}
+		p.pluginID = pl.GetID()
+		return p.backend.Upgrade(ctx, remote, p.spec.Name, nil, &authConfig, privs, ioutil.Discard)
+	}
+
+	if err := p.backend.Pull(ctx, remote, p.spec.Name, nil, &authConfig, privs, ioutil.Discard, plugin.WithSwarmService(p.serviceID)); err != nil {
+		return err
+	}
+	pl, err = p.backend.Get(p.spec.Name)
+	if err != nil {
+		return err
+	}
+	p.pluginID = pl.GetID()
+
+	return nil
+}
+
+// Start is the start phase from swarmkit
+func (p *Controller) Start(ctx context.Context) error {
+	p.logger.Debug("Start")
+
+	pl, err := p.backend.Get(p.pluginID)
+	if err != nil {
+		return err
+	}
+
+	if p.spec.Disabled {
+		if pl.IsEnabled() {
+			return p.backend.Disable(p.pluginID, &enginetypes.PluginDisableConfig{ForceDisable: false})
+		}
+		return nil
+	}
+	if !pl.IsEnabled() {
+		return p.backend.Enable(p.pluginID, &enginetypes.PluginEnableConfig{Timeout: 30})
+	}
+	return nil
+}
+
+// Wait causes the task to wait until returned
+func (p *Controller) Wait(ctx context.Context) error {
+	p.logger.Debug("Wait")
+
+	pl, err := p.backend.Get(p.pluginID)
+	if err != nil {
+		return err
+	}
+
+	events, cancel := p.backend.SubscribeEvents(1, plugin.EventDisable{Plugin: pl.PluginObj}, plugin.EventRemove{Plugin: pl.PluginObj}, plugin.EventEnable{Plugin: pl.PluginObj})
+	defer cancel()
+
+	if p.signalWaitReady != nil {
+		p.signalWaitReady()
+	}
+
+	if !p.spec.Disabled != pl.IsEnabled() {
+		return errors.New("mismatched plugin state")
+	}
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case e := <-events:
+			p.logger.Debugf("got event %#T", e)
+
+			switch e.(type) {
+			case plugin.EventEnable:
+				if p.spec.Disabled {
+					return errors.New("plugin enabled")
+				}
+			case plugin.EventRemove:
+				return errors.New("plugin removed")
+			case plugin.EventDisable:
+				if !p.spec.Disabled {
+					return errors.New("plugin disabled")
+				}
+			}
+		}
+	}
+}
+
+func isNotFound(err error) bool {
+	return errdefs.IsNotFound(err)
+}
+
+// Shutdown is the shutdown phase from swarmkit
+func (p *Controller) Shutdown(ctx context.Context) error {
+	p.logger.Debug("Shutdown")
+	return nil
+}
+
+// Terminate is the terminate phase from swarmkit
+func (p *Controller) Terminate(ctx context.Context) error {
+	p.logger.Debug("Terminate")
+	return nil
+}
+
+// Remove is the remove phase from swarmkit
+func (p *Controller) Remove(ctx context.Context) error {
+	p.logger.Debug("Remove")
+
+	pl, err := p.backend.Get(p.pluginID)
+	if err != nil {
+		if isNotFound(err) {
+			return nil
+		}
+		return err
+	}
+
+	pl.Release()
+	if pl.GetRefCount() > 0 {
+		p.logger.Debug("skipping remove due to ref count")
+		return nil
+	}
+
+	// This may error because we have exactly 1 plugin, but potentially multiple
+	// tasks which are calling remove.
+	err = p.backend.Remove(p.pluginID, &enginetypes.PluginRmConfig{ForceRemove: true})
+	if isNotFound(err) {
+		return nil
+	}
+	return err
+}
+
+// Close is the close phase from swarmkit
+func (p *Controller) Close() error {
+	p.logger.Debug("Close")
+	return nil
+}
+
+func convertPrivileges(ls []*runtime.PluginPrivilege) enginetypes.PluginPrivileges {
+	var out enginetypes.PluginPrivileges
+	for _, p := range ls {
+		pp := enginetypes.PluginPrivilege{
+			Name:        p.Name,
+			Description: p.Description,
+			Value:       p.Value,
+		}
+		out = append(out, pp)
+	}
+	return out
+}
diff --git a/engine/daemon/cluster/controllers/plugin/controller_test.go b/engine/daemon/cluster/controllers/plugin/controller_test.go
new file mode 100644
index 00000000..8329d447
--- /dev/null
+++ b/engine/daemon/cluster/controllers/plugin/controller_test.go
@@ -0,0 +1,390 @@
+package plugin // import "github.com/docker/docker/daemon/cluster/controllers/plugin"
+
+import (
+	"context"
+	"errors"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	enginetypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm/runtime"
+	"github.com/docker/docker/pkg/pubsub"
+	"github.com/docker/docker/plugin"
+	"github.com/docker/docker/plugin/v2"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	pluginTestName          = "test"
+	pluginTestRemote        = "testremote"
+	pluginTestRemoteUpgrade = "testremote2"
+)
+
+func TestPrepare(t *testing.T) {
+	b := newMockBackend()
+	c := newTestController(b, false)
+	ctx := context.Background()
+
+	if err := c.Prepare(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	if b.p == nil {
+		t.Fatal("pull not performed")
+	}
+
+	c = newTestController(b, false)
+	if err := c.Prepare(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if b.p == nil {
+		t.Fatal("unexpected nil")
+	}
+	if b.p.PluginObj.PluginReference != pluginTestRemoteUpgrade {
+		t.Fatal("upgrade not performed")
+	}
+
+	c = newTestController(b, false)
+	c.serviceID = "1"
+	if err := c.Prepare(ctx); err == nil {
+		t.Fatal("expected error on prepare")
+	}
+}
+
+func TestStart(t *testing.T) {
+	b := newMockBackend()
+	c := newTestController(b, false)
+	ctx := context.Background()
+
+	if err := c.Prepare(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Start(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	if !b.p.IsEnabled() {
+		t.Fatal("expected plugin to be enabled")
+	}
+
+	c = newTestController(b, true)
+	if err := c.Prepare(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.Start(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if b.p.IsEnabled() {
+		t.Fatal("expected plugin to be disabled")
+	}
+
+	c = newTestController(b, false)
+	if err := c.Prepare(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.Start(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if !b.p.IsEnabled() {
+		t.Fatal("expected plugin to be enabled")
+	}
+}
+
+func TestWaitCancel(t *testing.T) {
+	b := newMockBackend()
+	c := newTestController(b, true)
+	ctx := context.Background()
+	if err := c.Prepare(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.Start(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	ctxCancel, cancel := context.WithCancel(ctx)
+	chErr := make(chan error)
+	go func() {
+		chErr <- c.Wait(ctxCancel)
+	}()
+	cancel()
+	select {
+	case err := <-chErr:
+		if err != context.Canceled {
+			t.Fatal(err)
+		}
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for cancelation")
+	}
+}
+
+func TestWaitDisabled(t *testing.T) {
+	b := newMockBackend()
+	c := newTestController(b, true)
+	ctx := context.Background()
+	if err := c.Prepare(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.Start(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	chErr := make(chan error)
+	go func() {
+		chErr <- c.Wait(ctx)
+	}()
+
+	if err := b.Enable("test", nil); err != nil {
+		t.Fatal(err)
+	}
+	select {
+	case err := <-chErr:
+		if err == nil {
+			t.Fatal("expected error")
+		}
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for event")
+	}
+
+	if err := c.Start(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	ctxWaitReady, cancelCtxWaitReady := context.WithTimeout(ctx, 30*time.Second)
+	c.signalWaitReady = cancelCtxWaitReady
+	defer cancelCtxWaitReady()
+
+	go func() {
+		chErr <- c.Wait(ctx)
+	}()
+
+	chEvent, cancel := b.SubscribeEvents(1)
+	defer cancel()
+
+	if err := b.Disable("test", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	select {
+	case <-chEvent:
+		<-ctxWaitReady.Done()
+		if err := ctxWaitReady.Err(); err == context.DeadlineExceeded {
+			t.Fatal(err)
+		}
+		select {
+		case <-chErr:
+			t.Fatal("wait returned unexpectedly")
+		default:
+			// all good
+		}
+	case <-chErr:
+		t.Fatal("wait returned unexpectedly")
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for event")
+	}
+
+	if err := b.Remove("test", nil); err != nil {
+		t.Fatal(err)
+	}
+	select {
+	case err := <-chErr:
+		if err == nil {
+			t.Fatal("expected error")
+		}
+		if !strings.Contains(err.Error(), "removed") {
+			t.Fatal(err)
+		}
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for event")
+	}
+}
+
+func TestWaitEnabled(t *testing.T) {
+	b := newMockBackend()
+	c := newTestController(b, false)
+	ctx := context.Background()
+	if err := c.Prepare(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.Start(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	chErr := make(chan error)
+	go func() {
+		chErr <- c.Wait(ctx)
+	}()
+
+	if err := b.Disable("test", nil); err != nil {
+		t.Fatal(err)
+	}
+	select {
+	case err := <-chErr:
+		if err == nil {
+			t.Fatal("expected error")
+		}
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for event")
+	}
+
+	if err := c.Start(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	ctxWaitReady, ctxWaitCancel := context.WithCancel(ctx)
+	c.signalWaitReady = ctxWaitCancel
+	defer ctxWaitCancel()
+
+	go func() {
+		chErr <- c.Wait(ctx)
+	}()
+
+	chEvent, cancel := b.SubscribeEvents(1)
+	defer cancel()
+
+	if err := b.Enable("test", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	select {
+	case <-chEvent:
+		<-ctxWaitReady.Done()
+		if err := ctxWaitReady.Err(); err == context.DeadlineExceeded {
+			t.Fatal(err)
+		}
+		select {
+		case <-chErr:
+			t.Fatal("wait returned unexpectedly")
+		default:
+			// all good
+		}
+	case <-chErr:
+		t.Fatal("wait returned unexpectedly")
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for event")
+	}
+
+	if err := b.Remove("test", nil); err != nil {
+		t.Fatal(err)
+	}
+	select {
+	case err := <-chErr:
+		if err == nil {
+			t.Fatal("expected error")
+		}
+		if !strings.Contains(err.Error(), "removed") {
+			t.Fatal(err)
+		}
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for event")
+	}
+}
+
+func TestRemove(t *testing.T) {
+	b := newMockBackend()
+	c := newTestController(b, false)
+	ctx := context.Background()
+
+	if err := c.Prepare(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if err := c.Shutdown(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	c2 := newTestController(b, false)
+	if err := c2.Prepare(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Remove(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if b.p == nil {
+		t.Fatal("plugin removed unexpectedly")
+	}
+	if err := c2.Shutdown(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if err := c2.Remove(ctx); err != nil {
+		t.Fatal(err)
+	}
+	if b.p != nil {
+		t.Fatal("expected plugin to be removed")
+	}
+}
+
+func newTestController(b Backend, disabled bool) *Controller {
+	return &Controller{
+		logger:  &logrus.Entry{Logger: &logrus.Logger{Out: ioutil.Discard}},
+		backend: b,
+		spec: runtime.PluginSpec{
+			Name:     pluginTestName,
+			Remote:   pluginTestRemote,
+			Disabled: disabled,
+		},
+	}
+}
+
+func newMockBackend() *mockBackend {
+	return &mockBackend{
+		pub: pubsub.NewPublisher(0, 0),
+	}
+}
+
+type mockBackend struct {
+	p   *v2.Plugin
+	pub *pubsub.Publisher
+}
+
+func (m *mockBackend) Disable(name string, config *enginetypes.PluginDisableConfig) error {
+	m.p.PluginObj.Enabled = false
+	m.pub.Publish(plugin.EventDisable{})
+	return nil
+}
+
+func (m *mockBackend) Enable(name string, config *enginetypes.PluginEnableConfig) error {
+	m.p.PluginObj.Enabled = true
+	m.pub.Publish(plugin.EventEnable{})
+	return nil
+}
+
+func (m *mockBackend) Remove(name string, config *enginetypes.PluginRmConfig) error {
+	m.p = nil
+	m.pub.Publish(plugin.EventRemove{})
+	return nil
+}
+
+func (m *mockBackend) Pull(ctx context.Context, ref reference.Named, name string, metaHeaders http.Header, authConfig *enginetypes.AuthConfig, privileges enginetypes.PluginPrivileges, outStream io.Writer, opts ...plugin.CreateOpt) error {
+	m.p = &v2.Plugin{
+		PluginObj: enginetypes.Plugin{
+			ID:              "1234",
+			Name:            name,
+			PluginReference: ref.String(),
+		},
+	}
+	return nil
+}
+
+func (m *mockBackend) Upgrade(ctx context.Context, ref reference.Named, name string, metaHeaders http.Header, authConfig *enginetypes.AuthConfig, privileges enginetypes.PluginPrivileges, outStream io.Writer) error {
+	m.p.PluginObj.PluginReference = pluginTestRemoteUpgrade
+	return nil
+}
+
+func (m *mockBackend) Get(name string) (*v2.Plugin, error) {
+	if m.p == nil {
+		return nil, errors.New("not found")
+	}
+	return m.p, nil
+}
+
+func (m *mockBackend) SubscribeEvents(buffer int, events ...plugin.Event) (eventCh <-chan interface{}, cancel func()) {
+	ch := m.pub.SubscribeTopicWithBuffer(nil, buffer)
+	cancel = func() { m.pub.Evict(ch) }
+	return ch, cancel
+}
diff --git a/engine/daemon/cluster/convert/config.go b/engine/daemon/cluster/convert/config.go
new file mode 100644
index 00000000..16b3475a
--- /dev/null
+++ b/engine/daemon/cluster/convert/config.go
@@ -0,0 +1,78 @@
+package convert // import "github.com/docker/docker/daemon/cluster/convert"
+
+import (
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	types "github.com/docker/docker/api/types/swarm"
+	swarmapi "github.com/docker/swarmkit/api"
+	gogotypes "github.com/gogo/protobuf/types"
+)
+
+// ConfigFromGRPC converts a grpc Config to a Config.
+func ConfigFromGRPC(s *swarmapi.Config) swarmtypes.Config {
+	config := swarmtypes.Config{
+		ID: s.ID,
+		Spec: swarmtypes.ConfigSpec{
+			Annotations: annotationsFromGRPC(s.Spec.Annotations),
+			Data:        s.Spec.Data,
+		},
+	}
+
+	config.Version.Index = s.Meta.Version.Index
+	// Meta
+	config.CreatedAt, _ = gogotypes.TimestampFromProto(s.Meta.CreatedAt)
+	config.UpdatedAt, _ = gogotypes.TimestampFromProto(s.Meta.UpdatedAt)
+
+	if s.Spec.Templating != nil {
+		config.Spec.Templating = &types.Driver{
+			Name:    s.Spec.Templating.Name,
+			Options: s.Spec.Templating.Options,
+		}
+	}
+
+	return config
+}
+
+// ConfigSpecToGRPC converts Config to a grpc Config.
+func ConfigSpecToGRPC(s swarmtypes.ConfigSpec) swarmapi.ConfigSpec {
+	spec := swarmapi.ConfigSpec{
+		Annotations: swarmapi.Annotations{
+			Name:   s.Name,
+			Labels: s.Labels,
+		},
+		Data: s.Data,
+	}
+
+	if s.Templating != nil {
+		spec.Templating = &swarmapi.Driver{
+			Name:    s.Templating.Name,
+			Options: s.Templating.Options,
+		}
+	}
+
+	return spec
+}
+
+// ConfigReferencesFromGRPC converts a slice of grpc ConfigReference to ConfigReference
+func ConfigReferencesFromGRPC(s []*swarmapi.ConfigReference) []*swarmtypes.ConfigReference {
+	refs := []*swarmtypes.ConfigReference{}
+
+	for _, r := range s {
+		ref := &swarmtypes.ConfigReference{
+			ConfigID:   r.ConfigID,
+			ConfigName: r.ConfigName,
+		}
+
+		if t, ok := r.Target.(*swarmapi.ConfigReference_File); ok {
+			ref.File = &swarmtypes.ConfigReferenceFileTarget{
+				Name: t.File.Name,
+				UID:  t.File.UID,
+				GID:  t.File.GID,
+				Mode: t.File.Mode,
+			}
+		}
+
+		refs = append(refs, ref)
+	}
+
+	return refs
+}
diff --git a/engine/daemon/cluster/convert/container.go b/engine/daemon/cluster/convert/container.go
new file mode 100644
index 00000000..d889b400
--- /dev/null
+++ b/engine/daemon/cluster/convert/container.go
@@ -0,0 +1,398 @@
+package convert // import "github.com/docker/docker/daemon/cluster/convert"
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/api/types/container"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	types "github.com/docker/docker/api/types/swarm"
+	swarmapi "github.com/docker/swarmkit/api"
+	gogotypes "github.com/gogo/protobuf/types"
+	"github.com/sirupsen/logrus"
+)
+
+func containerSpecFromGRPC(c *swarmapi.ContainerSpec) *types.ContainerSpec {
+	if c == nil {
+		return nil
+	}
+	containerSpec := &types.ContainerSpec{
+		Image:      c.Image,
+		Labels:     c.Labels,
+		Command:    c.Command,
+		Args:       c.Args,
+		Hostname:   c.Hostname,
+		Env:        c.Env,
+		Dir:        c.Dir,
+		User:       c.User,
+		Groups:     c.Groups,
+		StopSignal: c.StopSignal,
+		TTY:        c.TTY,
+		OpenStdin:  c.OpenStdin,
+		ReadOnly:   c.ReadOnly,
+		Hosts:      c.Hosts,
+		Secrets:    secretReferencesFromGRPC(c.Secrets),
+		Configs:    configReferencesFromGRPC(c.Configs),
+		Isolation:  IsolationFromGRPC(c.Isolation),
+		Init:       initFromGRPC(c.Init),
+	}
+
+	if c.DNSConfig != nil {
+		containerSpec.DNSConfig = &types.DNSConfig{
+			Nameservers: c.DNSConfig.Nameservers,
+			Search:      c.DNSConfig.Search,
+			Options:     c.DNSConfig.Options,
+		}
+	}
+
+	// Privileges
+	if c.Privileges != nil {
+		containerSpec.Privileges = &types.Privileges{}
+
+		if c.Privileges.CredentialSpec != nil {
+			containerSpec.Privileges.CredentialSpec = &types.CredentialSpec{}
+			switch c.Privileges.CredentialSpec.Source.(type) {
+			case *swarmapi.Privileges_CredentialSpec_File:
+				containerSpec.Privileges.CredentialSpec.File = c.Privileges.CredentialSpec.GetFile()
+			case *swarmapi.Privileges_CredentialSpec_Registry:
+				containerSpec.Privileges.CredentialSpec.Registry = c.Privileges.CredentialSpec.GetRegistry()
+			}
+		}
+
+		if c.Privileges.SELinuxContext != nil {
+			containerSpec.Privileges.SELinuxContext = &types.SELinuxContext{
+				Disable: c.Privileges.SELinuxContext.Disable,
+				User:    c.Privileges.SELinuxContext.User,
+				Type:    c.Privileges.SELinuxContext.Type,
+				Role:    c.Privileges.SELinuxContext.Role,
+				Level:   c.Privileges.SELinuxContext.Level,
+			}
+		}
+	}
+
+	// Mounts
+	for _, m := range c.Mounts {
+		mount := mounttypes.Mount{
+			Target:   m.Target,
+			Source:   m.Source,
+			Type:     mounttypes.Type(strings.ToLower(swarmapi.Mount_MountType_name[int32(m.Type)])),
+			ReadOnly: m.ReadOnly,
+		}
+
+		if m.BindOptions != nil {
+			mount.BindOptions = &mounttypes.BindOptions{
+				Propagation: mounttypes.Propagation(strings.ToLower(swarmapi.Mount_BindOptions_MountPropagation_name[int32(m.BindOptions.Propagation)])),
+			}
+		}
+
+		if m.VolumeOptions != nil {
+			mount.VolumeOptions = &mounttypes.VolumeOptions{
+				NoCopy: m.VolumeOptions.NoCopy,
+				Labels: m.VolumeOptions.Labels,
+			}
+			if m.VolumeOptions.DriverConfig != nil {
+				mount.VolumeOptions.DriverConfig = &mounttypes.Driver{
+					Name:    m.VolumeOptions.DriverConfig.Name,
+					Options: m.VolumeOptions.DriverConfig.Options,
+				}
+			}
+		}
+
+		if m.TmpfsOptions != nil {
+			mount.TmpfsOptions = &mounttypes.TmpfsOptions{
+				SizeBytes: m.TmpfsOptions.SizeBytes,
+				Mode:      m.TmpfsOptions.Mode,
+			}
+		}
+		containerSpec.Mounts = append(containerSpec.Mounts, mount)
+	}
+
+	if c.StopGracePeriod != nil {
+		grace, _ := gogotypes.DurationFromProto(c.StopGracePeriod)
+		containerSpec.StopGracePeriod = &grace
+	}
+
+	if c.Healthcheck != nil {
+		containerSpec.Healthcheck = healthConfigFromGRPC(c.Healthcheck)
+	}
+
+	return containerSpec
+}
+
+func initFromGRPC(v *gogotypes.BoolValue) *bool {
+	if v == nil {
+		return nil
+	}
+	value := v.GetValue()
+	return &value
+}
+
+func initToGRPC(v *bool) *gogotypes.BoolValue {
+	if v == nil {
+		return nil
+	}
+	return &gogotypes.BoolValue{Value: *v}
+}
+
+func secretReferencesToGRPC(sr []*types.SecretReference) []*swarmapi.SecretReference {
+	refs := make([]*swarmapi.SecretReference, 0, len(sr))
+	for _, s := range sr {
+		ref := &swarmapi.SecretReference{
+			SecretID:   s.SecretID,
+			SecretName: s.SecretName,
+		}
+		if s.File != nil {
+			ref.Target = &swarmapi.SecretReference_File{
+				File: &swarmapi.FileTarget{
+					Name: s.File.Name,
+					UID:  s.File.UID,
+					GID:  s.File.GID,
+					Mode: s.File.Mode,
+				},
+			}
+		}
+
+		refs = append(refs, ref)
+	}
+
+	return refs
+}
+
+func secretReferencesFromGRPC(sr []*swarmapi.SecretReference) []*types.SecretReference {
+	refs := make([]*types.SecretReference, 0, len(sr))
+	for _, s := range sr {
+		target := s.GetFile()
+		if target == nil {
+			// not a file target
+			logrus.Warnf("secret target not a file: secret=%s", s.SecretID)
+			continue
+		}
+		refs = append(refs, &types.SecretReference{
+			File: &types.SecretReferenceFileTarget{
+				Name: target.Name,
+				UID:  target.UID,
+				GID:  target.GID,
+				Mode: target.Mode,
+			},
+			SecretID:   s.SecretID,
+			SecretName: s.SecretName,
+		})
+	}
+
+	return refs
+}
+
+func configReferencesToGRPC(sr []*types.ConfigReference) []*swarmapi.ConfigReference {
+	refs := make([]*swarmapi.ConfigReference, 0, len(sr))
+	for _, s := range sr {
+		ref := &swarmapi.ConfigReference{
+			ConfigID:   s.ConfigID,
+			ConfigName: s.ConfigName,
+		}
+		if s.File != nil {
+			ref.Target = &swarmapi.ConfigReference_File{
+				File: &swarmapi.FileTarget{
+					Name: s.File.Name,
+					UID:  s.File.UID,
+					GID:  s.File.GID,
+					Mode: s.File.Mode,
+				},
+			}
+		}
+
+		refs = append(refs, ref)
+	}
+
+	return refs
+}
+
+func configReferencesFromGRPC(sr []*swarmapi.ConfigReference) []*types.ConfigReference {
+	refs := make([]*types.ConfigReference, 0, len(sr))
+	for _, s := range sr {
+		target := s.GetFile()
+		if target == nil {
+			// not a file target
+			logrus.Warnf("config target not a file: config=%s", s.ConfigID)
+			continue
+		}
+		refs = append(refs, &types.ConfigReference{
+			File: &types.ConfigReferenceFileTarget{
+				Name: target.Name,
+				UID:  target.UID,
+				GID:  target.GID,
+				Mode: target.Mode,
+			},
+			ConfigID:   s.ConfigID,
+			ConfigName: s.ConfigName,
+		})
+	}
+
+	return refs
+}
+
+func containerToGRPC(c *types.ContainerSpec) (*swarmapi.ContainerSpec, error) {
+	containerSpec := &swarmapi.ContainerSpec{
+		Image:      c.Image,
+		Labels:     c.Labels,
+		Command:    c.Command,
+		Args:       c.Args,
+		Hostname:   c.Hostname,
+		Env:        c.Env,
+		Dir:        c.Dir,
+		User:       c.User,
+		Groups:     c.Groups,
+		StopSignal: c.StopSignal,
+		TTY:        c.TTY,
+		OpenStdin:  c.OpenStdin,
+		ReadOnly:   c.ReadOnly,
+		Hosts:      c.Hosts,
+		Secrets:    secretReferencesToGRPC(c.Secrets),
+		Configs:    configReferencesToGRPC(c.Configs),
+		Isolation:  isolationToGRPC(c.Isolation),
+		Init:       initToGRPC(c.Init),
+	}
+
+	if c.DNSConfig != nil {
+		containerSpec.DNSConfig = &swarmapi.ContainerSpec_DNSConfig{
+			Nameservers: c.DNSConfig.Nameservers,
+			Search:      c.DNSConfig.Search,
+			Options:     c.DNSConfig.Options,
+		}
+	}
+
+	if c.StopGracePeriod != nil {
+		containerSpec.StopGracePeriod = gogotypes.DurationProto(*c.StopGracePeriod)
+	}
+
+	// Privileges
+	if c.Privileges != nil {
+		containerSpec.Privileges = &swarmapi.Privileges{}
+
+		if c.Privileges.CredentialSpec != nil {
+			containerSpec.Privileges.CredentialSpec = &swarmapi.Privileges_CredentialSpec{}
+
+			if c.Privileges.CredentialSpec.File != "" && c.Privileges.CredentialSpec.Registry != "" {
+				return nil, errors.New("cannot specify both \"file\" and \"registry\" credential specs")
+			}
+			if c.Privileges.CredentialSpec.File != "" {
+				containerSpec.Privileges.CredentialSpec.Source = &swarmapi.Privileges_CredentialSpec_File{
+					File: c.Privileges.CredentialSpec.File,
+				}
+			} else if c.Privileges.CredentialSpec.Registry != "" {
+				containerSpec.Privileges.CredentialSpec.Source = &swarmapi.Privileges_CredentialSpec_Registry{
+					Registry: c.Privileges.CredentialSpec.Registry,
+				}
+			} else {
+				return nil, errors.New("must either provide \"file\" or \"registry\" for credential spec")
+			}
+		}
+
+		if c.Privileges.SELinuxContext != nil {
+			containerSpec.Privileges.SELinuxContext = &swarmapi.Privileges_SELinuxContext{
+				Disable: c.Privileges.SELinuxContext.Disable,
+				User:    c.Privileges.SELinuxContext.User,
+				Type:    c.Privileges.SELinuxContext.Type,
+				Role:    c.Privileges.SELinuxContext.Role,
+				Level:   c.Privileges.SELinuxContext.Level,
+			}
+		}
+	}
+
+	// Mounts
+	for _, m := range c.Mounts {
+		mount := swarmapi.Mount{
+			Target:   m.Target,
+			Source:   m.Source,
+			ReadOnly: m.ReadOnly,
+		}
+
+		if mountType, ok := swarmapi.Mount_MountType_value[strings.ToUpper(string(m.Type))]; ok {
+			mount.Type = swarmapi.Mount_MountType(mountType)
+		} else if string(m.Type) != "" {
+			return nil, fmt.Errorf("invalid MountType: %q", m.Type)
+		}
+
+		if m.BindOptions != nil {
+			if mountPropagation, ok := swarmapi.Mount_BindOptions_MountPropagation_value[strings.ToUpper(string(m.BindOptions.Propagation))]; ok {
+				mount.BindOptions = &swarmapi.Mount_BindOptions{Propagation: swarmapi.Mount_BindOptions_MountPropagation(mountPropagation)}
+			} else if string(m.BindOptions.Propagation) != "" {
+				return nil, fmt.Errorf("invalid MountPropagation: %q", m.BindOptions.Propagation)
+			}
+		}
+
+		if m.VolumeOptions != nil {
+			mount.VolumeOptions = &swarmapi.Mount_VolumeOptions{
+				NoCopy: m.VolumeOptions.NoCopy,
+				Labels: m.VolumeOptions.Labels,
+			}
+			if m.VolumeOptions.DriverConfig != nil {
+				mount.VolumeOptions.DriverConfig = &swarmapi.Driver{
+					Name:    m.VolumeOptions.DriverConfig.Name,
+					Options: m.VolumeOptions.DriverConfig.Options,
+				}
+			}
+		}
+
+		if m.TmpfsOptions != nil {
+			mount.TmpfsOptions = &swarmapi.Mount_TmpfsOptions{
+				SizeBytes: m.TmpfsOptions.SizeBytes,
+				Mode:      m.TmpfsOptions.Mode,
+			}
+		}
+
+		containerSpec.Mounts = append(containerSpec.Mounts, mount)
+	}
+
+	if c.Healthcheck != nil {
+		containerSpec.Healthcheck = healthConfigToGRPC(c.Healthcheck)
+	}
+
+	return containerSpec, nil
+}
+
+func healthConfigFromGRPC(h *swarmapi.HealthConfig) *container.HealthConfig {
+	interval, _ := gogotypes.DurationFromProto(h.Interval)
+	timeout, _ := gogotypes.DurationFromProto(h.Timeout)
+	startPeriod, _ := gogotypes.DurationFromProto(h.StartPeriod)
+	return &container.HealthConfig{
+		Test:        h.Test,
+		Interval:    interval,
+		Timeout:     timeout,
+		Retries:     int(h.Retries),
+		StartPeriod: startPeriod,
+	}
+}
+
+func healthConfigToGRPC(h *container.HealthConfig) *swarmapi.HealthConfig {
+	return &swarmapi.HealthConfig{
+		Test:        h.Test,
+		Interval:    gogotypes.DurationProto(h.Interval),
+		Timeout:     gogotypes.DurationProto(h.Timeout),
+		Retries:     int32(h.Retries),
+		StartPeriod: gogotypes.DurationProto(h.StartPeriod),
+	}
+}
+
+// IsolationFromGRPC converts a swarm api container isolation to a moby isolation representation
+func IsolationFromGRPC(i swarmapi.ContainerSpec_Isolation) container.Isolation {
+	switch i {
+	case swarmapi.ContainerIsolationHyperV:
+		return container.IsolationHyperV
+	case swarmapi.ContainerIsolationProcess:
+		return container.IsolationProcess
+	case swarmapi.ContainerIsolationDefault:
+		return container.IsolationDefault
+	}
+	return container.IsolationEmpty
+}
+
+func isolationToGRPC(i container.Isolation) swarmapi.ContainerSpec_Isolation {
+	if i.IsHyperV() {
+		return swarmapi.ContainerIsolationHyperV
+	}
+	if i.IsProcess() {
+		return swarmapi.ContainerIsolationProcess
+	}
+	return swarmapi.ContainerIsolationDefault
+}
diff --git a/engine/daemon/cluster/convert/network.go b/engine/daemon/cluster/convert/network.go
new file mode 100644
index 00000000..34660fc4
--- /dev/null
+++ b/engine/daemon/cluster/convert/network.go
@@ -0,0 +1,240 @@
+package convert // import "github.com/docker/docker/daemon/cluster/convert"
+
+import (
+	"strings"
+
+	basictypes "github.com/docker/docker/api/types"
+	networktypes "github.com/docker/docker/api/types/network"
+	types "github.com/docker/docker/api/types/swarm"
+	netconst "github.com/docker/libnetwork/datastore"
+	swarmapi "github.com/docker/swarmkit/api"
+	gogotypes "github.com/gogo/protobuf/types"
+)
+
+func networkAttachmentFromGRPC(na *swarmapi.NetworkAttachment) types.NetworkAttachment {
+	if na != nil {
+		return types.NetworkAttachment{
+			Network:   networkFromGRPC(na.Network),
+			Addresses: na.Addresses,
+		}
+	}
+	return types.NetworkAttachment{}
+}
+
+func networkFromGRPC(n *swarmapi.Network) types.Network {
+	if n != nil {
+		network := types.Network{
+			ID: n.ID,
+			Spec: types.NetworkSpec{
+				IPv6Enabled: n.Spec.Ipv6Enabled,
+				Internal:    n.Spec.Internal,
+				Attachable:  n.Spec.Attachable,
+				Ingress:     IsIngressNetwork(n),
+				IPAMOptions: ipamFromGRPC(n.Spec.IPAM),
+				Scope:       netconst.SwarmScope,
+			},
+			IPAMOptions: ipamFromGRPC(n.IPAM),
+		}
+
+		if n.Spec.GetNetwork() != "" {
+			network.Spec.ConfigFrom = &networktypes.ConfigReference{
+				Network: n.Spec.GetNetwork(),
+			}
+		}
+
+		// Meta
+		network.Version.Index = n.Meta.Version.Index
+		network.CreatedAt, _ = gogotypes.TimestampFromProto(n.Meta.CreatedAt)
+		network.UpdatedAt, _ = gogotypes.TimestampFromProto(n.Meta.UpdatedAt)
+
+		//Annotations
+		network.Spec.Annotations = annotationsFromGRPC(n.Spec.Annotations)
+
+		//DriverConfiguration
+		if n.Spec.DriverConfig != nil {
+			network.Spec.DriverConfiguration = &types.Driver{
+				Name:    n.Spec.DriverConfig.Name,
+				Options: n.Spec.DriverConfig.Options,
+			}
+		}
+
+		//DriverState
+		if n.DriverState != nil {
+			network.DriverState = types.Driver{
+				Name:    n.DriverState.Name,
+				Options: n.DriverState.Options,
+			}
+		}
+
+		return network
+	}
+	return types.Network{}
+}
+
+func ipamFromGRPC(i *swarmapi.IPAMOptions) *types.IPAMOptions {
+	var ipam *types.IPAMOptions
+	if i != nil {
+		ipam = &types.IPAMOptions{}
+		if i.Driver != nil {
+			ipam.Driver.Name = i.Driver.Name
+			ipam.Driver.Options = i.Driver.Options
+		}
+
+		for _, config := range i.Configs {
+			ipam.Configs = append(ipam.Configs, types.IPAMConfig{
+				Subnet:  config.Subnet,
+				Range:   config.Range,
+				Gateway: config.Gateway,
+			})
+		}
+	}
+	return ipam
+}
+
+func endpointSpecFromGRPC(es *swarmapi.EndpointSpec) *types.EndpointSpec {
+	var endpointSpec *types.EndpointSpec
+	if es != nil {
+		endpointSpec = &types.EndpointSpec{}
+		endpointSpec.Mode = types.ResolutionMode(strings.ToLower(es.Mode.String()))
+
+		for _, portState := range es.Ports {
+			endpointSpec.Ports = append(endpointSpec.Ports, swarmPortConfigToAPIPortConfig(portState))
+		}
+	}
+	return endpointSpec
+}
+
+func endpointFromGRPC(e *swarmapi.Endpoint) types.Endpoint {
+	endpoint := types.Endpoint{}
+	if e != nil {
+		if espec := endpointSpecFromGRPC(e.Spec); espec != nil {
+			endpoint.Spec = *espec
+		}
+
+		for _, portState := range e.Ports {
+			endpoint.Ports = append(endpoint.Ports, swarmPortConfigToAPIPortConfig(portState))
+		}
+
+		for _, v := range e.VirtualIPs {
+			endpoint.VirtualIPs = append(endpoint.VirtualIPs, types.EndpointVirtualIP{
+				NetworkID: v.NetworkID,
+				Addr:      v.Addr})
+		}
+
+	}
+
+	return endpoint
+}
+
+func swarmPortConfigToAPIPortConfig(portConfig *swarmapi.PortConfig) types.PortConfig {
+	return types.PortConfig{
+		Name:          portConfig.Name,
+		Protocol:      types.PortConfigProtocol(strings.ToLower(swarmapi.PortConfig_Protocol_name[int32(portConfig.Protocol)])),
+		PublishMode:   types.PortConfigPublishMode(strings.ToLower(swarmapi.PortConfig_PublishMode_name[int32(portConfig.PublishMode)])),
+		TargetPort:    portConfig.TargetPort,
+		PublishedPort: portConfig.PublishedPort,
+	}
+}
+
+// BasicNetworkFromGRPC converts a grpc Network to a NetworkResource.
+func BasicNetworkFromGRPC(n swarmapi.Network) basictypes.NetworkResource {
+	spec := n.Spec
+	var ipam networktypes.IPAM
+	if n.IPAM != nil {
+		if n.IPAM.Driver != nil {
+			ipam.Driver = n.IPAM.Driver.Name
+			ipam.Options = n.IPAM.Driver.Options
+		}
+		ipam.Config = make([]networktypes.IPAMConfig, 0, len(n.IPAM.Configs))
+		for _, ic := range n.IPAM.Configs {
+			ipamConfig := networktypes.IPAMConfig{
+				Subnet:     ic.Subnet,
+				IPRange:    ic.Range,
+				Gateway:    ic.Gateway,
+				AuxAddress: ic.Reserved,
+			}
+			ipam.Config = append(ipam.Config, ipamConfig)
+		}
+	}
+
+	nr := basictypes.NetworkResource{
+		ID:         n.ID,
+		Name:       n.Spec.Annotations.Name,
+		Scope:      netconst.SwarmScope,
+		EnableIPv6: spec.Ipv6Enabled,
+		IPAM:       ipam,
+		Internal:   spec.Internal,
+		Attachable: spec.Attachable,
+		Ingress:    IsIngressNetwork(&n),
+		Labels:     n.Spec.Annotations.Labels,
+	}
+	nr.Created, _ = gogotypes.TimestampFromProto(n.Meta.CreatedAt)
+
+	if n.Spec.GetNetwork() != "" {
+		nr.ConfigFrom = networktypes.ConfigReference{
+			Network: n.Spec.GetNetwork(),
+		}
+	}
+
+	if n.DriverState != nil {
+		nr.Driver = n.DriverState.Name
+		nr.Options = n.DriverState.Options
+	}
+
+	return nr
+}
+
+// BasicNetworkCreateToGRPC converts a NetworkCreateRequest to a grpc NetworkSpec.
+func BasicNetworkCreateToGRPC(create basictypes.NetworkCreateRequest) swarmapi.NetworkSpec {
+	ns := swarmapi.NetworkSpec{
+		Annotations: swarmapi.Annotations{
+			Name:   create.Name,
+			Labels: create.Labels,
+		},
+		DriverConfig: &swarmapi.Driver{
+			Name:    create.Driver,
+			Options: create.Options,
+		},
+		Ipv6Enabled: create.EnableIPv6,
+		Internal:    create.Internal,
+		Attachable:  create.Attachable,
+		Ingress:     create.Ingress,
+	}
+	if create.IPAM != nil {
+		driver := create.IPAM.Driver
+		if driver == "" {
+			driver = "default"
+		}
+		ns.IPAM = &swarmapi.IPAMOptions{
+			Driver: &swarmapi.Driver{
+				Name:    driver,
+				Options: create.IPAM.Options,
+			},
+		}
+		ipamSpec := make([]*swarmapi.IPAMConfig, 0, len(create.IPAM.Config))
+		for _, ipamConfig := range create.IPAM.Config {
+			ipamSpec = append(ipamSpec, &swarmapi.IPAMConfig{
+				Subnet:  ipamConfig.Subnet,
+				Range:   ipamConfig.IPRange,
+				Gateway: ipamConfig.Gateway,
+			})
+		}
+		ns.IPAM.Configs = ipamSpec
+	}
+	if create.ConfigFrom != nil {
+		ns.ConfigFrom = &swarmapi.NetworkSpec_Network{
+			Network: create.ConfigFrom.Network,
+		}
+	}
+	return ns
+}
+
+// IsIngressNetwork check if the swarm network is an ingress network
+func IsIngressNetwork(n *swarmapi.Network) bool {
+	if n.Spec.Ingress {
+		return true
+	}
+	// Check if legacy defined ingress network
+	_, ok := n.Spec.Annotations.Labels["com.docker.swarm.internal"]
+	return ok && n.Spec.Annotations.Name == "ingress"
+}
diff --git a/engine/daemon/cluster/convert/network_test.go b/engine/daemon/cluster/convert/network_test.go
new file mode 100644
index 00000000..42f70696
--- /dev/null
+++ b/engine/daemon/cluster/convert/network_test.go
@@ -0,0 +1,34 @@
+package convert // import "github.com/docker/docker/daemon/cluster/convert"
+
+import (
+	"testing"
+	"time"
+
+	swarmapi "github.com/docker/swarmkit/api"
+	gogotypes "github.com/gogo/protobuf/types"
+)
+
+func TestNetworkConvertBasicNetworkFromGRPCCreatedAt(t *testing.T) {
+	expected, err := time.Parse("Jan 2, 2006 at 3:04pm (MST)", "Jan 10, 2018 at 7:54pm (PST)")
+	if err != nil {
+		t.Fatal(err)
+	}
+	createdAt, err := gogotypes.TimestampProto(expected)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	nw := swarmapi.Network{
+		Meta: swarmapi.Meta{
+			Version: swarmapi.Version{
+				Index: 1,
+			},
+			CreatedAt: createdAt,
+		},
+	}
+
+	n := BasicNetworkFromGRPC(nw)
+	if !n.Created.Equal(expected) {
+		t.Fatalf("expected time %s; received %s", expected, n.Created)
+	}
+}
diff --git a/engine/daemon/cluster/convert/node.go b/engine/daemon/cluster/convert/node.go
new file mode 100644
index 00000000..00636b6a
--- /dev/null
+++ b/engine/daemon/cluster/convert/node.go
@@ -0,0 +1,94 @@
+package convert // import "github.com/docker/docker/daemon/cluster/convert"
+
+import (
+	"fmt"
+	"strings"
+
+	types "github.com/docker/docker/api/types/swarm"
+	swarmapi "github.com/docker/swarmkit/api"
+	gogotypes "github.com/gogo/protobuf/types"
+)
+
+// NodeFromGRPC converts a grpc Node to a Node.
+func NodeFromGRPC(n swarmapi.Node) types.Node {
+	node := types.Node{
+		ID: n.ID,
+		Spec: types.NodeSpec{
+			Role:         types.NodeRole(strings.ToLower(n.Spec.DesiredRole.String())),
+			Availability: types.NodeAvailability(strings.ToLower(n.Spec.Availability.String())),
+		},
+		Status: types.NodeStatus{
+			State:   types.NodeState(strings.ToLower(n.Status.State.String())),
+			Message: n.Status.Message,
+			Addr:    n.Status.Addr,
+		},
+	}
+
+	// Meta
+	node.Version.Index = n.Meta.Version.Index
+	node.CreatedAt, _ = gogotypes.TimestampFromProto(n.Meta.CreatedAt)
+	node.UpdatedAt, _ = gogotypes.TimestampFromProto(n.Meta.UpdatedAt)
+
+	//Annotations
+	node.Spec.Annotations = annotationsFromGRPC(n.Spec.Annotations)
+
+	//Description
+	if n.Description != nil {
+		node.Description.Hostname = n.Description.Hostname
+		if n.Description.Platform != nil {
+			node.Description.Platform.Architecture = n.Description.Platform.Architecture
+			node.Description.Platform.OS = n.Description.Platform.OS
+		}
+		if n.Description.Resources != nil {
+			node.Description.Resources.NanoCPUs = n.Description.Resources.NanoCPUs
+			node.Description.Resources.MemoryBytes = n.Description.Resources.MemoryBytes
+			node.Description.Resources.GenericResources = GenericResourcesFromGRPC(n.Description.Resources.Generic)
+		}
+		if n.Description.Engine != nil {
+			node.Description.Engine.EngineVersion = n.Description.Engine.EngineVersion
+			node.Description.Engine.Labels = n.Description.Engine.Labels
+			for _, plugin := range n.Description.Engine.Plugins {
+				node.Description.Engine.Plugins = append(node.Description.Engine.Plugins, types.PluginDescription{Type: plugin.Type, Name: plugin.Name})
+			}
+		}
+		if n.Description.TLSInfo != nil {
+			node.Description.TLSInfo.TrustRoot = string(n.Description.TLSInfo.TrustRoot)
+			node.Description.TLSInfo.CertIssuerPublicKey = n.Description.TLSInfo.CertIssuerPublicKey
+			node.Description.TLSInfo.CertIssuerSubject = n.Description.TLSInfo.CertIssuerSubject
+		}
+	}
+
+	//Manager
+	if n.ManagerStatus != nil {
+		node.ManagerStatus = &types.ManagerStatus{
+			Leader:       n.ManagerStatus.Leader,
+			Reachability: types.Reachability(strings.ToLower(n.ManagerStatus.Reachability.String())),
+			Addr:         n.ManagerStatus.Addr,
+		}
+	}
+
+	return node
+}
+
+// NodeSpecToGRPC converts a NodeSpec to a grpc NodeSpec.
+func NodeSpecToGRPC(s types.NodeSpec) (swarmapi.NodeSpec, error) {
+	spec := swarmapi.NodeSpec{
+		Annotations: swarmapi.Annotations{
+			Name:   s.Name,
+			Labels: s.Labels,
+		},
+	}
+	if role, ok := swarmapi.NodeRole_value[strings.ToUpper(string(s.Role))]; ok {
+		spec.DesiredRole = swarmapi.NodeRole(role)
+	} else {
+		return swarmapi.NodeSpec{}, fmt.Errorf("invalid Role: %q", s.Role)
+	}
+
+	if availability, ok := swarmapi.NodeSpec_Availability_value[strings.ToUpper(string(s.Availability))]; ok {
+		spec.Availability = swarmapi.NodeSpec_Availability(availability)
+	} else {
+		return swarmapi.NodeSpec{}, fmt.Errorf("invalid Availability: %q", s.Availability)
+	}
+
+	return spec, nil
+}
diff --git a/engine/daemon/cluster/convert/secret.go b/engine/daemon/cluster/convert/secret.go
new file mode 100644
index 00000000..d0e5ac45
--- /dev/null
+++ b/engine/daemon/cluster/convert/secret.go
@@ -0,0 +1,80 @@
+package convert // import "github.com/docker/docker/daemon/cluster/convert"
+
+import (
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	types "github.com/docker/docker/api/types/swarm"
+	swarmapi "github.com/docker/swarmkit/api"
+	gogotypes "github.com/gogo/protobuf/types"
+)
+
+// SecretFromGRPC converts a grpc Secret to a Secret.
+func SecretFromGRPC(s *swarmapi.Secret) swarmtypes.Secret {
+	secret := swarmtypes.Secret{
+		ID: s.ID,
+		Spec: swarmtypes.SecretSpec{
+			Annotations: annotationsFromGRPC(s.Spec.Annotations),
+			Data:        s.Spec.Data,
+			Driver:      driverFromGRPC(s.Spec.Driver),
+		},
+	}
+
+	secret.Version.Index = s.Meta.Version.Index
+	// Meta
+	secret.CreatedAt, _ = gogotypes.TimestampFromProto(s.Meta.CreatedAt)
+	secret.UpdatedAt, _ = gogotypes.TimestampFromProto(s.Meta.UpdatedAt)
+
+	if s.Spec.Templating != nil {
+		secret.Spec.Templating = &types.Driver{
+			Name:    s.Spec.Templating.Name,
+			Options: s.Spec.Templating.Options,
+		}
+	}
+
+	return secret
+}
+
+// SecretSpecToGRPC converts Secret to a grpc Secret.
+func SecretSpecToGRPC(s swarmtypes.SecretSpec) swarmapi.SecretSpec {
+	spec := swarmapi.SecretSpec{
+		Annotations: swarmapi.Annotations{
+			Name:   s.Name,
+			Labels: s.Labels,
+		},
+		Data:   s.Data,
+		Driver: driverToGRPC(s.Driver),
+	}
+
+	if s.Templating != nil {
+		spec.Templating = &swarmapi.Driver{
+			Name:    s.Templating.Name,
+			Options: s.Templating.Options,
+		}
+	}
+
+	return spec
+}
+
+// SecretReferencesFromGRPC converts a slice of grpc SecretReference to SecretReference
+func SecretReferencesFromGRPC(s []*swarmapi.SecretReference) []*swarmtypes.SecretReference {
+	refs := []*swarmtypes.SecretReference{}
+
+	for _, r := range s {
+		ref := &swarmtypes.SecretReference{
+			SecretID:   r.SecretID,
+			SecretName: r.SecretName,
+		}
+
+		if t, ok := r.Target.(*swarmapi.SecretReference_File); ok {
+			ref.File = &swarmtypes.SecretReferenceFileTarget{
+				Name: t.File.Name,
+				UID:  t.File.UID,
+				GID:  t.File.GID,
+				Mode: t.File.Mode,
+			}
+		}
+
+		refs = append(refs, ref)
+	}
+
+	return refs
+}
diff --git a/engine/daemon/cluster/convert/service.go b/engine/daemon/cluster/convert/service.go
new file mode 100644
index 00000000..5a1609aa
--- /dev/null
+++ b/engine/daemon/cluster/convert/service.go
@@ -0,0 +1,639 @@
+package convert // import "github.com/docker/docker/daemon/cluster/convert"
+
+import (
+	"fmt"
+	"strings"
+
+	types "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/swarm/runtime"
+	"github.com/docker/docker/pkg/namesgenerator"
+	swarmapi "github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/api/genericresource"
+	"github.com/gogo/protobuf/proto"
+	gogotypes "github.com/gogo/protobuf/types"
+	"github.com/pkg/errors"
+)
+
+var (
+	// ErrUnsupportedRuntime returns an error if the runtime is not supported by the daemon
+	ErrUnsupportedRuntime = errors.New("unsupported runtime")
+	// ErrMismatchedRuntime returns an error if the runtime does not match the provided spec
+	ErrMismatchedRuntime = errors.New("mismatched Runtime and *Spec fields")
+)
+
+// ServiceFromGRPC converts a grpc Service to a Service.
+func ServiceFromGRPC(s swarmapi.Service) (types.Service, error) {
+	curSpec, err := serviceSpecFromGRPC(&s.Spec)
+	if err != nil {
+		return types.Service{}, err
+	}
+	prevSpec, err := serviceSpecFromGRPC(s.PreviousSpec)
+	if err != nil {
+		return types.Service{}, err
+	}
+	service := types.Service{
+		ID:           s.ID,
+		Spec:         *curSpec,
+		PreviousSpec: prevSpec,
+
+		Endpoint: endpointFromGRPC(s.Endpoint),
+	}
+
+	// Meta
+	service.Version.Index = s.Meta.Version.Index
+	service.CreatedAt, _ = gogotypes.TimestampFromProto(s.Meta.CreatedAt)
+	service.UpdatedAt, _ = gogotypes.TimestampFromProto(s.Meta.UpdatedAt)
+
+	// UpdateStatus
+	if s.UpdateStatus != nil {
+		service.UpdateStatus = &types.UpdateStatus{}
+		switch s.UpdateStatus.State {
+		case swarmapi.UpdateStatus_UPDATING:
+			service.UpdateStatus.State = types.UpdateStateUpdating
+		case swarmapi.UpdateStatus_PAUSED:
+			service.UpdateStatus.State = types.UpdateStatePaused
+		case swarmapi.UpdateStatus_COMPLETED:
+			service.UpdateStatus.State = types.UpdateStateCompleted
+		case swarmapi.UpdateStatus_ROLLBACK_STARTED:
+			service.UpdateStatus.State = types.UpdateStateRollbackStarted
+		case swarmapi.UpdateStatus_ROLLBACK_PAUSED:
+			service.UpdateStatus.State = types.UpdateStateRollbackPaused
+		case swarmapi.UpdateStatus_ROLLBACK_COMPLETED:
+			service.UpdateStatus.State = types.UpdateStateRollbackCompleted
+		}
+
+		startedAt, _ := gogotypes.TimestampFromProto(s.UpdateStatus.StartedAt)
+		if !startedAt.IsZero() && startedAt.Unix() != 0 {
+			service.UpdateStatus.StartedAt = &startedAt
+		}
+
+		completedAt, _ := gogotypes.TimestampFromProto(s.UpdateStatus.CompletedAt)
+		if !completedAt.IsZero() && completedAt.Unix() != 0 {
+			service.UpdateStatus.CompletedAt = &completedAt
+		}
+
+		service.UpdateStatus.Message = s.UpdateStatus.Message
+	}
+
+	return service, nil
+}
+
+func serviceSpecFromGRPC(spec *swarmapi.ServiceSpec) (*types.ServiceSpec, error) {
+	if spec == nil {
+		return nil, nil
+	}
+
+	serviceNetworks := make([]types.NetworkAttachmentConfig, 0, len(spec.Networks))
+	for _, n := range spec.Networks {
+		netConfig := types.NetworkAttachmentConfig{Target: n.Target, Aliases: n.Aliases, DriverOpts: n.DriverAttachmentOpts}
+		serviceNetworks = append(serviceNetworks, netConfig)
+
+	}
+
+	taskTemplate, err := taskSpecFromGRPC(spec.Task)
+	if err != nil {
+		return nil, err
+	}
+
+	switch t := spec.Task.GetRuntime().(type) {
+	case *swarmapi.TaskSpec_Container:
+		containerConfig := t.Container
+		taskTemplate.ContainerSpec = containerSpecFromGRPC(containerConfig)
+		taskTemplate.Runtime = types.RuntimeContainer
+	case *swarmapi.TaskSpec_Generic:
+		switch t.Generic.Kind {
+		case string(types.RuntimePlugin):
+			taskTemplate.Runtime = types.RuntimePlugin
+		default:
+			return nil, fmt.Errorf("unknown task runtime type: %s", t.Generic.Payload.TypeUrl)
+		}
+
+	default:
+		return nil, fmt.Errorf("error creating service; unsupported runtime %T", t)
+	}
+
+	convertedSpec := &types.ServiceSpec{
+		Annotations:  annotationsFromGRPC(spec.Annotations),
+		TaskTemplate: taskTemplate,
+		Networks:     serviceNetworks,
+		EndpointSpec: endpointSpecFromGRPC(spec.Endpoint),
+	}
+
+	// UpdateConfig
+	convertedSpec.UpdateConfig = updateConfigFromGRPC(spec.Update)
+	convertedSpec.RollbackConfig = updateConfigFromGRPC(spec.Rollback)
+
+	// Mode
+	switch t := spec.GetMode().(type) {
+	case *swarmapi.ServiceSpec_Global:
+		convertedSpec.Mode.Global = &types.GlobalService{}
+	case *swarmapi.ServiceSpec_Replicated:
+		convertedSpec.Mode.Replicated = &types.ReplicatedService{
+			Replicas: &t.Replicated.Replicas,
+		}
+	}
+
+	return convertedSpec, nil
+}
+
+// ServiceSpecToGRPC converts a ServiceSpec to a grpc ServiceSpec.
+func ServiceSpecToGRPC(s types.ServiceSpec) (swarmapi.ServiceSpec, error) {
+	name := s.Name
+	if name == "" {
+		name = namesgenerator.GetRandomName(0)
+	}
+
+	serviceNetworks := make([]*swarmapi.NetworkAttachmentConfig, 0, len(s.Networks))
+	for _, n := range s.Networks {
+		netConfig := &swarmapi.NetworkAttachmentConfig{Target: n.Target, Aliases: n.Aliases, DriverAttachmentOpts: n.DriverOpts}
+		serviceNetworks = append(serviceNetworks, netConfig)
+	}
+
+	taskNetworks := make([]*swarmapi.NetworkAttachmentConfig, 0, len(s.TaskTemplate.Networks))
+	for _, n := range s.TaskTemplate.Networks {
+		netConfig := &swarmapi.NetworkAttachmentConfig{Target: n.Target, Aliases: n.Aliases, DriverAttachmentOpts: n.DriverOpts}
+		taskNetworks = append(taskNetworks, netConfig)
+
+	}
+
+	spec := swarmapi.ServiceSpec{
+		Annotations: swarmapi.Annotations{
+			Name:   name,
+			Labels: s.Labels,
+		},
+		Task: swarmapi.TaskSpec{
+			Resources:   resourcesToGRPC(s.TaskTemplate.Resources),
+			LogDriver:   driverToGRPC(s.TaskTemplate.LogDriver),
+			Networks:    taskNetworks,
+			ForceUpdate: s.TaskTemplate.ForceUpdate,
+		},
+		Networks: serviceNetworks,
+	}
+
+	switch s.TaskTemplate.Runtime {
+	case types.RuntimeContainer, "": // if empty runtime default to container
+		if s.TaskTemplate.ContainerSpec != nil {
+			containerSpec, err := containerToGRPC(s.TaskTemplate.ContainerSpec)
+			if err != nil {
+				return swarmapi.ServiceSpec{}, err
+			}
+			spec.Task.Runtime = &swarmapi.TaskSpec_Container{Container: containerSpec}
+		} else {
+			// If the ContainerSpec is nil, we can't set the task runtime
+			return swarmapi.ServiceSpec{}, ErrMismatchedRuntime
+		}
+	case types.RuntimePlugin:
+		if s.TaskTemplate.PluginSpec != nil {
+			if s.Mode.Replicated != nil {
+				return swarmapi.ServiceSpec{}, errors.New("plugins must not use replicated mode")
+			}
+
+			s.Mode.Global = &types.GlobalService{} // must always be global
+
+			pluginSpec, err := proto.Marshal(s.TaskTemplate.PluginSpec)
+			if err != nil {
+				return swarmapi.ServiceSpec{}, err
+			}
+			spec.Task.Runtime = &swarmapi.TaskSpec_Generic{
+				Generic: &swarmapi.GenericRuntimeSpec{
+					Kind: string(types.RuntimePlugin),
+					Payload: &gogotypes.Any{
+						TypeUrl: string(types.RuntimeURLPlugin),
+						Value:   pluginSpec,
+					},
+				},
+			}
+		} else {
+			return swarmapi.ServiceSpec{}, ErrMismatchedRuntime
+		}
+	case types.RuntimeNetworkAttachment:
+		// NOTE(dperny) I'm leaving this case here for completeness. The actual
+		// code is left out out deliberately, as we should refuse to parse a
+		// Network Attachment runtime; it will cause weird behavior all over
+		// the system if we do. Instead, fallthrough and return
+		// ErrUnsupportedRuntime if we get one.
+		fallthrough
+	default:
+		return swarmapi.ServiceSpec{}, ErrUnsupportedRuntime
+	}
+
+	restartPolicy, err := restartPolicyToGRPC(s.TaskTemplate.RestartPolicy)
+	if err != nil {
+		return swarmapi.ServiceSpec{}, err
+	}
+	spec.Task.Restart = restartPolicy
+
+	if s.TaskTemplate.Placement != nil {
+		var preferences []*swarmapi.PlacementPreference
+		for _, pref := range s.TaskTemplate.Placement.Preferences {
+			if pref.Spread != nil {
+				preferences = append(preferences, &swarmapi.PlacementPreference{
+					Preference: &swarmapi.PlacementPreference_Spread{
+						Spread: &swarmapi.SpreadOver{
+							SpreadDescriptor: pref.Spread.SpreadDescriptor,
+						},
+					},
+				})
+			}
+		}
+		var platforms []*swarmapi.Platform
+		for _, plat := range s.TaskTemplate.Placement.Platforms {
+			platforms = append(platforms, &swarmapi.Platform{
+				Architecture: plat.Architecture,
+				OS:           plat.OS,
+			})
+		}
+		spec.Task.Placement = &swarmapi.Placement{
+			Constraints: s.TaskTemplate.Placement.Constraints,
+			Preferences: preferences,
+			Platforms:   platforms,
+		}
+	}
+
+	spec.Update, err = updateConfigToGRPC(s.UpdateConfig)
+	if err != nil {
+		return swarmapi.ServiceSpec{}, err
+	}
+	spec.Rollback, err = updateConfigToGRPC(s.RollbackConfig)
+	if err != nil {
+		return swarmapi.ServiceSpec{}, err
+	}
+
+	if s.EndpointSpec != nil {
+		if s.EndpointSpec.Mode != "" &&
+			s.EndpointSpec.Mode != types.ResolutionModeVIP &&
+			s.EndpointSpec.Mode != types.ResolutionModeDNSRR {
+			return swarmapi.ServiceSpec{}, fmt.Errorf("invalid resolution mode: %q", s.EndpointSpec.Mode)
+		}
+
+		spec.Endpoint = &swarmapi.EndpointSpec{}
+
+		spec.Endpoint.Mode = swarmapi.EndpointSpec_ResolutionMode(swarmapi.EndpointSpec_ResolutionMode_value[strings.ToUpper(string(s.EndpointSpec.Mode))])
+
+		for _, portConfig := range s.EndpointSpec.Ports {
+			spec.Endpoint.Ports = append(spec.Endpoint.Ports, &swarmapi.PortConfig{
+				Name:          portConfig.Name,
+				Protocol:      swarmapi.PortConfig_Protocol(swarmapi.PortConfig_Protocol_value[strings.ToUpper(string(portConfig.Protocol))]),
+				PublishMode:   swarmapi.PortConfig_PublishMode(swarmapi.PortConfig_PublishMode_value[strings.ToUpper(string(portConfig.PublishMode))]),
+				TargetPort:    portConfig.TargetPort,
+				PublishedPort: portConfig.PublishedPort,
+			})
+		}
+	}
+
+	// Mode
+	if s.Mode.Global != nil && s.Mode.Replicated != nil {
+		return swarmapi.ServiceSpec{}, fmt.Errorf("cannot specify both replicated mode and global mode")
+	}
+
+	if s.Mode.Global != nil {
+		spec.Mode = &swarmapi.ServiceSpec_Global{
+			Global: &swarmapi.GlobalService{},
+		}
+	} else if s.Mode.Replicated != nil && s.Mode.Replicated.Replicas != nil {
+		spec.Mode = &swarmapi.ServiceSpec_Replicated{
+			Replicated: &swarmapi.ReplicatedService{Replicas: *s.Mode.Replicated.Replicas},
+		}
+	} else {
+		spec.Mode = &swarmapi.ServiceSpec_Replicated{
+			Replicated: &swarmapi.ReplicatedService{Replicas: 1},
+		}
+	}
+
+	return spec, nil
+}
+
+func annotationsFromGRPC(ann swarmapi.Annotations) types.Annotations {
+	a := types.Annotations{
+		Name:   ann.Name,
+		Labels: ann.Labels,
+	}
+
+	if a.Labels == nil {
+		a.Labels = make(map[string]string)
+	}
+
+	return a
+}
+
+// GenericResourcesFromGRPC converts a GRPC GenericResource to a GenericResource
+func GenericResourcesFromGRPC(genericRes []*swarmapi.GenericResource) []types.GenericResource {
+	var generic []types.GenericResource
+	for _, res := range genericRes {
+		var current types.GenericResource
+
+		switch r := res.Resource.(type) {
+		case *swarmapi.GenericResource_DiscreteResourceSpec:
+			current.DiscreteResourceSpec = &types.DiscreteGenericResource{
+				Kind:  r.DiscreteResourceSpec.Kind,
+				Value: r.DiscreteResourceSpec.Value,
+			}
+		case *swarmapi.GenericResource_NamedResourceSpec:
+			current.NamedResourceSpec = &types.NamedGenericResource{
+				Kind:  r.NamedResourceSpec.Kind,
+				Value: r.NamedResourceSpec.Value,
+			}
+		}
+
+		generic = append(generic, current)
+	}
+
+	return generic
+}
+
+func resourcesFromGRPC(res *swarmapi.ResourceRequirements) *types.ResourceRequirements {
+	var resources *types.ResourceRequirements
+	if res != nil {
+		resources = &types.ResourceRequirements{}
+		if res.Limits != nil {
+			resources.Limits = &types.Resources{
+				NanoCPUs:    res.Limits.NanoCPUs,
+				MemoryBytes: res.Limits.MemoryBytes,
+			}
+		}
+		if res.Reservations != nil {
+			resources.Reservations = &types.Resources{
+				NanoCPUs:         res.Reservations.NanoCPUs,
+				MemoryBytes:      res.Reservations.MemoryBytes,
+				GenericResources: GenericResourcesFromGRPC(res.Reservations.Generic),
+			}
+		}
+	}
+
+	return resources
+}
+
+// GenericResourcesToGRPC converts a GenericResource to a GRPC GenericResource
+func GenericResourcesToGRPC(genericRes []types.GenericResource) []*swarmapi.GenericResource {
+	var generic []*swarmapi.GenericResource
+	for _, res := range genericRes {
+		var r *swarmapi.GenericResource
+
+		if res.DiscreteResourceSpec != nil {
+			r = genericresource.NewDiscrete(res.DiscreteResourceSpec.Kind, res.DiscreteResourceSpec.Value)
+		} else if res.NamedResourceSpec != nil {
+			r = genericresource.NewString(res.NamedResourceSpec.Kind, res.NamedResourceSpec.Value)
+		}
+
+		generic = append(generic, r)
+	}
+
+	return generic
+}
+
+func resourcesToGRPC(res *types.ResourceRequirements) *swarmapi.ResourceRequirements {
+	var reqs *swarmapi.ResourceRequirements
+	if res != nil {
+		reqs = &swarmapi.ResourceRequirements{}
+		if res.Limits != nil {
+			reqs.Limits = &swarmapi.Resources{
+				NanoCPUs:    res.Limits.NanoCPUs,
+				MemoryBytes: res.Limits.MemoryBytes,
+			}
+		}
+		if res.Reservations != nil {
+			reqs.Reservations = &swarmapi.Resources{
+				NanoCPUs:    res.Reservations.NanoCPUs,
+				MemoryBytes: res.Reservations.MemoryBytes,
+				Generic:     GenericResourcesToGRPC(res.Reservations.GenericResources),
+			}
+
+		}
+	}
+	return reqs
+}
+
+func restartPolicyFromGRPC(p *swarmapi.RestartPolicy) *types.RestartPolicy {
+	var rp *types.RestartPolicy
+	if p != nil {
+		rp = &types.RestartPolicy{}
+
+		switch p.Condition {
+		case swarmapi.RestartOnNone:
+			rp.Condition = types.RestartPolicyConditionNone
+		case swarmapi.RestartOnFailure:
+			rp.Condition = types.RestartPolicyConditionOnFailure
+		case swarmapi.RestartOnAny:
+			rp.Condition = types.RestartPolicyConditionAny
+		default:
+			rp.Condition = types.RestartPolicyConditionAny
+		}
+
+		if p.Delay != nil {
+			delay, _ := gogotypes.DurationFromProto(p.Delay)
+			rp.Delay = &delay
+		}
+		if p.Window != nil {
+			window, _ := gogotypes.DurationFromProto(p.Window)
+			rp.Window = &window
+		}
+
+		rp.MaxAttempts = &p.MaxAttempts
+	}
+	return rp
+}
+
+func restartPolicyToGRPC(p *types.RestartPolicy) (*swarmapi.RestartPolicy, error) {
+	var rp *swarmapi.RestartPolicy
+	if p != nil {
+		rp = &swarmapi.RestartPolicy{}
+
+		switch p.Condition {
+		case types.RestartPolicyConditionNone:
+			rp.Condition = swarmapi.RestartOnNone
+		case types.RestartPolicyConditionOnFailure:
+			rp.Condition = swarmapi.RestartOnFailure
+		case types.RestartPolicyConditionAny:
+			rp.Condition = swarmapi.RestartOnAny
+		default:
+			if string(p.Condition) != "" {
+				return nil, fmt.Errorf("invalid RestartCondition: %q", p.Condition)
+			}
+			rp.Condition = swarmapi.RestartOnAny
+		}
+
+		if p.Delay != nil {
+			rp.Delay = gogotypes.DurationProto(*p.Delay)
+		}
+		if p.Window != nil {
+			rp.Window = gogotypes.DurationProto(*p.Window)
+		}
+		if p.MaxAttempts != nil {
+			rp.MaxAttempts = *p.MaxAttempts
+
+		}
+	}
+	return rp, nil
+}
+
+func placementFromGRPC(p *swarmapi.Placement) *types.Placement {
+	if p == nil {
+		return nil
+	}
+	r := &types.Placement{
+		Constraints: p.Constraints,
+	}
+
+	for _, pref := range p.Preferences {
+		if spread := pref.GetSpread(); spread != nil {
+			r.Preferences = append(r.Preferences, types.PlacementPreference{
+				Spread: &types.SpreadOver{
+					SpreadDescriptor: spread.SpreadDescriptor,
+				},
+			})
+		}
+	}
+
+	for _, plat := range p.Platforms {
+		r.Platforms = append(r.Platforms, types.Platform{
+			Architecture: plat.Architecture,
+			OS:           plat.OS,
+		})
+	}
+
+	return r
+}
+
+func driverFromGRPC(p *swarmapi.Driver) *types.Driver {
+	if p == nil {
+		return nil
+	}
+
+	return &types.Driver{
+		Name:    p.Name,
+		Options: p.Options,
+	}
+}
+
+func driverToGRPC(p *types.Driver) *swarmapi.Driver {
+	if p == nil {
+		return nil
+	}
+
+	return &swarmapi.Driver{
+		Name:    p.Name,
+		Options: p.Options,
+	}
+}
+
+func updateConfigFromGRPC(updateConfig *swarmapi.UpdateConfig) *types.UpdateConfig {
+	if updateConfig == nil {
+		return nil
+	}
+
+	converted := &types.UpdateConfig{
+		Parallelism:     updateConfig.Parallelism,
+		MaxFailureRatio: updateConfig.MaxFailureRatio,
+	}
+
+	converted.Delay = updateConfig.Delay
+	if updateConfig.Monitor != nil {
+		converted.Monitor, _ = gogotypes.DurationFromProto(updateConfig.Monitor)
+	}
+
+	switch updateConfig.FailureAction {
+	case swarmapi.UpdateConfig_PAUSE:
+		converted.FailureAction = types.UpdateFailureActionPause
+	case swarmapi.UpdateConfig_CONTINUE:
+		converted.FailureAction = types.UpdateFailureActionContinue
+	case swarmapi.UpdateConfig_ROLLBACK:
+		converted.FailureAction = types.UpdateFailureActionRollback
+	}
+
+	switch updateConfig.Order {
+	case swarmapi.UpdateConfig_STOP_FIRST:
+		converted.Order = types.UpdateOrderStopFirst
+	case swarmapi.UpdateConfig_START_FIRST:
+		converted.Order = types.UpdateOrderStartFirst
+	}
+
+	return converted
+}
+
+func updateConfigToGRPC(updateConfig *types.UpdateConfig) (*swarmapi.UpdateConfig, error) {
+	if updateConfig == nil {
+		return nil, nil
+	}
+
+	converted := &swarmapi.UpdateConfig{
+		Parallelism:     updateConfig.Parallelism,
+		Delay:           updateConfig.Delay,
+		MaxFailureRatio: updateConfig.MaxFailureRatio,
+	}
+
+	switch updateConfig.FailureAction {
+	case types.UpdateFailureActionPause, "":
+		converted.FailureAction = swarmapi.UpdateConfig_PAUSE
+	case types.UpdateFailureActionContinue:
+		converted.FailureAction = swarmapi.UpdateConfig_CONTINUE
+	case types.UpdateFailureActionRollback:
+		converted.FailureAction = swarmapi.UpdateConfig_ROLLBACK
+	default:
+		return nil, fmt.Errorf("unrecognized update failure action %s", updateConfig.FailureAction)
+	}
+	if updateConfig.Monitor != 0 {
+		converted.Monitor = gogotypes.DurationProto(updateConfig.Monitor)
+	}
+
+	switch updateConfig.Order {
+	case types.UpdateOrderStopFirst, "":
+		converted.Order = swarmapi.UpdateConfig_STOP_FIRST
+	case types.UpdateOrderStartFirst:
+		converted.Order = swarmapi.UpdateConfig_START_FIRST
+	default:
+		return nil, fmt.Errorf("unrecognized update order %s", updateConfig.Order)
+	}
+
+	return converted, nil
+}
+
+func networkAttachmentSpecFromGRPC(attachment swarmapi.NetworkAttachmentSpec) *types.NetworkAttachmentSpec {
+	return &types.NetworkAttachmentSpec{
+		ContainerID: attachment.ContainerID,
+	}
+}
+
+func taskSpecFromGRPC(taskSpec swarmapi.TaskSpec) (types.TaskSpec, error) {
+	taskNetworks := make([]types.NetworkAttachmentConfig, 0, len(taskSpec.Networks))
+	for _, n := range taskSpec.Networks {
+		netConfig := types.NetworkAttachmentConfig{Target: n.Target, Aliases: n.Aliases, DriverOpts: n.DriverAttachmentOpts}
+		taskNetworks = append(taskNetworks, netConfig)
+	}
+
+	t := types.TaskSpec{
+		Resources:     resourcesFromGRPC(taskSpec.Resources),
+		RestartPolicy: restartPolicyFromGRPC(taskSpec.Restart),
+		Placement:     placementFromGRPC(taskSpec.Placement),
+		LogDriver:     driverFromGRPC(taskSpec.LogDriver),
+		Networks:      taskNetworks,
+		ForceUpdate:   taskSpec.ForceUpdate,
+	}
+
+	switch taskSpec.GetRuntime().(type) {
+	case *swarmapi.TaskSpec_Container, nil:
+		c := taskSpec.GetContainer()
+		if c != nil {
+			t.ContainerSpec = containerSpecFromGRPC(c)
+		}
+	case *swarmapi.TaskSpec_Generic:
+		g := taskSpec.GetGeneric()
+		if g != nil {
+			switch g.Kind {
+			case string(types.RuntimePlugin):
+				var p runtime.PluginSpec
+				if err := proto.Unmarshal(g.Payload.Value, &p); err != nil {
+					return t, errors.Wrap(err, "error unmarshalling plugin spec")
+				}
+				t.PluginSpec = &p
+			}
+		}
+	case *swarmapi.TaskSpec_Attachment:
+		a := taskSpec.GetAttachment()
+		if a != nil {
+			t.NetworkAttachmentSpec = networkAttachmentSpecFromGRPC(*a)
+		}
+		t.Runtime = types.RuntimeNetworkAttachment
+	}
+
+	return t, nil
+}
diff --git a/engine/daemon/cluster/convert/service_test.go b/engine/daemon/cluster/convert/service_test.go
new file mode 100644
index 00000000..ad5f0d44
--- /dev/null
+++ b/engine/daemon/cluster/convert/service_test.go
@@ -0,0 +1,308 @@
+package convert // import "github.com/docker/docker/daemon/cluster/convert"
+
+import (
+	"testing"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/swarm/runtime"
+	swarmapi "github.com/docker/swarmkit/api"
+	google_protobuf3 "github.com/gogo/protobuf/types"
+	"gotest.tools/assert"
+)
+
+func TestServiceConvertFromGRPCRuntimeContainer(t *testing.T) {
+	gs := swarmapi.Service{
+		Meta: swarmapi.Meta{
+			Version: swarmapi.Version{
+				Index: 1,
+			},
+			CreatedAt: nil,
+			UpdatedAt: nil,
+		},
+		SpecVersion: &swarmapi.Version{
+			Index: 1,
+		},
+		Spec: swarmapi.ServiceSpec{
+			Task: swarmapi.TaskSpec{
+				Runtime: &swarmapi.TaskSpec_Container{
+					Container: &swarmapi.ContainerSpec{
+						Image: "alpine:latest",
+					},
+				},
+			},
+		},
+	}
+
+	svc, err := ServiceFromGRPC(gs)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if svc.Spec.TaskTemplate.Runtime != swarmtypes.RuntimeContainer {
+		t.Fatalf("expected type %s; received %T", swarmtypes.RuntimeContainer, svc.Spec.TaskTemplate.Runtime)
+	}
+}
+
+func TestServiceConvertFromGRPCGenericRuntimePlugin(t *testing.T) {
+	kind := string(swarmtypes.RuntimePlugin)
+	url := swarmtypes.RuntimeURLPlugin
+	gs := swarmapi.Service{
+		Meta: swarmapi.Meta{
+			Version: swarmapi.Version{
+				Index: 1,
+			},
+			CreatedAt: nil,
+			UpdatedAt: nil,
+		},
+		SpecVersion: &swarmapi.Version{
+			Index: 1,
+		},
+		Spec: swarmapi.ServiceSpec{
+			Task: swarmapi.TaskSpec{
+				Runtime: &swarmapi.TaskSpec_Generic{
+					Generic: &swarmapi.GenericRuntimeSpec{
+						Kind: kind,
+						Payload: &google_protobuf3.Any{
+							TypeUrl: string(url),
+						},
+					},
+				},
+			},
+		},
+	}
+
+	svc, err := ServiceFromGRPC(gs)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if svc.Spec.TaskTemplate.Runtime != swarmtypes.RuntimePlugin {
+		t.Fatalf("expected type %s; received %T", swarmtypes.RuntimePlugin, svc.Spec.TaskTemplate.Runtime)
+	}
+}
+
+func TestServiceConvertToGRPCGenericRuntimePlugin(t *testing.T) {
+	s := swarmtypes.ServiceSpec{
+		TaskTemplate: swarmtypes.TaskSpec{
+			Runtime:    swarmtypes.RuntimePlugin,
+			PluginSpec: &runtime.PluginSpec{},
+		},
+		Mode: swarmtypes.ServiceMode{
+			Global: &swarmtypes.GlobalService{},
+		},
+	}
+
+	svc, err := ServiceSpecToGRPC(s)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	v, ok := svc.Task.Runtime.(*swarmapi.TaskSpec_Generic)
+	if !ok {
+		t.Fatal("expected type swarmapi.TaskSpec_Generic")
+	}
+
+	if v.Generic.Payload.TypeUrl != string(swarmtypes.RuntimeURLPlugin) {
+		t.Fatalf("expected url %s; received %s", swarmtypes.RuntimeURLPlugin, v.Generic.Payload.TypeUrl)
+	}
+}
+
+func TestServiceConvertToGRPCContainerRuntime(t *testing.T) {
+	image := "alpine:latest"
+	s := swarmtypes.ServiceSpec{
+		TaskTemplate: swarmtypes.TaskSpec{
+			ContainerSpec: &swarmtypes.ContainerSpec{
+				Image: image,
+			},
+		},
+		Mode: swarmtypes.ServiceMode{
+			Global: &swarmtypes.GlobalService{},
+		},
+	}
+
+	svc, err := ServiceSpecToGRPC(s)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	v, ok := svc.Task.Runtime.(*swarmapi.TaskSpec_Container)
+	if !ok {
+		t.Fatal("expected type swarmapi.TaskSpec_Container")
+	}
+
+	if v.Container.Image != image {
+		t.Fatalf("expected image %s; received %s", image, v.Container.Image)
+	}
+}
+
+func TestServiceConvertToGRPCGenericRuntimeCustom(t *testing.T) {
+	s := swarmtypes.ServiceSpec{
+		TaskTemplate: swarmtypes.TaskSpec{
+			Runtime: "customruntime",
+		},
+		Mode: swarmtypes.ServiceMode{
+			Global: &swarmtypes.GlobalService{},
+		},
+	}
+
+	if _, err := ServiceSpecToGRPC(s); err != ErrUnsupportedRuntime {
+		t.Fatal(err)
+	}
+}
+
+func TestServiceConvertToGRPCIsolation(t *testing.T) {
+	cases := []struct {
+		name string
+		from containertypes.Isolation
+		to   swarmapi.ContainerSpec_Isolation
+	}{
+		{name: "empty", from: containertypes.IsolationEmpty, to: swarmapi.ContainerIsolationDefault},
+		{name: "default", from: containertypes.IsolationDefault, to: swarmapi.ContainerIsolationDefault},
+		{name: "process", from: containertypes.IsolationProcess, to: swarmapi.ContainerIsolationProcess},
+		{name: "hyperv", from: containertypes.IsolationHyperV, to: swarmapi.ContainerIsolationHyperV},
+		{name: "proCess", from: containertypes.Isolation("proCess"), to: swarmapi.ContainerIsolationProcess},
+		{name: "hypErv", from: containertypes.Isolation("hypErv"), to: swarmapi.ContainerIsolationHyperV},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			s := swarmtypes.ServiceSpec{
+				TaskTemplate: swarmtypes.TaskSpec{
+					ContainerSpec: &swarmtypes.ContainerSpec{
+						Image:     "alpine:latest",
+						Isolation: c.from,
+					},
+				},
+				Mode: swarmtypes.ServiceMode{
+					Global: &swarmtypes.GlobalService{},
+				},
+			}
+			res, err := ServiceSpecToGRPC(s)
+			assert.NilError(t, err)
+			v, ok := res.Task.Runtime.(*swarmapi.TaskSpec_Container)
+			if !ok {
+				t.Fatal("expected type swarmapi.TaskSpec_Container")
+			}
+			assert.Equal(t, c.to, v.Container.Isolation)
+		})
+	}
+}
+
+func TestServiceConvertFromGRPCIsolation(t *testing.T) {
+	cases := []struct {
+		name string
+		from swarmapi.ContainerSpec_Isolation
+		to   containertypes.Isolation
+	}{
+		{name: "default", to: containertypes.IsolationDefault, from: swarmapi.ContainerIsolationDefault},
+		{name: "process", to: containertypes.IsolationProcess, from: swarmapi.ContainerIsolationProcess},
+		{name: "hyperv", to: containertypes.IsolationHyperV, from: swarmapi.ContainerIsolationHyperV},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			gs := swarmapi.Service{
+				Meta: swarmapi.Meta{
+					Version: swarmapi.Version{
+						Index: 1,
+					},
+					CreatedAt: nil,
+					UpdatedAt: nil,
+				},
+				SpecVersion: &swarmapi.Version{
+					Index: 1,
+				},
+				Spec: swarmapi.ServiceSpec{
+					Task: swarmapi.TaskSpec{
+						Runtime: &swarmapi.TaskSpec_Container{
+							Container: &swarmapi.ContainerSpec{
+								Image:     "alpine:latest",
+								Isolation: c.from,
+							},
+						},
+					},
+				},
+			}
+
+			svc, err := ServiceFromGRPC(gs)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			assert.Equal(t, c.to, svc.Spec.TaskTemplate.ContainerSpec.Isolation)
+		})
+	}
+}
+
+func TestServiceConvertToGRPCNetworkAtachmentRuntime(t *testing.T) {
+	someid := "asfjkl"
+	s := swarmtypes.ServiceSpec{
+		TaskTemplate: swarmtypes.TaskSpec{
+			Runtime: swarmtypes.RuntimeNetworkAttachment,
+			NetworkAttachmentSpec: &swarmtypes.NetworkAttachmentSpec{
+				ContainerID: someid,
+			},
+		},
+	}
+
+	// discard the service, which will be empty
+	_, err := ServiceSpecToGRPC(s)
+	if err == nil {
+		t.Fatalf("expected error %v but got no error", ErrUnsupportedRuntime)
+	}
+	if err != ErrUnsupportedRuntime {
+		t.Fatalf("expected error %v but got error %v", ErrUnsupportedRuntime, err)
+	}
+}
+
+func TestServiceConvertToGRPCMismatchedRuntime(t *testing.T) {
+	// NOTE(dperny): an earlier version of this test was for code that also
+	// converted network attachment tasks to GRPC. that conversion code was
+	// removed, so if this loop body seems a bit complicated, that's why.
+	for i, rt := range []swarmtypes.RuntimeType{
+		swarmtypes.RuntimeContainer,
+		swarmtypes.RuntimePlugin,
+	} {
+		for j, spec := range []swarmtypes.TaskSpec{
+			{ContainerSpec: &swarmtypes.ContainerSpec{}},
+			{PluginSpec: &runtime.PluginSpec{}},
+		} {
+			// skip the cases, where the indices match, which would not error
+			if i == j {
+				continue
+			}
+			// set the task spec, then change the runtime
+			s := swarmtypes.ServiceSpec{
+				TaskTemplate: spec,
+			}
+			s.TaskTemplate.Runtime = rt
+
+			if _, err := ServiceSpecToGRPC(s); err != ErrMismatchedRuntime {
+				t.Fatalf("expected %v got %v", ErrMismatchedRuntime, err)
+			}
+		}
+	}
+}
+
+func TestTaskConvertFromGRPCNetworkAttachment(t *testing.T) {
+	containerID := "asdfjkl"
+	s := swarmapi.TaskSpec{
+		Runtime: &swarmapi.TaskSpec_Attachment{
+			Attachment: &swarmapi.NetworkAttachmentSpec{
+				ContainerID: containerID,
+			},
+		},
+	}
+	ts, err := taskSpecFromGRPC(s)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if ts.NetworkAttachmentSpec == nil {
+		t.Fatal("expected task spec to have network attachment spec")
+	}
+	if ts.NetworkAttachmentSpec.ContainerID != containerID {
+		t.Fatalf("expected network attachment spec container id to be %q, was %q", containerID, ts.NetworkAttachmentSpec.ContainerID)
+	}
+	if ts.Runtime != swarmtypes.RuntimeNetworkAttachment {
+		t.Fatalf("expected Runtime to be %v", swarmtypes.RuntimeNetworkAttachment)
+	}
+}
diff --git a/engine/daemon/cluster/convert/swarm.go b/engine/daemon/cluster/convert/swarm.go
new file mode 100644
index 00000000..ae97a4b6
--- /dev/null
+++ b/engine/daemon/cluster/convert/swarm.go
@@ -0,0 +1,147 @@
+package convert // import "github.com/docker/docker/daemon/cluster/convert"
+
+import (
+	"fmt"
+	"strings"
+
+	types "github.com/docker/docker/api/types/swarm"
+	swarmapi "github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/ca"
+	gogotypes "github.com/gogo/protobuf/types"
+)
+
+// SwarmFromGRPC converts a grpc Cluster to a Swarm.
+func SwarmFromGRPC(c swarmapi.Cluster) types.Swarm {
+	swarm := types.Swarm{
+		ClusterInfo: types.ClusterInfo{
+			ID: c.ID,
+			Spec: types.Spec{
+				Orchestration: types.OrchestrationConfig{
+					TaskHistoryRetentionLimit: &c.Spec.Orchestration.TaskHistoryRetentionLimit,
+				},
+				Raft: types.RaftConfig{
+					SnapshotInterval:           c.Spec.Raft.SnapshotInterval,
+					KeepOldSnapshots:           &c.Spec.Raft.KeepOldSnapshots,
+					LogEntriesForSlowFollowers: c.Spec.Raft.LogEntriesForSlowFollowers,
+					HeartbeatTick:              int(c.Spec.Raft.HeartbeatTick),
+					ElectionTick:               int(c.Spec.Raft.ElectionTick),
+				},
+				EncryptionConfig: types.EncryptionConfig{
+					AutoLockManagers: c.Spec.EncryptionConfig.AutoLockManagers,
+				},
+				CAConfig: types.CAConfig{
+					// do not include the signing CA cert or key (it should already be redacted via the swarm APIs) -
+					// the key because it's secret, and the cert because otherwise doing a get + update on the spec
+					// can cause issues because the key would be missing and the cert wouldn't
+					ForceRotate: c.Spec.CAConfig.ForceRotate,
+				},
+			},
+			TLSInfo: types.TLSInfo{
+				TrustRoot: string(c.RootCA.CACert),
+			},
+			RootRotationInProgress: c.RootCA.RootRotation != nil,
+		},
+		JoinTokens: types.JoinTokens{
+			Worker:  c.RootCA.JoinTokens.Worker,
+			Manager: c.RootCA.JoinTokens.Manager,
+		},
+	}
+
+	issuerInfo, err := ca.IssuerFromAPIRootCA(&c.RootCA)
+	if err == nil && issuerInfo != nil {
+		swarm.TLSInfo.CertIssuerSubject = issuerInfo.Subject
+		swarm.TLSInfo.CertIssuerPublicKey = issuerInfo.PublicKey
+	}
+
+	heartbeatPeriod, _ := gogotypes.DurationFromProto(c.Spec.Dispatcher.HeartbeatPeriod)
+	swarm.Spec.Dispatcher.HeartbeatPeriod = heartbeatPeriod
+
+	swarm.Spec.CAConfig.NodeCertExpiry, _ = gogotypes.DurationFromProto(c.Spec.CAConfig.NodeCertExpiry)
+
+	for _, ca := range c.Spec.CAConfig.ExternalCAs {
+		swarm.Spec.CAConfig.ExternalCAs = append(swarm.Spec.CAConfig.ExternalCAs, &types.ExternalCA{
+			Protocol: types.ExternalCAProtocol(strings.ToLower(ca.Protocol.String())),
+			URL:      ca.URL,
+			Options:  ca.Options,
+			CACert:   string(ca.CACert),
+		})
+	}
+
+	// Meta
+	swarm.Version.Index = c.Meta.Version.Index
+	swarm.CreatedAt, _ = gogotypes.TimestampFromProto(c.Meta.CreatedAt)
+	swarm.UpdatedAt, _ = gogotypes.TimestampFromProto(c.Meta.UpdatedAt)
+
+	// Annotations
+	swarm.Spec.Annotations = annotationsFromGRPC(c.Spec.Annotations)
+
+	return swarm
+}
+
+// SwarmSpecToGRPC converts a Spec to a grpc ClusterSpec.
+func SwarmSpecToGRPC(s types.Spec) (swarmapi.ClusterSpec, error) {
+	return MergeSwarmSpecToGRPC(s, swarmapi.ClusterSpec{})
+}
+
+// MergeSwarmSpecToGRPC merges a Spec with an initial grpc ClusterSpec
+func MergeSwarmSpecToGRPC(s types.Spec, spec swarmapi.ClusterSpec) (swarmapi.ClusterSpec, error) {
+	// We take the initSpec (either created from scratch, or returned by swarmkit),
+	// and will only change the value if the one taken from types.Spec is not nil or 0.
+	// In other words, if the value taken from types.Spec is nil or 0, we will maintain the status quo.
+	if s.Annotations.Name != "" {
+		spec.Annotations.Name = s.Annotations.Name
+	}
+	if len(s.Annotations.Labels) != 0 {
+		spec.Annotations.Labels = s.Annotations.Labels
+	}
+
+	if s.Orchestration.TaskHistoryRetentionLimit != nil {
+		spec.Orchestration.TaskHistoryRetentionLimit = *s.Orchestration.TaskHistoryRetentionLimit
+	}
+	if s.Raft.SnapshotInterval != 0 {
+		spec.Raft.SnapshotInterval = s.Raft.SnapshotInterval
+	}
+	if s.Raft.KeepOldSnapshots != nil {
+		spec.Raft.KeepOldSnapshots = *s.Raft.KeepOldSnapshots
+	}
+	if s.Raft.LogEntriesForSlowFollowers != 0 {
+		spec.Raft.LogEntriesForSlowFollowers = s.Raft.LogEntriesForSlowFollowers
+	}
+	if s.Raft.HeartbeatTick != 0 {
+		spec.Raft.HeartbeatTick = uint32(s.Raft.HeartbeatTick)
+	}
+	if s.Raft.ElectionTick != 0 {
+		spec.Raft.ElectionTick = uint32(s.Raft.ElectionTick)
+	}
+	if s.Dispatcher.HeartbeatPeriod != 0 {
+		spec.Dispatcher.HeartbeatPeriod = gogotypes.DurationProto(s.Dispatcher.HeartbeatPeriod)
+	}
+	if s.CAConfig.NodeCertExpiry != 0 {
+		spec.CAConfig.NodeCertExpiry = gogotypes.DurationProto(s.CAConfig.NodeCertExpiry)
+	}
+	if s.CAConfig.SigningCACert != "" {
+		spec.CAConfig.SigningCACert = []byte(s.CAConfig.SigningCACert)
+	}
+	if s.CAConfig.SigningCAKey != "" {
+		// do propagate the signing CA key here because we want to provide it TO the swarm APIs
+		spec.CAConfig.SigningCAKey = []byte(s.CAConfig.SigningCAKey)
+	}
+	spec.CAConfig.ForceRotate = s.CAConfig.ForceRotate
+
+	for _, ca := range s.CAConfig.ExternalCAs {
+		protocol, ok := swarmapi.ExternalCA_CAProtocol_value[strings.ToUpper(string(ca.Protocol))]
+		if !ok {
+			return swarmapi.ClusterSpec{}, fmt.Errorf("invalid protocol: %q", ca.Protocol)
+		}
+		spec.CAConfig.ExternalCAs = append(spec.CAConfig.ExternalCAs, &swarmapi.ExternalCA{
+			Protocol: swarmapi.ExternalCA_CAProtocol(protocol),
+			URL:      ca.URL,
+			Options:  ca.Options,
+			CACert:   []byte(ca.CACert),
+		})
+	}
+
+	spec.EncryptionConfig.AutoLockManagers = s.EncryptionConfig.AutoLockManagers
+
+	return spec, nil
+}
diff --git a/engine/daemon/cluster/convert/task.go b/engine/daemon/cluster/convert/task.go
new file mode 100644
index 00000000..72e2805e
--- /dev/null
+++ b/engine/daemon/cluster/convert/task.go
@@ -0,0 +1,69 @@
+package convert // import "github.com/docker/docker/daemon/cluster/convert"
+
+import (
+	"strings"
+
+	types "github.com/docker/docker/api/types/swarm"
+	swarmapi "github.com/docker/swarmkit/api"
+	gogotypes "github.com/gogo/protobuf/types"
+)
+
+// TaskFromGRPC converts a grpc Task to a Task.
+func TaskFromGRPC(t swarmapi.Task) (types.Task, error) {
+	containerStatus := t.Status.GetContainer()
+	taskSpec, err := taskSpecFromGRPC(t.Spec)
+	if err != nil {
+		return types.Task{}, err
+	}
+	task := types.Task{
+		ID:          t.ID,
+		Annotations: annotationsFromGRPC(t.Annotations),
+		ServiceID:   t.ServiceID,
+		Slot:        int(t.Slot),
+		NodeID:      t.NodeID,
+		Spec:        taskSpec,
+		Status: types.TaskStatus{
+			State:   types.TaskState(strings.ToLower(t.Status.State.String())),
+			Message: t.Status.Message,
+			Err:     t.Status.Err,
+		},
+		DesiredState:     types.TaskState(strings.ToLower(t.DesiredState.String())),
+		GenericResources: GenericResourcesFromGRPC(t.AssignedGenericResources),
+	}
+
+	// Meta
+	task.Version.Index = t.Meta.Version.Index
+	task.CreatedAt, _ = gogotypes.TimestampFromProto(t.Meta.CreatedAt)
+	task.UpdatedAt, _ = gogotypes.TimestampFromProto(t.Meta.UpdatedAt)
+
+	task.Status.Timestamp, _ = gogotypes.TimestampFromProto(t.Status.Timestamp)
+
+	if containerStatus != nil {
+		task.Status.ContainerStatus = &types.ContainerStatus{
+			ContainerID: containerStatus.ContainerID,
+			PID:         int(containerStatus.PID),
+			ExitCode:    int(containerStatus.ExitCode),
+		}
+	}
+
+	// NetworksAttachments
+	for _, na := range t.Networks {
+		task.NetworksAttachments = append(task.NetworksAttachments, networkAttachmentFromGRPC(na))
+	}
+
+	if t.Status.PortStatus == nil {
+		return task, nil
+	}
+
+	for _, p := range t.Status.PortStatus.Ports {
+		task.Status.PortStatus.Ports = append(task.Status.PortStatus.Ports, types.PortConfig{
+			Name:          p.Name,
+			Protocol:      types.PortConfigProtocol(strings.ToLower(swarmapi.PortConfig_Protocol_name[int32(p.Protocol)])),
+			PublishMode:   types.PortConfigPublishMode(strings.ToLower(swarmapi.PortConfig_PublishMode_name[int32(p.PublishMode)])),
+			TargetPort:    p.TargetPort,
+			PublishedPort: p.PublishedPort,
+		})
+	}
+
+	return task, nil
+}
diff --git a/engine/daemon/cluster/errors.go b/engine/daemon/cluster/errors.go
new file mode 100644
index 00000000..9ec716b1
--- /dev/null
+++ b/engine/daemon/cluster/errors.go
@@ -0,0 +1,61 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+const (
+	// errNoSwarm is returned on leaving a cluster that was never initialized
+	errNoSwarm notAvailableError = "This node is not part of a swarm"
+
+	// errSwarmExists is returned on initialize or join request for a cluster that has already been activated
+	errSwarmExists notAvailableError = "This node is already part of a swarm. Use \"docker swarm leave\" to leave this swarm and join another one."
+
+	// errSwarmJoinTimeoutReached is returned when cluster join could not complete before timeout was reached.
+	errSwarmJoinTimeoutReached notAvailableError = "Timeout was reached before node joined. The attempt to join the swarm will continue in the background. Use the \"docker info\" command to see the current swarm status of your node."
+
+	// errSwarmLocked is returned if the swarm is encrypted and needs a key to unlock it.
+	errSwarmLocked notAvailableError = "Swarm is encrypted and needs to be unlocked before it can be used. Please use \"docker swarm unlock\" to unlock it."
+
+	// errSwarmCertificatesExpired is returned if docker was not started for the whole validity period and they had no chance to renew automatically.
+	errSwarmCertificatesExpired notAvailableError = "Swarm certificates have expired. To replace them, leave the swarm and join again."
+
+	// errSwarmNotManager is returned if the node is not a swarm manager.
+	errSwarmNotManager notAvailableError = "This node is not a swarm manager. Worker nodes can't be used to view or modify cluster state. Please run this command on a manager node or promote the current node to a manager."
+)
+
+type notAllowedError string
+
+func (e notAllowedError) Error() string {
+	return string(e)
+}
+
+func (e notAllowedError) Forbidden() {}
+
+type notAvailableError string
+
+func (e notAvailableError) Error() string {
+	return string(e)
+}
+
+func (e notAvailableError) Unavailable() {}
+
+type configError string
+
+func (e configError) Error() string {
+	return string(e)
+}
+
+func (e configError) InvalidParameter() {}
+
+type invalidUnlockKey struct{}
+
+func (invalidUnlockKey) Error() string {
+	return "swarm could not be unlocked: invalid key provided"
+}
+
+func (invalidUnlockKey) Unauthorized() {}
+
+type notLockedError struct{}
+
+func (notLockedError) Error() string {
+	return "swarm is not locked"
+}
+
+func (notLockedError) Conflict() {}
diff --git a/engine/daemon/cluster/executor/backend.go b/engine/daemon/cluster/executor/backend.go
new file mode 100644
index 00000000..cfbc86ce
--- /dev/null
+++ b/engine/daemon/cluster/executor/backend.go
@@ -0,0 +1,76 @@
+package executor // import "github.com/docker/docker/daemon/cluster/executor"
+
+import (
+	"context"
+	"io"
+	"time"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/network"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	containerpkg "github.com/docker/docker/container"
+	clustertypes "github.com/docker/docker/daemon/cluster/provider"
+	networkSettings "github.com/docker/docker/daemon/network"
+	"github.com/docker/docker/plugin"
+	volumeopts "github.com/docker/docker/volume/service/opts"
+	"github.com/docker/libnetwork"
+	"github.com/docker/libnetwork/cluster"
+	networktypes "github.com/docker/libnetwork/types"
+	"github.com/docker/swarmkit/agent/exec"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// Backend defines the executor component for a swarm agent.
+type Backend interface {
+	CreateManagedNetwork(clustertypes.NetworkCreateRequest) error
+	DeleteManagedNetwork(networkID string) error
+	FindNetwork(idName string) (libnetwork.Network, error)
+	SetupIngress(clustertypes.NetworkCreateRequest, string) (<-chan struct{}, error)
+	ReleaseIngress() (<-chan struct{}, error)
+	CreateManagedContainer(config types.ContainerCreateConfig) (container.ContainerCreateCreatedBody, error)
+	ContainerStart(name string, hostConfig *container.HostConfig, checkpoint string, checkpointDir string) error
+	ContainerStop(name string, seconds *int) error
+	ContainerLogs(context.Context, string, *types.ContainerLogsOptions) (msgs <-chan *backend.LogMessage, tty bool, err error)
+	ConnectContainerToNetwork(containerName, networkName string, endpointConfig *network.EndpointSettings) error
+	ActivateContainerServiceBinding(containerName string) error
+	DeactivateContainerServiceBinding(containerName string) error
+	UpdateContainerServiceConfig(containerName string, serviceConfig *clustertypes.ServiceConfig) error
+	ContainerInspectCurrent(name string, size bool) (*types.ContainerJSON, error)
+	ContainerWait(ctx context.Context, name string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error)
+	ContainerRm(name string, config *types.ContainerRmConfig) error
+	ContainerKill(name string, sig uint64) error
+	SetContainerDependencyStore(name string, store exec.DependencyGetter) error
+	SetContainerSecretReferences(name string, refs []*swarmtypes.SecretReference) error
+	SetContainerConfigReferences(name string, refs []*swarmtypes.ConfigReference) error
+	SystemInfo() (*types.Info, error)
+	Containers(config *types.ContainerListOptions) ([]*types.Container, error)
+	SetNetworkBootstrapKeys([]*networktypes.EncryptionKey) error
+	DaemonJoinsCluster(provider cluster.Provider)
+	DaemonLeavesCluster()
+	IsSwarmCompatible() error
+	SubscribeToEvents(since, until time.Time, filter filters.Args) ([]events.Message, chan interface{})
+	UnsubscribeFromEvents(listener chan interface{})
+	UpdateAttachment(string, string, string, *network.NetworkingConfig) error
+	WaitForDetachment(context.Context, string, string, string, string) error
+	PluginManager() *plugin.Manager
+	PluginGetter() *plugin.Store
+	GetAttachmentStore() *networkSettings.AttachmentStore
+}
+
+// VolumeBackend is used by an executor to perform volume operations
+type VolumeBackend interface {
+	Create(ctx context.Context, name, driverName string, opts ...volumeopts.CreateOption) (*types.Volume, error)
+}
+
+// ImageBackend is used by an executor to perform image operations
+type ImageBackend interface {
+	PullImage(ctx context.Context, image, tag string, platform *specs.Platform, metaHeaders map[string][]string, authConfig *types.AuthConfig, outStream io.Writer) error
+	GetRepository(context.Context, reference.Named, *types.AuthConfig) (distribution.Repository, bool, error)
+	LookupImage(name string) (*types.ImageInspect, error)
+}
diff --git a/engine/daemon/cluster/executor/container/adapter.go b/engine/daemon/cluster/executor/container/adapter.go
new file mode 100644
index 00000000..6b222f20
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/adapter.go
@@ -0,0 +1,475 @@
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/events"
+	containerpkg "github.com/docker/docker/container"
+	"github.com/docker/docker/daemon"
+	"github.com/docker/docker/daemon/cluster/convert"
+	executorpkg "github.com/docker/docker/daemon/cluster/executor"
+	volumeopts "github.com/docker/docker/volume/service/opts"
+	"github.com/docker/libnetwork"
+	"github.com/docker/swarmkit/agent/exec"
+	"github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/log"
+	gogotypes "github.com/gogo/protobuf/types"
+	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/time/rate"
+)
+
+// containerAdapter conducts remote operations for a container. All calls
+// are mostly naked calls to the client API, seeded with information from
+// containerConfig.
+type containerAdapter struct {
+	backend       executorpkg.Backend
+	imageBackend  executorpkg.ImageBackend
+	volumeBackend executorpkg.VolumeBackend
+	container     *containerConfig
+	dependencies  exec.DependencyGetter
+}
+
+func newContainerAdapter(b executorpkg.Backend, i executorpkg.ImageBackend, v executorpkg.VolumeBackend, task *api.Task, node *api.NodeDescription, dependencies exec.DependencyGetter) (*containerAdapter, error) {
+	ctnr, err := newContainerConfig(task, node)
+	if err != nil {
+		return nil, err
+	}
+
+	return &containerAdapter{
+		container:     ctnr,
+		backend:       b,
+		imageBackend:  i,
+		volumeBackend: v,
+		dependencies:  dependencies,
+	}, nil
+}
+
+func (c *containerAdapter) pullImage(ctx context.Context) error {
+	spec := c.container.spec()
+
+	// Skip pulling if the image is referenced by image ID.
+	if _, err := digest.Parse(spec.Image); err == nil {
+		return nil
+	}
+
+	// Skip pulling if the image is referenced by digest and already
+	// exists locally.
+	named, err := reference.ParseNormalizedNamed(spec.Image)
+	if err == nil {
+		if _, ok := named.(reference.Canonical); ok {
+			_, err := c.imageBackend.LookupImage(spec.Image)
+			if err == nil {
+				return nil
+			}
+		}
+	}
+
+	// if the image needs to be pulled, the auth config will be retrieved and updated
+	var encodedAuthConfig string
+	if spec.PullOptions != nil {
+		encodedAuthConfig = spec.PullOptions.RegistryAuth
+	}
+
+	authConfig := &types.AuthConfig{}
+	if encodedAuthConfig != "" {
+		if err := json.NewDecoder(base64.NewDecoder(base64.URLEncoding, strings.NewReader(encodedAuthConfig))).Decode(authConfig); err != nil {
+			logrus.Warnf("invalid authconfig: %v", err)
+		}
+	}
+
+	pr, pw := io.Pipe()
+	metaHeaders := map[string][]string{}
+	go func() {
+		// TODO @jhowardmsft LCOW Support: This will need revisiting as
+		// the stack is built up to include LCOW support for swarm.
+		err := c.imageBackend.PullImage(ctx, c.container.image(), "", nil, metaHeaders, authConfig, pw)
+		pw.CloseWithError(err)
+	}()
+
+	dec := json.NewDecoder(pr)
+	dec.UseNumber()
+	m := map[string]interface{}{}
+	spamLimiter := rate.NewLimiter(rate.Every(time.Second), 1)
+
+	lastStatus := ""
+	for {
+		if err := dec.Decode(&m); err != nil {
+			if err == io.EOF {
+				break
+			}
+			return err
+		}
+		l := log.G(ctx)
+		// limit pull progress logs unless the status changes
+		if spamLimiter.Allow() || lastStatus != m["status"] {
+			// if we have progress details, we have everything we need
+			if progress, ok := m["progressDetail"].(map[string]interface{}); ok {
+				// first, log the image and status
+				l = l.WithFields(logrus.Fields{
+					"image":  c.container.image(),
+					"status": m["status"],
+				})
+				// then, if we have progress, log the progress
+				if progress["current"] != nil && progress["total"] != nil {
+					l = l.WithFields(logrus.Fields{
+						"current": progress["current"],
+						"total":   progress["total"],
+					})
+				}
+			}
+			l.Debug("pull in progress")
+		}
+		// sometimes, we get no useful information at all, and add no fields
+		if status, ok := m["status"].(string); ok {
+			lastStatus = status
+		}
+	}
+
+	// if the final stream object contained an error, return it
+	if errMsg, ok := m["error"]; ok {
+		return fmt.Errorf("%v", errMsg)
+	}
+	return nil
+}
+
+func (c *containerAdapter) createNetworks(ctx context.Context) error {
+	for name := range c.container.networksAttachments {
+		ncr, err := c.container.networkCreateRequest(name)
+		if err != nil {
+			return err
+		}
+
+		if err := c.backend.CreateManagedNetwork(ncr); err != nil { // todo name missing
+			if _, ok := err.(libnetwork.NetworkNameError); ok {
+				continue
+			}
+			// We will continue if CreateManagedNetwork returns PredefinedNetworkError error.
+			// Other callers still can treat it as Error.
+			if _, ok := err.(daemon.PredefinedNetworkError); ok {
+				continue
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (c *containerAdapter) removeNetworks(ctx context.Context) error {
+	for name, v := range c.container.networksAttachments {
+		if err := c.backend.DeleteManagedNetwork(v.Network.ID); err != nil {
+			switch err.(type) {
+			case *libnetwork.ActiveEndpointsError:
+				continue
+			case libnetwork.ErrNoSuchNetwork:
+				continue
+			default:
+				log.G(ctx).Errorf("network %s remove failed: %v", name, err)
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func (c *containerAdapter) networkAttach(ctx context.Context) error {
+	config := c.container.createNetworkingConfig(c.backend)
+
+	var (
+		networkName string
+		networkID   string
+	)
+
+	if config != nil {
+		for n, epConfig := range config.EndpointsConfig {
+			networkName = n
+			networkID = epConfig.NetworkID
+			break
+		}
+	}
+
+	return c.backend.UpdateAttachment(networkName, networkID, c.container.networkAttachmentContainerID(), config)
+}
+
+func (c *containerAdapter) waitForDetach(ctx context.Context) error {
+	config := c.container.createNetworkingConfig(c.backend)
+
+	var (
+		networkName string
+		networkID   string
+	)
+
+	if config != nil {
+		for n, epConfig := range config.EndpointsConfig {
+			networkName = n
+			networkID = epConfig.NetworkID
+			break
+		}
+	}
+
+	return c.backend.WaitForDetachment(ctx, networkName, networkID, c.container.taskID(), c.container.networkAttachmentContainerID())
+}
+
+func (c *containerAdapter) create(ctx context.Context) error {
+	var cr containertypes.ContainerCreateCreatedBody
+	var err error
+	if cr, err = c.backend.CreateManagedContainer(types.ContainerCreateConfig{
+		Name:       c.container.name(),
+		Config:     c.container.config(),
+		HostConfig: c.container.hostConfig(),
+		// Use the first network in container create
+		NetworkingConfig: c.container.createNetworkingConfig(c.backend),
+	}); err != nil {
+		return err
+	}
+
+	// Docker daemon currently doesn't support multiple networks in container create
+	// Connect to all other networks
+	nc := c.container.connectNetworkingConfig(c.backend)
+
+	if nc != nil {
+		for n, ep := range nc.EndpointsConfig {
+			if err := c.backend.ConnectContainerToNetwork(cr.ID, n, ep); err != nil {
+				return err
+			}
+		}
+	}
+
+	container := c.container.task.Spec.GetContainer()
+	if container == nil {
+		return errors.New("unable to get container from task spec")
+	}
+
+	if err := c.backend.SetContainerDependencyStore(cr.ID, c.dependencies); err != nil {
+		return err
+	}
+
+	// configure secrets
+	secretRefs := convert.SecretReferencesFromGRPC(container.Secrets)
+	if err := c.backend.SetContainerSecretReferences(cr.ID, secretRefs); err != nil {
+		return err
+	}
+
+	configRefs := convert.ConfigReferencesFromGRPC(container.Configs)
+	if err := c.backend.SetContainerConfigReferences(cr.ID, configRefs); err != nil {
+		return err
+	}
+
+	return c.backend.UpdateContainerServiceConfig(cr.ID, c.container.serviceConfig())
+}
+
+// checkMounts ensures that the provided mounts won't have any host-specific
+// problems at start up. For example, we disallow bind mounts without an
+// existing path, which slightly different from the container API.
+func (c *containerAdapter) checkMounts() error {
+	spec := c.container.spec()
+	for _, mount := range spec.Mounts {
+		switch mount.Type {
+		case api.MountTypeBind:
+			if _, err := os.Stat(mount.Source); os.IsNotExist(err) {
+				return fmt.Errorf("invalid bind mount source, source path not found: %s", mount.Source)
+			}
+		}
+	}
+
+	return nil
+}
+
+func (c *containerAdapter) start(ctx context.Context) error {
+	if err := c.checkMounts(); err != nil {
+		return err
+	}
+
+	return c.backend.ContainerStart(c.container.name(), nil, "", "")
+}
+
+func (c *containerAdapter) inspect(ctx context.Context) (types.ContainerJSON, error) {
+	cs, err := c.backend.ContainerInspectCurrent(c.container.name(), false)
+	if ctx.Err() != nil {
+		return types.ContainerJSON{}, ctx.Err()
+	}
+	if err != nil {
+		return types.ContainerJSON{}, err
+	}
+	return *cs, nil
+}
+
+// events issues a call to the events API and returns a channel with all
+// events. The stream of events can be shutdown by cancelling the context.
+func (c *containerAdapter) events(ctx context.Context) <-chan events.Message {
+	log.G(ctx).Debugf("waiting on events")
+	buffer, l := c.backend.SubscribeToEvents(time.Time{}, time.Time{}, c.container.eventFilter())
+	eventsq := make(chan events.Message, len(buffer))
+
+	for _, event := range buffer {
+		eventsq <- event
+	}
+
+	go func() {
+		defer c.backend.UnsubscribeFromEvents(l)
+
+		for {
+			select {
+			case ev := <-l:
+				jev, ok := ev.(events.Message)
+				if !ok {
+					log.G(ctx).Warnf("unexpected event message: %q", ev)
+					continue
+				}
+				select {
+				case eventsq <- jev:
+				case <-ctx.Done():
+					return
+				}
+			case <-ctx.Done():
+				return
+			}
+		}
+	}()
+
+	return eventsq
+}
+
+func (c *containerAdapter) wait(ctx context.Context) (<-chan containerpkg.StateStatus, error) {
+	return c.backend.ContainerWait(ctx, c.container.nameOrID(), containerpkg.WaitConditionNotRunning)
+}
+
+func (c *containerAdapter) shutdown(ctx context.Context) error {
+	// Default stop grace period to nil (daemon will use the stopTimeout of the container)
+	var stopgrace *int
+	spec := c.container.spec()
+	if spec.StopGracePeriod != nil {
+		stopgraceValue := int(spec.StopGracePeriod.Seconds)
+		stopgrace = &stopgraceValue
+	}
+	return c.backend.ContainerStop(c.container.name(), stopgrace)
+}
+
+func (c *containerAdapter) terminate(ctx context.Context) error {
+	return c.backend.ContainerKill(c.container.name(), uint64(syscall.SIGKILL))
+}
+
+func (c *containerAdapter) remove(ctx context.Context) error {
+	return c.backend.ContainerRm(c.container.name(), &types.ContainerRmConfig{
+		RemoveVolume: true,
+		ForceRemove:  true,
+	})
+}
+
+func (c *containerAdapter) createVolumes(ctx context.Context) error {
+	// Create plugin volumes that are embedded inside a Mount
+	for _, mount := range c.container.task.Spec.GetContainer().Mounts {
+		if mount.Type != api.MountTypeVolume {
+			continue
+		}
+
+		if mount.VolumeOptions == nil {
+			continue
+		}
+
+		if mount.VolumeOptions.DriverConfig == nil {
+			continue
+		}
+
+		req := c.container.volumeCreateRequest(&mount)
+
+		// Check if this volume exists on the engine
+		if _, err := c.volumeBackend.Create(ctx, req.Name, req.Driver,
+			volumeopts.WithCreateOptions(req.DriverOpts),
+			volumeopts.WithCreateLabels(req.Labels),
+		); err != nil {
+			// TODO(amitshukla): Today, volume create through the engine api does not return an error
+			// when the named volume with the same parameters already exists.
+			// It returns an error if the driver name is different - that is a valid error
+			return err
+		}
+
+	}
+
+	return nil
+}
+
+func (c *containerAdapter) activateServiceBinding() error {
+	return c.backend.ActivateContainerServiceBinding(c.container.name())
+}
+
+func (c *containerAdapter) deactivateServiceBinding() error {
+	return c.backend.DeactivateContainerServiceBinding(c.container.name())
+}
+
+func (c *containerAdapter) logs(ctx context.Context, options api.LogSubscriptionOptions) (<-chan *backend.LogMessage, error) {
+	apiOptions := &types.ContainerLogsOptions{
+		Follow: options.Follow,
+
+		// Always say yes to Timestamps and Details. we make the decision
+		// of whether to return these to the user or not way higher up the
+		// stack.
+		Timestamps: true,
+		Details:    true,
+	}
+
+	if options.Since != nil {
+		since, err := gogotypes.TimestampFromProto(options.Since)
+		if err != nil {
+			return nil, err
+		}
+		// print since as this formatted string because the docker container
+		// logs interface expects it like this.
+		// see github.com/docker/docker/api/types/time.ParseTimestamps
+		apiOptions.Since = fmt.Sprintf("%d.%09d", since.Unix(), int64(since.Nanosecond()))
+	}
+
+	if options.Tail < 0 {
+		// See protobuf documentation for details of how this works.
+		apiOptions.Tail = fmt.Sprint(-options.Tail - 1)
+	} else if options.Tail > 0 {
+		return nil, errors.New("tail relative to start of logs not supported via docker API")
+	}
+
+	if len(options.Streams) == 0 {
+		// empty == all
+		apiOptions.ShowStdout, apiOptions.ShowStderr = true, true
+	} else {
+		for _, stream := range options.Streams {
+			switch stream {
+			case api.LogStreamStdout:
+				apiOptions.ShowStdout = true
+			case api.LogStreamStderr:
+				apiOptions.ShowStderr = true
+			}
+		}
+	}
+	msgs, _, err := c.backend.ContainerLogs(ctx, c.container.name(), apiOptions)
+	if err != nil {
+		return nil, err
+	}
+	return msgs, nil
+}
+
+// todo: typed/wrapped errors
+func isContainerCreateNameConflict(err error) bool {
+	return strings.Contains(err.Error(), "Conflict. The name")
+}
+
+func isUnknownContainer(err error) bool {
+	return strings.Contains(err.Error(), "No such container:")
+}
+
+func isStoppedContainer(err error) bool {
+	return strings.Contains(err.Error(), "is already stopped")
+}
diff --git a/engine/daemon/cluster/executor/container/attachment.go b/engine/daemon/cluster/executor/container/attachment.go
new file mode 100644
index 00000000..f0aa0b95
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/attachment.go
@@ -0,0 +1,74 @@
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+import (
+	"context"
+
+	executorpkg "github.com/docker/docker/daemon/cluster/executor"
+	"github.com/docker/swarmkit/agent/exec"
+	"github.com/docker/swarmkit/api"
+)
+
+// networkAttacherController implements agent.Controller against docker's API.
+//
+// networkAttacherController manages the lifecycle of network
+// attachment of a docker unmanaged container managed as a task from
+// agent point of view. It provides network attachment information to
+// the unmanaged container for it to attach to the network and run.
+type networkAttacherController struct {
+	backend executorpkg.Backend
+	task    *api.Task
+	adapter *containerAdapter
+	closed  chan struct{}
+}
+
+func newNetworkAttacherController(b executorpkg.Backend, i executorpkg.ImageBackend, v executorpkg.VolumeBackend, task *api.Task, node *api.NodeDescription, dependencies exec.DependencyGetter) (*networkAttacherController, error) {
+	adapter, err := newContainerAdapter(b, i, v, task, node, dependencies)
+	if err != nil {
+		return nil, err
+	}
+
+	return &networkAttacherController{
+		backend: b,
+		task:    task,
+		adapter: adapter,
+		closed:  make(chan struct{}),
+	}, nil
+}
+
+func (nc *networkAttacherController) Update(ctx context.Context, t *api.Task) error {
+	return nil
+}
+
+func (nc *networkAttacherController) Prepare(ctx context.Context) error {
+	// Make sure all the networks that the task needs are created.
+	return nc.adapter.createNetworks(ctx)
+}
+
+func (nc *networkAttacherController) Start(ctx context.Context) error {
+	return nc.adapter.networkAttach(ctx)
+}
+
+func (nc *networkAttacherController) Wait(pctx context.Context) error {
+	ctx, cancel := context.WithCancel(pctx)
+	defer cancel()
+
+	return nc.adapter.waitForDetach(ctx)
+}
+
+func (nc *networkAttacherController) Shutdown(ctx context.Context) error {
+	return nil
+}
+
+func (nc *networkAttacherController) Terminate(ctx context.Context) error {
+	return nil
+}
+
+func (nc *networkAttacherController) Remove(ctx context.Context) error {
+	// Try removing the network referenced in this task in case this
+	// task is the last one referencing it
+	return nc.adapter.removeNetworks(ctx)
+}
+
+func (nc *networkAttacherController) Close() error {
+	return nil
+}
diff --git a/engine/daemon/cluster/executor/container/container.go b/engine/daemon/cluster/executor/container/container.go
new file mode 100644
index 00000000..77d21d2c
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/container.go
@@ -0,0 +1,680 @@
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	enginecontainer "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	enginemount "github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/network"
+	volumetypes "github.com/docker/docker/api/types/volume"
+	"github.com/docker/docker/daemon/cluster/convert"
+	executorpkg "github.com/docker/docker/daemon/cluster/executor"
+	clustertypes "github.com/docker/docker/daemon/cluster/provider"
+	"github.com/docker/go-connections/nat"
+	netconst "github.com/docker/libnetwork/datastore"
+	"github.com/docker/swarmkit/agent/exec"
+	"github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/api/genericresource"
+	"github.com/docker/swarmkit/template"
+	gogotypes "github.com/gogo/protobuf/types"
+)
+
+const (
+	// Explicitly use the kernel's default setting for CPU quota of 100ms.
+	// https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt
+	cpuQuotaPeriod = 100 * time.Millisecond
+
+	// systemLabelPrefix represents the reserved namespace for system labels.
+	systemLabelPrefix = "com.docker.swarm"
+)
+
+// containerConfig converts task properties into docker container compatible
+// components.
+type containerConfig struct {
+	task                *api.Task
+	networksAttachments map[string]*api.NetworkAttachment
+}
+
+// newContainerConfig returns a validated container config. No methods should
+// return an error if this function returns without error.
+func newContainerConfig(t *api.Task, node *api.NodeDescription) (*containerConfig, error) {
+	var c containerConfig
+	return &c, c.setTask(t, node)
+}
+
+func (c *containerConfig) setTask(t *api.Task, node *api.NodeDescription) error {
+	if t.Spec.GetContainer() == nil && t.Spec.GetAttachment() == nil {
+		return exec.ErrRuntimeUnsupported
+	}
+
+	container := t.Spec.GetContainer()
+	if container != nil {
+		if container.Image == "" {
+			return ErrImageRequired
+		}
+
+		if err := validateMounts(container.Mounts); err != nil {
+			return err
+		}
+	}
+
+	// index the networks by name
+	c.networksAttachments = make(map[string]*api.NetworkAttachment, len(t.Networks))
+	for _, attachment := range t.Networks {
+		c.networksAttachments[attachment.Network.Spec.Annotations.Name] = attachment
+	}
+
+	c.task = t
+
+	if t.Spec.GetContainer() != nil {
+		preparedSpec, err := template.ExpandContainerSpec(node, t)
+		if err != nil {
+			return err
+		}
+		c.task.Spec.Runtime = &api.TaskSpec_Container{
+			Container: preparedSpec,
+		}
+	}
+
+	return nil
+}
+
+func (c *containerConfig) networkAttachmentContainerID() string {
+	attachment := c.task.Spec.GetAttachment()
+	if attachment == nil {
+		return ""
+	}
+
+	return attachment.ContainerID
+}
+
+func (c *containerConfig) taskID() string {
+	return c.task.ID
+}
+
+func (c *containerConfig) endpoint() *api.Endpoint {
+	return c.task.Endpoint
+}
+
+func (c *containerConfig) spec() *api.ContainerSpec {
+	return c.task.Spec.GetContainer()
+}
+
+func (c *containerConfig) nameOrID() string {
+	if c.task.Spec.GetContainer() != nil {
+		return c.name()
+	}
+
+	return c.networkAttachmentContainerID()
+}
+
+func (c *containerConfig) name() string {
+	if c.task.Annotations.Name != "" {
+		// if set, use the container Annotations.Name field, set in the orchestrator.
+		return c.task.Annotations.Name
+	}
+
+	slot := fmt.Sprint(c.task.Slot)
+	if slot == "" || c.task.Slot == 0 {
+		slot = c.task.NodeID
+	}
+
+	// fallback to service.slot.id.
+	return fmt.Sprintf("%s.%s.%s", c.task.ServiceAnnotations.Name, slot, c.task.ID)
+}
+
+func (c *containerConfig) image() string {
+	raw := c.spec().Image
+	ref, err := reference.ParseNormalizedNamed(raw)
+	if err != nil {
+		return raw
+	}
+	return reference.FamiliarString(reference.TagNameOnly(ref))
+}
+
+func (c *containerConfig) portBindings() nat.PortMap {
+	portBindings := nat.PortMap{}
+	if c.task.Endpoint == nil {
+		return portBindings
+	}
+
+	for _, portConfig := range c.task.Endpoint.Ports {
+		if portConfig.PublishMode != api.PublishModeHost {
+			continue
+		}
+
+		port := nat.Port(fmt.Sprintf("%d/%s", portConfig.TargetPort, strings.ToLower(portConfig.Protocol.String())))
+		binding := []nat.PortBinding{
+			{},
+		}
+
+		if portConfig.PublishedPort != 0 {
+			binding[0].HostPort = strconv.Itoa(int(portConfig.PublishedPort))
+		}
+		portBindings[port] = binding
+	}
+
+	return portBindings
+}
+
+func (c *containerConfig) isolation() enginecontainer.Isolation {
+	return convert.IsolationFromGRPC(c.spec().Isolation)
+}
+
+func (c *containerConfig) init() *bool {
+	if c.spec().Init == nil {
+		return nil
+	}
+	init := c.spec().Init.GetValue()
+	return &init
+}
+
+func (c *containerConfig) exposedPorts() map[nat.Port]struct{} {
+	exposedPorts := make(map[nat.Port]struct{})
+	if c.task.Endpoint == nil {
+		return exposedPorts
+	}
+
+	for _, portConfig := range c.task.Endpoint.Ports {
+		if portConfig.PublishMode != api.PublishModeHost {
+			continue
+		}
+
+		port := nat.Port(fmt.Sprintf("%d/%s", portConfig.TargetPort, strings.ToLower(portConfig.Protocol.String())))
+		exposedPorts[port] = struct{}{}
+	}
+
+	return exposedPorts
+}
+
+func (c *containerConfig) config() *enginecontainer.Config {
+	genericEnvs := genericresource.EnvFormat(c.task.AssignedGenericResources, "DOCKER_RESOURCE")
+	env := append(c.spec().Env, genericEnvs...)
+
+	config := &enginecontainer.Config{
+		Labels:       c.labels(),
+		StopSignal:   c.spec().StopSignal,
+		Tty:          c.spec().TTY,
+		OpenStdin:    c.spec().OpenStdin,
+		User:         c.spec().User,
+		Env:          env,
+		Hostname:     c.spec().Hostname,
+		WorkingDir:   c.spec().Dir,
+		Image:        c.image(),
+		ExposedPorts: c.exposedPorts(),
+		Healthcheck:  c.healthcheck(),
+	}
+
+	if len(c.spec().Command) > 0 {
+		// If Command is provided, we replace the whole invocation with Command
+		// by replacing Entrypoint and specifying Cmd. Args is ignored in this
+		// case.
+		config.Entrypoint = append(config.Entrypoint, c.spec().Command...)
+		config.Cmd = append(config.Cmd, c.spec().Args...)
+	} else if len(c.spec().Args) > 0 {
+		// In this case, we assume the image has an Entrypoint and Args
+		// specifies the arguments for that entrypoint.
+		config.Cmd = c.spec().Args
+	}
+
+	return config
+}
+
+func (c *containerConfig) labels() map[string]string {
+	var (
+		system = map[string]string{
+			"task":         "", // mark as cluster task
+			"task.id":      c.task.ID,
+			"task.name":    c.name(),
+			"node.id":      c.task.NodeID,
+			"service.id":   c.task.ServiceID,
+			"service.name": c.task.ServiceAnnotations.Name,
+		}
+		labels = make(map[string]string)
+	)
+
+	// base labels are those defined in the spec.
+	for k, v := range c.spec().Labels {
+		labels[k] = v
+	}
+
+	// we then apply the overrides from the task, which may be set via the
+	// orchestrator.
+	for k, v := range c.task.Annotations.Labels {
+		labels[k] = v
+	}
+
+	// finally, we apply the system labels, which override all labels.
+	for k, v := range system {
+		labels[strings.Join([]string{systemLabelPrefix, k}, ".")] = v
+	}
+
+	return labels
+}
+
+func (c *containerConfig) mounts() []enginemount.Mount {
+	var r []enginemount.Mount
+	for _, mount := range c.spec().Mounts {
+		r = append(r, convertMount(mount))
+	}
+	return r
+}
+
+func convertMount(m api.Mount) enginemount.Mount {
+	mount := enginemount.Mount{
+		Source:   m.Source,
+		Target:   m.Target,
+		ReadOnly: m.ReadOnly,
+	}
+
+	switch m.Type {
+	case api.MountTypeBind:
+		mount.Type = enginemount.TypeBind
+	case api.MountTypeVolume:
+		mount.Type = enginemount.TypeVolume
+	case api.MountTypeTmpfs:
+		mount.Type = enginemount.TypeTmpfs
+	}
+
+	if m.BindOptions != nil {
+		mount.BindOptions = &enginemount.BindOptions{}
+		switch m.BindOptions.Propagation {
+		case api.MountPropagationRPrivate:
+			mount.BindOptions.Propagation = enginemount.PropagationRPrivate
+		case api.MountPropagationPrivate:
+			mount.BindOptions.Propagation = enginemount.PropagationPrivate
+		case api.MountPropagationRSlave:
+			mount.BindOptions.Propagation = enginemount.PropagationRSlave
+		case api.MountPropagationSlave:
+			mount.BindOptions.Propagation = enginemount.PropagationSlave
+		case api.MountPropagationRShared:
+			mount.BindOptions.Propagation = enginemount.PropagationRShared
+		case api.MountPropagationShared:
+			mount.BindOptions.Propagation = enginemount.PropagationShared
+		}
+	}
+
+	if m.VolumeOptions != nil {
+		mount.VolumeOptions = &enginemount.VolumeOptions{
+			NoCopy: m.VolumeOptions.NoCopy,
+		}
+		if m.VolumeOptions.Labels != nil {
+			mount.VolumeOptions.Labels = make(map[string]string, len(m.VolumeOptions.Labels))
+			for k, v := range m.VolumeOptions.Labels {
+				mount.VolumeOptions.Labels[k] = v
+			}
+		}
+		if m.VolumeOptions.DriverConfig != nil {
+			mount.VolumeOptions.DriverConfig = &enginemount.Driver{
+				Name: m.VolumeOptions.DriverConfig.Name,
+			}
+			if m.VolumeOptions.DriverConfig.Options != nil {
+				mount.VolumeOptions.DriverConfig.Options = make(map[string]string, len(m.VolumeOptions.DriverConfig.Options))
+				for k, v := range m.VolumeOptions.DriverConfig.Options {
+					mount.VolumeOptions.DriverConfig.Options[k] = v
+				}
+			}
+		}
+	}
+
+	if m.TmpfsOptions != nil {
+		mount.TmpfsOptions = &enginemount.TmpfsOptions{
+			SizeBytes: m.TmpfsOptions.SizeBytes,
+			Mode:      m.TmpfsOptions.Mode,
+		}
+	}
+
+	return mount
+}
+
+func (c *containerConfig) healthcheck() *enginecontainer.HealthConfig {
+	hcSpec := c.spec().Healthcheck
+	if hcSpec == nil {
+		return nil
+	}
+	interval, _ := gogotypes.DurationFromProto(hcSpec.Interval)
+	timeout, _ := gogotypes.DurationFromProto(hcSpec.Timeout)
+	startPeriod, _ := gogotypes.DurationFromProto(hcSpec.StartPeriod)
+	return &enginecontainer.HealthConfig{
+		Test:        hcSpec.Test,
+		Interval:    interval,
+		Timeout:     timeout,
+		Retries:     int(hcSpec.Retries),
+		StartPeriod: startPeriod,
+	}
+}
+
+func (c *containerConfig) hostConfig() *enginecontainer.HostConfig {
+	hc := &enginecontainer.HostConfig{
+		Resources:      c.resources(),
+		GroupAdd:       c.spec().Groups,
+		PortBindings:   c.portBindings(),
+		Mounts:         c.mounts(),
+		ReadonlyRootfs: c.spec().ReadOnly,
+		Isolation:      c.isolation(),
+		Init:           c.init(),
+	}
+
+	if c.spec().DNSConfig != nil {
+		hc.DNS = c.spec().DNSConfig.Nameservers
+		hc.DNSSearch = c.spec().DNSConfig.Search
+		hc.DNSOptions = c.spec().DNSConfig.Options
+	}
+
+	c.applyPrivileges(hc)
+
+	// The format of extra hosts on swarmkit is specified in:
+	// http://man7.org/linux/man-pages/man5/hosts.5.html
+	//    IP_address canonical_hostname [aliases...]
+	// However, the format of ExtraHosts in HostConfig is
+	//    <host>:<ip>
+	// We need to do the conversion here
+	// (Alias is ignored for now)
+	for _, entry := range c.spec().Hosts {
+		parts := strings.Fields(entry)
+		if len(parts) > 1 {
+			hc.ExtraHosts = append(hc.ExtraHosts, fmt.Sprintf("%s:%s", parts[1], parts[0]))
+		}
+	}
+
+	if c.task.LogDriver != nil {
+		hc.LogConfig = enginecontainer.LogConfig{
+			Type:   c.task.LogDriver.Name,
+			Config: c.task.LogDriver.Options,
+		}
+	}
+
+	if len(c.task.Networks) > 0 {
+		labels := c.task.Networks[0].Network.Spec.Annotations.Labels
+		name := c.task.Networks[0].Network.Spec.Annotations.Name
+		if v, ok := labels["com.docker.swarm.predefined"]; ok && v == "true" {
+			hc.NetworkMode = enginecontainer.NetworkMode(name)
+		}
+	}
+
+	return hc
+}
+
+// This handles the case of volumes that are defined inside a service Mount
+func (c *containerConfig) volumeCreateRequest(mount *api.Mount) *volumetypes.VolumeCreateBody {
+	var (
+		driverName string
+		driverOpts map[string]string
+		labels     map[string]string
+	)
+
+	if mount.VolumeOptions != nil && mount.VolumeOptions.DriverConfig != nil {
+		driverName = mount.VolumeOptions.DriverConfig.Name
+		driverOpts = mount.VolumeOptions.DriverConfig.Options
+		labels = mount.VolumeOptions.Labels
+	}
+
+	if mount.VolumeOptions != nil {
+		return &volumetypes.VolumeCreateBody{
+			Name:       mount.Source,
+			Driver:     driverName,
+			DriverOpts: driverOpts,
+			Labels:     labels,
+		}
+	}
+	return nil
+}
+
+func (c *containerConfig) resources() enginecontainer.Resources {
+	resources := enginecontainer.Resources{}
+
+	// If no limits are specified let the engine use its defaults.
+	//
+	// TODO(aluzzardi): We might want to set some limits anyway otherwise
+	// "unlimited" tasks will step over the reservation of other tasks.
+	r := c.task.Spec.Resources
+	if r == nil || r.Limits == nil {
+		return resources
+	}
+
+	if r.Limits.MemoryBytes > 0 {
+		resources.Memory = r.Limits.MemoryBytes
+	}
+
+	if r.Limits.NanoCPUs > 0 {
+		// CPU Period must be set in microseconds.
+		resources.CPUPeriod = int64(cpuQuotaPeriod / time.Microsecond)
+		resources.CPUQuota = r.Limits.NanoCPUs * resources.CPUPeriod / 1e9
+	}
+
+	return resources
+}
+
+// Docker daemon supports just 1 network during container create.
+func (c *containerConfig) createNetworkingConfig(b executorpkg.Backend) *network.NetworkingConfig {
+	var networks []*api.NetworkAttachment
+	if c.task.Spec.GetContainer() != nil || c.task.Spec.GetAttachment() != nil {
+		networks = c.task.Networks
+	}
+
+	epConfig := make(map[string]*network.EndpointSettings)
+	if len(networks) > 0 {
+		epConfig[networks[0].Network.Spec.Annotations.Name] = getEndpointConfig(networks[0], b)
+	}
+
+	return &network.NetworkingConfig{EndpointsConfig: epConfig}
+}
+
+// TODO: Merge this function with createNetworkingConfig after daemon supports multiple networks in container create
+func (c *containerConfig) connectNetworkingConfig(b executorpkg.Backend) *network.NetworkingConfig {
+	var networks []*api.NetworkAttachment
+	if c.task.Spec.GetContainer() != nil {
+		networks = c.task.Networks
+	}
+	// First network is used during container create. Other networks are used in "docker network connect"
+	if len(networks) < 2 {
+		return nil
+	}
+
+	epConfig := make(map[string]*network.EndpointSettings)
+	for _, na := range networks[1:] {
+		epConfig[na.Network.Spec.Annotations.Name] = getEndpointConfig(na, b)
+	}
+	return &network.NetworkingConfig{EndpointsConfig: epConfig}
+}
+
+func getEndpointConfig(na *api.NetworkAttachment, b executorpkg.Backend) *network.EndpointSettings {
+	var ipv4, ipv6 string
+	for _, addr := range na.Addresses {
+		ip, _, err := net.ParseCIDR(addr)
+		if err != nil {
+			continue
+		}
+
+		if ip.To4() != nil {
+			ipv4 = ip.String()
+			continue
+		}
+
+		if ip.To16() != nil {
+			ipv6 = ip.String()
+		}
+	}
+
+	n := &network.EndpointSettings{
+		NetworkID: na.Network.ID,
+		IPAMConfig: &network.EndpointIPAMConfig{
+			IPv4Address: ipv4,
+			IPv6Address: ipv6,
+		},
+		DriverOpts: na.DriverAttachmentOpts,
+	}
+	if v, ok := na.Network.Spec.Annotations.Labels["com.docker.swarm.predefined"]; ok && v == "true" {
+		if ln, err := b.FindNetwork(na.Network.Spec.Annotations.Name); err == nil {
+			n.NetworkID = ln.ID()
+		}
+	}
+	return n
+}
+
+func (c *containerConfig) virtualIP(networkID string) string {
+	if c.task.Endpoint == nil {
+		return ""
+	}
+
+	for _, eVip := range c.task.Endpoint.VirtualIPs {
+		// We only support IPv4 VIPs for now.
+		if eVip.NetworkID == networkID {
+			vip, _, err := net.ParseCIDR(eVip.Addr)
+			if err != nil {
+				return ""
+			}
+
+			return vip.String()
+		}
+	}
+
+	return ""
+}
+
+func (c *containerConfig) serviceConfig() *clustertypes.ServiceConfig {
+	if len(c.task.Networks) == 0 {
+		return nil
+	}
+
+	logrus.Debugf("Creating service config in agent for t = %+v", c.task)
+	svcCfg := &clustertypes.ServiceConfig{
+		Name:             c.task.ServiceAnnotations.Name,
+		Aliases:          make(map[string][]string),
+		ID:               c.task.ServiceID,
+		VirtualAddresses: make(map[string]*clustertypes.VirtualAddress),
+	}
+
+	for _, na := range c.task.Networks {
+		svcCfg.VirtualAddresses[na.Network.ID] = &clustertypes.VirtualAddress{
+			// We support only IPv4 virtual IP for now.
+			IPv4: c.virtualIP(na.Network.ID),
+		}
+		if len(na.Aliases) > 0 {
+			svcCfg.Aliases[na.Network.ID] = na.Aliases
+		}
+	}
+
+	if c.task.Endpoint != nil {
+		for _, ePort := range c.task.Endpoint.Ports {
+			if ePort.PublishMode != api.PublishModeIngress {
+				continue
+			}
+
+			svcCfg.ExposedPorts = append(svcCfg.ExposedPorts, &clustertypes.PortConfig{
+				Name:          ePort.Name,
+				Protocol:      int32(ePort.Protocol),
+				TargetPort:    ePort.TargetPort,
+				PublishedPort: ePort.PublishedPort,
+			})
+		}
+	}
+
+	return svcCfg
+}
+
+func (c *containerConfig) networkCreateRequest(name string) (clustertypes.NetworkCreateRequest, error) {
+	na, ok := c.networksAttachments[name]
+	if !ok {
+		return clustertypes.NetworkCreateRequest{}, errors.New("container: unknown network referenced")
+	}
+
+	options := types.NetworkCreate{
+		// ID:     na.Network.ID,
+		Labels:         na.Network.Spec.Annotations.Labels,
+		Internal:       na.Network.Spec.Internal,
+		Attachable:     na.Network.Spec.Attachable,
+		Ingress:        convert.IsIngressNetwork(na.Network),
+		EnableIPv6:     na.Network.Spec.Ipv6Enabled,
+		CheckDuplicate: true,
+		Scope:          netconst.SwarmScope,
+	}
+
+	if na.Network.Spec.GetNetwork() != "" {
+		options.ConfigFrom = &network.ConfigReference{
+			Network: na.Network.Spec.GetNetwork(),
+		}
+	}
+
+	if na.Network.DriverState != nil {
+		options.Driver = na.Network.DriverState.Name
+		options.Options = na.Network.DriverState.Options
+	}
+	if na.Network.IPAM != nil {
+		options.IPAM = &network.IPAM{
+			Driver:  na.Network.IPAM.Driver.Name,
+			Options: na.Network.IPAM.Driver.Options,
+		}
+		for _, ic := range na.Network.IPAM.Configs {
+			c := network.IPAMConfig{
+				Subnet:  ic.Subnet,
+				IPRange: ic.Range,
+				Gateway: ic.Gateway,
+			}
+			options.IPAM.Config = append(options.IPAM.Config, c)
+		}
+	}
+
+	return clustertypes.NetworkCreateRequest{
+		ID: na.Network.ID,
+		NetworkCreateRequest: types.NetworkCreateRequest{
+			Name:          name,
+			NetworkCreate: options,
+		},
+	}, nil
+}
+
+func (c *containerConfig) applyPrivileges(hc *enginecontainer.HostConfig) {
+	privileges := c.spec().Privileges
+	if privileges == nil {
+		return
+	}
+
+	credentials := privileges.CredentialSpec
+	if credentials != nil {
+		switch credentials.Source.(type) {
+		case *api.Privileges_CredentialSpec_File:
+			hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=file://"+credentials.GetFile())
+		case *api.Privileges_CredentialSpec_Registry:
+			hc.SecurityOpt = append(hc.SecurityOpt, "credentialspec=registry://"+credentials.GetRegistry())
+		}
+	}
+
+	selinux := privileges.SELinuxContext
+	if selinux != nil {
+		if selinux.Disable {
+			hc.SecurityOpt = append(hc.SecurityOpt, "label=disable")
+		}
+		if selinux.User != "" {
+			hc.SecurityOpt = append(hc.SecurityOpt, "label=user:"+selinux.User)
+		}
+		if selinux.Role != "" {
+			hc.SecurityOpt = append(hc.SecurityOpt, "label=role:"+selinux.Role)
+		}
+		if selinux.Level != "" {
+			hc.SecurityOpt = append(hc.SecurityOpt, "label=level:"+selinux.Level)
+		}
+		if selinux.Type != "" {
+			hc.SecurityOpt = append(hc.SecurityOpt, "label=type:"+selinux.Type)
+		}
+	}
+}
+
+func (c containerConfig) eventFilter() filters.Args {
+	filter := filters.NewArgs()
+	filter.Add("type", events.ContainerEventType)
+	filter.Add("name", c.name())
+	filter.Add("label", fmt.Sprintf("%v.task.id=%v", systemLabelPrefix, c.task.ID))
+	return filter
+}
diff --git a/engine/daemon/cluster/executor/container/container_test.go b/engine/daemon/cluster/executor/container/container_test.go
new file mode 100644
index 00000000..1bf6f6cf
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/container_test.go
@@ -0,0 +1,37 @@
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+	swarmapi "github.com/docker/swarmkit/api"
+	"gotest.tools/assert"
+)
+
+func TestIsolationConversion(t *testing.T) {
+	cases := []struct {
+		name string
+		from swarmapi.ContainerSpec_Isolation
+		to   container.Isolation
+	}{
+		{name: "default", from: swarmapi.ContainerIsolationDefault, to: container.IsolationDefault},
+		{name: "process", from: swarmapi.ContainerIsolationProcess, to: container.IsolationProcess},
+		{name: "hyperv", from: swarmapi.ContainerIsolationHyperV, to: container.IsolationHyperV},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			task := swarmapi.Task{
+				Spec: swarmapi.TaskSpec{
+					Runtime: &swarmapi.TaskSpec_Container{
+						Container: &swarmapi.ContainerSpec{
+							Image:     "alpine:latest",
+							Isolation: c.from,
+						},
+					},
+				},
+			}
+			config := containerConfig{task: &task}
+			assert.Equal(t, c.to, config.hostConfig().Isolation)
+		})
+	}
+}
diff --git a/engine/daemon/cluster/executor/container/controller.go b/engine/daemon/cluster/executor/container/controller.go
new file mode 100644
index 00000000..bcd426e7
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/controller.go
@@ -0,0 +1,692 @@
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
+	executorpkg "github.com/docker/docker/daemon/cluster/executor"
+	"github.com/docker/go-connections/nat"
+	"github.com/docker/libnetwork"
+	"github.com/docker/swarmkit/agent/exec"
+	"github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/log"
+	gogotypes "github.com/gogo/protobuf/types"
+	"github.com/pkg/errors"
+	"golang.org/x/time/rate"
+)
+
+const defaultGossipConvergeDelay = 2 * time.Second
+
+// controller implements agent.Controller against docker's API.
+//
+// Most operations against docker's API are done through the container name,
+// which is unique to the task.
+type controller struct {
+	task       *api.Task
+	adapter    *containerAdapter
+	closed     chan struct{}
+	err        error
+	pulled     chan struct{} // closed after pull
+	cancelPull func()        // cancels pull context if not nil
+	pullErr    error         // pull error, only read after pulled closed
+}
+
+var _ exec.Controller = &controller{}
+
+// NewController returns a docker exec runner for the provided task.
+func newController(b executorpkg.Backend, i executorpkg.ImageBackend, v executorpkg.VolumeBackend, task *api.Task, node *api.NodeDescription, dependencies exec.DependencyGetter) (*controller, error) {
+	adapter, err := newContainerAdapter(b, i, v, task, node, dependencies)
+	if err != nil {
+		return nil, err
+	}
+
+	return &controller{
+		task:    task,
+		adapter: adapter,
+		closed:  make(chan struct{}),
+	}, nil
+}
+
+func (r *controller) Task() (*api.Task, error) {
+	return r.task, nil
+}
+
+// ContainerStatus returns the container-specific status for the task.
+func (r *controller) ContainerStatus(ctx context.Context) (*api.ContainerStatus, error) {
+	ctnr, err := r.adapter.inspect(ctx)
+	if err != nil {
+		if isUnknownContainer(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	return parseContainerStatus(ctnr)
+}
+
+func (r *controller) PortStatus(ctx context.Context) (*api.PortStatus, error) {
+	ctnr, err := r.adapter.inspect(ctx)
+	if err != nil {
+		if isUnknownContainer(err) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return parsePortStatus(ctnr)
+}
+
+// Update tasks a recent task update and applies it to the container.
+func (r *controller) Update(ctx context.Context, t *api.Task) error {
+	// TODO(stevvooe): While assignment of tasks is idempotent, we do allow
+	// updates of metadata, such as labelling, as well as any other properties
+	// that make sense.
+	return nil
+}
+
+// Prepare creates a container and ensures the image is pulled.
+//
+// If the container has already be created, exec.ErrTaskPrepared is returned.
+func (r *controller) Prepare(ctx context.Context) error {
+	if err := r.checkClosed(); err != nil {
+		return err
+	}
+
+	// Make sure all the networks that the task needs are created.
+	if err := r.adapter.createNetworks(ctx); err != nil {
+		return err
+	}
+
+	// Make sure all the volumes that the task needs are created.
+	if err := r.adapter.createVolumes(ctx); err != nil {
+		return err
+	}
+
+	if os.Getenv("DOCKER_SERVICE_PREFER_OFFLINE_IMAGE") != "1" {
+		if r.pulled == nil {
+			// Fork the pull to a different context to allow pull to continue
+			// on re-entrant calls to Prepare. This ensures that Prepare can be
+			// idempotent and not incur the extra cost of pulling when
+			// cancelled on updates.
+			var pctx context.Context
+
+			r.pulled = make(chan struct{})
+			pctx, r.cancelPull = context.WithCancel(context.Background()) // TODO(stevvooe): Bind a context to the entire controller.
+
+			go func() {
+				defer close(r.pulled)
+				r.pullErr = r.adapter.pullImage(pctx) // protected by closing r.pulled
+			}()
+		}
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-r.pulled:
+			if r.pullErr != nil {
+				// NOTE(stevvooe): We always try to pull the image to make sure we have
+				// the most up to date version. This will return an error, but we only
+				// log it. If the image truly doesn't exist, the create below will
+				// error out.
+				//
+				// This gives us some nice behavior where we use up to date versions of
+				// mutable tags, but will still run if the old image is available but a
+				// registry is down.
+				//
+				// If you don't want this behavior, lock down your image to an
+				// immutable tag or digest.
+				log.G(ctx).WithError(r.pullErr).Error("pulling image failed")
+			}
+		}
+	}
+	if err := r.adapter.create(ctx); err != nil {
+		if isContainerCreateNameConflict(err) {
+			if _, err := r.adapter.inspect(ctx); err != nil {
+				return err
+			}
+
+			// container is already created. success!
+			return exec.ErrTaskPrepared
+		}
+
+		return err
+	}
+
+	return nil
+}
+
+// Start the container. An error will be returned if the container is already started.
+func (r *controller) Start(ctx context.Context) error {
+	if err := r.checkClosed(); err != nil {
+		return err
+	}
+
+	ctnr, err := r.adapter.inspect(ctx)
+	if err != nil {
+		return err
+	}
+
+	// Detect whether the container has *ever* been started. If so, we don't
+	// issue the start.
+	//
+	// TODO(stevvooe): This is very racy. While reading inspect, another could
+	// start the process and we could end up starting it twice.
+	if ctnr.State.Status != "created" {
+		return exec.ErrTaskStarted
+	}
+
+	for {
+		if err := r.adapter.start(ctx); err != nil {
+			if _, ok := errors.Cause(err).(libnetwork.ErrNoSuchNetwork); ok {
+				// Retry network creation again if we
+				// failed because some of the networks
+				// were not found.
+				if err := r.adapter.createNetworks(ctx); err != nil {
+					return err
+				}
+
+				continue
+			}
+
+			return errors.Wrap(err, "starting container failed")
+		}
+
+		break
+	}
+
+	// no health check
+	if ctnr.Config == nil || ctnr.Config.Healthcheck == nil || len(ctnr.Config.Healthcheck.Test) == 0 || ctnr.Config.Healthcheck.Test[0] == "NONE" {
+		if err := r.adapter.activateServiceBinding(); err != nil {
+			log.G(ctx).WithError(err).Errorf("failed to activate service binding for container %s which has no healthcheck config", r.adapter.container.name())
+			return err
+		}
+		return nil
+	}
+
+	// wait for container to be healthy
+	eventq := r.adapter.events(ctx)
+
+	var healthErr error
+	for {
+		select {
+		case event := <-eventq:
+			if !r.matchevent(event) {
+				continue
+			}
+
+			switch event.Action {
+			case "die": // exit on terminal events
+				ctnr, err := r.adapter.inspect(ctx)
+				if err != nil {
+					return errors.Wrap(err, "die event received")
+				} else if ctnr.State.ExitCode != 0 {
+					return &exitError{code: ctnr.State.ExitCode, cause: healthErr}
+				}
+
+				return nil
+			case "destroy":
+				// If we get here, something has gone wrong but we want to exit
+				// and report anyways.
+				return ErrContainerDestroyed
+			case "health_status: unhealthy":
+				// in this case, we stop the container and report unhealthy status
+				if err := r.Shutdown(ctx); err != nil {
+					return errors.Wrap(err, "unhealthy container shutdown failed")
+				}
+				// set health check error, and wait for container to fully exit ("die" event)
+				healthErr = ErrContainerUnhealthy
+			case "health_status: healthy":
+				if err := r.adapter.activateServiceBinding(); err != nil {
+					log.G(ctx).WithError(err).Errorf("failed to activate service binding for container %s after healthy event", r.adapter.container.name())
+					return err
+				}
+				return nil
+			}
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-r.closed:
+			return r.err
+		}
+	}
+}
+
+// Wait on the container to exit.
+func (r *controller) Wait(pctx context.Context) error {
+	if err := r.checkClosed(); err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithCancel(pctx)
+	defer cancel()
+
+	healthErr := make(chan error, 1)
+	go func() {
+		ectx, cancel := context.WithCancel(ctx) // cancel event context on first event
+		defer cancel()
+		if err := r.checkHealth(ectx); err == ErrContainerUnhealthy {
+			healthErr <- ErrContainerUnhealthy
+			if err := r.Shutdown(ectx); err != nil {
+				log.G(ectx).WithError(err).Debug("shutdown failed on unhealthy")
+			}
+		}
+	}()
+
+	waitC, err := r.adapter.wait(ctx)
+	if err != nil {
+		return err
+	}
+
+	if status := <-waitC; status.ExitCode() != 0 {
+		exitErr := &exitError{
+			code: status.ExitCode(),
+		}
+
+		// Set the cause if it is knowable.
+		select {
+		case e := <-healthErr:
+			exitErr.cause = e
+		default:
+			if status.Err() != nil {
+				exitErr.cause = status.Err()
+			}
+		}
+
+		return exitErr
+	}
+
+	return nil
+}
+
+func (r *controller) hasServiceBinding() bool {
+	if r.task == nil {
+		return false
+	}
+
+	// service is attached to a network besides the default bridge
+	for _, na := range r.task.Networks {
+		if na.Network == nil ||
+			na.Network.DriverState == nil ||
+			na.Network.DriverState.Name == "bridge" && na.Network.Spec.Annotations.Name == "bridge" {
+			continue
+		}
+		return true
+	}
+
+	return false
+}
+
+// Shutdown the container cleanly.
+func (r *controller) Shutdown(ctx context.Context) error {
+	if err := r.checkClosed(); err != nil {
+		return err
+	}
+
+	if r.cancelPull != nil {
+		r.cancelPull()
+	}
+
+	if r.hasServiceBinding() {
+		// remove container from service binding
+		if err := r.adapter.deactivateServiceBinding(); err != nil {
+			log.G(ctx).WithError(err).Warningf("failed to deactivate service binding for container %s", r.adapter.container.name())
+			// Don't return an error here, because failure to deactivate
+			// the service binding is expected if the container was never
+			// started.
+		}
+
+		// add a delay for gossip converge
+		// TODO(dongluochen): this delay should be configurable to fit different cluster size and network delay.
+		time.Sleep(defaultGossipConvergeDelay)
+	}
+
+	if err := r.adapter.shutdown(ctx); err != nil {
+		if isUnknownContainer(err) || isStoppedContainer(err) {
+			return nil
+		}
+
+		return err
+	}
+
+	return nil
+}
+
+// Terminate the container, with force.
+func (r *controller) Terminate(ctx context.Context) error {
+	if err := r.checkClosed(); err != nil {
+		return err
+	}
+
+	if r.cancelPull != nil {
+		r.cancelPull()
+	}
+
+	if err := r.adapter.terminate(ctx); err != nil {
+		if isUnknownContainer(err) {
+			return nil
+		}
+
+		return err
+	}
+
+	return nil
+}
+
+// Remove the container and its resources.
+func (r *controller) Remove(ctx context.Context) error {
+	if err := r.checkClosed(); err != nil {
+		return err
+	}
+
+	if r.cancelPull != nil {
+		r.cancelPull()
+	}
+
+	// It may be necessary to shut down the task before removing it.
+	if err := r.Shutdown(ctx); err != nil {
+		if isUnknownContainer(err) {
+			return nil
+		}
+		// This may fail if the task was already shut down.
+		log.G(ctx).WithError(err).Debug("shutdown failed on removal")
+	}
+
+	// Try removing networks referenced in this task in case this
+	// task is the last one referencing it
+	if err := r.adapter.removeNetworks(ctx); err != nil {
+		if isUnknownContainer(err) {
+			return nil
+		}
+		return err
+	}
+
+	if err := r.adapter.remove(ctx); err != nil {
+		if isUnknownContainer(err) {
+			return nil
+		}
+
+		return err
+	}
+	return nil
+}
+
+// waitReady waits for a container to be "ready".
+// Ready means it's past the started state.
+func (r *controller) waitReady(pctx context.Context) error {
+	if err := r.checkClosed(); err != nil {
+		return err
+	}
+
+	ctx, cancel := context.WithCancel(pctx)
+	defer cancel()
+
+	eventq := r.adapter.events(ctx)
+
+	ctnr, err := r.adapter.inspect(ctx)
+	if err != nil {
+		if !isUnknownContainer(err) {
+			return errors.Wrap(err, "inspect container failed")
+		}
+	} else {
+		switch ctnr.State.Status {
+		case "running", "exited", "dead":
+			return nil
+		}
+	}
+
+	for {
+		select {
+		case event := <-eventq:
+			if !r.matchevent(event) {
+				continue
+			}
+
+			switch event.Action {
+			case "start":
+				return nil
+			}
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-r.closed:
+			return r.err
+		}
+	}
+}
+
+func (r *controller) Logs(ctx context.Context, publisher exec.LogPublisher, options api.LogSubscriptionOptions) error {
+	if err := r.checkClosed(); err != nil {
+		return err
+	}
+
+	// if we're following, wait for this container to be ready. there is a
+	// problem here: if the container will never be ready (for example, it has
+	// been totally deleted) then this will wait forever. however, this doesn't
+	// actually cause any UI issues, and shouldn't be a problem. the stuck wait
+	// will go away when the follow (context) is canceled.
+	if options.Follow {
+		if err := r.waitReady(ctx); err != nil {
+			return errors.Wrap(err, "container not ready for logs")
+		}
+	}
+	// if we're not following, we're not gonna wait for the container to be
+	// ready. just call logs. if the container isn't ready, the call will fail
+	// and return an error. no big deal, we don't care, we only want the logs
+	// we can get RIGHT NOW with no follow
+
+	logsContext, cancel := context.WithCancel(ctx)
+	msgs, err := r.adapter.logs(logsContext, options)
+	defer cancel()
+	if err != nil {
+		return errors.Wrap(err, "failed getting container logs")
+	}
+
+	var (
+		// use a rate limiter to keep things under control but also provides some
+		// ability coalesce messages.
+		limiter = rate.NewLimiter(rate.Every(time.Second), 10<<20) // 10 MB/s
+		msgctx  = api.LogContext{
+			NodeID:    r.task.NodeID,
+			ServiceID: r.task.ServiceID,
+			TaskID:    r.task.ID,
+		}
+	)
+
+	for {
+		msg, ok := <-msgs
+		if !ok {
+			// we're done here, no more messages
+			return nil
+		}
+
+		if msg.Err != nil {
+			// the defered cancel closes the adapter's log stream
+			return msg.Err
+		}
+
+		// wait here for the limiter to catch up
+		if err := limiter.WaitN(ctx, len(msg.Line)); err != nil {
+			return errors.Wrap(err, "failed rate limiter")
+		}
+		tsp, err := gogotypes.TimestampProto(msg.Timestamp)
+		if err != nil {
+			return errors.Wrap(err, "failed to convert timestamp")
+		}
+		var stream api.LogStream
+		if msg.Source == "stdout" {
+			stream = api.LogStreamStdout
+		} else if msg.Source == "stderr" {
+			stream = api.LogStreamStderr
+		}
+
+		// parse the details out of the Attrs map
+		var attrs []api.LogAttr
+		if len(msg.Attrs) != 0 {
+			attrs = make([]api.LogAttr, 0, len(msg.Attrs))
+			for _, attr := range msg.Attrs {
+				attrs = append(attrs, api.LogAttr{Key: attr.Key, Value: attr.Value})
+			}
+		}
+
+		if err := publisher.Publish(ctx, api.LogMessage{
+			Context:   msgctx,
+			Timestamp: tsp,
+			Stream:    stream,
+			Attrs:     attrs,
+			Data:      msg.Line,
+		}); err != nil {
+			return errors.Wrap(err, "failed to publish log message")
+		}
+	}
+}
+
+// Close the runner and clean up any ephemeral resources.
+func (r *controller) Close() error {
+	select {
+	case <-r.closed:
+		return r.err
+	default:
+		if r.cancelPull != nil {
+			r.cancelPull()
+		}
+
+		r.err = exec.ErrControllerClosed
+		close(r.closed)
+	}
+	return nil
+}
+
+func (r *controller) matchevent(event events.Message) bool {
+	if event.Type != events.ContainerEventType {
+		return false
+	}
+	// we can't filter using id since it will have huge chances to introduce a deadlock. see #33377.
+	return event.Actor.Attributes["name"] == r.adapter.container.name()
+}
+
+func (r *controller) checkClosed() error {
+	select {
+	case <-r.closed:
+		return r.err
+	default:
+		return nil
+	}
+}
+
+func parseContainerStatus(ctnr types.ContainerJSON) (*api.ContainerStatus, error) {
+	status := &api.ContainerStatus{
+		ContainerID: ctnr.ID,
+		PID:         int32(ctnr.State.Pid),
+		ExitCode:    int32(ctnr.State.ExitCode),
+	}
+
+	return status, nil
+}
+
+func parsePortStatus(ctnr types.ContainerJSON) (*api.PortStatus, error) {
+	status := &api.PortStatus{}
+
+	if ctnr.NetworkSettings != nil && len(ctnr.NetworkSettings.Ports) > 0 {
+		exposedPorts, err := parsePortMap(ctnr.NetworkSettings.Ports)
+		if err != nil {
+			return nil, err
+		}
+		status.Ports = exposedPorts
+	}
+
+	return status, nil
+}
+
+func parsePortMap(portMap nat.PortMap) ([]*api.PortConfig, error) {
+	exposedPorts := make([]*api.PortConfig, 0, len(portMap))
+
+	for portProtocol, mapping := range portMap {
+		parts := strings.SplitN(string(portProtocol), "/", 2)
+		if len(parts) != 2 {
+			return nil, fmt.Errorf("invalid port mapping: %s", portProtocol)
+		}
+
+		port, err := strconv.ParseUint(parts[0], 10, 16)
+		if err != nil {
+			return nil, err
+		}
+
+		protocol := api.ProtocolTCP
+		switch strings.ToLower(parts[1]) {
+		case "tcp":
+			protocol = api.ProtocolTCP
+		case "udp":
+			protocol = api.ProtocolUDP
+		case "sctp":
+			protocol = api.ProtocolSCTP
+		default:
+			return nil, fmt.Errorf("invalid protocol: %s", parts[1])
+		}
+
+		for _, binding := range mapping {
+			hostPort, err := strconv.ParseUint(binding.HostPort, 10, 16)
+			if err != nil {
+				return nil, err
+			}
+
+			// TODO(aluzzardi): We're losing the port `name` here since
+			// there's no way to retrieve it back from the Engine.
+			exposedPorts = append(exposedPorts, &api.PortConfig{
+				PublishMode:   api.PublishModeHost,
+				Protocol:      protocol,
+				TargetPort:    uint32(port),
+				PublishedPort: uint32(hostPort),
+			})
+		}
+	}
+
+	return exposedPorts, nil
+}
+
+type exitError struct {
+	code  int
+	cause error
+}
+
+func (e *exitError) Error() string {
+	if e.cause != nil {
+		return fmt.Sprintf("task: non-zero exit (%v): %v", e.code, e.cause)
+	}
+
+	return fmt.Sprintf("task: non-zero exit (%v)", e.code)
+}
+
+func (e *exitError) ExitCode() int {
+	return e.code
+}
+
+func (e *exitError) Cause() error {
+	return e.cause
+}
+
+// checkHealth blocks until unhealthy container is detected or ctx exits
+func (r *controller) checkHealth(ctx context.Context) error {
+	eventq := r.adapter.events(ctx)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-r.closed:
+			return nil
+		case event := <-eventq:
+			if !r.matchevent(event) {
+				continue
+			}
+
+			switch event.Action {
+			case "health_status: unhealthy":
+				return ErrContainerUnhealthy
+			}
+		}
+	}
+}
diff --git a/engine/daemon/cluster/executor/container/errors.go b/engine/daemon/cluster/executor/container/errors.go
new file mode 100644
index 00000000..4c90b9e0
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/errors.go
@@ -0,0 +1,17 @@
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+import (
+	"errors"
+)
+
+var (
+	// ErrImageRequired returned if a task is missing the image definition.
+	ErrImageRequired = errors.New("dockerexec: image required")
+
+	// ErrContainerDestroyed returned when a container is prematurely destroyed
+	// during a wait call.
+	ErrContainerDestroyed = errors.New("dockerexec: container destroyed")
+
+	// ErrContainerUnhealthy returned if controller detects the health check failure
+	ErrContainerUnhealthy = errors.New("dockerexec: unhealthy container")
+)
diff --git a/engine/daemon/cluster/executor/container/executor.go b/engine/daemon/cluster/executor/container/executor.go
new file mode 100644
index 00000000..940a943e
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/executor.go
@@ -0,0 +1,293 @@
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+import (
+	"context"
+	"fmt"
+	"sort"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/network"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/controllers/plugin"
+	"github.com/docker/docker/daemon/cluster/convert"
+	executorpkg "github.com/docker/docker/daemon/cluster/executor"
+	clustertypes "github.com/docker/docker/daemon/cluster/provider"
+	networktypes "github.com/docker/libnetwork/types"
+	"github.com/docker/swarmkit/agent"
+	"github.com/docker/swarmkit/agent/exec"
+	"github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/api/naming"
+	"github.com/docker/swarmkit/template"
+	"github.com/sirupsen/logrus"
+)
+
+type executor struct {
+	backend       executorpkg.Backend
+	imageBackend  executorpkg.ImageBackend
+	pluginBackend plugin.Backend
+	volumeBackend executorpkg.VolumeBackend
+	dependencies  exec.DependencyManager
+	mutex         sync.Mutex // This mutex protects the following node field
+	node          *api.NodeDescription
+}
+
+// NewExecutor returns an executor from the docker client.
+func NewExecutor(b executorpkg.Backend, p plugin.Backend, i executorpkg.ImageBackend, v executorpkg.VolumeBackend) exec.Executor {
+	return &executor{
+		backend:       b,
+		pluginBackend: p,
+		imageBackend:  i,
+		volumeBackend: v,
+		dependencies:  agent.NewDependencyManager(),
+	}
+}
+
+// Describe returns the underlying node description from the docker client.
+func (e *executor) Describe(ctx context.Context) (*api.NodeDescription, error) {
+	info, err := e.backend.SystemInfo()
+	if err != nil {
+		return nil, err
+	}
+
+	plugins := map[api.PluginDescription]struct{}{}
+	addPlugins := func(typ string, names []string) {
+		for _, name := range names {
+			plugins[api.PluginDescription{
+				Type: typ,
+				Name: name,
+			}] = struct{}{}
+		}
+	}
+
+	// add v1 plugins
+	addPlugins("Volume", info.Plugins.Volume)
+	// Add builtin driver "overlay" (the only builtin multi-host driver) to
+	// the plugin list by default.
+	addPlugins("Network", append([]string{"overlay"}, info.Plugins.Network...))
+	addPlugins("Authorization", info.Plugins.Authorization)
+	addPlugins("Log", info.Plugins.Log)
+
+	// add v2 plugins
+	v2Plugins, err := e.backend.PluginManager().List(filters.NewArgs())
+	if err == nil {
+		for _, plgn := range v2Plugins {
+			for _, typ := range plgn.Config.Interface.Types {
+				if typ.Prefix != "docker" || !plgn.Enabled {
+					continue
+				}
+				plgnTyp := typ.Capability
+				switch typ.Capability {
+				case "volumedriver":
+					plgnTyp = "Volume"
+				case "networkdriver":
+					plgnTyp = "Network"
+				case "logdriver":
+					plgnTyp = "Log"
+				}
+
+				plugins[api.PluginDescription{
+					Type: plgnTyp,
+					Name: plgn.Name,
+				}] = struct{}{}
+			}
+		}
+	}
+
+	pluginFields := make([]api.PluginDescription, 0, len(plugins))
+	for k := range plugins {
+		pluginFields = append(pluginFields, k)
+	}
+
+	sort.Sort(sortedPlugins(pluginFields))
+
+	// parse []string labels into a map[string]string
+	labels := map[string]string{}
+	for _, l := range info.Labels {
+		stringSlice := strings.SplitN(l, "=", 2)
+		// this will take the last value in the list for a given key
+		// ideally, one shouldn't assign multiple values to the same key
+		if len(stringSlice) > 1 {
+			labels[stringSlice[0]] = stringSlice[1]
+		}
+	}
+
+	description := &api.NodeDescription{
+		Hostname: info.Name,
+		Platform: &api.Platform{
+			Architecture: info.Architecture,
+			OS:           info.OSType,
+		},
+		Engine: &api.EngineDescription{
+			EngineVersion: info.ServerVersion,
+			Labels:        labels,
+			Plugins:       pluginFields,
+		},
+		Resources: &api.Resources{
+			NanoCPUs:    int64(info.NCPU) * 1e9,
+			MemoryBytes: info.MemTotal,
+			Generic:     convert.GenericResourcesToGRPC(info.GenericResources),
+		},
+	}
+
+	// Save the node information in the executor field
+	e.mutex.Lock()
+	e.node = description
+	e.mutex.Unlock()
+
+	return description, nil
+}
+
+func (e *executor) Configure(ctx context.Context, node *api.Node) error {
+	var ingressNA *api.NetworkAttachment
+	attachments := make(map[string]string)
+
+	for _, na := range node.Attachments {
+		if na == nil || na.Network == nil || len(na.Addresses) == 0 {
+			// this should not happen, but we got a panic here and don't have a
+			// good idea about what the underlying data structure looks like.
+			logrus.WithField("NetworkAttachment", fmt.Sprintf("%#v", na)).
+				Warnf("skipping nil or malformed node network attachment entry")
+			continue
+		}
+
+		if na.Network.Spec.Ingress {
+			ingressNA = na
+		}
+
+		attachments[na.Network.ID] = na.Addresses[0]
+	}
+
+	if (ingressNA == nil) && (node.Attachment != nil) && (len(node.Attachment.Addresses) > 0) {
+		ingressNA = node.Attachment
+		attachments[ingressNA.Network.ID] = ingressNA.Addresses[0]
+	}
+
+	if ingressNA == nil {
+		e.backend.ReleaseIngress()
+		return e.backend.GetAttachmentStore().ResetAttachments(attachments)
+	}
+
+	options := types.NetworkCreate{
+		Driver: ingressNA.Network.DriverState.Name,
+		IPAM: &network.IPAM{
+			Driver: ingressNA.Network.IPAM.Driver.Name,
+		},
+		Options:        ingressNA.Network.DriverState.Options,
+		Ingress:        true,
+		CheckDuplicate: true,
+	}
+
+	for _, ic := range ingressNA.Network.IPAM.Configs {
+		c := network.IPAMConfig{
+			Subnet:  ic.Subnet,
+			IPRange: ic.Range,
+			Gateway: ic.Gateway,
+		}
+		options.IPAM.Config = append(options.IPAM.Config, c)
+	}
+
+	_, err := e.backend.SetupIngress(clustertypes.NetworkCreateRequest{
+		ID: ingressNA.Network.ID,
+		NetworkCreateRequest: types.NetworkCreateRequest{
+			Name:          ingressNA.Network.Spec.Annotations.Name,
+			NetworkCreate: options,
+		},
+	}, ingressNA.Addresses[0])
+	if err != nil {
+		return err
+	}
+
+	return e.backend.GetAttachmentStore().ResetAttachments(attachments)
+}
+
+// Controller returns a docker container runner.
+func (e *executor) Controller(t *api.Task) (exec.Controller, error) {
+	dependencyGetter := template.NewTemplatedDependencyGetter(agent.Restrict(e.dependencies, t), t, nil)
+
+	// Get the node description from the executor field
+	e.mutex.Lock()
+	nodeDescription := e.node
+	e.mutex.Unlock()
+
+	if t.Spec.GetAttachment() != nil {
+		return newNetworkAttacherController(e.backend, e.imageBackend, e.volumeBackend, t, nodeDescription, dependencyGetter)
+	}
+
+	var ctlr exec.Controller
+	switch r := t.Spec.GetRuntime().(type) {
+	case *api.TaskSpec_Generic:
+		logrus.WithFields(logrus.Fields{
+			"kind":     r.Generic.Kind,
+			"type_url": r.Generic.Payload.TypeUrl,
+		}).Debug("custom runtime requested")
+		runtimeKind, err := naming.Runtime(t.Spec)
+		if err != nil {
+			return ctlr, err
+		}
+		switch runtimeKind {
+		case string(swarmtypes.RuntimePlugin):
+			info, _ := e.backend.SystemInfo()
+			if !info.ExperimentalBuild {
+				return ctlr, fmt.Errorf("runtime type %q only supported in experimental", swarmtypes.RuntimePlugin)
+			}
+			c, err := plugin.NewController(e.pluginBackend, t)
+			if err != nil {
+				return ctlr, err
+			}
+			ctlr = c
+		default:
+			return ctlr, fmt.Errorf("unsupported runtime type: %q", runtimeKind)
+		}
+	case *api.TaskSpec_Container:
+		c, err := newController(e.backend, e.imageBackend, e.volumeBackend, t, nodeDescription, dependencyGetter)
+		if err != nil {
+			return ctlr, err
+		}
+		ctlr = c
+	default:
+		return ctlr, fmt.Errorf("unsupported runtime: %q", r)
+	}
+
+	return ctlr, nil
+}
+
+func (e *executor) SetNetworkBootstrapKeys(keys []*api.EncryptionKey) error {
+	nwKeys := []*networktypes.EncryptionKey{}
+	for _, key := range keys {
+		nwKey := &networktypes.EncryptionKey{
+			Subsystem:   key.Subsystem,
+			Algorithm:   int32(key.Algorithm),
+			Key:         make([]byte, len(key.Key)),
+			LamportTime: key.LamportTime,
+		}
+		copy(nwKey.Key, key.Key)
+		nwKeys = append(nwKeys, nwKey)
+	}
+	e.backend.SetNetworkBootstrapKeys(nwKeys)
+
+	return nil
+}
+
+func (e *executor) Secrets() exec.SecretsManager {
+	return e.dependencies.Secrets()
+}
+
+func (e *executor) Configs() exec.ConfigsManager {
+	return e.dependencies.Configs()
+}
+
+type sortedPlugins []api.PluginDescription
+
+func (sp sortedPlugins) Len() int { return len(sp) }
+
+func (sp sortedPlugins) Swap(i, j int) { sp[i], sp[j] = sp[j], sp[i] }
+
+func (sp sortedPlugins) Less(i, j int) bool {
+	if sp[i].Type != sp[j].Type {
+		return sp[i].Type < sp[j].Type
+	}
+	return sp[i].Name < sp[j].Name
+}
diff --git a/engine/daemon/cluster/executor/container/health_test.go b/engine/daemon/cluster/executor/container/health_test.go
new file mode 100644
index 00000000..03d62736
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/health_test.go
@@ -0,0 +1,100 @@
+// +build !windows
+
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon"
+	"github.com/docker/docker/daemon/events"
+	"github.com/docker/swarmkit/api"
+)
+
+func TestHealthStates(t *testing.T) {
+
+	// set up environment: events, task, container ....
+	e := events.New()
+	_, l, _ := e.Subscribe()
+	defer e.Evict(l)
+
+	task := &api.Task{
+		ID:        "id",
+		ServiceID: "sid",
+		Spec: api.TaskSpec{
+			Runtime: &api.TaskSpec_Container{
+				Container: &api.ContainerSpec{
+					Image: "image_name",
+					Labels: map[string]string{
+						"com.docker.swarm.task.id": "id",
+					},
+				},
+			},
+		},
+		Annotations: api.Annotations{Name: "name"},
+	}
+
+	c := &container.Container{
+		ID:   "id",
+		Name: "name",
+		Config: &containertypes.Config{
+			Image: "image_name",
+			Labels: map[string]string{
+				"com.docker.swarm.task.id": "id",
+			},
+		},
+	}
+
+	daemon := &daemon.Daemon{
+		EventsService: e,
+	}
+
+	controller, err := newController(daemon, nil, nil, task, nil, nil)
+	if err != nil {
+		t.Fatalf("create controller fail %v", err)
+	}
+
+	errChan := make(chan error, 1)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// fire checkHealth
+	go func() {
+		err := controller.checkHealth(ctx)
+		select {
+		case errChan <- err:
+		case <-ctx.Done():
+		}
+	}()
+
+	// send an event and expect to get expectedErr
+	// if expectedErr is nil, shouldn't get any error
+	logAndExpect := func(msg string, expectedErr error) {
+		daemon.LogContainerEvent(c, msg)
+
+		timer := time.NewTimer(1 * time.Second)
+		defer timer.Stop()
+
+		select {
+		case err := <-errChan:
+			if err != expectedErr {
+				t.Fatalf("expect error %v, but get %v", expectedErr, err)
+			}
+		case <-timer.C:
+			if expectedErr != nil {
+				t.Fatal("time limit exceeded, didn't get expected error")
+			}
+		}
+	}
+
+	// events that are ignored by checkHealth
+	logAndExpect("health_status: running", nil)
+	logAndExpect("health_status: healthy", nil)
+	logAndExpect("die", nil)
+
+	// unhealthy event will be caught by checkHealth
+	logAndExpect("health_status: unhealthy", ErrContainerUnhealthy)
+}
diff --git a/engine/daemon/cluster/executor/container/validate.go b/engine/daemon/cluster/executor/container/validate.go
new file mode 100644
index 00000000..cbe1f53c
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/validate.go
@@ -0,0 +1,40 @@
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+import (
+	"errors"
+	"fmt"
+	"path/filepath"
+
+	"github.com/docker/swarmkit/api"
+)
+
+func validateMounts(mounts []api.Mount) error {
+	for _, mount := range mounts {
+		// Target must always be absolute
+		if !filepath.IsAbs(mount.Target) {
+			return fmt.Errorf("invalid mount target, must be an absolute path: %s", mount.Target)
+		}
+
+		switch mount.Type {
+		// The checks on abs paths are required due to the container API confusing
+		// volume mounts as bind mounts when the source is absolute (and vice-versa)
+		// See #25253
+		// TODO: This is probably not necessary once #22373 is merged
+		case api.MountTypeBind:
+			if !filepath.IsAbs(mount.Source) {
+				return fmt.Errorf("invalid bind mount source, must be an absolute path: %s", mount.Source)
+			}
+		case api.MountTypeVolume:
+			if filepath.IsAbs(mount.Source) {
+				return fmt.Errorf("invalid volume mount source, must not be an absolute path: %s", mount.Source)
+			}
+		case api.MountTypeTmpfs:
+			if mount.Source != "" {
+				return errors.New("invalid tmpfs source, source must be empty")
+			}
+		default:
+			return fmt.Errorf("invalid mount type: %s", mount.Type)
+		}
+	}
+	return nil
+}
diff --git a/engine/daemon/cluster/executor/container/validate_test.go b/engine/daemon/cluster/executor/container/validate_test.go
new file mode 100644
index 00000000..5e4694ff
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/validate_test.go
@@ -0,0 +1,142 @@
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+import (
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/daemon"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/swarmkit/api"
+)
+
+func newTestControllerWithMount(m api.Mount) (*controller, error) {
+	return newController(&daemon.Daemon{}, nil, nil, &api.Task{
+		ID:        stringid.GenerateRandomID(),
+		ServiceID: stringid.GenerateRandomID(),
+		Spec: api.TaskSpec{
+			Runtime: &api.TaskSpec_Container{
+				Container: &api.ContainerSpec{
+					Image: "image_name",
+					Labels: map[string]string{
+						"com.docker.swarm.task.id": "id",
+					},
+					Mounts: []api.Mount{m},
+				},
+			},
+		},
+	}, nil,
+		nil)
+}
+
+func TestControllerValidateMountBind(t *testing.T) {
+	// with improper source
+	if _, err := newTestControllerWithMount(api.Mount{
+		Type:   api.MountTypeBind,
+		Source: "foo",
+		Target: testAbsPath,
+	}); err == nil || !strings.Contains(err.Error(), "invalid bind mount source") {
+		t.Fatalf("expected  error, got: %v", err)
+	}
+
+	// with non-existing source
+	if _, err := newTestControllerWithMount(api.Mount{
+		Type:   api.MountTypeBind,
+		Source: testAbsNonExistent,
+		Target: testAbsPath,
+	}); err != nil {
+		t.Fatalf("controller should not error at creation: %v", err)
+	}
+
+	// with proper source
+	tmpdir, err := ioutil.TempDir("", "TestControllerValidateMountBind")
+	if err != nil {
+		t.Fatalf("failed to create temp dir: %v", err)
+	}
+	defer os.Remove(tmpdir)
+
+	if _, err := newTestControllerWithMount(api.Mount{
+		Type:   api.MountTypeBind,
+		Source: tmpdir,
+		Target: testAbsPath,
+	}); err != nil {
+		t.Fatalf("expected  error, got: %v", err)
+	}
+}
+
+func TestControllerValidateMountVolume(t *testing.T) {
+	// with improper source
+	if _, err := newTestControllerWithMount(api.Mount{
+		Type:   api.MountTypeVolume,
+		Source: testAbsPath,
+		Target: testAbsPath,
+	}); err == nil || !strings.Contains(err.Error(), "invalid volume mount source") {
+		t.Fatalf("expected error, got: %v", err)
+	}
+
+	// with proper source
+	if _, err := newTestControllerWithMount(api.Mount{
+		Type:   api.MountTypeVolume,
+		Source: "foo",
+		Target: testAbsPath,
+	}); err != nil {
+		t.Fatalf("expected error, got: %v", err)
+	}
+}
+
+func TestControllerValidateMountTarget(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestControllerValidateMountTarget")
+	if err != nil {
+		t.Fatalf("failed to create temp dir: %v", err)
+	}
+	defer os.Remove(tmpdir)
+
+	// with improper target
+	if _, err := newTestControllerWithMount(api.Mount{
+		Type:   api.MountTypeBind,
+		Source: testAbsPath,
+		Target: "foo",
+	}); err == nil || !strings.Contains(err.Error(), "invalid mount target") {
+		t.Fatalf("expected error, got: %v", err)
+	}
+
+	// with proper target
+	if _, err := newTestControllerWithMount(api.Mount{
+		Type:   api.MountTypeBind,
+		Source: tmpdir,
+		Target: testAbsPath,
+	}); err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+}
+
+func TestControllerValidateMountTmpfs(t *testing.T) {
+	// with improper target
+	if _, err := newTestControllerWithMount(api.Mount{
+		Type:   api.MountTypeTmpfs,
+		Source: "foo",
+		Target: testAbsPath,
+	}); err == nil || !strings.Contains(err.Error(), "invalid tmpfs source") {
+		t.Fatalf("expected error, got: %v", err)
+	}
+
+	// with proper target
+	if _, err := newTestControllerWithMount(api.Mount{
+		Type:   api.MountTypeTmpfs,
+		Target: testAbsPath,
+	}); err != nil {
+		t.Fatalf("expected no error, got: %v", err)
+	}
+}
+
+func TestControllerValidateMountInvalidType(t *testing.T) {
+	// with improper target
+	if _, err := newTestControllerWithMount(api.Mount{
+		Type:   api.Mount_MountType(9999),
+		Source: "foo",
+		Target: testAbsPath,
+	}); err == nil || !strings.Contains(err.Error(), "invalid mount type") {
+		t.Fatalf("expected error, got: %v", err)
+	}
+}
diff --git a/engine/daemon/cluster/executor/container/validate_unix_test.go b/engine/daemon/cluster/executor/container/validate_unix_test.go
new file mode 100644
index 00000000..7a3f0536
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/validate_unix_test.go
@@ -0,0 +1,8 @@
+// +build !windows
+
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+const (
+	testAbsPath        = "/foo"
+	testAbsNonExistent = "/some-non-existing-host-path/"
+)
diff --git a/engine/daemon/cluster/executor/container/validate_windows_test.go b/engine/daemon/cluster/executor/container/validate_windows_test.go
new file mode 100644
index 00000000..6ee4c964
--- /dev/null
+++ b/engine/daemon/cluster/executor/container/validate_windows_test.go
@@ -0,0 +1,8 @@
+// +build windows
+
+package container // import "github.com/docker/docker/daemon/cluster/executor/container"
+
+const (
+	testAbsPath        = `c:\foo`
+	testAbsNonExistent = `c:\some-non-existing-host-path\`
+)
diff --git a/engine/daemon/cluster/filters.go b/engine/daemon/cluster/filters.go
new file mode 100644
index 00000000..15469f90
--- /dev/null
+++ b/engine/daemon/cluster/filters.go
@@ -0,0 +1,123 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/api/types/filters"
+	runconfigopts "github.com/docker/docker/runconfig/opts"
+	swarmapi "github.com/docker/swarmkit/api"
+)
+
+func newListNodesFilters(filter filters.Args) (*swarmapi.ListNodesRequest_Filters, error) {
+	accepted := map[string]bool{
+		"name":       true,
+		"id":         true,
+		"label":      true,
+		"role":       true,
+		"membership": true,
+	}
+	if err := filter.Validate(accepted); err != nil {
+		return nil, err
+	}
+	f := &swarmapi.ListNodesRequest_Filters{
+		NamePrefixes: filter.Get("name"),
+		IDPrefixes:   filter.Get("id"),
+		Labels:       runconfigopts.ConvertKVStringsToMap(filter.Get("label")),
+	}
+
+	for _, r := range filter.Get("role") {
+		if role, ok := swarmapi.NodeRole_value[strings.ToUpper(r)]; ok {
+			f.Roles = append(f.Roles, swarmapi.NodeRole(role))
+		} else if r != "" {
+			return nil, fmt.Errorf("Invalid role filter: '%s'", r)
+		}
+	}
+
+	for _, a := range filter.Get("membership") {
+		if membership, ok := swarmapi.NodeSpec_Membership_value[strings.ToUpper(a)]; ok {
+			f.Memberships = append(f.Memberships, swarmapi.NodeSpec_Membership(membership))
+		} else if a != "" {
+			return nil, fmt.Errorf("Invalid membership filter: '%s'", a)
+		}
+	}
+
+	return f, nil
+}
+
+func newListTasksFilters(filter filters.Args, transformFunc func(filters.Args) error) (*swarmapi.ListTasksRequest_Filters, error) {
+	accepted := map[string]bool{
+		"name":          true,
+		"id":            true,
+		"label":         true,
+		"service":       true,
+		"node":          true,
+		"desired-state": true,
+		// UpToDate is not meant to be exposed to users. It's for
+		// internal use in checking create/update progress. Therefore,
+		// we prefix it with a '_'.
+		"_up-to-date": true,
+		"runtime":     true,
+	}
+	if err := filter.Validate(accepted); err != nil {
+		return nil, err
+	}
+	if transformFunc != nil {
+		if err := transformFunc(filter); err != nil {
+			return nil, err
+		}
+	}
+	f := &swarmapi.ListTasksRequest_Filters{
+		NamePrefixes: filter.Get("name"),
+		IDPrefixes:   filter.Get("id"),
+		Labels:       runconfigopts.ConvertKVStringsToMap(filter.Get("label")),
+		ServiceIDs:   filter.Get("service"),
+		NodeIDs:      filter.Get("node"),
+		UpToDate:     len(filter.Get("_up-to-date")) != 0,
+		Runtimes:     filter.Get("runtime"),
+	}
+
+	for _, s := range filter.Get("desired-state") {
+		if state, ok := swarmapi.TaskState_value[strings.ToUpper(s)]; ok {
+			f.DesiredStates = append(f.DesiredStates, swarmapi.TaskState(state))
+		} else if s != "" {
+			return nil, fmt.Errorf("Invalid desired-state filter: '%s'", s)
+		}
+	}
+
+	return f, nil
+}
+
+func newListSecretsFilters(filter filters.Args) (*swarmapi.ListSecretsRequest_Filters, error) {
+	accepted := map[string]bool{
+		"names": true,
+		"name":  true,
+		"id":    true,
+		"label": true,
+	}
+	if err := filter.Validate(accepted); err != nil {
+		return nil, err
+	}
+	return &swarmapi.ListSecretsRequest_Filters{
+		Names:        filter.Get("names"),
+		NamePrefixes: filter.Get("name"),
+		IDPrefixes:   filter.Get("id"),
+		Labels:       runconfigopts.ConvertKVStringsToMap(filter.Get("label")),
+	}, nil
+}
+
+func newListConfigsFilters(filter filters.Args) (*swarmapi.ListConfigsRequest_Filters, error) {
+	accepted := map[string]bool{
+		"name":  true,
+		"id":    true,
+		"label": true,
+	}
+	if err := filter.Validate(accepted); err != nil {
+		return nil, err
+	}
+	return &swarmapi.ListConfigsRequest_Filters{
+		NamePrefixes: filter.Get("name"),
+		IDPrefixes:   filter.Get("id"),
+		Labels:       runconfigopts.ConvertKVStringsToMap(filter.Get("label")),
+	}, nil
+}
diff --git a/engine/daemon/cluster/filters_test.go b/engine/daemon/cluster/filters_test.go
new file mode 100644
index 00000000..a38feeaa
--- /dev/null
+++ b/engine/daemon/cluster/filters_test.go
@@ -0,0 +1,102 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types/filters"
+)
+
+func TestNewListSecretsFilters(t *testing.T) {
+	validNameFilter := filters.NewArgs()
+	validNameFilter.Add("name", "test_name")
+
+	validIDFilter := filters.NewArgs()
+	validIDFilter.Add("id", "7c9009d6720f6de3b492f5")
+
+	validLabelFilter := filters.NewArgs()
+	validLabelFilter.Add("label", "type=test")
+	validLabelFilter.Add("label", "storage=ssd")
+	validLabelFilter.Add("label", "memory")
+
+	validNamesFilter := filters.NewArgs()
+	validNamesFilter.Add("names", "test_name")
+
+	validAllFilter := filters.NewArgs()
+	validAllFilter.Add("name", "nodeName")
+	validAllFilter.Add("id", "7c9009d6720f6de3b492f5")
+	validAllFilter.Add("label", "type=test")
+	validAllFilter.Add("label", "memory")
+	validAllFilter.Add("names", "test_name")
+
+	validFilters := []filters.Args{
+		validNameFilter,
+		validIDFilter,
+		validLabelFilter,
+		validNamesFilter,
+		validAllFilter,
+	}
+
+	invalidTypeFilter := filters.NewArgs()
+	invalidTypeFilter.Add("nonexist", "aaaa")
+
+	invalidFilters := []filters.Args{
+		invalidTypeFilter,
+	}
+
+	for _, filter := range validFilters {
+		if _, err := newListSecretsFilters(filter); err != nil {
+			t.Fatalf("Should get no error, got %v", err)
+		}
+	}
+
+	for _, filter := range invalidFilters {
+		if _, err := newListSecretsFilters(filter); err == nil {
+			t.Fatalf("Should get an error for filter %v, while got nil", filter)
+		}
+	}
+}
+
+func TestNewListConfigsFilters(t *testing.T) {
+	validNameFilter := filters.NewArgs()
+	validNameFilter.Add("name", "test_name")
+
+	validIDFilter := filters.NewArgs()
+	validIDFilter.Add("id", "7c9009d6720f6de3b492f5")
+
+	validLabelFilter := filters.NewArgs()
+	validLabelFilter.Add("label", "type=test")
+	validLabelFilter.Add("label", "storage=ssd")
+	validLabelFilter.Add("label", "memory")
+
+	validAllFilter := filters.NewArgs()
+	validAllFilter.Add("name", "nodeName")
+	validAllFilter.Add("id", "7c9009d6720f6de3b492f5")
+	validAllFilter.Add("label", "type=test")
+	validAllFilter.Add("label", "memory")
+
+	validFilters := []filters.Args{
+		validNameFilter,
+		validIDFilter,
+		validLabelFilter,
+		validAllFilter,
+	}
+
+	invalidTypeFilter := filters.NewArgs()
+	invalidTypeFilter.Add("nonexist", "aaaa")
+
+	invalidFilters := []filters.Args{
+		invalidTypeFilter,
+	}
+
+	for _, filter := range validFilters {
+		if _, err := newListConfigsFilters(filter); err != nil {
+			t.Fatalf("Should get no error, got %v", err)
+		}
+	}
+
+	for _, filter := range invalidFilters {
+		if _, err := newListConfigsFilters(filter); err == nil {
+			t.Fatalf("Should get an error for filter %v, while got nil", filter)
+		}
+	}
+}
diff --git a/engine/daemon/cluster/helpers.go b/engine/daemon/cluster/helpers.go
new file mode 100644
index 00000000..653593e1
--- /dev/null
+++ b/engine/daemon/cluster/helpers.go
@@ -0,0 +1,246 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/docker/errdefs"
+	swarmapi "github.com/docker/swarmkit/api"
+	"github.com/pkg/errors"
+)
+
+func getSwarm(ctx context.Context, c swarmapi.ControlClient) (*swarmapi.Cluster, error) {
+	rl, err := c.ListClusters(ctx, &swarmapi.ListClustersRequest{})
+	if err != nil {
+		return nil, err
+	}
+
+	if len(rl.Clusters) == 0 {
+		return nil, errors.WithStack(errNoSwarm)
+	}
+
+	// TODO: assume one cluster only
+	return rl.Clusters[0], nil
+}
+
+func getNode(ctx context.Context, c swarmapi.ControlClient, input string) (*swarmapi.Node, error) {
+	// GetNode to match via full ID.
+	if rg, err := c.GetNode(ctx, &swarmapi.GetNodeRequest{NodeID: input}); err == nil {
+		return rg.Node, nil
+	}
+
+	// If any error (including NotFound), ListNodes to match via full name.
+	rl, err := c.ListNodes(ctx, &swarmapi.ListNodesRequest{
+		Filters: &swarmapi.ListNodesRequest_Filters{
+			Names: []string{input},
+		},
+	})
+	if err != nil || len(rl.Nodes) == 0 {
+		// If any error or 0 result, ListNodes to match via ID prefix.
+		rl, err = c.ListNodes(ctx, &swarmapi.ListNodesRequest{
+			Filters: &swarmapi.ListNodesRequest_Filters{
+				IDPrefixes: []string{input},
+			},
+		})
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if len(rl.Nodes) == 0 {
+		err := fmt.Errorf("node %s not found", input)
+		return nil, errdefs.NotFound(err)
+	}
+
+	if l := len(rl.Nodes); l > 1 {
+		return nil, errdefs.InvalidParameter(fmt.Errorf("node %s is ambiguous (%d matches found)", input, l))
+	}
+
+	return rl.Nodes[0], nil
+}
+
+func getService(ctx context.Context, c swarmapi.ControlClient, input string, insertDefaults bool) (*swarmapi.Service, error) {
+	// GetService to match via full ID.
+	if rg, err := c.GetService(ctx, &swarmapi.GetServiceRequest{ServiceID: input, InsertDefaults: insertDefaults}); err == nil {
+		return rg.Service, nil
+	}
+
+	// If any error (including NotFound), ListServices to match via full name.
+	rl, err := c.ListServices(ctx, &swarmapi.ListServicesRequest{
+		Filters: &swarmapi.ListServicesRequest_Filters{
+			Names: []string{input},
+		},
+	})
+	if err != nil || len(rl.Services) == 0 {
+		// If any error or 0 result, ListServices to match via ID prefix.
+		rl, err = c.ListServices(ctx, &swarmapi.ListServicesRequest{
+			Filters: &swarmapi.ListServicesRequest_Filters{
+				IDPrefixes: []string{input},
+			},
+		})
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if len(rl.Services) == 0 {
+		err := fmt.Errorf("service %s not found", input)
+		return nil, errdefs.NotFound(err)
+	}
+
+	if l := len(rl.Services); l > 1 {
+		return nil, errdefs.InvalidParameter(fmt.Errorf("service %s is ambiguous (%d matches found)", input, l))
+	}
+
+	if !insertDefaults {
+		return rl.Services[0], nil
+	}
+
+	rg, err := c.GetService(ctx, &swarmapi.GetServiceRequest{ServiceID: rl.Services[0].ID, InsertDefaults: true})
+	if err == nil {
+		return rg.Service, nil
+	}
+	return nil, err
+}
+
+func getTask(ctx context.Context, c swarmapi.ControlClient, input string) (*swarmapi.Task, error) {
+	// GetTask to match via full ID.
+	if rg, err := c.GetTask(ctx, &swarmapi.GetTaskRequest{TaskID: input}); err == nil {
+		return rg.Task, nil
+	}
+
+	// If any error (including NotFound), ListTasks to match via full name.
+	rl, err := c.ListTasks(ctx, &swarmapi.ListTasksRequest{
+		Filters: &swarmapi.ListTasksRequest_Filters{
+			Names: []string{input},
+		},
+	})
+	if err != nil || len(rl.Tasks) == 0 {
+		// If any error or 0 result, ListTasks to match via ID prefix.
+		rl, err = c.ListTasks(ctx, &swarmapi.ListTasksRequest{
+			Filters: &swarmapi.ListTasksRequest_Filters{
+				IDPrefixes: []string{input},
+			},
+		})
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if len(rl.Tasks) == 0 {
+		err := fmt.Errorf("task %s not found", input)
+		return nil, errdefs.NotFound(err)
+	}
+
+	if l := len(rl.Tasks); l > 1 {
+		return nil, errdefs.InvalidParameter(fmt.Errorf("task %s is ambiguous (%d matches found)", input, l))
+	}
+
+	return rl.Tasks[0], nil
+}
+
+func getSecret(ctx context.Context, c swarmapi.ControlClient, input string) (*swarmapi.Secret, error) {
+	// attempt to lookup secret by full ID
+	if rg, err := c.GetSecret(ctx, &swarmapi.GetSecretRequest{SecretID: input}); err == nil {
+		return rg.Secret, nil
+	}
+
+	// If any error (including NotFound), ListSecrets to match via full name.
+	rl, err := c.ListSecrets(ctx, &swarmapi.ListSecretsRequest{
+		Filters: &swarmapi.ListSecretsRequest_Filters{
+			Names: []string{input},
+		},
+	})
+	if err != nil || len(rl.Secrets) == 0 {
+		// If any error or 0 result, ListSecrets to match via ID prefix.
+		rl, err = c.ListSecrets(ctx, &swarmapi.ListSecretsRequest{
+			Filters: &swarmapi.ListSecretsRequest_Filters{
+				IDPrefixes: []string{input},
+			},
+		})
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if len(rl.Secrets) == 0 {
+		err := fmt.Errorf("secret %s not found", input)
+		return nil, errdefs.NotFound(err)
+	}
+
+	if l := len(rl.Secrets); l > 1 {
+		return nil, errdefs.InvalidParameter(fmt.Errorf("secret %s is ambiguous (%d matches found)", input, l))
+	}
+
+	return rl.Secrets[0], nil
+}
+
+func getConfig(ctx context.Context, c swarmapi.ControlClient, input string) (*swarmapi.Config, error) {
+	// attempt to lookup config by full ID
+	if rg, err := c.GetConfig(ctx, &swarmapi.GetConfigRequest{ConfigID: input}); err == nil {
+		return rg.Config, nil
+	}
+
+	// If any error (including NotFound), ListConfigs to match via full name.
+	rl, err := c.ListConfigs(ctx, &swarmapi.ListConfigsRequest{
+		Filters: &swarmapi.ListConfigsRequest_Filters{
+			Names: []string{input},
+		},
+	})
+	if err != nil || len(rl.Configs) == 0 {
+		// If any error or 0 result, ListConfigs to match via ID prefix.
+		rl, err = c.ListConfigs(ctx, &swarmapi.ListConfigsRequest{
+			Filters: &swarmapi.ListConfigsRequest_Filters{
+				IDPrefixes: []string{input},
+			},
+		})
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if len(rl.Configs) == 0 {
+		err := fmt.Errorf("config %s not found", input)
+		return nil, errdefs.NotFound(err)
+	}
+
+	if l := len(rl.Configs); l > 1 {
+		return nil, errdefs.InvalidParameter(fmt.Errorf("config %s is ambiguous (%d matches found)", input, l))
+	}
+
+	return rl.Configs[0], nil
+}
+
+func getNetwork(ctx context.Context, c swarmapi.ControlClient, input string) (*swarmapi.Network, error) {
+	// GetNetwork to match via full ID.
+	if rg, err := c.GetNetwork(ctx, &swarmapi.GetNetworkRequest{NetworkID: input}); err == nil {
+		return rg.Network, nil
+	}
+
+	// If any error (including NotFound), ListNetworks to match via ID prefix and full name.
+	rl, err := c.ListNetworks(ctx, &swarmapi.ListNetworksRequest{
+		Filters: &swarmapi.ListNetworksRequest_Filters{
+			Names: []string{input},
+		},
+	})
+	if err != nil || len(rl.Networks) == 0 {
+		rl, err = c.ListNetworks(ctx, &swarmapi.ListNetworksRequest{
+			Filters: &swarmapi.ListNetworksRequest_Filters{
+				IDPrefixes: []string{input},
+			},
+		})
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if len(rl.Networks) == 0 {
+		return nil, fmt.Errorf("network %s not found", input)
+	}
+
+	if l := len(rl.Networks); l > 1 {
+		return nil, errdefs.InvalidParameter(fmt.Errorf("network %s is ambiguous (%d matches found)", input, l))
+	}
+
+	return rl.Networks[0], nil
+}
diff --git a/engine/daemon/cluster/listen_addr.go b/engine/daemon/cluster/listen_addr.go
new file mode 100644
index 00000000..e1ebfec8
--- /dev/null
+++ b/engine/daemon/cluster/listen_addr.go
@@ -0,0 +1,301 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"fmt"
+	"net"
+)
+
+const (
+	errNoSuchInterface         configError = "no such interface"
+	errNoIP                    configError = "could not find the system's IP address"
+	errMustSpecifyListenAddr   configError = "must specify a listening address because the address to advertise is not recognized as a system address, and a system's IP address to use could not be uniquely identified"
+	errBadNetworkIdentifier    configError = "must specify a valid IP address or interface name"
+	errBadListenAddr           configError = "listen address must be an IP address or network interface (with optional port number)"
+	errBadAdvertiseAddr        configError = "advertise address must be a non-zero IP address or network interface (with optional port number)"
+	errBadDataPathAddr         configError = "data path address must be a non-zero IP address or network interface (without a port number)"
+	errBadDefaultAdvertiseAddr configError = "default advertise address must be a non-zero IP address or network interface (without a port number)"
+)
+
+func resolveListenAddr(specifiedAddr string) (string, string, error) {
+	specifiedHost, specifiedPort, err := net.SplitHostPort(specifiedAddr)
+	if err != nil {
+		return "", "", fmt.Errorf("could not parse listen address %s", specifiedAddr)
+	}
+	// Does the host component match any of the interface names on the
+	// system? If so, use the address from that interface.
+	specifiedIP, err := resolveInputIPAddr(specifiedHost, true)
+	if err != nil {
+		if err == errBadNetworkIdentifier {
+			err = errBadListenAddr
+		}
+		return "", "", err
+	}
+
+	return specifiedIP.String(), specifiedPort, nil
+}
+
+func (c *Cluster) resolveAdvertiseAddr(advertiseAddr, listenAddrPort string) (string, string, error) {
+	// Approach:
+	// - If an advertise address is specified, use that. Resolve the
+	//   interface's address if an interface was specified in
+	//   advertiseAddr. Fill in the port from listenAddrPort if necessary.
+	// - If DefaultAdvertiseAddr is not empty, use that with the port from
+	//   listenAddrPort. Resolve the interface's address from
+	//   if an interface name was specified in DefaultAdvertiseAddr.
+	// - Otherwise, try to autodetect the system's address. Use the port in
+	//   listenAddrPort with this address if autodetection succeeds.
+
+	if advertiseAddr != "" {
+		advertiseHost, advertisePort, err := net.SplitHostPort(advertiseAddr)
+		if err != nil {
+			// Not a host:port specification
+			advertiseHost = advertiseAddr
+			advertisePort = listenAddrPort
+		}
+		// Does the host component match any of the interface names on the
+		// system? If so, use the address from that interface.
+		advertiseIP, err := resolveInputIPAddr(advertiseHost, false)
+		if err != nil {
+			if err == errBadNetworkIdentifier {
+				err = errBadAdvertiseAddr
+			}
+			return "", "", err
+		}
+
+		return advertiseIP.String(), advertisePort, nil
+	}
+
+	if c.config.DefaultAdvertiseAddr != "" {
+		// Does the default advertise address component match any of the
+		// interface names on the system? If so, use the address from
+		// that interface.
+		defaultAdvertiseIP, err := resolveInputIPAddr(c.config.DefaultAdvertiseAddr, false)
+		if err != nil {
+			if err == errBadNetworkIdentifier {
+				err = errBadDefaultAdvertiseAddr
+			}
+			return "", "", err
+		}
+
+		return defaultAdvertiseIP.String(), listenAddrPort, nil
+	}
+
+	systemAddr, err := c.resolveSystemAddr()
+	if err != nil {
+		return "", "", err
+	}
+	return systemAddr.String(), listenAddrPort, nil
+}
+
+func resolveDataPathAddr(dataPathAddr string) (string, error) {
+	if dataPathAddr == "" {
+		// dataPathAddr is not defined
+		return "", nil
+	}
+	// If a data path flag is specified try to resolve the IP address.
+	dataPathIP, err := resolveInputIPAddr(dataPathAddr, false)
+	if err != nil {
+		if err == errBadNetworkIdentifier {
+			err = errBadDataPathAddr
+		}
+		return "", err
+	}
+	return dataPathIP.String(), nil
+}
+
+func resolveInterfaceAddr(specifiedInterface string) (net.IP, error) {
+	// Use a specific interface's IP address.
+	intf, err := net.InterfaceByName(specifiedInterface)
+	if err != nil {
+		return nil, errNoSuchInterface
+	}
+
+	addrs, err := intf.Addrs()
+	if err != nil {
+		return nil, err
+	}
+
+	var interfaceAddr4, interfaceAddr6 net.IP
+
+	for _, addr := range addrs {
+		ipAddr, ok := addr.(*net.IPNet)
+
+		if ok {
+			if ipAddr.IP.To4() != nil {
+				// IPv4
+				if interfaceAddr4 != nil {
+					return nil, configError(fmt.Sprintf("interface %s has more than one IPv4 address (%s and %s)", specifiedInterface, interfaceAddr4, ipAddr.IP))
+				}
+				interfaceAddr4 = ipAddr.IP
+			} else {
+				// IPv6
+				if interfaceAddr6 != nil {
+					return nil, configError(fmt.Sprintf("interface %s has more than one IPv6 address (%s and %s)", specifiedInterface, interfaceAddr6, ipAddr.IP))
+				}
+				interfaceAddr6 = ipAddr.IP
+			}
+		}
+	}
+
+	if interfaceAddr4 == nil && interfaceAddr6 == nil {
+		return nil, configError(fmt.Sprintf("interface %s has no usable IPv4 or IPv6 address", specifiedInterface))
+	}
+
+	// In the case that there's exactly one IPv4 address
+	// and exactly one IPv6 address, favor IPv4 over IPv6.
+	if interfaceAddr4 != nil {
+		return interfaceAddr4, nil
+	}
+	return interfaceAddr6, nil
+}
+
+// resolveInputIPAddr tries to resolve the IP address from the string passed as input
+// - tries to match the string as an interface name, if so returns the IP address associated with it
+// - on failure of previous step tries to parse the string as an IP address itself
+//	 if succeeds returns the IP address
+func resolveInputIPAddr(input string, isUnspecifiedValid bool) (net.IP, error) {
+	// Try to see if it is an interface name
+	interfaceAddr, err := resolveInterfaceAddr(input)
+	if err == nil {
+		return interfaceAddr, nil
+	}
+	// String matched interface but there is a potential ambiguity to be resolved
+	if err != errNoSuchInterface {
+		return nil, err
+	}
+
+	// String is not an interface check if it is a valid IP
+	if ip := net.ParseIP(input); ip != nil && (isUnspecifiedValid || !ip.IsUnspecified()) {
+		return ip, nil
+	}
+
+	// Not valid IP found
+	return nil, errBadNetworkIdentifier
+}
+
+func (c *Cluster) resolveSystemAddrViaSubnetCheck() (net.IP, error) {
+	// Use the system's only IP address, or fail if there are
+	// multiple addresses to choose from. Skip interfaces which
+	// are managed by docker via subnet check.
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		return nil, err
+	}
+
+	var systemAddr net.IP
+	var systemInterface string
+
+	// List Docker-managed subnets
+	v4Subnets, v6Subnets := c.config.NetworkSubnetsProvider.Subnets()
+
+ifaceLoop:
+	for _, intf := range interfaces {
+		// Skip inactive interfaces and loopback interfaces
+		if (intf.Flags&net.FlagUp == 0) || (intf.Flags&net.FlagLoopback) != 0 {
+			continue
+		}
+
+		addrs, err := intf.Addrs()
+		if err != nil {
+			continue
+		}
+
+		var interfaceAddr4, interfaceAddr6 net.IP
+
+		for _, addr := range addrs {
+			ipAddr, ok := addr.(*net.IPNet)
+
+			// Skip loopback and link-local addresses
+			if !ok || !ipAddr.IP.IsGlobalUnicast() {
+				continue
+			}
+
+			if ipAddr.IP.To4() != nil {
+				// IPv4
+
+				// Ignore addresses in subnets that are managed by Docker.
+				for _, subnet := range v4Subnets {
+					if subnet.Contains(ipAddr.IP) {
+						continue ifaceLoop
+					}
+				}
+
+				if interfaceAddr4 != nil {
+					return nil, errMultipleIPs(intf.Name, intf.Name, interfaceAddr4, ipAddr.IP)
+				}
+
+				interfaceAddr4 = ipAddr.IP
+			} else {
+				// IPv6
+
+				// Ignore addresses in subnets that are managed by Docker.
+				for _, subnet := range v6Subnets {
+					if subnet.Contains(ipAddr.IP) {
+						continue ifaceLoop
+					}
+				}
+
+				if interfaceAddr6 != nil {
+					return nil, errMultipleIPs(intf.Name, intf.Name, interfaceAddr6, ipAddr.IP)
+				}
+
+				interfaceAddr6 = ipAddr.IP
+			}
+		}
+
+		// In the case that this interface has exactly one IPv4 address
+		// and exactly one IPv6 address, favor IPv4 over IPv6.
+		if interfaceAddr4 != nil {
+			if systemAddr != nil {
+				return nil, errMultipleIPs(systemInterface, intf.Name, systemAddr, interfaceAddr4)
+			}
+			systemAddr = interfaceAddr4
+			systemInterface = intf.Name
+		} else if interfaceAddr6 != nil {
+			if systemAddr != nil {
+				return nil, errMultipleIPs(systemInterface, intf.Name, systemAddr, interfaceAddr6)
+			}
+			systemAddr = interfaceAddr6
+			systemInterface = intf.Name
+		}
+	}
+
+	if systemAddr == nil {
+		return nil, errNoIP
+	}
+
+	return systemAddr, nil
+}
+
+func listSystemIPs() []net.IP {
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		return nil
+	}
+
+	var systemAddrs []net.IP
+
+	for _, intf := range interfaces {
+		addrs, err := intf.Addrs()
+		if err != nil {
+			continue
+		}
+
+		for _, addr := range addrs {
+			ipAddr, ok := addr.(*net.IPNet)
+
+			if ok {
+				systemAddrs = append(systemAddrs, ipAddr.IP)
+			}
+		}
+	}
+
+	return systemAddrs
+}
+
+func errMultipleIPs(interfaceA, interfaceB string, addrA, addrB net.IP) error {
+	if interfaceA == interfaceB {
+		return configError(fmt.Sprintf("could not choose an IP address to advertise since this system has multiple addresses on interface %s (%s and %s)", interfaceA, addrA, addrB))
+	}
+	return configError(fmt.Sprintf("could not choose an IP address to advertise since this system has multiple addresses on different interfaces (%s on %s and %s on %s)", addrA, interfaceA, addrB, interfaceB))
+}
diff --git a/engine/daemon/cluster/listen_addr_linux.go b/engine/daemon/cluster/listen_addr_linux.go
new file mode 100644
index 00000000..62e4f61a
--- /dev/null
+++ b/engine/daemon/cluster/listen_addr_linux.go
@@ -0,0 +1,89 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"net"
+
+	"github.com/vishvananda/netlink"
+)
+
+func (c *Cluster) resolveSystemAddr() (net.IP, error) {
+	// Use the system's only device IP address, or fail if there are
+	// multiple addresses to choose from.
+	interfaces, err := netlink.LinkList()
+	if err != nil {
+		return nil, err
+	}
+
+	var (
+		systemAddr      net.IP
+		systemInterface string
+		deviceFound     bool
+	)
+
+	for _, intf := range interfaces {
+		// Skip non device or inactive interfaces
+		if intf.Type() != "device" || intf.Attrs().Flags&net.FlagUp == 0 {
+			continue
+		}
+
+		addrs, err := netlink.AddrList(intf, netlink.FAMILY_ALL)
+		if err != nil {
+			continue
+		}
+
+		var interfaceAddr4, interfaceAddr6 net.IP
+
+		for _, addr := range addrs {
+			ipAddr := addr.IPNet.IP
+
+			// Skip loopback and link-local addresses
+			if !ipAddr.IsGlobalUnicast() {
+				continue
+			}
+
+			// At least one non-loopback device is found and it is administratively up
+			deviceFound = true
+
+			if ipAddr.To4() != nil {
+				if interfaceAddr4 != nil {
+					return nil, errMultipleIPs(intf.Attrs().Name, intf.Attrs().Name, interfaceAddr4, ipAddr)
+				}
+				interfaceAddr4 = ipAddr
+			} else {
+				if interfaceAddr6 != nil {
+					return nil, errMultipleIPs(intf.Attrs().Name, intf.Attrs().Name, interfaceAddr6, ipAddr)
+				}
+				interfaceAddr6 = ipAddr
+			}
+		}
+
+		// In the case that this interface has exactly one IPv4 address
+		// and exactly one IPv6 address, favor IPv4 over IPv6.
+		if interfaceAddr4 != nil {
+			if systemAddr != nil {
+				return nil, errMultipleIPs(systemInterface, intf.Attrs().Name, systemAddr, interfaceAddr4)
+			}
+			systemAddr = interfaceAddr4
+			systemInterface = intf.Attrs().Name
+		} else if interfaceAddr6 != nil {
+			if systemAddr != nil {
+				return nil, errMultipleIPs(systemInterface, intf.Attrs().Name, systemAddr, interfaceAddr6)
+			}
+			systemAddr = interfaceAddr6
+			systemInterface = intf.Attrs().Name
+		}
+	}
+
+	if systemAddr == nil {
+		if !deviceFound {
+			// If no non-loopback device type interface is found,
+			// fall back to the regular auto-detection mechanism.
+			// This is to cover the case where docker is running
+			// inside a container (eths are in fact veths).
+			return c.resolveSystemAddrViaSubnetCheck()
+		}
+		return nil, errNoIP
+	}
+
+	return systemAddr, nil
+}
diff --git a/engine/daemon/cluster/listen_addr_others.go b/engine/daemon/cluster/listen_addr_others.go
new file mode 100644
index 00000000..fe75848e
--- /dev/null
+++ b/engine/daemon/cluster/listen_addr_others.go
@@ -0,0 +1,9 @@
+// +build !linux
+
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import "net"
+
+func (c *Cluster) resolveSystemAddr() (net.IP, error) {
+	return c.resolveSystemAddrViaSubnetCheck()
+}
diff --git a/engine/daemon/cluster/networks.go b/engine/daemon/cluster/networks.go
new file mode 100644
index 00000000..b8e31baa
--- /dev/null
+++ b/engine/daemon/cluster/networks.go
@@ -0,0 +1,316 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"context"
+	"fmt"
+
+	apitypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+	types "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/convert"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/runconfig"
+	swarmapi "github.com/docker/swarmkit/api"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// GetNetworks returns all current cluster managed networks.
+func (c *Cluster) GetNetworks() ([]apitypes.NetworkResource, error) {
+	list, err := c.getNetworks(nil)
+	if err != nil {
+		return nil, err
+	}
+	removePredefinedNetworks(&list)
+	return list, nil
+}
+
+func removePredefinedNetworks(networks *[]apitypes.NetworkResource) {
+	if networks == nil {
+		return
+	}
+	var idxs []int
+	for i, n := range *networks {
+		if v, ok := n.Labels["com.docker.swarm.predefined"]; ok && v == "true" {
+			idxs = append(idxs, i)
+		}
+	}
+	for i, idx := range idxs {
+		idx -= i
+		*networks = append((*networks)[:idx], (*networks)[idx+1:]...)
+	}
+}
+
+func (c *Cluster) getNetworks(filters *swarmapi.ListNetworksRequest_Filters) ([]apitypes.NetworkResource, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	state := c.currentNodeState()
+	if !state.IsActiveManager() {
+		return nil, c.errNoManager(state)
+	}
+
+	ctx, cancel := c.getRequestContext()
+	defer cancel()
+
+	r, err := state.controlClient.ListNetworks(ctx, &swarmapi.ListNetworksRequest{Filters: filters})
+	if err != nil {
+		return nil, err
+	}
+
+	networks := make([]apitypes.NetworkResource, 0, len(r.Networks))
+
+	for _, network := range r.Networks {
+		networks = append(networks, convert.BasicNetworkFromGRPC(*network))
+	}
+
+	return networks, nil
+}
+
+// GetNetwork returns a cluster network by an ID.
+func (c *Cluster) GetNetwork(input string) (apitypes.NetworkResource, error) {
+	var network *swarmapi.Network
+
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		n, err := getNetwork(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+		network = n
+		return nil
+	}); err != nil {
+		return apitypes.NetworkResource{}, err
+	}
+	return convert.BasicNetworkFromGRPC(*network), nil
+}
+
+// GetNetworksByName returns cluster managed networks by name.
+// It is ok to have multiple networks here. #18864
+func (c *Cluster) GetNetworksByName(name string) ([]apitypes.NetworkResource, error) {
+	// Note that swarmapi.GetNetworkRequest.Name is not functional.
+	// So we cannot just use that with c.GetNetwork.
+	return c.getNetworks(&swarmapi.ListNetworksRequest_Filters{
+		Names: []string{name},
+	})
+}
+
+func attacherKey(target, containerID string) string {
+	return containerID + ":" + target
+}
+
+// UpdateAttachment signals the attachment config to the attachment
+// waiter who is trying to start or attach the container to the
+// network.
+func (c *Cluster) UpdateAttachment(target, containerID string, config *network.NetworkingConfig) error {
+	c.mu.Lock()
+	attacher, ok := c.attachers[attacherKey(target, containerID)]
+	if !ok || attacher == nil {
+		c.mu.Unlock()
+		return fmt.Errorf("could not find attacher for container %s to network %s", containerID, target)
+	}
+	if attacher.inProgress {
+		logrus.Debugf("Discarding redundant notice of resource allocation on network %s for task id %s", target, attacher.taskID)
+		c.mu.Unlock()
+		return nil
+	}
+	attacher.inProgress = true
+	c.mu.Unlock()
+
+	attacher.attachWaitCh <- config
+
+	return nil
+}
+
+// WaitForDetachment waits for the container to stop or detach from
+// the network.
+func (c *Cluster) WaitForDetachment(ctx context.Context, networkName, networkID, taskID, containerID string) error {
+	c.mu.RLock()
+	attacher, ok := c.attachers[attacherKey(networkName, containerID)]
+	if !ok {
+		attacher, ok = c.attachers[attacherKey(networkID, containerID)]
+	}
+	state := c.currentNodeState()
+	if state.swarmNode == nil || state.swarmNode.Agent() == nil {
+		c.mu.RUnlock()
+		return errors.New("invalid cluster node while waiting for detachment")
+	}
+
+	c.mu.RUnlock()
+	agent := state.swarmNode.Agent()
+	if ok && attacher != nil &&
+		attacher.detachWaitCh != nil &&
+		attacher.attachCompleteCh != nil {
+		// Attachment may be in progress still so wait for
+		// attachment to complete.
+		select {
+		case <-attacher.attachCompleteCh:
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+
+		if attacher.taskID == taskID {
+			select {
+			case <-attacher.detachWaitCh:
+			case <-ctx.Done():
+				return ctx.Err()
+			}
+		}
+	}
+
+	return agent.ResourceAllocator().DetachNetwork(ctx, taskID)
+}
+
+// AttachNetwork generates an attachment request towards the manager.
+func (c *Cluster) AttachNetwork(target string, containerID string, addresses []string) (*network.NetworkingConfig, error) {
+	aKey := attacherKey(target, containerID)
+	c.mu.Lock()
+	state := c.currentNodeState()
+	if state.swarmNode == nil || state.swarmNode.Agent() == nil {
+		c.mu.Unlock()
+		return nil, errors.New("invalid cluster node while attaching to network")
+	}
+	if attacher, ok := c.attachers[aKey]; ok {
+		c.mu.Unlock()
+		return attacher.config, nil
+	}
+
+	agent := state.swarmNode.Agent()
+	attachWaitCh := make(chan *network.NetworkingConfig)
+	detachWaitCh := make(chan struct{})
+	attachCompleteCh := make(chan struct{})
+	c.attachers[aKey] = &attacher{
+		attachWaitCh:     attachWaitCh,
+		attachCompleteCh: attachCompleteCh,
+		detachWaitCh:     detachWaitCh,
+	}
+	c.mu.Unlock()
+
+	ctx, cancel := c.getRequestContext()
+	defer cancel()
+
+	taskID, err := agent.ResourceAllocator().AttachNetwork(ctx, containerID, target, addresses)
+	if err != nil {
+		c.mu.Lock()
+		delete(c.attachers, aKey)
+		c.mu.Unlock()
+		return nil, fmt.Errorf("Could not attach to network %s: %v", target, err)
+	}
+
+	c.mu.Lock()
+	c.attachers[aKey].taskID = taskID
+	close(attachCompleteCh)
+	c.mu.Unlock()
+
+	logrus.Debugf("Successfully attached to network %s with task id %s", target, taskID)
+
+	release := func() {
+		ctx, cancel := c.getRequestContext()
+		defer cancel()
+		if err := agent.ResourceAllocator().DetachNetwork(ctx, taskID); err != nil {
+			logrus.Errorf("Failed remove network attachment %s to network %s on allocation failure: %v",
+				taskID, target, err)
+		}
+	}
+
+	var config *network.NetworkingConfig
+	select {
+	case config = <-attachWaitCh:
+	case <-ctx.Done():
+		release()
+		return nil, fmt.Errorf("attaching to network failed, make sure your network options are correct and check manager logs: %v", ctx.Err())
+	}
+
+	c.mu.Lock()
+	c.attachers[aKey].config = config
+	c.mu.Unlock()
+
+	logrus.Debugf("Successfully allocated resources on network %s for task id %s", target, taskID)
+
+	return config, nil
+}
+
+// DetachNetwork unblocks the waiters waiting on WaitForDetachment so
+// that a request to detach can be generated towards the manager.
+func (c *Cluster) DetachNetwork(target string, containerID string) error {
+	aKey := attacherKey(target, containerID)
+
+	c.mu.Lock()
+	attacher, ok := c.attachers[aKey]
+	delete(c.attachers, aKey)
+	c.mu.Unlock()
+
+	if !ok {
+		return fmt.Errorf("could not find network attachment for container %s to network %s", containerID, target)
+	}
+
+	close(attacher.detachWaitCh)
+	return nil
+}
+
+// CreateNetwork creates a new cluster managed network.
+func (c *Cluster) CreateNetwork(s apitypes.NetworkCreateRequest) (string, error) {
+	if runconfig.IsPreDefinedNetwork(s.Name) {
+		err := notAllowedError(fmt.Sprintf("%s is a pre-defined network and cannot be created", s.Name))
+		return "", errors.WithStack(err)
+	}
+
+	var resp *swarmapi.CreateNetworkResponse
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		networkSpec := convert.BasicNetworkCreateToGRPC(s)
+		r, err := state.controlClient.CreateNetwork(ctx, &swarmapi.CreateNetworkRequest{Spec: &networkSpec})
+		if err != nil {
+			return err
+		}
+		resp = r
+		return nil
+	}); err != nil {
+		return "", err
+	}
+
+	return resp.Network.ID, nil
+}
+
+// RemoveNetwork removes a cluster network.
+func (c *Cluster) RemoveNetwork(input string) error {
+	return c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		network, err := getNetwork(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+
+		_, err = state.controlClient.RemoveNetwork(ctx, &swarmapi.RemoveNetworkRequest{NetworkID: network.ID})
+		return err
+	})
+}
+
+func (c *Cluster) populateNetworkID(ctx context.Context, client swarmapi.ControlClient, s *types.ServiceSpec) error {
+	// Always prefer NetworkAttachmentConfigs from TaskTemplate
+	// but fallback to service spec for backward compatibility
+	networks := s.TaskTemplate.Networks
+	if len(networks) == 0 {
+		networks = s.Networks
+	}
+	for i, n := range networks {
+		apiNetwork, err := getNetwork(ctx, client, n.Target)
+		if err != nil {
+			ln, _ := c.config.Backend.FindNetwork(n.Target)
+			if ln != nil && runconfig.IsPreDefinedNetwork(ln.Name()) {
+				// Need to retrieve the corresponding predefined swarm network
+				// and use its id for the request.
+				apiNetwork, err = getNetwork(ctx, client, ln.Name())
+				if err != nil {
+					return errors.Wrap(errdefs.NotFound(err), "could not find the corresponding predefined swarm network")
+				}
+				goto setid
+			}
+			if ln != nil && !ln.Info().Dynamic() {
+				errMsg := fmt.Sprintf("The network %s cannot be used with services. Only networks scoped to the swarm can be used, such as those created with the overlay driver.", ln.Name())
+				return errors.WithStack(notAllowedError(errMsg))
+			}
+			return err
+		}
+	setid:
+		networks[i].Target = apiNetwork.ID
+	}
+	return nil
+}
diff --git a/engine/daemon/cluster/noderunner.go b/engine/daemon/cluster/noderunner.go
new file mode 100644
index 00000000..87e65aae
--- /dev/null
+++ b/engine/daemon/cluster/noderunner.go
@@ -0,0 +1,388 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	types "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/executor/container"
+	lncluster "github.com/docker/libnetwork/cluster"
+	swarmapi "github.com/docker/swarmkit/api"
+	swarmnode "github.com/docker/swarmkit/node"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// nodeRunner implements a manager for continuously running swarmkit node, restarting them with backoff delays if needed.
+type nodeRunner struct {
+	nodeState
+	mu             sync.RWMutex
+	done           chan struct{} // closed when swarmNode exits
+	ready          chan struct{} // closed when swarmNode becomes active
+	reconnectDelay time.Duration
+	config         nodeStartConfig
+
+	repeatedRun     bool
+	cancelReconnect func()
+	stopping        bool
+	cluster         *Cluster // only for accessing config helpers, never call any methods. TODO: change to config struct
+}
+
+// nodeStartConfig holds configuration needed to start a new node. Exported
+// fields of this structure are saved to disk in json. Unexported fields
+// contain data that shouldn't be persisted between daemon reloads.
+type nodeStartConfig struct {
+	// LocalAddr is this machine's local IP or hostname, if specified.
+	LocalAddr string
+	// RemoteAddr is the address that was given to "swarm join". It is used
+	// to find LocalAddr if necessary.
+	RemoteAddr string
+	// ListenAddr is the address we bind to, including a port.
+	ListenAddr string
+	// AdvertiseAddr is the address other nodes should connect to,
+	// including a port.
+	AdvertiseAddr string
+	// DataPathAddr is the address that has to be used for the data path
+	DataPathAddr string
+	// JoinInProgress is set to true if a join operation has started, but
+	// not completed yet.
+	JoinInProgress bool
+
+	joinAddr        string
+	forceNewCluster bool
+	joinToken       string
+	lockKey         []byte
+	autolock        bool
+	availability    types.NodeAvailability
+}
+
+func (n *nodeRunner) Ready() chan error {
+	c := make(chan error, 1)
+	n.mu.RLock()
+	ready, done := n.ready, n.done
+	n.mu.RUnlock()
+	go func() {
+		select {
+		case <-ready:
+		case <-done:
+		}
+		select {
+		case <-ready:
+		default:
+			n.mu.RLock()
+			c <- n.err
+			n.mu.RUnlock()
+		}
+		close(c)
+	}()
+	return c
+}
+
+func (n *nodeRunner) Start(conf nodeStartConfig) error {
+	n.mu.Lock()
+	defer n.mu.Unlock()
+
+	n.reconnectDelay = initialReconnectDelay
+
+	return n.start(conf)
+}
+
+func (n *nodeRunner) start(conf nodeStartConfig) error {
+	var control string
+	if runtime.GOOS == "windows" {
+		control = `\\.\pipe\` + controlSocket
+	} else {
+		control = filepath.Join(n.cluster.runtimeRoot, controlSocket)
+	}
+
+	joinAddr := conf.joinAddr
+	if joinAddr == "" && conf.JoinInProgress {
+		// We must have been restarted while trying to join a cluster.
+		// Continue trying to join instead of forming our own cluster.
+		joinAddr = conf.RemoteAddr
+	}
+
+	// Hostname is not set here. Instead, it is obtained from
+	// the node description that is reported periodically
+	swarmnodeConfig := swarmnode.Config{
+		ForceNewCluster:    conf.forceNewCluster,
+		ListenControlAPI:   control,
+		ListenRemoteAPI:    conf.ListenAddr,
+		AdvertiseRemoteAPI: conf.AdvertiseAddr,
+		JoinAddr:           joinAddr,
+		StateDir:           n.cluster.root,
+		JoinToken:          conf.joinToken,
+		Executor: container.NewExecutor(
+			n.cluster.config.Backend,
+			n.cluster.config.PluginBackend,
+			n.cluster.config.ImageBackend,
+			n.cluster.config.VolumeBackend,
+		),
+		HeartbeatTick: n.cluster.config.RaftHeartbeatTick,
+		// Recommended value in etcd/raft is 10 x (HeartbeatTick).
+		// Lower values were seen to have caused instability because of
+		// frequent leader elections when running on flakey networks.
+		ElectionTick:     n.cluster.config.RaftElectionTick,
+		UnlockKey:        conf.lockKey,
+		AutoLockManagers: conf.autolock,
+		PluginGetter:     n.cluster.config.Backend.PluginGetter(),
+	}
+	if conf.availability != "" {
+		avail, ok := swarmapi.NodeSpec_Availability_value[strings.ToUpper(string(conf.availability))]
+		if !ok {
+			return fmt.Errorf("invalid Availability: %q", conf.availability)
+		}
+		swarmnodeConfig.Availability = swarmapi.NodeSpec_Availability(avail)
+	}
+	node, err := swarmnode.New(&swarmnodeConfig)
+	if err != nil {
+		return err
+	}
+	if err := node.Start(context.Background()); err != nil {
+		return err
+	}
+
+	n.done = make(chan struct{})
+	n.ready = make(chan struct{})
+	n.swarmNode = node
+	if conf.joinAddr != "" {
+		conf.JoinInProgress = true
+	}
+	n.config = conf
+	savePersistentState(n.cluster.root, conf)
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func() {
+		n.handleNodeExit(node)
+		cancel()
+	}()
+
+	go n.handleReadyEvent(ctx, node, n.ready)
+	go n.handleControlSocketChange(ctx, node)
+
+	return nil
+}
+
+func (n *nodeRunner) handleControlSocketChange(ctx context.Context, node *swarmnode.Node) {
+	for conn := range node.ListenControlSocket(ctx) {
+		n.mu.Lock()
+		if n.grpcConn != conn {
+			if conn == nil {
+				n.controlClient = nil
+				n.logsClient = nil
+			} else {
+				n.controlClient = swarmapi.NewControlClient(conn)
+				n.logsClient = swarmapi.NewLogsClient(conn)
+				// push store changes to daemon
+				go n.watchClusterEvents(ctx, conn)
+			}
+		}
+		n.grpcConn = conn
+		n.mu.Unlock()
+		n.cluster.SendClusterEvent(lncluster.EventSocketChange)
+	}
+}
+
+func (n *nodeRunner) watchClusterEvents(ctx context.Context, conn *grpc.ClientConn) {
+	client := swarmapi.NewWatchClient(conn)
+	watch, err := client.Watch(ctx, &swarmapi.WatchRequest{
+		Entries: []*swarmapi.WatchRequest_WatchEntry{
+			{
+				Kind:   "node",
+				Action: swarmapi.WatchActionKindCreate | swarmapi.WatchActionKindUpdate | swarmapi.WatchActionKindRemove,
+			},
+			{
+				Kind:   "service",
+				Action: swarmapi.WatchActionKindCreate | swarmapi.WatchActionKindUpdate | swarmapi.WatchActionKindRemove,
+			},
+			{
+				Kind:   "network",
+				Action: swarmapi.WatchActionKindCreate | swarmapi.WatchActionKindUpdate | swarmapi.WatchActionKindRemove,
+			},
+			{
+				Kind:   "secret",
+				Action: swarmapi.WatchActionKindCreate | swarmapi.WatchActionKindUpdate | swarmapi.WatchActionKindRemove,
+			},
+			{
+				Kind:   "config",
+				Action: swarmapi.WatchActionKindCreate | swarmapi.WatchActionKindUpdate | swarmapi.WatchActionKindRemove,
+			},
+		},
+		IncludeOldObject: true,
+	})
+	if err != nil {
+		logrus.WithError(err).Error("failed to watch cluster store")
+		return
+	}
+	for {
+		msg, err := watch.Recv()
+		if err != nil {
+			// store watch is broken
+			errStatus, ok := status.FromError(err)
+			if !ok || errStatus.Code() != codes.Canceled {
+				logrus.WithError(err).Error("failed to receive changes from store watch API")
+			}
+			return
+		}
+		select {
+		case <-ctx.Done():
+			return
+		case n.cluster.watchStream <- msg:
+		}
+	}
+}
+
+func (n *nodeRunner) handleReadyEvent(ctx context.Context, node *swarmnode.Node, ready chan struct{}) {
+	select {
+	case <-node.Ready():
+		n.mu.Lock()
+		n.err = nil
+		if n.config.JoinInProgress {
+			n.config.JoinInProgress = false
+			savePersistentState(n.cluster.root, n.config)
+		}
+		n.mu.Unlock()
+		close(ready)
+	case <-ctx.Done():
+	}
+	n.cluster.SendClusterEvent(lncluster.EventNodeReady)
+}
+
+func (n *nodeRunner) handleNodeExit(node *swarmnode.Node) {
+	err := detectLockedError(node.Err(context.Background()))
+	if err != nil {
+		logrus.Errorf("cluster exited with error: %v", err)
+	}
+	n.mu.Lock()
+	n.swarmNode = nil
+	n.err = err
+	close(n.done)
+	select {
+	case <-n.ready:
+		n.enableReconnectWatcher()
+	default:
+		if n.repeatedRun {
+			n.enableReconnectWatcher()
+		}
+	}
+	n.repeatedRun = true
+	n.mu.Unlock()
+}
+
+// Stop stops the current swarm node if it is running.
+func (n *nodeRunner) Stop() error {
+	n.mu.Lock()
+	if n.cancelReconnect != nil { // between restarts
+		n.cancelReconnect()
+		n.cancelReconnect = nil
+	}
+	if n.swarmNode == nil {
+		n.mu.Unlock()
+		return nil
+	}
+	n.stopping = true
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+	n.mu.Unlock()
+	if err := n.swarmNode.Stop(ctx); err != nil && !strings.Contains(err.Error(), "context canceled") {
+		return err
+	}
+	n.cluster.SendClusterEvent(lncluster.EventNodeLeave)
+	<-n.done
+	return nil
+}
+
+func (n *nodeRunner) State() nodeState {
+	if n == nil {
+		return nodeState{status: types.LocalNodeStateInactive}
+	}
+	n.mu.RLock()
+	defer n.mu.RUnlock()
+
+	ns := n.nodeState
+
+	if ns.err != nil || n.cancelReconnect != nil {
+		if errors.Cause(ns.err) == errSwarmLocked {
+			ns.status = types.LocalNodeStateLocked
+		} else {
+			ns.status = types.LocalNodeStateError
+		}
+	} else {
+		select {
+		case <-n.ready:
+			ns.status = types.LocalNodeStateActive
+		default:
+			ns.status = types.LocalNodeStatePending
+		}
+	}
+
+	return ns
+}
+
+func (n *nodeRunner) enableReconnectWatcher() {
+	if n.stopping {
+		return
+	}
+	n.reconnectDelay *= 2
+	if n.reconnectDelay > maxReconnectDelay {
+		n.reconnectDelay = maxReconnectDelay
+	}
+	logrus.Warnf("Restarting swarm in %.2f seconds", n.reconnectDelay.Seconds())
+	delayCtx, cancel := context.WithTimeout(context.Background(), n.reconnectDelay)
+	n.cancelReconnect = cancel
+
+	go func() {
+		<-delayCtx.Done()
+		if delayCtx.Err() != context.DeadlineExceeded {
+			return
+		}
+		n.mu.Lock()
+		defer n.mu.Unlock()
+		if n.stopping {
+			return
+		}
+
+		if err := n.start(n.config); err != nil {
+			n.err = err
+		}
+	}()
+}
+
+// nodeState represents information about the current state of the cluster and
+// provides access to the grpc clients.
+type nodeState struct {
+	swarmNode       *swarmnode.Node
+	grpcConn        *grpc.ClientConn
+	controlClient   swarmapi.ControlClient
+	logsClient      swarmapi.LogsClient
+	status          types.LocalNodeState
+	actualLocalAddr string
+	err             error
+}
+
+// IsActiveManager returns true if node is a manager ready to accept control requests. It is safe to access the client properties if this returns true.
+func (ns nodeState) IsActiveManager() bool {
+	return ns.controlClient != nil
+}
+
+// IsManager returns true if node is a manager.
+func (ns nodeState) IsManager() bool {
+	return ns.swarmNode != nil && ns.swarmNode.Manager() != nil
+}
+
+// NodeID returns node's ID or empty string if node is inactive.
+func (ns nodeState) NodeID() string {
+	if ns.swarmNode != nil {
+		return ns.swarmNode.NodeID()
+	}
+	return ""
+}
diff --git a/engine/daemon/cluster/nodes.go b/engine/daemon/cluster/nodes.go
new file mode 100644
index 00000000..3c073b0b
--- /dev/null
+++ b/engine/daemon/cluster/nodes.go
@@ -0,0 +1,105 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"context"
+
+	apitypes "github.com/docker/docker/api/types"
+	types "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/convert"
+	"github.com/docker/docker/errdefs"
+	swarmapi "github.com/docker/swarmkit/api"
+)
+
+// GetNodes returns a list of all nodes known to a cluster.
+func (c *Cluster) GetNodes(options apitypes.NodeListOptions) ([]types.Node, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	state := c.currentNodeState()
+	if !state.IsActiveManager() {
+		return nil, c.errNoManager(state)
+	}
+
+	filters, err := newListNodesFilters(options.Filters)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx, cancel := c.getRequestContext()
+	defer cancel()
+
+	r, err := state.controlClient.ListNodes(
+		ctx,
+		&swarmapi.ListNodesRequest{Filters: filters})
+	if err != nil {
+		return nil, err
+	}
+
+	nodes := make([]types.Node, 0, len(r.Nodes))
+
+	for _, node := range r.Nodes {
+		nodes = append(nodes, convert.NodeFromGRPC(*node))
+	}
+	return nodes, nil
+}
+
+// GetNode returns a node based on an ID.
+func (c *Cluster) GetNode(input string) (types.Node, error) {
+	var node *swarmapi.Node
+
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		n, err := getNode(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+		node = n
+		return nil
+	}); err != nil {
+		return types.Node{}, err
+	}
+
+	return convert.NodeFromGRPC(*node), nil
+}
+
+// UpdateNode updates existing nodes properties.
+func (c *Cluster) UpdateNode(input string, version uint64, spec types.NodeSpec) error {
+	return c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		nodeSpec, err := convert.NodeSpecToGRPC(spec)
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+
+		ctx, cancel := c.getRequestContext()
+		defer cancel()
+
+		currentNode, err := getNode(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+
+		_, err = state.controlClient.UpdateNode(
+			ctx,
+			&swarmapi.UpdateNodeRequest{
+				NodeID: currentNode.ID,
+				Spec:   &nodeSpec,
+				NodeVersion: &swarmapi.Version{
+					Index: version,
+				},
+			},
+		)
+		return err
+	})
+}
+
+// RemoveNode removes a node from a cluster
+func (c *Cluster) RemoveNode(input string, force bool) error {
+	return c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		node, err := getNode(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+
+		_, err = state.controlClient.RemoveNode(ctx, &swarmapi.RemoveNodeRequest{NodeID: node.ID, Force: force})
+		return err
+	})
+}
diff --git a/engine/daemon/cluster/provider/network.go b/engine/daemon/cluster/provider/network.go
new file mode 100644
index 00000000..533baa0e
--- /dev/null
+++ b/engine/daemon/cluster/provider/network.go
@@ -0,0 +1,37 @@
+package provider // import "github.com/docker/docker/daemon/cluster/provider"
+
+import "github.com/docker/docker/api/types"
+
+// NetworkCreateRequest is a request when creating a network.
+type NetworkCreateRequest struct {
+	ID string
+	types.NetworkCreateRequest
+}
+
+// NetworkCreateResponse is a response when creating a network.
+type NetworkCreateResponse struct {
+	ID string `json:"Id"`
+}
+
+// VirtualAddress represents a virtual address.
+type VirtualAddress struct {
+	IPv4 string
+	IPv6 string
+}
+
+// PortConfig represents a port configuration.
+type PortConfig struct {
+	Name          string
+	Protocol      int32
+	TargetPort    uint32
+	PublishedPort uint32
+}
+
+// ServiceConfig represents a service configuration.
+type ServiceConfig struct {
+	ID               string
+	Name             string
+	Aliases          map[string][]string
+	VirtualAddresses map[string]*VirtualAddress
+	ExposedPorts     []*PortConfig
+}
diff --git a/engine/daemon/cluster/secrets.go b/engine/daemon/cluster/secrets.go
new file mode 100644
index 00000000..c6fd8420
--- /dev/null
+++ b/engine/daemon/cluster/secrets.go
@@ -0,0 +1,118 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"context"
+
+	apitypes "github.com/docker/docker/api/types"
+	types "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/convert"
+	swarmapi "github.com/docker/swarmkit/api"
+)
+
+// GetSecret returns a secret from a managed swarm cluster
+func (c *Cluster) GetSecret(input string) (types.Secret, error) {
+	var secret *swarmapi.Secret
+
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		s, err := getSecret(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+		secret = s
+		return nil
+	}); err != nil {
+		return types.Secret{}, err
+	}
+	return convert.SecretFromGRPC(secret), nil
+}
+
+// GetSecrets returns all secrets of a managed swarm cluster.
+func (c *Cluster) GetSecrets(options apitypes.SecretListOptions) ([]types.Secret, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	state := c.currentNodeState()
+	if !state.IsActiveManager() {
+		return nil, c.errNoManager(state)
+	}
+
+	filters, err := newListSecretsFilters(options.Filters)
+	if err != nil {
+		return nil, err
+	}
+	ctx, cancel := c.getRequestContext()
+	defer cancel()
+
+	r, err := state.controlClient.ListSecrets(ctx,
+		&swarmapi.ListSecretsRequest{Filters: filters})
+	if err != nil {
+		return nil, err
+	}
+
+	secrets := make([]types.Secret, 0, len(r.Secrets))
+
+	for _, secret := range r.Secrets {
+		secrets = append(secrets, convert.SecretFromGRPC(secret))
+	}
+
+	return secrets, nil
+}
+
+// CreateSecret creates a new secret in a managed swarm cluster.
+func (c *Cluster) CreateSecret(s types.SecretSpec) (string, error) {
+	var resp *swarmapi.CreateSecretResponse
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		secretSpec := convert.SecretSpecToGRPC(s)
+
+		r, err := state.controlClient.CreateSecret(ctx,
+			&swarmapi.CreateSecretRequest{Spec: &secretSpec})
+		if err != nil {
+			return err
+		}
+		resp = r
+		return nil
+	}); err != nil {
+		return "", err
+	}
+	return resp.Secret.ID, nil
+}
+
+// RemoveSecret removes a secret from a managed swarm cluster.
+func (c *Cluster) RemoveSecret(input string) error {
+	return c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		secret, err := getSecret(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+
+		req := &swarmapi.RemoveSecretRequest{
+			SecretID: secret.ID,
+		}
+
+		_, err = state.controlClient.RemoveSecret(ctx, req)
+		return err
+	})
+}
+
+// UpdateSecret updates a secret in a managed swarm cluster.
+// Note: this is not exposed to the CLI but is available from the API only
+func (c *Cluster) UpdateSecret(input string, version uint64, spec types.SecretSpec) error {
+	return c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		secret, err := getSecret(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+
+		secretSpec := convert.SecretSpecToGRPC(spec)
+
+		_, err = state.controlClient.UpdateSecret(ctx,
+			&swarmapi.UpdateSecretRequest{
+				SecretID: secret.ID,
+				SecretVersion: &swarmapi.Version{
+					Index: version,
+				},
+				Spec: &secretSpec,
+			})
+		return err
+	})
+}
diff --git a/engine/daemon/cluster/services.go b/engine/daemon/cluster/services.go
new file mode 100644
index 00000000..c1403764
--- /dev/null
+++ b/engine/daemon/cluster/services.go
@@ -0,0 +1,602 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	apitypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	types "github.com/docker/docker/api/types/swarm"
+	timetypes "github.com/docker/docker/api/types/time"
+	"github.com/docker/docker/daemon/cluster/convert"
+	"github.com/docker/docker/errdefs"
+	runconfigopts "github.com/docker/docker/runconfig/opts"
+	swarmapi "github.com/docker/swarmkit/api"
+	gogotypes "github.com/gogo/protobuf/types"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// GetServices returns all services of a managed swarm cluster.
+func (c *Cluster) GetServices(options apitypes.ServiceListOptions) ([]types.Service, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	state := c.currentNodeState()
+	if !state.IsActiveManager() {
+		return nil, c.errNoManager(state)
+	}
+
+	// We move the accepted filter check here as "mode" filter
+	// is processed in the daemon, not in SwarmKit. So it might
+	// be good to have accepted file check in the same file as
+	// the filter processing (in the for loop below).
+	accepted := map[string]bool{
+		"name":    true,
+		"id":      true,
+		"label":   true,
+		"mode":    true,
+		"runtime": true,
+	}
+	if err := options.Filters.Validate(accepted); err != nil {
+		return nil, err
+	}
+
+	if len(options.Filters.Get("runtime")) == 0 {
+		// Default to using the container runtime filter
+		options.Filters.Add("runtime", string(types.RuntimeContainer))
+	}
+
+	filters := &swarmapi.ListServicesRequest_Filters{
+		NamePrefixes: options.Filters.Get("name"),
+		IDPrefixes:   options.Filters.Get("id"),
+		Labels:       runconfigopts.ConvertKVStringsToMap(options.Filters.Get("label")),
+		Runtimes:     options.Filters.Get("runtime"),
+	}
+
+	ctx, cancel := c.getRequestContext()
+	defer cancel()
+
+	r, err := state.controlClient.ListServices(
+		ctx,
+		&swarmapi.ListServicesRequest{Filters: filters})
+	if err != nil {
+		return nil, err
+	}
+
+	services := make([]types.Service, 0, len(r.Services))
+
+	for _, service := range r.Services {
+		if options.Filters.Contains("mode") {
+			var mode string
+			switch service.Spec.GetMode().(type) {
+			case *swarmapi.ServiceSpec_Global:
+				mode = "global"
+			case *swarmapi.ServiceSpec_Replicated:
+				mode = "replicated"
+			}
+
+			if !options.Filters.ExactMatch("mode", mode) {
+				continue
+			}
+		}
+		svcs, err := convert.ServiceFromGRPC(*service)
+		if err != nil {
+			return nil, err
+		}
+		services = append(services, svcs)
+	}
+
+	return services, nil
+}
+
+// GetService returns a service based on an ID or name.
+func (c *Cluster) GetService(input string, insertDefaults bool) (types.Service, error) {
+	var service *swarmapi.Service
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		s, err := getService(ctx, state.controlClient, input, insertDefaults)
+		if err != nil {
+			return err
+		}
+		service = s
+		return nil
+	}); err != nil {
+		return types.Service{}, err
+	}
+	svc, err := convert.ServiceFromGRPC(*service)
+	if err != nil {
+		return types.Service{}, err
+	}
+	return svc, nil
+}
+
+// CreateService creates a new service in a managed swarm cluster.
+func (c *Cluster) CreateService(s types.ServiceSpec, encodedAuth string, queryRegistry bool) (*apitypes.ServiceCreateResponse, error) {
+	var resp *apitypes.ServiceCreateResponse
+	err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		err := c.populateNetworkID(ctx, state.controlClient, &s)
+		if err != nil {
+			return err
+		}
+
+		serviceSpec, err := convert.ServiceSpecToGRPC(s)
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+
+		resp = &apitypes.ServiceCreateResponse{}
+
+		switch serviceSpec.Task.Runtime.(type) {
+		case *swarmapi.TaskSpec_Attachment:
+			return fmt.Errorf("invalid task spec: spec type %q not supported", types.RuntimeNetworkAttachment)
+		// handle other runtimes here
+		case *swarmapi.TaskSpec_Generic:
+			switch serviceSpec.Task.GetGeneric().Kind {
+			case string(types.RuntimePlugin):
+				info, _ := c.config.Backend.SystemInfo()
+				if !info.ExperimentalBuild {
+					return fmt.Errorf("runtime type %q only supported in experimental", types.RuntimePlugin)
+				}
+				if s.TaskTemplate.PluginSpec == nil {
+					return errors.New("plugin spec must be set")
+				}
+
+			default:
+				return fmt.Errorf("unsupported runtime type: %q", serviceSpec.Task.GetGeneric().Kind)
+			}
+
+			r, err := state.controlClient.CreateService(ctx, &swarmapi.CreateServiceRequest{Spec: &serviceSpec})
+			if err != nil {
+				return err
+			}
+
+			resp.ID = r.Service.ID
+		case *swarmapi.TaskSpec_Container:
+			ctnr := serviceSpec.Task.GetContainer()
+			if ctnr == nil {
+				return errors.New("service does not use container tasks")
+			}
+			if encodedAuth != "" {
+				ctnr.PullOptions = &swarmapi.ContainerSpec_PullOptions{RegistryAuth: encodedAuth}
+			}
+
+			// retrieve auth config from encoded auth
+			authConfig := &apitypes.AuthConfig{}
+			if encodedAuth != "" {
+				authReader := strings.NewReader(encodedAuth)
+				dec := json.NewDecoder(base64.NewDecoder(base64.URLEncoding, authReader))
+				if err := dec.Decode(authConfig); err != nil {
+					logrus.Warnf("invalid authconfig: %v", err)
+				}
+			}
+
+			// pin image by digest for API versions < 1.30
+			// TODO(nishanttotla): The check on "DOCKER_SERVICE_PREFER_OFFLINE_IMAGE"
+			// should be removed in the future. Since integration tests only use the
+			// latest API version, so this is no longer required.
+			if os.Getenv("DOCKER_SERVICE_PREFER_OFFLINE_IMAGE") != "1" && queryRegistry {
+				digestImage, err := c.imageWithDigestString(ctx, ctnr.Image, authConfig)
+				if err != nil {
+					logrus.Warnf("unable to pin image %s to digest: %s", ctnr.Image, err.Error())
+					// warning in the client response should be concise
+					resp.Warnings = append(resp.Warnings, digestWarning(ctnr.Image))
+
+				} else if ctnr.Image != digestImage {
+					logrus.Debugf("pinning image %s by digest: %s", ctnr.Image, digestImage)
+					ctnr.Image = digestImage
+
+				} else {
+					logrus.Debugf("creating service using supplied digest reference %s", ctnr.Image)
+
+				}
+
+				// Replace the context with a fresh one.
+				// If we timed out while communicating with the
+				// registry, then "ctx" will already be expired, which
+				// would cause UpdateService below to fail. Reusing
+				// "ctx" could make it impossible to create a service
+				// if the registry is slow or unresponsive.
+				var cancel func()
+				ctx, cancel = c.getRequestContext()
+				defer cancel()
+			}
+
+			r, err := state.controlClient.CreateService(ctx, &swarmapi.CreateServiceRequest{Spec: &serviceSpec})
+			if err != nil {
+				return err
+			}
+
+			resp.ID = r.Service.ID
+		}
+		return nil
+	})
+
+	return resp, err
+}
+
+// UpdateService updates existing service to match new properties.
+func (c *Cluster) UpdateService(serviceIDOrName string, version uint64, spec types.ServiceSpec, flags apitypes.ServiceUpdateOptions, queryRegistry bool) (*apitypes.ServiceUpdateResponse, error) {
+	var resp *apitypes.ServiceUpdateResponse
+
+	err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+
+		err := c.populateNetworkID(ctx, state.controlClient, &spec)
+		if err != nil {
+			return err
+		}
+
+		serviceSpec, err := convert.ServiceSpecToGRPC(spec)
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+
+		currentService, err := getService(ctx, state.controlClient, serviceIDOrName, false)
+		if err != nil {
+			return err
+		}
+
+		resp = &apitypes.ServiceUpdateResponse{}
+
+		switch serviceSpec.Task.Runtime.(type) {
+		case *swarmapi.TaskSpec_Attachment:
+			return fmt.Errorf("invalid task spec: spec type %q not supported", types.RuntimeNetworkAttachment)
+		case *swarmapi.TaskSpec_Generic:
+			switch serviceSpec.Task.GetGeneric().Kind {
+			case string(types.RuntimePlugin):
+				if spec.TaskTemplate.PluginSpec == nil {
+					return errors.New("plugin spec must be set")
+				}
+			}
+		case *swarmapi.TaskSpec_Container:
+			newCtnr := serviceSpec.Task.GetContainer()
+			if newCtnr == nil {
+				return errors.New("service does not use container tasks")
+			}
+
+			encodedAuth := flags.EncodedRegistryAuth
+			if encodedAuth != "" {
+				newCtnr.PullOptions = &swarmapi.ContainerSpec_PullOptions{RegistryAuth: encodedAuth}
+			} else {
+				// this is needed because if the encodedAuth isn't being updated then we
+				// shouldn't lose it, and continue to use the one that was already present
+				var ctnr *swarmapi.ContainerSpec
+				switch flags.RegistryAuthFrom {
+				case apitypes.RegistryAuthFromSpec, "":
+					ctnr = currentService.Spec.Task.GetContainer()
+				case apitypes.RegistryAuthFromPreviousSpec:
+					if currentService.PreviousSpec == nil {
+						return errors.New("service does not have a previous spec")
+					}
+					ctnr = currentService.PreviousSpec.Task.GetContainer()
+				default:
+					return errors.New("unsupported registryAuthFrom value")
+				}
+				if ctnr == nil {
+					return errors.New("service does not use container tasks")
+				}
+				newCtnr.PullOptions = ctnr.PullOptions
+				// update encodedAuth so it can be used to pin image by digest
+				if ctnr.PullOptions != nil {
+					encodedAuth = ctnr.PullOptions.RegistryAuth
+				}
+			}
+
+			// retrieve auth config from encoded auth
+			authConfig := &apitypes.AuthConfig{}
+			if encodedAuth != "" {
+				if err := json.NewDecoder(base64.NewDecoder(base64.URLEncoding, strings.NewReader(encodedAuth))).Decode(authConfig); err != nil {
+					logrus.Warnf("invalid authconfig: %v", err)
+				}
+			}
+
+			// pin image by digest for API versions < 1.30
+			// TODO(nishanttotla): The check on "DOCKER_SERVICE_PREFER_OFFLINE_IMAGE"
+			// should be removed in the future. Since integration tests only use the
+			// latest API version, so this is no longer required.
+			if os.Getenv("DOCKER_SERVICE_PREFER_OFFLINE_IMAGE") != "1" && queryRegistry {
+				digestImage, err := c.imageWithDigestString(ctx, newCtnr.Image, authConfig)
+				if err != nil {
+					logrus.Warnf("unable to pin image %s to digest: %s", newCtnr.Image, err.Error())
+					// warning in the client response should be concise
+					resp.Warnings = append(resp.Warnings, digestWarning(newCtnr.Image))
+				} else if newCtnr.Image != digestImage {
+					logrus.Debugf("pinning image %s by digest: %s", newCtnr.Image, digestImage)
+					newCtnr.Image = digestImage
+				} else {
+					logrus.Debugf("updating service using supplied digest reference %s", newCtnr.Image)
+				}
+
+				// Replace the context with a fresh one.
+				// If we timed out while communicating with the
+				// registry, then "ctx" will already be expired, which
+				// would cause UpdateService below to fail. Reusing
+				// "ctx" could make it impossible to update a service
+				// if the registry is slow or unresponsive.
+				var cancel func()
+				ctx, cancel = c.getRequestContext()
+				defer cancel()
+			}
+		}
+
+		var rollback swarmapi.UpdateServiceRequest_Rollback
+		switch flags.Rollback {
+		case "", "none":
+			rollback = swarmapi.UpdateServiceRequest_NONE
+		case "previous":
+			rollback = swarmapi.UpdateServiceRequest_PREVIOUS
+		default:
+			return fmt.Errorf("unrecognized rollback option %s", flags.Rollback)
+		}
+
+		_, err = state.controlClient.UpdateService(
+			ctx,
+			&swarmapi.UpdateServiceRequest{
+				ServiceID: currentService.ID,
+				Spec:      &serviceSpec,
+				ServiceVersion: &swarmapi.Version{
+					Index: version,
+				},
+				Rollback: rollback,
+			},
+		)
+		return err
+	})
+	return resp, err
+}
+
+// RemoveService removes a service from a managed swarm cluster.
+func (c *Cluster) RemoveService(input string) error {
+	return c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		service, err := getService(ctx, state.controlClient, input, false)
+		if err != nil {
+			return err
+		}
+
+		_, err = state.controlClient.RemoveService(ctx, &swarmapi.RemoveServiceRequest{ServiceID: service.ID})
+		return err
+	})
+}
+
+// ServiceLogs collects service logs and writes them back to `config.OutStream`
+func (c *Cluster) ServiceLogs(ctx context.Context, selector *backend.LogSelector, config *apitypes.ContainerLogsOptions) (<-chan *backend.LogMessage, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	state := c.currentNodeState()
+	if !state.IsActiveManager() {
+		return nil, c.errNoManager(state)
+	}
+
+	swarmSelector, err := convertSelector(ctx, state.controlClient, selector)
+	if err != nil {
+		return nil, errors.Wrap(err, "error making log selector")
+	}
+
+	// set the streams we'll use
+	stdStreams := []swarmapi.LogStream{}
+	if config.ShowStdout {
+		stdStreams = append(stdStreams, swarmapi.LogStreamStdout)
+	}
+	if config.ShowStderr {
+		stdStreams = append(stdStreams, swarmapi.LogStreamStderr)
+	}
+
+	// Get tail value squared away - the number of previous log lines we look at
+	var tail int64
+	// in ContainerLogs, if the tail value is ANYTHING non-integer, we just set
+	// it to -1 (all). i don't agree with that, but i also think no tail value
+	// should be legitimate. if you don't pass tail, we assume you want "all"
+	if config.Tail == "all" || config.Tail == "" {
+		// tail of 0 means send all logs on the swarmkit side
+		tail = 0
+	} else {
+		t, err := strconv.Atoi(config.Tail)
+		if err != nil {
+			return nil, errors.New("tail value must be a positive integer or \"all\"")
+		}
+		if t < 0 {
+			return nil, errors.New("negative tail values not supported")
+		}
+		// we actually use negative tail in swarmkit to represent messages
+		// backwards starting from the beginning. also, -1 means no logs. so,
+		// basically, for api compat with docker container logs, add one and
+		// flip the sign. we error above if you try to negative tail, which
+		// isn't supported by docker (and would error deeper in the stack
+		// anyway)
+		//
+		// See the logs protobuf for more information
+		tail = int64(-(t + 1))
+	}
+
+	// get the since value - the time in the past we're looking at logs starting from
+	var sinceProto *gogotypes.Timestamp
+	if config.Since != "" {
+		s, n, err := timetypes.ParseTimestamps(config.Since, 0)
+		if err != nil {
+			return nil, errors.Wrap(err, "could not parse since timestamp")
+		}
+		since := time.Unix(s, n)
+		sinceProto, err = gogotypes.TimestampProto(since)
+		if err != nil {
+			return nil, errors.Wrap(err, "could not parse timestamp to proto")
+		}
+	}
+
+	stream, err := state.logsClient.SubscribeLogs(ctx, &swarmapi.SubscribeLogsRequest{
+		Selector: swarmSelector,
+		Options: &swarmapi.LogSubscriptionOptions{
+			Follow:  config.Follow,
+			Streams: stdStreams,
+			Tail:    tail,
+			Since:   sinceProto,
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	messageChan := make(chan *backend.LogMessage, 1)
+	go func() {
+		defer close(messageChan)
+		for {
+			// Check the context before doing anything.
+			select {
+			case <-ctx.Done():
+				return
+			default:
+			}
+			subscribeMsg, err := stream.Recv()
+			if err == io.EOF {
+				return
+			}
+			// if we're not io.EOF, push the message in and return
+			if err != nil {
+				select {
+				case <-ctx.Done():
+				case messageChan <- &backend.LogMessage{Err: err}:
+				}
+				return
+			}
+
+			for _, msg := range subscribeMsg.Messages {
+				// make a new message
+				m := new(backend.LogMessage)
+				m.Attrs = make([]backend.LogAttr, 0, len(msg.Attrs)+3)
+				// add the timestamp, adding the error if it fails
+				m.Timestamp, err = gogotypes.TimestampFromProto(msg.Timestamp)
+				if err != nil {
+					m.Err = err
+				}
+
+				nodeKey := contextPrefix + ".node.id"
+				serviceKey := contextPrefix + ".service.id"
+				taskKey := contextPrefix + ".task.id"
+
+				// copy over all of the details
+				for _, d := range msg.Attrs {
+					switch d.Key {
+					case nodeKey, serviceKey, taskKey:
+						// we have the final say over context details (in case there
+						// is a conflict (if the user added a detail with a context's
+						// key for some reason))
+					default:
+						m.Attrs = append(m.Attrs, backend.LogAttr{Key: d.Key, Value: d.Value})
+					}
+				}
+				m.Attrs = append(m.Attrs,
+					backend.LogAttr{Key: nodeKey, Value: msg.Context.NodeID},
+					backend.LogAttr{Key: serviceKey, Value: msg.Context.ServiceID},
+					backend.LogAttr{Key: taskKey, Value: msg.Context.TaskID},
+				)
+
+				switch msg.Stream {
+				case swarmapi.LogStreamStdout:
+					m.Source = "stdout"
+				case swarmapi.LogStreamStderr:
+					m.Source = "stderr"
+				}
+				m.Line = msg.Data
+
+				// there could be a case where the reader stops accepting
+				// messages and the context is canceled. we need to check that
+				// here, or otherwise we risk blocking forever on the message
+				// send.
+				select {
+				case <-ctx.Done():
+					return
+				case messageChan <- m:
+				}
+			}
+		}
+	}()
+	return messageChan, nil
+}
+
+// convertSelector takes a backend.LogSelector, which contains raw names that
+// may or may not be valid, and converts them to an api.LogSelector proto. It
+// returns an error if something fails
+func convertSelector(ctx context.Context, cc swarmapi.ControlClient, selector *backend.LogSelector) (*swarmapi.LogSelector, error) {
+	// don't rely on swarmkit to resolve IDs, do it ourselves
+	swarmSelector := &swarmapi.LogSelector{}
+	for _, s := range selector.Services {
+		service, err := getService(ctx, cc, s, false)
+		if err != nil {
+			return nil, err
+		}
+		c := service.Spec.Task.GetContainer()
+		if c == nil {
+			return nil, errors.New("logs only supported on container tasks")
+		}
+		swarmSelector.ServiceIDs = append(swarmSelector.ServiceIDs, service.ID)
+	}
+	for _, t := range selector.Tasks {
+		task, err := getTask(ctx, cc, t)
+		if err != nil {
+			return nil, err
+		}
+		c := task.Spec.GetContainer()
+		if c == nil {
+			return nil, errors.New("logs only supported on container tasks")
+		}
+		swarmSelector.TaskIDs = append(swarmSelector.TaskIDs, task.ID)
+	}
+	return swarmSelector, nil
+}
+
+// imageWithDigestString takes an image such as name or name:tag
+// and returns the image pinned to a digest, such as name@sha256:34234
+func (c *Cluster) imageWithDigestString(ctx context.Context, image string, authConfig *apitypes.AuthConfig) (string, error) {
+	ref, err := reference.ParseAnyReference(image)
+	if err != nil {
+		return "", err
+	}
+	namedRef, ok := ref.(reference.Named)
+	if !ok {
+		if _, ok := ref.(reference.Digested); ok {
+			return image, nil
+		}
+		return "", errors.Errorf("unknown image reference format: %s", image)
+	}
+	// only query registry if not a canonical reference (i.e. with digest)
+	if _, ok := namedRef.(reference.Canonical); !ok {
+		namedRef = reference.TagNameOnly(namedRef)
+
+		taggedRef, ok := namedRef.(reference.NamedTagged)
+		if !ok {
+			return "", errors.Errorf("image reference not tagged: %s", image)
+		}
+
+		repo, _, err := c.config.ImageBackend.GetRepository(ctx, taggedRef, authConfig)
+		if err != nil {
+			return "", err
+		}
+		dscrptr, err := repo.Tags(ctx).Get(ctx, taggedRef.Tag())
+		if err != nil {
+			return "", err
+		}
+
+		namedDigestedRef, err := reference.WithDigest(taggedRef, dscrptr.Digest)
+		if err != nil {
+			return "", err
+		}
+		// return familiar form until interface updated to return type
+		return reference.FamiliarString(namedDigestedRef), nil
+	}
+	// reference already contains a digest, so just return it
+	return reference.FamiliarString(ref), nil
+}
+
+// digestWarning constructs a formatted warning string
+// using the image name that could not be pinned by digest. The
+// formatting is hardcoded, but could me made smarter in the future
+func digestWarning(image string) string {
+	return fmt.Sprintf("image %s could not be accessed on a registry to record\nits digest. Each node will access %s independently,\npossibly leading to different nodes running different\nversions of the image.\n", image, image)
+}
diff --git a/engine/daemon/cluster/swarm.go b/engine/daemon/cluster/swarm.go
new file mode 100644
index 00000000..2f498ce2
--- /dev/null
+++ b/engine/daemon/cluster/swarm.go
@@ -0,0 +1,569 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+
+	apitypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	types "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/convert"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/signal"
+	swarmapi "github.com/docker/swarmkit/api"
+	"github.com/docker/swarmkit/manager/encryption"
+	swarmnode "github.com/docker/swarmkit/node"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Init initializes new cluster from user provided request.
+func (c *Cluster) Init(req types.InitRequest) (string, error) {
+	c.controlMutex.Lock()
+	defer c.controlMutex.Unlock()
+	if c.nr != nil {
+		if req.ForceNewCluster {
+
+			// Take c.mu temporarily to wait for presently running
+			// API handlers to finish before shutting down the node.
+			c.mu.Lock()
+			if !c.nr.nodeState.IsManager() {
+				return "", errSwarmNotManager
+			}
+			c.mu.Unlock()
+
+			if err := c.nr.Stop(); err != nil {
+				return "", err
+			}
+		} else {
+			return "", errSwarmExists
+		}
+	}
+
+	if err := validateAndSanitizeInitRequest(&req); err != nil {
+		return "", errdefs.InvalidParameter(err)
+	}
+
+	listenHost, listenPort, err := resolveListenAddr(req.ListenAddr)
+	if err != nil {
+		return "", err
+	}
+
+	advertiseHost, advertisePort, err := c.resolveAdvertiseAddr(req.AdvertiseAddr, listenPort)
+	if err != nil {
+		return "", err
+	}
+
+	dataPathAddr, err := resolveDataPathAddr(req.DataPathAddr)
+	if err != nil {
+		return "", err
+	}
+
+	localAddr := listenHost
+
+	// If the local address is undetermined, the advertise address
+	// will be used as local address, if it belongs to this system.
+	// If the advertise address is not local, then we try to find
+	// a system address to use as local address. If this fails,
+	// we give up and ask the user to pass the listen address.
+	if net.ParseIP(localAddr).IsUnspecified() {
+		advertiseIP := net.ParseIP(advertiseHost)
+
+		found := false
+		for _, systemIP := range listSystemIPs() {
+			if systemIP.Equal(advertiseIP) {
+				localAddr = advertiseIP.String()
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			ip, err := c.resolveSystemAddr()
+			if err != nil {
+				logrus.Warnf("Could not find a local address: %v", err)
+				return "", errMustSpecifyListenAddr
+			}
+			localAddr = ip.String()
+		}
+	}
+
+	nr, err := c.newNodeRunner(nodeStartConfig{
+		forceNewCluster: req.ForceNewCluster,
+		autolock:        req.AutoLockManagers,
+		LocalAddr:       localAddr,
+		ListenAddr:      net.JoinHostPort(listenHost, listenPort),
+		AdvertiseAddr:   net.JoinHostPort(advertiseHost, advertisePort),
+		DataPathAddr:    dataPathAddr,
+		availability:    req.Availability,
+	})
+	if err != nil {
+		return "", err
+	}
+	c.mu.Lock()
+	c.nr = nr
+	c.mu.Unlock()
+
+	if err := <-nr.Ready(); err != nil {
+		c.mu.Lock()
+		c.nr = nil
+		c.mu.Unlock()
+		if !req.ForceNewCluster { // if failure on first attempt don't keep state
+			if err := clearPersistentState(c.root); err != nil {
+				return "", err
+			}
+		}
+		return "", err
+	}
+	state := nr.State()
+	if state.swarmNode == nil { // should never happen but protect from panic
+		return "", errors.New("invalid cluster state for spec initialization")
+	}
+	if err := initClusterSpec(state.swarmNode, req.Spec); err != nil {
+		return "", err
+	}
+	return state.NodeID(), nil
+}
+
+// Join makes current Cluster part of an existing swarm cluster.
+func (c *Cluster) Join(req types.JoinRequest) error {
+	c.controlMutex.Lock()
+	defer c.controlMutex.Unlock()
+	c.mu.Lock()
+	if c.nr != nil {
+		c.mu.Unlock()
+		return errors.WithStack(errSwarmExists)
+	}
+	c.mu.Unlock()
+
+	if err := validateAndSanitizeJoinRequest(&req); err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	listenHost, listenPort, err := resolveListenAddr(req.ListenAddr)
+	if err != nil {
+		return err
+	}
+
+	var advertiseAddr string
+	if req.AdvertiseAddr != "" {
+		advertiseHost, advertisePort, err := c.resolveAdvertiseAddr(req.AdvertiseAddr, listenPort)
+		// For joining, we don't need to provide an advertise address,
+		// since the remote side can detect it.
+		if err == nil {
+			advertiseAddr = net.JoinHostPort(advertiseHost, advertisePort)
+		}
+	}
+
+	dataPathAddr, err := resolveDataPathAddr(req.DataPathAddr)
+	if err != nil {
+		return err
+	}
+
+	nr, err := c.newNodeRunner(nodeStartConfig{
+		RemoteAddr:    req.RemoteAddrs[0],
+		ListenAddr:    net.JoinHostPort(listenHost, listenPort),
+		AdvertiseAddr: advertiseAddr,
+		DataPathAddr:  dataPathAddr,
+		joinAddr:      req.RemoteAddrs[0],
+		joinToken:     req.JoinToken,
+		availability:  req.Availability,
+	})
+	if err != nil {
+		return err
+	}
+
+	c.mu.Lock()
+	c.nr = nr
+	c.mu.Unlock()
+
+	select {
+	case <-time.After(swarmConnectTimeout):
+		return errSwarmJoinTimeoutReached
+	case err := <-nr.Ready():
+		if err != nil {
+			c.mu.Lock()
+			c.nr = nil
+			c.mu.Unlock()
+			if err := clearPersistentState(c.root); err != nil {
+				return err
+			}
+		}
+		return err
+	}
+}
+
+// Inspect retrieves the configuration properties of a managed swarm cluster.
+func (c *Cluster) Inspect() (types.Swarm, error) {
+	var swarm types.Swarm
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		s, err := c.inspect(ctx, state)
+		if err != nil {
+			return err
+		}
+		swarm = s
+		return nil
+	}); err != nil {
+		return types.Swarm{}, err
+	}
+	return swarm, nil
+}
+
+func (c *Cluster) inspect(ctx context.Context, state nodeState) (types.Swarm, error) {
+	s, err := getSwarm(ctx, state.controlClient)
+	if err != nil {
+		return types.Swarm{}, err
+	}
+	return convert.SwarmFromGRPC(*s), nil
+}
+
+// Update updates configuration of a managed swarm cluster.
+func (c *Cluster) Update(version uint64, spec types.Spec, flags types.UpdateFlags) error {
+	return c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		swarm, err := getSwarm(ctx, state.controlClient)
+		if err != nil {
+			return err
+		}
+
+		// Validate spec name.
+		if spec.Annotations.Name == "" {
+			spec.Annotations.Name = "default"
+		} else if spec.Annotations.Name != "default" {
+			return errdefs.InvalidParameter(errors.New(`swarm spec must be named "default"`))
+		}
+
+		// In update, client should provide the complete spec of the swarm, including
+		// Name and Labels. If a field is specified with 0 or nil, then the default value
+		// will be used to swarmkit.
+		clusterSpec, err := convert.SwarmSpecToGRPC(spec)
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+
+		_, err = state.controlClient.UpdateCluster(
+			ctx,
+			&swarmapi.UpdateClusterRequest{
+				ClusterID: swarm.ID,
+				Spec:      &clusterSpec,
+				ClusterVersion: &swarmapi.Version{
+					Index: version,
+				},
+				Rotation: swarmapi.KeyRotation{
+					WorkerJoinToken:  flags.RotateWorkerToken,
+					ManagerJoinToken: flags.RotateManagerToken,
+					ManagerUnlockKey: flags.RotateManagerUnlockKey,
+				},
+			},
+		)
+		return err
+	})
+}
+
+// GetUnlockKey returns the unlock key for the swarm.
+func (c *Cluster) GetUnlockKey() (string, error) {
+	var resp *swarmapi.GetUnlockKeyResponse
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		client := swarmapi.NewCAClient(state.grpcConn)
+
+		r, err := client.GetUnlockKey(ctx, &swarmapi.GetUnlockKeyRequest{})
+		if err != nil {
+			return err
+		}
+		resp = r
+		return nil
+	}); err != nil {
+		return "", err
+	}
+	if len(resp.UnlockKey) == 0 {
+		// no key
+		return "", nil
+	}
+	return encryption.HumanReadableKey(resp.UnlockKey), nil
+}
+
+// UnlockSwarm provides a key to decrypt data that is encrypted at rest.
+func (c *Cluster) UnlockSwarm(req types.UnlockRequest) error {
+	c.controlMutex.Lock()
+	defer c.controlMutex.Unlock()
+
+	c.mu.RLock()
+	state := c.currentNodeState()
+
+	if !state.IsActiveManager() {
+		// when manager is not active,
+		// unless it is locked, otherwise return error.
+		if err := c.errNoManager(state); err != errSwarmLocked {
+			c.mu.RUnlock()
+			return err
+		}
+	} else {
+		// when manager is active, return an error of "not locked"
+		c.mu.RUnlock()
+		return notLockedError{}
+	}
+
+	// only when swarm is locked, code running reaches here
+	nr := c.nr
+	c.mu.RUnlock()
+
+	key, err := encryption.ParseHumanReadableKey(req.UnlockKey)
+	if err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	config := nr.config
+	config.lockKey = key
+	if err := nr.Stop(); err != nil {
+		return err
+	}
+	nr, err = c.newNodeRunner(config)
+	if err != nil {
+		return err
+	}
+
+	c.mu.Lock()
+	c.nr = nr
+	c.mu.Unlock()
+
+	if err := <-nr.Ready(); err != nil {
+		if errors.Cause(err) == errSwarmLocked {
+			return invalidUnlockKey{}
+		}
+		return errors.Errorf("swarm component could not be started: %v", err)
+	}
+	return nil
+}
+
+// Leave shuts down Cluster and removes current state.
+func (c *Cluster) Leave(force bool) error {
+	c.controlMutex.Lock()
+	defer c.controlMutex.Unlock()
+
+	c.mu.Lock()
+	nr := c.nr
+	if nr == nil {
+		c.mu.Unlock()
+		return errors.WithStack(errNoSwarm)
+	}
+
+	state := c.currentNodeState()
+
+	c.mu.Unlock()
+
+	if errors.Cause(state.err) == errSwarmLocked && !force {
+		// leave a locked swarm without --force is not allowed
+		return errors.WithStack(notAvailableError("Swarm is encrypted and locked. Please unlock it first or use `--force` to ignore this message."))
+	}
+
+	if state.IsManager() && !force {
+		msg := "You are attempting to leave the swarm on a node that is participating as a manager. "
+		if state.IsActiveManager() {
+			active, reachable, unreachable, err := managerStats(state.controlClient, state.NodeID())
+			if err == nil {
+				if active && removingManagerCausesLossOfQuorum(reachable, unreachable) {
+					if isLastManager(reachable, unreachable) {
+						msg += "Removing the last manager erases all current state of the swarm. Use `--force` to ignore this message. "
+						return errors.WithStack(notAvailableError(msg))
+					}
+					msg += fmt.Sprintf("Removing this node leaves %v managers out of %v. Without a Raft quorum your swarm will be inaccessible. ", reachable-1, reachable+unreachable)
+				}
+			}
+		} else {
+			msg += "Doing so may lose the consensus of your cluster. "
+		}
+
+		msg += "The only way to restore a swarm that has lost consensus is to reinitialize it with `--force-new-cluster`. Use `--force` to suppress this message."
+		return errors.WithStack(notAvailableError(msg))
+	}
+	// release readers in here
+	if err := nr.Stop(); err != nil {
+		logrus.Errorf("failed to shut down cluster node: %v", err)
+		signal.DumpStacks("")
+		return err
+	}
+
+	c.mu.Lock()
+	c.nr = nil
+	c.mu.Unlock()
+
+	if nodeID := state.NodeID(); nodeID != "" {
+		nodeContainers, err := c.listContainerForNode(nodeID)
+		if err != nil {
+			return err
+		}
+		for _, id := range nodeContainers {
+			if err := c.config.Backend.ContainerRm(id, &apitypes.ContainerRmConfig{ForceRemove: true}); err != nil {
+				logrus.Errorf("error removing %v: %v", id, err)
+			}
+		}
+	}
+
+	// todo: cleanup optional?
+	if err := clearPersistentState(c.root); err != nil {
+		return err
+	}
+	c.config.Backend.DaemonLeavesCluster()
+	return nil
+}
+
+// Info returns information about the current cluster state.
+func (c *Cluster) Info() types.Info {
+	info := types.Info{
+		NodeAddr: c.GetAdvertiseAddress(),
+	}
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	state := c.currentNodeState()
+	info.LocalNodeState = state.status
+	if state.err != nil {
+		info.Error = state.err.Error()
+	}
+
+	ctx, cancel := c.getRequestContext()
+	defer cancel()
+
+	if state.IsActiveManager() {
+		info.ControlAvailable = true
+		swarm, err := c.inspect(ctx, state)
+		if err != nil {
+			info.Error = err.Error()
+		}
+
+		info.Cluster = &swarm.ClusterInfo
+
+		if r, err := state.controlClient.ListNodes(ctx, &swarmapi.ListNodesRequest{}); err != nil {
+			info.Error = err.Error()
+		} else {
+			info.Nodes = len(r.Nodes)
+			for _, n := range r.Nodes {
+				if n.ManagerStatus != nil {
+					info.Managers = info.Managers + 1
+				}
+			}
+		}
+	}
+
+	if state.swarmNode != nil {
+		for _, r := range state.swarmNode.Remotes() {
+			info.RemoteManagers = append(info.RemoteManagers, types.Peer{NodeID: r.NodeID, Addr: r.Addr})
+		}
+		info.NodeID = state.swarmNode.NodeID()
+	}
+
+	return info
+}
+
+func validateAndSanitizeInitRequest(req *types.InitRequest) error {
+	var err error
+	req.ListenAddr, err = validateAddr(req.ListenAddr)
+	if err != nil {
+		return fmt.Errorf("invalid ListenAddr %q: %v", req.ListenAddr, err)
+	}
+
+	if req.Spec.Annotations.Name == "" {
+		req.Spec.Annotations.Name = "default"
+	} else if req.Spec.Annotations.Name != "default" {
+		return errors.New(`swarm spec must be named "default"`)
+	}
+
+	return nil
+}
+
+func validateAndSanitizeJoinRequest(req *types.JoinRequest) error {
+	var err error
+	req.ListenAddr, err = validateAddr(req.ListenAddr)
+	if err != nil {
+		return fmt.Errorf("invalid ListenAddr %q: %v", req.ListenAddr, err)
+	}
+	if len(req.RemoteAddrs) == 0 {
+		return errors.New("at least 1 RemoteAddr is required to join")
+	}
+	for i := range req.RemoteAddrs {
+		req.RemoteAddrs[i], err = validateAddr(req.RemoteAddrs[i])
+		if err != nil {
+			return fmt.Errorf("invalid remoteAddr %q: %v", req.RemoteAddrs[i], err)
+		}
+	}
+	return nil
+}
+
+func validateAddr(addr string) (string, error) {
+	if addr == "" {
+		return addr, errors.New("invalid empty address")
+	}
+	newaddr, err := opts.ParseTCPAddr(addr, defaultAddr)
+	if err != nil {
+		return addr, nil
+	}
+	return strings.TrimPrefix(newaddr, "tcp://"), nil
+}
+
+func initClusterSpec(node *swarmnode.Node, spec types.Spec) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	for conn := range node.ListenControlSocket(ctx) {
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		if conn != nil {
+			client := swarmapi.NewControlClient(conn)
+			var cluster *swarmapi.Cluster
+			for i := 0; ; i++ {
+				lcr, err := client.ListClusters(ctx, &swarmapi.ListClustersRequest{})
+				if err != nil {
+					return fmt.Errorf("error on listing clusters: %v", err)
+				}
+				if len(lcr.Clusters) == 0 {
+					if i < 10 {
+						time.Sleep(200 * time.Millisecond)
+						continue
+					}
+					return errors.New("empty list of clusters was returned")
+				}
+				cluster = lcr.Clusters[0]
+				break
+			}
+			// In init, we take the initial default values from swarmkit, and merge
+			// any non nil or 0 value from spec to GRPC spec. This will leave the
+			// default value alone.
+			// Note that this is different from Update(), as in Update() we expect
+			// user to specify the complete spec of the cluster (as they already know
+			// the existing one and knows which field to update)
+			clusterSpec, err := convert.MergeSwarmSpecToGRPC(spec, cluster.Spec)
+			if err != nil {
+				return fmt.Errorf("error updating cluster settings: %v", err)
+			}
+			_, err = client.UpdateCluster(ctx, &swarmapi.UpdateClusterRequest{
+				ClusterID:      cluster.ID,
+				ClusterVersion: &cluster.Meta.Version,
+				Spec:           &clusterSpec,
+			})
+			if err != nil {
+				return fmt.Errorf("error updating cluster settings: %v", err)
+			}
+			return nil
+		}
+	}
+	return ctx.Err()
+}
+
+func (c *Cluster) listContainerForNode(nodeID string) ([]string, error) {
+	var ids []string
+	filters := filters.NewArgs()
+	filters.Add("label", fmt.Sprintf("com.docker.swarm.node.id=%s", nodeID))
+	containers, err := c.config.Backend.Containers(&apitypes.ContainerListOptions{
+		Filters: filters,
+	})
+	if err != nil {
+		return []string{}, err
+	}
+	for _, c := range containers {
+		ids = append(ids, c.ID)
+	}
+	return ids, nil
+}
diff --git a/engine/daemon/cluster/tasks.go b/engine/daemon/cluster/tasks.go
new file mode 100644
index 00000000..de1240df
--- /dev/null
+++ b/engine/daemon/cluster/tasks.go
@@ -0,0 +1,87 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"context"
+
+	apitypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	types "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/convert"
+	swarmapi "github.com/docker/swarmkit/api"
+)
+
+// GetTasks returns a list of tasks matching the filter options.
+func (c *Cluster) GetTasks(options apitypes.TaskListOptions) ([]types.Task, error) {
+	var r *swarmapi.ListTasksResponse
+
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		filterTransform := func(filter filters.Args) error {
+			if filter.Contains("service") {
+				serviceFilters := filter.Get("service")
+				for _, serviceFilter := range serviceFilters {
+					service, err := getService(ctx, state.controlClient, serviceFilter, false)
+					if err != nil {
+						return err
+					}
+					filter.Del("service", serviceFilter)
+					filter.Add("service", service.ID)
+				}
+			}
+			if filter.Contains("node") {
+				nodeFilters := filter.Get("node")
+				for _, nodeFilter := range nodeFilters {
+					node, err := getNode(ctx, state.controlClient, nodeFilter)
+					if err != nil {
+						return err
+					}
+					filter.Del("node", nodeFilter)
+					filter.Add("node", node.ID)
+				}
+			}
+			if !filter.Contains("runtime") {
+				// default to only showing container tasks
+				filter.Add("runtime", "container")
+				filter.Add("runtime", "")
+			}
+			return nil
+		}
+
+		filters, err := newListTasksFilters(options.Filters, filterTransform)
+		if err != nil {
+			return err
+		}
+
+		r, err = state.controlClient.ListTasks(
+			ctx,
+			&swarmapi.ListTasksRequest{Filters: filters})
+		return err
+	}); err != nil {
+		return nil, err
+	}
+
+	tasks := make([]types.Task, 0, len(r.Tasks))
+	for _, task := range r.Tasks {
+		t, err := convert.TaskFromGRPC(*task)
+		if err != nil {
+			return nil, err
+		}
+		tasks = append(tasks, t)
+	}
+	return tasks, nil
+}
+
+// GetTask returns a task by an ID.
+func (c *Cluster) GetTask(input string) (types.Task, error) {
+	var task *swarmapi.Task
+	if err := c.lockedManagerAction(func(ctx context.Context, state nodeState) error {
+		t, err := getTask(ctx, state.controlClient, input)
+		if err != nil {
+			return err
+		}
+		task = t
+		return nil
+	}); err != nil {
+		return types.Task{}, err
+	}
+	return convert.TaskFromGRPC(*task)
+}
diff --git a/engine/daemon/cluster/utils.go b/engine/daemon/cluster/utils.go
new file mode 100644
index 00000000..d55e0012
--- /dev/null
+++ b/engine/daemon/cluster/utils.go
@@ -0,0 +1,63 @@
+package cluster // import "github.com/docker/docker/daemon/cluster"
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/pkg/ioutils"
+)
+
+func loadPersistentState(root string) (*nodeStartConfig, error) {
+	dt, err := ioutil.ReadFile(filepath.Join(root, stateFile))
+	if err != nil {
+		return nil, err
+	}
+	// missing certificate means no actual state to restore from
+	if _, err := os.Stat(filepath.Join(root, "certificates/swarm-node.crt")); err != nil {
+		if os.IsNotExist(err) {
+			clearPersistentState(root)
+		}
+		return nil, err
+	}
+	var st nodeStartConfig
+	if err := json.Unmarshal(dt, &st); err != nil {
+		return nil, err
+	}
+	return &st, nil
+}
+
+func savePersistentState(root string, config nodeStartConfig) error {
+	dt, err := json.Marshal(config)
+	if err != nil {
+		return err
+	}
+	return ioutils.AtomicWriteFile(filepath.Join(root, stateFile), dt, 0600)
+}
+
+func clearPersistentState(root string) error {
+	// todo: backup this data instead of removing?
+	// rather than delete the entire swarm directory, delete the contents in order to preserve the inode
+	// (for example, allowing it to be bind-mounted)
+	files, err := ioutil.ReadDir(root)
+	if err != nil {
+		return err
+	}
+
+	for _, f := range files {
+		if err := os.RemoveAll(filepath.Join(root, f.Name())); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func removingManagerCausesLossOfQuorum(reachable, unreachable int) bool {
+	return reachable-2 <= unreachable
+}
+
+func isLastManager(reachable, unreachable int) bool {
+	return reachable == 1 && unreachable == 0
+}
diff --git a/engine/daemon/commit.go b/engine/daemon/commit.go
new file mode 100644
index 00000000..0f6f4405
--- /dev/null
+++ b/engine/daemon/commit.go
@@ -0,0 +1,186 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/backend"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/builder/dockerfile"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+)
+
+// merge merges two Config, the image container configuration (defaults values),
+// and the user container configuration, either passed by the API or generated
+// by the cli.
+// It will mutate the specified user configuration (userConf) with the image
+// configuration where the user configuration is incomplete.
+func merge(userConf, imageConf *containertypes.Config) error {
+	if userConf.User == "" {
+		userConf.User = imageConf.User
+	}
+	if len(userConf.ExposedPorts) == 0 {
+		userConf.ExposedPorts = imageConf.ExposedPorts
+	} else if imageConf.ExposedPorts != nil {
+		for port := range imageConf.ExposedPorts {
+			if _, exists := userConf.ExposedPorts[port]; !exists {
+				userConf.ExposedPorts[port] = struct{}{}
+			}
+		}
+	}
+
+	if len(userConf.Env) == 0 {
+		userConf.Env = imageConf.Env
+	} else {
+		for _, imageEnv := range imageConf.Env {
+			found := false
+			imageEnvKey := strings.Split(imageEnv, "=")[0]
+			for _, userEnv := range userConf.Env {
+				userEnvKey := strings.Split(userEnv, "=")[0]
+				if runtime.GOOS == "windows" {
+					// Case insensitive environment variables on Windows
+					imageEnvKey = strings.ToUpper(imageEnvKey)
+					userEnvKey = strings.ToUpper(userEnvKey)
+				}
+				if imageEnvKey == userEnvKey {
+					found = true
+					break
+				}
+			}
+			if !found {
+				userConf.Env = append(userConf.Env, imageEnv)
+			}
+		}
+	}
+
+	if userConf.Labels == nil {
+		userConf.Labels = map[string]string{}
+	}
+	for l, v := range imageConf.Labels {
+		if _, ok := userConf.Labels[l]; !ok {
+			userConf.Labels[l] = v
+		}
+	}
+
+	if len(userConf.Entrypoint) == 0 {
+		if len(userConf.Cmd) == 0 {
+			userConf.Cmd = imageConf.Cmd
+			userConf.ArgsEscaped = imageConf.ArgsEscaped
+		}
+
+		if userConf.Entrypoint == nil {
+			userConf.Entrypoint = imageConf.Entrypoint
+		}
+	}
+	if imageConf.Healthcheck != nil {
+		if userConf.Healthcheck == nil {
+			userConf.Healthcheck = imageConf.Healthcheck
+		} else {
+			if len(userConf.Healthcheck.Test) == 0 {
+				userConf.Healthcheck.Test = imageConf.Healthcheck.Test
+			}
+			if userConf.Healthcheck.Interval == 0 {
+				userConf.Healthcheck.Interval = imageConf.Healthcheck.Interval
+			}
+			if userConf.Healthcheck.Timeout == 0 {
+				userConf.Healthcheck.Timeout = imageConf.Healthcheck.Timeout
+			}
+			if userConf.Healthcheck.StartPeriod == 0 {
+				userConf.Healthcheck.StartPeriod = imageConf.Healthcheck.StartPeriod
+			}
+			if userConf.Healthcheck.Retries == 0 {
+				userConf.Healthcheck.Retries = imageConf.Healthcheck.Retries
+			}
+		}
+	}
+
+	if userConf.WorkingDir == "" {
+		userConf.WorkingDir = imageConf.WorkingDir
+	}
+	if len(userConf.Volumes) == 0 {
+		userConf.Volumes = imageConf.Volumes
+	} else {
+		for k, v := range imageConf.Volumes {
+			userConf.Volumes[k] = v
+		}
+	}
+
+	if userConf.StopSignal == "" {
+		userConf.StopSignal = imageConf.StopSignal
+	}
+	return nil
+}
+
+// CreateImageFromContainer creates a new image from a container. The container
+// config will be updated by applying the change set to the custom config, then
+// applying that config over the existing container config.
+func (daemon *Daemon) CreateImageFromContainer(name string, c *backend.CreateImageConfig) (string, error) {
+	start := time.Now()
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return "", err
+	}
+
+	// It is not possible to commit a running container on Windows
+	if (runtime.GOOS == "windows") && container.IsRunning() {
+		return "", errors.Errorf("%+v does not support commit of a running container", runtime.GOOS)
+	}
+
+	if container.IsDead() {
+		err := fmt.Errorf("You cannot commit container %s which is Dead", container.ID)
+		return "", errdefs.Conflict(err)
+	}
+
+	if container.IsRemovalInProgress() {
+		err := fmt.Errorf("You cannot commit container %s which is being removed", container.ID)
+		return "", errdefs.Conflict(err)
+	}
+
+	if c.Pause && !container.IsPaused() {
+		daemon.containerPause(container)
+		defer daemon.containerUnpause(container)
+	}
+
+	if c.Config == nil {
+		c.Config = container.Config
+	}
+	newConfig, err := dockerfile.BuildFromConfig(c.Config, c.Changes, container.OS)
+	if err != nil {
+		return "", err
+	}
+	if err := merge(newConfig, container.Config); err != nil {
+		return "", err
+	}
+
+	id, err := daemon.imageService.CommitImage(backend.CommitConfig{
+		Author:              c.Author,
+		Comment:             c.Comment,
+		Config:              newConfig,
+		ContainerConfig:     container.Config,
+		ContainerID:         container.ID,
+		ContainerMountLabel: container.MountLabel,
+		ContainerOS:         container.OS,
+		ParentImageID:       string(container.ImageID),
+	})
+	if err != nil {
+		return "", err
+	}
+
+	var imageRef string
+	if c.Repo != "" {
+		imageRef, err = daemon.imageService.TagImage(string(id), c.Repo, c.Tag)
+		if err != nil {
+			return "", err
+		}
+	}
+	daemon.LogContainerEventWithAttributes(container, "commit", map[string]string{
+		"comment":  c.Comment,
+		"imageID":  id.String(),
+		"imageRef": imageRef,
+	})
+	containerActions.WithValues("commit").UpdateSince(start)
+	return id.String(), nil
+}
diff --git a/engine/daemon/config/config.go b/engine/daemon/config/config.go
new file mode 100644
index 00000000..6cda223a
--- /dev/null
+++ b/engine/daemon/config/config.go
@@ -0,0 +1,567 @@
+package config // import "github.com/docker/docker/daemon/config"
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"reflect"
+	"runtime"
+	"strings"
+	"sync"
+
+	daemondiscovery "github.com/docker/docker/daemon/discovery"
+	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/authorization"
+	"github.com/docker/docker/pkg/discovery"
+	"github.com/docker/docker/registry"
+	"github.com/imdario/mergo"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/pflag"
+)
+
+const (
+	// DefaultMaxConcurrentDownloads is the default value for
+	// maximum number of downloads that
+	// may take place at a time for each pull.
+	DefaultMaxConcurrentDownloads = 3
+	// DefaultMaxConcurrentUploads is the default value for
+	// maximum number of uploads that
+	// may take place at a time for each push.
+	DefaultMaxConcurrentUploads = 5
+	// StockRuntimeName is the reserved name/alias used to represent the
+	// OCI runtime being shipped with the docker daemon package.
+	StockRuntimeName = "runc"
+	// DefaultShmSize is the default value for container's shm size
+	DefaultShmSize = int64(67108864)
+	// DefaultNetworkMtu is the default value for network MTU
+	DefaultNetworkMtu = 1500
+	// DisableNetworkBridge is the default value of the option to disable network bridge
+	DisableNetworkBridge = "none"
+	// DefaultInitBinary is the name of the default init binary
+	DefaultInitBinary = "docker-init"
+)
+
+// flatOptions contains configuration keys
+// that MUST NOT be parsed as deep structures.
+// Use this to differentiate these options
+// with others like the ones in CommonTLSOptions.
+var flatOptions = map[string]bool{
+	"cluster-store-opts": true,
+	"log-opts":           true,
+	"runtimes":           true,
+	"default-ulimits":    true,
+}
+
+// LogConfig represents the default log configuration.
+// It includes json tags to deserialize configuration from a file
+// using the same names that the flags in the command line use.
+type LogConfig struct {
+	Type   string            `json:"log-driver,omitempty"`
+	Config map[string]string `json:"log-opts,omitempty"`
+}
+
+// commonBridgeConfig stores all the platform-common bridge driver specific
+// configuration.
+type commonBridgeConfig struct {
+	Iface     string `json:"bridge,omitempty"`
+	FixedCIDR string `json:"fixed-cidr,omitempty"`
+}
+
+// NetworkConfig stores the daemon-wide networking configurations
+type NetworkConfig struct {
+	// Default address pools for docker networks
+	DefaultAddressPools opts.PoolsOpt `json:"default-address-pools,omitempty"`
+}
+
+// CommonTLSOptions defines TLS configuration for the daemon server.
+// It includes json tags to deserialize configuration from a file
+// using the same names that the flags in the command line use.
+type CommonTLSOptions struct {
+	CAFile   string `json:"tlscacert,omitempty"`
+	CertFile string `json:"tlscert,omitempty"`
+	KeyFile  string `json:"tlskey,omitempty"`
+}
+
+// CommonConfig defines the configuration of a docker daemon which is
+// common across platforms.
+// It includes json tags to deserialize configuration from a file
+// using the same names that the flags in the command line use.
+type CommonConfig struct {
+	AuthzMiddleware       *authorization.Middleware `json:"-"`
+	AuthorizationPlugins  []string                  `json:"authorization-plugins,omitempty"` // AuthorizationPlugins holds list of authorization plugins
+	AutoRestart           bool                      `json:"-"`
+	Context               map[string][]string       `json:"-"`
+	DisableBridge         bool                      `json:"-"`
+	DNS                   []string                  `json:"dns,omitempty"`
+	DNSOptions            []string                  `json:"dns-opts,omitempty"`
+	DNSSearch             []string                  `json:"dns-search,omitempty"`
+	ExecOptions           []string                  `json:"exec-opts,omitempty"`
+	GraphDriver           string                    `json:"storage-driver,omitempty"`
+	GraphOptions          []string                  `json:"storage-opts,omitempty"`
+	Labels                []string                  `json:"labels,omitempty"`
+	Mtu                   int                       `json:"mtu,omitempty"`
+	NetworkDiagnosticPort int                       `json:"network-diagnostic-port,omitempty"`
+	Pidfile               string                    `json:"pidfile,omitempty"`
+	RawLogs               bool                      `json:"raw-logs,omitempty"`
+	RootDeprecated        string                    `json:"graph,omitempty"`
+	Root                  string                    `json:"data-root,omitempty"`
+	ExecRoot              string                    `json:"exec-root,omitempty"`
+	SocketGroup           string                    `json:"group,omitempty"`
+	CorsHeaders           string                    `json:"api-cors-header,omitempty"`
+
+	// TrustKeyPath is used to generate the daemon ID and for signing schema 1 manifests
+	// when pushing to a registry which does not support schema 2. This field is marked as
+	// deprecated because schema 1 manifests are deprecated in favor of schema 2 and the
+	// daemon ID will use a dedicated identifier not shared with exported signatures.
+	TrustKeyPath string `json:"deprecated-key-path,omitempty"`
+
+	// LiveRestoreEnabled determines whether we should keep containers
+	// alive upon daemon shutdown/start
+	LiveRestoreEnabled bool `json:"live-restore,omitempty"`
+
+	// ClusterStore is the storage backend used for the cluster information. It is used by both
+	// multihost networking (to store networks and endpoints information) and by the node discovery
+	// mechanism.
+	ClusterStore string `json:"cluster-store,omitempty"`
+
+	// ClusterOpts is used to pass options to the discovery package for tuning libkv settings, such
+	// as TLS configuration settings.
+	ClusterOpts map[string]string `json:"cluster-store-opts,omitempty"`
+
+	// ClusterAdvertise is the network endpoint that the Engine advertises for the purpose of node
+	// discovery. This should be a 'host:port' combination on which that daemon instance is
+	// reachable by other hosts.
+	ClusterAdvertise string `json:"cluster-advertise,omitempty"`
+
+	// MaxConcurrentDownloads is the maximum number of downloads that
+	// may take place at a time for each pull.
+	MaxConcurrentDownloads *int `json:"max-concurrent-downloads,omitempty"`
+
+	// MaxConcurrentUploads is the maximum number of uploads that
+	// may take place at a time for each push.
+	MaxConcurrentUploads *int `json:"max-concurrent-uploads,omitempty"`
+
+	// ShutdownTimeout is the timeout value (in seconds) the daemon will wait for the container
+	// to stop when daemon is being shutdown
+	ShutdownTimeout int `json:"shutdown-timeout,omitempty"`
+
+	Debug     bool     `json:"debug,omitempty"`
+	Hosts     []string `json:"hosts,omitempty"`
+	LogLevel  string   `json:"log-level,omitempty"`
+	TLS       bool     `json:"tls,omitempty"`
+	TLSVerify bool     `json:"tlsverify,omitempty"`
+
+	// Embedded structs that allow config
+	// deserialization without the full struct.
+	CommonTLSOptions
+
+	// SwarmDefaultAdvertiseAddr is the default host/IP or network interface
+	// to use if a wildcard address is specified in the ListenAddr value
+	// given to the /swarm/init endpoint and no advertise address is
+	// specified.
+	SwarmDefaultAdvertiseAddr string `json:"swarm-default-advertise-addr"`
+
+	// SwarmRaftHeartbeatTick is the number of ticks in time for swarm mode raft quorum heartbeat
+	// Typical value is 1
+	SwarmRaftHeartbeatTick uint32 `json:"swarm-raft-heartbeat-tick"`
+
+	// SwarmRaftElectionTick is the number of ticks to elapse before followers in the quorum can propose
+	// a new round of leader election.  Default, recommended value is at least 10X that of Heartbeat tick.
+	// Higher values can make the quorum less sensitive to transient faults in the environment, but this also
+	// means it takes longer for the managers to detect a down leader.
+	SwarmRaftElectionTick uint32 `json:"swarm-raft-election-tick"`
+
+	MetricsAddress string `json:"metrics-addr"`
+
+	LogConfig
+	BridgeConfig // bridgeConfig holds bridge network specific configuration.
+	NetworkConfig
+	registry.ServiceOptions
+
+	sync.Mutex
+	// FIXME(vdemeester) This part is not that clear and is mainly dependent on cli flags
+	// It should probably be handled outside this package.
+	ValuesSet map[string]interface{} `json:"-"`
+
+	Experimental bool `json:"experimental"` // Experimental indicates whether experimental features should be exposed or not
+
+	// Exposed node Generic Resources
+	// e.g: ["orange=red", "orange=green", "orange=blue", "apple=3"]
+	NodeGenericResources []string `json:"node-generic-resources,omitempty"`
+	// NetworkControlPlaneMTU allows to specify the control plane MTU, this will allow to optimize the network use in some components
+	NetworkControlPlaneMTU int `json:"network-control-plane-mtu,omitempty"`
+
+	// ContainerAddr is the address used to connect to containerd if we're
+	// not starting it ourselves
+	ContainerdAddr string `json:"containerd,omitempty"`
+}
+
+// IsValueSet returns true if a configuration value
+// was explicitly set in the configuration file.
+func (conf *Config) IsValueSet(name string) bool {
+	if conf.ValuesSet == nil {
+		return false
+	}
+	_, ok := conf.ValuesSet[name]
+	return ok
+}
+
+// New returns a new fully initialized Config struct
+func New() *Config {
+	config := Config{}
+	config.LogConfig.Config = make(map[string]string)
+	config.ClusterOpts = make(map[string]string)
+
+	if runtime.GOOS != "linux" {
+		config.V2Only = true
+	}
+	return &config
+}
+
+// ParseClusterAdvertiseSettings parses the specified advertise settings
+func ParseClusterAdvertiseSettings(clusterStore, clusterAdvertise string) (string, error) {
+	if clusterAdvertise == "" {
+		return "", daemondiscovery.ErrDiscoveryDisabled
+	}
+	if clusterStore == "" {
+		return "", errors.New("invalid cluster configuration. --cluster-advertise must be accompanied by --cluster-store configuration")
+	}
+
+	advertise, err := discovery.ParseAdvertise(clusterAdvertise)
+	if err != nil {
+		return "", fmt.Errorf("discovery advertise parsing failed (%v)", err)
+	}
+	return advertise, nil
+}
+
+// GetConflictFreeLabels validates Labels for conflict
+// In swarm the duplicates for labels are removed
+// so we only take same values here, no conflict values
+// If the key-value is the same we will only take the last label
+func GetConflictFreeLabels(labels []string) ([]string, error) {
+	labelMap := map[string]string{}
+	for _, label := range labels {
+		stringSlice := strings.SplitN(label, "=", 2)
+		if len(stringSlice) > 1 {
+			// If there is a conflict we will return an error
+			if v, ok := labelMap[stringSlice[0]]; ok && v != stringSlice[1] {
+				return nil, fmt.Errorf("conflict labels for %s=%s and %s=%s", stringSlice[0], stringSlice[1], stringSlice[0], v)
+			}
+			labelMap[stringSlice[0]] = stringSlice[1]
+		}
+	}
+
+	newLabels := []string{}
+	for k, v := range labelMap {
+		newLabels = append(newLabels, fmt.Sprintf("%s=%s", k, v))
+	}
+	return newLabels, nil
+}
+
+// ValidateReservedNamespaceLabels errors if the reserved namespaces com.docker.*,
+// io.docker.*, org.dockerproject.* are used in a configured engine label.
+//
+// TODO: This is a separate function because we need to warn users first of the
+// deprecation.  When we return an error, this logic can be added to Validate
+// or GetConflictFreeLabels instead of being here.
+func ValidateReservedNamespaceLabels(labels []string) error {
+	for _, label := range labels {
+		lowered := strings.ToLower(label)
+		if strings.HasPrefix(lowered, "com.docker.") || strings.HasPrefix(lowered, "io.docker.") ||
+			strings.HasPrefix(lowered, "org.dockerproject.") {
+			return fmt.Errorf(
+				"label %s not allowed: the namespaces com.docker.*, io.docker.*, and org.dockerproject.* are reserved for Docker's internal use",
+				label)
+		}
+	}
+	return nil
+}
+
+// Reload reads the configuration in the host and reloads the daemon and server.
+func Reload(configFile string, flags *pflag.FlagSet, reload func(*Config)) error {
+	logrus.Infof("Got signal to reload configuration, reloading from: %s", configFile)
+	newConfig, err := getConflictFreeConfiguration(configFile, flags)
+	if err != nil {
+		if flags.Changed("config-file") || !os.IsNotExist(err) {
+			return fmt.Errorf("unable to configure the Docker daemon with file %s: %v", configFile, err)
+		}
+		newConfig = New()
+	}
+
+	if err := Validate(newConfig); err != nil {
+		return fmt.Errorf("file configuration validation failed (%v)", err)
+	}
+
+	// Check if duplicate label-keys with different values are found
+	newLabels, err := GetConflictFreeLabels(newConfig.Labels)
+	if err != nil {
+		return err
+	}
+	newConfig.Labels = newLabels
+
+	reload(newConfig)
+	return nil
+}
+
+// boolValue is an interface that boolean value flags implement
+// to tell the command line how to make -name equivalent to -name=true.
+type boolValue interface {
+	IsBoolFlag() bool
+}
+
+// MergeDaemonConfigurations reads a configuration file,
+// loads the file configuration in an isolated structure,
+// and merges the configuration provided from flags on top
+// if there are no conflicts.
+func MergeDaemonConfigurations(flagsConfig *Config, flags *pflag.FlagSet, configFile string) (*Config, error) {
+	fileConfig, err := getConflictFreeConfiguration(configFile, flags)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := Validate(fileConfig); err != nil {
+		return nil, fmt.Errorf("configuration validation from file failed (%v)", err)
+	}
+
+	// merge flags configuration on top of the file configuration
+	if err := mergo.Merge(fileConfig, flagsConfig); err != nil {
+		return nil, err
+	}
+
+	// We need to validate again once both fileConfig and flagsConfig
+	// have been merged
+	if err := Validate(fileConfig); err != nil {
+		return nil, fmt.Errorf("merged configuration validation from file and command line flags failed (%v)", err)
+	}
+
+	return fileConfig, nil
+}
+
+// getConflictFreeConfiguration loads the configuration from a JSON file.
+// It compares that configuration with the one provided by the flags,
+// and returns an error if there are conflicts.
+func getConflictFreeConfiguration(configFile string, flags *pflag.FlagSet) (*Config, error) {
+	b, err := ioutil.ReadFile(configFile)
+	if err != nil {
+		return nil, err
+	}
+
+	var config Config
+	var reader io.Reader
+	if flags != nil {
+		var jsonConfig map[string]interface{}
+		reader = bytes.NewReader(b)
+		if err := json.NewDecoder(reader).Decode(&jsonConfig); err != nil {
+			return nil, err
+		}
+
+		configSet := configValuesSet(jsonConfig)
+
+		if err := findConfigurationConflicts(configSet, flags); err != nil {
+			return nil, err
+		}
+
+		// Override flag values to make sure the values set in the config file with nullable values, like `false`,
+		// are not overridden by default truthy values from the flags that were not explicitly set.
+		// See https://github.com/docker/docker/issues/20289 for an example.
+		//
+		// TODO: Rewrite configuration logic to avoid same issue with other nullable values, like numbers.
+		namedOptions := make(map[string]interface{})
+		for key, value := range configSet {
+			f := flags.Lookup(key)
+			if f == nil { // ignore named flags that don't match
+				namedOptions[key] = value
+				continue
+			}
+
+			if _, ok := f.Value.(boolValue); ok {
+				f.Value.Set(fmt.Sprintf("%v", value))
+			}
+		}
+		if len(namedOptions) > 0 {
+			// set also default for mergeVal flags that are boolValue at the same time.
+			flags.VisitAll(func(f *pflag.Flag) {
+				if opt, named := f.Value.(opts.NamedOption); named {
+					v, set := namedOptions[opt.Name()]
+					_, boolean := f.Value.(boolValue)
+					if set && boolean {
+						f.Value.Set(fmt.Sprintf("%v", v))
+					}
+				}
+			})
+		}
+
+		config.ValuesSet = configSet
+	}
+
+	reader = bytes.NewReader(b)
+	if err := json.NewDecoder(reader).Decode(&config); err != nil {
+		return nil, err
+	}
+
+	if config.RootDeprecated != "" {
+		logrus.Warn(`The "graph" config file option is deprecated. Please use "data-root" instead.`)
+
+		if config.Root != "" {
+			return nil, fmt.Errorf(`cannot specify both "graph" and "data-root" config file options`)
+		}
+
+		config.Root = config.RootDeprecated
+	}
+
+	return &config, nil
+}
+
+// configValuesSet returns the configuration values explicitly set in the file.
+func configValuesSet(config map[string]interface{}) map[string]interface{} {
+	flatten := make(map[string]interface{})
+	for k, v := range config {
+		if m, isMap := v.(map[string]interface{}); isMap && !flatOptions[k] {
+			for km, vm := range m {
+				flatten[km] = vm
+			}
+			continue
+		}
+
+		flatten[k] = v
+	}
+	return flatten
+}
+
+// findConfigurationConflicts iterates over the provided flags searching for
+// duplicated configurations and unknown keys. It returns an error with all the conflicts if
+// it finds any.
+func findConfigurationConflicts(config map[string]interface{}, flags *pflag.FlagSet) error {
+	// 1. Search keys from the file that we don't recognize as flags.
+	unknownKeys := make(map[string]interface{})
+	for key, value := range config {
+		if flag := flags.Lookup(key); flag == nil {
+			unknownKeys[key] = value
+		}
+	}
+
+	// 2. Discard values that implement NamedOption.
+	// Their configuration name differs from their flag name, like `labels` and `label`.
+	if len(unknownKeys) > 0 {
+		unknownNamedConflicts := func(f *pflag.Flag) {
+			if namedOption, ok := f.Value.(opts.NamedOption); ok {
+				if _, valid := unknownKeys[namedOption.Name()]; valid {
+					delete(unknownKeys, namedOption.Name())
+				}
+			}
+		}
+		flags.VisitAll(unknownNamedConflicts)
+	}
+
+	if len(unknownKeys) > 0 {
+		var unknown []string
+		for key := range unknownKeys {
+			unknown = append(unknown, key)
+		}
+		return fmt.Errorf("the following directives don't match any configuration option: %s", strings.Join(unknown, ", "))
+	}
+
+	var conflicts []string
+	printConflict := func(name string, flagValue, fileValue interface{}) string {
+		return fmt.Sprintf("%s: (from flag: %v, from file: %v)", name, flagValue, fileValue)
+	}
+
+	// 3. Search keys that are present as a flag and as a file option.
+	duplicatedConflicts := func(f *pflag.Flag) {
+		// search option name in the json configuration payload if the value is a named option
+		if namedOption, ok := f.Value.(opts.NamedOption); ok {
+			if optsValue, ok := config[namedOption.Name()]; ok {
+				conflicts = append(conflicts, printConflict(namedOption.Name(), f.Value.String(), optsValue))
+			}
+		} else {
+			// search flag name in the json configuration payload
+			for _, name := range []string{f.Name, f.Shorthand} {
+				if value, ok := config[name]; ok {
+					conflicts = append(conflicts, printConflict(name, f.Value.String(), value))
+					break
+				}
+			}
+		}
+	}
+
+	flags.Visit(duplicatedConflicts)
+
+	if len(conflicts) > 0 {
+		return fmt.Errorf("the following directives are specified both as a flag and in the configuration file: %s", strings.Join(conflicts, ", "))
+	}
+	return nil
+}
+
+// Validate validates some specific configs.
+// such as config.DNS, config.Labels, config.DNSSearch,
+// as well as config.MaxConcurrentDownloads, config.MaxConcurrentUploads.
+func Validate(config *Config) error {
+	// validate DNS
+	for _, dns := range config.DNS {
+		if _, err := opts.ValidateIPAddress(dns); err != nil {
+			return err
+		}
+	}
+
+	// validate DNSSearch
+	for _, dnsSearch := range config.DNSSearch {
+		if _, err := opts.ValidateDNSSearch(dnsSearch); err != nil {
+			return err
+		}
+	}
+
+	// validate Labels
+	for _, label := range config.Labels {
+		if _, err := opts.ValidateLabel(label); err != nil {
+			return err
+		}
+	}
+	// validate MaxConcurrentDownloads
+	if config.MaxConcurrentDownloads != nil && *config.MaxConcurrentDownloads < 0 {
+		return fmt.Errorf("invalid max concurrent downloads: %d", *config.MaxConcurrentDownloads)
+	}
+	// validate MaxConcurrentUploads
+	if config.MaxConcurrentUploads != nil && *config.MaxConcurrentUploads < 0 {
+		return fmt.Errorf("invalid max concurrent uploads: %d", *config.MaxConcurrentUploads)
+	}
+
+	// validate that "default" runtime is not reset
+	if runtimes := config.GetAllRuntimes(); len(runtimes) > 0 {
+		if _, ok := runtimes[StockRuntimeName]; ok {
+			return fmt.Errorf("runtime name '%s' is reserved", StockRuntimeName)
+		}
+	}
+
+	if _, err := ParseGenericResources(config.NodeGenericResources); err != nil {
+		return err
+	}
+
+	if defaultRuntime := config.GetDefaultRuntimeName(); defaultRuntime != "" && defaultRuntime != StockRuntimeName {
+		runtimes := config.GetAllRuntimes()
+		if _, ok := runtimes[defaultRuntime]; !ok {
+			return fmt.Errorf("specified default runtime '%s' does not exist", defaultRuntime)
+		}
+	}
+
+	// validate platform-specific settings
+	return config.ValidatePlatformConfig()
+}
+
+// ModifiedDiscoverySettings returns whether the discovery configuration has been modified or not.
+func ModifiedDiscoverySettings(config *Config, backendType, advertise string, clusterOpts map[string]string) bool {
+	if config.ClusterStore != backendType || config.ClusterAdvertise != advertise {
+		return true
+	}
+
+	if (config.ClusterOpts == nil && clusterOpts == nil) ||
+		(config.ClusterOpts == nil && len(clusterOpts) == 0) ||
+		(len(config.ClusterOpts) == 0 && clusterOpts == nil) {
+		return false
+	}
+
+	return !reflect.DeepEqual(config.ClusterOpts, clusterOpts)
+}
diff --git a/engine/daemon/config/config_common_unix.go b/engine/daemon/config/config_common_unix.go
new file mode 100644
index 00000000..4bdf7588
--- /dev/null
+++ b/engine/daemon/config/config_common_unix.go
@@ -0,0 +1,71 @@
+// +build linux freebsd
+
+package config // import "github.com/docker/docker/daemon/config"
+
+import (
+	"net"
+
+	"github.com/docker/docker/api/types"
+)
+
+// CommonUnixConfig defines configuration of a docker daemon that is
+// common across Unix platforms.
+type CommonUnixConfig struct {
+	Runtimes          map[string]types.Runtime `json:"runtimes,omitempty"`
+	DefaultRuntime    string                   `json:"default-runtime,omitempty"`
+	DefaultInitBinary string                   `json:"default-init,omitempty"`
+}
+
+type commonUnixBridgeConfig struct {
+	DefaultIP                   net.IP `json:"ip,omitempty"`
+	IP                          string `json:"bip,omitempty"`
+	DefaultGatewayIPv4          net.IP `json:"default-gateway,omitempty"`
+	DefaultGatewayIPv6          net.IP `json:"default-gateway-v6,omitempty"`
+	InterContainerCommunication bool   `json:"icc,omitempty"`
+}
+
+// GetRuntime returns the runtime path and arguments for a given
+// runtime name
+func (conf *Config) GetRuntime(name string) *types.Runtime {
+	conf.Lock()
+	defer conf.Unlock()
+	if rt, ok := conf.Runtimes[name]; ok {
+		return &rt
+	}
+	return nil
+}
+
+// GetDefaultRuntimeName returns the current default runtime
+func (conf *Config) GetDefaultRuntimeName() string {
+	conf.Lock()
+	rt := conf.DefaultRuntime
+	conf.Unlock()
+
+	return rt
+}
+
+// GetAllRuntimes returns a copy of the runtimes map
+func (conf *Config) GetAllRuntimes() map[string]types.Runtime {
+	conf.Lock()
+	rts := conf.Runtimes
+	conf.Unlock()
+	return rts
+}
+
+// GetExecRoot returns the user configured Exec-root
+func (conf *Config) GetExecRoot() string {
+	return conf.ExecRoot
+}
+
+// GetInitPath returns the configured docker-init path
+func (conf *Config) GetInitPath() string {
+	conf.Lock()
+	defer conf.Unlock()
+	if conf.InitPath != "" {
+		return conf.InitPath
+	}
+	if conf.DefaultInitBinary != "" {
+		return conf.DefaultInitBinary
+	}
+	return DefaultInitBinary
+}
diff --git a/engine/daemon/config/config_common_unix_test.go b/engine/daemon/config/config_common_unix_test.go
new file mode 100644
index 00000000..47774a8e
--- /dev/null
+++ b/engine/daemon/config/config_common_unix_test.go
@@ -0,0 +1,84 @@
+// +build !windows
+
+package config // import "github.com/docker/docker/daemon/config"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestCommonUnixValidateConfigurationErrors(t *testing.T) {
+	testCases := []struct {
+		config *Config
+	}{
+		// Can't override the stock runtime
+		{
+			config: &Config{
+				CommonUnixConfig: CommonUnixConfig{
+					Runtimes: map[string]types.Runtime{
+						StockRuntimeName: {},
+					},
+				},
+			},
+		},
+		// Default runtime should be present in runtimes
+		{
+			config: &Config{
+				CommonUnixConfig: CommonUnixConfig{
+					Runtimes: map[string]types.Runtime{
+						"foo": {},
+					},
+					DefaultRuntime: "bar",
+				},
+			},
+		},
+	}
+	for _, tc := range testCases {
+		err := Validate(tc.config)
+		if err == nil {
+			t.Fatalf("expected error, got nil for config %v", tc.config)
+		}
+	}
+}
+
+func TestCommonUnixGetInitPath(t *testing.T) {
+	testCases := []struct {
+		config           *Config
+		expectedInitPath string
+	}{
+		{
+			config: &Config{
+				InitPath: "some-init-path",
+			},
+			expectedInitPath: "some-init-path",
+		},
+		{
+			config: &Config{
+				CommonUnixConfig: CommonUnixConfig{
+					DefaultInitBinary: "foo-init-bin",
+				},
+			},
+			expectedInitPath: "foo-init-bin",
+		},
+		{
+			config: &Config{
+				InitPath: "init-path-A",
+				CommonUnixConfig: CommonUnixConfig{
+					DefaultInitBinary: "init-path-B",
+				},
+			},
+			expectedInitPath: "init-path-A",
+		},
+		{
+			config:           &Config{},
+			expectedInitPath: "docker-init",
+		},
+	}
+	for _, tc := range testCases {
+		initPath := tc.config.GetInitPath()
+		if initPath != tc.expectedInitPath {
+			t.Fatalf("expected initPath to be %v, got %v", tc.expectedInitPath, initPath)
+		}
+	}
+}
diff --git a/engine/daemon/config/config_test.go b/engine/daemon/config/config_test.go
new file mode 100644
index 00000000..6998ed33
--- /dev/null
+++ b/engine/daemon/config/config_test.go
@@ -0,0 +1,518 @@
+package config // import "github.com/docker/docker/daemon/config"
+
+import (
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/daemon/discovery"
+	"github.com/docker/docker/opts"
+	"github.com/spf13/pflag"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+	"gotest.tools/skip"
+)
+
+func TestDaemonConfigurationNotFound(t *testing.T) {
+	_, err := MergeDaemonConfigurations(&Config{}, nil, "/tmp/foo-bar-baz-docker")
+	if err == nil || !os.IsNotExist(err) {
+		t.Fatalf("expected does not exist error, got %v", err)
+	}
+}
+
+func TestDaemonBrokenConfiguration(t *testing.T) {
+	f, err := ioutil.TempFile("", "docker-config-")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	configFile := f.Name()
+	f.Write([]byte(`{"Debug": tru`))
+	f.Close()
+
+	_, err = MergeDaemonConfigurations(&Config{}, nil, configFile)
+	if err == nil {
+		t.Fatalf("expected error, got %v", err)
+	}
+}
+
+func TestParseClusterAdvertiseSettings(t *testing.T) {
+	_, err := ParseClusterAdvertiseSettings("something", "")
+	if err != discovery.ErrDiscoveryDisabled {
+		t.Fatalf("expected discovery disabled error, got %v\n", err)
+	}
+
+	_, err = ParseClusterAdvertiseSettings("", "something")
+	if err == nil {
+		t.Fatalf("expected discovery store error, got %v\n", err)
+	}
+
+	_, err = ParseClusterAdvertiseSettings("etcd", "127.0.0.1:8080")
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFindConfigurationConflicts(t *testing.T) {
+	config := map[string]interface{}{"authorization-plugins": "foobar"}
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+
+	flags.String("authorization-plugins", "", "")
+	assert.Check(t, flags.Set("authorization-plugins", "asdf"))
+	assert.Check(t, is.ErrorContains(findConfigurationConflicts(config, flags), "authorization-plugins: (from flag: asdf, from file: foobar)"))
+}
+
+func TestFindConfigurationConflictsWithNamedOptions(t *testing.T) {
+	config := map[string]interface{}{"hosts": []string{"qwer"}}
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+
+	var hosts []string
+	flags.VarP(opts.NewNamedListOptsRef("hosts", &hosts, opts.ValidateHost), "host", "H", "Daemon socket(s) to connect to")
+	assert.Check(t, flags.Set("host", "tcp://127.0.0.1:4444"))
+	assert.Check(t, flags.Set("host", "unix:///var/run/docker.sock"))
+	assert.Check(t, is.ErrorContains(findConfigurationConflicts(config, flags), "hosts"))
+}
+
+func TestDaemonConfigurationMergeConflicts(t *testing.T) {
+	f, err := ioutil.TempFile("", "docker-config-")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	configFile := f.Name()
+	f.Write([]byte(`{"debug": true}`))
+	f.Close()
+
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	flags.Bool("debug", false, "")
+	flags.Set("debug", "false")
+
+	_, err = MergeDaemonConfigurations(&Config{}, flags, configFile)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	if !strings.Contains(err.Error(), "debug") {
+		t.Fatalf("expected debug conflict, got %v", err)
+	}
+}
+
+func TestDaemonConfigurationMergeConcurrent(t *testing.T) {
+	f, err := ioutil.TempFile("", "docker-config-")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	configFile := f.Name()
+	f.Write([]byte(`{"max-concurrent-downloads": 1}`))
+	f.Close()
+
+	_, err = MergeDaemonConfigurations(&Config{}, nil, configFile)
+	if err != nil {
+		t.Fatal("expected error, got nil")
+	}
+}
+
+func TestDaemonConfigurationMergeConcurrentError(t *testing.T) {
+	f, err := ioutil.TempFile("", "docker-config-")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	configFile := f.Name()
+	f.Write([]byte(`{"max-concurrent-downloads": -1}`))
+	f.Close()
+
+	_, err = MergeDaemonConfigurations(&Config{}, nil, configFile)
+	if err == nil {
+		t.Fatalf("expected no error, got error %v", err)
+	}
+}
+
+func TestDaemonConfigurationMergeConflictsWithInnerStructs(t *testing.T) {
+	f, err := ioutil.TempFile("", "docker-config-")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	configFile := f.Name()
+	f.Write([]byte(`{"tlscacert": "/etc/certificates/ca.pem"}`))
+	f.Close()
+
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	flags.String("tlscacert", "", "")
+	flags.Set("tlscacert", "~/.docker/ca.pem")
+
+	_, err = MergeDaemonConfigurations(&Config{}, flags, configFile)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	if !strings.Contains(err.Error(), "tlscacert") {
+		t.Fatalf("expected tlscacert conflict, got %v", err)
+	}
+}
+
+func TestFindConfigurationConflictsWithUnknownKeys(t *testing.T) {
+	config := map[string]interface{}{"tls-verify": "true"}
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+
+	flags.Bool("tlsverify", false, "")
+	err := findConfigurationConflicts(config, flags)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	if !strings.Contains(err.Error(), "the following directives don't match any configuration option: tls-verify") {
+		t.Fatalf("expected tls-verify conflict, got %v", err)
+	}
+}
+
+func TestFindConfigurationConflictsWithMergedValues(t *testing.T) {
+	var hosts []string
+	config := map[string]interface{}{"hosts": "tcp://127.0.0.1:2345"}
+	flags := pflag.NewFlagSet("base", pflag.ContinueOnError)
+	flags.VarP(opts.NewNamedListOptsRef("hosts", &hosts, nil), "host", "H", "")
+
+	err := findConfigurationConflicts(config, flags)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	flags.Set("host", "unix:///var/run/docker.sock")
+	err = findConfigurationConflicts(config, flags)
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+	if !strings.Contains(err.Error(), "hosts: (from flag: [unix:///var/run/docker.sock], from file: tcp://127.0.0.1:2345)") {
+		t.Fatalf("expected hosts conflict, got %v", err)
+	}
+}
+
+func TestValidateReservedNamespaceLabels(t *testing.T) {
+	for _, validLabels := range [][]string{
+		nil, // no error if there are no labels
+		{ // no error if there aren't any reserved namespace labels
+			"hello=world",
+			"label=me",
+		},
+		{ // only reserved namespaces that end with a dot are invalid
+			"com.dockerpsychnotreserved.label=value",
+			"io.dockerproject.not=reserved",
+			"org.docker.not=reserved",
+		},
+	} {
+		assert.Check(t, ValidateReservedNamespaceLabels(validLabels))
+	}
+
+	for _, invalidLabel := range []string{
+		"com.docker.feature=enabled",
+		"io.docker.configuration=0",
+		"org.dockerproject.setting=on",
+		// casing doesn't matter
+		"COM.docker.feature=enabled",
+		"io.DOCKER.CONFIGURATION=0",
+		"Org.Dockerproject.Setting=on",
+	} {
+		err := ValidateReservedNamespaceLabels([]string{
+			"valid=label",
+			invalidLabel,
+			"another=valid",
+		})
+		assert.Check(t, is.ErrorContains(err, invalidLabel))
+	}
+}
+
+func TestValidateConfigurationErrors(t *testing.T) {
+	minusNumber := -10
+	testCases := []struct {
+		config *Config
+	}{
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					Labels: []string{"one"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					Labels: []string{"foo=bar", "one"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					DNS: []string{"1.1.1.1o"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					DNS: []string{"2.2.2.2", "1.1.1.1o"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					DNSSearch: []string{"123456"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					DNSSearch: []string{"a.b.c", "123456"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					MaxConcurrentDownloads: &minusNumber,
+					// This is weird...
+					ValuesSet: map[string]interface{}{
+						"max-concurrent-downloads": -1,
+					},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					MaxConcurrentUploads: &minusNumber,
+					// This is weird...
+					ValuesSet: map[string]interface{}{
+						"max-concurrent-uploads": -1,
+					},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					NodeGenericResources: []string{"foo"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					NodeGenericResources: []string{"foo=bar", "foo=1"},
+				},
+			},
+		},
+	}
+	for _, tc := range testCases {
+		err := Validate(tc.config)
+		if err == nil {
+			t.Fatalf("expected error, got nil for config %v", tc.config)
+		}
+	}
+}
+
+func TestValidateConfiguration(t *testing.T) {
+	minusNumber := 4
+	testCases := []struct {
+		config *Config
+	}{
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					Labels: []string{"one=two"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					DNS: []string{"1.1.1.1"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					DNSSearch: []string{"a.b.c"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					MaxConcurrentDownloads: &minusNumber,
+					// This is weird...
+					ValuesSet: map[string]interface{}{
+						"max-concurrent-downloads": -1,
+					},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					MaxConcurrentUploads: &minusNumber,
+					// This is weird...
+					ValuesSet: map[string]interface{}{
+						"max-concurrent-uploads": -1,
+					},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					NodeGenericResources: []string{"foo=bar", "foo=baz"},
+				},
+			},
+		},
+		{
+			config: &Config{
+				CommonConfig: CommonConfig{
+					NodeGenericResources: []string{"foo=1"},
+				},
+			},
+		},
+	}
+	for _, tc := range testCases {
+		err := Validate(tc.config)
+		if err != nil {
+			t.Fatalf("expected no error, got error %v", err)
+		}
+	}
+}
+
+func TestModifiedDiscoverySettings(t *testing.T) {
+	cases := []struct {
+		current  *Config
+		modified *Config
+		expected bool
+	}{
+		{
+			current:  discoveryConfig("foo", "bar", map[string]string{}),
+			modified: discoveryConfig("foo", "bar", map[string]string{}),
+			expected: false,
+		},
+		{
+			current:  discoveryConfig("foo", "bar", map[string]string{"foo": "bar"}),
+			modified: discoveryConfig("foo", "bar", map[string]string{"foo": "bar"}),
+			expected: false,
+		},
+		{
+			current:  discoveryConfig("foo", "bar", map[string]string{}),
+			modified: discoveryConfig("foo", "bar", nil),
+			expected: false,
+		},
+		{
+			current:  discoveryConfig("foo", "bar", nil),
+			modified: discoveryConfig("foo", "bar", map[string]string{}),
+			expected: false,
+		},
+		{
+			current:  discoveryConfig("foo", "bar", nil),
+			modified: discoveryConfig("baz", "bar", nil),
+			expected: true,
+		},
+		{
+			current:  discoveryConfig("foo", "bar", nil),
+			modified: discoveryConfig("foo", "baz", nil),
+			expected: true,
+		},
+		{
+			current:  discoveryConfig("foo", "bar", nil),
+			modified: discoveryConfig("foo", "bar", map[string]string{"foo": "bar"}),
+			expected: true,
+		},
+	}
+
+	for _, c := range cases {
+		got := ModifiedDiscoverySettings(c.current, c.modified.ClusterStore, c.modified.ClusterAdvertise, c.modified.ClusterOpts)
+		if c.expected != got {
+			t.Fatalf("expected %v, got %v: current config %v, new config %v", c.expected, got, c.current, c.modified)
+		}
+	}
+}
+
+func discoveryConfig(backendAddr, advertiseAddr string, opts map[string]string) *Config {
+	return &Config{
+		CommonConfig: CommonConfig{
+			ClusterStore:     backendAddr,
+			ClusterAdvertise: advertiseAddr,
+			ClusterOpts:      opts,
+		},
+	}
+}
+
+// TestReloadSetConfigFileNotExist tests that when `--config-file` is set
+// and it doesn't exist the `Reload` function returns an error.
+func TestReloadSetConfigFileNotExist(t *testing.T) {
+	configFile := "/tmp/blabla/not/exists/config.json"
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	flags.String("config-file", "", "")
+	flags.Set("config-file", configFile)
+
+	err := Reload(configFile, flags, func(c *Config) {})
+	assert.Check(t, is.ErrorContains(err, "unable to configure the Docker daemon with file"))
+}
+
+// TestReloadDefaultConfigNotExist tests that if the default configuration file
+// doesn't exist the daemon still will be reloaded.
+func TestReloadDefaultConfigNotExist(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	reloaded := false
+	configFile := "/etc/docker/daemon.json"
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	flags.String("config-file", configFile, "")
+	err := Reload(configFile, flags, func(c *Config) {
+		reloaded = true
+	})
+	assert.Check(t, err)
+	assert.Check(t, reloaded)
+}
+
+// TestReloadBadDefaultConfig tests that when `--config-file` is not set
+// and the default configuration file exists and is bad return an error
+func TestReloadBadDefaultConfig(t *testing.T) {
+	f, err := ioutil.TempFile("", "docker-config-")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	configFile := f.Name()
+	f.Write([]byte(`{wrong: "configuration"}`))
+	f.Close()
+
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	flags.String("config-file", configFile, "")
+	err = Reload(configFile, flags, func(c *Config) {})
+	assert.Check(t, is.ErrorContains(err, "unable to configure the Docker daemon with file"))
+}
+
+func TestReloadWithConflictingLabels(t *testing.T) {
+	tempFile := fs.NewFile(t, "config", fs.WithContent(`{"labels":["foo=bar","foo=baz"]}`))
+	defer tempFile.Remove()
+	configFile := tempFile.Path()
+
+	var lbls []string
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	flags.String("config-file", configFile, "")
+	flags.StringSlice("labels", lbls, "")
+	err := Reload(configFile, flags, func(c *Config) {})
+	assert.Check(t, is.ErrorContains(err, "conflict labels for foo=baz and foo=bar"))
+}
+
+func TestReloadWithDuplicateLabels(t *testing.T) {
+	tempFile := fs.NewFile(t, "config", fs.WithContent(`{"labels":["foo=the-same","foo=the-same"]}`))
+	defer tempFile.Remove()
+	configFile := tempFile.Path()
+
+	var lbls []string
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	flags.String("config-file", configFile, "")
+	flags.StringSlice("labels", lbls, "")
+	err := Reload(configFile, flags, func(c *Config) {})
+	assert.Check(t, err)
+}
diff --git a/engine/daemon/config/config_unix.go b/engine/daemon/config/config_unix.go
new file mode 100644
index 00000000..1970928f
--- /dev/null
+++ b/engine/daemon/config/config_unix.go
@@ -0,0 +1,87 @@
+// +build linux freebsd
+
+package config // import "github.com/docker/docker/daemon/config"
+
+import (
+	"fmt"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/opts"
+	"github.com/docker/go-units"
+)
+
+const (
+	// DefaultIpcMode is default for container's IpcMode, if not set otherwise
+	DefaultIpcMode = "shareable" // TODO: change to private
+)
+
+// Config defines the configuration of a docker daemon.
+// It includes json tags to deserialize configuration from a file
+// using the same names that the flags in the command line uses.
+type Config struct {
+	CommonConfig
+
+	// These fields are common to all unix platforms.
+	CommonUnixConfig
+	// Fields below here are platform specific.
+	CgroupParent         string                   `json:"cgroup-parent,omitempty"`
+	EnableSelinuxSupport bool                     `json:"selinux-enabled,omitempty"`
+	RemappedRoot         string                   `json:"userns-remap,omitempty"`
+	Ulimits              map[string]*units.Ulimit `json:"default-ulimits,omitempty"`
+	CPURealtimePeriod    int64                    `json:"cpu-rt-period,omitempty"`
+	CPURealtimeRuntime   int64                    `json:"cpu-rt-runtime,omitempty"`
+	OOMScoreAdjust       int                      `json:"oom-score-adjust,omitempty"`
+	Init                 bool                     `json:"init,omitempty"`
+	InitPath             string                   `json:"init-path,omitempty"`
+	SeccompProfile       string                   `json:"seccomp-profile,omitempty"`
+	ShmSize              opts.MemBytes            `json:"default-shm-size,omitempty"`
+	NoNewPrivileges      bool                     `json:"no-new-privileges,omitempty"`
+	IpcMode              string                   `json:"default-ipc-mode,omitempty"`
+}
+
+// BridgeConfig stores all the bridge driver specific
+// configuration.
+type BridgeConfig struct {
+	commonBridgeConfig
+
+	// These fields are common to all unix platforms.
+	commonUnixBridgeConfig
+
+	// Fields below here are platform specific.
+	EnableIPv6          bool   `json:"ipv6,omitempty"`
+	EnableIPTables      bool   `json:"iptables,omitempty"`
+	EnableIPForward     bool   `json:"ip-forward,omitempty"`
+	EnableIPMasq        bool   `json:"ip-masq,omitempty"`
+	EnableUserlandProxy bool   `json:"userland-proxy,omitempty"`
+	UserlandProxyPath   string `json:"userland-proxy-path,omitempty"`
+	FixedCIDRv6         string `json:"fixed-cidr-v6,omitempty"`
+}
+
+// IsSwarmCompatible defines if swarm mode can be enabled in this config
+func (conf *Config) IsSwarmCompatible() error {
+	if conf.ClusterStore != "" || conf.ClusterAdvertise != "" {
+		return fmt.Errorf("--cluster-store and --cluster-advertise daemon configurations are incompatible with swarm mode")
+	}
+	if conf.LiveRestoreEnabled {
+		return fmt.Errorf("--live-restore daemon configuration is incompatible with swarm mode")
+	}
+	return nil
+}
+
+func verifyDefaultIpcMode(mode string) error {
+	const hint = "Use \"shareable\" or \"private\"."
+
+	dm := containertypes.IpcMode(mode)
+	if !dm.Valid() {
+		return fmt.Errorf("Default IPC mode setting (%v) is invalid. "+hint, dm)
+	}
+	if dm != "" && !dm.IsPrivate() && !dm.IsShareable() {
+		return fmt.Errorf("IPC mode \"%v\" is not supported as default value. "+hint, dm)
+	}
+	return nil
+}
+
+// ValidatePlatformConfig checks if any platform-specific configuration settings are invalid.
+func (conf *Config) ValidatePlatformConfig() error {
+	return verifyDefaultIpcMode(conf.IpcMode)
+}
diff --git a/engine/daemon/config/config_unix_test.go b/engine/daemon/config/config_unix_test.go
new file mode 100644
index 00000000..529b6777
--- /dev/null
+++ b/engine/daemon/config/config_unix_test.go
@@ -0,0 +1,134 @@
+// +build !windows
+
+package config // import "github.com/docker/docker/daemon/config"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/opts"
+	"github.com/docker/go-units"
+	"github.com/spf13/pflag"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+func TestGetConflictFreeConfiguration(t *testing.T) {
+	configFileData := `
+		{
+			"debug": true,
+			"default-ulimits": {
+				"nofile": {
+					"Name": "nofile",
+					"Hard": 2048,
+					"Soft": 1024
+				}
+			},
+			"log-opts": {
+				"tag": "test_tag"
+			}
+		}`
+
+	file := fs.NewFile(t, "docker-config", fs.WithContent(configFileData))
+	defer file.Remove()
+
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	var debug bool
+	flags.BoolVarP(&debug, "debug", "D", false, "")
+	flags.Var(opts.NewNamedUlimitOpt("default-ulimits", nil), "default-ulimit", "")
+	flags.Var(opts.NewNamedMapOpts("log-opts", nil, nil), "log-opt", "")
+
+	cc, err := getConflictFreeConfiguration(file.Path(), flags)
+	assert.NilError(t, err)
+
+	assert.Check(t, cc.Debug)
+
+	expectedUlimits := map[string]*units.Ulimit{
+		"nofile": {
+			Name: "nofile",
+			Hard: 2048,
+			Soft: 1024,
+		},
+	}
+
+	assert.Check(t, is.DeepEqual(expectedUlimits, cc.Ulimits))
+}
+
+func TestDaemonConfigurationMerge(t *testing.T) {
+	configFileData := `
+		{
+			"debug": true,
+			"default-ulimits": {
+				"nofile": {
+					"Name": "nofile",
+					"Hard": 2048,
+					"Soft": 1024
+				}
+			},
+			"log-opts": {
+				"tag": "test_tag"
+			}
+		}`
+
+	file := fs.NewFile(t, "docker-config", fs.WithContent(configFileData))
+	defer file.Remove()
+
+	c := &Config{
+		CommonConfig: CommonConfig{
+			AutoRestart: true,
+			LogConfig: LogConfig{
+				Type:   "syslog",
+				Config: map[string]string{"tag": "test"},
+			},
+		},
+	}
+
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+
+	var debug bool
+	flags.BoolVarP(&debug, "debug", "D", false, "")
+	flags.Var(opts.NewNamedUlimitOpt("default-ulimits", nil), "default-ulimit", "")
+	flags.Var(opts.NewNamedMapOpts("log-opts", nil, nil), "log-opt", "")
+
+	cc, err := MergeDaemonConfigurations(c, flags, file.Path())
+	assert.NilError(t, err)
+
+	assert.Check(t, cc.Debug)
+	assert.Check(t, cc.AutoRestart)
+
+	expectedLogConfig := LogConfig{
+		Type:   "syslog",
+		Config: map[string]string{"tag": "test_tag"},
+	}
+
+	assert.Check(t, is.DeepEqual(expectedLogConfig, cc.LogConfig))
+
+	expectedUlimits := map[string]*units.Ulimit{
+		"nofile": {
+			Name: "nofile",
+			Hard: 2048,
+			Soft: 1024,
+		},
+	}
+
+	assert.Check(t, is.DeepEqual(expectedUlimits, cc.Ulimits))
+}
+
+func TestDaemonConfigurationMergeShmSize(t *testing.T) {
+	data := `{"default-shm-size": "1g"}`
+
+	file := fs.NewFile(t, "docker-config", fs.WithContent(data))
+	defer file.Remove()
+
+	c := &Config{}
+
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	shmSize := opts.MemBytes(DefaultShmSize)
+	flags.Var(&shmSize, "default-shm-size", "")
+
+	cc, err := MergeDaemonConfigurations(c, flags, file.Path())
+	assert.NilError(t, err)
+
+	expectedValue := 1 * 1024 * 1024 * 1024
+	assert.Check(t, is.Equal(int64(expectedValue), cc.ShmSize.Value()))
+}
diff --git a/engine/daemon/config/config_windows.go b/engine/daemon/config/config_windows.go
new file mode 100644
index 00000000..0aa7d54b
--- /dev/null
+++ b/engine/daemon/config/config_windows.go
@@ -0,0 +1,57 @@
+package config // import "github.com/docker/docker/daemon/config"
+
+import (
+	"github.com/docker/docker/api/types"
+)
+
+// BridgeConfig stores all the bridge driver specific
+// configuration.
+type BridgeConfig struct {
+	commonBridgeConfig
+}
+
+// Config defines the configuration of a docker daemon.
+// These are the configuration settings that you pass
+// to the docker daemon when you launch it with say: `dockerd -e windows`
+type Config struct {
+	CommonConfig
+
+	// Fields below here are platform specific. (There are none presently
+	// for the Windows daemon.)
+}
+
+// GetRuntime returns the runtime path and arguments for a given
+// runtime name
+func (conf *Config) GetRuntime(name string) *types.Runtime {
+	return nil
+}
+
+// GetInitPath returns the configure docker-init path
+func (conf *Config) GetInitPath() string {
+	return ""
+}
+
+// GetDefaultRuntimeName returns the current default runtime
+func (conf *Config) GetDefaultRuntimeName() string {
+	return StockRuntimeName
+}
+
+// GetAllRuntimes returns a copy of the runtimes map
+func (conf *Config) GetAllRuntimes() map[string]types.Runtime {
+	return map[string]types.Runtime{}
+}
+
+// GetExecRoot returns the user configured Exec-root
+func (conf *Config) GetExecRoot() string {
+	return ""
+}
+
+// IsSwarmCompatible defines if swarm mode can be enabled in this config
+func (conf *Config) IsSwarmCompatible() error {
+	return nil
+}
+
+// ValidatePlatformConfig checks if any platform-specific configuration settings are invalid.
+func (conf *Config) ValidatePlatformConfig() error {
+	return nil
+}
diff --git a/engine/daemon/config/config_windows_test.go b/engine/daemon/config/config_windows_test.go
new file mode 100644
index 00000000..09417ee3
--- /dev/null
+++ b/engine/daemon/config/config_windows_test.go
@@ -0,0 +1,60 @@
+// +build windows
+
+package config // import "github.com/docker/docker/daemon/config"
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/docker/opts"
+	"github.com/spf13/pflag"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestDaemonConfigurationMerge(t *testing.T) {
+	f, err := ioutil.TempFile("", "docker-config-")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	configFile := f.Name()
+
+	f.Write([]byte(`
+		{
+			"debug": true,
+			"log-opts": {
+				"tag": "test_tag"
+			}
+		}`))
+
+	f.Close()
+
+	c := &Config{
+		CommonConfig: CommonConfig{
+			AutoRestart: true,
+			LogConfig: LogConfig{
+				Type:   "syslog",
+				Config: map[string]string{"tag": "test"},
+			},
+		},
+	}
+
+	flags := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	var debug bool
+	flags.BoolVarP(&debug, "debug", "D", false, "")
+	flags.Var(opts.NewNamedMapOpts("log-opts", nil, nil), "log-opt", "")
+
+	cc, err := MergeDaemonConfigurations(c, flags, configFile)
+	assert.NilError(t, err)
+
+	assert.Check(t, cc.Debug)
+	assert.Check(t, cc.AutoRestart)
+
+	expectedLogConfig := LogConfig{
+		Type:   "syslog",
+		Config: map[string]string{"tag": "test_tag"},
+	}
+
+	assert.Check(t, is.DeepEqual(expectedLogConfig, cc.LogConfig))
+}
diff --git a/engine/daemon/config/opts.go b/engine/daemon/config/opts.go
new file mode 100644
index 00000000..8b114929
--- /dev/null
+++ b/engine/daemon/config/opts.go
@@ -0,0 +1,22 @@
+package config // import "github.com/docker/docker/daemon/config"
+
+import (
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/convert"
+	"github.com/docker/swarmkit/api/genericresource"
+)
+
+// ParseGenericResources parses and validates the specified string as a list of GenericResource
+func ParseGenericResources(value []string) ([]swarm.GenericResource, error) {
+	if len(value) == 0 {
+		return nil, nil
+	}
+
+	resources, err := genericresource.Parse(value)
+	if err != nil {
+		return nil, err
+	}
+
+	obj := convert.GenericResourcesFromGRPC(resources)
+	return obj, nil
+}
diff --git a/engine/daemon/configs.go b/engine/daemon/configs.go
new file mode 100644
index 00000000..4fd0d227
--- /dev/null
+++ b/engine/daemon/configs.go
@@ -0,0 +1,21 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/sirupsen/logrus"
+)
+
+// SetContainerConfigReferences sets the container config references needed
+func (daemon *Daemon) SetContainerConfigReferences(name string, refs []*swarmtypes.ConfigReference) error {
+	if !configsSupported() && len(refs) > 0 {
+		logrus.Warn("configs are not supported on this platform")
+		return nil
+	}
+
+	c, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+	c.ConfigReferences = append(c.ConfigReferences, refs...)
+	return nil
+}
diff --git a/engine/daemon/configs_linux.go b/engine/daemon/configs_linux.go
new file mode 100644
index 00000000..ceb66633
--- /dev/null
+++ b/engine/daemon/configs_linux.go
@@ -0,0 +1,5 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+func configsSupported() bool {
+	return true
+}
diff --git a/engine/daemon/configs_unsupported.go b/engine/daemon/configs_unsupported.go
new file mode 100644
index 00000000..ae6f14f5
--- /dev/null
+++ b/engine/daemon/configs_unsupported.go
@@ -0,0 +1,7 @@
+// +build !linux,!windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+func configsSupported() bool {
+	return false
+}
diff --git a/engine/daemon/configs_windows.go b/engine/daemon/configs_windows.go
new file mode 100644
index 00000000..ceb66633
--- /dev/null
+++ b/engine/daemon/configs_windows.go
@@ -0,0 +1,5 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+func configsSupported() bool {
+	return true
+}
diff --git a/engine/daemon/container.go b/engine/daemon/container.go
new file mode 100644
index 00000000..c8e20539
--- /dev/null
+++ b/engine/daemon/container.go
@@ -0,0 +1,358 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/network"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/pkg/truncindex"
+	"github.com/docker/docker/runconfig"
+	volumemounts "github.com/docker/docker/volume/mounts"
+	"github.com/docker/go-connections/nat"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+)
+
+// GetContainer looks for a container using the provided information, which could be
+// one of the following inputs from the caller:
+//  - A full container ID, which will exact match a container in daemon's list
+//  - A container name, which will only exact match via the GetByName() function
+//  - A partial container ID prefix (e.g. short ID) of any length that is
+//    unique enough to only return a single container object
+//  If none of these searches succeed, an error is returned
+func (daemon *Daemon) GetContainer(prefixOrName string) (*container.Container, error) {
+	if len(prefixOrName) == 0 {
+		return nil, errors.WithStack(invalidIdentifier(prefixOrName))
+	}
+
+	if containerByID := daemon.containers.Get(prefixOrName); containerByID != nil {
+		// prefix is an exact match to a full container ID
+		return containerByID, nil
+	}
+
+	// GetByName will match only an exact name provided; we ignore errors
+	if containerByName, _ := daemon.GetByName(prefixOrName); containerByName != nil {
+		// prefix is an exact match to a full container Name
+		return containerByName, nil
+	}
+
+	containerID, indexError := daemon.idIndex.Get(prefixOrName)
+	if indexError != nil {
+		// When truncindex defines an error type, use that instead
+		if indexError == truncindex.ErrNotExist {
+			return nil, containerNotFound(prefixOrName)
+		}
+		return nil, errdefs.System(indexError)
+	}
+	return daemon.containers.Get(containerID), nil
+}
+
+// checkContainer make sure the specified container validates the specified conditions
+func (daemon *Daemon) checkContainer(container *container.Container, conditions ...func(*container.Container) error) error {
+	for _, condition := range conditions {
+		if err := condition(container); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Exists returns a true if a container of the specified ID or name exists,
+// false otherwise.
+func (daemon *Daemon) Exists(id string) bool {
+	c, _ := daemon.GetContainer(id)
+	return c != nil
+}
+
+// IsPaused returns a bool indicating if the specified container is paused.
+func (daemon *Daemon) IsPaused(id string) bool {
+	c, _ := daemon.GetContainer(id)
+	return c.State.IsPaused()
+}
+
+func (daemon *Daemon) containerRoot(id string) string {
+	return filepath.Join(daemon.repository, id)
+}
+
+// Load reads the contents of a container from disk
+// This is typically done at startup.
+func (daemon *Daemon) load(id string) (*container.Container, error) {
+	container := daemon.newBaseContainer(id)
+
+	if err := container.FromDisk(); err != nil {
+		return nil, err
+	}
+	if err := label.ReserveLabel(container.ProcessLabel); err != nil {
+		return nil, err
+	}
+
+	if container.ID != id {
+		return container, fmt.Errorf("Container %s is stored at %s", container.ID, id)
+	}
+
+	return container, nil
+}
+
+// Register makes a container object usable by the daemon as <container.ID>
+func (daemon *Daemon) Register(c *container.Container) error {
+	// Attach to stdout and stderr
+	if c.Config.OpenStdin {
+		c.StreamConfig.NewInputPipes()
+	} else {
+		c.StreamConfig.NewNopInputPipe()
+	}
+
+	// once in the memory store it is visible to other goroutines
+	// grab a Lock until it has been checkpointed to avoid races
+	c.Lock()
+	defer c.Unlock()
+
+	daemon.containers.Add(c.ID, c)
+	daemon.idIndex.Add(c.ID)
+	return c.CheckpointTo(daemon.containersReplica)
+}
+
+func (daemon *Daemon) newContainer(name string, operatingSystem string, config *containertypes.Config, hostConfig *containertypes.HostConfig, imgID image.ID, managed bool) (*container.Container, error) {
+	var (
+		id             string
+		err            error
+		noExplicitName = name == ""
+	)
+	id, name, err = daemon.generateIDAndName(name)
+	if err != nil {
+		return nil, err
+	}
+
+	if hostConfig.NetworkMode.IsHost() {
+		if config.Hostname == "" {
+			config.Hostname, err = os.Hostname()
+			if err != nil {
+				return nil, errdefs.System(err)
+			}
+		}
+	} else {
+		daemon.generateHostname(id, config)
+	}
+	entrypoint, args := daemon.getEntrypointAndArgs(config.Entrypoint, config.Cmd)
+
+	base := daemon.newBaseContainer(id)
+	base.Created = time.Now().UTC()
+	base.Managed = managed
+	base.Path = entrypoint
+	base.Args = args //FIXME: de-duplicate from config
+	base.Config = config
+	base.HostConfig = &containertypes.HostConfig{}
+	base.ImageID = imgID
+	base.NetworkSettings = &network.Settings{IsAnonymousEndpoint: noExplicitName}
+	base.Name = name
+	base.Driver = daemon.imageService.GraphDriverForOS(operatingSystem)
+	base.OS = operatingSystem
+	return base, err
+}
+
+// GetByName returns a container given a name.
+func (daemon *Daemon) GetByName(name string) (*container.Container, error) {
+	if len(name) == 0 {
+		return nil, fmt.Errorf("No container name supplied")
+	}
+	fullName := name
+	if name[0] != '/' {
+		fullName = "/" + name
+	}
+	id, err := daemon.containersReplica.Snapshot().GetID(fullName)
+	if err != nil {
+		return nil, fmt.Errorf("Could not find entity for %s", name)
+	}
+	e := daemon.containers.Get(id)
+	if e == nil {
+		return nil, fmt.Errorf("Could not find container for entity id %s", id)
+	}
+	return e, nil
+}
+
+// newBaseContainer creates a new container with its initial
+// configuration based on the root storage from the daemon.
+func (daemon *Daemon) newBaseContainer(id string) *container.Container {
+	return container.NewBaseContainer(id, daemon.containerRoot(id))
+}
+
+func (daemon *Daemon) getEntrypointAndArgs(configEntrypoint strslice.StrSlice, configCmd strslice.StrSlice) (string, []string) {
+	if len(configEntrypoint) != 0 {
+		return configEntrypoint[0], append(configEntrypoint[1:], configCmd...)
+	}
+	return configCmd[0], configCmd[1:]
+}
+
+func (daemon *Daemon) generateHostname(id string, config *containertypes.Config) {
+	// Generate default hostname
+	if config.Hostname == "" {
+		config.Hostname = id[:12]
+	}
+}
+
+func (daemon *Daemon) setSecurityOptions(container *container.Container, hostConfig *containertypes.HostConfig) error {
+	container.Lock()
+	defer container.Unlock()
+	return daemon.parseSecurityOpt(container, hostConfig)
+}
+
+func (daemon *Daemon) setHostConfig(container *container.Container, hostConfig *containertypes.HostConfig) error {
+	// Do not lock while creating volumes since this could be calling out to external plugins
+	// Don't want to block other actions, like `docker ps` because we're waiting on an external plugin
+	if err := daemon.registerMountPoints(container, hostConfig); err != nil {
+		return err
+	}
+
+	container.Lock()
+	defer container.Unlock()
+
+	// Register any links from the host config before starting the container
+	if err := daemon.registerLinks(container, hostConfig); err != nil {
+		return err
+	}
+
+	runconfig.SetDefaultNetModeIfBlank(hostConfig)
+	container.HostConfig = hostConfig
+	return container.CheckpointTo(daemon.containersReplica)
+}
+
+// verifyContainerSettings performs validation of the hostconfig and config
+// structures.
+func (daemon *Daemon) verifyContainerSettings(platform string, hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) ([]string, error) {
+	// First perform verification of settings common across all platforms.
+	if config != nil {
+		if config.WorkingDir != "" {
+			wdInvalid := false
+			if runtime.GOOS == platform {
+				config.WorkingDir = filepath.FromSlash(config.WorkingDir) // Ensure in platform semantics
+				if !system.IsAbs(config.WorkingDir) {
+					wdInvalid = true
+				}
+			} else {
+				// LCOW. Force Unix semantics
+				config.WorkingDir = strings.Replace(config.WorkingDir, string(os.PathSeparator), "/", -1)
+				if !path.IsAbs(config.WorkingDir) {
+					wdInvalid = true
+				}
+			}
+			if wdInvalid {
+				return nil, fmt.Errorf("the working directory '%s' is invalid, it needs to be an absolute path", config.WorkingDir)
+			}
+		}
+
+		if len(config.StopSignal) > 0 {
+			_, err := signal.ParseSignal(config.StopSignal)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		// Validate if Env contains empty variable or not (e.g., ``, `=foo`)
+		for _, env := range config.Env {
+			if _, err := opts.ValidateEnv(env); err != nil {
+				return nil, err
+			}
+		}
+
+		// Validate the healthcheck params of Config
+		if config.Healthcheck != nil {
+			if config.Healthcheck.Interval != 0 && config.Healthcheck.Interval < containertypes.MinimumDuration {
+				return nil, errors.Errorf("Interval in Healthcheck cannot be less than %s", containertypes.MinimumDuration)
+			}
+
+			if config.Healthcheck.Timeout != 0 && config.Healthcheck.Timeout < containertypes.MinimumDuration {
+				return nil, errors.Errorf("Timeout in Healthcheck cannot be less than %s", containertypes.MinimumDuration)
+			}
+
+			if config.Healthcheck.Retries < 0 {
+				return nil, errors.Errorf("Retries in Healthcheck cannot be negative")
+			}
+
+			if config.Healthcheck.StartPeriod != 0 && config.Healthcheck.StartPeriod < containertypes.MinimumDuration {
+				return nil, errors.Errorf("StartPeriod in Healthcheck cannot be less than %s", containertypes.MinimumDuration)
+			}
+		}
+	}
+
+	if hostConfig == nil {
+		return nil, nil
+	}
+
+	if hostConfig.AutoRemove && !hostConfig.RestartPolicy.IsNone() {
+		return nil, errors.Errorf("can't create 'AutoRemove' container with restart policy")
+	}
+
+	// Validate mounts; check if host directories still exist
+	parser := volumemounts.NewParser(platform)
+	for _, cfg := range hostConfig.Mounts {
+		if err := parser.ValidateMountConfig(&cfg); err != nil {
+			return nil, err
+		}
+	}
+
+	for _, extraHost := range hostConfig.ExtraHosts {
+		if _, err := opts.ValidateExtraHost(extraHost); err != nil {
+			return nil, err
+		}
+	}
+
+	for port := range hostConfig.PortBindings {
+		_, portStr := nat.SplitProtoPort(string(port))
+		if _, err := nat.ParsePort(portStr); err != nil {
+			return nil, errors.Errorf("invalid port specification: %q", portStr)
+		}
+		for _, pb := range hostConfig.PortBindings[port] {
+			_, err := nat.NewPort(nat.SplitProtoPort(pb.HostPort))
+			if err != nil {
+				return nil, errors.Errorf("invalid port specification: %q", pb.HostPort)
+			}
+		}
+	}
+
+	p := hostConfig.RestartPolicy
+
+	switch p.Name {
+	case "always", "unless-stopped", "no":
+		if p.MaximumRetryCount != 0 {
+			return nil, errors.Errorf("maximum retry count cannot be used with restart policy '%s'", p.Name)
+		}
+	case "on-failure":
+		if p.MaximumRetryCount < 0 {
+			return nil, errors.Errorf("maximum retry count cannot be negative")
+		}
+	case "":
+		// do nothing
+	default:
+		return nil, errors.Errorf("invalid restart policy '%s'", p.Name)
+	}
+
+	if !hostConfig.Isolation.IsValid() {
+		return nil, errors.Errorf("invalid isolation '%s' on %s", hostConfig.Isolation, runtime.GOOS)
+	}
+
+	var (
+		err      error
+		warnings []string
+	)
+	// Now do platform-specific verification
+	if warnings, err = verifyPlatformContainerSettings(daemon, hostConfig, config, update); err != nil {
+		return warnings, err
+	}
+	if hostConfig.NetworkMode.IsHost() && len(hostConfig.PortBindings) > 0 {
+		warnings = append(warnings, "Published ports are discarded when using host network mode")
+	}
+	return warnings, err
+}
diff --git a/engine/daemon/container_linux.go b/engine/daemon/container_linux.go
new file mode 100644
index 00000000..e6f5bf2c
--- /dev/null
+++ b/engine/daemon/container_linux.go
@@ -0,0 +1,30 @@
+//+build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+)
+
+func (daemon *Daemon) saveApparmorConfig(container *container.Container) error {
+	container.AppArmorProfile = "" //we don't care about the previous value.
+
+	if !daemon.apparmorEnabled {
+		return nil // if apparmor is disabled there is nothing to do here.
+	}
+
+	if err := parseSecurityOpt(container, container.HostConfig); err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	if !container.HostConfig.Privileged {
+		if container.AppArmorProfile == "" {
+			container.AppArmorProfile = defaultApparmorProfile
+		}
+
+	} else {
+		container.AppArmorProfile = "unconfined"
+	}
+	return nil
+}
diff --git a/engine/daemon/container_operations.go b/engine/daemon/container_operations.go
new file mode 100644
index 00000000..df84f88f
--- /dev/null
+++ b/engine/daemon/container_operations.go
@@ -0,0 +1,1150 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"path"
+	"runtime"
+	"strings"
+	"time"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/network"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/runconfig"
+	"github.com/docker/go-connections/nat"
+	"github.com/docker/libnetwork"
+	netconst "github.com/docker/libnetwork/datastore"
+	"github.com/docker/libnetwork/netlabel"
+	"github.com/docker/libnetwork/options"
+	"github.com/docker/libnetwork/types"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// ErrRootFSReadOnly is returned when a container
+	// rootfs is marked readonly.
+	ErrRootFSReadOnly = errors.New("container rootfs is marked read-only")
+	getPortMapInfo    = getSandboxPortMapInfo
+)
+
+func (daemon *Daemon) getDNSSearchSettings(container *container.Container) []string {
+	if len(container.HostConfig.DNSSearch) > 0 {
+		return container.HostConfig.DNSSearch
+	}
+
+	if len(daemon.configStore.DNSSearch) > 0 {
+		return daemon.configStore.DNSSearch
+	}
+
+	return nil
+}
+
+func (daemon *Daemon) buildSandboxOptions(container *container.Container) ([]libnetwork.SandboxOption, error) {
+	var (
+		sboxOptions []libnetwork.SandboxOption
+		err         error
+		dns         []string
+		dnsOptions  []string
+		bindings    = make(nat.PortMap)
+		pbList      []types.PortBinding
+		exposeList  []types.TransportPort
+	)
+
+	defaultNetName := runconfig.DefaultDaemonNetworkMode().NetworkName()
+	sboxOptions = append(sboxOptions, libnetwork.OptionHostname(container.Config.Hostname),
+		libnetwork.OptionDomainname(container.Config.Domainname))
+
+	if container.HostConfig.NetworkMode.IsHost() {
+		sboxOptions = append(sboxOptions, libnetwork.OptionUseDefaultSandbox())
+		if len(container.HostConfig.ExtraHosts) == 0 {
+			sboxOptions = append(sboxOptions, libnetwork.OptionOriginHostsPath("/etc/hosts"))
+		}
+		if len(container.HostConfig.DNS) == 0 && len(daemon.configStore.DNS) == 0 &&
+			len(container.HostConfig.DNSSearch) == 0 && len(daemon.configStore.DNSSearch) == 0 &&
+			len(container.HostConfig.DNSOptions) == 0 && len(daemon.configStore.DNSOptions) == 0 {
+			sboxOptions = append(sboxOptions, libnetwork.OptionOriginResolvConfPath("/etc/resolv.conf"))
+		}
+	} else {
+		// OptionUseExternalKey is mandatory for userns support.
+		// But optional for non-userns support
+		sboxOptions = append(sboxOptions, libnetwork.OptionUseExternalKey())
+	}
+
+	if err = setupPathsAndSandboxOptions(container, &sboxOptions); err != nil {
+		return nil, err
+	}
+
+	if len(container.HostConfig.DNS) > 0 {
+		dns = container.HostConfig.DNS
+	} else if len(daemon.configStore.DNS) > 0 {
+		dns = daemon.configStore.DNS
+	}
+
+	for _, d := range dns {
+		sboxOptions = append(sboxOptions, libnetwork.OptionDNS(d))
+	}
+
+	dnsSearch := daemon.getDNSSearchSettings(container)
+
+	for _, ds := range dnsSearch {
+		sboxOptions = append(sboxOptions, libnetwork.OptionDNSSearch(ds))
+	}
+
+	if len(container.HostConfig.DNSOptions) > 0 {
+		dnsOptions = container.HostConfig.DNSOptions
+	} else if len(daemon.configStore.DNSOptions) > 0 {
+		dnsOptions = daemon.configStore.DNSOptions
+	}
+
+	for _, ds := range dnsOptions {
+		sboxOptions = append(sboxOptions, libnetwork.OptionDNSOptions(ds))
+	}
+
+	if container.NetworkSettings.SecondaryIPAddresses != nil {
+		name := container.Config.Hostname
+		if container.Config.Domainname != "" {
+			name = name + "." + container.Config.Domainname
+		}
+
+		for _, a := range container.NetworkSettings.SecondaryIPAddresses {
+			sboxOptions = append(sboxOptions, libnetwork.OptionExtraHost(name, a.Addr))
+		}
+	}
+
+	for _, extraHost := range container.HostConfig.ExtraHosts {
+		// allow IPv6 addresses in extra hosts; only split on first ":"
+		if _, err := opts.ValidateExtraHost(extraHost); err != nil {
+			return nil, err
+		}
+		parts := strings.SplitN(extraHost, ":", 2)
+		sboxOptions = append(sboxOptions, libnetwork.OptionExtraHost(parts[0], parts[1]))
+	}
+
+	if container.HostConfig.PortBindings != nil {
+		for p, b := range container.HostConfig.PortBindings {
+			bindings[p] = []nat.PortBinding{}
+			for _, bb := range b {
+				bindings[p] = append(bindings[p], nat.PortBinding{
+					HostIP:   bb.HostIP,
+					HostPort: bb.HostPort,
+				})
+			}
+		}
+	}
+
+	portSpecs := container.Config.ExposedPorts
+	ports := make([]nat.Port, len(portSpecs))
+	var i int
+	for p := range portSpecs {
+		ports[i] = p
+		i++
+	}
+	nat.SortPortMap(ports, bindings)
+	for _, port := range ports {
+		expose := types.TransportPort{}
+		expose.Proto = types.ParseProtocol(port.Proto())
+		expose.Port = uint16(port.Int())
+		exposeList = append(exposeList, expose)
+
+		pb := types.PortBinding{Port: expose.Port, Proto: expose.Proto}
+		binding := bindings[port]
+		for i := 0; i < len(binding); i++ {
+			pbCopy := pb.GetCopy()
+			newP, err := nat.NewPort(nat.SplitProtoPort(binding[i].HostPort))
+			var portStart, portEnd int
+			if err == nil {
+				portStart, portEnd, err = newP.Range()
+			}
+			if err != nil {
+				return nil, fmt.Errorf("Error parsing HostPort value(%s):%v", binding[i].HostPort, err)
+			}
+			pbCopy.HostPort = uint16(portStart)
+			pbCopy.HostPortEnd = uint16(portEnd)
+			pbCopy.HostIP = net.ParseIP(binding[i].HostIP)
+			pbList = append(pbList, pbCopy)
+		}
+
+		if container.HostConfig.PublishAllPorts && len(binding) == 0 {
+			pbList = append(pbList, pb)
+		}
+	}
+
+	sboxOptions = append(sboxOptions,
+		libnetwork.OptionPortMapping(pbList),
+		libnetwork.OptionExposedPorts(exposeList))
+
+	// Legacy Link feature is supported only for the default bridge network.
+	// return if this call to build join options is not for default bridge network
+	// Legacy Link is only supported by docker run --link
+	bridgeSettings, ok := container.NetworkSettings.Networks[defaultNetName]
+	if !ok || bridgeSettings.EndpointSettings == nil {
+		return sboxOptions, nil
+	}
+
+	if bridgeSettings.EndpointID == "" {
+		return sboxOptions, nil
+	}
+
+	var (
+		childEndpoints, parentEndpoints []string
+		cEndpointID                     string
+	)
+
+	children := daemon.children(container)
+	for linkAlias, child := range children {
+		if !isLinkable(child) {
+			return nil, fmt.Errorf("Cannot link to %s, as it does not belong to the default network", child.Name)
+		}
+		_, alias := path.Split(linkAlias)
+		// allow access to the linked container via the alias, real name, and container hostname
+		aliasList := alias + " " + child.Config.Hostname
+		// only add the name if alias isn't equal to the name
+		if alias != child.Name[1:] {
+			aliasList = aliasList + " " + child.Name[1:]
+		}
+		sboxOptions = append(sboxOptions, libnetwork.OptionExtraHost(aliasList, child.NetworkSettings.Networks[defaultNetName].IPAddress))
+		cEndpointID = child.NetworkSettings.Networks[defaultNetName].EndpointID
+		if cEndpointID != "" {
+			childEndpoints = append(childEndpoints, cEndpointID)
+		}
+	}
+
+	for alias, parent := range daemon.parents(container) {
+		if daemon.configStore.DisableBridge || !container.HostConfig.NetworkMode.IsPrivate() {
+			continue
+		}
+
+		_, alias = path.Split(alias)
+		logrus.Debugf("Update /etc/hosts of %s for alias %s with ip %s", parent.ID, alias, bridgeSettings.IPAddress)
+		sboxOptions = append(sboxOptions, libnetwork.OptionParentUpdate(
+			parent.ID,
+			alias,
+			bridgeSettings.IPAddress,
+		))
+		if cEndpointID != "" {
+			parentEndpoints = append(parentEndpoints, cEndpointID)
+		}
+	}
+
+	linkOptions := options.Generic{
+		netlabel.GenericData: options.Generic{
+			"ParentEndpoints": parentEndpoints,
+			"ChildEndpoints":  childEndpoints,
+		},
+	}
+
+	sboxOptions = append(sboxOptions, libnetwork.OptionGeneric(linkOptions))
+	return sboxOptions, nil
+}
+
+func (daemon *Daemon) updateNetworkSettings(container *container.Container, n libnetwork.Network, endpointConfig *networktypes.EndpointSettings) error {
+	if container.NetworkSettings == nil {
+		container.NetworkSettings = &network.Settings{Networks: make(map[string]*network.EndpointSettings)}
+	}
+
+	if !container.HostConfig.NetworkMode.IsHost() && containertypes.NetworkMode(n.Type()).IsHost() {
+		return runconfig.ErrConflictHostNetwork
+	}
+
+	for s, v := range container.NetworkSettings.Networks {
+		sn, err := daemon.FindNetwork(getNetworkID(s, v.EndpointSettings))
+		if err != nil {
+			continue
+		}
+
+		if sn.Name() == n.Name() {
+			// If the network scope is swarm, then this
+			// is an attachable network, which may not
+			// be locally available previously.
+			// So always update.
+			if n.Info().Scope() == netconst.SwarmScope {
+				continue
+			}
+			// Avoid duplicate config
+			return nil
+		}
+		if !containertypes.NetworkMode(sn.Type()).IsPrivate() ||
+			!containertypes.NetworkMode(n.Type()).IsPrivate() {
+			return runconfig.ErrConflictSharedNetwork
+		}
+		if containertypes.NetworkMode(sn.Name()).IsNone() ||
+			containertypes.NetworkMode(n.Name()).IsNone() {
+			return runconfig.ErrConflictNoNetwork
+		}
+	}
+
+	container.NetworkSettings.Networks[n.Name()] = &network.EndpointSettings{
+		EndpointSettings: endpointConfig,
+	}
+
+	return nil
+}
+
+func (daemon *Daemon) updateEndpointNetworkSettings(container *container.Container, n libnetwork.Network, ep libnetwork.Endpoint) error {
+	if err := buildEndpointInfo(container.NetworkSettings, n, ep); err != nil {
+		return err
+	}
+
+	if container.HostConfig.NetworkMode == runconfig.DefaultDaemonNetworkMode() {
+		container.NetworkSettings.Bridge = daemon.configStore.BridgeConfig.Iface
+	}
+
+	return nil
+}
+
+// UpdateNetwork is used to update the container's network (e.g. when linked containers
+// get removed/unlinked).
+func (daemon *Daemon) updateNetwork(container *container.Container) error {
+	var (
+		start = time.Now()
+		ctrl  = daemon.netController
+		sid   = container.NetworkSettings.SandboxID
+	)
+
+	sb, err := ctrl.SandboxByID(sid)
+	if err != nil {
+		return fmt.Errorf("error locating sandbox id %s: %v", sid, err)
+	}
+
+	// Find if container is connected to the default bridge network
+	var n libnetwork.Network
+	for name, v := range container.NetworkSettings.Networks {
+		sn, err := daemon.FindNetwork(getNetworkID(name, v.EndpointSettings))
+		if err != nil {
+			continue
+		}
+		if sn.Name() == runconfig.DefaultDaemonNetworkMode().NetworkName() {
+			n = sn
+			break
+		}
+	}
+
+	if n == nil {
+		// Not connected to the default bridge network; Nothing to do
+		return nil
+	}
+
+	options, err := daemon.buildSandboxOptions(container)
+	if err != nil {
+		return fmt.Errorf("Update network failed: %v", err)
+	}
+
+	if err := sb.Refresh(options...); err != nil {
+		return fmt.Errorf("Update network failed: Failure in refresh sandbox %s: %v", sid, err)
+	}
+
+	networkActions.WithValues("update").UpdateSince(start)
+
+	return nil
+}
+
+func (daemon *Daemon) findAndAttachNetwork(container *container.Container, idOrName string, epConfig *networktypes.EndpointSettings) (libnetwork.Network, *networktypes.NetworkingConfig, error) {
+	id := getNetworkID(idOrName, epConfig)
+
+	n, err := daemon.FindNetwork(id)
+	if err != nil {
+		// We should always be able to find the network for a
+		// managed container.
+		if container.Managed {
+			return nil, nil, err
+		}
+	}
+
+	// If we found a network and if it is not dynamically created
+	// we should never attempt to attach to that network here.
+	if n != nil {
+		if container.Managed || !n.Info().Dynamic() {
+			return n, nil, nil
+		}
+	}
+
+	var addresses []string
+	if epConfig != nil && epConfig.IPAMConfig != nil {
+		if epConfig.IPAMConfig.IPv4Address != "" {
+			addresses = append(addresses, epConfig.IPAMConfig.IPv4Address)
+		}
+
+		if epConfig.IPAMConfig.IPv6Address != "" {
+			addresses = append(addresses, epConfig.IPAMConfig.IPv6Address)
+		}
+	}
+
+	var (
+		config     *networktypes.NetworkingConfig
+		retryCount int
+	)
+
+	if n == nil && daemon.attachableNetworkLock != nil {
+		daemon.attachableNetworkLock.Lock(id)
+		defer daemon.attachableNetworkLock.Unlock(id)
+	}
+
+	for {
+		// In all other cases, attempt to attach to the network to
+		// trigger attachment in the swarm cluster manager.
+		if daemon.clusterProvider != nil {
+			var err error
+			config, err = daemon.clusterProvider.AttachNetwork(id, container.ID, addresses)
+			if err != nil {
+				return nil, nil, err
+			}
+		}
+
+		n, err = daemon.FindNetwork(id)
+		if err != nil {
+			if daemon.clusterProvider != nil {
+				if err := daemon.clusterProvider.DetachNetwork(id, container.ID); err != nil {
+					logrus.Warnf("Could not rollback attachment for container %s to network %s: %v", container.ID, idOrName, err)
+				}
+			}
+
+			// Retry network attach again if we failed to
+			// find the network after successful
+			// attachment because the only reason that
+			// would happen is if some other container
+			// attached to the swarm scope network went down
+			// and removed the network while we were in
+			// the process of attaching.
+			if config != nil {
+				if _, ok := err.(libnetwork.ErrNoSuchNetwork); ok {
+					if retryCount >= 5 {
+						return nil, nil, fmt.Errorf("could not find network %s after successful attachment", idOrName)
+					}
+					retryCount++
+					continue
+				}
+			}
+
+			return nil, nil, err
+		}
+
+		break
+	}
+
+	// This container has attachment to a swarm scope
+	// network. Update the container network settings accordingly.
+	container.NetworkSettings.HasSwarmEndpoint = true
+	return n, config, nil
+}
+
+// updateContainerNetworkSettings updates the network settings
+func (daemon *Daemon) updateContainerNetworkSettings(container *container.Container, endpointsConfig map[string]*networktypes.EndpointSettings) {
+	var n libnetwork.Network
+
+	mode := container.HostConfig.NetworkMode
+	if container.Config.NetworkDisabled || mode.IsContainer() {
+		return
+	}
+
+	networkName := mode.NetworkName()
+	if mode.IsDefault() {
+		networkName = daemon.netController.Config().Daemon.DefaultNetwork
+	}
+
+	if mode.IsUserDefined() {
+		var err error
+
+		n, err = daemon.FindNetwork(networkName)
+		if err == nil {
+			networkName = n.Name()
+		}
+	}
+
+	if container.NetworkSettings == nil {
+		container.NetworkSettings = &network.Settings{}
+	}
+
+	if len(endpointsConfig) > 0 {
+		if container.NetworkSettings.Networks == nil {
+			container.NetworkSettings.Networks = make(map[string]*network.EndpointSettings)
+		}
+
+		for name, epConfig := range endpointsConfig {
+			container.NetworkSettings.Networks[name] = &network.EndpointSettings{
+				EndpointSettings: epConfig,
+			}
+		}
+	}
+
+	if container.NetworkSettings.Networks == nil {
+		container.NetworkSettings.Networks = make(map[string]*network.EndpointSettings)
+		container.NetworkSettings.Networks[networkName] = &network.EndpointSettings{
+			EndpointSettings: &networktypes.EndpointSettings{},
+		}
+	}
+
+	// Convert any settings added by client in default name to
+	// engine's default network name key
+	if mode.IsDefault() {
+		if nConf, ok := container.NetworkSettings.Networks[mode.NetworkName()]; ok {
+			container.NetworkSettings.Networks[networkName] = nConf
+			delete(container.NetworkSettings.Networks, mode.NetworkName())
+		}
+	}
+
+	if !mode.IsUserDefined() {
+		return
+	}
+	// Make sure to internally store the per network endpoint config by network name
+	if _, ok := container.NetworkSettings.Networks[networkName]; ok {
+		return
+	}
+
+	if n != nil {
+		if nwConfig, ok := container.NetworkSettings.Networks[n.ID()]; ok {
+			container.NetworkSettings.Networks[networkName] = nwConfig
+			delete(container.NetworkSettings.Networks, n.ID())
+			return
+		}
+	}
+}
+
+func (daemon *Daemon) allocateNetwork(container *container.Container) error {
+	start := time.Now()
+	controller := daemon.netController
+
+	if daemon.netController == nil {
+		return nil
+	}
+
+	// Cleanup any stale sandbox left over due to ungraceful daemon shutdown
+	if err := controller.SandboxDestroy(container.ID); err != nil {
+		logrus.Errorf("failed to cleanup up stale network sandbox for container %s", container.ID)
+	}
+
+	if container.Config.NetworkDisabled || container.HostConfig.NetworkMode.IsContainer() {
+		return nil
+	}
+
+	updateSettings := false
+
+	if len(container.NetworkSettings.Networks) == 0 {
+		daemon.updateContainerNetworkSettings(container, nil)
+		updateSettings = true
+	}
+
+	// always connect default network first since only default
+	// network mode support link and we need do some setting
+	// on sandbox initialize for link, but the sandbox only be initialized
+	// on first network connecting.
+	defaultNetName := runconfig.DefaultDaemonNetworkMode().NetworkName()
+	if nConf, ok := container.NetworkSettings.Networks[defaultNetName]; ok {
+		cleanOperationalData(nConf)
+		if err := daemon.connectToNetwork(container, defaultNetName, nConf.EndpointSettings, updateSettings); err != nil {
+			return err
+		}
+
+	}
+
+	// the intermediate map is necessary because "connectToNetwork" modifies "container.NetworkSettings.Networks"
+	networks := make(map[string]*network.EndpointSettings)
+	for n, epConf := range container.NetworkSettings.Networks {
+		if n == defaultNetName {
+			continue
+		}
+
+		networks[n] = epConf
+	}
+
+	for netName, epConf := range networks {
+		cleanOperationalData(epConf)
+		if err := daemon.connectToNetwork(container, netName, epConf.EndpointSettings, updateSettings); err != nil {
+			return err
+		}
+	}
+
+	// If the container is not to be connected to any network,
+	// create its network sandbox now if not present
+	if len(networks) == 0 {
+		if nil == daemon.getNetworkSandbox(container) {
+			options, err := daemon.buildSandboxOptions(container)
+			if err != nil {
+				return err
+			}
+			sb, err := daemon.netController.NewSandbox(container.ID, options...)
+			if err != nil {
+				return err
+			}
+			updateSandboxNetworkSettings(container, sb)
+			defer func() {
+				if err != nil {
+					sb.Delete()
+				}
+			}()
+		}
+
+	}
+
+	if _, err := container.WriteHostConfig(); err != nil {
+		return err
+	}
+	networkActions.WithValues("allocate").UpdateSince(start)
+	return nil
+}
+
+func (daemon *Daemon) getNetworkSandbox(container *container.Container) libnetwork.Sandbox {
+	var sb libnetwork.Sandbox
+	daemon.netController.WalkSandboxes(func(s libnetwork.Sandbox) bool {
+		if s.ContainerID() == container.ID {
+			sb = s
+			return true
+		}
+		return false
+	})
+	return sb
+}
+
+// hasUserDefinedIPAddress returns whether the passed endpoint configuration contains IP address configuration
+func hasUserDefinedIPAddress(epConfig *networktypes.EndpointSettings) bool {
+	return epConfig != nil && epConfig.IPAMConfig != nil && (len(epConfig.IPAMConfig.IPv4Address) > 0 || len(epConfig.IPAMConfig.IPv6Address) > 0)
+}
+
+// User specified ip address is acceptable only for networks with user specified subnets.
+func validateNetworkingConfig(n libnetwork.Network, epConfig *networktypes.EndpointSettings) error {
+	if n == nil || epConfig == nil {
+		return nil
+	}
+	if !hasUserDefinedIPAddress(epConfig) {
+		return nil
+	}
+	_, _, nwIPv4Configs, nwIPv6Configs := n.Info().IpamConfig()
+	for _, s := range []struct {
+		ipConfigured  bool
+		subnetConfigs []*libnetwork.IpamConf
+	}{
+		{
+			ipConfigured:  len(epConfig.IPAMConfig.IPv4Address) > 0,
+			subnetConfigs: nwIPv4Configs,
+		},
+		{
+			ipConfigured:  len(epConfig.IPAMConfig.IPv6Address) > 0,
+			subnetConfigs: nwIPv6Configs,
+		},
+	} {
+		if s.ipConfigured {
+			foundSubnet := false
+			for _, cfg := range s.subnetConfigs {
+				if len(cfg.PreferredPool) > 0 {
+					foundSubnet = true
+					break
+				}
+			}
+			if !foundSubnet {
+				return runconfig.ErrUnsupportedNetworkNoSubnetAndIP
+			}
+		}
+	}
+
+	return nil
+}
+
+// cleanOperationalData resets the operational data from the passed endpoint settings
+func cleanOperationalData(es *network.EndpointSettings) {
+	es.EndpointID = ""
+	es.Gateway = ""
+	es.IPAddress = ""
+	es.IPPrefixLen = 0
+	es.IPv6Gateway = ""
+	es.GlobalIPv6Address = ""
+	es.GlobalIPv6PrefixLen = 0
+	es.MacAddress = ""
+	if es.IPAMOperational {
+		es.IPAMConfig = nil
+	}
+}
+
+func (daemon *Daemon) updateNetworkConfig(container *container.Container, n libnetwork.Network, endpointConfig *networktypes.EndpointSettings, updateSettings bool) error {
+
+	if !containertypes.NetworkMode(n.Name()).IsUserDefined() {
+		if hasUserDefinedIPAddress(endpointConfig) && !enableIPOnPredefinedNetwork() {
+			return runconfig.ErrUnsupportedNetworkAndIP
+		}
+		if endpointConfig != nil && len(endpointConfig.Aliases) > 0 && !container.EnableServiceDiscoveryOnDefaultNetwork() {
+			return runconfig.ErrUnsupportedNetworkAndAlias
+		}
+	} else {
+		addShortID := true
+		shortID := stringid.TruncateID(container.ID)
+		for _, alias := range endpointConfig.Aliases {
+			if alias == shortID {
+				addShortID = false
+				break
+			}
+		}
+		if addShortID {
+			endpointConfig.Aliases = append(endpointConfig.Aliases, shortID)
+		}
+	}
+
+	if err := validateNetworkingConfig(n, endpointConfig); err != nil {
+		return err
+	}
+
+	if updateSettings {
+		if err := daemon.updateNetworkSettings(container, n, endpointConfig); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (daemon *Daemon) connectToNetwork(container *container.Container, idOrName string, endpointConfig *networktypes.EndpointSettings, updateSettings bool) (err error) {
+	start := time.Now()
+	if container.HostConfig.NetworkMode.IsContainer() {
+		return runconfig.ErrConflictSharedNetwork
+	}
+	if containertypes.NetworkMode(idOrName).IsBridge() &&
+		daemon.configStore.DisableBridge {
+		container.Config.NetworkDisabled = true
+		return nil
+	}
+	if endpointConfig == nil {
+		endpointConfig = &networktypes.EndpointSettings{}
+	}
+
+	n, config, err := daemon.findAndAttachNetwork(container, idOrName, endpointConfig)
+	if err != nil {
+		return err
+	}
+	if n == nil {
+		return nil
+	}
+
+	var operIPAM bool
+	if config != nil {
+		if epConfig, ok := config.EndpointsConfig[n.Name()]; ok {
+			if endpointConfig.IPAMConfig == nil ||
+				(endpointConfig.IPAMConfig.IPv4Address == "" &&
+					endpointConfig.IPAMConfig.IPv6Address == "" &&
+					len(endpointConfig.IPAMConfig.LinkLocalIPs) == 0) {
+				operIPAM = true
+			}
+
+			// copy IPAMConfig and NetworkID from epConfig via AttachNetwork
+			endpointConfig.IPAMConfig = epConfig.IPAMConfig
+			endpointConfig.NetworkID = epConfig.NetworkID
+		}
+	}
+
+	err = daemon.updateNetworkConfig(container, n, endpointConfig, updateSettings)
+	if err != nil {
+		return err
+	}
+
+	controller := daemon.netController
+	sb := daemon.getNetworkSandbox(container)
+	createOptions, err := buildCreateEndpointOptions(container, n, endpointConfig, sb, daemon.configStore.DNS)
+	if err != nil {
+		return err
+	}
+
+	endpointName := strings.TrimPrefix(container.Name, "/")
+	ep, err := n.CreateEndpoint(endpointName, createOptions...)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err != nil {
+			if e := ep.Delete(false); e != nil {
+				logrus.Warnf("Could not rollback container connection to network %s", idOrName)
+			}
+		}
+	}()
+	container.NetworkSettings.Networks[n.Name()] = &network.EndpointSettings{
+		EndpointSettings: endpointConfig,
+		IPAMOperational:  operIPAM,
+	}
+	if _, ok := container.NetworkSettings.Networks[n.ID()]; ok {
+		delete(container.NetworkSettings.Networks, n.ID())
+	}
+
+	if err := daemon.updateEndpointNetworkSettings(container, n, ep); err != nil {
+		return err
+	}
+
+	if sb == nil {
+		options, err := daemon.buildSandboxOptions(container)
+		if err != nil {
+			return err
+		}
+		sb, err = controller.NewSandbox(container.ID, options...)
+		if err != nil {
+			return err
+		}
+
+		updateSandboxNetworkSettings(container, sb)
+	}
+
+	joinOptions, err := buildJoinOptions(container.NetworkSettings, n)
+	if err != nil {
+		return err
+	}
+
+	if err := ep.Join(sb, joinOptions...); err != nil {
+		return err
+	}
+
+	if !container.Managed {
+		// add container name/alias to DNS
+		if err := daemon.ActivateContainerServiceBinding(container.Name); err != nil {
+			return fmt.Errorf("Activate container service binding for %s failed: %v", container.Name, err)
+		}
+	}
+
+	if err := updateJoinInfo(container.NetworkSettings, n, ep); err != nil {
+		return fmt.Errorf("Updating join info failed: %v", err)
+	}
+
+	container.NetworkSettings.Ports = getPortMapInfo(sb)
+
+	daemon.LogNetworkEventWithAttributes(n, "connect", map[string]string{"container": container.ID})
+	networkActions.WithValues("connect").UpdateSince(start)
+	return nil
+}
+
+func updateJoinInfo(networkSettings *network.Settings, n libnetwork.Network, ep libnetwork.Endpoint) error { // nolint: interfacer
+	if ep == nil {
+		return errors.New("invalid enppoint whhile building portmap info")
+	}
+
+	if networkSettings == nil {
+		return errors.New("invalid network settings while building port map info")
+	}
+
+	if len(networkSettings.Ports) == 0 {
+		pm, err := getEndpointPortMapInfo(ep)
+		if err != nil {
+			return err
+		}
+		networkSettings.Ports = pm
+	}
+
+	epInfo := ep.Info()
+	if epInfo == nil {
+		// It is not an error to get an empty endpoint info
+		return nil
+	}
+	if epInfo.Gateway() != nil {
+		networkSettings.Networks[n.Name()].Gateway = epInfo.Gateway().String()
+	}
+	if epInfo.GatewayIPv6().To16() != nil {
+		networkSettings.Networks[n.Name()].IPv6Gateway = epInfo.GatewayIPv6().String()
+	}
+	return nil
+}
+
+// ForceEndpointDelete deletes an endpoint from a network forcefully
+func (daemon *Daemon) ForceEndpointDelete(name string, networkName string) error {
+	n, err := daemon.FindNetwork(networkName)
+	if err != nil {
+		return err
+	}
+
+	ep, err := n.EndpointByName(name)
+	if err != nil {
+		return err
+	}
+	return ep.Delete(true)
+}
+
+func (daemon *Daemon) disconnectFromNetwork(container *container.Container, n libnetwork.Network, force bool) error {
+	var (
+		ep   libnetwork.Endpoint
+		sbox libnetwork.Sandbox
+	)
+
+	s := func(current libnetwork.Endpoint) bool {
+		epInfo := current.Info()
+		if epInfo == nil {
+			return false
+		}
+		if sb := epInfo.Sandbox(); sb != nil {
+			if sb.ContainerID() == container.ID {
+				ep = current
+				sbox = sb
+				return true
+			}
+		}
+		return false
+	}
+	n.WalkEndpoints(s)
+
+	if ep == nil && force {
+		epName := strings.TrimPrefix(container.Name, "/")
+		ep, err := n.EndpointByName(epName)
+		if err != nil {
+			return err
+		}
+		return ep.Delete(force)
+	}
+
+	if ep == nil {
+		return fmt.Errorf("container %s is not connected to network %s", container.ID, n.Name())
+	}
+
+	if err := ep.Leave(sbox); err != nil {
+		return fmt.Errorf("container %s failed to leave network %s: %v", container.ID, n.Name(), err)
+	}
+
+	container.NetworkSettings.Ports = getPortMapInfo(sbox)
+
+	if err := ep.Delete(false); err != nil {
+		return fmt.Errorf("endpoint delete failed for container %s on network %s: %v", container.ID, n.Name(), err)
+	}
+
+	delete(container.NetworkSettings.Networks, n.Name())
+
+	daemon.tryDetachContainerFromClusterNetwork(n, container)
+
+	return nil
+}
+
+func (daemon *Daemon) tryDetachContainerFromClusterNetwork(network libnetwork.Network, container *container.Container) {
+	if daemon.clusterProvider != nil && network.Info().Dynamic() && !container.Managed {
+		if err := daemon.clusterProvider.DetachNetwork(network.Name(), container.ID); err != nil {
+			logrus.Warnf("error detaching from network %s: %v", network.Name(), err)
+			if err := daemon.clusterProvider.DetachNetwork(network.ID(), container.ID); err != nil {
+				logrus.Warnf("error detaching from network %s: %v", network.ID(), err)
+			}
+		}
+	}
+	attributes := map[string]string{
+		"container": container.ID,
+	}
+	daemon.LogNetworkEventWithAttributes(network, "disconnect", attributes)
+}
+
+func (daemon *Daemon) initializeNetworking(container *container.Container) error {
+	var err error
+
+	if container.HostConfig.NetworkMode.IsContainer() {
+		// we need to get the hosts files from the container to join
+		nc, err := daemon.getNetworkedContainer(container.ID, container.HostConfig.NetworkMode.ConnectedContainer())
+		if err != nil {
+			return err
+		}
+
+		err = daemon.initializeNetworkingPaths(container, nc)
+		if err != nil {
+			return err
+		}
+
+		container.Config.Hostname = nc.Config.Hostname
+		container.Config.Domainname = nc.Config.Domainname
+		return nil
+	}
+
+	if container.HostConfig.NetworkMode.IsHost() {
+		if container.Config.Hostname == "" {
+			container.Config.Hostname, err = os.Hostname()
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	if err := daemon.allocateNetwork(container); err != nil {
+		return err
+	}
+
+	return container.BuildHostnameFile()
+}
+
+func (daemon *Daemon) getNetworkedContainer(containerID, connectedContainerID string) (*container.Container, error) {
+	nc, err := daemon.GetContainer(connectedContainerID)
+	if err != nil {
+		return nil, err
+	}
+	if containerID == nc.ID {
+		return nil, fmt.Errorf("cannot join own network")
+	}
+	if !nc.IsRunning() {
+		err := fmt.Errorf("cannot join network of a non running container: %s", connectedContainerID)
+		return nil, errdefs.Conflict(err)
+	}
+	if nc.IsRestarting() {
+		return nil, errContainerIsRestarting(connectedContainerID)
+	}
+	return nc, nil
+}
+
+func (daemon *Daemon) releaseNetwork(container *container.Container) {
+	start := time.Now()
+	if daemon.netController == nil {
+		return
+	}
+	if container.HostConfig.NetworkMode.IsContainer() || container.Config.NetworkDisabled {
+		return
+	}
+
+	sid := container.NetworkSettings.SandboxID
+	settings := container.NetworkSettings.Networks
+	container.NetworkSettings.Ports = nil
+
+	if sid == "" {
+		return
+	}
+
+	var networks []libnetwork.Network
+	for n, epSettings := range settings {
+		if nw, err := daemon.FindNetwork(getNetworkID(n, epSettings.EndpointSettings)); err == nil {
+			networks = append(networks, nw)
+		}
+
+		if epSettings.EndpointSettings == nil {
+			continue
+		}
+
+		cleanOperationalData(epSettings)
+	}
+
+	sb, err := daemon.netController.SandboxByID(sid)
+	if err != nil {
+		logrus.Warnf("error locating sandbox id %s: %v", sid, err)
+		return
+	}
+
+	if err := sb.Delete(); err != nil {
+		logrus.Errorf("Error deleting sandbox id %s for container %s: %v", sid, container.ID, err)
+	}
+
+	for _, nw := range networks {
+		daemon.tryDetachContainerFromClusterNetwork(nw, container)
+	}
+	networkActions.WithValues("release").UpdateSince(start)
+}
+
+func errRemovalContainer(containerID string) error {
+	return fmt.Errorf("Container %s is marked for removal and cannot be connected or disconnected to the network", containerID)
+}
+
+// ConnectToNetwork connects a container to a network
+func (daemon *Daemon) ConnectToNetwork(container *container.Container, idOrName string, endpointConfig *networktypes.EndpointSettings) error {
+	if endpointConfig == nil {
+		endpointConfig = &networktypes.EndpointSettings{}
+	}
+	container.Lock()
+	defer container.Unlock()
+
+	if !container.Running {
+		if container.RemovalInProgress || container.Dead {
+			return errRemovalContainer(container.ID)
+		}
+
+		n, err := daemon.FindNetwork(idOrName)
+		if err == nil && n != nil {
+			if err := daemon.updateNetworkConfig(container, n, endpointConfig, true); err != nil {
+				return err
+			}
+		} else {
+			container.NetworkSettings.Networks[idOrName] = &network.EndpointSettings{
+				EndpointSettings: endpointConfig,
+			}
+		}
+	} else if !daemon.isNetworkHotPluggable() {
+		return fmt.Errorf(runtime.GOOS + " does not support connecting a running container to a network")
+	} else {
+		if err := daemon.connectToNetwork(container, idOrName, endpointConfig, true); err != nil {
+			return err
+		}
+	}
+
+	return container.CheckpointTo(daemon.containersReplica)
+}
+
+// DisconnectFromNetwork disconnects container from network n.
+func (daemon *Daemon) DisconnectFromNetwork(container *container.Container, networkName string, force bool) error {
+	n, err := daemon.FindNetwork(networkName)
+	container.Lock()
+	defer container.Unlock()
+
+	if !container.Running || (err != nil && force) {
+		if container.RemovalInProgress || container.Dead {
+			return errRemovalContainer(container.ID)
+		}
+		// In case networkName is resolved we will use n.Name()
+		// this will cover the case where network id is passed.
+		if n != nil {
+			networkName = n.Name()
+		}
+		if _, ok := container.NetworkSettings.Networks[networkName]; !ok {
+			return fmt.Errorf("container %s is not connected to the network %s", container.ID, networkName)
+		}
+		delete(container.NetworkSettings.Networks, networkName)
+	} else if err == nil && !daemon.isNetworkHotPluggable() {
+		return fmt.Errorf(runtime.GOOS + " does not support connecting a running container to a network")
+	} else if err == nil {
+		if container.HostConfig.NetworkMode.IsHost() && containertypes.NetworkMode(n.Type()).IsHost() {
+			return runconfig.ErrConflictHostNetwork
+		}
+
+		if err := daemon.disconnectFromNetwork(container, n, false); err != nil {
+			return err
+		}
+	} else {
+		return err
+	}
+
+	if err := container.CheckpointTo(daemon.containersReplica); err != nil {
+		return err
+	}
+
+	if n != nil {
+		daemon.LogNetworkEventWithAttributes(n, "disconnect", map[string]string{
+			"container": container.ID,
+		})
+	}
+
+	return nil
+}
+
+// ActivateContainerServiceBinding puts this container into load balancer active rotation and DNS response
+func (daemon *Daemon) ActivateContainerServiceBinding(containerName string) error {
+	container, err := daemon.GetContainer(containerName)
+	if err != nil {
+		return err
+	}
+	sb := daemon.getNetworkSandbox(container)
+	if sb == nil {
+		return fmt.Errorf("network sandbox does not exist for container %s", containerName)
+	}
+	return sb.EnableService()
+}
+
+// DeactivateContainerServiceBinding removes this container from load balancer active rotation, and DNS response
+func (daemon *Daemon) DeactivateContainerServiceBinding(containerName string) error {
+	container, err := daemon.GetContainer(containerName)
+	if err != nil {
+		return err
+	}
+	sb := daemon.getNetworkSandbox(container)
+	if sb == nil {
+		// If the network sandbox is not found, then there is nothing to deactivate
+		logrus.Debugf("Could not find network sandbox for container %s on service binding deactivation request", containerName)
+		return nil
+	}
+	return sb.DisableService()
+}
+
+func getNetworkID(name string, endpointSettings *networktypes.EndpointSettings) string {
+	// We only want to prefer NetworkID for user defined networks.
+	// For systems like bridge, none, etc. the name is preferred (otherwise restart may cause issues)
+	if containertypes.NetworkMode(name).IsUserDefined() && endpointSettings != nil && endpointSettings.NetworkID != "" {
+		return endpointSettings.NetworkID
+	}
+	return name
+}
+
+// updateSandboxNetworkSettings updates the sandbox ID and Key.
+func updateSandboxNetworkSettings(c *container.Container, sb libnetwork.Sandbox) error {
+	c.NetworkSettings.SandboxID = sb.ID()
+	c.NetworkSettings.SandboxKey = sb.Key()
+	return nil
+}
diff --git a/engine/daemon/container_operations_unix.go b/engine/daemon/container_operations_unix.go
new file mode 100644
index 00000000..bc7ee452
--- /dev/null
+++ b/engine/daemon/container_operations_unix.go
@@ -0,0 +1,403 @@
+// +build linux freebsd
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strconv"
+	"time"
+
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/links"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/runconfig"
+	"github.com/docker/libnetwork"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func (daemon *Daemon) setupLinkedContainers(container *container.Container) ([]string, error) {
+	var env []string
+	children := daemon.children(container)
+
+	bridgeSettings := container.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()]
+	if bridgeSettings == nil || bridgeSettings.EndpointSettings == nil {
+		return nil, nil
+	}
+
+	for linkAlias, child := range children {
+		if !child.IsRunning() {
+			return nil, fmt.Errorf("Cannot link to a non running container: %s AS %s", child.Name, linkAlias)
+		}
+
+		childBridgeSettings := child.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()]
+		if childBridgeSettings == nil || childBridgeSettings.EndpointSettings == nil {
+			return nil, fmt.Errorf("container %s not attached to default bridge network", child.ID)
+		}
+
+		link := links.NewLink(
+			bridgeSettings.IPAddress,
+			childBridgeSettings.IPAddress,
+			linkAlias,
+			child.Config.Env,
+			child.Config.ExposedPorts,
+		)
+
+		env = append(env, link.ToEnv()...)
+	}
+
+	return env, nil
+}
+
+func (daemon *Daemon) getIpcContainer(id string) (*container.Container, error) {
+	errMsg := "can't join IPC of container " + id
+	// Check the container exists
+	container, err := daemon.GetContainer(id)
+	if err != nil {
+		return nil, errors.Wrap(err, errMsg)
+	}
+	// Check the container is running and not restarting
+	if err := daemon.checkContainer(container, containerIsRunning, containerIsNotRestarting); err != nil {
+		return nil, errors.Wrap(err, errMsg)
+	}
+	// Check the container ipc is shareable
+	if st, err := os.Stat(container.ShmPath); err != nil || !st.IsDir() {
+		if err == nil || os.IsNotExist(err) {
+			return nil, errors.New(errMsg + ": non-shareable IPC")
+		}
+		// stat() failed?
+		return nil, errors.Wrap(err, errMsg+": unexpected error from stat "+container.ShmPath)
+	}
+
+	return container, nil
+}
+
+func (daemon *Daemon) getPidContainer(container *container.Container) (*container.Container, error) {
+	containerID := container.HostConfig.PidMode.Container()
+	container, err := daemon.GetContainer(containerID)
+	if err != nil {
+		return nil, errors.Wrapf(err, "cannot join PID of a non running container: %s", containerID)
+	}
+	return container, daemon.checkContainer(container, containerIsRunning, containerIsNotRestarting)
+}
+
+func containerIsRunning(c *container.Container) error {
+	if !c.IsRunning() {
+		return errdefs.Conflict(errors.Errorf("container %s is not running", c.ID))
+	}
+	return nil
+}
+
+func containerIsNotRestarting(c *container.Container) error {
+	if c.IsRestarting() {
+		return errContainerIsRestarting(c.ID)
+	}
+	return nil
+}
+
+func (daemon *Daemon) setupIpcDirs(c *container.Container) error {
+	ipcMode := c.HostConfig.IpcMode
+
+	switch {
+	case ipcMode.IsContainer():
+		ic, err := daemon.getIpcContainer(ipcMode.Container())
+		if err != nil {
+			return err
+		}
+		c.ShmPath = ic.ShmPath
+
+	case ipcMode.IsHost():
+		if _, err := os.Stat("/dev/shm"); err != nil {
+			return fmt.Errorf("/dev/shm is not mounted, but must be for --ipc=host")
+		}
+		c.ShmPath = "/dev/shm"
+
+	case ipcMode.IsPrivate(), ipcMode.IsNone():
+		// c.ShmPath will/should not be used, so make it empty.
+		// Container's /dev/shm mount comes from OCI spec.
+		c.ShmPath = ""
+
+	case ipcMode.IsEmpty():
+		// A container was created by an older version of the daemon.
+		// The default behavior used to be what is now called "shareable".
+		fallthrough
+
+	case ipcMode.IsShareable():
+		rootIDs := daemon.idMappings.RootPair()
+		if !c.HasMountFor("/dev/shm") {
+			shmPath, err := c.ShmResourcePath()
+			if err != nil {
+				return err
+			}
+
+			if err := idtools.MkdirAllAndChown(shmPath, 0700, rootIDs); err != nil {
+				return err
+			}
+
+			shmproperty := "mode=1777,size=" + strconv.FormatInt(c.HostConfig.ShmSize, 10)
+			if err := unix.Mount("shm", shmPath, "tmpfs", uintptr(unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV), label.FormatMountLabel(shmproperty, c.GetMountLabel())); err != nil {
+				return fmt.Errorf("mounting shm tmpfs: %s", err)
+			}
+			if err := os.Chown(shmPath, rootIDs.UID, rootIDs.GID); err != nil {
+				return err
+			}
+			c.ShmPath = shmPath
+		}
+
+	default:
+		return fmt.Errorf("invalid IPC mode: %v", ipcMode)
+	}
+
+	return nil
+}
+
+func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+	if len(c.SecretReferences) == 0 && len(c.ConfigReferences) == 0 {
+		return nil
+	}
+
+	if err := daemon.createSecretsDir(c); err != nil {
+		return err
+	}
+	defer func() {
+		if setupErr != nil {
+			daemon.cleanupSecretDir(c)
+		}
+	}()
+
+	if c.DependencyStore == nil {
+		return fmt.Errorf("secret store is not initialized")
+	}
+
+	// retrieve possible remapped range start for root UID, GID
+	rootIDs := daemon.idMappings.RootPair()
+
+	for _, s := range c.SecretReferences {
+		// TODO (ehazlett): use type switch when more are supported
+		if s.File == nil {
+			logrus.Error("secret target type is not a file target")
+			continue
+		}
+
+		// secrets are created in the SecretMountPath on the host, at a
+		// single level
+		fPath, err := c.SecretFilePath(*s)
+		if err != nil {
+			return errors.Wrap(err, "error getting secret file path")
+		}
+		if err := idtools.MkdirAllAndChown(filepath.Dir(fPath), 0700, rootIDs); err != nil {
+			return errors.Wrap(err, "error creating secret mount path")
+		}
+
+		logrus.WithFields(logrus.Fields{
+			"name": s.File.Name,
+			"path": fPath,
+		}).Debug("injecting secret")
+		secret, err := c.DependencyStore.Secrets().Get(s.SecretID)
+		if err != nil {
+			return errors.Wrap(err, "unable to get secret from secret store")
+		}
+		if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
+			return errors.Wrap(err, "error injecting secret")
+		}
+
+		uid, err := strconv.Atoi(s.File.UID)
+		if err != nil {
+			return err
+		}
+		gid, err := strconv.Atoi(s.File.GID)
+		if err != nil {
+			return err
+		}
+
+		if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil {
+			return errors.Wrap(err, "error setting ownership for secret")
+		}
+		if err := os.Chmod(fPath, s.File.Mode); err != nil {
+			return errors.Wrap(err, "error setting file mode for secret")
+		}
+	}
+
+	for _, ref := range c.ConfigReferences {
+		// TODO (ehazlett): use type switch when more are supported
+		if ref.File == nil {
+			logrus.Error("config target type is not a file target")
+			continue
+		}
+
+		fPath, err := c.ConfigFilePath(*ref)
+		if err != nil {
+			return errors.Wrap(err, "error getting config file path for container")
+		}
+		if err := idtools.MkdirAllAndChown(filepath.Dir(fPath), 0700, rootIDs); err != nil {
+			return errors.Wrap(err, "error creating config mount path")
+		}
+
+		logrus.WithFields(logrus.Fields{
+			"name": ref.File.Name,
+			"path": fPath,
+		}).Debug("injecting config")
+		config, err := c.DependencyStore.Configs().Get(ref.ConfigID)
+		if err != nil {
+			return errors.Wrap(err, "unable to get config from config store")
+		}
+		if err := ioutil.WriteFile(fPath, config.Spec.Data, ref.File.Mode); err != nil {
+			return errors.Wrap(err, "error injecting config")
+		}
+
+		uid, err := strconv.Atoi(ref.File.UID)
+		if err != nil {
+			return err
+		}
+		gid, err := strconv.Atoi(ref.File.GID)
+		if err != nil {
+			return err
+		}
+
+		if err := os.Chown(fPath, rootIDs.UID+uid, rootIDs.GID+gid); err != nil {
+			return errors.Wrap(err, "error setting ownership for config")
+		}
+		if err := os.Chmod(fPath, ref.File.Mode); err != nil {
+			return errors.Wrap(err, "error setting file mode for config")
+		}
+	}
+
+	return daemon.remountSecretDir(c)
+}
+
+// createSecretsDir is used to create a dir suitable for storing container secrets.
+// In practice this is using a tmpfs mount and is used for both "configs" and "secrets"
+func (daemon *Daemon) createSecretsDir(c *container.Container) error {
+	// retrieve possible remapped range start for root UID, GID
+	rootIDs := daemon.idMappings.RootPair()
+	dir, err := c.SecretMountPath()
+	if err != nil {
+		return errors.Wrap(err, "error getting container secrets dir")
+	}
+
+	// create tmpfs
+	if err := idtools.MkdirAllAndChown(dir, 0700, rootIDs); err != nil {
+		return errors.Wrap(err, "error creating secret local mount path")
+	}
+
+	tmpfsOwnership := fmt.Sprintf("uid=%d,gid=%d", rootIDs.UID, rootIDs.GID)
+	if err := mount.Mount("tmpfs", dir, "tmpfs", "nodev,nosuid,noexec,"+tmpfsOwnership); err != nil {
+		return errors.Wrap(err, "unable to setup secret mount")
+	}
+	return nil
+}
+
+func (daemon *Daemon) remountSecretDir(c *container.Container) error {
+	dir, err := c.SecretMountPath()
+	if err != nil {
+		return errors.Wrap(err, "error getting container secrets path")
+	}
+	if err := label.Relabel(dir, c.MountLabel, false); err != nil {
+		logrus.WithError(err).WithField("dir", dir).Warn("Error while attempting to set selinux label")
+	}
+	rootIDs := daemon.idMappings.RootPair()
+	tmpfsOwnership := fmt.Sprintf("uid=%d,gid=%d", rootIDs.UID, rootIDs.GID)
+
+	// remount secrets ro
+	if err := mount.Mount("tmpfs", dir, "tmpfs", "remount,ro,"+tmpfsOwnership); err != nil {
+		return errors.Wrap(err, "unable to remount dir as readonly")
+	}
+
+	return nil
+}
+
+func (daemon *Daemon) cleanupSecretDir(c *container.Container) {
+	dir, err := c.SecretMountPath()
+	if err != nil {
+		logrus.WithError(err).WithField("container", c.ID).Warn("error getting secrets mount path for container")
+	}
+	if err := mount.RecursiveUnmount(dir); err != nil {
+		logrus.WithField("dir", dir).WithError(err).Warn("Error while attmepting to unmount dir, this may prevent removal of container.")
+	}
+	if err := os.RemoveAll(dir); err != nil && !os.IsNotExist(err) {
+		logrus.WithField("dir", dir).WithError(err).Error("Error removing dir.")
+	}
+}
+
+func killProcessDirectly(cntr *container.Container) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	// Block until the container to stops or timeout.
+	status := <-cntr.Wait(ctx, container.WaitConditionNotRunning)
+	if status.Err() != nil {
+		// Ensure that we don't kill ourselves
+		if pid := cntr.GetPID(); pid != 0 {
+			logrus.Infof("Container %s failed to exit within 10 seconds of kill - trying direct SIGKILL", stringid.TruncateID(cntr.ID))
+			if err := unix.Kill(pid, 9); err != nil {
+				if err != unix.ESRCH {
+					return err
+				}
+				e := errNoSuchProcess{pid, 9}
+				logrus.Debug(e)
+				return e
+			}
+		}
+	}
+	return nil
+}
+
+func detachMounted(path string) error {
+	return unix.Unmount(path, unix.MNT_DETACH)
+}
+
+func isLinkable(child *container.Container) bool {
+	// A container is linkable only if it belongs to the default network
+	_, ok := child.NetworkSettings.Networks[runconfig.DefaultDaemonNetworkMode().NetworkName()]
+	return ok
+}
+
+func enableIPOnPredefinedNetwork() bool {
+	return false
+}
+
+func (daemon *Daemon) isNetworkHotPluggable() bool {
+	return true
+}
+
+func setupPathsAndSandboxOptions(container *container.Container, sboxOptions *[]libnetwork.SandboxOption) error {
+	var err error
+
+	container.HostsPath, err = container.GetRootResourcePath("hosts")
+	if err != nil {
+		return err
+	}
+	*sboxOptions = append(*sboxOptions, libnetwork.OptionHostsPath(container.HostsPath))
+
+	container.ResolvConfPath, err = container.GetRootResourcePath("resolv.conf")
+	if err != nil {
+		return err
+	}
+	*sboxOptions = append(*sboxOptions, libnetwork.OptionResolvConfPath(container.ResolvConfPath))
+	return nil
+}
+
+func (daemon *Daemon) initializeNetworkingPaths(container *container.Container, nc *container.Container) error {
+	container.HostnamePath = nc.HostnamePath
+	container.HostsPath = nc.HostsPath
+	container.ResolvConfPath = nc.ResolvConfPath
+	return nil
+}
+
+func (daemon *Daemon) setupContainerMountsRoot(c *container.Container) error {
+	// get the root mount path so we can make it unbindable
+	p, err := c.MountsResourcePath("")
+	if err != nil {
+		return err
+	}
+	return idtools.MkdirAllAndChown(p, 0700, daemon.idMappings.RootPair())
+}
diff --git a/engine/daemon/container_operations_windows.go b/engine/daemon/container_operations_windows.go
new file mode 100644
index 00000000..562528a8
--- /dev/null
+++ b/engine/daemon/container_operations_windows.go
@@ -0,0 +1,201 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/libnetwork"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+func (daemon *Daemon) setupLinkedContainers(container *container.Container) ([]string, error) {
+	return nil, nil
+}
+
+func (daemon *Daemon) setupConfigDir(c *container.Container) (setupErr error) {
+	if len(c.ConfigReferences) == 0 {
+		return nil
+	}
+
+	localPath := c.ConfigsDirPath()
+	logrus.Debugf("configs: setting up config dir: %s", localPath)
+
+	// create local config root
+	if err := system.MkdirAllWithACL(localPath, 0, system.SddlAdministratorsLocalSystem); err != nil {
+		return errors.Wrap(err, "error creating config dir")
+	}
+
+	defer func() {
+		if setupErr != nil {
+			if err := os.RemoveAll(localPath); err != nil {
+				logrus.Errorf("error cleaning up config dir: %s", err)
+			}
+		}
+	}()
+
+	if c.DependencyStore == nil {
+		return fmt.Errorf("config store is not initialized")
+	}
+
+	for _, configRef := range c.ConfigReferences {
+		// TODO (ehazlett): use type switch when more are supported
+		if configRef.File == nil {
+			logrus.Error("config target type is not a file target")
+			continue
+		}
+
+		fPath := c.ConfigFilePath(*configRef)
+		log := logrus.WithFields(logrus.Fields{"name": configRef.File.Name, "path": fPath})
+
+		log.Debug("injecting config")
+		config, err := c.DependencyStore.Configs().Get(configRef.ConfigID)
+		if err != nil {
+			return errors.Wrap(err, "unable to get config from config store")
+		}
+		if err := ioutil.WriteFile(fPath, config.Spec.Data, configRef.File.Mode); err != nil {
+			return errors.Wrap(err, "error injecting config")
+		}
+	}
+
+	return nil
+}
+
+func (daemon *Daemon) setupIpcDirs(container *container.Container) error {
+	return nil
+}
+
+// TODO Windows: Fix Post-TP5. This is a hack to allow docker cp to work
+// against containers which have volumes. You will still be able to cp
+// to somewhere on the container drive, but not to any mounted volumes
+// inside the container. Without this fix, docker cp is broken to any
+// container which has a volume, regardless of where the file is inside the
+// container.
+func (daemon *Daemon) mountVolumes(container *container.Container) error {
+	return nil
+}
+
+func detachMounted(path string) error {
+	return nil
+}
+
+func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+	if len(c.SecretReferences) == 0 {
+		return nil
+	}
+
+	localMountPath, err := c.SecretMountPath()
+	if err != nil {
+		return err
+	}
+	logrus.Debugf("secrets: setting up secret dir: %s", localMountPath)
+
+	// create local secret root
+	if err := system.MkdirAllWithACL(localMountPath, 0, system.SddlAdministratorsLocalSystem); err != nil {
+		return errors.Wrap(err, "error creating secret local directory")
+	}
+
+	defer func() {
+		if setupErr != nil {
+			if err := os.RemoveAll(localMountPath); err != nil {
+				logrus.Errorf("error cleaning up secret mount: %s", err)
+			}
+		}
+	}()
+
+	if c.DependencyStore == nil {
+		return fmt.Errorf("secret store is not initialized")
+	}
+
+	for _, s := range c.SecretReferences {
+		// TODO (ehazlett): use type switch when more are supported
+		if s.File == nil {
+			logrus.Error("secret target type is not a file target")
+			continue
+		}
+
+		// secrets are created in the SecretMountPath on the host, at a
+		// single level
+		fPath, err := c.SecretFilePath(*s)
+		if err != nil {
+			return err
+		}
+		logrus.WithFields(logrus.Fields{
+			"name": s.File.Name,
+			"path": fPath,
+		}).Debug("injecting secret")
+		secret, err := c.DependencyStore.Secrets().Get(s.SecretID)
+		if err != nil {
+			return errors.Wrap(err, "unable to get secret from secret store")
+		}
+		if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
+			return errors.Wrap(err, "error injecting secret")
+		}
+	}
+
+	return nil
+}
+
+func killProcessDirectly(container *container.Container) error {
+	return nil
+}
+
+func isLinkable(child *container.Container) bool {
+	return false
+}
+
+func enableIPOnPredefinedNetwork() bool {
+	return true
+}
+
+func (daemon *Daemon) isNetworkHotPluggable() bool {
+	return true
+}
+
+func setupPathsAndSandboxOptions(container *container.Container, sboxOptions *[]libnetwork.SandboxOption) error {
+	return nil
+}
+
+func (daemon *Daemon) initializeNetworkingPaths(container *container.Container, nc *container.Container) error {
+
+	if nc.HostConfig.Isolation.IsHyperV() {
+		return fmt.Errorf("sharing of hyperv containers network is not supported")
+	}
+
+	container.NetworkSharedContainerID = nc.ID
+
+	if nc.NetworkSettings != nil {
+		for n := range nc.NetworkSettings.Networks {
+			sn, err := daemon.FindNetwork(n)
+			if err != nil {
+				continue
+			}
+
+			ep, err := getEndpointInNetwork(nc.Name, sn)
+			if err != nil {
+				continue
+			}
+
+			data, err := ep.DriverInfo()
+			if err != nil {
+				continue
+			}
+
+			if data["GW_INFO"] != nil {
+				gwInfo := data["GW_INFO"].(map[string]interface{})
+				if gwInfo["hnsid"] != nil {
+					container.SharedEndpointList = append(container.SharedEndpointList, gwInfo["hnsid"].(string))
+				}
+			}
+
+			if data["hnsid"] != nil {
+				container.SharedEndpointList = append(container.SharedEndpointList, data["hnsid"].(string))
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/engine/daemon/container_unix_test.go b/engine/daemon/container_unix_test.go
new file mode 100644
index 00000000..b4c5f84c
--- /dev/null
+++ b/engine/daemon/container_unix_test.go
@@ -0,0 +1,44 @@
+// +build linux freebsd
+
+package daemon
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/go-connections/nat"
+	"gotest.tools/assert"
+)
+
+// TestContainerWarningHostAndPublishPorts that a warning is returned when setting network mode to host and specifying published ports.
+// This should not be tested on Windows because Windows doesn't support "host" network mode.
+func TestContainerWarningHostAndPublishPorts(t *testing.T) {
+	testCases := []struct {
+		ports    nat.PortMap
+		warnings []string
+	}{
+		{ports: nat.PortMap{}},
+		{ports: nat.PortMap{
+			"8080": []nat.PortBinding{{HostPort: "8989"}},
+		}, warnings: []string{"Published ports are discarded when using host network mode"}},
+	}
+
+	for _, tc := range testCases {
+		hostConfig := &containertypes.HostConfig{
+			Runtime:      "runc",
+			NetworkMode:  "host",
+			PortBindings: tc.ports,
+		}
+		cs := &config.Config{
+			CommonUnixConfig: config.CommonUnixConfig{
+				Runtimes: map[string]types.Runtime{"runc": {}},
+			},
+		}
+		d := &Daemon{configStore: cs}
+		wrns, err := d.verifyContainerSettings("", hostConfig, &containertypes.Config{}, false)
+		assert.NilError(t, err)
+		assert.DeepEqual(t, tc.warnings, wrns)
+	}
+}
diff --git a/engine/daemon/container_windows.go b/engine/daemon/container_windows.go
new file mode 100644
index 00000000..0ca8039d
--- /dev/null
+++ b/engine/daemon/container_windows.go
@@ -0,0 +1,9 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/container"
+)
+
+func (daemon *Daemon) saveApparmorConfig(container *container.Container) error {
+	return nil
+}
diff --git a/engine/daemon/create.go b/engine/daemon/create.go
new file mode 100644
index 00000000..6702243f
--- /dev/null
+++ b/engine/daemon/create.go
@@ -0,0 +1,304 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"net"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/runconfig"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// CreateManagedContainer creates a container that is managed by a Service
+func (daemon *Daemon) CreateManagedContainer(params types.ContainerCreateConfig) (containertypes.ContainerCreateCreatedBody, error) {
+	return daemon.containerCreate(params, true)
+}
+
+// ContainerCreate creates a regular container
+func (daemon *Daemon) ContainerCreate(params types.ContainerCreateConfig) (containertypes.ContainerCreateCreatedBody, error) {
+	return daemon.containerCreate(params, false)
+}
+
+func (daemon *Daemon) containerCreate(params types.ContainerCreateConfig, managed bool) (containertypes.ContainerCreateCreatedBody, error) {
+	start := time.Now()
+	if params.Config == nil {
+		return containertypes.ContainerCreateCreatedBody{}, errdefs.InvalidParameter(errors.New("Config cannot be empty in order to create a container"))
+	}
+
+	os := runtime.GOOS
+	if params.Config.Image != "" {
+		img, err := daemon.imageService.GetImage(params.Config.Image)
+		if err == nil {
+			os = img.OS
+		}
+	} else {
+		// This mean scratch. On Windows, we can safely assume that this is a linux
+		// container. On other platforms, it's the host OS (which it already is)
+		if runtime.GOOS == "windows" && system.LCOWSupported() {
+			os = "linux"
+		}
+	}
+
+	warnings, err := daemon.verifyContainerSettings(os, params.HostConfig, params.Config, false)
+	if err != nil {
+		return containertypes.ContainerCreateCreatedBody{Warnings: warnings}, errdefs.InvalidParameter(err)
+	}
+
+	err = verifyNetworkingConfig(params.NetworkingConfig)
+	if err != nil {
+		return containertypes.ContainerCreateCreatedBody{Warnings: warnings}, errdefs.InvalidParameter(err)
+	}
+
+	if params.HostConfig == nil {
+		params.HostConfig = &containertypes.HostConfig{}
+	}
+	err = daemon.adaptContainerSettings(params.HostConfig, params.AdjustCPUShares)
+	if err != nil {
+		return containertypes.ContainerCreateCreatedBody{Warnings: warnings}, errdefs.InvalidParameter(err)
+	}
+
+	container, err := daemon.create(params, managed)
+	if err != nil {
+		return containertypes.ContainerCreateCreatedBody{Warnings: warnings}, err
+	}
+	containerActions.WithValues("create").UpdateSince(start)
+
+	return containertypes.ContainerCreateCreatedBody{ID: container.ID, Warnings: warnings}, nil
+}
+
+// Create creates a new container from the given configuration with a given name.
+func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (retC *container.Container, retErr error) {
+	var (
+		container *container.Container
+		img       *image.Image
+		imgID     image.ID
+		err       error
+	)
+
+	os := runtime.GOOS
+	if params.Config.Image != "" {
+		img, err = daemon.imageService.GetImage(params.Config.Image)
+		if err != nil {
+			return nil, err
+		}
+		if img.OS != "" {
+			os = img.OS
+		} else {
+			// default to the host OS except on Windows with LCOW
+			if runtime.GOOS == "windows" && system.LCOWSupported() {
+				os = "linux"
+			}
+		}
+		imgID = img.ID()
+
+		if runtime.GOOS == "windows" && img.OS == "linux" && !system.LCOWSupported() {
+			return nil, errors.New("operating system on which parent image was created is not Windows")
+		}
+	} else {
+		if runtime.GOOS == "windows" {
+			os = "linux" // 'scratch' case.
+		}
+	}
+
+	if err := daemon.mergeAndVerifyConfig(params.Config, img); err != nil {
+		return nil, errdefs.InvalidParameter(err)
+	}
+
+	if err := daemon.mergeAndVerifyLogConfig(&params.HostConfig.LogConfig); err != nil {
+		return nil, errdefs.InvalidParameter(err)
+	}
+
+	if container, err = daemon.newContainer(params.Name, os, params.Config, params.HostConfig, imgID, managed); err != nil {
+		return nil, err
+	}
+	defer func() {
+		if retErr != nil {
+			if err := daemon.cleanupContainer(container, true, true); err != nil {
+				logrus.Errorf("failed to cleanup container on create error: %v", err)
+			}
+		}
+	}()
+
+	if err := daemon.setSecurityOptions(container, params.HostConfig); err != nil {
+		return nil, err
+	}
+
+	container.HostConfig.StorageOpt = params.HostConfig.StorageOpt
+
+	// Fixes: https://github.com/moby/moby/issues/34074 and
+	// https://github.com/docker/for-win/issues/999.
+	// Merge the daemon's storage options if they aren't already present. We only
+	// do this on Windows as there's no effective sandbox size limit other than
+	// physical on Linux.
+	if runtime.GOOS == "windows" {
+		if container.HostConfig.StorageOpt == nil {
+			container.HostConfig.StorageOpt = make(map[string]string)
+		}
+		for _, v := range daemon.configStore.GraphOptions {
+			opt := strings.SplitN(v, "=", 2)
+			if _, ok := container.HostConfig.StorageOpt[opt[0]]; !ok {
+				container.HostConfig.StorageOpt[opt[0]] = opt[1]
+			}
+		}
+	}
+
+	// Set RWLayer for container after mount labels have been set
+	rwLayer, err := daemon.imageService.CreateLayer(container, setupInitLayer(daemon.idMappings))
+	if err != nil {
+		return nil, errdefs.System(err)
+	}
+	container.RWLayer = rwLayer
+
+	rootIDs := daemon.idMappings.RootPair()
+	if err := idtools.MkdirAndChown(container.Root, 0700, rootIDs); err != nil {
+		return nil, err
+	}
+	if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, rootIDs); err != nil {
+		return nil, err
+	}
+
+	if err := daemon.setHostConfig(container, params.HostConfig); err != nil {
+		return nil, err
+	}
+
+	if err := daemon.createContainerOSSpecificSettings(container, params.Config, params.HostConfig); err != nil {
+		return nil, err
+	}
+
+	var endpointsConfigs map[string]*networktypes.EndpointSettings
+	if params.NetworkingConfig != nil {
+		endpointsConfigs = params.NetworkingConfig.EndpointsConfig
+	}
+	// Make sure NetworkMode has an acceptable value. We do this to ensure
+	// backwards API compatibility.
+	runconfig.SetDefaultNetModeIfBlank(container.HostConfig)
+
+	daemon.updateContainerNetworkSettings(container, endpointsConfigs)
+	if err := daemon.Register(container); err != nil {
+		return nil, err
+	}
+	stateCtr.set(container.ID, "stopped")
+	daemon.LogContainerEvent(container, "create")
+	return container, nil
+}
+
+func toHostConfigSelinuxLabels(labels []string) []string {
+	for i, l := range labels {
+		labels[i] = "label=" + l
+	}
+	return labels
+}
+
+func (daemon *Daemon) generateSecurityOpt(hostConfig *containertypes.HostConfig) ([]string, error) {
+	for _, opt := range hostConfig.SecurityOpt {
+		con := strings.Split(opt, "=")
+		if con[0] == "label" {
+			// Caller overrode SecurityOpts
+			return nil, nil
+		}
+	}
+	ipcMode := hostConfig.IpcMode
+	pidMode := hostConfig.PidMode
+	privileged := hostConfig.Privileged
+	if ipcMode.IsHost() || pidMode.IsHost() || privileged {
+		return toHostConfigSelinuxLabels(label.DisableSecOpt()), nil
+	}
+
+	var ipcLabel []string
+	var pidLabel []string
+	ipcContainer := ipcMode.Container()
+	pidContainer := pidMode.Container()
+	if ipcContainer != "" {
+		c, err := daemon.GetContainer(ipcContainer)
+		if err != nil {
+			return nil, err
+		}
+		ipcLabel = label.DupSecOpt(c.ProcessLabel)
+		if pidContainer == "" {
+			return toHostConfigSelinuxLabels(ipcLabel), err
+		}
+	}
+	if pidContainer != "" {
+		c, err := daemon.GetContainer(pidContainer)
+		if err != nil {
+			return nil, err
+		}
+
+		pidLabel = label.DupSecOpt(c.ProcessLabel)
+		if ipcContainer == "" {
+			return toHostConfigSelinuxLabels(pidLabel), err
+		}
+	}
+
+	if pidLabel != nil && ipcLabel != nil {
+		for i := 0; i < len(pidLabel); i++ {
+			if pidLabel[i] != ipcLabel[i] {
+				return nil, fmt.Errorf("--ipc and --pid containers SELinux labels aren't the same")
+			}
+		}
+		return toHostConfigSelinuxLabels(pidLabel), nil
+	}
+	return nil, nil
+}
+
+func (daemon *Daemon) mergeAndVerifyConfig(config *containertypes.Config, img *image.Image) error {
+	if img != nil && img.Config != nil {
+		if err := merge(config, img.Config); err != nil {
+			return err
+		}
+	}
+	// Reset the Entrypoint if it is [""]
+	if len(config.Entrypoint) == 1 && config.Entrypoint[0] == "" {
+		config.Entrypoint = nil
+	}
+	if len(config.Entrypoint) == 0 && len(config.Cmd) == 0 {
+		return fmt.Errorf("No command specified")
+	}
+	return nil
+}
+
+// Checks if the client set configurations for more than one network while creating a container
+// Also checks if the IPAMConfig is valid
+func verifyNetworkingConfig(nwConfig *networktypes.NetworkingConfig) error {
+	if nwConfig == nil || len(nwConfig.EndpointsConfig) == 0 {
+		return nil
+	}
+	if len(nwConfig.EndpointsConfig) == 1 {
+		for k, v := range nwConfig.EndpointsConfig {
+			if v == nil {
+				return errdefs.InvalidParameter(errors.Errorf("no EndpointSettings for %s", k))
+			}
+			if v.IPAMConfig != nil {
+				if v.IPAMConfig.IPv4Address != "" && net.ParseIP(v.IPAMConfig.IPv4Address).To4() == nil {
+					return errors.Errorf("invalid IPv4 address: %s", v.IPAMConfig.IPv4Address)
+				}
+				if v.IPAMConfig.IPv6Address != "" {
+					n := net.ParseIP(v.IPAMConfig.IPv6Address)
+					// if the address is an invalid network address (ParseIP == nil) or if it is
+					// an IPv4 address (To4() != nil), then it is an invalid IPv6 address
+					if n == nil || n.To4() != nil {
+						return errors.Errorf("invalid IPv6 address: %s", v.IPAMConfig.IPv6Address)
+					}
+				}
+			}
+		}
+		return nil
+	}
+	l := make([]string, 0, len(nwConfig.EndpointsConfig))
+	for k := range nwConfig.EndpointsConfig {
+		l = append(l, k)
+	}
+	return errors.Errorf("Container cannot be connected to network endpoints: %s", strings.Join(l, ", "))
+}
diff --git a/engine/daemon/create_test.go b/engine/daemon/create_test.go
new file mode 100644
index 00000000..3dba847d
--- /dev/null
+++ b/engine/daemon/create_test.go
@@ -0,0 +1,21 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/errdefs"
+	"gotest.tools/assert"
+)
+
+// Test case for 35752
+func TestVerifyNetworkingConfig(t *testing.T) {
+	name := "mynet"
+	endpoints := make(map[string]*network.EndpointSettings, 1)
+	endpoints[name] = nil
+	nwConfig := &network.NetworkingConfig{
+		EndpointsConfig: endpoints,
+	}
+	err := verifyNetworkingConfig(nwConfig)
+	assert.Check(t, errdefs.IsInvalidParameter(err))
+}
diff --git a/engine/daemon/create_unix.go b/engine/daemon/create_unix.go
new file mode 100644
index 00000000..eb9b6537
--- /dev/null
+++ b/engine/daemon/create_unix.go
@@ -0,0 +1,94 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/oci"
+	"github.com/docker/docker/pkg/stringid"
+	volumeopts "github.com/docker/docker/volume/service/opts"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/sirupsen/logrus"
+)
+
+// createContainerOSSpecificSettings performs host-OS specific container create functionality
+func (daemon *Daemon) createContainerOSSpecificSettings(container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error {
+	if err := daemon.Mount(container); err != nil {
+		return err
+	}
+	defer daemon.Unmount(container)
+
+	rootIDs := daemon.idMappings.RootPair()
+	if err := container.SetupWorkingDirectory(rootIDs); err != nil {
+		return err
+	}
+
+	// Set the default masked and readonly paths with regard to the host config options if they are not set.
+	if hostConfig.MaskedPaths == nil && !hostConfig.Privileged {
+		hostConfig.MaskedPaths = oci.DefaultSpec().Linux.MaskedPaths // Set it to the default if nil
+		container.HostConfig.MaskedPaths = hostConfig.MaskedPaths
+	}
+	if hostConfig.ReadonlyPaths == nil && !hostConfig.Privileged {
+		hostConfig.ReadonlyPaths = oci.DefaultSpec().Linux.ReadonlyPaths // Set it to the default if nil
+		container.HostConfig.ReadonlyPaths = hostConfig.ReadonlyPaths
+	}
+
+	for spec := range config.Volumes {
+		name := stringid.GenerateNonCryptoID()
+		destination := filepath.Clean(spec)
+
+		// Skip volumes for which we already have something mounted on that
+		// destination because of a --volume-from.
+		if container.IsDestinationMounted(destination) {
+			continue
+		}
+		path, err := container.GetResourcePath(destination)
+		if err != nil {
+			return err
+		}
+
+		stat, err := os.Stat(path)
+		if err == nil && !stat.IsDir() {
+			return fmt.Errorf("cannot mount volume over existing file, file exists %s", path)
+		}
+
+		v, err := daemon.volumes.Create(context.TODO(), name, hostConfig.VolumeDriver, volumeopts.WithCreateReference(container.ID))
+		if err != nil {
+			return err
+		}
+
+		if err := label.Relabel(v.Mountpoint, container.MountLabel, true); err != nil {
+			return err
+		}
+
+		container.AddMountPointWithVolume(destination, &volumeWrapper{v: v, s: daemon.volumes}, true)
+	}
+	return daemon.populateVolumes(container)
+}
+
+// populateVolumes copies data from the container's rootfs into the volume for non-binds.
+// this is only called when the container is created.
+func (daemon *Daemon) populateVolumes(c *container.Container) error {
+	for _, mnt := range c.MountPoints {
+		if mnt.Volume == nil {
+			continue
+		}
+
+		if mnt.Type != mounttypes.TypeVolume || !mnt.CopyData {
+			continue
+		}
+
+		logrus.Debugf("copying image data from %s:%s, to %s", c.ID, mnt.Destination, mnt.Name)
+		if err := c.CopyImagePathContent(mnt.Volume, mnt.Destination); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/engine/daemon/create_windows.go b/engine/daemon/create_windows.go
new file mode 100644
index 00000000..37e425a0
--- /dev/null
+++ b/engine/daemon/create_windows.go
@@ -0,0 +1,93 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"runtime"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/stringid"
+	volumemounts "github.com/docker/docker/volume/mounts"
+	volumeopts "github.com/docker/docker/volume/service/opts"
+)
+
+// createContainerOSSpecificSettings performs host-OS specific container create functionality
+func (daemon *Daemon) createContainerOSSpecificSettings(container *container.Container, config *containertypes.Config, hostConfig *containertypes.HostConfig) error {
+
+	if container.OS == runtime.GOOS {
+		// Make sure the host config has the default daemon isolation if not specified by caller.
+		if containertypes.Isolation.IsDefault(containertypes.Isolation(hostConfig.Isolation)) {
+			hostConfig.Isolation = daemon.defaultIsolation
+		}
+	} else {
+		// LCOW must be a Hyper-V container as you can't run a shared kernel when one
+		// is a Windows kernel, the other is a Linux kernel.
+		if containertypes.Isolation.IsProcess(containertypes.Isolation(hostConfig.Isolation)) {
+			return fmt.Errorf("process isolation is invalid for Linux containers on Windows")
+		}
+		hostConfig.Isolation = "hyperv"
+	}
+	parser := volumemounts.NewParser(container.OS)
+	for spec := range config.Volumes {
+
+		mp, err := parser.ParseMountRaw(spec, hostConfig.VolumeDriver)
+		if err != nil {
+			return fmt.Errorf("Unrecognised volume spec: %v", err)
+		}
+
+		// If the mountpoint doesn't have a name, generate one.
+		if len(mp.Name) == 0 {
+			mp.Name = stringid.GenerateNonCryptoID()
+		}
+
+		// Skip volumes for which we already have something mounted on that
+		// destination because of a --volume-from.
+		if container.IsDestinationMounted(mp.Destination) {
+			continue
+		}
+
+		volumeDriver := hostConfig.VolumeDriver
+
+		// Create the volume in the volume driver. If it doesn't exist,
+		// a new one will be created.
+		v, err := daemon.volumes.Create(context.TODO(), mp.Name, volumeDriver, volumeopts.WithCreateReference(container.ID))
+		if err != nil {
+			return err
+		}
+
+		// FIXME Windows: This code block is present in the Linux version and
+		// allows the contents to be copied to the container FS prior to it
+		// being started. However, the function utilizes the FollowSymLinkInScope
+		// path which does not cope with Windows volume-style file paths. There
+		// is a separate effort to resolve this (@swernli), so this processing
+		// is deferred for now. A case where this would be useful is when
+		// a dockerfile includes a VOLUME statement, but something is created
+		// in that directory during the dockerfile processing. What this means
+		// on Windows for TP5 is that in that scenario, the contents will not
+		// copied, but that's (somewhat) OK as HCS will bomb out soon after
+		// at it doesn't support mapped directories which have contents in the
+		// destination path anyway.
+		//
+		// Example for repro later:
+		//   FROM windowsservercore
+		//   RUN mkdir c:\myvol
+		//   RUN copy c:\windows\system32\ntdll.dll c:\myvol
+		//   VOLUME "c:\myvol"
+		//
+		// Then
+		//   docker build -t vol .
+		//   docker run -it --rm vol cmd  <-- This is where HCS will error out.
+		//
+		//	// never attempt to copy existing content in a container FS to a shared volume
+		//	if v.DriverName() == volume.DefaultDriverName {
+		//		if err := container.CopyImagePathContent(v, mp.Destination); err != nil {
+		//			return err
+		//		}
+		//	}
+
+		// Add it to container.MountPoints
+		container.AddMountPointWithVolume(mp.Destination, &volumeWrapper{v: v, s: daemon.volumes}, mp.RW)
+	}
+	return nil
+}
diff --git a/engine/daemon/daemon.go b/engine/daemon/daemon.go
new file mode 100644
index 00000000..5e5f586a
--- /dev/null
+++ b/engine/daemon/daemon.go
@@ -0,0 +1,1320 @@
+// Package daemon exposes the functions that occur on the host server
+// that the Docker daemon is running.
+//
+// In implementing the various functions of the daemon, there is often
+// a method-specific struct for configuring the runtime behavior.
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"os"
+	"path"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/daemon/discovery"
+	"github.com/docker/docker/daemon/events"
+	"github.com/docker/docker/daemon/exec"
+	"github.com/docker/docker/daemon/images"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/network"
+	"github.com/docker/docker/errdefs"
+	"github.com/sirupsen/logrus"
+	// register graph drivers
+	_ "github.com/docker/docker/daemon/graphdriver/register"
+	"github.com/docker/docker/daemon/stats"
+	dmetadata "github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/libcontainerd"
+	"github.com/docker/docker/migrate/v1"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/sysinfo"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/pkg/truncindex"
+	"github.com/docker/docker/plugin"
+	pluginexec "github.com/docker/docker/plugin/executor/containerd"
+	refstore "github.com/docker/docker/reference"
+	"github.com/docker/docker/registry"
+	"github.com/docker/docker/runconfig"
+	volumesservice "github.com/docker/docker/volume/service"
+	"github.com/docker/libnetwork"
+	"github.com/docker/libnetwork/cluster"
+	nwconfig "github.com/docker/libnetwork/config"
+	"github.com/pkg/errors"
+)
+
+// ContainersNamespace is the name of the namespace used for users containers
+const ContainersNamespace = "moby"
+
+var (
+	errSystemNotSupported = errors.New("the Docker daemon is not supported on this platform")
+)
+
+// Daemon holds information about the Docker daemon.
+type Daemon struct {
+	ID                string
+	repository        string
+	containers        container.Store
+	containersReplica container.ViewDB
+	execCommands      *exec.Store
+	imageService      *images.ImageService
+	idIndex           *truncindex.TruncIndex
+	configStore       *config.Config
+	statsCollector    *stats.Collector
+	defaultLogConfig  containertypes.LogConfig
+	RegistryService   registry.Service
+	EventsService     *events.Events
+	netController     libnetwork.NetworkController
+	volumes           *volumesservice.VolumesService
+	discoveryWatcher  discovery.Reloader
+	root              string
+	seccompEnabled    bool
+	apparmorEnabled   bool
+	shutdown          bool
+	idMappings        *idtools.IDMappings
+	// TODO: move graphDrivers field to an InfoService
+	graphDrivers map[string]string // By operating system
+
+	PluginStore           *plugin.Store // todo: remove
+	pluginManager         *plugin.Manager
+	linkIndex             *linkIndex
+	containerd            libcontainerd.Client
+	defaultIsolation      containertypes.Isolation // Default isolation mode on Windows
+	clusterProvider       cluster.Provider
+	cluster               Cluster
+	genericResources      []swarm.GenericResource
+	metricsPluginListener net.Listener
+
+	machineMemory uint64
+
+	seccompProfile     []byte
+	seccompProfilePath string
+
+	diskUsageRunning int32
+	pruneRunning     int32
+	hosts            map[string]bool // hosts stores the addresses the daemon is listening on
+	startupDone      chan struct{}
+
+	attachmentStore       network.AttachmentStore
+	attachableNetworkLock *locker.Locker
+}
+
+// StoreHosts stores the addresses the daemon is listening on
+func (daemon *Daemon) StoreHosts(hosts []string) {
+	if daemon.hosts == nil {
+		daemon.hosts = make(map[string]bool)
+	}
+	for _, h := range hosts {
+		daemon.hosts[h] = true
+	}
+}
+
+// HasExperimental returns whether the experimental features of the daemon are enabled or not
+func (daemon *Daemon) HasExperimental() bool {
+	return daemon.configStore != nil && daemon.configStore.Experimental
+}
+
+func (daemon *Daemon) restore() error {
+	containers := make(map[string]*container.Container)
+
+	logrus.Info("Loading containers: start.")
+
+	dir, err := ioutil.ReadDir(daemon.repository)
+	if err != nil {
+		return err
+	}
+
+	for _, v := range dir {
+		id := v.Name()
+		container, err := daemon.load(id)
+		if err != nil {
+			logrus.Errorf("Failed to load container %v: %v", id, err)
+			continue
+		}
+		if !system.IsOSSupported(container.OS) {
+			logrus.Errorf("Failed to load container %v: %s (%q)", id, system.ErrNotSupportedOperatingSystem, container.OS)
+			continue
+		}
+		// Ignore the container if it does not support the current driver being used by the graph
+		currentDriverForContainerOS := daemon.graphDrivers[container.OS]
+		if (container.Driver == "" && currentDriverForContainerOS == "aufs") || container.Driver == currentDriverForContainerOS {
+			rwlayer, err := daemon.imageService.GetLayerByID(container.ID, container.OS)
+			if err != nil {
+				logrus.Errorf("Failed to load container mount %v: %v", id, err)
+				continue
+			}
+			container.RWLayer = rwlayer
+			logrus.Debugf("Loaded container %v, isRunning: %v", container.ID, container.IsRunning())
+
+			containers[container.ID] = container
+		} else {
+			logrus.Debugf("Cannot load container %s because it was created with another graph driver.", container.ID)
+		}
+	}
+
+	removeContainers := make(map[string]*container.Container)
+	restartContainers := make(map[*container.Container]chan struct{})
+	activeSandboxes := make(map[string]interface{})
+	for id, c := range containers {
+		if err := daemon.registerName(c); err != nil {
+			logrus.Errorf("Failed to register container name %s: %s", c.ID, err)
+			delete(containers, id)
+			continue
+		}
+		if err := daemon.Register(c); err != nil {
+			logrus.Errorf("Failed to register container %s: %s", c.ID, err)
+			delete(containers, id)
+			continue
+		}
+
+		// The LogConfig.Type is empty if the container was created before docker 1.12 with default log driver.
+		// We should rewrite it to use the daemon defaults.
+		// Fixes https://github.com/docker/docker/issues/22536
+		if c.HostConfig.LogConfig.Type == "" {
+			if err := daemon.mergeAndVerifyLogConfig(&c.HostConfig.LogConfig); err != nil {
+				logrus.Errorf("Failed to verify log config for container %s: %q", c.ID, err)
+				continue
+			}
+		}
+	}
+
+	var (
+		wg      sync.WaitGroup
+		mapLock sync.Mutex
+	)
+	for _, c := range containers {
+		wg.Add(1)
+		go func(c *container.Container) {
+			defer wg.Done()
+			daemon.backportMountSpec(c)
+			if err := daemon.checkpointAndSave(c); err != nil {
+				logrus.WithError(err).WithField("container", c.ID).Error("error saving backported mountspec to disk")
+			}
+
+			daemon.setStateCounter(c)
+
+			logrus.WithFields(logrus.Fields{
+				"container": c.ID,
+				"running":   c.IsRunning(),
+				"paused":    c.IsPaused(),
+			}).Debug("restoring container")
+
+			var (
+				err      error
+				alive    bool
+				ec       uint32
+				exitedAt time.Time
+			)
+
+			alive, _, err = daemon.containerd.Restore(context.Background(), c.ID, c.InitializeStdio)
+			if err != nil && !errdefs.IsNotFound(err) {
+				logrus.Errorf("Failed to restore container %s with containerd: %s", c.ID, err)
+				return
+			}
+			if !alive {
+				ec, exitedAt, err = daemon.containerd.DeleteTask(context.Background(), c.ID)
+				if err != nil && !errdefs.IsNotFound(err) {
+					logrus.WithError(err).Errorf("Failed to delete container %s from containerd", c.ID)
+					return
+				}
+			} else if !daemon.configStore.LiveRestoreEnabled {
+				if err := daemon.kill(c, c.StopSignal()); err != nil && !errdefs.IsNotFound(err) {
+					logrus.WithError(err).WithField("container", c.ID).Error("error shutting down container")
+					return
+				}
+			}
+
+			if c.IsRunning() || c.IsPaused() {
+				c.RestartManager().Cancel() // manually start containers because some need to wait for swarm networking
+
+				if c.IsPaused() && alive {
+					s, err := daemon.containerd.Status(context.Background(), c.ID)
+					if err != nil {
+						logrus.WithError(err).WithField("container", c.ID).
+							Errorf("Failed to get container status")
+					} else {
+						logrus.WithField("container", c.ID).WithField("state", s).
+							Info("restored container paused")
+						switch s {
+						case libcontainerd.StatusPaused, libcontainerd.StatusPausing:
+							// nothing to do
+						case libcontainerd.StatusStopped:
+							alive = false
+						case libcontainerd.StatusUnknown:
+							logrus.WithField("container", c.ID).
+								Error("Unknown status for container during restore")
+						default:
+							// running
+							c.Lock()
+							c.Paused = false
+							daemon.setStateCounter(c)
+							if err := c.CheckpointTo(daemon.containersReplica); err != nil {
+								logrus.WithError(err).WithField("container", c.ID).
+									Error("Failed to update stopped container state")
+							}
+							c.Unlock()
+						}
+					}
+				}
+
+				if !alive {
+					c.Lock()
+					c.SetStopped(&container.ExitStatus{ExitCode: int(ec), ExitedAt: exitedAt})
+					daemon.Cleanup(c)
+					if err := c.CheckpointTo(daemon.containersReplica); err != nil {
+						logrus.Errorf("Failed to update stopped container %s state: %v", c.ID, err)
+					}
+					c.Unlock()
+				}
+
+				// we call Mount and then Unmount to get BaseFs of the container
+				if err := daemon.Mount(c); err != nil {
+					// The mount is unlikely to fail. However, in case mount fails
+					// the container should be allowed to restore here. Some functionalities
+					// (like docker exec -u user) might be missing but container is able to be
+					// stopped/restarted/removed.
+					// See #29365 for related information.
+					// The error is only logged here.
+					logrus.Warnf("Failed to mount container on getting BaseFs path %v: %v", c.ID, err)
+				} else {
+					if err := daemon.Unmount(c); err != nil {
+						logrus.Warnf("Failed to umount container on getting BaseFs path %v: %v", c.ID, err)
+					}
+				}
+
+				c.ResetRestartManager(false)
+				if !c.HostConfig.NetworkMode.IsContainer() && c.IsRunning() {
+					options, err := daemon.buildSandboxOptions(c)
+					if err != nil {
+						logrus.Warnf("Failed build sandbox option to restore container %s: %v", c.ID, err)
+					}
+					mapLock.Lock()
+					activeSandboxes[c.NetworkSettings.SandboxID] = options
+					mapLock.Unlock()
+				}
+			}
+
+			// get list of containers we need to restart
+
+			// Do not autostart containers which
+			// has endpoints in a swarm scope
+			// network yet since the cluster is
+			// not initialized yet. We will start
+			// it after the cluster is
+			// initialized.
+			if daemon.configStore.AutoRestart && c.ShouldRestart() && !c.NetworkSettings.HasSwarmEndpoint && c.HasBeenStartedBefore {
+				mapLock.Lock()
+				restartContainers[c] = make(chan struct{})
+				mapLock.Unlock()
+			} else if c.HostConfig != nil && c.HostConfig.AutoRemove {
+				mapLock.Lock()
+				removeContainers[c.ID] = c
+				mapLock.Unlock()
+			}
+
+			c.Lock()
+			if c.RemovalInProgress {
+				// We probably crashed in the middle of a removal, reset
+				// the flag.
+				//
+				// We DO NOT remove the container here as we do not
+				// know if the user had requested for either the
+				// associated volumes, network links or both to also
+				// be removed. So we put the container in the "dead"
+				// state and leave further processing up to them.
+				logrus.Debugf("Resetting RemovalInProgress flag from %v", c.ID)
+				c.RemovalInProgress = false
+				c.Dead = true
+				if err := c.CheckpointTo(daemon.containersReplica); err != nil {
+					logrus.Errorf("Failed to update RemovalInProgress container %s state: %v", c.ID, err)
+				}
+			}
+			c.Unlock()
+		}(c)
+	}
+	wg.Wait()
+	daemon.netController, err = daemon.initNetworkController(daemon.configStore, activeSandboxes)
+	if err != nil {
+		return fmt.Errorf("Error initializing network controller: %v", err)
+	}
+
+	// Now that all the containers are registered, register the links
+	for _, c := range containers {
+		if err := daemon.registerLinks(c, c.HostConfig); err != nil {
+			logrus.Errorf("failed to register link for container %s: %v", c.ID, err)
+		}
+	}
+
+	group := sync.WaitGroup{}
+	for c, notifier := range restartContainers {
+		group.Add(1)
+
+		go func(c *container.Container, chNotify chan struct{}) {
+			defer group.Done()
+
+			logrus.Debugf("Starting container %s", c.ID)
+
+			// ignore errors here as this is a best effort to wait for children to be
+			//   running before we try to start the container
+			children := daemon.children(c)
+			timeout := time.After(5 * time.Second)
+			for _, child := range children {
+				if notifier, exists := restartContainers[child]; exists {
+					select {
+					case <-notifier:
+					case <-timeout:
+					}
+				}
+			}
+
+			// Make sure networks are available before starting
+			daemon.waitForNetworks(c)
+			if err := daemon.containerStart(c, "", "", true); err != nil {
+				logrus.Errorf("Failed to start container %s: %s", c.ID, err)
+			}
+			close(chNotify)
+		}(c, notifier)
+
+	}
+	group.Wait()
+
+	removeGroup := sync.WaitGroup{}
+	for id := range removeContainers {
+		removeGroup.Add(1)
+		go func(cid string) {
+			if err := daemon.ContainerRm(cid, &types.ContainerRmConfig{ForceRemove: true, RemoveVolume: true}); err != nil {
+				logrus.Errorf("Failed to remove container %s: %s", cid, err)
+			}
+			removeGroup.Done()
+		}(id)
+	}
+	removeGroup.Wait()
+
+	// any containers that were started above would already have had this done,
+	// however we need to now prepare the mountpoints for the rest of the containers as well.
+	// This shouldn't cause any issue running on the containers that already had this run.
+	// This must be run after any containers with a restart policy so that containerized plugins
+	// can have a chance to be running before we try to initialize them.
+	for _, c := range containers {
+		// if the container has restart policy, do not
+		// prepare the mountpoints since it has been done on restarting.
+		// This is to speed up the daemon start when a restart container
+		// has a volume and the volume driver is not available.
+		if _, ok := restartContainers[c]; ok {
+			continue
+		} else if _, ok := removeContainers[c.ID]; ok {
+			// container is automatically removed, skip it.
+			continue
+		}
+
+		group.Add(1)
+		go func(c *container.Container) {
+			defer group.Done()
+			if err := daemon.prepareMountPoints(c); err != nil {
+				logrus.Error(err)
+			}
+		}(c)
+	}
+
+	group.Wait()
+
+	logrus.Info("Loading containers: done.")
+
+	return nil
+}
+
+// RestartSwarmContainers restarts any autostart container which has a
+// swarm endpoint.
+func (daemon *Daemon) RestartSwarmContainers() {
+	group := sync.WaitGroup{}
+	for _, c := range daemon.List() {
+		if !c.IsRunning() && !c.IsPaused() {
+			// Autostart all the containers which has a
+			// swarm endpoint now that the cluster is
+			// initialized.
+			if daemon.configStore.AutoRestart && c.ShouldRestart() && c.NetworkSettings.HasSwarmEndpoint && c.HasBeenStartedBefore {
+				group.Add(1)
+				go func(c *container.Container) {
+					defer group.Done()
+					if err := daemon.containerStart(c, "", "", true); err != nil {
+						logrus.Error(err)
+					}
+				}(c)
+			}
+		}
+
+	}
+	group.Wait()
+}
+
+// waitForNetworks is used during daemon initialization when starting up containers
+// It ensures that all of a container's networks are available before the daemon tries to start the container.
+// In practice it just makes sure the discovery service is available for containers which use a network that require discovery.
+func (daemon *Daemon) waitForNetworks(c *container.Container) {
+	if daemon.discoveryWatcher == nil {
+		return
+	}
+	// Make sure if the container has a network that requires discovery that the discovery service is available before starting
+	for netName := range c.NetworkSettings.Networks {
+		// If we get `ErrNoSuchNetwork` here, we can assume that it is due to discovery not being ready
+		// Most likely this is because the K/V store used for discovery is in a container and needs to be started
+		if _, err := daemon.netController.NetworkByName(netName); err != nil {
+			if _, ok := err.(libnetwork.ErrNoSuchNetwork); !ok {
+				continue
+			}
+			// use a longish timeout here due to some slowdowns in libnetwork if the k/v store is on anything other than --net=host
+			// FIXME: why is this slow???
+			logrus.Debugf("Container %s waiting for network to be ready", c.Name)
+			select {
+			case <-daemon.discoveryWatcher.ReadyCh():
+			case <-time.After(60 * time.Second):
+			}
+			return
+		}
+	}
+}
+
+func (daemon *Daemon) children(c *container.Container) map[string]*container.Container {
+	return daemon.linkIndex.children(c)
+}
+
+// parents returns the names of the parent containers of the container
+// with the given name.
+func (daemon *Daemon) parents(c *container.Container) map[string]*container.Container {
+	return daemon.linkIndex.parents(c)
+}
+
+func (daemon *Daemon) registerLink(parent, child *container.Container, alias string) error {
+	fullName := path.Join(parent.Name, alias)
+	if err := daemon.containersReplica.ReserveName(fullName, child.ID); err != nil {
+		if err == container.ErrNameReserved {
+			logrus.Warnf("error registering link for %s, to %s, as alias %s, ignoring: %v", parent.ID, child.ID, alias, err)
+			return nil
+		}
+		return err
+	}
+	daemon.linkIndex.link(parent, child, fullName)
+	return nil
+}
+
+// DaemonJoinsCluster informs the daemon has joined the cluster and provides
+// the handler to query the cluster component
+func (daemon *Daemon) DaemonJoinsCluster(clusterProvider cluster.Provider) {
+	daemon.setClusterProvider(clusterProvider)
+}
+
+// DaemonLeavesCluster informs the daemon has left the cluster
+func (daemon *Daemon) DaemonLeavesCluster() {
+	// Daemon is in charge of removing the attachable networks with
+	// connected containers when the node leaves the swarm
+	daemon.clearAttachableNetworks()
+	// We no longer need the cluster provider, stop it now so that
+	// the network agent will stop listening to cluster events.
+	daemon.setClusterProvider(nil)
+	// Wait for the networking cluster agent to stop
+	daemon.netController.AgentStopWait()
+	// Daemon is in charge of removing the ingress network when the
+	// node leaves the swarm. Wait for job to be done or timeout.
+	// This is called also on graceful daemon shutdown. We need to
+	// wait, because the ingress release has to happen before the
+	// network controller is stopped.
+	if done, err := daemon.ReleaseIngress(); err == nil {
+		select {
+		case <-done:
+		case <-time.After(5 * time.Second):
+			logrus.Warnf("timeout while waiting for ingress network removal")
+		}
+	} else {
+		logrus.Warnf("failed to initiate ingress network removal: %v", err)
+	}
+
+	daemon.attachmentStore.ClearAttachments()
+}
+
+// setClusterProvider sets a component for querying the current cluster state.
+func (daemon *Daemon) setClusterProvider(clusterProvider cluster.Provider) {
+	daemon.clusterProvider = clusterProvider
+	daemon.netController.SetClusterProvider(clusterProvider)
+	daemon.attachableNetworkLock = locker.New()
+}
+
+// IsSwarmCompatible verifies if the current daemon
+// configuration is compatible with the swarm mode
+func (daemon *Daemon) IsSwarmCompatible() error {
+	if daemon.configStore == nil {
+		return nil
+	}
+	return daemon.configStore.IsSwarmCompatible()
+}
+
+// NewDaemon sets up everything for the daemon to be able to service
+// requests from the webserver.
+func NewDaemon(config *config.Config, registryService registry.Service, containerdRemote libcontainerd.Remote, pluginStore *plugin.Store) (daemon *Daemon, err error) {
+	setDefaultMtu(config)
+
+	// Ensure that we have a correct root key limit for launching containers.
+	if err := ModifyRootKeyLimit(); err != nil {
+		logrus.Warnf("unable to modify root key limit, number of containers could be limited by this quota: %v", err)
+	}
+
+	// Ensure we have compatible and valid configuration options
+	if err := verifyDaemonSettings(config); err != nil {
+		return nil, err
+	}
+
+	// Do we have a disabled network?
+	config.DisableBridge = isBridgeNetworkDisabled(config)
+
+	// Verify the platform is supported as a daemon
+	if !platformSupported {
+		return nil, errSystemNotSupported
+	}
+
+	// Validate platform-specific requirements
+	if err := checkSystem(); err != nil {
+		return nil, err
+	}
+
+	idMappings, err := setupRemappedRoot(config)
+	if err != nil {
+		return nil, err
+	}
+	rootIDs := idMappings.RootPair()
+	if err := setupDaemonProcess(config); err != nil {
+		return nil, err
+	}
+
+	// set up the tmpDir to use a canonical path
+	tmp, err := prepareTempDir(config.Root, rootIDs)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to get the TempDir under %s: %s", config.Root, err)
+	}
+	realTmp, err := getRealPath(tmp)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to get the full path to the TempDir (%s): %s", tmp, err)
+	}
+	if runtime.GOOS == "windows" {
+		if _, err := os.Stat(realTmp); err != nil && os.IsNotExist(err) {
+			if err := system.MkdirAll(realTmp, 0700, ""); err != nil {
+				return nil, fmt.Errorf("Unable to create the TempDir (%s): %s", realTmp, err)
+			}
+		}
+		os.Setenv("TEMP", realTmp)
+		os.Setenv("TMP", realTmp)
+	} else {
+		os.Setenv("TMPDIR", realTmp)
+	}
+
+	d := &Daemon{
+		configStore: config,
+		PluginStore: pluginStore,
+		startupDone: make(chan struct{}),
+	}
+	// Ensure the daemon is properly shutdown if there is a failure during
+	// initialization
+	defer func() {
+		if err != nil {
+			if err := d.Shutdown(); err != nil {
+				logrus.Error(err)
+			}
+		}
+	}()
+
+	if err := d.setGenericResources(config); err != nil {
+		return nil, err
+	}
+	// set up SIGUSR1 handler on Unix-like systems, or a Win32 global event
+	// on Windows to dump Go routine stacks
+	stackDumpDir := config.Root
+	if execRoot := config.GetExecRoot(); execRoot != "" {
+		stackDumpDir = execRoot
+	}
+	d.setupDumpStackTrap(stackDumpDir)
+
+	if err := d.setupSeccompProfile(); err != nil {
+		return nil, err
+	}
+
+	// Set the default isolation mode (only applicable on Windows)
+	if err := d.setDefaultIsolation(); err != nil {
+		return nil, fmt.Errorf("error setting default isolation mode: %v", err)
+	}
+
+	if err := configureMaxThreads(config); err != nil {
+		logrus.Warnf("Failed to configure golang's threads limit: %v", err)
+	}
+
+	if err := ensureDefaultAppArmorProfile(); err != nil {
+		logrus.Errorf(err.Error())
+	}
+
+	daemonRepo := filepath.Join(config.Root, "containers")
+	if err := idtools.MkdirAllAndChown(daemonRepo, 0700, rootIDs); err != nil {
+		return nil, err
+	}
+
+	// Create the directory where we'll store the runtime scripts (i.e. in
+	// order to support runtimeArgs)
+	daemonRuntimes := filepath.Join(config.Root, "runtimes")
+	if err := system.MkdirAll(daemonRuntimes, 0700, ""); err != nil {
+		return nil, err
+	}
+	if err := d.loadRuntimes(); err != nil {
+		return nil, err
+	}
+
+	if runtime.GOOS == "windows" {
+		if err := system.MkdirAll(filepath.Join(config.Root, "credentialspecs"), 0, ""); err != nil {
+			return nil, err
+		}
+	}
+
+	// On Windows we don't support the environment variable, or a user supplied graphdriver
+	// as Windows has no choice in terms of which graphdrivers to use. It's a case of
+	// running Windows containers on Windows - windowsfilter, running Linux containers on Windows,
+	// lcow. Unix platforms however run a single graphdriver for all containers, and it can
+	// be set through an environment variable, a daemon start parameter, or chosen through
+	// initialization of the layerstore through driver priority order for example.
+	d.graphDrivers = make(map[string]string)
+	layerStores := make(map[string]layer.Store)
+	if runtime.GOOS == "windows" {
+		d.graphDrivers[runtime.GOOS] = "windowsfilter"
+		if system.LCOWSupported() {
+			d.graphDrivers["linux"] = "lcow"
+		}
+	} else {
+		driverName := os.Getenv("DOCKER_DRIVER")
+		if driverName == "" {
+			driverName = config.GraphDriver
+		} else {
+			logrus.Infof("Setting the storage driver from the $DOCKER_DRIVER environment variable (%s)", driverName)
+		}
+		d.graphDrivers[runtime.GOOS] = driverName // May still be empty. Layerstore init determines instead.
+	}
+
+	d.RegistryService = registryService
+	logger.RegisterPluginGetter(d.PluginStore)
+
+	metricsSockPath, err := d.listenMetricsSock()
+	if err != nil {
+		return nil, err
+	}
+	registerMetricsPluginCallback(d.PluginStore, metricsSockPath)
+
+	createPluginExec := func(m *plugin.Manager) (plugin.Executor, error) {
+		return pluginexec.New(getPluginExecRoot(config.Root), containerdRemote, m)
+	}
+
+	// Plugin system initialization should happen before restore. Do not change order.
+	d.pluginManager, err = plugin.NewManager(plugin.ManagerConfig{
+		Root:               filepath.Join(config.Root, "plugins"),
+		ExecRoot:           getPluginExecRoot(config.Root),
+		Store:              d.PluginStore,
+		CreateExecutor:     createPluginExec,
+		RegistryService:    registryService,
+		LiveRestoreEnabled: config.LiveRestoreEnabled,
+		LogPluginEvent:     d.LogPluginEvent, // todo: make private
+		AuthzMiddleware:    config.AuthzMiddleware,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "couldn't create plugin manager")
+	}
+
+	if err := d.setupDefaultLogConfig(); err != nil {
+		return nil, err
+	}
+
+	for operatingSystem, gd := range d.graphDrivers {
+		layerStores[operatingSystem], err = layer.NewStoreFromOptions(layer.StoreOptions{
+			Root: config.Root,
+			MetadataStorePathTemplate: filepath.Join(config.Root, "image", "%s", "layerdb"),
+			GraphDriver:               gd,
+			GraphDriverOptions:        config.GraphOptions,
+			IDMappings:                idMappings,
+			PluginGetter:              d.PluginStore,
+			ExperimentalEnabled:       config.Experimental,
+			OS:                        operatingSystem,
+		})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// As layerstore initialization may set the driver
+	for os := range d.graphDrivers {
+		d.graphDrivers[os] = layerStores[os].DriverName()
+	}
+
+	// Configure and validate the kernels security support. Note this is a Linux/FreeBSD
+	// operation only, so it is safe to pass *just* the runtime OS graphdriver.
+	if err := configureKernelSecuritySupport(config, d.graphDrivers[runtime.GOOS]); err != nil {
+		return nil, err
+	}
+
+	imageRoot := filepath.Join(config.Root, "image", d.graphDrivers[runtime.GOOS])
+	ifs, err := image.NewFSStoreBackend(filepath.Join(imageRoot, "imagedb"))
+	if err != nil {
+		return nil, err
+	}
+
+	lgrMap := make(map[string]image.LayerGetReleaser)
+	for os, ls := range layerStores {
+		lgrMap[os] = ls
+	}
+	imageStore, err := image.NewImageStore(ifs, lgrMap)
+	if err != nil {
+		return nil, err
+	}
+
+	d.volumes, err = volumesservice.NewVolumeService(config.Root, d.PluginStore, rootIDs, d)
+	if err != nil {
+		return nil, err
+	}
+
+	trustKey, err := loadOrCreateTrustKey(config.TrustKeyPath)
+	if err != nil {
+		return nil, err
+	}
+
+	trustDir := filepath.Join(config.Root, "trust")
+
+	if err := system.MkdirAll(trustDir, 0700, ""); err != nil {
+		return nil, err
+	}
+
+	// We have a single tag/reference store for the daemon globally. However, it's
+	// stored under the graphdriver. On host platforms which only support a single
+	// container OS, but multiple selectable graphdrivers, this means depending on which
+	// graphdriver is chosen, the global reference store is under there. For
+	// platforms which support multiple container operating systems, this is slightly
+	// more problematic as where does the global ref store get located? Fortunately,
+	// for Windows, which is currently the only daemon supporting multiple container
+	// operating systems, the list of graphdrivers available isn't user configurable.
+	// For backwards compatibility, we just put it under the windowsfilter
+	// directory regardless.
+	refStoreLocation := filepath.Join(imageRoot, `repositories.json`)
+	rs, err := refstore.NewReferenceStore(refStoreLocation)
+	if err != nil {
+		return nil, fmt.Errorf("Couldn't create reference store repository: %s", err)
+	}
+
+	distributionMetadataStore, err := dmetadata.NewFSMetadataStore(filepath.Join(imageRoot, "distribution"))
+	if err != nil {
+		return nil, err
+	}
+
+	// No content-addressability migration on Windows as it never supported pre-CA
+	if runtime.GOOS != "windows" {
+		migrationStart := time.Now()
+		if err := v1.Migrate(config.Root, d.graphDrivers[runtime.GOOS], layerStores[runtime.GOOS], imageStore, rs, distributionMetadataStore); err != nil {
+			logrus.Errorf("Graph migration failed: %q. Your old graph data was found to be too inconsistent for upgrading to content-addressable storage. Some of the old data was probably not upgraded. We recommend starting over with a clean storage directory if possible.", err)
+		}
+		logrus.Infof("Graph migration to content-addressability took %.2f seconds", time.Since(migrationStart).Seconds())
+	}
+
+	// Discovery is only enabled when the daemon is launched with an address to advertise.  When
+	// initialized, the daemon is registered and we can store the discovery backend as it's read-only
+	if err := d.initDiscovery(config); err != nil {
+		return nil, err
+	}
+
+	sysInfo := sysinfo.New(false)
+	// Check if Devices cgroup is mounted, it is hard requirement for container security,
+	// on Linux.
+	if runtime.GOOS == "linux" && !sysInfo.CgroupDevicesEnabled {
+		return nil, errors.New("Devices cgroup isn't mounted")
+	}
+
+	d.ID = trustKey.PublicKey().KeyID()
+	d.repository = daemonRepo
+	d.containers = container.NewMemoryStore()
+	if d.containersReplica, err = container.NewViewDB(); err != nil {
+		return nil, err
+	}
+	d.execCommands = exec.NewStore()
+	d.idIndex = truncindex.NewTruncIndex([]string{})
+	d.statsCollector = d.newStatsCollector(1 * time.Second)
+
+	d.EventsService = events.New()
+	d.root = config.Root
+	d.idMappings = idMappings
+	d.seccompEnabled = sysInfo.Seccomp
+	d.apparmorEnabled = sysInfo.AppArmor
+
+	d.linkIndex = newLinkIndex()
+
+	// TODO: imageStore, distributionMetadataStore, and ReferenceStore are only
+	// used above to run migration. They could be initialized in ImageService
+	// if migration is called from daemon/images. layerStore might move as well.
+	d.imageService = images.NewImageService(images.ImageServiceConfig{
+		ContainerStore:            d.containers,
+		DistributionMetadataStore: distributionMetadataStore,
+		EventsService:             d.EventsService,
+		ImageStore:                imageStore,
+		LayerStores:               layerStores,
+		MaxConcurrentDownloads:    *config.MaxConcurrentDownloads,
+		MaxConcurrentUploads:      *config.MaxConcurrentUploads,
+		ReferenceStore:            rs,
+		RegistryService:           registryService,
+		TrustKey:                  trustKey,
+	})
+
+	go d.execCommandGC()
+
+	d.containerd, err = containerdRemote.NewClient(ContainersNamespace, d)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := d.restore(); err != nil {
+		return nil, err
+	}
+	close(d.startupDone)
+
+	// FIXME: this method never returns an error
+	info, _ := d.SystemInfo()
+
+	engineInfo.WithValues(
+		dockerversion.Version,
+		dockerversion.GitCommit,
+		info.Architecture,
+		info.Driver,
+		info.KernelVersion,
+		info.OperatingSystem,
+		info.OSType,
+		info.ID,
+	).Set(1)
+	engineCpus.Set(float64(info.NCPU))
+	engineMemory.Set(float64(info.MemTotal))
+
+	gd := ""
+	for os, driver := range d.graphDrivers {
+		if len(gd) > 0 {
+			gd += ", "
+		}
+		gd += driver
+		if len(d.graphDrivers) > 1 {
+			gd = fmt.Sprintf("%s (%s)", gd, os)
+		}
+	}
+	logrus.WithFields(logrus.Fields{
+		"version":        dockerversion.Version,
+		"commit":         dockerversion.GitCommit,
+		"graphdriver(s)": gd,
+	}).Info("Docker daemon")
+
+	return d, nil
+}
+
+// DistributionServices returns services controlling daemon storage
+func (daemon *Daemon) DistributionServices() images.DistributionServices {
+	return daemon.imageService.DistributionServices()
+}
+
+func (daemon *Daemon) waitForStartupDone() {
+	<-daemon.startupDone
+}
+
+func (daemon *Daemon) shutdownContainer(c *container.Container) error {
+	stopTimeout := c.StopTimeout()
+
+	// If container failed to exit in stopTimeout seconds of SIGTERM, then using the force
+	if err := daemon.containerStop(c, stopTimeout); err != nil {
+		return fmt.Errorf("Failed to stop container %s with error: %v", c.ID, err)
+	}
+
+	// Wait without timeout for the container to exit.
+	// Ignore the result.
+	<-c.Wait(context.Background(), container.WaitConditionNotRunning)
+	return nil
+}
+
+// ShutdownTimeout returns the timeout (in seconds) before containers are forcibly
+// killed during shutdown. The default timeout can be configured both on the daemon
+// and per container, and the longest timeout will be used. A grace-period of
+// 5 seconds is added to the configured timeout.
+//
+// A negative (-1) timeout means "indefinitely", which means that containers
+// are not forcibly killed, and the daemon shuts down after all containers exit.
+func (daemon *Daemon) ShutdownTimeout() int {
+	shutdownTimeout := daemon.configStore.ShutdownTimeout
+	if shutdownTimeout < 0 {
+		return -1
+	}
+	if daemon.containers == nil {
+		return shutdownTimeout
+	}
+
+	graceTimeout := 5
+	for _, c := range daemon.containers.List() {
+		stopTimeout := c.StopTimeout()
+		if stopTimeout < 0 {
+			return -1
+		}
+		if stopTimeout+graceTimeout > shutdownTimeout {
+			shutdownTimeout = stopTimeout + graceTimeout
+		}
+	}
+	return shutdownTimeout
+}
+
+// Shutdown stops the daemon.
+func (daemon *Daemon) Shutdown() error {
+	daemon.shutdown = true
+	// Keep mounts and networking running on daemon shutdown if
+	// we are to keep containers running and restore them.
+
+	if daemon.configStore.LiveRestoreEnabled && daemon.containers != nil {
+		// check if there are any running containers, if none we should do some cleanup
+		if ls, err := daemon.Containers(&types.ContainerListOptions{}); len(ls) != 0 || err != nil {
+			// metrics plugins still need some cleanup
+			daemon.cleanupMetricsPlugins()
+			return nil
+		}
+	}
+
+	if daemon.containers != nil {
+		logrus.Debugf("daemon configured with a %d seconds minimum shutdown timeout", daemon.configStore.ShutdownTimeout)
+		logrus.Debugf("start clean shutdown of all containers with a %d seconds timeout...", daemon.ShutdownTimeout())
+		daemon.containers.ApplyAll(func(c *container.Container) {
+			if !c.IsRunning() {
+				return
+			}
+			logrus.Debugf("stopping %s", c.ID)
+			if err := daemon.shutdownContainer(c); err != nil {
+				logrus.Errorf("Stop container error: %v", err)
+				return
+			}
+			if mountid, err := daemon.imageService.GetLayerMountID(c.ID, c.OS); err == nil {
+				daemon.cleanupMountsByID(mountid)
+			}
+			logrus.Debugf("container stopped %s", c.ID)
+		})
+	}
+
+	if daemon.volumes != nil {
+		if err := daemon.volumes.Shutdown(); err != nil {
+			logrus.Errorf("Error shutting down volume store: %v", err)
+		}
+	}
+
+	if daemon.imageService != nil {
+		daemon.imageService.Cleanup()
+	}
+
+	// If we are part of a cluster, clean up cluster's stuff
+	if daemon.clusterProvider != nil {
+		logrus.Debugf("start clean shutdown of cluster resources...")
+		daemon.DaemonLeavesCluster()
+	}
+
+	daemon.cleanupMetricsPlugins()
+
+	// Shutdown plugins after containers and layerstore. Don't change the order.
+	daemon.pluginShutdown()
+
+	// trigger libnetwork Stop only if it's initialized
+	if daemon.netController != nil {
+		daemon.netController.Stop()
+	}
+
+	return daemon.cleanupMounts()
+}
+
+// Mount sets container.BaseFS
+// (is it not set coming in? why is it unset?)
+func (daemon *Daemon) Mount(container *container.Container) error {
+	if container.RWLayer == nil {
+		return errors.New("RWLayer of container " + container.ID + " is unexpectedly nil")
+	}
+	dir, err := container.RWLayer.Mount(container.GetMountLabel())
+	if err != nil {
+		return err
+	}
+	logrus.Debugf("container mounted via layerStore: %v", dir)
+
+	if container.BaseFS != nil && container.BaseFS.Path() != dir.Path() {
+		// The mount path reported by the graph driver should always be trusted on Windows, since the
+		// volume path for a given mounted layer may change over time.  This should only be an error
+		// on non-Windows operating systems.
+		if runtime.GOOS != "windows" {
+			daemon.Unmount(container)
+			return fmt.Errorf("Error: driver %s is returning inconsistent paths for container %s ('%s' then '%s')",
+				daemon.imageService.GraphDriverForOS(container.OS), container.ID, container.BaseFS, dir)
+		}
+	}
+	container.BaseFS = dir // TODO: combine these fields
+	return nil
+}
+
+// Unmount unsets the container base filesystem
+func (daemon *Daemon) Unmount(container *container.Container) error {
+	if container.RWLayer == nil {
+		return errors.New("RWLayer of container " + container.ID + " is unexpectedly nil")
+	}
+	if err := container.RWLayer.Unmount(); err != nil {
+		logrus.Errorf("Error unmounting container %s: %s", container.ID, err)
+		return err
+	}
+
+	return nil
+}
+
+// Subnets return the IPv4 and IPv6 subnets of networks that are manager by Docker.
+func (daemon *Daemon) Subnets() ([]net.IPNet, []net.IPNet) {
+	var v4Subnets []net.IPNet
+	var v6Subnets []net.IPNet
+
+	managedNetworks := daemon.netController.Networks()
+
+	for _, managedNetwork := range managedNetworks {
+		v4infos, v6infos := managedNetwork.Info().IpamInfo()
+		for _, info := range v4infos {
+			if info.IPAMData.Pool != nil {
+				v4Subnets = append(v4Subnets, *info.IPAMData.Pool)
+			}
+		}
+		for _, info := range v6infos {
+			if info.IPAMData.Pool != nil {
+				v6Subnets = append(v6Subnets, *info.IPAMData.Pool)
+			}
+		}
+	}
+
+	return v4Subnets, v6Subnets
+}
+
+// prepareTempDir prepares and returns the default directory to use
+// for temporary files.
+// If it doesn't exist, it is created. If it exists, its content is removed.
+func prepareTempDir(rootDir string, rootIDs idtools.IDPair) (string, error) {
+	var tmpDir string
+	if tmpDir = os.Getenv("DOCKER_TMPDIR"); tmpDir == "" {
+		tmpDir = filepath.Join(rootDir, "tmp")
+		newName := tmpDir + "-old"
+		if err := os.Rename(tmpDir, newName); err == nil {
+			go func() {
+				if err := os.RemoveAll(newName); err != nil {
+					logrus.Warnf("failed to delete old tmp directory: %s", newName)
+				}
+			}()
+		} else if !os.IsNotExist(err) {
+			logrus.Warnf("failed to rename %s for background deletion: %s. Deleting synchronously", tmpDir, err)
+			if err := os.RemoveAll(tmpDir); err != nil {
+				logrus.Warnf("failed to delete old tmp directory: %s", tmpDir)
+			}
+		}
+	}
+	// We don't remove the content of tmpdir if it's not the default,
+	// it may hold things that do not belong to us.
+	return tmpDir, idtools.MkdirAllAndChown(tmpDir, 0700, rootIDs)
+}
+
+func (daemon *Daemon) setGenericResources(conf *config.Config) error {
+	genericResources, err := config.ParseGenericResources(conf.NodeGenericResources)
+	if err != nil {
+		return err
+	}
+
+	daemon.genericResources = genericResources
+
+	return nil
+}
+
+func setDefaultMtu(conf *config.Config) {
+	// do nothing if the config does not have the default 0 value.
+	if conf.Mtu != 0 {
+		return
+	}
+	conf.Mtu = config.DefaultNetworkMtu
+}
+
+// IsShuttingDown tells whether the daemon is shutting down or not
+func (daemon *Daemon) IsShuttingDown() bool {
+	return daemon.shutdown
+}
+
+// initDiscovery initializes the discovery watcher for this daemon.
+func (daemon *Daemon) initDiscovery(conf *config.Config) error {
+	advertise, err := config.ParseClusterAdvertiseSettings(conf.ClusterStore, conf.ClusterAdvertise)
+	if err != nil {
+		if err == discovery.ErrDiscoveryDisabled {
+			return nil
+		}
+		return err
+	}
+
+	conf.ClusterAdvertise = advertise
+	discoveryWatcher, err := discovery.Init(conf.ClusterStore, conf.ClusterAdvertise, conf.ClusterOpts)
+	if err != nil {
+		return fmt.Errorf("discovery initialization failed (%v)", err)
+	}
+
+	daemon.discoveryWatcher = discoveryWatcher
+	return nil
+}
+
+func isBridgeNetworkDisabled(conf *config.Config) bool {
+	return conf.BridgeConfig.Iface == config.DisableNetworkBridge
+}
+
+func (daemon *Daemon) networkOptions(dconfig *config.Config, pg plugingetter.PluginGetter, activeSandboxes map[string]interface{}) ([]nwconfig.Option, error) {
+	options := []nwconfig.Option{}
+	if dconfig == nil {
+		return options, nil
+	}
+
+	options = append(options, nwconfig.OptionExperimental(dconfig.Experimental))
+	options = append(options, nwconfig.OptionDataDir(dconfig.Root))
+	options = append(options, nwconfig.OptionExecRoot(dconfig.GetExecRoot()))
+
+	dd := runconfig.DefaultDaemonNetworkMode()
+	dn := runconfig.DefaultDaemonNetworkMode().NetworkName()
+	options = append(options, nwconfig.OptionDefaultDriver(string(dd)))
+	options = append(options, nwconfig.OptionDefaultNetwork(dn))
+
+	if strings.TrimSpace(dconfig.ClusterStore) != "" {
+		kv := strings.Split(dconfig.ClusterStore, "://")
+		if len(kv) != 2 {
+			return nil, errors.New("kv store daemon config must be of the form KV-PROVIDER://KV-URL")
+		}
+		options = append(options, nwconfig.OptionKVProvider(kv[0]))
+		options = append(options, nwconfig.OptionKVProviderURL(kv[1]))
+	}
+	if len(dconfig.ClusterOpts) > 0 {
+		options = append(options, nwconfig.OptionKVOpts(dconfig.ClusterOpts))
+	}
+
+	if daemon.discoveryWatcher != nil {
+		options = append(options, nwconfig.OptionDiscoveryWatcher(daemon.discoveryWatcher))
+	}
+
+	if dconfig.ClusterAdvertise != "" {
+		options = append(options, nwconfig.OptionDiscoveryAddress(dconfig.ClusterAdvertise))
+	}
+
+	options = append(options, nwconfig.OptionLabels(dconfig.Labels))
+	options = append(options, driverOptions(dconfig)...)
+
+	if len(dconfig.NetworkConfig.DefaultAddressPools.Value()) > 0 {
+		options = append(options, nwconfig.OptionDefaultAddressPoolConfig(dconfig.NetworkConfig.DefaultAddressPools.Value()))
+	}
+
+	if daemon.configStore != nil && daemon.configStore.LiveRestoreEnabled && len(activeSandboxes) != 0 {
+		options = append(options, nwconfig.OptionActiveSandboxes(activeSandboxes))
+	}
+
+	if pg != nil {
+		options = append(options, nwconfig.OptionPluginGetter(pg))
+	}
+
+	options = append(options, nwconfig.OptionNetworkControlPlaneMTU(dconfig.NetworkControlPlaneMTU))
+
+	return options, nil
+}
+
+// GetCluster returns the cluster
+func (daemon *Daemon) GetCluster() Cluster {
+	return daemon.cluster
+}
+
+// SetCluster sets the cluster
+func (daemon *Daemon) SetCluster(cluster Cluster) {
+	daemon.cluster = cluster
+}
+
+func (daemon *Daemon) pluginShutdown() {
+	manager := daemon.pluginManager
+	// Check for a valid manager object. In error conditions, daemon init can fail
+	// and shutdown called, before plugin manager is initialized.
+	if manager != nil {
+		manager.Shutdown()
+	}
+}
+
+// PluginManager returns current pluginManager associated with the daemon
+func (daemon *Daemon) PluginManager() *plugin.Manager { // set up before daemon to avoid this method
+	return daemon.pluginManager
+}
+
+// PluginGetter returns current pluginStore associated with the daemon
+func (daemon *Daemon) PluginGetter() *plugin.Store {
+	return daemon.PluginStore
+}
+
+// CreateDaemonRoot creates the root for the daemon
+func CreateDaemonRoot(config *config.Config) error {
+	// get the canonical path to the Docker root directory
+	var realRoot string
+	if _, err := os.Stat(config.Root); err != nil && os.IsNotExist(err) {
+		realRoot = config.Root
+	} else {
+		realRoot, err = getRealPath(config.Root)
+		if err != nil {
+			return fmt.Errorf("Unable to get the full path to root (%s): %s", config.Root, err)
+		}
+	}
+
+	idMappings, err := setupRemappedRoot(config)
+	if err != nil {
+		return err
+	}
+	return setupDaemonRoot(config, realRoot, idMappings.RootPair())
+}
+
+// checkpointAndSave grabs a container lock to safely call container.CheckpointTo
+func (daemon *Daemon) checkpointAndSave(container *container.Container) error {
+	container.Lock()
+	defer container.Unlock()
+	if err := container.CheckpointTo(daemon.containersReplica); err != nil {
+		return fmt.Errorf("Error saving container state: %v", err)
+	}
+	return nil
+}
+
+// because the CLI sends a -1 when it wants to unset the swappiness value
+// we need to clear it on the server side
+func fixMemorySwappiness(resources *containertypes.Resources) {
+	if resources.MemorySwappiness != nil && *resources.MemorySwappiness == -1 {
+		resources.MemorySwappiness = nil
+	}
+}
+
+// GetAttachmentStore returns current attachment store associated with the daemon
+func (daemon *Daemon) GetAttachmentStore() *network.AttachmentStore {
+	return &daemon.attachmentStore
+}
+
+// IDMappings returns uid/gid mappings for the builder
+func (daemon *Daemon) IDMappings() *idtools.IDMappings {
+	return daemon.idMappings
+}
+
+// ImageService returns the Daemon's ImageService
+func (daemon *Daemon) ImageService() *images.ImageService {
+	return daemon.imageService
+}
+
+// BuilderBackend returns the backend used by builder
+func (daemon *Daemon) BuilderBackend() builder.Backend {
+	return struct {
+		*Daemon
+		*images.ImageService
+	}{daemon, daemon.imageService}
+}
diff --git a/engine/daemon/daemon_linux.go b/engine/daemon/daemon_linux.go
new file mode 100644
index 00000000..7cb67275
--- /dev/null
+++ b/engine/daemon/daemon_linux.go
@@ -0,0 +1,133 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os"
+	"regexp"
+	"strings"
+
+	"github.com/docker/docker/pkg/fileutils"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// On Linux, plugins use a static path for storing execution state,
+// instead of deriving path from daemon's exec-root. This is because
+// plugin socket files are created here and they cannot exceed max
+// path length of 108 bytes.
+func getPluginExecRoot(root string) string {
+	return "/run/docker/plugins"
+}
+
+func (daemon *Daemon) cleanupMountsByID(id string) error {
+	logrus.Debugf("Cleaning up old mountid %s: start.", id)
+	f, err := os.Open("/proc/self/mountinfo")
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	return daemon.cleanupMountsFromReaderByID(f, id, mount.Unmount)
+}
+
+func (daemon *Daemon) cleanupMountsFromReaderByID(reader io.Reader, id string, unmount func(target string) error) error {
+	if daemon.root == "" {
+		return nil
+	}
+	var errors []string
+
+	regexps := getCleanPatterns(id)
+	sc := bufio.NewScanner(reader)
+	for sc.Scan() {
+		if fields := strings.Fields(sc.Text()); len(fields) >= 4 {
+			if mnt := fields[4]; strings.HasPrefix(mnt, daemon.root) {
+				for _, p := range regexps {
+					if p.MatchString(mnt) {
+						if err := unmount(mnt); err != nil {
+							logrus.Error(err)
+							errors = append(errors, err.Error())
+						}
+					}
+				}
+			}
+		}
+	}
+
+	if err := sc.Err(); err != nil {
+		return err
+	}
+
+	if len(errors) > 0 {
+		return fmt.Errorf("Error cleaning up mounts:\n%v", strings.Join(errors, "\n"))
+	}
+
+	logrus.Debugf("Cleaning up old mountid %v: done.", id)
+	return nil
+}
+
+// cleanupMounts umounts used by container resources and the daemon root mount
+func (daemon *Daemon) cleanupMounts() error {
+	if err := daemon.cleanupMountsByID(""); err != nil {
+		return err
+	}
+
+	info, err := mount.GetMounts(mount.SingleEntryFilter(daemon.root))
+	if err != nil {
+		return errors.Wrap(err, "error reading mount table for cleanup")
+	}
+
+	if len(info) < 1 {
+		// no mount found, we're done here
+		return nil
+	}
+
+	// `info.Root` here is the root mountpoint of the passed in path (`daemon.root`).
+	// The ony cases that need to be cleaned up is when the daemon has performed a
+	//   `mount --bind /daemon/root /daemon/root && mount --make-shared /daemon/root`
+	// This is only done when the daemon is started up and `/daemon/root` is not
+	// already on a shared mountpoint.
+	if !shouldUnmountRoot(daemon.root, info[0]) {
+		return nil
+	}
+
+	unmountFile := getUnmountOnShutdownPath(daemon.configStore)
+	if _, err := os.Stat(unmountFile); err != nil {
+		return nil
+	}
+
+	logrus.WithField("mountpoint", daemon.root).Debug("unmounting daemon root")
+	if err := mount.Unmount(daemon.root); err != nil {
+		return err
+	}
+	return os.Remove(unmountFile)
+}
+
+func getCleanPatterns(id string) (regexps []*regexp.Regexp) {
+	var patterns []string
+	if id == "" {
+		id = "[0-9a-f]{64}"
+		patterns = append(patterns, "containers/"+id+"/shm")
+	}
+	patterns = append(patterns, "aufs/mnt/"+id+"$", "overlay/"+id+"/merged$", "zfs/graph/"+id+"$")
+	for _, p := range patterns {
+		r, err := regexp.Compile(p)
+		if err == nil {
+			regexps = append(regexps, r)
+		}
+	}
+	return
+}
+
+func getRealPath(path string) (string, error) {
+	return fileutils.ReadSymlinkedDirectory(path)
+}
+
+func shouldUnmountRoot(root string, info *mount.Info) bool {
+	if !strings.HasSuffix(root, info.Root) {
+		return false
+	}
+	return hasMountinfoOption(info.Optional, sharedPropagationOption)
+}
diff --git a/engine/daemon/daemon_linux_test.go b/engine/daemon/daemon_linux_test.go
new file mode 100644
index 00000000..767925e2
--- /dev/null
+++ b/engine/daemon/daemon_linux_test.go
@@ -0,0 +1,322 @@
+// +build linux
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/oci"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/mount"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+const mountsFixture = `142 78 0:38 / / rw,relatime - aufs none rw,si=573b861da0b3a05b,dio
+143 142 0:60 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
+144 142 0:67 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755
+145 144 0:78 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
+146 144 0:49 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
+147 142 0:84 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
+148 147 0:86 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
+149 148 0:22 /docker/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuset
+150 148 0:25 /docker/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a /sys/fs/cgroup/cpu rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu
+151 148 0:27 /docker/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a /sys/fs/cgroup/cpuacct rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuacct
+152 148 0:28 /docker/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
+153 148 0:29 /docker/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
+154 148 0:30 /docker/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
+155 148 0:31 /docker/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,blkio
+156 148 0:32 /docker/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,perf_event
+157 148 0:33 /docker/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,hugetlb
+158 148 0:35 /docker/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime - cgroup systemd rw,name=systemd
+159 142 8:4 /home/mlaventure/gopath /home/mlaventure/gopath rw,relatime - ext4 /dev/disk/by-uuid/d99e196c-1fc4-4b4f-bab9-9962b2b34e99 rw,errors=remount-ro,data=ordered
+160 142 8:4 /var/lib/docker/volumes/9a428b651ee4c538130143cad8d87f603a4bf31b928afe7ff3ecd65480692b35/_data /var/lib/docker rw,relatime - ext4 /dev/disk/by-uuid/d99e196c-1fc4-4b4f-bab9-9962b2b34e99 rw,errors=remount-ro,data=ordered
+164 142 8:4 /home/mlaventure/gopath/src/github.com/docker/docker /go/src/github.com/docker/docker rw,relatime - ext4 /dev/disk/by-uuid/d99e196c-1fc4-4b4f-bab9-9962b2b34e99 rw,errors=remount-ro,data=ordered
+165 142 8:4 /var/lib/docker/containers/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/disk/by-uuid/d99e196c-1fc4-4b4f-bab9-9962b2b34e99 rw,errors=remount-ro,data=ordered
+166 142 8:4 /var/lib/docker/containers/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a/hostname /etc/hostname rw,relatime - ext4 /dev/disk/by-uuid/d99e196c-1fc4-4b4f-bab9-9962b2b34e99 rw,errors=remount-ro,data=ordered
+167 142 8:4 /var/lib/docker/containers/5425782a95e643181d8a485a2bab3c0bb21f51d7dfc03511f0e6fbf3f3aa356a/hosts /etc/hosts rw,relatime - ext4 /dev/disk/by-uuid/d99e196c-1fc4-4b4f-bab9-9962b2b34e99 rw,errors=remount-ro,data=ordered
+168 144 0:39 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
+169 144 0:12 /14 /dev/console rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
+83 147 0:10 / /sys/kernel/security rw,relatime - securityfs none rw
+89 142 0:87 / /tmp rw,relatime - tmpfs none rw
+97 142 0:60 / /run/docker/netns/default rw,nosuid,nodev,noexec,relatime - proc proc rw
+100 160 8:4 /var/lib/docker/volumes/9a428b651ee4c538130143cad8d87f603a4bf31b928afe7ff3ecd65480692b35/_data/aufs /var/lib/docker/aufs rw,relatime - ext4 /dev/disk/by-uuid/d99e196c-1fc4-4b4f-bab9-9962b2b34e99 rw,errors=remount-ro,data=ordered
+115 100 0:102 / /var/lib/docker/aufs/mnt/0ecda1c63e5b58b3d89ff380bf646c95cc980252cf0b52466d43619aec7c8432 rw,relatime - aufs none rw,si=573b861dbc01905b,dio
+116 160 0:107 / /var/lib/docker/containers/d045dc441d2e2e1d5b3e328d47e5943811a40819fb47497c5f5a5df2d6d13c37/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
+118 142 0:102 / /run/docker/libcontainerd/d045dc441d2e2e1d5b3e328d47e5943811a40819fb47497c5f5a5df2d6d13c37/rootfs rw,relatime - aufs none rw,si=573b861dbc01905b,dio
+242 142 0:60 / /run/docker/netns/c3664df2a0f7 rw,nosuid,nodev,noexec,relatime - proc proc rw
+120 100 0:122 / /var/lib/docker/aufs/mnt/03ca4b49e71f1e49a41108829f4d5c70ac95934526e2af8984a1f65f1de0715d rw,relatime - aufs none rw,si=573b861eb147805b,dio
+171 142 0:122 / /run/docker/libcontainerd/e406ff6f3e18516d50e03dbca4de54767a69a403a6f7ec1edc2762812824521e/rootfs rw,relatime - aufs none rw,si=573b861eb147805b,dio
+310 142 0:60 / /run/docker/netns/71a18572176b rw,nosuid,nodev,noexec,relatime - proc proc rw
+`
+
+func TestCleanupMounts(t *testing.T) {
+	d := &Daemon{
+		root: "/var/lib/docker/",
+	}
+
+	expected := "/var/lib/docker/containers/d045dc441d2e2e1d5b3e328d47e5943811a40819fb47497c5f5a5df2d6d13c37/shm"
+	var unmounted int
+	unmount := func(target string) error {
+		if target == expected {
+			unmounted++
+		}
+		return nil
+	}
+
+	d.cleanupMountsFromReaderByID(strings.NewReader(mountsFixture), "", unmount)
+
+	if unmounted != 1 {
+		t.Fatal("Expected to unmount the shm (and the shm only)")
+	}
+}
+
+func TestCleanupMountsByID(t *testing.T) {
+	d := &Daemon{
+		root: "/var/lib/docker/",
+	}
+
+	expected := "/var/lib/docker/aufs/mnt/03ca4b49e71f1e49a41108829f4d5c70ac95934526e2af8984a1f65f1de0715d"
+	var unmounted int
+	unmount := func(target string) error {
+		if target == expected {
+			unmounted++
+		}
+		return nil
+	}
+
+	d.cleanupMountsFromReaderByID(strings.NewReader(mountsFixture), "03ca4b49e71f1e49a41108829f4d5c70ac95934526e2af8984a1f65f1de0715d", unmount)
+
+	if unmounted != 1 {
+		t.Fatal("Expected to unmount the auf root (and that only)")
+	}
+}
+
+func TestNotCleanupMounts(t *testing.T) {
+	d := &Daemon{
+		repository: "",
+	}
+	var unmounted bool
+	unmount := func(target string) error {
+		unmounted = true
+		return nil
+	}
+	mountInfo := `234 232 0:59 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k`
+	d.cleanupMountsFromReaderByID(strings.NewReader(mountInfo), "", unmount)
+	if unmounted {
+		t.Fatal("Expected not to clean up /dev/shm")
+	}
+}
+
+// TestTmpfsDevShmSizeOverride checks that user-specified /dev/tmpfs mount
+// size is not overridden by the default shmsize (that should only be used
+// for default /dev/shm (as in "shareable" and "private" ipc modes).
+// https://github.com/moby/moby/issues/35271
+func TestTmpfsDevShmSizeOverride(t *testing.T) {
+	size := "777m"
+	mnt := "/dev/shm"
+
+	d := Daemon{
+		idMappings: &idtools.IDMappings{},
+	}
+	c := &container.Container{
+		HostConfig: &containertypes.HostConfig{
+			ShmSize: 48 * 1024, // size we should NOT end up with
+		},
+	}
+	ms := []container.Mount{
+		{
+			Source:      "tmpfs",
+			Destination: mnt,
+			Data:        "size=" + size,
+		},
+	}
+
+	// convert ms to spec
+	spec := oci.DefaultSpec()
+	err := setMounts(&d, &spec, c, ms)
+	assert.Check(t, err)
+
+	// Check the resulting spec for the correct size
+	found := false
+	for _, m := range spec.Mounts {
+		if m.Destination == mnt {
+			for _, o := range m.Options {
+				if !strings.HasPrefix(o, "size=") {
+					continue
+				}
+				t.Logf("%+v\n", m.Options)
+				assert.Check(t, is.Equal("size="+size, o))
+				found = true
+			}
+		}
+	}
+	if !found {
+		t.Fatal("/dev/shm not found in spec, or size option missing")
+	}
+}
+
+func TestValidateContainerIsolationLinux(t *testing.T) {
+	d := Daemon{}
+
+	_, err := d.verifyContainerSettings("linux", &containertypes.HostConfig{Isolation: containertypes.IsolationHyperV}, nil, false)
+	assert.Check(t, is.Error(err, "invalid isolation 'hyperv' on linux"))
+}
+
+func TestShouldUnmountRoot(t *testing.T) {
+	for _, test := range []struct {
+		desc   string
+		root   string
+		info   *mount.Info
+		expect bool
+	}{
+		{
+			desc:   "root is at /",
+			root:   "/docker",
+			info:   &mount.Info{Root: "/docker", Mountpoint: "/docker"},
+			expect: true,
+		},
+		{
+			desc:   "root is at in a submount from `/`",
+			root:   "/foo/docker",
+			info:   &mount.Info{Root: "/docker", Mountpoint: "/foo/docker"},
+			expect: true,
+		},
+		{
+			desc:   "root is mounted in from a parent mount namespace same root dir", // dind is an example of this
+			root:   "/docker",
+			info:   &mount.Info{Root: "/docker/volumes/1234657/_data", Mountpoint: "/docker"},
+			expect: false,
+		},
+	} {
+		t.Run(test.desc, func(t *testing.T) {
+			for _, options := range []struct {
+				desc     string
+				Optional string
+				expect   bool
+			}{
+				{desc: "shared", Optional: "shared:", expect: true},
+				{desc: "slave", Optional: "slave:", expect: false},
+				{desc: "private", Optional: "private:", expect: false},
+			} {
+				t.Run(options.desc, func(t *testing.T) {
+					expect := options.expect
+					if expect {
+						expect = test.expect
+					}
+					if test.info != nil {
+						test.info.Optional = options.Optional
+					}
+					assert.Check(t, is.Equal(expect, shouldUnmountRoot(test.root, test.info)))
+				})
+			}
+		})
+	}
+}
+
+func checkMounted(t *testing.T, p string, expect bool) {
+	t.Helper()
+	mounted, err := mount.Mounted(p)
+	assert.Check(t, err)
+	assert.Check(t, mounted == expect, "expected %v, actual %v", expect, mounted)
+}
+
+func TestRootMountCleanup(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("root required")
+	}
+
+	t.Parallel()
+
+	testRoot, err := ioutil.TempDir("", t.Name())
+	assert.Assert(t, err)
+	defer os.RemoveAll(testRoot)
+	cfg := &config.Config{}
+
+	err = mount.MakePrivate(testRoot)
+	assert.Assert(t, err)
+	defer mount.Unmount(testRoot)
+
+	cfg.ExecRoot = filepath.Join(testRoot, "exec")
+	cfg.Root = filepath.Join(testRoot, "daemon")
+
+	err = os.Mkdir(cfg.ExecRoot, 0755)
+	assert.Assert(t, err)
+	err = os.Mkdir(cfg.Root, 0755)
+	assert.Assert(t, err)
+
+	d := &Daemon{configStore: cfg, root: cfg.Root}
+	unmountFile := getUnmountOnShutdownPath(cfg)
+
+	t.Run("regular dir no mountpoint", func(t *testing.T) {
+		err = setupDaemonRootPropagation(cfg)
+		assert.Assert(t, err)
+		_, err = os.Stat(unmountFile)
+		assert.Assert(t, err)
+		checkMounted(t, cfg.Root, true)
+
+		assert.Assert(t, d.cleanupMounts())
+		checkMounted(t, cfg.Root, false)
+
+		_, err = os.Stat(unmountFile)
+		assert.Assert(t, os.IsNotExist(err))
+	})
+
+	t.Run("root is a private mountpoint", func(t *testing.T) {
+		err = mount.MakePrivate(cfg.Root)
+		assert.Assert(t, err)
+		defer mount.Unmount(cfg.Root)
+
+		err = setupDaemonRootPropagation(cfg)
+		assert.Assert(t, err)
+		assert.Check(t, ensureShared(cfg.Root))
+
+		_, err = os.Stat(unmountFile)
+		assert.Assert(t, os.IsNotExist(err))
+		assert.Assert(t, d.cleanupMounts())
+		checkMounted(t, cfg.Root, true)
+	})
+
+	// mount is pre-configured with a shared mount
+	t.Run("root is a shared mountpoint", func(t *testing.T) {
+		err = mount.MakeShared(cfg.Root)
+		assert.Assert(t, err)
+		defer mount.Unmount(cfg.Root)
+
+		err = setupDaemonRootPropagation(cfg)
+		assert.Assert(t, err)
+
+		if _, err := os.Stat(unmountFile); err == nil {
+			t.Fatal("unmount file should not exist")
+		}
+
+		assert.Assert(t, d.cleanupMounts())
+		checkMounted(t, cfg.Root, true)
+		assert.Assert(t, mount.Unmount(cfg.Root))
+	})
+
+	// does not need mount but unmount file exists from previous run
+	t.Run("old mount file is cleaned up on setup if not needed", func(t *testing.T) {
+		err = mount.MakeShared(testRoot)
+		assert.Assert(t, err)
+		defer mount.MakePrivate(testRoot)
+		err = ioutil.WriteFile(unmountFile, nil, 0644)
+		assert.Assert(t, err)
+
+		err = setupDaemonRootPropagation(cfg)
+		assert.Assert(t, err)
+
+		_, err = os.Stat(unmountFile)
+		assert.Check(t, os.IsNotExist(err), err)
+		checkMounted(t, cfg.Root, false)
+		assert.Assert(t, d.cleanupMounts())
+	})
+
+}
diff --git a/engine/daemon/daemon_test.go b/engine/daemon/daemon_test.go
new file mode 100644
index 00000000..43f4f504
--- /dev/null
+++ b/engine/daemon/daemon_test.go
@@ -0,0 +1,319 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	_ "github.com/docker/docker/pkg/discovery/memory"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/truncindex"
+	volumesservice "github.com/docker/docker/volume/service"
+	"github.com/docker/go-connections/nat"
+	"github.com/docker/libnetwork"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+//
+// https://github.com/docker/docker/issues/8069
+//
+
+func TestGetContainer(t *testing.T) {
+	c1 := &container.Container{
+		ID:   "5a4ff6a163ad4533d22d69a2b8960bf7fafdcba06e72d2febdba229008b0bf57",
+		Name: "tender_bardeen",
+	}
+
+	c2 := &container.Container{
+		ID:   "3cdbd1aa394fd68559fd1441d6eff2ab7c1e6363582c82febfaa8045df3bd8de",
+		Name: "drunk_hawking",
+	}
+
+	c3 := &container.Container{
+		ID:   "3cdbd1aa394fd68559fd1441d6eff2abfafdcba06e72d2febdba229008b0bf57",
+		Name: "3cdbd1aa",
+	}
+
+	c4 := &container.Container{
+		ID:   "75fb0b800922abdbef2d27e60abcdfaf7fb0698b2a96d22d3354da361a6ff4a5",
+		Name: "5a4ff6a163ad4533d22d69a2b8960bf7fafdcba06e72d2febdba229008b0bf57",
+	}
+
+	c5 := &container.Container{
+		ID:   "d22d69a2b8960bf7fafdcba06e72d2febdba960bf7fafdcba06e72d2f9008b060b",
+		Name: "d22d69a2b896",
+	}
+
+	store := container.NewMemoryStore()
+	store.Add(c1.ID, c1)
+	store.Add(c2.ID, c2)
+	store.Add(c3.ID, c3)
+	store.Add(c4.ID, c4)
+	store.Add(c5.ID, c5)
+
+	index := truncindex.NewTruncIndex([]string{})
+	index.Add(c1.ID)
+	index.Add(c2.ID)
+	index.Add(c3.ID)
+	index.Add(c4.ID)
+	index.Add(c5.ID)
+
+	containersReplica, err := container.NewViewDB()
+	if err != nil {
+		t.Fatalf("could not create ViewDB: %v", err)
+	}
+
+	daemon := &Daemon{
+		containers:        store,
+		containersReplica: containersReplica,
+		idIndex:           index,
+	}
+
+	daemon.reserveName(c1.ID, c1.Name)
+	daemon.reserveName(c2.ID, c2.Name)
+	daemon.reserveName(c3.ID, c3.Name)
+	daemon.reserveName(c4.ID, c4.Name)
+	daemon.reserveName(c5.ID, c5.Name)
+
+	if container, _ := daemon.GetContainer("3cdbd1aa394fd68559fd1441d6eff2ab7c1e6363582c82febfaa8045df3bd8de"); container != c2 {
+		t.Fatal("Should explicitly match full container IDs")
+	}
+
+	if container, _ := daemon.GetContainer("75fb0b8009"); container != c4 {
+		t.Fatal("Should match a partial ID")
+	}
+
+	if container, _ := daemon.GetContainer("drunk_hawking"); container != c2 {
+		t.Fatal("Should match a full name")
+	}
+
+	// c3.Name is a partial match for both c3.ID and c2.ID
+	if c, _ := daemon.GetContainer("3cdbd1aa"); c != c3 {
+		t.Fatal("Should match a full name even though it collides with another container's ID")
+	}
+
+	if container, _ := daemon.GetContainer("d22d69a2b896"); container != c5 {
+		t.Fatal("Should match a container where the provided prefix is an exact match to the its name, and is also a prefix for its ID")
+	}
+
+	if _, err := daemon.GetContainer("3cdbd1"); err == nil {
+		t.Fatal("Should return an error when provided a prefix that partially matches multiple container ID's")
+	}
+
+	if _, err := daemon.GetContainer("nothing"); err == nil {
+		t.Fatal("Should return an error when provided a prefix that is neither a name or a partial match to an ID")
+	}
+}
+
+func initDaemonWithVolumeStore(tmp string) (*Daemon, error) {
+	var err error
+	daemon := &Daemon{
+		repository: tmp,
+		root:       tmp,
+	}
+	daemon.volumes, err = volumesservice.NewVolumeService(tmp, nil, idtools.IDPair{UID: 0, GID: 0}, daemon)
+	if err != nil {
+		return nil, err
+	}
+	return daemon, nil
+}
+
+func TestValidContainerNames(t *testing.T) {
+	invalidNames := []string{"-rm", "&sdfsfd", "safd%sd"}
+	validNames := []string{"word-word", "word_word", "1weoid"}
+
+	for _, name := range invalidNames {
+		if validContainerNamePattern.MatchString(name) {
+			t.Fatalf("%q is not a valid container name and was returned as valid.", name)
+		}
+	}
+
+	for _, name := range validNames {
+		if !validContainerNamePattern.MatchString(name) {
+			t.Fatalf("%q is a valid container name and was returned as invalid.", name)
+		}
+	}
+}
+
+func TestContainerInitDNS(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("root required") // for chown
+	}
+
+	tmp, err := ioutil.TempDir("", "docker-container-test-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+
+	containerID := "d59df5276e7b219d510fe70565e0404bc06350e0d4b43fe961f22f339980170e"
+	containerPath := filepath.Join(tmp, containerID)
+	if err := os.MkdirAll(containerPath, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	config := `{"State":{"Running":true,"Paused":false,"Restarting":false,"OOMKilled":false,"Dead":false,"Pid":2464,"ExitCode":0,
+"Error":"","StartedAt":"2015-05-26T16:48:53.869308965Z","FinishedAt":"0001-01-01T00:00:00Z"},
+"ID":"d59df5276e7b219d510fe70565e0404bc06350e0d4b43fe961f22f339980170e","Created":"2015-05-26T16:48:53.7987917Z","Path":"top",
+"Args":[],"Config":{"Hostname":"d59df5276e7b","Domainname":"","User":"","Memory":0,"MemorySwap":0,"CpuShares":0,"Cpuset":"",
+"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"PortSpecs":null,"ExposedPorts":null,"Tty":true,"OpenStdin":true,
+"StdinOnce":false,"Env":null,"Cmd":["top"],"Image":"ubuntu:latest","Volumes":null,"WorkingDir":"","Entrypoint":null,
+"NetworkDisabled":false,"MacAddress":"","OnBuild":null,"Labels":{}},"Image":"07f8e8c5e66084bef8f848877857537ffe1c47edd01a93af27e7161672ad0e95",
+"NetworkSettings":{"IPAddress":"172.17.0.1","IPPrefixLen":16,"MacAddress":"02:42:ac:11:00:01","LinkLocalIPv6Address":"fe80::42:acff:fe11:1",
+"LinkLocalIPv6PrefixLen":64,"GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"Gateway":"172.17.42.1","IPv6Gateway":"","Bridge":"docker0","Ports":{}},
+"ResolvConfPath":"/var/lib/docker/containers/d59df5276e7b219d510fe70565e0404bc06350e0d4b43fe961f22f339980170e/resolv.conf",
+"HostnamePath":"/var/lib/docker/containers/d59df5276e7b219d510fe70565e0404bc06350e0d4b43fe961f22f339980170e/hostname",
+"HostsPath":"/var/lib/docker/containers/d59df5276e7b219d510fe70565e0404bc06350e0d4b43fe961f22f339980170e/hosts",
+"LogPath":"/var/lib/docker/containers/d59df5276e7b219d510fe70565e0404bc06350e0d4b43fe961f22f339980170e/d59df5276e7b219d510fe70565e0404bc06350e0d4b43fe961f22f339980170e-json.log",
+"Name":"/ubuntu","Driver":"aufs","MountLabel":"","ProcessLabel":"","AppArmorProfile":"","RestartCount":0,
+"UpdateDns":false,"Volumes":{},"VolumesRW":{},"AppliedVolumesFrom":null}`
+
+	// Container struct only used to retrieve path to config file
+	container := &container.Container{Root: containerPath}
+	configPath, err := container.ConfigPath()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err = ioutil.WriteFile(configPath, []byte(config), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	hostConfig := `{"Binds":[],"ContainerIDFile":"","Memory":0,"MemorySwap":0,"CpuShares":0,"CpusetCpus":"",
+"Privileged":false,"PortBindings":{},"Links":null,"PublishAllPorts":false,"Dns":null,"DnsOptions":null,"DnsSearch":null,"ExtraHosts":null,"VolumesFrom":null,
+"Devices":[],"NetworkMode":"bridge","IpcMode":"","PidMode":"","CapAdd":null,"CapDrop":null,"RestartPolicy":{"Name":"no","MaximumRetryCount":0},
+"SecurityOpt":null,"ReadonlyRootfs":false,"Ulimits":null,"LogConfig":{"Type":"","Config":null},"CgroupParent":""}`
+
+	hostConfigPath, err := container.HostConfigPath()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err = ioutil.WriteFile(hostConfigPath, []byte(hostConfig), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	daemon, err := initDaemonWithVolumeStore(tmp)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	c, err := daemon.load(containerID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if c.HostConfig.DNS == nil {
+		t.Fatal("Expected container DNS to not be nil")
+	}
+
+	if c.HostConfig.DNSSearch == nil {
+		t.Fatal("Expected container DNSSearch to not be nil")
+	}
+
+	if c.HostConfig.DNSOptions == nil {
+		t.Fatal("Expected container DNSOptions to not be nil")
+	}
+}
+
+func newPortNoError(proto, port string) nat.Port {
+	p, _ := nat.NewPort(proto, port)
+	return p
+}
+
+func TestMerge(t *testing.T) {
+	volumesImage := make(map[string]struct{})
+	volumesImage["/test1"] = struct{}{}
+	volumesImage["/test2"] = struct{}{}
+	portsImage := make(nat.PortSet)
+	portsImage[newPortNoError("tcp", "1111")] = struct{}{}
+	portsImage[newPortNoError("tcp", "2222")] = struct{}{}
+	configImage := &containertypes.Config{
+		ExposedPorts: portsImage,
+		Env:          []string{"VAR1=1", "VAR2=2"},
+		Volumes:      volumesImage,
+	}
+
+	portsUser := make(nat.PortSet)
+	portsUser[newPortNoError("tcp", "2222")] = struct{}{}
+	portsUser[newPortNoError("tcp", "3333")] = struct{}{}
+	volumesUser := make(map[string]struct{})
+	volumesUser["/test3"] = struct{}{}
+	configUser := &containertypes.Config{
+		ExposedPorts: portsUser,
+		Env:          []string{"VAR2=3", "VAR3=3"},
+		Volumes:      volumesUser,
+	}
+
+	if err := merge(configUser, configImage); err != nil {
+		t.Error(err)
+	}
+
+	if len(configUser.ExposedPorts) != 3 {
+		t.Fatalf("Expected 3 ExposedPorts, 1111, 2222 and 3333, found %d", len(configUser.ExposedPorts))
+	}
+	for portSpecs := range configUser.ExposedPorts {
+		if portSpecs.Port() != "1111" && portSpecs.Port() != "2222" && portSpecs.Port() != "3333" {
+			t.Fatalf("Expected 1111 or 2222 or 3333, found %s", portSpecs)
+		}
+	}
+	if len(configUser.Env) != 3 {
+		t.Fatalf("Expected 3 env var, VAR1=1, VAR2=3 and VAR3=3, found %d", len(configUser.Env))
+	}
+	for _, env := range configUser.Env {
+		if env != "VAR1=1" && env != "VAR2=3" && env != "VAR3=3" {
+			t.Fatalf("Expected VAR1=1 or VAR2=3 or VAR3=3, found %s", env)
+		}
+	}
+
+	if len(configUser.Volumes) != 3 {
+		t.Fatalf("Expected 3 volumes, /test1, /test2 and /test3, found %d", len(configUser.Volumes))
+	}
+	for v := range configUser.Volumes {
+		if v != "/test1" && v != "/test2" && v != "/test3" {
+			t.Fatalf("Expected /test1 or /test2 or /test3, found %s", v)
+		}
+	}
+
+	ports, _, err := nat.ParsePortSpecs([]string{"0000"})
+	if err != nil {
+		t.Error(err)
+	}
+	configImage2 := &containertypes.Config{
+		ExposedPorts: ports,
+	}
+
+	if err := merge(configUser, configImage2); err != nil {
+		t.Error(err)
+	}
+
+	if len(configUser.ExposedPorts) != 4 {
+		t.Fatalf("Expected 4 ExposedPorts, 0000, 1111, 2222 and 3333, found %d", len(configUser.ExposedPorts))
+	}
+	for portSpecs := range configUser.ExposedPorts {
+		if portSpecs.Port() != "0" && portSpecs.Port() != "1111" && portSpecs.Port() != "2222" && portSpecs.Port() != "3333" {
+			t.Fatalf("Expected %q or %q or %q or %q, found %s", 0, 1111, 2222, 3333, portSpecs)
+		}
+	}
+}
+
+func TestValidateContainerIsolation(t *testing.T) {
+	d := Daemon{}
+
+	_, err := d.verifyContainerSettings(runtime.GOOS, &containertypes.HostConfig{Isolation: containertypes.Isolation("invalid")}, nil, false)
+	assert.Check(t, is.Error(err, "invalid isolation 'invalid' on "+runtime.GOOS))
+}
+
+func TestFindNetworkErrorType(t *testing.T) {
+	d := Daemon{}
+	_, err := d.FindNetwork("fakeNet")
+	_, ok := errors.Cause(err).(libnetwork.ErrNoSuchNetwork)
+	if !errdefs.IsNotFound(err) || !ok {
+		t.Error("The FindNetwork method MUST always return an error that implements the NotFound interface and is ErrNoSuchNetwork")
+	}
+}
diff --git a/engine/daemon/daemon_unix.go b/engine/daemon/daemon_unix.go
new file mode 100644
index 00000000..e2c77610
--- /dev/null
+++ b/engine/daemon/daemon_unix.go
@@ -0,0 +1,1523 @@
+// +build linux freebsd
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"runtime/debug"
+	"strconv"
+	"strings"
+	"time"
+
+	containerd_cgroups "github.com/containerd/cgroups"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/blkiodev"
+	pblkiodev "github.com/docker/docker/api/types/blkiodev"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/daemon/initlayer"
+	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/parsers"
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"github.com/docker/docker/pkg/sysinfo"
+	"github.com/docker/docker/runconfig"
+	volumemounts "github.com/docker/docker/volume/mounts"
+	"github.com/docker/libnetwork"
+	nwconfig "github.com/docker/libnetwork/config"
+	"github.com/docker/libnetwork/drivers/bridge"
+	"github.com/docker/libnetwork/netlabel"
+	"github.com/docker/libnetwork/netutils"
+	"github.com/docker/libnetwork/options"
+	lntypes "github.com/docker/libnetwork/types"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	rsystem "github.com/opencontainers/runc/libcontainer/system"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/vishvananda/netlink"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	// DefaultShimBinary is the default shim to be used by containerd if none
+	// is specified
+	DefaultShimBinary = "docker-containerd-shim"
+
+	// DefaultRuntimeBinary is the default runtime to be used by
+	// containerd if none is specified
+	DefaultRuntimeBinary = "docker-runc"
+
+	// See https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/tree/kernel/sched/sched.h?id=8cd9234c64c584432f6992fe944ca9e46ca8ea76#n269
+	linuxMinCPUShares = 2
+	linuxMaxCPUShares = 262144
+	platformSupported = true
+	// It's not kernel limit, we want this 4M limit to supply a reasonable functional container
+	linuxMinMemory = 4194304
+	// constants for remapped root settings
+	defaultIDSpecifier = "default"
+	defaultRemappedID  = "dockremap"
+
+	// constant for cgroup drivers
+	cgroupFsDriver      = "cgroupfs"
+	cgroupSystemdDriver = "systemd"
+
+	// DefaultRuntimeName is the default runtime to be used by
+	// containerd if none is specified
+	DefaultRuntimeName = "docker-runc"
+)
+
+type containerGetter interface {
+	GetContainer(string) (*container.Container, error)
+}
+
+func getMemoryResources(config containertypes.Resources) *specs.LinuxMemory {
+	memory := specs.LinuxMemory{}
+
+	if config.Memory > 0 {
+		memory.Limit = &config.Memory
+	}
+
+	if config.MemoryReservation > 0 {
+		memory.Reservation = &config.MemoryReservation
+	}
+
+	if config.MemorySwap > 0 {
+		memory.Swap = &config.MemorySwap
+	}
+
+	if config.MemorySwappiness != nil {
+		swappiness := uint64(*config.MemorySwappiness)
+		memory.Swappiness = &swappiness
+	}
+
+	if config.OomKillDisable != nil {
+		memory.DisableOOMKiller = config.OomKillDisable
+	}
+
+	if config.KernelMemory != 0 {
+		memory.Kernel = &config.KernelMemory
+	}
+
+	return &memory
+}
+
+func getCPUResources(config containertypes.Resources) (*specs.LinuxCPU, error) {
+	cpu := specs.LinuxCPU{}
+
+	if config.CPUShares < 0 {
+		return nil, fmt.Errorf("shares: invalid argument")
+	}
+	if config.CPUShares >= 0 {
+		shares := uint64(config.CPUShares)
+		cpu.Shares = &shares
+	}
+
+	if config.CpusetCpus != "" {
+		cpu.Cpus = config.CpusetCpus
+	}
+
+	if config.CpusetMems != "" {
+		cpu.Mems = config.CpusetMems
+	}
+
+	if config.NanoCPUs > 0 {
+		// https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt
+		period := uint64(100 * time.Millisecond / time.Microsecond)
+		quota := config.NanoCPUs * int64(period) / 1e9
+		cpu.Period = &period
+		cpu.Quota = &quota
+	}
+
+	if config.CPUPeriod != 0 {
+		period := uint64(config.CPUPeriod)
+		cpu.Period = &period
+	}
+
+	if config.CPUQuota != 0 {
+		q := config.CPUQuota
+		cpu.Quota = &q
+	}
+
+	if config.CPURealtimePeriod != 0 {
+		period := uint64(config.CPURealtimePeriod)
+		cpu.RealtimePeriod = &period
+	}
+
+	if config.CPURealtimeRuntime != 0 {
+		c := config.CPURealtimeRuntime
+		cpu.RealtimeRuntime = &c
+	}
+
+	return &cpu, nil
+}
+
+func getBlkioWeightDevices(config containertypes.Resources) ([]specs.LinuxWeightDevice, error) {
+	var stat unix.Stat_t
+	var blkioWeightDevices []specs.LinuxWeightDevice
+
+	for _, weightDevice := range config.BlkioWeightDevice {
+		if err := unix.Stat(weightDevice.Path, &stat); err != nil {
+			return nil, err
+		}
+		weight := weightDevice.Weight
+		d := specs.LinuxWeightDevice{Weight: &weight}
+		d.Major = int64(stat.Rdev / 256)
+		d.Minor = int64(stat.Rdev % 256)
+		blkioWeightDevices = append(blkioWeightDevices, d)
+	}
+
+	return blkioWeightDevices, nil
+}
+
+func (daemon *Daemon) parseSecurityOpt(container *container.Container, hostConfig *containertypes.HostConfig) error {
+	container.NoNewPrivileges = daemon.configStore.NoNewPrivileges
+	return parseSecurityOpt(container, hostConfig)
+}
+
+func parseSecurityOpt(container *container.Container, config *containertypes.HostConfig) error {
+	var (
+		labelOpts []string
+		err       error
+	)
+
+	for _, opt := range config.SecurityOpt {
+		if opt == "no-new-privileges" {
+			container.NoNewPrivileges = true
+			continue
+		}
+		if opt == "disable" {
+			labelOpts = append(labelOpts, "disable")
+			continue
+		}
+
+		var con []string
+		if strings.Contains(opt, "=") {
+			con = strings.SplitN(opt, "=", 2)
+		} else if strings.Contains(opt, ":") {
+			con = strings.SplitN(opt, ":", 2)
+			logrus.Warn("Security options with `:` as a separator are deprecated and will be completely unsupported in 17.04, use `=` instead.")
+		}
+		if len(con) != 2 {
+			return fmt.Errorf("invalid --security-opt 1: %q", opt)
+		}
+
+		switch con[0] {
+		case "label":
+			labelOpts = append(labelOpts, con[1])
+		case "apparmor":
+			container.AppArmorProfile = con[1]
+		case "seccomp":
+			container.SeccompProfile = con[1]
+		case "no-new-privileges":
+			noNewPrivileges, err := strconv.ParseBool(con[1])
+			if err != nil {
+				return fmt.Errorf("invalid --security-opt 2: %q", opt)
+			}
+			container.NoNewPrivileges = noNewPrivileges
+		default:
+			return fmt.Errorf("invalid --security-opt 2: %q", opt)
+		}
+	}
+
+	container.ProcessLabel, container.MountLabel, err = label.InitLabels(labelOpts)
+	return err
+}
+
+func getBlkioThrottleDevices(devs []*blkiodev.ThrottleDevice) ([]specs.LinuxThrottleDevice, error) {
+	var throttleDevices []specs.LinuxThrottleDevice
+	var stat unix.Stat_t
+
+	for _, d := range devs {
+		if err := unix.Stat(d.Path, &stat); err != nil {
+			return nil, err
+		}
+		d := specs.LinuxThrottleDevice{Rate: d.Rate}
+		d.Major = int64(stat.Rdev / 256)
+		d.Minor = int64(stat.Rdev % 256)
+		throttleDevices = append(throttleDevices, d)
+	}
+
+	return throttleDevices, nil
+}
+
+func checkKernel() error {
+	// Check for unsupported kernel versions
+	// FIXME: it would be cleaner to not test for specific versions, but rather
+	// test for specific functionalities.
+	// Unfortunately we can't test for the feature "does not cause a kernel panic"
+	// without actually causing a kernel panic, so we need this workaround until
+	// the circumstances of pre-3.10 crashes are clearer.
+	// For details see https://github.com/docker/docker/issues/407
+	// Docker 1.11 and above doesn't actually run on kernels older than 3.4,
+	// due to containerd-shim usage of PR_SET_CHILD_SUBREAPER (introduced in 3.4).
+	if !kernel.CheckKernelVersion(3, 10, 0) {
+		v, _ := kernel.GetKernelVersion()
+		if os.Getenv("DOCKER_NOWARN_KERNEL_VERSION") == "" {
+			logrus.Fatalf("Your Linux kernel version %s is not supported for running docker. Please upgrade your kernel to 3.10.0 or newer.", v.String())
+		}
+	}
+	return nil
+}
+
+// adaptContainerSettings is called during container creation to modify any
+// settings necessary in the HostConfig structure.
+func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConfig, adjustCPUShares bool) error {
+	if adjustCPUShares && hostConfig.CPUShares > 0 {
+		// Handle unsupported CPUShares
+		if hostConfig.CPUShares < linuxMinCPUShares {
+			logrus.Warnf("Changing requested CPUShares of %d to minimum allowed of %d", hostConfig.CPUShares, linuxMinCPUShares)
+			hostConfig.CPUShares = linuxMinCPUShares
+		} else if hostConfig.CPUShares > linuxMaxCPUShares {
+			logrus.Warnf("Changing requested CPUShares of %d to maximum allowed of %d", hostConfig.CPUShares, linuxMaxCPUShares)
+			hostConfig.CPUShares = linuxMaxCPUShares
+		}
+	}
+	if hostConfig.Memory > 0 && hostConfig.MemorySwap == 0 {
+		// By default, MemorySwap is set to twice the size of Memory.
+		hostConfig.MemorySwap = hostConfig.Memory * 2
+	}
+	if hostConfig.ShmSize == 0 {
+		hostConfig.ShmSize = config.DefaultShmSize
+		if daemon.configStore != nil {
+			hostConfig.ShmSize = int64(daemon.configStore.ShmSize)
+		}
+	}
+	// Set default IPC mode, if unset for container
+	if hostConfig.IpcMode.IsEmpty() {
+		m := config.DefaultIpcMode
+		if daemon.configStore != nil {
+			m = daemon.configStore.IpcMode
+		}
+		hostConfig.IpcMode = containertypes.IpcMode(m)
+	}
+
+	adaptSharedNamespaceContainer(daemon, hostConfig)
+
+	var err error
+	opts, err := daemon.generateSecurityOpt(hostConfig)
+	if err != nil {
+		return err
+	}
+	hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, opts...)
+	if hostConfig.OomKillDisable == nil {
+		defaultOomKillDisable := false
+		hostConfig.OomKillDisable = &defaultOomKillDisable
+	}
+
+	return nil
+}
+
+// adaptSharedNamespaceContainer replaces container name with its ID in hostConfig.
+// To be more precisely, it modifies `container:name` to `container:ID` of PidMode, IpcMode
+// and NetworkMode.
+//
+// When a container shares its namespace with another container, use ID can keep the namespace
+// sharing connection between the two containers even the another container is renamed.
+func adaptSharedNamespaceContainer(daemon containerGetter, hostConfig *containertypes.HostConfig) {
+	containerPrefix := "container:"
+	if hostConfig.PidMode.IsContainer() {
+		pidContainer := hostConfig.PidMode.Container()
+		// if there is any error returned here, we just ignore it and leave it to be
+		// handled in the following logic
+		if c, err := daemon.GetContainer(pidContainer); err == nil {
+			hostConfig.PidMode = containertypes.PidMode(containerPrefix + c.ID)
+		}
+	}
+	if hostConfig.IpcMode.IsContainer() {
+		ipcContainer := hostConfig.IpcMode.Container()
+		if c, err := daemon.GetContainer(ipcContainer); err == nil {
+			hostConfig.IpcMode = containertypes.IpcMode(containerPrefix + c.ID)
+		}
+	}
+	if hostConfig.NetworkMode.IsContainer() {
+		netContainer := hostConfig.NetworkMode.ConnectedContainer()
+		if c, err := daemon.GetContainer(netContainer); err == nil {
+			hostConfig.NetworkMode = containertypes.NetworkMode(containerPrefix + c.ID)
+		}
+	}
+}
+
+func verifyContainerResources(resources *containertypes.Resources, sysInfo *sysinfo.SysInfo, update bool) ([]string, error) {
+	warnings := []string{}
+	fixMemorySwappiness(resources)
+
+	// memory subsystem checks and adjustments
+	if resources.Memory != 0 && resources.Memory < linuxMinMemory {
+		return warnings, fmt.Errorf("Minimum memory limit allowed is 4MB")
+	}
+	if resources.Memory > 0 && !sysInfo.MemoryLimit {
+		warnings = append(warnings, "Your kernel does not support memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
+		logrus.Warn("Your kernel does not support memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
+		resources.Memory = 0
+		resources.MemorySwap = -1
+	}
+	if resources.Memory > 0 && resources.MemorySwap != -1 && !sysInfo.SwapLimit {
+		warnings = append(warnings, "Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.")
+		logrus.Warn("Your kernel does not support swap limit capabilities,or the cgroup is not mounted. Memory limited without swap.")
+		resources.MemorySwap = -1
+	}
+	if resources.Memory > 0 && resources.MemorySwap > 0 && resources.MemorySwap < resources.Memory {
+		return warnings, fmt.Errorf("Minimum memoryswap limit should be larger than memory limit, see usage")
+	}
+	if resources.Memory == 0 && resources.MemorySwap > 0 && !update {
+		return warnings, fmt.Errorf("You should always set the Memory limit when using Memoryswap limit, see usage")
+	}
+	if resources.MemorySwappiness != nil && !sysInfo.MemorySwappiness {
+		warnings = append(warnings, "Your kernel does not support memory swappiness capabilities or the cgroup is not mounted. Memory swappiness discarded.")
+		logrus.Warn("Your kernel does not support memory swappiness capabilities, or the cgroup is not mounted. Memory swappiness discarded.")
+		resources.MemorySwappiness = nil
+	}
+	if resources.MemorySwappiness != nil {
+		swappiness := *resources.MemorySwappiness
+		if swappiness < 0 || swappiness > 100 {
+			return warnings, fmt.Errorf("Invalid value: %v, valid memory swappiness range is 0-100", swappiness)
+		}
+	}
+	if resources.MemoryReservation > 0 && !sysInfo.MemoryReservation {
+		warnings = append(warnings, "Your kernel does not support memory soft limit capabilities or the cgroup is not mounted. Limitation discarded.")
+		logrus.Warn("Your kernel does not support memory soft limit capabilities or the cgroup is not mounted. Limitation discarded.")
+		resources.MemoryReservation = 0
+	}
+	if resources.MemoryReservation > 0 && resources.MemoryReservation < linuxMinMemory {
+		return warnings, fmt.Errorf("Minimum memory reservation allowed is 4MB")
+	}
+	if resources.Memory > 0 && resources.MemoryReservation > 0 && resources.Memory < resources.MemoryReservation {
+		return warnings, fmt.Errorf("Minimum memory limit can not be less than memory reservation limit, see usage")
+	}
+	if resources.KernelMemory > 0 && !sysInfo.KernelMemory {
+		warnings = append(warnings, "Your kernel does not support kernel memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
+		logrus.Warn("Your kernel does not support kernel memory limit capabilities or the cgroup is not mounted. Limitation discarded.")
+		resources.KernelMemory = 0
+	}
+	if resources.KernelMemory > 0 && resources.KernelMemory < linuxMinMemory {
+		return warnings, fmt.Errorf("Minimum kernel memory limit allowed is 4MB")
+	}
+	if resources.KernelMemory > 0 && !kernel.CheckKernelVersion(4, 0, 0) {
+		warnings = append(warnings, "You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable.")
+		logrus.Warn("You specified a kernel memory limit on a kernel older than 4.0. Kernel memory limits are experimental on older kernels, it won't work as expected and can cause your system to be unstable.")
+	}
+	if resources.OomKillDisable != nil && !sysInfo.OomKillDisable {
+		// only produce warnings if the setting wasn't to *disable* the OOM Kill; no point
+		// warning the caller if they already wanted the feature to be off
+		if *resources.OomKillDisable {
+			warnings = append(warnings, "Your kernel does not support OomKillDisable. OomKillDisable discarded.")
+			logrus.Warn("Your kernel does not support OomKillDisable. OomKillDisable discarded.")
+		}
+		resources.OomKillDisable = nil
+	}
+
+	if resources.PidsLimit != 0 && !sysInfo.PidsLimit {
+		warnings = append(warnings, "Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded.")
+		logrus.Warn("Your kernel does not support pids limit capabilities or the cgroup is not mounted. PIDs limit discarded.")
+		resources.PidsLimit = 0
+	}
+
+	// cpu subsystem checks and adjustments
+	if resources.NanoCPUs > 0 && resources.CPUPeriod > 0 {
+		return warnings, fmt.Errorf("Conflicting options: Nano CPUs and CPU Period cannot both be set")
+	}
+	if resources.NanoCPUs > 0 && resources.CPUQuota > 0 {
+		return warnings, fmt.Errorf("Conflicting options: Nano CPUs and CPU Quota cannot both be set")
+	}
+	if resources.NanoCPUs > 0 && (!sysInfo.CPUCfsPeriod || !sysInfo.CPUCfsQuota) {
+		return warnings, fmt.Errorf("NanoCPUs can not be set, as your kernel does not support CPU cfs period/quota or the cgroup is not mounted")
+	}
+	// The highest precision we could get on Linux is 0.001, by setting
+	//   cpu.cfs_period_us=1000ms
+	//   cpu.cfs_quota=1ms
+	// See the following link for details:
+	// https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt
+	// Here we don't set the lower limit and it is up to the underlying platform (e.g., Linux) to return an error.
+	// The error message is 0.01 so that this is consistent with Windows
+	if resources.NanoCPUs < 0 || resources.NanoCPUs > int64(sysinfo.NumCPU())*1e9 {
+		return warnings, fmt.Errorf("Range of CPUs is from 0.01 to %d.00, as there are only %d CPUs available", sysinfo.NumCPU(), sysinfo.NumCPU())
+	}
+
+	if resources.CPUShares > 0 && !sysInfo.CPUShares {
+		warnings = append(warnings, "Your kernel does not support CPU shares or the cgroup is not mounted. Shares discarded.")
+		logrus.Warn("Your kernel does not support CPU shares or the cgroup is not mounted. Shares discarded.")
+		resources.CPUShares = 0
+	}
+	if resources.CPUPeriod > 0 && !sysInfo.CPUCfsPeriod {
+		warnings = append(warnings, "Your kernel does not support CPU cfs period or the cgroup is not mounted. Period discarded.")
+		logrus.Warn("Your kernel does not support CPU cfs period or the cgroup is not mounted. Period discarded.")
+		resources.CPUPeriod = 0
+	}
+	if resources.CPUPeriod != 0 && (resources.CPUPeriod < 1000 || resources.CPUPeriod > 1000000) {
+		return warnings, fmt.Errorf("CPU cfs period can not be less than 1ms (i.e. 1000) or larger than 1s (i.e. 1000000)")
+	}
+	if resources.CPUQuota > 0 && !sysInfo.CPUCfsQuota {
+		warnings = append(warnings, "Your kernel does not support CPU cfs quota or the cgroup is not mounted. Quota discarded.")
+		logrus.Warn("Your kernel does not support CPU cfs quota or the cgroup is not mounted. Quota discarded.")
+		resources.CPUQuota = 0
+	}
+	if resources.CPUQuota > 0 && resources.CPUQuota < 1000 {
+		return warnings, fmt.Errorf("CPU cfs quota can not be less than 1ms (i.e. 1000)")
+	}
+	if resources.CPUPercent > 0 {
+		warnings = append(warnings, fmt.Sprintf("%s does not support CPU percent. Percent discarded.", runtime.GOOS))
+		logrus.Warnf("%s does not support CPU percent. Percent discarded.", runtime.GOOS)
+		resources.CPUPercent = 0
+	}
+
+	// cpuset subsystem checks and adjustments
+	if (resources.CpusetCpus != "" || resources.CpusetMems != "") && !sysInfo.Cpuset {
+		warnings = append(warnings, "Your kernel does not support cpuset or the cgroup is not mounted. Cpuset discarded.")
+		logrus.Warn("Your kernel does not support cpuset or the cgroup is not mounted. Cpuset discarded.")
+		resources.CpusetCpus = ""
+		resources.CpusetMems = ""
+	}
+	cpusAvailable, err := sysInfo.IsCpusetCpusAvailable(resources.CpusetCpus)
+	if err != nil {
+		return warnings, fmt.Errorf("Invalid value %s for cpuset cpus", resources.CpusetCpus)
+	}
+	if !cpusAvailable {
+		return warnings, fmt.Errorf("Requested CPUs are not available - requested %s, available: %s", resources.CpusetCpus, sysInfo.Cpus)
+	}
+	memsAvailable, err := sysInfo.IsCpusetMemsAvailable(resources.CpusetMems)
+	if err != nil {
+		return warnings, fmt.Errorf("Invalid value %s for cpuset mems", resources.CpusetMems)
+	}
+	if !memsAvailable {
+		return warnings, fmt.Errorf("Requested memory nodes are not available - requested %s, available: %s", resources.CpusetMems, sysInfo.Mems)
+	}
+
+	// blkio subsystem checks and adjustments
+	if resources.BlkioWeight > 0 && !sysInfo.BlkioWeight {
+		warnings = append(warnings, "Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.")
+		logrus.Warn("Your kernel does not support Block I/O weight or the cgroup is not mounted. Weight discarded.")
+		resources.BlkioWeight = 0
+	}
+	if resources.BlkioWeight > 0 && (resources.BlkioWeight < 10 || resources.BlkioWeight > 1000) {
+		return warnings, fmt.Errorf("Range of blkio weight is from 10 to 1000")
+	}
+	if resources.IOMaximumBandwidth != 0 || resources.IOMaximumIOps != 0 {
+		return warnings, fmt.Errorf("Invalid QoS settings: %s does not support Maximum IO Bandwidth or Maximum IO IOps", runtime.GOOS)
+	}
+	if len(resources.BlkioWeightDevice) > 0 && !sysInfo.BlkioWeightDevice {
+		warnings = append(warnings, "Your kernel does not support Block I/O weight_device or the cgroup is not mounted. Weight-device discarded.")
+		logrus.Warn("Your kernel does not support Block I/O weight_device or the cgroup is not mounted. Weight-device discarded.")
+		resources.BlkioWeightDevice = []*pblkiodev.WeightDevice{}
+	}
+	if len(resources.BlkioDeviceReadBps) > 0 && !sysInfo.BlkioReadBpsDevice {
+		warnings = append(warnings, "Your kernel does not support BPS Block I/O read limit or the cgroup is not mounted. Block I/O BPS read limit discarded.")
+		logrus.Warn("Your kernel does not support BPS Block I/O read limit or the cgroup is not mounted. Block I/O BPS read limit discarded")
+		resources.BlkioDeviceReadBps = []*pblkiodev.ThrottleDevice{}
+	}
+	if len(resources.BlkioDeviceWriteBps) > 0 && !sysInfo.BlkioWriteBpsDevice {
+		warnings = append(warnings, "Your kernel does not support BPS Block I/O write limit or the cgroup is not mounted. Block I/O BPS write limit discarded.")
+		logrus.Warn("Your kernel does not support BPS Block I/O write limit or the cgroup is not mounted. Block I/O BPS write limit discarded.")
+		resources.BlkioDeviceWriteBps = []*pblkiodev.ThrottleDevice{}
+
+	}
+	if len(resources.BlkioDeviceReadIOps) > 0 && !sysInfo.BlkioReadIOpsDevice {
+		warnings = append(warnings, "Your kernel does not support IOPS Block read limit or the cgroup is not mounted. Block I/O IOPS read limit discarded.")
+		logrus.Warn("Your kernel does not support IOPS Block I/O read limit in IO or the cgroup is not mounted. Block I/O IOPS read limit discarded.")
+		resources.BlkioDeviceReadIOps = []*pblkiodev.ThrottleDevice{}
+	}
+	if len(resources.BlkioDeviceWriteIOps) > 0 && !sysInfo.BlkioWriteIOpsDevice {
+		warnings = append(warnings, "Your kernel does not support IOPS Block write limit or the cgroup is not mounted. Block I/O IOPS write limit discarded.")
+		logrus.Warn("Your kernel does not support IOPS Block I/O write limit or the cgroup is not mounted. Block I/O IOPS write limit discarded.")
+		resources.BlkioDeviceWriteIOps = []*pblkiodev.ThrottleDevice{}
+	}
+
+	return warnings, nil
+}
+
+func (daemon *Daemon) getCgroupDriver() string {
+	cgroupDriver := cgroupFsDriver
+
+	if UsingSystemd(daemon.configStore) {
+		cgroupDriver = cgroupSystemdDriver
+	}
+	return cgroupDriver
+}
+
+// getCD gets the raw value of the native.cgroupdriver option, if set.
+func getCD(config *config.Config) string {
+	for _, option := range config.ExecOptions {
+		key, val, err := parsers.ParseKeyValueOpt(option)
+		if err != nil || !strings.EqualFold(key, "native.cgroupdriver") {
+			continue
+		}
+		return val
+	}
+	return ""
+}
+
+// VerifyCgroupDriver validates native.cgroupdriver
+func VerifyCgroupDriver(config *config.Config) error {
+	cd := getCD(config)
+	if cd == "" || cd == cgroupFsDriver || cd == cgroupSystemdDriver {
+		return nil
+	}
+	return fmt.Errorf("native.cgroupdriver option %s not supported", cd)
+}
+
+// UsingSystemd returns true if cli option includes native.cgroupdriver=systemd
+func UsingSystemd(config *config.Config) bool {
+	return getCD(config) == cgroupSystemdDriver
+}
+
+// verifyPlatformContainerSettings performs platform-specific validation of the
+// hostconfig and config structures.
+func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) ([]string, error) {
+	var warnings []string
+	sysInfo := sysinfo.New(true)
+
+	w, err := verifyContainerResources(&hostConfig.Resources, sysInfo, update)
+
+	// no matter err is nil or not, w could have data in itself.
+	warnings = append(warnings, w...)
+
+	if err != nil {
+		return warnings, err
+	}
+
+	if hostConfig.ShmSize < 0 {
+		return warnings, fmt.Errorf("SHM size can not be less than 0")
+	}
+
+	if hostConfig.OomScoreAdj < -1000 || hostConfig.OomScoreAdj > 1000 {
+		return warnings, fmt.Errorf("Invalid value %d, range for oom score adj is [-1000, 1000]", hostConfig.OomScoreAdj)
+	}
+
+	// ip-forwarding does not affect container with '--net=host' (or '--net=none')
+	if sysInfo.IPv4ForwardingDisabled && !(hostConfig.NetworkMode.IsHost() || hostConfig.NetworkMode.IsNone()) {
+		warnings = append(warnings, "IPv4 forwarding is disabled. Networking will not work.")
+		logrus.Warn("IPv4 forwarding is disabled. Networking will not work")
+	}
+	// check for various conflicting options with user namespaces
+	if daemon.configStore.RemappedRoot != "" && hostConfig.UsernsMode.IsPrivate() {
+		if hostConfig.Privileged {
+			return warnings, fmt.Errorf("privileged mode is incompatible with user namespaces.  You must run the container in the host namespace when running privileged mode")
+		}
+		if hostConfig.NetworkMode.IsHost() && !hostConfig.UsernsMode.IsHost() {
+			return warnings, fmt.Errorf("cannot share the host's network namespace when user namespaces are enabled")
+		}
+		if hostConfig.PidMode.IsHost() && !hostConfig.UsernsMode.IsHost() {
+			return warnings, fmt.Errorf("cannot share the host PID namespace when user namespaces are enabled")
+		}
+	}
+	if hostConfig.CgroupParent != "" && UsingSystemd(daemon.configStore) {
+		// CgroupParent for systemd cgroup should be named as "xxx.slice"
+		if len(hostConfig.CgroupParent) <= 6 || !strings.HasSuffix(hostConfig.CgroupParent, ".slice") {
+			return warnings, fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")
+		}
+	}
+	if hostConfig.Runtime == "" {
+		hostConfig.Runtime = daemon.configStore.GetDefaultRuntimeName()
+	}
+
+	if rt := daemon.configStore.GetRuntime(hostConfig.Runtime); rt == nil {
+		return warnings, fmt.Errorf("Unknown runtime specified %s", hostConfig.Runtime)
+	}
+
+	parser := volumemounts.NewParser(runtime.GOOS)
+	for dest := range hostConfig.Tmpfs {
+		if err := parser.ValidateTmpfsMountDestination(dest); err != nil {
+			return warnings, err
+		}
+	}
+
+	return warnings, nil
+}
+
+func (daemon *Daemon) loadRuntimes() error {
+	return daemon.initRuntimes(daemon.configStore.Runtimes)
+}
+
+func (daemon *Daemon) initRuntimes(runtimes map[string]types.Runtime) (err error) {
+	runtimeDir := filepath.Join(daemon.configStore.Root, "runtimes")
+	// Remove old temp directory if any
+	os.RemoveAll(runtimeDir + "-old")
+	tmpDir, err := ioutils.TempDir(daemon.configStore.Root, "gen-runtimes")
+	if err != nil {
+		return errors.Wrapf(err, "failed to get temp dir to generate runtime scripts")
+	}
+	defer func() {
+		if err != nil {
+			if err1 := os.RemoveAll(tmpDir); err1 != nil {
+				logrus.WithError(err1).WithField("dir", tmpDir).
+					Warnf("failed to remove tmp dir")
+			}
+			return
+		}
+
+		if err = os.Rename(runtimeDir, runtimeDir+"-old"); err != nil {
+			return
+		}
+		if err = os.Rename(tmpDir, runtimeDir); err != nil {
+			err = errors.Wrapf(err, "failed to setup runtimes dir, new containers may not start")
+			return
+		}
+		if err = os.RemoveAll(runtimeDir + "-old"); err != nil {
+			logrus.WithError(err).WithField("dir", tmpDir).
+				Warnf("failed to remove old runtimes dir")
+		}
+	}()
+
+	for name, rt := range runtimes {
+		if len(rt.Args) == 0 {
+			continue
+		}
+
+		script := filepath.Join(tmpDir, name)
+		content := fmt.Sprintf("#!/bin/sh\n%s %s $@\n", rt.Path, strings.Join(rt.Args, " "))
+		if err := ioutil.WriteFile(script, []byte(content), 0700); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// verifyDaemonSettings performs validation of daemon config struct
+func verifyDaemonSettings(conf *config.Config) error {
+	// Check for mutually incompatible config options
+	if conf.BridgeConfig.Iface != "" && conf.BridgeConfig.IP != "" {
+		return fmt.Errorf("You specified -b & --bip, mutually exclusive options. Please specify only one")
+	}
+	if !conf.BridgeConfig.EnableIPTables && !conf.BridgeConfig.InterContainerCommunication {
+		return fmt.Errorf("You specified --iptables=false with --icc=false. ICC=false uses iptables to function. Please set --icc or --iptables to true")
+	}
+	if !conf.BridgeConfig.EnableIPTables && conf.BridgeConfig.EnableIPMasq {
+		conf.BridgeConfig.EnableIPMasq = false
+	}
+	if err := VerifyCgroupDriver(conf); err != nil {
+		return err
+	}
+	if conf.CgroupParent != "" && UsingSystemd(conf) {
+		if len(conf.CgroupParent) <= 6 || !strings.HasSuffix(conf.CgroupParent, ".slice") {
+			return fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")
+		}
+	}
+
+	if conf.DefaultRuntime == "" {
+		conf.DefaultRuntime = config.StockRuntimeName
+	}
+	if conf.Runtimes == nil {
+		conf.Runtimes = make(map[string]types.Runtime)
+	}
+	conf.Runtimes[config.StockRuntimeName] = types.Runtime{Path: DefaultRuntimeName}
+
+	return nil
+}
+
+// checkSystem validates platform-specific requirements
+func checkSystem() error {
+	if os.Geteuid() != 0 {
+		return fmt.Errorf("The Docker daemon needs to be run as root")
+	}
+	return checkKernel()
+}
+
+// configureMaxThreads sets the Go runtime max threads threshold
+// which is 90% of the kernel setting from /proc/sys/kernel/threads-max
+func configureMaxThreads(config *config.Config) error {
+	mt, err := ioutil.ReadFile("/proc/sys/kernel/threads-max")
+	if err != nil {
+		return err
+	}
+	mtint, err := strconv.Atoi(strings.TrimSpace(string(mt)))
+	if err != nil {
+		return err
+	}
+	maxThreads := (mtint / 100) * 90
+	debug.SetMaxThreads(maxThreads)
+	logrus.Debugf("Golang's threads limit set to %d", maxThreads)
+	return nil
+}
+
+func overlaySupportsSelinux() (bool, error) {
+	f, err := os.Open("/proc/kallsyms")
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	defer f.Close()
+
+	var symAddr, symType, symName, text string
+
+	s := bufio.NewScanner(f)
+	for s.Scan() {
+		if err := s.Err(); err != nil {
+			return false, err
+		}
+
+		text = s.Text()
+		if _, err := fmt.Sscanf(text, "%s %s %s", &symAddr, &symType, &symName); err != nil {
+			return false, fmt.Errorf("Scanning '%s' failed: %s", text, err)
+		}
+
+		// Check for presence of symbol security_inode_copy_up.
+		if symName == "security_inode_copy_up" {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// configureKernelSecuritySupport configures and validates security support for the kernel
+func configureKernelSecuritySupport(config *config.Config, driverName string) error {
+	if config.EnableSelinuxSupport {
+		if !selinuxEnabled() {
+			logrus.Warn("Docker could not enable SELinux on the host system")
+			return nil
+		}
+
+		if driverName == "overlay" || driverName == "overlay2" {
+			// If driver is overlay or overlay2, make sure kernel
+			// supports selinux with overlay.
+			supported, err := overlaySupportsSelinux()
+			if err != nil {
+				return err
+			}
+
+			if !supported {
+				logrus.Warnf("SELinux is not supported with the %v graph driver on this kernel", driverName)
+			}
+		}
+	} else {
+		selinuxSetDisabled()
+	}
+	return nil
+}
+
+func (daemon *Daemon) initNetworkController(config *config.Config, activeSandboxes map[string]interface{}) (libnetwork.NetworkController, error) {
+	netOptions, err := daemon.networkOptions(config, daemon.PluginStore, activeSandboxes)
+	if err != nil {
+		return nil, err
+	}
+
+	controller, err := libnetwork.New(netOptions...)
+	if err != nil {
+		return nil, fmt.Errorf("error obtaining controller instance: %v", err)
+	}
+
+	if len(activeSandboxes) > 0 {
+		logrus.Info("There are old running containers, the network config will not take affect")
+		return controller, nil
+	}
+
+	// Initialize default network on "null"
+	if n, _ := controller.NetworkByName("none"); n == nil {
+		if _, err := controller.NewNetwork("null", "none", "", libnetwork.NetworkOptionPersist(true)); err != nil {
+			return nil, fmt.Errorf("Error creating default \"null\" network: %v", err)
+		}
+	}
+
+	// Initialize default network on "host"
+	if n, _ := controller.NetworkByName("host"); n == nil {
+		if _, err := controller.NewNetwork("host", "host", "", libnetwork.NetworkOptionPersist(true)); err != nil {
+			return nil, fmt.Errorf("Error creating default \"host\" network: %v", err)
+		}
+	}
+
+	// Clear stale bridge network
+	if n, err := controller.NetworkByName("bridge"); err == nil {
+		if err = n.Delete(); err != nil {
+			return nil, fmt.Errorf("could not delete the default bridge network: %v", err)
+		}
+		if len(config.NetworkConfig.DefaultAddressPools.Value()) > 0 && !daemon.configStore.LiveRestoreEnabled {
+			removeDefaultBridgeInterface()
+		}
+	}
+
+	if !config.DisableBridge {
+		// Initialize default driver "bridge"
+		if err := initBridgeDriver(controller, config); err != nil {
+			return nil, err
+		}
+	} else {
+		removeDefaultBridgeInterface()
+	}
+
+	return controller, nil
+}
+
+func driverOptions(config *config.Config) []nwconfig.Option {
+	bridgeConfig := options.Generic{
+		"EnableIPForwarding":  config.BridgeConfig.EnableIPForward,
+		"EnableIPTables":      config.BridgeConfig.EnableIPTables,
+		"EnableUserlandProxy": config.BridgeConfig.EnableUserlandProxy,
+		"UserlandProxyPath":   config.BridgeConfig.UserlandProxyPath}
+	bridgeOption := options.Generic{netlabel.GenericData: bridgeConfig}
+
+	dOptions := []nwconfig.Option{}
+	dOptions = append(dOptions, nwconfig.OptionDriverConfig("bridge", bridgeOption))
+	return dOptions
+}
+
+func initBridgeDriver(controller libnetwork.NetworkController, config *config.Config) error {
+	bridgeName := bridge.DefaultBridgeName
+	if config.BridgeConfig.Iface != "" {
+		bridgeName = config.BridgeConfig.Iface
+	}
+	netOption := map[string]string{
+		bridge.BridgeName:         bridgeName,
+		bridge.DefaultBridge:      strconv.FormatBool(true),
+		netlabel.DriverMTU:        strconv.Itoa(config.Mtu),
+		bridge.EnableIPMasquerade: strconv.FormatBool(config.BridgeConfig.EnableIPMasq),
+		bridge.EnableICC:          strconv.FormatBool(config.BridgeConfig.InterContainerCommunication),
+	}
+
+	// --ip processing
+	if config.BridgeConfig.DefaultIP != nil {
+		netOption[bridge.DefaultBindingIP] = config.BridgeConfig.DefaultIP.String()
+	}
+
+	var (
+		ipamV4Conf *libnetwork.IpamConf
+		ipamV6Conf *libnetwork.IpamConf
+	)
+
+	ipamV4Conf = &libnetwork.IpamConf{AuxAddresses: make(map[string]string)}
+
+	nwList, nw6List, err := netutils.ElectInterfaceAddresses(bridgeName)
+	if err != nil {
+		return errors.Wrap(err, "list bridge addresses failed")
+	}
+
+	nw := nwList[0]
+	if len(nwList) > 1 && config.BridgeConfig.FixedCIDR != "" {
+		_, fCIDR, err := net.ParseCIDR(config.BridgeConfig.FixedCIDR)
+		if err != nil {
+			return errors.Wrap(err, "parse CIDR failed")
+		}
+		// Iterate through in case there are multiple addresses for the bridge
+		for _, entry := range nwList {
+			if fCIDR.Contains(entry.IP) {
+				nw = entry
+				break
+			}
+		}
+	}
+
+	ipamV4Conf.PreferredPool = lntypes.GetIPNetCanonical(nw).String()
+	hip, _ := lntypes.GetHostPartIP(nw.IP, nw.Mask)
+	if hip.IsGlobalUnicast() {
+		ipamV4Conf.Gateway = nw.IP.String()
+	}
+
+	if config.BridgeConfig.IP != "" {
+		ipamV4Conf.PreferredPool = config.BridgeConfig.IP
+		ip, _, err := net.ParseCIDR(config.BridgeConfig.IP)
+		if err != nil {
+			return err
+		}
+		ipamV4Conf.Gateway = ip.String()
+	} else if bridgeName == bridge.DefaultBridgeName && ipamV4Conf.PreferredPool != "" {
+		logrus.Infof("Default bridge (%s) is assigned with an IP address %s. Daemon option --bip can be used to set a preferred IP address", bridgeName, ipamV4Conf.PreferredPool)
+	}
+
+	if config.BridgeConfig.FixedCIDR != "" {
+		_, fCIDR, err := net.ParseCIDR(config.BridgeConfig.FixedCIDR)
+		if err != nil {
+			return err
+		}
+
+		ipamV4Conf.SubPool = fCIDR.String()
+	}
+
+	if config.BridgeConfig.DefaultGatewayIPv4 != nil {
+		ipamV4Conf.AuxAddresses["DefaultGatewayIPv4"] = config.BridgeConfig.DefaultGatewayIPv4.String()
+	}
+
+	var deferIPv6Alloc bool
+	if config.BridgeConfig.FixedCIDRv6 != "" {
+		_, fCIDRv6, err := net.ParseCIDR(config.BridgeConfig.FixedCIDRv6)
+		if err != nil {
+			return err
+		}
+
+		// In case user has specified the daemon flag --fixed-cidr-v6 and the passed network has
+		// at least 48 host bits, we need to guarantee the current behavior where the containers'
+		// IPv6 addresses will be constructed based on the containers' interface MAC address.
+		// We do so by telling libnetwork to defer the IPv6 address allocation for the endpoints
+		// on this network until after the driver has created the endpoint and returned the
+		// constructed address. Libnetwork will then reserve this address with the ipam driver.
+		ones, _ := fCIDRv6.Mask.Size()
+		deferIPv6Alloc = ones <= 80
+
+		if ipamV6Conf == nil {
+			ipamV6Conf = &libnetwork.IpamConf{AuxAddresses: make(map[string]string)}
+		}
+		ipamV6Conf.PreferredPool = fCIDRv6.String()
+
+		// In case the --fixed-cidr-v6 is specified and the current docker0 bridge IPv6
+		// address belongs to the same network, we need to inform libnetwork about it, so
+		// that it can be reserved with IPAM and it will not be given away to somebody else
+		for _, nw6 := range nw6List {
+			if fCIDRv6.Contains(nw6.IP) {
+				ipamV6Conf.Gateway = nw6.IP.String()
+				break
+			}
+		}
+	}
+
+	if config.BridgeConfig.DefaultGatewayIPv6 != nil {
+		if ipamV6Conf == nil {
+			ipamV6Conf = &libnetwork.IpamConf{AuxAddresses: make(map[string]string)}
+		}
+		ipamV6Conf.AuxAddresses["DefaultGatewayIPv6"] = config.BridgeConfig.DefaultGatewayIPv6.String()
+	}
+
+	v4Conf := []*libnetwork.IpamConf{ipamV4Conf}
+	v6Conf := []*libnetwork.IpamConf{}
+	if ipamV6Conf != nil {
+		v6Conf = append(v6Conf, ipamV6Conf)
+	}
+	// Initialize default network on "bridge" with the same name
+	_, err = controller.NewNetwork("bridge", "bridge", "",
+		libnetwork.NetworkOptionEnableIPv6(config.BridgeConfig.EnableIPv6),
+		libnetwork.NetworkOptionDriverOpts(netOption),
+		libnetwork.NetworkOptionIpam("default", "", v4Conf, v6Conf, nil),
+		libnetwork.NetworkOptionDeferIPv6Alloc(deferIPv6Alloc))
+	if err != nil {
+		return fmt.Errorf("Error creating default \"bridge\" network: %v", err)
+	}
+	return nil
+}
+
+// Remove default bridge interface if present (--bridge=none use case)
+func removeDefaultBridgeInterface() {
+	if lnk, err := netlink.LinkByName(bridge.DefaultBridgeName); err == nil {
+		if err := netlink.LinkDel(lnk); err != nil {
+			logrus.Warnf("Failed to remove bridge interface (%s): %v", bridge.DefaultBridgeName, err)
+		}
+	}
+}
+
+func setupInitLayer(idMappings *idtools.IDMappings) func(containerfs.ContainerFS) error {
+	return func(initPath containerfs.ContainerFS) error {
+		return initlayer.Setup(initPath, idMappings.RootPair())
+	}
+}
+
+// Parse the remapped root (user namespace) option, which can be one of:
+//   username            - valid username from /etc/passwd
+//   username:groupname  - valid username; valid groupname from /etc/group
+//   uid                 - 32-bit unsigned int valid Linux UID value
+//   uid:gid             - uid value; 32-bit unsigned int Linux GID value
+//
+//  If no groupname is specified, and a username is specified, an attempt
+//  will be made to lookup a gid for that username as a groupname
+//
+//  If names are used, they are verified to exist in passwd/group
+func parseRemappedRoot(usergrp string) (string, string, error) {
+
+	var (
+		userID, groupID     int
+		username, groupname string
+	)
+
+	idparts := strings.Split(usergrp, ":")
+	if len(idparts) > 2 {
+		return "", "", fmt.Errorf("Invalid user/group specification in --userns-remap: %q", usergrp)
+	}
+
+	if uid, err := strconv.ParseInt(idparts[0], 10, 32); err == nil {
+		// must be a uid; take it as valid
+		userID = int(uid)
+		luser, err := idtools.LookupUID(userID)
+		if err != nil {
+			return "", "", fmt.Errorf("Uid %d has no entry in /etc/passwd: %v", userID, err)
+		}
+		username = luser.Name
+		if len(idparts) == 1 {
+			// if the uid was numeric and no gid was specified, take the uid as the gid
+			groupID = userID
+			lgrp, err := idtools.LookupGID(groupID)
+			if err != nil {
+				return "", "", fmt.Errorf("Gid %d has no entry in /etc/group: %v", groupID, err)
+			}
+			groupname = lgrp.Name
+		}
+	} else {
+		lookupName := idparts[0]
+		// special case: if the user specified "default", they want Docker to create or
+		// use (after creation) the "dockremap" user/group for root remapping
+		if lookupName == defaultIDSpecifier {
+			lookupName = defaultRemappedID
+		}
+		luser, err := idtools.LookupUser(lookupName)
+		if err != nil && idparts[0] != defaultIDSpecifier {
+			// error if the name requested isn't the special "dockremap" ID
+			return "", "", fmt.Errorf("Error during uid lookup for %q: %v", lookupName, err)
+		} else if err != nil {
+			// special case-- if the username == "default", then we have been asked
+			// to create a new entry pair in /etc/{passwd,group} for which the /etc/sub{uid,gid}
+			// ranges will be used for the user and group mappings in user namespaced containers
+			_, _, err := idtools.AddNamespaceRangesUser(defaultRemappedID)
+			if err == nil {
+				return defaultRemappedID, defaultRemappedID, nil
+			}
+			return "", "", fmt.Errorf("Error during %q user creation: %v", defaultRemappedID, err)
+		}
+		username = luser.Name
+		if len(idparts) == 1 {
+			// we only have a string username, and no group specified; look up gid from username as group
+			group, err := idtools.LookupGroup(lookupName)
+			if err != nil {
+				return "", "", fmt.Errorf("Error during gid lookup for %q: %v", lookupName, err)
+			}
+			groupname = group.Name
+		}
+	}
+
+	if len(idparts) == 2 {
+		// groupname or gid is separately specified and must be resolved
+		// to an unsigned 32-bit gid
+		if gid, err := strconv.ParseInt(idparts[1], 10, 32); err == nil {
+			// must be a gid, take it as valid
+			groupID = int(gid)
+			lgrp, err := idtools.LookupGID(groupID)
+			if err != nil {
+				return "", "", fmt.Errorf("Gid %d has no entry in /etc/passwd: %v", groupID, err)
+			}
+			groupname = lgrp.Name
+		} else {
+			// not a number; attempt a lookup
+			if _, err := idtools.LookupGroup(idparts[1]); err != nil {
+				return "", "", fmt.Errorf("Error during groupname lookup for %q: %v", idparts[1], err)
+			}
+			groupname = idparts[1]
+		}
+	}
+	return username, groupname, nil
+}
+
+func setupRemappedRoot(config *config.Config) (*idtools.IDMappings, error) {
+	if runtime.GOOS != "linux" && config.RemappedRoot != "" {
+		return nil, fmt.Errorf("User namespaces are only supported on Linux")
+	}
+
+	// if the daemon was started with remapped root option, parse
+	// the config option to the int uid,gid values
+	if config.RemappedRoot != "" {
+		username, groupname, err := parseRemappedRoot(config.RemappedRoot)
+		if err != nil {
+			return nil, err
+		}
+		if username == "root" {
+			// Cannot setup user namespaces with a 1-to-1 mapping; "--root=0:0" is a no-op
+			// effectively
+			logrus.Warn("User namespaces: root cannot be remapped with itself; user namespaces are OFF")
+			return &idtools.IDMappings{}, nil
+		}
+		logrus.Infof("User namespaces: ID ranges will be mapped to subuid/subgid ranges of: %s:%s", username, groupname)
+		// update remapped root setting now that we have resolved them to actual names
+		config.RemappedRoot = fmt.Sprintf("%s:%s", username, groupname)
+
+		mappings, err := idtools.NewIDMappings(username, groupname)
+		if err != nil {
+			return nil, errors.Wrapf(err, "Can't create ID mappings: %v")
+		}
+		return mappings, nil
+	}
+	return &idtools.IDMappings{}, nil
+}
+
+func setupDaemonRoot(config *config.Config, rootDir string, rootIDs idtools.IDPair) error {
+	config.Root = rootDir
+	// the docker root metadata directory needs to have execute permissions for all users (g+x,o+x)
+	// so that syscalls executing as non-root, operating on subdirectories of the graph root
+	// (e.g. mounted layers of a container) can traverse this path.
+	// The user namespace support will create subdirectories for the remapped root host uid:gid
+	// pair owned by that same uid:gid pair for proper write access to those needed metadata and
+	// layer content subtrees.
+	if _, err := os.Stat(rootDir); err == nil {
+		// root current exists; verify the access bits are correct by setting them
+		if err = os.Chmod(rootDir, 0711); err != nil {
+			return err
+		}
+	} else if os.IsNotExist(err) {
+		// no root exists yet, create it 0711 with root:root ownership
+		if err := os.MkdirAll(rootDir, 0711); err != nil {
+			return err
+		}
+	}
+
+	// if user namespaces are enabled we will create a subtree underneath the specified root
+	// with any/all specified remapped root uid/gid options on the daemon creating
+	// a new subdirectory with ownership set to the remapped uid/gid (so as to allow
+	// `chdir()` to work for containers namespaced to that uid/gid)
+	if config.RemappedRoot != "" {
+		config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", rootIDs.UID, rootIDs.GID))
+		logrus.Debugf("Creating user namespaced daemon root: %s", config.Root)
+		// Create the root directory if it doesn't exist
+		if err := idtools.MkdirAllAndChown(config.Root, 0700, rootIDs); err != nil {
+			return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err)
+		}
+		// we also need to verify that any pre-existing directories in the path to
+		// the graphroot won't block access to remapped root--if any pre-existing directory
+		// has strict permissions that don't allow "x", container start will fail, so
+		// better to warn and fail now
+		dirPath := config.Root
+		for {
+			dirPath = filepath.Dir(dirPath)
+			if dirPath == "/" {
+				break
+			}
+			if !idtools.CanAccess(dirPath, rootIDs) {
+				return fmt.Errorf("a subdirectory in your graphroot path (%s) restricts access to the remapped root uid/gid; please fix by allowing 'o+x' permissions on existing directories", config.Root)
+			}
+		}
+	}
+
+	if err := setupDaemonRootPropagation(config); err != nil {
+		logrus.WithError(err).WithField("dir", config.Root).Warn("Error while setting daemon root propagation, this is not generally critical but may cause some functionality to not work or fallback to less desirable behavior")
+	}
+	return nil
+}
+
+func setupDaemonRootPropagation(cfg *config.Config) error {
+	rootParentMount, options, err := getSourceMount(cfg.Root)
+	if err != nil {
+		return errors.Wrap(err, "error getting daemon root's parent mount")
+	}
+
+	var cleanupOldFile bool
+	cleanupFile := getUnmountOnShutdownPath(cfg)
+	defer func() {
+		if !cleanupOldFile {
+			return
+		}
+		if err := os.Remove(cleanupFile); err != nil && !os.IsNotExist(err) {
+			logrus.WithError(err).WithField("file", cleanupFile).Warn("could not clean up old root propagation unmount file")
+		}
+	}()
+
+	if hasMountinfoOption(options, sharedPropagationOption, slavePropagationOption) {
+		cleanupOldFile = true
+		return nil
+	}
+
+	if err := mount.MakeShared(cfg.Root); err != nil {
+		return errors.Wrap(err, "could not setup daemon root propagation to shared")
+	}
+
+	// check the case where this may have already been a mount to itself.
+	// If so then the daemon only performed a remount and should not try to unmount this later.
+	if rootParentMount == cfg.Root {
+		cleanupOldFile = true
+		return nil
+	}
+
+	if err := ioutil.WriteFile(cleanupFile, nil, 0600); err != nil {
+		return errors.Wrap(err, "error writing file to signal mount cleanup on shutdown")
+	}
+	return nil
+}
+
+// getUnmountOnShutdownPath generates the path to used when writing the file that signals to the daemon that on shutdown
+// the daemon root should be unmounted.
+func getUnmountOnShutdownPath(config *config.Config) string {
+	return filepath.Join(config.ExecRoot, "unmount-on-shutdown")
+}
+
+// registerLinks writes the links to a file.
+func (daemon *Daemon) registerLinks(container *container.Container, hostConfig *containertypes.HostConfig) error {
+	if hostConfig == nil || hostConfig.NetworkMode.IsUserDefined() {
+		return nil
+	}
+
+	for _, l := range hostConfig.Links {
+		name, alias, err := opts.ParseLink(l)
+		if err != nil {
+			return err
+		}
+		child, err := daemon.GetContainer(name)
+		if err != nil {
+			return errors.Wrapf(err, "could not get container for %s", name)
+		}
+		for child.HostConfig.NetworkMode.IsContainer() {
+			parts := strings.SplitN(string(child.HostConfig.NetworkMode), ":", 2)
+			child, err = daemon.GetContainer(parts[1])
+			if err != nil {
+				return errors.Wrapf(err, "Could not get container for %s", parts[1])
+			}
+		}
+		if child.HostConfig.NetworkMode.IsHost() {
+			return runconfig.ErrConflictHostNetworkAndLinks
+		}
+		if err := daemon.registerLink(container, child, alias); err != nil {
+			return err
+		}
+	}
+
+	// After we load all the links into the daemon
+	// set them to nil on the hostconfig
+	_, err := container.WriteHostConfig()
+	return err
+}
+
+// conditionalMountOnStart is a platform specific helper function during the
+// container start to call mount.
+func (daemon *Daemon) conditionalMountOnStart(container *container.Container) error {
+	return daemon.Mount(container)
+}
+
+// conditionalUnmountOnCleanup is a platform specific helper function called
+// during the cleanup of a container to unmount.
+func (daemon *Daemon) conditionalUnmountOnCleanup(container *container.Container) error {
+	return daemon.Unmount(container)
+}
+
+func copyBlkioEntry(entries []*containerd_cgroups.BlkIOEntry) []types.BlkioStatEntry {
+	out := make([]types.BlkioStatEntry, len(entries))
+	for i, re := range entries {
+		out[i] = types.BlkioStatEntry{
+			Major: re.Major,
+			Minor: re.Minor,
+			Op:    re.Op,
+			Value: re.Value,
+		}
+	}
+	return out
+}
+
+func (daemon *Daemon) stats(c *container.Container) (*types.StatsJSON, error) {
+	if !c.IsRunning() {
+		return nil, errNotRunning(c.ID)
+	}
+	cs, err := daemon.containerd.Stats(context.Background(), c.ID)
+	if err != nil {
+		if strings.Contains(err.Error(), "container not found") {
+			return nil, containerNotFound(c.ID)
+		}
+		return nil, err
+	}
+	s := &types.StatsJSON{}
+	s.Read = cs.Read
+	stats := cs.Metrics
+	if stats.Blkio != nil {
+		s.BlkioStats = types.BlkioStats{
+			IoServiceBytesRecursive: copyBlkioEntry(stats.Blkio.IoServiceBytesRecursive),
+			IoServicedRecursive:     copyBlkioEntry(stats.Blkio.IoServicedRecursive),
+			IoQueuedRecursive:       copyBlkioEntry(stats.Blkio.IoQueuedRecursive),
+			IoServiceTimeRecursive:  copyBlkioEntry(stats.Blkio.IoServiceTimeRecursive),
+			IoWaitTimeRecursive:     copyBlkioEntry(stats.Blkio.IoWaitTimeRecursive),
+			IoMergedRecursive:       copyBlkioEntry(stats.Blkio.IoMergedRecursive),
+			IoTimeRecursive:         copyBlkioEntry(stats.Blkio.IoTimeRecursive),
+			SectorsRecursive:        copyBlkioEntry(stats.Blkio.SectorsRecursive),
+		}
+	}
+	if stats.CPU != nil {
+		s.CPUStats = types.CPUStats{
+			CPUUsage: types.CPUUsage{
+				TotalUsage:        stats.CPU.Usage.Total,
+				PercpuUsage:       stats.CPU.Usage.PerCPU,
+				UsageInKernelmode: stats.CPU.Usage.Kernel,
+				UsageInUsermode:   stats.CPU.Usage.User,
+			},
+			ThrottlingData: types.ThrottlingData{
+				Periods:          stats.CPU.Throttling.Periods,
+				ThrottledPeriods: stats.CPU.Throttling.ThrottledPeriods,
+				ThrottledTime:    stats.CPU.Throttling.ThrottledTime,
+			},
+		}
+	}
+
+	if stats.Memory != nil {
+		raw := make(map[string]uint64)
+		raw["cache"] = stats.Memory.Cache
+		raw["rss"] = stats.Memory.RSS
+		raw["rss_huge"] = stats.Memory.RSSHuge
+		raw["mapped_file"] = stats.Memory.MappedFile
+		raw["dirty"] = stats.Memory.Dirty
+		raw["writeback"] = stats.Memory.Writeback
+		raw["pgpgin"] = stats.Memory.PgPgIn
+		raw["pgpgout"] = stats.Memory.PgPgOut
+		raw["pgfault"] = stats.Memory.PgFault
+		raw["pgmajfault"] = stats.Memory.PgMajFault
+		raw["inactive_anon"] = stats.Memory.InactiveAnon
+		raw["active_anon"] = stats.Memory.ActiveAnon
+		raw["inactive_file"] = stats.Memory.InactiveFile
+		raw["active_file"] = stats.Memory.ActiveFile
+		raw["unevictable"] = stats.Memory.Unevictable
+		raw["hierarchical_memory_limit"] = stats.Memory.HierarchicalMemoryLimit
+		raw["hierarchical_memsw_limit"] = stats.Memory.HierarchicalSwapLimit
+		raw["total_cache"] = stats.Memory.TotalCache
+		raw["total_rss"] = stats.Memory.TotalRSS
+		raw["total_rss_huge"] = stats.Memory.TotalRSSHuge
+		raw["total_mapped_file"] = stats.Memory.TotalMappedFile
+		raw["total_dirty"] = stats.Memory.TotalDirty
+		raw["total_writeback"] = stats.Memory.TotalWriteback
+		raw["total_pgpgin"] = stats.Memory.TotalPgPgIn
+		raw["total_pgpgout"] = stats.Memory.TotalPgPgOut
+		raw["total_pgfault"] = stats.Memory.TotalPgFault
+		raw["total_pgmajfault"] = stats.Memory.TotalPgMajFault
+		raw["total_inactive_anon"] = stats.Memory.TotalInactiveAnon
+		raw["total_active_anon"] = stats.Memory.TotalActiveAnon
+		raw["total_inactive_file"] = stats.Memory.TotalInactiveFile
+		raw["total_active_file"] = stats.Memory.TotalActiveFile
+		raw["total_unevictable"] = stats.Memory.TotalUnevictable
+
+		if stats.Memory.Usage != nil {
+			s.MemoryStats = types.MemoryStats{
+				Stats:    raw,
+				Usage:    stats.Memory.Usage.Usage,
+				MaxUsage: stats.Memory.Usage.Max,
+				Limit:    stats.Memory.Usage.Limit,
+				Failcnt:  stats.Memory.Usage.Failcnt,
+			}
+		} else {
+			s.MemoryStats = types.MemoryStats{
+				Stats: raw,
+			}
+		}
+
+		// if the container does not set memory limit, use the machineMemory
+		if s.MemoryStats.Limit > daemon.machineMemory && daemon.machineMemory > 0 {
+			s.MemoryStats.Limit = daemon.machineMemory
+		}
+	}
+
+	if stats.Pids != nil {
+		s.PidsStats = types.PidsStats{
+			Current: stats.Pids.Current,
+			Limit:   stats.Pids.Limit,
+		}
+	}
+
+	return s, nil
+}
+
+// setDefaultIsolation determines the default isolation mode for the
+// daemon to run in. This is only applicable on Windows
+func (daemon *Daemon) setDefaultIsolation() error {
+	return nil
+}
+
+// setupDaemonProcess sets various settings for the daemon's process
+func setupDaemonProcess(config *config.Config) error {
+	// setup the daemons oom_score_adj
+	if err := setupOOMScoreAdj(config.OOMScoreAdjust); err != nil {
+		return err
+	}
+	if err := setMayDetachMounts(); err != nil {
+		logrus.WithError(err).Warn("Could not set may_detach_mounts kernel parameter")
+	}
+	return nil
+}
+
+// This is used to allow removal of mountpoints that may be mounted in other
+// namespaces on RHEL based kernels starting from RHEL 7.4.
+// Without this setting, removals on these RHEL based kernels may fail with
+// "device or resource busy".
+// This setting is not available in upstream kernels as it is not configurable,
+// but has been in the upstream kernels since 3.15.
+func setMayDetachMounts() error {
+	f, err := os.OpenFile("/proc/sys/fs/may_detach_mounts", os.O_WRONLY, 0)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return errors.Wrap(err, "error opening may_detach_mounts kernel config file")
+	}
+	defer f.Close()
+
+	_, err = f.WriteString("1")
+	if os.IsPermission(err) {
+		// Setting may_detach_mounts does not work in an
+		// unprivileged container. Ignore the error, but log
+		// it if we appear not to be in that situation.
+		if !rsystem.RunningInUserNS() {
+			logrus.Debugf("Permission denied writing %q to /proc/sys/fs/may_detach_mounts", "1")
+		}
+		return nil
+	}
+	return err
+}
+
+func setupOOMScoreAdj(score int) error {
+	f, err := os.OpenFile("/proc/self/oom_score_adj", os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	stringScore := strconv.Itoa(score)
+	_, err = f.WriteString(stringScore)
+	if os.IsPermission(err) {
+		// Setting oom_score_adj does not work in an
+		// unprivileged container. Ignore the error, but log
+		// it if we appear not to be in that situation.
+		if !rsystem.RunningInUserNS() {
+			logrus.Debugf("Permission denied writing %q to /proc/self/oom_score_adj", stringScore)
+		}
+		return nil
+	}
+
+	return err
+}
+
+func (daemon *Daemon) initCgroupsPath(path string) error {
+	if path == "/" || path == "." {
+		return nil
+	}
+
+	if daemon.configStore.CPURealtimePeriod == 0 && daemon.configStore.CPURealtimeRuntime == 0 {
+		return nil
+	}
+
+	// Recursively create cgroup to ensure that the system and all parent cgroups have values set
+	// for the period and runtime as this limits what the children can be set to.
+	daemon.initCgroupsPath(filepath.Dir(path))
+
+	mnt, root, err := cgroups.FindCgroupMountpointAndRoot("cpu")
+	if err != nil {
+		return err
+	}
+	// When docker is run inside docker, the root is based of the host cgroup.
+	// Should this be handled in runc/libcontainer/cgroups ?
+	if strings.HasPrefix(root, "/docker/") {
+		root = "/"
+	}
+
+	path = filepath.Join(mnt, root, path)
+	sysinfo := sysinfo.New(true)
+	if err := maybeCreateCPURealTimeFile(sysinfo.CPURealtimePeriod, daemon.configStore.CPURealtimePeriod, "cpu.rt_period_us", path); err != nil {
+		return err
+	}
+	return maybeCreateCPURealTimeFile(sysinfo.CPURealtimeRuntime, daemon.configStore.CPURealtimeRuntime, "cpu.rt_runtime_us", path)
+}
+
+func maybeCreateCPURealTimeFile(sysinfoPresent bool, configValue int64, file string, path string) error {
+	if sysinfoPresent && configValue != 0 {
+		if err := os.MkdirAll(path, 0755); err != nil {
+			return err
+		}
+		if err := ioutil.WriteFile(filepath.Join(path, file), []byte(strconv.FormatInt(configValue, 10)), 0700); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (daemon *Daemon) setupSeccompProfile() error {
+	if daemon.configStore.SeccompProfile != "" {
+		daemon.seccompProfilePath = daemon.configStore.SeccompProfile
+		b, err := ioutil.ReadFile(daemon.configStore.SeccompProfile)
+		if err != nil {
+			return fmt.Errorf("opening seccomp profile (%s) failed: %v", daemon.configStore.SeccompProfile, err)
+		}
+		daemon.seccompProfile = b
+	}
+	return nil
+}
diff --git a/engine/daemon/daemon_unix_test.go b/engine/daemon/daemon_unix_test.go
new file mode 100644
index 00000000..36c60309
--- /dev/null
+++ b/engine/daemon/daemon_unix_test.go
@@ -0,0 +1,268 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"errors"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/config"
+)
+
+type fakeContainerGetter struct {
+	containers map[string]*container.Container
+}
+
+func (f *fakeContainerGetter) GetContainer(cid string) (*container.Container, error) {
+	container, ok := f.containers[cid]
+	if !ok {
+		return nil, errors.New("container not found")
+	}
+	return container, nil
+}
+
+// Unix test as uses settings which are not available on Windows
+func TestAdjustSharedNamespaceContainerName(t *testing.T) {
+	fakeID := "abcdef1234567890"
+	hostConfig := &containertypes.HostConfig{
+		IpcMode:     containertypes.IpcMode("container:base"),
+		PidMode:     containertypes.PidMode("container:base"),
+		NetworkMode: containertypes.NetworkMode("container:base"),
+	}
+	containerStore := &fakeContainerGetter{}
+	containerStore.containers = make(map[string]*container.Container)
+	containerStore.containers["base"] = &container.Container{
+		ID: fakeID,
+	}
+
+	adaptSharedNamespaceContainer(containerStore, hostConfig)
+	if hostConfig.IpcMode != containertypes.IpcMode("container:"+fakeID) {
+		t.Errorf("Expected IpcMode to be container:%s", fakeID)
+	}
+	if hostConfig.PidMode != containertypes.PidMode("container:"+fakeID) {
+		t.Errorf("Expected PidMode to be container:%s", fakeID)
+	}
+	if hostConfig.NetworkMode != containertypes.NetworkMode("container:"+fakeID) {
+		t.Errorf("Expected NetworkMode to be container:%s", fakeID)
+	}
+}
+
+// Unix test as uses settings which are not available on Windows
+func TestAdjustCPUShares(t *testing.T) {
+	tmp, err := ioutil.TempDir("", "docker-daemon-unix-test-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+	daemon := &Daemon{
+		repository: tmp,
+		root:       tmp,
+	}
+
+	hostConfig := &containertypes.HostConfig{
+		Resources: containertypes.Resources{CPUShares: linuxMinCPUShares - 1},
+	}
+	daemon.adaptContainerSettings(hostConfig, true)
+	if hostConfig.CPUShares != linuxMinCPUShares {
+		t.Errorf("Expected CPUShares to be %d", linuxMinCPUShares)
+	}
+
+	hostConfig.CPUShares = linuxMaxCPUShares + 1
+	daemon.adaptContainerSettings(hostConfig, true)
+	if hostConfig.CPUShares != linuxMaxCPUShares {
+		t.Errorf("Expected CPUShares to be %d", linuxMaxCPUShares)
+	}
+
+	hostConfig.CPUShares = 0
+	daemon.adaptContainerSettings(hostConfig, true)
+	if hostConfig.CPUShares != 0 {
+		t.Error("Expected CPUShares to be unchanged")
+	}
+
+	hostConfig.CPUShares = 1024
+	daemon.adaptContainerSettings(hostConfig, true)
+	if hostConfig.CPUShares != 1024 {
+		t.Error("Expected CPUShares to be unchanged")
+	}
+}
+
+// Unix test as uses settings which are not available on Windows
+func TestAdjustCPUSharesNoAdjustment(t *testing.T) {
+	tmp, err := ioutil.TempDir("", "docker-daemon-unix-test-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+	daemon := &Daemon{
+		repository: tmp,
+		root:       tmp,
+	}
+
+	hostConfig := &containertypes.HostConfig{
+		Resources: containertypes.Resources{CPUShares: linuxMinCPUShares - 1},
+	}
+	daemon.adaptContainerSettings(hostConfig, false)
+	if hostConfig.CPUShares != linuxMinCPUShares-1 {
+		t.Errorf("Expected CPUShares to be %d", linuxMinCPUShares-1)
+	}
+
+	hostConfig.CPUShares = linuxMaxCPUShares + 1
+	daemon.adaptContainerSettings(hostConfig, false)
+	if hostConfig.CPUShares != linuxMaxCPUShares+1 {
+		t.Errorf("Expected CPUShares to be %d", linuxMaxCPUShares+1)
+	}
+
+	hostConfig.CPUShares = 0
+	daemon.adaptContainerSettings(hostConfig, false)
+	if hostConfig.CPUShares != 0 {
+		t.Error("Expected CPUShares to be unchanged")
+	}
+
+	hostConfig.CPUShares = 1024
+	daemon.adaptContainerSettings(hostConfig, false)
+	if hostConfig.CPUShares != 1024 {
+		t.Error("Expected CPUShares to be unchanged")
+	}
+}
+
+// Unix test as uses settings which are not available on Windows
+func TestParseSecurityOptWithDeprecatedColon(t *testing.T) {
+	container := &container.Container{}
+	config := &containertypes.HostConfig{}
+
+	// test apparmor
+	config.SecurityOpt = []string{"apparmor=test_profile"}
+	if err := parseSecurityOpt(container, config); err != nil {
+		t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
+	}
+	if container.AppArmorProfile != "test_profile" {
+		t.Fatalf("Unexpected AppArmorProfile, expected: \"test_profile\", got %q", container.AppArmorProfile)
+	}
+
+	// test seccomp
+	sp := "/path/to/seccomp_test.json"
+	config.SecurityOpt = []string{"seccomp=" + sp}
+	if err := parseSecurityOpt(container, config); err != nil {
+		t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
+	}
+	if container.SeccompProfile != sp {
+		t.Fatalf("Unexpected AppArmorProfile, expected: %q, got %q", sp, container.SeccompProfile)
+	}
+
+	// test valid label
+	config.SecurityOpt = []string{"label=user:USER"}
+	if err := parseSecurityOpt(container, config); err != nil {
+		t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
+	}
+
+	// test invalid label
+	config.SecurityOpt = []string{"label"}
+	if err := parseSecurityOpt(container, config); err == nil {
+		t.Fatal("Expected parseSecurityOpt error, got nil")
+	}
+
+	// test invalid opt
+	config.SecurityOpt = []string{"test"}
+	if err := parseSecurityOpt(container, config); err == nil {
+		t.Fatal("Expected parseSecurityOpt error, got nil")
+	}
+}
+
+func TestParseSecurityOpt(t *testing.T) {
+	container := &container.Container{}
+	config := &containertypes.HostConfig{}
+
+	// test apparmor
+	config.SecurityOpt = []string{"apparmor=test_profile"}
+	if err := parseSecurityOpt(container, config); err != nil {
+		t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
+	}
+	if container.AppArmorProfile != "test_profile" {
+		t.Fatalf("Unexpected AppArmorProfile, expected: \"test_profile\", got %q", container.AppArmorProfile)
+	}
+
+	// test seccomp
+	sp := "/path/to/seccomp_test.json"
+	config.SecurityOpt = []string{"seccomp=" + sp}
+	if err := parseSecurityOpt(container, config); err != nil {
+		t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
+	}
+	if container.SeccompProfile != sp {
+		t.Fatalf("Unexpected SeccompProfile, expected: %q, got %q", sp, container.SeccompProfile)
+	}
+
+	// test valid label
+	config.SecurityOpt = []string{"label=user:USER"}
+	if err := parseSecurityOpt(container, config); err != nil {
+		t.Fatalf("Unexpected parseSecurityOpt error: %v", err)
+	}
+
+	// test invalid label
+	config.SecurityOpt = []string{"label"}
+	if err := parseSecurityOpt(container, config); err == nil {
+		t.Fatal("Expected parseSecurityOpt error, got nil")
+	}
+
+	// test invalid opt
+	config.SecurityOpt = []string{"test"}
+	if err := parseSecurityOpt(container, config); err == nil {
+		t.Fatal("Expected parseSecurityOpt error, got nil")
+	}
+}
+
+func TestParseNNPSecurityOptions(t *testing.T) {
+	daemon := &Daemon{
+		configStore: &config.Config{NoNewPrivileges: true},
+	}
+	container := &container.Container{}
+	config := &containertypes.HostConfig{}
+
+	// test NNP when "daemon:true" and "no-new-privileges=false""
+	config.SecurityOpt = []string{"no-new-privileges=false"}
+
+	if err := daemon.parseSecurityOpt(container, config); err != nil {
+		t.Fatalf("Unexpected daemon.parseSecurityOpt error: %v", err)
+	}
+	if container.NoNewPrivileges {
+		t.Fatalf("container.NoNewPrivileges should be FALSE: %v", container.NoNewPrivileges)
+	}
+
+	// test NNP when "daemon:false" and "no-new-privileges=true""
+	daemon.configStore.NoNewPrivileges = false
+	config.SecurityOpt = []string{"no-new-privileges=true"}
+
+	if err := daemon.parseSecurityOpt(container, config); err != nil {
+		t.Fatalf("Unexpected daemon.parseSecurityOpt error: %v", err)
+	}
+	if !container.NoNewPrivileges {
+		t.Fatalf("container.NoNewPrivileges should be TRUE: %v", container.NoNewPrivileges)
+	}
+}
+
+func TestNetworkOptions(t *testing.T) {
+	daemon := &Daemon{}
+	dconfigCorrect := &config.Config{
+		CommonConfig: config.CommonConfig{
+			ClusterStore:     "consul://localhost:8500",
+			ClusterAdvertise: "192.168.0.1:8000",
+		},
+	}
+
+	if _, err := daemon.networkOptions(dconfigCorrect, nil, nil); err != nil {
+		t.Fatalf("Expect networkOptions success, got error: %v", err)
+	}
+
+	dconfigWrong := &config.Config{
+		CommonConfig: config.CommonConfig{
+			ClusterStore: "consul://localhost:8500://test://bbb",
+		},
+	}
+
+	if _, err := daemon.networkOptions(dconfigWrong, nil, nil); err == nil {
+		t.Fatal("Expected networkOptions error, got nil")
+	}
+}
diff --git a/engine/daemon/daemon_unsupported.go b/engine/daemon/daemon_unsupported.go
new file mode 100644
index 00000000..ee680b64
--- /dev/null
+++ b/engine/daemon/daemon_unsupported.go
@@ -0,0 +1,5 @@
+// +build !linux,!freebsd,!windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+const platformSupported = false
diff --git a/engine/daemon/daemon_windows.go b/engine/daemon/daemon_windows.go
new file mode 100644
index 00000000..1f801032
--- /dev/null
+++ b/engine/daemon/daemon_windows.go
@@ -0,0 +1,655 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/Microsoft/hcsshim"
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/fileutils"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/parsers"
+	"github.com/docker/docker/pkg/platform"
+	"github.com/docker/docker/pkg/sysinfo"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/runconfig"
+	"github.com/docker/libnetwork"
+	nwconfig "github.com/docker/libnetwork/config"
+	"github.com/docker/libnetwork/datastore"
+	winlibnetwork "github.com/docker/libnetwork/drivers/windows"
+	"github.com/docker/libnetwork/netlabel"
+	"github.com/docker/libnetwork/options"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/svc/mgr"
+)
+
+const (
+	defaultNetworkSpace  = "172.16.0.0/12"
+	platformSupported    = true
+	windowsMinCPUShares  = 1
+	windowsMaxCPUShares  = 10000
+	windowsMinCPUPercent = 1
+	windowsMaxCPUPercent = 100
+)
+
+// Windows has no concept of an execution state directory. So use config.Root here.
+func getPluginExecRoot(root string) string {
+	return filepath.Join(root, "plugins")
+}
+
+func (daemon *Daemon) parseSecurityOpt(container *container.Container, hostConfig *containertypes.HostConfig) error {
+	return parseSecurityOpt(container, hostConfig)
+}
+
+func parseSecurityOpt(container *container.Container, config *containertypes.HostConfig) error {
+	return nil
+}
+
+func setupInitLayer(idMappings *idtools.IDMappings) func(containerfs.ContainerFS) error {
+	return nil
+}
+
+func checkKernel() error {
+	return nil
+}
+
+func (daemon *Daemon) getCgroupDriver() string {
+	return ""
+}
+
+// adaptContainerSettings is called during container creation to modify any
+// settings necessary in the HostConfig structure.
+func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConfig, adjustCPUShares bool) error {
+	if hostConfig == nil {
+		return nil
+	}
+
+	return nil
+}
+
+func verifyContainerResources(resources *containertypes.Resources, isHyperv bool) ([]string, error) {
+	warnings := []string{}
+	fixMemorySwappiness(resources)
+	if !isHyperv {
+		// The processor resource controls are mutually exclusive on
+		// Windows Server Containers, the order of precedence is
+		// CPUCount first, then CPUShares, and CPUPercent last.
+		if resources.CPUCount > 0 {
+			if resources.CPUShares > 0 {
+				warnings = append(warnings, "Conflicting options: CPU count takes priority over CPU shares on Windows Server Containers. CPU shares discarded")
+				logrus.Warn("Conflicting options: CPU count takes priority over CPU shares on Windows Server Containers. CPU shares discarded")
+				resources.CPUShares = 0
+			}
+			if resources.CPUPercent > 0 {
+				warnings = append(warnings, "Conflicting options: CPU count takes priority over CPU percent on Windows Server Containers. CPU percent discarded")
+				logrus.Warn("Conflicting options: CPU count takes priority over CPU percent on Windows Server Containers. CPU percent discarded")
+				resources.CPUPercent = 0
+			}
+		} else if resources.CPUShares > 0 {
+			if resources.CPUPercent > 0 {
+				warnings = append(warnings, "Conflicting options: CPU shares takes priority over CPU percent on Windows Server Containers. CPU percent discarded")
+				logrus.Warn("Conflicting options: CPU shares takes priority over CPU percent on Windows Server Containers. CPU percent discarded")
+				resources.CPUPercent = 0
+			}
+		}
+	}
+
+	if resources.CPUShares < 0 || resources.CPUShares > windowsMaxCPUShares {
+		return warnings, fmt.Errorf("range of CPUShares is from %d to %d", windowsMinCPUShares, windowsMaxCPUShares)
+	}
+	if resources.CPUPercent < 0 || resources.CPUPercent > windowsMaxCPUPercent {
+		return warnings, fmt.Errorf("range of CPUPercent is from %d to %d", windowsMinCPUPercent, windowsMaxCPUPercent)
+	}
+	if resources.CPUCount < 0 {
+		return warnings, fmt.Errorf("invalid CPUCount: CPUCount cannot be negative")
+	}
+
+	if resources.NanoCPUs > 0 && resources.CPUPercent > 0 {
+		return warnings, fmt.Errorf("conflicting options: Nano CPUs and CPU Percent cannot both be set")
+	}
+	if resources.NanoCPUs > 0 && resources.CPUShares > 0 {
+		return warnings, fmt.Errorf("conflicting options: Nano CPUs and CPU Shares cannot both be set")
+	}
+	// The precision we could get is 0.01, because on Windows we have to convert to CPUPercent.
+	// We don't set the lower limit here and it is up to the underlying platform (e.g., Windows) to return an error.
+	if resources.NanoCPUs < 0 || resources.NanoCPUs > int64(sysinfo.NumCPU())*1e9 {
+		return warnings, fmt.Errorf("range of CPUs is from 0.01 to %d.00, as there are only %d CPUs available", sysinfo.NumCPU(), sysinfo.NumCPU())
+	}
+
+	osv := system.GetOSVersion()
+	if resources.NanoCPUs > 0 && isHyperv && osv.Build < 16175 {
+		leftoverNanoCPUs := resources.NanoCPUs % 1e9
+		if leftoverNanoCPUs != 0 && resources.NanoCPUs > 1e9 {
+			resources.NanoCPUs = ((resources.NanoCPUs + 1e9/2) / 1e9) * 1e9
+			warningString := fmt.Sprintf("Your current OS version does not support Hyper-V containers with NanoCPUs greater than 1000000000 but not divisible by 1000000000. NanoCPUs rounded to %d", resources.NanoCPUs)
+			warnings = append(warnings, warningString)
+			logrus.Warn(warningString)
+		}
+	}
+
+	if len(resources.BlkioDeviceReadBps) > 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support BlkioDeviceReadBps")
+	}
+	if len(resources.BlkioDeviceReadIOps) > 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support BlkioDeviceReadIOps")
+	}
+	if len(resources.BlkioDeviceWriteBps) > 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support BlkioDeviceWriteBps")
+	}
+	if len(resources.BlkioDeviceWriteIOps) > 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support BlkioDeviceWriteIOps")
+	}
+	if resources.BlkioWeight > 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support BlkioWeight")
+	}
+	if len(resources.BlkioWeightDevice) > 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support BlkioWeightDevice")
+	}
+	if resources.CgroupParent != "" {
+		return warnings, fmt.Errorf("invalid option: Windows does not support CgroupParent")
+	}
+	if resources.CPUPeriod != 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support CPUPeriod")
+	}
+	if resources.CpusetCpus != "" {
+		return warnings, fmt.Errorf("invalid option: Windows does not support CpusetCpus")
+	}
+	if resources.CpusetMems != "" {
+		return warnings, fmt.Errorf("invalid option: Windows does not support CpusetMems")
+	}
+	if resources.KernelMemory != 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support KernelMemory")
+	}
+	if resources.MemoryReservation != 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support MemoryReservation")
+	}
+	if resources.MemorySwap != 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support MemorySwap")
+	}
+	if resources.MemorySwappiness != nil {
+		return warnings, fmt.Errorf("invalid option: Windows does not support MemorySwappiness")
+	}
+	if resources.OomKillDisable != nil && *resources.OomKillDisable {
+		return warnings, fmt.Errorf("invalid option: Windows does not support OomKillDisable")
+	}
+	if resources.PidsLimit != 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support PidsLimit")
+	}
+	if len(resources.Ulimits) != 0 {
+		return warnings, fmt.Errorf("invalid option: Windows does not support Ulimits")
+	}
+	return warnings, nil
+}
+
+// verifyPlatformContainerSettings performs platform-specific validation of the
+// hostconfig and config structures.
+func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.HostConfig, config *containertypes.Config, update bool) ([]string, error) {
+	warnings := []string{}
+
+	hyperv := daemon.runAsHyperVContainer(hostConfig)
+	if !hyperv && system.IsWindowsClient() && !system.IsIoTCore() {
+		// @engine maintainers. This block should not be removed. It partially enforces licensing
+		// restrictions on Windows. Ping @jhowardmsft if there are concerns or PRs to change this.
+		return warnings, fmt.Errorf("Windows client operating systems only support Hyper-V containers")
+	}
+
+	w, err := verifyContainerResources(&hostConfig.Resources, hyperv)
+	warnings = append(warnings, w...)
+	return warnings, err
+}
+
+// verifyDaemonSettings performs validation of daemon config struct
+func verifyDaemonSettings(config *config.Config) error {
+	return nil
+}
+
+// checkSystem validates platform-specific requirements
+func checkSystem() error {
+	// Validate the OS version. Note that docker.exe must be manifested for this
+	// call to return the correct version.
+	osv := system.GetOSVersion()
+	if osv.MajorVersion < 10 {
+		return fmt.Errorf("This version of Windows does not support the docker daemon")
+	}
+	if osv.Build < 14393 {
+		return fmt.Errorf("The docker daemon requires build 14393 or later of Windows Server 2016 or Windows 10")
+	}
+
+	vmcompute := windows.NewLazySystemDLL("vmcompute.dll")
+	if vmcompute.Load() != nil {
+		return fmt.Errorf("failed to load vmcompute.dll, ensure that the Containers feature is installed")
+	}
+
+	// Ensure that the required Host Network Service and vmcompute services
+	// are running. Docker will fail in unexpected ways if this is not present.
+	var requiredServices = []string{"hns", "vmcompute"}
+	if err := ensureServicesInstalled(requiredServices); err != nil {
+		return errors.Wrap(err, "a required service is not installed, ensure the Containers feature is installed")
+	}
+
+	return nil
+}
+
+func ensureServicesInstalled(services []string) error {
+	m, err := mgr.Connect()
+	if err != nil {
+		return err
+	}
+	defer m.Disconnect()
+	for _, service := range services {
+		s, err := m.OpenService(service)
+		if err != nil {
+			return errors.Wrapf(err, "failed to open service %s", service)
+		}
+		s.Close()
+	}
+	return nil
+}
+
+// configureKernelSecuritySupport configures and validate security support for the kernel
+func configureKernelSecuritySupport(config *config.Config, driverName string) error {
+	return nil
+}
+
+// configureMaxThreads sets the Go runtime max threads threshold
+func configureMaxThreads(config *config.Config) error {
+	return nil
+}
+
+func (daemon *Daemon) initNetworkController(config *config.Config, activeSandboxes map[string]interface{}) (libnetwork.NetworkController, error) {
+	netOptions, err := daemon.networkOptions(config, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	controller, err := libnetwork.New(netOptions...)
+	if err != nil {
+		return nil, fmt.Errorf("error obtaining controller instance: %v", err)
+	}
+
+	hnsresponse, err := hcsshim.HNSListNetworkRequest("GET", "", "")
+	if err != nil {
+		return nil, err
+	}
+
+	// Remove networks not present in HNS
+	for _, v := range controller.Networks() {
+		options := v.Info().DriverOptions()
+		hnsid := options[winlibnetwork.HNSID]
+		found := false
+
+		for _, v := range hnsresponse {
+			if v.Id == hnsid {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			// global networks should not be deleted by local HNS
+			if v.Info().Scope() != datastore.GlobalScope {
+				err = v.Delete()
+				if err != nil {
+					logrus.Errorf("Error occurred when removing network %v", err)
+				}
+			}
+		}
+	}
+
+	_, err = controller.NewNetwork("null", "none", "", libnetwork.NetworkOptionPersist(false))
+	if err != nil {
+		return nil, err
+	}
+
+	defaultNetworkExists := false
+
+	if network, err := controller.NetworkByName(runconfig.DefaultDaemonNetworkMode().NetworkName()); err == nil {
+		options := network.Info().DriverOptions()
+		for _, v := range hnsresponse {
+			if options[winlibnetwork.HNSID] == v.Id {
+				defaultNetworkExists = true
+				break
+			}
+		}
+	}
+
+	// discover and add HNS networks to windows
+	// network that exist are removed and added again
+	for _, v := range hnsresponse {
+		if strings.ToLower(v.Type) == "private" {
+			continue // workaround for HNS reporting unsupported networks
+		}
+		var n libnetwork.Network
+		s := func(current libnetwork.Network) bool {
+			options := current.Info().DriverOptions()
+			if options[winlibnetwork.HNSID] == v.Id {
+				n = current
+				return true
+			}
+			return false
+		}
+
+		controller.WalkNetworks(s)
+
+		drvOptions := make(map[string]string)
+
+		if n != nil {
+			// global networks should not be deleted by local HNS
+			if n.Info().Scope() == datastore.GlobalScope {
+				continue
+			}
+			v.Name = n.Name()
+			// This will not cause network delete from HNS as the network
+			// is not yet populated in the libnetwork windows driver
+
+			// restore option if it existed before
+			drvOptions = n.Info().DriverOptions()
+			n.Delete()
+		}
+		netOption := map[string]string{
+			winlibnetwork.NetworkName: v.Name,
+			winlibnetwork.HNSID:       v.Id,
+		}
+
+		// add persisted driver options
+		for k, v := range drvOptions {
+			if k != winlibnetwork.NetworkName && k != winlibnetwork.HNSID {
+				netOption[k] = v
+			}
+		}
+
+		v4Conf := []*libnetwork.IpamConf{}
+		for _, subnet := range v.Subnets {
+			ipamV4Conf := libnetwork.IpamConf{}
+			ipamV4Conf.PreferredPool = subnet.AddressPrefix
+			ipamV4Conf.Gateway = subnet.GatewayAddress
+			v4Conf = append(v4Conf, &ipamV4Conf)
+		}
+
+		name := v.Name
+
+		// If there is no nat network create one from the first NAT network
+		// encountered if it doesn't already exist
+		if !defaultNetworkExists &&
+			runconfig.DefaultDaemonNetworkMode() == containertypes.NetworkMode(strings.ToLower(v.Type)) &&
+			n == nil {
+			name = runconfig.DefaultDaemonNetworkMode().NetworkName()
+			defaultNetworkExists = true
+		}
+
+		v6Conf := []*libnetwork.IpamConf{}
+		_, err := controller.NewNetwork(strings.ToLower(v.Type), name, "",
+			libnetwork.NetworkOptionGeneric(options.Generic{
+				netlabel.GenericData: netOption,
+			}),
+			libnetwork.NetworkOptionIpam("default", "", v4Conf, v6Conf, nil),
+		)
+
+		if err != nil {
+			logrus.Errorf("Error occurred when creating network %v", err)
+		}
+	}
+
+	if !config.DisableBridge {
+		// Initialize default driver "bridge"
+		if err := initBridgeDriver(controller, config); err != nil {
+			return nil, err
+		}
+	}
+
+	return controller, nil
+}
+
+func initBridgeDriver(controller libnetwork.NetworkController, config *config.Config) error {
+	if _, err := controller.NetworkByName(runconfig.DefaultDaemonNetworkMode().NetworkName()); err == nil {
+		return nil
+	}
+
+	netOption := map[string]string{
+		winlibnetwork.NetworkName: runconfig.DefaultDaemonNetworkMode().NetworkName(),
+	}
+
+	var ipamOption libnetwork.NetworkOption
+	var subnetPrefix string
+
+	if config.BridgeConfig.FixedCIDR != "" {
+		subnetPrefix = config.BridgeConfig.FixedCIDR
+	} else {
+		// TP5 doesn't support properly detecting subnet
+		osv := system.GetOSVersion()
+		if osv.Build < 14360 {
+			subnetPrefix = defaultNetworkSpace
+		}
+	}
+
+	if subnetPrefix != "" {
+		ipamV4Conf := libnetwork.IpamConf{}
+		ipamV4Conf.PreferredPool = subnetPrefix
+		v4Conf := []*libnetwork.IpamConf{&ipamV4Conf}
+		v6Conf := []*libnetwork.IpamConf{}
+		ipamOption = libnetwork.NetworkOptionIpam("default", "", v4Conf, v6Conf, nil)
+	}
+
+	_, err := controller.NewNetwork(string(runconfig.DefaultDaemonNetworkMode()), runconfig.DefaultDaemonNetworkMode().NetworkName(), "",
+		libnetwork.NetworkOptionGeneric(options.Generic{
+			netlabel.GenericData: netOption,
+		}),
+		ipamOption,
+	)
+
+	if err != nil {
+		return fmt.Errorf("Error creating default network: %v", err)
+	}
+
+	return nil
+}
+
+// registerLinks sets up links between containers and writes the
+// configuration out for persistence. As of Windows TP4, links are not supported.
+func (daemon *Daemon) registerLinks(container *container.Container, hostConfig *containertypes.HostConfig) error {
+	return nil
+}
+
+func (daemon *Daemon) cleanupMountsByID(in string) error {
+	return nil
+}
+
+func (daemon *Daemon) cleanupMounts() error {
+	return nil
+}
+
+func setupRemappedRoot(config *config.Config) (*idtools.IDMappings, error) {
+	return &idtools.IDMappings{}, nil
+}
+
+func setupDaemonRoot(config *config.Config, rootDir string, rootIDs idtools.IDPair) error {
+	config.Root = rootDir
+	// Create the root directory if it doesn't exists
+	if err := system.MkdirAllWithACL(config.Root, 0, system.SddlAdministratorsLocalSystem); err != nil {
+		return err
+	}
+	return nil
+}
+
+// runasHyperVContainer returns true if we are going to run as a Hyper-V container
+func (daemon *Daemon) runAsHyperVContainer(hostConfig *containertypes.HostConfig) bool {
+	if hostConfig.Isolation.IsDefault() {
+		// Container is set to use the default, so take the default from the daemon configuration
+		return daemon.defaultIsolation.IsHyperV()
+	}
+
+	// Container is requesting an isolation mode. Honour it.
+	return hostConfig.Isolation.IsHyperV()
+
+}
+
+// conditionalMountOnStart is a platform specific helper function during the
+// container start to call mount.
+func (daemon *Daemon) conditionalMountOnStart(container *container.Container) error {
+	// Bail out now for Linux containers. We cannot mount the containers filesystem on the
+	// host as it is a non-Windows filesystem.
+	if system.LCOWSupported() && container.OS != "windows" {
+		return nil
+	}
+
+	// We do not mount if a Hyper-V container as it needs to be mounted inside the
+	// utility VM, not the host.
+	if !daemon.runAsHyperVContainer(container.HostConfig) {
+		return daemon.Mount(container)
+	}
+	return nil
+}
+
+// conditionalUnmountOnCleanup is a platform specific helper function called
+// during the cleanup of a container to unmount.
+func (daemon *Daemon) conditionalUnmountOnCleanup(container *container.Container) error {
+	// Bail out now for Linux containers
+	if system.LCOWSupported() && container.OS != "windows" {
+		return nil
+	}
+
+	// We do not unmount if a Hyper-V container
+	if !daemon.runAsHyperVContainer(container.HostConfig) {
+		return daemon.Unmount(container)
+	}
+	return nil
+}
+
+func driverOptions(config *config.Config) []nwconfig.Option {
+	return []nwconfig.Option{}
+}
+
+func (daemon *Daemon) stats(c *container.Container) (*types.StatsJSON, error) {
+	if !c.IsRunning() {
+		return nil, errNotRunning(c.ID)
+	}
+
+	// Obtain the stats from HCS via libcontainerd
+	stats, err := daemon.containerd.Stats(context.Background(), c.ID)
+	if err != nil {
+		if strings.Contains(err.Error(), "container not found") {
+			return nil, containerNotFound(c.ID)
+		}
+		return nil, err
+	}
+
+	// Start with an empty structure
+	s := &types.StatsJSON{}
+	s.Stats.Read = stats.Read
+	s.Stats.NumProcs = platform.NumProcs()
+
+	if stats.HCSStats != nil {
+		hcss := stats.HCSStats
+		// Populate the CPU/processor statistics
+		s.CPUStats = types.CPUStats{
+			CPUUsage: types.CPUUsage{
+				TotalUsage:        hcss.Processor.TotalRuntime100ns,
+				UsageInKernelmode: hcss.Processor.RuntimeKernel100ns,
+				UsageInUsermode:   hcss.Processor.RuntimeKernel100ns,
+			},
+		}
+
+		// Populate the memory statistics
+		s.MemoryStats = types.MemoryStats{
+			Commit:            hcss.Memory.UsageCommitBytes,
+			CommitPeak:        hcss.Memory.UsageCommitPeakBytes,
+			PrivateWorkingSet: hcss.Memory.UsagePrivateWorkingSetBytes,
+		}
+
+		// Populate the storage statistics
+		s.StorageStats = types.StorageStats{
+			ReadCountNormalized:  hcss.Storage.ReadCountNormalized,
+			ReadSizeBytes:        hcss.Storage.ReadSizeBytes,
+			WriteCountNormalized: hcss.Storage.WriteCountNormalized,
+			WriteSizeBytes:       hcss.Storage.WriteSizeBytes,
+		}
+
+		// Populate the network statistics
+		s.Networks = make(map[string]types.NetworkStats)
+		for _, nstats := range hcss.Network {
+			s.Networks[nstats.EndpointId] = types.NetworkStats{
+				RxBytes:   nstats.BytesReceived,
+				RxPackets: nstats.PacketsReceived,
+				RxDropped: nstats.DroppedPacketsIncoming,
+				TxBytes:   nstats.BytesSent,
+				TxPackets: nstats.PacketsSent,
+				TxDropped: nstats.DroppedPacketsOutgoing,
+			}
+		}
+	}
+	return s, nil
+}
+
+// setDefaultIsolation determine the default isolation mode for the
+// daemon to run in. This is only applicable on Windows
+func (daemon *Daemon) setDefaultIsolation() error {
+	daemon.defaultIsolation = containertypes.Isolation("process")
+	// On client SKUs, default to Hyper-V. Note that IoT reports as a client SKU
+	// but it should not be treated as such.
+	if system.IsWindowsClient() && !system.IsIoTCore() {
+		daemon.defaultIsolation = containertypes.Isolation("hyperv")
+	}
+	for _, option := range daemon.configStore.ExecOptions {
+		key, val, err := parsers.ParseKeyValueOpt(option)
+		if err != nil {
+			return err
+		}
+		key = strings.ToLower(key)
+		switch key {
+
+		case "isolation":
+			if !containertypes.Isolation(val).IsValid() {
+				return fmt.Errorf("Invalid exec-opt value for 'isolation':'%s'", val)
+			}
+			if containertypes.Isolation(val).IsHyperV() {
+				daemon.defaultIsolation = containertypes.Isolation("hyperv")
+			}
+			if containertypes.Isolation(val).IsProcess() {
+				if system.IsWindowsClient() && !system.IsIoTCore() {
+					// @engine maintainers. This block should not be removed. It partially enforces licensing
+					// restrictions on Windows. Ping @jhowardmsft if there are concerns or PRs to change this.
+					return fmt.Errorf("Windows client operating systems only support Hyper-V containers")
+				}
+				daemon.defaultIsolation = containertypes.Isolation("process")
+			}
+		default:
+			return fmt.Errorf("Unrecognised exec-opt '%s'\n", key)
+		}
+	}
+
+	logrus.Infof("Windows default isolation mode: %s", daemon.defaultIsolation)
+	return nil
+}
+
+func setupDaemonProcess(config *config.Config) error {
+	return nil
+}
+
+func (daemon *Daemon) setupSeccompProfile() error {
+	return nil
+}
+
+func getRealPath(path string) (string, error) {
+	if system.IsIoTCore() {
+		// Due to https://github.com/golang/go/issues/20506, path expansion
+		// does not work correctly on the default IoT Core configuration.
+		// TODO @darrenstahlmsft remove this once golang/go/20506 is fixed
+		return path, nil
+	}
+	return fileutils.ReadSymlinkedDirectory(path)
+}
+
+func (daemon *Daemon) loadRuntimes() error {
+	return nil
+}
+
+func (daemon *Daemon) initRuntimes(_ map[string]types.Runtime) error {
+	return nil
+}
diff --git a/engine/daemon/daemon_windows_test.go b/engine/daemon/daemon_windows_test.go
new file mode 100644
index 00000000..a4d8b6a2
--- /dev/null
+++ b/engine/daemon/daemon_windows_test.go
@@ -0,0 +1,72 @@
+// +build windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"strings"
+	"testing"
+
+	"golang.org/x/sys/windows/svc/mgr"
+)
+
+const existingService = "Power"
+
+func TestEnsureServicesExist(t *testing.T) {
+	m, err := mgr.Connect()
+	if err != nil {
+		t.Fatal("failed to connect to service manager, this test needs admin")
+	}
+	defer m.Disconnect()
+	s, err := m.OpenService(existingService)
+	if err != nil {
+		t.Fatalf("expected to find known inbox service %q, this test needs a known inbox service to run correctly", existingService)
+	}
+	defer s.Close()
+
+	input := []string{existingService}
+	err = ensureServicesInstalled(input)
+	if err != nil {
+		t.Fatalf("unexpected error for input %q: %q", input, err)
+	}
+}
+
+func TestEnsureServicesExistErrors(t *testing.T) {
+	m, err := mgr.Connect()
+	if err != nil {
+		t.Fatal("failed to connect to service manager, this test needs admin")
+	}
+	defer m.Disconnect()
+	s, err := m.OpenService(existingService)
+	if err != nil {
+		t.Fatalf("expected to find known inbox service %q, this test needs a known inbox service to run correctly", existingService)
+	}
+	defer s.Close()
+
+	for _, testcase := range []struct {
+		input         []string
+		expectedError string
+	}{
+		{
+			input:         []string{"daemon_windows_test_fakeservice"},
+			expectedError: "failed to open service daemon_windows_test_fakeservice",
+		},
+		{
+			input:         []string{"daemon_windows_test_fakeservice1", "daemon_windows_test_fakeservice2"},
+			expectedError: "failed to open service daemon_windows_test_fakeservice1",
+		},
+		{
+			input:         []string{existingService, "daemon_windows_test_fakeservice"},
+			expectedError: "failed to open service daemon_windows_test_fakeservice",
+		},
+	} {
+		t.Run(strings.Join(testcase.input, ";"), func(t *testing.T) {
+			err := ensureServicesInstalled(testcase.input)
+			if err == nil {
+				t.Fatalf("expected error for input %v", testcase.input)
+			}
+			if !strings.Contains(err.Error(), testcase.expectedError) {
+				t.Fatalf("expected error %q to contain %q", err.Error(), testcase.expectedError)
+			}
+		})
+	}
+}
diff --git a/engine/daemon/debugtrap_unix.go b/engine/daemon/debugtrap_unix.go
new file mode 100644
index 00000000..c8abe69b
--- /dev/null
+++ b/engine/daemon/debugtrap_unix.go
@@ -0,0 +1,27 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"os"
+	"os/signal"
+
+	stackdump "github.com/docker/docker/pkg/signal"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func (d *Daemon) setupDumpStackTrap(root string) {
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, unix.SIGUSR1)
+	go func() {
+		for range c {
+			path, err := stackdump.DumpStacks(root)
+			if err != nil {
+				logrus.WithError(err).Error("failed to write goroutines dump")
+			} else {
+				logrus.Infof("goroutine stacks written to %s", path)
+			}
+		}
+	}()
+}
diff --git a/engine/daemon/debugtrap_unsupported.go b/engine/daemon/debugtrap_unsupported.go
new file mode 100644
index 00000000..e83d51f5
--- /dev/null
+++ b/engine/daemon/debugtrap_unsupported.go
@@ -0,0 +1,7 @@
+// +build !linux,!darwin,!freebsd,!windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+func (d *Daemon) setupDumpStackTrap(_ string) {
+	return
+}
diff --git a/engine/daemon/debugtrap_windows.go b/engine/daemon/debugtrap_windows.go
new file mode 100644
index 00000000..b438d038
--- /dev/null
+++ b/engine/daemon/debugtrap_windows.go
@@ -0,0 +1,46 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"os"
+	"unsafe"
+
+	winio "github.com/Microsoft/go-winio"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+func (d *Daemon) setupDumpStackTrap(root string) {
+	// Windows does not support signals like *nix systems. So instead of
+	// trapping on SIGUSR1 to dump stacks, we wait on a Win32 event to be
+	// signaled. ACL'd to builtin administrators and local system
+	event := "Global\\docker-daemon-" + fmt.Sprint(os.Getpid())
+	ev, _ := windows.UTF16PtrFromString(event)
+	sd, err := winio.SddlToSecurityDescriptor("D:P(A;;GA;;;BA)(A;;GA;;;SY)")
+	if err != nil {
+		logrus.Errorf("failed to get security descriptor for debug stackdump event %s: %s", event, err.Error())
+		return
+	}
+	var sa windows.SecurityAttributes
+	sa.Length = uint32(unsafe.Sizeof(sa))
+	sa.InheritHandle = 1
+	sa.SecurityDescriptor = uintptr(unsafe.Pointer(&sd[0]))
+	h, err := windows.CreateEvent(&sa, 0, 0, ev)
+	if h == 0 || err != nil {
+		logrus.Errorf("failed to create debug stackdump event %s: %s", event, err.Error())
+		return
+	}
+	go func() {
+		logrus.Debugf("Stackdump - waiting signal at %s", event)
+		for {
+			windows.WaitForSingleObject(h, windows.INFINITE)
+			path, err := signal.DumpStacks(root)
+			if err != nil {
+				logrus.WithError(err).Error("failed to write goroutines dump")
+			} else {
+				logrus.Infof("goroutine stacks written to %s", path)
+			}
+		}
+	}()
+}
diff --git a/engine/daemon/delete.go b/engine/daemon/delete.go
new file mode 100644
index 00000000..2ccbff05
--- /dev/null
+++ b/engine/daemon/delete.go
@@ -0,0 +1,152 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"os"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// ContainerRm removes the container id from the filesystem. An error
+// is returned if the container is not found, or if the remove
+// fails. If the remove succeeds, the container name is released, and
+// network links are removed.
+func (daemon *Daemon) ContainerRm(name string, config *types.ContainerRmConfig) error {
+	start := time.Now()
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+
+	// Container state RemovalInProgress should be used to avoid races.
+	if inProgress := container.SetRemovalInProgress(); inProgress {
+		err := fmt.Errorf("removal of container %s is already in progress", name)
+		return errdefs.Conflict(err)
+	}
+	defer container.ResetRemovalInProgress()
+
+	// check if container wasn't deregistered by previous rm since Get
+	if c := daemon.containers.Get(container.ID); c == nil {
+		return nil
+	}
+
+	if config.RemoveLink {
+		return daemon.rmLink(container, name)
+	}
+
+	err = daemon.cleanupContainer(container, config.ForceRemove, config.RemoveVolume)
+	containerActions.WithValues("delete").UpdateSince(start)
+
+	return err
+}
+
+func (daemon *Daemon) rmLink(container *container.Container, name string) error {
+	if name[0] != '/' {
+		name = "/" + name
+	}
+	parent, n := path.Split(name)
+	if parent == "/" {
+		return fmt.Errorf("Conflict, cannot remove the default name of the container")
+	}
+
+	parent = strings.TrimSuffix(parent, "/")
+	pe, err := daemon.containersReplica.Snapshot().GetID(parent)
+	if err != nil {
+		return fmt.Errorf("Cannot get parent %s for name %s", parent, name)
+	}
+
+	daemon.releaseName(name)
+	parentContainer, _ := daemon.GetContainer(pe)
+	if parentContainer != nil {
+		daemon.linkIndex.unlink(name, container, parentContainer)
+		if err := daemon.updateNetwork(parentContainer); err != nil {
+			logrus.Debugf("Could not update network to remove link %s: %v", n, err)
+		}
+	}
+	return nil
+}
+
+// cleanupContainer unregisters a container from the daemon, stops stats
+// collection and cleanly removes contents and metadata from the filesystem.
+func (daemon *Daemon) cleanupContainer(container *container.Container, forceRemove, removeVolume bool) (err error) {
+	if container.IsRunning() {
+		if !forceRemove {
+			state := container.StateString()
+			procedure := "Stop the container before attempting removal or force remove"
+			if state == "paused" {
+				procedure = "Unpause and then " + strings.ToLower(procedure)
+			}
+			err := fmt.Errorf("You cannot remove a %s container %s. %s", state, container.ID, procedure)
+			return errdefs.Conflict(err)
+		}
+		if err := daemon.Kill(container); err != nil {
+			return fmt.Errorf("Could not kill running container %s, cannot remove - %v", container.ID, err)
+		}
+	}
+	if !system.IsOSSupported(container.OS) {
+		return fmt.Errorf("cannot remove %s: %s ", container.ID, system.ErrNotSupportedOperatingSystem)
+	}
+
+	// stop collection of stats for the container regardless
+	// if stats are currently getting collected.
+	daemon.statsCollector.StopCollection(container)
+
+	if err = daemon.containerStop(container, 3); err != nil {
+		return err
+	}
+
+	// Mark container dead. We don't want anybody to be restarting it.
+	container.Lock()
+	container.Dead = true
+
+	// Save container state to disk. So that if error happens before
+	// container meta file got removed from disk, then a restart of
+	// docker should not make a dead container alive.
+	if err := container.CheckpointTo(daemon.containersReplica); err != nil && !os.IsNotExist(err) {
+		logrus.Errorf("Error saving dying container to disk: %v", err)
+	}
+	container.Unlock()
+
+	// When container creation fails and `RWLayer` has not been created yet, we
+	// do not call `ReleaseRWLayer`
+	if container.RWLayer != nil {
+		err := daemon.imageService.ReleaseLayer(container.RWLayer, container.OS)
+		if err != nil {
+			err = errors.Wrapf(err, "container %s", container.ID)
+			container.SetRemovalError(err)
+			return err
+		}
+		container.RWLayer = nil
+	}
+
+	if err := system.EnsureRemoveAll(container.Root); err != nil {
+		e := errors.Wrapf(err, "unable to remove filesystem for %s", container.ID)
+		container.SetRemovalError(e)
+		return e
+	}
+
+	linkNames := daemon.linkIndex.delete(container)
+	selinuxFreeLxcContexts(container.ProcessLabel)
+	daemon.idIndex.Delete(container.ID)
+	daemon.containers.Delete(container.ID)
+	daemon.containersReplica.Delete(container)
+	if e := daemon.removeMountPoints(container, removeVolume); e != nil {
+		logrus.Error(e)
+	}
+	for _, name := range linkNames {
+		daemon.releaseName(name)
+	}
+	container.SetRemoved()
+	stateCtr.del(container.ID)
+
+	daemon.LogContainerEvent(container, "destroy")
+	return nil
+}
diff --git a/engine/daemon/delete_test.go b/engine/daemon/delete_test.go
new file mode 100644
index 00000000..d600917b
--- /dev/null
+++ b/engine/daemon/delete_test.go
@@ -0,0 +1,95 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func newDaemonWithTmpRoot(t *testing.T) (*Daemon, func()) {
+	tmp, err := ioutil.TempDir("", "docker-daemon-unix-test-")
+	assert.NilError(t, err)
+	d := &Daemon{
+		repository: tmp,
+		root:       tmp,
+	}
+	d.containers = container.NewMemoryStore()
+	return d, func() { os.RemoveAll(tmp) }
+}
+
+func newContainerWithState(state *container.State) *container.Container {
+	return &container.Container{
+		ID:     "test",
+		State:  state,
+		Config: &containertypes.Config{},
+	}
+}
+
+// TestContainerDelete tests that a useful error message and instructions is
+// given when attempting to remove a container (#30842)
+func TestContainerDelete(t *testing.T) {
+	tt := []struct {
+		errMsg        string
+		fixMsg        string
+		initContainer func() *container.Container
+	}{
+		// a paused container
+		{
+			errMsg: "cannot remove a paused container",
+			fixMsg: "Unpause and then stop the container before attempting removal or force remove",
+			initContainer: func() *container.Container {
+				return newContainerWithState(&container.State{Paused: true, Running: true})
+			}},
+		// a restarting container
+		{
+			errMsg: "cannot remove a restarting container",
+			fixMsg: "Stop the container before attempting removal or force remove",
+			initContainer: func() *container.Container {
+				c := newContainerWithState(container.NewState())
+				c.SetRunning(0, true)
+				c.SetRestarting(&container.ExitStatus{})
+				return c
+			}},
+		// a running container
+		{
+			errMsg: "cannot remove a running container",
+			fixMsg: "Stop the container before attempting removal or force remove",
+			initContainer: func() *container.Container {
+				return newContainerWithState(&container.State{Running: true})
+			}},
+	}
+
+	for _, te := range tt {
+		c := te.initContainer()
+		d, cleanup := newDaemonWithTmpRoot(t)
+		defer cleanup()
+		d.containers.Add(c.ID, c)
+
+		err := d.ContainerRm(c.ID, &types.ContainerRmConfig{ForceRemove: false})
+		assert.Check(t, is.ErrorContains(err, te.errMsg))
+		assert.Check(t, is.ErrorContains(err, te.fixMsg))
+	}
+}
+
+func TestContainerDoubleDelete(t *testing.T) {
+	c := newContainerWithState(container.NewState())
+
+	// Mark the container as having a delete in progress
+	c.SetRemovalInProgress()
+
+	d, cleanup := newDaemonWithTmpRoot(t)
+	defer cleanup()
+	d.containers.Add(c.ID, c)
+
+	// Try to remove the container when its state is removalInProgress.
+	// It should return an error indicating it is under removal progress.
+	err := d.ContainerRm(c.ID, &types.ContainerRmConfig{ForceRemove: true})
+	assert.Check(t, is.ErrorContains(err, fmt.Sprintf("removal of container %s is already in progress", c.ID)))
+}
diff --git a/engine/daemon/dependency.go b/engine/daemon/dependency.go
new file mode 100644
index 00000000..45275dbf
--- /dev/null
+++ b/engine/daemon/dependency.go
@@ -0,0 +1,17 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/swarmkit/agent/exec"
+)
+
+// SetContainerDependencyStore sets the dependency store backend for the container
+func (daemon *Daemon) SetContainerDependencyStore(name string, store exec.DependencyGetter) error {
+	c, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+
+	c.DependencyStore = store
+
+	return nil
+}
diff --git a/engine/daemon/discovery/discovery.go b/engine/daemon/discovery/discovery.go
new file mode 100644
index 00000000..092c5763
--- /dev/null
+++ b/engine/daemon/discovery/discovery.go
@@ -0,0 +1,202 @@
+package discovery // import "github.com/docker/docker/daemon/discovery"
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+	"time"
+
+	"github.com/docker/docker/pkg/discovery"
+	"github.com/sirupsen/logrus"
+
+	// Register the libkv backends for discovery.
+	_ "github.com/docker/docker/pkg/discovery/kv"
+)
+
+const (
+	// defaultDiscoveryHeartbeat is the default value for discovery heartbeat interval.
+	defaultDiscoveryHeartbeat = 20 * time.Second
+	// defaultDiscoveryTTLFactor is the default TTL factor for discovery
+	defaultDiscoveryTTLFactor = 3
+)
+
+// ErrDiscoveryDisabled is an error returned if the discovery is disabled
+var ErrDiscoveryDisabled = errors.New("discovery is disabled")
+
+// Reloader is the discovery reloader of the daemon
+type Reloader interface {
+	discovery.Watcher
+	Stop()
+	Reload(backend, address string, clusterOpts map[string]string) error
+	ReadyCh() <-chan struct{}
+}
+
+type daemonDiscoveryReloader struct {
+	backend discovery.Backend
+	ticker  *time.Ticker
+	term    chan bool
+	readyCh chan struct{}
+}
+
+func (d *daemonDiscoveryReloader) Watch(stopCh <-chan struct{}) (<-chan discovery.Entries, <-chan error) {
+	return d.backend.Watch(stopCh)
+}
+
+func (d *daemonDiscoveryReloader) ReadyCh() <-chan struct{} {
+	return d.readyCh
+}
+
+func discoveryOpts(clusterOpts map[string]string) (time.Duration, time.Duration, error) {
+	var (
+		heartbeat = defaultDiscoveryHeartbeat
+		ttl       = defaultDiscoveryTTLFactor * defaultDiscoveryHeartbeat
+	)
+
+	if hb, ok := clusterOpts["discovery.heartbeat"]; ok {
+		h, err := strconv.Atoi(hb)
+		if err != nil {
+			return time.Duration(0), time.Duration(0), err
+		}
+
+		if h <= 0 {
+			return time.Duration(0), time.Duration(0),
+				fmt.Errorf("discovery.heartbeat must be positive")
+		}
+
+		heartbeat = time.Duration(h) * time.Second
+		ttl = defaultDiscoveryTTLFactor * heartbeat
+	}
+
+	if tstr, ok := clusterOpts["discovery.ttl"]; ok {
+		t, err := strconv.Atoi(tstr)
+		if err != nil {
+			return time.Duration(0), time.Duration(0), err
+		}
+
+		if t <= 0 {
+			return time.Duration(0), time.Duration(0),
+				fmt.Errorf("discovery.ttl must be positive")
+		}
+
+		ttl = time.Duration(t) * time.Second
+
+		if _, ok := clusterOpts["discovery.heartbeat"]; !ok {
+			heartbeat = time.Duration(t) * time.Second / time.Duration(defaultDiscoveryTTLFactor)
+		}
+
+		if ttl <= heartbeat {
+			return time.Duration(0), time.Duration(0),
+				fmt.Errorf("discovery.ttl timer must be greater than discovery.heartbeat")
+		}
+	}
+
+	return heartbeat, ttl, nil
+}
+
+// Init initializes the nodes discovery subsystem by connecting to the specified backend
+// and starts a registration loop to advertise the current node under the specified address.
+func Init(backendAddress, advertiseAddress string, clusterOpts map[string]string) (Reloader, error) {
+	heartbeat, backend, err := parseDiscoveryOptions(backendAddress, clusterOpts)
+	if err != nil {
+		return nil, err
+	}
+
+	reloader := &daemonDiscoveryReloader{
+		backend: backend,
+		ticker:  time.NewTicker(heartbeat),
+		term:    make(chan bool),
+		readyCh: make(chan struct{}),
+	}
+	// We call Register() on the discovery backend in a loop for the whole lifetime of the daemon,
+	// but we never actually Watch() for nodes appearing and disappearing for the moment.
+	go reloader.advertiseHeartbeat(advertiseAddress)
+	return reloader, nil
+}
+
+// advertiseHeartbeat registers the current node against the discovery backend using the specified
+// address. The function never returns, as registration against the backend comes with a TTL and
+// requires regular heartbeats.
+func (d *daemonDiscoveryReloader) advertiseHeartbeat(address string) {
+	var ready bool
+	if err := d.initHeartbeat(address); err == nil {
+		ready = true
+		close(d.readyCh)
+	} else {
+		logrus.WithError(err).Debug("First discovery heartbeat failed")
+	}
+
+	for {
+		select {
+		case <-d.ticker.C:
+			if err := d.backend.Register(address); err != nil {
+				logrus.Warnf("Registering as %q in discovery failed: %v", address, err)
+			} else {
+				if !ready {
+					close(d.readyCh)
+					ready = true
+				}
+			}
+		case <-d.term:
+			return
+		}
+	}
+}
+
+// initHeartbeat is used to do the first heartbeat. It uses a tight loop until
+// either the timeout period is reached or the heartbeat is successful and returns.
+func (d *daemonDiscoveryReloader) initHeartbeat(address string) error {
+	// Setup a short ticker until the first heartbeat has succeeded
+	t := time.NewTicker(500 * time.Millisecond)
+	defer t.Stop()
+	// timeout makes sure that after a period of time we stop being so aggressive trying to reach the discovery service
+	timeout := time.After(60 * time.Second)
+
+	for {
+		select {
+		case <-timeout:
+			return errors.New("timeout waiting for initial discovery")
+		case <-d.term:
+			return errors.New("terminated")
+		case <-t.C:
+			if err := d.backend.Register(address); err == nil {
+				return nil
+			}
+		}
+	}
+}
+
+// Reload makes the watcher to stop advertising and reconfigures it to advertise in a new address.
+func (d *daemonDiscoveryReloader) Reload(backendAddress, advertiseAddress string, clusterOpts map[string]string) error {
+	d.Stop()
+
+	heartbeat, backend, err := parseDiscoveryOptions(backendAddress, clusterOpts)
+	if err != nil {
+		return err
+	}
+
+	d.backend = backend
+	d.ticker = time.NewTicker(heartbeat)
+	d.readyCh = make(chan struct{})
+
+	go d.advertiseHeartbeat(advertiseAddress)
+	return nil
+}
+
+// Stop terminates the discovery advertising.
+func (d *daemonDiscoveryReloader) Stop() {
+	d.ticker.Stop()
+	d.term <- true
+}
+
+func parseDiscoveryOptions(backendAddress string, clusterOpts map[string]string) (time.Duration, discovery.Backend, error) {
+	heartbeat, ttl, err := discoveryOpts(clusterOpts)
+	if err != nil {
+		return 0, nil, err
+	}
+
+	backend, err := discovery.New(backendAddress, heartbeat, ttl, clusterOpts)
+	if err != nil {
+		return 0, nil, err
+	}
+	return heartbeat, backend, nil
+}
diff --git a/engine/daemon/discovery/discovery_test.go b/engine/daemon/discovery/discovery_test.go
new file mode 100644
index 00000000..c354a291
--- /dev/null
+++ b/engine/daemon/discovery/discovery_test.go
@@ -0,0 +1,96 @@
+package discovery // import "github.com/docker/docker/daemon/discovery"
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestDiscoveryOptsErrors(t *testing.T) {
+	var testcases = []struct {
+		doc  string
+		opts map[string]string
+	}{
+		{
+			doc:  "discovery.ttl < discovery.heartbeat",
+			opts: map[string]string{"discovery.heartbeat": "10", "discovery.ttl": "5"},
+		},
+		{
+			doc:  "discovery.ttl == discovery.heartbeat",
+			opts: map[string]string{"discovery.heartbeat": "10", "discovery.ttl": "10"},
+		},
+		{
+			doc:  "negative discovery.heartbeat",
+			opts: map[string]string{"discovery.heartbeat": "-10", "discovery.ttl": "10"},
+		},
+		{
+			doc:  "negative discovery.ttl",
+			opts: map[string]string{"discovery.heartbeat": "10", "discovery.ttl": "-10"},
+		},
+		{
+			doc:  "invalid discovery.heartbeat",
+			opts: map[string]string{"discovery.heartbeat": "invalid"},
+		},
+		{
+			doc:  "invalid discovery.ttl",
+			opts: map[string]string{"discovery.ttl": "invalid"},
+		},
+	}
+
+	for _, testcase := range testcases {
+		_, _, err := discoveryOpts(testcase.opts)
+		assert.Check(t, is.ErrorContains(err, ""), testcase.doc)
+	}
+}
+
+func TestDiscoveryOpts(t *testing.T) {
+	clusterOpts := map[string]string{"discovery.heartbeat": "10", "discovery.ttl": "20"}
+	heartbeat, ttl, err := discoveryOpts(clusterOpts)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(10*time.Second, heartbeat))
+	assert.Check(t, is.Equal(20*time.Second, ttl))
+
+	clusterOpts = map[string]string{"discovery.heartbeat": "10"}
+	heartbeat, ttl, err = discoveryOpts(clusterOpts)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(10*time.Second, heartbeat))
+	assert.Check(t, is.Equal(10*defaultDiscoveryTTLFactor*time.Second, ttl))
+
+	clusterOpts = map[string]string{"discovery.ttl": "30"}
+	heartbeat, ttl, err = discoveryOpts(clusterOpts)
+	assert.NilError(t, err)
+
+	if ttl != 30*time.Second {
+		t.Fatalf("TTL - Expected : %v, Actual : %v", 30*time.Second, ttl)
+	}
+
+	expected := 30 * time.Second / defaultDiscoveryTTLFactor
+	if heartbeat != expected {
+		t.Fatalf("Heartbeat - Expected : %v, Actual : %v", expected, heartbeat)
+	}
+
+	discoveryTTL := fmt.Sprintf("%d", defaultDiscoveryTTLFactor-1)
+	clusterOpts = map[string]string{"discovery.ttl": discoveryTTL}
+	heartbeat, _, err = discoveryOpts(clusterOpts)
+	if err == nil && heartbeat == 0 {
+		t.Fatal("discovery.heartbeat must be positive")
+	}
+
+	clusterOpts = map[string]string{}
+	heartbeat, ttl, err = discoveryOpts(clusterOpts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if heartbeat != defaultDiscoveryHeartbeat {
+		t.Fatalf("Heartbeat - Expected : %v, Actual : %v", defaultDiscoveryHeartbeat, heartbeat)
+	}
+
+	expected = defaultDiscoveryHeartbeat * defaultDiscoveryTTLFactor
+	if ttl != expected {
+		t.Fatalf("TTL - Expected : %v, Actual : %v", expected, ttl)
+	}
+}
diff --git a/engine/daemon/disk_usage.go b/engine/daemon/disk_usage.go
new file mode 100644
index 00000000..5bec60d1
--- /dev/null
+++ b/engine/daemon/disk_usage.go
@@ -0,0 +1,50 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"sync/atomic"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// SystemDiskUsage returns information about the daemon data disk usage
+func (daemon *Daemon) SystemDiskUsage(ctx context.Context) (*types.DiskUsage, error) {
+	if !atomic.CompareAndSwapInt32(&daemon.diskUsageRunning, 0, 1) {
+		return nil, fmt.Errorf("a disk usage operation is already running")
+	}
+	defer atomic.StoreInt32(&daemon.diskUsageRunning, 0)
+
+	// Retrieve container list
+	allContainers, err := daemon.Containers(&types.ContainerListOptions{
+		Size: true,
+		All:  true,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to retrieve container list: %v", err)
+	}
+
+	// Get all top images with extra attributes
+	allImages, err := daemon.imageService.Images(filters.NewArgs(), false, true)
+	if err != nil {
+		return nil, fmt.Errorf("failed to retrieve image list: %v", err)
+	}
+
+	localVolumes, err := daemon.volumes.LocalVolumesSize(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	allLayersSize, err := daemon.imageService.LayerDiskUsage(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return &types.DiskUsage{
+		LayersSize: allLayersSize,
+		Containers: allContainers,
+		Volumes:    localVolumes,
+		Images:     allImages,
+	}, nil
+}
diff --git a/engine/daemon/errors.go b/engine/daemon/errors.go
new file mode 100644
index 00000000..6d02af3d
--- /dev/null
+++ b/engine/daemon/errors.go
@@ -0,0 +1,155 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"strings"
+	"syscall"
+
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+)
+
+func errNotRunning(id string) error {
+	return errdefs.Conflict(errors.Errorf("Container %s is not running", id))
+}
+
+func containerNotFound(id string) error {
+	return objNotFoundError{"container", id}
+}
+
+type objNotFoundError struct {
+	object string
+	id     string
+}
+
+func (e objNotFoundError) Error() string {
+	return "No such " + e.object + ": " + e.id
+}
+
+func (e objNotFoundError) NotFound() {}
+
+func errContainerIsRestarting(containerID string) error {
+	cause := errors.Errorf("Container %s is restarting, wait until the container is running", containerID)
+	return errdefs.Conflict(cause)
+}
+
+func errExecNotFound(id string) error {
+	return objNotFoundError{"exec instance", id}
+}
+
+func errExecPaused(id string) error {
+	cause := errors.Errorf("Container %s is paused, unpause the container before exec", id)
+	return errdefs.Conflict(cause)
+}
+
+func errNotPaused(id string) error {
+	cause := errors.Errorf("Container %s is already paused", id)
+	return errdefs.Conflict(cause)
+}
+
+type nameConflictError struct {
+	id   string
+	name string
+}
+
+func (e nameConflictError) Error() string {
+	return fmt.Sprintf("Conflict. The container name %q is already in use by container %q. You have to remove (or rename) that container to be able to reuse that name.", e.name, e.id)
+}
+
+func (nameConflictError) Conflict() {}
+
+type containerNotModifiedError struct {
+	running bool
+}
+
+func (e containerNotModifiedError) Error() string {
+	if e.running {
+		return "Container is already started"
+	}
+	return "Container is already stopped"
+}
+
+func (e containerNotModifiedError) NotModified() {}
+
+type invalidIdentifier string
+
+func (e invalidIdentifier) Error() string {
+	return fmt.Sprintf("invalid name or ID supplied: %q", string(e))
+}
+
+func (invalidIdentifier) InvalidParameter() {}
+
+type duplicateMountPointError string
+
+func (e duplicateMountPointError) Error() string {
+	return "Duplicate mount point: " + string(e)
+}
+func (duplicateMountPointError) InvalidParameter() {}
+
+type containerFileNotFound struct {
+	file      string
+	container string
+}
+
+func (e containerFileNotFound) Error() string {
+	return "Could not find the file " + e.file + " in container " + e.container
+}
+
+func (containerFileNotFound) NotFound() {}
+
+type invalidFilter struct {
+	filter string
+	value  interface{}
+}
+
+func (e invalidFilter) Error() string {
+	msg := "Invalid filter '" + e.filter
+	if e.value != nil {
+		msg += fmt.Sprintf("=%s", e.value)
+	}
+	return msg + "'"
+}
+
+func (e invalidFilter) InvalidParameter() {}
+
+type startInvalidConfigError string
+
+func (e startInvalidConfigError) Error() string {
+	return string(e)
+}
+
+func (e startInvalidConfigError) InvalidParameter() {} // Is this right???
+
+func translateContainerdStartErr(cmd string, setExitCode func(int), err error) error {
+	errDesc := grpc.ErrorDesc(err)
+	contains := func(s1, s2 string) bool {
+		return strings.Contains(strings.ToLower(s1), s2)
+	}
+	var retErr = errdefs.Unknown(errors.New(errDesc))
+	// if we receive an internal error from the initial start of a container then lets
+	// return it instead of entering the restart loop
+	// set to 127 for container cmd not found/does not exist)
+	if contains(errDesc, cmd) &&
+		(contains(errDesc, "executable file not found") ||
+			contains(errDesc, "no such file or directory") ||
+			contains(errDesc, "system cannot find the file specified")) {
+		setExitCode(127)
+		retErr = startInvalidConfigError(errDesc)
+	}
+	// set to 126 for container cmd can't be invoked errors
+	if contains(errDesc, syscall.EACCES.Error()) {
+		setExitCode(126)
+		retErr = startInvalidConfigError(errDesc)
+	}
+
+	// attempted to mount a file onto a directory, or a directory onto a file, maybe from user specified bind mounts
+	if contains(errDesc, syscall.ENOTDIR.Error()) {
+		errDesc += ": Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type"
+		setExitCode(127)
+		retErr = startInvalidConfigError(errDesc)
+	}
+
+	// TODO: it would be nice to get some better errors from containerd so we can return better errors here
+	return retErr
+}
diff --git a/engine/daemon/events.go b/engine/daemon/events.go
new file mode 100644
index 00000000..cf1634a1
--- /dev/null
+++ b/engine/daemon/events.go
@@ -0,0 +1,308 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/container"
+	daemonevents "github.com/docker/docker/daemon/events"
+	"github.com/docker/libnetwork"
+	swarmapi "github.com/docker/swarmkit/api"
+	gogotypes "github.com/gogo/protobuf/types"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	clusterEventAction = map[swarmapi.WatchActionKind]string{
+		swarmapi.WatchActionKindCreate: "create",
+		swarmapi.WatchActionKindUpdate: "update",
+		swarmapi.WatchActionKindRemove: "remove",
+	}
+)
+
+// LogContainerEvent generates an event related to a container with only the default attributes.
+func (daemon *Daemon) LogContainerEvent(container *container.Container, action string) {
+	daemon.LogContainerEventWithAttributes(container, action, map[string]string{})
+}
+
+// LogContainerEventWithAttributes generates an event related to a container with specific given attributes.
+func (daemon *Daemon) LogContainerEventWithAttributes(container *container.Container, action string, attributes map[string]string) {
+	copyAttributes(attributes, container.Config.Labels)
+	if container.Config.Image != "" {
+		attributes["image"] = container.Config.Image
+	}
+	attributes["name"] = strings.TrimLeft(container.Name, "/")
+
+	actor := events.Actor{
+		ID:         container.ID,
+		Attributes: attributes,
+	}
+	daemon.EventsService.Log(action, events.ContainerEventType, actor)
+}
+
+// LogPluginEvent generates an event related to a plugin with only the default attributes.
+func (daemon *Daemon) LogPluginEvent(pluginID, refName, action string) {
+	daemon.LogPluginEventWithAttributes(pluginID, refName, action, map[string]string{})
+}
+
+// LogPluginEventWithAttributes generates an event related to a plugin with specific given attributes.
+func (daemon *Daemon) LogPluginEventWithAttributes(pluginID, refName, action string, attributes map[string]string) {
+	attributes["name"] = refName
+	actor := events.Actor{
+		ID:         pluginID,
+		Attributes: attributes,
+	}
+	daemon.EventsService.Log(action, events.PluginEventType, actor)
+}
+
+// LogVolumeEvent generates an event related to a volume.
+func (daemon *Daemon) LogVolumeEvent(volumeID, action string, attributes map[string]string) {
+	actor := events.Actor{
+		ID:         volumeID,
+		Attributes: attributes,
+	}
+	daemon.EventsService.Log(action, events.VolumeEventType, actor)
+}
+
+// LogNetworkEvent generates an event related to a network with only the default attributes.
+func (daemon *Daemon) LogNetworkEvent(nw libnetwork.Network, action string) {
+	daemon.LogNetworkEventWithAttributes(nw, action, map[string]string{})
+}
+
+// LogNetworkEventWithAttributes generates an event related to a network with specific given attributes.
+func (daemon *Daemon) LogNetworkEventWithAttributes(nw libnetwork.Network, action string, attributes map[string]string) {
+	attributes["name"] = nw.Name()
+	attributes["type"] = nw.Type()
+	actor := events.Actor{
+		ID:         nw.ID(),
+		Attributes: attributes,
+	}
+	daemon.EventsService.Log(action, events.NetworkEventType, actor)
+}
+
+// LogDaemonEventWithAttributes generates an event related to the daemon itself with specific given attributes.
+func (daemon *Daemon) LogDaemonEventWithAttributes(action string, attributes map[string]string) {
+	if daemon.EventsService != nil {
+		if info, err := daemon.SystemInfo(); err == nil && info.Name != "" {
+			attributes["name"] = info.Name
+		}
+		actor := events.Actor{
+			ID:         daemon.ID,
+			Attributes: attributes,
+		}
+		daemon.EventsService.Log(action, events.DaemonEventType, actor)
+	}
+}
+
+// SubscribeToEvents returns the currently record of events, a channel to stream new events from, and a function to cancel the stream of events.
+func (daemon *Daemon) SubscribeToEvents(since, until time.Time, filter filters.Args) ([]events.Message, chan interface{}) {
+	ef := daemonevents.NewFilter(filter)
+	return daemon.EventsService.SubscribeTopic(since, until, ef)
+}
+
+// UnsubscribeFromEvents stops the event subscription for a client by closing the
+// channel where the daemon sends events to.
+func (daemon *Daemon) UnsubscribeFromEvents(listener chan interface{}) {
+	daemon.EventsService.Evict(listener)
+}
+
+// copyAttributes guarantees that labels are not mutated by event triggers.
+func copyAttributes(attributes, labels map[string]string) {
+	if labels == nil {
+		return
+	}
+	for k, v := range labels {
+		attributes[k] = v
+	}
+}
+
+// ProcessClusterNotifications gets changes from store and add them to event list
+func (daemon *Daemon) ProcessClusterNotifications(ctx context.Context, watchStream chan *swarmapi.WatchMessage) {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case message, ok := <-watchStream:
+			if !ok {
+				logrus.Debug("cluster event channel has stopped")
+				return
+			}
+			daemon.generateClusterEvent(message)
+		}
+	}
+}
+
+func (daemon *Daemon) generateClusterEvent(msg *swarmapi.WatchMessage) {
+	for _, event := range msg.Events {
+		if event.Object == nil {
+			logrus.Errorf("event without object: %v", event)
+			continue
+		}
+		switch v := event.Object.GetObject().(type) {
+		case *swarmapi.Object_Node:
+			daemon.logNodeEvent(event.Action, v.Node, event.OldObject.GetNode())
+		case *swarmapi.Object_Service:
+			daemon.logServiceEvent(event.Action, v.Service, event.OldObject.GetService())
+		case *swarmapi.Object_Network:
+			daemon.logNetworkEvent(event.Action, v.Network, event.OldObject.GetNetwork())
+		case *swarmapi.Object_Secret:
+			daemon.logSecretEvent(event.Action, v.Secret, event.OldObject.GetSecret())
+		case *swarmapi.Object_Config:
+			daemon.logConfigEvent(event.Action, v.Config, event.OldObject.GetConfig())
+		default:
+			logrus.Warnf("unrecognized event: %v", event)
+		}
+	}
+}
+
+func (daemon *Daemon) logNetworkEvent(action swarmapi.WatchActionKind, net *swarmapi.Network, oldNet *swarmapi.Network) {
+	attributes := map[string]string{
+		"name": net.Spec.Annotations.Name,
+	}
+	eventTime := eventTimestamp(net.Meta, action)
+	daemon.logClusterEvent(action, net.ID, "network", attributes, eventTime)
+}
+
+func (daemon *Daemon) logSecretEvent(action swarmapi.WatchActionKind, secret *swarmapi.Secret, oldSecret *swarmapi.Secret) {
+	attributes := map[string]string{
+		"name": secret.Spec.Annotations.Name,
+	}
+	eventTime := eventTimestamp(secret.Meta, action)
+	daemon.logClusterEvent(action, secret.ID, "secret", attributes, eventTime)
+}
+
+func (daemon *Daemon) logConfigEvent(action swarmapi.WatchActionKind, config *swarmapi.Config, oldConfig *swarmapi.Config) {
+	attributes := map[string]string{
+		"name": config.Spec.Annotations.Name,
+	}
+	eventTime := eventTimestamp(config.Meta, action)
+	daemon.logClusterEvent(action, config.ID, "config", attributes, eventTime)
+}
+
+func (daemon *Daemon) logNodeEvent(action swarmapi.WatchActionKind, node *swarmapi.Node, oldNode *swarmapi.Node) {
+	name := node.Spec.Annotations.Name
+	if name == "" && node.Description != nil {
+		name = node.Description.Hostname
+	}
+	attributes := map[string]string{
+		"name": name,
+	}
+	eventTime := eventTimestamp(node.Meta, action)
+	// In an update event, display the changes in attributes
+	if action == swarmapi.WatchActionKindUpdate && oldNode != nil {
+		if node.Spec.Availability != oldNode.Spec.Availability {
+			attributes["availability.old"] = strings.ToLower(oldNode.Spec.Availability.String())
+			attributes["availability.new"] = strings.ToLower(node.Spec.Availability.String())
+		}
+		if node.Role != oldNode.Role {
+			attributes["role.old"] = strings.ToLower(oldNode.Role.String())
+			attributes["role.new"] = strings.ToLower(node.Role.String())
+		}
+		if node.Status.State != oldNode.Status.State {
+			attributes["state.old"] = strings.ToLower(oldNode.Status.State.String())
+			attributes["state.new"] = strings.ToLower(node.Status.State.String())
+		}
+		// This handles change within manager role
+		if node.ManagerStatus != nil && oldNode.ManagerStatus != nil {
+			// leader change
+			if node.ManagerStatus.Leader != oldNode.ManagerStatus.Leader {
+				if node.ManagerStatus.Leader {
+					attributes["leader.old"] = "false"
+					attributes["leader.new"] = "true"
+				} else {
+					attributes["leader.old"] = "true"
+					attributes["leader.new"] = "false"
+				}
+			}
+			if node.ManagerStatus.Reachability != oldNode.ManagerStatus.Reachability {
+				attributes["reachability.old"] = strings.ToLower(oldNode.ManagerStatus.Reachability.String())
+				attributes["reachability.new"] = strings.ToLower(node.ManagerStatus.Reachability.String())
+			}
+		}
+	}
+
+	daemon.logClusterEvent(action, node.ID, "node", attributes, eventTime)
+}
+
+func (daemon *Daemon) logServiceEvent(action swarmapi.WatchActionKind, service *swarmapi.Service, oldService *swarmapi.Service) {
+	attributes := map[string]string{
+		"name": service.Spec.Annotations.Name,
+	}
+	eventTime := eventTimestamp(service.Meta, action)
+
+	if action == swarmapi.WatchActionKindUpdate && oldService != nil {
+		// check image
+		if x, ok := service.Spec.Task.GetRuntime().(*swarmapi.TaskSpec_Container); ok {
+			containerSpec := x.Container
+			if y, ok := oldService.Spec.Task.GetRuntime().(*swarmapi.TaskSpec_Container); ok {
+				oldContainerSpec := y.Container
+				if containerSpec.Image != oldContainerSpec.Image {
+					attributes["image.old"] = oldContainerSpec.Image
+					attributes["image.new"] = containerSpec.Image
+				}
+			} else {
+				// This should not happen.
+				logrus.Errorf("service %s runtime changed from %T to %T", service.Spec.Annotations.Name, oldService.Spec.Task.GetRuntime(), service.Spec.Task.GetRuntime())
+			}
+		}
+		// check replicated count change
+		if x, ok := service.Spec.GetMode().(*swarmapi.ServiceSpec_Replicated); ok {
+			replicas := x.Replicated.Replicas
+			if y, ok := oldService.Spec.GetMode().(*swarmapi.ServiceSpec_Replicated); ok {
+				oldReplicas := y.Replicated.Replicas
+				if replicas != oldReplicas {
+					attributes["replicas.old"] = strconv.FormatUint(oldReplicas, 10)
+					attributes["replicas.new"] = strconv.FormatUint(replicas, 10)
+				}
+			} else {
+				// This should not happen.
+				logrus.Errorf("service %s mode changed from %T to %T", service.Spec.Annotations.Name, oldService.Spec.GetMode(), service.Spec.GetMode())
+			}
+		}
+		if service.UpdateStatus != nil {
+			if oldService.UpdateStatus == nil {
+				attributes["updatestate.new"] = strings.ToLower(service.UpdateStatus.State.String())
+			} else if service.UpdateStatus.State != oldService.UpdateStatus.State {
+				attributes["updatestate.old"] = strings.ToLower(oldService.UpdateStatus.State.String())
+				attributes["updatestate.new"] = strings.ToLower(service.UpdateStatus.State.String())
+			}
+		}
+	}
+	daemon.logClusterEvent(action, service.ID, "service", attributes, eventTime)
+}
+
+func (daemon *Daemon) logClusterEvent(action swarmapi.WatchActionKind, id, eventType string, attributes map[string]string, eventTime time.Time) {
+	actor := events.Actor{
+		ID:         id,
+		Attributes: attributes,
+	}
+
+	jm := events.Message{
+		Action:   clusterEventAction[action],
+		Type:     eventType,
+		Actor:    actor,
+		Scope:    "swarm",
+		Time:     eventTime.UTC().Unix(),
+		TimeNano: eventTime.UTC().UnixNano(),
+	}
+	daemon.EventsService.PublishMessage(jm)
+}
+
+func eventTimestamp(meta swarmapi.Meta, action swarmapi.WatchActionKind) time.Time {
+	var eventTime time.Time
+	switch action {
+	case swarmapi.WatchActionKindCreate:
+		eventTime, _ = gogotypes.TimestampFromProto(meta.CreatedAt)
+	case swarmapi.WatchActionKindUpdate:
+		eventTime, _ = gogotypes.TimestampFromProto(meta.UpdatedAt)
+	case swarmapi.WatchActionKindRemove:
+		// There is no timestamp from store message for remove operations.
+		// Use current time.
+		eventTime = time.Now()
+	}
+	return eventTime
+}
diff --git a/engine/daemon/events/events.go b/engine/daemon/events/events.go
new file mode 100644
index 00000000..31af271f
--- /dev/null
+++ b/engine/daemon/events/events.go
@@ -0,0 +1,165 @@
+package events // import "github.com/docker/docker/daemon/events"
+
+import (
+	"sync"
+	"time"
+
+	eventtypes "github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/pkg/pubsub"
+)
+
+const (
+	eventsLimit = 256
+	bufferSize  = 1024
+)
+
+// Events is pubsub channel for events generated by the engine.
+type Events struct {
+	mu     sync.Mutex
+	events []eventtypes.Message
+	pub    *pubsub.Publisher
+}
+
+// New returns new *Events instance
+func New() *Events {
+	return &Events{
+		events: make([]eventtypes.Message, 0, eventsLimit),
+		pub:    pubsub.NewPublisher(100*time.Millisecond, bufferSize),
+	}
+}
+
+// Subscribe adds new listener to events, returns slice of 256 stored
+// last events, a channel in which you can expect new events (in form
+// of interface{}, so you need type assertion), and a function to call
+// to stop the stream of events.
+func (e *Events) Subscribe() ([]eventtypes.Message, chan interface{}, func()) {
+	eventSubscribers.Inc()
+	e.mu.Lock()
+	current := make([]eventtypes.Message, len(e.events))
+	copy(current, e.events)
+	l := e.pub.Subscribe()
+	e.mu.Unlock()
+
+	cancel := func() {
+		e.Evict(l)
+	}
+	return current, l, cancel
+}
+
+// SubscribeTopic adds new listener to events, returns slice of 256 stored
+// last events, a channel in which you can expect new events (in form
+// of interface{}, so you need type assertion).
+func (e *Events) SubscribeTopic(since, until time.Time, ef *Filter) ([]eventtypes.Message, chan interface{}) {
+	eventSubscribers.Inc()
+	e.mu.Lock()
+
+	var topic func(m interface{}) bool
+	if ef != nil && ef.filter.Len() > 0 {
+		topic = func(m interface{}) bool { return ef.Include(m.(eventtypes.Message)) }
+	}
+
+	buffered := e.loadBufferedEvents(since, until, topic)
+
+	var ch chan interface{}
+	if topic != nil {
+		ch = e.pub.SubscribeTopic(topic)
+	} else {
+		// Subscribe to all events if there are no filters
+		ch = e.pub.Subscribe()
+	}
+
+	e.mu.Unlock()
+	return buffered, ch
+}
+
+// Evict evicts listener from pubsub
+func (e *Events) Evict(l chan interface{}) {
+	eventSubscribers.Dec()
+	e.pub.Evict(l)
+}
+
+// Log creates a local scope message and publishes it
+func (e *Events) Log(action, eventType string, actor eventtypes.Actor) {
+	now := time.Now().UTC()
+	jm := eventtypes.Message{
+		Action:   action,
+		Type:     eventType,
+		Actor:    actor,
+		Scope:    "local",
+		Time:     now.Unix(),
+		TimeNano: now.UnixNano(),
+	}
+
+	// fill deprecated fields for container and images
+	switch eventType {
+	case eventtypes.ContainerEventType:
+		jm.ID = actor.ID
+		jm.Status = action
+		jm.From = actor.Attributes["image"]
+	case eventtypes.ImageEventType:
+		jm.ID = actor.ID
+		jm.Status = action
+	}
+
+	e.PublishMessage(jm)
+}
+
+// PublishMessage broadcasts event to listeners. Each listener has 100 milliseconds to
+// receive the event or it will be skipped.
+func (e *Events) PublishMessage(jm eventtypes.Message) {
+	eventsCounter.Inc()
+
+	e.mu.Lock()
+	if len(e.events) == cap(e.events) {
+		// discard oldest event
+		copy(e.events, e.events[1:])
+		e.events[len(e.events)-1] = jm
+	} else {
+		e.events = append(e.events, jm)
+	}
+	e.mu.Unlock()
+	e.pub.Publish(jm)
+}
+
+// SubscribersCount returns number of event listeners
+func (e *Events) SubscribersCount() int {
+	return e.pub.Len()
+}
+
+// loadBufferedEvents iterates over the cached events in the buffer
+// and returns those that were emitted between two specific dates.
+// It uses `time.Unix(seconds, nanoseconds)` to generate valid dates with those arguments.
+// It filters those buffered messages with a topic function if it's not nil, otherwise it adds all messages.
+func (e *Events) loadBufferedEvents(since, until time.Time, topic func(interface{}) bool) []eventtypes.Message {
+	var buffered []eventtypes.Message
+	if since.IsZero() && until.IsZero() {
+		return buffered
+	}
+
+	var sinceNanoUnix int64
+	if !since.IsZero() {
+		sinceNanoUnix = since.UnixNano()
+	}
+
+	var untilNanoUnix int64
+	if !until.IsZero() {
+		untilNanoUnix = until.UnixNano()
+	}
+
+	for i := len(e.events) - 1; i >= 0; i-- {
+		ev := e.events[i]
+
+		if ev.TimeNano < sinceNanoUnix {
+			break
+		}
+
+		if untilNanoUnix > 0 && ev.TimeNano > untilNanoUnix {
+			continue
+		}
+
+		if topic == nil || topic(ev) {
+			buffered = append([]eventtypes.Message{ev}, buffered...)
+		}
+	}
+	return buffered
+}
diff --git a/engine/daemon/events/events_test.go b/engine/daemon/events/events_test.go
new file mode 100644
index 00000000..d1152156
--- /dev/null
+++ b/engine/daemon/events/events_test.go
@@ -0,0 +1,282 @@
+package events // import "github.com/docker/docker/daemon/events"
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types/events"
+	timetypes "github.com/docker/docker/api/types/time"
+	eventstestutils "github.com/docker/docker/daemon/events/testutils"
+)
+
+func TestEventsLog(t *testing.T) {
+	e := New()
+	_, l1, _ := e.Subscribe()
+	_, l2, _ := e.Subscribe()
+	defer e.Evict(l1)
+	defer e.Evict(l2)
+	count := e.SubscribersCount()
+	if count != 2 {
+		t.Fatalf("Must be 2 subscribers, got %d", count)
+	}
+	actor := events.Actor{
+		ID:         "cont",
+		Attributes: map[string]string{"image": "image"},
+	}
+	e.Log("test", events.ContainerEventType, actor)
+	select {
+	case msg := <-l1:
+		jmsg, ok := msg.(events.Message)
+		if !ok {
+			t.Fatalf("Unexpected type %T", msg)
+		}
+		if len(e.events) != 1 {
+			t.Fatalf("Must be only one event, got %d", len(e.events))
+		}
+		if jmsg.Status != "test" {
+			t.Fatalf("Status should be test, got %s", jmsg.Status)
+		}
+		if jmsg.ID != "cont" {
+			t.Fatalf("ID should be cont, got %s", jmsg.ID)
+		}
+		if jmsg.From != "image" {
+			t.Fatalf("From should be image, got %s", jmsg.From)
+		}
+	case <-time.After(1 * time.Second):
+		t.Fatal("Timeout waiting for broadcasted message")
+	}
+	select {
+	case msg := <-l2:
+		jmsg, ok := msg.(events.Message)
+		if !ok {
+			t.Fatalf("Unexpected type %T", msg)
+		}
+		if len(e.events) != 1 {
+			t.Fatalf("Must be only one event, got %d", len(e.events))
+		}
+		if jmsg.Status != "test" {
+			t.Fatalf("Status should be test, got %s", jmsg.Status)
+		}
+		if jmsg.ID != "cont" {
+			t.Fatalf("ID should be cont, got %s", jmsg.ID)
+		}
+		if jmsg.From != "image" {
+			t.Fatalf("From should be image, got %s", jmsg.From)
+		}
+	case <-time.After(1 * time.Second):
+		t.Fatal("Timeout waiting for broadcasted message")
+	}
+}
+
+func TestEventsLogTimeout(t *testing.T) {
+	e := New()
+	_, l, _ := e.Subscribe()
+	defer e.Evict(l)
+
+	c := make(chan struct{})
+	go func() {
+		actor := events.Actor{
+			ID: "image",
+		}
+		e.Log("test", events.ImageEventType, actor)
+		close(c)
+	}()
+
+	select {
+	case <-c:
+	case <-time.After(time.Second):
+		t.Fatal("Timeout publishing message")
+	}
+}
+
+func TestLogEvents(t *testing.T) {
+	e := New()
+
+	for i := 0; i < eventsLimit+16; i++ {
+		action := fmt.Sprintf("action_%d", i)
+		id := fmt.Sprintf("cont_%d", i)
+		from := fmt.Sprintf("image_%d", i)
+
+		actor := events.Actor{
+			ID:         id,
+			Attributes: map[string]string{"image": from},
+		}
+		e.Log(action, events.ContainerEventType, actor)
+	}
+	time.Sleep(50 * time.Millisecond)
+	current, l, _ := e.Subscribe()
+	for i := 0; i < 10; i++ {
+		num := i + eventsLimit + 16
+		action := fmt.Sprintf("action_%d", num)
+		id := fmt.Sprintf("cont_%d", num)
+		from := fmt.Sprintf("image_%d", num)
+
+		actor := events.Actor{
+			ID:         id,
+			Attributes: map[string]string{"image": from},
+		}
+		e.Log(action, events.ContainerEventType, actor)
+	}
+	if len(e.events) != eventsLimit {
+		t.Fatalf("Must be %d events, got %d", eventsLimit, len(e.events))
+	}
+
+	var msgs []events.Message
+	for len(msgs) < 10 {
+		m := <-l
+		jm, ok := (m).(events.Message)
+		if !ok {
+			t.Fatalf("Unexpected type %T", m)
+		}
+		msgs = append(msgs, jm)
+	}
+	if len(current) != eventsLimit {
+		t.Fatalf("Must be %d events, got %d", eventsLimit, len(current))
+	}
+	first := current[0]
+
+	// TODO remove this once we removed the deprecated `ID`, `Status`, and `From` fields
+	if first.Action != first.Status {
+		// Verify that the (deprecated) Status is set to the expected value
+		t.Fatalf("Action (%s) does not match Status (%s)", first.Action, first.Status)
+	}
+
+	if first.Action != "action_16" {
+		t.Fatalf("First action is %s, must be action_16", first.Action)
+	}
+	last := current[len(current)-1]
+	if last.Action != "action_271" {
+		t.Fatalf("Last action is %s, must be action_271", last.Action)
+	}
+
+	firstC := msgs[0]
+	if firstC.Action != "action_272" {
+		t.Fatalf("First action is %s, must be action_272", firstC.Action)
+	}
+	lastC := msgs[len(msgs)-1]
+	if lastC.Action != "action_281" {
+		t.Fatalf("Last action is %s, must be action_281", lastC.Action)
+	}
+}
+
+// https://github.com/docker/docker/issues/20999
+// Fixtures:
+//
+//2016-03-07T17:28:03.022433271+02:00 container die 0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079 (image=ubuntu, name=small_hoover)
+//2016-03-07T17:28:03.091719377+02:00 network disconnect 19c5ed41acb798f26b751e0035cd7821741ab79e2bbd59a66b5fd8abf954eaa0 (type=bridge, container=0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079, name=bridge)
+//2016-03-07T17:28:03.129014751+02:00 container destroy 0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079 (image=ubuntu, name=small_hoover)
+func TestLoadBufferedEvents(t *testing.T) {
+	now := time.Now()
+	f, err := timetypes.GetTimestamp("2016-03-07T17:28:03.100000000+02:00", now)
+	if err != nil {
+		t.Fatal(err)
+	}
+	s, sNano, err := timetypes.ParseTimestamps(f, -1)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	m1, err := eventstestutils.Scan("2016-03-07T17:28:03.022433271+02:00 container die 0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079 (image=ubuntu, name=small_hoover)")
+	if err != nil {
+		t.Fatal(err)
+	}
+	m2, err := eventstestutils.Scan("2016-03-07T17:28:03.091719377+02:00 network disconnect 19c5ed41acb798f26b751e0035cd7821741ab79e2bbd59a66b5fd8abf954eaa0 (type=bridge, container=0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079, name=bridge)")
+	if err != nil {
+		t.Fatal(err)
+	}
+	m3, err := eventstestutils.Scan("2016-03-07T17:28:03.129014751+02:00 container destroy 0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079 (image=ubuntu, name=small_hoover)")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	events := &Events{
+		events: []events.Message{*m1, *m2, *m3},
+	}
+
+	since := time.Unix(s, sNano)
+	until := time.Time{}
+
+	out := events.loadBufferedEvents(since, until, nil)
+	if len(out) != 1 {
+		t.Fatalf("expected 1 message, got %d: %v", len(out), out)
+	}
+}
+
+func TestLoadBufferedEventsOnlyFromPast(t *testing.T) {
+	now := time.Now()
+	f, err := timetypes.GetTimestamp("2016-03-07T17:28:03.090000000+02:00", now)
+	if err != nil {
+		t.Fatal(err)
+	}
+	s, sNano, err := timetypes.ParseTimestamps(f, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	f, err = timetypes.GetTimestamp("2016-03-07T17:28:03.100000000+02:00", now)
+	if err != nil {
+		t.Fatal(err)
+	}
+	u, uNano, err := timetypes.ParseTimestamps(f, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	m1, err := eventstestutils.Scan("2016-03-07T17:28:03.022433271+02:00 container die 0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079 (image=ubuntu, name=small_hoover)")
+	if err != nil {
+		t.Fatal(err)
+	}
+	m2, err := eventstestutils.Scan("2016-03-07T17:28:03.091719377+02:00 network disconnect 19c5ed41acb798f26b751e0035cd7821741ab79e2bbd59a66b5fd8abf954eaa0 (type=bridge, container=0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079, name=bridge)")
+	if err != nil {
+		t.Fatal(err)
+	}
+	m3, err := eventstestutils.Scan("2016-03-07T17:28:03.129014751+02:00 container destroy 0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079 (image=ubuntu, name=small_hoover)")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	events := &Events{
+		events: []events.Message{*m1, *m2, *m3},
+	}
+
+	since := time.Unix(s, sNano)
+	until := time.Unix(u, uNano)
+
+	out := events.loadBufferedEvents(since, until, nil)
+	if len(out) != 1 {
+		t.Fatalf("expected 1 message, got %d: %v", len(out), out)
+	}
+
+	if out[0].Type != "network" {
+		t.Fatalf("expected network event, got %s", out[0].Type)
+	}
+}
+
+// #13753
+func TestIgnoreBufferedWhenNoTimes(t *testing.T) {
+	m1, err := eventstestutils.Scan("2016-03-07T17:28:03.022433271+02:00 container die 0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079 (image=ubuntu, name=small_hoover)")
+	if err != nil {
+		t.Fatal(err)
+	}
+	m2, err := eventstestutils.Scan("2016-03-07T17:28:03.091719377+02:00 network disconnect 19c5ed41acb798f26b751e0035cd7821741ab79e2bbd59a66b5fd8abf954eaa0 (type=bridge, container=0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079, name=bridge)")
+	if err != nil {
+		t.Fatal(err)
+	}
+	m3, err := eventstestutils.Scan("2016-03-07T17:28:03.129014751+02:00 container destroy 0b863f2a26c18557fc6cdadda007c459f9ec81b874780808138aea78a3595079 (image=ubuntu, name=small_hoover)")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	events := &Events{
+		events: []events.Message{*m1, *m2, *m3},
+	}
+
+	since := time.Time{}
+	until := time.Time{}
+
+	out := events.loadBufferedEvents(since, until, nil)
+	if len(out) != 0 {
+		t.Fatalf("expected 0 buffered events, got %q", out)
+	}
+}
diff --git a/engine/daemon/events/filter.go b/engine/daemon/events/filter.go
new file mode 100644
index 00000000..da06f18b
--- /dev/null
+++ b/engine/daemon/events/filter.go
@@ -0,0 +1,138 @@
+package events // import "github.com/docker/docker/daemon/events"
+
+import (
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+)
+
+// Filter can filter out docker events from a stream
+type Filter struct {
+	filter filters.Args
+}
+
+// NewFilter creates a new Filter
+func NewFilter(filter filters.Args) *Filter {
+	return &Filter{filter: filter}
+}
+
+// Include returns true when the event ev is included by the filters
+func (ef *Filter) Include(ev events.Message) bool {
+	return ef.matchEvent(ev) &&
+		ef.filter.ExactMatch("type", ev.Type) &&
+		ef.matchScope(ev.Scope) &&
+		ef.matchDaemon(ev) &&
+		ef.matchContainer(ev) &&
+		ef.matchPlugin(ev) &&
+		ef.matchVolume(ev) &&
+		ef.matchNetwork(ev) &&
+		ef.matchImage(ev) &&
+		ef.matchNode(ev) &&
+		ef.matchService(ev) &&
+		ef.matchSecret(ev) &&
+		ef.matchConfig(ev) &&
+		ef.matchLabels(ev.Actor.Attributes)
+}
+
+func (ef *Filter) matchEvent(ev events.Message) bool {
+	// #25798 if an event filter contains either health_status, exec_create or exec_start without a colon
+	// Let's to a FuzzyMatch instead of an ExactMatch.
+	if ef.filterContains("event", map[string]struct{}{"health_status": {}, "exec_create": {}, "exec_start": {}}) {
+		return ef.filter.FuzzyMatch("event", ev.Action)
+	}
+	return ef.filter.ExactMatch("event", ev.Action)
+}
+
+func (ef *Filter) filterContains(field string, values map[string]struct{}) bool {
+	for _, v := range ef.filter.Get(field) {
+		if _, ok := values[v]; ok {
+			return true
+		}
+	}
+	return false
+}
+
+func (ef *Filter) matchScope(scope string) bool {
+	if !ef.filter.Contains("scope") {
+		return true
+	}
+	return ef.filter.ExactMatch("scope", scope)
+}
+
+func (ef *Filter) matchLabels(attributes map[string]string) bool {
+	if !ef.filter.Contains("label") {
+		return true
+	}
+	return ef.filter.MatchKVList("label", attributes)
+}
+
+func (ef *Filter) matchDaemon(ev events.Message) bool {
+	return ef.fuzzyMatchName(ev, events.DaemonEventType)
+}
+
+func (ef *Filter) matchContainer(ev events.Message) bool {
+	return ef.fuzzyMatchName(ev, events.ContainerEventType)
+}
+
+func (ef *Filter) matchPlugin(ev events.Message) bool {
+	return ef.fuzzyMatchName(ev, events.PluginEventType)
+}
+
+func (ef *Filter) matchVolume(ev events.Message) bool {
+	return ef.fuzzyMatchName(ev, events.VolumeEventType)
+}
+
+func (ef *Filter) matchNetwork(ev events.Message) bool {
+	return ef.fuzzyMatchName(ev, events.NetworkEventType)
+}
+
+func (ef *Filter) matchService(ev events.Message) bool {
+	return ef.fuzzyMatchName(ev, events.ServiceEventType)
+}
+
+func (ef *Filter) matchNode(ev events.Message) bool {
+	return ef.fuzzyMatchName(ev, events.NodeEventType)
+}
+
+func (ef *Filter) matchSecret(ev events.Message) bool {
+	return ef.fuzzyMatchName(ev, events.SecretEventType)
+}
+
+func (ef *Filter) matchConfig(ev events.Message) bool {
+	return ef.fuzzyMatchName(ev, events.ConfigEventType)
+}
+
+func (ef *Filter) fuzzyMatchName(ev events.Message, eventType string) bool {
+	return ef.filter.FuzzyMatch(eventType, ev.Actor.ID) ||
+		ef.filter.FuzzyMatch(eventType, ev.Actor.Attributes["name"])
+}
+
+// matchImage matches against both event.Actor.ID (for image events)
+// and event.Actor.Attributes["image"] (for container events), so that any container that was created
+// from an image will be included in the image events. Also compare both
+// against the stripped repo name without any tags.
+func (ef *Filter) matchImage(ev events.Message) bool {
+	id := ev.Actor.ID
+	nameAttr := "image"
+	var imageName string
+
+	if ev.Type == events.ImageEventType {
+		nameAttr = "name"
+	}
+
+	if n, ok := ev.Actor.Attributes[nameAttr]; ok {
+		imageName = n
+	}
+	return ef.filter.ExactMatch("image", id) ||
+		ef.filter.ExactMatch("image", imageName) ||
+		ef.filter.ExactMatch("image", stripTag(id)) ||
+		ef.filter.ExactMatch("image", stripTag(imageName))
+}
+
+func stripTag(image string) string {
+	ref, err := reference.ParseNormalizedNamed(image)
+	if err != nil {
+		return image
+	}
+	return reference.FamiliarName(ref)
+}
diff --git a/engine/daemon/events/metrics.go b/engine/daemon/events/metrics.go
new file mode 100644
index 00000000..199858d6
--- /dev/null
+++ b/engine/daemon/events/metrics.go
@@ -0,0 +1,15 @@
+package events // import "github.com/docker/docker/daemon/events"
+
+import "github.com/docker/go-metrics"
+
+var (
+	eventsCounter    metrics.Counter
+	eventSubscribers metrics.Gauge
+)
+
+func init() {
+	ns := metrics.NewNamespace("engine", "daemon", nil)
+	eventsCounter = ns.NewCounter("events", "The number of events logged")
+	eventSubscribers = ns.NewGauge("events_subscribers", "The number of current subscribers to events", metrics.Total)
+	metrics.Register(ns)
+}
diff --git a/engine/daemon/events/testutils/testutils.go b/engine/daemon/events/testutils/testutils.go
new file mode 100644
index 00000000..b6766adb
--- /dev/null
+++ b/engine/daemon/events/testutils/testutils.go
@@ -0,0 +1,76 @@
+package testutils // import "github.com/docker/docker/daemon/events/testutils"
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/events"
+	timetypes "github.com/docker/docker/api/types/time"
+)
+
+var (
+	reTimestamp  = `(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{9}(:?(:?(:?-|\+)\d{2}:\d{2})|Z))`
+	reEventType  = `(?P<eventType>\w+)`
+	reAction     = `(?P<action>\w+)`
+	reID         = `(?P<id>[^\s]+)`
+	reAttributes = `(\s\((?P<attributes>[^\)]+)\))?`
+	reString     = fmt.Sprintf(`\A%s\s%s\s%s\s%s%s\z`, reTimestamp, reEventType, reAction, reID, reAttributes)
+
+	// eventCliRegexp is a regular expression that matches all possible event outputs in the cli
+	eventCliRegexp = regexp.MustCompile(reString)
+)
+
+// ScanMap turns an event string like the default ones formatted in the cli output
+// and turns it into map.
+func ScanMap(text string) map[string]string {
+	matches := eventCliRegexp.FindAllStringSubmatch(text, -1)
+	md := map[string]string{}
+	if len(matches) == 0 {
+		return md
+	}
+
+	names := eventCliRegexp.SubexpNames()
+	for i, n := range matches[0] {
+		md[names[i]] = n
+	}
+	return md
+}
+
+// Scan turns an event string like the default ones formatted in the cli output
+// and turns it into an event message.
+func Scan(text string) (*events.Message, error) {
+	md := ScanMap(text)
+	if len(md) == 0 {
+		return nil, fmt.Errorf("text is not an event: %s", text)
+	}
+
+	f, err := timetypes.GetTimestamp(md["timestamp"], time.Now())
+	if err != nil {
+		return nil, err
+	}
+
+	t, tn, err := timetypes.ParseTimestamps(f, -1)
+	if err != nil {
+		return nil, err
+	}
+
+	attrs := make(map[string]string)
+	for _, a := range strings.SplitN(md["attributes"], ", ", -1) {
+		kv := strings.SplitN(a, "=", 2)
+		attrs[kv[0]] = kv[1]
+	}
+
+	tu := time.Unix(t, tn)
+	return &events.Message{
+		Time:     t,
+		TimeNano: tu.UnixNano(),
+		Type:     md["eventType"],
+		Action:   md["action"],
+		Actor: events.Actor{
+			ID:         md["id"],
+			Attributes: attrs,
+		},
+	}, nil
+}
diff --git a/engine/daemon/events_test.go b/engine/daemon/events_test.go
new file mode 100644
index 00000000..df089976
--- /dev/null
+++ b/engine/daemon/events_test.go
@@ -0,0 +1,90 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"testing"
+	"time"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	eventtypes "github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/events"
+)
+
+func TestLogContainerEventCopyLabels(t *testing.T) {
+	e := events.New()
+	_, l, _ := e.Subscribe()
+	defer e.Evict(l)
+
+	container := &container.Container{
+		ID:   "container_id",
+		Name: "container_name",
+		Config: &containertypes.Config{
+			Image: "image_name",
+			Labels: map[string]string{
+				"node": "1",
+				"os":   "alpine",
+			},
+		},
+	}
+	daemon := &Daemon{
+		EventsService: e,
+	}
+	daemon.LogContainerEvent(container, "create")
+
+	if _, mutated := container.Config.Labels["image"]; mutated {
+		t.Fatalf("Expected to not mutate the container labels, got %q", container.Config.Labels)
+	}
+
+	validateTestAttributes(t, l, map[string]string{
+		"node": "1",
+		"os":   "alpine",
+	})
+}
+
+func TestLogContainerEventWithAttributes(t *testing.T) {
+	e := events.New()
+	_, l, _ := e.Subscribe()
+	defer e.Evict(l)
+
+	container := &container.Container{
+		ID:   "container_id",
+		Name: "container_name",
+		Config: &containertypes.Config{
+			Labels: map[string]string{
+				"node": "1",
+				"os":   "alpine",
+			},
+		},
+	}
+	daemon := &Daemon{
+		EventsService: e,
+	}
+	attributes := map[string]string{
+		"node": "2",
+		"foo":  "bar",
+	}
+	daemon.LogContainerEventWithAttributes(container, "create", attributes)
+
+	validateTestAttributes(t, l, map[string]string{
+		"node": "1",
+		"foo":  "bar",
+	})
+}
+
+func validateTestAttributes(t *testing.T, l chan interface{}, expectedAttributesToTest map[string]string) {
+	select {
+	case ev := <-l:
+		event, ok := ev.(eventtypes.Message)
+		if !ok {
+			t.Fatalf("Unexpected event message: %q", ev)
+		}
+		for key, expected := range expectedAttributesToTest {
+			actual, ok := event.Actor.Attributes[key]
+			if !ok || actual != expected {
+				t.Fatalf("Expected value for key %s to be %s, but was %s (event:%v)", key, expected, actual, event)
+			}
+		}
+	case <-time.After(10 * time.Second):
+		t.Fatal("LogEvent test timed out")
+	}
+}
diff --git a/engine/daemon/exec.go b/engine/daemon/exec.go
new file mode 100644
index 00000000..f0b43d72
--- /dev/null
+++ b/engine/daemon/exec.go
@@ -0,0 +1,324 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/container/stream"
+	"github.com/docker/docker/daemon/exec"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/pools"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/docker/docker/pkg/term"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Seconds to wait after sending TERM before trying KILL
+const termProcessTimeout = 10
+
+func (d *Daemon) registerExecCommand(container *container.Container, config *exec.Config) {
+	// Storing execs in container in order to kill them gracefully whenever the container is stopped or removed.
+	container.ExecCommands.Add(config.ID, config)
+	// Storing execs in daemon for easy access via Engine API.
+	d.execCommands.Add(config.ID, config)
+}
+
+// ExecExists looks up the exec instance and returns a bool if it exists or not.
+// It will also return the error produced by `getConfig`
+func (d *Daemon) ExecExists(name string) (bool, error) {
+	if _, err := d.getExecConfig(name); err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
+// getExecConfig looks up the exec instance by name. If the container associated
+// with the exec instance is stopped or paused, it will return an error.
+func (d *Daemon) getExecConfig(name string) (*exec.Config, error) {
+	ec := d.execCommands.Get(name)
+	if ec == nil {
+		return nil, errExecNotFound(name)
+	}
+
+	// If the exec is found but its container is not in the daemon's list of
+	// containers then it must have been deleted, in which case instead of
+	// saying the container isn't running, we should return a 404 so that
+	// the user sees the same error now that they will after the
+	// 5 minute clean-up loop is run which erases old/dead execs.
+	container := d.containers.Get(ec.ContainerID)
+	if container == nil {
+		return nil, containerNotFound(name)
+	}
+	if !container.IsRunning() {
+		return nil, fmt.Errorf("Container %s is not running: %s", container.ID, container.State.String())
+	}
+	if container.IsPaused() {
+		return nil, errExecPaused(container.ID)
+	}
+	if container.IsRestarting() {
+		return nil, errContainerIsRestarting(container.ID)
+	}
+	return ec, nil
+}
+
+func (d *Daemon) unregisterExecCommand(container *container.Container, execConfig *exec.Config) {
+	container.ExecCommands.Delete(execConfig.ID, execConfig.Pid)
+	d.execCommands.Delete(execConfig.ID, execConfig.Pid)
+}
+
+func (d *Daemon) getActiveContainer(name string) (*container.Container, error) {
+	container, err := d.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	if !container.IsRunning() {
+		return nil, errNotRunning(container.ID)
+	}
+	if container.IsPaused() {
+		return nil, errExecPaused(name)
+	}
+	if container.IsRestarting() {
+		return nil, errContainerIsRestarting(container.ID)
+	}
+	return container, nil
+}
+
+// ContainerExecCreate sets up an exec in a running container.
+func (d *Daemon) ContainerExecCreate(name string, config *types.ExecConfig) (string, error) {
+	cntr, err := d.getActiveContainer(name)
+	if err != nil {
+		return "", err
+	}
+
+	cmd := strslice.StrSlice(config.Cmd)
+	entrypoint, args := d.getEntrypointAndArgs(strslice.StrSlice{}, cmd)
+
+	keys := []byte{}
+	if config.DetachKeys != "" {
+		keys, err = term.ToBytes(config.DetachKeys)
+		if err != nil {
+			err = fmt.Errorf("Invalid escape keys (%s) provided", config.DetachKeys)
+			return "", err
+		}
+	}
+
+	execConfig := exec.NewConfig()
+	execConfig.OpenStdin = config.AttachStdin
+	execConfig.OpenStdout = config.AttachStdout
+	execConfig.OpenStderr = config.AttachStderr
+	execConfig.ContainerID = cntr.ID
+	execConfig.DetachKeys = keys
+	execConfig.Entrypoint = entrypoint
+	execConfig.Args = args
+	execConfig.Tty = config.Tty
+	execConfig.Privileged = config.Privileged
+	execConfig.User = config.User
+	execConfig.WorkingDir = config.WorkingDir
+
+	linkedEnv, err := d.setupLinkedContainers(cntr)
+	if err != nil {
+		return "", err
+	}
+	execConfig.Env = container.ReplaceOrAppendEnvValues(cntr.CreateDaemonEnvironment(config.Tty, linkedEnv), config.Env)
+	if len(execConfig.User) == 0 {
+		execConfig.User = cntr.Config.User
+	}
+	if len(execConfig.WorkingDir) == 0 {
+		execConfig.WorkingDir = cntr.Config.WorkingDir
+	}
+
+	d.registerExecCommand(cntr, execConfig)
+
+	attributes := map[string]string{
+		"execID": execConfig.ID,
+	}
+	d.LogContainerEventWithAttributes(cntr, "exec_create: "+execConfig.Entrypoint+" "+strings.Join(execConfig.Args, " "), attributes)
+
+	return execConfig.ID, nil
+}
+
+// ContainerExecStart starts a previously set up exec instance. The
+// std streams are set up.
+// If ctx is cancelled, the process is terminated.
+func (d *Daemon) ContainerExecStart(ctx context.Context, name string, stdin io.Reader, stdout io.Writer, stderr io.Writer) (err error) {
+	var (
+		cStdin           io.ReadCloser
+		cStdout, cStderr io.Writer
+	)
+
+	ec, err := d.getExecConfig(name)
+	if err != nil {
+		return errExecNotFound(name)
+	}
+
+	ec.Lock()
+	if ec.ExitCode != nil {
+		ec.Unlock()
+		err := fmt.Errorf("Error: Exec command %s has already run", ec.ID)
+		return errdefs.Conflict(err)
+	}
+
+	if ec.Running {
+		ec.Unlock()
+		return errdefs.Conflict(fmt.Errorf("Error: Exec command %s is already running", ec.ID))
+	}
+	ec.Running = true
+	ec.Unlock()
+
+	c := d.containers.Get(ec.ContainerID)
+	logrus.Debugf("starting exec command %s in container %s", ec.ID, c.ID)
+	attributes := map[string]string{
+		"execID": ec.ID,
+	}
+	d.LogContainerEventWithAttributes(c, "exec_start: "+ec.Entrypoint+" "+strings.Join(ec.Args, " "), attributes)
+
+	defer func() {
+		if err != nil {
+			ec.Lock()
+			ec.Running = false
+			exitCode := 126
+			ec.ExitCode = &exitCode
+			if err := ec.CloseStreams(); err != nil {
+				logrus.Errorf("failed to cleanup exec %s streams: %s", c.ID, err)
+			}
+			ec.Unlock()
+			c.ExecCommands.Delete(ec.ID, ec.Pid)
+		}
+	}()
+
+	if ec.OpenStdin && stdin != nil {
+		r, w := io.Pipe()
+		go func() {
+			defer w.Close()
+			defer logrus.Debug("Closing buffered stdin pipe")
+			pools.Copy(w, stdin)
+		}()
+		cStdin = r
+	}
+	if ec.OpenStdout {
+		cStdout = stdout
+	}
+	if ec.OpenStderr {
+		cStderr = stderr
+	}
+
+	if ec.OpenStdin {
+		ec.StreamConfig.NewInputPipes()
+	} else {
+		ec.StreamConfig.NewNopInputPipe()
+	}
+
+	p := &specs.Process{
+		Args:     append([]string{ec.Entrypoint}, ec.Args...),
+		Env:      ec.Env,
+		Terminal: ec.Tty,
+		Cwd:      ec.WorkingDir,
+	}
+	if p.Cwd == "" {
+		p.Cwd = "/"
+	}
+
+	if err := d.execSetPlatformOpt(c, ec, p); err != nil {
+		return err
+	}
+
+	attachConfig := stream.AttachConfig{
+		TTY:        ec.Tty,
+		UseStdin:   cStdin != nil,
+		UseStdout:  cStdout != nil,
+		UseStderr:  cStderr != nil,
+		Stdin:      cStdin,
+		Stdout:     cStdout,
+		Stderr:     cStderr,
+		DetachKeys: ec.DetachKeys,
+		CloseStdin: true,
+	}
+	ec.StreamConfig.AttachStreams(&attachConfig)
+	attachErr := ec.StreamConfig.CopyStreams(ctx, &attachConfig)
+
+	// Synchronize with libcontainerd event loop
+	ec.Lock()
+	c.ExecCommands.Lock()
+	systemPid, err := d.containerd.Exec(ctx, c.ID, ec.ID, p, cStdin != nil, ec.InitializeStdio)
+	// the exec context should be ready, or error happened.
+	// close the chan to notify readiness
+	close(ec.Started)
+	if err != nil {
+		c.ExecCommands.Unlock()
+		ec.Unlock()
+		return translateContainerdStartErr(ec.Entrypoint, ec.SetExitCode, err)
+	}
+	ec.Pid = systemPid
+	c.ExecCommands.Unlock()
+	ec.Unlock()
+
+	select {
+	case <-ctx.Done():
+		logrus.Debugf("Sending TERM signal to process %v in container %v", name, c.ID)
+		d.containerd.SignalProcess(ctx, c.ID, name, int(signal.SignalMap["TERM"]))
+		select {
+		case <-time.After(termProcessTimeout * time.Second):
+			logrus.Infof("Container %v, process %v failed to exit within %d seconds of signal TERM - using the force", c.ID, name, termProcessTimeout)
+			d.containerd.SignalProcess(ctx, c.ID, name, int(signal.SignalMap["KILL"]))
+		case <-attachErr:
+			// TERM signal worked
+		}
+		return ctx.Err()
+	case err := <-attachErr:
+		if err != nil {
+			if _, ok := err.(term.EscapeError); !ok {
+				return errdefs.System(errors.Wrap(err, "exec attach failed"))
+			}
+			attributes := map[string]string{
+				"execID": ec.ID,
+			}
+			d.LogContainerEventWithAttributes(c, "exec_detach", attributes)
+		}
+	}
+	return nil
+}
+
+// execCommandGC runs a ticker to clean up the daemon references
+// of exec configs that are no longer part of the container.
+func (d *Daemon) execCommandGC() {
+	for range time.Tick(5 * time.Minute) {
+		var (
+			cleaned          int
+			liveExecCommands = d.containerExecIds()
+		)
+		for id, config := range d.execCommands.Commands() {
+			if config.CanRemove {
+				cleaned++
+				d.execCommands.Delete(id, config.Pid)
+			} else {
+				if _, exists := liveExecCommands[id]; !exists {
+					config.CanRemove = true
+				}
+			}
+		}
+		if cleaned > 0 {
+			logrus.Debugf("clean %d unused exec commands", cleaned)
+		}
+	}
+}
+
+// containerExecIds returns a list of all the current exec ids that are in use
+// and running inside a container.
+func (d *Daemon) containerExecIds() map[string]struct{} {
+	ids := map[string]struct{}{}
+	for _, c := range d.containers.List() {
+		for _, id := range c.ExecCommands.List() {
+			ids[id] = struct{}{}
+		}
+	}
+	return ids
+}
diff --git a/engine/daemon/exec/exec.go b/engine/daemon/exec/exec.go
new file mode 100644
index 00000000..c036c46a
--- /dev/null
+++ b/engine/daemon/exec/exec.go
@@ -0,0 +1,146 @@
+package exec // import "github.com/docker/docker/daemon/exec"
+
+import (
+	"runtime"
+	"sync"
+
+	"github.com/containerd/containerd/cio"
+	"github.com/docker/docker/container/stream"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/sirupsen/logrus"
+)
+
+// Config holds the configurations for execs. The Daemon keeps
+// track of both running and finished execs so that they can be
+// examined both during and after completion.
+type Config struct {
+	sync.Mutex
+	Started      chan struct{}
+	StreamConfig *stream.Config
+	ID           string
+	Running      bool
+	ExitCode     *int
+	OpenStdin    bool
+	OpenStderr   bool
+	OpenStdout   bool
+	CanRemove    bool
+	ContainerID  string
+	DetachKeys   []byte
+	Entrypoint   string
+	Args         []string
+	Tty          bool
+	Privileged   bool
+	User         string
+	WorkingDir   string
+	Env          []string
+	Pid          int
+}
+
+// NewConfig initializes the a new exec configuration
+func NewConfig() *Config {
+	return &Config{
+		ID:           stringid.GenerateNonCryptoID(),
+		StreamConfig: stream.NewConfig(),
+		Started:      make(chan struct{}),
+	}
+}
+
+type rio struct {
+	cio.IO
+
+	sc *stream.Config
+}
+
+func (i *rio) Close() error {
+	i.IO.Close()
+
+	return i.sc.CloseStreams()
+}
+
+func (i *rio) Wait() {
+	i.sc.Wait()
+
+	i.IO.Wait()
+}
+
+// InitializeStdio is called by libcontainerd to connect the stdio.
+func (c *Config) InitializeStdio(iop *cio.DirectIO) (cio.IO, error) {
+	c.StreamConfig.CopyToPipe(iop)
+
+	if c.StreamConfig.Stdin() == nil && !c.Tty && runtime.GOOS == "windows" {
+		if iop.Stdin != nil {
+			if err := iop.Stdin.Close(); err != nil {
+				logrus.Errorf("error closing exec stdin: %+v", err)
+			}
+		}
+	}
+
+	return &rio{IO: iop, sc: c.StreamConfig}, nil
+}
+
+// CloseStreams closes the stdio streams for the exec
+func (c *Config) CloseStreams() error {
+	return c.StreamConfig.CloseStreams()
+}
+
+// SetExitCode sets the exec config's exit code
+func (c *Config) SetExitCode(code int) {
+	c.ExitCode = &code
+}
+
+// Store keeps track of the exec configurations.
+type Store struct {
+	byID map[string]*Config
+	sync.RWMutex
+}
+
+// NewStore initializes a new exec store.
+func NewStore() *Store {
+	return &Store{
+		byID: make(map[string]*Config),
+	}
+}
+
+// Commands returns the exec configurations in the store.
+func (e *Store) Commands() map[string]*Config {
+	e.RLock()
+	byID := make(map[string]*Config, len(e.byID))
+	for id, config := range e.byID {
+		byID[id] = config
+	}
+	e.RUnlock()
+	return byID
+}
+
+// Add adds a new exec configuration to the store.
+func (e *Store) Add(id string, Config *Config) {
+	e.Lock()
+	e.byID[id] = Config
+	e.Unlock()
+}
+
+// Get returns an exec configuration by its id.
+func (e *Store) Get(id string) *Config {
+	e.RLock()
+	res := e.byID[id]
+	e.RUnlock()
+	return res
+}
+
+// Delete removes an exec configuration from the store.
+func (e *Store) Delete(id string, pid int) {
+	e.Lock()
+	delete(e.byID, id)
+	e.Unlock()
+}
+
+// List returns the list of exec ids in the store.
+func (e *Store) List() []string {
+	var IDs []string
+	e.RLock()
+	for id := range e.byID {
+		IDs = append(IDs, id)
+	}
+	e.RUnlock()
+	return IDs
+}
diff --git a/engine/daemon/exec_linux.go b/engine/daemon/exec_linux.go
new file mode 100644
index 00000000..cd52f488
--- /dev/null
+++ b/engine/daemon/exec_linux.go
@@ -0,0 +1,59 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/caps"
+	"github.com/docker/docker/daemon/exec"
+	"github.com/opencontainers/runc/libcontainer/apparmor"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error {
+	if len(ec.User) > 0 {
+		uid, gid, additionalGids, err := getUser(c, ec.User)
+		if err != nil {
+			return err
+		}
+		p.User = specs.User{
+			UID:            uid,
+			GID:            gid,
+			AdditionalGids: additionalGids,
+		}
+	}
+	if ec.Privileged {
+		if p.Capabilities == nil {
+			p.Capabilities = &specs.LinuxCapabilities{}
+		}
+		p.Capabilities.Bounding = caps.GetAllCapabilities()
+		p.Capabilities.Permitted = p.Capabilities.Bounding
+		p.Capabilities.Inheritable = p.Capabilities.Bounding
+		p.Capabilities.Effective = p.Capabilities.Bounding
+	}
+	if apparmor.IsEnabled() {
+		var appArmorProfile string
+		if c.AppArmorProfile != "" {
+			appArmorProfile = c.AppArmorProfile
+		} else if c.HostConfig.Privileged {
+			// `docker exec --privileged` does not currently disable AppArmor
+			// profiles. Privileged configuration of the container is inherited
+			appArmorProfile = "unconfined"
+		} else {
+			appArmorProfile = "docker-default"
+		}
+
+		if appArmorProfile == "docker-default" {
+			// Unattended upgrades and other fun services can unload AppArmor
+			// profiles inadvertently. Since we cannot store our profile in
+			// /etc/apparmor.d, nor can we practically add other ways of
+			// telling the system to keep our profile loaded, in order to make
+			// sure that we keep the default profile enabled we dynamically
+			// reload it if necessary.
+			if err := ensureDefaultAppArmorProfile(); err != nil {
+				return err
+			}
+		}
+		p.ApparmorProfile = appArmorProfile
+	}
+	daemon.setRlimits(&specs.Spec{Process: p}, c)
+	return nil
+}
diff --git a/engine/daemon/exec_linux_test.go b/engine/daemon/exec_linux_test.go
new file mode 100644
index 00000000..0db7f080
--- /dev/null
+++ b/engine/daemon/exec_linux_test.go
@@ -0,0 +1,53 @@
+// +build linux
+
+package daemon
+
+import (
+	"testing"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/exec"
+	"github.com/opencontainers/runc/libcontainer/apparmor"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"gotest.tools/assert"
+)
+
+func TestExecSetPlatformOpt(t *testing.T) {
+	if !apparmor.IsEnabled() {
+		t.Skip("requires AppArmor to be enabled")
+	}
+	d := &Daemon{}
+	c := &container.Container{AppArmorProfile: "my-custom-profile"}
+	ec := &exec.Config{}
+	p := &specs.Process{}
+
+	err := d.execSetPlatformOpt(c, ec, p)
+	assert.NilError(t, err)
+	assert.Equal(t, "my-custom-profile", p.ApparmorProfile)
+}
+
+// TestExecSetPlatformOptPrivileged verifies that `docker exec --privileged`
+// does not disable AppArmor profiles. Exec currently inherits the `Privileged`
+// configuration of the container. See https://github.com/moby/moby/pull/31773#discussion_r105586900
+//
+// This behavior may change in future, but test for the behavior to prevent it
+// from being changed accidentally.
+func TestExecSetPlatformOptPrivileged(t *testing.T) {
+	if !apparmor.IsEnabled() {
+		t.Skip("requires AppArmor to be enabled")
+	}
+	d := &Daemon{}
+	c := &container.Container{AppArmorProfile: "my-custom-profile"}
+	ec := &exec.Config{Privileged: true}
+	p := &specs.Process{}
+
+	err := d.execSetPlatformOpt(c, ec, p)
+	assert.NilError(t, err)
+	assert.Equal(t, "my-custom-profile", p.ApparmorProfile)
+
+	c.HostConfig = &containertypes.HostConfig{Privileged: true}
+	err = d.execSetPlatformOpt(c, ec, p)
+	assert.NilError(t, err)
+	assert.Equal(t, "unconfined", p.ApparmorProfile)
+}
diff --git a/engine/daemon/exec_windows.go b/engine/daemon/exec_windows.go
new file mode 100644
index 00000000..c37ea9f3
--- /dev/null
+++ b/engine/daemon/exec_windows.go
@@ -0,0 +1,16 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/exec"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config, p *specs.Process) error {
+	// Process arguments need to be escaped before sending to OCI.
+	if c.OS == "windows" {
+		p.Args = escapeArgs(p.Args)
+		p.User.Username = ec.User
+	}
+	return nil
+}
diff --git a/engine/daemon/export.go b/engine/daemon/export.go
new file mode 100644
index 00000000..737e161e
--- /dev/null
+++ b/engine/daemon/export.go
@@ -0,0 +1,86 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"io"
+	"runtime"
+
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/system"
+)
+
+// ContainerExport writes the contents of the container to the given
+// writer. An error is returned if the container cannot be found.
+func (daemon *Daemon) ContainerExport(name string, out io.Writer) error {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+
+	if runtime.GOOS == "windows" && container.OS == "windows" {
+		return fmt.Errorf("the daemon on this operating system does not support exporting Windows containers")
+	}
+
+	if container.IsDead() {
+		err := fmt.Errorf("You cannot export container %s which is Dead", container.ID)
+		return errdefs.Conflict(err)
+	}
+
+	if container.IsRemovalInProgress() {
+		err := fmt.Errorf("You cannot export container %s which is being removed", container.ID)
+		return errdefs.Conflict(err)
+	}
+
+	data, err := daemon.containerExport(container)
+	if err != nil {
+		return fmt.Errorf("Error exporting container %s: %v", name, err)
+	}
+	defer data.Close()
+
+	// Stream the entire contents of the container (basically a volatile snapshot)
+	if _, err := io.Copy(out, data); err != nil {
+		return fmt.Errorf("Error exporting container %s: %v", name, err)
+	}
+	return nil
+}
+
+func (daemon *Daemon) containerExport(container *container.Container) (arch io.ReadCloser, err error) {
+	if !system.IsOSSupported(container.OS) {
+		return nil, fmt.Errorf("cannot export %s: %s ", container.ID, system.ErrNotSupportedOperatingSystem)
+	}
+	rwlayer, err := daemon.imageService.GetLayerByID(container.ID, container.OS)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if err != nil {
+			daemon.imageService.ReleaseLayer(rwlayer, container.OS)
+		}
+	}()
+
+	basefs, err := rwlayer.Mount(container.GetMountLabel())
+	if err != nil {
+		return nil, err
+	}
+
+	archive, err := archivePath(basefs, basefs.Path(), &archive.TarOptions{
+		Compression: archive.Uncompressed,
+		UIDMaps:     daemon.idMappings.UIDs(),
+		GIDMaps:     daemon.idMappings.GIDs(),
+	})
+	if err != nil {
+		rwlayer.Unmount()
+		return nil, err
+	}
+	arch = ioutils.NewReadCloserWrapper(archive, func() error {
+		err := archive.Close()
+		rwlayer.Unmount()
+		daemon.imageService.ReleaseLayer(rwlayer, container.OS)
+		return err
+	})
+	daemon.LogContainerEvent(container, "export")
+	return arch, err
+}
diff --git a/engine/daemon/graphdriver/aufs/aufs.go b/engine/daemon/graphdriver/aufs/aufs.go
new file mode 100644
index 00000000..91522527
--- /dev/null
+++ b/engine/daemon/graphdriver/aufs/aufs.go
@@ -0,0 +1,678 @@
+// +build linux
+
+/*
+
+aufs driver directory structure
+
+  .
+  ├── layers // Metadata of layers
+  │   ├── 1
+  │   ├── 2
+  │   └── 3
+  ├── diff  // Content of the layer
+  │   ├── 1  // Contains layers that need to be mounted for the id
+  │   ├── 2
+  │   └── 3
+  └── mnt    // Mount points for the rw layers to be mounted
+      ├── 1
+      ├── 2
+      └── 3
+
+*/
+
+package aufs // import "github.com/docker/docker/daemon/graphdriver/aufs"
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/chrootarchive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/directory"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/locker"
+	mountpk "github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/system"
+	rsystem "github.com/opencontainers/runc/libcontainer/system"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/vbatts/tar-split/tar/storage"
+	"golang.org/x/sys/unix"
+)
+
+var (
+	// ErrAufsNotSupported is returned if aufs is not supported by the host.
+	ErrAufsNotSupported = fmt.Errorf("AUFS was not found in /proc/filesystems")
+	// ErrAufsNested means aufs cannot be used bc we are in a user namespace
+	ErrAufsNested = fmt.Errorf("AUFS cannot be used in non-init user namespace")
+	backingFs     = "<unknown>"
+
+	enableDirpermLock sync.Once
+	enableDirperm     bool
+
+	logger = logrus.WithField("storage-driver", "aufs")
+)
+
+func init() {
+	graphdriver.Register("aufs", Init)
+}
+
+// Driver contains information about the filesystem mounted.
+type Driver struct {
+	sync.Mutex
+	root          string
+	uidMaps       []idtools.IDMap
+	gidMaps       []idtools.IDMap
+	ctr           *graphdriver.RefCounter
+	pathCacheLock sync.Mutex
+	pathCache     map[string]string
+	naiveDiff     graphdriver.DiffDriver
+	locker        *locker.Locker
+}
+
+// Init returns a new AUFS driver.
+// An error is returned if AUFS is not supported.
+func Init(root string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) {
+	// Try to load the aufs kernel module
+	if err := supportsAufs(); err != nil {
+		logger.Error(err)
+		return nil, graphdriver.ErrNotSupported
+	}
+
+	// Perform feature detection on /var/lib/docker/aufs if it's an existing directory.
+	// This covers situations where /var/lib/docker/aufs is a mount, and on a different
+	// filesystem than /var/lib/docker.
+	// If the path does not exist, fall back to using /var/lib/docker for feature detection.
+	testdir := root
+	if _, err := os.Stat(testdir); os.IsNotExist(err) {
+		testdir = filepath.Dir(testdir)
+	}
+
+	fsMagic, err := graphdriver.GetFSMagic(testdir)
+	if err != nil {
+		return nil, err
+	}
+	if fsName, ok := graphdriver.FsNames[fsMagic]; ok {
+		backingFs = fsName
+	}
+
+	switch fsMagic {
+	case graphdriver.FsMagicAufs, graphdriver.FsMagicBtrfs, graphdriver.FsMagicEcryptfs:
+		logger.Errorf("AUFS is not supported over %s", backingFs)
+		return nil, graphdriver.ErrIncompatibleFS
+	}
+
+	paths := []string{
+		"mnt",
+		"diff",
+		"layers",
+	}
+
+	a := &Driver{
+		root:      root,
+		uidMaps:   uidMaps,
+		gidMaps:   gidMaps,
+		pathCache: make(map[string]string),
+		ctr:       graphdriver.NewRefCounter(graphdriver.NewFsChecker(graphdriver.FsMagicAufs)),
+		locker:    locker.New(),
+	}
+
+	rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
+	if err != nil {
+		return nil, err
+	}
+	// Create the root aufs driver dir
+	if err := idtools.MkdirAllAndChown(root, 0700, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+		return nil, err
+	}
+
+	// Populate the dir structure
+	for _, p := range paths {
+		if err := idtools.MkdirAllAndChown(path.Join(root, p), 0700, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+			return nil, err
+		}
+	}
+
+	for _, path := range []string{"mnt", "diff"} {
+		p := filepath.Join(root, path)
+		entries, err := ioutil.ReadDir(p)
+		if err != nil {
+			logger.WithError(err).WithField("dir", p).Error("error reading dir entries")
+			continue
+		}
+		for _, entry := range entries {
+			if !entry.IsDir() {
+				continue
+			}
+			if strings.HasSuffix(entry.Name(), "-removing") {
+				logger.WithField("dir", entry.Name()).Debug("Cleaning up stale layer dir")
+				if err := system.EnsureRemoveAll(filepath.Join(p, entry.Name())); err != nil {
+					logger.WithField("dir", entry.Name()).WithError(err).Error("Error removing stale layer dir")
+				}
+			}
+		}
+	}
+
+	a.naiveDiff = graphdriver.NewNaiveDiffDriver(a, uidMaps, gidMaps)
+	return a, nil
+}
+
+// Return a nil error if the kernel supports aufs
+// We cannot modprobe because inside dind modprobe fails
+// to run
+func supportsAufs() error {
+	// We can try to modprobe aufs first before looking at
+	// proc/filesystems for when aufs is supported
+	exec.Command("modprobe", "aufs").Run()
+
+	if rsystem.RunningInUserNS() {
+		return ErrAufsNested
+	}
+
+	f, err := os.Open("/proc/filesystems")
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	s := bufio.NewScanner(f)
+	for s.Scan() {
+		if strings.Contains(s.Text(), "aufs") {
+			return nil
+		}
+	}
+	return ErrAufsNotSupported
+}
+
+func (a *Driver) rootPath() string {
+	return a.root
+}
+
+func (*Driver) String() string {
+	return "aufs"
+}
+
+// Status returns current information about the filesystem such as root directory, number of directories mounted, etc.
+func (a *Driver) Status() [][2]string {
+	ids, _ := loadIds(path.Join(a.rootPath(), "layers"))
+	return [][2]string{
+		{"Root Dir", a.rootPath()},
+		{"Backing Filesystem", backingFs},
+		{"Dirs", fmt.Sprintf("%d", len(ids))},
+		{"Dirperm1 Supported", fmt.Sprintf("%v", useDirperm())},
+	}
+}
+
+// GetMetadata not implemented
+func (a *Driver) GetMetadata(id string) (map[string]string, error) {
+	return nil, nil
+}
+
+// Exists returns true if the given id is registered with
+// this driver
+func (a *Driver) Exists(id string) bool {
+	if _, err := os.Lstat(path.Join(a.rootPath(), "layers", id)); err != nil {
+		return false
+	}
+	return true
+}
+
+// CreateReadWrite creates a layer that is writable for use as a container
+// file system.
+func (a *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error {
+	return a.Create(id, parent, opts)
+}
+
+// Create three folders for each id
+// mnt, layers, and diff
+func (a *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+
+	if opts != nil && len(opts.StorageOpt) != 0 {
+		return fmt.Errorf("--storage-opt is not supported for aufs")
+	}
+
+	if err := a.createDirsFor(id); err != nil {
+		return err
+	}
+	// Write the layers metadata
+	f, err := os.Create(path.Join(a.rootPath(), "layers", id))
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	if parent != "" {
+		ids, err := getParentIDs(a.rootPath(), parent)
+		if err != nil {
+			return err
+		}
+
+		if _, err := fmt.Fprintln(f, parent); err != nil {
+			return err
+		}
+		for _, i := range ids {
+			if _, err := fmt.Fprintln(f, i); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+// createDirsFor creates two directories for the given id.
+// mnt and diff
+func (a *Driver) createDirsFor(id string) error {
+	paths := []string{
+		"mnt",
+		"diff",
+	}
+
+	rootUID, rootGID, err := idtools.GetRootUIDGID(a.uidMaps, a.gidMaps)
+	if err != nil {
+		return err
+	}
+	// Directory permission is 0755.
+	// The path of directories are <aufs_root_path>/mnt/<image_id>
+	// and <aufs_root_path>/diff/<image_id>
+	for _, p := range paths {
+		if err := idtools.MkdirAllAndChown(path.Join(a.rootPath(), p, id), 0755, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Remove will unmount and remove the given id.
+func (a *Driver) Remove(id string) error {
+	a.locker.Lock(id)
+	defer a.locker.Unlock(id)
+	a.pathCacheLock.Lock()
+	mountpoint, exists := a.pathCache[id]
+	a.pathCacheLock.Unlock()
+	if !exists {
+		mountpoint = a.getMountpoint(id)
+	}
+
+	logger := logger.WithField("layer", id)
+
+	var retries int
+	for {
+		mounted, err := a.mounted(mountpoint)
+		if err != nil {
+			if os.IsNotExist(err) {
+				break
+			}
+			return err
+		}
+		if !mounted {
+			break
+		}
+
+		err = a.unmount(mountpoint)
+		if err == nil {
+			break
+		}
+
+		if err != unix.EBUSY {
+			return errors.Wrapf(err, "aufs: unmount error: %s", mountpoint)
+		}
+		if retries >= 5 {
+			return errors.Wrapf(err, "aufs: unmount error after retries: %s", mountpoint)
+		}
+		// If unmount returns EBUSY, it could be a transient error. Sleep and retry.
+		retries++
+		logger.Warnf("unmount failed due to EBUSY: retry count: %d", retries)
+		time.Sleep(100 * time.Millisecond)
+	}
+
+	// Remove the layers file for the id
+	if err := os.Remove(path.Join(a.rootPath(), "layers", id)); err != nil && !os.IsNotExist(err) {
+		return errors.Wrapf(err, "error removing layers dir for %s", id)
+	}
+
+	if err := atomicRemove(a.getDiffPath(id)); err != nil {
+		return errors.Wrapf(err, "could not remove diff path for id %s", id)
+	}
+
+	// Atomically remove each directory in turn by first moving it out of the
+	// way (so that docker doesn't find it anymore) before doing removal of
+	// the whole tree.
+	if err := atomicRemove(mountpoint); err != nil {
+		if errors.Cause(err) == unix.EBUSY {
+			logger.WithField("dir", mountpoint).WithError(err).Warn("error performing atomic remove due to EBUSY")
+		}
+		return errors.Wrapf(err, "could not remove mountpoint for id %s", id)
+	}
+
+	a.pathCacheLock.Lock()
+	delete(a.pathCache, id)
+	a.pathCacheLock.Unlock()
+	return nil
+}
+
+func atomicRemove(source string) error {
+	target := source + "-removing"
+
+	err := os.Rename(source, target)
+	switch {
+	case err == nil, os.IsNotExist(err):
+	case os.IsExist(err):
+		// Got error saying the target dir already exists, maybe the source doesn't exist due to a previous (failed) remove
+		if _, e := os.Stat(source); !os.IsNotExist(e) {
+			return errors.Wrapf(err, "target rename dir '%s' exists but should not, this needs to be manually cleaned up")
+		}
+	default:
+		return errors.Wrapf(err, "error preparing atomic delete")
+	}
+
+	return system.EnsureRemoveAll(target)
+}
+
+// Get returns the rootfs path for the id.
+// This will mount the dir at its given path
+func (a *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
+	a.locker.Lock(id)
+	defer a.locker.Unlock(id)
+	parents, err := a.getParentLayerPaths(id)
+	if err != nil && !os.IsNotExist(err) {
+		return nil, err
+	}
+
+	a.pathCacheLock.Lock()
+	m, exists := a.pathCache[id]
+	a.pathCacheLock.Unlock()
+
+	if !exists {
+		m = a.getDiffPath(id)
+		if len(parents) > 0 {
+			m = a.getMountpoint(id)
+		}
+	}
+	if count := a.ctr.Increment(m); count > 1 {
+		return containerfs.NewLocalContainerFS(m), nil
+	}
+
+	// If a dir does not have a parent ( no layers )do not try to mount
+	// just return the diff path to the data
+	if len(parents) > 0 {
+		if err := a.mount(id, m, mountLabel, parents); err != nil {
+			return nil, err
+		}
+	}
+
+	a.pathCacheLock.Lock()
+	a.pathCache[id] = m
+	a.pathCacheLock.Unlock()
+	return containerfs.NewLocalContainerFS(m), nil
+}
+
+// Put unmounts and updates list of active mounts.
+func (a *Driver) Put(id string) error {
+	a.locker.Lock(id)
+	defer a.locker.Unlock(id)
+	a.pathCacheLock.Lock()
+	m, exists := a.pathCache[id]
+	if !exists {
+		m = a.getMountpoint(id)
+		a.pathCache[id] = m
+	}
+	a.pathCacheLock.Unlock()
+	if count := a.ctr.Decrement(m); count > 0 {
+		return nil
+	}
+
+	err := a.unmount(m)
+	if err != nil {
+		logger.Debugf("Failed to unmount %s aufs: %v", id, err)
+	}
+	return err
+}
+
+// isParent returns if the passed in parent is the direct parent of the passed in layer
+func (a *Driver) isParent(id, parent string) bool {
+	parents, _ := getParentIDs(a.rootPath(), id)
+	if parent == "" && len(parents) > 0 {
+		return false
+	}
+	return !(len(parents) > 0 && parent != parents[0])
+}
+
+// Diff produces an archive of the changes between the specified
+// layer and its parent layer which may be "".
+func (a *Driver) Diff(id, parent string) (io.ReadCloser, error) {
+	if !a.isParent(id, parent) {
+		return a.naiveDiff.Diff(id, parent)
+	}
+
+	// AUFS doesn't need the parent layer to produce a diff.
+	return archive.TarWithOptions(path.Join(a.rootPath(), "diff", id), &archive.TarOptions{
+		Compression:     archive.Uncompressed,
+		ExcludePatterns: []string{archive.WhiteoutMetaPrefix + "*", "!" + archive.WhiteoutOpaqueDir},
+		UIDMaps:         a.uidMaps,
+		GIDMaps:         a.gidMaps,
+	})
+}
+
+type fileGetNilCloser struct {
+	storage.FileGetter
+}
+
+func (f fileGetNilCloser) Close() error {
+	return nil
+}
+
+// DiffGetter returns a FileGetCloser that can read files from the directory that
+// contains files for the layer differences. Used for direct access for tar-split.
+func (a *Driver) DiffGetter(id string) (graphdriver.FileGetCloser, error) {
+	p := path.Join(a.rootPath(), "diff", id)
+	return fileGetNilCloser{storage.NewPathFileGetter(p)}, nil
+}
+
+func (a *Driver) applyDiff(id string, diff io.Reader) error {
+	return chrootarchive.UntarUncompressed(diff, path.Join(a.rootPath(), "diff", id), &archive.TarOptions{
+		UIDMaps: a.uidMaps,
+		GIDMaps: a.gidMaps,
+	})
+}
+
+// DiffSize calculates the changes between the specified id
+// and its parent and returns the size in bytes of the changes
+// relative to its base filesystem directory.
+func (a *Driver) DiffSize(id, parent string) (size int64, err error) {
+	if !a.isParent(id, parent) {
+		return a.naiveDiff.DiffSize(id, parent)
+	}
+	// AUFS doesn't need the parent layer to calculate the diff size.
+	return directory.Size(context.TODO(), path.Join(a.rootPath(), "diff", id))
+}
+
+// ApplyDiff extracts the changeset from the given diff into the
+// layer with the specified id and parent, returning the size of the
+// new layer in bytes.
+func (a *Driver) ApplyDiff(id, parent string, diff io.Reader) (size int64, err error) {
+	if !a.isParent(id, parent) {
+		return a.naiveDiff.ApplyDiff(id, parent, diff)
+	}
+
+	// AUFS doesn't need the parent id to apply the diff if it is the direct parent.
+	if err = a.applyDiff(id, diff); err != nil {
+		return
+	}
+
+	return a.DiffSize(id, parent)
+}
+
+// Changes produces a list of changes between the specified layer
+// and its parent layer. If parent is "", then all changes will be ADD changes.
+func (a *Driver) Changes(id, parent string) ([]archive.Change, error) {
+	if !a.isParent(id, parent) {
+		return a.naiveDiff.Changes(id, parent)
+	}
+
+	// AUFS doesn't have snapshots, so we need to get changes from all parent
+	// layers.
+	layers, err := a.getParentLayerPaths(id)
+	if err != nil {
+		return nil, err
+	}
+	return archive.Changes(layers, path.Join(a.rootPath(), "diff", id))
+}
+
+func (a *Driver) getParentLayerPaths(id string) ([]string, error) {
+	parentIds, err := getParentIDs(a.rootPath(), id)
+	if err != nil {
+		return nil, err
+	}
+	layers := make([]string, len(parentIds))
+
+	// Get the diff paths for all the parent ids
+	for i, p := range parentIds {
+		layers[i] = path.Join(a.rootPath(), "diff", p)
+	}
+	return layers, nil
+}
+
+func (a *Driver) mount(id string, target string, mountLabel string, layers []string) error {
+	a.Lock()
+	defer a.Unlock()
+
+	// If the id is mounted or we get an error return
+	if mounted, err := a.mounted(target); err != nil || mounted {
+		return err
+	}
+
+	rw := a.getDiffPath(id)
+
+	if err := a.aufsMount(layers, rw, target, mountLabel); err != nil {
+		return fmt.Errorf("error creating aufs mount to %s: %v", target, err)
+	}
+	return nil
+}
+
+func (a *Driver) unmount(mountPath string) error {
+	a.Lock()
+	defer a.Unlock()
+
+	if mounted, err := a.mounted(mountPath); err != nil || !mounted {
+		return err
+	}
+	return Unmount(mountPath)
+}
+
+func (a *Driver) mounted(mountpoint string) (bool, error) {
+	return graphdriver.Mounted(graphdriver.FsMagicAufs, mountpoint)
+}
+
+// Cleanup aufs and unmount all mountpoints
+func (a *Driver) Cleanup() error {
+	var dirs []string
+	if err := filepath.Walk(a.mntPath(), func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() {
+			return nil
+		}
+		dirs = append(dirs, path)
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	for _, m := range dirs {
+		if err := a.unmount(m); err != nil {
+			logger.Debugf("error unmounting %s: %s", m, err)
+		}
+	}
+	return mountpk.RecursiveUnmount(a.root)
+}
+
+func (a *Driver) aufsMount(ro []string, rw, target, mountLabel string) (err error) {
+	defer func() {
+		if err != nil {
+			Unmount(target)
+		}
+	}()
+
+	// Mount options are clipped to page size(4096 bytes). If there are more
+	// layers then these are remounted individually using append.
+
+	offset := 54
+	if useDirperm() {
+		offset += len(",dirperm1")
+	}
+	b := make([]byte, unix.Getpagesize()-len(mountLabel)-offset) // room for xino & mountLabel
+	bp := copy(b, fmt.Sprintf("br:%s=rw", rw))
+
+	index := 0
+	for ; index < len(ro); index++ {
+		layer := fmt.Sprintf(":%s=ro+wh", ro[index])
+		if bp+len(layer) > len(b) {
+			break
+		}
+		bp += copy(b[bp:], layer)
+	}
+
+	opts := "dio,xino=/dev/shm/aufs.xino"
+	if useDirperm() {
+		opts += ",dirperm1"
+	}
+	data := label.FormatMountLabel(fmt.Sprintf("%s,%s", string(b[:bp]), opts), mountLabel)
+	if err = mount("none", target, "aufs", 0, data); err != nil {
+		return
+	}
+
+	for ; index < len(ro); index++ {
+		layer := fmt.Sprintf(":%s=ro+wh", ro[index])
+		data := label.FormatMountLabel(fmt.Sprintf("append%s", layer), mountLabel)
+		if err = mount("none", target, "aufs", unix.MS_REMOUNT, data); err != nil {
+			return
+		}
+	}
+
+	return
+}
+
+// useDirperm checks dirperm1 mount option can be used with the current
+// version of aufs.
+func useDirperm() bool {
+	enableDirpermLock.Do(func() {
+		base, err := ioutil.TempDir("", "docker-aufs-base")
+		if err != nil {
+			logger.Errorf("error checking dirperm1: %v", err)
+			return
+		}
+		defer os.RemoveAll(base)
+
+		union, err := ioutil.TempDir("", "docker-aufs-union")
+		if err != nil {
+			logger.Errorf("error checking dirperm1: %v", err)
+			return
+		}
+		defer os.RemoveAll(union)
+
+		opts := fmt.Sprintf("br:%s,dirperm1,xino=/dev/shm/aufs.xino", base)
+		if err := mount("none", union, "aufs", 0, opts); err != nil {
+			return
+		}
+		enableDirperm = true
+		if err := Unmount(union); err != nil {
+			logger.Errorf("error checking dirperm1: failed to unmount %v", err)
+		}
+	})
+	return enableDirperm
+}
diff --git a/engine/daemon/graphdriver/aufs/aufs_test.go b/engine/daemon/graphdriver/aufs/aufs_test.go
new file mode 100644
index 00000000..fdc502ba
--- /dev/null
+++ b/engine/daemon/graphdriver/aufs/aufs_test.go
@@ -0,0 +1,805 @@
+// +build linux
+
+package aufs // import "github.com/docker/docker/daemon/graphdriver/aufs"
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"sync"
+	"testing"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/reexec"
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+var (
+	tmpOuter = path.Join(os.TempDir(), "aufs-tests")
+	tmp      = path.Join(tmpOuter, "aufs")
+)
+
+func init() {
+	reexec.Init()
+}
+
+func testInit(dir string, t testing.TB) graphdriver.Driver {
+	d, err := Init(dir, nil, nil, nil)
+	if err != nil {
+		if err == graphdriver.ErrNotSupported {
+			t.Skip(err)
+		} else {
+			t.Fatal(err)
+		}
+	}
+	return d
+}
+
+func driverGet(d *Driver, id string, mntLabel string) (string, error) {
+	mnt, err := d.Get(id, mntLabel)
+	if err != nil {
+		return "", err
+	}
+	return mnt.Path(), nil
+}
+
+func newDriver(t testing.TB) *Driver {
+	if err := os.MkdirAll(tmp, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	d := testInit(tmp, t)
+	return d.(*Driver)
+}
+
+func TestNewDriver(t *testing.T) {
+	if err := os.MkdirAll(tmp, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	d := testInit(tmp, t)
+	defer os.RemoveAll(tmp)
+	if d == nil {
+		t.Fatal("Driver should not be nil")
+	}
+}
+
+func TestAufsString(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if d.String() != "aufs" {
+		t.Fatalf("Expected aufs got %s", d.String())
+	}
+}
+
+func TestCreateDirStructure(t *testing.T) {
+	newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	paths := []string{
+		"mnt",
+		"layers",
+		"diff",
+	}
+
+	for _, p := range paths {
+		if _, err := os.Stat(path.Join(tmp, p)); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
+// We should be able to create two drivers with the same dir structure
+func TestNewDriverFromExistingDir(t *testing.T) {
+	if err := os.MkdirAll(tmp, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	testInit(tmp, t)
+	testInit(tmp, t)
+	os.RemoveAll(tmp)
+}
+
+func TestCreateNewDir(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.Create("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestCreateNewDirStructure(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.Create("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	paths := []string{
+		"mnt",
+		"diff",
+		"layers",
+	}
+
+	for _, p := range paths {
+		if _, err := os.Stat(path.Join(tmp, p, "1")); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
+
+func TestRemoveImage(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.Create("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := d.Remove("1"); err != nil {
+		t.Fatal(err)
+	}
+
+	paths := []string{
+		"mnt",
+		"diff",
+		"layers",
+	}
+
+	for _, p := range paths {
+		if _, err := os.Stat(path.Join(tmp, p, "1")); err == nil {
+			t.Fatalf("Error should not be nil because dirs with id 1 should be deleted: %s", p)
+		}
+		if _, err := os.Stat(path.Join(tmp, p, "1-removing")); err == nil {
+			t.Fatalf("Error should not be nil because dirs with id 1-removing should be deleted: %s", p)
+		}
+	}
+}
+
+func TestGetWithoutParent(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.Create("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	diffPath, err := d.Get("1", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	expected := path.Join(tmp, "diff", "1")
+	if diffPath.Path() != expected {
+		t.Fatalf("Expected path %s got %s", expected, diffPath)
+	}
+}
+
+func TestCleanupWithNoDirs(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	err := d.Cleanup()
+	assert.Check(t, err)
+}
+
+func TestCleanupWithDir(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.Create("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := d.Cleanup(); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestMountedFalseResponse(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	err := d.Create("1", "", nil)
+	assert.NilError(t, err)
+
+	response, err := d.mounted(d.getDiffPath("1"))
+	assert.NilError(t, err)
+	assert.Check(t, !response)
+}
+
+func TestMountedTrueResponse(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+	defer d.Cleanup()
+
+	err := d.Create("1", "", nil)
+	assert.NilError(t, err)
+	err = d.Create("2", "1", nil)
+	assert.NilError(t, err)
+
+	_, err = d.Get("2", "")
+	assert.NilError(t, err)
+
+	response, err := d.mounted(d.pathCache["2"])
+	assert.NilError(t, err)
+	assert.Check(t, response)
+}
+
+func TestMountWithParent(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.Create("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+	if err := d.Create("2", "1", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	defer func() {
+		if err := d.Cleanup(); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	mntPath, err := d.Get("2", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if mntPath == nil {
+		t.Fatal("mntPath should not be nil")
+	}
+
+	expected := path.Join(tmp, "mnt", "2")
+	if mntPath.Path() != expected {
+		t.Fatalf("Expected %s got %s", expected, mntPath.Path())
+	}
+}
+
+func TestRemoveMountedDir(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.Create("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+	if err := d.Create("2", "1", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	defer func() {
+		if err := d.Cleanup(); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	mntPath, err := d.Get("2", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if mntPath == nil {
+		t.Fatal("mntPath should not be nil")
+	}
+
+	mounted, err := d.mounted(d.pathCache["2"])
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !mounted {
+		t.Fatal("Dir id 2 should be mounted")
+	}
+
+	if err := d.Remove("2"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestCreateWithInvalidParent(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.Create("1", "docker", nil); err == nil {
+		t.Fatal("Error should not be nil with parent does not exist")
+	}
+}
+
+func TestGetDiff(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.CreateReadWrite("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	diffPath, err := driverGet(d, "1", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Add a file to the diff path with a fixed size
+	size := int64(1024)
+
+	f, err := os.Create(path.Join(diffPath, "test_file"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := f.Truncate(size); err != nil {
+		t.Fatal(err)
+	}
+	f.Close()
+
+	a, err := d.Diff("1", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if a == nil {
+		t.Fatal("Archive should not be nil")
+	}
+}
+
+func TestChanges(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.Create("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := d.CreateReadWrite("2", "1", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	defer func() {
+		if err := d.Cleanup(); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	mntPoint, err := driverGet(d, "2", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a file to save in the mountpoint
+	f, err := os.Create(path.Join(mntPoint, "test.txt"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := f.WriteString("testline"); err != nil {
+		t.Fatal(err)
+	}
+	if err := f.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	changes, err := d.Changes("2", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(changes) != 1 {
+		t.Fatalf("Dir 2 should have one change from parent got %d", len(changes))
+	}
+	change := changes[0]
+
+	expectedPath := "/test.txt"
+	if change.Path != expectedPath {
+		t.Fatalf("Expected path %s got %s", expectedPath, change.Path)
+	}
+
+	if change.Kind != archive.ChangeAdd {
+		t.Fatalf("Change kind should be ChangeAdd got %s", change.Kind)
+	}
+
+	if err := d.CreateReadWrite("3", "2", nil); err != nil {
+		t.Fatal(err)
+	}
+	mntPoint, err = driverGet(d, "3", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a file to save in the mountpoint
+	f, err = os.Create(path.Join(mntPoint, "test2.txt"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := f.WriteString("testline"); err != nil {
+		t.Fatal(err)
+	}
+	if err := f.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	changes, err = d.Changes("3", "2")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(changes) != 1 {
+		t.Fatalf("Dir 2 should have one change from parent got %d", len(changes))
+	}
+	change = changes[0]
+
+	expectedPath = "/test2.txt"
+	if change.Path != expectedPath {
+		t.Fatalf("Expected path %s got %s", expectedPath, change.Path)
+	}
+
+	if change.Kind != archive.ChangeAdd {
+		t.Fatalf("Change kind should be ChangeAdd got %s", change.Kind)
+	}
+}
+
+func TestDiffSize(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+
+	if err := d.CreateReadWrite("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	diffPath, err := driverGet(d, "1", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Add a file to the diff path with a fixed size
+	size := int64(1024)
+
+	f, err := os.Create(path.Join(diffPath, "test_file"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := f.Truncate(size); err != nil {
+		t.Fatal(err)
+	}
+	s, err := f.Stat()
+	if err != nil {
+		t.Fatal(err)
+	}
+	size = s.Size()
+	if err := f.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	diffSize, err := d.DiffSize("1", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diffSize != size {
+		t.Fatalf("Expected size to be %d got %d", size, diffSize)
+	}
+}
+
+func TestChildDiffSize(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+	defer d.Cleanup()
+
+	if err := d.CreateReadWrite("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	diffPath, err := driverGet(d, "1", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Add a file to the diff path with a fixed size
+	size := int64(1024)
+
+	f, err := os.Create(path.Join(diffPath, "test_file"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := f.Truncate(size); err != nil {
+		t.Fatal(err)
+	}
+	s, err := f.Stat()
+	if err != nil {
+		t.Fatal(err)
+	}
+	size = s.Size()
+	if err := f.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	diffSize, err := d.DiffSize("1", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diffSize != size {
+		t.Fatalf("Expected size to be %d got %d", size, diffSize)
+	}
+
+	if err := d.Create("2", "1", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	diffSize, err = d.DiffSize("2", "1")
+	if err != nil {
+		t.Fatal(err)
+	}
+	// The diff size for the child should be zero
+	if diffSize != 0 {
+		t.Fatalf("Expected size to be %d got %d", 0, diffSize)
+	}
+}
+
+func TestExists(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+	defer d.Cleanup()
+
+	if err := d.Create("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if d.Exists("none") {
+		t.Fatal("id none should not exist in the driver")
+	}
+
+	if !d.Exists("1") {
+		t.Fatal("id 1 should exist in the driver")
+	}
+}
+
+func TestStatus(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+	defer d.Cleanup()
+
+	if err := d.Create("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	status := d.Status()
+	assert.Check(t, is.Len(status, 4))
+
+	rootDir := status[0]
+	dirs := status[2]
+	if rootDir[0] != "Root Dir" {
+		t.Fatalf("Expected Root Dir got %s", rootDir[0])
+	}
+	if rootDir[1] != d.rootPath() {
+		t.Fatalf("Expected %s got %s", d.rootPath(), rootDir[1])
+	}
+	if dirs[0] != "Dirs" {
+		t.Fatalf("Expected Dirs got %s", dirs[0])
+	}
+	if dirs[1] != "1" {
+		t.Fatalf("Expected 1 got %s", dirs[1])
+	}
+}
+
+func TestApplyDiff(t *testing.T) {
+	d := newDriver(t)
+	defer os.RemoveAll(tmp)
+	defer d.Cleanup()
+
+	if err := d.CreateReadWrite("1", "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	diffPath, err := driverGet(d, "1", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Add a file to the diff path with a fixed size
+	size := int64(1024)
+
+	f, err := os.Create(path.Join(diffPath, "test_file"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := f.Truncate(size); err != nil {
+		t.Fatal(err)
+	}
+	f.Close()
+
+	diff, err := d.Diff("1", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := d.Create("2", "", nil); err != nil {
+		t.Fatal(err)
+	}
+	if err := d.Create("3", "2", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := d.applyDiff("3", diff); err != nil {
+		t.Fatal(err)
+	}
+
+	// Ensure that the file is in the mount point for id 3
+
+	mountPoint, err := driverGet(d, "3", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if _, err := os.Stat(path.Join(mountPoint, "test_file")); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func hash(c string) string {
+	h := sha256.New()
+	fmt.Fprint(h, c)
+	return hex.EncodeToString(h.Sum(nil))
+}
+
+func testMountMoreThan42Layers(t *testing.T, mountPath string) {
+	if err := os.MkdirAll(mountPath, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	defer os.RemoveAll(mountPath)
+	d := testInit(mountPath, t).(*Driver)
+	defer d.Cleanup()
+	var last string
+	var expected int
+
+	for i := 1; i < 127; i++ {
+		expected++
+		var (
+			parent  = fmt.Sprintf("%d", i-1)
+			current = fmt.Sprintf("%d", i)
+		)
+
+		if parent == "0" {
+			parent = ""
+		} else {
+			parent = hash(parent)
+		}
+		current = hash(current)
+
+		err := d.CreateReadWrite(current, parent, nil)
+		assert.NilError(t, err, "current layer %d", i)
+
+		point, err := driverGet(d, current, "")
+		assert.NilError(t, err, "current layer %d", i)
+
+		f, err := os.Create(path.Join(point, current))
+		assert.NilError(t, err, "current layer %d", i)
+		f.Close()
+
+		if i%10 == 0 {
+			err := os.Remove(path.Join(point, parent))
+			assert.NilError(t, err, "current layer %d", i)
+			expected--
+		}
+		last = current
+	}
+
+	// Perform the actual mount for the top most image
+	point, err := driverGet(d, last, "")
+	assert.NilError(t, err)
+	files, err := ioutil.ReadDir(point)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(files, expected))
+}
+
+func TestMountMoreThan42Layers(t *testing.T) {
+	defer os.RemoveAll(tmpOuter)
+	testMountMoreThan42Layers(t, tmp)
+}
+
+func TestMountMoreThan42LayersMatchingPathLength(t *testing.T) {
+	defer os.RemoveAll(tmpOuter)
+	zeroes := "0"
+	for {
+		// This finds a mount path so that when combined into aufs mount options
+		// 4096 byte boundary would be in between the paths or in permission
+		// section. For '/tmp' it will use '/tmp/aufs-tests/00000000/aufs'
+		mountPath := path.Join(tmpOuter, zeroes, "aufs")
+		pathLength := 77 + len(mountPath)
+
+		if mod := 4095 % pathLength; mod == 0 || mod > pathLength-2 {
+			t.Logf("Using path: %s", mountPath)
+			testMountMoreThan42Layers(t, mountPath)
+			return
+		}
+		zeroes += "0"
+	}
+}
+
+func BenchmarkConcurrentAccess(b *testing.B) {
+	b.StopTimer()
+	b.ResetTimer()
+
+	d := newDriver(b)
+	defer os.RemoveAll(tmp)
+	defer d.Cleanup()
+
+	numConcurrent := 256
+	// create a bunch of ids
+	var ids []string
+	for i := 0; i < numConcurrent; i++ {
+		ids = append(ids, stringid.GenerateNonCryptoID())
+	}
+
+	if err := d.Create(ids[0], "", nil); err != nil {
+		b.Fatal(err)
+	}
+
+	if err := d.Create(ids[1], ids[0], nil); err != nil {
+		b.Fatal(err)
+	}
+
+	parent := ids[1]
+	ids = append(ids[2:])
+
+	chErr := make(chan error, numConcurrent)
+	var outerGroup sync.WaitGroup
+	outerGroup.Add(len(ids))
+	b.StartTimer()
+
+	// here's the actual bench
+	for _, id := range ids {
+		go func(id string) {
+			defer outerGroup.Done()
+			if err := d.Create(id, parent, nil); err != nil {
+				b.Logf("Create %s failed", id)
+				chErr <- err
+				return
+			}
+			var innerGroup sync.WaitGroup
+			for i := 0; i < b.N; i++ {
+				innerGroup.Add(1)
+				go func() {
+					d.Get(id, "")
+					d.Put(id)
+					innerGroup.Done()
+				}()
+			}
+			innerGroup.Wait()
+			d.Remove(id)
+		}(id)
+	}
+
+	outerGroup.Wait()
+	b.StopTimer()
+	close(chErr)
+	for err := range chErr {
+		if err != nil {
+			b.Log(err)
+			b.Fail()
+		}
+	}
+}
+
+func TestInitStaleCleanup(t *testing.T) {
+	if err := os.MkdirAll(tmp, 0755); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+
+	for _, d := range []string{"diff", "mnt"} {
+		if err := os.MkdirAll(filepath.Join(tmp, d, "123-removing"), 0755); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	testInit(tmp, t)
+	for _, d := range []string{"diff", "mnt"} {
+		if _, err := os.Stat(filepath.Join(tmp, d, "123-removing")); err == nil {
+			t.Fatal("cleanup failed")
+		}
+	}
+}
diff --git a/engine/daemon/graphdriver/aufs/dirs.go b/engine/daemon/graphdriver/aufs/dirs.go
new file mode 100644
index 00000000..e60be5e3
--- /dev/null
+++ b/engine/daemon/graphdriver/aufs/dirs.go
@@ -0,0 +1,64 @@
+// +build linux
+
+package aufs // import "github.com/docker/docker/daemon/graphdriver/aufs"
+
+import (
+	"bufio"
+	"io/ioutil"
+	"os"
+	"path"
+)
+
+// Return all the directories
+func loadIds(root string) ([]string, error) {
+	dirs, err := ioutil.ReadDir(root)
+	if err != nil {
+		return nil, err
+	}
+	var out []string
+	for _, d := range dirs {
+		if !d.IsDir() {
+			out = append(out, d.Name())
+		}
+	}
+	return out, nil
+}
+
+// Read the layers file for the current id and return all the
+// layers represented by new lines in the file
+//
+// If there are no lines in the file then the id has no parent
+// and an empty slice is returned.
+func getParentIDs(root, id string) ([]string, error) {
+	f, err := os.Open(path.Join(root, "layers", id))
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	var out []string
+	s := bufio.NewScanner(f)
+
+	for s.Scan() {
+		if t := s.Text(); t != "" {
+			out = append(out, s.Text())
+		}
+	}
+	return out, s.Err()
+}
+
+func (a *Driver) getMountpoint(id string) string {
+	return path.Join(a.mntPath(), id)
+}
+
+func (a *Driver) mntPath() string {
+	return path.Join(a.rootPath(), "mnt")
+}
+
+func (a *Driver) getDiffPath(id string) string {
+	return path.Join(a.diffPath(), id)
+}
+
+func (a *Driver) diffPath() string {
+	return path.Join(a.rootPath(), "diff")
+}
diff --git a/engine/daemon/graphdriver/aufs/mount.go b/engine/daemon/graphdriver/aufs/mount.go
new file mode 100644
index 00000000..9f551038
--- /dev/null
+++ b/engine/daemon/graphdriver/aufs/mount.go
@@ -0,0 +1,17 @@
+// +build linux
+
+package aufs // import "github.com/docker/docker/daemon/graphdriver/aufs"
+
+import (
+	"os/exec"
+
+	"golang.org/x/sys/unix"
+)
+
+// Unmount the target specified.
+func Unmount(target string) error {
+	if err := exec.Command("auplink", target, "flush").Run(); err != nil {
+		logger.WithError(err).Warnf("Couldn't run auplink before unmount %s", target)
+	}
+	return unix.Unmount(target, 0)
+}
diff --git a/engine/daemon/graphdriver/aufs/mount_linux.go b/engine/daemon/graphdriver/aufs/mount_linux.go
new file mode 100644
index 00000000..8d5ad8f3
--- /dev/null
+++ b/engine/daemon/graphdriver/aufs/mount_linux.go
@@ -0,0 +1,7 @@
+package aufs // import "github.com/docker/docker/daemon/graphdriver/aufs"
+
+import "golang.org/x/sys/unix"
+
+func mount(source string, target string, fstype string, flags uintptr, data string) error {
+	return unix.Mount(source, target, fstype, flags, data)
+}
diff --git a/engine/daemon/graphdriver/aufs/mount_unsupported.go b/engine/daemon/graphdriver/aufs/mount_unsupported.go
new file mode 100644
index 00000000..cf7f58c2
--- /dev/null
+++ b/engine/daemon/graphdriver/aufs/mount_unsupported.go
@@ -0,0 +1,12 @@
+// +build !linux
+
+package aufs // import "github.com/docker/docker/daemon/graphdriver/aufs"
+
+import "errors"
+
+// MsRemount declared to specify a non-linux system mount.
+const MsRemount = 0
+
+func mount(source string, target string, fstype string, flags uintptr, data string) (err error) {
+	return errors.New("mount is not implemented on this platform")
+}
diff --git a/engine/daemon/graphdriver/btrfs/btrfs.go b/engine/daemon/graphdriver/btrfs/btrfs.go
new file mode 100644
index 00000000..cac62403
--- /dev/null
+++ b/engine/daemon/graphdriver/btrfs/btrfs.go
@@ -0,0 +1,663 @@
+// +build linux
+
+package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
+
+/*
+#include <stdlib.h>
+#include <dirent.h>
+#include <btrfs/ioctl.h>
+#include <btrfs/ctree.h>
+
+static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
+    snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
+}
+*/
+import "C"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"math"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"unsafe"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/parsers"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/go-units"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func init() {
+	graphdriver.Register("btrfs", Init)
+}
+
+type btrfsOptions struct {
+	minSpace uint64
+	size     uint64
+}
+
+// Init returns a new BTRFS driver.
+// An error is returned if BTRFS is not supported.
+func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) {
+
+	// Perform feature detection on /var/lib/docker/btrfs if it's an existing directory.
+	// This covers situations where /var/lib/docker/btrfs is a mount, and on a different
+	// filesystem than /var/lib/docker.
+	// If the path does not exist, fall back to using /var/lib/docker for feature detection.
+	testdir := home
+	if _, err := os.Stat(testdir); os.IsNotExist(err) {
+		testdir = filepath.Dir(testdir)
+	}
+
+	fsMagic, err := graphdriver.GetFSMagic(testdir)
+	if err != nil {
+		return nil, err
+	}
+
+	if fsMagic != graphdriver.FsMagicBtrfs {
+		return nil, graphdriver.ErrPrerequisites
+	}
+
+	rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
+	if err != nil {
+		return nil, err
+	}
+	if err := idtools.MkdirAllAndChown(home, 0700, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+		return nil, err
+	}
+
+	opt, userDiskQuota, err := parseOptions(options)
+	if err != nil {
+		return nil, err
+	}
+
+	driver := &Driver{
+		home:    home,
+		uidMaps: uidMaps,
+		gidMaps: gidMaps,
+		options: opt,
+	}
+
+	if userDiskQuota {
+		if err := driver.subvolEnableQuota(); err != nil {
+			return nil, err
+		}
+	}
+
+	return graphdriver.NewNaiveDiffDriver(driver, uidMaps, gidMaps), nil
+}
+
+func parseOptions(opt []string) (btrfsOptions, bool, error) {
+	var options btrfsOptions
+	userDiskQuota := false
+	for _, option := range opt {
+		key, val, err := parsers.ParseKeyValueOpt(option)
+		if err != nil {
+			return options, userDiskQuota, err
+		}
+		key = strings.ToLower(key)
+		switch key {
+		case "btrfs.min_space":
+			minSpace, err := units.RAMInBytes(val)
+			if err != nil {
+				return options, userDiskQuota, err
+			}
+			userDiskQuota = true
+			options.minSpace = uint64(minSpace)
+		default:
+			return options, userDiskQuota, fmt.Errorf("Unknown option %s", key)
+		}
+	}
+	return options, userDiskQuota, nil
+}
+
+// Driver contains information about the filesystem mounted.
+type Driver struct {
+	//root of the file system
+	home         string
+	uidMaps      []idtools.IDMap
+	gidMaps      []idtools.IDMap
+	options      btrfsOptions
+	quotaEnabled bool
+	once         sync.Once
+}
+
+// String prints the name of the driver (btrfs).
+func (d *Driver) String() string {
+	return "btrfs"
+}
+
+// Status returns current driver information in a two dimensional string array.
+// Output contains "Build Version" and "Library Version" of the btrfs libraries used.
+// Version information can be used to check compatibility with your kernel.
+func (d *Driver) Status() [][2]string {
+	status := [][2]string{}
+	if bv := btrfsBuildVersion(); bv != "-" {
+		status = append(status, [2]string{"Build Version", bv})
+	}
+	if lv := btrfsLibVersion(); lv != -1 {
+		status = append(status, [2]string{"Library Version", fmt.Sprintf("%d", lv)})
+	}
+	return status
+}
+
+// GetMetadata returns empty metadata for this driver.
+func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+	return nil, nil
+}
+
+// Cleanup unmounts the home directory.
+func (d *Driver) Cleanup() error {
+	return d.subvolDisableQuota()
+}
+
+func free(p *C.char) {
+	C.free(unsafe.Pointer(p))
+}
+
+func openDir(path string) (*C.DIR, error) {
+	Cpath := C.CString(path)
+	defer free(Cpath)
+
+	dir := C.opendir(Cpath)
+	if dir == nil {
+		return nil, fmt.Errorf("Can't open dir")
+	}
+	return dir, nil
+}
+
+func closeDir(dir *C.DIR) {
+	if dir != nil {
+		C.closedir(dir)
+	}
+}
+
+func getDirFd(dir *C.DIR) uintptr {
+	return uintptr(C.dirfd(dir))
+}
+
+func subvolCreate(path, name string) error {
+	dir, err := openDir(path)
+	if err != nil {
+		return err
+	}
+	defer closeDir(dir)
+
+	var args C.struct_btrfs_ioctl_vol_args
+	for i, c := range []byte(name) {
+		args.name[i] = C.char(c)
+	}
+
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_SUBVOL_CREATE,
+		uintptr(unsafe.Pointer(&args)))
+	if errno != 0 {
+		return fmt.Errorf("Failed to create btrfs subvolume: %v", errno.Error())
+	}
+	return nil
+}
+
+func subvolSnapshot(src, dest, name string) error {
+	srcDir, err := openDir(src)
+	if err != nil {
+		return err
+	}
+	defer closeDir(srcDir)
+
+	destDir, err := openDir(dest)
+	if err != nil {
+		return err
+	}
+	defer closeDir(destDir)
+
+	var args C.struct_btrfs_ioctl_vol_args_v2
+	args.fd = C.__s64(getDirFd(srcDir))
+
+	var cs = C.CString(name)
+	C.set_name_btrfs_ioctl_vol_args_v2(&args, cs)
+	C.free(unsafe.Pointer(cs))
+
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(destDir), C.BTRFS_IOC_SNAP_CREATE_V2,
+		uintptr(unsafe.Pointer(&args)))
+	if errno != 0 {
+		return fmt.Errorf("Failed to create btrfs snapshot: %v", errno.Error())
+	}
+	return nil
+}
+
+func isSubvolume(p string) (bool, error) {
+	var bufStat unix.Stat_t
+	if err := unix.Lstat(p, &bufStat); err != nil {
+		return false, err
+	}
+
+	// return true if it is a btrfs subvolume
+	return bufStat.Ino == C.BTRFS_FIRST_FREE_OBJECTID, nil
+}
+
+func subvolDelete(dirpath, name string, quotaEnabled bool) error {
+	dir, err := openDir(dirpath)
+	if err != nil {
+		return err
+	}
+	defer closeDir(dir)
+	fullPath := path.Join(dirpath, name)
+
+	var args C.struct_btrfs_ioctl_vol_args
+
+	// walk the btrfs subvolumes
+	walkSubvolumes := func(p string, f os.FileInfo, err error) error {
+		if err != nil {
+			if os.IsNotExist(err) && p != fullPath {
+				// missing most likely because the path was a subvolume that got removed in the previous iteration
+				// since it's gone anyway, we don't care
+				return nil
+			}
+			return fmt.Errorf("error walking subvolumes: %v", err)
+		}
+		// we want to check children only so skip itself
+		// it will be removed after the filepath walk anyways
+		if f.IsDir() && p != fullPath {
+			sv, err := isSubvolume(p)
+			if err != nil {
+				return fmt.Errorf("Failed to test if %s is a btrfs subvolume: %v", p, err)
+			}
+			if sv {
+				if err := subvolDelete(path.Dir(p), f.Name(), quotaEnabled); err != nil {
+					return fmt.Errorf("Failed to destroy btrfs child subvolume (%s) of parent (%s): %v", p, dirpath, err)
+				}
+			}
+		}
+		return nil
+	}
+	if err := filepath.Walk(path.Join(dirpath, name), walkSubvolumes); err != nil {
+		return fmt.Errorf("Recursively walking subvolumes for %s failed: %v", dirpath, err)
+	}
+
+	if quotaEnabled {
+		if qgroupid, err := subvolLookupQgroup(fullPath); err == nil {
+			var args C.struct_btrfs_ioctl_qgroup_create_args
+			args.qgroupid = C.__u64(qgroupid)
+
+			_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_QGROUP_CREATE,
+				uintptr(unsafe.Pointer(&args)))
+			if errno != 0 {
+				logrus.WithField("storage-driver", "btrfs").Errorf("Failed to delete btrfs qgroup %v for %s: %v", qgroupid, fullPath, errno.Error())
+			}
+		} else {
+			logrus.WithField("storage-driver", "btrfs").Errorf("Failed to lookup btrfs qgroup for %s: %v", fullPath, err.Error())
+		}
+	}
+
+	// all subvolumes have been removed
+	// now remove the one originally passed in
+	for i, c := range []byte(name) {
+		args.name[i] = C.char(c)
+	}
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_SNAP_DESTROY,
+		uintptr(unsafe.Pointer(&args)))
+	if errno != 0 {
+		return fmt.Errorf("Failed to destroy btrfs snapshot %s for %s: %v", dirpath, name, errno.Error())
+	}
+	return nil
+}
+
+func (d *Driver) updateQuotaStatus() {
+	d.once.Do(func() {
+		if !d.quotaEnabled {
+			// In case quotaEnabled is not set, check qgroup and update quotaEnabled as needed
+			if err := subvolQgroupStatus(d.home); err != nil {
+				// quota is still not enabled
+				return
+			}
+			d.quotaEnabled = true
+		}
+	})
+}
+
+func (d *Driver) subvolEnableQuota() error {
+	d.updateQuotaStatus()
+
+	if d.quotaEnabled {
+		return nil
+	}
+
+	dir, err := openDir(d.home)
+	if err != nil {
+		return err
+	}
+	defer closeDir(dir)
+
+	var args C.struct_btrfs_ioctl_quota_ctl_args
+	args.cmd = C.BTRFS_QUOTA_CTL_ENABLE
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_QUOTA_CTL,
+		uintptr(unsafe.Pointer(&args)))
+	if errno != 0 {
+		return fmt.Errorf("Failed to enable btrfs quota for %s: %v", dir, errno.Error())
+	}
+
+	d.quotaEnabled = true
+
+	return nil
+}
+
+func (d *Driver) subvolDisableQuota() error {
+	d.updateQuotaStatus()
+
+	if !d.quotaEnabled {
+		return nil
+	}
+
+	dir, err := openDir(d.home)
+	if err != nil {
+		return err
+	}
+	defer closeDir(dir)
+
+	var args C.struct_btrfs_ioctl_quota_ctl_args
+	args.cmd = C.BTRFS_QUOTA_CTL_DISABLE
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_QUOTA_CTL,
+		uintptr(unsafe.Pointer(&args)))
+	if errno != 0 {
+		return fmt.Errorf("Failed to disable btrfs quota for %s: %v", dir, errno.Error())
+	}
+
+	d.quotaEnabled = false
+
+	return nil
+}
+
+func (d *Driver) subvolRescanQuota() error {
+	d.updateQuotaStatus()
+
+	if !d.quotaEnabled {
+		return nil
+	}
+
+	dir, err := openDir(d.home)
+	if err != nil {
+		return err
+	}
+	defer closeDir(dir)
+
+	var args C.struct_btrfs_ioctl_quota_rescan_args
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_QUOTA_RESCAN_WAIT,
+		uintptr(unsafe.Pointer(&args)))
+	if errno != 0 {
+		return fmt.Errorf("Failed to rescan btrfs quota for %s: %v", dir, errno.Error())
+	}
+
+	return nil
+}
+
+func subvolLimitQgroup(path string, size uint64) error {
+	dir, err := openDir(path)
+	if err != nil {
+		return err
+	}
+	defer closeDir(dir)
+
+	var args C.struct_btrfs_ioctl_qgroup_limit_args
+	args.lim.max_referenced = C.__u64(size)
+	args.lim.flags = C.BTRFS_QGROUP_LIMIT_MAX_RFER
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_QGROUP_LIMIT,
+		uintptr(unsafe.Pointer(&args)))
+	if errno != 0 {
+		return fmt.Errorf("Failed to limit qgroup for %s: %v", dir, errno.Error())
+	}
+
+	return nil
+}
+
+// subvolQgroupStatus performs a BTRFS_IOC_TREE_SEARCH on the root path
+// with search key of BTRFS_QGROUP_STATUS_KEY.
+// In case qgroup is enabled, the retuned key type will match BTRFS_QGROUP_STATUS_KEY.
+// For more details please see https://github.com/kdave/btrfs-progs/blob/v4.9/qgroup.c#L1035
+func subvolQgroupStatus(path string) error {
+	dir, err := openDir(path)
+	if err != nil {
+		return err
+	}
+	defer closeDir(dir)
+
+	var args C.struct_btrfs_ioctl_search_args
+	args.key.tree_id = C.BTRFS_QUOTA_TREE_OBJECTID
+	args.key.min_type = C.BTRFS_QGROUP_STATUS_KEY
+	args.key.max_type = C.BTRFS_QGROUP_STATUS_KEY
+	args.key.max_objectid = C.__u64(math.MaxUint64)
+	args.key.max_offset = C.__u64(math.MaxUint64)
+	args.key.max_transid = C.__u64(math.MaxUint64)
+	args.key.nr_items = 4096
+
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_TREE_SEARCH,
+		uintptr(unsafe.Pointer(&args)))
+	if errno != 0 {
+		return fmt.Errorf("Failed to search qgroup for %s: %v", path, errno.Error())
+	}
+	sh := (*C.struct_btrfs_ioctl_search_header)(unsafe.Pointer(&args.buf))
+	if sh._type != C.BTRFS_QGROUP_STATUS_KEY {
+		return fmt.Errorf("Invalid qgroup search header type for %s: %v", path, sh._type)
+	}
+	return nil
+}
+
+func subvolLookupQgroup(path string) (uint64, error) {
+	dir, err := openDir(path)
+	if err != nil {
+		return 0, err
+	}
+	defer closeDir(dir)
+
+	var args C.struct_btrfs_ioctl_ino_lookup_args
+	args.objectid = C.BTRFS_FIRST_FREE_OBJECTID
+
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_INO_LOOKUP,
+		uintptr(unsafe.Pointer(&args)))
+	if errno != 0 {
+		return 0, fmt.Errorf("Failed to lookup qgroup for %s: %v", dir, errno.Error())
+	}
+	if args.treeid == 0 {
+		return 0, fmt.Errorf("Invalid qgroup id for %s: 0", dir)
+	}
+
+	return uint64(args.treeid), nil
+}
+
+func (d *Driver) subvolumesDir() string {
+	return path.Join(d.home, "subvolumes")
+}
+
+func (d *Driver) subvolumesDirID(id string) string {
+	return path.Join(d.subvolumesDir(), id)
+}
+
+func (d *Driver) quotasDir() string {
+	return path.Join(d.home, "quotas")
+}
+
+func (d *Driver) quotasDirID(id string) string {
+	return path.Join(d.quotasDir(), id)
+}
+
+// CreateReadWrite creates a layer that is writable for use as a container
+// file system.
+func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error {
+	return d.Create(id, parent, opts)
+}
+
+// Create the filesystem with given id.
+func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+	quotas := path.Join(d.home, "quotas")
+	subvolumes := path.Join(d.home, "subvolumes")
+	rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
+	if err != nil {
+		return err
+	}
+	if err := idtools.MkdirAllAndChown(subvolumes, 0700, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+		return err
+	}
+	if parent == "" {
+		if err := subvolCreate(subvolumes, id); err != nil {
+			return err
+		}
+	} else {
+		parentDir := d.subvolumesDirID(parent)
+		st, err := os.Stat(parentDir)
+		if err != nil {
+			return err
+		}
+		if !st.IsDir() {
+			return fmt.Errorf("%s: not a directory", parentDir)
+		}
+		if err := subvolSnapshot(parentDir, subvolumes, id); err != nil {
+			return err
+		}
+	}
+
+	var storageOpt map[string]string
+	if opts != nil {
+		storageOpt = opts.StorageOpt
+	}
+
+	if _, ok := storageOpt["size"]; ok {
+		driver := &Driver{}
+		if err := d.parseStorageOpt(storageOpt, driver); err != nil {
+			return err
+		}
+
+		if err := d.setStorageSize(path.Join(subvolumes, id), driver); err != nil {
+			return err
+		}
+		if err := idtools.MkdirAllAndChown(quotas, 0700, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+			return err
+		}
+		if err := ioutil.WriteFile(path.Join(quotas, id), []byte(fmt.Sprint(driver.options.size)), 0644); err != nil {
+			return err
+		}
+	}
+
+	// if we have a remapped root (user namespaces enabled), change the created snapshot
+	// dir ownership to match
+	if rootUID != 0 || rootGID != 0 {
+		if err := os.Chown(path.Join(subvolumes, id), rootUID, rootGID); err != nil {
+			return err
+		}
+	}
+
+	mountLabel := ""
+	if opts != nil {
+		mountLabel = opts.MountLabel
+	}
+
+	return label.Relabel(path.Join(subvolumes, id), mountLabel, false)
+}
+
+// Parse btrfs storage options
+func (d *Driver) parseStorageOpt(storageOpt map[string]string, driver *Driver) error {
+	// Read size to change the subvolume disk quota per container
+	for key, val := range storageOpt {
+		key := strings.ToLower(key)
+		switch key {
+		case "size":
+			size, err := units.RAMInBytes(val)
+			if err != nil {
+				return err
+			}
+			driver.options.size = uint64(size)
+		default:
+			return fmt.Errorf("Unknown option %s", key)
+		}
+	}
+
+	return nil
+}
+
+// Set btrfs storage size
+func (d *Driver) setStorageSize(dir string, driver *Driver) error {
+	if driver.options.size <= 0 {
+		return fmt.Errorf("btrfs: invalid storage size: %s", units.HumanSize(float64(driver.options.size)))
+	}
+	if d.options.minSpace > 0 && driver.options.size < d.options.minSpace {
+		return fmt.Errorf("btrfs: storage size cannot be less than %s", units.HumanSize(float64(d.options.minSpace)))
+	}
+	if err := d.subvolEnableQuota(); err != nil {
+		return err
+	}
+	return subvolLimitQgroup(dir, driver.options.size)
+}
+
+// Remove the filesystem with given id.
+func (d *Driver) Remove(id string) error {
+	dir := d.subvolumesDirID(id)
+	if _, err := os.Stat(dir); err != nil {
+		return err
+	}
+	quotasDir := d.quotasDirID(id)
+	if _, err := os.Stat(quotasDir); err == nil {
+		if err := os.Remove(quotasDir); err != nil {
+			return err
+		}
+	} else if !os.IsNotExist(err) {
+		return err
+	}
+
+	// Call updateQuotaStatus() to invoke status update
+	d.updateQuotaStatus()
+
+	if err := subvolDelete(d.subvolumesDir(), id, d.quotaEnabled); err != nil {
+		return err
+	}
+	if err := system.EnsureRemoveAll(dir); err != nil {
+		return err
+	}
+	return d.subvolRescanQuota()
+}
+
+// Get the requested filesystem id.
+func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
+	dir := d.subvolumesDirID(id)
+	st, err := os.Stat(dir)
+	if err != nil {
+		return nil, err
+	}
+
+	if !st.IsDir() {
+		return nil, fmt.Errorf("%s: not a directory", dir)
+	}
+
+	if quota, err := ioutil.ReadFile(d.quotasDirID(id)); err == nil {
+		if size, err := strconv.ParseUint(string(quota), 10, 64); err == nil && size >= d.options.minSpace {
+			if err := d.subvolEnableQuota(); err != nil {
+				return nil, err
+			}
+			if err := subvolLimitQgroup(dir, size); err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	return containerfs.NewLocalContainerFS(dir), nil
+}
+
+// Put is not implemented for BTRFS as there is no cleanup required for the id.
+func (d *Driver) Put(id string) error {
+	// Get() creates no runtime resources (like e.g. mounts)
+	// so this doesn't need to do anything.
+	return nil
+}
+
+// Exists checks if the id exists in the filesystem.
+func (d *Driver) Exists(id string) bool {
+	dir := d.subvolumesDirID(id)
+	_, err := os.Stat(dir)
+	return err == nil
+}
diff --git a/engine/daemon/graphdriver/btrfs/btrfs_test.go b/engine/daemon/graphdriver/btrfs/btrfs_test.go
new file mode 100644
index 00000000..b70e93bc
--- /dev/null
+++ b/engine/daemon/graphdriver/btrfs/btrfs_test.go
@@ -0,0 +1,65 @@
+// +build linux
+
+package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
+
+import (
+	"os"
+	"path"
+	"testing"
+
+	"github.com/docker/docker/daemon/graphdriver/graphtest"
+)
+
+// This avoids creating a new driver for each test if all tests are run
+// Make sure to put new tests between TestBtrfsSetup and TestBtrfsTeardown
+func TestBtrfsSetup(t *testing.T) {
+	graphtest.GetDriver(t, "btrfs")
+}
+
+func TestBtrfsCreateEmpty(t *testing.T) {
+	graphtest.DriverTestCreateEmpty(t, "btrfs")
+}
+
+func TestBtrfsCreateBase(t *testing.T) {
+	graphtest.DriverTestCreateBase(t, "btrfs")
+}
+
+func TestBtrfsCreateSnap(t *testing.T) {
+	graphtest.DriverTestCreateSnap(t, "btrfs")
+}
+
+func TestBtrfsSubvolDelete(t *testing.T) {
+	d := graphtest.GetDriver(t, "btrfs")
+	if err := d.CreateReadWrite("test", "", nil); err != nil {
+		t.Fatal(err)
+	}
+	defer graphtest.PutDriver(t)
+
+	dirFS, err := d.Get("test", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer d.Put("test")
+
+	dir := dirFS.Path()
+
+	if err := subvolCreate(dir, "subvoltest"); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := os.Stat(path.Join(dir, "subvoltest")); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := d.Remove("test"); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := os.Stat(path.Join(dir, "subvoltest")); !os.IsNotExist(err) {
+		t.Fatalf("expected not exist error on nested subvol, got: %v", err)
+	}
+}
+
+func TestBtrfsTeardown(t *testing.T) {
+	graphtest.PutDriver(t)
+}
diff --git a/engine/daemon/graphdriver/btrfs/dummy_unsupported.go b/engine/daemon/graphdriver/btrfs/dummy_unsupported.go
new file mode 100644
index 00000000..d7793f87
--- /dev/null
+++ b/engine/daemon/graphdriver/btrfs/dummy_unsupported.go
@@ -0,0 +1,3 @@
+// +build !linux !cgo
+
+package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
diff --git a/engine/daemon/graphdriver/btrfs/version.go b/engine/daemon/graphdriver/btrfs/version.go
new file mode 100644
index 00000000..2fb5c735
--- /dev/null
+++ b/engine/daemon/graphdriver/btrfs/version.go
@@ -0,0 +1,26 @@
+// +build linux,!btrfs_noversion
+
+package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
+
+/*
+#include <btrfs/version.h>
+
+// around version 3.16, they did not define lib version yet
+#ifndef BTRFS_LIB_VERSION
+#define BTRFS_LIB_VERSION -1
+#endif
+
+// upstream had removed it, but now it will be coming back
+#ifndef BTRFS_BUILD_VERSION
+#define BTRFS_BUILD_VERSION "-"
+#endif
+*/
+import "C"
+
+func btrfsBuildVersion() string {
+	return string(C.BTRFS_BUILD_VERSION)
+}
+
+func btrfsLibVersion() int {
+	return int(C.BTRFS_LIB_VERSION)
+}
diff --git a/engine/daemon/graphdriver/btrfs/version_none.go b/engine/daemon/graphdriver/btrfs/version_none.go
new file mode 100644
index 00000000..5c755f81
--- /dev/null
+++ b/engine/daemon/graphdriver/btrfs/version_none.go
@@ -0,0 +1,14 @@
+// +build linux,btrfs_noversion
+
+package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
+
+// TODO(vbatts) remove this work-around once supported linux distros are on
+// btrfs utilities of >= 3.16.1
+
+func btrfsBuildVersion() string {
+	return "-"
+}
+
+func btrfsLibVersion() int {
+	return -1
+}
diff --git a/engine/daemon/graphdriver/btrfs/version_test.go b/engine/daemon/graphdriver/btrfs/version_test.go
new file mode 100644
index 00000000..465daadb
--- /dev/null
+++ b/engine/daemon/graphdriver/btrfs/version_test.go
@@ -0,0 +1,13 @@
+// +build linux,!btrfs_noversion
+
+package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
+
+import (
+	"testing"
+)
+
+func TestLibVersion(t *testing.T) {
+	if btrfsLibVersion() <= 0 {
+		t.Error("expected output from btrfs lib version > 0")
+	}
+}
diff --git a/engine/daemon/graphdriver/copy/copy.go b/engine/daemon/graphdriver/copy/copy.go
new file mode 100644
index 00000000..86316fdf
--- /dev/null
+++ b/engine/daemon/graphdriver/copy/copy.go
@@ -0,0 +1,277 @@
+// +build linux
+
+package copy // import "github.com/docker/docker/daemon/graphdriver/copy"
+
+/*
+#include <linux/fs.h>
+
+#ifndef FICLONE
+#define FICLONE		_IOW(0x94, 9, int)
+#endif
+*/
+import "C"
+import (
+	"container/list"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"syscall"
+	"time"
+
+	"github.com/docker/docker/pkg/pools"
+	"github.com/docker/docker/pkg/system"
+	rsystem "github.com/opencontainers/runc/libcontainer/system"
+	"golang.org/x/sys/unix"
+)
+
+// Mode indicates whether to use hardlink or copy content
+type Mode int
+
+const (
+	// Content creates a new file, and copies the content of the file
+	Content Mode = iota
+	// Hardlink creates a new hardlink to the existing file
+	Hardlink
+)
+
+func copyRegular(srcPath, dstPath string, fileinfo os.FileInfo, copyWithFileRange, copyWithFileClone *bool) error {
+	srcFile, err := os.Open(srcPath)
+	if err != nil {
+		return err
+	}
+	defer srcFile.Close()
+
+	// If the destination file already exists, we shouldn't blow it away
+	dstFile, err := os.OpenFile(dstPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, fileinfo.Mode())
+	if err != nil {
+		return err
+	}
+	defer dstFile.Close()
+
+	if *copyWithFileClone {
+		_, _, err = unix.Syscall(unix.SYS_IOCTL, dstFile.Fd(), C.FICLONE, srcFile.Fd())
+		if err == nil {
+			return nil
+		}
+
+		*copyWithFileClone = false
+		if err == unix.EXDEV {
+			*copyWithFileRange = false
+		}
+	}
+	if *copyWithFileRange {
+		err = doCopyWithFileRange(srcFile, dstFile, fileinfo)
+		// Trying the file_clone may not have caught the exdev case
+		// as the ioctl may not have been available (therefore EINVAL)
+		if err == unix.EXDEV || err == unix.ENOSYS {
+			*copyWithFileRange = false
+		} else {
+			return err
+		}
+	}
+	return legacyCopy(srcFile, dstFile)
+}
+
+func doCopyWithFileRange(srcFile, dstFile *os.File, fileinfo os.FileInfo) error {
+	amountLeftToCopy := fileinfo.Size()
+
+	for amountLeftToCopy > 0 {
+		n, err := unix.CopyFileRange(int(srcFile.Fd()), nil, int(dstFile.Fd()), nil, int(amountLeftToCopy), 0)
+		if err != nil {
+			return err
+		}
+
+		amountLeftToCopy = amountLeftToCopy - int64(n)
+	}
+
+	return nil
+}
+
+func legacyCopy(srcFile io.Reader, dstFile io.Writer) error {
+	_, err := pools.Copy(dstFile, srcFile)
+
+	return err
+}
+
+func copyXattr(srcPath, dstPath, attr string) error {
+	data, err := system.Lgetxattr(srcPath, attr)
+	if err != nil {
+		return err
+	}
+	if data != nil {
+		if err := system.Lsetxattr(dstPath, attr, data, 0); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+type fileID struct {
+	dev uint64
+	ino uint64
+}
+
+type dirMtimeInfo struct {
+	dstPath *string
+	stat    *syscall.Stat_t
+}
+
+// DirCopy copies or hardlinks the contents of one directory to another,
+// properly handling xattrs, and soft links
+//
+// Copying xattrs can be opted out of by passing false for copyXattrs.
+func DirCopy(srcDir, dstDir string, copyMode Mode, copyXattrs bool) error {
+	copyWithFileRange := true
+	copyWithFileClone := true
+
+	// This is a map of source file inodes to dst file paths
+	copiedFiles := make(map[fileID]string)
+
+	dirsToSetMtimes := list.New()
+	err := filepath.Walk(srcDir, func(srcPath string, f os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Rebase path
+		relPath, err := filepath.Rel(srcDir, srcPath)
+		if err != nil {
+			return err
+		}
+
+		dstPath := filepath.Join(dstDir, relPath)
+		if err != nil {
+			return err
+		}
+
+		stat, ok := f.Sys().(*syscall.Stat_t)
+		if !ok {
+			return fmt.Errorf("Unable to get raw syscall.Stat_t data for %s", srcPath)
+		}
+
+		isHardlink := false
+
+		switch f.Mode() & os.ModeType {
+		case 0: // Regular file
+			id := fileID{dev: stat.Dev, ino: stat.Ino}
+			if copyMode == Hardlink {
+				isHardlink = true
+				if err2 := os.Link(srcPath, dstPath); err2 != nil {
+					return err2
+				}
+			} else if hardLinkDstPath, ok := copiedFiles[id]; ok {
+				if err2 := os.Link(hardLinkDstPath, dstPath); err2 != nil {
+					return err2
+				}
+			} else {
+				if err2 := copyRegular(srcPath, dstPath, f, &copyWithFileRange, &copyWithFileClone); err2 != nil {
+					return err2
+				}
+				copiedFiles[id] = dstPath
+			}
+
+		case os.ModeDir:
+			if err := os.Mkdir(dstPath, f.Mode()); err != nil && !os.IsExist(err) {
+				return err
+			}
+
+		case os.ModeSymlink:
+			link, err := os.Readlink(srcPath)
+			if err != nil {
+				return err
+			}
+
+			if err := os.Symlink(link, dstPath); err != nil {
+				return err
+			}
+
+		case os.ModeNamedPipe:
+			fallthrough
+		case os.ModeSocket:
+			if err := unix.Mkfifo(dstPath, stat.Mode); err != nil {
+				return err
+			}
+
+		case os.ModeDevice:
+			if rsystem.RunningInUserNS() {
+				// cannot create a device if running in user namespace
+				return nil
+			}
+			if err := unix.Mknod(dstPath, stat.Mode, int(stat.Rdev)); err != nil {
+				return err
+			}
+
+		default:
+			return fmt.Errorf("unknown file type for %s", srcPath)
+		}
+
+		// Everything below is copying metadata from src to dst. All this metadata
+		// already shares an inode for hardlinks.
+		if isHardlink {
+			return nil
+		}
+
+		if err := os.Lchown(dstPath, int(stat.Uid), int(stat.Gid)); err != nil {
+			return err
+		}
+
+		if copyXattrs {
+			if err := doCopyXattrs(srcPath, dstPath); err != nil {
+				return err
+			}
+		}
+
+		isSymlink := f.Mode()&os.ModeSymlink != 0
+
+		// There is no LChmod, so ignore mode for symlink. Also, this
+		// must happen after chown, as that can modify the file mode
+		if !isSymlink {
+			if err := os.Chmod(dstPath, f.Mode()); err != nil {
+				return err
+			}
+		}
+
+		// system.Chtimes doesn't support a NOFOLLOW flag atm
+		// nolint: unconvert
+		if f.IsDir() {
+			dirsToSetMtimes.PushFront(&dirMtimeInfo{dstPath: &dstPath, stat: stat})
+		} else if !isSymlink {
+			aTime := time.Unix(int64(stat.Atim.Sec), int64(stat.Atim.Nsec))
+			mTime := time.Unix(int64(stat.Mtim.Sec), int64(stat.Mtim.Nsec))
+			if err := system.Chtimes(dstPath, aTime, mTime); err != nil {
+				return err
+			}
+		} else {
+			ts := []syscall.Timespec{stat.Atim, stat.Mtim}
+			if err := system.LUtimesNano(dstPath, ts); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+	for e := dirsToSetMtimes.Front(); e != nil; e = e.Next() {
+		mtimeInfo := e.Value.(*dirMtimeInfo)
+		ts := []syscall.Timespec{mtimeInfo.stat.Atim, mtimeInfo.stat.Mtim}
+		if err := system.LUtimesNano(*mtimeInfo.dstPath, ts); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func doCopyXattrs(srcPath, dstPath string) error {
+	if err := copyXattr(srcPath, dstPath, "security.capability"); err != nil {
+		return err
+	}
+
+	// We need to copy this attribute if it appears in an overlay upper layer, as
+	// this function is used to copy those. It is set by overlay if a directory
+	// is removed and then re-created and should not inherit anything from the
+	// same dir in the lower dir.
+	return copyXattr(srcPath, dstPath, "trusted.overlay.opaque")
+}
diff --git a/engine/daemon/graphdriver/copy/copy_test.go b/engine/daemon/graphdriver/copy/copy_test.go
new file mode 100644
index 00000000..0f3b1670
--- /dev/null
+++ b/engine/daemon/graphdriver/copy/copy_test.go
@@ -0,0 +1,159 @@
+// +build linux
+
+package copy // import "github.com/docker/docker/daemon/graphdriver/copy"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"math/rand"
+	"os"
+	"path/filepath"
+	"syscall"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/system"
+	"golang.org/x/sys/unix"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestCopy(t *testing.T) {
+	copyWithFileRange := true
+	copyWithFileClone := true
+	doCopyTest(t, &copyWithFileRange, &copyWithFileClone)
+}
+
+func TestCopyWithoutRange(t *testing.T) {
+	copyWithFileRange := false
+	copyWithFileClone := false
+	doCopyTest(t, &copyWithFileRange, &copyWithFileClone)
+}
+
+func TestCopyDir(t *testing.T) {
+	srcDir, err := ioutil.TempDir("", "srcDir")
+	assert.NilError(t, err)
+	populateSrcDir(t, srcDir, 3)
+
+	dstDir, err := ioutil.TempDir("", "testdst")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dstDir)
+
+	assert.Check(t, DirCopy(srcDir, dstDir, Content, false))
+	assert.NilError(t, filepath.Walk(srcDir, func(srcPath string, f os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Rebase path
+		relPath, err := filepath.Rel(srcDir, srcPath)
+		assert.NilError(t, err)
+		if relPath == "." {
+			return nil
+		}
+
+		dstPath := filepath.Join(dstDir, relPath)
+		assert.NilError(t, err)
+
+		// If we add non-regular dirs and files to the test
+		// then we need to add more checks here.
+		dstFileInfo, err := os.Lstat(dstPath)
+		assert.NilError(t, err)
+
+		srcFileSys := f.Sys().(*syscall.Stat_t)
+		dstFileSys := dstFileInfo.Sys().(*syscall.Stat_t)
+
+		t.Log(relPath)
+		if srcFileSys.Dev == dstFileSys.Dev {
+			assert.Check(t, srcFileSys.Ino != dstFileSys.Ino)
+		}
+		// Todo: check size, and ctim is not equal
+		/// on filesystems that have granular ctimes
+		assert.Check(t, is.DeepEqual(srcFileSys.Mode, dstFileSys.Mode))
+		assert.Check(t, is.DeepEqual(srcFileSys.Uid, dstFileSys.Uid))
+		assert.Check(t, is.DeepEqual(srcFileSys.Gid, dstFileSys.Gid))
+		assert.Check(t, is.DeepEqual(srcFileSys.Mtim, dstFileSys.Mtim))
+
+		return nil
+	}))
+}
+
+func randomMode(baseMode int) os.FileMode {
+	for i := 0; i < 7; i++ {
+		baseMode = baseMode | (1&rand.Intn(2))<<uint(i)
+	}
+	return os.FileMode(baseMode)
+}
+
+func populateSrcDir(t *testing.T, srcDir string, remainingDepth int) {
+	if remainingDepth == 0 {
+		return
+	}
+	aTime := time.Unix(rand.Int63(), 0)
+	mTime := time.Unix(rand.Int63(), 0)
+
+	for i := 0; i < 10; i++ {
+		dirName := filepath.Join(srcDir, fmt.Sprintf("srcdir-%d", i))
+		// Owner all bits set
+		assert.NilError(t, os.Mkdir(dirName, randomMode(0700)))
+		populateSrcDir(t, dirName, remainingDepth-1)
+		assert.NilError(t, system.Chtimes(dirName, aTime, mTime))
+	}
+
+	for i := 0; i < 10; i++ {
+		fileName := filepath.Join(srcDir, fmt.Sprintf("srcfile-%d", i))
+		// Owner read bit set
+		assert.NilError(t, ioutil.WriteFile(fileName, []byte{}, randomMode(0400)))
+		assert.NilError(t, system.Chtimes(fileName, aTime, mTime))
+	}
+}
+
+func doCopyTest(t *testing.T, copyWithFileRange, copyWithFileClone *bool) {
+	dir, err := ioutil.TempDir("", "docker-copy-check")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dir)
+	srcFilename := filepath.Join(dir, "srcFilename")
+	dstFilename := filepath.Join(dir, "dstilename")
+
+	r := rand.New(rand.NewSource(0))
+	buf := make([]byte, 1024)
+	_, err = r.Read(buf)
+	assert.NilError(t, err)
+	assert.NilError(t, ioutil.WriteFile(srcFilename, buf, 0777))
+	fileinfo, err := os.Stat(srcFilename)
+	assert.NilError(t, err)
+
+	assert.NilError(t, copyRegular(srcFilename, dstFilename, fileinfo, copyWithFileRange, copyWithFileClone))
+	readBuf, err := ioutil.ReadFile(dstFilename)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(buf, readBuf))
+}
+
+func TestCopyHardlink(t *testing.T) {
+	var srcFile1FileInfo, srcFile2FileInfo, dstFile1FileInfo, dstFile2FileInfo unix.Stat_t
+
+	srcDir, err := ioutil.TempDir("", "srcDir")
+	assert.NilError(t, err)
+	defer os.RemoveAll(srcDir)
+
+	dstDir, err := ioutil.TempDir("", "dstDir")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dstDir)
+
+	srcFile1 := filepath.Join(srcDir, "file1")
+	srcFile2 := filepath.Join(srcDir, "file2")
+	dstFile1 := filepath.Join(dstDir, "file1")
+	dstFile2 := filepath.Join(dstDir, "file2")
+	assert.NilError(t, ioutil.WriteFile(srcFile1, []byte{}, 0777))
+	assert.NilError(t, os.Link(srcFile1, srcFile2))
+
+	assert.Check(t, DirCopy(srcDir, dstDir, Content, false))
+
+	assert.NilError(t, unix.Stat(srcFile1, &srcFile1FileInfo))
+	assert.NilError(t, unix.Stat(srcFile2, &srcFile2FileInfo))
+	assert.Equal(t, srcFile1FileInfo.Ino, srcFile2FileInfo.Ino)
+
+	assert.NilError(t, unix.Stat(dstFile1, &dstFile1FileInfo))
+	assert.NilError(t, unix.Stat(dstFile2, &dstFile2FileInfo))
+	assert.Check(t, is.Equal(dstFile1FileInfo.Ino, dstFile2FileInfo.Ino))
+}
diff --git a/engine/daemon/graphdriver/counter.go b/engine/daemon/graphdriver/counter.go
new file mode 100644
index 00000000..2772bd24
--- /dev/null
+++ b/engine/daemon/graphdriver/counter.go
@@ -0,0 +1,62 @@
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+import "sync"
+
+type minfo struct {
+	check bool
+	count int
+}
+
+// RefCounter is a generic counter for use by graphdriver Get/Put calls
+type RefCounter struct {
+	counts  map[string]*minfo
+	mu      sync.Mutex
+	checker Checker
+}
+
+// NewRefCounter returns a new RefCounter
+func NewRefCounter(c Checker) *RefCounter {
+	return &RefCounter{
+		checker: c,
+		counts:  make(map[string]*minfo),
+	}
+}
+
+// Increment increases the ref count for the given id and returns the current count
+func (c *RefCounter) Increment(path string) int {
+	return c.incdec(path, func(minfo *minfo) {
+		minfo.count++
+	})
+}
+
+// Decrement decreases the ref count for the given id and returns the current count
+func (c *RefCounter) Decrement(path string) int {
+	return c.incdec(path, func(minfo *minfo) {
+		minfo.count--
+	})
+}
+
+func (c *RefCounter) incdec(path string, infoOp func(minfo *minfo)) int {
+	c.mu.Lock()
+	m := c.counts[path]
+	if m == nil {
+		m = &minfo{}
+		c.counts[path] = m
+	}
+	// if we are checking this path for the first time check to make sure
+	// if it was already mounted on the system and make sure we have a correct ref
+	// count if it is mounted as it is in use.
+	if !m.check {
+		m.check = true
+		if c.checker.IsMounted(path) {
+			m.count++
+		}
+	}
+	infoOp(m)
+	count := m.count
+	if count <= 0 {
+		delete(c.counts, path)
+	}
+	c.mu.Unlock()
+	return count
+}
diff --git a/engine/daemon/graphdriver/devmapper/README.md b/engine/daemon/graphdriver/devmapper/README.md
new file mode 100644
index 00000000..6594fa65
--- /dev/null
+++ b/engine/daemon/graphdriver/devmapper/README.md
@@ -0,0 +1,98 @@
+# devicemapper - a storage backend based on Device Mapper
+
+## Theory of operation
+
+The device mapper graphdriver uses the device mapper thin provisioning
+module (dm-thinp) to implement CoW snapshots. The preferred model is
+to have a thin pool reserved outside of Docker and passed to the
+daemon via the `--storage-opt dm.thinpooldev` option. Alternatively,
+the device mapper graphdriver can setup a block device to handle this
+for you via the `--storage-opt dm.directlvm_device` option.
+
+As a fallback if no thin pool is provided, loopback files will be
+created.  Loopback is very slow, but can be used without any
+pre-configuration of storage.  It is strongly recommended that you do
+not use loopback in production.  Ensure your Docker daemon has a
+`--storage-opt dm.thinpooldev` argument provided.
+
+In loopback, a thin pool is created at `/var/lib/docker/devicemapper`
+(devicemapper graph location) based on two block devices, one for
+data and one for metadata. By default these block devices are created
+automatically by using loopback mounts of automatically created sparse
+files.
+
+The default loopback files used are
+`/var/lib/docker/devicemapper/devicemapper/data` and
+`/var/lib/docker/devicemapper/devicemapper/metadata`. Additional metadata
+required to map from docker entities to the corresponding devicemapper
+volumes is stored in the `/var/lib/docker/devicemapper/devicemapper/json`
+file (encoded as Json).
+
+In order to support multiple devicemapper graphs on a system, the thin
+pool will be named something like: `docker-0:33-19478248-pool`, where
+the `0:33` part is the minor/major device nr and `19478248` is the
+inode number of the `/var/lib/docker/devicemapper` directory.
+
+On the thin pool, docker automatically creates a base thin device,
+called something like `docker-0:33-19478248-base` of a fixed
+size. This is automatically formatted with an empty filesystem on
+creation. This device is the base of all docker images and
+containers. All base images are snapshots of this device and those
+images are then in turn used as snapshots for other images and
+eventually containers.
+
+## Information on `docker info`
+
+As of docker-1.4.1, `docker info` when using the `devicemapper` storage driver
+will display something like:
+
+	$ sudo docker info
+	[...]
+	Storage Driver: devicemapper
+	 Pool Name: docker-253:1-17538953-pool
+	 Pool Blocksize: 65.54 kB
+	 Base Device Size: 107.4 GB
+	 Data file: /dev/loop4
+	 Metadata file: /dev/loop4
+	 Data Space Used: 2.536 GB
+	 Data Space Total: 107.4 GB
+	 Data Space Available: 104.8 GB
+	 Metadata Space Used: 7.93 MB
+	 Metadata Space Total: 2.147 GB
+	 Metadata Space Available: 2.14 GB
+	 Udev Sync Supported: true
+	 Data loop file: /home/docker/devicemapper/devicemapper/data
+	 Metadata loop file: /home/docker/devicemapper/devicemapper/metadata
+	 Library Version: 1.02.82-git (2013-10-04)
+	[...]
+
+### status items
+
+Each item in the indented section under `Storage Driver: devicemapper` are
+status information about the driver.
+ *  `Pool Name` name of the devicemapper pool for this driver.
+ *  `Pool Blocksize` tells the blocksize the thin pool was initialized with. This only changes on creation.
+ *  `Base Device Size` tells the maximum size of a container and image
+ *  `Data file` blockdevice file used for the devicemapper data
+ *  `Metadata file` blockdevice file used for the devicemapper metadata
+ *  `Data Space Used` tells how much of `Data file` is currently used
+ *  `Data Space Total` tells max size the `Data file`
+ *  `Data Space Available` tells how much free space there is in the `Data file`. If you are using a loop device this will report the actual space available to the loop device on the underlying filesystem.
+ *  `Metadata Space Used` tells how much of `Metadata file` is currently used
+ *  `Metadata Space Total` tells max size the `Metadata file`
+ *  `Metadata Space Available` tells how much free space there is in the `Metadata file`. If you are using a loop device this will report the actual space available to the loop device on the underlying filesystem.
+ *  `Udev Sync Supported` tells whether devicemapper is able to sync with Udev. Should be `true`.
+ *  `Data loop file` file attached to `Data file`, if loopback device is used
+ *  `Metadata loop file` file attached to `Metadata file`, if loopback device is used
+ *  `Library Version` from the libdevmapper used
+
+## About the devicemapper options
+
+The devicemapper backend supports some options that you can specify
+when starting the docker daemon using the `--storage-opt` flags.
+This uses the `dm` prefix and would be used something like `dockerd --storage-opt dm.foo=bar`.
+
+These options are currently documented both in [the man
+page](../../../man/docker.1.md) and in [the online
+documentation](https://docs.docker.com/engine/reference/commandline/dockerd/#/storage-driver-options).
+If you add an options, update both the `man` page and the documentation.
diff --git a/engine/daemon/graphdriver/devmapper/device_setup.go b/engine/daemon/graphdriver/devmapper/device_setup.go
new file mode 100644
index 00000000..4d7f35c4
--- /dev/null
+++ b/engine/daemon/graphdriver/devmapper/device_setup.go
@@ -0,0 +1,231 @@
+package devmapper // import "github.com/docker/docker/daemon/graphdriver/devmapper"
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"reflect"
+	"strings"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type directLVMConfig struct {
+	Device              string
+	ThinpPercent        uint64
+	ThinpMetaPercent    uint64
+	AutoExtendPercent   uint64
+	AutoExtendThreshold uint64
+}
+
+var (
+	errThinpPercentMissing = errors.New("must set both `dm.thinp_percent` and `dm.thinp_metapercent` if either is specified")
+	errThinpPercentTooBig  = errors.New("combined `dm.thinp_percent` and `dm.thinp_metapercent` must not be greater than 100")
+	errMissingSetupDevice  = errors.New("must provide device path in `dm.setup_device` in order to configure direct-lvm")
+)
+
+func validateLVMConfig(cfg directLVMConfig) error {
+	if reflect.DeepEqual(cfg, directLVMConfig{}) {
+		return nil
+	}
+	if cfg.Device == "" {
+		return errMissingSetupDevice
+	}
+	if (cfg.ThinpPercent > 0 && cfg.ThinpMetaPercent == 0) || cfg.ThinpMetaPercent > 0 && cfg.ThinpPercent == 0 {
+		return errThinpPercentMissing
+	}
+
+	if cfg.ThinpPercent+cfg.ThinpMetaPercent > 100 {
+		return errThinpPercentTooBig
+	}
+	return nil
+}
+
+func checkDevAvailable(dev string) error {
+	lvmScan, err := exec.LookPath("lvmdiskscan")
+	if err != nil {
+		logrus.Debug("could not find lvmdiskscan")
+		return nil
+	}
+
+	out, err := exec.Command(lvmScan).CombinedOutput()
+	if err != nil {
+		logrus.WithError(err).Error(string(out))
+		return nil
+	}
+
+	if !bytes.Contains(out, []byte(dev)) {
+		return errors.Errorf("%s is not available for use with devicemapper", dev)
+	}
+	return nil
+}
+
+func checkDevInVG(dev string) error {
+	pvDisplay, err := exec.LookPath("pvdisplay")
+	if err != nil {
+		logrus.Debug("could not find pvdisplay")
+		return nil
+	}
+
+	out, err := exec.Command(pvDisplay, dev).CombinedOutput()
+	if err != nil {
+		logrus.WithError(err).Error(string(out))
+		return nil
+	}
+
+	scanner := bufio.NewScanner(bytes.NewReader(bytes.TrimSpace(out)))
+	for scanner.Scan() {
+		fields := strings.SplitAfter(strings.TrimSpace(scanner.Text()), "VG Name")
+		if len(fields) > 1 {
+			// got "VG Name" line"
+			vg := strings.TrimSpace(fields[1])
+			if len(vg) > 0 {
+				return errors.Errorf("%s is already part of a volume group %q: must remove this device from any volume group or provide a different device", dev, vg)
+			}
+			logrus.Error(fields)
+			break
+		}
+	}
+	return nil
+}
+
+func checkDevHasFS(dev string) error {
+	blkid, err := exec.LookPath("blkid")
+	if err != nil {
+		logrus.Debug("could not find blkid")
+		return nil
+	}
+
+	out, err := exec.Command(blkid, dev).CombinedOutput()
+	if err != nil {
+		logrus.WithError(err).Error(string(out))
+		return nil
+	}
+
+	fields := bytes.Fields(out)
+	for _, f := range fields {
+		kv := bytes.Split(f, []byte{'='})
+		if bytes.Equal(kv[0], []byte("TYPE")) {
+			v := bytes.Trim(kv[1], "\"")
+			if len(v) > 0 {
+				return errors.Errorf("%s has a filesystem already, use dm.directlvm_device_force=true if you want to wipe the device", dev)
+			}
+			return nil
+		}
+	}
+	return nil
+}
+
+func verifyBlockDevice(dev string, force bool) error {
+	if err := checkDevAvailable(dev); err != nil {
+		return err
+	}
+	if err := checkDevInVG(dev); err != nil {
+		return err
+	}
+	if force {
+		return nil
+	}
+	return checkDevHasFS(dev)
+}
+
+func readLVMConfig(root string) (directLVMConfig, error) {
+	var cfg directLVMConfig
+
+	p := filepath.Join(root, "setup-config.json")
+	b, err := ioutil.ReadFile(p)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return cfg, nil
+		}
+		return cfg, errors.Wrap(err, "error reading existing setup config")
+	}
+
+	// check if this is just an empty file, no need to produce a json error later if so
+	if len(b) == 0 {
+		return cfg, nil
+	}
+
+	err = json.Unmarshal(b, &cfg)
+	return cfg, errors.Wrap(err, "error unmarshaling previous device setup config")
+}
+
+func writeLVMConfig(root string, cfg directLVMConfig) error {
+	p := filepath.Join(root, "setup-config.json")
+	b, err := json.Marshal(cfg)
+	if err != nil {
+		return errors.Wrap(err, "error marshalling direct lvm config")
+	}
+	err = ioutil.WriteFile(p, b, 0600)
+	return errors.Wrap(err, "error writing direct lvm config to file")
+}
+
+func setupDirectLVM(cfg directLVMConfig) error {
+	lvmProfileDir := "/etc/lvm/profile"
+	binaries := []string{"pvcreate", "vgcreate", "lvcreate", "lvconvert", "lvchange", "thin_check"}
+
+	for _, bin := range binaries {
+		if _, err := exec.LookPath(bin); err != nil {
+			return errors.Wrap(err, "error looking up command `"+bin+"` while setting up direct lvm")
+		}
+	}
+
+	err := os.MkdirAll(lvmProfileDir, 0755)
+	if err != nil {
+		return errors.Wrap(err, "error creating lvm profile directory")
+	}
+
+	if cfg.AutoExtendPercent == 0 {
+		cfg.AutoExtendPercent = 20
+	}
+
+	if cfg.AutoExtendThreshold == 0 {
+		cfg.AutoExtendThreshold = 80
+	}
+
+	if cfg.ThinpPercent == 0 {
+		cfg.ThinpPercent = 95
+	}
+	if cfg.ThinpMetaPercent == 0 {
+		cfg.ThinpMetaPercent = 1
+	}
+
+	out, err := exec.Command("pvcreate", "-f", cfg.Device).CombinedOutput()
+	if err != nil {
+		return errors.Wrap(err, string(out))
+	}
+
+	out, err = exec.Command("vgcreate", "docker", cfg.Device).CombinedOutput()
+	if err != nil {
+		return errors.Wrap(err, string(out))
+	}
+
+	out, err = exec.Command("lvcreate", "--wipesignatures", "y", "-n", "thinpool", "docker", "--extents", fmt.Sprintf("%d%%VG", cfg.ThinpPercent)).CombinedOutput()
+	if err != nil {
+		return errors.Wrap(err, string(out))
+	}
+	out, err = exec.Command("lvcreate", "--wipesignatures", "y", "-n", "thinpoolmeta", "docker", "--extents", fmt.Sprintf("%d%%VG", cfg.ThinpMetaPercent)).CombinedOutput()
+	if err != nil {
+		return errors.Wrap(err, string(out))
+	}
+
+	out, err = exec.Command("lvconvert", "-y", "--zero", "n", "-c", "512K", "--thinpool", "docker/thinpool", "--poolmetadata", "docker/thinpoolmeta").CombinedOutput()
+	if err != nil {
+		return errors.Wrap(err, string(out))
+	}
+
+	profile := fmt.Sprintf("activation{\nthin_pool_autoextend_threshold=%d\nthin_pool_autoextend_percent=%d\n}", cfg.AutoExtendThreshold, cfg.AutoExtendPercent)
+	err = ioutil.WriteFile(lvmProfileDir+"/docker-thinpool.profile", []byte(profile), 0600)
+	if err != nil {
+		return errors.Wrap(err, "error writing docker thinp autoextend profile")
+	}
+
+	out, err = exec.Command("lvchange", "--metadataprofile", "docker-thinpool", "docker/thinpool").CombinedOutput()
+	return errors.Wrap(err, string(out))
+}
diff --git a/engine/daemon/graphdriver/devmapper/deviceset.go b/engine/daemon/graphdriver/devmapper/deviceset.go
new file mode 100644
index 00000000..2bfbf05a
--- /dev/null
+++ b/engine/daemon/graphdriver/devmapper/deviceset.go
@@ -0,0 +1,2824 @@
+// +build linux
+
+package devmapper // import "github.com/docker/docker/daemon/graphdriver/devmapper"
+
+import (
+	"bufio"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"reflect"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/pkg/devicemapper"
+	"github.com/docker/docker/pkg/dmesg"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/loopback"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/parsers"
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"github.com/docker/go-units"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+var (
+	defaultDataLoopbackSize      int64  = 100 * 1024 * 1024 * 1024
+	defaultMetaDataLoopbackSize  int64  = 2 * 1024 * 1024 * 1024
+	defaultBaseFsSize            uint64 = 10 * 1024 * 1024 * 1024
+	defaultThinpBlockSize        uint32 = 128 // 64K = 128 512b sectors
+	defaultUdevSyncOverride             = false
+	maxDeviceID                         = 0xffffff // 24 bit, pool limit
+	deviceIDMapSz                       = (maxDeviceID + 1) / 8
+	driverDeferredRemovalSupport        = false
+	enableDeferredRemoval               = false
+	enableDeferredDeletion              = false
+	userBaseSize                        = false
+	defaultMinFreeSpacePercent   uint32 = 10
+	lvmSetupConfigForce          bool
+)
+
+const deviceSetMetaFile = "deviceset-metadata"
+const transactionMetaFile = "transaction-metadata"
+
+type transaction struct {
+	OpenTransactionID uint64 `json:"open_transaction_id"`
+	DeviceIDHash      string `json:"device_hash"`
+	DeviceID          int    `json:"device_id"`
+}
+
+type devInfo struct {
+	Hash          string `json:"-"`
+	DeviceID      int    `json:"device_id"`
+	Size          uint64 `json:"size"`
+	TransactionID uint64 `json:"transaction_id"`
+	Initialized   bool   `json:"initialized"`
+	Deleted       bool   `json:"deleted"`
+	devices       *DeviceSet
+
+	// The global DeviceSet lock guarantees that we serialize all
+	// the calls to libdevmapper (which is not threadsafe), but we
+	// sometimes release that lock while sleeping. In that case
+	// this per-device lock is still held, protecting against
+	// other accesses to the device that we're doing the wait on.
+	//
+	// WARNING: In order to avoid AB-BA deadlocks when releasing
+	// the global lock while holding the per-device locks all
+	// device locks must be acquired *before* the device lock, and
+	// multiple device locks should be acquired parent before child.
+	lock sync.Mutex
+}
+
+type metaData struct {
+	Devices map[string]*devInfo `json:"Devices"`
+}
+
+// DeviceSet holds information about list of devices
+type DeviceSet struct {
+	metaData      `json:"-"`
+	sync.Mutex    `json:"-"` // Protects all fields of DeviceSet and serializes calls into libdevmapper
+	root          string
+	devicePrefix  string
+	TransactionID uint64 `json:"-"`
+	NextDeviceID  int    `json:"next_device_id"`
+	deviceIDMap   []byte
+
+	// Options
+	dataLoopbackSize      int64
+	metaDataLoopbackSize  int64
+	baseFsSize            uint64
+	filesystem            string
+	mountOptions          string
+	mkfsArgs              []string
+	dataDevice            string // block or loop dev
+	dataLoopFile          string // loopback file, if used
+	metadataDevice        string // block or loop dev
+	metadataLoopFile      string // loopback file, if used
+	doBlkDiscard          bool
+	thinpBlockSize        uint32
+	thinPoolDevice        string
+	transaction           `json:"-"`
+	overrideUdevSyncCheck bool
+	deferredRemove        bool   // use deferred removal
+	deferredDelete        bool   // use deferred deletion
+	BaseDeviceUUID        string // save UUID of base device
+	BaseDeviceFilesystem  string // save filesystem of base device
+	nrDeletedDevices      uint   // number of deleted devices
+	deletionWorkerTicker  *time.Ticker
+	uidMaps               []idtools.IDMap
+	gidMaps               []idtools.IDMap
+	minFreeSpacePercent   uint32 //min free space percentage in thinpool
+	xfsNospaceRetries     string // max retries when xfs receives ENOSPC
+	lvmSetupConfig        directLVMConfig
+}
+
+// DiskUsage contains information about disk usage and is used when reporting Status of a device.
+type DiskUsage struct {
+	// Used bytes on the disk.
+	Used uint64
+	// Total bytes on the disk.
+	Total uint64
+	// Available bytes on the disk.
+	Available uint64
+}
+
+// Status returns the information about the device.
+type Status struct {
+	// PoolName is the name of the data pool.
+	PoolName string
+	// DataFile is the actual block device for data.
+	DataFile string
+	// DataLoopback loopback file, if used.
+	DataLoopback string
+	// MetadataFile is the actual block device for metadata.
+	MetadataFile string
+	// MetadataLoopback is the loopback file, if used.
+	MetadataLoopback string
+	// Data is the disk used for data.
+	Data DiskUsage
+	// Metadata is the disk used for meta data.
+	Metadata DiskUsage
+	// BaseDeviceSize is base size of container and image
+	BaseDeviceSize uint64
+	// BaseDeviceFS is backing filesystem.
+	BaseDeviceFS string
+	// SectorSize size of the vector.
+	SectorSize uint64
+	// UdevSyncSupported is true if sync is supported.
+	UdevSyncSupported bool
+	// DeferredRemoveEnabled is true then the device is not unmounted.
+	DeferredRemoveEnabled bool
+	// True if deferred deletion is enabled. This is different from
+	// deferred removal. "removal" means that device mapper device is
+	// deactivated. Thin device is still in thin pool and can be activated
+	// again. But "deletion" means that thin device will be deleted from
+	// thin pool and it can't be activated again.
+	DeferredDeleteEnabled      bool
+	DeferredDeletedDeviceCount uint
+	MinFreeSpace               uint64
+}
+
+// Structure used to export image/container metadata in docker inspect.
+type deviceMetadata struct {
+	deviceID   int
+	deviceSize uint64 // size in bytes
+	deviceName string // Device name as used during activation
+}
+
+// DevStatus returns information about device mounted containing its id, size and sector information.
+type DevStatus struct {
+	// DeviceID is the id of the device.
+	DeviceID int
+	// Size is the size of the filesystem.
+	Size uint64
+	// TransactionID is a unique integer per device set used to identify an operation on the file system, this number is incremental.
+	TransactionID uint64
+	// SizeInSectors indicates the size of the sectors allocated.
+	SizeInSectors uint64
+	// MappedSectors indicates number of mapped sectors.
+	MappedSectors uint64
+	// HighestMappedSector is the pointer to the highest mapped sector.
+	HighestMappedSector uint64
+}
+
+func getDevName(name string) string {
+	return "/dev/mapper/" + name
+}
+
+func (info *devInfo) Name() string {
+	hash := info.Hash
+	if hash == "" {
+		hash = "base"
+	}
+	return fmt.Sprintf("%s-%s", info.devices.devicePrefix, hash)
+}
+
+func (info *devInfo) DevName() string {
+	return getDevName(info.Name())
+}
+
+func (devices *DeviceSet) loopbackDir() string {
+	return path.Join(devices.root, "devicemapper")
+}
+
+func (devices *DeviceSet) metadataDir() string {
+	return path.Join(devices.root, "metadata")
+}
+
+func (devices *DeviceSet) metadataFile(info *devInfo) string {
+	file := info.Hash
+	if file == "" {
+		file = "base"
+	}
+	return path.Join(devices.metadataDir(), file)
+}
+
+func (devices *DeviceSet) transactionMetaFile() string {
+	return path.Join(devices.metadataDir(), transactionMetaFile)
+}
+
+func (devices *DeviceSet) deviceSetMetaFile() string {
+	return path.Join(devices.metadataDir(), deviceSetMetaFile)
+}
+
+func (devices *DeviceSet) oldMetadataFile() string {
+	return path.Join(devices.loopbackDir(), "json")
+}
+
+func (devices *DeviceSet) getPoolName() string {
+	if devices.thinPoolDevice == "" {
+		return devices.devicePrefix + "-pool"
+	}
+	return devices.thinPoolDevice
+}
+
+func (devices *DeviceSet) getPoolDevName() string {
+	return getDevName(devices.getPoolName())
+}
+
+func (devices *DeviceSet) hasImage(name string) bool {
+	dirname := devices.loopbackDir()
+	filename := path.Join(dirname, name)
+
+	_, err := os.Stat(filename)
+	return err == nil
+}
+
+// ensureImage creates a sparse file of <size> bytes at the path
+// <root>/devicemapper/<name>.
+// If the file already exists and new size is larger than its current size, it grows to the new size.
+// Either way it returns the full path.
+func (devices *DeviceSet) ensureImage(name string, size int64) (string, error) {
+	dirname := devices.loopbackDir()
+	filename := path.Join(dirname, name)
+
+	uid, gid, err := idtools.GetRootUIDGID(devices.uidMaps, devices.gidMaps)
+	if err != nil {
+		return "", err
+	}
+	if err := idtools.MkdirAllAndChown(dirname, 0700, idtools.IDPair{UID: uid, GID: gid}); err != nil {
+		return "", err
+	}
+
+	if fi, err := os.Stat(filename); err != nil {
+		if !os.IsNotExist(err) {
+			return "", err
+		}
+		logrus.WithField("storage-driver", "devicemapper").Debugf("Creating loopback file %s for device-manage use", filename)
+		file, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0600)
+		if err != nil {
+			return "", err
+		}
+		defer file.Close()
+
+		if err := file.Truncate(size); err != nil {
+			return "", err
+		}
+	} else {
+		if fi.Size() < size {
+			file, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0600)
+			if err != nil {
+				return "", err
+			}
+			defer file.Close()
+			if err := file.Truncate(size); err != nil {
+				return "", fmt.Errorf("devmapper: Unable to grow loopback file %s: %v", filename, err)
+			}
+		} else if fi.Size() > size {
+			logrus.WithField("storage-driver", "devicemapper").Warnf("Can't shrink loopback file %s", filename)
+		}
+	}
+	return filename, nil
+}
+
+func (devices *DeviceSet) allocateTransactionID() uint64 {
+	devices.OpenTransactionID = devices.TransactionID + 1
+	return devices.OpenTransactionID
+}
+
+func (devices *DeviceSet) updatePoolTransactionID() error {
+	if err := devicemapper.SetTransactionID(devices.getPoolDevName(), devices.TransactionID, devices.OpenTransactionID); err != nil {
+		return fmt.Errorf("devmapper: Error setting devmapper transaction ID: %s", err)
+	}
+	devices.TransactionID = devices.OpenTransactionID
+	return nil
+}
+
+func (devices *DeviceSet) removeMetadata(info *devInfo) error {
+	if err := os.RemoveAll(devices.metadataFile(info)); err != nil {
+		return fmt.Errorf("devmapper: Error removing metadata file %s: %s", devices.metadataFile(info), err)
+	}
+	return nil
+}
+
+// Given json data and file path, write it to disk
+func (devices *DeviceSet) writeMetaFile(jsonData []byte, filePath string) error {
+	tmpFile, err := ioutil.TempFile(devices.metadataDir(), ".tmp")
+	if err != nil {
+		return fmt.Errorf("devmapper: Error creating metadata file: %s", err)
+	}
+
+	n, err := tmpFile.Write(jsonData)
+	if err != nil {
+		return fmt.Errorf("devmapper: Error writing metadata to %s: %s", tmpFile.Name(), err)
+	}
+	if n < len(jsonData) {
+		return io.ErrShortWrite
+	}
+	if err := tmpFile.Sync(); err != nil {
+		return fmt.Errorf("devmapper: Error syncing metadata file %s: %s", tmpFile.Name(), err)
+	}
+	if err := tmpFile.Close(); err != nil {
+		return fmt.Errorf("devmapper: Error closing metadata file %s: %s", tmpFile.Name(), err)
+	}
+	if err := os.Rename(tmpFile.Name(), filePath); err != nil {
+		return fmt.Errorf("devmapper: Error committing metadata file %s: %s", tmpFile.Name(), err)
+	}
+
+	return nil
+}
+
+func (devices *DeviceSet) saveMetadata(info *devInfo) error {
+	jsonData, err := json.Marshal(info)
+	if err != nil {
+		return fmt.Errorf("devmapper: Error encoding metadata to json: %s", err)
+	}
+	return devices.writeMetaFile(jsonData, devices.metadataFile(info))
+}
+
+func (devices *DeviceSet) markDeviceIDUsed(deviceID int) {
+	var mask byte
+	i := deviceID % 8
+	mask = 1 << uint(i)
+	devices.deviceIDMap[deviceID/8] = devices.deviceIDMap[deviceID/8] | mask
+}
+
+func (devices *DeviceSet) markDeviceIDFree(deviceID int) {
+	var mask byte
+	i := deviceID % 8
+	mask = ^(1 << uint(i))
+	devices.deviceIDMap[deviceID/8] = devices.deviceIDMap[deviceID/8] & mask
+}
+
+func (devices *DeviceSet) isDeviceIDFree(deviceID int) bool {
+	var mask byte
+	i := deviceID % 8
+	mask = (1 << uint(i))
+	return (devices.deviceIDMap[deviceID/8] & mask) == 0
+}
+
+// Should be called with devices.Lock() held.
+func (devices *DeviceSet) lookupDevice(hash string) (*devInfo, error) {
+	info := devices.Devices[hash]
+	if info == nil {
+		info = devices.loadMetadata(hash)
+		if info == nil {
+			return nil, fmt.Errorf("devmapper: Unknown device %s", hash)
+		}
+
+		devices.Devices[hash] = info
+	}
+	return info, nil
+}
+
+func (devices *DeviceSet) lookupDeviceWithLock(hash string) (*devInfo, error) {
+	devices.Lock()
+	defer devices.Unlock()
+	info, err := devices.lookupDevice(hash)
+	return info, err
+}
+
+// This function relies on that device hash map has been loaded in advance.
+// Should be called with devices.Lock() held.
+func (devices *DeviceSet) constructDeviceIDMap() {
+	logrus.WithField("storage-driver", "devicemapper").Debug("constructDeviceIDMap()")
+	defer logrus.WithField("storage-driver", "devicemapper").Debug("constructDeviceIDMap() END")
+
+	for _, info := range devices.Devices {
+		devices.markDeviceIDUsed(info.DeviceID)
+		logrus.WithField("storage-driver", "devicemapper").Debugf("Added deviceId=%d to DeviceIdMap", info.DeviceID)
+	}
+}
+
+func (devices *DeviceSet) deviceFileWalkFunction(path string, finfo os.FileInfo) error {
+	logger := logrus.WithField("storage-driver", "devicemapper")
+
+	// Skip some of the meta files which are not device files.
+	if strings.HasSuffix(finfo.Name(), ".migrated") {
+		logger.Debugf("Skipping file %s", path)
+		return nil
+	}
+
+	if strings.HasPrefix(finfo.Name(), ".") {
+		logger.Debugf("Skipping file %s", path)
+		return nil
+	}
+
+	if finfo.Name() == deviceSetMetaFile {
+		logger.Debugf("Skipping file %s", path)
+		return nil
+	}
+
+	if finfo.Name() == transactionMetaFile {
+		logger.Debugf("Skipping file %s", path)
+		return nil
+	}
+
+	logger.Debugf("Loading data for file %s", path)
+
+	hash := finfo.Name()
+	if hash == "base" {
+		hash = ""
+	}
+
+	// Include deleted devices also as cleanup delete device logic
+	// will go through it and see if there are any deleted devices.
+	if _, err := devices.lookupDevice(hash); err != nil {
+		return fmt.Errorf("devmapper: Error looking up device %s:%v", hash, err)
+	}
+
+	return nil
+}
+
+func (devices *DeviceSet) loadDeviceFilesOnStart() error {
+	logrus.WithField("storage-driver", "devicemapper").Debug("loadDeviceFilesOnStart()")
+	defer logrus.WithField("storage-driver", "devicemapper").Debug("loadDeviceFilesOnStart() END")
+
+	var scan = func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			logrus.WithField("storage-driver", "devicemapper").Debugf("Can't walk the file %s", path)
+			return nil
+		}
+
+		// Skip any directories
+		if info.IsDir() {
+			return nil
+		}
+
+		return devices.deviceFileWalkFunction(path, info)
+	}
+
+	return filepath.Walk(devices.metadataDir(), scan)
+}
+
+// Should be called with devices.Lock() held.
+func (devices *DeviceSet) unregisterDevice(hash string) error {
+	logrus.WithField("storage-driver", "devicemapper").Debugf("unregisterDevice(%v)", hash)
+	info := &devInfo{
+		Hash: hash,
+	}
+
+	delete(devices.Devices, hash)
+
+	if err := devices.removeMetadata(info); err != nil {
+		logrus.WithField("storage-driver", "devicemapper").Debugf("Error removing metadata: %s", err)
+		return err
+	}
+
+	return nil
+}
+
+// Should be called with devices.Lock() held.
+func (devices *DeviceSet) registerDevice(id int, hash string, size uint64, transactionID uint64) (*devInfo, error) {
+	logrus.WithField("storage-driver", "devicemapper").Debugf("registerDevice(%v, %v)", id, hash)
+	info := &devInfo{
+		Hash:          hash,
+		DeviceID:      id,
+		Size:          size,
+		TransactionID: transactionID,
+		Initialized:   false,
+		devices:       devices,
+	}
+
+	devices.Devices[hash] = info
+
+	if err := devices.saveMetadata(info); err != nil {
+		// Try to remove unused device
+		delete(devices.Devices, hash)
+		return nil, err
+	}
+
+	return info, nil
+}
+
+func (devices *DeviceSet) activateDeviceIfNeeded(info *devInfo, ignoreDeleted bool) error {
+	logrus.WithField("storage-driver", "devicemapper").Debugf("activateDeviceIfNeeded(%v)", info.Hash)
+
+	if info.Deleted && !ignoreDeleted {
+		return fmt.Errorf("devmapper: Can't activate device %v as it is marked for deletion", info.Hash)
+	}
+
+	// Make sure deferred removal on device is canceled, if one was
+	// scheduled.
+	if err := devices.cancelDeferredRemovalIfNeeded(info); err != nil {
+		return fmt.Errorf("devmapper: Device Deferred Removal Cancellation Failed: %s", err)
+	}
+
+	if devinfo, _ := devicemapper.GetInfo(info.Name()); devinfo != nil && devinfo.Exists != 0 {
+		return nil
+	}
+
+	return devicemapper.ActivateDevice(devices.getPoolDevName(), info.Name(), info.DeviceID, info.Size)
+}
+
+// xfsSupported checks if xfs is supported, returns nil if it is, otherwise an error
+func xfsSupported() error {
+	// Make sure mkfs.xfs is available
+	if _, err := exec.LookPath("mkfs.xfs"); err != nil {
+		return err // error text is descriptive enough
+	}
+
+	// Check if kernel supports xfs filesystem or not.
+	exec.Command("modprobe", "xfs").Run()
+
+	f, err := os.Open("/proc/filesystems")
+	if err != nil {
+		return errors.Wrapf(err, "error checking for xfs support")
+	}
+	defer f.Close()
+
+	s := bufio.NewScanner(f)
+	for s.Scan() {
+		if strings.HasSuffix(s.Text(), "\txfs") {
+			return nil
+		}
+	}
+
+	if err := s.Err(); err != nil {
+		return errors.Wrapf(err, "error checking for xfs support")
+	}
+
+	return errors.New(`kernel does not support xfs, or "modprobe xfs" failed`)
+}
+
+func determineDefaultFS() string {
+	err := xfsSupported()
+	if err == nil {
+		return "xfs"
+	}
+
+	logrus.WithField("storage-driver", "devicemapper").Warnf("XFS is not supported in your system (%v). Defaulting to ext4 filesystem", err)
+	return "ext4"
+}
+
+// mkfsOptions tries to figure out whether some additional mkfs options are required
+func mkfsOptions(fs string) []string {
+	if fs == "xfs" && !kernel.CheckKernelVersion(3, 16, 0) {
+		// For kernels earlier than 3.16 (and newer xfsutils),
+		// some xfs features need to be explicitly disabled.
+		return []string{"-m", "crc=0,finobt=0"}
+	}
+
+	return []string{}
+}
+
+func (devices *DeviceSet) createFilesystem(info *devInfo) (err error) {
+	devname := info.DevName()
+
+	if devices.filesystem == "" {
+		devices.filesystem = determineDefaultFS()
+	}
+	if err := devices.saveBaseDeviceFilesystem(devices.filesystem); err != nil {
+		return err
+	}
+
+	args := mkfsOptions(devices.filesystem)
+	args = append(args, devices.mkfsArgs...)
+	args = append(args, devname)
+
+	logrus.WithField("storage-driver", "devicemapper").Infof("Creating filesystem %s on device %s, mkfs args: %v", devices.filesystem, info.Name(), args)
+	defer func() {
+		if err != nil {
+			logrus.WithField("storage-driver", "devicemapper").Infof("Error while creating filesystem %s on device %s: %v", devices.filesystem, info.Name(), err)
+		} else {
+			logrus.WithField("storage-driver", "devicemapper").Infof("Successfully created filesystem %s on device %s", devices.filesystem, info.Name())
+		}
+	}()
+
+	switch devices.filesystem {
+	case "xfs":
+		err = exec.Command("mkfs.xfs", args...).Run()
+	case "ext4":
+		err = exec.Command("mkfs.ext4", append([]string{"-E", "nodiscard,lazy_itable_init=0,lazy_journal_init=0"}, args...)...).Run()
+		if err != nil {
+			err = exec.Command("mkfs.ext4", append([]string{"-E", "nodiscard,lazy_itable_init=0"}, args...)...).Run()
+		}
+		if err != nil {
+			return err
+		}
+		err = exec.Command("tune2fs", append([]string{"-c", "-1", "-i", "0"}, devname)...).Run()
+	default:
+		err = fmt.Errorf("devmapper: Unsupported filesystem type %s", devices.filesystem)
+	}
+	return
+}
+
+func (devices *DeviceSet) migrateOldMetaData() error {
+	// Migrate old metadata file
+	jsonData, err := ioutil.ReadFile(devices.oldMetadataFile())
+	if err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
+	if jsonData != nil {
+		m := metaData{Devices: make(map[string]*devInfo)}
+
+		if err := json.Unmarshal(jsonData, &m); err != nil {
+			return err
+		}
+
+		for hash, info := range m.Devices {
+			info.Hash = hash
+			devices.saveMetadata(info)
+		}
+		if err := os.Rename(devices.oldMetadataFile(), devices.oldMetadataFile()+".migrated"); err != nil {
+			return err
+		}
+
+	}
+
+	return nil
+}
+
+// Cleanup deleted devices. It assumes that all the devices have been
+// loaded in the hash table.
+func (devices *DeviceSet) cleanupDeletedDevices() error {
+	devices.Lock()
+
+	// If there are no deleted devices, there is nothing to do.
+	if devices.nrDeletedDevices == 0 {
+		devices.Unlock()
+		return nil
+	}
+
+	var deletedDevices []*devInfo
+
+	for _, info := range devices.Devices {
+		if !info.Deleted {
+			continue
+		}
+		logrus.WithField("storage-driver", "devicemapper").Debugf("Found deleted device %s.", info.Hash)
+		deletedDevices = append(deletedDevices, info)
+	}
+
+	// Delete the deleted devices. DeleteDevice() first takes the info lock
+	// and then devices.Lock(). So drop it to avoid deadlock.
+	devices.Unlock()
+
+	for _, info := range deletedDevices {
+		// This will again try deferred deletion.
+		if err := devices.DeleteDevice(info.Hash, false); err != nil {
+			logrus.WithField("storage-driver", "devicemapper").Warnf("Deletion of device %s, device_id=%v failed:%v", info.Hash, info.DeviceID, err)
+		}
+	}
+
+	return nil
+}
+
+func (devices *DeviceSet) countDeletedDevices() {
+	for _, info := range devices.Devices {
+		if !info.Deleted {
+			continue
+		}
+		devices.nrDeletedDevices++
+	}
+}
+
+func (devices *DeviceSet) startDeviceDeletionWorker() {
+	// Deferred deletion is not enabled. Don't do anything.
+	if !devices.deferredDelete {
+		return
+	}
+
+	logrus.WithField("storage-driver", "devicemapper").Debug("Worker to cleanup deleted devices started")
+	for range devices.deletionWorkerTicker.C {
+		devices.cleanupDeletedDevices()
+	}
+}
+
+func (devices *DeviceSet) initMetaData() error {
+	devices.Lock()
+	defer devices.Unlock()
+
+	if err := devices.migrateOldMetaData(); err != nil {
+		return err
+	}
+
+	_, transactionID, _, _, _, _, err := devices.poolStatus()
+	if err != nil {
+		return err
+	}
+
+	devices.TransactionID = transactionID
+
+	if err := devices.loadDeviceFilesOnStart(); err != nil {
+		return fmt.Errorf("devmapper: Failed to load device files:%v", err)
+	}
+
+	devices.constructDeviceIDMap()
+	devices.countDeletedDevices()
+
+	if err := devices.processPendingTransaction(); err != nil {
+		return err
+	}
+
+	// Start a goroutine to cleanup Deleted Devices
+	go devices.startDeviceDeletionWorker()
+	return nil
+}
+
+func (devices *DeviceSet) incNextDeviceID() {
+	// IDs are 24bit, so wrap around
+	devices.NextDeviceID = (devices.NextDeviceID + 1) & maxDeviceID
+}
+
+func (devices *DeviceSet) getNextFreeDeviceID() (int, error) {
+	devices.incNextDeviceID()
+	for i := 0; i <= maxDeviceID; i++ {
+		if devices.isDeviceIDFree(devices.NextDeviceID) {
+			devices.markDeviceIDUsed(devices.NextDeviceID)
+			return devices.NextDeviceID, nil
+		}
+		devices.incNextDeviceID()
+	}
+
+	return 0, fmt.Errorf("devmapper: Unable to find a free device ID")
+}
+
+func (devices *DeviceSet) poolHasFreeSpace() error {
+	if devices.minFreeSpacePercent == 0 {
+		return nil
+	}
+
+	_, _, dataUsed, dataTotal, metadataUsed, metadataTotal, err := devices.poolStatus()
+	if err != nil {
+		return err
+	}
+
+	minFreeData := (dataTotal * uint64(devices.minFreeSpacePercent)) / 100
+	if minFreeData < 1 {
+		minFreeData = 1
+	}
+	dataFree := dataTotal - dataUsed
+	if dataFree < minFreeData {
+		return fmt.Errorf("devmapper: Thin Pool has %v free data blocks which is less than minimum required %v free data blocks. Create more free space in thin pool or use dm.min_free_space option to change behavior", (dataTotal - dataUsed), minFreeData)
+	}
+
+	minFreeMetadata := (metadataTotal * uint64(devices.minFreeSpacePercent)) / 100
+	if minFreeMetadata < 1 {
+		minFreeMetadata = 1
+	}
+
+	metadataFree := metadataTotal - metadataUsed
+	if metadataFree < minFreeMetadata {
+		return fmt.Errorf("devmapper: Thin Pool has %v free metadata blocks which is less than minimum required %v free metadata blocks. Create more free metadata space in thin pool or use dm.min_free_space option to change behavior", (metadataTotal - metadataUsed), minFreeMetadata)
+	}
+
+	return nil
+}
+
+func (devices *DeviceSet) createRegisterDevice(hash string) (*devInfo, error) {
+	devices.Lock()
+	defer devices.Unlock()
+
+	deviceID, err := devices.getNextFreeDeviceID()
+	if err != nil {
+		return nil, err
+	}
+
+	logger := logrus.WithField("storage-driver", "devicemapper")
+
+	if err := devices.openTransaction(hash, deviceID); err != nil {
+		logger.Debugf("Error opening transaction hash = %s deviceID = %d", hash, deviceID)
+		devices.markDeviceIDFree(deviceID)
+		return nil, err
+	}
+
+	for {
+		if err := devicemapper.CreateDevice(devices.getPoolDevName(), deviceID); err != nil {
+			if devicemapper.DeviceIDExists(err) {
+				// Device ID already exists. This should not
+				// happen. Now we have a mechanism to find
+				// a free device ID. So something is not right.
+				// Give a warning and continue.
+				logger.Errorf("Device ID %d exists in pool but it is supposed to be unused", deviceID)
+				deviceID, err = devices.getNextFreeDeviceID()
+				if err != nil {
+					return nil, err
+				}
+				// Save new device id into transaction
+				devices.refreshTransaction(deviceID)
+				continue
+			}
+			logger.Debugf("Error creating device: %s", err)
+			devices.markDeviceIDFree(deviceID)
+			return nil, err
+		}
+		break
+	}
+
+	logger.Debugf("Registering device (id %v) with FS size %v", deviceID, devices.baseFsSize)
+	info, err := devices.registerDevice(deviceID, hash, devices.baseFsSize, devices.OpenTransactionID)
+	if err != nil {
+		_ = devicemapper.DeleteDevice(devices.getPoolDevName(), deviceID)
+		devices.markDeviceIDFree(deviceID)
+		return nil, err
+	}
+
+	if err := devices.closeTransaction(); err != nil {
+		devices.unregisterDevice(hash)
+		devicemapper.DeleteDevice(devices.getPoolDevName(), deviceID)
+		devices.markDeviceIDFree(deviceID)
+		return nil, err
+	}
+	return info, nil
+}
+
+func (devices *DeviceSet) takeSnapshot(hash string, baseInfo *devInfo, size uint64) error {
+	var (
+		devinfo *devicemapper.Info
+		err     error
+	)
+
+	if err = devices.poolHasFreeSpace(); err != nil {
+		return err
+	}
+
+	if devices.deferredRemove {
+		devinfo, err = devicemapper.GetInfoWithDeferred(baseInfo.Name())
+		if err != nil {
+			return err
+		}
+		if devinfo != nil && devinfo.DeferredRemove != 0 {
+			err = devices.cancelDeferredRemoval(baseInfo)
+			if err != nil {
+				// If Error is ErrEnxio. Device is probably already gone. Continue.
+				if err != devicemapper.ErrEnxio {
+					return err
+				}
+				devinfo = nil
+			} else {
+				defer devices.deactivateDevice(baseInfo)
+			}
+		}
+	} else {
+		devinfo, err = devicemapper.GetInfo(baseInfo.Name())
+		if err != nil {
+			return err
+		}
+	}
+
+	doSuspend := devinfo != nil && devinfo.Exists != 0
+
+	if doSuspend {
+		if err = devicemapper.SuspendDevice(baseInfo.Name()); err != nil {
+			return err
+		}
+		defer devicemapper.ResumeDevice(baseInfo.Name())
+	}
+
+	return devices.createRegisterSnapDevice(hash, baseInfo, size)
+}
+
+func (devices *DeviceSet) createRegisterSnapDevice(hash string, baseInfo *devInfo, size uint64) error {
+	deviceID, err := devices.getNextFreeDeviceID()
+	if err != nil {
+		return err
+	}
+
+	logger := logrus.WithField("storage-driver", "devicemapper")
+
+	if err := devices.openTransaction(hash, deviceID); err != nil {
+		logger.Debugf("Error opening transaction hash = %s deviceID = %d", hash, deviceID)
+		devices.markDeviceIDFree(deviceID)
+		return err
+	}
+
+	for {
+		if err := devicemapper.CreateSnapDeviceRaw(devices.getPoolDevName(), deviceID, baseInfo.DeviceID); err != nil {
+			if devicemapper.DeviceIDExists(err) {
+				// Device ID already exists. This should not
+				// happen. Now we have a mechanism to find
+				// a free device ID. So something is not right.
+				// Give a warning and continue.
+				logger.Errorf("Device ID %d exists in pool but it is supposed to be unused", deviceID)
+				deviceID, err = devices.getNextFreeDeviceID()
+				if err != nil {
+					return err
+				}
+				// Save new device id into transaction
+				devices.refreshTransaction(deviceID)
+				continue
+			}
+			logger.Debugf("Error creating snap device: %s", err)
+			devices.markDeviceIDFree(deviceID)
+			return err
+		}
+		break
+	}
+
+	if _, err := devices.registerDevice(deviceID, hash, size, devices.OpenTransactionID); err != nil {
+		devicemapper.DeleteDevice(devices.getPoolDevName(), deviceID)
+		devices.markDeviceIDFree(deviceID)
+		logger.Debugf("Error registering device: %s", err)
+		return err
+	}
+
+	if err := devices.closeTransaction(); err != nil {
+		devices.unregisterDevice(hash)
+		devicemapper.DeleteDevice(devices.getPoolDevName(), deviceID)
+		devices.markDeviceIDFree(deviceID)
+		return err
+	}
+	return nil
+}
+
+func (devices *DeviceSet) loadMetadata(hash string) *devInfo {
+	info := &devInfo{Hash: hash, devices: devices}
+	logger := logrus.WithField("storage-driver", "devicemapper")
+
+	jsonData, err := ioutil.ReadFile(devices.metadataFile(info))
+	if err != nil {
+		logger.Debugf("Failed to read %s with err: %v", devices.metadataFile(info), err)
+		return nil
+	}
+
+	if err := json.Unmarshal(jsonData, &info); err != nil {
+		logger.Debugf("Failed to unmarshal devInfo from %s with err: %v", devices.metadataFile(info), err)
+		return nil
+	}
+
+	if info.DeviceID > maxDeviceID {
+		logger.Errorf("Ignoring Invalid DeviceId=%d", info.DeviceID)
+		return nil
+	}
+
+	return info
+}
+
+func getDeviceUUID(device string) (string, error) {
+	out, err := exec.Command("blkid", "-s", "UUID", "-o", "value", device).Output()
+	if err != nil {
+		return "", fmt.Errorf("devmapper: Failed to find uuid for device %s:%v", device, err)
+	}
+
+	uuid := strings.TrimSuffix(string(out), "\n")
+	uuid = strings.TrimSpace(uuid)
+	logrus.WithField("storage-driver", "devicemapper").Debugf("UUID for device: %s is:%s", device, uuid)
+	return uuid, nil
+}
+
+func (devices *DeviceSet) getBaseDeviceSize() uint64 {
+	info, _ := devices.lookupDevice("")
+	if info == nil {
+		return 0
+	}
+	return info.Size
+}
+
+func (devices *DeviceSet) getBaseDeviceFS() string {
+	return devices.BaseDeviceFilesystem
+}
+
+func (devices *DeviceSet) verifyBaseDeviceUUIDFS(baseInfo *devInfo) error {
+	devices.Lock()
+	defer devices.Unlock()
+
+	if err := devices.activateDeviceIfNeeded(baseInfo, false); err != nil {
+		return err
+	}
+	defer devices.deactivateDevice(baseInfo)
+
+	uuid, err := getDeviceUUID(baseInfo.DevName())
+	if err != nil {
+		return err
+	}
+
+	if devices.BaseDeviceUUID != uuid {
+		return fmt.Errorf("devmapper: Current Base Device UUID:%s does not match with stored UUID:%s. Possibly using a different thin pool than last invocation", uuid, devices.BaseDeviceUUID)
+	}
+
+	if devices.BaseDeviceFilesystem == "" {
+		fsType, err := ProbeFsType(baseInfo.DevName())
+		if err != nil {
+			return err
+		}
+		if err := devices.saveBaseDeviceFilesystem(fsType); err != nil {
+			return err
+		}
+	}
+
+	// If user specified a filesystem using dm.fs option and current
+	// file system of base image is not same, warn user that dm.fs
+	// will be ignored.
+	if devices.BaseDeviceFilesystem != devices.filesystem {
+		logrus.WithField("storage-driver", "devicemapper").Warnf("Base device already exists and has filesystem %s on it. User specified filesystem %s will be ignored.", devices.BaseDeviceFilesystem, devices.filesystem)
+		devices.filesystem = devices.BaseDeviceFilesystem
+	}
+	return nil
+}
+
+func (devices *DeviceSet) saveBaseDeviceFilesystem(fs string) error {
+	devices.BaseDeviceFilesystem = fs
+	return devices.saveDeviceSetMetaData()
+}
+
+func (devices *DeviceSet) saveBaseDeviceUUID(baseInfo *devInfo) error {
+	devices.Lock()
+	defer devices.Unlock()
+
+	if err := devices.activateDeviceIfNeeded(baseInfo, false); err != nil {
+		return err
+	}
+	defer devices.deactivateDevice(baseInfo)
+
+	uuid, err := getDeviceUUID(baseInfo.DevName())
+	if err != nil {
+		return err
+	}
+
+	devices.BaseDeviceUUID = uuid
+	return devices.saveDeviceSetMetaData()
+}
+
+func (devices *DeviceSet) createBaseImage() error {
+	logrus.WithField("storage-driver", "devicemapper").Debug("Initializing base device-mapper thin volume")
+
+	// Create initial device
+	info, err := devices.createRegisterDevice("")
+	if err != nil {
+		return err
+	}
+
+	logrus.WithField("storage-driver", "devicemapper").Debug("Creating filesystem on base device-mapper thin volume")
+
+	if err := devices.activateDeviceIfNeeded(info, false); err != nil {
+		return err
+	}
+
+	if err := devices.createFilesystem(info); err != nil {
+		return err
+	}
+
+	info.Initialized = true
+	if err := devices.saveMetadata(info); err != nil {
+		info.Initialized = false
+		return err
+	}
+
+	if err := devices.saveBaseDeviceUUID(info); err != nil {
+		return fmt.Errorf("devmapper: Could not query and save base device UUID:%v", err)
+	}
+
+	return nil
+}
+
+// Returns if thin pool device exists or not. If device exists, also makes
+// sure it is a thin pool device and not some other type of device.
+func (devices *DeviceSet) thinPoolExists(thinPoolDevice string) (bool, error) {
+	logrus.WithField("storage-driver", "devicemapper").Debugf("Checking for existence of the pool %s", thinPoolDevice)
+
+	info, err := devicemapper.GetInfo(thinPoolDevice)
+	if err != nil {
+		return false, fmt.Errorf("devmapper: GetInfo() on device %s failed: %v", thinPoolDevice, err)
+	}
+
+	// Device does not exist.
+	if info.Exists == 0 {
+		return false, nil
+	}
+
+	_, _, deviceType, _, err := devicemapper.GetStatus(thinPoolDevice)
+	if err != nil {
+		return false, fmt.Errorf("devmapper: GetStatus() on device %s failed: %v", thinPoolDevice, err)
+	}
+
+	if deviceType != "thin-pool" {
+		return false, fmt.Errorf("devmapper: Device %s is not a thin pool", thinPoolDevice)
+	}
+
+	return true, nil
+}
+
+func (devices *DeviceSet) checkThinPool() error {
+	_, transactionID, dataUsed, _, _, _, err := devices.poolStatus()
+	if err != nil {
+		return err
+	}
+	if dataUsed != 0 {
+		return fmt.Errorf("devmapper: Unable to take ownership of thin-pool (%s) that already has used data blocks",
+			devices.thinPoolDevice)
+	}
+	if transactionID != 0 {
+		return fmt.Errorf("devmapper: Unable to take ownership of thin-pool (%s) with non-zero transaction ID",
+			devices.thinPoolDevice)
+	}
+	return nil
+}
+
+// Base image is initialized properly. Either save UUID for first time (for
+// upgrade case or verify UUID.
+func (devices *DeviceSet) setupVerifyBaseImageUUIDFS(baseInfo *devInfo) error {
+	// If BaseDeviceUUID is nil (upgrade case), save it and return success.
+	if devices.BaseDeviceUUID == "" {
+		if err := devices.saveBaseDeviceUUID(baseInfo); err != nil {
+			return fmt.Errorf("devmapper: Could not query and save base device UUID:%v", err)
+		}
+		return nil
+	}
+
+	if err := devices.verifyBaseDeviceUUIDFS(baseInfo); err != nil {
+		return fmt.Errorf("devmapper: Base Device UUID and Filesystem verification failed: %v", err)
+	}
+
+	return nil
+}
+
+func (devices *DeviceSet) checkGrowBaseDeviceFS(info *devInfo) error {
+
+	if !userBaseSize {
+		return nil
+	}
+
+	if devices.baseFsSize < devices.getBaseDeviceSize() {
+		return fmt.Errorf("devmapper: Base device size cannot be smaller than %s", units.HumanSize(float64(devices.getBaseDeviceSize())))
+	}
+
+	if devices.baseFsSize == devices.getBaseDeviceSize() {
+		return nil
+	}
+
+	info.lock.Lock()
+	defer info.lock.Unlock()
+
+	devices.Lock()
+	defer devices.Unlock()
+
+	info.Size = devices.baseFsSize
+
+	if err := devices.saveMetadata(info); err != nil {
+		// Try to remove unused device
+		delete(devices.Devices, info.Hash)
+		return err
+	}
+
+	return devices.growFS(info)
+}
+
+func (devices *DeviceSet) growFS(info *devInfo) error {
+	if err := devices.activateDeviceIfNeeded(info, false); err != nil {
+		return fmt.Errorf("Error activating devmapper device: %s", err)
+	}
+
+	defer devices.deactivateDevice(info)
+
+	fsMountPoint := "/run/docker/mnt"
+	if _, err := os.Stat(fsMountPoint); os.IsNotExist(err) {
+		if err := os.MkdirAll(fsMountPoint, 0700); err != nil {
+			return err
+		}
+		defer os.RemoveAll(fsMountPoint)
+	}
+
+	options := ""
+	if devices.BaseDeviceFilesystem == "xfs" {
+		// XFS needs nouuid or it can't mount filesystems with the same fs
+		options = joinMountOptions(options, "nouuid")
+	}
+	options = joinMountOptions(options, devices.mountOptions)
+
+	if err := mount.Mount(info.DevName(), fsMountPoint, devices.BaseDeviceFilesystem, options); err != nil {
+		return fmt.Errorf("Error mounting '%s' on '%s' (fstype='%s' options='%s'): %s\n%v", info.DevName(), fsMountPoint, devices.BaseDeviceFilesystem, options, err, string(dmesg.Dmesg(256)))
+	}
+
+	defer unix.Unmount(fsMountPoint, unix.MNT_DETACH)
+
+	switch devices.BaseDeviceFilesystem {
+	case "ext4":
+		if out, err := exec.Command("resize2fs", info.DevName()).CombinedOutput(); err != nil {
+			return fmt.Errorf("Failed to grow rootfs:%v:%s", err, string(out))
+		}
+	case "xfs":
+		if out, err := exec.Command("xfs_growfs", info.DevName()).CombinedOutput(); err != nil {
+			return fmt.Errorf("Failed to grow rootfs:%v:%s", err, string(out))
+		}
+	default:
+		return fmt.Errorf("Unsupported filesystem type %s", devices.BaseDeviceFilesystem)
+	}
+	return nil
+}
+
+func (devices *DeviceSet) setupBaseImage() error {
+	oldInfo, _ := devices.lookupDeviceWithLock("")
+
+	// base image already exists. If it is initialized properly, do UUID
+	// verification and return. Otherwise remove image and set it up
+	// fresh.
+
+	if oldInfo != nil {
+		if oldInfo.Initialized && !oldInfo.Deleted {
+			if err := devices.setupVerifyBaseImageUUIDFS(oldInfo); err != nil {
+				return err
+			}
+			return devices.checkGrowBaseDeviceFS(oldInfo)
+		}
+
+		logrus.WithField("storage-driver", "devicemapper").Debug("Removing uninitialized base image")
+		// If previous base device is in deferred delete state,
+		// that needs to be cleaned up first. So don't try
+		// deferred deletion.
+		if err := devices.DeleteDevice("", true); err != nil {
+			return err
+		}
+	}
+
+	// If we are setting up base image for the first time, make sure
+	// thin pool is empty.
+	if devices.thinPoolDevice != "" && oldInfo == nil {
+		if err := devices.checkThinPool(); err != nil {
+			return err
+		}
+	}
+
+	// Create new base image device
+	return devices.createBaseImage()
+}
+
+func setCloseOnExec(name string) {
+	fileInfos, _ := ioutil.ReadDir("/proc/self/fd")
+	for _, i := range fileInfos {
+		link, _ := os.Readlink(filepath.Join("/proc/self/fd", i.Name()))
+		if link == name {
+			fd, err := strconv.Atoi(i.Name())
+			if err == nil {
+				unix.CloseOnExec(fd)
+			}
+		}
+	}
+}
+
+func major(device uint64) uint64 {
+	return (device >> 8) & 0xfff
+}
+
+func minor(device uint64) uint64 {
+	return (device & 0xff) | ((device >> 12) & 0xfff00)
+}
+
+// ResizePool increases the size of the pool.
+func (devices *DeviceSet) ResizePool(size int64) error {
+	dirname := devices.loopbackDir()
+	datafilename := path.Join(dirname, "data")
+	if len(devices.dataDevice) > 0 {
+		datafilename = devices.dataDevice
+	}
+	metadatafilename := path.Join(dirname, "metadata")
+	if len(devices.metadataDevice) > 0 {
+		metadatafilename = devices.metadataDevice
+	}
+
+	datafile, err := os.OpenFile(datafilename, os.O_RDWR, 0)
+	if datafile == nil {
+		return err
+	}
+	defer datafile.Close()
+
+	fi, err := datafile.Stat()
+	if fi == nil {
+		return err
+	}
+
+	if fi.Size() > size {
+		return fmt.Errorf("devmapper: Can't shrink file")
+	}
+
+	dataloopback := loopback.FindLoopDeviceFor(datafile)
+	if dataloopback == nil {
+		return fmt.Errorf("devmapper: Unable to find loopback mount for: %s", datafilename)
+	}
+	defer dataloopback.Close()
+
+	metadatafile, err := os.OpenFile(metadatafilename, os.O_RDWR, 0)
+	if metadatafile == nil {
+		return err
+	}
+	defer metadatafile.Close()
+
+	metadataloopback := loopback.FindLoopDeviceFor(metadatafile)
+	if metadataloopback == nil {
+		return fmt.Errorf("devmapper: Unable to find loopback mount for: %s", metadatafilename)
+	}
+	defer metadataloopback.Close()
+
+	// Grow loopback file
+	if err := datafile.Truncate(size); err != nil {
+		return fmt.Errorf("devmapper: Unable to grow loopback file: %s", err)
+	}
+
+	// Reload size for loopback device
+	if err := loopback.SetCapacity(dataloopback); err != nil {
+		return fmt.Errorf("Unable to update loopback capacity: %s", err)
+	}
+
+	// Suspend the pool
+	if err := devicemapper.SuspendDevice(devices.getPoolName()); err != nil {
+		return fmt.Errorf("devmapper: Unable to suspend pool: %s", err)
+	}
+
+	// Reload with the new block sizes
+	if err := devicemapper.ReloadPool(devices.getPoolName(), dataloopback, metadataloopback, devices.thinpBlockSize); err != nil {
+		return fmt.Errorf("devmapper: Unable to reload pool: %s", err)
+	}
+
+	// Resume the pool
+	if err := devicemapper.ResumeDevice(devices.getPoolName()); err != nil {
+		return fmt.Errorf("devmapper: Unable to resume pool: %s", err)
+	}
+
+	return nil
+}
+
+func (devices *DeviceSet) loadTransactionMetaData() error {
+	jsonData, err := ioutil.ReadFile(devices.transactionMetaFile())
+	if err != nil {
+		// There is no active transaction. This will be the case
+		// during upgrade.
+		if os.IsNotExist(err) {
+			devices.OpenTransactionID = devices.TransactionID
+			return nil
+		}
+		return err
+	}
+
+	json.Unmarshal(jsonData, &devices.transaction)
+	return nil
+}
+
+func (devices *DeviceSet) saveTransactionMetaData() error {
+	jsonData, err := json.Marshal(&devices.transaction)
+	if err != nil {
+		return fmt.Errorf("devmapper: Error encoding metadata to json: %s", err)
+	}
+
+	return devices.writeMetaFile(jsonData, devices.transactionMetaFile())
+}
+
+func (devices *DeviceSet) removeTransactionMetaData() error {
+	return os.RemoveAll(devices.transactionMetaFile())
+}
+
+func (devices *DeviceSet) rollbackTransaction() error {
+	logger := logrus.WithField("storage-driver", "devicemapper")
+
+	logger.Debugf("Rolling back open transaction: TransactionID=%d hash=%s device_id=%d", devices.OpenTransactionID, devices.DeviceIDHash, devices.DeviceID)
+
+	// A device id might have already been deleted before transaction
+	// closed. In that case this call will fail. Just leave a message
+	// in case of failure.
+	if err := devicemapper.DeleteDevice(devices.getPoolDevName(), devices.DeviceID); err != nil {
+		logger.Errorf("Unable to delete device: %s", err)
+	}
+
+	dinfo := &devInfo{Hash: devices.DeviceIDHash}
+	if err := devices.removeMetadata(dinfo); err != nil {
+		logger.Errorf("Unable to remove metadata: %s", err)
+	} else {
+		devices.markDeviceIDFree(devices.DeviceID)
+	}
+
+	if err := devices.removeTransactionMetaData(); err != nil {
+		logger.Errorf("Unable to remove transaction meta file %s: %s", devices.transactionMetaFile(), err)
+	}
+
+	return nil
+}
+
+func (devices *DeviceSet) processPendingTransaction() error {
+	if err := devices.loadTransactionMetaData(); err != nil {
+		return err
+	}
+
+	// If there was open transaction but pool transaction ID is same
+	// as open transaction ID, nothing to roll back.
+	if devices.TransactionID == devices.OpenTransactionID {
+		return nil
+	}
+
+	// If open transaction ID is less than pool transaction ID, something
+	// is wrong. Bail out.
+	if devices.OpenTransactionID < devices.TransactionID {
+		logrus.WithField("storage-driver", "devicemapper").Errorf("Open Transaction id %d is less than pool transaction id %d", devices.OpenTransactionID, devices.TransactionID)
+		return nil
+	}
+
+	// Pool transaction ID is not same as open transaction. There is
+	// a transaction which was not completed.
+	if err := devices.rollbackTransaction(); err != nil {
+		return fmt.Errorf("devmapper: Rolling back open transaction failed: %s", err)
+	}
+
+	devices.OpenTransactionID = devices.TransactionID
+	return nil
+}
+
+func (devices *DeviceSet) loadDeviceSetMetaData() error {
+	jsonData, err := ioutil.ReadFile(devices.deviceSetMetaFile())
+	if err != nil {
+		// For backward compatibility return success if file does
+		// not exist.
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	return json.Unmarshal(jsonData, devices)
+}
+
+func (devices *DeviceSet) saveDeviceSetMetaData() error {
+	jsonData, err := json.Marshal(devices)
+	if err != nil {
+		return fmt.Errorf("devmapper: Error encoding metadata to json: %s", err)
+	}
+
+	return devices.writeMetaFile(jsonData, devices.deviceSetMetaFile())
+}
+
+func (devices *DeviceSet) openTransaction(hash string, DeviceID int) error {
+	devices.allocateTransactionID()
+	devices.DeviceIDHash = hash
+	devices.DeviceID = DeviceID
+	if err := devices.saveTransactionMetaData(); err != nil {
+		return fmt.Errorf("devmapper: Error saving transaction metadata: %s", err)
+	}
+	return nil
+}
+
+func (devices *DeviceSet) refreshTransaction(DeviceID int) error {
+	devices.DeviceID = DeviceID
+	if err := devices.saveTransactionMetaData(); err != nil {
+		return fmt.Errorf("devmapper: Error saving transaction metadata: %s", err)
+	}
+	return nil
+}
+
+func (devices *DeviceSet) closeTransaction() error {
+	if err := devices.updatePoolTransactionID(); err != nil {
+		logrus.WithField("storage-driver", "devicemapper").Debug("Failed to close Transaction")
+		return err
+	}
+	return nil
+}
+
+func determineDriverCapabilities(version string) error {
+	// Kernel driver version >= 4.27.0 support deferred removal
+
+	logrus.WithField("storage-driver", "devicemapper").Debugf("kernel dm driver version is %s", version)
+
+	versionSplit := strings.Split(version, ".")
+	major, err := strconv.Atoi(versionSplit[0])
+	if err != nil {
+		return graphdriver.ErrNotSupported
+	}
+
+	if major > 4 {
+		driverDeferredRemovalSupport = true
+		return nil
+	}
+
+	if major < 4 {
+		return nil
+	}
+
+	minor, err := strconv.Atoi(versionSplit[1])
+	if err != nil {
+		return graphdriver.ErrNotSupported
+	}
+
+	/*
+	 * If major is 4 and minor is 27, then there is no need to
+	 * check for patch level as it can not be less than 0.
+	 */
+	if minor >= 27 {
+		driverDeferredRemovalSupport = true
+		return nil
+	}
+
+	return nil
+}
+
+// Determine the major and minor number of loopback device
+func getDeviceMajorMinor(file *os.File) (uint64, uint64, error) {
+	var stat unix.Stat_t
+	err := unix.Stat(file.Name(), &stat)
+	if err != nil {
+		return 0, 0, err
+	}
+
+	dev := stat.Rdev
+	majorNum := major(dev)
+	minorNum := minor(dev)
+
+	logrus.WithField("storage-driver", "devicemapper").Debugf("Major:Minor for device: %s is:%v:%v", file.Name(), majorNum, minorNum)
+	return majorNum, minorNum, nil
+}
+
+// Given a file which is backing file of a loop back device, find the
+// loopback device name and its major/minor number.
+func getLoopFileDeviceMajMin(filename string) (string, uint64, uint64, error) {
+	file, err := os.Open(filename)
+	if err != nil {
+		logrus.WithField("storage-driver", "devicemapper").Debugf("Failed to open file %s", filename)
+		return "", 0, 0, err
+	}
+
+	defer file.Close()
+	loopbackDevice := loopback.FindLoopDeviceFor(file)
+	if loopbackDevice == nil {
+		return "", 0, 0, fmt.Errorf("devmapper: Unable to find loopback mount for: %s", filename)
+	}
+	defer loopbackDevice.Close()
+
+	Major, Minor, err := getDeviceMajorMinor(loopbackDevice)
+	if err != nil {
+		return "", 0, 0, err
+	}
+	return loopbackDevice.Name(), Major, Minor, nil
+}
+
+// Get the major/minor numbers of thin pool data and metadata devices
+func (devices *DeviceSet) getThinPoolDataMetaMajMin() (uint64, uint64, uint64, uint64, error) {
+	var params, poolDataMajMin, poolMetadataMajMin string
+
+	_, _, _, params, err := devicemapper.GetTable(devices.getPoolName())
+	if err != nil {
+		return 0, 0, 0, 0, err
+	}
+
+	if _, err = fmt.Sscanf(params, "%s %s", &poolMetadataMajMin, &poolDataMajMin); err != nil {
+		return 0, 0, 0, 0, err
+	}
+
+	logrus.WithField("storage-driver", "devicemapper").Debugf("poolDataMajMin=%s poolMetaMajMin=%s\n", poolDataMajMin, poolMetadataMajMin)
+
+	poolDataMajMinorSplit := strings.Split(poolDataMajMin, ":")
+	poolDataMajor, err := strconv.ParseUint(poolDataMajMinorSplit[0], 10, 32)
+	if err != nil {
+		return 0, 0, 0, 0, err
+	}
+
+	poolDataMinor, err := strconv.ParseUint(poolDataMajMinorSplit[1], 10, 32)
+	if err != nil {
+		return 0, 0, 0, 0, err
+	}
+
+	poolMetadataMajMinorSplit := strings.Split(poolMetadataMajMin, ":")
+	poolMetadataMajor, err := strconv.ParseUint(poolMetadataMajMinorSplit[0], 10, 32)
+	if err != nil {
+		return 0, 0, 0, 0, err
+	}
+
+	poolMetadataMinor, err := strconv.ParseUint(poolMetadataMajMinorSplit[1], 10, 32)
+	if err != nil {
+		return 0, 0, 0, 0, err
+	}
+
+	return poolDataMajor, poolDataMinor, poolMetadataMajor, poolMetadataMinor, nil
+}
+
+func (devices *DeviceSet) loadThinPoolLoopBackInfo() error {
+	poolDataMajor, poolDataMinor, poolMetadataMajor, poolMetadataMinor, err := devices.getThinPoolDataMetaMajMin()
+	if err != nil {
+		return err
+	}
+
+	dirname := devices.loopbackDir()
+
+	// data device has not been passed in. So there should be a data file
+	// which is being mounted as loop device.
+	if devices.dataDevice == "" {
+		datafilename := path.Join(dirname, "data")
+		dataLoopDevice, dataMajor, dataMinor, err := getLoopFileDeviceMajMin(datafilename)
+		if err != nil {
+			return err
+		}
+
+		// Compare the two
+		if poolDataMajor == dataMajor && poolDataMinor == dataMinor {
+			devices.dataDevice = dataLoopDevice
+			devices.dataLoopFile = datafilename
+		}
+
+	}
+
+	// metadata device has not been passed in. So there should be a
+	// metadata file which is being mounted as loop device.
+	if devices.metadataDevice == "" {
+		metadatafilename := path.Join(dirname, "metadata")
+		metadataLoopDevice, metadataMajor, metadataMinor, err := getLoopFileDeviceMajMin(metadatafilename)
+		if err != nil {
+			return err
+		}
+		if poolMetadataMajor == metadataMajor && poolMetadataMinor == metadataMinor {
+			devices.metadataDevice = metadataLoopDevice
+			devices.metadataLoopFile = metadatafilename
+		}
+	}
+
+	return nil
+}
+
+func (devices *DeviceSet) enableDeferredRemovalDeletion() error {
+
+	// If user asked for deferred removal then check both libdm library
+	// and kernel driver support deferred removal otherwise error out.
+	if enableDeferredRemoval {
+		if !driverDeferredRemovalSupport {
+			return fmt.Errorf("devmapper: Deferred removal can not be enabled as kernel does not support it")
+		}
+		if !devicemapper.LibraryDeferredRemovalSupport {
+			return fmt.Errorf("devmapper: Deferred removal can not be enabled as libdm does not support it")
+		}
+		logrus.WithField("storage-driver", "devicemapper").Debug("Deferred removal support enabled.")
+		devices.deferredRemove = true
+	}
+
+	if enableDeferredDeletion {
+		if !devices.deferredRemove {
+			return fmt.Errorf("devmapper: Deferred deletion can not be enabled as deferred removal is not enabled. Enable deferred removal using --storage-opt dm.use_deferred_removal=true parameter")
+		}
+		logrus.WithField("storage-driver", "devicemapper").Debug("Deferred deletion support enabled.")
+		devices.deferredDelete = true
+	}
+	return nil
+}
+
+func (devices *DeviceSet) initDevmapper(doInit bool) (retErr error) {
+	if err := devices.enableDeferredRemovalDeletion(); err != nil {
+		return err
+	}
+
+	logger := logrus.WithField("storage-driver", "devicemapper")
+
+	// https://github.com/docker/docker/issues/4036
+	if supported := devicemapper.UdevSetSyncSupport(true); !supported {
+		if dockerversion.IAmStatic == "true" {
+			logger.Error("Udev sync is not supported. This will lead to data loss and unexpected behavior. Install a dynamic binary to use devicemapper or select a different storage driver. For more information, see https://docs.docker.com/engine/reference/commandline/dockerd/#storage-driver-options")
+		} else {
+			logger.Error("Udev sync is not supported. This will lead to data loss and unexpected behavior. Install a more recent version of libdevmapper or select a different storage driver. For more information, see https://docs.docker.com/engine/reference/commandline/dockerd/#storage-driver-options")
+		}
+
+		if !devices.overrideUdevSyncCheck {
+			return graphdriver.ErrNotSupported
+		}
+	}
+
+	//create the root dir of the devmapper driver ownership to match this
+	//daemon's remapped root uid/gid so containers can start properly
+	uid, gid, err := idtools.GetRootUIDGID(devices.uidMaps, devices.gidMaps)
+	if err != nil {
+		return err
+	}
+	if err := idtools.MkdirAndChown(devices.root, 0700, idtools.IDPair{UID: uid, GID: gid}); err != nil {
+		return err
+	}
+	if err := os.MkdirAll(devices.metadataDir(), 0700); err != nil {
+		return err
+	}
+
+	prevSetupConfig, err := readLVMConfig(devices.root)
+	if err != nil {
+		return err
+	}
+
+	if !reflect.DeepEqual(devices.lvmSetupConfig, directLVMConfig{}) {
+		if devices.thinPoolDevice != "" {
+			return errors.New("cannot setup direct-lvm when `dm.thinpooldev` is also specified")
+		}
+
+		if !reflect.DeepEqual(prevSetupConfig, devices.lvmSetupConfig) {
+			if !reflect.DeepEqual(prevSetupConfig, directLVMConfig{}) {
+				return errors.New("changing direct-lvm config is not supported")
+			}
+			logger.WithField("direct-lvm-config", devices.lvmSetupConfig).Debugf("Setting up direct lvm mode")
+			if err := verifyBlockDevice(devices.lvmSetupConfig.Device, lvmSetupConfigForce); err != nil {
+				return err
+			}
+			if err := setupDirectLVM(devices.lvmSetupConfig); err != nil {
+				return err
+			}
+			if err := writeLVMConfig(devices.root, devices.lvmSetupConfig); err != nil {
+				return err
+			}
+		}
+		devices.thinPoolDevice = "docker-thinpool"
+		logger.Debugf("Setting dm.thinpooldev to %q", devices.thinPoolDevice)
+	}
+
+	// Set the device prefix from the device id and inode of the docker root dir
+	var st unix.Stat_t
+	if err := unix.Stat(devices.root, &st); err != nil {
+		return fmt.Errorf("devmapper: Error looking up dir %s: %s", devices.root, err)
+	}
+	// "reg-" stands for "regular file".
+	// In the future we might use "dev-" for "device file", etc.
+	// docker-maj,min[-inode] stands for:
+	//	- Managed by docker
+	//	- The target of this device is at major <maj> and minor <min>
+	//	- If <inode> is defined, use that file inside the device as a loopback image. Otherwise use the device itself.
+	devices.devicePrefix = fmt.Sprintf("docker-%d:%d-%d", major(st.Dev), minor(st.Dev), st.Ino)
+	logger.Debugf("Generated prefix: %s", devices.devicePrefix)
+
+	// Check for the existence of the thin-pool device
+	poolExists, err := devices.thinPoolExists(devices.getPoolName())
+	if err != nil {
+		return err
+	}
+
+	// It seems libdevmapper opens this without O_CLOEXEC, and go exec will not close files
+	// that are not Close-on-exec,
+	// so we add this badhack to make sure it closes itself
+	setCloseOnExec("/dev/mapper/control")
+
+	// Make sure the sparse images exist in <root>/devicemapper/data and
+	// <root>/devicemapper/metadata
+
+	createdLoopback := false
+
+	// If the pool doesn't exist, create it
+	if !poolExists && devices.thinPoolDevice == "" {
+		logger.Debug("Pool doesn't exist. Creating it.")
+
+		var (
+			dataFile     *os.File
+			metadataFile *os.File
+		)
+
+		if devices.dataDevice == "" {
+			// Make sure the sparse images exist in <root>/devicemapper/data
+
+			hasData := devices.hasImage("data")
+
+			if !doInit && !hasData {
+				return errors.New("loopback data file not found")
+			}
+
+			if !hasData {
+				createdLoopback = true
+			}
+
+			data, err := devices.ensureImage("data", devices.dataLoopbackSize)
+			if err != nil {
+				logger.Debugf("Error device ensureImage (data): %s", err)
+				return err
+			}
+
+			dataFile, err = loopback.AttachLoopDevice(data)
+			if err != nil {
+				return err
+			}
+			devices.dataLoopFile = data
+			devices.dataDevice = dataFile.Name()
+		} else {
+			dataFile, err = os.OpenFile(devices.dataDevice, os.O_RDWR, 0600)
+			if err != nil {
+				return err
+			}
+		}
+		defer dataFile.Close()
+
+		if devices.metadataDevice == "" {
+			// Make sure the sparse images exist in <root>/devicemapper/metadata
+
+			hasMetadata := devices.hasImage("metadata")
+
+			if !doInit && !hasMetadata {
+				return errors.New("loopback metadata file not found")
+			}
+
+			if !hasMetadata {
+				createdLoopback = true
+			}
+
+			metadata, err := devices.ensureImage("metadata", devices.metaDataLoopbackSize)
+			if err != nil {
+				logger.Debugf("Error device ensureImage (metadata): %s", err)
+				return err
+			}
+
+			metadataFile, err = loopback.AttachLoopDevice(metadata)
+			if err != nil {
+				return err
+			}
+			devices.metadataLoopFile = metadata
+			devices.metadataDevice = metadataFile.Name()
+		} else {
+			metadataFile, err = os.OpenFile(devices.metadataDevice, os.O_RDWR, 0600)
+			if err != nil {
+				return err
+			}
+		}
+		defer metadataFile.Close()
+
+		if err := devicemapper.CreatePool(devices.getPoolName(), dataFile, metadataFile, devices.thinpBlockSize); err != nil {
+			return err
+		}
+		defer func() {
+			if retErr != nil {
+				err = devices.deactivatePool()
+				if err != nil {
+					logger.Warnf("Failed to deactivatePool: %v", err)
+				}
+			}
+		}()
+	}
+
+	// Pool already exists and caller did not pass us a pool. That means
+	// we probably created pool earlier and could not remove it as some
+	// containers were still using it. Detect some of the properties of
+	// pool, like is it using loop devices.
+	if poolExists && devices.thinPoolDevice == "" {
+		if err := devices.loadThinPoolLoopBackInfo(); err != nil {
+			logger.Debugf("Failed to load thin pool loopback device information:%v", err)
+			return err
+		}
+	}
+
+	// If we didn't just create the data or metadata image, we need to
+	// load the transaction id and migrate old metadata
+	if !createdLoopback {
+		if err := devices.initMetaData(); err != nil {
+			return err
+		}
+	}
+
+	if devices.thinPoolDevice == "" {
+		if devices.metadataLoopFile != "" || devices.dataLoopFile != "" {
+			logger.Warn("Usage of loopback devices is strongly discouraged for production use. Please use `--storage-opt dm.thinpooldev` or use `man dockerd` to refer to dm.thinpooldev section.")
+		}
+	}
+
+	// Right now this loads only NextDeviceID. If there is more metadata
+	// down the line, we might have to move it earlier.
+	if err := devices.loadDeviceSetMetaData(); err != nil {
+		return err
+	}
+
+	// Setup the base image
+	if doInit {
+		if err := devices.setupBaseImage(); err != nil {
+			logger.Debugf("Error device setupBaseImage: %s", err)
+			return err
+		}
+	}
+
+	return nil
+}
+
+// AddDevice adds a device and registers in the hash.
+func (devices *DeviceSet) AddDevice(hash, baseHash string, storageOpt map[string]string) error {
+	logrus.WithField("storage-driver", "devicemapper").Debugf("AddDevice START(hash=%s basehash=%s)", hash, baseHash)
+	defer logrus.WithField("storage-driver", "devicemapper").Debugf("AddDevice END(hash=%s basehash=%s)", hash, baseHash)
+
+	// If a deleted device exists, return error.
+	baseInfo, err := devices.lookupDeviceWithLock(baseHash)
+	if err != nil {
+		return err
+	}
+
+	if baseInfo.Deleted {
+		return fmt.Errorf("devmapper: Base device %v has been marked for deferred deletion", baseInfo.Hash)
+	}
+
+	baseInfo.lock.Lock()
+	defer baseInfo.lock.Unlock()
+
+	devices.Lock()
+	defer devices.Unlock()
+
+	// Also include deleted devices in case hash of new device is
+	// same as one of the deleted devices.
+	if info, _ := devices.lookupDevice(hash); info != nil {
+		return fmt.Errorf("devmapper: device %s already exists. Deleted=%v", hash, info.Deleted)
+	}
+
+	size, err := devices.parseStorageOpt(storageOpt)
+	if err != nil {
+		return err
+	}
+
+	if size == 0 {
+		size = baseInfo.Size
+	}
+
+	if size < baseInfo.Size {
+		return fmt.Errorf("devmapper: Container size cannot be smaller than %s", units.HumanSize(float64(baseInfo.Size)))
+	}
+
+	if err := devices.takeSnapshot(hash, baseInfo, size); err != nil {
+		return err
+	}
+
+	// Grow the container rootfs.
+	if size > baseInfo.Size {
+		info, err := devices.lookupDevice(hash)
+		if err != nil {
+			return err
+		}
+
+		if err := devices.growFS(info); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (devices *DeviceSet) parseStorageOpt(storageOpt map[string]string) (uint64, error) {
+
+	// Read size to change the block device size per container.
+	for key, val := range storageOpt {
+		key := strings.ToLower(key)
+		switch key {
+		case "size":
+			size, err := units.RAMInBytes(val)
+			if err != nil {
+				return 0, err
+			}
+			return uint64(size), nil
+		default:
+			return 0, fmt.Errorf("Unknown option %s", key)
+		}
+	}
+
+	return 0, nil
+}
+
+func (devices *DeviceSet) markForDeferredDeletion(info *devInfo) error {
+	// If device is already in deleted state, there is nothing to be done.
+	if info.Deleted {
+		return nil
+	}
+
+	logrus.WithField("storage-driver", "devicemapper").Debugf("Marking device %s for deferred deletion.", info.Hash)
+
+	info.Deleted = true
+
+	// save device metadata to reflect deleted state.
+	if err := devices.saveMetadata(info); err != nil {
+		info.Deleted = false
+		return err
+	}
+
+	devices.nrDeletedDevices++
+	return nil
+}
+
+// Should be called with devices.Lock() held.
+func (devices *DeviceSet) deleteTransaction(info *devInfo, syncDelete bool) error {
+	if err := devices.openTransaction(info.Hash, info.DeviceID); err != nil {
+		logrus.WithField("storage-driver", "devicemapper").Debugf("Error opening transaction hash = %s deviceId = %d", "", info.DeviceID)
+		return err
+	}
+
+	defer devices.closeTransaction()
+
+	err := devicemapper.DeleteDevice(devices.getPoolDevName(), info.DeviceID)
+	if err != nil {
+		// If syncDelete is true, we want to return error. If deferred
+		// deletion is not enabled, we return an error. If error is
+		// something other then EBUSY, return an error.
+		if syncDelete || !devices.deferredDelete || err != devicemapper.ErrBusy {
+			logrus.WithField("storage-driver", "devicemapper").Debugf("Error deleting device: %s", err)
+			return err
+		}
+	}
+
+	if err == nil {
+		if err := devices.unregisterDevice(info.Hash); err != nil {
+			return err
+		}
+		// If device was already in deferred delete state that means
+		// deletion was being tried again later. Reduce the deleted
+		// device count.
+		if info.Deleted {
+			devices.nrDeletedDevices--
+		}
+		devices.markDeviceIDFree(info.DeviceID)
+	} else {
+		if err := devices.markForDeferredDeletion(info); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Issue discard only if device open count is zero.
+func (devices *DeviceSet) issueDiscard(info *devInfo) error {
+	logger := logrus.WithField("storage-driver", "devicemapper")
+	logger.Debugf("issueDiscard START(device: %s).", info.Hash)
+	defer logger.Debugf("issueDiscard END(device: %s).", info.Hash)
+	// This is a workaround for the kernel not discarding block so
+	// on the thin pool when we remove a thinp device, so we do it
+	// manually.
+	// Even if device is deferred deleted, activate it and issue
+	// discards.
+	if err := devices.activateDeviceIfNeeded(info, true); err != nil {
+		return err
+	}
+
+	devinfo, err := devicemapper.GetInfo(info.Name())
+	if err != nil {
+		return err
+	}
+
+	if devinfo.OpenCount != 0 {
+		logger.Debugf("Device: %s is in use. OpenCount=%d. Not issuing discards.", info.Hash, devinfo.OpenCount)
+		return nil
+	}
+
+	if err := devicemapper.BlockDeviceDiscard(info.DevName()); err != nil {
+		logger.Debugf("Error discarding block on device: %s (ignoring)", err)
+	}
+	return nil
+}
+
+// Should be called with devices.Lock() held.
+func (devices *DeviceSet) deleteDevice(info *devInfo, syncDelete bool) error {
+	if devices.doBlkDiscard {
+		devices.issueDiscard(info)
+	}
+
+	// Try to deactivate device in case it is active.
+	// If deferred removal is enabled and deferred deletion is disabled
+	// then make sure device is removed synchronously. There have been
+	// some cases of device being busy for short duration and we would
+	// rather busy wait for device removal to take care of these cases.
+	deferredRemove := devices.deferredRemove
+	if !devices.deferredDelete {
+		deferredRemove = false
+	}
+
+	if err := devices.deactivateDeviceMode(info, deferredRemove); err != nil {
+		logrus.WithField("storage-driver", "devicemapper").Debugf("Error deactivating device: %s", err)
+		return err
+	}
+
+	return devices.deleteTransaction(info, syncDelete)
+}
+
+// DeleteDevice will return success if device has been marked for deferred
+// removal. If one wants to override that and want DeleteDevice() to fail if
+// device was busy and could not be deleted, set syncDelete=true.
+func (devices *DeviceSet) DeleteDevice(hash string, syncDelete bool) error {
+	logrus.WithField("storage-driver", "devicemapper").Debugf("DeleteDevice START(hash=%v syncDelete=%v)", hash, syncDelete)
+	defer logrus.WithField("storage-driver", "devicemapper").Debugf("DeleteDevice END(hash=%v syncDelete=%v)", hash, syncDelete)
+	info, err := devices.lookupDeviceWithLock(hash)
+	if err != nil {
+		return err
+	}
+
+	info.lock.Lock()
+	defer info.lock.Unlock()
+
+	devices.Lock()
+	defer devices.Unlock()
+
+	return devices.deleteDevice(info, syncDelete)
+}
+
+func (devices *DeviceSet) deactivatePool() error {
+	logrus.WithField("storage-driver", "devicemapper").Debug("deactivatePool() START")
+	defer logrus.WithField("storage-driver", "devicemapper").Debug("deactivatePool() END")
+	devname := devices.getPoolDevName()
+
+	devinfo, err := devicemapper.GetInfo(devname)
+	if err != nil {
+		return err
+	}
+
+	if devinfo.Exists == 0 {
+		return nil
+	}
+	if err := devicemapper.RemoveDevice(devname); err != nil {
+		return err
+	}
+
+	if d, err := devicemapper.GetDeps(devname); err == nil {
+		logrus.WithField("storage-driver", "devicemapper").Warnf("device %s still has %d active dependents", devname, d.Count)
+	}
+
+	return nil
+}
+
+func (devices *DeviceSet) deactivateDevice(info *devInfo) error {
+	return devices.deactivateDeviceMode(info, devices.deferredRemove)
+}
+
+func (devices *DeviceSet) deactivateDeviceMode(info *devInfo, deferredRemove bool) error {
+	var err error
+	logrus.WithField("storage-driver", "devicemapper").Debugf("deactivateDevice START(%s)", info.Hash)
+	defer logrus.WithField("storage-driver", "devicemapper").Debugf("deactivateDevice END(%s)", info.Hash)
+
+	devinfo, err := devicemapper.GetInfo(info.Name())
+	if err != nil {
+		return err
+	}
+
+	if devinfo.Exists == 0 {
+		return nil
+	}
+
+	if deferredRemove {
+		err = devicemapper.RemoveDeviceDeferred(info.Name())
+	} else {
+		err = devices.removeDevice(info.Name())
+	}
+
+	// This function's semantics is such that it does not return an
+	// error if device does not exist. So if device went away by
+	// the time we actually tried to remove it, do not return error.
+	if err != devicemapper.ErrEnxio {
+		return err
+	}
+	return nil
+}
+
+// Issues the underlying dm remove operation.
+func (devices *DeviceSet) removeDevice(devname string) error {
+	var err error
+
+	logrus.WithField("storage-driver", "devicemapper").Debugf("removeDevice START(%s)", devname)
+	defer logrus.WithField("storage-driver", "devicemapper").Debugf("removeDevice END(%s)", devname)
+
+	for i := 0; i < 200; i++ {
+		err = devicemapper.RemoveDevice(devname)
+		if err == nil {
+			break
+		}
+		if err != devicemapper.ErrBusy {
+			return err
+		}
+
+		// If we see EBUSY it may be a transient error,
+		// sleep a bit a retry a few times.
+		devices.Unlock()
+		time.Sleep(100 * time.Millisecond)
+		devices.Lock()
+	}
+
+	return err
+}
+
+func (devices *DeviceSet) cancelDeferredRemovalIfNeeded(info *devInfo) error {
+	if !devices.deferredRemove {
+		return nil
+	}
+
+	logrus.WithField("storage-driver", "devicemapper").Debugf("cancelDeferredRemovalIfNeeded START(%s)", info.Name())
+	defer logrus.WithField("storage-driver", "devicemapper").Debugf("cancelDeferredRemovalIfNeeded END(%s)", info.Name())
+
+	devinfo, err := devicemapper.GetInfoWithDeferred(info.Name())
+	if err != nil {
+		return err
+	}
+
+	if devinfo != nil && devinfo.DeferredRemove == 0 {
+		return nil
+	}
+
+	// Cancel deferred remove
+	if err := devices.cancelDeferredRemoval(info); err != nil {
+		// If Error is ErrEnxio. Device is probably already gone. Continue.
+		if err != devicemapper.ErrEnxio {
+			return err
+		}
+	}
+	return nil
+}
+
+func (devices *DeviceSet) cancelDeferredRemoval(info *devInfo) error {
+	logrus.WithField("storage-driver", "devicemapper").Debugf("cancelDeferredRemoval START(%s)", info.Name())
+	defer logrus.WithField("storage-driver", "devicemapper").Debugf("cancelDeferredRemoval END(%s)", info.Name())
+
+	var err error
+
+	// Cancel deferred remove
+	for i := 0; i < 100; i++ {
+		err = devicemapper.CancelDeferredRemove(info.Name())
+		if err != nil {
+			if err == devicemapper.ErrBusy {
+				// If we see EBUSY it may be a transient error,
+				// sleep a bit a retry a few times.
+				devices.Unlock()
+				time.Sleep(100 * time.Millisecond)
+				devices.Lock()
+				continue
+			}
+		}
+		break
+	}
+	return err
+}
+
+func (devices *DeviceSet) unmountAndDeactivateAll(dir string) {
+	logger := logrus.WithField("storage-driver", "devicemapper")
+
+	files, err := ioutil.ReadDir(dir)
+	if err != nil {
+		logger.Warnf("unmountAndDeactivate: %s", err)
+		return
+	}
+
+	for _, d := range files {
+		if !d.IsDir() {
+			continue
+		}
+
+		name := d.Name()
+		fullname := path.Join(dir, name)
+
+		// We use MNT_DETACH here in case it is still busy in some running
+		// container. This means it'll go away from the global scope directly,
+		// and the device will be released when that container dies.
+		if err := unix.Unmount(fullname, unix.MNT_DETACH); err != nil && err != unix.EINVAL {
+			logger.Warnf("Shutdown unmounting %s, error: %s", fullname, err)
+		}
+
+		if devInfo, err := devices.lookupDevice(name); err != nil {
+			logger.Debugf("Shutdown lookup device %s, error: %s", name, err)
+		} else {
+			if err := devices.deactivateDevice(devInfo); err != nil {
+				logger.Debugf("Shutdown deactivate %s, error: %s", devInfo.Hash, err)
+			}
+		}
+	}
+}
+
+// Shutdown shuts down the device by unmounting the root.
+func (devices *DeviceSet) Shutdown(home string) error {
+	logger := logrus.WithField("storage-driver", "devicemapper")
+
+	logger.Debugf("[deviceset %s] Shutdown()", devices.devicePrefix)
+	logger.Debugf("Shutting down DeviceSet: %s", devices.root)
+	defer logger.Debugf("[deviceset %s] Shutdown() END", devices.devicePrefix)
+
+	// Stop deletion worker. This should start delivering new events to
+	// ticker channel. That means no new instance of cleanupDeletedDevice()
+	// will run after this call. If one instance is already running at
+	// the time of the call, it must be holding devices.Lock() and
+	// we will block on this lock till cleanup function exits.
+	devices.deletionWorkerTicker.Stop()
+
+	devices.Lock()
+	// Save DeviceSet Metadata first. Docker kills all threads if they
+	// don't finish in certain time. It is possible that Shutdown()
+	// routine does not finish in time as we loop trying to deactivate
+	// some devices while these are busy. In that case shutdown() routine
+	// will be killed and we will not get a chance to save deviceset
+	// metadata. Hence save this early before trying to deactivate devices.
+	devices.saveDeviceSetMetaData()
+	devices.unmountAndDeactivateAll(path.Join(home, "mnt"))
+	devices.Unlock()
+
+	info, _ := devices.lookupDeviceWithLock("")
+	if info != nil {
+		info.lock.Lock()
+		devices.Lock()
+		if err := devices.deactivateDevice(info); err != nil {
+			logger.Debugf("Shutdown deactivate base , error: %s", err)
+		}
+		devices.Unlock()
+		info.lock.Unlock()
+	}
+
+	devices.Lock()
+	if devices.thinPoolDevice == "" {
+		if err := devices.deactivatePool(); err != nil {
+			logger.Debugf("Shutdown deactivate pool , error: %s", err)
+		}
+	}
+	devices.Unlock()
+
+	return nil
+}
+
+// Recent XFS changes allow changing behavior of filesystem in case of errors.
+// When thin pool gets full and XFS gets ENOSPC error, currently it tries
+// IO infinitely and sometimes it can block the container process
+// and process can't be killWith 0 value, XFS will not retry upon error
+// and instead will shutdown filesystem.
+
+func (devices *DeviceSet) xfsSetNospaceRetries(info *devInfo) error {
+	dmDevicePath, err := os.Readlink(info.DevName())
+	if err != nil {
+		return fmt.Errorf("devmapper: readlink failed for device %v:%v", info.DevName(), err)
+	}
+
+	dmDeviceName := path.Base(dmDevicePath)
+	filePath := "/sys/fs/xfs/" + dmDeviceName + "/error/metadata/ENOSPC/max_retries"
+	maxRetriesFile, err := os.OpenFile(filePath, os.O_WRONLY, 0)
+	if err != nil {
+		return fmt.Errorf("devmapper: user specified daemon option dm.xfs_nospace_max_retries but it does not seem to be supported on this system :%v", err)
+	}
+	defer maxRetriesFile.Close()
+
+	// Set max retries to 0
+	_, err = maxRetriesFile.WriteString(devices.xfsNospaceRetries)
+	if err != nil {
+		return fmt.Errorf("devmapper: Failed to write string %v to file %v:%v", devices.xfsNospaceRetries, filePath, err)
+	}
+	return nil
+}
+
+// MountDevice mounts the device if not already mounted.
+func (devices *DeviceSet) MountDevice(hash, path, mountLabel string) error {
+	info, err := devices.lookupDeviceWithLock(hash)
+	if err != nil {
+		return err
+	}
+
+	if info.Deleted {
+		return fmt.Errorf("devmapper: Can't mount device %v as it has been marked for deferred deletion", info.Hash)
+	}
+
+	info.lock.Lock()
+	defer info.lock.Unlock()
+
+	devices.Lock()
+	defer devices.Unlock()
+
+	if err := devices.activateDeviceIfNeeded(info, false); err != nil {
+		return fmt.Errorf("devmapper: Error activating devmapper device for '%s': %s", hash, err)
+	}
+
+	fstype, err := ProbeFsType(info.DevName())
+	if err != nil {
+		return err
+	}
+
+	options := ""
+
+	if fstype == "xfs" {
+		// XFS needs nouuid or it can't mount filesystems with the same fs
+		options = joinMountOptions(options, "nouuid")
+	}
+
+	options = joinMountOptions(options, devices.mountOptions)
+	options = joinMountOptions(options, label.FormatMountLabel("", mountLabel))
+
+	if err := mount.Mount(info.DevName(), path, fstype, options); err != nil {
+		return fmt.Errorf("devmapper: Error mounting '%s' on '%s' (fstype='%s' options='%s'): %s\n%v", info.DevName(), path, fstype, options, err, string(dmesg.Dmesg(256)))
+	}
+
+	if fstype == "xfs" && devices.xfsNospaceRetries != "" {
+		if err := devices.xfsSetNospaceRetries(info); err != nil {
+			unix.Unmount(path, unix.MNT_DETACH)
+			devices.deactivateDevice(info)
+			return err
+		}
+	}
+
+	return nil
+}
+
+// UnmountDevice unmounts the device and removes it from hash.
+func (devices *DeviceSet) UnmountDevice(hash, mountPath string) error {
+	logger := logrus.WithField("storage-driver", "devicemapper")
+
+	logger.Debugf("UnmountDevice START(hash=%s)", hash)
+	defer logger.Debugf("UnmountDevice END(hash=%s)", hash)
+
+	info, err := devices.lookupDeviceWithLock(hash)
+	if err != nil {
+		return err
+	}
+
+	info.lock.Lock()
+	defer info.lock.Unlock()
+
+	devices.Lock()
+	defer devices.Unlock()
+
+	logger.Debugf("Unmount(%s)", mountPath)
+	if err := unix.Unmount(mountPath, unix.MNT_DETACH); err != nil {
+		return err
+	}
+	logger.Debug("Unmount done")
+
+	// Remove the mountpoint here. Removing the mountpoint (in newer kernels)
+	// will cause all other instances of this mount in other mount namespaces
+	// to be killed (this is an anti-DoS measure that is necessary for things
+	// like devicemapper). This is necessary to avoid cases where a libdm mount
+	// that is present in another namespace will cause subsequent RemoveDevice
+	// operations to fail. We ignore any errors here because this may fail on
+	// older kernels which don't have
+	// torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied.
+	if err := os.Remove(mountPath); err != nil {
+		logger.Debugf("error doing a remove on unmounted device %s: %v", mountPath, err)
+	}
+
+	return devices.deactivateDevice(info)
+}
+
+// HasDevice returns true if the device metadata exists.
+func (devices *DeviceSet) HasDevice(hash string) bool {
+	info, _ := devices.lookupDeviceWithLock(hash)
+	return info != nil
+}
+
+// List returns a list of device ids.
+func (devices *DeviceSet) List() []string {
+	devices.Lock()
+	defer devices.Unlock()
+
+	ids := make([]string, len(devices.Devices))
+	i := 0
+	for k := range devices.Devices {
+		ids[i] = k
+		i++
+	}
+	return ids
+}
+
+func (devices *DeviceSet) deviceStatus(devName string) (sizeInSectors, mappedSectors, highestMappedSector uint64, err error) {
+	var params string
+	_, sizeInSectors, _, params, err = devicemapper.GetStatus(devName)
+	if err != nil {
+		return
+	}
+	if _, err = fmt.Sscanf(params, "%d %d", &mappedSectors, &highestMappedSector); err == nil {
+		return
+	}
+	return
+}
+
+// GetDeviceStatus provides size, mapped sectors
+func (devices *DeviceSet) GetDeviceStatus(hash string) (*DevStatus, error) {
+	info, err := devices.lookupDeviceWithLock(hash)
+	if err != nil {
+		return nil, err
+	}
+
+	info.lock.Lock()
+	defer info.lock.Unlock()
+
+	devices.Lock()
+	defer devices.Unlock()
+
+	status := &DevStatus{
+		DeviceID:      info.DeviceID,
+		Size:          info.Size,
+		TransactionID: info.TransactionID,
+	}
+
+	if err := devices.activateDeviceIfNeeded(info, false); err != nil {
+		return nil, fmt.Errorf("devmapper: Error activating devmapper device for '%s': %s", hash, err)
+	}
+
+	sizeInSectors, mappedSectors, highestMappedSector, err := devices.deviceStatus(info.DevName())
+
+	if err != nil {
+		return nil, err
+	}
+
+	status.SizeInSectors = sizeInSectors
+	status.MappedSectors = mappedSectors
+	status.HighestMappedSector = highestMappedSector
+
+	return status, nil
+}
+
+func (devices *DeviceSet) poolStatus() (totalSizeInSectors, transactionID, dataUsed, dataTotal, metadataUsed, metadataTotal uint64, err error) {
+	var params string
+	if _, totalSizeInSectors, _, params, err = devicemapper.GetStatus(devices.getPoolName()); err == nil {
+		_, err = fmt.Sscanf(params, "%d %d/%d %d/%d", &transactionID, &metadataUsed, &metadataTotal, &dataUsed, &dataTotal)
+	}
+	return
+}
+
+// DataDevicePath returns the path to the data storage for this deviceset,
+// regardless of loopback or block device
+func (devices *DeviceSet) DataDevicePath() string {
+	return devices.dataDevice
+}
+
+// MetadataDevicePath returns the path to the metadata storage for this deviceset,
+// regardless of loopback or block device
+func (devices *DeviceSet) MetadataDevicePath() string {
+	return devices.metadataDevice
+}
+
+func (devices *DeviceSet) getUnderlyingAvailableSpace(loopFile string) (uint64, error) {
+	buf := new(unix.Statfs_t)
+	if err := unix.Statfs(loopFile, buf); err != nil {
+		logrus.WithField("storage-driver", "devicemapper").Warnf("Couldn't stat loopfile filesystem %v: %v", loopFile, err)
+		return 0, err
+	}
+	return buf.Bfree * uint64(buf.Bsize), nil
+}
+
+func (devices *DeviceSet) isRealFile(loopFile string) (bool, error) {
+	if loopFile != "" {
+		fi, err := os.Stat(loopFile)
+		if err != nil {
+			logrus.WithField("storage-driver", "devicemapper").Warnf("Couldn't stat loopfile %v: %v", loopFile, err)
+			return false, err
+		}
+		return fi.Mode().IsRegular(), nil
+	}
+	return false, nil
+}
+
+// Status returns the current status of this deviceset
+func (devices *DeviceSet) Status() *Status {
+	devices.Lock()
+	defer devices.Unlock()
+
+	status := &Status{}
+
+	status.PoolName = devices.getPoolName()
+	status.DataFile = devices.DataDevicePath()
+	status.DataLoopback = devices.dataLoopFile
+	status.MetadataFile = devices.MetadataDevicePath()
+	status.MetadataLoopback = devices.metadataLoopFile
+	status.UdevSyncSupported = devicemapper.UdevSyncSupported()
+	status.DeferredRemoveEnabled = devices.deferredRemove
+	status.DeferredDeleteEnabled = devices.deferredDelete
+	status.DeferredDeletedDeviceCount = devices.nrDeletedDevices
+	status.BaseDeviceSize = devices.getBaseDeviceSize()
+	status.BaseDeviceFS = devices.getBaseDeviceFS()
+
+	totalSizeInSectors, _, dataUsed, dataTotal, metadataUsed, metadataTotal, err := devices.poolStatus()
+	if err == nil {
+		// Convert from blocks to bytes
+		blockSizeInSectors := totalSizeInSectors / dataTotal
+
+		status.Data.Used = dataUsed * blockSizeInSectors * 512
+		status.Data.Total = dataTotal * blockSizeInSectors * 512
+		status.Data.Available = status.Data.Total - status.Data.Used
+
+		// metadata blocks are always 4k
+		status.Metadata.Used = metadataUsed * 4096
+		status.Metadata.Total = metadataTotal * 4096
+		status.Metadata.Available = status.Metadata.Total - status.Metadata.Used
+
+		status.SectorSize = blockSizeInSectors * 512
+
+		if check, _ := devices.isRealFile(devices.dataLoopFile); check {
+			actualSpace, err := devices.getUnderlyingAvailableSpace(devices.dataLoopFile)
+			if err == nil && actualSpace < status.Data.Available {
+				status.Data.Available = actualSpace
+			}
+		}
+
+		if check, _ := devices.isRealFile(devices.metadataLoopFile); check {
+			actualSpace, err := devices.getUnderlyingAvailableSpace(devices.metadataLoopFile)
+			if err == nil && actualSpace < status.Metadata.Available {
+				status.Metadata.Available = actualSpace
+			}
+		}
+
+		minFreeData := (dataTotal * uint64(devices.minFreeSpacePercent)) / 100
+		status.MinFreeSpace = minFreeData * blockSizeInSectors * 512
+	}
+
+	return status
+}
+
+// Status returns the current status of this deviceset
+func (devices *DeviceSet) exportDeviceMetadata(hash string) (*deviceMetadata, error) {
+	info, err := devices.lookupDeviceWithLock(hash)
+	if err != nil {
+		return nil, err
+	}
+
+	info.lock.Lock()
+	defer info.lock.Unlock()
+
+	metadata := &deviceMetadata{info.DeviceID, info.Size, info.Name()}
+	return metadata, nil
+}
+
+// NewDeviceSet creates the device set based on the options provided.
+func NewDeviceSet(root string, doInit bool, options []string, uidMaps, gidMaps []idtools.IDMap) (*DeviceSet, error) {
+	devicemapper.SetDevDir("/dev")
+
+	devices := &DeviceSet{
+		root:                  root,
+		metaData:              metaData{Devices: make(map[string]*devInfo)},
+		dataLoopbackSize:      defaultDataLoopbackSize,
+		metaDataLoopbackSize:  defaultMetaDataLoopbackSize,
+		baseFsSize:            defaultBaseFsSize,
+		overrideUdevSyncCheck: defaultUdevSyncOverride,
+		doBlkDiscard:          true,
+		thinpBlockSize:        defaultThinpBlockSize,
+		deviceIDMap:           make([]byte, deviceIDMapSz),
+		deletionWorkerTicker:  time.NewTicker(time.Second * 30),
+		uidMaps:               uidMaps,
+		gidMaps:               gidMaps,
+		minFreeSpacePercent:   defaultMinFreeSpacePercent,
+	}
+
+	version, err := devicemapper.GetDriverVersion()
+	if err != nil {
+		// Can't even get driver version, assume not supported
+		return nil, graphdriver.ErrNotSupported
+	}
+
+	if err := determineDriverCapabilities(version); err != nil {
+		return nil, graphdriver.ErrNotSupported
+	}
+
+	if driverDeferredRemovalSupport && devicemapper.LibraryDeferredRemovalSupport {
+		// enable deferred stuff by default
+		enableDeferredDeletion = true
+		enableDeferredRemoval = true
+	}
+
+	foundBlkDiscard := false
+	var lvmSetupConfig directLVMConfig
+	for _, option := range options {
+		key, val, err := parsers.ParseKeyValueOpt(option)
+		if err != nil {
+			return nil, err
+		}
+		key = strings.ToLower(key)
+		switch key {
+		case "dm.basesize":
+			size, err := units.RAMInBytes(val)
+			if err != nil {
+				return nil, err
+			}
+			userBaseSize = true
+			devices.baseFsSize = uint64(size)
+		case "dm.loopdatasize":
+			size, err := units.RAMInBytes(val)
+			if err != nil {
+				return nil, err
+			}
+			devices.dataLoopbackSize = size
+		case "dm.loopmetadatasize":
+			size, err := units.RAMInBytes(val)
+			if err != nil {
+				return nil, err
+			}
+			devices.metaDataLoopbackSize = size
+		case "dm.fs":
+			if val != "ext4" && val != "xfs" {
+				return nil, fmt.Errorf("devmapper: Unsupported filesystem %s", val)
+			}
+			devices.filesystem = val
+		case "dm.mkfsarg":
+			devices.mkfsArgs = append(devices.mkfsArgs, val)
+		case "dm.mountopt":
+			devices.mountOptions = joinMountOptions(devices.mountOptions, val)
+		case "dm.metadatadev":
+			devices.metadataDevice = val
+		case "dm.datadev":
+			devices.dataDevice = val
+		case "dm.thinpooldev":
+			devices.thinPoolDevice = strings.TrimPrefix(val, "/dev/mapper/")
+		case "dm.blkdiscard":
+			foundBlkDiscard = true
+			devices.doBlkDiscard, err = strconv.ParseBool(val)
+			if err != nil {
+				return nil, err
+			}
+		case "dm.blocksize":
+			size, err := units.RAMInBytes(val)
+			if err != nil {
+				return nil, err
+			}
+			// convert to 512b sectors
+			devices.thinpBlockSize = uint32(size) >> 9
+		case "dm.override_udev_sync_check":
+			devices.overrideUdevSyncCheck, err = strconv.ParseBool(val)
+			if err != nil {
+				return nil, err
+			}
+
+		case "dm.use_deferred_removal":
+			enableDeferredRemoval, err = strconv.ParseBool(val)
+			if err != nil {
+				return nil, err
+			}
+
+		case "dm.use_deferred_deletion":
+			enableDeferredDeletion, err = strconv.ParseBool(val)
+			if err != nil {
+				return nil, err
+			}
+
+		case "dm.min_free_space":
+			if !strings.HasSuffix(val, "%") {
+				return nil, fmt.Errorf("devmapper: Option dm.min_free_space requires %% suffix")
+			}
+
+			valstring := strings.TrimSuffix(val, "%")
+			minFreeSpacePercent, err := strconv.ParseUint(valstring, 10, 32)
+			if err != nil {
+				return nil, err
+			}
+
+			if minFreeSpacePercent >= 100 {
+				return nil, fmt.Errorf("devmapper: Invalid value %v for option dm.min_free_space", val)
+			}
+
+			devices.minFreeSpacePercent = uint32(minFreeSpacePercent)
+		case "dm.xfs_nospace_max_retries":
+			_, err := strconv.ParseUint(val, 10, 64)
+			if err != nil {
+				return nil, err
+			}
+			devices.xfsNospaceRetries = val
+		case "dm.directlvm_device":
+			lvmSetupConfig.Device = val
+		case "dm.directlvm_device_force":
+			lvmSetupConfigForce, err = strconv.ParseBool(val)
+			if err != nil {
+				return nil, err
+			}
+		case "dm.thinp_percent":
+			per, err := strconv.ParseUint(strings.TrimSuffix(val, "%"), 10, 32)
+			if err != nil {
+				return nil, errors.Wrapf(err, "could not parse `dm.thinp_percent=%s`", val)
+			}
+			if per >= 100 {
+				return nil, errors.New("dm.thinp_percent must be greater than 0 and less than 100")
+			}
+			lvmSetupConfig.ThinpPercent = per
+		case "dm.thinp_metapercent":
+			per, err := strconv.ParseUint(strings.TrimSuffix(val, "%"), 10, 32)
+			if err != nil {
+				return nil, errors.Wrapf(err, "could not parse `dm.thinp_metapercent=%s`", val)
+			}
+			if per >= 100 {
+				return nil, errors.New("dm.thinp_metapercent must be greater than 0 and less than 100")
+			}
+			lvmSetupConfig.ThinpMetaPercent = per
+		case "dm.thinp_autoextend_percent":
+			per, err := strconv.ParseUint(strings.TrimSuffix(val, "%"), 10, 32)
+			if err != nil {
+				return nil, errors.Wrapf(err, "could not parse `dm.thinp_autoextend_percent=%s`", val)
+			}
+			if per > 100 {
+				return nil, errors.New("dm.thinp_autoextend_percent must be greater than 0 and less than 100")
+			}
+			lvmSetupConfig.AutoExtendPercent = per
+		case "dm.thinp_autoextend_threshold":
+			per, err := strconv.ParseUint(strings.TrimSuffix(val, "%"), 10, 32)
+			if err != nil {
+				return nil, errors.Wrapf(err, "could not parse `dm.thinp_autoextend_threshold=%s`", val)
+			}
+			if per > 100 {
+				return nil, errors.New("dm.thinp_autoextend_threshold must be greater than 0 and less than 100")
+			}
+			lvmSetupConfig.AutoExtendThreshold = per
+		case "dm.libdm_log_level":
+			level, err := strconv.ParseInt(val, 10, 32)
+			if err != nil {
+				return nil, errors.Wrapf(err, "could not parse `dm.libdm_log_level=%s`", val)
+			}
+			if level < devicemapper.LogLevelFatal || level > devicemapper.LogLevelDebug {
+				return nil, errors.Errorf("dm.libdm_log_level must be in range [%d,%d]", devicemapper.LogLevelFatal, devicemapper.LogLevelDebug)
+			}
+			// Register a new logging callback with the specified level.
+			devicemapper.LogInit(devicemapper.DefaultLogger{
+				Level: int(level),
+			})
+		default:
+			return nil, fmt.Errorf("devmapper: Unknown option %s", key)
+		}
+	}
+
+	if err := validateLVMConfig(lvmSetupConfig); err != nil {
+		return nil, err
+	}
+
+	devices.lvmSetupConfig = lvmSetupConfig
+
+	// By default, don't do blk discard hack on raw devices, its rarely useful and is expensive
+	if !foundBlkDiscard && (devices.dataDevice != "" || devices.thinPoolDevice != "") {
+		devices.doBlkDiscard = false
+	}
+
+	if err := devices.initDevmapper(doInit); err != nil {
+		return nil, err
+	}
+
+	return devices, nil
+}
diff --git a/engine/daemon/graphdriver/devmapper/devmapper_doc.go b/engine/daemon/graphdriver/devmapper/devmapper_doc.go
new file mode 100644
index 00000000..98ff5cf1
--- /dev/null
+++ b/engine/daemon/graphdriver/devmapper/devmapper_doc.go
@@ -0,0 +1,106 @@
+package devmapper // import "github.com/docker/docker/daemon/graphdriver/devmapper"
+
+// Definition of struct dm_task and sub structures (from lvm2)
+//
+// struct dm_ioctl {
+// 	/*
+// 	 * The version number is made up of three parts:
+// 	 * major - no backward or forward compatibility,
+// 	 * minor - only backwards compatible,
+// 	 * patch - both backwards and forwards compatible.
+// 	 *
+// 	 * All clients of the ioctl interface should fill in the
+// 	 * version number of the interface that they were
+// 	 * compiled with.
+// 	 *
+// 	 * All recognized ioctl commands (ie. those that don't
+// 	 * return -ENOTTY) fill out this field, even if the
+// 	 * command failed.
+// 	 */
+// 	uint32_t version[3];	/* in/out */
+// 	uint32_t data_size;	/* total size of data passed in
+// 				 * including this struct */
+
+// 	uint32_t data_start;	/* offset to start of data
+// 				 * relative to start of this struct */
+
+// 	uint32_t target_count;	/* in/out */
+// 	int32_t open_count;	/* out */
+// 	uint32_t flags;		/* in/out */
+
+// 	/*
+// 	 * event_nr holds either the event number (input and output) or the
+// 	 * udev cookie value (input only).
+// 	 * The DM_DEV_WAIT ioctl takes an event number as input.
+// 	 * The DM_SUSPEND, DM_DEV_REMOVE and DM_DEV_RENAME ioctls
+// 	 * use the field as a cookie to return in the DM_COOKIE
+// 	 * variable with the uevents they issue.
+// 	 * For output, the ioctls return the event number, not the cookie.
+// 	 */
+// 	uint32_t event_nr;      	/* in/out */
+// 	uint32_t padding;
+
+// 	uint64_t dev;		/* in/out */
+
+// 	char name[DM_NAME_LEN];	/* device name */
+// 	char uuid[DM_UUID_LEN];	/* unique identifier for
+// 				 * the block device */
+// 	char data[7];		/* padding or data */
+// };
+
+// struct target {
+// 	uint64_t start;
+// 	uint64_t length;
+// 	char *type;
+// 	char *params;
+
+// 	struct target *next;
+// };
+
+// typedef enum {
+// 	DM_ADD_NODE_ON_RESUME, /* add /dev/mapper node with dmsetup resume */
+// 	DM_ADD_NODE_ON_CREATE  /* add /dev/mapper node with dmsetup create */
+// } dm_add_node_t;
+
+// struct dm_task {
+// 	int type;
+// 	char *dev_name;
+// 	char *mangled_dev_name;
+
+// 	struct target *head, *tail;
+
+// 	int read_only;
+// 	uint32_t event_nr;
+// 	int major;
+// 	int minor;
+// 	int allow_default_major_fallback;
+// 	uid_t uid;
+// 	gid_t gid;
+// 	mode_t mode;
+// 	uint32_t read_ahead;
+// 	uint32_t read_ahead_flags;
+// 	union {
+// 		struct dm_ioctl *v4;
+// 	} dmi;
+// 	char *newname;
+// 	char *message;
+// 	char *geometry;
+// 	uint64_t sector;
+// 	int no_flush;
+// 	int no_open_count;
+// 	int skip_lockfs;
+// 	int query_inactive_table;
+// 	int suppress_identical_reload;
+// 	dm_add_node_t add_node;
+// 	uint64_t existing_table_size;
+// 	int cookie_set;
+// 	int new_uuid;
+// 	int secure_data;
+// 	int retry_remove;
+// 	int enable_checks;
+// 	int expected_errno;
+
+// 	char *uuid;
+// 	char *mangled_uuid;
+// };
+//
diff --git a/engine/daemon/graphdriver/devmapper/devmapper_test.go b/engine/daemon/graphdriver/devmapper/devmapper_test.go
new file mode 100644
index 00000000..bda907a5
--- /dev/null
+++ b/engine/daemon/graphdriver/devmapper/devmapper_test.go
@@ -0,0 +1,205 @@
+// +build linux
+
+package devmapper // import "github.com/docker/docker/daemon/graphdriver/devmapper"
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"syscall"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/daemon/graphdriver/graphtest"
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"golang.org/x/sys/unix"
+)
+
+func init() {
+	// Reduce the size of the base fs and loopback for the tests
+	defaultDataLoopbackSize = 300 * 1024 * 1024
+	defaultMetaDataLoopbackSize = 200 * 1024 * 1024
+	defaultBaseFsSize = 300 * 1024 * 1024
+	defaultUdevSyncOverride = true
+	if err := initLoopbacks(); err != nil {
+		panic(err)
+	}
+}
+
+// initLoopbacks ensures that the loopback devices are properly created within
+// the system running the device mapper tests.
+func initLoopbacks() error {
+	statT, err := getBaseLoopStats()
+	if err != nil {
+		return err
+	}
+	// create at least 8 loopback files, ya, that is a good number
+	for i := 0; i < 8; i++ {
+		loopPath := fmt.Sprintf("/dev/loop%d", i)
+		// only create new loopback files if they don't exist
+		if _, err := os.Stat(loopPath); err != nil {
+			if mkerr := syscall.Mknod(loopPath,
+				uint32(statT.Mode|syscall.S_IFBLK), int((7<<8)|(i&0xff)|((i&0xfff00)<<12))); mkerr != nil {
+				return mkerr
+			}
+			os.Chown(loopPath, int(statT.Uid), int(statT.Gid))
+		}
+	}
+	return nil
+}
+
+// getBaseLoopStats inspects /dev/loop0 to collect uid,gid, and mode for the
+// loop0 device on the system.  If it does not exist we assume 0,0,0660 for the
+// stat data
+func getBaseLoopStats() (*syscall.Stat_t, error) {
+	loop0, err := os.Stat("/dev/loop0")
+	if err != nil {
+		if os.IsNotExist(err) {
+			return &syscall.Stat_t{
+				Uid:  0,
+				Gid:  0,
+				Mode: 0660,
+			}, nil
+		}
+		return nil, err
+	}
+	return loop0.Sys().(*syscall.Stat_t), nil
+}
+
+// This avoids creating a new driver for each test if all tests are run
+// Make sure to put new tests between TestDevmapperSetup and TestDevmapperTeardown
+func TestDevmapperSetup(t *testing.T) {
+	graphtest.GetDriver(t, "devicemapper")
+}
+
+func TestDevmapperCreateEmpty(t *testing.T) {
+	graphtest.DriverTestCreateEmpty(t, "devicemapper")
+}
+
+func TestDevmapperCreateBase(t *testing.T) {
+	graphtest.DriverTestCreateBase(t, "devicemapper")
+}
+
+func TestDevmapperCreateSnap(t *testing.T) {
+	graphtest.DriverTestCreateSnap(t, "devicemapper")
+}
+
+func TestDevmapperTeardown(t *testing.T) {
+	graphtest.PutDriver(t)
+}
+
+func TestDevmapperReduceLoopBackSize(t *testing.T) {
+	tenMB := int64(10 * 1024 * 1024)
+	testChangeLoopBackSize(t, -tenMB, defaultDataLoopbackSize, defaultMetaDataLoopbackSize)
+}
+
+func TestDevmapperIncreaseLoopBackSize(t *testing.T) {
+	tenMB := int64(10 * 1024 * 1024)
+	testChangeLoopBackSize(t, tenMB, defaultDataLoopbackSize+tenMB, defaultMetaDataLoopbackSize+tenMB)
+}
+
+func testChangeLoopBackSize(t *testing.T, delta, expectDataSize, expectMetaDataSize int64) {
+	driver := graphtest.GetDriver(t, "devicemapper").(*graphtest.Driver).Driver.(*graphdriver.NaiveDiffDriver).ProtoDriver.(*Driver)
+	defer graphtest.PutDriver(t)
+	// make sure data or metadata loopback size are the default size
+	if s := driver.DeviceSet.Status(); s.Data.Total != uint64(defaultDataLoopbackSize) || s.Metadata.Total != uint64(defaultMetaDataLoopbackSize) {
+		t.Fatal("data or metadata loop back size is incorrect")
+	}
+	if err := driver.Cleanup(); err != nil {
+		t.Fatal(err)
+	}
+	//Reload
+	d, err := Init(driver.home, []string{
+		fmt.Sprintf("dm.loopdatasize=%d", defaultDataLoopbackSize+delta),
+		fmt.Sprintf("dm.loopmetadatasize=%d", defaultMetaDataLoopbackSize+delta),
+	}, nil, nil)
+	if err != nil {
+		t.Fatalf("error creating devicemapper driver: %v", err)
+	}
+	driver = d.(*graphdriver.NaiveDiffDriver).ProtoDriver.(*Driver)
+	if s := driver.DeviceSet.Status(); s.Data.Total != uint64(expectDataSize) || s.Metadata.Total != uint64(expectMetaDataSize) {
+		t.Fatal("data or metadata loop back size is incorrect")
+	}
+	if err := driver.Cleanup(); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Make sure devices.Lock() has been release upon return from cleanupDeletedDevices() function
+func TestDevmapperLockReleasedDeviceDeletion(t *testing.T) {
+	driver := graphtest.GetDriver(t, "devicemapper").(*graphtest.Driver).Driver.(*graphdriver.NaiveDiffDriver).ProtoDriver.(*Driver)
+	defer graphtest.PutDriver(t)
+
+	// Call cleanupDeletedDevices() and after the call take and release
+	// DeviceSet Lock. If lock has not been released, this will hang.
+	driver.DeviceSet.cleanupDeletedDevices()
+
+	doneChan := make(chan bool)
+
+	go func() {
+		driver.DeviceSet.Lock()
+		defer driver.DeviceSet.Unlock()
+		doneChan <- true
+	}()
+
+	select {
+	case <-time.After(time.Second * 5):
+		// Timer expired. That means lock was not released upon
+		// function return and we are deadlocked. Release lock
+		// here so that cleanup could succeed and fail the test.
+		driver.DeviceSet.Unlock()
+		t.Fatal("Could not acquire devices lock after call to cleanupDeletedDevices()")
+	case <-doneChan:
+	}
+}
+
+// Ensure that mounts aren't leakedriver. It's non-trivial for us to test the full
+// reproducer of #34573 in a unit test, but we can at least make sure that a
+// simple command run in a new namespace doesn't break things horribly.
+func TestDevmapperMountLeaks(t *testing.T) {
+	if !kernel.CheckKernelVersion(3, 18, 0) {
+		t.Skipf("kernel version <3.18.0 and so is missing torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe.")
+	}
+
+	driver := graphtest.GetDriver(t, "devicemapper", "dm.use_deferred_removal=false", "dm.use_deferred_deletion=false").(*graphtest.Driver).Driver.(*graphdriver.NaiveDiffDriver).ProtoDriver.(*Driver)
+	defer graphtest.PutDriver(t)
+
+	// We need to create a new (dummy) device.
+	if err := driver.Create("some-layer", "", nil); err != nil {
+		t.Fatalf("setting up some-layer: %v", err)
+	}
+
+	// Mount the device.
+	_, err := driver.Get("some-layer", "")
+	if err != nil {
+		t.Fatalf("mounting some-layer: %v", err)
+	}
+
+	// Create a new subprocess which will inherit our mountpoint, then
+	// intentionally leak it and stick around. We can't do this entirely within
+	// Go because forking and namespaces in Go are really not handled well at
+	// all.
+	cmd := exec.Cmd{
+		Path: "/bin/sh",
+		Args: []string{
+			"/bin/sh", "-c",
+			"mount --make-rprivate / && sleep 1000s",
+		},
+		SysProcAttr: &syscall.SysProcAttr{
+			Unshareflags: syscall.CLONE_NEWNS,
+		},
+	}
+	if err := cmd.Start(); err != nil {
+		t.Fatalf("starting sub-command: %v", err)
+	}
+	defer func() {
+		unix.Kill(cmd.Process.Pid, unix.SIGKILL)
+		cmd.Wait()
+	}()
+
+	// Now try to "drop" the device.
+	if err := driver.Put("some-layer"); err != nil {
+		t.Fatalf("unmounting some-layer: %v", err)
+	}
+}
diff --git a/engine/daemon/graphdriver/devmapper/driver.go b/engine/daemon/graphdriver/devmapper/driver.go
new file mode 100644
index 00000000..df883de3
--- /dev/null
+++ b/engine/daemon/graphdriver/devmapper/driver.go
@@ -0,0 +1,258 @@
+// +build linux
+
+package devmapper // import "github.com/docker/docker/daemon/graphdriver/devmapper"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"strconv"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/devicemapper"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/go-units"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func init() {
+	graphdriver.Register("devicemapper", Init)
+}
+
+// Driver contains the device set mounted and the home directory
+type Driver struct {
+	*DeviceSet
+	home    string
+	uidMaps []idtools.IDMap
+	gidMaps []idtools.IDMap
+	ctr     *graphdriver.RefCounter
+	locker  *locker.Locker
+}
+
+// Init creates a driver with the given home and the set of options.
+func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) {
+	deviceSet, err := NewDeviceSet(home, true, options, uidMaps, gidMaps)
+	if err != nil {
+		return nil, err
+	}
+
+	d := &Driver{
+		DeviceSet: deviceSet,
+		home:      home,
+		uidMaps:   uidMaps,
+		gidMaps:   gidMaps,
+		ctr:       graphdriver.NewRefCounter(graphdriver.NewDefaultChecker()),
+		locker:    locker.New(),
+	}
+
+	return graphdriver.NewNaiveDiffDriver(d, uidMaps, gidMaps), nil
+}
+
+func (d *Driver) String() string {
+	return "devicemapper"
+}
+
+// Status returns the status about the driver in a printable format.
+// Information returned contains Pool Name, Data File, Metadata file, disk usage by
+// the data and metadata, etc.
+func (d *Driver) Status() [][2]string {
+	s := d.DeviceSet.Status()
+
+	status := [][2]string{
+		{"Pool Name", s.PoolName},
+		{"Pool Blocksize", units.HumanSize(float64(s.SectorSize))},
+		{"Base Device Size", units.HumanSize(float64(s.BaseDeviceSize))},
+		{"Backing Filesystem", s.BaseDeviceFS},
+		{"Udev Sync Supported", fmt.Sprintf("%v", s.UdevSyncSupported)},
+	}
+
+	if len(s.DataFile) > 0 {
+		status = append(status, [2]string{"Data file", s.DataFile})
+	}
+	if len(s.MetadataFile) > 0 {
+		status = append(status, [2]string{"Metadata file", s.MetadataFile})
+	}
+	if len(s.DataLoopback) > 0 {
+		status = append(status, [2]string{"Data loop file", s.DataLoopback})
+	}
+	if len(s.MetadataLoopback) > 0 {
+		status = append(status, [2]string{"Metadata loop file", s.MetadataLoopback})
+	}
+
+	status = append(status, [][2]string{
+		{"Data Space Used", units.HumanSize(float64(s.Data.Used))},
+		{"Data Space Total", units.HumanSize(float64(s.Data.Total))},
+		{"Data Space Available", units.HumanSize(float64(s.Data.Available))},
+		{"Metadata Space Used", units.HumanSize(float64(s.Metadata.Used))},
+		{"Metadata Space Total", units.HumanSize(float64(s.Metadata.Total))},
+		{"Metadata Space Available", units.HumanSize(float64(s.Metadata.Available))},
+		{"Thin Pool Minimum Free Space", units.HumanSize(float64(s.MinFreeSpace))},
+		{"Deferred Removal Enabled", fmt.Sprintf("%v", s.DeferredRemoveEnabled)},
+		{"Deferred Deletion Enabled", fmt.Sprintf("%v", s.DeferredDeleteEnabled)},
+		{"Deferred Deleted Device Count", fmt.Sprintf("%v", s.DeferredDeletedDeviceCount)},
+	}...)
+
+	if vStr, err := devicemapper.GetLibraryVersion(); err == nil {
+		status = append(status, [2]string{"Library Version", vStr})
+	}
+	return status
+}
+
+// GetMetadata returns a map of information about the device.
+func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+	m, err := d.DeviceSet.exportDeviceMetadata(id)
+
+	if err != nil {
+		return nil, err
+	}
+
+	metadata := make(map[string]string)
+	metadata["DeviceId"] = strconv.Itoa(m.deviceID)
+	metadata["DeviceSize"] = strconv.FormatUint(m.deviceSize, 10)
+	metadata["DeviceName"] = m.deviceName
+	return metadata, nil
+}
+
+// Cleanup unmounts a device.
+func (d *Driver) Cleanup() error {
+	err := d.DeviceSet.Shutdown(d.home)
+	umountErr := mount.RecursiveUnmount(d.home)
+
+	// in case we have two errors, prefer the one from Shutdown()
+	if err != nil {
+		return err
+	}
+
+	if umountErr != nil {
+		return errors.Wrapf(umountErr, "error unmounting %s", d.home)
+	}
+
+	return nil
+}
+
+// CreateReadWrite creates a layer that is writable for use as a container
+// file system.
+func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error {
+	return d.Create(id, parent, opts)
+}
+
+// Create adds a device with a given id and the parent.
+func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+	var storageOpt map[string]string
+	if opts != nil {
+		storageOpt = opts.StorageOpt
+	}
+	return d.DeviceSet.AddDevice(id, parent, storageOpt)
+}
+
+// Remove removes a device with a given id, unmounts the filesystem, and removes the mount point.
+func (d *Driver) Remove(id string) error {
+	d.locker.Lock(id)
+	defer d.locker.Unlock(id)
+	if !d.DeviceSet.HasDevice(id) {
+		// Consider removing a non-existing device a no-op
+		// This is useful to be able to progress on container removal
+		// if the underlying device has gone away due to earlier errors
+		return nil
+	}
+
+	// This assumes the device has been properly Get/Put:ed and thus is unmounted
+	if err := d.DeviceSet.DeleteDevice(id, false); err != nil {
+		return fmt.Errorf("failed to remove device %s: %v", id, err)
+	}
+
+	// Most probably the mount point is already removed on Put()
+	// (see DeviceSet.UnmountDevice()), but just in case it was not
+	// let's try to remove it here as well, ignoring errors as
+	// an older kernel can return EBUSY if e.g. the mount was leaked
+	// to other mount namespaces. A failure to remove the container's
+	// mount point is not important and should not be treated
+	// as a failure to remove the container.
+	mp := path.Join(d.home, "mnt", id)
+	err := unix.Rmdir(mp)
+	if err != nil && !os.IsNotExist(err) {
+		logrus.WithField("storage-driver", "devicemapper").Warnf("unable to remove mount point %q: %s", mp, err)
+	}
+
+	return nil
+}
+
+// Get mounts a device with given id into the root filesystem
+func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
+	d.locker.Lock(id)
+	defer d.locker.Unlock(id)
+	mp := path.Join(d.home, "mnt", id)
+	rootFs := path.Join(mp, "rootfs")
+	if count := d.ctr.Increment(mp); count > 1 {
+		return containerfs.NewLocalContainerFS(rootFs), nil
+	}
+
+	uid, gid, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
+	if err != nil {
+		d.ctr.Decrement(mp)
+		return nil, err
+	}
+
+	// Create the target directories if they don't exist
+	if err := idtools.MkdirAllAndChown(path.Join(d.home, "mnt"), 0755, idtools.IDPair{UID: uid, GID: gid}); err != nil {
+		d.ctr.Decrement(mp)
+		return nil, err
+	}
+	if err := idtools.MkdirAndChown(mp, 0755, idtools.IDPair{UID: uid, GID: gid}); err != nil && !os.IsExist(err) {
+		d.ctr.Decrement(mp)
+		return nil, err
+	}
+
+	// Mount the device
+	if err := d.DeviceSet.MountDevice(id, mp, mountLabel); err != nil {
+		d.ctr.Decrement(mp)
+		return nil, err
+	}
+
+	if err := idtools.MkdirAllAndChown(rootFs, 0755, idtools.IDPair{UID: uid, GID: gid}); err != nil {
+		d.ctr.Decrement(mp)
+		d.DeviceSet.UnmountDevice(id, mp)
+		return nil, err
+	}
+
+	idFile := path.Join(mp, "id")
+	if _, err := os.Stat(idFile); err != nil && os.IsNotExist(err) {
+		// Create an "id" file with the container/image id in it to help reconstruct this in case
+		// of later problems
+		if err := ioutil.WriteFile(idFile, []byte(id), 0600); err != nil {
+			d.ctr.Decrement(mp)
+			d.DeviceSet.UnmountDevice(id, mp)
+			return nil, err
+		}
+	}
+
+	return containerfs.NewLocalContainerFS(rootFs), nil
+}
+
+// Put unmounts a device and removes it.
+func (d *Driver) Put(id string) error {
+	d.locker.Lock(id)
+	defer d.locker.Unlock(id)
+	mp := path.Join(d.home, "mnt", id)
+	if count := d.ctr.Decrement(mp); count > 0 {
+		return nil
+	}
+
+	err := d.DeviceSet.UnmountDevice(id, mp)
+	if err != nil {
+		logrus.WithField("storage-driver", "devicemapper").Errorf("Error unmounting device %s: %v", id, err)
+	}
+
+	return err
+}
+
+// Exists checks to see if the device exists.
+func (d *Driver) Exists(id string) bool {
+	return d.DeviceSet.HasDevice(id)
+}
diff --git a/engine/daemon/graphdriver/devmapper/mount.go b/engine/daemon/graphdriver/devmapper/mount.go
new file mode 100644
index 00000000..78d05b07
--- /dev/null
+++ b/engine/daemon/graphdriver/devmapper/mount.go
@@ -0,0 +1,66 @@
+// +build linux
+
+package devmapper // import "github.com/docker/docker/daemon/graphdriver/devmapper"
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+)
+
+type probeData struct {
+	fsName string
+	magic  string
+	offset uint64
+}
+
+// ProbeFsType returns the filesystem name for the given device id.
+func ProbeFsType(device string) (string, error) {
+	probes := []probeData{
+		{"btrfs", "_BHRfS_M", 0x10040},
+		{"ext4", "\123\357", 0x438},
+		{"xfs", "XFSB", 0},
+	}
+
+	maxLen := uint64(0)
+	for _, p := range probes {
+		l := p.offset + uint64(len(p.magic))
+		if l > maxLen {
+			maxLen = l
+		}
+	}
+
+	file, err := os.Open(device)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	buffer := make([]byte, maxLen)
+	l, err := file.Read(buffer)
+	if err != nil {
+		return "", err
+	}
+
+	if uint64(l) != maxLen {
+		return "", fmt.Errorf("devmapper: unable to detect filesystem type of %s, short read", device)
+	}
+
+	for _, p := range probes {
+		if bytes.Equal([]byte(p.magic), buffer[p.offset:p.offset+uint64(len(p.magic))]) {
+			return p.fsName, nil
+		}
+	}
+
+	return "", fmt.Errorf("devmapper: Unknown filesystem type on %s", device)
+}
+
+func joinMountOptions(a, b string) string {
+	if a == "" {
+		return b
+	}
+	if b == "" {
+		return a
+	}
+	return a + "," + b
+}
diff --git a/engine/daemon/graphdriver/driver.go b/engine/daemon/graphdriver/driver.go
new file mode 100644
index 00000000..a9e19573
--- /dev/null
+++ b/engine/daemon/graphdriver/driver.go
@@ -0,0 +1,307 @@
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+	"github.com/vbatts/tar-split/tar/storage"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/plugingetter"
+)
+
+// FsMagic unsigned id of the filesystem in use.
+type FsMagic uint32
+
+const (
+	// FsMagicUnsupported is a predefined constant value other than a valid filesystem id.
+	FsMagicUnsupported = FsMagic(0x00000000)
+)
+
+var (
+	// All registered drivers
+	drivers map[string]InitFunc
+)
+
+//CreateOpts contains optional arguments for Create() and CreateReadWrite()
+// methods.
+type CreateOpts struct {
+	MountLabel string
+	StorageOpt map[string]string
+}
+
+// InitFunc initializes the storage driver.
+type InitFunc func(root string, options []string, uidMaps, gidMaps []idtools.IDMap) (Driver, error)
+
+// ProtoDriver defines the basic capabilities of a driver.
+// This interface exists solely to be a minimum set of methods
+// for client code which choose not to implement the entire Driver
+// interface and use the NaiveDiffDriver wrapper constructor.
+//
+// Use of ProtoDriver directly by client code is not recommended.
+type ProtoDriver interface {
+	// String returns a string representation of this driver.
+	String() string
+	// CreateReadWrite creates a new, empty filesystem layer that is ready
+	// to be used as the storage for a container. Additional options can
+	// be passed in opts. parent may be "" and opts may be nil.
+	CreateReadWrite(id, parent string, opts *CreateOpts) error
+	// Create creates a new, empty, filesystem layer with the
+	// specified id and parent and options passed in opts. Parent
+	// may be "" and opts may be nil.
+	Create(id, parent string, opts *CreateOpts) error
+	// Remove attempts to remove the filesystem layer with this id.
+	Remove(id string) error
+	// Get returns the mountpoint for the layered filesystem referred
+	// to by this id. You can optionally specify a mountLabel or "".
+	// Returns the absolute path to the mounted layered filesystem.
+	Get(id, mountLabel string) (fs containerfs.ContainerFS, err error)
+	// Put releases the system resources for the specified id,
+	// e.g, unmounting layered filesystem.
+	Put(id string) error
+	// Exists returns whether a filesystem layer with the specified
+	// ID exists on this driver.
+	Exists(id string) bool
+	// Status returns a set of key-value pairs which give low
+	// level diagnostic status about this driver.
+	Status() [][2]string
+	// Returns a set of key-value pairs which give low level information
+	// about the image/container driver is managing.
+	GetMetadata(id string) (map[string]string, error)
+	// Cleanup performs necessary tasks to release resources
+	// held by the driver, e.g., unmounting all layered filesystems
+	// known to this driver.
+	Cleanup() error
+}
+
+// DiffDriver is the interface to use to implement graph diffs
+type DiffDriver interface {
+	// Diff produces an archive of the changes between the specified
+	// layer and its parent layer which may be "".
+	Diff(id, parent string) (io.ReadCloser, error)
+	// Changes produces a list of changes between the specified layer
+	// and its parent layer. If parent is "", then all changes will be ADD changes.
+	Changes(id, parent string) ([]archive.Change, error)
+	// ApplyDiff extracts the changeset from the given diff into the
+	// layer with the specified id and parent, returning the size of the
+	// new layer in bytes.
+	// The archive.Reader must be an uncompressed stream.
+	ApplyDiff(id, parent string, diff io.Reader) (size int64, err error)
+	// DiffSize calculates the changes between the specified id
+	// and its parent and returns the size in bytes of the changes
+	// relative to its base filesystem directory.
+	DiffSize(id, parent string) (size int64, err error)
+}
+
+// Driver is the interface for layered/snapshot file system drivers.
+type Driver interface {
+	ProtoDriver
+	DiffDriver
+}
+
+// Capabilities defines a list of capabilities a driver may implement.
+// These capabilities are not required; however, they do determine how a
+// graphdriver can be used.
+type Capabilities struct {
+	// Flags that this driver is capable of reproducing exactly equivalent
+	// diffs for read-only layers. If set, clients can rely on the driver
+	// for consistent tar streams, and avoid extra processing to account
+	// for potential differences (eg: the layer store's use of tar-split).
+	ReproducesExactDiffs bool
+}
+
+// CapabilityDriver is the interface for layered file system drivers that
+// can report on their Capabilities.
+type CapabilityDriver interface {
+	Capabilities() Capabilities
+}
+
+// DiffGetterDriver is the interface for layered file system drivers that
+// provide a specialized function for getting file contents for tar-split.
+type DiffGetterDriver interface {
+	Driver
+	// DiffGetter returns an interface to efficiently retrieve the contents
+	// of files in a layer.
+	DiffGetter(id string) (FileGetCloser, error)
+}
+
+// FileGetCloser extends the storage.FileGetter interface with a Close method
+// for cleaning up.
+type FileGetCloser interface {
+	storage.FileGetter
+	// Close cleans up any resources associated with the FileGetCloser.
+	Close() error
+}
+
+// Checker makes checks on specified filesystems.
+type Checker interface {
+	// IsMounted returns true if the provided path is mounted for the specific checker
+	IsMounted(path string) bool
+}
+
+func init() {
+	drivers = make(map[string]InitFunc)
+}
+
+// Register registers an InitFunc for the driver.
+func Register(name string, initFunc InitFunc) error {
+	if _, exists := drivers[name]; exists {
+		return fmt.Errorf("Name already registered %s", name)
+	}
+	drivers[name] = initFunc
+
+	return nil
+}
+
+// GetDriver initializes and returns the registered driver
+func GetDriver(name string, pg plugingetter.PluginGetter, config Options) (Driver, error) {
+	if initFunc, exists := drivers[name]; exists {
+		return initFunc(filepath.Join(config.Root, name), config.DriverOptions, config.UIDMaps, config.GIDMaps)
+	}
+
+	pluginDriver, err := lookupPlugin(name, pg, config)
+	if err == nil {
+		return pluginDriver, nil
+	}
+	logrus.WithError(err).WithField("driver", name).WithField("home-dir", config.Root).Error("Failed to GetDriver graph")
+	return nil, ErrNotSupported
+}
+
+// getBuiltinDriver initializes and returns the registered driver, but does not try to load from plugins
+func getBuiltinDriver(name, home string, options []string, uidMaps, gidMaps []idtools.IDMap) (Driver, error) {
+	if initFunc, exists := drivers[name]; exists {
+		return initFunc(filepath.Join(home, name), options, uidMaps, gidMaps)
+	}
+	logrus.Errorf("Failed to built-in GetDriver graph %s %s", name, home)
+	return nil, ErrNotSupported
+}
+
+// Options is used to initialize a graphdriver
+type Options struct {
+	Root                string
+	DriverOptions       []string
+	UIDMaps             []idtools.IDMap
+	GIDMaps             []idtools.IDMap
+	ExperimentalEnabled bool
+}
+
+// New creates the driver and initializes it at the specified root.
+func New(name string, pg plugingetter.PluginGetter, config Options) (Driver, error) {
+	if name != "" {
+		logrus.Debugf("[graphdriver] trying provided driver: %s", name) // so the logs show specified driver
+		return GetDriver(name, pg, config)
+	}
+
+	// Guess for prior driver
+	driversMap := scanPriorDrivers(config.Root)
+	list := strings.Split(priority, ",")
+	logrus.Debugf("[graphdriver] priority list: %v", list)
+	for _, name := range list {
+		if name == "vfs" {
+			// don't use vfs even if there is state present.
+			continue
+		}
+		if _, prior := driversMap[name]; prior {
+			// of the state found from prior drivers, check in order of our priority
+			// which we would prefer
+			driver, err := getBuiltinDriver(name, config.Root, config.DriverOptions, config.UIDMaps, config.GIDMaps)
+			if err != nil {
+				// unlike below, we will return error here, because there is prior
+				// state, and now it is no longer supported/prereq/compatible, so
+				// something changed and needs attention. Otherwise the daemon's
+				// images would just "disappear".
+				logrus.Errorf("[graphdriver] prior storage driver %s failed: %s", name, err)
+				return nil, err
+			}
+
+			// abort starting when there are other prior configured drivers
+			// to ensure the user explicitly selects the driver to load
+			if len(driversMap)-1 > 0 {
+				var driversSlice []string
+				for name := range driversMap {
+					driversSlice = append(driversSlice, name)
+				}
+
+				return nil, fmt.Errorf("%s contains several valid graphdrivers: %s; Please cleanup or explicitly choose storage driver (-s <DRIVER>)", config.Root, strings.Join(driversSlice, ", "))
+			}
+
+			logrus.Infof("[graphdriver] using prior storage driver: %s", name)
+			return driver, nil
+		}
+	}
+
+	// Check for priority drivers first
+	for _, name := range list {
+		driver, err := getBuiltinDriver(name, config.Root, config.DriverOptions, config.UIDMaps, config.GIDMaps)
+		if err != nil {
+			if IsDriverNotSupported(err) {
+				continue
+			}
+			return nil, err
+		}
+		return driver, nil
+	}
+
+	// Check all registered drivers if no priority driver is found
+	for name, initFunc := range drivers {
+		driver, err := initFunc(filepath.Join(config.Root, name), config.DriverOptions, config.UIDMaps, config.GIDMaps)
+		if err != nil {
+			if IsDriverNotSupported(err) {
+				continue
+			}
+			return nil, err
+		}
+		return driver, nil
+	}
+	return nil, fmt.Errorf("No supported storage backend found")
+}
+
+// scanPriorDrivers returns an un-ordered scan of directories of prior storage drivers
+func scanPriorDrivers(root string) map[string]bool {
+	driversMap := make(map[string]bool)
+
+	for driver := range drivers {
+		p := filepath.Join(root, driver)
+		if _, err := os.Stat(p); err == nil && driver != "vfs" {
+			if !isEmptyDir(p) {
+				driversMap[driver] = true
+			}
+		}
+	}
+	return driversMap
+}
+
+// IsInitialized checks if the driver's home-directory exists and is non-empty.
+func IsInitialized(driverHome string) bool {
+	_, err := os.Stat(driverHome)
+	if os.IsNotExist(err) {
+		return false
+	}
+	if err != nil {
+		logrus.Warnf("graphdriver.IsInitialized: stat failed: %v", err)
+	}
+	return !isEmptyDir(driverHome)
+}
+
+// isEmptyDir checks if a directory is empty. It is used to check if prior
+// storage-driver directories exist. If an error occurs, it also assumes the
+// directory is not empty (which preserves the behavior _before_ this check
+// was added)
+func isEmptyDir(name string) bool {
+	f, err := os.Open(name)
+	if err != nil {
+		return false
+	}
+	defer f.Close()
+
+	if _, err = f.Readdirnames(1); err == io.EOF {
+		return true
+	}
+	return false
+}
diff --git a/engine/daemon/graphdriver/driver_freebsd.go b/engine/daemon/graphdriver/driver_freebsd.go
new file mode 100644
index 00000000..cd83c4e2
--- /dev/null
+++ b/engine/daemon/graphdriver/driver_freebsd.go
@@ -0,0 +1,21 @@
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+import (
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+var (
+	// List of drivers that should be used in an order
+	priority = "zfs"
+)
+
+// Mounted checks if the given path is mounted as the fs type
+func Mounted(fsType FsMagic, mountPath string) (bool, error) {
+	var buf unix.Statfs_t
+	if err := syscall.Statfs(mountPath, &buf); err != nil {
+		return false, err
+	}
+	return FsMagic(buf.Type) == fsType, nil
+}
diff --git a/engine/daemon/graphdriver/driver_linux.go b/engine/daemon/graphdriver/driver_linux.go
new file mode 100644
index 00000000..61c6b24a
--- /dev/null
+++ b/engine/daemon/graphdriver/driver_linux.go
@@ -0,0 +1,124 @@
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+import (
+	"github.com/docker/docker/pkg/mount"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	// FsMagicAufs filesystem id for Aufs
+	FsMagicAufs = FsMagic(0x61756673)
+	// FsMagicBtrfs filesystem id for Btrfs
+	FsMagicBtrfs = FsMagic(0x9123683E)
+	// FsMagicCramfs filesystem id for Cramfs
+	FsMagicCramfs = FsMagic(0x28cd3d45)
+	// FsMagicEcryptfs filesystem id for eCryptfs
+	FsMagicEcryptfs = FsMagic(0xf15f)
+	// FsMagicExtfs filesystem id for Extfs
+	FsMagicExtfs = FsMagic(0x0000EF53)
+	// FsMagicF2fs filesystem id for F2fs
+	FsMagicF2fs = FsMagic(0xF2F52010)
+	// FsMagicGPFS filesystem id for GPFS
+	FsMagicGPFS = FsMagic(0x47504653)
+	// FsMagicJffs2Fs filesystem if for Jffs2Fs
+	FsMagicJffs2Fs = FsMagic(0x000072b6)
+	// FsMagicJfs filesystem id for Jfs
+	FsMagicJfs = FsMagic(0x3153464a)
+	// FsMagicNfsFs filesystem id for NfsFs
+	FsMagicNfsFs = FsMagic(0x00006969)
+	// FsMagicRAMFs filesystem id for RamFs
+	FsMagicRAMFs = FsMagic(0x858458f6)
+	// FsMagicReiserFs filesystem id for ReiserFs
+	FsMagicReiserFs = FsMagic(0x52654973)
+	// FsMagicSmbFs filesystem id for SmbFs
+	FsMagicSmbFs = FsMagic(0x0000517B)
+	// FsMagicSquashFs filesystem id for SquashFs
+	FsMagicSquashFs = FsMagic(0x73717368)
+	// FsMagicTmpFs filesystem id for TmpFs
+	FsMagicTmpFs = FsMagic(0x01021994)
+	// FsMagicVxFS filesystem id for VxFs
+	FsMagicVxFS = FsMagic(0xa501fcf5)
+	// FsMagicXfs filesystem id for Xfs
+	FsMagicXfs = FsMagic(0x58465342)
+	// FsMagicZfs filesystem id for Zfs
+	FsMagicZfs = FsMagic(0x2fc12fc1)
+	// FsMagicOverlay filesystem id for overlay
+	FsMagicOverlay = FsMagic(0x794C7630)
+)
+
+var (
+	// List of drivers that should be used in an order
+	priority = "btrfs,zfs,overlay2,aufs,overlay,devicemapper,vfs"
+
+	// FsNames maps filesystem id to name of the filesystem.
+	FsNames = map[FsMagic]string{
+		FsMagicAufs:        "aufs",
+		FsMagicBtrfs:       "btrfs",
+		FsMagicCramfs:      "cramfs",
+		FsMagicEcryptfs:    "ecryptfs",
+		FsMagicExtfs:       "extfs",
+		FsMagicF2fs:        "f2fs",
+		FsMagicGPFS:        "gpfs",
+		FsMagicJffs2Fs:     "jffs2",
+		FsMagicJfs:         "jfs",
+		FsMagicNfsFs:       "nfs",
+		FsMagicOverlay:     "overlayfs",
+		FsMagicRAMFs:       "ramfs",
+		FsMagicReiserFs:    "reiserfs",
+		FsMagicSmbFs:       "smb",
+		FsMagicSquashFs:    "squashfs",
+		FsMagicTmpFs:       "tmpfs",
+		FsMagicUnsupported: "unsupported",
+		FsMagicVxFS:        "vxfs",
+		FsMagicXfs:         "xfs",
+		FsMagicZfs:         "zfs",
+	}
+)
+
+// GetFSMagic returns the filesystem id given the path.
+func GetFSMagic(rootpath string) (FsMagic, error) {
+	var buf unix.Statfs_t
+	if err := unix.Statfs(rootpath, &buf); err != nil {
+		return 0, err
+	}
+	return FsMagic(buf.Type), nil
+}
+
+// NewFsChecker returns a checker configured for the provided FsMagic
+func NewFsChecker(t FsMagic) Checker {
+	return &fsChecker{
+		t: t,
+	}
+}
+
+type fsChecker struct {
+	t FsMagic
+}
+
+func (c *fsChecker) IsMounted(path string) bool {
+	m, _ := Mounted(c.t, path)
+	return m
+}
+
+// NewDefaultChecker returns a check that parses /proc/mountinfo to check
+// if the specified path is mounted.
+func NewDefaultChecker() Checker {
+	return &defaultChecker{}
+}
+
+type defaultChecker struct {
+}
+
+func (c *defaultChecker) IsMounted(path string) bool {
+	m, _ := mount.Mounted(path)
+	return m
+}
+
+// Mounted checks if the given path is mounted as the fs type
+func Mounted(fsType FsMagic, mountPath string) (bool, error) {
+	var buf unix.Statfs_t
+	if err := unix.Statfs(mountPath, &buf); err != nil {
+		return false, err
+	}
+	return FsMagic(buf.Type) == fsType, nil
+}
diff --git a/engine/daemon/graphdriver/driver_test.go b/engine/daemon/graphdriver/driver_test.go
new file mode 100644
index 00000000..e6f973c3
--- /dev/null
+++ b/engine/daemon/graphdriver/driver_test.go
@@ -0,0 +1,36 @@
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+func TestIsEmptyDir(t *testing.T) {
+	tmp, err := ioutil.TempDir("", "test-is-empty-dir")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmp)
+
+	d := filepath.Join(tmp, "empty-dir")
+	err = os.Mkdir(d, 0755)
+	assert.NilError(t, err)
+	empty := isEmptyDir(d)
+	assert.Check(t, empty)
+
+	d = filepath.Join(tmp, "dir-with-subdir")
+	err = os.MkdirAll(filepath.Join(d, "subdir"), 0755)
+	assert.NilError(t, err)
+	empty = isEmptyDir(d)
+	assert.Check(t, !empty)
+
+	d = filepath.Join(tmp, "dir-with-empty-file")
+	err = os.Mkdir(d, 0755)
+	assert.NilError(t, err)
+	_, err = ioutil.TempFile(d, "file")
+	assert.NilError(t, err)
+	empty = isEmptyDir(d)
+	assert.Check(t, !empty)
+}
diff --git a/engine/daemon/graphdriver/driver_unsupported.go b/engine/daemon/graphdriver/driver_unsupported.go
new file mode 100644
index 00000000..1f2e8f07
--- /dev/null
+++ b/engine/daemon/graphdriver/driver_unsupported.go
@@ -0,0 +1,13 @@
+// +build !linux,!windows,!freebsd
+
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+var (
+	// List of drivers that should be used in an order
+	priority = "unsupported"
+)
+
+// GetFSMagic returns the filesystem id given the path.
+func GetFSMagic(rootpath string) (FsMagic, error) {
+	return FsMagicUnsupported, nil
+}
diff --git a/engine/daemon/graphdriver/driver_windows.go b/engine/daemon/graphdriver/driver_windows.go
new file mode 100644
index 00000000..856b575e
--- /dev/null
+++ b/engine/daemon/graphdriver/driver_windows.go
@@ -0,0 +1,12 @@
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+var (
+	// List of drivers that should be used in order
+	priority = "windowsfilter"
+)
+
+// GetFSMagic returns the filesystem id given the path.
+func GetFSMagic(rootpath string) (FsMagic, error) {
+	// Note it is OK to return FsMagicUnsupported on Windows.
+	return FsMagicUnsupported, nil
+}
diff --git a/engine/daemon/graphdriver/errors.go b/engine/daemon/graphdriver/errors.go
new file mode 100644
index 00000000..96d35445
--- /dev/null
+++ b/engine/daemon/graphdriver/errors.go
@@ -0,0 +1,36 @@
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+const (
+	// ErrNotSupported returned when driver is not supported.
+	ErrNotSupported NotSupportedError = "driver not supported"
+	// ErrPrerequisites returned when driver does not meet prerequisites.
+	ErrPrerequisites NotSupportedError = "prerequisites for driver not satisfied (wrong filesystem?)"
+	// ErrIncompatibleFS returned when file system is not supported.
+	ErrIncompatibleFS NotSupportedError = "backing file system is unsupported for this graph driver"
+)
+
+// ErrUnSupported signals that the graph-driver is not supported on the current configuration
+type ErrUnSupported interface {
+	NotSupported()
+}
+
+// NotSupportedError signals that the graph-driver is not supported on the current configuration
+type NotSupportedError string
+
+func (e NotSupportedError) Error() string {
+	return string(e)
+}
+
+// NotSupported signals that a graph-driver is not supported.
+func (e NotSupportedError) NotSupported() {}
+
+// IsDriverNotSupported returns true if the error initializing
+// the graph driver is a non-supported error.
+func IsDriverNotSupported(err error) bool {
+	switch err.(type) {
+	case ErrUnSupported:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/engine/daemon/graphdriver/fsdiff.go b/engine/daemon/graphdriver/fsdiff.go
new file mode 100644
index 00000000..e1f36850
--- /dev/null
+++ b/engine/daemon/graphdriver/fsdiff.go
@@ -0,0 +1,175 @@
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+import (
+	"io"
+	"time"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/chrootarchive"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// ApplyUncompressedLayer defines the unpack method used by the graph
+	// driver.
+	ApplyUncompressedLayer = chrootarchive.ApplyUncompressedLayer
+)
+
+// NaiveDiffDriver takes a ProtoDriver and adds the
+// capability of the Diffing methods on the local file system,
+// which it may or may not support on its own. See the comment
+// on the exported NewNaiveDiffDriver function below.
+// Notably, the AUFS driver doesn't need to be wrapped like this.
+type NaiveDiffDriver struct {
+	ProtoDriver
+	uidMaps []idtools.IDMap
+	gidMaps []idtools.IDMap
+}
+
+// NewNaiveDiffDriver returns a fully functional driver that wraps the
+// given ProtoDriver and adds the capability of the following methods which
+// it may or may not support on its own:
+//     Diff(id, parent string) (archive.Archive, error)
+//     Changes(id, parent string) ([]archive.Change, error)
+//     ApplyDiff(id, parent string, diff archive.Reader) (size int64, err error)
+//     DiffSize(id, parent string) (size int64, err error)
+func NewNaiveDiffDriver(driver ProtoDriver, uidMaps, gidMaps []idtools.IDMap) Driver {
+	return &NaiveDiffDriver{ProtoDriver: driver,
+		uidMaps: uidMaps,
+		gidMaps: gidMaps}
+}
+
+// Diff produces an archive of the changes between the specified
+// layer and its parent layer which may be "".
+func (gdw *NaiveDiffDriver) Diff(id, parent string) (arch io.ReadCloser, err error) {
+	startTime := time.Now()
+	driver := gdw.ProtoDriver
+
+	layerRootFs, err := driver.Get(id, "")
+	if err != nil {
+		return nil, err
+	}
+	layerFs := layerRootFs.Path()
+
+	defer func() {
+		if err != nil {
+			driver.Put(id)
+		}
+	}()
+
+	if parent == "" {
+		archive, err := archive.Tar(layerFs, archive.Uncompressed)
+		if err != nil {
+			return nil, err
+		}
+		return ioutils.NewReadCloserWrapper(archive, func() error {
+			err := archive.Close()
+			driver.Put(id)
+			return err
+		}), nil
+	}
+
+	parentRootFs, err := driver.Get(parent, "")
+	if err != nil {
+		return nil, err
+	}
+	defer driver.Put(parent)
+
+	parentFs := parentRootFs.Path()
+
+	changes, err := archive.ChangesDirs(layerFs, parentFs)
+	if err != nil {
+		return nil, err
+	}
+
+	archive, err := archive.ExportChanges(layerFs, changes, gdw.uidMaps, gdw.gidMaps)
+	if err != nil {
+		return nil, err
+	}
+
+	return ioutils.NewReadCloserWrapper(archive, func() error {
+		err := archive.Close()
+		driver.Put(id)
+
+		// NaiveDiffDriver compares file metadata with parent layers. Parent layers
+		// are extracted from tar's with full second precision on modified time.
+		// We need this hack here to make sure calls within same second receive
+		// correct result.
+		time.Sleep(time.Until(startTime.Truncate(time.Second).Add(time.Second)))
+		return err
+	}), nil
+}
+
+// Changes produces a list of changes between the specified layer
+// and its parent layer. If parent is "", then all changes will be ADD changes.
+func (gdw *NaiveDiffDriver) Changes(id, parent string) ([]archive.Change, error) {
+	driver := gdw.ProtoDriver
+
+	layerRootFs, err := driver.Get(id, "")
+	if err != nil {
+		return nil, err
+	}
+	defer driver.Put(id)
+
+	layerFs := layerRootFs.Path()
+	parentFs := ""
+
+	if parent != "" {
+		parentRootFs, err := driver.Get(parent, "")
+		if err != nil {
+			return nil, err
+		}
+		defer driver.Put(parent)
+		parentFs = parentRootFs.Path()
+	}
+
+	return archive.ChangesDirs(layerFs, parentFs)
+}
+
+// ApplyDiff extracts the changeset from the given diff into the
+// layer with the specified id and parent, returning the size of the
+// new layer in bytes.
+func (gdw *NaiveDiffDriver) ApplyDiff(id, parent string, diff io.Reader) (size int64, err error) {
+	driver := gdw.ProtoDriver
+
+	// Mount the root filesystem so we can apply the diff/layer.
+	layerRootFs, err := driver.Get(id, "")
+	if err != nil {
+		return
+	}
+	defer driver.Put(id)
+
+	layerFs := layerRootFs.Path()
+	options := &archive.TarOptions{UIDMaps: gdw.uidMaps,
+		GIDMaps: gdw.gidMaps}
+	start := time.Now().UTC()
+	logrus.Debug("Start untar layer")
+	if size, err = ApplyUncompressedLayer(layerFs, diff, options); err != nil {
+		return
+	}
+	logrus.Debugf("Untar time: %vs", time.Now().UTC().Sub(start).Seconds())
+
+	return
+}
+
+// DiffSize calculates the changes between the specified layer
+// and its parent and returns the size in bytes of the changes
+// relative to its base filesystem directory.
+func (gdw *NaiveDiffDriver) DiffSize(id, parent string) (size int64, err error) {
+	driver := gdw.ProtoDriver
+
+	changes, err := gdw.Changes(id, parent)
+	if err != nil {
+		return
+	}
+
+	layerFs, err := driver.Get(id, "")
+	if err != nil {
+		return
+	}
+	defer driver.Put(id)
+
+	return archive.ChangesSize(layerFs.Path(), changes), nil
+}
diff --git a/engine/daemon/graphdriver/graphtest/graphbench_unix.go b/engine/daemon/graphdriver/graphtest/graphbench_unix.go
new file mode 100644
index 00000000..22de8d17
--- /dev/null
+++ b/engine/daemon/graphdriver/graphtest/graphbench_unix.go
@@ -0,0 +1,257 @@
+// +build linux freebsd
+
+package graphtest // import "github.com/docker/docker/daemon/graphdriver/graphtest"
+
+import (
+	"io"
+	"io/ioutil"
+	"testing"
+
+	contdriver "github.com/containerd/continuity/driver"
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+)
+
+// DriverBenchExists benchmarks calls to exist
+func DriverBenchExists(b *testing.B, drivername string, driveroptions ...string) {
+	driver := GetDriver(b, drivername, driveroptions...)
+	defer PutDriver(b)
+
+	base := stringid.GenerateRandomID()
+
+	if err := driver.Create(base, "", nil); err != nil {
+		b.Fatal(err)
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		if !driver.Exists(base) {
+			b.Fatal("Newly created image doesn't exist")
+		}
+	}
+}
+
+// DriverBenchGetEmpty benchmarks calls to get on an empty layer
+func DriverBenchGetEmpty(b *testing.B, drivername string, driveroptions ...string) {
+	driver := GetDriver(b, drivername, driveroptions...)
+	defer PutDriver(b)
+
+	base := stringid.GenerateRandomID()
+
+	if err := driver.Create(base, "", nil); err != nil {
+		b.Fatal(err)
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, err := driver.Get(base, "")
+		b.StopTimer()
+		if err != nil {
+			b.Fatalf("Error getting mount: %s", err)
+		}
+		if err := driver.Put(base); err != nil {
+			b.Fatalf("Error putting mount: %s", err)
+		}
+		b.StartTimer()
+	}
+}
+
+// DriverBenchDiffBase benchmarks calls to diff on a root layer
+func DriverBenchDiffBase(b *testing.B, drivername string, driveroptions ...string) {
+	driver := GetDriver(b, drivername, driveroptions...)
+	defer PutDriver(b)
+
+	base := stringid.GenerateRandomID()
+	if err := driver.Create(base, "", nil); err != nil {
+		b.Fatal(err)
+	}
+
+	if err := addFiles(driver, base, 3); err != nil {
+		b.Fatal(err)
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		arch, err := driver.Diff(base, "")
+		if err != nil {
+			b.Fatal(err)
+		}
+		_, err = io.Copy(ioutil.Discard, arch)
+		if err != nil {
+			b.Fatalf("Error copying archive: %s", err)
+		}
+		arch.Close()
+	}
+}
+
+// DriverBenchDiffN benchmarks calls to diff on two layers with
+// a provided number of files on the lower and upper layers.
+func DriverBenchDiffN(b *testing.B, bottom, top int, drivername string, driveroptions ...string) {
+	driver := GetDriver(b, drivername, driveroptions...)
+	defer PutDriver(b)
+	base := stringid.GenerateRandomID()
+	upper := stringid.GenerateRandomID()
+	if err := driver.Create(base, "", nil); err != nil {
+		b.Fatal(err)
+	}
+
+	if err := addManyFiles(driver, base, bottom, 3); err != nil {
+		b.Fatal(err)
+	}
+
+	if err := driver.Create(upper, base, nil); err != nil {
+		b.Fatal(err)
+	}
+
+	if err := addManyFiles(driver, upper, top, 6); err != nil {
+		b.Fatal(err)
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		arch, err := driver.Diff(upper, "")
+		if err != nil {
+			b.Fatal(err)
+		}
+		_, err = io.Copy(ioutil.Discard, arch)
+		if err != nil {
+			b.Fatalf("Error copying archive: %s", err)
+		}
+		arch.Close()
+	}
+}
+
+// DriverBenchDiffApplyN benchmarks calls to diff and apply together
+func DriverBenchDiffApplyN(b *testing.B, fileCount int, drivername string, driveroptions ...string) {
+	driver := GetDriver(b, drivername, driveroptions...)
+	defer PutDriver(b)
+	base := stringid.GenerateRandomID()
+	upper := stringid.GenerateRandomID()
+	if err := driver.Create(base, "", nil); err != nil {
+		b.Fatal(err)
+	}
+
+	if err := addManyFiles(driver, base, fileCount, 3); err != nil {
+		b.Fatal(err)
+	}
+
+	if err := driver.Create(upper, base, nil); err != nil {
+		b.Fatal(err)
+	}
+
+	if err := addManyFiles(driver, upper, fileCount, 6); err != nil {
+		b.Fatal(err)
+	}
+	diffSize, err := driver.DiffSize(upper, "")
+	if err != nil {
+		b.Fatal(err)
+	}
+	b.ResetTimer()
+	b.StopTimer()
+	for i := 0; i < b.N; i++ {
+		diff := stringid.GenerateRandomID()
+		if err := driver.Create(diff, base, nil); err != nil {
+			b.Fatal(err)
+		}
+
+		if err := checkManyFiles(driver, diff, fileCount, 3); err != nil {
+			b.Fatal(err)
+		}
+
+		b.StartTimer()
+
+		arch, err := driver.Diff(upper, "")
+		if err != nil {
+			b.Fatal(err)
+		}
+
+		applyDiffSize, err := driver.ApplyDiff(diff, "", arch)
+		if err != nil {
+			b.Fatal(err)
+		}
+
+		b.StopTimer()
+		arch.Close()
+
+		if applyDiffSize != diffSize {
+			// TODO: enforce this
+			//b.Fatalf("Apply diff size different, got %d, expected %s", applyDiffSize, diffSize)
+		}
+		if err := checkManyFiles(driver, diff, fileCount, 6); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+// DriverBenchDeepLayerDiff benchmarks calls to diff on top of a given number of layers.
+func DriverBenchDeepLayerDiff(b *testing.B, layerCount int, drivername string, driveroptions ...string) {
+	driver := GetDriver(b, drivername, driveroptions...)
+	defer PutDriver(b)
+
+	base := stringid.GenerateRandomID()
+	if err := driver.Create(base, "", nil); err != nil {
+		b.Fatal(err)
+	}
+
+	if err := addFiles(driver, base, 50); err != nil {
+		b.Fatal(err)
+	}
+
+	topLayer, err := addManyLayers(driver, base, layerCount)
+	if err != nil {
+		b.Fatal(err)
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		arch, err := driver.Diff(topLayer, "")
+		if err != nil {
+			b.Fatal(err)
+		}
+		_, err = io.Copy(ioutil.Discard, arch)
+		if err != nil {
+			b.Fatalf("Error copying archive: %s", err)
+		}
+		arch.Close()
+	}
+}
+
+// DriverBenchDeepLayerRead benchmarks calls to read a file under a given number of layers.
+func DriverBenchDeepLayerRead(b *testing.B, layerCount int, drivername string, driveroptions ...string) {
+	driver := GetDriver(b, drivername, driveroptions...)
+	defer PutDriver(b)
+
+	base := stringid.GenerateRandomID()
+	if err := driver.Create(base, "", nil); err != nil {
+		b.Fatal(err)
+	}
+
+	content := []byte("test content")
+	if err := addFile(driver, base, "testfile.txt", content); err != nil {
+		b.Fatal(err)
+	}
+
+	topLayer, err := addManyLayers(driver, base, layerCount)
+	if err != nil {
+		b.Fatal(err)
+	}
+
+	root, err := driver.Get(topLayer, "")
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer driver.Put(topLayer)
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+
+		// Read content
+		c, err := contdriver.ReadFile(root, root.Join(root.Path(), "testfile.txt"))
+		if err != nil {
+			b.Fatal(err)
+		}
+
+		b.StopTimer()
+		assert.DeepEqual(b, content, c)
+		b.StartTimer()
+	}
+}
diff --git a/engine/daemon/graphdriver/graphtest/graphtest_unix.go b/engine/daemon/graphdriver/graphtest/graphtest_unix.go
new file mode 100644
index 00000000..e83d0bb2
--- /dev/null
+++ b/engine/daemon/graphdriver/graphtest/graphtest_unix.go
@@ -0,0 +1,352 @@
+// +build linux freebsd
+
+package graphtest // import "github.com/docker/docker/daemon/graphdriver/graphtest"
+
+import (
+	"bytes"
+	"io/ioutil"
+	"math/rand"
+	"os"
+	"path"
+	"reflect"
+	"testing"
+	"unsafe"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/daemon/graphdriver/quota"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/go-units"
+	"golang.org/x/sys/unix"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+var (
+	drv *Driver
+)
+
+// Driver conforms to graphdriver.Driver interface and
+// contains information such as root and reference count of the number of clients using it.
+// This helps in testing drivers added into the framework.
+type Driver struct {
+	graphdriver.Driver
+	root     string
+	refCount int
+}
+
+func newDriver(t testing.TB, name string, options []string) *Driver {
+	root, err := ioutil.TempDir("", "docker-graphtest-")
+	assert.NilError(t, err)
+
+	assert.NilError(t, os.MkdirAll(root, 0755))
+	d, err := graphdriver.GetDriver(name, nil, graphdriver.Options{DriverOptions: options, Root: root})
+	if err != nil {
+		t.Logf("graphdriver: %v\n", err)
+		if graphdriver.IsDriverNotSupported(err) {
+			t.Skipf("Driver %s not supported", name)
+		}
+		t.Fatal(err)
+	}
+	return &Driver{d, root, 1}
+}
+
+func cleanup(t testing.TB, d *Driver) {
+	if err := drv.Cleanup(); err != nil {
+		t.Fatal(err)
+	}
+	os.RemoveAll(d.root)
+}
+
+// GetDriver create a new driver with given name or return an existing driver with the name updating the reference count.
+func GetDriver(t testing.TB, name string, options ...string) graphdriver.Driver {
+	if drv == nil {
+		drv = newDriver(t, name, options)
+	} else {
+		drv.refCount++
+	}
+	return drv
+}
+
+// PutDriver removes the driver if it is no longer used and updates the reference count.
+func PutDriver(t testing.TB) {
+	if drv == nil {
+		t.Skip("No driver to put!")
+	}
+	drv.refCount--
+	if drv.refCount == 0 {
+		cleanup(t, drv)
+		drv = nil
+	}
+}
+
+// DriverTestCreateEmpty creates a new image and verifies it is empty and the right metadata
+func DriverTestCreateEmpty(t testing.TB, drivername string, driverOptions ...string) {
+	driver := GetDriver(t, drivername, driverOptions...)
+	defer PutDriver(t)
+
+	err := driver.Create("empty", "", nil)
+	assert.NilError(t, err)
+
+	defer func() {
+		assert.NilError(t, driver.Remove("empty"))
+	}()
+
+	if !driver.Exists("empty") {
+		t.Fatal("Newly created image doesn't exist")
+	}
+
+	dir, err := driver.Get("empty", "")
+	assert.NilError(t, err)
+
+	verifyFile(t, dir.Path(), 0755|os.ModeDir, 0, 0)
+
+	// Verify that the directory is empty
+	fis, err := readDir(dir, dir.Path())
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(fis, 0))
+
+	driver.Put("empty")
+}
+
+// DriverTestCreateBase create a base driver and verify.
+func DriverTestCreateBase(t testing.TB, drivername string, driverOptions ...string) {
+	driver := GetDriver(t, drivername, driverOptions...)
+	defer PutDriver(t)
+
+	createBase(t, driver, "Base")
+	defer func() {
+		assert.NilError(t, driver.Remove("Base"))
+	}()
+	verifyBase(t, driver, "Base")
+}
+
+// DriverTestCreateSnap Create a driver and snap and verify.
+func DriverTestCreateSnap(t testing.TB, drivername string, driverOptions ...string) {
+	driver := GetDriver(t, drivername, driverOptions...)
+	defer PutDriver(t)
+
+	createBase(t, driver, "Base")
+	defer func() {
+		assert.NilError(t, driver.Remove("Base"))
+	}()
+
+	err := driver.Create("Snap", "Base", nil)
+	assert.NilError(t, err)
+	defer func() {
+		assert.NilError(t, driver.Remove("Snap"))
+	}()
+
+	verifyBase(t, driver, "Snap")
+}
+
+// DriverTestDeepLayerRead reads a file from a lower layer under a given number of layers
+func DriverTestDeepLayerRead(t testing.TB, layerCount int, drivername string, driverOptions ...string) {
+	driver := GetDriver(t, drivername, driverOptions...)
+	defer PutDriver(t)
+
+	base := stringid.GenerateRandomID()
+	if err := driver.Create(base, "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	content := []byte("test content")
+	if err := addFile(driver, base, "testfile.txt", content); err != nil {
+		t.Fatal(err)
+	}
+
+	topLayer, err := addManyLayers(driver, base, layerCount)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = checkManyLayers(driver, topLayer, layerCount)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := checkFile(driver, topLayer, "testfile.txt", content); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// DriverTestDiffApply tests diffing and applying produces the same layer
+func DriverTestDiffApply(t testing.TB, fileCount int, drivername string, driverOptions ...string) {
+	driver := GetDriver(t, drivername, driverOptions...)
+	defer PutDriver(t)
+	base := stringid.GenerateRandomID()
+	upper := stringid.GenerateRandomID()
+	deleteFile := "file-remove.txt"
+	deleteFileContent := []byte("This file should get removed in upper!")
+	deleteDir := "var/lib"
+
+	if err := driver.Create(base, "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := addManyFiles(driver, base, fileCount, 3); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := addFile(driver, base, deleteFile, deleteFileContent); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := addDirectory(driver, base, deleteDir); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := driver.Create(upper, base, nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := addManyFiles(driver, upper, fileCount, 6); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := removeAll(driver, upper, deleteFile, deleteDir); err != nil {
+		t.Fatal(err)
+	}
+
+	diffSize, err := driver.DiffSize(upper, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	diff := stringid.GenerateRandomID()
+	if err := driver.Create(diff, base, nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := checkManyFiles(driver, diff, fileCount, 3); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := checkFile(driver, diff, deleteFile, deleteFileContent); err != nil {
+		t.Fatal(err)
+	}
+
+	arch, err := driver.Diff(upper, base)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	buf := bytes.NewBuffer(nil)
+	if _, err := buf.ReadFrom(arch); err != nil {
+		t.Fatal(err)
+	}
+	if err := arch.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	applyDiffSize, err := driver.ApplyDiff(diff, base, bytes.NewReader(buf.Bytes()))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if applyDiffSize != diffSize {
+		t.Fatalf("Apply diff size different, got %d, expected %d", applyDiffSize, diffSize)
+	}
+
+	if err := checkManyFiles(driver, diff, fileCount, 6); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := checkFileRemoved(driver, diff, deleteFile); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := checkFileRemoved(driver, diff, deleteDir); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// DriverTestChanges tests computed changes on a layer matches changes made
+func DriverTestChanges(t testing.TB, drivername string, driverOptions ...string) {
+	driver := GetDriver(t, drivername, driverOptions...)
+	defer PutDriver(t)
+	base := stringid.GenerateRandomID()
+	upper := stringid.GenerateRandomID()
+	if err := driver.Create(base, "", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := addManyFiles(driver, base, 20, 3); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := driver.Create(upper, base, nil); err != nil {
+		t.Fatal(err)
+	}
+
+	expectedChanges, err := changeManyFiles(driver, upper, 20, 6)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	changes, err := driver.Changes(upper, base)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err = checkChanges(expectedChanges, changes); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func writeRandomFile(path string, size uint64) error {
+	buf := make([]int64, size/8)
+
+	r := rand.NewSource(0)
+	for i := range buf {
+		buf[i] = r.Int63()
+	}
+
+	// Cast to []byte
+	header := *(*reflect.SliceHeader)(unsafe.Pointer(&buf))
+	header.Len *= 8
+	header.Cap *= 8
+	data := *(*[]byte)(unsafe.Pointer(&header))
+
+	return ioutil.WriteFile(path, data, 0700)
+}
+
+// DriverTestSetQuota Create a driver and test setting quota.
+func DriverTestSetQuota(t *testing.T, drivername string, required bool) {
+	driver := GetDriver(t, drivername)
+	defer PutDriver(t)
+
+	createBase(t, driver, "Base")
+	createOpts := &graphdriver.CreateOpts{}
+	createOpts.StorageOpt = make(map[string]string, 1)
+	createOpts.StorageOpt["size"] = "50M"
+	layerName := drivername + "Test"
+	if err := driver.CreateReadWrite(layerName, "Base", createOpts); err == quota.ErrQuotaNotSupported && !required {
+		t.Skipf("Quota not supported on underlying filesystem: %v", err)
+	} else if err != nil {
+		t.Fatal(err)
+	}
+
+	mountPath, err := driver.Get(layerName, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	quota := uint64(50 * units.MiB)
+
+	// Try to write a file smaller than quota, and ensure it works
+	err = writeRandomFile(path.Join(mountPath.Path(), "smallfile"), quota/2)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.Remove(path.Join(mountPath.Path(), "smallfile"))
+
+	// Try to write a file bigger than quota. We've already filled up half the quota, so hitting the limit should be easy
+	err = writeRandomFile(path.Join(mountPath.Path(), "bigfile"), quota)
+	if err == nil {
+		t.Fatalf("expected write to fail(), instead had success")
+	}
+	if pathError, ok := err.(*os.PathError); ok && pathError.Err != unix.EDQUOT && pathError.Err != unix.ENOSPC {
+		os.Remove(path.Join(mountPath.Path(), "bigfile"))
+		t.Fatalf("expect write() to fail with %v or %v, got %v", unix.EDQUOT, unix.ENOSPC, pathError.Err)
+	}
+}
diff --git a/engine/daemon/graphdriver/graphtest/graphtest_windows.go b/engine/daemon/graphdriver/graphtest/graphtest_windows.go
new file mode 100644
index 00000000..c6a03f34
--- /dev/null
+++ b/engine/daemon/graphdriver/graphtest/graphtest_windows.go
@@ -0,0 +1 @@
+package graphtest // import "github.com/docker/docker/daemon/graphdriver/graphtest"
diff --git a/engine/daemon/graphdriver/graphtest/testutil.go b/engine/daemon/graphdriver/graphtest/testutil.go
new file mode 100644
index 00000000..258aba70
--- /dev/null
+++ b/engine/daemon/graphdriver/graphtest/testutil.go
@@ -0,0 +1,337 @@
+package graphtest // import "github.com/docker/docker/daemon/graphdriver/graphtest"
+
+import (
+	"bytes"
+	"fmt"
+	"math/rand"
+	"os"
+	"sort"
+
+	"github.com/containerd/continuity/driver"
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/stringid"
+)
+
+func randomContent(size int, seed int64) []byte {
+	s := rand.NewSource(seed)
+	content := make([]byte, size)
+
+	for i := 0; i < len(content); i += 7 {
+		val := s.Int63()
+		for j := 0; i+j < len(content) && j < 7; j++ {
+			content[i+j] = byte(val)
+			val >>= 8
+		}
+	}
+
+	return content
+}
+
+func addFiles(drv graphdriver.Driver, layer string, seed int64) error {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return err
+	}
+	defer drv.Put(layer)
+
+	if err := driver.WriteFile(root, root.Join(root.Path(), "file-a"), randomContent(64, seed), 0755); err != nil {
+		return err
+	}
+	if err := root.MkdirAll(root.Join(root.Path(), "dir-b"), 0755); err != nil {
+		return err
+	}
+	if err := driver.WriteFile(root, root.Join(root.Path(), "dir-b", "file-b"), randomContent(128, seed+1), 0755); err != nil {
+		return err
+	}
+
+	return driver.WriteFile(root, root.Join(root.Path(), "file-c"), randomContent(128*128, seed+2), 0755)
+}
+
+func checkFile(drv graphdriver.Driver, layer, filename string, content []byte) error {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return err
+	}
+	defer drv.Put(layer)
+
+	fileContent, err := driver.ReadFile(root, root.Join(root.Path(), filename))
+	if err != nil {
+		return err
+	}
+
+	if !bytes.Equal(fileContent, content) {
+		return fmt.Errorf("mismatched file content %v, expecting %v", fileContent, content)
+	}
+
+	return nil
+}
+
+func addFile(drv graphdriver.Driver, layer, filename string, content []byte) error {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return err
+	}
+	defer drv.Put(layer)
+
+	return driver.WriteFile(root, root.Join(root.Path(), filename), content, 0755)
+}
+
+func addDirectory(drv graphdriver.Driver, layer, dir string) error {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return err
+	}
+	defer drv.Put(layer)
+
+	return root.MkdirAll(root.Join(root.Path(), dir), 0755)
+}
+
+func removeAll(drv graphdriver.Driver, layer string, names ...string) error {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return err
+	}
+	defer drv.Put(layer)
+
+	for _, filename := range names {
+		if err := root.RemoveAll(root.Join(root.Path(), filename)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func checkFileRemoved(drv graphdriver.Driver, layer, filename string) error {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return err
+	}
+	defer drv.Put(layer)
+
+	if _, err := root.Stat(root.Join(root.Path(), filename)); err == nil {
+		return fmt.Errorf("file still exists: %s", root.Join(root.Path(), filename))
+	} else if !os.IsNotExist(err) {
+		return err
+	}
+
+	return nil
+}
+
+func addManyFiles(drv graphdriver.Driver, layer string, count int, seed int64) error {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return err
+	}
+	defer drv.Put(layer)
+
+	for i := 0; i < count; i += 100 {
+		dir := root.Join(root.Path(), fmt.Sprintf("directory-%d", i))
+		if err := root.MkdirAll(dir, 0755); err != nil {
+			return err
+		}
+		for j := 0; i+j < count && j < 100; j++ {
+			file := root.Join(dir, fmt.Sprintf("file-%d", i+j))
+			if err := driver.WriteFile(root, file, randomContent(64, seed+int64(i+j)), 0755); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func changeManyFiles(drv graphdriver.Driver, layer string, count int, seed int64) ([]archive.Change, error) {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return nil, err
+	}
+	defer drv.Put(layer)
+
+	var changes []archive.Change
+	for i := 0; i < count; i += 100 {
+		archiveRoot := fmt.Sprintf("/directory-%d", i)
+		if err := root.MkdirAll(root.Join(root.Path(), archiveRoot), 0755); err != nil {
+			return nil, err
+		}
+		for j := 0; i+j < count && j < 100; j++ {
+			if j == 0 {
+				changes = append(changes, archive.Change{
+					Path: archiveRoot,
+					Kind: archive.ChangeModify,
+				})
+			}
+			var change archive.Change
+			switch j % 3 {
+			// Update file
+			case 0:
+				change.Path = root.Join(archiveRoot, fmt.Sprintf("file-%d", i+j))
+				change.Kind = archive.ChangeModify
+				if err := driver.WriteFile(root, root.Join(root.Path(), change.Path), randomContent(64, seed+int64(i+j)), 0755); err != nil {
+					return nil, err
+				}
+			// Add file
+			case 1:
+				change.Path = root.Join(archiveRoot, fmt.Sprintf("file-%d-%d", seed, i+j))
+				change.Kind = archive.ChangeAdd
+				if err := driver.WriteFile(root, root.Join(root.Path(), change.Path), randomContent(64, seed+int64(i+j)), 0755); err != nil {
+					return nil, err
+				}
+			// Remove file
+			case 2:
+				change.Path = root.Join(archiveRoot, fmt.Sprintf("file-%d", i+j))
+				change.Kind = archive.ChangeDelete
+				if err := root.Remove(root.Join(root.Path(), change.Path)); err != nil {
+					return nil, err
+				}
+			}
+			changes = append(changes, change)
+		}
+	}
+
+	return changes, nil
+}
+
+func checkManyFiles(drv graphdriver.Driver, layer string, count int, seed int64) error {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return err
+	}
+	defer drv.Put(layer)
+
+	for i := 0; i < count; i += 100 {
+		dir := root.Join(root.Path(), fmt.Sprintf("directory-%d", i))
+		for j := 0; i+j < count && j < 100; j++ {
+			file := root.Join(dir, fmt.Sprintf("file-%d", i+j))
+			fileContent, err := driver.ReadFile(root, file)
+			if err != nil {
+				return err
+			}
+
+			content := randomContent(64, seed+int64(i+j))
+
+			if !bytes.Equal(fileContent, content) {
+				return fmt.Errorf("mismatched file content %v, expecting %v", fileContent, content)
+			}
+		}
+	}
+
+	return nil
+}
+
+type changeList []archive.Change
+
+func (c changeList) Less(i, j int) bool {
+	if c[i].Path == c[j].Path {
+		return c[i].Kind < c[j].Kind
+	}
+	return c[i].Path < c[j].Path
+}
+func (c changeList) Len() int      { return len(c) }
+func (c changeList) Swap(i, j int) { c[j], c[i] = c[i], c[j] }
+
+func checkChanges(expected, actual []archive.Change) error {
+	if len(expected) != len(actual) {
+		return fmt.Errorf("unexpected number of changes, expected %d, got %d", len(expected), len(actual))
+	}
+	sort.Sort(changeList(expected))
+	sort.Sort(changeList(actual))
+
+	for i := range expected {
+		if expected[i] != actual[i] {
+			return fmt.Errorf("unexpected change, expecting %v, got %v", expected[i], actual[i])
+		}
+	}
+
+	return nil
+}
+
+func addLayerFiles(drv graphdriver.Driver, layer, parent string, i int) error {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return err
+	}
+	defer drv.Put(layer)
+
+	if err := driver.WriteFile(root, root.Join(root.Path(), "top-id"), []byte(layer), 0755); err != nil {
+		return err
+	}
+	layerDir := root.Join(root.Path(), fmt.Sprintf("layer-%d", i))
+	if err := root.MkdirAll(layerDir, 0755); err != nil {
+		return err
+	}
+	if err := driver.WriteFile(root, root.Join(layerDir, "layer-id"), []byte(layer), 0755); err != nil {
+		return err
+	}
+	return driver.WriteFile(root, root.Join(layerDir, "parent-id"), []byte(parent), 0755)
+}
+
+func addManyLayers(drv graphdriver.Driver, baseLayer string, count int) (string, error) {
+	lastLayer := baseLayer
+	for i := 1; i <= count; i++ {
+		nextLayer := stringid.GenerateRandomID()
+		if err := drv.Create(nextLayer, lastLayer, nil); err != nil {
+			return "", err
+		}
+		if err := addLayerFiles(drv, nextLayer, lastLayer, i); err != nil {
+			return "", err
+		}
+
+		lastLayer = nextLayer
+
+	}
+	return lastLayer, nil
+}
+
+func checkManyLayers(drv graphdriver.Driver, layer string, count int) error {
+	root, err := drv.Get(layer, "")
+	if err != nil {
+		return err
+	}
+	defer drv.Put(layer)
+
+	layerIDBytes, err := driver.ReadFile(root, root.Join(root.Path(), "top-id"))
+	if err != nil {
+		return err
+	}
+
+	if !bytes.Equal(layerIDBytes, []byte(layer)) {
+		return fmt.Errorf("mismatched file content %v, expecting %v", layerIDBytes, []byte(layer))
+	}
+
+	for i := count; i > 0; i-- {
+		layerDir := root.Join(root.Path(), fmt.Sprintf("layer-%d", i))
+
+		thisLayerIDBytes, err := driver.ReadFile(root, root.Join(layerDir, "layer-id"))
+		if err != nil {
+			return err
+		}
+		if !bytes.Equal(thisLayerIDBytes, layerIDBytes) {
+			return fmt.Errorf("mismatched file content %v, expecting %v", thisLayerIDBytes, layerIDBytes)
+		}
+		layerIDBytes, err = driver.ReadFile(root, root.Join(layerDir, "parent-id"))
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// readDir reads a directory just like driver.ReadDir()
+// then hides specific files (currently "lost+found")
+// so the tests don't "see" it
+func readDir(r driver.Driver, dir string) ([]os.FileInfo, error) {
+	a, err := driver.ReadDir(r, dir)
+	if err != nil {
+		return nil, err
+	}
+
+	b := a[:0]
+	for _, x := range a {
+		if x.Name() != "lost+found" { // ext4 always have this dir
+			b = append(b, x)
+		}
+	}
+
+	return b, nil
+}
diff --git a/engine/daemon/graphdriver/graphtest/testutil_unix.go b/engine/daemon/graphdriver/graphtest/testutil_unix.go
new file mode 100644
index 00000000..6871dca0
--- /dev/null
+++ b/engine/daemon/graphdriver/graphtest/testutil_unix.go
@@ -0,0 +1,69 @@
+// +build linux freebsd
+
+package graphtest // import "github.com/docker/docker/daemon/graphdriver/graphtest"
+
+import (
+	"os"
+	"syscall"
+	"testing"
+
+	contdriver "github.com/containerd/continuity/driver"
+	"github.com/docker/docker/daemon/graphdriver"
+	"golang.org/x/sys/unix"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func verifyFile(t testing.TB, path string, mode os.FileMode, uid, gid uint32) {
+	fi, err := os.Stat(path)
+	assert.NilError(t, err)
+
+	actual := fi.Mode()
+	assert.Check(t, is.Equal(mode&os.ModeType, actual&os.ModeType), path)
+	assert.Check(t, is.Equal(mode&os.ModePerm, actual&os.ModePerm), path)
+	assert.Check(t, is.Equal(mode&os.ModeSticky, actual&os.ModeSticky), path)
+	assert.Check(t, is.Equal(mode&os.ModeSetuid, actual&os.ModeSetuid), path)
+	assert.Check(t, is.Equal(mode&os.ModeSetgid, actual&os.ModeSetgid), path)
+
+	if stat, ok := fi.Sys().(*syscall.Stat_t); ok {
+		assert.Check(t, is.Equal(uid, stat.Uid), path)
+		assert.Check(t, is.Equal(gid, stat.Gid), path)
+	}
+}
+
+func createBase(t testing.TB, driver graphdriver.Driver, name string) {
+	// We need to be able to set any perms
+	oldmask := unix.Umask(0)
+	defer unix.Umask(oldmask)
+
+	err := driver.CreateReadWrite(name, "", nil)
+	assert.NilError(t, err)
+
+	dirFS, err := driver.Get(name, "")
+	assert.NilError(t, err)
+	defer driver.Put(name)
+
+	subdir := dirFS.Join(dirFS.Path(), "a subdir")
+	assert.NilError(t, dirFS.Mkdir(subdir, 0705|os.ModeSticky))
+	assert.NilError(t, dirFS.Lchown(subdir, 1, 2))
+
+	file := dirFS.Join(dirFS.Path(), "a file")
+	err = contdriver.WriteFile(dirFS, file, []byte("Some data"), 0222|os.ModeSetuid)
+	assert.NilError(t, err)
+}
+
+func verifyBase(t testing.TB, driver graphdriver.Driver, name string) {
+	dirFS, err := driver.Get(name, "")
+	assert.NilError(t, err)
+	defer driver.Put(name)
+
+	subdir := dirFS.Join(dirFS.Path(), "a subdir")
+	verifyFile(t, subdir, 0705|os.ModeDir|os.ModeSticky, 1, 2)
+
+	file := dirFS.Join(dirFS.Path(), "a file")
+	verifyFile(t, file, 0222|os.ModeSetuid, 0, 0)
+
+	files, err := readDir(dirFS, dirFS.Path())
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(files, 2))
+}
diff --git a/engine/daemon/graphdriver/lcow/lcow.go b/engine/daemon/graphdriver/lcow/lcow.go
new file mode 100644
index 00000000..649beccd
--- /dev/null
+++ b/engine/daemon/graphdriver/lcow/lcow.go
@@ -0,0 +1,1052 @@
+// +build windows
+
+// Maintainer:  jhowardmsft
+// Locale:      en-gb
+// About:       Graph-driver for Linux Containers On Windows (LCOW)
+//
+// This graphdriver runs in two modes. Yet to be determined which one will
+// be the shipping mode. The global mode is where a single utility VM
+// is used for all service VM tool operations. This isn't safe security-wise
+// as it's attaching a sandbox of multiple containers to it, containing
+// untrusted data. This may be fine for client devops scenarios. In
+// safe mode, a unique utility VM is instantiated for all service VM tool
+// operations. The downside of safe-mode is that operations are slower as
+// a new service utility VM has to be started and torn-down when needed.
+//
+// Options:
+//
+// The following options are read by the graphdriver itself:
+//
+//   * lcow.globalmode - Enables global service VM Mode
+//        -- Possible values:     true/false
+//        -- Default if omitted:  false
+//
+//   * lcow.sandboxsize - Specifies a custom sandbox size in GB for starting a container
+//        -- Possible values:      >= default sandbox size (opengcs defined, currently 20)
+//        -- Default if omitted:  20
+//
+// The following options are read by opengcs:
+//
+//   * lcow.kirdpath - Specifies a custom path to a kernel/initrd pair
+//        -- Possible values:      Any local path that is not a mapped drive
+//        -- Default if omitted:  %ProgramFiles%\Linux Containers
+//
+//   * lcow.kernel - Specifies a custom kernel file located in the `lcow.kirdpath` path
+//        -- Possible values:      Any valid filename
+//        -- Default if omitted:  bootx64.efi
+//
+//   * lcow.initrd - Specifies a custom initrd file located in the `lcow.kirdpath` path
+//        -- Possible values:      Any valid filename
+//        -- Default if omitted:  initrd.img
+//
+//   * lcow.bootparameters - Specifies additional boot parameters for booting in kernel+initrd mode
+//        -- Possible values:      Any valid linux kernel boot options
+//        -- Default if omitted:  <nil>
+//
+//   * lcow.vhdx - Specifies a custom vhdx file to boot (instead of a kernel+initrd)
+//        -- Possible values:      Any valid filename
+//        -- Default if omitted:  uvm.vhdx under `lcow.kirdpath`
+//
+//   * lcow.timeout - Specifies a timeout for utility VM operations in seconds
+//        -- Possible values:      >=0
+//        -- Default if omitted:  300
+
+// TODO: Grab logs from SVM at terminate or errors
+
+package lcow // import "github.com/docker/docker/daemon/graphdriver/lcow"
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/Microsoft/hcsshim"
+	"github.com/Microsoft/opengcs/client"
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/system"
+	"github.com/sirupsen/logrus"
+)
+
+// init registers this driver to the register. It gets initialised by the
+// function passed in the second parameter, implemented in this file.
+func init() {
+	graphdriver.Register("lcow", InitDriver)
+}
+
+const (
+	// sandboxFilename is the name of the file containing a layer's sandbox (read-write layer).
+	sandboxFilename = "sandbox.vhdx"
+
+	// scratchFilename is the name of the scratch-space used by an SVM to avoid running out of memory.
+	scratchFilename = "scratch.vhdx"
+
+	// layerFilename is the name of the file containing a layer's read-only contents.
+	// Note this really is VHD format, not VHDX.
+	layerFilename = "layer.vhd"
+
+	// toolsScratchPath is a location in a service utility VM that the tools can use as a
+	// scratch space to avoid running out of memory.
+	toolsScratchPath = "/tmp/scratch"
+
+	// svmGlobalID is the ID used in the serviceVMs map for the global service VM when running in "global" mode.
+	svmGlobalID = "_lcow_global_svm_"
+
+	// cacheDirectory is the sub-folder under the driver's data-root used to cache blank sandbox and scratch VHDs.
+	cacheDirectory = "cache"
+
+	// scratchDirectory is the sub-folder under the driver's data-root used for scratch VHDs in service VMs
+	scratchDirectory = "scratch"
+
+	// errOperationPending is the HRESULT returned by the HCS when the VM termination operation is still pending.
+	errOperationPending syscall.Errno = 0xc0370103
+)
+
+// Driver represents an LCOW graph driver.
+type Driver struct {
+	dataRoot           string     // Root path on the host where we are storing everything.
+	cachedSandboxFile  string     // Location of the local default-sized cached sandbox.
+	cachedSandboxMutex sync.Mutex // Protects race conditions from multiple threads creating the cached sandbox.
+	cachedScratchFile  string     // Location of the local cached empty scratch space.
+	cachedScratchMutex sync.Mutex // Protects race conditions from multiple threads creating the cached scratch.
+	options            []string   // Graphdriver options we are initialised with.
+	globalMode         bool       // Indicates if running in an unsafe/global service VM mode.
+
+	// NOTE: It is OK to use a cache here because Windows does not support
+	// restoring containers when the daemon dies.
+	serviceVms *serviceVMMap // Map of the configs representing the service VM(s) we are running.
+}
+
+// layerDetails is the structure returned by a helper function `getLayerDetails`
+// for getting information about a layer folder
+type layerDetails struct {
+	filename  string // \path\to\sandbox.vhdx or \path\to\layer.vhd
+	size      int64  // size of the above file
+	isSandbox bool   // true if sandbox.vhdx
+}
+
+// deletefiles is a helper function for initialisation where we delete any
+// left-over scratch files in case we were previously forcibly terminated.
+func deletefiles(path string, f os.FileInfo, err error) error {
+	if strings.HasSuffix(f.Name(), ".vhdx") {
+		logrus.Warnf("lcowdriver: init: deleting stale scratch file %s", path)
+		return os.Remove(path)
+	}
+	return nil
+}
+
+// InitDriver returns a new LCOW storage driver.
+func InitDriver(dataRoot string, options []string, _, _ []idtools.IDMap) (graphdriver.Driver, error) {
+	title := "lcowdriver: init:"
+
+	cd := filepath.Join(dataRoot, cacheDirectory)
+	sd := filepath.Join(dataRoot, scratchDirectory)
+
+	d := &Driver{
+		dataRoot:          dataRoot,
+		options:           options,
+		cachedSandboxFile: filepath.Join(cd, sandboxFilename),
+		cachedScratchFile: filepath.Join(cd, scratchFilename),
+		serviceVms: &serviceVMMap{
+			svms: make(map[string]*serviceVMMapItem),
+		},
+		globalMode: false,
+	}
+
+	// Looks for relevant options
+	for _, v := range options {
+		opt := strings.SplitN(v, "=", 2)
+		if len(opt) == 2 {
+			switch strings.ToLower(opt[0]) {
+			case "lcow.globalmode":
+				var err error
+				d.globalMode, err = strconv.ParseBool(opt[1])
+				if err != nil {
+					return nil, fmt.Errorf("%s failed to parse value for 'lcow.globalmode' - must be 'true' or 'false'", title)
+				}
+				break
+			}
+		}
+	}
+
+	// Make sure the dataRoot directory is created
+	if err := idtools.MkdirAllAndChown(dataRoot, 0700, idtools.IDPair{UID: 0, GID: 0}); err != nil {
+		return nil, fmt.Errorf("%s failed to create '%s': %v", title, dataRoot, err)
+	}
+
+	// Make sure the cache directory is created under dataRoot
+	if err := idtools.MkdirAllAndChown(cd, 0700, idtools.IDPair{UID: 0, GID: 0}); err != nil {
+		return nil, fmt.Errorf("%s failed to create '%s': %v", title, cd, err)
+	}
+
+	// Make sure the scratch directory is created under dataRoot
+	if err := idtools.MkdirAllAndChown(sd, 0700, idtools.IDPair{UID: 0, GID: 0}); err != nil {
+		return nil, fmt.Errorf("%s failed to create '%s': %v", title, sd, err)
+	}
+
+	// Delete any items in the scratch directory
+	filepath.Walk(sd, deletefiles)
+
+	logrus.Infof("%s dataRoot: %s globalMode: %t", title, dataRoot, d.globalMode)
+
+	return d, nil
+}
+
+func (d *Driver) getVMID(id string) string {
+	if d.globalMode {
+		return svmGlobalID
+	}
+	return id
+}
+
+// startServiceVMIfNotRunning starts a service utility VM if it is not currently running.
+// It can optionally be started with a mapped virtual disk. Returns a opengcs config structure
+// representing the VM.
+func (d *Driver) startServiceVMIfNotRunning(id string, mvdToAdd []hcsshim.MappedVirtualDisk, context string) (_ *serviceVM, err error) {
+	// Use the global ID if in global mode
+	id = d.getVMID(id)
+
+	title := fmt.Sprintf("lcowdriver: startservicevmifnotrunning %s:", id)
+
+	// Attempt to add ID to the service vm map
+	logrus.Debugf("%s: Adding entry to service vm map", title)
+	svm, exists, err := d.serviceVms.add(id)
+	if err != nil && err == errVMisTerminating {
+		// VM is in the process of terminating. Wait until it's done and and then try again
+		logrus.Debugf("%s: VM with current ID still in the process of terminating: %s", title, id)
+		if err := svm.getStopError(); err != nil {
+			logrus.Debugf("%s: VM %s did not stop successfully: %s", title, id, err)
+			return nil, err
+		}
+		return d.startServiceVMIfNotRunning(id, mvdToAdd, context)
+	} else if err != nil {
+		logrus.Debugf("%s: failed to add service vm to map: %s", err)
+		return nil, fmt.Errorf("%s: failed to add to service vm map: %s", title, err)
+	}
+
+	if exists {
+		// Service VM is already up and running. In this case, just hot add the vhds.
+		logrus.Debugf("%s: service vm already exists. Just hot adding: %+v", title, mvdToAdd)
+		if err := svm.hotAddVHDs(mvdToAdd...); err != nil {
+			logrus.Debugf("%s: failed to hot add vhds on service vm creation: %s", title, err)
+			return nil, fmt.Errorf("%s: failed to hot add vhds on service vm: %s", title, err)
+		}
+		return svm, nil
+	}
+
+	// We are the first service for this id, so we need to start it
+	logrus.Debugf("%s: service vm doesn't exist. Now starting it up: %s", title, id)
+
+	defer func() {
+		// Signal that start has finished, passing in the error if any.
+		svm.signalStartFinished(err)
+		if err != nil {
+			// We added a ref to the VM, since we failed, we should delete the ref.
+			d.terminateServiceVM(id, "error path on startServiceVMIfNotRunning", false)
+		}
+	}()
+
+	// Generate a default configuration
+	if err := svm.config.GenerateDefault(d.options); err != nil {
+		return nil, fmt.Errorf("%s failed to generate default gogcs configuration for global svm (%s): %s", title, context, err)
+	}
+
+	// For the name, we deliberately suffix if safe-mode to ensure that it doesn't
+	// clash with another utility VM which may be running for the container itself.
+	// This also makes it easier to correlate through Get-ComputeProcess.
+	if id == svmGlobalID {
+		svm.config.Name = svmGlobalID
+	} else {
+		svm.config.Name = fmt.Sprintf("%s_svm", id)
+	}
+
+	// Ensure we take the cached scratch mutex around the check to ensure the file is complete
+	// and not in the process of being created by another thread.
+	scratchTargetFile := filepath.Join(d.dataRoot, scratchDirectory, fmt.Sprintf("%s.vhdx", id))
+
+	logrus.Debugf("%s locking cachedScratchMutex", title)
+	d.cachedScratchMutex.Lock()
+	if _, err := os.Stat(d.cachedScratchFile); err == nil {
+		// Make a copy of cached scratch to the scratch directory
+		logrus.Debugf("lcowdriver: startServiceVmIfNotRunning: (%s) cloning cached scratch for mvd", context)
+		if err := client.CopyFile(d.cachedScratchFile, scratchTargetFile, true); err != nil {
+			logrus.Debugf("%s releasing cachedScratchMutex on err: %s", title, err)
+			d.cachedScratchMutex.Unlock()
+			return nil, err
+		}
+
+		// Add the cached clone as a mapped virtual disk
+		logrus.Debugf("lcowdriver: startServiceVmIfNotRunning: (%s) adding cloned scratch as mvd", context)
+		mvd := hcsshim.MappedVirtualDisk{
+			HostPath:          scratchTargetFile,
+			ContainerPath:     toolsScratchPath,
+			CreateInUtilityVM: true,
+		}
+		svm.config.MappedVirtualDisks = append(svm.config.MappedVirtualDisks, mvd)
+		svm.scratchAttached = true
+	}
+
+	logrus.Debugf("%s releasing cachedScratchMutex", title)
+	d.cachedScratchMutex.Unlock()
+
+	// If requested to start it with a mapped virtual disk, add it now.
+	svm.config.MappedVirtualDisks = append(svm.config.MappedVirtualDisks, mvdToAdd...)
+	for _, mvd := range svm.config.MappedVirtualDisks {
+		svm.attachedVHDs[mvd.HostPath] = 1
+	}
+
+	// Start it.
+	logrus.Debugf("lcowdriver: startServiceVmIfNotRunning: (%s) starting %s", context, svm.config.Name)
+	if err := svm.config.StartUtilityVM(); err != nil {
+		return nil, fmt.Errorf("failed to start service utility VM (%s): %s", context, err)
+	}
+
+	// defer function to terminate the VM if the next steps fail
+	defer func() {
+		if err != nil {
+			waitTerminate(svm, fmt.Sprintf("startServiceVmIfNotRunning: %s (%s)", id, context))
+		}
+	}()
+
+	// Now we have a running service VM, we can create the cached scratch file if it doesn't exist.
+	logrus.Debugf("%s locking cachedScratchMutex", title)
+	d.cachedScratchMutex.Lock()
+	if _, err := os.Stat(d.cachedScratchFile); err != nil {
+		logrus.Debugf("%s (%s): creating an SVM scratch", title, context)
+
+		// Don't use svm.CreateExt4Vhdx since that only works when the service vm is setup,
+		// but we're still in that process right now.
+		if err := svm.config.CreateExt4Vhdx(scratchTargetFile, client.DefaultVhdxSizeGB, d.cachedScratchFile); err != nil {
+			logrus.Debugf("%s (%s): releasing cachedScratchMutex on error path", title, context)
+			d.cachedScratchMutex.Unlock()
+			logrus.Debugf("%s: failed to create vm scratch %s: %s", title, scratchTargetFile, err)
+			return nil, fmt.Errorf("failed to create SVM scratch VHDX (%s): %s", context, err)
+		}
+	}
+	logrus.Debugf("%s (%s): releasing cachedScratchMutex", title, context)
+	d.cachedScratchMutex.Unlock()
+
+	// Hot-add the scratch-space if not already attached
+	if !svm.scratchAttached {
+		logrus.Debugf("lcowdriver: startServiceVmIfNotRunning: (%s) hot-adding scratch %s", context, scratchTargetFile)
+		if err := svm.hotAddVHDsAtStart(hcsshim.MappedVirtualDisk{
+			HostPath:          scratchTargetFile,
+			ContainerPath:     toolsScratchPath,
+			CreateInUtilityVM: true,
+		}); err != nil {
+			logrus.Debugf("%s: failed to hot-add scratch %s: %s", title, scratchTargetFile, err)
+			return nil, fmt.Errorf("failed to hot-add %s failed: %s", scratchTargetFile, err)
+		}
+		svm.scratchAttached = true
+	}
+
+	logrus.Debugf("lcowdriver: startServiceVmIfNotRunning: (%s) success", context)
+	return svm, nil
+}
+
+// terminateServiceVM terminates a service utility VM if its running if it's,
+// not being used by any goroutine, but does nothing when in global mode as it's
+// lifetime is limited to that of the daemon. If the force flag is set, then
+// the VM will be killed regardless of the ref count or if it's global.
+func (d *Driver) terminateServiceVM(id, context string, force bool) (err error) {
+	// We don't do anything in safe mode unless the force flag has been passed, which
+	// is only the case for cleanup at driver termination.
+	if d.globalMode && !force {
+		logrus.Debugf("lcowdriver: terminateservicevm: %s (%s) - doing nothing as in global mode", id, context)
+		return nil
+	}
+
+	id = d.getVMID(id)
+
+	var svm *serviceVM
+	var lastRef bool
+	if !force {
+		// In the not force case, we ref count
+		svm, lastRef, err = d.serviceVms.decrementRefCount(id)
+	} else {
+		// In the force case, we ignore the ref count and just set it to 0
+		svm, err = d.serviceVms.setRefCountZero(id)
+		lastRef = true
+	}
+
+	if err == errVMUnknown {
+		return nil
+	} else if err == errVMisTerminating {
+		return svm.getStopError()
+	} else if !lastRef {
+		return nil
+	}
+
+	// We run the deletion of the scratch as a deferred function to at least attempt
+	// clean-up in case of errors.
+	defer func() {
+		if svm.scratchAttached {
+			scratchTargetFile := filepath.Join(d.dataRoot, scratchDirectory, fmt.Sprintf("%s.vhdx", id))
+			logrus.Debugf("lcowdriver: terminateservicevm: %s (%s) - deleting scratch %s", id, context, scratchTargetFile)
+			if errRemove := os.Remove(scratchTargetFile); errRemove != nil {
+				logrus.Warnf("failed to remove scratch file %s (%s): %s", scratchTargetFile, context, errRemove)
+				err = errRemove
+			}
+		}
+
+		// This function shouldn't actually return error unless there is a bug
+		if errDelete := d.serviceVms.deleteID(id); errDelete != nil {
+			logrus.Warnf("failed to service vm from svm map %s (%s): %s", id, context, errDelete)
+		}
+
+		// Signal that this VM has stopped
+		svm.signalStopFinished(err)
+	}()
+
+	// Now it's possible that the service VM failed to start and now we are trying to terminate it.
+	// In this case, we will relay the error to the goroutines waiting for this vm to stop.
+	if err := svm.getStartError(); err != nil {
+		logrus.Debugf("lcowdriver: terminateservicevm: %s had failed to start up: %s", id, err)
+		return err
+	}
+
+	if err := waitTerminate(svm, fmt.Sprintf("terminateservicevm: %s (%s)", id, context)); err != nil {
+		return err
+	}
+
+	logrus.Debugf("lcowdriver: terminateservicevm: %s (%s) - success", id, context)
+	return nil
+}
+
+func waitTerminate(svm *serviceVM, context string) error {
+	if svm.config == nil {
+		return fmt.Errorf("lcowdriver: waitTermiante: Nil utility VM. %s", context)
+	}
+
+	logrus.Debugf("lcowdriver: waitTerminate: Calling terminate: %s", context)
+	if err := svm.config.Uvm.Terminate(); err != nil {
+		// We might get operation still pending from the HCS. In that case, we shouldn't return
+		// an error since we call wait right after.
+		underlyingError := err
+		if conterr, ok := err.(*hcsshim.ContainerError); ok {
+			underlyingError = conterr.Err
+		}
+
+		if syscallErr, ok := underlyingError.(syscall.Errno); ok {
+			underlyingError = syscallErr
+		}
+
+		if underlyingError != errOperationPending {
+			return fmt.Errorf("failed to terminate utility VM (%s): %s", context, err)
+		}
+		logrus.Debugf("lcowdriver: waitTerminate: uvm.Terminate() returned operation pending (%s)", context)
+	}
+
+	logrus.Debugf("lcowdriver: waitTerminate: (%s) - waiting for utility VM to terminate", context)
+	if err := svm.config.Uvm.WaitTimeout(time.Duration(svm.config.UvmTimeoutSeconds) * time.Second); err != nil {
+		return fmt.Errorf("failed waiting for utility VM to terminate (%s): %s", context, err)
+	}
+	return nil
+}
+
+// String returns the string representation of a driver. This should match
+// the name the graph driver has been registered with.
+func (d *Driver) String() string {
+	return "lcow"
+}
+
+// Status returns the status of the driver.
+func (d *Driver) Status() [][2]string {
+	return [][2]string{
+		{"LCOW", ""},
+		// TODO: Add some more info here - mode, home, ....
+	}
+}
+
+// Exists returns true if the given id is registered with this driver.
+func (d *Driver) Exists(id string) bool {
+	_, err := os.Lstat(d.dir(id))
+	logrus.Debugf("lcowdriver: exists: id %s %t", id, err == nil)
+	return err == nil
+}
+
+// CreateReadWrite creates a layer that is writable for use as a container
+// file system. That equates to creating a sandbox.
+func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error {
+	title := fmt.Sprintf("lcowdriver: createreadwrite: id %s", id)
+	logrus.Debugf(title)
+
+	// First we need to create the folder
+	if err := d.Create(id, parent, opts); err != nil {
+		return err
+	}
+
+	// Look for an explicit sandbox size option.
+	sandboxSize := uint64(client.DefaultVhdxSizeGB)
+	for k, v := range opts.StorageOpt {
+		switch strings.ToLower(k) {
+		case "lcow.sandboxsize":
+			var err error
+			sandboxSize, err = strconv.ParseUint(v, 10, 32)
+			if err != nil {
+				return fmt.Errorf("%s failed to parse value '%s' for 'lcow.sandboxsize'", title, v)
+			}
+			if sandboxSize < client.DefaultVhdxSizeGB {
+				return fmt.Errorf("%s 'lcow.sandboxsize' option cannot be less than %d", title, client.DefaultVhdxSizeGB)
+			}
+			break
+		}
+	}
+
+	// Massive perf optimisation here. If we know that the RW layer is the default size,
+	// and that the cached sandbox already exists, and we are running in safe mode, we
+	// can just do a simple copy into the layers sandbox file without needing to start a
+	// unique service VM. For a global service VM, it doesn't really matter. Of course,
+	// this is only the case where the sandbox is the default size.
+	//
+	// Make sure we have the sandbox mutex taken while we are examining it.
+	if sandboxSize == client.DefaultVhdxSizeGB {
+		logrus.Debugf("%s: locking cachedSandboxMutex", title)
+		d.cachedSandboxMutex.Lock()
+		_, err := os.Stat(d.cachedSandboxFile)
+		logrus.Debugf("%s: releasing cachedSandboxMutex", title)
+		d.cachedSandboxMutex.Unlock()
+		if err == nil {
+			logrus.Debugf("%s: using cached sandbox to populate", title)
+			if err := client.CopyFile(d.cachedSandboxFile, filepath.Join(d.dir(id), sandboxFilename), true); err != nil {
+				return err
+			}
+			return nil
+		}
+	}
+
+	logrus.Debugf("%s: creating SVM to create sandbox", title)
+	svm, err := d.startServiceVMIfNotRunning(id, nil, "createreadwrite")
+	if err != nil {
+		return err
+	}
+	defer d.terminateServiceVM(id, "createreadwrite", false)
+
+	// So the sandbox needs creating. If default size ensure we are the only thread populating the cache.
+	// Non-default size we don't store, just create them one-off so no need to lock the cachedSandboxMutex.
+	if sandboxSize == client.DefaultVhdxSizeGB {
+		logrus.Debugf("%s: locking cachedSandboxMutex for creation", title)
+		d.cachedSandboxMutex.Lock()
+		defer func() {
+			logrus.Debugf("%s: releasing cachedSandboxMutex for creation", title)
+			d.cachedSandboxMutex.Unlock()
+		}()
+	}
+
+	// Make sure we don't write to our local cached copy if this is for a non-default size request.
+	targetCacheFile := d.cachedSandboxFile
+	if sandboxSize != client.DefaultVhdxSizeGB {
+		targetCacheFile = ""
+	}
+
+	// Create the ext4 vhdx
+	logrus.Debugf("%s: creating sandbox ext4 vhdx", title)
+	if err := svm.createExt4VHDX(filepath.Join(d.dir(id), sandboxFilename), uint32(sandboxSize), targetCacheFile); err != nil {
+		logrus.Debugf("%s: failed to create sandbox vhdx for %s: %s", title, id, err)
+		return err
+	}
+	return nil
+}
+
+// Create creates the folder for the layer with the given id, and
+// adds it to the layer chain.
+func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+	logrus.Debugf("lcowdriver: create: id %s parent: %s", id, parent)
+
+	parentChain, err := d.getLayerChain(parent)
+	if err != nil {
+		return err
+	}
+
+	var layerChain []string
+	if parent != "" {
+		if !d.Exists(parent) {
+			return fmt.Errorf("lcowdriver: cannot create layer folder with missing parent %s", parent)
+		}
+		layerChain = []string{d.dir(parent)}
+	}
+	layerChain = append(layerChain, parentChain...)
+
+	// Make sure layers are created with the correct ACL so that VMs can access them.
+	layerPath := d.dir(id)
+	logrus.Debugf("lcowdriver: create: id %s: creating %s", id, layerPath)
+	if err := system.MkdirAllWithACL(layerPath, 755, system.SddlNtvmAdministratorsLocalSystem); err != nil {
+		return err
+	}
+
+	if err := d.setLayerChain(id, layerChain); err != nil {
+		if err2 := os.RemoveAll(layerPath); err2 != nil {
+			logrus.Warnf("failed to remove layer %s: %s", layerPath, err2)
+		}
+		return err
+	}
+	logrus.Debugf("lcowdriver: create: id %s: success", id)
+
+	return nil
+}
+
+// Remove unmounts and removes the dir information.
+func (d *Driver) Remove(id string) error {
+	logrus.Debugf("lcowdriver: remove: id %s", id)
+	tmpID := fmt.Sprintf("%s-removing", id)
+	tmpLayerPath := d.dir(tmpID)
+	layerPath := d.dir(id)
+
+	logrus.Debugf("lcowdriver: remove: id %s: layerPath %s", id, layerPath)
+
+	// Unmount all the layers
+	err := d.Put(id)
+	if err != nil {
+		logrus.Debugf("lcowdriver: remove id %s: failed to unmount: %s", id, err)
+		return err
+	}
+
+	// for non-global case just kill the vm
+	if !d.globalMode {
+		if err := d.terminateServiceVM(id, fmt.Sprintf("Remove %s", id), true); err != nil {
+			return err
+		}
+	}
+
+	if err := os.Rename(layerPath, tmpLayerPath); err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
+	if err := os.RemoveAll(tmpLayerPath); err != nil {
+		return err
+	}
+
+	logrus.Debugf("lcowdriver: remove: id %s: layerPath %s succeeded", id, layerPath)
+	return nil
+}
+
+// Get returns the rootfs path for the id. It is reference counted and
+// effectively can be thought of as a "mount the layer into the utility
+// vm if it isn't already". The contract from the caller of this is that
+// all Gets and Puts are matched. It -should- be the case that on cleanup,
+// nothing is mounted.
+//
+// For optimisation, we don't actually mount the filesystem (which in our
+// case means [hot-]adding it to a service VM. But we track that and defer
+// the actual adding to the point we need to access it.
+func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
+	title := fmt.Sprintf("lcowdriver: get: %s", id)
+	logrus.Debugf(title)
+
+	// Generate the mounts needed for the defered operation.
+	disks, err := d.getAllMounts(id)
+	if err != nil {
+		logrus.Debugf("%s failed to get all layer details for %s: %s", title, d.dir(id), err)
+		return nil, fmt.Errorf("%s failed to get layer details for %s: %s", title, d.dir(id), err)
+	}
+
+	logrus.Debugf("%s: got layer mounts: %+v", title, disks)
+	return &lcowfs{
+		root:        unionMountName(disks),
+		d:           d,
+		mappedDisks: disks,
+		vmID:        d.getVMID(id),
+	}, nil
+}
+
+// Put does the reverse of get. If there are no more references to
+// the layer, it unmounts it from the utility VM.
+func (d *Driver) Put(id string) error {
+	title := fmt.Sprintf("lcowdriver: put: %s", id)
+
+	// Get the service VM that we need to remove from
+	svm, err := d.serviceVms.get(d.getVMID(id))
+	if err == errVMUnknown {
+		return nil
+	} else if err == errVMisTerminating {
+		return svm.getStopError()
+	}
+
+	// Generate the mounts that Get() might have mounted
+	disks, err := d.getAllMounts(id)
+	if err != nil {
+		logrus.Debugf("%s failed to get all layer details for %s: %s", title, d.dir(id), err)
+		return fmt.Errorf("%s failed to get layer details for %s: %s", title, d.dir(id), err)
+	}
+
+	// Now, we want to perform the unmounts, hot-remove and stop the service vm.
+	// We want to go though all the steps even if we have an error to clean up properly
+	err = svm.deleteUnionMount(unionMountName(disks), disks...)
+	if err != nil {
+		logrus.Debugf("%s failed to delete union mount %s: %s", title, id, err)
+	}
+
+	err1 := svm.hotRemoveVHDs(disks...)
+	if err1 != nil {
+		logrus.Debugf("%s failed to hot remove vhds %s: %s", title, id, err)
+		if err == nil {
+			err = err1
+		}
+	}
+
+	err1 = d.terminateServiceVM(id, fmt.Sprintf("Put %s", id), false)
+	if err1 != nil {
+		logrus.Debugf("%s failed to terminate service vm %s: %s", title, id, err1)
+		if err == nil {
+			err = err1
+		}
+	}
+	logrus.Debugf("Put succeeded on id %s", id)
+	return err
+}
+
+// Cleanup ensures the information the driver stores is properly removed.
+// We use this opportunity to cleanup any -removing folders which may be
+// still left if the daemon was killed while it was removing a layer.
+func (d *Driver) Cleanup() error {
+	title := "lcowdriver: cleanup"
+
+	items, err := ioutil.ReadDir(d.dataRoot)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	// Note we don't return an error below - it's possible the files
+	// are locked. However, next time around after the daemon exits,
+	// we likely will be able to to cleanup successfully. Instead we log
+	// warnings if there are errors.
+	for _, item := range items {
+		if item.IsDir() && strings.HasSuffix(item.Name(), "-removing") {
+			if err := os.RemoveAll(filepath.Join(d.dataRoot, item.Name())); err != nil {
+				logrus.Warnf("%s failed to cleanup %s: %s", title, item.Name(), err)
+			} else {
+				logrus.Infof("%s cleaned up %s", title, item.Name())
+			}
+		}
+	}
+
+	// Cleanup any service VMs we have running, along with their scratch spaces.
+	// We don't take the lock for this as it's taken in terminateServiceVm.
+	for k, v := range d.serviceVms.svms {
+		logrus.Debugf("%s svm entry: %s: %+v", title, k, v)
+		d.terminateServiceVM(k, "cleanup", true)
+	}
+
+	return nil
+}
+
+// Diff takes a layer (and it's parent layer which may be null, but
+// is ignored by this implementation below) and returns a reader for
+// a tarstream representing the layers contents. The id could be
+// a read-only "layer.vhd" or a read-write "sandbox.vhdx". The semantics
+// of this function dictate that the layer is already mounted.
+// However, as we do lazy mounting as a performance optimisation,
+// this will likely not be the case.
+func (d *Driver) Diff(id, parent string) (io.ReadCloser, error) {
+	title := fmt.Sprintf("lcowdriver: diff: %s", id)
+
+	// Get VHDX info
+	ld, err := getLayerDetails(d.dir(id))
+	if err != nil {
+		logrus.Debugf("%s: failed to get vhdx information of %s: %s", title, d.dir(id), err)
+		return nil, err
+	}
+
+	// Start the SVM with a mapped virtual disk. Note that if the SVM is
+	// already running and we are in global mode, this will be
+	// hot-added.
+	mvd := hcsshim.MappedVirtualDisk{
+		HostPath:          ld.filename,
+		ContainerPath:     hostToGuest(ld.filename),
+		CreateInUtilityVM: true,
+		ReadOnly:          true,
+	}
+
+	logrus.Debugf("%s: starting service VM", title)
+	svm, err := d.startServiceVMIfNotRunning(id, []hcsshim.MappedVirtualDisk{mvd}, fmt.Sprintf("diff %s", id))
+	if err != nil {
+		return nil, err
+	}
+
+	logrus.Debugf("lcowdriver: diff: waiting for svm to finish booting")
+	err = svm.getStartError()
+	if err != nil {
+		d.terminateServiceVM(id, fmt.Sprintf("diff %s", id), false)
+		return nil, fmt.Errorf("lcowdriver: diff: svm failed to boot: %s", err)
+	}
+
+	// Obtain the tar stream for it
+	logrus.Debugf("%s: %s %s, size %d, ReadOnly %t", title, ld.filename, mvd.ContainerPath, ld.size, ld.isSandbox)
+	tarReadCloser, err := svm.config.VhdToTar(mvd.HostPath, mvd.ContainerPath, ld.isSandbox, ld.size)
+	if err != nil {
+		svm.hotRemoveVHDs(mvd)
+		d.terminateServiceVM(id, fmt.Sprintf("diff %s", id), false)
+		return nil, fmt.Errorf("%s failed to export layer to tar stream for id: %s, parent: %s : %s", title, id, parent, err)
+	}
+
+	logrus.Debugf("%s id %s parent %s completed successfully", title, id, parent)
+
+	// In safe/non-global mode, we can't tear down the service VM until things have been read.
+	return ioutils.NewReadCloserWrapper(tarReadCloser, func() error {
+		tarReadCloser.Close()
+		svm.hotRemoveVHDs(mvd)
+		d.terminateServiceVM(id, fmt.Sprintf("diff %s", id), false)
+		return nil
+	}), nil
+}
+
+// ApplyDiff extracts the changeset from the given diff into the
+// layer with the specified id and parent, returning the size of the
+// new layer in bytes. The layer should not be mounted when calling
+// this function. Another way of describing this is that ApplyDiff writes
+// to a new layer (a VHD in LCOW) the contents of a tarstream it's given.
+func (d *Driver) ApplyDiff(id, parent string, diff io.Reader) (int64, error) {
+	logrus.Debugf("lcowdriver: applydiff: id %s", id)
+
+	svm, err := d.startServiceVMIfNotRunning(id, nil, fmt.Sprintf("applydiff %s", id))
+	if err != nil {
+		return 0, err
+	}
+	defer d.terminateServiceVM(id, fmt.Sprintf("applydiff %s", id), false)
+
+	logrus.Debugf("lcowdriver: applydiff: waiting for svm to finish booting")
+	err = svm.getStartError()
+	if err != nil {
+		return 0, fmt.Errorf("lcowdriver: applydiff: svm failed to boot: %s", err)
+	}
+
+	// TODO @jhowardmsft - the retries are temporary to overcome platform reliability issues.
+	// Obviously this will be removed as platform bugs are fixed.
+	retries := 0
+	for {
+		retries++
+		size, err := svm.config.TarToVhd(filepath.Join(d.dataRoot, id, layerFilename), diff)
+		if err != nil {
+			if retries <= 10 {
+				continue
+			}
+			return 0, err
+		}
+		return size, err
+	}
+}
+
+// Changes produces a list of changes between the specified layer
+// and its parent layer. If parent is "", then all changes will be ADD changes.
+// The layer should not be mounted when calling this function.
+func (d *Driver) Changes(id, parent string) ([]archive.Change, error) {
+	logrus.Debugf("lcowdriver: changes: id %s parent %s", id, parent)
+	// TODO @gupta-ak. Needs implementation with assistance from service VM
+	return nil, nil
+}
+
+// DiffSize calculates the changes between the specified layer
+// and its parent and returns the size in bytes of the changes
+// relative to its base filesystem directory.
+func (d *Driver) DiffSize(id, parent string) (size int64, err error) {
+	logrus.Debugf("lcowdriver: diffsize: id %s", id)
+	// TODO @gupta-ak. Needs implementation with assistance from service VM
+	return 0, nil
+}
+
+// GetMetadata returns custom driver information.
+func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+	logrus.Debugf("lcowdriver: getmetadata: id %s", id)
+	m := make(map[string]string)
+	m["dir"] = d.dir(id)
+	return m, nil
+}
+
+// GetLayerPath gets the layer path on host (path to VHD/VHDX)
+func (d *Driver) GetLayerPath(id string) (string, error) {
+	return d.dir(id), nil
+}
+
+// dir returns the absolute path to the layer.
+func (d *Driver) dir(id string) string {
+	return filepath.Join(d.dataRoot, filepath.Base(id))
+}
+
+// getLayerChain returns the layer chain information.
+func (d *Driver) getLayerChain(id string) ([]string, error) {
+	jPath := filepath.Join(d.dir(id), "layerchain.json")
+	logrus.Debugf("lcowdriver: getlayerchain: id %s json %s", id, jPath)
+	content, err := ioutil.ReadFile(jPath)
+	if os.IsNotExist(err) {
+		return nil, nil
+	} else if err != nil {
+		return nil, fmt.Errorf("lcowdriver: getlayerchain: %s unable to read layerchain file %s: %s", id, jPath, err)
+	}
+
+	var layerChain []string
+	err = json.Unmarshal(content, &layerChain)
+	if err != nil {
+		return nil, fmt.Errorf("lcowdriver: getlayerchain: %s failed to unmarshall layerchain file %s: %s", id, jPath, err)
+	}
+	return layerChain, nil
+}
+
+// setLayerChain stores the layer chain information on disk.
+func (d *Driver) setLayerChain(id string, chain []string) error {
+	content, err := json.Marshal(&chain)
+	if err != nil {
+		return fmt.Errorf("lcowdriver: setlayerchain: %s failed to marshall layerchain json: %s", id, err)
+	}
+
+	jPath := filepath.Join(d.dir(id), "layerchain.json")
+	logrus.Debugf("lcowdriver: setlayerchain: id %s json %s", id, jPath)
+	err = ioutil.WriteFile(jPath, content, 0600)
+	if err != nil {
+		return fmt.Errorf("lcowdriver: setlayerchain: %s failed to write layerchain file: %s", id, err)
+	}
+	return nil
+}
+
+// getLayerDetails is a utility for getting a file name, size and indication of
+// sandbox for a VHD(x) in a folder. A read-only layer will be layer.vhd. A
+// read-write layer will be sandbox.vhdx.
+func getLayerDetails(folder string) (*layerDetails, error) {
+	var fileInfo os.FileInfo
+	ld := &layerDetails{
+		isSandbox: false,
+		filename:  filepath.Join(folder, layerFilename),
+	}
+
+	fileInfo, err := os.Stat(ld.filename)
+	if err != nil {
+		ld.filename = filepath.Join(folder, sandboxFilename)
+		if fileInfo, err = os.Stat(ld.filename); err != nil {
+			return nil, fmt.Errorf("failed to locate layer or sandbox in %s", folder)
+		}
+		ld.isSandbox = true
+	}
+	ld.size = fileInfo.Size()
+
+	return ld, nil
+}
+
+func (d *Driver) getAllMounts(id string) ([]hcsshim.MappedVirtualDisk, error) {
+	layerChain, err := d.getLayerChain(id)
+	if err != nil {
+		return nil, err
+	}
+	layerChain = append([]string{d.dir(id)}, layerChain...)
+
+	logrus.Debugf("getting all  layers: %v", layerChain)
+	disks := make([]hcsshim.MappedVirtualDisk, len(layerChain), len(layerChain))
+	for i := range layerChain {
+		ld, err := getLayerDetails(layerChain[i])
+		if err != nil {
+			logrus.Debugf("Failed to get LayerVhdDetails from %s: %s", layerChain[i], err)
+			return nil, err
+		}
+		disks[i].HostPath = ld.filename
+		disks[i].ContainerPath = hostToGuest(ld.filename)
+		disks[i].CreateInUtilityVM = true
+		disks[i].ReadOnly = !ld.isSandbox
+	}
+	return disks, nil
+}
+
+func hostToGuest(hostpath string) string {
+	return fmt.Sprintf("/tmp/%s", filepath.Base(filepath.Dir(hostpath)))
+}
+
+func unionMountName(disks []hcsshim.MappedVirtualDisk) string {
+	return fmt.Sprintf("%s-mount", disks[0].ContainerPath)
+}
+
+type nopCloser struct {
+	io.Reader
+}
+
+func (nopCloser) Close() error {
+	return nil
+}
+
+type fileGetCloserFromSVM struct {
+	id  string
+	svm *serviceVM
+	mvd *hcsshim.MappedVirtualDisk
+	d   *Driver
+}
+
+func (fgc *fileGetCloserFromSVM) Close() error {
+	if fgc.svm != nil {
+		if fgc.mvd != nil {
+			if err := fgc.svm.hotRemoveVHDs(*fgc.mvd); err != nil {
+				// We just log this as we're going to tear down the SVM imminently unless in global mode
+				logrus.Errorf("failed to remove mvd %s: %s", fgc.mvd.ContainerPath, err)
+			}
+		}
+	}
+	if fgc.d != nil && fgc.svm != nil && fgc.id != "" {
+		if err := fgc.d.terminateServiceVM(fgc.id, fmt.Sprintf("diffgetter %s", fgc.id), false); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (fgc *fileGetCloserFromSVM) Get(filename string) (io.ReadCloser, error) {
+	errOut := &bytes.Buffer{}
+	outOut := &bytes.Buffer{}
+	file := path.Join(fgc.mvd.ContainerPath, filename)
+	if err := fgc.svm.runProcess(fmt.Sprintf("cat %s", file), nil, outOut, errOut); err != nil {
+		logrus.Debugf("cat %s failed: %s", file, errOut.String())
+		return nil, err
+	}
+	return nopCloser{bytes.NewReader(outOut.Bytes())}, nil
+}
+
+// DiffGetter returns a FileGetCloser that can read files from the directory that
+// contains files for the layer differences. Used for direct access for tar-split.
+func (d *Driver) DiffGetter(id string) (graphdriver.FileGetCloser, error) {
+	title := fmt.Sprintf("lcowdriver: diffgetter: %s", id)
+	logrus.Debugf(title)
+
+	ld, err := getLayerDetails(d.dir(id))
+	if err != nil {
+		logrus.Debugf("%s: failed to get vhdx information of %s: %s", title, d.dir(id), err)
+		return nil, err
+	}
+
+	// Start the SVM with a mapped virtual disk. Note that if the SVM is
+	// already running and we are in global mode, this will be hot-added.
+	mvd := hcsshim.MappedVirtualDisk{
+		HostPath:          ld.filename,
+		ContainerPath:     hostToGuest(ld.filename),
+		CreateInUtilityVM: true,
+		ReadOnly:          true,
+	}
+
+	logrus.Debugf("%s: starting service VM", title)
+	svm, err := d.startServiceVMIfNotRunning(id, []hcsshim.MappedVirtualDisk{mvd}, fmt.Sprintf("diffgetter %s", id))
+	if err != nil {
+		return nil, err
+	}
+
+	logrus.Debugf("%s: waiting for svm to finish booting", title)
+	err = svm.getStartError()
+	if err != nil {
+		d.terminateServiceVM(id, fmt.Sprintf("diff %s", id), false)
+		return nil, fmt.Errorf("%s: svm failed to boot: %s", title, err)
+	}
+
+	return &fileGetCloserFromSVM{
+		id:  id,
+		svm: svm,
+		mvd: &mvd,
+		d:   d}, nil
+}
diff --git a/engine/daemon/graphdriver/lcow/lcow_svm.go b/engine/daemon/graphdriver/lcow/lcow_svm.go
new file mode 100644
index 00000000..9a27ac94
--- /dev/null
+++ b/engine/daemon/graphdriver/lcow/lcow_svm.go
@@ -0,0 +1,378 @@
+// +build windows
+
+package lcow // import "github.com/docker/docker/daemon/graphdriver/lcow"
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/Microsoft/hcsshim"
+	"github.com/Microsoft/opengcs/client"
+	"github.com/sirupsen/logrus"
+)
+
+// Code for all the service VM management for the LCOW graphdriver
+
+var errVMisTerminating = errors.New("service VM is shutting down")
+var errVMUnknown = errors.New("service vm id is unknown")
+var errVMStillHasReference = errors.New("Attemping to delete a VM that is still being used")
+
+// serviceVMMap is the struct representing the id -> service VM mapping.
+type serviceVMMap struct {
+	sync.Mutex
+	svms map[string]*serviceVMMapItem
+}
+
+// serviceVMMapItem is our internal structure representing an item in our
+// map of service VMs we are maintaining.
+type serviceVMMapItem struct {
+	svm      *serviceVM // actual service vm object
+	refCount int        // refcount for VM
+}
+
+type serviceVM struct {
+	sync.Mutex                     // Serialises operations being performed in this service VM.
+	scratchAttached bool           // Has a scratch been attached?
+	config          *client.Config // Represents the service VM item.
+
+	// Indicates that the vm is started
+	startStatus chan interface{}
+	startError  error
+
+	// Indicates that the vm is stopped
+	stopStatus chan interface{}
+	stopError  error
+
+	attachedVHDs map[string]int // Map ref counting all the VHDS we've hot-added/hot-removed.
+	unionMounts  map[string]int // Map ref counting all the union filesystems we mounted.
+}
+
+// add will add an id to the service vm map. There are three cases:
+// 	- entry doesn't exist:
+// 		- add id to map and return a new vm that the caller can manually configure+start
+//	- entry does exist
+//  	- return vm in map and increment ref count
+//  - entry does exist but the ref count is 0
+//		- return the svm and errVMisTerminating. Caller can call svm.getStopError() to wait for stop
+func (svmMap *serviceVMMap) add(id string) (svm *serviceVM, alreadyExists bool, err error) {
+	svmMap.Lock()
+	defer svmMap.Unlock()
+	if svm, ok := svmMap.svms[id]; ok {
+		if svm.refCount == 0 {
+			return svm.svm, true, errVMisTerminating
+		}
+		svm.refCount++
+		return svm.svm, true, nil
+	}
+
+	// Doesn't exist, so create an empty svm to put into map and return
+	newSVM := &serviceVM{
+		startStatus:  make(chan interface{}),
+		stopStatus:   make(chan interface{}),
+		attachedVHDs: make(map[string]int),
+		unionMounts:  make(map[string]int),
+		config:       &client.Config{},
+	}
+	svmMap.svms[id] = &serviceVMMapItem{
+		svm:      newSVM,
+		refCount: 1,
+	}
+	return newSVM, false, nil
+}
+
+// get will get the service vm from the map. There are three cases:
+// 	- entry doesn't exist:
+// 		- return errVMUnknown
+//	- entry does exist
+//  	- return vm with no error
+//  - entry does exist but the ref count is 0
+//		- return the svm and errVMisTerminating. Caller can call svm.getStopError() to wait for stop
+func (svmMap *serviceVMMap) get(id string) (*serviceVM, error) {
+	svmMap.Lock()
+	defer svmMap.Unlock()
+	svm, ok := svmMap.svms[id]
+	if !ok {
+		return nil, errVMUnknown
+	}
+	if svm.refCount == 0 {
+		return svm.svm, errVMisTerminating
+	}
+	return svm.svm, nil
+}
+
+// decrementRefCount decrements the ref count of the given ID from the map. There are four cases:
+// 	- entry doesn't exist:
+// 		- return errVMUnknown
+//  - entry does exist but the ref count is 0
+//		- return the svm and errVMisTerminating. Caller can call svm.getStopError() to wait for stop
+//	- entry does exist but ref count is 1
+//  	- return vm and set lastRef to true. The caller can then stop the vm, delete the id from this map
+//      - and execute svm.signalStopFinished to signal the threads that the svm has been terminated.
+//	- entry does exist and ref count > 1
+//		- just reduce ref count and return svm
+func (svmMap *serviceVMMap) decrementRefCount(id string) (_ *serviceVM, lastRef bool, _ error) {
+	svmMap.Lock()
+	defer svmMap.Unlock()
+
+	svm, ok := svmMap.svms[id]
+	if !ok {
+		return nil, false, errVMUnknown
+	}
+	if svm.refCount == 0 {
+		return svm.svm, false, errVMisTerminating
+	}
+	svm.refCount--
+	return svm.svm, svm.refCount == 0, nil
+}
+
+// setRefCountZero works the same way as decrementRefCount, but sets ref count to 0 instead of decrementing it.
+func (svmMap *serviceVMMap) setRefCountZero(id string) (*serviceVM, error) {
+	svmMap.Lock()
+	defer svmMap.Unlock()
+
+	svm, ok := svmMap.svms[id]
+	if !ok {
+		return nil, errVMUnknown
+	}
+	if svm.refCount == 0 {
+		return svm.svm, errVMisTerminating
+	}
+	svm.refCount = 0
+	return svm.svm, nil
+}
+
+// deleteID deletes the given ID from the map. If the refcount is not 0 or the
+// VM does not exist, then this function returns an error.
+func (svmMap *serviceVMMap) deleteID(id string) error {
+	svmMap.Lock()
+	defer svmMap.Unlock()
+	svm, ok := svmMap.svms[id]
+	if !ok {
+		return errVMUnknown
+	}
+	if svm.refCount != 0 {
+		return errVMStillHasReference
+	}
+	delete(svmMap.svms, id)
+	return nil
+}
+
+func (svm *serviceVM) signalStartFinished(err error) {
+	svm.Lock()
+	svm.startError = err
+	svm.Unlock()
+	close(svm.startStatus)
+}
+
+func (svm *serviceVM) getStartError() error {
+	<-svm.startStatus
+	svm.Lock()
+	defer svm.Unlock()
+	return svm.startError
+}
+
+func (svm *serviceVM) signalStopFinished(err error) {
+	svm.Lock()
+	svm.stopError = err
+	svm.Unlock()
+	close(svm.stopStatus)
+}
+
+func (svm *serviceVM) getStopError() error {
+	<-svm.stopStatus
+	svm.Lock()
+	defer svm.Unlock()
+	return svm.stopError
+}
+
+// hotAddVHDs waits for the service vm to start and then attaches the vhds.
+func (svm *serviceVM) hotAddVHDs(mvds ...hcsshim.MappedVirtualDisk) error {
+	if err := svm.getStartError(); err != nil {
+		return err
+	}
+	return svm.hotAddVHDsAtStart(mvds...)
+}
+
+// hotAddVHDsAtStart works the same way as hotAddVHDs but does not wait for the VM to start.
+func (svm *serviceVM) hotAddVHDsAtStart(mvds ...hcsshim.MappedVirtualDisk) error {
+	svm.Lock()
+	defer svm.Unlock()
+	for i, mvd := range mvds {
+		if _, ok := svm.attachedVHDs[mvd.HostPath]; ok {
+			svm.attachedVHDs[mvd.HostPath]++
+			continue
+		}
+
+		if err := svm.config.HotAddVhd(mvd.HostPath, mvd.ContainerPath, mvd.ReadOnly, !mvd.AttachOnly); err != nil {
+			svm.hotRemoveVHDsNoLock(mvds[:i]...)
+			return err
+		}
+		svm.attachedVHDs[mvd.HostPath] = 1
+	}
+	return nil
+}
+
+// hotRemoveVHDs waits for the service vm to start and then removes the vhds.
+// The service VM must not be locked when calling this function.
+func (svm *serviceVM) hotRemoveVHDs(mvds ...hcsshim.MappedVirtualDisk) error {
+	if err := svm.getStartError(); err != nil {
+		return err
+	}
+	svm.Lock()
+	defer svm.Unlock()
+	return svm.hotRemoveVHDsNoLock(mvds...)
+}
+
+// hotRemoveVHDsNoLock removes VHDs from a service VM. When calling this function,
+// the contract is the service VM lock must be held.
+func (svm *serviceVM) hotRemoveVHDsNoLock(mvds ...hcsshim.MappedVirtualDisk) error {
+	var retErr error
+	for _, mvd := range mvds {
+		if _, ok := svm.attachedVHDs[mvd.HostPath]; !ok {
+			// We continue instead of returning an error if we try to hot remove a non-existent VHD.
+			// This is because one of the callers of the function is graphdriver.Put(). Since graphdriver.Get()
+			// defers the VM start to the first operation, it's possible that nothing have been hot-added
+			// when Put() is called. To avoid Put returning an error in that case, we simply continue if we
+			// don't find the vhd attached.
+			continue
+		}
+
+		if svm.attachedVHDs[mvd.HostPath] > 1 {
+			svm.attachedVHDs[mvd.HostPath]--
+			continue
+		}
+
+		// last VHD, so remove from VM and map
+		if err := svm.config.HotRemoveVhd(mvd.HostPath); err == nil {
+			delete(svm.attachedVHDs, mvd.HostPath)
+		} else {
+			// Take note of the error, but still continue to remove the other VHDs
+			logrus.Warnf("Failed to hot remove %s: %s", mvd.HostPath, err)
+			if retErr == nil {
+				retErr = err
+			}
+		}
+	}
+	return retErr
+}
+
+func (svm *serviceVM) createExt4VHDX(destFile string, sizeGB uint32, cacheFile string) error {
+	if err := svm.getStartError(); err != nil {
+		return err
+	}
+
+	svm.Lock()
+	defer svm.Unlock()
+	return svm.config.CreateExt4Vhdx(destFile, sizeGB, cacheFile)
+}
+
+func (svm *serviceVM) createUnionMount(mountName string, mvds ...hcsshim.MappedVirtualDisk) (err error) {
+	if len(mvds) == 0 {
+		return fmt.Errorf("createUnionMount: error must have at least 1 layer")
+	}
+
+	if err = svm.getStartError(); err != nil {
+		return err
+	}
+
+	svm.Lock()
+	defer svm.Unlock()
+	if _, ok := svm.unionMounts[mountName]; ok {
+		svm.unionMounts[mountName]++
+		return nil
+	}
+
+	var lowerLayers []string
+	if mvds[0].ReadOnly {
+		lowerLayers = append(lowerLayers, mvds[0].ContainerPath)
+	}
+
+	for i := 1; i < len(mvds); i++ {
+		lowerLayers = append(lowerLayers, mvds[i].ContainerPath)
+	}
+
+	logrus.Debugf("Doing the overlay mount with union directory=%s", mountName)
+	if err = svm.runProcess(fmt.Sprintf("mkdir -p %s", mountName), nil, nil, nil); err != nil {
+		return err
+	}
+
+	var cmd string
+	if len(mvds) == 1 {
+		// `FROM SCRATCH` case and the only layer. No overlay required.
+		cmd = fmt.Sprintf("mount %s %s", mvds[0].ContainerPath, mountName)
+	} else if mvds[0].ReadOnly {
+		// Readonly overlay
+		cmd = fmt.Sprintf("mount -t overlay overlay -olowerdir=%s %s",
+			strings.Join(lowerLayers, ","),
+			mountName)
+	} else {
+		upper := fmt.Sprintf("%s/upper", mvds[0].ContainerPath)
+		work := fmt.Sprintf("%s/work", mvds[0].ContainerPath)
+
+		if err = svm.runProcess(fmt.Sprintf("mkdir -p %s %s", upper, work), nil, nil, nil); err != nil {
+			return err
+		}
+
+		cmd = fmt.Sprintf("mount -t overlay overlay -olowerdir=%s,upperdir=%s,workdir=%s %s",
+			strings.Join(lowerLayers, ":"),
+			upper,
+			work,
+			mountName)
+	}
+
+	logrus.Debugf("createUnionMount: Executing mount=%s", cmd)
+	if err = svm.runProcess(cmd, nil, nil, nil); err != nil {
+		return err
+	}
+
+	svm.unionMounts[mountName] = 1
+	return nil
+}
+
+func (svm *serviceVM) deleteUnionMount(mountName string, disks ...hcsshim.MappedVirtualDisk) error {
+	if err := svm.getStartError(); err != nil {
+		return err
+	}
+
+	svm.Lock()
+	defer svm.Unlock()
+	if _, ok := svm.unionMounts[mountName]; !ok {
+		return nil
+	}
+
+	if svm.unionMounts[mountName] > 1 {
+		svm.unionMounts[mountName]--
+		return nil
+	}
+
+	logrus.Debugf("Removing union mount %s", mountName)
+	if err := svm.runProcess(fmt.Sprintf("umount %s", mountName), nil, nil, nil); err != nil {
+		return err
+	}
+
+	delete(svm.unionMounts, mountName)
+	return nil
+}
+
+func (svm *serviceVM) runProcess(command string, stdin io.Reader, stdout io.Writer, stderr io.Writer) error {
+	process, err := svm.config.RunProcess(command, stdin, stdout, stderr)
+	if err != nil {
+		return err
+	}
+	defer process.Close()
+
+	process.WaitTimeout(time.Duration(int(time.Second) * svm.config.UvmTimeoutSeconds))
+	exitCode, err := process.ExitCode()
+	if err != nil {
+		return err
+	}
+
+	if exitCode != 0 {
+		return fmt.Errorf("svm.runProcess: command %s failed with exit code %d", command, exitCode)
+	}
+	return nil
+}
diff --git a/engine/daemon/graphdriver/lcow/remotefs.go b/engine/daemon/graphdriver/lcow/remotefs.go
new file mode 100644
index 00000000..29f15fd2
--- /dev/null
+++ b/engine/daemon/graphdriver/lcow/remotefs.go
@@ -0,0 +1,139 @@
+// +build windows
+
+package lcow // import "github.com/docker/docker/daemon/graphdriver/lcow"
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"runtime"
+	"strings"
+	"sync"
+
+	"github.com/Microsoft/hcsshim"
+	"github.com/Microsoft/opengcs/service/gcsutils/remotefs"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/sirupsen/logrus"
+)
+
+type lcowfs struct {
+	root        string
+	d           *Driver
+	mappedDisks []hcsshim.MappedVirtualDisk
+	vmID        string
+	currentSVM  *serviceVM
+	sync.Mutex
+}
+
+var _ containerfs.ContainerFS = &lcowfs{}
+
+// ErrNotSupported is an error for unsupported operations in the remotefs
+var ErrNotSupported = fmt.Errorf("not supported")
+
+// Functions to implement the ContainerFS interface
+func (l *lcowfs) Path() string {
+	return l.root
+}
+
+func (l *lcowfs) ResolveScopedPath(path string, rawPath bool) (string, error) {
+	logrus.Debugf("remotefs.resolvescopedpath inputs: %s %s ", path, l.root)
+
+	arg1 := l.Join(l.root, path)
+	if !rawPath {
+		// The l.Join("/", path) will make path an absolute path and then clean it
+		// so if path = ../../X, it will become /X.
+		arg1 = l.Join(l.root, l.Join("/", path))
+	}
+	arg2 := l.root
+
+	output := &bytes.Buffer{}
+	if err := l.runRemoteFSProcess(nil, output, remotefs.ResolvePathCmd, arg1, arg2); err != nil {
+		return "", err
+	}
+
+	logrus.Debugf("remotefs.resolvescopedpath success. Output: %s\n", output.String())
+	return output.String(), nil
+}
+
+func (l *lcowfs) OS() string {
+	return "linux"
+}
+
+func (l *lcowfs) Architecture() string {
+	return runtime.GOARCH
+}
+
+// Other functions that are used by docker like the daemon Archiver/Extractor
+func (l *lcowfs) ExtractArchive(src io.Reader, dst string, opts *archive.TarOptions) error {
+	logrus.Debugf("remotefs.ExtractArchve inputs: %s %+v", dst, opts)
+
+	tarBuf := &bytes.Buffer{}
+	if err := remotefs.WriteTarOptions(tarBuf, opts); err != nil {
+		return fmt.Errorf("failed to marshall tar opts: %s", err)
+	}
+
+	input := io.MultiReader(tarBuf, src)
+	if err := l.runRemoteFSProcess(input, nil, remotefs.ExtractArchiveCmd, dst); err != nil {
+		return fmt.Errorf("failed to extract archive to %s: %s", dst, err)
+	}
+	return nil
+}
+
+func (l *lcowfs) ArchivePath(src string, opts *archive.TarOptions) (io.ReadCloser, error) {
+	logrus.Debugf("remotefs.ArchivePath: %s %+v", src, opts)
+
+	tarBuf := &bytes.Buffer{}
+	if err := remotefs.WriteTarOptions(tarBuf, opts); err != nil {
+		return nil, fmt.Errorf("failed to marshall tar opts: %s", err)
+	}
+
+	r, w := io.Pipe()
+	go func() {
+		defer w.Close()
+		if err := l.runRemoteFSProcess(tarBuf, w, remotefs.ArchivePathCmd, src); err != nil {
+			logrus.Debugf("REMOTEFS: Failed to extract archive: %s %+v %s", src, opts, err)
+		}
+	}()
+	return r, nil
+}
+
+// Helper functions
+func (l *lcowfs) startVM() error {
+	l.Lock()
+	defer l.Unlock()
+	if l.currentSVM != nil {
+		return nil
+	}
+
+	svm, err := l.d.startServiceVMIfNotRunning(l.vmID, l.mappedDisks, fmt.Sprintf("lcowfs.startVM"))
+	if err != nil {
+		return err
+	}
+
+	if err = svm.createUnionMount(l.root, l.mappedDisks...); err != nil {
+		return err
+	}
+	l.currentSVM = svm
+	return nil
+}
+
+func (l *lcowfs) runRemoteFSProcess(stdin io.Reader, stdout io.Writer, args ...string) error {
+	if err := l.startVM(); err != nil {
+		return err
+	}
+
+	// Append remotefs prefix and setup as a command line string
+	cmd := fmt.Sprintf("%s %s", remotefs.RemotefsCmd, strings.Join(args, " "))
+	stderr := &bytes.Buffer{}
+	if err := l.currentSVM.runProcess(cmd, stdin, stdout, stderr); err != nil {
+		return err
+	}
+
+	eerr, err := remotefs.ReadError(stderr)
+	if eerr != nil {
+		// Process returned an error so return that.
+		return remotefs.ExportedToError(eerr)
+	}
+	return err
+}
diff --git a/engine/daemon/graphdriver/lcow/remotefs_file.go b/engine/daemon/graphdriver/lcow/remotefs_file.go
new file mode 100644
index 00000000..1f00bfff
--- /dev/null
+++ b/engine/daemon/graphdriver/lcow/remotefs_file.go
@@ -0,0 +1,211 @@
+// +build windows
+
+package lcow // import "github.com/docker/docker/daemon/graphdriver/lcow"
+
+import (
+	"bytes"
+	"encoding/binary"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"strconv"
+
+	"github.com/Microsoft/hcsshim"
+	"github.com/Microsoft/opengcs/service/gcsutils/remotefs"
+	"github.com/containerd/continuity/driver"
+)
+
+type lcowfile struct {
+	process   hcsshim.Process
+	stdin     io.WriteCloser
+	stdout    io.ReadCloser
+	stderr    io.ReadCloser
+	fs        *lcowfs
+	guestPath string
+}
+
+func (l *lcowfs) Open(path string) (driver.File, error) {
+	return l.OpenFile(path, os.O_RDONLY, 0)
+}
+
+func (l *lcowfs) OpenFile(path string, flag int, perm os.FileMode) (_ driver.File, err error) {
+	flagStr := strconv.FormatInt(int64(flag), 10)
+	permStr := strconv.FormatUint(uint64(perm), 8)
+
+	commandLine := fmt.Sprintf("%s %s %s %s %s", remotefs.RemotefsCmd, remotefs.OpenFileCmd, path, flagStr, permStr)
+	env := make(map[string]string)
+	env["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:"
+	processConfig := &hcsshim.ProcessConfig{
+		EmulateConsole:    false,
+		CreateStdInPipe:   true,
+		CreateStdOutPipe:  true,
+		CreateStdErrPipe:  true,
+		CreateInUtilityVm: true,
+		WorkingDirectory:  "/bin",
+		Environment:       env,
+		CommandLine:       commandLine,
+	}
+
+	process, err := l.currentSVM.config.Uvm.CreateProcess(processConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file %s: %s", path, err)
+	}
+
+	stdin, stdout, stderr, err := process.Stdio()
+	if err != nil {
+		process.Kill()
+		process.Close()
+		return nil, fmt.Errorf("failed to open file pipes %s: %s", path, err)
+	}
+
+	lf := &lcowfile{
+		process:   process,
+		stdin:     stdin,
+		stdout:    stdout,
+		stderr:    stderr,
+		fs:        l,
+		guestPath: path,
+	}
+
+	if _, err := lf.getResponse(); err != nil {
+		return nil, fmt.Errorf("failed to open file %s: %s", path, err)
+	}
+	return lf, nil
+}
+
+func (l *lcowfile) Read(b []byte) (int, error) {
+	hdr := &remotefs.FileHeader{
+		Cmd:  remotefs.Read,
+		Size: uint64(len(b)),
+	}
+
+	if err := remotefs.WriteFileHeader(l.stdin, hdr, nil); err != nil {
+		return 0, err
+	}
+
+	buf, err := l.getResponse()
+	if err != nil {
+		return 0, err
+	}
+
+	n := copy(b, buf)
+	return n, nil
+}
+
+func (l *lcowfile) Write(b []byte) (int, error) {
+	hdr := &remotefs.FileHeader{
+		Cmd:  remotefs.Write,
+		Size: uint64(len(b)),
+	}
+
+	if err := remotefs.WriteFileHeader(l.stdin, hdr, b); err != nil {
+		return 0, err
+	}
+
+	_, err := l.getResponse()
+	if err != nil {
+		return 0, err
+	}
+
+	return len(b), nil
+}
+
+func (l *lcowfile) Seek(offset int64, whence int) (int64, error) {
+	seekHdr := &remotefs.SeekHeader{
+		Offset: offset,
+		Whence: int32(whence),
+	}
+
+	buf := &bytes.Buffer{}
+	if err := binary.Write(buf, binary.BigEndian, seekHdr); err != nil {
+		return 0, err
+	}
+
+	hdr := &remotefs.FileHeader{
+		Cmd:  remotefs.Write,
+		Size: uint64(buf.Len()),
+	}
+	if err := remotefs.WriteFileHeader(l.stdin, hdr, buf.Bytes()); err != nil {
+		return 0, err
+	}
+
+	resBuf, err := l.getResponse()
+	if err != nil {
+		return 0, err
+	}
+
+	var res int64
+	if err := binary.Read(bytes.NewBuffer(resBuf), binary.BigEndian, &res); err != nil {
+		return 0, err
+	}
+	return res, nil
+}
+
+func (l *lcowfile) Close() error {
+	hdr := &remotefs.FileHeader{
+		Cmd:  remotefs.Close,
+		Size: 0,
+	}
+
+	if err := remotefs.WriteFileHeader(l.stdin, hdr, nil); err != nil {
+		return err
+	}
+
+	_, err := l.getResponse()
+	return err
+}
+
+func (l *lcowfile) Readdir(n int) ([]os.FileInfo, error) {
+	nStr := strconv.FormatInt(int64(n), 10)
+
+	// Unlike the other File functions, this one can just be run without maintaining state,
+	// so just do the normal runRemoteFSProcess way.
+	buf := &bytes.Buffer{}
+	if err := l.fs.runRemoteFSProcess(nil, buf, remotefs.ReadDirCmd, l.guestPath, nStr); err != nil {
+		return nil, err
+	}
+
+	var info []remotefs.FileInfo
+	if err := json.Unmarshal(buf.Bytes(), &info); err != nil {
+		return nil, err
+	}
+
+	osInfo := make([]os.FileInfo, len(info))
+	for i := range info {
+		osInfo[i] = &info[i]
+	}
+	return osInfo, nil
+}
+
+func (l *lcowfile) getResponse() ([]byte, error) {
+	hdr, err := remotefs.ReadFileHeader(l.stdout)
+	if err != nil {
+		return nil, err
+	}
+
+	if hdr.Cmd != remotefs.CmdOK {
+		// Something went wrong during the openfile in the server.
+		// Parse stderr and return that as an error
+		eerr, err := remotefs.ReadError(l.stderr)
+		if eerr != nil {
+			return nil, remotefs.ExportedToError(eerr)
+		}
+
+		// Maybe the parsing went wrong?
+		if err != nil {
+			return nil, err
+		}
+
+		// At this point, we know something went wrong in the remotefs program, but
+		// we we don't know why.
+		return nil, fmt.Errorf("unknown error")
+	}
+
+	// Successful command, we might have some data to read (for Read + Seek)
+	buf := make([]byte, hdr.Size, hdr.Size)
+	if _, err := io.ReadFull(l.stdout, buf); err != nil {
+		return nil, err
+	}
+	return buf, nil
+}
diff --git a/engine/daemon/graphdriver/lcow/remotefs_filedriver.go b/engine/daemon/graphdriver/lcow/remotefs_filedriver.go
new file mode 100644
index 00000000..f335868a
--- /dev/null
+++ b/engine/daemon/graphdriver/lcow/remotefs_filedriver.go
@@ -0,0 +1,123 @@
+// +build windows
+
+package lcow // import "github.com/docker/docker/daemon/graphdriver/lcow"
+
+import (
+	"bytes"
+	"encoding/json"
+	"os"
+	"strconv"
+
+	"github.com/Microsoft/opengcs/service/gcsutils/remotefs"
+
+	"github.com/containerd/continuity/driver"
+	"github.com/sirupsen/logrus"
+)
+
+var _ driver.Driver = &lcowfs{}
+
+func (l *lcowfs) Readlink(p string) (string, error) {
+	logrus.Debugf("removefs.readlink args: %s", p)
+
+	result := &bytes.Buffer{}
+	if err := l.runRemoteFSProcess(nil, result, remotefs.ReadlinkCmd, p); err != nil {
+		return "", err
+	}
+	return result.String(), nil
+}
+
+func (l *lcowfs) Mkdir(path string, mode os.FileMode) error {
+	return l.mkdir(path, mode, remotefs.MkdirCmd)
+}
+
+func (l *lcowfs) MkdirAll(path string, mode os.FileMode) error {
+	return l.mkdir(path, mode, remotefs.MkdirAllCmd)
+}
+
+func (l *lcowfs) mkdir(path string, mode os.FileMode, cmd string) error {
+	modeStr := strconv.FormatUint(uint64(mode), 8)
+	logrus.Debugf("remotefs.%s args: %s %s", cmd, path, modeStr)
+	return l.runRemoteFSProcess(nil, nil, cmd, path, modeStr)
+}
+
+func (l *lcowfs) Remove(path string) error {
+	return l.remove(path, remotefs.RemoveCmd)
+}
+
+func (l *lcowfs) RemoveAll(path string) error {
+	return l.remove(path, remotefs.RemoveAllCmd)
+}
+
+func (l *lcowfs) remove(path string, cmd string) error {
+	logrus.Debugf("remotefs.%s args: %s", cmd, path)
+	return l.runRemoteFSProcess(nil, nil, cmd, path)
+}
+
+func (l *lcowfs) Link(oldname, newname string) error {
+	return l.link(oldname, newname, remotefs.LinkCmd)
+}
+
+func (l *lcowfs) Symlink(oldname, newname string) error {
+	return l.link(oldname, newname, remotefs.SymlinkCmd)
+}
+
+func (l *lcowfs) link(oldname, newname, cmd string) error {
+	logrus.Debugf("remotefs.%s args: %s %s", cmd, oldname, newname)
+	return l.runRemoteFSProcess(nil, nil, cmd, oldname, newname)
+}
+
+func (l *lcowfs) Lchown(name string, uid, gid int64) error {
+	uidStr := strconv.FormatInt(uid, 10)
+	gidStr := strconv.FormatInt(gid, 10)
+
+	logrus.Debugf("remotefs.lchown args: %s %s %s", name, uidStr, gidStr)
+	return l.runRemoteFSProcess(nil, nil, remotefs.LchownCmd, name, uidStr, gidStr)
+}
+
+// Lchmod changes the mode of an file not following symlinks.
+func (l *lcowfs) Lchmod(path string, mode os.FileMode) error {
+	modeStr := strconv.FormatUint(uint64(mode), 8)
+	logrus.Debugf("remotefs.lchmod args: %s %s", path, modeStr)
+	return l.runRemoteFSProcess(nil, nil, remotefs.LchmodCmd, path, modeStr)
+}
+
+func (l *lcowfs) Mknod(path string, mode os.FileMode, major, minor int) error {
+	modeStr := strconv.FormatUint(uint64(mode), 8)
+	majorStr := strconv.FormatUint(uint64(major), 10)
+	minorStr := strconv.FormatUint(uint64(minor), 10)
+
+	logrus.Debugf("remotefs.mknod args: %s %s %s %s", path, modeStr, majorStr, minorStr)
+	return l.runRemoteFSProcess(nil, nil, remotefs.MknodCmd, path, modeStr, majorStr, minorStr)
+}
+
+func (l *lcowfs) Mkfifo(path string, mode os.FileMode) error {
+	modeStr := strconv.FormatUint(uint64(mode), 8)
+	logrus.Debugf("remotefs.mkfifo args: %s %s", path, modeStr)
+	return l.runRemoteFSProcess(nil, nil, remotefs.MkfifoCmd, path, modeStr)
+}
+
+func (l *lcowfs) Stat(p string) (os.FileInfo, error) {
+	return l.stat(p, remotefs.StatCmd)
+}
+
+func (l *lcowfs) Lstat(p string) (os.FileInfo, error) {
+	return l.stat(p, remotefs.LstatCmd)
+}
+
+func (l *lcowfs) stat(path string, cmd string) (os.FileInfo, error) {
+	logrus.Debugf("remotefs.stat inputs: %s %s", cmd, path)
+
+	output := &bytes.Buffer{}
+	err := l.runRemoteFSProcess(nil, output, cmd, path)
+	if err != nil {
+		return nil, err
+	}
+
+	var fi remotefs.FileInfo
+	if err := json.Unmarshal(output.Bytes(), &fi); err != nil {
+		return nil, err
+	}
+
+	logrus.Debugf("remotefs.stat success. got: %v\n", fi)
+	return &fi, nil
+}
diff --git a/engine/daemon/graphdriver/lcow/remotefs_pathdriver.go b/engine/daemon/graphdriver/lcow/remotefs_pathdriver.go
new file mode 100644
index 00000000..74895b04
--- /dev/null
+++ b/engine/daemon/graphdriver/lcow/remotefs_pathdriver.go
@@ -0,0 +1,212 @@
+// +build windows
+
+package lcow // import "github.com/docker/docker/daemon/graphdriver/lcow"
+
+import (
+	"errors"
+	"os"
+	pathpkg "path"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/containerd/continuity/pathdriver"
+)
+
+var _ pathdriver.PathDriver = &lcowfs{}
+
+// Continuity Path functions can be done locally
+func (l *lcowfs) Join(path ...string) string {
+	return pathpkg.Join(path...)
+}
+
+func (l *lcowfs) IsAbs(path string) bool {
+	return pathpkg.IsAbs(path)
+}
+
+func sameWord(a, b string) bool {
+	return a == b
+}
+
+// Implementation taken from the Go standard library
+func (l *lcowfs) Rel(basepath, targpath string) (string, error) {
+	baseVol := ""
+	targVol := ""
+	base := l.Clean(basepath)
+	targ := l.Clean(targpath)
+	if sameWord(targ, base) {
+		return ".", nil
+	}
+	base = base[len(baseVol):]
+	targ = targ[len(targVol):]
+	if base == "." {
+		base = ""
+	}
+	// Can't use IsAbs - `\a` and `a` are both relative in Windows.
+	baseSlashed := len(base) > 0 && base[0] == l.Separator()
+	targSlashed := len(targ) > 0 && targ[0] == l.Separator()
+	if baseSlashed != targSlashed || !sameWord(baseVol, targVol) {
+		return "", errors.New("Rel: can't make " + targpath + " relative to " + basepath)
+	}
+	// Position base[b0:bi] and targ[t0:ti] at the first differing elements.
+	bl := len(base)
+	tl := len(targ)
+	var b0, bi, t0, ti int
+	for {
+		for bi < bl && base[bi] != l.Separator() {
+			bi++
+		}
+		for ti < tl && targ[ti] != l.Separator() {
+			ti++
+		}
+		if !sameWord(targ[t0:ti], base[b0:bi]) {
+			break
+		}
+		if bi < bl {
+			bi++
+		}
+		if ti < tl {
+			ti++
+		}
+		b0 = bi
+		t0 = ti
+	}
+	if base[b0:bi] == ".." {
+		return "", errors.New("Rel: can't make " + targpath + " relative to " + basepath)
+	}
+	if b0 != bl {
+		// Base elements left. Must go up before going down.
+		seps := strings.Count(base[b0:bl], string(l.Separator()))
+		size := 2 + seps*3
+		if tl != t0 {
+			size += 1 + tl - t0
+		}
+		buf := make([]byte, size)
+		n := copy(buf, "..")
+		for i := 0; i < seps; i++ {
+			buf[n] = l.Separator()
+			copy(buf[n+1:], "..")
+			n += 3
+		}
+		if t0 != tl {
+			buf[n] = l.Separator()
+			copy(buf[n+1:], targ[t0:])
+		}
+		return string(buf), nil
+	}
+	return targ[t0:], nil
+}
+
+func (l *lcowfs) Base(path string) string {
+	return pathpkg.Base(path)
+}
+
+func (l *lcowfs) Dir(path string) string {
+	return pathpkg.Dir(path)
+}
+
+func (l *lcowfs) Clean(path string) string {
+	return pathpkg.Clean(path)
+}
+
+func (l *lcowfs) Split(path string) (dir, file string) {
+	return pathpkg.Split(path)
+}
+
+func (l *lcowfs) Separator() byte {
+	return '/'
+}
+
+func (l *lcowfs) Abs(path string) (string, error) {
+	// Abs is supposed to add the current working directory, which is meaningless in lcow.
+	// So, return an error.
+	return "", ErrNotSupported
+}
+
+// Implementation taken from the Go standard library
+func (l *lcowfs) Walk(root string, walkFn filepath.WalkFunc) error {
+	info, err := l.Lstat(root)
+	if err != nil {
+		err = walkFn(root, nil, err)
+	} else {
+		err = l.walk(root, info, walkFn)
+	}
+	if err == filepath.SkipDir {
+		return nil
+	}
+	return err
+}
+
+// walk recursively descends path, calling w.
+func (l *lcowfs) walk(path string, info os.FileInfo, walkFn filepath.WalkFunc) error {
+	err := walkFn(path, info, nil)
+	if err != nil {
+		if info.IsDir() && err == filepath.SkipDir {
+			return nil
+		}
+		return err
+	}
+
+	if !info.IsDir() {
+		return nil
+	}
+
+	names, err := l.readDirNames(path)
+	if err != nil {
+		return walkFn(path, info, err)
+	}
+
+	for _, name := range names {
+		filename := l.Join(path, name)
+		fileInfo, err := l.Lstat(filename)
+		if err != nil {
+			if err := walkFn(filename, fileInfo, err); err != nil && err != filepath.SkipDir {
+				return err
+			}
+		} else {
+			err = l.walk(filename, fileInfo, walkFn)
+			if err != nil {
+				if !fileInfo.IsDir() || err != filepath.SkipDir {
+					return err
+				}
+			}
+		}
+	}
+	return nil
+}
+
+// readDirNames reads the directory named by dirname and returns
+// a sorted list of directory entries.
+func (l *lcowfs) readDirNames(dirname string) ([]string, error) {
+	f, err := l.Open(dirname)
+	if err != nil {
+		return nil, err
+	}
+	files, err := f.Readdir(-1)
+	f.Close()
+	if err != nil {
+		return nil, err
+	}
+
+	names := make([]string, len(files), len(files))
+	for i := range files {
+		names[i] = files[i].Name()
+	}
+
+	sort.Strings(names)
+	return names, nil
+}
+
+// Note that Go's filepath.FromSlash/ToSlash convert between OS paths and '/'. Since the path separator
+// for LCOW (and Unix) is '/', they are no-ops.
+func (l *lcowfs) FromSlash(path string) string {
+	return path
+}
+
+func (l *lcowfs) ToSlash(path string) string {
+	return path
+}
+
+func (l *lcowfs) Match(pattern, name string) (matched bool, err error) {
+	return pathpkg.Match(pattern, name)
+}
diff --git a/engine/daemon/graphdriver/overlay/overlay.go b/engine/daemon/graphdriver/overlay/overlay.go
new file mode 100644
index 00000000..0c2167f0
--- /dev/null
+++ b/engine/daemon/graphdriver/overlay/overlay.go
@@ -0,0 +1,524 @@
+// +build linux
+
+package overlay // import "github.com/docker/docker/daemon/graphdriver/overlay"
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/daemon/graphdriver/copy"
+	"github.com/docker/docker/daemon/graphdriver/overlayutils"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/fsutils"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/parsers"
+	"github.com/docker/docker/pkg/system"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// This is a small wrapper over the NaiveDiffWriter that lets us have a custom
+// implementation of ApplyDiff()
+
+var (
+	// ErrApplyDiffFallback is returned to indicate that a normal ApplyDiff is applied as a fallback from Naive diff writer.
+	ErrApplyDiffFallback = fmt.Errorf("Fall back to normal ApplyDiff")
+	backingFs            = "<unknown>"
+)
+
+// ApplyDiffProtoDriver wraps the ProtoDriver by extending the interface with ApplyDiff method.
+type ApplyDiffProtoDriver interface {
+	graphdriver.ProtoDriver
+	// ApplyDiff writes the diff to the archive for the given id and parent id.
+	// It returns the size in bytes written if successful, an error ErrApplyDiffFallback is returned otherwise.
+	ApplyDiff(id, parent string, diff io.Reader) (size int64, err error)
+}
+
+type naiveDiffDriverWithApply struct {
+	graphdriver.Driver
+	applyDiff ApplyDiffProtoDriver
+}
+
+// NaiveDiffDriverWithApply returns a NaiveDiff driver with custom ApplyDiff.
+func NaiveDiffDriverWithApply(driver ApplyDiffProtoDriver, uidMaps, gidMaps []idtools.IDMap) graphdriver.Driver {
+	return &naiveDiffDriverWithApply{
+		Driver:    graphdriver.NewNaiveDiffDriver(driver, uidMaps, gidMaps),
+		applyDiff: driver,
+	}
+}
+
+// ApplyDiff creates a diff layer with either the NaiveDiffDriver or with a fallback.
+func (d *naiveDiffDriverWithApply) ApplyDiff(id, parent string, diff io.Reader) (int64, error) {
+	b, err := d.applyDiff.ApplyDiff(id, parent, diff)
+	if err == ErrApplyDiffFallback {
+		return d.Driver.ApplyDiff(id, parent, diff)
+	}
+	return b, err
+}
+
+// This backend uses the overlay union filesystem for containers
+// plus hard link file sharing for images.
+
+// Each container/image can have a "root" subdirectory which is a plain
+// filesystem hierarchy, or they can use overlay.
+
+// If they use overlay there is a "upper" directory and a "lower-id"
+// file, as well as "merged" and "work" directories. The "upper"
+// directory has the upper layer of the overlay, and "lower-id" contains
+// the id of the parent whose "root" directory shall be used as the lower
+// layer in the overlay. The overlay itself is mounted in the "merged"
+// directory, and the "work" dir is needed for overlay to work.
+
+// When an overlay layer is created there are two cases, either the
+// parent has a "root" dir, then we start out with an empty "upper"
+// directory overlaid on the parents root. This is typically the
+// case with the init layer of a container which is based on an image.
+// If there is no "root" in the parent, we inherit the lower-id from
+// the parent and start by making a copy in the parent's "upper" dir.
+// This is typically the case for a container layer which copies
+// its parent -init upper layer.
+
+// Additionally we also have a custom implementation of ApplyLayer
+// which makes a recursive copy of the parent "root" layer using
+// hardlinks to share file data, and then applies the layer on top
+// of that. This means all child images share file (but not directory)
+// data with the parent.
+
+type overlayOptions struct{}
+
+// Driver contains information about the home directory and the list of active mounts that are created using this driver.
+type Driver struct {
+	home          string
+	uidMaps       []idtools.IDMap
+	gidMaps       []idtools.IDMap
+	ctr           *graphdriver.RefCounter
+	supportsDType bool
+	locker        *locker.Locker
+}
+
+func init() {
+	graphdriver.Register("overlay", Init)
+}
+
+// Init returns the NaiveDiffDriver, a native diff driver for overlay filesystem.
+// If overlay filesystem is not supported on the host, the error
+// graphdriver.ErrNotSupported is returned.
+// If an overlay filesystem is not supported over an existing filesystem then
+// error graphdriver.ErrIncompatibleFS is returned.
+func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) {
+	_, err := parseOptions(options)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := supportsOverlay(); err != nil {
+		return nil, graphdriver.ErrNotSupported
+	}
+
+	// Perform feature detection on /var/lib/docker/overlay if it's an existing directory.
+	// This covers situations where /var/lib/docker/overlay is a mount, and on a different
+	// filesystem than /var/lib/docker.
+	// If the path does not exist, fall back to using /var/lib/docker for feature detection.
+	testdir := home
+	if _, err := os.Stat(testdir); os.IsNotExist(err) {
+		testdir = filepath.Dir(testdir)
+	}
+
+	fsMagic, err := graphdriver.GetFSMagic(testdir)
+	if err != nil {
+		return nil, err
+	}
+	if fsName, ok := graphdriver.FsNames[fsMagic]; ok {
+		backingFs = fsName
+	}
+
+	switch fsMagic {
+	case graphdriver.FsMagicAufs, graphdriver.FsMagicBtrfs, graphdriver.FsMagicEcryptfs, graphdriver.FsMagicNfsFs, graphdriver.FsMagicOverlay, graphdriver.FsMagicZfs:
+		logrus.WithField("storage-driver", "overlay").Errorf("'overlay' is not supported over %s", backingFs)
+		return nil, graphdriver.ErrIncompatibleFS
+	}
+
+	supportsDType, err := fsutils.SupportsDType(testdir)
+	if err != nil {
+		return nil, err
+	}
+	if !supportsDType {
+		if !graphdriver.IsInitialized(home) {
+			return nil, overlayutils.ErrDTypeNotSupported("overlay", backingFs)
+		}
+		// allow running without d_type only for existing setups (#27443)
+		logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs))
+	}
+
+	rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
+	if err != nil {
+		return nil, err
+	}
+	// Create the driver home dir
+	if err := idtools.MkdirAllAndChown(home, 0700, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+		return nil, err
+	}
+
+	d := &Driver{
+		home:          home,
+		uidMaps:       uidMaps,
+		gidMaps:       gidMaps,
+		ctr:           graphdriver.NewRefCounter(graphdriver.NewFsChecker(graphdriver.FsMagicOverlay)),
+		supportsDType: supportsDType,
+		locker:        locker.New(),
+	}
+
+	return NaiveDiffDriverWithApply(d, uidMaps, gidMaps), nil
+}
+
+func parseOptions(options []string) (*overlayOptions, error) {
+	o := &overlayOptions{}
+	for _, option := range options {
+		key, _, err := parsers.ParseKeyValueOpt(option)
+		if err != nil {
+			return nil, err
+		}
+		key = strings.ToLower(key)
+		switch key {
+		default:
+			return nil, fmt.Errorf("overlay: unknown option %s", key)
+		}
+	}
+	return o, nil
+}
+
+func supportsOverlay() error {
+	// We can try to modprobe overlay first before looking at
+	// proc/filesystems for when overlay is supported
+	exec.Command("modprobe", "overlay").Run()
+
+	f, err := os.Open("/proc/filesystems")
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	s := bufio.NewScanner(f)
+	for s.Scan() {
+		if s.Text() == "nodev\toverlay" {
+			return nil
+		}
+	}
+	logrus.WithField("storage-driver", "overlay").Error("'overlay' not found as a supported filesystem on this host. Please ensure kernel is new enough and has overlay support loaded.")
+	return graphdriver.ErrNotSupported
+}
+
+func (d *Driver) String() string {
+	return "overlay"
+}
+
+// Status returns current driver information in a two dimensional string array.
+// Output contains "Backing Filesystem" used in this implementation.
+func (d *Driver) Status() [][2]string {
+	return [][2]string{
+		{"Backing Filesystem", backingFs},
+		{"Supports d_type", strconv.FormatBool(d.supportsDType)},
+	}
+}
+
+// GetMetadata returns metadata about the overlay driver such as root,
+// LowerDir, UpperDir, WorkDir and MergeDir used to store data.
+func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+	dir := d.dir(id)
+	if _, err := os.Stat(dir); err != nil {
+		return nil, err
+	}
+
+	metadata := make(map[string]string)
+
+	// If id has a root, it is an image
+	rootDir := path.Join(dir, "root")
+	if _, err := os.Stat(rootDir); err == nil {
+		metadata["RootDir"] = rootDir
+		return metadata, nil
+	}
+
+	lowerID, err := ioutil.ReadFile(path.Join(dir, "lower-id"))
+	if err != nil {
+		return nil, err
+	}
+
+	metadata["LowerDir"] = path.Join(d.dir(string(lowerID)), "root")
+	metadata["UpperDir"] = path.Join(dir, "upper")
+	metadata["WorkDir"] = path.Join(dir, "work")
+	metadata["MergedDir"] = path.Join(dir, "merged")
+
+	return metadata, nil
+}
+
+// Cleanup any state created by overlay which should be cleaned when daemon
+// is being shutdown. For now, we just have to unmount the bind mounted
+// we had created.
+func (d *Driver) Cleanup() error {
+	return mount.RecursiveUnmount(d.home)
+}
+
+// CreateReadWrite creates a layer that is writable for use as a container
+// file system.
+func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error {
+	return d.Create(id, parent, opts)
+}
+
+// Create is used to create the upper, lower, and merge directories required for overlay fs for a given id.
+// The parent filesystem is used to configure these directories for the overlay.
+func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr error) {
+
+	if opts != nil && len(opts.StorageOpt) != 0 {
+		return fmt.Errorf("--storage-opt is not supported for overlay")
+	}
+
+	dir := d.dir(id)
+
+	rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
+	if err != nil {
+		return err
+	}
+	root := idtools.IDPair{UID: rootUID, GID: rootGID}
+
+	if err := idtools.MkdirAllAndChown(path.Dir(dir), 0700, root); err != nil {
+		return err
+	}
+	if err := idtools.MkdirAndChown(dir, 0700, root); err != nil {
+		return err
+	}
+
+	defer func() {
+		// Clean up on failure
+		if retErr != nil {
+			os.RemoveAll(dir)
+		}
+	}()
+
+	// Toplevel images are just a "root" dir
+	if parent == "" {
+		return idtools.MkdirAndChown(path.Join(dir, "root"), 0755, root)
+	}
+
+	parentDir := d.dir(parent)
+
+	// Ensure parent exists
+	if _, err := os.Lstat(parentDir); err != nil {
+		return err
+	}
+
+	// If parent has a root, just do an overlay to it
+	parentRoot := path.Join(parentDir, "root")
+
+	if s, err := os.Lstat(parentRoot); err == nil {
+		if err := idtools.MkdirAndChown(path.Join(dir, "upper"), s.Mode(), root); err != nil {
+			return err
+		}
+		if err := idtools.MkdirAndChown(path.Join(dir, "work"), 0700, root); err != nil {
+			return err
+		}
+		return ioutil.WriteFile(path.Join(dir, "lower-id"), []byte(parent), 0666)
+	}
+
+	// Otherwise, copy the upper and the lower-id from the parent
+
+	lowerID, err := ioutil.ReadFile(path.Join(parentDir, "lower-id"))
+	if err != nil {
+		return err
+	}
+
+	if err := ioutil.WriteFile(path.Join(dir, "lower-id"), lowerID, 0666); err != nil {
+		return err
+	}
+
+	parentUpperDir := path.Join(parentDir, "upper")
+	s, err := os.Lstat(parentUpperDir)
+	if err != nil {
+		return err
+	}
+
+	upperDir := path.Join(dir, "upper")
+	if err := idtools.MkdirAndChown(upperDir, s.Mode(), root); err != nil {
+		return err
+	}
+	if err := idtools.MkdirAndChown(path.Join(dir, "work"), 0700, root); err != nil {
+		return err
+	}
+
+	return copy.DirCopy(parentUpperDir, upperDir, copy.Content, true)
+}
+
+func (d *Driver) dir(id string) string {
+	return path.Join(d.home, id)
+}
+
+// Remove cleans the directories that are created for this id.
+func (d *Driver) Remove(id string) error {
+	if id == "" {
+		return fmt.Errorf("refusing to remove the directories: id is empty")
+	}
+	d.locker.Lock(id)
+	defer d.locker.Unlock(id)
+	return system.EnsureRemoveAll(d.dir(id))
+}
+
+// Get creates and mounts the required file system for the given id and returns the mount path.
+func (d *Driver) Get(id, mountLabel string) (_ containerfs.ContainerFS, err error) {
+	d.locker.Lock(id)
+	defer d.locker.Unlock(id)
+	dir := d.dir(id)
+	if _, err := os.Stat(dir); err != nil {
+		return nil, err
+	}
+	// If id has a root, just return it
+	rootDir := path.Join(dir, "root")
+	if _, err := os.Stat(rootDir); err == nil {
+		return containerfs.NewLocalContainerFS(rootDir), nil
+	}
+
+	mergedDir := path.Join(dir, "merged")
+	if count := d.ctr.Increment(mergedDir); count > 1 {
+		return containerfs.NewLocalContainerFS(mergedDir), nil
+	}
+	defer func() {
+		if err != nil {
+			if c := d.ctr.Decrement(mergedDir); c <= 0 {
+				if mntErr := unix.Unmount(mergedDir, 0); mntErr != nil {
+					logrus.WithField("storage-driver", "overlay").Debugf("Failed to unmount %s: %v: %v", id, mntErr, err)
+				}
+				// Cleanup the created merged directory; see the comment in Put's rmdir
+				if rmErr := unix.Rmdir(mergedDir); rmErr != nil && !os.IsNotExist(rmErr) {
+					logrus.WithField("storage-driver", "overlay").Warnf("Failed to remove %s: %v: %v", id, rmErr, err)
+				}
+			}
+		}
+	}()
+	lowerID, err := ioutil.ReadFile(path.Join(dir, "lower-id"))
+	if err != nil {
+		return nil, err
+	}
+	rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
+	if err != nil {
+		return nil, err
+	}
+	if err := idtools.MkdirAndChown(mergedDir, 0700, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+		return nil, err
+	}
+	var (
+		lowerDir = path.Join(d.dir(string(lowerID)), "root")
+		upperDir = path.Join(dir, "upper")
+		workDir  = path.Join(dir, "work")
+		opts     = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerDir, upperDir, workDir)
+	)
+	if err := unix.Mount("overlay", mergedDir, "overlay", 0, label.FormatMountLabel(opts, mountLabel)); err != nil {
+		return nil, fmt.Errorf("error creating overlay mount to %s: %v", mergedDir, err)
+	}
+	// chown "workdir/work" to the remapped root UID/GID. Overlay fs inside a
+	// user namespace requires this to move a directory from lower to upper.
+	if err := os.Chown(path.Join(workDir, "work"), rootUID, rootGID); err != nil {
+		return nil, err
+	}
+	return containerfs.NewLocalContainerFS(mergedDir), nil
+}
+
+// Put unmounts the mount path created for the give id.
+// It also removes the 'merged' directory to force the kernel to unmount the
+// overlay mount in other namespaces.
+func (d *Driver) Put(id string) error {
+	d.locker.Lock(id)
+	defer d.locker.Unlock(id)
+	// If id has a root, just return
+	if _, err := os.Stat(path.Join(d.dir(id), "root")); err == nil {
+		return nil
+	}
+	mountpoint := path.Join(d.dir(id), "merged")
+	logger := logrus.WithField("storage-driver", "overlay")
+	if count := d.ctr.Decrement(mountpoint); count > 0 {
+		return nil
+	}
+	if err := unix.Unmount(mountpoint, unix.MNT_DETACH); err != nil {
+		logger.Debugf("Failed to unmount %s overlay: %v", id, err)
+	}
+
+	// Remove the mountpoint here. Removing the mountpoint (in newer kernels)
+	// will cause all other instances of this mount in other mount namespaces
+	// to be unmounted. This is necessary to avoid cases where an overlay mount
+	// that is present in another namespace will cause subsequent mounts
+	// operations to fail with ebusy.  We ignore any errors here because this may
+	// fail on older kernels which don't have
+	// torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied.
+	if err := unix.Rmdir(mountpoint); err != nil {
+		logger.Debugf("Failed to remove %s overlay: %v", id, err)
+	}
+	return nil
+}
+
+// ApplyDiff applies the new layer on top of the root, if parent does not exist with will return an ErrApplyDiffFallback error.
+func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64, err error) {
+	dir := d.dir(id)
+
+	if parent == "" {
+		return 0, ErrApplyDiffFallback
+	}
+
+	parentRootDir := path.Join(d.dir(parent), "root")
+	if _, err := os.Stat(parentRootDir); err != nil {
+		return 0, ErrApplyDiffFallback
+	}
+
+	// We now know there is a parent, and it has a "root" directory containing
+	// the full root filesystem. We can just hardlink it and apply the
+	// layer. This relies on two things:
+	// 1) ApplyDiff is only run once on a clean (no writes to upper layer) container
+	// 2) ApplyDiff doesn't do any in-place writes to files (would break hardlinks)
+	// These are all currently true and are not expected to break
+
+	tmpRootDir, err := ioutil.TempDir(dir, "tmproot")
+	if err != nil {
+		return 0, err
+	}
+	defer func() {
+		if err != nil {
+			os.RemoveAll(tmpRootDir)
+		} else {
+			os.RemoveAll(path.Join(dir, "upper"))
+			os.RemoveAll(path.Join(dir, "work"))
+			os.RemoveAll(path.Join(dir, "merged"))
+			os.RemoveAll(path.Join(dir, "lower-id"))
+		}
+	}()
+
+	if err = copy.DirCopy(parentRootDir, tmpRootDir, copy.Hardlink, true); err != nil {
+		return 0, err
+	}
+
+	options := &archive.TarOptions{UIDMaps: d.uidMaps, GIDMaps: d.gidMaps}
+	if size, err = graphdriver.ApplyUncompressedLayer(tmpRootDir, diff, options); err != nil {
+		return 0, err
+	}
+
+	rootDir := path.Join(dir, "root")
+	if err := os.Rename(tmpRootDir, rootDir); err != nil {
+		return 0, err
+	}
+
+	return
+}
+
+// Exists checks to see if the id is already mounted.
+func (d *Driver) Exists(id string) bool {
+	_, err := os.Stat(d.dir(id))
+	return err == nil
+}
diff --git a/engine/daemon/graphdriver/overlay/overlay_test.go b/engine/daemon/graphdriver/overlay/overlay_test.go
new file mode 100644
index 00000000..b270122c
--- /dev/null
+++ b/engine/daemon/graphdriver/overlay/overlay_test.go
@@ -0,0 +1,93 @@
+// +build linux
+
+package overlay // import "github.com/docker/docker/daemon/graphdriver/overlay"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/daemon/graphdriver/graphtest"
+	"github.com/docker/docker/pkg/archive"
+)
+
+func init() {
+	// Do not sure chroot to speed run time and allow archive
+	// errors or hangs to be debugged directly from the test process.
+	graphdriver.ApplyUncompressedLayer = archive.ApplyUncompressedLayer
+}
+
+// This avoids creating a new driver for each test if all tests are run
+// Make sure to put new tests between TestOverlaySetup and TestOverlayTeardown
+func TestOverlaySetup(t *testing.T) {
+	graphtest.GetDriver(t, "overlay")
+}
+
+func TestOverlayCreateEmpty(t *testing.T) {
+	graphtest.DriverTestCreateEmpty(t, "overlay")
+}
+
+func TestOverlayCreateBase(t *testing.T) {
+	graphtest.DriverTestCreateBase(t, "overlay")
+}
+
+func TestOverlayCreateSnap(t *testing.T) {
+	graphtest.DriverTestCreateSnap(t, "overlay")
+}
+
+func TestOverlay50LayerRead(t *testing.T) {
+	graphtest.DriverTestDeepLayerRead(t, 50, "overlay")
+}
+
+// Fails due to bug in calculating changes after apply
+// likely related to https://github.com/docker/docker/issues/21555
+func TestOverlayDiffApply10Files(t *testing.T) {
+	t.Skipf("Fails to compute changes after apply intermittently")
+	graphtest.DriverTestDiffApply(t, 10, "overlay")
+}
+
+func TestOverlayChanges(t *testing.T) {
+	t.Skipf("Fails to compute changes intermittently")
+	graphtest.DriverTestChanges(t, "overlay")
+}
+
+func TestOverlayTeardown(t *testing.T) {
+	graphtest.PutDriver(t)
+}
+
+// Benchmarks should always setup new driver
+
+func BenchmarkExists(b *testing.B) {
+	graphtest.DriverBenchExists(b, "overlay")
+}
+
+func BenchmarkGetEmpty(b *testing.B) {
+	graphtest.DriverBenchGetEmpty(b, "overlay")
+}
+
+func BenchmarkDiffBase(b *testing.B) {
+	graphtest.DriverBenchDiffBase(b, "overlay")
+}
+
+func BenchmarkDiffSmallUpper(b *testing.B) {
+	graphtest.DriverBenchDiffN(b, 10, 10, "overlay")
+}
+
+func BenchmarkDiff10KFileUpper(b *testing.B) {
+	graphtest.DriverBenchDiffN(b, 10, 10000, "overlay")
+}
+
+func BenchmarkDiff10KFilesBottom(b *testing.B) {
+	graphtest.DriverBenchDiffN(b, 10000, 10, "overlay")
+}
+
+func BenchmarkDiffApply100(b *testing.B) {
+	graphtest.DriverBenchDiffApplyN(b, 100, "overlay")
+}
+
+func BenchmarkDiff20Layers(b *testing.B) {
+	graphtest.DriverBenchDeepLayerDiff(b, 20, "overlay")
+}
+
+func BenchmarkRead20Layers(b *testing.B) {
+	graphtest.DriverBenchDeepLayerRead(b, 20, "overlay")
+}
diff --git a/engine/daemon/graphdriver/overlay/overlay_unsupported.go b/engine/daemon/graphdriver/overlay/overlay_unsupported.go
new file mode 100644
index 00000000..8fc06ffe
--- /dev/null
+++ b/engine/daemon/graphdriver/overlay/overlay_unsupported.go
@@ -0,0 +1,3 @@
+// +build !linux
+
+package overlay // import "github.com/docker/docker/daemon/graphdriver/overlay"
diff --git a/engine/daemon/graphdriver/overlay2/check.go b/engine/daemon/graphdriver/overlay2/check.go
new file mode 100644
index 00000000..d6ee42f4
--- /dev/null
+++ b/engine/daemon/graphdriver/overlay2/check.go
@@ -0,0 +1,134 @@
+// +build linux
+
+package overlay2 // import "github.com/docker/docker/daemon/graphdriver/overlay2"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"syscall"
+
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// doesSupportNativeDiff checks whether the filesystem has a bug
+// which copies up the opaque flag when copying up an opaque
+// directory or the kernel enable CONFIG_OVERLAY_FS_REDIRECT_DIR.
+// When these exist naive diff should be used.
+func doesSupportNativeDiff(d string) error {
+	td, err := ioutil.TempDir(d, "opaque-bug-check")
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := os.RemoveAll(td); err != nil {
+			logrus.WithField("storage-driver", "overlay2").Warnf("Failed to remove check directory %v: %v", td, err)
+		}
+	}()
+
+	// Make directories l1/d, l1/d1, l2/d, l3, work, merged
+	if err := os.MkdirAll(filepath.Join(td, "l1", "d"), 0755); err != nil {
+		return err
+	}
+	if err := os.MkdirAll(filepath.Join(td, "l1", "d1"), 0755); err != nil {
+		return err
+	}
+	if err := os.MkdirAll(filepath.Join(td, "l2", "d"), 0755); err != nil {
+		return err
+	}
+	if err := os.Mkdir(filepath.Join(td, "l3"), 0755); err != nil {
+		return err
+	}
+	if err := os.Mkdir(filepath.Join(td, "work"), 0755); err != nil {
+		return err
+	}
+	if err := os.Mkdir(filepath.Join(td, "merged"), 0755); err != nil {
+		return err
+	}
+
+	// Mark l2/d as opaque
+	if err := system.Lsetxattr(filepath.Join(td, "l2", "d"), "trusted.overlay.opaque", []byte("y"), 0); err != nil {
+		return errors.Wrap(err, "failed to set opaque flag on middle layer")
+	}
+
+	opts := fmt.Sprintf("lowerdir=%s:%s,upperdir=%s,workdir=%s", path.Join(td, "l2"), path.Join(td, "l1"), path.Join(td, "l3"), path.Join(td, "work"))
+	if err := unix.Mount("overlay", filepath.Join(td, "merged"), "overlay", 0, opts); err != nil {
+		return errors.Wrap(err, "failed to mount overlay")
+	}
+	defer func() {
+		if err := unix.Unmount(filepath.Join(td, "merged"), 0); err != nil {
+			logrus.WithField("storage-driver", "overlay2").Warnf("Failed to unmount check directory %v: %v", filepath.Join(td, "merged"), err)
+		}
+	}()
+
+	// Touch file in d to force copy up of opaque directory "d" from "l2" to "l3"
+	if err := ioutil.WriteFile(filepath.Join(td, "merged", "d", "f"), []byte{}, 0644); err != nil {
+		return errors.Wrap(err, "failed to write to merged directory")
+	}
+
+	// Check l3/d does not have opaque flag
+	xattrOpaque, err := system.Lgetxattr(filepath.Join(td, "l3", "d"), "trusted.overlay.opaque")
+	if err != nil {
+		return errors.Wrap(err, "failed to read opaque flag on upper layer")
+	}
+	if string(xattrOpaque) == "y" {
+		return errors.New("opaque flag erroneously copied up, consider update to kernel 4.8 or later to fix")
+	}
+
+	// rename "d1" to "d2"
+	if err := os.Rename(filepath.Join(td, "merged", "d1"), filepath.Join(td, "merged", "d2")); err != nil {
+		// if rename failed with syscall.EXDEV, the kernel doesn't have CONFIG_OVERLAY_FS_REDIRECT_DIR enabled
+		if err.(*os.LinkError).Err == syscall.EXDEV {
+			return nil
+		}
+		return errors.Wrap(err, "failed to rename dir in merged directory")
+	}
+	// get the xattr of "d2"
+	xattrRedirect, err := system.Lgetxattr(filepath.Join(td, "l3", "d2"), "trusted.overlay.redirect")
+	if err != nil {
+		return errors.Wrap(err, "failed to read redirect flag on upper layer")
+	}
+
+	if string(xattrRedirect) == "d1" {
+		return errors.New("kernel has CONFIG_OVERLAY_FS_REDIRECT_DIR enabled")
+	}
+
+	return nil
+}
+
+// supportsMultipleLowerDir checks if the system supports multiple lowerdirs,
+// which is required for the overlay2 driver. On 4.x kernels, multiple lowerdirs
+// are always available (so this check isn't needed), and backported to RHEL and
+// CentOS 3.x kernels (3.10.0-693.el7.x86_64 and up). This function is to detect
+// support on those kernels, without doing a kernel version compare.
+func supportsMultipleLowerDir(d string) error {
+	td, err := ioutil.TempDir(d, "multiple-lowerdir-check")
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := os.RemoveAll(td); err != nil {
+			logrus.WithField("storage-driver", "overlay2").Warnf("Failed to remove check directory %v: %v", td, err)
+		}
+	}()
+
+	for _, dir := range []string{"lower1", "lower2", "upper", "work", "merged"} {
+		if err := os.Mkdir(filepath.Join(td, dir), 0755); err != nil {
+			return err
+		}
+	}
+
+	opts := fmt.Sprintf("lowerdir=%s:%s,upperdir=%s,workdir=%s", path.Join(td, "lower2"), path.Join(td, "lower1"), path.Join(td, "upper"), path.Join(td, "work"))
+	if err := unix.Mount("overlay", filepath.Join(td, "merged"), "overlay", 0, opts); err != nil {
+		return errors.Wrap(err, "failed to mount overlay")
+	}
+	if err := unix.Unmount(filepath.Join(td, "merged"), 0); err != nil {
+		logrus.WithField("storage-driver", "overlay2").Warnf("Failed to unmount check directory %v: %v", filepath.Join(td, "merged"), err)
+	}
+	return nil
+}
diff --git a/engine/daemon/graphdriver/overlay2/mount.go b/engine/daemon/graphdriver/overlay2/mount.go
new file mode 100644
index 00000000..da409fc8
--- /dev/null
+++ b/engine/daemon/graphdriver/overlay2/mount.go
@@ -0,0 +1,89 @@
+// +build linux
+
+package overlay2 // import "github.com/docker/docker/daemon/graphdriver/overlay2"
+
+import (
+	"bytes"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"os"
+	"runtime"
+
+	"github.com/docker/docker/pkg/reexec"
+	"golang.org/x/sys/unix"
+)
+
+func init() {
+	reexec.Register("docker-mountfrom", mountFromMain)
+}
+
+func fatal(err error) {
+	fmt.Fprint(os.Stderr, err)
+	os.Exit(1)
+}
+
+type mountOptions struct {
+	Device string
+	Target string
+	Type   string
+	Label  string
+	Flag   uint32
+}
+
+func mountFrom(dir, device, target, mType string, flags uintptr, label string) error {
+	options := &mountOptions{
+		Device: device,
+		Target: target,
+		Type:   mType,
+		Flag:   uint32(flags),
+		Label:  label,
+	}
+
+	cmd := reexec.Command("docker-mountfrom", dir)
+	w, err := cmd.StdinPipe()
+	if err != nil {
+		return fmt.Errorf("mountfrom error on pipe creation: %v", err)
+	}
+
+	output := bytes.NewBuffer(nil)
+	cmd.Stdout = output
+	cmd.Stderr = output
+	if err := cmd.Start(); err != nil {
+		w.Close()
+		return fmt.Errorf("mountfrom error on re-exec cmd: %v", err)
+	}
+	//write the options to the pipe for the untar exec to read
+	if err := json.NewEncoder(w).Encode(options); err != nil {
+		w.Close()
+		return fmt.Errorf("mountfrom json encode to pipe failed: %v", err)
+	}
+	w.Close()
+
+	if err := cmd.Wait(); err != nil {
+		return fmt.Errorf("mountfrom re-exec error: %v: output: %v", err, output)
+	}
+	return nil
+}
+
+// mountfromMain is the entry-point for docker-mountfrom on re-exec.
+func mountFromMain() {
+	runtime.LockOSThread()
+	flag.Parse()
+
+	var options *mountOptions
+
+	if err := json.NewDecoder(os.Stdin).Decode(&options); err != nil {
+		fatal(err)
+	}
+
+	if err := os.Chdir(flag.Arg(0)); err != nil {
+		fatal(err)
+	}
+
+	if err := unix.Mount(options.Device, options.Target, options.Type, uintptr(options.Flag), options.Label); err != nil {
+		fatal(err)
+	}
+
+	os.Exit(0)
+}
diff --git a/engine/daemon/graphdriver/overlay2/overlay.go b/engine/daemon/graphdriver/overlay2/overlay.go
new file mode 100644
index 00000000..49b055cc
--- /dev/null
+++ b/engine/daemon/graphdriver/overlay2/overlay.go
@@ -0,0 +1,758 @@
+// +build linux
+
+package overlay2 // import "github.com/docker/docker/daemon/graphdriver/overlay2"
+
+import (
+	"bufio"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/daemon/graphdriver/overlayutils"
+	"github.com/docker/docker/daemon/graphdriver/quota"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/chrootarchive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/directory"
+	"github.com/docker/docker/pkg/fsutils"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/parsers"
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/go-units"
+	rsystem "github.com/opencontainers/runc/libcontainer/system"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+var (
+	// untar defines the untar method
+	untar = chrootarchive.UntarUncompressed
+)
+
+// This backend uses the overlay union filesystem for containers
+// with diff directories for each layer.
+
+// This version of the overlay driver requires at least kernel
+// 4.0.0 in order to support mounting multiple diff directories.
+
+// Each container/image has at least a "diff" directory and "link" file.
+// If there is also a "lower" file when there are diff layers
+// below as well as "merged" and "work" directories. The "diff" directory
+// has the upper layer of the overlay and is used to capture any
+// changes to the layer. The "lower" file contains all the lower layer
+// mounts separated by ":" and ordered from uppermost to lowermost
+// layers. The overlay itself is mounted in the "merged" directory,
+// and the "work" dir is needed for overlay to work.
+
+// The "link" file for each layer contains a unique string for the layer.
+// Under the "l" directory at the root there will be a symbolic link
+// with that unique string pointing the "diff" directory for the layer.
+// The symbolic links are used to reference lower layers in the "lower"
+// file and on mount. The links are used to shorten the total length
+// of a layer reference without requiring changes to the layer identifier
+// or root directory. Mounts are always done relative to root and
+// referencing the symbolic links in order to ensure the number of
+// lower directories can fit in a single page for making the mount
+// syscall. A hard upper limit of 128 lower layers is enforced to ensure
+// that mounts do not fail due to length.
+
+const (
+	driverName = "overlay2"
+	linkDir    = "l"
+	lowerFile  = "lower"
+	maxDepth   = 128
+
+	// idLength represents the number of random characters
+	// which can be used to create the unique link identifier
+	// for every layer. If this value is too long then the
+	// page size limit for the mount command may be exceeded.
+	// The idLength should be selected such that following equation
+	// is true (512 is a buffer for label metadata).
+	// ((idLength + len(linkDir) + 1) * maxDepth) <= (pageSize - 512)
+	idLength = 26
+)
+
+type overlayOptions struct {
+	overrideKernelCheck bool
+	quota               quota.Quota
+}
+
+// Driver contains information about the home directory and the list of active
+// mounts that are created using this driver.
+type Driver struct {
+	home          string
+	uidMaps       []idtools.IDMap
+	gidMaps       []idtools.IDMap
+	ctr           *graphdriver.RefCounter
+	quotaCtl      *quota.Control
+	options       overlayOptions
+	naiveDiff     graphdriver.DiffDriver
+	supportsDType bool
+	locker        *locker.Locker
+}
+
+var (
+	backingFs             = "<unknown>"
+	projectQuotaSupported = false
+
+	useNaiveDiffLock sync.Once
+	useNaiveDiffOnly bool
+)
+
+func init() {
+	graphdriver.Register(driverName, Init)
+}
+
+// Init returns the native diff driver for overlay filesystem.
+// If overlay filesystem is not supported on the host, the error
+// graphdriver.ErrNotSupported is returned.
+// If an overlay filesystem is not supported over an existing filesystem then
+// the error graphdriver.ErrIncompatibleFS is returned.
+func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) {
+	opts, err := parseOptions(options)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := supportsOverlay(); err != nil {
+		return nil, graphdriver.ErrNotSupported
+	}
+
+	// require kernel 4.0.0 to ensure multiple lower dirs are supported
+	v, err := kernel.GetKernelVersion()
+	if err != nil {
+		return nil, err
+	}
+
+	// Perform feature detection on /var/lib/docker/overlay2 if it's an existing directory.
+	// This covers situations where /var/lib/docker/overlay2 is a mount, and on a different
+	// filesystem than /var/lib/docker.
+	// If the path does not exist, fall back to using /var/lib/docker for feature detection.
+	testdir := home
+	if _, err := os.Stat(testdir); os.IsNotExist(err) {
+		testdir = filepath.Dir(testdir)
+	}
+
+	fsMagic, err := graphdriver.GetFSMagic(testdir)
+	if err != nil {
+		return nil, err
+	}
+	if fsName, ok := graphdriver.FsNames[fsMagic]; ok {
+		backingFs = fsName
+	}
+
+	logger := logrus.WithField("storage-driver", "overlay2")
+
+	switch fsMagic {
+	case graphdriver.FsMagicAufs, graphdriver.FsMagicEcryptfs, graphdriver.FsMagicNfsFs, graphdriver.FsMagicOverlay, graphdriver.FsMagicZfs:
+		logger.Errorf("'overlay2' is not supported over %s", backingFs)
+		return nil, graphdriver.ErrIncompatibleFS
+	case graphdriver.FsMagicBtrfs:
+		// Support for OverlayFS on BTRFS was added in kernel 4.7
+		// See https://btrfs.wiki.kernel.org/index.php/Changelog
+		if kernel.CompareKernelVersion(*v, kernel.VersionInfo{Kernel: 4, Major: 7, Minor: 0}) < 0 {
+			if !opts.overrideKernelCheck {
+				logger.Errorf("'overlay2' requires kernel 4.7 to use on %s", backingFs)
+				return nil, graphdriver.ErrIncompatibleFS
+			}
+			logger.Warn("Using pre-4.7.0 kernel for overlay2 on btrfs, may require kernel update")
+		}
+	}
+
+	if kernel.CompareKernelVersion(*v, kernel.VersionInfo{Kernel: 4, Major: 0, Minor: 0}) < 0 {
+		if opts.overrideKernelCheck {
+			logger.Warn("Using pre-4.0.0 kernel for overlay2, mount failures may require kernel update")
+		} else {
+			if err := supportsMultipleLowerDir(testdir); err != nil {
+				logger.Debugf("Multiple lower dirs not supported: %v", err)
+				return nil, graphdriver.ErrNotSupported
+			}
+		}
+	}
+	supportsDType, err := fsutils.SupportsDType(testdir)
+	if err != nil {
+		return nil, err
+	}
+	if !supportsDType {
+		if !graphdriver.IsInitialized(home) {
+			return nil, overlayutils.ErrDTypeNotSupported("overlay2", backingFs)
+		}
+		// allow running without d_type only for existing setups (#27443)
+		logger.Warn(overlayutils.ErrDTypeNotSupported("overlay2", backingFs))
+	}
+
+	rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
+	if err != nil {
+		return nil, err
+	}
+	// Create the driver home dir
+	if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+		return nil, err
+	}
+
+	d := &Driver{
+		home:          home,
+		uidMaps:       uidMaps,
+		gidMaps:       gidMaps,
+		ctr:           graphdriver.NewRefCounter(graphdriver.NewFsChecker(graphdriver.FsMagicOverlay)),
+		supportsDType: supportsDType,
+		locker:        locker.New(),
+		options:       *opts,
+	}
+
+	d.naiveDiff = graphdriver.NewNaiveDiffDriver(d, uidMaps, gidMaps)
+
+	if backingFs == "xfs" {
+		// Try to enable project quota support over xfs.
+		if d.quotaCtl, err = quota.NewControl(home); err == nil {
+			projectQuotaSupported = true
+		} else if opts.quota.Size > 0 {
+			return nil, fmt.Errorf("Storage option overlay2.size not supported. Filesystem does not support Project Quota: %v", err)
+		}
+	} else if opts.quota.Size > 0 {
+		// if xfs is not the backing fs then error out if the storage-opt overlay2.size is used.
+		return nil, fmt.Errorf("Storage Option overlay2.size only supported for backingFS XFS. Found %v", backingFs)
+	}
+
+	logger.Debugf("backingFs=%s,  projectQuotaSupported=%v", backingFs, projectQuotaSupported)
+
+	return d, nil
+}
+
+func parseOptions(options []string) (*overlayOptions, error) {
+	o := &overlayOptions{}
+	for _, option := range options {
+		key, val, err := parsers.ParseKeyValueOpt(option)
+		if err != nil {
+			return nil, err
+		}
+		key = strings.ToLower(key)
+		switch key {
+		case "overlay2.override_kernel_check":
+			o.overrideKernelCheck, err = strconv.ParseBool(val)
+			if err != nil {
+				return nil, err
+			}
+		case "overlay2.size":
+			size, err := units.RAMInBytes(val)
+			if err != nil {
+				return nil, err
+			}
+			o.quota.Size = uint64(size)
+		default:
+			return nil, fmt.Errorf("overlay2: unknown option %s", key)
+		}
+	}
+	return o, nil
+}
+
+func supportsOverlay() error {
+	// We can try to modprobe overlay first before looking at
+	// proc/filesystems for when overlay is supported
+	exec.Command("modprobe", "overlay").Run()
+
+	f, err := os.Open("/proc/filesystems")
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	s := bufio.NewScanner(f)
+	for s.Scan() {
+		if s.Text() == "nodev\toverlay" {
+			return nil
+		}
+	}
+	logrus.WithField("storage-driver", "overlay2").Error("'overlay' not found as a supported filesystem on this host. Please ensure kernel is new enough and has overlay support loaded.")
+	return graphdriver.ErrNotSupported
+}
+
+func useNaiveDiff(home string) bool {
+	useNaiveDiffLock.Do(func() {
+		if err := doesSupportNativeDiff(home); err != nil {
+			logrus.WithField("storage-driver", "overlay2").Warnf("Not using native diff for overlay2, this may cause degraded performance for building images: %v", err)
+			useNaiveDiffOnly = true
+		}
+	})
+	return useNaiveDiffOnly
+}
+
+func (d *Driver) String() string {
+	return driverName
+}
+
+// Status returns current driver information in a two dimensional string array.
+// Output contains "Backing Filesystem" used in this implementation.
+func (d *Driver) Status() [][2]string {
+	return [][2]string{
+		{"Backing Filesystem", backingFs},
+		{"Supports d_type", strconv.FormatBool(d.supportsDType)},
+		{"Native Overlay Diff", strconv.FormatBool(!useNaiveDiff(d.home))},
+	}
+}
+
+// GetMetadata returns metadata about the overlay driver such as the LowerDir,
+// UpperDir, WorkDir, and MergeDir used to store data.
+func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+	dir := d.dir(id)
+	if _, err := os.Stat(dir); err != nil {
+		return nil, err
+	}
+
+	metadata := map[string]string{
+		"WorkDir":   path.Join(dir, "work"),
+		"MergedDir": path.Join(dir, "merged"),
+		"UpperDir":  path.Join(dir, "diff"),
+	}
+
+	lowerDirs, err := d.getLowerDirs(id)
+	if err != nil {
+		return nil, err
+	}
+	if len(lowerDirs) > 0 {
+		metadata["LowerDir"] = strings.Join(lowerDirs, ":")
+	}
+
+	return metadata, nil
+}
+
+// Cleanup any state created by overlay which should be cleaned when daemon
+// is being shutdown. For now, we just have to unmount the bind mounted
+// we had created.
+func (d *Driver) Cleanup() error {
+	return mount.RecursiveUnmount(d.home)
+}
+
+// CreateReadWrite creates a layer that is writable for use as a container
+// file system.
+func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error {
+	if opts != nil && len(opts.StorageOpt) != 0 && !projectQuotaSupported {
+		return fmt.Errorf("--storage-opt is supported only for overlay over xfs with 'pquota' mount option")
+	}
+
+	if opts == nil {
+		opts = &graphdriver.CreateOpts{
+			StorageOpt: map[string]string{},
+		}
+	}
+
+	if _, ok := opts.StorageOpt["size"]; !ok {
+		if opts.StorageOpt == nil {
+			opts.StorageOpt = map[string]string{}
+		}
+		opts.StorageOpt["size"] = strconv.FormatUint(d.options.quota.Size, 10)
+	}
+
+	return d.create(id, parent, opts)
+}
+
+// Create is used to create the upper, lower, and merge directories required for overlay fs for a given id.
+// The parent filesystem is used to configure these directories for the overlay.
+func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr error) {
+	if opts != nil && len(opts.StorageOpt) != 0 {
+		if _, ok := opts.StorageOpt["size"]; ok {
+			return fmt.Errorf("--storage-opt size is only supported for ReadWrite Layers")
+		}
+	}
+	return d.create(id, parent, opts)
+}
+
+func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr error) {
+	dir := d.dir(id)
+
+	rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
+	if err != nil {
+		return err
+	}
+	root := idtools.IDPair{UID: rootUID, GID: rootGID}
+
+	if err := idtools.MkdirAllAndChown(path.Dir(dir), 0700, root); err != nil {
+		return err
+	}
+	if err := idtools.MkdirAndChown(dir, 0700, root); err != nil {
+		return err
+	}
+
+	defer func() {
+		// Clean up on failure
+		if retErr != nil {
+			os.RemoveAll(dir)
+		}
+	}()
+
+	if opts != nil && len(opts.StorageOpt) > 0 {
+		driver := &Driver{}
+		if err := d.parseStorageOpt(opts.StorageOpt, driver); err != nil {
+			return err
+		}
+
+		if driver.options.quota.Size > 0 {
+			// Set container disk quota limit
+			if err := d.quotaCtl.SetQuota(dir, driver.options.quota); err != nil {
+				return err
+			}
+		}
+	}
+
+	if err := idtools.MkdirAndChown(path.Join(dir, "diff"), 0755, root); err != nil {
+		return err
+	}
+
+	lid := generateID(idLength)
+	if err := os.Symlink(path.Join("..", id, "diff"), path.Join(d.home, linkDir, lid)); err != nil {
+		return err
+	}
+
+	// Write link id to link file
+	if err := ioutil.WriteFile(path.Join(dir, "link"), []byte(lid), 0644); err != nil {
+		return err
+	}
+
+	// if no parent directory, done
+	if parent == "" {
+		return nil
+	}
+
+	if err := idtools.MkdirAndChown(path.Join(dir, "work"), 0700, root); err != nil {
+		return err
+	}
+
+	lower, err := d.getLower(parent)
+	if err != nil {
+		return err
+	}
+	if lower != "" {
+		if err := ioutil.WriteFile(path.Join(dir, lowerFile), []byte(lower), 0666); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Parse overlay storage options
+func (d *Driver) parseStorageOpt(storageOpt map[string]string, driver *Driver) error {
+	// Read size to set the disk project quota per container
+	for key, val := range storageOpt {
+		key := strings.ToLower(key)
+		switch key {
+		case "size":
+			size, err := units.RAMInBytes(val)
+			if err != nil {
+				return err
+			}
+			driver.options.quota.Size = uint64(size)
+		default:
+			return fmt.Errorf("Unknown option %s", key)
+		}
+	}
+
+	return nil
+}
+
+func (d *Driver) getLower(parent string) (string, error) {
+	parentDir := d.dir(parent)
+
+	// Ensure parent exists
+	if _, err := os.Lstat(parentDir); err != nil {
+		return "", err
+	}
+
+	// Read Parent link fileA
+	parentLink, err := ioutil.ReadFile(path.Join(parentDir, "link"))
+	if err != nil {
+		return "", err
+	}
+	lowers := []string{path.Join(linkDir, string(parentLink))}
+
+	parentLower, err := ioutil.ReadFile(path.Join(parentDir, lowerFile))
+	if err == nil {
+		parentLowers := strings.Split(string(parentLower), ":")
+		lowers = append(lowers, parentLowers...)
+	}
+	if len(lowers) > maxDepth {
+		return "", errors.New("max depth exceeded")
+	}
+	return strings.Join(lowers, ":"), nil
+}
+
+func (d *Driver) dir(id string) string {
+	return path.Join(d.home, id)
+}
+
+func (d *Driver) getLowerDirs(id string) ([]string, error) {
+	var lowersArray []string
+	lowers, err := ioutil.ReadFile(path.Join(d.dir(id), lowerFile))
+	if err == nil {
+		for _, s := range strings.Split(string(lowers), ":") {
+			lp, err := os.Readlink(path.Join(d.home, s))
+			if err != nil {
+				return nil, err
+			}
+			lowersArray = append(lowersArray, path.Clean(path.Join(d.home, linkDir, lp)))
+		}
+	} else if !os.IsNotExist(err) {
+		return nil, err
+	}
+	return lowersArray, nil
+}
+
+// Remove cleans the directories that are created for this id.
+func (d *Driver) Remove(id string) error {
+	if id == "" {
+		return fmt.Errorf("refusing to remove the directories: id is empty")
+	}
+	d.locker.Lock(id)
+	defer d.locker.Unlock(id)
+	dir := d.dir(id)
+	lid, err := ioutil.ReadFile(path.Join(dir, "link"))
+	if err == nil {
+		if len(lid) == 0 {
+			logrus.WithField("storage-driver", "overlay2").Errorf("refusing to remove empty link for layer %v", id)
+		} else if err := os.RemoveAll(path.Join(d.home, linkDir, string(lid))); err != nil {
+			logrus.WithField("storage-driver", "overlay2").Debugf("Failed to remove link: %v", err)
+		}
+	}
+
+	if err := system.EnsureRemoveAll(dir); err != nil && !os.IsNotExist(err) {
+		return err
+	}
+	return nil
+}
+
+// Get creates and mounts the required file system for the given id and returns the mount path.
+func (d *Driver) Get(id, mountLabel string) (_ containerfs.ContainerFS, retErr error) {
+	d.locker.Lock(id)
+	defer d.locker.Unlock(id)
+	dir := d.dir(id)
+	if _, err := os.Stat(dir); err != nil {
+		return nil, err
+	}
+
+	diffDir := path.Join(dir, "diff")
+	lowers, err := ioutil.ReadFile(path.Join(dir, lowerFile))
+	if err != nil {
+		// If no lower, just return diff directory
+		if os.IsNotExist(err) {
+			return containerfs.NewLocalContainerFS(diffDir), nil
+		}
+		return nil, err
+	}
+
+	mergedDir := path.Join(dir, "merged")
+	if count := d.ctr.Increment(mergedDir); count > 1 {
+		return containerfs.NewLocalContainerFS(mergedDir), nil
+	}
+	defer func() {
+		if retErr != nil {
+			if c := d.ctr.Decrement(mergedDir); c <= 0 {
+				if mntErr := unix.Unmount(mergedDir, 0); mntErr != nil {
+					logrus.WithField("storage-driver", "overlay2").Errorf("error unmounting %v: %v", mergedDir, mntErr)
+				}
+				// Cleanup the created merged directory; see the comment in Put's rmdir
+				if rmErr := unix.Rmdir(mergedDir); rmErr != nil && !os.IsNotExist(rmErr) {
+					logrus.WithField("storage-driver", "overlay2").Debugf("Failed to remove %s: %v: %v", id, rmErr, err)
+				}
+			}
+		}
+	}()
+
+	workDir := path.Join(dir, "work")
+	splitLowers := strings.Split(string(lowers), ":")
+	absLowers := make([]string, len(splitLowers))
+	for i, s := range splitLowers {
+		absLowers[i] = path.Join(d.home, s)
+	}
+	opts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", strings.Join(absLowers, ":"), path.Join(dir, "diff"), path.Join(dir, "work"))
+	mountData := label.FormatMountLabel(opts, mountLabel)
+	mount := unix.Mount
+	mountTarget := mergedDir
+
+	rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
+	if err != nil {
+		return nil, err
+	}
+	if err := idtools.MkdirAndChown(mergedDir, 0700, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+		return nil, err
+	}
+
+	pageSize := unix.Getpagesize()
+
+	// Go can return a larger page size than supported by the system
+	// as of go 1.7. This will be fixed in 1.8 and this block can be
+	// removed when building with 1.8.
+	// See https://github.com/golang/go/commit/1b9499b06989d2831e5b156161d6c07642926ee1
+	// See https://github.com/docker/docker/issues/27384
+	if pageSize > 4096 {
+		pageSize = 4096
+	}
+
+	// Use relative paths and mountFrom when the mount data has exceeded
+	// the page size. The mount syscall fails if the mount data cannot
+	// fit within a page and relative links make the mount data much
+	// smaller at the expense of requiring a fork exec to chroot.
+	if len(mountData) > pageSize {
+		opts = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", string(lowers), path.Join(id, "diff"), path.Join(id, "work"))
+		mountData = label.FormatMountLabel(opts, mountLabel)
+		if len(mountData) > pageSize {
+			return nil, fmt.Errorf("cannot mount layer, mount label too large %d", len(mountData))
+		}
+
+		mount = func(source string, target string, mType string, flags uintptr, label string) error {
+			return mountFrom(d.home, source, target, mType, flags, label)
+		}
+		mountTarget = path.Join(id, "merged")
+	}
+
+	if err := mount("overlay", mountTarget, "overlay", 0, mountData); err != nil {
+		return nil, fmt.Errorf("error creating overlay mount to %s: %v", mergedDir, err)
+	}
+
+	// chown "workdir/work" to the remapped root UID/GID. Overlay fs inside a
+	// user namespace requires this to move a directory from lower to upper.
+	if err := os.Chown(path.Join(workDir, "work"), rootUID, rootGID); err != nil {
+		return nil, err
+	}
+
+	return containerfs.NewLocalContainerFS(mergedDir), nil
+}
+
+// Put unmounts the mount path created for the give id.
+// It also removes the 'merged' directory to force the kernel to unmount the
+// overlay mount in other namespaces.
+func (d *Driver) Put(id string) error {
+	d.locker.Lock(id)
+	defer d.locker.Unlock(id)
+	dir := d.dir(id)
+	_, err := ioutil.ReadFile(path.Join(dir, lowerFile))
+	if err != nil {
+		// If no lower, no mount happened and just return directly
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	mountpoint := path.Join(dir, "merged")
+	logger := logrus.WithField("storage-driver", "overlay2")
+	if count := d.ctr.Decrement(mountpoint); count > 0 {
+		return nil
+	}
+	if err := unix.Unmount(mountpoint, unix.MNT_DETACH); err != nil {
+		logger.Debugf("Failed to unmount %s overlay: %s - %v", id, mountpoint, err)
+	}
+	// Remove the mountpoint here. Removing the mountpoint (in newer kernels)
+	// will cause all other instances of this mount in other mount namespaces
+	// to be unmounted. This is necessary to avoid cases where an overlay mount
+	// that is present in another namespace will cause subsequent mounts
+	// operations to fail with ebusy.  We ignore any errors here because this may
+	// fail on older kernels which don't have
+	// torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied.
+	if err := unix.Rmdir(mountpoint); err != nil && !os.IsNotExist(err) {
+		logger.Debugf("Failed to remove %s overlay: %v", id, err)
+	}
+	return nil
+}
+
+// Exists checks to see if the id is already mounted.
+func (d *Driver) Exists(id string) bool {
+	_, err := os.Stat(d.dir(id))
+	return err == nil
+}
+
+// isParent determines whether the given parent is the direct parent of the
+// given layer id
+func (d *Driver) isParent(id, parent string) bool {
+	lowers, err := d.getLowerDirs(id)
+	if err != nil {
+		return false
+	}
+	if parent == "" && len(lowers) > 0 {
+		return false
+	}
+
+	parentDir := d.dir(parent)
+	var ld string
+	if len(lowers) > 0 {
+		ld = filepath.Dir(lowers[0])
+	}
+	if ld == "" && parent == "" {
+		return true
+	}
+	return ld == parentDir
+}
+
+// ApplyDiff applies the new layer into a root
+func (d *Driver) ApplyDiff(id string, parent string, diff io.Reader) (size int64, err error) {
+	if !d.isParent(id, parent) {
+		return d.naiveDiff.ApplyDiff(id, parent, diff)
+	}
+
+	applyDir := d.getDiffPath(id)
+
+	logrus.WithField("storage-driver", "overlay2").Debugf("Applying tar in %s", applyDir)
+	// Overlay doesn't need the parent id to apply the diff
+	if err := untar(diff, applyDir, &archive.TarOptions{
+		UIDMaps:        d.uidMaps,
+		GIDMaps:        d.gidMaps,
+		WhiteoutFormat: archive.OverlayWhiteoutFormat,
+		InUserNS:       rsystem.RunningInUserNS(),
+	}); err != nil {
+		return 0, err
+	}
+
+	return directory.Size(context.TODO(), applyDir)
+}
+
+func (d *Driver) getDiffPath(id string) string {
+	dir := d.dir(id)
+
+	return path.Join(dir, "diff")
+}
+
+// DiffSize calculates the changes between the specified id
+// and its parent and returns the size in bytes of the changes
+// relative to its base filesystem directory.
+func (d *Driver) DiffSize(id, parent string) (size int64, err error) {
+	if useNaiveDiff(d.home) || !d.isParent(id, parent) {
+		return d.naiveDiff.DiffSize(id, parent)
+	}
+	return directory.Size(context.TODO(), d.getDiffPath(id))
+}
+
+// Diff produces an archive of the changes between the specified
+// layer and its parent layer which may be "".
+func (d *Driver) Diff(id, parent string) (io.ReadCloser, error) {
+	if useNaiveDiff(d.home) || !d.isParent(id, parent) {
+		return d.naiveDiff.Diff(id, parent)
+	}
+
+	diffPath := d.getDiffPath(id)
+	logrus.WithField("storage-driver", "overlay2").Debugf("Tar with options on %s", diffPath)
+	return archive.TarWithOptions(diffPath, &archive.TarOptions{
+		Compression:    archive.Uncompressed,
+		UIDMaps:        d.uidMaps,
+		GIDMaps:        d.gidMaps,
+		WhiteoutFormat: archive.OverlayWhiteoutFormat,
+	})
+}
+
+// Changes produces a list of changes between the specified layer and its
+// parent layer. If parent is "", then all changes will be ADD changes.
+func (d *Driver) Changes(id, parent string) ([]archive.Change, error) {
+	return d.naiveDiff.Changes(id, parent)
+}
diff --git a/engine/daemon/graphdriver/overlay2/overlay_test.go b/engine/daemon/graphdriver/overlay2/overlay_test.go
new file mode 100644
index 00000000..6befa7db
--- /dev/null
+++ b/engine/daemon/graphdriver/overlay2/overlay_test.go
@@ -0,0 +1,109 @@
+// +build linux
+
+package overlay2 // import "github.com/docker/docker/daemon/graphdriver/overlay2"
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/daemon/graphdriver/graphtest"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/reexec"
+)
+
+func init() {
+	// Do not sure chroot to speed run time and allow archive
+	// errors or hangs to be debugged directly from the test process.
+	untar = archive.UntarUncompressed
+	graphdriver.ApplyUncompressedLayer = archive.ApplyUncompressedLayer
+
+	reexec.Init()
+}
+
+func skipIfNaive(t *testing.T) {
+	td, err := ioutil.TempDir("", "naive-check-")
+	if err != nil {
+		t.Fatalf("Failed to create temp dir: %v", err)
+	}
+	defer os.RemoveAll(td)
+
+	if useNaiveDiff(td) {
+		t.Skipf("Cannot run test with naive diff")
+	}
+}
+
+// This avoids creating a new driver for each test if all tests are run
+// Make sure to put new tests between TestOverlaySetup and TestOverlayTeardown
+func TestOverlaySetup(t *testing.T) {
+	graphtest.GetDriver(t, driverName)
+}
+
+func TestOverlayCreateEmpty(t *testing.T) {
+	graphtest.DriverTestCreateEmpty(t, driverName)
+}
+
+func TestOverlayCreateBase(t *testing.T) {
+	graphtest.DriverTestCreateBase(t, driverName)
+}
+
+func TestOverlayCreateSnap(t *testing.T) {
+	graphtest.DriverTestCreateSnap(t, driverName)
+}
+
+func TestOverlay128LayerRead(t *testing.T) {
+	graphtest.DriverTestDeepLayerRead(t, 128, driverName)
+}
+
+func TestOverlayDiffApply10Files(t *testing.T) {
+	skipIfNaive(t)
+	graphtest.DriverTestDiffApply(t, 10, driverName)
+}
+
+func TestOverlayChanges(t *testing.T) {
+	t.Skipf("Cannot run test with naive change algorithm")
+	graphtest.DriverTestChanges(t, driverName)
+}
+
+func TestOverlayTeardown(t *testing.T) {
+	graphtest.PutDriver(t)
+}
+
+// Benchmarks should always setup new driver
+
+func BenchmarkExists(b *testing.B) {
+	graphtest.DriverBenchExists(b, driverName)
+}
+
+func BenchmarkGetEmpty(b *testing.B) {
+	graphtest.DriverBenchGetEmpty(b, driverName)
+}
+
+func BenchmarkDiffBase(b *testing.B) {
+	graphtest.DriverBenchDiffBase(b, driverName)
+}
+
+func BenchmarkDiffSmallUpper(b *testing.B) {
+	graphtest.DriverBenchDiffN(b, 10, 10, driverName)
+}
+
+func BenchmarkDiff10KFileUpper(b *testing.B) {
+	graphtest.DriverBenchDiffN(b, 10, 10000, driverName)
+}
+
+func BenchmarkDiff10KFilesBottom(b *testing.B) {
+	graphtest.DriverBenchDiffN(b, 10000, 10, driverName)
+}
+
+func BenchmarkDiffApply100(b *testing.B) {
+	graphtest.DriverBenchDiffApplyN(b, 100, driverName)
+}
+
+func BenchmarkDiff20Layers(b *testing.B) {
+	graphtest.DriverBenchDeepLayerDiff(b, 20, driverName)
+}
+
+func BenchmarkRead20Layers(b *testing.B) {
+	graphtest.DriverBenchDeepLayerRead(b, 20, driverName)
+}
diff --git a/engine/daemon/graphdriver/overlay2/overlay_unsupported.go b/engine/daemon/graphdriver/overlay2/overlay_unsupported.go
new file mode 100644
index 00000000..68b75a36
--- /dev/null
+++ b/engine/daemon/graphdriver/overlay2/overlay_unsupported.go
@@ -0,0 +1,3 @@
+// +build !linux
+
+package overlay2 // import "github.com/docker/docker/daemon/graphdriver/overlay2"
diff --git a/engine/daemon/graphdriver/overlay2/randomid.go b/engine/daemon/graphdriver/overlay2/randomid.go
new file mode 100644
index 00000000..842c0612
--- /dev/null
+++ b/engine/daemon/graphdriver/overlay2/randomid.go
@@ -0,0 +1,81 @@
+// +build linux
+
+package overlay2 // import "github.com/docker/docker/daemon/graphdriver/overlay2"
+
+import (
+	"crypto/rand"
+	"encoding/base32"
+	"fmt"
+	"io"
+	"os"
+	"syscall"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// generateID creates a new random string identifier with the given length
+func generateID(l int) string {
+	const (
+		// ensures we backoff for less than 450ms total. Use the following to
+		// select new value, in units of 10ms:
+		// 	n*(n+1)/2 = d -> n^2 + n - 2d -> n = (sqrt(8d + 1) - 1)/2
+		maxretries = 9
+		backoff    = time.Millisecond * 10
+	)
+
+	var (
+		totalBackoff time.Duration
+		count        int
+		retries      int
+		size         = (l*5 + 7) / 8
+		u            = make([]byte, size)
+	)
+	// TODO: Include time component, counter component, random component
+
+	for {
+		// This should never block but the read may fail. Because of this,
+		// we just try to read the random number generator until we get
+		// something. This is a very rare condition but may happen.
+		b := time.Duration(retries) * backoff
+		time.Sleep(b)
+		totalBackoff += b
+
+		n, err := io.ReadFull(rand.Reader, u[count:])
+		if err != nil {
+			if retryOnError(err) && retries < maxretries {
+				count += n
+				retries++
+				logrus.Errorf("error generating version 4 uuid, retrying: %v", err)
+				continue
+			}
+
+			// Any other errors represent a system problem. What did someone
+			// do to /dev/urandom?
+			panic(fmt.Errorf("error reading random number generator, retried for %v: %v", totalBackoff.String(), err))
+		}
+
+		break
+	}
+
+	s := base32.StdEncoding.EncodeToString(u)
+
+	return s[:l]
+}
+
+// retryOnError tries to detect whether or not retrying would be fruitful.
+func retryOnError(err error) bool {
+	switch err := err.(type) {
+	case *os.PathError:
+		return retryOnError(err.Err) // unpack the target error
+	case syscall.Errno:
+		if err == unix.EPERM {
+			// EPERM represents an entropy pool exhaustion, a condition under
+			// which we backoff and retry.
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/engine/daemon/graphdriver/overlayutils/overlayutils.go b/engine/daemon/graphdriver/overlayutils/overlayutils.go
new file mode 100644
index 00000000..71f6d2d4
--- /dev/null
+++ b/engine/daemon/graphdriver/overlayutils/overlayutils.go
@@ -0,0 +1,25 @@
+// +build linux
+
+package overlayutils // import "github.com/docker/docker/daemon/graphdriver/overlayutils"
+
+import (
+	"fmt"
+
+	"github.com/docker/docker/daemon/graphdriver"
+)
+
+// ErrDTypeNotSupported denotes that the backing filesystem doesn't support d_type.
+func ErrDTypeNotSupported(driver, backingFs string) error {
+	msg := fmt.Sprintf("%s: the backing %s filesystem is formatted without d_type support, which leads to incorrect behavior.", driver, backingFs)
+	if backingFs == "xfs" {
+		msg += " Reformat the filesystem with ftype=1 to enable d_type support."
+	}
+
+	if backingFs == "extfs" {
+		msg += " Reformat the filesystem (or use tune2fs) with -O filetype flag to enable d_type support."
+	}
+
+	msg += " Backing filesystems without d_type support are not supported."
+
+	return graphdriver.NotSupportedError(msg)
+}
diff --git a/engine/daemon/graphdriver/plugin.go b/engine/daemon/graphdriver/plugin.go
new file mode 100644
index 00000000..b0983c56
--- /dev/null
+++ b/engine/daemon/graphdriver/plugin.go
@@ -0,0 +1,55 @@
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/docker/plugin/v2"
+	"github.com/pkg/errors"
+)
+
+func lookupPlugin(name string, pg plugingetter.PluginGetter, config Options) (Driver, error) {
+	if !config.ExperimentalEnabled {
+		return nil, fmt.Errorf("graphdriver plugins are only supported with experimental mode")
+	}
+	pl, err := pg.Get(name, "GraphDriver", plugingetter.Acquire)
+	if err != nil {
+		return nil, fmt.Errorf("Error looking up graphdriver plugin %s: %v", name, err)
+	}
+	return newPluginDriver(name, pl, config)
+}
+
+func newPluginDriver(name string, pl plugingetter.CompatPlugin, config Options) (Driver, error) {
+	home := config.Root
+	if !pl.IsV1() {
+		if p, ok := pl.(*v2.Plugin); ok {
+			if p.PluginObj.Config.PropagatedMount != "" {
+				home = p.PluginObj.Config.PropagatedMount
+			}
+		}
+	}
+
+	var proxy *graphDriverProxy
+
+	switch pt := pl.(type) {
+	case plugingetter.PluginWithV1Client:
+		proxy = &graphDriverProxy{name, pl, Capabilities{}, pt.Client()}
+	case plugingetter.PluginAddr:
+		if pt.Protocol() != plugins.ProtocolSchemeHTTPV1 {
+			return nil, errors.Errorf("plugin protocol not supported: %s", pt.Protocol())
+		}
+		addr := pt.Addr()
+		client, err := plugins.NewClientWithTimeout(addr.Network()+"://"+addr.String(), nil, pt.Timeout())
+		if err != nil {
+			return nil, errors.Wrap(err, "error creating plugin client")
+		}
+		proxy = &graphDriverProxy{name, pl, Capabilities{}, client}
+	default:
+		return nil, errdefs.System(errors.Errorf("got unknown plugin type %T", pt))
+	}
+
+	return proxy, proxy.Init(filepath.Join(home, name), config.DriverOptions, config.UIDMaps, config.GIDMaps)
+}
diff --git a/engine/daemon/graphdriver/proxy.go b/engine/daemon/graphdriver/proxy.go
new file mode 100644
index 00000000..cb350d80
--- /dev/null
+++ b/engine/daemon/graphdriver/proxy.go
@@ -0,0 +1,264 @@
+package graphdriver // import "github.com/docker/docker/daemon/graphdriver"
+
+import (
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/plugins"
+)
+
+type graphDriverProxy struct {
+	name   string
+	p      plugingetter.CompatPlugin
+	caps   Capabilities
+	client *plugins.Client
+}
+
+type graphDriverRequest struct {
+	ID         string            `json:",omitempty"`
+	Parent     string            `json:",omitempty"`
+	MountLabel string            `json:",omitempty"`
+	StorageOpt map[string]string `json:",omitempty"`
+}
+
+type graphDriverResponse struct {
+	Err          string            `json:",omitempty"`
+	Dir          string            `json:",omitempty"`
+	Exists       bool              `json:",omitempty"`
+	Status       [][2]string       `json:",omitempty"`
+	Changes      []archive.Change  `json:",omitempty"`
+	Size         int64             `json:",omitempty"`
+	Metadata     map[string]string `json:",omitempty"`
+	Capabilities Capabilities      `json:",omitempty"`
+}
+
+type graphDriverInitRequest struct {
+	Home    string
+	Opts    []string        `json:"Opts"`
+	UIDMaps []idtools.IDMap `json:"UIDMaps"`
+	GIDMaps []idtools.IDMap `json:"GIDMaps"`
+}
+
+func (d *graphDriverProxy) Init(home string, opts []string, uidMaps, gidMaps []idtools.IDMap) error {
+	if !d.p.IsV1() {
+		if cp, ok := d.p.(plugingetter.CountedPlugin); ok {
+			// always acquire here, it will be cleaned up on daemon shutdown
+			cp.Acquire()
+		}
+	}
+	args := &graphDriverInitRequest{
+		Home:    home,
+		Opts:    opts,
+		UIDMaps: uidMaps,
+		GIDMaps: gidMaps,
+	}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.Init", args, &ret); err != nil {
+		return err
+	}
+	if ret.Err != "" {
+		return errors.New(ret.Err)
+	}
+	caps, err := d.fetchCaps()
+	if err != nil {
+		return err
+	}
+	d.caps = caps
+	return nil
+}
+
+func (d *graphDriverProxy) fetchCaps() (Capabilities, error) {
+	args := &graphDriverRequest{}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.Capabilities", args, &ret); err != nil {
+		if !plugins.IsNotFound(err) {
+			return Capabilities{}, err
+		}
+	}
+	return ret.Capabilities, nil
+}
+
+func (d *graphDriverProxy) String() string {
+	return d.name
+}
+
+func (d *graphDriverProxy) Capabilities() Capabilities {
+	return d.caps
+}
+
+func (d *graphDriverProxy) CreateReadWrite(id, parent string, opts *CreateOpts) error {
+	return d.create("GraphDriver.CreateReadWrite", id, parent, opts)
+}
+
+func (d *graphDriverProxy) Create(id, parent string, opts *CreateOpts) error {
+	return d.create("GraphDriver.Create", id, parent, opts)
+}
+
+func (d *graphDriverProxy) create(method, id, parent string, opts *CreateOpts) error {
+	args := &graphDriverRequest{
+		ID:     id,
+		Parent: parent,
+	}
+	if opts != nil {
+		args.MountLabel = opts.MountLabel
+		args.StorageOpt = opts.StorageOpt
+	}
+	var ret graphDriverResponse
+	if err := d.client.Call(method, args, &ret); err != nil {
+		return err
+	}
+	if ret.Err != "" {
+		return errors.New(ret.Err)
+	}
+	return nil
+}
+
+func (d *graphDriverProxy) Remove(id string) error {
+	args := &graphDriverRequest{ID: id}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.Remove", args, &ret); err != nil {
+		return err
+	}
+	if ret.Err != "" {
+		return errors.New(ret.Err)
+	}
+	return nil
+}
+
+func (d *graphDriverProxy) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
+	args := &graphDriverRequest{
+		ID:         id,
+		MountLabel: mountLabel,
+	}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.Get", args, &ret); err != nil {
+		return nil, err
+	}
+	var err error
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+	return containerfs.NewLocalContainerFS(d.p.ScopedPath(ret.Dir)), err
+}
+
+func (d *graphDriverProxy) Put(id string) error {
+	args := &graphDriverRequest{ID: id}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.Put", args, &ret); err != nil {
+		return err
+	}
+	if ret.Err != "" {
+		return errors.New(ret.Err)
+	}
+	return nil
+}
+
+func (d *graphDriverProxy) Exists(id string) bool {
+	args := &graphDriverRequest{ID: id}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.Exists", args, &ret); err != nil {
+		return false
+	}
+	return ret.Exists
+}
+
+func (d *graphDriverProxy) Status() [][2]string {
+	args := &graphDriverRequest{}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.Status", args, &ret); err != nil {
+		return nil
+	}
+	return ret.Status
+}
+
+func (d *graphDriverProxy) GetMetadata(id string) (map[string]string, error) {
+	args := &graphDriverRequest{
+		ID: id,
+	}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.GetMetadata", args, &ret); err != nil {
+		return nil, err
+	}
+	if ret.Err != "" {
+		return nil, errors.New(ret.Err)
+	}
+	return ret.Metadata, nil
+}
+
+func (d *graphDriverProxy) Cleanup() error {
+	if !d.p.IsV1() {
+		if cp, ok := d.p.(plugingetter.CountedPlugin); ok {
+			// always release
+			defer cp.Release()
+		}
+	}
+
+	args := &graphDriverRequest{}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.Cleanup", args, &ret); err != nil {
+		return nil
+	}
+	if ret.Err != "" {
+		return errors.New(ret.Err)
+	}
+	return nil
+}
+
+func (d *graphDriverProxy) Diff(id, parent string) (io.ReadCloser, error) {
+	args := &graphDriverRequest{
+		ID:     id,
+		Parent: parent,
+	}
+	body, err := d.client.Stream("GraphDriver.Diff", args)
+	if err != nil {
+		return nil, err
+	}
+	return body, nil
+}
+
+func (d *graphDriverProxy) Changes(id, parent string) ([]archive.Change, error) {
+	args := &graphDriverRequest{
+		ID:     id,
+		Parent: parent,
+	}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.Changes", args, &ret); err != nil {
+		return nil, err
+	}
+	if ret.Err != "" {
+		return nil, errors.New(ret.Err)
+	}
+
+	return ret.Changes, nil
+}
+
+func (d *graphDriverProxy) ApplyDiff(id, parent string, diff io.Reader) (int64, error) {
+	var ret graphDriverResponse
+	if err := d.client.SendFile(fmt.Sprintf("GraphDriver.ApplyDiff?id=%s&parent=%s", id, parent), diff, &ret); err != nil {
+		return -1, err
+	}
+	if ret.Err != "" {
+		return -1, errors.New(ret.Err)
+	}
+	return ret.Size, nil
+}
+
+func (d *graphDriverProxy) DiffSize(id, parent string) (int64, error) {
+	args := &graphDriverRequest{
+		ID:     id,
+		Parent: parent,
+	}
+	var ret graphDriverResponse
+	if err := d.client.Call("GraphDriver.DiffSize", args, &ret); err != nil {
+		return -1, err
+	}
+	if ret.Err != "" {
+		return -1, errors.New(ret.Err)
+	}
+	return ret.Size, nil
+}
diff --git a/engine/daemon/graphdriver/quota/errors.go b/engine/daemon/graphdriver/quota/errors.go
new file mode 100644
index 00000000..68e79747
--- /dev/null
+++ b/engine/daemon/graphdriver/quota/errors.go
@@ -0,0 +1,19 @@
+package quota // import "github.com/docker/docker/daemon/graphdriver/quota"
+
+import "github.com/docker/docker/errdefs"
+
+var (
+	_ errdefs.ErrNotImplemented = (*errQuotaNotSupported)(nil)
+)
+
+// ErrQuotaNotSupported indicates if were found the FS didn't have projects quotas available
+var ErrQuotaNotSupported = errQuotaNotSupported{}
+
+type errQuotaNotSupported struct {
+}
+
+func (e errQuotaNotSupported) NotImplemented() {}
+
+func (e errQuotaNotSupported) Error() string {
+	return "Filesystem does not support, or has not enabled quotas"
+}
diff --git a/engine/daemon/graphdriver/quota/projectquota.go b/engine/daemon/graphdriver/quota/projectquota.go
new file mode 100644
index 00000000..93e85823
--- /dev/null
+++ b/engine/daemon/graphdriver/quota/projectquota.go
@@ -0,0 +1,384 @@
+// +build linux
+
+//
+// projectquota.go - implements XFS project quota controls
+// for setting quota limits on a newly created directory.
+// It currently supports the legacy XFS specific ioctls.
+//
+// TODO: use generic quota control ioctl FS_IOC_FS{GET,SET}XATTR
+//       for both xfs/ext4 for kernel version >= v4.5
+//
+
+package quota // import "github.com/docker/docker/daemon/graphdriver/quota"
+
+/*
+#include <stdlib.h>
+#include <dirent.h>
+#include <linux/fs.h>
+#include <linux/quota.h>
+#include <linux/dqblk_xfs.h>
+
+#ifndef FS_XFLAG_PROJINHERIT
+struct fsxattr {
+	__u32		fsx_xflags;
+	__u32		fsx_extsize;
+	__u32		fsx_nextents;
+	__u32		fsx_projid;
+	unsigned char	fsx_pad[12];
+};
+#define FS_XFLAG_PROJINHERIT	0x00000200
+#endif
+#ifndef FS_IOC_FSGETXATTR
+#define FS_IOC_FSGETXATTR		_IOR ('X', 31, struct fsxattr)
+#endif
+#ifndef FS_IOC_FSSETXATTR
+#define FS_IOC_FSSETXATTR		_IOW ('X', 32, struct fsxattr)
+#endif
+
+#ifndef PRJQUOTA
+#define PRJQUOTA	2
+#endif
+#ifndef XFS_PROJ_QUOTA
+#define XFS_PROJ_QUOTA	2
+#endif
+#ifndef Q_XSETPQLIM
+#define Q_XSETPQLIM QCMD(Q_XSETQLIM, PRJQUOTA)
+#endif
+#ifndef Q_XGETPQUOTA
+#define Q_XGETPQUOTA QCMD(Q_XGETQUOTA, PRJQUOTA)
+#endif
+
+const int Q_XGETQSTAT_PRJQUOTA = QCMD(Q_XGETQSTAT, PRJQUOTA);
+*/
+import "C"
+import (
+	"fmt"
+	"io/ioutil"
+	"path"
+	"path/filepath"
+	"unsafe"
+
+	rsystem "github.com/opencontainers/runc/libcontainer/system"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// Quota limit params - currently we only control blocks hard limit
+type Quota struct {
+	Size uint64
+}
+
+// Control - Context to be used by storage driver (e.g. overlay)
+// who wants to apply project quotas to container dirs
+type Control struct {
+	backingFsBlockDev string
+	nextProjectID     uint32
+	quotas            map[string]uint32
+}
+
+// NewControl - initialize project quota support.
+// Test to make sure that quota can be set on a test dir and find
+// the first project id to be used for the next container create.
+//
+// Returns nil (and error) if project quota is not supported.
+//
+// First get the project id of the home directory.
+// This test will fail if the backing fs is not xfs.
+//
+// xfs_quota tool can be used to assign a project id to the driver home directory, e.g.:
+//    echo 999:/var/lib/docker/overlay2 >> /etc/projects
+//    echo docker:999 >> /etc/projid
+//    xfs_quota -x -c 'project -s docker' /<xfs mount point>
+//
+// In that case, the home directory project id will be used as a "start offset"
+// and all containers will be assigned larger project ids (e.g. >= 1000).
+// This is a way to prevent xfs_quota management from conflicting with docker.
+//
+// Then try to create a test directory with the next project id and set a quota
+// on it. If that works, continue to scan existing containers to map allocated
+// project ids.
+//
+func NewControl(basePath string) (*Control, error) {
+	//
+	// If we are running in a user namespace quota won't be supported for
+	// now since makeBackingFsDev() will try to mknod().
+	//
+	if rsystem.RunningInUserNS() {
+		return nil, ErrQuotaNotSupported
+	}
+
+	//
+	// create backing filesystem device node
+	//
+	backingFsBlockDev, err := makeBackingFsDev(basePath)
+	if err != nil {
+		return nil, err
+	}
+
+	// check if we can call quotactl with project quotas
+	// as a mechanism to determine (early) if we have support
+	hasQuotaSupport, err := hasQuotaSupport(backingFsBlockDev)
+	if err != nil {
+		return nil, err
+	}
+	if !hasQuotaSupport {
+		return nil, ErrQuotaNotSupported
+	}
+
+	//
+	// Get project id of parent dir as minimal id to be used by driver
+	//
+	minProjectID, err := getProjectID(basePath)
+	if err != nil {
+		return nil, err
+	}
+	minProjectID++
+
+	//
+	// Test if filesystem supports project quotas by trying to set
+	// a quota on the first available project id
+	//
+	quota := Quota{
+		Size: 0,
+	}
+	if err := setProjectQuota(backingFsBlockDev, minProjectID, quota); err != nil {
+		return nil, err
+	}
+
+	q := Control{
+		backingFsBlockDev: backingFsBlockDev,
+		nextProjectID:     minProjectID + 1,
+		quotas:            make(map[string]uint32),
+	}
+
+	//
+	// get first project id to be used for next container
+	//
+	err = q.findNextProjectID(basePath)
+	if err != nil {
+		return nil, err
+	}
+
+	logrus.Debugf("NewControl(%s): nextProjectID = %d", basePath, q.nextProjectID)
+	return &q, nil
+}
+
+// SetQuota - assign a unique project id to directory and set the quota limits
+// for that project id
+func (q *Control) SetQuota(targetPath string, quota Quota) error {
+
+	projectID, ok := q.quotas[targetPath]
+	if !ok {
+		projectID = q.nextProjectID
+
+		//
+		// assign project id to new container directory
+		//
+		err := setProjectID(targetPath, projectID)
+		if err != nil {
+			return err
+		}
+
+		q.quotas[targetPath] = projectID
+		q.nextProjectID++
+	}
+
+	//
+	// set the quota limit for the container's project id
+	//
+	logrus.Debugf("SetQuota(%s, %d): projectID=%d", targetPath, quota.Size, projectID)
+	return setProjectQuota(q.backingFsBlockDev, projectID, quota)
+}
+
+// setProjectQuota - set the quota for project id on xfs block device
+func setProjectQuota(backingFsBlockDev string, projectID uint32, quota Quota) error {
+	var d C.fs_disk_quota_t
+	d.d_version = C.FS_DQUOT_VERSION
+	d.d_id = C.__u32(projectID)
+	d.d_flags = C.XFS_PROJ_QUOTA
+
+	d.d_fieldmask = C.FS_DQ_BHARD | C.FS_DQ_BSOFT
+	d.d_blk_hardlimit = C.__u64(quota.Size / 512)
+	d.d_blk_softlimit = d.d_blk_hardlimit
+
+	var cs = C.CString(backingFsBlockDev)
+	defer C.free(unsafe.Pointer(cs))
+
+	_, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, C.Q_XSETPQLIM,
+		uintptr(unsafe.Pointer(cs)), uintptr(d.d_id),
+		uintptr(unsafe.Pointer(&d)), 0, 0)
+	if errno != 0 {
+		return fmt.Errorf("Failed to set quota limit for projid %d on %s: %v",
+			projectID, backingFsBlockDev, errno.Error())
+	}
+
+	return nil
+}
+
+// GetQuota - get the quota limits of a directory that was configured with SetQuota
+func (q *Control) GetQuota(targetPath string, quota *Quota) error {
+
+	projectID, ok := q.quotas[targetPath]
+	if !ok {
+		return fmt.Errorf("quota not found for path : %s", targetPath)
+	}
+
+	//
+	// get the quota limit for the container's project id
+	//
+	var d C.fs_disk_quota_t
+
+	var cs = C.CString(q.backingFsBlockDev)
+	defer C.free(unsafe.Pointer(cs))
+
+	_, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, C.Q_XGETPQUOTA,
+		uintptr(unsafe.Pointer(cs)), uintptr(C.__u32(projectID)),
+		uintptr(unsafe.Pointer(&d)), 0, 0)
+	if errno != 0 {
+		return fmt.Errorf("Failed to get quota limit for projid %d on %s: %v",
+			projectID, q.backingFsBlockDev, errno.Error())
+	}
+	quota.Size = uint64(d.d_blk_hardlimit) * 512
+
+	return nil
+}
+
+// getProjectID - get the project id of path on xfs
+func getProjectID(targetPath string) (uint32, error) {
+	dir, err := openDir(targetPath)
+	if err != nil {
+		return 0, err
+	}
+	defer closeDir(dir)
+
+	var fsx C.struct_fsxattr
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSGETXATTR,
+		uintptr(unsafe.Pointer(&fsx)))
+	if errno != 0 {
+		return 0, fmt.Errorf("Failed to get projid for %s: %v", targetPath, errno.Error())
+	}
+
+	return uint32(fsx.fsx_projid), nil
+}
+
+// setProjectID - set the project id of path on xfs
+func setProjectID(targetPath string, projectID uint32) error {
+	dir, err := openDir(targetPath)
+	if err != nil {
+		return err
+	}
+	defer closeDir(dir)
+
+	var fsx C.struct_fsxattr
+	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSGETXATTR,
+		uintptr(unsafe.Pointer(&fsx)))
+	if errno != 0 {
+		return fmt.Errorf("Failed to get projid for %s: %v", targetPath, errno.Error())
+	}
+	fsx.fsx_projid = C.__u32(projectID)
+	fsx.fsx_xflags |= C.FS_XFLAG_PROJINHERIT
+	_, _, errno = unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.FS_IOC_FSSETXATTR,
+		uintptr(unsafe.Pointer(&fsx)))
+	if errno != 0 {
+		return fmt.Errorf("Failed to set projid for %s: %v", targetPath, errno.Error())
+	}
+
+	return nil
+}
+
+// findNextProjectID - find the next project id to be used for containers
+// by scanning driver home directory to find used project ids
+func (q *Control) findNextProjectID(home string) error {
+	files, err := ioutil.ReadDir(home)
+	if err != nil {
+		return fmt.Errorf("read directory failed : %s", home)
+	}
+	for _, file := range files {
+		if !file.IsDir() {
+			continue
+		}
+		path := filepath.Join(home, file.Name())
+		projid, err := getProjectID(path)
+		if err != nil {
+			return err
+		}
+		if projid > 0 {
+			q.quotas[path] = projid
+		}
+		if q.nextProjectID <= projid {
+			q.nextProjectID = projid + 1
+		}
+	}
+
+	return nil
+}
+
+func free(p *C.char) {
+	C.free(unsafe.Pointer(p))
+}
+
+func openDir(path string) (*C.DIR, error) {
+	Cpath := C.CString(path)
+	defer free(Cpath)
+
+	dir := C.opendir(Cpath)
+	if dir == nil {
+		return nil, fmt.Errorf("Can't open dir")
+	}
+	return dir, nil
+}
+
+func closeDir(dir *C.DIR) {
+	if dir != nil {
+		C.closedir(dir)
+	}
+}
+
+func getDirFd(dir *C.DIR) uintptr {
+	return uintptr(C.dirfd(dir))
+}
+
+// Get the backing block device of the driver home directory
+// and create a block device node under the home directory
+// to be used by quotactl commands
+func makeBackingFsDev(home string) (string, error) {
+	var stat unix.Stat_t
+	if err := unix.Stat(home, &stat); err != nil {
+		return "", err
+	}
+
+	backingFsBlockDev := path.Join(home, "backingFsBlockDev")
+	// Re-create just in case someone copied the home directory over to a new device
+	unix.Unlink(backingFsBlockDev)
+	err := unix.Mknod(backingFsBlockDev, unix.S_IFBLK|0600, int(stat.Dev))
+	switch err {
+	case nil:
+		return backingFsBlockDev, nil
+
+	case unix.ENOSYS:
+		return "", ErrQuotaNotSupported
+
+	default:
+		return "", fmt.Errorf("Failed to mknod %s: %v", backingFsBlockDev, err)
+	}
+}
+
+func hasQuotaSupport(backingFsBlockDev string) (bool, error) {
+	var cs = C.CString(backingFsBlockDev)
+	defer free(cs)
+	var qstat C.fs_quota_stat_t
+
+	_, _, errno := unix.Syscall6(unix.SYS_QUOTACTL, uintptr(C.Q_XGETQSTAT_PRJQUOTA), uintptr(unsafe.Pointer(cs)), 0, uintptr(unsafe.Pointer(&qstat)), 0, 0)
+	if errno == 0 && qstat.qs_flags&C.FS_QUOTA_PDQ_ENFD > 0 && qstat.qs_flags&C.FS_QUOTA_PDQ_ACCT > 0 {
+		return true, nil
+	}
+
+	switch errno {
+	// These are the known fatal errors, consider all other errors (ENOTTY, etc.. not supporting quota)
+	case unix.EFAULT, unix.ENOENT, unix.ENOTBLK, unix.EPERM:
+	default:
+		return false, nil
+	}
+
+	return false, errno
+}
diff --git a/engine/daemon/graphdriver/quota/projectquota_test.go b/engine/daemon/graphdriver/quota/projectquota_test.go
new file mode 100644
index 00000000..aa164cc4
--- /dev/null
+++ b/engine/daemon/graphdriver/quota/projectquota_test.go
@@ -0,0 +1,152 @@
+// +build linux
+
+package quota // import "github.com/docker/docker/daemon/graphdriver/quota"
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+
+	"golang.org/x/sys/unix"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+// 10MB
+const testQuotaSize = 10 * 1024 * 1024
+const imageSize = 64 * 1024 * 1024
+
+func TestBlockDev(t *testing.T) {
+	mkfs, err := exec.LookPath("mkfs.xfs")
+	if err != nil {
+		t.Skip("mkfs.xfs not found in PATH")
+	}
+
+	// create a sparse image
+	imageFile, err := ioutil.TempFile("", "xfs-image")
+	if err != nil {
+		t.Fatal(err)
+	}
+	imageFileName := imageFile.Name()
+	defer os.Remove(imageFileName)
+	if _, err = imageFile.Seek(imageSize-1, 0); err != nil {
+		t.Fatal(err)
+	}
+	if _, err = imageFile.Write([]byte{0}); err != nil {
+		t.Fatal(err)
+	}
+	if err = imageFile.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	// The reason for disabling these options is sometimes people run with a newer userspace
+	// than kernelspace
+	out, err := exec.Command(mkfs, "-m", "crc=0,finobt=0", imageFileName).CombinedOutput()
+	if len(out) > 0 {
+		t.Log(string(out))
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Run("testBlockDevQuotaDisabled", wrapMountTest(imageFileName, false, testBlockDevQuotaDisabled))
+	t.Run("testBlockDevQuotaEnabled", wrapMountTest(imageFileName, true, testBlockDevQuotaEnabled))
+	t.Run("testSmallerThanQuota", wrapMountTest(imageFileName, true, wrapQuotaTest(testSmallerThanQuota)))
+	t.Run("testBiggerThanQuota", wrapMountTest(imageFileName, true, wrapQuotaTest(testBiggerThanQuota)))
+	t.Run("testRetrieveQuota", wrapMountTest(imageFileName, true, wrapQuotaTest(testRetrieveQuota)))
+}
+
+func wrapMountTest(imageFileName string, enableQuota bool, testFunc func(t *testing.T, mountPoint, backingFsDev string)) func(*testing.T) {
+	return func(t *testing.T) {
+		mountOptions := "loop"
+
+		if enableQuota {
+			mountOptions = mountOptions + ",prjquota"
+		}
+
+		mountPointDir := fs.NewDir(t, "xfs-mountPoint")
+		defer mountPointDir.Remove()
+		mountPoint := mountPointDir.Path()
+
+		out, err := exec.Command("mount", "-o", mountOptions, imageFileName, mountPoint).CombinedOutput()
+		if err != nil {
+			_, err := os.Stat("/proc/fs/xfs")
+			if os.IsNotExist(err) {
+				t.Skip("no /proc/fs/xfs")
+			}
+		}
+
+		assert.NilError(t, err, "mount failed: %s", out)
+
+		defer func() {
+			assert.NilError(t, unix.Unmount(mountPoint, 0))
+		}()
+
+		backingFsDev, err := makeBackingFsDev(mountPoint)
+		assert.NilError(t, err)
+
+		testFunc(t, mountPoint, backingFsDev)
+	}
+}
+
+func testBlockDevQuotaDisabled(t *testing.T, mountPoint, backingFsDev string) {
+	hasSupport, err := hasQuotaSupport(backingFsDev)
+	assert.NilError(t, err)
+	assert.Check(t, !hasSupport)
+}
+
+func testBlockDevQuotaEnabled(t *testing.T, mountPoint, backingFsDev string) {
+	hasSupport, err := hasQuotaSupport(backingFsDev)
+	assert.NilError(t, err)
+	assert.Check(t, hasSupport)
+}
+
+func wrapQuotaTest(testFunc func(t *testing.T, ctrl *Control, mountPoint, testDir, testSubDir string)) func(t *testing.T, mountPoint, backingFsDev string) {
+	return func(t *testing.T, mountPoint, backingFsDev string) {
+		testDir, err := ioutil.TempDir(mountPoint, "per-test")
+		assert.NilError(t, err)
+		defer os.RemoveAll(testDir)
+
+		ctrl, err := NewControl(testDir)
+		assert.NilError(t, err)
+
+		testSubDir, err := ioutil.TempDir(testDir, "quota-test")
+		assert.NilError(t, err)
+		testFunc(t, ctrl, mountPoint, testDir, testSubDir)
+	}
+
+}
+
+func testSmallerThanQuota(t *testing.T, ctrl *Control, homeDir, testDir, testSubDir string) {
+	assert.NilError(t, ctrl.SetQuota(testSubDir, Quota{testQuotaSize}))
+	smallerThanQuotaFile := filepath.Join(testSubDir, "smaller-than-quota")
+	assert.NilError(t, ioutil.WriteFile(smallerThanQuotaFile, make([]byte, testQuotaSize/2), 0644))
+	assert.NilError(t, os.Remove(smallerThanQuotaFile))
+}
+
+func testBiggerThanQuota(t *testing.T, ctrl *Control, homeDir, testDir, testSubDir string) {
+	// Make sure the quota is being enforced
+	// TODO: When we implement this under EXT4, we need to shed CAP_SYS_RESOURCE, otherwise
+	// we're able to violate quota without issue
+	assert.NilError(t, ctrl.SetQuota(testSubDir, Quota{testQuotaSize}))
+
+	biggerThanQuotaFile := filepath.Join(testSubDir, "bigger-than-quota")
+	err := ioutil.WriteFile(biggerThanQuotaFile, make([]byte, testQuotaSize+1), 0644)
+	assert.Assert(t, is.ErrorContains(err, ""))
+	if err == io.ErrShortWrite {
+		assert.NilError(t, os.Remove(biggerThanQuotaFile))
+	}
+}
+
+func testRetrieveQuota(t *testing.T, ctrl *Control, homeDir, testDir, testSubDir string) {
+	// Validate that we can retrieve quota
+	assert.NilError(t, ctrl.SetQuota(testSubDir, Quota{testQuotaSize}))
+
+	var q Quota
+	assert.NilError(t, ctrl.GetQuota(testSubDir, &q))
+	assert.Check(t, is.Equal(uint64(testQuotaSize), q.Size))
+}
diff --git a/engine/daemon/graphdriver/register/register_aufs.go b/engine/daemon/graphdriver/register/register_aufs.go
new file mode 100644
index 00000000..ec18d1d3
--- /dev/null
+++ b/engine/daemon/graphdriver/register/register_aufs.go
@@ -0,0 +1,8 @@
+// +build !exclude_graphdriver_aufs,linux
+
+package register // import "github.com/docker/docker/daemon/graphdriver/register"
+
+import (
+	// register the aufs graphdriver
+	_ "github.com/docker/docker/daemon/graphdriver/aufs"
+)
diff --git a/engine/daemon/graphdriver/register/register_btrfs.go b/engine/daemon/graphdriver/register/register_btrfs.go
new file mode 100644
index 00000000..2f8c6705
--- /dev/null
+++ b/engine/daemon/graphdriver/register/register_btrfs.go
@@ -0,0 +1,8 @@
+// +build !exclude_graphdriver_btrfs,linux
+
+package register // import "github.com/docker/docker/daemon/graphdriver/register"
+
+import (
+	// register the btrfs graphdriver
+	_ "github.com/docker/docker/daemon/graphdriver/btrfs"
+)
diff --git a/engine/daemon/graphdriver/register/register_devicemapper.go b/engine/daemon/graphdriver/register/register_devicemapper.go
new file mode 100644
index 00000000..ccbb8bfa
--- /dev/null
+++ b/engine/daemon/graphdriver/register/register_devicemapper.go
@@ -0,0 +1,8 @@
+// +build !exclude_graphdriver_devicemapper,!static_build,linux
+
+package register // import "github.com/docker/docker/daemon/graphdriver/register"
+
+import (
+	// register the devmapper graphdriver
+	_ "github.com/docker/docker/daemon/graphdriver/devmapper"
+)
diff --git a/engine/daemon/graphdriver/register/register_overlay.go b/engine/daemon/graphdriver/register/register_overlay.go
new file mode 100644
index 00000000..a2e384d5
--- /dev/null
+++ b/engine/daemon/graphdriver/register/register_overlay.go
@@ -0,0 +1,8 @@
+// +build !exclude_graphdriver_overlay,linux
+
+package register // import "github.com/docker/docker/daemon/graphdriver/register"
+
+import (
+	// register the overlay graphdriver
+	_ "github.com/docker/docker/daemon/graphdriver/overlay"
+)
diff --git a/engine/daemon/graphdriver/register/register_overlay2.go b/engine/daemon/graphdriver/register/register_overlay2.go
new file mode 100644
index 00000000..bcd2cee2
--- /dev/null
+++ b/engine/daemon/graphdriver/register/register_overlay2.go
@@ -0,0 +1,8 @@
+// +build !exclude_graphdriver_overlay2,linux
+
+package register // import "github.com/docker/docker/daemon/graphdriver/register"
+
+import (
+	// register the overlay2 graphdriver
+	_ "github.com/docker/docker/daemon/graphdriver/overlay2"
+)
diff --git a/engine/daemon/graphdriver/register/register_vfs.go b/engine/daemon/graphdriver/register/register_vfs.go
new file mode 100644
index 00000000..26f33a21
--- /dev/null
+++ b/engine/daemon/graphdriver/register/register_vfs.go
@@ -0,0 +1,6 @@
+package register // import "github.com/docker/docker/daemon/graphdriver/register"
+
+import (
+	// register vfs
+	_ "github.com/docker/docker/daemon/graphdriver/vfs"
+)
diff --git a/engine/daemon/graphdriver/register/register_windows.go b/engine/daemon/graphdriver/register/register_windows.go
new file mode 100644
index 00000000..cd612cbe
--- /dev/null
+++ b/engine/daemon/graphdriver/register/register_windows.go
@@ -0,0 +1,7 @@
+package register // import "github.com/docker/docker/daemon/graphdriver/register"
+
+import (
+	// register the windows graph drivers
+	_ "github.com/docker/docker/daemon/graphdriver/lcow"
+	_ "github.com/docker/docker/daemon/graphdriver/windows"
+)
diff --git a/engine/daemon/graphdriver/register/register_zfs.go b/engine/daemon/graphdriver/register/register_zfs.go
new file mode 100644
index 00000000..b137ad25
--- /dev/null
+++ b/engine/daemon/graphdriver/register/register_zfs.go
@@ -0,0 +1,8 @@
+// +build !exclude_graphdriver_zfs,linux !exclude_graphdriver_zfs,freebsd
+
+package register // import "github.com/docker/docker/daemon/graphdriver/register"
+
+import (
+	// register the zfs driver
+	_ "github.com/docker/docker/daemon/graphdriver/zfs"
+)
diff --git a/engine/daemon/graphdriver/vfs/copy_linux.go b/engine/daemon/graphdriver/vfs/copy_linux.go
new file mode 100644
index 00000000..7276b383
--- /dev/null
+++ b/engine/daemon/graphdriver/vfs/copy_linux.go
@@ -0,0 +1,7 @@
+package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"
+
+import "github.com/docker/docker/daemon/graphdriver/copy"
+
+func dirCopy(srcDir, dstDir string) error {
+	return copy.DirCopy(srcDir, dstDir, copy.Content, false)
+}
diff --git a/engine/daemon/graphdriver/vfs/copy_unsupported.go b/engine/daemon/graphdriver/vfs/copy_unsupported.go
new file mode 100644
index 00000000..894ff02f
--- /dev/null
+++ b/engine/daemon/graphdriver/vfs/copy_unsupported.go
@@ -0,0 +1,9 @@
+// +build !linux
+
+package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"
+
+import "github.com/docker/docker/pkg/chrootarchive"
+
+func dirCopy(srcDir, dstDir string) error {
+	return chrootarchive.NewArchiver(nil).CopyWithTar(srcDir, dstDir)
+}
diff --git a/engine/daemon/graphdriver/vfs/driver.go b/engine/daemon/graphdriver/vfs/driver.go
new file mode 100644
index 00000000..e51cb6c2
--- /dev/null
+++ b/engine/daemon/graphdriver/vfs/driver.go
@@ -0,0 +1,167 @@
+package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/daemon/graphdriver/quota"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/go-units"
+	"github.com/opencontainers/selinux/go-selinux/label"
+)
+
+var (
+	// CopyDir defines the copy method to use.
+	CopyDir = dirCopy
+)
+
+func init() {
+	graphdriver.Register("vfs", Init)
+}
+
+// Init returns a new VFS driver.
+// This sets the home directory for the driver and returns NaiveDiffDriver.
+func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) {
+	d := &Driver{
+		home:       home,
+		idMappings: idtools.NewIDMappingsFromMaps(uidMaps, gidMaps),
+	}
+	rootIDs := d.idMappings.RootPair()
+	if err := idtools.MkdirAllAndChown(home, 0700, rootIDs); err != nil {
+		return nil, err
+	}
+
+	setupDriverQuota(d)
+
+	return graphdriver.NewNaiveDiffDriver(d, uidMaps, gidMaps), nil
+}
+
+// Driver holds information about the driver, home directory of the driver.
+// Driver implements graphdriver.ProtoDriver. It uses only basic vfs operations.
+// In order to support layering, files are copied from the parent layer into the new layer. There is no copy-on-write support.
+// Driver must be wrapped in NaiveDiffDriver to be used as a graphdriver.Driver
+type Driver struct {
+	driverQuota
+	home       string
+	idMappings *idtools.IDMappings
+}
+
+func (d *Driver) String() string {
+	return "vfs"
+}
+
+// Status is used for implementing the graphdriver.ProtoDriver interface. VFS does not currently have any status information.
+func (d *Driver) Status() [][2]string {
+	return nil
+}
+
+// GetMetadata is used for implementing the graphdriver.ProtoDriver interface. VFS does not currently have any meta data.
+func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+	return nil, nil
+}
+
+// Cleanup is used to implement graphdriver.ProtoDriver. There is no cleanup required for this driver.
+func (d *Driver) Cleanup() error {
+	return nil
+}
+
+// CreateReadWrite creates a layer that is writable for use as a container
+// file system.
+func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error {
+	var err error
+	var size int64
+
+	if opts != nil {
+		for key, val := range opts.StorageOpt {
+			switch key {
+			case "size":
+				if !d.quotaSupported() {
+					return quota.ErrQuotaNotSupported
+				}
+				if size, err = units.RAMInBytes(val); err != nil {
+					return err
+				}
+			default:
+				return fmt.Errorf("Storage opt %s not supported", key)
+			}
+		}
+	}
+
+	return d.create(id, parent, uint64(size))
+}
+
+// Create prepares the filesystem for the VFS driver and copies the directory for the given id under the parent.
+func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+	if opts != nil && len(opts.StorageOpt) != 0 {
+		return fmt.Errorf("--storage-opt is not supported for vfs on read-only layers")
+	}
+
+	return d.create(id, parent, 0)
+}
+
+func (d *Driver) create(id, parent string, size uint64) error {
+	dir := d.dir(id)
+	rootIDs := d.idMappings.RootPair()
+	if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0700, rootIDs); err != nil {
+		return err
+	}
+	if err := idtools.MkdirAndChown(dir, 0755, rootIDs); err != nil {
+		return err
+	}
+
+	if size != 0 {
+		if err := d.setupQuota(dir, size); err != nil {
+			return err
+		}
+	}
+
+	labelOpts := []string{"level:s0"}
+	if _, mountLabel, err := label.InitLabels(labelOpts); err == nil {
+		label.SetFileLabel(dir, mountLabel)
+	}
+	if parent == "" {
+		return nil
+	}
+	parentDir, err := d.Get(parent, "")
+	if err != nil {
+		return fmt.Errorf("%s: %s", parent, err)
+	}
+	return CopyDir(parentDir.Path(), dir)
+}
+
+func (d *Driver) dir(id string) string {
+	return filepath.Join(d.home, "dir", filepath.Base(id))
+}
+
+// Remove deletes the content from the directory for a given id.
+func (d *Driver) Remove(id string) error {
+	return system.EnsureRemoveAll(d.dir(id))
+}
+
+// Get returns the directory for the given id.
+func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
+	dir := d.dir(id)
+	if st, err := os.Stat(dir); err != nil {
+		return nil, err
+	} else if !st.IsDir() {
+		return nil, fmt.Errorf("%s: not a directory", dir)
+	}
+	return containerfs.NewLocalContainerFS(dir), nil
+}
+
+// Put is a noop for vfs that return nil for the error, since this driver has no runtime resources to clean up.
+func (d *Driver) Put(id string) error {
+	// The vfs driver has no runtime resources (e.g. mounts)
+	// to clean up, so we don't need anything here
+	return nil
+}
+
+// Exists checks to see if the directory exists for the given id.
+func (d *Driver) Exists(id string) bool {
+	_, err := os.Stat(d.dir(id))
+	return err == nil
+}
diff --git a/engine/daemon/graphdriver/vfs/quota_linux.go b/engine/daemon/graphdriver/vfs/quota_linux.go
new file mode 100644
index 00000000..0d5c3a7b
--- /dev/null
+++ b/engine/daemon/graphdriver/vfs/quota_linux.go
@@ -0,0 +1,26 @@
+package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"
+
+import (
+	"github.com/docker/docker/daemon/graphdriver/quota"
+	"github.com/sirupsen/logrus"
+)
+
+type driverQuota struct {
+	quotaCtl *quota.Control
+}
+
+func setupDriverQuota(driver *Driver) {
+	if quotaCtl, err := quota.NewControl(driver.home); err == nil {
+		driver.quotaCtl = quotaCtl
+	} else if err != quota.ErrQuotaNotSupported {
+		logrus.Warnf("Unable to setup quota: %v\n", err)
+	}
+}
+
+func (d *Driver) setupQuota(dir string, size uint64) error {
+	return d.quotaCtl.SetQuota(dir, quota.Quota{Size: size})
+}
+
+func (d *Driver) quotaSupported() bool {
+	return d.quotaCtl != nil
+}
diff --git a/engine/daemon/graphdriver/vfs/quota_unsupported.go b/engine/daemon/graphdriver/vfs/quota_unsupported.go
new file mode 100644
index 00000000..3ae60ac0
--- /dev/null
+++ b/engine/daemon/graphdriver/vfs/quota_unsupported.go
@@ -0,0 +1,20 @@
+// +build !linux
+
+package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"
+
+import "github.com/docker/docker/daemon/graphdriver/quota"
+
+type driverQuota struct {
+}
+
+func setupDriverQuota(driver *Driver) error {
+	return nil
+}
+
+func (d *Driver) setupQuota(dir string, size uint64) error {
+	return quota.ErrQuotaNotSupported
+}
+
+func (d *Driver) quotaSupported() bool {
+	return false
+}
diff --git a/engine/daemon/graphdriver/vfs/vfs_test.go b/engine/daemon/graphdriver/vfs/vfs_test.go
new file mode 100644
index 00000000..7c59ec32
--- /dev/null
+++ b/engine/daemon/graphdriver/vfs/vfs_test.go
@@ -0,0 +1,41 @@
+// +build linux
+
+package vfs // import "github.com/docker/docker/daemon/graphdriver/vfs"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/daemon/graphdriver/graphtest"
+
+	"github.com/docker/docker/pkg/reexec"
+)
+
+func init() {
+	reexec.Init()
+}
+
+// This avoids creating a new driver for each test if all tests are run
+// Make sure to put new tests between TestVfsSetup and TestVfsTeardown
+func TestVfsSetup(t *testing.T) {
+	graphtest.GetDriver(t, "vfs")
+}
+
+func TestVfsCreateEmpty(t *testing.T) {
+	graphtest.DriverTestCreateEmpty(t, "vfs")
+}
+
+func TestVfsCreateBase(t *testing.T) {
+	graphtest.DriverTestCreateBase(t, "vfs")
+}
+
+func TestVfsCreateSnap(t *testing.T) {
+	graphtest.DriverTestCreateSnap(t, "vfs")
+}
+
+func TestVfsSetQuota(t *testing.T) {
+	graphtest.DriverTestSetQuota(t, "vfs", false)
+}
+
+func TestVfsTeardown(t *testing.T) {
+	graphtest.PutDriver(t)
+}
diff --git a/engine/daemon/graphdriver/windows/windows.go b/engine/daemon/graphdriver/windows/windows.go
new file mode 100644
index 00000000..16a52292
--- /dev/null
+++ b/engine/daemon/graphdriver/windows/windows.go
@@ -0,0 +1,942 @@
+//+build windows
+
+package windows // import "github.com/docker/docker/daemon/graphdriver/windows"
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+	"unsafe"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/Microsoft/go-winio/archive/tar"
+	"github.com/Microsoft/go-winio/backuptar"
+	"github.com/Microsoft/hcsshim"
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/longpath"
+	"github.com/docker/docker/pkg/reexec"
+	"github.com/docker/docker/pkg/system"
+	units "github.com/docker/go-units"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+// filterDriver is an HCSShim driver type for the Windows Filter driver.
+const filterDriver = 1
+
+var (
+	// mutatedFiles is a list of files that are mutated by the import process
+	// and must be backed up and restored.
+	mutatedFiles = map[string]string{
+		"UtilityVM/Files/EFI/Microsoft/Boot/BCD":      "bcd.bak",
+		"UtilityVM/Files/EFI/Microsoft/Boot/BCD.LOG":  "bcd.log.bak",
+		"UtilityVM/Files/EFI/Microsoft/Boot/BCD.LOG1": "bcd.log1.bak",
+		"UtilityVM/Files/EFI/Microsoft/Boot/BCD.LOG2": "bcd.log2.bak",
+	}
+	noreexec = false
+)
+
+// init registers the windows graph drivers to the register.
+func init() {
+	graphdriver.Register("windowsfilter", InitFilter)
+	// DOCKER_WINDOWSFILTER_NOREEXEC allows for inline processing which makes
+	// debugging issues in the re-exec codepath significantly easier.
+	if os.Getenv("DOCKER_WINDOWSFILTER_NOREEXEC") != "" {
+		logrus.Warnf("WindowsGraphDriver is set to not re-exec. This is intended for debugging purposes only.")
+		noreexec = true
+	} else {
+		reexec.Register("docker-windows-write-layer", writeLayerReexec)
+	}
+}
+
+type checker struct {
+}
+
+func (c *checker) IsMounted(path string) bool {
+	return false
+}
+
+// Driver represents a windows graph driver.
+type Driver struct {
+	// info stores the shim driver information
+	info hcsshim.DriverInfo
+	ctr  *graphdriver.RefCounter
+	// it is safe for windows to use a cache here because it does not support
+	// restoring containers when the daemon dies.
+	cacheMu sync.Mutex
+	cache   map[string]string
+}
+
+// InitFilter returns a new Windows storage filter driver.
+func InitFilter(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) {
+	logrus.Debugf("WindowsGraphDriver InitFilter at %s", home)
+
+	fsType, err := getFileSystemType(string(home[0]))
+	if err != nil {
+		return nil, err
+	}
+	if strings.ToLower(fsType) == "refs" {
+		return nil, fmt.Errorf("%s is on an ReFS volume - ReFS volumes are not supported", home)
+	}
+
+	if err := idtools.MkdirAllAndChown(home, 0700, idtools.IDPair{UID: 0, GID: 0}); err != nil {
+		return nil, fmt.Errorf("windowsfilter failed to create '%s': %v", home, err)
+	}
+
+	d := &Driver{
+		info: hcsshim.DriverInfo{
+			HomeDir: home,
+			Flavour: filterDriver,
+		},
+		cache: make(map[string]string),
+		ctr:   graphdriver.NewRefCounter(&checker{}),
+	}
+	return d, nil
+}
+
+// win32FromHresult is a helper function to get the win32 error code from an HRESULT
+func win32FromHresult(hr uintptr) uintptr {
+	if hr&0x1fff0000 == 0x00070000 {
+		return hr & 0xffff
+	}
+	return hr
+}
+
+// getFileSystemType obtains the type of a file system through GetVolumeInformation
+// https://msdn.microsoft.com/en-us/library/windows/desktop/aa364993(v=vs.85).aspx
+func getFileSystemType(drive string) (fsType string, hr error) {
+	var (
+		modkernel32              = windows.NewLazySystemDLL("kernel32.dll")
+		procGetVolumeInformation = modkernel32.NewProc("GetVolumeInformationW")
+		buf                      = make([]uint16, 255)
+		size                     = windows.MAX_PATH + 1
+	)
+	if len(drive) != 1 {
+		hr = errors.New("getFileSystemType must be called with a drive letter")
+		return
+	}
+	drive += `:\`
+	n := uintptr(unsafe.Pointer(nil))
+	r0, _, _ := syscall.Syscall9(procGetVolumeInformation.Addr(), 8, uintptr(unsafe.Pointer(windows.StringToUTF16Ptr(drive))), n, n, n, n, n, uintptr(unsafe.Pointer(&buf[0])), uintptr(size), 0)
+	if int32(r0) < 0 {
+		hr = syscall.Errno(win32FromHresult(r0))
+	}
+	fsType = windows.UTF16ToString(buf)
+	return
+}
+
+// String returns the string representation of a driver. This should match
+// the name the graph driver has been registered with.
+func (d *Driver) String() string {
+	return "windowsfilter"
+}
+
+// Status returns the status of the driver.
+func (d *Driver) Status() [][2]string {
+	return [][2]string{
+		{"Windows", ""},
+	}
+}
+
+// Exists returns true if the given id is registered with this driver.
+func (d *Driver) Exists(id string) bool {
+	rID, err := d.resolveID(id)
+	if err != nil {
+		return false
+	}
+	result, err := hcsshim.LayerExists(d.info, rID)
+	if err != nil {
+		return false
+	}
+	return result
+}
+
+// CreateReadWrite creates a layer that is writable for use as a container
+// file system.
+func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error {
+	if opts != nil {
+		return d.create(id, parent, opts.MountLabel, false, opts.StorageOpt)
+	}
+	return d.create(id, parent, "", false, nil)
+}
+
+// Create creates a new read-only layer with the given id.
+func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+	if opts != nil {
+		return d.create(id, parent, opts.MountLabel, true, opts.StorageOpt)
+	}
+	return d.create(id, parent, "", true, nil)
+}
+
+func (d *Driver) create(id, parent, mountLabel string, readOnly bool, storageOpt map[string]string) error {
+	rPId, err := d.resolveID(parent)
+	if err != nil {
+		return err
+	}
+
+	parentChain, err := d.getLayerChain(rPId)
+	if err != nil {
+		return err
+	}
+
+	var layerChain []string
+
+	if rPId != "" {
+		parentPath, err := hcsshim.GetLayerMountPath(d.info, rPId)
+		if err != nil {
+			return err
+		}
+		if _, err := os.Stat(filepath.Join(parentPath, "Files")); err == nil {
+			// This is a legitimate parent layer (not the empty "-init" layer),
+			// so include it in the layer chain.
+			layerChain = []string{parentPath}
+		}
+	}
+
+	layerChain = append(layerChain, parentChain...)
+
+	if readOnly {
+		if err := hcsshim.CreateLayer(d.info, id, rPId); err != nil {
+			return err
+		}
+	} else {
+		var parentPath string
+		if len(layerChain) != 0 {
+			parentPath = layerChain[0]
+		}
+
+		if err := hcsshim.CreateSandboxLayer(d.info, id, parentPath, layerChain); err != nil {
+			return err
+		}
+
+		storageOptions, err := parseStorageOpt(storageOpt)
+		if err != nil {
+			return fmt.Errorf("Failed to parse storage options - %s", err)
+		}
+
+		if storageOptions.size != 0 {
+			if err := hcsshim.ExpandSandboxSize(d.info, id, storageOptions.size); err != nil {
+				return err
+			}
+		}
+	}
+
+	if _, err := os.Lstat(d.dir(parent)); err != nil {
+		if err2 := hcsshim.DestroyLayer(d.info, id); err2 != nil {
+			logrus.Warnf("Failed to DestroyLayer %s: %s", id, err2)
+		}
+		return fmt.Errorf("Cannot create layer with missing parent %s: %s", parent, err)
+	}
+
+	if err := d.setLayerChain(id, layerChain); err != nil {
+		if err2 := hcsshim.DestroyLayer(d.info, id); err2 != nil {
+			logrus.Warnf("Failed to DestroyLayer %s: %s", id, err2)
+		}
+		return err
+	}
+
+	return nil
+}
+
+// dir returns the absolute path to the layer.
+func (d *Driver) dir(id string) string {
+	return filepath.Join(d.info.HomeDir, filepath.Base(id))
+}
+
+// Remove unmounts and removes the dir information.
+func (d *Driver) Remove(id string) error {
+	rID, err := d.resolveID(id)
+	if err != nil {
+		return err
+	}
+
+	// This retry loop is due to a bug in Windows (Internal bug #9432268)
+	// if GetContainers fails with ErrVmcomputeOperationInvalidState
+	// it is a transient error. Retry until it succeeds.
+	var computeSystems []hcsshim.ContainerProperties
+	retryCount := 0
+	osv := system.GetOSVersion()
+	for {
+		// Get and terminate any template VMs that are currently using the layer.
+		// Note: It is unfortunate that we end up in the graphdrivers Remove() call
+		// for both containers and images, but the logic for template VMs is only
+		// needed for images - specifically we are looking to see if a base layer
+		// is in use by a template VM as a result of having started a Hyper-V
+		// container at some point.
+		//
+		// We have a retry loop for ErrVmcomputeOperationInvalidState and
+		// ErrVmcomputeOperationAccessIsDenied as there is a race condition
+		// in RS1 and RS2 building during enumeration when a silo is going away
+		// for example under it, in HCS. AccessIsDenied added to fix 30278.
+		//
+		// TODO @jhowardmsft - For RS3, we can remove the retries. Also consider
+		// using platform APIs (if available) to get this more succinctly. Also
+		// consider enhancing the Remove() interface to have context of why
+		// the remove is being called - that could improve efficiency by not
+		// enumerating compute systems during a remove of a container as it's
+		// not required.
+		computeSystems, err = hcsshim.GetContainers(hcsshim.ComputeSystemQuery{})
+		if err != nil {
+			if (osv.Build < 15139) &&
+				((err == hcsshim.ErrVmcomputeOperationInvalidState) || (err == hcsshim.ErrVmcomputeOperationAccessIsDenied)) {
+				if retryCount >= 500 {
+					break
+				}
+				retryCount++
+				time.Sleep(10 * time.Millisecond)
+				continue
+			}
+			return err
+		}
+		break
+	}
+
+	for _, computeSystem := range computeSystems {
+		if strings.Contains(computeSystem.RuntimeImagePath, id) && computeSystem.IsRuntimeTemplate {
+			container, err := hcsshim.OpenContainer(computeSystem.ID)
+			if err != nil {
+				return err
+			}
+			defer container.Close()
+			err = container.Terminate()
+			if hcsshim.IsPending(err) {
+				err = container.Wait()
+			} else if hcsshim.IsAlreadyStopped(err) {
+				err = nil
+			}
+
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	layerPath := filepath.Join(d.info.HomeDir, rID)
+	tmpID := fmt.Sprintf("%s-removing", rID)
+	tmpLayerPath := filepath.Join(d.info.HomeDir, tmpID)
+	if err := os.Rename(layerPath, tmpLayerPath); err != nil && !os.IsNotExist(err) {
+		return err
+	}
+	if err := hcsshim.DestroyLayer(d.info, tmpID); err != nil {
+		logrus.Errorf("Failed to DestroyLayer %s: %s", id, err)
+	}
+
+	return nil
+}
+
+// GetLayerPath gets the layer path on host
+func (d *Driver) GetLayerPath(id string) (string, error) {
+	return d.dir(id), nil
+}
+
+// Get returns the rootfs path for the id. This will mount the dir at its given path.
+func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
+	logrus.Debugf("WindowsGraphDriver Get() id %s mountLabel %s", id, mountLabel)
+	var dir string
+
+	rID, err := d.resolveID(id)
+	if err != nil {
+		return nil, err
+	}
+	if count := d.ctr.Increment(rID); count > 1 {
+		return containerfs.NewLocalContainerFS(d.cache[rID]), nil
+	}
+
+	// Getting the layer paths must be done outside of the lock.
+	layerChain, err := d.getLayerChain(rID)
+	if err != nil {
+		d.ctr.Decrement(rID)
+		return nil, err
+	}
+
+	if err := hcsshim.ActivateLayer(d.info, rID); err != nil {
+		d.ctr.Decrement(rID)
+		return nil, err
+	}
+	if err := hcsshim.PrepareLayer(d.info, rID, layerChain); err != nil {
+		d.ctr.Decrement(rID)
+		if err2 := hcsshim.DeactivateLayer(d.info, rID); err2 != nil {
+			logrus.Warnf("Failed to Deactivate %s: %s", id, err)
+		}
+		return nil, err
+	}
+
+	mountPath, err := hcsshim.GetLayerMountPath(d.info, rID)
+	if err != nil {
+		d.ctr.Decrement(rID)
+		if err := hcsshim.UnprepareLayer(d.info, rID); err != nil {
+			logrus.Warnf("Failed to Unprepare %s: %s", id, err)
+		}
+		if err2 := hcsshim.DeactivateLayer(d.info, rID); err2 != nil {
+			logrus.Warnf("Failed to Deactivate %s: %s", id, err)
+		}
+		return nil, err
+	}
+	d.cacheMu.Lock()
+	d.cache[rID] = mountPath
+	d.cacheMu.Unlock()
+
+	// If the layer has a mount path, use that. Otherwise, use the
+	// folder path.
+	if mountPath != "" {
+		dir = mountPath
+	} else {
+		dir = d.dir(id)
+	}
+
+	return containerfs.NewLocalContainerFS(dir), nil
+}
+
+// Put adds a new layer to the driver.
+func (d *Driver) Put(id string) error {
+	logrus.Debugf("WindowsGraphDriver Put() id %s", id)
+
+	rID, err := d.resolveID(id)
+	if err != nil {
+		return err
+	}
+	if count := d.ctr.Decrement(rID); count > 0 {
+		return nil
+	}
+	d.cacheMu.Lock()
+	_, exists := d.cache[rID]
+	delete(d.cache, rID)
+	d.cacheMu.Unlock()
+
+	// If the cache was not populated, then the layer was left unprepared and deactivated
+	if !exists {
+		return nil
+	}
+
+	if err := hcsshim.UnprepareLayer(d.info, rID); err != nil {
+		return err
+	}
+	return hcsshim.DeactivateLayer(d.info, rID)
+}
+
+// Cleanup ensures the information the driver stores is properly removed.
+// We use this opportunity to cleanup any -removing folders which may be
+// still left if the daemon was killed while it was removing a layer.
+func (d *Driver) Cleanup() error {
+	items, err := ioutil.ReadDir(d.info.HomeDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	// Note we don't return an error below - it's possible the files
+	// are locked. However, next time around after the daemon exits,
+	// we likely will be able to to cleanup successfully. Instead we log
+	// warnings if there are errors.
+	for _, item := range items {
+		if item.IsDir() && strings.HasSuffix(item.Name(), "-removing") {
+			if err := hcsshim.DestroyLayer(d.info, item.Name()); err != nil {
+				logrus.Warnf("Failed to cleanup %s: %s", item.Name(), err)
+			} else {
+				logrus.Infof("Cleaned up %s", item.Name())
+			}
+		}
+	}
+
+	return nil
+}
+
+// Diff produces an archive of the changes between the specified
+// layer and its parent layer which may be "".
+// The layer should be mounted when calling this function
+func (d *Driver) Diff(id, parent string) (_ io.ReadCloser, err error) {
+	rID, err := d.resolveID(id)
+	if err != nil {
+		return
+	}
+
+	layerChain, err := d.getLayerChain(rID)
+	if err != nil {
+		return
+	}
+
+	// this is assuming that the layer is unmounted
+	if err := hcsshim.UnprepareLayer(d.info, rID); err != nil {
+		return nil, err
+	}
+	prepare := func() {
+		if err := hcsshim.PrepareLayer(d.info, rID, layerChain); err != nil {
+			logrus.Warnf("Failed to Deactivate %s: %s", rID, err)
+		}
+	}
+
+	arch, err := d.exportLayer(rID, layerChain)
+	if err != nil {
+		prepare()
+		return
+	}
+	return ioutils.NewReadCloserWrapper(arch, func() error {
+		err := arch.Close()
+		prepare()
+		return err
+	}), nil
+}
+
+// Changes produces a list of changes between the specified layer
+// and its parent layer. If parent is "", then all changes will be ADD changes.
+// The layer should not be mounted when calling this function.
+func (d *Driver) Changes(id, parent string) ([]archive.Change, error) {
+	rID, err := d.resolveID(id)
+	if err != nil {
+		return nil, err
+	}
+	parentChain, err := d.getLayerChain(rID)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := hcsshim.ActivateLayer(d.info, rID); err != nil {
+		return nil, err
+	}
+	defer func() {
+		if err2 := hcsshim.DeactivateLayer(d.info, rID); err2 != nil {
+			logrus.Errorf("changes() failed to DeactivateLayer %s %s: %s", id, rID, err2)
+		}
+	}()
+
+	var changes []archive.Change
+	err = winio.RunWithPrivilege(winio.SeBackupPrivilege, func() error {
+		r, err := hcsshim.NewLayerReader(d.info, id, parentChain)
+		if err != nil {
+			return err
+		}
+		defer r.Close()
+
+		for {
+			name, _, fileInfo, err := r.Next()
+			if err == io.EOF {
+				return nil
+			}
+			if err != nil {
+				return err
+			}
+			name = filepath.ToSlash(name)
+			if fileInfo == nil {
+				changes = append(changes, archive.Change{Path: name, Kind: archive.ChangeDelete})
+			} else {
+				// Currently there is no way to tell between an add and a modify.
+				changes = append(changes, archive.Change{Path: name, Kind: archive.ChangeModify})
+			}
+		}
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return changes, nil
+}
+
+// ApplyDiff extracts the changeset from the given diff into the
+// layer with the specified id and parent, returning the size of the
+// new layer in bytes.
+// The layer should not be mounted when calling this function
+func (d *Driver) ApplyDiff(id, parent string, diff io.Reader) (int64, error) {
+	var layerChain []string
+	if parent != "" {
+		rPId, err := d.resolveID(parent)
+		if err != nil {
+			return 0, err
+		}
+		parentChain, err := d.getLayerChain(rPId)
+		if err != nil {
+			return 0, err
+		}
+		parentPath, err := hcsshim.GetLayerMountPath(d.info, rPId)
+		if err != nil {
+			return 0, err
+		}
+		layerChain = append(layerChain, parentPath)
+		layerChain = append(layerChain, parentChain...)
+	}
+
+	size, err := d.importLayer(id, diff, layerChain)
+	if err != nil {
+		return 0, err
+	}
+
+	if err = d.setLayerChain(id, layerChain); err != nil {
+		return 0, err
+	}
+
+	return size, nil
+}
+
+// DiffSize calculates the changes between the specified layer
+// and its parent and returns the size in bytes of the changes
+// relative to its base filesystem directory.
+func (d *Driver) DiffSize(id, parent string) (size int64, err error) {
+	rPId, err := d.resolveID(parent)
+	if err != nil {
+		return
+	}
+
+	changes, err := d.Changes(id, rPId)
+	if err != nil {
+		return
+	}
+
+	layerFs, err := d.Get(id, "")
+	if err != nil {
+		return
+	}
+	defer d.Put(id)
+
+	return archive.ChangesSize(layerFs.Path(), changes), nil
+}
+
+// GetMetadata returns custom driver information.
+func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+	m := make(map[string]string)
+	m["dir"] = d.dir(id)
+	return m, nil
+}
+
+func writeTarFromLayer(r hcsshim.LayerReader, w io.Writer) error {
+	t := tar.NewWriter(w)
+	for {
+		name, size, fileInfo, err := r.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+		if fileInfo == nil {
+			// Write a whiteout file.
+			hdr := &tar.Header{
+				Name: filepath.ToSlash(filepath.Join(filepath.Dir(name), archive.WhiteoutPrefix+filepath.Base(name))),
+			}
+			err := t.WriteHeader(hdr)
+			if err != nil {
+				return err
+			}
+		} else {
+			err = backuptar.WriteTarFileFromBackupStream(t, r, name, size, fileInfo)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return t.Close()
+}
+
+// exportLayer generates an archive from a layer based on the given ID.
+func (d *Driver) exportLayer(id string, parentLayerPaths []string) (io.ReadCloser, error) {
+	archive, w := io.Pipe()
+	go func() {
+		err := winio.RunWithPrivilege(winio.SeBackupPrivilege, func() error {
+			r, err := hcsshim.NewLayerReader(d.info, id, parentLayerPaths)
+			if err != nil {
+				return err
+			}
+
+			err = writeTarFromLayer(r, w)
+			cerr := r.Close()
+			if err == nil {
+				err = cerr
+			}
+			return err
+		})
+		w.CloseWithError(err)
+	}()
+
+	return archive, nil
+}
+
+// writeBackupStreamFromTarAndSaveMutatedFiles reads data from a tar stream and
+// writes it to a backup stream, and also saves any files that will be mutated
+// by the import layer process to a backup location.
+func writeBackupStreamFromTarAndSaveMutatedFiles(buf *bufio.Writer, w io.Writer, t *tar.Reader, hdr *tar.Header, root string) (nextHdr *tar.Header, err error) {
+	var bcdBackup *os.File
+	var bcdBackupWriter *winio.BackupFileWriter
+	if backupPath, ok := mutatedFiles[hdr.Name]; ok {
+		bcdBackup, err = os.Create(filepath.Join(root, backupPath))
+		if err != nil {
+			return nil, err
+		}
+		defer func() {
+			cerr := bcdBackup.Close()
+			if err == nil {
+				err = cerr
+			}
+		}()
+
+		bcdBackupWriter = winio.NewBackupFileWriter(bcdBackup, false)
+		defer func() {
+			cerr := bcdBackupWriter.Close()
+			if err == nil {
+				err = cerr
+			}
+		}()
+
+		buf.Reset(io.MultiWriter(w, bcdBackupWriter))
+	} else {
+		buf.Reset(w)
+	}
+
+	defer func() {
+		ferr := buf.Flush()
+		if err == nil {
+			err = ferr
+		}
+	}()
+
+	return backuptar.WriteBackupStreamFromTarFile(buf, t, hdr)
+}
+
+func writeLayerFromTar(r io.Reader, w hcsshim.LayerWriter, root string) (int64, error) {
+	t := tar.NewReader(r)
+	hdr, err := t.Next()
+	totalSize := int64(0)
+	buf := bufio.NewWriter(nil)
+	for err == nil {
+		base := path.Base(hdr.Name)
+		if strings.HasPrefix(base, archive.WhiteoutPrefix) {
+			name := path.Join(path.Dir(hdr.Name), base[len(archive.WhiteoutPrefix):])
+			err = w.Remove(filepath.FromSlash(name))
+			if err != nil {
+				return 0, err
+			}
+			hdr, err = t.Next()
+		} else if hdr.Typeflag == tar.TypeLink {
+			err = w.AddLink(filepath.FromSlash(hdr.Name), filepath.FromSlash(hdr.Linkname))
+			if err != nil {
+				return 0, err
+			}
+			hdr, err = t.Next()
+		} else {
+			var (
+				name     string
+				size     int64
+				fileInfo *winio.FileBasicInfo
+			)
+			name, size, fileInfo, err = backuptar.FileInfoFromHeader(hdr)
+			if err != nil {
+				return 0, err
+			}
+			err = w.Add(filepath.FromSlash(name), fileInfo)
+			if err != nil {
+				return 0, err
+			}
+			hdr, err = writeBackupStreamFromTarAndSaveMutatedFiles(buf, w, t, hdr, root)
+			totalSize += size
+		}
+	}
+	if err != io.EOF {
+		return 0, err
+	}
+	return totalSize, nil
+}
+
+// importLayer adds a new layer to the tag and graph store based on the given data.
+func (d *Driver) importLayer(id string, layerData io.Reader, parentLayerPaths []string) (size int64, err error) {
+	if !noreexec {
+		cmd := reexec.Command(append([]string{"docker-windows-write-layer", d.info.HomeDir, id}, parentLayerPaths...)...)
+		output := bytes.NewBuffer(nil)
+		cmd.Stdin = layerData
+		cmd.Stdout = output
+		cmd.Stderr = output
+
+		if err = cmd.Start(); err != nil {
+			return
+		}
+
+		if err = cmd.Wait(); err != nil {
+			return 0, fmt.Errorf("re-exec error: %v: output: %s", err, output)
+		}
+
+		return strconv.ParseInt(output.String(), 10, 64)
+	}
+	return writeLayer(layerData, d.info.HomeDir, id, parentLayerPaths...)
+}
+
+// writeLayerReexec is the re-exec entry point for writing a layer from a tar file
+func writeLayerReexec() {
+	size, err := writeLayer(os.Stdin, os.Args[1], os.Args[2], os.Args[3:]...)
+	if err != nil {
+		fmt.Fprint(os.Stderr, err)
+		os.Exit(1)
+	}
+	fmt.Fprint(os.Stdout, size)
+}
+
+// writeLayer writes a layer from a tar file.
+func writeLayer(layerData io.Reader, home string, id string, parentLayerPaths ...string) (size int64, retErr error) {
+	err := winio.EnableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege})
+	if err != nil {
+		return 0, err
+	}
+	if noreexec {
+		defer func() {
+			if err := winio.DisableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege}); err != nil {
+				// This should never happen, but just in case when in debugging mode.
+				// See https://github.com/docker/docker/pull/28002#discussion_r86259241 for rationale.
+				panic("Failed to disabled process privileges while in non re-exec mode")
+			}
+		}()
+	}
+
+	info := hcsshim.DriverInfo{
+		Flavour: filterDriver,
+		HomeDir: home,
+	}
+
+	w, err := hcsshim.NewLayerWriter(info, id, parentLayerPaths)
+	if err != nil {
+		return 0, err
+	}
+
+	defer func() {
+		if err := w.Close(); err != nil {
+			// This error should not be discarded as a failure here
+			// could result in an invalid layer on disk
+			if retErr == nil {
+				retErr = err
+			}
+		}
+	}()
+
+	return writeLayerFromTar(layerData, w, filepath.Join(home, id))
+}
+
+// resolveID computes the layerID information based on the given id.
+func (d *Driver) resolveID(id string) (string, error) {
+	content, err := ioutil.ReadFile(filepath.Join(d.dir(id), "layerID"))
+	if os.IsNotExist(err) {
+		return id, nil
+	} else if err != nil {
+		return "", err
+	}
+	return string(content), nil
+}
+
+// setID stores the layerId in disk.
+func (d *Driver) setID(id, altID string) error {
+	return ioutil.WriteFile(filepath.Join(d.dir(id), "layerId"), []byte(altID), 0600)
+}
+
+// getLayerChain returns the layer chain information.
+func (d *Driver) getLayerChain(id string) ([]string, error) {
+	jPath := filepath.Join(d.dir(id), "layerchain.json")
+	content, err := ioutil.ReadFile(jPath)
+	if os.IsNotExist(err) {
+		return nil, nil
+	} else if err != nil {
+		return nil, fmt.Errorf("Unable to read layerchain file - %s", err)
+	}
+
+	var layerChain []string
+	err = json.Unmarshal(content, &layerChain)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to unmarshall layerchain json - %s", err)
+	}
+
+	return layerChain, nil
+}
+
+// setLayerChain stores the layer chain information in disk.
+func (d *Driver) setLayerChain(id string, chain []string) error {
+	content, err := json.Marshal(&chain)
+	if err != nil {
+		return fmt.Errorf("Failed to marshall layerchain json - %s", err)
+	}
+
+	jPath := filepath.Join(d.dir(id), "layerchain.json")
+	err = ioutil.WriteFile(jPath, content, 0600)
+	if err != nil {
+		return fmt.Errorf("Unable to write layerchain file - %s", err)
+	}
+
+	return nil
+}
+
+type fileGetCloserWithBackupPrivileges struct {
+	path string
+}
+
+func (fg *fileGetCloserWithBackupPrivileges) Get(filename string) (io.ReadCloser, error) {
+	if backupPath, ok := mutatedFiles[filename]; ok {
+		return os.Open(filepath.Join(fg.path, backupPath))
+	}
+
+	var f *os.File
+	// Open the file while holding the Windows backup privilege. This ensures that the
+	// file can be opened even if the caller does not actually have access to it according
+	// to the security descriptor. Also use sequential file access to avoid depleting the
+	// standby list - Microsoft VSO Bug Tracker #9900466
+	err := winio.RunWithPrivilege(winio.SeBackupPrivilege, func() error {
+		path := longpath.AddPrefix(filepath.Join(fg.path, filename))
+		p, err := windows.UTF16FromString(path)
+		if err != nil {
+			return err
+		}
+		const fileFlagSequentialScan = 0x08000000 // FILE_FLAG_SEQUENTIAL_SCAN
+		h, err := windows.CreateFile(&p[0], windows.GENERIC_READ, windows.FILE_SHARE_READ, nil, windows.OPEN_EXISTING, windows.FILE_FLAG_BACKUP_SEMANTICS|fileFlagSequentialScan, 0)
+		if err != nil {
+			return &os.PathError{Op: "open", Path: path, Err: err}
+		}
+		f = os.NewFile(uintptr(h), path)
+		return nil
+	})
+	return f, err
+}
+
+func (fg *fileGetCloserWithBackupPrivileges) Close() error {
+	return nil
+}
+
+// DiffGetter returns a FileGetCloser that can read files from the directory that
+// contains files for the layer differences. Used for direct access for tar-split.
+func (d *Driver) DiffGetter(id string) (graphdriver.FileGetCloser, error) {
+	id, err := d.resolveID(id)
+	if err != nil {
+		return nil, err
+	}
+
+	return &fileGetCloserWithBackupPrivileges{d.dir(id)}, nil
+}
+
+type storageOptions struct {
+	size uint64
+}
+
+func parseStorageOpt(storageOpt map[string]string) (*storageOptions, error) {
+	options := storageOptions{}
+
+	// Read size to change the block device size per container.
+	for key, val := range storageOpt {
+		key := strings.ToLower(key)
+		switch key {
+		case "size":
+			size, err := units.RAMInBytes(val)
+			if err != nil {
+				return nil, err
+			}
+			options.size = uint64(size)
+		}
+	}
+	return &options, nil
+}
diff --git a/engine/daemon/graphdriver/zfs/MAINTAINERS b/engine/daemon/graphdriver/zfs/MAINTAINERS
new file mode 100644
index 00000000..9c270c54
--- /dev/null
+++ b/engine/daemon/graphdriver/zfs/MAINTAINERS
@@ -0,0 +1,2 @@
+Jörg Thalheim <joerg@higgsboson.tk> (@Mic92)
+Arthur Gautier <baloo@gandi.net> (@baloose)
diff --git a/engine/daemon/graphdriver/zfs/zfs.go b/engine/daemon/graphdriver/zfs/zfs.go
new file mode 100644
index 00000000..1d9153e1
--- /dev/null
+++ b/engine/daemon/graphdriver/zfs/zfs.go
@@ -0,0 +1,431 @@
+// +build linux freebsd
+
+package zfs // import "github.com/docker/docker/daemon/graphdriver/zfs"
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/parsers"
+	"github.com/mistifyio/go-zfs"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+type zfsOptions struct {
+	fsName    string
+	mountPath string
+}
+
+func init() {
+	graphdriver.Register("zfs", Init)
+}
+
+// Logger returns a zfs logger implementation.
+type Logger struct{}
+
+// Log wraps log message from ZFS driver with a prefix '[zfs]'.
+func (*Logger) Log(cmd []string) {
+	logrus.WithField("storage-driver", "zfs").Debugf("[zfs] %s", strings.Join(cmd, " "))
+}
+
+// Init returns a new ZFS driver.
+// It takes base mount path and an array of options which are represented as key value pairs.
+// Each option is in the for key=value. 'zfs.fsname' is expected to be a valid key in the options.
+func Init(base string, opt []string, uidMaps, gidMaps []idtools.IDMap) (graphdriver.Driver, error) {
+	var err error
+
+	logger := logrus.WithField("storage-driver", "zfs")
+
+	if _, err := exec.LookPath("zfs"); err != nil {
+		logger.Debugf("zfs command is not available: %v", err)
+		return nil, graphdriver.ErrPrerequisites
+	}
+
+	file, err := os.OpenFile("/dev/zfs", os.O_RDWR, 600)
+	if err != nil {
+		logger.Debugf("cannot open /dev/zfs: %v", err)
+		return nil, graphdriver.ErrPrerequisites
+	}
+	defer file.Close()
+
+	options, err := parseOptions(opt)
+	if err != nil {
+		return nil, err
+	}
+	options.mountPath = base
+
+	rootdir := path.Dir(base)
+
+	if options.fsName == "" {
+		err = checkRootdirFs(rootdir)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if options.fsName == "" {
+		options.fsName, err = lookupZfsDataset(rootdir)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	zfs.SetLogger(new(Logger))
+
+	filesystems, err := zfs.Filesystems(options.fsName)
+	if err != nil {
+		return nil, fmt.Errorf("Cannot find root filesystem %s: %v", options.fsName, err)
+	}
+
+	filesystemsCache := make(map[string]bool, len(filesystems))
+	var rootDataset *zfs.Dataset
+	for _, fs := range filesystems {
+		if fs.Name == options.fsName {
+			rootDataset = fs
+		}
+		filesystemsCache[fs.Name] = true
+	}
+
+	if rootDataset == nil {
+		return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName)
+	}
+
+	rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to get root uid/guid: %v", err)
+	}
+	if err := idtools.MkdirAllAndChown(base, 0700, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+		return nil, fmt.Errorf("Failed to create '%s': %v", base, err)
+	}
+
+	d := &Driver{
+		dataset:          rootDataset,
+		options:          options,
+		filesystemsCache: filesystemsCache,
+		uidMaps:          uidMaps,
+		gidMaps:          gidMaps,
+		ctr:              graphdriver.NewRefCounter(graphdriver.NewDefaultChecker()),
+	}
+	return graphdriver.NewNaiveDiffDriver(d, uidMaps, gidMaps), nil
+}
+
+func parseOptions(opt []string) (zfsOptions, error) {
+	var options zfsOptions
+	options.fsName = ""
+	for _, option := range opt {
+		key, val, err := parsers.ParseKeyValueOpt(option)
+		if err != nil {
+			return options, err
+		}
+		key = strings.ToLower(key)
+		switch key {
+		case "zfs.fsname":
+			options.fsName = val
+		default:
+			return options, fmt.Errorf("Unknown option %s", key)
+		}
+	}
+	return options, nil
+}
+
+func lookupZfsDataset(rootdir string) (string, error) {
+	var stat unix.Stat_t
+	if err := unix.Stat(rootdir, &stat); err != nil {
+		return "", fmt.Errorf("Failed to access '%s': %s", rootdir, err)
+	}
+	wantedDev := stat.Dev
+
+	mounts, err := mount.GetMounts(nil)
+	if err != nil {
+		return "", err
+	}
+	for _, m := range mounts {
+		if err := unix.Stat(m.Mountpoint, &stat); err != nil {
+			logrus.WithField("storage-driver", "zfs").Debugf("failed to stat '%s' while scanning for zfs mount: %v", m.Mountpoint, err)
+			continue // may fail on fuse file systems
+		}
+
+		if stat.Dev == wantedDev && m.Fstype == "zfs" {
+			return m.Source, nil
+		}
+	}
+
+	return "", fmt.Errorf("Failed to find zfs dataset mounted on '%s' in /proc/mounts", rootdir)
+}
+
+// Driver holds information about the driver, such as zfs dataset, options and cache.
+type Driver struct {
+	dataset          *zfs.Dataset
+	options          zfsOptions
+	sync.Mutex       // protects filesystem cache against concurrent access
+	filesystemsCache map[string]bool
+	uidMaps          []idtools.IDMap
+	gidMaps          []idtools.IDMap
+	ctr              *graphdriver.RefCounter
+}
+
+func (d *Driver) String() string {
+	return "zfs"
+}
+
+// Cleanup is called on daemon shutdown, it is a no-op for ZFS.
+// TODO(@cpuguy83): Walk layer tree and check mounts?
+func (d *Driver) Cleanup() error {
+	return nil
+}
+
+// Status returns information about the ZFS filesystem. It returns a two dimensional array of information
+// such as pool name, dataset name, disk usage, parent quota and compression used.
+// Currently it return 'Zpool', 'Zpool Health', 'Parent Dataset', 'Space Used By Parent',
+// 'Space Available', 'Parent Quota' and 'Compression'.
+func (d *Driver) Status() [][2]string {
+	parts := strings.Split(d.dataset.Name, "/")
+	pool, err := zfs.GetZpool(parts[0])
+
+	var poolName, poolHealth string
+	if err == nil {
+		poolName = pool.Name
+		poolHealth = pool.Health
+	} else {
+		poolName = fmt.Sprintf("error while getting pool information %v", err)
+		poolHealth = "not available"
+	}
+
+	quota := "no"
+	if d.dataset.Quota != 0 {
+		quota = strconv.FormatUint(d.dataset.Quota, 10)
+	}
+
+	return [][2]string{
+		{"Zpool", poolName},
+		{"Zpool Health", poolHealth},
+		{"Parent Dataset", d.dataset.Name},
+		{"Space Used By Parent", strconv.FormatUint(d.dataset.Used, 10)},
+		{"Space Available", strconv.FormatUint(d.dataset.Avail, 10)},
+		{"Parent Quota", quota},
+		{"Compression", d.dataset.Compression},
+	}
+}
+
+// GetMetadata returns image/container metadata related to graph driver
+func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+	return map[string]string{
+		"Mountpoint": d.mountPath(id),
+		"Dataset":    d.zfsPath(id),
+	}, nil
+}
+
+func (d *Driver) cloneFilesystem(name, parentName string) error {
+	snapshotName := fmt.Sprintf("%d", time.Now().Nanosecond())
+	parentDataset := zfs.Dataset{Name: parentName}
+	snapshot, err := parentDataset.Snapshot(snapshotName /*recursive */, false)
+	if err != nil {
+		return err
+	}
+
+	_, err = snapshot.Clone(name, map[string]string{"mountpoint": "legacy"})
+	if err == nil {
+		d.Lock()
+		d.filesystemsCache[name] = true
+		d.Unlock()
+	}
+
+	if err != nil {
+		snapshot.Destroy(zfs.DestroyDeferDeletion)
+		return err
+	}
+	return snapshot.Destroy(zfs.DestroyDeferDeletion)
+}
+
+func (d *Driver) zfsPath(id string) string {
+	return d.options.fsName + "/" + id
+}
+
+func (d *Driver) mountPath(id string) string {
+	return path.Join(d.options.mountPath, "graph", getMountpoint(id))
+}
+
+// CreateReadWrite creates a layer that is writable for use as a container
+// file system.
+func (d *Driver) CreateReadWrite(id, parent string, opts *graphdriver.CreateOpts) error {
+	return d.Create(id, parent, opts)
+}
+
+// Create prepares the dataset and filesystem for the ZFS driver for the given id under the parent.
+func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+	var storageOpt map[string]string
+	if opts != nil {
+		storageOpt = opts.StorageOpt
+	}
+
+	err := d.create(id, parent, storageOpt)
+	if err == nil {
+		return nil
+	}
+	if zfsError, ok := err.(*zfs.Error); ok {
+		if !strings.HasSuffix(zfsError.Stderr, "dataset already exists\n") {
+			return err
+		}
+		// aborted build -> cleanup
+	} else {
+		return err
+	}
+
+	dataset := zfs.Dataset{Name: d.zfsPath(id)}
+	if err := dataset.Destroy(zfs.DestroyRecursiveClones); err != nil {
+		return err
+	}
+
+	// retry
+	return d.create(id, parent, storageOpt)
+}
+
+func (d *Driver) create(id, parent string, storageOpt map[string]string) error {
+	name := d.zfsPath(id)
+	quota, err := parseStorageOpt(storageOpt)
+	if err != nil {
+		return err
+	}
+	if parent == "" {
+		mountoptions := map[string]string{"mountpoint": "legacy"}
+		fs, err := zfs.CreateFilesystem(name, mountoptions)
+		if err == nil {
+			err = setQuota(name, quota)
+			if err == nil {
+				d.Lock()
+				d.filesystemsCache[fs.Name] = true
+				d.Unlock()
+			}
+		}
+		return err
+	}
+	err = d.cloneFilesystem(name, d.zfsPath(parent))
+	if err == nil {
+		err = setQuota(name, quota)
+	}
+	return err
+}
+
+func parseStorageOpt(storageOpt map[string]string) (string, error) {
+	// Read size to change the disk quota per container
+	for k, v := range storageOpt {
+		key := strings.ToLower(k)
+		switch key {
+		case "size":
+			return v, nil
+		default:
+			return "0", fmt.Errorf("Unknown option %s", key)
+		}
+	}
+	return "0", nil
+}
+
+func setQuota(name string, quota string) error {
+	if quota == "0" {
+		return nil
+	}
+	fs, err := zfs.GetDataset(name)
+	if err != nil {
+		return err
+	}
+	return fs.SetProperty("quota", quota)
+}
+
+// Remove deletes the dataset, filesystem and the cache for the given id.
+func (d *Driver) Remove(id string) error {
+	name := d.zfsPath(id)
+	dataset := zfs.Dataset{Name: name}
+	err := dataset.Destroy(zfs.DestroyRecursive)
+	if err == nil {
+		d.Lock()
+		delete(d.filesystemsCache, name)
+		d.Unlock()
+	}
+	return err
+}
+
+// Get returns the mountpoint for the given id after creating the target directories if necessary.
+func (d *Driver) Get(id, mountLabel string) (_ containerfs.ContainerFS, retErr error) {
+	mountpoint := d.mountPath(id)
+	if count := d.ctr.Increment(mountpoint); count > 1 {
+		return containerfs.NewLocalContainerFS(mountpoint), nil
+	}
+	defer func() {
+		if retErr != nil {
+			if c := d.ctr.Decrement(mountpoint); c <= 0 {
+				if mntErr := unix.Unmount(mountpoint, 0); mntErr != nil {
+					logrus.WithField("storage-driver", "zfs").Errorf("Error unmounting %v: %v", mountpoint, mntErr)
+				}
+				if rmErr := unix.Rmdir(mountpoint); rmErr != nil && !os.IsNotExist(rmErr) {
+					logrus.WithField("storage-driver", "zfs").Debugf("Failed to remove %s: %v", id, rmErr)
+				}
+
+			}
+		}
+	}()
+
+	filesystem := d.zfsPath(id)
+	options := label.FormatMountLabel("", mountLabel)
+	logrus.WithField("storage-driver", "zfs").Debugf(`mount("%s", "%s", "%s")`, filesystem, mountpoint, options)
+
+	rootUID, rootGID, err := idtools.GetRootUIDGID(d.uidMaps, d.gidMaps)
+	if err != nil {
+		return nil, err
+	}
+	// Create the target directories if they don't exist
+	if err := idtools.MkdirAllAndChown(mountpoint, 0755, idtools.IDPair{UID: rootUID, GID: rootGID}); err != nil {
+		return nil, err
+	}
+
+	if err := mount.Mount(filesystem, mountpoint, "zfs", options); err != nil {
+		return nil, fmt.Errorf("error creating zfs mount of %s to %s: %v", filesystem, mountpoint, err)
+	}
+
+	// this could be our first mount after creation of the filesystem, and the root dir may still have root
+	// permissions instead of the remapped root uid:gid (if user namespaces are enabled):
+	if err := os.Chown(mountpoint, rootUID, rootGID); err != nil {
+		return nil, fmt.Errorf("error modifying zfs mountpoint (%s) directory ownership: %v", mountpoint, err)
+	}
+
+	return containerfs.NewLocalContainerFS(mountpoint), nil
+}
+
+// Put removes the existing mountpoint for the given id if it exists.
+func (d *Driver) Put(id string) error {
+	mountpoint := d.mountPath(id)
+	if count := d.ctr.Decrement(mountpoint); count > 0 {
+		return nil
+	}
+
+	logger := logrus.WithField("storage-driver", "zfs")
+
+	logger.Debugf(`unmount("%s")`, mountpoint)
+
+	if err := unix.Unmount(mountpoint, unix.MNT_DETACH); err != nil {
+		logger.Warnf("Failed to unmount %s mount %s: %v", id, mountpoint, err)
+	}
+	if err := unix.Rmdir(mountpoint); err != nil && !os.IsNotExist(err) {
+		logger.Debugf("Failed to remove %s mount point %s: %v", id, mountpoint, err)
+	}
+
+	return nil
+}
+
+// Exists checks to see if the cache entry exists for the given id.
+func (d *Driver) Exists(id string) bool {
+	d.Lock()
+	defer d.Unlock()
+	return d.filesystemsCache[d.zfsPath(id)]
+}
diff --git a/engine/daemon/graphdriver/zfs/zfs_freebsd.go b/engine/daemon/graphdriver/zfs/zfs_freebsd.go
new file mode 100644
index 00000000..f15aae05
--- /dev/null
+++ b/engine/daemon/graphdriver/zfs/zfs_freebsd.go
@@ -0,0 +1,38 @@
+package zfs // import "github.com/docker/docker/daemon/graphdriver/zfs"
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func checkRootdirFs(rootdir string) error {
+	var buf unix.Statfs_t
+	if err := unix.Statfs(rootdir, &buf); err != nil {
+		return fmt.Errorf("Failed to access '%s': %s", rootdir, err)
+	}
+
+	// on FreeBSD buf.Fstypename contains ['z', 'f', 's', 0 ... ]
+	if (buf.Fstypename[0] != 122) || (buf.Fstypename[1] != 102) || (buf.Fstypename[2] != 115) || (buf.Fstypename[3] != 0) {
+		logrus.WithField("storage-driver", "zfs").Debugf("no zfs dataset found for rootdir '%s'", rootdir)
+		return graphdriver.ErrPrerequisites
+	}
+
+	return nil
+}
+
+func getMountpoint(id string) string {
+	maxlen := 12
+
+	// we need to preserve filesystem suffix
+	suffix := strings.SplitN(id, "-", 2)
+
+	if len(suffix) > 1 {
+		return id[:maxlen] + "-" + suffix[1]
+	}
+
+	return id[:maxlen]
+}
diff --git a/engine/daemon/graphdriver/zfs/zfs_linux.go b/engine/daemon/graphdriver/zfs/zfs_linux.go
new file mode 100644
index 00000000..589ecbd1
--- /dev/null
+++ b/engine/daemon/graphdriver/zfs/zfs_linux.go
@@ -0,0 +1,28 @@
+package zfs // import "github.com/docker/docker/daemon/graphdriver/zfs"
+
+import (
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/sirupsen/logrus"
+)
+
+func checkRootdirFs(rootDir string) error {
+	fsMagic, err := graphdriver.GetFSMagic(rootDir)
+	if err != nil {
+		return err
+	}
+	backingFS := "unknown"
+	if fsName, ok := graphdriver.FsNames[fsMagic]; ok {
+		backingFS = fsName
+	}
+
+	if fsMagic != graphdriver.FsMagicZfs {
+		logrus.WithField("root", rootDir).WithField("backingFS", backingFS).WithField("storage-driver", "zfs").Error("No zfs dataset found for root")
+		return graphdriver.ErrPrerequisites
+	}
+
+	return nil
+}
+
+func getMountpoint(id string) string {
+	return id
+}
diff --git a/engine/daemon/graphdriver/zfs/zfs_test.go b/engine/daemon/graphdriver/zfs/zfs_test.go
new file mode 100644
index 00000000..b5d6cb18
--- /dev/null
+++ b/engine/daemon/graphdriver/zfs/zfs_test.go
@@ -0,0 +1,35 @@
+// +build linux
+
+package zfs // import "github.com/docker/docker/daemon/graphdriver/zfs"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/daemon/graphdriver/graphtest"
+)
+
+// This avoids creating a new driver for each test if all tests are run
+// Make sure to put new tests between TestZfsSetup and TestZfsTeardown
+func TestZfsSetup(t *testing.T) {
+	graphtest.GetDriver(t, "zfs")
+}
+
+func TestZfsCreateEmpty(t *testing.T) {
+	graphtest.DriverTestCreateEmpty(t, "zfs")
+}
+
+func TestZfsCreateBase(t *testing.T) {
+	graphtest.DriverTestCreateBase(t, "zfs")
+}
+
+func TestZfsCreateSnap(t *testing.T) {
+	graphtest.DriverTestCreateSnap(t, "zfs")
+}
+
+func TestZfsSetQuota(t *testing.T) {
+	graphtest.DriverTestSetQuota(t, "zfs", true)
+}
+
+func TestZfsTeardown(t *testing.T) {
+	graphtest.PutDriver(t)
+}
diff --git a/engine/daemon/graphdriver/zfs/zfs_unsupported.go b/engine/daemon/graphdriver/zfs/zfs_unsupported.go
new file mode 100644
index 00000000..1b770306
--- /dev/null
+++ b/engine/daemon/graphdriver/zfs/zfs_unsupported.go
@@ -0,0 +1,11 @@
+// +build !linux,!freebsd
+
+package zfs // import "github.com/docker/docker/daemon/graphdriver/zfs"
+
+func checkRootdirFs(rootdir string) error {
+	return nil
+}
+
+func getMountpoint(id string) string {
+	return id
+}
diff --git a/engine/daemon/health.go b/engine/daemon/health.go
new file mode 100644
index 00000000..ae0d7f89
--- /dev/null
+++ b/engine/daemon/health.go
@@ -0,0 +1,381 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/exec"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	// Longest healthcheck probe output message to store. Longer messages will be truncated.
+	maxOutputLen = 4096
+
+	// Default interval between probe runs (from the end of the first to the start of the second).
+	// Also the time before the first probe.
+	defaultProbeInterval = 30 * time.Second
+
+	// The maximum length of time a single probe run should take. If the probe takes longer
+	// than this, the check is considered to have failed.
+	defaultProbeTimeout = 30 * time.Second
+
+	// The time given for the container to start before the health check starts considering
+	// the container unstable. Defaults to none.
+	defaultStartPeriod = 0 * time.Second
+
+	// Default number of consecutive failures of the health check
+	// for the container to be considered unhealthy.
+	defaultProbeRetries = 3
+
+	// Maximum number of entries to record
+	maxLogEntries = 5
+)
+
+const (
+	// Exit status codes that can be returned by the probe command.
+
+	exitStatusHealthy = 0 // Container is healthy
+)
+
+// probe implementations know how to run a particular type of probe.
+type probe interface {
+	// Perform one run of the check. Returns the exit code and an optional
+	// short diagnostic string.
+	run(context.Context, *Daemon, *container.Container) (*types.HealthcheckResult, error)
+}
+
+// cmdProbe implements the "CMD" probe type.
+type cmdProbe struct {
+	// Run the command with the system's default shell instead of execing it directly.
+	shell bool
+}
+
+// exec the healthcheck command in the container.
+// Returns the exit code and probe output (if any)
+func (p *cmdProbe) run(ctx context.Context, d *Daemon, cntr *container.Container) (*types.HealthcheckResult, error) {
+	cmdSlice := strslice.StrSlice(cntr.Config.Healthcheck.Test)[1:]
+	if p.shell {
+		cmdSlice = append(getShell(cntr.Config), cmdSlice...)
+	}
+	entrypoint, args := d.getEntrypointAndArgs(strslice.StrSlice{}, cmdSlice)
+	execConfig := exec.NewConfig()
+	execConfig.OpenStdin = false
+	execConfig.OpenStdout = true
+	execConfig.OpenStderr = true
+	execConfig.ContainerID = cntr.ID
+	execConfig.DetachKeys = []byte{}
+	execConfig.Entrypoint = entrypoint
+	execConfig.Args = args
+	execConfig.Tty = false
+	execConfig.Privileged = false
+	execConfig.User = cntr.Config.User
+	execConfig.WorkingDir = cntr.Config.WorkingDir
+
+	linkedEnv, err := d.setupLinkedContainers(cntr)
+	if err != nil {
+		return nil, err
+	}
+	execConfig.Env = container.ReplaceOrAppendEnvValues(cntr.CreateDaemonEnvironment(execConfig.Tty, linkedEnv), execConfig.Env)
+
+	d.registerExecCommand(cntr, execConfig)
+	attributes := map[string]string{
+		"execID": execConfig.ID,
+	}
+	d.LogContainerEventWithAttributes(cntr, "exec_create: "+execConfig.Entrypoint+" "+strings.Join(execConfig.Args, " "), attributes)
+
+	output := &limitedBuffer{}
+	err = d.ContainerExecStart(ctx, execConfig.ID, nil, output, output)
+	if err != nil {
+		return nil, err
+	}
+	info, err := d.getExecConfig(execConfig.ID)
+	if err != nil {
+		return nil, err
+	}
+	if info.ExitCode == nil {
+		return nil, fmt.Errorf("healthcheck for container %s has no exit code", cntr.ID)
+	}
+	// Note: Go's json package will handle invalid UTF-8 for us
+	out := output.String()
+	return &types.HealthcheckResult{
+		End:      time.Now(),
+		ExitCode: *info.ExitCode,
+		Output:   out,
+	}, nil
+}
+
+// Update the container's Status.Health struct based on the latest probe's result.
+func handleProbeResult(d *Daemon, c *container.Container, result *types.HealthcheckResult, done chan struct{}) {
+	c.Lock()
+	defer c.Unlock()
+
+	// probe may have been cancelled while waiting on lock. Ignore result then
+	select {
+	case <-done:
+		return
+	default:
+	}
+
+	retries := c.Config.Healthcheck.Retries
+	if retries <= 0 {
+		retries = defaultProbeRetries
+	}
+
+	h := c.State.Health
+	oldStatus := h.Status()
+
+	if len(h.Log) >= maxLogEntries {
+		h.Log = append(h.Log[len(h.Log)+1-maxLogEntries:], result)
+	} else {
+		h.Log = append(h.Log, result)
+	}
+
+	if result.ExitCode == exitStatusHealthy {
+		h.FailingStreak = 0
+		h.SetStatus(types.Healthy)
+	} else { // Failure (including invalid exit code)
+		shouldIncrementStreak := true
+
+		// If the container is starting (i.e. we never had a successful health check)
+		// then we check if we are within the start period of the container in which
+		// case we do not increment the failure streak.
+		if h.Status() == types.Starting {
+			startPeriod := timeoutWithDefault(c.Config.Healthcheck.StartPeriod, defaultStartPeriod)
+			timeSinceStart := result.Start.Sub(c.State.StartedAt)
+
+			// If still within the start period, then don't increment failing streak.
+			if timeSinceStart < startPeriod {
+				shouldIncrementStreak = false
+			}
+		}
+
+		if shouldIncrementStreak {
+			h.FailingStreak++
+
+			if h.FailingStreak >= retries {
+				h.SetStatus(types.Unhealthy)
+			}
+		}
+		// Else we're starting or healthy. Stay in that state.
+	}
+
+	// replicate Health status changes
+	if err := c.CheckpointTo(d.containersReplica); err != nil {
+		// queries will be inconsistent until the next probe runs or other state mutations
+		// checkpoint the container
+		logrus.Errorf("Error replicating health state for container %s: %v", c.ID, err)
+	}
+
+	current := h.Status()
+	if oldStatus != current {
+		d.LogContainerEvent(c, "health_status: "+current)
+	}
+}
+
+// Run the container's monitoring thread until notified via "stop".
+// There is never more than one monitor thread running per container at a time.
+func monitor(d *Daemon, c *container.Container, stop chan struct{}, probe probe) {
+	probeTimeout := timeoutWithDefault(c.Config.Healthcheck.Timeout, defaultProbeTimeout)
+	probeInterval := timeoutWithDefault(c.Config.Healthcheck.Interval, defaultProbeInterval)
+	for {
+		select {
+		case <-stop:
+			logrus.Debugf("Stop healthcheck monitoring for container %s (received while idle)", c.ID)
+			return
+		case <-time.After(probeInterval):
+			logrus.Debugf("Running health check for container %s ...", c.ID)
+			startTime := time.Now()
+			ctx, cancelProbe := context.WithTimeout(context.Background(), probeTimeout)
+			results := make(chan *types.HealthcheckResult, 1)
+			go func() {
+				healthChecksCounter.Inc()
+				result, err := probe.run(ctx, d, c)
+				if err != nil {
+					healthChecksFailedCounter.Inc()
+					logrus.Warnf("Health check for container %s error: %v", c.ID, err)
+					results <- &types.HealthcheckResult{
+						ExitCode: -1,
+						Output:   err.Error(),
+						Start:    startTime,
+						End:      time.Now(),
+					}
+				} else {
+					result.Start = startTime
+					logrus.Debugf("Health check for container %s done (exitCode=%d)", c.ID, result.ExitCode)
+					results <- result
+				}
+				close(results)
+			}()
+			select {
+			case <-stop:
+				logrus.Debugf("Stop healthcheck monitoring for container %s (received while probing)", c.ID)
+				cancelProbe()
+				// Wait for probe to exit (it might take a while to respond to the TERM
+				// signal and we don't want dying probes to pile up).
+				<-results
+				return
+			case result := <-results:
+				handleProbeResult(d, c, result, stop)
+				// Stop timeout
+				cancelProbe()
+			case <-ctx.Done():
+				logrus.Debugf("Health check for container %s taking too long", c.ID)
+				handleProbeResult(d, c, &types.HealthcheckResult{
+					ExitCode: -1,
+					Output:   fmt.Sprintf("Health check exceeded timeout (%v)", probeTimeout),
+					Start:    startTime,
+					End:      time.Now(),
+				}, stop)
+				cancelProbe()
+				// Wait for probe to exit (it might take a while to respond to the TERM
+				// signal and we don't want dying probes to pile up).
+				<-results
+			}
+		}
+	}
+}
+
+// Get a suitable probe implementation for the container's healthcheck configuration.
+// Nil will be returned if no healthcheck was configured or NONE was set.
+func getProbe(c *container.Container) probe {
+	config := c.Config.Healthcheck
+	if config == nil || len(config.Test) == 0 {
+		return nil
+	}
+	switch config.Test[0] {
+	case "CMD":
+		return &cmdProbe{shell: false}
+	case "CMD-SHELL":
+		return &cmdProbe{shell: true}
+	case "NONE":
+		return nil
+	default:
+		logrus.Warnf("Unknown healthcheck type '%s' (expected 'CMD') in container %s", config.Test[0], c.ID)
+		return nil
+	}
+}
+
+// Ensure the health-check monitor is running or not, depending on the current
+// state of the container.
+// Called from monitor.go, with c locked.
+func (d *Daemon) updateHealthMonitor(c *container.Container) {
+	h := c.State.Health
+	if h == nil {
+		return // No healthcheck configured
+	}
+
+	probe := getProbe(c)
+	wantRunning := c.Running && !c.Paused && probe != nil
+	if wantRunning {
+		if stop := h.OpenMonitorChannel(); stop != nil {
+			go monitor(d, c, stop, probe)
+		}
+	} else {
+		h.CloseMonitorChannel()
+	}
+}
+
+// Reset the health state for a newly-started, restarted or restored container.
+// initHealthMonitor is called from monitor.go and we should never be running
+// two instances at once.
+// Called with c locked.
+func (d *Daemon) initHealthMonitor(c *container.Container) {
+	// If no healthcheck is setup then don't init the monitor
+	if getProbe(c) == nil {
+		return
+	}
+
+	// This is needed in case we're auto-restarting
+	d.stopHealthchecks(c)
+
+	if h := c.State.Health; h != nil {
+		h.SetStatus(types.Starting)
+		h.FailingStreak = 0
+	} else {
+		h := &container.Health{}
+		h.SetStatus(types.Starting)
+		c.State.Health = h
+	}
+
+	d.updateHealthMonitor(c)
+}
+
+// Called when the container is being stopped (whether because the health check is
+// failing or for any other reason).
+func (d *Daemon) stopHealthchecks(c *container.Container) {
+	h := c.State.Health
+	if h != nil {
+		h.CloseMonitorChannel()
+	}
+}
+
+// Buffer up to maxOutputLen bytes. Further data is discarded.
+type limitedBuffer struct {
+	buf       bytes.Buffer
+	mu        sync.Mutex
+	truncated bool // indicates that data has been lost
+}
+
+// Append to limitedBuffer while there is room.
+func (b *limitedBuffer) Write(data []byte) (int, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	bufLen := b.buf.Len()
+	dataLen := len(data)
+	keep := min(maxOutputLen-bufLen, dataLen)
+	if keep > 0 {
+		b.buf.Write(data[:keep])
+	}
+	if keep < dataLen {
+		b.truncated = true
+	}
+	return dataLen, nil
+}
+
+// The contents of the buffer, with "..." appended if it overflowed.
+func (b *limitedBuffer) String() string {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	out := b.buf.String()
+	if b.truncated {
+		out = out + "..."
+	}
+	return out
+}
+
+// If configuredValue is zero, use defaultValue instead.
+func timeoutWithDefault(configuredValue time.Duration, defaultValue time.Duration) time.Duration {
+	if configuredValue == 0 {
+		return defaultValue
+	}
+	return configuredValue
+}
+
+func min(x, y int) int {
+	if x < y {
+		return x
+	}
+	return y
+}
+
+func getShell(config *containertypes.Config) []string {
+	if len(config.Shell) != 0 {
+		return config.Shell
+	}
+	if runtime.GOOS != "windows" {
+		return []string{"/bin/sh", "-c"}
+	}
+	return []string{"cmd", "/S", "/C"}
+}
diff --git a/engine/daemon/health_test.go b/engine/daemon/health_test.go
new file mode 100644
index 00000000..db166317
--- /dev/null
+++ b/engine/daemon/health_test.go
@@ -0,0 +1,154 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	eventtypes "github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/events"
+)
+
+func reset(c *container.Container) {
+	c.State = &container.State{}
+	c.State.Health = &container.Health{}
+	c.State.Health.SetStatus(types.Starting)
+}
+
+func TestNoneHealthcheck(t *testing.T) {
+	c := &container.Container{
+		ID:   "container_id",
+		Name: "container_name",
+		Config: &containertypes.Config{
+			Image: "image_name",
+			Healthcheck: &containertypes.HealthConfig{
+				Test: []string{"NONE"},
+			},
+		},
+		State: &container.State{},
+	}
+	store, err := container.NewViewDB()
+	if err != nil {
+		t.Fatal(err)
+	}
+	daemon := &Daemon{
+		containersReplica: store,
+	}
+
+	daemon.initHealthMonitor(c)
+	if c.State.Health != nil {
+		t.Error("Expecting Health to be nil, but was not")
+	}
+}
+
+// FIXME(vdemeester) This takes around 3s… This is *way* too long
+func TestHealthStates(t *testing.T) {
+	e := events.New()
+	_, l, _ := e.Subscribe()
+	defer e.Evict(l)
+
+	expect := func(expected string) {
+		select {
+		case event := <-l:
+			ev := event.(eventtypes.Message)
+			if ev.Status != expected {
+				t.Errorf("Expecting event %#v, but got %#v\n", expected, ev.Status)
+			}
+		case <-time.After(1 * time.Second):
+			t.Errorf("Expecting event %#v, but got nothing\n", expected)
+		}
+	}
+
+	c := &container.Container{
+		ID:   "container_id",
+		Name: "container_name",
+		Config: &containertypes.Config{
+			Image: "image_name",
+		},
+	}
+
+	store, err := container.NewViewDB()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	daemon := &Daemon{
+		EventsService:     e,
+		containersReplica: store,
+	}
+
+	c.Config.Healthcheck = &containertypes.HealthConfig{
+		Retries: 1,
+	}
+
+	reset(c)
+
+	handleResult := func(startTime time.Time, exitCode int) {
+		handleProbeResult(daemon, c, &types.HealthcheckResult{
+			Start:    startTime,
+			End:      startTime,
+			ExitCode: exitCode,
+		}, nil)
+	}
+
+	// starting -> failed -> success -> failed
+
+	handleResult(c.State.StartedAt.Add(1*time.Second), 1)
+	expect("health_status: unhealthy")
+
+	handleResult(c.State.StartedAt.Add(2*time.Second), 0)
+	expect("health_status: healthy")
+
+	handleResult(c.State.StartedAt.Add(3*time.Second), 1)
+	expect("health_status: unhealthy")
+
+	// Test retries
+
+	reset(c)
+	c.Config.Healthcheck.Retries = 3
+
+	handleResult(c.State.StartedAt.Add(20*time.Second), 1)
+	handleResult(c.State.StartedAt.Add(40*time.Second), 1)
+	if status := c.State.Health.Status(); status != types.Starting {
+		t.Errorf("Expecting starting, but got %#v\n", status)
+	}
+	if c.State.Health.FailingStreak != 2 {
+		t.Errorf("Expecting FailingStreak=2, but got %d\n", c.State.Health.FailingStreak)
+	}
+	handleResult(c.State.StartedAt.Add(60*time.Second), 1)
+	expect("health_status: unhealthy")
+
+	handleResult(c.State.StartedAt.Add(80*time.Second), 0)
+	expect("health_status: healthy")
+	if c.State.Health.FailingStreak != 0 {
+		t.Errorf("Expecting FailingStreak=0, but got %d\n", c.State.Health.FailingStreak)
+	}
+
+	// Test start period
+
+	reset(c)
+	c.Config.Healthcheck.Retries = 2
+	c.Config.Healthcheck.StartPeriod = 30 * time.Second
+
+	handleResult(c.State.StartedAt.Add(20*time.Second), 1)
+	if status := c.State.Health.Status(); status != types.Starting {
+		t.Errorf("Expecting starting, but got %#v\n", status)
+	}
+	if c.State.Health.FailingStreak != 0 {
+		t.Errorf("Expecting FailingStreak=0, but got %d\n", c.State.Health.FailingStreak)
+	}
+	handleResult(c.State.StartedAt.Add(50*time.Second), 1)
+	if status := c.State.Health.Status(); status != types.Starting {
+		t.Errorf("Expecting starting, but got %#v\n", status)
+	}
+	if c.State.Health.FailingStreak != 1 {
+		t.Errorf("Expecting FailingStreak=1, but got %d\n", c.State.Health.FailingStreak)
+	}
+	handleResult(c.State.StartedAt.Add(80*time.Second), 0)
+	expect("health_status: healthy")
+	if c.State.Health.FailingStreak != 0 {
+		t.Errorf("Expecting FailingStreak=0, but got %d\n", c.State.Health.FailingStreak)
+	}
+}
diff --git a/engine/daemon/images/cache.go b/engine/daemon/images/cache.go
new file mode 100644
index 00000000..3b433106
--- /dev/null
+++ b/engine/daemon/images/cache.go
@@ -0,0 +1,27 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/image/cache"
+	"github.com/sirupsen/logrus"
+)
+
+// MakeImageCache creates a stateful image cache.
+func (i *ImageService) MakeImageCache(sourceRefs []string) builder.ImageCache {
+	if len(sourceRefs) == 0 {
+		return cache.NewLocal(i.imageStore)
+	}
+
+	cache := cache.New(i.imageStore)
+
+	for _, ref := range sourceRefs {
+		img, err := i.GetImage(ref)
+		if err != nil {
+			logrus.Warnf("Could not look up %s for cache resolution, skipping: %+v", ref, err)
+			continue
+		}
+		cache.Populate(img)
+	}
+
+	return cache
+}
diff --git a/engine/daemon/images/image.go b/engine/daemon/images/image.go
new file mode 100644
index 00000000..79cc07c4
--- /dev/null
+++ b/engine/daemon/images/image.go
@@ -0,0 +1,64 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"fmt"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/image"
+)
+
+// ErrImageDoesNotExist is error returned when no image can be found for a reference.
+type ErrImageDoesNotExist struct {
+	ref reference.Reference
+}
+
+func (e ErrImageDoesNotExist) Error() string {
+	ref := e.ref
+	if named, ok := ref.(reference.Named); ok {
+		ref = reference.TagNameOnly(named)
+	}
+	return fmt.Sprintf("No such image: %s", reference.FamiliarString(ref))
+}
+
+// NotFound implements the NotFound interface
+func (e ErrImageDoesNotExist) NotFound() {}
+
+// GetImage returns an image corresponding to the image referred to by refOrID.
+func (i *ImageService) GetImage(refOrID string) (*image.Image, error) {
+	ref, err := reference.ParseAnyReference(refOrID)
+	if err != nil {
+		return nil, errdefs.InvalidParameter(err)
+	}
+	namedRef, ok := ref.(reference.Named)
+	if !ok {
+		digested, ok := ref.(reference.Digested)
+		if !ok {
+			return nil, ErrImageDoesNotExist{ref}
+		}
+		id := image.IDFromDigest(digested.Digest())
+		if img, err := i.imageStore.Get(id); err == nil {
+			return img, nil
+		}
+		return nil, ErrImageDoesNotExist{ref}
+	}
+
+	if digest, err := i.referenceStore.Get(namedRef); err == nil {
+		// Search the image stores to get the operating system, defaulting to host OS.
+		id := image.IDFromDigest(digest)
+		if img, err := i.imageStore.Get(id); err == nil {
+			return img, nil
+		}
+	}
+
+	// Search based on ID
+	if id, err := i.imageStore.Search(refOrID); err == nil {
+		img, err := i.imageStore.Get(id)
+		if err != nil {
+			return nil, ErrImageDoesNotExist{ref}
+		}
+		return img, nil
+	}
+
+	return nil, ErrImageDoesNotExist{ref}
+}
diff --git a/engine/daemon/images/image_builder.go b/engine/daemon/images/image_builder.go
new file mode 100644
index 00000000..cdf951c6
--- /dev/null
+++ b/engine/daemon/images/image_builder.go
@@ -0,0 +1,225 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"context"
+	"io"
+	"runtime"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/builder"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/registry"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+type roLayer struct {
+	released   bool
+	layerStore layer.Store
+	roLayer    layer.Layer
+}
+
+func (l *roLayer) DiffID() layer.DiffID {
+	if l.roLayer == nil {
+		return layer.DigestSHA256EmptyTar
+	}
+	return l.roLayer.DiffID()
+}
+
+func (l *roLayer) Release() error {
+	if l.released {
+		return nil
+	}
+	if l.roLayer != nil {
+		metadata, err := l.layerStore.Release(l.roLayer)
+		layer.LogReleaseMetadata(metadata)
+		if err != nil {
+			return errors.Wrap(err, "failed to release ROLayer")
+		}
+	}
+	l.roLayer = nil
+	l.released = true
+	return nil
+}
+
+func (l *roLayer) NewRWLayer() (builder.RWLayer, error) {
+	var chainID layer.ChainID
+	if l.roLayer != nil {
+		chainID = l.roLayer.ChainID()
+	}
+
+	mountID := stringid.GenerateRandomID()
+	newLayer, err := l.layerStore.CreateRWLayer(mountID, chainID, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create rwlayer")
+	}
+
+	rwLayer := &rwLayer{layerStore: l.layerStore, rwLayer: newLayer}
+
+	fs, err := newLayer.Mount("")
+	if err != nil {
+		rwLayer.Release()
+		return nil, err
+	}
+
+	rwLayer.fs = fs
+
+	return rwLayer, nil
+}
+
+type rwLayer struct {
+	released   bool
+	layerStore layer.Store
+	rwLayer    layer.RWLayer
+	fs         containerfs.ContainerFS
+}
+
+func (l *rwLayer) Root() containerfs.ContainerFS {
+	return l.fs
+}
+
+func (l *rwLayer) Commit() (builder.ROLayer, error) {
+	stream, err := l.rwLayer.TarStream()
+	if err != nil {
+		return nil, err
+	}
+	defer stream.Close()
+
+	var chainID layer.ChainID
+	if parent := l.rwLayer.Parent(); parent != nil {
+		chainID = parent.ChainID()
+	}
+
+	newLayer, err := l.layerStore.Register(stream, chainID)
+	if err != nil {
+		return nil, err
+	}
+	// TODO: An optimization would be to handle empty layers before returning
+	return &roLayer{layerStore: l.layerStore, roLayer: newLayer}, nil
+}
+
+func (l *rwLayer) Release() error {
+	if l.released {
+		return nil
+	}
+
+	if l.fs != nil {
+		if err := l.rwLayer.Unmount(); err != nil {
+			return errors.Wrap(err, "failed to unmount RWLayer")
+		}
+		l.fs = nil
+	}
+
+	metadata, err := l.layerStore.ReleaseRWLayer(l.rwLayer)
+	layer.LogReleaseMetadata(metadata)
+	if err != nil {
+		return errors.Wrap(err, "failed to release RWLayer")
+	}
+	l.released = true
+	return nil
+}
+
+func newROLayerForImage(img *image.Image, layerStore layer.Store) (builder.ROLayer, error) {
+	if img == nil || img.RootFS.ChainID() == "" {
+		return &roLayer{layerStore: layerStore}, nil
+	}
+	// Hold a reference to the image layer so that it can't be removed before
+	// it is released
+	layer, err := layerStore.Get(img.RootFS.ChainID())
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to get layer for image %s", img.ImageID())
+	}
+	return &roLayer{layerStore: layerStore, roLayer: layer}, nil
+}
+
+// TODO: could this use the regular daemon PullImage ?
+func (i *ImageService) pullForBuilder(ctx context.Context, name string, authConfigs map[string]types.AuthConfig, output io.Writer, platform *specs.Platform) (*image.Image, error) {
+	ref, err := reference.ParseNormalizedNamed(name)
+	if err != nil {
+		return nil, err
+	}
+	ref = reference.TagNameOnly(ref)
+
+	pullRegistryAuth := &types.AuthConfig{}
+	if len(authConfigs) > 0 {
+		// The request came with a full auth config, use it
+		repoInfo, err := i.registryService.ResolveRepository(ref)
+		if err != nil {
+			return nil, err
+		}
+
+		resolvedConfig := registry.ResolveAuthConfig(authConfigs, repoInfo.Index)
+		pullRegistryAuth = &resolvedConfig
+	}
+
+	if err := i.pullImageWithReference(ctx, ref, platform, nil, pullRegistryAuth, output); err != nil {
+		return nil, err
+	}
+	return i.GetImage(name)
+}
+
+// GetImageAndReleasableLayer returns an image and releaseable layer for a reference or ID.
+// Every call to GetImageAndReleasableLayer MUST call releasableLayer.Release() to prevent
+// leaking of layers.
+func (i *ImageService) GetImageAndReleasableLayer(ctx context.Context, refOrID string, opts backend.GetImageAndLayerOptions) (builder.Image, builder.ROLayer, error) {
+	if refOrID == "" { // ie FROM scratch
+		os := runtime.GOOS
+		if opts.Platform != nil {
+			os = opts.Platform.OS
+		}
+		if !system.IsOSSupported(os) {
+			return nil, nil, system.ErrNotSupportedOperatingSystem
+		}
+		layer, err := newROLayerForImage(nil, i.layerStores[os])
+		return nil, layer, err
+	}
+
+	if opts.PullOption != backend.PullOptionForcePull {
+		image, err := i.GetImage(refOrID)
+		if err != nil && opts.PullOption == backend.PullOptionNoPull {
+			return nil, nil, err
+		}
+		// TODO: shouldn't we error out if error is different from "not found" ?
+		if image != nil {
+			if !system.IsOSSupported(image.OperatingSystem()) {
+				return nil, nil, system.ErrNotSupportedOperatingSystem
+			}
+			layer, err := newROLayerForImage(image, i.layerStores[image.OperatingSystem()])
+			return image, layer, err
+		}
+	}
+
+	image, err := i.pullForBuilder(ctx, refOrID, opts.AuthConfig, opts.Output, opts.Platform)
+	if err != nil {
+		return nil, nil, err
+	}
+	if !system.IsOSSupported(image.OperatingSystem()) {
+		return nil, nil, system.ErrNotSupportedOperatingSystem
+	}
+	layer, err := newROLayerForImage(image, i.layerStores[image.OperatingSystem()])
+	return image, layer, err
+}
+
+// CreateImage creates a new image by adding a config and ID to the image store.
+// This is similar to LoadImage() except that it receives JSON encoded bytes of
+// an image instead of a tar archive.
+func (i *ImageService) CreateImage(config []byte, parent string) (builder.Image, error) {
+	id, err := i.imageStore.Create(config)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to create image")
+	}
+
+	if parent != "" {
+		if err := i.imageStore.SetParent(id, image.ID(parent)); err != nil {
+			return nil, errors.Wrapf(err, "failed to set parent %s", parent)
+		}
+	}
+
+	return i.imageStore.Get(id)
+}
diff --git a/engine/daemon/images/image_commit.go b/engine/daemon/images/image_commit.go
new file mode 100644
index 00000000..4caba9f2
--- /dev/null
+++ b/engine/daemon/images/image_commit.go
@@ -0,0 +1,127 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+)
+
+// CommitImage creates a new image from a commit config
+func (i *ImageService) CommitImage(c backend.CommitConfig) (image.ID, error) {
+	layerStore, ok := i.layerStores[c.ContainerOS]
+	if !ok {
+		return "", system.ErrNotSupportedOperatingSystem
+	}
+	rwTar, err := exportContainerRw(layerStore, c.ContainerID, c.ContainerMountLabel)
+	if err != nil {
+		return "", err
+	}
+	defer func() {
+		if rwTar != nil {
+			rwTar.Close()
+		}
+	}()
+
+	var parent *image.Image
+	if c.ParentImageID == "" {
+		parent = new(image.Image)
+		parent.RootFS = image.NewRootFS()
+	} else {
+		parent, err = i.imageStore.Get(image.ID(c.ParentImageID))
+		if err != nil {
+			return "", err
+		}
+	}
+
+	l, err := layerStore.Register(rwTar, parent.RootFS.ChainID())
+	if err != nil {
+		return "", err
+	}
+	defer layer.ReleaseAndLog(layerStore, l)
+
+	cc := image.ChildConfig{
+		ContainerID:     c.ContainerID,
+		Author:          c.Author,
+		Comment:         c.Comment,
+		ContainerConfig: c.ContainerConfig,
+		Config:          c.Config,
+		DiffID:          l.DiffID(),
+	}
+	config, err := json.Marshal(image.NewChildImage(parent, cc, c.ContainerOS))
+	if err != nil {
+		return "", err
+	}
+
+	id, err := i.imageStore.Create(config)
+	if err != nil {
+		return "", err
+	}
+
+	if c.ParentImageID != "" {
+		if err := i.imageStore.SetParent(id, image.ID(c.ParentImageID)); err != nil {
+			return "", err
+		}
+	}
+	return id, nil
+}
+
+func exportContainerRw(layerStore layer.Store, id, mountLabel string) (arch io.ReadCloser, err error) {
+	rwlayer, err := layerStore.GetRWLayer(id)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if err != nil {
+			layerStore.ReleaseRWLayer(rwlayer)
+		}
+	}()
+
+	// TODO: this mount call is not necessary as we assume that TarStream() should
+	// mount the layer if needed. But the Diff() function for windows requests that
+	// the layer should be mounted when calling it. So we reserve this mount call
+	// until windows driver can implement Diff() interface correctly.
+	_, err = rwlayer.Mount(mountLabel)
+	if err != nil {
+		return nil, err
+	}
+
+	archive, err := rwlayer.TarStream()
+	if err != nil {
+		rwlayer.Unmount()
+		return nil, err
+	}
+	return ioutils.NewReadCloserWrapper(archive, func() error {
+			archive.Close()
+			err = rwlayer.Unmount()
+			layerStore.ReleaseRWLayer(rwlayer)
+			return err
+		}),
+		nil
+}
+
+// CommitBuildStep is used by the builder to create an image for each step in
+// the build.
+//
+// This method is different from CreateImageFromContainer:
+//   * it doesn't attempt to validate container state
+//   * it doesn't send a commit action to metrics
+//   * it doesn't log a container commit event
+//
+// This is a temporary shim. Should be removed when builder stops using commit.
+func (i *ImageService) CommitBuildStep(c backend.CommitConfig) (image.ID, error) {
+	container := i.containers.Get(c.ContainerID)
+	if container == nil {
+		// TODO: use typed error
+		return "", errors.Errorf("container not found: %s", c.ContainerID)
+	}
+	c.ContainerMountLabel = container.MountLabel
+	c.ContainerOS = container.OS
+	c.ParentImageID = string(container.ImageID)
+	return i.CommitImage(c)
+}
diff --git a/engine/daemon/images/image_delete.go b/engine/daemon/images/image_delete.go
new file mode 100644
index 00000000..94d6f872
--- /dev/null
+++ b/engine/daemon/images/image_delete.go
@@ -0,0 +1,414 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+)
+
+type conflictType int
+
+const (
+	conflictDependentChild conflictType = 1 << iota
+	conflictRunningContainer
+	conflictActiveReference
+	conflictStoppedContainer
+	conflictHard = conflictDependentChild | conflictRunningContainer
+	conflictSoft = conflictActiveReference | conflictStoppedContainer
+)
+
+// ImageDelete deletes the image referenced by the given imageRef from this
+// daemon. The given imageRef can be an image ID, ID prefix, or a repository
+// reference (with an optional tag or digest, defaulting to the tag name
+// "latest"). There is differing behavior depending on whether the given
+// imageRef is a repository reference or not.
+//
+// If the given imageRef is a repository reference then that repository
+// reference will be removed. However, if there exists any containers which
+// were created using the same image reference then the repository reference
+// cannot be removed unless either there are other repository references to the
+// same image or force is true. Following removal of the repository reference,
+// the referenced image itself will attempt to be deleted as described below
+// but quietly, meaning any image delete conflicts will cause the image to not
+// be deleted and the conflict will not be reported.
+//
+// There may be conflicts preventing deletion of an image and these conflicts
+// are divided into two categories grouped by their severity:
+//
+// Hard Conflict:
+// 	- a pull or build using the image.
+// 	- any descendant image.
+// 	- any running container using the image.
+//
+// Soft Conflict:
+// 	- any stopped container using the image.
+// 	- any repository tag or digest references to the image.
+//
+// The image cannot be removed if there are any hard conflicts and can be
+// removed if there are soft conflicts only if force is true.
+//
+// If prune is true, ancestor images will each attempt to be deleted quietly,
+// meaning any delete conflicts will cause the image to not be deleted and the
+// conflict will not be reported.
+//
+func (i *ImageService) ImageDelete(imageRef string, force, prune bool) ([]types.ImageDeleteResponseItem, error) {
+	start := time.Now()
+	records := []types.ImageDeleteResponseItem{}
+
+	img, err := i.GetImage(imageRef)
+	if err != nil {
+		return nil, err
+	}
+	if !system.IsOSSupported(img.OperatingSystem()) {
+		return nil, errors.Errorf("unable to delete image: %q", system.ErrNotSupportedOperatingSystem)
+	}
+
+	imgID := img.ID()
+	repoRefs := i.referenceStore.References(imgID.Digest())
+
+	using := func(c *container.Container) bool {
+		return c.ImageID == imgID
+	}
+
+	var removedRepositoryRef bool
+	if !isImageIDPrefix(imgID.String(), imageRef) {
+		// A repository reference was given and should be removed
+		// first. We can only remove this reference if either force is
+		// true, there are multiple repository references to this
+		// image, or there are no containers using the given reference.
+		if !force && isSingleReference(repoRefs) {
+			if container := i.containers.First(using); container != nil {
+				// If we removed the repository reference then
+				// this image would remain "dangling" and since
+				// we really want to avoid that the client must
+				// explicitly force its removal.
+				err := errors.Errorf("conflict: unable to remove repository reference %q (must force) - container %s is using its referenced image %s", imageRef, stringid.TruncateID(container.ID), stringid.TruncateID(imgID.String()))
+				return nil, errdefs.Conflict(err)
+			}
+		}
+
+		parsedRef, err := reference.ParseNormalizedNamed(imageRef)
+		if err != nil {
+			return nil, err
+		}
+
+		parsedRef, err = i.removeImageRef(parsedRef)
+		if err != nil {
+			return nil, err
+		}
+
+		untaggedRecord := types.ImageDeleteResponseItem{Untagged: reference.FamiliarString(parsedRef)}
+
+		i.LogImageEvent(imgID.String(), imgID.String(), "untag")
+		records = append(records, untaggedRecord)
+
+		repoRefs = i.referenceStore.References(imgID.Digest())
+
+		// If a tag reference was removed and the only remaining
+		// references to the same repository are digest references,
+		// then clean up those digest references.
+		if _, isCanonical := parsedRef.(reference.Canonical); !isCanonical {
+			foundRepoTagRef := false
+			for _, repoRef := range repoRefs {
+				if _, repoRefIsCanonical := repoRef.(reference.Canonical); !repoRefIsCanonical && parsedRef.Name() == repoRef.Name() {
+					foundRepoTagRef = true
+					break
+				}
+			}
+			if !foundRepoTagRef {
+				// Remove canonical references from same repository
+				var remainingRefs []reference.Named
+				for _, repoRef := range repoRefs {
+					if _, repoRefIsCanonical := repoRef.(reference.Canonical); repoRefIsCanonical && parsedRef.Name() == repoRef.Name() {
+						if _, err := i.removeImageRef(repoRef); err != nil {
+							return records, err
+						}
+
+						untaggedRecord := types.ImageDeleteResponseItem{Untagged: reference.FamiliarString(repoRef)}
+						records = append(records, untaggedRecord)
+					} else {
+						remainingRefs = append(remainingRefs, repoRef)
+
+					}
+				}
+				repoRefs = remainingRefs
+			}
+		}
+
+		// If it has remaining references then the untag finished the remove
+		if len(repoRefs) > 0 {
+			return records, nil
+		}
+
+		removedRepositoryRef = true
+	} else {
+		// If an ID reference was given AND there is at most one tag
+		// reference to the image AND all references are within one
+		// repository, then remove all references.
+		if isSingleReference(repoRefs) {
+			c := conflictHard
+			if !force {
+				c |= conflictSoft &^ conflictActiveReference
+			}
+			if conflict := i.checkImageDeleteConflict(imgID, c); conflict != nil {
+				return nil, conflict
+			}
+
+			for _, repoRef := range repoRefs {
+				parsedRef, err := i.removeImageRef(repoRef)
+				if err != nil {
+					return nil, err
+				}
+
+				untaggedRecord := types.ImageDeleteResponseItem{Untagged: reference.FamiliarString(parsedRef)}
+
+				i.LogImageEvent(imgID.String(), imgID.String(), "untag")
+				records = append(records, untaggedRecord)
+			}
+		}
+	}
+
+	if err := i.imageDeleteHelper(imgID, &records, force, prune, removedRepositoryRef); err != nil {
+		return nil, err
+	}
+
+	imageActions.WithValues("delete").UpdateSince(start)
+
+	return records, nil
+}
+
+// isSingleReference returns true when all references are from one repository
+// and there is at most one tag. Returns false for empty input.
+func isSingleReference(repoRefs []reference.Named) bool {
+	if len(repoRefs) <= 1 {
+		return len(repoRefs) == 1
+	}
+	var singleRef reference.Named
+	canonicalRefs := map[string]struct{}{}
+	for _, repoRef := range repoRefs {
+		if _, isCanonical := repoRef.(reference.Canonical); isCanonical {
+			canonicalRefs[repoRef.Name()] = struct{}{}
+		} else if singleRef == nil {
+			singleRef = repoRef
+		} else {
+			return false
+		}
+	}
+	if singleRef == nil {
+		// Just use first canonical ref
+		singleRef = repoRefs[0]
+	}
+	_, ok := canonicalRefs[singleRef.Name()]
+	return len(canonicalRefs) == 1 && ok
+}
+
+// isImageIDPrefix returns whether the given possiblePrefix is a prefix of the
+// given imageID.
+func isImageIDPrefix(imageID, possiblePrefix string) bool {
+	if strings.HasPrefix(imageID, possiblePrefix) {
+		return true
+	}
+
+	if i := strings.IndexRune(imageID, ':'); i >= 0 {
+		return strings.HasPrefix(imageID[i+1:], possiblePrefix)
+	}
+
+	return false
+}
+
+// removeImageRef attempts to parse and remove the given image reference from
+// this daemon's store of repository tag/digest references. The given
+// repositoryRef must not be an image ID but a repository name followed by an
+// optional tag or digest reference. If tag or digest is omitted, the default
+// tag is used. Returns the resolved image reference and an error.
+func (i *ImageService) removeImageRef(ref reference.Named) (reference.Named, error) {
+	ref = reference.TagNameOnly(ref)
+
+	// Ignore the boolean value returned, as far as we're concerned, this
+	// is an idempotent operation and it's okay if the reference didn't
+	// exist in the first place.
+	_, err := i.referenceStore.Delete(ref)
+
+	return ref, err
+}
+
+// removeAllReferencesToImageID attempts to remove every reference to the given
+// imgID from this daemon's store of repository tag/digest references. Returns
+// on the first encountered error. Removed references are logged to this
+// daemon's event service. An "Untagged" types.ImageDeleteResponseItem is added to the
+// given list of records.
+func (i *ImageService) removeAllReferencesToImageID(imgID image.ID, records *[]types.ImageDeleteResponseItem) error {
+	imageRefs := i.referenceStore.References(imgID.Digest())
+
+	for _, imageRef := range imageRefs {
+		parsedRef, err := i.removeImageRef(imageRef)
+		if err != nil {
+			return err
+		}
+
+		untaggedRecord := types.ImageDeleteResponseItem{Untagged: reference.FamiliarString(parsedRef)}
+
+		i.LogImageEvent(imgID.String(), imgID.String(), "untag")
+		*records = append(*records, untaggedRecord)
+	}
+
+	return nil
+}
+
+// ImageDeleteConflict holds a soft or hard conflict and an associated error.
+// Implements the error interface.
+type imageDeleteConflict struct {
+	hard    bool
+	used    bool
+	imgID   image.ID
+	message string
+}
+
+func (idc *imageDeleteConflict) Error() string {
+	var forceMsg string
+	if idc.hard {
+		forceMsg = "cannot be forced"
+	} else {
+		forceMsg = "must be forced"
+	}
+
+	return fmt.Sprintf("conflict: unable to delete %s (%s) - %s", stringid.TruncateID(idc.imgID.String()), forceMsg, idc.message)
+}
+
+func (idc *imageDeleteConflict) Conflict() {}
+
+// imageDeleteHelper attempts to delete the given image from this daemon. If
+// the image has any hard delete conflicts (child images or running containers
+// using the image) then it cannot be deleted. If the image has any soft delete
+// conflicts (any tags/digests referencing the image or any stopped container
+// using the image) then it can only be deleted if force is true. If the delete
+// succeeds and prune is true, the parent images are also deleted if they do
+// not have any soft or hard delete conflicts themselves. Any deleted images
+// and untagged references are appended to the given records. If any error or
+// conflict is encountered, it will be returned immediately without deleting
+// the image. If quiet is true, any encountered conflicts will be ignored and
+// the function will return nil immediately without deleting the image.
+func (i *ImageService) imageDeleteHelper(imgID image.ID, records *[]types.ImageDeleteResponseItem, force, prune, quiet bool) error {
+	// First, determine if this image has any conflicts. Ignore soft conflicts
+	// if force is true.
+	c := conflictHard
+	if !force {
+		c |= conflictSoft
+	}
+	if conflict := i.checkImageDeleteConflict(imgID, c); conflict != nil {
+		if quiet && (!i.imageIsDangling(imgID) || conflict.used) {
+			// Ignore conflicts UNLESS the image is "dangling" or not being used in
+			// which case we want the user to know.
+			return nil
+		}
+
+		// There was a conflict and it's either a hard conflict OR we are not
+		// forcing deletion on soft conflicts.
+		return conflict
+	}
+
+	parent, err := i.imageStore.GetParent(imgID)
+	if err != nil {
+		// There may be no parent
+		parent = ""
+	}
+
+	// Delete all repository tag/digest references to this image.
+	if err := i.removeAllReferencesToImageID(imgID, records); err != nil {
+		return err
+	}
+
+	removedLayers, err := i.imageStore.Delete(imgID)
+	if err != nil {
+		return err
+	}
+
+	i.LogImageEvent(imgID.String(), imgID.String(), "delete")
+	*records = append(*records, types.ImageDeleteResponseItem{Deleted: imgID.String()})
+	for _, removedLayer := range removedLayers {
+		*records = append(*records, types.ImageDeleteResponseItem{Deleted: removedLayer.ChainID.String()})
+	}
+
+	if !prune || parent == "" {
+		return nil
+	}
+
+	// We need to prune the parent image. This means delete it if there are
+	// no tags/digests referencing it and there are no containers using it (
+	// either running or stopped).
+	// Do not force prunings, but do so quietly (stopping on any encountered
+	// conflicts).
+	return i.imageDeleteHelper(parent, records, false, true, true)
+}
+
+// checkImageDeleteConflict determines whether there are any conflicts
+// preventing deletion of the given image from this daemon. A hard conflict is
+// any image which has the given image as a parent or any running container
+// using the image. A soft conflict is any tags/digest referencing the given
+// image or any stopped container using the image. If ignoreSoftConflicts is
+// true, this function will not check for soft conflict conditions.
+func (i *ImageService) checkImageDeleteConflict(imgID image.ID, mask conflictType) *imageDeleteConflict {
+	// Check if the image has any descendant images.
+	if mask&conflictDependentChild != 0 && len(i.imageStore.Children(imgID)) > 0 {
+		return &imageDeleteConflict{
+			hard:    true,
+			imgID:   imgID,
+			message: "image has dependent child images",
+		}
+	}
+
+	if mask&conflictRunningContainer != 0 {
+		// Check if any running container is using the image.
+		running := func(c *container.Container) bool {
+			return c.IsRunning() && c.ImageID == imgID
+		}
+		if container := i.containers.First(running); container != nil {
+			return &imageDeleteConflict{
+				imgID:   imgID,
+				hard:    true,
+				used:    true,
+				message: fmt.Sprintf("image is being used by running container %s", stringid.TruncateID(container.ID)),
+			}
+		}
+	}
+
+	// Check if any repository tags/digest reference this image.
+	if mask&conflictActiveReference != 0 && len(i.referenceStore.References(imgID.Digest())) > 0 {
+		return &imageDeleteConflict{
+			imgID:   imgID,
+			message: "image is referenced in multiple repositories",
+		}
+	}
+
+	if mask&conflictStoppedContainer != 0 {
+		// Check if any stopped containers reference this image.
+		stopped := func(c *container.Container) bool {
+			return !c.IsRunning() && c.ImageID == imgID
+		}
+		if container := i.containers.First(stopped); container != nil {
+			return &imageDeleteConflict{
+				imgID:   imgID,
+				used:    true,
+				message: fmt.Sprintf("image is being used by stopped container %s", stringid.TruncateID(container.ID)),
+			}
+		}
+	}
+
+	return nil
+}
+
+// imageIsDangling returns whether the given image is "dangling" which means
+// that there are no repository references to the given image and it has no
+// child images.
+func (i *ImageService) imageIsDangling(imgID image.ID) bool {
+	return !(len(i.referenceStore.References(imgID.Digest())) > 0 || len(i.imageStore.Children(imgID)) > 0)
+}
diff --git a/engine/daemon/images/image_events.go b/engine/daemon/images/image_events.go
new file mode 100644
index 00000000..d0b3064d
--- /dev/null
+++ b/engine/daemon/images/image_events.go
@@ -0,0 +1,39 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"github.com/docker/docker/api/types/events"
+)
+
+// LogImageEvent generates an event related to an image with only the default attributes.
+func (i *ImageService) LogImageEvent(imageID, refName, action string) {
+	i.LogImageEventWithAttributes(imageID, refName, action, map[string]string{})
+}
+
+// LogImageEventWithAttributes generates an event related to an image with specific given attributes.
+func (i *ImageService) LogImageEventWithAttributes(imageID, refName, action string, attributes map[string]string) {
+	img, err := i.GetImage(imageID)
+	if err == nil && img.Config != nil {
+		// image has not been removed yet.
+		// it could be missing if the event is `delete`.
+		copyAttributes(attributes, img.Config.Labels)
+	}
+	if refName != "" {
+		attributes["name"] = refName
+	}
+	actor := events.Actor{
+		ID:         imageID,
+		Attributes: attributes,
+	}
+
+	i.eventsService.Log(action, events.ImageEventType, actor)
+}
+
+// copyAttributes guarantees that labels are not mutated by event triggers.
+func copyAttributes(attributes, labels map[string]string) {
+	if labels == nil {
+		return
+	}
+	for k, v := range labels {
+		attributes[k] = v
+	}
+}
diff --git a/engine/daemon/images/image_exporter.go b/engine/daemon/images/image_exporter.go
new file mode 100644
index 00000000..58105dcb
--- /dev/null
+++ b/engine/daemon/images/image_exporter.go
@@ -0,0 +1,25 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"io"
+
+	"github.com/docker/docker/image/tarexport"
+)
+
+// ExportImage exports a list of images to the given output stream. The
+// exported images are archived into a tar when written to the output
+// stream. All images with the given tag and all versions containing
+// the same tag are exported. names is the set of tags to export, and
+// outStream is the writer which the images are written to.
+func (i *ImageService) ExportImage(names []string, outStream io.Writer) error {
+	imageExporter := tarexport.NewTarExporter(i.imageStore, i.layerStores, i.referenceStore, i)
+	return imageExporter.Save(names, outStream)
+}
+
+// LoadImage uploads a set of images into the repository. This is the
+// complement of ImageExport.  The input stream is an uncompressed tar
+// ball containing images and metadata.
+func (i *ImageService) LoadImage(inTar io.ReadCloser, outStream io.Writer, quiet bool) error {
+	imageExporter := tarexport.NewTarExporter(i.imageStore, i.layerStores, i.referenceStore, i)
+	return imageExporter.Load(inTar, outStream, quiet)
+}
diff --git a/engine/daemon/images/image_history.go b/engine/daemon/images/image_history.go
new file mode 100644
index 00000000..b4ca25b1
--- /dev/null
+++ b/engine/daemon/images/image_history.go
@@ -0,0 +1,87 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/system"
+)
+
+// ImageHistory returns a slice of ImageHistory structures for the specified image
+// name by walking the image lineage.
+func (i *ImageService) ImageHistory(name string) ([]*image.HistoryResponseItem, error) {
+	start := time.Now()
+	img, err := i.GetImage(name)
+	if err != nil {
+		return nil, err
+	}
+
+	history := []*image.HistoryResponseItem{}
+
+	layerCounter := 0
+	rootFS := *img.RootFS
+	rootFS.DiffIDs = nil
+
+	for _, h := range img.History {
+		var layerSize int64
+
+		if !h.EmptyLayer {
+			if len(img.RootFS.DiffIDs) <= layerCounter {
+				return nil, fmt.Errorf("too many non-empty layers in History section")
+			}
+			if !system.IsOSSupported(img.OperatingSystem()) {
+				return nil, system.ErrNotSupportedOperatingSystem
+			}
+			rootFS.Append(img.RootFS.DiffIDs[layerCounter])
+			l, err := i.layerStores[img.OperatingSystem()].Get(rootFS.ChainID())
+			if err != nil {
+				return nil, err
+			}
+			layerSize, err = l.DiffSize()
+			layer.ReleaseAndLog(i.layerStores[img.OperatingSystem()], l)
+			if err != nil {
+				return nil, err
+			}
+
+			layerCounter++
+		}
+
+		history = append([]*image.HistoryResponseItem{{
+			ID:        "<missing>",
+			Created:   h.Created.Unix(),
+			CreatedBy: h.CreatedBy,
+			Comment:   h.Comment,
+			Size:      layerSize,
+		}}, history...)
+	}
+
+	// Fill in image IDs and tags
+	histImg := img
+	id := img.ID()
+	for _, h := range history {
+		h.ID = id.String()
+
+		var tags []string
+		for _, r := range i.referenceStore.References(id.Digest()) {
+			if _, ok := r.(reference.NamedTagged); ok {
+				tags = append(tags, reference.FamiliarString(r))
+			}
+		}
+
+		h.Tags = tags
+
+		id = histImg.Parent
+		if id == "" {
+			break
+		}
+		histImg, err = i.GetImage(id.String())
+		if err != nil {
+			break
+		}
+	}
+	imageActions.WithValues("history").UpdateSince(start)
+	return history, nil
+}
diff --git a/engine/daemon/images/image_import.go b/engine/daemon/images/image_import.go
new file mode 100644
index 00000000..8d54e070
--- /dev/null
+++ b/engine/daemon/images/image_import.go
@@ -0,0 +1,138 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/url"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/builder/dockerfile"
+	"github.com/docker/docker/builder/remotecontext"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/pkg/errors"
+)
+
+// ImportImage imports an image, getting the archived layer data either from
+// inConfig (if src is "-"), or from a URI specified in src. Progress output is
+// written to outStream. Repository and tag names can optionally be given in
+// the repo and tag arguments, respectively.
+func (i *ImageService) ImportImage(src string, repository, os string, tag string, msg string, inConfig io.ReadCloser, outStream io.Writer, changes []string) error {
+	var (
+		rc     io.ReadCloser
+		resp   *http.Response
+		newRef reference.Named
+	)
+
+	// Default the operating system if not supplied.
+	if os == "" {
+		os = runtime.GOOS
+	}
+
+	if repository != "" {
+		var err error
+		newRef, err = reference.ParseNormalizedNamed(repository)
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+		if _, isCanonical := newRef.(reference.Canonical); isCanonical {
+			return errdefs.InvalidParameter(errors.New("cannot import digest reference"))
+		}
+
+		if tag != "" {
+			newRef, err = reference.WithTag(newRef, tag)
+			if err != nil {
+				return errdefs.InvalidParameter(err)
+			}
+		}
+	}
+
+	config, err := dockerfile.BuildFromConfig(&container.Config{}, changes, os)
+	if err != nil {
+		return err
+	}
+	if src == "-" {
+		rc = inConfig
+	} else {
+		inConfig.Close()
+		if len(strings.Split(src, "://")) == 1 {
+			src = "http://" + src
+		}
+		u, err := url.Parse(src)
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+
+		resp, err = remotecontext.GetWithStatusError(u.String())
+		if err != nil {
+			return err
+		}
+		outStream.Write(streamformatter.FormatStatus("", "Downloading from %s", u))
+		progressOutput := streamformatter.NewJSONProgressOutput(outStream, true)
+		rc = progress.NewProgressReader(resp.Body, progressOutput, resp.ContentLength, "", "Importing")
+	}
+
+	defer rc.Close()
+	if len(msg) == 0 {
+		msg = "Imported from " + src
+	}
+
+	inflatedLayerData, err := archive.DecompressStream(rc)
+	if err != nil {
+		return err
+	}
+	l, err := i.layerStores[os].Register(inflatedLayerData, "")
+	if err != nil {
+		return err
+	}
+	defer layer.ReleaseAndLog(i.layerStores[os], l)
+
+	created := time.Now().UTC()
+	imgConfig, err := json.Marshal(&image.Image{
+		V1Image: image.V1Image{
+			DockerVersion: dockerversion.Version,
+			Config:        config,
+			Architecture:  runtime.GOARCH,
+			OS:            os,
+			Created:       created,
+			Comment:       msg,
+		},
+		RootFS: &image.RootFS{
+			Type:    "layers",
+			DiffIDs: []layer.DiffID{l.DiffID()},
+		},
+		History: []image.History{{
+			Created: created,
+			Comment: msg,
+		}},
+	})
+	if err != nil {
+		return err
+	}
+
+	id, err := i.imageStore.Create(imgConfig)
+	if err != nil {
+		return err
+	}
+
+	// FIXME: connect with commit code and call refstore directly
+	if newRef != nil {
+		if err := i.TagImageWithReference(id, newRef); err != nil {
+			return err
+		}
+	}
+
+	i.LogImageEvent(id.String(), id.String(), "import")
+	outStream.Write(streamformatter.FormatStatus("", id.String()))
+	return nil
+}
diff --git a/engine/daemon/images/image_inspect.go b/engine/daemon/images/image_inspect.go
new file mode 100644
index 00000000..16c4c9b2
--- /dev/null
+++ b/engine/daemon/images/image_inspect.go
@@ -0,0 +1,104 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+)
+
+// LookupImage looks up an image by name and returns it as an ImageInspect
+// structure.
+func (i *ImageService) LookupImage(name string) (*types.ImageInspect, error) {
+	img, err := i.GetImage(name)
+	if err != nil {
+		return nil, errors.Wrapf(err, "no such image: %s", name)
+	}
+	if !system.IsOSSupported(img.OperatingSystem()) {
+		return nil, system.ErrNotSupportedOperatingSystem
+	}
+	refs := i.referenceStore.References(img.ID().Digest())
+	repoTags := []string{}
+	repoDigests := []string{}
+	for _, ref := range refs {
+		switch ref.(type) {
+		case reference.NamedTagged:
+			repoTags = append(repoTags, reference.FamiliarString(ref))
+		case reference.Canonical:
+			repoDigests = append(repoDigests, reference.FamiliarString(ref))
+		}
+	}
+
+	var size int64
+	var layerMetadata map[string]string
+	layerID := img.RootFS.ChainID()
+	if layerID != "" {
+		l, err := i.layerStores[img.OperatingSystem()].Get(layerID)
+		if err != nil {
+			return nil, err
+		}
+		defer layer.ReleaseAndLog(i.layerStores[img.OperatingSystem()], l)
+		size, err = l.Size()
+		if err != nil {
+			return nil, err
+		}
+
+		layerMetadata, err = l.Metadata()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	comment := img.Comment
+	if len(comment) == 0 && len(img.History) > 0 {
+		comment = img.History[len(img.History)-1].Comment
+	}
+
+	lastUpdated, err := i.imageStore.GetLastUpdated(img.ID())
+	if err != nil {
+		return nil, err
+	}
+
+	imageInspect := &types.ImageInspect{
+		ID:              img.ID().String(),
+		RepoTags:        repoTags,
+		RepoDigests:     repoDigests,
+		Parent:          img.Parent.String(),
+		Comment:         comment,
+		Created:         img.Created.Format(time.RFC3339Nano),
+		Container:       img.Container,
+		ContainerConfig: &img.ContainerConfig,
+		DockerVersion:   img.DockerVersion,
+		Author:          img.Author,
+		Config:          img.Config,
+		Architecture:    img.Architecture,
+		Os:              img.OperatingSystem(),
+		OsVersion:       img.OSVersion,
+		Size:            size,
+		VirtualSize:     size, // TODO: field unused, deprecate
+		RootFS:          rootFSToAPIType(img.RootFS),
+		Metadata: types.ImageMetadata{
+			LastTagTime: lastUpdated,
+		},
+	}
+
+	imageInspect.GraphDriver.Name = i.layerStores[img.OperatingSystem()].DriverName()
+	imageInspect.GraphDriver.Data = layerMetadata
+
+	return imageInspect, nil
+}
+
+func rootFSToAPIType(rootfs *image.RootFS) types.RootFS {
+	var layers []string
+	for _, l := range rootfs.DiffIDs {
+		layers = append(layers, l.String())
+	}
+	return types.RootFS{
+		Type:   rootfs.Type,
+		Layers: layers,
+	}
+}
diff --git a/engine/daemon/images/image_prune.go b/engine/daemon/images/image_prune.go
new file mode 100644
index 00000000..313494f2
--- /dev/null
+++ b/engine/daemon/images/image_prune.go
@@ -0,0 +1,211 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"context"
+	"fmt"
+	"sync/atomic"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	timetypes "github.com/docker/docker/api/types/time"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var imagesAcceptedFilters = map[string]bool{
+	"dangling": true,
+	"label":    true,
+	"label!":   true,
+	"until":    true,
+}
+
+// errPruneRunning is returned when a prune request is received while
+// one is in progress
+var errPruneRunning = errdefs.Conflict(errors.New("a prune operation is already running"))
+
+// ImagesPrune removes unused images
+func (i *ImageService) ImagesPrune(ctx context.Context, pruneFilters filters.Args) (*types.ImagesPruneReport, error) {
+	if !atomic.CompareAndSwapInt32(&i.pruneRunning, 0, 1) {
+		return nil, errPruneRunning
+	}
+	defer atomic.StoreInt32(&i.pruneRunning, 0)
+
+	// make sure that only accepted filters have been received
+	err := pruneFilters.Validate(imagesAcceptedFilters)
+	if err != nil {
+		return nil, err
+	}
+
+	rep := &types.ImagesPruneReport{}
+
+	danglingOnly := true
+	if pruneFilters.Contains("dangling") {
+		if pruneFilters.ExactMatch("dangling", "false") || pruneFilters.ExactMatch("dangling", "0") {
+			danglingOnly = false
+		} else if !pruneFilters.ExactMatch("dangling", "true") && !pruneFilters.ExactMatch("dangling", "1") {
+			return nil, invalidFilter{"dangling", pruneFilters.Get("dangling")}
+		}
+	}
+
+	until, err := getUntilFromPruneFilters(pruneFilters)
+	if err != nil {
+		return nil, err
+	}
+
+	var allImages map[image.ID]*image.Image
+	if danglingOnly {
+		allImages = i.imageStore.Heads()
+	} else {
+		allImages = i.imageStore.Map()
+	}
+
+	// Filter intermediary images and get their unique size
+	allLayers := make(map[layer.ChainID]layer.Layer)
+	for _, ls := range i.layerStores {
+		for k, v := range ls.Map() {
+			allLayers[k] = v
+		}
+	}
+	topImages := map[image.ID]*image.Image{}
+	for id, img := range allImages {
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		default:
+			dgst := digest.Digest(id)
+			if len(i.referenceStore.References(dgst)) == 0 && len(i.imageStore.Children(id)) != 0 {
+				continue
+			}
+			if !until.IsZero() && img.Created.After(until) {
+				continue
+			}
+			if img.Config != nil && !matchLabels(pruneFilters, img.Config.Labels) {
+				continue
+			}
+			topImages[id] = img
+		}
+	}
+
+	canceled := false
+deleteImagesLoop:
+	for id := range topImages {
+		select {
+		case <-ctx.Done():
+			// we still want to calculate freed size and return the data
+			canceled = true
+			break deleteImagesLoop
+		default:
+		}
+
+		deletedImages := []types.ImageDeleteResponseItem{}
+		refs := i.referenceStore.References(id.Digest())
+		if len(refs) > 0 {
+			shouldDelete := !danglingOnly
+			if !shouldDelete {
+				hasTag := false
+				for _, ref := range refs {
+					if _, ok := ref.(reference.NamedTagged); ok {
+						hasTag = true
+						break
+					}
+				}
+
+				// Only delete if it's untagged (i.e. repo:<none>)
+				shouldDelete = !hasTag
+			}
+
+			if shouldDelete {
+				for _, ref := range refs {
+					imgDel, err := i.ImageDelete(ref.String(), false, true)
+					if imageDeleteFailed(ref.String(), err) {
+						continue
+					}
+					deletedImages = append(deletedImages, imgDel...)
+				}
+			}
+		} else {
+			hex := id.Digest().Hex()
+			imgDel, err := i.ImageDelete(hex, false, true)
+			if imageDeleteFailed(hex, err) {
+				continue
+			}
+			deletedImages = append(deletedImages, imgDel...)
+		}
+
+		rep.ImagesDeleted = append(rep.ImagesDeleted, deletedImages...)
+	}
+
+	// Compute how much space was freed
+	for _, d := range rep.ImagesDeleted {
+		if d.Deleted != "" {
+			chid := layer.ChainID(d.Deleted)
+			if l, ok := allLayers[chid]; ok {
+				diffSize, err := l.DiffSize()
+				if err != nil {
+					logrus.Warnf("failed to get layer %s size: %v", chid, err)
+					continue
+				}
+				rep.SpaceReclaimed += uint64(diffSize)
+			}
+		}
+	}
+
+	if canceled {
+		logrus.Debugf("ImagesPrune operation cancelled: %#v", *rep)
+	}
+
+	return rep, nil
+}
+
+func imageDeleteFailed(ref string, err error) bool {
+	switch {
+	case err == nil:
+		return false
+	case errdefs.IsConflict(err):
+		return true
+	default:
+		logrus.Warnf("failed to prune image %s: %v", ref, err)
+		return true
+	}
+}
+
+func matchLabels(pruneFilters filters.Args, labels map[string]string) bool {
+	if !pruneFilters.MatchKVList("label", labels) {
+		return false
+	}
+	// By default MatchKVList will return true if field (like 'label!') does not exist
+	// So we have to add additional Contains("label!") check
+	if pruneFilters.Contains("label!") {
+		if pruneFilters.MatchKVList("label!", labels) {
+			return false
+		}
+	}
+	return true
+}
+
+func getUntilFromPruneFilters(pruneFilters filters.Args) (time.Time, error) {
+	until := time.Time{}
+	if !pruneFilters.Contains("until") {
+		return until, nil
+	}
+	untilFilters := pruneFilters.Get("until")
+	if len(untilFilters) > 1 {
+		return until, fmt.Errorf("more than one until filter specified")
+	}
+	ts, err := timetypes.GetTimestamp(untilFilters[0], time.Now())
+	if err != nil {
+		return until, err
+	}
+	seconds, nanoseconds, err := timetypes.ParseTimestamps(ts, 0)
+	if err != nil {
+		return until, err
+	}
+	until = time.Unix(seconds, nanoseconds)
+	return until, nil
+}
diff --git a/engine/daemon/images/image_pull.go b/engine/daemon/images/image_pull.go
new file mode 100644
index 00000000..3e6b4330
--- /dev/null
+++ b/engine/daemon/images/image_pull.go
@@ -0,0 +1,126 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"context"
+	"io"
+	"strings"
+	"time"
+
+	dist "github.com/docker/distribution"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/distribution"
+	progressutils "github.com/docker/docker/distribution/utils"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/registry"
+	"github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// PullImage initiates a pull operation. image is the repository name to pull, and
+// tag may be either empty, or indicate a specific tag to pull.
+func (i *ImageService) PullImage(ctx context.Context, image, tag string, platform *specs.Platform, metaHeaders map[string][]string, authConfig *types.AuthConfig, outStream io.Writer) error {
+	start := time.Now()
+	// Special case: "pull -a" may send an image name with a
+	// trailing :. This is ugly, but let's not break API
+	// compatibility.
+	image = strings.TrimSuffix(image, ":")
+
+	ref, err := reference.ParseNormalizedNamed(image)
+	if err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	if tag != "" {
+		// The "tag" could actually be a digest.
+		var dgst digest.Digest
+		dgst, err = digest.Parse(tag)
+		if err == nil {
+			ref, err = reference.WithDigest(reference.TrimNamed(ref), dgst)
+		} else {
+			ref, err = reference.WithTag(ref, tag)
+		}
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+	}
+
+	err = i.pullImageWithReference(ctx, ref, platform, metaHeaders, authConfig, outStream)
+	imageActions.WithValues("pull").UpdateSince(start)
+	return err
+}
+
+func (i *ImageService) pullImageWithReference(ctx context.Context, ref reference.Named, platform *specs.Platform, metaHeaders map[string][]string, authConfig *types.AuthConfig, outStream io.Writer) error {
+	// Include a buffer so that slow client connections don't affect
+	// transfer performance.
+	progressChan := make(chan progress.Progress, 100)
+
+	writesDone := make(chan struct{})
+
+	ctx, cancelFunc := context.WithCancel(ctx)
+
+	go func() {
+		progressutils.WriteDistributionProgress(cancelFunc, outStream, progressChan)
+		close(writesDone)
+	}()
+
+	imagePullConfig := &distribution.ImagePullConfig{
+		Config: distribution.Config{
+			MetaHeaders:      metaHeaders,
+			AuthConfig:       authConfig,
+			ProgressOutput:   progress.ChanOutput(progressChan),
+			RegistryService:  i.registryService,
+			ImageEventLogger: i.LogImageEvent,
+			MetadataStore:    i.distributionMetadataStore,
+			ImageStore:       distribution.NewImageConfigStoreFromStore(i.imageStore),
+			ReferenceStore:   i.referenceStore,
+		},
+		DownloadManager: i.downloadManager,
+		Schema2Types:    distribution.ImageTypes,
+		Platform:        platform,
+	}
+
+	err := distribution.Pull(ctx, ref, imagePullConfig)
+	close(progressChan)
+	<-writesDone
+	return err
+}
+
+// GetRepository returns a repository from the registry.
+func (i *ImageService) GetRepository(ctx context.Context, ref reference.Named, authConfig *types.AuthConfig) (dist.Repository, bool, error) {
+	// get repository info
+	repoInfo, err := i.registryService.ResolveRepository(ref)
+	if err != nil {
+		return nil, false, err
+	}
+	// makes sure name is not empty or `scratch`
+	if err := distribution.ValidateRepoName(repoInfo.Name); err != nil {
+		return nil, false, errdefs.InvalidParameter(err)
+	}
+
+	// get endpoints
+	endpoints, err := i.registryService.LookupPullEndpoints(reference.Domain(repoInfo.Name))
+	if err != nil {
+		return nil, false, err
+	}
+
+	// retrieve repository
+	var (
+		confirmedV2 bool
+		repository  dist.Repository
+		lastError   error
+	)
+
+	for _, endpoint := range endpoints {
+		if endpoint.Version == registry.APIVersion1 {
+			continue
+		}
+
+		repository, confirmedV2, lastError = distribution.NewV2Repository(ctx, repoInfo, endpoint, nil, authConfig, "pull")
+		if lastError == nil && confirmedV2 {
+			break
+		}
+	}
+	return repository, confirmedV2, lastError
+}
diff --git a/engine/daemon/images/image_push.go b/engine/daemon/images/image_push.go
new file mode 100644
index 00000000..4c7be8d2
--- /dev/null
+++ b/engine/daemon/images/image_push.go
@@ -0,0 +1,66 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"context"
+	"io"
+	"time"
+
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/distribution"
+	progressutils "github.com/docker/docker/distribution/utils"
+	"github.com/docker/docker/pkg/progress"
+)
+
+// PushImage initiates a push operation on the repository named localName.
+func (i *ImageService) PushImage(ctx context.Context, image, tag string, metaHeaders map[string][]string, authConfig *types.AuthConfig, outStream io.Writer) error {
+	start := time.Now()
+	ref, err := reference.ParseNormalizedNamed(image)
+	if err != nil {
+		return err
+	}
+	if tag != "" {
+		// Push by digest is not supported, so only tags are supported.
+		ref, err = reference.WithTag(ref, tag)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Include a buffer so that slow client connections don't affect
+	// transfer performance.
+	progressChan := make(chan progress.Progress, 100)
+
+	writesDone := make(chan struct{})
+
+	ctx, cancelFunc := context.WithCancel(ctx)
+
+	go func() {
+		progressutils.WriteDistributionProgress(cancelFunc, outStream, progressChan)
+		close(writesDone)
+	}()
+
+	imagePushConfig := &distribution.ImagePushConfig{
+		Config: distribution.Config{
+			MetaHeaders:      metaHeaders,
+			AuthConfig:       authConfig,
+			ProgressOutput:   progress.ChanOutput(progressChan),
+			RegistryService:  i.registryService,
+			ImageEventLogger: i.LogImageEvent,
+			MetadataStore:    i.distributionMetadataStore,
+			ImageStore:       distribution.NewImageConfigStoreFromStore(i.imageStore),
+			ReferenceStore:   i.referenceStore,
+		},
+		ConfigMediaType: schema2.MediaTypeImageConfig,
+		LayerStores:     distribution.NewLayerProvidersFromStores(i.layerStores),
+		TrustKey:        i.trustKey,
+		UploadManager:   i.uploadManager,
+	}
+
+	err = distribution.Push(ctx, ref, imagePushConfig)
+	close(progressChan)
+	<-writesDone
+	imageActions.WithValues("push").UpdateSince(start)
+	return err
+}
diff --git a/engine/daemon/images/image_search.go b/engine/daemon/images/image_search.go
new file mode 100644
index 00000000..8b65ec70
--- /dev/null
+++ b/engine/daemon/images/image_search.go
@@ -0,0 +1,95 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"context"
+	"strconv"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/dockerversion"
+)
+
+var acceptedSearchFilterTags = map[string]bool{
+	"is-automated": true,
+	"is-official":  true,
+	"stars":        true,
+}
+
+// SearchRegistryForImages queries the registry for images matching
+// term. authConfig is used to login.
+//
+// TODO: this could be implemented in a registry service instead of the image
+// service.
+func (i *ImageService) SearchRegistryForImages(ctx context.Context, filtersArgs string, term string, limit int,
+	authConfig *types.AuthConfig,
+	headers map[string][]string) (*registrytypes.SearchResults, error) {
+
+	searchFilters, err := filters.FromJSON(filtersArgs)
+	if err != nil {
+		return nil, err
+	}
+	if err := searchFilters.Validate(acceptedSearchFilterTags); err != nil {
+		return nil, err
+	}
+
+	var isAutomated, isOfficial bool
+	var hasStarFilter = 0
+	if searchFilters.Contains("is-automated") {
+		if searchFilters.UniqueExactMatch("is-automated", "true") {
+			isAutomated = true
+		} else if !searchFilters.UniqueExactMatch("is-automated", "false") {
+			return nil, invalidFilter{"is-automated", searchFilters.Get("is-automated")}
+		}
+	}
+	if searchFilters.Contains("is-official") {
+		if searchFilters.UniqueExactMatch("is-official", "true") {
+			isOfficial = true
+		} else if !searchFilters.UniqueExactMatch("is-official", "false") {
+			return nil, invalidFilter{"is-official", searchFilters.Get("is-official")}
+		}
+	}
+	if searchFilters.Contains("stars") {
+		hasStars := searchFilters.Get("stars")
+		for _, hasStar := range hasStars {
+			iHasStar, err := strconv.Atoi(hasStar)
+			if err != nil {
+				return nil, invalidFilter{"stars", hasStar}
+			}
+			if iHasStar > hasStarFilter {
+				hasStarFilter = iHasStar
+			}
+		}
+	}
+
+	unfilteredResult, err := i.registryService.Search(ctx, term, limit, authConfig, dockerversion.DockerUserAgent(ctx), headers)
+	if err != nil {
+		return nil, err
+	}
+
+	filteredResults := []registrytypes.SearchResult{}
+	for _, result := range unfilteredResult.Results {
+		if searchFilters.Contains("is-automated") {
+			if isAutomated != result.IsAutomated {
+				continue
+			}
+		}
+		if searchFilters.Contains("is-official") {
+			if isOfficial != result.IsOfficial {
+				continue
+			}
+		}
+		if searchFilters.Contains("stars") {
+			if result.StarCount < hasStarFilter {
+				continue
+			}
+		}
+		filteredResults = append(filteredResults, result)
+	}
+
+	return &registrytypes.SearchResults{
+		Query:      unfilteredResult.Query,
+		NumResults: len(filteredResults),
+		Results:    filteredResults,
+	}, nil
+}
diff --git a/engine/daemon/images/image_search_test.go b/engine/daemon/images/image_search_test.go
new file mode 100644
index 00000000..4fef86b6
--- /dev/null
+++ b/engine/daemon/images/image_search_test.go
@@ -0,0 +1,357 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"context"
+	"errors"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/registry"
+)
+
+type FakeService struct {
+	registry.DefaultService
+
+	shouldReturnError bool
+
+	term    string
+	results []registrytypes.SearchResult
+}
+
+func (s *FakeService) Search(ctx context.Context, term string, limit int, authConfig *types.AuthConfig, userAgent string, headers map[string][]string) (*registrytypes.SearchResults, error) {
+	if s.shouldReturnError {
+		return nil, errors.New("Search unknown error")
+	}
+	return &registrytypes.SearchResults{
+		Query:      s.term,
+		NumResults: len(s.results),
+		Results:    s.results,
+	}, nil
+}
+
+func TestSearchRegistryForImagesErrors(t *testing.T) {
+	errorCases := []struct {
+		filtersArgs       string
+		shouldReturnError bool
+		expectedError     string
+	}{
+		{
+			expectedError:     "Search unknown error",
+			shouldReturnError: true,
+		},
+		{
+			filtersArgs:   "invalid json",
+			expectedError: "invalid character 'i' looking for beginning of value",
+		},
+		{
+			filtersArgs:   `{"type":{"custom":true}}`,
+			expectedError: "Invalid filter 'type'",
+		},
+		{
+			filtersArgs:   `{"is-automated":{"invalid":true}}`,
+			expectedError: "Invalid filter 'is-automated=[invalid]'",
+		},
+		{
+			filtersArgs:   `{"is-automated":{"true":true,"false":true}}`,
+			expectedError: "Invalid filter 'is-automated",
+		},
+		{
+			filtersArgs:   `{"is-official":{"invalid":true}}`,
+			expectedError: "Invalid filter 'is-official=[invalid]'",
+		},
+		{
+			filtersArgs:   `{"is-official":{"true":true,"false":true}}`,
+			expectedError: "Invalid filter 'is-official",
+		},
+		{
+			filtersArgs:   `{"stars":{"invalid":true}}`,
+			expectedError: "Invalid filter 'stars=invalid'",
+		},
+		{
+			filtersArgs:   `{"stars":{"1":true,"invalid":true}}`,
+			expectedError: "Invalid filter 'stars=invalid'",
+		},
+	}
+	for index, e := range errorCases {
+		daemon := &ImageService{
+			registryService: &FakeService{
+				shouldReturnError: e.shouldReturnError,
+			},
+		}
+		_, err := daemon.SearchRegistryForImages(context.Background(), e.filtersArgs, "term", 25, nil, map[string][]string{})
+		if err == nil {
+			t.Errorf("%d: expected an error, got nothing", index)
+		}
+		if !strings.Contains(err.Error(), e.expectedError) {
+			t.Errorf("%d: expected error to contain %s, got %s", index, e.expectedError, err.Error())
+		}
+	}
+}
+
+func TestSearchRegistryForImages(t *testing.T) {
+	term := "term"
+	successCases := []struct {
+		filtersArgs     string
+		registryResults []registrytypes.SearchResult
+		expectedResults []registrytypes.SearchResult
+	}{
+		{
+			filtersArgs:     "",
+			registryResults: []registrytypes.SearchResult{},
+			expectedResults: []registrytypes.SearchResult{},
+		},
+		{
+			filtersArgs: "",
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+				},
+			},
+		},
+		{
+			filtersArgs: `{"is-automated":{"true":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{},
+		},
+		{
+			filtersArgs: `{"is-automated":{"true":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					IsAutomated: true,
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					IsAutomated: true,
+				},
+			},
+		},
+		{
+			filtersArgs: `{"is-automated":{"false":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					IsAutomated: true,
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{},
+		},
+		{
+			filtersArgs: `{"is-automated":{"false":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					IsAutomated: false,
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					IsAutomated: false,
+				},
+			},
+		},
+		{
+			filtersArgs: `{"is-official":{"true":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{},
+		},
+		{
+			filtersArgs: `{"is-official":{"true":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					IsOfficial:  true,
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					IsOfficial:  true,
+				},
+			},
+		},
+		{
+			filtersArgs: `{"is-official":{"false":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					IsOfficial:  true,
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{},
+		},
+		{
+			filtersArgs: `{"is-official":{"false":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					IsOfficial:  false,
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					IsOfficial:  false,
+				},
+			},
+		},
+		{
+			filtersArgs: `{"stars":{"0":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					StarCount:   0,
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					StarCount:   0,
+				},
+			},
+		},
+		{
+			filtersArgs: `{"stars":{"1":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name",
+					Description: "description",
+					StarCount:   0,
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{},
+		},
+		{
+			filtersArgs: `{"stars":{"1":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name0",
+					Description: "description0",
+					StarCount:   0,
+				},
+				{
+					Name:        "name1",
+					Description: "description1",
+					StarCount:   1,
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{
+				{
+					Name:        "name1",
+					Description: "description1",
+					StarCount:   1,
+				},
+			},
+		},
+		{
+			filtersArgs: `{"stars":{"1":true}, "is-official":{"true":true}, "is-automated":{"true":true}}`,
+			registryResults: []registrytypes.SearchResult{
+				{
+					Name:        "name0",
+					Description: "description0",
+					StarCount:   0,
+					IsOfficial:  true,
+					IsAutomated: true,
+				},
+				{
+					Name:        "name1",
+					Description: "description1",
+					StarCount:   1,
+					IsOfficial:  false,
+					IsAutomated: true,
+				},
+				{
+					Name:        "name2",
+					Description: "description2",
+					StarCount:   1,
+					IsOfficial:  true,
+					IsAutomated: false,
+				},
+				{
+					Name:        "name3",
+					Description: "description3",
+					StarCount:   2,
+					IsOfficial:  true,
+					IsAutomated: true,
+				},
+			},
+			expectedResults: []registrytypes.SearchResult{
+				{
+					Name:        "name3",
+					Description: "description3",
+					StarCount:   2,
+					IsOfficial:  true,
+					IsAutomated: true,
+				},
+			},
+		},
+	}
+	for index, s := range successCases {
+		daemon := &ImageService{
+			registryService: &FakeService{
+				term:    term,
+				results: s.registryResults,
+			},
+		}
+		results, err := daemon.SearchRegistryForImages(context.Background(), s.filtersArgs, term, 25, nil, map[string][]string{})
+		if err != nil {
+			t.Errorf("%d: %v", index, err)
+		}
+		if results.Query != term {
+			t.Errorf("%d: expected Query to be %s, got %s", index, term, results.Query)
+		}
+		if results.NumResults != len(s.expectedResults) {
+			t.Errorf("%d: expected NumResults to be %d, got %d", index, len(s.expectedResults), results.NumResults)
+		}
+		for _, result := range results.Results {
+			found := false
+			for _, expectedResult := range s.expectedResults {
+				if expectedResult.Name == result.Name &&
+					expectedResult.Description == result.Description &&
+					expectedResult.IsAutomated == result.IsAutomated &&
+					expectedResult.IsOfficial == result.IsOfficial &&
+					expectedResult.StarCount == result.StarCount {
+					found = true
+					break
+				}
+			}
+			if !found {
+				t.Errorf("%d: expected results %v, got %v", index, s.expectedResults, results.Results)
+			}
+		}
+	}
+}
diff --git a/engine/daemon/images/image_tag.go b/engine/daemon/images/image_tag.go
new file mode 100644
index 00000000..4693611c
--- /dev/null
+++ b/engine/daemon/images/image_tag.go
@@ -0,0 +1,41 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/image"
+)
+
+// TagImage creates the tag specified by newTag, pointing to the image named
+// imageName (alternatively, imageName can also be an image ID).
+func (i *ImageService) TagImage(imageName, repository, tag string) (string, error) {
+	img, err := i.GetImage(imageName)
+	if err != nil {
+		return "", err
+	}
+
+	newTag, err := reference.ParseNormalizedNamed(repository)
+	if err != nil {
+		return "", err
+	}
+	if tag != "" {
+		if newTag, err = reference.WithTag(reference.TrimNamed(newTag), tag); err != nil {
+			return "", err
+		}
+	}
+
+	err = i.TagImageWithReference(img.ID(), newTag)
+	return reference.FamiliarString(newTag), err
+}
+
+// TagImageWithReference adds the given reference to the image ID provided.
+func (i *ImageService) TagImageWithReference(imageID image.ID, newTag reference.Named) error {
+	if err := i.referenceStore.AddTag(newTag, imageID.Digest(), true); err != nil {
+		return err
+	}
+
+	if err := i.imageStore.SetLastUpdated(imageID); err != nil {
+		return err
+	}
+	i.LogImageEvent(imageID.String(), reference.FamiliarString(newTag), "tag")
+	return nil
+}
diff --git a/engine/daemon/images/image_unix.go b/engine/daemon/images/image_unix.go
new file mode 100644
index 00000000..3f577271
--- /dev/null
+++ b/engine/daemon/images/image_unix.go
@@ -0,0 +1,45 @@
+// +build linux freebsd
+
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"runtime"
+
+	"github.com/sirupsen/logrus"
+)
+
+// GetContainerLayerSize returns the real size & virtual size of the container.
+func (i *ImageService) GetContainerLayerSize(containerID string) (int64, int64) {
+	var (
+		sizeRw, sizeRootfs int64
+		err                error
+	)
+
+	// Safe to index by runtime.GOOS as Unix hosts don't support multiple
+	// container operating systems.
+	rwlayer, err := i.layerStores[runtime.GOOS].GetRWLayer(containerID)
+	if err != nil {
+		logrus.Errorf("Failed to compute size of container rootfs %v: %v", containerID, err)
+		return sizeRw, sizeRootfs
+	}
+	defer i.layerStores[runtime.GOOS].ReleaseRWLayer(rwlayer)
+
+	sizeRw, err = rwlayer.Size()
+	if err != nil {
+		logrus.Errorf("Driver %s couldn't return diff size of container %s: %s",
+			i.layerStores[runtime.GOOS].DriverName(), containerID, err)
+		// FIXME: GetSize should return an error. Not changing it now in case
+		// there is a side-effect.
+		sizeRw = -1
+	}
+
+	if parent := rwlayer.Parent(); parent != nil {
+		sizeRootfs, err = parent.Size()
+		if err != nil {
+			sizeRootfs = -1
+		} else if sizeRw != -1 {
+			sizeRootfs += sizeRw
+		}
+	}
+	return sizeRw, sizeRootfs
+}
diff --git a/engine/daemon/images/image_windows.go b/engine/daemon/images/image_windows.go
new file mode 100644
index 00000000..6f4be497
--- /dev/null
+++ b/engine/daemon/images/image_windows.go
@@ -0,0 +1,41 @@
+package images
+
+import (
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+)
+
+// GetContainerLayerSize returns real size & virtual size
+func (i *ImageService) GetContainerLayerSize(containerID string) (int64, int64) {
+	// TODO Windows
+	return 0, 0
+}
+
+// GetLayerFolders returns the layer folders from an image RootFS
+func (i *ImageService) GetLayerFolders(img *image.Image, rwLayer layer.RWLayer) ([]string, error) {
+	folders := []string{}
+	max := len(img.RootFS.DiffIDs)
+	for index := 1; index <= max; index++ {
+		// FIXME: why does this mutate the RootFS?
+		img.RootFS.DiffIDs = img.RootFS.DiffIDs[:index]
+		if !system.IsOSSupported(img.OperatingSystem()) {
+			return nil, errors.Wrapf(system.ErrNotSupportedOperatingSystem, "cannot get layerpath for ImageID %s", img.RootFS.ChainID())
+		}
+		layerPath, err := layer.GetLayerPath(i.layerStores[img.OperatingSystem()], img.RootFS.ChainID())
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to get layer path from graphdriver %s for ImageID %s", i.layerStores[img.OperatingSystem()], img.RootFS.ChainID())
+		}
+		// Reverse order, expecting parent first
+		folders = append([]string{layerPath}, folders...)
+	}
+	if rwLayer == nil {
+		return nil, errors.New("RWLayer is unexpectedly nil")
+	}
+	m, err := rwLayer.Metadata()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get layer metadata")
+	}
+	return append(folders, m["dir"]), nil
+}
diff --git a/engine/daemon/images/images.go b/engine/daemon/images/images.go
new file mode 100644
index 00000000..49212341
--- /dev/null
+++ b/engine/daemon/images/images.go
@@ -0,0 +1,348 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"encoding/json"
+	"fmt"
+	"sort"
+	"time"
+
+	"github.com/pkg/errors"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/system"
+)
+
+var acceptedImageFilterTags = map[string]bool{
+	"dangling":  true,
+	"label":     true,
+	"before":    true,
+	"since":     true,
+	"reference": true,
+}
+
+// byCreated is a temporary type used to sort a list of images by creation
+// time.
+type byCreated []*types.ImageSummary
+
+func (r byCreated) Len() int           { return len(r) }
+func (r byCreated) Swap(i, j int)      { r[i], r[j] = r[j], r[i] }
+func (r byCreated) Less(i, j int) bool { return r[i].Created < r[j].Created }
+
+// Map returns a map of all images in the ImageStore
+func (i *ImageService) Map() map[image.ID]*image.Image {
+	return i.imageStore.Map()
+}
+
+// Images returns a filtered list of images. filterArgs is a JSON-encoded set
+// of filter arguments which will be interpreted by api/types/filters.
+// filter is a shell glob string applied to repository names. The argument
+// named all controls whether all images in the graph are filtered, or just
+// the heads.
+func (i *ImageService) Images(imageFilters filters.Args, all bool, withExtraAttrs bool) ([]*types.ImageSummary, error) {
+	var (
+		allImages    map[image.ID]*image.Image
+		err          error
+		danglingOnly = false
+	)
+
+	if err := imageFilters.Validate(acceptedImageFilterTags); err != nil {
+		return nil, err
+	}
+
+	if imageFilters.Contains("dangling") {
+		if imageFilters.ExactMatch("dangling", "true") {
+			danglingOnly = true
+		} else if !imageFilters.ExactMatch("dangling", "false") {
+			return nil, invalidFilter{"dangling", imageFilters.Get("dangling")}
+		}
+	}
+	if danglingOnly {
+		allImages = i.imageStore.Heads()
+	} else {
+		allImages = i.imageStore.Map()
+	}
+
+	var beforeFilter, sinceFilter *image.Image
+	err = imageFilters.WalkValues("before", func(value string) error {
+		beforeFilter, err = i.GetImage(value)
+		return err
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	err = imageFilters.WalkValues("since", func(value string) error {
+		sinceFilter, err = i.GetImage(value)
+		return err
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	images := []*types.ImageSummary{}
+	var imagesMap map[*image.Image]*types.ImageSummary
+	var layerRefs map[layer.ChainID]int
+	var allLayers map[layer.ChainID]layer.Layer
+	var allContainers []*container.Container
+
+	for id, img := range allImages {
+		if beforeFilter != nil {
+			if img.Created.Equal(beforeFilter.Created) || img.Created.After(beforeFilter.Created) {
+				continue
+			}
+		}
+
+		if sinceFilter != nil {
+			if img.Created.Equal(sinceFilter.Created) || img.Created.Before(sinceFilter.Created) {
+				continue
+			}
+		}
+
+		if imageFilters.Contains("label") {
+			// Very old image that do not have image.Config (or even labels)
+			if img.Config == nil {
+				continue
+			}
+			// We are now sure image.Config is not nil
+			if !imageFilters.MatchKVList("label", img.Config.Labels) {
+				continue
+			}
+		}
+
+		// Skip any images with an unsupported operating system to avoid a potential
+		// panic when indexing through the layerstore. Don't error as we want to list
+		// the other images. This should never happen, but here as a safety precaution.
+		if !system.IsOSSupported(img.OperatingSystem()) {
+			continue
+		}
+
+		layerID := img.RootFS.ChainID()
+		var size int64
+		if layerID != "" {
+			l, err := i.layerStores[img.OperatingSystem()].Get(layerID)
+			if err != nil {
+				// The layer may have been deleted between the call to `Map()` or
+				// `Heads()` and the call to `Get()`, so we just ignore this error
+				if err == layer.ErrLayerDoesNotExist {
+					continue
+				}
+				return nil, err
+			}
+
+			size, err = l.Size()
+			layer.ReleaseAndLog(i.layerStores[img.OperatingSystem()], l)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		newImage := newImage(img, size)
+
+		for _, ref := range i.referenceStore.References(id.Digest()) {
+			if imageFilters.Contains("reference") {
+				var found bool
+				var matchErr error
+				for _, pattern := range imageFilters.Get("reference") {
+					found, matchErr = reference.FamiliarMatch(pattern, ref)
+					if matchErr != nil {
+						return nil, matchErr
+					}
+				}
+				if !found {
+					continue
+				}
+			}
+			if _, ok := ref.(reference.Canonical); ok {
+				newImage.RepoDigests = append(newImage.RepoDigests, reference.FamiliarString(ref))
+			}
+			if _, ok := ref.(reference.NamedTagged); ok {
+				newImage.RepoTags = append(newImage.RepoTags, reference.FamiliarString(ref))
+			}
+		}
+		if newImage.RepoDigests == nil && newImage.RepoTags == nil {
+			if all || len(i.imageStore.Children(id)) == 0 {
+
+				if imageFilters.Contains("dangling") && !danglingOnly {
+					//dangling=false case, so dangling image is not needed
+					continue
+				}
+				if imageFilters.Contains("reference") { // skip images with no references if filtering by reference
+					continue
+				}
+				newImage.RepoDigests = []string{"<none>@<none>"}
+				newImage.RepoTags = []string{"<none>:<none>"}
+			} else {
+				continue
+			}
+		} else if danglingOnly && len(newImage.RepoTags) > 0 {
+			continue
+		}
+
+		if withExtraAttrs {
+			// lazily init variables
+			if imagesMap == nil {
+				allContainers = i.containers.List()
+				allLayers = i.layerStores[img.OperatingSystem()].Map()
+				imagesMap = make(map[*image.Image]*types.ImageSummary)
+				layerRefs = make(map[layer.ChainID]int)
+			}
+
+			// Get container count
+			newImage.Containers = 0
+			for _, c := range allContainers {
+				if c.ImageID == id {
+					newImage.Containers++
+				}
+			}
+
+			// count layer references
+			rootFS := *img.RootFS
+			rootFS.DiffIDs = nil
+			for _, id := range img.RootFS.DiffIDs {
+				rootFS.Append(id)
+				chid := rootFS.ChainID()
+				layerRefs[chid]++
+				if _, ok := allLayers[chid]; !ok {
+					return nil, fmt.Errorf("layer %v was not found (corruption?)", chid)
+				}
+			}
+			imagesMap[img] = newImage
+		}
+
+		images = append(images, newImage)
+	}
+
+	if withExtraAttrs {
+		// Get Shared sizes
+		for img, newImage := range imagesMap {
+			rootFS := *img.RootFS
+			rootFS.DiffIDs = nil
+
+			newImage.SharedSize = 0
+			for _, id := range img.RootFS.DiffIDs {
+				rootFS.Append(id)
+				chid := rootFS.ChainID()
+
+				diffSize, err := allLayers[chid].DiffSize()
+				if err != nil {
+					return nil, err
+				}
+
+				if layerRefs[chid] > 1 {
+					newImage.SharedSize += diffSize
+				}
+			}
+		}
+	}
+
+	sort.Sort(sort.Reverse(byCreated(images)))
+
+	return images, nil
+}
+
+// SquashImage creates a new image with the diff of the specified image and the specified parent.
+// This new image contains only the layers from it's parent + 1 extra layer which contains the diff of all the layers in between.
+// The existing image(s) is not destroyed.
+// If no parent is specified, a new image with the diff of all the specified image's layers merged into a new layer that has no parents.
+func (i *ImageService) SquashImage(id, parent string) (string, error) {
+
+	var (
+		img *image.Image
+		err error
+	)
+	if img, err = i.imageStore.Get(image.ID(id)); err != nil {
+		return "", err
+	}
+
+	var parentImg *image.Image
+	var parentChainID layer.ChainID
+	if len(parent) != 0 {
+		parentImg, err = i.imageStore.Get(image.ID(parent))
+		if err != nil {
+			return "", errors.Wrap(err, "error getting specified parent layer")
+		}
+		parentChainID = parentImg.RootFS.ChainID()
+	} else {
+		rootFS := image.NewRootFS()
+		parentImg = &image.Image{RootFS: rootFS}
+	}
+	if !system.IsOSSupported(img.OperatingSystem()) {
+		return "", errors.Wrap(err, system.ErrNotSupportedOperatingSystem.Error())
+	}
+	l, err := i.layerStores[img.OperatingSystem()].Get(img.RootFS.ChainID())
+	if err != nil {
+		return "", errors.Wrap(err, "error getting image layer")
+	}
+	defer i.layerStores[img.OperatingSystem()].Release(l)
+
+	ts, err := l.TarStreamFrom(parentChainID)
+	if err != nil {
+		return "", errors.Wrapf(err, "error getting tar stream to parent")
+	}
+	defer ts.Close()
+
+	newL, err := i.layerStores[img.OperatingSystem()].Register(ts, parentChainID)
+	if err != nil {
+		return "", errors.Wrap(err, "error registering layer")
+	}
+	defer i.layerStores[img.OperatingSystem()].Release(newL)
+
+	newImage := *img
+	newImage.RootFS = nil
+
+	rootFS := *parentImg.RootFS
+	rootFS.DiffIDs = append(rootFS.DiffIDs, newL.DiffID())
+	newImage.RootFS = &rootFS
+
+	for i, hi := range newImage.History {
+		if i >= len(parentImg.History) {
+			hi.EmptyLayer = true
+		}
+		newImage.History[i] = hi
+	}
+
+	now := time.Now()
+	var historyComment string
+	if len(parent) > 0 {
+		historyComment = fmt.Sprintf("merge %s to %s", id, parent)
+	} else {
+		historyComment = fmt.Sprintf("create new from %s", id)
+	}
+
+	newImage.History = append(newImage.History, image.History{
+		Created: now,
+		Comment: historyComment,
+	})
+	newImage.Created = now
+
+	b, err := json.Marshal(&newImage)
+	if err != nil {
+		return "", errors.Wrap(err, "error marshalling image config")
+	}
+
+	newImgID, err := i.imageStore.Create(b)
+	if err != nil {
+		return "", errors.Wrap(err, "error creating new image after squash")
+	}
+	return string(newImgID), nil
+}
+
+func newImage(image *image.Image, size int64) *types.ImageSummary {
+	newImage := new(types.ImageSummary)
+	newImage.ParentID = image.Parent.String()
+	newImage.ID = image.ID().String()
+	newImage.Created = image.Created.Unix()
+	newImage.Size = size
+	newImage.VirtualSize = size
+	newImage.SharedSize = -1
+	newImage.Containers = -1
+	if image.Config != nil {
+		newImage.Labels = image.Config.Labels
+	}
+	return newImage
+}
diff --git a/engine/daemon/images/locals.go b/engine/daemon/images/locals.go
new file mode 100644
index 00000000..5ffc460a
--- /dev/null
+++ b/engine/daemon/images/locals.go
@@ -0,0 +1,32 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"fmt"
+
+	"github.com/docker/go-metrics"
+)
+
+type invalidFilter struct {
+	filter string
+	value  interface{}
+}
+
+func (e invalidFilter) Error() string {
+	msg := "Invalid filter '" + e.filter
+	if e.value != nil {
+		msg += fmt.Sprintf("=%s", e.value)
+	}
+	return msg + "'"
+}
+
+func (e invalidFilter) InvalidParameter() {}
+
+var imageActions metrics.LabeledTimer
+
+func init() {
+	ns := metrics.NewNamespace("engine", "daemon", nil)
+	imageActions = ns.NewLabeledTimer("image_actions", "The number of seconds it takes to process each image action", "action")
+	// TODO: is it OK to register a namespace with the same name? Or does this
+	// need to be exported from somewhere?
+	metrics.Register(ns)
+}
diff --git a/engine/daemon/images/service.go b/engine/daemon/images/service.go
new file mode 100644
index 00000000..263217dc
--- /dev/null
+++ b/engine/daemon/images/service.go
@@ -0,0 +1,251 @@
+package images // import "github.com/docker/docker/daemon/images"
+
+import (
+	"context"
+	"os"
+	"runtime"
+
+	"github.com/docker/docker/container"
+	daemonevents "github.com/docker/docker/daemon/events"
+	"github.com/docker/docker/distribution"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	dockerreference "github.com/docker/docker/reference"
+	"github.com/docker/docker/registry"
+	"github.com/docker/libtrust"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type containerStore interface {
+	// used by image delete
+	First(container.StoreFilter) *container.Container
+	// used by image prune, and image list
+	List() []*container.Container
+	// TODO: remove, only used for CommitBuildStep
+	Get(string) *container.Container
+}
+
+// ImageServiceConfig is the configuration used to create a new ImageService
+type ImageServiceConfig struct {
+	ContainerStore            containerStore
+	DistributionMetadataStore metadata.Store
+	EventsService             *daemonevents.Events
+	ImageStore                image.Store
+	LayerStores               map[string]layer.Store
+	MaxConcurrentDownloads    int
+	MaxConcurrentUploads      int
+	ReferenceStore            dockerreference.Store
+	RegistryService           registry.Service
+	TrustKey                  libtrust.PrivateKey
+}
+
+// NewImageService returns a new ImageService from a configuration
+func NewImageService(config ImageServiceConfig) *ImageService {
+	logrus.Debugf("Max Concurrent Downloads: %d", config.MaxConcurrentDownloads)
+	logrus.Debugf("Max Concurrent Uploads: %d", config.MaxConcurrentUploads)
+	return &ImageService{
+		containers:                config.ContainerStore,
+		distributionMetadataStore: config.DistributionMetadataStore,
+		downloadManager:           xfer.NewLayerDownloadManager(config.LayerStores, config.MaxConcurrentDownloads),
+		eventsService:             config.EventsService,
+		imageStore:                config.ImageStore,
+		layerStores:               config.LayerStores,
+		referenceStore:            config.ReferenceStore,
+		registryService:           config.RegistryService,
+		trustKey:                  config.TrustKey,
+		uploadManager:             xfer.NewLayerUploadManager(config.MaxConcurrentUploads),
+	}
+}
+
+// ImageService provides a backend for image management
+type ImageService struct {
+	containers                containerStore
+	distributionMetadataStore metadata.Store
+	downloadManager           *xfer.LayerDownloadManager
+	eventsService             *daemonevents.Events
+	imageStore                image.Store
+	layerStores               map[string]layer.Store // By operating system
+	pruneRunning              int32
+	referenceStore            dockerreference.Store
+	registryService           registry.Service
+	trustKey                  libtrust.PrivateKey
+	uploadManager             *xfer.LayerUploadManager
+}
+
+// DistributionServices provides daemon image storage services
+type DistributionServices struct {
+	DownloadManager   distribution.RootFSDownloadManager
+	V2MetadataService metadata.V2MetadataService
+	LayerStore        layer.Store // TODO: lcow
+	ImageStore        image.Store
+	ReferenceStore    dockerreference.Store
+}
+
+// DistributionServices return services controlling daemon image storage
+func (i *ImageService) DistributionServices() DistributionServices {
+	return DistributionServices{
+		DownloadManager:   i.downloadManager,
+		V2MetadataService: metadata.NewV2MetadataService(i.distributionMetadataStore),
+		LayerStore:        i.layerStores[runtime.GOOS],
+		ImageStore:        i.imageStore,
+		ReferenceStore:    i.referenceStore,
+	}
+}
+
+// CountImages returns the number of images stored by ImageService
+// called from info.go
+func (i *ImageService) CountImages() int {
+	return i.imageStore.Len()
+}
+
+// Children returns the children image.IDs for a parent image.
+// called from list.go to filter containers
+// TODO: refactor to expose an ancestry for image.ID?
+func (i *ImageService) Children(id image.ID) []image.ID {
+	return i.imageStore.Children(id)
+}
+
+// CreateLayer creates a filesystem layer for a container.
+// called from create.go
+// TODO: accept an opt struct instead of container?
+func (i *ImageService) CreateLayer(container *container.Container, initFunc layer.MountInit) (layer.RWLayer, error) {
+	var layerID layer.ChainID
+	if container.ImageID != "" {
+		img, err := i.imageStore.Get(container.ImageID)
+		if err != nil {
+			return nil, err
+		}
+		layerID = img.RootFS.ChainID()
+	}
+
+	rwLayerOpts := &layer.CreateRWLayerOpts{
+		MountLabel: container.MountLabel,
+		InitFunc:   initFunc,
+		StorageOpt: container.HostConfig.StorageOpt,
+	}
+
+	// Indexing by OS is safe here as validation of OS has already been performed in create() (the only
+	// caller), and guaranteed non-nil
+	return i.layerStores[container.OS].CreateRWLayer(container.ID, layerID, rwLayerOpts)
+}
+
+// GetLayerByID returns a layer by ID and operating system
+// called from daemon.go Daemon.restore(), and Daemon.containerExport()
+func (i *ImageService) GetLayerByID(cid string, os string) (layer.RWLayer, error) {
+	return i.layerStores[os].GetRWLayer(cid)
+}
+
+// LayerStoreStatus returns the status for each layer store
+// called from info.go
+func (i *ImageService) LayerStoreStatus() map[string][][2]string {
+	result := make(map[string][][2]string)
+	for os, store := range i.layerStores {
+		result[os] = store.DriverStatus()
+	}
+	return result
+}
+
+// GetLayerMountID returns the mount ID for a layer
+// called from daemon.go Daemon.Shutdown(), and Daemon.Cleanup() (cleanup is actually continerCleanup)
+// TODO: needs to be refactored to Unmount (see callers), or removed and replaced
+// with GetLayerByID
+func (i *ImageService) GetLayerMountID(cid string, os string) (string, error) {
+	return i.layerStores[os].GetMountID(cid)
+}
+
+// Cleanup resources before the process is shutdown.
+// called from daemon.go Daemon.Shutdown()
+func (i *ImageService) Cleanup() {
+	for os, ls := range i.layerStores {
+		if ls != nil {
+			if err := ls.Cleanup(); err != nil {
+				logrus.Errorf("Error during layer Store.Cleanup(): %v %s", err, os)
+			}
+		}
+	}
+}
+
+// GraphDriverForOS returns the name of the graph drvier
+// moved from Daemon.GraphDriverName, used by:
+// - newContainer
+// - to report an error in Daemon.Mount(container)
+func (i *ImageService) GraphDriverForOS(os string) string {
+	return i.layerStores[os].DriverName()
+}
+
+// ReleaseLayer releases a layer allowing it to be removed
+// called from delete.go Daemon.cleanupContainer(), and Daemon.containerExport()
+func (i *ImageService) ReleaseLayer(rwlayer layer.RWLayer, containerOS string) error {
+	metadata, err := i.layerStores[containerOS].ReleaseRWLayer(rwlayer)
+	layer.LogReleaseMetadata(metadata)
+	if err != nil && err != layer.ErrMountDoesNotExist && !os.IsNotExist(errors.Cause(err)) {
+		return errors.Wrapf(err, "driver %q failed to remove root filesystem",
+			i.layerStores[containerOS].DriverName())
+	}
+	return nil
+}
+
+// LayerDiskUsage returns the number of bytes used by layer stores
+// called from disk_usage.go
+func (i *ImageService) LayerDiskUsage(ctx context.Context) (int64, error) {
+	var allLayersSize int64
+	layerRefs := i.getLayerRefs()
+	for _, ls := range i.layerStores {
+		allLayers := ls.Map()
+		for _, l := range allLayers {
+			select {
+			case <-ctx.Done():
+				return allLayersSize, ctx.Err()
+			default:
+				size, err := l.DiffSize()
+				if err == nil {
+					if _, ok := layerRefs[l.ChainID()]; ok {
+						allLayersSize += size
+					} else {
+						logrus.Warnf("found leaked image layer %v", l.ChainID())
+					}
+				} else {
+					logrus.Warnf("failed to get diff size for layer %v", l.ChainID())
+				}
+			}
+		}
+	}
+	return allLayersSize, nil
+}
+
+func (i *ImageService) getLayerRefs() map[layer.ChainID]int {
+	tmpImages := i.imageStore.Map()
+	layerRefs := map[layer.ChainID]int{}
+	for id, img := range tmpImages {
+		dgst := digest.Digest(id)
+		if len(i.referenceStore.References(dgst)) == 0 && len(i.imageStore.Children(id)) != 0 {
+			continue
+		}
+
+		rootFS := *img.RootFS
+		rootFS.DiffIDs = nil
+		for _, id := range img.RootFS.DiffIDs {
+			rootFS.Append(id)
+			chid := rootFS.ChainID()
+			layerRefs[chid]++
+		}
+	}
+
+	return layerRefs
+}
+
+// UpdateConfig values
+//
+// called from reload.go
+func (i *ImageService) UpdateConfig(maxDownloads, maxUploads *int) {
+	if i.downloadManager != nil && maxDownloads != nil {
+		i.downloadManager.SetConcurrency(*maxDownloads)
+	}
+	if i.uploadManager != nil && maxUploads != nil {
+		i.uploadManager.SetConcurrency(*maxUploads)
+	}
+}
diff --git a/engine/daemon/info.go b/engine/daemon/info.go
new file mode 100644
index 00000000..7b011fe3
--- /dev/null
+++ b/engine/daemon/info.go
@@ -0,0 +1,206 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/cli/debug"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/pkg/fileutils"
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"github.com/docker/docker/pkg/parsers/operatingsystem"
+	"github.com/docker/docker/pkg/platform"
+	"github.com/docker/docker/pkg/sysinfo"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/registry"
+	"github.com/docker/go-connections/sockets"
+	"github.com/sirupsen/logrus"
+)
+
+// SystemInfo returns information about the host server the daemon is running on.
+func (daemon *Daemon) SystemInfo() (*types.Info, error) {
+	kernelVersion := "<unknown>"
+	if kv, err := kernel.GetKernelVersion(); err != nil {
+		logrus.Warnf("Could not get kernel version: %v", err)
+	} else {
+		kernelVersion = kv.String()
+	}
+
+	operatingSystem := "<unknown>"
+	if s, err := operatingsystem.GetOperatingSystem(); err != nil {
+		logrus.Warnf("Could not get operating system name: %v", err)
+	} else {
+		operatingSystem = s
+	}
+
+	// Don't do containerized check on Windows
+	if runtime.GOOS != "windows" {
+		if inContainer, err := operatingsystem.IsContainerized(); err != nil {
+			logrus.Errorf("Could not determine if daemon is containerized: %v", err)
+			operatingSystem += " (error determining if containerized)"
+		} else if inContainer {
+			operatingSystem += " (containerized)"
+		}
+	}
+
+	meminfo, err := system.ReadMemInfo()
+	if err != nil {
+		logrus.Errorf("Could not read system memory info: %v", err)
+		meminfo = &system.MemInfo{}
+	}
+
+	sysInfo := sysinfo.New(true)
+	cRunning, cPaused, cStopped := stateCtr.get()
+
+	securityOptions := []string{}
+	if sysInfo.AppArmor {
+		securityOptions = append(securityOptions, "name=apparmor")
+	}
+	if sysInfo.Seccomp && supportsSeccomp {
+		profile := daemon.seccompProfilePath
+		if profile == "" {
+			profile = "default"
+		}
+		securityOptions = append(securityOptions, fmt.Sprintf("name=seccomp,profile=%s", profile))
+	}
+	if selinuxEnabled() {
+		securityOptions = append(securityOptions, "name=selinux")
+	}
+	rootIDs := daemon.idMappings.RootPair()
+	if rootIDs.UID != 0 || rootIDs.GID != 0 {
+		securityOptions = append(securityOptions, "name=userns")
+	}
+
+	var ds [][2]string
+	drivers := ""
+	statuses := daemon.imageService.LayerStoreStatus()
+	for os, gd := range daemon.graphDrivers {
+		ds = append(ds, statuses[os]...)
+		drivers += gd
+		if len(daemon.graphDrivers) > 1 {
+			drivers += fmt.Sprintf(" (%s) ", os)
+		}
+	}
+	drivers = strings.TrimSpace(drivers)
+
+	v := &types.Info{
+		ID:                 daemon.ID,
+		Containers:         cRunning + cPaused + cStopped,
+		ContainersRunning:  cRunning,
+		ContainersPaused:   cPaused,
+		ContainersStopped:  cStopped,
+		Images:             daemon.imageService.CountImages(),
+		Driver:             drivers,
+		DriverStatus:       ds,
+		Plugins:            daemon.showPluginsInfo(),
+		IPv4Forwarding:     !sysInfo.IPv4ForwardingDisabled,
+		BridgeNfIptables:   !sysInfo.BridgeNFCallIPTablesDisabled,
+		BridgeNfIP6tables:  !sysInfo.BridgeNFCallIP6TablesDisabled,
+		Debug:              debug.IsEnabled(),
+		NFd:                fileutils.GetTotalUsedFds(),
+		NGoroutines:        runtime.NumGoroutine(),
+		SystemTime:         time.Now().Format(time.RFC3339Nano),
+		LoggingDriver:      daemon.defaultLogConfig.Type,
+		CgroupDriver:       daemon.getCgroupDriver(),
+		NEventsListener:    daemon.EventsService.SubscribersCount(),
+		KernelVersion:      kernelVersion,
+		OperatingSystem:    operatingSystem,
+		IndexServerAddress: registry.IndexServer,
+		OSType:             platform.OSType,
+		Architecture:       platform.Architecture,
+		RegistryConfig:     daemon.RegistryService.ServiceConfig(),
+		NCPU:               sysinfo.NumCPU(),
+		MemTotal:           meminfo.MemTotal,
+		GenericResources:   daemon.genericResources,
+		DockerRootDir:      daemon.configStore.Root,
+		Labels:             daemon.configStore.Labels,
+		ExperimentalBuild:  daemon.configStore.Experimental,
+		ServerVersion:      dockerversion.Version,
+		ClusterStore:       daemon.configStore.ClusterStore,
+		ClusterAdvertise:   daemon.configStore.ClusterAdvertise,
+		HTTPProxy:          sockets.GetProxyEnv("http_proxy"),
+		HTTPSProxy:         sockets.GetProxyEnv("https_proxy"),
+		NoProxy:            sockets.GetProxyEnv("no_proxy"),
+		LiveRestoreEnabled: daemon.configStore.LiveRestoreEnabled,
+		SecurityOptions:    securityOptions,
+		Isolation:          daemon.defaultIsolation,
+	}
+
+	// Retrieve platform specific info
+	daemon.FillPlatformInfo(v, sysInfo)
+
+	hostname := ""
+	if hn, err := os.Hostname(); err != nil {
+		logrus.Warnf("Could not get hostname: %v", err)
+	} else {
+		hostname = hn
+	}
+	v.Name = hostname
+
+	return v, nil
+}
+
+// SystemVersion returns version information about the daemon.
+func (daemon *Daemon) SystemVersion() types.Version {
+	kernelVersion := "<unknown>"
+	if kv, err := kernel.GetKernelVersion(); err != nil {
+		logrus.Warnf("Could not get kernel version: %v", err)
+	} else {
+		kernelVersion = kv.String()
+	}
+
+	v := types.Version{
+		Components: []types.ComponentVersion{
+			{
+				Name:    "Engine",
+				Version: dockerversion.Version,
+				Details: map[string]string{
+					"GitCommit":     dockerversion.GitCommit,
+					"ApiVersion":    api.DefaultVersion,
+					"MinAPIVersion": api.MinVersion,
+					"GoVersion":     runtime.Version(),
+					"Os":            runtime.GOOS,
+					"Arch":          runtime.GOARCH,
+					"BuildTime":     dockerversion.BuildTime,
+					"KernelVersion": kernelVersion,
+					"Experimental":  fmt.Sprintf("%t", daemon.configStore.Experimental),
+				},
+			},
+		},
+
+		// Populate deprecated fields for older clients
+		Version:       dockerversion.Version,
+		GitCommit:     dockerversion.GitCommit,
+		APIVersion:    api.DefaultVersion,
+		MinAPIVersion: api.MinVersion,
+		GoVersion:     runtime.Version(),
+		Os:            runtime.GOOS,
+		Arch:          runtime.GOARCH,
+		BuildTime:     dockerversion.BuildTime,
+		KernelVersion: kernelVersion,
+		Experimental:  daemon.configStore.Experimental,
+	}
+
+	v.Platform.Name = dockerversion.PlatformName
+
+	return v
+}
+
+func (daemon *Daemon) showPluginsInfo() types.PluginsInfo {
+	var pluginsInfo types.PluginsInfo
+
+	pluginsInfo.Volume = daemon.volumes.GetDriverList()
+	pluginsInfo.Network = daemon.GetNetworkDriverList()
+	// The authorization plugins are returned in the order they are
+	// used as they constitute a request/response modification chain.
+	pluginsInfo.Authorization = daemon.configStore.AuthorizationPlugins
+	pluginsInfo.Log = logger.ListDrivers()
+
+	return pluginsInfo
+}
diff --git a/engine/daemon/info_unix.go b/engine/daemon/info_unix.go
new file mode 100644
index 00000000..56be9c06
--- /dev/null
+++ b/engine/daemon/info_unix.go
@@ -0,0 +1,93 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"os/exec"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/pkg/sysinfo"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// FillPlatformInfo fills the platform related info.
+func (daemon *Daemon) FillPlatformInfo(v *types.Info, sysInfo *sysinfo.SysInfo) {
+	v.MemoryLimit = sysInfo.MemoryLimit
+	v.SwapLimit = sysInfo.SwapLimit
+	v.KernelMemory = sysInfo.KernelMemory
+	v.OomKillDisable = sysInfo.OomKillDisable
+	v.CPUCfsPeriod = sysInfo.CPUCfsPeriod
+	v.CPUCfsQuota = sysInfo.CPUCfsQuota
+	v.CPUShares = sysInfo.CPUShares
+	v.CPUSet = sysInfo.Cpuset
+	v.Runtimes = daemon.configStore.GetAllRuntimes()
+	v.DefaultRuntime = daemon.configStore.GetDefaultRuntimeName()
+	v.InitBinary = daemon.configStore.GetInitPath()
+
+	v.RuncCommit.Expected = dockerversion.RuncCommitID
+	defaultRuntimeBinary := daemon.configStore.GetRuntime(v.DefaultRuntime).Path
+	if rv, err := exec.Command(defaultRuntimeBinary, "--version").Output(); err == nil {
+		parts := strings.Split(strings.TrimSpace(string(rv)), "\n")
+		if len(parts) == 3 {
+			parts = strings.Split(parts[1], ": ")
+			if len(parts) == 2 {
+				v.RuncCommit.ID = strings.TrimSpace(parts[1])
+			}
+		}
+
+		if v.RuncCommit.ID == "" {
+			logrus.Warnf("failed to retrieve %s version: unknown output format: %s", defaultRuntimeBinary, string(rv))
+			v.RuncCommit.ID = "N/A"
+		}
+	} else {
+		logrus.Warnf("failed to retrieve %s version: %v", defaultRuntimeBinary, err)
+		v.RuncCommit.ID = "N/A"
+	}
+
+	v.ContainerdCommit.Expected = dockerversion.ContainerdCommitID
+	if rv, err := daemon.containerd.Version(context.Background()); err == nil {
+		v.ContainerdCommit.ID = rv.Revision
+	} else {
+		logrus.Warnf("failed to retrieve containerd version: %v", err)
+		v.ContainerdCommit.ID = "N/A"
+	}
+
+	defaultInitBinary := daemon.configStore.GetInitPath()
+	if rv, err := exec.Command(defaultInitBinary, "--version").Output(); err == nil {
+		ver, err := parseInitVersion(string(rv))
+
+		if err != nil {
+			logrus.Warnf("failed to retrieve %s version: %s", defaultInitBinary, err)
+		}
+		v.InitCommit = ver
+	} else {
+		logrus.Warnf("failed to retrieve %s version: %s", defaultInitBinary, err)
+		v.InitCommit.ID = "N/A"
+	}
+}
+
+// parseInitVersion parses a Tini version string, and extracts the version.
+func parseInitVersion(v string) (types.Commit, error) {
+	version := types.Commit{ID: "", Expected: dockerversion.InitCommitID}
+	parts := strings.Split(strings.TrimSpace(v), " - ")
+
+	if len(parts) >= 2 {
+		gitParts := strings.Split(parts[1], ".")
+		if len(gitParts) == 2 && gitParts[0] == "git" {
+			version.ID = gitParts[1]
+			version.Expected = dockerversion.InitCommitID[0:len(version.ID)]
+		}
+	}
+	if version.ID == "" && strings.HasPrefix(parts[0], "tini version ") {
+		version.ID = "v" + strings.TrimPrefix(parts[0], "tini version ")
+	}
+	if version.ID == "" {
+		version.ID = "N/A"
+		return version, errors.Errorf("unknown output format: %s", v)
+	}
+	return version, nil
+}
diff --git a/engine/daemon/info_unix_test.go b/engine/daemon/info_unix_test.go
new file mode 100644
index 00000000..a5a4e06f
--- /dev/null
+++ b/engine/daemon/info_unix_test.go
@@ -0,0 +1,53 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/dockerversion"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestParseInitVersion(t *testing.T) {
+	tests := []struct {
+		version string
+		result  types.Commit
+		invalid bool
+	}{
+		{
+			version: "tini version 0.13.0 - git.949e6fa",
+			result:  types.Commit{ID: "949e6fa", Expected: dockerversion.InitCommitID[0:7]},
+		}, {
+			version: "tini version 0.13.0\n",
+			result:  types.Commit{ID: "v0.13.0", Expected: dockerversion.InitCommitID},
+		}, {
+			version: "tini version 0.13.2",
+			result:  types.Commit{ID: "v0.13.2", Expected: dockerversion.InitCommitID},
+		}, {
+			version: "tini version0.13.2",
+			result:  types.Commit{ID: "N/A", Expected: dockerversion.InitCommitID},
+			invalid: true,
+		}, {
+			version: "",
+			result:  types.Commit{ID: "N/A", Expected: dockerversion.InitCommitID},
+			invalid: true,
+		}, {
+			version: "hello world",
+			result:  types.Commit{ID: "N/A", Expected: dockerversion.InitCommitID},
+			invalid: true,
+		},
+	}
+
+	for _, test := range tests {
+		ver, err := parseInitVersion(string(test.version))
+		if test.invalid {
+			assert.Check(t, is.ErrorContains(err, ""))
+		} else {
+			assert.Check(t, err)
+		}
+		assert.Check(t, is.DeepEqual(test.result, ver))
+	}
+}
diff --git a/engine/daemon/info_windows.go b/engine/daemon/info_windows.go
new file mode 100644
index 00000000..e452369f
--- /dev/null
+++ b/engine/daemon/info_windows.go
@@ -0,0 +1,10 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/sysinfo"
+)
+
+// FillPlatformInfo fills the platform related info.
+func (daemon *Daemon) FillPlatformInfo(v *types.Info, sysInfo *sysinfo.SysInfo) {
+}
diff --git a/engine/daemon/initlayer/setup_unix.go b/engine/daemon/initlayer/setup_unix.go
new file mode 100644
index 00000000..035f6207
--- /dev/null
+++ b/engine/daemon/initlayer/setup_unix.go
@@ -0,0 +1,73 @@
+// +build linux freebsd
+
+package initlayer // import "github.com/docker/docker/daemon/initlayer"
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"golang.org/x/sys/unix"
+)
+
+// Setup populates a directory with mountpoints suitable
+// for bind-mounting things into the container.
+//
+// This extra layer is used by all containers as the top-most ro layer. It protects
+// the container from unwanted side-effects on the rw layer.
+func Setup(initLayerFs containerfs.ContainerFS, rootIDs idtools.IDPair) error {
+	// Since all paths are local to the container, we can just extract initLayerFs.Path()
+	initLayer := initLayerFs.Path()
+
+	for pth, typ := range map[string]string{
+		"/dev/pts":         "dir",
+		"/dev/shm":         "dir",
+		"/proc":            "dir",
+		"/sys":             "dir",
+		"/.dockerenv":      "file",
+		"/etc/resolv.conf": "file",
+		"/etc/hosts":       "file",
+		"/etc/hostname":    "file",
+		"/dev/console":     "file",
+		"/etc/mtab":        "/proc/mounts",
+	} {
+		parts := strings.Split(pth, "/")
+		prev := "/"
+		for _, p := range parts[1:] {
+			prev = filepath.Join(prev, p)
+			unix.Unlink(filepath.Join(initLayer, prev))
+		}
+
+		if _, err := os.Stat(filepath.Join(initLayer, pth)); err != nil {
+			if os.IsNotExist(err) {
+				if err := idtools.MkdirAllAndChownNew(filepath.Join(initLayer, filepath.Dir(pth)), 0755, rootIDs); err != nil {
+					return err
+				}
+				switch typ {
+				case "dir":
+					if err := idtools.MkdirAllAndChownNew(filepath.Join(initLayer, pth), 0755, rootIDs); err != nil {
+						return err
+					}
+				case "file":
+					f, err := os.OpenFile(filepath.Join(initLayer, pth), os.O_CREATE, 0755)
+					if err != nil {
+						return err
+					}
+					f.Chown(rootIDs.UID, rootIDs.GID)
+					f.Close()
+				default:
+					if err := os.Symlink(typ, filepath.Join(initLayer, pth)); err != nil {
+						return err
+					}
+				}
+			} else {
+				return err
+			}
+		}
+	}
+
+	// Layer is ready to use, if it wasn't before.
+	return nil
+}
diff --git a/engine/daemon/initlayer/setup_windows.go b/engine/daemon/initlayer/setup_windows.go
new file mode 100644
index 00000000..1032092e
--- /dev/null
+++ b/engine/daemon/initlayer/setup_windows.go
@@ -0,0 +1,16 @@
+package initlayer // import "github.com/docker/docker/daemon/initlayer"
+
+import (
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+)
+
+// Setup populates a directory with mountpoints suitable
+// for bind-mounting dockerinit into the container. The mountpoint is simply an
+// empty file at /.dockerinit
+//
+// This extra layer is used by all containers as the top-most ro layer. It protects
+// the container from unwanted side-effects on the rw layer.
+func Setup(initLayer containerfs.ContainerFS, rootIDs idtools.IDPair) error {
+	return nil
+}
diff --git a/engine/daemon/inspect.go b/engine/daemon/inspect.go
new file mode 100644
index 00000000..45a21542
--- /dev/null
+++ b/engine/daemon/inspect.go
@@ -0,0 +1,273 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/api/types/versions/v1p20"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/network"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/go-connections/nat"
+)
+
+// ContainerInspect returns low-level information about a
+// container. Returns an error if the container cannot be found, or if
+// there is an error getting the data.
+func (daemon *Daemon) ContainerInspect(name string, size bool, version string) (interface{}, error) {
+	switch {
+	case versions.LessThan(version, "1.20"):
+		return daemon.containerInspectPre120(name)
+	case versions.Equal(version, "1.20"):
+		return daemon.containerInspect120(name)
+	}
+	return daemon.ContainerInspectCurrent(name, size)
+}
+
+// ContainerInspectCurrent returns low-level information about a
+// container in a most recent api version.
+func (daemon *Daemon) ContainerInspectCurrent(name string, size bool) (*types.ContainerJSON, error) {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	container.Lock()
+
+	base, err := daemon.getInspectData(container)
+	if err != nil {
+		container.Unlock()
+		return nil, err
+	}
+
+	apiNetworks := make(map[string]*networktypes.EndpointSettings)
+	for name, epConf := range container.NetworkSettings.Networks {
+		if epConf.EndpointSettings != nil {
+			// We must make a copy of this pointer object otherwise it can race with other operations
+			apiNetworks[name] = epConf.EndpointSettings.Copy()
+		}
+	}
+
+	mountPoints := container.GetMountPoints()
+	networkSettings := &types.NetworkSettings{
+		NetworkSettingsBase: types.NetworkSettingsBase{
+			Bridge:                 container.NetworkSettings.Bridge,
+			SandboxID:              container.NetworkSettings.SandboxID,
+			HairpinMode:            container.NetworkSettings.HairpinMode,
+			LinkLocalIPv6Address:   container.NetworkSettings.LinkLocalIPv6Address,
+			LinkLocalIPv6PrefixLen: container.NetworkSettings.LinkLocalIPv6PrefixLen,
+			SandboxKey:             container.NetworkSettings.SandboxKey,
+			SecondaryIPAddresses:   container.NetworkSettings.SecondaryIPAddresses,
+			SecondaryIPv6Addresses: container.NetworkSettings.SecondaryIPv6Addresses,
+		},
+		DefaultNetworkSettings: daemon.getDefaultNetworkSettings(container.NetworkSettings.Networks),
+		Networks:               apiNetworks,
+	}
+
+	ports := make(nat.PortMap, len(container.NetworkSettings.Ports))
+	for k, pm := range container.NetworkSettings.Ports {
+		ports[k] = pm
+	}
+	networkSettings.NetworkSettingsBase.Ports = ports
+
+	container.Unlock()
+
+	if size {
+		sizeRw, sizeRootFs := daemon.imageService.GetContainerLayerSize(base.ID)
+		base.SizeRw = &sizeRw
+		base.SizeRootFs = &sizeRootFs
+	}
+
+	return &types.ContainerJSON{
+		ContainerJSONBase: base,
+		Mounts:            mountPoints,
+		Config:            container.Config,
+		NetworkSettings:   networkSettings,
+	}, nil
+}
+
+// containerInspect120 serializes the master version of a container into a json type.
+func (daemon *Daemon) containerInspect120(name string) (*v1p20.ContainerJSON, error) {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	container.Lock()
+	defer container.Unlock()
+
+	base, err := daemon.getInspectData(container)
+	if err != nil {
+		return nil, err
+	}
+
+	mountPoints := container.GetMountPoints()
+	config := &v1p20.ContainerConfig{
+		Config:          container.Config,
+		MacAddress:      container.Config.MacAddress,
+		NetworkDisabled: container.Config.NetworkDisabled,
+		ExposedPorts:    container.Config.ExposedPorts,
+		VolumeDriver:    container.HostConfig.VolumeDriver,
+	}
+	networkSettings := daemon.getBackwardsCompatibleNetworkSettings(container.NetworkSettings)
+
+	return &v1p20.ContainerJSON{
+		ContainerJSONBase: base,
+		Mounts:            mountPoints,
+		Config:            config,
+		NetworkSettings:   networkSettings,
+	}, nil
+}
+
+func (daemon *Daemon) getInspectData(container *container.Container) (*types.ContainerJSONBase, error) {
+	// make a copy to play with
+	hostConfig := *container.HostConfig
+
+	children := daemon.children(container)
+	hostConfig.Links = nil // do not expose the internal structure
+	for linkAlias, child := range children {
+		hostConfig.Links = append(hostConfig.Links, fmt.Sprintf("%s:%s", child.Name, linkAlias))
+	}
+
+	// We merge the Ulimits from hostConfig with daemon default
+	daemon.mergeUlimits(&hostConfig)
+
+	var containerHealth *types.Health
+	if container.State.Health != nil {
+		containerHealth = &types.Health{
+			Status:        container.State.Health.Status(),
+			FailingStreak: container.State.Health.FailingStreak,
+			Log:           append([]*types.HealthcheckResult{}, container.State.Health.Log...),
+		}
+	}
+
+	containerState := &types.ContainerState{
+		Status:     container.State.StateString(),
+		Running:    container.State.Running,
+		Paused:     container.State.Paused,
+		Restarting: container.State.Restarting,
+		OOMKilled:  container.State.OOMKilled,
+		Dead:       container.State.Dead,
+		Pid:        container.State.Pid,
+		ExitCode:   container.State.ExitCode(),
+		Error:      container.State.ErrorMsg,
+		StartedAt:  container.State.StartedAt.Format(time.RFC3339Nano),
+		FinishedAt: container.State.FinishedAt.Format(time.RFC3339Nano),
+		Health:     containerHealth,
+	}
+
+	contJSONBase := &types.ContainerJSONBase{
+		ID:           container.ID,
+		Created:      container.Created.Format(time.RFC3339Nano),
+		Path:         container.Path,
+		Args:         container.Args,
+		State:        containerState,
+		Image:        container.ImageID.String(),
+		LogPath:      container.LogPath,
+		Name:         container.Name,
+		RestartCount: container.RestartCount,
+		Driver:       container.Driver,
+		Platform:     container.OS,
+		MountLabel:   container.MountLabel,
+		ProcessLabel: container.ProcessLabel,
+		ExecIDs:      container.GetExecIDs(),
+		HostConfig:   &hostConfig,
+	}
+
+	// Now set any platform-specific fields
+	contJSONBase = setPlatformSpecificContainerFields(container, contJSONBase)
+
+	contJSONBase.GraphDriver.Name = container.Driver
+
+	if container.RWLayer == nil {
+		if container.Dead {
+			return contJSONBase, nil
+		}
+		return nil, errdefs.System(errors.New("RWLayer of container " + container.ID + " is unexpectedly nil"))
+	}
+
+	graphDriverData, err := container.RWLayer.Metadata()
+	// If container is marked as Dead, the container's graphdriver metadata
+	// could have been removed, it will cause error if we try to get the metadata,
+	// we can ignore the error if the container is dead.
+	if err != nil {
+		if !container.Dead {
+			return nil, errdefs.System(err)
+		}
+	} else {
+		contJSONBase.GraphDriver.Data = graphDriverData
+	}
+
+	return contJSONBase, nil
+}
+
+// ContainerExecInspect returns low-level information about the exec
+// command. An error is returned if the exec cannot be found.
+func (daemon *Daemon) ContainerExecInspect(id string) (*backend.ExecInspect, error) {
+	e := daemon.execCommands.Get(id)
+	if e == nil {
+		return nil, errExecNotFound(id)
+	}
+
+	if container := daemon.containers.Get(e.ContainerID); container == nil {
+		return nil, errExecNotFound(id)
+	}
+
+	pc := inspectExecProcessConfig(e)
+
+	return &backend.ExecInspect{
+		ID:            e.ID,
+		Running:       e.Running,
+		ExitCode:      e.ExitCode,
+		ProcessConfig: pc,
+		OpenStdin:     e.OpenStdin,
+		OpenStdout:    e.OpenStdout,
+		OpenStderr:    e.OpenStderr,
+		CanRemove:     e.CanRemove,
+		ContainerID:   e.ContainerID,
+		DetachKeys:    e.DetachKeys,
+		Pid:           e.Pid,
+	}, nil
+}
+
+func (daemon *Daemon) getBackwardsCompatibleNetworkSettings(settings *network.Settings) *v1p20.NetworkSettings {
+	result := &v1p20.NetworkSettings{
+		NetworkSettingsBase: types.NetworkSettingsBase{
+			Bridge:                 settings.Bridge,
+			SandboxID:              settings.SandboxID,
+			HairpinMode:            settings.HairpinMode,
+			LinkLocalIPv6Address:   settings.LinkLocalIPv6Address,
+			LinkLocalIPv6PrefixLen: settings.LinkLocalIPv6PrefixLen,
+			Ports:                  settings.Ports,
+			SandboxKey:             settings.SandboxKey,
+			SecondaryIPAddresses:   settings.SecondaryIPAddresses,
+			SecondaryIPv6Addresses: settings.SecondaryIPv6Addresses,
+		},
+		DefaultNetworkSettings: daemon.getDefaultNetworkSettings(settings.Networks),
+	}
+
+	return result
+}
+
+// getDefaultNetworkSettings creates the deprecated structure that holds the information
+// about the bridge network for a container.
+func (daemon *Daemon) getDefaultNetworkSettings(networks map[string]*network.EndpointSettings) types.DefaultNetworkSettings {
+	var settings types.DefaultNetworkSettings
+
+	if defaultNetwork, ok := networks["bridge"]; ok && defaultNetwork.EndpointSettings != nil {
+		settings.EndpointID = defaultNetwork.EndpointID
+		settings.Gateway = defaultNetwork.Gateway
+		settings.GlobalIPv6Address = defaultNetwork.GlobalIPv6Address
+		settings.GlobalIPv6PrefixLen = defaultNetwork.GlobalIPv6PrefixLen
+		settings.IPAddress = defaultNetwork.IPAddress
+		settings.IPPrefixLen = defaultNetwork.IPPrefixLen
+		settings.IPv6Gateway = defaultNetwork.IPv6Gateway
+		settings.MacAddress = defaultNetwork.MacAddress
+	}
+	return settings
+}
diff --git a/engine/daemon/inspect_linux.go b/engine/daemon/inspect_linux.go
new file mode 100644
index 00000000..77a4c44d
--- /dev/null
+++ b/engine/daemon/inspect_linux.go
@@ -0,0 +1,73 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/versions/v1p19"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/exec"
+)
+
+// This sets platform-specific fields
+func setPlatformSpecificContainerFields(container *container.Container, contJSONBase *types.ContainerJSONBase) *types.ContainerJSONBase {
+	contJSONBase.AppArmorProfile = container.AppArmorProfile
+	contJSONBase.ResolvConfPath = container.ResolvConfPath
+	contJSONBase.HostnamePath = container.HostnamePath
+	contJSONBase.HostsPath = container.HostsPath
+
+	return contJSONBase
+}
+
+// containerInspectPre120 gets containers for pre 1.20 APIs.
+func (daemon *Daemon) containerInspectPre120(name string) (*v1p19.ContainerJSON, error) {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	container.Lock()
+	defer container.Unlock()
+
+	base, err := daemon.getInspectData(container)
+	if err != nil {
+		return nil, err
+	}
+
+	volumes := make(map[string]string)
+	volumesRW := make(map[string]bool)
+	for _, m := range container.MountPoints {
+		volumes[m.Destination] = m.Path()
+		volumesRW[m.Destination] = m.RW
+	}
+
+	config := &v1p19.ContainerConfig{
+		Config:          container.Config,
+		MacAddress:      container.Config.MacAddress,
+		NetworkDisabled: container.Config.NetworkDisabled,
+		ExposedPorts:    container.Config.ExposedPorts,
+		VolumeDriver:    container.HostConfig.VolumeDriver,
+		Memory:          container.HostConfig.Memory,
+		MemorySwap:      container.HostConfig.MemorySwap,
+		CPUShares:       container.HostConfig.CPUShares,
+		CPUSet:          container.HostConfig.CpusetCpus,
+	}
+	networkSettings := daemon.getBackwardsCompatibleNetworkSettings(container.NetworkSettings)
+
+	return &v1p19.ContainerJSON{
+		ContainerJSONBase: base,
+		Volumes:           volumes,
+		VolumesRW:         volumesRW,
+		Config:            config,
+		NetworkSettings:   networkSettings,
+	}, nil
+}
+
+func inspectExecProcessConfig(e *exec.Config) *backend.ExecProcessConfig {
+	return &backend.ExecProcessConfig{
+		Tty:        e.Tty,
+		Entrypoint: e.Entrypoint,
+		Arguments:  e.Args,
+		Privileged: &e.Privileged,
+		User:       e.User,
+	}
+}
diff --git a/engine/daemon/inspect_test.go b/engine/daemon/inspect_test.go
new file mode 100644
index 00000000..f402a7af
--- /dev/null
+++ b/engine/daemon/inspect_test.go
@@ -0,0 +1,33 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"testing"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/daemon/exec"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestGetInspectData(t *testing.T) {
+	c := &container.Container{
+		ID:           "inspect-me",
+		HostConfig:   &containertypes.HostConfig{},
+		State:        container.NewState(),
+		ExecCommands: exec.NewStore(),
+	}
+
+	d := &Daemon{
+		linkIndex:   newLinkIndex(),
+		configStore: &config.Config{},
+	}
+
+	_, err := d.getInspectData(c)
+	assert.Check(t, is.ErrorContains(err, ""))
+
+	c.Dead = true
+	_, err = d.getInspectData(c)
+	assert.Check(t, err)
+}
diff --git a/engine/daemon/inspect_windows.go b/engine/daemon/inspect_windows.go
new file mode 100644
index 00000000..12fda670
--- /dev/null
+++ b/engine/daemon/inspect_windows.go
@@ -0,0 +1,26 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/exec"
+)
+
+// This sets platform-specific fields
+func setPlatformSpecificContainerFields(container *container.Container, contJSONBase *types.ContainerJSONBase) *types.ContainerJSONBase {
+	return contJSONBase
+}
+
+// containerInspectPre120 get containers for pre 1.20 APIs.
+func (daemon *Daemon) containerInspectPre120(name string) (*types.ContainerJSON, error) {
+	return daemon.ContainerInspectCurrent(name, false)
+}
+
+func inspectExecProcessConfig(e *exec.Config) *backend.ExecProcessConfig {
+	return &backend.ExecProcessConfig{
+		Tty:        e.Tty,
+		Entrypoint: e.Entrypoint,
+		Arguments:  e.Args,
+	}
+}
diff --git a/engine/daemon/keys.go b/engine/daemon/keys.go
new file mode 100644
index 00000000..946eaaab
--- /dev/null
+++ b/engine/daemon/keys.go
@@ -0,0 +1,59 @@
+// +build linux
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strconv"
+	"strings"
+)
+
+const (
+	rootKeyFile   = "/proc/sys/kernel/keys/root_maxkeys"
+	rootBytesFile = "/proc/sys/kernel/keys/root_maxbytes"
+	rootKeyLimit  = 1000000
+	// it is standard configuration to allocate 25 bytes per key
+	rootKeyByteMultiplier = 25
+)
+
+// ModifyRootKeyLimit checks to see if the root key limit is set to
+// at least 1000000 and changes it to that limit along with the maxbytes
+// allocated to the keys at a 25 to 1 multiplier.
+func ModifyRootKeyLimit() error {
+	value, err := readRootKeyLimit(rootKeyFile)
+	if err != nil {
+		return err
+	}
+	if value < rootKeyLimit {
+		return setRootKeyLimit(rootKeyLimit)
+	}
+	return nil
+}
+
+func setRootKeyLimit(limit int) error {
+	keys, err := os.OpenFile(rootKeyFile, os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	defer keys.Close()
+	if _, err := fmt.Fprintf(keys, "%d", limit); err != nil {
+		return err
+	}
+	bytes, err := os.OpenFile(rootBytesFile, os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	defer bytes.Close()
+	_, err = fmt.Fprintf(bytes, "%d", limit*rootKeyByteMultiplier)
+	return err
+}
+
+func readRootKeyLimit(path string) (int, error) {
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		return -1, err
+	}
+	return strconv.Atoi(strings.Trim(string(data), "\n"))
+}
diff --git a/engine/daemon/keys_unsupported.go b/engine/daemon/keys_unsupported.go
new file mode 100644
index 00000000..2ccdb576
--- /dev/null
+++ b/engine/daemon/keys_unsupported.go
@@ -0,0 +1,8 @@
+// +build !linux
+
+package daemon // import "github.com/docker/docker/daemon"
+
+// ModifyRootKeyLimit is a noop on unsupported platforms.
+func ModifyRootKeyLimit() error {
+	return nil
+}
diff --git a/engine/daemon/kill.go b/engine/daemon/kill.go
new file mode 100644
index 00000000..5034c4df
--- /dev/null
+++ b/engine/daemon/kill.go
@@ -0,0 +1,180 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"runtime"
+	"syscall"
+	"time"
+
+	containerpkg "github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/libcontainerd"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type errNoSuchProcess struct {
+	pid    int
+	signal int
+}
+
+func (e errNoSuchProcess) Error() string {
+	return fmt.Sprintf("Cannot kill process (pid=%d) with signal %d: no such process.", e.pid, e.signal)
+}
+
+func (errNoSuchProcess) NotFound() {}
+
+// isErrNoSuchProcess returns true if the error
+// is an instance of errNoSuchProcess.
+func isErrNoSuchProcess(err error) bool {
+	_, ok := err.(errNoSuchProcess)
+	return ok
+}
+
+// ContainerKill sends signal to the container
+// If no signal is given (sig 0), then Kill with SIGKILL and wait
+// for the container to exit.
+// If a signal is given, then just send it to the container and return.
+func (daemon *Daemon) ContainerKill(name string, sig uint64) error {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+
+	if sig != 0 && !signal.ValidSignalForPlatform(syscall.Signal(sig)) {
+		return fmt.Errorf("The %s daemon does not support signal %d", runtime.GOOS, sig)
+	}
+
+	// If no signal is passed, or SIGKILL, perform regular Kill (SIGKILL + wait())
+	if sig == 0 || syscall.Signal(sig) == syscall.SIGKILL {
+		return daemon.Kill(container)
+	}
+	return daemon.killWithSignal(container, int(sig))
+}
+
+// killWithSignal sends the container the given signal. This wrapper for the
+// host specific kill command prepares the container before attempting
+// to send the signal. An error is returned if the container is paused
+// or not running, or if there is a problem returned from the
+// underlying kill command.
+func (daemon *Daemon) killWithSignal(container *containerpkg.Container, sig int) error {
+	logrus.Debugf("Sending kill signal %d to container %s", sig, container.ID)
+	container.Lock()
+	defer container.Unlock()
+
+	daemon.stopHealthchecks(container)
+
+	if !container.Running {
+		return errNotRunning(container.ID)
+	}
+
+	var unpause bool
+	if container.Config.StopSignal != "" && syscall.Signal(sig) != syscall.SIGKILL {
+		containerStopSignal, err := signal.ParseSignal(container.Config.StopSignal)
+		if err != nil {
+			return err
+		}
+		if containerStopSignal == syscall.Signal(sig) {
+			container.ExitOnNext()
+			unpause = container.Paused
+		}
+	} else {
+		container.ExitOnNext()
+		unpause = container.Paused
+	}
+
+	if !daemon.IsShuttingDown() {
+		container.HasBeenManuallyStopped = true
+	}
+
+	// if the container is currently restarting we do not need to send the signal
+	// to the process. Telling the monitor that it should exit on its next event
+	// loop is enough
+	if container.Restarting {
+		return nil
+	}
+
+	if err := daemon.kill(container, sig); err != nil {
+		if errdefs.IsNotFound(err) {
+			unpause = false
+			logrus.WithError(err).WithField("container", container.ID).WithField("action", "kill").Debug("container kill failed because of 'container not found' or 'no such process'")
+		} else {
+			return errors.Wrapf(err, "Cannot kill container %s", container.ID)
+		}
+	}
+
+	if unpause {
+		// above kill signal will be sent once resume is finished
+		if err := daemon.containerd.Resume(context.Background(), container.ID); err != nil {
+			logrus.Warn("Cannot unpause container %s: %s", container.ID, err)
+		}
+	}
+
+	attributes := map[string]string{
+		"signal": fmt.Sprintf("%d", sig),
+	}
+	daemon.LogContainerEventWithAttributes(container, "kill", attributes)
+	return nil
+}
+
+// Kill forcefully terminates a container.
+func (daemon *Daemon) Kill(container *containerpkg.Container) error {
+	if !container.IsRunning() {
+		return errNotRunning(container.ID)
+	}
+
+	// 1. Send SIGKILL
+	if err := daemon.killPossiblyDeadProcess(container, int(syscall.SIGKILL)); err != nil {
+		// While normally we might "return err" here we're not going to
+		// because if we can't stop the container by this point then
+		// it's probably because it's already stopped. Meaning, between
+		// the time of the IsRunning() call above and now it stopped.
+		// Also, since the err return will be environment specific we can't
+		// look for any particular (common) error that would indicate
+		// that the process is already dead vs something else going wrong.
+		// So, instead we'll give it up to 2 more seconds to complete and if
+		// by that time the container is still running, then the error
+		// we got is probably valid and so we return it to the caller.
+		if isErrNoSuchProcess(err) {
+			return nil
+		}
+
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+
+		if status := <-container.Wait(ctx, containerpkg.WaitConditionNotRunning); status.Err() != nil {
+			return err
+		}
+	}
+
+	// 2. Wait for the process to die, in last resort, try to kill the process directly
+	if err := killProcessDirectly(container); err != nil {
+		if isErrNoSuchProcess(err) {
+			return nil
+		}
+		return err
+	}
+
+	// Wait for exit with no timeout.
+	// Ignore returned status.
+	<-container.Wait(context.Background(), containerpkg.WaitConditionNotRunning)
+
+	return nil
+}
+
+// killPossibleDeadProcess is a wrapper around killSig() suppressing "no such process" error.
+func (daemon *Daemon) killPossiblyDeadProcess(container *containerpkg.Container, sig int) error {
+	err := daemon.killWithSignal(container, sig)
+	if errdefs.IsNotFound(err) {
+		e := errNoSuchProcess{container.GetPID(), sig}
+		logrus.Debug(e)
+		return e
+	}
+	return err
+}
+
+func (daemon *Daemon) kill(c *containerpkg.Container, sig int) error {
+	return daemon.containerd.SignalProcess(context.Background(), c.ID, libcontainerd.InitProcessName, sig)
+}
diff --git a/engine/daemon/links.go b/engine/daemon/links.go
new file mode 100644
index 00000000..1639572f
--- /dev/null
+++ b/engine/daemon/links.go
@@ -0,0 +1,91 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"sync"
+
+	"github.com/docker/docker/container"
+)
+
+// linkIndex stores link relationships between containers, including their specified alias
+// The alias is the name the parent uses to reference the child
+type linkIndex struct {
+	// idx maps a parent->alias->child relationship
+	idx map[*container.Container]map[string]*container.Container
+	// childIdx maps  child->parent->aliases
+	childIdx map[*container.Container]map[*container.Container]map[string]struct{}
+	mu       sync.Mutex
+}
+
+func newLinkIndex() *linkIndex {
+	return &linkIndex{
+		idx:      make(map[*container.Container]map[string]*container.Container),
+		childIdx: make(map[*container.Container]map[*container.Container]map[string]struct{}),
+	}
+}
+
+// link adds indexes for the passed in parent/child/alias relationships
+func (l *linkIndex) link(parent, child *container.Container, alias string) {
+	l.mu.Lock()
+
+	if l.idx[parent] == nil {
+		l.idx[parent] = make(map[string]*container.Container)
+	}
+	l.idx[parent][alias] = child
+	if l.childIdx[child] == nil {
+		l.childIdx[child] = make(map[*container.Container]map[string]struct{})
+	}
+	if l.childIdx[child][parent] == nil {
+		l.childIdx[child][parent] = make(map[string]struct{})
+	}
+	l.childIdx[child][parent][alias] = struct{}{}
+
+	l.mu.Unlock()
+}
+
+// unlink removes the requested alias for the given parent/child
+func (l *linkIndex) unlink(alias string, child, parent *container.Container) {
+	l.mu.Lock()
+	delete(l.idx[parent], alias)
+	delete(l.childIdx[child], parent)
+	l.mu.Unlock()
+}
+
+// children maps all the aliases-> children for the passed in parent
+// aliases here are the aliases the parent uses to refer to the child
+func (l *linkIndex) children(parent *container.Container) map[string]*container.Container {
+	l.mu.Lock()
+	children := l.idx[parent]
+	l.mu.Unlock()
+	return children
+}
+
+// parents maps all the aliases->parent for the passed in child
+// aliases here are the aliases the parents use to refer to the child
+func (l *linkIndex) parents(child *container.Container) map[string]*container.Container {
+	l.mu.Lock()
+
+	parents := make(map[string]*container.Container)
+	for parent, aliases := range l.childIdx[child] {
+		for alias := range aliases {
+			parents[alias] = parent
+		}
+	}
+
+	l.mu.Unlock()
+	return parents
+}
+
+// delete deletes all link relationships referencing this container
+func (l *linkIndex) delete(container *container.Container) []string {
+	l.mu.Lock()
+
+	var aliases []string
+	for alias, child := range l.idx[container] {
+		aliases = append(aliases, alias)
+		delete(l.childIdx[child], container)
+	}
+	delete(l.idx, container)
+	delete(l.childIdx, container)
+	l.mu.Unlock()
+	return aliases
+}
diff --git a/engine/daemon/links/links.go b/engine/daemon/links/links.go
new file mode 100644
index 00000000..2bcb4832
--- /dev/null
+++ b/engine/daemon/links/links.go
@@ -0,0 +1,141 @@
+package links // import "github.com/docker/docker/daemon/links"
+
+import (
+	"fmt"
+	"path"
+	"strings"
+
+	"github.com/docker/go-connections/nat"
+)
+
+// Link struct holds informations about parent/child linked container
+type Link struct {
+	// Parent container IP address
+	ParentIP string
+	// Child container IP address
+	ChildIP string
+	// Link name
+	Name string
+	// Child environments variables
+	ChildEnvironment []string
+	// Child exposed ports
+	Ports []nat.Port
+}
+
+// NewLink initializes a new Link struct with the provided options.
+func NewLink(parentIP, childIP, name string, env []string, exposedPorts map[nat.Port]struct{}) *Link {
+	var (
+		i     int
+		ports = make([]nat.Port, len(exposedPorts))
+	)
+
+	for p := range exposedPorts {
+		ports[i] = p
+		i++
+	}
+
+	return &Link{
+		Name:             name,
+		ChildIP:          childIP,
+		ParentIP:         parentIP,
+		ChildEnvironment: env,
+		Ports:            ports,
+	}
+}
+
+// ToEnv creates a string's slice containing child container informations in
+// the form of environment variables which will be later exported on container
+// startup.
+func (l *Link) ToEnv() []string {
+	env := []string{}
+
+	_, n := path.Split(l.Name)
+	alias := strings.Replace(strings.ToUpper(n), "-", "_", -1)
+
+	if p := l.getDefaultPort(); p != nil {
+		env = append(env, fmt.Sprintf("%s_PORT=%s://%s:%s", alias, p.Proto(), l.ChildIP, p.Port()))
+	}
+
+	//sort the ports so that we can bulk the continuous ports together
+	nat.Sort(l.Ports, func(ip, jp nat.Port) bool {
+		// If the two ports have the same number, tcp takes priority
+		// Sort in desc order
+		return ip.Int() < jp.Int() || (ip.Int() == jp.Int() && strings.ToLower(ip.Proto()) == "tcp")
+	})
+
+	for i := 0; i < len(l.Ports); {
+		p := l.Ports[i]
+		j := nextContiguous(l.Ports, p.Int(), i)
+		if j > i+1 {
+			env = append(env, fmt.Sprintf("%s_PORT_%s_%s_START=%s://%s:%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Proto(), l.ChildIP, p.Port()))
+			env = append(env, fmt.Sprintf("%s_PORT_%s_%s_ADDR=%s", alias, p.Port(), strings.ToUpper(p.Proto()), l.ChildIP))
+			env = append(env, fmt.Sprintf("%s_PORT_%s_%s_PROTO=%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Proto()))
+			env = append(env, fmt.Sprintf("%s_PORT_%s_%s_PORT_START=%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Port()))
+
+			q := l.Ports[j]
+			env = append(env, fmt.Sprintf("%s_PORT_%s_%s_END=%s://%s:%s", alias, p.Port(), strings.ToUpper(q.Proto()), q.Proto(), l.ChildIP, q.Port()))
+			env = append(env, fmt.Sprintf("%s_PORT_%s_%s_PORT_END=%s", alias, p.Port(), strings.ToUpper(q.Proto()), q.Port()))
+
+			i = j + 1
+			continue
+		} else {
+			i++
+		}
+	}
+	for _, p := range l.Ports {
+		env = append(env, fmt.Sprintf("%s_PORT_%s_%s=%s://%s:%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Proto(), l.ChildIP, p.Port()))
+		env = append(env, fmt.Sprintf("%s_PORT_%s_%s_ADDR=%s", alias, p.Port(), strings.ToUpper(p.Proto()), l.ChildIP))
+		env = append(env, fmt.Sprintf("%s_PORT_%s_%s_PORT=%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Port()))
+		env = append(env, fmt.Sprintf("%s_PORT_%s_%s_PROTO=%s", alias, p.Port(), strings.ToUpper(p.Proto()), p.Proto()))
+	}
+
+	// Load the linked container's name into the environment
+	env = append(env, fmt.Sprintf("%s_NAME=%s", alias, l.Name))
+
+	if l.ChildEnvironment != nil {
+		for _, v := range l.ChildEnvironment {
+			parts := strings.SplitN(v, "=", 2)
+			if len(parts) < 2 {
+				continue
+			}
+			// Ignore a few variables that are added during docker build (and not really relevant to linked containers)
+			if parts[0] == "HOME" || parts[0] == "PATH" {
+				continue
+			}
+			env = append(env, fmt.Sprintf("%s_ENV_%s=%s", alias, parts[0], parts[1]))
+		}
+	}
+	return env
+}
+
+func nextContiguous(ports []nat.Port, value int, index int) int {
+	if index+1 == len(ports) {
+		return index
+	}
+	for i := index + 1; i < len(ports); i++ {
+		if ports[i].Int() > value+1 {
+			return i - 1
+		}
+
+		value++
+	}
+	return len(ports) - 1
+}
+
+// Default port rules
+func (l *Link) getDefaultPort() *nat.Port {
+	var p nat.Port
+	i := len(l.Ports)
+
+	if i == 0 {
+		return nil
+	} else if i > 1 {
+		nat.Sort(l.Ports, func(ip, jp nat.Port) bool {
+			// If the two ports have the same number, tcp takes priority
+			// Sort in desc order
+			return ip.Int() < jp.Int() || (ip.Int() == jp.Int() && strings.ToLower(ip.Proto()) == "tcp")
+		})
+	}
+	p = l.Ports[0]
+	return &p
+}
diff --git a/engine/daemon/links/links_test.go b/engine/daemon/links/links_test.go
new file mode 100644
index 00000000..e1b36dbb
--- /dev/null
+++ b/engine/daemon/links/links_test.go
@@ -0,0 +1,213 @@
+package links // import "github.com/docker/docker/daemon/links"
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/docker/go-connections/nat"
+)
+
+// Just to make life easier
+func newPortNoError(proto, port string) nat.Port {
+	p, _ := nat.NewPort(proto, port)
+	return p
+}
+
+func TestLinkNaming(t *testing.T) {
+	ports := make(nat.PortSet)
+	ports[newPortNoError("tcp", "6379")] = struct{}{}
+
+	link := NewLink("172.0.17.3", "172.0.17.2", "/db/docker-1", nil, ports)
+
+	rawEnv := link.ToEnv()
+	env := make(map[string]string, len(rawEnv))
+	for _, e := range rawEnv {
+		parts := strings.Split(e, "=")
+		if len(parts) != 2 {
+			t.FailNow()
+		}
+		env[parts[0]] = parts[1]
+	}
+
+	value, ok := env["DOCKER_1_PORT"]
+
+	if !ok {
+		t.Fatal("DOCKER_1_PORT not found in env")
+	}
+
+	if value != "tcp://172.0.17.2:6379" {
+		t.Fatalf("Expected 172.0.17.2:6379, got %s", env["DOCKER_1_PORT"])
+	}
+}
+
+func TestLinkNew(t *testing.T) {
+	ports := make(nat.PortSet)
+	ports[newPortNoError("tcp", "6379")] = struct{}{}
+
+	link := NewLink("172.0.17.3", "172.0.17.2", "/db/docker", nil, ports)
+
+	if link.Name != "/db/docker" {
+		t.Fail()
+	}
+	if link.ParentIP != "172.0.17.3" {
+		t.Fail()
+	}
+	if link.ChildIP != "172.0.17.2" {
+		t.Fail()
+	}
+	for _, p := range link.Ports {
+		if p != newPortNoError("tcp", "6379") {
+			t.Fail()
+		}
+	}
+}
+
+func TestLinkEnv(t *testing.T) {
+	ports := make(nat.PortSet)
+	ports[newPortNoError("tcp", "6379")] = struct{}{}
+
+	link := NewLink("172.0.17.3", "172.0.17.2", "/db/docker", []string{"PASSWORD=gordon"}, ports)
+
+	rawEnv := link.ToEnv()
+	env := make(map[string]string, len(rawEnv))
+	for _, e := range rawEnv {
+		parts := strings.Split(e, "=")
+		if len(parts) != 2 {
+			t.FailNow()
+		}
+		env[parts[0]] = parts[1]
+	}
+	if env["DOCKER_PORT"] != "tcp://172.0.17.2:6379" {
+		t.Fatalf("Expected 172.0.17.2:6379, got %s", env["DOCKER_PORT"])
+	}
+	if env["DOCKER_PORT_6379_TCP"] != "tcp://172.0.17.2:6379" {
+		t.Fatalf("Expected tcp://172.0.17.2:6379, got %s", env["DOCKER_PORT_6379_TCP"])
+	}
+	if env["DOCKER_PORT_6379_TCP_PROTO"] != "tcp" {
+		t.Fatalf("Expected tcp, got %s", env["DOCKER_PORT_6379_TCP_PROTO"])
+	}
+	if env["DOCKER_PORT_6379_TCP_ADDR"] != "172.0.17.2" {
+		t.Fatalf("Expected 172.0.17.2, got %s", env["DOCKER_PORT_6379_TCP_ADDR"])
+	}
+	if env["DOCKER_PORT_6379_TCP_PORT"] != "6379" {
+		t.Fatalf("Expected 6379, got %s", env["DOCKER_PORT_6379_TCP_PORT"])
+	}
+	if env["DOCKER_NAME"] != "/db/docker" {
+		t.Fatalf("Expected /db/docker, got %s", env["DOCKER_NAME"])
+	}
+	if env["DOCKER_ENV_PASSWORD"] != "gordon" {
+		t.Fatalf("Expected gordon, got %s", env["DOCKER_ENV_PASSWORD"])
+	}
+}
+
+func TestLinkMultipleEnv(t *testing.T) {
+	ports := make(nat.PortSet)
+	ports[newPortNoError("tcp", "6379")] = struct{}{}
+	ports[newPortNoError("tcp", "6380")] = struct{}{}
+	ports[newPortNoError("tcp", "6381")] = struct{}{}
+
+	link := NewLink("172.0.17.3", "172.0.17.2", "/db/docker", []string{"PASSWORD=gordon"}, ports)
+
+	rawEnv := link.ToEnv()
+	env := make(map[string]string, len(rawEnv))
+	for _, e := range rawEnv {
+		parts := strings.Split(e, "=")
+		if len(parts) != 2 {
+			t.FailNow()
+		}
+		env[parts[0]] = parts[1]
+	}
+	if env["DOCKER_PORT"] != "tcp://172.0.17.2:6379" {
+		t.Fatalf("Expected 172.0.17.2:6379, got %s", env["DOCKER_PORT"])
+	}
+	if env["DOCKER_PORT_6379_TCP_START"] != "tcp://172.0.17.2:6379" {
+		t.Fatalf("Expected tcp://172.0.17.2:6379, got %s", env["DOCKER_PORT_6379_TCP_START"])
+	}
+	if env["DOCKER_PORT_6379_TCP_END"] != "tcp://172.0.17.2:6381" {
+		t.Fatalf("Expected tcp://172.0.17.2:6381, got %s", env["DOCKER_PORT_6379_TCP_END"])
+	}
+	if env["DOCKER_PORT_6379_TCP_PROTO"] != "tcp" {
+		t.Fatalf("Expected tcp, got %s", env["DOCKER_PORT_6379_TCP_PROTO"])
+	}
+	if env["DOCKER_PORT_6379_TCP_ADDR"] != "172.0.17.2" {
+		t.Fatalf("Expected 172.0.17.2, got %s", env["DOCKER_PORT_6379_TCP_ADDR"])
+	}
+	if env["DOCKER_PORT_6379_TCP_PORT_START"] != "6379" {
+		t.Fatalf("Expected 6379, got %s", env["DOCKER_PORT_6379_TCP_PORT_START"])
+	}
+	if env["DOCKER_PORT_6379_TCP_PORT_END"] != "6381" {
+		t.Fatalf("Expected 6381, got %s", env["DOCKER_PORT_6379_TCP_PORT_END"])
+	}
+	if env["DOCKER_NAME"] != "/db/docker" {
+		t.Fatalf("Expected /db/docker, got %s", env["DOCKER_NAME"])
+	}
+	if env["DOCKER_ENV_PASSWORD"] != "gordon" {
+		t.Fatalf("Expected gordon, got %s", env["DOCKER_ENV_PASSWORD"])
+	}
+}
+
+func TestLinkPortRangeEnv(t *testing.T) {
+	ports := make(nat.PortSet)
+	ports[newPortNoError("tcp", "6379")] = struct{}{}
+	ports[newPortNoError("tcp", "6380")] = struct{}{}
+	ports[newPortNoError("tcp", "6381")] = struct{}{}
+
+	link := NewLink("172.0.17.3", "172.0.17.2", "/db/docker", []string{"PASSWORD=gordon"}, ports)
+
+	rawEnv := link.ToEnv()
+	env := make(map[string]string, len(rawEnv))
+	for _, e := range rawEnv {
+		parts := strings.Split(e, "=")
+		if len(parts) != 2 {
+			t.FailNow()
+		}
+		env[parts[0]] = parts[1]
+	}
+
+	if env["DOCKER_PORT"] != "tcp://172.0.17.2:6379" {
+		t.Fatalf("Expected 172.0.17.2:6379, got %s", env["DOCKER_PORT"])
+	}
+	if env["DOCKER_PORT_6379_TCP_START"] != "tcp://172.0.17.2:6379" {
+		t.Fatalf("Expected tcp://172.0.17.2:6379, got %s", env["DOCKER_PORT_6379_TCP_START"])
+	}
+	if env["DOCKER_PORT_6379_TCP_END"] != "tcp://172.0.17.2:6381" {
+		t.Fatalf("Expected tcp://172.0.17.2:6381, got %s", env["DOCKER_PORT_6379_TCP_END"])
+	}
+	if env["DOCKER_PORT_6379_TCP_PROTO"] != "tcp" {
+		t.Fatalf("Expected tcp, got %s", env["DOCKER_PORT_6379_TCP_PROTO"])
+	}
+	if env["DOCKER_PORT_6379_TCP_ADDR"] != "172.0.17.2" {
+		t.Fatalf("Expected 172.0.17.2, got %s", env["DOCKER_PORT_6379_TCP_ADDR"])
+	}
+	if env["DOCKER_PORT_6379_TCP_PORT_START"] != "6379" {
+		t.Fatalf("Expected 6379, got %s", env["DOCKER_PORT_6379_TCP_PORT_START"])
+	}
+	if env["DOCKER_PORT_6379_TCP_PORT_END"] != "6381" {
+		t.Fatalf("Expected 6381, got %s", env["DOCKER_PORT_6379_TCP_PORT_END"])
+	}
+	if env["DOCKER_NAME"] != "/db/docker" {
+		t.Fatalf("Expected /db/docker, got %s", env["DOCKER_NAME"])
+	}
+	if env["DOCKER_ENV_PASSWORD"] != "gordon" {
+		t.Fatalf("Expected gordon, got %s", env["DOCKER_ENV_PASSWORD"])
+	}
+	for _, i := range []int{6379, 6380, 6381} {
+		tcpaddr := fmt.Sprintf("DOCKER_PORT_%d_TCP_ADDR", i)
+		tcpport := fmt.Sprintf("DOCKER_PORT_%d_TCP_PORT", i)
+		tcpproto := fmt.Sprintf("DOCKER_PORT_%d_TCP_PROTO", i)
+		tcp := fmt.Sprintf("DOCKER_PORT_%d_TCP", i)
+		if env[tcpaddr] != "172.0.17.2" {
+			t.Fatalf("Expected env %s  = 172.0.17.2, got %s", tcpaddr, env[tcpaddr])
+		}
+		if env[tcpport] != fmt.Sprintf("%d", i) {
+			t.Fatalf("Expected env %s  = %d, got %s", tcpport, i, env[tcpport])
+		}
+		if env[tcpproto] != "tcp" {
+			t.Fatalf("Expected env %s  = tcp, got %s", tcpproto, env[tcpproto])
+		}
+		if env[tcp] != fmt.Sprintf("tcp://172.0.17.2:%d", i) {
+			t.Fatalf("Expected env %s  = tcp://172.0.17.2:%d, got %s", tcp, i, env[tcp])
+		}
+	}
+}
diff --git a/engine/daemon/list.go b/engine/daemon/list.go
new file mode 100644
index 00000000..750079f9
--- /dev/null
+++ b/engine/daemon/list.go
@@ -0,0 +1,607 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/images"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/image"
+	"github.com/docker/go-connections/nat"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var acceptedPsFilterTags = map[string]bool{
+	"ancestor":  true,
+	"before":    true,
+	"exited":    true,
+	"id":        true,
+	"isolation": true,
+	"label":     true,
+	"name":      true,
+	"status":    true,
+	"health":    true,
+	"since":     true,
+	"volume":    true,
+	"network":   true,
+	"is-task":   true,
+	"publish":   true,
+	"expose":    true,
+}
+
+// iterationAction represents possible outcomes happening during the container iteration.
+type iterationAction int
+
+// containerReducer represents a reducer for a container.
+// Returns the object to serialize by the api.
+type containerReducer func(*container.Snapshot, *listContext) (*types.Container, error)
+
+const (
+	// includeContainer is the action to include a container in the reducer.
+	includeContainer iterationAction = iota
+	// excludeContainer is the action to exclude a container in the reducer.
+	excludeContainer
+	// stopIteration is the action to stop iterating over the list of containers.
+	stopIteration
+)
+
+// errStopIteration makes the iterator to stop without returning an error.
+var errStopIteration = errors.New("container list iteration stopped")
+
+// List returns an array of all containers registered in the daemon.
+func (daemon *Daemon) List() []*container.Container {
+	return daemon.containers.List()
+}
+
+// listContext is the daemon generated filtering to iterate over containers.
+// This is created based on the user specification from types.ContainerListOptions.
+type listContext struct {
+	// idx is the container iteration index for this context
+	idx int
+	// ancestorFilter tells whether it should check ancestors or not
+	ancestorFilter bool
+	// names is a list of container names to filter with
+	names map[string][]string
+	// images is a list of images to filter with
+	images map[image.ID]bool
+	// filters is a collection of arguments to filter with, specified by the user
+	filters filters.Args
+	// exitAllowed is a list of exit codes allowed to filter with
+	exitAllowed []int
+
+	// beforeFilter is a filter to ignore containers that appear before the one given
+	beforeFilter *container.Snapshot
+	// sinceFilter is a filter to stop the filtering when the iterator arrive to the given container
+	sinceFilter *container.Snapshot
+
+	// taskFilter tells if we should filter based on wether a container is part of a task
+	taskFilter bool
+	// isTask tells us if the we should filter container that are a task (true) or not (false)
+	isTask bool
+
+	// publish is a list of published ports to filter with
+	publish map[nat.Port]bool
+	// expose is a list of exposed ports to filter with
+	expose map[nat.Port]bool
+
+	// ContainerListOptions is the filters set by the user
+	*types.ContainerListOptions
+}
+
+// byCreatedDescending is a temporary type used to sort a list of containers by creation time.
+type byCreatedDescending []container.Snapshot
+
+func (r byCreatedDescending) Len() int      { return len(r) }
+func (r byCreatedDescending) Swap(i, j int) { r[i], r[j] = r[j], r[i] }
+func (r byCreatedDescending) Less(i, j int) bool {
+	return r[j].CreatedAt.UnixNano() < r[i].CreatedAt.UnixNano()
+}
+
+// Containers returns the list of containers to show given the user's filtering.
+func (daemon *Daemon) Containers(config *types.ContainerListOptions) ([]*types.Container, error) {
+	return daemon.reduceContainers(config, daemon.refreshImage)
+}
+
+func (daemon *Daemon) filterByNameIDMatches(view container.View, ctx *listContext) ([]container.Snapshot, error) {
+	idSearch := false
+	names := ctx.filters.Get("name")
+	ids := ctx.filters.Get("id")
+	if len(names)+len(ids) == 0 {
+		// if name or ID filters are not in use, return to
+		// standard behavior of walking the entire container
+		// list from the daemon's in-memory store
+		all, err := view.All()
+		sort.Sort(byCreatedDescending(all))
+		return all, err
+	}
+
+	// idSearch will determine if we limit name matching to the IDs
+	// matched from any IDs which were specified as filters
+	if len(ids) > 0 {
+		idSearch = true
+	}
+
+	matches := make(map[string]bool)
+	// find ID matches; errors represent "not found" and can be ignored
+	for _, id := range ids {
+		if fullID, err := daemon.idIndex.Get(id); err == nil {
+			matches[fullID] = true
+		}
+	}
+
+	// look for name matches; if ID filtering was used, then limit the
+	// search space to the matches map only; errors represent "not found"
+	// and can be ignored
+	if len(names) > 0 {
+		for id, idNames := range ctx.names {
+			// if ID filters were used and no matches on that ID were
+			// found, continue to next ID in the list
+			if idSearch && !matches[id] {
+				continue
+			}
+			for _, eachName := range idNames {
+				if ctx.filters.Match("name", eachName) {
+					matches[id] = true
+				}
+			}
+		}
+	}
+
+	cntrs := make([]container.Snapshot, 0, len(matches))
+	for id := range matches {
+		c, err := view.Get(id)
+		switch err.(type) {
+		case nil:
+			cntrs = append(cntrs, *c)
+		case container.NoSuchContainerError:
+			// ignore error
+		default:
+			return nil, err
+		}
+	}
+
+	// Restore sort-order after filtering
+	// Created gives us nanosec resolution for sorting
+	sort.Sort(byCreatedDescending(cntrs))
+
+	return cntrs, nil
+}
+
+// reduceContainers parses the user's filtering options and generates the list of containers to return based on a reducer.
+func (daemon *Daemon) reduceContainers(config *types.ContainerListOptions, reducer containerReducer) ([]*types.Container, error) {
+	if err := config.Filters.Validate(acceptedPsFilterTags); err != nil {
+		return nil, err
+	}
+
+	var (
+		view       = daemon.containersReplica.Snapshot()
+		containers = []*types.Container{}
+	)
+
+	ctx, err := daemon.foldFilter(view, config)
+	if err != nil {
+		return nil, err
+	}
+
+	// fastpath to only look at a subset of containers if specific name
+	// or ID matches were provided by the user--otherwise we potentially
+	// end up querying many more containers than intended
+	containerList, err := daemon.filterByNameIDMatches(view, ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := range containerList {
+		t, err := daemon.reducePsContainer(&containerList[i], ctx, reducer)
+		if err != nil {
+			if err != errStopIteration {
+				return nil, err
+			}
+			break
+		}
+		if t != nil {
+			containers = append(containers, t)
+			ctx.idx++
+		}
+	}
+
+	return containers, nil
+}
+
+// reducePsContainer is the basic representation for a container as expected by the ps command.
+func (daemon *Daemon) reducePsContainer(container *container.Snapshot, ctx *listContext, reducer containerReducer) (*types.Container, error) {
+	// filter containers to return
+	switch includeContainerInList(container, ctx) {
+	case excludeContainer:
+		return nil, nil
+	case stopIteration:
+		return nil, errStopIteration
+	}
+
+	// transform internal container struct into api structs
+	newC, err := reducer(container, ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	// release lock because size calculation is slow
+	if ctx.Size {
+		sizeRw, sizeRootFs := daemon.imageService.GetContainerLayerSize(newC.ID)
+		newC.SizeRw = sizeRw
+		newC.SizeRootFs = sizeRootFs
+	}
+	return newC, nil
+}
+
+// foldFilter generates the container filter based on the user's filtering options.
+func (daemon *Daemon) foldFilter(view container.View, config *types.ContainerListOptions) (*listContext, error) {
+	psFilters := config.Filters
+
+	var filtExited []int
+
+	err := psFilters.WalkValues("exited", func(value string) error {
+		code, err := strconv.Atoi(value)
+		if err != nil {
+			return err
+		}
+		filtExited = append(filtExited, code)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	err = psFilters.WalkValues("status", func(value string) error {
+		if !container.IsValidStateString(value) {
+			return invalidFilter{"status", value}
+		}
+
+		config.All = true
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var taskFilter, isTask bool
+	if psFilters.Contains("is-task") {
+		if psFilters.ExactMatch("is-task", "true") {
+			taskFilter = true
+			isTask = true
+		} else if psFilters.ExactMatch("is-task", "false") {
+			taskFilter = true
+			isTask = false
+		} else {
+			return nil, invalidFilter{"is-task", psFilters.Get("is-task")}
+		}
+	}
+
+	err = psFilters.WalkValues("health", func(value string) error {
+		if !container.IsValidHealthString(value) {
+			return errdefs.InvalidParameter(errors.Errorf("Unrecognised filter value for health: %s", value))
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var beforeContFilter, sinceContFilter *container.Snapshot
+
+	err = psFilters.WalkValues("before", func(value string) error {
+		beforeContFilter, err = idOrNameFilter(view, value)
+		return err
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	err = psFilters.WalkValues("since", func(value string) error {
+		sinceContFilter, err = idOrNameFilter(view, value)
+		return err
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	imagesFilter := map[image.ID]bool{}
+	var ancestorFilter bool
+	if psFilters.Contains("ancestor") {
+		ancestorFilter = true
+		psFilters.WalkValues("ancestor", func(ancestor string) error {
+			img, err := daemon.imageService.GetImage(ancestor)
+			if err != nil {
+				logrus.Warnf("Error while looking up for image %v", ancestor)
+				return nil
+			}
+			if imagesFilter[img.ID()] {
+				// Already seen this ancestor, skip it
+				return nil
+			}
+			// Then walk down the graph and put the imageIds in imagesFilter
+			populateImageFilterByParents(imagesFilter, img.ID(), daemon.imageService.Children)
+			return nil
+		})
+	}
+
+	publishFilter := map[nat.Port]bool{}
+	err = psFilters.WalkValues("publish", portOp("publish", publishFilter))
+	if err != nil {
+		return nil, err
+	}
+
+	exposeFilter := map[nat.Port]bool{}
+	err = psFilters.WalkValues("expose", portOp("expose", exposeFilter))
+	if err != nil {
+		return nil, err
+	}
+
+	return &listContext{
+		filters:              psFilters,
+		ancestorFilter:       ancestorFilter,
+		images:               imagesFilter,
+		exitAllowed:          filtExited,
+		beforeFilter:         beforeContFilter,
+		sinceFilter:          sinceContFilter,
+		taskFilter:           taskFilter,
+		isTask:               isTask,
+		publish:              publishFilter,
+		expose:               exposeFilter,
+		ContainerListOptions: config,
+		names:                view.GetAllNames(),
+	}, nil
+}
+
+func idOrNameFilter(view container.View, value string) (*container.Snapshot, error) {
+	filter, err := view.Get(value)
+	switch err.(type) {
+	case container.NoSuchContainerError:
+		// Try name search instead
+		found := ""
+		for id, idNames := range view.GetAllNames() {
+			for _, eachName := range idNames {
+				if strings.TrimPrefix(value, "/") == strings.TrimPrefix(eachName, "/") {
+					if found != "" && found != id {
+						return nil, err
+					}
+					found = id
+				}
+			}
+		}
+		if found != "" {
+			filter, err = view.Get(found)
+		}
+	}
+	return filter, err
+}
+
+func portOp(key string, filter map[nat.Port]bool) func(value string) error {
+	return func(value string) error {
+		if strings.Contains(value, ":") {
+			return fmt.Errorf("filter for '%s' should not contain ':': %s", key, value)
+		}
+		//support two formats, original format <portnum>/[<proto>] or <startport-endport>/[<proto>]
+		proto, port := nat.SplitProtoPort(value)
+		start, end, err := nat.ParsePortRange(port)
+		if err != nil {
+			return fmt.Errorf("error while looking up for %s %s: %s", key, value, err)
+		}
+		for i := start; i <= end; i++ {
+			p, err := nat.NewPort(proto, strconv.FormatUint(i, 10))
+			if err != nil {
+				return fmt.Errorf("error while looking up for %s %s: %s", key, value, err)
+			}
+			filter[p] = true
+		}
+		return nil
+	}
+}
+
+// includeContainerInList decides whether a container should be included in the output or not based in the filter.
+// It also decides if the iteration should be stopped or not.
+func includeContainerInList(container *container.Snapshot, ctx *listContext) iterationAction {
+	// Do not include container if it's in the list before the filter container.
+	// Set the filter container to nil to include the rest of containers after this one.
+	if ctx.beforeFilter != nil {
+		if container.ID == ctx.beforeFilter.ID {
+			ctx.beforeFilter = nil
+		}
+		return excludeContainer
+	}
+
+	// Stop iteration when the container arrives to the filter container
+	if ctx.sinceFilter != nil {
+		if container.ID == ctx.sinceFilter.ID {
+			return stopIteration
+		}
+	}
+
+	// Do not include container if it's stopped and we're not filters
+	if !container.Running && !ctx.All && ctx.Limit <= 0 {
+		return excludeContainer
+	}
+
+	// Do not include container if the name doesn't match
+	if !ctx.filters.Match("name", container.Name) {
+		return excludeContainer
+	}
+
+	// Do not include container if the id doesn't match
+	if !ctx.filters.Match("id", container.ID) {
+		return excludeContainer
+	}
+
+	if ctx.taskFilter {
+		if ctx.isTask != container.Managed {
+			return excludeContainer
+		}
+	}
+
+	// Do not include container if any of the labels don't match
+	if !ctx.filters.MatchKVList("label", container.Labels) {
+		return excludeContainer
+	}
+
+	// Do not include container if isolation doesn't match
+	if excludeContainer == excludeByIsolation(container, ctx) {
+		return excludeContainer
+	}
+
+	// Stop iteration when the index is over the limit
+	if ctx.Limit > 0 && ctx.idx == ctx.Limit {
+		return stopIteration
+	}
+
+	// Do not include container if its exit code is not in the filter
+	if len(ctx.exitAllowed) > 0 {
+		shouldSkip := true
+		for _, code := range ctx.exitAllowed {
+			if code == container.ExitCode && !container.Running && !container.StartedAt.IsZero() {
+				shouldSkip = false
+				break
+			}
+		}
+		if shouldSkip {
+			return excludeContainer
+		}
+	}
+
+	// Do not include container if its status doesn't match the filter
+	if !ctx.filters.Match("status", container.State) {
+		return excludeContainer
+	}
+
+	// Do not include container if its health doesn't match the filter
+	if !ctx.filters.ExactMatch("health", container.Health) {
+		return excludeContainer
+	}
+
+	if ctx.filters.Contains("volume") {
+		volumesByName := make(map[string]types.MountPoint)
+		for _, m := range container.Mounts {
+			if m.Name != "" {
+				volumesByName[m.Name] = m
+			} else {
+				volumesByName[m.Source] = m
+			}
+		}
+		volumesByDestination := make(map[string]types.MountPoint)
+		for _, m := range container.Mounts {
+			if m.Destination != "" {
+				volumesByDestination[m.Destination] = m
+			}
+		}
+
+		volumeExist := fmt.Errorf("volume mounted in container")
+		err := ctx.filters.WalkValues("volume", func(value string) error {
+			if _, exist := volumesByDestination[value]; exist {
+				return volumeExist
+			}
+			if _, exist := volumesByName[value]; exist {
+				return volumeExist
+			}
+			return nil
+		})
+		if err != volumeExist {
+			return excludeContainer
+		}
+	}
+
+	if ctx.ancestorFilter {
+		if len(ctx.images) == 0 {
+			return excludeContainer
+		}
+		if !ctx.images[image.ID(container.ImageID)] {
+			return excludeContainer
+		}
+	}
+
+	var (
+		networkExist = errors.New("container part of network")
+		noNetworks   = errors.New("container is not part of any networks")
+	)
+	if ctx.filters.Contains("network") {
+		err := ctx.filters.WalkValues("network", func(value string) error {
+			if container.NetworkSettings == nil {
+				return noNetworks
+			}
+			if _, ok := container.NetworkSettings.Networks[value]; ok {
+				return networkExist
+			}
+			for _, nw := range container.NetworkSettings.Networks {
+				if nw == nil {
+					continue
+				}
+				if strings.HasPrefix(nw.NetworkID, value) {
+					return networkExist
+				}
+			}
+			return nil
+		})
+		if err != networkExist {
+			return excludeContainer
+		}
+	}
+
+	if len(ctx.publish) > 0 {
+		shouldSkip := true
+		for port := range ctx.publish {
+			if _, ok := container.PortBindings[port]; ok {
+				shouldSkip = false
+				break
+			}
+		}
+		if shouldSkip {
+			return excludeContainer
+		}
+	}
+
+	if len(ctx.expose) > 0 {
+		shouldSkip := true
+		for port := range ctx.expose {
+			if _, ok := container.ExposedPorts[port]; ok {
+				shouldSkip = false
+				break
+			}
+		}
+		if shouldSkip {
+			return excludeContainer
+		}
+	}
+
+	return includeContainer
+}
+
+// refreshImage checks if the Image ref still points to the correct ID, and updates the ref to the actual ID when it doesn't
+func (daemon *Daemon) refreshImage(s *container.Snapshot, ctx *listContext) (*types.Container, error) {
+	c := s.Container
+	image := s.Image // keep the original ref if still valid (hasn't changed)
+	if image != s.ImageID {
+		img, err := daemon.imageService.GetImage(image)
+		if _, isDNE := err.(images.ErrImageDoesNotExist); err != nil && !isDNE {
+			return nil, err
+		}
+		if err != nil || img.ImageID() != s.ImageID {
+			// ref changed, we need to use original ID
+			image = s.ImageID
+		}
+	}
+	c.Image = image
+	return &c, nil
+}
+
+func populateImageFilterByParents(ancestorMap map[image.ID]bool, imageID image.ID, getChildren func(image.ID) []image.ID) {
+	if !ancestorMap[imageID] {
+		for _, id := range getChildren(imageID) {
+			populateImageFilterByParents(ancestorMap, id, getChildren)
+		}
+		ancestorMap[imageID] = true
+	}
+}
diff --git a/engine/daemon/list_test.go b/engine/daemon/list_test.go
new file mode 100644
index 00000000..3be510d1
--- /dev/null
+++ b/engine/daemon/list_test.go
@@ -0,0 +1,26 @@
+package daemon
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/container"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestListInvalidFilter(t *testing.T) {
+	db, err := container.NewViewDB()
+	assert.Assert(t, err == nil)
+	d := &Daemon{
+		containersReplica: db,
+	}
+
+	f := filters.NewArgs(filters.Arg("invalid", "foo"))
+
+	_, err = d.Containers(&types.ContainerListOptions{
+		Filters: f,
+	})
+	assert.Assert(t, is.Error(err, "Invalid filter 'invalid'"))
+}
diff --git a/engine/daemon/list_unix.go b/engine/daemon/list_unix.go
new file mode 100644
index 00000000..4f9e453b
--- /dev/null
+++ b/engine/daemon/list_unix.go
@@ -0,0 +1,11 @@
+// +build linux freebsd
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import "github.com/docker/docker/container"
+
+// excludeByIsolation is a platform specific helper function to support PS
+// filtering by Isolation. This is a Windows-only concept, so is a no-op on Unix.
+func excludeByIsolation(container *container.Snapshot, ctx *listContext) iterationAction {
+	return includeContainer
+}
diff --git a/engine/daemon/list_windows.go b/engine/daemon/list_windows.go
new file mode 100644
index 00000000..7c7b5fa8
--- /dev/null
+++ b/engine/daemon/list_windows.go
@@ -0,0 +1,20 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"strings"
+
+	"github.com/docker/docker/container"
+)
+
+// excludeByIsolation is a platform specific helper function to support PS
+// filtering by Isolation. This is a Windows-only concept, so is a no-op on Unix.
+func excludeByIsolation(container *container.Snapshot, ctx *listContext) iterationAction {
+	i := strings.ToLower(string(container.HostConfig.Isolation))
+	if i == "" {
+		i = "default"
+	}
+	if !ctx.filters.Match("isolation", i) {
+		return excludeContainer
+	}
+	return includeContainer
+}
diff --git a/engine/daemon/listeners/group_unix.go b/engine/daemon/listeners/group_unix.go
new file mode 100644
index 00000000..9cc17eba
--- /dev/null
+++ b/engine/daemon/listeners/group_unix.go
@@ -0,0 +1,34 @@
+// +build !windows
+
+package listeners // import "github.com/docker/docker/daemon/listeners"
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/opencontainers/runc/libcontainer/user"
+	"github.com/pkg/errors"
+)
+
+const defaultSocketGroup = "docker"
+
+func lookupGID(name string) (int, error) {
+	groupFile, err := user.GetGroupPath()
+	if err != nil {
+		return -1, errors.Wrap(err, "error looking up groups")
+	}
+	groups, err := user.ParseGroupFileFilter(groupFile, func(g user.Group) bool {
+		return g.Name == name || strconv.Itoa(g.Gid) == name
+	})
+	if err != nil {
+		return -1, errors.Wrapf(err, "error parsing groups for %s", name)
+	}
+	if len(groups) > 0 {
+		return groups[0].Gid, nil
+	}
+	gid, err := strconv.Atoi(name)
+	if err == nil {
+		return gid, nil
+	}
+	return -1, fmt.Errorf("group %s not found", name)
+}
diff --git a/engine/daemon/listeners/listeners_linux.go b/engine/daemon/listeners/listeners_linux.go
new file mode 100644
index 00000000..c8956db2
--- /dev/null
+++ b/engine/daemon/listeners/listeners_linux.go
@@ -0,0 +1,102 @@
+package listeners // import "github.com/docker/docker/daemon/listeners"
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net"
+	"os"
+	"strconv"
+
+	"github.com/coreos/go-systemd/activation"
+	"github.com/docker/go-connections/sockets"
+	"github.com/sirupsen/logrus"
+)
+
+// Init creates new listeners for the server.
+// TODO: Clean up the fact that socketGroup and tlsConfig aren't always used.
+func Init(proto, addr, socketGroup string, tlsConfig *tls.Config) ([]net.Listener, error) {
+	ls := []net.Listener{}
+
+	switch proto {
+	case "fd":
+		fds, err := listenFD(addr, tlsConfig)
+		if err != nil {
+			return nil, err
+		}
+		ls = append(ls, fds...)
+	case "tcp":
+		l, err := sockets.NewTCPSocket(addr, tlsConfig)
+		if err != nil {
+			return nil, err
+		}
+		ls = append(ls, l)
+	case "unix":
+		gid, err := lookupGID(socketGroup)
+		if err != nil {
+			if socketGroup != "" {
+				if socketGroup != defaultSocketGroup {
+					return nil, err
+				}
+				logrus.Warnf("could not change group %s to %s: %v", addr, defaultSocketGroup, err)
+			}
+			gid = os.Getgid()
+		}
+		l, err := sockets.NewUnixSocket(addr, gid)
+		if err != nil {
+			return nil, fmt.Errorf("can't create unix socket %s: %v", addr, err)
+		}
+		ls = append(ls, l)
+	default:
+		return nil, fmt.Errorf("invalid protocol format: %q", proto)
+	}
+
+	return ls, nil
+}
+
+// listenFD returns the specified socket activated files as a slice of
+// net.Listeners or all of the activated files if "*" is given.
+func listenFD(addr string, tlsConfig *tls.Config) ([]net.Listener, error) {
+	var (
+		err       error
+		listeners []net.Listener
+	)
+	// socket activation
+	if tlsConfig != nil {
+		listeners, err = activation.TLSListeners(tlsConfig)
+	} else {
+		listeners, err = activation.Listeners()
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	if len(listeners) == 0 {
+		return nil, fmt.Errorf("no sockets found via socket activation: make sure the service was started by systemd")
+	}
+
+	// default to all fds just like unix:// and tcp://
+	if addr == "" || addr == "*" {
+		return listeners, nil
+	}
+
+	fdNum, err := strconv.Atoi(addr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse systemd fd address: should be a number: %v", addr)
+	}
+	fdOffset := fdNum - 3
+	if len(listeners) < fdOffset+1 {
+		return nil, fmt.Errorf("too few socket activated files passed in by systemd")
+	}
+	if listeners[fdOffset] == nil {
+		return nil, fmt.Errorf("failed to listen on systemd activated file: fd %d", fdOffset+3)
+	}
+	for i, ls := range listeners {
+		if i == fdOffset || ls == nil {
+			continue
+		}
+		if err := ls.Close(); err != nil {
+			return nil, fmt.Errorf("failed to close systemd activated file: fd %d: %v", fdOffset+3, err)
+		}
+	}
+	return []net.Listener{listeners[fdOffset]}, nil
+}
diff --git a/engine/daemon/listeners/listeners_windows.go b/engine/daemon/listeners/listeners_windows.go
new file mode 100644
index 00000000..73f5f79e
--- /dev/null
+++ b/engine/daemon/listeners/listeners_windows.go
@@ -0,0 +1,54 @@
+package listeners // import "github.com/docker/docker/daemon/listeners"
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/docker/go-connections/sockets"
+)
+
+// Init creates new listeners for the server.
+func Init(proto, addr, socketGroup string, tlsConfig *tls.Config) ([]net.Listener, error) {
+	ls := []net.Listener{}
+
+	switch proto {
+	case "tcp":
+		l, err := sockets.NewTCPSocket(addr, tlsConfig)
+		if err != nil {
+			return nil, err
+		}
+		ls = append(ls, l)
+
+	case "npipe":
+		// allow Administrators and SYSTEM, plus whatever additional users or groups were specified
+		sddl := "D:P(A;;GA;;;BA)(A;;GA;;;SY)"
+		if socketGroup != "" {
+			for _, g := range strings.Split(socketGroup, ",") {
+				sid, err := winio.LookupSidByName(g)
+				if err != nil {
+					return nil, err
+				}
+				sddl += fmt.Sprintf("(A;;GRGW;;;%s)", sid)
+			}
+		}
+		c := winio.PipeConfig{
+			SecurityDescriptor: sddl,
+			MessageMode:        true,  // Use message mode so that CloseWrite() is supported
+			InputBufferSize:    65536, // Use 64KB buffers to improve performance
+			OutputBufferSize:   65536,
+		}
+		l, err := winio.ListenPipe(addr, &c)
+		if err != nil {
+			return nil, err
+		}
+		ls = append(ls, l)
+
+	default:
+		return nil, fmt.Errorf("invalid protocol format: windows only supports tcp and npipe")
+	}
+
+	return ls, nil
+}
diff --git a/engine/daemon/logdrivers_linux.go b/engine/daemon/logdrivers_linux.go
new file mode 100644
index 00000000..6ddcd2fc
--- /dev/null
+++ b/engine/daemon/logdrivers_linux.go
@@ -0,0 +1,15 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	// Importing packages here only to make sure their init gets called and
+	// therefore they register themselves to the logdriver factory.
+	_ "github.com/docker/docker/daemon/logger/awslogs"
+	_ "github.com/docker/docker/daemon/logger/fluentd"
+	_ "github.com/docker/docker/daemon/logger/gcplogs"
+	_ "github.com/docker/docker/daemon/logger/gelf"
+	_ "github.com/docker/docker/daemon/logger/journald"
+	_ "github.com/docker/docker/daemon/logger/jsonfilelog"
+	_ "github.com/docker/docker/daemon/logger/logentries"
+	_ "github.com/docker/docker/daemon/logger/splunk"
+	_ "github.com/docker/docker/daemon/logger/syslog"
+)
diff --git a/engine/daemon/logdrivers_windows.go b/engine/daemon/logdrivers_windows.go
new file mode 100644
index 00000000..62e7a6f9
--- /dev/null
+++ b/engine/daemon/logdrivers_windows.go
@@ -0,0 +1,14 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	// Importing packages here only to make sure their init gets called and
+	// therefore they register themselves to the logdriver factory.
+	_ "github.com/docker/docker/daemon/logger/awslogs"
+	_ "github.com/docker/docker/daemon/logger/etwlogs"
+	_ "github.com/docker/docker/daemon/logger/fluentd"
+	_ "github.com/docker/docker/daemon/logger/gelf"
+	_ "github.com/docker/docker/daemon/logger/jsonfilelog"
+	_ "github.com/docker/docker/daemon/logger/logentries"
+	_ "github.com/docker/docker/daemon/logger/splunk"
+	_ "github.com/docker/docker/daemon/logger/syslog"
+)
diff --git a/engine/daemon/logger/adapter.go b/engine/daemon/logger/adapter.go
new file mode 100644
index 00000000..95aff9bf
--- /dev/null
+++ b/engine/daemon/logger/adapter.go
@@ -0,0 +1,139 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"io"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types/plugins/logdriver"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// pluginAdapter takes a plugin and implements the Logger interface for logger
+// instances
+type pluginAdapter struct {
+	driverName   string
+	id           string
+	plugin       logPlugin
+	fifoPath     string
+	capabilities Capability
+	logInfo      Info
+
+	// synchronize access to the log stream and shared buffer
+	mu     sync.Mutex
+	enc    logdriver.LogEntryEncoder
+	stream io.WriteCloser
+	// buf is shared for each `Log()` call to reduce allocations.
+	// buf must be protected by mutex
+	buf logdriver.LogEntry
+}
+
+func (a *pluginAdapter) Log(msg *Message) error {
+	a.mu.Lock()
+
+	a.buf.Line = msg.Line
+	a.buf.TimeNano = msg.Timestamp.UnixNano()
+	a.buf.Partial = msg.PLogMetaData != nil
+	a.buf.Source = msg.Source
+
+	err := a.enc.Encode(&a.buf)
+	a.buf.Reset()
+
+	a.mu.Unlock()
+
+	PutMessage(msg)
+	return err
+}
+
+func (a *pluginAdapter) Name() string {
+	return a.driverName
+}
+
+func (a *pluginAdapter) Close() error {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+
+	if err := a.plugin.StopLogging(filepath.Join("/", "run", "docker", "logging", a.id)); err != nil {
+		return err
+	}
+
+	if err := a.stream.Close(); err != nil {
+		logrus.WithError(err).Error("error closing plugin fifo")
+	}
+	if err := os.Remove(a.fifoPath); err != nil && !os.IsNotExist(err) {
+		logrus.WithError(err).Error("error cleaning up plugin fifo")
+	}
+
+	// may be nil, especially for unit tests
+	if pluginGetter != nil {
+		pluginGetter.Get(a.Name(), extName, plugingetter.Release)
+	}
+	return nil
+}
+
+type pluginAdapterWithRead struct {
+	*pluginAdapter
+}
+
+func (a *pluginAdapterWithRead) ReadLogs(config ReadConfig) *LogWatcher {
+	watcher := NewLogWatcher()
+
+	go func() {
+		defer close(watcher.Msg)
+		stream, err := a.plugin.ReadLogs(a.logInfo, config)
+		if err != nil {
+			watcher.Err <- errors.Wrap(err, "error getting log reader")
+			return
+		}
+		defer stream.Close()
+
+		dec := logdriver.NewLogEntryDecoder(stream)
+		for {
+			select {
+			case <-watcher.WatchClose():
+				return
+			default:
+			}
+
+			var buf logdriver.LogEntry
+			if err := dec.Decode(&buf); err != nil {
+				if err == io.EOF {
+					return
+				}
+				select {
+				case watcher.Err <- errors.Wrap(err, "error decoding log message"):
+				case <-watcher.WatchClose():
+				}
+				return
+			}
+
+			msg := &Message{
+				Timestamp: time.Unix(0, buf.TimeNano),
+				Line:      buf.Line,
+				Source:    buf.Source,
+			}
+
+			// plugin should handle this, but check just in case
+			if !config.Since.IsZero() && msg.Timestamp.Before(config.Since) {
+				continue
+			}
+			if !config.Until.IsZero() && msg.Timestamp.After(config.Until) {
+				return
+			}
+
+			select {
+			case watcher.Msg <- msg:
+			case <-watcher.WatchClose():
+				// make sure the message we consumed is sent
+				watcher.Msg <- msg
+				return
+			}
+		}
+	}()
+
+	return watcher
+}
diff --git a/engine/daemon/logger/adapter_test.go b/engine/daemon/logger/adapter_test.go
new file mode 100644
index 00000000..f47e711c
--- /dev/null
+++ b/engine/daemon/logger/adapter_test.go
@@ -0,0 +1,216 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"encoding/binary"
+	"io"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types/plugins/logdriver"
+	protoio "github.com/gogo/protobuf/io"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+// mockLoggingPlugin implements the loggingPlugin interface for testing purposes
+// it only supports a single log stream
+type mockLoggingPlugin struct {
+	io.WriteCloser
+	inStream io.Reader
+	logs     []*logdriver.LogEntry
+	c        *sync.Cond
+	err      error
+}
+
+func newMockLoggingPlugin() *mockLoggingPlugin {
+	r, w := io.Pipe()
+	return &mockLoggingPlugin{
+		WriteCloser: w,
+		inStream:    r,
+		logs:        []*logdriver.LogEntry{},
+		c:           sync.NewCond(new(sync.Mutex)),
+	}
+}
+
+func (l *mockLoggingPlugin) StartLogging(file string, info Info) error {
+	go func() {
+		dec := protoio.NewUint32DelimitedReader(l.inStream, binary.BigEndian, 1e6)
+		for {
+			var msg logdriver.LogEntry
+			if err := dec.ReadMsg(&msg); err != nil {
+				l.c.L.Lock()
+				if l.err == nil {
+					l.err = err
+				}
+				l.c.L.Unlock()
+
+				l.c.Broadcast()
+				return
+
+			}
+
+			l.c.L.Lock()
+			l.logs = append(l.logs, &msg)
+			l.c.L.Unlock()
+			l.c.Broadcast()
+		}
+
+	}()
+	return nil
+}
+
+func (l *mockLoggingPlugin) StopLogging(file string) error {
+	l.c.L.Lock()
+	if l.err == nil {
+		l.err = io.EOF
+	}
+	l.c.L.Unlock()
+	l.c.Broadcast()
+	return nil
+}
+
+func (l *mockLoggingPlugin) Capabilities() (cap Capability, err error) {
+	return Capability{ReadLogs: true}, nil
+}
+
+func (l *mockLoggingPlugin) ReadLogs(info Info, config ReadConfig) (io.ReadCloser, error) {
+	r, w := io.Pipe()
+
+	go func() {
+		var idx int
+		enc := logdriver.NewLogEntryEncoder(w)
+
+		l.c.L.Lock()
+		defer l.c.L.Unlock()
+		for {
+			if l.err != nil {
+				w.Close()
+				return
+			}
+
+			if idx >= len(l.logs) {
+				if !config.Follow {
+					w.Close()
+					return
+				}
+
+				l.c.Wait()
+				continue
+			}
+
+			if err := enc.Encode(l.logs[idx]); err != nil {
+				w.CloseWithError(err)
+				return
+			}
+			idx++
+		}
+	}()
+
+	return r, nil
+}
+
+func (l *mockLoggingPlugin) waitLen(i int) {
+	l.c.L.Lock()
+	defer l.c.L.Unlock()
+	for len(l.logs) < i {
+		l.c.Wait()
+	}
+}
+
+func (l *mockLoggingPlugin) check(t *testing.T) {
+	if l.err != nil && l.err != io.EOF {
+		t.Fatal(l.err)
+	}
+}
+
+func newMockPluginAdapter(plugin *mockLoggingPlugin) Logger {
+	enc := logdriver.NewLogEntryEncoder(plugin)
+	a := &pluginAdapterWithRead{
+		&pluginAdapter{
+			plugin: plugin,
+			stream: plugin,
+			enc:    enc,
+		},
+	}
+	a.plugin.StartLogging("", Info{})
+	return a
+}
+
+func TestAdapterReadLogs(t *testing.T) {
+	plugin := newMockLoggingPlugin()
+	l := newMockPluginAdapter(plugin)
+
+	testMsg := []Message{
+		{Line: []byte("Are you the keymaker?"), Timestamp: time.Now()},
+		{Line: []byte("Follow the white rabbit"), Timestamp: time.Now()},
+	}
+	for _, msg := range testMsg {
+		m := msg.copy()
+		assert.Check(t, l.Log(m))
+	}
+
+	// Wait until messages are read into plugin
+	plugin.waitLen(len(testMsg))
+
+	lr, ok := l.(LogReader)
+	assert.Check(t, ok, "Logger does not implement LogReader")
+
+	lw := lr.ReadLogs(ReadConfig{})
+
+	for _, x := range testMsg {
+		select {
+		case msg := <-lw.Msg:
+			testMessageEqual(t, &x, msg)
+		case <-time.After(10 * time.Second):
+			t.Fatal("timeout reading logs")
+		}
+	}
+
+	select {
+	case _, ok := <-lw.Msg:
+		assert.Check(t, !ok, "expected message channel to be closed")
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for message channel to close")
+
+	}
+	lw.Close()
+
+	lw = lr.ReadLogs(ReadConfig{Follow: true})
+	for _, x := range testMsg {
+		select {
+		case msg := <-lw.Msg:
+			testMessageEqual(t, &x, msg)
+		case <-time.After(10 * time.Second):
+			t.Fatal("timeout reading logs")
+		}
+	}
+
+	x := Message{Line: []byte("Too infinity and beyond!"), Timestamp: time.Now()}
+	assert.Check(t, l.Log(x.copy()))
+
+	select {
+	case msg, ok := <-lw.Msg:
+		assert.Check(t, ok, "message channel unexpectedly closed")
+		testMessageEqual(t, &x, msg)
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout reading logs")
+	}
+
+	l.Close()
+	select {
+	case msg, ok := <-lw.Msg:
+		assert.Check(t, !ok, "expected message channel to be closed")
+		assert.Check(t, is.Nil(msg))
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for logger to close")
+	}
+
+	plugin.check(t)
+}
+
+func testMessageEqual(t *testing.T, a, b *Message) {
+	assert.Check(t, is.DeepEqual(a.Line, b.Line))
+	assert.Check(t, is.DeepEqual(a.Timestamp.UnixNano(), b.Timestamp.UnixNano()))
+	assert.Check(t, is.Equal(a.Source, b.Source))
+}
diff --git a/engine/daemon/logger/awslogs/cloudwatchlogs.go b/engine/daemon/logger/awslogs/cloudwatchlogs.go
new file mode 100644
index 00000000..3d6466f0
--- /dev/null
+++ b/engine/daemon/logger/awslogs/cloudwatchlogs.go
@@ -0,0 +1,744 @@
+// Package awslogs provides the logdriver for forwarding container logs to Amazon CloudWatch Logs
+package awslogs // import "github.com/docker/docker/daemon/logger/awslogs"
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+	"runtime"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/aws/credentials/endpointcreds"
+	"github.com/aws/aws-sdk-go/aws/ec2metadata"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/cloudwatchlogs"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/loggerutils"
+	"github.com/docker/docker/dockerversion"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	name                   = "awslogs"
+	regionKey              = "awslogs-region"
+	regionEnvKey           = "AWS_REGION"
+	logGroupKey            = "awslogs-group"
+	logStreamKey           = "awslogs-stream"
+	logCreateGroupKey      = "awslogs-create-group"
+	tagKey                 = "tag"
+	datetimeFormatKey      = "awslogs-datetime-format"
+	multilinePatternKey    = "awslogs-multiline-pattern"
+	credentialsEndpointKey = "awslogs-credentials-endpoint"
+	batchPublishFrequency  = 5 * time.Second
+
+	// See: http://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutLogEvents.html
+	perEventBytes          = 26
+	maximumBytesPerPut     = 1048576
+	maximumLogEventsPerPut = 10000
+
+	// See: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_limits.html
+	maximumBytesPerEvent = 262144 - perEventBytes
+
+	resourceAlreadyExistsCode = "ResourceAlreadyExistsException"
+	dataAlreadyAcceptedCode   = "DataAlreadyAcceptedException"
+	invalidSequenceTokenCode  = "InvalidSequenceTokenException"
+	resourceNotFoundCode      = "ResourceNotFoundException"
+
+	credentialsEndpoint = "http://169.254.170.2"
+
+	userAgentHeader = "User-Agent"
+)
+
+type logStream struct {
+	logStreamName    string
+	logGroupName     string
+	logCreateGroup   bool
+	logNonBlocking   bool
+	multilinePattern *regexp.Regexp
+	client           api
+	messages         chan *logger.Message
+	lock             sync.RWMutex
+	closed           bool
+	sequenceToken    *string
+}
+
+var _ logger.SizedLogger = &logStream{}
+
+type api interface {
+	CreateLogGroup(*cloudwatchlogs.CreateLogGroupInput) (*cloudwatchlogs.CreateLogGroupOutput, error)
+	CreateLogStream(*cloudwatchlogs.CreateLogStreamInput) (*cloudwatchlogs.CreateLogStreamOutput, error)
+	PutLogEvents(*cloudwatchlogs.PutLogEventsInput) (*cloudwatchlogs.PutLogEventsOutput, error)
+}
+
+type regionFinder interface {
+	Region() (string, error)
+}
+
+type wrappedEvent struct {
+	inputLogEvent *cloudwatchlogs.InputLogEvent
+	insertOrder   int
+}
+type byTimestamp []wrappedEvent
+
+// init registers the awslogs driver
+func init() {
+	if err := logger.RegisterLogDriver(name, New); err != nil {
+		logrus.Fatal(err)
+	}
+	if err := logger.RegisterLogOptValidator(name, ValidateLogOpt); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// eventBatch holds the events that are batched for submission and the
+// associated data about it.
+//
+// Warning: this type is not threadsafe and must not be used
+// concurrently. This type is expected to be consumed in a single go
+// routine and never concurrently.
+type eventBatch struct {
+	batch []wrappedEvent
+	bytes int
+}
+
+// New creates an awslogs logger using the configuration passed in on the
+// context.  Supported context configuration variables are awslogs-region,
+// awslogs-group, awslogs-stream, awslogs-create-group, awslogs-multiline-pattern
+// and awslogs-datetime-format.  When available, configuration is
+// also taken from environment variables AWS_REGION, AWS_ACCESS_KEY_ID,
+// AWS_SECRET_ACCESS_KEY, the shared credentials file (~/.aws/credentials), and
+// the EC2 Instance Metadata Service.
+func New(info logger.Info) (logger.Logger, error) {
+	logGroupName := info.Config[logGroupKey]
+	logStreamName, err := loggerutils.ParseLogTag(info, "{{.FullID}}")
+	if err != nil {
+		return nil, err
+	}
+	logCreateGroup := false
+	if info.Config[logCreateGroupKey] != "" {
+		logCreateGroup, err = strconv.ParseBool(info.Config[logCreateGroupKey])
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	logNonBlocking := info.Config["mode"] == "non-blocking"
+
+	if info.Config[logStreamKey] != "" {
+		logStreamName = info.Config[logStreamKey]
+	}
+
+	multilinePattern, err := parseMultilineOptions(info)
+	if err != nil {
+		return nil, err
+	}
+
+	client, err := newAWSLogsClient(info)
+	if err != nil {
+		return nil, err
+	}
+
+	containerStream := &logStream{
+		logStreamName:    logStreamName,
+		logGroupName:     logGroupName,
+		logCreateGroup:   logCreateGroup,
+		logNonBlocking:   logNonBlocking,
+		multilinePattern: multilinePattern,
+		client:           client,
+		messages:         make(chan *logger.Message, 4096),
+	}
+
+	creationDone := make(chan bool)
+	if logNonBlocking {
+		go func() {
+			backoff := 1
+			maxBackoff := 32
+			for {
+				// If logger is closed we are done
+				containerStream.lock.RLock()
+				if containerStream.closed {
+					containerStream.lock.RUnlock()
+					break
+				}
+				containerStream.lock.RUnlock()
+				err := containerStream.create()
+				if err == nil {
+					break
+				}
+
+				time.Sleep(time.Duration(backoff) * time.Second)
+				if backoff < maxBackoff {
+					backoff *= 2
+				}
+				logrus.
+					WithError(err).
+					WithField("container-id", info.ContainerID).
+					WithField("container-name", info.ContainerName).
+					Error("Error while trying to initialize awslogs. Retrying in: ", backoff, " seconds")
+			}
+			close(creationDone)
+		}()
+	} else {
+		if err = containerStream.create(); err != nil {
+			return nil, err
+		}
+		close(creationDone)
+	}
+	go containerStream.collectBatch(creationDone)
+
+	return containerStream, nil
+}
+
+// Parses awslogs-multiline-pattern and awslogs-datetime-format options
+// If awslogs-datetime-format is present, convert the format from strftime
+// to regexp and return.
+// If awslogs-multiline-pattern is present, compile regexp and return
+func parseMultilineOptions(info logger.Info) (*regexp.Regexp, error) {
+	dateTimeFormat := info.Config[datetimeFormatKey]
+	multilinePatternKey := info.Config[multilinePatternKey]
+	// strftime input is parsed into a regular expression
+	if dateTimeFormat != "" {
+		// %. matches each strftime format sequence and ReplaceAllStringFunc
+		// looks up each format sequence in the conversion table strftimeToRegex
+		// to replace with a defined regular expression
+		r := regexp.MustCompile("%.")
+		multilinePatternKey = r.ReplaceAllStringFunc(dateTimeFormat, func(s string) string {
+			return strftimeToRegex[s]
+		})
+	}
+	if multilinePatternKey != "" {
+		multilinePattern, err := regexp.Compile(multilinePatternKey)
+		if err != nil {
+			return nil, errors.Wrapf(err, "awslogs could not parse multiline pattern key %q", multilinePatternKey)
+		}
+		return multilinePattern, nil
+	}
+	return nil, nil
+}
+
+// Maps strftime format strings to regex
+var strftimeToRegex = map[string]string{
+	/*weekdayShort          */ `%a`: `(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)`,
+	/*weekdayFull           */ `%A`: `(?:Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday)`,
+	/*weekdayZeroIndex      */ `%w`: `[0-6]`,
+	/*dayZeroPadded         */ `%d`: `(?:0[1-9]|[1,2][0-9]|3[0,1])`,
+	/*monthShort            */ `%b`: `(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)`,
+	/*monthFull             */ `%B`: `(?:January|February|March|April|May|June|July|August|September|October|November|December)`,
+	/*monthZeroPadded       */ `%m`: `(?:0[1-9]|1[0-2])`,
+	/*yearCentury           */ `%Y`: `\d{4}`,
+	/*yearZeroPadded        */ `%y`: `\d{2}`,
+	/*hour24ZeroPadded      */ `%H`: `(?:[0,1][0-9]|2[0-3])`,
+	/*hour12ZeroPadded      */ `%I`: `(?:0[0-9]|1[0-2])`,
+	/*AM or PM              */ `%p`: "[A,P]M",
+	/*minuteZeroPadded      */ `%M`: `[0-5][0-9]`,
+	/*secondZeroPadded      */ `%S`: `[0-5][0-9]`,
+	/*microsecondZeroPadded */ `%f`: `\d{6}`,
+	/*utcOffset             */ `%z`: `[+-]\d{4}`,
+	/*tzName                */ `%Z`: `[A-Z]{1,4}T`,
+	/*dayOfYearZeroPadded   */ `%j`: `(?:0[0-9][1-9]|[1,2][0-9][0-9]|3[0-5][0-9]|36[0-6])`,
+	/*milliseconds          */ `%L`: `\.\d{3}`,
+}
+
+// newRegionFinder is a variable such that the implementation
+// can be swapped out for unit tests.
+var newRegionFinder = func() regionFinder {
+	return ec2metadata.New(session.New())
+}
+
+// newSDKEndpoint is a variable such that the implementation
+// can be swapped out for unit tests.
+var newSDKEndpoint = credentialsEndpoint
+
+// newAWSLogsClient creates the service client for Amazon CloudWatch Logs.
+// Customizations to the default client from the SDK include a Docker-specific
+// User-Agent string and automatic region detection using the EC2 Instance
+// Metadata Service when region is otherwise unspecified.
+func newAWSLogsClient(info logger.Info) (api, error) {
+	var region *string
+	if os.Getenv(regionEnvKey) != "" {
+		region = aws.String(os.Getenv(regionEnvKey))
+	}
+	if info.Config[regionKey] != "" {
+		region = aws.String(info.Config[regionKey])
+	}
+	if region == nil || *region == "" {
+		logrus.Info("Trying to get region from EC2 Metadata")
+		ec2MetadataClient := newRegionFinder()
+		r, err := ec2MetadataClient.Region()
+		if err != nil {
+			logrus.WithFields(logrus.Fields{
+				"error": err,
+			}).Error("Could not get region from EC2 metadata, environment, or log option")
+			return nil, errors.New("Cannot determine region for awslogs driver")
+		}
+		region = &r
+	}
+
+	sess, err := session.NewSession()
+	if err != nil {
+		return nil, errors.New("Failed to create a service client session for for awslogs driver")
+	}
+
+	// attach region to cloudwatchlogs config
+	sess.Config.Region = region
+
+	if uri, ok := info.Config[credentialsEndpointKey]; ok {
+		logrus.Debugf("Trying to get credentials from awslogs-credentials-endpoint")
+
+		endpoint := fmt.Sprintf("%s%s", newSDKEndpoint, uri)
+		creds := endpointcreds.NewCredentialsClient(*sess.Config, sess.Handlers, endpoint,
+			func(p *endpointcreds.Provider) {
+				p.ExpiryWindow = 5 * time.Minute
+			})
+
+		// attach credentials to cloudwatchlogs config
+		sess.Config.Credentials = creds
+	}
+
+	logrus.WithFields(logrus.Fields{
+		"region": *region,
+	}).Debug("Created awslogs client")
+
+	client := cloudwatchlogs.New(sess)
+
+	client.Handlers.Build.PushBackNamed(request.NamedHandler{
+		Name: "DockerUserAgentHandler",
+		Fn: func(r *request.Request) {
+			currentAgent := r.HTTPRequest.Header.Get(userAgentHeader)
+			r.HTTPRequest.Header.Set(userAgentHeader,
+				fmt.Sprintf("Docker %s (%s) %s",
+					dockerversion.Version, runtime.GOOS, currentAgent))
+		},
+	})
+	return client, nil
+}
+
+// Name returns the name of the awslogs logging driver
+func (l *logStream) Name() string {
+	return name
+}
+
+func (l *logStream) BufSize() int {
+	return maximumBytesPerEvent
+}
+
+// Log submits messages for logging by an instance of the awslogs logging driver
+func (l *logStream) Log(msg *logger.Message) error {
+	l.lock.RLock()
+	defer l.lock.RUnlock()
+	if l.closed {
+		return errors.New("awslogs is closed")
+	}
+	if l.logNonBlocking {
+		select {
+		case l.messages <- msg:
+			return nil
+		default:
+			return errors.New("awslogs buffer is full")
+		}
+	}
+	l.messages <- msg
+	return nil
+}
+
+// Close closes the instance of the awslogs logging driver
+func (l *logStream) Close() error {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+	if !l.closed {
+		close(l.messages)
+	}
+	l.closed = true
+	return nil
+}
+
+// create creates log group and log stream for the instance of the awslogs logging driver
+func (l *logStream) create() error {
+	if err := l.createLogStream(); err != nil {
+		if l.logCreateGroup {
+			if awsErr, ok := err.(awserr.Error); ok && awsErr.Code() == resourceNotFoundCode {
+				if err := l.createLogGroup(); err != nil {
+					return err
+				}
+				return l.createLogStream()
+			}
+		}
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// createLogGroup creates a log group for the instance of the awslogs logging driver
+func (l *logStream) createLogGroup() error {
+	if _, err := l.client.CreateLogGroup(&cloudwatchlogs.CreateLogGroupInput{
+		LogGroupName: aws.String(l.logGroupName),
+	}); err != nil {
+		if awsErr, ok := err.(awserr.Error); ok {
+			fields := logrus.Fields{
+				"errorCode":      awsErr.Code(),
+				"message":        awsErr.Message(),
+				"origError":      awsErr.OrigErr(),
+				"logGroupName":   l.logGroupName,
+				"logCreateGroup": l.logCreateGroup,
+			}
+			if awsErr.Code() == resourceAlreadyExistsCode {
+				// Allow creation to succeed
+				logrus.WithFields(fields).Info("Log group already exists")
+				return nil
+			}
+			logrus.WithFields(fields).Error("Failed to create log group")
+		}
+		return err
+	}
+	return nil
+}
+
+// createLogStream creates a log stream for the instance of the awslogs logging driver
+func (l *logStream) createLogStream() error {
+	input := &cloudwatchlogs.CreateLogStreamInput{
+		LogGroupName:  aws.String(l.logGroupName),
+		LogStreamName: aws.String(l.logStreamName),
+	}
+
+	_, err := l.client.CreateLogStream(input)
+
+	if err != nil {
+		if awsErr, ok := err.(awserr.Error); ok {
+			fields := logrus.Fields{
+				"errorCode":     awsErr.Code(),
+				"message":       awsErr.Message(),
+				"origError":     awsErr.OrigErr(),
+				"logGroupName":  l.logGroupName,
+				"logStreamName": l.logStreamName,
+			}
+			if awsErr.Code() == resourceAlreadyExistsCode {
+				// Allow creation to succeed
+				logrus.WithFields(fields).Info("Log stream already exists")
+				return nil
+			}
+			logrus.WithFields(fields).Error("Failed to create log stream")
+		}
+	}
+	return err
+}
+
+// newTicker is used for time-based batching.  newTicker is a variable such
+// that the implementation can be swapped out for unit tests.
+var newTicker = func(freq time.Duration) *time.Ticker {
+	return time.NewTicker(freq)
+}
+
+// collectBatch executes as a goroutine to perform batching of log events for
+// submission to the log stream.  If the awslogs-multiline-pattern or
+// awslogs-datetime-format options have been configured, multiline processing
+// is enabled, where log messages are stored in an event buffer until a multiline
+// pattern match is found, at which point the messages in the event buffer are
+// pushed to CloudWatch logs as a single log event.  Multiline messages are processed
+// according to the maximumBytesPerPut constraint, and the implementation only
+// allows for messages to be buffered for a maximum of 2*batchPublishFrequency
+// seconds.  When events are ready to be processed for submission to CloudWatch
+// Logs, the processEvents method is called.  If a multiline pattern is not
+// configured, log events are submitted to the processEvents method immediately.
+func (l *logStream) collectBatch(created chan bool) {
+	// Wait for the logstream/group to be created
+	<-created
+	ticker := newTicker(batchPublishFrequency)
+	var eventBuffer []byte
+	var eventBufferTimestamp int64
+	var batch = newEventBatch()
+	for {
+		select {
+		case t := <-ticker.C:
+			// If event buffer is older than batch publish frequency flush the event buffer
+			if eventBufferTimestamp > 0 && len(eventBuffer) > 0 {
+				eventBufferAge := t.UnixNano()/int64(time.Millisecond) - eventBufferTimestamp
+				eventBufferExpired := eventBufferAge >= int64(batchPublishFrequency)/int64(time.Millisecond)
+				eventBufferNegative := eventBufferAge < 0
+				if eventBufferExpired || eventBufferNegative {
+					l.processEvent(batch, eventBuffer, eventBufferTimestamp)
+					eventBuffer = eventBuffer[:0]
+				}
+			}
+			l.publishBatch(batch)
+			batch.reset()
+		case msg, more := <-l.messages:
+			if !more {
+				// Flush event buffer and release resources
+				l.processEvent(batch, eventBuffer, eventBufferTimestamp)
+				eventBuffer = eventBuffer[:0]
+				l.publishBatch(batch)
+				batch.reset()
+				return
+			}
+			if eventBufferTimestamp == 0 {
+				eventBufferTimestamp = msg.Timestamp.UnixNano() / int64(time.Millisecond)
+			}
+			line := msg.Line
+			if l.multilinePattern != nil {
+				if l.multilinePattern.Match(line) || len(eventBuffer)+len(line) > maximumBytesPerEvent {
+					// This is a new log event or we will exceed max bytes per event
+					// so flush the current eventBuffer to events and reset timestamp
+					l.processEvent(batch, eventBuffer, eventBufferTimestamp)
+					eventBufferTimestamp = msg.Timestamp.UnixNano() / int64(time.Millisecond)
+					eventBuffer = eventBuffer[:0]
+				}
+				// Append new line if event is less than max event size
+				if len(line) < maximumBytesPerEvent {
+					line = append(line, "\n"...)
+				}
+				eventBuffer = append(eventBuffer, line...)
+				logger.PutMessage(msg)
+			} else {
+				l.processEvent(batch, line, msg.Timestamp.UnixNano()/int64(time.Millisecond))
+				logger.PutMessage(msg)
+			}
+		}
+	}
+}
+
+// processEvent processes log events that are ready for submission to CloudWatch
+// logs.  Batching is performed on time- and size-bases.  Time-based batching
+// occurs at a 5 second interval (defined in the batchPublishFrequency const).
+// Size-based batching is performed on the maximum number of events per batch
+// (defined in maximumLogEventsPerPut) and the maximum number of total bytes in a
+// batch (defined in maximumBytesPerPut).  Log messages are split by the maximum
+// bytes per event (defined in maximumBytesPerEvent).  There is a fixed per-event
+// byte overhead (defined in perEventBytes) which is accounted for in split- and
+// batch-calculations.
+func (l *logStream) processEvent(batch *eventBatch, events []byte, timestamp int64) {
+	for len(events) > 0 {
+		// Split line length so it does not exceed the maximum
+		lineBytes := len(events)
+		if lineBytes > maximumBytesPerEvent {
+			lineBytes = maximumBytesPerEvent
+		}
+		line := events[:lineBytes]
+
+		event := wrappedEvent{
+			inputLogEvent: &cloudwatchlogs.InputLogEvent{
+				Message:   aws.String(string(line)),
+				Timestamp: aws.Int64(timestamp),
+			},
+			insertOrder: batch.count(),
+		}
+
+		added := batch.add(event, lineBytes)
+		if added {
+			events = events[lineBytes:]
+		} else {
+			l.publishBatch(batch)
+			batch.reset()
+		}
+	}
+}
+
+// publishBatch calls PutLogEvents for a given set of InputLogEvents,
+// accounting for sequencing requirements (each request must reference the
+// sequence token returned by the previous request).
+func (l *logStream) publishBatch(batch *eventBatch) {
+	if batch.isEmpty() {
+		return
+	}
+	cwEvents := unwrapEvents(batch.events())
+
+	nextSequenceToken, err := l.putLogEvents(cwEvents, l.sequenceToken)
+
+	if err != nil {
+		if awsErr, ok := err.(awserr.Error); ok {
+			if awsErr.Code() == dataAlreadyAcceptedCode {
+				// already submitted, just grab the correct sequence token
+				parts := strings.Split(awsErr.Message(), " ")
+				nextSequenceToken = &parts[len(parts)-1]
+				logrus.WithFields(logrus.Fields{
+					"errorCode":     awsErr.Code(),
+					"message":       awsErr.Message(),
+					"logGroupName":  l.logGroupName,
+					"logStreamName": l.logStreamName,
+				}).Info("Data already accepted, ignoring error")
+				err = nil
+			} else if awsErr.Code() == invalidSequenceTokenCode {
+				// sequence code is bad, grab the correct one and retry
+				parts := strings.Split(awsErr.Message(), " ")
+				token := parts[len(parts)-1]
+				nextSequenceToken, err = l.putLogEvents(cwEvents, &token)
+			}
+		}
+	}
+	if err != nil {
+		logrus.Error(err)
+	} else {
+		l.sequenceToken = nextSequenceToken
+	}
+}
+
+// putLogEvents wraps the PutLogEvents API
+func (l *logStream) putLogEvents(events []*cloudwatchlogs.InputLogEvent, sequenceToken *string) (*string, error) {
+	input := &cloudwatchlogs.PutLogEventsInput{
+		LogEvents:     events,
+		SequenceToken: sequenceToken,
+		LogGroupName:  aws.String(l.logGroupName),
+		LogStreamName: aws.String(l.logStreamName),
+	}
+	resp, err := l.client.PutLogEvents(input)
+	if err != nil {
+		if awsErr, ok := err.(awserr.Error); ok {
+			logrus.WithFields(logrus.Fields{
+				"errorCode":     awsErr.Code(),
+				"message":       awsErr.Message(),
+				"origError":     awsErr.OrigErr(),
+				"logGroupName":  l.logGroupName,
+				"logStreamName": l.logStreamName,
+			}).Error("Failed to put log events")
+		}
+		return nil, err
+	}
+	return resp.NextSequenceToken, nil
+}
+
+// ValidateLogOpt looks for awslogs-specific log options awslogs-region,
+// awslogs-group, awslogs-stream, awslogs-create-group, awslogs-datetime-format,
+// awslogs-multiline-pattern
+func ValidateLogOpt(cfg map[string]string) error {
+	for key := range cfg {
+		switch key {
+		case logGroupKey:
+		case logStreamKey:
+		case logCreateGroupKey:
+		case regionKey:
+		case tagKey:
+		case datetimeFormatKey:
+		case multilinePatternKey:
+		case credentialsEndpointKey:
+		default:
+			return fmt.Errorf("unknown log opt '%s' for %s log driver", key, name)
+		}
+	}
+	if cfg[logGroupKey] == "" {
+		return fmt.Errorf("must specify a value for log opt '%s'", logGroupKey)
+	}
+	if cfg[logCreateGroupKey] != "" {
+		if _, err := strconv.ParseBool(cfg[logCreateGroupKey]); err != nil {
+			return fmt.Errorf("must specify valid value for log opt '%s': %v", logCreateGroupKey, err)
+		}
+	}
+	_, datetimeFormatKeyExists := cfg[datetimeFormatKey]
+	_, multilinePatternKeyExists := cfg[multilinePatternKey]
+	if datetimeFormatKeyExists && multilinePatternKeyExists {
+		return fmt.Errorf("you cannot configure log opt '%s' and '%s' at the same time", datetimeFormatKey, multilinePatternKey)
+	}
+	return nil
+}
+
+// Len returns the length of a byTimestamp slice.  Len is required by the
+// sort.Interface interface.
+func (slice byTimestamp) Len() int {
+	return len(slice)
+}
+
+// Less compares two values in a byTimestamp slice by Timestamp.  Less is
+// required by the sort.Interface interface.
+func (slice byTimestamp) Less(i, j int) bool {
+	iTimestamp, jTimestamp := int64(0), int64(0)
+	if slice != nil && slice[i].inputLogEvent.Timestamp != nil {
+		iTimestamp = *slice[i].inputLogEvent.Timestamp
+	}
+	if slice != nil && slice[j].inputLogEvent.Timestamp != nil {
+		jTimestamp = *slice[j].inputLogEvent.Timestamp
+	}
+	if iTimestamp == jTimestamp {
+		return slice[i].insertOrder < slice[j].insertOrder
+	}
+	return iTimestamp < jTimestamp
+}
+
+// Swap swaps two values in a byTimestamp slice with each other.  Swap is
+// required by the sort.Interface interface.
+func (slice byTimestamp) Swap(i, j int) {
+	slice[i], slice[j] = slice[j], slice[i]
+}
+
+func unwrapEvents(events []wrappedEvent) []*cloudwatchlogs.InputLogEvent {
+	cwEvents := make([]*cloudwatchlogs.InputLogEvent, len(events))
+	for i, input := range events {
+		cwEvents[i] = input.inputLogEvent
+	}
+	return cwEvents
+}
+
+func newEventBatch() *eventBatch {
+	return &eventBatch{
+		batch: make([]wrappedEvent, 0),
+		bytes: 0,
+	}
+}
+
+// events returns a slice of wrappedEvents sorted in order of their
+// timestamps and then by their insertion order (see `byTimestamp`).
+//
+// Warning: this method is not threadsafe and must not be used
+// concurrently.
+func (b *eventBatch) events() []wrappedEvent {
+	sort.Sort(byTimestamp(b.batch))
+	return b.batch
+}
+
+// add adds an event to the batch of events accounting for the
+// necessary overhead for an event to be logged. An error will be
+// returned if the event cannot be added to the batch due to service
+// limits.
+//
+// Warning: this method is not threadsafe and must not be used
+// concurrently.
+func (b *eventBatch) add(event wrappedEvent, size int) bool {
+	addBytes := size + perEventBytes
+
+	// verify we are still within service limits
+	switch {
+	case len(b.batch)+1 > maximumLogEventsPerPut:
+		return false
+	case b.bytes+addBytes > maximumBytesPerPut:
+		return false
+	}
+
+	b.bytes += addBytes
+	b.batch = append(b.batch, event)
+
+	return true
+}
+
+// count is the number of batched events.  Warning: this method
+// is not threadsafe and must not be used concurrently.
+func (b *eventBatch) count() int {
+	return len(b.batch)
+}
+
+// size is the total number of bytes that the batch represents.
+//
+// Warning: this method is not threadsafe and must not be used
+// concurrently.
+func (b *eventBatch) size() int {
+	return b.bytes
+}
+
+func (b *eventBatch) isEmpty() bool {
+	zeroEvents := b.count() == 0
+	zeroSize := b.size() == 0
+	return zeroEvents && zeroSize
+}
+
+// reset prepares the batch for reuse.
+func (b *eventBatch) reset() {
+	b.bytes = 0
+	b.batch = b.batch[:0]
+}
diff --git a/engine/daemon/logger/awslogs/cloudwatchlogs_test.go b/engine/daemon/logger/awslogs/cloudwatchlogs_test.go
new file mode 100644
index 00000000..6955d910
--- /dev/null
+++ b/engine/daemon/logger/awslogs/cloudwatchlogs_test.go
@@ -0,0 +1,1391 @@
+package awslogs // import "github.com/docker/docker/daemon/logger/awslogs"
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"reflect"
+	"regexp"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/aws/request"
+	"github.com/aws/aws-sdk-go/service/cloudwatchlogs"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/loggerutils"
+	"github.com/docker/docker/dockerversion"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+const (
+	groupName         = "groupName"
+	streamName        = "streamName"
+	sequenceToken     = "sequenceToken"
+	nextSequenceToken = "nextSequenceToken"
+	logline           = "this is a log line\r"
+	multilineLogline  = "2017-01-01 01:01:44 This is a multiline log entry\r"
+)
+
+// Generates i multi-line events each with j lines
+func (l *logStream) logGenerator(lineCount int, multilineCount int) {
+	for i := 0; i < multilineCount; i++ {
+		l.Log(&logger.Message{
+			Line:      []byte(multilineLogline),
+			Timestamp: time.Time{},
+		})
+		for j := 0; j < lineCount; j++ {
+			l.Log(&logger.Message{
+				Line:      []byte(logline),
+				Timestamp: time.Time{},
+			})
+		}
+	}
+}
+
+func testEventBatch(events []wrappedEvent) *eventBatch {
+	batch := newEventBatch()
+	for _, event := range events {
+		eventlen := len([]byte(*event.inputLogEvent.Message))
+		batch.add(event, eventlen)
+	}
+	return batch
+}
+
+func TestNewAWSLogsClientUserAgentHandler(t *testing.T) {
+	info := logger.Info{
+		Config: map[string]string{
+			regionKey: "us-east-1",
+		},
+	}
+
+	client, err := newAWSLogsClient(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+	realClient, ok := client.(*cloudwatchlogs.CloudWatchLogs)
+	if !ok {
+		t.Fatal("Could not cast client to cloudwatchlogs.CloudWatchLogs")
+	}
+	buildHandlerList := realClient.Handlers.Build
+	request := &request.Request{
+		HTTPRequest: &http.Request{
+			Header: http.Header{},
+		},
+	}
+	buildHandlerList.Run(request)
+	expectedUserAgentString := fmt.Sprintf("Docker %s (%s) %s/%s (%s; %s; %s)",
+		dockerversion.Version, runtime.GOOS, aws.SDKName, aws.SDKVersion, runtime.Version(), runtime.GOOS, runtime.GOARCH)
+	userAgent := request.HTTPRequest.Header.Get("User-Agent")
+	if userAgent != expectedUserAgentString {
+		t.Errorf("Wrong User-Agent string, expected \"%s\" but was \"%s\"",
+			expectedUserAgentString, userAgent)
+	}
+}
+
+func TestNewAWSLogsClientRegionDetect(t *testing.T) {
+	info := logger.Info{
+		Config: map[string]string{},
+	}
+
+	mockMetadata := newMockMetadataClient()
+	newRegionFinder = func() regionFinder {
+		return mockMetadata
+	}
+	mockMetadata.regionResult <- &regionResult{
+		successResult: "us-east-1",
+	}
+
+	_, err := newAWSLogsClient(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestCreateSuccess(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+	}
+	mockClient.createLogStreamResult <- &createLogStreamResult{}
+
+	err := stream.create()
+
+	if err != nil {
+		t.Errorf("Received unexpected err: %v\n", err)
+	}
+	argument := <-mockClient.createLogStreamArgument
+	if argument.LogGroupName == nil {
+		t.Fatal("Expected non-nil LogGroupName")
+	}
+	if *argument.LogGroupName != groupName {
+		t.Errorf("Expected LogGroupName to be %s", groupName)
+	}
+	if argument.LogStreamName == nil {
+		t.Fatal("Expected non-nil LogStreamName")
+	}
+	if *argument.LogStreamName != streamName {
+		t.Errorf("Expected LogStreamName to be %s", streamName)
+	}
+}
+
+func TestCreateLogGroupSuccess(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:         mockClient,
+		logGroupName:   groupName,
+		logStreamName:  streamName,
+		logCreateGroup: true,
+	}
+	mockClient.createLogGroupResult <- &createLogGroupResult{}
+	mockClient.createLogStreamResult <- &createLogStreamResult{}
+
+	err := stream.create()
+
+	if err != nil {
+		t.Errorf("Received unexpected err: %v\n", err)
+	}
+	argument := <-mockClient.createLogStreamArgument
+	if argument.LogGroupName == nil {
+		t.Fatal("Expected non-nil LogGroupName")
+	}
+	if *argument.LogGroupName != groupName {
+		t.Errorf("Expected LogGroupName to be %s", groupName)
+	}
+	if argument.LogStreamName == nil {
+		t.Fatal("Expected non-nil LogStreamName")
+	}
+	if *argument.LogStreamName != streamName {
+		t.Errorf("Expected LogStreamName to be %s", streamName)
+	}
+}
+
+func TestCreateError(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client: mockClient,
+	}
+	mockClient.createLogStreamResult <- &createLogStreamResult{
+		errorResult: errors.New("Error"),
+	}
+
+	err := stream.create()
+
+	if err == nil {
+		t.Fatal("Expected non-nil err")
+	}
+}
+
+func TestCreateAlreadyExists(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client: mockClient,
+	}
+	mockClient.createLogStreamResult <- &createLogStreamResult{
+		errorResult: awserr.New(resourceAlreadyExistsCode, "", nil),
+	}
+
+	err := stream.create()
+
+	if err != nil {
+		t.Fatal("Expected nil err")
+	}
+}
+
+func TestLogClosed(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client: mockClient,
+		closed: true,
+	}
+	err := stream.Log(&logger.Message{})
+	if err == nil {
+		t.Fatal("Expected non-nil error")
+	}
+}
+
+func TestLogBlocking(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:   mockClient,
+		messages: make(chan *logger.Message),
+	}
+
+	errorCh := make(chan error, 1)
+	started := make(chan bool)
+	go func() {
+		started <- true
+		err := stream.Log(&logger.Message{})
+		errorCh <- err
+	}()
+	<-started
+	select {
+	case err := <-errorCh:
+		t.Fatal("Expected stream.Log to block: ", err)
+	default:
+		break
+	}
+	select {
+	case <-stream.messages:
+		break
+	default:
+		t.Fatal("Expected to be able to read from stream.messages but was unable to")
+	}
+	select {
+	case err := <-errorCh:
+		if err != nil {
+			t.Fatal(err)
+		}
+	case <-time.After(30 * time.Second):
+		t.Fatal("timed out waiting for read")
+	}
+}
+
+func TestLogNonBlockingBufferEmpty(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:         mockClient,
+		messages:       make(chan *logger.Message, 1),
+		logNonBlocking: true,
+	}
+	err := stream.Log(&logger.Message{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestLogNonBlockingBufferFull(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:         mockClient,
+		messages:       make(chan *logger.Message, 1),
+		logNonBlocking: true,
+	}
+	stream.messages <- &logger.Message{}
+	errorCh := make(chan error)
+	started := make(chan bool)
+	go func() {
+		started <- true
+		err := stream.Log(&logger.Message{})
+		errorCh <- err
+	}()
+	<-started
+	select {
+	case err := <-errorCh:
+		if err == nil {
+			t.Fatal("Expected non-nil error")
+		}
+	case <-time.After(30 * time.Second):
+		t.Fatal("Expected Log call to not block")
+	}
+}
+func TestPublishBatchSuccess(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	events := []wrappedEvent{
+		{
+			inputLogEvent: &cloudwatchlogs.InputLogEvent{
+				Message: aws.String(logline),
+			},
+		},
+	}
+
+	stream.publishBatch(testEventBatch(events))
+	if stream.sequenceToken == nil {
+		t.Fatal("Expected non-nil sequenceToken")
+	}
+	if *stream.sequenceToken != nextSequenceToken {
+		t.Errorf("Expected sequenceToken to be %s, but was %s", nextSequenceToken, *stream.sequenceToken)
+	}
+	argument := <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if argument.SequenceToken == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput.SequenceToken")
+	}
+	if *argument.SequenceToken != sequenceToken {
+		t.Errorf("Expected PutLogEventsInput.SequenceToken to be %s, but was %s", sequenceToken, *argument.SequenceToken)
+	}
+	if len(argument.LogEvents) != 1 {
+		t.Errorf("Expected LogEvents to contain 1 element, but contains %d", len(argument.LogEvents))
+	}
+	if argument.LogEvents[0] != events[0].inputLogEvent {
+		t.Error("Expected event to equal input")
+	}
+}
+
+func TestPublishBatchError(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		errorResult: errors.New("Error"),
+	}
+
+	events := []wrappedEvent{
+		{
+			inputLogEvent: &cloudwatchlogs.InputLogEvent{
+				Message: aws.String(logline),
+			},
+		},
+	}
+
+	stream.publishBatch(testEventBatch(events))
+	if stream.sequenceToken == nil {
+		t.Fatal("Expected non-nil sequenceToken")
+	}
+	if *stream.sequenceToken != sequenceToken {
+		t.Errorf("Expected sequenceToken to be %s, but was %s", sequenceToken, *stream.sequenceToken)
+	}
+}
+
+func TestPublishBatchInvalidSeqSuccess(t *testing.T) {
+	mockClient := newMockClientBuffered(2)
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		errorResult: awserr.New(invalidSequenceTokenCode, "use token token", nil),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+
+	events := []wrappedEvent{
+		{
+			inputLogEvent: &cloudwatchlogs.InputLogEvent{
+				Message: aws.String(logline),
+			},
+		},
+	}
+
+	stream.publishBatch(testEventBatch(events))
+	if stream.sequenceToken == nil {
+		t.Fatal("Expected non-nil sequenceToken")
+	}
+	if *stream.sequenceToken != nextSequenceToken {
+		t.Errorf("Expected sequenceToken to be %s, but was %s", nextSequenceToken, *stream.sequenceToken)
+	}
+
+	argument := <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if argument.SequenceToken == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput.SequenceToken")
+	}
+	if *argument.SequenceToken != sequenceToken {
+		t.Errorf("Expected PutLogEventsInput.SequenceToken to be %s, but was %s", sequenceToken, *argument.SequenceToken)
+	}
+	if len(argument.LogEvents) != 1 {
+		t.Errorf("Expected LogEvents to contain 1 element, but contains %d", len(argument.LogEvents))
+	}
+	if argument.LogEvents[0] != events[0].inputLogEvent {
+		t.Error("Expected event to equal input")
+	}
+
+	argument = <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if argument.SequenceToken == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput.SequenceToken")
+	}
+	if *argument.SequenceToken != "token" {
+		t.Errorf("Expected PutLogEventsInput.SequenceToken to be %s, but was %s", "token", *argument.SequenceToken)
+	}
+	if len(argument.LogEvents) != 1 {
+		t.Errorf("Expected LogEvents to contain 1 element, but contains %d", len(argument.LogEvents))
+	}
+	if argument.LogEvents[0] != events[0].inputLogEvent {
+		t.Error("Expected event to equal input")
+	}
+}
+
+func TestPublishBatchAlreadyAccepted(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		errorResult: awserr.New(dataAlreadyAcceptedCode, "use token token", nil),
+	}
+
+	events := []wrappedEvent{
+		{
+			inputLogEvent: &cloudwatchlogs.InputLogEvent{
+				Message: aws.String(logline),
+			},
+		},
+	}
+
+	stream.publishBatch(testEventBatch(events))
+	if stream.sequenceToken == nil {
+		t.Fatal("Expected non-nil sequenceToken")
+	}
+	if *stream.sequenceToken != "token" {
+		t.Errorf("Expected sequenceToken to be %s, but was %s", "token", *stream.sequenceToken)
+	}
+
+	argument := <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if argument.SequenceToken == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput.SequenceToken")
+	}
+	if *argument.SequenceToken != sequenceToken {
+		t.Errorf("Expected PutLogEventsInput.SequenceToken to be %s, but was %s", sequenceToken, *argument.SequenceToken)
+	}
+	if len(argument.LogEvents) != 1 {
+		t.Errorf("Expected LogEvents to contain 1 element, but contains %d", len(argument.LogEvents))
+	}
+	if argument.LogEvents[0] != events[0].inputLogEvent {
+		t.Error("Expected event to equal input")
+	}
+}
+
+func TestCollectBatchSimple(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+		messages:      make(chan *logger.Message),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	ticks := make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	stream.Log(&logger.Message{
+		Line:      []byte(logline),
+		Timestamp: time.Time{},
+	})
+
+	ticks <- time.Time{}
+	stream.Close()
+
+	argument := <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if len(argument.LogEvents) != 1 {
+		t.Errorf("Expected LogEvents to contain 1 element, but contains %d", len(argument.LogEvents))
+	}
+	if *argument.LogEvents[0].Message != logline {
+		t.Errorf("Expected message to be %s but was %s", logline, *argument.LogEvents[0].Message)
+	}
+}
+
+func TestCollectBatchTicker(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+		messages:      make(chan *logger.Message),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	ticks := make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	stream.Log(&logger.Message{
+		Line:      []byte(logline + " 1"),
+		Timestamp: time.Time{},
+	})
+	stream.Log(&logger.Message{
+		Line:      []byte(logline + " 2"),
+		Timestamp: time.Time{},
+	})
+
+	ticks <- time.Time{}
+
+	// Verify first batch
+	argument := <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if len(argument.LogEvents) != 2 {
+		t.Errorf("Expected LogEvents to contain 2 elements, but contains %d", len(argument.LogEvents))
+	}
+	if *argument.LogEvents[0].Message != logline+" 1" {
+		t.Errorf("Expected message to be %s but was %s", logline+" 1", *argument.LogEvents[0].Message)
+	}
+	if *argument.LogEvents[1].Message != logline+" 2" {
+		t.Errorf("Expected message to be %s but was %s", logline+" 2", *argument.LogEvents[0].Message)
+	}
+
+	stream.Log(&logger.Message{
+		Line:      []byte(logline + " 3"),
+		Timestamp: time.Time{},
+	})
+
+	ticks <- time.Time{}
+	argument = <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if len(argument.LogEvents) != 1 {
+		t.Errorf("Expected LogEvents to contain 1 elements, but contains %d", len(argument.LogEvents))
+	}
+	if *argument.LogEvents[0].Message != logline+" 3" {
+		t.Errorf("Expected message to be %s but was %s", logline+" 3", *argument.LogEvents[0].Message)
+	}
+
+	stream.Close()
+
+}
+
+func TestCollectBatchMultilinePattern(t *testing.T) {
+	mockClient := newMockClient()
+	multilinePattern := regexp.MustCompile("xxxx")
+	stream := &logStream{
+		client:           mockClient,
+		logGroupName:     groupName,
+		logStreamName:    streamName,
+		multilinePattern: multilinePattern,
+		sequenceToken:    aws.String(sequenceToken),
+		messages:         make(chan *logger.Message),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	ticks := make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	stream.Log(&logger.Message{
+		Line:      []byte(logline),
+		Timestamp: time.Now(),
+	})
+	stream.Log(&logger.Message{
+		Line:      []byte(logline),
+		Timestamp: time.Now(),
+	})
+	stream.Log(&logger.Message{
+		Line:      []byte("xxxx " + logline),
+		Timestamp: time.Now(),
+	})
+
+	ticks <- time.Now()
+
+	// Verify single multiline event
+	argument := <-mockClient.putLogEventsArgument
+	assert.Check(t, argument != nil, "Expected non-nil PutLogEventsInput")
+	assert.Check(t, is.Equal(1, len(argument.LogEvents)), "Expected single multiline event")
+	assert.Check(t, is.Equal(logline+"\n"+logline+"\n", *argument.LogEvents[0].Message), "Received incorrect multiline message")
+
+	stream.Close()
+
+	// Verify single event
+	argument = <-mockClient.putLogEventsArgument
+	assert.Check(t, argument != nil, "Expected non-nil PutLogEventsInput")
+	assert.Check(t, is.Equal(1, len(argument.LogEvents)), "Expected single multiline event")
+	assert.Check(t, is.Equal("xxxx "+logline+"\n", *argument.LogEvents[0].Message), "Received incorrect multiline message")
+}
+
+func BenchmarkCollectBatch(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		mockClient := newMockClient()
+		stream := &logStream{
+			client:        mockClient,
+			logGroupName:  groupName,
+			logStreamName: streamName,
+			sequenceToken: aws.String(sequenceToken),
+			messages:      make(chan *logger.Message),
+		}
+		mockClient.putLogEventsResult <- &putLogEventsResult{
+			successResult: &cloudwatchlogs.PutLogEventsOutput{
+				NextSequenceToken: aws.String(nextSequenceToken),
+			},
+		}
+		ticks := make(chan time.Time)
+		newTicker = func(_ time.Duration) *time.Ticker {
+			return &time.Ticker{
+				C: ticks,
+			}
+		}
+
+		d := make(chan bool)
+		close(d)
+		go stream.collectBatch(d)
+		stream.logGenerator(10, 100)
+		ticks <- time.Time{}
+		stream.Close()
+	}
+}
+
+func BenchmarkCollectBatchMultilinePattern(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		mockClient := newMockClient()
+		multilinePattern := regexp.MustCompile(`\d{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[1,2][0-9]|3[0,1]) (?:[0,1][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]`)
+		stream := &logStream{
+			client:           mockClient,
+			logGroupName:     groupName,
+			logStreamName:    streamName,
+			multilinePattern: multilinePattern,
+			sequenceToken:    aws.String(sequenceToken),
+			messages:         make(chan *logger.Message),
+		}
+		mockClient.putLogEventsResult <- &putLogEventsResult{
+			successResult: &cloudwatchlogs.PutLogEventsOutput{
+				NextSequenceToken: aws.String(nextSequenceToken),
+			},
+		}
+		ticks := make(chan time.Time)
+		newTicker = func(_ time.Duration) *time.Ticker {
+			return &time.Ticker{
+				C: ticks,
+			}
+		}
+		d := make(chan bool)
+		close(d)
+		go stream.collectBatch(d)
+		stream.logGenerator(10, 100)
+		ticks <- time.Time{}
+		stream.Close()
+	}
+}
+
+func TestCollectBatchMultilinePatternMaxEventAge(t *testing.T) {
+	mockClient := newMockClient()
+	multilinePattern := regexp.MustCompile("xxxx")
+	stream := &logStream{
+		client:           mockClient,
+		logGroupName:     groupName,
+		logStreamName:    streamName,
+		multilinePattern: multilinePattern,
+		sequenceToken:    aws.String(sequenceToken),
+		messages:         make(chan *logger.Message),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	ticks := make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	stream.Log(&logger.Message{
+		Line:      []byte(logline),
+		Timestamp: time.Now(),
+	})
+
+	// Log an event 1 second later
+	stream.Log(&logger.Message{
+		Line:      []byte(logline),
+		Timestamp: time.Now().Add(time.Second),
+	})
+
+	// Fire ticker batchPublishFrequency seconds later
+	ticks <- time.Now().Add(batchPublishFrequency + time.Second)
+
+	// Verify single multiline event is flushed after maximum event buffer age (batchPublishFrequency)
+	argument := <-mockClient.putLogEventsArgument
+	assert.Check(t, argument != nil, "Expected non-nil PutLogEventsInput")
+	assert.Check(t, is.Equal(1, len(argument.LogEvents)), "Expected single multiline event")
+	assert.Check(t, is.Equal(logline+"\n"+logline+"\n", *argument.LogEvents[0].Message), "Received incorrect multiline message")
+
+	// Log an event 1 second later
+	stream.Log(&logger.Message{
+		Line:      []byte(logline),
+		Timestamp: time.Now().Add(time.Second),
+	})
+
+	// Fire ticker another batchPublishFrequency seconds later
+	ticks <- time.Now().Add(2*batchPublishFrequency + time.Second)
+
+	// Verify the event buffer is truly flushed - we should only receive a single event
+	argument = <-mockClient.putLogEventsArgument
+	assert.Check(t, argument != nil, "Expected non-nil PutLogEventsInput")
+	assert.Check(t, is.Equal(1, len(argument.LogEvents)), "Expected single multiline event")
+	assert.Check(t, is.Equal(logline+"\n", *argument.LogEvents[0].Message), "Received incorrect multiline message")
+	stream.Close()
+}
+
+func TestCollectBatchMultilinePatternNegativeEventAge(t *testing.T) {
+	mockClient := newMockClient()
+	multilinePattern := regexp.MustCompile("xxxx")
+	stream := &logStream{
+		client:           mockClient,
+		logGroupName:     groupName,
+		logStreamName:    streamName,
+		multilinePattern: multilinePattern,
+		sequenceToken:    aws.String(sequenceToken),
+		messages:         make(chan *logger.Message),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	ticks := make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	stream.Log(&logger.Message{
+		Line:      []byte(logline),
+		Timestamp: time.Now(),
+	})
+
+	// Log an event 1 second later
+	stream.Log(&logger.Message{
+		Line:      []byte(logline),
+		Timestamp: time.Now().Add(time.Second),
+	})
+
+	// Fire ticker in past to simulate negative event buffer age
+	ticks <- time.Now().Add(-time.Second)
+
+	// Verify single multiline event is flushed with a negative event buffer age
+	argument := <-mockClient.putLogEventsArgument
+	assert.Check(t, argument != nil, "Expected non-nil PutLogEventsInput")
+	assert.Check(t, is.Equal(1, len(argument.LogEvents)), "Expected single multiline event")
+	assert.Check(t, is.Equal(logline+"\n"+logline+"\n", *argument.LogEvents[0].Message), "Received incorrect multiline message")
+
+	stream.Close()
+}
+
+func TestCollectBatchMultilinePatternMaxEventSize(t *testing.T) {
+	mockClient := newMockClient()
+	multilinePattern := regexp.MustCompile("xxxx")
+	stream := &logStream{
+		client:           mockClient,
+		logGroupName:     groupName,
+		logStreamName:    streamName,
+		multilinePattern: multilinePattern,
+		sequenceToken:    aws.String(sequenceToken),
+		messages:         make(chan *logger.Message),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	ticks := make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	// Log max event size
+	longline := strings.Repeat("A", maximumBytesPerEvent)
+	stream.Log(&logger.Message{
+		Line:      []byte(longline),
+		Timestamp: time.Now(),
+	})
+
+	// Log short event
+	shortline := strings.Repeat("B", 100)
+	stream.Log(&logger.Message{
+		Line:      []byte(shortline),
+		Timestamp: time.Now(),
+	})
+
+	// Fire ticker
+	ticks <- time.Now().Add(batchPublishFrequency)
+
+	// Verify multiline events
+	// We expect a maximum sized event with no new line characters and a
+	// second short event with a new line character at the end
+	argument := <-mockClient.putLogEventsArgument
+	assert.Check(t, argument != nil, "Expected non-nil PutLogEventsInput")
+	assert.Check(t, is.Equal(2, len(argument.LogEvents)), "Expected two events")
+	assert.Check(t, is.Equal(longline, *argument.LogEvents[0].Message), "Received incorrect multiline message")
+	assert.Check(t, is.Equal(shortline+"\n", *argument.LogEvents[1].Message), "Received incorrect multiline message")
+	stream.Close()
+}
+
+func TestCollectBatchClose(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+		messages:      make(chan *logger.Message),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	var ticks = make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	stream.Log(&logger.Message{
+		Line:      []byte(logline),
+		Timestamp: time.Time{},
+	})
+
+	// no ticks
+	stream.Close()
+
+	argument := <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if len(argument.LogEvents) != 1 {
+		t.Errorf("Expected LogEvents to contain 1 element, but contains %d", len(argument.LogEvents))
+	}
+	if *argument.LogEvents[0].Message != logline {
+		t.Errorf("Expected message to be %s but was %s", logline, *argument.LogEvents[0].Message)
+	}
+}
+
+func TestCollectBatchLineSplit(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+		messages:      make(chan *logger.Message),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	var ticks = make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	longline := strings.Repeat("A", maximumBytesPerEvent)
+	stream.Log(&logger.Message{
+		Line:      []byte(longline + "B"),
+		Timestamp: time.Time{},
+	})
+
+	// no ticks
+	stream.Close()
+
+	argument := <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if len(argument.LogEvents) != 2 {
+		t.Errorf("Expected LogEvents to contain 2 elements, but contains %d", len(argument.LogEvents))
+	}
+	if *argument.LogEvents[0].Message != longline {
+		t.Errorf("Expected message to be %s but was %s", longline, *argument.LogEvents[0].Message)
+	}
+	if *argument.LogEvents[1].Message != "B" {
+		t.Errorf("Expected message to be %s but was %s", "B", *argument.LogEvents[1].Message)
+	}
+}
+
+func TestCollectBatchMaxEvents(t *testing.T) {
+	mockClient := newMockClientBuffered(1)
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+		messages:      make(chan *logger.Message),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	var ticks = make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	line := "A"
+	for i := 0; i <= maximumLogEventsPerPut; i++ {
+		stream.Log(&logger.Message{
+			Line:      []byte(line),
+			Timestamp: time.Time{},
+		})
+	}
+
+	// no ticks
+	stream.Close()
+
+	argument := <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if len(argument.LogEvents) != maximumLogEventsPerPut {
+		t.Errorf("Expected LogEvents to contain %d elements, but contains %d", maximumLogEventsPerPut, len(argument.LogEvents))
+	}
+
+	argument = <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if len(argument.LogEvents) != 1 {
+		t.Errorf("Expected LogEvents to contain %d elements, but contains %d", 1, len(argument.LogEvents))
+	}
+}
+
+func TestCollectBatchMaxTotalBytes(t *testing.T) {
+	expectedPuts := 2
+	mockClient := newMockClientBuffered(expectedPuts)
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+		messages:      make(chan *logger.Message),
+	}
+	for i := 0; i < expectedPuts; i++ {
+		mockClient.putLogEventsResult <- &putLogEventsResult{
+			successResult: &cloudwatchlogs.PutLogEventsOutput{
+				NextSequenceToken: aws.String(nextSequenceToken),
+			},
+		}
+	}
+
+	var ticks = make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	numPayloads := maximumBytesPerPut / (maximumBytesPerEvent + perEventBytes)
+	// maxline is the maximum line that could be submitted after
+	// accounting for its overhead.
+	maxline := strings.Repeat("A", maximumBytesPerPut-(perEventBytes*numPayloads))
+	// This will be split and batched up to the `maximumBytesPerPut'
+	// (+/- `maximumBytesPerEvent'). This /should/ be aligned, but
+	// should also tolerate an offset within that range.
+	stream.Log(&logger.Message{
+		Line:      []byte(maxline[:len(maxline)/2]),
+		Timestamp: time.Time{},
+	})
+	stream.Log(&logger.Message{
+		Line:      []byte(maxline[len(maxline)/2:]),
+		Timestamp: time.Time{},
+	})
+	stream.Log(&logger.Message{
+		Line:      []byte("B"),
+		Timestamp: time.Time{},
+	})
+
+	// no ticks, guarantee batch by size (and chan close)
+	stream.Close()
+
+	argument := <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+
+	// Should total to the maximum allowed bytes.
+	eventBytes := 0
+	for _, event := range argument.LogEvents {
+		eventBytes += len(*event.Message)
+	}
+	eventsOverhead := len(argument.LogEvents) * perEventBytes
+	payloadTotal := eventBytes + eventsOverhead
+	// lowestMaxBatch allows the payload to be offset if the messages
+	// don't lend themselves to align with the maximum event size.
+	lowestMaxBatch := maximumBytesPerPut - maximumBytesPerEvent
+
+	if payloadTotal > maximumBytesPerPut {
+		t.Errorf("Expected <= %d bytes but was %d", maximumBytesPerPut, payloadTotal)
+	}
+	if payloadTotal < lowestMaxBatch {
+		t.Errorf("Batch to be no less than %d but was %d", lowestMaxBatch, payloadTotal)
+	}
+
+	argument = <-mockClient.putLogEventsArgument
+	if len(argument.LogEvents) != 1 {
+		t.Errorf("Expected LogEvents to contain 1 elements, but contains %d", len(argument.LogEvents))
+	}
+	message := *argument.LogEvents[len(argument.LogEvents)-1].Message
+	if message[len(message)-1:] != "B" {
+		t.Errorf("Expected message to be %s but was %s", "B", message[len(message)-1:])
+	}
+}
+
+func TestCollectBatchWithDuplicateTimestamps(t *testing.T) {
+	mockClient := newMockClient()
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: streamName,
+		sequenceToken: aws.String(sequenceToken),
+		messages:      make(chan *logger.Message),
+	}
+	mockClient.putLogEventsResult <- &putLogEventsResult{
+		successResult: &cloudwatchlogs.PutLogEventsOutput{
+			NextSequenceToken: aws.String(nextSequenceToken),
+		},
+	}
+	ticks := make(chan time.Time)
+	newTicker = func(_ time.Duration) *time.Ticker {
+		return &time.Ticker{
+			C: ticks,
+		}
+	}
+
+	d := make(chan bool)
+	close(d)
+	go stream.collectBatch(d)
+
+	var expectedEvents []*cloudwatchlogs.InputLogEvent
+	times := maximumLogEventsPerPut
+	timestamp := time.Now()
+	for i := 0; i < times; i++ {
+		line := fmt.Sprintf("%d", i)
+		if i%2 == 0 {
+			timestamp.Add(1 * time.Nanosecond)
+		}
+		stream.Log(&logger.Message{
+			Line:      []byte(line),
+			Timestamp: timestamp,
+		})
+		expectedEvents = append(expectedEvents, &cloudwatchlogs.InputLogEvent{
+			Message:   aws.String(line),
+			Timestamp: aws.Int64(timestamp.UnixNano() / int64(time.Millisecond)),
+		})
+	}
+
+	ticks <- time.Time{}
+	stream.Close()
+
+	argument := <-mockClient.putLogEventsArgument
+	if argument == nil {
+		t.Fatal("Expected non-nil PutLogEventsInput")
+	}
+	if len(argument.LogEvents) != times {
+		t.Errorf("Expected LogEvents to contain %d elements, but contains %d", times, len(argument.LogEvents))
+	}
+	for i := 0; i < times; i++ {
+		if !reflect.DeepEqual(*argument.LogEvents[i], *expectedEvents[i]) {
+			t.Errorf("Expected event to be %v but was %v", *expectedEvents[i], *argument.LogEvents[i])
+		}
+	}
+}
+
+func TestParseLogOptionsMultilinePattern(t *testing.T) {
+	info := logger.Info{
+		Config: map[string]string{
+			multilinePatternKey: "^xxxx",
+		},
+	}
+
+	multilinePattern, err := parseMultilineOptions(info)
+	assert.Check(t, err, "Received unexpected error")
+	assert.Check(t, multilinePattern.MatchString("xxxx"), "No multiline pattern match found")
+}
+
+func TestParseLogOptionsDatetimeFormat(t *testing.T) {
+	datetimeFormatTests := []struct {
+		format string
+		match  string
+	}{
+		{"%d/%m/%y %a %H:%M:%S%L %Z", "31/12/10 Mon 08:42:44.345 NZDT"},
+		{"%Y-%m-%d %A %I:%M:%S.%f%p%z", "2007-12-04 Monday 08:42:44.123456AM+1200"},
+		{"%b|%b|%b|%b|%b|%b|%b|%b|%b|%b|%b|%b", "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"},
+		{"%B|%B|%B|%B|%B|%B|%B|%B|%B|%B|%B|%B", "January|February|March|April|May|June|July|August|September|October|November|December"},
+		{"%A|%A|%A|%A|%A|%A|%A", "Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday"},
+		{"%a|%a|%a|%a|%a|%a|%a", "Mon|Tue|Wed|Thu|Fri|Sat|Sun"},
+		{"Day of the week: %w, Day of the year: %j", "Day of the week: 4, Day of the year: 091"},
+	}
+	for _, dt := range datetimeFormatTests {
+		t.Run(dt.match, func(t *testing.T) {
+			info := logger.Info{
+				Config: map[string]string{
+					datetimeFormatKey: dt.format,
+				},
+			}
+			multilinePattern, err := parseMultilineOptions(info)
+			assert.Check(t, err, "Received unexpected error")
+			assert.Check(t, multilinePattern.MatchString(dt.match), "No multiline pattern match found")
+		})
+	}
+}
+
+func TestValidateLogOptionsDatetimeFormatAndMultilinePattern(t *testing.T) {
+	cfg := map[string]string{
+		multilinePatternKey: "^xxxx",
+		datetimeFormatKey:   "%Y-%m-%d",
+		logGroupKey:         groupName,
+	}
+	conflictingLogOptionsError := "you cannot configure log opt 'awslogs-datetime-format' and 'awslogs-multiline-pattern' at the same time"
+
+	err := ValidateLogOpt(cfg)
+	assert.Check(t, err != nil, "Expected an error")
+	assert.Check(t, is.Equal(err.Error(), conflictingLogOptionsError), "Received invalid error")
+}
+
+func TestCreateTagSuccess(t *testing.T) {
+	mockClient := newMockClient()
+	info := logger.Info{
+		ContainerName: "/test-container",
+		ContainerID:   "container-abcdefghijklmnopqrstuvwxyz01234567890",
+		Config:        map[string]string{"tag": "{{.Name}}/{{.FullID}}"},
+	}
+	logStreamName, e := loggerutils.ParseLogTag(info, loggerutils.DefaultTemplate)
+	if e != nil {
+		t.Errorf("Error generating tag: %q", e)
+	}
+	stream := &logStream{
+		client:        mockClient,
+		logGroupName:  groupName,
+		logStreamName: logStreamName,
+	}
+	mockClient.createLogStreamResult <- &createLogStreamResult{}
+
+	err := stream.create()
+
+	if err != nil {
+		t.Errorf("Received unexpected err: %v\n", err)
+	}
+	argument := <-mockClient.createLogStreamArgument
+
+	if *argument.LogStreamName != "test-container/container-abcdefghijklmnopqrstuvwxyz01234567890" {
+		t.Errorf("Expected LogStreamName to be %s", "test-container/container-abcdefghijklmnopqrstuvwxyz01234567890")
+	}
+}
+
+func BenchmarkUnwrapEvents(b *testing.B) {
+	events := make([]wrappedEvent, maximumLogEventsPerPut)
+	for i := 0; i < maximumLogEventsPerPut; i++ {
+		mes := strings.Repeat("0", maximumBytesPerEvent)
+		events[i].inputLogEvent = &cloudwatchlogs.InputLogEvent{
+			Message: &mes,
+		}
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		res := unwrapEvents(events)
+		assert.Check(b, is.Len(res, maximumLogEventsPerPut))
+	}
+}
+
+func TestNewAWSLogsClientCredentialEndpointDetect(t *testing.T) {
+	// required for the cloudwatchlogs client
+	os.Setenv("AWS_REGION", "us-west-2")
+	defer os.Unsetenv("AWS_REGION")
+
+	credsResp := `{
+		"AccessKeyId" :    "test-access-key-id",
+		"SecretAccessKey": "test-secret-access-key"
+		}`
+
+	expectedAccessKeyID := "test-access-key-id"
+	expectedSecretAccessKey := "test-secret-access-key"
+
+	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Fprintln(w, credsResp)
+	}))
+	defer testServer.Close()
+
+	// set the SDKEndpoint in the driver
+	newSDKEndpoint = testServer.URL
+
+	info := logger.Info{
+		Config: map[string]string{},
+	}
+
+	info.Config["awslogs-credentials-endpoint"] = "/creds"
+
+	c, err := newAWSLogsClient(info)
+	assert.Check(t, err)
+
+	client := c.(*cloudwatchlogs.CloudWatchLogs)
+
+	creds, err := client.Config.Credentials.Get()
+	assert.Check(t, err)
+
+	assert.Check(t, is.Equal(expectedAccessKeyID, creds.AccessKeyID))
+	assert.Check(t, is.Equal(expectedSecretAccessKey, creds.SecretAccessKey))
+}
+
+func TestNewAWSLogsClientCredentialEnvironmentVariable(t *testing.T) {
+	// required for the cloudwatchlogs client
+	os.Setenv("AWS_REGION", "us-west-2")
+	defer os.Unsetenv("AWS_REGION")
+
+	expectedAccessKeyID := "test-access-key-id"
+	expectedSecretAccessKey := "test-secret-access-key"
+
+	os.Setenv("AWS_ACCESS_KEY_ID", expectedAccessKeyID)
+	defer os.Unsetenv("AWS_ACCESS_KEY_ID")
+
+	os.Setenv("AWS_SECRET_ACCESS_KEY", expectedSecretAccessKey)
+	defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
+
+	info := logger.Info{
+		Config: map[string]string{},
+	}
+
+	c, err := newAWSLogsClient(info)
+	assert.Check(t, err)
+
+	client := c.(*cloudwatchlogs.CloudWatchLogs)
+
+	creds, err := client.Config.Credentials.Get()
+	assert.Check(t, err)
+
+	assert.Check(t, is.Equal(expectedAccessKeyID, creds.AccessKeyID))
+	assert.Check(t, is.Equal(expectedSecretAccessKey, creds.SecretAccessKey))
+
+}
+
+func TestNewAWSLogsClientCredentialSharedFile(t *testing.T) {
+	// required for the cloudwatchlogs client
+	os.Setenv("AWS_REGION", "us-west-2")
+	defer os.Unsetenv("AWS_REGION")
+
+	expectedAccessKeyID := "test-access-key-id"
+	expectedSecretAccessKey := "test-secret-access-key"
+
+	contentStr := `
+	[default]
+	aws_access_key_id = "test-access-key-id"
+	aws_secret_access_key =  "test-secret-access-key"
+	`
+	content := []byte(contentStr)
+
+	tmpfile, err := ioutil.TempFile("", "example")
+	defer os.Remove(tmpfile.Name()) // clean up
+	assert.Check(t, err)
+
+	_, err = tmpfile.Write(content)
+	assert.Check(t, err)
+
+	err = tmpfile.Close()
+	assert.Check(t, err)
+
+	os.Unsetenv("AWS_ACCESS_KEY_ID")
+	os.Unsetenv("AWS_SECRET_ACCESS_KEY")
+
+	os.Setenv("AWS_SHARED_CREDENTIALS_FILE", tmpfile.Name())
+	defer os.Unsetenv("AWS_SHARED_CREDENTIALS_FILE")
+
+	info := logger.Info{
+		Config: map[string]string{},
+	}
+
+	c, err := newAWSLogsClient(info)
+	assert.Check(t, err)
+
+	client := c.(*cloudwatchlogs.CloudWatchLogs)
+
+	creds, err := client.Config.Credentials.Get()
+	assert.Check(t, err)
+
+	assert.Check(t, is.Equal(expectedAccessKeyID, creds.AccessKeyID))
+	assert.Check(t, is.Equal(expectedSecretAccessKey, creds.SecretAccessKey))
+}
diff --git a/engine/daemon/logger/awslogs/cwlogsiface_mock_test.go b/engine/daemon/logger/awslogs/cwlogsiface_mock_test.go
new file mode 100644
index 00000000..155e602b
--- /dev/null
+++ b/engine/daemon/logger/awslogs/cwlogsiface_mock_test.go
@@ -0,0 +1,119 @@
+package awslogs // import "github.com/docker/docker/daemon/logger/awslogs"
+
+import (
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/service/cloudwatchlogs"
+)
+
+type mockcwlogsclient struct {
+	createLogGroupArgument  chan *cloudwatchlogs.CreateLogGroupInput
+	createLogGroupResult    chan *createLogGroupResult
+	createLogStreamArgument chan *cloudwatchlogs.CreateLogStreamInput
+	createLogStreamResult   chan *createLogStreamResult
+	putLogEventsArgument    chan *cloudwatchlogs.PutLogEventsInput
+	putLogEventsResult      chan *putLogEventsResult
+}
+
+type createLogGroupResult struct {
+	successResult *cloudwatchlogs.CreateLogGroupOutput
+	errorResult   error
+}
+
+type createLogStreamResult struct {
+	successResult *cloudwatchlogs.CreateLogStreamOutput
+	errorResult   error
+}
+
+type putLogEventsResult struct {
+	successResult *cloudwatchlogs.PutLogEventsOutput
+	errorResult   error
+}
+
+func newMockClient() *mockcwlogsclient {
+	return &mockcwlogsclient{
+		createLogGroupArgument:  make(chan *cloudwatchlogs.CreateLogGroupInput, 1),
+		createLogGroupResult:    make(chan *createLogGroupResult, 1),
+		createLogStreamArgument: make(chan *cloudwatchlogs.CreateLogStreamInput, 1),
+		createLogStreamResult:   make(chan *createLogStreamResult, 1),
+		putLogEventsArgument:    make(chan *cloudwatchlogs.PutLogEventsInput, 1),
+		putLogEventsResult:      make(chan *putLogEventsResult, 1),
+	}
+}
+
+func newMockClientBuffered(buflen int) *mockcwlogsclient {
+	return &mockcwlogsclient{
+		createLogStreamArgument: make(chan *cloudwatchlogs.CreateLogStreamInput, buflen),
+		createLogStreamResult:   make(chan *createLogStreamResult, buflen),
+		putLogEventsArgument:    make(chan *cloudwatchlogs.PutLogEventsInput, buflen),
+		putLogEventsResult:      make(chan *putLogEventsResult, buflen),
+	}
+}
+
+func (m *mockcwlogsclient) CreateLogGroup(input *cloudwatchlogs.CreateLogGroupInput) (*cloudwatchlogs.CreateLogGroupOutput, error) {
+	m.createLogGroupArgument <- input
+	output := <-m.createLogGroupResult
+	return output.successResult, output.errorResult
+}
+
+func (m *mockcwlogsclient) CreateLogStream(input *cloudwatchlogs.CreateLogStreamInput) (*cloudwatchlogs.CreateLogStreamOutput, error) {
+	m.createLogStreamArgument <- input
+	output := <-m.createLogStreamResult
+	return output.successResult, output.errorResult
+}
+
+func (m *mockcwlogsclient) PutLogEvents(input *cloudwatchlogs.PutLogEventsInput) (*cloudwatchlogs.PutLogEventsOutput, error) {
+	events := make([]*cloudwatchlogs.InputLogEvent, len(input.LogEvents))
+	copy(events, input.LogEvents)
+	m.putLogEventsArgument <- &cloudwatchlogs.PutLogEventsInput{
+		LogEvents:     events,
+		SequenceToken: input.SequenceToken,
+		LogGroupName:  input.LogGroupName,
+		LogStreamName: input.LogStreamName,
+	}
+
+	// Intended mock output
+	output := <-m.putLogEventsResult
+
+	// Checked enforced limits in mock
+	totalBytes := 0
+	for _, evt := range events {
+		if evt.Message == nil {
+			continue
+		}
+		eventBytes := len([]byte(*evt.Message))
+		if eventBytes > maximumBytesPerEvent {
+			// exceeded per event message size limits
+			return nil, fmt.Errorf("maximum bytes per event exceeded: Event too large %d, max allowed: %d", eventBytes, maximumBytesPerEvent)
+		}
+		// total event bytes including overhead
+		totalBytes += eventBytes + perEventBytes
+	}
+
+	if totalBytes > maximumBytesPerPut {
+		// exceeded per put maximum size limit
+		return nil, fmt.Errorf("maximum bytes per put exceeded: Upload too large %d, max allowed: %d", totalBytes, maximumBytesPerPut)
+	}
+
+	return output.successResult, output.errorResult
+}
+
+type mockmetadataclient struct {
+	regionResult chan *regionResult
+}
+
+type regionResult struct {
+	successResult string
+	errorResult   error
+}
+
+func newMockMetadataClient() *mockmetadataclient {
+	return &mockmetadataclient{
+		regionResult: make(chan *regionResult, 1),
+	}
+}
+
+func (m *mockmetadataclient) Region() (string, error) {
+	output := <-m.regionResult
+	return output.successResult, output.errorResult
+}
diff --git a/engine/daemon/logger/copier.go b/engine/daemon/logger/copier.go
new file mode 100644
index 00000000..e24272fa
--- /dev/null
+++ b/engine/daemon/logger/copier.go
@@ -0,0 +1,186 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"bytes"
+	"io"
+	"sync"
+	"time"
+
+	types "github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	// readSize is the maximum bytes read during a single read
+	// operation.
+	readSize = 2 * 1024
+
+	// defaultBufSize provides a reasonable default for loggers that do
+	// not have an external limit to impose on log line size.
+	defaultBufSize = 16 * 1024
+)
+
+// Copier can copy logs from specified sources to Logger and attach Timestamp.
+// Writes are concurrent, so you need implement some sync in your logger.
+type Copier struct {
+	// srcs is map of name -> reader pairs, for example "stdout", "stderr"
+	srcs      map[string]io.Reader
+	dst       Logger
+	copyJobs  sync.WaitGroup
+	closeOnce sync.Once
+	closed    chan struct{}
+}
+
+// NewCopier creates a new Copier
+func NewCopier(srcs map[string]io.Reader, dst Logger) *Copier {
+	return &Copier{
+		srcs:   srcs,
+		dst:    dst,
+		closed: make(chan struct{}),
+	}
+}
+
+// Run starts logs copying
+func (c *Copier) Run() {
+	for src, w := range c.srcs {
+		c.copyJobs.Add(1)
+		go c.copySrc(src, w)
+	}
+}
+
+func (c *Copier) copySrc(name string, src io.Reader) {
+	defer c.copyJobs.Done()
+
+	bufSize := defaultBufSize
+	if sizedLogger, ok := c.dst.(SizedLogger); ok {
+		bufSize = sizedLogger.BufSize()
+	}
+	buf := make([]byte, bufSize)
+
+	n := 0
+	eof := false
+	var partialid string
+	var partialTS time.Time
+	var ordinal int
+	firstPartial := true
+	hasMorePartial := false
+
+	for {
+		select {
+		case <-c.closed:
+			return
+		default:
+			// Work out how much more data we are okay with reading this time.
+			upto := n + readSize
+			if upto > cap(buf) {
+				upto = cap(buf)
+			}
+			// Try to read that data.
+			if upto > n {
+				read, err := src.Read(buf[n:upto])
+				if err != nil {
+					if err != io.EOF {
+						logReadsFailedCount.Inc(1)
+						logrus.Errorf("Error scanning log stream: %s", err)
+						return
+					}
+					eof = true
+				}
+				n += read
+			}
+			// If we have no data to log, and there's no more coming, we're done.
+			if n == 0 && eof {
+				return
+			}
+			// Break up the data that we've buffered up into lines, and log each in turn.
+			p := 0
+
+			for q := bytes.IndexByte(buf[p:n], '\n'); q >= 0; q = bytes.IndexByte(buf[p:n], '\n') {
+				select {
+				case <-c.closed:
+					return
+				default:
+					msg := NewMessage()
+					msg.Source = name
+					msg.Line = append(msg.Line, buf[p:p+q]...)
+
+					if hasMorePartial {
+						msg.PLogMetaData = &types.PartialLogMetaData{ID: partialid, Ordinal: ordinal, Last: true}
+
+						// reset
+						partialid = ""
+						ordinal = 0
+						firstPartial = true
+						hasMorePartial = false
+					}
+					if msg.PLogMetaData == nil {
+						msg.Timestamp = time.Now().UTC()
+					} else {
+						msg.Timestamp = partialTS
+					}
+
+					if logErr := c.dst.Log(msg); logErr != nil {
+						logWritesFailedCount.Inc(1)
+						logrus.Errorf("Failed to log msg %q for logger %s: %s", msg.Line, c.dst.Name(), logErr)
+					}
+				}
+				p += q + 1
+			}
+			// If there's no more coming, or the buffer is full but
+			// has no newlines, log whatever we haven't logged yet,
+			// noting that it's a partial log line.
+			if eof || (p == 0 && n == len(buf)) {
+				if p < n {
+					msg := NewMessage()
+					msg.Source = name
+					msg.Line = append(msg.Line, buf[p:n]...)
+
+					// Generate unique partialID for first partial. Use it across partials.
+					// Record timestamp for first partial. Use it across partials.
+					// Initialize Ordinal for first partial. Increment it across partials.
+					if firstPartial {
+						msg.Timestamp = time.Now().UTC()
+						partialTS = msg.Timestamp
+						partialid = stringid.GenerateRandomID()
+						ordinal = 1
+						firstPartial = false
+						totalPartialLogs.Inc(1)
+					} else {
+						msg.Timestamp = partialTS
+					}
+					msg.PLogMetaData = &types.PartialLogMetaData{ID: partialid, Ordinal: ordinal, Last: false}
+					ordinal++
+					hasMorePartial = true
+
+					if logErr := c.dst.Log(msg); logErr != nil {
+						logWritesFailedCount.Inc(1)
+						logrus.Errorf("Failed to log msg %q for logger %s: %s", msg.Line, c.dst.Name(), logErr)
+					}
+					p = 0
+					n = 0
+				}
+				if eof {
+					return
+				}
+			}
+			// Move any unlogged data to the front of the buffer in preparation for another read.
+			if p > 0 {
+				copy(buf[0:], buf[p:n])
+				n -= p
+			}
+		}
+	}
+}
+
+// Wait waits until all copying is done
+func (c *Copier) Wait() {
+	c.copyJobs.Wait()
+}
+
+// Close closes the copier
+func (c *Copier) Close() {
+	c.closeOnce.Do(func() {
+		close(c.closed)
+	})
+}
diff --git a/engine/daemon/logger/copier_test.go b/engine/daemon/logger/copier_test.go
new file mode 100644
index 00000000..d09450bd
--- /dev/null
+++ b/engine/daemon/logger/copier_test.go
@@ -0,0 +1,484 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+)
+
+type TestLoggerJSON struct {
+	*json.Encoder
+	mu    sync.Mutex
+	delay time.Duration
+}
+
+func (l *TestLoggerJSON) Log(m *Message) error {
+	if l.delay > 0 {
+		time.Sleep(l.delay)
+	}
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	return l.Encode(m)
+}
+
+func (l *TestLoggerJSON) Close() error { return nil }
+
+func (l *TestLoggerJSON) Name() string { return "json" }
+
+type TestSizedLoggerJSON struct {
+	*json.Encoder
+	mu sync.Mutex
+}
+
+func (l *TestSizedLoggerJSON) Log(m *Message) error {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	return l.Encode(m)
+}
+
+func (*TestSizedLoggerJSON) Close() error { return nil }
+
+func (*TestSizedLoggerJSON) Name() string { return "sized-json" }
+
+func (*TestSizedLoggerJSON) BufSize() int {
+	return 32 * 1024
+}
+
+func TestCopier(t *testing.T) {
+	stdoutLine := "Line that thinks that it is log line from docker stdout"
+	stderrLine := "Line that thinks that it is log line from docker stderr"
+	stdoutTrailingLine := "stdout trailing line"
+	stderrTrailingLine := "stderr trailing line"
+
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+	for i := 0; i < 30; i++ {
+		if _, err := stdout.WriteString(stdoutLine + "\n"); err != nil {
+			t.Fatal(err)
+		}
+		if _, err := stderr.WriteString(stderrLine + "\n"); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	// Test remaining lines without line-endings
+	if _, err := stdout.WriteString(stdoutTrailingLine); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := stderr.WriteString(stderrTrailingLine); err != nil {
+		t.Fatal(err)
+	}
+
+	var jsonBuf bytes.Buffer
+
+	jsonLog := &TestLoggerJSON{Encoder: json.NewEncoder(&jsonBuf)}
+
+	c := NewCopier(
+		map[string]io.Reader{
+			"stdout": &stdout,
+			"stderr": &stderr,
+		},
+		jsonLog)
+	c.Run()
+	wait := make(chan struct{})
+	go func() {
+		c.Wait()
+		close(wait)
+	}()
+	select {
+	case <-time.After(1 * time.Second):
+		t.Fatal("Copier failed to do its work in 1 second")
+	case <-wait:
+	}
+	dec := json.NewDecoder(&jsonBuf)
+	for {
+		var msg Message
+		if err := dec.Decode(&msg); err != nil {
+			if err == io.EOF {
+				break
+			}
+			t.Fatal(err)
+		}
+		if msg.Source != "stdout" && msg.Source != "stderr" {
+			t.Fatalf("Wrong Source: %q, should be %q or %q", msg.Source, "stdout", "stderr")
+		}
+		if msg.Source == "stdout" {
+			if string(msg.Line) != stdoutLine && string(msg.Line) != stdoutTrailingLine {
+				t.Fatalf("Wrong Line: %q, expected %q or %q", msg.Line, stdoutLine, stdoutTrailingLine)
+			}
+		}
+		if msg.Source == "stderr" {
+			if string(msg.Line) != stderrLine && string(msg.Line) != stderrTrailingLine {
+				t.Fatalf("Wrong Line: %q, expected %q or %q", msg.Line, stderrLine, stderrTrailingLine)
+			}
+		}
+	}
+}
+
+// TestCopierLongLines tests long lines without line breaks
+func TestCopierLongLines(t *testing.T) {
+	// Long lines (should be split at "defaultBufSize")
+	stdoutLongLine := strings.Repeat("a", defaultBufSize)
+	stderrLongLine := strings.Repeat("b", defaultBufSize)
+	stdoutTrailingLine := "stdout trailing line"
+	stderrTrailingLine := "stderr trailing line"
+
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+
+	for i := 0; i < 3; i++ {
+		if _, err := stdout.WriteString(stdoutLongLine); err != nil {
+			t.Fatal(err)
+		}
+		if _, err := stderr.WriteString(stderrLongLine); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	if _, err := stdout.WriteString(stdoutTrailingLine); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := stderr.WriteString(stderrTrailingLine); err != nil {
+		t.Fatal(err)
+	}
+
+	var jsonBuf bytes.Buffer
+
+	jsonLog := &TestLoggerJSON{Encoder: json.NewEncoder(&jsonBuf)}
+
+	c := NewCopier(
+		map[string]io.Reader{
+			"stdout": &stdout,
+			"stderr": &stderr,
+		},
+		jsonLog)
+	c.Run()
+	wait := make(chan struct{})
+	go func() {
+		c.Wait()
+		close(wait)
+	}()
+	select {
+	case <-time.After(1 * time.Second):
+		t.Fatal("Copier failed to do its work in 1 second")
+	case <-wait:
+	}
+	dec := json.NewDecoder(&jsonBuf)
+	for {
+		var msg Message
+		if err := dec.Decode(&msg); err != nil {
+			if err == io.EOF {
+				break
+			}
+			t.Fatal(err)
+		}
+		if msg.Source != "stdout" && msg.Source != "stderr" {
+			t.Fatalf("Wrong Source: %q, should be %q or %q", msg.Source, "stdout", "stderr")
+		}
+		if msg.Source == "stdout" {
+			if string(msg.Line) != stdoutLongLine && string(msg.Line) != stdoutTrailingLine {
+				t.Fatalf("Wrong Line: %q, expected 'stdoutLongLine' or 'stdoutTrailingLine'", msg.Line)
+			}
+		}
+		if msg.Source == "stderr" {
+			if string(msg.Line) != stderrLongLine && string(msg.Line) != stderrTrailingLine {
+				t.Fatalf("Wrong Line: %q, expected 'stderrLongLine' or 'stderrTrailingLine'", msg.Line)
+			}
+		}
+	}
+}
+
+func TestCopierSlow(t *testing.T) {
+	stdoutLine := "Line that thinks that it is log line from docker stdout"
+	var stdout bytes.Buffer
+	for i := 0; i < 30; i++ {
+		if _, err := stdout.WriteString(stdoutLine + "\n"); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	var jsonBuf bytes.Buffer
+	//encoder := &encodeCloser{Encoder: json.NewEncoder(&jsonBuf)}
+	jsonLog := &TestLoggerJSON{Encoder: json.NewEncoder(&jsonBuf), delay: 100 * time.Millisecond}
+
+	c := NewCopier(map[string]io.Reader{"stdout": &stdout}, jsonLog)
+	c.Run()
+	wait := make(chan struct{})
+	go func() {
+		c.Wait()
+		close(wait)
+	}()
+	<-time.After(150 * time.Millisecond)
+	c.Close()
+	select {
+	case <-time.After(200 * time.Millisecond):
+		t.Fatal("failed to exit in time after the copier is closed")
+	case <-wait:
+	}
+}
+
+func TestCopierWithSized(t *testing.T) {
+	var jsonBuf bytes.Buffer
+	expectedMsgs := 2
+	sizedLogger := &TestSizedLoggerJSON{Encoder: json.NewEncoder(&jsonBuf)}
+	logbuf := bytes.NewBufferString(strings.Repeat(".", sizedLogger.BufSize()*expectedMsgs))
+	c := NewCopier(map[string]io.Reader{"stdout": logbuf}, sizedLogger)
+
+	c.Run()
+	// Wait for Copier to finish writing to the buffered logger.
+	c.Wait()
+	c.Close()
+
+	recvdMsgs := 0
+	dec := json.NewDecoder(&jsonBuf)
+	for {
+		var msg Message
+		if err := dec.Decode(&msg); err != nil {
+			if err == io.EOF {
+				break
+			}
+			t.Fatal(err)
+		}
+		if msg.Source != "stdout" {
+			t.Fatalf("Wrong Source: %q, should be %q", msg.Source, "stdout")
+		}
+		if len(msg.Line) != sizedLogger.BufSize() {
+			t.Fatalf("Line was not of expected max length %d, was %d", sizedLogger.BufSize(), len(msg.Line))
+		}
+		recvdMsgs++
+	}
+	if recvdMsgs != expectedMsgs {
+		t.Fatalf("expected to receive %d messages, actually received %d", expectedMsgs, recvdMsgs)
+	}
+}
+
+func checkIdentical(t *testing.T, msg Message, expectedID string, expectedTS time.Time) {
+	if msg.PLogMetaData.ID != expectedID {
+		t.Fatalf("IDs are not he same across partials. Expected: %s Received: %s",
+			expectedID, msg.PLogMetaData.ID)
+	}
+	if msg.Timestamp != expectedTS {
+		t.Fatalf("Timestamps are not the same across partials. Expected: %v Received: %v",
+			expectedTS.Format(time.UnixDate), msg.Timestamp.Format(time.UnixDate))
+	}
+}
+
+// Have long lines and make sure that it comes out with PartialMetaData
+func TestCopierWithPartial(t *testing.T) {
+	stdoutLongLine := strings.Repeat("a", defaultBufSize)
+	stderrLongLine := strings.Repeat("b", defaultBufSize)
+	stdoutTrailingLine := "stdout trailing line"
+	stderrTrailingLine := "stderr trailing line"
+	normalStr := "This is an impartial message :)"
+
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+	var normalMsg bytes.Buffer
+
+	for i := 0; i < 3; i++ {
+		if _, err := stdout.WriteString(stdoutLongLine); err != nil {
+			t.Fatal(err)
+		}
+		if _, err := stderr.WriteString(stderrLongLine); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	if _, err := stdout.WriteString(stdoutTrailingLine + "\n"); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := stderr.WriteString(stderrTrailingLine + "\n"); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := normalMsg.WriteString(normalStr + "\n"); err != nil {
+		t.Fatal(err)
+	}
+
+	var jsonBuf bytes.Buffer
+
+	jsonLog := &TestLoggerJSON{Encoder: json.NewEncoder(&jsonBuf)}
+
+	c := NewCopier(
+		map[string]io.Reader{
+			"stdout": &stdout,
+			"normal": &normalMsg,
+			"stderr": &stderr,
+		},
+		jsonLog)
+	c.Run()
+	wait := make(chan struct{})
+	go func() {
+		c.Wait()
+		close(wait)
+	}()
+	select {
+	case <-time.After(1 * time.Second):
+		t.Fatal("Copier failed to do its work in 1 second")
+	case <-wait:
+	}
+
+	dec := json.NewDecoder(&jsonBuf)
+	expectedMsgs := 9
+	recvMsgs := 0
+	var expectedPartID1, expectedPartID2 string
+	var expectedTS1, expectedTS2 time.Time
+
+	for {
+		var msg Message
+
+		if err := dec.Decode(&msg); err != nil {
+			if err == io.EOF {
+				break
+			}
+			t.Fatal(err)
+		}
+		if msg.Source != "stdout" && msg.Source != "stderr" && msg.Source != "normal" {
+			t.Fatalf("Wrong Source: %q, should be %q or %q or %q", msg.Source, "stdout", "stderr", "normal")
+		}
+
+		if msg.Source == "stdout" {
+			if string(msg.Line) != stdoutLongLine && string(msg.Line) != stdoutTrailingLine {
+				t.Fatalf("Wrong Line: %q, expected 'stdoutLongLine' or 'stdoutTrailingLine'", msg.Line)
+			}
+
+			if msg.PLogMetaData.ID == "" {
+				t.Fatalf("Expected partial metadata. Got nothing")
+			}
+
+			if msg.PLogMetaData.Ordinal == 1 {
+				expectedPartID1 = msg.PLogMetaData.ID
+				expectedTS1 = msg.Timestamp
+			} else {
+				checkIdentical(t, msg, expectedPartID1, expectedTS1)
+			}
+			if msg.PLogMetaData.Ordinal == 4 && !msg.PLogMetaData.Last {
+				t.Fatalf("Last is not set for last chunk")
+			}
+		}
+
+		if msg.Source == "stderr" {
+			if string(msg.Line) != stderrLongLine && string(msg.Line) != stderrTrailingLine {
+				t.Fatalf("Wrong Line: %q, expected 'stderrLongLine' or 'stderrTrailingLine'", msg.Line)
+			}
+
+			if msg.PLogMetaData.ID == "" {
+				t.Fatalf("Expected partial metadata. Got nothing")
+			}
+
+			if msg.PLogMetaData.Ordinal == 1 {
+				expectedPartID2 = msg.PLogMetaData.ID
+				expectedTS2 = msg.Timestamp
+			} else {
+				checkIdentical(t, msg, expectedPartID2, expectedTS2)
+			}
+			if msg.PLogMetaData.Ordinal == 4 && !msg.PLogMetaData.Last {
+				t.Fatalf("Last is not set for last chunk")
+			}
+		}
+
+		if msg.Source == "normal" && msg.PLogMetaData != nil {
+			t.Fatalf("Normal messages should not have PartialLogMetaData")
+		}
+		recvMsgs++
+	}
+
+	if expectedMsgs != recvMsgs {
+		t.Fatalf("Expected msgs: %d Recv msgs: %d", expectedMsgs, recvMsgs)
+	}
+}
+
+type BenchmarkLoggerDummy struct {
+}
+
+func (l *BenchmarkLoggerDummy) Log(m *Message) error { PutMessage(m); return nil }
+
+func (l *BenchmarkLoggerDummy) Close() error { return nil }
+
+func (l *BenchmarkLoggerDummy) Name() string { return "dummy" }
+
+func BenchmarkCopier64(b *testing.B) {
+	benchmarkCopier(b, 1<<6)
+}
+func BenchmarkCopier128(b *testing.B) {
+	benchmarkCopier(b, 1<<7)
+}
+func BenchmarkCopier256(b *testing.B) {
+	benchmarkCopier(b, 1<<8)
+}
+func BenchmarkCopier512(b *testing.B) {
+	benchmarkCopier(b, 1<<9)
+}
+func BenchmarkCopier1K(b *testing.B) {
+	benchmarkCopier(b, 1<<10)
+}
+func BenchmarkCopier2K(b *testing.B) {
+	benchmarkCopier(b, 1<<11)
+}
+func BenchmarkCopier4K(b *testing.B) {
+	benchmarkCopier(b, 1<<12)
+}
+func BenchmarkCopier8K(b *testing.B) {
+	benchmarkCopier(b, 1<<13)
+}
+func BenchmarkCopier16K(b *testing.B) {
+	benchmarkCopier(b, 1<<14)
+}
+func BenchmarkCopier32K(b *testing.B) {
+	benchmarkCopier(b, 1<<15)
+}
+func BenchmarkCopier64K(b *testing.B) {
+	benchmarkCopier(b, 1<<16)
+}
+func BenchmarkCopier128K(b *testing.B) {
+	benchmarkCopier(b, 1<<17)
+}
+func BenchmarkCopier256K(b *testing.B) {
+	benchmarkCopier(b, 1<<18)
+}
+
+func piped(b *testing.B, iterations int, delay time.Duration, buf []byte) io.Reader {
+	r, w, err := os.Pipe()
+	if err != nil {
+		b.Fatal(err)
+		return nil
+	}
+	go func() {
+		for i := 0; i < iterations; i++ {
+			time.Sleep(delay)
+			if n, err := w.Write(buf); err != nil || n != len(buf) {
+				if err != nil {
+					b.Fatal(err)
+				}
+				b.Fatal(fmt.Errorf("short write"))
+			}
+		}
+		w.Close()
+	}()
+	return r
+}
+
+func benchmarkCopier(b *testing.B, length int) {
+	b.StopTimer()
+	buf := []byte{'A'}
+	for len(buf) < length {
+		buf = append(buf, buf...)
+	}
+	buf = append(buf[:length-1], []byte{'\n'}...)
+	b.StartTimer()
+	for i := 0; i < b.N; i++ {
+		c := NewCopier(
+			map[string]io.Reader{
+				"buffer": piped(b, 10, time.Nanosecond, buf),
+			},
+			&BenchmarkLoggerDummy{})
+		c.Run()
+		c.Wait()
+		c.Close()
+	}
+}
diff --git a/engine/daemon/logger/etwlogs/etwlogs_windows.go b/engine/daemon/logger/etwlogs/etwlogs_windows.go
new file mode 100644
index 00000000..78d3477b
--- /dev/null
+++ b/engine/daemon/logger/etwlogs/etwlogs_windows.go
@@ -0,0 +1,168 @@
+// Package etwlogs provides a log driver for forwarding container logs
+// as ETW events.(ETW stands for Event Tracing for Windows)
+// A client can then create an ETW listener to listen for events that are sent
+// by the ETW provider that we register, using the provider's GUID "a3693192-9ed6-46d2-a981-f8226c8363bd".
+// Here is an example of how to do this using the logman utility:
+// 1. logman start -ets DockerContainerLogs -p {a3693192-9ed6-46d2-a981-f8226c8363bd} 0 0 -o trace.etl
+// 2. Run container(s) and generate log messages
+// 3. logman stop -ets DockerContainerLogs
+// 4. You can then convert the etl log file to XML using: tracerpt -y trace.etl
+//
+// Each container log message generates an ETW event that also contains:
+// the container name and ID, the timestamp, and the stream type.
+package etwlogs // import "github.com/docker/docker/daemon/logger/etwlogs"
+
+import (
+	"errors"
+	"fmt"
+	"sync"
+	"unsafe"
+
+	"github.com/docker/docker/daemon/logger"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+type etwLogs struct {
+	containerName string
+	imageName     string
+	containerID   string
+	imageID       string
+}
+
+const (
+	name             = "etwlogs"
+	win32CallSuccess = 0
+)
+
+var (
+	modAdvapi32          = windows.NewLazySystemDLL("Advapi32.dll")
+	procEventRegister    = modAdvapi32.NewProc("EventRegister")
+	procEventWriteString = modAdvapi32.NewProc("EventWriteString")
+	procEventUnregister  = modAdvapi32.NewProc("EventUnregister")
+)
+var providerHandle windows.Handle
+var refCount int
+var mu sync.Mutex
+
+func init() {
+	providerHandle = windows.InvalidHandle
+	if err := logger.RegisterLogDriver(name, New); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// New creates a new etwLogs logger for the given container and registers the EWT provider.
+func New(info logger.Info) (logger.Logger, error) {
+	if err := registerETWProvider(); err != nil {
+		return nil, err
+	}
+	logrus.Debugf("logging driver etwLogs configured for container: %s.", info.ContainerID)
+
+	return &etwLogs{
+		containerName: info.Name(),
+		imageName:     info.ContainerImageName,
+		containerID:   info.ContainerID,
+		imageID:       info.ContainerImageID,
+	}, nil
+}
+
+// Log logs the message to the ETW stream.
+func (etwLogger *etwLogs) Log(msg *logger.Message) error {
+	if providerHandle == windows.InvalidHandle {
+		// This should never be hit, if it is, it indicates a programming error.
+		errorMessage := "ETWLogs cannot log the message, because the event provider has not been registered."
+		logrus.Error(errorMessage)
+		return errors.New(errorMessage)
+	}
+	m := createLogMessage(etwLogger, msg)
+	logger.PutMessage(msg)
+	return callEventWriteString(m)
+}
+
+// Close closes the logger by unregistering the ETW provider.
+func (etwLogger *etwLogs) Close() error {
+	unregisterETWProvider()
+	return nil
+}
+
+func (etwLogger *etwLogs) Name() string {
+	return name
+}
+
+func createLogMessage(etwLogger *etwLogs, msg *logger.Message) string {
+	return fmt.Sprintf("container_name: %s, image_name: %s, container_id: %s, image_id: %s, source: %s, log: %s",
+		etwLogger.containerName,
+		etwLogger.imageName,
+		etwLogger.containerID,
+		etwLogger.imageID,
+		msg.Source,
+		msg.Line)
+}
+
+func registerETWProvider() error {
+	mu.Lock()
+	defer mu.Unlock()
+	if refCount == 0 {
+		var err error
+		if err = callEventRegister(); err != nil {
+			return err
+		}
+	}
+
+	refCount++
+	return nil
+}
+
+func unregisterETWProvider() {
+	mu.Lock()
+	defer mu.Unlock()
+	if refCount == 1 {
+		if callEventUnregister() {
+			refCount--
+			providerHandle = windows.InvalidHandle
+		}
+		// Not returning an error if EventUnregister fails, because etwLogs will continue to work
+	} else {
+		refCount--
+	}
+}
+
+func callEventRegister() error {
+	// The provider's GUID is {a3693192-9ed6-46d2-a981-f8226c8363bd}
+	guid := windows.GUID{
+		Data1: 0xa3693192,
+		Data2: 0x9ed6,
+		Data3: 0x46d2,
+		Data4: [8]byte{0xa9, 0x81, 0xf8, 0x22, 0x6c, 0x83, 0x63, 0xbd},
+	}
+
+	ret, _, _ := procEventRegister.Call(uintptr(unsafe.Pointer(&guid)), 0, 0, uintptr(unsafe.Pointer(&providerHandle)))
+	if ret != win32CallSuccess {
+		errorMessage := fmt.Sprintf("Failed to register ETW provider. Error: %d", ret)
+		logrus.Error(errorMessage)
+		return errors.New(errorMessage)
+	}
+	return nil
+}
+
+func callEventWriteString(message string) error {
+	utf16message, err := windows.UTF16FromString(message)
+
+	if err != nil {
+		return err
+	}
+
+	ret, _, _ := procEventWriteString.Call(uintptr(providerHandle), 0, 0, uintptr(unsafe.Pointer(&utf16message[0])))
+	if ret != win32CallSuccess {
+		errorMessage := fmt.Sprintf("ETWLogs provider failed to log message. Error: %d", ret)
+		logrus.Error(errorMessage)
+		return errors.New(errorMessage)
+	}
+	return nil
+}
+
+func callEventUnregister() bool {
+	ret, _, _ := procEventUnregister.Call(uintptr(providerHandle))
+	return ret == win32CallSuccess
+}
diff --git a/engine/daemon/logger/factory.go b/engine/daemon/logger/factory.go
new file mode 100644
index 00000000..84b54b27
--- /dev/null
+++ b/engine/daemon/logger/factory.go
@@ -0,0 +1,162 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"fmt"
+	"sort"
+	"sync"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/go-units"
+	"github.com/pkg/errors"
+)
+
+// Creator builds a logging driver instance with given context.
+type Creator func(Info) (Logger, error)
+
+// LogOptValidator checks the options specific to the underlying
+// logging implementation.
+type LogOptValidator func(cfg map[string]string) error
+
+type logdriverFactory struct {
+	registry     map[string]Creator
+	optValidator map[string]LogOptValidator
+	m            sync.Mutex
+}
+
+func (lf *logdriverFactory) list() []string {
+	ls := make([]string, 0, len(lf.registry))
+	lf.m.Lock()
+	for name := range lf.registry {
+		ls = append(ls, name)
+	}
+	lf.m.Unlock()
+	sort.Strings(ls)
+	return ls
+}
+
+// ListDrivers gets the list of registered log driver names
+func ListDrivers() []string {
+	return factory.list()
+}
+
+func (lf *logdriverFactory) register(name string, c Creator) error {
+	if lf.driverRegistered(name) {
+		return fmt.Errorf("logger: log driver named '%s' is already registered", name)
+	}
+
+	lf.m.Lock()
+	lf.registry[name] = c
+	lf.m.Unlock()
+	return nil
+}
+
+func (lf *logdriverFactory) driverRegistered(name string) bool {
+	lf.m.Lock()
+	_, ok := lf.registry[name]
+	lf.m.Unlock()
+	if !ok {
+		if pluginGetter != nil { // this can be nil when the init functions are running
+			if l, _ := getPlugin(name, plugingetter.Lookup); l != nil {
+				return true
+			}
+		}
+	}
+	return ok
+}
+
+func (lf *logdriverFactory) registerLogOptValidator(name string, l LogOptValidator) error {
+	lf.m.Lock()
+	defer lf.m.Unlock()
+
+	if _, ok := lf.optValidator[name]; ok {
+		return fmt.Errorf("logger: log validator named '%s' is already registered", name)
+	}
+	lf.optValidator[name] = l
+	return nil
+}
+
+func (lf *logdriverFactory) get(name string) (Creator, error) {
+	lf.m.Lock()
+	defer lf.m.Unlock()
+
+	c, ok := lf.registry[name]
+	if ok {
+		return c, nil
+	}
+
+	c, err := getPlugin(name, plugingetter.Acquire)
+	return c, errors.Wrapf(err, "logger: no log driver named '%s' is registered", name)
+}
+
+func (lf *logdriverFactory) getLogOptValidator(name string) LogOptValidator {
+	lf.m.Lock()
+	defer lf.m.Unlock()
+
+	c := lf.optValidator[name]
+	return c
+}
+
+var factory = &logdriverFactory{registry: make(map[string]Creator), optValidator: make(map[string]LogOptValidator)} // global factory instance
+
+// RegisterLogDriver registers the given logging driver builder with given logging
+// driver name.
+func RegisterLogDriver(name string, c Creator) error {
+	return factory.register(name, c)
+}
+
+// RegisterLogOptValidator registers the logging option validator with
+// the given logging driver name.
+func RegisterLogOptValidator(name string, l LogOptValidator) error {
+	return factory.registerLogOptValidator(name, l)
+}
+
+// GetLogDriver provides the logging driver builder for a logging driver name.
+func GetLogDriver(name string) (Creator, error) {
+	return factory.get(name)
+}
+
+var builtInLogOpts = map[string]bool{
+	"mode":            true,
+	"max-buffer-size": true,
+}
+
+// ValidateLogOpts checks the options for the given log driver. The
+// options supported are specific to the LogDriver implementation.
+func ValidateLogOpts(name string, cfg map[string]string) error {
+	if name == "none" {
+		return nil
+	}
+
+	switch containertypes.LogMode(cfg["mode"]) {
+	case containertypes.LogModeBlocking, containertypes.LogModeNonBlock, containertypes.LogModeUnset:
+	default:
+		return fmt.Errorf("logger: logging mode not supported: %s", cfg["mode"])
+	}
+
+	if s, ok := cfg["max-buffer-size"]; ok {
+		if containertypes.LogMode(cfg["mode"]) != containertypes.LogModeNonBlock {
+			return fmt.Errorf("logger: max-buffer-size option is only supported with 'mode=%s'", containertypes.LogModeNonBlock)
+		}
+		if _, err := units.RAMInBytes(s); err != nil {
+			return errors.Wrap(err, "error parsing option max-buffer-size")
+		}
+	}
+
+	if !factory.driverRegistered(name) {
+		return fmt.Errorf("logger: no log driver named '%s' is registered", name)
+	}
+
+	filteredOpts := make(map[string]string, len(builtInLogOpts))
+	for k, v := range cfg {
+		if !builtInLogOpts[k] {
+			filteredOpts[k] = v
+		}
+	}
+
+	validator := factory.getLogOptValidator(name)
+	if validator != nil {
+		return validator(filteredOpts)
+	}
+	return nil
+}
diff --git a/engine/daemon/logger/fluentd/fluentd.go b/engine/daemon/logger/fluentd/fluentd.go
new file mode 100644
index 00000000..907261f4
--- /dev/null
+++ b/engine/daemon/logger/fluentd/fluentd.go
@@ -0,0 +1,263 @@
+// Package fluentd provides the log driver for forwarding server logs
+// to fluentd endpoints.
+package fluentd // import "github.com/docker/docker/daemon/logger/fluentd"
+
+import (
+	"fmt"
+	"math"
+	"net"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/loggerutils"
+	"github.com/docker/docker/pkg/urlutil"
+	"github.com/docker/go-units"
+	"github.com/fluent/fluent-logger-golang/fluent"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type fluentd struct {
+	tag           string
+	containerID   string
+	containerName string
+	writer        *fluent.Fluent
+	extra         map[string]string
+}
+
+type location struct {
+	protocol string
+	host     string
+	port     int
+	path     string
+}
+
+const (
+	name = "fluentd"
+
+	defaultProtocol    = "tcp"
+	defaultHost        = "127.0.0.1"
+	defaultPort        = 24224
+	defaultBufferLimit = 1024 * 1024
+
+	// logger tries to reconnect 2**32 - 1 times
+	// failed (and panic) after 204 years [ 1.5 ** (2**32 - 1) - 1 seconds]
+	defaultRetryWait  = 1000
+	defaultMaxRetries = math.MaxInt32
+
+	addressKey            = "fluentd-address"
+	bufferLimitKey        = "fluentd-buffer-limit"
+	retryWaitKey          = "fluentd-retry-wait"
+	maxRetriesKey         = "fluentd-max-retries"
+	asyncConnectKey       = "fluentd-async-connect"
+	subSecondPrecisionKey = "fluentd-sub-second-precision"
+)
+
+func init() {
+	if err := logger.RegisterLogDriver(name, New); err != nil {
+		logrus.Fatal(err)
+	}
+	if err := logger.RegisterLogOptValidator(name, ValidateLogOpt); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// New creates a fluentd logger using the configuration passed in on
+// the context. The supported context configuration variable is
+// fluentd-address.
+func New(info logger.Info) (logger.Logger, error) {
+	loc, err := parseAddress(info.Config[addressKey])
+	if err != nil {
+		return nil, err
+	}
+
+	tag, err := loggerutils.ParseLogTag(info, loggerutils.DefaultTemplate)
+	if err != nil {
+		return nil, err
+	}
+
+	extra, err := info.ExtraAttributes(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	bufferLimit := defaultBufferLimit
+	if info.Config[bufferLimitKey] != "" {
+		bl64, err := units.RAMInBytes(info.Config[bufferLimitKey])
+		if err != nil {
+			return nil, err
+		}
+		bufferLimit = int(bl64)
+	}
+
+	retryWait := defaultRetryWait
+	if info.Config[retryWaitKey] != "" {
+		rwd, err := time.ParseDuration(info.Config[retryWaitKey])
+		if err != nil {
+			return nil, err
+		}
+		retryWait = int(rwd.Seconds() * 1000)
+	}
+
+	maxRetries := defaultMaxRetries
+	if info.Config[maxRetriesKey] != "" {
+		mr64, err := strconv.ParseUint(info.Config[maxRetriesKey], 10, strconv.IntSize)
+		if err != nil {
+			return nil, err
+		}
+		maxRetries = int(mr64)
+	}
+
+	asyncConnect := false
+	if info.Config[asyncConnectKey] != "" {
+		if asyncConnect, err = strconv.ParseBool(info.Config[asyncConnectKey]); err != nil {
+			return nil, err
+		}
+	}
+
+	subSecondPrecision := false
+	if info.Config[subSecondPrecisionKey] != "" {
+		if subSecondPrecision, err = strconv.ParseBool(info.Config[subSecondPrecisionKey]); err != nil {
+			return nil, err
+		}
+	}
+
+	fluentConfig := fluent.Config{
+		FluentPort:         loc.port,
+		FluentHost:         loc.host,
+		FluentNetwork:      loc.protocol,
+		FluentSocketPath:   loc.path,
+		BufferLimit:        bufferLimit,
+		RetryWait:          retryWait,
+		MaxRetry:           maxRetries,
+		AsyncConnect:       asyncConnect,
+		SubSecondPrecision: subSecondPrecision,
+	}
+
+	logrus.WithField("container", info.ContainerID).WithField("config", fluentConfig).
+		Debug("logging driver fluentd configured")
+
+	log, err := fluent.New(fluentConfig)
+	if err != nil {
+		return nil, err
+	}
+	return &fluentd{
+		tag:           tag,
+		containerID:   info.ContainerID,
+		containerName: info.ContainerName,
+		writer:        log,
+		extra:         extra,
+	}, nil
+}
+
+func (f *fluentd) Log(msg *logger.Message) error {
+	data := map[string]string{
+		"container_id":   f.containerID,
+		"container_name": f.containerName,
+		"source":         msg.Source,
+		"log":            string(msg.Line),
+	}
+	for k, v := range f.extra {
+		data[k] = v
+	}
+	if msg.PLogMetaData != nil {
+		data["partial_message"] = "true"
+	}
+
+	ts := msg.Timestamp
+	logger.PutMessage(msg)
+	// fluent-logger-golang buffers logs from failures and disconnections,
+	// and these are transferred again automatically.
+	return f.writer.PostWithTime(f.tag, ts, data)
+}
+
+func (f *fluentd) Close() error {
+	return f.writer.Close()
+}
+
+func (f *fluentd) Name() string {
+	return name
+}
+
+// ValidateLogOpt looks for fluentd specific log option fluentd-address.
+func ValidateLogOpt(cfg map[string]string) error {
+	for key := range cfg {
+		switch key {
+		case "env":
+		case "env-regex":
+		case "labels":
+		case "tag":
+		case addressKey:
+		case bufferLimitKey:
+		case retryWaitKey:
+		case maxRetriesKey:
+		case asyncConnectKey:
+		case subSecondPrecisionKey:
+			// Accepted
+		default:
+			return fmt.Errorf("unknown log opt '%s' for fluentd log driver", key)
+		}
+	}
+
+	_, err := parseAddress(cfg[addressKey])
+	return err
+}
+
+func parseAddress(address string) (*location, error) {
+	if address == "" {
+		return &location{
+			protocol: defaultProtocol,
+			host:     defaultHost,
+			port:     defaultPort,
+			path:     "",
+		}, nil
+	}
+
+	protocol := defaultProtocol
+	givenAddress := address
+	if urlutil.IsTransportURL(address) {
+		url, err := url.Parse(address)
+		if err != nil {
+			return nil, errors.Wrapf(err, "invalid fluentd-address %s", givenAddress)
+		}
+		// unix and unixgram socket
+		if url.Scheme == "unix" || url.Scheme == "unixgram" {
+			return &location{
+				protocol: url.Scheme,
+				host:     "",
+				port:     0,
+				path:     url.Path,
+			}, nil
+		}
+		// tcp|udp
+		protocol = url.Scheme
+		address = url.Host
+	}
+
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		if !strings.Contains(err.Error(), "missing port in address") {
+			return nil, errors.Wrapf(err, "invalid fluentd-address %s", givenAddress)
+		}
+		return &location{
+			protocol: protocol,
+			host:     host,
+			port:     defaultPort,
+			path:     "",
+		}, nil
+	}
+
+	portnum, err := strconv.Atoi(port)
+	if err != nil {
+		return nil, errors.Wrapf(err, "invalid fluentd-address %s", givenAddress)
+	}
+	return &location{
+		protocol: protocol,
+		host:     host,
+		port:     portnum,
+		path:     "",
+	}, nil
+}
diff --git a/engine/daemon/logger/gcplogs/gcplogging.go b/engine/daemon/logger/gcplogs/gcplogging.go
new file mode 100644
index 00000000..1699f67a
--- /dev/null
+++ b/engine/daemon/logger/gcplogs/gcplogging.go
@@ -0,0 +1,244 @@
+package gcplogs // import "github.com/docker/docker/daemon/logger/gcplogs"
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/docker/docker/daemon/logger"
+
+	"cloud.google.com/go/compute/metadata"
+	"cloud.google.com/go/logging"
+	"github.com/sirupsen/logrus"
+	mrpb "google.golang.org/genproto/googleapis/api/monitoredres"
+)
+
+const (
+	name = "gcplogs"
+
+	projectOptKey  = "gcp-project"
+	logLabelsKey   = "labels"
+	logEnvKey      = "env"
+	logEnvRegexKey = "env-regex"
+	logCmdKey      = "gcp-log-cmd"
+	logZoneKey     = "gcp-meta-zone"
+	logNameKey     = "gcp-meta-name"
+	logIDKey       = "gcp-meta-id"
+)
+
+var (
+	// The number of logs the gcplogs driver has dropped.
+	droppedLogs uint64
+
+	onGCE bool
+
+	// instance metadata populated from the metadata server if available
+	projectID    string
+	zone         string
+	instanceName string
+	instanceID   string
+)
+
+func init() {
+
+	if err := logger.RegisterLogDriver(name, New); err != nil {
+		logrus.Fatal(err)
+	}
+
+	if err := logger.RegisterLogOptValidator(name, ValidateLogOpts); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+type gcplogs struct {
+	logger    *logging.Logger
+	instance  *instanceInfo
+	container *containerInfo
+}
+
+type dockerLogEntry struct {
+	Instance  *instanceInfo  `json:"instance,omitempty"`
+	Container *containerInfo `json:"container,omitempty"`
+	Message   string         `json:"message,omitempty"`
+}
+
+type instanceInfo struct {
+	Zone string `json:"zone,omitempty"`
+	Name string `json:"name,omitempty"`
+	ID   string `json:"id,omitempty"`
+}
+
+type containerInfo struct {
+	Name      string            `json:"name,omitempty"`
+	ID        string            `json:"id,omitempty"`
+	ImageName string            `json:"imageName,omitempty"`
+	ImageID   string            `json:"imageId,omitempty"`
+	Created   time.Time         `json:"created,omitempty"`
+	Command   string            `json:"command,omitempty"`
+	Metadata  map[string]string `json:"metadata,omitempty"`
+}
+
+var initGCPOnce sync.Once
+
+func initGCP() {
+	initGCPOnce.Do(func() {
+		onGCE = metadata.OnGCE()
+		if onGCE {
+			// These will fail on instances if the metadata service is
+			// down or the client is compiled with an API version that
+			// has been removed. Since these are not vital, let's ignore
+			// them and make their fields in the dockerLogEntry ,omitempty
+			projectID, _ = metadata.ProjectID()
+			zone, _ = metadata.Zone()
+			instanceName, _ = metadata.InstanceName()
+			instanceID, _ = metadata.InstanceID()
+		}
+	})
+}
+
+// New creates a new logger that logs to Google Cloud Logging using the application
+// default credentials.
+//
+// See https://developers.google.com/identity/protocols/application-default-credentials
+func New(info logger.Info) (logger.Logger, error) {
+	initGCP()
+
+	var project string
+	if projectID != "" {
+		project = projectID
+	}
+	if projectID, found := info.Config[projectOptKey]; found {
+		project = projectID
+	}
+	if project == "" {
+		return nil, fmt.Errorf("No project was specified and couldn't read project from the metadata server. Please specify a project")
+	}
+
+	// Issue #29344: gcplogs segfaults (static binary)
+	// If HOME is not set, logging.NewClient() will call os/user.Current() via oauth2/google.
+	// However, in static binary, os/user.Current() leads to segfault due to a glibc issue that won't be fixed
+	// in a short term. (golang/go#13470, https://sourceware.org/bugzilla/show_bug.cgi?id=19341)
+	// So we forcibly set HOME so as to avoid call to os/user/Current()
+	if err := ensureHomeIfIAmStatic(); err != nil {
+		return nil, err
+	}
+
+	c, err := logging.NewClient(context.Background(), project)
+	if err != nil {
+		return nil, err
+	}
+	var instanceResource *instanceInfo
+	if onGCE {
+		instanceResource = &instanceInfo{
+			Zone: zone,
+			Name: instanceName,
+			ID:   instanceID,
+		}
+	} else if info.Config[logZoneKey] != "" || info.Config[logNameKey] != "" || info.Config[logIDKey] != "" {
+		instanceResource = &instanceInfo{
+			Zone: info.Config[logZoneKey],
+			Name: info.Config[logNameKey],
+			ID:   info.Config[logIDKey],
+		}
+	}
+
+	options := []logging.LoggerOption{}
+	if instanceResource != nil {
+		vmMrpb := logging.CommonResource(
+			&mrpb.MonitoredResource{
+				Type: "gce_instance",
+				Labels: map[string]string{
+					"instance_id": instanceResource.ID,
+					"zone":        instanceResource.Zone,
+				},
+			},
+		)
+		options = []logging.LoggerOption{vmMrpb}
+	}
+	lg := c.Logger("gcplogs-docker-driver", options...)
+
+	if err := c.Ping(context.Background()); err != nil {
+		return nil, fmt.Errorf("unable to connect or authenticate with Google Cloud Logging: %v", err)
+	}
+
+	extraAttributes, err := info.ExtraAttributes(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	l := &gcplogs{
+		logger: lg,
+		container: &containerInfo{
+			Name:      info.ContainerName,
+			ID:        info.ContainerID,
+			ImageName: info.ContainerImageName,
+			ImageID:   info.ContainerImageID,
+			Created:   info.ContainerCreated,
+			Metadata:  extraAttributes,
+		},
+	}
+
+	if info.Config[logCmdKey] == "true" {
+		l.container.Command = info.Command()
+	}
+
+	if instanceResource != nil {
+		l.instance = instanceResource
+	}
+
+	// The logger "overflows" at a rate of 10,000 logs per second and this
+	// overflow func is called. We want to surface the error to the user
+	// without overly spamming /var/log/docker.log so we log the first time
+	// we overflow and every 1000th time after.
+	c.OnError = func(err error) {
+		if err == logging.ErrOverflow {
+			if i := atomic.AddUint64(&droppedLogs, 1); i%1000 == 1 {
+				logrus.Errorf("gcplogs driver has dropped %v logs", i)
+			}
+		} else {
+			logrus.Error(err)
+		}
+	}
+
+	return l, nil
+}
+
+// ValidateLogOpts validates the opts passed to the gcplogs driver. Currently, the gcplogs
+// driver doesn't take any arguments.
+func ValidateLogOpts(cfg map[string]string) error {
+	for k := range cfg {
+		switch k {
+		case projectOptKey, logLabelsKey, logEnvKey, logEnvRegexKey, logCmdKey, logZoneKey, logNameKey, logIDKey:
+		default:
+			return fmt.Errorf("%q is not a valid option for the gcplogs driver", k)
+		}
+	}
+	return nil
+}
+
+func (l *gcplogs) Log(m *logger.Message) error {
+	message := string(m.Line)
+	ts := m.Timestamp
+	logger.PutMessage(m)
+
+	l.logger.Log(logging.Entry{
+		Timestamp: ts,
+		Payload: &dockerLogEntry{
+			Instance:  l.instance,
+			Container: l.container,
+			Message:   message,
+		},
+	})
+	return nil
+}
+
+func (l *gcplogs) Close() error {
+	l.logger.Flush()
+	return nil
+}
+
+func (l *gcplogs) Name() string {
+	return name
+}
diff --git a/engine/daemon/logger/gcplogs/gcplogging_linux.go b/engine/daemon/logger/gcplogs/gcplogging_linux.go
new file mode 100644
index 00000000..27f8ef32
--- /dev/null
+++ b/engine/daemon/logger/gcplogs/gcplogging_linux.go
@@ -0,0 +1,29 @@
+package gcplogs // import "github.com/docker/docker/daemon/logger/gcplogs"
+
+import (
+	"os"
+
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/sirupsen/logrus"
+)
+
+// ensureHomeIfIAmStatic ensure $HOME to be set if dockerversion.IAmStatic is "true".
+// See issue #29344: gcplogs segfaults (static binary)
+// If HOME is not set, logging.NewClient() will call os/user.Current() via oauth2/google.
+// However, in static binary, os/user.Current() leads to segfault due to a glibc issue that won't be fixed
+// in a short term. (golang/go#13470, https://sourceware.org/bugzilla/show_bug.cgi?id=19341)
+// So we forcibly set HOME so as to avoid call to os/user/Current()
+func ensureHomeIfIAmStatic() error {
+	// Note: dockerversion.IAmStatic and homedir.GetStatic() is only available for linux.
+	// So we need to use them in this gcplogging_linux.go rather than in gcplogging.go
+	if dockerversion.IAmStatic == "true" && os.Getenv("HOME") == "" {
+		home, err := homedir.GetStatic()
+		if err != nil {
+			return err
+		}
+		logrus.Warnf("gcplogs requires HOME to be set for static daemon binary. Forcibly setting HOME to %s.", home)
+		os.Setenv("HOME", home)
+	}
+	return nil
+}
diff --git a/engine/daemon/logger/gcplogs/gcplogging_others.go b/engine/daemon/logger/gcplogs/gcplogging_others.go
new file mode 100644
index 00000000..10a2cdc8
--- /dev/null
+++ b/engine/daemon/logger/gcplogs/gcplogging_others.go
@@ -0,0 +1,7 @@
+// +build !linux
+
+package gcplogs // import "github.com/docker/docker/daemon/logger/gcplogs"
+
+func ensureHomeIfIAmStatic() error {
+	return nil
+}
diff --git a/engine/daemon/logger/gelf/gelf.go b/engine/daemon/logger/gelf/gelf.go
new file mode 100644
index 00000000..e9c86040
--- /dev/null
+++ b/engine/daemon/logger/gelf/gelf.go
@@ -0,0 +1,268 @@
+// Package gelf provides the log driver for forwarding server logs to
+// endpoints that support the Graylog Extended Log Format.
+package gelf // import "github.com/docker/docker/daemon/logger/gelf"
+
+import (
+	"compress/flate"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/url"
+	"strconv"
+	"time"
+
+	"github.com/Graylog2/go-gelf/gelf"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/loggerutils"
+	"github.com/docker/docker/pkg/urlutil"
+	"github.com/sirupsen/logrus"
+)
+
+const name = "gelf"
+
+type gelfLogger struct {
+	writer   gelf.Writer
+	info     logger.Info
+	hostname string
+	rawExtra json.RawMessage
+}
+
+func init() {
+	if err := logger.RegisterLogDriver(name, New); err != nil {
+		logrus.Fatal(err)
+	}
+	if err := logger.RegisterLogOptValidator(name, ValidateLogOpt); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// New creates a gelf logger using the configuration passed in on the
+// context. The supported context configuration variable is gelf-address.
+func New(info logger.Info) (logger.Logger, error) {
+	// parse gelf address
+	address, err := parseAddress(info.Config["gelf-address"])
+	if err != nil {
+		return nil, err
+	}
+
+	// collect extra data for GELF message
+	hostname, err := info.Hostname()
+	if err != nil {
+		return nil, fmt.Errorf("gelf: cannot access hostname to set source field")
+	}
+
+	// parse log tag
+	tag, err := loggerutils.ParseLogTag(info, loggerutils.DefaultTemplate)
+	if err != nil {
+		return nil, err
+	}
+
+	extra := map[string]interface{}{
+		"_container_id":   info.ContainerID,
+		"_container_name": info.Name(),
+		"_image_id":       info.ContainerImageID,
+		"_image_name":     info.ContainerImageName,
+		"_command":        info.Command(),
+		"_tag":            tag,
+		"_created":        info.ContainerCreated,
+	}
+
+	extraAttrs, err := info.ExtraAttributes(func(key string) string {
+		if key[0] == '_' {
+			return key
+		}
+		return "_" + key
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	for k, v := range extraAttrs {
+		extra[k] = v
+	}
+
+	rawExtra, err := json.Marshal(extra)
+	if err != nil {
+		return nil, err
+	}
+
+	var gelfWriter gelf.Writer
+	if address.Scheme == "udp" {
+		gelfWriter, err = newGELFUDPWriter(address.Host, info)
+		if err != nil {
+			return nil, err
+		}
+	} else if address.Scheme == "tcp" {
+		gelfWriter, err = newGELFTCPWriter(address.Host, info)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &gelfLogger{
+		writer:   gelfWriter,
+		info:     info,
+		hostname: hostname,
+		rawExtra: rawExtra,
+	}, nil
+}
+
+// create new TCP gelfWriter
+func newGELFTCPWriter(address string, info logger.Info) (gelf.Writer, error) {
+	gelfWriter, err := gelf.NewTCPWriter(address)
+	if err != nil {
+		return nil, fmt.Errorf("gelf: cannot connect to GELF endpoint: %s %v", address, err)
+	}
+
+	if v, ok := info.Config["gelf-tcp-max-reconnect"]; ok {
+		i, err := strconv.Atoi(v)
+		if err != nil || i < 0 {
+			return nil, fmt.Errorf("gelf-tcp-max-reconnect must be a positive integer")
+		}
+		gelfWriter.MaxReconnect = i
+	}
+
+	if v, ok := info.Config["gelf-tcp-reconnect-delay"]; ok {
+		i, err := strconv.Atoi(v)
+		if err != nil || i < 0 {
+			return nil, fmt.Errorf("gelf-tcp-reconnect-delay must be a positive integer")
+		}
+		gelfWriter.ReconnectDelay = time.Duration(i)
+	}
+
+	return gelfWriter, nil
+}
+
+// create new UDP gelfWriter
+func newGELFUDPWriter(address string, info logger.Info) (gelf.Writer, error) {
+	gelfWriter, err := gelf.NewUDPWriter(address)
+	if err != nil {
+		return nil, fmt.Errorf("gelf: cannot connect to GELF endpoint: %s %v", address, err)
+	}
+
+	if v, ok := info.Config["gelf-compression-type"]; ok {
+		switch v {
+		case "gzip":
+			gelfWriter.CompressionType = gelf.CompressGzip
+		case "zlib":
+			gelfWriter.CompressionType = gelf.CompressZlib
+		case "none":
+			gelfWriter.CompressionType = gelf.CompressNone
+		default:
+			return nil, fmt.Errorf("gelf: invalid compression type %q", v)
+		}
+	}
+
+	if v, ok := info.Config["gelf-compression-level"]; ok {
+		val, err := strconv.Atoi(v)
+		if err != nil {
+			return nil, fmt.Errorf("gelf: invalid compression level %s, err %v", v, err)
+		}
+		gelfWriter.CompressionLevel = val
+	}
+
+	return gelfWriter, nil
+}
+
+func (s *gelfLogger) Log(msg *logger.Message) error {
+	level := gelf.LOG_INFO
+	if msg.Source == "stderr" {
+		level = gelf.LOG_ERR
+	}
+
+	m := gelf.Message{
+		Version:  "1.1",
+		Host:     s.hostname,
+		Short:    string(msg.Line),
+		TimeUnix: float64(msg.Timestamp.UnixNano()/int64(time.Millisecond)) / 1000.0,
+		Level:    int32(level),
+		RawExtra: s.rawExtra,
+	}
+	logger.PutMessage(msg)
+
+	if err := s.writer.WriteMessage(&m); err != nil {
+		return fmt.Errorf("gelf: cannot send GELF message: %v", err)
+	}
+	return nil
+}
+
+func (s *gelfLogger) Close() error {
+	return s.writer.Close()
+}
+
+func (s *gelfLogger) Name() string {
+	return name
+}
+
+// ValidateLogOpt looks for gelf specific log option gelf-address.
+func ValidateLogOpt(cfg map[string]string) error {
+	address, err := parseAddress(cfg["gelf-address"])
+	if err != nil {
+		return err
+	}
+
+	for key, val := range cfg {
+		switch key {
+		case "gelf-address":
+		case "tag":
+		case "labels":
+		case "env":
+		case "env-regex":
+		case "gelf-compression-level":
+			if address.Scheme != "udp" {
+				return fmt.Errorf("compression is only supported on UDP")
+			}
+			i, err := strconv.Atoi(val)
+			if err != nil || i < flate.DefaultCompression || i > flate.BestCompression {
+				return fmt.Errorf("unknown value %q for log opt %q for gelf log driver", val, key)
+			}
+		case "gelf-compression-type":
+			if address.Scheme != "udp" {
+				return fmt.Errorf("compression is only supported on UDP")
+			}
+			switch val {
+			case "gzip", "zlib", "none":
+			default:
+				return fmt.Errorf("unknown value %q for log opt %q for gelf log driver", val, key)
+			}
+		case "gelf-tcp-max-reconnect", "gelf-tcp-reconnect-delay":
+			if address.Scheme != "tcp" {
+				return fmt.Errorf("%q is only valid for TCP", key)
+			}
+			i, err := strconv.Atoi(val)
+			if err != nil || i < 0 {
+				return fmt.Errorf("%q must be a positive integer", key)
+			}
+		default:
+			return fmt.Errorf("unknown log opt %q for gelf log driver", key)
+		}
+	}
+
+	return nil
+}
+
+func parseAddress(address string) (*url.URL, error) {
+	if address == "" {
+		return nil, fmt.Errorf("gelf-address is a required parameter")
+	}
+	if !urlutil.IsTransportURL(address) {
+		return nil, fmt.Errorf("gelf-address should be in form proto://address, got %v", address)
+	}
+	url, err := url.Parse(address)
+	if err != nil {
+		return nil, err
+	}
+
+	// we support only udp
+	if url.Scheme != "udp" && url.Scheme != "tcp" {
+		return nil, fmt.Errorf("gelf: endpoint needs to be TCP or UDP")
+	}
+
+	// get host and port
+	if _, _, err = net.SplitHostPort(url.Host); err != nil {
+		return nil, fmt.Errorf("gelf: please provide gelf-address as proto://host:port")
+	}
+
+	return url, nil
+}
diff --git a/engine/daemon/logger/gelf/gelf_test.go b/engine/daemon/logger/gelf/gelf_test.go
new file mode 100644
index 00000000..a88d56ce
--- /dev/null
+++ b/engine/daemon/logger/gelf/gelf_test.go
@@ -0,0 +1,260 @@
+// +build linux
+
+package gelf // import "github.com/docker/docker/daemon/logger/gelf"
+
+import (
+	"net"
+	"testing"
+
+	"github.com/docker/docker/daemon/logger"
+)
+
+// Validate parseAddress
+func TestParseAddress(t *testing.T) {
+	url, err := parseAddress("udp://127.0.0.1:12201")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if url.String() != "udp://127.0.0.1:12201" {
+		t.Fatalf("Expected address udp://127.0.0.1:12201, got %s", url.String())
+	}
+
+	_, err = parseAddress("127.0.0.1:12201")
+	if err == nil {
+		t.Fatal("Expected error requiring protocol")
+	}
+
+	_, err = parseAddress("http://127.0.0.1:12201")
+	if err == nil {
+		t.Fatal("Expected error restricting protocol")
+	}
+}
+
+// Validate TCP options
+func TestTCPValidateLogOpt(t *testing.T) {
+	err := ValidateLogOpt(map[string]string{
+		"gelf-address": "tcp://127.0.0.1:12201",
+	})
+	if err != nil {
+		t.Fatal("Expected TCP to be supported")
+	}
+
+	err = ValidateLogOpt(map[string]string{
+		"gelf-address":           "tcp://127.0.0.1:12201",
+		"gelf-compression-level": "9",
+	})
+	if err == nil {
+		t.Fatal("Expected TCP to reject compression level")
+	}
+
+	err = ValidateLogOpt(map[string]string{
+		"gelf-address":          "tcp://127.0.0.1:12201",
+		"gelf-compression-type": "gzip",
+	})
+	if err == nil {
+		t.Fatal("Expected TCP to reject compression type")
+	}
+
+	err = ValidateLogOpt(map[string]string{
+		"gelf-address":             "tcp://127.0.0.1:12201",
+		"gelf-tcp-max-reconnect":   "5",
+		"gelf-tcp-reconnect-delay": "10",
+	})
+	if err != nil {
+		t.Fatal("Expected TCP reconnect to be a valid parameters")
+	}
+
+	err = ValidateLogOpt(map[string]string{
+		"gelf-address":             "tcp://127.0.0.1:12201",
+		"gelf-tcp-max-reconnect":   "-1",
+		"gelf-tcp-reconnect-delay": "-3",
+	})
+	if err == nil {
+		t.Fatal("Expected negative TCP reconnect to be rejected")
+	}
+
+	err = ValidateLogOpt(map[string]string{
+		"gelf-address":             "tcp://127.0.0.1:12201",
+		"gelf-tcp-max-reconnect":   "invalid",
+		"gelf-tcp-reconnect-delay": "invalid",
+	})
+	if err == nil {
+		t.Fatal("Expected TCP reconnect to be required to be an int")
+	}
+
+	err = ValidateLogOpt(map[string]string{
+		"gelf-address":             "udp://127.0.0.1:12201",
+		"gelf-tcp-max-reconnect":   "1",
+		"gelf-tcp-reconnect-delay": "3",
+	})
+	if err == nil {
+		t.Fatal("Expected TCP reconnect to be invalid for UDP")
+	}
+}
+
+// Validate UDP options
+func TestUDPValidateLogOpt(t *testing.T) {
+	err := ValidateLogOpt(map[string]string{
+		"gelf-address":           "udp://127.0.0.1:12201",
+		"tag":                    "testtag",
+		"labels":                 "testlabel",
+		"env":                    "testenv",
+		"env-regex":              "testenv-regex",
+		"gelf-compression-level": "9",
+		"gelf-compression-type":  "gzip",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = ValidateLogOpt(map[string]string{
+		"gelf-address":           "udp://127.0.0.1:12201",
+		"gelf-compression-level": "ultra",
+		"gelf-compression-type":  "zlib",
+	})
+	if err == nil {
+		t.Fatal("Expected compression level error")
+	}
+
+	err = ValidateLogOpt(map[string]string{
+		"gelf-address":          "udp://127.0.0.1:12201",
+		"gelf-compression-type": "rar",
+	})
+	if err == nil {
+		t.Fatal("Expected compression type error")
+	}
+
+	err = ValidateLogOpt(map[string]string{
+		"invalid": "invalid",
+	})
+	if err == nil {
+		t.Fatal("Expected unknown option error")
+	}
+
+	err = ValidateLogOpt(map[string]string{})
+	if err == nil {
+		t.Fatal("Expected required parameter error")
+	}
+}
+
+// Validate newGELFTCPWriter
+func TestNewGELFTCPWriter(t *testing.T) {
+	address := "127.0.0.1:0"
+	tcpAddr, err := net.ResolveTCPAddr("tcp", address)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	listener, err := net.ListenTCP("tcp", tcpAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	url := "tcp://" + listener.Addr().String()
+	info := logger.Info{
+		Config: map[string]string{
+			"gelf-address":             url,
+			"gelf-tcp-max-reconnect":   "0",
+			"gelf-tcp-reconnect-delay": "0",
+			"tag": "{{.ID}}",
+		},
+		ContainerID: "12345678901234567890",
+	}
+
+	writer, err := newGELFTCPWriter(listener.Addr().String(), info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = writer.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = listener.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Validate newGELFUDPWriter
+func TestNewGELFUDPWriter(t *testing.T) {
+	address := "127.0.0.1:0"
+	info := logger.Info{
+		Config: map[string]string{
+			"gelf-address":           "udp://127.0.0.1:0",
+			"gelf-compression-level": "5",
+			"gelf-compression-type":  "gzip",
+		},
+	}
+
+	writer, err := newGELFUDPWriter(address, info)
+	if err != nil {
+		t.Fatal(err)
+	}
+	writer.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Validate New for TCP
+func TestNewTCP(t *testing.T) {
+	address := "127.0.0.1:0"
+	tcpAddr, err := net.ResolveTCPAddr("tcp", address)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	listener, err := net.ListenTCP("tcp", tcpAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	url := "tcp://" + listener.Addr().String()
+	info := logger.Info{
+		Config: map[string]string{
+			"gelf-address":             url,
+			"gelf-tcp-max-reconnect":   "0",
+			"gelf-tcp-reconnect-delay": "0",
+		},
+		ContainerID: "12345678901234567890",
+	}
+
+	logger, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = logger.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = listener.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Validate New for UDP
+func TestNewUDP(t *testing.T) {
+	info := logger.Info{
+		Config: map[string]string{
+			"gelf-address":           "udp://127.0.0.1:0",
+			"gelf-compression-level": "5",
+			"gelf-compression-type":  "gzip",
+		},
+		ContainerID: "12345678901234567890",
+	}
+
+	logger, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = logger.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/daemon/logger/journald/journald.go b/engine/daemon/logger/journald/journald.go
new file mode 100644
index 00000000..342e18f5
--- /dev/null
+++ b/engine/daemon/logger/journald/journald.go
@@ -0,0 +1,127 @@
+// +build linux
+
+// Package journald provides the log driver for forwarding server logs
+// to endpoints that receive the systemd format.
+package journald // import "github.com/docker/docker/daemon/logger/journald"
+
+import (
+	"fmt"
+	"sync"
+	"unicode"
+
+	"github.com/coreos/go-systemd/journal"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/loggerutils"
+	"github.com/sirupsen/logrus"
+)
+
+const name = "journald"
+
+type journald struct {
+	mu      sync.Mutex
+	vars    map[string]string // additional variables and values to send to the journal along with the log message
+	readers readerList
+	closed  bool
+}
+
+type readerList struct {
+	readers map[*logger.LogWatcher]*logger.LogWatcher
+}
+
+func init() {
+	if err := logger.RegisterLogDriver(name, New); err != nil {
+		logrus.Fatal(err)
+	}
+	if err := logger.RegisterLogOptValidator(name, validateLogOpt); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// sanitizeKeyMode returns the sanitized string so that it could be used in journald.
+// In journald log, there are special requirements for fields.
+// Fields must be composed of uppercase letters, numbers, and underscores, but must
+// not start with an underscore.
+func sanitizeKeyMod(s string) string {
+	n := ""
+	for _, v := range s {
+		if 'a' <= v && v <= 'z' {
+			v = unicode.ToUpper(v)
+		} else if ('Z' < v || v < 'A') && ('9' < v || v < '0') {
+			v = '_'
+		}
+		// If (n == "" && v == '_'), then we will skip as this is the beginning with '_'
+		if !(n == "" && v == '_') {
+			n += string(v)
+		}
+	}
+	return n
+}
+
+// New creates a journald logger using the configuration passed in on
+// the context.
+func New(info logger.Info) (logger.Logger, error) {
+	if !journal.Enabled() {
+		return nil, fmt.Errorf("journald is not enabled on this host")
+	}
+
+	// parse log tag
+	tag, err := loggerutils.ParseLogTag(info, loggerutils.DefaultTemplate)
+	if err != nil {
+		return nil, err
+	}
+
+	vars := map[string]string{
+		"CONTAINER_ID":      info.ContainerID[:12],
+		"CONTAINER_ID_FULL": info.ContainerID,
+		"CONTAINER_NAME":    info.Name(),
+		"CONTAINER_TAG":     tag,
+		"SYSLOG_IDENTIFIER": tag,
+	}
+	extraAttrs, err := info.ExtraAttributes(sanitizeKeyMod)
+	if err != nil {
+		return nil, err
+	}
+	for k, v := range extraAttrs {
+		vars[k] = v
+	}
+	return &journald{vars: vars, readers: readerList{readers: make(map[*logger.LogWatcher]*logger.LogWatcher)}}, nil
+}
+
+// We don't actually accept any options, but we have to supply a callback for
+// the factory to pass the (probably empty) configuration map to.
+func validateLogOpt(cfg map[string]string) error {
+	for key := range cfg {
+		switch key {
+		case "labels":
+		case "env":
+		case "env-regex":
+		case "tag":
+		default:
+			return fmt.Errorf("unknown log opt '%s' for journald log driver", key)
+		}
+	}
+	return nil
+}
+
+func (s *journald) Log(msg *logger.Message) error {
+	vars := map[string]string{}
+	for k, v := range s.vars {
+		vars[k] = v
+	}
+	if msg.PLogMetaData != nil {
+		vars["CONTAINER_PARTIAL_MESSAGE"] = "true"
+	}
+
+	line := string(msg.Line)
+	source := msg.Source
+	logger.PutMessage(msg)
+
+	if source == "stderr" {
+		return journal.Send(line, journal.PriErr, vars)
+	}
+	return journal.Send(line, journal.PriInfo, vars)
+}
+
+func (s *journald) Name() string {
+	return name
+}
diff --git a/engine/daemon/logger/journald/journald_test.go b/engine/daemon/logger/journald/journald_test.go
new file mode 100644
index 00000000..bd7bf7a3
--- /dev/null
+++ b/engine/daemon/logger/journald/journald_test.go
@@ -0,0 +1,23 @@
+// +build linux
+
+package journald // import "github.com/docker/docker/daemon/logger/journald"
+
+import (
+	"testing"
+)
+
+func TestSanitizeKeyMod(t *testing.T) {
+	entries := map[string]string{
+		"io.kubernetes.pod.name":      "IO_KUBERNETES_POD_NAME",
+		"io?.kubernetes.pod.name":     "IO__KUBERNETES_POD_NAME",
+		"?io.kubernetes.pod.name":     "IO_KUBERNETES_POD_NAME",
+		"io123.kubernetes.pod.name":   "IO123_KUBERNETES_POD_NAME",
+		"_io123.kubernetes.pod.name":  "IO123_KUBERNETES_POD_NAME",
+		"__io123_kubernetes.pod.name": "IO123_KUBERNETES_POD_NAME",
+	}
+	for k, v := range entries {
+		if sanitizeKeyMod(k) != v {
+			t.Fatalf("Failed to sanitize %s, got %s, expected %s", k, sanitizeKeyMod(k), v)
+		}
+	}
+}
diff --git a/engine/daemon/logger/journald/journald_unsupported.go b/engine/daemon/logger/journald/journald_unsupported.go
new file mode 100644
index 00000000..7899fc12
--- /dev/null
+++ b/engine/daemon/logger/journald/journald_unsupported.go
@@ -0,0 +1,6 @@
+// +build !linux
+
+package journald // import "github.com/docker/docker/daemon/logger/journald"
+
+type journald struct {
+}
diff --git a/engine/daemon/logger/journald/read.go b/engine/daemon/logger/journald/read.go
new file mode 100644
index 00000000..d4bcc62d
--- /dev/null
+++ b/engine/daemon/logger/journald/read.go
@@ -0,0 +1,441 @@
+// +build linux,cgo,!static_build,journald
+
+package journald // import "github.com/docker/docker/daemon/logger/journald"
+
+// #include <sys/types.h>
+// #include <sys/poll.h>
+// #include <systemd/sd-journal.h>
+// #include <errno.h>
+// #include <stdio.h>
+// #include <stdlib.h>
+// #include <string.h>
+// #include <time.h>
+// #include <unistd.h>
+//
+//static int get_message(sd_journal *j, const char **msg, size_t *length, int *partial)
+//{
+//	int rc;
+//	size_t plength;
+//	*msg = NULL;
+//	*length = 0;
+//	plength = strlen("CONTAINER_PARTIAL_MESSAGE=true");
+//	rc = sd_journal_get_data(j, "CONTAINER_PARTIAL_MESSAGE", (const void **) msg, length);
+//	*partial = ((rc == 0) && (*length == plength) && (memcmp(*msg, "CONTAINER_PARTIAL_MESSAGE=true", plength) == 0));
+//	rc = sd_journal_get_data(j, "MESSAGE", (const void **) msg, length);
+//	if (rc == 0) {
+//		if (*length > 8) {
+//			(*msg) += 8;
+//			*length -= 8;
+//		} else {
+//			*msg = NULL;
+//			*length = 0;
+//			rc = -ENOENT;
+//		}
+//	}
+//	return rc;
+//}
+//static int get_priority(sd_journal *j, int *priority)
+//{
+//	const void *data;
+//	size_t i, length;
+//	int rc;
+//	*priority = -1;
+//	rc = sd_journal_get_data(j, "PRIORITY", &data, &length);
+//	if (rc == 0) {
+//		if ((length > 9) && (strncmp(data, "PRIORITY=", 9) == 0)) {
+//			*priority = 0;
+//			for (i = 9; i < length; i++) {
+//				*priority = *priority * 10 + ((const char *)data)[i] - '0';
+//			}
+//			if (length > 9) {
+//				rc = 0;
+//			}
+//		}
+//	}
+//	return rc;
+//}
+//static int is_attribute_field(const char *msg, size_t length)
+//{
+//	static const struct known_field {
+//		const char *name;
+//		size_t length;
+//	} fields[] = {
+//		{"MESSAGE", sizeof("MESSAGE") - 1},
+//		{"MESSAGE_ID", sizeof("MESSAGE_ID") - 1},
+//		{"PRIORITY", sizeof("PRIORITY") - 1},
+//		{"CODE_FILE", sizeof("CODE_FILE") - 1},
+//		{"CODE_LINE", sizeof("CODE_LINE") - 1},
+//		{"CODE_FUNC", sizeof("CODE_FUNC") - 1},
+//		{"ERRNO", sizeof("ERRNO") - 1},
+//		{"SYSLOG_FACILITY", sizeof("SYSLOG_FACILITY") - 1},
+//		{"SYSLOG_IDENTIFIER", sizeof("SYSLOG_IDENTIFIER") - 1},
+//		{"SYSLOG_PID", sizeof("SYSLOG_PID") - 1},
+//		{"CONTAINER_NAME", sizeof("CONTAINER_NAME") - 1},
+//		{"CONTAINER_ID", sizeof("CONTAINER_ID") - 1},
+//		{"CONTAINER_ID_FULL", sizeof("CONTAINER_ID_FULL") - 1},
+//		{"CONTAINER_TAG", sizeof("CONTAINER_TAG") - 1},
+//	};
+//	unsigned int i;
+//	void *p;
+//	if ((length < 1) || (msg[0] == '_') || ((p = memchr(msg, '=', length)) == NULL)) {
+//		return -1;
+//	}
+//	length = ((const char *) p) - msg;
+//	for (i = 0; i < sizeof(fields) / sizeof(fields[0]); i++) {
+//		if ((fields[i].length == length) && (memcmp(fields[i].name, msg, length) == 0)) {
+//			return -1;
+//		}
+//	}
+//	return 0;
+//}
+//static int get_attribute_field(sd_journal *j, const char **msg, size_t *length)
+//{
+//	int rc;
+//	*msg = NULL;
+//	*length = 0;
+//	while ((rc = sd_journal_enumerate_data(j, (const void **) msg, length)) > 0) {
+//		if (is_attribute_field(*msg, *length) == 0) {
+//			break;
+//		}
+//		rc = -ENOENT;
+//	}
+//	return rc;
+//}
+//static int wait_for_data_cancelable(sd_journal *j, int pipefd)
+//{
+//	struct pollfd fds[2];
+//	uint64_t when = 0;
+//	int timeout, jevents, i;
+//	struct timespec ts;
+//	uint64_t now;
+//
+//	memset(&fds, 0, sizeof(fds));
+//	fds[0].fd = pipefd;
+//	fds[0].events = POLLHUP;
+//	fds[1].fd = sd_journal_get_fd(j);
+//	if (fds[1].fd < 0) {
+//		return fds[1].fd;
+//	}
+//
+//	do {
+//		jevents = sd_journal_get_events(j);
+//		if (jevents < 0) {
+//			return jevents;
+//		}
+//		fds[1].events = jevents;
+//		sd_journal_get_timeout(j, &when);
+//		if (when == -1) {
+//			timeout = -1;
+//		} else {
+//			clock_gettime(CLOCK_MONOTONIC, &ts);
+//			now = (uint64_t) ts.tv_sec * 1000000 + ts.tv_nsec / 1000;
+//			timeout = when > now ? (int) ((when - now + 999) / 1000) : 0;
+//		}
+//		i = poll(fds, 2, timeout);
+//		if ((i == -1) && (errno != EINTR)) {
+//			/* An unexpected error. */
+//			return (errno != 0) ? -errno : -EINTR;
+//		}
+//		if (fds[0].revents & POLLHUP) {
+//			/* The close notification pipe was closed. */
+//			return 0;
+//		}
+//		if (sd_journal_process(j) == SD_JOURNAL_APPEND) {
+//			/* Data, which we might care about, was appended. */
+//			return 1;
+//		}
+//	} while ((fds[0].revents & POLLHUP) == 0);
+//	return 0;
+//}
+import "C"
+
+import (
+	"fmt"
+	"strings"
+	"time"
+	"unsafe"
+
+	"github.com/coreos/go-systemd/journal"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/sirupsen/logrus"
+)
+
+func (s *journald) Close() error {
+	s.mu.Lock()
+	s.closed = true
+	for reader := range s.readers.readers {
+		reader.Close()
+	}
+	s.mu.Unlock()
+	return nil
+}
+
+func (s *journald) drainJournal(logWatcher *logger.LogWatcher, j *C.sd_journal, oldCursor *C.char, untilUnixMicro uint64) (*C.char, bool) {
+	var msg, data, cursor *C.char
+	var length C.size_t
+	var stamp C.uint64_t
+	var priority, partial C.int
+	var done bool
+
+	// Walk the journal from here forward until we run out of new entries
+	// or we reach the until value (if provided).
+drain:
+	for {
+		// Try not to send a given entry twice.
+		if oldCursor != nil {
+			for C.sd_journal_test_cursor(j, oldCursor) > 0 {
+				if C.sd_journal_next(j) <= 0 {
+					break drain
+				}
+			}
+		}
+		// Read and send the logged message, if there is one to read.
+		i := C.get_message(j, &msg, &length, &partial)
+		if i != -C.ENOENT && i != -C.EADDRNOTAVAIL {
+			// Read the entry's timestamp.
+			if C.sd_journal_get_realtime_usec(j, &stamp) != 0 {
+				break
+			}
+			// Break if the timestamp exceeds any provided until flag.
+			if untilUnixMicro != 0 && untilUnixMicro < uint64(stamp) {
+				done = true
+				break
+			}
+
+			// Set up the time and text of the entry.
+			timestamp := time.Unix(int64(stamp)/1000000, (int64(stamp)%1000000)*1000)
+			line := C.GoBytes(unsafe.Pointer(msg), C.int(length))
+			if partial == 0 {
+				line = append(line, "\n"...)
+			}
+			// Recover the stream name by mapping
+			// from the journal priority back to
+			// the stream that we would have
+			// assigned that value.
+			source := ""
+			if C.get_priority(j, &priority) != 0 {
+				source = ""
+			} else if priority == C.int(journal.PriErr) {
+				source = "stderr"
+			} else if priority == C.int(journal.PriInfo) {
+				source = "stdout"
+			}
+			// Retrieve the values of any variables we're adding to the journal.
+			var attrs []backend.LogAttr
+			C.sd_journal_restart_data(j)
+			for C.get_attribute_field(j, &data, &length) > C.int(0) {
+				kv := strings.SplitN(C.GoStringN(data, C.int(length)), "=", 2)
+				attrs = append(attrs, backend.LogAttr{Key: kv[0], Value: kv[1]})
+			}
+			// Send the log message.
+			logWatcher.Msg <- &logger.Message{
+				Line:      line,
+				Source:    source,
+				Timestamp: timestamp.In(time.UTC),
+				Attrs:     attrs,
+			}
+		}
+		// If we're at the end of the journal, we're done (for now).
+		if C.sd_journal_next(j) <= 0 {
+			break
+		}
+	}
+
+	// free(NULL) is safe
+	C.free(unsafe.Pointer(oldCursor))
+	if C.sd_journal_get_cursor(j, &cursor) != 0 {
+		// ensure that we won't be freeing an address that's invalid
+		cursor = nil
+	}
+	return cursor, done
+}
+
+func (s *journald) followJournal(logWatcher *logger.LogWatcher, j *C.sd_journal, pfd [2]C.int, cursor *C.char, untilUnixMicro uint64) *C.char {
+	s.mu.Lock()
+	s.readers.readers[logWatcher] = logWatcher
+	if s.closed {
+		// the journald Logger is closed, presumably because the container has been
+		// reset.  So we shouldn't follow, because we'll never be woken up.  But we
+		// should make one more drainJournal call to be sure we've got all the logs.
+		// Close pfd[1] so that one drainJournal happens, then cleanup, then return.
+		C.close(pfd[1])
+	}
+	s.mu.Unlock()
+
+	newCursor := make(chan *C.char)
+
+	go func() {
+		for {
+			// Keep copying journal data out until we're notified to stop
+			// or we hit an error.
+			status := C.wait_for_data_cancelable(j, pfd[0])
+			if status < 0 {
+				cerrstr := C.strerror(C.int(-status))
+				errstr := C.GoString(cerrstr)
+				fmtstr := "error %q while attempting to follow journal for container %q"
+				logrus.Errorf(fmtstr, errstr, s.vars["CONTAINER_ID_FULL"])
+				break
+			}
+
+			var done bool
+			cursor, done = s.drainJournal(logWatcher, j, cursor, untilUnixMicro)
+
+			if status != 1 || done {
+				// We were notified to stop
+				break
+			}
+		}
+
+		// Clean up.
+		C.close(pfd[0])
+		s.mu.Lock()
+		delete(s.readers.readers, logWatcher)
+		s.mu.Unlock()
+		close(logWatcher.Msg)
+		newCursor <- cursor
+	}()
+
+	// Wait until we're told to stop.
+	select {
+	case cursor = <-newCursor:
+	case <-logWatcher.WatchClose():
+		// Notify the other goroutine that its work is done.
+		C.close(pfd[1])
+		cursor = <-newCursor
+	}
+
+	return cursor
+}
+
+func (s *journald) readLogs(logWatcher *logger.LogWatcher, config logger.ReadConfig) {
+	var j *C.sd_journal
+	var cmatch, cursor *C.char
+	var stamp C.uint64_t
+	var sinceUnixMicro uint64
+	var untilUnixMicro uint64
+	var pipes [2]C.int
+
+	// Get a handle to the journal.
+	rc := C.sd_journal_open(&j, C.int(0))
+	if rc != 0 {
+		logWatcher.Err <- fmt.Errorf("error opening journal")
+		close(logWatcher.Msg)
+		return
+	}
+	// If we end up following the log, we can set the journal context
+	// pointer and the channel pointer to nil so that we won't close them
+	// here, potentially while the goroutine that uses them is still
+	// running.  Otherwise, close them when we return from this function.
+	following := false
+	defer func(pfollowing *bool) {
+		if !*pfollowing {
+			close(logWatcher.Msg)
+		}
+		C.sd_journal_close(j)
+	}(&following)
+	// Remove limits on the size of data items that we'll retrieve.
+	rc = C.sd_journal_set_data_threshold(j, C.size_t(0))
+	if rc != 0 {
+		logWatcher.Err <- fmt.Errorf("error setting journal data threshold")
+		return
+	}
+	// Add a match to have the library do the searching for us.
+	cmatch = C.CString("CONTAINER_ID_FULL=" + s.vars["CONTAINER_ID_FULL"])
+	defer C.free(unsafe.Pointer(cmatch))
+	rc = C.sd_journal_add_match(j, unsafe.Pointer(cmatch), C.strlen(cmatch))
+	if rc != 0 {
+		logWatcher.Err <- fmt.Errorf("error setting journal match")
+		return
+	}
+	// If we have a cutoff time, convert it to Unix time once.
+	if !config.Since.IsZero() {
+		nano := config.Since.UnixNano()
+		sinceUnixMicro = uint64(nano / 1000)
+	}
+	// If we have an until value, convert it too
+	if !config.Until.IsZero() {
+		nano := config.Until.UnixNano()
+		untilUnixMicro = uint64(nano / 1000)
+	}
+	if config.Tail > 0 {
+		lines := config.Tail
+		// If until time provided, start from there.
+		// Otherwise start at the end of the journal.
+		if untilUnixMicro != 0 && C.sd_journal_seek_realtime_usec(j, C.uint64_t(untilUnixMicro)) < 0 {
+			logWatcher.Err <- fmt.Errorf("error seeking provided until value")
+			return
+		} else if C.sd_journal_seek_tail(j) < 0 {
+			logWatcher.Err <- fmt.Errorf("error seeking to end of journal")
+			return
+		}
+		if C.sd_journal_previous(j) < 0 {
+			logWatcher.Err <- fmt.Errorf("error backtracking to previous journal entry")
+			return
+		}
+		// Walk backward.
+		for lines > 0 {
+			// Stop if the entry time is before our cutoff.
+			// We'll need the entry time if it isn't, so go
+			// ahead and parse it now.
+			if C.sd_journal_get_realtime_usec(j, &stamp) != 0 {
+				break
+			} else {
+				// Compare the timestamp on the entry to our threshold value.
+				if sinceUnixMicro != 0 && sinceUnixMicro > uint64(stamp) {
+					break
+				}
+			}
+			lines--
+			// If we're at the start of the journal, or
+			// don't need to back up past any more entries,
+			// stop.
+			if lines == 0 || C.sd_journal_previous(j) <= 0 {
+				break
+			}
+		}
+	} else {
+		// Start at the beginning of the journal.
+		if C.sd_journal_seek_head(j) < 0 {
+			logWatcher.Err <- fmt.Errorf("error seeking to start of journal")
+			return
+		}
+		// If we have a cutoff date, fast-forward to it.
+		if sinceUnixMicro != 0 && C.sd_journal_seek_realtime_usec(j, C.uint64_t(sinceUnixMicro)) != 0 {
+			logWatcher.Err <- fmt.Errorf("error seeking to start time in journal")
+			return
+		}
+		if C.sd_journal_next(j) < 0 {
+			logWatcher.Err <- fmt.Errorf("error skipping to next journal entry")
+			return
+		}
+	}
+	cursor, _ = s.drainJournal(logWatcher, j, nil, untilUnixMicro)
+	if config.Follow {
+		// Allocate a descriptor for following the journal, if we'll
+		// need one.  Do it here so that we can report if it fails.
+		if fd := C.sd_journal_get_fd(j); fd < C.int(0) {
+			logWatcher.Err <- fmt.Errorf("error opening journald follow descriptor: %q", C.GoString(C.strerror(-fd)))
+		} else {
+			// Create a pipe that we can poll at the same time as
+			// the journald descriptor.
+			if C.pipe(&pipes[0]) == C.int(-1) {
+				logWatcher.Err <- fmt.Errorf("error opening journald close notification pipe")
+			} else {
+				cursor = s.followJournal(logWatcher, j, pipes, cursor, untilUnixMicro)
+				// Let followJournal handle freeing the journal context
+				// object and closing the channel.
+				following = true
+			}
+		}
+	}
+
+	C.free(unsafe.Pointer(cursor))
+	return
+}
+
+func (s *journald) ReadLogs(config logger.ReadConfig) *logger.LogWatcher {
+	logWatcher := logger.NewLogWatcher()
+	go s.readLogs(logWatcher, config)
+	return logWatcher
+}
diff --git a/engine/daemon/logger/journald/read_native.go b/engine/daemon/logger/journald/read_native.go
new file mode 100644
index 00000000..ab68cf4b
--- /dev/null
+++ b/engine/daemon/logger/journald/read_native.go
@@ -0,0 +1,6 @@
+// +build linux,cgo,!static_build,journald,!journald_compat
+
+package journald // import "github.com/docker/docker/daemon/logger/journald"
+
+// #cgo pkg-config: libsystemd
+import "C"
diff --git a/engine/daemon/logger/journald/read_native_compat.go b/engine/daemon/logger/journald/read_native_compat.go
new file mode 100644
index 00000000..4806e130
--- /dev/null
+++ b/engine/daemon/logger/journald/read_native_compat.go
@@ -0,0 +1,6 @@
+// +build linux,cgo,!static_build,journald,journald_compat
+
+package journald // import "github.com/docker/docker/daemon/logger/journald"
+
+// #cgo pkg-config: libsystemd-journal
+import "C"
diff --git a/engine/daemon/logger/journald/read_unsupported.go b/engine/daemon/logger/journald/read_unsupported.go
new file mode 100644
index 00000000..a66b6666
--- /dev/null
+++ b/engine/daemon/logger/journald/read_unsupported.go
@@ -0,0 +1,7 @@
+// +build !linux !cgo static_build !journald
+
+package journald // import "github.com/docker/docker/daemon/logger/journald"
+
+func (s *journald) Close() error {
+	return nil
+}
diff --git a/engine/daemon/logger/jsonfilelog/jsonfilelog.go b/engine/daemon/logger/jsonfilelog/jsonfilelog.go
new file mode 100644
index 00000000..b806a5ad
--- /dev/null
+++ b/engine/daemon/logger/jsonfilelog/jsonfilelog.go
@@ -0,0 +1,185 @@
+// Package jsonfilelog provides the default Logger implementation for
+// Docker logging. This logger logs to files on the host server in the
+// JSON format.
+package jsonfilelog // import "github.com/docker/docker/daemon/logger/jsonfilelog"
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"strconv"
+	"sync"
+
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/jsonfilelog/jsonlog"
+	"github.com/docker/docker/daemon/logger/loggerutils"
+	"github.com/docker/go-units"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Name is the name of the file that the jsonlogger logs to.
+const Name = "json-file"
+
+// JSONFileLogger is Logger implementation for default Docker logging.
+type JSONFileLogger struct {
+	mu      sync.Mutex
+	closed  bool
+	writer  *loggerutils.LogFile
+	readers map[*logger.LogWatcher]struct{} // stores the active log followers
+	tag     string                          // tag values requested by the user to log
+}
+
+func init() {
+	if err := logger.RegisterLogDriver(Name, New); err != nil {
+		logrus.Fatal(err)
+	}
+	if err := logger.RegisterLogOptValidator(Name, ValidateLogOpt); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// New creates new JSONFileLogger which writes to filename passed in
+// on given context.
+func New(info logger.Info) (logger.Logger, error) {
+	var capval int64 = -1
+	if capacity, ok := info.Config["max-size"]; ok {
+		var err error
+		capval, err = units.FromHumanSize(capacity)
+		if err != nil {
+			return nil, err
+		}
+		if capval <= 0 {
+			return nil, fmt.Errorf("max-size should be a positive numbler")
+		}
+	}
+	var maxFiles = 1
+	if maxFileString, ok := info.Config["max-file"]; ok {
+		var err error
+		maxFiles, err = strconv.Atoi(maxFileString)
+		if err != nil {
+			return nil, err
+		}
+		if maxFiles < 1 {
+			return nil, fmt.Errorf("max-file cannot be less than 1")
+		}
+	}
+
+	var compress bool
+	if compressString, ok := info.Config["compress"]; ok {
+		var err error
+		compress, err = strconv.ParseBool(compressString)
+		if err != nil {
+			return nil, err
+		}
+		if compress && (maxFiles == 1 || capval == -1) {
+			return nil, fmt.Errorf("compress cannot be true when max-file is less than 2 or max-size is not set")
+		}
+	}
+
+	attrs, err := info.ExtraAttributes(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	// no default template. only use a tag if the user asked for it
+	tag, err := loggerutils.ParseLogTag(info, "")
+	if err != nil {
+		return nil, err
+	}
+	if tag != "" {
+		attrs["tag"] = tag
+	}
+
+	var extra []byte
+	if len(attrs) > 0 {
+		var err error
+		extra, err = json.Marshal(attrs)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	buf := bytes.NewBuffer(nil)
+	marshalFunc := func(msg *logger.Message) ([]byte, error) {
+		if err := marshalMessage(msg, extra, buf); err != nil {
+			return nil, err
+		}
+		b := buf.Bytes()
+		buf.Reset()
+		return b, nil
+	}
+
+	writer, err := loggerutils.NewLogFile(info.LogPath, capval, maxFiles, compress, marshalFunc, decodeFunc, 0640)
+	if err != nil {
+		return nil, err
+	}
+
+	return &JSONFileLogger{
+		writer:  writer,
+		readers: make(map[*logger.LogWatcher]struct{}),
+		tag:     tag,
+	}, nil
+}
+
+// Log converts logger.Message to jsonlog.JSONLog and serializes it to file.
+func (l *JSONFileLogger) Log(msg *logger.Message) error {
+	l.mu.Lock()
+	err := l.writer.WriteLogEntry(msg)
+	l.mu.Unlock()
+	return err
+}
+
+func marshalMessage(msg *logger.Message, extra json.RawMessage, buf *bytes.Buffer) error {
+	logLine := msg.Line
+	if msg.PLogMetaData == nil || (msg.PLogMetaData != nil && msg.PLogMetaData.Last) {
+		logLine = append(msg.Line, '\n')
+	}
+	err := (&jsonlog.JSONLogs{
+		Log:      logLine,
+		Stream:   msg.Source,
+		Created:  msg.Timestamp,
+		RawAttrs: extra,
+	}).MarshalJSONBuf(buf)
+	if err != nil {
+		return errors.Wrap(err, "error writing log message to buffer")
+	}
+	err = buf.WriteByte('\n')
+	return errors.Wrap(err, "error finalizing log buffer")
+}
+
+// ValidateLogOpt looks for json specific log options max-file & max-size.
+func ValidateLogOpt(cfg map[string]string) error {
+	for key := range cfg {
+		switch key {
+		case "max-file":
+		case "max-size":
+		case "compress":
+		case "labels":
+		case "env":
+		case "env-regex":
+		case "tag":
+		default:
+			return fmt.Errorf("unknown log opt '%s' for json-file log driver", key)
+		}
+	}
+	return nil
+}
+
+// Close closes underlying file and signals all readers to stop.
+func (l *JSONFileLogger) Close() error {
+	l.mu.Lock()
+	l.closed = true
+	err := l.writer.Close()
+	for r := range l.readers {
+		r.Close()
+		delete(l.readers, r)
+	}
+	l.mu.Unlock()
+	return err
+}
+
+// Name returns name of this logger.
+func (l *JSONFileLogger) Name() string {
+	return Name
+}
diff --git a/engine/daemon/logger/jsonfilelog/jsonfilelog_test.go b/engine/daemon/logger/jsonfilelog/jsonfilelog_test.go
new file mode 100644
index 00000000..22bbcf2e
--- /dev/null
+++ b/engine/daemon/logger/jsonfilelog/jsonfilelog_test.go
@@ -0,0 +1,302 @@
+package jsonfilelog // import "github.com/docker/docker/daemon/logger/jsonfilelog"
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/jsonfilelog/jsonlog"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+func TestJSONFileLogger(t *testing.T) {
+	cid := "a7317399f3f857173c6179d44823594f8294678dea9999662e5c625b5a1c7657"
+	tmp, err := ioutil.TempDir("", "docker-logger-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+	filename := filepath.Join(tmp, "container.log")
+	l, err := New(logger.Info{
+		ContainerID: cid,
+		LogPath:     filename,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	if err := l.Log(&logger.Message{Line: []byte("line1"), Source: "src1"}); err != nil {
+		t.Fatal(err)
+	}
+	if err := l.Log(&logger.Message{Line: []byte("line2"), Source: "src2"}); err != nil {
+		t.Fatal(err)
+	}
+	if err := l.Log(&logger.Message{Line: []byte("line3"), Source: "src3"}); err != nil {
+		t.Fatal(err)
+	}
+	res, err := ioutil.ReadFile(filename)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expected := `{"log":"line1\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line2\n","stream":"src2","time":"0001-01-01T00:00:00Z"}
+{"log":"line3\n","stream":"src3","time":"0001-01-01T00:00:00Z"}
+`
+
+	if string(res) != expected {
+		t.Fatalf("Wrong log content: %q, expected %q", res, expected)
+	}
+}
+
+func TestJSONFileLoggerWithTags(t *testing.T) {
+	cid := "a7317399f3f857173c6179d44823594f8294678dea9999662e5c625b5a1c7657"
+	cname := "test-container"
+	tmp, err := ioutil.TempDir("", "docker-logger-")
+
+	assert.NilError(t, err)
+
+	defer os.RemoveAll(tmp)
+	filename := filepath.Join(tmp, "container.log")
+	l, err := New(logger.Info{
+		Config: map[string]string{
+			"tag": "{{.ID}}/{{.Name}}", // first 12 characters of ContainerID and full ContainerName
+		},
+		ContainerID:   cid,
+		ContainerName: cname,
+		LogPath:       filename,
+	})
+
+	assert.NilError(t, err)
+	defer l.Close()
+
+	err = l.Log(&logger.Message{Line: []byte("line1"), Source: "src1"})
+	assert.NilError(t, err)
+
+	err = l.Log(&logger.Message{Line: []byte("line2"), Source: "src2"})
+	assert.NilError(t, err)
+
+	err = l.Log(&logger.Message{Line: []byte("line3"), Source: "src3"})
+	assert.NilError(t, err)
+
+	res, err := ioutil.ReadFile(filename)
+	assert.NilError(t, err)
+
+	expected := `{"log":"line1\n","stream":"src1","attrs":{"tag":"a7317399f3f8/test-container"},"time":"0001-01-01T00:00:00Z"}
+{"log":"line2\n","stream":"src2","attrs":{"tag":"a7317399f3f8/test-container"},"time":"0001-01-01T00:00:00Z"}
+{"log":"line3\n","stream":"src3","attrs":{"tag":"a7317399f3f8/test-container"},"time":"0001-01-01T00:00:00Z"}
+`
+	assert.Check(t, is.Equal(expected, string(res)))
+}
+
+func BenchmarkJSONFileLoggerLog(b *testing.B) {
+	tmp := fs.NewDir(b, "bench-jsonfilelog")
+	defer tmp.Remove()
+
+	jsonlogger, err := New(logger.Info{
+		ContainerID: "a7317399f3f857173c6179d44823594f8294678dea9999662e5c625b5a1c7657",
+		LogPath:     tmp.Join("container.log"),
+		Config: map[string]string{
+			"labels": "first,second",
+		},
+		ContainerLabels: map[string]string{
+			"first":  "label_value",
+			"second": "label_foo",
+		},
+	})
+	assert.NilError(b, err)
+	defer jsonlogger.Close()
+
+	msg := &logger.Message{
+		Line:      []byte("Line that thinks that it is log line from docker\n"),
+		Source:    "stderr",
+		Timestamp: time.Now().UTC(),
+	}
+
+	buf := bytes.NewBuffer(nil)
+	assert.NilError(b, marshalMessage(msg, nil, buf))
+	b.SetBytes(int64(buf.Len()))
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		if err := jsonlogger.Log(msg); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func TestJSONFileLoggerWithOpts(t *testing.T) {
+	cid := "a7317399f3f857173c6179d44823594f8294678dea9999662e5c625b5a1c7657"
+	tmp, err := ioutil.TempDir("", "docker-logger-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+	filename := filepath.Join(tmp, "container.log")
+	config := map[string]string{"max-file": "3", "max-size": "1k", "compress": "true"}
+	l, err := New(logger.Info{
+		ContainerID: cid,
+		LogPath:     filename,
+		Config:      config,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+	for i := 0; i < 36; i++ {
+		if err := l.Log(&logger.Message{Line: []byte("line" + strconv.Itoa(i)), Source: "src1"}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	res, err := ioutil.ReadFile(filename)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	penUlt, err := ioutil.ReadFile(filename + ".1")
+	if err != nil {
+		if !os.IsNotExist(err) {
+			t.Fatal(err)
+		}
+
+		file, err := os.Open(filename + ".1.gz")
+		defer file.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
+		zipReader, err := gzip.NewReader(file)
+		defer zipReader.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
+		penUlt, err = ioutil.ReadAll(zipReader)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	file, err := os.Open(filename + ".2.gz")
+	defer file.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+	zipReader, err := gzip.NewReader(file)
+	defer zipReader.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+	antepenult, err := ioutil.ReadAll(zipReader)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedAntepenultimate := `{"log":"line0\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line1\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line2\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line3\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line4\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line5\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line6\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line7\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line8\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line9\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line10\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line11\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line12\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line13\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line14\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line15\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+`
+	expectedPenultimate := `{"log":"line16\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line17\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line18\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line19\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line20\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line21\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line22\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line23\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line24\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line25\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line26\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line27\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line28\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line29\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line30\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line31\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+`
+	expected := `{"log":"line32\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line33\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line34\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+{"log":"line35\n","stream":"src1","time":"0001-01-01T00:00:00Z"}
+`
+
+	if string(res) != expected {
+		t.Fatalf("Wrong log content: %q, expected %q", res, expected)
+	}
+	if string(penUlt) != expectedPenultimate {
+		t.Fatalf("Wrong log content: %q, expected %q", penUlt, expectedPenultimate)
+	}
+	if string(antepenult) != expectedAntepenultimate {
+		t.Fatalf("Wrong log content: %q, expected %q", antepenult, expectedAntepenultimate)
+	}
+}
+
+func TestJSONFileLoggerWithLabelsEnv(t *testing.T) {
+	cid := "a7317399f3f857173c6179d44823594f8294678dea9999662e5c625b5a1c7657"
+	tmp, err := ioutil.TempDir("", "docker-logger-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+	filename := filepath.Join(tmp, "container.log")
+	config := map[string]string{"labels": "rack,dc", "env": "environ,debug,ssl", "env-regex": "^dc"}
+	l, err := New(logger.Info{
+		ContainerID:     cid,
+		LogPath:         filename,
+		Config:          config,
+		ContainerLabels: map[string]string{"rack": "101", "dc": "lhr"},
+		ContainerEnv:    []string{"environ=production", "debug=false", "port=10001", "ssl=true", "dc_region=west"},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+	if err := l.Log(&logger.Message{Line: []byte("line"), Source: "src1"}); err != nil {
+		t.Fatal(err)
+	}
+	res, err := ioutil.ReadFile(filename)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var jsonLog jsonlog.JSONLogs
+	if err := json.Unmarshal(res, &jsonLog); err != nil {
+		t.Fatal(err)
+	}
+	extra := make(map[string]string)
+	if err := json.Unmarshal(jsonLog.RawAttrs, &extra); err != nil {
+		t.Fatal(err)
+	}
+	expected := map[string]string{
+		"rack":      "101",
+		"dc":        "lhr",
+		"environ":   "production",
+		"debug":     "false",
+		"ssl":       "true",
+		"dc_region": "west",
+	}
+	if !reflect.DeepEqual(extra, expected) {
+		t.Fatalf("Wrong log attrs: %q, expected %q", extra, expected)
+	}
+}
diff --git a/engine/daemon/logger/jsonfilelog/jsonlog/jsonlog.go b/engine/daemon/logger/jsonfilelog/jsonlog/jsonlog.go
new file mode 100644
index 00000000..74be8e7d
--- /dev/null
+++ b/engine/daemon/logger/jsonfilelog/jsonlog/jsonlog.go
@@ -0,0 +1,25 @@
+package jsonlog // import "github.com/docker/docker/daemon/logger/jsonfilelog/jsonlog"
+
+import (
+	"time"
+)
+
+// JSONLog is a log message, typically a single entry from a given log stream.
+type JSONLog struct {
+	// Log is the log message
+	Log string `json:"log,omitempty"`
+	// Stream is the log source
+	Stream string `json:"stream,omitempty"`
+	// Created is the created timestamp of log
+	Created time.Time `json:"time"`
+	// Attrs is the list of extra attributes provided by the user
+	Attrs map[string]string `json:"attrs,omitempty"`
+}
+
+// Reset all fields to their zero value.
+func (jl *JSONLog) Reset() {
+	jl.Log = ""
+	jl.Stream = ""
+	jl.Created = time.Time{}
+	jl.Attrs = make(map[string]string)
+}
diff --git a/engine/daemon/logger/jsonfilelog/jsonlog/jsonlogbytes.go b/engine/daemon/logger/jsonfilelog/jsonlog/jsonlogbytes.go
new file mode 100644
index 00000000..577c718f
--- /dev/null
+++ b/engine/daemon/logger/jsonfilelog/jsonlog/jsonlogbytes.go
@@ -0,0 +1,125 @@
+package jsonlog // import "github.com/docker/docker/daemon/logger/jsonfilelog/jsonlog"
+
+import (
+	"bytes"
+	"encoding/json"
+	"time"
+	"unicode/utf8"
+)
+
+// JSONLogs marshals encoded JSONLog objects
+type JSONLogs struct {
+	Log     []byte    `json:"log,omitempty"`
+	Stream  string    `json:"stream,omitempty"`
+	Created time.Time `json:"time"`
+
+	// json-encoded bytes
+	RawAttrs json.RawMessage `json:"attrs,omitempty"`
+}
+
+// MarshalJSONBuf is an optimized JSON marshaller that avoids reflection
+// and unnecessary allocation.
+func (mj *JSONLogs) MarshalJSONBuf(buf *bytes.Buffer) error {
+	var first = true
+
+	buf.WriteString(`{`)
+	if len(mj.Log) != 0 {
+		first = false
+		buf.WriteString(`"log":`)
+		ffjsonWriteJSONBytesAsString(buf, mj.Log)
+	}
+	if len(mj.Stream) != 0 {
+		if first {
+			first = false
+		} else {
+			buf.WriteString(`,`)
+		}
+		buf.WriteString(`"stream":`)
+		ffjsonWriteJSONBytesAsString(buf, []byte(mj.Stream))
+	}
+	if len(mj.RawAttrs) > 0 {
+		if first {
+			first = false
+		} else {
+			buf.WriteString(`,`)
+		}
+		buf.WriteString(`"attrs":`)
+		buf.Write(mj.RawAttrs)
+	}
+	if !first {
+		buf.WriteString(`,`)
+	}
+
+	created, err := fastTimeMarshalJSON(mj.Created)
+	if err != nil {
+		return err
+	}
+
+	buf.WriteString(`"time":`)
+	buf.WriteString(created)
+	buf.WriteString(`}`)
+	return nil
+}
+
+func ffjsonWriteJSONBytesAsString(buf *bytes.Buffer, s []byte) {
+	const hex = "0123456789abcdef"
+
+	buf.WriteByte('"')
+	start := 0
+	for i := 0; i < len(s); {
+		if b := s[i]; b < utf8.RuneSelf {
+			if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
+				i++
+				continue
+			}
+			if start < i {
+				buf.Write(s[start:i])
+			}
+			switch b {
+			case '\\', '"':
+				buf.WriteByte('\\')
+				buf.WriteByte(b)
+			case '\n':
+				buf.WriteByte('\\')
+				buf.WriteByte('n')
+			case '\r':
+				buf.WriteByte('\\')
+				buf.WriteByte('r')
+			default:
+
+				buf.WriteString(`\u00`)
+				buf.WriteByte(hex[b>>4])
+				buf.WriteByte(hex[b&0xF])
+			}
+			i++
+			start = i
+			continue
+		}
+		c, size := utf8.DecodeRune(s[i:])
+		if c == utf8.RuneError && size == 1 {
+			if start < i {
+				buf.Write(s[start:i])
+			}
+			buf.WriteString(`\ufffd`)
+			i += size
+			start = i
+			continue
+		}
+
+		if c == '\u2028' || c == '\u2029' {
+			if start < i {
+				buf.Write(s[start:i])
+			}
+			buf.WriteString(`\u202`)
+			buf.WriteByte(hex[c&0xF])
+			i += size
+			start = i
+			continue
+		}
+		i += size
+	}
+	if start < len(s) {
+		buf.Write(s[start:])
+	}
+	buf.WriteByte('"')
+}
diff --git a/engine/daemon/logger/jsonfilelog/jsonlog/jsonlogbytes_test.go b/engine/daemon/logger/jsonfilelog/jsonlog/jsonlogbytes_test.go
new file mode 100644
index 00000000..d268db4d
--- /dev/null
+++ b/engine/daemon/logger/jsonfilelog/jsonlog/jsonlogbytes_test.go
@@ -0,0 +1,51 @@
+package jsonlog // import "github.com/docker/docker/daemon/logger/jsonfilelog/jsonlog"
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"testing"
+	"time"
+
+	"gotest.tools/assert"
+)
+
+func TestJSONLogsMarshalJSONBuf(t *testing.T) {
+	logs := map[*JSONLogs]string{
+		{Log: []byte(`"A log line with \\"`)}:                  `^{\"log\":\"\\\"A log line with \\\\\\\\\\\"\",\"time\":`,
+		{Log: []byte("A log line")}:                            `^{\"log\":\"A log line\",\"time\":`,
+		{Log: []byte("A log line with \r")}:                    `^{\"log\":\"A log line with \\r\",\"time\":`,
+		{Log: []byte("A log line with & < >")}:                 `^{\"log\":\"A log line with \\u0026 \\u003c \\u003e\",\"time\":`,
+		{Log: []byte("A log line with utf8 : 🚀 ψ ω β")}:        `^{\"log\":\"A log line with utf8 : 🚀 ψ ω β\",\"time\":`,
+		{Stream: "stdout"}:                                     `^{\"stream\":\"stdout\",\"time\":`,
+		{Stream: "stdout", Log: []byte("A log line")}:          `^{\"log\":\"A log line\",\"stream\":\"stdout\",\"time\":`,
+		{Created: time.Date(2017, 9, 1, 1, 1, 1, 1, time.UTC)}: `^{\"time\":"2017-09-01T01:01:01.000000001Z"}$`,
+
+		{}: `^{\"time\":"0001-01-01T00:00:00Z"}$`,
+		// These ones are a little weird
+		{Log: []byte("\u2028 \u2029")}: `^{\"log\":\"\\u2028 \\u2029\",\"time\":`,
+		{Log: []byte{0xaF}}:            `^{\"log\":\"\\ufffd\",\"time\":`,
+		{Log: []byte{0x7F}}:            `^{\"log\":\"\x7f\",\"time\":`,
+		// with raw attributes
+		{Log: []byte("A log line"), RawAttrs: []byte(`{"hello":"world","value":1234}`)}: `^{\"log\":\"A log line\",\"attrs\":{\"hello\":\"world\",\"value\":1234},\"time\":`,
+		// with Tag set
+		{Log: []byte("A log line with tag"), RawAttrs: []byte(`{"hello":"world","value":1234}`)}: `^{\"log\":\"A log line with tag\",\"attrs\":{\"hello\":\"world\",\"value\":1234},\"time\":`,
+	}
+	for jsonLog, expression := range logs {
+		var buf bytes.Buffer
+		err := jsonLog.MarshalJSONBuf(&buf)
+		assert.NilError(t, err)
+
+		assert.Assert(t, regexP(buf.String(), expression))
+		assert.NilError(t, json.Unmarshal(buf.Bytes(), &map[string]interface{}{}))
+	}
+}
+
+func regexP(value string, pattern string) func() (bool, string) {
+	return func() (bool, string) {
+		re := regexp.MustCompile(pattern)
+		msg := fmt.Sprintf("%q did not match pattern %q", value, pattern)
+		return re.MatchString(value), msg
+	}
+}
diff --git a/engine/daemon/logger/jsonfilelog/jsonlog/time_marshalling.go b/engine/daemon/logger/jsonfilelog/jsonlog/time_marshalling.go
new file mode 100644
index 00000000..1822ea5d
--- /dev/null
+++ b/engine/daemon/logger/jsonfilelog/jsonlog/time_marshalling.go
@@ -0,0 +1,20 @@
+package jsonlog // import "github.com/docker/docker/daemon/logger/jsonfilelog/jsonlog"
+
+import (
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+const jsonFormat = `"` + time.RFC3339Nano + `"`
+
+// fastTimeMarshalJSON avoids one of the extra allocations that
+// time.MarshalJSON is making.
+func fastTimeMarshalJSON(t time.Time) (string, error) {
+	if y := t.Year(); y < 0 || y >= 10000 {
+		// RFC 3339 is clear that years are 4 digits exactly.
+		// See golang.org/issue/4556#c15 for more discussion.
+		return "", errors.New("time.MarshalJSON: year outside of range [0,9999]")
+	}
+	return t.Format(jsonFormat), nil
+}
diff --git a/engine/daemon/logger/jsonfilelog/jsonlog/time_marshalling_test.go b/engine/daemon/logger/jsonfilelog/jsonlog/time_marshalling_test.go
new file mode 100644
index 00000000..b3959b04
--- /dev/null
+++ b/engine/daemon/logger/jsonfilelog/jsonlog/time_marshalling_test.go
@@ -0,0 +1,34 @@
+package jsonlog // import "github.com/docker/docker/daemon/logger/jsonfilelog/jsonlog"
+
+import (
+	"testing"
+	"time"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestFastTimeMarshalJSONWithInvalidYear(t *testing.T) {
+	aTime := time.Date(-1, 1, 1, 0, 0, 0, 0, time.Local)
+	_, err := fastTimeMarshalJSON(aTime)
+	assert.Check(t, is.ErrorContains(err, "year outside of range"))
+
+	anotherTime := time.Date(10000, 1, 1, 0, 0, 0, 0, time.Local)
+	_, err = fastTimeMarshalJSON(anotherTime)
+	assert.Check(t, is.ErrorContains(err, "year outside of range"))
+}
+
+func TestFastTimeMarshalJSON(t *testing.T) {
+	aTime := time.Date(2015, 5, 29, 11, 1, 2, 3, time.UTC)
+	json, err := fastTimeMarshalJSON(aTime)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("\"2015-05-29T11:01:02.000000003Z\"", json))
+
+	location, err := time.LoadLocation("Europe/Paris")
+	assert.NilError(t, err)
+
+	aTime = time.Date(2015, 5, 29, 11, 1, 2, 3, location)
+	json, err = fastTimeMarshalJSON(aTime)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("\"2015-05-29T11:01:02.000000003+02:00\"", json))
+}
diff --git a/engine/daemon/logger/jsonfilelog/read.go b/engine/daemon/logger/jsonfilelog/read.go
new file mode 100644
index 00000000..ab1793bb
--- /dev/null
+++ b/engine/daemon/logger/jsonfilelog/read.go
@@ -0,0 +1,89 @@
+package jsonfilelog // import "github.com/docker/docker/daemon/logger/jsonfilelog"
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/jsonfilelog/jsonlog"
+)
+
+const maxJSONDecodeRetry = 20000
+
+// ReadLogs implements the logger's LogReader interface for the logs
+// created by this driver.
+func (l *JSONFileLogger) ReadLogs(config logger.ReadConfig) *logger.LogWatcher {
+	logWatcher := logger.NewLogWatcher()
+
+	go l.readLogs(logWatcher, config)
+	return logWatcher
+}
+
+func (l *JSONFileLogger) readLogs(watcher *logger.LogWatcher, config logger.ReadConfig) {
+	defer close(watcher.Msg)
+
+	l.mu.Lock()
+	l.readers[watcher] = struct{}{}
+	l.mu.Unlock()
+
+	l.writer.ReadLogs(config, watcher)
+
+	l.mu.Lock()
+	delete(l.readers, watcher)
+	l.mu.Unlock()
+}
+
+func decodeLogLine(dec *json.Decoder, l *jsonlog.JSONLog) (*logger.Message, error) {
+	l.Reset()
+	if err := dec.Decode(l); err != nil {
+		return nil, err
+	}
+
+	var attrs []backend.LogAttr
+	if len(l.Attrs) != 0 {
+		attrs = make([]backend.LogAttr, 0, len(l.Attrs))
+		for k, v := range l.Attrs {
+			attrs = append(attrs, backend.LogAttr{Key: k, Value: v})
+		}
+	}
+	msg := &logger.Message{
+		Source:    l.Stream,
+		Timestamp: l.Created,
+		Line:      []byte(l.Log),
+		Attrs:     attrs,
+	}
+	return msg, nil
+}
+
+// decodeFunc is used to create a decoder for the log file reader
+func decodeFunc(rdr io.Reader) func() (*logger.Message, error) {
+	l := &jsonlog.JSONLog{}
+	dec := json.NewDecoder(rdr)
+	return func() (msg *logger.Message, err error) {
+		for retries := 0; retries < maxJSONDecodeRetry; retries++ {
+			msg, err = decodeLogLine(dec, l)
+			if err == nil {
+				break
+			}
+
+			// try again, could be due to a an incomplete json object as we read
+			if _, ok := err.(*json.SyntaxError); ok {
+				dec = json.NewDecoder(rdr)
+				retries++
+				continue
+			}
+
+			// io.ErrUnexpectedEOF is returned from json.Decoder when there is
+			// remaining data in the parser's buffer while an io.EOF occurs.
+			// If the json logger writes a partial json log entry to the disk
+			// while at the same time the decoder tries to decode it, the race condition happens.
+			if err == io.ErrUnexpectedEOF {
+				reader := io.MultiReader(dec.Buffered(), rdr)
+				dec = json.NewDecoder(reader)
+				retries++
+			}
+		}
+		return msg, err
+	}
+}
diff --git a/engine/daemon/logger/jsonfilelog/read_test.go b/engine/daemon/logger/jsonfilelog/read_test.go
new file mode 100644
index 00000000..cad8003e
--- /dev/null
+++ b/engine/daemon/logger/jsonfilelog/read_test.go
@@ -0,0 +1,64 @@
+package jsonfilelog // import "github.com/docker/docker/daemon/logger/jsonfilelog"
+
+import (
+	"bytes"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/daemon/logger"
+	"gotest.tools/assert"
+	"gotest.tools/fs"
+)
+
+func BenchmarkJSONFileLoggerReadLogs(b *testing.B) {
+	tmp := fs.NewDir(b, "bench-jsonfilelog")
+	defer tmp.Remove()
+
+	jsonlogger, err := New(logger.Info{
+		ContainerID: "a7317399f3f857173c6179d44823594f8294678dea9999662e5c625b5a1c7657",
+		LogPath:     tmp.Join("container.log"),
+		Config: map[string]string{
+			"labels": "first,second",
+		},
+		ContainerLabels: map[string]string{
+			"first":  "label_value",
+			"second": "label_foo",
+		},
+	})
+	assert.NilError(b, err)
+	defer jsonlogger.Close()
+
+	msg := &logger.Message{
+		Line:      []byte("Line that thinks that it is log line from docker\n"),
+		Source:    "stderr",
+		Timestamp: time.Now().UTC(),
+	}
+
+	buf := bytes.NewBuffer(nil)
+	assert.NilError(b, marshalMessage(msg, nil, buf))
+	b.SetBytes(int64(buf.Len()))
+
+	b.ResetTimer()
+
+	chError := make(chan error, b.N+1)
+	go func() {
+		for i := 0; i < b.N; i++ {
+			chError <- jsonlogger.Log(msg)
+		}
+		chError <- jsonlogger.Close()
+	}()
+
+	lw := jsonlogger.(*JSONFileLogger).ReadLogs(logger.ReadConfig{Follow: true})
+	watchClose := lw.WatchClose()
+	for {
+		select {
+		case <-lw.Msg:
+		case <-watchClose:
+			return
+		case err := <-chError:
+			if err != nil {
+				b.Fatal(err)
+			}
+		}
+	}
+}
diff --git a/engine/daemon/logger/logentries/logentries.go b/engine/daemon/logger/logentries/logentries.go
new file mode 100644
index 00000000..70a8baf6
--- /dev/null
+++ b/engine/daemon/logger/logentries/logentries.go
@@ -0,0 +1,115 @@
+// Package logentries provides the log driver for forwarding server logs
+// to logentries endpoints.
+package logentries // import "github.com/docker/docker/daemon/logger/logentries"
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/bsphere/le_go"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type logentries struct {
+	tag           string
+	containerID   string
+	containerName string
+	writer        *le_go.Logger
+	extra         map[string]string
+	lineOnly      bool
+}
+
+const (
+	name     = "logentries"
+	token    = "logentries-token"
+	lineonly = "line-only"
+)
+
+func init() {
+	if err := logger.RegisterLogDriver(name, New); err != nil {
+		logrus.Fatal(err)
+	}
+	if err := logger.RegisterLogOptValidator(name, ValidateLogOpt); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// New creates a logentries logger using the configuration passed in on
+// the context. The supported context configuration variable is
+// logentries-token.
+func New(info logger.Info) (logger.Logger, error) {
+	logrus.WithField("container", info.ContainerID).
+		WithField("token", info.Config[token]).
+		WithField("line-only", info.Config[lineonly]).
+		Debug("logging driver logentries configured")
+
+	log, err := le_go.Connect(info.Config[token])
+	if err != nil {
+		return nil, errors.Wrap(err, "error connecting to logentries")
+	}
+	var lineOnly bool
+	if info.Config[lineonly] != "" {
+		if lineOnly, err = strconv.ParseBool(info.Config[lineonly]); err != nil {
+			return nil, errors.Wrap(err, "error parsing lineonly option")
+		}
+	}
+	return &logentries{
+		containerID:   info.ContainerID,
+		containerName: info.ContainerName,
+		writer:        log,
+		lineOnly:      lineOnly,
+	}, nil
+}
+
+func (f *logentries) Log(msg *logger.Message) error {
+	if !f.lineOnly {
+		data := map[string]string{
+			"container_id":   f.containerID,
+			"container_name": f.containerName,
+			"source":         msg.Source,
+			"log":            string(msg.Line),
+		}
+		for k, v := range f.extra {
+			data[k] = v
+		}
+		ts := msg.Timestamp
+		logger.PutMessage(msg)
+		f.writer.Println(f.tag, ts, data)
+	} else {
+		line := string(msg.Line)
+		logger.PutMessage(msg)
+		f.writer.Println(line)
+	}
+	return nil
+}
+
+func (f *logentries) Close() error {
+	return f.writer.Close()
+}
+
+func (f *logentries) Name() string {
+	return name
+}
+
+// ValidateLogOpt looks for logentries specific log option logentries-address.
+func ValidateLogOpt(cfg map[string]string) error {
+	for key := range cfg {
+		switch key {
+		case "env":
+		case "env-regex":
+		case "labels":
+		case "tag":
+		case key:
+		default:
+			return fmt.Errorf("unknown log opt '%s' for logentries log driver", key)
+		}
+	}
+
+	if cfg[token] == "" {
+		return fmt.Errorf("Missing logentries token")
+	}
+
+	return nil
+}
diff --git a/engine/daemon/logger/logger.go b/engine/daemon/logger/logger.go
new file mode 100644
index 00000000..912e855c
--- /dev/null
+++ b/engine/daemon/logger/logger.go
@@ -0,0 +1,145 @@
+// Package logger defines interfaces that logger drivers implement to
+// log messages.
+//
+// The other half of a logger driver is the implementation of the
+// factory, which holds the contextual instance information that
+// allows multiple loggers of the same type to perform different
+// actions, such as logging to different locations.
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types/backend"
+)
+
+// ErrReadLogsNotSupported is returned when the underlying log driver does not support reading
+type ErrReadLogsNotSupported struct{}
+
+func (ErrReadLogsNotSupported) Error() string {
+	return "configured logging driver does not support reading"
+}
+
+// NotImplemented makes this error implement the `NotImplemented` interface from api/errdefs
+func (ErrReadLogsNotSupported) NotImplemented() {}
+
+const (
+	logWatcherBufferSize = 4096
+)
+
+var messagePool = &sync.Pool{New: func() interface{} { return &Message{Line: make([]byte, 0, 256)} }}
+
+// NewMessage returns a new message from the message sync.Pool
+func NewMessage() *Message {
+	return messagePool.Get().(*Message)
+}
+
+// PutMessage puts the specified message back n the message pool.
+// The message fields are reset before putting into the pool.
+func PutMessage(msg *Message) {
+	msg.reset()
+	messagePool.Put(msg)
+}
+
+// Message is data structure that represents piece of output produced by some
+// container.  The Line member is a slice of an array whose contents can be
+// changed after a log driver's Log() method returns.
+//
+// Message is subtyped from backend.LogMessage because there is a lot of
+// internal complexity around the Message type that should not be exposed
+// to any package not explicitly importing the logger type.
+//
+// Any changes made to this struct must also be updated in the `reset` function
+type Message backend.LogMessage
+
+// reset sets the message back to default values
+// This is used when putting a message back into the message pool.
+// Any changes to the `Message` struct should be reflected here.
+func (m *Message) reset() {
+	m.Line = m.Line[:0]
+	m.Source = ""
+	m.Attrs = nil
+	m.PLogMetaData = nil
+
+	m.Err = nil
+}
+
+// AsLogMessage returns a pointer to the message as a pointer to
+// backend.LogMessage, which is an identical type with a different purpose
+func (m *Message) AsLogMessage() *backend.LogMessage {
+	return (*backend.LogMessage)(m)
+}
+
+// Logger is the interface for docker logging drivers.
+type Logger interface {
+	Log(*Message) error
+	Name() string
+	Close() error
+}
+
+// SizedLogger is the interface for logging drivers that can control
+// the size of buffer used for their messages.
+type SizedLogger interface {
+	Logger
+	BufSize() int
+}
+
+// ReadConfig is the configuration passed into ReadLogs.
+type ReadConfig struct {
+	Since  time.Time
+	Until  time.Time
+	Tail   int
+	Follow bool
+}
+
+// LogReader is the interface for reading log messages for loggers that support reading.
+type LogReader interface {
+	// Read logs from underlying logging backend
+	ReadLogs(ReadConfig) *LogWatcher
+}
+
+// LogWatcher is used when consuming logs read from the LogReader interface.
+type LogWatcher struct {
+	// For sending log messages to a reader.
+	Msg chan *Message
+	// For sending error messages that occur while while reading logs.
+	Err           chan error
+	closeOnce     sync.Once
+	closeNotifier chan struct{}
+}
+
+// NewLogWatcher returns a new LogWatcher.
+func NewLogWatcher() *LogWatcher {
+	return &LogWatcher{
+		Msg:           make(chan *Message, logWatcherBufferSize),
+		Err:           make(chan error, 1),
+		closeNotifier: make(chan struct{}),
+	}
+}
+
+// Close notifies the underlying log reader to stop.
+func (w *LogWatcher) Close() {
+	// only close if not already closed
+	w.closeOnce.Do(func() {
+		close(w.closeNotifier)
+	})
+}
+
+// WatchClose returns a channel receiver that receives notification
+// when the watcher has been closed. This should only be called from
+// one goroutine.
+func (w *LogWatcher) WatchClose() <-chan struct{} {
+	return w.closeNotifier
+}
+
+// Capability defines the list of capabilities that a driver can implement
+// These capabilities are not required to be a logging driver, however do
+// determine how a logging driver can be used
+type Capability struct {
+	// Determines if a log driver can read back logs
+	ReadLogs bool
+}
+
+// MarshalFunc is a func that marshals a message into an arbitrary format
+type MarshalFunc func(*Message) ([]byte, error)
diff --git a/engine/daemon/logger/logger_test.go b/engine/daemon/logger/logger_test.go
new file mode 100644
index 00000000..eaeec240
--- /dev/null
+++ b/engine/daemon/logger/logger_test.go
@@ -0,0 +1,21 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"github.com/docker/docker/api/types/backend"
+)
+
+func (m *Message) copy() *Message {
+	msg := &Message{
+		Source:       m.Source,
+		PLogMetaData: m.PLogMetaData,
+		Timestamp:    m.Timestamp,
+	}
+
+	if m.Attrs != nil {
+		msg.Attrs = make([]backend.LogAttr, len(m.Attrs))
+		copy(msg.Attrs, m.Attrs)
+	}
+
+	msg.Line = append(make([]byte, 0, len(m.Line)), m.Line...)
+	return msg
+}
diff --git a/engine/daemon/logger/loggerutils/log_tag.go b/engine/daemon/logger/loggerutils/log_tag.go
new file mode 100644
index 00000000..719512db
--- /dev/null
+++ b/engine/daemon/logger/loggerutils/log_tag.go
@@ -0,0 +1,31 @@
+package loggerutils // import "github.com/docker/docker/daemon/logger/loggerutils"
+
+import (
+	"bytes"
+
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/templates"
+)
+
+// DefaultTemplate defines the defaults template logger should use.
+const DefaultTemplate = "{{.ID}}"
+
+// ParseLogTag generates a context aware tag for consistency across different
+// log drivers based on the context of the running container.
+func ParseLogTag(info logger.Info, defaultTemplate string) (string, error) {
+	tagTemplate := info.Config["tag"]
+	if tagTemplate == "" {
+		tagTemplate = defaultTemplate
+	}
+
+	tmpl, err := templates.NewParse("log-tag", tagTemplate)
+	if err != nil {
+		return "", err
+	}
+	buf := new(bytes.Buffer)
+	if err := tmpl.Execute(buf, &info); err != nil {
+		return "", err
+	}
+
+	return buf.String(), nil
+}
diff --git a/engine/daemon/logger/loggerutils/log_tag_test.go b/engine/daemon/logger/loggerutils/log_tag_test.go
new file mode 100644
index 00000000..41957a8b
--- /dev/null
+++ b/engine/daemon/logger/loggerutils/log_tag_test.go
@@ -0,0 +1,47 @@
+package loggerutils // import "github.com/docker/docker/daemon/logger/loggerutils"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/daemon/logger"
+)
+
+func TestParseLogTagDefaultTag(t *testing.T) {
+	info := buildContext(map[string]string{})
+	tag, e := ParseLogTag(info, "{{.ID}}")
+	assertTag(t, e, tag, info.ID())
+}
+
+func TestParseLogTag(t *testing.T) {
+	info := buildContext(map[string]string{"tag": "{{.ImageName}}/{{.Name}}/{{.ID}}"})
+	tag, e := ParseLogTag(info, "{{.ID}}")
+	assertTag(t, e, tag, "test-image/test-container/container-ab")
+}
+
+func TestParseLogTagEmptyTag(t *testing.T) {
+	info := buildContext(map[string]string{})
+	tag, e := ParseLogTag(info, "{{.DaemonName}}/{{.ID}}")
+	assertTag(t, e, tag, "test-dockerd/container-ab")
+}
+
+// Helpers
+
+func buildContext(cfg map[string]string) logger.Info {
+	return logger.Info{
+		ContainerID:        "container-abcdefghijklmnopqrstuvwxyz01234567890",
+		ContainerName:      "/test-container",
+		ContainerImageID:   "image-abcdefghijklmnopqrstuvwxyz01234567890",
+		ContainerImageName: "test-image",
+		Config:             cfg,
+		DaemonName:         "test-dockerd",
+	}
+}
+
+func assertTag(t *testing.T, e error, tag string, expected string) {
+	if e != nil {
+		t.Fatalf("Error generating tag: %q", e)
+	}
+	if tag != expected {
+		t.Fatalf("Wrong tag: %q, should be %q", tag, expected)
+	}
+}
diff --git a/engine/daemon/logger/loggerutils/logfile.go b/engine/daemon/logger/loggerutils/logfile.go
new file mode 100644
index 00000000..96575e38
--- /dev/null
+++ b/engine/daemon/logger/loggerutils/logfile.go
@@ -0,0 +1,680 @@
+package loggerutils // import "github.com/docker/docker/daemon/logger/loggerutils"
+
+import (
+	"bytes"
+	"compress/gzip"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/loggerutils/multireader"
+	"github.com/docker/docker/pkg/filenotify"
+	"github.com/docker/docker/pkg/pools"
+	"github.com/docker/docker/pkg/pubsub"
+	"github.com/docker/docker/pkg/tailfile"
+	"github.com/fsnotify/fsnotify"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const tmpLogfileSuffix = ".tmp"
+
+// rotateFileMetadata is a metadata of the gzip header of the compressed log file
+type rotateFileMetadata struct {
+	LastTime time.Time `json:"lastTime,omitempty"`
+}
+
+// refCounter is a counter of logfile being referenced
+type refCounter struct {
+	mu      sync.Mutex
+	counter map[string]int
+}
+
+// Reference increase the reference counter for specified logfile
+func (rc *refCounter) GetReference(fileName string, openRefFile func(fileName string, exists bool) (*os.File, error)) (*os.File, error) {
+	rc.mu.Lock()
+	defer rc.mu.Unlock()
+
+	var (
+		file *os.File
+		err  error
+	)
+	_, ok := rc.counter[fileName]
+	file, err = openRefFile(fileName, ok)
+	if err != nil {
+		return nil, err
+	}
+
+	if ok {
+		rc.counter[fileName]++
+	} else if file != nil {
+		rc.counter[file.Name()] = 1
+	}
+
+	return file, nil
+}
+
+// Dereference reduce the reference counter for specified logfile
+func (rc *refCounter) Dereference(fileName string) error {
+	rc.mu.Lock()
+	defer rc.mu.Unlock()
+
+	rc.counter[fileName]--
+	if rc.counter[fileName] <= 0 {
+		delete(rc.counter, fileName)
+		err := os.Remove(fileName)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// LogFile is Logger implementation for default Docker logging.
+type LogFile struct {
+	mu              sync.RWMutex // protects the logfile access
+	f               *os.File     // store for closing
+	closed          bool
+	rotateMu        sync.Mutex // blocks the next rotation until the current rotation is completed
+	capacity        int64      // maximum size of each file
+	currentSize     int64      // current size of the latest file
+	maxFiles        int        // maximum number of files
+	compress        bool       // whether old versions of log files are compressed
+	lastTimestamp   time.Time  // timestamp of the last log
+	filesRefCounter refCounter // keep reference-counted of decompressed files
+	notifyRotate    *pubsub.Publisher
+	marshal         logger.MarshalFunc
+	createDecoder   makeDecoderFunc
+	perms           os.FileMode
+}
+
+type makeDecoderFunc func(rdr io.Reader) func() (*logger.Message, error)
+
+// NewLogFile creates new LogFile
+func NewLogFile(logPath string, capacity int64, maxFiles int, compress bool, marshaller logger.MarshalFunc, decodeFunc makeDecoderFunc, perms os.FileMode) (*LogFile, error) {
+	log, err := os.OpenFile(logPath, os.O_WRONLY|os.O_APPEND|os.O_CREATE, perms)
+	if err != nil {
+		return nil, err
+	}
+
+	size, err := log.Seek(0, os.SEEK_END)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LogFile{
+		f:               log,
+		capacity:        capacity,
+		currentSize:     size,
+		maxFiles:        maxFiles,
+		compress:        compress,
+		filesRefCounter: refCounter{counter: make(map[string]int)},
+		notifyRotate:    pubsub.NewPublisher(0, 1),
+		marshal:         marshaller,
+		createDecoder:   decodeFunc,
+		perms:           perms,
+	}, nil
+}
+
+// WriteLogEntry writes the provided log message to the current log file.
+// This may trigger a rotation event if the max file/capacity limits are hit.
+func (w *LogFile) WriteLogEntry(msg *logger.Message) error {
+	b, err := w.marshal(msg)
+	if err != nil {
+		return errors.Wrap(err, "error marshalling log message")
+	}
+
+	logger.PutMessage(msg)
+
+	w.mu.Lock()
+	if w.closed {
+		w.mu.Unlock()
+		return errors.New("cannot write because the output file was closed")
+	}
+
+	if err := w.checkCapacityAndRotate(); err != nil {
+		w.mu.Unlock()
+		return err
+	}
+
+	n, err := w.f.Write(b)
+	if err == nil {
+		w.currentSize += int64(n)
+		w.lastTimestamp = msg.Timestamp
+	}
+	w.mu.Unlock()
+	return err
+}
+
+func (w *LogFile) checkCapacityAndRotate() error {
+	if w.capacity == -1 {
+		return nil
+	}
+
+	if w.currentSize >= w.capacity {
+		w.rotateMu.Lock()
+		fname := w.f.Name()
+		if err := w.f.Close(); err != nil {
+			w.rotateMu.Unlock()
+			return errors.Wrap(err, "error closing file")
+		}
+		if err := rotate(fname, w.maxFiles, w.compress); err != nil {
+			w.rotateMu.Unlock()
+			return err
+		}
+		file, err := os.OpenFile(fname, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, w.perms)
+		if err != nil {
+			w.rotateMu.Unlock()
+			return err
+		}
+		w.f = file
+		w.currentSize = 0
+		w.notifyRotate.Publish(struct{}{})
+
+		if w.maxFiles <= 1 || !w.compress {
+			w.rotateMu.Unlock()
+			return nil
+		}
+
+		go func() {
+			compressFile(fname+".1", w.lastTimestamp)
+			w.rotateMu.Unlock()
+		}()
+	}
+
+	return nil
+}
+
+func rotate(name string, maxFiles int, compress bool) error {
+	if maxFiles < 2 {
+		return nil
+	}
+
+	var extension string
+	if compress {
+		extension = ".gz"
+	}
+
+	lastFile := fmt.Sprintf("%s.%d%s", name, maxFiles-1, extension)
+	err := os.Remove(lastFile)
+	if err != nil && !os.IsNotExist(err) {
+		return errors.Wrap(err, "error removing oldest log file")
+	}
+
+	for i := maxFiles - 1; i > 1; i-- {
+		toPath := name + "." + strconv.Itoa(i) + extension
+		fromPath := name + "." + strconv.Itoa(i-1) + extension
+		if err := os.Rename(fromPath, toPath); err != nil && !os.IsNotExist(err) {
+			return err
+		}
+	}
+
+	if err := os.Rename(name, name+".1"); err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
+	return nil
+}
+
+func compressFile(fileName string, lastTimestamp time.Time) {
+	file, err := os.Open(fileName)
+	if err != nil {
+		logrus.Errorf("Failed to open log file: %v", err)
+		return
+	}
+	defer func() {
+		file.Close()
+		err := os.Remove(fileName)
+		if err != nil {
+			logrus.Errorf("Failed to remove source log file: %v", err)
+		}
+	}()
+
+	outFile, err := os.OpenFile(fileName+".gz", os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0640)
+	if err != nil {
+		logrus.Errorf("Failed to open or create gzip log file: %v", err)
+		return
+	}
+	defer func() {
+		outFile.Close()
+		if err != nil {
+			os.Remove(fileName + ".gz")
+		}
+	}()
+
+	compressWriter := gzip.NewWriter(outFile)
+	defer compressWriter.Close()
+
+	// Add the last log entry timestramp to the gzip header
+	extra := rotateFileMetadata{}
+	extra.LastTime = lastTimestamp
+	compressWriter.Header.Extra, err = json.Marshal(&extra)
+	if err != nil {
+		// Here log the error only and don't return since this is just an optimization.
+		logrus.Warningf("Failed to marshal gzip header as JSON: %v", err)
+	}
+
+	_, err = pools.Copy(compressWriter, file)
+	if err != nil {
+		logrus.WithError(err).WithField("module", "container.logs").WithField("file", fileName).Error("Error compressing log file")
+		return
+	}
+}
+
+// MaxFiles return maximum number of files
+func (w *LogFile) MaxFiles() int {
+	return w.maxFiles
+}
+
+// Close closes underlying file and signals all readers to stop.
+func (w *LogFile) Close() error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	if w.closed {
+		return nil
+	}
+	if err := w.f.Close(); err != nil {
+		return err
+	}
+	w.closed = true
+	return nil
+}
+
+// ReadLogs decodes entries from log files and sends them the passed in watcher
+//
+// Note: Using the follow option can become inconsistent in cases with very frequent rotations and max log files is 1.
+// TODO: Consider a different implementation which can effectively follow logs under frequent rotations.
+func (w *LogFile) ReadLogs(config logger.ReadConfig, watcher *logger.LogWatcher) {
+	w.mu.RLock()
+	currentFile, err := os.Open(w.f.Name())
+	if err != nil {
+		w.mu.RUnlock()
+		watcher.Err <- err
+		return
+	}
+	defer currentFile.Close()
+
+	currentChunk, err := newSectionReader(currentFile)
+	if err != nil {
+		w.mu.RUnlock()
+		watcher.Err <- err
+		return
+	}
+
+	if config.Tail != 0 {
+		files, err := w.openRotatedFiles(config)
+		if err != nil {
+			w.mu.RUnlock()
+			watcher.Err <- err
+			return
+		}
+		w.mu.RUnlock()
+		seekers := make([]io.ReadSeeker, 0, len(files)+1)
+		for _, f := range files {
+			seekers = append(seekers, f)
+		}
+		if currentChunk.Size() > 0 {
+			seekers = append(seekers, currentChunk)
+		}
+		if len(seekers) > 0 {
+			tailFile(multireader.MultiReadSeeker(seekers...), watcher, w.createDecoder, config)
+		}
+		for _, f := range files {
+			f.Close()
+			fileName := f.Name()
+			if strings.HasSuffix(fileName, tmpLogfileSuffix) {
+				err := w.filesRefCounter.Dereference(fileName)
+				if err != nil {
+					logrus.Errorf("Failed to dereference the log file %q: %v", fileName, err)
+				}
+			}
+		}
+
+		w.mu.RLock()
+	}
+
+	if !config.Follow || w.closed {
+		w.mu.RUnlock()
+		return
+	}
+	w.mu.RUnlock()
+
+	notifyRotate := w.notifyRotate.Subscribe()
+	defer w.notifyRotate.Evict(notifyRotate)
+	followLogs(currentFile, watcher, notifyRotate, w.createDecoder, config.Since, config.Until)
+}
+
+func (w *LogFile) openRotatedFiles(config logger.ReadConfig) (files []*os.File, err error) {
+	w.rotateMu.Lock()
+	defer w.rotateMu.Unlock()
+
+	defer func() {
+		if err == nil {
+			return
+		}
+		for _, f := range files {
+			f.Close()
+			if strings.HasSuffix(f.Name(), tmpLogfileSuffix) {
+				err := os.Remove(f.Name())
+				if err != nil && !os.IsNotExist(err) {
+					logrus.Warningf("Failed to remove the logfile %q: %v", f.Name, err)
+				}
+			}
+		}
+	}()
+
+	for i := w.maxFiles; i > 1; i-- {
+		f, err := os.Open(fmt.Sprintf("%s.%d", w.f.Name(), i-1))
+		if err != nil {
+			if !os.IsNotExist(err) {
+				return nil, errors.Wrap(err, "error opening rotated log file")
+			}
+
+			fileName := fmt.Sprintf("%s.%d.gz", w.f.Name(), i-1)
+			decompressedFileName := fileName + tmpLogfileSuffix
+			tmpFile, err := w.filesRefCounter.GetReference(decompressedFileName, func(refFileName string, exists bool) (*os.File, error) {
+				if exists {
+					return os.Open(refFileName)
+				}
+				return decompressfile(fileName, refFileName, config.Since)
+			})
+
+			if err != nil {
+				if !os.IsNotExist(errors.Cause(err)) {
+					return nil, errors.Wrap(err, "error getting reference to decompressed log file")
+				}
+				continue
+			}
+			if tmpFile == nil {
+				// The log before `config.Since` does not need to read
+				break
+			}
+
+			files = append(files, tmpFile)
+			continue
+		}
+		files = append(files, f)
+	}
+
+	return files, nil
+}
+
+func decompressfile(fileName, destFileName string, since time.Time) (*os.File, error) {
+	cf, err := os.Open(fileName)
+	if err != nil {
+		return nil, errors.Wrap(err, "error opening file for decompression")
+	}
+	defer cf.Close()
+
+	rc, err := gzip.NewReader(cf)
+	if err != nil {
+		return nil, errors.Wrap(err, "error making gzip reader for compressed log file")
+	}
+	defer rc.Close()
+
+	// Extract the last log entry timestramp from the gzip header
+	extra := &rotateFileMetadata{}
+	err = json.Unmarshal(rc.Header.Extra, extra)
+	if err == nil && extra.LastTime.Before(since) {
+		return nil, nil
+	}
+
+	rs, err := os.OpenFile(destFileName, os.O_CREATE|os.O_RDWR, 0640)
+	if err != nil {
+		return nil, errors.Wrap(err, "error creating file for copying decompressed log stream")
+	}
+
+	_, err = pools.Copy(rs, rc)
+	if err != nil {
+		rs.Close()
+		rErr := os.Remove(rs.Name())
+		if rErr != nil && !os.IsNotExist(rErr) {
+			logrus.Errorf("Failed to remove the logfile %q: %v", rs.Name(), rErr)
+		}
+		return nil, errors.Wrap(err, "error while copying decompressed log stream to file")
+	}
+
+	return rs, nil
+}
+
+func newSectionReader(f *os.File) (*io.SectionReader, error) {
+	// seek to the end to get the size
+	// we'll leave this at the end of the file since section reader does not advance the reader
+	size, err := f.Seek(0, os.SEEK_END)
+	if err != nil {
+		return nil, errors.Wrap(err, "error getting current file size")
+	}
+	return io.NewSectionReader(f, 0, size), nil
+}
+
+type decodeFunc func() (*logger.Message, error)
+
+func tailFile(f io.ReadSeeker, watcher *logger.LogWatcher, createDecoder makeDecoderFunc, config logger.ReadConfig) {
+	var rdr io.Reader = f
+	if config.Tail > 0 {
+		ls, err := tailfile.TailFile(f, config.Tail)
+		if err != nil {
+			watcher.Err <- err
+			return
+		}
+		rdr = bytes.NewBuffer(bytes.Join(ls, []byte("\n")))
+	}
+
+	decodeLogLine := createDecoder(rdr)
+	for {
+		msg, err := decodeLogLine()
+		if err != nil {
+			if errors.Cause(err) != io.EOF {
+				watcher.Err <- err
+			}
+			return
+		}
+		if !config.Since.IsZero() && msg.Timestamp.Before(config.Since) {
+			continue
+		}
+		if !config.Until.IsZero() && msg.Timestamp.After(config.Until) {
+			return
+		}
+		select {
+		case <-watcher.WatchClose():
+			return
+		case watcher.Msg <- msg:
+		}
+	}
+}
+
+func followLogs(f *os.File, logWatcher *logger.LogWatcher, notifyRotate chan interface{}, createDecoder makeDecoderFunc, since, until time.Time) {
+	decodeLogLine := createDecoder(f)
+
+	name := f.Name()
+	fileWatcher, err := watchFile(name)
+	if err != nil {
+		logWatcher.Err <- err
+		return
+	}
+	defer func() {
+		f.Close()
+		fileWatcher.Remove(name)
+		fileWatcher.Close()
+	}()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go func() {
+		select {
+		case <-logWatcher.WatchClose():
+			fileWatcher.Remove(name)
+			cancel()
+		case <-ctx.Done():
+			return
+		}
+	}()
+
+	var retries int
+	handleRotate := func() error {
+		f.Close()
+		fileWatcher.Remove(name)
+
+		// retry when the file doesn't exist
+		for retries := 0; retries <= 5; retries++ {
+			f, err = os.Open(name)
+			if err == nil || !os.IsNotExist(err) {
+				break
+			}
+		}
+		if err != nil {
+			return err
+		}
+		if err := fileWatcher.Add(name); err != nil {
+			return err
+		}
+		decodeLogLine = createDecoder(f)
+		return nil
+	}
+
+	errRetry := errors.New("retry")
+	errDone := errors.New("done")
+	waitRead := func() error {
+		select {
+		case e := <-fileWatcher.Events():
+			switch e.Op {
+			case fsnotify.Write:
+				decodeLogLine = createDecoder(f)
+				return nil
+			case fsnotify.Rename, fsnotify.Remove:
+				select {
+				case <-notifyRotate:
+				case <-ctx.Done():
+					return errDone
+				}
+				if err := handleRotate(); err != nil {
+					return err
+				}
+				return nil
+			}
+			return errRetry
+		case err := <-fileWatcher.Errors():
+			logrus.Debug("logger got error watching file: %v", err)
+			// Something happened, let's try and stay alive and create a new watcher
+			if retries <= 5 {
+				fileWatcher.Close()
+				fileWatcher, err = watchFile(name)
+				if err != nil {
+					return err
+				}
+				retries++
+				return errRetry
+			}
+			return err
+		case <-ctx.Done():
+			return errDone
+		}
+	}
+
+	handleDecodeErr := func(err error) error {
+		if errors.Cause(err) != io.EOF {
+			return err
+		}
+
+		for {
+			err := waitRead()
+			if err == nil {
+				break
+			}
+			if err == errRetry {
+				continue
+			}
+			return err
+		}
+		return nil
+	}
+
+	// main loop
+	for {
+		msg, err := decodeLogLine()
+		if err != nil {
+			if err := handleDecodeErr(err); err != nil {
+				if err == errDone {
+					return
+				}
+				// we got an unrecoverable error, so return
+				logWatcher.Err <- err
+				return
+			}
+			// ready to try again
+			continue
+		}
+
+		retries = 0 // reset retries since we've succeeded
+		if !since.IsZero() && msg.Timestamp.Before(since) {
+			continue
+		}
+		if !until.IsZero() && msg.Timestamp.After(until) {
+			return
+		}
+		select {
+		case logWatcher.Msg <- msg:
+		case <-ctx.Done():
+			logWatcher.Msg <- msg
+			for {
+				msg, err := decodeLogLine()
+				if err != nil {
+					return
+				}
+				if !since.IsZero() && msg.Timestamp.Before(since) {
+					continue
+				}
+				if !until.IsZero() && msg.Timestamp.After(until) {
+					return
+				}
+				logWatcher.Msg <- msg
+			}
+		}
+	}
+}
+
+func watchFile(name string) (filenotify.FileWatcher, error) {
+	var fileWatcher filenotify.FileWatcher
+
+	if runtime.GOOS == "windows" {
+		// FileWatcher on Windows files is based on the syscall notifications which has an issue becuase of file caching.
+		// It is based on ReadDirectoryChangesW() which doesn't detect writes to the cache. It detects writes to disk only.
+		// Becuase of the OS lazy writing, we don't get notifications for file writes and thereby the watcher
+		// doesn't work. Hence for Windows we will use poll based notifier.
+		fileWatcher = filenotify.NewPollingWatcher()
+	} else {
+		var err error
+		fileWatcher, err = filenotify.New()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	logger := logrus.WithFields(logrus.Fields{
+		"module": "logger",
+		"fille":  name,
+	})
+
+	if err := fileWatcher.Add(name); err != nil {
+		// we will retry using file poller.
+		logger.WithError(err).Warnf("falling back to file poller")
+		fileWatcher.Close()
+		fileWatcher = filenotify.NewPollingWatcher()
+
+		if err := fileWatcher.Add(name); err != nil {
+			fileWatcher.Close()
+			logger.WithError(err).Debugf("error watching log file for modifications")
+			return nil, err
+		}
+	}
+
+	return fileWatcher, nil
+}
diff --git a/engine/daemon/logger/loggerutils/multireader/multireader.go b/engine/daemon/logger/loggerutils/multireader/multireader.go
new file mode 100644
index 00000000..77980a2a
--- /dev/null
+++ b/engine/daemon/logger/loggerutils/multireader/multireader.go
@@ -0,0 +1,212 @@
+package multireader // import "github.com/docker/docker/daemon/logger/loggerutils/multireader"
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+)
+
+type pos struct {
+	idx    int
+	offset int64
+}
+
+type multiReadSeeker struct {
+	readers []io.ReadSeeker
+	pos     *pos
+	posIdx  map[io.ReadSeeker]int
+}
+
+func (r *multiReadSeeker) Seek(offset int64, whence int) (int64, error) {
+	var tmpOffset int64
+	switch whence {
+	case os.SEEK_SET:
+		for i, rdr := range r.readers {
+			// get size of the current reader
+			s, err := rdr.Seek(0, os.SEEK_END)
+			if err != nil {
+				return -1, err
+			}
+
+			if offset > tmpOffset+s {
+				if i == len(r.readers)-1 {
+					rdrOffset := s + (offset - tmpOffset)
+					if _, err := rdr.Seek(rdrOffset, os.SEEK_SET); err != nil {
+						return -1, err
+					}
+					r.pos = &pos{i, rdrOffset}
+					return offset, nil
+				}
+
+				tmpOffset += s
+				continue
+			}
+
+			rdrOffset := offset - tmpOffset
+			idx := i
+
+			if _, err := rdr.Seek(rdrOffset, os.SEEK_SET); err != nil {
+				return -1, err
+			}
+			// make sure all following readers are at 0
+			for _, rdr := range r.readers[i+1:] {
+				rdr.Seek(0, os.SEEK_SET)
+			}
+
+			if rdrOffset == s && i != len(r.readers)-1 {
+				idx++
+				rdrOffset = 0
+			}
+			r.pos = &pos{idx, rdrOffset}
+			return offset, nil
+		}
+	case os.SEEK_END:
+		for _, rdr := range r.readers {
+			s, err := rdr.Seek(0, os.SEEK_END)
+			if err != nil {
+				return -1, err
+			}
+			tmpOffset += s
+		}
+		if _, err := r.Seek(tmpOffset+offset, os.SEEK_SET); err != nil {
+			return -1, err
+		}
+		return tmpOffset + offset, nil
+	case os.SEEK_CUR:
+		if r.pos == nil {
+			return r.Seek(offset, os.SEEK_SET)
+		}
+		// Just return the current offset
+		if offset == 0 {
+			return r.getCurOffset()
+		}
+
+		curOffset, err := r.getCurOffset()
+		if err != nil {
+			return -1, err
+		}
+		rdr, rdrOffset, err := r.getReaderForOffset(curOffset + offset)
+		if err != nil {
+			return -1, err
+		}
+
+		r.pos = &pos{r.posIdx[rdr], rdrOffset}
+		return curOffset + offset, nil
+	default:
+		return -1, fmt.Errorf("Invalid whence: %d", whence)
+	}
+
+	return -1, fmt.Errorf("Error seeking for whence: %d, offset: %d", whence, offset)
+}
+
+func (r *multiReadSeeker) getReaderForOffset(offset int64) (io.ReadSeeker, int64, error) {
+
+	var offsetTo int64
+
+	for _, rdr := range r.readers {
+		size, err := getReadSeekerSize(rdr)
+		if err != nil {
+			return nil, -1, err
+		}
+		if offsetTo+size > offset {
+			return rdr, offset - offsetTo, nil
+		}
+		if rdr == r.readers[len(r.readers)-1] {
+			return rdr, offsetTo + offset, nil
+		}
+		offsetTo += size
+	}
+
+	return nil, 0, nil
+}
+
+func (r *multiReadSeeker) getCurOffset() (int64, error) {
+	var totalSize int64
+	for _, rdr := range r.readers[:r.pos.idx+1] {
+		if r.posIdx[rdr] == r.pos.idx {
+			totalSize += r.pos.offset
+			break
+		}
+
+		size, err := getReadSeekerSize(rdr)
+		if err != nil {
+			return -1, fmt.Errorf("error getting seeker size: %v", err)
+		}
+		totalSize += size
+	}
+	return totalSize, nil
+}
+
+func (r *multiReadSeeker) Read(b []byte) (int, error) {
+	if r.pos == nil {
+		// make sure all readers are at 0
+		r.Seek(0, os.SEEK_SET)
+	}
+
+	bLen := int64(len(b))
+	buf := bytes.NewBuffer(nil)
+	var rdr io.ReadSeeker
+
+	for _, rdr = range r.readers[r.pos.idx:] {
+		readBytes, err := io.CopyN(buf, rdr, bLen)
+		if err != nil && err != io.EOF {
+			return -1, err
+		}
+		bLen -= readBytes
+
+		if bLen == 0 {
+			break
+		}
+	}
+
+	rdrPos, err := rdr.Seek(0, os.SEEK_CUR)
+	if err != nil {
+		return -1, err
+	}
+	r.pos = &pos{r.posIdx[rdr], rdrPos}
+	return buf.Read(b)
+}
+
+func getReadSeekerSize(rdr io.ReadSeeker) (int64, error) {
+	// save the current position
+	pos, err := rdr.Seek(0, os.SEEK_CUR)
+	if err != nil {
+		return -1, err
+	}
+
+	// get the size
+	size, err := rdr.Seek(0, os.SEEK_END)
+	if err != nil {
+		return -1, err
+	}
+
+	// reset the position
+	if _, err := rdr.Seek(pos, os.SEEK_SET); err != nil {
+		return -1, err
+	}
+	return size, nil
+}
+
+// MultiReadSeeker returns a ReadSeeker that's the logical concatenation of the provided
+// input readseekers. After calling this method the initial position is set to the
+// beginning of the first ReadSeeker. At the end of a ReadSeeker, Read always advances
+// to the beginning of the next ReadSeeker and returns EOF at the end of the last ReadSeeker.
+// Seek can be used over the sum of lengths of all readseekers.
+//
+// When a MultiReadSeeker is used, no Read and Seek operations should be made on
+// its ReadSeeker components. Also, users should make no assumption on the state
+// of individual readseekers while the MultiReadSeeker is used.
+func MultiReadSeeker(readers ...io.ReadSeeker) io.ReadSeeker {
+	if len(readers) == 1 {
+		return readers[0]
+	}
+	idx := make(map[io.ReadSeeker]int)
+	for i, rdr := range readers {
+		idx[rdr] = i
+	}
+	return &multiReadSeeker{
+		readers: readers,
+		posIdx:  idx,
+	}
+}
diff --git a/engine/daemon/logger/loggerutils/multireader/multireader_test.go b/engine/daemon/logger/loggerutils/multireader/multireader_test.go
new file mode 100644
index 00000000..2fb66ab5
--- /dev/null
+++ b/engine/daemon/logger/loggerutils/multireader/multireader_test.go
@@ -0,0 +1,225 @@
+package multireader // import "github.com/docker/docker/daemon/logger/loggerutils/multireader"
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+)
+
+func TestMultiReadSeekerReadAll(t *testing.T) {
+	str := "hello world"
+	s1 := strings.NewReader(str + " 1")
+	s2 := strings.NewReader(str + " 2")
+	s3 := strings.NewReader(str + " 3")
+	mr := MultiReadSeeker(s1, s2, s3)
+
+	expectedSize := int64(s1.Len() + s2.Len() + s3.Len())
+
+	b, err := ioutil.ReadAll(mr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := "hello world 1hello world 2hello world 3"
+	if string(b) != expected {
+		t.Fatalf("ReadAll failed, got: %q, expected %q", string(b), expected)
+	}
+
+	size, err := mr.Seek(0, os.SEEK_END)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if size != expectedSize {
+		t.Fatalf("reader size does not match, got %d, expected %d", size, expectedSize)
+	}
+
+	// Reset the position and read again
+	pos, err := mr.Seek(0, os.SEEK_SET)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if pos != 0 {
+		t.Fatalf("expected position to be set to 0, got %d", pos)
+	}
+
+	b, err = ioutil.ReadAll(mr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if string(b) != expected {
+		t.Fatalf("ReadAll failed, got: %q, expected %q", string(b), expected)
+	}
+
+	// The positions of some readers are not 0
+	s1.Seek(0, os.SEEK_SET)
+	s2.Seek(0, os.SEEK_END)
+	s3.Seek(0, os.SEEK_SET)
+	mr = MultiReadSeeker(s1, s2, s3)
+	b, err = ioutil.ReadAll(mr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if string(b) != expected {
+		t.Fatalf("ReadAll failed, got: %q, expected %q", string(b), expected)
+	}
+}
+
+func TestMultiReadSeekerReadEach(t *testing.T) {
+	str := "hello world"
+	s1 := strings.NewReader(str + " 1")
+	s2 := strings.NewReader(str + " 2")
+	s3 := strings.NewReader(str + " 3")
+	mr := MultiReadSeeker(s1, s2, s3)
+
+	var totalBytes int64
+	for i, s := range []*strings.Reader{s1, s2, s3} {
+		sLen := int64(s.Len())
+		buf := make([]byte, s.Len())
+		expected := []byte(fmt.Sprintf("%s %d", str, i+1))
+
+		if _, err := mr.Read(buf); err != nil && err != io.EOF {
+			t.Fatal(err)
+		}
+
+		if !bytes.Equal(buf, expected) {
+			t.Fatalf("expected %q to be %q", string(buf), string(expected))
+		}
+
+		pos, err := mr.Seek(0, os.SEEK_CUR)
+		if err != nil {
+			t.Fatalf("iteration: %d, error: %v", i+1, err)
+		}
+
+		// check that the total bytes read is the current position of the seeker
+		totalBytes += sLen
+		if pos != totalBytes {
+			t.Fatalf("expected current position to be: %d, got: %d, iteration: %d", totalBytes, pos, i+1)
+		}
+
+		// This tests not only that SEEK_SET and SEEK_CUR give the same values, but that the next iteration is in the expected position as well
+		newPos, err := mr.Seek(pos, os.SEEK_SET)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if newPos != pos {
+			t.Fatalf("expected to get same position when calling SEEK_SET with value from SEEK_CUR, cur: %d, set: %d", pos, newPos)
+		}
+	}
+}
+
+func TestMultiReadSeekerReadSpanningChunks(t *testing.T) {
+	str := "hello world"
+	s1 := strings.NewReader(str + " 1")
+	s2 := strings.NewReader(str + " 2")
+	s3 := strings.NewReader(str + " 3")
+	mr := MultiReadSeeker(s1, s2, s3)
+
+	buf := make([]byte, s1.Len()+3)
+	_, err := mr.Read(buf)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// expected is the contents of s1 + 3 bytes from s2, ie, the `hel` at the end of this string
+	expected := "hello world 1hel"
+	if string(buf) != expected {
+		t.Fatalf("expected %s to be %s", string(buf), expected)
+	}
+}
+
+func TestMultiReadSeekerNegativeSeek(t *testing.T) {
+	str := "hello world"
+	s1 := strings.NewReader(str + " 1")
+	s2 := strings.NewReader(str + " 2")
+	s3 := strings.NewReader(str + " 3")
+	mr := MultiReadSeeker(s1, s2, s3)
+
+	s1Len := s1.Len()
+	s2Len := s2.Len()
+	s3Len := s3.Len()
+
+	s, err := mr.Seek(int64(-1*s3.Len()), os.SEEK_END)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if s != int64(s1Len+s2Len) {
+		t.Fatalf("expected %d to be %d", s, s1.Len()+s2.Len())
+	}
+
+	buf := make([]byte, s3Len)
+	if _, err := mr.Read(buf); err != nil && err != io.EOF {
+		t.Fatal(err)
+	}
+	expected := fmt.Sprintf("%s %d", str, 3)
+	if string(buf) != fmt.Sprintf("%s %d", str, 3) {
+		t.Fatalf("expected %q to be %q", string(buf), expected)
+	}
+}
+
+func TestMultiReadSeekerCurAfterSet(t *testing.T) {
+	str := "hello world"
+	s1 := strings.NewReader(str + " 1")
+	s2 := strings.NewReader(str + " 2")
+	s3 := strings.NewReader(str + " 3")
+	mr := MultiReadSeeker(s1, s2, s3)
+
+	mid := int64(s1.Len() + s2.Len()/2)
+
+	size, err := mr.Seek(mid, os.SEEK_SET)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if size != mid {
+		t.Fatalf("reader size does not match, got %d, expected %d", size, mid)
+	}
+
+	size, err = mr.Seek(3, os.SEEK_CUR)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if size != mid+3 {
+		t.Fatalf("reader size does not match, got %d, expected %d", size, mid+3)
+	}
+	size, err = mr.Seek(5, os.SEEK_CUR)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if size != mid+8 {
+		t.Fatalf("reader size does not match, got %d, expected %d", size, mid+8)
+	}
+
+	size, err = mr.Seek(10, os.SEEK_CUR)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if size != mid+18 {
+		t.Fatalf("reader size does not match, got %d, expected %d", size, mid+18)
+	}
+}
+
+func TestMultiReadSeekerSmallReads(t *testing.T) {
+	var readers []io.ReadSeeker
+	for i := 0; i < 10; i++ {
+		integer := make([]byte, 4)
+		binary.BigEndian.PutUint32(integer, uint32(i))
+		readers = append(readers, bytes.NewReader(integer))
+	}
+
+	reader := MultiReadSeeker(readers...)
+	for i := 0; i < 10; i++ {
+		var integer uint32
+		if err := binary.Read(reader, binary.BigEndian, &integer); err != nil {
+			t.Fatalf("Read from NewMultiReadSeeker failed: %v", err)
+		}
+		if uint32(i) != integer {
+			t.Fatalf("Read wrong value from NewMultiReadSeeker: %d != %d", i, integer)
+		}
+	}
+}
diff --git a/engine/daemon/logger/loginfo.go b/engine/daemon/logger/loginfo.go
new file mode 100644
index 00000000..4c48235f
--- /dev/null
+++ b/engine/daemon/logger/loginfo.go
@@ -0,0 +1,129 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+	"strings"
+	"time"
+)
+
+// Info provides enough information for a logging driver to do its function.
+type Info struct {
+	Config              map[string]string
+	ContainerID         string
+	ContainerName       string
+	ContainerEntrypoint string
+	ContainerArgs       []string
+	ContainerImageID    string
+	ContainerImageName  string
+	ContainerCreated    time.Time
+	ContainerEnv        []string
+	ContainerLabels     map[string]string
+	LogPath             string
+	DaemonName          string
+}
+
+// ExtraAttributes returns the user-defined extra attributes (labels,
+// environment variables) in key-value format. This can be used by log drivers
+// that support metadata to add more context to a log.
+func (info *Info) ExtraAttributes(keyMod func(string) string) (map[string]string, error) {
+	extra := make(map[string]string)
+	labels, ok := info.Config["labels"]
+	if ok && len(labels) > 0 {
+		for _, l := range strings.Split(labels, ",") {
+			if v, ok := info.ContainerLabels[l]; ok {
+				if keyMod != nil {
+					l = keyMod(l)
+				}
+				extra[l] = v
+			}
+		}
+	}
+
+	envMapping := make(map[string]string)
+	for _, e := range info.ContainerEnv {
+		if kv := strings.SplitN(e, "=", 2); len(kv) == 2 {
+			envMapping[kv[0]] = kv[1]
+		}
+	}
+
+	env, ok := info.Config["env"]
+	if ok && len(env) > 0 {
+		for _, l := range strings.Split(env, ",") {
+			if v, ok := envMapping[l]; ok {
+				if keyMod != nil {
+					l = keyMod(l)
+				}
+				extra[l] = v
+			}
+		}
+	}
+
+	envRegex, ok := info.Config["env-regex"]
+	if ok && len(envRegex) > 0 {
+		re, err := regexp.Compile(envRegex)
+		if err != nil {
+			return nil, err
+		}
+		for k, v := range envMapping {
+			if re.MatchString(k) {
+				if keyMod != nil {
+					k = keyMod(k)
+				}
+				extra[k] = v
+			}
+		}
+	}
+
+	return extra, nil
+}
+
+// Hostname returns the hostname from the underlying OS.
+func (info *Info) Hostname() (string, error) {
+	hostname, err := os.Hostname()
+	if err != nil {
+		return "", fmt.Errorf("logger: can not resolve hostname: %v", err)
+	}
+	return hostname, nil
+}
+
+// Command returns the command that the container being logged was
+// started with. The Entrypoint is prepended to the container
+// arguments.
+func (info *Info) Command() string {
+	terms := []string{info.ContainerEntrypoint}
+	terms = append(terms, info.ContainerArgs...)
+	command := strings.Join(terms, " ")
+	return command
+}
+
+// ID Returns the Container ID shortened to 12 characters.
+func (info *Info) ID() string {
+	return info.ContainerID[:12]
+}
+
+// FullID is an alias of ContainerID.
+func (info *Info) FullID() string {
+	return info.ContainerID
+}
+
+// Name returns the ContainerName without a preceding '/'.
+func (info *Info) Name() string {
+	return strings.TrimPrefix(info.ContainerName, "/")
+}
+
+// ImageID returns the ContainerImageID shortened to 12 characters.
+func (info *Info) ImageID() string {
+	return info.ContainerImageID[:12]
+}
+
+// ImageFullID is an alias of ContainerImageID.
+func (info *Info) ImageFullID() string {
+	return info.ContainerImageID
+}
+
+// ImageName is an alias of ContainerImageName
+func (info *Info) ImageName() string {
+	return info.ContainerImageName
+}
diff --git a/engine/daemon/logger/metrics.go b/engine/daemon/logger/metrics.go
new file mode 100644
index 00000000..b7dfd38e
--- /dev/null
+++ b/engine/daemon/logger/metrics.go
@@ -0,0 +1,21 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"github.com/docker/go-metrics"
+)
+
+var (
+	logWritesFailedCount metrics.Counter
+	logReadsFailedCount  metrics.Counter
+	totalPartialLogs     metrics.Counter
+)
+
+func init() {
+	loggerMetrics := metrics.NewNamespace("logger", "", nil)
+
+	logWritesFailedCount = loggerMetrics.NewCounter("log_write_operations_failed", "Number of log write operations that failed")
+	logReadsFailedCount = loggerMetrics.NewCounter("log_read_operations_failed", "Number of log reads from container stdio that failed")
+	totalPartialLogs = loggerMetrics.NewCounter("log_entries_size_greater_than_buffer", "Number of log entries which are larger than the log buffer")
+
+	metrics.Register(loggerMetrics)
+}
diff --git a/engine/daemon/logger/plugin.go b/engine/daemon/logger/plugin.go
new file mode 100644
index 00000000..c66540ce
--- /dev/null
+++ b/engine/daemon/logger/plugin.go
@@ -0,0 +1,116 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/api/types/plugins/logdriver"
+	"github.com/docker/docker/errdefs"
+	getter "github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/pkg/errors"
+)
+
+var pluginGetter getter.PluginGetter
+
+const extName = "LogDriver"
+
+// logPlugin defines the available functions that logging plugins must implement.
+type logPlugin interface {
+	StartLogging(streamPath string, info Info) (err error)
+	StopLogging(streamPath string) (err error)
+	Capabilities() (cap Capability, err error)
+	ReadLogs(info Info, config ReadConfig) (stream io.ReadCloser, err error)
+}
+
+// RegisterPluginGetter sets the plugingetter
+func RegisterPluginGetter(plugingetter getter.PluginGetter) {
+	pluginGetter = plugingetter
+}
+
+// GetDriver returns a logging driver by its name.
+// If the driver is empty, it looks for the local driver.
+func getPlugin(name string, mode int) (Creator, error) {
+	p, err := pluginGetter.Get(name, extName, mode)
+	if err != nil {
+		return nil, fmt.Errorf("error looking up logging plugin %s: %v", name, err)
+	}
+
+	client, err := makePluginClient(p)
+	if err != nil {
+		return nil, err
+	}
+	return makePluginCreator(name, client, p.ScopedPath), nil
+}
+
+func makePluginClient(p getter.CompatPlugin) (logPlugin, error) {
+	if pc, ok := p.(getter.PluginWithV1Client); ok {
+		return &logPluginProxy{pc.Client()}, nil
+	}
+	pa, ok := p.(getter.PluginAddr)
+	if !ok {
+		return nil, errdefs.System(errors.Errorf("got unknown plugin type %T", p))
+	}
+
+	if pa.Protocol() != plugins.ProtocolSchemeHTTPV1 {
+		return nil, errors.Errorf("plugin protocol not supported: %s", p)
+	}
+
+	addr := pa.Addr()
+	c, err := plugins.NewClientWithTimeout(addr.Network()+"://"+addr.String(), nil, pa.Timeout())
+	if err != nil {
+		return nil, errors.Wrap(err, "error making plugin client")
+	}
+	return &logPluginProxy{c}, nil
+}
+
+func makePluginCreator(name string, l logPlugin, scopePath func(s string) string) Creator {
+	return func(logCtx Info) (logger Logger, err error) {
+		defer func() {
+			if err != nil {
+				pluginGetter.Get(name, extName, getter.Release)
+			}
+		}()
+
+		unscopedPath := filepath.Join("/", "run", "docker", "logging")
+		logRoot := scopePath(unscopedPath)
+		if err := os.MkdirAll(logRoot, 0700); err != nil {
+			return nil, err
+		}
+
+		id := stringid.GenerateNonCryptoID()
+		a := &pluginAdapter{
+			driverName: name,
+			id:         id,
+			plugin:     l,
+			fifoPath:   filepath.Join(logRoot, id),
+			logInfo:    logCtx,
+		}
+
+		cap, err := a.plugin.Capabilities()
+		if err == nil {
+			a.capabilities = cap
+		}
+
+		stream, err := openPluginStream(a)
+		if err != nil {
+			return nil, err
+		}
+
+		a.stream = stream
+		a.enc = logdriver.NewLogEntryEncoder(a.stream)
+
+		if err := l.StartLogging(filepath.Join(unscopedPath, id), logCtx); err != nil {
+			return nil, errors.Wrapf(err, "error creating logger")
+		}
+
+		if cap.ReadLogs {
+			return &pluginAdapterWithRead{a}, nil
+		}
+
+		return a, nil
+	}
+}
diff --git a/engine/daemon/logger/plugin_unix.go b/engine/daemon/logger/plugin_unix.go
new file mode 100644
index 00000000..e9a16af9
--- /dev/null
+++ b/engine/daemon/logger/plugin_unix.go
@@ -0,0 +1,23 @@
+// +build linux freebsd
+
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"context"
+	"io"
+
+	"github.com/containerd/fifo"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+func openPluginStream(a *pluginAdapter) (io.WriteCloser, error) {
+	// Make sure to also open with read (in addition to write) to avoid borken pipe errors on plugin failure.
+	// It is up to the plugin to keep track of pipes that it should re-attach to, however.
+	// If the plugin doesn't open for reads, then the container will block once the pipe is full.
+	f, err := fifo.OpenFifo(context.Background(), a.fifoPath, unix.O_RDWR|unix.O_CREAT|unix.O_NONBLOCK, 0700)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error creating i/o pipe for log plugin: %s", a.Name())
+	}
+	return f, nil
+}
diff --git a/engine/daemon/logger/plugin_unsupported.go b/engine/daemon/logger/plugin_unsupported.go
new file mode 100644
index 00000000..2ad47cc0
--- /dev/null
+++ b/engine/daemon/logger/plugin_unsupported.go
@@ -0,0 +1,12 @@
+// +build !linux,!freebsd
+
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"errors"
+	"io"
+)
+
+func openPluginStream(a *pluginAdapter) (io.WriteCloser, error) {
+	return nil, errors.New("log plugin not supported")
+}
diff --git a/engine/daemon/logger/proxy.go b/engine/daemon/logger/proxy.go
new file mode 100644
index 00000000..4a1c7781
--- /dev/null
+++ b/engine/daemon/logger/proxy.go
@@ -0,0 +1,107 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"errors"
+	"io"
+)
+
+type client interface {
+	Call(string, interface{}, interface{}) error
+	Stream(string, interface{}) (io.ReadCloser, error)
+}
+
+type logPluginProxy struct {
+	client
+}
+
+type logPluginProxyStartLoggingRequest struct {
+	File string
+	Info Info
+}
+
+type logPluginProxyStartLoggingResponse struct {
+	Err string
+}
+
+func (pp *logPluginProxy) StartLogging(file string, info Info) (err error) {
+	var (
+		req logPluginProxyStartLoggingRequest
+		ret logPluginProxyStartLoggingResponse
+	)
+
+	req.File = file
+	req.Info = info
+	if err = pp.Call("LogDriver.StartLogging", req, &ret); err != nil {
+		return
+	}
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
+
+type logPluginProxyStopLoggingRequest struct {
+	File string
+}
+
+type logPluginProxyStopLoggingResponse struct {
+	Err string
+}
+
+func (pp *logPluginProxy) StopLogging(file string) (err error) {
+	var (
+		req logPluginProxyStopLoggingRequest
+		ret logPluginProxyStopLoggingResponse
+	)
+
+	req.File = file
+	if err = pp.Call("LogDriver.StopLogging", req, &ret); err != nil {
+		return
+	}
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
+
+type logPluginProxyCapabilitiesResponse struct {
+	Cap Capability
+	Err string
+}
+
+func (pp *logPluginProxy) Capabilities() (cap Capability, err error) {
+	var (
+		ret logPluginProxyCapabilitiesResponse
+	)
+
+	if err = pp.Call("LogDriver.Capabilities", nil, &ret); err != nil {
+		return
+	}
+
+	cap = ret.Cap
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
+
+type logPluginProxyReadLogsRequest struct {
+	Info   Info
+	Config ReadConfig
+}
+
+func (pp *logPluginProxy) ReadLogs(info Info, config ReadConfig) (stream io.ReadCloser, err error) {
+	var (
+		req logPluginProxyReadLogsRequest
+	)
+
+	req.Info = info
+	req.Config = config
+	return pp.Stream("LogDriver.ReadLogs", req)
+}
diff --git a/engine/daemon/logger/ring.go b/engine/daemon/logger/ring.go
new file mode 100644
index 00000000..c675c1e8
--- /dev/null
+++ b/engine/daemon/logger/ring.go
@@ -0,0 +1,223 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"errors"
+	"sync"
+	"sync/atomic"
+
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	defaultRingMaxSize = 1e6 // 1MB
+)
+
+// RingLogger is a ring buffer that implements the Logger interface.
+// This is used when lossy logging is OK.
+type RingLogger struct {
+	buffer    *messageRing
+	l         Logger
+	logInfo   Info
+	closeFlag int32
+}
+
+type ringWithReader struct {
+	*RingLogger
+}
+
+func (r *ringWithReader) ReadLogs(cfg ReadConfig) *LogWatcher {
+	reader, ok := r.l.(LogReader)
+	if !ok {
+		// something is wrong if we get here
+		panic("expected log reader")
+	}
+	return reader.ReadLogs(cfg)
+}
+
+func newRingLogger(driver Logger, logInfo Info, maxSize int64) *RingLogger {
+	l := &RingLogger{
+		buffer:  newRing(maxSize),
+		l:       driver,
+		logInfo: logInfo,
+	}
+	go l.run()
+	return l
+}
+
+// NewRingLogger creates a new Logger that is implemented as a RingBuffer wrapping
+// the passed in logger.
+func NewRingLogger(driver Logger, logInfo Info, maxSize int64) Logger {
+	if maxSize < 0 {
+		maxSize = defaultRingMaxSize
+	}
+	l := newRingLogger(driver, logInfo, maxSize)
+	if _, ok := driver.(LogReader); ok {
+		return &ringWithReader{l}
+	}
+	return l
+}
+
+// Log queues messages into the ring buffer
+func (r *RingLogger) Log(msg *Message) error {
+	if r.closed() {
+		return errClosed
+	}
+	return r.buffer.Enqueue(msg)
+}
+
+// Name returns the name of the underlying logger
+func (r *RingLogger) Name() string {
+	return r.l.Name()
+}
+
+func (r *RingLogger) closed() bool {
+	return atomic.LoadInt32(&r.closeFlag) == 1
+}
+
+func (r *RingLogger) setClosed() {
+	atomic.StoreInt32(&r.closeFlag, 1)
+}
+
+// Close closes the logger
+func (r *RingLogger) Close() error {
+	r.setClosed()
+	r.buffer.Close()
+	// empty out the queue
+	var logErr bool
+	for _, msg := range r.buffer.Drain() {
+		if logErr {
+			// some error logging a previous message, so re-insert to message pool
+			// and assume log driver is hosed
+			PutMessage(msg)
+			continue
+		}
+
+		if err := r.l.Log(msg); err != nil {
+			logrus.WithField("driver", r.l.Name()).
+				WithField("container", r.logInfo.ContainerID).
+				WithError(err).
+				Errorf("Error writing log message")
+			logErr = true
+		}
+	}
+	return r.l.Close()
+}
+
+// run consumes messages from the ring buffer and forwards them to the underling
+// logger.
+// This is run in a goroutine when the RingLogger is created
+func (r *RingLogger) run() {
+	for {
+		if r.closed() {
+			return
+		}
+		msg, err := r.buffer.Dequeue()
+		if err != nil {
+			// buffer is closed
+			return
+		}
+		if err := r.l.Log(msg); err != nil {
+			logrus.WithField("driver", r.l.Name()).
+				WithField("container", r.logInfo.ContainerID).
+				WithError(err).
+				Errorf("Error writing log message")
+		}
+	}
+}
+
+type messageRing struct {
+	mu sync.Mutex
+	// signals callers of `Dequeue` to wake up either on `Close` or when a new `Message` is added
+	wait *sync.Cond
+
+	sizeBytes int64 // current buffer size
+	maxBytes  int64 // max buffer size size
+	queue     []*Message
+	closed    bool
+}
+
+func newRing(maxBytes int64) *messageRing {
+	queueSize := 1000
+	if maxBytes == 0 || maxBytes == 1 {
+		// With 0 or 1 max byte size, the maximum size of the queue would only ever be 1
+		// message long.
+		queueSize = 1
+	}
+
+	r := &messageRing{queue: make([]*Message, 0, queueSize), maxBytes: maxBytes}
+	r.wait = sync.NewCond(&r.mu)
+	return r
+}
+
+// Enqueue adds a message to the buffer queue
+// If the message is too big for the buffer it drops the new message.
+// If there are no messages in the queue and the message is still too big, it adds the message anyway.
+func (r *messageRing) Enqueue(m *Message) error {
+	mSize := int64(len(m.Line))
+
+	r.mu.Lock()
+	if r.closed {
+		r.mu.Unlock()
+		return errClosed
+	}
+	if mSize+r.sizeBytes > r.maxBytes && len(r.queue) > 0 {
+		r.wait.Signal()
+		r.mu.Unlock()
+		return nil
+	}
+
+	r.queue = append(r.queue, m)
+	r.sizeBytes += mSize
+	r.wait.Signal()
+	r.mu.Unlock()
+	return nil
+}
+
+// Dequeue pulls a message off the queue
+// If there are no messages, it waits for one.
+// If the buffer is closed, it will return immediately.
+func (r *messageRing) Dequeue() (*Message, error) {
+	r.mu.Lock()
+	for len(r.queue) == 0 && !r.closed {
+		r.wait.Wait()
+	}
+
+	if r.closed {
+		r.mu.Unlock()
+		return nil, errClosed
+	}
+
+	msg := r.queue[0]
+	r.queue = r.queue[1:]
+	r.sizeBytes -= int64(len(msg.Line))
+	r.mu.Unlock()
+	return msg, nil
+}
+
+var errClosed = errors.New("closed")
+
+// Close closes the buffer ensuring no new messages can be added.
+// Any callers waiting to dequeue a message will be woken up.
+func (r *messageRing) Close() {
+	r.mu.Lock()
+	if r.closed {
+		r.mu.Unlock()
+		return
+	}
+
+	r.closed = true
+	r.wait.Broadcast()
+	r.mu.Unlock()
+}
+
+// Drain drains all messages from the queue.
+// This can be used after `Close()` to get any remaining messages that were in queue.
+func (r *messageRing) Drain() []*Message {
+	r.mu.Lock()
+	ls := make([]*Message, 0, len(r.queue))
+	ls = append(ls, r.queue...)
+	r.sizeBytes = 0
+	r.queue = r.queue[:0]
+	r.mu.Unlock()
+	return ls
+}
diff --git a/engine/daemon/logger/ring_test.go b/engine/daemon/logger/ring_test.go
new file mode 100644
index 00000000..a2289cc6
--- /dev/null
+++ b/engine/daemon/logger/ring_test.go
@@ -0,0 +1,299 @@
+package logger // import "github.com/docker/docker/daemon/logger"
+
+import (
+	"context"
+	"strconv"
+	"testing"
+	"time"
+)
+
+type mockLogger struct{ c chan *Message }
+
+func (l *mockLogger) Log(msg *Message) error {
+	l.c <- msg
+	return nil
+}
+
+func (l *mockLogger) Name() string {
+	return "mock"
+}
+
+func (l *mockLogger) Close() error {
+	return nil
+}
+
+func TestRingLogger(t *testing.T) {
+	mockLog := &mockLogger{make(chan *Message)} // no buffer on this channel
+	ring := newRingLogger(mockLog, Info{}, 1)
+	defer ring.setClosed()
+
+	// this should never block
+	ring.Log(&Message{Line: []byte("1")})
+	ring.Log(&Message{Line: []byte("2")})
+	ring.Log(&Message{Line: []byte("3")})
+
+	select {
+	case msg := <-mockLog.c:
+		if string(msg.Line) != "1" {
+			t.Fatalf("got unexpected msg: %q", string(msg.Line))
+		}
+	case <-time.After(100 * time.Millisecond):
+		t.Fatal("timeout reading log message")
+	}
+
+	select {
+	case msg := <-mockLog.c:
+		t.Fatalf("expected no more messages in the queue, got: %q", string(msg.Line))
+	default:
+	}
+}
+
+func TestRingCap(t *testing.T) {
+	r := newRing(5)
+	for i := 0; i < 10; i++ {
+		// queue messages with "0" to "10"
+		// the "5" to "10" messages should be dropped since we only allow 5 bytes in the buffer
+		if err := r.Enqueue(&Message{Line: []byte(strconv.Itoa(i))}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	// should have messages in the queue for "0" to "4"
+	for i := 0; i < 5; i++ {
+		m, err := r.Dequeue()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if string(m.Line) != strconv.Itoa(i) {
+			t.Fatalf("got unexpected message for iter %d: %s", i, string(m.Line))
+		}
+	}
+
+	// queue a message that's bigger than the buffer cap
+	if err := r.Enqueue(&Message{Line: []byte("hello world")}); err != nil {
+		t.Fatal(err)
+	}
+
+	// queue another message that's bigger than the buffer cap
+	if err := r.Enqueue(&Message{Line: []byte("eat a banana")}); err != nil {
+		t.Fatal(err)
+	}
+
+	m, err := r.Dequeue()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(m.Line) != "hello world" {
+		t.Fatalf("got unexpected message: %s", string(m.Line))
+	}
+	if len(r.queue) != 0 {
+		t.Fatalf("expected queue to be empty, got: %d", len(r.queue))
+	}
+}
+
+func TestRingClose(t *testing.T) {
+	r := newRing(1)
+	if err := r.Enqueue(&Message{Line: []byte("hello")}); err != nil {
+		t.Fatal(err)
+	}
+	r.Close()
+	if err := r.Enqueue(&Message{}); err != errClosed {
+		t.Fatalf("expected errClosed, got: %v", err)
+	}
+	if len(r.queue) != 1 {
+		t.Fatal("expected empty queue")
+	}
+	if m, err := r.Dequeue(); err == nil || m != nil {
+		t.Fatal("expected err on Dequeue after close")
+	}
+
+	ls := r.Drain()
+	if len(ls) != 1 {
+		t.Fatalf("expected one message: %v", ls)
+	}
+	if string(ls[0].Line) != "hello" {
+		t.Fatalf("got unexpected message: %s", string(ls[0].Line))
+	}
+}
+
+func TestRingDrain(t *testing.T) {
+	r := newRing(5)
+	for i := 0; i < 5; i++ {
+		if err := r.Enqueue(&Message{Line: []byte(strconv.Itoa(i))}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	ls := r.Drain()
+	if len(ls) != 5 {
+		t.Fatal("got unexpected length after drain")
+	}
+
+	for i := 0; i < 5; i++ {
+		if string(ls[i].Line) != strconv.Itoa(i) {
+			t.Fatalf("got unexpected message at position %d: %s", i, string(ls[i].Line))
+		}
+	}
+	if r.sizeBytes != 0 {
+		t.Fatalf("expected buffer size to be 0 after drain, got: %d", r.sizeBytes)
+	}
+
+	ls = r.Drain()
+	if len(ls) != 0 {
+		t.Fatalf("expected 0 messages on 2nd drain: %v", ls)
+	}
+
+}
+
+type nopLogger struct{}
+
+func (nopLogger) Name() string       { return "nopLogger" }
+func (nopLogger) Close() error       { return nil }
+func (nopLogger) Log(*Message) error { return nil }
+
+func BenchmarkRingLoggerThroughputNoReceiver(b *testing.B) {
+	mockLog := &mockLogger{make(chan *Message)}
+	defer mockLog.Close()
+	l := NewRingLogger(mockLog, Info{}, -1)
+	msg := &Message{Line: []byte("hello humans and everyone else!")}
+	b.SetBytes(int64(len(msg.Line)))
+
+	for i := 0; i < b.N; i++ {
+		if err := l.Log(msg); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkRingLoggerThroughputWithReceiverDelay0(b *testing.B) {
+	l := NewRingLogger(nopLogger{}, Info{}, -1)
+	msg := &Message{Line: []byte("hello humans and everyone else!")}
+	b.SetBytes(int64(len(msg.Line)))
+
+	for i := 0; i < b.N; i++ {
+		if err := l.Log(msg); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func consumeWithDelay(delay time.Duration, c <-chan *Message) (cancel func()) {
+	started := make(chan struct{})
+	ctx, cancel := context.WithCancel(context.Background())
+	go func() {
+		close(started)
+		ticker := time.NewTicker(delay)
+		for range ticker.C {
+			select {
+			case <-ctx.Done():
+				ticker.Stop()
+				return
+			case <-c:
+			}
+		}
+	}()
+	<-started
+	return cancel
+}
+
+func BenchmarkRingLoggerThroughputConsumeDelay1(b *testing.B) {
+	mockLog := &mockLogger{make(chan *Message)}
+	defer mockLog.Close()
+	l := NewRingLogger(mockLog, Info{}, -1)
+	msg := &Message{Line: []byte("hello humans and everyone else!")}
+	b.SetBytes(int64(len(msg.Line)))
+
+	cancel := consumeWithDelay(1*time.Millisecond, mockLog.c)
+	defer cancel()
+
+	for i := 0; i < b.N; i++ {
+		if err := l.Log(msg); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkRingLoggerThroughputConsumeDelay10(b *testing.B) {
+	mockLog := &mockLogger{make(chan *Message)}
+	defer mockLog.Close()
+	l := NewRingLogger(mockLog, Info{}, -1)
+	msg := &Message{Line: []byte("hello humans and everyone else!")}
+	b.SetBytes(int64(len(msg.Line)))
+
+	cancel := consumeWithDelay(10*time.Millisecond, mockLog.c)
+	defer cancel()
+
+	for i := 0; i < b.N; i++ {
+		if err := l.Log(msg); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkRingLoggerThroughputConsumeDelay50(b *testing.B) {
+	mockLog := &mockLogger{make(chan *Message)}
+	defer mockLog.Close()
+	l := NewRingLogger(mockLog, Info{}, -1)
+	msg := &Message{Line: []byte("hello humans and everyone else!")}
+	b.SetBytes(int64(len(msg.Line)))
+
+	cancel := consumeWithDelay(50*time.Millisecond, mockLog.c)
+	defer cancel()
+
+	for i := 0; i < b.N; i++ {
+		if err := l.Log(msg); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkRingLoggerThroughputConsumeDelay100(b *testing.B) {
+	mockLog := &mockLogger{make(chan *Message)}
+	defer mockLog.Close()
+	l := NewRingLogger(mockLog, Info{}, -1)
+	msg := &Message{Line: []byte("hello humans and everyone else!")}
+	b.SetBytes(int64(len(msg.Line)))
+
+	cancel := consumeWithDelay(100*time.Millisecond, mockLog.c)
+	defer cancel()
+
+	for i := 0; i < b.N; i++ {
+		if err := l.Log(msg); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkRingLoggerThroughputConsumeDelay300(b *testing.B) {
+	mockLog := &mockLogger{make(chan *Message)}
+	defer mockLog.Close()
+	l := NewRingLogger(mockLog, Info{}, -1)
+	msg := &Message{Line: []byte("hello humans and everyone else!")}
+	b.SetBytes(int64(len(msg.Line)))
+
+	cancel := consumeWithDelay(300*time.Millisecond, mockLog.c)
+	defer cancel()
+
+	for i := 0; i < b.N; i++ {
+		if err := l.Log(msg); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func BenchmarkRingLoggerThroughputConsumeDelay500(b *testing.B) {
+	mockLog := &mockLogger{make(chan *Message)}
+	defer mockLog.Close()
+	l := NewRingLogger(mockLog, Info{}, -1)
+	msg := &Message{Line: []byte("hello humans and everyone else!")}
+	b.SetBytes(int64(len(msg.Line)))
+
+	cancel := consumeWithDelay(500*time.Millisecond, mockLog.c)
+	defer cancel()
+
+	for i := 0; i < b.N; i++ {
+		if err := l.Log(msg); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
diff --git a/engine/daemon/logger/splunk/splunk.go b/engine/daemon/logger/splunk/splunk.go
new file mode 100644
index 00000000..8756ffa3
--- /dev/null
+++ b/engine/daemon/logger/splunk/splunk.go
@@ -0,0 +1,649 @@
+// Package splunk provides the log driver for forwarding server logs to
+// Splunk HTTP Event Collector endpoint.
+package splunk // import "github.com/docker/docker/daemon/logger/splunk"
+
+import (
+	"bytes"
+	"compress/gzip"
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/loggerutils"
+	"github.com/docker/docker/pkg/pools"
+	"github.com/docker/docker/pkg/urlutil"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	driverName                    = "splunk"
+	splunkURLKey                  = "splunk-url"
+	splunkTokenKey                = "splunk-token"
+	splunkSourceKey               = "splunk-source"
+	splunkSourceTypeKey           = "splunk-sourcetype"
+	splunkIndexKey                = "splunk-index"
+	splunkCAPathKey               = "splunk-capath"
+	splunkCANameKey               = "splunk-caname"
+	splunkInsecureSkipVerifyKey   = "splunk-insecureskipverify"
+	splunkFormatKey               = "splunk-format"
+	splunkVerifyConnectionKey     = "splunk-verify-connection"
+	splunkGzipCompressionKey      = "splunk-gzip"
+	splunkGzipCompressionLevelKey = "splunk-gzip-level"
+	envKey                        = "env"
+	envRegexKey                   = "env-regex"
+	labelsKey                     = "labels"
+	tagKey                        = "tag"
+)
+
+const (
+	// How often do we send messages (if we are not reaching batch size)
+	defaultPostMessagesFrequency = 5 * time.Second
+	// How big can be batch of messages
+	defaultPostMessagesBatchSize = 1000
+	// Maximum number of messages we can store in buffer
+	defaultBufferMaximum = 10 * defaultPostMessagesBatchSize
+	// Number of messages allowed to be queued in the channel
+	defaultStreamChannelSize = 4 * defaultPostMessagesBatchSize
+	// maxResponseSize is the max amount that will be read from an http response
+	maxResponseSize = 1024
+)
+
+const (
+	envVarPostMessagesFrequency = "SPLUNK_LOGGING_DRIVER_POST_MESSAGES_FREQUENCY"
+	envVarPostMessagesBatchSize = "SPLUNK_LOGGING_DRIVER_POST_MESSAGES_BATCH_SIZE"
+	envVarBufferMaximum         = "SPLUNK_LOGGING_DRIVER_BUFFER_MAX"
+	envVarStreamChannelSize     = "SPLUNK_LOGGING_DRIVER_CHANNEL_SIZE"
+)
+
+var batchSendTimeout = 30 * time.Second
+
+type splunkLoggerInterface interface {
+	logger.Logger
+	worker()
+}
+
+type splunkLogger struct {
+	client    *http.Client
+	transport *http.Transport
+
+	url         string
+	auth        string
+	nullMessage *splunkMessage
+
+	// http compression
+	gzipCompression      bool
+	gzipCompressionLevel int
+
+	// Advanced options
+	postMessagesFrequency time.Duration
+	postMessagesBatchSize int
+	bufferMaximum         int
+
+	// For synchronization between background worker and logger.
+	// We use channel to send messages to worker go routine.
+	// All other variables for blocking Close call before we flush all messages to HEC
+	stream     chan *splunkMessage
+	lock       sync.RWMutex
+	closed     bool
+	closedCond *sync.Cond
+}
+
+type splunkLoggerInline struct {
+	*splunkLogger
+
+	nullEvent *splunkMessageEvent
+}
+
+type splunkLoggerJSON struct {
+	*splunkLoggerInline
+}
+
+type splunkLoggerRaw struct {
+	*splunkLogger
+
+	prefix []byte
+}
+
+type splunkMessage struct {
+	Event      interface{} `json:"event"`
+	Time       string      `json:"time"`
+	Host       string      `json:"host"`
+	Source     string      `json:"source,omitempty"`
+	SourceType string      `json:"sourcetype,omitempty"`
+	Index      string      `json:"index,omitempty"`
+}
+
+type splunkMessageEvent struct {
+	Line   interface{}       `json:"line"`
+	Source string            `json:"source"`
+	Tag    string            `json:"tag,omitempty"`
+	Attrs  map[string]string `json:"attrs,omitempty"`
+}
+
+const (
+	splunkFormatRaw    = "raw"
+	splunkFormatJSON   = "json"
+	splunkFormatInline = "inline"
+)
+
+func init() {
+	if err := logger.RegisterLogDriver(driverName, New); err != nil {
+		logrus.Fatal(err)
+	}
+	if err := logger.RegisterLogOptValidator(driverName, ValidateLogOpt); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// New creates splunk logger driver using configuration passed in context
+func New(info logger.Info) (logger.Logger, error) {
+	hostname, err := info.Hostname()
+	if err != nil {
+		return nil, fmt.Errorf("%s: cannot access hostname to set source field", driverName)
+	}
+
+	// Parse and validate Splunk URL
+	splunkURL, err := parseURL(info)
+	if err != nil {
+		return nil, err
+	}
+
+	// Splunk Token is required parameter
+	splunkToken, ok := info.Config[splunkTokenKey]
+	if !ok {
+		return nil, fmt.Errorf("%s: %s is expected", driverName, splunkTokenKey)
+	}
+
+	tlsConfig := &tls.Config{}
+
+	// Splunk is using autogenerated certificates by default,
+	// allow users to trust them with skipping verification
+	if insecureSkipVerifyStr, ok := info.Config[splunkInsecureSkipVerifyKey]; ok {
+		insecureSkipVerify, err := strconv.ParseBool(insecureSkipVerifyStr)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.InsecureSkipVerify = insecureSkipVerify
+	}
+
+	// If path to the root certificate is provided - load it
+	if caPath, ok := info.Config[splunkCAPathKey]; ok {
+		caCert, err := ioutil.ReadFile(caPath)
+		if err != nil {
+			return nil, err
+		}
+		caPool := x509.NewCertPool()
+		caPool.AppendCertsFromPEM(caCert)
+		tlsConfig.RootCAs = caPool
+	}
+
+	if caName, ok := info.Config[splunkCANameKey]; ok {
+		tlsConfig.ServerName = caName
+	}
+
+	gzipCompression := false
+	if gzipCompressionStr, ok := info.Config[splunkGzipCompressionKey]; ok {
+		gzipCompression, err = strconv.ParseBool(gzipCompressionStr)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	gzipCompressionLevel := gzip.DefaultCompression
+	if gzipCompressionLevelStr, ok := info.Config[splunkGzipCompressionLevelKey]; ok {
+		var err error
+		gzipCompressionLevel64, err := strconv.ParseInt(gzipCompressionLevelStr, 10, 32)
+		if err != nil {
+			return nil, err
+		}
+		gzipCompressionLevel = int(gzipCompressionLevel64)
+		if gzipCompressionLevel < gzip.DefaultCompression || gzipCompressionLevel > gzip.BestCompression {
+			err := fmt.Errorf("not supported level '%s' for %s (supported values between %d and %d)",
+				gzipCompressionLevelStr, splunkGzipCompressionLevelKey, gzip.DefaultCompression, gzip.BestCompression)
+			return nil, err
+		}
+	}
+
+	transport := &http.Transport{
+		TLSClientConfig: tlsConfig,
+		Proxy:           http.ProxyFromEnvironment,
+	}
+	client := &http.Client{
+		Transport: transport,
+	}
+
+	source := info.Config[splunkSourceKey]
+	sourceType := info.Config[splunkSourceTypeKey]
+	index := info.Config[splunkIndexKey]
+
+	var nullMessage = &splunkMessage{
+		Host:       hostname,
+		Source:     source,
+		SourceType: sourceType,
+		Index:      index,
+	}
+
+	// Allow user to remove tag from the messages by setting tag to empty string
+	tag := ""
+	if tagTemplate, ok := info.Config[tagKey]; !ok || tagTemplate != "" {
+		tag, err = loggerutils.ParseLogTag(info, loggerutils.DefaultTemplate)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	attrs, err := info.ExtraAttributes(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var (
+		postMessagesFrequency = getAdvancedOptionDuration(envVarPostMessagesFrequency, defaultPostMessagesFrequency)
+		postMessagesBatchSize = getAdvancedOptionInt(envVarPostMessagesBatchSize, defaultPostMessagesBatchSize)
+		bufferMaximum         = getAdvancedOptionInt(envVarBufferMaximum, defaultBufferMaximum)
+		streamChannelSize     = getAdvancedOptionInt(envVarStreamChannelSize, defaultStreamChannelSize)
+	)
+
+	logger := &splunkLogger{
+		client:                client,
+		transport:             transport,
+		url:                   splunkURL.String(),
+		auth:                  "Splunk " + splunkToken,
+		nullMessage:           nullMessage,
+		gzipCompression:       gzipCompression,
+		gzipCompressionLevel:  gzipCompressionLevel,
+		stream:                make(chan *splunkMessage, streamChannelSize),
+		postMessagesFrequency: postMessagesFrequency,
+		postMessagesBatchSize: postMessagesBatchSize,
+		bufferMaximum:         bufferMaximum,
+	}
+
+	// By default we verify connection, but we allow use to skip that
+	verifyConnection := true
+	if verifyConnectionStr, ok := info.Config[splunkVerifyConnectionKey]; ok {
+		var err error
+		verifyConnection, err = strconv.ParseBool(verifyConnectionStr)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if verifyConnection {
+		err = verifySplunkConnection(logger)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var splunkFormat string
+	if splunkFormatParsed, ok := info.Config[splunkFormatKey]; ok {
+		switch splunkFormatParsed {
+		case splunkFormatInline:
+		case splunkFormatJSON:
+		case splunkFormatRaw:
+		default:
+			return nil, fmt.Errorf("Unknown format specified %s, supported formats are inline, json and raw", splunkFormat)
+		}
+		splunkFormat = splunkFormatParsed
+	} else {
+		splunkFormat = splunkFormatInline
+	}
+
+	var loggerWrapper splunkLoggerInterface
+
+	switch splunkFormat {
+	case splunkFormatInline:
+		nullEvent := &splunkMessageEvent{
+			Tag:   tag,
+			Attrs: attrs,
+		}
+
+		loggerWrapper = &splunkLoggerInline{logger, nullEvent}
+	case splunkFormatJSON:
+		nullEvent := &splunkMessageEvent{
+			Tag:   tag,
+			Attrs: attrs,
+		}
+
+		loggerWrapper = &splunkLoggerJSON{&splunkLoggerInline{logger, nullEvent}}
+	case splunkFormatRaw:
+		var prefix bytes.Buffer
+		if tag != "" {
+			prefix.WriteString(tag)
+			prefix.WriteString(" ")
+		}
+		for key, value := range attrs {
+			prefix.WriteString(key)
+			prefix.WriteString("=")
+			prefix.WriteString(value)
+			prefix.WriteString(" ")
+		}
+
+		loggerWrapper = &splunkLoggerRaw{logger, prefix.Bytes()}
+	default:
+		return nil, fmt.Errorf("Unexpected format %s", splunkFormat)
+	}
+
+	go loggerWrapper.worker()
+
+	return loggerWrapper, nil
+}
+
+func (l *splunkLoggerInline) Log(msg *logger.Message) error {
+	message := l.createSplunkMessage(msg)
+
+	event := *l.nullEvent
+	event.Line = string(msg.Line)
+	event.Source = msg.Source
+
+	message.Event = &event
+	logger.PutMessage(msg)
+	return l.queueMessageAsync(message)
+}
+
+func (l *splunkLoggerJSON) Log(msg *logger.Message) error {
+	message := l.createSplunkMessage(msg)
+	event := *l.nullEvent
+
+	var rawJSONMessage json.RawMessage
+	if err := json.Unmarshal(msg.Line, &rawJSONMessage); err == nil {
+		event.Line = &rawJSONMessage
+	} else {
+		event.Line = string(msg.Line)
+	}
+
+	event.Source = msg.Source
+
+	message.Event = &event
+	logger.PutMessage(msg)
+	return l.queueMessageAsync(message)
+}
+
+func (l *splunkLoggerRaw) Log(msg *logger.Message) error {
+	// empty or whitespace-only messages are not accepted by HEC
+	if strings.TrimSpace(string(msg.Line)) == "" {
+		return nil
+	}
+
+	message := l.createSplunkMessage(msg)
+
+	message.Event = string(append(l.prefix, msg.Line...))
+	logger.PutMessage(msg)
+	return l.queueMessageAsync(message)
+}
+
+func (l *splunkLogger) queueMessageAsync(message *splunkMessage) error {
+	l.lock.RLock()
+	defer l.lock.RUnlock()
+	if l.closedCond != nil {
+		return fmt.Errorf("%s: driver is closed", driverName)
+	}
+	l.stream <- message
+	return nil
+}
+
+func (l *splunkLogger) worker() {
+	timer := time.NewTicker(l.postMessagesFrequency)
+	var messages []*splunkMessage
+	for {
+		select {
+		case message, open := <-l.stream:
+			if !open {
+				l.postMessages(messages, true)
+				l.lock.Lock()
+				defer l.lock.Unlock()
+				l.transport.CloseIdleConnections()
+				l.closed = true
+				l.closedCond.Signal()
+				return
+			}
+			messages = append(messages, message)
+			// Only sending when we get exactly to the batch size,
+			// This also helps not to fire postMessages on every new message,
+			// when previous try failed.
+			if len(messages)%l.postMessagesBatchSize == 0 {
+				messages = l.postMessages(messages, false)
+			}
+		case <-timer.C:
+			messages = l.postMessages(messages, false)
+		}
+	}
+}
+
+func (l *splunkLogger) postMessages(messages []*splunkMessage, lastChance bool) []*splunkMessage {
+	messagesLen := len(messages)
+
+	ctx, cancel := context.WithTimeout(context.Background(), batchSendTimeout)
+	defer cancel()
+
+	for i := 0; i < messagesLen; i += l.postMessagesBatchSize {
+		upperBound := i + l.postMessagesBatchSize
+		if upperBound > messagesLen {
+			upperBound = messagesLen
+		}
+
+		if err := l.tryPostMessages(ctx, messages[i:upperBound]); err != nil {
+			logrus.WithError(err).WithField("module", "logger/splunk").Warn("Error while sending logs")
+			if messagesLen-i >= l.bufferMaximum || lastChance {
+				// If this is last chance - print them all to the daemon log
+				if lastChance {
+					upperBound = messagesLen
+				}
+				// Not all sent, but buffer has got to its maximum, let's log all messages
+				// we could not send and return buffer minus one batch size
+				for j := i; j < upperBound; j++ {
+					if jsonEvent, err := json.Marshal(messages[j]); err != nil {
+						logrus.Error(err)
+					} else {
+						logrus.Error(fmt.Errorf("Failed to send a message '%s'", string(jsonEvent)))
+					}
+				}
+				return messages[upperBound:messagesLen]
+			}
+			// Not all sent, returning buffer from where we have not sent messages
+			return messages[i:messagesLen]
+		}
+	}
+	// All sent, return empty buffer
+	return messages[:0]
+}
+
+func (l *splunkLogger) tryPostMessages(ctx context.Context, messages []*splunkMessage) error {
+	if len(messages) == 0 {
+		return nil
+	}
+	var buffer bytes.Buffer
+	var writer io.Writer
+	var gzipWriter *gzip.Writer
+	var err error
+	// If gzip compression is enabled - create gzip writer with specified compression
+	// level. If gzip compression is disabled, use standard buffer as a writer
+	if l.gzipCompression {
+		gzipWriter, err = gzip.NewWriterLevel(&buffer, l.gzipCompressionLevel)
+		if err != nil {
+			return err
+		}
+		writer = gzipWriter
+	} else {
+		writer = &buffer
+	}
+	for _, message := range messages {
+		jsonEvent, err := json.Marshal(message)
+		if err != nil {
+			return err
+		}
+		if _, err := writer.Write(jsonEvent); err != nil {
+			return err
+		}
+	}
+	// If gzip compression is enabled, tell it, that we are done
+	if l.gzipCompression {
+		err = gzipWriter.Close()
+		if err != nil {
+			return err
+		}
+	}
+	req, err := http.NewRequest("POST", l.url, bytes.NewBuffer(buffer.Bytes()))
+	if err != nil {
+		return err
+	}
+	req = req.WithContext(ctx)
+	req.Header.Set("Authorization", l.auth)
+	// Tell if we are sending gzip compressed body
+	if l.gzipCompression {
+		req.Header.Set("Content-Encoding", "gzip")
+	}
+	resp, err := l.client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		pools.Copy(ioutil.Discard, resp.Body)
+		resp.Body.Close()
+	}()
+	if resp.StatusCode != http.StatusOK {
+		rdr := io.LimitReader(resp.Body, maxResponseSize)
+		body, err := ioutil.ReadAll(rdr)
+		if err != nil {
+			return err
+		}
+		return fmt.Errorf("%s: failed to send event - %s - %s", driverName, resp.Status, string(body))
+	}
+	return nil
+}
+
+func (l *splunkLogger) Close() error {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+	if l.closedCond == nil {
+		l.closedCond = sync.NewCond(&l.lock)
+		close(l.stream)
+		for !l.closed {
+			l.closedCond.Wait()
+		}
+	}
+	return nil
+}
+
+func (l *splunkLogger) Name() string {
+	return driverName
+}
+
+func (l *splunkLogger) createSplunkMessage(msg *logger.Message) *splunkMessage {
+	message := *l.nullMessage
+	message.Time = fmt.Sprintf("%f", float64(msg.Timestamp.UnixNano())/float64(time.Second))
+	return &message
+}
+
+// ValidateLogOpt looks for all supported by splunk driver options
+func ValidateLogOpt(cfg map[string]string) error {
+	for key := range cfg {
+		switch key {
+		case splunkURLKey:
+		case splunkTokenKey:
+		case splunkSourceKey:
+		case splunkSourceTypeKey:
+		case splunkIndexKey:
+		case splunkCAPathKey:
+		case splunkCANameKey:
+		case splunkInsecureSkipVerifyKey:
+		case splunkFormatKey:
+		case splunkVerifyConnectionKey:
+		case splunkGzipCompressionKey:
+		case splunkGzipCompressionLevelKey:
+		case envKey:
+		case envRegexKey:
+		case labelsKey:
+		case tagKey:
+		default:
+			return fmt.Errorf("unknown log opt '%s' for %s log driver", key, driverName)
+		}
+	}
+	return nil
+}
+
+func parseURL(info logger.Info) (*url.URL, error) {
+	splunkURLStr, ok := info.Config[splunkURLKey]
+	if !ok {
+		return nil, fmt.Errorf("%s: %s is expected", driverName, splunkURLKey)
+	}
+
+	splunkURL, err := url.Parse(splunkURLStr)
+	if err != nil {
+		return nil, fmt.Errorf("%s: failed to parse %s as url value in %s", driverName, splunkURLStr, splunkURLKey)
+	}
+
+	if !urlutil.IsURL(splunkURLStr) ||
+		!splunkURL.IsAbs() ||
+		(splunkURL.Path != "" && splunkURL.Path != "/") ||
+		splunkURL.RawQuery != "" ||
+		splunkURL.Fragment != "" {
+		return nil, fmt.Errorf("%s: expected format scheme://dns_name_or_ip:port for %s", driverName, splunkURLKey)
+	}
+
+	splunkURL.Path = "/services/collector/event/1.0"
+
+	return splunkURL, nil
+}
+
+func verifySplunkConnection(l *splunkLogger) error {
+	req, err := http.NewRequest(http.MethodOptions, l.url, nil)
+	if err != nil {
+		return err
+	}
+	resp, err := l.client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		pools.Copy(ioutil.Discard, resp.Body)
+		resp.Body.Close()
+	}()
+
+	if resp.StatusCode != http.StatusOK {
+		rdr := io.LimitReader(resp.Body, maxResponseSize)
+		body, err := ioutil.ReadAll(rdr)
+		if err != nil {
+			return err
+		}
+		return fmt.Errorf("%s: failed to verify connection - %s - %s", driverName, resp.Status, string(body))
+	}
+	return nil
+}
+
+func getAdvancedOptionDuration(envName string, defaultValue time.Duration) time.Duration {
+	valueStr := os.Getenv(envName)
+	if valueStr == "" {
+		return defaultValue
+	}
+	parsedValue, err := time.ParseDuration(valueStr)
+	if err != nil {
+		logrus.Error(fmt.Sprintf("Failed to parse value of %s as duration. Using default %v. %v", envName, defaultValue, err))
+		return defaultValue
+	}
+	return parsedValue
+}
+
+func getAdvancedOptionInt(envName string, defaultValue int) int {
+	valueStr := os.Getenv(envName)
+	if valueStr == "" {
+		return defaultValue
+	}
+	parsedValue, err := strconv.ParseInt(valueStr, 10, 32)
+	if err != nil {
+		logrus.Error(fmt.Sprintf("Failed to parse value of %s as integer. Using default %d. %v", envName, defaultValue, err))
+		return defaultValue
+	}
+	return int(parsedValue)
+}
diff --git a/engine/daemon/logger/splunk/splunk_test.go b/engine/daemon/logger/splunk/splunk_test.go
new file mode 100644
index 00000000..cfb83e80
--- /dev/null
+++ b/engine/daemon/logger/splunk/splunk_test.go
@@ -0,0 +1,1389 @@
+package splunk // import "github.com/docker/docker/daemon/logger/splunk"
+
+import (
+	"compress/gzip"
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+	"runtime"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/daemon/logger"
+	"gotest.tools/assert"
+	"gotest.tools/env"
+)
+
+// Validate options
+func TestValidateLogOpt(t *testing.T) {
+	err := ValidateLogOpt(map[string]string{
+		splunkURLKey:                  "http://127.0.0.1",
+		splunkTokenKey:                "2160C7EF-2CE9-4307-A180-F852B99CF417",
+		splunkSourceKey:               "mysource",
+		splunkSourceTypeKey:           "mysourcetype",
+		splunkIndexKey:                "myindex",
+		splunkCAPathKey:               "/usr/cert.pem",
+		splunkCANameKey:               "ca_name",
+		splunkInsecureSkipVerifyKey:   "true",
+		splunkFormatKey:               "json",
+		splunkVerifyConnectionKey:     "true",
+		splunkGzipCompressionKey:      "true",
+		splunkGzipCompressionLevelKey: "1",
+		envKey:      "a",
+		envRegexKey: "^foo",
+		labelsKey:   "b",
+		tagKey:      "c",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = ValidateLogOpt(map[string]string{
+		"not-supported-option": "a",
+	})
+	if err == nil {
+		t.Fatal("Expecting error on unsupported options")
+	}
+}
+
+// Driver require user to specify required options
+func TestNewMissedConfig(t *testing.T) {
+	info := logger.Info{
+		Config: map[string]string{},
+	}
+	_, err := New(info)
+	if err == nil {
+		t.Fatal("Logger driver should fail when no required parameters specified")
+	}
+}
+
+// Driver require user to specify splunk-url
+func TestNewMissedUrl(t *testing.T) {
+	info := logger.Info{
+		Config: map[string]string{
+			splunkTokenKey: "4642492F-D8BD-47F1-A005-0C08AE4657DF",
+		},
+	}
+	_, err := New(info)
+	if err.Error() != "splunk: splunk-url is expected" {
+		t.Fatal("Logger driver should fail when no required parameters specified")
+	}
+}
+
+// Driver require user to specify splunk-token
+func TestNewMissedToken(t *testing.T) {
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey: "http://127.0.0.1:8088",
+		},
+	}
+	_, err := New(info)
+	if err.Error() != "splunk: splunk-token is expected" {
+		t.Fatal("Logger driver should fail when no required parameters specified")
+	}
+}
+
+func TestNewWithProxy(t *testing.T) {
+	proxy := "http://proxy.testing:8888"
+	reset := env.Patch(t, "HTTP_PROXY", proxy)
+	defer reset()
+
+	// must not be localhost
+	splunkURL := "http://example.com:12345"
+	logger, err := New(logger.Info{
+		Config: map[string]string{
+			splunkURLKey:              splunkURL,
+			splunkTokenKey:            "token",
+			splunkVerifyConnectionKey: "false",
+		},
+		ContainerID: "containeriid",
+	})
+	assert.NilError(t, err)
+	splunkLogger := logger.(*splunkLoggerInline)
+
+	proxyFunc := splunkLogger.transport.Proxy
+	assert.Assert(t, proxyFunc != nil)
+
+	req, err := http.NewRequest("GET", splunkURL, nil)
+	assert.NilError(t, err)
+
+	proxyURL, err := proxyFunc(req)
+	assert.NilError(t, err)
+	assert.Assert(t, proxyURL != nil)
+	assert.Equal(t, proxy, proxyURL.String())
+}
+
+// Test default settings
+func TestDefault(t *testing.T) {
+	hec := NewHTTPEventCollectorMock(t)
+
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:   hec.URL(),
+			splunkTokenKey: hec.token,
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	hostname, err := info.Hostname()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if loggerDriver.Name() != driverName {
+		t.Fatal("Unexpected logger driver name")
+	}
+
+	if !hec.connectionVerified {
+		t.Fatal("By default connection should be verified")
+	}
+
+	splunkLoggerDriver, ok := loggerDriver.(*splunkLoggerInline)
+	if !ok {
+		t.Fatal("Unexpected Splunk Logging Driver type")
+	}
+
+	if splunkLoggerDriver.url != hec.URL()+"/services/collector/event/1.0" ||
+		splunkLoggerDriver.auth != "Splunk "+hec.token ||
+		splunkLoggerDriver.nullMessage.Host != hostname ||
+		splunkLoggerDriver.nullMessage.Source != "" ||
+		splunkLoggerDriver.nullMessage.SourceType != "" ||
+		splunkLoggerDriver.nullMessage.Index != "" ||
+		splunkLoggerDriver.gzipCompression ||
+		splunkLoggerDriver.postMessagesFrequency != defaultPostMessagesFrequency ||
+		splunkLoggerDriver.postMessagesBatchSize != defaultPostMessagesBatchSize ||
+		splunkLoggerDriver.bufferMaximum != defaultBufferMaximum ||
+		cap(splunkLoggerDriver.stream) != defaultStreamChannelSize {
+		t.Fatal("Found not default values setup in Splunk Logging Driver.")
+	}
+
+	message1Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("{\"a\":\"b\"}"), Source: "stdout", Timestamp: message1Time}); err != nil {
+		t.Fatal(err)
+	}
+	message2Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("notajson"), Source: "stdout", Timestamp: message2Time}); err != nil {
+		t.Fatal(err)
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != 2 {
+		t.Fatal("Expected two messages")
+	}
+
+	if *hec.gzipEnabled {
+		t.Fatal("Gzip should not be used")
+	}
+
+	message1 := hec.messages[0]
+	if message1.Time != fmt.Sprintf("%f", float64(message1Time.UnixNano())/float64(time.Second)) ||
+		message1.Host != hostname ||
+		message1.Source != "" ||
+		message1.SourceType != "" ||
+		message1.Index != "" {
+		t.Fatalf("Unexpected values of message 1 %v", message1)
+	}
+
+	if event, err := message1.EventAsMap(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event["line"] != "{\"a\":\"b\"}" ||
+			event["source"] != "stdout" ||
+			event["tag"] != "containeriid" ||
+			len(event) != 3 {
+			t.Fatalf("Unexpected event in message %v", event)
+		}
+	}
+
+	message2 := hec.messages[1]
+	if message2.Time != fmt.Sprintf("%f", float64(message2Time.UnixNano())/float64(time.Second)) ||
+		message2.Host != hostname ||
+		message2.Source != "" ||
+		message2.SourceType != "" ||
+		message2.Index != "" {
+		t.Fatalf("Unexpected values of message 1 %v", message2)
+	}
+
+	if event, err := message2.EventAsMap(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event["line"] != "notajson" ||
+			event["source"] != "stdout" ||
+			event["tag"] != "containeriid" ||
+			len(event) != 3 {
+			t.Fatalf("Unexpected event in message %v", event)
+		}
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Verify inline format with a not default settings for most of options
+func TestInlineFormatWithNonDefaultOptions(t *testing.T) {
+	hec := NewHTTPEventCollectorMock(t)
+
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:             hec.URL(),
+			splunkTokenKey:           hec.token,
+			splunkSourceKey:          "mysource",
+			splunkSourceTypeKey:      "mysourcetype",
+			splunkIndexKey:           "myindex",
+			splunkFormatKey:          splunkFormatInline,
+			splunkGzipCompressionKey: "true",
+			tagKey:      "{{.ImageName}}/{{.Name}}",
+			labelsKey:   "a",
+			envRegexKey: "^foo",
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+		ContainerLabels: map[string]string{
+			"a": "b",
+		},
+		ContainerEnv: []string{"foo_finder=bar"},
+	}
+
+	hostname, err := info.Hostname()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !hec.connectionVerified {
+		t.Fatal("By default connection should be verified")
+	}
+
+	splunkLoggerDriver, ok := loggerDriver.(*splunkLoggerInline)
+	if !ok {
+		t.Fatal("Unexpected Splunk Logging Driver type")
+	}
+
+	if splunkLoggerDriver.url != hec.URL()+"/services/collector/event/1.0" ||
+		splunkLoggerDriver.auth != "Splunk "+hec.token ||
+		splunkLoggerDriver.nullMessage.Host != hostname ||
+		splunkLoggerDriver.nullMessage.Source != "mysource" ||
+		splunkLoggerDriver.nullMessage.SourceType != "mysourcetype" ||
+		splunkLoggerDriver.nullMessage.Index != "myindex" ||
+		!splunkLoggerDriver.gzipCompression ||
+		splunkLoggerDriver.gzipCompressionLevel != gzip.DefaultCompression ||
+		splunkLoggerDriver.postMessagesFrequency != defaultPostMessagesFrequency ||
+		splunkLoggerDriver.postMessagesBatchSize != defaultPostMessagesBatchSize ||
+		splunkLoggerDriver.bufferMaximum != defaultBufferMaximum ||
+		cap(splunkLoggerDriver.stream) != defaultStreamChannelSize {
+		t.Fatal("Values do not match configuration.")
+	}
+
+	messageTime := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("1"), Source: "stdout", Timestamp: messageTime}); err != nil {
+		t.Fatal(err)
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != 1 {
+		t.Fatal("Expected one message")
+	}
+
+	if !*hec.gzipEnabled {
+		t.Fatal("Gzip should be used")
+	}
+
+	message := hec.messages[0]
+	if message.Time != fmt.Sprintf("%f", float64(messageTime.UnixNano())/float64(time.Second)) ||
+		message.Host != hostname ||
+		message.Source != "mysource" ||
+		message.SourceType != "mysourcetype" ||
+		message.Index != "myindex" {
+		t.Fatalf("Unexpected values of message %v", message)
+	}
+
+	if event, err := message.EventAsMap(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event["line"] != "1" ||
+			event["source"] != "stdout" ||
+			event["tag"] != "container_image_name/container_name" ||
+			event["attrs"].(map[string]interface{})["a"] != "b" ||
+			event["attrs"].(map[string]interface{})["foo_finder"] != "bar" ||
+			len(event) != 4 {
+			t.Fatalf("Unexpected event in message %v", event)
+		}
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Verify JSON format
+func TestJsonFormat(t *testing.T) {
+	hec := NewHTTPEventCollectorMock(t)
+
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:                  hec.URL(),
+			splunkTokenKey:                hec.token,
+			splunkFormatKey:               splunkFormatJSON,
+			splunkGzipCompressionKey:      "true",
+			splunkGzipCompressionLevelKey: "1",
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	hostname, err := info.Hostname()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !hec.connectionVerified {
+		t.Fatal("By default connection should be verified")
+	}
+
+	splunkLoggerDriver, ok := loggerDriver.(*splunkLoggerJSON)
+	if !ok {
+		t.Fatal("Unexpected Splunk Logging Driver type")
+	}
+
+	if splunkLoggerDriver.url != hec.URL()+"/services/collector/event/1.0" ||
+		splunkLoggerDriver.auth != "Splunk "+hec.token ||
+		splunkLoggerDriver.nullMessage.Host != hostname ||
+		splunkLoggerDriver.nullMessage.Source != "" ||
+		splunkLoggerDriver.nullMessage.SourceType != "" ||
+		splunkLoggerDriver.nullMessage.Index != "" ||
+		!splunkLoggerDriver.gzipCompression ||
+		splunkLoggerDriver.gzipCompressionLevel != gzip.BestSpeed ||
+		splunkLoggerDriver.postMessagesFrequency != defaultPostMessagesFrequency ||
+		splunkLoggerDriver.postMessagesBatchSize != defaultPostMessagesBatchSize ||
+		splunkLoggerDriver.bufferMaximum != defaultBufferMaximum ||
+		cap(splunkLoggerDriver.stream) != defaultStreamChannelSize {
+		t.Fatal("Values do not match configuration.")
+	}
+
+	message1Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("{\"a\":\"b\"}"), Source: "stdout", Timestamp: message1Time}); err != nil {
+		t.Fatal(err)
+	}
+	message2Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("notjson"), Source: "stdout", Timestamp: message2Time}); err != nil {
+		t.Fatal(err)
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != 2 {
+		t.Fatal("Expected two messages")
+	}
+
+	message1 := hec.messages[0]
+	if message1.Time != fmt.Sprintf("%f", float64(message1Time.UnixNano())/float64(time.Second)) ||
+		message1.Host != hostname ||
+		message1.Source != "" ||
+		message1.SourceType != "" ||
+		message1.Index != "" {
+		t.Fatalf("Unexpected values of message 1 %v", message1)
+	}
+
+	if event, err := message1.EventAsMap(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event["line"].(map[string]interface{})["a"] != "b" ||
+			event["source"] != "stdout" ||
+			event["tag"] != "containeriid" ||
+			len(event) != 3 {
+			t.Fatalf("Unexpected event in message 1 %v", event)
+		}
+	}
+
+	message2 := hec.messages[1]
+	if message2.Time != fmt.Sprintf("%f", float64(message2Time.UnixNano())/float64(time.Second)) ||
+		message2.Host != hostname ||
+		message2.Source != "" ||
+		message2.SourceType != "" ||
+		message2.Index != "" {
+		t.Fatalf("Unexpected values of message 2 %v", message2)
+	}
+
+	// If message cannot be parsed as JSON - it should be sent as a line
+	if event, err := message2.EventAsMap(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event["line"] != "notjson" ||
+			event["source"] != "stdout" ||
+			event["tag"] != "containeriid" ||
+			len(event) != 3 {
+			t.Fatalf("Unexpected event in message 2 %v", event)
+		}
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Verify raw format
+func TestRawFormat(t *testing.T) {
+	hec := NewHTTPEventCollectorMock(t)
+
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:    hec.URL(),
+			splunkTokenKey:  hec.token,
+			splunkFormatKey: splunkFormatRaw,
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	hostname, err := info.Hostname()
+	assert.NilError(t, err)
+
+	loggerDriver, err := New(info)
+	assert.NilError(t, err)
+
+	if !hec.connectionVerified {
+		t.Fatal("By default connection should be verified")
+	}
+
+	splunkLoggerDriver, ok := loggerDriver.(*splunkLoggerRaw)
+	if !ok {
+		t.Fatal("Unexpected Splunk Logging Driver type")
+	}
+
+	if splunkLoggerDriver.url != hec.URL()+"/services/collector/event/1.0" ||
+		splunkLoggerDriver.auth != "Splunk "+hec.token ||
+		splunkLoggerDriver.nullMessage.Host != hostname ||
+		splunkLoggerDriver.nullMessage.Source != "" ||
+		splunkLoggerDriver.nullMessage.SourceType != "" ||
+		splunkLoggerDriver.nullMessage.Index != "" ||
+		splunkLoggerDriver.gzipCompression ||
+		splunkLoggerDriver.postMessagesFrequency != defaultPostMessagesFrequency ||
+		splunkLoggerDriver.postMessagesBatchSize != defaultPostMessagesBatchSize ||
+		splunkLoggerDriver.bufferMaximum != defaultBufferMaximum ||
+		cap(splunkLoggerDriver.stream) != defaultStreamChannelSize ||
+		string(splunkLoggerDriver.prefix) != "containeriid " {
+		t.Fatal("Values do not match configuration.")
+	}
+
+	message1Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("{\"a\":\"b\"}"), Source: "stdout", Timestamp: message1Time}); err != nil {
+		t.Fatal(err)
+	}
+	message2Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("notjson"), Source: "stdout", Timestamp: message2Time}); err != nil {
+		t.Fatal(err)
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != 2 {
+		t.Fatal("Expected two messages")
+	}
+
+	message1 := hec.messages[0]
+	if message1.Time != fmt.Sprintf("%f", float64(message1Time.UnixNano())/float64(time.Second)) ||
+		message1.Host != hostname ||
+		message1.Source != "" ||
+		message1.SourceType != "" ||
+		message1.Index != "" {
+		t.Fatalf("Unexpected values of message 1 %v", message1)
+	}
+
+	if event, err := message1.EventAsString(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event != "containeriid {\"a\":\"b\"}" {
+			t.Fatalf("Unexpected event in message 1 %v", event)
+		}
+	}
+
+	message2 := hec.messages[1]
+	if message2.Time != fmt.Sprintf("%f", float64(message2Time.UnixNano())/float64(time.Second)) ||
+		message2.Host != hostname ||
+		message2.Source != "" ||
+		message2.SourceType != "" ||
+		message2.Index != "" {
+		t.Fatalf("Unexpected values of message 2 %v", message2)
+	}
+
+	if event, err := message2.EventAsString(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event != "containeriid notjson" {
+			t.Fatalf("Unexpected event in message 1 %v", event)
+		}
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Verify raw format with labels
+func TestRawFormatWithLabels(t *testing.T) {
+	hec := NewHTTPEventCollectorMock(t)
+
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:    hec.URL(),
+			splunkTokenKey:  hec.token,
+			splunkFormatKey: splunkFormatRaw,
+			labelsKey:       "a",
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+		ContainerLabels: map[string]string{
+			"a": "b",
+		},
+	}
+
+	hostname, err := info.Hostname()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !hec.connectionVerified {
+		t.Fatal("By default connection should be verified")
+	}
+
+	splunkLoggerDriver, ok := loggerDriver.(*splunkLoggerRaw)
+	if !ok {
+		t.Fatal("Unexpected Splunk Logging Driver type")
+	}
+
+	if splunkLoggerDriver.url != hec.URL()+"/services/collector/event/1.0" ||
+		splunkLoggerDriver.auth != "Splunk "+hec.token ||
+		splunkLoggerDriver.nullMessage.Host != hostname ||
+		splunkLoggerDriver.nullMessage.Source != "" ||
+		splunkLoggerDriver.nullMessage.SourceType != "" ||
+		splunkLoggerDriver.nullMessage.Index != "" ||
+		splunkLoggerDriver.gzipCompression ||
+		splunkLoggerDriver.postMessagesFrequency != defaultPostMessagesFrequency ||
+		splunkLoggerDriver.postMessagesBatchSize != defaultPostMessagesBatchSize ||
+		splunkLoggerDriver.bufferMaximum != defaultBufferMaximum ||
+		cap(splunkLoggerDriver.stream) != defaultStreamChannelSize ||
+		string(splunkLoggerDriver.prefix) != "containeriid a=b " {
+		t.Fatal("Values do not match configuration.")
+	}
+
+	message1Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("{\"a\":\"b\"}"), Source: "stdout", Timestamp: message1Time}); err != nil {
+		t.Fatal(err)
+	}
+	message2Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("notjson"), Source: "stdout", Timestamp: message2Time}); err != nil {
+		t.Fatal(err)
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != 2 {
+		t.Fatal("Expected two messages")
+	}
+
+	message1 := hec.messages[0]
+	if message1.Time != fmt.Sprintf("%f", float64(message1Time.UnixNano())/float64(time.Second)) ||
+		message1.Host != hostname ||
+		message1.Source != "" ||
+		message1.SourceType != "" ||
+		message1.Index != "" {
+		t.Fatalf("Unexpected values of message 1 %v", message1)
+	}
+
+	if event, err := message1.EventAsString(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event != "containeriid a=b {\"a\":\"b\"}" {
+			t.Fatalf("Unexpected event in message 1 %v", event)
+		}
+	}
+
+	message2 := hec.messages[1]
+	if message2.Time != fmt.Sprintf("%f", float64(message2Time.UnixNano())/float64(time.Second)) ||
+		message2.Host != hostname ||
+		message2.Source != "" ||
+		message2.SourceType != "" ||
+		message2.Index != "" {
+		t.Fatalf("Unexpected values of message 2 %v", message2)
+	}
+
+	if event, err := message2.EventAsString(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event != "containeriid a=b notjson" {
+			t.Fatalf("Unexpected event in message 2 %v", event)
+		}
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Verify that Splunk Logging Driver can accept tag="" which will allow to send raw messages
+// in the same way we get them in stdout/stderr
+func TestRawFormatWithoutTag(t *testing.T) {
+	hec := NewHTTPEventCollectorMock(t)
+
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:    hec.URL(),
+			splunkTokenKey:  hec.token,
+			splunkFormatKey: splunkFormatRaw,
+			tagKey:          "",
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	hostname, err := info.Hostname()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !hec.connectionVerified {
+		t.Fatal("By default connection should be verified")
+	}
+
+	splunkLoggerDriver, ok := loggerDriver.(*splunkLoggerRaw)
+	if !ok {
+		t.Fatal("Unexpected Splunk Logging Driver type")
+	}
+
+	if splunkLoggerDriver.url != hec.URL()+"/services/collector/event/1.0" ||
+		splunkLoggerDriver.auth != "Splunk "+hec.token ||
+		splunkLoggerDriver.nullMessage.Host != hostname ||
+		splunkLoggerDriver.nullMessage.Source != "" ||
+		splunkLoggerDriver.nullMessage.SourceType != "" ||
+		splunkLoggerDriver.nullMessage.Index != "" ||
+		splunkLoggerDriver.gzipCompression ||
+		splunkLoggerDriver.postMessagesFrequency != defaultPostMessagesFrequency ||
+		splunkLoggerDriver.postMessagesBatchSize != defaultPostMessagesBatchSize ||
+		splunkLoggerDriver.bufferMaximum != defaultBufferMaximum ||
+		cap(splunkLoggerDriver.stream) != defaultStreamChannelSize ||
+		string(splunkLoggerDriver.prefix) != "" {
+		t.Log(string(splunkLoggerDriver.prefix) + "a")
+		t.Fatal("Values do not match configuration.")
+	}
+
+	message1Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("{\"a\":\"b\"}"), Source: "stdout", Timestamp: message1Time}); err != nil {
+		t.Fatal(err)
+	}
+	message2Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("notjson"), Source: "stdout", Timestamp: message2Time}); err != nil {
+		t.Fatal(err)
+	}
+	message3Time := time.Now()
+	if err := loggerDriver.Log(&logger.Message{Line: []byte(" "), Source: "stdout", Timestamp: message3Time}); err != nil {
+		t.Fatal(err)
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// message3 would have an empty or whitespace only string in the "event" field
+	// both of which are not acceptable to HEC
+	// thus here we must expect 2 messages, not 3
+	if len(hec.messages) != 2 {
+		t.Fatal("Expected two messages")
+	}
+
+	message1 := hec.messages[0]
+	if message1.Time != fmt.Sprintf("%f", float64(message1Time.UnixNano())/float64(time.Second)) ||
+		message1.Host != hostname ||
+		message1.Source != "" ||
+		message1.SourceType != "" ||
+		message1.Index != "" {
+		t.Fatalf("Unexpected values of message 1 %v", message1)
+	}
+
+	if event, err := message1.EventAsString(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event != "{\"a\":\"b\"}" {
+			t.Fatalf("Unexpected event in message 1 %v", event)
+		}
+	}
+
+	message2 := hec.messages[1]
+	if message2.Time != fmt.Sprintf("%f", float64(message2Time.UnixNano())/float64(time.Second)) ||
+		message2.Host != hostname ||
+		message2.Source != "" ||
+		message2.SourceType != "" ||
+		message2.Index != "" {
+		t.Fatalf("Unexpected values of message 2 %v", message2)
+	}
+
+	if event, err := message2.EventAsString(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event != "notjson" {
+			t.Fatalf("Unexpected event in message 2 %v", event)
+		}
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Verify that we will send messages in batches with default batching parameters,
+// but change frequency to be sure that numOfRequests will match expected 17 requests
+func TestBatching(t *testing.T) {
+	if err := os.Setenv(envVarPostMessagesFrequency, "10h"); err != nil {
+		t.Fatal(err)
+	}
+
+	hec := NewHTTPEventCollectorMock(t)
+
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:   hec.URL(),
+			splunkTokenKey: hec.token,
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for i := 0; i < defaultStreamChannelSize*4; i++ {
+		if err := loggerDriver.Log(&logger.Message{Line: []byte(fmt.Sprintf("%d", i)), Source: "stdout", Timestamp: time.Now()}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != defaultStreamChannelSize*4 {
+		t.Fatal("Not all messages delivered")
+	}
+
+	for i, message := range hec.messages {
+		if event, err := message.EventAsMap(); err != nil {
+			t.Fatal(err)
+		} else {
+			if event["line"] != fmt.Sprintf("%d", i) {
+				t.Fatalf("Unexpected event in message %v", event)
+			}
+		}
+	}
+
+	// 1 to verify connection and 16 batches
+	if hec.numOfRequests != 17 {
+		t.Fatalf("Unexpected number of requests %d", hec.numOfRequests)
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarPostMessagesFrequency, ""); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Verify that test is using time to fire events not rare than specified frequency
+func TestFrequency(t *testing.T) {
+	if err := os.Setenv(envVarPostMessagesFrequency, "5ms"); err != nil {
+		t.Fatal(err)
+	}
+
+	hec := NewHTTPEventCollectorMock(t)
+
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:   hec.URL(),
+			splunkTokenKey: hec.token,
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for i := 0; i < 10; i++ {
+		if err := loggerDriver.Log(&logger.Message{Line: []byte(fmt.Sprintf("%d", i)), Source: "stdout", Timestamp: time.Now()}); err != nil {
+			t.Fatal(err)
+		}
+		time.Sleep(15 * time.Millisecond)
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != 10 {
+		t.Fatal("Not all messages delivered")
+	}
+
+	for i, message := range hec.messages {
+		if event, err := message.EventAsMap(); err != nil {
+			t.Fatal(err)
+		} else {
+			if event["line"] != fmt.Sprintf("%d", i) {
+				t.Fatalf("Unexpected event in message %v", event)
+			}
+		}
+	}
+
+	// 1 to verify connection and 10 to verify that we have sent messages with required frequency,
+	// but because frequency is too small (to keep test quick), instead of 11, use 9 if context switches will be slow
+	if hec.numOfRequests < 9 {
+		t.Fatalf("Unexpected number of requests %d", hec.numOfRequests)
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarPostMessagesFrequency, ""); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Simulate behavior similar to first version of Splunk Logging Driver, when we were sending one message
+// per request
+func TestOneMessagePerRequest(t *testing.T) {
+	if err := os.Setenv(envVarPostMessagesFrequency, "10h"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarPostMessagesBatchSize, "1"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarBufferMaximum, "1"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarStreamChannelSize, "0"); err != nil {
+		t.Fatal(err)
+	}
+
+	hec := NewHTTPEventCollectorMock(t)
+
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:   hec.URL(),
+			splunkTokenKey: hec.token,
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for i := 0; i < 10; i++ {
+		if err := loggerDriver.Log(&logger.Message{Line: []byte(fmt.Sprintf("%d", i)), Source: "stdout", Timestamp: time.Now()}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != 10 {
+		t.Fatal("Not all messages delivered")
+	}
+
+	for i, message := range hec.messages {
+		if event, err := message.EventAsMap(); err != nil {
+			t.Fatal(err)
+		} else {
+			if event["line"] != fmt.Sprintf("%d", i) {
+				t.Fatalf("Unexpected event in message %v", event)
+			}
+		}
+	}
+
+	// 1 to verify connection and 10 messages
+	if hec.numOfRequests != 11 {
+		t.Fatalf("Unexpected number of requests %d", hec.numOfRequests)
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarPostMessagesFrequency, ""); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarPostMessagesBatchSize, ""); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarBufferMaximum, ""); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarStreamChannelSize, ""); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Driver should not be created when HEC is unresponsive
+func TestVerify(t *testing.T) {
+	hec := NewHTTPEventCollectorMock(t)
+	hec.simulateServerError = true
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:   hec.URL(),
+			splunkTokenKey: hec.token,
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	_, err := New(info)
+	if err == nil {
+		t.Fatal("Expecting driver to fail, when server is unresponsive")
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Verify that user can specify to skip verification that Splunk HEC is working.
+// Also in this test we verify retry logic.
+func TestSkipVerify(t *testing.T) {
+	hec := NewHTTPEventCollectorMock(t)
+	hec.simulateServerError = true
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:              hec.URL(),
+			splunkTokenKey:            hec.token,
+			splunkVerifyConnectionKey: "false",
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if hec.connectionVerified {
+		t.Fatal("Connection should not be verified")
+	}
+
+	for i := 0; i < defaultStreamChannelSize*2; i++ {
+		if err := loggerDriver.Log(&logger.Message{Line: []byte(fmt.Sprintf("%d", i)), Source: "stdout", Timestamp: time.Now()}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	if len(hec.messages) != 0 {
+		t.Fatal("No messages should be accepted at this point")
+	}
+
+	hec.simulateErr(false)
+
+	for i := defaultStreamChannelSize * 2; i < defaultStreamChannelSize*4; i++ {
+		if err := loggerDriver.Log(&logger.Message{Line: []byte(fmt.Sprintf("%d", i)), Source: "stdout", Timestamp: time.Now()}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != defaultStreamChannelSize*4 {
+		t.Fatal("Not all messages delivered")
+	}
+
+	for i, message := range hec.messages {
+		if event, err := message.EventAsMap(); err != nil {
+			t.Fatal(err)
+		} else {
+			if event["line"] != fmt.Sprintf("%d", i) {
+				t.Fatalf("Unexpected event in message %v", event)
+			}
+		}
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Verify logic for when we filled whole buffer
+func TestBufferMaximum(t *testing.T) {
+	if err := os.Setenv(envVarPostMessagesBatchSize, "2"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarBufferMaximum, "10"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarStreamChannelSize, "0"); err != nil {
+		t.Fatal(err)
+	}
+
+	hec := NewHTTPEventCollectorMock(t)
+	hec.simulateErr(true)
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:              hec.URL(),
+			splunkTokenKey:            hec.token,
+			splunkVerifyConnectionKey: "false",
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if hec.connectionVerified {
+		t.Fatal("Connection should not be verified")
+	}
+
+	for i := 0; i < 11; i++ {
+		if err := loggerDriver.Log(&logger.Message{Line: []byte(fmt.Sprintf("%d", i)), Source: "stdout", Timestamp: time.Now()}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	if len(hec.messages) != 0 {
+		t.Fatal("No messages should be accepted at this point")
+	}
+
+	hec.simulateServerError = false
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != 9 {
+		t.Fatalf("Expected # of messages %d, got %d", 9, len(hec.messages))
+	}
+
+	// First 1000 messages are written to daemon log when buffer was full
+	for i, message := range hec.messages {
+		if event, err := message.EventAsMap(); err != nil {
+			t.Fatal(err)
+		} else {
+			if event["line"] != fmt.Sprintf("%d", i+2) {
+				t.Fatalf("Unexpected event in message %v", event)
+			}
+		}
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarPostMessagesBatchSize, ""); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarBufferMaximum, ""); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarStreamChannelSize, ""); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Verify that we are not blocking close when HEC is down for the whole time
+func TestServerAlwaysDown(t *testing.T) {
+	if err := os.Setenv(envVarPostMessagesBatchSize, "2"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarBufferMaximum, "4"); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarStreamChannelSize, "0"); err != nil {
+		t.Fatal(err)
+	}
+
+	hec := NewHTTPEventCollectorMock(t)
+	hec.simulateServerError = true
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:              hec.URL(),
+			splunkTokenKey:            hec.token,
+			splunkVerifyConnectionKey: "false",
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if hec.connectionVerified {
+		t.Fatal("Connection should not be verified")
+	}
+
+	for i := 0; i < 5; i++ {
+		if err := loggerDriver.Log(&logger.Message{Line: []byte(fmt.Sprintf("%d", i)), Source: "stdout", Timestamp: time.Now()}); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(hec.messages) != 0 {
+		t.Fatal("No messages should be sent")
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarPostMessagesBatchSize, ""); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarBufferMaximum, ""); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Setenv(envVarStreamChannelSize, ""); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Cannot send messages after we close driver
+func TestCannotSendAfterClose(t *testing.T) {
+	hec := NewHTTPEventCollectorMock(t)
+	go hec.Serve()
+
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:   hec.URL(),
+			splunkTokenKey: hec.token,
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	loggerDriver, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("message1"), Source: "stdout", Timestamp: time.Now()}); err != nil {
+		t.Fatal(err)
+	}
+
+	err = loggerDriver.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := loggerDriver.Log(&logger.Message{Line: []byte("message2"), Source: "stdout", Timestamp: time.Now()}); err == nil {
+		t.Fatal("Driver should not allow to send messages after close")
+	}
+
+	if len(hec.messages) != 1 {
+		t.Fatal("Only one message should be sent")
+	}
+
+	message := hec.messages[0]
+	if event, err := message.EventAsMap(); err != nil {
+		t.Fatal(err)
+	} else {
+		if event["line"] != "message1" {
+			t.Fatalf("Unexpected event in message %v", event)
+		}
+	}
+
+	err = hec.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestDeadlockOnBlockedEndpoint(t *testing.T) {
+	hec := NewHTTPEventCollectorMock(t)
+	go hec.Serve()
+	info := logger.Info{
+		Config: map[string]string{
+			splunkURLKey:   hec.URL(),
+			splunkTokenKey: hec.token,
+		},
+		ContainerID:        "containeriid",
+		ContainerName:      "/container_name",
+		ContainerImageID:   "contaimageid",
+		ContainerImageName: "container_image_name",
+	}
+
+	l, err := New(info)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ctx, unblock := context.WithCancel(context.Background())
+	hec.withBlock(ctx)
+	defer unblock()
+
+	batchSendTimeout = 1 * time.Second
+
+	if err := l.Log(&logger.Message{}); err != nil {
+		t.Fatal(err)
+	}
+
+	done := make(chan struct{})
+	go func() {
+		l.Close()
+		close(done)
+	}()
+
+	select {
+	case <-time.After(60 * time.Second):
+		buf := make([]byte, 1e6)
+		buf = buf[:runtime.Stack(buf, true)]
+		t.Logf("STACK DUMP: \n\n%s\n\n", string(buf))
+		t.Fatal("timeout waiting for close to finish")
+	case <-done:
+	}
+}
diff --git a/engine/daemon/logger/splunk/splunkhecmock_test.go b/engine/daemon/logger/splunk/splunkhecmock_test.go
new file mode 100644
index 00000000..a3a83ac1
--- /dev/null
+++ b/engine/daemon/logger/splunk/splunkhecmock_test.go
@@ -0,0 +1,182 @@
+package splunk // import "github.com/docker/docker/daemon/logger/splunk"
+
+import (
+	"compress/gzip"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"sync"
+	"testing"
+)
+
+func (message *splunkMessage) EventAsString() (string, error) {
+	if val, ok := message.Event.(string); ok {
+		return val, nil
+	}
+	return "", fmt.Errorf("Cannot cast Event %v to string", message.Event)
+}
+
+func (message *splunkMessage) EventAsMap() (map[string]interface{}, error) {
+	if val, ok := message.Event.(map[string]interface{}); ok {
+		return val, nil
+	}
+	return nil, fmt.Errorf("Cannot cast Event %v to map", message.Event)
+}
+
+type HTTPEventCollectorMock struct {
+	tcpAddr     *net.TCPAddr
+	tcpListener *net.TCPListener
+
+	mu                  sync.Mutex
+	token               string
+	simulateServerError bool
+	blockingCtx         context.Context
+
+	test *testing.T
+
+	connectionVerified bool
+	gzipEnabled        *bool
+	messages           []*splunkMessage
+	numOfRequests      int
+}
+
+func NewHTTPEventCollectorMock(t *testing.T) *HTTPEventCollectorMock {
+	tcpAddr := &net.TCPAddr{IP: []byte{127, 0, 0, 1}, Port: 0, Zone: ""}
+	tcpListener, err := net.ListenTCP("tcp", tcpAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return &HTTPEventCollectorMock{
+		tcpAddr:             tcpAddr,
+		tcpListener:         tcpListener,
+		token:               "4642492F-D8BD-47F1-A005-0C08AE4657DF",
+		simulateServerError: false,
+		test:                t,
+		connectionVerified:  false}
+}
+
+func (hec *HTTPEventCollectorMock) simulateErr(b bool) {
+	hec.mu.Lock()
+	hec.simulateServerError = b
+	hec.mu.Unlock()
+}
+
+func (hec *HTTPEventCollectorMock) withBlock(ctx context.Context) {
+	hec.mu.Lock()
+	hec.blockingCtx = ctx
+	hec.mu.Unlock()
+}
+
+func (hec *HTTPEventCollectorMock) URL() string {
+	return "http://" + hec.tcpListener.Addr().String()
+}
+
+func (hec *HTTPEventCollectorMock) Serve() error {
+	return http.Serve(hec.tcpListener, hec)
+}
+
+func (hec *HTTPEventCollectorMock) Close() error {
+	return hec.tcpListener.Close()
+}
+
+func (hec *HTTPEventCollectorMock) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
+	var err error
+
+	hec.numOfRequests++
+
+	hec.mu.Lock()
+	simErr := hec.simulateServerError
+	ctx := hec.blockingCtx
+	hec.mu.Unlock()
+
+	if ctx != nil {
+		<-hec.blockingCtx.Done()
+	}
+
+	if simErr {
+		if request.Body != nil {
+			defer request.Body.Close()
+		}
+		writer.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	switch request.Method {
+	case http.MethodOptions:
+		// Verify that options method is getting called only once
+		if hec.connectionVerified {
+			hec.test.Errorf("Connection should not be verified more than once. Got second request with %s method.", request.Method)
+		}
+		hec.connectionVerified = true
+		writer.WriteHeader(http.StatusOK)
+	case http.MethodPost:
+		// Always verify that Driver is using correct path to HEC
+		if request.URL.String() != "/services/collector/event/1.0" {
+			hec.test.Errorf("Unexpected path %v", request.URL)
+		}
+		defer request.Body.Close()
+
+		if authorization, ok := request.Header["Authorization"]; !ok || authorization[0] != ("Splunk "+hec.token) {
+			hec.test.Error("Authorization header is invalid.")
+		}
+
+		gzipEnabled := false
+		if contentEncoding, ok := request.Header["Content-Encoding"]; ok && contentEncoding[0] == "gzip" {
+			gzipEnabled = true
+		}
+
+		if hec.gzipEnabled == nil {
+			hec.gzipEnabled = &gzipEnabled
+		} else if gzipEnabled != *hec.gzipEnabled {
+			// Nothing wrong with that, but we just know that Splunk Logging Driver does not do that
+			hec.test.Error("Driver should not change Content Encoding.")
+		}
+
+		var gzipReader *gzip.Reader
+		var reader io.Reader
+		if gzipEnabled {
+			gzipReader, err = gzip.NewReader(request.Body)
+			if err != nil {
+				hec.test.Fatal(err)
+			}
+			reader = gzipReader
+		} else {
+			reader = request.Body
+		}
+
+		// Read body
+		var body []byte
+		body, err = ioutil.ReadAll(reader)
+		if err != nil {
+			hec.test.Fatal(err)
+		}
+
+		// Parse message
+		messageStart := 0
+		for i := 0; i < len(body); i++ {
+			if i == len(body)-1 || (body[i] == '}' && body[i+1] == '{') {
+				var message splunkMessage
+				err = json.Unmarshal(body[messageStart:i+1], &message)
+				if err != nil {
+					hec.test.Log(string(body[messageStart : i+1]))
+					hec.test.Fatal(err)
+				}
+				hec.messages = append(hec.messages, &message)
+				messageStart = i + 1
+			}
+		}
+
+		if gzipEnabled {
+			gzipReader.Close()
+		}
+
+		writer.WriteHeader(http.StatusOK)
+	default:
+		hec.test.Errorf("Unexpected HTTP method %s", http.MethodOptions)
+		writer.WriteHeader(http.StatusBadRequest)
+	}
+}
diff --git a/engine/daemon/logger/syslog/syslog.go b/engine/daemon/logger/syslog/syslog.go
new file mode 100644
index 00000000..94bdee36
--- /dev/null
+++ b/engine/daemon/logger/syslog/syslog.go
@@ -0,0 +1,266 @@
+// Package syslog provides the logdriver for forwarding server logs to syslog endpoints.
+package syslog // import "github.com/docker/docker/daemon/logger/syslog"
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	syslog "github.com/RackSec/srslog"
+
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/daemon/logger/loggerutils"
+	"github.com/docker/docker/pkg/urlutil"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	name        = "syslog"
+	secureProto = "tcp+tls"
+)
+
+var facilities = map[string]syslog.Priority{
+	"kern":     syslog.LOG_KERN,
+	"user":     syslog.LOG_USER,
+	"mail":     syslog.LOG_MAIL,
+	"daemon":   syslog.LOG_DAEMON,
+	"auth":     syslog.LOG_AUTH,
+	"syslog":   syslog.LOG_SYSLOG,
+	"lpr":      syslog.LOG_LPR,
+	"news":     syslog.LOG_NEWS,
+	"uucp":     syslog.LOG_UUCP,
+	"cron":     syslog.LOG_CRON,
+	"authpriv": syslog.LOG_AUTHPRIV,
+	"ftp":      syslog.LOG_FTP,
+	"local0":   syslog.LOG_LOCAL0,
+	"local1":   syslog.LOG_LOCAL1,
+	"local2":   syslog.LOG_LOCAL2,
+	"local3":   syslog.LOG_LOCAL3,
+	"local4":   syslog.LOG_LOCAL4,
+	"local5":   syslog.LOG_LOCAL5,
+	"local6":   syslog.LOG_LOCAL6,
+	"local7":   syslog.LOG_LOCAL7,
+}
+
+type syslogger struct {
+	writer *syslog.Writer
+}
+
+func init() {
+	if err := logger.RegisterLogDriver(name, New); err != nil {
+		logrus.Fatal(err)
+	}
+	if err := logger.RegisterLogOptValidator(name, ValidateLogOpt); err != nil {
+		logrus.Fatal(err)
+	}
+}
+
+// rsyslog uses appname part of syslog message to fill in an %syslogtag% template
+// attribute in rsyslog.conf. In order to be backward compatible to rfc3164
+// tag will be also used as an appname
+func rfc5424formatterWithAppNameAsTag(p syslog.Priority, hostname, tag, content string) string {
+	timestamp := time.Now().Format(time.RFC3339)
+	pid := os.Getpid()
+	msg := fmt.Sprintf("<%d>%d %s %s %s %d %s - %s",
+		p, 1, timestamp, hostname, tag, pid, tag, content)
+	return msg
+}
+
+// The timestamp field in rfc5424 is derived from rfc3339. Whereas rfc3339 makes allowances
+// for multiple syntaxes, there are further restrictions in rfc5424, i.e., the maximum
+// resolution is limited to "TIME-SECFRAC" which is 6 (microsecond resolution)
+func rfc5424microformatterWithAppNameAsTag(p syslog.Priority, hostname, tag, content string) string {
+	timestamp := time.Now().Format("2006-01-02T15:04:05.999999Z07:00")
+	pid := os.Getpid()
+	msg := fmt.Sprintf("<%d>%d %s %s %s %d %s - %s",
+		p, 1, timestamp, hostname, tag, pid, tag, content)
+	return msg
+}
+
+// New creates a syslog logger using the configuration passed in on
+// the context. Supported context configuration variables are
+// syslog-address, syslog-facility, syslog-format.
+func New(info logger.Info) (logger.Logger, error) {
+	tag, err := loggerutils.ParseLogTag(info, loggerutils.DefaultTemplate)
+	if err != nil {
+		return nil, err
+	}
+
+	proto, address, err := parseAddress(info.Config["syslog-address"])
+	if err != nil {
+		return nil, err
+	}
+
+	facility, err := parseFacility(info.Config["syslog-facility"])
+	if err != nil {
+		return nil, err
+	}
+
+	syslogFormatter, syslogFramer, err := parseLogFormat(info.Config["syslog-format"], proto)
+	if err != nil {
+		return nil, err
+	}
+
+	var log *syslog.Writer
+	if proto == secureProto {
+		tlsConfig, tlsErr := parseTLSConfig(info.Config)
+		if tlsErr != nil {
+			return nil, tlsErr
+		}
+		log, err = syslog.DialWithTLSConfig(proto, address, facility, tag, tlsConfig)
+	} else {
+		log, err = syslog.Dial(proto, address, facility, tag)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	log.SetFormatter(syslogFormatter)
+	log.SetFramer(syslogFramer)
+
+	return &syslogger{
+		writer: log,
+	}, nil
+}
+
+func (s *syslogger) Log(msg *logger.Message) error {
+	line := string(msg.Line)
+	source := msg.Source
+	logger.PutMessage(msg)
+	if source == "stderr" {
+		return s.writer.Err(line)
+	}
+	return s.writer.Info(line)
+}
+
+func (s *syslogger) Close() error {
+	return s.writer.Close()
+}
+
+func (s *syslogger) Name() string {
+	return name
+}
+
+func parseAddress(address string) (string, string, error) {
+	if address == "" {
+		return "", "", nil
+	}
+	if !urlutil.IsTransportURL(address) {
+		return "", "", fmt.Errorf("syslog-address should be in form proto://address, got %v", address)
+	}
+	url, err := url.Parse(address)
+	if err != nil {
+		return "", "", err
+	}
+
+	// unix and unixgram socket validation
+	if url.Scheme == "unix" || url.Scheme == "unixgram" {
+		if _, err := os.Stat(url.Path); err != nil {
+			return "", "", err
+		}
+		return url.Scheme, url.Path, nil
+	}
+
+	// here we process tcp|udp
+	host := url.Host
+	if _, _, err := net.SplitHostPort(host); err != nil {
+		if !strings.Contains(err.Error(), "missing port in address") {
+			return "", "", err
+		}
+		host = host + ":514"
+	}
+
+	return url.Scheme, host, nil
+}
+
+// ValidateLogOpt looks for syslog specific log options
+// syslog-address, syslog-facility.
+func ValidateLogOpt(cfg map[string]string) error {
+	for key := range cfg {
+		switch key {
+		case "env":
+		case "env-regex":
+		case "labels":
+		case "syslog-address":
+		case "syslog-facility":
+		case "syslog-tls-ca-cert":
+		case "syslog-tls-cert":
+		case "syslog-tls-key":
+		case "syslog-tls-skip-verify":
+		case "tag":
+		case "syslog-format":
+		default:
+			return fmt.Errorf("unknown log opt '%s' for syslog log driver", key)
+		}
+	}
+	if _, _, err := parseAddress(cfg["syslog-address"]); err != nil {
+		return err
+	}
+	if _, err := parseFacility(cfg["syslog-facility"]); err != nil {
+		return err
+	}
+	if _, _, err := parseLogFormat(cfg["syslog-format"], ""); err != nil {
+		return err
+	}
+	return nil
+}
+
+func parseFacility(facility string) (syslog.Priority, error) {
+	if facility == "" {
+		return syslog.LOG_DAEMON, nil
+	}
+
+	if syslogFacility, valid := facilities[facility]; valid {
+		return syslogFacility, nil
+	}
+
+	fInt, err := strconv.Atoi(facility)
+	if err == nil && 0 <= fInt && fInt <= 23 {
+		return syslog.Priority(fInt << 3), nil
+	}
+
+	return syslog.Priority(0), errors.New("invalid syslog facility")
+}
+
+func parseTLSConfig(cfg map[string]string) (*tls.Config, error) {
+	_, skipVerify := cfg["syslog-tls-skip-verify"]
+
+	opts := tlsconfig.Options{
+		CAFile:             cfg["syslog-tls-ca-cert"],
+		CertFile:           cfg["syslog-tls-cert"],
+		KeyFile:            cfg["syslog-tls-key"],
+		InsecureSkipVerify: skipVerify,
+	}
+
+	return tlsconfig.Client(opts)
+}
+
+func parseLogFormat(logFormat, proto string) (syslog.Formatter, syslog.Framer, error) {
+	switch logFormat {
+	case "":
+		return syslog.UnixFormatter, syslog.DefaultFramer, nil
+	case "rfc3164":
+		return syslog.RFC3164Formatter, syslog.DefaultFramer, nil
+	case "rfc5424":
+		if proto == secureProto {
+			return rfc5424formatterWithAppNameAsTag, syslog.RFC5425MessageLengthFramer, nil
+		}
+		return rfc5424formatterWithAppNameAsTag, syslog.DefaultFramer, nil
+	case "rfc5424micro":
+		if proto == secureProto {
+			return rfc5424microformatterWithAppNameAsTag, syslog.RFC5425MessageLengthFramer, nil
+		}
+		return rfc5424microformatterWithAppNameAsTag, syslog.DefaultFramer, nil
+	default:
+		return nil, nil, errors.New("Invalid syslog format")
+	}
+
+}
diff --git a/engine/daemon/logger/syslog/syslog_test.go b/engine/daemon/logger/syslog/syslog_test.go
new file mode 100644
index 00000000..4631788f
--- /dev/null
+++ b/engine/daemon/logger/syslog/syslog_test.go
@@ -0,0 +1,62 @@
+package syslog // import "github.com/docker/docker/daemon/logger/syslog"
+
+import (
+	"reflect"
+	"testing"
+
+	syslog "github.com/RackSec/srslog"
+)
+
+func functionMatches(expectedFun interface{}, actualFun interface{}) bool {
+	return reflect.ValueOf(expectedFun).Pointer() == reflect.ValueOf(actualFun).Pointer()
+}
+
+func TestParseLogFormat(t *testing.T) {
+	formatter, framer, err := parseLogFormat("rfc5424", "udp")
+	if err != nil || !functionMatches(rfc5424formatterWithAppNameAsTag, formatter) ||
+		!functionMatches(syslog.DefaultFramer, framer) {
+		t.Fatal("Failed to parse rfc5424 format", err, formatter, framer)
+	}
+
+	formatter, framer, err = parseLogFormat("rfc5424", "tcp+tls")
+	if err != nil || !functionMatches(rfc5424formatterWithAppNameAsTag, formatter) ||
+		!functionMatches(syslog.RFC5425MessageLengthFramer, framer) {
+		t.Fatal("Failed to parse rfc5424 format", err, formatter, framer)
+	}
+
+	formatter, framer, err = parseLogFormat("rfc5424micro", "udp")
+	if err != nil || !functionMatches(rfc5424microformatterWithAppNameAsTag, formatter) ||
+		!functionMatches(syslog.DefaultFramer, framer) {
+		t.Fatal("Failed to parse rfc5424 (microsecond) format", err, formatter, framer)
+	}
+
+	formatter, framer, err = parseLogFormat("rfc5424micro", "tcp+tls")
+	if err != nil || !functionMatches(rfc5424microformatterWithAppNameAsTag, formatter) ||
+		!functionMatches(syslog.RFC5425MessageLengthFramer, framer) {
+		t.Fatal("Failed to parse rfc5424 (microsecond) format", err, formatter, framer)
+	}
+
+	formatter, framer, err = parseLogFormat("rfc3164", "")
+	if err != nil || !functionMatches(syslog.RFC3164Formatter, formatter) ||
+		!functionMatches(syslog.DefaultFramer, framer) {
+		t.Fatal("Failed to parse rfc3164 format", err, formatter, framer)
+	}
+
+	formatter, framer, err = parseLogFormat("", "")
+	if err != nil || !functionMatches(syslog.UnixFormatter, formatter) ||
+		!functionMatches(syslog.DefaultFramer, framer) {
+		t.Fatal("Failed to parse empty format", err, formatter, framer)
+	}
+
+	formatter, framer, err = parseLogFormat("invalid", "")
+	if err == nil {
+		t.Fatal("Failed to parse invalid format", err, formatter, framer)
+	}
+}
+
+func TestValidateLogOptEmpty(t *testing.T) {
+	emptyConfig := make(map[string]string)
+	if err := ValidateLogOpt(emptyConfig); err != nil {
+		t.Fatal("Failed to parse empty config", err)
+	}
+}
diff --git a/engine/daemon/logger/templates/templates.go b/engine/daemon/logger/templates/templates.go
new file mode 100644
index 00000000..ab76d0f1
--- /dev/null
+++ b/engine/daemon/logger/templates/templates.go
@@ -0,0 +1,50 @@
+package templates // import "github.com/docker/docker/daemon/logger/templates"
+
+import (
+	"bytes"
+	"encoding/json"
+	"strings"
+	"text/template"
+)
+
+// basicFunctions are the set of initial
+// functions provided to every template.
+var basicFunctions = template.FuncMap{
+	"json": func(v interface{}) string {
+		buf := &bytes.Buffer{}
+		enc := json.NewEncoder(buf)
+		enc.SetEscapeHTML(false)
+		enc.Encode(v)
+		// Remove the trailing new line added by the encoder
+		return strings.TrimSpace(buf.String())
+	},
+	"split":    strings.Split,
+	"join":     strings.Join,
+	"title":    strings.Title,
+	"lower":    strings.ToLower,
+	"upper":    strings.ToUpper,
+	"pad":      padWithSpace,
+	"truncate": truncateWithLength,
+}
+
+// NewParse creates a new tagged template with the basic functions
+// and parses the given format.
+func NewParse(tag, format string) (*template.Template, error) {
+	return template.New(tag).Funcs(basicFunctions).Parse(format)
+}
+
+// padWithSpace adds whitespace to the input if the input is non-empty
+func padWithSpace(source string, prefix, suffix int) string {
+	if source == "" {
+		return source
+	}
+	return strings.Repeat(" ", prefix) + source + strings.Repeat(" ", suffix)
+}
+
+// truncateWithLength truncates the source string up to the length provided by the input
+func truncateWithLength(source string, length int) string {
+	if len(source) < length {
+		return source
+	}
+	return source[:length]
+}
diff --git a/engine/daemon/logger/templates/templates_test.go b/engine/daemon/logger/templates/templates_test.go
new file mode 100644
index 00000000..25e7c887
--- /dev/null
+++ b/engine/daemon/logger/templates/templates_test.go
@@ -0,0 +1,19 @@
+package templates // import "github.com/docker/docker/daemon/logger/templates"
+
+import (
+	"bytes"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestNewParse(t *testing.T) {
+	tm, err := NewParse("foo", "this is a {{ . }}")
+	assert.Check(t, err)
+
+	var b bytes.Buffer
+	assert.Check(t, tm.Execute(&b, "string"))
+	want := "this is a string"
+	assert.Check(t, is.Equal(want, b.String()))
+}
diff --git a/engine/daemon/logs.go b/engine/daemon/logs.go
new file mode 100644
index 00000000..37ca4caf
--- /dev/null
+++ b/engine/daemon/logs.go
@@ -0,0 +1,209 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"strconv"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	containertypes "github.com/docker/docker/api/types/container"
+	timetypes "github.com/docker/docker/api/types/time"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/logger"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// ContainerLogs copies the container's log channel to the channel provided in
+// the config. If ContainerLogs returns an error, no messages have been copied.
+// and the channel will be closed without data.
+//
+// if it returns nil, the config channel will be active and return log
+// messages until it runs out or the context is canceled.
+func (daemon *Daemon) ContainerLogs(ctx context.Context, containerName string, config *types.ContainerLogsOptions) (messages <-chan *backend.LogMessage, isTTY bool, retErr error) {
+	lg := logrus.WithFields(logrus.Fields{
+		"module":    "daemon",
+		"method":    "(*Daemon).ContainerLogs",
+		"container": containerName,
+	})
+
+	if !(config.ShowStdout || config.ShowStderr) {
+		return nil, false, errdefs.InvalidParameter(errors.New("You must choose at least one stream"))
+	}
+	container, err := daemon.GetContainer(containerName)
+	if err != nil {
+		return nil, false, err
+	}
+
+	if container.RemovalInProgress || container.Dead {
+		return nil, false, errdefs.Conflict(errors.New("can not get logs from container which is dead or marked for removal"))
+	}
+
+	if container.HostConfig.LogConfig.Type == "none" {
+		return nil, false, logger.ErrReadLogsNotSupported{}
+	}
+
+	cLog, cLogCreated, err := daemon.getLogger(container)
+	if err != nil {
+		return nil, false, err
+	}
+	if cLogCreated {
+		defer func() {
+			if retErr != nil {
+				if err = cLog.Close(); err != nil {
+					logrus.Errorf("Error closing logger: %v", err)
+				}
+			}
+		}()
+	}
+
+	logReader, ok := cLog.(logger.LogReader)
+	if !ok {
+		return nil, false, logger.ErrReadLogsNotSupported{}
+	}
+
+	follow := config.Follow && !cLogCreated
+	tailLines, err := strconv.Atoi(config.Tail)
+	if err != nil {
+		tailLines = -1
+	}
+
+	var since time.Time
+	if config.Since != "" {
+		s, n, err := timetypes.ParseTimestamps(config.Since, 0)
+		if err != nil {
+			return nil, false, err
+		}
+		since = time.Unix(s, n)
+	}
+
+	var until time.Time
+	if config.Until != "" && config.Until != "0" {
+		s, n, err := timetypes.ParseTimestamps(config.Until, 0)
+		if err != nil {
+			return nil, false, err
+		}
+		until = time.Unix(s, n)
+	}
+
+	readConfig := logger.ReadConfig{
+		Since:  since,
+		Until:  until,
+		Tail:   tailLines,
+		Follow: follow,
+	}
+
+	logs := logReader.ReadLogs(readConfig)
+
+	// past this point, we can't possibly return any errors, so we can just
+	// start a goroutine and return to tell the caller not to expect errors
+	// (if the caller wants to give up on logs, they have to cancel the context)
+	// this goroutine functions as a shim between the logger and the caller.
+	messageChan := make(chan *backend.LogMessage, 1)
+	go func() {
+		if cLogCreated {
+			defer func() {
+				if err = cLog.Close(); err != nil {
+					logrus.Errorf("Error closing logger: %v", err)
+				}
+			}()
+		}
+		// set up some defers
+		defer logs.Close()
+
+		// close the messages channel. closing is the only way to signal above
+		// that we're doing with logs (other than context cancel i guess).
+		defer close(messageChan)
+
+		lg.Debug("begin logs")
+		for {
+			select {
+			// i do not believe as the system is currently designed any error
+			// is possible, but we should be prepared to handle it anyway. if
+			// we do get an error, copy only the error field to a new object so
+			// we don't end up with partial data in the other fields
+			case err := <-logs.Err:
+				lg.Errorf("Error streaming logs: %v", err)
+				select {
+				case <-ctx.Done():
+				case messageChan <- &backend.LogMessage{Err: err}:
+				}
+				return
+			case <-ctx.Done():
+				lg.Debugf("logs: end stream, ctx is done: %v", ctx.Err())
+				return
+			case msg, ok := <-logs.Msg:
+				// there is some kind of pool or ring buffer in the logger that
+				// produces these messages, and a possible future optimization
+				// might be to use that pool and reuse message objects
+				if !ok {
+					lg.Debug("end logs")
+					return
+				}
+				m := msg.AsLogMessage() // just a pointer conversion, does not copy data
+
+				// there could be a case where the reader stops accepting
+				// messages and the context is canceled. we need to check that
+				// here, or otherwise we risk blocking forever on the message
+				// send.
+				select {
+				case <-ctx.Done():
+					return
+				case messageChan <- m:
+				}
+			}
+		}
+	}()
+	return messageChan, container.Config.Tty, nil
+}
+
+func (daemon *Daemon) getLogger(container *container.Container) (l logger.Logger, created bool, err error) {
+	container.Lock()
+	if container.State.Running {
+		l = container.LogDriver
+	}
+	container.Unlock()
+	if l == nil {
+		created = true
+		l, err = container.StartLogger()
+	}
+	return
+}
+
+// mergeLogConfig merges the daemon log config to the container's log config if the container's log driver is not specified.
+func (daemon *Daemon) mergeAndVerifyLogConfig(cfg *containertypes.LogConfig) error {
+	if cfg.Type == "" {
+		cfg.Type = daemon.defaultLogConfig.Type
+	}
+
+	if cfg.Config == nil {
+		cfg.Config = make(map[string]string)
+	}
+
+	if cfg.Type == daemon.defaultLogConfig.Type {
+		for k, v := range daemon.defaultLogConfig.Config {
+			if _, ok := cfg.Config[k]; !ok {
+				cfg.Config[k] = v
+			}
+		}
+	}
+
+	return logger.ValidateLogOpts(cfg.Type, cfg.Config)
+}
+
+func (daemon *Daemon) setupDefaultLogConfig() error {
+	config := daemon.configStore
+	if len(config.LogConfig.Config) > 0 {
+		if err := logger.ValidateLogOpts(config.LogConfig.Type, config.LogConfig.Config); err != nil {
+			return errors.Wrap(err, "failed to set log opts")
+		}
+	}
+	daemon.defaultLogConfig = containertypes.LogConfig{
+		Type:   config.LogConfig.Type,
+		Config: config.LogConfig.Config,
+	}
+	logrus.Debugf("Using default logging driver %s", daemon.defaultLogConfig.Type)
+	return nil
+}
diff --git a/engine/daemon/logs_test.go b/engine/daemon/logs_test.go
new file mode 100644
index 00000000..a32691a8
--- /dev/null
+++ b/engine/daemon/logs_test.go
@@ -0,0 +1,15 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"testing"
+
+	containertypes "github.com/docker/docker/api/types/container"
+)
+
+func TestMergeAndVerifyLogConfigNilConfig(t *testing.T) {
+	d := &Daemon{defaultLogConfig: containertypes.LogConfig{Type: "json-file", Config: map[string]string{"max-file": "1"}}}
+	cfg := containertypes.LogConfig{Type: d.defaultLogConfig.Type}
+	if err := d.mergeAndVerifyLogConfig(&cfg); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/daemon/metrics.go b/engine/daemon/metrics.go
new file mode 100644
index 00000000..f6961a35
--- /dev/null
+++ b/engine/daemon/metrics.go
@@ -0,0 +1,192 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"sync"
+
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/go-metrics"
+	"github.com/pkg/errors"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/sirupsen/logrus"
+)
+
+const metricsPluginType = "MetricsCollector"
+
+var (
+	containerActions          metrics.LabeledTimer
+	networkActions            metrics.LabeledTimer
+	engineInfo                metrics.LabeledGauge
+	engineCpus                metrics.Gauge
+	engineMemory              metrics.Gauge
+	healthChecksCounter       metrics.Counter
+	healthChecksFailedCounter metrics.Counter
+
+	stateCtr *stateCounter
+)
+
+func init() {
+	ns := metrics.NewNamespace("engine", "daemon", nil)
+	containerActions = ns.NewLabeledTimer("container_actions", "The number of seconds it takes to process each container action", "action")
+	for _, a := range []string{
+		"start",
+		"changes",
+		"commit",
+		"create",
+		"delete",
+	} {
+		containerActions.WithValues(a).Update(0)
+	}
+
+	networkActions = ns.NewLabeledTimer("network_actions", "The number of seconds it takes to process each network action", "action")
+	engineInfo = ns.NewLabeledGauge("engine", "The information related to the engine and the OS it is running on", metrics.Unit("info"),
+		"version",
+		"commit",
+		"architecture",
+		"graphdriver",
+		"kernel", "os",
+		"os_type",
+		"daemon_id", // ID is a randomly generated unique identifier (e.g. UUID4)
+	)
+	engineCpus = ns.NewGauge("engine_cpus", "The number of cpus that the host system of the engine has", metrics.Unit("cpus"))
+	engineMemory = ns.NewGauge("engine_memory", "The number of bytes of memory that the host system of the engine has", metrics.Bytes)
+	healthChecksCounter = ns.NewCounter("health_checks", "The total number of health checks")
+	healthChecksFailedCounter = ns.NewCounter("health_checks_failed", "The total number of failed health checks")
+
+	stateCtr = newStateCounter(ns.NewDesc("container_states", "The count of containers in various states", metrics.Unit("containers"), "state"))
+	ns.Add(stateCtr)
+
+	metrics.Register(ns)
+}
+
+type stateCounter struct {
+	mu     sync.Mutex
+	states map[string]string
+	desc   *prometheus.Desc
+}
+
+func newStateCounter(desc *prometheus.Desc) *stateCounter {
+	return &stateCounter{
+		states: make(map[string]string),
+		desc:   desc,
+	}
+}
+
+func (ctr *stateCounter) get() (running int, paused int, stopped int) {
+	ctr.mu.Lock()
+	defer ctr.mu.Unlock()
+
+	states := map[string]int{
+		"running": 0,
+		"paused":  0,
+		"stopped": 0,
+	}
+	for _, state := range ctr.states {
+		states[state]++
+	}
+	return states["running"], states["paused"], states["stopped"]
+}
+
+func (ctr *stateCounter) set(id, label string) {
+	ctr.mu.Lock()
+	ctr.states[id] = label
+	ctr.mu.Unlock()
+}
+
+func (ctr *stateCounter) del(id string) {
+	ctr.mu.Lock()
+	delete(ctr.states, id)
+	ctr.mu.Unlock()
+}
+
+func (ctr *stateCounter) Describe(ch chan<- *prometheus.Desc) {
+	ch <- ctr.desc
+}
+
+func (ctr *stateCounter) Collect(ch chan<- prometheus.Metric) {
+	running, paused, stopped := ctr.get()
+	ch <- prometheus.MustNewConstMetric(ctr.desc, prometheus.GaugeValue, float64(running), "running")
+	ch <- prometheus.MustNewConstMetric(ctr.desc, prometheus.GaugeValue, float64(paused), "paused")
+	ch <- prometheus.MustNewConstMetric(ctr.desc, prometheus.GaugeValue, float64(stopped), "stopped")
+}
+
+func (d *Daemon) cleanupMetricsPlugins() {
+	ls := d.PluginStore.GetAllManagedPluginsByCap(metricsPluginType)
+	var wg sync.WaitGroup
+	wg.Add(len(ls))
+
+	for _, plugin := range ls {
+		p := plugin
+		go func() {
+			defer wg.Done()
+
+			adapter, err := makePluginAdapter(p)
+			if err != nil {
+				logrus.WithError(err).WithField("plugin", p.Name()).Error("Error creating metrics plugin adapater")
+				return
+			}
+			if err := adapter.StopMetrics(); err != nil {
+				logrus.WithError(err).WithField("plugin", p.Name()).Error("Error stopping plugin metrics collection")
+			}
+		}()
+	}
+	wg.Wait()
+
+	if d.metricsPluginListener != nil {
+		d.metricsPluginListener.Close()
+	}
+}
+
+type metricsPlugin interface {
+	StartMetrics() error
+	StopMetrics() error
+}
+
+func makePluginAdapter(p plugingetter.CompatPlugin) (metricsPlugin, error) { // nolint: interfacer
+	if pc, ok := p.(plugingetter.PluginWithV1Client); ok {
+		return &metricsPluginAdapter{pc.Client(), p.Name()}, nil
+	}
+
+	pa, ok := p.(plugingetter.PluginAddr)
+	if !ok {
+		return nil, errdefs.System(errors.Errorf("got unknown plugin type %T", p))
+	}
+
+	if pa.Protocol() != plugins.ProtocolSchemeHTTPV1 {
+		return nil, errors.Errorf("plugin protocol not supported: %s", pa.Protocol())
+	}
+
+	addr := pa.Addr()
+	client, err := plugins.NewClientWithTimeout(addr.Network()+"://"+addr.String(), nil, pa.Timeout())
+	if err != nil {
+		return nil, errors.Wrap(err, "error creating metrics plugin client")
+	}
+	return &metricsPluginAdapter{client, p.Name()}, nil
+}
+
+type metricsPluginAdapter struct {
+	c    *plugins.Client
+	name string
+}
+
+func (a *metricsPluginAdapter) StartMetrics() error {
+	type metricsPluginResponse struct {
+		Err string
+	}
+	var res metricsPluginResponse
+	if err := a.c.Call(metricsPluginType+".StartMetrics", nil, &res); err != nil {
+		return errors.Wrap(err, "could not start metrics plugin")
+	}
+	if res.Err != "" {
+		return errors.New(res.Err)
+	}
+	return nil
+}
+
+func (a *metricsPluginAdapter) StopMetrics() error {
+	if err := a.c.Call(metricsPluginType+".StopMetrics", nil, nil); err != nil {
+		return errors.Wrap(err, "error stopping metrics collector")
+	}
+	return nil
+}
diff --git a/engine/daemon/metrics_unix.go b/engine/daemon/metrics_unix.go
new file mode 100644
index 00000000..452424e6
--- /dev/null
+++ b/engine/daemon/metrics_unix.go
@@ -0,0 +1,60 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"net"
+	"net/http"
+	"path/filepath"
+
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/docker/plugin"
+	"github.com/docker/go-metrics"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func (daemon *Daemon) listenMetricsSock() (string, error) {
+	path := filepath.Join(daemon.configStore.ExecRoot, "metrics.sock")
+	unix.Unlink(path)
+	l, err := net.Listen("unix", path)
+	if err != nil {
+		return "", errors.Wrap(err, "error setting up metrics plugin listener")
+	}
+
+	mux := http.NewServeMux()
+	mux.Handle("/metrics", metrics.Handler())
+	go func() {
+		http.Serve(l, mux)
+	}()
+	daemon.metricsPluginListener = l
+	return path, nil
+}
+
+func registerMetricsPluginCallback(store *plugin.Store, sockPath string) {
+	store.RegisterRuntimeOpt(metricsPluginType, func(s *specs.Spec) {
+		f := plugin.WithSpecMounts([]specs.Mount{
+			{Type: "bind", Source: sockPath, Destination: "/run/docker/metrics.sock", Options: []string{"bind", "ro"}},
+		})
+		f(s)
+	})
+	store.Handle(metricsPluginType, func(name string, client *plugins.Client) {
+		// Use lookup since nothing in the system can really reference it, no need
+		// to protect against removal
+		p, err := store.Get(name, metricsPluginType, plugingetter.Lookup)
+		if err != nil {
+			return
+		}
+
+		adapter, err := makePluginAdapter(p)
+		if err != nil {
+			logrus.WithError(err).WithField("plugin", p.Name()).Error("Error creating plugin adapater")
+		}
+		if err := adapter.StartMetrics(); err != nil {
+			logrus.WithError(err).WithField("plugin", p.Name()).Error("Error starting metrics collector plugin")
+		}
+	})
+}
diff --git a/engine/daemon/metrics_unsupported.go b/engine/daemon/metrics_unsupported.go
new file mode 100644
index 00000000..653c77fc
--- /dev/null
+++ b/engine/daemon/metrics_unsupported.go
@@ -0,0 +1,12 @@
+// +build windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import "github.com/docker/docker/pkg/plugingetter"
+
+func registerMetricsPluginCallback(getter plugingetter.PluginGetter, sockPath string) {
+}
+
+func (daemon *Daemon) listenMetricsSock() (string, error) {
+	return "", nil
+}
diff --git a/engine/daemon/monitor.go b/engine/daemon/monitor.go
new file mode 100644
index 00000000..5e740dd4
--- /dev/null
+++ b/engine/daemon/monitor.go
@@ -0,0 +1,212 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"runtime"
+	"strconv"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/libcontainerd"
+	"github.com/docker/docker/restartmanager"
+	"github.com/sirupsen/logrus"
+)
+
+func (daemon *Daemon) setStateCounter(c *container.Container) {
+	switch c.StateString() {
+	case "paused":
+		stateCtr.set(c.ID, "paused")
+	case "running":
+		stateCtr.set(c.ID, "running")
+	default:
+		stateCtr.set(c.ID, "stopped")
+	}
+}
+
+// ProcessEvent is called by libcontainerd whenever an event occurs
+func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libcontainerd.EventInfo) error {
+	c, err := daemon.GetContainer(id)
+	if c == nil || err != nil {
+		return fmt.Errorf("no such container: %s", id)
+	}
+
+	switch e {
+	case libcontainerd.EventOOM:
+		// StateOOM is Linux specific and should never be hit on Windows
+		if runtime.GOOS == "windows" {
+			return errors.New("received StateOOM from libcontainerd on Windows. This should never happen")
+		}
+
+		c.Lock()
+		defer c.Unlock()
+		daemon.updateHealthMonitor(c)
+		if err := c.CheckpointTo(daemon.containersReplica); err != nil {
+			return err
+		}
+
+		daemon.LogContainerEvent(c, "oom")
+	case libcontainerd.EventExit:
+		if int(ei.Pid) == c.Pid {
+			c.Lock()
+			_, _, err := daemon.containerd.DeleteTask(context.Background(), c.ID)
+			if err != nil {
+				logrus.WithError(err).Warnf("failed to delete container %s from containerd", c.ID)
+			}
+
+			c.StreamConfig.Wait()
+			c.Reset(false)
+
+			exitStatus := container.ExitStatus{
+				ExitCode:  int(ei.ExitCode),
+				ExitedAt:  ei.ExitedAt,
+				OOMKilled: ei.OOMKilled,
+			}
+			restart, wait, err := c.RestartManager().ShouldRestart(ei.ExitCode, daemon.IsShuttingDown() || c.HasBeenManuallyStopped, time.Since(c.StartedAt))
+			if err == nil && restart {
+				c.RestartCount++
+				c.SetRestarting(&exitStatus)
+			} else {
+				if ei.Error != nil {
+					c.SetError(ei.Error)
+				}
+				c.SetStopped(&exitStatus)
+				defer daemon.autoRemove(c)
+			}
+			defer c.Unlock() // needs to be called before autoRemove
+
+			// cancel healthcheck here, they will be automatically
+			// restarted if/when the container is started again
+			daemon.stopHealthchecks(c)
+			attributes := map[string]string{
+				"exitCode": strconv.Itoa(int(ei.ExitCode)),
+			}
+			daemon.LogContainerEventWithAttributes(c, "die", attributes)
+			daemon.Cleanup(c)
+
+			if err == nil && restart {
+				go func() {
+					err := <-wait
+					if err == nil {
+						// daemon.netController is initialized when daemon is restoring containers.
+						// But containerStart will use daemon.netController segment.
+						// So to avoid panic at startup process, here must wait util daemon restore done.
+						daemon.waitForStartupDone()
+						if err = daemon.containerStart(c, "", "", false); err != nil {
+							logrus.Debugf("failed to restart container: %+v", err)
+						}
+					}
+					if err != nil {
+						c.Lock()
+						c.SetStopped(&exitStatus)
+						c.Unlock()
+						defer daemon.autoRemove(c)
+						if err != restartmanager.ErrRestartCanceled {
+							logrus.Errorf("restartmanger wait error: %+v", err)
+						}
+					}
+				}()
+			}
+
+			daemon.setStateCounter(c)
+			return c.CheckpointTo(daemon.containersReplica)
+		}
+
+		if execConfig := c.ExecCommands.Get(ei.ProcessID); execConfig != nil {
+			ec := int(ei.ExitCode)
+			execConfig.Lock()
+			defer execConfig.Unlock()
+			execConfig.ExitCode = &ec
+			execConfig.Running = false
+			execConfig.StreamConfig.Wait()
+			if err := execConfig.CloseStreams(); err != nil {
+				logrus.Errorf("failed to cleanup exec %s streams: %s", c.ID, err)
+			}
+
+			// remove the exec command from the container's store only and not the
+			// daemon's store so that the exec command can be inspected.
+			c.ExecCommands.Delete(execConfig.ID, execConfig.Pid)
+			attributes := map[string]string{
+				"execID":   execConfig.ID,
+				"exitCode": strconv.Itoa(ec),
+			}
+			daemon.LogContainerEventWithAttributes(c, "exec_die", attributes)
+		} else {
+			logrus.WithFields(logrus.Fields{
+				"container": c.ID,
+				"exec-id":   ei.ProcessID,
+				"exec-pid":  ei.Pid,
+			}).Warnf("Ignoring Exit Event, no such exec command found")
+		}
+	case libcontainerd.EventStart:
+		c.Lock()
+		defer c.Unlock()
+
+		// This is here to handle start not generated by docker
+		if !c.Running {
+			c.SetRunning(int(ei.Pid), false)
+			c.HasBeenManuallyStopped = false
+			c.HasBeenStartedBefore = true
+			daemon.setStateCounter(c)
+
+			daemon.initHealthMonitor(c)
+
+			if err := c.CheckpointTo(daemon.containersReplica); err != nil {
+				return err
+			}
+			daemon.LogContainerEvent(c, "start")
+		}
+
+	case libcontainerd.EventPaused:
+		c.Lock()
+		defer c.Unlock()
+
+		if !c.Paused {
+			c.Paused = true
+			daemon.setStateCounter(c)
+			daemon.updateHealthMonitor(c)
+			if err := c.CheckpointTo(daemon.containersReplica); err != nil {
+				return err
+			}
+			daemon.LogContainerEvent(c, "pause")
+		}
+	case libcontainerd.EventResumed:
+		c.Lock()
+		defer c.Unlock()
+
+		if c.Paused {
+			c.Paused = false
+			daemon.setStateCounter(c)
+			daemon.updateHealthMonitor(c)
+
+			if err := c.CheckpointTo(daemon.containersReplica); err != nil {
+				return err
+			}
+			daemon.LogContainerEvent(c, "unpause")
+		}
+	}
+	return nil
+}
+
+func (daemon *Daemon) autoRemove(c *container.Container) {
+	c.Lock()
+	ar := c.HostConfig.AutoRemove
+	c.Unlock()
+	if !ar {
+		return
+	}
+
+	var err error
+	if err = daemon.ContainerRm(c.ID, &types.ContainerRmConfig{ForceRemove: true, RemoveVolume: true}); err == nil {
+		return
+	}
+	if c := daemon.containers.Get(c.ID); c == nil {
+		return
+	}
+
+	if err != nil {
+		logrus.WithError(err).WithField("container", c.ID).Error("error removing container")
+	}
+}
diff --git a/engine/daemon/mounts.go b/engine/daemon/mounts.go
new file mode 100644
index 00000000..383a38e7
--- /dev/null
+++ b/engine/daemon/mounts.go
@@ -0,0 +1,55 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/container"
+	volumesservice "github.com/docker/docker/volume/service"
+)
+
+func (daemon *Daemon) prepareMountPoints(container *container.Container) error {
+	for _, config := range container.MountPoints {
+		if err := daemon.lazyInitializeVolume(container.ID, config); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (daemon *Daemon) removeMountPoints(container *container.Container, rm bool) error {
+	var rmErrors []string
+	ctx := context.TODO()
+	for _, m := range container.MountPoints {
+		if m.Type != mounttypes.TypeVolume || m.Volume == nil {
+			continue
+		}
+		daemon.volumes.Release(ctx, m.Volume.Name(), container.ID)
+		if !rm {
+			continue
+		}
+
+		// Do not remove named mountpoints
+		// these are mountpoints specified like `docker run -v <name>:/foo`
+		if m.Spec.Source != "" {
+			continue
+		}
+
+		err := daemon.volumes.Remove(ctx, m.Volume.Name())
+		// Ignore volume in use errors because having this
+		// volume being referenced by other container is
+		// not an error, but an implementation detail.
+		// This prevents docker from logging "ERROR: Volume in use"
+		// where there is another container using the volume.
+		if err != nil && !volumesservice.IsInUse(err) {
+			rmErrors = append(rmErrors, err.Error())
+		}
+	}
+
+	if len(rmErrors) > 0 {
+		return fmt.Errorf("Error removing volumes:\n%v", strings.Join(rmErrors, "\n"))
+	}
+	return nil
+}
diff --git a/engine/daemon/names.go b/engine/daemon/names.go
new file mode 100644
index 00000000..6c319497
--- /dev/null
+++ b/engine/daemon/names.go
@@ -0,0 +1,113 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/names"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/namesgenerator"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	validContainerNameChars   = names.RestrictedNameChars
+	validContainerNamePattern = names.RestrictedNamePattern
+)
+
+func (daemon *Daemon) registerName(container *container.Container) error {
+	if daemon.Exists(container.ID) {
+		return fmt.Errorf("Container is already loaded")
+	}
+	if err := validateID(container.ID); err != nil {
+		return err
+	}
+	if container.Name == "" {
+		name, err := daemon.generateNewName(container.ID)
+		if err != nil {
+			return err
+		}
+		container.Name = name
+	}
+	return daemon.containersReplica.ReserveName(container.Name, container.ID)
+}
+
+func (daemon *Daemon) generateIDAndName(name string) (string, string, error) {
+	var (
+		err error
+		id  = stringid.GenerateNonCryptoID()
+	)
+
+	if name == "" {
+		if name, err = daemon.generateNewName(id); err != nil {
+			return "", "", err
+		}
+		return id, name, nil
+	}
+
+	if name, err = daemon.reserveName(id, name); err != nil {
+		return "", "", err
+	}
+
+	return id, name, nil
+}
+
+func (daemon *Daemon) reserveName(id, name string) (string, error) {
+	if !validContainerNamePattern.MatchString(strings.TrimPrefix(name, "/")) {
+		return "", errdefs.InvalidParameter(errors.Errorf("Invalid container name (%s), only %s are allowed", name, validContainerNameChars))
+	}
+	if name[0] != '/' {
+		name = "/" + name
+	}
+
+	if err := daemon.containersReplica.ReserveName(name, id); err != nil {
+		if err == container.ErrNameReserved {
+			id, err := daemon.containersReplica.Snapshot().GetID(name)
+			if err != nil {
+				logrus.Errorf("got unexpected error while looking up reserved name: %v", err)
+				return "", err
+			}
+			return "", nameConflictError{id: id, name: name}
+		}
+		return "", errors.Wrapf(err, "error reserving name: %q", name)
+	}
+	return name, nil
+}
+
+func (daemon *Daemon) releaseName(name string) {
+	daemon.containersReplica.ReleaseName(name)
+}
+
+func (daemon *Daemon) generateNewName(id string) (string, error) {
+	var name string
+	for i := 0; i < 6; i++ {
+		name = namesgenerator.GetRandomName(i)
+		if name[0] != '/' {
+			name = "/" + name
+		}
+
+		if err := daemon.containersReplica.ReserveName(name, id); err != nil {
+			if err == container.ErrNameReserved {
+				continue
+			}
+			return "", err
+		}
+		return name, nil
+	}
+
+	name = "/" + stringid.TruncateID(id)
+	if err := daemon.containersReplica.ReserveName(name, id); err != nil {
+		return "", err
+	}
+	return name, nil
+}
+
+func validateID(id string) error {
+	if id == "" {
+		return fmt.Errorf("Invalid empty id")
+	}
+	return nil
+}
diff --git a/engine/daemon/names/names.go b/engine/daemon/names/names.go
new file mode 100644
index 00000000..22bba53d
--- /dev/null
+++ b/engine/daemon/names/names.go
@@ -0,0 +1,9 @@
+package names // import "github.com/docker/docker/daemon/names"
+
+import "regexp"
+
+// RestrictedNameChars collects the characters allowed to represent a name, normally used to validate container and volume names.
+const RestrictedNameChars = `[a-zA-Z0-9][a-zA-Z0-9_.-]`
+
+// RestrictedNamePattern is a regular expression to validate names against the collection of restricted characters.
+var RestrictedNamePattern = regexp.MustCompile(`^` + RestrictedNameChars + `+$`)
diff --git a/engine/daemon/network.go b/engine/daemon/network.go
new file mode 100644
index 00000000..56d10678
--- /dev/null
+++ b/engine/daemon/network.go
@@ -0,0 +1,884 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/container"
+	clustertypes "github.com/docker/docker/daemon/cluster/provider"
+	internalnetwork "github.com/docker/docker/daemon/network"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/runconfig"
+	"github.com/docker/go-connections/nat"
+	"github.com/docker/libnetwork"
+	lncluster "github.com/docker/libnetwork/cluster"
+	"github.com/docker/libnetwork/driverapi"
+	"github.com/docker/libnetwork/ipamapi"
+	"github.com/docker/libnetwork/netlabel"
+	"github.com/docker/libnetwork/options"
+	networktypes "github.com/docker/libnetwork/types"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// PredefinedNetworkError is returned when user tries to create predefined network that already exists.
+type PredefinedNetworkError string
+
+func (pnr PredefinedNetworkError) Error() string {
+	return fmt.Sprintf("operation is not permitted on predefined %s network ", string(pnr))
+}
+
+// Forbidden denotes the type of this error
+func (pnr PredefinedNetworkError) Forbidden() {}
+
+// NetworkControllerEnabled checks if the networking stack is enabled.
+// This feature depends on OS primitives and it's disabled in systems like Windows.
+func (daemon *Daemon) NetworkControllerEnabled() bool {
+	return daemon.netController != nil
+}
+
+// FindNetwork returns a network based on:
+// 1. Full ID
+// 2. Full Name
+// 3. Partial ID
+// as long as there is no ambiguity
+func (daemon *Daemon) FindNetwork(term string) (libnetwork.Network, error) {
+	listByFullName := []libnetwork.Network{}
+	listByPartialID := []libnetwork.Network{}
+	for _, nw := range daemon.getAllNetworks() {
+		if nw.ID() == term {
+			return nw, nil
+		}
+		if nw.Name() == term {
+			listByFullName = append(listByFullName, nw)
+		}
+		if strings.HasPrefix(nw.ID(), term) {
+			listByPartialID = append(listByPartialID, nw)
+		}
+	}
+	switch {
+	case len(listByFullName) == 1:
+		return listByFullName[0], nil
+	case len(listByFullName) > 1:
+		return nil, errdefs.InvalidParameter(errors.Errorf("network %s is ambiguous (%d matches found on name)", term, len(listByFullName)))
+	case len(listByPartialID) == 1:
+		return listByPartialID[0], nil
+	case len(listByPartialID) > 1:
+		return nil, errdefs.InvalidParameter(errors.Errorf("network %s is ambiguous (%d matches found based on ID prefix)", term, len(listByPartialID)))
+	}
+
+	// Be very careful to change the error type here, the
+	// libnetwork.ErrNoSuchNetwork error is used by the controller
+	// to retry the creation of the network as managed through the swarm manager
+	return nil, errdefs.NotFound(libnetwork.ErrNoSuchNetwork(term))
+}
+
+// GetNetworkByID function returns a network whose ID matches the given ID.
+// It fails with an error if no matching network is found.
+func (daemon *Daemon) GetNetworkByID(id string) (libnetwork.Network, error) {
+	c := daemon.netController
+	if c == nil {
+		return nil, libnetwork.ErrNoSuchNetwork(id)
+	}
+	return c.NetworkByID(id)
+}
+
+// GetNetworkByName function returns a network for a given network name.
+// If no network name is given, the default network is returned.
+func (daemon *Daemon) GetNetworkByName(name string) (libnetwork.Network, error) {
+	c := daemon.netController
+	if c == nil {
+		return nil, libnetwork.ErrNoSuchNetwork(name)
+	}
+	if name == "" {
+		name = c.Config().Daemon.DefaultNetwork
+	}
+	return c.NetworkByName(name)
+}
+
+// GetNetworksByIDPrefix returns a list of networks whose ID partially matches zero or more networks
+func (daemon *Daemon) GetNetworksByIDPrefix(partialID string) []libnetwork.Network {
+	c := daemon.netController
+	if c == nil {
+		return nil
+	}
+	list := []libnetwork.Network{}
+	l := func(nw libnetwork.Network) bool {
+		if strings.HasPrefix(nw.ID(), partialID) {
+			list = append(list, nw)
+		}
+		return false
+	}
+	c.WalkNetworks(l)
+
+	return list
+}
+
+// getAllNetworks returns a list containing all networks
+func (daemon *Daemon) getAllNetworks() []libnetwork.Network {
+	c := daemon.netController
+	if c == nil {
+		return nil
+	}
+	return c.Networks()
+}
+
+type ingressJob struct {
+	create  *clustertypes.NetworkCreateRequest
+	ip      net.IP
+	jobDone chan struct{}
+}
+
+var (
+	ingressWorkerOnce  sync.Once
+	ingressJobsChannel chan *ingressJob
+	ingressID          string
+)
+
+func (daemon *Daemon) startIngressWorker() {
+	ingressJobsChannel = make(chan *ingressJob, 100)
+	go func() {
+		// nolint: gosimple
+		for {
+			select {
+			case r := <-ingressJobsChannel:
+				if r.create != nil {
+					daemon.setupIngress(r.create, r.ip, ingressID)
+					ingressID = r.create.ID
+				} else {
+					daemon.releaseIngress(ingressID)
+					ingressID = ""
+				}
+				close(r.jobDone)
+			}
+		}
+	}()
+}
+
+// enqueueIngressJob adds a ingress add/rm request to the worker queue.
+// It guarantees the worker is started.
+func (daemon *Daemon) enqueueIngressJob(job *ingressJob) {
+	ingressWorkerOnce.Do(daemon.startIngressWorker)
+	ingressJobsChannel <- job
+}
+
+// SetupIngress setups ingress networking.
+// The function returns a channel which will signal the caller when the programming is completed.
+func (daemon *Daemon) SetupIngress(create clustertypes.NetworkCreateRequest, nodeIP string) (<-chan struct{}, error) {
+	ip, _, err := net.ParseCIDR(nodeIP)
+	if err != nil {
+		return nil, err
+	}
+	done := make(chan struct{})
+	daemon.enqueueIngressJob(&ingressJob{&create, ip, done})
+	return done, nil
+}
+
+// ReleaseIngress releases the ingress networking.
+// The function returns a channel which will signal the caller when the programming is completed.
+func (daemon *Daemon) ReleaseIngress() (<-chan struct{}, error) {
+	done := make(chan struct{})
+	daemon.enqueueIngressJob(&ingressJob{nil, nil, done})
+	return done, nil
+}
+
+func (daemon *Daemon) setupIngress(create *clustertypes.NetworkCreateRequest, ip net.IP, staleID string) {
+	controller := daemon.netController
+	controller.AgentInitWait()
+
+	if staleID != "" && staleID != create.ID {
+		daemon.releaseIngress(staleID)
+	}
+
+	if _, err := daemon.createNetwork(create.NetworkCreateRequest, create.ID, true); err != nil {
+		// If it is any other error other than already
+		// exists error log error and return.
+		if _, ok := err.(libnetwork.NetworkNameError); !ok {
+			logrus.Errorf("Failed creating ingress network: %v", err)
+			return
+		}
+		// Otherwise continue down the call to create or recreate sandbox.
+	}
+
+	_, err := daemon.GetNetworkByID(create.ID)
+	if err != nil {
+		logrus.Errorf("Failed getting ingress network by id after creating: %v", err)
+	}
+}
+
+func (daemon *Daemon) releaseIngress(id string) {
+	controller := daemon.netController
+
+	if id == "" {
+		return
+	}
+
+	n, err := controller.NetworkByID(id)
+	if err != nil {
+		logrus.Errorf("failed to retrieve ingress network %s: %v", id, err)
+		return
+	}
+
+	if err := n.Delete(libnetwork.NetworkDeleteOptionRemoveLB); err != nil {
+		logrus.Errorf("Failed to delete ingress network %s: %v", n.ID(), err)
+		return
+	}
+}
+
+// SetNetworkBootstrapKeys sets the bootstrap keys.
+func (daemon *Daemon) SetNetworkBootstrapKeys(keys []*networktypes.EncryptionKey) error {
+	err := daemon.netController.SetKeys(keys)
+	if err == nil {
+		// Upon successful key setting dispatch the keys available event
+		daemon.cluster.SendClusterEvent(lncluster.EventNetworkKeysAvailable)
+	}
+	return err
+}
+
+// UpdateAttachment notifies the attacher about the attachment config.
+func (daemon *Daemon) UpdateAttachment(networkName, networkID, containerID string, config *network.NetworkingConfig) error {
+	if daemon.clusterProvider == nil {
+		return fmt.Errorf("cluster provider is not initialized")
+	}
+
+	if err := daemon.clusterProvider.UpdateAttachment(networkName, containerID, config); err != nil {
+		return daemon.clusterProvider.UpdateAttachment(networkID, containerID, config)
+	}
+
+	return nil
+}
+
+// WaitForDetachment makes the cluster manager wait for detachment of
+// the container from the network.
+func (daemon *Daemon) WaitForDetachment(ctx context.Context, networkName, networkID, taskID, containerID string) error {
+	if daemon.clusterProvider == nil {
+		return fmt.Errorf("cluster provider is not initialized")
+	}
+
+	return daemon.clusterProvider.WaitForDetachment(ctx, networkName, networkID, taskID, containerID)
+}
+
+// CreateManagedNetwork creates an agent network.
+func (daemon *Daemon) CreateManagedNetwork(create clustertypes.NetworkCreateRequest) error {
+	_, err := daemon.createNetwork(create.NetworkCreateRequest, create.ID, true)
+	return err
+}
+
+// CreateNetwork creates a network with the given name, driver and other optional parameters
+func (daemon *Daemon) CreateNetwork(create types.NetworkCreateRequest) (*types.NetworkCreateResponse, error) {
+	resp, err := daemon.createNetwork(create, "", false)
+	if err != nil {
+		return nil, err
+	}
+	return resp, err
+}
+
+func (daemon *Daemon) createNetwork(create types.NetworkCreateRequest, id string, agent bool) (*types.NetworkCreateResponse, error) {
+	if runconfig.IsPreDefinedNetwork(create.Name) {
+		return nil, PredefinedNetworkError(create.Name)
+	}
+
+	var warning string
+	nw, err := daemon.GetNetworkByName(create.Name)
+	if err != nil {
+		if _, ok := err.(libnetwork.ErrNoSuchNetwork); !ok {
+			return nil, err
+		}
+	}
+	if nw != nil {
+		// check if user defined CheckDuplicate, if set true, return err
+		// otherwise prepare a warning message
+		if create.CheckDuplicate {
+			if !agent || nw.Info().Dynamic() {
+				return nil, libnetwork.NetworkNameError(create.Name)
+			}
+		}
+		warning = fmt.Sprintf("Network with name %s (id : %s) already exists", nw.Name(), nw.ID())
+	}
+
+	c := daemon.netController
+	driver := create.Driver
+	if driver == "" {
+		driver = c.Config().Daemon.DefaultDriver
+	}
+
+	nwOptions := []libnetwork.NetworkOption{
+		libnetwork.NetworkOptionEnableIPv6(create.EnableIPv6),
+		libnetwork.NetworkOptionDriverOpts(create.Options),
+		libnetwork.NetworkOptionLabels(create.Labels),
+		libnetwork.NetworkOptionAttachable(create.Attachable),
+		libnetwork.NetworkOptionIngress(create.Ingress),
+		libnetwork.NetworkOptionScope(create.Scope),
+	}
+
+	if create.ConfigOnly {
+		nwOptions = append(nwOptions, libnetwork.NetworkOptionConfigOnly())
+	}
+
+	if create.IPAM != nil {
+		ipam := create.IPAM
+		v4Conf, v6Conf, err := getIpamConfig(ipam.Config)
+		if err != nil {
+			return nil, err
+		}
+		nwOptions = append(nwOptions, libnetwork.NetworkOptionIpam(ipam.Driver, "", v4Conf, v6Conf, ipam.Options))
+	}
+
+	if create.Internal {
+		nwOptions = append(nwOptions, libnetwork.NetworkOptionInternalNetwork())
+	}
+	if agent {
+		nwOptions = append(nwOptions, libnetwork.NetworkOptionDynamic())
+		nwOptions = append(nwOptions, libnetwork.NetworkOptionPersist(false))
+	}
+
+	if create.ConfigFrom != nil {
+		nwOptions = append(nwOptions, libnetwork.NetworkOptionConfigFrom(create.ConfigFrom.Network))
+	}
+
+	if agent && driver == "overlay" {
+		nodeIP, exists := daemon.GetAttachmentStore().GetIPForNetwork(id)
+		if !exists {
+			return nil, fmt.Errorf("Failed to find a load balancer IP to use for network: %v", id)
+		}
+
+		nwOptions = append(nwOptions, libnetwork.NetworkOptionLBEndpoint(nodeIP))
+	}
+
+	n, err := c.NewNetwork(driver, create.Name, id, nwOptions...)
+	if err != nil {
+		if _, ok := err.(libnetwork.ErrDataStoreNotInitialized); ok {
+			// nolint: golint
+			return nil, errors.New("This node is not a swarm manager. Use \"docker swarm init\" or \"docker swarm join\" to connect this node to swarm and try again.")
+		}
+		return nil, err
+	}
+
+	daemon.pluginRefCount(driver, driverapi.NetworkPluginEndpointType, plugingetter.Acquire)
+	if create.IPAM != nil {
+		daemon.pluginRefCount(create.IPAM.Driver, ipamapi.PluginEndpointType, plugingetter.Acquire)
+	}
+	daemon.LogNetworkEvent(n, "create")
+
+	return &types.NetworkCreateResponse{
+		ID:      n.ID(),
+		Warning: warning,
+	}, nil
+}
+
+func (daemon *Daemon) pluginRefCount(driver, capability string, mode int) {
+	var builtinDrivers []string
+
+	if capability == driverapi.NetworkPluginEndpointType {
+		builtinDrivers = daemon.netController.BuiltinDrivers()
+	} else if capability == ipamapi.PluginEndpointType {
+		builtinDrivers = daemon.netController.BuiltinIPAMDrivers()
+	}
+
+	for _, d := range builtinDrivers {
+		if d == driver {
+			return
+		}
+	}
+
+	if daemon.PluginStore != nil {
+		_, err := daemon.PluginStore.Get(driver, capability, mode)
+		if err != nil {
+			logrus.WithError(err).WithFields(logrus.Fields{"mode": mode, "driver": driver}).Error("Error handling plugin refcount operation")
+		}
+	}
+}
+
+func getIpamConfig(data []network.IPAMConfig) ([]*libnetwork.IpamConf, []*libnetwork.IpamConf, error) {
+	ipamV4Cfg := []*libnetwork.IpamConf{}
+	ipamV6Cfg := []*libnetwork.IpamConf{}
+	for _, d := range data {
+		iCfg := libnetwork.IpamConf{}
+		iCfg.PreferredPool = d.Subnet
+		iCfg.SubPool = d.IPRange
+		iCfg.Gateway = d.Gateway
+		iCfg.AuxAddresses = d.AuxAddress
+		ip, _, err := net.ParseCIDR(d.Subnet)
+		if err != nil {
+			return nil, nil, fmt.Errorf("Invalid subnet %s : %v", d.Subnet, err)
+		}
+		if ip.To4() != nil {
+			ipamV4Cfg = append(ipamV4Cfg, &iCfg)
+		} else {
+			ipamV6Cfg = append(ipamV6Cfg, &iCfg)
+		}
+	}
+	return ipamV4Cfg, ipamV6Cfg, nil
+}
+
+// UpdateContainerServiceConfig updates a service configuration.
+func (daemon *Daemon) UpdateContainerServiceConfig(containerName string, serviceConfig *clustertypes.ServiceConfig) error {
+	container, err := daemon.GetContainer(containerName)
+	if err != nil {
+		return err
+	}
+
+	container.NetworkSettings.Service = serviceConfig
+	return nil
+}
+
+// ConnectContainerToNetwork connects the given container to the given
+// network. If either cannot be found, an err is returned. If the
+// network cannot be set up, an err is returned.
+func (daemon *Daemon) ConnectContainerToNetwork(containerName, networkName string, endpointConfig *network.EndpointSettings) error {
+	container, err := daemon.GetContainer(containerName)
+	if err != nil {
+		return err
+	}
+	return daemon.ConnectToNetwork(container, networkName, endpointConfig)
+}
+
+// DisconnectContainerFromNetwork disconnects the given container from
+// the given network. If either cannot be found, an err is returned.
+func (daemon *Daemon) DisconnectContainerFromNetwork(containerName string, networkName string, force bool) error {
+	container, err := daemon.GetContainer(containerName)
+	if err != nil {
+		if force {
+			return daemon.ForceEndpointDelete(containerName, networkName)
+		}
+		return err
+	}
+	return daemon.DisconnectFromNetwork(container, networkName, force)
+}
+
+// GetNetworkDriverList returns the list of plugins drivers
+// registered for network.
+func (daemon *Daemon) GetNetworkDriverList() []string {
+	if !daemon.NetworkControllerEnabled() {
+		return nil
+	}
+
+	pluginList := daemon.netController.BuiltinDrivers()
+
+	managedPlugins := daemon.PluginStore.GetAllManagedPluginsByCap(driverapi.NetworkPluginEndpointType)
+
+	for _, plugin := range managedPlugins {
+		pluginList = append(pluginList, plugin.Name())
+	}
+
+	pluginMap := make(map[string]bool)
+	for _, plugin := range pluginList {
+		pluginMap[plugin] = true
+	}
+
+	networks := daemon.netController.Networks()
+
+	for _, network := range networks {
+		if !pluginMap[network.Type()] {
+			pluginList = append(pluginList, network.Type())
+			pluginMap[network.Type()] = true
+		}
+	}
+
+	sort.Strings(pluginList)
+
+	return pluginList
+}
+
+// DeleteManagedNetwork deletes an agent network.
+// The requirement of networkID is enforced.
+func (daemon *Daemon) DeleteManagedNetwork(networkID string) error {
+	n, err := daemon.GetNetworkByID(networkID)
+	if err != nil {
+		return err
+	}
+	return daemon.deleteNetwork(n, true)
+}
+
+// DeleteNetwork destroys a network unless it's one of docker's predefined networks.
+func (daemon *Daemon) DeleteNetwork(networkID string) error {
+	n, err := daemon.GetNetworkByID(networkID)
+	if err != nil {
+		return err
+	}
+	return daemon.deleteNetwork(n, false)
+}
+
+func (daemon *Daemon) deleteNetwork(nw libnetwork.Network, dynamic bool) error {
+	if runconfig.IsPreDefinedNetwork(nw.Name()) && !dynamic {
+		err := fmt.Errorf("%s is a pre-defined network and cannot be removed", nw.Name())
+		return errdefs.Forbidden(err)
+	}
+
+	if dynamic && !nw.Info().Dynamic() {
+		if runconfig.IsPreDefinedNetwork(nw.Name()) {
+			// Predefined networks now support swarm services. Make this
+			// a no-op when cluster requests to remove the predefined network.
+			return nil
+		}
+		err := fmt.Errorf("%s is not a dynamic network", nw.Name())
+		return errdefs.Forbidden(err)
+	}
+
+	if err := nw.Delete(); err != nil {
+		return err
+	}
+
+	// If this is not a configuration only network, we need to
+	// update the corresponding remote drivers' reference counts
+	if !nw.Info().ConfigOnly() {
+		daemon.pluginRefCount(nw.Type(), driverapi.NetworkPluginEndpointType, plugingetter.Release)
+		ipamType, _, _, _ := nw.Info().IpamConfig()
+		daemon.pluginRefCount(ipamType, ipamapi.PluginEndpointType, plugingetter.Release)
+		daemon.LogNetworkEvent(nw, "destroy")
+	}
+
+	return nil
+}
+
+// GetNetworks returns a list of all networks
+func (daemon *Daemon) GetNetworks() []libnetwork.Network {
+	return daemon.getAllNetworks()
+}
+
+// clearAttachableNetworks removes the attachable networks
+// after disconnecting any connected container
+func (daemon *Daemon) clearAttachableNetworks() {
+	for _, n := range daemon.getAllNetworks() {
+		if !n.Info().Attachable() {
+			continue
+		}
+		for _, ep := range n.Endpoints() {
+			epInfo := ep.Info()
+			if epInfo == nil {
+				continue
+			}
+			sb := epInfo.Sandbox()
+			if sb == nil {
+				continue
+			}
+			containerID := sb.ContainerID()
+			if err := daemon.DisconnectContainerFromNetwork(containerID, n.ID(), true); err != nil {
+				logrus.Warnf("Failed to disconnect container %s from swarm network %s on cluster leave: %v",
+					containerID, n.Name(), err)
+			}
+		}
+		if err := daemon.DeleteManagedNetwork(n.ID()); err != nil {
+			logrus.Warnf("Failed to remove swarm network %s on cluster leave: %v", n.Name(), err)
+		}
+	}
+}
+
+// buildCreateEndpointOptions builds endpoint options from a given network.
+func buildCreateEndpointOptions(c *container.Container, n libnetwork.Network, epConfig *network.EndpointSettings, sb libnetwork.Sandbox, daemonDNS []string) ([]libnetwork.EndpointOption, error) {
+	var (
+		bindings      = make(nat.PortMap)
+		pbList        []networktypes.PortBinding
+		exposeList    []networktypes.TransportPort
+		createOptions []libnetwork.EndpointOption
+	)
+
+	defaultNetName := runconfig.DefaultDaemonNetworkMode().NetworkName()
+
+	if (!c.EnableServiceDiscoveryOnDefaultNetwork() && n.Name() == defaultNetName) ||
+		c.NetworkSettings.IsAnonymousEndpoint {
+		createOptions = append(createOptions, libnetwork.CreateOptionAnonymous())
+	}
+
+	if epConfig != nil {
+		ipam := epConfig.IPAMConfig
+
+		if ipam != nil {
+			var (
+				ipList          []net.IP
+				ip, ip6, linkip net.IP
+			)
+
+			for _, ips := range ipam.LinkLocalIPs {
+				if linkip = net.ParseIP(ips); linkip == nil && ips != "" {
+					return nil, errors.Errorf("Invalid link-local IP address: %s", ipam.LinkLocalIPs)
+				}
+				ipList = append(ipList, linkip)
+
+			}
+
+			if ip = net.ParseIP(ipam.IPv4Address); ip == nil && ipam.IPv4Address != "" {
+				return nil, errors.Errorf("Invalid IPv4 address: %s)", ipam.IPv4Address)
+			}
+
+			if ip6 = net.ParseIP(ipam.IPv6Address); ip6 == nil && ipam.IPv6Address != "" {
+				return nil, errors.Errorf("Invalid IPv6 address: %s)", ipam.IPv6Address)
+			}
+
+			createOptions = append(createOptions,
+				libnetwork.CreateOptionIpam(ip, ip6, ipList, nil))
+
+		}
+
+		for _, alias := range epConfig.Aliases {
+			createOptions = append(createOptions, libnetwork.CreateOptionMyAlias(alias))
+		}
+		for k, v := range epConfig.DriverOpts {
+			createOptions = append(createOptions, libnetwork.EndpointOptionGeneric(options.Generic{k: v}))
+		}
+	}
+
+	if c.NetworkSettings.Service != nil {
+		svcCfg := c.NetworkSettings.Service
+
+		var vip string
+		if svcCfg.VirtualAddresses[n.ID()] != nil {
+			vip = svcCfg.VirtualAddresses[n.ID()].IPv4
+		}
+
+		var portConfigs []*libnetwork.PortConfig
+		for _, portConfig := range svcCfg.ExposedPorts {
+			portConfigs = append(portConfigs, &libnetwork.PortConfig{
+				Name:          portConfig.Name,
+				Protocol:      libnetwork.PortConfig_Protocol(portConfig.Protocol),
+				TargetPort:    portConfig.TargetPort,
+				PublishedPort: portConfig.PublishedPort,
+			})
+		}
+
+		createOptions = append(createOptions, libnetwork.CreateOptionService(svcCfg.Name, svcCfg.ID, net.ParseIP(vip), portConfigs, svcCfg.Aliases[n.ID()]))
+	}
+
+	if !containertypes.NetworkMode(n.Name()).IsUserDefined() {
+		createOptions = append(createOptions, libnetwork.CreateOptionDisableResolution())
+	}
+
+	// configs that are applicable only for the endpoint in the network
+	// to which container was connected to on docker run.
+	// Ideally all these network-specific endpoint configurations must be moved under
+	// container.NetworkSettings.Networks[n.Name()]
+	if n.Name() == c.HostConfig.NetworkMode.NetworkName() ||
+		(n.Name() == defaultNetName && c.HostConfig.NetworkMode.IsDefault()) {
+		if c.Config.MacAddress != "" {
+			mac, err := net.ParseMAC(c.Config.MacAddress)
+			if err != nil {
+				return nil, err
+			}
+
+			genericOption := options.Generic{
+				netlabel.MacAddress: mac,
+			}
+
+			createOptions = append(createOptions, libnetwork.EndpointOptionGeneric(genericOption))
+		}
+
+	}
+
+	// Port-mapping rules belong to the container & applicable only to non-internal networks
+	portmaps := getSandboxPortMapInfo(sb)
+	if n.Info().Internal() || len(portmaps) > 0 {
+		return createOptions, nil
+	}
+
+	if c.HostConfig.PortBindings != nil {
+		for p, b := range c.HostConfig.PortBindings {
+			bindings[p] = []nat.PortBinding{}
+			for _, bb := range b {
+				bindings[p] = append(bindings[p], nat.PortBinding{
+					HostIP:   bb.HostIP,
+					HostPort: bb.HostPort,
+				})
+			}
+		}
+	}
+
+	portSpecs := c.Config.ExposedPorts
+	ports := make([]nat.Port, len(portSpecs))
+	var i int
+	for p := range portSpecs {
+		ports[i] = p
+		i++
+	}
+	nat.SortPortMap(ports, bindings)
+	for _, port := range ports {
+		expose := networktypes.TransportPort{}
+		expose.Proto = networktypes.ParseProtocol(port.Proto())
+		expose.Port = uint16(port.Int())
+		exposeList = append(exposeList, expose)
+
+		pb := networktypes.PortBinding{Port: expose.Port, Proto: expose.Proto}
+		binding := bindings[port]
+		for i := 0; i < len(binding); i++ {
+			pbCopy := pb.GetCopy()
+			newP, err := nat.NewPort(nat.SplitProtoPort(binding[i].HostPort))
+			var portStart, portEnd int
+			if err == nil {
+				portStart, portEnd, err = newP.Range()
+			}
+			if err != nil {
+				return nil, errors.Wrapf(err, "Error parsing HostPort value (%s)", binding[i].HostPort)
+			}
+			pbCopy.HostPort = uint16(portStart)
+			pbCopy.HostPortEnd = uint16(portEnd)
+			pbCopy.HostIP = net.ParseIP(binding[i].HostIP)
+			pbList = append(pbList, pbCopy)
+		}
+
+		if c.HostConfig.PublishAllPorts && len(binding) == 0 {
+			pbList = append(pbList, pb)
+		}
+	}
+
+	var dns []string
+
+	if len(c.HostConfig.DNS) > 0 {
+		dns = c.HostConfig.DNS
+	} else if len(daemonDNS) > 0 {
+		dns = daemonDNS
+	}
+
+	if len(dns) > 0 {
+		createOptions = append(createOptions,
+			libnetwork.CreateOptionDNS(dns))
+	}
+
+	createOptions = append(createOptions,
+		libnetwork.CreateOptionPortMapping(pbList),
+		libnetwork.CreateOptionExposedPorts(exposeList))
+
+	return createOptions, nil
+}
+
+// getEndpointInNetwork returns the container's endpoint to the provided network.
+func getEndpointInNetwork(name string, n libnetwork.Network) (libnetwork.Endpoint, error) {
+	endpointName := strings.TrimPrefix(name, "/")
+	return n.EndpointByName(endpointName)
+}
+
+// getSandboxPortMapInfo retrieves the current port-mapping programmed for the given sandbox
+func getSandboxPortMapInfo(sb libnetwork.Sandbox) nat.PortMap {
+	pm := nat.PortMap{}
+	if sb == nil {
+		return pm
+	}
+
+	for _, ep := range sb.Endpoints() {
+		pm, _ = getEndpointPortMapInfo(ep)
+		if len(pm) > 0 {
+			break
+		}
+	}
+	return pm
+}
+
+func getEndpointPortMapInfo(ep libnetwork.Endpoint) (nat.PortMap, error) {
+	pm := nat.PortMap{}
+	driverInfo, err := ep.DriverInfo()
+	if err != nil {
+		return pm, err
+	}
+
+	if driverInfo == nil {
+		// It is not an error for epInfo to be nil
+		return pm, nil
+	}
+
+	if expData, ok := driverInfo[netlabel.ExposedPorts]; ok {
+		if exposedPorts, ok := expData.([]networktypes.TransportPort); ok {
+			for _, tp := range exposedPorts {
+				natPort, err := nat.NewPort(tp.Proto.String(), strconv.Itoa(int(tp.Port)))
+				if err != nil {
+					return pm, fmt.Errorf("Error parsing Port value(%v):%v", tp.Port, err)
+				}
+				pm[natPort] = nil
+			}
+		}
+	}
+
+	mapData, ok := driverInfo[netlabel.PortMap]
+	if !ok {
+		return pm, nil
+	}
+
+	if portMapping, ok := mapData.([]networktypes.PortBinding); ok {
+		for _, pp := range portMapping {
+			natPort, err := nat.NewPort(pp.Proto.String(), strconv.Itoa(int(pp.Port)))
+			if err != nil {
+				return pm, err
+			}
+			natBndg := nat.PortBinding{HostIP: pp.HostIP.String(), HostPort: strconv.Itoa(int(pp.HostPort))}
+			pm[natPort] = append(pm[natPort], natBndg)
+		}
+	}
+
+	return pm, nil
+}
+
+// buildEndpointInfo sets endpoint-related fields on container.NetworkSettings based on the provided network and endpoint.
+func buildEndpointInfo(networkSettings *internalnetwork.Settings, n libnetwork.Network, ep libnetwork.Endpoint) error {
+	if ep == nil {
+		return errors.New("endpoint cannot be nil")
+	}
+
+	if networkSettings == nil {
+		return errors.New("network cannot be nil")
+	}
+
+	epInfo := ep.Info()
+	if epInfo == nil {
+		// It is not an error to get an empty endpoint info
+		return nil
+	}
+
+	if _, ok := networkSettings.Networks[n.Name()]; !ok {
+		networkSettings.Networks[n.Name()] = &internalnetwork.EndpointSettings{
+			EndpointSettings: &network.EndpointSettings{},
+		}
+	}
+	networkSettings.Networks[n.Name()].NetworkID = n.ID()
+	networkSettings.Networks[n.Name()].EndpointID = ep.ID()
+
+	iface := epInfo.Iface()
+	if iface == nil {
+		return nil
+	}
+
+	if iface.MacAddress() != nil {
+		networkSettings.Networks[n.Name()].MacAddress = iface.MacAddress().String()
+	}
+
+	if iface.Address() != nil {
+		ones, _ := iface.Address().Mask.Size()
+		networkSettings.Networks[n.Name()].IPAddress = iface.Address().IP.String()
+		networkSettings.Networks[n.Name()].IPPrefixLen = ones
+	}
+
+	if iface.AddressIPv6() != nil && iface.AddressIPv6().IP.To16() != nil {
+		onesv6, _ := iface.AddressIPv6().Mask.Size()
+		networkSettings.Networks[n.Name()].GlobalIPv6Address = iface.AddressIPv6().IP.String()
+		networkSettings.Networks[n.Name()].GlobalIPv6PrefixLen = onesv6
+	}
+
+	return nil
+}
+
+// buildJoinOptions builds endpoint Join options from a given network.
+func buildJoinOptions(networkSettings *internalnetwork.Settings, n interface {
+	Name() string
+}) ([]libnetwork.EndpointOption, error) {
+	var joinOptions []libnetwork.EndpointOption
+	if epConfig, ok := networkSettings.Networks[n.Name()]; ok {
+		for _, str := range epConfig.Links {
+			name, alias, err := opts.ParseLink(str)
+			if err != nil {
+				return nil, err
+			}
+			joinOptions = append(joinOptions, libnetwork.CreateOptionAlias(name, alias))
+		}
+		for k, v := range epConfig.DriverOpts {
+			joinOptions = append(joinOptions, libnetwork.EndpointOptionGeneric(options.Generic{k: v}))
+		}
+	}
+
+	return joinOptions, nil
+}
diff --git a/engine/daemon/network/settings.go b/engine/daemon/network/settings.go
new file mode 100644
index 00000000..b0460ed6
--- /dev/null
+++ b/engine/daemon/network/settings.go
@@ -0,0 +1,69 @@
+package network // import "github.com/docker/docker/daemon/network"
+
+import (
+	"net"
+
+	networktypes "github.com/docker/docker/api/types/network"
+	clustertypes "github.com/docker/docker/daemon/cluster/provider"
+	"github.com/docker/go-connections/nat"
+	"github.com/pkg/errors"
+)
+
+// Settings stores configuration details about the daemon network config
+// TODO Windows. Many of these fields can be factored out.,
+type Settings struct {
+	Bridge                 string
+	SandboxID              string
+	HairpinMode            bool
+	LinkLocalIPv6Address   string
+	LinkLocalIPv6PrefixLen int
+	Networks               map[string]*EndpointSettings
+	Service                *clustertypes.ServiceConfig
+	Ports                  nat.PortMap
+	SandboxKey             string
+	SecondaryIPAddresses   []networktypes.Address
+	SecondaryIPv6Addresses []networktypes.Address
+	IsAnonymousEndpoint    bool
+	HasSwarmEndpoint       bool
+}
+
+// EndpointSettings is a package local wrapper for
+// networktypes.EndpointSettings which stores Endpoint state that
+// needs to be persisted to disk but not exposed in the api.
+type EndpointSettings struct {
+	*networktypes.EndpointSettings
+	IPAMOperational bool
+}
+
+// AttachmentStore stores the load balancer IP address for a network id.
+type AttachmentStore struct {
+	//key: networkd id
+	//value: load balancer ip address
+	networkToNodeLBIP map[string]net.IP
+}
+
+// ResetAttachments clears any existing load balancer IP to network mapping and
+// sets the mapping to the given attachments.
+func (store *AttachmentStore) ResetAttachments(attachments map[string]string) error {
+	store.ClearAttachments()
+	for nid, nodeIP := range attachments {
+		ip, _, err := net.ParseCIDR(nodeIP)
+		if err != nil {
+			store.networkToNodeLBIP = make(map[string]net.IP)
+			return errors.Wrapf(err, "Failed to parse load balancer address %s", nodeIP)
+		}
+		store.networkToNodeLBIP[nid] = ip
+	}
+	return nil
+}
+
+// ClearAttachments clears all the mappings of network to load balancer IP Address.
+func (store *AttachmentStore) ClearAttachments() {
+	store.networkToNodeLBIP = make(map[string]net.IP)
+}
+
+// GetIPForNetwork return the load balancer IP address for the given network.
+func (store *AttachmentStore) GetIPForNetwork(networkID string) (net.IP, bool) {
+	ip, exists := store.networkToNodeLBIP[networkID]
+	return ip, exists
+}
diff --git a/engine/daemon/oci.go b/engine/daemon/oci.go
new file mode 100644
index 00000000..52050e24
--- /dev/null
+++ b/engine/daemon/oci.go
@@ -0,0 +1,78 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/caps"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// nolint: gosimple
+var (
+	deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
+)
+
+func setCapabilities(s *specs.Spec, c *container.Container) error {
+	var caplist []string
+	var err error
+	if c.HostConfig.Privileged {
+		caplist = caps.GetAllCapabilities()
+	} else {
+		caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
+		if err != nil {
+			return err
+		}
+	}
+	s.Process.Capabilities.Effective = caplist
+	s.Process.Capabilities.Bounding = caplist
+	s.Process.Capabilities.Permitted = caplist
+	s.Process.Capabilities.Inheritable = caplist
+	// setUser has already been executed here
+	// if non root drop capabilities in the way execve does
+	if s.Process.User.UID != 0 {
+		s.Process.Capabilities.Effective = []string{}
+		s.Process.Capabilities.Permitted = []string{}
+	}
+	return nil
+}
+
+func appendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
+	for _, deviceCgroupRule := range rules {
+		ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
+		if len(ss[0]) != 5 {
+			return nil, fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)
+		}
+		matches := ss[0]
+
+		dPermissions := specs.LinuxDeviceCgroup{
+			Allow:  true,
+			Type:   matches[1],
+			Access: matches[4],
+		}
+		if matches[2] == "*" {
+			major := int64(-1)
+			dPermissions.Major = &major
+		} else {
+			major, err := strconv.ParseInt(matches[2], 10, 64)
+			if err != nil {
+				return nil, fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
+			}
+			dPermissions.Major = &major
+		}
+		if matches[3] == "*" {
+			minor := int64(-1)
+			dPermissions.Minor = &minor
+		} else {
+			minor, err := strconv.ParseInt(matches[3], 10, 64)
+			if err != nil {
+				return nil, fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule)
+			}
+			dPermissions.Minor = &minor
+		}
+		devPermissions = append(devPermissions, dPermissions)
+	}
+	return devPermissions, nil
+}
diff --git a/engine/daemon/oci_linux.go b/engine/daemon/oci_linux.go
new file mode 100644
index 00000000..6fb7a26d
--- /dev/null
+++ b/engine/daemon/oci_linux.go
@@ -0,0 +1,881 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	daemonconfig "github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/oci"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/mount"
+	volumemounts "github.com/docker/docker/volume/mounts"
+	"github.com/opencontainers/runc/libcontainer/apparmor"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/devices"
+	"github.com/opencontainers/runc/libcontainer/user"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func setResources(s *specs.Spec, r containertypes.Resources) error {
+	weightDevices, err := getBlkioWeightDevices(r)
+	if err != nil {
+		return err
+	}
+	readBpsDevice, err := getBlkioThrottleDevices(r.BlkioDeviceReadBps)
+	if err != nil {
+		return err
+	}
+	writeBpsDevice, err := getBlkioThrottleDevices(r.BlkioDeviceWriteBps)
+	if err != nil {
+		return err
+	}
+	readIOpsDevice, err := getBlkioThrottleDevices(r.BlkioDeviceReadIOps)
+	if err != nil {
+		return err
+	}
+	writeIOpsDevice, err := getBlkioThrottleDevices(r.BlkioDeviceWriteIOps)
+	if err != nil {
+		return err
+	}
+
+	memoryRes := getMemoryResources(r)
+	cpuRes, err := getCPUResources(r)
+	if err != nil {
+		return err
+	}
+	blkioWeight := r.BlkioWeight
+
+	specResources := &specs.LinuxResources{
+		Memory: memoryRes,
+		CPU:    cpuRes,
+		BlockIO: &specs.LinuxBlockIO{
+			Weight:                  &blkioWeight,
+			WeightDevice:            weightDevices,
+			ThrottleReadBpsDevice:   readBpsDevice,
+			ThrottleWriteBpsDevice:  writeBpsDevice,
+			ThrottleReadIOPSDevice:  readIOpsDevice,
+			ThrottleWriteIOPSDevice: writeIOpsDevice,
+		},
+		Pids: &specs.LinuxPids{
+			Limit: r.PidsLimit,
+		},
+	}
+
+	if s.Linux.Resources != nil && len(s.Linux.Resources.Devices) > 0 {
+		specResources.Devices = s.Linux.Resources.Devices
+	}
+
+	s.Linux.Resources = specResources
+	return nil
+}
+
+func setDevices(s *specs.Spec, c *container.Container) error {
+	// Build lists of devices allowed and created within the container.
+	var devs []specs.LinuxDevice
+	devPermissions := s.Linux.Resources.Devices
+	if c.HostConfig.Privileged {
+		hostDevices, err := devices.HostDevices()
+		if err != nil {
+			return err
+		}
+		for _, d := range hostDevices {
+			devs = append(devs, oci.Device(d))
+		}
+		devPermissions = []specs.LinuxDeviceCgroup{
+			{
+				Allow:  true,
+				Access: "rwm",
+			},
+		}
+	} else {
+		for _, deviceMapping := range c.HostConfig.Devices {
+			d, dPermissions, err := oci.DevicesFromPath(deviceMapping.PathOnHost, deviceMapping.PathInContainer, deviceMapping.CgroupPermissions)
+			if err != nil {
+				return err
+			}
+			devs = append(devs, d...)
+			devPermissions = append(devPermissions, dPermissions...)
+		}
+
+		var err error
+		devPermissions, err = appendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
+		if err != nil {
+			return err
+		}
+	}
+
+	s.Linux.Devices = append(s.Linux.Devices, devs...)
+	s.Linux.Resources.Devices = devPermissions
+	return nil
+}
+
+func (daemon *Daemon) setRlimits(s *specs.Spec, c *container.Container) error {
+	var rlimits []specs.POSIXRlimit
+
+	// We want to leave the original HostConfig alone so make a copy here
+	hostConfig := *c.HostConfig
+	// Merge with the daemon defaults
+	daemon.mergeUlimits(&hostConfig)
+	for _, ul := range hostConfig.Ulimits {
+		rlimits = append(rlimits, specs.POSIXRlimit{
+			Type: "RLIMIT_" + strings.ToUpper(ul.Name),
+			Soft: uint64(ul.Soft),
+			Hard: uint64(ul.Hard),
+		})
+	}
+
+	s.Process.Rlimits = rlimits
+	return nil
+}
+
+func setUser(s *specs.Spec, c *container.Container) error {
+	uid, gid, additionalGids, err := getUser(c, c.Config.User)
+	if err != nil {
+		return err
+	}
+	s.Process.User.UID = uid
+	s.Process.User.GID = gid
+	s.Process.User.AdditionalGids = additionalGids
+	return nil
+}
+
+func readUserFile(c *container.Container, p string) (io.ReadCloser, error) {
+	fp, err := c.GetResourcePath(p)
+	if err != nil {
+		return nil, err
+	}
+	return os.Open(fp)
+}
+
+func getUser(c *container.Container, username string) (uint32, uint32, []uint32, error) {
+	passwdPath, err := user.GetPasswdPath()
+	if err != nil {
+		return 0, 0, nil, err
+	}
+	groupPath, err := user.GetGroupPath()
+	if err != nil {
+		return 0, 0, nil, err
+	}
+	passwdFile, err := readUserFile(c, passwdPath)
+	if err == nil {
+		defer passwdFile.Close()
+	}
+	groupFile, err := readUserFile(c, groupPath)
+	if err == nil {
+		defer groupFile.Close()
+	}
+
+	execUser, err := user.GetExecUser(username, nil, passwdFile, groupFile)
+	if err != nil {
+		return 0, 0, nil, err
+	}
+
+	// todo: fix this double read by a change to libcontainer/user pkg
+	groupFile, err = readUserFile(c, groupPath)
+	if err == nil {
+		defer groupFile.Close()
+	}
+	var addGroups []int
+	if len(c.HostConfig.GroupAdd) > 0 {
+		addGroups, err = user.GetAdditionalGroups(c.HostConfig.GroupAdd, groupFile)
+		if err != nil {
+			return 0, 0, nil, err
+		}
+	}
+	uid := uint32(execUser.Uid)
+	gid := uint32(execUser.Gid)
+	sgids := append(execUser.Sgids, addGroups...)
+	var additionalGids []uint32
+	for _, g := range sgids {
+		additionalGids = append(additionalGids, uint32(g))
+	}
+	return uid, gid, additionalGids, nil
+}
+
+func setNamespace(s *specs.Spec, ns specs.LinuxNamespace) {
+	for i, n := range s.Linux.Namespaces {
+		if n.Type == ns.Type {
+			s.Linux.Namespaces[i] = ns
+			return
+		}
+	}
+	s.Linux.Namespaces = append(s.Linux.Namespaces, ns)
+}
+
+func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error {
+	userNS := false
+	// user
+	if c.HostConfig.UsernsMode.IsPrivate() {
+		uidMap := daemon.idMappings.UIDs()
+		if uidMap != nil {
+			userNS = true
+			ns := specs.LinuxNamespace{Type: "user"}
+			setNamespace(s, ns)
+			s.Linux.UIDMappings = specMapping(uidMap)
+			s.Linux.GIDMappings = specMapping(daemon.idMappings.GIDs())
+		}
+	}
+	// network
+	if !c.Config.NetworkDisabled {
+		ns := specs.LinuxNamespace{Type: "network"}
+		parts := strings.SplitN(string(c.HostConfig.NetworkMode), ":", 2)
+		if parts[0] == "container" {
+			nc, err := daemon.getNetworkedContainer(c.ID, c.HostConfig.NetworkMode.ConnectedContainer())
+			if err != nil {
+				return err
+			}
+			ns.Path = fmt.Sprintf("/proc/%d/ns/net", nc.State.GetPID())
+			if userNS {
+				// to share a net namespace, they must also share a user namespace
+				nsUser := specs.LinuxNamespace{Type: "user"}
+				nsUser.Path = fmt.Sprintf("/proc/%d/ns/user", nc.State.GetPID())
+				setNamespace(s, nsUser)
+			}
+		} else if c.HostConfig.NetworkMode.IsHost() {
+			ns.Path = c.NetworkSettings.SandboxKey
+		}
+		setNamespace(s, ns)
+	}
+
+	// ipc
+	ipcMode := c.HostConfig.IpcMode
+	switch {
+	case ipcMode.IsContainer():
+		ns := specs.LinuxNamespace{Type: "ipc"}
+		ic, err := daemon.getIpcContainer(ipcMode.Container())
+		if err != nil {
+			return err
+		}
+		ns.Path = fmt.Sprintf("/proc/%d/ns/ipc", ic.State.GetPID())
+		setNamespace(s, ns)
+		if userNS {
+			// to share an IPC namespace, they must also share a user namespace
+			nsUser := specs.LinuxNamespace{Type: "user"}
+			nsUser.Path = fmt.Sprintf("/proc/%d/ns/user", ic.State.GetPID())
+			setNamespace(s, nsUser)
+		}
+	case ipcMode.IsHost():
+		oci.RemoveNamespace(s, specs.LinuxNamespaceType("ipc"))
+	case ipcMode.IsEmpty():
+		// A container was created by an older version of the daemon.
+		// The default behavior used to be what is now called "shareable".
+		fallthrough
+	case ipcMode.IsPrivate(), ipcMode.IsShareable(), ipcMode.IsNone():
+		ns := specs.LinuxNamespace{Type: "ipc"}
+		setNamespace(s, ns)
+	default:
+		return fmt.Errorf("Invalid IPC mode: %v", ipcMode)
+	}
+
+	// pid
+	if c.HostConfig.PidMode.IsContainer() {
+		ns := specs.LinuxNamespace{Type: "pid"}
+		pc, err := daemon.getPidContainer(c)
+		if err != nil {
+			return err
+		}
+		ns.Path = fmt.Sprintf("/proc/%d/ns/pid", pc.State.GetPID())
+		setNamespace(s, ns)
+		if userNS {
+			// to share a PID namespace, they must also share a user namespace
+			nsUser := specs.LinuxNamespace{Type: "user"}
+			nsUser.Path = fmt.Sprintf("/proc/%d/ns/user", pc.State.GetPID())
+			setNamespace(s, nsUser)
+		}
+	} else if c.HostConfig.PidMode.IsHost() {
+		oci.RemoveNamespace(s, specs.LinuxNamespaceType("pid"))
+	} else {
+		ns := specs.LinuxNamespace{Type: "pid"}
+		setNamespace(s, ns)
+	}
+	// uts
+	if c.HostConfig.UTSMode.IsHost() {
+		oci.RemoveNamespace(s, specs.LinuxNamespaceType("uts"))
+		s.Hostname = ""
+	}
+
+	return nil
+}
+
+func specMapping(s []idtools.IDMap) []specs.LinuxIDMapping {
+	var ids []specs.LinuxIDMapping
+	for _, item := range s {
+		ids = append(ids, specs.LinuxIDMapping{
+			HostID:      uint32(item.HostID),
+			ContainerID: uint32(item.ContainerID),
+			Size:        uint32(item.Size),
+		})
+	}
+	return ids
+}
+
+// Get the source mount point of directory passed in as argument. Also return
+// optional fields.
+func getSourceMount(source string) (string, string, error) {
+	// Ensure any symlinks are resolved.
+	sourcePath, err := filepath.EvalSymlinks(source)
+	if err != nil {
+		return "", "", err
+	}
+
+	mi, err := mount.GetMounts(mount.ParentsFilter(sourcePath))
+	if err != nil {
+		return "", "", err
+	}
+	if len(mi) < 1 {
+		return "", "", fmt.Errorf("Can't find mount point of %s", source)
+	}
+
+	// find the longest mount point
+	var idx, maxlen int
+	for i := range mi {
+		if len(mi[i].Mountpoint) > maxlen {
+			maxlen = len(mi[i].Mountpoint)
+			idx = i
+		}
+	}
+	return mi[idx].Mountpoint, mi[idx].Optional, nil
+}
+
+const (
+	sharedPropagationOption = "shared:"
+	slavePropagationOption  = "master:"
+)
+
+// hasMountinfoOption checks if any of the passed any of the given option values
+// are set in the passed in option string.
+func hasMountinfoOption(opts string, vals ...string) bool {
+	for _, opt := range strings.Split(opts, " ") {
+		for _, val := range vals {
+			if strings.HasPrefix(opt, val) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// Ensure mount point on which path is mounted, is shared.
+func ensureShared(path string) error {
+	sourceMount, optionalOpts, err := getSourceMount(path)
+	if err != nil {
+		return err
+	}
+	// Make sure source mount point is shared.
+	if !hasMountinfoOption(optionalOpts, sharedPropagationOption) {
+		return errors.Errorf("path %s is mounted on %s but it is not a shared mount", path, sourceMount)
+	}
+	return nil
+}
+
+// Ensure mount point on which path is mounted, is either shared or slave.
+func ensureSharedOrSlave(path string) error {
+	sourceMount, optionalOpts, err := getSourceMount(path)
+	if err != nil {
+		return err
+	}
+
+	if !hasMountinfoOption(optionalOpts, sharedPropagationOption, slavePropagationOption) {
+		return errors.Errorf("path %s is mounted on %s but it is not a shared or slave mount", path, sourceMount)
+	}
+	return nil
+}
+
+// Get the set of mount flags that are set on the mount that contains the given
+// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
+// bind-mounting "with options" will not fail with user namespaces, due to
+// kernel restrictions that require user namespace mounts to preserve
+// CL_UNPRIVILEGED locked flags.
+func getUnprivilegedMountFlags(path string) ([]string, error) {
+	var statfs unix.Statfs_t
+	if err := unix.Statfs(path, &statfs); err != nil {
+		return nil, err
+	}
+
+	// The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
+	unprivilegedFlags := map[uint64]string{
+		unix.MS_RDONLY:     "ro",
+		unix.MS_NODEV:      "nodev",
+		unix.MS_NOEXEC:     "noexec",
+		unix.MS_NOSUID:     "nosuid",
+		unix.MS_NOATIME:    "noatime",
+		unix.MS_RELATIME:   "relatime",
+		unix.MS_NODIRATIME: "nodiratime",
+	}
+
+	var flags []string
+	for mask, flag := range unprivilegedFlags {
+		if uint64(statfs.Flags)&mask == mask {
+			flags = append(flags, flag)
+		}
+	}
+
+	return flags, nil
+}
+
+var (
+	mountPropagationMap = map[string]int{
+		"private":  mount.PRIVATE,
+		"rprivate": mount.RPRIVATE,
+		"shared":   mount.SHARED,
+		"rshared":  mount.RSHARED,
+		"slave":    mount.SLAVE,
+		"rslave":   mount.RSLAVE,
+	}
+
+	mountPropagationReverseMap = map[int]string{
+		mount.PRIVATE:  "private",
+		mount.RPRIVATE: "rprivate",
+		mount.SHARED:   "shared",
+		mount.RSHARED:  "rshared",
+		mount.SLAVE:    "slave",
+		mount.RSLAVE:   "rslave",
+	}
+)
+
+// inSlice tests whether a string is contained in a slice of strings or not.
+// Comparison is case sensitive
+func inSlice(slice []string, s string) bool {
+	for _, ss := range slice {
+		if s == ss {
+			return true
+		}
+	}
+	return false
+}
+
+func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []container.Mount) error {
+	userMounts := make(map[string]struct{})
+	for _, m := range mounts {
+		userMounts[m.Destination] = struct{}{}
+	}
+
+	// Copy all mounts from spec to defaultMounts, except for
+	//  - mounts overriden by a user supplied mount;
+	//  - all mounts under /dev if a user supplied /dev is present;
+	//  - /dev/shm, in case IpcMode is none.
+	// While at it, also
+	//  - set size for /dev/shm from shmsize.
+	defaultMounts := s.Mounts[:0]
+	_, mountDev := userMounts["/dev"]
+	for _, m := range s.Mounts {
+		if _, ok := userMounts[m.Destination]; ok {
+			// filter out mount overridden by a user supplied mount
+			continue
+		}
+		if mountDev && strings.HasPrefix(m.Destination, "/dev/") {
+			// filter out everything under /dev if /dev is user-mounted
+			continue
+		}
+
+		if m.Destination == "/dev/shm" {
+			if c.HostConfig.IpcMode.IsNone() {
+				// filter out /dev/shm for "none" IpcMode
+				continue
+			}
+			// set size for /dev/shm mount from spec
+			sizeOpt := "size=" + strconv.FormatInt(c.HostConfig.ShmSize, 10)
+			m.Options = append(m.Options, sizeOpt)
+		}
+
+		defaultMounts = append(defaultMounts, m)
+	}
+
+	s.Mounts = defaultMounts
+	for _, m := range mounts {
+		for _, cm := range s.Mounts {
+			if cm.Destination == m.Destination {
+				return duplicateMountPointError(m.Destination)
+			}
+		}
+
+		if m.Source == "tmpfs" {
+			data := m.Data
+			parser := volumemounts.NewParser("linux")
+			options := []string{"noexec", "nosuid", "nodev", string(parser.DefaultPropagationMode())}
+			if data != "" {
+				options = append(options, strings.Split(data, ",")...)
+			}
+
+			merged, err := mount.MergeTmpfsOptions(options)
+			if err != nil {
+				return err
+			}
+
+			s.Mounts = append(s.Mounts, specs.Mount{Destination: m.Destination, Source: m.Source, Type: "tmpfs", Options: merged})
+			continue
+		}
+
+		mt := specs.Mount{Destination: m.Destination, Source: m.Source, Type: "bind"}
+
+		// Determine property of RootPropagation based on volume
+		// properties. If a volume is shared, then keep root propagation
+		// shared. This should work for slave and private volumes too.
+		//
+		// For slave volumes, it can be either [r]shared/[r]slave.
+		//
+		// For private volumes any root propagation value should work.
+		pFlag := mountPropagationMap[m.Propagation]
+		switch pFlag {
+		case mount.SHARED, mount.RSHARED:
+			if err := ensureShared(m.Source); err != nil {
+				return err
+			}
+			rootpg := mountPropagationMap[s.Linux.RootfsPropagation]
+			if rootpg != mount.SHARED && rootpg != mount.RSHARED {
+				s.Linux.RootfsPropagation = mountPropagationReverseMap[mount.SHARED]
+			}
+		case mount.SLAVE, mount.RSLAVE:
+			var fallback bool
+			if err := ensureSharedOrSlave(m.Source); err != nil {
+				// For backwards compatability purposes, treat mounts from the daemon root
+				// as special since we automatically add rslave propagation to these mounts
+				// when the user did not set anything, so we should fallback to the old
+				// behavior which is to use private propagation which is normally the
+				// default.
+				if !strings.HasPrefix(m.Source, daemon.root) && !strings.HasPrefix(daemon.root, m.Source) {
+					return err
+				}
+
+				cm, ok := c.MountPoints[m.Destination]
+				if !ok {
+					return err
+				}
+				if cm.Spec.BindOptions != nil && cm.Spec.BindOptions.Propagation != "" {
+					// This means the user explicitly set a propagation, do not fallback in that case.
+					return err
+				}
+				fallback = true
+				logrus.WithField("container", c.ID).WithField("source", m.Source).Warn("Falling back to default propagation for bind source in daemon root")
+			}
+			if !fallback {
+				rootpg := mountPropagationMap[s.Linux.RootfsPropagation]
+				if rootpg != mount.SHARED && rootpg != mount.RSHARED && rootpg != mount.SLAVE && rootpg != mount.RSLAVE {
+					s.Linux.RootfsPropagation = mountPropagationReverseMap[mount.RSLAVE]
+				}
+			}
+		}
+
+		opts := []string{"rbind"}
+		if !m.Writable {
+			opts = append(opts, "ro")
+		}
+		if pFlag != 0 {
+			opts = append(opts, mountPropagationReverseMap[pFlag])
+		}
+
+		// If we are using user namespaces, then we must make sure that we
+		// don't drop any of the CL_UNPRIVILEGED "locked" flags of the source
+		// "mount" when we bind-mount. The reason for this is that at the point
+		// when runc sets up the root filesystem, it is already inside a user
+		// namespace, and thus cannot change any flags that are locked.
+		if daemon.configStore.RemappedRoot != "" {
+			unprivOpts, err := getUnprivilegedMountFlags(m.Source)
+			if err != nil {
+				return err
+			}
+			opts = append(opts, unprivOpts...)
+		}
+
+		mt.Options = opts
+		s.Mounts = append(s.Mounts, mt)
+	}
+
+	if s.Root.Readonly {
+		for i, m := range s.Mounts {
+			switch m.Destination {
+			case "/proc", "/dev/pts", "/dev/shm", "/dev/mqueue", "/dev":
+				continue
+			}
+			if _, ok := userMounts[m.Destination]; !ok {
+				if !inSlice(m.Options, "ro") {
+					s.Mounts[i].Options = append(s.Mounts[i].Options, "ro")
+				}
+			}
+		}
+	}
+
+	if c.HostConfig.Privileged {
+		// clear readonly for /sys
+		for i := range s.Mounts {
+			if s.Mounts[i].Destination == "/sys" {
+				clearReadOnly(&s.Mounts[i])
+			}
+		}
+		s.Linux.ReadonlyPaths = nil
+		s.Linux.MaskedPaths = nil
+	}
+
+	// TODO: until a kernel/mount solution exists for handling remount in a user namespace,
+	// we must clear the readonly flag for the cgroups mount (@mrunalp concurs)
+	if uidMap := daemon.idMappings.UIDs(); uidMap != nil || c.HostConfig.Privileged {
+		for i, m := range s.Mounts {
+			if m.Type == "cgroup" {
+				clearReadOnly(&s.Mounts[i])
+			}
+		}
+	}
+
+	return nil
+}
+
+func (daemon *Daemon) populateCommonSpec(s *specs.Spec, c *container.Container) error {
+	if c.BaseFS == nil {
+		return errors.New("populateCommonSpec: BaseFS of container " + c.ID + " is unexpectedly nil")
+	}
+	linkedEnv, err := daemon.setupLinkedContainers(c)
+	if err != nil {
+		return err
+	}
+	s.Root = &specs.Root{
+		Path:     c.BaseFS.Path(),
+		Readonly: c.HostConfig.ReadonlyRootfs,
+	}
+	if err := c.SetupWorkingDirectory(daemon.idMappings.RootPair()); err != nil {
+		return err
+	}
+	cwd := c.Config.WorkingDir
+	if len(cwd) == 0 {
+		cwd = "/"
+	}
+	s.Process.Args = append([]string{c.Path}, c.Args...)
+
+	// only add the custom init if it is specified and the container is running in its
+	// own private pid namespace.  It does not make sense to add if it is running in the
+	// host namespace or another container's pid namespace where we already have an init
+	if c.HostConfig.PidMode.IsPrivate() {
+		if (c.HostConfig.Init != nil && *c.HostConfig.Init) ||
+			(c.HostConfig.Init == nil && daemon.configStore.Init) {
+			s.Process.Args = append([]string{"/dev/init", "--", c.Path}, c.Args...)
+			var path string
+			if daemon.configStore.InitPath == "" {
+				path, err = exec.LookPath(daemonconfig.DefaultInitBinary)
+				if err != nil {
+					return err
+				}
+			}
+			if daemon.configStore.InitPath != "" {
+				path = daemon.configStore.InitPath
+			}
+			s.Mounts = append(s.Mounts, specs.Mount{
+				Destination: "/dev/init",
+				Type:        "bind",
+				Source:      path,
+				Options:     []string{"bind", "ro"},
+			})
+		}
+	}
+	s.Process.Cwd = cwd
+	s.Process.Env = c.CreateDaemonEnvironment(c.Config.Tty, linkedEnv)
+	s.Process.Terminal = c.Config.Tty
+	s.Hostname = c.FullHostname()
+
+	return nil
+}
+
+func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, err error) {
+	s := oci.DefaultSpec()
+	if err := daemon.populateCommonSpec(&s, c); err != nil {
+		return nil, err
+	}
+
+	var cgroupsPath string
+	scopePrefix := "docker"
+	parent := "/docker"
+	useSystemd := UsingSystemd(daemon.configStore)
+	if useSystemd {
+		parent = "system.slice"
+	}
+
+	if c.HostConfig.CgroupParent != "" {
+		parent = c.HostConfig.CgroupParent
+	} else if daemon.configStore.CgroupParent != "" {
+		parent = daemon.configStore.CgroupParent
+	}
+
+	if useSystemd {
+		cgroupsPath = parent + ":" + scopePrefix + ":" + c.ID
+		logrus.Debugf("createSpec: cgroupsPath: %s", cgroupsPath)
+	} else {
+		cgroupsPath = filepath.Join(parent, c.ID)
+	}
+	s.Linux.CgroupsPath = cgroupsPath
+
+	if err := setResources(&s, c.HostConfig.Resources); err != nil {
+		return nil, fmt.Errorf("linux runtime spec resources: %v", err)
+	}
+	s.Linux.Sysctl = c.HostConfig.Sysctls
+
+	p := s.Linux.CgroupsPath
+	if useSystemd {
+		initPath, err := cgroups.GetInitCgroup("cpu")
+		if err != nil {
+			return nil, err
+		}
+		_, err = cgroups.GetOwnCgroup("cpu")
+		if err != nil {
+			return nil, err
+		}
+		p = filepath.Join(initPath, s.Linux.CgroupsPath)
+	}
+
+	// Clean path to guard against things like ../../../BAD
+	parentPath := filepath.Dir(p)
+	if !filepath.IsAbs(parentPath) {
+		parentPath = filepath.Clean("/" + parentPath)
+	}
+
+	if err := daemon.initCgroupsPath(parentPath); err != nil {
+		return nil, fmt.Errorf("linux init cgroups path: %v", err)
+	}
+	if err := setDevices(&s, c); err != nil {
+		return nil, fmt.Errorf("linux runtime spec devices: %v", err)
+	}
+	if err := daemon.setRlimits(&s, c); err != nil {
+		return nil, fmt.Errorf("linux runtime spec rlimits: %v", err)
+	}
+	if err := setUser(&s, c); err != nil {
+		return nil, fmt.Errorf("linux spec user: %v", err)
+	}
+	if err := setNamespaces(daemon, &s, c); err != nil {
+		return nil, fmt.Errorf("linux spec namespaces: %v", err)
+	}
+	if err := setCapabilities(&s, c); err != nil {
+		return nil, fmt.Errorf("linux spec capabilities: %v", err)
+	}
+	if err := setSeccomp(daemon, &s, c); err != nil {
+		return nil, fmt.Errorf("linux seccomp: %v", err)
+	}
+
+	if err := daemon.setupContainerMountsRoot(c); err != nil {
+		return nil, err
+	}
+
+	if err := daemon.setupIpcDirs(c); err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if err != nil {
+			daemon.cleanupSecretDir(c)
+		}
+	}()
+
+	if err := daemon.setupSecretDir(c); err != nil {
+		return nil, err
+	}
+
+	ms, err := daemon.setupMounts(c)
+	if err != nil {
+		return nil, err
+	}
+
+	if !c.HostConfig.IpcMode.IsPrivate() && !c.HostConfig.IpcMode.IsEmpty() {
+		ms = append(ms, c.IpcMounts()...)
+	}
+
+	tmpfsMounts, err := c.TmpfsMounts()
+	if err != nil {
+		return nil, err
+	}
+	ms = append(ms, tmpfsMounts...)
+
+	secretMounts, err := c.SecretMounts()
+	if err != nil {
+		return nil, err
+	}
+	ms = append(ms, secretMounts...)
+
+	sort.Sort(mounts(ms))
+	if err := setMounts(daemon, &s, c, ms); err != nil {
+		return nil, fmt.Errorf("linux mounts: %v", err)
+	}
+
+	for _, ns := range s.Linux.Namespaces {
+		if ns.Type == "network" && ns.Path == "" && !c.Config.NetworkDisabled {
+			target := filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe")
+			s.Hooks = &specs.Hooks{
+				Prestart: []specs.Hook{{
+					Path: target,
+					Args: []string{"libnetwork-setkey", c.ID, daemon.netController.ID()},
+				}},
+			}
+		}
+	}
+
+	if apparmor.IsEnabled() {
+		var appArmorProfile string
+		if c.AppArmorProfile != "" {
+			appArmorProfile = c.AppArmorProfile
+		} else if c.HostConfig.Privileged {
+			appArmorProfile = "unconfined"
+		} else {
+			appArmorProfile = "docker-default"
+		}
+
+		if appArmorProfile == "docker-default" {
+			// Unattended upgrades and other fun services can unload AppArmor
+			// profiles inadvertently. Since we cannot store our profile in
+			// /etc/apparmor.d, nor can we practically add other ways of
+			// telling the system to keep our profile loaded, in order to make
+			// sure that we keep the default profile enabled we dynamically
+			// reload it if necessary.
+			if err := ensureDefaultAppArmorProfile(); err != nil {
+				return nil, err
+			}
+		}
+
+		s.Process.ApparmorProfile = appArmorProfile
+	}
+	s.Process.SelinuxLabel = c.GetProcessLabel()
+	s.Process.NoNewPrivileges = c.NoNewPrivileges
+	s.Process.OOMScoreAdj = &c.HostConfig.OomScoreAdj
+	s.Linux.MountLabel = c.MountLabel
+
+	// Set the masked and readonly paths with regard to the host config options if they are set.
+	if c.HostConfig.MaskedPaths != nil {
+		s.Linux.MaskedPaths = c.HostConfig.MaskedPaths
+	}
+	if c.HostConfig.ReadonlyPaths != nil {
+		s.Linux.ReadonlyPaths = c.HostConfig.ReadonlyPaths
+	}
+
+	return &s, nil
+}
+
+func clearReadOnly(m *specs.Mount) {
+	var opt []string
+	for _, o := range m.Options {
+		if o != "ro" {
+			opt = append(opt, o)
+		}
+	}
+	m.Options = opt
+}
+
+// mergeUlimits merge the Ulimits from HostConfig with daemon defaults, and update HostConfig
+func (daemon *Daemon) mergeUlimits(c *containertypes.HostConfig) {
+	ulimits := c.Ulimits
+	// Merge ulimits with daemon defaults
+	ulIdx := make(map[string]struct{})
+	for _, ul := range ulimits {
+		ulIdx[ul.Name] = struct{}{}
+	}
+	for name, ul := range daemon.configStore.Ulimits {
+		if _, exists := ulIdx[name]; !exists {
+			ulimits = append(ulimits, ul)
+		}
+	}
+	c.Ulimits = ulimits
+}
diff --git a/engine/daemon/oci_linux_test.go b/engine/daemon/oci_linux_test.go
new file mode 100644
index 00000000..e618951e
--- /dev/null
+++ b/engine/daemon/oci_linux_test.go
@@ -0,0 +1,102 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"os"
+	"testing"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/oci"
+	"github.com/docker/docker/pkg/idtools"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+// TestTmpfsDevShmNoDupMount checks that a user-specified /dev/shm tmpfs
+// mount (as in "docker run --tmpfs /dev/shm:rw,size=NNN") does not result
+// in "Duplicate mount point" error from the engine.
+// https://github.com/moby/moby/issues/35455
+func TestTmpfsDevShmNoDupMount(t *testing.T) {
+	d := Daemon{
+		// some empty structs to avoid getting a panic
+		// caused by a null pointer dereference
+		idMappings:  &idtools.IDMappings{},
+		configStore: &config.Config{},
+	}
+	c := &container.Container{
+		ShmPath: "foobar", // non-empty, for c.IpcMounts() to work
+		HostConfig: &containertypes.HostConfig{
+			IpcMode: containertypes.IpcMode("shareable"), // default mode
+			// --tmpfs /dev/shm:rw,exec,size=NNN
+			Tmpfs: map[string]string{
+				"/dev/shm": "rw,exec,size=1g",
+			},
+		},
+	}
+
+	// Mimick the code flow of daemon.createSpec(), enough to reproduce the issue
+	ms, err := d.setupMounts(c)
+	assert.Check(t, err)
+
+	ms = append(ms, c.IpcMounts()...)
+
+	tmpfsMounts, err := c.TmpfsMounts()
+	assert.Check(t, err)
+	ms = append(ms, tmpfsMounts...)
+
+	s := oci.DefaultSpec()
+	err = setMounts(&d, &s, c, ms)
+	assert.Check(t, err)
+}
+
+// TestIpcPrivateVsReadonly checks that in case of IpcMode: private
+// and ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
+// the resulting /dev/shm mount is NOT made read-only.
+// https://github.com/moby/moby/issues/36503
+func TestIpcPrivateVsReadonly(t *testing.T) {
+	d := Daemon{
+		// some empty structs to avoid getting a panic
+		// caused by a null pointer dereference
+		idMappings:  &idtools.IDMappings{},
+		configStore: &config.Config{},
+	}
+	c := &container.Container{
+		HostConfig: &containertypes.HostConfig{
+			IpcMode:        containertypes.IpcMode("private"),
+			ReadonlyRootfs: true,
+		},
+	}
+
+	// We can't call createSpec() so mimick the minimal part
+	// of its code flow, just enough to reproduce the issue.
+	ms, err := d.setupMounts(c)
+	assert.Check(t, err)
+
+	s := oci.DefaultSpec()
+	s.Root.Readonly = c.HostConfig.ReadonlyRootfs
+
+	err = setMounts(&d, &s, c, ms)
+	assert.Check(t, err)
+
+	// Find the /dev/shm mount in ms, check it does not have ro
+	for _, m := range s.Mounts {
+		if m.Destination != "/dev/shm" {
+			continue
+		}
+		assert.Check(t, is.Equal(false, inSlice(m.Options, "ro")))
+	}
+}
+
+func TestGetSourceMount(t *testing.T) {
+	// must be able to find source mount for /
+	mnt, _, err := getSourceMount("/")
+	assert.NilError(t, err)
+	assert.Equal(t, mnt, "/")
+
+	// must be able to find source mount for current directory
+	cwd, err := os.Getwd()
+	assert.NilError(t, err)
+	_, _, err = getSourceMount(cwd)
+	assert.NilError(t, err)
+}
diff --git a/engine/daemon/oci_windows.go b/engine/daemon/oci_windows.go
new file mode 100644
index 00000000..6279d7dd
--- /dev/null
+++ b/engine/daemon/oci_windows.go
@@ -0,0 +1,419 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/oci"
+	"github.com/docker/docker/pkg/sysinfo"
+	"github.com/docker/docker/pkg/system"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/registry"
+)
+
+const (
+	credentialSpecRegistryLocation = `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Containers\CredentialSpecs`
+	credentialSpecFileLocation     = "CredentialSpecs"
+)
+
+func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
+	img, err := daemon.imageService.GetImage(string(c.ImageID))
+	if err != nil {
+		return nil, err
+	}
+
+	s := oci.DefaultOSSpec(img.OS)
+
+	linkedEnv, err := daemon.setupLinkedContainers(c)
+	if err != nil {
+		return nil, err
+	}
+
+	// Note, unlike Unix, we do NOT call into SetupWorkingDirectory as
+	// this is done in VMCompute. Further, we couldn't do it for Hyper-V
+	// containers anyway.
+
+	// In base spec
+	s.Hostname = c.FullHostname()
+
+	if err := daemon.setupSecretDir(c); err != nil {
+		return nil, err
+	}
+
+	if err := daemon.setupConfigDir(c); err != nil {
+		return nil, err
+	}
+
+	// In s.Mounts
+	mounts, err := daemon.setupMounts(c)
+	if err != nil {
+		return nil, err
+	}
+
+	var isHyperV bool
+	if c.HostConfig.Isolation.IsDefault() {
+		// Container using default isolation, so take the default from the daemon configuration
+		isHyperV = daemon.defaultIsolation.IsHyperV()
+	} else {
+		// Container may be requesting an explicit isolation mode.
+		isHyperV = c.HostConfig.Isolation.IsHyperV()
+	}
+
+	if isHyperV {
+		s.Windows.HyperV = &specs.WindowsHyperV{}
+	}
+
+	// If the container has not been started, and has configs or secrets
+	// secrets, create symlinks to each config and secret. If it has been
+	// started before, the symlinks should have already been created. Also, it
+	// is important to not mount a Hyper-V  container that has been started
+	// before, to protect the host from the container; for example, from
+	// malicious mutation of NTFS data structures.
+	if !c.HasBeenStartedBefore && (len(c.SecretReferences) > 0 || len(c.ConfigReferences) > 0) {
+		// The container file system is mounted before this function is called,
+		// except for Hyper-V containers, so mount it here in that case.
+		if isHyperV {
+			if err := daemon.Mount(c); err != nil {
+				return nil, err
+			}
+			defer daemon.Unmount(c)
+		}
+		if err := c.CreateSecretSymlinks(); err != nil {
+			return nil, err
+		}
+		if err := c.CreateConfigSymlinks(); err != nil {
+			return nil, err
+		}
+	}
+
+	secretMounts, err := c.SecretMounts()
+	if err != nil {
+		return nil, err
+	}
+	if secretMounts != nil {
+		mounts = append(mounts, secretMounts...)
+	}
+
+	configMounts := c.ConfigMounts()
+	if configMounts != nil {
+		mounts = append(mounts, configMounts...)
+	}
+
+	for _, mount := range mounts {
+		m := specs.Mount{
+			Source:      mount.Source,
+			Destination: mount.Destination,
+		}
+		if !mount.Writable {
+			m.Options = append(m.Options, "ro")
+		}
+		if img.OS != runtime.GOOS {
+			m.Type = "bind"
+			m.Options = append(m.Options, "rbind")
+			m.Options = append(m.Options, fmt.Sprintf("uvmpath=/tmp/gcs/%s/binds", c.ID))
+		}
+		s.Mounts = append(s.Mounts, m)
+	}
+
+	// In s.Process
+	s.Process.Args = append([]string{c.Path}, c.Args...)
+	if !c.Config.ArgsEscaped && img.OS == "windows" {
+		s.Process.Args = escapeArgs(s.Process.Args)
+	}
+
+	s.Process.Cwd = c.Config.WorkingDir
+	s.Process.Env = c.CreateDaemonEnvironment(c.Config.Tty, linkedEnv)
+	if c.Config.Tty {
+		s.Process.Terminal = c.Config.Tty
+		s.Process.ConsoleSize = &specs.Box{
+			Height: c.HostConfig.ConsoleSize[0],
+			Width:  c.HostConfig.ConsoleSize[1],
+		}
+	}
+	s.Process.User.Username = c.Config.User
+	s.Windows.LayerFolders, err = daemon.imageService.GetLayerFolders(img, c.RWLayer)
+	if err != nil {
+		return nil, errors.Wrapf(err, "container %s", c.ID)
+	}
+
+	dnsSearch := daemon.getDNSSearchSettings(c)
+
+	// Get endpoints for the libnetwork allocated networks to the container
+	var epList []string
+	AllowUnqualifiedDNSQuery := false
+	gwHNSID := ""
+	if c.NetworkSettings != nil {
+		for n := range c.NetworkSettings.Networks {
+			sn, err := daemon.FindNetwork(n)
+			if err != nil {
+				continue
+			}
+
+			ep, err := getEndpointInNetwork(c.Name, sn)
+			if err != nil {
+				continue
+			}
+
+			data, err := ep.DriverInfo()
+			if err != nil {
+				continue
+			}
+
+			if data["GW_INFO"] != nil {
+				gwInfo := data["GW_INFO"].(map[string]interface{})
+				if gwInfo["hnsid"] != nil {
+					gwHNSID = gwInfo["hnsid"].(string)
+				}
+			}
+
+			if data["hnsid"] != nil {
+				epList = append(epList, data["hnsid"].(string))
+			}
+
+			if data["AllowUnqualifiedDNSQuery"] != nil {
+				AllowUnqualifiedDNSQuery = true
+			}
+		}
+	}
+
+	var networkSharedContainerID string
+	if c.HostConfig.NetworkMode.IsContainer() {
+		networkSharedContainerID = c.NetworkSharedContainerID
+		for _, ep := range c.SharedEndpointList {
+			epList = append(epList, ep)
+		}
+	}
+
+	if gwHNSID != "" {
+		epList = append(epList, gwHNSID)
+	}
+
+	s.Windows.Network = &specs.WindowsNetwork{
+		AllowUnqualifiedDNSQuery:   AllowUnqualifiedDNSQuery,
+		DNSSearchList:              dnsSearch,
+		EndpointList:               epList,
+		NetworkSharedContainerName: networkSharedContainerID,
+	}
+
+	switch img.OS {
+	case "windows":
+		if err := daemon.createSpecWindowsFields(c, &s, isHyperV); err != nil {
+			return nil, err
+		}
+	case "linux":
+		if !system.LCOWSupported() {
+			return nil, fmt.Errorf("Linux containers on Windows are not supported")
+		}
+		if err := daemon.createSpecLinuxFields(c, &s); err != nil {
+			return nil, err
+		}
+	default:
+		return nil, fmt.Errorf("Unsupported platform %q", img.OS)
+	}
+
+	return (*specs.Spec)(&s), nil
+}
+
+// Sets the Windows-specific fields of the OCI spec
+func (daemon *Daemon) createSpecWindowsFields(c *container.Container, s *specs.Spec, isHyperV bool) error {
+	if len(s.Process.Cwd) == 0 {
+		// We default to C:\ to workaround the oddity of the case that the
+		// default directory for cmd running as LocalSystem (or
+		// ContainerAdministrator) is c:\windows\system32. Hence docker run
+		// <image> cmd will by default end in c:\windows\system32, rather
+		// than 'root' (/) on Linux. The oddity is that if you have a dockerfile
+		// which has no WORKDIR and has a COPY file ., . will be interpreted
+		// as c:\. Hence, setting it to default of c:\ makes for consistency.
+		s.Process.Cwd = `C:\`
+	}
+
+	s.Root.Readonly = false // Windows does not support a read-only root filesystem
+	if !isHyperV {
+		if c.BaseFS == nil {
+			return errors.New("createSpecWindowsFields: BaseFS of container " + c.ID + " is unexpectedly nil")
+		}
+
+		s.Root.Path = c.BaseFS.Path() // This is not set for Hyper-V containers
+		if !strings.HasSuffix(s.Root.Path, `\`) {
+			s.Root.Path = s.Root.Path + `\` // Ensure a correctly formatted volume GUID path \\?\Volume{GUID}\
+		}
+	}
+
+	// First boot optimization
+	s.Windows.IgnoreFlushesDuringBoot = !c.HasBeenStartedBefore
+
+	// In s.Windows.Resources
+	cpuShares := uint16(c.HostConfig.CPUShares)
+	cpuMaximum := uint16(c.HostConfig.CPUPercent) * 100
+	cpuCount := uint64(c.HostConfig.CPUCount)
+	if c.HostConfig.NanoCPUs > 0 {
+		if isHyperV {
+			cpuCount = uint64(c.HostConfig.NanoCPUs / 1e9)
+			leftoverNanoCPUs := c.HostConfig.NanoCPUs % 1e9
+			if leftoverNanoCPUs != 0 {
+				cpuCount++
+				cpuMaximum = uint16(c.HostConfig.NanoCPUs / int64(cpuCount) / (1e9 / 10000))
+				if cpuMaximum < 1 {
+					// The requested NanoCPUs is so small that we rounded to 0, use 1 instead
+					cpuMaximum = 1
+				}
+			}
+		} else {
+			cpuMaximum = uint16(c.HostConfig.NanoCPUs / int64(sysinfo.NumCPU()) / (1e9 / 10000))
+			if cpuMaximum < 1 {
+				// The requested NanoCPUs is so small that we rounded to 0, use 1 instead
+				cpuMaximum = 1
+			}
+		}
+	}
+	memoryLimit := uint64(c.HostConfig.Memory)
+	s.Windows.Resources = &specs.WindowsResources{
+		CPU: &specs.WindowsCPUResources{
+			Maximum: &cpuMaximum,
+			Shares:  &cpuShares,
+			Count:   &cpuCount,
+		},
+		Memory: &specs.WindowsMemoryResources{
+			Limit: &memoryLimit,
+		},
+		Storage: &specs.WindowsStorageResources{
+			Bps:  &c.HostConfig.IOMaximumBandwidth,
+			Iops: &c.HostConfig.IOMaximumIOps,
+		},
+	}
+
+	// Read and add credentials from the security options if a credential spec has been provided.
+	if c.HostConfig.SecurityOpt != nil {
+		cs := ""
+		for _, sOpt := range c.HostConfig.SecurityOpt {
+			sOpt = strings.ToLower(sOpt)
+			if !strings.Contains(sOpt, "=") {
+				return fmt.Errorf("invalid security option: no equals sign in supplied value %s", sOpt)
+			}
+			var splitsOpt []string
+			splitsOpt = strings.SplitN(sOpt, "=", 2)
+			if len(splitsOpt) != 2 {
+				return fmt.Errorf("invalid security option: %s", sOpt)
+			}
+			if splitsOpt[0] != "credentialspec" {
+				return fmt.Errorf("security option not supported: %s", splitsOpt[0])
+			}
+
+			var (
+				match   bool
+				csValue string
+				err     error
+			)
+			if match, csValue = getCredentialSpec("file://", splitsOpt[1]); match {
+				if csValue == "" {
+					return fmt.Errorf("no value supplied for file:// credential spec security option")
+				}
+				if cs, err = readCredentialSpecFile(c.ID, daemon.root, filepath.Clean(csValue)); err != nil {
+					return err
+				}
+			} else if match, csValue = getCredentialSpec("registry://", splitsOpt[1]); match {
+				if csValue == "" {
+					return fmt.Errorf("no value supplied for registry:// credential spec security option")
+				}
+				if cs, err = readCredentialSpecRegistry(c.ID, csValue); err != nil {
+					return err
+				}
+			} else {
+				return fmt.Errorf("invalid credential spec security option - value must be prefixed file:// or registry:// followed by a value")
+			}
+		}
+		s.Windows.CredentialSpec = cs
+	}
+
+	return nil
+}
+
+// Sets the Linux-specific fields of the OCI spec
+// TODO: @jhowardmsft LCOW Support. We need to do a lot more pulling in what can
+// be pulled in from oci_linux.go.
+func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spec) error {
+	if len(s.Process.Cwd) == 0 {
+		s.Process.Cwd = `/`
+	}
+	s.Root.Path = "rootfs"
+	s.Root.Readonly = c.HostConfig.ReadonlyRootfs
+	if err := setCapabilities(s, c); err != nil {
+		return fmt.Errorf("linux spec capabilities: %v", err)
+	}
+	devPermissions, err := appendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
+	if err != nil {
+		return fmt.Errorf("linux runtime spec devices: %v", err)
+	}
+	s.Linux.Resources.Devices = devPermissions
+	return nil
+}
+
+func escapeArgs(args []string) []string {
+	escapedArgs := make([]string, len(args))
+	for i, a := range args {
+		escapedArgs[i] = windows.EscapeArg(a)
+	}
+	return escapedArgs
+}
+
+// mergeUlimits merge the Ulimits from HostConfig with daemon defaults, and update HostConfig
+// It will do nothing on non-Linux platform
+func (daemon *Daemon) mergeUlimits(c *containertypes.HostConfig) {
+	return
+}
+
+// getCredentialSpec is a helper function to get the value of a credential spec supplied
+// on the CLI, stripping the prefix
+func getCredentialSpec(prefix, value string) (bool, string) {
+	if strings.HasPrefix(value, prefix) {
+		return true, strings.TrimPrefix(value, prefix)
+	}
+	return false, ""
+}
+
+// readCredentialSpecRegistry is a helper function to read a credential spec from
+// the registry. If not found, we return an empty string and warn in the log.
+// This allows for staging on machines which do not have the necessary components.
+func readCredentialSpecRegistry(id, name string) (string, error) {
+	var (
+		k   registry.Key
+		err error
+		val string
+	)
+	if k, err = registry.OpenKey(registry.LOCAL_MACHINE, credentialSpecRegistryLocation, registry.QUERY_VALUE); err != nil {
+		return "", fmt.Errorf("failed handling spec %q for container %s - %s could not be opened", name, id, credentialSpecRegistryLocation)
+	}
+	if val, _, err = k.GetStringValue(name); err != nil {
+		if err == registry.ErrNotExist {
+			return "", fmt.Errorf("credential spec %q for container %s as it was not found", name, id)
+		}
+		return "", fmt.Errorf("error %v reading credential spec %q from registry for container %s", err, name, id)
+	}
+	return val, nil
+}
+
+// readCredentialSpecFile is a helper function to read a credential spec from
+// a file. If not found, we return an empty string and warn in the log.
+// This allows for staging on machines which do not have the necessary components.
+func readCredentialSpecFile(id, root, location string) (string, error) {
+	if filepath.IsAbs(location) {
+		return "", fmt.Errorf("invalid credential spec - file:// path cannot be absolute")
+	}
+	base := filepath.Join(root, credentialSpecFileLocation)
+	full := filepath.Join(base, location)
+	if !strings.HasPrefix(full, base) {
+		return "", fmt.Errorf("invalid credential spec - file:// path must be under %s", base)
+	}
+	bcontents, err := ioutil.ReadFile(full)
+	if err != nil {
+		return "", fmt.Errorf("credential spec '%s' for container %s as the file could not be read: %q", full, id, err)
+	}
+	return string(bcontents[:]), nil
+}
diff --git a/engine/daemon/pause.go b/engine/daemon/pause.go
new file mode 100644
index 00000000..be6ec1b9
--- /dev/null
+++ b/engine/daemon/pause.go
@@ -0,0 +1,55 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/docker/container"
+	"github.com/sirupsen/logrus"
+)
+
+// ContainerPause pauses a container
+func (daemon *Daemon) ContainerPause(name string) error {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+	return daemon.containerPause(container)
+}
+
+// containerPause pauses the container execution without stopping the process.
+// The execution can be resumed by calling containerUnpause.
+func (daemon *Daemon) containerPause(container *container.Container) error {
+	container.Lock()
+	defer container.Unlock()
+
+	// We cannot Pause the container which is not running
+	if !container.Running {
+		return errNotRunning(container.ID)
+	}
+
+	// We cannot Pause the container which is already paused
+	if container.Paused {
+		return errNotPaused(container.ID)
+	}
+
+	// We cannot Pause the container which is restarting
+	if container.Restarting {
+		return errContainerIsRestarting(container.ID)
+	}
+
+	if err := daemon.containerd.Pause(context.Background(), container.ID); err != nil {
+		return fmt.Errorf("Cannot pause container %s: %s", container.ID, err)
+	}
+
+	container.Paused = true
+	daemon.setStateCounter(container)
+	daemon.updateHealthMonitor(container)
+	daemon.LogContainerEvent(container, "pause")
+
+	if err := container.CheckpointTo(daemon.containersReplica); err != nil {
+		logrus.WithError(err).Warn("could not save container to disk")
+	}
+
+	return nil
+}
diff --git a/engine/daemon/prune.go b/engine/daemon/prune.go
new file mode 100644
index 00000000..b690f2e5
--- /dev/null
+++ b/engine/daemon/prune.go
@@ -0,0 +1,250 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"sync/atomic"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	timetypes "github.com/docker/docker/api/types/time"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/runconfig"
+	"github.com/docker/libnetwork"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// errPruneRunning is returned when a prune request is received while
+	// one is in progress
+	errPruneRunning = errdefs.Conflict(errors.New("a prune operation is already running"))
+
+	containersAcceptedFilters = map[string]bool{
+		"label":  true,
+		"label!": true,
+		"until":  true,
+	}
+
+	networksAcceptedFilters = map[string]bool{
+		"label":  true,
+		"label!": true,
+		"until":  true,
+	}
+)
+
+// ContainersPrune removes unused containers
+func (daemon *Daemon) ContainersPrune(ctx context.Context, pruneFilters filters.Args) (*types.ContainersPruneReport, error) {
+	if !atomic.CompareAndSwapInt32(&daemon.pruneRunning, 0, 1) {
+		return nil, errPruneRunning
+	}
+	defer atomic.StoreInt32(&daemon.pruneRunning, 0)
+
+	rep := &types.ContainersPruneReport{}
+
+	// make sure that only accepted filters have been received
+	err := pruneFilters.Validate(containersAcceptedFilters)
+	if err != nil {
+		return nil, err
+	}
+
+	until, err := getUntilFromPruneFilters(pruneFilters)
+	if err != nil {
+		return nil, err
+	}
+
+	allContainers := daemon.List()
+	for _, c := range allContainers {
+		select {
+		case <-ctx.Done():
+			logrus.Debugf("ContainersPrune operation cancelled: %#v", *rep)
+			return rep, nil
+		default:
+		}
+
+		if !c.IsRunning() {
+			if !until.IsZero() && c.Created.After(until) {
+				continue
+			}
+			if !matchLabels(pruneFilters, c.Config.Labels) {
+				continue
+			}
+			cSize, _ := daemon.imageService.GetContainerLayerSize(c.ID)
+			// TODO: sets RmLink to true?
+			err := daemon.ContainerRm(c.ID, &types.ContainerRmConfig{})
+			if err != nil {
+				logrus.Warnf("failed to prune container %s: %v", c.ID, err)
+				continue
+			}
+			if cSize > 0 {
+				rep.SpaceReclaimed += uint64(cSize)
+			}
+			rep.ContainersDeleted = append(rep.ContainersDeleted, c.ID)
+		}
+	}
+
+	return rep, nil
+}
+
+// localNetworksPrune removes unused local networks
+func (daemon *Daemon) localNetworksPrune(ctx context.Context, pruneFilters filters.Args) *types.NetworksPruneReport {
+	rep := &types.NetworksPruneReport{}
+
+	until, _ := getUntilFromPruneFilters(pruneFilters)
+
+	// When the function returns true, the walk will stop.
+	l := func(nw libnetwork.Network) bool {
+		select {
+		case <-ctx.Done():
+			// context cancelled
+			return true
+		default:
+		}
+		if nw.Info().ConfigOnly() {
+			return false
+		}
+		if !until.IsZero() && nw.Info().Created().After(until) {
+			return false
+		}
+		if !matchLabels(pruneFilters, nw.Info().Labels()) {
+			return false
+		}
+		nwName := nw.Name()
+		if runconfig.IsPreDefinedNetwork(nwName) {
+			return false
+		}
+		if len(nw.Endpoints()) > 0 {
+			return false
+		}
+		if err := daemon.DeleteNetwork(nw.ID()); err != nil {
+			logrus.Warnf("could not remove local network %s: %v", nwName, err)
+			return false
+		}
+		rep.NetworksDeleted = append(rep.NetworksDeleted, nwName)
+		return false
+	}
+	daemon.netController.WalkNetworks(l)
+	return rep
+}
+
+// clusterNetworksPrune removes unused cluster networks
+func (daemon *Daemon) clusterNetworksPrune(ctx context.Context, pruneFilters filters.Args) (*types.NetworksPruneReport, error) {
+	rep := &types.NetworksPruneReport{}
+
+	until, _ := getUntilFromPruneFilters(pruneFilters)
+
+	cluster := daemon.GetCluster()
+
+	if !cluster.IsManager() {
+		return rep, nil
+	}
+
+	networks, err := cluster.GetNetworks()
+	if err != nil {
+		return rep, err
+	}
+	networkIsInUse := regexp.MustCompile(`network ([[:alnum:]]+) is in use`)
+	for _, nw := range networks {
+		select {
+		case <-ctx.Done():
+			return rep, nil
+		default:
+			if nw.Ingress {
+				// Routing-mesh network removal has to be explicitly invoked by user
+				continue
+			}
+			if !until.IsZero() && nw.Created.After(until) {
+				continue
+			}
+			if !matchLabels(pruneFilters, nw.Labels) {
+				continue
+			}
+			// https://github.com/docker/docker/issues/24186
+			// `docker network inspect` unfortunately displays ONLY those containers that are local to that node.
+			// So we try to remove it anyway and check the error
+			err = cluster.RemoveNetwork(nw.ID)
+			if err != nil {
+				// we can safely ignore the "network .. is in use" error
+				match := networkIsInUse.FindStringSubmatch(err.Error())
+				if len(match) != 2 || match[1] != nw.ID {
+					logrus.Warnf("could not remove cluster network %s: %v", nw.Name, err)
+				}
+				continue
+			}
+			rep.NetworksDeleted = append(rep.NetworksDeleted, nw.Name)
+		}
+	}
+	return rep, nil
+}
+
+// NetworksPrune removes unused networks
+func (daemon *Daemon) NetworksPrune(ctx context.Context, pruneFilters filters.Args) (*types.NetworksPruneReport, error) {
+	if !atomic.CompareAndSwapInt32(&daemon.pruneRunning, 0, 1) {
+		return nil, errPruneRunning
+	}
+	defer atomic.StoreInt32(&daemon.pruneRunning, 0)
+
+	// make sure that only accepted filters have been received
+	err := pruneFilters.Validate(networksAcceptedFilters)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err := getUntilFromPruneFilters(pruneFilters); err != nil {
+		return nil, err
+	}
+
+	rep := &types.NetworksPruneReport{}
+	if clusterRep, err := daemon.clusterNetworksPrune(ctx, pruneFilters); err == nil {
+		rep.NetworksDeleted = append(rep.NetworksDeleted, clusterRep.NetworksDeleted...)
+	}
+
+	localRep := daemon.localNetworksPrune(ctx, pruneFilters)
+	rep.NetworksDeleted = append(rep.NetworksDeleted, localRep.NetworksDeleted...)
+
+	select {
+	case <-ctx.Done():
+		logrus.Debugf("NetworksPrune operation cancelled: %#v", *rep)
+		return rep, nil
+	default:
+	}
+
+	return rep, nil
+}
+
+func getUntilFromPruneFilters(pruneFilters filters.Args) (time.Time, error) {
+	until := time.Time{}
+	if !pruneFilters.Contains("until") {
+		return until, nil
+	}
+	untilFilters := pruneFilters.Get("until")
+	if len(untilFilters) > 1 {
+		return until, fmt.Errorf("more than one until filter specified")
+	}
+	ts, err := timetypes.GetTimestamp(untilFilters[0], time.Now())
+	if err != nil {
+		return until, err
+	}
+	seconds, nanoseconds, err := timetypes.ParseTimestamps(ts, 0)
+	if err != nil {
+		return until, err
+	}
+	until = time.Unix(seconds, nanoseconds)
+	return until, nil
+}
+
+func matchLabels(pruneFilters filters.Args, labels map[string]string) bool {
+	if !pruneFilters.MatchKVList("label", labels) {
+		return false
+	}
+	// By default MatchKVList will return true if field (like 'label!') does not exist
+	// So we have to add additional Contains("label!") check
+	if pruneFilters.Contains("label!") {
+		if pruneFilters.MatchKVList("label!", labels) {
+			return false
+		}
+	}
+	return true
+}
diff --git a/engine/daemon/reload.go b/engine/daemon/reload.go
new file mode 100644
index 00000000..210864ff
--- /dev/null
+++ b/engine/daemon/reload.go
@@ -0,0 +1,324 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/daemon/discovery"
+	"github.com/sirupsen/logrus"
+)
+
+// Reload reads configuration changes and modifies the
+// daemon according to those changes.
+// These are the settings that Reload changes:
+// - Platform runtime
+// - Daemon debug log level
+// - Daemon max concurrent downloads
+// - Daemon max concurrent uploads
+// - Daemon shutdown timeout (in seconds)
+// - Cluster discovery (reconfigure and restart)
+// - Daemon labels
+// - Insecure registries
+// - Registry mirrors
+// - Daemon live restore
+func (daemon *Daemon) Reload(conf *config.Config) (err error) {
+	daemon.configStore.Lock()
+	attributes := map[string]string{}
+
+	defer func() {
+		jsonString, _ := json.Marshal(daemon.configStore)
+
+		// we're unlocking here, because
+		// LogDaemonEventWithAttributes() -> SystemInfo() -> GetAllRuntimes()
+		// holds that lock too.
+		daemon.configStore.Unlock()
+		if err == nil {
+			logrus.Infof("Reloaded configuration: %s", jsonString)
+			daemon.LogDaemonEventWithAttributes("reload", attributes)
+		}
+	}()
+
+	if err := daemon.reloadPlatform(conf, attributes); err != nil {
+		return err
+	}
+	daemon.reloadDebug(conf, attributes)
+	daemon.reloadMaxConcurrentDownloadsAndUploads(conf, attributes)
+	daemon.reloadShutdownTimeout(conf, attributes)
+
+	if err := daemon.reloadClusterDiscovery(conf, attributes); err != nil {
+		return err
+	}
+	if err := daemon.reloadLabels(conf, attributes); err != nil {
+		return err
+	}
+	if err := daemon.reloadAllowNondistributableArtifacts(conf, attributes); err != nil {
+		return err
+	}
+	if err := daemon.reloadInsecureRegistries(conf, attributes); err != nil {
+		return err
+	}
+	if err := daemon.reloadRegistryMirrors(conf, attributes); err != nil {
+		return err
+	}
+	if err := daemon.reloadLiveRestore(conf, attributes); err != nil {
+		return err
+	}
+	return daemon.reloadNetworkDiagnosticPort(conf, attributes)
+}
+
+// reloadDebug updates configuration with Debug option
+// and updates the passed attributes
+func (daemon *Daemon) reloadDebug(conf *config.Config, attributes map[string]string) {
+	// update corresponding configuration
+	if conf.IsValueSet("debug") {
+		daemon.configStore.Debug = conf.Debug
+	}
+	// prepare reload event attributes with updatable configurations
+	attributes["debug"] = fmt.Sprintf("%t", daemon.configStore.Debug)
+}
+
+// reloadMaxConcurrentDownloadsAndUploads updates configuration with max concurrent
+// download and upload options and updates the passed attributes
+func (daemon *Daemon) reloadMaxConcurrentDownloadsAndUploads(conf *config.Config, attributes map[string]string) {
+	// If no value is set for max-concurrent-downloads we assume it is the default value
+	// We always "reset" as the cost is lightweight and easy to maintain.
+	if conf.IsValueSet("max-concurrent-downloads") && conf.MaxConcurrentDownloads != nil {
+		*daemon.configStore.MaxConcurrentDownloads = *conf.MaxConcurrentDownloads
+	} else {
+		maxConcurrentDownloads := config.DefaultMaxConcurrentDownloads
+		daemon.configStore.MaxConcurrentDownloads = &maxConcurrentDownloads
+	}
+	logrus.Debugf("Reset Max Concurrent Downloads: %d", *daemon.configStore.MaxConcurrentDownloads)
+
+	// If no value is set for max-concurrent-upload we assume it is the default value
+	// We always "reset" as the cost is lightweight and easy to maintain.
+	if conf.IsValueSet("max-concurrent-uploads") && conf.MaxConcurrentUploads != nil {
+		*daemon.configStore.MaxConcurrentUploads = *conf.MaxConcurrentUploads
+	} else {
+		maxConcurrentUploads := config.DefaultMaxConcurrentUploads
+		daemon.configStore.MaxConcurrentUploads = &maxConcurrentUploads
+	}
+	logrus.Debugf("Reset Max Concurrent Uploads: %d", *daemon.configStore.MaxConcurrentUploads)
+
+	daemon.imageService.UpdateConfig(conf.MaxConcurrentDownloads, conf.MaxConcurrentUploads)
+	// prepare reload event attributes with updatable configurations
+	attributes["max-concurrent-downloads"] = fmt.Sprintf("%d", *daemon.configStore.MaxConcurrentDownloads)
+	// prepare reload event attributes with updatable configurations
+	attributes["max-concurrent-uploads"] = fmt.Sprintf("%d", *daemon.configStore.MaxConcurrentUploads)
+}
+
+// reloadShutdownTimeout updates configuration with daemon shutdown timeout option
+// and updates the passed attributes
+func (daemon *Daemon) reloadShutdownTimeout(conf *config.Config, attributes map[string]string) {
+	// update corresponding configuration
+	if conf.IsValueSet("shutdown-timeout") {
+		daemon.configStore.ShutdownTimeout = conf.ShutdownTimeout
+		logrus.Debugf("Reset Shutdown Timeout: %d", daemon.configStore.ShutdownTimeout)
+	}
+
+	// prepare reload event attributes with updatable configurations
+	attributes["shutdown-timeout"] = fmt.Sprintf("%d", daemon.configStore.ShutdownTimeout)
+}
+
+// reloadClusterDiscovery updates configuration with cluster discovery options
+// and updates the passed attributes
+func (daemon *Daemon) reloadClusterDiscovery(conf *config.Config, attributes map[string]string) (err error) {
+	defer func() {
+		// prepare reload event attributes with updatable configurations
+		attributes["cluster-store"] = conf.ClusterStore
+		attributes["cluster-advertise"] = conf.ClusterAdvertise
+
+		attributes["cluster-store-opts"] = "{}"
+		if daemon.configStore.ClusterOpts != nil {
+			opts, err2 := json.Marshal(conf.ClusterOpts)
+			if err != nil {
+				err = err2
+			}
+			attributes["cluster-store-opts"] = string(opts)
+		}
+	}()
+
+	newAdvertise := conf.ClusterAdvertise
+	newClusterStore := daemon.configStore.ClusterStore
+	if conf.IsValueSet("cluster-advertise") {
+		if conf.IsValueSet("cluster-store") {
+			newClusterStore = conf.ClusterStore
+		}
+		newAdvertise, err = config.ParseClusterAdvertiseSettings(newClusterStore, conf.ClusterAdvertise)
+		if err != nil && err != discovery.ErrDiscoveryDisabled {
+			return err
+		}
+	}
+
+	if daemon.clusterProvider != nil {
+		if err := conf.IsSwarmCompatible(); err != nil {
+			return err
+		}
+	}
+
+	// check discovery modifications
+	if !config.ModifiedDiscoverySettings(daemon.configStore, newClusterStore, newAdvertise, conf.ClusterOpts) {
+		return nil
+	}
+
+	// enable discovery for the first time if it was not previously enabled
+	if daemon.discoveryWatcher == nil {
+		discoveryWatcher, err := discovery.Init(newClusterStore, newAdvertise, conf.ClusterOpts)
+		if err != nil {
+			return fmt.Errorf("failed to initialize discovery: %v", err)
+		}
+		daemon.discoveryWatcher = discoveryWatcher
+	} else if err == discovery.ErrDiscoveryDisabled {
+		// disable discovery if it was previously enabled and it's disabled now
+		daemon.discoveryWatcher.Stop()
+	} else if err = daemon.discoveryWatcher.Reload(conf.ClusterStore, newAdvertise, conf.ClusterOpts); err != nil {
+		// reload discovery
+		return err
+	}
+
+	daemon.configStore.ClusterStore = newClusterStore
+	daemon.configStore.ClusterOpts = conf.ClusterOpts
+	daemon.configStore.ClusterAdvertise = newAdvertise
+
+	if daemon.netController == nil {
+		return nil
+	}
+	netOptions, err := daemon.networkOptions(daemon.configStore, daemon.PluginStore, nil)
+	if err != nil {
+		logrus.WithError(err).Warnf("failed to get options with network controller")
+		return nil
+	}
+	err = daemon.netController.ReloadConfiguration(netOptions...)
+	if err != nil {
+		logrus.Warnf("Failed to reload configuration with network controller: %v", err)
+	}
+	return nil
+}
+
+// reloadLabels updates configuration with engine labels
+// and updates the passed attributes
+func (daemon *Daemon) reloadLabels(conf *config.Config, attributes map[string]string) error {
+	// update corresponding configuration
+	if conf.IsValueSet("labels") {
+		daemon.configStore.Labels = conf.Labels
+	}
+
+	// prepare reload event attributes with updatable configurations
+	if daemon.configStore.Labels != nil {
+		labels, err := json.Marshal(daemon.configStore.Labels)
+		if err != nil {
+			return err
+		}
+		attributes["labels"] = string(labels)
+	} else {
+		attributes["labels"] = "[]"
+	}
+
+	return nil
+}
+
+// reloadAllowNondistributableArtifacts updates the configuration with allow-nondistributable-artifacts options
+// and updates the passed attributes.
+func (daemon *Daemon) reloadAllowNondistributableArtifacts(conf *config.Config, attributes map[string]string) error {
+	// Update corresponding configuration.
+	if conf.IsValueSet("allow-nondistributable-artifacts") {
+		daemon.configStore.AllowNondistributableArtifacts = conf.AllowNondistributableArtifacts
+		if err := daemon.RegistryService.LoadAllowNondistributableArtifacts(conf.AllowNondistributableArtifacts); err != nil {
+			return err
+		}
+	}
+
+	// Prepare reload event attributes with updatable configurations.
+	if daemon.configStore.AllowNondistributableArtifacts != nil {
+		v, err := json.Marshal(daemon.configStore.AllowNondistributableArtifacts)
+		if err != nil {
+			return err
+		}
+		attributes["allow-nondistributable-artifacts"] = string(v)
+	} else {
+		attributes["allow-nondistributable-artifacts"] = "[]"
+	}
+
+	return nil
+}
+
+// reloadInsecureRegistries updates configuration with insecure registry option
+// and updates the passed attributes
+func (daemon *Daemon) reloadInsecureRegistries(conf *config.Config, attributes map[string]string) error {
+	// update corresponding configuration
+	if conf.IsValueSet("insecure-registries") {
+		daemon.configStore.InsecureRegistries = conf.InsecureRegistries
+		if err := daemon.RegistryService.LoadInsecureRegistries(conf.InsecureRegistries); err != nil {
+			return err
+		}
+	}
+
+	// prepare reload event attributes with updatable configurations
+	if daemon.configStore.InsecureRegistries != nil {
+		insecureRegistries, err := json.Marshal(daemon.configStore.InsecureRegistries)
+		if err != nil {
+			return err
+		}
+		attributes["insecure-registries"] = string(insecureRegistries)
+	} else {
+		attributes["insecure-registries"] = "[]"
+	}
+
+	return nil
+}
+
+// reloadRegistryMirrors updates configuration with registry mirror options
+// and updates the passed attributes
+func (daemon *Daemon) reloadRegistryMirrors(conf *config.Config, attributes map[string]string) error {
+	// update corresponding configuration
+	if conf.IsValueSet("registry-mirrors") {
+		daemon.configStore.Mirrors = conf.Mirrors
+		if err := daemon.RegistryService.LoadMirrors(conf.Mirrors); err != nil {
+			return err
+		}
+	}
+
+	// prepare reload event attributes with updatable configurations
+	if daemon.configStore.Mirrors != nil {
+		mirrors, err := json.Marshal(daemon.configStore.Mirrors)
+		if err != nil {
+			return err
+		}
+		attributes["registry-mirrors"] = string(mirrors)
+	} else {
+		attributes["registry-mirrors"] = "[]"
+	}
+
+	return nil
+}
+
+// reloadLiveRestore updates configuration with live retore option
+// and updates the passed attributes
+func (daemon *Daemon) reloadLiveRestore(conf *config.Config, attributes map[string]string) error {
+	// update corresponding configuration
+	if conf.IsValueSet("live-restore") {
+		daemon.configStore.LiveRestoreEnabled = conf.LiveRestoreEnabled
+	}
+
+	// prepare reload event attributes with updatable configurations
+	attributes["live-restore"] = fmt.Sprintf("%t", daemon.configStore.LiveRestoreEnabled)
+	return nil
+}
+
+// reloadNetworkDiagnosticPort updates the network controller starting the diagnostic if the config is valid
+func (daemon *Daemon) reloadNetworkDiagnosticPort(conf *config.Config, attributes map[string]string) error {
+	if conf == nil || daemon.netController == nil || !conf.IsValueSet("network-diagnostic-port") ||
+		conf.NetworkDiagnosticPort < 1 || conf.NetworkDiagnosticPort > 65535 {
+		// If there is no config make sure that the diagnostic is off
+		if daemon.netController != nil {
+			daemon.netController.StopDiagnostic()
+		}
+		return nil
+	}
+	// Enable the network diagnostic if the flag is set with a valid port withing the range
+	logrus.WithFields(logrus.Fields{"port": conf.NetworkDiagnosticPort, "ip": "127.0.0.1"}).Warn("Starting network diagnostic server")
+	daemon.netController.StartDiagnostic(conf.NetworkDiagnosticPort)
+
+	return nil
+}
diff --git a/engine/daemon/reload_test.go b/engine/daemon/reload_test.go
new file mode 100644
index 00000000..ffad297f
--- /dev/null
+++ b/engine/daemon/reload_test.go
@@ -0,0 +1,573 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"os"
+	"reflect"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/daemon/config"
+	"github.com/docker/docker/daemon/images"
+	"github.com/docker/docker/pkg/discovery"
+	_ "github.com/docker/docker/pkg/discovery/memory"
+	"github.com/docker/docker/registry"
+	"github.com/docker/libnetwork"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestDaemonReloadLabels(t *testing.T) {
+	daemon := &Daemon{
+		configStore: &config.Config{
+			CommonConfig: config.CommonConfig{
+				Labels: []string{"foo:bar"},
+			},
+		},
+		imageService: images.NewImageService(images.ImageServiceConfig{}),
+	}
+
+	valuesSets := make(map[string]interface{})
+	valuesSets["labels"] = "foo:baz"
+	newConfig := &config.Config{
+		CommonConfig: config.CommonConfig{
+			Labels:    []string{"foo:baz"},
+			ValuesSet: valuesSets,
+		},
+	}
+
+	if err := daemon.Reload(newConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	label := daemon.configStore.Labels[0]
+	if label != "foo:baz" {
+		t.Fatalf("Expected daemon label `foo:baz`, got %s", label)
+	}
+}
+
+func TestDaemonReloadAllowNondistributableArtifacts(t *testing.T) {
+	daemon := &Daemon{
+		configStore:  &config.Config{},
+		imageService: images.NewImageService(images.ImageServiceConfig{}),
+	}
+
+	var err error
+	// Initialize daemon with some registries.
+	daemon.RegistryService, err = registry.NewService(registry.ServiceOptions{
+		AllowNondistributableArtifacts: []string{
+			"127.0.0.0/8",
+			"10.10.1.11:5000",
+			"10.10.1.22:5000", // This will be removed during reload.
+			"docker1.com",
+			"docker2.com", // This will be removed during reload.
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	registries := []string{
+		"127.0.0.0/8",
+		"10.10.1.11:5000",
+		"10.10.1.33:5000", // This will be added during reload.
+		"docker1.com",
+		"docker3.com", // This will be added during reload.
+	}
+
+	newConfig := &config.Config{
+		CommonConfig: config.CommonConfig{
+			ServiceOptions: registry.ServiceOptions{
+				AllowNondistributableArtifacts: registries,
+			},
+			ValuesSet: map[string]interface{}{
+				"allow-nondistributable-artifacts": registries,
+			},
+		},
+	}
+
+	if err := daemon.Reload(newConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	var actual []string
+	serviceConfig := daemon.RegistryService.ServiceConfig()
+	for _, value := range serviceConfig.AllowNondistributableArtifactsCIDRs {
+		actual = append(actual, value.String())
+	}
+	actual = append(actual, serviceConfig.AllowNondistributableArtifactsHostnames...)
+
+	sort.Strings(registries)
+	sort.Strings(actual)
+	assert.Check(t, is.DeepEqual(registries, actual))
+}
+
+func TestDaemonReloadMirrors(t *testing.T) {
+	daemon := &Daemon{
+		imageService: images.NewImageService(images.ImageServiceConfig{}),
+	}
+	var err error
+	daemon.RegistryService, err = registry.NewService(registry.ServiceOptions{
+		InsecureRegistries: []string{},
+		Mirrors: []string{
+			"https://mirror.test1.com",
+			"https://mirror.test2.com", // this will be removed when reloading
+			"https://mirror.test3.com", // this will be removed when reloading
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	daemon.configStore = &config.Config{}
+
+	type pair struct {
+		valid   bool
+		mirrors []string
+		after   []string
+	}
+
+	loadMirrors := []pair{
+		{
+			valid:   false,
+			mirrors: []string{"10.10.1.11:5000"}, // this mirror is invalid
+			after:   []string{},
+		},
+		{
+			valid:   false,
+			mirrors: []string{"mirror.test1.com"}, // this mirror is invalid
+			after:   []string{},
+		},
+		{
+			valid:   false,
+			mirrors: []string{"10.10.1.11:5000", "mirror.test1.com"}, // mirrors are invalid
+			after:   []string{},
+		},
+		{
+			valid:   true,
+			mirrors: []string{"https://mirror.test1.com", "https://mirror.test4.com"},
+			after:   []string{"https://mirror.test1.com/", "https://mirror.test4.com/"},
+		},
+	}
+
+	for _, value := range loadMirrors {
+		valuesSets := make(map[string]interface{})
+		valuesSets["registry-mirrors"] = value.mirrors
+
+		newConfig := &config.Config{
+			CommonConfig: config.CommonConfig{
+				ServiceOptions: registry.ServiceOptions{
+					Mirrors: value.mirrors,
+				},
+				ValuesSet: valuesSets,
+			},
+		}
+
+		err := daemon.Reload(newConfig)
+		if !value.valid && err == nil {
+			// mirrors should be invalid, should be a non-nil error
+			t.Fatalf("Expected daemon reload error with invalid mirrors: %s, while get nil", value.mirrors)
+		}
+
+		if value.valid {
+			if err != nil {
+				// mirrors should be valid, should be no error
+				t.Fatal(err)
+			}
+			registryService := daemon.RegistryService.ServiceConfig()
+
+			if len(registryService.Mirrors) != len(value.after) {
+				t.Fatalf("Expected %d daemon mirrors %s while get %d with %s",
+					len(value.after),
+					value.after,
+					len(registryService.Mirrors),
+					registryService.Mirrors)
+			}
+
+			dataMap := map[string]struct{}{}
+
+			for _, mirror := range registryService.Mirrors {
+				if _, exist := dataMap[mirror]; !exist {
+					dataMap[mirror] = struct{}{}
+				}
+			}
+
+			for _, address := range value.after {
+				if _, exist := dataMap[address]; !exist {
+					t.Fatalf("Expected %s in daemon mirrors, while get none", address)
+				}
+			}
+		}
+	}
+}
+
+func TestDaemonReloadInsecureRegistries(t *testing.T) {
+	daemon := &Daemon{
+		imageService: images.NewImageService(images.ImageServiceConfig{}),
+	}
+	var err error
+	// initialize daemon with existing insecure registries: "127.0.0.0/8", "10.10.1.11:5000", "10.10.1.22:5000"
+	daemon.RegistryService, err = registry.NewService(registry.ServiceOptions{
+		InsecureRegistries: []string{
+			"127.0.0.0/8",
+			"10.10.1.11:5000",
+			"10.10.1.22:5000", // this will be removed when reloading
+			"docker1.com",
+			"docker2.com", // this will be removed when reloading
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	daemon.configStore = &config.Config{}
+
+	insecureRegistries := []string{
+		"127.0.0.0/8",     // this will be kept
+		"10.10.1.11:5000", // this will be kept
+		"10.10.1.33:5000", // this will be newly added
+		"docker1.com",     // this will be kept
+		"docker3.com",     // this will be newly added
+	}
+
+	valuesSets := make(map[string]interface{})
+	valuesSets["insecure-registries"] = insecureRegistries
+
+	newConfig := &config.Config{
+		CommonConfig: config.CommonConfig{
+			ServiceOptions: registry.ServiceOptions{
+				InsecureRegistries: insecureRegistries,
+			},
+			ValuesSet: valuesSets,
+		},
+	}
+
+	if err := daemon.Reload(newConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	// After Reload, daemon.RegistryService will be changed which is useful
+	// for registry communication in daemon.
+	registries := daemon.RegistryService.ServiceConfig()
+
+	// After Reload(), newConfig has come to registries.InsecureRegistryCIDRs and registries.IndexConfigs in daemon.
+	// Then collect registries.InsecureRegistryCIDRs in dataMap.
+	// When collecting, we need to convert CIDRS into string as a key,
+	// while the times of key appears as value.
+	dataMap := map[string]int{}
+	for _, value := range registries.InsecureRegistryCIDRs {
+		if _, ok := dataMap[value.String()]; !ok {
+			dataMap[value.String()] = 1
+		} else {
+			dataMap[value.String()]++
+		}
+	}
+
+	for _, value := range registries.IndexConfigs {
+		if _, ok := dataMap[value.Name]; !ok {
+			dataMap[value.Name] = 1
+		} else {
+			dataMap[value.Name]++
+		}
+	}
+
+	// Finally compare dataMap with the original insecureRegistries.
+	// Each value in insecureRegistries should appear in daemon's insecure registries,
+	// and each can only appear exactly ONCE.
+	for _, r := range insecureRegistries {
+		if value, ok := dataMap[r]; !ok {
+			t.Fatalf("Expected daemon insecure registry %s, got none", r)
+		} else if value != 1 {
+			t.Fatalf("Expected only 1 daemon insecure registry %s, got %d", r, value)
+		}
+	}
+
+	// assert if "10.10.1.22:5000" is removed when reloading
+	if value, ok := dataMap["10.10.1.22:5000"]; ok {
+		t.Fatalf("Expected no insecure registry of 10.10.1.22:5000, got %d", value)
+	}
+
+	// assert if "docker2.com" is removed when reloading
+	if value, ok := dataMap["docker2.com"]; ok {
+		t.Fatalf("Expected no insecure registry of docker2.com, got %d", value)
+	}
+}
+
+func TestDaemonReloadNotAffectOthers(t *testing.T) {
+	daemon := &Daemon{
+		imageService: images.NewImageService(images.ImageServiceConfig{}),
+	}
+	daemon.configStore = &config.Config{
+		CommonConfig: config.CommonConfig{
+			Labels: []string{"foo:bar"},
+			Debug:  true,
+		},
+	}
+
+	valuesSets := make(map[string]interface{})
+	valuesSets["labels"] = "foo:baz"
+	newConfig := &config.Config{
+		CommonConfig: config.CommonConfig{
+			Labels:    []string{"foo:baz"},
+			ValuesSet: valuesSets,
+		},
+	}
+
+	if err := daemon.Reload(newConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	label := daemon.configStore.Labels[0]
+	if label != "foo:baz" {
+		t.Fatalf("Expected daemon label `foo:baz`, got %s", label)
+	}
+	debug := daemon.configStore.Debug
+	if !debug {
+		t.Fatal("Expected debug 'enabled', got 'disabled'")
+	}
+}
+
+func TestDaemonDiscoveryReload(t *testing.T) {
+	daemon := &Daemon{
+		imageService: images.NewImageService(images.ImageServiceConfig{}),
+	}
+	daemon.configStore = &config.Config{
+		CommonConfig: config.CommonConfig{
+			ClusterStore:     "memory://127.0.0.1",
+			ClusterAdvertise: "127.0.0.1:3333",
+		},
+	}
+
+	if err := daemon.initDiscovery(daemon.configStore); err != nil {
+		t.Fatal(err)
+	}
+
+	expected := discovery.Entries{
+		&discovery.Entry{Host: "127.0.0.1", Port: "3333"},
+	}
+
+	select {
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for discovery")
+	case <-daemon.discoveryWatcher.ReadyCh():
+	}
+
+	stopCh := make(chan struct{})
+	defer close(stopCh)
+	ch, errCh := daemon.discoveryWatcher.Watch(stopCh)
+
+	select {
+	case <-time.After(1 * time.Second):
+		t.Fatal("failed to get discovery advertisements in time")
+	case e := <-ch:
+		if !reflect.DeepEqual(e, expected) {
+			t.Fatalf("expected %v, got %v\n", expected, e)
+		}
+	case e := <-errCh:
+		t.Fatal(e)
+	}
+
+	valuesSets := make(map[string]interface{})
+	valuesSets["cluster-store"] = "memory://127.0.0.1:2222"
+	valuesSets["cluster-advertise"] = "127.0.0.1:5555"
+	newConfig := &config.Config{
+		CommonConfig: config.CommonConfig{
+			ClusterStore:     "memory://127.0.0.1:2222",
+			ClusterAdvertise: "127.0.0.1:5555",
+			ValuesSet:        valuesSets,
+		},
+	}
+
+	expected = discovery.Entries{
+		&discovery.Entry{Host: "127.0.0.1", Port: "5555"},
+	}
+
+	if err := daemon.Reload(newConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	select {
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for discovery")
+	case <-daemon.discoveryWatcher.ReadyCh():
+	}
+
+	ch, errCh = daemon.discoveryWatcher.Watch(stopCh)
+
+	select {
+	case <-time.After(1 * time.Second):
+		t.Fatal("failed to get discovery advertisements in time")
+	case e := <-ch:
+		if !reflect.DeepEqual(e, expected) {
+			t.Fatalf("expected %v, got %v\n", expected, e)
+		}
+	case e := <-errCh:
+		t.Fatal(e)
+	}
+}
+
+func TestDaemonDiscoveryReloadFromEmptyDiscovery(t *testing.T) {
+	daemon := &Daemon{
+		imageService: images.NewImageService(images.ImageServiceConfig{}),
+	}
+	daemon.configStore = &config.Config{}
+
+	valuesSet := make(map[string]interface{})
+	valuesSet["cluster-store"] = "memory://127.0.0.1:2222"
+	valuesSet["cluster-advertise"] = "127.0.0.1:5555"
+	newConfig := &config.Config{
+		CommonConfig: config.CommonConfig{
+			ClusterStore:     "memory://127.0.0.1:2222",
+			ClusterAdvertise: "127.0.0.1:5555",
+			ValuesSet:        valuesSet,
+		},
+	}
+
+	expected := discovery.Entries{
+		&discovery.Entry{Host: "127.0.0.1", Port: "5555"},
+	}
+
+	if err := daemon.Reload(newConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	select {
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for discovery")
+	case <-daemon.discoveryWatcher.ReadyCh():
+	}
+
+	stopCh := make(chan struct{})
+	defer close(stopCh)
+	ch, errCh := daemon.discoveryWatcher.Watch(stopCh)
+
+	select {
+	case <-time.After(1 * time.Second):
+		t.Fatal("failed to get discovery advertisements in time")
+	case e := <-ch:
+		if !reflect.DeepEqual(e, expected) {
+			t.Fatalf("expected %v, got %v\n", expected, e)
+		}
+	case e := <-errCh:
+		t.Fatal(e)
+	}
+}
+
+func TestDaemonDiscoveryReloadOnlyClusterAdvertise(t *testing.T) {
+	daemon := &Daemon{
+		imageService: images.NewImageService(images.ImageServiceConfig{}),
+	}
+	daemon.configStore = &config.Config{
+		CommonConfig: config.CommonConfig{
+			ClusterStore: "memory://127.0.0.1",
+		},
+	}
+	valuesSets := make(map[string]interface{})
+	valuesSets["cluster-advertise"] = "127.0.0.1:5555"
+	newConfig := &config.Config{
+		CommonConfig: config.CommonConfig{
+			ClusterAdvertise: "127.0.0.1:5555",
+			ValuesSet:        valuesSets,
+		},
+	}
+	expected := discovery.Entries{
+		&discovery.Entry{Host: "127.0.0.1", Port: "5555"},
+	}
+
+	if err := daemon.Reload(newConfig); err != nil {
+		t.Fatal(err)
+	}
+
+	select {
+	case <-daemon.discoveryWatcher.ReadyCh():
+	case <-time.After(10 * time.Second):
+		t.Fatal("Timeout waiting for discovery")
+	}
+	stopCh := make(chan struct{})
+	defer close(stopCh)
+	ch, errCh := daemon.discoveryWatcher.Watch(stopCh)
+
+	select {
+	case <-time.After(1 * time.Second):
+		t.Fatal("failed to get discovery advertisements in time")
+	case e := <-ch:
+		if !reflect.DeepEqual(e, expected) {
+			t.Fatalf("expected %v, got %v\n", expected, e)
+		}
+	case e := <-errCh:
+		t.Fatal(e)
+	}
+}
+
+func TestDaemonReloadNetworkDiagnosticPort(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("root required")
+	}
+	daemon := &Daemon{
+		imageService: images.NewImageService(images.ImageServiceConfig{}),
+	}
+	daemon.configStore = &config.Config{}
+
+	valuesSet := make(map[string]interface{})
+	valuesSet["network-diagnostic-port"] = 2000
+	enableConfig := &config.Config{
+		CommonConfig: config.CommonConfig{
+			NetworkDiagnosticPort: 2000,
+			ValuesSet:             valuesSet,
+		},
+	}
+	disableConfig := &config.Config{
+		CommonConfig: config.CommonConfig{},
+	}
+
+	netOptions, err := daemon.networkOptions(enableConfig, nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	controller, err := libnetwork.New(netOptions...)
+	if err != nil {
+		t.Fatal(err)
+	}
+	daemon.netController = controller
+
+	// Enable/Disable the server for some iterations
+	for i := 0; i < 10; i++ {
+		enableConfig.CommonConfig.NetworkDiagnosticPort++
+		if err := daemon.Reload(enableConfig); err != nil {
+			t.Fatal(err)
+		}
+		// Check that the diagnostic is enabled
+		if !daemon.netController.IsDiagnosticEnabled() {
+			t.Fatalf("diagnostic should be enable")
+		}
+
+		// Reload
+		if err := daemon.Reload(disableConfig); err != nil {
+			t.Fatal(err)
+		}
+		// Check that the diagnostic is disabled
+		if daemon.netController.IsDiagnosticEnabled() {
+			t.Fatalf("diagnostic should be disable")
+		}
+	}
+
+	enableConfig.CommonConfig.NetworkDiagnosticPort++
+	// 2 times the enable should not create problems
+	if err := daemon.Reload(enableConfig); err != nil {
+		t.Fatal(err)
+	}
+	// Check that the diagnostic is enabled
+	if !daemon.netController.IsDiagnosticEnabled() {
+		t.Fatalf("diagnostic should be enable")
+	}
+
+	// Check that another reload does not cause issues
+	if err := daemon.Reload(enableConfig); err != nil {
+		t.Fatal(err)
+	}
+	// Check that the diagnostic is enable
+	if !daemon.netController.IsDiagnosticEnabled() {
+		t.Fatalf("diagnostic should be enable")
+	}
+
+}
diff --git a/engine/daemon/reload_unix.go b/engine/daemon/reload_unix.go
new file mode 100644
index 00000000..9c1bb992
--- /dev/null
+++ b/engine/daemon/reload_unix.go
@@ -0,0 +1,56 @@
+// +build linux freebsd
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"bytes"
+	"fmt"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/daemon/config"
+)
+
+// reloadPlatform updates configuration with platform specific options
+// and updates the passed attributes
+func (daemon *Daemon) reloadPlatform(conf *config.Config, attributes map[string]string) error {
+	if err := conf.ValidatePlatformConfig(); err != nil {
+		return err
+	}
+
+	if conf.IsValueSet("runtimes") {
+		// Always set the default one
+		conf.Runtimes[config.StockRuntimeName] = types.Runtime{Path: DefaultRuntimeBinary}
+		if err := daemon.initRuntimes(conf.Runtimes); err != nil {
+			return err
+		}
+		daemon.configStore.Runtimes = conf.Runtimes
+	}
+
+	if conf.DefaultRuntime != "" {
+		daemon.configStore.DefaultRuntime = conf.DefaultRuntime
+	}
+
+	if conf.IsValueSet("default-shm-size") {
+		daemon.configStore.ShmSize = conf.ShmSize
+	}
+
+	if conf.IpcMode != "" {
+		daemon.configStore.IpcMode = conf.IpcMode
+	}
+
+	// Update attributes
+	var runtimeList bytes.Buffer
+	for name, rt := range daemon.configStore.Runtimes {
+		if runtimeList.Len() > 0 {
+			runtimeList.WriteRune(' ')
+		}
+		runtimeList.WriteString(fmt.Sprintf("%s:%s", name, rt))
+	}
+
+	attributes["runtimes"] = runtimeList.String()
+	attributes["default-runtime"] = daemon.configStore.DefaultRuntime
+	attributes["default-shm-size"] = fmt.Sprintf("%d", daemon.configStore.ShmSize)
+	attributes["default-ipc-mode"] = daemon.configStore.IpcMode
+
+	return nil
+}
diff --git a/engine/daemon/reload_windows.go b/engine/daemon/reload_windows.go
new file mode 100644
index 00000000..548466e8
--- /dev/null
+++ b/engine/daemon/reload_windows.go
@@ -0,0 +1,9 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import "github.com/docker/docker/daemon/config"
+
+// reloadPlatform updates configuration with platform specific options
+// and updates the passed attributes
+func (daemon *Daemon) reloadPlatform(config *config.Config, attributes map[string]string) error {
+	return nil
+}
diff --git a/engine/daemon/rename.go b/engine/daemon/rename.go
new file mode 100644
index 00000000..2b2c48b2
--- /dev/null
+++ b/engine/daemon/rename.go
@@ -0,0 +1,123 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"strings"
+
+	dockercontainer "github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/libnetwork"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// ContainerRename changes the name of a container, using the oldName
+// to find the container. An error is returned if newName is already
+// reserved.
+func (daemon *Daemon) ContainerRename(oldName, newName string) error {
+	var (
+		sid string
+		sb  libnetwork.Sandbox
+	)
+
+	if oldName == "" || newName == "" {
+		return errdefs.InvalidParameter(errors.New("Neither old nor new names may be empty"))
+	}
+
+	if newName[0] != '/' {
+		newName = "/" + newName
+	}
+
+	container, err := daemon.GetContainer(oldName)
+	if err != nil {
+		return err
+	}
+
+	container.Lock()
+	defer container.Unlock()
+
+	oldName = container.Name
+	oldIsAnonymousEndpoint := container.NetworkSettings.IsAnonymousEndpoint
+
+	if oldName == newName {
+		return errdefs.InvalidParameter(errors.New("Renaming a container with the same name as its current name"))
+	}
+
+	links := map[string]*dockercontainer.Container{}
+	for k, v := range daemon.linkIndex.children(container) {
+		if !strings.HasPrefix(k, oldName) {
+			return errdefs.InvalidParameter(errors.Errorf("Linked container %s does not match parent %s", k, oldName))
+		}
+		links[strings.TrimPrefix(k, oldName)] = v
+	}
+
+	if newName, err = daemon.reserveName(container.ID, newName); err != nil {
+		return errors.Wrap(err, "Error when allocating new name")
+	}
+
+	for k, v := range links {
+		daemon.containersReplica.ReserveName(newName+k, v.ID)
+		daemon.linkIndex.link(container, v, newName+k)
+	}
+
+	container.Name = newName
+	container.NetworkSettings.IsAnonymousEndpoint = false
+
+	defer func() {
+		if err != nil {
+			container.Name = oldName
+			container.NetworkSettings.IsAnonymousEndpoint = oldIsAnonymousEndpoint
+			daemon.reserveName(container.ID, oldName)
+			for k, v := range links {
+				daemon.containersReplica.ReserveName(oldName+k, v.ID)
+				daemon.linkIndex.link(container, v, oldName+k)
+				daemon.linkIndex.unlink(newName+k, v, container)
+				daemon.containersReplica.ReleaseName(newName + k)
+			}
+			daemon.releaseName(newName)
+		}
+	}()
+
+	for k, v := range links {
+		daemon.linkIndex.unlink(oldName+k, v, container)
+		daemon.containersReplica.ReleaseName(oldName + k)
+	}
+	daemon.releaseName(oldName)
+	if err = container.CheckpointTo(daemon.containersReplica); err != nil {
+		return err
+	}
+
+	attributes := map[string]string{
+		"oldName": oldName,
+	}
+
+	if !container.Running {
+		daemon.LogContainerEventWithAttributes(container, "rename", attributes)
+		return nil
+	}
+
+	defer func() {
+		if err != nil {
+			container.Name = oldName
+			container.NetworkSettings.IsAnonymousEndpoint = oldIsAnonymousEndpoint
+			if e := container.CheckpointTo(daemon.containersReplica); e != nil {
+				logrus.Errorf("%s: Failed in writing to Disk on rename failure: %v", container.ID, e)
+			}
+		}
+	}()
+
+	sid = container.NetworkSettings.SandboxID
+	if sid != "" && daemon.netController != nil {
+		sb, err = daemon.netController.SandboxByID(sid)
+		if err != nil {
+			return err
+		}
+
+		err = sb.Rename(strings.TrimPrefix(container.Name, "/"))
+		if err != nil {
+			return err
+		}
+	}
+
+	daemon.LogContainerEventWithAttributes(container, "rename", attributes)
+	return nil
+}
diff --git a/engine/daemon/resize.go b/engine/daemon/resize.go
new file mode 100644
index 00000000..21240650
--- /dev/null
+++ b/engine/daemon/resize.go
@@ -0,0 +1,50 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/docker/docker/libcontainerd"
+)
+
+// ContainerResize changes the size of the TTY of the process running
+// in the container with the given name to the given height and width.
+func (daemon *Daemon) ContainerResize(name string, height, width int) error {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+
+	if !container.IsRunning() {
+		return errNotRunning(container.ID)
+	}
+
+	if err = daemon.containerd.ResizeTerminal(context.Background(), container.ID, libcontainerd.InitProcessName, width, height); err == nil {
+		attributes := map[string]string{
+			"height": fmt.Sprintf("%d", height),
+			"width":  fmt.Sprintf("%d", width),
+		}
+		daemon.LogContainerEventWithAttributes(container, "resize", attributes)
+	}
+	return err
+}
+
+// ContainerExecResize changes the size of the TTY of the process
+// running in the exec with the given name to the given height and
+// width.
+func (daemon *Daemon) ContainerExecResize(name string, height, width int) error {
+	ec, err := daemon.getExecConfig(name)
+	if err != nil {
+		return err
+	}
+	// TODO: the timeout is hardcoded here, it would be more flexible to make it
+	// a parameter in resize request context, which would need API changes.
+	timeout := 10 * time.Second
+	select {
+	case <-ec.Started:
+		return daemon.containerd.ResizeTerminal(context.Background(), ec.ContainerID, ec.ID, width, height)
+	case <-time.After(timeout):
+		return fmt.Errorf("timeout waiting for exec session ready")
+	}
+}
diff --git a/engine/daemon/resize_test.go b/engine/daemon/resize_test.go
new file mode 100644
index 00000000..edfe9d3e
--- /dev/null
+++ b/engine/daemon/resize_test.go
@@ -0,0 +1,103 @@
+// +build linux
+
+package daemon
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/daemon/exec"
+	"gotest.tools/assert"
+)
+
+// This test simply verify that when a wrong ID used, a specific error should be returned for exec resize.
+func TestExecResizeNoSuchExec(t *testing.T) {
+	n := "TestExecResize"
+	d := &Daemon{
+		execCommands: exec.NewStore(),
+	}
+	c := &container.Container{
+		ExecCommands: exec.NewStore(),
+	}
+	ec := &exec.Config{
+		ID: n,
+	}
+	d.registerExecCommand(c, ec)
+	err := d.ContainerExecResize("nil", 24, 8)
+	assert.ErrorContains(t, err, "No such exec instance")
+}
+
+type execResizeMockContainerdClient struct {
+	MockContainerdClient
+	ProcessID   string
+	ContainerID string
+	Width       int
+	Height      int
+}
+
+func (c *execResizeMockContainerdClient) ResizeTerminal(ctx context.Context, containerID, processID string, width, height int) error {
+	c.ProcessID = processID
+	c.ContainerID = containerID
+	c.Width = width
+	c.Height = height
+	return nil
+}
+
+// This test is to make sure that when exec context is ready, resize should call ResizeTerminal via containerd client.
+func TestExecResize(t *testing.T) {
+	n := "TestExecResize"
+	width := 24
+	height := 8
+	ec := &exec.Config{
+		ID:          n,
+		ContainerID: n,
+		Started:     make(chan struct{}),
+	}
+	close(ec.Started)
+	mc := &execResizeMockContainerdClient{}
+	d := &Daemon{
+		execCommands: exec.NewStore(),
+		containerd:   mc,
+		containers:   container.NewMemoryStore(),
+	}
+	c := &container.Container{
+		ExecCommands: exec.NewStore(),
+		State:        &container.State{Running: true},
+	}
+	d.containers.Add(n, c)
+	d.registerExecCommand(c, ec)
+	err := d.ContainerExecResize(n, height, width)
+	assert.NilError(t, err)
+	assert.Equal(t, mc.Width, width)
+	assert.Equal(t, mc.Height, height)
+	assert.Equal(t, mc.ProcessID, n)
+	assert.Equal(t, mc.ContainerID, n)
+}
+
+// This test is to make sure that when exec context is not ready, a timeout error should happen.
+// TODO: the expect running time for this test is 10s, which would be too long for unit test.
+func TestExecResizeTimeout(t *testing.T) {
+	n := "TestExecResize"
+	width := 24
+	height := 8
+	ec := &exec.Config{
+		ID:          n,
+		ContainerID: n,
+		Started:     make(chan struct{}),
+	}
+	mc := &execResizeMockContainerdClient{}
+	d := &Daemon{
+		execCommands: exec.NewStore(),
+		containerd:   mc,
+		containers:   container.NewMemoryStore(),
+	}
+	c := &container.Container{
+		ExecCommands: exec.NewStore(),
+		State:        &container.State{Running: true},
+	}
+	d.containers.Add(n, c)
+	d.registerExecCommand(c, ec)
+	err := d.ContainerExecResize(n, height, width)
+	assert.ErrorContains(t, err, "timeout waiting for exec session ready")
+}
diff --git a/engine/daemon/restart.go b/engine/daemon/restart.go
new file mode 100644
index 00000000..0f06dea2
--- /dev/null
+++ b/engine/daemon/restart.go
@@ -0,0 +1,70 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+
+	"github.com/docker/docker/container"
+	"github.com/sirupsen/logrus"
+)
+
+// ContainerRestart stops and starts a container. It attempts to
+// gracefully stop the container within the given timeout, forcefully
+// stopping it if the timeout is exceeded. If given a negative
+// timeout, ContainerRestart will wait forever until a graceful
+// stop. Returns an error if the container cannot be found, or if
+// there is an underlying error at any stage of the restart.
+func (daemon *Daemon) ContainerRestart(name string, seconds *int) error {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+	if seconds == nil {
+		stopTimeout := container.StopTimeout()
+		seconds = &stopTimeout
+	}
+	if err := daemon.containerRestart(container, *seconds); err != nil {
+		return fmt.Errorf("Cannot restart container %s: %v", name, err)
+	}
+	return nil
+
+}
+
+// containerRestart attempts to gracefully stop and then start the
+// container. When stopping, wait for the given duration in seconds to
+// gracefully stop, before forcefully terminating the container. If
+// given a negative duration, wait forever for a graceful stop.
+func (daemon *Daemon) containerRestart(container *container.Container, seconds int) error {
+	// Avoid unnecessarily unmounting and then directly mounting
+	// the container when the container stops and then starts
+	// again
+	if err := daemon.Mount(container); err == nil {
+		defer daemon.Unmount(container)
+	}
+
+	if container.IsRunning() {
+		// set AutoRemove flag to false before stop so the container won't be
+		// removed during restart process
+		autoRemove := container.HostConfig.AutoRemove
+
+		container.HostConfig.AutoRemove = false
+		err := daemon.containerStop(container, seconds)
+		// restore AutoRemove irrespective of whether the stop worked or not
+		container.HostConfig.AutoRemove = autoRemove
+		// containerStop will write HostConfig to disk, we shall restore AutoRemove
+		// in disk too
+		if toDiskErr := daemon.checkpointAndSave(container); toDiskErr != nil {
+			logrus.Errorf("Write container to disk error: %v", toDiskErr)
+		}
+
+		if err != nil {
+			return err
+		}
+	}
+
+	if err := daemon.containerStart(container, "", "", true); err != nil {
+		return err
+	}
+
+	daemon.LogContainerEvent(container, "restart")
+	return nil
+}
diff --git a/engine/daemon/seccomp_disabled.go b/engine/daemon/seccomp_disabled.go
new file mode 100644
index 00000000..3855c783
--- /dev/null
+++ b/engine/daemon/seccomp_disabled.go
@@ -0,0 +1,19 @@
+// +build linux,!seccomp
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+
+	"github.com/docker/docker/container"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+var supportsSeccomp = false
+
+func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
+	if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
+		return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
+	}
+	return nil
+}
diff --git a/engine/daemon/seccomp_linux.go b/engine/daemon/seccomp_linux.go
new file mode 100644
index 00000000..66ab8c76
--- /dev/null
+++ b/engine/daemon/seccomp_linux.go
@@ -0,0 +1,55 @@
+// +build linux,seccomp
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/profiles/seccomp"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+)
+
+var supportsSeccomp = true
+
+func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
+	var profile *specs.LinuxSeccomp
+	var err error
+
+	if c.HostConfig.Privileged {
+		return nil
+	}
+
+	if !daemon.seccompEnabled {
+		if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
+			return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
+		}
+		logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
+		c.SeccompProfile = "unconfined"
+	}
+	if c.SeccompProfile == "unconfined" {
+		return nil
+	}
+	if c.SeccompProfile != "" {
+		profile, err = seccomp.LoadProfile(c.SeccompProfile, rs)
+		if err != nil {
+			return err
+		}
+	} else {
+		if daemon.seccompProfile != nil {
+			profile, err = seccomp.LoadProfile(string(daemon.seccompProfile), rs)
+			if err != nil {
+				return err
+			}
+		} else {
+			profile, err = seccomp.GetDefaultProfile(rs)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	rs.Linux.Seccomp = profile
+	return nil
+}
diff --git a/engine/daemon/seccomp_unsupported.go b/engine/daemon/seccomp_unsupported.go
new file mode 100644
index 00000000..a323fe0b
--- /dev/null
+++ b/engine/daemon/seccomp_unsupported.go
@@ -0,0 +1,5 @@
+// +build !linux
+
+package daemon // import "github.com/docker/docker/daemon"
+
+var supportsSeccomp = false
diff --git a/engine/daemon/secrets.go b/engine/daemon/secrets.go
new file mode 100644
index 00000000..6d368a9f
--- /dev/null
+++ b/engine/daemon/secrets.go
@@ -0,0 +1,23 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/sirupsen/logrus"
+)
+
+// SetContainerSecretReferences sets the container secret references needed
+func (daemon *Daemon) SetContainerSecretReferences(name string, refs []*swarmtypes.SecretReference) error {
+	if !secretsSupported() && len(refs) > 0 {
+		logrus.Warn("secrets are not supported on this platform")
+		return nil
+	}
+
+	c, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+
+	c.SecretReferences = refs
+
+	return nil
+}
diff --git a/engine/daemon/secrets_linux.go b/engine/daemon/secrets_linux.go
new file mode 100644
index 00000000..2be70be3
--- /dev/null
+++ b/engine/daemon/secrets_linux.go
@@ -0,0 +1,5 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+func secretsSupported() bool {
+	return true
+}
diff --git a/engine/daemon/secrets_unsupported.go b/engine/daemon/secrets_unsupported.go
new file mode 100644
index 00000000..edad69c5
--- /dev/null
+++ b/engine/daemon/secrets_unsupported.go
@@ -0,0 +1,7 @@
+// +build !linux,!windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+func secretsSupported() bool {
+	return false
+}
diff --git a/engine/daemon/secrets_windows.go b/engine/daemon/secrets_windows.go
new file mode 100644
index 00000000..2be70be3
--- /dev/null
+++ b/engine/daemon/secrets_windows.go
@@ -0,0 +1,5 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+func secretsSupported() bool {
+	return true
+}
diff --git a/engine/daemon/selinux_linux.go b/engine/daemon/selinux_linux.go
new file mode 100644
index 00000000..f87b30b7
--- /dev/null
+++ b/engine/daemon/selinux_linux.go
@@ -0,0 +1,15 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import "github.com/opencontainers/selinux/go-selinux"
+
+func selinuxSetDisabled() {
+	selinux.SetDisabled()
+}
+
+func selinuxFreeLxcContexts(label string) {
+	selinux.ReleaseLabel(label)
+}
+
+func selinuxEnabled() bool {
+	return selinux.GetEnabled()
+}
diff --git a/engine/daemon/selinux_unsupported.go b/engine/daemon/selinux_unsupported.go
new file mode 100644
index 00000000..49d0d13b
--- /dev/null
+++ b/engine/daemon/selinux_unsupported.go
@@ -0,0 +1,13 @@
+// +build !linux
+
+package daemon // import "github.com/docker/docker/daemon"
+
+func selinuxSetDisabled() {
+}
+
+func selinuxFreeLxcContexts(label string) {
+}
+
+func selinuxEnabled() bool {
+	return false
+}
diff --git a/engine/daemon/start.go b/engine/daemon/start.go
new file mode 100644
index 00000000..c00bd9ce
--- /dev/null
+++ b/engine/daemon/start.go
@@ -0,0 +1,254 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"runtime"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// ContainerStart starts a container.
+func (daemon *Daemon) ContainerStart(name string, hostConfig *containertypes.HostConfig, checkpoint string, checkpointDir string) error {
+	if checkpoint != "" && !daemon.HasExperimental() {
+		return errdefs.InvalidParameter(errors.New("checkpoint is only supported in experimental mode"))
+	}
+
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+
+	validateState := func() error {
+		container.Lock()
+		defer container.Unlock()
+
+		if container.Paused {
+			return errdefs.Conflict(errors.New("cannot start a paused container, try unpause instead"))
+		}
+
+		if container.Running {
+			return containerNotModifiedError{running: true}
+		}
+
+		if container.RemovalInProgress || container.Dead {
+			return errdefs.Conflict(errors.New("container is marked for removal and cannot be started"))
+		}
+		return nil
+	}
+
+	if err := validateState(); err != nil {
+		return err
+	}
+
+	// Windows does not have the backwards compatibility issue here.
+	if runtime.GOOS != "windows" {
+		// This is kept for backward compatibility - hostconfig should be passed when
+		// creating a container, not during start.
+		if hostConfig != nil {
+			logrus.Warn("DEPRECATED: Setting host configuration options when the container starts is deprecated and has been removed in Docker 1.12")
+			oldNetworkMode := container.HostConfig.NetworkMode
+			if err := daemon.setSecurityOptions(container, hostConfig); err != nil {
+				return errdefs.InvalidParameter(err)
+			}
+			if err := daemon.mergeAndVerifyLogConfig(&hostConfig.LogConfig); err != nil {
+				return errdefs.InvalidParameter(err)
+			}
+			if err := daemon.setHostConfig(container, hostConfig); err != nil {
+				return errdefs.InvalidParameter(err)
+			}
+			newNetworkMode := container.HostConfig.NetworkMode
+			if string(oldNetworkMode) != string(newNetworkMode) {
+				// if user has change the network mode on starting, clean up the
+				// old networks. It is a deprecated feature and has been removed in Docker 1.12
+				container.NetworkSettings.Networks = nil
+				if err := container.CheckpointTo(daemon.containersReplica); err != nil {
+					return errdefs.System(err)
+				}
+			}
+			container.InitDNSHostConfig()
+		}
+	} else {
+		if hostConfig != nil {
+			return errdefs.InvalidParameter(errors.New("Supplying a hostconfig on start is not supported. It should be supplied on create"))
+		}
+	}
+
+	// check if hostConfig is in line with the current system settings.
+	// It may happen cgroups are umounted or the like.
+	if _, err = daemon.verifyContainerSettings(container.OS, container.HostConfig, nil, false); err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+	// Adapt for old containers in case we have updates in this function and
+	// old containers never have chance to call the new function in create stage.
+	if hostConfig != nil {
+		if err := daemon.adaptContainerSettings(container.HostConfig, false); err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+	}
+	return daemon.containerStart(container, checkpoint, checkpointDir, true)
+}
+
+// containerStart prepares the container to run by setting up everything the
+// container needs, such as storage and networking, as well as links
+// between containers. The container is left waiting for a signal to
+// begin running.
+func (daemon *Daemon) containerStart(container *container.Container, checkpoint string, checkpointDir string, resetRestartManager bool) (err error) {
+	start := time.Now()
+	container.Lock()
+	defer container.Unlock()
+
+	if resetRestartManager && container.Running { // skip this check if already in restarting step and resetRestartManager==false
+		return nil
+	}
+
+	if container.RemovalInProgress || container.Dead {
+		return errdefs.Conflict(errors.New("container is marked for removal and cannot be started"))
+	}
+
+	if checkpointDir != "" {
+		// TODO(mlaventure): how would we support that?
+		return errdefs.Forbidden(errors.New("custom checkpointdir is not supported"))
+	}
+
+	// if we encounter an error during start we need to ensure that any other
+	// setup has been cleaned up properly
+	defer func() {
+		if err != nil {
+			container.SetError(err)
+			// if no one else has set it, make sure we don't leave it at zero
+			if container.ExitCode() == 0 {
+				container.SetExitCode(128)
+			}
+			if err := container.CheckpointTo(daemon.containersReplica); err != nil {
+				logrus.Errorf("%s: failed saving state on start failure: %v", container.ID, err)
+			}
+			container.Reset(false)
+
+			daemon.Cleanup(container)
+			// if containers AutoRemove flag is set, remove it after clean up
+			if container.HostConfig.AutoRemove {
+				container.Unlock()
+				if err := daemon.ContainerRm(container.ID, &types.ContainerRmConfig{ForceRemove: true, RemoveVolume: true}); err != nil {
+					logrus.Errorf("can't remove container %s: %v", container.ID, err)
+				}
+				container.Lock()
+			}
+		}
+	}()
+
+	if err := daemon.conditionalMountOnStart(container); err != nil {
+		return err
+	}
+
+	if err := daemon.initializeNetworking(container); err != nil {
+		return err
+	}
+
+	spec, err := daemon.createSpec(container)
+	if err != nil {
+		return errdefs.System(err)
+	}
+
+	if resetRestartManager {
+		container.ResetRestartManager(true)
+	}
+
+	if daemon.saveApparmorConfig(container); err != nil {
+		return err
+	}
+
+	if checkpoint != "" {
+		checkpointDir, err = getCheckpointDir(checkpointDir, checkpoint, container.Name, container.ID, container.CheckpointDir(), false)
+		if err != nil {
+			return err
+		}
+	}
+
+	createOptions, err := daemon.getLibcontainerdCreateOptions(container)
+	if err != nil {
+		return err
+	}
+
+	err = daemon.containerd.Create(context.Background(), container.ID, spec, createOptions)
+	if err != nil {
+		return translateContainerdStartErr(container.Path, container.SetExitCode, err)
+	}
+
+	// TODO(mlaventure): we need to specify checkpoint options here
+	pid, err := daemon.containerd.Start(context.Background(), container.ID, checkpointDir,
+		container.StreamConfig.Stdin() != nil || container.Config.Tty,
+		container.InitializeStdio)
+	if err != nil {
+		if err := daemon.containerd.Delete(context.Background(), container.ID); err != nil {
+			logrus.WithError(err).WithField("container", container.ID).
+				Error("failed to delete failed start container")
+		}
+		return translateContainerdStartErr(container.Path, container.SetExitCode, err)
+	}
+
+	container.SetRunning(pid, true)
+	container.HasBeenManuallyStopped = false
+	container.HasBeenStartedBefore = true
+	daemon.setStateCounter(container)
+
+	daemon.initHealthMonitor(container)
+
+	if err := container.CheckpointTo(daemon.containersReplica); err != nil {
+		logrus.WithError(err).WithField("container", container.ID).
+			Errorf("failed to store container")
+	}
+
+	daemon.LogContainerEvent(container, "start")
+	containerActions.WithValues("start").UpdateSince(start)
+
+	return nil
+}
+
+// Cleanup releases any network resources allocated to the container along with any rules
+// around how containers are linked together.  It also unmounts the container's root filesystem.
+func (daemon *Daemon) Cleanup(container *container.Container) {
+	daemon.releaseNetwork(container)
+
+	if err := container.UnmountIpcMount(detachMounted); err != nil {
+		logrus.Warnf("%s cleanup: failed to unmount IPC: %s", container.ID, err)
+	}
+
+	if err := daemon.conditionalUnmountOnCleanup(container); err != nil {
+		// FIXME: remove once reference counting for graphdrivers has been refactored
+		// Ensure that all the mounts are gone
+		if mountid, err := daemon.imageService.GetLayerMountID(container.ID, container.OS); err == nil {
+			daemon.cleanupMountsByID(mountid)
+		}
+	}
+
+	if err := container.UnmountSecrets(); err != nil {
+		logrus.Warnf("%s cleanup: failed to unmount secrets: %s", container.ID, err)
+	}
+
+	if err := mount.RecursiveUnmount(container.Root); err != nil {
+		logrus.WithError(err).WithField("container", container.ID).Warn("Error while cleaning up container resource mounts.")
+	}
+
+	for _, eConfig := range container.ExecCommands.Commands() {
+		daemon.unregisterExecCommand(container, eConfig)
+	}
+
+	if container.BaseFS != nil && container.BaseFS.Path() != "" {
+		if err := container.UnmountVolumes(daemon.LogVolumeEvent); err != nil {
+			logrus.Warnf("%s cleanup: Failed to umount volumes: %v", container.ID, err)
+		}
+	}
+
+	container.CancelAttachContext()
+
+	if err := daemon.containerd.Delete(context.Background(), container.ID); err != nil {
+		logrus.Errorf("%s cleanup: failed to delete container from containerd: %v", container.ID, err)
+	}
+}
diff --git a/engine/daemon/start_unix.go b/engine/daemon/start_unix.go
new file mode 100644
index 00000000..e680b95f
--- /dev/null
+++ b/engine/daemon/start_unix.go
@@ -0,0 +1,57 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/containerd/containerd/runtime/linux/runctypes"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+)
+
+func (daemon *Daemon) getRuntimeScript(container *container.Container) (string, error) {
+	name := container.HostConfig.Runtime
+	rt := daemon.configStore.GetRuntime(name)
+	if rt == nil {
+		return "", errdefs.InvalidParameter(errors.Errorf("no such runtime '%s'", name))
+	}
+
+	if len(rt.Args) > 0 {
+		// First check that the target exist, as using it in a script won't
+		// give us the right error
+		if _, err := exec.LookPath(rt.Path); err != nil {
+			return "", translateContainerdStartErr(container.Path, container.SetExitCode, err)
+		}
+		return filepath.Join(daemon.configStore.Root, "runtimes", name), nil
+	}
+	return rt.Path, nil
+}
+
+// getLibcontainerdCreateOptions callers must hold a lock on the container
+func (daemon *Daemon) getLibcontainerdCreateOptions(container *container.Container) (interface{}, error) {
+	// Ensure a runtime has been assigned to this container
+	if container.HostConfig.Runtime == "" {
+		container.HostConfig.Runtime = daemon.configStore.GetDefaultRuntimeName()
+		container.CheckpointTo(daemon.containersReplica)
+	}
+
+	path, err := daemon.getRuntimeScript(container)
+	if err != nil {
+		return nil, err
+	}
+	opts := &runctypes.RuncOptions{
+		Runtime: path,
+		RuntimeRoot: filepath.Join(daemon.configStore.ExecRoot,
+			fmt.Sprintf("runtime-%s", container.HostConfig.Runtime)),
+	}
+
+	if UsingSystemd(daemon.configStore) {
+		opts.SystemdCgroup = true
+	}
+
+	return opts, nil
+}
diff --git a/engine/daemon/start_windows.go b/engine/daemon/start_windows.go
new file mode 100644
index 00000000..f4606f7a
--- /dev/null
+++ b/engine/daemon/start_windows.go
@@ -0,0 +1,38 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/Microsoft/opengcs/client"
+	"github.com/docker/docker/container"
+)
+
+func (daemon *Daemon) getLibcontainerdCreateOptions(container *container.Container) (interface{}, error) {
+	// LCOW options.
+	if container.OS == "linux" {
+		config := &client.Config{}
+		if err := config.GenerateDefault(daemon.configStore.GraphOptions); err != nil {
+			return nil, err
+		}
+		// Override from user-supplied options.
+		for k, v := range container.HostConfig.StorageOpt {
+			switch k {
+			case "lcow.kirdpath":
+				config.KirdPath = v
+			case "lcow.kernel":
+				config.KernelFile = v
+			case "lcow.initrd":
+				config.InitrdFile = v
+			case "lcow.vhdx":
+				config.Vhdx = v
+			case "lcow.bootparameters":
+				config.BootParameters = v
+			}
+		}
+		if err := config.Validate(); err != nil {
+			return nil, err
+		}
+
+		return config, nil
+	}
+
+	return nil, nil
+}
diff --git a/engine/daemon/stats.go b/engine/daemon/stats.go
new file mode 100644
index 00000000..eb23e272
--- /dev/null
+++ b/engine/daemon/stats.go
@@ -0,0 +1,155 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"runtime"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/backend"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/api/types/versions/v1p20"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/ioutils"
+)
+
+// ContainerStats writes information about the container to the stream
+// given in the config object.
+func (daemon *Daemon) ContainerStats(ctx context.Context, prefixOrName string, config *backend.ContainerStatsConfig) error {
+	// Engine API version (used for backwards compatibility)
+	apiVersion := config.Version
+
+	container, err := daemon.GetContainer(prefixOrName)
+	if err != nil {
+		return err
+	}
+
+	// If the container is either not running or restarting and requires no stream, return an empty stats.
+	if (!container.IsRunning() || container.IsRestarting()) && !config.Stream {
+		return json.NewEncoder(config.OutStream).Encode(&types.StatsJSON{
+			Name: container.Name,
+			ID:   container.ID})
+	}
+
+	outStream := config.OutStream
+	if config.Stream {
+		wf := ioutils.NewWriteFlusher(outStream)
+		defer wf.Close()
+		wf.Flush()
+		outStream = wf
+	}
+
+	var preCPUStats types.CPUStats
+	var preRead time.Time
+	getStatJSON := func(v interface{}) *types.StatsJSON {
+		ss := v.(types.StatsJSON)
+		ss.Name = container.Name
+		ss.ID = container.ID
+		ss.PreCPUStats = preCPUStats
+		ss.PreRead = preRead
+		preCPUStats = ss.CPUStats
+		preRead = ss.Read
+		return &ss
+	}
+
+	enc := json.NewEncoder(outStream)
+
+	updates := daemon.subscribeToContainerStats(container)
+	defer daemon.unsubscribeToContainerStats(container, updates)
+
+	noStreamFirstFrame := true
+	for {
+		select {
+		case v, ok := <-updates:
+			if !ok {
+				return nil
+			}
+
+			var statsJSON interface{}
+			statsJSONPost120 := getStatJSON(v)
+			if versions.LessThan(apiVersion, "1.21") {
+				if runtime.GOOS == "windows" {
+					return errors.New("API versions pre v1.21 do not support stats on Windows")
+				}
+				var (
+					rxBytes   uint64
+					rxPackets uint64
+					rxErrors  uint64
+					rxDropped uint64
+					txBytes   uint64
+					txPackets uint64
+					txErrors  uint64
+					txDropped uint64
+				)
+				for _, v := range statsJSONPost120.Networks {
+					rxBytes += v.RxBytes
+					rxPackets += v.RxPackets
+					rxErrors += v.RxErrors
+					rxDropped += v.RxDropped
+					txBytes += v.TxBytes
+					txPackets += v.TxPackets
+					txErrors += v.TxErrors
+					txDropped += v.TxDropped
+				}
+				statsJSON = &v1p20.StatsJSON{
+					Stats: statsJSONPost120.Stats,
+					Network: types.NetworkStats{
+						RxBytes:   rxBytes,
+						RxPackets: rxPackets,
+						RxErrors:  rxErrors,
+						RxDropped: rxDropped,
+						TxBytes:   txBytes,
+						TxPackets: txPackets,
+						TxErrors:  txErrors,
+						TxDropped: txDropped,
+					},
+				}
+			} else {
+				statsJSON = statsJSONPost120
+			}
+
+			if !config.Stream && noStreamFirstFrame {
+				// prime the cpu stats so they aren't 0 in the final output
+				noStreamFirstFrame = false
+				continue
+			}
+
+			if err := enc.Encode(statsJSON); err != nil {
+				return err
+			}
+
+			if !config.Stream {
+				return nil
+			}
+		case <-ctx.Done():
+			return nil
+		}
+	}
+}
+
+func (daemon *Daemon) subscribeToContainerStats(c *container.Container) chan interface{} {
+	return daemon.statsCollector.Collect(c)
+}
+
+func (daemon *Daemon) unsubscribeToContainerStats(c *container.Container, ch chan interface{}) {
+	daemon.statsCollector.Unsubscribe(c, ch)
+}
+
+// GetContainerStats collects all the stats published by a container
+func (daemon *Daemon) GetContainerStats(container *container.Container) (*types.StatsJSON, error) {
+	stats, err := daemon.stats(container)
+	if err != nil {
+		return nil, err
+	}
+
+	// We already have the network stats on Windows directly from HCS.
+	if !container.Config.NetworkDisabled && runtime.GOOS != "windows" {
+		if stats.Networks, err = daemon.getNetworkStats(container); err != nil {
+			return nil, err
+		}
+	}
+
+	return stats, nil
+}
diff --git a/engine/daemon/stats/collector.go b/engine/daemon/stats/collector.go
new file mode 100644
index 00000000..88e20984
--- /dev/null
+++ b/engine/daemon/stats/collector.go
@@ -0,0 +1,159 @@
+package stats // import "github.com/docker/docker/daemon/stats"
+
+import (
+	"bufio"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/pubsub"
+	"github.com/sirupsen/logrus"
+)
+
+// Collector manages and provides container resource stats
+type Collector struct {
+	m          sync.Mutex
+	supervisor supervisor
+	interval   time.Duration
+	publishers map[*container.Container]*pubsub.Publisher
+	bufReader  *bufio.Reader
+
+	// The following fields are not set on Windows currently.
+	clockTicksPerSecond uint64
+}
+
+// NewCollector creates a stats collector that will poll the supervisor with the specified interval
+func NewCollector(supervisor supervisor, interval time.Duration) *Collector {
+	s := &Collector{
+		interval:   interval,
+		supervisor: supervisor,
+		publishers: make(map[*container.Container]*pubsub.Publisher),
+		bufReader:  bufio.NewReaderSize(nil, 128),
+	}
+
+	platformNewStatsCollector(s)
+
+	return s
+}
+
+type supervisor interface {
+	// GetContainerStats collects all the stats related to a container
+	GetContainerStats(container *container.Container) (*types.StatsJSON, error)
+}
+
+// Collect registers the container with the collector and adds it to
+// the event loop for collection on the specified interval returning
+// a channel for the subscriber to receive on.
+func (s *Collector) Collect(c *container.Container) chan interface{} {
+	s.m.Lock()
+	defer s.m.Unlock()
+	publisher, exists := s.publishers[c]
+	if !exists {
+		publisher = pubsub.NewPublisher(100*time.Millisecond, 1024)
+		s.publishers[c] = publisher
+	}
+	return publisher.Subscribe()
+}
+
+// StopCollection closes the channels for all subscribers and removes
+// the container from metrics collection.
+func (s *Collector) StopCollection(c *container.Container) {
+	s.m.Lock()
+	if publisher, exists := s.publishers[c]; exists {
+		publisher.Close()
+		delete(s.publishers, c)
+	}
+	s.m.Unlock()
+}
+
+// Unsubscribe removes a specific subscriber from receiving updates for a container's stats.
+func (s *Collector) Unsubscribe(c *container.Container, ch chan interface{}) {
+	s.m.Lock()
+	publisher := s.publishers[c]
+	if publisher != nil {
+		publisher.Evict(ch)
+		if publisher.Len() == 0 {
+			delete(s.publishers, c)
+		}
+	}
+	s.m.Unlock()
+}
+
+// Run starts the collectors and will indefinitely collect stats from the supervisor
+func (s *Collector) Run() {
+	type publishersPair struct {
+		container *container.Container
+		publisher *pubsub.Publisher
+	}
+	// we cannot determine the capacity here.
+	// it will grow enough in first iteration
+	var pairs []publishersPair
+
+	for {
+		// Put sleep at the start so that it will always be hit,
+		// preventing a tight loop if no stats are collected.
+		time.Sleep(s.interval)
+
+		// it does not make sense in the first iteration,
+		// but saves allocations in further iterations
+		pairs = pairs[:0]
+
+		s.m.Lock()
+		for container, publisher := range s.publishers {
+			// copy pointers here to release the lock ASAP
+			pairs = append(pairs, publishersPair{container, publisher})
+		}
+		s.m.Unlock()
+		if len(pairs) == 0 {
+			continue
+		}
+
+		onlineCPUs, err := s.getNumberOnlineCPUs()
+		if err != nil {
+			logrus.Errorf("collecting system online cpu count: %v", err)
+			continue
+		}
+
+		for _, pair := range pairs {
+			stats, err := s.supervisor.GetContainerStats(pair.container)
+
+			switch err.(type) {
+			case nil:
+				// Sample system CPU usage close to container usage to avoid
+				// noise in metric calculations.
+				systemUsage, err := s.getSystemCPUUsage()
+				if err != nil {
+					logrus.WithError(err).WithField("container_id", pair.container.ID).Errorf("collecting system cpu usage")
+					continue
+				}
+
+				// FIXME: move to containerd on Linux (not Windows)
+				stats.CPUStats.SystemUsage = systemUsage
+				stats.CPUStats.OnlineCPUs = onlineCPUs
+
+				pair.publisher.Publish(*stats)
+
+			case notRunningErr, notFoundErr:
+				// publish empty stats containing only name and ID if not running or not found
+				pair.publisher.Publish(types.StatsJSON{
+					Name: pair.container.Name,
+					ID:   pair.container.ID,
+				})
+
+			default:
+				logrus.Errorf("collecting stats for %s: %v", pair.container.ID, err)
+			}
+		}
+	}
+}
+
+type notRunningErr interface {
+	error
+	Conflict()
+}
+
+type notFoundErr interface {
+	error
+	NotFound()
+}
diff --git a/engine/daemon/stats/collector_unix.go b/engine/daemon/stats/collector_unix.go
new file mode 100644
index 00000000..2480aceb
--- /dev/null
+++ b/engine/daemon/stats/collector_unix.go
@@ -0,0 +1,83 @@
+// +build !windows
+
+package stats // import "github.com/docker/docker/daemon/stats"
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/opencontainers/runc/libcontainer/system"
+)
+
+/*
+#include <unistd.h>
+*/
+import "C"
+
+// platformNewStatsCollector performs platform specific initialisation of the
+// Collector structure.
+func platformNewStatsCollector(s *Collector) {
+	s.clockTicksPerSecond = uint64(system.GetClockTicks())
+}
+
+const nanoSecondsPerSecond = 1e9
+
+// getSystemCPUUsage returns the host system's cpu usage in
+// nanoseconds. An error is returned if the format of the underlying
+// file does not match.
+//
+// Uses /proc/stat defined by POSIX. Looks for the cpu
+// statistics line and then sums up the first seven fields
+// provided. See `man 5 proc` for details on specific field
+// information.
+func (s *Collector) getSystemCPUUsage() (uint64, error) {
+	var line string
+	f, err := os.Open("/proc/stat")
+	if err != nil {
+		return 0, err
+	}
+	defer func() {
+		s.bufReader.Reset(nil)
+		f.Close()
+	}()
+	s.bufReader.Reset(f)
+	err = nil
+	for err == nil {
+		line, err = s.bufReader.ReadString('\n')
+		if err != nil {
+			break
+		}
+		parts := strings.Fields(line)
+		switch parts[0] {
+		case "cpu":
+			if len(parts) < 8 {
+				return 0, fmt.Errorf("invalid number of cpu fields")
+			}
+			var totalClockTicks uint64
+			for _, i := range parts[1:8] {
+				v, err := strconv.ParseUint(i, 10, 64)
+				if err != nil {
+					return 0, fmt.Errorf("Unable to convert value %s to int: %s", i, err)
+				}
+				totalClockTicks += v
+			}
+			return (totalClockTicks * nanoSecondsPerSecond) /
+				s.clockTicksPerSecond, nil
+		}
+	}
+	return 0, fmt.Errorf("invalid stat format. Error trying to parse the '/proc/stat' file")
+}
+
+func (s *Collector) getNumberOnlineCPUs() (uint32, error) {
+	i, err := C.sysconf(C._SC_NPROCESSORS_ONLN)
+	// According to POSIX - errno is undefined after successful
+	// sysconf, and can be non-zero in several cases, so look for
+	// error in returned value not in errno.
+	// (https://sourceware.org/bugzilla/show_bug.cgi?id=21536)
+	if i == -1 {
+		return 0, err
+	}
+	return uint32(i), nil
+}
diff --git a/engine/daemon/stats/collector_windows.go b/engine/daemon/stats/collector_windows.go
new file mode 100644
index 00000000..018e9065
--- /dev/null
+++ b/engine/daemon/stats/collector_windows.go
@@ -0,0 +1,17 @@
+package stats // import "github.com/docker/docker/daemon/stats"
+
+// platformNewStatsCollector performs platform specific initialisation of the
+// Collector structure. This is a no-op on Windows.
+func platformNewStatsCollector(s *Collector) {
+}
+
+// getSystemCPUUsage returns the host system's cpu usage in
+// nanoseconds. An error is returned if the format of the underlying
+// file does not match. This is a no-op on Windows.
+func (s *Collector) getSystemCPUUsage() (uint64, error) {
+	return 0, nil
+}
+
+func (s *Collector) getNumberOnlineCPUs() (uint32, error) {
+	return 0, nil
+}
diff --git a/engine/daemon/stats_collector.go b/engine/daemon/stats_collector.go
new file mode 100644
index 00000000..0490b2ea
--- /dev/null
+++ b/engine/daemon/stats_collector.go
@@ -0,0 +1,26 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"runtime"
+	"time"
+
+	"github.com/docker/docker/daemon/stats"
+	"github.com/docker/docker/pkg/system"
+)
+
+// newStatsCollector returns a new statsCollector that collections
+// stats for a registered container at the specified interval.
+// The collector allows non-running containers to be added
+// and will start processing stats when they are started.
+func (daemon *Daemon) newStatsCollector(interval time.Duration) *stats.Collector {
+	// FIXME(vdemeester) move this elsewhere
+	if runtime.GOOS == "linux" {
+		meminfo, err := system.ReadMemInfo()
+		if err == nil && meminfo.MemTotal > 0 {
+			daemon.machineMemory = uint64(meminfo.MemTotal)
+		}
+	}
+	s := stats.NewCollector(daemon, interval)
+	go s.Run()
+	return s
+}
diff --git a/engine/daemon/stats_unix.go b/engine/daemon/stats_unix.go
new file mode 100644
index 00000000..ee78ca68
--- /dev/null
+++ b/engine/daemon/stats_unix.go
@@ -0,0 +1,57 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/container"
+	"github.com/pkg/errors"
+)
+
+// Resolve Network SandboxID in case the container reuse another container's network stack
+func (daemon *Daemon) getNetworkSandboxID(c *container.Container) (string, error) {
+	curr := c
+	for curr.HostConfig.NetworkMode.IsContainer() {
+		containerID := curr.HostConfig.NetworkMode.ConnectedContainer()
+		connected, err := daemon.GetContainer(containerID)
+		if err != nil {
+			return "", errors.Wrapf(err, "Could not get container for %s", containerID)
+		}
+		curr = connected
+	}
+	return curr.NetworkSettings.SandboxID, nil
+}
+
+func (daemon *Daemon) getNetworkStats(c *container.Container) (map[string]types.NetworkStats, error) {
+	sandboxID, err := daemon.getNetworkSandboxID(c)
+	if err != nil {
+		return nil, err
+	}
+
+	sb, err := daemon.netController.SandboxByID(sandboxID)
+	if err != nil {
+		return nil, err
+	}
+
+	lnstats, err := sb.Statistics()
+	if err != nil {
+		return nil, err
+	}
+
+	stats := make(map[string]types.NetworkStats)
+	// Convert libnetwork nw stats into api stats
+	for ifName, ifStats := range lnstats {
+		stats[ifName] = types.NetworkStats{
+			RxBytes:   ifStats.RxBytes,
+			RxPackets: ifStats.RxPackets,
+			RxErrors:  ifStats.RxErrors,
+			RxDropped: ifStats.RxDropped,
+			TxBytes:   ifStats.TxBytes,
+			TxPackets: ifStats.TxPackets,
+			TxErrors:  ifStats.TxErrors,
+			TxDropped: ifStats.TxDropped,
+		}
+	}
+
+	return stats, nil
+}
diff --git a/engine/daemon/stats_windows.go b/engine/daemon/stats_windows.go
new file mode 100644
index 00000000..0306332b
--- /dev/null
+++ b/engine/daemon/stats_windows.go
@@ -0,0 +1,11 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/container"
+)
+
+// Windows network stats are obtained directly through HCS, hence this is a no-op.
+func (daemon *Daemon) getNetworkStats(c *container.Container) (map[string]types.NetworkStats, error) {
+	return make(map[string]types.NetworkStats), nil
+}
diff --git a/engine/daemon/stop.go b/engine/daemon/stop.go
new file mode 100644
index 00000000..c3ac0905
--- /dev/null
+++ b/engine/daemon/stop.go
@@ -0,0 +1,89 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"time"
+
+	containerpkg "github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// ContainerStop looks for the given container and stops it.
+// In case the container fails to stop gracefully within a time duration
+// specified by the timeout argument, in seconds, it is forcefully
+// terminated (killed).
+//
+// If the timeout is nil, the container's StopTimeout value is used, if set,
+// otherwise the engine default. A negative timeout value can be specified,
+// meaning no timeout, i.e. no forceful termination is performed.
+func (daemon *Daemon) ContainerStop(name string, timeout *int) error {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+	if !container.IsRunning() {
+		return containerNotModifiedError{running: false}
+	}
+	if timeout == nil {
+		stopTimeout := container.StopTimeout()
+		timeout = &stopTimeout
+	}
+	if err := daemon.containerStop(container, *timeout); err != nil {
+		return errdefs.System(errors.Wrapf(err, "cannot stop container: %s", name))
+	}
+	return nil
+}
+
+// containerStop sends a stop signal, waits, sends a kill signal.
+func (daemon *Daemon) containerStop(container *containerpkg.Container, seconds int) error {
+	if !container.IsRunning() {
+		return nil
+	}
+
+	stopSignal := container.StopSignal()
+	// 1. Send a stop signal
+	if err := daemon.killPossiblyDeadProcess(container, stopSignal); err != nil {
+		// While normally we might "return err" here we're not going to
+		// because if we can't stop the container by this point then
+		// it's probably because it's already stopped. Meaning, between
+		// the time of the IsRunning() call above and now it stopped.
+		// Also, since the err return will be environment specific we can't
+		// look for any particular (common) error that would indicate
+		// that the process is already dead vs something else going wrong.
+		// So, instead we'll give it up to 2 more seconds to complete and if
+		// by that time the container is still running, then the error
+		// we got is probably valid and so we force kill it.
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+
+		if status := <-container.Wait(ctx, containerpkg.WaitConditionNotRunning); status.Err() != nil {
+			logrus.Infof("Container failed to stop after sending signal %d to the process, force killing", stopSignal)
+			if err := daemon.killPossiblyDeadProcess(container, 9); err != nil {
+				return err
+			}
+		}
+	}
+
+	// 2. Wait for the process to exit on its own
+	ctx := context.Background()
+	if seconds >= 0 {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithTimeout(ctx, time.Duration(seconds)*time.Second)
+		defer cancel()
+	}
+
+	if status := <-container.Wait(ctx, containerpkg.WaitConditionNotRunning); status.Err() != nil {
+		logrus.Infof("Container %v failed to exit within %d seconds of signal %d - using the force", container.ID, seconds, stopSignal)
+		// 3. If it doesn't, then send SIGKILL
+		if err := daemon.Kill(container); err != nil {
+			// Wait without a timeout, ignore result.
+			<-container.Wait(context.Background(), containerpkg.WaitConditionNotRunning)
+			logrus.Warn(err) // Don't return error because we only care that container is stopped, not what function stopped it
+		}
+	}
+
+	daemon.LogContainerEvent(container, "stop")
+	return nil
+}
diff --git a/engine/daemon/testdata/keyfile b/engine/daemon/testdata/keyfile
new file mode 100644
index 00000000..322f2544
--- /dev/null
+++ b/engine/daemon/testdata/keyfile
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+keyID: AWX2:I27X:WQFX:IOMK:CNAK:O7PW:VYNB:ZLKC:CVAE:YJP2:SI4A:XXAY
+
+MHcCAQEEILHTRWdcpKWsnORxSFyBnndJ4ROU41hMtr/GCiLVvwBQoAoGCCqGSM49
+AwEHoUQDQgAElpVFbQ2V2UQKajqdE3fVxJ+/pE/YuEFOxWbOxF2be19BY209/iky
+NzeFFK7SLpQ4CBJ7zDVXOHsMzrkY/GquGA==
+-----END EC PRIVATE KEY-----
diff --git a/engine/daemon/top_unix.go b/engine/daemon/top_unix.go
new file mode 100644
index 00000000..99ca56f0
--- /dev/null
+++ b/engine/daemon/top_unix.go
@@ -0,0 +1,189 @@
+//+build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os/exec"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+)
+
+func validatePSArgs(psArgs string) error {
+	// NOTE: \\s does not detect unicode whitespaces.
+	// So we use fieldsASCII instead of strings.Fields in parsePSOutput.
+	// See https://github.com/docker/docker/pull/24358
+	// nolint: gosimple
+	re := regexp.MustCompile("\\s+([^\\s]*)=\\s*(PID[^\\s]*)")
+	for _, group := range re.FindAllStringSubmatch(psArgs, -1) {
+		if len(group) >= 3 {
+			k := group[1]
+			v := group[2]
+			if k != "pid" {
+				return fmt.Errorf("specifying \"%s=%s\" is not allowed", k, v)
+			}
+		}
+	}
+	return nil
+}
+
+// fieldsASCII is similar to strings.Fields but only allows ASCII whitespaces
+func fieldsASCII(s string) []string {
+	fn := func(r rune) bool {
+		switch r {
+		case '\t', '\n', '\f', '\r', ' ':
+			return true
+		}
+		return false
+	}
+	return strings.FieldsFunc(s, fn)
+}
+
+func appendProcess2ProcList(procList *container.ContainerTopOKBody, fields []string) {
+	// Make sure number of fields equals number of header titles
+	// merging "overhanging" fields
+	process := fields[:len(procList.Titles)-1]
+	process = append(process, strings.Join(fields[len(procList.Titles)-1:], " "))
+	procList.Processes = append(procList.Processes, process)
+}
+
+func hasPid(procs []uint32, pid int) bool {
+	for _, p := range procs {
+		if int(p) == pid {
+			return true
+		}
+	}
+	return false
+}
+
+func parsePSOutput(output []byte, procs []uint32) (*container.ContainerTopOKBody, error) {
+	procList := &container.ContainerTopOKBody{}
+
+	lines := strings.Split(string(output), "\n")
+	procList.Titles = fieldsASCII(lines[0])
+
+	pidIndex := -1
+	for i, name := range procList.Titles {
+		if name == "PID" {
+			pidIndex = i
+			break
+		}
+	}
+	if pidIndex == -1 {
+		return nil, fmt.Errorf("Couldn't find PID field in ps output")
+	}
+
+	// loop through the output and extract the PID from each line
+	// fixing #30580, be able to display thread line also when "m" option used
+	// in "docker top" client command
+	preContainedPidFlag := false
+	for _, line := range lines[1:] {
+		if len(line) == 0 {
+			continue
+		}
+		fields := fieldsASCII(line)
+
+		var (
+			p   int
+			err error
+		)
+
+		if fields[pidIndex] == "-" {
+			if preContainedPidFlag {
+				appendProcess2ProcList(procList, fields)
+			}
+			continue
+		}
+		p, err = strconv.Atoi(fields[pidIndex])
+		if err != nil {
+			return nil, fmt.Errorf("Unexpected pid '%s': %s", fields[pidIndex], err)
+		}
+
+		if hasPid(procs, p) {
+			preContainedPidFlag = true
+			appendProcess2ProcList(procList, fields)
+			continue
+		}
+		preContainedPidFlag = false
+	}
+	return procList, nil
+}
+
+// psPidsArg converts a slice of PIDs to a string consisting
+// of comma-separated list of PIDs prepended by "-q".
+// For example, psPidsArg([]uint32{1,2,3}) returns "-q1,2,3".
+func psPidsArg(pids []uint32) string {
+	b := []byte{'-', 'q'}
+	for i, p := range pids {
+		b = strconv.AppendUint(b, uint64(p), 10)
+		if i < len(pids)-1 {
+			b = append(b, ',')
+		}
+	}
+	return string(b)
+}
+
+// ContainerTop lists the processes running inside of the given
+// container by calling ps with the given args, or with the flags
+// "-ef" if no args are given.  An error is returned if the container
+// is not found, or is not running, or if there are any problems
+// running ps, or parsing the output.
+func (daemon *Daemon) ContainerTop(name string, psArgs string) (*container.ContainerTopOKBody, error) {
+	if psArgs == "" {
+		psArgs = "-ef"
+	}
+
+	if err := validatePSArgs(psArgs); err != nil {
+		return nil, err
+	}
+
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	if !container.IsRunning() {
+		return nil, errNotRunning(container.ID)
+	}
+
+	if container.IsRestarting() {
+		return nil, errContainerIsRestarting(container.ID)
+	}
+
+	procs, err := daemon.containerd.ListPids(context.Background(), container.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	args := strings.Split(psArgs, " ")
+	pids := psPidsArg(procs)
+	output, err := exec.Command("ps", append(args, pids)...).Output()
+	if err != nil {
+		// some ps options (such as f) can't be used together with q,
+		// so retry without it
+		output, err = exec.Command("ps", args...).Output()
+		if err != nil {
+			if ee, ok := err.(*exec.ExitError); ok {
+				// first line of stderr shows why ps failed
+				line := bytes.SplitN(ee.Stderr, []byte{'\n'}, 2)
+				if len(line) > 0 && len(line[0]) > 0 {
+					err = errors.New(string(line[0]))
+				}
+			}
+			return nil, errdefs.System(errors.Wrap(err, "ps"))
+		}
+	}
+	procList, err := parsePSOutput(output, procs)
+	if err != nil {
+		return nil, err
+	}
+	daemon.LogContainerEvent(container, "top")
+	return procList, nil
+}
diff --git a/engine/daemon/top_unix_test.go b/engine/daemon/top_unix_test.go
new file mode 100644
index 00000000..41cb3e1c
--- /dev/null
+++ b/engine/daemon/top_unix_test.go
@@ -0,0 +1,79 @@
+//+build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"testing"
+)
+
+func TestContainerTopValidatePSArgs(t *testing.T) {
+	tests := map[string]bool{
+		"ae -o uid=PID":             true,
+		"ae -o \"uid= PID\"":        true,  // ascii space (0x20)
+		"ae -o \"uid= PID\"":        false, // unicode space (U+2003, 0xe2 0x80 0x83)
+		"ae o uid=PID":              true,
+		"aeo uid=PID":               true,
+		"ae -O uid=PID":             true,
+		"ae -o pid=PID2 -o uid=PID": true,
+		"ae -o pid=PID":             false,
+		"ae -o pid=PID -o uid=PIDX": true, // FIXME: we do not need to prohibit this
+		"aeo pid=PID":               false,
+		"ae":                        false,
+		"":                          false,
+	}
+	for psArgs, errExpected := range tests {
+		err := validatePSArgs(psArgs)
+		t.Logf("tested %q, got err=%v", psArgs, err)
+		if errExpected && err == nil {
+			t.Fatalf("expected error, got %v (%q)", err, psArgs)
+		}
+		if !errExpected && err != nil {
+			t.Fatalf("expected nil, got %v (%q)", err, psArgs)
+		}
+	}
+}
+
+func TestContainerTopParsePSOutput(t *testing.T) {
+	tests := []struct {
+		output      []byte
+		pids        []uint32
+		errExpected bool
+	}{
+		{[]byte(`  PID COMMAND
+   42 foo
+   43 bar
+		- -
+  100 baz
+`), []uint32{42, 43}, false},
+		{[]byte(`  UID COMMAND
+   42 foo
+   43 bar
+		- -
+  100 baz
+`), []uint32{42, 43}, true},
+		// unicode space (U+2003, 0xe2 0x80 0x83)
+		{[]byte(` PID COMMAND
+   42 foo
+   43 bar
+		- -
+  100 baz
+`), []uint32{42, 43}, true},
+		// the first space is U+2003, the second one is ascii.
+		{[]byte(` PID COMMAND
+   42 foo
+   43 bar
+  100 baz
+`), []uint32{42, 43}, true},
+	}
+
+	for _, f := range tests {
+		_, err := parsePSOutput(f.output, f.pids)
+		t.Logf("tested %q, got err=%v", string(f.output), err)
+		if f.errExpected && err == nil {
+			t.Fatalf("expected error, got %v (%q)", err, string(f.output))
+		}
+		if !f.errExpected && err != nil {
+			t.Fatalf("expected nil, got %v (%q)", err, string(f.output))
+		}
+	}
+}
diff --git a/engine/daemon/top_windows.go b/engine/daemon/top_windows.go
new file mode 100644
index 00000000..1b3f8439
--- /dev/null
+++ b/engine/daemon/top_windows.go
@@ -0,0 +1,63 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/go-units"
+)
+
+// ContainerTop handles `docker top` client requests.
+// Future considerations:
+// -- Windows users are far more familiar with CPU% total.
+//    Further, users on Windows rarely see user/kernel CPU stats split.
+//    The kernel returns everything in terms of 100ns. To obtain
+//    CPU%, we could do something like docker stats does which takes two
+//    samples, subtract the difference and do the maths. Unfortunately this
+//    would slow the stat call down and require two kernel calls. So instead,
+//    we do something similar to linux and display the CPU as combined HH:MM:SS.mmm.
+// -- Perhaps we could add an argument to display "raw" stats
+// -- "Memory" is an extremely overloaded term in Windows. Hence we do what
+//    task manager does and use the private working set as the memory counter.
+//    We could return more info for those who really understand how memory
+//    management works in Windows if we introduced a "raw" stats (above).
+func (daemon *Daemon) ContainerTop(name string, psArgs string) (*containertypes.ContainerTopOKBody, error) {
+	// It's not at all an equivalent to linux 'ps' on Windows
+	if psArgs != "" {
+		return nil, errors.New("Windows does not support arguments to top")
+	}
+
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	if !container.IsRunning() {
+		return nil, errNotRunning(container.ID)
+	}
+
+	if container.IsRestarting() {
+		return nil, errContainerIsRestarting(container.ID)
+	}
+
+	s, err := daemon.containerd.Summary(context.Background(), container.ID)
+	if err != nil {
+		return nil, err
+	}
+	procList := &containertypes.ContainerTopOKBody{}
+	procList.Titles = []string{"Name", "PID", "CPU", "Private Working Set"}
+
+	for _, j := range s {
+		d := time.Duration((j.KernelTime100ns + j.UserTime100ns) * 100) // Combined time in nanoseconds
+		procList.Processes = append(procList.Processes, []string{
+			j.ImageName,
+			fmt.Sprint(j.ProcessId),
+			fmt.Sprintf("%02d:%02d:%02d.%03d", int(d.Hours()), int(d.Minutes())%60, int(d.Seconds())%60, int(d.Nanoseconds()/1000000)%1000),
+			units.HumanSize(float64(j.MemoryWorkingSetPrivateBytes))})
+	}
+
+	return procList, nil
+}
diff --git a/engine/daemon/trustkey.go b/engine/daemon/trustkey.go
new file mode 100644
index 00000000..bf00b6a3
--- /dev/null
+++ b/engine/daemon/trustkey.go
@@ -0,0 +1,57 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/libtrust"
+)
+
+// LoadOrCreateTrustKey attempts to load the libtrust key at the given path,
+// otherwise generates a new one
+// TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need
+// a refactor or this function to be moved into libtrust
+func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
+	err := system.MkdirAll(filepath.Dir(trustKeyPath), 0700, "")
+	if err != nil {
+		return nil, err
+	}
+	trustKey, err := libtrust.LoadKeyFile(trustKeyPath)
+	if err == libtrust.ErrKeyFileDoesNotExist {
+		trustKey, err = libtrust.GenerateECP256PrivateKey()
+		if err != nil {
+			return nil, fmt.Errorf("Error generating key: %s", err)
+		}
+		encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))
+		if err != nil {
+			return nil, fmt.Errorf("Error serializing key: %s", err)
+		}
+		if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {
+			return nil, fmt.Errorf("Error saving key file: %s", err)
+		}
+	} else if err != nil {
+		return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)
+	}
+	return trustKey, nil
+}
+
+func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {
+	if ext == ".json" || ext == ".jwk" {
+		encoded, err = json.Marshal(key)
+		if err != nil {
+			return nil, fmt.Errorf("unable to encode private key JWK: %s", err)
+		}
+	} else {
+		pemBlock, err := key.PEMBlock()
+		if err != nil {
+			return nil, fmt.Errorf("unable to encode private key PEM: %s", err)
+		}
+		encoded = pem.EncodeToMemory(pemBlock)
+	}
+	return
+}
diff --git a/engine/daemon/trustkey_test.go b/engine/daemon/trustkey_test.go
new file mode 100644
index 00000000..e49e76aa
--- /dev/null
+++ b/engine/daemon/trustkey_test.go
@@ -0,0 +1,71 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+)
+
+// LoadOrCreateTrustKey
+func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) {
+	tmpKeyFolderPath, err := ioutil.TempDir("", "api-trustkey-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpKeyFolderPath)
+
+	tmpKeyFile, err := ioutil.TempFile(tmpKeyFolderPath, "keyfile")
+	assert.NilError(t, err)
+
+	_, err = loadOrCreateTrustKey(tmpKeyFile.Name())
+	assert.Check(t, is.ErrorContains(err, "Error loading key file"))
+}
+
+func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {
+	tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")
+	defer tmpKeyFolderPath.Remove()
+
+	// Without the need to create the folder hierarchy
+	tmpKeyFile := tmpKeyFolderPath.Join("keyfile")
+
+	key, err := loadOrCreateTrustKey(tmpKeyFile)
+	assert.NilError(t, err)
+	assert.Check(t, key != nil)
+
+	_, err = os.Stat(tmpKeyFile)
+	assert.NilError(t, err, "key file doesn't exist")
+}
+
+func TestLoadOrCreateTrustKeyCreateKeyWhenDirectoryDoesNotExist(t *testing.T) {
+	tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")
+	defer tmpKeyFolderPath.Remove()
+	tmpKeyFile := tmpKeyFolderPath.Join("folder/hierarchy/keyfile")
+
+	key, err := loadOrCreateTrustKey(tmpKeyFile)
+	assert.NilError(t, err)
+	assert.Check(t, key != nil)
+
+	_, err = os.Stat(tmpKeyFile)
+	assert.NilError(t, err, "key file doesn't exist")
+}
+
+func TestLoadOrCreateTrustKeyCreateKeyNoPath(t *testing.T) {
+	defer os.Remove("keyfile")
+	key, err := loadOrCreateTrustKey("keyfile")
+	assert.NilError(t, err)
+	assert.Check(t, key != nil)
+
+	_, err = os.Stat("keyfile")
+	assert.NilError(t, err, "key file doesn't exist")
+}
+
+func TestLoadOrCreateTrustKeyLoadValidKey(t *testing.T) {
+	tmpKeyFile := filepath.Join("testdata", "keyfile")
+	key, err := loadOrCreateTrustKey(tmpKeyFile)
+	assert.NilError(t, err)
+	expected := "AWX2:I27X:WQFX:IOMK:CNAK:O7PW:VYNB:ZLKC:CVAE:YJP2:SI4A:XXAY"
+	assert.Check(t, is.Contains(key.String(), expected))
+}
diff --git a/engine/daemon/unpause.go b/engine/daemon/unpause.go
new file mode 100644
index 00000000..9061d50a
--- /dev/null
+++ b/engine/daemon/unpause.go
@@ -0,0 +1,44 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/docker/container"
+	"github.com/sirupsen/logrus"
+)
+
+// ContainerUnpause unpauses a container
+func (daemon *Daemon) ContainerUnpause(name string) error {
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+	return daemon.containerUnpause(container)
+}
+
+// containerUnpause resumes the container execution after the container is paused.
+func (daemon *Daemon) containerUnpause(container *container.Container) error {
+	container.Lock()
+	defer container.Unlock()
+
+	// We cannot unpause the container which is not paused
+	if !container.Paused {
+		return fmt.Errorf("Container %s is not paused", container.ID)
+	}
+
+	if err := daemon.containerd.Resume(context.Background(), container.ID); err != nil {
+		return fmt.Errorf("Cannot unpause container %s: %s", container.ID, err)
+	}
+
+	container.Paused = false
+	daemon.setStateCounter(container)
+	daemon.updateHealthMonitor(container)
+	daemon.LogContainerEvent(container, "unpause")
+
+	if err := container.CheckpointTo(daemon.containersReplica); err != nil {
+		logrus.WithError(err).Warnf("could not save container to disk")
+	}
+
+	return nil
+}
diff --git a/engine/daemon/update.go b/engine/daemon/update.go
new file mode 100644
index 00000000..0ebb139d
--- /dev/null
+++ b/engine/daemon/update.go
@@ -0,0 +1,95 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+)
+
+// ContainerUpdate updates configuration of the container
+func (daemon *Daemon) ContainerUpdate(name string, hostConfig *container.HostConfig) (container.ContainerUpdateOKBody, error) {
+	var warnings []string
+
+	c, err := daemon.GetContainer(name)
+	if err != nil {
+		return container.ContainerUpdateOKBody{Warnings: warnings}, err
+	}
+
+	warnings, err = daemon.verifyContainerSettings(c.OS, hostConfig, nil, true)
+	if err != nil {
+		return container.ContainerUpdateOKBody{Warnings: warnings}, errdefs.InvalidParameter(err)
+	}
+
+	if err := daemon.update(name, hostConfig); err != nil {
+		return container.ContainerUpdateOKBody{Warnings: warnings}, err
+	}
+
+	return container.ContainerUpdateOKBody{Warnings: warnings}, nil
+}
+
+func (daemon *Daemon) update(name string, hostConfig *container.HostConfig) error {
+	if hostConfig == nil {
+		return nil
+	}
+
+	container, err := daemon.GetContainer(name)
+	if err != nil {
+		return err
+	}
+
+	restoreConfig := false
+	backupHostConfig := *container.HostConfig
+	defer func() {
+		if restoreConfig {
+			container.Lock()
+			container.HostConfig = &backupHostConfig
+			container.CheckpointTo(daemon.containersReplica)
+			container.Unlock()
+		}
+	}()
+
+	if container.RemovalInProgress || container.Dead {
+		return errCannotUpdate(container.ID, fmt.Errorf("container is marked for removal and cannot be \"update\""))
+	}
+
+	container.Lock()
+	if err := container.UpdateContainer(hostConfig); err != nil {
+		restoreConfig = true
+		container.Unlock()
+		return errCannotUpdate(container.ID, err)
+	}
+	if err := container.CheckpointTo(daemon.containersReplica); err != nil {
+		restoreConfig = true
+		container.Unlock()
+		return errCannotUpdate(container.ID, err)
+	}
+	container.Unlock()
+
+	// if Restart Policy changed, we need to update container monitor
+	if hostConfig.RestartPolicy.Name != "" {
+		container.UpdateMonitor(hostConfig.RestartPolicy)
+	}
+
+	// If container is not running, update hostConfig struct is enough,
+	// resources will be updated when the container is started again.
+	// If container is running (including paused), we need to update configs
+	// to the real world.
+	if container.IsRunning() && !container.IsRestarting() {
+		if err := daemon.containerd.UpdateResources(context.Background(), container.ID, toContainerdResources(hostConfig.Resources)); err != nil {
+			restoreConfig = true
+			// TODO: it would be nice if containerd responded with better errors here so we can classify this better.
+			return errCannotUpdate(container.ID, errdefs.System(err))
+		}
+	}
+
+	daemon.LogContainerEvent(container, "update")
+
+	return nil
+}
+
+func errCannotUpdate(containerID string, err error) error {
+	return errors.Wrap(err, "Cannot update container "+containerID)
+}
diff --git a/engine/daemon/update_linux.go b/engine/daemon/update_linux.go
new file mode 100644
index 00000000..6a307eab
--- /dev/null
+++ b/engine/daemon/update_linux.go
@@ -0,0 +1,54 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/libcontainerd"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func toContainerdResources(resources container.Resources) *libcontainerd.Resources {
+	var r libcontainerd.Resources
+
+	r.BlockIO = &specs.LinuxBlockIO{
+		Weight: &resources.BlkioWeight,
+	}
+
+	shares := uint64(resources.CPUShares)
+	r.CPU = &specs.LinuxCPU{
+		Shares: &shares,
+		Cpus:   resources.CpusetCpus,
+		Mems:   resources.CpusetMems,
+	}
+
+	var (
+		period uint64
+		quota  int64
+	)
+	if resources.NanoCPUs != 0 {
+		period = uint64(100 * time.Millisecond / time.Microsecond)
+		quota = resources.NanoCPUs * int64(period) / 1e9
+	}
+	if quota == 0 && resources.CPUQuota != 0 {
+		quota = resources.CPUQuota
+	}
+	if period == 0 && resources.CPUPeriod != 0 {
+		period = uint64(resources.CPUPeriod)
+	}
+
+	r.CPU.Period = &period
+	r.CPU.Quota = &quota
+
+	r.Memory = &specs.LinuxMemory{
+		Limit:       &resources.Memory,
+		Reservation: &resources.MemoryReservation,
+		Kernel:      &resources.KernelMemory,
+	}
+
+	if resources.MemorySwap > 0 {
+		r.Memory.Swap = &resources.MemorySwap
+	}
+
+	return &r
+}
diff --git a/engine/daemon/update_windows.go b/engine/daemon/update_windows.go
new file mode 100644
index 00000000..fada3c1c
--- /dev/null
+++ b/engine/daemon/update_windows.go
@@ -0,0 +1,11 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/libcontainerd"
+)
+
+func toContainerdResources(resources container.Resources) *libcontainerd.Resources {
+	// We don't support update, so do nothing
+	return nil
+}
diff --git a/engine/daemon/util_test.go b/engine/daemon/util_test.go
new file mode 100644
index 00000000..b2c464f7
--- /dev/null
+++ b/engine/daemon/util_test.go
@@ -0,0 +1,65 @@
+// +build linux
+
+package daemon
+
+import (
+	"context"
+	"time"
+
+	"github.com/containerd/containerd"
+	"github.com/docker/docker/libcontainerd"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// Mock containerd client implementation, for unit tests.
+type MockContainerdClient struct {
+}
+
+func (c *MockContainerdClient) Version(ctx context.Context) (containerd.Version, error) {
+	return containerd.Version{}, nil
+}
+func (c *MockContainerdClient) Restore(ctx context.Context, containerID string, attachStdio libcontainerd.StdioCallback) (alive bool, pid int, err error) {
+	return false, 0, nil
+}
+func (c *MockContainerdClient) Create(ctx context.Context, containerID string, spec *specs.Spec, runtimeOptions interface{}) error {
+	return nil
+}
+func (c *MockContainerdClient) Start(ctx context.Context, containerID, checkpointDir string, withStdin bool, attachStdio libcontainerd.StdioCallback) (pid int, err error) {
+	return 0, nil
+}
+func (c *MockContainerdClient) SignalProcess(ctx context.Context, containerID, processID string, signal int) error {
+	return nil
+}
+func (c *MockContainerdClient) Exec(ctx context.Context, containerID, processID string, spec *specs.Process, withStdin bool, attachStdio libcontainerd.StdioCallback) (int, error) {
+	return 0, nil
+}
+func (c *MockContainerdClient) ResizeTerminal(ctx context.Context, containerID, processID string, width, height int) error {
+	return nil
+}
+func (c *MockContainerdClient) CloseStdin(ctx context.Context, containerID, processID string) error {
+	return nil
+}
+func (c *MockContainerdClient) Pause(ctx context.Context, containerID string) error  { return nil }
+func (c *MockContainerdClient) Resume(ctx context.Context, containerID string) error { return nil }
+func (c *MockContainerdClient) Stats(ctx context.Context, containerID string) (*libcontainerd.Stats, error) {
+	return nil, nil
+}
+func (c *MockContainerdClient) ListPids(ctx context.Context, containerID string) ([]uint32, error) {
+	return nil, nil
+}
+func (c *MockContainerdClient) Summary(ctx context.Context, containerID string) ([]libcontainerd.Summary, error) {
+	return nil, nil
+}
+func (c *MockContainerdClient) DeleteTask(ctx context.Context, containerID string) (uint32, time.Time, error) {
+	return 0, time.Time{}, nil
+}
+func (c *MockContainerdClient) Delete(ctx context.Context, containerID string) error { return nil }
+func (c *MockContainerdClient) Status(ctx context.Context, containerID string) (libcontainerd.Status, error) {
+	return "null", nil
+}
+func (c *MockContainerdClient) UpdateResources(ctx context.Context, containerID string, resources *libcontainerd.Resources) error {
+	return nil
+}
+func (c *MockContainerdClient) CreateCheckpoint(ctx context.Context, containerID, checkpointDir string, exit bool) error {
+	return nil
+}
diff --git a/engine/daemon/volumes.go b/engine/daemon/volumes.go
new file mode 100644
index 00000000..d1c98d0a
--- /dev/null
+++ b/engine/daemon/volumes.go
@@ -0,0 +1,421 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/volume"
+	volumemounts "github.com/docker/docker/volume/mounts"
+	"github.com/docker/docker/volume/service"
+	volumeopts "github.com/docker/docker/volume/service/opts"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// ErrVolumeReadonly is used to signal an error when trying to copy data into
+	// a volume mount that is not writable.
+	ErrVolumeReadonly = errors.New("mounted volume is marked read-only")
+)
+
+type mounts []container.Mount
+
+// Len returns the number of mounts. Used in sorting.
+func (m mounts) Len() int {
+	return len(m)
+}
+
+// Less returns true if the number of parts (a/b/c would be 3 parts) in the
+// mount indexed by parameter 1 is less than that of the mount indexed by
+// parameter 2. Used in sorting.
+func (m mounts) Less(i, j int) bool {
+	return m.parts(i) < m.parts(j)
+}
+
+// Swap swaps two items in an array of mounts. Used in sorting
+func (m mounts) Swap(i, j int) {
+	m[i], m[j] = m[j], m[i]
+}
+
+// parts returns the number of parts in the destination of a mount. Used in sorting.
+func (m mounts) parts(i int) int {
+	return strings.Count(filepath.Clean(m[i].Destination), string(os.PathSeparator))
+}
+
+// registerMountPoints initializes the container mount points with the configured volumes and bind mounts.
+// It follows the next sequence to decide what to mount in each final destination:
+//
+// 1. Select the previously configured mount points for the containers, if any.
+// 2. Select the volumes mounted from another containers. Overrides previously configured mount point destination.
+// 3. Select the bind mounts set by the client. Overrides previously configured mount point destinations.
+// 4. Cleanup old volumes that are about to be reassigned.
+func (daemon *Daemon) registerMountPoints(container *container.Container, hostConfig *containertypes.HostConfig) (retErr error) {
+	binds := map[string]bool{}
+	mountPoints := map[string]*volumemounts.MountPoint{}
+	parser := volumemounts.NewParser(container.OS)
+
+	ctx := context.TODO()
+	defer func() {
+		// clean up the container mountpoints once return with error
+		if retErr != nil {
+			for _, m := range mountPoints {
+				if m.Volume == nil {
+					continue
+				}
+				daemon.volumes.Release(ctx, m.Volume.Name(), container.ID)
+			}
+		}
+	}()
+
+	dereferenceIfExists := func(destination string) {
+		if v, ok := mountPoints[destination]; ok {
+			logrus.Debugf("Duplicate mount point '%s'", destination)
+			if v.Volume != nil {
+				daemon.volumes.Release(ctx, v.Volume.Name(), container.ID)
+			}
+		}
+	}
+
+	// 1. Read already configured mount points.
+	for destination, point := range container.MountPoints {
+		mountPoints[destination] = point
+	}
+
+	// 2. Read volumes from other containers.
+	for _, v := range hostConfig.VolumesFrom {
+		containerID, mode, err := parser.ParseVolumesFrom(v)
+		if err != nil {
+			return err
+		}
+
+		c, err := daemon.GetContainer(containerID)
+		if err != nil {
+			return err
+		}
+
+		for _, m := range c.MountPoints {
+			cp := &volumemounts.MountPoint{
+				Type:        m.Type,
+				Name:        m.Name,
+				Source:      m.Source,
+				RW:          m.RW && parser.ReadWrite(mode),
+				Driver:      m.Driver,
+				Destination: m.Destination,
+				Propagation: m.Propagation,
+				Spec:        m.Spec,
+				CopyData:    false,
+			}
+
+			if len(cp.Source) == 0 {
+				v, err := daemon.volumes.Get(ctx, cp.Name, volumeopts.WithGetDriver(cp.Driver), volumeopts.WithGetReference(container.ID))
+				if err != nil {
+					return err
+				}
+				cp.Volume = &volumeWrapper{v: v, s: daemon.volumes}
+			}
+			dereferenceIfExists(cp.Destination)
+			mountPoints[cp.Destination] = cp
+		}
+	}
+
+	// 3. Read bind mounts
+	for _, b := range hostConfig.Binds {
+		bind, err := parser.ParseMountRaw(b, hostConfig.VolumeDriver)
+		if err != nil {
+			return err
+		}
+		needsSlavePropagation, err := daemon.validateBindDaemonRoot(bind.Spec)
+		if err != nil {
+			return err
+		}
+		if needsSlavePropagation {
+			bind.Propagation = mount.PropagationRSlave
+		}
+
+		// #10618
+		_, tmpfsExists := hostConfig.Tmpfs[bind.Destination]
+		if binds[bind.Destination] || tmpfsExists {
+			return duplicateMountPointError(bind.Destination)
+		}
+
+		if bind.Type == mounttypes.TypeVolume {
+			// create the volume
+			v, err := daemon.volumes.Create(ctx, bind.Name, bind.Driver, volumeopts.WithCreateReference(container.ID))
+			if err != nil {
+				return err
+			}
+			bind.Volume = &volumeWrapper{v: v, s: daemon.volumes}
+			bind.Source = v.Mountpoint
+			// bind.Name is an already existing volume, we need to use that here
+			bind.Driver = v.Driver
+			if bind.Driver == volume.DefaultDriverName {
+				setBindModeIfNull(bind)
+			}
+		}
+
+		binds[bind.Destination] = true
+		dereferenceIfExists(bind.Destination)
+		mountPoints[bind.Destination] = bind
+	}
+
+	for _, cfg := range hostConfig.Mounts {
+		mp, err := parser.ParseMountSpec(cfg)
+		if err != nil {
+			return errdefs.InvalidParameter(err)
+		}
+		needsSlavePropagation, err := daemon.validateBindDaemonRoot(mp.Spec)
+		if err != nil {
+			return err
+		}
+		if needsSlavePropagation {
+			mp.Propagation = mount.PropagationRSlave
+		}
+
+		if binds[mp.Destination] {
+			return duplicateMountPointError(cfg.Target)
+		}
+
+		if mp.Type == mounttypes.TypeVolume {
+			var v *types.Volume
+			if cfg.VolumeOptions != nil {
+				var driverOpts map[string]string
+				if cfg.VolumeOptions.DriverConfig != nil {
+					driverOpts = cfg.VolumeOptions.DriverConfig.Options
+				}
+				v, err = daemon.volumes.Create(ctx,
+					mp.Name,
+					mp.Driver,
+					volumeopts.WithCreateReference(container.ID),
+					volumeopts.WithCreateOptions(driverOpts),
+					volumeopts.WithCreateLabels(cfg.VolumeOptions.Labels),
+				)
+			} else {
+				v, err = daemon.volumes.Create(ctx, mp.Name, mp.Driver, volumeopts.WithCreateReference(container.ID))
+			}
+			if err != nil {
+				return err
+			}
+
+			mp.Volume = &volumeWrapper{v: v, s: daemon.volumes}
+			mp.Name = v.Name
+			mp.Driver = v.Driver
+
+			if mp.Driver == volume.DefaultDriverName {
+				setBindModeIfNull(mp)
+			}
+		}
+
+		if mp.Type == mounttypes.TypeBind {
+			mp.SkipMountpointCreation = true
+		}
+
+		binds[mp.Destination] = true
+		dereferenceIfExists(mp.Destination)
+		mountPoints[mp.Destination] = mp
+	}
+
+	container.Lock()
+
+	// 4. Cleanup old volumes that are about to be reassigned.
+	for _, m := range mountPoints {
+		if parser.IsBackwardCompatible(m) {
+			if mp, exists := container.MountPoints[m.Destination]; exists && mp.Volume != nil {
+				daemon.volumes.Release(ctx, mp.Volume.Name(), container.ID)
+			}
+		}
+	}
+	container.MountPoints = mountPoints
+
+	container.Unlock()
+
+	return nil
+}
+
+// lazyInitializeVolume initializes a mountpoint's volume if needed.
+// This happens after a daemon restart.
+func (daemon *Daemon) lazyInitializeVolume(containerID string, m *volumemounts.MountPoint) error {
+	if len(m.Driver) > 0 && m.Volume == nil {
+		v, err := daemon.volumes.Get(context.TODO(), m.Name, volumeopts.WithGetDriver(m.Driver), volumeopts.WithGetReference(containerID))
+		if err != nil {
+			return err
+		}
+		m.Volume = &volumeWrapper{v: v, s: daemon.volumes}
+	}
+	return nil
+}
+
+// backportMountSpec resolves mount specs (introduced in 1.13) from pre-1.13
+// mount configurations
+// The container lock should not be held when calling this function.
+// Changes are only made in-memory and may make changes to containers referenced
+// by `container.HostConfig.VolumesFrom`
+func (daemon *Daemon) backportMountSpec(container *container.Container) {
+	container.Lock()
+	defer container.Unlock()
+
+	parser := volumemounts.NewParser(container.OS)
+
+	maybeUpdate := make(map[string]bool)
+	for _, mp := range container.MountPoints {
+		if mp.Spec.Source != "" && mp.Type != "" {
+			continue
+		}
+		maybeUpdate[mp.Destination] = true
+	}
+	if len(maybeUpdate) == 0 {
+		return
+	}
+
+	mountSpecs := make(map[string]bool, len(container.HostConfig.Mounts))
+	for _, m := range container.HostConfig.Mounts {
+		mountSpecs[m.Target] = true
+	}
+
+	binds := make(map[string]*volumemounts.MountPoint, len(container.HostConfig.Binds))
+	for _, rawSpec := range container.HostConfig.Binds {
+		mp, err := parser.ParseMountRaw(rawSpec, container.HostConfig.VolumeDriver)
+		if err != nil {
+			logrus.WithError(err).Error("Got unexpected error while re-parsing raw volume spec during spec backport")
+			continue
+		}
+		binds[mp.Destination] = mp
+	}
+
+	volumesFrom := make(map[string]volumemounts.MountPoint)
+	for _, fromSpec := range container.HostConfig.VolumesFrom {
+		from, _, err := parser.ParseVolumesFrom(fromSpec)
+		if err != nil {
+			logrus.WithError(err).WithField("id", container.ID).Error("Error reading volumes-from spec during mount spec backport")
+			continue
+		}
+		fromC, err := daemon.GetContainer(from)
+		if err != nil {
+			logrus.WithError(err).WithField("from-container", from).Error("Error looking up volumes-from container")
+			continue
+		}
+
+		// make sure from container's specs have been backported
+		daemon.backportMountSpec(fromC)
+
+		fromC.Lock()
+		for t, mp := range fromC.MountPoints {
+			volumesFrom[t] = *mp
+		}
+		fromC.Unlock()
+	}
+
+	needsUpdate := func(containerMount, other *volumemounts.MountPoint) bool {
+		if containerMount.Type != other.Type || !reflect.DeepEqual(containerMount.Spec, other.Spec) {
+			return true
+		}
+		return false
+	}
+
+	// main
+	for _, cm := range container.MountPoints {
+		if !maybeUpdate[cm.Destination] {
+			continue
+		}
+		// nothing to backport if from hostconfig.Mounts
+		if mountSpecs[cm.Destination] {
+			continue
+		}
+
+		if mp, exists := binds[cm.Destination]; exists {
+			if needsUpdate(cm, mp) {
+				cm.Spec = mp.Spec
+				cm.Type = mp.Type
+			}
+			continue
+		}
+
+		if cm.Name != "" {
+			if mp, exists := volumesFrom[cm.Destination]; exists {
+				if needsUpdate(cm, &mp) {
+					cm.Spec = mp.Spec
+					cm.Type = mp.Type
+				}
+				continue
+			}
+
+			if cm.Type != "" {
+				// probably specified via the hostconfig.Mounts
+				continue
+			}
+
+			// anon volume
+			cm.Type = mounttypes.TypeVolume
+			cm.Spec.Type = mounttypes.TypeVolume
+		} else {
+			if cm.Type != "" {
+				// already updated
+				continue
+			}
+
+			cm.Type = mounttypes.TypeBind
+			cm.Spec.Type = mounttypes.TypeBind
+			cm.Spec.Source = cm.Source
+			if cm.Propagation != "" {
+				cm.Spec.BindOptions = &mounttypes.BindOptions{
+					Propagation: cm.Propagation,
+				}
+			}
+		}
+
+		cm.Spec.Target = cm.Destination
+		cm.Spec.ReadOnly = !cm.RW
+	}
+}
+
+// VolumesService is used to perform volume operations
+func (daemon *Daemon) VolumesService() *service.VolumesService {
+	return daemon.volumes
+}
+
+type volumeMounter interface {
+	Mount(ctx context.Context, v *types.Volume, ref string) (string, error)
+	Unmount(ctx context.Context, v *types.Volume, ref string) error
+}
+
+type volumeWrapper struct {
+	v *types.Volume
+	s volumeMounter
+}
+
+func (v *volumeWrapper) Name() string {
+	return v.v.Name
+}
+
+func (v *volumeWrapper) DriverName() string {
+	return v.v.Driver
+}
+
+func (v *volumeWrapper) Path() string {
+	return v.v.Mountpoint
+}
+
+func (v *volumeWrapper) Mount(ref string) (string, error) {
+	return v.s.Mount(context.TODO(), v.v, ref)
+}
+
+func (v *volumeWrapper) Unmount(ref string) error {
+	return v.s.Unmount(context.TODO(), v.v, ref)
+}
+
+func (v *volumeWrapper) CreatedAt() (time.Time, error) {
+	return time.Time{}, errors.New("not implemented")
+}
+
+func (v *volumeWrapper) Status() map[string]interface{} {
+	return v.v.Status
+}
diff --git a/engine/daemon/volumes_linux.go b/engine/daemon/volumes_linux.go
new file mode 100644
index 00000000..cf3d9ed1
--- /dev/null
+++ b/engine/daemon/volumes_linux.go
@@ -0,0 +1,36 @@
+package daemon
+
+import (
+	"strings"
+
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+)
+
+// validateBindDaemonRoot ensures that if a given mountpoint's source is within
+// the daemon root path, that the propagation is setup to prevent a container
+// from holding private refereneces to a mount within the daemon root, which
+// can cause issues when the daemon attempts to remove the mountpoint.
+func (daemon *Daemon) validateBindDaemonRoot(m mount.Mount) (bool, error) {
+	if m.Type != mount.TypeBind {
+		return false, nil
+	}
+
+	// check if the source is within the daemon root, or if the daemon root is within the source
+	if !strings.HasPrefix(m.Source, daemon.root) && !strings.HasPrefix(daemon.root, m.Source) {
+		return false, nil
+	}
+
+	if m.BindOptions == nil {
+		return true, nil
+	}
+
+	switch m.BindOptions.Propagation {
+	case mount.PropagationRSlave, mount.PropagationRShared, "":
+		return m.BindOptions.Propagation == "", nil
+	default:
+	}
+
+	return false, errdefs.InvalidParameter(errors.Errorf(`invalid mount config: must use either propagation mode "rslave" or "rshared" when mount source is within the daemon root, daemon root: %q, bind mount source: %q, propagation: %q`, daemon.root, m.Source, m.BindOptions.Propagation))
+}
diff --git a/engine/daemon/volumes_linux_test.go b/engine/daemon/volumes_linux_test.go
new file mode 100644
index 00000000..72830c3e
--- /dev/null
+++ b/engine/daemon/volumes_linux_test.go
@@ -0,0 +1,56 @@
+package daemon
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/api/types/mount"
+)
+
+func TestBindDaemonRoot(t *testing.T) {
+	t.Parallel()
+	d := &Daemon{root: "/a/b/c/daemon"}
+	for _, test := range []struct {
+		desc      string
+		opts      *mount.BindOptions
+		needsProp bool
+		err       bool
+	}{
+		{desc: "nil propagation settings", opts: nil, needsProp: true, err: false},
+		{desc: "empty propagation settings", opts: &mount.BindOptions{}, needsProp: true, err: false},
+		{desc: "private propagation", opts: &mount.BindOptions{Propagation: mount.PropagationPrivate}, err: true},
+		{desc: "rprivate propagation", opts: &mount.BindOptions{Propagation: mount.PropagationRPrivate}, err: true},
+		{desc: "slave propagation", opts: &mount.BindOptions{Propagation: mount.PropagationSlave}, err: true},
+		{desc: "rslave propagation", opts: &mount.BindOptions{Propagation: mount.PropagationRSlave}, err: false, needsProp: false},
+		{desc: "shared propagation", opts: &mount.BindOptions{Propagation: mount.PropagationShared}, err: true},
+		{desc: "rshared propagation", opts: &mount.BindOptions{Propagation: mount.PropagationRSlave}, err: false, needsProp: false},
+	} {
+		t.Run(test.desc, func(t *testing.T) {
+			test := test
+			for desc, source := range map[string]string{
+				"source is root":    d.root,
+				"source is subpath": filepath.Join(d.root, "a", "b"),
+				"source is parent":  filepath.Dir(d.root),
+				"source is /":       "/",
+			} {
+				t.Run(desc, func(t *testing.T) {
+					mount := mount.Mount{
+						Type:        mount.TypeBind,
+						Source:      source,
+						BindOptions: test.opts,
+					}
+					needsProp, err := d.validateBindDaemonRoot(mount)
+					if (err != nil) != test.err {
+						t.Fatalf("expected err=%v, got: %v", test.err, err)
+					}
+					if test.err {
+						return
+					}
+					if test.needsProp != needsProp {
+						t.Fatalf("expected needsProp=%v, got: %v", test.needsProp, needsProp)
+					}
+				})
+			}
+		})
+	}
+}
diff --git a/engine/daemon/volumes_unit_test.go b/engine/daemon/volumes_unit_test.go
new file mode 100644
index 00000000..6bdebe46
--- /dev/null
+++ b/engine/daemon/volumes_unit_test.go
@@ -0,0 +1,42 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"runtime"
+	"testing"
+
+	volumemounts "github.com/docker/docker/volume/mounts"
+)
+
+func TestParseVolumesFrom(t *testing.T) {
+	cases := []struct {
+		spec    string
+		expID   string
+		expMode string
+		fail    bool
+	}{
+		{"", "", "", true},
+		{"foobar", "foobar", "rw", false},
+		{"foobar:rw", "foobar", "rw", false},
+		{"foobar:ro", "foobar", "ro", false},
+		{"foobar:baz", "", "", true},
+	}
+
+	parser := volumemounts.NewParser(runtime.GOOS)
+
+	for _, c := range cases {
+		id, mode, err := parser.ParseVolumesFrom(c.spec)
+		if c.fail {
+			if err == nil {
+				t.Fatalf("Expected error, was nil, for spec %s\n", c.spec)
+			}
+			continue
+		}
+
+		if id != c.expID {
+			t.Fatalf("Expected id %s, was %s, for spec %s\n", c.expID, id, c.spec)
+		}
+		if mode != c.expMode {
+			t.Fatalf("Expected mode %s, was %s for spec %s\n", c.expMode, mode, c.spec)
+		}
+	}
+}
diff --git a/engine/daemon/volumes_unix.go b/engine/daemon/volumes_unix.go
new file mode 100644
index 00000000..efffefa7
--- /dev/null
+++ b/engine/daemon/volumes_unix.go
@@ -0,0 +1,156 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"fmt"
+	"os"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/fileutils"
+	"github.com/docker/docker/pkg/mount"
+	volumemounts "github.com/docker/docker/volume/mounts"
+)
+
+// setupMounts iterates through each of the mount points for a container and
+// calls Setup() on each. It also looks to see if is a network mount such as
+// /etc/resolv.conf, and if it is not, appends it to the array of mounts.
+func (daemon *Daemon) setupMounts(c *container.Container) ([]container.Mount, error) {
+	var mounts []container.Mount
+	// TODO: tmpfs mounts should be part of Mountpoints
+	tmpfsMounts := make(map[string]bool)
+	tmpfsMountInfo, err := c.TmpfsMounts()
+	if err != nil {
+		return nil, err
+	}
+	for _, m := range tmpfsMountInfo {
+		tmpfsMounts[m.Destination] = true
+	}
+	for _, m := range c.MountPoints {
+		if tmpfsMounts[m.Destination] {
+			continue
+		}
+		if err := daemon.lazyInitializeVolume(c.ID, m); err != nil {
+			return nil, err
+		}
+		// If the daemon is being shutdown, we should not let a container start if it is trying to
+		// mount the socket the daemon is listening on. During daemon shutdown, the socket
+		// (/var/run/docker.sock by default) doesn't exist anymore causing the call to m.Setup to
+		// create at directory instead. This in turn will prevent the daemon to restart.
+		checkfunc := func(m *volumemounts.MountPoint) error {
+			if _, exist := daemon.hosts[m.Source]; exist && daemon.IsShuttingDown() {
+				return fmt.Errorf("Could not mount %q to container while the daemon is shutting down", m.Source)
+			}
+			return nil
+		}
+
+		path, err := m.Setup(c.MountLabel, daemon.idMappings.RootPair(), checkfunc)
+		if err != nil {
+			return nil, err
+		}
+		if !c.TrySetNetworkMount(m.Destination, path) {
+			mnt := container.Mount{
+				Source:      path,
+				Destination: m.Destination,
+				Writable:    m.RW,
+				Propagation: string(m.Propagation),
+			}
+			if m.Volume != nil {
+				attributes := map[string]string{
+					"driver":      m.Volume.DriverName(),
+					"container":   c.ID,
+					"destination": m.Destination,
+					"read/write":  strconv.FormatBool(m.RW),
+					"propagation": string(m.Propagation),
+				}
+				daemon.LogVolumeEvent(m.Volume.Name(), "mount", attributes)
+			}
+			mounts = append(mounts, mnt)
+		}
+	}
+
+	mounts = sortMounts(mounts)
+	netMounts := c.NetworkMounts()
+	// if we are going to mount any of the network files from container
+	// metadata, the ownership must be set properly for potential container
+	// remapped root (user namespaces)
+	rootIDs := daemon.idMappings.RootPair()
+	for _, mount := range netMounts {
+		// we should only modify ownership of network files within our own container
+		// metadata repository. If the user specifies a mount path external, it is
+		// up to the user to make sure the file has proper ownership for userns
+		if strings.Index(mount.Source, daemon.repository) == 0 {
+			if err := os.Chown(mount.Source, rootIDs.UID, rootIDs.GID); err != nil {
+				return nil, err
+			}
+		}
+	}
+	return append(mounts, netMounts...), nil
+}
+
+// sortMounts sorts an array of mounts in lexicographic order. This ensure that
+// when mounting, the mounts don't shadow other mounts. For example, if mounting
+// /etc and /etc/resolv.conf, /etc/resolv.conf must not be mounted first.
+func sortMounts(m []container.Mount) []container.Mount {
+	sort.Sort(mounts(m))
+	return m
+}
+
+// setBindModeIfNull is platform specific processing to ensure the
+// shared mode is set to 'z' if it is null. This is called in the case
+// of processing a named volume and not a typical bind.
+func setBindModeIfNull(bind *volumemounts.MountPoint) {
+	if bind.Mode == "" {
+		bind.Mode = "z"
+	}
+}
+
+func (daemon *Daemon) mountVolumes(container *container.Container) error {
+	mounts, err := daemon.setupMounts(container)
+	if err != nil {
+		return err
+	}
+
+	for _, m := range mounts {
+		dest, err := container.GetResourcePath(m.Destination)
+		if err != nil {
+			return err
+		}
+
+		var stat os.FileInfo
+		stat, err = os.Stat(m.Source)
+		if err != nil {
+			return err
+		}
+		if err = fileutils.CreateIfNotExists(dest, stat.IsDir()); err != nil {
+			return err
+		}
+
+		opts := "rbind,ro"
+		if m.Writable {
+			opts = "rbind,rw"
+		}
+
+		if err := mount.Mount(m.Source, dest, bindMountType, opts); err != nil {
+			return err
+		}
+
+		// mountVolumes() seems to be called for temporary mounts
+		// outside the container. Soon these will be unmounted with
+		// lazy unmount option and given we have mounted the rbind,
+		// all the submounts will propagate if these are shared. If
+		// daemon is running in host namespace and has / as shared
+		// then these unmounts will propagate and unmount original
+		// mount as well. So make all these mounts rprivate.
+		// Do not use propagation property of volume as that should
+		// apply only when mounting happen inside the container.
+		if err := mount.MakeRPrivate(dest); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/engine/daemon/volumes_unix_test.go b/engine/daemon/volumes_unix_test.go
new file mode 100644
index 00000000..36e19110
--- /dev/null
+++ b/engine/daemon/volumes_unix_test.go
@@ -0,0 +1,256 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"testing"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/container"
+	volumemounts "github.com/docker/docker/volume/mounts"
+)
+
+func TestBackportMountSpec(t *testing.T) {
+	d := Daemon{containers: container.NewMemoryStore()}
+
+	c := &container.Container{
+		State: &container.State{},
+		MountPoints: map[string]*volumemounts.MountPoint{
+			"/apple":      {Destination: "/apple", Source: "/var/lib/docker/volumes/12345678", Name: "12345678", RW: true, CopyData: true}, // anonymous volume
+			"/banana":     {Destination: "/banana", Source: "/var/lib/docker/volumes/data", Name: "data", RW: true, CopyData: true},        // named volume
+			"/cherry":     {Destination: "/cherry", Source: "/var/lib/docker/volumes/data", Name: "data", CopyData: true},                  // RO named volume
+			"/dates":      {Destination: "/dates", Source: "/var/lib/docker/volumes/data", Name: "data"},                                   // named volume nocopy
+			"/elderberry": {Destination: "/elderberry", Source: "/var/lib/docker/volumes/data", Name: "data"},                              // masks anon vol
+			"/fig":        {Destination: "/fig", Source: "/data", RW: true},                                                                // RW bind
+			"/guava":      {Destination: "/guava", Source: "/data", RW: false, Propagation: "shared"},                                      // RO bind + propagation
+			"/kumquat":    {Destination: "/kumquat", Name: "data", RW: false, CopyData: true},                                              // volumes-from
+
+			// partially configured mountpoint due to #32613
+			// specifically, `mp.Spec.Source` is not set
+			"/honeydew": {
+				Type:        mounttypes.TypeVolume,
+				Destination: "/honeydew",
+				Name:        "data",
+				Source:      "/var/lib/docker/volumes/data",
+				Spec:        mounttypes.Mount{Type: mounttypes.TypeVolume, Target: "/honeydew", VolumeOptions: &mounttypes.VolumeOptions{NoCopy: true}},
+			},
+
+			// from hostconfig.Mounts
+			"/jambolan": {
+				Type:        mounttypes.TypeVolume,
+				Destination: "/jambolan",
+				Source:      "/var/lib/docker/volumes/data",
+				RW:          true,
+				Name:        "data",
+				Spec:        mounttypes.Mount{Type: mounttypes.TypeVolume, Target: "/jambolan", Source: "data"},
+			},
+		},
+		HostConfig: &containertypes.HostConfig{
+			Binds: []string{
+				"data:/banana",
+				"data:/cherry:ro",
+				"data:/dates:ro,nocopy",
+				"data:/elderberry:ro,nocopy",
+				"/data:/fig",
+				"/data:/guava:ro,shared",
+				"data:/honeydew:nocopy",
+			},
+			VolumesFrom: []string{"1:ro"},
+			Mounts: []mounttypes.Mount{
+				{Type: mounttypes.TypeVolume, Target: "/jambolan"},
+			},
+		},
+		Config: &containertypes.Config{Volumes: map[string]struct{}{
+			"/apple":      {},
+			"/elderberry": {},
+		}},
+	}
+
+	d.containers.Add("1", &container.Container{
+		State: &container.State{},
+		ID:    "1",
+		MountPoints: map[string]*volumemounts.MountPoint{
+			"/kumquat": {Destination: "/kumquat", Name: "data", RW: false, CopyData: true},
+		},
+		HostConfig: &containertypes.HostConfig{
+			Binds: []string{
+				"data:/kumquat:ro",
+			},
+		},
+	})
+
+	type expected struct {
+		mp      *volumemounts.MountPoint
+		comment string
+	}
+
+	pretty := func(mp *volumemounts.MountPoint) string {
+		b, err := json.MarshalIndent(mp, "\t", "    ")
+		if err != nil {
+			return fmt.Sprintf("%#v", mp)
+		}
+		return string(b)
+	}
+
+	for _, x := range []expected{
+		{
+			mp: &volumemounts.MountPoint{
+				Type:        mounttypes.TypeVolume,
+				Destination: "/apple",
+				RW:          true,
+				Name:        "12345678",
+				Source:      "/var/lib/docker/volumes/12345678",
+				CopyData:    true,
+				Spec: mounttypes.Mount{
+					Type:   mounttypes.TypeVolume,
+					Source: "",
+					Target: "/apple",
+				},
+			},
+			comment: "anonymous volume",
+		},
+		{
+			mp: &volumemounts.MountPoint{
+				Type:        mounttypes.TypeVolume,
+				Destination: "/banana",
+				RW:          true,
+				Name:        "data",
+				Source:      "/var/lib/docker/volumes/data",
+				CopyData:    true,
+				Spec: mounttypes.Mount{
+					Type:   mounttypes.TypeVolume,
+					Source: "data",
+					Target: "/banana",
+				},
+			},
+			comment: "named volume",
+		},
+		{
+			mp: &volumemounts.MountPoint{
+				Type:        mounttypes.TypeVolume,
+				Destination: "/cherry",
+				Name:        "data",
+				Source:      "/var/lib/docker/volumes/data",
+				CopyData:    true,
+				Spec: mounttypes.Mount{
+					Type:     mounttypes.TypeVolume,
+					Source:   "data",
+					Target:   "/cherry",
+					ReadOnly: true,
+				},
+			},
+			comment: "read-only named volume",
+		},
+		{
+			mp: &volumemounts.MountPoint{
+				Type:        mounttypes.TypeVolume,
+				Destination: "/dates",
+				Name:        "data",
+				Source:      "/var/lib/docker/volumes/data",
+				Spec: mounttypes.Mount{
+					Type:          mounttypes.TypeVolume,
+					Source:        "data",
+					Target:        "/dates",
+					ReadOnly:      true,
+					VolumeOptions: &mounttypes.VolumeOptions{NoCopy: true},
+				},
+			},
+			comment: "named volume with nocopy",
+		},
+		{
+			mp: &volumemounts.MountPoint{
+				Type:        mounttypes.TypeVolume,
+				Destination: "/elderberry",
+				Name:        "data",
+				Source:      "/var/lib/docker/volumes/data",
+				Spec: mounttypes.Mount{
+					Type:          mounttypes.TypeVolume,
+					Source:        "data",
+					Target:        "/elderberry",
+					ReadOnly:      true,
+					VolumeOptions: &mounttypes.VolumeOptions{NoCopy: true},
+				},
+			},
+			comment: "masks an anonymous volume",
+		},
+		{
+			mp: &volumemounts.MountPoint{
+				Type:        mounttypes.TypeBind,
+				Destination: "/fig",
+				Source:      "/data",
+				RW:          true,
+				Spec: mounttypes.Mount{
+					Type:   mounttypes.TypeBind,
+					Source: "/data",
+					Target: "/fig",
+				},
+			},
+			comment: "bind mount with read/write",
+		},
+		{
+			mp: &volumemounts.MountPoint{
+				Type:        mounttypes.TypeBind,
+				Destination: "/guava",
+				Source:      "/data",
+				RW:          false,
+				Propagation: "shared",
+				Spec: mounttypes.Mount{
+					Type:        mounttypes.TypeBind,
+					Source:      "/data",
+					Target:      "/guava",
+					ReadOnly:    true,
+					BindOptions: &mounttypes.BindOptions{Propagation: "shared"},
+				},
+			},
+			comment: "bind mount with read/write + shared propagation",
+		},
+		{
+			mp: &volumemounts.MountPoint{
+				Type:        mounttypes.TypeVolume,
+				Destination: "/honeydew",
+				Source:      "/var/lib/docker/volumes/data",
+				RW:          true,
+				Propagation: "shared",
+				Spec: mounttypes.Mount{
+					Type:          mounttypes.TypeVolume,
+					Source:        "data",
+					Target:        "/honeydew",
+					VolumeOptions: &mounttypes.VolumeOptions{NoCopy: true},
+				},
+			},
+			comment: "partially configured named volume caused by #32613",
+		},
+		{
+			mp:      &(*c.MountPoints["/jambolan"]), // copy the mountpoint, expect no changes
+			comment: "volume defined in mounts API",
+		},
+		{
+			mp: &volumemounts.MountPoint{
+				Type:        mounttypes.TypeVolume,
+				Destination: "/kumquat",
+				Source:      "/var/lib/docker/volumes/data",
+				RW:          false,
+				Name:        "data",
+				Spec: mounttypes.Mount{
+					Type:     mounttypes.TypeVolume,
+					Source:   "data",
+					Target:   "/kumquat",
+					ReadOnly: true,
+				},
+			},
+			comment: "partially configured named volume caused by #32613",
+		},
+	} {
+
+		mp := c.MountPoints[x.mp.Destination]
+		d.backportMountSpec(c)
+
+		if !reflect.DeepEqual(mp.Spec, x.mp.Spec) {
+			t.Fatalf("%s\nexpected:\n\t%s\n\ngot:\n\t%s", x.comment, pretty(x.mp), pretty(mp))
+		}
+	}
+}
diff --git a/engine/daemon/volumes_windows.go b/engine/daemon/volumes_windows.go
new file mode 100644
index 00000000..a2fb5152
--- /dev/null
+++ b/engine/daemon/volumes_windows.go
@@ -0,0 +1,51 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"sort"
+
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/container"
+	"github.com/docker/docker/pkg/idtools"
+	volumemounts "github.com/docker/docker/volume/mounts"
+)
+
+// setupMounts configures the mount points for a container by appending each
+// of the configured mounts on the container to the OCI mount structure
+// which will ultimately be passed into the oci runtime during container creation.
+// It also ensures each of the mounts are lexicographically sorted.
+
+// BUGBUG TODO Windows containerd. This would be much better if it returned
+// an array of runtime spec mounts, not container mounts. Then no need to
+// do multiple transitions.
+
+func (daemon *Daemon) setupMounts(c *container.Container) ([]container.Mount, error) {
+	var mnts []container.Mount
+	for _, mount := range c.MountPoints { // type is volumemounts.MountPoint
+		if err := daemon.lazyInitializeVolume(c.ID, mount); err != nil {
+			return nil, err
+		}
+		s, err := mount.Setup(c.MountLabel, idtools.IDPair{UID: 0, GID: 0}, nil)
+		if err != nil {
+			return nil, err
+		}
+
+		mnts = append(mnts, container.Mount{
+			Source:      s,
+			Destination: mount.Destination,
+			Writable:    mount.RW,
+		})
+	}
+
+	sort.Sort(mounts(mnts))
+	return mnts, nil
+}
+
+// setBindModeIfNull is platform specific processing which is a no-op on
+// Windows.
+func setBindModeIfNull(bind *volumemounts.MountPoint) {
+	return
+}
+
+func (daemon *Daemon) validateBindDaemonRoot(m mount.Mount) (bool, error) {
+	return false, nil
+}
diff --git a/engine/daemon/wait.go b/engine/daemon/wait.go
new file mode 100644
index 00000000..545f24c7
--- /dev/null
+++ b/engine/daemon/wait.go
@@ -0,0 +1,23 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+	"context"
+
+	"github.com/docker/docker/container"
+)
+
+// ContainerWait waits until the given container is in a certain state
+// indicated by the given condition. If the container is not found, a nil
+// channel and non-nil error is returned immediately. If the container is
+// found, a status result will be sent on the returned channel once the wait
+// condition is met or if an error occurs waiting for the container (such as a
+// context timeout or cancellation). On a successful wait, the exit code of the
+// container is returned in the status with a non-nil Err() value.
+func (daemon *Daemon) ContainerWait(ctx context.Context, name string, condition container.WaitCondition) (<-chan container.StateStatus, error) {
+	cntr, err := daemon.GetContainer(name)
+	if err != nil {
+		return nil, err
+	}
+
+	return cntr.Wait(ctx, condition), nil
+}
diff --git a/engine/daemon/workdir.go b/engine/daemon/workdir.go
new file mode 100644
index 00000000..90bba79b
--- /dev/null
+++ b/engine/daemon/workdir.go
@@ -0,0 +1,20 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+// ContainerCreateWorkdir creates the working directory. This solves the
+// issue arising from https://github.com/docker/docker/issues/27545,
+// which was initially fixed by https://github.com/docker/docker/pull/27884. But that fix
+// was too expensive in terms of performance on Windows. Instead,
+// https://github.com/docker/docker/pull/28514 introduces this new functionality
+// where the builder calls into the backend here to create the working directory.
+func (daemon *Daemon) ContainerCreateWorkdir(cID string) error {
+	container, err := daemon.GetContainer(cID)
+	if err != nil {
+		return err
+	}
+	err = daemon.Mount(container)
+	if err != nil {
+		return err
+	}
+	defer daemon.Unmount(container)
+	return container.SetupWorkingDirectory(daemon.idMappings.RootPair())
+}
diff --git a/engine/distribution/config.go b/engine/distribution/config.go
new file mode 100644
index 00000000..438051c2
--- /dev/null
+++ b/engine/distribution/config.go
@@ -0,0 +1,266 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"runtime"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/system"
+	refstore "github.com/docker/docker/reference"
+	"github.com/docker/docker/registry"
+	"github.com/docker/libtrust"
+	"github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// Config stores configuration for communicating
+// with a registry.
+type Config struct {
+	// MetaHeaders stores HTTP headers with metadata about the image
+	MetaHeaders map[string][]string
+	// AuthConfig holds authentication credentials for authenticating with
+	// the registry.
+	AuthConfig *types.AuthConfig
+	// ProgressOutput is the interface for showing the status of the pull
+	// operation.
+	ProgressOutput progress.Output
+	// RegistryService is the registry service to use for TLS configuration
+	// and endpoint lookup.
+	RegistryService registry.Service
+	// ImageEventLogger notifies events for a given image
+	ImageEventLogger func(id, name, action string)
+	// MetadataStore is the storage backend for distribution-specific
+	// metadata.
+	MetadataStore metadata.Store
+	// ImageStore manages images.
+	ImageStore ImageConfigStore
+	// ReferenceStore manages tags. This value is optional, when excluded
+	// content will not be tagged.
+	ReferenceStore refstore.Store
+	// RequireSchema2 ensures that only schema2 manifests are used.
+	RequireSchema2 bool
+}
+
+// ImagePullConfig stores pull configuration.
+type ImagePullConfig struct {
+	Config
+
+	// DownloadManager manages concurrent pulls.
+	DownloadManager RootFSDownloadManager
+	// Schema2Types is the valid schema2 configuration types allowed
+	// by the pull operation.
+	Schema2Types []string
+	// Platform is the requested platform of the image being pulled
+	Platform *specs.Platform
+}
+
+// ImagePushConfig stores push configuration.
+type ImagePushConfig struct {
+	Config
+
+	// ConfigMediaType is the configuration media type for
+	// schema2 manifests.
+	ConfigMediaType string
+	// LayerStores (indexed by operating system) manages layers.
+	LayerStores map[string]PushLayerProvider
+	// TrustKey is the private key for legacy signatures. This is typically
+	// an ephemeral key, since these signatures are no longer verified.
+	TrustKey libtrust.PrivateKey
+	// UploadManager dispatches uploads.
+	UploadManager *xfer.LayerUploadManager
+}
+
+// ImageConfigStore handles storing and getting image configurations
+// by digest. Allows getting an image configurations rootfs from the
+// configuration.
+type ImageConfigStore interface {
+	Put([]byte) (digest.Digest, error)
+	Get(digest.Digest) ([]byte, error)
+	RootFSFromConfig([]byte) (*image.RootFS, error)
+	PlatformFromConfig([]byte) (*specs.Platform, error)
+}
+
+// PushLayerProvider provides layers to be pushed by ChainID.
+type PushLayerProvider interface {
+	Get(layer.ChainID) (PushLayer, error)
+}
+
+// PushLayer is a pushable layer with metadata about the layer
+// and access to the content of the layer.
+type PushLayer interface {
+	ChainID() layer.ChainID
+	DiffID() layer.DiffID
+	Parent() PushLayer
+	Open() (io.ReadCloser, error)
+	Size() (int64, error)
+	MediaType() string
+	Release()
+}
+
+// RootFSDownloadManager handles downloading of the rootfs
+type RootFSDownloadManager interface {
+	// Download downloads the layers into the given initial rootfs and
+	// returns the final rootfs.
+	// Given progress output to track download progress
+	// Returns function to release download resources
+	Download(ctx context.Context, initialRootFS image.RootFS, os string, layers []xfer.DownloadDescriptor, progressOutput progress.Output) (image.RootFS, func(), error)
+}
+
+type imageConfigStore struct {
+	image.Store
+}
+
+// NewImageConfigStoreFromStore returns an ImageConfigStore backed
+// by an image.Store for container images.
+func NewImageConfigStoreFromStore(is image.Store) ImageConfigStore {
+	return &imageConfigStore{
+		Store: is,
+	}
+}
+
+func (s *imageConfigStore) Put(c []byte) (digest.Digest, error) {
+	id, err := s.Store.Create(c)
+	return digest.Digest(id), err
+}
+
+func (s *imageConfigStore) Get(d digest.Digest) ([]byte, error) {
+	img, err := s.Store.Get(image.IDFromDigest(d))
+	if err != nil {
+		return nil, err
+	}
+	return img.RawJSON(), nil
+}
+
+func (s *imageConfigStore) RootFSFromConfig(c []byte) (*image.RootFS, error) {
+	var unmarshalledConfig image.Image
+	if err := json.Unmarshal(c, &unmarshalledConfig); err != nil {
+		return nil, err
+	}
+	return unmarshalledConfig.RootFS, nil
+}
+
+func (s *imageConfigStore) PlatformFromConfig(c []byte) (*specs.Platform, error) {
+	var unmarshalledConfig image.Image
+	if err := json.Unmarshal(c, &unmarshalledConfig); err != nil {
+		return nil, err
+	}
+
+	// fail immediately on Windows when downloading a non-Windows image
+	// and vice versa. Exception on Windows if Linux Containers are enabled.
+	if runtime.GOOS == "windows" && unmarshalledConfig.OS == "linux" && !system.LCOWSupported() {
+		return nil, fmt.Errorf("image operating system %q cannot be used on this platform", unmarshalledConfig.OS)
+	} else if runtime.GOOS != "windows" && unmarshalledConfig.OS == "windows" {
+		return nil, fmt.Errorf("image operating system %q cannot be used on this platform", unmarshalledConfig.OS)
+	}
+
+	os := unmarshalledConfig.OS
+	if os == "" {
+		os = runtime.GOOS
+	}
+	if !system.IsOSSupported(os) {
+		return nil, system.ErrNotSupportedOperatingSystem
+	}
+	return &specs.Platform{OS: os, Architecture: unmarshalledConfig.Architecture, OSVersion: unmarshalledConfig.OSVersion}, nil
+}
+
+type storeLayerProvider struct {
+	ls layer.Store
+}
+
+// NewLayerProvidersFromStores returns layer providers backed by
+// an instance of LayerStore. Only getting layers as gzipped
+// tars is supported.
+func NewLayerProvidersFromStores(lss map[string]layer.Store) map[string]PushLayerProvider {
+	plps := make(map[string]PushLayerProvider)
+	for os, ls := range lss {
+		plps[os] = &storeLayerProvider{ls: ls}
+	}
+	return plps
+}
+
+func (p *storeLayerProvider) Get(lid layer.ChainID) (PushLayer, error) {
+	if lid == "" {
+		return &storeLayer{
+			Layer: layer.EmptyLayer,
+		}, nil
+	}
+	l, err := p.ls.Get(lid)
+	if err != nil {
+		return nil, err
+	}
+
+	sl := storeLayer{
+		Layer: l,
+		ls:    p.ls,
+	}
+	if d, ok := l.(distribution.Describable); ok {
+		return &describableStoreLayer{
+			storeLayer:  sl,
+			describable: d,
+		}, nil
+	}
+
+	return &sl, nil
+}
+
+type storeLayer struct {
+	layer.Layer
+	ls layer.Store
+}
+
+func (l *storeLayer) Parent() PushLayer {
+	p := l.Layer.Parent()
+	if p == nil {
+		return nil
+	}
+	sl := storeLayer{
+		Layer: p,
+		ls:    l.ls,
+	}
+	if d, ok := p.(distribution.Describable); ok {
+		return &describableStoreLayer{
+			storeLayer:  sl,
+			describable: d,
+		}
+	}
+
+	return &sl
+}
+
+func (l *storeLayer) Open() (io.ReadCloser, error) {
+	return l.Layer.TarStream()
+}
+
+func (l *storeLayer) Size() (int64, error) {
+	return l.Layer.DiffSize()
+}
+
+func (l *storeLayer) MediaType() string {
+	// layer store always returns uncompressed tars
+	return schema2.MediaTypeUncompressedLayer
+}
+
+func (l *storeLayer) Release() {
+	if l.ls != nil {
+		layer.ReleaseAndLog(l.ls, l.Layer)
+	}
+}
+
+type describableStoreLayer struct {
+	storeLayer
+	describable distribution.Describable
+}
+
+func (l *describableStoreLayer) Descriptor() distribution.Descriptor {
+	return l.describable.Descriptor()
+}
diff --git a/engine/distribution/errors.go b/engine/distribution/errors.go
new file mode 100644
index 00000000..e2913d45
--- /dev/null
+++ b/engine/distribution/errors.go
@@ -0,0 +1,206 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"fmt"
+	"net/url"
+	"strings"
+	"syscall"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/distribution/registry/api/v2"
+	"github.com/docker/distribution/registry/client"
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/errdefs"
+	"github.com/sirupsen/logrus"
+)
+
+// ErrNoSupport is an error type used for errors indicating that an operation
+// is not supported. It encapsulates a more specific error.
+type ErrNoSupport struct{ Err error }
+
+func (e ErrNoSupport) Error() string {
+	if e.Err == nil {
+		return "not supported"
+	}
+	return e.Err.Error()
+}
+
+// fallbackError wraps an error that can possibly allow fallback to a different
+// endpoint.
+type fallbackError struct {
+	// err is the error being wrapped.
+	err error
+	// confirmedV2 is set to true if it was confirmed that the registry
+	// supports the v2 protocol. This is used to limit fallbacks to the v1
+	// protocol.
+	confirmedV2 bool
+	// transportOK is set to true if we managed to speak HTTP with the
+	// registry. This confirms that we're using appropriate TLS settings
+	// (or lack of TLS).
+	transportOK bool
+}
+
+// Error renders the FallbackError as a string.
+func (f fallbackError) Error() string {
+	return f.Cause().Error()
+}
+
+func (f fallbackError) Cause() error {
+	return f.err
+}
+
+// shouldV2Fallback returns true if this error is a reason to fall back to v1.
+func shouldV2Fallback(err errcode.Error) bool {
+	switch err.Code {
+	case errcode.ErrorCodeUnauthorized, v2.ErrorCodeManifestUnknown, v2.ErrorCodeNameUnknown:
+		return true
+	}
+	return false
+}
+
+type notFoundError struct {
+	cause errcode.Error
+	ref   reference.Named
+}
+
+func (e notFoundError) Error() string {
+	switch e.cause.Code {
+	case errcode.ErrorCodeDenied:
+		// ErrorCodeDenied is used when access to the repository was denied
+		return fmt.Sprintf("pull access denied for %s, repository does not exist or may require 'docker login'", reference.FamiliarName(e.ref))
+	case v2.ErrorCodeManifestUnknown:
+		return fmt.Sprintf("manifest for %s not found", reference.FamiliarString(e.ref))
+	case v2.ErrorCodeNameUnknown:
+		return fmt.Sprintf("repository %s not found", reference.FamiliarName(e.ref))
+	}
+	// Shouldn't get here, but this is better than returning an empty string
+	return e.cause.Message
+}
+
+func (e notFoundError) NotFound() {}
+
+func (e notFoundError) Cause() error {
+	return e.cause
+}
+
+// TranslatePullError is used to convert an error from a registry pull
+// operation to an error representing the entire pull operation. Any error
+// information which is not used by the returned error gets output to
+// log at info level.
+func TranslatePullError(err error, ref reference.Named) error {
+	switch v := err.(type) {
+	case errcode.Errors:
+		if len(v) != 0 {
+			for _, extra := range v[1:] {
+				logrus.Infof("Ignoring extra error returned from registry: %v", extra)
+			}
+			return TranslatePullError(v[0], ref)
+		}
+	case errcode.Error:
+		switch v.Code {
+		case errcode.ErrorCodeDenied, v2.ErrorCodeManifestUnknown, v2.ErrorCodeNameUnknown:
+			return notFoundError{v, ref}
+		}
+	case xfer.DoNotRetry:
+		return TranslatePullError(v.Err, ref)
+	}
+
+	return errdefs.Unknown(err)
+}
+
+// continueOnError returns true if we should fallback to the next endpoint
+// as a result of this error.
+func continueOnError(err error, mirrorEndpoint bool) bool {
+	switch v := err.(type) {
+	case errcode.Errors:
+		if len(v) == 0 {
+			return true
+		}
+		return continueOnError(v[0], mirrorEndpoint)
+	case ErrNoSupport:
+		return continueOnError(v.Err, mirrorEndpoint)
+	case errcode.Error:
+		return mirrorEndpoint || shouldV2Fallback(v)
+	case *client.UnexpectedHTTPResponseError:
+		return true
+	case ImageConfigPullError:
+		// ImageConfigPullError only happens with v2 images, v1 fallback is
+		// unnecessary.
+		// Failures from a mirror endpoint should result in fallback to the
+		// canonical repo.
+		return mirrorEndpoint
+	case error:
+		return !strings.Contains(err.Error(), strings.ToLower(syscall.ESRCH.Error()))
+	}
+	// let's be nice and fallback if the error is a completely
+	// unexpected one.
+	// If new errors have to be handled in some way, please
+	// add them to the switch above.
+	return true
+}
+
+// retryOnError wraps the error in xfer.DoNotRetry if we should not retry the
+// operation after this error.
+func retryOnError(err error) error {
+	switch v := err.(type) {
+	case errcode.Errors:
+		if len(v) != 0 {
+			return retryOnError(v[0])
+		}
+	case errcode.Error:
+		switch v.Code {
+		case errcode.ErrorCodeUnauthorized, errcode.ErrorCodeUnsupported, errcode.ErrorCodeDenied, errcode.ErrorCodeTooManyRequests, v2.ErrorCodeNameUnknown:
+			return xfer.DoNotRetry{Err: err}
+		}
+	case *url.Error:
+		switch v.Err {
+		case auth.ErrNoBasicAuthCredentials, auth.ErrNoToken:
+			return xfer.DoNotRetry{Err: v.Err}
+		}
+		return retryOnError(v.Err)
+	case *client.UnexpectedHTTPResponseError:
+		return xfer.DoNotRetry{Err: err}
+	case error:
+		if err == distribution.ErrBlobUnknown {
+			return xfer.DoNotRetry{Err: err}
+		}
+		if strings.Contains(err.Error(), strings.ToLower(syscall.ENOSPC.Error())) {
+			return xfer.DoNotRetry{Err: err}
+		}
+	}
+	// let's be nice and fallback if the error is a completely
+	// unexpected one.
+	// If new errors have to be handled in some way, please
+	// add them to the switch above.
+	return err
+}
+
+type invalidManifestClassError struct {
+	mediaType string
+	class     string
+}
+
+func (e invalidManifestClassError) Error() string {
+	return fmt.Sprintf("Encountered remote %q(%s) when fetching", e.mediaType, e.class)
+}
+
+func (e invalidManifestClassError) InvalidParameter() {}
+
+type invalidManifestFormatError struct{}
+
+func (invalidManifestFormatError) Error() string {
+	return "unsupported manifest format"
+}
+
+func (invalidManifestFormatError) InvalidParameter() {}
+
+type reservedNameError string
+
+func (e reservedNameError) Error() string {
+	return "'" + string(e) + "' is a reserved name"
+}
+
+func (e reservedNameError) Forbidden() {}
diff --git a/engine/distribution/errors_test.go b/engine/distribution/errors_test.go
new file mode 100644
index 00000000..7105bdb4
--- /dev/null
+++ b/engine/distribution/errors_test.go
@@ -0,0 +1,85 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"errors"
+	"strings"
+	"syscall"
+	"testing"
+
+	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/distribution/registry/api/v2"
+	"github.com/docker/distribution/registry/client"
+)
+
+var alwaysContinue = []error{
+	&client.UnexpectedHTTPResponseError{},
+
+	// Some errcode.Errors that don't disprove the existence of a V1 image
+	errcode.Error{Code: errcode.ErrorCodeUnauthorized},
+	errcode.Error{Code: v2.ErrorCodeManifestUnknown},
+	errcode.Error{Code: v2.ErrorCodeNameUnknown},
+
+	errors.New("some totally unexpected error"),
+}
+
+var continueFromMirrorEndpoint = []error{
+	ImageConfigPullError{},
+
+	// Some other errcode.Error that doesn't indicate we should search for a V1 image.
+	errcode.Error{Code: errcode.ErrorCodeTooManyRequests},
+}
+
+var neverContinue = []error{
+	errors.New(strings.ToLower(syscall.ESRCH.Error())), // No such process
+}
+
+func TestContinueOnError_NonMirrorEndpoint(t *testing.T) {
+	for _, err := range alwaysContinue {
+		if !continueOnError(err, false) {
+			t.Errorf("Should continue from non-mirror endpoint: %T: '%s'", err, err.Error())
+		}
+	}
+
+	for _, err := range continueFromMirrorEndpoint {
+		if continueOnError(err, false) {
+			t.Errorf("Should only continue from mirror endpoint: %T: '%s'", err, err.Error())
+		}
+	}
+}
+
+func TestContinueOnError_MirrorEndpoint(t *testing.T) {
+	var errs []error
+	errs = append(errs, alwaysContinue...)
+	errs = append(errs, continueFromMirrorEndpoint...)
+	for _, err := range errs {
+		if !continueOnError(err, true) {
+			t.Errorf("Should continue from mirror endpoint: %T: '%s'", err, err.Error())
+		}
+	}
+}
+
+func TestContinueOnError_NeverContinue(t *testing.T) {
+	for _, isMirrorEndpoint := range []bool{true, false} {
+		for _, err := range neverContinue {
+			if continueOnError(err, isMirrorEndpoint) {
+				t.Errorf("Should never continue: %T: '%s'", err, err.Error())
+			}
+		}
+	}
+}
+
+func TestContinueOnError_UnnestsErrors(t *testing.T) {
+	// ContinueOnError should evaluate nested errcode.Errors.
+
+	// Assumes that v2.ErrorCodeNameUnknown is a continueable error code.
+	err := errcode.Errors{errcode.Error{Code: v2.ErrorCodeNameUnknown}}
+	if !continueOnError(err, false) {
+		t.Fatal("ContinueOnError should unnest, base return value on errcode.Errors")
+	}
+
+	// Assumes that errcode.ErrorCodeTooManyRequests is not a V1-fallback indication
+	err = errcode.Errors{errcode.Error{Code: errcode.ErrorCodeTooManyRequests}}
+	if continueOnError(err, false) {
+		t.Fatal("ContinueOnError should unnest, base return value on errcode.Errors")
+	}
+}
diff --git a/engine/distribution/fixtures/validate_manifest/bad_manifest b/engine/distribution/fixtures/validate_manifest/bad_manifest
new file mode 100644
index 00000000..a1f02a62
--- /dev/null
+++ b/engine/distribution/fixtures/validate_manifest/bad_manifest
@@ -0,0 +1,38 @@
+{
+   "schemaVersion": 2,
+   "name": "library/hello-world",
+   "tag": "latest",
+   "architecture": "amd64",
+   "fsLayers": [
+      {
+         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
+      },
+      {
+         "blobSum": "sha256:03f4658f8b782e12230c1783426bd3bacce651ce582a4ffb6fbbfa2079428ecb"
+      }
+   ],
+   "history": [
+      {
+         "v1Compatibility": "{\"id\":\"af340544ed62de0680f441c71fa1a80cb084678fed42bae393e543faea3a572c\",\"parent\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"created\":\"2015-08-06T23:53:22.608577814Z\",\"container\":\"c2b715156f640c7ac7d98472ea24335aba5432a1323a3bb722697e6d37ef794f\",\"container_config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) CMD [\\\"/hello\\\"]\"],\"Image\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":{}},\"docker_version\":\"1.7.1\",\"config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/hello\"],\"Image\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"
+      },
+      {
+         "v1Compatibility": "{\"id\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"created\":\"2015-08-06T23:53:22.241352727Z\",\"container\":\"9aeb0006ffa72a8287564caaea87625896853701459261d3b569e320c0c9d5dc\",\"container_config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) COPY file:4abd3bff60458ca3b079d7b131ce26b2719055a030dfa96ff827da2b7c7038a7 in /\"],\"Image\":\"\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":null},\"docker_version\":\"1.7.1\",\"config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":null},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":960}\n"
+      }
+   ],
+   "signatures": [
+      {
+         "header": {
+            "jwk": {
+               "crv": "P-256",
+               "kid": "OIH7:HQFS:44FK:45VB:3B53:OIAG:TPL4:ATF5:6PNE:MGHN:NHQX:2GE4",
+               "kty": "EC",
+               "x": "Cu_UyxwLgHzE9rvlYSmvVdqYCXY42E9eNhBb0xNv0SQ",
+               "y": "zUsjWJkeKQ5tv7S-hl1Tg71cd-CqnrtiiLxSi6N_yc8"
+            },
+            "alg": "ES256"
+         },
+         "signature": "Y6xaFz9Sy-OtcnKQS1Ilq3Dh8cu4h3nBTJCpOTF1XF7vKtcxxA_xMP8-SgDo869SJ3VsvgPL9-Xn-OoYG2rb1A",
+         "protected": "eyJmb3JtYXRMZW5ndGgiOjMxOTcsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAxNS0wOS0xMVQwNDoxMzo0OFoifQ"
+      }
+   ]
+}
diff --git a/engine/distribution/fixtures/validate_manifest/extra_data_manifest b/engine/distribution/fixtures/validate_manifest/extra_data_manifest
new file mode 100644
index 00000000..beec19a8
--- /dev/null
+++ b/engine/distribution/fixtures/validate_manifest/extra_data_manifest
@@ -0,0 +1,46 @@
+{
+   "schemaVersion": 1,
+   "name": "library/hello-world",
+   "tag": "latest",
+   "architecture": "amd64",
+   "fsLayers": [
+      {
+         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
+      },
+      {
+         "blobSum": "sha256:03f4658f8b782e12230c1783426bd3bacce651ce582a4ffb6fbbfa2079428ecb"
+      }
+   ],
+   "history": [
+      {
+         "v1Compatibility": "{\"id\":\"af340544ed62de0680f441c71fa1a80cb084678fed42bae393e543faea3a572c\",\"parent\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"created\":\"2015-08-06T23:53:22.608577814Z\",\"container\":\"c2b715156f640c7ac7d98472ea24335aba5432a1323a3bb722697e6d37ef794f\",\"container_config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) CMD [\\\"/hello\\\"]\"],\"Image\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":{}},\"docker_version\":\"1.7.1\",\"config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/hello\"],\"Image\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"
+      },
+      {
+         "v1Compatibility": "{\"id\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"created\":\"2015-08-06T23:53:22.241352727Z\",\"container\":\"9aeb0006ffa72a8287564caaea87625896853701459261d3b569e320c0c9d5dc\",\"container_config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) COPY file:4abd3bff60458ca3b079d7b131ce26b2719055a030dfa96ff827da2b7c7038a7 in /\"],\"Image\":\"\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":null},\"docker_version\":\"1.7.1\",\"config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":null},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":960}\n"
+      }
+   ],
+   "fsLayers": [
+      {
+         "blobSum": "sha256:ffff95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
+      },
+      {
+         "blobSum": "sha256:ffff658f8b782e12230c1783426bd3bacce651ce582a4ffb6fbbfa2079428ecb"
+      }
+   ],
+   "signatures": [
+      {
+         "header": {
+            "jwk": {
+               "crv": "P-256",
+               "kid": "OIH7:HQFS:44FK:45VB:3B53:OIAG:TPL4:ATF5:6PNE:MGHN:NHQX:2GE4",
+               "kty": "EC",
+               "x": "Cu_UyxwLgHzE9rvlYSmvVdqYCXY42E9eNhBb0xNv0SQ",
+               "y": "zUsjWJkeKQ5tv7S-hl1Tg71cd-CqnrtiiLxSi6N_yc8"
+            },
+            "alg": "ES256"
+         },
+         "signature": "Y6xaFz9Sy-OtcnKQS1Ilq3Dh8cu4h3nBTJCpOTF1XF7vKtcxxA_xMP8-SgDo869SJ3VsvgPL9-Xn-OoYG2rb1A",
+         "protected": "eyJmb3JtYXRMZW5ndGgiOjMxOTcsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAxNS0wOS0xMVQwNDoxMzo0OFoifQ"
+      }
+   ]
+}
diff --git a/engine/distribution/fixtures/validate_manifest/good_manifest b/engine/distribution/fixtures/validate_manifest/good_manifest
new file mode 100644
index 00000000..b107de32
--- /dev/null
+++ b/engine/distribution/fixtures/validate_manifest/good_manifest
@@ -0,0 +1,38 @@
+{
+   "schemaVersion": 1,
+   "name": "library/hello-world",
+   "tag": "latest",
+   "architecture": "amd64",
+   "fsLayers": [
+      {
+         "blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
+      },
+      {
+         "blobSum": "sha256:03f4658f8b782e12230c1783426bd3bacce651ce582a4ffb6fbbfa2079428ecb"
+      }
+   ],
+   "history": [
+      {
+         "v1Compatibility": "{\"id\":\"af340544ed62de0680f441c71fa1a80cb084678fed42bae393e543faea3a572c\",\"parent\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"created\":\"2015-08-06T23:53:22.608577814Z\",\"container\":\"c2b715156f640c7ac7d98472ea24335aba5432a1323a3bb722697e6d37ef794f\",\"container_config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) CMD [\\\"/hello\\\"]\"],\"Image\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":{}},\"docker_version\":\"1.7.1\",\"config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/hello\"],\"Image\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"
+      },
+      {
+         "v1Compatibility": "{\"id\":\"535020c3e8add9d6bb06e5ac15a261e73d9b213d62fb2c14d752b8e189b2b912\",\"created\":\"2015-08-06T23:53:22.241352727Z\",\"container\":\"9aeb0006ffa72a8287564caaea87625896853701459261d3b569e320c0c9d5dc\",\"container_config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) COPY file:4abd3bff60458ca3b079d7b131ce26b2719055a030dfa96ff827da2b7c7038a7 in /\"],\"Image\":\"\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":null},\"docker_version\":\"1.7.1\",\"config\":{\"Hostname\":\"9aeb0006ffa7\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":null,\"Cmd\":null,\"Image\":\"\",\"Volumes\":null,\"VolumeDriver\":\"\",\"WorkingDir\":\"\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":null,\"Labels\":null},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":960}\n"
+      }
+   ],
+   "signatures": [
+      {
+         "header": {
+            "jwk": {
+               "crv": "P-256",
+               "kid": "OIH7:HQFS:44FK:45VB:3B53:OIAG:TPL4:ATF5:6PNE:MGHN:NHQX:2GE4",
+               "kty": "EC",
+               "x": "Cu_UyxwLgHzE9rvlYSmvVdqYCXY42E9eNhBb0xNv0SQ",
+               "y": "zUsjWJkeKQ5tv7S-hl1Tg71cd-CqnrtiiLxSi6N_yc8"
+            },
+            "alg": "ES256"
+         },
+         "signature": "Y6xaFz9Sy-OtcnKQS1Ilq3Dh8cu4h3nBTJCpOTF1XF7vKtcxxA_xMP8-SgDo869SJ3VsvgPL9-Xn-OoYG2rb1A",
+         "protected": "eyJmb3JtYXRMZW5ndGgiOjMxOTcsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAxNS0wOS0xMVQwNDoxMzo0OFoifQ"
+      }
+   ]
+}
\ No newline at end of file
diff --git a/engine/distribution/metadata/metadata.go b/engine/distribution/metadata/metadata.go
new file mode 100644
index 00000000..4ae8223b
--- /dev/null
+++ b/engine/distribution/metadata/metadata.go
@@ -0,0 +1,75 @@
+package metadata // import "github.com/docker/docker/distribution/metadata"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/docker/docker/pkg/ioutils"
+)
+
+// Store implements a K/V store for mapping distribution-related IDs
+// to on-disk layer IDs and image IDs. The namespace identifies the type of
+// mapping (i.e. "v1ids" or "artifacts"). MetadataStore is goroutine-safe.
+type Store interface {
+	// Get retrieves data by namespace and key.
+	Get(namespace string, key string) ([]byte, error)
+	// Set writes data indexed by namespace and key.
+	Set(namespace, key string, value []byte) error
+	// Delete removes data indexed by namespace and key.
+	Delete(namespace, key string) error
+}
+
+// FSMetadataStore uses the filesystem to associate metadata with layer and
+// image IDs.
+type FSMetadataStore struct {
+	sync.RWMutex
+	basePath string
+}
+
+// NewFSMetadataStore creates a new filesystem-based metadata store.
+func NewFSMetadataStore(basePath string) (*FSMetadataStore, error) {
+	if err := os.MkdirAll(basePath, 0700); err != nil {
+		return nil, err
+	}
+	return &FSMetadataStore{
+		basePath: basePath,
+	}, nil
+}
+
+func (store *FSMetadataStore) path(namespace, key string) string {
+	return filepath.Join(store.basePath, namespace, key)
+}
+
+// Get retrieves data by namespace and key. The data is read from a file named
+// after the key, stored in the namespace's directory.
+func (store *FSMetadataStore) Get(namespace string, key string) ([]byte, error) {
+	store.RLock()
+	defer store.RUnlock()
+
+	return ioutil.ReadFile(store.path(namespace, key))
+}
+
+// Set writes data indexed by namespace and key. The data is written to a file
+// named after the key, stored in the namespace's directory.
+func (store *FSMetadataStore) Set(namespace, key string, value []byte) error {
+	store.Lock()
+	defer store.Unlock()
+
+	path := store.path(namespace, key)
+	if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+		return err
+	}
+	return ioutils.AtomicWriteFile(path, value, 0644)
+}
+
+// Delete removes data indexed by namespace and key. The data file named after
+// the key, stored in the namespace's directory is deleted.
+func (store *FSMetadataStore) Delete(namespace, key string) error {
+	store.Lock()
+	defer store.Unlock()
+
+	path := store.path(namespace, key)
+	return os.Remove(path)
+}
diff --git a/engine/distribution/metadata/v1_id_service.go b/engine/distribution/metadata/v1_id_service.go
new file mode 100644
index 00000000..5575c59b
--- /dev/null
+++ b/engine/distribution/metadata/v1_id_service.go
@@ -0,0 +1,51 @@
+package metadata // import "github.com/docker/docker/distribution/metadata"
+
+import (
+	"github.com/docker/docker/image/v1"
+	"github.com/docker/docker/layer"
+	"github.com/pkg/errors"
+)
+
+// V1IDService maps v1 IDs to layers on disk.
+type V1IDService struct {
+	store Store
+}
+
+// NewV1IDService creates a new V1 ID mapping service.
+func NewV1IDService(store Store) *V1IDService {
+	return &V1IDService{
+		store: store,
+	}
+}
+
+// namespace returns the namespace used by this service.
+func (idserv *V1IDService) namespace() string {
+	return "v1id"
+}
+
+// Get finds a layer by its V1 ID.
+func (idserv *V1IDService) Get(v1ID, registry string) (layer.DiffID, error) {
+	if idserv.store == nil {
+		return "", errors.New("no v1IDService storage")
+	}
+	if err := v1.ValidateID(v1ID); err != nil {
+		return layer.DiffID(""), err
+	}
+
+	idBytes, err := idserv.store.Get(idserv.namespace(), registry+","+v1ID)
+	if err != nil {
+		return layer.DiffID(""), err
+	}
+	return layer.DiffID(idBytes), nil
+}
+
+// Set associates an image with a V1 ID.
+func (idserv *V1IDService) Set(v1ID, registry string, id layer.DiffID) error {
+	if idserv.store == nil {
+		return nil
+	}
+	if err := v1.ValidateID(v1ID); err != nil {
+		return err
+	}
+	return idserv.store.Set(idserv.namespace(), registry+","+v1ID, []byte(id))
+}
diff --git a/engine/distribution/metadata/v1_id_service_test.go b/engine/distribution/metadata/v1_id_service_test.go
new file mode 100644
index 00000000..5003897c
--- /dev/null
+++ b/engine/distribution/metadata/v1_id_service_test.go
@@ -0,0 +1,88 @@
+package metadata // import "github.com/docker/docker/distribution/metadata"
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/layer"
+	"gotest.tools/assert"
+)
+
+func TestV1IDService(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "v1-id-service-test")
+	if err != nil {
+		t.Fatalf("could not create temp dir: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	metadataStore, err := NewFSMetadataStore(tmpDir)
+	if err != nil {
+		t.Fatalf("could not create metadata store: %v", err)
+	}
+	v1IDService := NewV1IDService(metadataStore)
+
+	ns := v1IDService.namespace()
+
+	assert.Equal(t, "v1id", ns)
+
+	testVectors := []struct {
+		registry string
+		v1ID     string
+		layerID  layer.DiffID
+	}{
+		{
+			registry: "registry1",
+			v1ID:     "f0cd5ca10b07f35512fc2f1cbf9a6cefbdb5cba70ac6b0c9e5988f4497f71937",
+			layerID:  layer.DiffID("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"),
+		},
+		{
+			registry: "registry2",
+			v1ID:     "9e3447ca24cb96d86ebd5960cb34d1299b07e0a0e03801d90b9969a2c187dd6e",
+			layerID:  layer.DiffID("sha256:86e0e091d0da6bde2456dbb48306f3956bbeb2eae1b5b9a43045843f69fe4aaa"),
+		},
+		{
+			registry: "registry1",
+			v1ID:     "9e3447ca24cb96d86ebd5960cb34d1299b07e0a0e03801d90b9969a2c187dd6e",
+			layerID:  layer.DiffID("sha256:03f4658f8b782e12230c1783426bd3bacce651ce582a4ffb6fbbfa2079428ecb"),
+		},
+	}
+
+	// Set some associations
+	for _, vec := range testVectors {
+		err := v1IDService.Set(vec.v1ID, vec.registry, vec.layerID)
+		if err != nil {
+			t.Fatalf("error calling Set: %v", err)
+		}
+	}
+
+	// Check the correct values are read back
+	for _, vec := range testVectors {
+		layerID, err := v1IDService.Get(vec.v1ID, vec.registry)
+		if err != nil {
+			t.Fatalf("error calling Get: %v", err)
+		}
+		if layerID != vec.layerID {
+			t.Fatal("Get returned incorrect layer ID")
+		}
+	}
+
+	// Test Get on a nonexistent entry
+	_, err = v1IDService.Get("82379823067823853223359023576437723560923756b03560378f4497753917", "registry1")
+	if err == nil {
+		t.Fatal("expected error looking up nonexistent entry")
+	}
+
+	// Overwrite one of the entries and read it back
+	err = v1IDService.Set(testVectors[0].v1ID, testVectors[0].registry, testVectors[1].layerID)
+	if err != nil {
+		t.Fatalf("error calling Set: %v", err)
+	}
+	layerID, err := v1IDService.Get(testVectors[0].v1ID, testVectors[0].registry)
+	if err != nil {
+		t.Fatalf("error calling Get: %v", err)
+	}
+	if layerID != testVectors[1].layerID {
+		t.Fatal("Get returned incorrect layer ID")
+	}
+}
diff --git a/engine/distribution/metadata/v2_metadata_service.go b/engine/distribution/metadata/v2_metadata_service.go
new file mode 100644
index 00000000..fe334985
--- /dev/null
+++ b/engine/distribution/metadata/v2_metadata_service.go
@@ -0,0 +1,241 @@
+package metadata // import "github.com/docker/docker/distribution/metadata"
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/layer"
+	"github.com/opencontainers/go-digest"
+)
+
+// V2MetadataService maps layer IDs to a set of known metadata for
+// the layer.
+type V2MetadataService interface {
+	GetMetadata(diffID layer.DiffID) ([]V2Metadata, error)
+	GetDiffID(dgst digest.Digest) (layer.DiffID, error)
+	Add(diffID layer.DiffID, metadata V2Metadata) error
+	TagAndAdd(diffID layer.DiffID, hmacKey []byte, metadata V2Metadata) error
+	Remove(metadata V2Metadata) error
+}
+
+// v2MetadataService implements V2MetadataService
+type v2MetadataService struct {
+	store Store
+}
+
+var _ V2MetadataService = &v2MetadataService{}
+
+// V2Metadata contains the digest and source repository information for a layer.
+type V2Metadata struct {
+	Digest           digest.Digest
+	SourceRepository string
+	// HMAC hashes above attributes with recent authconfig digest used as a key in order to determine matching
+	// metadata entries accompanied by the same credentials without actually exposing them.
+	HMAC string
+}
+
+// CheckV2MetadataHMAC returns true if the given "meta" is tagged with a hmac hashed by the given "key".
+func CheckV2MetadataHMAC(meta *V2Metadata, key []byte) bool {
+	if len(meta.HMAC) == 0 || len(key) == 0 {
+		return len(meta.HMAC) == 0 && len(key) == 0
+	}
+	mac := hmac.New(sha256.New, key)
+	mac.Write([]byte(meta.Digest))
+	mac.Write([]byte(meta.SourceRepository))
+	expectedMac := mac.Sum(nil)
+
+	storedMac, err := hex.DecodeString(meta.HMAC)
+	if err != nil {
+		return false
+	}
+
+	return hmac.Equal(storedMac, expectedMac)
+}
+
+// ComputeV2MetadataHMAC returns a hmac for the given "meta" hash by the given key.
+func ComputeV2MetadataHMAC(key []byte, meta *V2Metadata) string {
+	if len(key) == 0 || meta == nil {
+		return ""
+	}
+	mac := hmac.New(sha256.New, key)
+	mac.Write([]byte(meta.Digest))
+	mac.Write([]byte(meta.SourceRepository))
+	return hex.EncodeToString(mac.Sum(nil))
+}
+
+// ComputeV2MetadataHMACKey returns a key for the given "authConfig" that can be used to hash v2 metadata
+// entries.
+func ComputeV2MetadataHMACKey(authConfig *types.AuthConfig) ([]byte, error) {
+	if authConfig == nil {
+		return nil, nil
+	}
+	key := authConfigKeyInput{
+		Username:      authConfig.Username,
+		Password:      authConfig.Password,
+		Auth:          authConfig.Auth,
+		IdentityToken: authConfig.IdentityToken,
+		RegistryToken: authConfig.RegistryToken,
+	}
+	buf, err := json.Marshal(&key)
+	if err != nil {
+		return nil, err
+	}
+	return []byte(digest.FromBytes(buf)), nil
+}
+
+// authConfigKeyInput is a reduced AuthConfig structure holding just relevant credential data eligible for
+// hmac key creation.
+type authConfigKeyInput struct {
+	Username string `json:"username,omitempty"`
+	Password string `json:"password,omitempty"`
+	Auth     string `json:"auth,omitempty"`
+
+	IdentityToken string `json:"identitytoken,omitempty"`
+	RegistryToken string `json:"registrytoken,omitempty"`
+}
+
+// maxMetadata is the number of metadata entries to keep per layer DiffID.
+const maxMetadata = 50
+
+// NewV2MetadataService creates a new diff ID to v2 metadata mapping service.
+func NewV2MetadataService(store Store) V2MetadataService {
+	return &v2MetadataService{
+		store: store,
+	}
+}
+
+func (serv *v2MetadataService) diffIDNamespace() string {
+	return "v2metadata-by-diffid"
+}
+
+func (serv *v2MetadataService) digestNamespace() string {
+	return "diffid-by-digest"
+}
+
+func (serv *v2MetadataService) diffIDKey(diffID layer.DiffID) string {
+	return string(digest.Digest(diffID).Algorithm()) + "/" + digest.Digest(diffID).Hex()
+}
+
+func (serv *v2MetadataService) digestKey(dgst digest.Digest) string {
+	return string(dgst.Algorithm()) + "/" + dgst.Hex()
+}
+
+// GetMetadata finds the metadata associated with a layer DiffID.
+func (serv *v2MetadataService) GetMetadata(diffID layer.DiffID) ([]V2Metadata, error) {
+	if serv.store == nil {
+		return nil, errors.New("no metadata storage")
+	}
+	jsonBytes, err := serv.store.Get(serv.diffIDNamespace(), serv.diffIDKey(diffID))
+	if err != nil {
+		return nil, err
+	}
+
+	var metadata []V2Metadata
+	if err := json.Unmarshal(jsonBytes, &metadata); err != nil {
+		return nil, err
+	}
+
+	return metadata, nil
+}
+
+// GetDiffID finds a layer DiffID from a digest.
+func (serv *v2MetadataService) GetDiffID(dgst digest.Digest) (layer.DiffID, error) {
+	if serv.store == nil {
+		return layer.DiffID(""), errors.New("no metadata storage")
+	}
+	diffIDBytes, err := serv.store.Get(serv.digestNamespace(), serv.digestKey(dgst))
+	if err != nil {
+		return layer.DiffID(""), err
+	}
+
+	return layer.DiffID(diffIDBytes), nil
+}
+
+// Add associates metadata with a layer DiffID. If too many metadata entries are
+// present, the oldest one is dropped.
+func (serv *v2MetadataService) Add(diffID layer.DiffID, metadata V2Metadata) error {
+	if serv.store == nil {
+		// Support a service which has no backend storage, in this case
+		// an add becomes a no-op.
+		// TODO: implement in memory storage
+		return nil
+	}
+	oldMetadata, err := serv.GetMetadata(diffID)
+	if err != nil {
+		oldMetadata = nil
+	}
+	newMetadata := make([]V2Metadata, 0, len(oldMetadata)+1)
+
+	// Copy all other metadata to new slice
+	for _, oldMeta := range oldMetadata {
+		if oldMeta != metadata {
+			newMetadata = append(newMetadata, oldMeta)
+		}
+	}
+
+	newMetadata = append(newMetadata, metadata)
+
+	if len(newMetadata) > maxMetadata {
+		newMetadata = newMetadata[len(newMetadata)-maxMetadata:]
+	}
+
+	jsonBytes, err := json.Marshal(newMetadata)
+	if err != nil {
+		return err
+	}
+
+	err = serv.store.Set(serv.diffIDNamespace(), serv.diffIDKey(diffID), jsonBytes)
+	if err != nil {
+		return err
+	}
+
+	return serv.store.Set(serv.digestNamespace(), serv.digestKey(metadata.Digest), []byte(diffID))
+}
+
+// TagAndAdd amends the given "meta" for hmac hashed by the given "hmacKey" and associates it with a layer
+// DiffID. If too many metadata entries are present, the oldest one is dropped.
+func (serv *v2MetadataService) TagAndAdd(diffID layer.DiffID, hmacKey []byte, meta V2Metadata) error {
+	meta.HMAC = ComputeV2MetadataHMAC(hmacKey, &meta)
+	return serv.Add(diffID, meta)
+}
+
+// Remove disassociates a metadata entry from a layer DiffID.
+func (serv *v2MetadataService) Remove(metadata V2Metadata) error {
+	if serv.store == nil {
+		// Support a service which has no backend storage, in this case
+		// an remove becomes a no-op.
+		// TODO: implement in memory storage
+		return nil
+	}
+	diffID, err := serv.GetDiffID(metadata.Digest)
+	if err != nil {
+		return err
+	}
+	oldMetadata, err := serv.GetMetadata(diffID)
+	if err != nil {
+		oldMetadata = nil
+	}
+	newMetadata := make([]V2Metadata, 0, len(oldMetadata))
+
+	// Copy all other metadata to new slice
+	for _, oldMeta := range oldMetadata {
+		if oldMeta != metadata {
+			newMetadata = append(newMetadata, oldMeta)
+		}
+	}
+
+	if len(newMetadata) == 0 {
+		return serv.store.Delete(serv.diffIDNamespace(), serv.diffIDKey(diffID))
+	}
+
+	jsonBytes, err := json.Marshal(newMetadata)
+	if err != nil {
+		return err
+	}
+
+	return serv.store.Set(serv.diffIDNamespace(), serv.diffIDKey(diffID), jsonBytes)
+}
diff --git a/engine/distribution/metadata/v2_metadata_service_test.go b/engine/distribution/metadata/v2_metadata_service_test.go
new file mode 100644
index 00000000..cf24e0d8
--- /dev/null
+++ b/engine/distribution/metadata/v2_metadata_service_test.go
@@ -0,0 +1,115 @@
+package metadata // import "github.com/docker/docker/distribution/metadata"
+
+import (
+	"encoding/hex"
+	"io/ioutil"
+	"math/rand"
+	"os"
+	"reflect"
+	"testing"
+
+	"github.com/docker/docker/layer"
+	"github.com/opencontainers/go-digest"
+)
+
+func TestV2MetadataService(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "blobsum-storage-service-test")
+	if err != nil {
+		t.Fatalf("could not create temp dir: %v", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	metadataStore, err := NewFSMetadataStore(tmpDir)
+	if err != nil {
+		t.Fatalf("could not create metadata store: %v", err)
+	}
+	V2MetadataService := NewV2MetadataService(metadataStore)
+
+	tooManyBlobSums := make([]V2Metadata, 100)
+	for i := range tooManyBlobSums {
+		randDigest := randomDigest()
+		tooManyBlobSums[i] = V2Metadata{Digest: randDigest}
+	}
+
+	testVectors := []struct {
+		diffID   layer.DiffID
+		metadata []V2Metadata
+	}{
+		{
+			diffID: layer.DiffID("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"),
+			metadata: []V2Metadata{
+				{Digest: digest.Digest("sha256:f0cd5ca10b07f35512fc2f1cbf9a6cefbdb5cba70ac6b0c9e5988f4497f71937")},
+			},
+		},
+		{
+			diffID: layer.DiffID("sha256:86e0e091d0da6bde2456dbb48306f3956bbeb2eae1b5b9a43045843f69fe4aaa"),
+			metadata: []V2Metadata{
+				{Digest: digest.Digest("sha256:f0cd5ca10b07f35512fc2f1cbf9a6cefbdb5cba70ac6b0c9e5988f4497f71937")},
+				{Digest: digest.Digest("sha256:9e3447ca24cb96d86ebd5960cb34d1299b07e0a0e03801d90b9969a2c187dd6e")},
+			},
+		},
+		{
+			diffID:   layer.DiffID("sha256:03f4658f8b782e12230c1783426bd3bacce651ce582a4ffb6fbbfa2079428ecb"),
+			metadata: tooManyBlobSums,
+		},
+	}
+
+	// Set some associations
+	for _, vec := range testVectors {
+		for _, blobsum := range vec.metadata {
+			err := V2MetadataService.Add(vec.diffID, blobsum)
+			if err != nil {
+				t.Fatalf("error calling Set: %v", err)
+			}
+		}
+	}
+
+	// Check the correct values are read back
+	for _, vec := range testVectors {
+		metadata, err := V2MetadataService.GetMetadata(vec.diffID)
+		if err != nil {
+			t.Fatalf("error calling Get: %v", err)
+		}
+		expectedMetadataEntries := len(vec.metadata)
+		if expectedMetadataEntries > 50 {
+			expectedMetadataEntries = 50
+		}
+		if !reflect.DeepEqual(metadata, vec.metadata[len(vec.metadata)-expectedMetadataEntries:len(vec.metadata)]) {
+			t.Fatal("Get returned incorrect layer ID")
+		}
+	}
+
+	// Test GetMetadata on a nonexistent entry
+	_, err = V2MetadataService.GetMetadata(layer.DiffID("sha256:82379823067823853223359023576437723560923756b03560378f4497753917"))
+	if err == nil {
+		t.Fatal("expected error looking up nonexistent entry")
+	}
+
+	// Test GetDiffID on a nonexistent entry
+	_, err = V2MetadataService.GetDiffID(digest.Digest("sha256:82379823067823853223359023576437723560923756b03560378f4497753917"))
+	if err == nil {
+		t.Fatal("expected error looking up nonexistent entry")
+	}
+
+	// Overwrite one of the entries and read it back
+	err = V2MetadataService.Add(testVectors[1].diffID, testVectors[0].metadata[0])
+	if err != nil {
+		t.Fatalf("error calling Add: %v", err)
+	}
+	diffID, err := V2MetadataService.GetDiffID(testVectors[0].metadata[0].Digest)
+	if err != nil {
+		t.Fatalf("error calling GetDiffID: %v", err)
+	}
+	if diffID != testVectors[1].diffID {
+		t.Fatal("GetDiffID returned incorrect diffID")
+	}
+}
+
+func randomDigest() digest.Digest {
+	b := [32]byte{}
+	for i := 0; i < len(b); i++ {
+		b[i] = byte(rand.Intn(256))
+	}
+	d := hex.EncodeToString(b[:])
+	return digest.Digest("sha256:" + d)
+}
diff --git a/engine/distribution/oci.go b/engine/distribution/oci.go
new file mode 100644
index 00000000..7366546d
--- /dev/null
+++ b/engine/distribution/oci.go
@@ -0,0 +1,45 @@
+package distribution
+
+import (
+	"fmt"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/manifestlist"
+	"github.com/docker/distribution/manifest/schema2"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+func init() {
+	// TODO: Remove this registration if distribution is included with OCI support
+
+	ocischemaFunc := func(b []byte) (distribution.Manifest, distribution.Descriptor, error) {
+		m := new(schema2.DeserializedManifest)
+		err := m.UnmarshalJSON(b)
+		if err != nil {
+			return nil, distribution.Descriptor{}, err
+		}
+
+		dgst := digest.FromBytes(b)
+		return m, distribution.Descriptor{Digest: dgst, Size: int64(len(b)), MediaType: ocispec.MediaTypeImageManifest}, err
+	}
+	err := distribution.RegisterManifestSchema(ocispec.MediaTypeImageManifest, ocischemaFunc)
+	if err != nil {
+		panic(fmt.Sprintf("Unable to register manifest: %s", err))
+	}
+
+	manifestListFunc := func(b []byte) (distribution.Manifest, distribution.Descriptor, error) {
+		m := new(manifestlist.DeserializedManifestList)
+		err := m.UnmarshalJSON(b)
+		if err != nil {
+			return nil, distribution.Descriptor{}, err
+		}
+
+		dgst := digest.FromBytes(b)
+		return m, distribution.Descriptor{Digest: dgst, Size: int64(len(b)), MediaType: ocispec.MediaTypeImageIndex}, err
+	}
+	err = distribution.RegisterManifestSchema(ocispec.MediaTypeImageIndex, manifestListFunc)
+	if err != nil {
+		panic(fmt.Sprintf("Unable to register manifest: %s", err))
+	}
+}
diff --git a/engine/distribution/pull.go b/engine/distribution/pull.go
new file mode 100644
index 00000000..5de73ae9
--- /dev/null
+++ b/engine/distribution/pull.go
@@ -0,0 +1,201 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/pkg/progress"
+	refstore "github.com/docker/docker/reference"
+	"github.com/docker/docker/registry"
+	"github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Puller is an interface that abstracts pulling for different API versions.
+type Puller interface {
+	// Pull tries to pull the image referenced by `tag`
+	// Pull returns an error if any, as well as a boolean that determines whether to retry Pull on the next configured endpoint.
+	//
+	Pull(ctx context.Context, ref reference.Named, platform *specs.Platform) error
+}
+
+// newPuller returns a Puller interface that will pull from either a v1 or v2
+// registry. The endpoint argument contains a Version field that determines
+// whether a v1 or v2 puller will be created. The other parameters are passed
+// through to the underlying puller implementation for use during the actual
+// pull operation.
+func newPuller(endpoint registry.APIEndpoint, repoInfo *registry.RepositoryInfo, imagePullConfig *ImagePullConfig) (Puller, error) {
+	switch endpoint.Version {
+	case registry.APIVersion2:
+		return &v2Puller{
+			V2MetadataService: metadata.NewV2MetadataService(imagePullConfig.MetadataStore),
+			endpoint:          endpoint,
+			config:            imagePullConfig,
+			repoInfo:          repoInfo,
+		}, nil
+	case registry.APIVersion1:
+		return &v1Puller{
+			v1IDService: metadata.NewV1IDService(imagePullConfig.MetadataStore),
+			endpoint:    endpoint,
+			config:      imagePullConfig,
+			repoInfo:    repoInfo,
+		}, nil
+	}
+	return nil, fmt.Errorf("unknown version %d for registry %s", endpoint.Version, endpoint.URL)
+}
+
+// Pull initiates a pull operation. image is the repository name to pull, and
+// tag may be either empty, or indicate a specific tag to pull.
+func Pull(ctx context.Context, ref reference.Named, imagePullConfig *ImagePullConfig) error {
+	// Resolve the Repository name from fqn to RepositoryInfo
+	repoInfo, err := imagePullConfig.RegistryService.ResolveRepository(ref)
+	if err != nil {
+		return err
+	}
+
+	// makes sure name is not `scratch`
+	if err := ValidateRepoName(repoInfo.Name); err != nil {
+		return err
+	}
+
+	endpoints, err := imagePullConfig.RegistryService.LookupPullEndpoints(reference.Domain(repoInfo.Name))
+	if err != nil {
+		return err
+	}
+
+	var (
+		lastErr error
+
+		// discardNoSupportErrors is used to track whether an endpoint encountered an error of type registry.ErrNoSupport
+		// By default it is false, which means that if an ErrNoSupport error is encountered, it will be saved in lastErr.
+		// As soon as another kind of error is encountered, discardNoSupportErrors is set to true, avoiding the saving of
+		// any subsequent ErrNoSupport errors in lastErr.
+		// It's needed for pull-by-digest on v1 endpoints: if there are only v1 endpoints configured, the error should be
+		// returned and displayed, but if there was a v2 endpoint which supports pull-by-digest, then the last relevant
+		// error is the ones from v2 endpoints not v1.
+		discardNoSupportErrors bool
+
+		// confirmedV2 is set to true if a pull attempt managed to
+		// confirm that it was talking to a v2 registry. This will
+		// prevent fallback to the v1 protocol.
+		confirmedV2 bool
+
+		// confirmedTLSRegistries is a map indicating which registries
+		// are known to be using TLS. There should never be a plaintext
+		// retry for any of these.
+		confirmedTLSRegistries = make(map[string]struct{})
+	)
+	for _, endpoint := range endpoints {
+		if imagePullConfig.RequireSchema2 && endpoint.Version == registry.APIVersion1 {
+			continue
+		}
+
+		if confirmedV2 && endpoint.Version == registry.APIVersion1 {
+			logrus.Debugf("Skipping v1 endpoint %s because v2 registry was detected", endpoint.URL)
+			continue
+		}
+
+		if endpoint.URL.Scheme != "https" {
+			if _, confirmedTLS := confirmedTLSRegistries[endpoint.URL.Host]; confirmedTLS {
+				logrus.Debugf("Skipping non-TLS endpoint %s for host/port that appears to use TLS", endpoint.URL)
+				continue
+			}
+		}
+
+		logrus.Debugf("Trying to pull %s from %s %s", reference.FamiliarName(repoInfo.Name), endpoint.URL, endpoint.Version)
+
+		puller, err := newPuller(endpoint, repoInfo, imagePullConfig)
+		if err != nil {
+			lastErr = err
+			continue
+		}
+
+		if err := puller.Pull(ctx, ref, imagePullConfig.Platform); err != nil {
+			// Was this pull cancelled? If so, don't try to fall
+			// back.
+			fallback := false
+			select {
+			case <-ctx.Done():
+			default:
+				if fallbackErr, ok := err.(fallbackError); ok {
+					fallback = true
+					confirmedV2 = confirmedV2 || fallbackErr.confirmedV2
+					if fallbackErr.transportOK && endpoint.URL.Scheme == "https" {
+						confirmedTLSRegistries[endpoint.URL.Host] = struct{}{}
+					}
+					err = fallbackErr.err
+				}
+			}
+			if fallback {
+				if _, ok := err.(ErrNoSupport); !ok {
+					// Because we found an error that's not ErrNoSupport, discard all subsequent ErrNoSupport errors.
+					discardNoSupportErrors = true
+					// append subsequent errors
+					lastErr = err
+				} else if !discardNoSupportErrors {
+					// Save the ErrNoSupport error, because it's either the first error or all encountered errors
+					// were also ErrNoSupport errors.
+					// append subsequent errors
+					lastErr = err
+				}
+				logrus.Infof("Attempting next endpoint for pull after error: %v", err)
+				continue
+			}
+			logrus.Errorf("Not continuing with pull after error: %v", err)
+			return TranslatePullError(err, ref)
+		}
+
+		imagePullConfig.ImageEventLogger(reference.FamiliarString(ref), reference.FamiliarName(repoInfo.Name), "pull")
+		return nil
+	}
+
+	if lastErr == nil {
+		lastErr = fmt.Errorf("no endpoints found for %s", reference.FamiliarString(ref))
+	}
+
+	return TranslatePullError(lastErr, ref)
+}
+
+// writeStatus writes a status message to out. If layersDownloaded is true, the
+// status message indicates that a newer image was downloaded. Otherwise, it
+// indicates that the image is up to date. requestedTag is the tag the message
+// will refer to.
+func writeStatus(requestedTag string, out progress.Output, layersDownloaded bool) {
+	if layersDownloaded {
+		progress.Message(out, "", "Status: Downloaded newer image for "+requestedTag)
+	} else {
+		progress.Message(out, "", "Status: Image is up to date for "+requestedTag)
+	}
+}
+
+// ValidateRepoName validates the name of a repository.
+func ValidateRepoName(name reference.Named) error {
+	if reference.FamiliarName(name) == api.NoBaseImageSpecifier {
+		return errors.WithStack(reservedNameError(api.NoBaseImageSpecifier))
+	}
+	return nil
+}
+
+func addDigestReference(store refstore.Store, ref reference.Named, dgst digest.Digest, id digest.Digest) error {
+	dgstRef, err := reference.WithDigest(reference.TrimNamed(ref), dgst)
+	if err != nil {
+		return err
+	}
+
+	if oldTagID, err := store.Get(dgstRef); err == nil {
+		if oldTagID != id {
+			// Updating digests not supported by reference store
+			logrus.Errorf("Image ID for digest %s changed from %s to %s, cannot update", dgst.String(), oldTagID, id)
+		}
+		return nil
+	} else if err != refstore.ErrDoesNotExist {
+		return err
+	}
+
+	return store.AddDigest(dgstRef, id, true)
+}
diff --git a/engine/distribution/pull_v1.go b/engine/distribution/pull_v1.go
new file mode 100644
index 00000000..c2c897dc
--- /dev/null
+++ b/engine/distribution/pull_v1.go
@@ -0,0 +1,368 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/image/v1"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/registry"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/sirupsen/logrus"
+)
+
+type v1Puller struct {
+	v1IDService *metadata.V1IDService
+	endpoint    registry.APIEndpoint
+	config      *ImagePullConfig
+	repoInfo    *registry.RepositoryInfo
+	session     *registry.Session
+}
+
+func (p *v1Puller) Pull(ctx context.Context, ref reference.Named, _ *specs.Platform) error {
+	if _, isCanonical := ref.(reference.Canonical); isCanonical {
+		// Allowing fallback, because HTTPS v1 is before HTTP v2
+		return fallbackError{err: ErrNoSupport{Err: errors.New("Cannot pull by digest with v1 registry")}}
+	}
+
+	tlsConfig, err := p.config.RegistryService.TLSConfig(p.repoInfo.Index.Name)
+	if err != nil {
+		return err
+	}
+	// Adds Docker-specific headers as well as user-specified headers (metaHeaders)
+	tr := transport.NewTransport(
+		// TODO(tiborvass): was ReceiveTimeout
+		registry.NewTransport(tlsConfig),
+		registry.Headers(dockerversion.DockerUserAgent(ctx), p.config.MetaHeaders)...,
+	)
+	client := registry.HTTPClient(tr)
+	v1Endpoint := p.endpoint.ToV1Endpoint(dockerversion.DockerUserAgent(ctx), p.config.MetaHeaders)
+	p.session, err = registry.NewSession(client, p.config.AuthConfig, v1Endpoint)
+	if err != nil {
+		// TODO(dmcgowan): Check if should fallback
+		logrus.Debugf("Fallback from error: %s", err)
+		return fallbackError{err: err}
+	}
+	if err := p.pullRepository(ctx, ref); err != nil {
+		// TODO(dmcgowan): Check if should fallback
+		return err
+	}
+	progress.Message(p.config.ProgressOutput, "", p.repoInfo.Name.Name()+": this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.")
+
+	return nil
+}
+
+// Note use auth.Scope rather than reference.Named due to this warning causing Jenkins CI to fail:
+// warning: ref can be github.com/docker/docker/vendor/github.com/docker/distribution/registry/client/auth.Scope (interfacer)
+func (p *v1Puller) pullRepository(ctx context.Context, ref auth.Scope) error {
+	progress.Message(p.config.ProgressOutput, "", "Pulling repository "+p.repoInfo.Name.Name())
+
+	tagged, isTagged := ref.(reference.NamedTagged)
+
+	repoData, err := p.session.GetRepositoryData(p.repoInfo.Name)
+	if err != nil {
+		if strings.Contains(err.Error(), "HTTP code: 404") {
+			if isTagged {
+				return fmt.Errorf("Error: image %s:%s not found", reference.Path(p.repoInfo.Name), tagged.Tag())
+			}
+			return fmt.Errorf("Error: image %s not found", reference.Path(p.repoInfo.Name))
+		}
+		// Unexpected HTTP error
+		return err
+	}
+
+	logrus.Debug("Retrieving the tag list")
+	var tagsList map[string]string
+	if !isTagged {
+		tagsList, err = p.session.GetRemoteTags(repoData.Endpoints, p.repoInfo.Name)
+	} else {
+		var tagID string
+		tagsList = make(map[string]string)
+		tagID, err = p.session.GetRemoteTag(repoData.Endpoints, p.repoInfo.Name, tagged.Tag())
+		if err == registry.ErrRepoNotFound {
+			return fmt.Errorf("Tag %s not found in repository %s", tagged.Tag(), p.repoInfo.Name.Name())
+		}
+		tagsList[tagged.Tag()] = tagID
+	}
+	if err != nil {
+		logrus.Errorf("unable to get remote tags: %s", err)
+		return err
+	}
+
+	for tag, id := range tagsList {
+		repoData.ImgList[id] = &registry.ImgData{
+			ID:       id,
+			Tag:      tag,
+			Checksum: "",
+		}
+	}
+
+	layersDownloaded := false
+	for _, imgData := range repoData.ImgList {
+		if isTagged && imgData.Tag != tagged.Tag() {
+			continue
+		}
+
+		err := p.downloadImage(ctx, repoData, imgData, &layersDownloaded)
+		if err != nil {
+			return err
+		}
+	}
+
+	writeStatus(reference.FamiliarString(ref), p.config.ProgressOutput, layersDownloaded)
+	return nil
+}
+
+func (p *v1Puller) downloadImage(ctx context.Context, repoData *registry.RepositoryData, img *registry.ImgData, layersDownloaded *bool) error {
+	if img.Tag == "" {
+		logrus.Debugf("Image (id: %s) present in this repository but untagged, skipping", img.ID)
+		return nil
+	}
+
+	localNameRef, err := reference.WithTag(p.repoInfo.Name, img.Tag)
+	if err != nil {
+		retErr := fmt.Errorf("Image (id: %s) has invalid tag: %s", img.ID, img.Tag)
+		logrus.Debug(retErr.Error())
+		return retErr
+	}
+
+	if err := v1.ValidateID(img.ID); err != nil {
+		return err
+	}
+
+	progress.Updatef(p.config.ProgressOutput, stringid.TruncateID(img.ID), "Pulling image (%s) from %s", img.Tag, p.repoInfo.Name.Name())
+	success := false
+	var lastErr error
+	for _, ep := range p.repoInfo.Index.Mirrors {
+		ep += "v1/"
+		progress.Updatef(p.config.ProgressOutput, stringid.TruncateID(img.ID), fmt.Sprintf("Pulling image (%s) from %s, mirror: %s", img.Tag, p.repoInfo.Name.Name(), ep))
+		if err = p.pullImage(ctx, img.ID, ep, localNameRef, layersDownloaded); err != nil {
+			// Don't report errors when pulling from mirrors.
+			logrus.Debugf("Error pulling image (%s) from %s, mirror: %s, %s", img.Tag, p.repoInfo.Name.Name(), ep, err)
+			continue
+		}
+		success = true
+		break
+	}
+	if !success {
+		for _, ep := range repoData.Endpoints {
+			progress.Updatef(p.config.ProgressOutput, stringid.TruncateID(img.ID), "Pulling image (%s) from %s, endpoint: %s", img.Tag, p.repoInfo.Name.Name(), ep)
+			if err = p.pullImage(ctx, img.ID, ep, localNameRef, layersDownloaded); err != nil {
+				// It's not ideal that only the last error is returned, it would be better to concatenate the errors.
+				// As the error is also given to the output stream the user will see the error.
+				lastErr = err
+				progress.Updatef(p.config.ProgressOutput, stringid.TruncateID(img.ID), "Error pulling image (%s) from %s, endpoint: %s, %s", img.Tag, p.repoInfo.Name.Name(), ep, err)
+				continue
+			}
+			success = true
+			break
+		}
+	}
+	if !success {
+		err := fmt.Errorf("Error pulling image (%s) from %s, %v", img.Tag, p.repoInfo.Name.Name(), lastErr)
+		progress.Update(p.config.ProgressOutput, stringid.TruncateID(img.ID), err.Error())
+		return err
+	}
+	return nil
+}
+
+func (p *v1Puller) pullImage(ctx context.Context, v1ID, endpoint string, localNameRef reference.Named, layersDownloaded *bool) (err error) {
+	var history []string
+	history, err = p.session.GetRemoteHistory(v1ID, endpoint)
+	if err != nil {
+		return err
+	}
+	if len(history) < 1 {
+		return fmt.Errorf("empty history for image %s", v1ID)
+	}
+	progress.Update(p.config.ProgressOutput, stringid.TruncateID(v1ID), "Pulling dependent layers")
+
+	var (
+		descriptors []xfer.DownloadDescriptor
+		newHistory  []image.History
+		imgJSON     []byte
+		imgSize     int64
+	)
+
+	// Iterate over layers, in order from bottom-most to top-most. Download
+	// config for all layers and create descriptors.
+	for i := len(history) - 1; i >= 0; i-- {
+		v1LayerID := history[i]
+		imgJSON, imgSize, err = p.downloadLayerConfig(v1LayerID, endpoint)
+		if err != nil {
+			return err
+		}
+
+		// Create a new-style config from the legacy configs
+		h, err := v1.HistoryFromConfig(imgJSON, false)
+		if err != nil {
+			return err
+		}
+		newHistory = append(newHistory, h)
+
+		layerDescriptor := &v1LayerDescriptor{
+			v1LayerID:        v1LayerID,
+			indexName:        p.repoInfo.Index.Name,
+			endpoint:         endpoint,
+			v1IDService:      p.v1IDService,
+			layersDownloaded: layersDownloaded,
+			layerSize:        imgSize,
+			session:          p.session,
+		}
+
+		descriptors = append(descriptors, layerDescriptor)
+	}
+
+	rootFS := image.NewRootFS()
+	resultRootFS, release, err := p.config.DownloadManager.Download(ctx, *rootFS, "", descriptors, p.config.ProgressOutput)
+	if err != nil {
+		return err
+	}
+	defer release()
+
+	config, err := v1.MakeConfigFromV1Config(imgJSON, &resultRootFS, newHistory)
+	if err != nil {
+		return err
+	}
+
+	imageID, err := p.config.ImageStore.Put(config)
+	if err != nil {
+		return err
+	}
+
+	if p.config.ReferenceStore != nil {
+		if err := p.config.ReferenceStore.AddTag(localNameRef, imageID, true); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (p *v1Puller) downloadLayerConfig(v1LayerID, endpoint string) (imgJSON []byte, imgSize int64, err error) {
+	progress.Update(p.config.ProgressOutput, stringid.TruncateID(v1LayerID), "Pulling metadata")
+
+	retries := 5
+	for j := 1; j <= retries; j++ {
+		imgJSON, imgSize, err := p.session.GetRemoteImageJSON(v1LayerID, endpoint)
+		if err != nil && j == retries {
+			progress.Update(p.config.ProgressOutput, stringid.TruncateID(v1LayerID), "Error pulling layer metadata")
+			return nil, 0, err
+		} else if err != nil {
+			time.Sleep(time.Duration(j) * 500 * time.Millisecond)
+			continue
+		}
+
+		return imgJSON, imgSize, nil
+	}
+
+	// not reached
+	return nil, 0, nil
+}
+
+type v1LayerDescriptor struct {
+	v1LayerID        string
+	indexName        string
+	endpoint         string
+	v1IDService      *metadata.V1IDService
+	layersDownloaded *bool
+	layerSize        int64
+	session          *registry.Session
+	tmpFile          *os.File
+}
+
+func (ld *v1LayerDescriptor) Key() string {
+	return "v1:" + ld.v1LayerID
+}
+
+func (ld *v1LayerDescriptor) ID() string {
+	return stringid.TruncateID(ld.v1LayerID)
+}
+
+func (ld *v1LayerDescriptor) DiffID() (layer.DiffID, error) {
+	return ld.v1IDService.Get(ld.v1LayerID, ld.indexName)
+}
+
+func (ld *v1LayerDescriptor) Download(ctx context.Context, progressOutput progress.Output) (io.ReadCloser, int64, error) {
+	progress.Update(progressOutput, ld.ID(), "Pulling fs layer")
+	layerReader, err := ld.session.GetRemoteImageLayer(ld.v1LayerID, ld.endpoint, ld.layerSize)
+	if err != nil {
+		progress.Update(progressOutput, ld.ID(), "Error pulling dependent layers")
+		if uerr, ok := err.(*url.Error); ok {
+			err = uerr.Err
+		}
+		if terr, ok := err.(net.Error); ok && terr.Timeout() {
+			return nil, 0, err
+		}
+		return nil, 0, xfer.DoNotRetry{Err: err}
+	}
+	*ld.layersDownloaded = true
+
+	ld.tmpFile, err = ioutil.TempFile("", "GetImageBlob")
+	if err != nil {
+		layerReader.Close()
+		return nil, 0, err
+	}
+
+	reader := progress.NewProgressReader(ioutils.NewCancelReadCloser(ctx, layerReader), progressOutput, ld.layerSize, ld.ID(), "Downloading")
+	defer reader.Close()
+
+	_, err = io.Copy(ld.tmpFile, reader)
+	if err != nil {
+		ld.Close()
+		return nil, 0, err
+	}
+
+	progress.Update(progressOutput, ld.ID(), "Download complete")
+
+	logrus.Debugf("Downloaded %s to tempfile %s", ld.ID(), ld.tmpFile.Name())
+
+	ld.tmpFile.Seek(0, 0)
+
+	// hand off the temporary file to the download manager, so it will only
+	// be closed once
+	tmpFile := ld.tmpFile
+	ld.tmpFile = nil
+
+	return ioutils.NewReadCloserWrapper(tmpFile, func() error {
+		tmpFile.Close()
+		err := os.RemoveAll(tmpFile.Name())
+		if err != nil {
+			logrus.Errorf("Failed to remove temp file: %s", tmpFile.Name())
+		}
+		return err
+	}), ld.layerSize, nil
+}
+
+func (ld *v1LayerDescriptor) Close() {
+	if ld.tmpFile != nil {
+		ld.tmpFile.Close()
+		if err := os.RemoveAll(ld.tmpFile.Name()); err != nil {
+			logrus.Errorf("Failed to remove temp file: %s", ld.tmpFile.Name())
+		}
+		ld.tmpFile = nil
+	}
+}
+
+func (ld *v1LayerDescriptor) Registered(diffID layer.DiffID) {
+	// Cache mapping from this layer's DiffID to the blobsum
+	ld.v1IDService.Set(ld.v1LayerID, ld.indexName, diffID)
+}
diff --git a/engine/distribution/pull_v2.go b/engine/distribution/pull_v2.go
new file mode 100644
index 00000000..8f05cfa0
--- /dev/null
+++ b/engine/distribution/pull_v2.go
@@ -0,0 +1,976 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/url"
+	"os"
+	"runtime"
+	"strings"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/manifestlist"
+	"github.com/docker/distribution/manifest/schema1"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/image/v1"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/system"
+	refstore "github.com/docker/docker/reference"
+	"github.com/docker/docker/registry"
+	"github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	errRootFSMismatch = errors.New("layers from manifest don't match image configuration")
+	errRootFSInvalid  = errors.New("invalid rootfs in image configuration")
+)
+
+// ImageConfigPullError is an error pulling the image config blob
+// (only applies to schema2).
+type ImageConfigPullError struct {
+	Err error
+}
+
+// Error returns the error string for ImageConfigPullError.
+func (e ImageConfigPullError) Error() string {
+	return "error pulling image configuration: " + e.Err.Error()
+}
+
+type v2Puller struct {
+	V2MetadataService metadata.V2MetadataService
+	endpoint          registry.APIEndpoint
+	config            *ImagePullConfig
+	repoInfo          *registry.RepositoryInfo
+	repo              distribution.Repository
+	// confirmedV2 is set to true if we confirm we're talking to a v2
+	// registry. This is used to limit fallbacks to the v1 protocol.
+	confirmedV2 bool
+}
+
+func (p *v2Puller) Pull(ctx context.Context, ref reference.Named, platform *specs.Platform) (err error) {
+	// TODO(tiborvass): was ReceiveTimeout
+	p.repo, p.confirmedV2, err = NewV2Repository(ctx, p.repoInfo, p.endpoint, p.config.MetaHeaders, p.config.AuthConfig, "pull")
+	if err != nil {
+		logrus.Warnf("Error getting v2 registry: %v", err)
+		return err
+	}
+
+	if err = p.pullV2Repository(ctx, ref, platform); err != nil {
+		if _, ok := err.(fallbackError); ok {
+			return err
+		}
+		if continueOnError(err, p.endpoint.Mirror) {
+			return fallbackError{
+				err:         err,
+				confirmedV2: p.confirmedV2,
+				transportOK: true,
+			}
+		}
+	}
+	return err
+}
+
+func (p *v2Puller) pullV2Repository(ctx context.Context, ref reference.Named, platform *specs.Platform) (err error) {
+	var layersDownloaded bool
+	if !reference.IsNameOnly(ref) {
+		layersDownloaded, err = p.pullV2Tag(ctx, ref, platform)
+		if err != nil {
+			return err
+		}
+	} else {
+		tags, err := p.repo.Tags(ctx).All(ctx)
+		if err != nil {
+			// If this repository doesn't exist on V2, we should
+			// permit a fallback to V1.
+			return allowV1Fallback(err)
+		}
+
+		// The v2 registry knows about this repository, so we will not
+		// allow fallback to the v1 protocol even if we encounter an
+		// error later on.
+		p.confirmedV2 = true
+
+		for _, tag := range tags {
+			tagRef, err := reference.WithTag(ref, tag)
+			if err != nil {
+				return err
+			}
+			pulledNew, err := p.pullV2Tag(ctx, tagRef, platform)
+			if err != nil {
+				// Since this is the pull-all-tags case, don't
+				// allow an error pulling a particular tag to
+				// make the whole pull fall back to v1.
+				if fallbackErr, ok := err.(fallbackError); ok {
+					return fallbackErr.err
+				}
+				return err
+			}
+			// pulledNew is true if either new layers were downloaded OR if existing images were newly tagged
+			// TODO(tiborvass): should we change the name of `layersDownload`? What about message in WriteStatus?
+			layersDownloaded = layersDownloaded || pulledNew
+		}
+	}
+
+	writeStatus(reference.FamiliarString(ref), p.config.ProgressOutput, layersDownloaded)
+
+	return nil
+}
+
+type v2LayerDescriptor struct {
+	digest            digest.Digest
+	diffID            layer.DiffID
+	repoInfo          *registry.RepositoryInfo
+	repo              distribution.Repository
+	V2MetadataService metadata.V2MetadataService
+	tmpFile           *os.File
+	verifier          digest.Verifier
+	src               distribution.Descriptor
+}
+
+func (ld *v2LayerDescriptor) Key() string {
+	return "v2:" + ld.digest.String()
+}
+
+func (ld *v2LayerDescriptor) ID() string {
+	return stringid.TruncateID(ld.digest.String())
+}
+
+func (ld *v2LayerDescriptor) DiffID() (layer.DiffID, error) {
+	if ld.diffID != "" {
+		return ld.diffID, nil
+	}
+	return ld.V2MetadataService.GetDiffID(ld.digest)
+}
+
+func (ld *v2LayerDescriptor) Download(ctx context.Context, progressOutput progress.Output) (io.ReadCloser, int64, error) {
+	logrus.Debugf("pulling blob %q", ld.digest)
+
+	var (
+		err    error
+		offset int64
+	)
+
+	if ld.tmpFile == nil {
+		ld.tmpFile, err = createDownloadFile()
+		if err != nil {
+			return nil, 0, xfer.DoNotRetry{Err: err}
+		}
+	} else {
+		offset, err = ld.tmpFile.Seek(0, os.SEEK_END)
+		if err != nil {
+			logrus.Debugf("error seeking to end of download file: %v", err)
+			offset = 0
+
+			ld.tmpFile.Close()
+			if err := os.Remove(ld.tmpFile.Name()); err != nil {
+				logrus.Errorf("Failed to remove temp file: %s", ld.tmpFile.Name())
+			}
+			ld.tmpFile, err = createDownloadFile()
+			if err != nil {
+				return nil, 0, xfer.DoNotRetry{Err: err}
+			}
+		} else if offset != 0 {
+			logrus.Debugf("attempting to resume download of %q from %d bytes", ld.digest, offset)
+		}
+	}
+
+	tmpFile := ld.tmpFile
+
+	layerDownload, err := ld.open(ctx)
+	if err != nil {
+		logrus.Errorf("Error initiating layer download: %v", err)
+		return nil, 0, retryOnError(err)
+	}
+
+	if offset != 0 {
+		_, err := layerDownload.Seek(offset, os.SEEK_SET)
+		if err != nil {
+			if err := ld.truncateDownloadFile(); err != nil {
+				return nil, 0, xfer.DoNotRetry{Err: err}
+			}
+			return nil, 0, err
+		}
+	}
+	size, err := layerDownload.Seek(0, os.SEEK_END)
+	if err != nil {
+		// Seek failed, perhaps because there was no Content-Length
+		// header. This shouldn't fail the download, because we can
+		// still continue without a progress bar.
+		size = 0
+	} else {
+		if size != 0 && offset > size {
+			logrus.Debug("Partial download is larger than full blob. Starting over")
+			offset = 0
+			if err := ld.truncateDownloadFile(); err != nil {
+				return nil, 0, xfer.DoNotRetry{Err: err}
+			}
+		}
+
+		// Restore the seek offset either at the beginning of the
+		// stream, or just after the last byte we have from previous
+		// attempts.
+		_, err = layerDownload.Seek(offset, os.SEEK_SET)
+		if err != nil {
+			return nil, 0, err
+		}
+	}
+
+	reader := progress.NewProgressReader(ioutils.NewCancelReadCloser(ctx, layerDownload), progressOutput, size-offset, ld.ID(), "Downloading")
+	defer reader.Close()
+
+	if ld.verifier == nil {
+		ld.verifier = ld.digest.Verifier()
+	}
+
+	_, err = io.Copy(tmpFile, io.TeeReader(reader, ld.verifier))
+	if err != nil {
+		if err == transport.ErrWrongCodeForByteRange {
+			if err := ld.truncateDownloadFile(); err != nil {
+				return nil, 0, xfer.DoNotRetry{Err: err}
+			}
+			return nil, 0, err
+		}
+		return nil, 0, retryOnError(err)
+	}
+
+	progress.Update(progressOutput, ld.ID(), "Verifying Checksum")
+
+	if !ld.verifier.Verified() {
+		err = fmt.Errorf("filesystem layer verification failed for digest %s", ld.digest)
+		logrus.Error(err)
+
+		// Allow a retry if this digest verification error happened
+		// after a resumed download.
+		if offset != 0 {
+			if err := ld.truncateDownloadFile(); err != nil {
+				return nil, 0, xfer.DoNotRetry{Err: err}
+			}
+
+			return nil, 0, err
+		}
+		return nil, 0, xfer.DoNotRetry{Err: err}
+	}
+
+	progress.Update(progressOutput, ld.ID(), "Download complete")
+
+	logrus.Debugf("Downloaded %s to tempfile %s", ld.ID(), tmpFile.Name())
+
+	_, err = tmpFile.Seek(0, os.SEEK_SET)
+	if err != nil {
+		tmpFile.Close()
+		if err := os.Remove(tmpFile.Name()); err != nil {
+			logrus.Errorf("Failed to remove temp file: %s", tmpFile.Name())
+		}
+		ld.tmpFile = nil
+		ld.verifier = nil
+		return nil, 0, xfer.DoNotRetry{Err: err}
+	}
+
+	// hand off the temporary file to the download manager, so it will only
+	// be closed once
+	ld.tmpFile = nil
+
+	return ioutils.NewReadCloserWrapper(tmpFile, func() error {
+		tmpFile.Close()
+		err := os.RemoveAll(tmpFile.Name())
+		if err != nil {
+			logrus.Errorf("Failed to remove temp file: %s", tmpFile.Name())
+		}
+		return err
+	}), size, nil
+}
+
+func (ld *v2LayerDescriptor) Close() {
+	if ld.tmpFile != nil {
+		ld.tmpFile.Close()
+		if err := os.RemoveAll(ld.tmpFile.Name()); err != nil {
+			logrus.Errorf("Failed to remove temp file: %s", ld.tmpFile.Name())
+		}
+	}
+}
+
+func (ld *v2LayerDescriptor) truncateDownloadFile() error {
+	// Need a new hash context since we will be redoing the download
+	ld.verifier = nil
+
+	if _, err := ld.tmpFile.Seek(0, os.SEEK_SET); err != nil {
+		logrus.Errorf("error seeking to beginning of download file: %v", err)
+		return err
+	}
+
+	if err := ld.tmpFile.Truncate(0); err != nil {
+		logrus.Errorf("error truncating download file: %v", err)
+		return err
+	}
+
+	return nil
+}
+
+func (ld *v2LayerDescriptor) Registered(diffID layer.DiffID) {
+	// Cache mapping from this layer's DiffID to the blobsum
+	ld.V2MetadataService.Add(diffID, metadata.V2Metadata{Digest: ld.digest, SourceRepository: ld.repoInfo.Name.Name()})
+}
+
+func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform *specs.Platform) (tagUpdated bool, err error) {
+	manSvc, err := p.repo.Manifests(ctx)
+	if err != nil {
+		return false, err
+	}
+
+	var (
+		manifest    distribution.Manifest
+		tagOrDigest string // Used for logging/progress only
+	)
+	if digested, isDigested := ref.(reference.Canonical); isDigested {
+		manifest, err = manSvc.Get(ctx, digested.Digest())
+		if err != nil {
+			return false, err
+		}
+		tagOrDigest = digested.Digest().String()
+	} else if tagged, isTagged := ref.(reference.NamedTagged); isTagged {
+		manifest, err = manSvc.Get(ctx, "", distribution.WithTag(tagged.Tag()))
+		if err != nil {
+			return false, allowV1Fallback(err)
+		}
+		tagOrDigest = tagged.Tag()
+	} else {
+		return false, fmt.Errorf("internal error: reference has neither a tag nor a digest: %s", reference.FamiliarString(ref))
+	}
+
+	if manifest == nil {
+		return false, fmt.Errorf("image manifest does not exist for tag or digest %q", tagOrDigest)
+	}
+
+	if m, ok := manifest.(*schema2.DeserializedManifest); ok {
+		var allowedMediatype bool
+		for _, t := range p.config.Schema2Types {
+			if m.Manifest.Config.MediaType == t {
+				allowedMediatype = true
+				break
+			}
+		}
+		if !allowedMediatype {
+			configClass := mediaTypeClasses[m.Manifest.Config.MediaType]
+			if configClass == "" {
+				configClass = "unknown"
+			}
+			return false, invalidManifestClassError{m.Manifest.Config.MediaType, configClass}
+		}
+	}
+
+	// If manSvc.Get succeeded, we can be confident that the registry on
+	// the other side speaks the v2 protocol.
+	p.confirmedV2 = true
+
+	logrus.Debugf("Pulling ref from V2 registry: %s", reference.FamiliarString(ref))
+	progress.Message(p.config.ProgressOutput, tagOrDigest, "Pulling from "+reference.FamiliarName(p.repo.Named()))
+
+	var (
+		id             digest.Digest
+		manifestDigest digest.Digest
+	)
+
+	switch v := manifest.(type) {
+	case *schema1.SignedManifest:
+		if p.config.RequireSchema2 {
+			return false, fmt.Errorf("invalid manifest: not schema2")
+		}
+		id, manifestDigest, err = p.pullSchema1(ctx, ref, v, platform)
+		if err != nil {
+			return false, err
+		}
+	case *schema2.DeserializedManifest:
+		id, manifestDigest, err = p.pullSchema2(ctx, ref, v, platform)
+		if err != nil {
+			return false, err
+		}
+	case *manifestlist.DeserializedManifestList:
+		id, manifestDigest, err = p.pullManifestList(ctx, ref, v, platform)
+		if err != nil {
+			return false, err
+		}
+	default:
+		return false, invalidManifestFormatError{}
+	}
+
+	progress.Message(p.config.ProgressOutput, "", "Digest: "+manifestDigest.String())
+
+	if p.config.ReferenceStore != nil {
+		oldTagID, err := p.config.ReferenceStore.Get(ref)
+		if err == nil {
+			if oldTagID == id {
+				return false, addDigestReference(p.config.ReferenceStore, ref, manifestDigest, id)
+			}
+		} else if err != refstore.ErrDoesNotExist {
+			return false, err
+		}
+
+		if canonical, ok := ref.(reference.Canonical); ok {
+			if err = p.config.ReferenceStore.AddDigest(canonical, id, true); err != nil {
+				return false, err
+			}
+		} else {
+			if err = addDigestReference(p.config.ReferenceStore, ref, manifestDigest, id); err != nil {
+				return false, err
+			}
+			if err = p.config.ReferenceStore.AddTag(ref, id, true); err != nil {
+				return false, err
+			}
+		}
+	}
+	return true, nil
+}
+
+func (p *v2Puller) pullSchema1(ctx context.Context, ref reference.Reference, unverifiedManifest *schema1.SignedManifest, platform *specs.Platform) (id digest.Digest, manifestDigest digest.Digest, err error) {
+	var verifiedManifest *schema1.Manifest
+	verifiedManifest, err = verifySchema1Manifest(unverifiedManifest, ref)
+	if err != nil {
+		return "", "", err
+	}
+
+	rootFS := image.NewRootFS()
+
+	// remove duplicate layers and check parent chain validity
+	err = fixManifestLayers(verifiedManifest)
+	if err != nil {
+		return "", "", err
+	}
+
+	var descriptors []xfer.DownloadDescriptor
+
+	// Image history converted to the new format
+	var history []image.History
+
+	// Note that the order of this loop is in the direction of bottom-most
+	// to top-most, so that the downloads slice gets ordered correctly.
+	for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
+		blobSum := verifiedManifest.FSLayers[i].BlobSum
+
+		var throwAway struct {
+			ThrowAway bool `json:"throwaway,omitempty"`
+		}
+		if err := json.Unmarshal([]byte(verifiedManifest.History[i].V1Compatibility), &throwAway); err != nil {
+			return "", "", err
+		}
+
+		h, err := v1.HistoryFromConfig([]byte(verifiedManifest.History[i].V1Compatibility), throwAway.ThrowAway)
+		if err != nil {
+			return "", "", err
+		}
+		history = append(history, h)
+
+		if throwAway.ThrowAway {
+			continue
+		}
+
+		layerDescriptor := &v2LayerDescriptor{
+			digest:            blobSum,
+			repoInfo:          p.repoInfo,
+			repo:              p.repo,
+			V2MetadataService: p.V2MetadataService,
+		}
+
+		descriptors = append(descriptors, layerDescriptor)
+	}
+
+	// The v1 manifest itself doesn't directly contain an OS. However,
+	// the history does, but unfortunately that's a string, so search through
+	// all the history until hopefully we find one which indicates the OS.
+	// supertest2014/nyan is an example of a registry image with schemav1.
+	configOS := runtime.GOOS
+	if system.LCOWSupported() {
+		type config struct {
+			Os string `json:"os,omitempty"`
+		}
+		for _, v := range verifiedManifest.History {
+			var c config
+			if err := json.Unmarshal([]byte(v.V1Compatibility), &c); err == nil {
+				if c.Os != "" {
+					configOS = c.Os
+					break
+				}
+			}
+		}
+	}
+
+	// In the situation that the API call didn't specify an OS explicitly, but
+	// we support the operating system, switch to that operating system.
+	// eg FROM supertest2014/nyan with no platform specifier, and docker build
+	// with no --platform= flag under LCOW.
+	requestedOS := ""
+	if platform != nil {
+		requestedOS = platform.OS
+	} else if system.IsOSSupported(configOS) {
+		requestedOS = configOS
+	}
+
+	// Early bath if the requested OS doesn't match that of the configuration.
+	// This avoids doing the download, only to potentially fail later.
+	if !strings.EqualFold(configOS, requestedOS) {
+		return "", "", fmt.Errorf("cannot download image with operating system %q when requesting %q", configOS, requestedOS)
+	}
+
+	resultRootFS, release, err := p.config.DownloadManager.Download(ctx, *rootFS, configOS, descriptors, p.config.ProgressOutput)
+	if err != nil {
+		return "", "", err
+	}
+	defer release()
+
+	config, err := v1.MakeConfigFromV1Config([]byte(verifiedManifest.History[0].V1Compatibility), &resultRootFS, history)
+	if err != nil {
+		return "", "", err
+	}
+
+	imageID, err := p.config.ImageStore.Put(config)
+	if err != nil {
+		return "", "", err
+	}
+
+	manifestDigest = digest.FromBytes(unverifiedManifest.Canonical)
+
+	return imageID, manifestDigest, nil
+}
+
+func (p *v2Puller) pullSchema2(ctx context.Context, ref reference.Named, mfst *schema2.DeserializedManifest, platform *specs.Platform) (id digest.Digest, manifestDigest digest.Digest, err error) {
+	manifestDigest, err = schema2ManifestDigest(ref, mfst)
+	if err != nil {
+		return "", "", err
+	}
+
+	target := mfst.Target()
+	if _, err := p.config.ImageStore.Get(target.Digest); err == nil {
+		// If the image already exists locally, no need to pull
+		// anything.
+		return target.Digest, manifestDigest, nil
+	}
+
+	var descriptors []xfer.DownloadDescriptor
+
+	// Note that the order of this loop is in the direction of bottom-most
+	// to top-most, so that the downloads slice gets ordered correctly.
+	for _, d := range mfst.Layers {
+		layerDescriptor := &v2LayerDescriptor{
+			digest:            d.Digest,
+			repo:              p.repo,
+			repoInfo:          p.repoInfo,
+			V2MetadataService: p.V2MetadataService,
+			src:               d,
+		}
+
+		descriptors = append(descriptors, layerDescriptor)
+	}
+
+	configChan := make(chan []byte, 1)
+	configErrChan := make(chan error, 1)
+	layerErrChan := make(chan error, 1)
+	downloadsDone := make(chan struct{})
+	var cancel func()
+	ctx, cancel = context.WithCancel(ctx)
+	defer cancel()
+
+	// Pull the image config
+	go func() {
+		configJSON, err := p.pullSchema2Config(ctx, target.Digest)
+		if err != nil {
+			configErrChan <- ImageConfigPullError{Err: err}
+			cancel()
+			return
+		}
+		configChan <- configJSON
+	}()
+
+	var (
+		configJSON       []byte          // raw serialized image config
+		downloadedRootFS *image.RootFS   // rootFS from registered layers
+		configRootFS     *image.RootFS   // rootFS from configuration
+		release          func()          // release resources from rootFS download
+		configPlatform   *specs.Platform // for LCOW when registering downloaded layers
+	)
+
+	layerStoreOS := runtime.GOOS
+	if platform != nil {
+		layerStoreOS = platform.OS
+	}
+
+	// https://github.com/docker/docker/issues/24766 - Err on the side of caution,
+	// explicitly blocking images intended for linux from the Windows daemon. On
+	// Windows, we do this before the attempt to download, effectively serialising
+	// the download slightly slowing it down. We have to do it this way, as
+	// chances are the download of layers itself would fail due to file names
+	// which aren't suitable for NTFS. At some point in the future, if a similar
+	// check to block Windows images being pulled on Linux is implemented, it
+	// may be necessary to perform the same type of serialisation.
+	if runtime.GOOS == "windows" {
+		configJSON, configRootFS, configPlatform, err = receiveConfig(p.config.ImageStore, configChan, configErrChan)
+		if err != nil {
+			return "", "", err
+		}
+		if configRootFS == nil {
+			return "", "", errRootFSInvalid
+		}
+		if err := checkImageCompatibility(configPlatform.OS, configPlatform.OSVersion); err != nil {
+			return "", "", err
+		}
+
+		if len(descriptors) != len(configRootFS.DiffIDs) {
+			return "", "", errRootFSMismatch
+		}
+		if platform == nil {
+			// Early bath if the requested OS doesn't match that of the configuration.
+			// This avoids doing the download, only to potentially fail later.
+			if !system.IsOSSupported(configPlatform.OS) {
+				return "", "", fmt.Errorf("cannot download image with operating system %q when requesting %q", configPlatform.OS, layerStoreOS)
+			}
+			layerStoreOS = configPlatform.OS
+		}
+
+		// Populate diff ids in descriptors to avoid downloading foreign layers
+		// which have been side loaded
+		for i := range descriptors {
+			descriptors[i].(*v2LayerDescriptor).diffID = configRootFS.DiffIDs[i]
+		}
+	}
+
+	if p.config.DownloadManager != nil {
+		go func() {
+			var (
+				err    error
+				rootFS image.RootFS
+			)
+			downloadRootFS := *image.NewRootFS()
+			rootFS, release, err = p.config.DownloadManager.Download(ctx, downloadRootFS, layerStoreOS, descriptors, p.config.ProgressOutput)
+			if err != nil {
+				// Intentionally do not cancel the config download here
+				// as the error from config download (if there is one)
+				// is more interesting than the layer download error
+				layerErrChan <- err
+				return
+			}
+
+			downloadedRootFS = &rootFS
+			close(downloadsDone)
+		}()
+	} else {
+		// We have nothing to download
+		close(downloadsDone)
+	}
+
+	if configJSON == nil {
+		configJSON, configRootFS, _, err = receiveConfig(p.config.ImageStore, configChan, configErrChan)
+		if err == nil && configRootFS == nil {
+			err = errRootFSInvalid
+		}
+		if err != nil {
+			cancel()
+			select {
+			case <-downloadsDone:
+			case <-layerErrChan:
+			}
+			return "", "", err
+		}
+	}
+
+	select {
+	case <-downloadsDone:
+	case err = <-layerErrChan:
+		return "", "", err
+	}
+
+	if release != nil {
+		defer release()
+	}
+
+	if downloadedRootFS != nil {
+		// The DiffIDs returned in rootFS MUST match those in the config.
+		// Otherwise the image config could be referencing layers that aren't
+		// included in the manifest.
+		if len(downloadedRootFS.DiffIDs) != len(configRootFS.DiffIDs) {
+			return "", "", errRootFSMismatch
+		}
+
+		for i := range downloadedRootFS.DiffIDs {
+			if downloadedRootFS.DiffIDs[i] != configRootFS.DiffIDs[i] {
+				return "", "", errRootFSMismatch
+			}
+		}
+	}
+
+	imageID, err := p.config.ImageStore.Put(configJSON)
+	if err != nil {
+		return "", "", err
+	}
+
+	return imageID, manifestDigest, nil
+}
+
+func receiveConfig(s ImageConfigStore, configChan <-chan []byte, errChan <-chan error) ([]byte, *image.RootFS, *specs.Platform, error) {
+	select {
+	case configJSON := <-configChan:
+		rootfs, err := s.RootFSFromConfig(configJSON)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+		platform, err := s.PlatformFromConfig(configJSON)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+		return configJSON, rootfs, platform, nil
+	case err := <-errChan:
+		return nil, nil, nil, err
+		// Don't need a case for ctx.Done in the select because cancellation
+		// will trigger an error in p.pullSchema2ImageConfig.
+	}
+}
+
+// pullManifestList handles "manifest lists" which point to various
+// platform-specific manifests.
+func (p *v2Puller) pullManifestList(ctx context.Context, ref reference.Named, mfstList *manifestlist.DeserializedManifestList, pp *specs.Platform) (id digest.Digest, manifestListDigest digest.Digest, err error) {
+	manifestListDigest, err = schema2ManifestDigest(ref, mfstList)
+	if err != nil {
+		return "", "", err
+	}
+
+	var platform specs.Platform
+	if pp != nil {
+		platform = *pp
+	}
+	logrus.Debugf("%s resolved to a manifestList object with %d entries; looking for a %s/%s match", ref, len(mfstList.Manifests), platforms.Format(platform), runtime.GOARCH)
+
+	manifestMatches := filterManifests(mfstList.Manifests, platform)
+
+	if len(manifestMatches) == 0 {
+		errMsg := fmt.Sprintf("no matching manifest for %s in the manifest list entries", platforms.Format(platform))
+		logrus.Debugf(errMsg)
+		return "", "", errors.New(errMsg)
+	}
+
+	if len(manifestMatches) > 1 {
+		logrus.Debugf("found multiple matches in manifest list, choosing best match %s", manifestMatches[0].Digest.String())
+	}
+	manifestDigest := manifestMatches[0].Digest
+
+	if err := checkImageCompatibility(manifestMatches[0].Platform.OS, manifestMatches[0].Platform.OSVersion); err != nil {
+		return "", "", err
+	}
+
+	manSvc, err := p.repo.Manifests(ctx)
+	if err != nil {
+		return "", "", err
+	}
+
+	manifest, err := manSvc.Get(ctx, manifestDigest)
+	if err != nil {
+		return "", "", err
+	}
+
+	manifestRef, err := reference.WithDigest(reference.TrimNamed(ref), manifestDigest)
+	if err != nil {
+		return "", "", err
+	}
+
+	switch v := manifest.(type) {
+	case *schema1.SignedManifest:
+		platform := toOCIPlatform(manifestMatches[0].Platform)
+		id, _, err = p.pullSchema1(ctx, manifestRef, v, &platform)
+		if err != nil {
+			return "", "", err
+		}
+	case *schema2.DeserializedManifest:
+		platform := toOCIPlatform(manifestMatches[0].Platform)
+		id, _, err = p.pullSchema2(ctx, manifestRef, v, &platform)
+		if err != nil {
+			return "", "", err
+		}
+	default:
+		return "", "", errors.New("unsupported manifest format")
+	}
+
+	return id, manifestListDigest, err
+}
+
+func (p *v2Puller) pullSchema2Config(ctx context.Context, dgst digest.Digest) (configJSON []byte, err error) {
+	blobs := p.repo.Blobs(ctx)
+	configJSON, err = blobs.Get(ctx, dgst)
+	if err != nil {
+		return nil, err
+	}
+
+	// Verify image config digest
+	verifier := dgst.Verifier()
+	if _, err := verifier.Write(configJSON); err != nil {
+		return nil, err
+	}
+	if !verifier.Verified() {
+		err := fmt.Errorf("image config verification failed for digest %s", dgst)
+		logrus.Error(err)
+		return nil, err
+	}
+
+	return configJSON, nil
+}
+
+// schema2ManifestDigest computes the manifest digest, and, if pulling by
+// digest, ensures that it matches the requested digest.
+func schema2ManifestDigest(ref reference.Named, mfst distribution.Manifest) (digest.Digest, error) {
+	_, canonical, err := mfst.Payload()
+	if err != nil {
+		return "", err
+	}
+
+	// If pull by digest, then verify the manifest digest.
+	if digested, isDigested := ref.(reference.Canonical); isDigested {
+		verifier := digested.Digest().Verifier()
+		if _, err := verifier.Write(canonical); err != nil {
+			return "", err
+		}
+		if !verifier.Verified() {
+			err := fmt.Errorf("manifest verification failed for digest %s", digested.Digest())
+			logrus.Error(err)
+			return "", err
+		}
+		return digested.Digest(), nil
+	}
+
+	return digest.FromBytes(canonical), nil
+}
+
+// allowV1Fallback checks if the error is a possible reason to fallback to v1
+// (even if confirmedV2 has been set already), and if so, wraps the error in
+// a fallbackError with confirmedV2 set to false. Otherwise, it returns the
+// error unmodified.
+func allowV1Fallback(err error) error {
+	switch v := err.(type) {
+	case errcode.Errors:
+		if len(v) != 0 {
+			if v0, ok := v[0].(errcode.Error); ok && shouldV2Fallback(v0) {
+				return fallbackError{
+					err:         err,
+					confirmedV2: false,
+					transportOK: true,
+				}
+			}
+		}
+	case errcode.Error:
+		if shouldV2Fallback(v) {
+			return fallbackError{
+				err:         err,
+				confirmedV2: false,
+				transportOK: true,
+			}
+		}
+	case *url.Error:
+		if v.Err == auth.ErrNoBasicAuthCredentials {
+			return fallbackError{err: err, confirmedV2: false}
+		}
+	}
+
+	return err
+}
+
+func verifySchema1Manifest(signedManifest *schema1.SignedManifest, ref reference.Reference) (m *schema1.Manifest, err error) {
+	// If pull by digest, then verify the manifest digest. NOTE: It is
+	// important to do this first, before any other content validation. If the
+	// digest cannot be verified, don't even bother with those other things.
+	if digested, isCanonical := ref.(reference.Canonical); isCanonical {
+		verifier := digested.Digest().Verifier()
+		if _, err := verifier.Write(signedManifest.Canonical); err != nil {
+			return nil, err
+		}
+		if !verifier.Verified() {
+			err := fmt.Errorf("image verification failed for digest %s", digested.Digest())
+			logrus.Error(err)
+			return nil, err
+		}
+	}
+	m = &signedManifest.Manifest
+
+	if m.SchemaVersion != 1 {
+		return nil, fmt.Errorf("unsupported schema version %d for %q", m.SchemaVersion, reference.FamiliarString(ref))
+	}
+	if len(m.FSLayers) != len(m.History) {
+		return nil, fmt.Errorf("length of history not equal to number of layers for %q", reference.FamiliarString(ref))
+	}
+	if len(m.FSLayers) == 0 {
+		return nil, fmt.Errorf("no FSLayers in manifest for %q", reference.FamiliarString(ref))
+	}
+	return m, nil
+}
+
+// fixManifestLayers removes repeated layers from the manifest and checks the
+// correctness of the parent chain.
+func fixManifestLayers(m *schema1.Manifest) error {
+	imgs := make([]*image.V1Image, len(m.FSLayers))
+	for i := range m.FSLayers {
+		img := &image.V1Image{}
+
+		if err := json.Unmarshal([]byte(m.History[i].V1Compatibility), img); err != nil {
+			return err
+		}
+
+		imgs[i] = img
+		if err := v1.ValidateID(img.ID); err != nil {
+			return err
+		}
+	}
+
+	if imgs[len(imgs)-1].Parent != "" && runtime.GOOS != "windows" {
+		// Windows base layer can point to a base layer parent that is not in manifest.
+		return errors.New("invalid parent ID in the base layer of the image")
+	}
+
+	// check general duplicates to error instead of a deadlock
+	idmap := make(map[string]struct{})
+
+	var lastID string
+	for _, img := range imgs {
+		// skip IDs that appear after each other, we handle those later
+		if _, exists := idmap[img.ID]; img.ID != lastID && exists {
+			return fmt.Errorf("ID %+v appears multiple times in manifest", img.ID)
+		}
+		lastID = img.ID
+		idmap[lastID] = struct{}{}
+	}
+
+	// backwards loop so that we keep the remaining indexes after removing items
+	for i := len(imgs) - 2; i >= 0; i-- {
+		if imgs[i].ID == imgs[i+1].ID { // repeated ID. remove and continue
+			m.FSLayers = append(m.FSLayers[:i], m.FSLayers[i+1:]...)
+			m.History = append(m.History[:i], m.History[i+1:]...)
+		} else if imgs[i].Parent != imgs[i+1].ID {
+			return fmt.Errorf("invalid parent ID. Expected %v, got %v", imgs[i+1].ID, imgs[i].Parent)
+		}
+	}
+
+	return nil
+}
+
+func createDownloadFile() (*os.File, error) {
+	return ioutil.TempFile("", "GetImageBlob")
+}
+
+func toOCIPlatform(p manifestlist.PlatformSpec) specs.Platform {
+	return specs.Platform{
+		OS:           p.OS,
+		Architecture: p.Architecture,
+		Variant:      p.Variant,
+		OSFeatures:   p.OSFeatures,
+		OSVersion:    p.OSVersion,
+	}
+}
diff --git a/engine/distribution/pull_v2_test.go b/engine/distribution/pull_v2_test.go
new file mode 100644
index 00000000..ca3470c8
--- /dev/null
+++ b/engine/distribution/pull_v2_test.go
@@ -0,0 +1,184 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"reflect"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/docker/distribution/manifest/schema1"
+	"github.com/docker/distribution/reference"
+	"github.com/opencontainers/go-digest"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+// TestFixManifestLayers checks that fixManifestLayers removes a duplicate
+// layer, and that it makes no changes to the manifest when called a second
+// time, after the duplicate is removed.
+func TestFixManifestLayers(t *testing.T) {
+	duplicateLayerManifest := schema1.Manifest{
+		FSLayers: []schema1.FSLayer{
+			{BlobSum: digest.Digest("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")},
+			{BlobSum: digest.Digest("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")},
+			{BlobSum: digest.Digest("sha256:86e0e091d0da6bde2456dbb48306f3956bbeb2eae1b5b9a43045843f69fe4aaa")},
+		},
+		History: []schema1.History{
+			{V1Compatibility: "{\"id\":\"3b38edc92eb7c074812e217b41a6ade66888531009d6286a6f5f36a06f9841b9\",\"parent\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"created\":\"2015-08-19T16:49:11.368300679Z\",\"container\":\"d91be3479d5b1e84b0c00d18eea9dc777ca0ad166d51174b24283e2e6f104253\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ENTRYPOINT [\\\"/go/bin/dnsdock\\\"]\"],\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":null,\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"},
+			{V1Compatibility: "{\"id\":\"3b38edc92eb7c074812e217b41a6ade66888531009d6286a6f5f36a06f9841b9\",\"parent\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"created\":\"2015-08-19T16:49:11.368300679Z\",\"container\":\"d91be3479d5b1e84b0c00d18eea9dc777ca0ad166d51174b24283e2e6f104253\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ENTRYPOINT [\\\"/go/bin/dnsdock\\\"]\"],\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":null,\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"},
+			{V1Compatibility: "{\"id\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"created\":\"2015-08-19T16:49:07.568027497Z\",\"container\":\"fe9e5a5264a843c9292d17b736c92dd19bdb49986a8782d7389964ddaff887cc\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"cd /go/src/github.com/tonistiigi/dnsdock \\u0026\\u0026     go get -v github.com/tools/godep \\u0026\\u0026     godep restore \\u0026\\u0026     go install -ldflags \\\"-X main.version `git describe --tags HEAD``if [[ -n $(command git status --porcelain --untracked-files=no 2\\u003e/dev/null) ]]; then echo \\\"-dirty\\\"; fi`\\\" ./...\"],\"Image\":\"e3b0ff09e647595dafee15c54cd632c900df9e82b1d4d313b1e20639a1461779\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/bash\"],\"Image\":\"e3b0ff09e647595dafee15c54cd632c900df9e82b1d4d313b1e20639a1461779\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":118430532}\n"},
+		},
+	}
+
+	duplicateLayerManifestExpectedOutput := schema1.Manifest{
+		FSLayers: []schema1.FSLayer{
+			{BlobSum: digest.Digest("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")},
+			{BlobSum: digest.Digest("sha256:86e0e091d0da6bde2456dbb48306f3956bbeb2eae1b5b9a43045843f69fe4aaa")},
+		},
+		History: []schema1.History{
+			{V1Compatibility: "{\"id\":\"3b38edc92eb7c074812e217b41a6ade66888531009d6286a6f5f36a06f9841b9\",\"parent\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"created\":\"2015-08-19T16:49:11.368300679Z\",\"container\":\"d91be3479d5b1e84b0c00d18eea9dc777ca0ad166d51174b24283e2e6f104253\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ENTRYPOINT [\\\"/go/bin/dnsdock\\\"]\"],\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":null,\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"},
+			{V1Compatibility: "{\"id\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"created\":\"2015-08-19T16:49:07.568027497Z\",\"container\":\"fe9e5a5264a843c9292d17b736c92dd19bdb49986a8782d7389964ddaff887cc\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"cd /go/src/github.com/tonistiigi/dnsdock \\u0026\\u0026     go get -v github.com/tools/godep \\u0026\\u0026     godep restore \\u0026\\u0026     go install -ldflags \\\"-X main.version `git describe --tags HEAD``if [[ -n $(command git status --porcelain --untracked-files=no 2\\u003e/dev/null) ]]; then echo \\\"-dirty\\\"; fi`\\\" ./...\"],\"Image\":\"e3b0ff09e647595dafee15c54cd632c900df9e82b1d4d313b1e20639a1461779\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/bash\"],\"Image\":\"e3b0ff09e647595dafee15c54cd632c900df9e82b1d4d313b1e20639a1461779\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":118430532}\n"},
+		},
+	}
+
+	if err := fixManifestLayers(&duplicateLayerManifest); err != nil {
+		t.Fatalf("unexpected error from fixManifestLayers: %v", err)
+	}
+
+	if !reflect.DeepEqual(duplicateLayerManifest, duplicateLayerManifestExpectedOutput) {
+		t.Fatal("incorrect output from fixManifestLayers on duplicate layer manifest")
+	}
+
+	// Run fixManifestLayers again and confirm that it doesn't change the
+	// manifest (which no longer has duplicate layers).
+	if err := fixManifestLayers(&duplicateLayerManifest); err != nil {
+		t.Fatalf("unexpected error from fixManifestLayers: %v", err)
+	}
+
+	if !reflect.DeepEqual(duplicateLayerManifest, duplicateLayerManifestExpectedOutput) {
+		t.Fatal("incorrect output from fixManifestLayers on duplicate layer manifest (second pass)")
+	}
+}
+
+// TestFixManifestLayersBaseLayerParent makes sure that fixManifestLayers fails
+// if the base layer configuration specifies a parent.
+func TestFixManifestLayersBaseLayerParent(t *testing.T) {
+	// TODO Windows: Fix this unit text
+	if runtime.GOOS == "windows" {
+		t.Skip("Needs fixing on Windows")
+	}
+	duplicateLayerManifest := schema1.Manifest{
+		FSLayers: []schema1.FSLayer{
+			{BlobSum: digest.Digest("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")},
+			{BlobSum: digest.Digest("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")},
+			{BlobSum: digest.Digest("sha256:86e0e091d0da6bde2456dbb48306f3956bbeb2eae1b5b9a43045843f69fe4aaa")},
+		},
+		History: []schema1.History{
+			{V1Compatibility: "{\"id\":\"3b38edc92eb7c074812e217b41a6ade66888531009d6286a6f5f36a06f9841b9\",\"parent\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"created\":\"2015-08-19T16:49:11.368300679Z\",\"container\":\"d91be3479d5b1e84b0c00d18eea9dc777ca0ad166d51174b24283e2e6f104253\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ENTRYPOINT [\\\"/go/bin/dnsdock\\\"]\"],\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":null,\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"},
+			{V1Compatibility: "{\"id\":\"3b38edc92eb7c074812e217b41a6ade66888531009d6286a6f5f36a06f9841b9\",\"parent\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"created\":\"2015-08-19T16:49:11.368300679Z\",\"container\":\"d91be3479d5b1e84b0c00d18eea9dc777ca0ad166d51174b24283e2e6f104253\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ENTRYPOINT [\\\"/go/bin/dnsdock\\\"]\"],\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":null,\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"},
+			{V1Compatibility: "{\"id\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"parent\":\"e3b0ff09e647595dafee15c54cd632c900df9e82b1d4d313b1e20639a1461779\",\"created\":\"2015-08-19T16:49:07.568027497Z\",\"container\":\"fe9e5a5264a843c9292d17b736c92dd19bdb49986a8782d7389964ddaff887cc\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"cd /go/src/github.com/tonistiigi/dnsdock \\u0026\\u0026     go get -v github.com/tools/godep \\u0026\\u0026     godep restore \\u0026\\u0026     go install -ldflags \\\"-X main.version `git describe --tags HEAD``if [[ -n $(command git status --porcelain --untracked-files=no 2\\u003e/dev/null) ]]; then echo \\\"-dirty\\\"; fi`\\\" ./...\"],\"Image\":\"e3b0ff09e647595dafee15c54cd632c900df9e82b1d4d313b1e20639a1461779\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/bash\"],\"Image\":\"e3b0ff09e647595dafee15c54cd632c900df9e82b1d4d313b1e20639a1461779\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":118430532}\n"},
+		},
+	}
+
+	if err := fixManifestLayers(&duplicateLayerManifest); err == nil || !strings.Contains(err.Error(), "invalid parent ID in the base layer of the image") {
+		t.Fatalf("expected an invalid parent ID error from fixManifestLayers")
+	}
+}
+
+// TestFixManifestLayersBadParent makes sure that fixManifestLayers fails
+// if an image configuration specifies a parent that doesn't directly follow
+// that (deduplicated) image in the image history.
+func TestFixManifestLayersBadParent(t *testing.T) {
+	duplicateLayerManifest := schema1.Manifest{
+		FSLayers: []schema1.FSLayer{
+			{BlobSum: digest.Digest("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")},
+			{BlobSum: digest.Digest("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")},
+			{BlobSum: digest.Digest("sha256:86e0e091d0da6bde2456dbb48306f3956bbeb2eae1b5b9a43045843f69fe4aaa")},
+		},
+		History: []schema1.History{
+			{V1Compatibility: "{\"id\":\"3b38edc92eb7c074812e217b41a6ade66888531009d6286a6f5f36a06f9841b9\",\"parent\":\"ac3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"created\":\"2015-08-19T16:49:11.368300679Z\",\"container\":\"d91be3479d5b1e84b0c00d18eea9dc777ca0ad166d51174b24283e2e6f104253\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ENTRYPOINT [\\\"/go/bin/dnsdock\\\"]\"],\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":null,\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"},
+			{V1Compatibility: "{\"id\":\"3b38edc92eb7c074812e217b41a6ade66888531009d6286a6f5f36a06f9841b9\",\"parent\":\"ac3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"created\":\"2015-08-19T16:49:11.368300679Z\",\"container\":\"d91be3479d5b1e84b0c00d18eea9dc777ca0ad166d51174b24283e2e6f104253\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) ENTRYPOINT [\\\"/go/bin/dnsdock\\\"]\"],\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":null,\"Image\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":[\"/go/bin/dnsdock\"],\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":0}\n"},
+			{V1Compatibility: "{\"id\":\"ec3025ca8cc9bcab039e193e20ec647c2da3c53a74020f2ba611601f9b2c6c02\",\"created\":\"2015-08-19T16:49:07.568027497Z\",\"container\":\"fe9e5a5264a843c9292d17b736c92dd19bdb49986a8782d7389964ddaff887cc\",\"container_config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"cd /go/src/github.com/tonistiigi/dnsdock \\u0026\\u0026     go get -v github.com/tools/godep \\u0026\\u0026     godep restore \\u0026\\u0026     go install -ldflags \\\"-X main.version `git describe --tags HEAD``if [[ -n $(command git status --porcelain --untracked-files=no 2\\u003e/dev/null) ]]; then echo \\\"-dirty\\\"; fi`\\\" ./...\"],\"Image\":\"e3b0ff09e647595dafee15c54cd632c900df9e82b1d4d313b1e20639a1461779\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"docker_version\":\"1.6.2\",\"config\":{\"Hostname\":\"03797203757d\",\"Domainname\":\"\",\"User\":\"\",\"Memory\":0,\"MemorySwap\":0,\"CpuShares\":0,\"Cpuset\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"PortSpecs\":null,\"ExposedPorts\":null,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/go/bin:/usr/src/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"GOLANG_VERSION=1.4.1\",\"GOPATH=/go\"],\"Cmd\":[\"/bin/bash\"],\"Image\":\"e3b0ff09e647595dafee15c54cd632c900df9e82b1d4d313b1e20639a1461779\",\"Volumes\":null,\"WorkingDir\":\"/go\",\"Entrypoint\":null,\"NetworkDisabled\":false,\"MacAddress\":\"\",\"OnBuild\":[],\"Labels\":{}},\"architecture\":\"amd64\",\"os\":\"linux\",\"Size\":118430532}\n"},
+		},
+	}
+
+	err := fixManifestLayers(&duplicateLayerManifest)
+	assert.Check(t, is.ErrorContains(err, "invalid parent ID"))
+}
+
+// TestValidateManifest verifies the validateManifest function
+func TestValidateManifest(t *testing.T) {
+	// TODO Windows: Fix this unit text
+	if runtime.GOOS == "windows" {
+		t.Skip("Needs fixing on Windows")
+	}
+	expectedDigest, err := reference.ParseNormalizedNamed("repo@sha256:02fee8c3220ba806531f606525eceb83f4feb654f62b207191b1c9209188dedd")
+	if err != nil {
+		t.Fatal("could not parse reference")
+	}
+	expectedFSLayer0 := digest.Digest("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")
+
+	// Good manifest
+
+	goodManifestBytes, err := ioutil.ReadFile("fixtures/validate_manifest/good_manifest")
+	if err != nil {
+		t.Fatal("error reading fixture:", err)
+	}
+
+	var goodSignedManifest schema1.SignedManifest
+	err = json.Unmarshal(goodManifestBytes, &goodSignedManifest)
+	if err != nil {
+		t.Fatal("error unmarshaling manifest:", err)
+	}
+
+	verifiedManifest, err := verifySchema1Manifest(&goodSignedManifest, expectedDigest)
+	if err != nil {
+		t.Fatal("validateManifest failed:", err)
+	}
+
+	if verifiedManifest.FSLayers[0].BlobSum != expectedFSLayer0 {
+		t.Fatal("unexpected FSLayer in good manifest")
+	}
+
+	// "Extra data" manifest
+
+	extraDataManifestBytes, err := ioutil.ReadFile("fixtures/validate_manifest/extra_data_manifest")
+	if err != nil {
+		t.Fatal("error reading fixture:", err)
+	}
+
+	var extraDataSignedManifest schema1.SignedManifest
+	err = json.Unmarshal(extraDataManifestBytes, &extraDataSignedManifest)
+	if err != nil {
+		t.Fatal("error unmarshaling manifest:", err)
+	}
+
+	verifiedManifest, err = verifySchema1Manifest(&extraDataSignedManifest, expectedDigest)
+	if err != nil {
+		t.Fatal("validateManifest failed:", err)
+	}
+
+	if verifiedManifest.FSLayers[0].BlobSum != expectedFSLayer0 {
+		t.Fatal("unexpected FSLayer in extra data manifest")
+	}
+
+	// Bad manifest
+
+	badManifestBytes, err := ioutil.ReadFile("fixtures/validate_manifest/bad_manifest")
+	if err != nil {
+		t.Fatal("error reading fixture:", err)
+	}
+
+	var badSignedManifest schema1.SignedManifest
+	err = json.Unmarshal(badManifestBytes, &badSignedManifest)
+	if err != nil {
+		t.Fatal("error unmarshaling manifest:", err)
+	}
+
+	verifiedManifest, err = verifySchema1Manifest(&badSignedManifest, expectedDigest)
+	if err == nil || !strings.HasPrefix(err.Error(), "image verification failed for digest") {
+		t.Fatal("expected validateManifest to fail with digest error")
+	}
+}
diff --git a/engine/distribution/pull_v2_unix.go b/engine/distribution/pull_v2_unix.go
new file mode 100644
index 00000000..adbaf414
--- /dev/null
+++ b/engine/distribution/pull_v2_unix.go
@@ -0,0 +1,60 @@
+// +build !windows
+
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/manifestlist"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/sirupsen/logrus"
+)
+
+func (ld *v2LayerDescriptor) open(ctx context.Context) (distribution.ReadSeekCloser, error) {
+	blobs := ld.repo.Blobs(ctx)
+	return blobs.Open(ctx, ld.digest)
+}
+
+func filterManifests(manifests []manifestlist.ManifestDescriptor, p specs.Platform) []manifestlist.ManifestDescriptor {
+	p = platforms.Normalize(withDefault(p))
+	m := platforms.NewMatcher(p)
+	var matches []manifestlist.ManifestDescriptor
+	for _, desc := range manifests {
+		if m.Match(toOCIPlatform(desc.Platform)) {
+			matches = append(matches, desc)
+			logrus.Debugf("found match for %s with media type %s, digest %s", platforms.Format(p), desc.MediaType, desc.Digest.String())
+		}
+	}
+
+	// deprecated: backwards compatibility with older versions that didn't compare variant
+	if len(matches) == 0 && p.Architecture == "arm" {
+		p = platforms.Normalize(p)
+		for _, desc := range manifests {
+			if desc.Platform.OS == p.OS && desc.Platform.Architecture == p.Architecture {
+				matches = append(matches, desc)
+				logrus.Debugf("found deprecated partial match for %s with media type %s, digest %s", platforms.Format(p), desc.MediaType, desc.Digest.String())
+			}
+		}
+	}
+
+	return matches
+}
+
+// checkImageCompatibility is a Windows-specific function. No-op on Linux
+func checkImageCompatibility(imageOS, imageOSVersion string) error {
+	return nil
+}
+
+func withDefault(p specs.Platform) specs.Platform {
+	def := platforms.DefaultSpec()
+	if p.OS == "" {
+		p.OS = def.OS
+	}
+	if p.Architecture == "" {
+		p.Architecture = def.Architecture
+		p.Variant = def.Variant
+	}
+	return p
+}
diff --git a/engine/distribution/pull_v2_windows.go b/engine/distribution/pull_v2_windows.go
new file mode 100644
index 00000000..1ae167ef
--- /dev/null
+++ b/engine/distribution/pull_v2_windows.go
@@ -0,0 +1,138 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+	"runtime"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/manifestlist"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/pkg/system"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/sirupsen/logrus"
+)
+
+var _ distribution.Describable = &v2LayerDescriptor{}
+
+func (ld *v2LayerDescriptor) Descriptor() distribution.Descriptor {
+	if ld.src.MediaType == schema2.MediaTypeForeignLayer && len(ld.src.URLs) > 0 {
+		return ld.src
+	}
+	return distribution.Descriptor{}
+}
+
+func (ld *v2LayerDescriptor) open(ctx context.Context) (distribution.ReadSeekCloser, error) {
+	blobs := ld.repo.Blobs(ctx)
+	rsc, err := blobs.Open(ctx, ld.digest)
+
+	if len(ld.src.URLs) == 0 {
+		return rsc, err
+	}
+
+	// We're done if the registry has this blob.
+	if err == nil {
+		// Seek does an HTTP GET.  If it succeeds, the blob really is accessible.
+		if _, err = rsc.Seek(0, os.SEEK_SET); err == nil {
+			return rsc, nil
+		}
+		rsc.Close()
+	}
+
+	// Find the first URL that results in a 200 result code.
+	for _, url := range ld.src.URLs {
+		logrus.Debugf("Pulling %v from foreign URL %v", ld.digest, url)
+		rsc = transport.NewHTTPReadSeeker(http.DefaultClient, url, nil)
+
+		// Seek does an HTTP GET.  If it succeeds, the blob really is accessible.
+		_, err = rsc.Seek(0, os.SEEK_SET)
+		if err == nil {
+			break
+		}
+		logrus.Debugf("Download for %v failed: %v", ld.digest, err)
+		rsc.Close()
+		rsc = nil
+	}
+	return rsc, err
+}
+
+func filterManifests(manifests []manifestlist.ManifestDescriptor, p specs.Platform) []manifestlist.ManifestDescriptor {
+	version := system.GetOSVersion()
+	osVersion := fmt.Sprintf("%d.%d.%d", version.MajorVersion, version.MinorVersion, version.Build)
+	logrus.Debugf("will prefer Windows entries with version %s", osVersion)
+
+	var matches []manifestlist.ManifestDescriptor
+	foundWindowsMatch := false
+	for _, manifestDescriptor := range manifests {
+		if (manifestDescriptor.Platform.Architecture == runtime.GOARCH) &&
+			((p.OS != "" && manifestDescriptor.Platform.OS == p.OS) || // Explicit user request for an OS we know we support
+				(p.OS == "" && system.IsOSSupported(manifestDescriptor.Platform.OS))) { // No user requested OS, but one we can support
+			if strings.EqualFold("windows", manifestDescriptor.Platform.OS) {
+				if err := checkImageCompatibility("windows", manifestDescriptor.Platform.OSVersion); err != nil {
+					continue
+				}
+				foundWindowsMatch = true
+			}
+			matches = append(matches, manifestDescriptor)
+			logrus.Debugf("found match %s/%s %s with media type %s, digest %s", manifestDescriptor.Platform.OS, runtime.GOARCH, manifestDescriptor.Platform.OSVersion, manifestDescriptor.MediaType, manifestDescriptor.Digest.String())
+		} else {
+			logrus.Debugf("ignoring %s/%s %s with media type %s, digest %s", manifestDescriptor.Platform.OS, manifestDescriptor.Platform.Architecture, manifestDescriptor.Platform.OSVersion, manifestDescriptor.MediaType, manifestDescriptor.Digest.String())
+		}
+	}
+	if foundWindowsMatch {
+		sort.Stable(manifestsByVersion{osVersion, matches})
+	}
+	return matches
+}
+
+func versionMatch(actual, expected string) bool {
+	// Check whether the version matches up to the build, ignoring UBR
+	return strings.HasPrefix(actual, expected+".")
+}
+
+type manifestsByVersion struct {
+	version string
+	list    []manifestlist.ManifestDescriptor
+}
+
+func (mbv manifestsByVersion) Less(i, j int) bool {
+	// TODO: Split version by parts and compare
+	// TODO: Prefer versions which have a greater version number
+	// Move compatible versions to the top, with no other ordering changes
+	return (strings.EqualFold("windows", mbv.list[i].Platform.OS) && !strings.EqualFold("windows", mbv.list[j].Platform.OS)) ||
+		(versionMatch(mbv.list[i].Platform.OSVersion, mbv.version) && !versionMatch(mbv.list[j].Platform.OSVersion, mbv.version))
+}
+
+func (mbv manifestsByVersion) Len() int {
+	return len(mbv.list)
+}
+
+func (mbv manifestsByVersion) Swap(i, j int) {
+	mbv.list[i], mbv.list[j] = mbv.list[j], mbv.list[i]
+}
+
+// checkImageCompatibility blocks pulling incompatible images based on a later OS build
+// Fixes https://github.com/moby/moby/issues/36184.
+func checkImageCompatibility(imageOS, imageOSVersion string) error {
+	if imageOS == "windows" {
+		hostOSV := system.GetOSVersion()
+		splitImageOSVersion := strings.Split(imageOSVersion, ".") // eg 10.0.16299.nnnn
+		if len(splitImageOSVersion) >= 3 {
+			if imageOSBuild, err := strconv.Atoi(splitImageOSVersion[2]); err == nil {
+				if imageOSBuild > int(hostOSV.Build) {
+					errMsg := fmt.Sprintf("a Windows version %s.%s.%s-based image is incompatible with a %s host", splitImageOSVersion[0], splitImageOSVersion[1], splitImageOSVersion[2], hostOSV.ToString())
+					logrus.Debugf(errMsg)
+					return errors.New(errMsg)
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/engine/distribution/push.go b/engine/distribution/push.go
new file mode 100644
index 00000000..eb3bc559
--- /dev/null
+++ b/engine/distribution/push.go
@@ -0,0 +1,186 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"bufio"
+	"compress/gzip"
+	"context"
+	"fmt"
+	"io"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/registry"
+	"github.com/sirupsen/logrus"
+)
+
+// Pusher is an interface that abstracts pushing for different API versions.
+type Pusher interface {
+	// Push tries to push the image configured at the creation of Pusher.
+	// Push returns an error if any, as well as a boolean that determines whether to retry Push on the next configured endpoint.
+	//
+	// TODO(tiborvass): have Push() take a reference to repository + tag, so that the pusher itself is repository-agnostic.
+	Push(ctx context.Context) error
+}
+
+const compressionBufSize = 32768
+
+// NewPusher creates a new Pusher interface that will push to either a v1 or v2
+// registry. The endpoint argument contains a Version field that determines
+// whether a v1 or v2 pusher will be created. The other parameters are passed
+// through to the underlying pusher implementation for use during the actual
+// push operation.
+func NewPusher(ref reference.Named, endpoint registry.APIEndpoint, repoInfo *registry.RepositoryInfo, imagePushConfig *ImagePushConfig) (Pusher, error) {
+	switch endpoint.Version {
+	case registry.APIVersion2:
+		return &v2Pusher{
+			v2MetadataService: metadata.NewV2MetadataService(imagePushConfig.MetadataStore),
+			ref:               ref,
+			endpoint:          endpoint,
+			repoInfo:          repoInfo,
+			config:            imagePushConfig,
+		}, nil
+	case registry.APIVersion1:
+		return &v1Pusher{
+			v1IDService: metadata.NewV1IDService(imagePushConfig.MetadataStore),
+			ref:         ref,
+			endpoint:    endpoint,
+			repoInfo:    repoInfo,
+			config:      imagePushConfig,
+		}, nil
+	}
+	return nil, fmt.Errorf("unknown version %d for registry %s", endpoint.Version, endpoint.URL)
+}
+
+// Push initiates a push operation on ref.
+// ref is the specific variant of the image to be pushed.
+// If no tag is provided, all tags will be pushed.
+func Push(ctx context.Context, ref reference.Named, imagePushConfig *ImagePushConfig) error {
+	// FIXME: Allow to interrupt current push when new push of same image is done.
+
+	// Resolve the Repository name from fqn to RepositoryInfo
+	repoInfo, err := imagePushConfig.RegistryService.ResolveRepository(ref)
+	if err != nil {
+		return err
+	}
+
+	endpoints, err := imagePushConfig.RegistryService.LookupPushEndpoints(reference.Domain(repoInfo.Name))
+	if err != nil {
+		return err
+	}
+
+	progress.Messagef(imagePushConfig.ProgressOutput, "", "The push refers to repository [%s]", repoInfo.Name.Name())
+
+	associations := imagePushConfig.ReferenceStore.ReferencesByName(repoInfo.Name)
+	if len(associations) == 0 {
+		return fmt.Errorf("An image does not exist locally with the tag: %s", reference.FamiliarName(repoInfo.Name))
+	}
+
+	var (
+		lastErr error
+
+		// confirmedV2 is set to true if a push attempt managed to
+		// confirm that it was talking to a v2 registry. This will
+		// prevent fallback to the v1 protocol.
+		confirmedV2 bool
+
+		// confirmedTLSRegistries is a map indicating which registries
+		// are known to be using TLS. There should never be a plaintext
+		// retry for any of these.
+		confirmedTLSRegistries = make(map[string]struct{})
+	)
+
+	for _, endpoint := range endpoints {
+		if imagePushConfig.RequireSchema2 && endpoint.Version == registry.APIVersion1 {
+			continue
+		}
+		if confirmedV2 && endpoint.Version == registry.APIVersion1 {
+			logrus.Debugf("Skipping v1 endpoint %s because v2 registry was detected", endpoint.URL)
+			continue
+		}
+
+		if endpoint.URL.Scheme != "https" {
+			if _, confirmedTLS := confirmedTLSRegistries[endpoint.URL.Host]; confirmedTLS {
+				logrus.Debugf("Skipping non-TLS endpoint %s for host/port that appears to use TLS", endpoint.URL)
+				continue
+			}
+		}
+
+		logrus.Debugf("Trying to push %s to %s %s", repoInfo.Name.Name(), endpoint.URL, endpoint.Version)
+
+		pusher, err := NewPusher(ref, endpoint, repoInfo, imagePushConfig)
+		if err != nil {
+			lastErr = err
+			continue
+		}
+		if err := pusher.Push(ctx); err != nil {
+			// Was this push cancelled? If so, don't try to fall
+			// back.
+			select {
+			case <-ctx.Done():
+			default:
+				if fallbackErr, ok := err.(fallbackError); ok {
+					confirmedV2 = confirmedV2 || fallbackErr.confirmedV2
+					if fallbackErr.transportOK && endpoint.URL.Scheme == "https" {
+						confirmedTLSRegistries[endpoint.URL.Host] = struct{}{}
+					}
+					err = fallbackErr.err
+					lastErr = err
+					logrus.Infof("Attempting next endpoint for push after error: %v", err)
+					continue
+				}
+			}
+
+			logrus.Errorf("Not continuing with push after error: %v", err)
+			return err
+		}
+
+		imagePushConfig.ImageEventLogger(reference.FamiliarString(ref), reference.FamiliarName(repoInfo.Name), "push")
+		return nil
+	}
+
+	if lastErr == nil {
+		lastErr = fmt.Errorf("no endpoints found for %s", repoInfo.Name.Name())
+	}
+	return lastErr
+}
+
+// compress returns an io.ReadCloser which will supply a compressed version of
+// the provided Reader. The caller must close the ReadCloser after reading the
+// compressed data.
+//
+// Note that this function returns a reader instead of taking a writer as an
+// argument so that it can be used with httpBlobWriter's ReadFrom method.
+// Using httpBlobWriter's Write method would send a PATCH request for every
+// Write call.
+//
+// The second return value is a channel that gets closed when the goroutine
+// is finished. This allows the caller to make sure the goroutine finishes
+// before it releases any resources connected with the reader that was
+// passed in.
+func compress(in io.Reader) (io.ReadCloser, chan struct{}) {
+	compressionDone := make(chan struct{})
+
+	pipeReader, pipeWriter := io.Pipe()
+	// Use a bufio.Writer to avoid excessive chunking in HTTP request.
+	bufWriter := bufio.NewWriterSize(pipeWriter, compressionBufSize)
+	compressor := gzip.NewWriter(bufWriter)
+
+	go func() {
+		_, err := io.Copy(compressor, in)
+		if err == nil {
+			err = compressor.Close()
+		}
+		if err == nil {
+			err = bufWriter.Flush()
+		}
+		if err != nil {
+			pipeWriter.CloseWithError(err)
+		} else {
+			pipeWriter.Close()
+		}
+		close(compressionDone)
+	}()
+
+	return pipeReader, compressionDone
+}
diff --git a/engine/distribution/push_v1.go b/engine/distribution/push_v1.go
new file mode 100644
index 00000000..7bd75e9f
--- /dev/null
+++ b/engine/distribution/push_v1.go
@@ -0,0 +1,457 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/image/v1"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/registry"
+	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+type v1Pusher struct {
+	v1IDService *metadata.V1IDService
+	endpoint    registry.APIEndpoint
+	ref         reference.Named
+	repoInfo    *registry.RepositoryInfo
+	config      *ImagePushConfig
+	session     *registry.Session
+}
+
+func (p *v1Pusher) Push(ctx context.Context) error {
+	tlsConfig, err := p.config.RegistryService.TLSConfig(p.repoInfo.Index.Name)
+	if err != nil {
+		return err
+	}
+	// Adds Docker-specific headers as well as user-specified headers (metaHeaders)
+	tr := transport.NewTransport(
+		// TODO(tiborvass): was NoTimeout
+		registry.NewTransport(tlsConfig),
+		registry.Headers(dockerversion.DockerUserAgent(ctx), p.config.MetaHeaders)...,
+	)
+	client := registry.HTTPClient(tr)
+	v1Endpoint := p.endpoint.ToV1Endpoint(dockerversion.DockerUserAgent(ctx), p.config.MetaHeaders)
+	p.session, err = registry.NewSession(client, p.config.AuthConfig, v1Endpoint)
+	if err != nil {
+		// TODO(dmcgowan): Check if should fallback
+		return fallbackError{err: err}
+	}
+	if err := p.pushRepository(ctx); err != nil {
+		// TODO(dmcgowan): Check if should fallback
+		return err
+	}
+	return nil
+}
+
+// v1Image exposes the configuration, filesystem layer ID, and a v1 ID for an
+// image being pushed to a v1 registry.
+type v1Image interface {
+	Config() []byte
+	Layer() layer.Layer
+	V1ID() string
+}
+
+type v1ImageCommon struct {
+	layer  layer.Layer
+	config []byte
+	v1ID   string
+}
+
+func (common *v1ImageCommon) Config() []byte {
+	return common.config
+}
+
+func (common *v1ImageCommon) V1ID() string {
+	return common.v1ID
+}
+
+func (common *v1ImageCommon) Layer() layer.Layer {
+	return common.layer
+}
+
+// v1TopImage defines a runnable (top layer) image being pushed to a v1
+// registry.
+type v1TopImage struct {
+	v1ImageCommon
+	imageID image.ID
+}
+
+func newV1TopImage(imageID image.ID, img *image.Image, l layer.Layer, parent *v1DependencyImage) (*v1TopImage, error) {
+	v1ID := imageID.Digest().Hex()
+	parentV1ID := ""
+	if parent != nil {
+		parentV1ID = parent.V1ID()
+	}
+
+	config, err := v1.MakeV1ConfigFromConfig(img, v1ID, parentV1ID, false)
+	if err != nil {
+		return nil, err
+	}
+
+	return &v1TopImage{
+		v1ImageCommon: v1ImageCommon{
+			v1ID:   v1ID,
+			config: config,
+			layer:  l,
+		},
+		imageID: imageID,
+	}, nil
+}
+
+// v1DependencyImage defines a dependency layer being pushed to a v1 registry.
+type v1DependencyImage struct {
+	v1ImageCommon
+}
+
+func newV1DependencyImage(l layer.Layer, parent *v1DependencyImage) *v1DependencyImage {
+	v1ID := digest.Digest(l.ChainID()).Hex()
+
+	var config string
+	if parent != nil {
+		config = fmt.Sprintf(`{"id":"%s","parent":"%s"}`, v1ID, parent.V1ID())
+	} else {
+		config = fmt.Sprintf(`{"id":"%s"}`, v1ID)
+	}
+	return &v1DependencyImage{
+		v1ImageCommon: v1ImageCommon{
+			v1ID:   v1ID,
+			config: []byte(config),
+			layer:  l,
+		},
+	}
+}
+
+// Retrieve the all the images to be uploaded in the correct order
+func (p *v1Pusher) getImageList() (imageList []v1Image, tagsByImage map[image.ID][]string, referencedLayers []PushLayer, err error) {
+	tagsByImage = make(map[image.ID][]string)
+
+	// Ignore digest references
+	if _, isCanonical := p.ref.(reference.Canonical); isCanonical {
+		return
+	}
+
+	tagged, isTagged := p.ref.(reference.NamedTagged)
+	if isTagged {
+		// Push a specific tag
+		var imgID image.ID
+		var dgst digest.Digest
+		dgst, err = p.config.ReferenceStore.Get(p.ref)
+		if err != nil {
+			return
+		}
+		imgID = image.IDFromDigest(dgst)
+
+		imageList, err = p.imageListForTag(imgID, nil, &referencedLayers)
+		if err != nil {
+			return
+		}
+
+		tagsByImage[imgID] = []string{tagged.Tag()}
+
+		return
+	}
+
+	imagesSeen := make(map[digest.Digest]struct{})
+	dependenciesSeen := make(map[layer.ChainID]*v1DependencyImage)
+
+	associations := p.config.ReferenceStore.ReferencesByName(p.ref)
+	for _, association := range associations {
+		if tagged, isTagged = association.Ref.(reference.NamedTagged); !isTagged {
+			// Ignore digest references.
+			continue
+		}
+
+		imgID := image.IDFromDigest(association.ID)
+		tagsByImage[imgID] = append(tagsByImage[imgID], tagged.Tag())
+
+		if _, present := imagesSeen[association.ID]; present {
+			// Skip generating image list for already-seen image
+			continue
+		}
+		imagesSeen[association.ID] = struct{}{}
+
+		imageListForThisTag, err := p.imageListForTag(imgID, dependenciesSeen, &referencedLayers)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
+		// append to main image list
+		imageList = append(imageList, imageListForThisTag...)
+	}
+	if len(imageList) == 0 {
+		return nil, nil, nil, fmt.Errorf("No images found for the requested repository / tag")
+	}
+	logrus.Debugf("Image list: %v", imageList)
+	logrus.Debugf("Tags by image: %v", tagsByImage)
+
+	return
+}
+
+func (p *v1Pusher) imageListForTag(imgID image.ID, dependenciesSeen map[layer.ChainID]*v1DependencyImage, referencedLayers *[]PushLayer) (imageListForThisTag []v1Image, err error) {
+	ics, ok := p.config.ImageStore.(*imageConfigStore)
+	if !ok {
+		return nil, fmt.Errorf("only image store images supported for v1 push")
+	}
+	img, err := ics.Store.Get(imgID)
+	if err != nil {
+		return nil, err
+	}
+
+	topLayerID := img.RootFS.ChainID()
+
+	if !system.IsOSSupported(img.OperatingSystem()) {
+		return nil, system.ErrNotSupportedOperatingSystem
+	}
+	pl, err := p.config.LayerStores[img.OperatingSystem()].Get(topLayerID)
+	*referencedLayers = append(*referencedLayers, pl)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get top layer from image: %v", err)
+	}
+
+	// V1 push is deprecated, only support existing layerstore layers
+	lsl, ok := pl.(*storeLayer)
+	if !ok {
+		return nil, fmt.Errorf("only layer store layers supported for v1 push")
+	}
+	l := lsl.Layer
+
+	dependencyImages, parent := generateDependencyImages(l.Parent(), dependenciesSeen)
+
+	topImage, err := newV1TopImage(imgID, img, l, parent)
+	if err != nil {
+		return nil, err
+	}
+
+	imageListForThisTag = append(dependencyImages, topImage)
+
+	return
+}
+
+func generateDependencyImages(l layer.Layer, dependenciesSeen map[layer.ChainID]*v1DependencyImage) (imageListForThisTag []v1Image, parent *v1DependencyImage) {
+	if l == nil {
+		return nil, nil
+	}
+
+	imageListForThisTag, parent = generateDependencyImages(l.Parent(), dependenciesSeen)
+
+	if dependenciesSeen != nil {
+		if dependencyImage, present := dependenciesSeen[l.ChainID()]; present {
+			// This layer is already on the list, we can ignore it
+			// and all its parents.
+			return imageListForThisTag, dependencyImage
+		}
+	}
+
+	dependencyImage := newV1DependencyImage(l, parent)
+	imageListForThisTag = append(imageListForThisTag, dependencyImage)
+
+	if dependenciesSeen != nil {
+		dependenciesSeen[l.ChainID()] = dependencyImage
+	}
+
+	return imageListForThisTag, dependencyImage
+}
+
+// createImageIndex returns an index of an image's layer IDs and tags.
+func createImageIndex(images []v1Image, tags map[image.ID][]string) []*registry.ImgData {
+	var imageIndex []*registry.ImgData
+	for _, img := range images {
+		v1ID := img.V1ID()
+
+		if topImage, isTopImage := img.(*v1TopImage); isTopImage {
+			if tags, hasTags := tags[topImage.imageID]; hasTags {
+				// If an image has tags you must add an entry in the image index
+				// for each tag
+				for _, tag := range tags {
+					imageIndex = append(imageIndex, &registry.ImgData{
+						ID:  v1ID,
+						Tag: tag,
+					})
+				}
+				continue
+			}
+		}
+
+		// If the image does not have a tag it still needs to be sent to the
+		// registry with an empty tag so that it is associated with the repository
+		imageIndex = append(imageIndex, &registry.ImgData{
+			ID:  v1ID,
+			Tag: "",
+		})
+	}
+	return imageIndex
+}
+
+// lookupImageOnEndpoint checks the specified endpoint to see if an image exists
+// and if it is absent then it sends the image id to the channel to be pushed.
+func (p *v1Pusher) lookupImageOnEndpoint(wg *sync.WaitGroup, endpoint string, images chan v1Image, imagesToPush chan string) {
+	defer wg.Done()
+	for image := range images {
+		v1ID := image.V1ID()
+		truncID := stringid.TruncateID(image.Layer().DiffID().String())
+		if err := p.session.LookupRemoteImage(v1ID, endpoint); err != nil {
+			logrus.Errorf("Error in LookupRemoteImage: %s", err)
+			imagesToPush <- v1ID
+			progress.Update(p.config.ProgressOutput, truncID, "Waiting")
+		} else {
+			progress.Update(p.config.ProgressOutput, truncID, "Already exists")
+		}
+	}
+}
+
+func (p *v1Pusher) pushImageToEndpoint(ctx context.Context, endpoint string, imageList []v1Image, tags map[image.ID][]string, repo *registry.RepositoryData) error {
+	workerCount := len(imageList)
+	// start a maximum of 5 workers to check if images exist on the specified endpoint.
+	if workerCount > 5 {
+		workerCount = 5
+	}
+	var (
+		wg           = &sync.WaitGroup{}
+		imageData    = make(chan v1Image, workerCount*2)
+		imagesToPush = make(chan string, workerCount*2)
+		pushes       = make(chan map[string]struct{}, 1)
+	)
+	for i := 0; i < workerCount; i++ {
+		wg.Add(1)
+		go p.lookupImageOnEndpoint(wg, endpoint, imageData, imagesToPush)
+	}
+	// start a go routine that consumes the images to push
+	go func() {
+		shouldPush := make(map[string]struct{})
+		for id := range imagesToPush {
+			shouldPush[id] = struct{}{}
+		}
+		pushes <- shouldPush
+	}()
+	for _, v1Image := range imageList {
+		imageData <- v1Image
+	}
+	// close the channel to notify the workers that there will be no more images to check.
+	close(imageData)
+	wg.Wait()
+	close(imagesToPush)
+	// wait for all the images that require pushes to be collected into a consumable map.
+	shouldPush := <-pushes
+	// finish by pushing any images and tags to the endpoint.  The order that the images are pushed
+	// is very important that is why we are still iterating over the ordered list of imageIDs.
+	for _, img := range imageList {
+		v1ID := img.V1ID()
+		if _, push := shouldPush[v1ID]; push {
+			if _, err := p.pushImage(ctx, img, endpoint); err != nil {
+				// FIXME: Continue on error?
+				return err
+			}
+		}
+		if topImage, isTopImage := img.(*v1TopImage); isTopImage {
+			for _, tag := range tags[topImage.imageID] {
+				progress.Messagef(p.config.ProgressOutput, "", "Pushing tag for rev [%s] on {%s}", stringid.TruncateID(v1ID), endpoint+"repositories/"+reference.Path(p.repoInfo.Name)+"/tags/"+tag)
+				if err := p.session.PushRegistryTag(p.repoInfo.Name, v1ID, tag, endpoint); err != nil {
+					return err
+				}
+			}
+		}
+	}
+	return nil
+}
+
+// pushRepository pushes layers that do not already exist on the registry.
+func (p *v1Pusher) pushRepository(ctx context.Context) error {
+	imgList, tags, referencedLayers, err := p.getImageList()
+	defer func() {
+		for _, l := range referencedLayers {
+			l.Release()
+		}
+	}()
+	if err != nil {
+		return err
+	}
+
+	imageIndex := createImageIndex(imgList, tags)
+	for _, data := range imageIndex {
+		logrus.Debugf("Pushing ID: %s with Tag: %s", data.ID, data.Tag)
+	}
+
+	// Register all the images in a repository with the registry
+	// If an image is not in this list it will not be associated with the repository
+	repoData, err := p.session.PushImageJSONIndex(p.repoInfo.Name, imageIndex, false, nil)
+	if err != nil {
+		return err
+	}
+	// push the repository to each of the endpoints only if it does not exist.
+	for _, endpoint := range repoData.Endpoints {
+		if err := p.pushImageToEndpoint(ctx, endpoint, imgList, tags, repoData); err != nil {
+			return err
+		}
+	}
+	_, err = p.session.PushImageJSONIndex(p.repoInfo.Name, imageIndex, true, repoData.Endpoints)
+	return err
+}
+
+func (p *v1Pusher) pushImage(ctx context.Context, v1Image v1Image, ep string) (checksum string, err error) {
+	l := v1Image.Layer()
+	v1ID := v1Image.V1ID()
+	truncID := stringid.TruncateID(l.DiffID().String())
+
+	jsonRaw := v1Image.Config()
+	progress.Update(p.config.ProgressOutput, truncID, "Pushing")
+
+	// General rule is to use ID for graph accesses and compatibilityID for
+	// calls to session.registry()
+	imgData := &registry.ImgData{
+		ID: v1ID,
+	}
+
+	// Send the json
+	if err := p.session.PushImageJSONRegistry(imgData, jsonRaw, ep); err != nil {
+		if err == registry.ErrAlreadyExists {
+			progress.Update(p.config.ProgressOutput, truncID, "Image already pushed, skipping")
+			return "", nil
+		}
+		return "", err
+	}
+
+	arch, err := l.TarStream()
+	if err != nil {
+		return "", err
+	}
+	defer arch.Close()
+
+	// don't care if this fails; best effort
+	size, _ := l.DiffSize()
+
+	// Send the layer
+	logrus.Debugf("rendered layer for %s of [%d] size", v1ID, size)
+
+	reader := progress.NewProgressReader(ioutils.NewCancelReadCloser(ctx, arch), p.config.ProgressOutput, size, truncID, "Pushing")
+	defer reader.Close()
+
+	checksum, checksumPayload, err := p.session.PushImageLayerRegistry(v1ID, reader, ep, jsonRaw)
+	if err != nil {
+		return "", err
+	}
+	imgData.Checksum = checksum
+	imgData.ChecksumPayload = checksumPayload
+	// Send the checksum
+	if err := p.session.PushImageChecksumRegistry(imgData, ep); err != nil {
+		return "", err
+	}
+
+	if err := p.v1IDService.Set(v1ID, p.repoInfo.Index.Name, l.DiffID()); err != nil {
+		logrus.Warnf("Could not set v1 ID mapping: %v", err)
+	}
+
+	progress.Update(p.config.ProgressOutput, truncID, "Image successfully pushed")
+	return imgData.Checksum, nil
+}
diff --git a/engine/distribution/push_v2.go b/engine/distribution/push_v2.go
new file mode 100644
index 00000000..9dc3e7a2
--- /dev/null
+++ b/engine/distribution/push_v2.go
@@ -0,0 +1,709 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"runtime"
+	"sort"
+	"strings"
+	"sync"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/schema1"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/distribution/registry/client"
+	apitypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/registry"
+	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	smallLayerMaximumSize  = 100 * (1 << 10) // 100KB
+	middleLayerMaximumSize = 10 * (1 << 20)  // 10MB
+)
+
+type v2Pusher struct {
+	v2MetadataService metadata.V2MetadataService
+	ref               reference.Named
+	endpoint          registry.APIEndpoint
+	repoInfo          *registry.RepositoryInfo
+	config            *ImagePushConfig
+	repo              distribution.Repository
+
+	// pushState is state built by the Upload functions.
+	pushState pushState
+}
+
+type pushState struct {
+	sync.Mutex
+	// remoteLayers is the set of layers known to exist on the remote side.
+	// This avoids redundant queries when pushing multiple tags that
+	// involve the same layers. It is also used to fill in digest and size
+	// information when building the manifest.
+	remoteLayers map[layer.DiffID]distribution.Descriptor
+	// confirmedV2 is set to true if we confirm we're talking to a v2
+	// registry. This is used to limit fallbacks to the v1 protocol.
+	confirmedV2 bool
+	hasAuthInfo bool
+}
+
+func (p *v2Pusher) Push(ctx context.Context) (err error) {
+	p.pushState.remoteLayers = make(map[layer.DiffID]distribution.Descriptor)
+
+	p.repo, p.pushState.confirmedV2, err = NewV2Repository(ctx, p.repoInfo, p.endpoint, p.config.MetaHeaders, p.config.AuthConfig, "push", "pull")
+	p.pushState.hasAuthInfo = p.config.AuthConfig.RegistryToken != "" || (p.config.AuthConfig.Username != "" && p.config.AuthConfig.Password != "")
+	if err != nil {
+		logrus.Debugf("Error getting v2 registry: %v", err)
+		return err
+	}
+
+	if err = p.pushV2Repository(ctx); err != nil {
+		if continueOnError(err, p.endpoint.Mirror) {
+			return fallbackError{
+				err:         err,
+				confirmedV2: p.pushState.confirmedV2,
+				transportOK: true,
+			}
+		}
+	}
+	return err
+}
+
+func (p *v2Pusher) pushV2Repository(ctx context.Context) (err error) {
+	if namedTagged, isNamedTagged := p.ref.(reference.NamedTagged); isNamedTagged {
+		imageID, err := p.config.ReferenceStore.Get(p.ref)
+		if err != nil {
+			return fmt.Errorf("tag does not exist: %s", reference.FamiliarString(p.ref))
+		}
+
+		return p.pushV2Tag(ctx, namedTagged, imageID)
+	}
+
+	if !reference.IsNameOnly(p.ref) {
+		return errors.New("cannot push a digest reference")
+	}
+
+	// Pull all tags
+	pushed := 0
+	for _, association := range p.config.ReferenceStore.ReferencesByName(p.ref) {
+		if namedTagged, isNamedTagged := association.Ref.(reference.NamedTagged); isNamedTagged {
+			pushed++
+			if err := p.pushV2Tag(ctx, namedTagged, association.ID); err != nil {
+				return err
+			}
+		}
+	}
+
+	if pushed == 0 {
+		return fmt.Errorf("no tags to push for %s", reference.FamiliarName(p.repoInfo.Name))
+	}
+
+	return nil
+}
+
+func (p *v2Pusher) pushV2Tag(ctx context.Context, ref reference.NamedTagged, id digest.Digest) error {
+	logrus.Debugf("Pushing repository: %s", reference.FamiliarString(ref))
+
+	imgConfig, err := p.config.ImageStore.Get(id)
+	if err != nil {
+		return fmt.Errorf("could not find image from tag %s: %v", reference.FamiliarString(ref), err)
+	}
+
+	rootfs, err := p.config.ImageStore.RootFSFromConfig(imgConfig)
+	if err != nil {
+		return fmt.Errorf("unable to get rootfs for image %s: %s", reference.FamiliarString(ref), err)
+	}
+
+	platform, err := p.config.ImageStore.PlatformFromConfig(imgConfig)
+	if err != nil {
+		return fmt.Errorf("unable to get platform for image %s: %s", reference.FamiliarString(ref), err)
+	}
+
+	l, err := p.config.LayerStores[platform.OS].Get(rootfs.ChainID())
+	if err != nil {
+		return fmt.Errorf("failed to get top layer from image: %v", err)
+	}
+	defer l.Release()
+
+	hmacKey, err := metadata.ComputeV2MetadataHMACKey(p.config.AuthConfig)
+	if err != nil {
+		return fmt.Errorf("failed to compute hmac key of auth config: %v", err)
+	}
+
+	var descriptors []xfer.UploadDescriptor
+
+	descriptorTemplate := v2PushDescriptor{
+		v2MetadataService: p.v2MetadataService,
+		hmacKey:           hmacKey,
+		repoInfo:          p.repoInfo.Name,
+		ref:               p.ref,
+		endpoint:          p.endpoint,
+		repo:              p.repo,
+		pushState:         &p.pushState,
+	}
+
+	// Loop bounds condition is to avoid pushing the base layer on Windows.
+	for range rootfs.DiffIDs {
+		descriptor := descriptorTemplate
+		descriptor.layer = l
+		descriptor.checkedDigests = make(map[digest.Digest]struct{})
+		descriptors = append(descriptors, &descriptor)
+
+		l = l.Parent()
+	}
+
+	if err := p.config.UploadManager.Upload(ctx, descriptors, p.config.ProgressOutput); err != nil {
+		return err
+	}
+
+	// Try schema2 first
+	builder := schema2.NewManifestBuilder(p.repo.Blobs(ctx), p.config.ConfigMediaType, imgConfig)
+	manifest, err := manifestFromBuilder(ctx, builder, descriptors)
+	if err != nil {
+		return err
+	}
+
+	manSvc, err := p.repo.Manifests(ctx)
+	if err != nil {
+		return err
+	}
+
+	putOptions := []distribution.ManifestServiceOption{distribution.WithTag(ref.Tag())}
+	if _, err = manSvc.Put(ctx, manifest, putOptions...); err != nil {
+		if runtime.GOOS == "windows" || p.config.TrustKey == nil || p.config.RequireSchema2 {
+			logrus.Warnf("failed to upload schema2 manifest: %v", err)
+			return err
+		}
+
+		logrus.Warnf("failed to upload schema2 manifest: %v - falling back to schema1", err)
+
+		manifestRef, err := reference.WithTag(p.repo.Named(), ref.Tag())
+		if err != nil {
+			return err
+		}
+		builder = schema1.NewConfigManifestBuilder(p.repo.Blobs(ctx), p.config.TrustKey, manifestRef, imgConfig)
+		manifest, err = manifestFromBuilder(ctx, builder, descriptors)
+		if err != nil {
+			return err
+		}
+
+		if _, err = manSvc.Put(ctx, manifest, putOptions...); err != nil {
+			return err
+		}
+	}
+
+	var canonicalManifest []byte
+
+	switch v := manifest.(type) {
+	case *schema1.SignedManifest:
+		canonicalManifest = v.Canonical
+	case *schema2.DeserializedManifest:
+		_, canonicalManifest, err = v.Payload()
+		if err != nil {
+			return err
+		}
+	}
+
+	manifestDigest := digest.FromBytes(canonicalManifest)
+	progress.Messagef(p.config.ProgressOutput, "", "%s: digest: %s size: %d", ref.Tag(), manifestDigest, len(canonicalManifest))
+
+	if err := addDigestReference(p.config.ReferenceStore, ref, manifestDigest, id); err != nil {
+		return err
+	}
+
+	// Signal digest to the trust client so it can sign the
+	// push, if appropriate.
+	progress.Aux(p.config.ProgressOutput, apitypes.PushResult{Tag: ref.Tag(), Digest: manifestDigest.String(), Size: len(canonicalManifest)})
+
+	return nil
+}
+
+func manifestFromBuilder(ctx context.Context, builder distribution.ManifestBuilder, descriptors []xfer.UploadDescriptor) (distribution.Manifest, error) {
+	// descriptors is in reverse order; iterate backwards to get references
+	// appended in the right order.
+	for i := len(descriptors) - 1; i >= 0; i-- {
+		if err := builder.AppendReference(descriptors[i].(*v2PushDescriptor)); err != nil {
+			return nil, err
+		}
+	}
+
+	return builder.Build(ctx)
+}
+
+type v2PushDescriptor struct {
+	layer             PushLayer
+	v2MetadataService metadata.V2MetadataService
+	hmacKey           []byte
+	repoInfo          reference.Named
+	ref               reference.Named
+	endpoint          registry.APIEndpoint
+	repo              distribution.Repository
+	pushState         *pushState
+	remoteDescriptor  distribution.Descriptor
+	// a set of digests whose presence has been checked in a target repository
+	checkedDigests map[digest.Digest]struct{}
+}
+
+func (pd *v2PushDescriptor) Key() string {
+	return "v2push:" + pd.ref.Name() + " " + pd.layer.DiffID().String()
+}
+
+func (pd *v2PushDescriptor) ID() string {
+	return stringid.TruncateID(pd.layer.DiffID().String())
+}
+
+func (pd *v2PushDescriptor) DiffID() layer.DiffID {
+	return pd.layer.DiffID()
+}
+
+func (pd *v2PushDescriptor) Upload(ctx context.Context, progressOutput progress.Output) (distribution.Descriptor, error) {
+	// Skip foreign layers unless this registry allows nondistributable artifacts.
+	if !pd.endpoint.AllowNondistributableArtifacts {
+		if fs, ok := pd.layer.(distribution.Describable); ok {
+			if d := fs.Descriptor(); len(d.URLs) > 0 {
+				progress.Update(progressOutput, pd.ID(), "Skipped foreign layer")
+				return d, nil
+			}
+		}
+	}
+
+	diffID := pd.DiffID()
+
+	pd.pushState.Lock()
+	if descriptor, ok := pd.pushState.remoteLayers[diffID]; ok {
+		// it is already known that the push is not needed and
+		// therefore doing a stat is unnecessary
+		pd.pushState.Unlock()
+		progress.Update(progressOutput, pd.ID(), "Layer already exists")
+		return descriptor, nil
+	}
+	pd.pushState.Unlock()
+
+	maxMountAttempts, maxExistenceChecks, checkOtherRepositories := getMaxMountAndExistenceCheckAttempts(pd.layer)
+
+	// Do we have any metadata associated with this layer's DiffID?
+	v2Metadata, err := pd.v2MetadataService.GetMetadata(diffID)
+	if err == nil {
+		// check for blob existence in the target repository
+		descriptor, exists, err := pd.layerAlreadyExists(ctx, progressOutput, diffID, true, 1, v2Metadata)
+		if exists || err != nil {
+			return descriptor, err
+		}
+	}
+
+	// if digest was empty or not saved, or if blob does not exist on the remote repository,
+	// then push the blob.
+	bs := pd.repo.Blobs(ctx)
+
+	var layerUpload distribution.BlobWriter
+
+	// Attempt to find another repository in the same registry to mount the layer from to avoid an unnecessary upload
+	candidates := getRepositoryMountCandidates(pd.repoInfo, pd.hmacKey, maxMountAttempts, v2Metadata)
+	isUnauthorizedError := false
+	for _, mountCandidate := range candidates {
+		logrus.Debugf("attempting to mount layer %s (%s) from %s", diffID, mountCandidate.Digest, mountCandidate.SourceRepository)
+		createOpts := []distribution.BlobCreateOption{}
+
+		if len(mountCandidate.SourceRepository) > 0 {
+			namedRef, err := reference.ParseNormalizedNamed(mountCandidate.SourceRepository)
+			if err != nil {
+				logrus.Errorf("failed to parse source repository reference %v: %v", reference.FamiliarString(namedRef), err)
+				pd.v2MetadataService.Remove(mountCandidate)
+				continue
+			}
+
+			// Candidates are always under same domain, create remote reference
+			// with only path to set mount from with
+			remoteRef, err := reference.WithName(reference.Path(namedRef))
+			if err != nil {
+				logrus.Errorf("failed to make remote reference out of %q: %v", reference.Path(namedRef), err)
+				continue
+			}
+
+			canonicalRef, err := reference.WithDigest(reference.TrimNamed(remoteRef), mountCandidate.Digest)
+			if err != nil {
+				logrus.Errorf("failed to make canonical reference: %v", err)
+				continue
+			}
+
+			createOpts = append(createOpts, client.WithMountFrom(canonicalRef))
+		}
+
+		// send the layer
+		lu, err := bs.Create(ctx, createOpts...)
+		switch err := err.(type) {
+		case nil:
+			// noop
+		case distribution.ErrBlobMounted:
+			progress.Updatef(progressOutput, pd.ID(), "Mounted from %s", err.From.Name())
+
+			err.Descriptor.MediaType = schema2.MediaTypeLayer
+
+			pd.pushState.Lock()
+			pd.pushState.confirmedV2 = true
+			pd.pushState.remoteLayers[diffID] = err.Descriptor
+			pd.pushState.Unlock()
+
+			// Cache mapping from this layer's DiffID to the blobsum
+			if err := pd.v2MetadataService.TagAndAdd(diffID, pd.hmacKey, metadata.V2Metadata{
+				Digest:           err.Descriptor.Digest,
+				SourceRepository: pd.repoInfo.Name(),
+			}); err != nil {
+				return distribution.Descriptor{}, xfer.DoNotRetry{Err: err}
+			}
+			return err.Descriptor, nil
+		case errcode.Errors:
+			for _, e := range err {
+				switch e := e.(type) {
+				case errcode.Error:
+					if e.Code == errcode.ErrorCodeUnauthorized {
+						// when unauthorized error that indicate user don't has right to push layer to register
+						logrus.Debugln("failed to push layer to registry because unauthorized error")
+						isUnauthorizedError = true
+					}
+				default:
+				}
+			}
+		default:
+			logrus.Infof("failed to mount layer %s (%s) from %s: %v", diffID, mountCandidate.Digest, mountCandidate.SourceRepository, err)
+		}
+
+		// when error is unauthorizedError and user don't hasAuthInfo that's the case user don't has right to push layer to register
+		// and he hasn't login either, in this case candidate cache should be removed
+		if len(mountCandidate.SourceRepository) > 0 &&
+			!(isUnauthorizedError && !pd.pushState.hasAuthInfo) &&
+			(metadata.CheckV2MetadataHMAC(&mountCandidate, pd.hmacKey) ||
+				len(mountCandidate.HMAC) == 0) {
+			cause := "blob mount failure"
+			if err != nil {
+				cause = fmt.Sprintf("an error: %v", err.Error())
+			}
+			logrus.Debugf("removing association between layer %s and %s due to %s", mountCandidate.Digest, mountCandidate.SourceRepository, cause)
+			pd.v2MetadataService.Remove(mountCandidate)
+		}
+
+		if lu != nil {
+			// cancel previous upload
+			cancelLayerUpload(ctx, mountCandidate.Digest, layerUpload)
+			layerUpload = lu
+		}
+	}
+
+	if maxExistenceChecks-len(pd.checkedDigests) > 0 {
+		// do additional layer existence checks with other known digests if any
+		descriptor, exists, err := pd.layerAlreadyExists(ctx, progressOutput, diffID, checkOtherRepositories, maxExistenceChecks-len(pd.checkedDigests), v2Metadata)
+		if exists || err != nil {
+			return descriptor, err
+		}
+	}
+
+	logrus.Debugf("Pushing layer: %s", diffID)
+	if layerUpload == nil {
+		layerUpload, err = bs.Create(ctx)
+		if err != nil {
+			return distribution.Descriptor{}, retryOnError(err)
+		}
+	}
+	defer layerUpload.Close()
+	// upload the blob
+	return pd.uploadUsingSession(ctx, progressOutput, diffID, layerUpload)
+}
+
+func (pd *v2PushDescriptor) SetRemoteDescriptor(descriptor distribution.Descriptor) {
+	pd.remoteDescriptor = descriptor
+}
+
+func (pd *v2PushDescriptor) Descriptor() distribution.Descriptor {
+	return pd.remoteDescriptor
+}
+
+func (pd *v2PushDescriptor) uploadUsingSession(
+	ctx context.Context,
+	progressOutput progress.Output,
+	diffID layer.DiffID,
+	layerUpload distribution.BlobWriter,
+) (distribution.Descriptor, error) {
+	var reader io.ReadCloser
+
+	contentReader, err := pd.layer.Open()
+	if err != nil {
+		return distribution.Descriptor{}, retryOnError(err)
+	}
+
+	size, _ := pd.layer.Size()
+
+	reader = progress.NewProgressReader(ioutils.NewCancelReadCloser(ctx, contentReader), progressOutput, size, pd.ID(), "Pushing")
+
+	switch m := pd.layer.MediaType(); m {
+	case schema2.MediaTypeUncompressedLayer:
+		compressedReader, compressionDone := compress(reader)
+		defer func(closer io.Closer) {
+			closer.Close()
+			<-compressionDone
+		}(reader)
+		reader = compressedReader
+	case schema2.MediaTypeLayer:
+	default:
+		reader.Close()
+		return distribution.Descriptor{}, fmt.Errorf("unsupported layer media type %s", m)
+	}
+
+	digester := digest.Canonical.Digester()
+	tee := io.TeeReader(reader, digester.Hash())
+
+	nn, err := layerUpload.ReadFrom(tee)
+	reader.Close()
+	if err != nil {
+		return distribution.Descriptor{}, retryOnError(err)
+	}
+
+	pushDigest := digester.Digest()
+	if _, err := layerUpload.Commit(ctx, distribution.Descriptor{Digest: pushDigest}); err != nil {
+		return distribution.Descriptor{}, retryOnError(err)
+	}
+
+	logrus.Debugf("uploaded layer %s (%s), %d bytes", diffID, pushDigest, nn)
+	progress.Update(progressOutput, pd.ID(), "Pushed")
+
+	// Cache mapping from this layer's DiffID to the blobsum
+	if err := pd.v2MetadataService.TagAndAdd(diffID, pd.hmacKey, metadata.V2Metadata{
+		Digest:           pushDigest,
+		SourceRepository: pd.repoInfo.Name(),
+	}); err != nil {
+		return distribution.Descriptor{}, xfer.DoNotRetry{Err: err}
+	}
+
+	desc := distribution.Descriptor{
+		Digest:    pushDigest,
+		MediaType: schema2.MediaTypeLayer,
+		Size:      nn,
+	}
+
+	pd.pushState.Lock()
+	// If Commit succeeded, that's an indication that the remote registry speaks the v2 protocol.
+	pd.pushState.confirmedV2 = true
+	pd.pushState.remoteLayers[diffID] = desc
+	pd.pushState.Unlock()
+
+	return desc, nil
+}
+
+// layerAlreadyExists checks if the registry already knows about any of the metadata passed in the "metadata"
+// slice. If it finds one that the registry knows about, it returns the known digest and "true". If
+// "checkOtherRepositories" is true, stat will be performed also with digests mapped to any other repository
+// (not just the target one).
+func (pd *v2PushDescriptor) layerAlreadyExists(
+	ctx context.Context,
+	progressOutput progress.Output,
+	diffID layer.DiffID,
+	checkOtherRepositories bool,
+	maxExistenceCheckAttempts int,
+	v2Metadata []metadata.V2Metadata,
+) (desc distribution.Descriptor, exists bool, err error) {
+	// filter the metadata
+	candidates := []metadata.V2Metadata{}
+	for _, meta := range v2Metadata {
+		if len(meta.SourceRepository) > 0 && !checkOtherRepositories && meta.SourceRepository != pd.repoInfo.Name() {
+			continue
+		}
+		candidates = append(candidates, meta)
+	}
+	// sort the candidates by similarity
+	sortV2MetadataByLikenessAndAge(pd.repoInfo, pd.hmacKey, candidates)
+
+	digestToMetadata := make(map[digest.Digest]*metadata.V2Metadata)
+	// an array of unique blob digests ordered from the best mount candidates to worst
+	layerDigests := []digest.Digest{}
+	for i := 0; i < len(candidates); i++ {
+		if len(layerDigests) >= maxExistenceCheckAttempts {
+			break
+		}
+		meta := &candidates[i]
+		if _, exists := digestToMetadata[meta.Digest]; exists {
+			// keep reference just to the first mapping (the best mount candidate)
+			continue
+		}
+		if _, exists := pd.checkedDigests[meta.Digest]; exists {
+			// existence of this digest has already been tested
+			continue
+		}
+		digestToMetadata[meta.Digest] = meta
+		layerDigests = append(layerDigests, meta.Digest)
+	}
+
+attempts:
+	for _, dgst := range layerDigests {
+		meta := digestToMetadata[dgst]
+		logrus.Debugf("Checking for presence of layer %s (%s) in %s", diffID, dgst, pd.repoInfo.Name())
+		desc, err = pd.repo.Blobs(ctx).Stat(ctx, dgst)
+		pd.checkedDigests[meta.Digest] = struct{}{}
+		switch err {
+		case nil:
+			if m, ok := digestToMetadata[desc.Digest]; !ok || m.SourceRepository != pd.repoInfo.Name() || !metadata.CheckV2MetadataHMAC(m, pd.hmacKey) {
+				// cache mapping from this layer's DiffID to the blobsum
+				if err := pd.v2MetadataService.TagAndAdd(diffID, pd.hmacKey, metadata.V2Metadata{
+					Digest:           desc.Digest,
+					SourceRepository: pd.repoInfo.Name(),
+				}); err != nil {
+					return distribution.Descriptor{}, false, xfer.DoNotRetry{Err: err}
+				}
+			}
+			desc.MediaType = schema2.MediaTypeLayer
+			exists = true
+			break attempts
+		case distribution.ErrBlobUnknown:
+			if meta.SourceRepository == pd.repoInfo.Name() {
+				// remove the mapping to the target repository
+				pd.v2MetadataService.Remove(*meta)
+			}
+		default:
+			logrus.WithError(err).Debugf("Failed to check for presence of layer %s (%s) in %s", diffID, dgst, pd.repoInfo.Name())
+		}
+	}
+
+	if exists {
+		progress.Update(progressOutput, pd.ID(), "Layer already exists")
+		pd.pushState.Lock()
+		pd.pushState.remoteLayers[diffID] = desc
+		pd.pushState.Unlock()
+	}
+
+	return desc, exists, nil
+}
+
+// getMaxMountAndExistenceCheckAttempts returns a maximum number of cross repository mount attempts from
+// source repositories of target registry, maximum number of layer existence checks performed on the target
+// repository and whether the check shall be done also with digests mapped to different repositories. The
+// decision is based on layer size. The smaller the layer, the fewer attempts shall be made because the cost
+// of upload does not outweigh a latency.
+func getMaxMountAndExistenceCheckAttempts(layer PushLayer) (maxMountAttempts, maxExistenceCheckAttempts int, checkOtherRepositories bool) {
+	size, err := layer.Size()
+	switch {
+	// big blob
+	case size > middleLayerMaximumSize:
+		// 1st attempt to mount the blob few times
+		// 2nd few existence checks with digests associated to any repository
+		// then fallback to upload
+		return 4, 3, true
+
+	// middle sized blobs; if we could not get the size, assume we deal with middle sized blob
+	case size > smallLayerMaximumSize, err != nil:
+		// 1st attempt to mount blobs of average size few times
+		// 2nd try at most 1 existence check if there's an existing mapping to the target repository
+		// then fallback to upload
+		return 3, 1, false
+
+	// small blobs, do a minimum number of checks
+	default:
+		return 1, 1, false
+	}
+}
+
+// getRepositoryMountCandidates returns an array of v2 metadata items belonging to the given registry. The
+// array is sorted from youngest to oldest. If requireRegistryMatch is true, the resulting array will contain
+// only metadata entries having registry part of SourceRepository matching the part of repoInfo.
+func getRepositoryMountCandidates(
+	repoInfo reference.Named,
+	hmacKey []byte,
+	max int,
+	v2Metadata []metadata.V2Metadata,
+) []metadata.V2Metadata {
+	candidates := []metadata.V2Metadata{}
+	for _, meta := range v2Metadata {
+		sourceRepo, err := reference.ParseNamed(meta.SourceRepository)
+		if err != nil || reference.Domain(repoInfo) != reference.Domain(sourceRepo) {
+			continue
+		}
+		// target repository is not a viable candidate
+		if meta.SourceRepository == repoInfo.Name() {
+			continue
+		}
+		candidates = append(candidates, meta)
+	}
+
+	sortV2MetadataByLikenessAndAge(repoInfo, hmacKey, candidates)
+	if max >= 0 && len(candidates) > max {
+		// select the youngest metadata
+		candidates = candidates[:max]
+	}
+
+	return candidates
+}
+
+// byLikeness is a sorting container for v2 metadata candidates for cross repository mount. The
+// candidate "a" is preferred over "b":
+//
+//  1. if it was hashed using the same AuthConfig as the one used to authenticate to target repository and the
+//     "b" was not
+//  2. if a number of its repository path components exactly matching path components of target repository is higher
+type byLikeness struct {
+	arr            []metadata.V2Metadata
+	hmacKey        []byte
+	pathComponents []string
+}
+
+func (bla byLikeness) Less(i, j int) bool {
+	aMacMatch := metadata.CheckV2MetadataHMAC(&bla.arr[i], bla.hmacKey)
+	bMacMatch := metadata.CheckV2MetadataHMAC(&bla.arr[j], bla.hmacKey)
+	if aMacMatch != bMacMatch {
+		return aMacMatch
+	}
+	aMatch := numOfMatchingPathComponents(bla.arr[i].SourceRepository, bla.pathComponents)
+	bMatch := numOfMatchingPathComponents(bla.arr[j].SourceRepository, bla.pathComponents)
+	return aMatch > bMatch
+}
+func (bla byLikeness) Swap(i, j int) {
+	bla.arr[i], bla.arr[j] = bla.arr[j], bla.arr[i]
+}
+func (bla byLikeness) Len() int { return len(bla.arr) }
+
+// nolint: interfacer
+func sortV2MetadataByLikenessAndAge(repoInfo reference.Named, hmacKey []byte, marr []metadata.V2Metadata) {
+	// reverse the metadata array to shift the newest entries to the beginning
+	for i := 0; i < len(marr)/2; i++ {
+		marr[i], marr[len(marr)-i-1] = marr[len(marr)-i-1], marr[i]
+	}
+	// keep equal entries ordered from the youngest to the oldest
+	sort.Stable(byLikeness{
+		arr:            marr,
+		hmacKey:        hmacKey,
+		pathComponents: getPathComponents(repoInfo.Name()),
+	})
+}
+
+// numOfMatchingPathComponents returns a number of path components in "pth" that exactly match "matchComponents".
+func numOfMatchingPathComponents(pth string, matchComponents []string) int {
+	pthComponents := getPathComponents(pth)
+	i := 0
+	for ; i < len(pthComponents) && i < len(matchComponents); i++ {
+		if matchComponents[i] != pthComponents[i] {
+			return i
+		}
+	}
+	return i
+}
+
+func getPathComponents(path string) []string {
+	return strings.Split(path, "/")
+}
+
+func cancelLayerUpload(ctx context.Context, dgst digest.Digest, layerUpload distribution.BlobWriter) {
+	if layerUpload != nil {
+		logrus.Debugf("cancelling upload of blob %s", dgst)
+		err := layerUpload.Cancel(ctx)
+		if err != nil {
+			logrus.Warnf("failed to cancel upload: %v", err)
+		}
+	}
+}
diff --git a/engine/distribution/push_v2_test.go b/engine/distribution/push_v2_test.go
new file mode 100644
index 00000000..436b4a17
--- /dev/null
+++ b/engine/distribution/push_v2_test.go
@@ -0,0 +1,740 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"reflect"
+	"testing"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/progress"
+	refstore "github.com/docker/docker/reference"
+	"github.com/docker/docker/registry"
+	"github.com/opencontainers/go-digest"
+)
+
+func TestGetRepositoryMountCandidates(t *testing.T) {
+	for _, tc := range []struct {
+		name          string
+		hmacKey       string
+		targetRepo    string
+		maxCandidates int
+		metadata      []metadata.V2Metadata
+		candidates    []metadata.V2Metadata
+	}{
+		{
+			name:          "empty metadata",
+			targetRepo:    "busybox",
+			maxCandidates: -1,
+			metadata:      []metadata.V2Metadata{},
+			candidates:    []metadata.V2Metadata{},
+		},
+		{
+			name:          "one item not matching",
+			targetRepo:    "busybox",
+			maxCandidates: -1,
+			metadata:      []metadata.V2Metadata{taggedMetadata("key", "dgst", "127.0.0.1/repo")},
+			candidates:    []metadata.V2Metadata{},
+		},
+		{
+			name:          "one item matching",
+			targetRepo:    "busybox",
+			maxCandidates: -1,
+			metadata:      []metadata.V2Metadata{taggedMetadata("hash", "1", "docker.io/library/hello-world")},
+			candidates:    []metadata.V2Metadata{taggedMetadata("hash", "1", "docker.io/library/hello-world")},
+		},
+		{
+			name:          "allow missing SourceRepository",
+			targetRepo:    "busybox",
+			maxCandidates: -1,
+			metadata: []metadata.V2Metadata{
+				{Digest: digest.Digest("1")},
+				{Digest: digest.Digest("3")},
+				{Digest: digest.Digest("2")},
+			},
+			candidates: []metadata.V2Metadata{},
+		},
+		{
+			name:          "handle docker.io",
+			targetRepo:    "user/app",
+			maxCandidates: -1,
+			metadata: []metadata.V2Metadata{
+				{Digest: digest.Digest("1"), SourceRepository: "docker.io/user/foo"},
+				{Digest: digest.Digest("3"), SourceRepository: "docker.io/user/bar"},
+				{Digest: digest.Digest("2"), SourceRepository: "docker.io/library/app"},
+			},
+			candidates: []metadata.V2Metadata{
+				{Digest: digest.Digest("3"), SourceRepository: "docker.io/user/bar"},
+				{Digest: digest.Digest("1"), SourceRepository: "docker.io/user/foo"},
+				{Digest: digest.Digest("2"), SourceRepository: "docker.io/library/app"},
+			},
+		},
+		{
+			name:          "sort more items",
+			hmacKey:       "abcd",
+			targetRepo:    "127.0.0.1/foo/bar",
+			maxCandidates: -1,
+			metadata: []metadata.V2Metadata{
+				taggedMetadata("hash", "1", "docker.io/library/hello-world"),
+				taggedMetadata("efgh", "2", "127.0.0.1/hello-world"),
+				taggedMetadata("abcd", "3", "docker.io/library/busybox"),
+				taggedMetadata("hash", "4", "docker.io/library/busybox"),
+				taggedMetadata("hash", "5", "127.0.0.1/foo"),
+				taggedMetadata("hash", "6", "127.0.0.1/bar"),
+				taggedMetadata("efgh", "7", "127.0.0.1/foo/bar"),
+				taggedMetadata("abcd", "8", "127.0.0.1/xyz"),
+				taggedMetadata("hash", "9", "127.0.0.1/foo/app"),
+			},
+			candidates: []metadata.V2Metadata{
+				// first by matching hash
+				taggedMetadata("abcd", "8", "127.0.0.1/xyz"),
+				// then by longest matching prefix
+				taggedMetadata("hash", "9", "127.0.0.1/foo/app"),
+				taggedMetadata("hash", "5", "127.0.0.1/foo"),
+				// sort the rest of the matching items in reversed order
+				taggedMetadata("hash", "6", "127.0.0.1/bar"),
+				taggedMetadata("efgh", "2", "127.0.0.1/hello-world"),
+			},
+		},
+		{
+			name:          "limit max candidates",
+			hmacKey:       "abcd",
+			targetRepo:    "user/app",
+			maxCandidates: 3,
+			metadata: []metadata.V2Metadata{
+				taggedMetadata("abcd", "1", "docker.io/user/app1"),
+				taggedMetadata("abcd", "2", "docker.io/user/app/base"),
+				taggedMetadata("hash", "3", "docker.io/user/app"),
+				taggedMetadata("abcd", "4", "127.0.0.1/user/app"),
+				taggedMetadata("hash", "5", "docker.io/user/foo"),
+				taggedMetadata("hash", "6", "docker.io/app/bar"),
+			},
+			candidates: []metadata.V2Metadata{
+				// first by matching hash
+				taggedMetadata("abcd", "2", "docker.io/user/app/base"),
+				taggedMetadata("abcd", "1", "docker.io/user/app1"),
+				// then by longest matching prefix
+				// "docker.io/usr/app" is excluded since candidates must
+				// be from a different repository
+				taggedMetadata("hash", "5", "docker.io/user/foo"),
+			},
+		},
+	} {
+		repoInfo, err := reference.ParseNormalizedNamed(tc.targetRepo)
+		if err != nil {
+			t.Fatalf("[%s] failed to parse reference name: %v", tc.name, err)
+		}
+		candidates := getRepositoryMountCandidates(repoInfo, []byte(tc.hmacKey), tc.maxCandidates, tc.metadata)
+		if len(candidates) != len(tc.candidates) {
+			t.Errorf("[%s] got unexpected number of candidates: %d != %d", tc.name, len(candidates), len(tc.candidates))
+		}
+		for i := 0; i < len(candidates) && i < len(tc.candidates); i++ {
+			if !reflect.DeepEqual(candidates[i], tc.candidates[i]) {
+				t.Errorf("[%s] candidate %d does not match expected: %#+v != %#+v", tc.name, i, candidates[i], tc.candidates[i])
+			}
+		}
+		for i := len(candidates); i < len(tc.candidates); i++ {
+			t.Errorf("[%s] missing expected candidate at position %d (%#+v)", tc.name, i, tc.candidates[i])
+		}
+		for i := len(tc.candidates); i < len(candidates); i++ {
+			t.Errorf("[%s] got unexpected candidate at position %d (%#+v)", tc.name, i, candidates[i])
+		}
+	}
+}
+
+func TestLayerAlreadyExists(t *testing.T) {
+	for _, tc := range []struct {
+		name                   string
+		metadata               []metadata.V2Metadata
+		targetRepo             string
+		hmacKey                string
+		maxExistenceChecks     int
+		checkOtherRepositories bool
+		remoteBlobs            map[digest.Digest]distribution.Descriptor
+		remoteErrors           map[digest.Digest]error
+		expectedDescriptor     distribution.Descriptor
+		expectedExists         bool
+		expectedError          error
+		expectedRequests       []string
+		expectedAdditions      []metadata.V2Metadata
+		expectedRemovals       []metadata.V2Metadata
+	}{
+		{
+			name:                   "empty metadata",
+			targetRepo:             "busybox",
+			maxExistenceChecks:     3,
+			checkOtherRepositories: true,
+		},
+		{
+			name:               "single not existent metadata",
+			targetRepo:         "busybox",
+			metadata:           []metadata.V2Metadata{{Digest: digest.Digest("pear"), SourceRepository: "docker.io/library/busybox"}},
+			maxExistenceChecks: 3,
+			expectedRequests:   []string{"pear"},
+			expectedRemovals:   []metadata.V2Metadata{{Digest: digest.Digest("pear"), SourceRepository: "docker.io/library/busybox"}},
+		},
+		{
+			name:               "access denied",
+			targetRepo:         "busybox",
+			maxExistenceChecks: 1,
+			metadata:           []metadata.V2Metadata{{Digest: digest.Digest("apple"), SourceRepository: "docker.io/library/busybox"}},
+			remoteErrors:       map[digest.Digest]error{digest.Digest("apple"): distribution.ErrAccessDenied},
+			expectedError:      nil,
+			expectedRequests:   []string{"apple"},
+		},
+		{
+			name:               "not matching repositories",
+			targetRepo:         "busybox",
+			maxExistenceChecks: 3,
+			metadata: []metadata.V2Metadata{
+				{Digest: digest.Digest("apple"), SourceRepository: "docker.io/library/hello-world"},
+				{Digest: digest.Digest("orange"), SourceRepository: "docker.io/library/busybox/subapp"},
+				{Digest: digest.Digest("pear"), SourceRepository: "docker.io/busybox"},
+				{Digest: digest.Digest("plum"), SourceRepository: "busybox"},
+				{Digest: digest.Digest("banana"), SourceRepository: "127.0.0.1/busybox"},
+			},
+		},
+		{
+			name:                   "check other repositories",
+			targetRepo:             "busybox",
+			maxExistenceChecks:     10,
+			checkOtherRepositories: true,
+			metadata: []metadata.V2Metadata{
+				{Digest: digest.Digest("apple"), SourceRepository: "docker.io/library/hello-world"},
+				{Digest: digest.Digest("orange"), SourceRepository: "docker.io/busybox/subapp"},
+				{Digest: digest.Digest("pear"), SourceRepository: "docker.io/busybox"},
+				{Digest: digest.Digest("plum"), SourceRepository: "docker.io/library/busybox"},
+				{Digest: digest.Digest("banana"), SourceRepository: "127.0.0.1/busybox"},
+			},
+			expectedRequests: []string{"plum", "apple", "pear", "orange", "banana"},
+			expectedRemovals: []metadata.V2Metadata{
+				{Digest: digest.Digest("plum"), SourceRepository: "docker.io/library/busybox"},
+			},
+		},
+		{
+			name:               "find existing blob",
+			targetRepo:         "busybox",
+			metadata:           []metadata.V2Metadata{{Digest: digest.Digest("apple"), SourceRepository: "docker.io/library/busybox"}},
+			maxExistenceChecks: 3,
+			remoteBlobs:        map[digest.Digest]distribution.Descriptor{digest.Digest("apple"): {Digest: digest.Digest("apple")}},
+			expectedDescriptor: distribution.Descriptor{Digest: digest.Digest("apple"), MediaType: schema2.MediaTypeLayer},
+			expectedExists:     true,
+			expectedRequests:   []string{"apple"},
+		},
+		{
+			name:               "find existing blob with different hmac",
+			targetRepo:         "busybox",
+			metadata:           []metadata.V2Metadata{{SourceRepository: "docker.io/library/busybox", Digest: digest.Digest("apple"), HMAC: "dummyhmac"}},
+			maxExistenceChecks: 3,
+			remoteBlobs:        map[digest.Digest]distribution.Descriptor{digest.Digest("apple"): {Digest: digest.Digest("apple")}},
+			expectedDescriptor: distribution.Descriptor{Digest: digest.Digest("apple"), MediaType: schema2.MediaTypeLayer},
+			expectedExists:     true,
+			expectedRequests:   []string{"apple"},
+			expectedAdditions:  []metadata.V2Metadata{{Digest: digest.Digest("apple"), SourceRepository: "docker.io/library/busybox"}},
+		},
+		{
+			name:               "overwrite media types",
+			targetRepo:         "busybox",
+			metadata:           []metadata.V2Metadata{{Digest: digest.Digest("apple"), SourceRepository: "docker.io/library/busybox"}},
+			hmacKey:            "key",
+			maxExistenceChecks: 3,
+			remoteBlobs:        map[digest.Digest]distribution.Descriptor{digest.Digest("apple"): {Digest: digest.Digest("apple"), MediaType: "custom-media-type"}},
+			expectedDescriptor: distribution.Descriptor{Digest: digest.Digest("apple"), MediaType: schema2.MediaTypeLayer},
+			expectedExists:     true,
+			expectedRequests:   []string{"apple"},
+			expectedAdditions:  []metadata.V2Metadata{taggedMetadata("key", "apple", "docker.io/library/busybox")},
+		},
+		{
+			name:       "find existing blob among many",
+			targetRepo: "127.0.0.1/myapp",
+			hmacKey:    "key",
+			metadata: []metadata.V2Metadata{
+				taggedMetadata("someotherkey", "pear", "127.0.0.1/myapp"),
+				taggedMetadata("key", "apple", "127.0.0.1/myapp"),
+				taggedMetadata("", "plum", "127.0.0.1/myapp"),
+			},
+			maxExistenceChecks: 3,
+			remoteBlobs:        map[digest.Digest]distribution.Descriptor{digest.Digest("pear"): {Digest: digest.Digest("pear")}},
+			expectedDescriptor: distribution.Descriptor{Digest: digest.Digest("pear"), MediaType: schema2.MediaTypeLayer},
+			expectedExists:     true,
+			expectedRequests:   []string{"apple", "plum", "pear"},
+			expectedAdditions:  []metadata.V2Metadata{taggedMetadata("key", "pear", "127.0.0.1/myapp")},
+			expectedRemovals: []metadata.V2Metadata{
+				taggedMetadata("key", "apple", "127.0.0.1/myapp"),
+				{Digest: digest.Digest("plum"), SourceRepository: "127.0.0.1/myapp"},
+			},
+		},
+		{
+			name:       "reach maximum existence checks",
+			targetRepo: "user/app",
+			metadata: []metadata.V2Metadata{
+				{Digest: digest.Digest("pear"), SourceRepository: "docker.io/user/app"},
+				{Digest: digest.Digest("apple"), SourceRepository: "docker.io/user/app"},
+				{Digest: digest.Digest("plum"), SourceRepository: "docker.io/user/app"},
+				{Digest: digest.Digest("banana"), SourceRepository: "docker.io/user/app"},
+			},
+			maxExistenceChecks: 3,
+			remoteBlobs:        map[digest.Digest]distribution.Descriptor{digest.Digest("pear"): {Digest: digest.Digest("pear")}},
+			expectedExists:     false,
+			expectedRequests:   []string{"banana", "plum", "apple"},
+			expectedRemovals: []metadata.V2Metadata{
+				{Digest: digest.Digest("banana"), SourceRepository: "docker.io/user/app"},
+				{Digest: digest.Digest("plum"), SourceRepository: "docker.io/user/app"},
+				{Digest: digest.Digest("apple"), SourceRepository: "docker.io/user/app"},
+			},
+		},
+		{
+			name:       "zero allowed existence checks",
+			targetRepo: "user/app",
+			metadata: []metadata.V2Metadata{
+				{Digest: digest.Digest("pear"), SourceRepository: "docker.io/user/app"},
+				{Digest: digest.Digest("apple"), SourceRepository: "docker.io/user/app"},
+				{Digest: digest.Digest("plum"), SourceRepository: "docker.io/user/app"},
+				{Digest: digest.Digest("banana"), SourceRepository: "docker.io/user/app"},
+			},
+			maxExistenceChecks: 0,
+			remoteBlobs:        map[digest.Digest]distribution.Descriptor{digest.Digest("pear"): {Digest: digest.Digest("pear")}},
+		},
+		{
+			name:       "stat single digest just once",
+			targetRepo: "busybox",
+			metadata: []metadata.V2Metadata{
+				taggedMetadata("key1", "pear", "docker.io/library/busybox"),
+				taggedMetadata("key2", "apple", "docker.io/library/busybox"),
+				taggedMetadata("key3", "apple", "docker.io/library/busybox"),
+			},
+			maxExistenceChecks: 3,
+			remoteBlobs:        map[digest.Digest]distribution.Descriptor{digest.Digest("pear"): {Digest: digest.Digest("pear")}},
+			expectedDescriptor: distribution.Descriptor{Digest: digest.Digest("pear"), MediaType: schema2.MediaTypeLayer},
+			expectedExists:     true,
+			expectedRequests:   []string{"apple", "pear"},
+			expectedAdditions:  []metadata.V2Metadata{{Digest: digest.Digest("pear"), SourceRepository: "docker.io/library/busybox"}},
+			expectedRemovals:   []metadata.V2Metadata{taggedMetadata("key3", "apple", "docker.io/library/busybox")},
+		},
+		{
+			name:       "don't stop on first error",
+			targetRepo: "user/app",
+			hmacKey:    "key",
+			metadata: []metadata.V2Metadata{
+				taggedMetadata("key", "banana", "docker.io/user/app"),
+				taggedMetadata("key", "orange", "docker.io/user/app"),
+				taggedMetadata("key", "plum", "docker.io/user/app"),
+			},
+			maxExistenceChecks: 3,
+			remoteErrors:       map[digest.Digest]error{"orange": distribution.ErrAccessDenied},
+			remoteBlobs:        map[digest.Digest]distribution.Descriptor{digest.Digest("apple"): {}},
+			expectedError:      nil,
+			expectedRequests:   []string{"plum", "orange", "banana"},
+			expectedRemovals: []metadata.V2Metadata{
+				taggedMetadata("key", "plum", "docker.io/user/app"),
+				taggedMetadata("key", "banana", "docker.io/user/app"),
+			},
+		},
+		{
+			name:       "remove outdated metadata",
+			targetRepo: "docker.io/user/app",
+			metadata: []metadata.V2Metadata{
+				{Digest: digest.Digest("plum"), SourceRepository: "docker.io/library/busybox"},
+				{Digest: digest.Digest("orange"), SourceRepository: "docker.io/user/app"},
+			},
+			maxExistenceChecks: 3,
+			remoteErrors:       map[digest.Digest]error{"orange": distribution.ErrBlobUnknown},
+			remoteBlobs:        map[digest.Digest]distribution.Descriptor{digest.Digest("plum"): {}},
+			expectedExists:     false,
+			expectedRequests:   []string{"orange"},
+			expectedRemovals:   []metadata.V2Metadata{{Digest: digest.Digest("orange"), SourceRepository: "docker.io/user/app"}},
+		},
+		{
+			name:       "missing SourceRepository",
+			targetRepo: "busybox",
+			metadata: []metadata.V2Metadata{
+				{Digest: digest.Digest("1")},
+				{Digest: digest.Digest("3")},
+				{Digest: digest.Digest("2")},
+			},
+			maxExistenceChecks: 3,
+			expectedExists:     false,
+			expectedRequests:   []string{"2", "3", "1"},
+		},
+
+		{
+			name:       "with and without SourceRepository",
+			targetRepo: "busybox",
+			metadata: []metadata.V2Metadata{
+				{Digest: digest.Digest("1")},
+				{Digest: digest.Digest("2"), SourceRepository: "docker.io/library/busybox"},
+				{Digest: digest.Digest("3")},
+			},
+			remoteBlobs:        map[digest.Digest]distribution.Descriptor{digest.Digest("1"): {Digest: digest.Digest("1")}},
+			maxExistenceChecks: 3,
+			expectedDescriptor: distribution.Descriptor{Digest: digest.Digest("1"), MediaType: schema2.MediaTypeLayer},
+			expectedExists:     true,
+			expectedRequests:   []string{"2", "3", "1"},
+			expectedAdditions:  []metadata.V2Metadata{{Digest: digest.Digest("1"), SourceRepository: "docker.io/library/busybox"}},
+			expectedRemovals: []metadata.V2Metadata{
+				{Digest: digest.Digest("2"), SourceRepository: "docker.io/library/busybox"},
+			},
+		},
+	} {
+		repoInfo, err := reference.ParseNormalizedNamed(tc.targetRepo)
+		if err != nil {
+			t.Fatalf("[%s] failed to parse reference name: %v", tc.name, err)
+		}
+		repo := &mockRepo{
+			t:        t,
+			errors:   tc.remoteErrors,
+			blobs:    tc.remoteBlobs,
+			requests: []string{},
+		}
+		ctx := context.Background()
+		ms := &mockV2MetadataService{}
+		pd := &v2PushDescriptor{
+			hmacKey:  []byte(tc.hmacKey),
+			repoInfo: repoInfo,
+			layer: &storeLayer{
+				Layer: layer.EmptyLayer,
+			},
+			repo:              repo,
+			v2MetadataService: ms,
+			pushState:         &pushState{remoteLayers: make(map[layer.DiffID]distribution.Descriptor)},
+			checkedDigests:    make(map[digest.Digest]struct{}),
+		}
+
+		desc, exists, err := pd.layerAlreadyExists(ctx, &progressSink{t}, layer.EmptyLayer.DiffID(), tc.checkOtherRepositories, tc.maxExistenceChecks, tc.metadata)
+
+		if !reflect.DeepEqual(desc, tc.expectedDescriptor) {
+			t.Errorf("[%s] got unexpected descriptor: %#+v != %#+v", tc.name, desc, tc.expectedDescriptor)
+		}
+		if exists != tc.expectedExists {
+			t.Errorf("[%s] got unexpected exists: %t != %t", tc.name, exists, tc.expectedExists)
+		}
+		if !reflect.DeepEqual(err, tc.expectedError) {
+			t.Errorf("[%s] got unexpected error: %#+v != %#+v", tc.name, err, tc.expectedError)
+		}
+
+		if len(repo.requests) != len(tc.expectedRequests) {
+			t.Errorf("[%s] got unexpected number of requests: %d != %d", tc.name, len(repo.requests), len(tc.expectedRequests))
+		}
+		for i := 0; i < len(repo.requests) && i < len(tc.expectedRequests); i++ {
+			if repo.requests[i] != tc.expectedRequests[i] {
+				t.Errorf("[%s] request %d does not match expected: %q != %q", tc.name, i, repo.requests[i], tc.expectedRequests[i])
+			}
+		}
+		for i := len(repo.requests); i < len(tc.expectedRequests); i++ {
+			t.Errorf("[%s] missing expected request at position %d (%q)", tc.name, i, tc.expectedRequests[i])
+		}
+		for i := len(tc.expectedRequests); i < len(repo.requests); i++ {
+			t.Errorf("[%s] got unexpected request at position %d (%q)", tc.name, i, repo.requests[i])
+		}
+
+		if len(ms.added) != len(tc.expectedAdditions) {
+			t.Errorf("[%s] got unexpected number of additions: %d != %d", tc.name, len(ms.added), len(tc.expectedAdditions))
+		}
+		for i := 0; i < len(ms.added) && i < len(tc.expectedAdditions); i++ {
+			if ms.added[i] != tc.expectedAdditions[i] {
+				t.Errorf("[%s] added metadata at %d does not match expected: %q != %q", tc.name, i, ms.added[i], tc.expectedAdditions[i])
+			}
+		}
+		for i := len(ms.added); i < len(tc.expectedAdditions); i++ {
+			t.Errorf("[%s] missing expected addition at position %d (%q)", tc.name, i, tc.expectedAdditions[i])
+		}
+		for i := len(tc.expectedAdditions); i < len(ms.added); i++ {
+			t.Errorf("[%s] unexpected metadata addition at position %d (%q)", tc.name, i, ms.added[i])
+		}
+
+		if len(ms.removed) != len(tc.expectedRemovals) {
+			t.Errorf("[%s] got unexpected number of removals: %d != %d", tc.name, len(ms.removed), len(tc.expectedRemovals))
+		}
+		for i := 0; i < len(ms.removed) && i < len(tc.expectedRemovals); i++ {
+			if ms.removed[i] != tc.expectedRemovals[i] {
+				t.Errorf("[%s] removed metadata at %d does not match expected: %q != %q", tc.name, i, ms.removed[i], tc.expectedRemovals[i])
+			}
+		}
+		for i := len(ms.removed); i < len(tc.expectedRemovals); i++ {
+			t.Errorf("[%s] missing expected removal at position %d (%q)", tc.name, i, tc.expectedRemovals[i])
+		}
+		for i := len(tc.expectedRemovals); i < len(ms.removed); i++ {
+			t.Errorf("[%s] removed unexpected metadata at position %d (%q)", tc.name, i, ms.removed[i])
+		}
+	}
+}
+
+type mockReferenceStore struct {
+}
+
+func (s *mockReferenceStore) References(id digest.Digest) []reference.Named {
+	return []reference.Named{}
+}
+func (s *mockReferenceStore) ReferencesByName(ref reference.Named) []refstore.Association {
+	return []refstore.Association{}
+}
+func (s *mockReferenceStore) AddTag(ref reference.Named, id digest.Digest, force bool) error {
+	return nil
+}
+func (s *mockReferenceStore) AddDigest(ref reference.Canonical, id digest.Digest, force bool) error {
+	return nil
+}
+func (s *mockReferenceStore) Delete(ref reference.Named) (bool, error) {
+	return true, nil
+}
+func (s *mockReferenceStore) Get(ref reference.Named) (digest.Digest, error) {
+	return "", nil
+}
+
+func TestWhenEmptyAuthConfig(t *testing.T) {
+	for _, authInfo := range []struct {
+		username      string
+		password      string
+		registryToken string
+		expected      bool
+	}{
+		{
+			username:      "",
+			password:      "",
+			registryToken: "",
+			expected:      false,
+		},
+		{
+			username:      "username",
+			password:      "password",
+			registryToken: "",
+			expected:      true,
+		},
+		{
+			username:      "",
+			password:      "",
+			registryToken: "token",
+			expected:      true,
+		},
+	} {
+		imagePushConfig := &ImagePushConfig{}
+		imagePushConfig.AuthConfig = &types.AuthConfig{
+			Username:      authInfo.username,
+			Password:      authInfo.password,
+			RegistryToken: authInfo.registryToken,
+		}
+		imagePushConfig.ReferenceStore = &mockReferenceStore{}
+		repoInfo, _ := reference.ParseNormalizedNamed("xujihui1985/test.img")
+		pusher := &v2Pusher{
+			config: imagePushConfig,
+			repoInfo: &registry.RepositoryInfo{
+				Name: repoInfo,
+			},
+			endpoint: registry.APIEndpoint{
+				URL: &url.URL{
+					Scheme: "https",
+					Host:   "index.docker.io",
+				},
+				Version:      registry.APIVersion1,
+				TrimHostname: true,
+			},
+		}
+		pusher.Push(context.Background())
+		if pusher.pushState.hasAuthInfo != authInfo.expected {
+			t.Errorf("hasAuthInfo does not match expected: %t != %t", authInfo.expected, pusher.pushState.hasAuthInfo)
+		}
+	}
+}
+
+type mockBlobStoreWithCreate struct {
+	mockBlobStore
+	repo *mockRepoWithBlob
+}
+
+func (blob *mockBlobStoreWithCreate) Create(ctx context.Context, options ...distribution.BlobCreateOption) (distribution.BlobWriter, error) {
+	return nil, errcode.Errors(append([]error{errcode.ErrorCodeUnauthorized.WithMessage("unauthorized")}))
+}
+
+type mockRepoWithBlob struct {
+	mockRepo
+}
+
+func (m *mockRepoWithBlob) Blobs(ctx context.Context) distribution.BlobStore {
+	blob := &mockBlobStoreWithCreate{}
+	blob.mockBlobStore.repo = &m.mockRepo
+	blob.repo = m
+	return blob
+}
+
+type mockMetadataService struct {
+	mockV2MetadataService
+}
+
+func (m *mockMetadataService) GetMetadata(diffID layer.DiffID) ([]metadata.V2Metadata, error) {
+	return []metadata.V2Metadata{
+		taggedMetadata("abcd", "sha256:ff3a5c916c92643ff77519ffa742d3ec61b7f591b6b7504599d95a4a41134e28", "docker.io/user/app1"),
+		taggedMetadata("abcd", "sha256:ff3a5c916c92643ff77519ffa742d3ec61b7f591b6b7504599d95a4a41134e22", "docker.io/user/app/base"),
+		taggedMetadata("hash", "sha256:ff3a5c916c92643ff77519ffa742d3ec61b7f591b6b7504599d95a4a41134e23", "docker.io/user/app"),
+		taggedMetadata("abcd", "sha256:ff3a5c916c92643ff77519ffa742d3ec61b7f591b6b7504599d95a4a41134e24", "127.0.0.1/user/app"),
+		taggedMetadata("hash", "sha256:ff3a5c916c92643ff77519ffa742d3ec61b7f591b6b7504599d95a4a41134e25", "docker.io/user/foo"),
+		taggedMetadata("hash", "sha256:ff3a5c916c92643ff77519ffa742d3ec61b7f591b6b7504599d95a4a41134e26", "docker.io/app/bar"),
+	}, nil
+}
+
+var removeMetadata bool
+
+func (m *mockMetadataService) Remove(metadata metadata.V2Metadata) error {
+	removeMetadata = true
+	return nil
+}
+
+func TestPushRegistryWhenAuthInfoEmpty(t *testing.T) {
+	repoInfo, _ := reference.ParseNormalizedNamed("user/app")
+	ms := &mockMetadataService{}
+	remoteErrors := map[digest.Digest]error{digest.Digest("sha256:apple"): distribution.ErrAccessDenied}
+	remoteBlobs := map[digest.Digest]distribution.Descriptor{digest.Digest("sha256:apple"): {Digest: digest.Digest("shar256:apple")}}
+	repo := &mockRepoWithBlob{
+		mockRepo: mockRepo{
+			t:        t,
+			errors:   remoteErrors,
+			blobs:    remoteBlobs,
+			requests: []string{},
+		},
+	}
+	pd := &v2PushDescriptor{
+		hmacKey:  []byte("abcd"),
+		repoInfo: repoInfo,
+		layer: &storeLayer{
+			Layer: layer.EmptyLayer,
+		},
+		repo:              repo,
+		v2MetadataService: ms,
+		pushState: &pushState{
+			remoteLayers: make(map[layer.DiffID]distribution.Descriptor),
+			hasAuthInfo:  false,
+		},
+		checkedDigests: make(map[digest.Digest]struct{}),
+	}
+	pd.Upload(context.Background(), &progressSink{t})
+	if removeMetadata {
+		t.Fatalf("expect remove not be called but called")
+	}
+}
+
+func taggedMetadata(key string, dgst string, sourceRepo string) metadata.V2Metadata {
+	meta := metadata.V2Metadata{
+		Digest:           digest.Digest(dgst),
+		SourceRepository: sourceRepo,
+	}
+
+	meta.HMAC = metadata.ComputeV2MetadataHMAC([]byte(key), &meta)
+	return meta
+}
+
+type mockRepo struct {
+	t        *testing.T
+	errors   map[digest.Digest]error
+	blobs    map[digest.Digest]distribution.Descriptor
+	requests []string
+}
+
+var _ distribution.Repository = &mockRepo{}
+
+func (m *mockRepo) Named() reference.Named {
+	m.t.Fatalf("Named() not implemented")
+	return nil
+}
+func (m *mockRepo) Manifests(ctc context.Context, options ...distribution.ManifestServiceOption) (distribution.ManifestService, error) {
+	m.t.Fatalf("Manifests() not implemented")
+	return nil, nil
+}
+func (m *mockRepo) Tags(ctc context.Context) distribution.TagService {
+	m.t.Fatalf("Tags() not implemented")
+	return nil
+}
+func (m *mockRepo) Blobs(ctx context.Context) distribution.BlobStore {
+	return &mockBlobStore{
+		repo: m,
+	}
+}
+
+type mockBlobStore struct {
+	repo *mockRepo
+}
+
+var _ distribution.BlobStore = &mockBlobStore{}
+
+func (m *mockBlobStore) Stat(ctx context.Context, dgst digest.Digest) (distribution.Descriptor, error) {
+	m.repo.requests = append(m.repo.requests, dgst.String())
+	if err, exists := m.repo.errors[dgst]; exists {
+		return distribution.Descriptor{}, err
+	}
+	if desc, exists := m.repo.blobs[dgst]; exists {
+		return desc, nil
+	}
+	return distribution.Descriptor{}, distribution.ErrBlobUnknown
+}
+func (m *mockBlobStore) Get(ctx context.Context, dgst digest.Digest) ([]byte, error) {
+	m.repo.t.Fatal("Get() not implemented")
+	return nil, nil
+}
+
+func (m *mockBlobStore) Open(ctx context.Context, dgst digest.Digest) (distribution.ReadSeekCloser, error) {
+	m.repo.t.Fatal("Open() not implemented")
+	return nil, nil
+}
+
+func (m *mockBlobStore) Put(ctx context.Context, mediaType string, p []byte) (distribution.Descriptor, error) {
+	m.repo.t.Fatal("Put() not implemented")
+	return distribution.Descriptor{}, nil
+}
+
+func (m *mockBlobStore) Create(ctx context.Context, options ...distribution.BlobCreateOption) (distribution.BlobWriter, error) {
+	m.repo.t.Fatal("Create() not implemented")
+	return nil, nil
+}
+func (m *mockBlobStore) Resume(ctx context.Context, id string) (distribution.BlobWriter, error) {
+	m.repo.t.Fatal("Resume() not implemented")
+	return nil, nil
+}
+func (m *mockBlobStore) Delete(ctx context.Context, dgst digest.Digest) error {
+	m.repo.t.Fatal("Delete() not implemented")
+	return nil
+}
+func (m *mockBlobStore) ServeBlob(ctx context.Context, w http.ResponseWriter, r *http.Request, dgst digest.Digest) error {
+	m.repo.t.Fatalf("ServeBlob() not implemented")
+	return nil
+}
+
+type mockV2MetadataService struct {
+	added   []metadata.V2Metadata
+	removed []metadata.V2Metadata
+}
+
+var _ metadata.V2MetadataService = &mockV2MetadataService{}
+
+func (*mockV2MetadataService) GetMetadata(diffID layer.DiffID) ([]metadata.V2Metadata, error) {
+	return nil, nil
+}
+func (*mockV2MetadataService) GetDiffID(dgst digest.Digest) (layer.DiffID, error) {
+	return "", nil
+}
+func (m *mockV2MetadataService) Add(diffID layer.DiffID, metadata metadata.V2Metadata) error {
+	m.added = append(m.added, metadata)
+	return nil
+}
+func (m *mockV2MetadataService) TagAndAdd(diffID layer.DiffID, hmacKey []byte, meta metadata.V2Metadata) error {
+	meta.HMAC = metadata.ComputeV2MetadataHMAC(hmacKey, &meta)
+	m.Add(diffID, meta)
+	return nil
+}
+func (m *mockV2MetadataService) Remove(metadata metadata.V2Metadata) error {
+	m.removed = append(m.removed, metadata)
+	return nil
+}
+
+type progressSink struct {
+	t *testing.T
+}
+
+func (s *progressSink) WriteProgress(p progress.Progress) error {
+	s.t.Logf("progress update: %#+v", p)
+	return nil
+}
diff --git a/engine/distribution/registry.go b/engine/distribution/registry.go
new file mode 100644
index 00000000..d81530b7
--- /dev/null
+++ b/engine/distribution/registry.go
@@ -0,0 +1,158 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/client"
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/registry"
+	"github.com/docker/go-connections/sockets"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// ImageTypes represents the schema2 config types for images
+var ImageTypes = []string{
+	schema2.MediaTypeImageConfig,
+	ocispec.MediaTypeImageConfig,
+	// Handle unexpected values from https://github.com/docker/distribution/issues/1621
+	// (see also https://github.com/docker/docker/issues/22378,
+	// https://github.com/docker/docker/issues/30083)
+	"application/octet-stream",
+	"application/json",
+	"text/html",
+	// Treat defaulted values as images, newer types cannot be implied
+	"",
+}
+
+// PluginTypes represents the schema2 config types for plugins
+var PluginTypes = []string{
+	schema2.MediaTypePluginConfig,
+}
+
+var mediaTypeClasses map[string]string
+
+func init() {
+	// initialize media type classes with all know types for
+	// plugin
+	mediaTypeClasses = map[string]string{}
+	for _, t := range ImageTypes {
+		mediaTypeClasses[t] = "image"
+	}
+	for _, t := range PluginTypes {
+		mediaTypeClasses[t] = "plugin"
+	}
+}
+
+// NewV2Repository returns a repository (v2 only). It creates an HTTP transport
+// providing timeout settings and authentication support, and also verifies the
+// remote API version.
+func NewV2Repository(ctx context.Context, repoInfo *registry.RepositoryInfo, endpoint registry.APIEndpoint, metaHeaders http.Header, authConfig *types.AuthConfig, actions ...string) (repo distribution.Repository, foundVersion bool, err error) {
+	repoName := repoInfo.Name.Name()
+	// If endpoint does not support CanonicalName, use the RemoteName instead
+	if endpoint.TrimHostname {
+		repoName = reference.Path(repoInfo.Name)
+	}
+
+	direct := &net.Dialer{
+		Timeout:   30 * time.Second,
+		KeepAlive: 30 * time.Second,
+		DualStack: true,
+	}
+
+	// TODO(dmcgowan): Call close idle connections when complete, use keep alive
+	base := &http.Transport{
+		Proxy:               http.ProxyFromEnvironment,
+		Dial:                direct.Dial,
+		TLSHandshakeTimeout: 10 * time.Second,
+		TLSClientConfig:     endpoint.TLSConfig,
+		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
+		DisableKeepAlives: true,
+	}
+
+	proxyDialer, err := sockets.DialerFromEnvironment(direct)
+	if err == nil {
+		base.Dial = proxyDialer.Dial
+	}
+
+	modifiers := registry.Headers(dockerversion.DockerUserAgent(ctx), metaHeaders)
+	authTransport := transport.NewTransport(base, modifiers...)
+
+	challengeManager, foundVersion, err := registry.PingV2Registry(endpoint.URL, authTransport)
+	if err != nil {
+		transportOK := false
+		if responseErr, ok := err.(registry.PingResponseError); ok {
+			transportOK = true
+			err = responseErr.Err
+		}
+		return nil, foundVersion, fallbackError{
+			err:         err,
+			confirmedV2: foundVersion,
+			transportOK: transportOK,
+		}
+	}
+
+	if authConfig.RegistryToken != "" {
+		passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}
+		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
+	} else {
+		scope := auth.RepositoryScope{
+			Repository: repoName,
+			Actions:    actions,
+			Class:      repoInfo.Class,
+		}
+
+		creds := registry.NewStaticCredentialStore(authConfig)
+		tokenHandlerOptions := auth.TokenHandlerOptions{
+			Transport:   authTransport,
+			Credentials: creds,
+			Scopes:      []auth.Scope{scope},
+			ClientID:    registry.AuthClientID,
+		}
+		tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions)
+		basicHandler := auth.NewBasicHandler(creds)
+		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
+	}
+	tr := transport.NewTransport(base, modifiers...)
+
+	repoNameRef, err := reference.WithName(repoName)
+	if err != nil {
+		return nil, foundVersion, fallbackError{
+			err:         err,
+			confirmedV2: foundVersion,
+			transportOK: true,
+		}
+	}
+
+	repo, err = client.NewRepository(repoNameRef, endpoint.URL.String(), tr)
+	if err != nil {
+		err = fallbackError{
+			err:         err,
+			confirmedV2: foundVersion,
+			transportOK: true,
+		}
+	}
+	return
+}
+
+type existingTokenHandler struct {
+	token string
+}
+
+func (th *existingTokenHandler) Scheme() string {
+	return "bearer"
+}
+
+func (th *existingTokenHandler) AuthorizeRequest(req *http.Request, params map[string]string) error {
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", th.token))
+	return nil
+}
diff --git a/engine/distribution/registry_unit_test.go b/engine/distribution/registry_unit_test.go
new file mode 100644
index 00000000..3651c468
--- /dev/null
+++ b/engine/distribution/registry_unit_test.go
@@ -0,0 +1,127 @@
+package distribution // import "github.com/docker/docker/distribution"
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/registry"
+	"github.com/sirupsen/logrus"
+)
+
+const secretRegistryToken = "mysecrettoken"
+
+type tokenPassThruHandler struct {
+	reached       bool
+	gotToken      bool
+	shouldSend401 func(url string) bool
+}
+
+func (h *tokenPassThruHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	h.reached = true
+	if strings.Contains(r.Header.Get("Authorization"), secretRegistryToken) {
+		logrus.Debug("Detected registry token in auth header")
+		h.gotToken = true
+	}
+	if h.shouldSend401 == nil || h.shouldSend401(r.RequestURI) {
+		w.Header().Set("WWW-Authenticate", `Bearer realm="foorealm"`)
+		w.WriteHeader(401)
+	}
+}
+
+func testTokenPassThru(t *testing.T, ts *httptest.Server) {
+	uri, err := url.Parse(ts.URL)
+	if err != nil {
+		t.Fatalf("could not parse url from test server: %v", err)
+	}
+
+	endpoint := registry.APIEndpoint{
+		Mirror:       false,
+		URL:          uri,
+		Version:      2,
+		Official:     false,
+		TrimHostname: false,
+		TLSConfig:    nil,
+	}
+	n, _ := reference.ParseNormalizedNamed("testremotename")
+	repoInfo := &registry.RepositoryInfo{
+		Name: n,
+		Index: &registrytypes.IndexInfo{
+			Name:     "testrepo",
+			Mirrors:  nil,
+			Secure:   false,
+			Official: false,
+		},
+		Official: false,
+	}
+	imagePullConfig := &ImagePullConfig{
+		Config: Config{
+			MetaHeaders: http.Header{},
+			AuthConfig: &types.AuthConfig{
+				RegistryToken: secretRegistryToken,
+			},
+		},
+		Schema2Types: ImageTypes,
+	}
+	puller, err := newPuller(endpoint, repoInfo, imagePullConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+	p := puller.(*v2Puller)
+	ctx := context.Background()
+	p.repo, _, err = NewV2Repository(ctx, p.repoInfo, p.endpoint, p.config.MetaHeaders, p.config.AuthConfig, "pull")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	logrus.Debug("About to pull")
+	// We expect it to fail, since we haven't mock'd the full registry exchange in our handler above
+	tag, _ := reference.WithTag(n, "tag_goes_here")
+	_ = p.pullV2Repository(ctx, tag, nil)
+}
+
+func TestTokenPassThru(t *testing.T) {
+	handler := &tokenPassThruHandler{shouldSend401: func(url string) bool { return url == "/v2/" }}
+	ts := httptest.NewServer(handler)
+	defer ts.Close()
+
+	testTokenPassThru(t, ts)
+
+	if !handler.reached {
+		t.Fatal("Handler not reached")
+	}
+	if !handler.gotToken {
+		t.Fatal("Failed to receive registry token")
+	}
+}
+
+func TestTokenPassThruDifferentHost(t *testing.T) {
+	handler := new(tokenPassThruHandler)
+	ts := httptest.NewServer(handler)
+	defer ts.Close()
+
+	tsredirect := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.RequestURI == "/v2/" {
+			w.Header().Set("WWW-Authenticate", `Bearer realm="foorealm"`)
+			w.WriteHeader(401)
+			return
+		}
+		http.Redirect(w, r, ts.URL+r.URL.Path, http.StatusMovedPermanently)
+	}))
+	defer tsredirect.Close()
+
+	testTokenPassThru(t, tsredirect)
+
+	if !handler.reached {
+		t.Fatal("Handler not reached")
+	}
+	if handler.gotToken {
+		t.Fatal("Redirect should not forward Authorization header to another host")
+	}
+}
diff --git a/engine/distribution/utils/progress.go b/engine/distribution/utils/progress.go
new file mode 100644
index 00000000..73ee2be6
--- /dev/null
+++ b/engine/distribution/utils/progress.go
@@ -0,0 +1,44 @@
+package utils // import "github.com/docker/docker/distribution/utils"
+
+import (
+	"io"
+	"net"
+	"os"
+	"syscall"
+
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/sirupsen/logrus"
+)
+
+// WriteDistributionProgress is a helper for writing progress from chan to JSON
+// stream with an optional cancel function.
+func WriteDistributionProgress(cancelFunc func(), outStream io.Writer, progressChan <-chan progress.Progress) {
+	progressOutput := streamformatter.NewJSONProgressOutput(outStream, false)
+	operationCancelled := false
+
+	for prog := range progressChan {
+		if err := progressOutput.WriteProgress(prog); err != nil && !operationCancelled {
+			// don't log broken pipe errors as this is the normal case when a client aborts
+			if isBrokenPipe(err) {
+				logrus.Info("Pull session cancelled")
+			} else {
+				logrus.Errorf("error writing progress to client: %v", err)
+			}
+			cancelFunc()
+			operationCancelled = true
+			// Don't return, because we need to continue draining
+			// progressChan until it's closed to avoid a deadlock.
+		}
+	}
+}
+
+func isBrokenPipe(e error) bool {
+	if netErr, ok := e.(*net.OpError); ok {
+		e = netErr.Err
+		if sysErr, ok := netErr.Err.(*os.SyscallError); ok {
+			e = sysErr.Err
+		}
+	}
+	return e == syscall.EPIPE
+}
diff --git a/engine/distribution/xfer/download.go b/engine/distribution/xfer/download.go
new file mode 100644
index 00000000..e8cda936
--- /dev/null
+++ b/engine/distribution/xfer/download.go
@@ -0,0 +1,474 @@
+package xfer // import "github.com/docker/docker/distribution/xfer"
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"runtime"
+	"time"
+
+	"github.com/docker/distribution"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/system"
+	"github.com/sirupsen/logrus"
+)
+
+const maxDownloadAttempts = 5
+
+// LayerDownloadManager figures out which layers need to be downloaded, then
+// registers and downloads those, taking into account dependencies between
+// layers.
+type LayerDownloadManager struct {
+	layerStores  map[string]layer.Store
+	tm           TransferManager
+	waitDuration time.Duration
+}
+
+// SetConcurrency sets the max concurrent downloads for each pull
+func (ldm *LayerDownloadManager) SetConcurrency(concurrency int) {
+	ldm.tm.SetConcurrency(concurrency)
+}
+
+// NewLayerDownloadManager returns a new LayerDownloadManager.
+func NewLayerDownloadManager(layerStores map[string]layer.Store, concurrencyLimit int, options ...func(*LayerDownloadManager)) *LayerDownloadManager {
+	manager := LayerDownloadManager{
+		layerStores:  layerStores,
+		tm:           NewTransferManager(concurrencyLimit),
+		waitDuration: time.Second,
+	}
+	for _, option := range options {
+		option(&manager)
+	}
+	return &manager
+}
+
+type downloadTransfer struct {
+	Transfer
+
+	layerStore layer.Store
+	layer      layer.Layer
+	err        error
+}
+
+// result returns the layer resulting from the download, if the download
+// and registration were successful.
+func (d *downloadTransfer) result() (layer.Layer, error) {
+	return d.layer, d.err
+}
+
+// A DownloadDescriptor references a layer that may need to be downloaded.
+type DownloadDescriptor interface {
+	// Key returns the key used to deduplicate downloads.
+	Key() string
+	// ID returns the ID for display purposes.
+	ID() string
+	// DiffID should return the DiffID for this layer, or an error
+	// if it is unknown (for example, if it has not been downloaded
+	// before).
+	DiffID() (layer.DiffID, error)
+	// Download is called to perform the download.
+	Download(ctx context.Context, progressOutput progress.Output) (io.ReadCloser, int64, error)
+	// Close is called when the download manager is finished with this
+	// descriptor and will not call Download again or read from the reader
+	// that Download returned.
+	Close()
+}
+
+// DownloadDescriptorWithRegistered is a DownloadDescriptor that has an
+// additional Registered method which gets called after a downloaded layer is
+// registered. This allows the user of the download manager to know the DiffID
+// of each registered layer. This method is called if a cast to
+// DownloadDescriptorWithRegistered is successful.
+type DownloadDescriptorWithRegistered interface {
+	DownloadDescriptor
+	Registered(diffID layer.DiffID)
+}
+
+// Download is a blocking function which ensures the requested layers are
+// present in the layer store. It uses the string returned by the Key method to
+// deduplicate downloads. If a given layer is not already known to present in
+// the layer store, and the key is not used by an in-progress download, the
+// Download method is called to get the layer tar data. Layers are then
+// registered in the appropriate order.  The caller must call the returned
+// release function once it is done with the returned RootFS object.
+func (ldm *LayerDownloadManager) Download(ctx context.Context, initialRootFS image.RootFS, os string, layers []DownloadDescriptor, progressOutput progress.Output) (image.RootFS, func(), error) {
+	var (
+		topLayer       layer.Layer
+		topDownload    *downloadTransfer
+		watcher        *Watcher
+		missingLayer   bool
+		transferKey    = ""
+		downloadsByKey = make(map[string]*downloadTransfer)
+	)
+
+	// Assume that the operating system is the host OS if blank, and validate it
+	// to ensure we don't cause a panic by an invalid index into the layerstores.
+	if os == "" {
+		os = runtime.GOOS
+	}
+	if !system.IsOSSupported(os) {
+		return image.RootFS{}, nil, system.ErrNotSupportedOperatingSystem
+	}
+
+	rootFS := initialRootFS
+	for _, descriptor := range layers {
+		key := descriptor.Key()
+		transferKey += key
+
+		if !missingLayer {
+			missingLayer = true
+			diffID, err := descriptor.DiffID()
+			if err == nil {
+				getRootFS := rootFS
+				getRootFS.Append(diffID)
+				l, err := ldm.layerStores[os].Get(getRootFS.ChainID())
+				if err == nil {
+					// Layer already exists.
+					logrus.Debugf("Layer already exists: %s", descriptor.ID())
+					progress.Update(progressOutput, descriptor.ID(), "Already exists")
+					if topLayer != nil {
+						layer.ReleaseAndLog(ldm.layerStores[os], topLayer)
+					}
+					topLayer = l
+					missingLayer = false
+					rootFS.Append(diffID)
+					// Register this repository as a source of this layer.
+					withRegistered, hasRegistered := descriptor.(DownloadDescriptorWithRegistered)
+					if hasRegistered { // As layerstore may set the driver
+						withRegistered.Registered(diffID)
+					}
+					continue
+				}
+			}
+		}
+
+		// Does this layer have the same data as a previous layer in
+		// the stack? If so, avoid downloading it more than once.
+		var topDownloadUncasted Transfer
+		if existingDownload, ok := downloadsByKey[key]; ok {
+			xferFunc := ldm.makeDownloadFuncFromDownload(descriptor, existingDownload, topDownload, os)
+			defer topDownload.Transfer.Release(watcher)
+			topDownloadUncasted, watcher = ldm.tm.Transfer(transferKey, xferFunc, progressOutput)
+			topDownload = topDownloadUncasted.(*downloadTransfer)
+			continue
+		}
+
+		// Layer is not known to exist - download and register it.
+		progress.Update(progressOutput, descriptor.ID(), "Pulling fs layer")
+
+		var xferFunc DoFunc
+		if topDownload != nil {
+			xferFunc = ldm.makeDownloadFunc(descriptor, "", topDownload, os)
+			defer topDownload.Transfer.Release(watcher)
+		} else {
+			xferFunc = ldm.makeDownloadFunc(descriptor, rootFS.ChainID(), nil, os)
+		}
+		topDownloadUncasted, watcher = ldm.tm.Transfer(transferKey, xferFunc, progressOutput)
+		topDownload = topDownloadUncasted.(*downloadTransfer)
+		downloadsByKey[key] = topDownload
+	}
+
+	if topDownload == nil {
+		return rootFS, func() {
+			if topLayer != nil {
+				layer.ReleaseAndLog(ldm.layerStores[os], topLayer)
+			}
+		}, nil
+	}
+
+	// Won't be using the list built up so far - will generate it
+	// from downloaded layers instead.
+	rootFS.DiffIDs = []layer.DiffID{}
+
+	defer func() {
+		if topLayer != nil {
+			layer.ReleaseAndLog(ldm.layerStores[os], topLayer)
+		}
+	}()
+
+	select {
+	case <-ctx.Done():
+		topDownload.Transfer.Release(watcher)
+		return rootFS, func() {}, ctx.Err()
+	case <-topDownload.Done():
+		break
+	}
+
+	l, err := topDownload.result()
+	if err != nil {
+		topDownload.Transfer.Release(watcher)
+		return rootFS, func() {}, err
+	}
+
+	// Must do this exactly len(layers) times, so we don't include the
+	// base layer on Windows.
+	for range layers {
+		if l == nil {
+			topDownload.Transfer.Release(watcher)
+			return rootFS, func() {}, errors.New("internal error: too few parent layers")
+		}
+		rootFS.DiffIDs = append([]layer.DiffID{l.DiffID()}, rootFS.DiffIDs...)
+		l = l.Parent()
+	}
+	return rootFS, func() { topDownload.Transfer.Release(watcher) }, err
+}
+
+// makeDownloadFunc returns a function that performs the layer download and
+// registration. If parentDownload is non-nil, it waits for that download to
+// complete before the registration step, and registers the downloaded data
+// on top of parentDownload's resulting layer. Otherwise, it registers the
+// layer on top of the ChainID given by parentLayer.
+func (ldm *LayerDownloadManager) makeDownloadFunc(descriptor DownloadDescriptor, parentLayer layer.ChainID, parentDownload *downloadTransfer, os string) DoFunc {
+	return func(progressChan chan<- progress.Progress, start <-chan struct{}, inactive chan<- struct{}) Transfer {
+		d := &downloadTransfer{
+			Transfer:   NewTransfer(),
+			layerStore: ldm.layerStores[os],
+		}
+
+		go func() {
+			defer func() {
+				close(progressChan)
+			}()
+
+			progressOutput := progress.ChanOutput(progressChan)
+
+			select {
+			case <-start:
+			default:
+				progress.Update(progressOutput, descriptor.ID(), "Waiting")
+				<-start
+			}
+
+			if parentDownload != nil {
+				// Did the parent download already fail or get
+				// cancelled?
+				select {
+				case <-parentDownload.Done():
+					_, err := parentDownload.result()
+					if err != nil {
+						d.err = err
+						return
+					}
+				default:
+				}
+			}
+
+			var (
+				downloadReader io.ReadCloser
+				size           int64
+				err            error
+				retries        int
+			)
+
+			defer descriptor.Close()
+
+			for {
+				downloadReader, size, err = descriptor.Download(d.Transfer.Context(), progressOutput)
+				if err == nil {
+					break
+				}
+
+				// If an error was returned because the context
+				// was cancelled, we shouldn't retry.
+				select {
+				case <-d.Transfer.Context().Done():
+					d.err = err
+					return
+				default:
+				}
+
+				retries++
+				if _, isDNR := err.(DoNotRetry); isDNR || retries == maxDownloadAttempts {
+					logrus.Errorf("Download failed: %v", err)
+					d.err = err
+					return
+				}
+
+				logrus.Errorf("Download failed, retrying: %v", err)
+				delay := retries * 5
+				ticker := time.NewTicker(ldm.waitDuration)
+
+			selectLoop:
+				for {
+					progress.Updatef(progressOutput, descriptor.ID(), "Retrying in %d second%s", delay, (map[bool]string{true: "s"})[delay != 1])
+					select {
+					case <-ticker.C:
+						delay--
+						if delay == 0 {
+							ticker.Stop()
+							break selectLoop
+						}
+					case <-d.Transfer.Context().Done():
+						ticker.Stop()
+						d.err = errors.New("download cancelled during retry delay")
+						return
+					}
+
+				}
+			}
+
+			close(inactive)
+
+			if parentDownload != nil {
+				select {
+				case <-d.Transfer.Context().Done():
+					d.err = errors.New("layer registration cancelled")
+					downloadReader.Close()
+					return
+				case <-parentDownload.Done():
+				}
+
+				l, err := parentDownload.result()
+				if err != nil {
+					d.err = err
+					downloadReader.Close()
+					return
+				}
+				parentLayer = l.ChainID()
+			}
+
+			reader := progress.NewProgressReader(ioutils.NewCancelReadCloser(d.Transfer.Context(), downloadReader), progressOutput, size, descriptor.ID(), "Extracting")
+			defer reader.Close()
+
+			inflatedLayerData, err := archive.DecompressStream(reader)
+			if err != nil {
+				d.err = fmt.Errorf("could not get decompression stream: %v", err)
+				return
+			}
+
+			var src distribution.Descriptor
+			if fs, ok := descriptor.(distribution.Describable); ok {
+				src = fs.Descriptor()
+			}
+			if ds, ok := d.layerStore.(layer.DescribableStore); ok {
+				d.layer, err = ds.RegisterWithDescriptor(inflatedLayerData, parentLayer, src)
+			} else {
+				d.layer, err = d.layerStore.Register(inflatedLayerData, parentLayer)
+			}
+			if err != nil {
+				select {
+				case <-d.Transfer.Context().Done():
+					d.err = errors.New("layer registration cancelled")
+				default:
+					d.err = fmt.Errorf("failed to register layer: %v", err)
+				}
+				return
+			}
+
+			progress.Update(progressOutput, descriptor.ID(), "Pull complete")
+			withRegistered, hasRegistered := descriptor.(DownloadDescriptorWithRegistered)
+			if hasRegistered {
+				withRegistered.Registered(d.layer.DiffID())
+			}
+
+			// Doesn't actually need to be its own goroutine, but
+			// done like this so we can defer close(c).
+			go func() {
+				<-d.Transfer.Released()
+				if d.layer != nil {
+					layer.ReleaseAndLog(d.layerStore, d.layer)
+				}
+			}()
+		}()
+
+		return d
+	}
+}
+
+// makeDownloadFuncFromDownload returns a function that performs the layer
+// registration when the layer data is coming from an existing download. It
+// waits for sourceDownload and parentDownload to complete, and then
+// reregisters the data from sourceDownload's top layer on top of
+// parentDownload. This function does not log progress output because it would
+// interfere with the progress reporting for sourceDownload, which has the same
+// Key.
+func (ldm *LayerDownloadManager) makeDownloadFuncFromDownload(descriptor DownloadDescriptor, sourceDownload *downloadTransfer, parentDownload *downloadTransfer, os string) DoFunc {
+	return func(progressChan chan<- progress.Progress, start <-chan struct{}, inactive chan<- struct{}) Transfer {
+		d := &downloadTransfer{
+			Transfer:   NewTransfer(),
+			layerStore: ldm.layerStores[os],
+		}
+
+		go func() {
+			defer func() {
+				close(progressChan)
+			}()
+
+			<-start
+
+			close(inactive)
+
+			select {
+			case <-d.Transfer.Context().Done():
+				d.err = errors.New("layer registration cancelled")
+				return
+			case <-parentDownload.Done():
+			}
+
+			l, err := parentDownload.result()
+			if err != nil {
+				d.err = err
+				return
+			}
+			parentLayer := l.ChainID()
+
+			// sourceDownload should have already finished if
+			// parentDownload finished, but wait for it explicitly
+			// to be sure.
+			select {
+			case <-d.Transfer.Context().Done():
+				d.err = errors.New("layer registration cancelled")
+				return
+			case <-sourceDownload.Done():
+			}
+
+			l, err = sourceDownload.result()
+			if err != nil {
+				d.err = err
+				return
+			}
+
+			layerReader, err := l.TarStream()
+			if err != nil {
+				d.err = err
+				return
+			}
+			defer layerReader.Close()
+
+			var src distribution.Descriptor
+			if fs, ok := l.(distribution.Describable); ok {
+				src = fs.Descriptor()
+			}
+			if ds, ok := d.layerStore.(layer.DescribableStore); ok {
+				d.layer, err = ds.RegisterWithDescriptor(layerReader, parentLayer, src)
+			} else {
+				d.layer, err = d.layerStore.Register(layerReader, parentLayer)
+			}
+			if err != nil {
+				d.err = fmt.Errorf("failed to register layer: %v", err)
+				return
+			}
+
+			withRegistered, hasRegistered := descriptor.(DownloadDescriptorWithRegistered)
+			if hasRegistered {
+				withRegistered.Registered(d.layer.DiffID())
+			}
+
+			// Doesn't actually need to be its own goroutine, but
+			// done like this so we can defer close(c).
+			go func() {
+				<-d.Transfer.Released()
+				if d.layer != nil {
+					layer.ReleaseAndLog(d.layerStore, d.layer)
+				}
+			}()
+		}()
+
+		return d
+	}
+}
diff --git a/engine/distribution/xfer/download_test.go b/engine/distribution/xfer/download_test.go
new file mode 100644
index 00000000..4ab3705a
--- /dev/null
+++ b/engine/distribution/xfer/download_test.go
@@ -0,0 +1,362 @@
+package xfer // import "github.com/docker/docker/distribution/xfer"
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"runtime"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/docker/distribution"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/opencontainers/go-digest"
+)
+
+const maxDownloadConcurrency = 3
+
+type mockLayer struct {
+	layerData bytes.Buffer
+	diffID    layer.DiffID
+	chainID   layer.ChainID
+	parent    layer.Layer
+	os        string
+}
+
+func (ml *mockLayer) TarStream() (io.ReadCloser, error) {
+	return ioutil.NopCloser(bytes.NewBuffer(ml.layerData.Bytes())), nil
+}
+
+func (ml *mockLayer) TarStreamFrom(layer.ChainID) (io.ReadCloser, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
+func (ml *mockLayer) ChainID() layer.ChainID {
+	return ml.chainID
+}
+
+func (ml *mockLayer) DiffID() layer.DiffID {
+	return ml.diffID
+}
+
+func (ml *mockLayer) Parent() layer.Layer {
+	return ml.parent
+}
+
+func (ml *mockLayer) Size() (size int64, err error) {
+	return 0, nil
+}
+
+func (ml *mockLayer) DiffSize() (size int64, err error) {
+	return 0, nil
+}
+
+func (ml *mockLayer) Metadata() (map[string]string, error) {
+	return make(map[string]string), nil
+}
+
+type mockLayerStore struct {
+	layers map[layer.ChainID]*mockLayer
+}
+
+func createChainIDFromParent(parent layer.ChainID, dgsts ...layer.DiffID) layer.ChainID {
+	if len(dgsts) == 0 {
+		return parent
+	}
+	if parent == "" {
+		return createChainIDFromParent(layer.ChainID(dgsts[0]), dgsts[1:]...)
+	}
+	// H = "H(n-1) SHA256(n)"
+	dgst := digest.FromBytes([]byte(string(parent) + " " + string(dgsts[0])))
+	return createChainIDFromParent(layer.ChainID(dgst), dgsts[1:]...)
+}
+
+func (ls *mockLayerStore) Map() map[layer.ChainID]layer.Layer {
+	layers := map[layer.ChainID]layer.Layer{}
+
+	for k, v := range ls.layers {
+		layers[k] = v
+	}
+
+	return layers
+}
+
+func (ls *mockLayerStore) Register(reader io.Reader, parentID layer.ChainID) (layer.Layer, error) {
+	return ls.RegisterWithDescriptor(reader, parentID, distribution.Descriptor{})
+}
+
+func (ls *mockLayerStore) RegisterWithDescriptor(reader io.Reader, parentID layer.ChainID, _ distribution.Descriptor) (layer.Layer, error) {
+	var (
+		parent layer.Layer
+		err    error
+	)
+
+	if parentID != "" {
+		parent, err = ls.Get(parentID)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	l := &mockLayer{parent: parent}
+	_, err = l.layerData.ReadFrom(reader)
+	if err != nil {
+		return nil, err
+	}
+	l.diffID = layer.DiffID(digest.FromBytes(l.layerData.Bytes()))
+	l.chainID = createChainIDFromParent(parentID, l.diffID)
+
+	ls.layers[l.chainID] = l
+	return l, nil
+}
+
+func (ls *mockLayerStore) Get(chainID layer.ChainID) (layer.Layer, error) {
+	l, ok := ls.layers[chainID]
+	if !ok {
+		return nil, layer.ErrLayerDoesNotExist
+	}
+	return l, nil
+}
+
+func (ls *mockLayerStore) Release(l layer.Layer) ([]layer.Metadata, error) {
+	return []layer.Metadata{}, nil
+}
+func (ls *mockLayerStore) CreateRWLayer(string, layer.ChainID, *layer.CreateRWLayerOpts) (layer.RWLayer, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (ls *mockLayerStore) GetRWLayer(string) (layer.RWLayer, error) {
+	return nil, errors.New("not implemented")
+}
+
+func (ls *mockLayerStore) ReleaseRWLayer(layer.RWLayer) ([]layer.Metadata, error) {
+	return nil, errors.New("not implemented")
+}
+func (ls *mockLayerStore) GetMountID(string) (string, error) {
+	return "", errors.New("not implemented")
+}
+
+func (ls *mockLayerStore) Cleanup() error {
+	return nil
+}
+
+func (ls *mockLayerStore) DriverStatus() [][2]string {
+	return [][2]string{}
+}
+
+func (ls *mockLayerStore) DriverName() string {
+	return "mock"
+}
+
+type mockDownloadDescriptor struct {
+	currentDownloads *int32
+	id               string
+	diffID           layer.DiffID
+	registeredDiffID layer.DiffID
+	expectedDiffID   layer.DiffID
+	simulateRetries  int
+}
+
+// Key returns the key used to deduplicate downloads.
+func (d *mockDownloadDescriptor) Key() string {
+	return d.id
+}
+
+// ID returns the ID for display purposes.
+func (d *mockDownloadDescriptor) ID() string {
+	return d.id
+}
+
+// DiffID should return the DiffID for this layer, or an error
+// if it is unknown (for example, if it has not been downloaded
+// before).
+func (d *mockDownloadDescriptor) DiffID() (layer.DiffID, error) {
+	if d.diffID != "" {
+		return d.diffID, nil
+	}
+	return "", errors.New("no diffID available")
+}
+
+func (d *mockDownloadDescriptor) Registered(diffID layer.DiffID) {
+	d.registeredDiffID = diffID
+}
+
+func (d *mockDownloadDescriptor) mockTarStream() io.ReadCloser {
+	// The mock implementation returns the ID repeated 5 times as a tar
+	// stream instead of actual tar data. The data is ignored except for
+	// computing IDs.
+	return ioutil.NopCloser(bytes.NewBuffer([]byte(d.id + d.id + d.id + d.id + d.id)))
+}
+
+// Download is called to perform the download.
+func (d *mockDownloadDescriptor) Download(ctx context.Context, progressOutput progress.Output) (io.ReadCloser, int64, error) {
+	if d.currentDownloads != nil {
+		defer atomic.AddInt32(d.currentDownloads, -1)
+
+		if atomic.AddInt32(d.currentDownloads, 1) > maxDownloadConcurrency {
+			return nil, 0, errors.New("concurrency limit exceeded")
+		}
+	}
+
+	// Sleep a bit to simulate a time-consuming download.
+	for i := int64(0); i <= 10; i++ {
+		select {
+		case <-ctx.Done():
+			return nil, 0, ctx.Err()
+		case <-time.After(10 * time.Millisecond):
+			progressOutput.WriteProgress(progress.Progress{ID: d.ID(), Action: "Downloading", Current: i, Total: 10})
+		}
+	}
+
+	if d.simulateRetries != 0 {
+		d.simulateRetries--
+		return nil, 0, errors.New("simulating retry")
+	}
+
+	return d.mockTarStream(), 0, nil
+}
+
+func (d *mockDownloadDescriptor) Close() {
+}
+
+func downloadDescriptors(currentDownloads *int32) []DownloadDescriptor {
+	return []DownloadDescriptor{
+		&mockDownloadDescriptor{
+			currentDownloads: currentDownloads,
+			id:               "id1",
+			expectedDiffID:   layer.DiffID("sha256:68e2c75dc5c78ea9240689c60d7599766c213ae210434c53af18470ae8c53ec1"),
+		},
+		&mockDownloadDescriptor{
+			currentDownloads: currentDownloads,
+			id:               "id2",
+			expectedDiffID:   layer.DiffID("sha256:64a636223116aa837973a5d9c2bdd17d9b204e4f95ac423e20e65dfbb3655473"),
+		},
+		&mockDownloadDescriptor{
+			currentDownloads: currentDownloads,
+			id:               "id3",
+			expectedDiffID:   layer.DiffID("sha256:58745a8bbd669c25213e9de578c4da5c8ee1c836b3581432c2b50e38a6753300"),
+		},
+		&mockDownloadDescriptor{
+			currentDownloads: currentDownloads,
+			id:               "id2",
+			expectedDiffID:   layer.DiffID("sha256:64a636223116aa837973a5d9c2bdd17d9b204e4f95ac423e20e65dfbb3655473"),
+		},
+		&mockDownloadDescriptor{
+			currentDownloads: currentDownloads,
+			id:               "id4",
+			expectedDiffID:   layer.DiffID("sha256:0dfb5b9577716cc173e95af7c10289322c29a6453a1718addc00c0c5b1330936"),
+			simulateRetries:  1,
+		},
+		&mockDownloadDescriptor{
+			currentDownloads: currentDownloads,
+			id:               "id5",
+			expectedDiffID:   layer.DiffID("sha256:0a5f25fa1acbc647f6112a6276735d0fa01e4ee2aa7ec33015e337350e1ea23d"),
+		},
+	}
+}
+
+func TestSuccessfulDownload(t *testing.T) {
+	// TODO Windows: Fix this unit text
+	if runtime.GOOS == "windows" {
+		t.Skip("Needs fixing on Windows")
+	}
+
+	layerStore := &mockLayerStore{make(map[layer.ChainID]*mockLayer)}
+	lsMap := make(map[string]layer.Store)
+	lsMap[runtime.GOOS] = layerStore
+	ldm := NewLayerDownloadManager(lsMap, maxDownloadConcurrency, func(m *LayerDownloadManager) { m.waitDuration = time.Millisecond })
+
+	progressChan := make(chan progress.Progress)
+	progressDone := make(chan struct{})
+	receivedProgress := make(map[string]progress.Progress)
+
+	go func() {
+		for p := range progressChan {
+			receivedProgress[p.ID] = p
+		}
+		close(progressDone)
+	}()
+
+	var currentDownloads int32
+	descriptors := downloadDescriptors(&currentDownloads)
+
+	firstDescriptor := descriptors[0].(*mockDownloadDescriptor)
+
+	// Pre-register the first layer to simulate an already-existing layer
+	l, err := layerStore.Register(firstDescriptor.mockTarStream(), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	firstDescriptor.diffID = l.DiffID()
+
+	rootFS, releaseFunc, err := ldm.Download(context.Background(), *image.NewRootFS(), runtime.GOOS, descriptors, progress.ChanOutput(progressChan))
+	if err != nil {
+		t.Fatalf("download error: %v", err)
+	}
+
+	releaseFunc()
+
+	close(progressChan)
+	<-progressDone
+
+	if len(rootFS.DiffIDs) != len(descriptors) {
+		t.Fatal("got wrong number of diffIDs in rootfs")
+	}
+
+	for i, d := range descriptors {
+		descriptor := d.(*mockDownloadDescriptor)
+
+		if descriptor.diffID != "" {
+			if receivedProgress[d.ID()].Action != "Already exists" {
+				t.Fatalf("did not get 'Already exists' message for %v", d.ID())
+			}
+		} else if receivedProgress[d.ID()].Action != "Pull complete" {
+			t.Fatalf("did not get 'Pull complete' message for %v", d.ID())
+		}
+
+		if rootFS.DiffIDs[i] != descriptor.expectedDiffID {
+			t.Fatalf("rootFS item %d has the wrong diffID (expected: %v got: %v)", i, descriptor.expectedDiffID, rootFS.DiffIDs[i])
+		}
+
+		if descriptor.diffID == "" && descriptor.registeredDiffID != rootFS.DiffIDs[i] {
+			t.Fatal("diffID mismatch between rootFS and Registered callback")
+		}
+	}
+}
+
+func TestCancelledDownload(t *testing.T) {
+	layerStore := &mockLayerStore{make(map[layer.ChainID]*mockLayer)}
+	lsMap := make(map[string]layer.Store)
+	lsMap[runtime.GOOS] = layerStore
+	ldm := NewLayerDownloadManager(lsMap, maxDownloadConcurrency, func(m *LayerDownloadManager) { m.waitDuration = time.Millisecond })
+	progressChan := make(chan progress.Progress)
+	progressDone := make(chan struct{})
+
+	go func() {
+		for range progressChan {
+		}
+		close(progressDone)
+	}()
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func() {
+		<-time.After(time.Millisecond)
+		cancel()
+	}()
+
+	descriptors := downloadDescriptors(nil)
+	_, _, err := ldm.Download(ctx, *image.NewRootFS(), runtime.GOOS, descriptors, progress.ChanOutput(progressChan))
+	if err != context.Canceled {
+		t.Fatal("expected download to be cancelled")
+	}
+
+	close(progressChan)
+	<-progressDone
+}
diff --git a/engine/distribution/xfer/transfer.go b/engine/distribution/xfer/transfer.go
new file mode 100644
index 00000000..c356fde8
--- /dev/null
+++ b/engine/distribution/xfer/transfer.go
@@ -0,0 +1,401 @@
+package xfer // import "github.com/docker/docker/distribution/xfer"
+
+import (
+	"context"
+	"runtime"
+	"sync"
+
+	"github.com/docker/docker/pkg/progress"
+)
+
+// DoNotRetry is an error wrapper indicating that the error cannot be resolved
+// with a retry.
+type DoNotRetry struct {
+	Err error
+}
+
+// Error returns the stringified representation of the encapsulated error.
+func (e DoNotRetry) Error() string {
+	return e.Err.Error()
+}
+
+// Watcher is returned by Watch and can be passed to Release to stop watching.
+type Watcher struct {
+	// signalChan is used to signal to the watcher goroutine that
+	// new progress information is available, or that the transfer
+	// has finished.
+	signalChan chan struct{}
+	// releaseChan signals to the watcher goroutine that the watcher
+	// should be detached.
+	releaseChan chan struct{}
+	// running remains open as long as the watcher is watching the
+	// transfer. It gets closed if the transfer finishes or the
+	// watcher is detached.
+	running chan struct{}
+}
+
+// Transfer represents an in-progress transfer.
+type Transfer interface {
+	Watch(progressOutput progress.Output) *Watcher
+	Release(*Watcher)
+	Context() context.Context
+	Close()
+	Done() <-chan struct{}
+	Released() <-chan struct{}
+	Broadcast(masterProgressChan <-chan progress.Progress)
+}
+
+type transfer struct {
+	mu sync.Mutex
+
+	ctx    context.Context
+	cancel context.CancelFunc
+
+	// watchers keeps track of the goroutines monitoring progress output,
+	// indexed by the channels that release them.
+	watchers map[chan struct{}]*Watcher
+
+	// lastProgress is the most recently received progress event.
+	lastProgress progress.Progress
+	// hasLastProgress is true when lastProgress has been set.
+	hasLastProgress bool
+
+	// running remains open as long as the transfer is in progress.
+	running chan struct{}
+	// released stays open until all watchers release the transfer and
+	// the transfer is no longer tracked by the transfer manager.
+	released chan struct{}
+
+	// broadcastDone is true if the master progress channel has closed.
+	broadcastDone bool
+	// closed is true if Close has been called
+	closed bool
+	// broadcastSyncChan allows watchers to "ping" the broadcasting
+	// goroutine to wait for it for deplete its input channel. This ensures
+	// a detaching watcher won't miss an event that was sent before it
+	// started detaching.
+	broadcastSyncChan chan struct{}
+}
+
+// NewTransfer creates a new transfer.
+func NewTransfer() Transfer {
+	t := &transfer{
+		watchers:          make(map[chan struct{}]*Watcher),
+		running:           make(chan struct{}),
+		released:          make(chan struct{}),
+		broadcastSyncChan: make(chan struct{}),
+	}
+
+	// This uses context.Background instead of a caller-supplied context
+	// so that a transfer won't be cancelled automatically if the client
+	// which requested it is ^C'd (there could be other viewers).
+	t.ctx, t.cancel = context.WithCancel(context.Background())
+
+	return t
+}
+
+// Broadcast copies the progress and error output to all viewers.
+func (t *transfer) Broadcast(masterProgressChan <-chan progress.Progress) {
+	for {
+		var (
+			p  progress.Progress
+			ok bool
+		)
+		select {
+		case p, ok = <-masterProgressChan:
+		default:
+			// We've depleted the channel, so now we can handle
+			// reads on broadcastSyncChan to let detaching watchers
+			// know we're caught up.
+			select {
+			case <-t.broadcastSyncChan:
+				continue
+			case p, ok = <-masterProgressChan:
+			}
+		}
+
+		t.mu.Lock()
+		if ok {
+			t.lastProgress = p
+			t.hasLastProgress = true
+			for _, w := range t.watchers {
+				select {
+				case w.signalChan <- struct{}{}:
+				default:
+				}
+			}
+		} else {
+			t.broadcastDone = true
+		}
+		t.mu.Unlock()
+		if !ok {
+			close(t.running)
+			return
+		}
+	}
+}
+
+// Watch adds a watcher to the transfer. The supplied channel gets progress
+// updates and is closed when the transfer finishes.
+func (t *transfer) Watch(progressOutput progress.Output) *Watcher {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+
+	w := &Watcher{
+		releaseChan: make(chan struct{}),
+		signalChan:  make(chan struct{}),
+		running:     make(chan struct{}),
+	}
+
+	t.watchers[w.releaseChan] = w
+
+	if t.broadcastDone {
+		close(w.running)
+		return w
+	}
+
+	go func() {
+		defer func() {
+			close(w.running)
+		}()
+		var (
+			done           bool
+			lastWritten    progress.Progress
+			hasLastWritten bool
+		)
+		for {
+			t.mu.Lock()
+			hasLastProgress := t.hasLastProgress
+			lastProgress := t.lastProgress
+			t.mu.Unlock()
+
+			// Make sure we don't write the last progress item
+			// twice.
+			if hasLastProgress && (!done || !hasLastWritten || lastProgress != lastWritten) {
+				progressOutput.WriteProgress(lastProgress)
+				lastWritten = lastProgress
+				hasLastWritten = true
+			}
+
+			if done {
+				return
+			}
+
+			select {
+			case <-w.signalChan:
+			case <-w.releaseChan:
+				done = true
+				// Since the watcher is going to detach, make
+				// sure the broadcaster is caught up so we
+				// don't miss anything.
+				select {
+				case t.broadcastSyncChan <- struct{}{}:
+				case <-t.running:
+				}
+			case <-t.running:
+				done = true
+			}
+		}
+	}()
+
+	return w
+}
+
+// Release is the inverse of Watch; indicating that the watcher no longer wants
+// to be notified about the progress of the transfer. All calls to Watch must
+// be paired with later calls to Release so that the lifecycle of the transfer
+// is properly managed.
+func (t *transfer) Release(watcher *Watcher) {
+	t.mu.Lock()
+	delete(t.watchers, watcher.releaseChan)
+
+	if len(t.watchers) == 0 {
+		if t.closed {
+			// released may have been closed already if all
+			// watchers were released, then another one was added
+			// while waiting for a previous watcher goroutine to
+			// finish.
+			select {
+			case <-t.released:
+			default:
+				close(t.released)
+			}
+		} else {
+			t.cancel()
+		}
+	}
+	t.mu.Unlock()
+
+	close(watcher.releaseChan)
+	// Block until the watcher goroutine completes
+	<-watcher.running
+}
+
+// Done returns a channel which is closed if the transfer completes or is
+// cancelled. Note that having 0 watchers causes a transfer to be cancelled.
+func (t *transfer) Done() <-chan struct{} {
+	// Note that this doesn't return t.ctx.Done() because that channel will
+	// be closed the moment Cancel is called, and we need to return a
+	// channel that blocks until a cancellation is actually acknowledged by
+	// the transfer function.
+	return t.running
+}
+
+// Released returns a channel which is closed once all watchers release the
+// transfer AND the transfer is no longer tracked by the transfer manager.
+func (t *transfer) Released() <-chan struct{} {
+	return t.released
+}
+
+// Context returns the context associated with the transfer.
+func (t *transfer) Context() context.Context {
+	return t.ctx
+}
+
+// Close is called by the transfer manager when the transfer is no longer
+// being tracked.
+func (t *transfer) Close() {
+	t.mu.Lock()
+	t.closed = true
+	if len(t.watchers) == 0 {
+		close(t.released)
+	}
+	t.mu.Unlock()
+}
+
+// DoFunc is a function called by the transfer manager to actually perform
+// a transfer. It should be non-blocking. It should wait until the start channel
+// is closed before transferring any data. If the function closes inactive, that
+// signals to the transfer manager that the job is no longer actively moving
+// data - for example, it may be waiting for a dependent transfer to finish.
+// This prevents it from taking up a slot.
+type DoFunc func(progressChan chan<- progress.Progress, start <-chan struct{}, inactive chan<- struct{}) Transfer
+
+// TransferManager is used by LayerDownloadManager and LayerUploadManager to
+// schedule and deduplicate transfers. It is up to the TransferManager
+// implementation to make the scheduling and concurrency decisions.
+type TransferManager interface {
+	// Transfer checks if a transfer with the given key is in progress. If
+	// so, it returns progress and error output from that transfer.
+	// Otherwise, it will call xferFunc to initiate the transfer.
+	Transfer(key string, xferFunc DoFunc, progressOutput progress.Output) (Transfer, *Watcher)
+	// SetConcurrency set the concurrencyLimit so that it is adjustable daemon reload
+	SetConcurrency(concurrency int)
+}
+
+type transferManager struct {
+	mu sync.Mutex
+
+	concurrencyLimit int
+	activeTransfers  int
+	transfers        map[string]Transfer
+	waitingTransfers []chan struct{}
+}
+
+// NewTransferManager returns a new TransferManager.
+func NewTransferManager(concurrencyLimit int) TransferManager {
+	return &transferManager{
+		concurrencyLimit: concurrencyLimit,
+		transfers:        make(map[string]Transfer),
+	}
+}
+
+// SetConcurrency sets the concurrencyLimit
+func (tm *transferManager) SetConcurrency(concurrency int) {
+	tm.mu.Lock()
+	tm.concurrencyLimit = concurrency
+	tm.mu.Unlock()
+}
+
+// Transfer checks if a transfer matching the given key is in progress. If not,
+// it starts one by calling xferFunc. The caller supplies a channel which
+// receives progress output from the transfer.
+func (tm *transferManager) Transfer(key string, xferFunc DoFunc, progressOutput progress.Output) (Transfer, *Watcher) {
+	tm.mu.Lock()
+	defer tm.mu.Unlock()
+
+	for {
+		xfer, present := tm.transfers[key]
+		if !present {
+			break
+		}
+		// Transfer is already in progress.
+		watcher := xfer.Watch(progressOutput)
+
+		select {
+		case <-xfer.Context().Done():
+			// We don't want to watch a transfer that has been cancelled.
+			// Wait for it to be removed from the map and try again.
+			xfer.Release(watcher)
+			tm.mu.Unlock()
+			// The goroutine that removes this transfer from the
+			// map is also waiting for xfer.Done(), so yield to it.
+			// This could be avoided by adding a Closed method
+			// to Transfer to allow explicitly waiting for it to be
+			// removed the map, but forcing a scheduling round in
+			// this very rare case seems better than bloating the
+			// interface definition.
+			runtime.Gosched()
+			<-xfer.Done()
+			tm.mu.Lock()
+		default:
+			return xfer, watcher
+		}
+	}
+
+	start := make(chan struct{})
+	inactive := make(chan struct{})
+
+	if tm.concurrencyLimit == 0 || tm.activeTransfers < tm.concurrencyLimit {
+		close(start)
+		tm.activeTransfers++
+	} else {
+		tm.waitingTransfers = append(tm.waitingTransfers, start)
+	}
+
+	masterProgressChan := make(chan progress.Progress)
+	xfer := xferFunc(masterProgressChan, start, inactive)
+	watcher := xfer.Watch(progressOutput)
+	go xfer.Broadcast(masterProgressChan)
+	tm.transfers[key] = xfer
+
+	// When the transfer is finished, remove from the map.
+	go func() {
+		for {
+			select {
+			case <-inactive:
+				tm.mu.Lock()
+				tm.inactivate(start)
+				tm.mu.Unlock()
+				inactive = nil
+			case <-xfer.Done():
+				tm.mu.Lock()
+				if inactive != nil {
+					tm.inactivate(start)
+				}
+				delete(tm.transfers, key)
+				tm.mu.Unlock()
+				xfer.Close()
+				return
+			}
+		}
+	}()
+
+	return xfer, watcher
+}
+
+func (tm *transferManager) inactivate(start chan struct{}) {
+	// If the transfer was started, remove it from the activeTransfers
+	// count.
+	select {
+	case <-start:
+		// Start next transfer if any are waiting
+		if len(tm.waitingTransfers) != 0 {
+			close(tm.waitingTransfers[0])
+			tm.waitingTransfers = tm.waitingTransfers[1:]
+		} else {
+			tm.activeTransfers--
+		}
+	default:
+	}
+}
diff --git a/engine/distribution/xfer/transfer_test.go b/engine/distribution/xfer/transfer_test.go
new file mode 100644
index 00000000..a86e2795
--- /dev/null
+++ b/engine/distribution/xfer/transfer_test.go
@@ -0,0 +1,410 @@
+package xfer // import "github.com/docker/docker/distribution/xfer"
+
+import (
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/progress"
+)
+
+func TestTransfer(t *testing.T) {
+	makeXferFunc := func(id string) DoFunc {
+		return func(progressChan chan<- progress.Progress, start <-chan struct{}, inactive chan<- struct{}) Transfer {
+			select {
+			case <-start:
+			default:
+				t.Fatalf("transfer function not started even though concurrency limit not reached")
+			}
+
+			xfer := NewTransfer()
+			go func() {
+				for i := 0; i <= 10; i++ {
+					progressChan <- progress.Progress{ID: id, Action: "testing", Current: int64(i), Total: 10}
+					time.Sleep(10 * time.Millisecond)
+				}
+				close(progressChan)
+			}()
+			return xfer
+		}
+	}
+
+	tm := NewTransferManager(5)
+	progressChan := make(chan progress.Progress)
+	progressDone := make(chan struct{})
+	receivedProgress := make(map[string]int64)
+
+	go func() {
+		for p := range progressChan {
+			val, present := receivedProgress[p.ID]
+			if present && p.Current <= val {
+				t.Fatalf("got unexpected progress value: %d (expected %d)", p.Current, val+1)
+			}
+			receivedProgress[p.ID] = p.Current
+		}
+		close(progressDone)
+	}()
+
+	// Start a few transfers
+	ids := []string{"id1", "id2", "id3"}
+	xfers := make([]Transfer, len(ids))
+	watchers := make([]*Watcher, len(ids))
+	for i, id := range ids {
+		xfers[i], watchers[i] = tm.Transfer(id, makeXferFunc(id), progress.ChanOutput(progressChan))
+	}
+
+	for i, xfer := range xfers {
+		<-xfer.Done()
+		xfer.Release(watchers[i])
+	}
+	close(progressChan)
+	<-progressDone
+
+	for _, id := range ids {
+		if receivedProgress[id] != 10 {
+			t.Fatalf("final progress value %d instead of 10", receivedProgress[id])
+		}
+	}
+}
+
+func TestConcurrencyLimit(t *testing.T) {
+	concurrencyLimit := 3
+	var runningJobs int32
+
+	makeXferFunc := func(id string) DoFunc {
+		return func(progressChan chan<- progress.Progress, start <-chan struct{}, inactive chan<- struct{}) Transfer {
+			xfer := NewTransfer()
+			go func() {
+				<-start
+				totalJobs := atomic.AddInt32(&runningJobs, 1)
+				if int(totalJobs) > concurrencyLimit {
+					t.Fatalf("too many jobs running")
+				}
+				for i := 0; i <= 10; i++ {
+					progressChan <- progress.Progress{ID: id, Action: "testing", Current: int64(i), Total: 10}
+					time.Sleep(10 * time.Millisecond)
+				}
+				atomic.AddInt32(&runningJobs, -1)
+				close(progressChan)
+			}()
+			return xfer
+		}
+	}
+
+	tm := NewTransferManager(concurrencyLimit)
+	progressChan := make(chan progress.Progress)
+	progressDone := make(chan struct{})
+	receivedProgress := make(map[string]int64)
+
+	go func() {
+		for p := range progressChan {
+			receivedProgress[p.ID] = p.Current
+		}
+		close(progressDone)
+	}()
+
+	// Start more transfers than the concurrency limit
+	ids := []string{"id1", "id2", "id3", "id4", "id5", "id6", "id7", "id8"}
+	xfers := make([]Transfer, len(ids))
+	watchers := make([]*Watcher, len(ids))
+	for i, id := range ids {
+		xfers[i], watchers[i] = tm.Transfer(id, makeXferFunc(id), progress.ChanOutput(progressChan))
+	}
+
+	for i, xfer := range xfers {
+		<-xfer.Done()
+		xfer.Release(watchers[i])
+	}
+	close(progressChan)
+	<-progressDone
+
+	for _, id := range ids {
+		if receivedProgress[id] != 10 {
+			t.Fatalf("final progress value %d instead of 10", receivedProgress[id])
+		}
+	}
+}
+
+func TestInactiveJobs(t *testing.T) {
+	concurrencyLimit := 3
+	var runningJobs int32
+	testDone := make(chan struct{})
+
+	makeXferFunc := func(id string) DoFunc {
+		return func(progressChan chan<- progress.Progress, start <-chan struct{}, inactive chan<- struct{}) Transfer {
+			xfer := NewTransfer()
+			go func() {
+				<-start
+				totalJobs := atomic.AddInt32(&runningJobs, 1)
+				if int(totalJobs) > concurrencyLimit {
+					t.Fatalf("too many jobs running")
+				}
+				for i := 0; i <= 10; i++ {
+					progressChan <- progress.Progress{ID: id, Action: "testing", Current: int64(i), Total: 10}
+					time.Sleep(10 * time.Millisecond)
+				}
+				atomic.AddInt32(&runningJobs, -1)
+				close(inactive)
+				<-testDone
+				close(progressChan)
+			}()
+			return xfer
+		}
+	}
+
+	tm := NewTransferManager(concurrencyLimit)
+	progressChan := make(chan progress.Progress)
+	progressDone := make(chan struct{})
+	receivedProgress := make(map[string]int64)
+
+	go func() {
+		for p := range progressChan {
+			receivedProgress[p.ID] = p.Current
+		}
+		close(progressDone)
+	}()
+
+	// Start more transfers than the concurrency limit
+	ids := []string{"id1", "id2", "id3", "id4", "id5", "id6", "id7", "id8"}
+	xfers := make([]Transfer, len(ids))
+	watchers := make([]*Watcher, len(ids))
+	for i, id := range ids {
+		xfers[i], watchers[i] = tm.Transfer(id, makeXferFunc(id), progress.ChanOutput(progressChan))
+	}
+
+	close(testDone)
+	for i, xfer := range xfers {
+		<-xfer.Done()
+		xfer.Release(watchers[i])
+	}
+	close(progressChan)
+	<-progressDone
+
+	for _, id := range ids {
+		if receivedProgress[id] != 10 {
+			t.Fatalf("final progress value %d instead of 10", receivedProgress[id])
+		}
+	}
+}
+
+func TestWatchRelease(t *testing.T) {
+	ready := make(chan struct{})
+
+	makeXferFunc := func(id string) DoFunc {
+		return func(progressChan chan<- progress.Progress, start <-chan struct{}, inactive chan<- struct{}) Transfer {
+			xfer := NewTransfer()
+			go func() {
+				defer func() {
+					close(progressChan)
+				}()
+				<-ready
+				for i := int64(0); ; i++ {
+					select {
+					case <-time.After(10 * time.Millisecond):
+					case <-xfer.Context().Done():
+						return
+					}
+					progressChan <- progress.Progress{ID: id, Action: "testing", Current: i, Total: 10}
+				}
+			}()
+			return xfer
+		}
+	}
+
+	tm := NewTransferManager(5)
+
+	type watcherInfo struct {
+		watcher               *Watcher
+		progressChan          chan progress.Progress
+		progressDone          chan struct{}
+		receivedFirstProgress chan struct{}
+	}
+
+	progressConsumer := func(w watcherInfo) {
+		first := true
+		for range w.progressChan {
+			if first {
+				close(w.receivedFirstProgress)
+			}
+			first = false
+		}
+		close(w.progressDone)
+	}
+
+	// Start a transfer
+	watchers := make([]watcherInfo, 5)
+	var xfer Transfer
+	watchers[0].progressChan = make(chan progress.Progress)
+	watchers[0].progressDone = make(chan struct{})
+	watchers[0].receivedFirstProgress = make(chan struct{})
+	xfer, watchers[0].watcher = tm.Transfer("id1", makeXferFunc("id1"), progress.ChanOutput(watchers[0].progressChan))
+	go progressConsumer(watchers[0])
+
+	// Give it multiple watchers
+	for i := 1; i != len(watchers); i++ {
+		watchers[i].progressChan = make(chan progress.Progress)
+		watchers[i].progressDone = make(chan struct{})
+		watchers[i].receivedFirstProgress = make(chan struct{})
+		watchers[i].watcher = xfer.Watch(progress.ChanOutput(watchers[i].progressChan))
+		go progressConsumer(watchers[i])
+	}
+
+	// Now that the watchers are set up, allow the transfer goroutine to
+	// proceed.
+	close(ready)
+
+	// Confirm that each watcher gets progress output.
+	for _, w := range watchers {
+		<-w.receivedFirstProgress
+	}
+
+	// Release one watcher every 5ms
+	for _, w := range watchers {
+		xfer.Release(w.watcher)
+		<-time.After(5 * time.Millisecond)
+	}
+
+	// Now that all watchers have been released, Released() should
+	// return a closed channel.
+	<-xfer.Released()
+
+	// Done() should return a closed channel because the xfer func returned
+	// due to cancellation.
+	<-xfer.Done()
+
+	for _, w := range watchers {
+		close(w.progressChan)
+		<-w.progressDone
+	}
+}
+
+func TestWatchFinishedTransfer(t *testing.T) {
+	makeXferFunc := func(id string) DoFunc {
+		return func(progressChan chan<- progress.Progress, start <-chan struct{}, inactive chan<- struct{}) Transfer {
+			xfer := NewTransfer()
+			go func() {
+				// Finish immediately
+				close(progressChan)
+			}()
+			return xfer
+		}
+	}
+
+	tm := NewTransferManager(5)
+
+	// Start a transfer
+	watchers := make([]*Watcher, 3)
+	var xfer Transfer
+	xfer, watchers[0] = tm.Transfer("id1", makeXferFunc("id1"), progress.ChanOutput(make(chan progress.Progress)))
+
+	// Give it a watcher immediately
+	watchers[1] = xfer.Watch(progress.ChanOutput(make(chan progress.Progress)))
+
+	// Wait for the transfer to complete
+	<-xfer.Done()
+
+	// Set up another watcher
+	watchers[2] = xfer.Watch(progress.ChanOutput(make(chan progress.Progress)))
+
+	// Release the watchers
+	for _, w := range watchers {
+		xfer.Release(w)
+	}
+
+	// Now that all watchers have been released, Released() should
+	// return a closed channel.
+	<-xfer.Released()
+}
+
+func TestDuplicateTransfer(t *testing.T) {
+	ready := make(chan struct{})
+
+	var xferFuncCalls int32
+
+	makeXferFunc := func(id string) DoFunc {
+		return func(progressChan chan<- progress.Progress, start <-chan struct{}, inactive chan<- struct{}) Transfer {
+			atomic.AddInt32(&xferFuncCalls, 1)
+			xfer := NewTransfer()
+			go func() {
+				defer func() {
+					close(progressChan)
+				}()
+				<-ready
+				for i := int64(0); ; i++ {
+					select {
+					case <-time.After(10 * time.Millisecond):
+					case <-xfer.Context().Done():
+						return
+					}
+					progressChan <- progress.Progress{ID: id, Action: "testing", Current: i, Total: 10}
+				}
+			}()
+			return xfer
+		}
+	}
+
+	tm := NewTransferManager(5)
+
+	type transferInfo struct {
+		xfer                  Transfer
+		watcher               *Watcher
+		progressChan          chan progress.Progress
+		progressDone          chan struct{}
+		receivedFirstProgress chan struct{}
+	}
+
+	progressConsumer := func(t transferInfo) {
+		first := true
+		for range t.progressChan {
+			if first {
+				close(t.receivedFirstProgress)
+			}
+			first = false
+		}
+		close(t.progressDone)
+	}
+
+	// Try to start multiple transfers with the same ID
+	transfers := make([]transferInfo, 5)
+	for i := range transfers {
+		t := &transfers[i]
+		t.progressChan = make(chan progress.Progress)
+		t.progressDone = make(chan struct{})
+		t.receivedFirstProgress = make(chan struct{})
+		t.xfer, t.watcher = tm.Transfer("id1", makeXferFunc("id1"), progress.ChanOutput(t.progressChan))
+		go progressConsumer(*t)
+	}
+
+	// Allow the transfer goroutine to proceed.
+	close(ready)
+
+	// Confirm that each watcher gets progress output.
+	for _, t := range transfers {
+		<-t.receivedFirstProgress
+	}
+
+	// Confirm that the transfer function was called exactly once.
+	if xferFuncCalls != 1 {
+		t.Fatal("transfer function wasn't called exactly once")
+	}
+
+	// Release one watcher every 5ms
+	for _, t := range transfers {
+		t.xfer.Release(t.watcher)
+		<-time.After(5 * time.Millisecond)
+	}
+
+	for _, t := range transfers {
+		// Now that all watchers have been released, Released() should
+		// return a closed channel.
+		<-t.xfer.Released()
+		// Done() should return a closed channel because the xfer func returned
+		// due to cancellation.
+		<-t.xfer.Done()
+	}
+
+	for _, t := range transfers {
+		close(t.progressChan)
+		<-t.progressDone
+	}
+}
diff --git a/engine/distribution/xfer/upload.go b/engine/distribution/xfer/upload.go
new file mode 100644
index 00000000..33b45ad7
--- /dev/null
+++ b/engine/distribution/xfer/upload.go
@@ -0,0 +1,174 @@
+package xfer // import "github.com/docker/docker/distribution/xfer"
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/docker/distribution"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/sirupsen/logrus"
+)
+
+const maxUploadAttempts = 5
+
+// LayerUploadManager provides task management and progress reporting for
+// uploads.
+type LayerUploadManager struct {
+	tm           TransferManager
+	waitDuration time.Duration
+}
+
+// SetConcurrency sets the max concurrent uploads for each push
+func (lum *LayerUploadManager) SetConcurrency(concurrency int) {
+	lum.tm.SetConcurrency(concurrency)
+}
+
+// NewLayerUploadManager returns a new LayerUploadManager.
+func NewLayerUploadManager(concurrencyLimit int, options ...func(*LayerUploadManager)) *LayerUploadManager {
+	manager := LayerUploadManager{
+		tm:           NewTransferManager(concurrencyLimit),
+		waitDuration: time.Second,
+	}
+	for _, option := range options {
+		option(&manager)
+	}
+	return &manager
+}
+
+type uploadTransfer struct {
+	Transfer
+
+	remoteDescriptor distribution.Descriptor
+	err              error
+}
+
+// An UploadDescriptor references a layer that may need to be uploaded.
+type UploadDescriptor interface {
+	// Key returns the key used to deduplicate uploads.
+	Key() string
+	// ID returns the ID for display purposes.
+	ID() string
+	// DiffID should return the DiffID for this layer.
+	DiffID() layer.DiffID
+	// Upload is called to perform the Upload.
+	Upload(ctx context.Context, progressOutput progress.Output) (distribution.Descriptor, error)
+	// SetRemoteDescriptor provides the distribution.Descriptor that was
+	// returned by Upload. This descriptor is not to be confused with
+	// the UploadDescriptor interface, which is used for internally
+	// identifying layers that are being uploaded.
+	SetRemoteDescriptor(descriptor distribution.Descriptor)
+}
+
+// Upload is a blocking function which ensures the listed layers are present on
+// the remote registry. It uses the string returned by the Key method to
+// deduplicate uploads.
+func (lum *LayerUploadManager) Upload(ctx context.Context, layers []UploadDescriptor, progressOutput progress.Output) error {
+	var (
+		uploads          []*uploadTransfer
+		dedupDescriptors = make(map[string]*uploadTransfer)
+	)
+
+	for _, descriptor := range layers {
+		progress.Update(progressOutput, descriptor.ID(), "Preparing")
+
+		key := descriptor.Key()
+		if _, present := dedupDescriptors[key]; present {
+			continue
+		}
+
+		xferFunc := lum.makeUploadFunc(descriptor)
+		upload, watcher := lum.tm.Transfer(descriptor.Key(), xferFunc, progressOutput)
+		defer upload.Release(watcher)
+		uploads = append(uploads, upload.(*uploadTransfer))
+		dedupDescriptors[key] = upload.(*uploadTransfer)
+	}
+
+	for _, upload := range uploads {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-upload.Transfer.Done():
+			if upload.err != nil {
+				return upload.err
+			}
+		}
+	}
+	for _, l := range layers {
+		l.SetRemoteDescriptor(dedupDescriptors[l.Key()].remoteDescriptor)
+	}
+
+	return nil
+}
+
+func (lum *LayerUploadManager) makeUploadFunc(descriptor UploadDescriptor) DoFunc {
+	return func(progressChan chan<- progress.Progress, start <-chan struct{}, inactive chan<- struct{}) Transfer {
+		u := &uploadTransfer{
+			Transfer: NewTransfer(),
+		}
+
+		go func() {
+			defer func() {
+				close(progressChan)
+			}()
+
+			progressOutput := progress.ChanOutput(progressChan)
+
+			select {
+			case <-start:
+			default:
+				progress.Update(progressOutput, descriptor.ID(), "Waiting")
+				<-start
+			}
+
+			retries := 0
+			for {
+				remoteDescriptor, err := descriptor.Upload(u.Transfer.Context(), progressOutput)
+				if err == nil {
+					u.remoteDescriptor = remoteDescriptor
+					break
+				}
+
+				// If an error was returned because the context
+				// was cancelled, we shouldn't retry.
+				select {
+				case <-u.Transfer.Context().Done():
+					u.err = err
+					return
+				default:
+				}
+
+				retries++
+				if _, isDNR := err.(DoNotRetry); isDNR || retries == maxUploadAttempts {
+					logrus.Errorf("Upload failed: %v", err)
+					u.err = err
+					return
+				}
+
+				logrus.Errorf("Upload failed, retrying: %v", err)
+				delay := retries * 5
+				ticker := time.NewTicker(lum.waitDuration)
+
+			selectLoop:
+				for {
+					progress.Updatef(progressOutput, descriptor.ID(), "Retrying in %d second%s", delay, (map[bool]string{true: "s"})[delay != 1])
+					select {
+					case <-ticker.C:
+						delay--
+						if delay == 0 {
+							ticker.Stop()
+							break selectLoop
+						}
+					case <-u.Transfer.Context().Done():
+						ticker.Stop()
+						u.err = errors.New("upload cancelled during retry delay")
+						return
+					}
+				}
+			}
+		}()
+
+		return u
+	}
+}
diff --git a/engine/distribution/xfer/upload_test.go b/engine/distribution/xfer/upload_test.go
new file mode 100644
index 00000000..4507feac
--- /dev/null
+++ b/engine/distribution/xfer/upload_test.go
@@ -0,0 +1,134 @@
+package xfer // import "github.com/docker/docker/distribution/xfer"
+
+import (
+	"context"
+	"errors"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/docker/distribution"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/progress"
+)
+
+const maxUploadConcurrency = 3
+
+type mockUploadDescriptor struct {
+	currentUploads  *int32
+	diffID          layer.DiffID
+	simulateRetries int
+}
+
+// Key returns the key used to deduplicate downloads.
+func (u *mockUploadDescriptor) Key() string {
+	return u.diffID.String()
+}
+
+// ID returns the ID for display purposes.
+func (u *mockUploadDescriptor) ID() string {
+	return u.diffID.String()
+}
+
+// DiffID should return the DiffID for this layer.
+func (u *mockUploadDescriptor) DiffID() layer.DiffID {
+	return u.diffID
+}
+
+// SetRemoteDescriptor is not used in the mock.
+func (u *mockUploadDescriptor) SetRemoteDescriptor(remoteDescriptor distribution.Descriptor) {
+}
+
+// Upload is called to perform the upload.
+func (u *mockUploadDescriptor) Upload(ctx context.Context, progressOutput progress.Output) (distribution.Descriptor, error) {
+	if u.currentUploads != nil {
+		defer atomic.AddInt32(u.currentUploads, -1)
+
+		if atomic.AddInt32(u.currentUploads, 1) > maxUploadConcurrency {
+			return distribution.Descriptor{}, errors.New("concurrency limit exceeded")
+		}
+	}
+
+	// Sleep a bit to simulate a time-consuming upload.
+	for i := int64(0); i <= 10; i++ {
+		select {
+		case <-ctx.Done():
+			return distribution.Descriptor{}, ctx.Err()
+		case <-time.After(10 * time.Millisecond):
+			progressOutput.WriteProgress(progress.Progress{ID: u.ID(), Current: i, Total: 10})
+		}
+	}
+
+	if u.simulateRetries != 0 {
+		u.simulateRetries--
+		return distribution.Descriptor{}, errors.New("simulating retry")
+	}
+
+	return distribution.Descriptor{}, nil
+}
+
+func uploadDescriptors(currentUploads *int32) []UploadDescriptor {
+	return []UploadDescriptor{
+		&mockUploadDescriptor{currentUploads, layer.DiffID("sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"), 0},
+		&mockUploadDescriptor{currentUploads, layer.DiffID("sha256:1515325234325236634634608943609283523908626098235490238423902343"), 0},
+		&mockUploadDescriptor{currentUploads, layer.DiffID("sha256:6929356290463485374960346430698374523437683470934634534953453453"), 0},
+		&mockUploadDescriptor{currentUploads, layer.DiffID("sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"), 0},
+		&mockUploadDescriptor{currentUploads, layer.DiffID("sha256:8159352387436803946235346346368745389534789534897538734598734987"), 1},
+		&mockUploadDescriptor{currentUploads, layer.DiffID("sha256:4637863963478346897346987346987346789346789364879364897364987346"), 0},
+	}
+}
+
+func TestSuccessfulUpload(t *testing.T) {
+	lum := NewLayerUploadManager(maxUploadConcurrency, func(m *LayerUploadManager) { m.waitDuration = time.Millisecond })
+
+	progressChan := make(chan progress.Progress)
+	progressDone := make(chan struct{})
+	receivedProgress := make(map[string]int64)
+
+	go func() {
+		for p := range progressChan {
+			receivedProgress[p.ID] = p.Current
+		}
+		close(progressDone)
+	}()
+
+	var currentUploads int32
+	descriptors := uploadDescriptors(&currentUploads)
+
+	err := lum.Upload(context.Background(), descriptors, progress.ChanOutput(progressChan))
+	if err != nil {
+		t.Fatalf("upload error: %v", err)
+	}
+
+	close(progressChan)
+	<-progressDone
+}
+
+func TestCancelledUpload(t *testing.T) {
+	lum := NewLayerUploadManager(maxUploadConcurrency, func(m *LayerUploadManager) { m.waitDuration = time.Millisecond })
+
+	progressChan := make(chan progress.Progress)
+	progressDone := make(chan struct{})
+
+	go func() {
+		for range progressChan {
+		}
+		close(progressDone)
+	}()
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func() {
+		<-time.After(time.Millisecond)
+		cancel()
+	}()
+
+	descriptors := uploadDescriptors(nil)
+	err := lum.Upload(ctx, descriptors, progress.ChanOutput(progressChan))
+	if err != context.Canceled {
+		t.Fatal("expected upload to be cancelled")
+	}
+
+	close(progressChan)
+	<-progressDone
+}
diff --git a/engine/dockerversion/useragent.go b/engine/dockerversion/useragent.go
new file mode 100644
index 00000000..2eceb6fa
--- /dev/null
+++ b/engine/dockerversion/useragent.go
@@ -0,0 +1,76 @@
+package dockerversion // import "github.com/docker/docker/dockerversion"
+
+import (
+	"context"
+	"fmt"
+	"runtime"
+
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"github.com/docker/docker/pkg/useragent"
+)
+
+// UAStringKey is used as key type for user-agent string in net/context struct
+const UAStringKey = "upstream-user-agent"
+
+// DockerUserAgent is the User-Agent the Docker client uses to identify itself.
+// In accordance with RFC 7231 (5.5.3) is of the form:
+//    [docker client's UA] UpstreamClient([upstream client's UA])
+func DockerUserAgent(ctx context.Context) string {
+	httpVersion := make([]useragent.VersionInfo, 0, 6)
+	httpVersion = append(httpVersion, useragent.VersionInfo{Name: "docker", Version: Version})
+	httpVersion = append(httpVersion, useragent.VersionInfo{Name: "go", Version: runtime.Version()})
+	httpVersion = append(httpVersion, useragent.VersionInfo{Name: "git-commit", Version: GitCommit})
+	if kernelVersion, err := kernel.GetKernelVersion(); err == nil {
+		httpVersion = append(httpVersion, useragent.VersionInfo{Name: "kernel", Version: kernelVersion.String()})
+	}
+	httpVersion = append(httpVersion, useragent.VersionInfo{Name: "os", Version: runtime.GOOS})
+	httpVersion = append(httpVersion, useragent.VersionInfo{Name: "arch", Version: runtime.GOARCH})
+
+	dockerUA := useragent.AppendVersions("", httpVersion...)
+	upstreamUA := getUserAgentFromContext(ctx)
+	if len(upstreamUA) > 0 {
+		ret := insertUpstreamUserAgent(upstreamUA, dockerUA)
+		return ret
+	}
+	return dockerUA
+}
+
+// getUserAgentFromContext returns the previously saved user-agent context stored in ctx, if one exists
+func getUserAgentFromContext(ctx context.Context) string {
+	var upstreamUA string
+	if ctx != nil {
+		var ki interface{} = ctx.Value(UAStringKey)
+		if ki != nil {
+			upstreamUA = ctx.Value(UAStringKey).(string)
+		}
+	}
+	return upstreamUA
+}
+
+// escapeStr returns s with every rune in charsToEscape escaped by a backslash
+func escapeStr(s string, charsToEscape string) string {
+	var ret string
+	for _, currRune := range s {
+		appended := false
+		for _, escapableRune := range charsToEscape {
+			if currRune == escapableRune {
+				ret += `\` + string(currRune)
+				appended = true
+				break
+			}
+		}
+		if !appended {
+			ret += string(currRune)
+		}
+	}
+	return ret
+}
+
+// insertUpstreamUserAgent adds the upstream client useragent to create a user-agent
+// string of the form:
+//   $dockerUA UpstreamClient($upstreamUA)
+func insertUpstreamUserAgent(upstreamUA string, dockerUA string) string {
+	charsToEscape := `();\`
+	upstreamUAEscaped := escapeStr(upstreamUA, charsToEscape)
+	return fmt.Sprintf("%s UpstreamClient(%s)", dockerUA, upstreamUAEscaped)
+}
diff --git a/engine/dockerversion/version_lib.go b/engine/dockerversion/version_lib.go
new file mode 100644
index 00000000..ff181650
--- /dev/null
+++ b/engine/dockerversion/version_lib.go
@@ -0,0 +1,18 @@
+// +build !autogen
+
+// Package dockerversion is auto-generated at build-time
+package dockerversion // import "github.com/docker/docker/dockerversion"
+
+// Default build-time variable for library-import.
+// This file is overridden on build with build-time informations.
+const (
+	GitCommit          = "library-import"
+	Version            = "library-import"
+	BuildTime          = "library-import"
+	IAmStatic          = "library-import"
+	ContainerdCommitID = "library-import"
+	RuncCommitID       = "library-import"
+	InitCommitID       = "library-import"
+	PlatformName       = ""
+	ProductName        = ""
+)
diff --git a/engine/docs/api/v1.18.md b/engine/docs/api/v1.18.md
new file mode 100644
index 00000000..32770142
--- /dev/null
+++ b/engine/docs/api/v1.18.md
@@ -0,0 +1,2179 @@
+---
+title: "Engine API v1.18"
+description: "API Documentation for Docker"
+keywords: "API, Docker, rcli, REST, documentation"
+redirect_from:
+- /engine/reference/api/docker_remote_api_v1.18/
+- /reference/api/docker_remote_api_v1.18/
+---
+
+<!-- This file is maintained within the moby/moby GitHub
+     repository at https://github.com/moby/moby/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+## 1. Brief introduction
+
+ - The daemon listens on `unix:///var/run/docker.sock` but you can
+   [Bind Docker to another host/port or a Unix socket](../reference/commandline/dockerd.md#bind-docker-to-another-host-port-or-a-unix-socket).
+ - The API tends to be REST, but for some complex commands, like `attach`
+   or `pull`, the HTTP connection is hijacked to transport `stdout`,
+   `stdin` and `stderr`.
+ - A `Content-Length` header should be present in `POST` requests to endpoints
+   that expect a body.
+ - To lock to a specific version of the API, you prefix the URL with the version
+   of the API to use. For example, `/v1.18/info`. If no version is included in
+   the URL, the maximum supported API version is used.
+ - If the API version specified in the URL is not supported by the daemon, a HTTP
+   `400 Bad Request` error message is returned.
+
+## 2. Endpoints
+
+### 2.1 Containers
+
+#### List containers
+
+`GET /containers/json`
+
+List containers
+
+**Example request**:
+
+    GET /v1.18/containers/json?all=1&before=8dfafdbc3a40&size=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Id": "8dfafdbc3a40",
+                 "Names":["/boring_feynman"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 1",
+                 "Created": 1367854155,
+                 "Status": "Exit 0",
+                 "Ports": [{"PrivatePort": 2222, "PublicPort": 3333, "Type": "tcp"}],
+                 "Labels": {
+                         "com.example.vendor": "Acme",
+                         "com.example.license": "GPL",
+                         "com.example.version": "1.0"
+                 },
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         },
+         {
+                 "Id": "9cd87474be90",
+                 "Names":["/coolName"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 222222",
+                 "Created": 1367854155,
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         },
+         {
+                 "Id": "3176a2479c92",
+                 "Names":["/sleepy_dog"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 3333333333333333",
+                 "Created": 1367854154,
+                 "Status": "Exit 0",
+                 "Ports":[],
+                 "Labels": {},
+                 "SizeRw":12288,
+                 "SizeRootFs":0
+         },
+         {
+                 "Id": "4cb07b47f9fb",
+                 "Names":["/running_cat"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 444444444444444444444444444444444",
+                 "Created": 1367854152,
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         }
+    ]
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, Show all containers.
+        Only running containers are shown by default (i.e., this defaults to false)
+-   **limit** – Show `limit` last created
+        containers, include non-running ones.
+-   **since** – Show only containers created since Id, include
+        non-running ones.
+-   **before** – Show only containers created before Id, include
+        non-running ones.
+-   **size** – 1/True/true or 0/False/false, Show the containers
+        sizes
+-   **filters** - a JSON encoded value of the filters (a `map[string][]string`) to process on the containers list. Available filters:
+  -   `exited=<int>`; -- containers with exit code of  `<int>` ;
+  -   `status=`(`restarting`|`running`|`paused`|`exited`)
+  -   `label=key` or `label="key=value"` of a container label
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **500** – server error
+
+#### Create a container
+
+`POST /containers/create`
+
+Create a container
+
+**Example request**:
+
+    POST /v1.18/containers/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+           "Hostname": "",
+           "Domainname": "",
+           "User": "",
+           "AttachStdin": false,
+           "AttachStdout": true,
+           "AttachStderr": true,
+           "Tty": false,
+           "OpenStdin": false,
+           "StdinOnce": false,
+           "Env": [
+                   "FOO=bar",
+                   "BAZ=quux"
+           ],
+           "Cmd": [
+                   "date"
+           ],
+           "Entrypoint": null,
+           "Image": "ubuntu",
+           "Labels": {
+                   "com.example.vendor": "Acme",
+                   "com.example.license": "GPL",
+                   "com.example.version": "1.0"
+           },
+           "Volumes": {
+             "/volumes/data": {}
+           },
+           "WorkingDir": "",
+           "NetworkDisabled": false,
+           "MacAddress": "12:34:56:78:9a:bc",
+           "ExposedPorts": {
+                   "22/tcp": {}
+           },
+           "HostConfig": {
+             "Binds": ["/tmp:/tmp"],
+             "Links": ["redis3:redis"],
+             "LxcConf": {"lxc.utsname":"docker"},
+             "Memory": 0,
+             "MemorySwap": 0,
+             "CpuShares": 512,
+             "CpusetCpus": "0,1",
+             "PidMode": "",
+             "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+             "PublishAllPorts": false,
+             "Privileged": false,
+             "ReadonlyRootfs": false,
+             "Dns": ["8.8.8.8"],
+             "DnsSearch": [""],
+             "ExtraHosts": null,
+             "VolumesFrom": ["parent", "other:ro"],
+             "CapAdd": ["NET_ADMIN"],
+             "CapDrop": ["MKNOD"],
+             "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+             "NetworkMode": "bridge",
+             "Devices": [],
+             "Ulimits": [{}],
+             "LogConfig": { "Type": "json-file", "Config": {} },
+             "SecurityOpt": [],
+             "CgroupParent": ""
+          }
+      }
+
+**Example response**:
+
+      HTTP/1.1 201 Created
+      Content-Type: application/json
+
+      {
+           "Id":"e90e34656806",
+           "Warnings":[]
+      }
+
+**JSON parameters**:
+
+-   **Hostname** - A string value containing the hostname to use for the
+      container.
+-   **Domainname** - A string value containing the domain name to use
+      for the container.
+-   **User** - A string value specifying the user inside the container.
+-   **AttachStdin** - Boolean value, attaches to `stdin`.
+-   **AttachStdout** - Boolean value, attaches to `stdout`.
+-   **AttachStderr** - Boolean value, attaches to `stderr`.
+-   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
+-   **OpenStdin** - Boolean value, opens `stdin`,
+-   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Entrypoint** - Set the entry point for the container as a string or an array
+      of strings.
+-   **Image** - A string specifying the image name to use for the container.
+-   **Volumes** - An object mapping mount point paths (strings) inside the
+      container to empty objects.
+-   **WorkingDir** - A string specifying the working directory for commands to
+      run in.
+-   **NetworkDisabled** - Boolean value, when true disables networking for the
+      container
+-   **ExposedPorts** - An object mapping ports to an empty object in the form of:
+      `"ExposedPorts": { "<port>/<tcp|udp>: {}" }`
+-   **HostConfig**
+    -   **Binds** – A list of bind mounts for this container. Each item is a string in one of these forms:
+           + `host-src:container-dest` to bind-mount a host path into the
+             container. Both `host-src`, and `container-dest` must be an
+             _absolute_ path.
+           + `host-src:container-dest:ro` to make the bind mount read-only
+             inside the container. Both `host-src`, and `container-dest` must be
+             an _absolute_ path.
+    -   **Links** - A list of links for the container. Each link entry should be
+          in the form of `container_name:alias`.
+    -   **LxcConf** - LXC specific configurations. These configurations only
+          work when using the `lxc` execution driver.
+    -   **Memory** - Memory limit in bytes.
+    -   **MemorySwap** - Total memory limit (memory + swap); set `-1` to enable unlimited swap.
+          You must use this with `memory` and make the swap value larger than `memory`.
+    -   **CpuShares** - An integer value containing the container's CPU Shares
+          (ie. the relative weight vs other containers).
+    -   **CpusetCpus** - String value containing the `cgroups CpusetCpus` to use.
+    -   **PidMode** - Set the PID (Process) Namespace mode for the container;
+          `"container:<name|id>"`: joins another container's PID namespace
+          `"host"`: use the host's PID namespace inside the container
+    -   **PortBindings** - A map of exposed container ports and the host port they
+          should map to. A JSON object in the form
+          `{ <port>/<protocol>: [{ "HostPort": "<port>" }] }`
+          Take note that `port` is specified as a string and not an integer value.
+    -   **PublishAllPorts** - Allocates an ephemeral host port for all of a container's
+          exposed ports. Specified as a boolean value.
+
+          Ports are de-allocated when the container stops and allocated when the container starts.
+          The allocated port might be changed when restarting the container.
+
+          The port is selected from the ephemeral port range that depends on the kernel.
+          For example, on Linux the range is defined by `/proc/sys/net/ipv4/ip_local_port_range`.
+    -   **Privileged** - Gives the container full access to the host. Specified as
+          a boolean value.
+    -   **ReadonlyRootfs** - Mount the container's root filesystem as read only.
+          Specified as a boolean value.
+    -   **Dns** - A list of DNS servers for the container to use.
+    -   **DnsSearch** - A list of DNS search domains
+    -   **ExtraHosts** - A list of hostnames/IP mappings to add to the
+        container's `/etc/hosts` file. Specified in the form `["hostname:IP"]`.
+    -   **VolumesFrom** - A list of volumes to inherit from another container.
+          Specified in the form `<container name>[:<ro|rw>]`
+    -   **CapAdd** - A list of kernel capabilities to add to the container.
+    -   **Capdrop** - A list of kernel capabilities to drop from the container.
+    -   **RestartPolicy** – The behavior to apply when the container exits.  The
+            value is an object with a `Name` property of either `"always"` to
+            always restart or `"on-failure"` to restart only when the container
+            exit code is non-zero.  If `on-failure` is used, `MaximumRetryCount`
+            controls the number of times to retry before giving up.
+            The default is not to restart. (optional)
+            An ever increasing delay (double the previous delay, starting at 100mS)
+            is added before each restart to prevent flooding the server.
+    -   **NetworkMode** - Sets the networking mode for the container. Supported
+          values are: `bridge`, `host`, `none`, and `container:<name|id>`
+    -   **Devices** - A list of devices to add to the container specified as a JSON object in the
+      form
+          `{ "PathOnHost": "/dev/deviceName", "PathInContainer": "/dev/deviceName", "CgroupPermissions": "mrw"}`
+    -   **Ulimits** - A list of ulimits to set in the container, specified as
+          `{ "Name": <name>, "Soft": <soft limit>, "Hard": <hard limit> }`, for example:
+          `Ulimits: { "Name": "nofile", "Soft": 1024, "Hard": 2048 }`
+    -   **SecurityOpt**: A list of string values to customize labels for MLS
+        systems, such as SELinux.
+    -   **LogConfig** - Log configuration for the container, specified as a JSON object in the form
+          `{ "Type": "<driver_name>", "Config": {"key1": "val1"}}`.
+          Available types: `json-file`, `syslog`, `journald`, `none`.
+          `json-file` logging driver.
+    -   **CgroupParent** - Path to `cgroups` under which the container's `cgroup` is created. If the path is not absolute, the path is considered to be relative to the `cgroups` path of the init process. Cgroups are created if they do not already exist.
+
+**Query parameters**:
+
+-   **name** – Assign the specified name to the container. Must
+    match `/?[a-zA-Z0-9_-]+`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **406** – impossible to attach (container not running)
+-   **409** – conflict
+-   **500** – server error
+
+#### Inspect a container
+
+`GET /containers/(id or name)/json`
+
+Return low-level information on the container `id`
+
+**Example request**:
+
+      GET /v1.18/containers/4fa6e0f0c678/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+	{
+		"AppArmorProfile": "",
+		"Args": [
+			"-c",
+			"exit 9"
+		],
+		"Config": {
+			"AttachStderr": true,
+			"AttachStdin": false,
+			"AttachStdout": true,
+			"Cmd": [
+				"/bin/sh",
+				"-c",
+				"exit 9"
+			],
+			"Domainname": "",
+			"Entrypoint": null,
+			"Env": [
+				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+			],
+			"ExposedPorts": null,
+			"Hostname": "ba033ac44011",
+			"Image": "ubuntu",
+			"Labels": {
+				"com.example.vendor": "Acme",
+				"com.example.license": "GPL",
+				"com.example.version": "1.0"
+			},
+			"MacAddress": "",
+			"NetworkDisabled": false,
+			"OnBuild": null,
+			"OpenStdin": false,
+			"PortSpecs": null,
+			"StdinOnce": false,
+			"Tty": false,
+			"User": "",
+			"Volumes": null,
+			"WorkingDir": ""
+		},
+		"Created": "2015-01-06T15:47:31.485331387Z",
+		"Driver": "devicemapper",
+		"ExecDriver": "native-0.2",
+		"ExecIDs": null,
+		"HostConfig": {
+			"Binds": null,
+			"CapAdd": null,
+			"CapDrop": null,
+			"ContainerIDFile": "",
+			"CpusetCpus": "",
+			"CpuShares": 0,
+			"Devices": [],
+			"Dns": null,
+			"DnsSearch": null,
+			"ExtraHosts": null,
+			"IpcMode": "",
+			"Links": null,
+			"LxcConf": [],
+			"Memory": 0,
+			"MemorySwap": 0,
+			"NetworkMode": "bridge",
+			"PidMode": "",
+			"PortBindings": {},
+			"Privileged": false,
+			"ReadonlyRootfs": false,
+			"PublishAllPorts": false,
+			"RestartPolicy": {
+				"MaximumRetryCount": 2,
+				"Name": "on-failure"
+			},
+			"LogConfig": {
+				"Config": null,
+				"Type": "json-file"
+			},
+			"SecurityOpt": null,
+			"VolumesFrom": null,
+			"Ulimits": [{}]
+		},
+		"HostnamePath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hostname",
+		"HostsPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hosts",
+		"LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+		"Id": "ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39",
+		"Image": "04c5d3b7b0656168630d3ba35d8889bd0e9caafcaeb3004d2bfbc47e7c5d35d2",
+		"MountLabel": "",
+		"Name": "/boring_euclid",
+		"NetworkSettings": {
+			"Bridge": "",
+			"Gateway": "",
+			"IPAddress": "",
+			"IPPrefixLen": 0,
+			"MacAddress": "",
+			"PortMapping": null,
+			"Ports": null
+		},
+		"Path": "/bin/sh",
+		"ProcessLabel": "",
+		"ResolvConfPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/resolv.conf",
+		"RestartCount": 1,
+		"State": {
+			"Error": "",
+			"ExitCode": 9,
+			"FinishedAt": "2015-01-06T15:47:32.080254511Z",
+			"OOMKilled": false,
+			"Paused": false,
+			"Pid": 0,
+			"Restarting": false,
+			"Running": true,
+			"StartedAt": "2015-01-06T15:47:32.072697474Z"
+		},
+		"Volumes": {},
+		"VolumesRW": {}
+	}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### List processes running inside a container
+
+`GET /containers/(id or name)/top`
+
+List processes running inside the container `id`. On Unix systems this
+is done by running the `ps` command. This endpoint is not
+supported on Windows.
+
+**Example request**:
+
+    GET /v1.18/containers/4fa6e0f0c678/top HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Titles" : [
+         "UID", "PID", "PPID", "C", "STIME", "TTY", "TIME", "CMD"
+       ],
+       "Processes" : [
+         [
+           "root", "13642", "882", "0", "17:03", "pts/0", "00:00:00", "/bin/bash"
+         ],
+         [
+           "root", "13735", "13642", "0", "17:06", "pts/0", "00:00:00", "sleep 10"
+         ]
+       ]
+    }
+
+**Example request**:
+
+    GET /v1.18/containers/4fa6e0f0c678/top?ps_args=aux HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Titles" : [
+        "USER","PID","%CPU","%MEM","VSZ","RSS","TTY","STAT","START","TIME","COMMAND"
+      ]
+      "Processes" : [
+        [
+          "root","13642","0.0","0.1","18172","3184","pts/0","Ss","17:03","0:00","/bin/bash"
+        ],
+        [
+          "root","13895","0.0","0.0","4348","692","pts/0","S+","17:15","0:00","sleep 10"
+        ]
+      ],
+    }
+
+**Query parameters**:
+
+-   **ps_args** – `ps` arguments to use (e.g., `aux`), defaults to `-ef`
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container logs
+
+`GET /containers/(id or name)/logs`
+
+Get `stdout` and `stderr` logs from the container ``id``
+
+> **Note**:
+> This endpoint works only for containers with the `json-file` or `journald` logging drivers.
+
+**Example request**:
+
+     GET /v1.18/containers/4fa6e0f0c678/logs?stderr=1&stdout=1&timestamps=1&follow=1&tail=10 HTTP/1.1
+
+**Example response**:
+
+     HTTP/1.1 101 UPGRADED
+     Content-Type: application/vnd.docker.raw-stream
+     Connection: Upgrade
+     Upgrade: tcp
+
+     {% raw %}
+     {{ STREAM }}
+     {% endraw %}
+
+**Query parameters**:
+
+-   **follow** – 1/True/true or 0/False/false, return stream. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, show `stdout` log. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, show `stderr` log. Default `false`.
+-   **timestamps** – 1/True/true or 0/False/false, print timestamps for
+        every log line. Default `false`.
+-   **tail** – Output specified number of lines at the end of logs: `all` or `<number>`. Default all.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **404** – no such container
+-   **500** – server error
+
+#### Inspect changes on a container's filesystem
+
+`GET /containers/(id or name)/changes`
+
+Inspect changes on container `id`'s filesystem
+
+**Example request**:
+
+    GET /v1.18/containers/4fa6e0f0c678/changes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Path": "/dev",
+                 "Kind": 0
+         },
+         {
+                 "Path": "/dev/kmsg",
+                 "Kind": 1
+         },
+         {
+                 "Path": "/test",
+                 "Kind": 1
+         }
+    ]
+
+Values for `Kind`:
+
+- `0`: Modify
+- `1`: Add
+- `2`: Delete
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Export a container
+
+`GET /containers/(id or name)/export`
+
+Export the contents of container `id`
+
+**Example request**:
+
+    GET /v1.18/containers/4fa6e0f0c678/export HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/octet-stream
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container stats based on resource usage
+
+`GET /containers/(id or name)/stats`
+
+This endpoint returns a live stream of a container's resource usage statistics.
+
+**Example request**:
+
+    GET /v1.18/containers/redis1/stats HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Type: application/json
+
+      {
+         "read" : "2015-01-08T22:57:31.547920715Z",
+         "network" : {
+            "rx_dropped" : 0,
+            "rx_bytes" : 648,
+            "rx_errors" : 0,
+            "tx_packets" : 8,
+            "tx_dropped" : 0,
+            "rx_packets" : 8,
+            "tx_errors" : 0,
+            "tx_bytes" : 648
+         },
+         "memory_stats" : {
+            "stats" : {
+               "total_pgmajfault" : 0,
+               "cache" : 0,
+               "mapped_file" : 0,
+               "total_inactive_file" : 0,
+               "pgpgout" : 414,
+               "rss" : 6537216,
+               "total_mapped_file" : 0,
+               "writeback" : 0,
+               "unevictable" : 0,
+               "pgpgin" : 477,
+               "total_unevictable" : 0,
+               "pgmajfault" : 0,
+               "total_rss" : 6537216,
+               "total_rss_huge" : 6291456,
+               "total_writeback" : 0,
+               "total_inactive_anon" : 0,
+               "rss_huge" : 6291456,
+               "hierarchical_memory_limit" : 67108864,
+               "total_pgfault" : 964,
+               "total_active_file" : 0,
+               "active_anon" : 6537216,
+               "total_active_anon" : 6537216,
+               "total_pgpgout" : 414,
+               "total_cache" : 0,
+               "inactive_anon" : 0,
+               "active_file" : 0,
+               "pgfault" : 964,
+               "inactive_file" : 0,
+               "total_pgpgin" : 477
+            },
+            "max_usage" : 6651904,
+            "usage" : 6537216,
+            "failcnt" : 0,
+            "limit" : 67108864
+         },
+         "blkio_stats" : {},
+         "cpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  16970827,
+                  1839451,
+                  7107380,
+                  10571290
+               ],
+               "usage_in_usermode" : 10000000,
+               "total_usage" : 36488948,
+               "usage_in_kernelmode" : 20000000
+            },
+            "system_cpu_usage" : 20091722000000000,
+            "throttling_data" : {}
+         }
+      }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Resize a container TTY
+
+`POST /containers/(id or name)/resize?h=<height>&w=<width>`
+
+Resize the TTY for container with  `id`. You must restart the container for the resize to take effect.
+
+**Example request**:
+
+      POST /v1.18/containers/4fa6e0f0c678/resize?h=40&w=80 HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Length: 0
+      Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – No such container
+-   **500** – Cannot resize container
+
+#### Start a container
+
+`POST /containers/(id or name)/start`
+
+Start the container `id`
+
+> **Note**:
+> For backwards compatibility, this endpoint accepts a `HostConfig` as JSON-encoded request body.
+> See [create a container](#create-a-container) for details.
+
+**Example request**:
+
+    POST /v1.18/containers/e90e34656806/start HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already started
+-   **404** – no such container
+-   **500** – server error
+
+#### Stop a container
+
+`POST /containers/(id or name)/stop`
+
+Stop the container `id`
+
+**Example request**:
+
+    POST /v1.18/containers/e90e34656806/stop?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already stopped
+-   **404** – no such container
+-   **500** – server error
+
+#### Restart a container
+
+`POST /containers/(id or name)/restart`
+
+Restart the container `id`
+
+**Example request**:
+
+    POST /v1.18/containers/e90e34656806/restart?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Kill a container
+
+`POST /containers/(id or name)/kill`
+
+Kill the container `id`
+
+**Example request**:
+
+    POST /v1.18/containers/e90e34656806/kill HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **signal** - Signal to send to the container: integer or string like `SIGINT`.
+        When not set, `SIGKILL` is assumed and the call waits for the container to exit.
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Rename a container
+
+`POST /containers/(id or name)/rename`
+
+Rename the container `id` to a `new_name`
+
+**Example request**:
+
+    POST /v1.18/containers/e90e34656806/rename?name=new_name HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **name** – new name for the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **409** - conflict name already assigned
+-   **500** – server error
+
+#### Pause a container
+
+`POST /containers/(id or name)/pause`
+
+Pause the container `id`
+
+**Example request**:
+
+    POST /v1.18/containers/e90e34656806/pause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Unpause a container
+
+`POST /containers/(id or name)/unpause`
+
+Unpause the container `id`
+
+**Example request**:
+
+    POST /v1.18/containers/e90e34656806/unpause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Attach to a container
+
+`POST /containers/(id or name)/attach`
+
+Attach to the container `id`
+
+**Example request**:
+
+    POST /v1.18/containers/16253994b7c4/attach?logs=1&stream=0&stdout=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 101 UPGRADED
+    Content-Type: application/vnd.docker.raw-stream
+    Connection: Upgrade
+    Upgrade: tcp
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+**Stream details**:
+
+When using the TTY setting is enabled in
+[`POST /containers/create`
+](#create-a-container),
+the stream is the raw data from the process PTY and client's `stdin`.
+When the TTY is disabled, then the stream is multiplexed to separate
+`stdout` and `stderr`.
+
+The format is a **Header** and a **Payload** (frame).
+
+**HEADER**
+
+The header contains the information which the stream writes (`stdout` or
+`stderr`). It also contains the size of the associated frame encoded in the
+last four bytes (`uint32`).
+
+It is encoded on the first eight bytes like this:
+
+    header := [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}
+
+`STREAM_TYPE` can be:
+
+-   0: `stdin` (is written on `stdout`)
+-   1: `stdout`
+-   2: `stderr`
+
+`SIZE1, SIZE2, SIZE3, SIZE4` are the four bytes of
+the `uint32` size encoded as big endian.
+
+**PAYLOAD**
+
+The payload is the raw stream.
+
+**IMPLEMENTATION**
+
+The simplest way to implement the Attach protocol is the following:
+
+    1.  Read eight bytes.
+    2.  Choose `stdout` or `stderr` depending on the first byte.
+    3.  Extract the frame size from the last four bytes.
+    4.  Read the extracted size and output it on the correct output.
+    5.  Goto 1.
+
+#### Attach to a container (websocket)
+
+`GET /containers/(id or name)/attach/ws`
+
+Attach to the container `id` via websocket
+
+Implements websocket protocol handshake according to [RFC 6455](http://tools.ietf.org/html/rfc6455)
+
+**Example request**
+
+    GET /v1.18/containers/e90e34656806/attach/ws?logs=0&stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
+
+**Example response**
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+#### Wait a container
+
+`POST /containers/(id or name)/wait`
+
+Block until container `id` stops, then returns the exit code
+
+**Example request**:
+
+    POST /v1.18/containers/16253994b7c4/wait HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"StatusCode": 0}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Remove a container
+
+`DELETE /containers/(id or name)`
+
+Remove the container `id` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.18/containers/16253994b7c4?v=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **v** – 1/True/true or 0/False/false, Remove the volumes
+        associated to the container. Default `false`.
+-   **force** - 1/True/true or 0/False/false, Kill then remove the container.
+        Default `false`.
+-   **link** - 1/True/true or 0/False/false, Remove the specified
+        link associated to the container. Default `false`.
+
+**Status codes**:
+
+-   **204** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **409** – conflict
+-   **500** – server error
+
+#### Copy files or folders from a container
+
+`POST /containers/(id or name)/copy`
+
+Copy files or folders of container `id`
+
+**Example request**:
+
+    POST /v1.18/containers/4fa6e0f0c678/copy HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Resource": "test.txt"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+### 2.2 Images
+
+#### List Images
+
+`GET /images/json`
+
+**Example request**:
+
+    GET /v1.18/images/json?all=0 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+         "RepoTags": [
+           "ubuntu:12.04",
+           "ubuntu:precise",
+           "ubuntu:latest"
+         ],
+         "Id": "8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
+         "Created": 1365714795,
+         "Size": 131506275,
+         "VirtualSize": 131506275
+      },
+      {
+         "RepoTags": [
+           "ubuntu:12.10",
+           "ubuntu:quantal"
+         ],
+         "ParentId": "27cf784147099545",
+         "Id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
+         "Created": 1364102658,
+         "Size": 24653,
+         "VirtualSize": 180116135
+      }
+    ]
+
+**Example request, with digest information**:
+
+    GET /v1.18/images/json?digests=1 HTTP/1.1
+
+**Example response, with digest information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+        "Created": 1420064636,
+        "Id": "4986bf8c15363d1c5d15512d5266f8777bfba4974ac56e3270e7760f6f0a8125",
+        "ParentId": "ea13149945cb6b1e746bf28032f02e9b5a793523481a0a18645fc77ad53c4ea2",
+        "RepoDigests": [
+          "localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+        ],
+        "RepoTags": [
+          "localhost:5000/test/busybox:latest",
+          "playdate:latest"
+        ],
+        "Size": 0,
+        "VirtualSize": 2429728
+      }
+    ]
+
+The response shows a single image `Id` associated with two repositories
+(`RepoTags`): `localhost:5000/test/busybox`: and `playdate`. A caller can use
+either of the `RepoTags` values `localhost:5000/test/busybox:latest` or
+`playdate:latest` to reference the image.
+
+You can also use `RepoDigests` values to reference an image. In this response,
+the array has only one reference and that is to the
+`localhost:5000/test/busybox` repository; the `playdate` repository has no
+digest. You can reference this digest using the value:
+`localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d...`
+
+See the `docker run` and `docker build` commands for examples of digest and tag
+references on the command line.
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, default false
+-   **filters** – a JSON encoded value of the filters (a map[string][]string) to process on the images list. Available filters:
+  -   `dangling=true`
+  -   `label=key` or `label="key=value"` of an image label
+-   **filter** - only return images with the specified name
+
+#### Build image from a Dockerfile
+
+`POST /build`
+
+Build an image from a Dockerfile
+
+**Example request**:
+
+    POST /v1.18/build HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"stream": "Step 1/5..."}
+    {"stream": "..."}
+    {"error": "Error...", "errorDetail": {"code": 123, "message": "Error..."}}
+
+The input stream must be a `tar` archive compressed with one of the
+following algorithms: `identity` (no compression), `gzip`, `bzip2`, `xz`.
+
+The archive must include a build instructions file, typically called
+`Dockerfile` at the archive's root. The `dockerfile` parameter may be
+used to specify a different build instructions file. To do this, its value must be
+the path to the alternate build instructions file to use.
+
+The archive may include any number of other files,
+which are accessible in the build context (See the [*ADD build
+command*](../reference/builder.md#add)).
+
+The Docker daemon performs a preliminary validation of the `Dockerfile` before
+starting the build, and returns an error if the syntax is incorrect. After that,
+each instruction is run one-by-one until the ID of the new image is output.
+
+The build is canceled if the client drops the connection by quitting
+or being killed.
+
+**Query parameters**:
+
+-   **dockerfile** - Path within the build context to the Dockerfile. This is
+        ignored if `remote` is specified and points to an individual filename.
+-   **t** – A name and optional tag to apply to the image in the `name:tag` format.
+        If you omit the `tag` the default `latest` value is assumed.
+-   **remote** – A Git repository URI or HTTP/HTTPS context URI. If the
+        URI points to a single text file, the file's contents are placed into
+        a file called `Dockerfile` and the image is built from that file.
+-   **q** – Suppress verbose build output.
+-   **nocache** – Do not use the cache when building the image.
+-   **pull** - Attempt to pull the image even if an older image exists locally.
+-   **rm** - Remove intermediate containers after a successful build (default behavior).
+-   **forcerm** - Always remove intermediate containers (includes `rm`).
+-   **memory** - Set memory limit for build.
+-   **memswap** - Total memory (memory + swap), `-1` to enable unlimited swap.
+-   **cpushares** - CPU shares (relative weight).
+-   **cpusetcpus** - CPUs in which to allow execution (e.g., `0-3`, `0,1`).
+
+**Request Headers**:
+
+-   **Content-type** – Set to `"application/x-tar"`.
+-   **X-Registry-Config** – base64-encoded ConfigFile object
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Create an image
+
+`POST /images/create`
+
+Create an image either by pulling it from the registry or by importing it
+
+**Example request**:
+
+    POST /v1.18/images/create?fromImage=busybox&tag=latest HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pulling..."}
+    {"status": "Pulling", "progress": "1 B/ 100 B", "progressDetail": {"current": 1, "total": 100}}
+    {"error": "Invalid..."}
+    ...
+
+When using this endpoint to pull an image from the registry, the
+`X-Registry-Auth` header can be used to include
+a base64-encoded AuthConfig object.
+
+**Query parameters**:
+
+-   **fromImage** – Name of the image to pull.
+-   **fromSrc** – Source to import.  The value may be a URL from which the image
+        can be retrieved or `-` to read the image from the request body.
+-   **repo** – Repository name.
+-   **tag** – Tag. If empty when pulling an image, this causes all tags
+        for the given image to be pulled.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** - repository does not exist or no read access
+-   **500** – server error
+
+
+
+#### Inspect an image
+
+`GET /images/(name)/json`
+
+Return low-level information on the image `name`
+
+**Example request**:
+
+    GET /v1.18/images/ubuntu/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Created": "2013-03-23T22:24:18.818426-07:00",
+       "Container": "3d67245a8d72ecf13f33dffac9f79dcdf70f75acb84d308770391510e0c23ad0",
+       "ContainerConfig": {
+          "Hostname": "",
+          "User": "",
+          "AttachStdin": false,
+          "AttachStdout": false,
+          "AttachStderr": false,
+          "Tty": true,
+          "OpenStdin": true,
+          "StdinOnce": false,
+          "Env": null,
+          "Cmd": ["/bin/bash"],
+          "Dns": null,
+          "Image": "ubuntu",
+          "Labels": {
+             "com.example.vendor": "Acme",
+             "com.example.license": "GPL",
+             "com.example.version": "1.0"
+          },
+          "Volumes": null,
+          "VolumesFrom": "",
+          "WorkingDir": ""
+       },
+       "Id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
+       "Parent": "27cf784147099545",
+       "Size": 6824592
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Get the history of an image
+
+`GET /images/(name)/history`
+
+Return the history of the image `name`
+
+**Example request**:
+
+    GET /v1.18/images/ubuntu/history HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+        {
+            "Id": "b750fe79269d",
+            "Created": 1364102658,
+            "CreatedBy": "/bin/bash"
+        },
+        {
+            "Id": "27cf78414709",
+            "Created": 1364068391,
+            "CreatedBy": ""
+        }
+    ]
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Push an image on the registry
+
+`POST /images/(name)/push`
+
+Push the image `name` on the registry
+
+**Example request**:
+
+    POST /v1.18/images/test/push HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pushing..."}
+    {"status": "Pushing", "progress": "1/? (n/a)", "progressDetail": {"current": 1}}}
+    {"error": "Invalid..."}
+    ...
+
+If you wish to push an image on to a private registry, that image must already have a tag
+into a repository which references that registry `hostname` and `port`.  This repository name should
+then be used in the URL. This duplicates the command line's flow.
+
+**Example request**:
+
+    POST /v1.18/images/registry.acme.com:5000/test/push HTTP/1.1
+
+
+**Query parameters**:
+
+-   **tag** – The tag to associate with the image on the registry. This is optional.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Tag an image into a repository
+
+`POST /images/(name)/tag`
+
+Tag the image `name` into a repository
+
+**Example request**:
+
+    POST /v1.18/images/test/tag?repo=myrepo&force=0&tag=v42 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+
+**Query parameters**:
+
+-   **repo** – The repository to tag in
+-   **force** – 1/True/true or 0/False/false, default false
+-   **tag** - The new tag name
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Remove an image
+
+`DELETE /images/(name)`
+
+Remove the image `name` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.18/images/test HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-type: application/json
+
+    [
+     {"Untagged": "3e2f21a89f"},
+     {"Deleted": "3e2f21a89f"},
+     {"Deleted": "53b4f83ac9"}
+    ]
+
+**Query parameters**:
+
+-   **force** – 1/True/true or 0/False/false, default false
+-   **noprune** – 1/True/true or 0/False/false, default false
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Search images
+
+`GET /images/search`
+
+Search for an image on [Docker Hub](https://hub.docker.com).
+
+> **Note**:
+> The response keys have changed from API v1.6 to reflect the JSON
+> sent by the registry server to the docker daemon's request.
+
+**Example request**:
+
+    GET /v1.18/images/search?term=sshd HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+            {
+                "star_count": 12,
+                "is_official": false,
+                "name": "wma55/u1210sshd",
+                "is_automated": false,
+                "description": ""
+            },
+            {
+                "star_count": 10,
+                "is_official": false,
+                "name": "jdswinbank/sshd",
+                "is_automated": false,
+                "description": ""
+            },
+            {
+                "star_count": 18,
+                "is_official": false,
+                "name": "vgauthier/sshd",
+                "is_automated": false,
+                "description": ""
+            }
+    ...
+    ]
+
+**Query parameters**:
+
+-   **term** – term to search
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+### 2.3 Misc
+
+#### Check auth configuration
+
+`POST /auth`
+
+Get the default username and email
+
+**Example request**:
+
+    POST /v1.18/auth HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "username": "hannibal",
+         "password": "xxxx",
+         "email": "hannibal@a-team.com",
+         "serveraddress": "https://index.docker.io/v1/"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** – no error
+-   **204** – no error
+-   **500** – server error
+
+#### Display system-wide information
+
+`GET /info`
+
+Display system-wide information
+
+**Example request**:
+
+    GET /v1.18/info HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+        "Containers": 11,
+        "Debug": 0,
+        "DockerRootDir": "/var/lib/docker",
+        "Driver": "btrfs",
+        "DriverStatus": [[""]],
+        "ExecutionDriver": "native-0.1",
+        "HttpProxy": "http://test:test@localhost:8080",
+        "HttpsProxy": "https://test:test@localhost:8080",
+        "ID": "7TRN:IPZB:QYBB:VPBQ:UMPP:KARE:6ZNR:XE6T:7EWV:PKF4:ZOJD:TPYS",
+        "IPv4Forwarding": 1,
+        "Images": 16,
+        "IndexServerAddress": "https://index.docker.io/v1/",
+        "InitPath": "/usr/bin/docker",
+        "InitSha1": "",
+        "KernelVersion": "3.12.0-1-amd64",
+        "Labels": [
+            "storage=ssd"
+        ],
+        "MemTotal": 2099236864,
+        "MemoryLimit": 1,
+        "NCPU": 1,
+        "NEventsListener": 0,
+        "NFd": 11,
+        "NGoroutines": 21,
+        "Name": "prod-server-42",
+        "NoProxy": "9.81.1.160",
+        "OperatingSystem": "Boot2Docker",
+        "RegistryConfig": {
+            "IndexConfigs": {
+                "docker.io": {
+                    "Mirrors": null,
+                    "Name": "docker.io",
+                    "Official": true,
+                    "Secure": true
+                }
+            },
+            "InsecureRegistryCIDRs": [
+                "127.0.0.0/8"
+            ]
+        },
+        "SwapLimit": 0,
+        "SystemTime": "2015-03-10T11:11:23.730591467-07:00"
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Show the docker version information
+
+`GET /version`
+
+Show the docker version information
+
+**Example request**:
+
+    GET /v1.18/version HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+         "Version": "1.5.0",
+         "Os": "linux",
+         "KernelVersion": "3.18.5-tinycore64",
+         "GoVersion": "go1.4.1",
+         "GitCommit": "a8a31ef",
+         "Arch": "amd64",
+         "ApiVersion": "1.18"
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Ping the docker server
+
+`GET /_ping`
+
+Ping the docker server
+
+**Example request**:
+
+    GET /v1.18/_ping HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: text/plain
+
+    OK
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a new image from a container's changes
+
+`POST /commit`
+
+Create a new image from a container's changes
+
+**Example request**:
+
+    POST /v1.18/commit?container=44c004db4b17&comment=message&repo=myrepo HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Hostname": "",
+         "Domainname": "",
+         "User": "",
+         "AttachStdin": false,
+         "AttachStdout": true,
+         "AttachStderr": true,
+         "PortSpecs": null,
+         "Tty": false,
+         "OpenStdin": false,
+         "StdinOnce": false,
+         "Env": null,
+         "Cmd": [
+                 "date"
+         ],
+         "Volumes": {
+                 "/tmp": {}
+         },
+         "WorkingDir": "",
+         "NetworkDisabled": false,
+         "ExposedPorts": {
+                 "22/tcp": {}
+         }
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {"Id": "596069db4bf5"}
+
+**JSON parameters**:
+
+-  **config** - the container's configuration
+
+**Query parameters**:
+
+-   **container** – source container
+-   **repo** – repository
+-   **tag** – tag
+-   **comment** – commit message
+-   **author** – author (e.g., "John Hannibal Smith
+    <[hannibal@a-team.com](mailto:hannibal%40a-team.com)>")
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Monitor Docker's events
+
+`GET /events`
+
+Get container events from docker, in real time via streaming.
+
+Docker containers report the following events:
+
+    create, destroy, die, exec_create, exec_start, export, kill, oom, pause, restart, start, stop, unpause
+
+Docker images report the following events:
+
+    untag, delete
+
+**Example request**:
+
+    GET /v1.18/events?since=1374067924
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "create", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067924}
+    {"status": "start", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067924}
+    {"status": "stop", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067966}
+    {"status": "destroy", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067970}
+
+**Query parameters**:
+
+-   **since** – Timestamp. Show all events created since timestamp and then stream
+-   **until** – Timestamp. Show events created until given timestamp and stop streaming
+-   **filters** – A json encoded value of the filters (a map[string][]string) to process on the event list. Available filters:
+  -   `container=<string>`; -- container to filter
+  -   `event=<string>`; -- event to filter
+  -   `image=<string>`; -- image to filter
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images in a repository
+
+`GET /images/(name)/get`
+
+Get a tarball containing all images and metadata for the repository specified
+by `name`.
+
+If `name` is a specific name and tag (e.g. ubuntu:latest), then only that image
+(and its parents) are returned. If `name` is an image ID, similarly only that
+image (and its parents) are returned, but with the exclusion of the
+'repositories' file in the tarball, as there were no image names referenced.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.18/images/ubuntu/get
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images
+
+`GET /images/get`
+
+Get a tarball containing all images and metadata for one or more repositories.
+
+For each value of the `names` parameter: if it is a specific name and tag (e.g.
+`ubuntu:latest`), then only that image (and its parents) are returned; if it is
+an image ID, similarly only that image (and its parents) are returned and there
+would be no names referenced in the 'repositories' file for this image ID.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.18/images/get?names=myname%2Fmyapp%3Alatest&names=busybox
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Load a tarball with a set of images and tags into docker
+
+`POST /images/load`
+
+Load a set of images and tags into a Docker repository.
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    POST /v1.18/images/load
+    Content-Type: application/x-tar
+    Content-Length: 12345
+
+    Tarball in body
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Image tarball format
+
+An image tarball contains one directory per image layer (named using its long ID),
+each containing these files:
+
+- `VERSION`: currently `1.0` - the file format version
+- `json`: detailed layer information, similar to `docker inspect layer_id`
+- `layer.tar`: A tarfile containing the filesystem changes in this layer
+
+The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories
+for storing attribute changes and deletions.
+
+If the tarball defines a repository, the tarball should also include a `repositories` file at
+the root that contains a list of repository and tag names mapped to layer IDs.
+
+```
+{"hello-world":
+    {"latest": "565a9d68a73f6706862bfe8409a7f659776d4d60a8d096eb4a3cbce6999cc2a1"}
+}
+```
+
+#### Exec Create
+
+`POST /containers/(id or name)/exec`
+
+Sets up an exec instance in a running container `id`
+
+**Example request**:
+
+    POST /v1.18/containers/e90e34656806/exec HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "AttachStdin": true,
+      "AttachStdout": true,
+      "AttachStderr": true,
+      "Cmd": ["sh"],
+      "Tty": true
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+         "Id": "f90e34656806",
+         "Warnings":[]
+    }
+
+**JSON parameters**:
+
+-   **AttachStdin** - Boolean value, attaches to `stdin` of the `exec` command.
+-   **AttachStdout** - Boolean value, attaches to `stdout` of the `exec` command.
+-   **AttachStderr** - Boolean value, attaches to `stderr` of the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+-   **Cmd** - Command to run specified as a string or an array of strings.
+
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+
+#### Exec Start
+
+`POST /exec/(id)/start`
+
+Starts a previously set up `exec` instance `id`. If `detach` is true, this API
+returns after starting the `exec` command. Otherwise, this API sets up an
+interactive session with the `exec` command.
+
+**Example request**:
+
+    POST /v1.18/exec/e90e34656806/start HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+     "Detach": false,
+     "Tty": false
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/vnd.docker.raw-stream
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**JSON parameters**:
+
+-   **Detach** - Detach from the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+
+**Stream details**:
+
+Similar to the stream behavior of `POST /containers/(id or name)/attach` API
+
+#### Exec Resize
+
+`POST /exec/(id)/resize`
+
+Resizes the `tty` session used by the `exec` command `id`.  The unit is number of characters.
+This API is valid only if `tty` was specified as part of creating and starting the `exec` command.
+
+**Example request**:
+
+    POST /v1.18/exec/e90e34656806/resize?h=40&w=80 HTTP/1.1
+    Content-Type: text/plain
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: text/plain
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such exec instance
+
+#### Exec Inspect
+
+`GET /exec/(id)/json`
+
+Return low-level information about the `exec` command `id`.
+
+**Example request**:
+
+    GET /v1.18/exec/11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: plain/text
+
+    {
+      "ID" : "11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39",
+      "Running" : false,
+      "ExitCode" : 2,
+      "ProcessConfig" : {
+        "privileged" : false,
+        "user" : "",
+        "tty" : false,
+        "entrypoint" : "sh",
+        "arguments" : [
+          "-c",
+          "exit 2"
+        ]
+      },
+      "OpenStdin" : false,
+      "OpenStderr" : false,
+      "OpenStdout" : false,
+      "Container" : {
+        "State" : {
+          "Running" : true,
+          "Paused" : false,
+          "Restarting" : false,
+          "OOMKilled" : false,
+          "Pid" : 3650,
+          "ExitCode" : 0,
+          "Error" : "",
+          "StartedAt" : "2014-11-17T22:26:03.717657531Z",
+          "FinishedAt" : "0001-01-01T00:00:00Z"
+        },
+        "ID" : "8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c",
+        "Created" : "2014-11-17T22:26:03.626304998Z",
+        "Path" : "date",
+        "Args" : [],
+        "Config" : {
+          "Hostname" : "8f177a186b97",
+          "Domainname" : "",
+          "User" : "",
+          "AttachStdin" : false,
+          "AttachStdout" : false,
+          "AttachStderr" : false,
+          "PortSpecs": null,
+          "ExposedPorts" : null,
+          "Tty" : false,
+          "OpenStdin" : false,
+          "StdinOnce" : false,
+          "Env" : [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ],
+          "Cmd" : [
+            "date"
+          ],
+          "Image" : "ubuntu",
+          "Volumes" : null,
+          "WorkingDir" : "",
+          "Entrypoint" : null,
+          "NetworkDisabled" : false,
+          "MacAddress" : "",
+          "OnBuild" : null,
+          "SecurityOpt" : null
+        },
+        "Image" : "5506de2b643be1e6febbf3b8a240760c6843244c41e12aa2f60ccbb7153d17f5",
+        "NetworkSettings" : {
+          "IPAddress" : "172.17.0.2",
+          "IPPrefixLen" : 16,
+          "MacAddress" : "02:42:ac:11:00:02",
+          "Gateway" : "172.17.42.1",
+          "Bridge" : "docker0",
+          "PortMapping" : null,
+          "Ports" : {}
+        },
+        "ResolvConfPath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/resolv.conf",
+        "HostnamePath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/hostname",
+        "HostsPath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/hosts",
+        "LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+        "Name" : "/test",
+        "Driver" : "aufs",
+        "ExecDriver" : "native-0.2",
+        "MountLabel" : "",
+        "ProcessLabel" : "",
+        "AppArmorProfile" : "",
+        "RestartCount" : 0,
+        "Volumes" : {},
+        "VolumesRW" : {}
+      }
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **500** - server error
+
+## 3. Going further
+
+### 3.1 Inside `docker run`
+
+As an example, the `docker run` command line makes the following API calls:
+
+- Create the container
+
+- If the status code is 404, it means the image doesn't exist:
+    - Try to pull it.
+    - Then, retry to create the container.
+
+- Start the container.
+
+- If you are not in detached mode:
+- Attach to the container, using `logs=1` (to have `stdout` and
+      `stderr` from the container's start) and `stream=1`
+
+- If in detached mode or only `stdin` is attached, display the container's id.
+
+### 3.2 Hijacking
+
+In this version of the API, `/attach`, uses hijacking to transport `stdin`,
+`stdout`, and `stderr` on the same socket.
+
+To hint potential proxies about connection hijacking, Docker client sends
+connection upgrade headers similarly to websocket.
+
+    Upgrade: tcp
+    Connection: Upgrade
+
+When Docker daemon detects the `Upgrade` header, it switches its status code
+from **200 OK** to **101 UPGRADED** and resends the same headers.
+
+This might change in the future.
+
+### 3.3 CORS Requests
+
+To set cross origin requests to the Engine API please give values to
+`--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
+default or blank means CORS disabled
+
+    $ docker -d -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
diff --git a/engine/docs/api/v1.19.md b/engine/docs/api/v1.19.md
new file mode 100644
index 00000000..f3d44555
--- /dev/null
+++ b/engine/docs/api/v1.19.md
@@ -0,0 +1,2259 @@
+---
+title: "Engine API v1.19"
+description: "API Documentation for Docker"
+keywords: "API, Docker, rcli, REST, documentation"
+redirect_from:
+- /engine/reference/api/docker_remote_api_v1.19/
+- /reference/api/docker_remote_api_v1.19/
+---
+
+<!-- This file is maintained within the moby/moby GitHub
+     repository at https://github.com/moby/moby/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+## 1. Brief introduction
+
+ - The daemon listens on `unix:///var/run/docker.sock` but you can
+   [Bind Docker to another host/port or a Unix socket](../reference/commandline/dockerd.md#bind-docker-to-another-host-port-or-a-unix-socket).
+ - The API tends to be REST. However, for some complex commands, like `attach`
+   or `pull`, the HTTP connection is hijacked to transport `stdout`,
+   `stdin` and `stderr`.
+ - A `Content-Length` header should be present in `POST` requests to endpoints
+   that expect a body.
+ - To lock to a specific version of the API, you prefix the URL with the version
+   of the API to use. For example, `/v1.18/info`. If no version is included in
+   the URL, the maximum supported API version is used.
+ - If the API version specified in the URL is not supported by the daemon, a HTTP
+   `400 Bad Request` error message is returned.
+
+## 2. Endpoints
+
+### 2.1 Containers
+
+#### List containers
+
+`GET /containers/json`
+
+List containers
+
+**Example request**:
+
+    GET /v1.19/containers/json?all=1&before=8dfafdbc3a40&size=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Id": "8dfafdbc3a40",
+                 "Names":["/boring_feynman"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 1",
+                 "Created": 1367854155,
+                 "Status": "Exit 0",
+                 "Ports": [{"PrivatePort": 2222, "PublicPort": 3333, "Type": "tcp"}],
+                 "Labels": {
+                         "com.example.vendor": "Acme",
+                         "com.example.license": "GPL",
+                         "com.example.version": "1.0"
+                 },
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         },
+         {
+                 "Id": "9cd87474be90",
+                 "Names":["/coolName"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 222222",
+                 "Created": 1367854155,
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         },
+         {
+                 "Id": "3176a2479c92",
+                 "Names":["/sleepy_dog"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 3333333333333333",
+                 "Created": 1367854154,
+                 "Status": "Exit 0",
+                 "Ports":[],
+                 "Labels": {},
+                 "SizeRw":12288,
+                 "SizeRootFs":0
+         },
+         {
+                 "Id": "4cb07b47f9fb",
+                 "Names":["/running_cat"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 444444444444444444444444444444444",
+                 "Created": 1367854152,
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         }
+    ]
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, Show all containers.
+        Only running containers are shown by default (i.e., this defaults to false)
+-   **limit** – Show `limit` last created
+        containers, include non-running ones.
+-   **since** – Show only containers created since Id, include
+        non-running ones.
+-   **before** – Show only containers created before Id, include
+        non-running ones.
+-   **size** – 1/True/true or 0/False/false, Show the containers
+        sizes
+-   **filters** - a JSON encoded value of the filters (a `map[string][]string`) to process on the containers list. Available filters:
+  -   `exited=<int>`; -- containers with exit code of  `<int>` ;
+  -   `status=`(`restarting`|`running`|`paused`|`exited`)
+  -   `label=key` or `label="key=value"` of a container label
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **500** – server error
+
+#### Create a container
+
+`POST /containers/create`
+
+Create a container
+
+**Example request**:
+
+    POST /v1.19/containers/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+           "Hostname": "",
+           "Domainname": "",
+           "User": "",
+           "AttachStdin": false,
+           "AttachStdout": true,
+           "AttachStderr": true,
+           "Tty": false,
+           "OpenStdin": false,
+           "StdinOnce": false,
+           "Env": [
+                   "FOO=bar",
+                   "BAZ=quux"
+           ],
+           "Cmd": [
+                   "date"
+           ],
+           "Entrypoint": null,
+           "Image": "ubuntu",
+           "Labels": {
+                   "com.example.vendor": "Acme",
+                   "com.example.license": "GPL",
+                   "com.example.version": "1.0"
+           },
+           "Volumes": {
+             "/volumes/data": {}
+           },
+           "WorkingDir": "",
+           "NetworkDisabled": false,
+           "MacAddress": "12:34:56:78:9a:bc",
+           "ExposedPorts": {
+                   "22/tcp": {}
+           },
+           "HostConfig": {
+             "Binds": ["/tmp:/tmp"],
+             "Links": ["redis3:redis"],
+             "LxcConf": {"lxc.utsname":"docker"},
+             "Memory": 0,
+             "MemorySwap": 0,
+             "CpuShares": 512,
+             "CpuPeriod": 100000,
+             "CpuQuota": 50000,
+             "CpusetCpus": "0,1",
+             "CpusetMems": "0,1",
+             "BlkioWeight": 300,
+             "OomKillDisable": false,
+             "PidMode": "",
+             "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+             "PublishAllPorts": false,
+             "Privileged": false,
+             "ReadonlyRootfs": false,
+             "Dns": ["8.8.8.8"],
+             "DnsSearch": [""],
+             "ExtraHosts": null,
+             "VolumesFrom": ["parent", "other:ro"],
+             "CapAdd": ["NET_ADMIN"],
+             "CapDrop": ["MKNOD"],
+             "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+             "NetworkMode": "bridge",
+             "Devices": [],
+             "Ulimits": [{}],
+             "LogConfig": { "Type": "json-file", "Config": {} },
+             "SecurityOpt": [],
+             "CgroupParent": ""
+          }
+      }
+
+**Example response**:
+
+      HTTP/1.1 201 Created
+      Content-Type: application/json
+
+      {
+           "Id":"e90e34656806",
+           "Warnings":[]
+      }
+
+**JSON parameters**:
+
+-   **Hostname** - A string value containing the hostname to use for the
+      container.
+-   **Domainname** - A string value containing the domain name to use
+      for the container.
+-   **User** - A string value specifying the user inside the container.
+-   **AttachStdin** - Boolean value, attaches to `stdin`.
+-   **AttachStdout** - Boolean value, attaches to `stdout`.
+-   **AttachStderr** - Boolean value, attaches to `stderr`.
+-   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
+-   **OpenStdin** - Boolean value, opens `stdin`,
+-   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Entrypoint** - Set the entry point for the container as a string or an array
+      of strings.
+-   **Image** - A string specifying the image name to use for the container.
+-   **Volumes** - An object mapping mount point paths (strings) inside the
+      container to empty objects.
+-   **WorkingDir** - A string specifying the working directory for commands to
+      run in.
+-   **NetworkDisabled** - Boolean value, when true disables networking for the
+      container
+-   **ExposedPorts** - An object mapping ports to an empty object in the form of:
+      `"ExposedPorts": { "<port>/<tcp|udp>: {}" }`
+-   **HostConfig**
+    -   **Binds** – A list of bind mounts for this container. Each item is a string in one of these forms:
+           + `host-src:container-dest` to bind-mount a host path into the
+             container. Both `host-src`, and `container-dest` must be an
+             _absolute_ path.
+           + `host-src:container-dest:ro` to make the bind mount read-only
+             inside the container. Both `host-src`, and `container-dest` must be
+             an _absolute_ path.
+    -   **Links** - A list of links for the container. Each link entry should be
+          in the form of `container_name:alias`.
+    -   **LxcConf** - LXC specific configurations. These configurations only
+          work when using the `lxc` execution driver.
+    -   **Memory** - Memory limit in bytes.
+    -   **MemorySwap** - Total memory limit (memory + swap); set `-1` to enable unlimited swap.
+          You must use this with `memory` and make the swap value larger than `memory`.
+    -   **CpuShares** - An integer value containing the container's CPU Shares
+          (ie. the relative weight vs other containers).
+    -   **CpuPeriod** - The length of a CPU period in microseconds.
+    -   **CpuQuota** - Microseconds of CPU time that the container can get in a CPU period.
+    -   **CpusetCpus** - String value containing the `cgroups CpusetCpus` to use.
+    -   **CpusetMems** - Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.
+    -   **BlkioWeight** - Block IO weight (relative weight) accepts a weight value between 10 and 1000.
+    -   **OomKillDisable** - Boolean value, whether to disable OOM Killer for the container or not.
+    -   **PidMode** - Set the PID (Process) Namespace mode for the container;
+          `"container:<name|id>"`: joins another container's PID namespace
+          `"host"`: use the host's PID namespace inside the container
+    -   **PortBindings** - A map of exposed container ports and the host port they
+          should map to. A JSON object in the form
+          `{ <port>/<protocol>: [{ "HostPort": "<port>" }] }`
+          Take note that `port` is specified as a string and not an integer value.
+    -   **PublishAllPorts** - Allocates an ephemeral host port for all of a container's
+          exposed ports. Specified as a boolean value.
+
+          Ports are de-allocated when the container stops and allocated when the container starts.
+          The allocated port might be changed when restarting the container.
+
+          The port is selected from the ephemeral port range that depends on the kernel.
+          For example, on Linux the range is defined by `/proc/sys/net/ipv4/ip_local_port_range`.
+    -   **Privileged** - Gives the container full access to the host. Specified as
+          a boolean value.
+    -   **ReadonlyRootfs** - Mount the container's root filesystem as read only.
+          Specified as a boolean value.
+    -   **Dns** - A list of DNS servers for the container to use.
+    -   **DnsSearch** - A list of DNS search domains
+    -   **ExtraHosts** - A list of hostnames/IP mappings to add to the
+        container's `/etc/hosts` file. Specified in the form `["hostname:IP"]`.
+    -   **VolumesFrom** - A list of volumes to inherit from another container.
+          Specified in the form `<container name>[:<ro|rw>]`
+    -   **CapAdd** - A list of kernel capabilities to add to the container.
+    -   **Capdrop** - A list of kernel capabilities to drop from the container.
+    -   **RestartPolicy** – The behavior to apply when the container exits.  The
+            value is an object with a `Name` property of either `"always"` to
+            always restart or `"on-failure"` to restart only when the container
+            exit code is non-zero.  If `on-failure` is used, `MaximumRetryCount`
+            controls the number of times to retry before giving up.
+            The default is not to restart. (optional)
+            An ever increasing delay (double the previous delay, starting at 100mS)
+            is added before each restart to prevent flooding the server.
+    -   **NetworkMode** - Sets the networking mode for the container. Supported
+          values are: `bridge`, `host`, `none`, and `container:<name|id>`
+    -   **Devices** - A list of devices to add to the container specified as a JSON object in the
+      form
+          `{ "PathOnHost": "/dev/deviceName", "PathInContainer": "/dev/deviceName", "CgroupPermissions": "mrw"}`
+    -   **Ulimits** - A list of ulimits to set in the container, specified as
+          `{ "Name": <name>, "Soft": <soft limit>, "Hard": <hard limit> }`, for example:
+          `Ulimits: { "Name": "nofile", "Soft": 1024, "Hard": 2048 }`
+    -   **SecurityOpt**: A list of string values to customize labels for MLS
+        systems, such as SELinux.
+    -   **LogConfig** - Log configuration for the container, specified as a JSON object in the form
+          `{ "Type": "<driver_name>", "Config": {"key1": "val1"}}`.
+          Available types: `json-file`, `syslog`, `journald`, `none`.
+          `syslog` available options are: `address`.
+    -   **CgroupParent** - Path to `cgroups` under which the container's `cgroup` is created. If the path is not absolute, the path is considered to be relative to the `cgroups` path of the init process. Cgroups are created if they do not already exist.
+
+**Query parameters**:
+
+-   **name** – Assign the specified name to the container. Must
+    match `/?[a-zA-Z0-9_-]+`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **406** – impossible to attach (container not running)
+-   **409** – conflict
+-   **500** – server error
+
+#### Inspect a container
+
+`GET /containers/(id or name)/json`
+
+Return low-level information on the container `id`
+
+**Example request**:
+
+      GET /v1.19/containers/4fa6e0f0c678/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+	{
+		"AppArmorProfile": "",
+		"Args": [
+			"-c",
+			"exit 9"
+		],
+		"Config": {
+			"AttachStderr": true,
+			"AttachStdin": false,
+			"AttachStdout": true,
+			"Cmd": [
+				"/bin/sh",
+				"-c",
+				"exit 9"
+			],
+			"Domainname": "",
+			"Entrypoint": null,
+			"Env": [
+				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+			],
+			"ExposedPorts": null,
+			"Hostname": "ba033ac44011",
+			"Image": "ubuntu",
+			"Labels": {
+				"com.example.vendor": "Acme",
+				"com.example.license": "GPL",
+				"com.example.version": "1.0"
+			},
+			"MacAddress": "",
+			"NetworkDisabled": false,
+			"OnBuild": null,
+			"OpenStdin": false,
+			"PortSpecs": null,
+			"StdinOnce": false,
+			"Tty": false,
+			"User": "",
+			"Volumes": null,
+			"WorkingDir": ""
+		},
+		"Created": "2015-01-06T15:47:31.485331387Z",
+		"Driver": "devicemapper",
+		"ExecDriver": "native-0.2",
+		"ExecIDs": null,
+		"HostConfig": {
+			"Binds": null,
+			"BlkioWeight": 0,
+			"CapAdd": null,
+			"CapDrop": null,
+			"ContainerIDFile": "",
+			"CpusetCpus": "",
+			"CpusetMems": "",
+			"CpuShares": 0,
+			"CpuPeriod": 100000,
+			"Devices": [],
+			"Dns": null,
+			"DnsSearch": null,
+			"ExtraHosts": null,
+			"IpcMode": "",
+			"Links": null,
+			"LxcConf": [],
+			"Memory": 0,
+			"MemorySwap": 0,
+			"OomKillDisable": false,
+			"NetworkMode": "bridge",
+			"PidMode": "",
+			"PortBindings": {},
+			"Privileged": false,
+			"ReadonlyRootfs": false,
+			"PublishAllPorts": false,
+			"RestartPolicy": {
+				"MaximumRetryCount": 2,
+				"Name": "on-failure"
+			},
+			"LogConfig": {
+				"Config": null,
+				"Type": "json-file"
+			},
+			"SecurityOpt": null,
+			"VolumesFrom": null,
+			"Ulimits": [{}]
+		},
+		"HostnamePath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hostname",
+		"HostsPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hosts",
+		"LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+		"Id": "ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39",
+		"Image": "04c5d3b7b0656168630d3ba35d8889bd0e9caafcaeb3004d2bfbc47e7c5d35d2",
+		"MountLabel": "",
+		"Name": "/boring_euclid",
+		"NetworkSettings": {
+			"Bridge": "",
+			"Gateway": "",
+			"IPAddress": "",
+			"IPPrefixLen": 0,
+			"MacAddress": "",
+			"PortMapping": null,
+			"Ports": null
+		},
+		"Path": "/bin/sh",
+		"ProcessLabel": "",
+		"ResolvConfPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/resolv.conf",
+		"RestartCount": 1,
+		"State": {
+			"Error": "",
+			"ExitCode": 9,
+			"FinishedAt": "2015-01-06T15:47:32.080254511Z",
+			"OOMKilled": false,
+			"Paused": false,
+			"Pid": 0,
+			"Restarting": false,
+			"Running": true,
+			"StartedAt": "2015-01-06T15:47:32.072697474Z"
+		},
+		"Volumes": {},
+		"VolumesRW": {}
+	}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### List processes running inside a container
+
+`GET /containers/(id or name)/top`
+
+List processes running inside the container `id`. On Unix systems this
+is done by running the `ps` command. This endpoint is not
+supported on Windows.
+
+**Example request**:
+
+    GET /v1.19/containers/4fa6e0f0c678/top HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Titles" : [
+         "UID", "PID", "PPID", "C", "STIME", "TTY", "TIME", "CMD"
+       ],
+       "Processes" : [
+         [
+           "root", "13642", "882", "0", "17:03", "pts/0", "00:00:00", "/bin/bash"
+         ],
+         [
+           "root", "13735", "13642", "0", "17:06", "pts/0", "00:00:00", "sleep 10"
+         ]
+       ]
+    }
+
+**Example request**:
+
+    GET /v1.19/containers/4fa6e0f0c678/top?ps_args=aux HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Titles" : [
+        "USER","PID","%CPU","%MEM","VSZ","RSS","TTY","STAT","START","TIME","COMMAND"
+      ]
+      "Processes" : [
+        [
+          "root","13642","0.0","0.1","18172","3184","pts/0","Ss","17:03","0:00","/bin/bash"
+        ],
+        [
+          "root","13895","0.0","0.0","4348","692","pts/0","S+","17:15","0:00","sleep 10"
+        ]
+      ],
+    }
+
+**Query parameters**:
+
+-   **ps_args** – `ps` arguments to use (e.g., `aux`), defaults to `-ef`
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container logs
+
+`GET /containers/(id or name)/logs`
+
+Get `stdout` and `stderr` logs from the container ``id``
+
+> **Note**:
+> This endpoint works only for containers with the `json-file` or `journald` logging drivers.
+
+**Example request**:
+
+     GET /v1.19/containers/4fa6e0f0c678/logs?stderr=1&stdout=1&timestamps=1&follow=1&tail=10&since=1428990821 HTTP/1.1
+
+**Example response**:
+
+     HTTP/1.1 101 UPGRADED
+     Content-Type: application/vnd.docker.raw-stream
+     Connection: Upgrade
+     Upgrade: tcp
+
+     {% raw %}
+     {{ STREAM }}
+     {% endraw %}
+
+**Query parameters**:
+
+-   **follow** – 1/True/true or 0/False/false, return stream. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, show `stdout` log. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, show `stderr` log. Default `false`.
+-   **since** – UNIX timestamp (integer) to filter logs. Specifying a timestamp
+    will only output log-entries since that timestamp. Default: 0 (unfiltered)
+-   **timestamps** – 1/True/true or 0/False/false, print timestamps for
+        every log line. Default `false`.
+-   **tail** – Output specified number of lines at the end of logs: `all` or `<number>`. Default all.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **404** – no such container
+-   **500** – server error
+
+#### Inspect changes on a container's filesystem
+
+`GET /containers/(id or name)/changes`
+
+Inspect changes on container `id`'s filesystem
+
+**Example request**:
+
+    GET /v1.19/containers/4fa6e0f0c678/changes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Path": "/dev",
+                 "Kind": 0
+         },
+         {
+                 "Path": "/dev/kmsg",
+                 "Kind": 1
+         },
+         {
+                 "Path": "/test",
+                 "Kind": 1
+         }
+    ]
+
+Values for `Kind`:
+
+- `0`: Modify
+- `1`: Add
+- `2`: Delete
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Export a container
+
+`GET /containers/(id or name)/export`
+
+Export the contents of container `id`
+
+**Example request**:
+
+    GET /v1.19/containers/4fa6e0f0c678/export HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/octet-stream
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container stats based on resource usage
+
+`GET /containers/(id or name)/stats`
+
+This endpoint returns a live stream of a container's resource usage statistics.
+
+**Example request**:
+
+    GET /v1.19/containers/redis1/stats HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Type: application/json
+
+      {
+         "read" : "2015-01-08T22:57:31.547920715Z",
+         "network" : {
+            "rx_dropped" : 0,
+            "rx_bytes" : 648,
+            "rx_errors" : 0,
+            "tx_packets" : 8,
+            "tx_dropped" : 0,
+            "rx_packets" : 8,
+            "tx_errors" : 0,
+            "tx_bytes" : 648
+         },
+         "memory_stats" : {
+            "stats" : {
+               "total_pgmajfault" : 0,
+               "cache" : 0,
+               "mapped_file" : 0,
+               "total_inactive_file" : 0,
+               "pgpgout" : 414,
+               "rss" : 6537216,
+               "total_mapped_file" : 0,
+               "writeback" : 0,
+               "unevictable" : 0,
+               "pgpgin" : 477,
+               "total_unevictable" : 0,
+               "pgmajfault" : 0,
+               "total_rss" : 6537216,
+               "total_rss_huge" : 6291456,
+               "total_writeback" : 0,
+               "total_inactive_anon" : 0,
+               "rss_huge" : 6291456,
+               "hierarchical_memory_limit" : 67108864,
+               "total_pgfault" : 964,
+               "total_active_file" : 0,
+               "active_anon" : 6537216,
+               "total_active_anon" : 6537216,
+               "total_pgpgout" : 414,
+               "total_cache" : 0,
+               "inactive_anon" : 0,
+               "active_file" : 0,
+               "pgfault" : 964,
+               "inactive_file" : 0,
+               "total_pgpgin" : 477
+            },
+            "max_usage" : 6651904,
+            "usage" : 6537216,
+            "failcnt" : 0,
+            "limit" : 67108864
+         },
+         "blkio_stats" : {},
+         "cpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24472255,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100215355,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 739306590000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         },
+         "precpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24350896,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100093996,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 9492140000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         }
+      }
+
+The `precpu_stats` is the cpu statistic of *previous* read, which is used for calculating the cpu usage percent. It is not the exact copy of the `cpu_stats` field.
+
+**Query parameters**:
+
+-   **stream** – 1/True/true or 0/False/false, pull stats once then disconnect. Default `true`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Resize a container TTY
+
+`POST /containers/(id or name)/resize?h=<height>&w=<width>`
+
+Resize the TTY for container with  `id`. You must restart the container for the resize to take effect.
+
+**Example request**:
+
+      POST /v1.19/containers/4fa6e0f0c678/resize?h=40&w=80 HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Length: 0
+      Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – No such container
+-   **500** – Cannot resize container
+
+#### Start a container
+
+`POST /containers/(id or name)/start`
+
+Start the container `id`
+
+> **Note**:
+> For backwards compatibility, this endpoint accepts a `HostConfig` as JSON-encoded request body.
+> See [create a container](#create-a-container) for details.
+
+**Example request**:
+
+    POST /v1.19/containers/e90e34656806/start HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already started
+-   **404** – no such container
+-   **500** – server error
+
+#### Stop a container
+
+`POST /containers/(id or name)/stop`
+
+Stop the container `id`
+
+**Example request**:
+
+    POST /v1.19/containers/e90e34656806/stop?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already stopped
+-   **404** – no such container
+-   **500** – server error
+
+#### Restart a container
+
+`POST /containers/(id or name)/restart`
+
+Restart the container `id`
+
+**Example request**:
+
+    POST /v1.19/containers/e90e34656806/restart?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Kill a container
+
+`POST /containers/(id or name)/kill`
+
+Kill the container `id`
+
+**Example request**:
+
+    POST /v1.19/containers/e90e34656806/kill HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **signal** - Signal to send to the container: integer or string like `SIGINT`.
+        When not set, `SIGKILL` is assumed and the call waits for the container to exit.
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Rename a container
+
+`POST /containers/(id or name)/rename`
+
+Rename the container `id` to a `new_name`
+
+**Example request**:
+
+    POST /v1.19/containers/e90e34656806/rename?name=new_name HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **name** – new name for the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **409** - conflict name already assigned
+-   **500** – server error
+
+#### Pause a container
+
+`POST /containers/(id or name)/pause`
+
+Pause the container `id`
+
+**Example request**:
+
+    POST /v1.19/containers/e90e34656806/pause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Unpause a container
+
+`POST /containers/(id or name)/unpause`
+
+Unpause the container `id`
+
+**Example request**:
+
+    POST /v1.19/containers/e90e34656806/unpause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Attach to a container
+
+`POST /containers/(id or name)/attach`
+
+Attach to the container `id`
+
+**Example request**:
+
+    POST /v1.19/containers/16253994b7c4/attach?logs=1&stream=0&stdout=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 101 UPGRADED
+    Content-Type: application/vnd.docker.raw-stream
+    Connection: Upgrade
+    Upgrade: tcp
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+**Stream details**:
+
+When using the TTY setting is enabled in
+[`POST /containers/create`
+](#create-a-container),
+the stream is the raw data from the process PTY and client's `stdin`.
+When the TTY is disabled, then the stream is multiplexed to separate
+`stdout` and `stderr`.
+
+The format is a **Header** and a **Payload** (frame).
+
+**HEADER**
+
+The header contains the information which the stream writes (`stdout` or
+`stderr`). It also contains the size of the associated frame encoded in the
+last four bytes (`uint32`).
+
+It is encoded on the first eight bytes like this:
+
+    header := [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}
+
+`STREAM_TYPE` can be:
+
+-   0: `stdin` (is written on `stdout`)
+-   1: `stdout`
+-   2: `stderr`
+
+`SIZE1, SIZE2, SIZE3, SIZE4` are the four bytes of
+the `uint32` size encoded as big endian.
+
+**PAYLOAD**
+
+The payload is the raw stream.
+
+**IMPLEMENTATION**
+
+The simplest way to implement the Attach protocol is the following:
+
+    1.  Read eight bytes.
+    2.  Choose `stdout` or `stderr` depending on the first byte.
+    3.  Extract the frame size from the last four bytes.
+    4.  Read the extracted size and output it on the correct output.
+    5.  Goto 1.
+
+#### Attach to a container (websocket)
+
+`GET /containers/(id or name)/attach/ws`
+
+Attach to the container `id` via websocket
+
+Implements websocket protocol handshake according to [RFC 6455](http://tools.ietf.org/html/rfc6455)
+
+**Example request**
+
+    GET /v1.19/containers/e90e34656806/attach/ws?logs=0&stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
+
+**Example response**
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+#### Wait a container
+
+`POST /containers/(id or name)/wait`
+
+Block until container `id` stops, then returns the exit code
+
+**Example request**:
+
+    POST /v1.19/containers/16253994b7c4/wait HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"StatusCode": 0}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Remove a container
+
+`DELETE /containers/(id or name)`
+
+Remove the container `id` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.19/containers/16253994b7c4?v=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **v** – 1/True/true or 0/False/false, Remove the volumes
+        associated to the container. Default `false`.
+-   **force** - 1/True/true or 0/False/false, Kill then remove the container.
+        Default `false`.
+-   **link** - 1/True/true or 0/False/false, Remove the specified
+        link associated to the container. Default `false`.
+
+**Status codes**:
+
+-   **204** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **409** – conflict
+-   **500** – server error
+
+#### Copy files or folders from a container
+
+`POST /containers/(id or name)/copy`
+
+Copy files or folders of container `id`
+
+**Example request**:
+
+    POST /v1.19/containers/4fa6e0f0c678/copy HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Resource": "test.txt"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+### 2.2 Images
+
+#### List Images
+
+`GET /images/json`
+
+**Example request**:
+
+    GET /v1.19/images/json?all=0 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+         "RepoTags": [
+           "ubuntu:12.04",
+           "ubuntu:precise",
+           "ubuntu:latest"
+         ],
+         "Id": "8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
+         "Created": 1365714795,
+         "Size": 131506275,
+         "VirtualSize": 131506275,
+         "Labels": {}
+      },
+      {
+         "RepoTags": [
+           "ubuntu:12.10",
+           "ubuntu:quantal"
+         ],
+         "ParentId": "27cf784147099545",
+         "Id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
+         "Created": 1364102658,
+         "Size": 24653,
+         "VirtualSize": 180116135,
+         "Labels": {
+            "com.example.version": "v1"
+         }
+      }
+    ]
+
+**Example request, with digest information**:
+
+    GET /v1.19/images/json?digests=1 HTTP/1.1
+
+**Example response, with digest information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+        "Created": 1420064636,
+        "Id": "4986bf8c15363d1c5d15512d5266f8777bfba4974ac56e3270e7760f6f0a8125",
+        "ParentId": "ea13149945cb6b1e746bf28032f02e9b5a793523481a0a18645fc77ad53c4ea2",
+        "RepoDigests": [
+          "localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+        ],
+        "RepoTags": [
+          "localhost:5000/test/busybox:latest",
+          "playdate:latest"
+        ],
+        "Size": 0,
+        "VirtualSize": 2429728,
+        "Labels": {}
+      }
+    ]
+
+The response shows a single image `Id` associated with two repositories
+(`RepoTags`): `localhost:5000/test/busybox`: and `playdate`. A caller can use
+either of the `RepoTags` values `localhost:5000/test/busybox:latest` or
+`playdate:latest` to reference the image.
+
+You can also use `RepoDigests` values to reference an image. In this response,
+the array has only one reference and that is to the
+`localhost:5000/test/busybox` repository; the `playdate` repository has no
+digest. You can reference this digest using the value:
+`localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d...`
+
+See the `docker run` and `docker build` commands for examples of digest and tag
+references on the command line.
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, default false
+-   **filters** – a JSON encoded value of the filters (a map[string][]string) to process on the images list. Available filters:
+  -   `dangling=true`
+  -   `label=key` or `label="key=value"` of an image label
+-   **filter** - only return images with the specified name
+
+#### Build image from a Dockerfile
+
+`POST /build`
+
+Build an image from a Dockerfile
+
+**Example request**:
+
+    POST /v1.19/build HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"stream": "Step 1/5..."}
+    {"stream": "..."}
+    {"error": "Error...", "errorDetail": {"code": 123, "message": "Error..."}}
+
+The input stream must be a `tar` archive compressed with one of the
+following algorithms: `identity` (no compression), `gzip`, `bzip2`, `xz`.
+
+The archive must include a build instructions file, typically called
+`Dockerfile` at the archive's root. The `dockerfile` parameter may be
+used to specify a different build instructions file. To do this, its value must be
+the path to the alternate build instructions file to use.
+
+The archive may include any number of other files,
+which are accessible in the build context (See the [*ADD build
+command*](../reference/builder.md#add)).
+
+The Docker daemon performs a preliminary validation of the `Dockerfile` before
+starting the build, and returns an error if the syntax is incorrect. After that,
+each instruction is run one-by-one until the ID of the new image is output.
+
+The build is canceled if the client drops the connection by quitting
+or being killed.
+
+**Query parameters**:
+
+-   **dockerfile** - Path within the build context to the Dockerfile. This is
+        ignored if `remote` is specified and points to an individual filename.
+-   **t** – A name and optional tag to apply to the image in the `name:tag` format.
+        If you omit the `tag` the default `latest` value is assumed.
+-   **remote** – A Git repository URI or HTTP/HTTPS URI build source. If the
+        URI specifies a filename, the file's contents are placed into a file
+        called `Dockerfile`.
+-   **q** – Suppress verbose build output.
+-   **nocache** – Do not use the cache when building the image.
+-   **pull** - Attempt to pull the image even if an older image exists locally.
+-   **rm** - Remove intermediate containers after a successful build (default behavior).
+-   **forcerm** - Always remove intermediate containers (includes `rm`).
+-   **memory** - Set memory limit for build.
+-   **memswap** - Total memory (memory + swap), `-1` to enable unlimited swap.
+-   **cpushares** - CPU shares (relative weight).
+-   **cpusetcpus** - CPUs in which to allow execution (e.g., `0-3`, `0,1`).
+-   **cpuperiod** - The length of a CPU period in microseconds.
+-   **cpuquota** - Microseconds of CPU time that the container can get in a CPU period.
+
+**Request Headers**:
+
+-   **Content-type** – Set to `"application/x-tar"`.
+-   **X-Registry-Config** – base64-encoded ConfigFile object
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Create an image
+
+`POST /images/create`
+
+Create an image either by pulling it from the registry or by importing it
+
+**Example request**:
+
+    POST /v1.19/images/create?fromImage=busybox&tag=latest HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pulling..."}
+    {"status": "Pulling", "progress": "1 B/ 100 B", "progressDetail": {"current": 1, "total": 100}}
+    {"error": "Invalid..."}
+    ...
+
+When using this endpoint to pull an image from the registry, the
+`X-Registry-Auth` header can be used to include
+a base64-encoded AuthConfig object.
+
+**Query parameters**:
+
+-   **fromImage** – Name of the image to pull.
+-   **fromSrc** – Source to import.  The value may be a URL from which the image
+        can be retrieved or `-` to read the image from the request body.
+-   **repo** – Repository name.
+-   **tag** – Tag. If empty when pulling an image, this causes all tags
+        for the given image to be pulled.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** - repository does not exist or no read access
+-   **500** – server error
+
+
+
+#### Inspect an image
+
+`GET /images/(name)/json`
+
+Return low-level information on the image `name`
+
+**Example request**:
+
+    GET /v1.19/images/ubuntu/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Created": "2013-03-23T22:24:18.818426-07:00",
+       "Container": "3d67245a8d72ecf13f33dffac9f79dcdf70f75acb84d308770391510e0c23ad0",
+       "ContainerConfig": {
+          "Hostname": "",
+          "User": "",
+          "AttachStdin": false,
+          "AttachStdout": false,
+          "AttachStderr": false,
+          "Tty": true,
+          "OpenStdin": true,
+          "StdinOnce": false,
+          "Env": null,
+          "Cmd": ["/bin/bash"],
+          "Dns": null,
+          "Image": "ubuntu",
+          "Labels": {
+             "com.example.vendor": "Acme",
+             "com.example.license": "GPL",
+             "com.example.version": "1.0"
+          },
+          "Volumes": null,
+          "VolumesFrom": "",
+          "WorkingDir": ""
+       },
+       "Id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
+       "Parent": "27cf784147099545",
+       "Size": 6824592
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Get the history of an image
+
+`GET /images/(name)/history`
+
+Return the history of the image `name`
+
+**Example request**:
+
+    GET /v1.19/images/ubuntu/history HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+        {
+            "Id": "3db9c44f45209632d6050b35958829c3a2aa256d81b9a7be45b362ff85c54710",
+            "Created": 1398108230,
+            "CreatedBy": "/bin/sh -c #(nop) ADD file:eb15dbd63394e063b805a3c32ca7bf0266ef64676d5a6fab4801f2e81e2a5148 in /",
+            "Tags": [
+                "ubuntu:lucid",
+                "ubuntu:10.04"
+            ],
+            "Size": 182964289,
+            "Comment": ""
+        },
+        {
+            "Id": "6cfa4d1f33fb861d4d114f43b25abd0ac737509268065cdfd69d544a59c85ab8",
+            "Created": 1398108222,
+            "CreatedBy": "/bin/sh -c #(nop) MAINTAINER Tianon Gravi <admwiggin@gmail.com> - mkimage-debootstrap.sh -i iproute,iputils-ping,ubuntu-minimal -t lucid.tar.xz lucid http://archive.ubuntu.com/ubuntu/",
+            "Tags": null,
+            "Size": 0,
+            "Comment": ""
+        },
+        {
+            "Id": "511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158",
+            "Created": 1371157430,
+            "CreatedBy": "",
+            "Tags": [
+                "scratch12:latest",
+                "scratch:latest"
+            ],
+            "Size": 0,
+            "Comment": "Imported from -"
+        }
+    ]
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Push an image on the registry
+
+`POST /images/(name)/push`
+
+Push the image `name` on the registry
+
+**Example request**:
+
+    POST /v1.19/images/test/push HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pushing..."}
+    {"status": "Pushing", "progress": "1/? (n/a)", "progressDetail": {"current": 1}}}
+    {"error": "Invalid..."}
+    ...
+
+If you wish to push an image on to a private registry, that image must already have a tag
+into a repository which references that registry `hostname` and `port`.  This repository name should
+then be used in the URL. This duplicates the command line's flow.
+
+**Example request**:
+
+    POST /v1.19/images/registry.acme.com:5000/test/push HTTP/1.1
+
+
+**Query parameters**:
+
+-   **tag** – The tag to associate with the image on the registry. This is optional.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Tag an image into a repository
+
+`POST /images/(name)/tag`
+
+Tag the image `name` into a repository
+
+**Example request**:
+
+    POST /v1.19/images/test/tag?repo=myrepo&force=0&tag=v42 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+
+**Query parameters**:
+
+-   **repo** – The repository to tag in
+-   **force** – 1/True/true or 0/False/false, default false
+-   **tag** - The new tag name
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Remove an image
+
+`DELETE /images/(name)`
+
+Remove the image `name` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.19/images/test HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-type: application/json
+
+    [
+     {"Untagged": "3e2f21a89f"},
+     {"Deleted": "3e2f21a89f"},
+     {"Deleted": "53b4f83ac9"}
+    ]
+
+**Query parameters**:
+
+-   **force** – 1/True/true or 0/False/false, default false
+-   **noprune** – 1/True/true or 0/False/false, default false
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Search images
+
+`GET /images/search`
+
+Search for an image on [Docker Hub](https://hub.docker.com). This API
+returns both `is_trusted` and `is_automated` images. Currently, they
+are considered identical. In the future, the `is_trusted` property will
+be deprecated and replaced by the `is_automated` property.
+
+> **Note**:
+> The response keys have changed from API v1.6 to reflect the JSON
+> sent by the registry server to the docker daemon's request.
+
+**Example request**:
+
+    GET /v1.19/images/search?term=sshd HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+            {
+                "star_count": 12,
+                "is_official": false,
+                "name": "wma55/u1210sshd",
+                "is_trusted": false,
+                "is_automated": false,
+                "description": ""
+            },
+            {
+                "star_count": 10,
+                "is_official": false,
+                "name": "jdswinbank/sshd",
+                "is_trusted": false,
+                "is_automated": false,
+                "description": ""
+            },
+            {
+                "star_count": 18,
+                "is_official": false,
+                "name": "vgauthier/sshd",
+                "is_trusted": false,
+                "is_automated": false,
+                "description": ""
+            }
+    ...
+    ]
+
+**Query parameters**:
+
+-   **term** – term to search
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+### 2.3 Misc
+
+#### Check auth configuration
+
+`POST /auth`
+
+Get the default username and email
+
+**Example request**:
+
+    POST /v1.19/auth HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "username": "hannibal",
+         "password": "xxxx",
+         "email": "hannibal@a-team.com",
+         "serveraddress": "https://index.docker.io/v1/"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** – no error
+-   **204** – no error
+-   **500** – server error
+
+#### Display system-wide information
+
+`GET /info`
+
+Display system-wide information
+
+**Example request**:
+
+    GET /v1.19/info HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+        "Containers": 11,
+        "CpuCfsPeriod": true,
+        "CpuCfsQuota": true,
+        "Debug": false,
+        "DockerRootDir": "/var/lib/docker",
+        "Driver": "btrfs",
+        "DriverStatus": [[""]],
+        "ExecutionDriver": "native-0.1",
+        "ExperimentalBuild": false,
+        "HttpProxy": "http://test:test@localhost:8080",
+        "HttpsProxy": "https://test:test@localhost:8080",
+        "ID": "7TRN:IPZB:QYBB:VPBQ:UMPP:KARE:6ZNR:XE6T:7EWV:PKF4:ZOJD:TPYS",
+        "IPv4Forwarding": true,
+        "Images": 16,
+        "IndexServerAddress": "https://index.docker.io/v1/",
+        "InitPath": "/usr/bin/docker",
+        "InitSha1": "",
+        "KernelVersion": "3.12.0-1-amd64",
+        "Labels": [
+            "storage=ssd"
+        ],
+        "MemTotal": 2099236864,
+        "MemoryLimit": true,
+        "NCPU": 1,
+        "NEventsListener": 0,
+        "NFd": 11,
+        "NGoroutines": 21,
+        "Name": "prod-server-42",
+        "NoProxy": "9.81.1.160",
+        "OomKillDisable": true,
+        "OperatingSystem": "Boot2Docker",
+        "RegistryConfig": {
+            "IndexConfigs": {
+                "docker.io": {
+                    "Mirrors": null,
+                    "Name": "docker.io",
+                    "Official": true,
+                    "Secure": true
+                }
+            },
+            "InsecureRegistryCIDRs": [
+                "127.0.0.0/8"
+            ]
+        },
+        "SwapLimit": false,
+        "SystemTime": "2015-03-10T11:11:23.730591467-07:00"
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Show the docker version information
+
+`GET /version`
+
+Show the docker version information
+
+**Example request**:
+
+    GET /v1.19/version HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+         "Version": "1.5.0",
+         "Os": "linux",
+         "KernelVersion": "3.18.5-tinycore64",
+         "GoVersion": "go1.4.1",
+         "GitCommit": "a8a31ef",
+         "Arch": "amd64",
+         "ApiVersion": "1.19"
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Ping the docker server
+
+`GET /_ping`
+
+Ping the docker server
+
+**Example request**:
+
+    GET /v1.19/_ping HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: text/plain
+
+    OK
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a new image from a container's changes
+
+`POST /commit`
+
+Create a new image from a container's changes
+
+**Example request**:
+
+    POST /v1.19/commit?container=44c004db4b17&comment=message&repo=myrepo HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Hostname": "",
+         "Domainname": "",
+         "User": "",
+         "AttachStdin": false,
+         "AttachStdout": true,
+         "AttachStderr": true,
+         "PortSpecs": null,
+         "Tty": false,
+         "OpenStdin": false,
+         "StdinOnce": false,
+         "Env": null,
+         "Cmd": [
+                 "date"
+         ],
+         "Volumes": {
+                 "/tmp": {}
+         },
+         "Labels": {
+                 "key1": "value1",
+                 "key2": "value2"
+          },
+         "WorkingDir": "",
+         "NetworkDisabled": false,
+         "ExposedPorts": {
+                 "22/tcp": {}
+         }
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {"Id": "596069db4bf5"}
+
+**JSON parameters**:
+
+-  **config** - the container's configuration
+
+**Query parameters**:
+
+-   **container** – source container
+-   **repo** – repository
+-   **tag** – tag
+-   **comment** – commit message
+-   **author** – author (e.g., "John Hannibal Smith
+    <[hannibal@a-team.com](mailto:hannibal%40a-team.com)>")
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Monitor Docker's events
+
+`GET /events`
+
+Get container events from docker, in real time via streaming.
+
+Docker containers report the following events:
+
+    attach, commit, copy, create, destroy, die, exec_create, exec_start, export, kill, oom, pause, rename, resize, restart, start, stop, top, unpause
+
+Docker images report the following events:
+
+    untag, delete
+
+**Example request**:
+
+    GET /v1.19/events?since=1374067924
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "create", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067924}
+    {"status": "start", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067924}
+    {"status": "stop", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067966}
+    {"status": "destroy", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067970}
+
+**Query parameters**:
+
+-   **since** – Timestamp. Show all events created since timestamp and then stream
+-   **until** – Timestamp. Show events created until given timestamp and stop streaming
+-   **filters** – A json encoded value of the filters (a map[string][]string) to process on the event list. Available filters:
+  -   `container=<string>`; -- container to filter
+  -   `event=<string>`; -- event to filter
+  -   `image=<string>`; -- image to filter
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images in a repository
+
+`GET /images/(name)/get`
+
+Get a tarball containing all images and metadata for the repository specified
+by `name`.
+
+If `name` is a specific name and tag (e.g. ubuntu:latest), then only that image
+(and its parents) are returned. If `name` is an image ID, similarly only that
+image (and its parents) are returned, but with the exclusion of the
+'repositories' file in the tarball, as there were no image names referenced.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.19/images/ubuntu/get
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images
+
+`GET /images/get`
+
+Get a tarball containing all images and metadata for one or more repositories.
+
+For each value of the `names` parameter: if it is a specific name and tag (e.g.
+`ubuntu:latest`), then only that image (and its parents) are returned; if it is
+an image ID, similarly only that image (and its parents) are returned and there
+would be no names referenced in the 'repositories' file for this image ID.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.19/images/get?names=myname%2Fmyapp%3Alatest&names=busybox
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Load a tarball with a set of images and tags into docker
+
+`POST /images/load`
+
+Load a set of images and tags into a Docker repository.
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    POST /v1.19/images/load
+    Content-Type: application/x-tar
+    Content-Length: 12345
+
+    Tarball in body
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Image tarball format
+
+An image tarball contains one directory per image layer (named using its long ID),
+each containing these files:
+
+- `VERSION`: currently `1.0` - the file format version
+- `json`: detailed layer information, similar to `docker inspect layer_id`
+- `layer.tar`: A tarfile containing the filesystem changes in this layer
+
+The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories
+for storing attribute changes and deletions.
+
+If the tarball defines a repository, the tarball should also include a `repositories` file at
+the root that contains a list of repository and tag names mapped to layer IDs.
+
+```
+{"hello-world":
+    {"latest": "565a9d68a73f6706862bfe8409a7f659776d4d60a8d096eb4a3cbce6999cc2a1"}
+}
+```
+
+#### Exec Create
+
+`POST /containers/(id or name)/exec`
+
+Sets up an exec instance in a running container `id`
+
+**Example request**:
+
+    POST /v1.19/containers/e90e34656806/exec HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "AttachStdin": true,
+      "AttachStdout": true,
+      "AttachStderr": true,
+      "Cmd": ["sh"],
+      "Tty": true,
+      "User": "123:456"
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+         "Id": "f90e34656806",
+         "Warnings":[]
+    }
+
+**JSON parameters**:
+
+-   **AttachStdin** - Boolean value, attaches to `stdin` of the `exec` command.
+-   **AttachStdout** - Boolean value, attaches to `stdout` of the `exec` command.
+-   **AttachStderr** - Boolean value, attaches to `stderr` of the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **User** - A string value specifying the user, and optionally, group to run
+        the exec process inside the container. Format is one of: `"user"`,
+        `"user:group"`, `"uid"`, or `"uid:gid"`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+
+#### Exec Start
+
+`POST /exec/(id)/start`
+
+Starts a previously set up `exec` instance `id`. If `detach` is true, this API
+returns after starting the `exec` command. Otherwise, this API sets up an
+interactive session with the `exec` command.
+
+**Example request**:
+
+    POST /v1.19/exec/e90e34656806/start HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+     "Detach": false,
+     "Tty": false
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/vnd.docker.raw-stream
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**JSON parameters**:
+
+-   **Detach** - Detach from the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+
+**Stream details**:
+
+Similar to the stream behavior of `POST /containers/(id or name)/attach` API
+
+#### Exec Resize
+
+`POST /exec/(id)/resize`
+
+Resizes the `tty` session used by the `exec` command `id`.  The unit is number of characters.
+This API is valid only if `tty` was specified as part of creating and starting the `exec` command.
+
+**Example request**:
+
+    POST /v1.19/exec/e90e34656806/resize?h=40&w=80 HTTP/1.1
+    Content-Type: text/plain
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: text/plain
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such exec instance
+
+#### Exec Inspect
+
+`GET /exec/(id)/json`
+
+Return low-level information about the `exec` command `id`.
+
+**Example request**:
+
+    GET /v1.19/exec/11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: plain/text
+
+    {
+      "ID" : "11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39",
+      "Running" : false,
+      "ExitCode" : 2,
+      "ProcessConfig" : {
+        "privileged" : false,
+        "user" : "",
+        "tty" : false,
+        "entrypoint" : "sh",
+        "arguments" : [
+          "-c",
+          "exit 2"
+        ]
+      },
+      "OpenStdin" : false,
+      "OpenStderr" : false,
+      "OpenStdout" : false,
+      "Container" : {
+        "State" : {
+          "Running" : true,
+          "Paused" : false,
+          "Restarting" : false,
+          "OOMKilled" : false,
+          "Pid" : 3650,
+          "ExitCode" : 0,
+          "Error" : "",
+          "StartedAt" : "2014-11-17T22:26:03.717657531Z",
+          "FinishedAt" : "0001-01-01T00:00:00Z"
+        },
+        "ID" : "8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c",
+        "Created" : "2014-11-17T22:26:03.626304998Z",
+        "Path" : "date",
+        "Args" : [],
+        "Config" : {
+          "Hostname" : "8f177a186b97",
+          "Domainname" : "",
+          "User" : "",
+          "AttachStdin" : false,
+          "AttachStdout" : false,
+          "AttachStderr" : false,
+          "PortSpecs": null,
+          "ExposedPorts" : null,
+          "Tty" : false,
+          "OpenStdin" : false,
+          "StdinOnce" : false,
+          "Env" : [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ],
+          "Cmd" : [
+            "date"
+          ],
+          "Image" : "ubuntu",
+          "Volumes" : null,
+          "WorkingDir" : "",
+          "Entrypoint" : null,
+          "NetworkDisabled" : false,
+          "MacAddress" : "",
+          "OnBuild" : null,
+          "SecurityOpt" : null
+        },
+        "Image" : "5506de2b643be1e6febbf3b8a240760c6843244c41e12aa2f60ccbb7153d17f5",
+        "NetworkSettings" : {
+          "IPAddress" : "172.17.0.2",
+          "IPPrefixLen" : 16,
+          "MacAddress" : "02:42:ac:11:00:02",
+          "Gateway" : "172.17.42.1",
+          "Bridge" : "docker0",
+          "PortMapping" : null,
+          "Ports" : {}
+        },
+        "ResolvConfPath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/resolv.conf",
+        "HostnamePath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/hostname",
+        "HostsPath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/hosts",
+        "LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+        "Name" : "/test",
+        "Driver" : "aufs",
+        "ExecDriver" : "native-0.2",
+        "MountLabel" : "",
+        "ProcessLabel" : "",
+        "AppArmorProfile" : "",
+        "RestartCount" : 0,
+        "Volumes" : {},
+        "VolumesRW" : {}
+      }
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **500** - server error
+
+## 3. Going further
+
+### 3.1 Inside `docker run`
+
+As an example, the `docker run` command line makes the following API calls:
+
+- Create the container
+
+- If the status code is 404, it means the image doesn't exist:
+    - Try to pull it.
+    - Then, retry to create the container.
+
+- Start the container.
+
+- If you are not in detached mode:
+- Attach to the container, using `logs=1` (to have `stdout` and
+      `stderr` from the container's start) and `stream=1`
+
+- If in detached mode or only `stdin` is attached, display the container's id.
+
+### 3.2 Hijacking
+
+In this version of the API, `/attach`, uses hijacking to transport `stdin`,
+`stdout`, and `stderr` on the same socket.
+
+To hint potential proxies about connection hijacking, Docker client sends
+connection upgrade headers similarly to websocket.
+
+    Upgrade: tcp
+    Connection: Upgrade
+
+When Docker daemon detects the `Upgrade` header, it switches its status code
+from **200 OK** to **101 UPGRADED** and resends the same headers.
+
+
+### 3.3 CORS Requests
+
+To set cross origin requests to the Engine API please give values to
+`--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
+default or blank means CORS disabled
+
+    $ docker -d -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
diff --git a/engine/docs/api/v1.20.md b/engine/docs/api/v1.20.md
new file mode 100644
index 00000000..19942812
--- /dev/null
+++ b/engine/docs/api/v1.20.md
@@ -0,0 +1,2414 @@
+---
+title: "Engine API v1.20"
+description: "API Documentation for Docker"
+keywords: "API, Docker, rcli, REST, documentation"
+redirect_from:
+- /engine/reference/api/docker_remote_api_v1.20/
+- /reference/api/docker_remote_api_v1.20/
+---
+
+<!-- This file is maintained within the moby/moby GitHub
+     repository at https://github.com/moby/moby/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+## 1. Brief introduction
+
+ - The daemon listens on `unix:///var/run/docker.sock` but you can
+   [Bind Docker to another host/port or a Unix socket](../reference/commandline/dockerd.md#bind-docker-to-another-host-port-or-a-unix-socket).
+ - The API tends to be REST. However, for some complex commands, like `attach`
+   or `pull`, the HTTP connection is hijacked to transport `stdout`,
+   `stdin` and `stderr`.
+ - A `Content-Length` header should be present in `POST` requests to endpoints
+   that expect a body.
+ - To lock to a specific version of the API, you prefix the URL with the version
+   of the API to use. For example, `/v1.18/info`. If no version is included in
+   the URL, the maximum supported API version is used.
+ - If the API version specified in the URL is not supported by the daemon, a HTTP
+   `400 Bad Request` error message is returned.
+
+## 2. Endpoints
+
+### 2.1 Containers
+
+#### List containers
+
+`GET /containers/json`
+
+List containers
+
+**Example request**:
+
+    GET /v1.20/containers/json?all=1&before=8dfafdbc3a40&size=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Id": "8dfafdbc3a40",
+                 "Names":["/boring_feynman"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 1",
+                 "Created": 1367854155,
+                 "Status": "Exit 0",
+                 "Ports": [{"PrivatePort": 2222, "PublicPort": 3333, "Type": "tcp"}],
+                 "Labels": {
+                         "com.example.vendor": "Acme",
+                         "com.example.license": "GPL",
+                         "com.example.version": "1.0"
+                 },
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         },
+         {
+                 "Id": "9cd87474be90",
+                 "Names":["/coolName"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 222222",
+                 "Created": 1367854155,
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         },
+         {
+                 "Id": "3176a2479c92",
+                 "Names":["/sleepy_dog"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 3333333333333333",
+                 "Created": 1367854154,
+                 "Status": "Exit 0",
+                 "Ports":[],
+                 "Labels": {},
+                 "SizeRw":12288,
+                 "SizeRootFs":0
+         },
+         {
+                 "Id": "4cb07b47f9fb",
+                 "Names":["/running_cat"],
+                 "Image": "ubuntu:latest",
+                 "Command": "echo 444444444444444444444444444444444",
+                 "Created": 1367854152,
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         }
+    ]
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, Show all containers.
+        Only running containers are shown by default (i.e., this defaults to false)
+-   **limit** – Show `limit` last created
+        containers, include non-running ones.
+-   **since** – Show only containers created since Id, include
+        non-running ones.
+-   **before** – Show only containers created before Id, include
+        non-running ones.
+-   **size** – 1/True/true or 0/False/false, Show the containers
+        sizes
+-   **filters** - a JSON encoded value of the filters (a `map[string][]string`) to process on the containers list. Available filters:
+  -   `exited=<int>`; -- containers with exit code of  `<int>` ;
+  -   `status=`(`created`|`restarting`|`running`|`paused`|`exited`)
+  -   `label=key` or `label="key=value"` of a container label
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **500** – server error
+
+#### Create a container
+
+`POST /containers/create`
+
+Create a container
+
+**Example request**:
+
+    POST /v1.20/containers/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+           "Hostname": "",
+           "Domainname": "",
+           "User": "",
+           "AttachStdin": false,
+           "AttachStdout": true,
+           "AttachStderr": true,
+           "Tty": false,
+           "OpenStdin": false,
+           "StdinOnce": false,
+           "Env": [
+                   "FOO=bar",
+                   "BAZ=quux"
+           ],
+           "Cmd": [
+                   "date"
+           ],
+           "Entrypoint": null,
+           "Image": "ubuntu",
+           "Labels": {
+                   "com.example.vendor": "Acme",
+                   "com.example.license": "GPL",
+                   "com.example.version": "1.0"
+           },
+           "Volumes": {
+             "/volumes/data": {}
+           },
+           "WorkingDir": "",
+           "NetworkDisabled": false,
+           "MacAddress": "12:34:56:78:9a:bc",
+           "ExposedPorts": {
+                   "22/tcp": {}
+           },
+           "HostConfig": {
+             "Binds": ["/tmp:/tmp"],
+             "Links": ["redis3:redis"],
+             "LxcConf": {"lxc.utsname":"docker"},
+             "Memory": 0,
+             "MemorySwap": 0,
+             "CpuShares": 512,
+             "CpuPeriod": 100000,
+             "CpuQuota": 50000,
+             "CpusetCpus": "0,1",
+             "CpusetMems": "0,1",
+             "BlkioWeight": 300,
+             "MemorySwappiness": 60,
+             "OomKillDisable": false,
+             "PidMode": "",
+             "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+             "PublishAllPorts": false,
+             "Privileged": false,
+             "ReadonlyRootfs": false,
+             "Dns": ["8.8.8.8"],
+             "DnsSearch": [""],
+             "ExtraHosts": null,
+             "VolumesFrom": ["parent", "other:ro"],
+             "CapAdd": ["NET_ADMIN"],
+             "CapDrop": ["MKNOD"],
+             "GroupAdd": ["newgroup"],
+             "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+             "NetworkMode": "bridge",
+             "Devices": [],
+             "Ulimits": [{}],
+             "LogConfig": { "Type": "json-file", "Config": {} },
+             "SecurityOpt": [],
+             "CgroupParent": ""
+          }
+      }
+
+**Example response**:
+
+      HTTP/1.1 201 Created
+      Content-Type: application/json
+
+      {
+           "Id":"e90e34656806",
+           "Warnings":[]
+      }
+
+**JSON parameters**:
+
+-   **Hostname** - A string value containing the hostname to use for the
+      container.
+-   **Domainname** - A string value containing the domain name to use
+      for the container.
+-   **User** - A string value specifying the user inside the container.
+-   **AttachStdin** - Boolean value, attaches to `stdin`.
+-   **AttachStdout** - Boolean value, attaches to `stdout`.
+-   **AttachStderr** - Boolean value, attaches to `stderr`.
+-   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
+-   **OpenStdin** - Boolean value, opens `stdin`,
+-   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Entrypoint** - Set the entry point for the container as a string or an array
+      of strings.
+-   **Image** - A string specifying the image name to use for the container.
+-   **Volumes** - An object mapping mount point paths (strings) inside the
+      container to empty objects.
+-   **WorkingDir** - A string specifying the working directory for commands to
+      run in.
+-   **NetworkDisabled** - Boolean value, when true disables networking for the
+      container
+-   **ExposedPorts** - An object mapping ports to an empty object in the form of:
+      `"ExposedPorts": { "<port>/<tcp|udp>: {}" }`
+-   **HostConfig**
+    -   **Binds** – A list of bind mounts for this container. Each item is a string in one of these forms:
+           + `host-src:container-dest` to bind-mount a host path into the
+             container. Both `host-src`, and `container-dest` must be an
+             _absolute_ path.
+           + `host-src:container-dest:ro` to make the bind mount read-only
+             inside the container. Both `host-src`, and `container-dest` must be
+             an _absolute_ path.
+    -   **Links** - A list of links for the container. Each link entry should be
+          in the form of `container_name:alias`.
+    -   **LxcConf** - LXC specific configurations. These configurations only
+          work when using the `lxc` execution driver.
+    -   **Memory** - Memory limit in bytes.
+    -   **MemorySwap** - Total memory limit (memory + swap); set `-1` to enable unlimited swap.
+          You must use this with `memory` and make the swap value larger than `memory`.
+    -   **CpuShares** - An integer value containing the container's CPU Shares
+          (ie. the relative weight vs other containers).
+    -   **CpuPeriod** - The length of a CPU period in microseconds.
+    -   **CpuQuota** - Microseconds of CPU time that the container can get in a CPU period.
+    -   **CpusetCpus** - String value containing the `cgroups CpusetCpus` to use.
+    -   **CpusetMems** - Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.
+    -   **BlkioWeight** - Block IO weight (relative weight) accepts a weight value between 10 and 1000.
+    -   **MemorySwappiness** - Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
+    -   **OomKillDisable** - Boolean value, whether to disable OOM Killer for the container or not.
+    -   **PidMode** - Set the PID (Process) Namespace mode for the container;
+          `"container:<name|id>"`: joins another container's PID namespace
+          `"host"`: use the host's PID namespace inside the container
+    -   **PortBindings** - A map of exposed container ports and the host port they
+          should map to. A JSON object in the form
+          `{ <port>/<protocol>: [{ "HostPort": "<port>" }] }`
+          Take note that `port` is specified as a string and not an integer value.
+    -   **PublishAllPorts** - Allocates an ephemeral host port for all of a container's
+          exposed ports. Specified as a boolean value.
+
+          Ports are de-allocated when the container stops and allocated when the container starts.
+          The allocated port might be changed when restarting the container.
+
+          The port is selected from the ephemeral port range that depends on the kernel.
+          For example, on Linux the range is defined by `/proc/sys/net/ipv4/ip_local_port_range`.
+    -   **Privileged** - Gives the container full access to the host. Specified as
+          a boolean value.
+    -   **ReadonlyRootfs** - Mount the container's root filesystem as read only.
+          Specified as a boolean value.
+    -   **Dns** - A list of DNS servers for the container to use.
+    -   **DnsSearch** - A list of DNS search domains
+    -   **ExtraHosts** - A list of hostnames/IP mappings to add to the
+        container's `/etc/hosts` file. Specified in the form `["hostname:IP"]`.
+    -   **VolumesFrom** - A list of volumes to inherit from another container.
+          Specified in the form `<container name>[:<ro|rw>]`
+    -   **CapAdd** - A list of kernel capabilities to add to the container.
+    -   **Capdrop** - A list of kernel capabilities to drop from the container.
+    -   **GroupAdd** - A list of additional groups that the container process will run as
+    -   **RestartPolicy** – The behavior to apply when the container exits.  The
+            value is an object with a `Name` property of either `"always"` to
+            always restart or `"on-failure"` to restart only when the container
+            exit code is non-zero.  If `on-failure` is used, `MaximumRetryCount`
+            controls the number of times to retry before giving up.
+            The default is not to restart. (optional)
+            An ever increasing delay (double the previous delay, starting at 100mS)
+            is added before each restart to prevent flooding the server.
+    -   **NetworkMode** - Sets the networking mode for the container. Supported
+          values are: `bridge`, `host`, `none`, and `container:<name|id>`
+    -   **Devices** - A list of devices to add to the container specified as a JSON object in the
+      form
+          `{ "PathOnHost": "/dev/deviceName", "PathInContainer": "/dev/deviceName", "CgroupPermissions": "mrw"}`
+    -   **Ulimits** - A list of ulimits to set in the container, specified as
+          `{ "Name": <name>, "Soft": <soft limit>, "Hard": <hard limit> }`, for example:
+          `Ulimits: { "Name": "nofile", "Soft": 1024, "Hard": 2048 }`
+    -   **SecurityOpt**: A list of string values to customize labels for MLS
+        systems, such as SELinux.
+    -   **LogConfig** - Log configuration for the container, specified as a JSON object in the form
+          `{ "Type": "<driver_name>", "Config": {"key1": "val1"}}`.
+          Available types: `json-file`, `syslog`, `journald`, `gelf`, `none`.
+          `json-file` logging driver.
+    -   **CgroupParent** - Path to `cgroups` under which the container's `cgroup` is created. If the path is not absolute, the path is considered to be relative to the `cgroups` path of the init process. Cgroups are created if they do not already exist.
+
+**Query parameters**:
+
+-   **name** – Assign the specified name to the container. Must
+    match `/?[a-zA-Z0-9_-]+`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **406** – impossible to attach (container not running)
+-   **409** – conflict
+-   **500** – server error
+
+#### Inspect a container
+
+`GET /containers/(id or name)/json`
+
+Return low-level information on the container `id`
+
+**Example request**:
+
+      GET /v1.20/containers/4fa6e0f0c678/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+	{
+		"AppArmorProfile": "",
+		"Args": [
+			"-c",
+			"exit 9"
+		],
+		"Config": {
+			"AttachStderr": true,
+			"AttachStdin": false,
+			"AttachStdout": true,
+			"Cmd": [
+				"/bin/sh",
+				"-c",
+				"exit 9"
+			],
+			"Domainname": "",
+			"Entrypoint": null,
+			"Env": [
+				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+			],
+			"ExposedPorts": null,
+			"Hostname": "ba033ac44011",
+			"Image": "ubuntu",
+			"Labels": {
+				"com.example.vendor": "Acme",
+				"com.example.license": "GPL",
+				"com.example.version": "1.0"
+			},
+			"MacAddress": "",
+			"NetworkDisabled": false,
+			"OnBuild": null,
+			"OpenStdin": false,
+			"StdinOnce": false,
+			"Tty": false,
+			"User": "",
+			"Volumes": null,
+			"WorkingDir": ""
+		},
+		"Created": "2015-01-06T15:47:31.485331387Z",
+		"Driver": "devicemapper",
+		"ExecDriver": "native-0.2",
+		"ExecIDs": null,
+		"HostConfig": {
+			"Binds": null,
+			"BlkioWeight": 0,
+			"CapAdd": null,
+			"CapDrop": null,
+			"ContainerIDFile": "",
+			"CpusetCpus": "",
+			"CpusetMems": "",
+			"CpuShares": 0,
+			"CpuPeriod": 100000,
+			"Devices": [],
+			"Dns": null,
+			"DnsSearch": null,
+			"ExtraHosts": null,
+			"IpcMode": "",
+			"Links": null,
+			"LxcConf": [],
+			"Memory": 0,
+			"MemorySwap": 0,
+			"OomKillDisable": false,
+			"NetworkMode": "bridge",
+			"PidMode": "",
+			"PortBindings": {},
+			"Privileged": false,
+			"ReadonlyRootfs": false,
+			"PublishAllPorts": false,
+			"RestartPolicy": {
+				"MaximumRetryCount": 2,
+				"Name": "on-failure"
+			},
+			"LogConfig": {
+				"Config": null,
+				"Type": "json-file"
+			},
+			"SecurityOpt": null,
+			"VolumesFrom": null,
+			"Ulimits": [{}]
+		},
+		"HostnamePath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hostname",
+		"HostsPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hosts",
+		"LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+		"Id": "ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39",
+		"Image": "04c5d3b7b0656168630d3ba35d8889bd0e9caafcaeb3004d2bfbc47e7c5d35d2",
+		"MountLabel": "",
+		"Name": "/boring_euclid",
+		"NetworkSettings": {
+			"Bridge": "",
+			"Gateway": "",
+			"IPAddress": "",
+			"IPPrefixLen": 0,
+			"MacAddress": "",
+			"PortMapping": null,
+			"Ports": null
+		},
+		"Path": "/bin/sh",
+		"ProcessLabel": "",
+		"ResolvConfPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/resolv.conf",
+		"RestartCount": 1,
+		"State": {
+			"Error": "",
+			"ExitCode": 9,
+			"FinishedAt": "2015-01-06T15:47:32.080254511Z",
+			"OOMKilled": false,
+			"Paused": false,
+			"Pid": 0,
+			"Restarting": false,
+			"Running": true,
+			"StartedAt": "2015-01-06T15:47:32.072697474Z"
+		},
+		"Mounts": [
+			{
+				"Source": "/data",
+				"Destination": "/data",
+				"Mode": "ro,Z",
+				"RW": false
+			}
+		]
+	}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### List processes running inside a container
+
+`GET /containers/(id or name)/top`
+
+List processes running inside the container `id`. On Unix systems this
+is done by running the `ps` command. This endpoint is not
+supported on Windows.
+
+**Example request**:
+
+    GET /v1.20/containers/4fa6e0f0c678/top HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Titles" : [
+         "UID", "PID", "PPID", "C", "STIME", "TTY", "TIME", "CMD"
+       ],
+       "Processes" : [
+         [
+           "root", "13642", "882", "0", "17:03", "pts/0", "00:00:00", "/bin/bash"
+         ],
+         [
+           "root", "13735", "13642", "0", "17:06", "pts/0", "00:00:00", "sleep 10"
+         ]
+       ]
+    }
+
+**Example request**:
+
+    GET /v1.20/containers/4fa6e0f0c678/top?ps_args=aux HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Titles" : [
+        "USER","PID","%CPU","%MEM","VSZ","RSS","TTY","STAT","START","TIME","COMMAND"
+      ]
+      "Processes" : [
+        [
+          "root","13642","0.0","0.1","18172","3184","pts/0","Ss","17:03","0:00","/bin/bash"
+        ],
+        [
+          "root","13895","0.0","0.0","4348","692","pts/0","S+","17:15","0:00","sleep 10"
+        ]
+      ],
+    }
+
+**Query parameters**:
+
+-   **ps_args** – `ps` arguments to use (e.g., `aux`), defaults to `-ef`
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container logs
+
+`GET /containers/(id or name)/logs`
+
+Get `stdout` and `stderr` logs from the container ``id``
+
+> **Note**:
+> This endpoint works only for containers with the `json-file` or `journald` logging drivers.
+
+**Example request**:
+
+     GET /v1.20/containers/4fa6e0f0c678/logs?stderr=1&stdout=1&timestamps=1&follow=1&tail=10&since=1428990821 HTTP/1.1
+
+**Example response**:
+
+     HTTP/1.1 101 UPGRADED
+     Content-Type: application/vnd.docker.raw-stream
+     Connection: Upgrade
+     Upgrade: tcp
+
+     {% raw %}
+     {{ STREAM }}
+     {% endraw %}
+
+**Query parameters**:
+
+-   **follow** – 1/True/true or 0/False/false, return stream. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, show `stdout` log. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, show `stderr` log. Default `false`.
+-   **since** – UNIX timestamp (integer) to filter logs. Specifying a timestamp
+    will only output log-entries since that timestamp. Default: 0 (unfiltered)
+-   **timestamps** – 1/True/true or 0/False/false, print timestamps for
+        every log line. Default `false`.
+-   **tail** – Output specified number of lines at the end of logs: `all` or `<number>`. Default all.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **404** – no such container
+-   **500** – server error
+
+#### Inspect changes on a container's filesystem
+
+`GET /containers/(id or name)/changes`
+
+Inspect changes on container `id`'s filesystem
+
+**Example request**:
+
+    GET /v1.20/containers/4fa6e0f0c678/changes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Path": "/dev",
+                 "Kind": 0
+         },
+         {
+                 "Path": "/dev/kmsg",
+                 "Kind": 1
+         },
+         {
+                 "Path": "/test",
+                 "Kind": 1
+         }
+    ]
+
+Values for `Kind`:
+
+- `0`: Modify
+- `1`: Add
+- `2`: Delete
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Export a container
+
+`GET /containers/(id or name)/export`
+
+Export the contents of container `id`
+
+**Example request**:
+
+    GET /v1.20/containers/4fa6e0f0c678/export HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/octet-stream
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container stats based on resource usage
+
+`GET /containers/(id or name)/stats`
+
+This endpoint returns a live stream of a container's resource usage statistics.
+
+**Example request**:
+
+    GET /v1.20/containers/redis1/stats HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Type: application/json
+
+      {
+         "read" : "2015-01-08T22:57:31.547920715Z",
+         "network" : {
+            "rx_dropped" : 0,
+            "rx_bytes" : 648,
+            "rx_errors" : 0,
+            "tx_packets" : 8,
+            "tx_dropped" : 0,
+            "rx_packets" : 8,
+            "tx_errors" : 0,
+            "tx_bytes" : 648
+         },
+         "memory_stats" : {
+            "stats" : {
+               "total_pgmajfault" : 0,
+               "cache" : 0,
+               "mapped_file" : 0,
+               "total_inactive_file" : 0,
+               "pgpgout" : 414,
+               "rss" : 6537216,
+               "total_mapped_file" : 0,
+               "writeback" : 0,
+               "unevictable" : 0,
+               "pgpgin" : 477,
+               "total_unevictable" : 0,
+               "pgmajfault" : 0,
+               "total_rss" : 6537216,
+               "total_rss_huge" : 6291456,
+               "total_writeback" : 0,
+               "total_inactive_anon" : 0,
+               "rss_huge" : 6291456,
+               "hierarchical_memory_limit" : 67108864,
+               "total_pgfault" : 964,
+               "total_active_file" : 0,
+               "active_anon" : 6537216,
+               "total_active_anon" : 6537216,
+               "total_pgpgout" : 414,
+               "total_cache" : 0,
+               "inactive_anon" : 0,
+               "active_file" : 0,
+               "pgfault" : 964,
+               "inactive_file" : 0,
+               "total_pgpgin" : 477
+            },
+            "max_usage" : 6651904,
+            "usage" : 6537216,
+            "failcnt" : 0,
+            "limit" : 67108864
+         },
+         "blkio_stats" : {},
+         "cpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24472255,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100215355,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 739306590000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         },
+         "precpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24350896,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100093996,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 9492140000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         }
+      }
+
+The `precpu_stats` is the cpu statistic of *previous* read, which is used for calculating the cpu usage percent. It is not the exact copy of the `cpu_stats` field.
+
+**Query parameters**:
+
+-   **stream** – 1/True/true or 0/False/false, pull stats once then disconnect. Default `true`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Resize a container TTY
+
+`POST /containers/(id or name)/resize?h=<height>&w=<width>`
+
+Resize the TTY for container with  `id`. You must restart the container for the resize to take effect.
+
+**Example request**:
+
+      POST /v1.20/containers/4fa6e0f0c678/resize?h=40&w=80 HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Length: 0
+      Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – No such container
+-   **500** – Cannot resize container
+
+#### Start a container
+
+`POST /containers/(id or name)/start`
+
+Start the container `id`
+
+> **Note**:
+> For backwards compatibility, this endpoint accepts a `HostConfig` as JSON-encoded request body.
+> See [create a container](#create-a-container) for details.
+
+**Example request**:
+
+    POST /v1.20/containers/e90e34656806/start HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already started
+-   **404** – no such container
+-   **500** – server error
+
+#### Stop a container
+
+`POST /containers/(id or name)/stop`
+
+Stop the container `id`
+
+**Example request**:
+
+    POST /v1.20/containers/e90e34656806/stop?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already stopped
+-   **404** – no such container
+-   **500** – server error
+
+#### Restart a container
+
+`POST /containers/(id or name)/restart`
+
+Restart the container `id`
+
+**Example request**:
+
+    POST /v1.20/containers/e90e34656806/restart?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Kill a container
+
+`POST /containers/(id or name)/kill`
+
+Kill the container `id`
+
+**Example request**:
+
+    POST /v1.20/containers/e90e34656806/kill HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **signal** - Signal to send to the container: integer or string like `SIGINT`.
+        When not set, `SIGKILL` is assumed and the call waits for the container to exit.
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Rename a container
+
+`POST /containers/(id or name)/rename`
+
+Rename the container `id` to a `new_name`
+
+**Example request**:
+
+    POST /v1.20/containers/e90e34656806/rename?name=new_name HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **name** – new name for the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **409** - conflict name already assigned
+-   **500** – server error
+
+#### Pause a container
+
+`POST /containers/(id or name)/pause`
+
+Pause the container `id`
+
+**Example request**:
+
+    POST /v1.20/containers/e90e34656806/pause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Unpause a container
+
+`POST /containers/(id or name)/unpause`
+
+Unpause the container `id`
+
+**Example request**:
+
+    POST /v1.20/containers/e90e34656806/unpause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Attach to a container
+
+`POST /containers/(id or name)/attach`
+
+Attach to the container `id`
+
+**Example request**:
+
+    POST /v1.20/containers/16253994b7c4/attach?logs=1&stream=0&stdout=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 101 UPGRADED
+    Content-Type: application/vnd.docker.raw-stream
+    Connection: Upgrade
+    Upgrade: tcp
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+**Stream details**:
+
+When using the TTY setting is enabled in
+[`POST /containers/create`
+](#create-a-container),
+the stream is the raw data from the process PTY and client's `stdin`.
+When the TTY is disabled, then the stream is multiplexed to separate
+`stdout` and `stderr`.
+
+The format is a **Header** and a **Payload** (frame).
+
+**HEADER**
+
+The header contains the information which the stream writes (`stdout` or
+`stderr`). It also contains the size of the associated frame encoded in the
+last four bytes (`uint32`).
+
+It is encoded on the first eight bytes like this:
+
+    header := [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}
+
+`STREAM_TYPE` can be:
+
+-   0: `stdin` (is written on `stdout`)
+-   1: `stdout`
+-   2: `stderr`
+
+`SIZE1, SIZE2, SIZE3, SIZE4` are the four bytes of
+the `uint32` size encoded as big endian.
+
+**PAYLOAD**
+
+The payload is the raw stream.
+
+**IMPLEMENTATION**
+
+The simplest way to implement the Attach protocol is the following:
+
+    1.  Read eight bytes.
+    2.  Choose `stdout` or `stderr` depending on the first byte.
+    3.  Extract the frame size from the last four bytes.
+    4.  Read the extracted size and output it on the correct output.
+    5.  Goto 1.
+
+#### Attach to a container (websocket)
+
+`GET /containers/(id or name)/attach/ws`
+
+Attach to the container `id` via websocket
+
+Implements websocket protocol handshake according to [RFC 6455](http://tools.ietf.org/html/rfc6455)
+
+**Example request**
+
+    GET /v1.20/containers/e90e34656806/attach/ws?logs=0&stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
+
+**Example response**
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+#### Wait a container
+
+`POST /containers/(id or name)/wait`
+
+Block until container `id` stops, then returns the exit code
+
+**Example request**:
+
+    POST /v1.20/containers/16253994b7c4/wait HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"StatusCode": 0}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Remove a container
+
+`DELETE /containers/(id or name)`
+
+Remove the container `id` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.20/containers/16253994b7c4?v=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **v** – 1/True/true or 0/False/false, Remove the volumes
+        associated to the container. Default `false`.
+-   **force** - 1/True/true or 0/False/false, Kill then remove the container.
+        Default `false`.
+-   **link** - 1/True/true or 0/False/false, Remove the specified
+        link associated to the container. Default `false`.
+
+**Status codes**:
+
+-   **204** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **409** – conflict
+-   **500** – server error
+
+#### Copy files or folders from a container
+
+`POST /containers/(id or name)/copy`
+
+Copy files or folders of container `id`
+
+**Deprecated** in favor of the `archive` endpoint below.
+
+**Example request**:
+
+    POST /v1.20/containers/4fa6e0f0c678/copy HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Resource": "test.txt"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Retrieving information about files and folders in a container
+
+`HEAD /containers/(id or name)/archive`
+
+See the description of the `X-Docker-Container-Path-Stat` header in the
+following section.
+
+#### Get an archive of a filesystem resource in a container
+
+`GET /containers/(id or name)/archive`
+
+Get a tar archive of a resource in the filesystem of container `id`.
+
+**Query parameters**:
+
+- **path** - resource in the container's filesystem to archive. Required.
+
+    If not an absolute path, it is relative to the container's root directory.
+    The resource specified by **path** must exist. To assert that the resource
+    is expected to be a directory, **path** should end in `/` or  `/.`
+    (assuming a path separator of `/`). If **path** ends in `/.` then this
+    indicates that only the contents of the **path** directory should be
+    copied. A symlink is always resolved to its target.
+
+    > **Note**: It is not possible to copy certain system files such as resources
+    > under `/proc`, `/sys`, `/dev`, and mounts created by the user in the
+    > container.
+
+**Example request**:
+
+    GET /v1.20/containers/8cce319429b2/archive?path=/root HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+    X-Docker-Container-Path-Stat: eyJuYW1lIjoicm9vdCIsInNpemUiOjQwOTYsIm1vZGUiOjIxNDc0ODQwOTYsIm10aW1lIjoiMjAxNC0wMi0yN1QyMDo1MToyM1oiLCJsaW5rVGFyZ2V0IjoiIn0=
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+On success, a response header `X-Docker-Container-Path-Stat` will be set to a
+base64-encoded JSON object containing some filesystem header information about
+the archived resource. The above example value would decode to the following
+JSON object (whitespace added for readability):
+
+```json
+{
+    "name": "root",
+    "size": 4096,
+    "mode": 2147484096,
+    "mtime": "2014-02-27T20:51:23Z",
+    "linkTarget": ""
+}
+```
+
+A `HEAD` request can also be made to this endpoint if only this information is
+desired.
+
+**Status codes**:
+
+- **200** - success, returns archive of copied resource
+- **400** - client error, bad parameter, details in JSON response body, one of:
+    - must specify path parameter (**path** cannot be empty)
+    - not a directory (**path** was asserted to be a directory but exists as a
+      file)
+- **404** - client error, resource not found, one of:
+    – no such container (container `id` does not exist)
+    - no such file or directory (**path** does not exist)
+- **500** - server error
+
+#### Extract an archive of files or folders to a directory in a container
+
+`PUT /containers/(id or name)/archive`
+
+Upload a tar archive to be extracted to a path in the filesystem of container
+`id`.
+
+**Query parameters**:
+
+- **path** - path to a directory in the container
+    to extract the archive's contents into. Required.
+
+    If not an absolute path, it is relative to the container's root directory.
+    The **path** resource must exist.
+- **noOverwriteDirNonDir** - If "1", "true", or "True" then it will be an error
+    if unpacking the given content would cause an existing directory to be
+    replaced with a non-directory and vice versa.
+
+**Example request**:
+
+    PUT /v1.20/containers/8cce319429b2/archive?path=/vol1 HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** – the content was extracted successfully
+- **400** - client error, bad parameter, details in JSON response body, one of:
+    - must specify path parameter (**path** cannot be empty)
+    - not a directory (**path** should be a directory but exists as a file)
+    - unable to overwrite existing directory with non-directory
+      (if **noOverwriteDirNonDir**)
+    - unable to overwrite existing non-directory with directory
+      (if **noOverwriteDirNonDir**)
+- **403** - client error, permission denied, the volume
+    or container rootfs is marked as read-only.
+- **404** - client error, resource not found, one of:
+    – no such container (container `id` does not exist)
+    - no such file or directory (**path** resource does not exist)
+- **500** – server error
+
+### 2.2 Images
+
+#### List Images
+
+`GET /images/json`
+
+**Example request**:
+
+    GET /v1.20/images/json?all=0 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+         "RepoTags": [
+           "ubuntu:12.04",
+           "ubuntu:precise",
+           "ubuntu:latest"
+         ],
+         "Id": "8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
+         "Created": 1365714795,
+         "Size": 131506275,
+         "VirtualSize": 131506275,
+         "Labels": {}
+      },
+      {
+         "RepoTags": [
+           "ubuntu:12.10",
+           "ubuntu:quantal"
+         ],
+         "ParentId": "27cf784147099545",
+         "Id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
+         "Created": 1364102658,
+         "Size": 24653,
+         "VirtualSize": 180116135,
+         "Labels": {
+            "com.example.version": "v1"
+         }
+      }
+    ]
+
+**Example request, with digest information**:
+
+    GET /v1.20/images/json?digests=1 HTTP/1.1
+
+**Example response, with digest information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+        "Created": 1420064636,
+        "Id": "4986bf8c15363d1c5d15512d5266f8777bfba4974ac56e3270e7760f6f0a8125",
+        "ParentId": "ea13149945cb6b1e746bf28032f02e9b5a793523481a0a18645fc77ad53c4ea2",
+        "RepoDigests": [
+          "localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+        ],
+        "RepoTags": [
+          "localhost:5000/test/busybox:latest",
+          "playdate:latest"
+        ],
+        "Size": 0,
+        "VirtualSize": 2429728,
+        "Labels": {}
+      }
+    ]
+
+The response shows a single image `Id` associated with two repositories
+(`RepoTags`): `localhost:5000/test/busybox`: and `playdate`. A caller can use
+either of the `RepoTags` values `localhost:5000/test/busybox:latest` or
+`playdate:latest` to reference the image.
+
+You can also use `RepoDigests` values to reference an image. In this response,
+the array has only one reference and that is to the
+`localhost:5000/test/busybox` repository; the `playdate` repository has no
+digest. You can reference this digest using the value:
+`localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d...`
+
+See the `docker run` and `docker build` commands for examples of digest and tag
+references on the command line.
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, default false
+-   **filters** – a JSON encoded value of the filters (a map[string][]string) to process on the images list. Available filters:
+  -   `dangling=true`
+  -   `label=key` or `label="key=value"` of an image label
+-   **filter** - only return images with the specified name
+
+#### Build image from a Dockerfile
+
+`POST /build`
+
+Build an image from a Dockerfile
+
+**Example request**:
+
+    POST /v1.20/build HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"stream": "Step 1/5..."}
+    {"stream": "..."}
+    {"error": "Error...", "errorDetail": {"code": 123, "message": "Error..."}}
+
+The input stream must be a `tar` archive compressed with one of the
+following algorithms: `identity` (no compression), `gzip`, `bzip2`, `xz`.
+
+The archive must include a build instructions file, typically called
+`Dockerfile` at the archive's root. The `dockerfile` parameter may be
+used to specify a different build instructions file. To do this, its value must be
+the path to the alternate build instructions file to use.
+
+The archive may include any number of other files,
+which are accessible in the build context (See the [*ADD build
+command*](../reference/builder.md#add)).
+
+The Docker daemon performs a preliminary validation of the `Dockerfile` before
+starting the build, and returns an error if the syntax is incorrect. After that,
+each instruction is run one-by-one until the ID of the new image is output.
+
+The build is canceled if the client drops the connection by quitting
+or being killed.
+
+**Query parameters**:
+
+-   **dockerfile** - Path within the build context to the `Dockerfile`. This is
+        ignored if `remote` is specified and points to an external `Dockerfile`.
+-   **t** – A name and optional tag to apply to the image in the `name:tag` format.
+        If you omit the `tag` the default `latest` value is assumed.
+-   **remote** – A Git repository URI or HTTP/HTTPS context URI. If the
+        URI points to a single text file, the file's contents are placed into
+        a file called `Dockerfile` and the image is built from that file. If
+        the URI points to a tarball, the file is downloaded by the daemon and
+        the contents therein used as the context for the build. If the URI
+        points to a tarball and the `dockerfile` parameter is also specified,
+        there must be a file with the corresponding path inside the tarball.
+-   **q** – Suppress verbose build output.
+-   **nocache** – Do not use the cache when building the image.
+-   **pull** - Attempt to pull the image even if an older image exists locally.
+-   **rm** - Remove intermediate containers after a successful build (default behavior).
+-   **forcerm** - Always remove intermediate containers (includes `rm`).
+-   **memory** - Set memory limit for build.
+-   **memswap** - Total memory (memory + swap), `-1` to enable unlimited swap.
+-   **cpushares** - CPU shares (relative weight).
+-   **cpusetcpus** - CPUs in which to allow execution (e.g., `0-3`, `0,1`).
+-   **cpuperiod** - The length of a CPU period in microseconds.
+-   **cpuquota** - Microseconds of CPU time that the container can get in a CPU period.
+
+**Request Headers**:
+
+-   **Content-type** – Set to `"application/x-tar"`.
+-   **X-Registry-Config** – A base64-url-safe-encoded Registry Auth Config JSON
+        object with the following structure:
+
+            {
+                "docker.example.com": {
+                    "username": "janedoe",
+                    "password": "hunter2"
+                },
+                "https://index.docker.io/v1/": {
+                    "username": "mobydock",
+                    "password": "conta1n3rize14"
+                }
+            }
+
+    This object maps the hostname of a registry to an object containing the
+    "username" and "password" for that registry. Multiple registries may
+    be specified as the build may be based on an image requiring
+    authentication to pull from any arbitrary registry. Only the registry
+    domain name (and port if not the default "443") are required. However
+    (for legacy reasons) the "official" Docker, Inc. hosted registry must
+    be specified with both a "https://" prefix and a "/v1/" suffix even
+    though Docker will prefer to use the v2 registry API.
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Create an image
+
+`POST /images/create`
+
+Create an image either by pulling it from the registry or by importing it
+
+**Example request**:
+
+    POST /v1.20/images/create?fromImage=busybox&tag=latest HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pulling..."}
+    {"status": "Pulling", "progress": "1 B/ 100 B", "progressDetail": {"current": 1, "total": 100}}
+    {"error": "Invalid..."}
+    ...
+
+When using this endpoint to pull an image from the registry, the
+`X-Registry-Auth` header can be used to include
+a base64-encoded AuthConfig object.
+
+**Query parameters**:
+
+-   **fromImage** – Name of the image to pull.
+-   **fromSrc** – Source to import.  The value may be a URL from which the image
+        can be retrieved or `-` to read the image from the request body.
+-   **repo** – Repository name.
+-   **tag** – Tag. If empty when pulling an image, this causes all tags
+        for the given image to be pulled.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** - repository does not exist or no read access
+-   **500** – server error
+
+
+
+#### Inspect an image
+
+`GET /images/(name)/json`
+
+Return low-level information on the image `name`
+
+**Example request**:
+
+    GET /v1.20/images/ubuntu/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Created": "2013-03-23T22:24:18.818426-07:00",
+       "Container": "3d67245a8d72ecf13f33dffac9f79dcdf70f75acb84d308770391510e0c23ad0",
+       "ContainerConfig": {
+          "Hostname": "",
+          "User": "",
+          "AttachStdin": false,
+          "AttachStdout": false,
+          "AttachStderr": false,
+          "Tty": true,
+          "OpenStdin": true,
+          "StdinOnce": false,
+          "Env": null,
+          "Cmd": ["/bin/bash"],
+          "Dns": null,
+          "Image": "ubuntu",
+          "Labels": {
+             "com.example.vendor": "Acme",
+             "com.example.license": "GPL",
+             "com.example.version": "1.0"
+          },
+          "Volumes": null,
+          "VolumesFrom": "",
+          "WorkingDir": ""
+       },
+       "Id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
+       "Parent": "27cf784147099545",
+       "Size": 6824592
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Get the history of an image
+
+`GET /images/(name)/history`
+
+Return the history of the image `name`
+
+**Example request**:
+
+    GET /v1.20/images/ubuntu/history HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+        {
+            "Id": "3db9c44f45209632d6050b35958829c3a2aa256d81b9a7be45b362ff85c54710",
+            "Created": 1398108230,
+            "CreatedBy": "/bin/sh -c #(nop) ADD file:eb15dbd63394e063b805a3c32ca7bf0266ef64676d5a6fab4801f2e81e2a5148 in /",
+            "Tags": [
+                "ubuntu:lucid",
+                "ubuntu:10.04"
+            ],
+            "Size": 182964289,
+            "Comment": ""
+        },
+        {
+            "Id": "6cfa4d1f33fb861d4d114f43b25abd0ac737509268065cdfd69d544a59c85ab8",
+            "Created": 1398108222,
+            "CreatedBy": "/bin/sh -c #(nop) MAINTAINER Tianon Gravi <admwiggin@gmail.com> - mkimage-debootstrap.sh -i iproute,iputils-ping,ubuntu-minimal -t lucid.tar.xz lucid http://archive.ubuntu.com/ubuntu/",
+            "Tags": null,
+            "Size": 0,
+            "Comment": ""
+        },
+        {
+            "Id": "511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158",
+            "Created": 1371157430,
+            "CreatedBy": "",
+            "Tags": [
+                "scratch12:latest",
+                "scratch:latest"
+            ],
+            "Size": 0,
+            "Comment": "Imported from -"
+        }
+    ]
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Push an image on the registry
+
+`POST /images/(name)/push`
+
+Push the image `name` on the registry
+
+**Example request**:
+
+    POST /v1.20/images/test/push HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pushing..."}
+    {"status": "Pushing", "progress": "1/? (n/a)", "progressDetail": {"current": 1}}}
+    {"error": "Invalid..."}
+    ...
+
+If you wish to push an image on to a private registry, that image must already have a tag
+into a repository which references that registry `hostname` and `port`.  This repository name should
+then be used in the URL. This duplicates the command line's flow.
+
+**Example request**:
+
+    POST /v1.20/images/registry.acme.com:5000/test/push HTTP/1.1
+
+
+**Query parameters**:
+
+-   **tag** – The tag to associate with the image on the registry. This is optional.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Tag an image into a repository
+
+`POST /images/(name)/tag`
+
+Tag the image `name` into a repository
+
+**Example request**:
+
+    POST /v1.20/images/test/tag?repo=myrepo&force=0&tag=v42 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+
+**Query parameters**:
+
+-   **repo** – The repository to tag in
+-   **force** – 1/True/true or 0/False/false, default false
+-   **tag** - The new tag name
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Remove an image
+
+`DELETE /images/(name)`
+
+Remove the image `name` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.20/images/test HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-type: application/json
+
+    [
+     {"Untagged": "3e2f21a89f"},
+     {"Deleted": "3e2f21a89f"},
+     {"Deleted": "53b4f83ac9"}
+    ]
+
+**Query parameters**:
+
+-   **force** – 1/True/true or 0/False/false, default false
+-   **noprune** – 1/True/true or 0/False/false, default false
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Search images
+
+`GET /images/search`
+
+Search for an image on [Docker Hub](https://hub.docker.com).
+
+> **Note**:
+> The response keys have changed from API v1.6 to reflect the JSON
+> sent by the registry server to the docker daemon's request.
+
+**Example request**:
+
+    GET /v1.20/images/search?term=sshd HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "wma55/u1210sshd",
+                "star_count": 0
+            },
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "jdswinbank/sshd",
+                "star_count": 0
+            },
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "vgauthier/sshd",
+                "star_count": 0
+            }
+    ...
+    ]
+
+**Query parameters**:
+
+-   **term** – term to search
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+### 2.3 Misc
+
+#### Check auth configuration
+
+`POST /auth`
+
+Get the default username and email
+
+**Example request**:
+
+    POST /v1.20/auth HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "username": "hannibal",
+         "password": "xxxx",
+         "email": "hannibal@a-team.com",
+         "serveraddress": "https://index.docker.io/v1/"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** – no error
+-   **204** – no error
+-   **500** – server error
+
+#### Display system-wide information
+
+`GET /info`
+
+Display system-wide information
+
+**Example request**:
+
+    GET /v1.20/info HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+        "Containers": 11,
+        "CpuCfsPeriod": true,
+        "CpuCfsQuota": true,
+        "Debug": false,
+        "DockerRootDir": "/var/lib/docker",
+        "Driver": "btrfs",
+        "DriverStatus": [[""]],
+        "ExecutionDriver": "native-0.1",
+        "ExperimentalBuild": false,
+        "HttpProxy": "http://test:test@localhost:8080",
+        "HttpsProxy": "https://test:test@localhost:8080",
+        "ID": "7TRN:IPZB:QYBB:VPBQ:UMPP:KARE:6ZNR:XE6T:7EWV:PKF4:ZOJD:TPYS",
+        "IPv4Forwarding": true,
+        "Images": 16,
+        "IndexServerAddress": "https://index.docker.io/v1/",
+        "InitPath": "/usr/bin/docker",
+        "InitSha1": "",
+        "KernelVersion": "3.12.0-1-amd64",
+        "Labels": [
+            "storage=ssd"
+        ],
+        "MemTotal": 2099236864,
+        "MemoryLimit": true,
+        "NCPU": 1,
+        "NEventsListener": 0,
+        "NFd": 11,
+        "NGoroutines": 21,
+        "Name": "prod-server-42",
+        "NoProxy": "9.81.1.160",
+        "OomKillDisable": true,
+        "OperatingSystem": "Boot2Docker",
+        "RegistryConfig": {
+            "IndexConfigs": {
+                "docker.io": {
+                    "Mirrors": null,
+                    "Name": "docker.io",
+                    "Official": true,
+                    "Secure": true
+                }
+            },
+            "InsecureRegistryCIDRs": [
+                "127.0.0.0/8"
+            ]
+        },
+        "SwapLimit": false,
+        "SystemTime": "2015-03-10T11:11:23.730591467-07:00"
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Show the docker version information
+
+`GET /version`
+
+Show the docker version information
+
+**Example request**:
+
+    GET /v1.20/version HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+         "Version": "1.5.0",
+         "Os": "linux",
+         "KernelVersion": "3.18.5-tinycore64",
+         "GoVersion": "go1.4.1",
+         "GitCommit": "a8a31ef",
+         "Arch": "amd64",
+         "ApiVersion": "1.20",
+         "Experimental": false
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Ping the docker server
+
+`GET /_ping`
+
+Ping the docker server
+
+**Example request**:
+
+    GET /v1.20/_ping HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: text/plain
+
+    OK
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a new image from a container's changes
+
+`POST /commit`
+
+Create a new image from a container's changes
+
+**Example request**:
+
+    POST /v1.20/commit?container=44c004db4b17&comment=message&repo=myrepo HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Hostname": "",
+         "Domainname": "",
+         "User": "",
+         "AttachStdin": false,
+         "AttachStdout": true,
+         "AttachStderr": true,
+         "Tty": false,
+         "OpenStdin": false,
+         "StdinOnce": false,
+         "Env": null,
+         "Cmd": [
+                 "date"
+         ],
+         "Mounts": [
+           {
+             "Source": "/data",
+             "Destination": "/data",
+             "Mode": "ro,Z",
+             "RW": false
+           }
+         ],
+         "Labels": {
+                 "key1": "value1",
+                 "key2": "value2"
+          },
+         "WorkingDir": "",
+         "NetworkDisabled": false,
+         "ExposedPorts": {
+                 "22/tcp": {}
+         }
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {"Id": "596069db4bf5"}
+
+**JSON parameters**:
+
+-  **config** - the container's configuration
+
+**Query parameters**:
+
+-   **container** – source container
+-   **repo** – repository
+-   **tag** – tag
+-   **comment** – commit message
+-   **author** – author (e.g., "John Hannibal Smith
+    <[hannibal@a-team.com](mailto:hannibal%40a-team.com)>")
+-   **pause** – 1/True/true or 0/False/false, whether to pause the container before committing
+-   **changes** – Dockerfile instructions to apply while committing
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Monitor Docker's events
+
+`GET /events`
+
+Get container events from docker, in real time via streaming.
+
+Docker containers report the following events:
+
+    attach, commit, copy, create, destroy, die, exec_create, exec_start, export, kill, oom, pause, rename, resize, restart, start, stop, top, unpause
+
+Docker images report the following events:
+
+    delete, import, pull, push, tag, untag
+
+**Example request**:
+
+    GET /v1.20/events?since=1374067924
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "create", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067924}
+    {"status": "start", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067924}
+    {"status": "stop", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067966}
+    {"status": "destroy", "id": "dfdf82bd3881","from": "ubuntu:latest", "time":1374067970}
+
+**Query parameters**:
+
+-   **since** – Timestamp. Show all events created since timestamp and then stream
+-   **until** – Timestamp. Show events created until given timestamp and stop streaming
+-   **filters** – A json encoded value of the filters (a map[string][]string) to process on the event list. Available filters:
+  -   `container=<string>`; -- container to filter
+  -   `event=<string>`; -- event to filter
+  -   `image=<string>`; -- image to filter
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images in a repository
+
+`GET /images/(name)/get`
+
+Get a tarball containing all images and metadata for the repository specified
+by `name`.
+
+If `name` is a specific name and tag (e.g. ubuntu:latest), then only that image
+(and its parents) are returned. If `name` is an image ID, similarly only that
+image (and its parents) are returned, but with the exclusion of the
+'repositories' file in the tarball, as there were no image names referenced.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.20/images/ubuntu/get
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images
+
+`GET /images/get`
+
+Get a tarball containing all images and metadata for one or more repositories.
+
+For each value of the `names` parameter: if it is a specific name and tag (e.g.
+`ubuntu:latest`), then only that image (and its parents) are returned; if it is
+an image ID, similarly only that image (and its parents) are returned and there
+would be no names referenced in the 'repositories' file for this image ID.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.20/images/get?names=myname%2Fmyapp%3Alatest&names=busybox
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Load a tarball with a set of images and tags into docker
+
+`POST /images/load`
+
+Load a set of images and tags into a Docker repository.
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    POST /v1.20/images/load
+    Content-Type: application/x-tar
+    Content-Length: 12345
+
+    Tarball in body
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Image tarball format
+
+An image tarball contains one directory per image layer (named using its long ID),
+each containing these files:
+
+- `VERSION`: currently `1.0` - the file format version
+- `json`: detailed layer information, similar to `docker inspect layer_id`
+- `layer.tar`: A tarfile containing the filesystem changes in this layer
+
+The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories
+for storing attribute changes and deletions.
+
+If the tarball defines a repository, the tarball should also include a `repositories` file at
+the root that contains a list of repository and tag names mapped to layer IDs.
+
+```
+{"hello-world":
+    {"latest": "565a9d68a73f6706862bfe8409a7f659776d4d60a8d096eb4a3cbce6999cc2a1"}
+}
+```
+
+#### Exec Create
+
+`POST /containers/(id or name)/exec`
+
+Sets up an exec instance in a running container `id`
+
+**Example request**:
+
+    POST /v1.20/containers/e90e34656806/exec HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "AttachStdin": true,
+      "AttachStdout": true,
+      "AttachStderr": true,
+      "Cmd": ["sh"],
+      "Tty": true,
+      "User": "123:456"
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+         "Id": "f90e34656806",
+         "Warnings":[]
+    }
+
+**JSON parameters**:
+
+-   **AttachStdin** - Boolean value, attaches to `stdin` of the `exec` command.
+-   **AttachStdout** - Boolean value, attaches to `stdout` of the `exec` command.
+-   **AttachStderr** - Boolean value, attaches to `stderr` of the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **User** - A string value specifying the user, and optionally, group to run
+        the exec process inside the container. Format is one of: `"user"`,
+        `"user:group"`, `"uid"`, or `"uid:gid"`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+
+#### Exec Start
+
+`POST /exec/(id)/start`
+
+Starts a previously set up `exec` instance `id`. If `detach` is true, this API
+returns after starting the `exec` command. Otherwise, this API sets up an
+interactive session with the `exec` command.
+
+**Example request**:
+
+    POST /v1.20/exec/e90e34656806/start HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+     "Detach": false,
+     "Tty": false
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/vnd.docker.raw-stream
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**JSON parameters**:
+
+-   **Detach** - Detach from the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+
+**Stream details**:
+
+Similar to the stream behavior of `POST /containers/(id or name)/attach` API
+
+#### Exec Resize
+
+`POST /exec/(id)/resize`
+
+Resizes the `tty` session used by the `exec` command `id`.  The unit is number of characters.
+This API is valid only if `tty` was specified as part of creating and starting the `exec` command.
+
+**Example request**:
+
+    POST /v1.20/exec/e90e34656806/resize?h=40&w=80 HTTP/1.1
+    Content-Type: text/plain
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: text/plain
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such exec instance
+
+#### Exec Inspect
+
+`GET /exec/(id)/json`
+
+Return low-level information about the `exec` command `id`.
+
+**Example request**:
+
+    GET /v1.20/exec/11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: plain/text
+
+    {
+      "ID" : "11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39",
+      "Running" : false,
+      "ExitCode" : 2,
+      "ProcessConfig" : {
+        "privileged" : false,
+        "user" : "",
+        "tty" : false,
+        "entrypoint" : "sh",
+        "arguments" : [
+          "-c",
+          "exit 2"
+        ]
+      },
+      "OpenStdin" : false,
+      "OpenStderr" : false,
+      "OpenStdout" : false,
+      "Container" : {
+        "State" : {
+          "Running" : true,
+          "Paused" : false,
+          "Restarting" : false,
+          "OOMKilled" : false,
+          "Pid" : 3650,
+          "ExitCode" : 0,
+          "Error" : "",
+          "StartedAt" : "2014-11-17T22:26:03.717657531Z",
+          "FinishedAt" : "0001-01-01T00:00:00Z"
+        },
+        "ID" : "8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c",
+        "Created" : "2014-11-17T22:26:03.626304998Z",
+        "Path" : "date",
+        "Args" : [],
+        "Config" : {
+          "Hostname" : "8f177a186b97",
+          "Domainname" : "",
+          "User" : "",
+          "AttachStdin" : false,
+          "AttachStdout" : false,
+          "AttachStderr" : false,
+          "ExposedPorts" : null,
+          "Tty" : false,
+          "OpenStdin" : false,
+          "StdinOnce" : false,
+          "Env" : [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ],
+          "Cmd" : [
+            "date"
+          ],
+          "Image" : "ubuntu",
+          "Volumes" : null,
+          "WorkingDir" : "",
+          "Entrypoint" : null,
+          "NetworkDisabled" : false,
+          "MacAddress" : "",
+          "OnBuild" : null,
+          "SecurityOpt" : null
+        },
+        "Image" : "5506de2b643be1e6febbf3b8a240760c6843244c41e12aa2f60ccbb7153d17f5",
+        "NetworkSettings" : {
+          "IPAddress" : "172.17.0.2",
+          "IPPrefixLen" : 16,
+          "MacAddress" : "02:42:ac:11:00:02",
+          "Gateway" : "172.17.42.1",
+          "Bridge" : "docker0",
+          "PortMapping" : null,
+          "Ports" : {}
+        },
+        "ResolvConfPath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/resolv.conf",
+        "HostnamePath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/hostname",
+        "HostsPath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/hosts",
+        "LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+        "Name" : "/test",
+        "Driver" : "aufs",
+        "ExecDriver" : "native-0.2",
+        "MountLabel" : "",
+        "ProcessLabel" : "",
+        "AppArmorProfile" : "",
+        "RestartCount" : 0,
+        "Mounts" : []
+      }
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **500** - server error
+
+## 3. Going further
+
+### 3.1 Inside `docker run`
+
+As an example, the `docker run` command line makes the following API calls:
+
+- Create the container
+
+- If the status code is 404, it means the image doesn't exist:
+    - Try to pull it.
+    - Then, retry to create the container.
+
+- Start the container.
+
+- If you are not in detached mode:
+- Attach to the container, using `logs=1` (to have `stdout` and
+      `stderr` from the container's start) and `stream=1`
+
+- If in detached mode or only `stdin` is attached, display the container's id.
+
+### 3.2 Hijacking
+
+In this version of the API, `/attach`, uses hijacking to transport `stdin`,
+`stdout`, and `stderr` on the same socket.
+
+To hint potential proxies about connection hijacking, Docker client sends
+connection upgrade headers similarly to websocket.
+
+    Upgrade: tcp
+    Connection: Upgrade
+
+When Docker daemon detects the `Upgrade` header, it switches its status code
+from **200 OK** to **101 UPGRADED** and resends the same headers.
+
+
+### 3.3 CORS Requests
+
+To set cross origin requests to the Engine API please give values to
+`--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
+default or blank means CORS disabled
+
+    $ dockerd -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
diff --git a/engine/docs/api/v1.21.md b/engine/docs/api/v1.21.md
new file mode 100644
index 00000000..3ecfd3b9
--- /dev/null
+++ b/engine/docs/api/v1.21.md
@@ -0,0 +1,3003 @@
+---
+title: "Engine API v1.21"
+description: "API Documentation for Docker"
+keywords: "API, Docker, rcli, REST, documentation"
+redirect_from:
+- /engine/reference/api/docker_remote_api_v1.21/
+- /reference/api/docker_remote_api_v1.21/
+---
+
+<!-- This file is maintained within the moby/moby GitHub
+     repository at https://github.com/moby/moby/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+## 1. Brief introduction
+
+ - The daemon listens on `unix:///var/run/docker.sock` but you can
+   [Bind Docker to another host/port or a Unix socket](../reference/commandline/dockerd.md#bind-docker-to-another-host-port-or-a-unix-socket).
+ - The API tends to be REST. However, for some complex commands, like `attach`
+   or `pull`, the HTTP connection is hijacked to transport `stdout`,
+   `stdin` and `stderr`.
+ - A `Content-Length` header should be present in `POST` requests to endpoints
+   that expect a body.
+ - To lock to a specific version of the API, you prefix the URL with the version
+   of the API to use. For example, `/v1.18/info`. If no version is included in
+   the URL, the maximum supported API version is used.
+ - If the API version specified in the URL is not supported by the daemon, a HTTP
+   `400 Bad Request` error message is returned.
+
+## 2. Endpoints
+
+### 2.1 Containers
+
+#### List containers
+
+`GET /containers/json`
+
+List containers
+
+**Example request**:
+
+    GET /v1.21/containers/json?all=1&before=8dfafdbc3a40&size=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Id": "8dfafdbc3a40",
+                 "Names":["/boring_feynman"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 1",
+                 "Created": 1367854155,
+                 "Status": "Exit 0",
+                 "Ports": [{"PrivatePort": 2222, "PublicPort": 3333, "Type": "tcp"}],
+                 "Labels": {
+                         "com.example.vendor": "Acme",
+                         "com.example.license": "GPL",
+                         "com.example.version": "1.0"
+                 },
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         },
+         {
+                 "Id": "9cd87474be90",
+                 "Names":["/coolName"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 222222",
+                 "Created": 1367854155,
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         },
+         {
+                 "Id": "3176a2479c92",
+                 "Names":["/sleepy_dog"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 3333333333333333",
+                 "Created": 1367854154,
+                 "Status": "Exit 0",
+                 "Ports":[],
+                 "Labels": {},
+                 "SizeRw":12288,
+                 "SizeRootFs":0
+         },
+         {
+                 "Id": "4cb07b47f9fb",
+                 "Names":["/running_cat"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 444444444444444444444444444444444",
+                 "Created": 1367854152,
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0
+         }
+    ]
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, Show all containers.
+        Only running containers are shown by default (i.e., this defaults to false)
+-   **limit** – Show `limit` last created
+        containers, include non-running ones.
+-   **since** – Show only containers created since Id, include
+        non-running ones.
+-   **before** – Show only containers created before Id, include
+        non-running ones.
+-   **size** – 1/True/true or 0/False/false, Show the containers
+        sizes
+-   **filters** - a JSON encoded value of the filters (a `map[string][]string`) to process on the containers list. Available filters:
+  -   `exited=<int>`; -- containers with exit code of  `<int>` ;
+  -   `status=`(`created`|`restarting`|`running`|`paused`|`exited`)
+  -   `label=key` or `label="key=value"` of a container label
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **500** – server error
+
+#### Create a container
+
+`POST /containers/create`
+
+Create a container
+
+**Example request**:
+
+    POST /v1.21/containers/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+           "Hostname": "",
+           "Domainname": "",
+           "User": "",
+           "AttachStdin": false,
+           "AttachStdout": true,
+           "AttachStderr": true,
+           "Tty": false,
+           "OpenStdin": false,
+           "StdinOnce": false,
+           "Env": [
+                   "FOO=bar",
+                   "BAZ=quux"
+           ],
+           "Cmd": [
+                   "date"
+           ],
+           "Entrypoint": null,
+           "Image": "ubuntu",
+           "Labels": {
+                   "com.example.vendor": "Acme",
+                   "com.example.license": "GPL",
+                   "com.example.version": "1.0"
+           },
+           "Volumes": {
+             "/volumes/data": {}
+           },
+           "WorkingDir": "",
+           "NetworkDisabled": false,
+           "MacAddress": "12:34:56:78:9a:bc",
+           "ExposedPorts": {
+                   "22/tcp": {}
+           },
+           "StopSignal": "SIGTERM",
+           "HostConfig": {
+             "Binds": ["/tmp:/tmp"],
+             "Links": ["redis3:redis"],
+             "LxcConf": {"lxc.utsname":"docker"},
+             "Memory": 0,
+             "MemorySwap": 0,
+             "MemoryReservation": 0,
+             "KernelMemory": 0,
+             "CpuShares": 512,
+             "CpuPeriod": 100000,
+             "CpuQuota": 50000,
+             "CpusetCpus": "0,1",
+             "CpusetMems": "0,1",
+             "BlkioWeight": 300,
+             "MemorySwappiness": 60,
+             "OomKillDisable": false,
+             "PidMode": "",
+             "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+             "PublishAllPorts": false,
+             "Privileged": false,
+             "ReadonlyRootfs": false,
+             "Dns": ["8.8.8.8"],
+             "DnsOptions": [""],
+             "DnsSearch": [""],
+             "ExtraHosts": null,
+             "VolumesFrom": ["parent", "other:ro"],
+             "CapAdd": ["NET_ADMIN"],
+             "CapDrop": ["MKNOD"],
+             "GroupAdd": ["newgroup"],
+             "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+             "NetworkMode": "bridge",
+             "Devices": [],
+             "Ulimits": [{}],
+             "LogConfig": { "Type": "json-file", "Config": {} },
+             "SecurityOpt": [],
+             "CgroupParent": "",
+             "VolumeDriver": ""
+          }
+      }
+
+**Example response**:
+
+      HTTP/1.1 201 Created
+      Content-Type: application/json
+
+      {
+           "Id":"e90e34656806",
+           "Warnings":[]
+      }
+
+**JSON parameters**:
+
+-   **Hostname** - A string value containing the hostname to use for the
+      container.
+-   **Domainname** - A string value containing the domain name to use
+      for the container.
+-   **User** - A string value specifying the user inside the container.
+-   **AttachStdin** - Boolean value, attaches to `stdin`.
+-   **AttachStdout** - Boolean value, attaches to `stdout`.
+-   **AttachStderr** - Boolean value, attaches to `stderr`.
+-   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
+-   **OpenStdin** - Boolean value, opens `stdin`,
+-   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Entrypoint** - Set the entry point for the container as a string or an array
+      of strings.
+-   **Image** - A string specifying the image name to use for the container.
+-   **Volumes** - An object mapping mount point paths (strings) inside the
+      container to empty objects.
+-   **WorkingDir** - A string specifying the working directory for commands to
+      run in.
+-   **NetworkDisabled** - Boolean value, when true disables networking for the
+      container
+-   **ExposedPorts** - An object mapping ports to an empty object in the form of:
+      `"ExposedPorts": { "<port>/<tcp|udp>: {}" }`
+-   **StopSignal** - Signal to stop a container as a string or unsigned integer. `SIGTERM` by default.
+-   **HostConfig**
+    -   **Binds** – A list of volume bindings for this container. Each volume binding is a string in one of these forms:
+           + `host-src:container-dest` to bind-mount a host path into the
+             container. Both `host-src`, and `container-dest` must be an
+             _absolute_ path.
+           + `host-src:container-dest:ro` to make the bind mount read-only
+             inside the container. Both `host-src`, and `container-dest` must be
+             an _absolute_ path.
+           + `volume-name:container-dest` to bind-mount a volume managed by a
+             volume driver into the container. `container-dest` must be an
+             _absolute_ path.
+           + `volume-name:container-dest:ro` to mount the volume read-only
+             inside the container.  `container-dest` must be an _absolute_ path.
+    -   **Links** - A list of links for the container. Each link entry should be
+          in the form of `container_name:alias`.
+    -   **LxcConf** - LXC specific configurations. These configurations only
+          work when using the `lxc` execution driver.
+    -   **Memory** - Memory limit in bytes.
+    -   **MemorySwap** - Total memory limit (memory + swap); set `-1` to enable unlimited swap.
+          You must use this with `memory` and make the swap value larger than `memory`.
+    -   **MemoryReservation** - Memory soft limit in bytes.
+    -   **KernelMemory** - Kernel memory limit in bytes.
+    -   **CpuShares** - An integer value containing the container's CPU Shares
+          (ie. the relative weight vs other containers).
+    -   **CpuPeriod** - The length of a CPU period in microseconds.
+    -   **CpuQuota** - Microseconds of CPU time that the container can get in a CPU period.
+    -   **CpusetCpus** - String value containing the `cgroups CpusetCpus` to use.
+    -   **CpusetMems** - Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.
+    -   **BlkioWeight** - Block IO weight (relative weight) accepts a weight value between 10 and 1000.
+    -   **MemorySwappiness** - Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
+    -   **OomKillDisable** - Boolean value, whether to disable OOM Killer for the container or not.
+    -   **PidMode** - Set the PID (Process) Namespace mode for the container;
+          `"container:<name|id>"`: joins another container's PID namespace
+          `"host"`: use the host's PID namespace inside the container
+    -   **PortBindings** - A map of exposed container ports and the host port they
+          should map to. A JSON object in the form
+          `{ <port>/<protocol>: [{ "HostPort": "<port>" }] }`
+          Take note that `port` is specified as a string and not an integer value.
+    -   **PublishAllPorts** - Allocates an ephemeral host port for all of a container's
+          exposed ports. Specified as a boolean value.
+
+          Ports are de-allocated when the container stops and allocated when the container starts.
+          The allocated port might be changed when restarting the container.
+
+          The port is selected from the ephemeral port range that depends on the kernel.
+          For example, on Linux the range is defined by `/proc/sys/net/ipv4/ip_local_port_range`.
+    -   **Privileged** - Gives the container full access to the host. Specified as
+          a boolean value.
+    -   **ReadonlyRootfs** - Mount the container's root filesystem as read only.
+          Specified as a boolean value.
+    -   **Dns** - A list of DNS servers for the container to use.
+    -   **DnsOptions** - A list of DNS options
+    -   **DnsSearch** - A list of DNS search domains
+    -   **ExtraHosts** - A list of hostnames/IP mappings to add to the
+        container's `/etc/hosts` file. Specified in the form `["hostname:IP"]`.
+    -   **VolumesFrom** - A list of volumes to inherit from another container.
+          Specified in the form `<container name>[:<ro|rw>]`
+    -   **CapAdd** - A list of kernel capabilities to add to the container.
+    -   **Capdrop** - A list of kernel capabilities to drop from the container.
+    -   **GroupAdd** - A list of additional groups that the container process will run as
+    -   **RestartPolicy** – The behavior to apply when the container exits.  The
+            value is an object with a `Name` property of either `"always"` to
+            always restart, `"unless-stopped"` to restart always except when
+            user has manually stopped the container or `"on-failure"` to restart only when the container
+            exit code is non-zero.  If `on-failure` is used, `MaximumRetryCount`
+            controls the number of times to retry before giving up.
+            The default is not to restart. (optional)
+            An ever increasing delay (double the previous delay, starting at 100mS)
+            is added before each restart to prevent flooding the server.
+    -   **NetworkMode** - Sets the networking mode for the container. Supported
+          standard values are: `bridge`, `host`, `none`, and `container:<name|id>`. Any other value is taken
+          as a custom network's name to which this container should connect to.
+    -   **Devices** - A list of devices to add to the container specified as a JSON object in the
+      form
+          `{ "PathOnHost": "/dev/deviceName", "PathInContainer": "/dev/deviceName", "CgroupPermissions": "mrw"}`
+    -   **Ulimits** - A list of ulimits to set in the container, specified as
+          `{ "Name": <name>, "Soft": <soft limit>, "Hard": <hard limit> }`, for example:
+          `Ulimits: { "Name": "nofile", "Soft": 1024, "Hard": 2048 }`
+    -   **SecurityOpt**: A list of string values to customize labels for MLS
+        systems, such as SELinux.
+    -   **LogConfig** - Log configuration for the container, specified as a JSON object in the form
+          `{ "Type": "<driver_name>", "Config": {"key1": "val1"}}`.
+          Available types: `json-file`, `syslog`, `journald`, `gelf`, `awslogs`, `none`.
+          `json-file` logging driver.
+    -   **CgroupParent** - Path to `cgroups` under which the container's `cgroup` is created. If the path is not absolute, the path is considered to be relative to the `cgroups` path of the init process. Cgroups are created if they do not already exist.
+    -   **VolumeDriver** - Driver that this container users to mount volumes.
+
+**Query parameters**:
+
+-   **name** – Assign the specified name to the container. Must
+    match `/?[a-zA-Z0-9_-]+`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **406** – impossible to attach (container not running)
+-   **409** – conflict
+-   **500** – server error
+
+#### Inspect a container
+
+`GET /containers/(id or name)/json`
+
+Return low-level information on the container `id`
+
+**Example request**:
+
+      GET /v1.21/containers/4fa6e0f0c678/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+	{
+		"AppArmorProfile": "",
+		"Args": [
+			"-c",
+			"exit 9"
+		],
+		"Config": {
+			"AttachStderr": true,
+			"AttachStdin": false,
+			"AttachStdout": true,
+			"Cmd": [
+				"/bin/sh",
+				"-c",
+				"exit 9"
+			],
+			"Domainname": "",
+			"Entrypoint": null,
+			"Env": [
+				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+			],
+			"ExposedPorts": null,
+			"Hostname": "ba033ac44011",
+			"Image": "ubuntu",
+			"Labels": {
+				"com.example.vendor": "Acme",
+				"com.example.license": "GPL",
+				"com.example.version": "1.0"
+			},
+			"MacAddress": "",
+			"NetworkDisabled": false,
+			"OnBuild": null,
+			"OpenStdin": false,
+			"StdinOnce": false,
+			"Tty": false,
+			"User": "",
+			"Volumes": null,
+			"WorkingDir": "",
+			"StopSignal": "SIGTERM"
+		},
+		"Created": "2015-01-06T15:47:31.485331387Z",
+		"Driver": "devicemapper",
+		"ExecDriver": "native-0.2",
+		"ExecIDs": null,
+		"HostConfig": {
+			"Binds": null,
+			"BlkioWeight": 0,
+			"CapAdd": null,
+			"CapDrop": null,
+			"ContainerIDFile": "",
+			"CpusetCpus": "",
+			"CpusetMems": "",
+			"CpuShares": 0,
+			"CpuPeriod": 100000,
+			"Devices": [],
+			"Dns": null,
+			"DnsOptions": null,
+			"DnsSearch": null,
+			"ExtraHosts": null,
+			"IpcMode": "",
+			"Links": null,
+			"LxcConf": [],
+			"Memory": 0,
+			"MemorySwap": 0,
+			"MemoryReservation": 0,
+			"KernelMemory": 0,
+			"OomKillDisable": false,
+			"NetworkMode": "bridge",
+			"PidMode": "",
+			"PortBindings": {},
+			"Privileged": false,
+			"ReadonlyRootfs": false,
+			"PublishAllPorts": false,
+			"RestartPolicy": {
+				"MaximumRetryCount": 2,
+				"Name": "on-failure"
+			},
+			"LogConfig": {
+				"Config": null,
+				"Type": "json-file"
+			},
+			"SecurityOpt": null,
+			"VolumesFrom": null,
+			"Ulimits": [{}],
+			"VolumeDriver": ""
+		},
+		"HostnamePath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hostname",
+		"HostsPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hosts",
+		"LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+		"Id": "ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39",
+		"Image": "04c5d3b7b0656168630d3ba35d8889bd0e9caafcaeb3004d2bfbc47e7c5d35d2",
+		"MountLabel": "",
+		"Name": "/boring_euclid",
+		"NetworkSettings": {
+			"Bridge": "",
+			"SandboxID": "",
+			"HairpinMode": false,
+			"LinkLocalIPv6Address": "",
+			"LinkLocalIPv6PrefixLen": 0,
+			"Ports": null,
+			"SandboxKey": "",
+			"SecondaryIPAddresses": null,
+			"SecondaryIPv6Addresses": null,
+			"EndpointID": "",
+			"Gateway": "",
+			"GlobalIPv6Address": "",
+			"GlobalIPv6PrefixLen": 0,
+			"IPAddress": "",
+			"IPPrefixLen": 0,
+			"IPv6Gateway": "",
+			"MacAddress": "",
+			"Networks": {
+				"bridge": {
+					"EndpointID": "7587b82f0dada3656fda26588aee72630c6fab1536d36e394b2bfbcf898c971d",
+					"Gateway": "172.17.0.1",
+					"IPAddress": "172.17.0.2",
+					"IPPrefixLen": 16,
+					"IPv6Gateway": "",
+					"GlobalIPv6Address": "",
+					"GlobalIPv6PrefixLen": 0,
+					"MacAddress": "02:42:ac:12:00:02"
+				}
+			}
+		},
+		"Path": "/bin/sh",
+		"ProcessLabel": "",
+		"ResolvConfPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/resolv.conf",
+		"RestartCount": 1,
+		"State": {
+			"Error": "",
+			"ExitCode": 9,
+			"FinishedAt": "2015-01-06T15:47:32.080254511Z",
+			"OOMKilled": false,
+			"Paused": false,
+			"Pid": 0,
+			"Restarting": false,
+			"Running": true,
+			"StartedAt": "2015-01-06T15:47:32.072697474Z",
+			"Status": "running"
+		},
+		"Mounts": [
+			{
+				"Source": "/data",
+				"Destination": "/data",
+				"Mode": "ro,Z",
+				"RW": false
+			}
+		]
+	}
+
+**Example request, with size information**:
+
+    GET /v1.21/containers/4fa6e0f0c678/json?size=1 HTTP/1.1
+
+**Example response, with size information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+    ....
+    "SizeRw": 0,
+    "SizeRootFs": 972,
+    ....
+    }
+
+**Query parameters**:
+
+-   **size** – 1/True/true or 0/False/false, return container size information. Default is `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### List processes running inside a container
+
+`GET /containers/(id or name)/top`
+
+List processes running inside the container `id`. On Unix systems this
+is done by running the `ps` command. This endpoint is not
+supported on Windows.
+
+**Example request**:
+
+    GET /v1.21/containers/4fa6e0f0c678/top HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Titles" : [
+         "UID", "PID", "PPID", "C", "STIME", "TTY", "TIME", "CMD"
+       ],
+       "Processes" : [
+         [
+           "root", "13642", "882", "0", "17:03", "pts/0", "00:00:00", "/bin/bash"
+         ],
+         [
+           "root", "13735", "13642", "0", "17:06", "pts/0", "00:00:00", "sleep 10"
+         ]
+       ]
+    }
+
+**Example request**:
+
+    GET /v1.21/containers/4fa6e0f0c678/top?ps_args=aux HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Titles" : [
+        "USER","PID","%CPU","%MEM","VSZ","RSS","TTY","STAT","START","TIME","COMMAND"
+      ]
+      "Processes" : [
+        [
+          "root","13642","0.0","0.1","18172","3184","pts/0","Ss","17:03","0:00","/bin/bash"
+        ],
+        [
+          "root","13895","0.0","0.0","4348","692","pts/0","S+","17:15","0:00","sleep 10"
+        ]
+      ],
+    }
+
+**Query parameters**:
+
+-   **ps_args** – `ps` arguments to use (e.g., `aux`), defaults to `-ef`
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container logs
+
+`GET /containers/(id or name)/logs`
+
+Get `stdout` and `stderr` logs from the container ``id``
+
+> **Note**:
+> This endpoint works only for containers with the `json-file` or `journald` logging drivers.
+
+**Example request**:
+
+     GET /v1.21/containers/4fa6e0f0c678/logs?stderr=1&stdout=1&timestamps=1&follow=1&tail=10&since=1428990821 HTTP/1.1
+
+**Example response**:
+
+     HTTP/1.1 101 UPGRADED
+     Content-Type: application/vnd.docker.raw-stream
+     Connection: Upgrade
+     Upgrade: tcp
+
+     {% raw %}
+     {{ STREAM }}
+     {% endraw %}
+
+**Query parameters**:
+
+-   **follow** – 1/True/true or 0/False/false, return stream. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, show `stdout` log. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, show `stderr` log. Default `false`.
+-   **since** – UNIX timestamp (integer) to filter logs. Specifying a timestamp
+    will only output log-entries since that timestamp. Default: 0 (unfiltered)
+-   **timestamps** – 1/True/true or 0/False/false, print timestamps for
+        every log line. Default `false`.
+-   **tail** – Output specified number of lines at the end of logs: `all` or `<number>`. Default all.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **404** – no such container
+-   **500** – server error
+
+#### Inspect changes on a container's filesystem
+
+`GET /containers/(id or name)/changes`
+
+Inspect changes on container `id`'s filesystem
+
+**Example request**:
+
+    GET /v1.21/containers/4fa6e0f0c678/changes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Path": "/dev",
+                 "Kind": 0
+         },
+         {
+                 "Path": "/dev/kmsg",
+                 "Kind": 1
+         },
+         {
+                 "Path": "/test",
+                 "Kind": 1
+         }
+    ]
+
+Values for `Kind`:
+
+- `0`: Modify
+- `1`: Add
+- `2`: Delete
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Export a container
+
+`GET /containers/(id or name)/export`
+
+Export the contents of container `id`
+
+**Example request**:
+
+    GET /v1.21/containers/4fa6e0f0c678/export HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/octet-stream
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container stats based on resource usage
+
+`GET /containers/(id or name)/stats`
+
+This endpoint returns a live stream of a container's resource usage statistics.
+
+**Example request**:
+
+    GET /v1.21/containers/redis1/stats HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Type: application/json
+
+      {
+         "read" : "2015-01-08T22:57:31.547920715Z",
+         "networks": {
+                 "eth0": {
+                     "rx_bytes": 5338,
+                     "rx_dropped": 0,
+                     "rx_errors": 0,
+                     "rx_packets": 36,
+                     "tx_bytes": 648,
+                     "tx_dropped": 0,
+                     "tx_errors": 0,
+                     "tx_packets": 8
+                 },
+                 "eth5": {
+                     "rx_bytes": 4641,
+                     "rx_dropped": 0,
+                     "rx_errors": 0,
+                     "rx_packets": 26,
+                     "tx_bytes": 690,
+                     "tx_dropped": 0,
+                     "tx_errors": 0,
+                     "tx_packets": 9
+                 }
+         },
+         "memory_stats" : {
+            "stats" : {
+               "total_pgmajfault" : 0,
+               "cache" : 0,
+               "mapped_file" : 0,
+               "total_inactive_file" : 0,
+               "pgpgout" : 414,
+               "rss" : 6537216,
+               "total_mapped_file" : 0,
+               "writeback" : 0,
+               "unevictable" : 0,
+               "pgpgin" : 477,
+               "total_unevictable" : 0,
+               "pgmajfault" : 0,
+               "total_rss" : 6537216,
+               "total_rss_huge" : 6291456,
+               "total_writeback" : 0,
+               "total_inactive_anon" : 0,
+               "rss_huge" : 6291456,
+               "hierarchical_memory_limit" : 67108864,
+               "total_pgfault" : 964,
+               "total_active_file" : 0,
+               "active_anon" : 6537216,
+               "total_active_anon" : 6537216,
+               "total_pgpgout" : 414,
+               "total_cache" : 0,
+               "inactive_anon" : 0,
+               "active_file" : 0,
+               "pgfault" : 964,
+               "inactive_file" : 0,
+               "total_pgpgin" : 477
+            },
+            "max_usage" : 6651904,
+            "usage" : 6537216,
+            "failcnt" : 0,
+            "limit" : 67108864
+         },
+         "blkio_stats" : {},
+         "cpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24472255,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100215355,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 739306590000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         },
+         "precpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24350896,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100093996,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 9492140000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         }
+      }
+
+The `precpu_stats` is the cpu statistic of *previous* read, which is used for calculating the cpu usage percent. It is not the exact copy of the `cpu_stats` field.
+
+**Query parameters**:
+
+-   **stream** – 1/True/true or 0/False/false, pull stats once then disconnect. Default `true`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Resize a container TTY
+
+`POST /containers/(id or name)/resize`
+
+Resize the TTY for container with  `id`. The unit is number of characters. You must restart the container for the resize to take effect.
+
+**Example request**:
+
+      POST /v1.21/containers/4fa6e0f0c678/resize?h=40&w=80 HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Length: 0
+      Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – No such container
+-   **500** – Cannot resize container
+
+#### Start a container
+
+`POST /containers/(id or name)/start`
+
+Start the container `id`
+
+> **Note**:
+> For backwards compatibility, this endpoint accepts a `HostConfig` as JSON-encoded request body.
+> See [create a container](#create-a-container) for details.
+
+**Example request**:
+
+    POST /v1.21/containers/e90e34656806/start HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already started
+-   **404** – no such container
+-   **500** – server error
+
+#### Stop a container
+
+`POST /containers/(id or name)/stop`
+
+Stop the container `id`
+
+**Example request**:
+
+    POST /v1.21/containers/e90e34656806/stop?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already stopped
+-   **404** – no such container
+-   **500** – server error
+
+#### Restart a container
+
+`POST /containers/(id or name)/restart`
+
+Restart the container `id`
+
+**Example request**:
+
+    POST /v1.21/containers/e90e34656806/restart?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Kill a container
+
+`POST /containers/(id or name)/kill`
+
+Kill the container `id`
+
+**Example request**:
+
+    POST /v1.21/containers/e90e34656806/kill HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **signal** - Signal to send to the container: integer or string like `SIGINT`.
+        When not set, `SIGKILL` is assumed and the call waits for the container to exit.
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Rename a container
+
+`POST /containers/(id or name)/rename`
+
+Rename the container `id` to a `new_name`
+
+**Example request**:
+
+    POST /v1.21/containers/e90e34656806/rename?name=new_name HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **name** – new name for the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **409** - conflict name already assigned
+-   **500** – server error
+
+#### Pause a container
+
+`POST /containers/(id or name)/pause`
+
+Pause the container `id`
+
+**Example request**:
+
+    POST /v1.21/containers/e90e34656806/pause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Unpause a container
+
+`POST /containers/(id or name)/unpause`
+
+Unpause the container `id`
+
+**Example request**:
+
+    POST /v1.21/containers/e90e34656806/unpause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Attach to a container
+
+`POST /containers/(id or name)/attach`
+
+Attach to the container `id`
+
+**Example request**:
+
+    POST /v1.21/containers/16253994b7c4/attach?logs=1&stream=0&stdout=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 101 UPGRADED
+    Content-Type: application/vnd.docker.raw-stream
+    Connection: Upgrade
+    Upgrade: tcp
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+**Stream details**:
+
+When using the TTY setting is enabled in
+[`POST /containers/create`
+](#create-a-container),
+the stream is the raw data from the process PTY and client's `stdin`.
+When the TTY is disabled, then the stream is multiplexed to separate
+`stdout` and `stderr`.
+
+The format is a **Header** and a **Payload** (frame).
+
+**HEADER**
+
+The header contains the information which the stream writes (`stdout` or
+`stderr`). It also contains the size of the associated frame encoded in the
+last four bytes (`uint32`).
+
+It is encoded on the first eight bytes like this:
+
+    header := [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}
+
+`STREAM_TYPE` can be:
+
+-   0: `stdin` (is written on `stdout`)
+-   1: `stdout`
+-   2: `stderr`
+
+`SIZE1, SIZE2, SIZE3, SIZE4` are the four bytes of
+the `uint32` size encoded as big endian.
+
+**PAYLOAD**
+
+The payload is the raw stream.
+
+**IMPLEMENTATION**
+
+The simplest way to implement the Attach protocol is the following:
+
+    1.  Read eight bytes.
+    2.  Choose `stdout` or `stderr` depending on the first byte.
+    3.  Extract the frame size from the last four bytes.
+    4.  Read the extracted size and output it on the correct output.
+    5.  Goto 1.
+
+#### Attach to a container (websocket)
+
+`GET /containers/(id or name)/attach/ws`
+
+Attach to the container `id` via websocket
+
+Implements websocket protocol handshake according to [RFC 6455](http://tools.ietf.org/html/rfc6455)
+
+**Example request**
+
+    GET /v1.21/containers/e90e34656806/attach/ws?logs=0&stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
+
+**Example response**
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+#### Wait a container
+
+`POST /containers/(id or name)/wait`
+
+Block until container `id` stops, then returns the exit code
+
+**Example request**:
+
+    POST /v1.21/containers/16253994b7c4/wait HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"StatusCode": 0}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Remove a container
+
+`DELETE /containers/(id or name)`
+
+Remove the container `id` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.21/containers/16253994b7c4?v=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **v** – 1/True/true or 0/False/false, Remove the volumes
+        associated to the container. Default `false`.
+-   **force** - 1/True/true or 0/False/false, Kill then remove the container.
+        Default `false`.
+-   **link** - 1/True/true or 0/False/false, Remove the specified
+        link associated to the container. Default `false`.
+
+**Status codes**:
+
+-   **204** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **409** – conflict
+-   **500** – server error
+
+#### Copy files or folders from a container
+
+`POST /containers/(id or name)/copy`
+
+Copy files or folders of container `id`
+
+**Deprecated** in favor of the `archive` endpoint below.
+
+**Example request**:
+
+    POST /v1.21/containers/4fa6e0f0c678/copy HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Resource": "test.txt"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Retrieving information about files and folders in a container
+
+`HEAD /containers/(id or name)/archive`
+
+See the description of the `X-Docker-Container-Path-Stat` header in the
+following section.
+
+#### Get an archive of a filesystem resource in a container
+
+`GET /containers/(id or name)/archive`
+
+Get a tar archive of a resource in the filesystem of container `id`.
+
+**Query parameters**:
+
+- **path** - resource in the container's filesystem to archive. Required.
+
+    If not an absolute path, it is relative to the container's root directory.
+    The resource specified by **path** must exist. To assert that the resource
+    is expected to be a directory, **path** should end in `/` or  `/.`
+    (assuming a path separator of `/`). If **path** ends in `/.` then this
+    indicates that only the contents of the **path** directory should be
+    copied. A symlink is always resolved to its target.
+
+    > **Note**: It is not possible to copy certain system files such as resources
+    > under `/proc`, `/sys`, `/dev`, and mounts created by the user in the
+    > container.
+
+**Example request**:
+
+    GET /v1.21/containers/8cce319429b2/archive?path=/root HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+    X-Docker-Container-Path-Stat: eyJuYW1lIjoicm9vdCIsInNpemUiOjQwOTYsIm1vZGUiOjIxNDc0ODQwOTYsIm10aW1lIjoiMjAxNC0wMi0yN1QyMDo1MToyM1oiLCJsaW5rVGFyZ2V0IjoiIn0=
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+On success, a response header `X-Docker-Container-Path-Stat` will be set to a
+base64-encoded JSON object containing some filesystem header information about
+the archived resource. The above example value would decode to the following
+JSON object (whitespace added for readability):
+
+```json
+{
+    "name": "root",
+    "size": 4096,
+    "mode": 2147484096,
+    "mtime": "2014-02-27T20:51:23Z",
+    "linkTarget": ""
+}
+```
+
+A `HEAD` request can also be made to this endpoint if only this information is
+desired.
+
+**Status codes**:
+
+- **200** - success, returns archive of copied resource
+- **400** - client error, bad parameter, details in JSON response body, one of:
+    - must specify path parameter (**path** cannot be empty)
+    - not a directory (**path** was asserted to be a directory but exists as a
+      file)
+- **404** - client error, resource not found, one of:
+    – no such container (container `id` does not exist)
+    - no such file or directory (**path** does not exist)
+- **500** - server error
+
+#### Extract an archive of files or folders to a directory in a container
+
+`PUT /containers/(id or name)/archive`
+
+Upload a tar archive to be extracted to a path in the filesystem of container
+`id`.
+
+**Query parameters**:
+
+- **path** - path to a directory in the container
+    to extract the archive's contents into. Required.
+
+    If not an absolute path, it is relative to the container's root directory.
+    The **path** resource must exist.
+- **noOverwriteDirNonDir** - If "1", "true", or "True" then it will be an error
+    if unpacking the given content would cause an existing directory to be
+    replaced with a non-directory and vice versa.
+
+**Example request**:
+
+    PUT /v1.21/containers/8cce319429b2/archive?path=/vol1 HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** – the content was extracted successfully
+- **400** - client error, bad parameter, details in JSON response body, one of:
+    - must specify path parameter (**path** cannot be empty)
+    - not a directory (**path** should be a directory but exists as a file)
+    - unable to overwrite existing directory with non-directory
+      (if **noOverwriteDirNonDir**)
+    - unable to overwrite existing non-directory with directory
+      (if **noOverwriteDirNonDir**)
+- **403** - client error, permission denied, the volume
+    or container rootfs is marked as read-only.
+- **404** - client error, resource not found, one of:
+    – no such container (container `id` does not exist)
+    - no such file or directory (**path** resource does not exist)
+- **500** – server error
+
+### 2.2 Images
+
+#### List Images
+
+`GET /images/json`
+
+**Example request**:
+
+    GET /v1.21/images/json?all=0 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+         "RepoTags": [
+           "ubuntu:12.04",
+           "ubuntu:precise",
+           "ubuntu:latest"
+         ],
+         "Id": "8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
+         "Created": 1365714795,
+         "Size": 131506275,
+         "VirtualSize": 131506275,
+         "Labels": {}
+      },
+      {
+         "RepoTags": [
+           "ubuntu:12.10",
+           "ubuntu:quantal"
+         ],
+         "ParentId": "27cf784147099545",
+         "Id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
+         "Created": 1364102658,
+         "Size": 24653,
+         "VirtualSize": 180116135,
+         "Labels": {
+            "com.example.version": "v1"
+         }
+      }
+    ]
+
+**Example request, with digest information**:
+
+    GET /v1.21/images/json?digests=1 HTTP/1.1
+
+**Example response, with digest information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+        "Created": 1420064636,
+        "Id": "4986bf8c15363d1c5d15512d5266f8777bfba4974ac56e3270e7760f6f0a8125",
+        "ParentId": "ea13149945cb6b1e746bf28032f02e9b5a793523481a0a18645fc77ad53c4ea2",
+        "RepoDigests": [
+          "localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+        ],
+        "RepoTags": [
+          "localhost:5000/test/busybox:latest",
+          "playdate:latest"
+        ],
+        "Size": 0,
+        "VirtualSize": 2429728,
+        "Labels": {}
+      }
+    ]
+
+The response shows a single image `Id` associated with two repositories
+(`RepoTags`): `localhost:5000/test/busybox`: and `playdate`. A caller can use
+either of the `RepoTags` values `localhost:5000/test/busybox:latest` or
+`playdate:latest` to reference the image.
+
+You can also use `RepoDigests` values to reference an image. In this response,
+the array has only one reference and that is to the
+`localhost:5000/test/busybox` repository; the `playdate` repository has no
+digest. You can reference this digest using the value:
+`localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d...`
+
+See the `docker run` and `docker build` commands for examples of digest and tag
+references on the command line.
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, default false
+-   **filters** – a JSON encoded value of the filters (a map[string][]string) to process on the images list. Available filters:
+  -   `dangling=true`
+  -   `label=key` or `label="key=value"` of an image label
+-   **filter** - only return images with the specified name
+
+#### Build image from a Dockerfile
+
+`POST /build`
+
+Build an image from a Dockerfile
+
+**Example request**:
+
+    POST /v1.21/build HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"stream": "Step 1/5..."}
+    {"stream": "..."}
+    {"error": "Error...", "errorDetail": {"code": 123, "message": "Error..."}}
+
+The input stream must be a `tar` archive compressed with one of the
+following algorithms: `identity` (no compression), `gzip`, `bzip2`, `xz`.
+
+The archive must include a build instructions file, typically called
+`Dockerfile` at the archive's root. The `dockerfile` parameter may be
+used to specify a different build instructions file. To do this, its value must be
+the path to the alternate build instructions file to use.
+
+The archive may include any number of other files,
+which are accessible in the build context (See the [*ADD build
+command*](../reference/builder.md#add)).
+
+The Docker daemon performs a preliminary validation of the `Dockerfile` before
+starting the build, and returns an error if the syntax is incorrect. After that,
+each instruction is run one-by-one until the ID of the new image is output.
+
+The build is canceled if the client drops the connection by quitting
+or being killed.
+
+**Query parameters**:
+
+-   **dockerfile** - Path within the build context to the `Dockerfile`. This is
+        ignored if `remote` is specified and points to an external `Dockerfile`.
+-   **t** – A name and optional tag to apply to the image in the `name:tag` format.
+        If you omit the `tag` the default `latest` value is assumed.
+        You can provide one or more `t` parameters.
+-   **remote** – A Git repository URI or HTTP/HTTPS context URI. If the
+        URI points to a single text file, the file's contents are placed into
+        a file called `Dockerfile` and the image is built from that file. If
+        the URI points to a tarball, the file is downloaded by the daemon and
+        the contents therein used as the context for the build. If the URI
+        points to a tarball and the `dockerfile` parameter is also specified,
+        there must be a file with the corresponding path inside the tarball.
+-   **q** – Suppress verbose build output.
+-   **nocache** – Do not use the cache when building the image.
+-   **pull** - Attempt to pull the image even if an older image exists locally.
+-   **rm** - Remove intermediate containers after a successful build (default behavior).
+-   **forcerm** - Always remove intermediate containers (includes `rm`).
+-   **memory** - Set memory limit for build.
+-   **memswap** - Total memory (memory + swap), `-1` to enable unlimited swap.
+-   **cpushares** - CPU shares (relative weight).
+-   **cpusetcpus** - CPUs in which to allow execution (e.g., `0-3`, `0,1`).
+-   **cpuperiod** - The length of a CPU period in microseconds.
+-   **cpuquota** - Microseconds of CPU time that the container can get in a CPU period.
+-   **buildargs** – JSON map of string pairs for build-time variables. Users pass
+        these values at build-time. Docker uses the `buildargs` as the environment
+        context for command(s) run via the Dockerfile's `RUN` instruction or for
+        variable expansion in other Dockerfile instructions. This is not meant for
+        passing secret values. [Read more about the buildargs instruction](../reference/builder.md#arg)
+
+**Request Headers**:
+
+-   **Content-type** – Set to `"application/x-tar"`.
+-   **X-Registry-Config** – A base64-url-safe-encoded Registry Auth Config JSON
+        object with the following structure:
+
+            {
+                "docker.example.com": {
+                    "username": "janedoe",
+                    "password": "hunter2"
+                },
+                "https://index.docker.io/v1/": {
+                    "username": "mobydock",
+                    "password": "conta1n3rize14"
+                }
+            }
+
+    This object maps the hostname of a registry to an object containing the
+    "username" and "password" for that registry. Multiple registries may
+    be specified as the build may be based on an image requiring
+    authentication to pull from any arbitrary registry. Only the registry
+    domain name (and port if not the default "443") are required. However
+    (for legacy reasons) the "official" Docker, Inc. hosted registry must
+    be specified with both a "https://" prefix and a "/v1/" suffix even
+    though Docker will prefer to use the v2 registry API.
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Create an image
+
+`POST /images/create`
+
+Create an image either by pulling it from the registry or by importing it
+
+**Example request**:
+
+    POST /v1.21/images/create?fromImage=busybox&tag=latest HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pulling..."}
+    {"status": "Pulling", "progress": "1 B/ 100 B", "progressDetail": {"current": 1, "total": 100}}
+    {"error": "Invalid..."}
+    ...
+
+When using this endpoint to pull an image from the registry, the
+`X-Registry-Auth` header can be used to include
+a base64-encoded AuthConfig object.
+
+**Query parameters**:
+
+-   **fromImage** – Name of the image to pull. The name may include a tag or
+        digest. This parameter may only be used when pulling an image.
+-   **fromSrc** – Source to import.  The value may be a URL from which the image
+        can be retrieved or `-` to read the image from the request body.
+        This parameter may only be used when importing an image.
+-   **repo** – Repository name given to an image when it is imported.
+        The repo may include a tag. This parameter may only be used when importing
+        an image.
+-   **tag** – Tag or digest. If empty when pulling an image, this causes all tags
+        for the given image to be pulled.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** - repository does not exist or no read access
+-   **500** – server error
+
+
+
+#### Inspect an image
+
+`GET /images/(name)/json`
+
+Return low-level information on the image `name`
+
+**Example request**:
+
+    GET /v1.21/images/example/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Id" : "85f05633ddc1c50679be2b16a0479ab6f7637f8884e0cfe0f4d20e1ebb3d6e7c",
+       "Container" : "cb91e48a60d01f1e27028b4fc6819f4f290b3cf12496c8176ec714d0d390984a",
+       "Comment" : "",
+       "Os" : "linux",
+       "Architecture" : "amd64",
+       "Parent" : "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+       "ContainerConfig" : {
+          "Tty" : false,
+          "Hostname" : "e611e15f9c9d",
+          "Volumes" : null,
+          "Domainname" : "",
+          "AttachStdout" : false,
+          "PublishService" : "",
+          "AttachStdin" : false,
+          "OpenStdin" : false,
+          "StdinOnce" : false,
+          "NetworkDisabled" : false,
+          "OnBuild" : [],
+          "Image" : "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+          "User" : "",
+          "WorkingDir" : "",
+          "Entrypoint" : null,
+          "MacAddress" : "",
+          "AttachStderr" : false,
+          "Labels" : {
+             "com.example.license" : "GPL",
+             "com.example.version" : "1.0",
+             "com.example.vendor" : "Acme"
+          },
+          "Env" : [
+             "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ],
+          "ExposedPorts" : null,
+          "Cmd" : [
+             "/bin/sh",
+             "-c",
+             "#(nop) LABEL com.example.vendor=Acme com.example.license=GPL com.example.version=1.0"
+          ]
+       },
+       "DockerVersion" : "1.9.0-dev",
+       "VirtualSize" : 188359297,
+       "Size" : 0,
+       "Author" : "",
+       "Created" : "2015-09-10T08:30:53.26995814Z",
+       "GraphDriver" : {
+          "Name" : "aufs",
+          "Data" : null
+       },
+       "RepoDigests" : [
+          "localhost:5000/test/busybox/example@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+       ],
+       "RepoTags" : [
+          "example:1.0",
+          "example:latest",
+          "example:stable"
+       ],
+       "Config" : {
+          "Image" : "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+          "NetworkDisabled" : false,
+          "OnBuild" : [],
+          "StdinOnce" : false,
+          "PublishService" : "",
+          "AttachStdin" : false,
+          "OpenStdin" : false,
+          "Domainname" : "",
+          "AttachStdout" : false,
+          "Tty" : false,
+          "Hostname" : "e611e15f9c9d",
+          "Volumes" : null,
+          "Cmd" : [
+             "/bin/bash"
+          ],
+          "ExposedPorts" : null,
+          "Env" : [
+             "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ],
+          "Labels" : {
+             "com.example.vendor" : "Acme",
+             "com.example.version" : "1.0",
+             "com.example.license" : "GPL"
+          },
+          "Entrypoint" : null,
+          "MacAddress" : "",
+          "AttachStderr" : false,
+          "WorkingDir" : "",
+          "User" : ""
+       }
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Get the history of an image
+
+`GET /images/(name)/history`
+
+Return the history of the image `name`
+
+**Example request**:
+
+    GET /v1.21/images/ubuntu/history HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+        {
+            "Id": "3db9c44f45209632d6050b35958829c3a2aa256d81b9a7be45b362ff85c54710",
+            "Created": 1398108230,
+            "CreatedBy": "/bin/sh -c #(nop) ADD file:eb15dbd63394e063b805a3c32ca7bf0266ef64676d5a6fab4801f2e81e2a5148 in /",
+            "Tags": [
+                "ubuntu:lucid",
+                "ubuntu:10.04"
+            ],
+            "Size": 182964289,
+            "Comment": ""
+        },
+        {
+            "Id": "6cfa4d1f33fb861d4d114f43b25abd0ac737509268065cdfd69d544a59c85ab8",
+            "Created": 1398108222,
+            "CreatedBy": "/bin/sh -c #(nop) MAINTAINER Tianon Gravi <admwiggin@gmail.com> - mkimage-debootstrap.sh -i iproute,iputils-ping,ubuntu-minimal -t lucid.tar.xz lucid http://archive.ubuntu.com/ubuntu/",
+            "Tags": null,
+            "Size": 0,
+            "Comment": ""
+        },
+        {
+            "Id": "511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158",
+            "Created": 1371157430,
+            "CreatedBy": "",
+            "Tags": [
+                "scratch12:latest",
+                "scratch:latest"
+            ],
+            "Size": 0,
+            "Comment": "Imported from -"
+        }
+    ]
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Push an image on the registry
+
+`POST /images/(name)/push`
+
+Push the image `name` on the registry
+
+**Example request**:
+
+    POST /v1.21/images/test/push HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pushing..."}
+    {"status": "Pushing", "progress": "1/? (n/a)", "progressDetail": {"current": 1}}}
+    {"error": "Invalid..."}
+    ...
+
+If you wish to push an image on to a private registry, that image must already have a tag
+into a repository which references that registry `hostname` and `port`.  This repository name should
+then be used in the URL. This duplicates the command line's flow.
+
+**Example request**:
+
+    POST /v1.21/images/registry.acme.com:5000/test/push HTTP/1.1
+
+
+**Query parameters**:
+
+-   **tag** – The tag to associate with the image on the registry. This is optional.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Tag an image into a repository
+
+`POST /images/(name)/tag`
+
+Tag the image `name` into a repository
+
+**Example request**:
+
+    POST /v1.21/images/test/tag?repo=myrepo&force=0&tag=v42 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+
+**Query parameters**:
+
+-   **repo** – The repository to tag in
+-   **force** – 1/True/true or 0/False/false, default false
+-   **tag** - The new tag name
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Remove an image
+
+`DELETE /images/(name)`
+
+Remove the image `name` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.21/images/test HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-type: application/json
+
+    [
+     {"Untagged": "3e2f21a89f"},
+     {"Deleted": "3e2f21a89f"},
+     {"Deleted": "53b4f83ac9"}
+    ]
+
+**Query parameters**:
+
+-   **force** – 1/True/true or 0/False/false, default false
+-   **noprune** – 1/True/true or 0/False/false, default false
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Search images
+
+`GET /images/search`
+
+Search for an image on [Docker Hub](https://hub.docker.com).
+
+> **Note**:
+> The response keys have changed from API v1.6 to reflect the JSON
+> sent by the registry server to the docker daemon's request.
+
+**Example request**:
+
+    GET /v1.21/images/search?term=sshd HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "wma55/u1210sshd",
+                "star_count": 0
+            },
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "jdswinbank/sshd",
+                "star_count": 0
+            },
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "vgauthier/sshd",
+                "star_count": 0
+            }
+    ...
+    ]
+
+**Query parameters**:
+
+-   **term** – term to search
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+### 2.3 Misc
+
+#### Check auth configuration
+
+`POST /auth`
+
+Get the default username and email
+
+**Example request**:
+
+    POST /v1.21/auth HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "username": "hannibal",
+         "password": "xxxx",
+         "email": "hannibal@a-team.com",
+         "serveraddress": "https://index.docker.io/v1/"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** – no error
+-   **204** – no error
+-   **500** – server error
+
+#### Display system-wide information
+
+`GET /info`
+
+Display system-wide information
+
+**Example request**:
+
+    GET /v1.21/info HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+        "ClusterStore": "etcd://localhost:2379",
+        "Containers": 11,
+        "CpuCfsPeriod": true,
+        "CpuCfsQuota": true,
+        "Debug": false,
+        "DockerRootDir": "/var/lib/docker",
+        "Driver": "btrfs",
+        "DriverStatus": [[""]],
+        "ExecutionDriver": "native-0.1",
+        "ExperimentalBuild": false,
+        "HttpProxy": "http://test:test@localhost:8080",
+        "HttpsProxy": "https://test:test@localhost:8080",
+        "ID": "7TRN:IPZB:QYBB:VPBQ:UMPP:KARE:6ZNR:XE6T:7EWV:PKF4:ZOJD:TPYS",
+        "IPv4Forwarding": true,
+        "Images": 16,
+        "IndexServerAddress": "https://index.docker.io/v1/",
+        "InitPath": "/usr/bin/docker",
+        "InitSha1": "",
+        "KernelVersion": "3.12.0-1-amd64",
+        "Labels": [
+            "storage=ssd"
+        ],
+        "MemTotal": 2099236864,
+        "MemoryLimit": true,
+        "NCPU": 1,
+        "NEventsListener": 0,
+        "NFd": 11,
+        "NGoroutines": 21,
+        "Name": "prod-server-42",
+        "NoProxy": "9.81.1.160",
+        "OomKillDisable": true,
+        "OperatingSystem": "Boot2Docker",
+        "RegistryConfig": {
+            "IndexConfigs": {
+                "docker.io": {
+                    "Mirrors": null,
+                    "Name": "docker.io",
+                    "Official": true,
+                    "Secure": true
+                }
+            },
+            "InsecureRegistryCIDRs": [
+                "127.0.0.0/8"
+            ]
+        },
+        "ServerVersion": "1.9.0",
+        "SwapLimit": false,
+        "SystemTime": "2015-03-10T11:11:23.730591467-07:00"
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Show the docker version information
+
+`GET /version`
+
+Show the docker version information
+
+**Example request**:
+
+    GET /v1.21/version HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+         "Version": "1.5.0",
+         "Os": "linux",
+         "KernelVersion": "3.18.5-tinycore64",
+         "GoVersion": "go1.4.1",
+         "GitCommit": "a8a31ef",
+         "Arch": "amd64",
+         "ApiVersion": "1.20",
+         "Experimental": false
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Ping the docker server
+
+`GET /_ping`
+
+Ping the docker server
+
+**Example request**:
+
+    GET /v1.21/_ping HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: text/plain
+
+    OK
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a new image from a container's changes
+
+`POST /commit`
+
+Create a new image from a container's changes
+
+**Example request**:
+
+    POST /v1.21/commit?container=44c004db4b17&comment=message&repo=myrepo HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Hostname": "",
+         "Domainname": "",
+         "User": "",
+         "AttachStdin": false,
+         "AttachStdout": true,
+         "AttachStderr": true,
+         "Tty": false,
+         "OpenStdin": false,
+         "StdinOnce": false,
+         "Env": null,
+         "Cmd": [
+                 "date"
+         ],
+         "Mounts": [
+           {
+             "Source": "/data",
+             "Destination": "/data",
+             "Mode": "ro,Z",
+             "RW": false
+           }
+         ],
+         "Labels": {
+                 "key1": "value1",
+                 "key2": "value2"
+          },
+         "WorkingDir": "",
+         "NetworkDisabled": false,
+         "ExposedPorts": {
+                 "22/tcp": {}
+         }
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {"Id": "596069db4bf5"}
+
+**JSON parameters**:
+
+-  **config** - the container's configuration
+
+**Query parameters**:
+
+-   **container** – source container
+-   **repo** – repository
+-   **tag** – tag
+-   **comment** – commit message
+-   **author** – author (e.g., "John Hannibal Smith
+    <[hannibal@a-team.com](mailto:hannibal%40a-team.com)>")
+-   **pause** – 1/True/true or 0/False/false, whether to pause the container before committing
+-   **changes** – Dockerfile instructions to apply while committing
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Monitor Docker's events
+
+`GET /events`
+
+Get container events from docker, in real time via streaming.
+
+Docker containers report the following events:
+
+    attach, commit, copy, create, destroy, die, exec_create, exec_start, export, kill, oom, pause, rename, resize, restart, start, stop, top, unpause
+
+Docker images report the following events:
+
+    delete, import, pull, push, tag, untag
+
+**Example request**:
+
+    GET /v1.21/events?since=1374067924
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status":"pull","id":"busybox:latest","time":1442421700,"timeNano":1442421700598988358}
+    {"status":"create","id":"5745704abe9caa5","from":"busybox","time":1442421716,"timeNano":1442421716853979870}
+    {"status":"attach","id":"5745704abe9caa5","from":"busybox","time":1442421716,"timeNano":1442421716894759198}
+    {"status":"start","id":"5745704abe9caa5","from":"busybox","time":1442421716,"timeNano":1442421716983607193}
+
+**Query parameters**:
+
+-   **since** – Timestamp. Show all events created since timestamp and then stream
+-   **until** – Timestamp. Show events created until given timestamp and stop streaming
+-   **filters** – A json encoded value of the filters (a map[string][]string) to process on the event list. Available filters:
+  -   `container=<string>`; -- container to filter
+  -   `event=<string>`; -- event to filter
+  -   `image=<string>`; -- image to filter
+  -   `label=<string>`; -- image and container label to filter
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images in a repository
+
+`GET /images/(name)/get`
+
+Get a tarball containing all images and metadata for the repository specified
+by `name`.
+
+If `name` is a specific name and tag (e.g. ubuntu:latest), then only that image
+(and its parents) are returned. If `name` is an image ID, similarly only that
+image (and its parents) are returned, but with the exclusion of the
+'repositories' file in the tarball, as there were no image names referenced.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.21/images/ubuntu/get
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images
+
+`GET /images/get`
+
+Get a tarball containing all images and metadata for one or more repositories.
+
+For each value of the `names` parameter: if it is a specific name and tag (e.g.
+`ubuntu:latest`), then only that image (and its parents) are returned; if it is
+an image ID, similarly only that image (and its parents) are returned and there
+would be no names referenced in the 'repositories' file for this image ID.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.21/images/get?names=myname%2Fmyapp%3Alatest&names=busybox
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Load a tarball with a set of images and tags into docker
+
+`POST /images/load`
+
+Load a set of images and tags into a Docker repository.
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    POST /v1.21/images/load
+    Content-Type: application/x-tar
+    Content-Length: 12345
+
+    Tarball in body
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Image tarball format
+
+An image tarball contains one directory per image layer (named using its long ID),
+each containing these files:
+
+- `VERSION`: currently `1.0` - the file format version
+- `json`: detailed layer information, similar to `docker inspect layer_id`
+- `layer.tar`: A tarfile containing the filesystem changes in this layer
+
+The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories
+for storing attribute changes and deletions.
+
+If the tarball defines a repository, the tarball should also include a `repositories` file at
+the root that contains a list of repository and tag names mapped to layer IDs.
+
+```
+{"hello-world":
+    {"latest": "565a9d68a73f6706862bfe8409a7f659776d4d60a8d096eb4a3cbce6999cc2a1"}
+}
+```
+
+#### Exec Create
+
+`POST /containers/(id or name)/exec`
+
+Sets up an exec instance in a running container `id`
+
+**Example request**:
+
+    POST /v1.21/containers/e90e34656806/exec HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "AttachStdin": true,
+      "AttachStdout": true,
+      "AttachStderr": true,
+      "Cmd": ["sh"],
+      "Privileged": true,
+      "Tty": true,
+      "User": "123:456"
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+         "Id": "f90e34656806",
+         "Warnings":[]
+    }
+
+**JSON parameters**:
+
+-   **AttachStdin** - Boolean value, attaches to `stdin` of the `exec` command.
+-   **AttachStdout** - Boolean value, attaches to `stdout` of the `exec` command.
+-   **AttachStderr** - Boolean value, attaches to `stderr` of the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Privileged** - Boolean value, runs the exec process with extended privileges.
+-   **User** - A string value specifying the user, and optionally, group to run
+        the exec process inside the container. Format is one of: `"user"`,
+        `"user:group"`, `"uid"`, or `"uid:gid"`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **409** - container is paused
+-   **500** - server error
+
+#### Exec Start
+
+`POST /exec/(id)/start`
+
+Starts a previously set up `exec` instance `id`. If `detach` is true, this API
+returns after starting the `exec` command. Otherwise, this API sets up an
+interactive session with the `exec` command.
+
+**Example request**:
+
+    POST /v1.21/exec/e90e34656806/start HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+     "Detach": false,
+     "Tty": false
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/vnd.docker.raw-stream
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**JSON parameters**:
+
+-   **Detach** - Detach from the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **409** - container is paused
+
+**Stream details**:
+
+Similar to the stream behavior of `POST /containers/(id or name)/attach` API
+
+#### Exec Resize
+
+`POST /exec/(id)/resize`
+
+Resizes the `tty` session used by the `exec` command `id`.  The unit is number of characters.
+This API is valid only if `tty` was specified as part of creating and starting the `exec` command.
+
+**Example request**:
+
+    POST /v1.21/exec/e90e34656806/resize?h=40&w=80 HTTP/1.1
+    Content-Type: text/plain
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: text/plain
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such exec instance
+
+#### Exec Inspect
+
+`GET /exec/(id)/json`
+
+Return low-level information about the `exec` command `id`.
+
+**Example request**:
+
+    GET /v1.21/exec/11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: plain/text
+
+    {
+      "ID" : "11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39",
+      "Running" : false,
+      "ExitCode" : 2,
+      "ProcessConfig" : {
+        "privileged" : false,
+        "user" : "",
+        "tty" : false,
+        "entrypoint" : "sh",
+        "arguments" : [
+          "-c",
+          "exit 2"
+        ]
+      },
+      "OpenStdin" : false,
+      "OpenStderr" : false,
+      "OpenStdout" : false,
+      "Container" : {
+        "State" : {
+          "Status" : "running",
+          "Running" : true,
+          "Paused" : false,
+          "Restarting" : false,
+          "OOMKilled" : false,
+          "Pid" : 3650,
+          "ExitCode" : 0,
+          "Error" : "",
+          "StartedAt" : "2014-11-17T22:26:03.717657531Z",
+          "FinishedAt" : "0001-01-01T00:00:00Z"
+        },
+        "ID" : "8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c",
+        "Created" : "2014-11-17T22:26:03.626304998Z",
+        "Path" : "date",
+        "Args" : [],
+        "Config" : {
+          "Hostname" : "8f177a186b97",
+          "Domainname" : "",
+          "User" : "",
+          "AttachStdin" : false,
+          "AttachStdout" : false,
+          "AttachStderr" : false,
+          "ExposedPorts" : null,
+          "Tty" : false,
+          "OpenStdin" : false,
+          "StdinOnce" : false,
+          "Env" : [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ],
+          "Cmd" : [
+            "date"
+          ],
+          "Image" : "ubuntu",
+          "Volumes" : null,
+          "WorkingDir" : "",
+          "Entrypoint" : null,
+          "NetworkDisabled" : false,
+          "MacAddress" : "",
+          "OnBuild" : null,
+          "SecurityOpt" : null
+        },
+        "Image" : "5506de2b643be1e6febbf3b8a240760c6843244c41e12aa2f60ccbb7153d17f5",
+        "NetworkSettings" : {
+          "Bridge": "",
+          "SandboxID": "",
+          "HairpinMode": false,
+          "LinkLocalIPv6Address": "",
+          "LinkLocalIPv6PrefixLen": 0,
+          "Ports": null,
+          "SandboxKey": "",
+          "SecondaryIPAddresses": null,
+          "SecondaryIPv6Addresses": null,
+          "EndpointID": "",
+          "Gateway": "",
+          "GlobalIPv6Address": "",
+          "GlobalIPv6PrefixLen": 0,
+          "IPAddress": "",
+          "IPPrefixLen": 0,
+          "IPv6Gateway": "",
+          "MacAddress": "",
+          "Networks": {
+            "bridge": {
+              "EndpointID": "",
+              "Gateway": "",
+              "IPAddress": "",
+              "IPPrefixLen": 0,
+              "IPv6Gateway": "",
+              "GlobalIPv6Address": "",
+              "GlobalIPv6PrefixLen": 0,
+              "MacAddress": ""
+            }
+          }
+        },
+        "ResolvConfPath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/resolv.conf",
+        "HostnamePath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/hostname",
+        "HostsPath" : "/var/lib/docker/containers/8f177a186b977fb451136e0fdf182abff5599a08b3c7f6ef0d36a55aaf89634c/hosts",
+        "LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+        "Name" : "/test",
+        "Driver" : "aufs",
+        "ExecDriver" : "native-0.2",
+        "MountLabel" : "",
+        "ProcessLabel" : "",
+        "AppArmorProfile" : "",
+        "RestartCount" : 0,
+        "Mounts" : []
+      }
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **500** - server error
+
+### 2.4 Volumes
+
+#### List volumes
+
+`GET /volumes`
+
+**Example request**:
+
+    GET /v1.21/volumes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Volumes": [
+        {
+          "Name": "tardis",
+          "Driver": "local",
+          "Mountpoint": "/var/lib/docker/volumes/tardis"
+        }
+      ]
+    }
+
+**Query parameters**:
+
+- **filters** - JSON encoded value of the filters (a `map[string][]string`) to process on the volumes list. There is one available filter: `dangling=true`
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a volume
+
+`POST /volumes/create`
+
+Create a volume
+
+**Example request**:
+
+    POST /v1.21/volumes/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "Name": "tardis"
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+      "Name": "tardis",
+      "Driver": "local",
+      "Mountpoint": "/var/lib/docker/volumes/tardis"
+    }
+
+**Status codes**:
+
+- **201** - no error
+- **500**  - server error
+
+**JSON parameters**:
+
+- **Name** - The new volume's name. If not specified, Docker generates a name.
+- **Driver** - Name of the volume driver to use. Defaults to `local` for the name.
+- **DriverOpts** - A mapping of driver options and values. These options are
+    passed directly to the driver and are driver specific.
+
+#### Inspect a volume
+
+`GET /volumes/(name)`
+
+Return low-level information on the volume `name`
+
+**Example request**:
+
+    GET /volumes/tardis
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Name": "tardis",
+      "Driver": "local",
+      "Mountpoint": "/var/lib/docker/volumes/tardis"
+    }
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - no such volume
+-   **500** - server error
+
+#### Remove a volume
+
+`DELETE /volumes/(name)`
+
+Instruct the driver to remove the volume (`name`).
+
+**Example request**:
+
+    DELETE /v1.21/volumes/tardis HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** - no error
+-   **404** - no such volume or volume driver
+-   **409** - volume is in use and cannot be removed
+-   **500** - server error
+
+### 2.5 Networks
+
+#### List networks
+
+`GET /networks`
+
+**Example request**:
+
+    GET /v1.21/networks HTTP/1.1
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+[
+  {
+    "Name": "bridge",
+    "Id": "f2de39df4171b0dc801e8002d1d999b77256983dfc63041c0f34030aa3977566",
+    "Scope": "local",
+    "Driver": "bridge",
+    "IPAM": {
+      "Driver": "default",
+      "Config": [
+        {
+          "Subnet": "172.17.0.0/16"
+        }
+      ]
+    },
+    "Containers": {
+      "39b69226f9d79f5634485fb236a23b2fe4e96a0a94128390a7fbbcc167065867": {
+        "EndpointID": "ed2419a97c1d9954d05b46e462e7002ea552f216e9b136b80a7db8d98b442eda",
+        "MacAddress": "02:42:ac:11:00:02",
+        "IPv4Address": "172.17.0.2/16",
+        "IPv6Address": ""
+      }
+    },
+    "Options": {
+      "com.docker.network.bridge.default_bridge": "true",
+      "com.docker.network.bridge.enable_icc": "true",
+      "com.docker.network.bridge.enable_ip_masquerade": "true",
+      "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+      "com.docker.network.bridge.name": "docker0",
+      "com.docker.network.driver.mtu": "1500"
+    }
+  },
+  {
+    "Name": "none",
+    "Id": "e086a3893b05ab69242d3c44e49483a3bbbd3a26b46baa8f61ab797c1088d794",
+    "Scope": "local",
+    "Driver": "null",
+    "IPAM": {
+      "Driver": "default",
+      "Config": []
+    },
+    "Containers": {},
+    "Options": {}
+  },
+  {
+    "Name": "host",
+    "Id": "13e871235c677f196c4e1ecebb9dc733b9b2d2ab589e30c539efeda84a24215e",
+    "Scope": "local",
+    "Driver": "host",
+    "IPAM": {
+      "Driver": "default",
+      "Config": []
+    },
+    "Containers": {},
+    "Options": {}
+  }
+]
+```
+
+**Query parameters**:
+
+- **filters** - JSON encoded value of the filters (a `map[string][]string`) to process on the networks list. Available filters: `name=[network-names]` , `id=[network-ids]`
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Inspect network
+
+`GET /networks/(id or name)`
+
+Return low-level information on the network `id`
+
+**Example request**:
+
+    GET /v1.21/networks/f2de39df4171b0dc801e8002d1d999b77256983dfc63041c0f34030aa3977566 HTTP/1.1
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "Name": "bridge",
+  "Id": "f2de39df4171b0dc801e8002d1d999b77256983dfc63041c0f34030aa3977566",
+  "Scope": "local",
+  "Driver": "bridge",
+  "IPAM": {
+    "Driver": "default",
+    "Config": [
+      {
+        "Subnet": "172.17.0.0/16"
+      }
+    ]
+  },
+  "Containers": {
+    "39b69226f9d79f5634485fb236a23b2fe4e96a0a94128390a7fbbcc167065867": {
+      "EndpointID": "ed2419a97c1d9954d05b46e462e7002ea552f216e9b136b80a7db8d98b442eda",
+      "MacAddress": "02:42:ac:11:00:02",
+      "IPv4Address": "172.17.0.2/16",
+      "IPv6Address": ""
+    }
+  },
+  "Options": {
+    "com.docker.network.bridge.default_bridge": "true",
+    "com.docker.network.bridge.enable_icc": "true",
+    "com.docker.network.bridge.enable_ip_masquerade": "true",
+    "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+    "com.docker.network.bridge.name": "docker0",
+    "com.docker.network.driver.mtu": "1500"
+  }
+}
+```
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - network not found
+-   **500** - server error
+
+#### Create a network
+
+`POST /networks/create`
+
+Create a network
+
+**Example request**:
+
+```
+POST /v1.21/networks/create HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Name":"isolated_nw",
+  "CheckDuplicate":true,
+  "Driver":"bridge",
+  "IPAM":{
+    "Driver": "default",
+    "Config":[
+      {
+        "Subnet":"172.20.0.0/16",
+        "IPRange":"172.20.10.0/24",
+        "Gateway":"172.20.10.11"
+      }
+    ]
+  }
+}
+```
+
+**Example response**:
+
+```
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+  "Id": "22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30",
+  "Warning": ""
+}
+```
+
+**Status codes**:
+
+- **201** - no error
+- **404** - plugin not found
+- **500** - server error
+
+**JSON parameters**:
+
+- **Name** - The new network's name. this is a mandatory field
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`.
+    Since Network is primarily keyed based on a random ID and not on the name, 
+    and network name is strictly a user-friendly alias to the network which is uniquely identified using ID, 
+    there is no guaranteed way to check for duplicates across a cluster of docker hosts. 
+    This parameter CheckDuplicate is there to provide a best effort checking of any networks 
+    which has the same name but it is not guaranteed to catch all name collisions.
+- **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
+- **IPAM** - Optional custom IP scheme for the network
+  - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+  - **Config** - List of IPAM configuration options, specified as a map:
+      `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+- **Options** - Network specific options to be used by the drivers
+
+#### Connect a container to a network
+
+`POST /networks/(id or name)/connect`
+
+Connect a container to a network
+
+**Example request**:
+
+```
+POST /v1.21/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30/connect HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Container":"3613f73ba0e4"
+}
+```
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** - no error
+- **404** - network or container is not found
+- **500** - Internal Server Error
+
+**JSON parameters**:
+
+- **container** - container-id/name to be connected to the network
+
+#### Disconnect a container from a network
+
+`POST /networks/(id or name)/disconnect`
+
+Disconnect a container from a network
+
+**Example request**:
+
+```
+POST /v1.21/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30/disconnect HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Container":"3613f73ba0e4"
+}
+```
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** - no error
+- **404** - network or container not found
+- **500** - Internal Server Error
+
+**JSON parameters**:
+
+- **Container** - container-id/name to be disconnected from a network
+
+#### Remove a network
+
+`DELETE /networks/(id or name)`
+
+Instruct the driver to remove the network (`id`).
+
+**Example request**:
+
+    DELETE /v1.21/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** - no error
+-   **403** - operation not supported for pre-defined networks
+-   **404** - no such network
+-   **500** - server error
+
+## 3. Going further
+
+### 3.1 Inside `docker run`
+
+As an example, the `docker run` command line makes the following API calls:
+
+- Create the container
+
+- If the status code is 404, it means the image doesn't exist:
+    - Try to pull it.
+    - Then, retry to create the container.
+
+- Start the container.
+
+- If you are not in detached mode:
+- Attach to the container, using `logs=1` (to have `stdout` and
+      `stderr` from the container's start) and `stream=1`
+
+- If in detached mode or only `stdin` is attached, display the container's id.
+
+### 3.2 Hijacking
+
+In this version of the API, `/attach`, uses hijacking to transport `stdin`,
+`stdout`, and `stderr` on the same socket.
+
+To hint potential proxies about connection hijacking, Docker client sends
+connection upgrade headers similarly to websocket.
+
+    Upgrade: tcp
+    Connection: Upgrade
+
+When Docker daemon detects the `Upgrade` header, it switches its status code
+from **200 OK** to **101 UPGRADED** and resends the same headers.
+
+
+### 3.3 CORS Requests
+
+To set cross origin requests to the Engine API please give values to
+`--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
+default or blank means CORS disabled
+
+    $ dockerd -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
diff --git a/engine/docs/api/v1.22.md b/engine/docs/api/v1.22.md
new file mode 100644
index 00000000..fc19c9f0
--- /dev/null
+++ b/engine/docs/api/v1.22.md
@@ -0,0 +1,3343 @@
+---
+title: "Engine API v1.22"
+description: "API Documentation for Docker"
+keywords: "API, Docker, rcli, REST, documentation"
+redirect_from:
+- /engine/reference/api/docker_remote_api_v1.22/
+- /reference/api/docker_remote_api_v1.22/
+---
+
+<!-- This file is maintained within the moby/moby GitHub
+     repository at https://github.com/moby/moby/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+## 1. Brief introduction
+
+ - The daemon listens on `unix:///var/run/docker.sock` but you can
+   [Bind Docker to another host/port or a Unix socket](../reference/commandline/dockerd.md#bind-docker-to-another-host-port-or-a-unix-socket).
+ - The API tends to be REST. However, for some complex commands, like `attach`
+   or `pull`, the HTTP connection is hijacked to transport `stdout`,
+   `stdin` and `stderr`.
+ - A `Content-Length` header should be present in `POST` requests to endpoints
+   that expect a body.
+ - To lock to a specific version of the API, you prefix the URL with the version
+   of the API to use. For example, `/v1.18/info`. If no version is included in
+   the URL, the maximum supported API version is used.
+ - If the API version specified in the URL is not supported by the daemon, a HTTP
+   `400 Bad Request` error message is returned.
+
+## 2. Endpoints
+
+### 2.1 Containers
+
+#### List containers
+
+`GET /containers/json`
+
+List containers
+
+**Example request**:
+
+    GET /v1.22/containers/json?all=1&before=8dfafdbc3a40&size=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Id": "8dfafdbc3a40",
+                 "Names":["/boring_feynman"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 1",
+                 "Created": 1367854155,
+                 "Status": "Exit 0",
+                 "Ports": [{"PrivatePort": 2222, "PublicPort": 3333, "Type": "tcp"}],
+                 "Labels": {
+                         "com.example.vendor": "Acme",
+                         "com.example.license": "GPL",
+                         "com.example.version": "1.0"
+                 },
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "2cdc4edb1ded3631c81f57966563e5c8525b81121bb3706a9a9a3ae102711f3f",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.2",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:02"
+                                  }
+                         }
+                 }
+         },
+         {
+                 "Id": "9cd87474be90",
+                 "Names":["/coolName"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 222222",
+                 "Created": 1367854155,
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "88eaed7b37b38c2a3f0c4bc796494fdf51b270c2d22656412a2ca5d559a64d7a",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.8",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:08"
+                                  }
+                         }
+                 }
+         },
+         {
+                 "Id": "3176a2479c92",
+                 "Names":["/sleepy_dog"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 3333333333333333",
+                 "Created": 1367854154,
+                 "Status": "Exit 0",
+                 "Ports":[],
+                 "Labels": {},
+                 "SizeRw":12288,
+                 "SizeRootFs":0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "8b27c041c30326d59cd6e6f510d4f8d1d570a228466f956edf7815508f78e30d",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.6",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:06"
+                                  }
+                         }
+                 }
+         },
+         {
+                 "Id": "4cb07b47f9fb",
+                 "Names":["/running_cat"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 444444444444444444444444444444444",
+                 "Created": 1367854152,
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "d91c7b2f0644403d7ef3095985ea0e2370325cd2332ff3a3225c4247328e66e9",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.5",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:05"
+                                  }
+                         }
+                 }
+         }
+    ]
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, Show all containers.
+        Only running containers are shown by default (i.e., this defaults to false)
+-   **limit** – Show `limit` last created
+        containers, include non-running ones.
+-   **since** – Show only containers created since Id, include
+        non-running ones.
+-   **before** – Show only containers created before Id, include
+        non-running ones.
+-   **size** – 1/True/true or 0/False/false, Show the containers
+        sizes
+-   **filters** - a JSON encoded value of the filters (a `map[string][]string`) to process on the containers list. Available filters:
+  -   `exited=<int>`; -- containers with exit code of  `<int>` ;
+  -   `status=`(`created`|`restarting`|`running`|`paused`|`exited`|`dead`)
+  -   `label=key` or `label="key=value"` of a container label
+  -   `isolation=`(`default`|`process`|`hyperv`)   (Windows daemon only)
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **500** – server error
+
+#### Create a container
+
+`POST /containers/create`
+
+Create a container
+
+**Example request**:
+
+    POST /v1.22/containers/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+           "Hostname": "",
+           "Domainname": "",
+           "User": "",
+           "AttachStdin": false,
+           "AttachStdout": true,
+           "AttachStderr": true,
+           "Tty": false,
+           "OpenStdin": false,
+           "StdinOnce": false,
+           "Env": [
+                   "FOO=bar",
+                   "BAZ=quux"
+           ],
+           "Cmd": [
+                   "date"
+           ],
+           "Entrypoint": null,
+           "Image": "ubuntu",
+           "Labels": {
+                   "com.example.vendor": "Acme",
+                   "com.example.license": "GPL",
+                   "com.example.version": "1.0"
+           },
+           "Volumes": {
+             "/volumes/data": {}
+           },
+           "WorkingDir": "",
+           "NetworkDisabled": false,
+           "MacAddress": "12:34:56:78:9a:bc",
+           "ExposedPorts": {
+                   "22/tcp": {}
+           },
+           "StopSignal": "SIGTERM",
+           "HostConfig": {
+             "Binds": ["/tmp:/tmp"],
+             "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
+             "Links": ["redis3:redis"],
+             "Memory": 0,
+             "MemorySwap": 0,
+             "MemoryReservation": 0,
+             "KernelMemory": 0,
+             "CpuShares": 512,
+             "CpuPeriod": 100000,
+             "CpuQuota": 50000,
+             "CpusetCpus": "0,1",
+             "CpusetMems": "0,1",
+             "BlkioWeight": 300,
+             "BlkioWeightDevice": [{}],
+             "BlkioDeviceReadBps": [{}],
+             "BlkioDeviceReadIOps": [{}],
+             "BlkioDeviceWriteBps": [{}],
+             "BlkioDeviceWriteIOps": [{}],
+             "MemorySwappiness": 60,
+             "OomKillDisable": false,
+             "OomScoreAdj": 500,
+             "PidMode": "",
+             "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+             "PublishAllPorts": false,
+             "Privileged": false,
+             "ReadonlyRootfs": false,
+             "Dns": ["8.8.8.8"],
+             "DnsOptions": [""],
+             "DnsSearch": [""],
+             "ExtraHosts": null,
+             "VolumesFrom": ["parent", "other:ro"],
+             "CapAdd": ["NET_ADMIN"],
+             "CapDrop": ["MKNOD"],
+             "GroupAdd": ["newgroup"],
+             "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+             "NetworkMode": "bridge",
+             "Devices": [],
+             "Ulimits": [{}],
+             "LogConfig": { "Type": "json-file", "Config": {} },
+             "SecurityOpt": [],
+             "CgroupParent": "",
+             "VolumeDriver": "",
+             "ShmSize": 67108864
+          },
+          "NetworkingConfig": {
+              "EndpointsConfig": {
+                  "isolated_nw" : {
+                      "IPAMConfig": {
+                          "IPv4Address":"172.20.30.33",
+                          "IPv6Address":"2001:db8:abcd::3033"
+                      },
+                      "Links":["container_1", "container_2"],
+                      "Aliases":["server_x", "server_y"]
+                  }
+              }
+          }
+      }
+
+**Example response**:
+
+      HTTP/1.1 201 Created
+      Content-Type: application/json
+
+      {
+           "Id":"e90e34656806",
+           "Warnings":[]
+      }
+
+**JSON parameters**:
+
+-   **Hostname** - A string value containing the hostname to use for the
+      container.
+-   **Domainname** - A string value containing the domain name to use
+      for the container.
+-   **User** - A string value specifying the user inside the container.
+-   **AttachStdin** - Boolean value, attaches to `stdin`.
+-   **AttachStdout** - Boolean value, attaches to `stdout`.
+-   **AttachStderr** - Boolean value, attaches to `stderr`.
+-   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
+-   **OpenStdin** - Boolean value, opens `stdin`,
+-   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Entrypoint** - Set the entry point for the container as a string or an array
+      of strings.
+-   **Image** - A string specifying the image name to use for the container.
+-   **Volumes** - An object mapping mount point paths (strings) inside the
+      container to empty objects.
+-   **WorkingDir** - A string specifying the working directory for commands to
+      run in.
+-   **NetworkDisabled** - Boolean value, when true disables networking for the
+      container
+-   **ExposedPorts** - An object mapping ports to an empty object in the form of:
+      `"ExposedPorts": { "<port>/<tcp|udp>: {}" }`
+-   **StopSignal** - Signal to stop a container as a string or unsigned integer. `SIGTERM` by default.
+-   **HostConfig**
+    -   **Binds** – A list of volume bindings for this container. Each volume binding is a string in one of these forms:
+           + `host-src:container-dest` to bind-mount a host path into the
+             container. Both `host-src`, and `container-dest` must be an
+             _absolute_ path.
+           + `host-src:container-dest:ro` to make the bind mount read-only
+             inside the container. Both `host-src`, and `container-dest` must be
+             an _absolute_ path.
+           + `volume-name:container-dest` to bind-mount a volume managed by a
+             volume driver into the container. `container-dest` must be an
+             _absolute_ path.
+           + `volume-name:container-dest:ro` to mount the volume read-only
+             inside the container.  `container-dest` must be an _absolute_ path.
+    -   **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+          mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
+    -   **Links** - A list of links for the container. Each link entry should be
+          in the form of `container_name:alias`.
+    -   **Memory** - Memory limit in bytes.
+    -   **MemorySwap** - Total memory limit (memory + swap); set `-1` to enable unlimited swap.
+          You must use this with `memory` and make the swap value larger than `memory`.
+    -   **MemoryReservation** - Memory soft limit in bytes.
+    -   **KernelMemory** - Kernel memory limit in bytes.
+    -   **CpuShares** - An integer value containing the container's CPU Shares
+          (ie. the relative weight vs other containers).
+    -   **CpuPeriod** - The length of a CPU period in microseconds.
+    -   **CpuQuota** - Microseconds of CPU time that the container can get in a CPU period.
+    -   **CpusetCpus** - String value containing the `cgroups CpusetCpus` to use.
+    -   **CpusetMems** - Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.
+    -   **BlkioWeight** - Block IO weight (relative weight) accepts a weight value between 10 and 1000.
+    -   **BlkioWeightDevice** - Block IO weight (relative device weight) in the form of:        `"BlkioWeightDevice": [{"Path": "device_path", "Weight": weight}]`
+    -   **BlkioDeviceReadBps** - Limit read rate (bytes per second) from a device in the form of:	`"BlkioDeviceReadBps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceReadBps": [{"Path": "/dev/sda", "Rate": "1024"}]"`
+    -   **BlkioDeviceWriteBps** - Limit write rate (bytes per second) to a device in the form of:	`"BlkioDeviceWriteBps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceWriteBps": [{"Path": "/dev/sda", "Rate": "1024"}]"`
+    -   **BlkioDeviceReadIOps** - Limit read rate (IO per second) from a device in the form of:	`"BlkioDeviceReadIOps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceReadIOps": [{"Path": "/dev/sda", "Rate": "1000"}]`
+    -   **BlkioDeviceWriteIOps** - Limit write rate (IO per second) to a device in the form of:	`"BlkioDeviceWriteIOps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceWriteIOps": [{"Path": "/dev/sda", "Rate": "1000"}]`
+    -   **MemorySwappiness** - Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
+    -   **OomKillDisable** - Boolean value, whether to disable OOM Killer for the container or not.
+    -   **OomScoreAdj** - An integer value containing the score given to the container in order to tune OOM killer preferences.
+    -   **PidMode** - Set the PID (Process) Namespace mode for the container;
+          `"container:<name|id>"`: joins another container's PID namespace
+          `"host"`: use the host's PID namespace inside the container
+    -   **PortBindings** - A map of exposed container ports and the host port they
+          should map to. A JSON object in the form
+          `{ <port>/<protocol>: [{ "HostPort": "<port>" }] }`
+          Take note that `port` is specified as a string and not an integer value.
+    -   **PublishAllPorts** - Allocates an ephemeral host port for all of a container's
+          exposed ports. Specified as a boolean value.
+
+          Ports are de-allocated when the container stops and allocated when the container starts.
+          The allocated port might be changed when restarting the container.
+
+          The port is selected from the ephemeral port range that depends on the kernel.
+          For example, on Linux the range is defined by `/proc/sys/net/ipv4/ip_local_port_range`.
+    -   **Privileged** - Gives the container full access to the host. Specified as
+          a boolean value.
+    -   **ReadonlyRootfs** - Mount the container's root filesystem as read only.
+          Specified as a boolean value.
+    -   **Dns** - A list of DNS servers for the container to use.
+    -   **DnsOptions** - A list of DNS options
+    -   **DnsSearch** - A list of DNS search domains
+    -   **ExtraHosts** - A list of hostnames/IP mappings to add to the
+        container's `/etc/hosts` file. Specified in the form `["hostname:IP"]`.
+    -   **VolumesFrom** - A list of volumes to inherit from another container.
+          Specified in the form `<container name>[:<ro|rw>]`
+    -   **CapAdd** - A list of kernel capabilities to add to the container.
+    -   **Capdrop** - A list of kernel capabilities to drop from the container.
+    -   **GroupAdd** - A list of additional groups that the container process will run as
+    -   **RestartPolicy** – The behavior to apply when the container exits.  The
+            value is an object with a `Name` property of either `"always"` to
+            always restart, `"unless-stopped"` to restart always except when
+            user has manually stopped the container or `"on-failure"` to restart only when the container
+            exit code is non-zero.  If `on-failure` is used, `MaximumRetryCount`
+            controls the number of times to retry before giving up.
+            The default is not to restart. (optional)
+            An ever increasing delay (double the previous delay, starting at 100mS)
+            is added before each restart to prevent flooding the server.
+    -   **NetworkMode** - Sets the networking mode for the container. Supported
+          standard values are: `bridge`, `host`, `none`, and `container:<name|id>`. Any other value is taken
+          as a custom network's name to which this container should connect to.
+    -   **Devices** - A list of devices to add to the container specified as a JSON object in the
+      form
+          `{ "PathOnHost": "/dev/deviceName", "PathInContainer": "/dev/deviceName", "CgroupPermissions": "mrw"}`
+    -   **Ulimits** - A list of ulimits to set in the container, specified as
+          `{ "Name": <name>, "Soft": <soft limit>, "Hard": <hard limit> }`, for example:
+          `Ulimits: { "Name": "nofile", "Soft": 1024, "Hard": 2048 }`
+    -   **SecurityOpt**: A list of string values to customize labels for MLS
+        systems, such as SELinux.
+    -   **LogConfig** - Log configuration for the container, specified as a JSON object in the form
+          `{ "Type": "<driver_name>", "Config": {"key1": "val1"}}`.
+          Available types: `json-file`, `syslog`, `journald`, `gelf`, `awslogs`, `splunk`, `none`.
+          `json-file` logging driver.
+    -   **CgroupParent** - Path to `cgroups` under which the container's `cgroup` is created. If the path is not absolute, the path is considered to be relative to the `cgroups` path of the init process. Cgroups are created if they do not already exist.
+    -   **VolumeDriver** - Driver that this container users to mount volumes.
+    -   **ShmSize** - Size of `/dev/shm` in bytes. The size must be greater than 0.  If omitted the system uses 64MB.
+
+**Query parameters**:
+
+-   **name** – Assign the specified name to the container. Must
+    match `/?[a-zA-Z0-9_-]+`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **406** – impossible to attach (container not running)
+-   **409** – conflict
+-   **500** – server error
+
+#### Inspect a container
+
+`GET /containers/(id or name)/json`
+
+Return low-level information on the container `id`
+
+**Example request**:
+
+      GET /v1.22/containers/4fa6e0f0c678/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+	{
+		"AppArmorProfile": "",
+		"Args": [
+			"-c",
+			"exit 9"
+		],
+		"Config": {
+			"AttachStderr": true,
+			"AttachStdin": false,
+			"AttachStdout": true,
+			"Cmd": [
+				"/bin/sh",
+				"-c",
+				"exit 9"
+			],
+			"Domainname": "",
+			"Entrypoint": null,
+			"Env": [
+				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+			],
+			"ExposedPorts": null,
+			"Hostname": "ba033ac44011",
+			"Image": "ubuntu",
+			"Labels": {
+				"com.example.vendor": "Acme",
+				"com.example.license": "GPL",
+				"com.example.version": "1.0"
+			},
+			"MacAddress": "",
+			"NetworkDisabled": false,
+			"OnBuild": null,
+			"OpenStdin": false,
+			"StdinOnce": false,
+			"Tty": false,
+			"User": "",
+			"Volumes": {
+				"/volumes/data": {}
+			},
+			"WorkingDir": "",
+			"StopSignal": "SIGTERM"
+		},
+		"Created": "2015-01-06T15:47:31.485331387Z",
+		"Driver": "devicemapper",
+		"ExecIDs": null,
+		"HostConfig": {
+			"Binds": null,
+			"BlkioWeight": 0,
+			"BlkioWeightDevice": [{}],
+			"BlkioDeviceReadBps": [{}],
+			"BlkioDeviceWriteBps": [{}],
+			"BlkioDeviceReadIOps": [{}],
+			"BlkioDeviceWriteIOps": [{}],
+			"CapAdd": null,
+			"CapDrop": null,
+			"ContainerIDFile": "",
+			"CpusetCpus": "",
+			"CpusetMems": "",
+			"CpuShares": 0,
+			"CpuPeriod": 100000,
+			"Devices": [],
+			"Dns": null,
+			"DnsOptions": null,
+			"DnsSearch": null,
+			"ExtraHosts": null,
+			"IpcMode": "",
+			"Links": null,
+			"LxcConf": [],
+			"Memory": 0,
+			"MemorySwap": 0,
+			"MemoryReservation": 0,
+			"KernelMemory": 0,
+			"OomKillDisable": false,
+			"OomScoreAdj": 500,
+			"NetworkMode": "bridge",
+			"PidMode": "",
+			"PortBindings": {},
+			"Privileged": false,
+			"ReadonlyRootfs": false,
+			"PublishAllPorts": false,
+			"RestartPolicy": {
+				"MaximumRetryCount": 2,
+				"Name": "on-failure"
+			},
+			"LogConfig": {
+				"Config": null,
+				"Type": "json-file"
+			},
+			"SecurityOpt": null,
+			"VolumesFrom": null,
+			"Ulimits": [{}],
+			"VolumeDriver": "",
+			"ShmSize": 67108864
+		},
+		"HostnamePath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hostname",
+		"HostsPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hosts",
+		"LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+		"Id": "ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39",
+		"Image": "04c5d3b7b0656168630d3ba35d8889bd0e9caafcaeb3004d2bfbc47e7c5d35d2",
+		"MountLabel": "",
+		"Name": "/boring_euclid",
+		"NetworkSettings": {
+			"Bridge": "",
+			"SandboxID": "",
+			"HairpinMode": false,
+			"LinkLocalIPv6Address": "",
+			"LinkLocalIPv6PrefixLen": 0,
+			"Ports": null,
+			"SandboxKey": "",
+			"SecondaryIPAddresses": null,
+			"SecondaryIPv6Addresses": null,
+			"EndpointID": "",
+			"Gateway": "",
+			"GlobalIPv6Address": "",
+			"GlobalIPv6PrefixLen": 0,
+			"IPAddress": "",
+			"IPPrefixLen": 0,
+			"IPv6Gateway": "",
+			"MacAddress": "",
+			"Networks": {
+				"bridge": {
+					"NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+					"EndpointID": "7587b82f0dada3656fda26588aee72630c6fab1536d36e394b2bfbcf898c971d",
+					"Gateway": "172.17.0.1",
+					"IPAddress": "172.17.0.2",
+					"IPPrefixLen": 16,
+					"IPv6Gateway": "",
+					"GlobalIPv6Address": "",
+					"GlobalIPv6PrefixLen": 0,
+					"MacAddress": "02:42:ac:12:00:02"
+				}
+			}
+		},
+		"Path": "/bin/sh",
+		"ProcessLabel": "",
+		"ResolvConfPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/resolv.conf",
+		"RestartCount": 1,
+		"State": {
+			"Error": "",
+			"ExitCode": 9,
+			"FinishedAt": "2015-01-06T15:47:32.080254511Z",
+			"OOMKilled": false,
+			"Dead": false,
+			"Paused": false,
+			"Pid": 0,
+			"Restarting": false,
+			"Running": true,
+			"StartedAt": "2015-01-06T15:47:32.072697474Z",
+			"Status": "running"
+		},
+		"Mounts": [
+			{
+				"Name": "fac362...80535",
+				"Source": "/data",
+				"Destination": "/data",
+				"Driver": "local",
+				"Mode": "ro,Z",
+				"RW": false,
+				"Propagation": ""
+			}
+		]
+	}
+
+**Example request, with size information**:
+
+    GET /v1.22/containers/4fa6e0f0c678/json?size=1 HTTP/1.1
+
+**Example response, with size information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+    ....
+    "SizeRw": 0,
+    "SizeRootFs": 972,
+    ....
+    }
+
+**Query parameters**:
+
+-   **size** – 1/True/true or 0/False/false, return container size information. Default is `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### List processes running inside a container
+
+`GET /containers/(id or name)/top`
+
+List processes running inside the container `id`. On Unix systems this
+is done by running the `ps` command. This endpoint is not
+supported on Windows.
+
+**Example request**:
+
+    GET /v1.22/containers/4fa6e0f0c678/top HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Titles" : [
+         "UID", "PID", "PPID", "C", "STIME", "TTY", "TIME", "CMD"
+       ],
+       "Processes" : [
+         [
+           "root", "13642", "882", "0", "17:03", "pts/0", "00:00:00", "/bin/bash"
+         ],
+         [
+           "root", "13735", "13642", "0", "17:06", "pts/0", "00:00:00", "sleep 10"
+         ]
+       ]
+    }
+
+**Example request**:
+
+    GET /v1.22/containers/4fa6e0f0c678/top?ps_args=aux HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Titles" : [
+        "USER","PID","%CPU","%MEM","VSZ","RSS","TTY","STAT","START","TIME","COMMAND"
+      ]
+      "Processes" : [
+        [
+          "root","13642","0.0","0.1","18172","3184","pts/0","Ss","17:03","0:00","/bin/bash"
+        ],
+        [
+          "root","13895","0.0","0.0","4348","692","pts/0","S+","17:15","0:00","sleep 10"
+        ]
+      ],
+    }
+
+**Query parameters**:
+
+-   **ps_args** – `ps` arguments to use (e.g., `aux`), defaults to `-ef`
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container logs
+
+`GET /containers/(id or name)/logs`
+
+Get `stdout` and `stderr` logs from the container ``id``
+
+> **Note**:
+> This endpoint works only for containers with the `json-file` or `journald` logging drivers.
+
+**Example request**:
+
+     GET /v1.22/containers/4fa6e0f0c678/logs?stderr=1&stdout=1&timestamps=1&follow=1&tail=10&since=1428990821 HTTP/1.1
+
+**Example response**:
+
+     HTTP/1.1 101 UPGRADED
+     Content-Type: application/vnd.docker.raw-stream
+     Connection: Upgrade
+     Upgrade: tcp
+
+     {% raw %}
+     {{ STREAM }}
+     {% endraw %}
+
+**Query parameters**:
+
+-   **follow** – 1/True/true or 0/False/false, return stream. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, show `stdout` log. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, show `stderr` log. Default `false`.
+-   **since** – UNIX timestamp (integer) to filter logs. Specifying a timestamp
+    will only output log-entries since that timestamp. Default: 0 (unfiltered)
+-   **timestamps** – 1/True/true or 0/False/false, print timestamps for
+        every log line. Default `false`.
+-   **tail** – Output specified number of lines at the end of logs: `all` or `<number>`. Default all.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **404** – no such container
+-   **500** – server error
+
+#### Inspect changes on a container's filesystem
+
+`GET /containers/(id or name)/changes`
+
+Inspect changes on container `id`'s filesystem
+
+**Example request**:
+
+    GET /v1.22/containers/4fa6e0f0c678/changes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Path": "/dev",
+                 "Kind": 0
+         },
+         {
+                 "Path": "/dev/kmsg",
+                 "Kind": 1
+         },
+         {
+                 "Path": "/test",
+                 "Kind": 1
+         }
+    ]
+
+Values for `Kind`:
+
+- `0`: Modify
+- `1`: Add
+- `2`: Delete
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Export a container
+
+`GET /containers/(id or name)/export`
+
+Export the contents of container `id`
+
+**Example request**:
+
+    GET /v1.22/containers/4fa6e0f0c678/export HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/octet-stream
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container stats based on resource usage
+
+`GET /containers/(id or name)/stats`
+
+This endpoint returns a live stream of a container's resource usage statistics.
+
+**Example request**:
+
+    GET /v1.22/containers/redis1/stats HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Type: application/json
+
+      {
+         "read" : "2015-01-08T22:57:31.547920715Z",
+         "networks": {
+                 "eth0": {
+                     "rx_bytes": 5338,
+                     "rx_dropped": 0,
+                     "rx_errors": 0,
+                     "rx_packets": 36,
+                     "tx_bytes": 648,
+                     "tx_dropped": 0,
+                     "tx_errors": 0,
+                     "tx_packets": 8
+                 },
+                 "eth5": {
+                     "rx_bytes": 4641,
+                     "rx_dropped": 0,
+                     "rx_errors": 0,
+                     "rx_packets": 26,
+                     "tx_bytes": 690,
+                     "tx_dropped": 0,
+                     "tx_errors": 0,
+                     "tx_packets": 9
+                 }
+         },
+         "memory_stats" : {
+            "stats" : {
+               "total_pgmajfault" : 0,
+               "cache" : 0,
+               "mapped_file" : 0,
+               "total_inactive_file" : 0,
+               "pgpgout" : 414,
+               "rss" : 6537216,
+               "total_mapped_file" : 0,
+               "writeback" : 0,
+               "unevictable" : 0,
+               "pgpgin" : 477,
+               "total_unevictable" : 0,
+               "pgmajfault" : 0,
+               "total_rss" : 6537216,
+               "total_rss_huge" : 6291456,
+               "total_writeback" : 0,
+               "total_inactive_anon" : 0,
+               "rss_huge" : 6291456,
+               "hierarchical_memory_limit" : 67108864,
+               "total_pgfault" : 964,
+               "total_active_file" : 0,
+               "active_anon" : 6537216,
+               "total_active_anon" : 6537216,
+               "total_pgpgout" : 414,
+               "total_cache" : 0,
+               "inactive_anon" : 0,
+               "active_file" : 0,
+               "pgfault" : 964,
+               "inactive_file" : 0,
+               "total_pgpgin" : 477
+            },
+            "max_usage" : 6651904,
+            "usage" : 6537216,
+            "failcnt" : 0,
+            "limit" : 67108864
+         },
+         "blkio_stats" : {},
+         "cpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24472255,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100215355,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 739306590000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         },
+         "precpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24350896,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100093996,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 9492140000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         }
+      }
+
+The `precpu_stats` is the cpu statistic of *previous* read, which is used for calculating the cpu usage percent. It is not the exact copy of the `cpu_stats` field.
+
+**Query parameters**:
+
+-   **stream** – 1/True/true or 0/False/false, pull stats once then disconnect. Default `true`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Resize a container TTY
+
+`POST /containers/(id or name)/resize`
+
+Resize the TTY for container with  `id`. The unit is number of characters. You must restart the container for the resize to take effect.
+
+**Example request**:
+
+      POST /v1.22/containers/4fa6e0f0c678/resize?h=40&w=80 HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Length: 0
+      Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – No such container
+-   **500** – Cannot resize container
+
+#### Start a container
+
+`POST /containers/(id or name)/start`
+
+Start the container `id`
+
+> **Note**:
+> For backwards compatibility, this endpoint accepts a `HostConfig` as JSON-encoded request body.
+> See [create a container](#create-a-container) for details.
+
+**Example request**:
+
+    POST /v1.22/containers/e90e34656806/start HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **detachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already started
+-   **404** – no such container
+-   **500** – server error
+
+#### Stop a container
+
+`POST /containers/(id or name)/stop`
+
+Stop the container `id`
+
+**Example request**:
+
+    POST /v1.22/containers/e90e34656806/stop?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already stopped
+-   **404** – no such container
+-   **500** – server error
+
+#### Restart a container
+
+`POST /containers/(id or name)/restart`
+
+Restart the container `id`
+
+**Example request**:
+
+    POST /v1.22/containers/e90e34656806/restart?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Kill a container
+
+`POST /containers/(id or name)/kill`
+
+Kill the container `id`
+
+**Example request**:
+
+    POST /v1.22/containers/e90e34656806/kill HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **signal** - Signal to send to the container: integer or string like `SIGINT`.
+        When not set, `SIGKILL` is assumed and the call waits for the container to exit.
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Update a container
+
+`POST /containers/(id or name)/update`
+
+Update resource configs of one or more containers.
+
+**Example request**:
+
+       POST /v1.22/containers/e90e34656806/update HTTP/1.1
+       Content-Type: application/json
+
+       {
+         "BlkioWeight": 300,
+         "CpuShares": 512,
+         "CpuPeriod": 100000,
+         "CpuQuota": 50000,
+         "CpusetCpus": "0,1",
+         "CpusetMems": "0",
+         "Memory": 314572800,
+         "MemorySwap": 514288000,
+         "MemoryReservation": 209715200,
+         "KernelMemory": 52428800
+       }
+
+**Example response**:
+
+       HTTP/1.1 200 OK
+       Content-Type: application/json
+
+       {
+           "Warnings": []
+       }
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+#### Rename a container
+
+`POST /containers/(id or name)/rename`
+
+Rename the container `id` to a `new_name`
+
+**Example request**:
+
+    POST /v1.22/containers/e90e34656806/rename?name=new_name HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **name** – new name for the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **409** - conflict name already assigned
+-   **500** – server error
+
+#### Pause a container
+
+`POST /containers/(id or name)/pause`
+
+Pause the container `id`
+
+**Example request**:
+
+    POST /v1.22/containers/e90e34656806/pause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Unpause a container
+
+`POST /containers/(id or name)/unpause`
+
+Unpause the container `id`
+
+**Example request**:
+
+    POST /v1.22/containers/e90e34656806/unpause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Attach to a container
+
+`POST /containers/(id or name)/attach`
+
+Attach to the container `id`
+
+**Example request**:
+
+    POST /v1.22/containers/16253994b7c4/attach?logs=1&stream=0&stdout=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 101 UPGRADED
+    Content-Type: application/vnd.docker.raw-stream
+    Connection: Upgrade
+    Upgrade: tcp
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **detachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **400** – bad parameter
+-   **404** – no such container
+-   **409** - container is paused
+-   **500** – server error
+
+**Stream details**:
+
+When using the TTY setting is enabled in
+[`POST /containers/create`
+](#create-a-container),
+the stream is the raw data from the process PTY and client's `stdin`.
+When the TTY is disabled, then the stream is multiplexed to separate
+`stdout` and `stderr`.
+
+The format is a **Header** and a **Payload** (frame).
+
+**HEADER**
+
+The header contains the information which the stream writes (`stdout` or
+`stderr`). It also contains the size of the associated frame encoded in the
+last four bytes (`uint32`).
+
+It is encoded on the first eight bytes like this:
+
+    header := [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}
+
+`STREAM_TYPE` can be:
+
+-   0: `stdin` (is written on `stdout`)
+-   1: `stdout`
+-   2: `stderr`
+
+`SIZE1, SIZE2, SIZE3, SIZE4` are the four bytes of
+the `uint32` size encoded as big endian.
+
+**PAYLOAD**
+
+The payload is the raw stream.
+
+**IMPLEMENTATION**
+
+The simplest way to implement the Attach protocol is the following:
+
+    1.  Read eight bytes.
+    2.  Choose `stdout` or `stderr` depending on the first byte.
+    3.  Extract the frame size from the last four bytes.
+    4.  Read the extracted size and output it on the correct output.
+    5.  Goto 1.
+
+#### Attach to a container (websocket)
+
+`GET /containers/(id or name)/attach/ws`
+
+Attach to the container `id` via websocket
+
+Implements websocket protocol handshake according to [RFC 6455](http://tools.ietf.org/html/rfc6455)
+
+**Example request**
+
+    GET /v1.22/containers/e90e34656806/attach/ws?logs=0&stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
+
+**Example response**
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **detachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+#### Wait a container
+
+`POST /containers/(id or name)/wait`
+
+Block until container `id` stops, then returns the exit code
+
+**Example request**:
+
+    POST /v1.22/containers/16253994b7c4/wait HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"StatusCode": 0}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Remove a container
+
+`DELETE /containers/(id or name)`
+
+Remove the container `id` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.22/containers/16253994b7c4?v=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **v** – 1/True/true or 0/False/false, Remove the volumes
+        associated to the container. Default `false`.
+-   **force** - 1/True/true or 0/False/false, Kill then remove the container.
+        Default `false`.
+-   **link** - 1/True/true or 0/False/false, Remove the specified
+        link associated to the container. Default `false`.
+
+**Status codes**:
+
+-   **204** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **409** – conflict
+-   **500** – server error
+
+#### Copy files or folders from a container
+
+`POST /containers/(id or name)/copy`
+
+Copy files or folders of container `id`
+
+**Deprecated** in favor of the `archive` endpoint below.
+
+**Example request**:
+
+    POST /v1.22/containers/4fa6e0f0c678/copy HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Resource": "test.txt"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Retrieving information about files and folders in a container
+
+`HEAD /containers/(id or name)/archive`
+
+See the description of the `X-Docker-Container-Path-Stat` header in the
+following section.
+
+#### Get an archive of a filesystem resource in a container
+
+`GET /containers/(id or name)/archive`
+
+Get a tar archive of a resource in the filesystem of container `id`.
+
+**Query parameters**:
+
+- **path** - resource in the container's filesystem to archive. Required.
+
+    If not an absolute path, it is relative to the container's root directory.
+    The resource specified by **path** must exist. To assert that the resource
+    is expected to be a directory, **path** should end in `/` or  `/.`
+    (assuming a path separator of `/`). If **path** ends in `/.` then this
+    indicates that only the contents of the **path** directory should be
+    copied. A symlink is always resolved to its target.
+
+    > **Note**: It is not possible to copy certain system files such as resources
+    > under `/proc`, `/sys`, `/dev`, and mounts created by the user in the
+    > container.
+
+**Example request**:
+
+    GET /v1.22/containers/8cce319429b2/archive?path=/root HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+    X-Docker-Container-Path-Stat: eyJuYW1lIjoicm9vdCIsInNpemUiOjQwOTYsIm1vZGUiOjIxNDc0ODQwOTYsIm10aW1lIjoiMjAxNC0wMi0yN1QyMDo1MToyM1oiLCJsaW5rVGFyZ2V0IjoiIn0=
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+On success, a response header `X-Docker-Container-Path-Stat` will be set to a
+base64-encoded JSON object containing some filesystem header information about
+the archived resource. The above example value would decode to the following
+JSON object (whitespace added for readability):
+
+```json
+{
+    "name": "root",
+    "size": 4096,
+    "mode": 2147484096,
+    "mtime": "2014-02-27T20:51:23Z",
+    "linkTarget": ""
+}
+```
+
+A `HEAD` request can also be made to this endpoint if only this information is
+desired.
+
+**Status codes**:
+
+- **200** - success, returns archive of copied resource
+- **400** - client error, bad parameter, details in JSON response body, one of:
+    - must specify path parameter (**path** cannot be empty)
+    - not a directory (**path** was asserted to be a directory but exists as a
+      file)
+- **404** - client error, resource not found, one of:
+    – no such container (container `id` does not exist)
+    - no such file or directory (**path** does not exist)
+- **500** - server error
+
+#### Extract an archive of files or folders to a directory in a container
+
+`PUT /containers/(id or name)/archive`
+
+Upload a tar archive to be extracted to a path in the filesystem of container
+`id`.
+
+**Query parameters**:
+
+- **path** - path to a directory in the container
+    to extract the archive's contents into. Required.
+
+    If not an absolute path, it is relative to the container's root directory.
+    The **path** resource must exist.
+- **noOverwriteDirNonDir** - If "1", "true", or "True" then it will be an error
+    if unpacking the given content would cause an existing directory to be
+    replaced with a non-directory and vice versa.
+
+**Example request**:
+
+    PUT /v1.22/containers/8cce319429b2/archive?path=/vol1 HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** – the content was extracted successfully
+- **400** - client error, bad parameter, details in JSON response body, one of:
+    - must specify path parameter (**path** cannot be empty)
+    - not a directory (**path** should be a directory but exists as a file)
+    - unable to overwrite existing directory with non-directory
+      (if **noOverwriteDirNonDir**)
+    - unable to overwrite existing non-directory with directory
+      (if **noOverwriteDirNonDir**)
+- **403** - client error, permission denied, the volume
+    or container rootfs is marked as read-only.
+- **404** - client error, resource not found, one of:
+    – no such container (container `id` does not exist)
+    - no such file or directory (**path** resource does not exist)
+- **500** – server error
+
+### 2.2 Images
+
+#### List Images
+
+`GET /images/json`
+
+**Example request**:
+
+    GET /v1.22/images/json?all=0 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+         "RepoTags": [
+           "ubuntu:12.04",
+           "ubuntu:precise",
+           "ubuntu:latest"
+         ],
+         "Id": "8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
+         "Created": 1365714795,
+         "Size": 131506275,
+         "VirtualSize": 131506275,
+         "Labels": {}
+      },
+      {
+         "RepoTags": [
+           "ubuntu:12.10",
+           "ubuntu:quantal"
+         ],
+         "ParentId": "27cf784147099545",
+         "Id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
+         "Created": 1364102658,
+         "Size": 24653,
+         "VirtualSize": 180116135,
+         "Labels": {
+            "com.example.version": "v1"
+         }
+      }
+    ]
+
+**Example request, with digest information**:
+
+    GET /v1.22/images/json?digests=1 HTTP/1.1
+
+**Example response, with digest information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+        "Created": 1420064636,
+        "Id": "4986bf8c15363d1c5d15512d5266f8777bfba4974ac56e3270e7760f6f0a8125",
+        "ParentId": "ea13149945cb6b1e746bf28032f02e9b5a793523481a0a18645fc77ad53c4ea2",
+        "RepoDigests": [
+          "localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+        ],
+        "RepoTags": [
+          "localhost:5000/test/busybox:latest",
+          "playdate:latest"
+        ],
+        "Size": 0,
+        "VirtualSize": 2429728,
+        "Labels": {}
+      }
+    ]
+
+The response shows a single image `Id` associated with two repositories
+(`RepoTags`): `localhost:5000/test/busybox`: and `playdate`. A caller can use
+either of the `RepoTags` values `localhost:5000/test/busybox:latest` or
+`playdate:latest` to reference the image.
+
+You can also use `RepoDigests` values to reference an image. In this response,
+the array has only one reference and that is to the
+`localhost:5000/test/busybox` repository; the `playdate` repository has no
+digest. You can reference this digest using the value:
+`localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d...`
+
+See the `docker run` and `docker build` commands for examples of digest and tag
+references on the command line.
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, default false
+-   **filters** – a JSON encoded value of the filters (a map[string][]string) to process on the images list. Available filters:
+  -   `dangling=true`
+  -   `label=key` or `label="key=value"` of an image label
+-   **filter** - only return images with the specified name
+
+#### Build image from a Dockerfile
+
+`POST /build`
+
+Build an image from a Dockerfile
+
+**Example request**:
+
+    POST /v1.22/build HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"stream": "Step 1/5..."}
+    {"stream": "..."}
+    {"error": "Error...", "errorDetail": {"code": 123, "message": "Error..."}}
+
+The input stream must be a `tar` archive compressed with one of the
+following algorithms: `identity` (no compression), `gzip`, `bzip2`, `xz`.
+
+The archive must include a build instructions file, typically called
+`Dockerfile` at the archive's root. The `dockerfile` parameter may be
+used to specify a different build instructions file. To do this, its value must be
+the path to the alternate build instructions file to use.
+
+The archive may include any number of other files,
+which are accessible in the build context (See the [*ADD build
+command*](../reference/builder.md#add)).
+
+The Docker daemon performs a preliminary validation of the `Dockerfile` before
+starting the build, and returns an error if the syntax is incorrect. After that,
+each instruction is run one-by-one until the ID of the new image is output.
+
+The build is canceled if the client drops the connection by quitting
+or being killed.
+
+**Query parameters**:
+
+-   **dockerfile** - Path within the build context to the `Dockerfile`. This is
+        ignored if `remote` is specified and points to an external `Dockerfile`.
+-   **t** – A name and optional tag to apply to the image in the `name:tag` format.
+        If you omit the `tag` the default `latest` value is assumed.
+        You can provide one or more `t` parameters.
+-   **remote** – A Git repository URI or HTTP/HTTPS context URI. If the
+        URI points to a single text file, the file's contents are placed into
+        a file called `Dockerfile` and the image is built from that file. If
+        the URI points to a tarball, the file is downloaded by the daemon and
+        the contents therein used as the context for the build. If the URI
+        points to a tarball and the `dockerfile` parameter is also specified,
+        there must be a file with the corresponding path inside the tarball.
+-   **q** – Suppress verbose build output.
+-   **nocache** – Do not use the cache when building the image.
+-   **pull** - Attempt to pull the image even if an older image exists locally.
+-   **rm** - Remove intermediate containers after a successful build (default behavior).
+-   **forcerm** - Always remove intermediate containers (includes `rm`).
+-   **memory** - Set memory limit for build.
+-   **memswap** - Total memory (memory + swap), `-1` to enable unlimited swap.
+-   **cpushares** - CPU shares (relative weight).
+-   **cpusetcpus** - CPUs in which to allow execution (e.g., `0-3`, `0,1`).
+-   **cpuperiod** - The length of a CPU period in microseconds.
+-   **cpuquota** - Microseconds of CPU time that the container can get in a CPU period.
+-   **buildargs** – JSON map of string pairs for build-time variables. Users pass
+        these values at build-time. Docker uses the `buildargs` as the environment
+        context for command(s) run via the Dockerfile's `RUN` instruction or for
+        variable expansion in other Dockerfile instructions. This is not meant for
+        passing secret values. [Read more about the buildargs instruction](../reference/builder.md#arg)
+-   **shmsize** - Size of `/dev/shm` in bytes. The size must be greater than 0.  If omitted the system uses 64MB.
+
+**Request Headers**:
+
+-   **Content-type** – Set to `"application/x-tar"`.
+-   **X-Registry-Config** – A base64-url-safe-encoded Registry Auth Config JSON
+        object with the following structure:
+
+            {
+                "docker.example.com": {
+                    "username": "janedoe",
+                    "password": "hunter2"
+                },
+                "https://index.docker.io/v1/": {
+                    "username": "mobydock",
+                    "password": "conta1n3rize14"
+                }
+            }
+
+    This object maps the hostname of a registry to an object containing the
+    "username" and "password" for that registry. Multiple registries may
+    be specified as the build may be based on an image requiring
+    authentication to pull from any arbitrary registry. Only the registry
+    domain name (and port if not the default "443") are required. However
+    (for legacy reasons) the "official" Docker, Inc. hosted registry must
+    be specified with both a "https://" prefix and a "/v1/" suffix even
+    though Docker will prefer to use the v2 registry API.
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Create an image
+
+`POST /images/create`
+
+Create an image either by pulling it from the registry or by importing it
+
+**Example request**:
+
+    POST /v1.22/images/create?fromImage=busybox&tag=latest HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pulling..."}
+    {"status": "Pulling", "progress": "1 B/ 100 B", "progressDetail": {"current": 1, "total": 100}}
+    {"error": "Invalid..."}
+    ...
+
+When using this endpoint to pull an image from the registry, the
+`X-Registry-Auth` header can be used to include
+a base64-encoded AuthConfig object.
+
+**Query parameters**:
+
+-   **fromImage** – Name of the image to pull. The name may include a tag or
+        digest. This parameter may only be used when pulling an image.
+        The pull is cancelled if the HTTP connection is closed.
+-   **fromSrc** – Source to import.  The value may be a URL from which the image
+        can be retrieved or `-` to read the image from the request body.
+        This parameter may only be used when importing an image.
+-   **repo** – Repository name given to an image when it is imported.
+        The repo may include a tag. This parameter may only be used when importing
+        an image.
+-   **tag** – Tag or digest. If empty when pulling an image, this causes all tags
+        for the given image to be pulled.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object, containing either login information, or a token
+    - Credential based login:
+
+        ```
+    {
+            "username": "jdoe",
+            "password": "secret",
+            "email": "jdoe@acme.com"
+    }
+        ```
+
+    - Token based login:
+
+        ```
+    {
+            "registrytoken": "9cbaf023786cd7..."
+    }
+        ```
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** - repository does not exist or no read access
+-   **500** – server error
+
+
+
+#### Inspect an image
+
+`GET /images/(name)/json`
+
+Return low-level information on the image `name`
+
+**Example request**:
+
+    GET /v1.22/images/example/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Id" : "85f05633ddc1c50679be2b16a0479ab6f7637f8884e0cfe0f4d20e1ebb3d6e7c",
+       "Container" : "cb91e48a60d01f1e27028b4fc6819f4f290b3cf12496c8176ec714d0d390984a",
+       "Comment" : "",
+       "Os" : "linux",
+       "Architecture" : "amd64",
+       "Parent" : "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+       "ContainerConfig" : {
+          "Tty" : false,
+          "Hostname" : "e611e15f9c9d",
+          "Volumes" : null,
+          "Domainname" : "",
+          "AttachStdout" : false,
+          "PublishService" : "",
+          "AttachStdin" : false,
+          "OpenStdin" : false,
+          "StdinOnce" : false,
+          "NetworkDisabled" : false,
+          "OnBuild" : [],
+          "Image" : "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+          "User" : "",
+          "WorkingDir" : "",
+          "Entrypoint" : null,
+          "MacAddress" : "",
+          "AttachStderr" : false,
+          "Labels" : {
+             "com.example.license" : "GPL",
+             "com.example.version" : "1.0",
+             "com.example.vendor" : "Acme"
+          },
+          "Env" : [
+             "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ],
+          "ExposedPorts" : null,
+          "Cmd" : [
+             "/bin/sh",
+             "-c",
+             "#(nop) LABEL com.example.vendor=Acme com.example.license=GPL com.example.version=1.0"
+          ]
+       },
+       "DockerVersion" : "1.9.0-dev",
+       "VirtualSize" : 188359297,
+       "Size" : 0,
+       "Author" : "",
+       "Created" : "2015-09-10T08:30:53.26995814Z",
+       "GraphDriver" : {
+          "Name" : "aufs",
+          "Data" : null
+       },
+       "RepoDigests" : [
+          "localhost:5000/test/busybox/example@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+       ],
+       "RepoTags" : [
+          "example:1.0",
+          "example:latest",
+          "example:stable"
+       ],
+       "Config" : {
+          "Image" : "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+          "NetworkDisabled" : false,
+          "OnBuild" : [],
+          "StdinOnce" : false,
+          "PublishService" : "",
+          "AttachStdin" : false,
+          "OpenStdin" : false,
+          "Domainname" : "",
+          "AttachStdout" : false,
+          "Tty" : false,
+          "Hostname" : "e611e15f9c9d",
+          "Volumes" : null,
+          "Cmd" : [
+             "/bin/bash"
+          ],
+          "ExposedPorts" : null,
+          "Env" : [
+             "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ],
+          "Labels" : {
+             "com.example.vendor" : "Acme",
+             "com.example.version" : "1.0",
+             "com.example.license" : "GPL"
+          },
+          "Entrypoint" : null,
+          "MacAddress" : "",
+          "AttachStderr" : false,
+          "WorkingDir" : "",
+          "User" : ""
+       }
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Get the history of an image
+
+`GET /images/(name)/history`
+
+Return the history of the image `name`
+
+**Example request**:
+
+    GET /v1.22/images/ubuntu/history HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+        {
+            "Id": "3db9c44f45209632d6050b35958829c3a2aa256d81b9a7be45b362ff85c54710",
+            "Created": 1398108230,
+            "CreatedBy": "/bin/sh -c #(nop) ADD file:eb15dbd63394e063b805a3c32ca7bf0266ef64676d5a6fab4801f2e81e2a5148 in /",
+            "Tags": [
+                "ubuntu:lucid",
+                "ubuntu:10.04"
+            ],
+            "Size": 182964289,
+            "Comment": ""
+        },
+        {
+            "Id": "6cfa4d1f33fb861d4d114f43b25abd0ac737509268065cdfd69d544a59c85ab8",
+            "Created": 1398108222,
+            "CreatedBy": "/bin/sh -c #(nop) MAINTAINER Tianon Gravi <admwiggin@gmail.com> - mkimage-debootstrap.sh -i iproute,iputils-ping,ubuntu-minimal -t lucid.tar.xz lucid http://archive.ubuntu.com/ubuntu/",
+            "Tags": null,
+            "Size": 0,
+            "Comment": ""
+        },
+        {
+            "Id": "511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158",
+            "Created": 1371157430,
+            "CreatedBy": "",
+            "Tags": [
+                "scratch12:latest",
+                "scratch:latest"
+            ],
+            "Size": 0,
+            "Comment": "Imported from -"
+        }
+    ]
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Push an image on the registry
+
+`POST /images/(name)/push`
+
+Push the image `name` on the registry
+
+**Example request**:
+
+    POST /v1.22/images/test/push HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pushing..."}
+    {"status": "Pushing", "progress": "1/? (n/a)", "progressDetail": {"current": 1}}}
+    {"error": "Invalid..."}
+    ...
+
+If you wish to push an image on to a private registry, that image must already have a tag
+into a repository which references that registry `hostname` and `port`.  This repository name should
+then be used in the URL. This duplicates the command line's flow.
+
+The push is cancelled if the HTTP connection is closed.
+
+**Example request**:
+
+    POST /v1.22/images/registry.acme.com:5000/test/push HTTP/1.1
+
+
+**Query parameters**:
+
+-   **tag** – The tag to associate with the image on the registry. This is optional.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object, containing either login information, or a token
+    - Credential based login:
+
+        ```
+    {
+            "username": "jdoe",
+            "password": "secret",
+            "email": "jdoe@acme.com",
+    }
+        ```
+
+    - Token based login:
+
+        ```
+    {
+            "registrytoken": "9cbaf023786cd7..."
+    }
+        ```
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Tag an image into a repository
+
+`POST /images/(name)/tag`
+
+Tag the image `name` into a repository
+
+**Example request**:
+
+    POST /v1.22/images/test/tag?repo=myrepo&force=0&tag=v42 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+
+**Query parameters**:
+
+-   **repo** – The repository to tag in
+-   **force** – 1/True/true or 0/False/false, default false
+-   **tag** - The new tag name
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Remove an image
+
+`DELETE /images/(name)`
+
+Remove the image `name` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.22/images/test HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-type: application/json
+
+    [
+     {"Untagged": "3e2f21a89f"},
+     {"Deleted": "3e2f21a89f"},
+     {"Deleted": "53b4f83ac9"}
+    ]
+
+**Query parameters**:
+
+-   **force** – 1/True/true or 0/False/false, default false
+-   **noprune** – 1/True/true or 0/False/false, default false
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Search images
+
+`GET /images/search`
+
+Search for an image on [Docker Hub](https://hub.docker.com).
+
+> **Note**:
+> The response keys have changed from API v1.6 to reflect the JSON
+> sent by the registry server to the docker daemon's request.
+
+**Example request**:
+
+    GET /v1.22/images/search?term=sshd HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "wma55/u1210sshd",
+                "star_count": 0
+            },
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "jdswinbank/sshd",
+                "star_count": 0
+            },
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "vgauthier/sshd",
+                "star_count": 0
+            }
+    ...
+    ]
+
+**Query parameters**:
+
+-   **term** – term to search
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+### 2.3 Misc
+
+#### Check auth configuration
+
+`POST /auth`
+
+Get the default username and email
+
+**Example request**:
+
+    POST /v1.22/auth HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "username": "hannibal",
+         "password": "xxxx",
+         "email": "hannibal@a-team.com",
+         "serveraddress": "https://index.docker.io/v1/"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** – no error
+-   **204** – no error
+-   **500** – server error
+
+#### Display system-wide information
+
+`GET /info`
+
+Display system-wide information
+
+**Example request**:
+
+    GET /v1.22/info HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+        "Architecture": "x86_64",
+        "ClusterStore": "etcd://localhost:2379",
+        "Containers": 11,
+        "ContainersRunning": 7,
+        "ContainersStopped": 3,
+        "ContainersPaused": 1,
+        "CpuCfsPeriod": true,
+        "CpuCfsQuota": true,
+        "Debug": false,
+        "DockerRootDir": "/var/lib/docker",
+        "Driver": "btrfs",
+        "DriverStatus": [[""]],
+        "ExecutionDriver": "native-0.1",
+        "ExperimentalBuild": false,
+        "HttpProxy": "http://test:test@localhost:8080",
+        "HttpsProxy": "https://test:test@localhost:8080",
+        "ID": "7TRN:IPZB:QYBB:VPBQ:UMPP:KARE:6ZNR:XE6T:7EWV:PKF4:ZOJD:TPYS",
+        "IPv4Forwarding": true,
+        "Images": 16,
+        "IndexServerAddress": "https://index.docker.io/v1/",
+        "InitPath": "/usr/bin/docker",
+        "InitSha1": "",
+        "KernelVersion": "3.12.0-1-amd64",
+        "Labels": [
+            "storage=ssd"
+        ],
+        "MemTotal": 2099236864,
+        "MemoryLimit": true,
+        "NCPU": 1,
+        "NEventsListener": 0,
+        "NFd": 11,
+        "NGoroutines": 21,
+        "Name": "prod-server-42",
+        "NoProxy": "9.81.1.160",
+        "OomKillDisable": true,
+        "OSType": "linux",
+        "OperatingSystem": "Boot2Docker",
+        "Plugins": {
+            "Volume": [
+                "local"
+            ],
+            "Network": [
+                "null",
+                "host",
+                "bridge"
+            ]
+        },
+        "RegistryConfig": {
+            "IndexConfigs": {
+                "docker.io": {
+                    "Mirrors": null,
+                    "Name": "docker.io",
+                    "Official": true,
+                    "Secure": true
+                }
+            },
+            "InsecureRegistryCIDRs": [
+                "127.0.0.0/8"
+            ]
+        },
+        "ServerVersion": "1.9.0",
+        "SwapLimit": false,
+        "SystemStatus": [["State", "Healthy"]],
+        "SystemTime": "2015-03-10T11:11:23.730591467-07:00"
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Show the docker version information
+
+`GET /version`
+
+Show the docker version information
+
+**Example request**:
+
+    GET /v1.22/version HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+         "Version": "1.10.0",
+         "Os": "linux",
+         "KernelVersion": "3.19.0-23-generic",
+         "GoVersion": "go1.4.2",
+         "GitCommit": "e75da4b",
+         "Arch": "amd64",
+         "ApiVersion": "1.22",
+         "BuildTime": "2015-12-01T07:09:13.444803460+00:00",
+         "Experimental": true
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Ping the docker server
+
+`GET /_ping`
+
+Ping the docker server
+
+**Example request**:
+
+    GET /v1.22/_ping HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: text/plain
+
+    OK
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a new image from a container's changes
+
+`POST /commit`
+
+Create a new image from a container's changes
+
+**Example request**:
+
+    POST /v1.22/commit?container=44c004db4b17&comment=message&repo=myrepo HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Hostname": "",
+         "Domainname": "",
+         "User": "",
+         "AttachStdin": false,
+         "AttachStdout": true,
+         "AttachStderr": true,
+         "Tty": false,
+         "OpenStdin": false,
+         "StdinOnce": false,
+         "Env": null,
+         "Cmd": [
+                 "date"
+         ],
+         "Mounts": [
+           {
+             "Source": "/data",
+             "Destination": "/data",
+             "Mode": "ro,Z",
+             "RW": false
+           }
+         ],
+         "Labels": {
+                 "key1": "value1",
+                 "key2": "value2"
+          },
+         "WorkingDir": "",
+         "NetworkDisabled": false,
+         "ExposedPorts": {
+                 "22/tcp": {}
+         }
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {"Id": "596069db4bf5"}
+
+**JSON parameters**:
+
+-  **config** - the container's configuration
+
+**Query parameters**:
+
+-   **container** – source container
+-   **repo** – repository
+-   **tag** – tag
+-   **comment** – commit message
+-   **author** – author (e.g., "John Hannibal Smith
+    <[hannibal@a-team.com](mailto:hannibal%40a-team.com)>")
+-   **pause** – 1/True/true or 0/False/false, whether to pause the container before committing
+-   **changes** – Dockerfile instructions to apply while committing
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Monitor Docker's events
+
+`GET /events`
+
+Get container events from docker, in real time via streaming.
+
+Docker containers report the following events:
+
+    attach, commit, copy, create, destroy, die, exec_create, exec_start, export, kill, oom, pause, rename, resize, restart, start, stop, top, unpause, update
+
+Docker images report the following events:
+
+    delete, import, pull, push, tag, untag
+
+Docker volumes report the following events:
+
+    create, mount, unmount, destroy
+
+Docker networks report the following events:
+
+    create, connect, disconnect, destroy
+
+**Example request**:
+
+    GET /v1.22/events?since=1374067924
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+    Server: Docker/1.10.0 (linux)
+    Date: Fri, 29 Apr 2016 15:18:06 GMT
+    Transfer-Encoding: chunked
+
+    {
+      "status": "pull",
+      "id": "alpine:latest",
+      "Type": "image",
+      "Action": "pull",
+      "Actor": {
+        "ID": "alpine:latest",
+        "Attributes": {
+          "name": "alpine"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101301854122
+    }
+    {
+      "status": "create",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "create",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101381709551
+    }
+    {
+      "status": "attach",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "attach",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101383858412
+    }
+    {
+      "Type": "network",
+      "Action": "connect",
+      "Actor": {
+        "ID": "7dc8ac97d5d29ef6c31b6052f3938c1e8f2749abbd17d1bd1febf2608db1b474",
+        "Attributes": {
+          "container": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+          "name": "bridge",
+          "type": "bridge"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101394865557
+    }
+    {
+      "status": "start",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "start",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101607533796
+    }
+    {
+      "status": "resize",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "resize",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "height": "46",
+          "image": "alpine",
+          "name": "my-container",
+          "width": "204"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101610269268
+    }
+    {
+      "status": "die",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "die",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "exitCode": "0",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943105,
+      "timeNano": 1461943105079144137
+    }
+    {
+      "Type": "network",
+      "Action": "disconnect",
+      "Actor": {
+        "ID": "7dc8ac97d5d29ef6c31b6052f3938c1e8f2749abbd17d1bd1febf2608db1b474",
+        "Attributes": {
+          "container": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+          "name": "bridge",
+          "type": "bridge"
+        }
+      },
+      "time": 1461943105,
+      "timeNano": 1461943105230860245
+    }
+    {
+      "status": "destroy",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "destroy",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943105,
+      "timeNano": 1461943105338056026
+    }
+
+**Query parameters**:
+
+-   **since** – Timestamp. Show all events created since timestamp and then stream
+-   **until** – Timestamp. Show events created until given timestamp and stop streaming
+-   **filters** – A json encoded value of the filters (a map[string][]string) to process on the event list. Available filters:
+  -   `container=<string>`; -- container to filter
+  -   `event=<string>`; -- event to filter
+  -   `image=<string>`; -- image to filter
+  -   `label=<string>`; -- image and container label to filter
+  -   `type=<string>`; -- either `container` or `image` or `volume` or `network`
+  -   `volume=<string>`; -- volume to filter
+  -   `network=<string>`; -- network to filter
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images in a repository
+
+`GET /images/(name)/get`
+
+Get a tarball containing all images and metadata for the repository specified
+by `name`.
+
+If `name` is a specific name and tag (e.g. ubuntu:latest), then only that image
+(and its parents) are returned. If `name` is an image ID, similarly only that
+image (and its parents) are returned, but with the exclusion of the
+'repositories' file in the tarball, as there were no image names referenced.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.22/images/ubuntu/get
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images
+
+`GET /images/get`
+
+Get a tarball containing all images and metadata for one or more repositories.
+
+For each value of the `names` parameter: if it is a specific name and tag (e.g.
+`ubuntu:latest`), then only that image (and its parents) are returned; if it is
+an image ID, similarly only that image (and its parents) are returned and there
+would be no names referenced in the 'repositories' file for this image ID.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.22/images/get?names=myname%2Fmyapp%3Alatest&names=busybox
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Load a tarball with a set of images and tags into docker
+
+`POST /images/load`
+
+Load a set of images and tags into a Docker repository.
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    POST /v1.22/images/load
+    Content-Type: application/x-tar
+    Content-Length: 12345
+
+    Tarball in body
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Image tarball format
+
+An image tarball contains one directory per image layer (named using its long ID),
+each containing these files:
+
+- `VERSION`: currently `1.0` - the file format version
+- `json`: detailed layer information, similar to `docker inspect layer_id`
+- `layer.tar`: A tarfile containing the filesystem changes in this layer
+
+The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories
+for storing attribute changes and deletions.
+
+If the tarball defines a repository, the tarball should also include a `repositories` file at
+the root that contains a list of repository and tag names mapped to layer IDs.
+
+```
+{"hello-world":
+    {"latest": "565a9d68a73f6706862bfe8409a7f659776d4d60a8d096eb4a3cbce6999cc2a1"}
+}
+```
+
+#### Exec Create
+
+`POST /containers/(id or name)/exec`
+
+Sets up an exec instance in a running container `id`
+
+**Example request**:
+
+    POST /v1.22/containers/e90e34656806/exec HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "AttachStdin": true,
+      "AttachStdout": true,
+      "AttachStderr": true,
+      "Cmd": ["sh"],
+      "DetachKeys": "ctrl-p,ctrl-q",
+      "Privileged": true,
+      "Tty": true,
+      "User": "123:456"
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+         "Id": "f90e34656806",
+         "Warnings":[]
+    }
+
+**JSON parameters**:
+
+-   **AttachStdin** - Boolean value, attaches to `stdin` of the `exec` command.
+-   **AttachStdout** - Boolean value, attaches to `stdout` of the `exec` command.
+-   **AttachStderr** - Boolean value, attaches to `stderr` of the `exec` command.
+-   **DetachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Privileged** - Boolean value, runs the exec process with extended privileges.
+-   **User** - A string value specifying the user, and optionally, group to run
+        the exec process inside the container. Format is one of: `"user"`,
+        `"user:group"`, `"uid"`, or `"uid:gid"`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **409** - container is paused
+-   **500** - server error
+
+#### Exec Start
+
+`POST /exec/(id)/start`
+
+Starts a previously set up `exec` instance `id`. If `detach` is true, this API
+returns after starting the `exec` command. Otherwise, this API sets up an
+interactive session with the `exec` command.
+
+**Example request**:
+
+    POST /v1.22/exec/e90e34656806/start HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+     "Detach": false,
+     "Tty": false
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/vnd.docker.raw-stream
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**JSON parameters**:
+
+-   **Detach** - Detach from the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **409** - container is paused
+
+**Stream details**:
+
+Similar to the stream behavior of `POST /containers/(id or name)/attach` API
+
+#### Exec Resize
+
+`POST /exec/(id)/resize`
+
+Resizes the `tty` session used by the `exec` command `id`.  The unit is number of characters.
+This API is valid only if `tty` was specified as part of creating and starting the `exec` command.
+
+**Example request**:
+
+    POST /v1.22/exec/e90e34656806/resize?h=40&w=80 HTTP/1.1
+    Content-Type: text/plain
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: text/plain
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such exec instance
+
+#### Exec Inspect
+
+`GET /exec/(id)/json`
+
+Return low-level information about the `exec` command `id`.
+
+**Example request**:
+
+    GET /v1.22/exec/11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "CanRemove": false,
+      "ContainerID": "b53ee82b53a40c7dca428523e34f741f3abc51d9f297a14ff874bf761b995126",
+      "DetachKeys": "",
+      "ExitCode": 2,
+      "ID": "f33bbfb39f5b142420f4759b2348913bd4a8d1a6d7fd56499cb41a1bb91d7b3b",
+      "OpenStderr": true,
+      "OpenStdin": true,
+      "OpenStdout": true,
+      "ProcessConfig": {
+        "arguments": [
+          "-c",
+          "exit 2"
+        ],
+        "entrypoint": "sh",
+        "privileged": false,
+        "tty": true,
+        "user": "1000"
+      },
+      "Running": false
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **500** - server error
+
+### 2.4 Volumes
+
+#### List volumes
+
+`GET /volumes`
+
+**Example request**:
+
+    GET /v1.22/volumes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Volumes": [
+        {
+          "Name": "tardis",
+          "Driver": "local",
+          "Mountpoint": "/var/lib/docker/volumes/tardis"
+        }
+      ],
+      "Warnings": []
+    }
+
+**Query parameters**:
+
+- **filters** - JSON encoded value of the filters (a `map[string][]string`) to process on the volumes list. There is one available filter: `dangling=true`
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a volume
+
+`POST /volumes/create`
+
+Create a volume
+
+**Example request**:
+
+    POST /v1.22/volumes/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "Name": "tardis"
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+      "Name": "tardis",
+      "Driver": "local",
+      "Mountpoint": "/var/lib/docker/volumes/tardis"
+    }
+
+**Status codes**:
+
+- **201** - no error
+- **500**  - server error
+
+**JSON parameters**:
+
+- **Name** - The new volume's name. If not specified, Docker generates a name.
+- **Driver** - Name of the volume driver to use. Defaults to `local` for the name.
+- **DriverOpts** - A mapping of driver options and values. These options are
+    passed directly to the driver and are driver specific.
+
+#### Inspect a volume
+
+`GET /volumes/(name)`
+
+Return low-level information on the volume `name`
+
+**Example request**:
+
+    GET /volumes/tardis
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Name": "tardis",
+      "Driver": "local",
+      "Mountpoint": "/var/lib/docker/volumes/tardis"
+    }
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - no such volume
+-   **500** - server error
+
+#### Remove a volume
+
+`DELETE /volumes/(name)`
+
+Instruct the driver to remove the volume (`name`).
+
+**Example request**:
+
+    DELETE /v1.22/volumes/tardis HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** - no error
+-   **404** - no such volume or volume driver
+-   **409** - volume is in use and cannot be removed
+-   **500** - server error
+
+### 2.5 Networks
+
+#### List networks
+
+`GET /networks`
+
+**Example request**:
+
+    GET /v1.22/networks?filters={"type":{"custom":true}} HTTP/1.1
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+[
+  {
+    "Name": "bridge",
+    "Id": "f2de39df4171b0dc801e8002d1d999b77256983dfc63041c0f34030aa3977566",
+    "Scope": "local",
+    "Driver": "bridge",
+    "IPAM": {
+      "Driver": "default",
+      "Config": [
+        {
+          "Subnet": "172.17.0.0/16"
+        }
+      ]
+    },
+    "Containers": {
+      "39b69226f9d79f5634485fb236a23b2fe4e96a0a94128390a7fbbcc167065867": {
+        "EndpointID": "ed2419a97c1d9954d05b46e462e7002ea552f216e9b136b80a7db8d98b442eda",
+        "MacAddress": "02:42:ac:11:00:02",
+        "IPv4Address": "172.17.0.2/16",
+        "IPv6Address": ""
+      }
+    },
+    "Options": {
+      "com.docker.network.bridge.default_bridge": "true",
+      "com.docker.network.bridge.enable_icc": "true",
+      "com.docker.network.bridge.enable_ip_masquerade": "true",
+      "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+      "com.docker.network.bridge.name": "docker0",
+      "com.docker.network.driver.mtu": "1500"
+    }
+  },
+  {
+    "Name": "none",
+    "Id": "e086a3893b05ab69242d3c44e49483a3bbbd3a26b46baa8f61ab797c1088d794",
+    "Scope": "local",
+    "Driver": "null",
+    "IPAM": {
+      "Driver": "default",
+      "Config": []
+    },
+    "Containers": {},
+    "Options": {}
+  },
+  {
+    "Name": "host",
+    "Id": "13e871235c677f196c4e1ecebb9dc733b9b2d2ab589e30c539efeda84a24215e",
+    "Scope": "local",
+    "Driver": "host",
+    "IPAM": {
+      "Driver": "default",
+      "Config": []
+    },
+    "Containers": {},
+    "Options": {}
+  }
+]
+```
+
+**Query parameters**:
+
+- **filters** - JSON encoded network list filter. The filter value is one of:
+  -   `id=<network-id>` Matches all or part of a network id.
+  -   `name=<network-name>` Matches all or part of a network name.
+  -   `type=["custom"|"builtin"]` Filters networks by type. The `custom` keyword returns all user-defined networks.
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Inspect network
+
+`GET /networks/(id or name)`
+
+Return low-level information on the network `id`
+
+**Example request**:
+
+    GET /v1.22/networks/7d86d31b1478e7cca9ebed7e73aa0fdeec46c5ca29497431d3007d2d9e15ed99 HTTP/1.1
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "Name": "net01",
+  "Id": "7d86d31b1478e7cca9ebed7e73aa0fdeec46c5ca29497431d3007d2d9e15ed99",
+  "Scope": "local",
+  "Driver": "bridge",
+  "IPAM": {
+    "Driver": "default",
+    "Config": [
+      {
+        "Subnet": "172.19.0.0/16",
+        "Gateway": "172.19.0.1/16"
+      }
+    ],
+    "Options": {
+        "foo": "bar"
+    }
+  },
+  "Containers": {
+    "19a4d5d687db25203351ed79d478946f861258f018fe384f229f2efa4b23513c": {
+      "Name": "test",
+      "EndpointID": "628cadb8bcb92de107b2a1e516cbffe463e321f548feb37697cce00ad694f21a",
+      "MacAddress": "02:42:ac:13:00:02",
+      "IPv4Address": "172.19.0.2/16",
+      "IPv6Address": ""
+    }
+  },
+  "Options": {
+    "com.docker.network.bridge.default_bridge": "true",
+    "com.docker.network.bridge.enable_icc": "true",
+    "com.docker.network.bridge.enable_ip_masquerade": "true",
+    "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+    "com.docker.network.bridge.name": "docker0",
+    "com.docker.network.driver.mtu": "1500"
+  }
+}
+```
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - network not found
+-   **500** - server error
+
+#### Create a network
+
+`POST /networks/create`
+
+Create a network
+
+**Example request**:
+
+```
+POST /v1.22/networks/create HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Name":"isolated_nw",
+  "CheckDuplicate":true,
+  "Driver":"bridge",
+  "IPAM":{
+    "Driver": "default",
+    "Config":[
+      {
+        "Subnet":"172.20.0.0/16",
+        "IPRange":"172.20.10.0/24",
+        "Gateway":"172.20.10.11"
+      },
+      {
+        "Subnet":"2001:db8:abcd::/64",
+        "Gateway":"2001:db8:abcd::1011"
+      }
+    ],
+    "Options": {
+      "foo": "bar"
+    }
+  },
+  "Internal":true
+}
+```
+
+**Example response**:
+
+```
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+  "Id": "22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30",
+  "Warning": ""
+}
+```
+
+**Status codes**:
+
+- **201** - no error
+- **404** - plugin not found
+- **500** - server error
+
+**JSON parameters**:
+
+- **Name** - The new network's name. this is a mandatory field
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`.
+    Since Network is primarily keyed based on a random ID and not on the name, 
+    and network name is strictly a user-friendly alias to the network 
+    which is uniquely identified using ID, there is no guaranteed way to check for duplicates. 
+    This parameter CheckDuplicate is there to provide a best effort checking of any networks 
+    which has the same name but it is not guaranteed to catch all name collisions.
+- **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
+- **IPAM** - Optional custom IP scheme for the network
+  - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+  - **Config** - List of IPAM configuration options, specified as a map:
+      `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+  - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
+- **Options** - Network specific options to be used by the drivers
+
+#### Connect a container to a network
+
+`POST /networks/(id or name)/connect`
+
+Connect a container to a network
+
+**Example request**:
+
+```
+POST /v1.22/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30/connect HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Container":"3613f73ba0e4",
+  "EndpointConfig": {
+    "IPAMConfig": {
+        "IPv4Address":"172.24.56.89",
+        "IPv6Address":"2001:db8::5689"
+    }
+  }
+}
+```
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** - no error
+- **404** - network or container is not found
+- **500** - Internal Server Error
+
+**JSON parameters**:
+
+- **container** - container-id/name to be connected to the network
+
+#### Disconnect a container from a network
+
+`POST /networks/(id or name)/disconnect`
+
+Disconnect a container from a network
+
+**Example request**:
+
+```
+POST /v1.22/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30/disconnect HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Container":"3613f73ba0e4",
+  "Force":false
+}
+```
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** - no error
+- **404** - network or container not found
+- **500** - Internal Server Error
+
+**JSON parameters**:
+
+- **Container** - container-id/name to be disconnected from a network
+- **Force** - Force the container to disconnect from a network
+
+#### Remove a network
+
+`DELETE /networks/(id or name)`
+
+Instruct the driver to remove the network (`id`).
+
+**Example request**:
+
+    DELETE /v1.22/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+-   **200** - no error
+-   **403** - operation not supported for pre-defined networks
+-   **404** - no such network
+-   **500** - server error
+
+## 3. Going further
+
+### 3.1 Inside `docker run`
+
+As an example, the `docker run` command line makes the following API calls:
+
+- Create the container
+
+- If the status code is 404, it means the image doesn't exist:
+    - Try to pull it.
+    - Then, retry to create the container.
+
+- Start the container.
+
+- If you are not in detached mode:
+- Attach to the container, using `logs=1` (to have `stdout` and
+      `stderr` from the container's start) and `stream=1`
+
+- If in detached mode or only `stdin` is attached, display the container's id.
+
+### 3.2 Hijacking
+
+In this version of the API, `/attach`, uses hijacking to transport `stdin`,
+`stdout`, and `stderr` on the same socket.
+
+To hint potential proxies about connection hijacking, Docker client sends
+connection upgrade headers similarly to websocket.
+
+    Upgrade: tcp
+    Connection: Upgrade
+
+When Docker daemon detects the `Upgrade` header, it switches its status code
+from **200 OK** to **101 UPGRADED** and resends the same headers.
+
+
+### 3.3 CORS Requests
+
+To set cross origin requests to the Engine API please give values to
+`--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
+default or blank means CORS disabled
+
+    $ dockerd -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
diff --git a/engine/docs/api/v1.23.md b/engine/docs/api/v1.23.md
new file mode 100644
index 00000000..218734ae
--- /dev/null
+++ b/engine/docs/api/v1.23.md
@@ -0,0 +1,3459 @@
+---
+title: "Engine API v1.23"
+description: "API Documentation for Docker"
+keywords: "API, Docker, rcli, REST, documentation"
+redirect_from:
+- /engine/reference/api/docker_remote_api_v1.23/
+- /reference/api/docker_remote_api_v1.23/
+---
+
+<!-- This file is maintained within the moby/moby GitHub
+     repository at https://github.com/moby/moby/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+## 1. Brief introduction
+
+ - The daemon listens on `unix:///var/run/docker.sock` but you can
+   [Bind Docker to another host/port or a Unix socket](../reference/commandline/dockerd.md#bind-docker-to-another-host-port-or-a-unix-socket).
+ - The API tends to be REST. However, for some complex commands, like `attach`
+   or `pull`, the HTTP connection is hijacked to transport `stdout`,
+   `stdin` and `stderr`.
+ - A `Content-Length` header should be present in `POST` requests to endpoints
+   that expect a body.
+ - To lock to a specific version of the API, you prefix the URL with the version
+   of the API to use. For example, `/v1.18/info`. If no version is included in
+   the URL, the maximum supported API version is used.
+ - If the API version specified in the URL is not supported by the daemon, a HTTP
+   `400 Bad Request` error message is returned.
+
+## 2. Endpoints
+
+### 2.1 Containers
+
+#### List containers
+
+`GET /containers/json`
+
+List containers
+
+**Example request**:
+
+    GET /v1.23/containers/json?all=1&before=8dfafdbc3a40&size=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Id": "8dfafdbc3a40",
+                 "Names":["/boring_feynman"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 1",
+                 "Created": 1367854155,
+                 "State": "exited",
+                 "Status": "Exit 0",
+                 "Ports": [{"PrivatePort": 2222, "PublicPort": 3333, "Type": "tcp"}],
+                 "Labels": {
+                         "com.example.vendor": "Acme",
+                         "com.example.license": "GPL",
+                         "com.example.version": "1.0"
+                 },
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "2cdc4edb1ded3631c81f57966563e5c8525b81121bb3706a9a9a3ae102711f3f",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.2",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:02"
+                                  }
+                         }
+                 },
+                 "Mounts": [
+                         {
+                                  "Name": "fac362...80535",
+                                  "Source": "/data",
+                                  "Destination": "/data",
+                                  "Driver": "local",
+                                  "Mode": "ro,Z",
+                                  "RW": false,
+                                  "Propagation": ""
+                         }
+                 ]
+         },
+         {
+                 "Id": "9cd87474be90",
+                 "Names":["/coolName"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 222222",
+                 "Created": 1367854155,
+                 "State": "exited",
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "88eaed7b37b38c2a3f0c4bc796494fdf51b270c2d22656412a2ca5d559a64d7a",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.8",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:08"
+                                  }
+                         }
+                 },
+                 "Mounts": []
+         },
+         {
+                 "Id": "3176a2479c92",
+                 "Names":["/sleepy_dog"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 3333333333333333",
+                 "Created": 1367854154,
+                 "State": "exited",
+                 "Status": "Exit 0",
+                 "Ports":[],
+                 "Labels": {},
+                 "SizeRw":12288,
+                 "SizeRootFs":0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "8b27c041c30326d59cd6e6f510d4f8d1d570a228466f956edf7815508f78e30d",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.6",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:06"
+                                  }
+                         }
+                 },
+                 "Mounts": []
+         },
+         {
+                 "Id": "4cb07b47f9fb",
+                 "Names":["/running_cat"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 444444444444444444444444444444444",
+                 "Created": 1367854152,
+                 "State": "exited",
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "d91c7b2f0644403d7ef3095985ea0e2370325cd2332ff3a3225c4247328e66e9",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.5",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:05"
+                                  }
+                         }
+                 },
+                 "Mounts": []
+         }
+    ]
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, Show all containers.
+        Only running containers are shown by default (i.e., this defaults to false)
+-   **limit** – Show `limit` last created
+        containers, include non-running ones.
+-   **since** – Show only containers created since Id, include
+        non-running ones.
+-   **before** – Show only containers created before Id, include
+        non-running ones.
+-   **size** – 1/True/true or 0/False/false, Show the containers
+        sizes
+-   **filters** - a JSON encoded value of the filters (a `map[string][]string`) to process on the containers list. Available filters:
+  -   `exited=<int>`; -- containers with exit code of  `<int>` ;
+  -   `status=`(`created`|`restarting`|`running`|`paused`|`exited`|`dead`)
+  -   `label=key` or `label="key=value"` of a container label
+  -   `isolation=`(`default`|`process`|`hyperv`)   (Windows daemon only)
+  -   `ancestor`=(`<image-name>[:<tag>]`,  `<image id>` or `<image@digest>`)
+  -   `before`=(`<container id>` or `<container name>`)
+  -   `since`=(`<container id>` or `<container name>`)
+  -   `volume`=(`<volume name>` or `<mount point destination>`)
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **500** – server error
+
+#### Create a container
+
+`POST /containers/create`
+
+Create a container
+
+**Example request**:
+
+    POST /v1.23/containers/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+           "Hostname": "",
+           "Domainname": "",
+           "User": "",
+           "AttachStdin": false,
+           "AttachStdout": true,
+           "AttachStderr": true,
+           "Tty": false,
+           "OpenStdin": false,
+           "StdinOnce": false,
+           "Env": [
+                   "FOO=bar",
+                   "BAZ=quux"
+           ],
+           "Cmd": [
+                   "date"
+           ],
+           "Entrypoint": "",
+           "Image": "ubuntu",
+           "Labels": {
+                   "com.example.vendor": "Acme",
+                   "com.example.license": "GPL",
+                   "com.example.version": "1.0"
+           },
+           "Volumes": {
+             "/volumes/data": {}
+           },
+           "WorkingDir": "",
+           "NetworkDisabled": false,
+           "MacAddress": "12:34:56:78:9a:bc",
+           "ExposedPorts": {
+                   "22/tcp": {}
+           },
+           "StopSignal": "SIGTERM",
+           "HostConfig": {
+             "Binds": ["/tmp:/tmp"],
+             "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
+             "Links": ["redis3:redis"],
+             "Memory": 0,
+             "MemorySwap": 0,
+             "MemoryReservation": 0,
+             "KernelMemory": 0,
+             "CpuShares": 512,
+             "CpuPeriod": 100000,
+             "CpuQuota": 50000,
+             "CpusetCpus": "0,1",
+             "CpusetMems": "0,1",
+             "BlkioWeight": 300,
+             "BlkioWeightDevice": [{}],
+             "BlkioDeviceReadBps": [{}],
+             "BlkioDeviceReadIOps": [{}],
+             "BlkioDeviceWriteBps": [{}],
+             "BlkioDeviceWriteIOps": [{}],
+             "MemorySwappiness": 60,
+             "OomKillDisable": false,
+             "OomScoreAdj": 500,
+             "PidMode": "",
+             "PidsLimit": -1,
+             "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+             "PublishAllPorts": false,
+             "Privileged": false,
+             "ReadonlyRootfs": false,
+             "Dns": ["8.8.8.8"],
+             "DnsOptions": [""],
+             "DnsSearch": [""],
+             "ExtraHosts": null,
+             "VolumesFrom": ["parent", "other:ro"],
+             "CapAdd": ["NET_ADMIN"],
+             "CapDrop": ["MKNOD"],
+             "GroupAdd": ["newgroup"],
+             "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+             "NetworkMode": "bridge",
+             "Devices": [],
+             "Ulimits": [{}],
+             "LogConfig": { "Type": "json-file", "Config": {} },
+             "SecurityOpt": [],
+             "CgroupParent": "",
+             "VolumeDriver": "",
+             "ShmSize": 67108864
+          },
+          "NetworkingConfig": {
+              "EndpointsConfig": {
+                  "isolated_nw" : {
+                      "IPAMConfig": {
+                          "IPv4Address":"172.20.30.33",
+                          "IPv6Address":"2001:db8:abcd::3033"
+                      },
+                      "Links":["container_1", "container_2"],
+                      "Aliases":["server_x", "server_y"]
+                  }
+              }
+          }
+      }
+
+**Example response**:
+
+      HTTP/1.1 201 Created
+      Content-Type: application/json
+
+      {
+           "Id":"e90e34656806",
+           "Warnings":[]
+      }
+
+**JSON parameters**:
+
+-   **Hostname** - A string value containing the hostname to use for the
+      container.
+-   **Domainname** - A string value containing the domain name to use
+      for the container.
+-   **User** - A string value specifying the user inside the container.
+-   **AttachStdin** - Boolean value, attaches to `stdin`.
+-   **AttachStdout** - Boolean value, attaches to `stdout`.
+-   **AttachStderr** - Boolean value, attaches to `stderr`.
+-   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
+-   **OpenStdin** - Boolean value, opens `stdin`,
+-   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Entrypoint** - Set the entry point for the container as a string or an array
+      of strings.
+-   **Image** - A string specifying the image name to use for the container.
+-   **Volumes** - An object mapping mount point paths (strings) inside the
+      container to empty objects.
+-   **WorkingDir** - A string specifying the working directory for commands to
+      run in.
+-   **NetworkDisabled** - Boolean value, when true disables networking for the
+      container
+-   **ExposedPorts** - An object mapping ports to an empty object in the form of:
+      `"ExposedPorts": { "<port>/<tcp|udp>: {}" }`
+-   **StopSignal** - Signal to stop a container as a string or unsigned integer. `SIGTERM` by default.
+-   **HostConfig**
+    -   **Binds** – A list of volume bindings for this container. Each volume binding is a string in one of these forms:
+           + `host-src:container-dest` to bind-mount a host path into the
+             container. Both `host-src`, and `container-dest` must be an
+             _absolute_ path.
+           + `host-src:container-dest:ro` to make the bind mount read-only
+             inside the container. Both `host-src`, and `container-dest` must be
+             an _absolute_ path.
+           + `volume-name:container-dest` to bind-mount a volume managed by a
+             volume driver into the container. `container-dest` must be an
+             _absolute_ path.
+           + `volume-name:container-dest:ro` to mount the volume read-only
+             inside the container.  `container-dest` must be an _absolute_ path.
+    -   **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+          mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
+    -   **Links** - A list of links for the container. Each link entry should be
+          in the form of `container_name:alias`.
+    -   **Memory** - Memory limit in bytes.
+    -   **MemorySwap** - Total memory limit (memory + swap); set `-1` to enable unlimited swap.
+          You must use this with `memory` and make the swap value larger than `memory`.
+    -   **MemoryReservation** - Memory soft limit in bytes.
+    -   **KernelMemory** - Kernel memory limit in bytes.
+    -   **CpuShares** - An integer value containing the container's CPU Shares
+          (ie. the relative weight vs other containers).
+    -   **CpuPeriod** - The length of a CPU period in microseconds.
+    -   **CpuQuota** - Microseconds of CPU time that the container can get in a CPU period.
+    -   **CpusetCpus** - String value containing the `cgroups CpusetCpus` to use.
+    -   **CpusetMems** - Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.
+    -   **BlkioWeight** - Block IO weight (relative weight) accepts a weight value between 10 and 1000.
+    -   **BlkioWeightDevice** - Block IO weight (relative device weight) in the form of:        `"BlkioWeightDevice": [{"Path": "device_path", "Weight": weight}]`
+    -   **BlkioDeviceReadBps** - Limit read rate (bytes per second) from a device in the form of:	`"BlkioDeviceReadBps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceReadBps": [{"Path": "/dev/sda", "Rate": "1024"}]"`
+    -   **BlkioDeviceWriteBps** - Limit write rate (bytes per second) to a device in the form of:	`"BlkioDeviceWriteBps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceWriteBps": [{"Path": "/dev/sda", "Rate": "1024"}]"`
+    -   **BlkioDeviceReadIOps** - Limit read rate (IO per second) from a device in the form of:	`"BlkioDeviceReadIOps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceReadIOps": [{"Path": "/dev/sda", "Rate": "1000"}]`
+    -   **BlkioDeviceWriteIOps** - Limit write rate (IO per second) to a device in the form of:	`"BlkioDeviceWriteIOps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceWriteIOps": [{"Path": "/dev/sda", "Rate": "1000"}]`
+    -   **MemorySwappiness** - Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
+    -   **OomKillDisable** - Boolean value, whether to disable OOM Killer for the container or not.
+    -   **OomScoreAdj** - An integer value containing the score given to the container in order to tune OOM killer preferences.
+    -   **PidMode** - Set the PID (Process) Namespace mode for the container;
+          `"container:<name|id>"`: joins another container's PID namespace
+          `"host"`: use the host's PID namespace inside the container
+    -   **PidsLimit** - Tune a container's pids limit. Set -1 for unlimited.
+    -   **PortBindings** - A map of exposed container ports and the host port they
+          should map to. A JSON object in the form
+          `{ <port>/<protocol>: [{ "HostPort": "<port>" }] }`
+          Take note that `port` is specified as a string and not an integer value.
+    -   **PublishAllPorts** - Allocates an ephemeral host port for all of a container's
+          exposed ports. Specified as a boolean value.
+
+          Ports are de-allocated when the container stops and allocated when the container starts.
+          The allocated port might be changed when restarting the container.
+
+          The port is selected from the ephemeral port range that depends on the kernel.
+          For example, on Linux the range is defined by `/proc/sys/net/ipv4/ip_local_port_range`.
+    -   **Privileged** - Gives the container full access to the host. Specified as
+          a boolean value.
+    -   **ReadonlyRootfs** - Mount the container's root filesystem as read only.
+          Specified as a boolean value.
+    -   **Dns** - A list of DNS servers for the container to use.
+    -   **DnsOptions** - A list of DNS options
+    -   **DnsSearch** - A list of DNS search domains
+    -   **ExtraHosts** - A list of hostnames/IP mappings to add to the
+        container's `/etc/hosts` file. Specified in the form `["hostname:IP"]`.
+    -   **VolumesFrom** - A list of volumes to inherit from another container.
+          Specified in the form `<container name>[:<ro|rw>]`
+    -   **CapAdd** - A list of kernel capabilities to add to the container.
+    -   **Capdrop** - A list of kernel capabilities to drop from the container.
+    -   **GroupAdd** - A list of additional groups that the container process will run as
+    -   **RestartPolicy** – The behavior to apply when the container exits.  The
+            value is an object with a `Name` property of either `"always"` to
+            always restart, `"unless-stopped"` to restart always except when
+            user has manually stopped the container or `"on-failure"` to restart only when the container
+            exit code is non-zero.  If `on-failure` is used, `MaximumRetryCount`
+            controls the number of times to retry before giving up.
+            The default is not to restart. (optional)
+            An ever increasing delay (double the previous delay, starting at 100mS)
+            is added before each restart to prevent flooding the server.
+    -   **UsernsMode**  - Sets the usernamespace mode for the container when usernamespace remapping option is enabled.
+           supported values are: `host`.
+    -   **NetworkMode** - Sets the networking mode for the container. Supported
+          standard values are: `bridge`, `host`, `none`, and `container:<name|id>`. Any other value is taken
+          as a custom network's name to which this container should connect to.
+    -   **Devices** - A list of devices to add to the container specified as a JSON object in the
+      form
+          `{ "PathOnHost": "/dev/deviceName", "PathInContainer": "/dev/deviceName", "CgroupPermissions": "mrw"}`
+    -   **Ulimits** - A list of ulimits to set in the container, specified as
+          `{ "Name": <name>, "Soft": <soft limit>, "Hard": <hard limit> }`, for example:
+          `Ulimits: { "Name": "nofile", "Soft": 1024, "Hard": 2048 }`
+    -   **SecurityOpt**: A list of string values to customize labels for MLS
+        systems, such as SELinux.
+    -   **LogConfig** - Log configuration for the container, specified as a JSON object in the form
+          `{ "Type": "<driver_name>", "Config": {"key1": "val1"}}`.
+          Available types: `json-file`, `syslog`, `journald`, `gelf`, `fluentd`, `awslogs`, `splunk`, `etwlogs`, `none`.
+          `json-file` logging driver.
+    -   **CgroupParent** - Path to `cgroups` under which the container's `cgroup` is created. If the path is not absolute, the path is considered to be relative to the `cgroups` path of the init process. Cgroups are created if they do not already exist.
+    -   **VolumeDriver** - Driver that this container users to mount volumes.
+    -   **ShmSize** - Size of `/dev/shm` in bytes. The size must be greater than 0.  If omitted the system uses 64MB.
+
+**Query parameters**:
+
+-   **name** – Assign the specified name to the container. Must
+    match `/?[a-zA-Z0-9_-]+`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **406** – impossible to attach (container not running)
+-   **409** – conflict
+-   **500** – server error
+
+#### Inspect a container
+
+`GET /containers/(id or name)/json`
+
+Return low-level information on the container `id`
+
+**Example request**:
+
+      GET /v1.23/containers/4fa6e0f0c678/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+	{
+		"AppArmorProfile": "",
+		"Args": [
+			"-c",
+			"exit 9"
+		],
+		"Config": {
+			"AttachStderr": true,
+			"AttachStdin": false,
+			"AttachStdout": true,
+			"Cmd": [
+				"/bin/sh",
+				"-c",
+				"exit 9"
+			],
+			"Domainname": "",
+			"Entrypoint": null,
+			"Env": [
+				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+			],
+			"ExposedPorts": null,
+			"Hostname": "ba033ac44011",
+			"Image": "ubuntu",
+			"Labels": {
+				"com.example.vendor": "Acme",
+				"com.example.license": "GPL",
+				"com.example.version": "1.0"
+			},
+			"MacAddress": "",
+			"NetworkDisabled": false,
+			"OnBuild": null,
+			"OpenStdin": false,
+			"StdinOnce": false,
+			"Tty": false,
+			"User": "",
+			"Volumes": {
+				"/volumes/data": {}
+			},
+			"WorkingDir": "",
+			"StopSignal": "SIGTERM"
+		},
+		"Created": "2015-01-06T15:47:31.485331387Z",
+		"Driver": "devicemapper",
+		"ExecIDs": null,
+		"HostConfig": {
+			"Binds": null,
+			"BlkioWeight": 0,
+			"BlkioWeightDevice": [{}],
+			"BlkioDeviceReadBps": [{}],
+			"BlkioDeviceWriteBps": [{}],
+			"BlkioDeviceReadIOps": [{}],
+			"BlkioDeviceWriteIOps": [{}],
+			"CapAdd": null,
+			"CapDrop": null,
+			"ContainerIDFile": "",
+			"CpusetCpus": "",
+			"CpusetMems": "",
+			"CpuShares": 0,
+			"CpuPeriod": 100000,
+			"Devices": [],
+			"Dns": null,
+			"DnsOptions": null,
+			"DnsSearch": null,
+			"ExtraHosts": null,
+			"IpcMode": "",
+			"Links": null,
+			"LxcConf": [],
+			"Memory": 0,
+			"MemorySwap": 0,
+			"MemoryReservation": 0,
+			"KernelMemory": 0,
+			"OomKillDisable": false,
+			"OomScoreAdj": 500,
+			"NetworkMode": "bridge",
+			"PidMode": "",
+			"PortBindings": {},
+			"Privileged": false,
+			"ReadonlyRootfs": false,
+			"PublishAllPorts": false,
+			"RestartPolicy": {
+				"MaximumRetryCount": 2,
+				"Name": "on-failure"
+			},
+			"LogConfig": {
+				"Config": null,
+				"Type": "json-file"
+			},
+			"SecurityOpt": null,
+			"VolumesFrom": null,
+			"Ulimits": [{}],
+			"VolumeDriver": "",
+			"ShmSize": 67108864
+		},
+		"HostnamePath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hostname",
+		"HostsPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hosts",
+		"LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+		"Id": "ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39",
+		"Image": "04c5d3b7b0656168630d3ba35d8889bd0e9caafcaeb3004d2bfbc47e7c5d35d2",
+		"MountLabel": "",
+		"Name": "/boring_euclid",
+		"NetworkSettings": {
+			"Bridge": "",
+			"SandboxID": "",
+			"HairpinMode": false,
+			"LinkLocalIPv6Address": "",
+			"LinkLocalIPv6PrefixLen": 0,
+			"Ports": null,
+			"SandboxKey": "",
+			"SecondaryIPAddresses": null,
+			"SecondaryIPv6Addresses": null,
+			"EndpointID": "",
+			"Gateway": "",
+			"GlobalIPv6Address": "",
+			"GlobalIPv6PrefixLen": 0,
+			"IPAddress": "",
+			"IPPrefixLen": 0,
+			"IPv6Gateway": "",
+			"MacAddress": "",
+			"Networks": {
+				"bridge": {
+					"NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+					"EndpointID": "7587b82f0dada3656fda26588aee72630c6fab1536d36e394b2bfbcf898c971d",
+					"Gateway": "172.17.0.1",
+					"IPAddress": "172.17.0.2",
+					"IPPrefixLen": 16,
+					"IPv6Gateway": "",
+					"GlobalIPv6Address": "",
+					"GlobalIPv6PrefixLen": 0,
+					"MacAddress": "02:42:ac:12:00:02"
+				}
+			}
+		},
+		"Path": "/bin/sh",
+		"ProcessLabel": "",
+		"ResolvConfPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/resolv.conf",
+		"RestartCount": 1,
+		"State": {
+			"Error": "",
+			"ExitCode": 9,
+			"FinishedAt": "2015-01-06T15:47:32.080254511Z",
+			"OOMKilled": false,
+			"Dead": false,
+			"Paused": false,
+			"Pid": 0,
+			"Restarting": false,
+			"Running": true,
+			"StartedAt": "2015-01-06T15:47:32.072697474Z",
+			"Status": "running"
+		},
+		"Mounts": [
+			{
+				"Name": "fac362...80535",
+				"Source": "/data",
+				"Destination": "/data",
+				"Driver": "local",
+				"Mode": "ro,Z",
+				"RW": false,
+				"Propagation": ""
+			}
+		]
+	}
+
+**Example request, with size information**:
+
+    GET /v1.23/containers/4fa6e0f0c678/json?size=1 HTTP/1.1
+
+**Example response, with size information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+    ....
+    "SizeRw": 0,
+    "SizeRootFs": 972,
+    ....
+    }
+
+**Query parameters**:
+
+-   **size** – 1/True/true or 0/False/false, return container size information. Default is `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### List processes running inside a container
+
+`GET /containers/(id or name)/top`
+
+List processes running inside the container `id`. On Unix systems this
+is done by running the `ps` command. This endpoint is not
+supported on Windows.
+
+**Example request**:
+
+    GET /v1.23/containers/4fa6e0f0c678/top HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Titles" : [
+         "UID", "PID", "PPID", "C", "STIME", "TTY", "TIME", "CMD"
+       ],
+       "Processes" : [
+         [
+           "root", "13642", "882", "0", "17:03", "pts/0", "00:00:00", "/bin/bash"
+         ],
+         [
+           "root", "13735", "13642", "0", "17:06", "pts/0", "00:00:00", "sleep 10"
+         ]
+       ]
+    }
+
+**Example request**:
+
+    GET /v1.23/containers/4fa6e0f0c678/top?ps_args=aux HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Titles" : [
+        "USER","PID","%CPU","%MEM","VSZ","RSS","TTY","STAT","START","TIME","COMMAND"
+      ]
+      "Processes" : [
+        [
+          "root","13642","0.0","0.1","18172","3184","pts/0","Ss","17:03","0:00","/bin/bash"
+        ],
+        [
+          "root","13895","0.0","0.0","4348","692","pts/0","S+","17:15","0:00","sleep 10"
+        ]
+      ],
+    }
+
+**Query parameters**:
+
+-   **ps_args** – `ps` arguments to use (e.g., `aux`), defaults to `-ef`
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container logs
+
+`GET /containers/(id or name)/logs`
+
+Get `stdout` and `stderr` logs from the container ``id``
+
+> **Note**:
+> This endpoint works only for containers with the `json-file` or `journald` logging drivers.
+
+**Example request**:
+
+     GET /v1.23/containers/4fa6e0f0c678/logs?stderr=1&stdout=1&timestamps=1&follow=1&tail=10&since=1428990821 HTTP/1.1
+
+**Example response**:
+
+     HTTP/1.1 101 UPGRADED
+     Content-Type: application/vnd.docker.raw-stream
+     Connection: Upgrade
+     Upgrade: tcp
+
+     {% raw %}
+     {{ STREAM }}
+     {% endraw %}
+
+**Query parameters**:
+
+-   **follow** – 1/True/true or 0/False/false, return stream. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, show `stdout` log. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, show `stderr` log. Default `false`.
+-   **since** – UNIX timestamp (integer) to filter logs. Specifying a timestamp
+    will only output log-entries since that timestamp. Default: 0 (unfiltered)
+-   **timestamps** – 1/True/true or 0/False/false, print timestamps for
+        every log line. Default `false`.
+-   **tail** – Output specified number of lines at the end of logs: `all` or `<number>`. Default all.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **404** – no such container
+-   **500** – server error
+
+#### Inspect changes on a container's filesystem
+
+`GET /containers/(id or name)/changes`
+
+Inspect changes on container `id`'s filesystem
+
+**Example request**:
+
+    GET /v1.23/containers/4fa6e0f0c678/changes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Path": "/dev",
+                 "Kind": 0
+         },
+         {
+                 "Path": "/dev/kmsg",
+                 "Kind": 1
+         },
+         {
+                 "Path": "/test",
+                 "Kind": 1
+         }
+    ]
+
+Values for `Kind`:
+
+- `0`: Modify
+- `1`: Add
+- `2`: Delete
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Export a container
+
+`GET /containers/(id or name)/export`
+
+Export the contents of container `id`
+
+**Example request**:
+
+    GET /v1.23/containers/4fa6e0f0c678/export HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/octet-stream
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container stats based on resource usage
+
+`GET /containers/(id or name)/stats`
+
+This endpoint returns a live stream of a container's resource usage statistics.
+
+**Example request**:
+
+    GET /v1.23/containers/redis1/stats HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Type: application/json
+
+      {
+         "read" : "2015-01-08T22:57:31.547920715Z",
+         "pids_stats": {
+            "current": 3
+         },
+         "networks": {
+                 "eth0": {
+                     "rx_bytes": 5338,
+                     "rx_dropped": 0,
+                     "rx_errors": 0,
+                     "rx_packets": 36,
+                     "tx_bytes": 648,
+                     "tx_dropped": 0,
+                     "tx_errors": 0,
+                     "tx_packets": 8
+                 },
+                 "eth5": {
+                     "rx_bytes": 4641,
+                     "rx_dropped": 0,
+                     "rx_errors": 0,
+                     "rx_packets": 26,
+                     "tx_bytes": 690,
+                     "tx_dropped": 0,
+                     "tx_errors": 0,
+                     "tx_packets": 9
+                 }
+         },
+         "memory_stats" : {
+            "stats" : {
+               "total_pgmajfault" : 0,
+               "cache" : 0,
+               "mapped_file" : 0,
+               "total_inactive_file" : 0,
+               "pgpgout" : 414,
+               "rss" : 6537216,
+               "total_mapped_file" : 0,
+               "writeback" : 0,
+               "unevictable" : 0,
+               "pgpgin" : 477,
+               "total_unevictable" : 0,
+               "pgmajfault" : 0,
+               "total_rss" : 6537216,
+               "total_rss_huge" : 6291456,
+               "total_writeback" : 0,
+               "total_inactive_anon" : 0,
+               "rss_huge" : 6291456,
+               "hierarchical_memory_limit" : 67108864,
+               "total_pgfault" : 964,
+               "total_active_file" : 0,
+               "active_anon" : 6537216,
+               "total_active_anon" : 6537216,
+               "total_pgpgout" : 414,
+               "total_cache" : 0,
+               "inactive_anon" : 0,
+               "active_file" : 0,
+               "pgfault" : 964,
+               "inactive_file" : 0,
+               "total_pgpgin" : 477
+            },
+            "max_usage" : 6651904,
+            "usage" : 6537216,
+            "failcnt" : 0,
+            "limit" : 67108864
+         },
+         "blkio_stats" : {},
+         "cpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24472255,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100215355,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 739306590000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         },
+         "precpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24350896,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100093996,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 9492140000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         }
+      }
+
+The `precpu_stats` is the cpu statistic of *previous* read, which is used for calculating the cpu usage percent. It is not the exact copy of the `cpu_stats` field.
+
+**Query parameters**:
+
+-   **stream** – 1/True/true or 0/False/false, pull stats once then disconnect. Default `true`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Resize a container TTY
+
+`POST /containers/(id or name)/resize`
+
+Resize the TTY for container with  `id`. The unit is number of characters. You must restart the container for the resize to take effect.
+
+**Example request**:
+
+      POST /v1.23/containers/4fa6e0f0c678/resize?h=40&w=80 HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Length: 0
+      Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – No such container
+-   **500** – Cannot resize container
+
+#### Start a container
+
+`POST /containers/(id or name)/start`
+
+Start the container `id`
+
+> **Note**:
+> For backwards compatibility, this endpoint accepts a `HostConfig` as JSON-encoded request body.
+> See [create a container](#create-a-container) for details.
+
+**Example request**:
+
+    POST /v1.23/containers/e90e34656806/start HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **detachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already started
+-   **404** – no such container
+-   **500** – server error
+
+#### Stop a container
+
+`POST /containers/(id or name)/stop`
+
+Stop the container `id`
+
+**Example request**:
+
+    POST /v1.23/containers/e90e34656806/stop?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already stopped
+-   **404** – no such container
+-   **500** – server error
+
+#### Restart a container
+
+`POST /containers/(id or name)/restart`
+
+Restart the container `id`
+
+**Example request**:
+
+    POST /v1.23/containers/e90e34656806/restart?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Kill a container
+
+`POST /containers/(id or name)/kill`
+
+Kill the container `id`
+
+**Example request**:
+
+    POST /v1.23/containers/e90e34656806/kill HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **signal** - Signal to send to the container: integer or string like `SIGINT`.
+        When not set, `SIGKILL` is assumed and the call waits for the container to exit.
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Update a container
+
+`POST /containers/(id or name)/update`
+
+Update configuration of one or more containers.
+
+**Example request**:
+
+       POST /v1.23/containers/e90e34656806/update HTTP/1.1
+       Content-Type: application/json
+       Content-Length: 12345
+
+       {
+         "BlkioWeight": 300,
+         "CpuShares": 512,
+         "CpuPeriod": 100000,
+         "CpuQuota": 50000,
+         "CpusetCpus": "0,1",
+         "CpusetMems": "0",
+         "Memory": 314572800,
+         "MemorySwap": 514288000,
+         "MemoryReservation": 209715200,
+         "KernelMemory": 52428800,
+         "RestartPolicy": {
+           "MaximumRetryCount": 4,
+           "Name": "on-failure"
+         }
+       }
+
+**Example response**:
+
+       HTTP/1.1 200 OK
+       Content-Type: application/json
+
+       {
+           "Warnings": []
+       }
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+#### Rename a container
+
+`POST /containers/(id or name)/rename`
+
+Rename the container `id` to a `new_name`
+
+**Example request**:
+
+    POST /v1.23/containers/e90e34656806/rename?name=new_name HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **name** – new name for the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **409** - conflict name already assigned
+-   **500** – server error
+
+#### Pause a container
+
+`POST /containers/(id or name)/pause`
+
+Pause the container `id`
+
+**Example request**:
+
+    POST /v1.23/containers/e90e34656806/pause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Unpause a container
+
+`POST /containers/(id or name)/unpause`
+
+Unpause the container `id`
+
+**Example request**:
+
+    POST /v1.23/containers/e90e34656806/unpause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Attach to a container
+
+`POST /containers/(id or name)/attach`
+
+Attach to the container `id`
+
+**Example request**:
+
+    POST /v1.23/containers/16253994b7c4/attach?logs=1&stream=0&stdout=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 101 UPGRADED
+    Content-Type: application/vnd.docker.raw-stream
+    Connection: Upgrade
+    Upgrade: tcp
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **detachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **400** – bad parameter
+-   **404** – no such container
+-   **409** - container is paused
+-   **500** – server error
+
+**Stream details**:
+
+When using the TTY setting is enabled in
+[`POST /containers/create`
+](#create-a-container),
+the stream is the raw data from the process PTY and client's `stdin`.
+When the TTY is disabled, then the stream is multiplexed to separate
+`stdout` and `stderr`.
+
+The format is a **Header** and a **Payload** (frame).
+
+**HEADER**
+
+The header contains the information which the stream writes (`stdout` or
+`stderr`). It also contains the size of the associated frame encoded in the
+last four bytes (`uint32`).
+
+It is encoded on the first eight bytes like this:
+
+    header := [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}
+
+`STREAM_TYPE` can be:
+
+-   0: `stdin` (is written on `stdout`)
+-   1: `stdout`
+-   2: `stderr`
+
+`SIZE1, SIZE2, SIZE3, SIZE4` are the four bytes of
+the `uint32` size encoded as big endian.
+
+**PAYLOAD**
+
+The payload is the raw stream.
+
+**IMPLEMENTATION**
+
+The simplest way to implement the Attach protocol is the following:
+
+    1.  Read eight bytes.
+    2.  Choose `stdout` or `stderr` depending on the first byte.
+    3.  Extract the frame size from the last four bytes.
+    4.  Read the extracted size and output it on the correct output.
+    5.  Goto 1.
+
+#### Attach to a container (websocket)
+
+`GET /containers/(id or name)/attach/ws`
+
+Attach to the container `id` via websocket
+
+Implements websocket protocol handshake according to [RFC 6455](http://tools.ietf.org/html/rfc6455)
+
+**Example request**
+
+    GET /v1.23/containers/e90e34656806/attach/ws?logs=0&stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
+
+**Example response**
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **detachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+#### Wait a container
+
+`POST /containers/(id or name)/wait`
+
+Block until container `id` stops, then returns the exit code
+
+**Example request**:
+
+    POST /v1.23/containers/16253994b7c4/wait HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"StatusCode": 0}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Remove a container
+
+`DELETE /containers/(id or name)`
+
+Remove the container `id` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.23/containers/16253994b7c4?v=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **v** – 1/True/true or 0/False/false, Remove the volumes
+        associated to the container. Default `false`.
+-   **force** - 1/True/true or 0/False/false, Kill then remove the container.
+        Default `false`.
+-   **link** - 1/True/true or 0/False/false, Remove the specified
+        link associated to the container. Default `false`.
+
+**Status codes**:
+
+-   **204** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **409** – conflict
+-   **500** – server error
+
+#### Copy files or folders from a container
+
+`POST /containers/(id or name)/copy`
+
+Copy files or folders of container `id`
+
+**Deprecated** in favor of the `archive` endpoint below.
+
+**Example request**:
+
+    POST /v1.23/containers/4fa6e0f0c678/copy HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Resource": "test.txt"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Retrieving information about files and folders in a container
+
+`HEAD /containers/(id or name)/archive`
+
+See the description of the `X-Docker-Container-Path-Stat` header in the
+following section.
+
+#### Get an archive of a filesystem resource in a container
+
+`GET /containers/(id or name)/archive`
+
+Get a tar archive of a resource in the filesystem of container `id`.
+
+**Query parameters**:
+
+- **path** - resource in the container's filesystem to archive. Required.
+
+    If not an absolute path, it is relative to the container's root directory.
+    The resource specified by **path** must exist. To assert that the resource
+    is expected to be a directory, **path** should end in `/` or  `/.`
+    (assuming a path separator of `/`). If **path** ends in `/.` then this
+    indicates that only the contents of the **path** directory should be
+    copied. A symlink is always resolved to its target.
+
+    > **Note**: It is not possible to copy certain system files such as resources
+    > under `/proc`, `/sys`, `/dev`, and mounts created by the user in the
+    > container.
+
+**Example request**:
+
+    GET /v1.23/containers/8cce319429b2/archive?path=/root HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+    X-Docker-Container-Path-Stat: eyJuYW1lIjoicm9vdCIsInNpemUiOjQwOTYsIm1vZGUiOjIxNDc0ODQwOTYsIm10aW1lIjoiMjAxNC0wMi0yN1QyMDo1MToyM1oiLCJsaW5rVGFyZ2V0IjoiIn0=
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+On success, a response header `X-Docker-Container-Path-Stat` will be set to a
+base64-encoded JSON object containing some filesystem header information about
+the archived resource. The above example value would decode to the following
+JSON object (whitespace added for readability):
+
+```json
+{
+    "name": "root",
+    "size": 4096,
+    "mode": 2147484096,
+    "mtime": "2014-02-27T20:51:23Z",
+    "linkTarget": ""
+}
+```
+
+A `HEAD` request can also be made to this endpoint if only this information is
+desired.
+
+**Status codes**:
+
+- **200** - success, returns archive of copied resource
+- **400** - client error, bad parameter, details in JSON response body, one of:
+    - must specify path parameter (**path** cannot be empty)
+    - not a directory (**path** was asserted to be a directory but exists as a
+      file)
+- **404** - client error, resource not found, one of:
+    – no such container (container `id` does not exist)
+    - no such file or directory (**path** does not exist)
+- **500** - server error
+
+#### Extract an archive of files or folders to a directory in a container
+
+`PUT /containers/(id or name)/archive`
+
+Upload a tar archive to be extracted to a path in the filesystem of container
+`id`.
+
+**Query parameters**:
+
+- **path** - path to a directory in the container
+    to extract the archive's contents into. Required.
+
+    If not an absolute path, it is relative to the container's root directory.
+    The **path** resource must exist.
+- **noOverwriteDirNonDir** - If "1", "true", or "True" then it will be an error
+    if unpacking the given content would cause an existing directory to be
+    replaced with a non-directory and vice versa.
+
+**Example request**:
+
+    PUT /v1.23/containers/8cce319429b2/archive?path=/vol1 HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** – the content was extracted successfully
+- **400** - client error, bad parameter, details in JSON response body, one of:
+    - must specify path parameter (**path** cannot be empty)
+    - not a directory (**path** should be a directory but exists as a file)
+    - unable to overwrite existing directory with non-directory
+      (if **noOverwriteDirNonDir**)
+    - unable to overwrite existing non-directory with directory
+      (if **noOverwriteDirNonDir**)
+- **403** - client error, permission denied, the volume
+    or container rootfs is marked as read-only.
+- **404** - client error, resource not found, one of:
+    – no such container (container `id` does not exist)
+    - no such file or directory (**path** resource does not exist)
+- **500** – server error
+
+### 2.2 Images
+
+#### List Images
+
+`GET /images/json`
+
+**Example request**:
+
+    GET /v1.23/images/json?all=0 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+         "RepoTags": [
+           "ubuntu:12.04",
+           "ubuntu:precise",
+           "ubuntu:latest"
+         ],
+         "Id": "8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
+         "Created": 1365714795,
+         "Size": 131506275,
+         "VirtualSize": 131506275,
+         "Labels": {}
+      },
+      {
+         "RepoTags": [
+           "ubuntu:12.10",
+           "ubuntu:quantal"
+         ],
+         "ParentId": "27cf784147099545",
+         "Id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
+         "Created": 1364102658,
+         "Size": 24653,
+         "VirtualSize": 180116135,
+         "Labels": {
+            "com.example.version": "v1"
+         }
+      }
+    ]
+
+**Example request, with digest information**:
+
+    GET /v1.23/images/json?digests=1 HTTP/1.1
+
+**Example response, with digest information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+        "Created": 1420064636,
+        "Id": "4986bf8c15363d1c5d15512d5266f8777bfba4974ac56e3270e7760f6f0a8125",
+        "ParentId": "ea13149945cb6b1e746bf28032f02e9b5a793523481a0a18645fc77ad53c4ea2",
+        "RepoDigests": [
+          "localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+        ],
+        "RepoTags": [
+          "localhost:5000/test/busybox:latest",
+          "playdate:latest"
+        ],
+        "Size": 0,
+        "VirtualSize": 2429728,
+        "Labels": {}
+      }
+    ]
+
+The response shows a single image `Id` associated with two repositories
+(`RepoTags`): `localhost:5000/test/busybox`: and `playdate`. A caller can use
+either of the `RepoTags` values `localhost:5000/test/busybox:latest` or
+`playdate:latest` to reference the image.
+
+You can also use `RepoDigests` values to reference an image. In this response,
+the array has only one reference and that is to the
+`localhost:5000/test/busybox` repository; the `playdate` repository has no
+digest. You can reference this digest using the value:
+`localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d...`
+
+See the `docker run` and `docker build` commands for examples of digest and tag
+references on the command line.
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, default false
+-   **filters** – a JSON encoded value of the filters (a map[string][]string) to process on the images list. Available filters:
+  -   `dangling=true`
+  -   `label=key` or `label="key=value"` of an image label
+-   **filter** - only return images with the specified name
+
+#### Build image from a Dockerfile
+
+`POST /build`
+
+Build an image from a Dockerfile
+
+**Example request**:
+
+    POST /v1.23/build HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"stream": "Step 1/5..."}
+    {"stream": "..."}
+    {"error": "Error...", "errorDetail": {"code": 123, "message": "Error..."}}
+
+The input stream must be a `tar` archive compressed with one of the
+following algorithms: `identity` (no compression), `gzip`, `bzip2`, `xz`.
+
+The archive must include a build instructions file, typically called
+`Dockerfile` at the archive's root. The `dockerfile` parameter may be
+used to specify a different build instructions file. To do this, its value must be
+the path to the alternate build instructions file to use.
+
+The archive may include any number of other files,
+which are accessible in the build context (See the [*ADD build
+command*](../reference/builder.md#add)).
+
+The Docker daemon performs a preliminary validation of the `Dockerfile` before
+starting the build, and returns an error if the syntax is incorrect. After that,
+each instruction is run one-by-one until the ID of the new image is output.
+
+The build is canceled if the client drops the connection by quitting
+or being killed.
+
+**Query parameters**:
+
+-   **dockerfile** - Path within the build context to the `Dockerfile`. This is
+        ignored if `remote` is specified and points to an external `Dockerfile`.
+-   **t** – A name and optional tag to apply to the image in the `name:tag` format.
+        If you omit the `tag` the default `latest` value is assumed.
+        You can provide one or more `t` parameters.
+-   **remote** – A Git repository URI or HTTP/HTTPS context URI. If the
+        URI points to a single text file, the file's contents are placed into
+        a file called `Dockerfile` and the image is built from that file. If
+        the URI points to a tarball, the file is downloaded by the daemon and
+        the contents therein used as the context for the build. If the URI
+        points to a tarball and the `dockerfile` parameter is also specified,
+        there must be a file with the corresponding path inside the tarball.
+-   **q** – Suppress verbose build output.
+-   **nocache** – Do not use the cache when building the image.
+-   **pull** - Attempt to pull the image even if an older image exists locally.
+-   **rm** - Remove intermediate containers after a successful build (default behavior).
+-   **forcerm** - Always remove intermediate containers (includes `rm`).
+-   **memory** - Set memory limit for build.
+-   **memswap** - Total memory (memory + swap), `-1` to enable unlimited swap.
+-   **cpushares** - CPU shares (relative weight).
+-   **cpusetcpus** - CPUs in which to allow execution (e.g., `0-3`, `0,1`).
+-   **cpuperiod** - The length of a CPU period in microseconds.
+-   **cpuquota** - Microseconds of CPU time that the container can get in a CPU period.
+-   **buildargs** – JSON map of string pairs for build-time variables. Users pass
+        these values at build-time. Docker uses the `buildargs` as the environment
+        context for command(s) run via the Dockerfile's `RUN` instruction or for
+        variable expansion in other Dockerfile instructions. This is not meant for
+        passing secret values. [Read more about the buildargs instruction](../reference/builder.md#arg)
+-   **shmsize** - Size of `/dev/shm` in bytes. The size must be greater than 0.  If omitted the system uses 64MB.
+-   **labels** – JSON map of string pairs for labels to set on the image.
+
+**Request Headers**:
+
+-   **Content-type** – Set to `"application/x-tar"`.
+-   **X-Registry-Config** – A base64-url-safe-encoded Registry Auth Config JSON
+        object with the following structure:
+
+            {
+                "docker.example.com": {
+                    "username": "janedoe",
+                    "password": "hunter2"
+                },
+                "https://index.docker.io/v1/": {
+                    "username": "mobydock",
+                    "password": "conta1n3rize14"
+                }
+            }
+
+    This object maps the hostname of a registry to an object containing the
+    "username" and "password" for that registry. Multiple registries may
+    be specified as the build may be based on an image requiring
+    authentication to pull from any arbitrary registry. Only the registry
+    domain name (and port if not the default "443") are required. However
+    (for legacy reasons) the "official" Docker, Inc. hosted registry must
+    be specified with both a "https://" prefix and a "/v1/" suffix even
+    though Docker will prefer to use the v2 registry API.
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Create an image
+
+`POST /images/create`
+
+Create an image either by pulling it from the registry or by importing it
+
+**Example request**:
+
+    POST /v1.23/images/create?fromImage=busybox&tag=latest HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pulling..."}
+    {"status": "Pulling", "progress": "1 B/ 100 B", "progressDetail": {"current": 1, "total": 100}}
+    {"error": "Invalid..."}
+    ...
+
+When using this endpoint to pull an image from the registry, the
+`X-Registry-Auth` header can be used to include
+a base64-encoded AuthConfig object.
+
+**Query parameters**:
+
+-   **fromImage** – Name of the image to pull. The name may include a tag or
+        digest. This parameter may only be used when pulling an image.
+        The pull is cancelled if the HTTP connection is closed.
+-   **fromSrc** – Source to import.  The value may be a URL from which the image
+        can be retrieved or `-` to read the image from the request body.
+        This parameter may only be used when importing an image.
+-   **repo** – Repository name given to an image when it is imported.
+        The repo may include a tag. This parameter may only be used when importing
+        an image.
+-   **tag** – Tag or digest. If empty when pulling an image, this causes all tags
+        for the given image to be pulled.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object, containing either login information, or a token
+    - Credential based login:
+
+        ```
+    {
+            "username": "jdoe",
+            "password": "secret",
+            "email": "jdoe@acme.com"
+    }
+        ```
+
+    - Token based login:
+
+        ```
+    {
+            "identitytoken": "9cbaf023786cd7..."
+    }
+        ```
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** - repository does not exist or no read access
+-   **500** – server error
+
+
+
+#### Inspect an image
+
+`GET /images/(name)/json`
+
+Return low-level information on the image `name`
+
+**Example request**:
+
+    GET /v1.23/images/example/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Id" : "sha256:85f05633ddc1c50679be2b16a0479ab6f7637f8884e0cfe0f4d20e1ebb3d6e7c",
+       "Container" : "cb91e48a60d01f1e27028b4fc6819f4f290b3cf12496c8176ec714d0d390984a",
+       "Comment" : "",
+       "Os" : "linux",
+       "Architecture" : "amd64",
+       "Parent" : "sha256:91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+       "ContainerConfig" : {
+          "Tty" : false,
+          "Hostname" : "e611e15f9c9d",
+          "Volumes" : null,
+          "Domainname" : "",
+          "AttachStdout" : false,
+          "PublishService" : "",
+          "AttachStdin" : false,
+          "OpenStdin" : false,
+          "StdinOnce" : false,
+          "NetworkDisabled" : false,
+          "OnBuild" : [],
+          "Image" : "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+          "User" : "",
+          "WorkingDir" : "",
+          "Entrypoint" : null,
+          "MacAddress" : "",
+          "AttachStderr" : false,
+          "Labels" : {
+             "com.example.license" : "GPL",
+             "com.example.version" : "1.0",
+             "com.example.vendor" : "Acme"
+          },
+          "Env" : [
+             "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ],
+          "ExposedPorts" : null,
+          "Cmd" : [
+             "/bin/sh",
+             "-c",
+             "#(nop) LABEL com.example.vendor=Acme com.example.license=GPL com.example.version=1.0"
+          ]
+       },
+       "DockerVersion" : "1.9.0-dev",
+       "VirtualSize" : 188359297,
+       "Size" : 0,
+       "Author" : "",
+       "Created" : "2015-09-10T08:30:53.26995814Z",
+       "GraphDriver" : {
+          "Name" : "aufs",
+          "Data" : null
+       },
+       "RepoDigests" : [
+          "localhost:5000/test/busybox/example@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+       ],
+       "RepoTags" : [
+          "example:1.0",
+          "example:latest",
+          "example:stable"
+       ],
+       "Config" : {
+          "Image" : "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+          "NetworkDisabled" : false,
+          "OnBuild" : [],
+          "StdinOnce" : false,
+          "PublishService" : "",
+          "AttachStdin" : false,
+          "OpenStdin" : false,
+          "Domainname" : "",
+          "AttachStdout" : false,
+          "Tty" : false,
+          "Hostname" : "e611e15f9c9d",
+          "Volumes" : null,
+          "Cmd" : [
+             "/bin/bash"
+          ],
+          "ExposedPorts" : null,
+          "Env" : [
+             "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ],
+          "Labels" : {
+             "com.example.vendor" : "Acme",
+             "com.example.version" : "1.0",
+             "com.example.license" : "GPL"
+          },
+          "Entrypoint" : null,
+          "MacAddress" : "",
+          "AttachStderr" : false,
+          "WorkingDir" : "",
+          "User" : ""
+       },
+       "RootFS": {
+           "Type": "layers",
+           "Layers": [
+               "sha256:1834950e52ce4d5a88a1bbd131c537f4d0e56d10ff0dd69e66be3b7dfa9df7e6",
+               "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
+           ]
+       }
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Get the history of an image
+
+`GET /images/(name)/history`
+
+Return the history of the image `name`
+
+**Example request**:
+
+    GET /v1.23/images/ubuntu/history HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+        {
+            "Id": "3db9c44f45209632d6050b35958829c3a2aa256d81b9a7be45b362ff85c54710",
+            "Created": 1398108230,
+            "CreatedBy": "/bin/sh -c #(nop) ADD file:eb15dbd63394e063b805a3c32ca7bf0266ef64676d5a6fab4801f2e81e2a5148 in /",
+            "Tags": [
+                "ubuntu:lucid",
+                "ubuntu:10.04"
+            ],
+            "Size": 182964289,
+            "Comment": ""
+        },
+        {
+            "Id": "6cfa4d1f33fb861d4d114f43b25abd0ac737509268065cdfd69d544a59c85ab8",
+            "Created": 1398108222,
+            "CreatedBy": "/bin/sh -c #(nop) MAINTAINER Tianon Gravi <admwiggin@gmail.com> - mkimage-debootstrap.sh -i iproute,iputils-ping,ubuntu-minimal -t lucid.tar.xz lucid http://archive.ubuntu.com/ubuntu/",
+            "Tags": null,
+            "Size": 0,
+            "Comment": ""
+        },
+        {
+            "Id": "511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158",
+            "Created": 1371157430,
+            "CreatedBy": "",
+            "Tags": [
+                "scratch12:latest",
+                "scratch:latest"
+            ],
+            "Size": 0,
+            "Comment": "Imported from -"
+        }
+    ]
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Push an image on the registry
+
+`POST /images/(name)/push`
+
+Push the image `name` on the registry
+
+**Example request**:
+
+    POST /v1.23/images/test/push HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pushing..."}
+    {"status": "Pushing", "progress": "1/? (n/a)", "progressDetail": {"current": 1}}}
+    {"error": "Invalid..."}
+    ...
+
+If you wish to push an image on to a private registry, that image must already have a tag
+into a repository which references that registry `hostname` and `port`.  This repository name should
+then be used in the URL. This duplicates the command line's flow.
+
+The push is cancelled if the HTTP connection is closed.
+
+**Example request**:
+
+    POST /v1.23/images/registry.acme.com:5000/test/push HTTP/1.1
+
+
+**Query parameters**:
+
+-   **tag** – The tag to associate with the image on the registry. This is optional.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object, containing either login information, or a token
+    - Credential based login:
+
+        ```
+    {
+            "username": "jdoe",
+            "password": "secret",
+            "email": "jdoe@acme.com",
+    }
+        ```
+
+    - Identity token based login:
+
+        ```
+    {
+            "identitytoken": "9cbaf023786cd7..."
+    }
+        ```
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Tag an image into a repository
+
+`POST /images/(name)/tag`
+
+Tag the image `name` into a repository
+
+**Example request**:
+
+    POST /v1.23/images/test/tag?repo=myrepo&force=0&tag=v42 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+
+**Query parameters**:
+
+-   **repo** – The repository to tag in
+-   **force** – 1/True/true or 0/False/false, default false
+-   **tag** - The new tag name
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Remove an image
+
+`DELETE /images/(name)`
+
+Remove the image `name` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.23/images/test HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-type: application/json
+
+    [
+     {"Untagged": "3e2f21a89f"},
+     {"Deleted": "3e2f21a89f"},
+     {"Deleted": "53b4f83ac9"}
+    ]
+
+**Query parameters**:
+
+-   **force** – 1/True/true or 0/False/false, default false
+-   **noprune** – 1/True/true or 0/False/false, default false
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Search images
+
+`GET /images/search`
+
+Search for an image on [Docker Hub](https://hub.docker.com).
+
+> **Note**:
+> The response keys have changed from API v1.6 to reflect the JSON
+> sent by the registry server to the docker daemon's request.
+
+**Example request**:
+
+    GET /v1.23/images/search?term=sshd HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "wma55/u1210sshd",
+                "star_count": 0
+            },
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "jdswinbank/sshd",
+                "star_count": 0
+            },
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "vgauthier/sshd",
+                "star_count": 0
+            }
+    ...
+    ]
+
+**Query parameters**:
+
+-   **term** – term to search
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+### 2.3 Misc
+
+#### Check auth configuration
+
+`POST /auth`
+
+Validate credentials for a registry and get identity token,
+if available, for accessing the registry without password.
+
+**Example request**:
+
+    POST /v1.23/auth HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "username": "hannibal",
+         "password": "xxxx",
+         "serveraddress": "https://index.docker.io/v1/"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+    {
+         "Status": "Login Succeeded",
+         "IdentityToken": "9cbaf023786cd7..."
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **204** – no error
+-   **500** – server error
+
+#### Display system-wide information
+
+`GET /info`
+
+Display system-wide information
+
+**Example request**:
+
+    GET /v1.23/info HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+        "Architecture": "x86_64",
+        "ClusterStore": "etcd://localhost:2379",
+        "CgroupDriver": "cgroupfs",
+        "Containers": 11,
+        "ContainersRunning": 7,
+        "ContainersStopped": 3,
+        "ContainersPaused": 1,
+        "CpuCfsPeriod": true,
+        "CpuCfsQuota": true,
+        "Debug": false,
+        "DockerRootDir": "/var/lib/docker",
+        "Driver": "btrfs",
+        "DriverStatus": [[""]],
+        "ExecutionDriver": "native-0.1",
+        "ExperimentalBuild": false,
+        "HttpProxy": "http://test:test@localhost:8080",
+        "HttpsProxy": "https://test:test@localhost:8080",
+        "ID": "7TRN:IPZB:QYBB:VPBQ:UMPP:KARE:6ZNR:XE6T:7EWV:PKF4:ZOJD:TPYS",
+        "IPv4Forwarding": true,
+        "Images": 16,
+        "IndexServerAddress": "https://index.docker.io/v1/",
+        "InitPath": "/usr/bin/docker",
+        "InitSha1": "",
+        "KernelMemory": true,
+        "KernelVersion": "3.12.0-1-amd64",
+        "Labels": [
+            "storage=ssd"
+        ],
+        "MemTotal": 2099236864,
+        "MemoryLimit": true,
+        "NCPU": 1,
+        "NEventsListener": 0,
+        "NFd": 11,
+        "NGoroutines": 21,
+        "Name": "prod-server-42",
+        "NoProxy": "9.81.1.160",
+        "OomKillDisable": true,
+        "OSType": "linux",
+        "OperatingSystem": "Boot2Docker",
+        "Plugins": {
+            "Volume": [
+                "local"
+            ],
+            "Network": [
+                "null",
+                "host",
+                "bridge"
+            ]
+        },
+        "RegistryConfig": {
+            "IndexConfigs": {
+                "docker.io": {
+                    "Mirrors": null,
+                    "Name": "docker.io",
+                    "Official": true,
+                    "Secure": true
+                }
+            },
+            "InsecureRegistryCIDRs": [
+                "127.0.0.0/8"
+            ]
+        },
+        "ServerVersion": "1.9.0",
+        "SwapLimit": false,
+        "SystemStatus": [["State", "Healthy"]],
+        "SystemTime": "2015-03-10T11:11:23.730591467-07:00"
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Show the docker version information
+
+`GET /version`
+
+Show the docker version information
+
+**Example request**:
+
+    GET /v1.23/version HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+         "Version": "1.11.0",
+         "Os": "linux",
+         "KernelVersion": "3.19.0-23-generic",
+         "GoVersion": "go1.4.2",
+         "GitCommit": "e75da4b",
+         "Arch": "amd64",
+         "ApiVersion": "1.23",
+         "BuildTime": "2015-12-01T07:09:13.444803460+00:00",
+         "Experimental": true
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Ping the docker server
+
+`GET /_ping`
+
+Ping the docker server
+
+**Example request**:
+
+    GET /v1.23/_ping HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: text/plain
+
+    OK
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a new image from a container's changes
+
+`POST /commit`
+
+Create a new image from a container's changes
+
+**Example request**:
+
+    POST /v1.23/commit?container=44c004db4b17&comment=message&repo=myrepo HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Hostname": "",
+         "Domainname": "",
+         "User": "",
+         "AttachStdin": false,
+         "AttachStdout": true,
+         "AttachStderr": true,
+         "Tty": false,
+         "OpenStdin": false,
+         "StdinOnce": false,
+         "Env": null,
+         "Cmd": [
+                 "date"
+         ],
+         "Mounts": [
+           {
+             "Source": "/data",
+             "Destination": "/data",
+             "Mode": "ro,Z",
+             "RW": false
+           }
+         ],
+         "Labels": {
+                 "key1": "value1",
+                 "key2": "value2"
+          },
+         "WorkingDir": "",
+         "NetworkDisabled": false,
+         "ExposedPorts": {
+                 "22/tcp": {}
+         }
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {"Id": "596069db4bf5"}
+
+**JSON parameters**:
+
+-  **config** - the container's configuration
+
+**Query parameters**:
+
+-   **container** – source container
+-   **repo** – repository
+-   **tag** – tag
+-   **comment** – commit message
+-   **author** – author (e.g., "John Hannibal Smith
+    <[hannibal@a-team.com](mailto:hannibal%40a-team.com)>")
+-   **pause** – 1/True/true or 0/False/false, whether to pause the container before committing
+-   **changes** – Dockerfile instructions to apply while committing
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Monitor Docker's events
+
+`GET /events`
+
+Get container events from docker, in real time via streaming.
+
+Docker containers report the following events:
+
+    attach, commit, copy, create, destroy, die, exec_create, exec_start, export, kill, oom, pause, rename, resize, restart, start, stop, top, unpause, update
+
+Docker images report the following events:
+
+    delete, import, pull, push, tag, untag
+
+Docker volumes report the following events:
+
+    create, mount, unmount, destroy
+
+Docker networks report the following events:
+
+    create, connect, disconnect, destroy
+
+**Example request**:
+
+    GET /v1.23/events?since=1374067924
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+    Server: Docker/1.11.0 (linux)
+    Date: Fri, 29 Apr 2016 15:18:06 GMT
+    Transfer-Encoding: chunked
+
+    {
+      "status": "pull",
+      "id": "alpine:latest",
+      "Type": "image",
+      "Action": "pull",
+      "Actor": {
+        "ID": "alpine:latest",
+        "Attributes": {
+          "name": "alpine"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101301854122
+    }
+    {
+      "status": "create",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "create",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101381709551
+    }
+    {
+      "status": "attach",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "attach",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101383858412
+    }
+    {
+      "Type": "network",
+      "Action": "connect",
+      "Actor": {
+        "ID": "7dc8ac97d5d29ef6c31b6052f3938c1e8f2749abbd17d1bd1febf2608db1b474",
+        "Attributes": {
+          "container": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+          "name": "bridge",
+          "type": "bridge"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101394865557
+    }
+    {
+      "status": "start",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "start",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101607533796
+    }
+    {
+      "status": "resize",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "resize",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "height": "46",
+          "image": "alpine",
+          "name": "my-container",
+          "width": "204"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101610269268
+    }
+    {
+      "status": "die",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "die",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "exitCode": "0",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943105,
+      "timeNano": 1461943105079144137
+    }
+    {
+      "Type": "network",
+      "Action": "disconnect",
+      "Actor": {
+        "ID": "7dc8ac97d5d29ef6c31b6052f3938c1e8f2749abbd17d1bd1febf2608db1b474",
+        "Attributes": {
+          "container": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+          "name": "bridge",
+          "type": "bridge"
+        }
+      },
+      "time": 1461943105,
+      "timeNano": 1461943105230860245
+    }
+    {
+      "status": "destroy",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "destroy",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943105,
+      "timeNano": 1461943105338056026
+    }
+
+**Query parameters**:
+
+-   **since** – Timestamp. Show all events created since timestamp and then stream
+-   **until** – Timestamp. Show events created until given timestamp and stop streaming
+-   **filters** – A json encoded value of the filters (a map[string][]string) to process on the event list. Available filters:
+  -   `container=<string>`; -- container to filter
+  -   `event=<string>`; -- event to filter
+  -   `image=<string>`; -- image to filter
+  -   `label=<string>`; -- image and container label to filter
+  -   `type=<string>`; -- either `container` or `image` or `volume` or `network`
+  -   `volume=<string>`; -- volume to filter
+  -   `network=<string>`; -- network to filter
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images in a repository
+
+`GET /images/(name)/get`
+
+Get a tarball containing all images and metadata for the repository specified
+by `name`.
+
+If `name` is a specific name and tag (e.g. ubuntu:latest), then only that image
+(and its parents) are returned. If `name` is an image ID, similarly only that
+image (and its parents) are returned, but with the exclusion of the
+'repositories' file in the tarball, as there were no image names referenced.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.23/images/ubuntu/get
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images
+
+`GET /images/get`
+
+Get a tarball containing all images and metadata for one or more repositories.
+
+For each value of the `names` parameter: if it is a specific name and tag (e.g.
+`ubuntu:latest`), then only that image (and its parents) are returned; if it is
+an image ID, similarly only that image (and its parents) are returned and there
+would be no names referenced in the 'repositories' file for this image ID.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.23/images/get?names=myname%2Fmyapp%3Alatest&names=busybox
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Load a tarball with a set of images and tags into docker
+
+`POST /images/load`
+
+Load a set of images and tags into a Docker repository.
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    POST /v1.23/images/load
+    Content-Type: application/x-tar
+    Content-Length: 12345
+
+    Tarball in body
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+    Transfer-Encoding: chunked
+
+    {"status":"Loading layer","progressDetail":{"current":32768,"total":1292800},"progress":"[=                                                 ] 32.77 kB/1.293 MB","id":"8ac8bfaff55a"}
+    {"status":"Loading layer","progressDetail":{"current":65536,"total":1292800},"progress":"[==                                                ] 65.54 kB/1.293 MB","id":"8ac8bfaff55a"}
+    {"status":"Loading layer","progressDetail":{"current":98304,"total":1292800},"progress":"[===                                               ]  98.3 kB/1.293 MB","id":"8ac8bfaff55a"}
+    {"status":"Loading layer","progressDetail":{"current":131072,"total":1292800},"progress":"[=====                                             ] 131.1 kB/1.293 MB","id":"8ac8bfaff55a"}
+    ...
+    {"stream":"Loaded image: busybox:latest\n"}
+
+**Example response**:
+
+If the "quiet" query parameter is set to `true` / `1` (`?quiet=1`), progress
+details are suppressed, and only a confirmation message is returned once the
+action completes.
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+    Transfer-Encoding: chunked
+
+    {"stream":"Loaded image: busybox:latest\n"}
+
+**Query parameters**:
+
+-   **quiet** – Boolean value, suppress progress details during load. Defaults
+      to `0` / `false` if omitted.
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Image tarball format
+
+An image tarball contains one directory per image layer (named using its long ID),
+each containing these files:
+
+- `VERSION`: currently `1.0` - the file format version
+- `json`: detailed layer information, similar to `docker inspect layer_id`
+- `layer.tar`: A tarfile containing the filesystem changes in this layer
+
+The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories
+for storing attribute changes and deletions.
+
+If the tarball defines a repository, the tarball should also include a `repositories` file at
+the root that contains a list of repository and tag names mapped to layer IDs.
+
+```
+{"hello-world":
+    {"latest": "565a9d68a73f6706862bfe8409a7f659776d4d60a8d096eb4a3cbce6999cc2a1"}
+}
+```
+
+#### Exec Create
+
+`POST /containers/(id or name)/exec`
+
+Sets up an exec instance in a running container `id`
+
+**Example request**:
+
+    POST /v1.23/containers/e90e34656806/exec HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "AttachStdin": true,
+      "AttachStdout": true,
+      "AttachStderr": true,
+      "Cmd": ["sh"],
+      "DetachKeys": "ctrl-p,ctrl-q",
+      "Privileged": true,
+      "Tty": true,
+      "User": "123:456"
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+         "Id": "f90e34656806",
+         "Warnings":[]
+    }
+
+**JSON parameters**:
+
+-   **AttachStdin** - Boolean value, attaches to `stdin` of the `exec` command.
+-   **AttachStdout** - Boolean value, attaches to `stdout` of the `exec` command.
+-   **AttachStderr** - Boolean value, attaches to `stderr` of the `exec` command.
+-   **DetachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Privileged** - Boolean value, runs the exec process with extended privileges.
+-   **User** - A string value specifying the user, and optionally, group to run
+        the exec process inside the container. Format is one of: `"user"`,
+        `"user:group"`, `"uid"`, or `"uid:gid"`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **409** - container is paused
+-   **500** - server error
+
+#### Exec Start
+
+`POST /exec/(id)/start`
+
+Starts a previously set up `exec` instance `id`. If `detach` is true, this API
+returns after starting the `exec` command. Otherwise, this API sets up an
+interactive session with the `exec` command.
+
+**Example request**:
+
+    POST /v1.23/exec/e90e34656806/start HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+     "Detach": false,
+     "Tty": false
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/vnd.docker.raw-stream
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**JSON parameters**:
+
+-   **Detach** - Detach from the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **409** - container is paused
+
+**Stream details**:
+
+Similar to the stream behavior of `POST /containers/(id or name)/attach` API
+
+#### Exec Resize
+
+`POST /exec/(id)/resize`
+
+Resizes the `tty` session used by the `exec` command `id`.  The unit is number of characters.
+This API is valid only if `tty` was specified as part of creating and starting the `exec` command.
+
+**Example request**:
+
+    POST /v1.23/exec/e90e34656806/resize?h=40&w=80 HTTP/1.1
+    Content-Type: text/plain
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: text/plain
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such exec instance
+
+#### Exec Inspect
+
+`GET /exec/(id)/json`
+
+Return low-level information about the `exec` command `id`.
+
+**Example request**:
+
+    GET /v1.23/exec/11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "CanRemove": false,
+      "ContainerID": "b53ee82b53a40c7dca428523e34f741f3abc51d9f297a14ff874bf761b995126",
+      "DetachKeys": "",
+      "ExitCode": 2,
+      "ID": "f33bbfb39f5b142420f4759b2348913bd4a8d1a6d7fd56499cb41a1bb91d7b3b",
+      "OpenStderr": true,
+      "OpenStdin": true,
+      "OpenStdout": true,
+      "ProcessConfig": {
+        "arguments": [
+          "-c",
+          "exit 2"
+        ],
+        "entrypoint": "sh",
+        "privileged": false,
+        "tty": true,
+        "user": "1000"
+      },
+      "Running": false
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **500** - server error
+
+### 2.4 Volumes
+
+#### List volumes
+
+`GET /volumes`
+
+**Example request**:
+
+    GET /v1.23/volumes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Volumes": [
+        {
+          "Name": "tardis",
+          "Driver": "local",
+          "Mountpoint": "/var/lib/docker/volumes/tardis"
+        }
+      ],
+      "Warnings": []
+    }
+
+**Query parameters**:
+
+- **filters** - JSON encoded value of the filters (a `map[string][]string`) to process on the volumes list. There is one available filter: `dangling=true`
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a volume
+
+`POST /volumes/create`
+
+Create a volume
+
+**Example request**:
+
+    POST /v1.23/volumes/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "Name": "tardis",
+      "Labels": {
+        "com.example.some-label": "some-value",
+        "com.example.some-other-label": "some-other-value"
+      }
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+      "Name": "tardis",
+      "Driver": "local",
+      "Mountpoint": "/var/lib/docker/volumes/tardis",
+      "Labels": {
+        "com.example.some-label": "some-value",
+        "com.example.some-other-label": "some-other-value"
+      }
+    }
+
+**Status codes**:
+
+- **201** - no error
+- **500**  - server error
+
+**JSON parameters**:
+
+- **Name** - The new volume's name. If not specified, Docker generates a name.
+- **Driver** - Name of the volume driver to use. Defaults to `local` for the name.
+- **DriverOpts** - A mapping of driver options and values. These options are
+    passed directly to the driver and are driver specific.
+- **Labels** - Labels to set on the volume, specified as a map: `{"key":"value","key2":"value2"}`
+
+#### Inspect a volume
+
+`GET /volumes/(name)`
+
+Return low-level information on the volume `name`
+
+**Example request**:
+
+    GET /v1.23/volumes/tardis
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Name": "tardis",
+      "Driver": "local",
+      "Mountpoint": "/var/lib/docker/volumes/tardis/_data",
+      "Labels": {
+          "com.example.some-label": "some-value",
+          "com.example.some-other-label": "some-other-value"
+      }
+    }
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - no such volume
+-   **500** - server error
+
+#### Remove a volume
+
+`DELETE /volumes/(name)`
+
+Instruct the driver to remove the volume (`name`).
+
+**Example request**:
+
+    DELETE /v1.23/volumes/tardis HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** - no error
+-   **404** - no such volume or volume driver
+-   **409** - volume is in use and cannot be removed
+-   **500** - server error
+
+### 3.5 Networks
+
+#### List networks
+
+`GET /networks`
+
+**Example request**:
+
+    GET /v1.23/networks?filters={"type":{"custom":true}} HTTP/1.1
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+[
+  {
+    "Name": "bridge",
+    "Id": "f2de39df4171b0dc801e8002d1d999b77256983dfc63041c0f34030aa3977566",
+    "Scope": "local",
+    "Driver": "bridge",
+    "EnableIPv6": false,
+    "Internal": false,
+    "IPAM": {
+      "Driver": "default",
+      "Config": [
+        {
+          "Subnet": "172.17.0.0/16"
+        }
+      ]
+    },
+    "Containers": {
+      "39b69226f9d79f5634485fb236a23b2fe4e96a0a94128390a7fbbcc167065867": {
+        "EndpointID": "ed2419a97c1d9954d05b46e462e7002ea552f216e9b136b80a7db8d98b442eda",
+        "MacAddress": "02:42:ac:11:00:02",
+        "IPv4Address": "172.17.0.2/16",
+        "IPv6Address": ""
+      }
+    },
+    "Options": {
+      "com.docker.network.bridge.default_bridge": "true",
+      "com.docker.network.bridge.enable_icc": "true",
+      "com.docker.network.bridge.enable_ip_masquerade": "true",
+      "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+      "com.docker.network.bridge.name": "docker0",
+      "com.docker.network.driver.mtu": "1500"
+    }
+  },
+  {
+    "Name": "none",
+    "Id": "e086a3893b05ab69242d3c44e49483a3bbbd3a26b46baa8f61ab797c1088d794",
+    "Scope": "local",
+    "Driver": "null",
+    "EnableIPv6": false,
+    "Internal": false,
+    "IPAM": {
+      "Driver": "default",
+      "Config": []
+    },
+    "Containers": {},
+    "Options": {}
+  },
+  {
+    "Name": "host",
+    "Id": "13e871235c677f196c4e1ecebb9dc733b9b2d2ab589e30c539efeda84a24215e",
+    "Scope": "local",
+    "Driver": "host",
+    "EnableIPv6": false,
+    "Internal": false,
+    "IPAM": {
+      "Driver": "default",
+      "Config": []
+    },
+    "Containers": {},
+    "Options": {}
+  }
+]
+```
+
+**Query parameters**:
+
+- **filters** - JSON encoded network list filter. The filter value is one of:
+  -   `id=<network-id>` Matches all or part of a network id.
+  -   `name=<network-name>` Matches all or part of a network name.
+  -   `type=["custom"|"builtin"]` Filters networks by type. The `custom` keyword returns all user-defined networks.
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Inspect network
+
+`GET /networks/(id or name)`
+
+Return low-level information on the network `id`
+
+**Example request**:
+
+    GET /v1.23/networks/7d86d31b1478e7cca9ebed7e73aa0fdeec46c5ca29497431d3007d2d9e15ed99 HTTP/1.1
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "Name": "net01",
+  "Id": "7d86d31b1478e7cca9ebed7e73aa0fdeec46c5ca29497431d3007d2d9e15ed99",
+  "Scope": "local",
+  "Driver": "bridge",
+  "EnableIPv6": false,
+  "IPAM": {
+    "Driver": "default",
+    "Config": [
+      {
+        "Subnet": "172.19.0.0/16",
+        "Gateway": "172.19.0.1/16"
+      }
+    ],
+    "Options": {
+        "foo": "bar"
+    }
+  },
+  "Internal": false,
+  "Containers": {
+    "19a4d5d687db25203351ed79d478946f861258f018fe384f229f2efa4b23513c": {
+      "Name": "test",
+      "EndpointID": "628cadb8bcb92de107b2a1e516cbffe463e321f548feb37697cce00ad694f21a",
+      "MacAddress": "02:42:ac:13:00:02",
+      "IPv4Address": "172.19.0.2/16",
+      "IPv6Address": ""
+    }
+  },
+  "Options": {
+    "com.docker.network.bridge.default_bridge": "true",
+    "com.docker.network.bridge.enable_icc": "true",
+    "com.docker.network.bridge.enable_ip_masquerade": "true",
+    "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+    "com.docker.network.bridge.name": "docker0",
+    "com.docker.network.driver.mtu": "1500"
+  },
+  "Labels": {
+    "com.example.some-label": "some-value",
+    "com.example.some-other-label": "some-other-value"
+  }
+}
+```
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - network not found
+-   **500** - server error
+
+#### Create a network
+
+`POST /networks/create`
+
+Create a network
+
+**Example request**:
+
+```
+POST /v1.23/networks/create HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Name":"isolated_nw",
+  "CheckDuplicate":true,
+  "Driver":"bridge",
+  "EnableIPv6": true,
+  "IPAM":{
+    "Driver": "default",
+    "Config":[
+      {
+        "Subnet":"172.20.0.0/16",
+        "IPRange":"172.20.10.0/24",
+        "Gateway":"172.20.10.11"
+      },
+      {
+        "Subnet":"2001:db8:abcd::/64",
+        "Gateway":"2001:db8:abcd::1011"
+      }
+    ],
+    "Options": {
+      "foo": "bar"
+    }
+  },
+  "Internal":true,
+  "Options": {
+    "com.docker.network.bridge.default_bridge": "true",
+    "com.docker.network.bridge.enable_icc": "true",
+    "com.docker.network.bridge.enable_ip_masquerade": "true",
+    "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+    "com.docker.network.bridge.name": "docker0",
+    "com.docker.network.driver.mtu": "1500"
+  },
+  "Labels": {
+    "com.example.some-label": "some-value",
+    "com.example.some-other-label": "some-other-value"
+  }
+}
+```
+
+**Example response**:
+
+```
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+  "Id": "22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30",
+  "Warning": ""
+}
+```
+
+**Status codes**:
+
+- **201** - no error
+- **404** - plugin not found
+- **500** - server error
+
+**JSON parameters**:
+
+- **Name** - The new network's name. this is a mandatory field
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`.
+    Since Network is primarily keyed based on a random ID and not on the name, 
+    and network name is strictly a user-friendly alias to the network 
+    which is uniquely identified using ID, there is no guaranteed way to check for duplicates. 
+    This parameter CheckDuplicate is there to provide a best effort checking of any networks 
+    which has the same name but it is not guaranteed to catch all name collisions.
+- **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
+- **Internal** - Restrict external access to the network
+- **IPAM** - Optional custom IP scheme for the network
+  - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+  - **Config** - List of IPAM configuration options, specified as a map:
+      `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+  - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
+- **EnableIPv6** - Enable IPv6 on the network
+- **Options** - Network specific options to be used by the drivers
+- **Labels** - Labels to set on the network, specified as a map: `{"key":"value" [,"key2":"value2"]}`
+
+#### Connect a container to a network
+
+`POST /networks/(id or name)/connect`
+
+Connect a container to a network
+
+**Example request**:
+
+```
+POST /v1.23/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30/connect HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Container":"3613f73ba0e4",
+  "EndpointConfig": {
+    "IPAMConfig": {
+        "IPv4Address":"172.24.56.89",
+        "IPv6Address":"2001:db8::5689"
+    }
+  }
+}
+```
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** - no error
+- **404** - network or container is not found
+- **500** - Internal Server Error
+
+**JSON parameters**:
+
+- **container** - container-id/name to be connected to the network
+
+#### Disconnect a container from a network
+
+`POST /networks/(id or name)/disconnect`
+
+Disconnect a container from a network
+
+**Example request**:
+
+```
+POST /v1.23/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30/disconnect HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Container":"3613f73ba0e4",
+  "Force":false
+}
+```
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** - no error
+- **404** - network or container not found
+- **500** - Internal Server Error
+
+**JSON parameters**:
+
+- **Container** - container-id/name to be disconnected from a network
+- **Force** - Force the container to disconnect from a network
+
+#### Remove a network
+
+`DELETE /networks/(id or name)`
+
+Instruct the driver to remove the network (`id`).
+
+**Example request**:
+
+    DELETE /v1.23/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** - no error
+-   **403** - operation not supported for pre-defined networks
+-   **404** - no such network
+-   **500** - server error
+
+## 3. Going further
+
+### 3.1 Inside `docker run`
+
+As an example, the `docker run` command line makes the following API calls:
+
+- Create the container
+
+- If the status code is 404, it means the image doesn't exist:
+    - Try to pull it.
+    - Then, retry to create the container.
+
+- Start the container.
+
+- If you are not in detached mode:
+- Attach to the container, using `logs=1` (to have `stdout` and
+      `stderr` from the container's start) and `stream=1`
+
+- If in detached mode or only `stdin` is attached, display the container's id.
+
+### 3.2 Hijacking
+
+In this version of the API, `/attach`, uses hijacking to transport `stdin`,
+`stdout`, and `stderr` on the same socket.
+
+To hint potential proxies about connection hijacking, Docker client sends
+connection upgrade headers similarly to websocket.
+
+    Upgrade: tcp
+    Connection: Upgrade
+
+When Docker daemon detects the `Upgrade` header, it switches its status code
+from **200 OK** to **101 UPGRADED** and resends the same headers.
+
+
+### 3.3 CORS Requests
+
+To set cross origin requests to the Engine API please give values to
+`--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
+default or blank means CORS disabled
+
+    $ dockerd -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
diff --git a/engine/docs/api/v1.24.md b/engine/docs/api/v1.24.md
new file mode 100644
index 00000000..e320020e
--- /dev/null
+++ b/engine/docs/api/v1.24.md
@@ -0,0 +1,5377 @@
+---
+title: "Engine API v1.24"
+description: "API Documentation for Docker"
+keywords: "API, Docker, rcli, REST, documentation"
+redirect_from:
+- /engine/reference/api/docker_remote_api_v1.24/
+- /reference/api/docker_remote_api_v1.24/
+---
+
+<!-- This file is maintained within the moby/moby GitHub
+     repository at https://github.com/moby/moby/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+## 1. Brief introduction
+
+ - The daemon listens on `unix:///var/run/docker.sock` but you can
+   [Bind Docker to another host/port or a Unix socket](../reference/commandline/dockerd.md#bind-docker-to-another-host-port-or-a-unix-socket).
+ - The API tends to be REST. However, for some complex commands, like `attach`
+   or `pull`, the HTTP connection is hijacked to transport `stdout`,
+   `stdin` and `stderr`.
+ - A `Content-Length` header should be present in `POST` requests to endpoints
+   that expect a body.
+ - To lock to a specific version of the API, you prefix the URL with the version
+   of the API to use. For example, `/v1.18/info`. If no version is included in
+   the URL, the maximum supported API version is used.
+ - If the API version specified in the URL is not supported by the daemon, a HTTP
+   `400 Bad Request` error message is returned.
+
+## 2. Errors
+
+The Engine API uses standard HTTP status codes to indicate the success or failure of the API call. The body of the response will be JSON in the following format:
+
+    {
+        "message": "page not found"
+    }
+
+The status codes that are returned for each endpoint are specified in the endpoint documentation below.
+
+## 3. Endpoints
+
+### 3.1 Containers
+
+#### List containers
+
+`GET /containers/json`
+
+List containers
+
+**Example request**:
+
+    GET /v1.24/containers/json?all=1&before=8dfafdbc3a40&size=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Id": "8dfafdbc3a40",
+                 "Names":["/boring_feynman"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 1",
+                 "Created": 1367854155,
+                 "State": "exited",
+                 "Status": "Exit 0",
+                 "Ports": [{"PrivatePort": 2222, "PublicPort": 3333, "Type": "tcp"}],
+                 "Labels": {
+                         "com.example.vendor": "Acme",
+                         "com.example.license": "GPL",
+                         "com.example.version": "1.0"
+                 },
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "2cdc4edb1ded3631c81f57966563e5c8525b81121bb3706a9a9a3ae102711f3f",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.2",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:02"
+                                  }
+                         }
+                 },
+                 "Mounts": [
+                         {
+                                  "Name": "fac362...80535",
+                                  "Source": "/data",
+                                  "Destination": "/data",
+                                  "Driver": "local",
+                                  "Mode": "ro,Z",
+                                  "RW": false,
+                                  "Propagation": ""
+                         }
+                 ]
+         },
+         {
+                 "Id": "9cd87474be90",
+                 "Names":["/coolName"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 222222",
+                 "Created": 1367854155,
+                 "State": "exited",
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "88eaed7b37b38c2a3f0c4bc796494fdf51b270c2d22656412a2ca5d559a64d7a",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.8",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:08"
+                                  }
+                         }
+                 },
+                 "Mounts": []
+         },
+         {
+                 "Id": "3176a2479c92",
+                 "Names":["/sleepy_dog"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 3333333333333333",
+                 "Created": 1367854154,
+                 "State": "exited",
+                 "Status": "Exit 0",
+                 "Ports":[],
+                 "Labels": {},
+                 "SizeRw":12288,
+                 "SizeRootFs":0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "8b27c041c30326d59cd6e6f510d4f8d1d570a228466f956edf7815508f78e30d",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.6",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:06"
+                                  }
+                         }
+                 },
+                 "Mounts": []
+         },
+         {
+                 "Id": "4cb07b47f9fb",
+                 "Names":["/running_cat"],
+                 "Image": "ubuntu:latest",
+                 "ImageID": "d74508fb6632491cea586a1fd7d748dfc5274cd6fdfedee309ecdcbc2bf5cb82",
+                 "Command": "echo 444444444444444444444444444444444",
+                 "Created": 1367854152,
+                 "State": "exited",
+                 "Status": "Exit 0",
+                 "Ports": [],
+                 "Labels": {},
+                 "SizeRw": 12288,
+                 "SizeRootFs": 0,
+                 "HostConfig": {
+                         "NetworkMode": "default"
+                 },
+                 "NetworkSettings": {
+                         "Networks": {
+                                 "bridge": {
+                                          "IPAMConfig": null,
+                                          "Links": null,
+                                          "Aliases": null,
+                                          "NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+                                          "EndpointID": "d91c7b2f0644403d7ef3095985ea0e2370325cd2332ff3a3225c4247328e66e9",
+                                          "Gateway": "172.17.0.1",
+                                          "IPAddress": "172.17.0.5",
+                                          "IPPrefixLen": 16,
+                                          "IPv6Gateway": "",
+                                          "GlobalIPv6Address": "",
+                                          "GlobalIPv6PrefixLen": 0,
+                                          "MacAddress": "02:42:ac:11:00:05"
+                                  }
+                         }
+                 },
+                 "Mounts": []
+         }
+    ]
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, Show all containers.
+        Only running containers are shown by default (i.e., this defaults to false)
+-   **limit** – Show `limit` last created
+        containers, include non-running ones.
+-   **since** – Show only containers created since Id, include
+        non-running ones.
+-   **before** – Show only containers created before Id, include
+        non-running ones.
+-   **size** – 1/True/true or 0/False/false, Show the containers
+        sizes
+-   **filters** - a JSON encoded value of the filters (a `map[string][]string`) to process on the containers list. Available filters:
+  -   `exited=<int>`; -- containers with exit code of  `<int>` ;
+  -   `status=`(`created`|`restarting`|`running`|`paused`|`exited`|`dead`)
+  -   `label=key` or `label="key=value"` of a container label
+  -   `isolation=`(`default`|`process`|`hyperv`)   (Windows daemon only)
+  -   `ancestor`=(`<image-name>[:<tag>]`,  `<image id>` or `<image@digest>`)
+  -   `before`=(`<container id>` or `<container name>`)
+  -   `since`=(`<container id>` or `<container name>`)
+  -   `volume`=(`<volume name>` or `<mount point destination>`)
+  -   `network`=(`<network id>` or `<network name>`)
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **500** – server error
+
+#### Create a container
+
+`POST /containers/create`
+
+Create a container
+
+**Example request**:
+
+    POST /v1.24/containers/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+           "Hostname": "",
+           "Domainname": "",
+           "User": "",
+           "AttachStdin": false,
+           "AttachStdout": true,
+           "AttachStderr": true,
+           "Tty": false,
+           "OpenStdin": false,
+           "StdinOnce": false,
+           "Env": [
+                   "FOO=bar",
+                   "BAZ=quux"
+           ],
+           "Cmd": [
+                   "date"
+           ],
+           "Entrypoint": "",
+           "Image": "ubuntu",
+           "Labels": {
+                   "com.example.vendor": "Acme",
+                   "com.example.license": "GPL",
+                   "com.example.version": "1.0"
+           },
+           "Volumes": {
+             "/volumes/data": {}
+           },
+           "Healthcheck":{
+              "Test": ["CMD-SHELL", "curl localhost:3000"],
+              "Interval": 1000000000,
+              "Timeout": 10000000000,
+              "Retries": 10,
+              "StartPeriod": 60000000000
+           },
+           "WorkingDir": "",
+           "NetworkDisabled": false,
+           "MacAddress": "12:34:56:78:9a:bc",
+           "ExposedPorts": {
+                   "22/tcp": {}
+           },
+           "StopSignal": "SIGTERM",
+           "HostConfig": {
+             "Binds": ["/tmp:/tmp"],
+             "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
+             "Links": ["redis3:redis"],
+             "Memory": 0,
+             "MemorySwap": 0,
+             "MemoryReservation": 0,
+             "KernelMemory": 0,
+             "CpuPercent": 80,
+             "CpuShares": 512,
+             "CpuPeriod": 100000,
+             "CpuQuota": 50000,
+             "CpusetCpus": "0,1",
+             "CpusetMems": "0,1",
+             "IOMaximumBandwidth": 0,
+             "IOMaximumIOps": 0,
+             "BlkioWeight": 300,
+             "BlkioWeightDevice": [{}],
+             "BlkioDeviceReadBps": [{}],
+             "BlkioDeviceReadIOps": [{}],
+             "BlkioDeviceWriteBps": [{}],
+             "BlkioDeviceWriteIOps": [{}],
+             "MemorySwappiness": 60,
+             "OomKillDisable": false,
+             "OomScoreAdj": 500,
+             "PidMode": "",
+             "PidsLimit": -1,
+             "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+             "PublishAllPorts": false,
+             "Privileged": false,
+             "ReadonlyRootfs": false,
+             "Dns": ["8.8.8.8"],
+             "DnsOptions": [""],
+             "DnsSearch": [""],
+             "ExtraHosts": null,
+             "VolumesFrom": ["parent", "other:ro"],
+             "CapAdd": ["NET_ADMIN"],
+             "CapDrop": ["MKNOD"],
+             "GroupAdd": ["newgroup"],
+             "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+             "NetworkMode": "bridge",
+             "Devices": [],
+             "Sysctls": { "net.ipv4.ip_forward": "1" },
+             "Ulimits": [{}],
+             "LogConfig": { "Type": "json-file", "Config": {} },
+             "SecurityOpt": [],
+             "StorageOpt": {},
+             "CgroupParent": "",
+             "VolumeDriver": "",
+             "ShmSize": 67108864
+          },
+          "NetworkingConfig": {
+              "EndpointsConfig": {
+                  "isolated_nw" : {
+                      "IPAMConfig": {
+                          "IPv4Address":"172.20.30.33",
+                          "IPv6Address":"2001:db8:abcd::3033",
+                          "LinkLocalIPs":["169.254.34.68", "fe80::3468"]
+                      },
+                      "Links":["container_1", "container_2"],
+                      "Aliases":["server_x", "server_y"]
+                  }
+              }
+          }
+      }
+
+**Example response**:
+
+      HTTP/1.1 201 Created
+      Content-Type: application/json
+
+      {
+           "Id":"e90e34656806",
+           "Warnings":[]
+      }
+
+**JSON parameters**:
+
+-   **Hostname** - A string value containing the hostname to use for the
+      container. This must be a valid RFC 1123 hostname.
+-   **Domainname** - A string value containing the domain name to use
+      for the container.
+-   **User** - A string value specifying the user inside the container.
+-   **AttachStdin** - Boolean value, attaches to `stdin`.
+-   **AttachStdout** - Boolean value, attaches to `stdout`.
+-   **AttachStderr** - Boolean value, attaches to `stderr`.
+-   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
+-   **OpenStdin** - Boolean value, opens `stdin`,
+-   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Entrypoint** - Set the entry point for the container as a string or an array
+      of strings.
+-   **Image** - A string specifying the image name to use for the container.
+-   **Volumes** - An object mapping mount point paths (strings) inside the
+      container to empty objects.
+-   **Healthcheck** - A test to perform to check that the container is healthy.
+    -     **Test** - The test to perform. Possible values are:
+              + `{}` inherit healthcheck from image or parent image
+              + `{"NONE"}` disable healthcheck
+              + `{"CMD", args...}` exec arguments directly
+              + `{"CMD-SHELL", command}` run command with system's default shell
+    -     **Interval** - The time to wait between checks in nanoseconds. It should be 0 or at least 1000000 (1 ms). 0 means inherit.
+    -     **Timeout** - The time to wait before considering the check to have hung. It should be 0 or at least 1000000 (1 ms). 0 means inherit.
+    -     **Retries** - The number of consecutive failures needed to consider a container as unhealthy. 0 means inherit.
+    -     **StartPeriod** - The time to wait for container initialization before starting health-retries countdown in nanoseconds. It should be 0 or at least 1000000 (1 ms). 0 means inherit.
+-   **WorkingDir** - A string specifying the working directory for commands to
+      run in.
+-   **NetworkDisabled** - Boolean value, when true disables networking for the
+      container
+-   **ExposedPorts** - An object mapping ports to an empty object in the form of:
+      `"ExposedPorts": { "<port>/<tcp|udp>: {}" }`
+-   **StopSignal** - Signal to stop a container as a string or unsigned integer. `SIGTERM` by default.
+-   **HostConfig**
+    -   **Binds** – A list of volume bindings for this container. Each volume binding is a string in one of these forms:
+           + `host-src:container-dest` to bind-mount a host path into the
+             container. Both `host-src`, and `container-dest` must be an
+             _absolute_ path.
+           + `host-src:container-dest:ro` to make the bind mount read-only
+             inside the container. Both `host-src`, and `container-dest` must be
+             an _absolute_ path.
+           + `volume-name:container-dest` to bind-mount a volume managed by a
+             volume driver into the container. `container-dest` must be an
+             _absolute_ path.
+           + `volume-name:container-dest:ro` to mount the volume read-only
+             inside the container.  `container-dest` must be an _absolute_ path.
+    -   **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+          mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
+    -   **Links** - A list of links for the container. Each link entry should be
+          in the form of `container_name:alias`.
+    -   **Memory** - Memory limit in bytes.
+    -   **MemorySwap** - Total memory limit (memory + swap); set `-1` to enable unlimited swap.
+          You must use this with `memory` and make the swap value larger than `memory`.
+    -   **MemoryReservation** - Memory soft limit in bytes.
+    -   **KernelMemory** - Kernel memory limit in bytes.
+    -   **CpuPercent** - An integer value containing the usable percentage of the available CPUs. (Windows daemon only)
+    -   **CpuShares** - An integer value containing the container's CPU Shares
+          (ie. the relative weight vs other containers).
+    -   **CpuPeriod** - The length of a CPU period in microseconds.
+    -   **CpuQuota** - Microseconds of CPU time that the container can get in a CPU period.
+    -   **CpusetCpus** - String value containing the `cgroups CpusetCpus` to use.
+    -   **CpusetMems** - Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effective on NUMA systems.
+    -   **IOMaximumBandwidth** - Maximum IO absolute rate in terms of IOps.
+    -   **IOMaximumIOps** - Maximum IO absolute rate in terms of bytes per second.
+    -   **BlkioWeight** - Block IO weight (relative weight) accepts a weight value between 10 and 1000.
+    -   **BlkioWeightDevice** - Block IO weight (relative device weight) in the form of:        `"BlkioWeightDevice": [{"Path": "device_path", "Weight": weight}]`
+    -   **BlkioDeviceReadBps** - Limit read rate (bytes per second) from a device in the form of:	`"BlkioDeviceReadBps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceReadBps": [{"Path": "/dev/sda", "Rate": "1024"}]"`
+    -   **BlkioDeviceWriteBps** - Limit write rate (bytes per second) to a device in the form of:	`"BlkioDeviceWriteBps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceWriteBps": [{"Path": "/dev/sda", "Rate": "1024"}]"`
+    -   **BlkioDeviceReadIOps** - Limit read rate (IO per second) from a device in the form of:	`"BlkioDeviceReadIOps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceReadIOps": [{"Path": "/dev/sda", "Rate": "1000"}]`
+    -   **BlkioDeviceWriteIOps** - Limit write rate (IO per second) to a device in the form of:	`"BlkioDeviceWriteIOps": [{"Path": "device_path", "Rate": rate}]`, for example:
+        `"BlkioDeviceWriteIOps": [{"Path": "/dev/sda", "Rate": "1000"}]`
+    -   **MemorySwappiness** - Tune a container's memory swappiness behavior. Accepts an integer between 0 and 100.
+    -   **OomKillDisable** - Boolean value, whether to disable OOM Killer for the container or not.
+    -   **OomScoreAdj** - An integer value containing the score given to the container in order to tune OOM killer preferences.
+    -   **PidMode** - Set the PID (Process) Namespace mode for the container;
+          `"container:<name|id>"`: joins another container's PID namespace
+          `"host"`: use the host's PID namespace inside the container
+    -   **PidsLimit** - Tune a container's pids limit. Set -1 for unlimited.
+    -   **PortBindings** - A map of exposed container ports and the host port they
+          should map to. A JSON object in the form
+          `{ <port>/<protocol>: [{ "HostPort": "<port>" }] }`
+          Take note that `port` is specified as a string and not an integer value.
+    -   **PublishAllPorts** - Allocates an ephemeral host port for all of a container's
+          exposed ports. Specified as a boolean value.
+
+          Ports are de-allocated when the container stops and allocated when the container starts.
+          The allocated port might be changed when restarting the container.
+
+          The port is selected from the ephemeral port range that depends on the kernel.
+          For example, on Linux the range is defined by `/proc/sys/net/ipv4/ip_local_port_range`.
+    -   **Privileged** - Gives the container full access to the host. Specified as
+          a boolean value.
+    -   **ReadonlyRootfs** - Mount the container's root filesystem as read only.
+          Specified as a boolean value.
+    -   **Dns** - A list of DNS servers for the container to use.
+    -   **DnsOptions** - A list of DNS options
+    -   **DnsSearch** - A list of DNS search domains
+    -   **ExtraHosts** - A list of hostnames/IP mappings to add to the
+        container's `/etc/hosts` file. Specified in the form `["hostname:IP"]`.
+    -   **VolumesFrom** - A list of volumes to inherit from another container.
+          Specified in the form `<container name>[:<ro|rw>]`
+    -   **CapAdd** - A list of kernel capabilities to add to the container.
+    -   **Capdrop** - A list of kernel capabilities to drop from the container.
+    -   **GroupAdd** - A list of additional groups that the container process will run as
+    -   **RestartPolicy** – The behavior to apply when the container exits.  The
+            value is an object with a `Name` property of either `"always"` to
+            always restart, `"unless-stopped"` to restart always except when
+            user has manually stopped the container or `"on-failure"` to restart only when the container
+            exit code is non-zero.  If `on-failure` is used, `MaximumRetryCount`
+            controls the number of times to retry before giving up.
+            The default is not to restart. (optional)
+            An ever increasing delay (double the previous delay, starting at 100mS)
+            is added before each restart to prevent flooding the server.
+    -   **UsernsMode**  - Sets the usernamespace mode for the container when usernamespace remapping option is enabled.
+           supported values are: `host`.
+    -   **NetworkMode** - Sets the networking mode for the container. Supported
+          standard values are: `bridge`, `host`, `none`, and `container:<name|id>`. Any other value is taken
+          as a custom network's name to which this container should connect to.
+    -   **Devices** - A list of devices to add to the container specified as a JSON object in the
+      form
+          `{ "PathOnHost": "/dev/deviceName", "PathInContainer": "/dev/deviceName", "CgroupPermissions": "mrw"}`
+    -   **Ulimits** - A list of ulimits to set in the container, specified as
+          `{ "Name": <name>, "Soft": <soft limit>, "Hard": <hard limit> }`, for example:
+          `Ulimits: { "Name": "nofile", "Soft": 1024, "Hard": 2048 }`
+    -   **Sysctls** - A list of kernel parameters (sysctls) to set in the container, specified as
+          `{ <name>: <Value> }`, for example:
+	  `{ "net.ipv4.ip_forward": "1" }`
+    -   **SecurityOpt**: A list of string values to customize labels for MLS
+        systems, such as SELinux.
+    -   **StorageOpt**: Storage driver options per container. Options can be passed in the form
+        `{"size":"120G"}`
+    -   **LogConfig** - Log configuration for the container, specified as a JSON object in the form
+          `{ "Type": "<driver_name>", "Config": {"key1": "val1"}}`.
+          Available types: `json-file`, `syslog`, `journald`, `gelf`, `fluentd`, `awslogs`, `splunk`, `etwlogs`, `none`.
+          `json-file` logging driver.
+    -   **CgroupParent** - Path to `cgroups` under which the container's `cgroup` is created. If the path is not absolute, the path is considered to be relative to the `cgroups` path of the init process. Cgroups are created if they do not already exist.
+    -   **VolumeDriver** - Driver that this container users to mount volumes.
+    -   **ShmSize** - Size of `/dev/shm` in bytes. The size must be greater than 0.  If omitted the system uses 64MB.
+
+**Query parameters**:
+
+-   **name** – Assign the specified name to the container. Must
+    match `/?[a-zA-Z0-9_-]+`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **406** – impossible to attach (container not running)
+-   **409** – conflict
+-   **500** – server error
+
+#### Inspect a container
+
+`GET /containers/(id or name)/json`
+
+Return low-level information on the container `id`
+
+**Example request**:
+
+      GET /v1.24/containers/4fa6e0f0c678/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+	{
+		"AppArmorProfile": "",
+		"Args": [
+			"-c",
+			"exit 9"
+		],
+		"Config": {
+			"AttachStderr": true,
+			"AttachStdin": false,
+			"AttachStdout": true,
+			"Cmd": [
+				"/bin/sh",
+				"-c",
+				"exit 9"
+			],
+			"Domainname": "",
+			"Entrypoint": null,
+			"Env": [
+				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+			],
+			"ExposedPorts": null,
+			"Hostname": "ba033ac44011",
+			"Image": "ubuntu",
+			"Labels": {
+				"com.example.vendor": "Acme",
+				"com.example.license": "GPL",
+				"com.example.version": "1.0"
+			},
+			"MacAddress": "",
+			"NetworkDisabled": false,
+			"OnBuild": null,
+			"OpenStdin": false,
+			"StdinOnce": false,
+			"Tty": false,
+			"User": "",
+			"Volumes": {
+				"/volumes/data": {}
+			},
+			"WorkingDir": "",
+			"StopSignal": "SIGTERM"
+		},
+		"Created": "2015-01-06T15:47:31.485331387Z",
+		"Driver": "devicemapper",
+		"ExecIDs": null,
+		"HostConfig": {
+			"Binds": null,
+			"IOMaximumBandwidth": 0,
+			"IOMaximumIOps": 0,
+			"BlkioWeight": 0,
+			"BlkioWeightDevice": [{}],
+			"BlkioDeviceReadBps": [{}],
+			"BlkioDeviceWriteBps": [{}],
+			"BlkioDeviceReadIOps": [{}],
+			"BlkioDeviceWriteIOps": [{}],
+			"CapAdd": null,
+			"CapDrop": null,
+			"ContainerIDFile": "",
+			"CpusetCpus": "",
+			"CpusetMems": "",
+			"CpuPercent": 80,
+			"CpuShares": 0,
+			"CpuPeriod": 100000,
+			"Devices": [],
+			"Dns": null,
+			"DnsOptions": null,
+			"DnsSearch": null,
+			"ExtraHosts": null,
+			"IpcMode": "",
+			"Links": null,
+			"LxcConf": [],
+			"Memory": 0,
+			"MemorySwap": 0,
+			"MemoryReservation": 0,
+			"KernelMemory": 0,
+			"OomKillDisable": false,
+			"OomScoreAdj": 500,
+			"NetworkMode": "bridge",
+			"PidMode": "",
+			"PortBindings": {},
+			"Privileged": false,
+			"ReadonlyRootfs": false,
+			"PublishAllPorts": false,
+			"RestartPolicy": {
+				"MaximumRetryCount": 2,
+				"Name": "on-failure"
+			},
+			"LogConfig": {
+				"Config": null,
+				"Type": "json-file"
+			},
+			"SecurityOpt": null,
+			"Sysctls": {
+			        "net.ipv4.ip_forward": "1"
+			},
+			"StorageOpt": null,
+			"VolumesFrom": null,
+			"Ulimits": [{}],
+			"VolumeDriver": "",
+			"ShmSize": 67108864
+		},
+		"HostnamePath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hostname",
+		"HostsPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/hosts",
+		"LogPath": "/var/lib/docker/containers/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b/1eb5fabf5a03807136561b3c00adcd2992b535d624d5e18b6cdc6a6844d9767b-json.log",
+		"Id": "ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39",
+		"Image": "04c5d3b7b0656168630d3ba35d8889bd0e9caafcaeb3004d2bfbc47e7c5d35d2",
+		"MountLabel": "",
+		"Name": "/boring_euclid",
+		"NetworkSettings": {
+			"Bridge": "",
+			"SandboxID": "",
+			"HairpinMode": false,
+			"LinkLocalIPv6Address": "",
+			"LinkLocalIPv6PrefixLen": 0,
+			"Ports": null,
+			"SandboxKey": "",
+			"SecondaryIPAddresses": null,
+			"SecondaryIPv6Addresses": null,
+			"EndpointID": "",
+			"Gateway": "",
+			"GlobalIPv6Address": "",
+			"GlobalIPv6PrefixLen": 0,
+			"IPAddress": "",
+			"IPPrefixLen": 0,
+			"IPv6Gateway": "",
+			"MacAddress": "",
+			"Networks": {
+				"bridge": {
+					"NetworkID": "7ea29fc1412292a2d7bba362f9253545fecdfa8ce9a6e37dd10ba8bee7129812",
+					"EndpointID": "7587b82f0dada3656fda26588aee72630c6fab1536d36e394b2bfbcf898c971d",
+					"Gateway": "172.17.0.1",
+					"IPAddress": "172.17.0.2",
+					"IPPrefixLen": 16,
+					"IPv6Gateway": "",
+					"GlobalIPv6Address": "",
+					"GlobalIPv6PrefixLen": 0,
+					"MacAddress": "02:42:ac:12:00:02"
+				}
+			}
+		},
+		"Path": "/bin/sh",
+		"ProcessLabel": "",
+		"ResolvConfPath": "/var/lib/docker/containers/ba033ac4401106a3b513bc9d639eee123ad78ca3616b921167cd74b20e25ed39/resolv.conf",
+		"RestartCount": 1,
+		"State": {
+			"Error": "",
+			"ExitCode": 9,
+			"FinishedAt": "2015-01-06T15:47:32.080254511Z",
+			"OOMKilled": false,
+			"Dead": false,
+			"Paused": false,
+			"Pid": 0,
+			"Restarting": false,
+			"Running": true,
+			"StartedAt": "2015-01-06T15:47:32.072697474Z",
+			"Status": "running"
+		},
+		"Mounts": [
+			{
+				"Name": "fac362...80535",
+				"Source": "/data",
+				"Destination": "/data",
+				"Driver": "local",
+				"Mode": "ro,Z",
+				"RW": false,
+				"Propagation": ""
+			}
+		]
+	}
+
+**Example request, with size information**:
+
+    GET /v1.24/containers/4fa6e0f0c678/json?size=1 HTTP/1.1
+
+**Example response, with size information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+    ....
+    "SizeRw": 0,
+    "SizeRootFs": 972,
+    ....
+    }
+
+**Query parameters**:
+
+-   **size** – 1/True/true or 0/False/false, return container size information. Default is `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### List processes running inside a container
+
+`GET /containers/(id or name)/top`
+
+List processes running inside the container `id`. On Unix systems this
+is done by running the `ps` command. This endpoint is not
+supported on Windows.
+
+**Example request**:
+
+    GET /v1.24/containers/4fa6e0f0c678/top HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Titles" : [
+         "UID", "PID", "PPID", "C", "STIME", "TTY", "TIME", "CMD"
+       ],
+       "Processes" : [
+         [
+           "root", "13642", "882", "0", "17:03", "pts/0", "00:00:00", "/bin/bash"
+         ],
+         [
+           "root", "13735", "13642", "0", "17:06", "pts/0", "00:00:00", "sleep 10"
+         ]
+       ]
+    }
+
+**Example request**:
+
+    GET /v1.24/containers/4fa6e0f0c678/top?ps_args=aux HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Titles" : [
+        "USER","PID","%CPU","%MEM","VSZ","RSS","TTY","STAT","START","TIME","COMMAND"
+      ]
+      "Processes" : [
+        [
+          "root","13642","0.0","0.1","18172","3184","pts/0","Ss","17:03","0:00","/bin/bash"
+        ],
+        [
+          "root","13895","0.0","0.0","4348","692","pts/0","S+","17:15","0:00","sleep 10"
+        ]
+      ],
+    }
+
+**Query parameters**:
+
+-   **ps_args** – `ps` arguments to use (e.g., `aux`), defaults to `-ef`
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container logs
+
+`GET /containers/(id or name)/logs`
+
+Get `stdout` and `stderr` logs from the container ``id``
+
+> **Note**:
+> This endpoint works only for containers with the `json-file` or `journald` logging drivers.
+
+**Example request**:
+
+     GET /v1.24/containers/4fa6e0f0c678/logs?stderr=1&stdout=1&timestamps=1&follow=1&tail=10&since=1428990821 HTTP/1.1
+
+**Example response**:
+
+     HTTP/1.1 101 UPGRADED
+     Content-Type: application/vnd.docker.raw-stream
+     Connection: Upgrade
+     Upgrade: tcp
+
+     {% raw %}
+     {{ STREAM }}
+     {% endraw %}
+
+**Query parameters**:
+
+-   **details** - 1/True/true or 0/False/false, Show extra details provided to logs. Default `false`.
+-   **follow** – 1/True/true or 0/False/false, return stream. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, show `stdout` log. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, show `stderr` log. Default `false`.
+-   **since** – UNIX timestamp (integer) to filter logs. Specifying a timestamp
+    will only output log-entries since that timestamp. Default: 0 (unfiltered)
+-   **timestamps** – 1/True/true or 0/False/false, print timestamps for
+        every log line. Default `false`.
+-   **tail** – Output specified number of lines at the end of logs: `all` or `<number>`. Default all.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **404** – no such container
+-   **500** – server error
+
+#### Inspect changes on a container's filesystem
+
+`GET /containers/(id or name)/changes`
+
+Inspect changes on container `id`'s filesystem
+
+**Example request**:
+
+    GET /v1.24/containers/4fa6e0f0c678/changes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+         {
+                 "Path": "/dev",
+                 "Kind": 0
+         },
+         {
+                 "Path": "/dev/kmsg",
+                 "Kind": 1
+         },
+         {
+                 "Path": "/test",
+                 "Kind": 1
+         }
+    ]
+
+Values for `Kind`:
+
+- `0`: Modify
+- `1`: Add
+- `2`: Delete
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Export a container
+
+`GET /containers/(id or name)/export`
+
+Export the contents of container `id`
+
+**Example request**:
+
+    GET /v1.24/containers/4fa6e0f0c678/export HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/octet-stream
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Get container stats based on resource usage
+
+`GET /containers/(id or name)/stats`
+
+This endpoint returns a live stream of a container's resource usage statistics.
+
+**Example request**:
+
+    GET /v1.24/containers/redis1/stats HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Type: application/json
+
+      {
+         "read" : "2015-01-08T22:57:31.547920715Z",
+         "pids_stats": {
+            "current": 3
+         },
+         "networks": {
+                 "eth0": {
+                     "rx_bytes": 5338,
+                     "rx_dropped": 0,
+                     "rx_errors": 0,
+                     "rx_packets": 36,
+                     "tx_bytes": 648,
+                     "tx_dropped": 0,
+                     "tx_errors": 0,
+                     "tx_packets": 8
+                 },
+                 "eth5": {
+                     "rx_bytes": 4641,
+                     "rx_dropped": 0,
+                     "rx_errors": 0,
+                     "rx_packets": 26,
+                     "tx_bytes": 690,
+                     "tx_dropped": 0,
+                     "tx_errors": 0,
+                     "tx_packets": 9
+                 }
+         },
+         "memory_stats" : {
+            "stats" : {
+               "total_pgmajfault" : 0,
+               "cache" : 0,
+               "mapped_file" : 0,
+               "total_inactive_file" : 0,
+               "pgpgout" : 414,
+               "rss" : 6537216,
+               "total_mapped_file" : 0,
+               "writeback" : 0,
+               "unevictable" : 0,
+               "pgpgin" : 477,
+               "total_unevictable" : 0,
+               "pgmajfault" : 0,
+               "total_rss" : 6537216,
+               "total_rss_huge" : 6291456,
+               "total_writeback" : 0,
+               "total_inactive_anon" : 0,
+               "rss_huge" : 6291456,
+               "hierarchical_memory_limit" : 67108864,
+               "total_pgfault" : 964,
+               "total_active_file" : 0,
+               "active_anon" : 6537216,
+               "total_active_anon" : 6537216,
+               "total_pgpgout" : 414,
+               "total_cache" : 0,
+               "inactive_anon" : 0,
+               "active_file" : 0,
+               "pgfault" : 964,
+               "inactive_file" : 0,
+               "total_pgpgin" : 477
+            },
+            "max_usage" : 6651904,
+            "usage" : 6537216,
+            "failcnt" : 0,
+            "limit" : 67108864
+         },
+         "blkio_stats" : {},
+         "cpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24472255,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100215355,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 739306590000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         },
+         "precpu_stats" : {
+            "cpu_usage" : {
+               "percpu_usage" : [
+                  8646879,
+                  24350896,
+                  36438778,
+                  30657443
+               ],
+               "usage_in_usermode" : 50000000,
+               "total_usage" : 100093996,
+               "usage_in_kernelmode" : 30000000
+            },
+            "system_cpu_usage" : 9492140000000,
+            "throttling_data" : {"periods":0,"throttled_periods":0,"throttled_time":0}
+         }
+      }
+
+The `precpu_stats` is the cpu statistic of *previous* read, which is used for calculating the cpu usage percent. It is not the exact copy of the `cpu_stats` field.
+
+**Query parameters**:
+
+-   **stream** – 1/True/true or 0/False/false, pull stats once then disconnect. Default `true`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Resize a container TTY
+
+`POST /containers/(id or name)/resize`
+
+Resize the TTY for container with  `id`. The unit is number of characters. You must restart the container for the resize to take effect.
+
+**Example request**:
+
+      POST /v1.24/containers/4fa6e0f0c678/resize?h=40&w=80 HTTP/1.1
+
+**Example response**:
+
+      HTTP/1.1 200 OK
+      Content-Length: 0
+      Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – No such container
+-   **500** – Cannot resize container
+
+#### Start a container
+
+`POST /containers/(id or name)/start`
+
+Start the container `id`
+
+**Example request**:
+
+    POST /v1.24/containers/e90e34656806/start HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **detachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already started
+-   **404** – no such container
+-   **500** – server error
+
+#### Stop a container
+
+`POST /containers/(id or name)/stop`
+
+Stop the container `id`
+
+**Example request**:
+
+    POST /v1.24/containers/e90e34656806/stop?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **304** – container already stopped
+-   **404** – no such container
+-   **500** – server error
+
+#### Restart a container
+
+`POST /containers/(id or name)/restart`
+
+Restart the container `id`
+
+**Example request**:
+
+    POST /v1.24/containers/e90e34656806/restart?t=5 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **t** – number of seconds to wait before killing the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Kill a container
+
+`POST /containers/(id or name)/kill`
+
+Kill the container `id`
+
+**Example request**:
+
+    POST /v1.24/containers/e90e34656806/kill HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **signal** - Signal to send to the container: integer or string like `SIGINT`.
+        When not set, `SIGKILL` is assumed and the call waits for the container to exit.
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Update a container
+
+`POST /containers/(id or name)/update`
+
+Update configuration of one or more containers.
+
+**Example request**:
+
+       POST /v1.24/containers/e90e34656806/update HTTP/1.1
+       Content-Type: application/json
+       Content-Length: 12345
+
+       {
+         "BlkioWeight": 300,
+         "CpuShares": 512,
+         "CpuPeriod": 100000,
+         "CpuQuota": 50000,
+         "CpusetCpus": "0,1",
+         "CpusetMems": "0",
+         "Memory": 314572800,
+         "MemorySwap": 514288000,
+         "MemoryReservation": 209715200,
+         "KernelMemory": 52428800,
+         "RestartPolicy": {
+           "MaximumRetryCount": 4,
+           "Name": "on-failure"
+         }
+       }
+
+**Example response**:
+
+       HTTP/1.1 200 OK
+       Content-Type: application/json
+
+       {
+           "Warnings": []
+       }
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+#### Rename a container
+
+`POST /containers/(id or name)/rename`
+
+Rename the container `id` to a `new_name`
+
+**Example request**:
+
+    POST /v1.24/containers/e90e34656806/rename?name=new_name HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **name** – new name for the container
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **409** - conflict name already assigned
+-   **500** – server error
+
+#### Pause a container
+
+`POST /containers/(id or name)/pause`
+
+Pause the container `id`
+
+**Example request**:
+
+    POST /v1.24/containers/e90e34656806/pause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Unpause a container
+
+`POST /containers/(id or name)/unpause`
+
+Unpause the container `id`
+
+**Example request**:
+
+    POST /v1.24/containers/e90e34656806/unpause HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Attach to a container
+
+`POST /containers/(id or name)/attach`
+
+Attach to the container `id`
+
+**Example request**:
+
+    POST /v1.24/containers/16253994b7c4/attach?logs=1&stream=0&stdout=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 101 UPGRADED
+    Content-Type: application/vnd.docker.raw-stream
+    Connection: Upgrade
+    Upgrade: tcp
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **detachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **101** – no error, hints proxy about hijacking
+-   **200** – no error, no upgrade header found
+-   **400** – bad parameter
+-   **404** – no such container
+-   **409** - container is paused
+-   **500** – server error
+
+**Stream details**:
+
+When using the TTY setting is enabled in
+[`POST /containers/create`
+](#create-a-container),
+the stream is the raw data from the process PTY and client's `stdin`.
+When the TTY is disabled, then the stream is multiplexed to separate
+`stdout` and `stderr`.
+
+The format is a **Header** and a **Payload** (frame).
+
+**HEADER**
+
+The header contains the information which the stream writes (`stdout` or
+`stderr`). It also contains the size of the associated frame encoded in the
+last four bytes (`uint32`).
+
+It is encoded on the first eight bytes like this:
+
+    header := [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}
+
+`STREAM_TYPE` can be:
+
+-   0: `stdin` (is written on `stdout`)
+-   1: `stdout`
+-   2: `stderr`
+
+`SIZE1, SIZE2, SIZE3, SIZE4` are the four bytes of
+the `uint32` size encoded as big endian.
+
+**PAYLOAD**
+
+The payload is the raw stream.
+
+**IMPLEMENTATION**
+
+The simplest way to implement the Attach protocol is the following:
+
+    1.  Read eight bytes.
+    2.  Choose `stdout` or `stderr` depending on the first byte.
+    3.  Extract the frame size from the last four bytes.
+    4.  Read the extracted size and output it on the correct output.
+    5.  Goto 1.
+
+#### Attach to a container (websocket)
+
+`GET /containers/(id or name)/attach/ws`
+
+Attach to the container `id` via websocket
+
+Implements websocket protocol handshake according to [RFC 6455](http://tools.ietf.org/html/rfc6455)
+
+**Example request**
+
+    GET /v1.24/containers/e90e34656806/attach/ws?logs=0&stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
+
+**Example response**
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**Query parameters**:
+
+-   **detachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+-   **logs** – 1/True/true or 0/False/false, return logs. Default `false`.
+-   **stream** – 1/True/true or 0/False/false, return stream.
+        Default `false`.
+-   **stdin** – 1/True/true or 0/False/false, if `stream=true`, attach
+        to `stdin`. Default `false`.
+-   **stdout** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stdout` log, if `stream=true`, attach to `stdout`. Default `false`.
+-   **stderr** – 1/True/true or 0/False/false, if `logs=true`, return
+        `stderr` log, if `stream=true`, attach to `stderr`. Default `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **500** – server error
+
+#### Wait a container
+
+`POST /containers/(id or name)/wait`
+
+Block until container `id` stops, then returns the exit code
+
+**Example request**:
+
+    POST /v1.24/containers/16253994b7c4/wait HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"StatusCode": 0}
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Remove a container
+
+`DELETE /containers/(id or name)`
+
+Remove the container `id` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.24/containers/16253994b7c4?v=1 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Query parameters**:
+
+-   **v** – 1/True/true or 0/False/false, Remove the volumes
+        associated to the container. Default `false`.
+-   **force** - 1/True/true or 0/False/false, Kill then remove the container.
+        Default `false`.
+-   **link** - 1/True/true or 0/False/false, Remove the specified
+        link associated to the container. Default `false`.
+
+**Status codes**:
+
+-   **204** – no error
+-   **400** – bad parameter
+-   **404** – no such container
+-   **409** – conflict
+-   **500** – server error
+
+#### Retrieving information about files and folders in a container
+
+`HEAD /containers/(id or name)/archive`
+
+See the description of the `X-Docker-Container-Path-Stat` header in the
+following section.
+
+#### Get an archive of a filesystem resource in a container
+
+`GET /containers/(id or name)/archive`
+
+Get a tar archive of a resource in the filesystem of container `id`.
+
+**Query parameters**:
+
+- **path** - resource in the container's filesystem to archive. Required.
+
+    If not an absolute path, it is relative to the container's root directory.
+    The resource specified by **path** must exist. To assert that the resource
+    is expected to be a directory, **path** should end in `/` or  `/.`
+    (assuming a path separator of `/`). If **path** ends in `/.` then this
+    indicates that only the contents of the **path** directory should be
+    copied. A symlink is always resolved to its target.
+
+    > **Note**: It is not possible to copy certain system files such as resources
+    > under `/proc`, `/sys`, `/dev`, and mounts created by the user in the
+    > container.
+
+**Example request**:
+
+    GET /v1.24/containers/8cce319429b2/archive?path=/root HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+    X-Docker-Container-Path-Stat: eyJuYW1lIjoicm9vdCIsInNpemUiOjQwOTYsIm1vZGUiOjIxNDc0ODQwOTYsIm10aW1lIjoiMjAxNC0wMi0yN1QyMDo1MToyM1oiLCJsaW5rVGFyZ2V0IjoiIn0=
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+On success, a response header `X-Docker-Container-Path-Stat` will be set to a
+base64-encoded JSON object containing some filesystem header information about
+the archived resource. The above example value would decode to the following
+JSON object (whitespace added for readability):
+
+```json
+{
+    "name": "root",
+    "size": 4096,
+    "mode": 2147484096,
+    "mtime": "2014-02-27T20:51:23Z",
+    "linkTarget": ""
+}
+```
+
+A `HEAD` request can also be made to this endpoint if only this information is
+desired.
+
+**Status codes**:
+
+- **200** - success, returns archive of copied resource
+- **400** - client error, bad parameter, details in JSON response body, one of:
+    - must specify path parameter (**path** cannot be empty)
+    - not a directory (**path** was asserted to be a directory but exists as a
+      file)
+- **404** - client error, resource not found, one of:
+    – no such container (container `id` does not exist)
+    - no such file or directory (**path** does not exist)
+- **500** - server error
+
+#### Extract an archive of files or folders to a directory in a container
+
+`PUT /containers/(id or name)/archive`
+
+Upload a tar archive to be extracted to a path in the filesystem of container
+`id`.
+
+**Query parameters**:
+
+- **path** - path to a directory in the container
+    to extract the archive's contents into. Required.
+
+    If not an absolute path, it is relative to the container's root directory.
+    The **path** resource must exist.
+- **noOverwriteDirNonDir** - If "1", "true", or "True" then it will be an error
+    if unpacking the given content would cause an existing directory to be
+    replaced with a non-directory and vice versa.
+
+**Example request**:
+
+    PUT /v1.24/containers/8cce319429b2/archive?path=/vol1 HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** – the content was extracted successfully
+- **400** - client error, bad parameter, details in JSON response body, one of:
+    - must specify path parameter (**path** cannot be empty)
+    - not a directory (**path** should be a directory but exists as a file)
+    - unable to overwrite existing directory with non-directory
+      (if **noOverwriteDirNonDir**)
+    - unable to overwrite existing non-directory with directory
+      (if **noOverwriteDirNonDir**)
+- **403** - client error, permission denied, the volume
+    or container rootfs is marked as read-only.
+- **404** - client error, resource not found, one of:
+    – no such container (container `id` does not exist)
+    - no such file or directory (**path** resource does not exist)
+- **500** – server error
+
+### 3.2 Images
+
+#### List Images
+
+`GET /images/json`
+
+**Example request**:
+
+    GET /v1.24/images/json?all=0 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+         "RepoTags": [
+           "ubuntu:12.04",
+           "ubuntu:precise",
+           "ubuntu:latest"
+         ],
+         "Id": "8dbd9e392a964056420e5d58ca5cc376ef18e2de93b5cc90e868a1bbc8318c1c",
+         "Created": 1365714795,
+         "Size": 131506275,
+         "VirtualSize": 131506275,
+         "Labels": {}
+      },
+      {
+         "RepoTags": [
+           "ubuntu:12.10",
+           "ubuntu:quantal"
+         ],
+         "ParentId": "27cf784147099545",
+         "Id": "b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc",
+         "Created": 1364102658,
+         "Size": 24653,
+         "VirtualSize": 180116135,
+         "Labels": {
+            "com.example.version": "v1"
+         }
+      }
+    ]
+
+**Example request, with digest information**:
+
+    GET /v1.24/images/json?digests=1 HTTP/1.1
+
+**Example response, with digest information**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+        "Created": 1420064636,
+        "Id": "4986bf8c15363d1c5d15512d5266f8777bfba4974ac56e3270e7760f6f0a8125",
+        "ParentId": "ea13149945cb6b1e746bf28032f02e9b5a793523481a0a18645fc77ad53c4ea2",
+        "RepoDigests": [
+          "localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+        ],
+        "RepoTags": [
+          "localhost:5000/test/busybox:latest",
+          "playdate:latest"
+        ],
+        "Size": 0,
+        "VirtualSize": 2429728,
+        "Labels": {}
+      }
+    ]
+
+The response shows a single image `Id` associated with two repositories
+(`RepoTags`): `localhost:5000/test/busybox`: and `playdate`. A caller can use
+either of the `RepoTags` values `localhost:5000/test/busybox:latest` or
+`playdate:latest` to reference the image.
+
+You can also use `RepoDigests` values to reference an image. In this response,
+the array has only one reference and that is to the
+`localhost:5000/test/busybox` repository; the `playdate` repository has no
+digest. You can reference this digest using the value:
+`localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d...`
+
+See the `docker run` and `docker build` commands for examples of digest and tag
+references on the command line.
+
+**Query parameters**:
+
+-   **all** – 1/True/true or 0/False/false, default false
+-   **filters** – a JSON encoded value of the filters (a map[string][]string) to process on the images list. Available filters:
+  -   `dangling=true`
+  -   `label=key` or `label="key=value"` of an image label
+  -   `before`=(`<image-name>[:<tag>]`,  `<image id>` or `<image@digest>`)
+  -   `since`=(`<image-name>[:<tag>]`,  `<image id>` or `<image@digest>`)
+-   **filter** - only return images with the specified name
+
+#### Build image from a Dockerfile
+
+`POST /build`
+
+Build an image from a Dockerfile
+
+**Example request**:
+
+    POST /v1.24/build HTTP/1.1
+    Content-Type: application/x-tar
+
+    {% raw %}
+    {{ TAR STREAM }}
+    {% endraw %}
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"stream": "Step 1/5..."}
+    {"stream": "..."}
+    {"error": "Error...", "errorDetail": {"code": 123, "message": "Error..."}}
+
+The input stream must be a `tar` archive compressed with one of the
+following algorithms: `identity` (no compression), `gzip`, `bzip2`, `xz`.
+
+The archive must include a build instructions file, typically called
+`Dockerfile` at the archive's root. The `dockerfile` parameter may be
+used to specify a different build instructions file. To do this, its value must be
+the path to the alternate build instructions file to use.
+
+The archive may include any number of other files,
+which are accessible in the build context (See the [*ADD build
+command*](../reference/builder.md#add)).
+
+The Docker daemon performs a preliminary validation of the `Dockerfile` before
+starting the build, and returns an error if the syntax is incorrect. After that,
+each instruction is run one-by-one until the ID of the new image is output.
+
+The build is canceled if the client drops the connection by quitting
+or being killed.
+
+**Query parameters**:
+
+-   **dockerfile** - Path within the build context to the `Dockerfile`. This is
+        ignored if `remote` is specified and points to an external `Dockerfile`.
+-   **t** – A name and optional tag to apply to the image in the `name:tag` format.
+        If you omit the `tag` the default `latest` value is assumed.
+        You can provide one or more `t` parameters.
+-   **remote** – A Git repository URI or HTTP/HTTPS context URI. If the
+        URI points to a single text file, the file's contents are placed into
+        a file called `Dockerfile` and the image is built from that file. If
+        the URI points to a tarball, the file is downloaded by the daemon and
+        the contents therein used as the context for the build. If the URI
+        points to a tarball and the `dockerfile` parameter is also specified,
+        there must be a file with the corresponding path inside the tarball.
+-   **q** – Suppress verbose build output.
+-   **nocache** – Do not use the cache when building the image.
+-   **pull** - Attempt to pull the image even if an older image exists locally.
+-   **rm** - Remove intermediate containers after a successful build (default behavior).
+-   **forcerm** - Always remove intermediate containers (includes `rm`).
+-   **memory** - Set memory limit for build.
+-   **memswap** - Total memory (memory + swap), `-1` to enable unlimited swap.
+-   **cpushares** - CPU shares (relative weight).
+-   **cpusetcpus** - CPUs in which to allow execution (e.g., `0-3`, `0,1`).
+-   **cpuperiod** - The length of a CPU period in microseconds.
+-   **cpuquota** - Microseconds of CPU time that the container can get in a CPU period.
+-   **buildargs** – JSON map of string pairs for build-time variables. Users pass
+        these values at build-time. Docker uses the `buildargs` as the environment
+        context for command(s) run via the Dockerfile's `RUN` instruction or for
+        variable expansion in other Dockerfile instructions. This is not meant for
+        passing secret values. [Read more about the buildargs instruction](../reference/builder.md#arg)
+-   **shmsize** - Size of `/dev/shm` in bytes. The size must be greater than 0.  If omitted the system uses 64MB.
+-   **labels** – JSON map of string pairs for labels to set on the image.
+
+**Request Headers**:
+
+-   **Content-type** – Set to `"application/x-tar"`.
+-   **X-Registry-Config** – A base64-url-safe-encoded Registry Auth Config JSON
+        object with the following structure:
+
+            {
+                "docker.example.com": {
+                    "username": "janedoe",
+                    "password": "hunter2"
+                },
+                "https://index.docker.io/v1/": {
+                    "username": "mobydock",
+                    "password": "conta1n3rize14"
+                }
+            }
+
+    This object maps the hostname of a registry to an object containing the
+    "username" and "password" for that registry. Multiple registries may
+    be specified as the build may be based on an image requiring
+    authentication to pull from any arbitrary registry. Only the registry
+    domain name (and port if not the default "443") are required. However
+    (for legacy reasons) the "official" Docker, Inc. hosted registry must
+    be specified with both a "https://" prefix and a "/v1/" suffix even
+    though Docker will prefer to use the v2 registry API.
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Create an image
+
+`POST /images/create`
+
+Create an image either by pulling it from the registry or by importing it
+
+**Example request**:
+
+    POST /v1.24/images/create?fromImage=busybox&tag=latest HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pulling..."}
+    {"status": "Pulling", "progress": "1 B/ 100 B", "progressDetail": {"current": 1, "total": 100}}
+    {"error": "Invalid..."}
+    ...
+
+When using this endpoint to pull an image from the registry, the
+`X-Registry-Auth` header can be used to include
+a base64-encoded AuthConfig object.
+
+**Query parameters**:
+
+-   **fromImage** – Name of the image to pull. The name may include a tag or
+        digest. This parameter may only be used when pulling an image.
+        The pull is cancelled if the HTTP connection is closed.
+-   **fromSrc** – Source to import.  The value may be a URL from which the image
+        can be retrieved or `-` to read the image from the request body.
+        This parameter may only be used when importing an image.
+-   **repo** – Repository name given to an image when it is imported.
+        The repo may include a tag. This parameter may only be used when importing
+        an image.
+-   **tag** – Tag or digest. If empty when pulling an image, this causes all tags
+        for the given image to be pulled.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object, containing either login information, or a token
+    - Credential based login:
+
+        ```
+    {
+            "username": "jdoe",
+            "password": "secret",
+            "email": "jdoe@acme.com"
+    }
+        ```
+
+    - Token based login:
+
+        ```
+    {
+            "identitytoken": "9cbaf023786cd7..."
+    }
+        ```
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** - repository does not exist or no read access
+-   **500** – server error
+
+
+
+#### Inspect an image
+
+`GET /images/(name)/json`
+
+Return low-level information on the image `name`
+
+**Example request**:
+
+    GET /v1.24/images/example/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+       "Id" : "sha256:85f05633ddc1c50679be2b16a0479ab6f7637f8884e0cfe0f4d20e1ebb3d6e7c",
+       "Container" : "cb91e48a60d01f1e27028b4fc6819f4f290b3cf12496c8176ec714d0d390984a",
+       "Comment" : "",
+       "Os" : "linux",
+       "Architecture" : "amd64",
+       "Parent" : "sha256:91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+       "ContainerConfig" : {
+          "Tty" : false,
+          "Hostname" : "e611e15f9c9d",
+          "Volumes" : null,
+          "Domainname" : "",
+          "AttachStdout" : false,
+          "PublishService" : "",
+          "AttachStdin" : false,
+          "OpenStdin" : false,
+          "StdinOnce" : false,
+          "NetworkDisabled" : false,
+          "OnBuild" : [],
+          "Image" : "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+          "User" : "",
+          "WorkingDir" : "",
+          "Entrypoint" : null,
+          "MacAddress" : "",
+          "AttachStderr" : false,
+          "Labels" : {
+             "com.example.license" : "GPL",
+             "com.example.version" : "1.0",
+             "com.example.vendor" : "Acme"
+          },
+          "Env" : [
+             "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ],
+          "ExposedPorts" : null,
+          "Cmd" : [
+             "/bin/sh",
+             "-c",
+             "#(nop) LABEL com.example.vendor=Acme com.example.license=GPL com.example.version=1.0"
+          ]
+       },
+       "DockerVersion" : "1.9.0-dev",
+       "VirtualSize" : 188359297,
+       "Size" : 0,
+       "Author" : "",
+       "Created" : "2015-09-10T08:30:53.26995814Z",
+       "GraphDriver" : {
+          "Name" : "aufs",
+          "Data" : null
+       },
+       "RepoDigests" : [
+          "localhost:5000/test/busybox/example@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf"
+       ],
+       "RepoTags" : [
+          "example:1.0",
+          "example:latest",
+          "example:stable"
+       ],
+       "Config" : {
+          "Image" : "91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+          "NetworkDisabled" : false,
+          "OnBuild" : [],
+          "StdinOnce" : false,
+          "PublishService" : "",
+          "AttachStdin" : false,
+          "OpenStdin" : false,
+          "Domainname" : "",
+          "AttachStdout" : false,
+          "Tty" : false,
+          "Hostname" : "e611e15f9c9d",
+          "Volumes" : null,
+          "Cmd" : [
+             "/bin/bash"
+          ],
+          "ExposedPorts" : null,
+          "Env" : [
+             "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          ],
+          "Labels" : {
+             "com.example.vendor" : "Acme",
+             "com.example.version" : "1.0",
+             "com.example.license" : "GPL"
+          },
+          "Entrypoint" : null,
+          "MacAddress" : "",
+          "AttachStderr" : false,
+          "WorkingDir" : "",
+          "User" : ""
+       },
+       "RootFS": {
+           "Type": "layers",
+           "Layers": [
+               "sha256:1834950e52ce4d5a88a1bbd131c537f4d0e56d10ff0dd69e66be3b7dfa9df7e6",
+               "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
+           ]
+       }
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Get the history of an image
+
+`GET /images/(name)/history`
+
+Return the history of the image `name`
+
+**Example request**:
+
+    GET /v1.24/images/ubuntu/history HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+        {
+            "Id": "3db9c44f45209632d6050b35958829c3a2aa256d81b9a7be45b362ff85c54710",
+            "Created": 1398108230,
+            "CreatedBy": "/bin/sh -c #(nop) ADD file:eb15dbd63394e063b805a3c32ca7bf0266ef64676d5a6fab4801f2e81e2a5148 in /",
+            "Tags": [
+                "ubuntu:lucid",
+                "ubuntu:10.04"
+            ],
+            "Size": 182964289,
+            "Comment": ""
+        },
+        {
+            "Id": "6cfa4d1f33fb861d4d114f43b25abd0ac737509268065cdfd69d544a59c85ab8",
+            "Created": 1398108222,
+            "CreatedBy": "/bin/sh -c #(nop) MAINTAINER Tianon Gravi <admwiggin@gmail.com> - mkimage-debootstrap.sh -i iproute,iputils-ping,ubuntu-minimal -t lucid.tar.xz lucid http://archive.ubuntu.com/ubuntu/",
+            "Tags": null,
+            "Size": 0,
+            "Comment": ""
+        },
+        {
+            "Id": "511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158",
+            "Created": 1371157430,
+            "CreatedBy": "",
+            "Tags": [
+                "scratch12:latest",
+                "scratch:latest"
+            ],
+            "Size": 0,
+            "Comment": "Imported from -"
+        }
+    ]
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Push an image on the registry
+
+`POST /images/(name)/push`
+
+Push the image `name` on the registry
+
+**Example request**:
+
+    POST /v1.24/images/test/push HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {"status": "Pushing..."}
+    {"status": "Pushing", "progress": "1/? (n/a)", "progressDetail": {"current": 1}}}
+    {"error": "Invalid..."}
+    ...
+
+If you wish to push an image on to a private registry, that image must already have a tag
+into a repository which references that registry `hostname` and `port`.  This repository name should
+then be used in the URL. This duplicates the command line's flow.
+
+The push is cancelled if the HTTP connection is closed.
+
+**Example request**:
+
+    POST /v1.24/images/registry.acme.com:5000/test/push HTTP/1.1
+
+
+**Query parameters**:
+
+-   **tag** – The tag to associate with the image on the registry. This is optional.
+
+**Request Headers**:
+
+-   **X-Registry-Auth** – base64-encoded AuthConfig object, containing either login information, or a token
+    - Credential based login:
+
+        ```
+    {
+            "username": "jdoe",
+            "password": "secret",
+            "email": "jdoe@acme.com",
+    }
+        ```
+
+    - Identity token based login:
+
+        ```
+    {
+            "identitytoken": "9cbaf023786cd7..."
+    }
+        ```
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **500** – server error
+
+#### Tag an image into a repository
+
+`POST /images/(name)/tag`
+
+Tag the image `name` into a repository
+
+**Example request**:
+
+    POST /v1.24/images/test/tag?repo=myrepo&tag=v42 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+
+**Query parameters**:
+
+-   **repo** – The repository to tag in
+-   **tag** - The new tag name
+
+**Status codes**:
+
+-   **201** – no error
+-   **400** – bad parameter
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Remove an image
+
+`DELETE /images/(name)`
+
+Remove the image `name` from the filesystem
+
+**Example request**:
+
+    DELETE /v1.24/images/test HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-type: application/json
+
+    [
+     {"Untagged": "3e2f21a89f"},
+     {"Deleted": "3e2f21a89f"},
+     {"Deleted": "53b4f83ac9"}
+    ]
+
+**Query parameters**:
+
+-   **force** – 1/True/true or 0/False/false, default false
+-   **noprune** – 1/True/true or 0/False/false, default false
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such image
+-   **409** – conflict
+-   **500** – server error
+
+#### Search images
+
+`GET /images/search`
+
+Search for an image on [Docker Hub](https://hub.docker.com).
+
+> **Note**:
+> The response keys have changed from API v1.6 to reflect the JSON
+> sent by the registry server to the docker daemon's request.
+
+**Example request**:
+
+    GET /v1.24/images/search?term=sshd HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "wma55/u1210sshd",
+                "star_count": 0
+            },
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "jdswinbank/sshd",
+                "star_count": 0
+            },
+            {
+                "description": "",
+                "is_official": false,
+                "is_automated": false,
+                "name": "vgauthier/sshd",
+                "star_count": 0
+            }
+    ...
+    ]
+
+**Query parameters**:
+
+-   **term** – term to search
+-   **limit** – maximum returned search results
+-   **filters** – a JSON encoded value of the filters (a map[string][]string) to process on the images list. Available filters:
+  -   `stars=<number>`
+  -   `is-automated=(true|false)`
+  -   `is-official=(true|false)`
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+### 3.3 Misc
+
+#### Check auth configuration
+
+`POST /auth`
+
+Validate credentials for a registry and get identity token,
+if available, for accessing the registry without password.
+
+**Example request**:
+
+    POST /v1.24/auth HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "username": "hannibal",
+         "password": "xxxx",
+         "serveraddress": "https://index.docker.io/v1/"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+    {
+         "Status": "Login Succeeded",
+         "IdentityToken": "9cbaf023786cd7..."
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **204** – no error
+-   **500** – server error
+
+#### Display system-wide information
+
+`GET /info`
+
+Display system-wide information
+
+**Example request**:
+
+    GET /v1.24/info HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+        "Architecture": "x86_64",
+        "ClusterStore": "etcd://localhost:2379",
+        "CgroupDriver": "cgroupfs",
+        "Containers": 11,
+        "ContainersRunning": 7,
+        "ContainersStopped": 3,
+        "ContainersPaused": 1,
+        "CpuCfsPeriod": true,
+        "CpuCfsQuota": true,
+        "Debug": false,
+        "DockerRootDir": "/var/lib/docker",
+        "Driver": "btrfs",
+        "DriverStatus": [[""]],
+        "ExperimentalBuild": false,
+        "HttpProxy": "http://test:test@localhost:8080",
+        "HttpsProxy": "https://test:test@localhost:8080",
+        "ID": "7TRN:IPZB:QYBB:VPBQ:UMPP:KARE:6ZNR:XE6T:7EWV:PKF4:ZOJD:TPYS",
+        "IPv4Forwarding": true,
+        "Images": 16,
+        "IndexServerAddress": "https://index.docker.io/v1/",
+        "InitPath": "/usr/bin/docker",
+        "InitSha1": "",
+        "KernelMemory": true,
+        "KernelVersion": "3.12.0-1-amd64",
+        "Labels": [
+            "storage=ssd"
+        ],
+        "MemTotal": 2099236864,
+        "MemoryLimit": true,
+        "NCPU": 1,
+        "NEventsListener": 0,
+        "NFd": 11,
+        "NGoroutines": 21,
+        "Name": "prod-server-42",
+        "NoProxy": "9.81.1.160",
+        "OomKillDisable": true,
+        "OSType": "linux",
+        "OperatingSystem": "Boot2Docker",
+        "Plugins": {
+            "Volume": [
+                "local"
+            ],
+            "Network": [
+                "null",
+                "host",
+                "bridge"
+            ]
+        },
+        "RegistryConfig": {
+            "IndexConfigs": {
+                "docker.io": {
+                    "Mirrors": null,
+                    "Name": "docker.io",
+                    "Official": true,
+                    "Secure": true
+                }
+            },
+            "InsecureRegistryCIDRs": [
+                "127.0.0.0/8"
+            ]
+        },
+        "SecurityOptions": [
+            "apparmor",
+            "seccomp",
+            "selinux"
+        ],
+        "ServerVersion": "1.9.0",
+        "SwapLimit": false,
+        "SystemStatus": [["State", "Healthy"]],
+        "SystemTime": "2015-03-10T11:11:23.730591467-07:00"
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Show the docker version information
+
+`GET /version`
+
+Show the docker version information
+
+**Example request**:
+
+    GET /v1.24/version HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+         "Version": "1.12.0",
+         "Os": "linux",
+         "KernelVersion": "3.19.0-23-generic",
+         "GoVersion": "go1.6.3",
+         "GitCommit": "deadbee",
+         "Arch": "amd64",
+         "ApiVersion": "1.24",
+         "BuildTime": "2016-06-14T07:09:13.444803460+00:00",
+         "Experimental": true
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Ping the docker server
+
+`GET /_ping`
+
+Ping the docker server
+
+**Example request**:
+
+    GET /v1.24/_ping HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: text/plain
+
+    OK
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a new image from a container's changes
+
+`POST /commit`
+
+Create a new image from a container's changes
+
+**Example request**:
+
+    POST /v1.24/commit?container=44c004db4b17&comment=message&repo=myrepo HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+         "Hostname": "",
+         "Domainname": "",
+         "User": "",
+         "AttachStdin": false,
+         "AttachStdout": true,
+         "AttachStderr": true,
+         "Tty": false,
+         "OpenStdin": false,
+         "StdinOnce": false,
+         "Env": null,
+         "Cmd": [
+                 "date"
+         ],
+         "Mounts": [
+           {
+             "Source": "/data",
+             "Destination": "/data",
+             "Mode": "ro,Z",
+             "RW": false
+           }
+         ],
+         "Labels": {
+                 "key1": "value1",
+                 "key2": "value2"
+          },
+         "WorkingDir": "",
+         "NetworkDisabled": false,
+         "ExposedPorts": {
+                 "22/tcp": {}
+         }
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {"Id": "596069db4bf5"}
+
+**JSON parameters**:
+
+-  **config** - the container's configuration
+
+**Query parameters**:
+
+-   **container** – source container
+-   **repo** – repository
+-   **tag** – tag
+-   **comment** – commit message
+-   **author** – author (e.g., "John Hannibal Smith
+    <[hannibal@a-team.com](mailto:hannibal%40a-team.com)>")
+-   **pause** – 1/True/true or 0/False/false, whether to pause the container before committing
+-   **changes** – Dockerfile instructions to apply while committing
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **500** – server error
+
+#### Monitor Docker's events
+
+`GET /events`
+
+Get container events from docker, in real time via streaming.
+
+Docker containers report the following events:
+
+    attach, commit, copy, create, destroy, detach, die, exec_create, exec_detach, exec_start, export, health_status, kill, oom, pause, rename, resize, restart, start, stop, top, unpause, update
+
+Docker images report the following events:
+
+    delete, import, load, pull, push, save, tag, untag
+
+Docker volumes report the following events:
+
+    create, mount, unmount, destroy
+
+Docker networks report the following events:
+
+    create, connect, disconnect, destroy
+
+Docker daemon report the following event:
+
+    reload
+
+**Example request**:
+
+    GET /v1.24/events?since=1374067924
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+    Server: Docker/1.12.0 (linux)
+    Date: Fri, 29 Apr 2016 15:18:06 GMT
+    Transfer-Encoding: chunked
+
+    {
+      "status": "pull",
+      "id": "alpine:latest",
+      "Type": "image",
+      "Action": "pull",
+      "Actor": {
+        "ID": "alpine:latest",
+        "Attributes": {
+          "name": "alpine"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101301854122
+    }
+    {
+      "status": "create",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "create",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101381709551
+    }
+    {
+      "status": "attach",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "attach",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101383858412
+    }
+    {
+      "Type": "network",
+      "Action": "connect",
+      "Actor": {
+        "ID": "7dc8ac97d5d29ef6c31b6052f3938c1e8f2749abbd17d1bd1febf2608db1b474",
+        "Attributes": {
+          "container": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+          "name": "bridge",
+          "type": "bridge"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101394865557
+    }
+    {
+      "status": "start",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "start",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101607533796
+    }
+    {
+      "status": "resize",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "resize",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "height": "46",
+          "image": "alpine",
+          "name": "my-container",
+          "width": "204"
+        }
+      },
+      "time": 1461943101,
+      "timeNano": 1461943101610269268
+    }
+    {
+      "status": "die",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "die",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "exitCode": "0",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943105,
+      "timeNano": 1461943105079144137
+    }
+    {
+      "Type": "network",
+      "Action": "disconnect",
+      "Actor": {
+        "ID": "7dc8ac97d5d29ef6c31b6052f3938c1e8f2749abbd17d1bd1febf2608db1b474",
+        "Attributes": {
+          "container": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+          "name": "bridge",
+          "type": "bridge"
+        }
+      },
+      "time": 1461943105,
+      "timeNano": 1461943105230860245
+    }
+    {
+      "status": "destroy",
+      "id": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+      "from": "alpine",
+      "Type": "container",
+      "Action": "destroy",
+      "Actor": {
+        "ID": "ede54ee1afda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c743",
+        "Attributes": {
+          "com.example.some-label": "some-label-value",
+          "image": "alpine",
+          "name": "my-container"
+        }
+      },
+      "time": 1461943105,
+      "timeNano": 1461943105338056026
+    }
+
+**Query parameters**:
+
+-   **since** – Timestamp. Show all events created since timestamp and then stream
+-   **until** – Timestamp. Show events created until given timestamp and stop streaming
+-   **filters** – A json encoded value of the filters (a map[string][]string) to process on the event list. Available filters:
+  -   `container=<string>`; -- container to filter
+  -   `event=<string>`; -- event to filter
+  -   `image=<string>`; -- image to filter
+  -   `label=<string>`; -- image and container label to filter
+  -   `type=<string>`; -- either `container` or `image` or `volume` or `network` or `daemon`
+  -   `volume=<string>`; -- volume to filter
+  -   `network=<string>`; -- network to filter
+  -   `daemon=<string>`; -- daemon name or id to filter
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** - bad parameter
+-   **500** – server error
+
+#### Get a tarball containing all images in a repository
+
+`GET /images/(name)/get`
+
+Get a tarball containing all images and metadata for the repository specified
+by `name`.
+
+If `name` is a specific name and tag (e.g. ubuntu:latest), then only that image
+(and its parents) are returned. If `name` is an image ID, similarly only that
+image (and its parents) are returned, but with the exclusion of the
+'repositories' file in the tarball, as there were no image names referenced.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.24/images/ubuntu/get
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Get a tarball containing all images
+
+`GET /images/get`
+
+Get a tarball containing all images and metadata for one or more repositories.
+
+For each value of the `names` parameter: if it is a specific name and tag (e.g.
+`ubuntu:latest`), then only that image (and its parents) are returned; if it is
+an image ID, similarly only that image (and its parents) are returned and there
+would be no names referenced in the 'repositories' file for this image ID.
+
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    GET /v1.24/images/get?names=myname%2Fmyapp%3Alatest&names=busybox
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/x-tar
+
+    Binary data stream
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Load a tarball with a set of images and tags into docker
+
+`POST /images/load`
+
+Load a set of images and tags into a Docker repository.
+See the [image tarball format](#image-tarball-format) for more details.
+
+**Example request**
+
+    POST /v1.24/images/load
+    Content-Type: application/x-tar
+    Content-Length: 12345
+
+    Tarball in body
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+    Transfer-Encoding: chunked
+
+    {"status":"Loading layer","progressDetail":{"current":32768,"total":1292800},"progress":"[=                                                 ] 32.77 kB/1.293 MB","id":"8ac8bfaff55a"}
+    {"status":"Loading layer","progressDetail":{"current":65536,"total":1292800},"progress":"[==                                                ] 65.54 kB/1.293 MB","id":"8ac8bfaff55a"}
+    {"status":"Loading layer","progressDetail":{"current":98304,"total":1292800},"progress":"[===                                               ]  98.3 kB/1.293 MB","id":"8ac8bfaff55a"}
+    {"status":"Loading layer","progressDetail":{"current":131072,"total":1292800},"progress":"[=====                                             ] 131.1 kB/1.293 MB","id":"8ac8bfaff55a"}
+    ...
+    {"stream":"Loaded image: busybox:latest\n"}
+
+**Example response**:
+
+If the "quiet" query parameter is set to `true` / `1` (`?quiet=1`), progress
+details are suppressed, and only a confirmation message is returned once the
+action completes.
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+    Transfer-Encoding: chunked
+
+    {"stream":"Loaded image: busybox:latest\n"}
+
+**Query parameters**:
+
+-   **quiet** – Boolean value, suppress progress details during load. Defaults
+      to `0` / `false` if omitted.
+
+**Status codes**:
+
+-   **200** – no error
+-   **500** – server error
+
+#### Image tarball format
+
+An image tarball contains one directory per image layer (named using its long ID),
+each containing these files:
+
+- `VERSION`: currently `1.0` - the file format version
+- `json`: detailed layer information, similar to `docker inspect layer_id`
+- `layer.tar`: A tarfile containing the filesystem changes in this layer
+
+The `layer.tar` file contains `aufs` style `.wh..wh.aufs` files and directories
+for storing attribute changes and deletions.
+
+If the tarball defines a repository, the tarball should also include a `repositories` file at
+the root that contains a list of repository and tag names mapped to layer IDs.
+
+```
+{"hello-world":
+    {"latest": "565a9d68a73f6706862bfe8409a7f659776d4d60a8d096eb4a3cbce6999cc2a1"}
+}
+```
+
+#### Exec Create
+
+`POST /containers/(id or name)/exec`
+
+Sets up an exec instance in a running container `id`
+
+**Example request**:
+
+    POST /v1.24/containers/e90e34656806/exec HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "AttachStdin": true,
+      "AttachStdout": true,
+      "AttachStderr": true,
+      "Cmd": ["sh"],
+      "DetachKeys": "ctrl-p,ctrl-q",
+      "Privileged": true,
+      "Tty": true,
+      "User": "123:456"
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+         "Id": "f90e34656806",
+         "Warnings":[]
+    }
+
+**JSON parameters**:
+
+-   **AttachStdin** - Boolean value, attaches to `stdin` of the `exec` command.
+-   **AttachStdout** - Boolean value, attaches to `stdout` of the `exec` command.
+-   **AttachStderr** - Boolean value, attaches to `stderr` of the `exec` command.
+-   **DetachKeys** – Override the key sequence for detaching a
+        container. Format is a single character `[a-Z]` or `ctrl-<value>`
+        where `<value>` is one of: `a-z`, `@`, `^`, `[`, `,` or `_`.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+-   **Cmd** - Command to run specified as a string or an array of strings.
+-   **Privileged** - Boolean value, runs the exec process with extended privileges.
+-   **User** - A string value specifying the user, and optionally, group to run
+        the exec process inside the container. Format is one of: `"user"`,
+        `"user:group"`, `"uid"`, or `"uid:gid"`.
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such container
+-   **409** - container is paused
+-   **500** - server error
+
+#### Exec Start
+
+`POST /exec/(id)/start`
+
+Starts a previously set up `exec` instance `id`. If `detach` is true, this API
+returns after starting the `exec` command. Otherwise, this API sets up an
+interactive session with the `exec` command.
+
+**Example request**:
+
+    POST /v1.24/exec/e90e34656806/start HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+     "Detach": false,
+     "Tty": false
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/vnd.docker.raw-stream
+
+    {% raw %}
+    {{ STREAM }}
+    {% endraw %}
+
+**JSON parameters**:
+
+-   **Detach** - Detach from the `exec` command.
+-   **Tty** - Boolean value to allocate a pseudo-TTY.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **409** - container is paused
+
+**Stream details**:
+
+Similar to the stream behavior of `POST /containers/(id or name)/attach` API
+
+#### Exec Resize
+
+`POST /exec/(id)/resize`
+
+Resizes the `tty` session used by the `exec` command `id`.  The unit is number of characters.
+This API is valid only if `tty` was specified as part of creating and starting the `exec` command.
+
+**Example request**:
+
+    POST /v1.24/exec/e90e34656806/resize?h=40&w=80 HTTP/1.1
+    Content-Type: text/plain
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: text/plain
+
+**Query parameters**:
+
+-   **h** – height of `tty` session
+-   **w** – width
+
+**Status codes**:
+
+-   **201** – no error
+-   **404** – no such exec instance
+
+#### Exec Inspect
+
+`GET /exec/(id)/json`
+
+Return low-level information about the `exec` command `id`.
+
+**Example request**:
+
+    GET /v1.24/exec/11fb006128e8ceb3942e7c58d77750f24210e35f879dd204ac975c184b820b39/json HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "CanRemove": false,
+      "ContainerID": "b53ee82b53a40c7dca428523e34f741f3abc51d9f297a14ff874bf761b995126",
+      "DetachKeys": "",
+      "ExitCode": 2,
+      "ID": "f33bbfb39f5b142420f4759b2348913bd4a8d1a6d7fd56499cb41a1bb91d7b3b",
+      "OpenStderr": true,
+      "OpenStdin": true,
+      "OpenStdout": true,
+      "ProcessConfig": {
+        "arguments": [
+          "-c",
+          "exit 2"
+        ],
+        "entrypoint": "sh",
+        "privileged": false,
+        "tty": true,
+        "user": "1000"
+      },
+      "Running": false
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such exec instance
+-   **500** - server error
+
+### 3.4 Volumes
+
+#### List volumes
+
+`GET /volumes`
+
+**Example request**:
+
+    GET /v1.24/volumes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Volumes": [
+        {
+          "Name": "tardis",
+          "Driver": "local",
+          "Mountpoint": "/var/lib/docker/volumes/tardis",
+          "Labels": null,
+          "Scope": "local"
+        }
+      ],
+      "Warnings": []
+    }
+
+**Query parameters**:
+
+- **filters** - JSON encoded value of the filters (a `map[string][]string`) to process on the volumes list. Available filters:
+  -   `name=<volume-name>` Matches all or part of a volume name.
+  -   `dangling=<boolean>` When set to `true` (or `1`), returns all volumes that are "dangling" (not in use by a container). When set to `false` (or `0`), only volumes that are in use by one or more containers are returned.
+  -   `driver=<volume-driver-name>` Matches all or part of a volume driver name.
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Create a volume
+
+`POST /volumes/create`
+
+Create a volume
+
+**Example request**:
+
+    POST /v1.24/volumes/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "Name": "tardis",
+      "Labels": {
+        "com.example.some-label": "some-value",
+        "com.example.some-other-label": "some-other-value"
+      },
+      "Driver": "custom"
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+      "Name": "tardis",
+      "Driver": "custom",
+      "Mountpoint": "/var/lib/docker/volumes/tardis",
+      "Status": {
+        "hello": "world"
+      },
+      "Labels": {
+        "com.example.some-label": "some-value",
+        "com.example.some-other-label": "some-other-value"
+      },
+      "Scope": "local"
+    }
+
+**Status codes**:
+
+- **201** - no error
+- **500**  - server error
+
+**JSON parameters**:
+
+- **Name** - The new volume's name. If not specified, Docker generates a name.
+- **Driver** - Name of the volume driver to use. Defaults to `local` for the name.
+- **DriverOpts** - A mapping of driver options and values. These options are
+    passed directly to the driver and are driver specific.
+- **Labels** - Labels to set on the volume, specified as a map: `{"key":"value","key2":"value2"}`
+
+**JSON fields in response**:
+
+Refer to the [inspect a volume](#inspect-a-volume) section or details about the
+JSON fields returned in the response.
+
+#### Inspect a volume
+
+`GET /volumes/(name)`
+
+Return low-level information on the volume `name`
+
+**Example request**:
+
+    GET /v1.24/volumes/tardis
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "Name": "tardis",
+      "Driver": "custom",
+      "Mountpoint": "/var/lib/docker/volumes/tardis/_data",
+      "Status": {
+        "hello": "world"
+      },
+      "Labels": {
+          "com.example.some-label": "some-value",
+          "com.example.some-other-label": "some-other-value"
+      },
+      "Scope": "local"
+    }
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - no such volume
+-   **500** - server error
+
+**JSON fields in response**:
+
+The following fields can be returned in the API response. Empty fields, or
+fields that are not supported by the volume's driver may be omitted in the
+response.
+
+- **Name** - Name of the volume.
+- **Driver** - Name of the volume driver used by the volume.
+- **Mountpoint** - Mount path of the volume on the host.
+- **Status** - Low-level details about the volume, provided by the volume driver.
+    Details are returned as a map with key/value pairs: `{"key":"value","key2":"value2"}`.
+    The `Status` field is optional, and is omitted if the volume driver does not
+    support this feature.
+- **Labels** - Labels set on the volume, specified as a map: `{"key":"value","key2":"value2"}`.
+- **Scope** - Scope describes the level at which the volume exists, can be one of
+    `global` for cluster-wide or `local` for machine level. The default is `local`.
+
+#### Remove a volume
+
+`DELETE /volumes/(name)`
+
+Instruct the driver to remove the volume (`name`).
+
+**Example request**:
+
+    DELETE /v1.24/volumes/tardis HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** - no error
+-   **404** - no such volume or volume driver
+-   **409** - volume is in use and cannot be removed
+-   **500** - server error
+
+### 3.5 Networks
+
+#### List networks
+
+`GET /networks`
+
+**Example request**:
+
+    GET /v1.24/networks?filters={"type":{"custom":true}} HTTP/1.1
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+[
+  {
+    "Name": "bridge",
+    "Id": "f2de39df4171b0dc801e8002d1d999b77256983dfc63041c0f34030aa3977566",
+    "Scope": "local",
+    "Driver": "bridge",
+    "EnableIPv6": false,
+    "Internal": false,
+    "IPAM": {
+      "Driver": "default",
+      "Config": [
+        {
+          "Subnet": "172.17.0.0/16"
+        }
+      ]
+    },
+    "Containers": {
+      "39b69226f9d79f5634485fb236a23b2fe4e96a0a94128390a7fbbcc167065867": {
+        "EndpointID": "ed2419a97c1d9954d05b46e462e7002ea552f216e9b136b80a7db8d98b442eda",
+        "MacAddress": "02:42:ac:11:00:02",
+        "IPv4Address": "172.17.0.2/16",
+        "IPv6Address": ""
+      }
+    },
+    "Options": {
+      "com.docker.network.bridge.default_bridge": "true",
+      "com.docker.network.bridge.enable_icc": "true",
+      "com.docker.network.bridge.enable_ip_masquerade": "true",
+      "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+      "com.docker.network.bridge.name": "docker0",
+      "com.docker.network.driver.mtu": "1500"
+    }
+  },
+  {
+    "Name": "none",
+    "Id": "e086a3893b05ab69242d3c44e49483a3bbbd3a26b46baa8f61ab797c1088d794",
+    "Scope": "local",
+    "Driver": "null",
+    "EnableIPv6": false,
+    "Internal": false,
+    "IPAM": {
+      "Driver": "default",
+      "Config": []
+    },
+    "Containers": {},
+    "Options": {}
+  },
+  {
+    "Name": "host",
+    "Id": "13e871235c677f196c4e1ecebb9dc733b9b2d2ab589e30c539efeda84a24215e",
+    "Scope": "local",
+    "Driver": "host",
+    "EnableIPv6": false,
+    "Internal": false,
+    "IPAM": {
+      "Driver": "default",
+      "Config": []
+    },
+    "Containers": {},
+    "Options": {}
+  }
+]
+```
+
+**Query parameters**:
+
+- **filters** - JSON encoded network list filter. The filter value is one of:
+  -   `driver=<driver-name>` Matches a network's driver.
+  -   `id=<network-id>` Matches all or part of a network id.
+  -   `label=<key>` or `label=<key>=<value>` of a network label.
+  -   `name=<network-name>` Matches all or part of a network name.
+  -   `type=["custom"|"builtin"]` Filters networks by type. The `custom` keyword returns all user-defined networks.
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Inspect network
+
+`GET /networks/(id or name)`
+
+Return low-level information on the network `id`
+
+**Example request**:
+
+    GET /v1.24/networks/7d86d31b1478e7cca9ebed7e73aa0fdeec46c5ca29497431d3007d2d9e15ed99 HTTP/1.1
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "Name": "net01",
+  "Id": "7d86d31b1478e7cca9ebed7e73aa0fdeec46c5ca29497431d3007d2d9e15ed99",
+  "Scope": "local",
+  "Driver": "bridge",
+  "EnableIPv6": false,
+  "IPAM": {
+    "Driver": "default",
+    "Config": [
+      {
+        "Subnet": "172.19.0.0/16",
+        "Gateway": "172.19.0.1"
+      }
+    ],
+    "Options": {
+        "foo": "bar"
+    }
+  },
+  "Internal": false,
+  "Containers": {
+    "19a4d5d687db25203351ed79d478946f861258f018fe384f229f2efa4b23513c": {
+      "Name": "test",
+      "EndpointID": "628cadb8bcb92de107b2a1e516cbffe463e321f548feb37697cce00ad694f21a",
+      "MacAddress": "02:42:ac:13:00:02",
+      "IPv4Address": "172.19.0.2/16",
+      "IPv6Address": ""
+    }
+  },
+  "Options": {
+    "com.docker.network.bridge.default_bridge": "true",
+    "com.docker.network.bridge.enable_icc": "true",
+    "com.docker.network.bridge.enable_ip_masquerade": "true",
+    "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+    "com.docker.network.bridge.name": "docker0",
+    "com.docker.network.driver.mtu": "1500"
+  },
+  "Labels": {
+    "com.example.some-label": "some-value",
+    "com.example.some-other-label": "some-other-value"
+  }
+}
+```
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - network not found
+-   **500** - server error
+
+#### Create a network
+
+`POST /networks/create`
+
+Create a network
+
+**Example request**:
+
+```
+POST /v1.24/networks/create HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Name":"isolated_nw",
+  "CheckDuplicate":true,
+  "Driver":"bridge",
+  "EnableIPv6": true,
+  "IPAM":{
+    "Driver": "default",
+    "Config":[
+      {
+        "Subnet":"172.20.0.0/16",
+        "IPRange":"172.20.10.0/24",
+        "Gateway":"172.20.10.11"
+      },
+      {
+        "Subnet":"2001:db8:abcd::/64",
+        "Gateway":"2001:db8:abcd::1011"
+      }
+    ],
+    "Options": {
+      "foo": "bar"
+    }
+  },
+  "Internal":true,
+  "Options": {
+    "com.docker.network.bridge.default_bridge": "true",
+    "com.docker.network.bridge.enable_icc": "true",
+    "com.docker.network.bridge.enable_ip_masquerade": "true",
+    "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
+    "com.docker.network.bridge.name": "docker0",
+    "com.docker.network.driver.mtu": "1500"
+  },
+  "Labels": {
+    "com.example.some-label": "some-value",
+    "com.example.some-other-label": "some-other-value"
+  }
+}
+```
+
+**Example response**:
+
+```
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+  "Id": "22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30",
+  "Warning": ""
+}
+```
+
+**Status codes**:
+
+- **201** - no error
+- **403** - operation not supported for pre-defined networks
+- **404** - plugin not found
+- **500** - server error
+
+**JSON parameters**:
+
+- **Name** - The new network's name. this is a mandatory field
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`.
+    Since Network is primarily keyed based on a random ID and not on the name, 
+    and network name is strictly a user-friendly alias to the network 
+    which is uniquely identified using ID, there is no guaranteed way to check for duplicates. 
+    This parameter CheckDuplicate is there to provide a best effort checking of any networks 
+    which has the same name but it is not guaranteed to catch all name collisions.
+- **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
+- **Internal** - Restrict external access to the network
+- **IPAM** - Optional custom IP scheme for the network
+  - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+  - **Config** - List of IPAM configuration options, specified as a map:
+      `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+  - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
+- **EnableIPv6** - Enable IPv6 on the network
+- **Options** - Network specific options to be used by the drivers
+- **Labels** - Labels to set on the network, specified as a map: `{"key":"value" [,"key2":"value2"]}`
+
+#### Connect a container to a network
+
+`POST /networks/(id or name)/connect`
+
+Connect a container to a network
+
+**Example request**:
+
+```
+POST /v1.24/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30/connect HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Container":"3613f73ba0e4",
+  "EndpointConfig": {
+    "IPAMConfig": {
+        "IPv4Address":"172.24.56.89",
+        "IPv6Address":"2001:db8::5689"
+    }
+  }
+}
+```
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** - no error
+- **403** - operation not supported for swarm scoped networks
+- **404** - network or container is not found
+- **500** - Internal Server Error
+
+**JSON parameters**:
+
+- **container** - container-id/name to be connected to the network
+
+#### Disconnect a container from a network
+
+`POST /networks/(id or name)/disconnect`
+
+Disconnect a container from a network
+
+**Example request**:
+
+```
+POST /v1.24/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30/disconnect HTTP/1.1
+Content-Type: application/json
+Content-Length: 12345
+
+{
+  "Container":"3613f73ba0e4",
+  "Force":false
+}
+```
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+
+**Status codes**:
+
+- **200** - no error
+- **403** - operation not supported for swarm scoped networks
+- **404** - network or container not found
+- **500** - Internal Server Error
+
+**JSON parameters**:
+
+- **Container** - container-id/name to be disconnected from a network
+- **Force** - Force the container to disconnect from a network
+
+#### Remove a network
+
+`DELETE /networks/(id or name)`
+
+Instruct the driver to remove the network (`id`).
+
+**Example request**:
+
+    DELETE /v1.24/networks/22be93d5babb089c5aab8dbc369042fad48ff791584ca2da2100db837a1c7c30 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 204 No Content
+
+**Status codes**:
+
+-   **204** - no error
+-   **403** - operation not supported for pre-defined networks
+-   **404** - no such network
+-   **500** - server error
+
+### 3.6 Plugins (experimental)
+
+#### List plugins
+
+`GET /plugins`
+
+Returns information about installed plugins.
+
+**Example request**:
+
+    GET /v1.24/plugins HTTP/1.1
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+[
+  {
+    "Id": "5724e2c8652da337ab2eedd19fc6fc0ec908e4bd907c7421bf6a8dfc70c4c078",
+    "Name": "tiborvass/no-remove",
+    "Tag": "latest",
+    "Active": true,
+    "Config": {
+      "Mounts": [
+        {
+          "Name": "",
+          "Description": "",
+          "Settable": null,
+          "Source": "/data",
+          "Destination": "/data",
+          "Type": "bind",
+          "Options": [
+            "shared",
+            "rbind"
+          ]
+        },
+        {
+          "Name": "",
+          "Description": "",
+          "Settable": null,
+          "Source": null,
+          "Destination": "/foobar",
+          "Type": "tmpfs",
+          "Options": null
+        }
+      ],
+      "Env": [
+        "DEBUG=1"
+      ],
+      "Args": null,
+      "Devices": null
+    },
+    "Manifest": {
+      "ManifestVersion": "v0",
+      "Description": "A test plugin for Docker",
+      "Documentation": "https://docs.docker.com/engine/extend/plugins/",
+      "Interface": {
+        "Types": [
+          "docker.volumedriver/1.0"
+        ],
+        "Socket": "plugins.sock"
+      },
+      "Entrypoint": [
+        "plugin-no-remove",
+        "/data"
+      ],
+      "Workdir": "",
+      "User": {
+      },
+      "Network": {
+        "Type": "host"
+      },
+      "Capabilities": null,
+      "Mounts": [
+        {
+          "Name": "",
+          "Description": "",
+          "Settable": null,
+          "Source": "/data",
+          "Destination": "/data",
+          "Type": "bind",
+          "Options": [
+            "shared",
+            "rbind"
+          ]
+        },
+        {
+          "Name": "",
+          "Description": "",
+          "Settable": null,
+          "Source": null,
+          "Destination": "/foobar",
+          "Type": "tmpfs",
+          "Options": null
+        }
+      ],
+      "Devices": [
+        {
+          "Name": "device",
+          "Description": "a host device to mount",
+          "Settable": null,
+          "Path": "/dev/cpu_dma_latency"
+        }
+      ],
+      "Env": [
+        {
+          "Name": "DEBUG",
+          "Description": "If set, prints debug messages",
+          "Settable": null,
+          "Value": "1"
+        }
+      ],
+      "Args": {
+        "Name": "args",
+        "Description": "command line arguments",
+        "Settable": null,
+        "Value": [
+
+        ]
+      }
+    }
+  }
+]
+```
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - server error
+
+#### Install a plugin
+
+`POST /plugins/pull?name=<plugin name>`
+
+Pulls and installs a plugin. After the plugin is installed, it can be enabled
+using the [`POST /plugins/(plugin name)/enable` endpoint](#enable-a-plugin).
+
+**Example request**:
+
+```
+POST /v1.24/plugins/pull?name=tiborvass/no-remove:latest HTTP/1.1
+```
+
+The `:latest` tag is optional, and is used as default if omitted. When using
+this endpoint to pull a plugin from the registry, the `X-Registry-Auth` header
+can be used to include a base64-encoded AuthConfig object. Refer to the [create
+an image](#create-an-image) section for more details.
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+Content-Length: 175
+
+[
+  {
+    "Name": "network",
+    "Description": "",
+    "Value": [
+      "host"
+    ]
+  },
+  {
+    "Name": "mount",
+    "Description": "",
+    "Value": [
+      "/data"
+    ]
+  },
+  {
+    "Name": "device",
+    "Description": "",
+    "Value": [
+      "/dev/cpu_dma_latency"
+    ]
+  }
+]
+```
+
+**Query parameters**:
+
+- **name** -  Name of the plugin to pull. The name may include a tag or digest.
+    This parameter is required.
+
+**Status codes**:
+
+-   **200** - no error
+-   **500** - error parsing reference / not a valid repository/tag: repository
+      name must have at least one component
+-   **500** - plugin already exists
+
+#### Inspect a plugin
+
+`GET /plugins/(plugin name)`
+
+Returns detailed information about an installed plugin.
+
+**Example request**:
+
+```
+GET /v1.24/plugins/tiborvass/no-remove:latest HTTP/1.1
+```
+
+The `:latest` tag is optional, and is used as default if omitted.
+
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "Id": "5724e2c8652da337ab2eedd19fc6fc0ec908e4bd907c7421bf6a8dfc70c4c078",
+  "Name": "tiborvass/no-remove",
+  "Tag": "latest",
+  "Active": false,
+  "Config": {
+    "Mounts": [
+      {
+        "Name": "",
+        "Description": "",
+        "Settable": null,
+        "Source": "/data",
+        "Destination": "/data",
+        "Type": "bind",
+        "Options": [
+          "shared",
+          "rbind"
+        ]
+      },
+      {
+        "Name": "",
+        "Description": "",
+        "Settable": null,
+        "Source": null,
+        "Destination": "/foobar",
+        "Type": "tmpfs",
+        "Options": null
+      }
+    ],
+    "Env": [
+      "DEBUG=1"
+    ],
+    "Args": null,
+    "Devices": null
+  },
+  "Manifest": {
+    "ManifestVersion": "v0",
+    "Description": "A test plugin for Docker",
+    "Documentation": "https://docs.docker.com/engine/extend/plugins/",
+    "Interface": {
+      "Types": [
+        "docker.volumedriver/1.0"
+      ],
+      "Socket": "plugins.sock"
+    },
+    "Entrypoint": [
+      "plugin-no-remove",
+      "/data"
+    ],
+    "Workdir": "",
+    "User": {
+    },
+    "Network": {
+      "Type": "host"
+    },
+    "Capabilities": null,
+    "Mounts": [
+      {
+        "Name": "",
+        "Description": "",
+        "Settable": null,
+        "Source": "/data",
+        "Destination": "/data",
+        "Type": "bind",
+        "Options": [
+          "shared",
+          "rbind"
+        ]
+      },
+      {
+        "Name": "",
+        "Description": "",
+        "Settable": null,
+        "Source": null,
+        "Destination": "/foobar",
+        "Type": "tmpfs",
+        "Options": null
+      }
+    ],
+    "Devices": [
+      {
+        "Name": "device",
+        "Description": "a host device to mount",
+        "Settable": null,
+        "Path": "/dev/cpu_dma_latency"
+      }
+    ],
+    "Env": [
+      {
+        "Name": "DEBUG",
+        "Description": "If set, prints debug messages",
+        "Settable": null,
+        "Value": "1"
+      }
+    ],
+    "Args": {
+      "Name": "args",
+      "Description": "command line arguments",
+      "Settable": null,
+      "Value": [
+
+      ]
+    }
+  }
+}
+```
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - plugin not installed
+
+#### Enable a plugin
+
+`POST /plugins/(plugin name)/enable`
+
+Enables a plugin
+
+**Example request**:
+
+```
+POST /v1.24/plugins/tiborvass/no-remove:latest/enable HTTP/1.1
+```
+
+The `:latest` tag is optional, and is used as default if omitted.
+
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Length: 0
+Content-Type: text/plain; charset=utf-8
+```
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - plugin not installed
+-   **500** - plugin is already enabled
+
+#### Disable a plugin
+
+`POST /plugins/(plugin name)/disable`
+
+Disables a plugin
+
+**Example request**:
+
+```
+POST /v1.24/plugins/tiborvass/no-remove:latest/disable HTTP/1.1
+```
+
+The `:latest` tag is optional, and is used as default if omitted.
+
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Length: 0
+Content-Type: text/plain; charset=utf-8
+```
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - plugin not installed
+-   **500** - plugin is already disabled
+
+#### Remove a plugin
+
+`DELETE /plugins/(plugin name)`
+
+Removes a plugin
+
+**Example request**:
+
+```
+DELETE /v1.24/plugins/tiborvass/no-remove:latest HTTP/1.1
+```
+
+The `:latest` tag is optional, and is used as default if omitted.
+
+**Example response**:
+
+```
+HTTP/1.1 200 OK
+Content-Length: 0
+Content-Type: text/plain; charset=utf-8
+```
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - plugin not installed
+-   **500** - plugin is active
+
+<!-- TODO Document "docker plugin push" endpoint once we have "plugin build"
+
+#### Push a plugin
+
+`POST /v1.24/plugins/tiborvass/(plugin name)/push HTTP/1.1`
+
+Pushes a plugin to the registry.
+
+**Example request**:
+
+```
+POST /v1.24/plugins/tiborvass/no-remove:latest HTTP/1.1
+```
+
+The `:latest` tag is optional, and is used as default if omitted. When using
+this endpoint to push a plugin to the registry, the `X-Registry-Auth` header
+can be used to include a base64-encoded AuthConfig object. Refer to the [create
+an image](#create-an-image) section for more details.
+
+**Example response**:
+
+**Status codes**:
+
+-   **200** - no error
+-   **404** - plugin not installed
+
+-->
+
+### 3.7 Nodes
+
+**Note**: Node operations require the engine to be part of a swarm.
+
+#### List nodes
+
+
+`GET /nodes`
+
+List nodes
+
+**Example request**:
+
+    GET /v1.24/nodes HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+        "ID": "24ifsmvkjbyhk",
+        "Version": {
+          "Index": 8
+        },
+        "CreatedAt": "2016-06-07T20:31:11.853781916Z",
+        "UpdatedAt": "2016-06-07T20:31:11.999868824Z",
+        "Spec": {
+          "Name": "my-node",
+          "Role": "manager",
+          "Availability": "active"
+          "Labels": {
+              "foo": "bar"
+          }
+        },
+        "Description": {
+          "Hostname": "bf3067039e47",
+          "Platform": {
+            "Architecture": "x86_64",
+            "OS": "linux"
+          },
+          "Resources": {
+            "NanoCPUs": 4000000000,
+            "MemoryBytes": 8272408576
+          },
+          "Engine": {
+            "EngineVersion": "1.12.0",
+            "Labels": {
+                "foo": "bar",
+            }
+            "Plugins": [
+              {
+                "Type": "Volume",
+                "Name": "local"
+              },
+              {
+                "Type": "Network",
+                "Name": "bridge"
+              }
+              {
+                "Type": "Network",
+                "Name": "null"
+              }
+              {
+                "Type": "Network",
+                "Name": "overlay"
+              }
+            ]
+          }
+        },
+        "Status": {
+          "State": "ready"
+        },
+        "ManagerStatus": {
+          "Leader": true,
+          "Reachability": "reachable",
+          "Addr": "172.17.0.2:2377""
+        }
+      }
+    ]
+
+**Query parameters**:
+
+- **filters** – a JSON encoded value of the filters (a `map[string][]string`) to process on the
+  nodes list. Available filters:
+  - `id=<node id>`
+  - `label=<engine label>`
+  - `membership=`(`accepted`|`pending`)`
+  - `name=<node name>`
+  - `role=`(`manager`|`worker`)`
+
+**Status codes**:
+
+-   **200** – no error
+-   **406** - node is not part of a swarm
+-   **500** – server error
+
+#### Inspect a node
+
+
+`GET /nodes/(id or name)`
+
+Return low-level information on the node `id`
+
+**Example request**:
+
+      GET /v1.24/nodes/24ifsmvkjbyhk HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "ID": "24ifsmvkjbyhk",
+      "Version": {
+        "Index": 8
+      },
+      "CreatedAt": "2016-06-07T20:31:11.853781916Z",
+      "UpdatedAt": "2016-06-07T20:31:11.999868824Z",
+      "Spec": {
+        "Name": "my-node",
+        "Role": "manager",
+        "Availability": "active"
+        "Labels": {
+            "foo": "bar"
+        }
+      },
+      "Description": {
+        "Hostname": "bf3067039e47",
+        "Platform": {
+          "Architecture": "x86_64",
+          "OS": "linux"
+        },
+        "Resources": {
+          "NanoCPUs": 4000000000,
+          "MemoryBytes": 8272408576
+        },
+        "Engine": {
+          "EngineVersion": "1.12.0",
+          "Labels": {
+              "foo": "bar",
+          }
+          "Plugins": [
+            {
+              "Type": "Volume",
+              "Name": "local"
+            },
+            {
+              "Type": "Network",
+              "Name": "bridge"
+            }
+            {
+              "Type": "Network",
+              "Name": "null"
+            }
+            {
+              "Type": "Network",
+              "Name": "overlay"
+            }
+          ]
+        }
+      },
+      "Status": {
+        "State": "ready"
+      },
+      "ManagerStatus": {
+        "Leader": true,
+        "Reachability": "reachable",
+        "Addr": "172.17.0.2:2377""
+      }
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such node
+-   **406** – node is not part of a swarm
+-   **500** – server error
+
+#### Remove a node
+
+
+`DELETE /nodes/(id or name)`
+
+Remove a node from the swarm.
+
+**Example request**:
+
+    DELETE /v1.24/nodes/24ifsmvkjbyhk HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Length: 0
+    Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+-   **force** - 1/True/true or 0/False/false, Force remove a node from the swarm.
+        Default `false`.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such node
+-   **406** – node is not part of a swarm
+-   **500** – server error
+
+#### Update a node
+
+
+`POST /nodes/(id)/update`
+
+Update a node.
+
+The payload of the `POST` request is the new `NodeSpec` and
+overrides the current `NodeSpec` for the specified node.
+
+If `Availability` or `Role` are omitted, this returns an
+error. Any other field omitted resets the current value to either
+an empty value or the default cluster-wide value.
+
+**Example Request**
+
+    POST /v1.24/nodes/24ifsmvkjbyhk/update?version=8 HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "Availability": "active",
+      "Name": "node-name",
+      "Role": "manager",
+      "Labels": {
+        "foo": "bar"
+      }
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Length: 0
+    Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+- **version** – The version number of the node object being updated. This is
+  required to avoid conflicting writes.
+
+JSON Parameters:
+
+- **Annotations** – Optional medata to associate with the node.
+    - **Name** – User-defined name for the node.
+    - **Labels** – A map of labels to associate with the node (e.g.,
+      `{"key":"value", "key2":"value2"}`).
+- **Role** - Role of the node (worker|manager).
+- **Availability** - Availability of the node (active|pause|drain).
+
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such node
+-   **406** – node is not part of a swarm
+-   **500** – server error
+
+### 3.8 Swarm
+
+#### Inspect swarm
+
+
+`GET /swarm`
+
+Inspect swarm
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+      "CreatedAt" : "2016-08-15T16:00:20.349727406Z",
+      "Spec" : {
+        "Dispatcher" : {
+          "HeartbeatPeriod" : 5000000000
+        },
+        "Orchestration" : {
+         "TaskHistoryRetentionLimit" : 10
+        },
+        "CAConfig" : {
+          "NodeCertExpiry" : 7776000000000000
+        },
+        "Raft" : {
+          "LogEntriesForSlowFollowers" : 500,
+          "HeartbeatTick" : 1,
+          "SnapshotInterval" : 10000,
+          "ElectionTick" : 3
+        },
+        "TaskDefaults" : {},
+        "Name" : "default"
+      },
+     "JoinTokens" : {
+        "Worker" : "SWMTKN-1-1h8aps2yszaiqmz2l3oc5392pgk8e49qhx2aj3nyv0ui0hez2a-6qmn92w6bu3jdvnglku58u11a",
+        "Manager" : "SWMTKN-1-1h8aps2yszaiqmz2l3oc5392pgk8e49qhx2aj3nyv0ui0hez2a-8llk83c4wm9lwioey2s316r9l"
+     },
+     "ID" : "70ilmkj2f6sp2137c753w2nmt",
+     "UpdatedAt" : "2016-08-15T16:32:09.623207604Z",
+     "Version" : {
+       "Index" : 51
+    }
+  }
+
+**Status codes**:
+
+-   **200** - no error
+-   **406** – node is not part of a swarm
+-   **500** - sever error
+
+#### Initialize a new swarm
+
+
+`POST /swarm/init`
+
+Initialize a new swarm. The body of the HTTP response includes the node ID.
+
+**Example request**:
+
+    POST /v1.24/swarm/init HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "ListenAddr": "0.0.0.0:2377",
+      "AdvertiseAddr": "192.168.1.1:2377",
+      "ForceNewCluster": false,
+      "Spec": {
+        "Orchestration": {},
+        "Raft": {},
+        "Dispatcher": {},
+        "CAConfig": {}
+      }
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Length: 28
+    Content-Type: application/json
+    Date: Thu, 01 Sep 2016 21:49:13 GMT
+    Server: Docker/1.12.0 (linux)
+
+    "7v2t30z9blmxuhnyo6s4cpenp"
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **406** – node is already part of a swarm
+-   **500** - server error
+
+JSON Parameters:
+
+- **ListenAddr** – Listen address used for inter-manager communication, as well as determining
+  the networking interface used for the VXLAN Tunnel Endpoint (VTEP). This can either be an
+  address/port combination in the form `192.168.1.1:4567`, or an interface followed by a port
+  number, like `eth0:4567`. If the port number is omitted, the default swarm listening port is
+  used.
+- **AdvertiseAddr** – Externally reachable address advertised to other nodes. This can either be
+  an address/port combination in the form `192.168.1.1:4567`, or an interface followed by a port
+  number, like `eth0:4567`. If the port number is omitted, the port number from the listen
+  address is used. If `AdvertiseAddr` is not specified, it will be automatically detected when
+  possible.
+- **ForceNewCluster** – Force creation of a new swarm.
+- **Spec** – Configuration settings for the new swarm.
+    - **Orchestration** – Configuration settings for the orchestration aspects of the swarm.
+        - **TaskHistoryRetentionLimit** – Maximum number of tasks history stored.
+    - **Raft** – Raft related configuration.
+        - **SnapshotInterval** – Number of logs entries between snapshot.
+        - **KeepOldSnapshots** – Number of snapshots to keep beyond the current snapshot.
+        - **LogEntriesForSlowFollowers** – Number of log entries to keep around to sync up slow
+          followers after a snapshot is created.
+        - **HeartbeatTick** – Amount of ticks (in seconds) between each heartbeat.
+        - **ElectionTick** – Amount of ticks (in seconds) needed without a leader to trigger a new
+          election.
+    - **Dispatcher** – Configuration settings for the task dispatcher.
+        - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.
+    - **CAConfig** – Certificate authority configuration.
+        - **NodeCertExpiry** – Automatic expiry for nodes certificates.
+        - **ExternalCA** - Configuration for forwarding signing requests to an external
+          certificate authority.
+            - **Protocol** - Protocol for communication with the external CA
+              (currently only "cfssl" is supported).
+            - **URL** - URL where certificate signing requests should be sent.
+            - **Options** - An object with key/value pairs that are interpreted
+              as protocol-specific options for the external CA driver.
+
+#### Join an existing swarm
+
+`POST /swarm/join`
+
+Join an existing swarm
+
+**Example request**:
+
+    POST /v1.24/swarm/join HTTP/1.1
+    Content-Type: application/json
+
+    {
+      "ListenAddr": "0.0.0.0:2377",
+      "AdvertiseAddr": "192.168.1.1:2377",
+      "RemoteAddrs": ["node1:2377"],
+      "JoinToken": "SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2"
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Length: 0
+    Content-Type: text/plain; charset=utf-8
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **406** – node is already part of a swarm
+-   **500** - server error
+
+JSON Parameters:
+
+- **ListenAddr** – Listen address used for inter-manager communication if the node gets promoted to
+  manager, as well as determining the networking interface used for the VXLAN Tunnel Endpoint (VTEP).
+- **AdvertiseAddr** – Externally reachable address advertised to other nodes. This can either be
+  an address/port combination in the form `192.168.1.1:4567`, or an interface followed by a port
+  number, like `eth0:4567`. If the port number is omitted, the port number from the listen
+  address is used. If `AdvertiseAddr` is not specified, it will be automatically detected when
+  possible.
+- **RemoteAddr** – Address of any manager node already participating in the swarm.
+- **JoinToken** – Secret token for joining this swarm.
+
+#### Leave a swarm
+
+
+`POST /swarm/leave`
+
+Leave a swarm
+
+**Example request**:
+
+    POST /v1.24/swarm/leave HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Length: 0
+    Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+- **force** - Boolean (0/1, false/true). Force leave swarm, even if this is the last manager or that it will break the cluster.
+
+**Status codes**:
+
+-  **200** – no error
+-  **406** – node is not part of a swarm
+-  **500** - server error
+
+#### Update a swarm
+
+
+`POST /swarm/update`
+
+Update a swarm
+
+**Example request**:
+
+    POST /v1.24/swarm/update HTTP/1.1
+    Content-Length: 12345
+
+    {
+      "Name": "default",
+      "Orchestration": {
+        "TaskHistoryRetentionLimit": 10
+      },
+      "Raft": {
+        "SnapshotInterval": 10000,
+        "LogEntriesForSlowFollowers": 500,
+        "HeartbeatTick": 1,
+        "ElectionTick": 3
+      },
+      "Dispatcher": {
+        "HeartbeatPeriod": 5000000000
+      },
+      "CAConfig": {
+        "NodeCertExpiry": 7776000000000000
+      },
+      "JoinTokens": {
+        "Worker": "SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx",
+        "Manager": "SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2"
+      }
+    }
+
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Length: 0
+    Content-Type: text/plain; charset=utf-8
+
+**Query parameters**:
+
+- **version** – The version number of the swarm object being updated. This is
+  required to avoid conflicting writes.
+- **rotateWorkerToken** - Set to `true` (or `1`) to rotate the worker join token.
+- **rotateManagerToken** - Set to `true` (or `1`) to rotate the manager join token.
+
+**Status codes**:
+
+-   **200** – no error
+-   **400** – bad parameter
+-   **406** – node is not part of a swarm
+-   **500** - server error
+
+JSON Parameters:
+
+- **Orchestration** – Configuration settings for the orchestration aspects of the swarm.
+    - **TaskHistoryRetentionLimit** – Maximum number of tasks history stored.
+- **Raft** – Raft related configuration.
+    - **SnapshotInterval** – Number of logs entries between snapshot.
+    - **KeepOldSnapshots** – Number of snapshots to keep beyond the current snapshot.
+    - **LogEntriesForSlowFollowers** – Number of log entries to keep around to sync up slow
+      followers after a snapshot is created.
+    - **HeartbeatTick** – Amount of ticks (in seconds) between each heartbeat.
+    - **ElectionTick** – Amount of ticks (in seconds) needed without a leader to trigger a new
+      election.
+- **Dispatcher** – Configuration settings for the task dispatcher.
+    - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.
+- **CAConfig** – CA configuration.
+    - **NodeCertExpiry** – Automatic expiry for nodes certificates.
+    - **ExternalCA** - Configuration for forwarding signing requests to an external
+      certificate authority.
+        - **Protocol** - Protocol for communication with the external CA
+          (currently only "cfssl" is supported).
+        - **URL** - URL where certificate signing requests should be sent.
+        - **Options** - An object with key/value pairs that are interpreted
+          as protocol-specific options for the external CA driver.
+- **JoinTokens** - Tokens that can be used by other nodes to join the swarm.
+    - **Worker** - Token to use for joining as a worker.
+    - **Manager** - Token to use for joining as a manager.
+
+### 3.9 Services
+
+**Note**: Service operations require to first be part of a swarm.
+
+#### List services
+
+
+`GET /services`
+
+List services
+
+**Example request**:
+
+    GET /v1.24/services HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    [
+      {
+        "ID": "9mnpnzenvg8p8tdbtq4wvbkcz",
+        "Version": {
+          "Index": 19
+        },
+        "CreatedAt": "2016-06-07T21:05:51.880065305Z",
+        "UpdatedAt": "2016-06-07T21:07:29.962229872Z",
+        "Spec": {
+          "Name": "hopeful_cori",
+          "TaskTemplate": {
+            "ContainerSpec": {
+              "Image": "redis"
+            },
+            "Resources": {
+              "Limits": {},
+              "Reservations": {}
+            },
+            "RestartPolicy": {
+              "Condition": "any",
+              "MaxAttempts": 0
+            },
+            "Placement": {
+              "Constraints": [
+                "node.role == worker"
+              ]
+            }
+          },
+          "Mode": {
+            "Replicated": {
+              "Replicas": 1
+            }
+          },
+          "UpdateConfig": {
+            "Parallelism": 1,
+            "FailureAction": "pause"
+          },
+          "EndpointSpec": {
+            "Mode": "vip",
+            "Ports": [
+              {
+                "Protocol": "tcp",
+                "TargetPort": 6379,
+                "PublishedPort": 30001
+              }
+            ]
+          }
+        },
+        "Endpoint": {
+          "Spec": {
+            "Mode": "vip",
+            "Ports": [
+              {
+                "Protocol": "tcp",
+                "TargetPort": 6379,
+                "PublishedPort": 30001
+              }
+            ]
+          },
+          "Ports": [
+            {
+              "Protocol": "tcp",
+              "TargetPort": 6379,
+              "PublishedPort": 30001
+            }
+          ],
+          "VirtualIPs": [
+            {
+              "NetworkID": "4qvuz4ko70xaltuqbt8956gd1",
+              "Addr": "10.255.0.2/16"
+            },
+            {
+              "NetworkID": "4qvuz4ko70xaltuqbt8956gd1",
+              "Addr": "10.255.0.3/16"
+            }
+          ]
+        }
+      }
+    ]
+
+**Query parameters**:
+
+- **filters** – a JSON encoded value of the filters (a `map[string][]string`) to process on the
+  services list. Available filters:
+  - `id=<service id>`
+  - `label=<service label>`
+  - `name=<service name>`
+
+**Status codes**:
+
+-   **200** – no error
+-   **406** – node is not part of a swarm
+-   **500** – server error
+
+#### Create a service
+
+`POST /services/create`
+
+Create a service. When using this endpoint to create a service using a private
+repository from the registry, the `X-Registry-Auth` header must be used to
+include a base64-encoded AuthConfig object. Refer to the [create an
+image](#create-an-image) section for more details.
+
+**Example request**:
+
+    POST /v1.24/services/create HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "Name": "web",
+      "TaskTemplate": {
+        "ContainerSpec": {
+          "Image": "nginx:alpine",
+          "Mounts": [
+            {
+              "ReadOnly": true,
+              "Source": "web-data",
+              "Target": "/usr/share/nginx/html",
+              "Type": "volume",
+              "VolumeOptions": {
+                "DriverConfig": {
+                },
+                "Labels": {
+                  "com.example.something": "something-value"
+                }
+              }
+            }
+          ],
+          "User": "33"
+        },
+        "Networks": [
+            {
+              "Target": "overlay1"
+            }
+        ],
+        "LogDriver": {
+          "Name": "json-file",
+          "Options": {
+            "max-file": "3",
+            "max-size": "10M"
+          }
+        },
+        "Placement": {
+          "Constraints": [
+            "node.role == worker"
+          ]
+        },
+        "Resources": {
+          "Limits": {
+            "MemoryBytes": 104857600
+          },
+          "Reservations": {
+          }
+        },
+        "RestartPolicy": {
+          "Condition": "on-failure",
+          "Delay": 10000000000,
+          "MaxAttempts": 10
+        }
+      },
+      "Mode": {
+        "Replicated": {
+          "Replicas": 4
+        }
+      },
+      "UpdateConfig": {
+        "Delay": 30000000000,
+        "Parallelism": 2,
+        "FailureAction": "pause"
+      },
+      "EndpointSpec": {
+        "Ports": [
+          {
+            "Protocol": "tcp",
+            "PublishedPort": 8080,
+            "TargetPort": 80
+          }
+        ]
+      },
+      "Labels": {
+        "foo": "bar"
+      }
+    }
+
+**Example response**:
+
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+
+    {
+      "ID":"ak7w3gjqoa3kuz8xcpnyy0pvl"
+    }
+
+**Status codes**:
+
+-   **201** – no error
+-   **403** - network is not eligible for services
+-   **406** – node is not part of a swarm
+-   **409** – name conflicts with an existing object
+-   **500** - server error
+
+**JSON Parameters**:
+
+- **Name** – User-defined name for the service.
+- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value", "key2":"value2"}`).
+- **TaskTemplate** – Specification of the tasks to start as part of the new service.
+    - **ContainerSpec** - Container settings for containers started as part of this task.
+        - **Image** – A string specifying the image name to use for the container.
+        - **Command** – The command to be run in the image.
+        - **Args** – Arguments to the command.
+        - **Env** – A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`.
+        - **Dir** – A string specifying the working directory for commands to run in.
+        - **User** – A string value specifying the user inside the container.
+        - **Labels** – A map of labels to associate with the service (e.g.,
+          `{"key":"value", "key2":"value2"}`).
+        - **Mounts** – Specification for mounts to be added to containers
+          created as part of the service.
+            - **Target** – Container path.
+            - **Source** – Mount source (e.g. a volume name, a host path).
+            - **Type** – The mount type (`bind`, or `volume`).
+            - **ReadOnly** – A boolean indicating whether the mount should be read-only.
+            - **BindOptions** - Optional configuration for the `bind` type.
+              - **Propagation** – A propagation mode with the value `[r]private`, `[r]shared`, or `[r]slave`.
+            - **VolumeOptions** – Optional configuration for the `volume` type.
+                - **NoCopy** – A boolean indicating if volume should be
+                  populated with the data from the target. (Default false)
+                - **Labels** – User-defined name and labels for the volume.
+                - **DriverConfig** – Map of driver-specific options.
+                  - **Name** - Name of the driver to use to create the volume.
+                  - **Options** - key/value map of driver specific options.
+        - **StopGracePeriod** – Amount of time to wait for the container to terminate before
+          forcefully killing it.
+    - **LogDriver** - Log configuration for containers created as part of the
+      service.
+        - **Name** - Name of the logging driver to use (`json-file`, `syslog`,
+          `journald`, `gelf`, `fluentd`, `awslogs`, `splunk`, `etwlogs`, `none`).
+        - **Options** - Driver-specific options.
+    - **Resources** – Resource requirements which apply to each individual container created as part
+      of the service.
+        - **Limits** – Define resources limits.
+            - **NanoCPUs** – CPU limit in units of 10<sup>-9</sup> CPU shares.
+            - **MemoryBytes** – Memory limit in Bytes.
+        - **Reservation** – Define resources reservation.
+            - **NanoCPUs** – CPU reservation in units of 10<sup>-9</sup> CPU shares.
+            - **MemoryBytes** – Memory reservation in Bytes.
+    - **RestartPolicy** – Specification for the restart policy which applies to containers created
+      as part of this service.
+        - **Condition** – Condition for restart (`none`, `on-failure`, or `any`).
+        - **Delay** – Delay between restart attempts.
+        - **MaxAttempts** – Maximum attempts to restart a given container before giving up (default value
+          is 0, which is ignored).
+        - **Window** – Windows is the time window used to evaluate the restart policy (default value is
+          0, which is unbounded).
+    - **Placement** – Restrictions on where a service can run.
+        - **Constraints** – An array of constraints, e.g. `[ "node.role == manager" ]`.
+- **Mode** – Scheduling mode for the service (`replicated` or `global`, defaults to `replicated`).
+- **UpdateConfig** – Specification for the update strategy of the service.
+    - **Parallelism** – Maximum number of tasks to be updated in one iteration (0 means unlimited
+      parallelism).
+    - **Delay** – Amount of time between updates.
+    - **FailureAction** - Action to take if an updated task fails to run, or stops running during the
+      update. Values are `continue` and `pause`.
+- **Networks** – Array of network names or IDs to attach the service to.
+- **EndpointSpec** – Properties that can be configured to access and load balance a service.
+    - **Mode** – The mode of resolution to use for internal load balancing
+      between tasks (`vip` or `dnsrr`). Defaults to `vip` if not provided.
+    - **Ports** – List of exposed ports that this service is accessible on from
+      the outside, in the form of:
+      `{"Protocol": <"tcp"|"udp">, "PublishedPort": <port>, "TargetPort": <port>}`.
+      Ports can only be provided if `vip` resolution mode is used.
+
+**Request Headers**:
+
+- **Content-type** – Set to `"application/json"`.
+- **X-Registry-Auth** – base64-encoded AuthConfig object, containing either
+  login information, or a token. Refer to the [create an image](#create-an-image)
+  section for more details.
+
+
+#### Remove a service
+
+
+`DELETE /services/(id or name)`
+
+Stop and remove the service `id`
+
+**Example request**:
+
+    DELETE /v1.24/services/16253994b7c4 HTTP/1.1
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Length: 0
+    Content-Type: text/plain; charset=utf-8
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such service
+-   **406** - node is not part of a swarm
+-   **500** – server error
+
+#### Inspect one or more services
+
+
+`GET /services/(id or name)`
+
+Return information on the service `id`.
+
+**Example request**:
+
+    GET /v1.24/services/1cb4dnqcyx6m66g2t538x3rxha HTTP/1.1
+
+**Example response**:
+
+    {
+      "ID": "ak7w3gjqoa3kuz8xcpnyy0pvl",
+      "Version": {
+        "Index": 95
+      },
+      "CreatedAt": "2016-06-07T21:10:20.269723157Z",
+      "UpdatedAt": "2016-06-07T21:10:20.276301259Z",
+      "Spec": {
+        "Name": "redis",
+        "TaskTemplate": {
+          "ContainerSpec": {
+            "Image": "redis"
+          },
+          "Resources": {
+            "Limits": {},
+            "Reservations": {}
+          },
+          "RestartPolicy": {
+            "Condition": "any",
+            "MaxAttempts": 0
+          },
+          "Placement": {}
+        },
+        "Mode": {
+          "Replicated": {
+            "Replicas": 1
+          }
+        },
+        "UpdateConfig": {
+          "Parallelism": 1,
+          "FailureAction": "pause"
+        },
+        "EndpointSpec": {
+          "Mode": "vip",
+          "Ports": [
+            {
+              "Protocol": "tcp",
+              "TargetPort": 6379,
+              "PublishedPort": 30001
+            }
+          ]
+        }
+      },
+      "Endpoint": {
+        "Spec": {
+          "Mode": "vip",
+          "Ports": [
+            {
+              "Protocol": "tcp",
+              "TargetPort": 6379,
+              "PublishedPort": 30001
+            }
+          ]
+        },
+        "Ports": [
+          {
+            "Protocol": "tcp",
+            "TargetPort": 6379,
+            "PublishedPort": 30001
+          }
+        ],
+        "VirtualIPs": [
+          {
+            "NetworkID": "4qvuz4ko70xaltuqbt8956gd1",
+            "Addr": "10.255.0.4/16"
+          }
+        ]
+      }
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such service
+-   **406** - node is not part of a swarm
+-   **500** – server error
+
+#### Update a service
+
+`POST /services/(id)/update`
+
+Update a service. When using this endpoint to create a service using a
+private repository from the registry, the `X-Registry-Auth` header can be used
+to update the authentication information for that is stored for the service.
+The header contains a base64-encoded AuthConfig object. Refer to the [create an
+image](#create-an-image) section for more details.
+
+**Example request**:
+
+    POST /v1.24/services/1cb4dnqcyx6m66g2t538x3rxha/update?version=23 HTTP/1.1
+    Content-Type: application/json
+    Content-Length: 12345
+
+    {
+      "Name": "top",
+      "TaskTemplate": {
+        "ContainerSpec": {
+          "Image": "busybox",
+          "Args": [
+            "top"
+          ]
+        },
+        "Resources": {
+          "Limits": {},
+          "Reservations": {}
+        },
+        "RestartPolicy": {
+          "Condition": "any",
+          "MaxAttempts": 0
+        },
+        "Placement": {}
+      },
+      "Mode": {
+        "Replicated": {
+          "Replicas": 1
+        }
+      },
+      "UpdateConfig": {
+        "Parallelism": 1
+      },
+      "EndpointSpec": {
+        "Mode": "vip"
+      }
+    }
+
+**Example response**:
+
+    HTTP/1.1 200 OK
+    Content-Length: 0
+    Content-Type: text/plain; charset=utf-8
+
+**JSON Parameters**:
+
+- **Name** – User-defined name for the service. Note that renaming services is not supported.
+- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value", "key2":"value2"}`).
+- **TaskTemplate** – Specification of the tasks to start as part of the new service.
+    - **ContainerSpec** - Container settings for containers started as part of this task.
+        - **Image** – A string specifying the image name to use for the container.
+        - **Command** – The command to be run in the image.
+        - **Args** – Arguments to the command.
+        - **Env** – A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`.
+        - **Dir** – A string specifying the working directory for commands to run in.
+        - **User** – A string value specifying the user inside the container.
+        - **Labels** – A map of labels to associate with the service (e.g.,
+          `{"key":"value", "key2":"value2"}`).
+        - **Mounts** – Specification for mounts to be added to containers created as part of the new
+          service.
+            - **Target** – Container path.
+            - **Source** – Mount source (e.g. a volume name, a host path).
+            - **Type** – The mount type (`bind`, or `volume`).
+            - **ReadOnly** – A boolean indicating whether the mount should be read-only.
+            - **BindOptions** - Optional configuration for the `bind` type
+              - **Propagation** – A propagation mode with the value `[r]private`, `[r]shared`, or `[r]slave`.
+            - **VolumeOptions** – Optional configuration for the `volume` type.
+                - **NoCopy** – A boolean indicating if volume should be
+                  populated with the data from the target. (Default false)
+                - **Labels** – User-defined name and labels for the volume.
+                - **DriverConfig** – Map of driver-specific options.
+                  - **Name** - Name of the driver to use to create the volume
+                  - **Options** - key/value map of driver specific options
+        - **StopGracePeriod** – Amount of time to wait for the container to terminate before
+          forcefully killing it.
+    - **Resources** – Resource requirements which apply to each individual container created as part
+      of the service.
+        - **Limits** – Define resources limits.
+            - **CPU** – CPU limit
+            - **Memory** – Memory limit
+        - **Reservation** – Define resources reservation.
+            - **CPU** – CPU reservation
+            - **Memory** – Memory reservation
+    - **RestartPolicy** – Specification for the restart policy which applies to containers created
+      as part of this service.
+        - **Condition** – Condition for restart (`none`, `on-failure`, or `any`).
+        - **Delay** – Delay between restart attempts.
+        - **MaxAttempts** – Maximum attempts to restart a given container before giving up (default value
+          is 0, which is ignored).
+        - **Window** – Windows is the time window used to evaluate the restart policy (default value is
+          0, which is unbounded).
+    - **Placement** – Restrictions on where a service can run.
+        - **Constraints** – An array of constraints, e.g. `[ "node.role == manager" ]`.
+- **Mode** – Scheduling mode for the service (`replicated` or `global`, defaults to `replicated`).
+- **UpdateConfig** – Specification for the update strategy of the service.
+    - **Parallelism** – Maximum number of tasks to be updated in one iteration (0 means unlimited
+      parallelism).
+    - **Delay** – Amount of time between updates.
+- **Networks** – Array of network names or IDs to attach the service to.
+- **EndpointSpec** – Properties that can be configured to access and load balance a service.
+    - **Mode** – The mode of resolution to use for internal load balancing
+      between tasks (`vip` or `dnsrr`). Defaults to `vip` if not provided.
+    - **Ports** – List of exposed ports that this service is accessible on from
+      the outside, in the form of:
+      `{"Protocol": <"tcp"|"udp">, "PublishedPort": <port>, "TargetPort": <port>}`.
+      Ports can only be provided if `vip` resolution mode is used.
+
+**Query parameters**:
+
+- **version** – The version number of the service object being updated. This is
+  required to avoid conflicting writes.
+
+**Request Headers**:
+
+- **Content-type** – Set to `"application/json"`.
+- **X-Registry-Auth** – base64-encoded AuthConfig object, containing either
+  login information, or a token. Refer to the [create an image](#create-an-image)
+  section for more details.
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – no such service
+-   **406** - node is not part of a swarm
+-   **500** – server error
+
+### 3.10 Tasks
+
+**Note**: Task operations require the engine to be part of a swarm.
+
+#### List tasks
+
+
+`GET /tasks`
+
+List tasks
+
+**Example request**:
+
+    GET /v1.24/tasks HTTP/1.1
+
+**Example response**:
+
+    [
+      {
+        "ID": "0kzzo1i0y4jz6027t0k7aezc7",
+        "Version": {
+          "Index": 71
+        },
+        "CreatedAt": "2016-06-07T21:07:31.171892745Z",
+        "UpdatedAt": "2016-06-07T21:07:31.376370513Z",
+        "Spec": {
+          "ContainerSpec": {
+            "Image": "redis"
+          },
+          "Resources": {
+            "Limits": {},
+            "Reservations": {}
+          },
+          "RestartPolicy": {
+            "Condition": "any",
+            "MaxAttempts": 0
+          },
+          "Placement": {}
+        },
+        "ServiceID": "9mnpnzenvg8p8tdbtq4wvbkcz",
+        "Slot": 1,
+        "NodeID": "60gvrl6tm78dmak4yl7srz94v",
+        "Status": {
+          "Timestamp": "2016-06-07T21:07:31.290032978Z",
+          "State": "running",
+          "Message": "started",
+          "ContainerStatus": {
+            "ContainerID": "e5d62702a1b48d01c3e02ca1e0212a250801fa8d67caca0b6f35919ebc12f035",
+            "PID": 677
+          }
+        },
+        "DesiredState": "running",
+        "NetworksAttachments": [
+          {
+            "Network": {
+              "ID": "4qvuz4ko70xaltuqbt8956gd1",
+              "Version": {
+                "Index": 18
+              },
+              "CreatedAt": "2016-06-07T20:31:11.912919752Z",
+              "UpdatedAt": "2016-06-07T21:07:29.955277358Z",
+              "Spec": {
+                "Name": "ingress",
+                "Labels": {
+                  "com.docker.swarm.internal": "true"
+                },
+                "DriverConfiguration": {},
+                "IPAMOptions": {
+                  "Driver": {},
+                  "Configs": [
+                    {
+                      "Subnet": "10.255.0.0/16",
+                      "Gateway": "10.255.0.1"
+                    }
+                  ]
+                }
+              },
+              "DriverState": {
+                "Name": "overlay",
+                "Options": {
+                  "com.docker.network.driver.overlay.vxlanid_list": "256"
+                }
+              },
+              "IPAMOptions": {
+                "Driver": {
+                  "Name": "default"
+                },
+                "Configs": [
+                  {
+                    "Subnet": "10.255.0.0/16",
+                    "Gateway": "10.255.0.1"
+                  }
+                ]
+              }
+            },
+            "Addresses": [
+              "10.255.0.10/16"
+            ]
+          }
+        ],
+      },
+      {
+        "ID": "1yljwbmlr8er2waf8orvqpwms",
+        "Version": {
+          "Index": 30
+        },
+        "CreatedAt": "2016-06-07T21:07:30.019104782Z",
+        "UpdatedAt": "2016-06-07T21:07:30.231958098Z",
+        "Name": "hopeful_cori",
+        "Spec": {
+          "ContainerSpec": {
+            "Image": "redis"
+          },
+          "Resources": {
+            "Limits": {},
+            "Reservations": {}
+          },
+          "RestartPolicy": {
+            "Condition": "any",
+            "MaxAttempts": 0
+          },
+          "Placement": {}
+        },
+        "ServiceID": "9mnpnzenvg8p8tdbtq4wvbkcz",
+        "Slot": 1,
+        "NodeID": "60gvrl6tm78dmak4yl7srz94v",
+        "Status": {
+          "Timestamp": "2016-06-07T21:07:30.202183143Z",
+          "State": "shutdown",
+          "Message": "shutdown",
+          "ContainerStatus": {
+            "ContainerID": "1cf8d63d18e79668b0004a4be4c6ee58cddfad2dae29506d8781581d0688a213"
+          }
+        },
+        "DesiredState": "shutdown",
+        "NetworksAttachments": [
+          {
+            "Network": {
+              "ID": "4qvuz4ko70xaltuqbt8956gd1",
+              "Version": {
+                "Index": 18
+              },
+              "CreatedAt": "2016-06-07T20:31:11.912919752Z",
+              "UpdatedAt": "2016-06-07T21:07:29.955277358Z",
+              "Spec": {
+                "Name": "ingress",
+                "Labels": {
+                  "com.docker.swarm.internal": "true"
+                },
+                "DriverConfiguration": {},
+                "IPAMOptions": {
+                  "Driver": {},
+                  "Configs": [
+                    {
+                      "Subnet": "10.255.0.0/16",
+                      "Gateway": "10.255.0.1"
+                    }
+                  ]
+                }
+              },
+              "DriverState": {
+                "Name": "overlay",
+                "Options": {
+                  "com.docker.network.driver.overlay.vxlanid_list": "256"
+                }
+              },
+              "IPAMOptions": {
+                "Driver": {
+                  "Name": "default"
+                },
+                "Configs": [
+                  {
+                    "Subnet": "10.255.0.0/16",
+                    "Gateway": "10.255.0.1"
+                  }
+                ]
+              }
+            },
+            "Addresses": [
+              "10.255.0.5/16"
+            ]
+          }
+        ]
+      }
+    ]
+
+**Query parameters**:
+
+- **filters** – a JSON encoded value of the filters (a `map[string][]string`) to process on the
+  services list. Available filters:
+  - `id=<task id>`
+  - `name=<task name>`
+  - `service=<service name>`
+  - `node=<node id or name>`
+  - `label=key` or `label="key=value"`
+  - `desired-state=(running | shutdown | accepted)`
+
+**Status codes**:
+
+-   **200** – no error
+-   **406** - node is not part of a swarm
+-   **500** – server error
+
+#### Inspect a task
+
+
+`GET /tasks/(id)`
+
+Get details on the task `id`
+
+**Example request**:
+
+    GET /v1.24/tasks/0kzzo1i0y4jz6027t0k7aezc7 HTTP/1.1
+
+**Example response**:
+
+    {
+      "ID": "0kzzo1i0y4jz6027t0k7aezc7",
+      "Version": {
+        "Index": 71
+      },
+      "CreatedAt": "2016-06-07T21:07:31.171892745Z",
+      "UpdatedAt": "2016-06-07T21:07:31.376370513Z",
+      "Spec": {
+        "ContainerSpec": {
+          "Image": "redis"
+        },
+        "Resources": {
+          "Limits": {},
+          "Reservations": {}
+        },
+        "RestartPolicy": {
+          "Condition": "any",
+          "MaxAttempts": 0
+        },
+        "Placement": {}
+      },
+      "ServiceID": "9mnpnzenvg8p8tdbtq4wvbkcz",
+      "Slot": 1,
+      "NodeID": "60gvrl6tm78dmak4yl7srz94v",
+      "Status": {
+        "Timestamp": "2016-06-07T21:07:31.290032978Z",
+        "State": "running",
+        "Message": "started",
+        "ContainerStatus": {
+          "ContainerID": "e5d62702a1b48d01c3e02ca1e0212a250801fa8d67caca0b6f35919ebc12f035",
+          "PID": 677
+        }
+      },
+      "DesiredState": "running",
+      "NetworksAttachments": [
+        {
+          "Network": {
+            "ID": "4qvuz4ko70xaltuqbt8956gd1",
+            "Version": {
+              "Index": 18
+            },
+            "CreatedAt": "2016-06-07T20:31:11.912919752Z",
+            "UpdatedAt": "2016-06-07T21:07:29.955277358Z",
+            "Spec": {
+              "Name": "ingress",
+              "Labels": {
+                "com.docker.swarm.internal": "true"
+              },
+              "DriverConfiguration": {},
+              "IPAMOptions": {
+                "Driver": {},
+                "Configs": [
+                  {
+                    "Subnet": "10.255.0.0/16",
+                    "Gateway": "10.255.0.1"
+                  }
+                ]
+              }
+            },
+            "DriverState": {
+              "Name": "overlay",
+              "Options": {
+                "com.docker.network.driver.overlay.vxlanid_list": "256"
+              }
+            },
+            "IPAMOptions": {
+              "Driver": {
+                "Name": "default"
+              },
+              "Configs": [
+                {
+                  "Subnet": "10.255.0.0/16",
+                  "Gateway": "10.255.0.1"
+                }
+              ]
+            }
+          },
+          "Addresses": [
+            "10.255.0.10/16"
+          ]
+        }
+      ]
+    }
+
+**Status codes**:
+
+-   **200** – no error
+-   **404** – unknown task
+-   **406** - node is not part of a swarm
+-   **500** – server error
+
+## 4. Going further
+
+### 4.1 Inside `docker run`
+
+As an example, the `docker run` command line makes the following API calls:
+
+- Create the container
+
+- If the status code is 404, it means the image doesn't exist:
+    - Try to pull it.
+    - Then, retry to create the container.
+
+- Start the container.
+
+- If you are not in detached mode:
+- Attach to the container, using `logs=1` (to have `stdout` and
+      `stderr` from the container's start) and `stream=1`
+
+- If in detached mode or only `stdin` is attached, display the container's id.
+
+### 4.2 Hijacking
+
+In this version of the API, `/attach`, uses hijacking to transport `stdin`,
+`stdout`, and `stderr` on the same socket.
+
+To hint potential proxies about connection hijacking, Docker client sends
+connection upgrade headers similarly to websocket.
+
+    Upgrade: tcp
+    Connection: Upgrade
+
+When Docker daemon detects the `Upgrade` header, it switches its status code
+from **200 OK** to **101 UPGRADED** and resends the same headers.
+
+
+### 4.3 CORS Requests
+
+To set cross origin requests to the Engine API please give values to
+`--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
+default or blank means CORS disabled
+
+    $ dockerd -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
diff --git a/engine/docs/api/version-history.md b/engine/docs/api/version-history.md
new file mode 100644
index 00000000..749d9788
--- /dev/null
+++ b/engine/docs/api/version-history.md
@@ -0,0 +1,424 @@
+---
+title: "Engine API version history"
+description: "Documentation of changes that have been made to Engine API."
+keywords: "API, Docker, rcli, REST, documentation"
+---
+
+<!-- This file is maintained within the moby/moby GitHub
+     repository at https://github.com/moby/moby/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
+## V1.38 API changes
+
+[Docker Engine API v1.38](https://docs.docker.com/engine/api/v1.38/) documentation
+
+
+* `GET /tasks` and `GET /tasks/{id}` now return a `NetworkAttachmentSpec` field,
+  containing the `ContainerID` for non-service containers connected to "attachable"
+  swarm-scoped networks.
+
+## v1.37 API changes
+
+[Docker Engine API v1.37](https://docs.docker.com/engine/api/v1.37/) documentation
+
+* `POST /containers/create` and `POST /services/create` now supports exposing SCTP ports.
+* `POST /configs/create` and `POST /configs/{id}/create` now accept a `Templating` driver.
+* `GET /configs` and `GET /configs/{id}` now return the `Templating` driver of the config.
+* `POST /secrets/create` and `POST /secrets/{id}/create` now accept a `Templating` driver.
+* `GET /secrets` and `GET /secrets/{id}` now return the `Templating` driver of the secret.
+
+## v1.36 API changes
+
+[Docker Engine API v1.36](https://docs.docker.com/engine/api/v1.36/) documentation
+
+* `Get /events` now return `exec_die` event when an exec process terminates.  
+
+
+## v1.35 API changes
+
+[Docker Engine API v1.35](https://docs.docker.com/engine/api/v1.35/) documentation
+
+* `POST /services/create` and `POST /services/(id)/update` now accepts an
+  `Isolation` field on container spec to set the Isolation technology of the
+  containers running the service (`default`, `process`, or `hyperv`). This
+  configuration is only used for Windows containers.
+* `GET /containers/(name)/logs` now supports an additional query parameter: `until`,
+  which returns log lines that occurred before the specified timestamp.
+* `POST /containers/{id}/exec` now accepts a `WorkingDir` property to set the
+  work-dir for the exec process, independent of the container's work-dir.
+* `Get /version` now returns a `Platform.Name` field, which can be used by products
+  using Moby as a foundation to return information about the platform.
+* `Get /version` now returns a `Components` field, which can be used to return
+  information about the components used. Information about the engine itself is
+  now included as a "Component" version, and contains all information from the
+  top-level `Version`, `GitCommit`, `APIVersion`, `MinAPIVersion`, `GoVersion`,
+  `Os`, `Arch`, `BuildTime`, `KernelVersion`, and `Experimental` fields. Going
+  forward, the information from the `Components` section is preferred over their
+  top-level counterparts.
+
+
+## v1.34 API changes
+
+[Docker Engine API v1.34](https://docs.docker.com/engine/api/v1.34/) documentation
+
+* `POST /containers/(name)/wait?condition=removed` now also also returns
+  in case of container removal failure. A pointer to a structure named
+  `Error` added to the response JSON in order to indicate a failure.
+  If `Error` is `null`, container removal has succeeded, otherwise
+  the test of an error message indicating why container removal has failed
+  is available from `Error.Message` field.
+
+## v1.33 API changes
+
+[Docker Engine API v1.33](https://docs.docker.com/engine/api/v1.33/) documentation
+
+* `GET /events` now supports filtering 4 more kinds of events: `config`, `node`,
+`secret` and `service`.
+
+## v1.32 API changes
+
+[Docker Engine API v1.32](https://docs.docker.com/engine/api/v1.32/) documentation
+
+* `POST /containers/create` now accepts additional values for the
+  `HostConfig.IpcMode` property. New values are `private`, `shareable`,
+  and `none`.
+* `DELETE /networks/{id or name}` fixed issue where a `name` equal to another
+  network's name was able to mask that `id`. If both a network with the given
+  _name_ exists, and a network with the given _id_, the network with the given
+  _id_ is now deleted. This change is not versioned, and affects all API versions
+  if the daemon has this patch.
+
+## v1.31 API changes
+
+[Docker Engine API v1.31](https://docs.docker.com/engine/api/v1.31/) documentation
+
+* `DELETE /secrets/(name)` now returns status code 404 instead of 500 when the secret does not exist.
+* `POST /secrets/create` now returns status code 409 instead of 500 when creating an already existing secret.
+* `POST /secrets/create` now accepts a `Driver` struct, allowing the
+  `Name` and driver-specific `Options` to be passed to store a secrets
+  in an external secrets store. The `Driver` property can be omitted
+  if the default (internal) secrets store is used.
+* `GET /secrets/(id)` and `GET /secrets` now return a `Driver` struct,
+  containing the `Name` and driver-specific `Options` of the external
+  secrets store used to store the secret. The `Driver` property is
+  omitted if no external store is used.
+* `POST /secrets/(name)/update` now returns status code 400 instead of 500 when updating a secret's content which is not the labels.
+* `POST /nodes/(name)/update` now returns status code 400 instead of 500 when demoting last node fails.
+* `GET /networks/(id or name)` now takes an optional query parameter `scope` that will filter the network based on the scope (`local`, `swarm`, or `global`).
+* `POST /session` is a new endpoint that can be used for running interactive long-running protocols between client and
+  the daemon. This endpoint is experimental and only available if the daemon is started with experimental features
+  enabled.
+* `GET /images/(name)/get` now includes an `ImageMetadata` field which contains image metadata that is local to the engine and not part of the image config.
+* `POST /services/create` now accepts a `PluginSpec` when `TaskTemplate.Runtime` is set to `plugin`
+* `GET /events` now supports config events `create`, `update` and `remove` that are emitted when users create, update or remove a config
+* `GET /volumes/` and `GET /volumes/{name}` now return a `CreatedAt` field,
+  containing the date/time the volume was created. This field is omitted if the
+  creation date/time for the volume is unknown. For volumes with scope "global",
+  this field represents the creation date/time of the local _instance_ of the
+  volume, which may differ from instances of the same volume on different nodes.
+* `GET /system/df` now returns a `CreatedAt` field for `Volumes`. Refer to the
+  `/volumes/` endpoint for a description of this field.
+
+## v1.30 API changes
+
+[Docker Engine API v1.30](https://docs.docker.com/engine/api/v1.30/) documentation
+
+* `GET /info` now returns the list of supported logging drivers, including plugins.
+* `GET /info` and `GET /swarm` now returns the cluster-wide swarm CA info if the node is in a swarm: the cluster root CA certificate, and the cluster TLS
+ leaf certificate issuer's subject and public key. It also displays the desired CA signing certificate, if any was provided as part of the spec.
+* `POST /build/` now (when not silent) produces an `Aux` message in the JSON output stream with payload `types.BuildResult` for each image produced. The final such message will reference the image resulting from the build.
+* `GET /nodes` and `GET /nodes/{id}` now returns additional information about swarm TLS info if the node is part of a swarm: the trusted root CA, and the
+ issuer's subject and public key.
+* `GET /distribution/(name)/json` is a new endpoint that returns a JSON output stream with payload `types.DistributionInspect` for an image name. It includes a descriptor with the digest, and supported platforms retrieved from directly contacting the registry.
+* `POST /swarm/update` now accepts 3 additional parameters as part of the swarm spec's CA configuration; the desired CA certificate for
+ the swarm, the desired CA key for the swarm (if not using an external certificate), and an optional parameter to force swarm to
+ generate and rotate to a new CA certificate/key pair.
+* `POST /service/create` and `POST /services/(id or name)/update` now take the field `Platforms` as part of the service `Placement`, allowing to specify platforms supported by the service.
+* `POST /containers/(name)/wait` now accepts a `condition` query parameter to indicate which state change condition to wait for. Also, response headers are now returned immediately to acknowledge that the server has registered a wait callback for the client.
+* `POST /swarm/init` now accepts a `DataPathAddr` property to set the IP-address or network interface to use for data traffic
+* `POST /swarm/join` now accepts a `DataPathAddr` property to set the IP-address or network interface to use for data traffic
+* `GET /events` now supports service, node and secret events which are emitted when users create, update and remove service, node and secret
+* `GET /events` now supports network remove event which is emitted when users remove a swarm scoped network
+* `GET /events` now supports a filter type `scope` in which supported value could be swarm and local
+
+## v1.29 API changes
+
+[Docker Engine API v1.29](https://docs.docker.com/engine/api/v1.29/) documentation
+
+* `DELETE /networks/(name)` now allows to remove the ingress network, the one used to provide the routing-mesh.
+* `POST /networks/create` now supports creating the ingress network, by specifying an `Ingress` boolean field. As of now this is supported only when using the overlay network driver.
+* `GET /networks/(name)` now returns an `Ingress` field showing whether the network is the ingress one.
+* `GET /networks/` now supports a `scope` filter to filter networks based on the network mode (`swarm`, `global`, or `local`).
+* `POST /containers/create`, `POST /service/create` and `POST /services/(id or name)/update` now takes the field `StartPeriod` as a part of the `HealthConfig` allowing for specification of a period during which the container should not be considered unhealthy even if health checks do not pass.
+* `GET /services/(id)` now accepts an `insertDefaults` query-parameter to merge default values into the service inspect output.
+* `POST /containers/prune`, `POST /images/prune`, `POST /volumes/prune`, and `POST /networks/prune` now support a `label` filter to filter containers, images, volumes, or networks based on the label. The format of the label filter could be `label=<key>`/`label=<key>=<value>` to remove those with the specified labels, or `label!=<key>`/`label!=<key>=<value>` to remove those without the specified labels.
+* `POST /services/create` now accepts `Privileges` as part of `ContainerSpec`. Privileges currently include
+  `CredentialSpec` and `SELinuxContext`.
+
+## v1.28 API changes
+
+[Docker Engine API v1.28](https://docs.docker.com/engine/api/v1.28/) documentation
+
+* `POST /containers/create` now includes a `Consistency` field to specify the consistency level for each `Mount`, with possible values `default`, `consistent`, `cached`, or `delegated`.
+* `GET /containers/create` now takes a `DeviceCgroupRules` field in `HostConfig` allowing to set custom device cgroup rules for the created container.
+* Optional query parameter `verbose` for `GET /networks/(id or name)` will now list all services with all the tasks, including the non-local tasks on the given network.
+* `GET /containers/(id or name)/attach/ws` now returns WebSocket in binary frame format for API version >= v1.28, and returns WebSocket in text frame format for API version< v1.28, for the purpose of backward-compatibility.
+* `GET /networks` is optimised only to return list of all networks and network specific information. List of all containers attached to a specific network is removed from this API and is only available using the network specific `GET /networks/{network-id}.
+* `GET /containers/json` now supports `publish` and `expose` filters to filter containers that expose or publish certain ports.
+* `POST /services/create` and `POST /services/(id or name)/update` now accept the `ReadOnly` parameter, which mounts the container's root filesystem as read only.
+* `POST /build` now accepts `extrahosts` parameter to specify a host to ip mapping to use during the build.
+* `POST /services/create` and `POST /services/(id or name)/update` now accept a `rollback` value for `FailureAction`.
+* `POST /services/create` and `POST /services/(id or name)/update` now accept an optional `RollbackConfig` object which specifies rollback options.
+* `GET /services` now supports a `mode` filter to filter services based on the service mode (either `global` or `replicated`).
+* `POST /containers/(name)/update` now supports updating `NanoCPUs` that represents CPU quota in units of 10<sup>-9</sup> CPUs.
+
+## v1.27 API changes
+
+[Docker Engine API v1.27](https://docs.docker.com/engine/api/v1.27/) documentation
+
+* `GET /containers/(id or name)/stats` now includes an `online_cpus` field in both `precpu_stats` and `cpu_stats`. If this field is `nil` then for compatibility with older daemons the length of the corresponding `cpu_usage.percpu_usage` array should be used.
+
+## v1.26 API changes
+
+[Docker Engine API v1.26](https://docs.docker.com/engine/api/v1.26/) documentation
+
+* `POST /plugins/(plugin name)/upgrade` upgrade a plugin.
+
+## v1.25 API changes
+
+[Docker Engine API v1.25](https://docs.docker.com/engine/api/v1.25/) documentation
+
+* The API version is now required in all API calls. Instead of just requesting, for example, the URL `/containers/json`, you must now request `/v1.25/containers/json`.
+* `GET /version` now returns `MinAPIVersion`.
+* `POST /build` accepts `networkmode` parameter to specify network used during build.
+* `GET /images/(name)/json` now returns `OsVersion` if populated
+* `GET /info` now returns `Isolation`.
+* `POST /containers/create` now takes `AutoRemove` in HostConfig, to enable auto-removal of the container on daemon side when the container's process exits.
+* `GET /containers/json` and `GET /containers/(id or name)/json` now return `"removing"` as a value for the `State.Status` field if the container is being removed. Previously, "exited" was returned as status.
+* `GET /containers/json` now accepts `removing` as a valid value for the `status` filter.
+* `GET /containers/json` now supports filtering containers by `health` status.
+* `DELETE /volumes/(name)` now accepts a `force` query parameter to force removal of volumes that were already removed out of band by the volume driver plugin.
+* `POST /containers/create/` and `POST /containers/(name)/update` now validates restart policies.
+* `POST /containers/create` now validates IPAMConfig in NetworkingConfig, and returns error for invalid IPv4 and IPv6 addresses (`--ip` and `--ip6` in `docker create/run`).
+* `POST /containers/create` now takes a `Mounts` field in `HostConfig` which replaces `Binds`, `Volumes`, and `Tmpfs`. *note*: `Binds`, `Volumes`, and `Tmpfs` are still available and can be combined with `Mounts`.
+* `POST /build` now performs a preliminary validation of the `Dockerfile` before starting the build, and returns an error if the syntax is incorrect. Note that this change is _unversioned_ and applied to all API versions.
+* `POST /build` accepts `cachefrom` parameter to specify images used for build cache.
+* `GET /networks/` endpoint now correctly returns a list of *all* networks,
+  instead of the default network if a trailing slash is provided, but no `name`
+  or `id`.
+* `DELETE /containers/(name)` endpoint now returns an error of `removal of container name is already in progress` with status code of 400, when container name is in a state of removal in progress.
+* `GET /containers/json` now supports a `is-task` filter to filter
+  containers that are tasks (part of a service in swarm mode).
+* `POST /containers/create` now takes `StopTimeout` field.
+* `POST /services/create` and `POST /services/(id or name)/update` now accept `Monitor` and `MaxFailureRatio` parameters, which control the response to failures during service updates.
+* `POST /services/(id or name)/update` now accepts a `ForceUpdate` parameter inside the `TaskTemplate`, which causes the service to be updated even if there are no changes which would ordinarily trigger an update.
+* `POST /services/create` and `POST /services/(id or name)/update` now return a `Warnings` array.
+* `GET /networks/(name)` now returns field `Created` in response to show network created time.
+* `POST /containers/(id or name)/exec` now accepts an `Env` field, which holds a list of environment variables to be set in the context of the command execution.
+* `GET /volumes`, `GET /volumes/(name)`, and `POST /volumes/create` now return the `Options` field which holds the driver specific options to use for when creating the volume.
+* `GET /exec/(id)/json` now returns `Pid`, which is the system pid for the exec'd process.
+* `POST /containers/prune` prunes stopped containers.
+* `POST /images/prune` prunes unused images.
+* `POST /volumes/prune` prunes unused volumes.
+* `POST /networks/prune` prunes unused networks.
+* Every API response now includes a `Docker-Experimental` header specifying if experimental features are enabled (value can be `true` or `false`).
+* Every API response now includes a `API-Version` header specifying the default API version of the server.
+* The `hostConfig` option now accepts the fields `CpuRealtimePeriod` and `CpuRtRuntime` to allocate cpu runtime to rt tasks when `CONFIG_RT_GROUP_SCHED` is enabled in the kernel.
+* The `SecurityOptions` field within the `GET /info` response now includes `userns` if user namespaces are enabled in the daemon.
+* `GET /nodes` and `GET /node/(id or name)` now return `Addr` as part of a node's `Status`, which is the address that that node connects to the manager from.
+* The `HostConfig` field now includes `NanoCPUs` that represents CPU quota in units of 10<sup>-9</sup> CPUs.
+* `GET /info` now returns more structured information about security options.
+* The `HostConfig` field now includes `CpuCount` that represents the number of CPUs available for execution by the container. Windows daemon only.
+* `POST /services/create` and `POST /services/(id or name)/update` now accept the `TTY` parameter, which allocate a pseudo-TTY in container.
+* `POST /services/create` and `POST /services/(id or name)/update` now accept the `DNSConfig` parameter, which specifies DNS related configurations in resolver configuration file (resolv.conf) through `Nameservers`, `Search`, and `Options`.
+* `GET /networks/(id or name)` now includes IP and name of all peers nodes for swarm mode overlay networks.
+* `GET /plugins` list plugins.
+* `POST /plugins/pull?name=<plugin name>` pulls a plugin.
+* `GET /plugins/(plugin name)` inspect a plugin.
+* `POST /plugins/(plugin name)/set` configure a plugin.
+* `POST /plugins/(plugin name)/enable` enable a plugin.
+* `POST /plugins/(plugin name)/disable` disable a plugin.
+* `POST /plugins/(plugin name)/push` push a plugin.
+* `POST /plugins/create?name=(plugin name)` create a plugin.
+* `DELETE /plugins/(plugin name)` delete a plugin.
+* `POST /node/(id or name)/update` now accepts both `id` or `name` to identify the node to update.
+* `GET /images/json` now support a `reference` filter.
+* `GET /secrets` returns information on the secrets.
+* `POST /secrets/create` creates a secret.
+* `DELETE /secrets/{id}` removes the secret `id`.
+* `GET /secrets/{id}` returns information on the secret `id`.
+* `POST /secrets/{id}/update` updates the secret `id`.
+* `POST /services/(id or name)/update` now accepts service name or prefix of service id as a parameter.
+* `POST /containers/create` added 2 built-in log-opts that work on all logging drivers,
+  `mode` (`blocking`|`non-blocking`), and `max-buffer-size` (e.g. `2m`) which enables a non-blocking log buffer.
+* `POST /containers/create` now takes `HostConfig.Init` field to run an init
+  inside the container that forwards signals and reaps processes.
+
+## v1.24 API changes
+
+[Docker Engine API v1.24](v1.24.md) documentation
+
+* `POST /containers/create` now takes `StorageOpt` field.
+* `GET /info` now returns `SecurityOptions` field, showing if `apparmor`, `seccomp`, or `selinux` is supported.
+* `GET /info` no longer returns the `ExecutionDriver` property. This property was no longer used after integration
+  with ContainerD in Docker 1.11.
+* `GET /networks` now supports filtering by `label` and `driver`.
+* `GET /containers/json` now supports filtering containers by `network` name or id.
+* `POST /containers/create` now takes `IOMaximumBandwidth` and `IOMaximumIOps` fields. Windows daemon only.
+* `POST /containers/create` now returns an HTTP 400 "bad parameter" message
+  if no command is specified (instead of an HTTP 500 "server error")
+* `GET /images/search` now takes a `filters` query parameter.
+* `GET /events` now supports a `reload` event that is emitted when the daemon configuration is reloaded.
+* `GET /events` now supports filtering by daemon name or ID.
+* `GET /events` now supports a `detach` event that is emitted on detaching from container process.
+* `GET /events` now supports an `exec_detach ` event that is emitted on detaching from exec process.
+* `GET /images/json` now supports filters `since` and `before`.
+* `POST /containers/(id or name)/start` no longer accepts a `HostConfig`.
+* `POST /images/(name)/tag` no longer has a `force` query parameter.
+* `GET /images/search` now supports maximum returned search results `limit`.
+* `POST /containers/{name:.*}/copy` is now removed and errors out starting from this API version.
+* API errors are now returned as JSON instead of plain text.
+* `POST /containers/create` and `POST /containers/(id)/start` allow you to configure kernel parameters (sysctls) for use in the container.
+* `POST /containers/<container ID>/exec` and `POST /exec/<exec ID>/start`
+  no longer expects a "Container" field to be present. This property was not used
+  and is no longer sent by the docker client.
+* `POST /containers/create/` now validates the hostname (should be a valid RFC 1123 hostname).
+* `POST /containers/create/` `HostConfig.PidMode` field now accepts `container:<name|id>`,
+  to have the container join the PID namespace of an existing container.
+
+## v1.23 API changes
+
+[Docker Engine API v1.23](v1.23.md) documentation
+
+* `GET /containers/json` returns the state of the container, one of `created`, `restarting`, `running`, `paused`, `exited` or `dead`.
+* `GET /containers/json` returns the mount points for the container.
+* `GET /networks/(name)` now returns an `Internal` field showing whether the network is internal or not.
+* `GET /networks/(name)` now returns an `EnableIPv6` field showing whether the network has ipv6 enabled or not.
+* `POST /containers/(name)/update` now supports updating container's restart policy.
+* `POST /networks/create` now supports enabling ipv6 on the network by setting the `EnableIPv6` field (doing this with a label will no longer work).
+* `GET /info` now returns `CgroupDriver` field showing what cgroup driver the daemon is using; `cgroupfs` or `systemd`.
+* `GET /info` now returns `KernelMemory` field, showing if "kernel memory limit" is supported.
+* `POST /containers/create` now takes `PidsLimit` field, if the kernel is >= 4.3 and the pids cgroup is supported.
+* `GET /containers/(id or name)/stats` now returns `pids_stats`, if the kernel is >= 4.3 and the pids cgroup is supported.
+* `POST /containers/create` now allows you to override usernamespaces remapping and use privileged options for the container.
+* `POST /containers/create` now allows specifying `nocopy` for named volumes, which disables automatic copying from the container path to the volume.
+* `POST /auth` now returns an `IdentityToken` when supported by a registry.
+* `POST /containers/create` with both `Hostname` and `Domainname` fields specified will result in the container's hostname being set to `Hostname`, rather than `Hostname.Domainname`.
+* `GET /volumes` now supports more filters, new added filters are `name` and `driver`.
+* `GET /containers/(id or name)/logs` now accepts a `details` query parameter to stream the extra attributes that were provided to the containers `LogOpts`, such as environment variables and labels, with the logs.
+* `POST /images/load` now returns progress information as a JSON stream, and has a `quiet` query parameter to suppress progress details.
+
+## v1.22 API changes
+
+[Docker Engine API v1.22](v1.22.md) documentation
+
+* `POST /container/(name)/update` updates the resources of a container.
+* `GET /containers/json` supports filter `isolation` on Windows.
+* `GET /containers/json` now returns the list of networks of containers.
+* `GET /info` Now returns `Architecture` and `OSType` fields, providing information
+  about the host architecture and operating system type that the daemon runs on.
+* `GET /networks/(name)` now returns a `Name` field for each container attached to the network.
+* `GET /version` now returns the `BuildTime` field in RFC3339Nano format to make it
+  consistent with other date/time values returned by the API.
+* `AuthConfig` now supports a `registrytoken` for token based authentication
+* `POST /containers/create` now has a 4M minimum value limit for `HostConfig.KernelMemory`
+* Pushes initiated with `POST /images/(name)/push` and pulls initiated with `POST /images/create`
+  will be cancelled if the HTTP connection making the API request is closed before
+  the push or pull completes.
+* `POST /containers/create` now allows you to set a read/write rate limit for a
+  device (in bytes per second or IO per second).
+* `GET /networks` now supports filtering by `name`, `id` and `type`.
+* `POST /containers/create` now allows you to set the static IPv4 and/or IPv6 address for the container.
+* `POST /networks/(id)/connect` now allows you to set the static IPv4 and/or IPv6 address for the container.
+* `GET /info` now includes the number of containers running, stopped, and paused.
+* `POST /networks/create` now supports restricting external access to the network by setting the `Internal` field.
+* `POST /networks/(id)/disconnect` now includes a `Force` option to forcefully disconnect a container from network
+* `GET /containers/(id)/json` now returns the `NetworkID` of containers.
+* `POST /networks/create` Now supports an options field in the IPAM config that provides options
+  for custom IPAM plugins.
+* `GET /networks/{network-id}` Now returns IPAM config options for custom IPAM plugins if any
+  are available.
+* `GET /networks/<network-id>` now returns subnets info for user-defined networks.
+* `GET /info` can now return a `SystemStatus` field useful for returning additional information about applications
+  that are built on top of engine.
+
+## v1.21 API changes
+
+[Docker Engine API v1.21](v1.21.md) documentation
+
+* `GET /volumes` lists volumes from all volume drivers.
+* `POST /volumes/create` to create a volume.
+* `GET /volumes/(name)` get low-level information about a volume.
+* `DELETE /volumes/(name)` remove a volume with the specified name.
+* `VolumeDriver` was moved from `config` to `HostConfig` to make the configuration portable.
+* `GET /images/(name)/json` now returns information about an image's `RepoTags` and `RepoDigests`.
+* The `config` option now accepts the field `StopSignal`, which specifies the signal to use to kill a container.
+* `GET /containers/(id)/stats` will return networking information respectively for each interface.
+* The `HostConfig` option now includes the `DnsOptions` field to configure the container's DNS options.
+* `POST /build` now optionally takes a serialized map of build-time variables.
+* `GET /events` now includes a `timenano` field, in addition to the existing `time` field.
+* `GET /events` now supports filtering by image and container labels.
+* `GET /info` now lists engine version information and return the information of `CPUShares` and `Cpuset`.
+* `GET /containers/json` will return `ImageID` of the image used by container.
+* `POST /exec/(name)/start` will now return an HTTP 409 when the container is either stopped or paused.
+* `POST /containers/create` now takes `KernelMemory` in HostConfig to specify kernel memory limit.
+* `GET /containers/(name)/json` now accepts a `size` parameter. Setting this parameter to '1' returns container size information in the `SizeRw` and `SizeRootFs` fields.
+* `GET /containers/(name)/json` now returns a `NetworkSettings.Networks` field,
+  detailing network settings per network. This field deprecates the
+  `NetworkSettings.Gateway`, `NetworkSettings.IPAddress`,
+  `NetworkSettings.IPPrefixLen`, and `NetworkSettings.MacAddress` fields, which
+  are still returned for backward-compatibility, but will be removed in a future version.
+* `GET /exec/(id)/json` now returns a `NetworkSettings.Networks` field,
+  detailing networksettings per network. This field deprecates the
+  `NetworkSettings.Gateway`, `NetworkSettings.IPAddress`,
+  `NetworkSettings.IPPrefixLen`, and `NetworkSettings.MacAddress` fields, which
+  are still returned for backward-compatibility, but will be removed in a future version.
+* The `HostConfig` option now includes the `OomScoreAdj` field for adjusting the
+  badness heuristic. This heuristic selects which processes the OOM killer kills
+  under out-of-memory conditions.
+
+## v1.20 API changes
+
+[Docker Engine API v1.20](v1.20.md) documentation
+
+* `GET /containers/(id)/archive` get an archive of filesystem content from a container.
+* `PUT /containers/(id)/archive` upload an archive of content to be extracted to
+an existing directory inside a container's filesystem.
+* `POST /containers/(id)/copy` is deprecated in favor of the above `archive`
+endpoint which can be used to download files and directories from a container.
+* The `hostConfig` option now accepts the field `GroupAdd`, which specifies a
+list of additional groups that the container process will run as.
+
+## v1.19 API changes
+
+[Docker Engine API v1.19](v1.19.md) documentation
+
+* When the daemon detects a version mismatch with the client, usually when
+the client is newer than the daemon, an HTTP 400 is now returned instead
+of a 404.
+* `GET /containers/(id)/stats` now accepts `stream` bool to get only one set of stats and disconnect.
+* `GET /containers/(id)/logs` now accepts a `since` timestamp parameter.
+* `GET /info` The fields `Debug`, `IPv4Forwarding`, `MemoryLimit`, and
+`SwapLimit` are now returned as boolean instead of as an int. In addition, the
+end point now returns the new boolean fields `CpuCfsPeriod`, `CpuCfsQuota`, and
+`OomKillDisable`.
+* The `hostConfig` option now accepts the fields `CpuPeriod` and `CpuQuota`
+* `POST /build` accepts `cpuperiod` and `cpuquota` options
+
+## v1.18 API changes
+
+[Docker Engine API v1.18](v1.18.md) documentation
+
+* `GET /version` now returns `Os`, `Arch` and `KernelVersion`.
+* `POST /containers/create` and `POST /containers/(id)/start`allow you to  set ulimit settings for use in the container.
+* `GET /info` now returns `SystemTime`, `HttpProxy`,`HttpsProxy` and `NoProxy`.
+* `GET /images/json` added a `RepoDigests` field to include image digest information.
+* `POST /build` can now set resource constraints for all containers created for the build.
+* `CgroupParent` can be passed in the host config to setup container cgroups under a specific cgroup.
+* `POST /build` closing the HTTP request cancels the build
+* `POST /containers/(id)/exec` includes `Warnings` field to response.
diff --git a/engine/docs/contributing/README.md b/engine/docs/contributing/README.md
new file mode 100644
index 00000000..915c0cff
--- /dev/null
+++ b/engine/docs/contributing/README.md
@@ -0,0 +1,8 @@
+### Get set up for Moby development
+
+ * [README first](who-written-for.md)
+ * [Get the required software](software-required.md)
+ * [Set up for development on Windows](software-req-win.md)
+ * [Configure Git for contributing](set-up-git.md)
+ * [Work with a development container](set-up-dev-env.md)
+ * [Run tests and test documentation](test.md)
diff --git a/engine/docs/contributing/images/branch-sig.png b/engine/docs/contributing/images/branch-sig.png
new file mode 100644
index 0000000000000000000000000000000000000000..b069319eeeb7efa7c3f00b5b9d080ce83ffc6654
GIT binary patch
literal 56537
zcmd?ORa{(6&^|a=1|NdEgdi_Ya2q_hyE}nkg9LYXNpN>}cbDMq?(PgO|LlI>#oq33
zFSl>bsj8>@=|0`nU41G{QC<QKnGhKO0H8@piYWsC@E`yHmIV>+pJv0jw(OtqrYNf_
z4uwJ=9v%)452vQ4o}ZszUS3{bU(e6a2L=Y--`~&9&U$-$%gV~?>+2U57WVe`($dnx
z!ongWBO@Xr+S}Woo}P+}i(_J9K0ZEv|Nb2v9lf=+RZ>!NcL%+_y?uOqyuZJHxW5}7
z9&T!C%F4>h&(B|3S(%%gJ2*JlIKHSIKTc@f%IeweU%oiIx^;DRm6MZWWo2bxVBp~3
zkd&0Pv9UQiI+~uD+1%XR-Q8`QJ#{Kru*{qduUogYv{X@1xw*MnUS2*uJ)NDM9pAX(
z;o-4|K(4Q^jZ&sHG&C+QE-o)G-#<RI<0mpQGIVuyU*A5~*48?PMwj<bRAR?{Dpr=3
zmJE%ID=I4d{ryEnMRRg;sHv&>`1nUhN8jIHWFtp+c6PkHyquhzYHDhVii*Hs@YU5-
zOG`^tRaJ0saA9HL@$qqIXD2Zc>H7Nm_V#vncehyZ-}$Y5Q!}%np`qlIl%%92GJ1YD
z|KR7>w}ga*lA(j~@$uZ;TrMsybwkL1+=^4Ho7<<?GOAi^qGp!%PD$AXZ!b@Mlk>(u
zZ8M82A`?;?y82HpA5`^>0wQCt?_c(>p!d&jb9=X|M^F~`K0d#}<GZJwvxkH0drq(Z
zv-=lRB$R`h*7XR!yS2U<BfzW~%&ZAur8j@1;`i<4fsAdVd2sQcJ#9Aa3SryK;GORr
zx)t8}lf!c>#qD!^M%A~k=SMqJd)tHi8^f1J3s1M(cb97)&nF*G#~-g3AFpQ}+f}|D
zrlIXlgZpi{%hCF^0#2hUE|VH|g9;Yaavn1}!5ij=^@2W&h5@T4PR&|<orNt8sXx1=
zk_Lkor`xN_Vi(UQYu0imj|N}w4<<+I5*ED9p+{R+%U2H<1*1u!Q?|u<L4NK=#)je>
zO9Q#--iNolnaQq~CmWFgmR6SXiII+vulL?|s^%Ty#?2y+4>ua6T<gaJCwnWhmiD{n
zx2uO|YsZ%rP3?u%^$<7Di|2P<?ZEnxjl|j+6`Lq^b|xn!*1C$Qs(=1)<D@LF@^1nE
z|EmCE*?lYlfTa{EF=16#n6vaSgB|J2Zu;NY*$&HL@r<$Tw7fJWu)>=#pMh*bG3<_^
zQ=cUig^0v|2)#r_w6`3dcf8=)QJwR_6Ti&9F)ezw_^4s$vm2a9r~&?YPz;WFZ|_F8
zJwyFU_iq2ca_1KoHXI5fA3&EQ17Kmz0wE4RSGG-gW`QxJ|D>t?`!W8MZG>6izq%X1
zu`?`Yv%xS~GJXeHSu&x;HI+Uf`u{?2+4M6AvX0@f{#^2T`;c!v_y~G-LwL&(2PslK
zQGACY!vq1DO0a&H8$iraIe1Z&2v3OqR`T@D@YM`gWSAoX|4&&G{+Aw*&)sg;D>i(m
z6<M`!%->|i+?s@C?)czev6@jneaX$3R+z5!$?)AkGH<b`M<DrC#<S3lzm)71T426s
zIHaxjnV%AQ6F)Z^>Cc8@x5+^N$Jr0Ej_uv7Pp_LfAbfk)yjAj_=}vzOBRcj23fM<K
z&Dnht59FmT7tHY=3YQ|kx}FsL_V@&x>=Y%F98-}Eo4Li4CSPXp7zO^BvK#jj-J{4&
z7CP3s@e4!z>^{-M{JF<v5(IvJBJ#e@V?~1NtJ#bOH8bYYAO(L$4SjFM!0SALE7KeH
zGQkJ4_>DE~!eQZd(7rp6E`Q$V3EJ>{5OKXPGg!Mi-9&v6itRuDtpUj825)}AZg+Tf
zU(dna$hU~tb_XFa4}OKszw`sil0ocZgL_f2yH_b3u!A?Ey%D3|RgQ6%<M7&c`=lRh
z#S_8TJ>9g-G6XhF;rF(YLRI9=A*|~(LI;JX7bmPz*gbD(j=Zr?#}ZxMeRe+l>CAy|
z7BXe!IZtn_=QT1x$|Z)ej3}4KaQ`JyCC_23RnD*T0Ylj6!3Y&xEQ1u>gFrd)0@`tN
zHi_Y~r?u6bMeB`AxM&V92#S;q2{$c8nG^lQ7#RZ96=(H8#Z8S}3Qm%~+5of0pU4T?
z5Mu03Mp~NadjUSKI%f!GZ1PF;?QM7?9Nw+3=M~+r(u@&H)27wU8DQ?dnm+;ZvVM@b
z3Et0!o0-RqGDqCz%W<a(1*b>0ZHcazik>PTpH<+QlZj)czx^W7Xl0Z$+v4n%c`?^7
zZ`-!Nwf}~2p*V?tz)cR}s{ZYYn^z+eO>iwdYrnm*;$R@l<C*~G)uH8dv=epo&SBG%
zJ^W|^2~BQq=^ZhZZc7{mIE&BrkR-<WiZMs_Bcg5*uM`4&yJzSLKYd}uw(x}C?za$X
z%pRTn1|O*(wp*tI+Z=Tii5c}<Pff*D3LbUz+jrgA{5bPvtS^UDoDS|KO|;U#yJV~x
zD5ZJ>V*O1eR#Wevp)@|(B1?6v2A;=o!%LsuU?VpYA~y=~UdE1bBv35+AD5Ewk!&-c
z$=5Ah7m6dBC_H9p`!A0%HK}nj235>=@-_)xN9$HGx7PwOWSxv(Ogu5Za;IiYh@wN0
ziC^@=v9Jj1z|ZKO2u3D&Dz3KWpf3#-D60eI`NiW;5!I!1BjcLFYBz4;N=HJz8)}wE
za!M*W9DI1U6AntOBT=Q_!`w%Ku@6wJ=w&1)V9p8Uov?QFM2D_sv#m~r_xFZ_`1;M0
z$U5CnG5BEnPZ^Pj4(f%o=5MF+^eDj?eK^0<cTkFggpA8*kdOO+C+zE6a@aTTI8*O}
z+ruq&l%2P*m-l~ijKfOt>uB8m@rDpNBNr8eex?%D+Wf#reE)h8W+|@cQZoa0)w7|`
zd!KqU49e_UTCEc->VrpgdR6x#GIaD3$<Ecetb$XL(t*j7r<<>!>pRF;4F`z%)WDVV
zTzifV%O1RCKo}awd|4qBjGXo{pnlt)U*_5T5k9XGn{W4dWd1qF-;H>J?eo$Gl3hRJ
zpTcR^55r!xEAH_e3wV-$b%r)F**yuZB|!}dq7P6?F<nm*<GTlpCzZw<7_pvC;__zm
zc|#vEDxP#FSvhioll+0gR-KkS4uSLLtWI;2O;}740&})mm+AfUbz-?@^ar=6Z^Kp3
z<cF(5k{K72OUEu^fiq$6gko6dP`7$q+2Z1P`uoMRm~mi@EV0sx)KhLsyqC(2xw8hi
zT7?X9t{rUp<y=TWr!3v+cUy|844}zRLz@##iM!=D-*1E7TUGWyyodCzO=n5LUW&t%
zstc9HpvD~0LGE7@pQ7p8)|LO8h<qe3`xg5Q2vSb@&c#4&U;Rh#_+pTW)E{)_ajx(o
z>GpP<g;7gM@;I2eZ0e%X$-rR>{K3ctp==SHP5{kH@vvvC)U4K~tp5&jwBaPAFCpYg
z;*CjaO}m*}2b14Kf$-IT%q7a|Fo`OKz`&5dKmF*^$U-~zHPR+vc+lF1{d1Axngl{F
zhj$zx@4P~}ynv(B>()9wANS*9m$YzN0>;0pH2qdtk26tNZ`5|ooU4o;Ww){jwu-wM
zv^K5eT)dx;>40Vc46<(L7|Ql(Hh4GxdpI~@n~3;pX2WDtw%E?ml=?8SPDn;OOOf<b
z1BQ!Z^u=}J7yb^2OYs!a*mYOh;Fy0^2aMLpkl+G$FDw7&f#6avEhi(_h$v+?Y@1vJ
z=3b!NPgcLjLyS}St=$w&Z)9)5#FHx!<oD*aNO%f{7Js`=<apwbpw}_%2Tor|TXLzO
znF7USf~~2g%zlN4$>6L(q8`b4|KcL!)T*rw#Q7(pezpI_C%p&T!~cSDgD`6F{=C?w
zO!<0VbVR=k*F!L{j7{MnJ^GEUzR%3&PshSus=8v8{Q7zF2K}<RR+$qpABD0=;u@I(
zVO5h1kvPQli-Jfr7L{40VlK9G|F-sa4+qfpif=YAggG=r`O_aOcrhv&$N=TqcEE41
zyeT<z)@4+-f8QFEBj>g?m3F4eGMJF-S_EQ>UZfUSyfr(VkDT9cEN(HcX`HHDuo3xU
zyjo%dbpA=SFJAC==TMpn07_&yaDV=9<;1IytOkKgXCWZ942wtU-wD^|_`{yJ9)1#6
zBkmN!!9TDp%Gpnre>*GS;oka}&lfW1;R(h!{l@);<+F&h4XqfmoRwcYFGXCK^jxs@
z^vKVoc*jJG-LFdIVAq#pWxck>A(e#WwU!0*M7BrnyWe=|^(HSCoxUzaaKCGm$ej4K
zqu``$D01DD>=X%h;fNy!zU}QNF38n?i<&^LtduY*>n*$w^Z-1;YQMxk3vu-#0JBah
z11G&OMrm?!@H+GqwlQkYID5yCDWbrwGx|4T7pun8iIF--R8qaE&KNP<N#pY)#h|Yr
zXOS+I(L|X%m$C}j8YqMm+BSP05)0qu$(#MkXw+Cxb><PNDYV1RG0Sl-?qF&yQ}sFA
zyF1%JC#@jQwW-0qI(B}^YL^$o=_=jU642w{Yjw!CqL=K+D`;6n+285Agwn4+D^`Lr
z5#2aP8d_q@ieJe2&&T&2GxH2>#xEo9<bU3duim1-Xb9F@ND<%g`$&%WgqV92n~9EA
zC4RoCs~{JlSj`*7`=nx2<fyj8`7IyaDAX0>?x*cZz*D3(PDPDyZUj~_Z|HZ{!T`Ux
z>mJn9@}%4Vs8ws3du}Rjnu&{~7CuxsZ&NGAf}ZCjAhi+hTw~>roOQs@pJR`JBHl{w
zU*kAE@xlfVFqIMaq7@9_K+o-g&5xf~yaz&8Wnjst#k~KjNun5sYnrpMAs{GAiLj*C
zRyUk%OQH$ZRM_TYHl|fyojq8ww&-~yj6;sEV+(M4f~ouo72m&&^ea3BF5R*`+9@mk
zkc+h>0)vXKd1u4?;s$215rHv6d*mMcB%=J#b5{*YZ3RJM+E#&J@s71rX66<KAUlbo
z6Pc<oJ?4&E$gE2NJVTtisT2~io9+ab%Xo+FWB1`W*X$5bSPx$RA>rlzA<T*bi2{G;
z1uSDs*=(JLUa3qlRcB>Su)LZ*?-LLHI~7%A){7-V=Y{>{GoQwyzA{-k2cfvC^;xit
z63Usxeu<&gP_M5JL__=MhP(|cq6!%;%_8$3d^@r@``v(WoSdZmsX{QVl_TPOJ$>s?
z9whJEAW%!(m*WJEapsbQxEYl!{`IKjzzy-KS8z%}@GXy3$n`BL@Quu17;mqevxEB=
z87hMXW8$(ehlug&^CP)f>%9I^HX)H}T!80AfSGeS2sYF9Tgm`|yB;!<FLI75(L9Xr
zz9!*DAi`d^u=Chz)F{5h<1#iin<T*H$v0tY25Yns1@<a)H=vAyEY#}TAot3T%ZHx*
z=sBhrTThJghkmpev)0CST?Xa^gObXd-Y_mEQujnBGHZqT7tC=2Co)=3ff*Isr|w^R
zII&QR(%YY8EzuLihs7->k3t1cz3)48AGBWNyED??QtFo=dD#g<C?KXomW$i3y<Z!?
zcIEzZoCBuQ2Q%v|C(Gf>gH6Qrn~P&np*^!y%G;AfOD&?mku3l1pzdx3Ipar9BBAW&
zP2ZYN7U&e}0-v{{pMruMF;Q#=q|d)Xdwk>Zh)kbh_E4D5JdWxXeO~h@0)5o(F+?cA
zn$Z>o3x(=ed=SdA3dE!pf40`sv_zEwIYtf@0%#8gLtrRP?Yws#p|&*_0Sl~dSfaEV
zu43S*Nca^-B)O^!D>b(4?^35G5Wpo9tr*sojEwjcEQu^St&eT820`BS+-k`NH>ax2
z(LZ>O6O?)gGz9*96q2$NZ;vaxbLu!N33<(VmTe*4s3e)3M-Oi}mp^wsru&Ac^>_8>
zk8x_R=Jc+8IDF52i>K(7tF^_OYY`}mlhfX+og76xH|n%d@iXlZP%JODFaAKUVu~L|
zqdGXoNV2RCZCO)`9H&|wLj*^=Y$3keCQx6xD!zX^NF_#-l91x_aAVmoi37YyD6lP!
zi7Kcm<(n5q2G%V{`EUR$nEXGJw;lxk!8@s0<KOU$zy!bVCvL~WkA|Q(q6`Q-HNiWH
z7Z1354q>nW6NJYu7on!dI^NM)CfBC04l&BMeDp_4LX5M&8Gi^%Fmuk*U+3x)GWyCg
z0SvTABi`e#-ynA_2W_Quh8jh(v3^^^cuxTpBB#S|i~_+O6@xQ2C4D9WsnTqe;B4!V
z+ZIn(jw}$~tjxLY{AXk?%jORDxXB`q9DP2>QAH!eljp{cMMdd2<gZde!TGCl)q1AG
z5_MW-!EkzNVP1F+RPw&LU=s$>o@BICs0s_qFLy=NqNo28+TI)De!|c`9LCXulYfT3
zowC!)g6Q6ogXy2-W*Z$$U0^31-s$F%7F9Pc$t*j1un`S$Nc59yRf`>c`1^lZm%2vz
z@OIarA0<7c14v>%Uy@C}rcG+#3`9-E4a``eel*FP>-U24f32qcRdsPrC)PaKPl5>8
zcXOqLuxwf^23-xGb}3R$QS>s$kvM!8uKWShlI>kmYQ4(p#XdP;)05t8x(covXA{}6
zXk~^kl|Vm)kqSTM)X3h{_?n>a=iwzpa0wU5R`<Nqi`cX4)jdX*)plaKm8_YLuq97M
zj=PL}*#eG}Gren6ces+N3U%H<{LcMv4u1a8=SUkQ;izKfRqoPkvo7aS#_JfFa{rol
z7Xg)a<4uP!&GnYLz4ms10SrILYl-3D(Sz#0?Pwygqyv15@c@L0zSq8k5=M8@s5Gqg
zrTI<N$CDV{81<oF@PmF|hayaQXkVK)RDMCz;LK!(<X*qSzcIB5b7~cHy<;5UVLStQ
z!)4hk1#`fm85D?ijS+9J4zu=yJxI@q;olXAyw(K9-RV|v=pm?vmg2i7B#V>;;BGPC
zE}tg=|E~y<6axI4O_W}h>@p)Za?JzO51Tg5B64J3%s=<D;r7ZJ(}I2ELr(|$)A6g<
zFV)pQf6Q(BfrX$8KY^rm;>SkA6|<HvRn`$(-u=*Wpdt}JBH5BbyRSzW1PbVQjOlv4
z{v|Bz1F(zQT8pPI*=2Y9K#^Mt{*F%Bo&UYlf5G2{eIAwf(p8vR-xecMrSaeIQMBVX
zPrw%Y@Z*FT<BHb|9<)yzmy&f|RY_zv$mJSFT<x;zPf<Xi5?M0188om0ze$R^x)Fo&
z#gzzlf!`Hh(%BsqD-gYi%SPfTsYdYq`p<_a%m%4&`cjtZ<zmn3s|C#NnHP@EYo$4r
zdh<)w9s^fB<}+`!i@5`p^05YySf5HcSYLD6iD)VU<oyxt!s$iMiuuTCBz90yCJh<@
zh8pk3#Nc5$x4k_vf1Jknyk369b>`@|fc)AJZf&EgCsx9*8eU0}7l~s1+2`d*h_t?}
zQ3Rv^4LA7ab@g%cpeRc|4=5^CZ*FP=8t{K?PQJ%<v>7TBg~HKh61NeZy?$Gl?p=V*
z`{m-|@{nneU76M4FGF&ww_%6sLYn%@ELa=aP~37+DPKWm`BpeimT(jQpRG(n=OQ--
z(=?QF8g8ky9)EVZzlr?og!gK8WW$mf?;PA8w>Hb!_g|+)Yz?H=8~A_JO+agGMQwf8
z?Cz^@OX7o-hWa{DpN|h+xHdZ|$^@1?DP!eMHRLU*+QjfEj79_i&wM@<9-gD?M7c`=
zz3bymo4j(jc%*14f!|%i5*8V=%e!t<^aYtJL`F&68~81r5@*|-OcC`GN$5Tn@s3_z
zzf;j=mFKUvHvMu(*Gs(n+v5}Bb{Pya8R_y#03ZYcOu+%}0Nr-e|JMWXKbnB^&j^N0
z))#(6YJh`OkL*0;Zd2J}&lVsT<vJYThp|Y8n+j^LE8U3z;K)z$`ntx9esF>>toQ+t
z4ODI?)vDpoQ28HY>`w>Rwls{pe+H3ayRZN7!eRM9A%p*$^ncm@AH@IjD!J#p1}ZN+
z|1JR%0;xKmbCnD)oC_sUO`M^6m}x|$7g=G-A1ZAA<bJ!aJekn*vFNU!5AZ8_dflG1
zx-9z#b)jO;xc2DdF>T_GdvKc9<v#uh2%zf3dOf;h)N2q(zXQFqT|x{$a)#U2<w4Qq
zXbltC)UVIy&PKhnLM|m!Dgwr^>my_fI5)qQ&aaq`)oC1BMRaS`_+Ax1O4wFck9!Uq
z`n1a)=S<(639@)|{4Oy4=so(MM>0tS3!+}ph-o<T^D~PXpEibyf>{byi2D8Xu2f;F
z)k}_+k5I9t@Fa3VEDF@WSFwdd1&>e-g60MV@0T$|uF(rS4()9Ri8d>~YApmA+;hP2
zxshA@rLd1^e=w)$j4cntSrU%vT2-_VUm4nv_%K}T$9Qa=e0;c8AAnO6?jt%x4o}JK
z+LePQ)CAau44wFQd4P46LmLfRIM2FCOmqo^uP?2)zBZG{-M0W@k6o>SOOLCf$F7F=
zGZz61xdzl>1uA+k8POY}p67tm4--;Jg|&i>+&t(+3gzvyU88cB@5KCEe#>-O+Ww@W
z^Owt}NxH><hhowfXe-{u^P(Ghjg4QyBP}7xSsKEw_7>pIXbb)xxa0ey?cNLYE{3II
zyi!RhUqgZ!xpe7aI1%I$2JQ;ril)kZXTq-$(OEcMJQF;CX?Bko*imgdC1b|y44m*n
zE6^tW+I9YP?iy_KV5lPF{2(-Y!T-qRPF`=^@;eeK=L5?&8plHYrCQWDW#%eg?I^Lo
z-g#=_`4hcU*sn&nZkPKlZO@pSNGnFh`~95&i90=(-%~ZtprvTi`h}1`kG1XSu&Db)
z63)vVqB_iayM}g$TPx428T^K;q!nEIFxJ>41LsVO>pDSQYCw?u{x6IBRW%$YIZ$a*
z()>c1YL)uONzc;{uX+wM99v5lQWj-;Tm0>?&#Qy(q}woMLK0j5Ni}QAq&EB6I!(|?
zF}$1)jo3R~#eIY>PF7%EQiG#O`KZSl`Kx6;&yM_@7?~u#r9X`_krm446up`<%zB!=
z2_W7X%DY**L%zPyH1fKUbJT(5X+u011P0^#c-+(JFjhReWDMP+3#@8jQHs6}BHmGr
zL6f@N$e)ahgwkYRK#PWSCkk1;PHW73wo?K7m5cS)k~aMH$*tV?Q$udqUQrB{f%J!f
zgqjh$?iv?sV*U+!K(RP39%U2{OBQm`pj84&u{!_I7QxGj)?H?k+ZB6<d8ZI}3hFpM
zsczx#w6tN>3W~lZ<8Lk8_XBs?n8-m)+iPti5*>$kIKA5=V>=^0+lkJHeq~W`XHE8s
zk!=-3NZ-1TNj-aO#jA;pxgHFiUzWk6XXC76YjAHN8|dwtCgn5m$Ge)&HV!Mu=;>Oi
zYdiVTDWniS%iqU)!bEZmLjeL2$azysS(u9f@o+DbVkxIomP*z4f;x^`DK9c(w?J5v
zuPLMqPjz78Lq7Lz{GP3sO<_T>=SMVYMNC4Sp!0%{gXC*RUX(}r-df$*`2)EYW+Ewf
z!NIc)DJtd8l-?gWFg6Z#>?H&BK^(JY@_PtBepyv<skTD!Nvb-t0YLZb>3+UC$Ok5-
z&<#NM>lZ2R>0L^SLx*l<*~aEkwzdYxuR8E2j$ix4z0hiP1rncIp|L}Ji#?^|R_&H@
zWzbKlifL-Sa>9kXlL(DqAgMdp*;8BsDss40VnuIO;fd7Lzz0e;KLb)Ve@bugfe{RP
zUrJdYVQD}1Ghw8rfel(Wm|=Y>Hn{LPhynkl^%HS-V)3o@n$V@lKKq8g_W+ECNz7?k
z`d+bLkR%6MT8F>b@k_bgIL$N0rXXe}73iY*hWewg#-ke@mB$}ZJc*3%2f|a3<CnO}
zdxwMPRXLFSFnuVUBMHCZm|@Z@Dkh~p_$K%r{G!Qvp!4F7kFa^&Xb6r2i`TMXN8Y21
zLzA>g?_L6$#bTWAFdTv?sX#QYlq3NfM+4)oSAiEFQs`s%(&!;Ct-#d8(s3H-P{e>c
zd?`J2ZhxNNOZSaYdGpm%Yk>}6)bOdH7PqDSt~5RbMUA9PFOb~^m1#8MP-wC@Q+xHT
zC*lr~{kgrQbbl(mP#L7&m#Q5tHd2ZUE<&HajxGJEzaB8cO%nCGfG<}t@_ZEeJxkTD
z3g|+rsZDD77ky0-a~<Z)z#nshEf|>lRT*@KI0|+$pZwE=9_g_-Y#0U~V!XH8>W@wn
zBFU2F)#d05dyQ27nroLMXk5!cV@!FsR(uR&L-^~yyFNfq<_8@9Gz+>Z=s_!Zo!M|7
zvW4B4E9o{bgDh(K%_0s--Wn2F_SwXJi`w>zQTEqew^@Hh9s<`Sgpzj3s=z_+KbXy}
zi;KBaw!Pb&Zd2yLWm%APSI;uqgjs(*|CZyikplq0Sqle(>jKIfCNFJdi*fd>MFN@E
z&?TlP0;XqR_ItM5y?rqB=gIJ5VECaJ>%sJDy!=&{{miOCiURdNT`@|Ed~tIu@(GI$
z=@~&M+qYJmWbHD70pD?23l6u#rDMw{R0s!QjuteA%A~v|X9rFwPW%X^OMm{vDZLZ=
zp<0Yz)(R|%SYcgTxZsBnuvT(6UV|{-8AL`%e@Ix;?Cz}aBQo871LISRegs_oWwJl(
zT6X&;EZ;3*tqYrA_&BB4Yw7)8v8)VJQazV23w4W)BdF1>8t3TWT5K4qa>U5~sQw5_
zh=x!ReD>en`5N6jSF}yT^Nn`IwY#@Dm334Ov~faeO6GFaZ8iv@X*LXKf?*$<mNB9W
zWzl=P!x@I#`%A`2T(9E+i}J${v-y3e=lhmnGB!-Mn7|U6rwG|L$$$G(M#9To1fYBx
zapYcF_SExvo}-XcQdd9esim!5D8!^~HX5(N&Fl21_6;T~2$$m$VO$3^J!_xscFG9i
zpStjizYVMCA`!bwP&*M8pA`{8u}p1JSLf=2^-M`gSro`VM%9a-uWeE$$b)#MOe6WN
zu4VvpNB{O#;^cm5lEL@_R{sm6){2Pm2$;>SkDn5dJY~XOoZ2>0jV?mzx{yHOj!+<v
ziI8~@`oRFewhvyt<>H4R$=FA-<?el3wROA7i2&j{mIiGml_0p^0OiTNE$zX~2e_dx
z*b+g<t}u8kQ1Z6P>EZ88vv5RiG6G8{M}7qaChJr^MF{-er=q>_$`IN6yHFa_<XvaU
z!lZt`(;R$+@brR|)6U}_#B01*V<7hc<rVFe27chj)@L)==f4x<t^nLL^xlv`?WozI
zD;f|#8fY+;H2=;@Tk`>+oT?7f7jTO+AL_klki$Pk#|S#wa|Y=bWx-aoJf!*9mAjXq
z6@JFU4m~jKgWFvYHpncrJXs{ri)pj10m{p;#qs@pPW<5*WbG|KmJYSg9q7H^UV>ZF
zfF+uYJ#!*8=Axv$`!8S$K8vDr2u|!_ODGb7Gn?JQaf{d^#=ZM!RO(@uhem)+=e-h`
zJ0QEafSn(a?YVWQv_Nua53sKl74XfH@;s;cb`)Rd95%sG%fKP91QPS`XDtZ;9_SM8
z-WWxaY3Y5DThWMT+;Z~{HFd@RD$0qO6sV#qxw}*q+2TDKut?b@VPE*M-7O$~as6^R
z;9qpy8;6<ZDY?eA>*uC&h2neFZ?i$?xfw7&_}1g|=UKy}5UBk#@&M{yx_N7;cL9?M
z6W-}iQO<DzQkDY^I)N$y>Sgn{!9X)Lz48-M>q3h-$$Z|t$<EV-L9k1B#bc)CnP8st
z%aMGq9bDXCq`Cc_Wh(q3bqTO;4sL1S?>*KaWh_mM^|vR29aqSx1p4CJ<%={ojUuQ~
zcQ8|D#k^nLhLr!i9{*#asezDt(4z9L1Dw(3^A^F1tG`Jj@$!1Cl&$)M5WAIIH`)%s
z9fgD+WA(Rwp_Km5PNkC`TCcKREbK>aNU(KBF!1;spTKw=N_Hk%M&i)_$>i!Y<sG`W
z2qMT{^p3UFNrklg#t*%h*hSmgD`9FK?)J8KpL+eKtmJv5@PLDVD~$}Zlnt+Jd{z|?
zRG#uWYG<GktWiSzJnnOg1(+AR)lHoL#$iUC5_tp;yt~Beh>seKoR5egTw5nwa|W3Y
zsLP*@LPb*&y<M^#2`MjY12G21p@whozRf*;3CE=MSN@I+hS+_U*YI5*^|+MqKbF2s
z3(&F)U@+p=RM?RsR{5MC{fiSs$OgzmS?Fq`9(vH}17mv;A9N|+H(<TYuvdTMouPV7
zNVa!<`hI44%;R+5ZAs0$O+j!F`T0cHC_X3PtPDVL6zHf3%2!F>a)I0<+;*L<pQ{kM
zbPd@nYU)-@eVy@C9^H}5C9wToq*8Xl1dk=ZRGM#YKD}a|jx+O{up(G$g}~p-iIndL
z9DU{A4|i_{*?t*ie9?@E>lf*z7e3NG5-o_u#q>%*`s$Ei8XQ;G;is()qCH<4lgqOs
zEzp%~B!ZD?#6CI8WR57PztkKSk&K=SzRWF8b3AFfJ&QKU*WZcQ?2qzrYui*O@Wt*!
zOeJ62hhAjvL=c_WGNIHI|5%#J4mbX%I8&0!{BA7No08~Xjx4A!m2=Fgp|l+81u6!L
zL?BJ@RoA~yf!e0Fc0n8P-$`#oCIpxs(bt#^*51~r%N3U44`((EJ=ZhRlfie~dLDjK
zLxH2`*8>klJK*han+`*h^eBhTe9WY8>{kP45f2-K8?KM$*49Mes>7*s&rTP718oB>
zP3c-Ty%WCzJrI+wJpaA%?17amO;KSv<<lcn!_RW!z=65ey9Lj>5qhkr;}|mZVnJmZ
zJf&~v?i&InpL2v9i4~E?@0o~42GXm24jxRbb!#z&cF&b6fBiD=VYC;sZ%AwKCI*5P
z>=acIE>$mm3ja6WUg$ADQJ`-&hh9l(Q50!11Maa}O>g2)Ypc(50p6Fw$`&{e%N_b{
zRaBVzr0s&F4?M5_TP{mWff|OO#;`w!)a~d!hkIxCe4q)uCZ02EV2FZ6kt0ZZ;$-#J
zA*JcIvdcLY81dqEwZTo~DBok0vAoEw(k_gDkqf+zdF`@26Ck|hdVsonK|g!Q`>GTR
z#tgFE^DMF1VldqU(n&sSK`ie-Bi%TTC5A}5<6}~!lbI!l!hcO>Rj8DHidBpu;D8~|
zRgH;BxO;kusu0-XIt=zJ%zLJZq_b=oaaS}%GP=out;Q`?C2+3)4mznR{)(Ym!5E%R
zdglY$!J|rvxQ*m!B(1>0wIc3nR^sz7a|BK7>$XRc%nX8PnDu~sX$5YD7akaP+Z_T;
zFMU<-u1)2nPE)(2hNYPSjXD|lynqf**lg2eXbyf9E?TxBK8@j6Ez&G4%v8X1tZQ(q
zGLJITypA%<n3`v``fachpwHuztEVbP-}X1z(<zpK9L1@?0oq`ZT=cCm7N=9EL4xcE
z>*JDNtb?DQ@uB2N?WEV+@&cODjTosW28%;JYc;@O+|B|r?`Rv8;mQG*st({Q-+j0d
zUWc+Qj-dDVZL$O$@i>BlcSF+%W1g(n=E|1(UtmA5xPYdV{-0=pX5&-`v|(HKSU#?8
zhePX@3#zIv;P|H1S;Cfmr>1;<#Uj=Rt<sz9(3fW%D7lLqsmn#rq2z`0neYW{59#E3
zF=_nF{H`=qlhI{us=4%|;w_6~;W`Box)q*OI}>}l6hPH@-jWVI(!Y52=vJsDMa}#1
zC`L<y^Xt{>lhs;;)E)DVu0w_HpGJXd=FB1^OSk=#m4|GoL7|uBzT;l!WhbyR^Ul}j
zJ)Gbs#{eQq<k~XqcgN`MvEAxly;=yI2w}<&BO~jYDPZ6#uRryhtwUwEM*&vum+2gL
z0?`#J@dWT)p@VGvOA?!H-BBN)Le9a1I9dNYnxUQ<4lNgE{o0PvZOTj6%b1VkA&K`%
z{`Y6&q{fgZ{X0W&HQ-TVaL0zX$wn~ie%n7EYpgb;uP8lXN`!gqONS{M6XOX37vDuy
z$K&p~OT%Y8&`i=R*1gqESAT?hd)MNSOE%8t?Wx@)%v~-pz;8go^Ah&K%=({)T~3d9
zkD?j!c??A;#EGTrBw#ih%7p`BdoAK{r-L4EKvha8U#(PB8U#D{g%FM0X9M246(_*+
z7an+LY$ozcy6qeSEpS)F7%qS<8!Wb4Kw~Xw_bHIe8o1l!hc%UbD~-X;1LHUtT!N?w
zkZx52l9)jepHqoz7ryZljR+gsG_;`Isnt7nsgIgpugc6(Kc*fYQecR<FTlMh8lH`p
zb#pVhy*ZovSW|mgk-I!x$Zz3Nv&~knE{|b!b|tK*q<sqJ+5{85@v^mcq+}5EoVKN;
zR5{oBEW@NrrIsVeD9J@6B2&o8B*h0ZiKB?C$(@>MB|cWGN?V2FG6kxt&1m$MQXl`;
zl$I$V*MT_ENsSP!K<0>b8UzjPZFi?Hi4iF}PGAE2Iy6Lq{7gK5qsNB^ab0XdV`c}N
z>zR>J?w4!Vk%Rm$Y$_nmLKq2hk1O}xh=FmB%%qx-hl5XKuiULTj&PD?VGwcDL##MY
z&GOK=cG?K#6F8!zdBqkw8rPJHC~SHoRx+vLX)&tgzjy_P+8iTKxjFgc?U?^%qirAB
zk1gsJ%fLFqpa;fgLIJOVTS7z|kseOKWFOuPFaMsUL4mW0buy%WSnGwP3?L+V+hDWj
zaqSB+o9F}S7G!Wc-3>N=j$B<unCD-5T?%%DY|pbGvX~Hc#NmrwuVjieer%sIAuXK}
z0WFboC!sL60cvf!g;~AXYKq(!r1l}3G1wSto_}*P6@Y%0a-4Mmqo4`G)dbm&+kgZ+
zUiRyLh*~dfHv7cdgIz%nDoOJJb}T8^@?)}at%NY~*_iMmwZsTxY~s_op+AqEc!`x_
z6yr6S0X$!WP6Q-nx~IePOJ}sXCmWFxIIwK&Crz|i1ZxHBuDnmTg%Mj4NhA45x;N7@
z&%lk&#C%PObubJY+F4J?0d_@c0>vM5)gezyA~GOkY4?hByjcffg&>jt-c)h+12v@r
z)kvllMFjj*0~zpS8OIh9_negYW>mzb7&OF`_(ZsWT6|i$C7bAkt2TmeMJ#_sq*$B|
zNO4=8m>q8sPMU|4?N}!YGdtMe+wAB3VH`yYsk(&e8gf2(Kj^f*-$L@01Q#3()Fvvc
z6czoa_GdD_zcl_EHe*487D!(C6XugD9U14msx+IEmWhtEuo#EvjPg_H(=e$}^TRqX
z1kZ)#^!?n0?;q(DoOgG0SjA^hGYm7ev!9<{B&da?`+e%ZlBB!;;V&ATraRmCwte*Y
zEi?n4Qu94~mz_2f=7(`Ud>#C{=B)TNHkD)48^W03&K)X^@fG$IWgJ_zfb{ng?9X!8
zW3XU9oxgJnFju`7g9l788<c_WQ(VL<jvVM4+T%Jphmb#?MFf0ZI`27Oj@p*BZD6>F
zDCXeyIwwrczr!t);KigxVVuBlwYx&L(lpohA$|YgfJuAe?rZYEyB{FLe_#<rs4s?y
z0C}L||7$T|4^12~%;UWdxF#o#Xg_@#loo)|>LY}hLy93%3=I57O%dq+|3NGwW&bR~
zo!NyXu;hL}`u5Tld65@Y@&h!Ta4Z;dy=ij2%>KRex=G>ni1tD2gX4-Bj=%Ej`vdNZ
zOg<WWd2Yo#<TFbyb!!tYvR>ze<Q=v^0<qPj&&^mrP1NDrZgF+3_JoL6o`V=R;Z!UN
zC^||bHYQvY%W0jR6_JxXh&&AeOXwqz8r!ttF6M2Vp#$vw(q{K^(sS0wKRIUI8<A4b
zjuh2eGQ#2S>UZ@i^XA5@S~5^onmnBBL-M=|?X|32RT>g2_qu5mo;(#!y2X<@B9To_
zaCIqW$G3e=!lb-?MV4FY*?)-?b)R#ctcCD9j5PCF3LVY}`uW58xkZ*}Qj6qbw+nmJ
zrfA?uSIA^ojZ1SB!pv!q4!R?j2)f$wg2<;9%tW%%ZETZS#0tEYHRnnchv__a^#xn>
zMh5jcu1%v~Ig@<oH|L@Wy6Ft~p!V%kcq_=RhYZqiAocIR3p(RxXN2u;3UmH>j{;d_
zd?;^hJcHQNr<#xElmvX+_Fe745QkI@{Z0_4kY#uk+SL>NOgMt?s%lAlX|z|hlkKNP
zr*VTW1Y21yvJ2=Vj)~Z#;!j$<2u>@E?ncYbU5H6!o%x?cJB!r3_d#c6Aj@{L;}gga
zP2#Pu9d{a0lb(dKD2kp@-A~{TaH#{i+IzvuMnB>d;4_^f*kp+6^P}OHdB>7-`utfX
zb;!>a+gg{xK`<gAbZU0{k{L#C+)QUf^jMdcI~~u3-*f+(mqspazh#vQoiKfxDFYtB
zFfPN$#-g;LbJF|@uKG`#UCwZ~f1%{Kn|Xb^!m>wjQF{l*E~@eeAvgVIdb+5|^NP2X
zlfNB9io(I93yiFm&R|{e#wud=MORDahjZSUpslKGR0XyC;?;lUg`(?`#P9WFgkQ1F
zJg1@uR=O<<WBgiI^x!^idl~w0G(LwqH?2x^5ox~>T=-4vL}gX7lHIk1Io-f?n{a1j
z6N~{pY59c&v16*da|zZ%Ou118z4=LENZ<lgo>L1378iD|mni9>%un5ZmkjZ8DuePF
zAX_(c9lOG2yaPC9i6;|J7A48?$1^c^#=?oM#yEemuj>p*y$bnKZyw6={d0WWlJS!I
zudth+<9Ei(X~pQn6^AI~=rPiWP%jz(Tf#9yHv5uKmx~eTk%_}}W~_y+{9ChJ#6&c-
zHGGe76-T)yY(Op@1EpGmk|tM(7t1kUks{9W9qm8${$c_`@87vn56w#OIlsSDv4~rU
zVvx)Mz3X#VKhcM&_QwaE#`dO@b1tHU8#>Bh9;TU`=Ko@{2+j}v&Z7A%?F)Rh<QGT(
zoo**pMdbf(dMN)B>0zV)uJ?In=TQVfX1AT{QFq0C!BRec>^fWXOD;AA35|wgyky`~
zI!hQViPlo45;%M8oA@?KVFM9#<!u~To31$D5Ry(ugISwO6d2;bBrqbFT~ul?{im<H
z^p#wNF&%xEJNocX9|q~%G~lJr6g*qFt#XC*L{Izn$nx)|=9I`egQT`GWa6GI55lrJ
z2)JUomfZZCAJRfIWgm<*4y53%=Rc`!>38fiZOhV_k1Ri!kE8>=GlCH}8aL|88Qt|E
zs+T$oj(sw>e%lH+FlXTfvg&uQLB?#!e>)bRwyRJmS(649so14P`xyUov<MyO5GC!}
zNsrKeB&<<GGjj-f=&yQU!W6`>%ikAQq&>3A|7N18Ojm!Et8qy~uSt<1dMTjg|6Qge
zPc`(ha+n_O2linz&Hya@0R37-!n1RfCJpML&%A$bS-;%$lV2~+m$oUKFIb7i7<<$x
zBl%kYF+rfJKlvoRAj;{@<c_Q9yHy%({xUJGkcgk9Y<|)RW)4+{m+{D4RJf<lR5b{}
zTJeQX)I22-38K2Vd9wxaQ+N7>$Y6!(gI#(hl=Mamq#3KVusAs{mHJ)<uqzb(hV)Pj
zIbLY{K#a1e?l<+<Yh4#bC1*wvBZuDN{Kldnac)Vob;~b{K3z&RN(VV4L{!(=nfEXD
zPq+52_?OVOzFBKN;tQ+8Fl*jS0ky1^6s5||KMKH~m^srH310g?AfE(<o@_S*k8Pz?
zj%Q7k+4C!wwaYB@hqe=6^$U|<$!AS%eP5x%?jN7ytK8fmujGfFd$(|&QJ}?I9*(&p
z2hF@$&9_4@Lp|`1N1lh9n*#6cy+&J2=PR~_S}bN1+g_Fp@>dElBn-MZO#rCMQ`4zO
z9%D$0+G+pd21u&iy+6v&^+?3e+3v97ylmg?pF{mw{@35(k`Y&$^dX7`G?;D-Glj{B
z=Fk&~l@T9)N;+w)v?EBT(@mPQ>Y_blNOd{cUQk-6cn648UhR6!MsGLQ2)Vr6h!9?H
zoTOG2-iAZj7&gp5YD8oNaLn*yO*TN=iC(%p7(M~k!>2KHUF^n@Nr>}pg}u6$11)Ww
zCC&_C41T^2c#og;ca-W`arKLFHs+CVp3cE&c#h}kyQq)<hH&2t6HFE8rekN^xuQp4
zx-e!6=g}?wB5l&r3dX*MrM|8$T(65}x%ZQdFrcHKP~Gm{ZNcW<^qfK<-B<C9Yd8c7
z1WLeVXADDoBxe?Z4KfHA9>3Xc`reB@(q)?dxIM9_{WbLo7R@%ry1~m%Qh3-c7d{m*
zy%E^jcA8S#&2!Cyx}HEu9b2qj>x1o75ZV3&ny9jNuh6EC7sT|Sib{~abYI=$d2V_^
zY99~A(?A;S%L9AhRU@$P&`CE+!0a)aPb`T0zg8+WAs!{?e1E*iVA}9F(d;jU;RCst
z0_jxd7P82Ji1T*fC2=`jz(QWdalB%FXqE8xkXhy5w&43_dvR90_%Gsd%?Wd#A=LV6
zI3l?Pqp+V<DiD6yqsK=pzdiN=M|f9}T)V5SW-$Vr4BP99a>Frmz|FAL6p54l)Bwtq
zZ&u)?Mie$f$oH^&Y#rJHUZH^lk`Iw9;d<*(7hekFU7?y<*5xvmiiDDuJhGvrIUq5U
zo^^BaK>&&w+!Wq<=U-QW&xZ})kfMCMFNCD)a}9x87?YLQoSV0H;Ox_$%4$z+lFi~4
zyTc%k?5vpGTM*fl&o1r~ANz`0)>VG6iG%D#t+TS%U#dSXG^xUU6g-8_8kWg3lcp;|
zoEaBUWd8-vH+X(Q89cFImwuR<EO84@oeZ7_S~!K|T+?I0S0tYuDx~E77WAsNeUqYj
z+-=WxQNC+FYKN<4z3;h4x%1PpGZc9g^{l3nZ1wNA+B8L30WMdIH^D7fIrQdzdHg|C
zS0^VL0H3pMH8UD^2(FfwK&guwv^D{umUO$X&A$1$A{lBe|A%dbrhOD`AVmUeem!E9
z|0_LtNhg0oD|9KxMp2snjE!Bq7-SJJ+lcl_X1Fq0^H-h%o3eB>*M{oS`xaq&oyl3i
zr{$M<;OlB03MNk%iWr}u7db(_=t%tm+#45Jx&=5n9c*M-92aqZGy)>Kk`Om?bFQO&
zz4NQH$O_FTwidv9<&iOm$4+ww!g}^hu#uhVT1FT=T?9yF)3pnROKUf6O>W|4K5fza
zis|3>5YCHp#{I3Ge6%b~ilCXXNySPup>R`+nuhFnJQjggQk)d56dh67$?nM9@6v^0
z(C2^-Tw-A)A@e;|;K#c;k^unf97N}~r|JdnaDN<xyEd6crrQh)xX`Zz@yowuZ3mD8
zG9n(0uo!&#Fzr`^WVS?D3B$CQ!(5JNe*s3-|Mi5YQuTP~U5G5~$WJs4DKZ)#!2RE^
zY?~CCFL7`ypV}+MJ#TwB@O6J6bbn#h$ZhLZlAiG~%*xT&^aS7$d5d28V2=aTc~e15
zh;p1_;aIpm2wQMGY!PJ3*(1-7?b$k?i+o$FU70%JaIqT&Ei4Za+Kge^*`an|mbg!f
za*QuwO7wM*t689PvbZw^60qyJn_L_O6L5;={b;CB&Dy3;xaozFOyw=45&C`-VCGfR
z4KvI6Vdpg^;VMRHuqQ?|G=!+a$Uj`R^3awlrmWW2ZK9tjDEQam{dBXp-iNaiT?lLD
zy!jb$=lC>K|B4tm*HHO9H9GCmfF;hE8F&E4Ik-ZLbQLBW*<t)^X&ijp({;~(JvI;6
z@@WAt-Onh@WNihQh3vKpS@W`o+BlvD>h?)m`$dJ`EJ)sC<m=p^DXlEG(p+Bik&Pj7
zY;uvU?cmhtf1>M09L%6a*yyBqfW+<$@X<eoeoI+hJA2(9daDBa>Xnns+eps~pCu(R
z?i3+q7;0g3J#G0fAmPTRkrZImGhosKr4{RKE}SHP&SI)no|qMEq0#y0dCTiN5~YGX
zVOHMCMebksqV_9=&I$tJO%LdB@TJUVYsb9f9_N8NA}1H?#3>DkB_*W>^^OvPUKq<L
zw8{d8I6-Xhcx2h%&wjO%&MJ^yIi(~T`lX(xfyUaDa%#3QRl1(H;GGC`V2CW=*MSNS
z##!F!qHk9$b&X_X&eIBC!Ta)lv5hsG8WI$N-^)EX!Lm)ODMslZI<Aae;Y%z6_+P&t
zn=H6WqW2x4?*?e<zqgj6TXZ=Ivdf}=D(aiB0X<(kRb{ES{flsxM~l}dS$RH|KAN7g
zq2^)JYw4Pna_3A9+NmJ)@<W|hlw0B9)42~MFb0kiw#p?4##a0@{IxppA|aPn1g*{(
z!&L#-O|S!7kCfeFi^nX;8%W2s;s(>1NJ~4y1N!7rK&xcm2_K@Y2*1Em9_ke6(dX&|
zDNN3;(ZW^<-wAO{>G0Ya$oWb)l5W`B!NOCShiFF1;g?uL=D%%9iKDxtE1;b%CC<iK
zuY{bmgf%(`BwfguKv0v4q;tf4>K=~^9Wvi-7Uz^5iu%ti{Ar5=_?@j3aU>k(yWd2s
zVb6BcAuz;KCURnJHvMmfCPc=0?LUt(;O*8%we;w77Px!5omP?6@6W*yxcj@9>KDva
zvi9d1LEnqS^<w(hb>Le+%b)Y;IbqH5l9QwQ7=3UT^$^6fGy}n%=P68@a&gxAQHq@B
z%o`;5w*`!mJ8kWnU)rL}J4$#%yCEtlMOlw}3xgw-1e%pm2lH<T|Bb;n{eDAxjTAua
zHC{Dsc(Z&Pu*qs^^9!E|$h7HFULk%;ee3tW_RG%I2+W=ONa?wyU!^QP<*MNf&#j0X
ziPz?9w~oY3^8+B0hszQPH@VHZ>E@*dXQK)NT#T_=^|;^?N3#iRDW3FbD}togr!@i9
z9iuQ4rRXM&Ki<$8t%`KZ905)}5eT*#A?GKLZL7_y2xhfPY^SV))k>?$TmDH&{=+kx
zbbilUx%zFhHLYOcY8dJ?IraJ3a)jo961p`$oi&PCsf@~5fNPn)Zx&B)^1Au$r+BEg
zTi?(^9hyZDH7p80o|Eh`_bs38bLasNjCa!hyj7GODa7h_j^&Ie@)TepDAZJ$m0YgB
z@mM}>Q+eVS4V^{4H4mBgXMHOI$G*Md9Gwf2^Woq1-OOrR#3Dp@c^(Ti_%R#wxW0Nu
z?oMV6N(p2Sed`J#>yoJ1jDotKIZT~jH1!bXaJY|4Pk)du|FVFTBP`)()z!D)&a~c(
ztS?cb)qbuk*Vdtb@@Nj2!6(~VUe$CV#ealbxwkpLaaC&9C3~IR#b~<P`~-zz=j`_}
zJ_LJWEn*5p!!?4EjkA_f)(pg0VFQ#%AeiJ;rikrGgqkTt397)bKvc+(ZYXwWJ?<X!
zvi|$T56MF7Dx<!$CrR59+vl0}9+a==Dx^a%o0zZX>Q&4vr$g@5=mGceljaVKeaMUQ
zy9f?Gvz^{vO=*3byFM8%RF!aj?$zE2ia3*nsXV>mI5%5V4lzdz$wQm_AL$CzEX?)5
zav*A-dp7^4ZE;FL?|V`fR7z^?3iXcynb)&J!IzrHH338XU~7Ma*Bgy8^6G!~w)7Kb
zZ|G^(M{+eO11sujPnGvO$>*$`f9+J0T7L^R5_lYDyYn@|Uw{iX(gflEQ~YZI`oD_I
zJfJDWxq)Nga$EFzP-F8SMu7WS369pMY%A=v!S=-5KA5=$Wi{bn-r!%y6s<n0gZlYy
ziTowBZnt+H6Dl2rn20T4Fk)J?U*6!`7vi`|fIBp(eXooH#TRLpgX95CyaUKS#<nm!
z59e{!P{Wg;|1hh_!uc*I_h<BKTwAEDr9qeu4_LuQdnX3xem5(gO+bmq3etY%Iz`z&
z;i*~XbE~?kk<`m7<mac2gcgNK=ydR1H;2?s77Oa1BlQny(3c<PI)fue4t#JS4Rv~h
zBb6!Qd;O?nyt4tLw{Av!X<+sy&U|1d7(e()MC6@b0CJudVq3oF>;xD6P9y-xo-I2&
zb=(?>yu{-XTe&<8+PS~)yPprf6O#8cN@f;o^(g>WuN?e>jo$4Y`hg7^7saDKG=E%)
z6y;`RYcmI}-`>h^dkv+6*cSq-u>0J7rFz;g;FNpXcWQQ47Ze(i%~u83C+F$Ch7`t0
z8f-F$D#uS}T?R-`dltiu1bm%rEA{Qx<hG>D{|{YX6%@x4Z@mkI#TQM`T_8YkC+Ok?
zm*4~s?iwJAXOZ9#BzSOwyL)hVm*DPBu*<*dyASu_dzq@~>F)Veb@$9U-KS4W&tAoH
zP?v?~wQ`AXsPJO$?4+NC*uO6OQ4BI<3AzHbHgU*U{*6+8P&3r=-!KxmLS7xbXys+2
z%u)mcUf%tt6AoB&szxmau~BrwPqF@M>?^;QmX>T*DF%_j`A9wzRwON%u>3TF-IBsZ
zlfSt$Tk(hWYGpFYYS>actC!C5ym=o*Z|OXs=3WKy!iJ3vq`BtDrYEG_l3HrYQqKvA
zAGeoCZdPKFeTd`PLlaeqr3<(+y6}wNX8t)SAmiTbvAORANY4BnWkf3yJ_^kFFfN8c
z*=pGr)`mCQk1JIi@mu2_Urgf%srE;>3$v^-jyx#&ds|o9_3Gb_GAYJh*3C97q&FhV
z$dtVzLubLoUs2e^)of%;0LyTV%GK{*wlBU~q>J<WEWBdJL8X28s%!xgsVkgBZKeEC
zbK`d<N?1M8Ts`2GtX3{L1ugaKC!3rq(|4S5SE#zhwp!ZDn`ezVNs|@p{7aXq#DQky
zZB4!d8fT7@T&3g{X%5QPWOuKa3L|)+Eztoz<J8C*l12eX^C@wgER%PDjyrie>Sv$<
zHz=F<QKCpPuPj1v+vO{tK~kf^QtQ-|oyC<maWl_wFy@0!D=<N?y4j-lG;m|GuhFv|
zKISe(Er)``@pA={U8goR>Zc{5XXfS#C2taGCN+57OLd`mGV)Mse~g7QJga@?b`S8-
zi3A{x{v?%&{~;==B8N^R&+wh44tEr76_$%OBeu#1%vsqjgX22C-`?M&fpw|wa>qCT
zyA-W4RKJD+Fh0s*13t^TWhys(5Pl_ksfz@lJyDp+cpphVt4p)Z=#BO5>WQ=3?D*Wh
z5w;|Jf{eSI^B3@smN#P@RfQ#Y)v`~K&-#vroJAf;87DW;n10iDm)odG_7m*EhpMGz
z@eZE(^knBSxa8i#@#e!>a|o@}H5wp!nU1ot`-3d7ALVV9xOJ&!j$qNPJW>W9a@lu^
znpZj3LMY#He?q-lyQ&~UF5n)QlYIqh>O!js05N&(PgvrSr=wjE@OxRQzU4u3W-vP^
zc+g!UU|63I1)9r^%_O&{_@>n;y0A{C5JE)|K4H81jrCkEnrzrS`_s~0jL?kV4j<&y
zCG}0@sqtbnl8O)Cyw9OnkG9G_0n_}LEptH}s?9ET)zs?hz)<R!vO=hOWAw+Pj~fUq
z{)30_zAU^|lt}&YHB-Hm9*_m%H#aws6>ZN2NkDXHuq7paUQZxugl5PnyE+by5i$41
zHfTy^&`~h98<;F6SH+qBi+*;;tmJ`D0ZlU?cD?%U8vFC&yT>A~95+^&<EDrTsYA?`
z4goGHRGe{mCa+4z@`R3i<J%8~s-O$+HCGH2_z#XItFG5^>9y>{tl#eFbH_;!Ixen7
z<=z3Go7Gr%-jcuRQ0)^!WP8=>(;L&CHqI$&-gr2hx1u&zX9TZC*LtmVB#<}vdD_1|
zUMv|ma2w=p*v+(1HYtQbCu6ey{o`%%F<)aTNV>Xehs{bBn<l`%FSU>m{el~Ttc{yg
z=RZ06)My<|0M^|Ep!)Q6wdPV9@)|Bg0=N=AbD^xNohhvf(jGo|R!Bbv@s#gOaBn5N
zpVNHcr;c||nU0v!1BtJ!C+{nHC3W!?r;c2iyx4TFr!;DN`R^%{IO5tBF0L&P5<b-&
zMi+1FA^*&!rH+x2`?0Kw&7`{>MXAT8C4xa&Rc1&4kaMGgE=O^DF331c7ja$f8oe*P
zUatu$8G*&co@9H1s-k~T0M~38ja*ZDtV%v(1+L6w{AjR*PXP})xNb5wkj^QjX;rrg
znXe$8>|9skSWH@ZPd(u3k)aziQTSLGuj6GF%CzXC0a8!xj$0;W>K0xkW=qERHC#UI
z239ZPAiS(pv+0>BWHI%~JOUvM7Ej#S{N$%81fSTziyVXFJB_FF2f#S4O5RF0;1q@V
zE%s#)59#%+fSbGJ)FUn1jOaLB^J`t0zY60!z{{rZy6$yxIQ{YQ{*DiT0gkzrwNtir
zJlI?P6>g%ltg}#}!^uk~uUogAcc?1yv`|s9yl|mfLbE>KPq5jf{o{u6XE|Y$P~Gan
zEL+``C*FEm0W=TLcMZ&N%A^N|+$2|VvXfH_N!~mWvwljjAX?Qt@~zju25ezwE${eq
zUj?mGi&xv~%=l`9eI74PW)=~83*hK~&7^n)6cJv>{!B6CC&_;SxC9}sQ}45*R}uxS
zBnt~BvTpM*zMnzJO%}m@wL+l+EcGFL$Rb$4&UCI~xTAn*mAgn&e@Q;*qM|34=P3+=
zc2ax9)Do@3!q&@M7w;)T4V=~<^7@XG0E@<kl4B15GY!I3r^l~;txS4g9iWTzW+{%P
zYTaK5`}yA~rMJS`mhHoG^cBkBWB!BMrHLO!@}6#olCslGdmP`tmG*MYQ@Y>ZUsUDc
zN-?9w8y#6>*fNv<P!RXG=!>=X0_V#b#g)7Bzw?%O1)iN(kFWh)p@<E06iRMe0X$sK
zC|Kf`7)Q8~2T-ZTUic~_n^AQBG#D;A%paH~{j3AK-752`+J4a~fK2C+Uwv0(x}8F<
zY~$(yU4(0wXx{5XML4TUzTGvVbg@-MvtfDz^2PA5p%(7`sYfKsk}nnBc*4-$nrq~y
zgb}9yD)$nUYRFm*gPfj(;&{8)kkdF8wa&E!R-`F4R{7^crlxc$q2=Lsm7sImWSO|_
zez}rN7W><)S8EwdCoYP7O2e~`zYHTG3)D)XX&T@OM>1rsO8y)9DPJxHnj#k)>m9w<
zu)=QD*zl5qx{w_A<C9PQ2)-|C^D!GR2m6UYa=}WWC?dBOotXo~SG1dvt>2EI!(?NC
zi6>UvPQHZSQb6*}#12G36Xsay=eN+ef|R5I=G%XjS530-&nGQDz<TSe2v&W>j=r5Q
z^C?0@IXDCwDh=WuT%cK}eO-3}JK7zyxecv69NFjCwdS2%xy~>j8=jE9b+M?hIlcf)
z)W#7nX-!Rjc$=v4$F~;L*`>%%WjZr~coOnH#P?(K1jt_pTsF~>lQgBC&Y#ciiH(df
zP<Yam!rA4`u^LE5g|An+uc#K3O)b^18}2eE5jC&GtYKRK;m02adx6`nPmguoY1?XG
znZ7<I;U=1K>($mj?uT+ln({b@8`Wvj^N?VyL2sME{BauevTRVFyKHF{NLiZt4#wPF
z>;6x)(Su)b60?Hhaa!}t4o7sFSkt7|!5S((p!?~{1Y8*r1uOStnI}Hw6+7u*#)#ZD
z6HKjS4a%8C{zZ{@JJ$9a^sVhv2^~S{RM@uC)A2hbyx9e0Zo#zd542iot`iU;jJ-0y
zB|&|*bades7B`H>yK<?KP;hsaPv0-1FOO*`(u~|{7B1v!ohnSk-FNw7yMcbaR5gj~
zGdMfH;bQ#7{_0hc=$frw&V)<XJPD|UnJf3~c|7VHTs&ks6-LDLlW{jeq#u|I68sgw
zo+G2<CUF*pa<oQvVz|1>{C?#%B?qsdk(iBN)BWF?xdI&G42JTe!%aW)=?>XT>Ev2F
z#>8iH3l2svfOZxs!V4-=i~WW0U~2iGJ=n+N&jqdC)Bw|(f53o|FOQtxbCC-tjHZ`e
zGzFP2_kdk0U<yyZO#S+B_=+|$_X3i;17Ghe{l?u<3&!D3MJ}>gg>nbCvzP4$)h{s7
zW6kV75*P2_2-v(--RX3(w}g1d(16jNo9jYN{UIg8P^s6?XJzATGX=MoVkD4=8d?Lm
zq-8*_*U#cI;?Gg_AnlSw`8F*o|KmX$`J+uW_qS11XQ+I0eju%T;n!7Q01a?S+N6$}
ziIungofLh%91=~xNU101&jaLBc~t_NY#GoNov?u1sBTgAbKL&c2nzK^s&B&|6w@D7
zk{P~ZM5JFo_FL&A(Ql->e^KDZJWyHR*IU>V3oaTpW0n#!V2%(>dkqLX=<}Eo`SI0H
zy&8r`!%*zTUGa%VmXhx44;hUf48U`JK|P>M%E*fUX1^CuM)UQoY!7G!oAGOQ&HDc3
z1|X-kvHgkGUnJK6%{cq^AQ_q>AJaU?Op_(qNbs>#lF&>|xJ~rau?DuJt=~&_N+IRb
z{F={m?BDzp={_UJYu;cRKxPnECdB8QCuHRiKjXx<8N{>2iI3+*-#?K^1ScXJ4f)#z
z31QH8mA9vho}X0k<@!I1qAQL~C7yPcpyqN{#}X2tenq1r#AR6dD>D0hfM>vEnbK(Y
zbH8yq@r0?TlV7~Pd$Du#`-@)SH|T#aFZ!(il@DaRtoXxTF6X%LcKGLRQ_el-7d=74
zAfz0i%@y2~qf9n=wjB7Gk;ufM1O(RuzX%VW4^2r;CYg_;h2t5M?L_Q6!}hVS6X4}!
zMR@0w9M8T4<nOSL#1752jy4nj+|wCusM7!5TU9MuvDY7hiw&>yw@TFpIdtbtVW}H(
z*ZQ)*Q|p;yxiY%i2@Z)i^l1snAI#p)gw62^!>XAy4Awg9abe5ax(5SxdX}%ho!p11
zNGZA4*pNNeIADl-^MpBUzRwF?vrAcg%7*3TbvO#b=5CLSsW%;b+x!hL?i!>!;q4R`
zg7V?BJIMqs^|&m}Mbr4st}RKgl55OaJtinFDW|~G)+PU}P%Pb6#HMY3O($E{_<eGr
z;IpzR&_1aijmF*_@i(|fk*MfaXWV;U>*G1g);jY4=&lR9?Uj)1i|~wwE+FT`>xd4#
z%}o@(&Oo1XPDv9-8m@sK#6oBQ)yi-182Zl52{Kbtb@jWqF;om~%#kaZLF0NcTjHi4
zk4w`fL71K81w}B&ze-@AOi1)W7KAu{e(=l$yeUJC$5-P1kBZx+L)jA-E0DS<&_LQ?
zkHrmn_|K=NmF4yUQe0;4H%%Qk<37|AQK==HBUuefzuV@*2U;8&z1XW*;46B~hTq4Z
zR-Y)R5UtFE%fmA}uw82rzGcaBvVB+0S?Xn!@~mqkjf0Lmxzb75KL2hX?(u^c>x!{G
z^Ih+zD;AgxSvT}>J#6cK23g$Fcg$zjvo7*_=N{2Fuj3$f{HpQQwA_n^I|T|q_0iCc
zM=tSOVnM0uh_HRHy*n^Y7i2W~31!;{e)h*g-GNm9X6F%!Y6|g(pZmxMX(x~ghKAkx
z4#|1vPzXQ7brI@`OP^X&n)WMgYVk;tt76_^mUj%DXK{QIEyyWfy*tU|qFxg<du`+z
z6fkxrIT`=)po4@v%_rjx?6DXW;zK<SuEuw+o?I3}@3#hHq)BFuVY$A2X<mBDy4izA
zxAL(fcZvBvE3{5N)#T5We0^d+nzA2(FCDw8GPaSJ%nA#|*<!3(voTPQYHk57y$|oV
z_%g1a5^p(V_x0v9!PJ(xn1L?1-`UtMdtUwIZ-lugKmTlmbLR0Ui<*>!Qf`j8k;H%W
z-nu&k&$2MeSxK1V=*ZAlwq9hc>X9nq-!%lo<~EPb-Dx$b7geNwhx7bn=ruLD2EXeX
zK6c7xO$zKpD+UO>@NAhB<k^EvqEH&^ThzuWGrVvq)Ve8z@1xr*Dp!cr%WTh&*4uN4
z-?~w=|F9mmZ+eG@LeXakPTe%(u+8^r^rd4C!ySbh2XPL7y#FSuGa`ChbujHSAj9kL
z9e+MY@6EsgGVj26RL?hmQ`p(t%OL<r=hkj}MDgFrQ3;Yr-1Acrs1@J;l^G${{(sUV
zXYc<bNt$r_y>6xVlY3;XD3n1jW@cM8sdF~GSF}$*8?sqKl<|3Z<CAI`xpE=gYkKp7
zZHTEkpzLg3?7zpv+g}m>zuemil#o$TQ@c16m{Hq1h)KEzZ~zQp5TgwSzb`Uo=sq@H
z^0K4=&2>P+8MCYr1vxQt{W($?EY_wUVC0pG%$Mysin2=b%V5mkg}8^mmfWI)G^Y|r
zbpDUg4yBGcur?Jbqs~&f%P;yQ4DRR1Afkn_kwm><;1ujeTqIARaRwOU<*W_l7vqCR
zaHM1ee3|@qsz<6(I8vCzrWkc@(o9Amh|^wH63;TtjYF5a^KCN!Vu4V%hn7Mh&^ygk
z^<6N4@x2r-(}#2sc*|Q1!NzxT8o2H{Wy49b$6=v%GppC=f6|RV;MtiF5Auoj-AKXw
zmaS_f%7ol0e*US7{l576Ft>tu^<yNX&q0Mv<5?qj!Vo!xeyjY5ugzQUb<aa>Ov%1U
zQPNfmU}&+I!RNYS@_WlpQ*LMsuczIpf$pzx^n}V=MhEZrCZ0H}PFBoEgNI5y%-LS>
z{@R+F$M>b=w(&zwPM<$j3$a8fKu9c#2R%vL(`U7Mh;f~N!5#4enoy6~j{J9I#ydE9
zkhU#Ha<1DO9LI=@nX(hB;79ja`r~gk({~K#16vxfPS1@xlDx7!ygcP+^a0z9i19+5
zF}M+79Kx)3lbKIgq^KEAtJJoHjH3u()BvTUn;XArtOMQ8e5_h;U(2imhUb%k9K(DJ
zyfISTi>HWFjK%t3fAS`h*KdBRcYn5zm(QKt6M{q;&=yQd77!B^jeowf@bsJaHgYe-
zlI>4vCaz;4S1`OZ!gNS`+4(-4Qi!~<cK5Yu`QFt&UCq;I9B#y?Nymi>h~gwq_*xa+
zlOE#znD=qOQxO3<-G3WN77O*H%%n~Zq@A;ib?7#`h{?HHr7c&PfoI%uVP63UkELTn
zwNa>U&{Ev?)YC_IeRuZ1UA~HB<M4`X2z`Vd-`MXwbhLtH1dfKBtvaS06>XzD3=J;Z
zv8ukHy2ZAcx}62*eU)bBD!giUH>&8aBV=H(j}kLuz0<#_YSQ%8<Kw;%*xPLvoP&B4
zL6lAYutt(~huvTf!Y3oU`M=%i2r*Ek5S4&>)e_>^*Cww)@jr#>hS`+czBQ;Dcno}t
zzMn)MUEO+IoA%^?qS_vu0~23^otX2zy^#RDkJCFb3Uq)whHmqngnUUUy~>n~i3??;
zxfJ{~^AQ_@c;`DA$K(2KFLLvv4?9ovWxbg^IMWFlgk9yWnJYG&{b8Y>&miAYpe*O#
z+Vf+Z)d=4KhtRU<N5aG87h*NyhZe(;V?8IT6%(ThupOaCk@Q)UJ0xiW_zFXk8h^ZB
zfX75P5z2>dpF8*WodyIquj;$J*9Fs+rw%ehQ&<41#%bwauwL_lksXbFu~t8rU;6d7
z4Yp^1E^%lk!-Gu}C&z>qNN$>d!L-NG88;3MRI+}-{@Leqz};UgmM-P#Q&lwD6qw=a
zLh1FL$VZX3e71foK&4*s9dMQC!#EZuBDnKW>^BH5+gP98=R6x!gzBPn;Wxr`a8p8L
znQnesjwkNh#vV>}(kr@;4k3PtcUJnTcVwO=KSC1SLybsp3nZgqsQBKYa#pu>j`#H7
z@Isp@GvSjTv*~-tC(2Bb09qQVx9ke(#>%{}I}F}A;pe?Rxzw6WJ)RU98oryL4)8@q
zT0{01rSzi2MGF9<Ao-vAUm7C$ucDtnd%pEr1j*@A;*w`P#d?qRyrlYFi_C)<XHZ@w
z_WzX{qx5prLqU496Au6ffFq;YcblaeVboqP$)+e>&9(m=aPJo=lTSN1@X*TPT(>8@
zA<G>vw-5!iag?^O(~g}*kzY=WJ8NAeSUhV81X#1+ZKn$5tsQhp`19XzQJlI?j@UnM
z1tlIx%P$tyh7ZfqmqkwfPl1_{2L-qNEdIM9Z_yq$2s_4BxA@y!xcoOz^0yE{Paf;;
z_6`o=tJ`^P?p>CqovS~~Z4bz}kQZBzIvd(L2%u<CKKsSkzBLxAaB6Kw$#NzF#Tdee
z2X!5v*7F*T$m!oK0gj)9iMe@5l^?r^v9P#PZabe?d7CkjvTgo8VRTlAKyVDE#P;uf
zlUwg5G0JgFFDRf7f)CgH8-JhJEPd>}pHoJL9hxftq2l;NpM4+2to%8CdX`Y$L|(n~
zHM5Egxy<kh35Y-D5e)8QRSs<kroydU#Ih3KQJ-bM<iUxN<IgeEnQ*KFU0(#jqOdb&
zbBLtp6@iMD3FMnpK@i&H)f}%eBUbx|j9&&+M&oM*O5glu^nKaOZNtp|A%rCdKQ9YM
zjm?8Wb<y9tQvtQ8&9lW@c%S}C{<QM@A?EVg1r>!@e69w;JxDeQ*@RTIx{Da`+<~TO
zkpH|eDTni8ekjm`e-+smh$G*&*8R&IcDxhPRY3E{0Ug7*hOYl+uo3NqM@m%#JNWdE
z%Cw5+qV@O18$03X&NSgHFQU)XMEIx#^npuse1kCYKUpe}v^Bo266!$BSL1xvDW`e#
zd|gxrR+*>~Nyx>>4zk?EVjiway2kP{zk^UDRMbyDe*7kY@@^C19kQ(Sdb0j+l!a_6
z<u5H0KUTUP!kW(qd5cFlC1UwphpxfAiqOx#?E9kSckDI6&EU()nWPHgsJpY_Pv48d
z!rJ*T?lrYTNj`+~Vj3%!pe>1mkX;3Ls`V?&iLYtkWJA53W`}j~?Y)oF<JP)JEBKZL
zh{`v#55H3x9BKB_F5NCY7A{`U?mU{VEL?Ur*d0f_DczRW?s*Vf3T`Y_2OA8&cY~b6
zb@;yMdkz$i7}IXgBE<94^O$l6-T9QZrN%JC-$tl{;qc7>$!pWHq0MOXq_=p}{_PH!
z#&KpkUE5s29~x1@$m6TIoW%GzpxoMY7|duD9dPE@R%u{(*~o*jqyN}v+gB$)xZ*CK
zUTnB-CvE*ljDpW%6mzR|z73rbX3o#8r_5Tkd|_I?vM9f%Chj@O+oQbO?G=QU^YRGO
zRTV{^LBuL_-F-8_VeTKQhOYlo#kuN`4j+fVwpRRyeSPB%;Pfz9vrx7=yRJ&*{W2=Z
z_RV1M%-gReG`>#h0{*Io#q+Cyr$+kT3!D{^*u40h)Ks2@wR0z-v4fKm{qqX3vkBf3
zx-mU%XEYrD3d=WZJ>O5oq-4~{DlAms3IQ|apEC9iH;*}Smu0=W{5?ApCg(gTlWT?&
z|2Hp5FAissQcFEEKF5zYHMF)$!A)NJZQT3^M*-pT^nZZ$)d~<W33t+COu{0TiJL+p
z<8su4YaO%NfYP*mSw!0pI)hg7NFs-SNoC#}jugP^*-0hHVV5bdy=Vd<W*#GeQU>57
zmmo+mR>PTaLpy#d#yDiT@Ck(I(kEtoaR@36cer1zX{-0CjS@i@VC=o|&$6-KtDy?f
zYRGR|0?G4-pXW9Xh4ozsStWVitZ6|dpOdz7hv=5Pa?7+u45e0a_v;%$h1%Ql`znEH
zvTK&bZ_MI5qW8qc#qi*91w$Yl^OiKQdT!i8Qg-dKoLi-MylJgr$dqSYoZj3U^XlKG
zX(z#SUXH55maDJ%4(EjhqNwa^5j>o>^zvMyV!q$#io17ynv3{bW7938%Vi`W2>0Pa
z25<ic4ZHus{l{&<jOr-f*m_z5P@H!We=Y*gdA7giQXI>%$<P7och_N>axb8bWqE=U
z#4OiAK5fBBi`M1cf7ygCfVl=bl@^}G6`>BJNnoKg`itb5LC5%=hNfaO{l$9#s)2!O
zV#X?RbMZlQ>CQx9kS@yfy!pTAP7RY2gbL<K*bir@>C&qR@NcDSVU>1}oQ}DU=Ib9?
zW|3XjMRBw=r9{DvNdqE6W8EOMciS&xdEN+kUk+OPY^&>5huIBTd}JsZOCKh^048I%
z6NkA@h=0GQTp`{?`nQ8>`|Zp$)ZDUTL|*rRP$?zp4cjec1yy(LW4!3!V<+gT89}-*
zFEZKzWC&#@J?6B73#zWM*WWb7ng4U3a|A@naKJA)o2icU3U?bJe^Lad2^M(pDIcPk
z&y6AEhX@JNANr{9Dcu25+=a);={=WSs^55tx(TCwxfutk$85@I5HbwR<pz#TXoTW_
zu=@tvPhcFMr$83?1A4cGK(+TD?}Hx#RVG_f4miZ0h#H%Yn<ePn#WoPioi@L>A<2;u
zY2Xj2m%Z-p42Kcp_e$;&BZ@vMMbnS#7x!X2=8ZSNA#UN_j@l*wi@mUNG*H?-h-({x
zF35UJ`r%tNy71gw6dF|M-X}}TED#@Gm|90Tzvy8c1XrK^BKE!XLJ+xQ&`au|On8js
zqcB^g7fJjV*^37G25=#gq$=|~l^&q0pQePK;Vuu%DSIV%>Q4qw56xT=g9Ml}&XmU%
zP?h9lg)Z1j<%U`p?gX-<SMrGkfIrafM@+1t!cBJPMg7KdZrC1N5cA6@p^0~Xyw}Zs
zbUmOcggvhq<}rdejm-VP#ifhT4+-k!ShpNP%OT7Wtal0D9Rt1HM&`4Jze#2B3P9RO
zy;~)Zl*$91EZ8VwU-}5ON;-jQ^_#?QSNCoR3JwbXnIJI@3Y8s5Lyf+qvq=n{9}1!e
zs9X!RdqtmkwO_yaf&<3jS0LQS7eCq?BC%yqI1~oQxiT=d45+bVxsN^t3;V?kLGcNB
zm@xSVn;EI?x4xQny(c6xl~c|wM~xF_VjDEg`Z^-JCwgmCT~<y^YuM92JhQTr*^fPV
z`3^0yJH-{l$u5%acb(0{1#*BW(Ki23Mnb=r5!st)Oy=5I5sS(1{l;;n^9wrG?+%H#
z5i|Z^BcF~aizl(4eXE0?`szF`@0l~Yko1`kgCb5lo}YZyeSUvXPYA756+QY~IY6Pm
z(I-XLX|uWV1|ND#1V~sys?#T3CMf=Z!@`b(sYS>6g|ho~z>Dyko^iqJH>2?+p_H2X
zkhCKPrd%d|cLYs14@0PFL|Y(=ZmxJdt<Kr+(*BP*xYQNOLQ3ds2-pk~?Wv)~lujan
zZ>MVQ{J|aa?xlC9jC3|P1vkqFuF2E;?2op$4B?Ygq!s?g3%KsfbKgjIaaPKVSuU9;
zqb92z@(W;oBz~a2&NDI(!A`8`im!S-J*a=DxfE<ndwqngafLmuA0?xL79hn30l48`
zit(&;W+NCWZ*CtY#BTuy!&t6HZ){inMU5E#s9~v^Vg%VepuBH#P`QfUe4Dr}OI(#}
zO9sXg&L7msk&KtWRq31p>ZH>A0i|$@`87nuviUev4FW+F9#*8c?Lm;yBh}!8lw<oj
ze%<`V$Isstk#TOs=B}fGi^*pfr{7*+X0k|G%}>hi&Lye^yo_VKNOUVr^YN$W1)y3Q
z{!6XMRC5KsR`&1R%C&Q%pCKuiWr5f>2Az3aDQ*T$GumWjI*nVxxWbn0n<+%Um!P@Z
z<*y+dgzP`%9Jx?J(q8`o1>2gqy!@I!r9e6M4`-V{+gV&L)VTHf40Eo%_&BFL@OCGz
zO7y3`<Xp^;9}He(34l74ZztN+mFeE=+yeeX#D74ui*+F{K(*tq-wVh+O4<B$D|)+n
ziw4#6^@&A$fuH1LKpa8C(!Vr@J=(XTf{aK&SpmZpn&s=~a(4?w#hiQO-lm!+s(OHU
zR2zNEl;1eDtl|VaKDxZoIt?9aIV0Y90)|a=$h#k^#nh|K$VJZLmf|jtz91J~!K^9`
z4h#1df%}fC7R2*pT6OF=aat8YdX%WhXxZe-S&6FzQ9Y<0G}k7C*7k4^8Q{Zkd<9?S
zCk_^Jj_ZQ8muo%ndGtQr^~~=3d#r9_qv96MFAW{<LyU-@?ne$^RY?tYC|C>gfRa<E
zDfWiiU7D}uj)6gIkngMjJ|lb73^KI~UQi@bWvW8sBhxWAp>|36LJgMv^T>Y3v$x9S
zeJ63y<2mAQ!U@p*FeA}YmICl$w1e1^x}ThRPE!CFG&2FPShnwDaO=xtV9r3VOpoeb
zh<fwn?rHSz2qeXhbx)?&3d-9~IT;?!r`v0odU)`|bUk(?rJQWRGVtYINULD%XKll;
z(QO+2K>cJ{PmmTC^!8X!06*ei%X1M-G(g0J_<9Hm9Jm2kM<%HinAA+ugTA2m>8fYP
z%$WJ<RSw#y+3EQHtkbB-TYjq2FPw(puxM-OTB!H4(jBdo|GjLRMx3)_F-;<`{=6RM
zcC+L!_sg87(Eqr!C)M2qZ(>3@Mk}Um$+*hEY=1o*)C3fW<u95@9)t%wf*D^0d1mnY
zxKdu}<GijU(bhjUsL+|V<W9Y`f%VZI!NJs@zzNx5fO*sFT3y9|g20=MA4c_{A%%_2
z4j8ac7kd$aE>$e+@P2XrpE$U30kgT^_I--Y)jOAZ5D`izEF+nWq(@_R6Syp{HIXh`
zSNOik8ez+abX=;yIxlcp46@N5w=HE#iU^oAk~e3{2N4H(ijHz~s;Ieheep+Lc9ua8
zCc3dxtHYNIsvK*<mklQJ?DCx{yP-_Orp;b6ok<A~inD(Z!s}$r2dQshVYeG74(FGC
z&yaUtc>VJYU<9r!IB9t>EI!iInt)ics~*H*S^Qa*Cd+NBf5|GEdkN@t1b@2+tNbg+
zdzG2wKf9*1(Bk8ZibXVzjMWJ<!ogA}slzTvLFVwFm@l=gwjp6G`Y%Su>IMvqxt_)k
zs0M>$3k$gF+F*998&RXsZ4OieL$j;@svY>f`qD{*JYO_sFCEgj9@KVwn{p0$CUIS=
zaS@cv>OmpC=FBVXYT%57yE%b<&hEBbDv!PHHlzG-6G-iYPifZujM)g3Z|gacUi;i!
zuf`6u8LS<QLXn&cf6a6Bxp2n?8DH|pFcj@C93OS`k{ODejI^Abh&+=}qC+K~f2xS!
zD(awkDAE0tmyk_bEW%WQkeC392)_kp4X%$I?L)lcZ?0OJ+<Duc_75VIkA2OCxIchD
zb8GnFTW3A}jNkQ#C0C2fhK>JzGhpMRj8gm!uJU^LWE*1ZV|IHx8T@zU&UzzO`q$F(
zzrwx?m{AWMDwsXa-}v{rTr<GWya4Lw9m&BM@mc;-RDUn%hb>bf#lZPAPYR$Y6;iIQ
zQx8h^Y`g8Y03ZKtdImrq4$pXR3=V<a+es^=BCCA8V_4l86k7{S<y+D6CfxVlUH*Bb
zq2Bs5(ye^>bDZfXVsyxEQq!L7)vc|7uM#BQW@<!&#GHG9Co^<?f)2uH+O$_0%mY<L
zo{nX!IEC$HCx7qwErl2AZxk{?Vw!y>@K4qhy^6DRBMK9iv$n7I9vEIz(95yUpvhM-
z`|dJIWTyF>DYUxfzZzEgNMFsSC;pMSa~o9LYJC2t!$0f`C0ck09_~UwkAl1>m*q1a
zOWbt}Wa$_uc=>$`$jXME97ku;FQHb2Z?pCdJUUErY4CKz-nCW`G&a9={o#*6pH1mT
zrV+;y#+=fLzltdI=qNMtdY{}ORvZ%MnbF|#Jf5vQzP4i_a(@`L87s(k1cWUJFSm0p
zG@)R!j741N3CUE@bf9|3h2O-+iK3Y*hU04&nnwk14^K;`<_8G5UK>d_-&A+Id{amj
zX^=K;fH{2>#5>s$DEz04TU_>@vg;mp;_7i3w(Ad#$Pm_Ek<@v!D|xj-{B~;ar?x<?
zYo`=CjVuN#r!r-jXZgO?^ov8nfmlz8wdN9u%+61_{1rsCuNm!+{vZuSde96JZ6RqL
zp5!2qU^A28eY+bREJGDlD}%GJJ|&A|!g%ZU;?Z<W{2ub>5!>~4_bIQHlMs%J+lNG)
zAV{3IgAe~H8hbhYuQBK!$+h}&;J=MhbqQ~M7ME3GQVq4wF5Zu8Em>bFH5`PcXNTHk
zV{&lGM2-&A(%qID`8Z%4UQScoTresO8Zu(x3%AAHrZ<8LTC6D{#=S<1_njuYNZaBm
zll*^%)7{e3(JHqGM{2oFrfT^AD(j3?^XG#z<z<y<@HR3Sj{P+>vNY>f5K`58df|-w
zS+!V;OQHLQ<(c#ue3G0N%Z2OqN2*h38A-{Po?;fVU;H{W(P8Z{dfeNt#P%lqMh=rt
zQ^-rmCK_3w9DhihG>LWf<2jW-O+nGd8*7UmL2GIAqN4qMB|Sl*{zKoQuf<!@Cp{it
z?Bpecc$(t)oWly?CS})0-m>ZGjxv+dJ7)b(wtDY7zY77lJ5eZpyc`EqUX60ne-$9%
z%&jn}*3Mq;uCi~}N-H?j;=F9I)7@XU8M1F+RSy@3G&qj)%f+gjlu3AY@~#s|QZT%}
zGNQ^^2B${+{tfccIQw=@pUITX7TlPXS*@rc9=fj7`AHo+mx@BOlZ5+XCwvDKaZwSv
z4?OmlAtfgD-X9ylU0jCEv1ecqmSF`#)MGva1L2}ore%}j*^1doMgddt3o*2~|E!Df
z3osSbD6o5_twHu2L+QxxhPeR4y!`&=<28q0?qIw1Uh_O`Z4?0{R`rE9u7A}fI@?1G
z3POmgAqrM7N7fF!yRnsj5?3a%=Xk^kqzOaki(0vRoo`B0gX4tIJI}8k)uuIaWPW`4
zu^9*Ir5{(BLR^*a8;-plOG7Wp#1f^;33A!x!j5ij5inIFlJe{Y49e1yU<8iM@^IS(
zBArjrsCl^IVo1f)!)2KcE$czAZ2yeErGbBmgqSood6u^rj~(N`|D{WGBg(wrflnYK
zix7)LbIW^~^XAR#F=r|E=v;~>6@%4xRrXrwZ_9>e_=z;X90jz^|M3J}kp2t1-ig%|
zg28Aba_{lvrrg4Ger><SD*~?u!rgzBYVz-QKQr{}hIFM+onfg3Ds6t%Fh4oeA$IGU
zZo7O5#pUS7(u^7tE{bdoU+%#>`YchJP<T11MpF==`8UX_TGEObqhQ=DE{J>g5<<Vm
z(*jDi<kouN0%=+Id$?t67QCP9cLbwlgLY_x9alVjj1;={R}hK_P5=B9vcUL`T`_E9
zBT#P0!O_H?b?93(W4i8;^@n)1s-1$0802@|y7zl|uf;qpOl@03@Rjsn#_0qB+g}X`
zC6Bf`Cup=;4U~okdo3eLV#p`R^2Qq)#_KmK18GrnKk|jc{oaS`l>T-3Vqa=4Cyaua
zh+l9wx4+b{pO|`EbCa^gbh%W~BXM*N7<NkSo6#@J<wNdxu}h(t`HNm%XkEup{J{a?
zV^|)UT#jROP-}gIdd%wjx>9z!rLi`7(ELrPXZeXa_U=T3Ua4nyXltJFyH42ZcO=8l
z;inC*Asi#bAo**`T6uW6)f^n{m#w$wo03{zROQ<D*uEU_cA_!F4;uYeVL2DHdA`;t
zUzcVRtSd^6$}YEX?h1$MXz^YdyNknyIrT@`DP;U*Hk4}}$;j-X%8iL~?g+SJ*!pj8
zyNT|Ac7SNRQ=>9v+2E{NK5aIrDx-nc5Xv)%&|0w*tbCSkarv1Vxr%pJ!n?SoepUVe
zNn;cB+YBXq@f6BsT;AI%zZT-iVvM=E`d;`UXsPh?utzM@zbYip_XYGT3fhVb9S30d
zJ+8iN`y-2t%5>-|gcwaz^w-xvRmK^nU@xSaLHH@A$HUKHsCR44*PGeXqiamqDu$$1
z)0EFufat{?WQv!Zw1K+*#eT3u{;l-T#aqx#-FMSoTRU5$9Ah^&Cl9FX$Pj_2dD#zg
zw(A=i=X<G_)e`!2wDg$2X8h?pA*8+4fu>~2@^%PS<ly%Ta>A0CYJXY>&lfAu^O>;?
zF`L8WxV`<8Y-10|^37!T`DIT@l>~|TT7QF#W{**S6wV;bT+y;QX{rJXu9rlgS57p?
zOS-ZO=_F*obSMAXN|Rgm8+iGs07tiCUQ0(=?tR&Xhcjq3f*`NAGR{3uU0sTd?zspq
zY%qiu7M?CA9ef|p5;DgSK9QpYE2LJ3itH$58{hnI&roDN)`ino?{Q`vLqs)1dhgaD
zF;%HiReC~wPX0bC1W`^4(_Om}Pq0}bo)AE<i)56L>;>uZRATT(ftn{l0FzR9rXsc+
zZd7?qZ!gNf+t!aU)Pa#j)A__ojud4)X}{AK<uSY%x?y}xiRv2NX_7F2r@GidIfbH~
zED=kI#NEkbO?g%|&U}_-LNzPl&FXN<JEoEsCi7}jte*<Poem{dD=jny*XvIpN>044
z0g8~U#lT*7-$&E?JILuPab^8K6_TX7-*9#OZ%(OuJ^2!7`TRFjnE3GQUWrX9XS_LE
zz&pdmlK6qdR*Av}If*Af6W2x&dmbo9VcI9dqxizi;=#Ajg$r@5=<hm*q-VV{V7Gd^
zav{V$aMK>Gucv3w_xGx7(eC}dfTeRuZMW@Hg(#{K&rjV~+6T<(d*2h$TVqT8EM6jp
zv{LSpZXl%fNvk<~ay>;iT~zj9x6TKGiz(3Oe``J0*Rh7r|FTPVJaKnmU)LiHdhu3F
zPOYj<j9*NluI~b!hDLE8<K{T{_&VX?cQ+&3Y)`$!FnaV(82c&G-kL1MC!*#Y5Os?n
zyj=fqZ<IGZt8=?oiYprgG4xmYBDd=OjM3c3+3JfB2Fi7^XO3zm<mZ`!Ws>KyVYgoQ
z_v!nF>B8O>AYqAc0`F&Pa_B{i>LKX7+YwyO3HyFGu+KJ)9BZ_h@yGM@QX~C}vex7U
zcyGZ~X5``R*8IN{ArFry&$eKto+sUJA}Y+^J^kYM#Mm`8_aG`Ca2T6FzIW#u=P<{#
z@2}iL3x!|5giu(<sI7Epnxzi5BtVK^LHv5&y3o2E<c$KLUv?u4O2!`~qrYUEOe|tl
z`OuczHl-0Bg9tqaUfd40#oe4qj3urov{L-x?D;cjMEs?&jC@d*Ag&#tx(5@5JTwYn
zU|6~ZX8<|}GUqrg>9fyYD8ifw_6?wued&dDIKEJcPFVX3pZGrs?8YxN@%UKm^g)m~
z2<B3bDwmZ&DoE_=%A*MaA~~TZdJqw#fa4^)6#xq1ncq5$L{TVjpZ6eL0_#FS#-mfN
z>SE|;#`&9Gynu@ndDVOD#N7z7C62S_!?eA~b(zL;9ddtc;?E!4+-^I2UK4k=mBw!=
z*HH18@W`;9v2bflQD*wTrynN1r1&Eu?&0%Gmyg$}^oaS5;~(bu_?EKxWiB66{@NRF
zo8g@=rK?Q6*iRpNu<1f;lTI3|lB{L|9?yA?kc(c4iHra7Ts8XE2K;vnelUFAcKg-J
znyCD%uWUtt@A;Z2Qua=uwBRhUhZv0^_^9I}Mz1!ju34YaVM5DCe~-m=hXqhB`RYn+
zbTr_Q?g{nj)Yc3O&)4fl3mO*lv~L%k;`R01pNA`ZrJ}EAzL;hzET)O*Fv1FA<Yn0-
zEQ+YGGSZ{F^94X@XlR6gi+Epe73B(hoFAY3nxyc#J7hC_+R`~h1`(xhISbc(%p7RC
zv&#0C?1YaW#14Rj(Z;BBbrl=_U-9-{UPB?@8`Pct!MYQJY6D^4i(cMQ6DUe4Le0mH
zbV#*6wAkvkXWlgK4v4$$MogGe-YG;<OwQ}{{vFj>N1Wpv{66QRS6IpWU-<I{CdHzI
zvM@VOagB{yQHOELT}Fs>1sLPi-lf+noH$Bxn6rr3UBN_9(d*PN0OhoZD9FO+6}0(o
zF&`iP&-v*%gx=@c{a|Ym?^;>-R5q62=LG|q@eBo_!&%=l5pAlL`ysb7#<^wTpVmF2
zCC-|o!sU^0d}tR94FHYL=)t<AMa%rs>vZrw<0`bJZ(~RC`_mtTC9gok*3;9~Zh1FK
zauw5rDm8y;CRf7s9Yj(a*ITWrjY<9xJ(u8;zR2nEt&juiGu{(Kkq%I(WX-BR-SKb7
zBSU~lF34+o>y+%G9bt#oF`Hdx+-8Q~UcTP`F&42@1|)xPA{WeY+wJYQcB{=fH#cIw
zI9n!7x=!4t+U<;ine+tMAPmk#t$^8!d41+C&0$AP_Tvz0lPj=$xb}{=>Aux43{yjG
zB6RN_%xQ4wJuAyUItMw4)|nlHD1UNs0&Z-Up}^yVIg%s9f=`D3WLKXDIEzQ5`%zT%
zbEGuDBY0$Kr|vPqi{rj!af7I-bWud?=tG-BH%jM%6dC~Ibm!md*;f>(Xbkn6@f6bj
z&%|W|v%dJ+qAXY&oB(Ial`sq2jcUJFs>b<PE#J>)$zT6T5f&O|)d-MB*L>g%d()m$
zqIzLRq&H}`BtTYbHESyLPO(papuHX2{j{1Qx&`+{zbYlCYrtTlbW|YUkWh#jqi~Tq
z+~N#hlyz+bz$NYNqbGj_k2Tq~n?ZayUBKkzcXJ8{E{<59O3P7r1X5&I*25yLO(KCc
z8Nb#<*AdVY#E3!8zK^ihc1b!;)RoXsgr}7o+D-MM4Kn+AGw0<u1B^W9Pi6VY+9k|b
z#zhKn7S^Djwux<<+EU`2?4>CN>f~sf25nfPUre>m^@@s-M@ckOFaHD=*oiS^z5o8!
zeK}@~TE5Mu)8k{HN>OU;B8c`{OfT=1s8~TSl7G^QWDL93@eLm!LchC5F_*!EpH;s=
zJu_zZ6C~edFLQ=*uv4E%^qsaPKoe2=*0it3=%5md=Q^LGJ|GHdEb3mjrSqPL0mPTc
zi$`UDbm@j|yg~#zR^1jY?5mZ1>t{>ge1>O)$Nu^exxi+T-(wZQA5iW)wYJG8gr(E7
z9;B)|+s<2?t!8}NYN&S<d%KF#rJw8Pl+YL;v*fm|tRS8T3HLS%`rX4~vCaKmyz<;(
z8I{VWv^gtNV5t{fh>1FksjO>T4dhtPmi!J1@Ra>SKXwrC1Bt%Aiv1IQ<t#7P&)?m+
z%hpmKsW<IW{Oiy|JP(@C0(to@2!bM<m9S+^_iV(MqVE8fSJ7D#AuKF?9i$lgjQ%W4
zEd3Dq?*p{CzoZ7QgM!?TN}H&2joz2l<B7|2si#R1{%9I9l9J(04>Hvap~s6L4I7kT
zUCRa_;F$Y@@8hU0fX+9%0Rtn^lNZy#`EsV~4s4wZY7Mh798~5ZFnO6Z7PrbUnaaVj
zDz2r%{@A<jDG8`!kbdkrL!$oDHn5yby_iRsp}pRM-8;Nc@Yi5@BoFD=cq$Y<eqw<A
z?w0Nt=77NJXMAX?zlj;xIH7c#j&#cED*=R-oBuAO@9osWSd$3_#f)5jc5x)vgu#Tj
z{u-t$Toij7pd*E#?k|n`@}pkH1S)EPcjKC*k(VY&dT8aXsJO!8BGve7Vm*O1ZGQL`
zhhh?-^yeQHAs4FvbG(vR%&kglthc|Mw^?^e+#O&<C+Wi+-X0vq2s5c!?&fvN-tTH1
zm3`gZl^p6&R9!ROj4xsM75b{TtahjLOK<i}$)1mQc+7Mq?saoMF&0j5)G*BZ$=}ka
zN&*1nhF;}=JQU^0G)7YHg+Aeo&4cKpq<_Z<Q-)fXhwKjNxsT&P$40cQes7~PQdOZJ
zP+q+(-<X6r1w3M00Bt7<B0alHSn=d)SKAk28YCs<!t!Jl<r8GSV@!YE3|+40nWH@G
znDxpSa!RY6sn*LkkEs(oM7&D)T_Z-aRHUpp;1%8dna`d(T)nL&AIRGHwXgq>)xeqW
zc>TrDO``mF6~1EN-$}Qm(zBl7H`$jTt*nnHLhN0~zfgiwAA|OU5D6Yxr}6^J0o(S2
zwK+&fCQqBlF$qr6NznKo?dSw%QN05R`LAmUtt3#5^z2pTqUwp2^11iNY5);2LYf|P
ziMfIUIr_gwcAF)}hZo$JYD}_n|H(dz3i6G2NM8ZTN`=|0cw$kkX?8;5nr?u2b!v@&
zKVHp=YD!|LF`~Lgetl_vW96G>Y6|_m*E~I7Z@@rr3wPZr&9%RZnsqd?z{R(Pk3?Zw
z397s2c?WD(-trFc<ICL-cY=j8n)x#T0;tzANO~KAb<vR}Eai%00=+EH(N5`Gd$0b<
z(A!7~TY{-u*iQ?J#ppDG=d+6#1I;Mqv{Zr5F}D%9DOy^44bDZwpP|I^v;4fzNTJ@8
zaf#sX>e06XM0J^jWEQ3DPymN52XsmavoFi>r#<G2-vGG<2ee+Y<h61??EofuFZ$~e
zr--DP9NL(dvkBfWuqu8UZL%2+$9PrXl7ZO=!w&(Y<(if)b0>mpZ-iAOHh+}6%D){~
zr%~?}Zn!nd!l(26GLmC3TJD1c{pYv5{R7o_Zyj;h57O=aLojerEr=zhCw-KwvlVJ@
z-l{J9_AfgHICCqa5+wxOIt@yIPsYtD9U{zTB#*4JldThHra`V8xuCsR394(Lz`c=s
zb^=W<<<dPsE>vButGJS(<abRj!r>CwIK9!g5o6%xILGMaQo}kyS7w_sz)hyVVyK;P
zY<Y8t;7l^hA80N6otx#%#IT5{WM!CdRE^zTtF5Tn74y?{#fl393%LJoGtb|yc&+5E
zg-!bVYoZyr`oYON+UsFefE_9+)(z@m{Gq!B60R2$+>n{oX<VzD@Gm~2yaq<yROe)Q
ziwR&|E9}dkka@MoH(5EJb?iL`w#U_8t|L|`3D*R!#X^~qU7UNRhd{iPQRaayagPuv
z+UXfyYn0&#2*@Hjm#L%ojwGadJ0SYQLzJc{9W4*L{=5ptM`Sy}>dwy(rLucHtO5Fb
zX<LclyzNum9aAH{lE`(uZ4J3>=SD~!&|VqUjM~^K;aB0_TRUs)aVx^f`!RCP+_#)u
z4oGT*bj2ZW7<fvUsbZQ)LW)rs#c<T;!wFY~Ofhjz14hQuW5r438r!liM}DakZGG5a
zkjH7vp=;O8RYBibQhYm&b^l5eN7kPN-!+ACqQ*@16ZwqHIwA_hJdNBJWG>V$WYvd@
zBtgsbaelkcS(H`Sasz{?*VQ`2-J5_yit+eQO0g_6hmbkhtNs#-&Xi2gy4ymqDS-d(
z5P4U!Iz1vzNsXa0eSBwceIL0I7GSM7f33fbOr%a`AN$K}&HWB=Z7&$5H2F`safEFX
znH4s{H$qI3vA>s`kL<ft(i5D#bI9peMM1LL61Y8I;DSZ|$sbtrQ9yXT{&vKf(Fq6f
zstdU|k_CkHb=(2iUbvr*YO7qEcB}Oxt?+P8Zvk4ay$VW)ai%h|e_%*72#596G}azD
z?ddn{lN8V8Dh$Z?Vvg+#6q9Nl|1<*}RhUU20_We(e~+Cs2;I;w@Ngx6FF)8KHSOg0
z28AC`c!cNr%^o99C{6xW#!s(AtE$7ykN<{l*ljI_ed8p!G|^pZ8##No_7$|C04dXS
zkOEK2w7^b0??Qi@)t)_Gd!K^tYD)szPT|XUs<@3%f;c+5OA}SbU#X1(g!ZsiDCEp_
zX}&jVdVW~yqbQOhx!#yzzh#A@El(Kn!S#Z&hxi_0;mk*G&c(?4fNp{>?$NWafoN>`
zwg+8bz9e-yft^b|Zwys0TT$u_ZmJI6<m%V5dagcd3h9OF4=%k+mH$Nmp%Ho5@Uv;K
z!9zQC!579KE4u@MQ-knUO-Hwtus&%>$F?vw@dX|29S()v%LgI1mmT)u6K^$d=Vof6
z+xDpokMycSg)jY87}y0oRFkke_6}m`>;Qgx>2VG96x~-vkrg2e@#H9-l!g?!wkaFh
zEup}MlT-hdvx#$)>>Z?AZ!CD*&l3wdndsgNeIe}&j9!o5*B4)wTisz@$c+uPfnkSb
zs=lkpD-LzUNe>l&`fso|nU2u*)zk=9y*-<1V^7Zgor;ie=U!m4*gcYXC}IgYaULJ~
zU@rsU<O84f(pc#nfFyG((=er<1qXE%)9wZSZXlDaOMmcNx$W%zil+6e1q0<&B{bya
zq=j)H(u0`sP3#GZ_;K&OAHk_fr&qhvIZ1SF#7Nkm6p{QR#>M6zx2rp`(Wjng9i9}`
zhArM_-`1}W-mw`Bq1<8czHpdPaq)Fz9g(*~e_NK>gnF+Lye9?{kD;lzs~j>iUMj~%
zr~$WK!TC!Z(37rrr->am3UVT|pvH7z;Er<J!(r9C@X>UkN2I*6zRoUCl&JVRVg!{d
zhu{2m!u(*3>0I&W@<pLPNAtm|=gj)(wb(zbO_3X>c>Ua+`_{{UD<JsGc$IyL;C^NR
zi{ns7Fuca;Bi4Y&nw)n<-<o~C2I?H<KMm%%9eXaBj`e1BIg=L9S$ppf%Vo_o&(~?P
z0zM<<lp~;Fx2nJj$ZfH8olb2J(tEiyAyobQ6_BQYU8>*18-i=g(@ixjj%QL*t%-&%
z5Hu>F3pB0aD)F^=c9@}Ot3WX2SS)5Xg=cc~N0y+A<6e*}$5NS!Q!-wj46V%)Ck6BL
zSwi8sT&IN*P|?C=iAt(ENS9mUqeQ2fS;ScYw+eFnWMPBzpbGOqgC~?&>wf^_Kpejx
zyf(TEzwKB=;J<+B#0QT-LgItD>u3>=F|4VW-NgcggJ`(C*`V?40Bf#;1;-57NqIJe
z0xYgUHj*>5vkw}n5z68-nXn19oF46=75dwCY2`<4oI!hxOKQt4Z~7gSlZzs@BXRxS
z2S(});J;|T_*4+~FFvmh%EM9Wg7GtbFp%~4BqSur-go<8yTn*5#A0ARI8R&Cc9hc9
zrrW};na6@>0XxaeY>c7WWP7Rh*$3>xOCFyoMQL^)p&i!DV9Qrj@2-sn4ziQ!C>n_U
z{S@PaD&XLg<$E8bv@;z4TI;qP<@vL}zkU1S%a^itCYAqLKA0RkACQocko_JXOdtAy
zkA0AdY=ik=fy?H}2i=nos<97lnGdu!o3EJ<M2t5)29sL@<G!h3j6KxFn%mvh+Ukh;
zKrWA%4>sDJFZK&ljCtk*o^HPGgTia}e4xE~`t<pq{`9A(|MK1kgP-MtfB*mg`2h(D
z3IFx4-|2%A2^NUQFwNhjbd1G~E$5@0*ig|<6-RZ`!FtXtr6JCcu>ns$FsnWZ@@5@x
z-F%Ofu;$VX#yP^vgECO-=`6`fwTwDyv~ihAu@9;ZUz}KE;WXBGLi)$|KG3RX<icyM
zvKT_~%g=Lud62vAYd_Nm|L5O6AR!^)zrWiDKyvR~9#<MOGpb`8%w}sa-RjNBPF_T_
zyT}phksC!ltk=z`jHe}>X;ftqH6jTY+z8cWoVsy+jPb1-xkqf7GgQOdd3)-qK9k56
z<B6!LgZe}kUGrvCjSd)o%?CPrK6vuvuQG1_FQN7d7}ZDcK|(^}13|ML^?+f@Fj8r@
z*4e#16RmCw%XanF)NndJf|!M{yACl-3z%y=vW&U((1)x<+JKm$WpZpxm4_J19Mpw4
z){rqiO=W=Lpe3^^_zLqu)jp%|Kg(At3*R3NhxO0X_LZvt@qCbwkodqTE{jnfKg8Kj
zi));1h%S$REgtwF6}*0O<pnh!#|H@s$@4)go3-)RfB@oDX&wl_t`BVILe=)K<PGON
z_Q&x-LPFw$$A<a9@vc<0_pr??&OetA5)u+0d<RbZpT!3W35gH9(Rbth4|`|8={b@F
zaL3)PgI$1Q;ege^V4VdRi(`T5Mn1v;=E(n+2I#azcM{clp_Kj({oOh`3E<Mn%gkhN
zX5QeP+a*7*LseH*0{MxA_rHB`bMrs<!5@D7+wZ~$|M=$H7x4jx14N`kKswojXFwzj
zpV@pFzGP593Li^;0{;={$_?E<_{;X=0{{R2M*G$4pT7D$e}DbYm+%4Rq1%bQK_W^s
zM><J;2|fp^p^IJpL6v8oo@n}r^hGocT}k_t6Ev>JXL_67sIJD#3=*CCMBg`WfA}xn
z{>#(N?Sm_SeES>tJ(eH8e*Fw@e){W+_@HYS(CxBtm{&w<+Ah%3v%)1PARg;IVbJ{u
zvE*s547?TiRLmYZ;MsqGXFs0v3h0KF&cc1l*iJ}iM7Y3=M3<6t7RqiVqA=OawFyWk
zAumY*M?A|fSN_A>kCEu+_Q9|D({F%3f1dKu^F@3>-eU)fsIGEt1p0bHQbtkX5|Bu>
znNUTBVk%)dB)OzU`DSWjL(wRtxr&~M&?_ZuMv-DIJP|7g^1`cnnur=fr6(q&4Ys(3
zur@Uk`KKw03K+RUoUA({!41QwWD==d%hsF9D5eqz6U)9}L~Nqos-&87$|#UfMB&-(
zgPUi3@cZS3-Y13*YQ);w3M%859tWtPqmAYoEEZY^(2AiIC~Ox9d#&AAscaW8rLyOs
zZA7A`6v7y-1P2C5N>7BUmC!qhVYaOFfNY2eoz_F>xAws&cTQ1Alm-A8QrSl$G!~#$
zv?o0;{cT<LM!NuSvw>s39Rdz=1Z}zH$}Sby7{=|m4B_g7ufKb9uG<G6a{J)+!Gp(2
zdfOSDeFqAOnoH0EA9b~@k!!w=ng^n3S;VMS{(j-(Q8`z}QxV0iq#mQT*+91{=+_Me
zFbi3HP_g-YS9hA1v{)qLx?{7>T#sp+(jQZ1-EYZRSUC|9v#m0E$a*f7Mz?X){nWZ9
zziP+2nvGr*2kC9`!P4|LM&Jsp;d-b+s#&|M4_>$M?>A5D+uH~4xqWc^pqkfJE~)K|
zmZMS)6(3xJVNJH%R-dd}UE3fL%4ID+0JU=MxKcPi1QPjHhM-`KdR$SqID;~MKNc;7
z-3JdgL%nVls_(OxZXF&bM(fTgb~>gb;v%sfR-#Ze6ms5^tuxxJWQSD_zhoWP=`okg
z+S&T>LCCgI#RqxC#bvDmN_qR>%eZ}T`ydB&#Rp-w0B$;ba1EZ;I#^}9K<|A})kvjs
zNaLeMB38DU9iuiFvW`-QPHU;EG2rO~D~d6)hL%aUI&H0e4A_?`KHI}8!%C&T9Rg7p
zwLx0Lkt{wyZ-;dm)(i^8<^!lPWO(ucX3KUT@IZ^pc0wF3KG^u~yEpIF?SqeS`{4G0
z8XMK=9Cihq!PN%_97MeOAdYFP<b1!Ala=f7e83Tfb=&Y}ni>VU_#mv^=7Y!X1DYm=
za#&p}7|Xm&`C0R)=YvHC^sPI5us<JQKkrHVfe(H;d~iM=h%Fgp@j=>sFz!BpdO!0Q
zy-&QkeQ^6=-hE)ZQICFGy8^C3I9FQqLUi%Ln)gb+{dpoB^eEh`-3KMGHJ0k#2d*+4
zESoD4N_<S2vhG>dbD5I08KF!Gz0PdbBU%@TP}rp&bvGZ$cRpCQK850Ze=uO%s;n2x
zVB$L;MD0|s-R*;CxP5T@ptr>bw%n>REq#(;!7(CgE<xLebA|rZ9B5<fSUIR{1x|aV
zk5#3RP)Mj+%Oe=1z_mN7YdZ$y6;$OWZUrhkV##;f(Et?;>6k*MdMG4fZvVRBj}HUL
z9{_S{_9PmJ=-Z#yP7h;M<7Bh3Ex;l|2C$1n1IPCTjwIchEm(W|;M3gPJ~(KYC-N*2
zF-ELGZ+P@bM86Ksg=-HrKJ`+Xd}5xCN+MAwBEl36W64jRXyuv*D(ojg5o^z=^pv>Z
zYk{bYDt+4&DpP!!LXk(@Pg_7?l*f`(SWa6uN^hF>QJyu?BqXe(@NB=5DfuatvU*n2
zf7m<Y=cbK(fhUj{LJy#nye{+t9iS8^@yqr4D8+Fy6#PsI31?)xuJ2KBWA1<)h1N28
zl@oX~@{Kf-B_hktWGyy-gZ?-9$<mMSyOwdGG!&*hnjHI?u_Wz&cXy?k{jgfB*zuST
z7_aDq(3uOc?f<?Xy)3(Kq8IYn2yFWHqJZ*h9k$JywfYn_44Y;dawDS=$nUZ`I@*L?
zEjk)cqWUW2C!6)x=7WvF7;kXW0rT>TMm8$;B)nJ5X{(;OVf6vHm;78U`1z90CO#YR
zOxRE9;)<Ya^tq?YnR~y$2d4E54CaI3L%AaeU7py1UY4cX=tYFyJ$mWJ;I&*RIBgc=
zFzjQ?Q~7)`pHHXr#bUlVI#q<z7^zPd=ZbSp6tG-Or;DSgIhUU+X6o_$DngIa(bw&R
zR|ngkk;2x?QZWP@TfZ|{_av|VEAKNg9WWm}$Gy@q^l^#)*uuRLG&B-I1AW0X;L1&e
z2KMe9MuUAH(n$nm@4bHX{vT*;9}4vipF9U?XTR-a4v(PF*%0a*zH)K<sXIsKZ+?F^
z@IeHj<ji=T#Mh!VLTY2_N4T7ssnz1e(MYjTUM)_c4z=`nxt__Fr{+jG`Z&@kf)8;1
z_xAx{V*D!67PfwOuvIaM#dt-S575`AKFA#k4gT#^p>Sfy{O9PvdkFX;QAljRnJW}>
z7e6k{ClY%Q*x})+#QeE~Uxz+ARhYQ9Yhu1IeG5G(6cU|ZZJ6)dGktzAcXVm@eCgoP
z>4`+)MBsyZy*4u*%oKp}xmkoVF_6UEc(fR=qj&^$!1=KnBBRO7T(gWuoAF|!UT?lp
zA21lq2Os7Vi8E;X^y!hM+{wfhbSwvnccyRmE$+XTyYyM&=*Oi47w12M#0S&ccg!DK
zx^a5?{K(S6$?4-a_vLmZ{xGmRu>+xPr%v4X^7fg;x4E5r3g;e_-nlgYZyg`NLqdA3
z<AX@xgCs&z`SJ0|wK$ns%V(mqsKe~oS}`{M2*vZoxv4mcuhD{!nGYC@H|YcParPKO
zAMHnIPhn5t3c5voa5`}b9oaRqd*A-j{nHbJ=)aaA@!<kOXGae1{>S@J2x31+*K%K#
zmL4vZVD=DN*u9iHbZa4$yZ?Qm@7jC_?OW{lU@RJqrho2(VkR>cLCJc2eDd*B*9YY$
ztSh7+C2P^~nYC!6xEzg+7MTwij5q3oUDMlPtRF&Xd*K9(@!dH@4=<oQ=l__vy>nvc
z>G=V4ociGSy9k~5_TcV^2Vt%-@kQYt_+ZcU*SBunz5}^8CUQsTCw8OU{ST-Q2GQkx
z=*d&U%ria+o)>_zF}k4%KqFRz%~~YWS#X$Y6q^Xu-t6-NgTZ`oXZjjK_ow$9e*e8)
zrw)8JPknH5`q+i{4jz0zbglHm_KB_!c20kBGI3z(#?k4o4(~s-Edf55-+SuV;CJ(v
zAoof(*PqLtK)IctC+>g`y7PlI7~bWM57wUZ!8j~2He<1&17E<&>e>{kjjydvrW>%<
zINn)Le3Xyw+I^V$fWdfk^Mk@^gpOQ>HNp>u9-b=X4kF+{qA-8vL86e$<=$BsM1MPu
zAm;d~#G%9cb`S4^%)PtjzeNug&^xg3_+79L@kjJgZg}XuqdN)*uPuboM-QnF(!u{X
z21mehj6N?+B1$b&Oy_4B*K@ZKFq#LJQFEr4E>4n0x`_~;i(HvL^TvF@U@#vH^@r$o
z@0C7;LU(oz9zm2HXZk@E-}et+9Dsy@VMN)sErf;#g4j@h2tE*a?<VRnJcwx7BO!G5
zLI@6qX_;g_3EO%(I0DLbdQLZ#W@ELChAx9p0McmGXvAuxIU9t})|0yy&M_Y_7;n$_
zl?QhoMjNv2D0<yKU@#c${RIYt5x{)#hG8(64+cgyy$>)UxU;u525<Dv6Tx`nm<|3;
z`$i!fro4Xe%f#T<+9L+@!RgW`cmMkC$fovzsmpB<_AOb&8;uN6Zv8w@Hx^s8kkRhu
zR5mQ1;&>e9#25O8Q=U2tJ2Zt>{Q7aiCTwIIZ>#|aW4gDi73&#XoeAM>_d#uRJW@sh
zWOd`PU(C9^el@ZG%k@vc+RQ%CN`_}x7H$c2j9`N4787F86CcBl__oC3XJ!*bRAsk<
z{kGcsJ*Tk5`GgkjejqG>=wE6+d<Z5%t)1F2J?d4OQdMYyX3(v``IuA%KWM#M2y%Lb
zdSHOo`=nn%6`hb?Sg%>S^EtsG*a`aDE!1r`D1<pf(4a5G*QIbbAm{`(7NP2ATe7-9
zI0?dnd|IEy_?PoRb1pwqjFI3Z8bccqnJJ^^*tuT1dG@RR2Uq_-vT1#Qd6grMXj!7J
zx8RhMIVEgzcC`(IA=Q=@Y*~8M^`7_u+tn%@D^=CyoRq#GaP|`)c<rj|U{1uC=PH=j
z`JN9}ys!a25ZkiuK#Pi9bz58u>QZ_ks;U!9vD;9&=t{C~leVDCHm1`T-NY%5lXciu
zEC|9@7upifRk^lnnOwC>GZay;+9GFJ4)?@(yesP!9Oe{RhcH=n^|0f)ZF+%xwJKuE
zR$SPL3N6&q)wXRcn5J88dttZ(Rk#DV0#!Izll_#Q>fRM-$)zp!CRuJ62Yt2ms!~;;
zuT&R|t^YpLSNB3_xbNZ}I37!rWPEM3Ttlc<j>I0t2_khkuAzFPiBP@X#AuZ!HozTm
z6LRX!)vg*sfBp2xwY%%zoZGp6d^7u?8n%dqb)jTq>}CxqYnz^Glw_axJVWLDYDrTi
z9tS9@Aizmg$Qp83)I3RZaX{FEIGJbyCbD1>_(O>J$zb<{w%}>LAuOsICVEyfJlm@h
z)00WJ7aBmYv0|u##lc2%{q~CBsXW$H4Z5PNc*Y8s0%^1)w_Auf3S_z^AuFi1=xK%u
z!_+8wg3PJB&#58~>XwB?NyDNl8Ckc}ag8^<l982(D0zaa5N*Yf1XJ%6vOPT|%MuSg
zEqRp|+<}r#!h)oE9MR;IXE?!KA*P^0OWjL!3{~@7Uxqudh&9QBEJgCbZCl<5%m;ht
z3yJ-Qe<&m_!^u>>QAd&HattM7(ReYP&o?rYC^<O>6Nh3ZIhM{ZkLA<(MkF@0Tuc|2
z(PTPZ%mhL>xxR=d{<LrX2KvvxY~tsIYPKXO7{nkcFhUo7j{2bLw>>ONcFGXKQrmY`
zK4nuJO|T$=5T)}3L1cqq$EJuCsp`X+QdBr{3D#Av=L4a=q8S=#@u{|y^7R!Chpnn-
zDQa(SA?YwX$A&>T73%eLVv)8NPN`G@(0Yo73bL;m&_pUIRB6K~<xE$wB~j3EisuE5
zSb|6Y<QsHZTfkO8m`_3fMHs`-2f}$_Y&jCWK&vf<EkW}^VL`8<eoo*$1Iz-=Rz2zn
zVi?c?k+fP^Gd#^9vLwP?u`EHTn62&=a#@9hQz_N;^%AdDT|tzfQ9&{|Yiq-NFm!O?
z!pX#~A4&%f!`bQ_eE}IQ&!FVYXuKF9vDj!4H;a+U$$GpPA6tuB`SJSHcw}z1xLjW@
zuEt_`wAe(H^XmuDksXOo_M$KUXA}DXi>?5Ju;YV@$N9Wuo3P_NQ_FguWQdaD+fu5n
zN|K~1LX}_`Rygnhras_3nxj=b#TO+Td)3aEHciv&`M_2=C{$G;5`5q}7+O^oS+D}I
zvf{cc3NhMHgNRK}$KV5lSRQA?P!v^L@mfUFe5e`f>2_OPaUI`x4c-$Cju%v~v<N<^
z`p{xkNJ-!n?9<pb?H&&!)UO)2>x0e(Ry2b^Xy-XVvVB<q|8N=y#`AQD<~*k=Sib9-
zvVm!f+6w(`7p+9^iem|FKUi6?sJl$qLSJ!8RWw(JKJmWKYyUK?tqt=*|NKsb_AMUB
zAxgOx8IL_4r9Oy_Mq&s>=d65mc@C#%rZUClsYz6xEKZK&$V@a{M>rpejiP405ll4J
zVTN(<zqcXu&6k_m2gK)9j{3m%E0PN*T^~4xVO1Q9R}~*dzZs@jg6tDPe%c3CkW-=S
zi7;~gwr6ON#dE2i54=jsGBi=uu^#w<HftEYnLn<Ad9t!^R0AIb^MeI?0AtLDkK(1k
z2gLC-Nx@ctElZLtx<;7#K=x85RfW(d9am@`U7wKk&L57p6zT)9>w`+q2he*TKH4Jn
z0kNTwqifKV=;_d`?wM`Rq7x->21PTfU?+{<71J_>PVd82`nc7W9E_>A=-ty?j{1N;
z_P8l)Yr}l-;lzD}mM#ZANM=T1JDC9=%+8EPW)K=p&rVIo#_Q?K^72??Duc?+=u|!v
z_@G&Q+6RMw{|4TJy!shBy1sAI`T(b7CDqQ_IHgEj%G5kjUU@P<a7$d6<1EieX)2GO
z{B3rd%j)=P9|YjAWTY0Q7I<X^hU~NJ2M)&62V6=}pZI`qD^jW(;druT$)3~mfyTE;
zTcAF0B(0@M6)x}rY5!AjeiB*B6^xz_THMNF*9Y_$Vr2q-_>+M#XsBgmfAT?z;~ggu
zo}T4wwd!jc^#Qh^kPkL6JWsMEIVDIATq^HrKDW|taW>XuBEVfy>0QBr4=|t2@)+CM
zYD-aQUuCrw%nvw8Q=BcoqR4y@dVk^KiBtCjAIxU*@mf4THkx0JK90uW>0l;<;*X2X
zWDK4c(v7J}82yoYCKiR~h4I>09?wu8tbTDU1f{=QPxPI82c5tA>4nWZKWHtelG?T$
zLsBJAgaIqS{6K)=A~>cDSuRWtR8Q#o0JjWP)f@}k0v*h_su8P8MetOKPV@~r-ie#-
z`2ec2U@+lDRT6|0(FG^)$CI*HloU)9Nz~fD=!qEX5{%NefuSD+jwQ}lgcgxyg2gNy
z?>&gw(zUR_Yn<poC&2-ROY>ok!p0z?tcF1}&@BBopC@fNt!Szw1{WB1G*vZP7%EOd
zv%U+396_#difHL@H-rk5Rq3VEhb5aVQeCxaeQKMSotALQ^Wa8c7t)|g=&Md-ozr-M
zPho6rd6*B-8CXx;H}K9OM6qJ@U1My`<>%(2@pL*rW1@O2gHQw36Q`16Q>Z)ztBjFg
zJux3elTp;1X&%Uh5O8q)&l5}8^*^8A%-=t7QhW=;a1H}zg%8t(`HE?o70beqMIFFb
zARz#oJZ}MJkm5L2k4lABWTvDl>3;7A2x7aDJa2Yu29#27=5KalE2iTF_2Np{u^b44
z6C4(4t(Bk#w>wekfg!8{g>aY;n+}wK4}@xh*{K(bb(^IXLo5)6*1FxGS=j0}3x%LQ
zTQXc-p_g8v0V&?W-5WvUFeC;i-ImPY*5ELtb^Gejwjj*f`Y;~=M?T++P-q}H8Cq?a
zvk2AAS~;1llg^JPl*<TGR;}()vq4Z2(k<AddJ@gnXG6oN!_mLoUH@c$*CzkIGVUD`
zPBK*ax$pJjm;BZ)<X}$nQux=u0gPo;d*$yIn_8)ge?1KILP;kt*JIo}5(Sm(4E?HR
zRB6I90r(f2+Tc!Y0E4~1(0_AqE4|O;*t%l<CU~WVt(U-79P5>_ZPR)QDvF4$S0&sn
zgbB77%m?iK#@8|$Fn-y%O<6gE`GEO=!C){SFc^#g<^u+U(S!Mb!C>@YK435y0n7&s
zMh^z_K>&lnU_R)<U@({u7z{=i<^!__gTZ*aeZc?kQ!p3|{%!WbzYjeHgTWYit9^i;
zg27-gA21k<F3bl#7z_sU!7QSL;D9ppToi-Bd@wk$1qi(cAIv5%ey3@7&=5Ta5QFjd
zKx!}JgTXT=wgOjn{dOOO{_!7I@7~RhpzDDV5QFj7u$-QY|GE!`&g>oD{1b%1!I3K$
zezOmTPTu(B?vGbBI2syaK482x)E_-+q#MgK7RKcl`(XIWaA<G~5ZdwWZ}!3U>qx!(
z<B#9yXm;rO^`YbtfL=^!$4&GsXYULkO5df>FHW~Ud_iR&Zq(dhKl=ZI!KlTG>A7)~
z%*^H2re5rW{u3~co+tD(27Y%RT)6i-d|>?ef9%?aQzCty$8kdU4_XNg()vN-fq)ln
zdr<TOjatHj^T1g3oI=|&D<a9}LAMZ}onByb&Ut44%ga~sx`ERh-QAh0ow`lF3_s}V
z->>q!z68yezWbx+dI{d62a1^H@RrJ{89Fzgz(Z$o9Qrx@Ch=GR0Eu`!9y8wJ@KbL`
zCl$hzCm+b`UwrOwUw{A2_ust!n_qqOt{zao2A#S3zs`d6>^e=q&u~wDcy#l3@4@qz
z^bf!GwXc2YOJDlokHFvojsPL(a>4uKJGV3to?ItJXcpIe0BE|hZ^i_{9ZwnYOPWA8
zTNvj4jzc!1pI)@t>k&+m>7V6j_F(2pZQea61ot=JqY0k;ei&L&E5SWN@E8b#_tuLr
z0GPMW;grz*VfF+j42~Td6T>KANti7FQ#cxK1IRg@P7?ujW<H_-%DI=y&3d4X2Q#02
zj~;Lj(Yb7rpAj|5wGgG<M#C87Kx-@EsNaNp&;yQOg5n<B2GE>-DAAVxpB^ww`0HPr
z2H`*Ol6lT(Ftt)yPM>=^eOCeTnwVeCDV56EQO&#UW|_irsXs7am_2s82E<l#c5B6r
zNM|}HoZ0>M9(*@6e39O$XpYC`ZFVO(tKXJlg4SVqx9PF9Okf;!dut^FV0EQQFtKX2
z+PZOj*~}<IGOT)R^P%8%0h#M7`yd()T-%~o2x$lHG0>QzetVo@9Bq3wLWkxTZ3zay
z4^P6;!4idgo@+eDUF_h!c~k;mSY~jCj`pSdbGgz5bfz@V*9_3HB}90U=esy4@nUj7
zuq=uE@vgSyli5vpl6hXNLie+ee)3xP>eZ{Cef0btJ>a;|L!_5q)mM%NrJS8P<9QR!
zaU{d`OKH`@IL=v$`%S1^XU$1-cgW~`ZEdaArKtzEEq4@JTa|c$;@*uq_y9e4`TQGS
z`|n8+zFK|z{ltxZKHq4F{CK5VI!%|xHF{xvE&D9C%O8hp`~A{bRm9U$a@;4iXM4qQ
zBWa!XAXscC>MO?TD1>V4%s-0v)WzY6jq(hJ^J=Ov7(`e7mnmB@*i)m{!AS-{kFDFf
z8EB4{Y*u#QiQZa{Ms(Zj(RR$;Zew#0zrM8w+b8BayBlHm=Dj@tp^-lkWdm`wHLn%}
zQPzB|?%~Pr$Gn#UKxdj^fHsW$1_J>|E=K?`IsGcP>$))*aWB|3U~&%w#u&)Z86!AD
zjtT?;5_WDeAcm+nV<4DG@HO58fU%e|0M{=cm>9s#Z+Z6Z05LUJ`WP;noE!OYc;4AO
zksRn`&wN(|w)xzR#KITJo%PdX(u2>u(ME%h{{heO?jD35qkE-E02tpWn;btAhb0pg
zqH<YTkOVm$n3vOZhyp-sw-TBG(HjD7(NKj_vd0jbfJ{QeWaahoy1X7EA&Swj=?iFT
zj^FPQLa-#15#pH1ZfdeE^y_dRpa*#Q{9nKLrAZGy{q{Bp?qwShC!e45?7Qa2Yt(LD
z>Sc}_jWtRU(}`q0b)7u+@7Ii0DNQP;iP3)6M^E2J2v>KF!(zaE8N%?Abn7@A%pq}d
z#hQVr&7>`kTVKe@n(bwRn_>n)O6^8izY)OBpn$R+bL?vTf^ORx_^&Oj6AG(12Z1X!
z9-1rOc#7NM9R&bqHW~NWgLa+4{K*!Z0Q4iD{9at^JqWBUEH4dF^}5{ZK*8?FwXhh3
z!M3opbcLwbwWP*q%!Hx~%kDVlPFya3AXN0aPuy(IzO<k{@?rZ{^%FP;ZkOtHVCJBg
z5j{Y#CW`qwxb$%;SqX$o1Gt`5kgFw2$7uphnOC4mNL6&!Ommn@SD<s1=;?g$N*@mJ
zvwy;m{{ippf$<@&2dh+w*{U=IVSRm_AL>uZrEqG`MNdB|M}!TEm@ZWR7BM=iTlU2S
z7or^(7bz}e421&Mtpii!@Fvy`a@teoTvpE#9YOLzsjqmN6jiXZ<sPw!lFw+aI@V;b
zLg(z>L4t7G)-&rxgwjrVge&~+J$OL~zW1eB5I!Gz`SSktLRQ*pidt~@UG;GcSlh3n
z-DpIh^}w7=iXxx(o-QJo?@xL#jsnvjaMqR4$;zw;bhnLoEQI(<f}I1Zi_YRUhPR_p
zY$Z~j2YQnp1Qg&%T?OE{<WTlNVNH4utU$Rt?ZM{uAQx9-+CJ-?pJhEc0QAkt$%wW1
zt-#SJ!5#oNi!^?Jo_Y}MUd`DT4syMf*wz+BoeZ{pUOUX4gi<v@akxEOP6jjG%8lt}
zhq1X2_c|V<+f#R^783pwYbU~bVC>mcf{?H6J?sT==Rog4W|Sz5_-&F-My!%Qz}u^0
zzYjK9olo`&06Lqdf%Zav&47+1CcPXq4yg@T)Jn3A>3s0xkF*Z_{bxUZ^Zg%x|ChhL
z2gb*!!;+I@JV`wUvmS6EE-f#ELcMZr6*ibXUKV7@O484?W{kVA?aT5rmNFVSOI|uF
zuS;V=sOhO8=dvHjh;pkZ3WAW{-R%ow;q)daO4|#9m=)G#Zy_xR@_reYLQ<O~ytMJL
z&<E&&{wd>&&&%4|2YL{`gO|9Im3jrSPpbPakCxxiapNeEK0U1wy$4c%tJk_Ik85Q3
zzw<$N)&n@yRPL~7FvmDpwI0+Fztnqh#GU~jn@L-Stka@IHvKJNZ#o|w0zTCV;OK%w
zx%Hq2+gKfFJqX5CpT$z$zA`DPK^H(z9Ul1D1AiB&jvRwkef}W${dwvEEY_B7!3p@=
z0Crs?k7wXTs&lOn03o*-cc?)bny|YIlm{8N!>St9p+9=HY^m#;yDFLd2k@W=$hB`5
zk_o224Aj<|Vyxfx9@86cpmIzAu*nnvZH%uOQ62i&(<p$sQZ@`ImE)ubn9T=2e(~48
znEL2lJqSOf_W<^>mV#&6&pKb#dypx~Q4$UVm=`v<4SAz`E|-F7xzy^*oo#9Cw>QRn
zv@v868)t3d)TRna6F2F>B{5QI*<X`u*1kMy$@zrZ=rl!XVLh3++7N16URmsV1!>zR
zG*&9>`>Dr4(2o58^8up;!SMA@KKb-Zx<e3#FqqhA92WRKi9G9Uic;l#e<S35c78lA
zTljt<-RRUBwK#v8<xjO9j1w!*JV0e^o(%s!#Wqk5)kKfIpu4dHeLmP>l|`GSH@GRV
zS8(211Chbz%^<!RoAkiWYFkEz*?eHrdN45UT+(GLVDlJ@t<AcsY^(8I))O=j;&p%1
zQoIJR<2{^ftIl~g9xsk|W95VRZ3It#k3G0rR_hn;Rba6VV9RxBuiLMQ(Z1wTw*iBD
zh&x8F6&i!yh^X3h?+tGagQ4HPyR>U>-@Tux{eRR0XTIch@eZaR16=*NJf9`5ez>m!
zF1-gAk_QvjMhm*M3&?Dg6zFKTn7f}3zVNwUeePq;KmPU}gdgJ$OUliuUIWdv2cb}|
zB)7C45WNRkXY#a%&17RIEnK56XXgb;9VF#C2~T?<*RUx`hg>*3?E#mTizT5}Ov~pj
zd7SP<Ef#ToU1$Sdxs7Al1Jaj0WqAqIBs-57KR^!{fO(0d(;xDm>J!2jGa%$SCMx-}
zTzZX3i7FzcWHP(GRXX0biW@uH#lx(2;R?eIvBsx~SB%$1E8rC!00QOWN$b)Rt`|pk
zJLwg>y*h`UKkSSZ*=XosaTQ3dtgH+XwzDhkc3=|xV)4QW&0(EFbRL#PrB|n0Lm+C!
zO>w1dQv$Y8X6K|>w35|Wu~<F;CI__qc0>2%vV6&1jfzDNhu@DU)+G+;E*s!*>GQ!N
z0Hu?{6ct~t1L37A?ob2UbUyF^Ha6qlGf#U^nDwBmPAfxzdj_!!w8R6%_4&Z9&j+Et
z6i2#3vM!)@Okht&G1W}kpdtMQgli=ers}+M_x`~z@zc+I{OTufUcLD3Juo~LikA*c
z^7@RR^}uNi8~XAJ!esh-!I|VOTrNL0r`K;#)_SnMFG)OKrwqn9v2j(FmzbU;#X|-I
zeJ(FDw89JZ(t1)#^5@~(q#&=~7W7vS=LX`I{Zwh)Of%=Qy)3thzS4$A!gC+s`$!Bx
zURut>=k4Kte(h_Yex5vMFg1Bslz^cL5I%Df5Q+fWiG%=T(?qaS88}<g2GQ<hXlA-Y
zL+=J*G=dx$Kma4h5J3M6ZO#E8&;%3%05W&L5a>ujp`g>B6Gs1I$m{_SXfg}~I?N!f
z1Oad+WwvcDhfp{%<Vd$nVBECe_vJ~v<8g$o9fwctIDx1uwZ+jV-ncS<gG5*9xmy6u
z7LT?W%v@KjbJiWkws4s0bd9c*Sv9Ctf4#7*_h9#`ywr0Nm^;>95HqCOPA+wW^O7f?
zmJ&=lc{4BBz)IF~;~GWj=345*Ds6OIU9RUHCOVC3z-v8n?|Ybq#-JNb!GF1Poj(pw
z=Y#Kmqzwr8(HHRgGr+rg5O_%IL8`>xNt;W~aDZNtc{4SXKB-594TWEC!8(?%(t=g*
z!Htk_a^14e7zj^$;3oGyU<=z7f%oOt=do8FwrbH-M-ZLj{;ed`;g-ut%LAP8!cAE|
z=d`s;8y@=*J$T8ycmc(6)qaVeeB(=B`t%!k@f`2TnSUmoN_PC7nZ0)V?H+!wo)C{$
z-7;Ldy_c*4C^4_LST2{nOI8e*yi2hI0P%r0Mq`F+EiEm@VTmofZH5pVcf`W6guUA=
z9(X*ktGB9pVuZ2oz5jfHs)?n1DITuy`L%Q$wQPy+7!a)R{D4NL#vh+oVAF2N_YcmF
zMKNz<GHFp1F9=o3m-3>D3o)<Fx0v+c<JS{!-n{<XcYfX&c+40VBU`<m?@Hs-)_GCu
zfpMFcPty(gSpU3{c;&`gQm)W_VIF>YqmY-6vqB>g3WRsXQ(swLAcu`c+!zQ@S$WJi
zWFZExoUBQ*fAopuJ(v4)d}CLY`CYf1@3w^Td0s9V76qZ7mqjHUc*L;#yZ1mxa?zNp
zMHsyLuJ$g%cYcERX0b2Y68L>%dRD6szi&?nVZanJZ+(aKz`_CGEC-li2*JJJZb-jo
zDd27(Bn$``24n)WQ!ztm4Fg!3nB16|gH9<x!^{Qry|fM>O(l%UV!&)80YY<@*=axd
z=ezGGe*8ChXAgo88FC$7OO7<wB=aKAFB^h^Aib4s>^Ih&BqCKpLAUm}QV6XjhomJ{
zNIZSIFWykWfWeZ^YlC%>J}Z@c;Xr`vB>7~rZ>J1Fue2`>j5$|h|Fpl;OqZO>vD6-l
z4V7Fb_fOM3aw%-^r}>n2%3~j*2MohdDO<7S_zQ--_{o2K@dy9;<^N&tjGogr{zWgr
z?pgo>Nw7x3h}8gqPunE1lK@VV2II7(=7b#2NnFczNk~aBvN%8{;F+U9XKr5n^qaZ8
zos)<D5BHDDuTQ5hcO~P-snevrsgvYbpYfvI@2++i7CtOMg8V-p7nlG14f$<8NWKOY
z5HKU0civ2#lxe|<0u=5S5H4$&BsHJ8R6wjsfL10L)4D=fL(aJvt1Kq=kx5c$Ehb1-
z%bKqiUiC4W&)=Mfz;32N!T^$FRNv}S7y`Vz-C+wXOumM{#Rt=WPw=nwmBT&sZ~yv#
zUi|NWlU-a+6>s-J`8Y|Y_T~2C0%dXgdsR)Alaz82W8!4(JUPsl?Nn9?W}M=b@~g*k
zndVr`(hNOd_2rq2#+1vN9m13U$RgtOavbyT@`2Az)Cay}|3#9Ei|d1Oxq6&(a#g>0
z-r-`T{GMPM(wHg#0q^bu7nir<`k?xH$^aiyeP3Xi{880=@PUhq>x1QLwS62KtbSa)
z2Oqe&xISoq5>yNC=7Sgi>EhyYgtLF-gW7T09~rgwyZPXM{rf*%TwIRw@A7d#Zl+!P
z_-R*{n(yL+uzB=ay12Obm*nI4=5qz}6Ck{<zLO8ynEZx|iwjOR<=22Jz1%0jTv9%1
zAGo-<KA`wM0c824eBk2Z`ry;&-F@KV;`+e#fs2ca>w_u41``(-*9Wc-v=`4PXNil;
zX~y+|1NiT2zuKJLf7fk-3&ww6SL8$B`oQ(Uub0ohc=61>q`Y>U0KmudfWyuu!GG<n
zzxqi1&5MU;B48H~LYM&L;FKVZLi^wVnDSp81%ubl7vL)U`zZrN4n_k6BM0Ej1=A|0
za9VK|!u7%5<%7@v?-71Ii^=cVe|k;D<RbvrIuFCZKJ3!Np9Yq8&D_HoO#U>iIlXys
zmn#L^7!$4s2&i#<BMD2X2F0stV}5516EL^4vjzwS^n^+EFO5>gZIeAd-+nN>VdaAj
z^va#S$7vXo^>j3h+T(^z6D>vgK@EVJ0Y8{ItwO-%6u(o#WC|RlT_5~SKA`+_pHT4r
z{yv~}fF8;I7gs+H9{@A<Ac_de>v|3nh#)2yV&`cR0ze3MLN)+QYn|YV-f!q0a1e)w
z&FBFDK<q34G$910&%c;a0zRi3RS84|4Kqc3fN-sDSjH@gijovJ#0sxlabt+`MqDu(
z&~CjUHCPA`p7sR*K+qnH*kDMb7#s|Z=mD2wLz%Nw=nM<(={kv^s4&*k;X3D=#vJ?^
zC5a)YD{*OUJ{FNAN$>V0$ufj$WhCwydzI5E1gs_WJ;^9SrvQ;0tWOscJ4*`>ZtdwB
z*m1iWPL~}12_Inc2>?&h2bjI_^s{Gx{pHz>r#CQu@e4~n20%s8>q!h-y0L~xX_zm=
z<lL&agbL%(OhE%`Xt<_fLh%$zTu1|}B?hY{HE%S>Mgb7QHY@8PsOE=jEXK^raB0b8
zOEZ{+=P{h|Ho^eo9@j8IFWz#t6Uk+1S>SQbGV}m~oZdj3UQC9=9<Q;}H+bT=GD*QQ
z%NeDO3HA$ur#9zrn5ZA%JP?OH&0$W<4SRN1nAVKP)k3OR#-Qfq@=2VN(qTT9>o3vj
zey>*r{xua>dMq<a55&B>G!yPIpxiTUfiS^{K1u?Ae3CR{6J|af4sR)*pcIBfeVEeM
z(OBmYIgP-c9t9q2LMWKcHNqQP1UHAnC0tvpVo>QZ)iD>+oHbx_+}H#JEH!d71p@uU
z!5YSI@d0S&J_Xjy6Z8SN_WaKM$7j@AkMG}q{`tLYx6a~^#0QqxL#x)FxCYXOA`1S#
zWa)#PBuR?3+MXDSvEgiGGLg8VZ-9p3K|Qe;n)(2%7H!}(>oDr9p~S`XjMPP}kU%{}
zQbY~~L`#Y-Zy90~5yB+s5Mr!r4%0>ek;zDfeyN23BpHEiZiQvGKIw~HA4=&xNI=&R
zvqMoaLMc&+MaEz^9*c|hh-BCse>66fm?6+KOA3}~iIa+8#P=j|l#TmQI8u)ceJ#C+
zI+oUtbrnM?#-c-gfLcZ#5<;}`&>AJticv%;E&3twd5t{Y;vp&+-J!AOTQP>G(+8kG
zDac77OS72px*|zg$Qg<vrb@QNH)74YWEma1TH7$_>h@4dj7zaPu$SCOvv2l+uQ?A8
z{MbQ=>9tSH2lyX%KEL<l{cGB-$2Ziw&wu&+<M9D+rRAa+73V^F7w1HNNwh*9OPCK^
zvD%K92b?}ewhxRV6V>zMV?Gd5GifnIo2@kTp*qkHeZUGM4-*u_Ru-Cj(N!g?5khcS
z*yzTVO(^%M57@l~z?u~V1aU?V(caP-V@$h;Fyw4klUwz&SKlg?#97r}SK70N*R;ft
zM+pMk2YRQS*7-Iswi{we9vWdYKG34d%!)piIb&Vvup>RqD!d%9RL<ztq$r+9T_X(<
z@<D>&#7g>7Vi=&IF%N)0Mtf~1QF%jOnNg%{WK;v>RDwa3uNy_%xp_TZ9viz%J;5^d
zi7M2|YK(8_MPJu40Re?bz_%oF{>ZF97ZcQsGOwle9DJh>@ESny69BFDPw@SN8<(G6
zd;Ga}=kC4z8_zF)JU)nZJA2GVy=e5(Mj+Kt>N#;J&xsA6Zy2u#Rw~7bE!zk62}XXY
z>;1hClnt5P+iRo(1|J+Ts2t-Dd=Lza*>Qu{i(6vHJ6C3ufsYW<o>#ceq>Ty8**+Kr
z0k$tdO_>D*L$xCqtz~fq!klRP0Pkj?*XYS(V-EQm#?r$&0oe>qTN<W5FqUMm5w=sg
z=<R03a5Bcp0Y$CGf_O_{Tccjg+Ukibpw7!wWL0TL4#)INncdk4Ht5K<4;rEepp-Zd
zVAp6u0&vmNqaYO7>sV3<o>Cv6c5r0yG>3R;72&N3o+}R1u`G&;;k>aP(uHo$!_s<o
z-5cl_sgRNL$-LkZ0|=T1hu-J|HU}X%&d2A2YVX8+0A5^ueCx{NYucS_`}_ZV{89NJ
zWUMIBoYCtTqtQs<bK+R;iOUdq<AsqVj07QIudnbB;G`0@eNcME2RuqzPBU(6!qO&=
z4~P)#i3;tmzP8#@45>kVVE4i+q9w)>Nj&wzLrl-ufXIHmj%Rurz-f^a#|RY-=fRlG
z0Q(Woi8BCsjpoCQMng_=d=Qoo(tKWu)iaTB+3`UcrQ<nqAdjWA#l?2w?RhCAH;j4e
z1Eke;-p6DuB?=FGkTUuZ1&ji0D+xewGN@;AkYp7<GGnu+R0owl0eFKtlE4j1!)Rlo
zZiv=I$-=NPY$;{vtxLwlZ|@I;$Y>&_8j&#Y?FfCNh(JYrs}I1R0V0IJhXl4y&IkLK
z|LgKS?T)iQxOe&I8y}GmqGd}Fo9jktM>G)_r21k*E{U9s(y@w=!Kj*cUT)VjM4l75
zv0=)2W95hsT8P=3VASSAL8~mA67QD=a#;z^i#syv^ZlJZE?M=q5|9ZYwN||t39S<1
z_y7lEHQFilO=d5N5vPZJ^3Yh3T0UP?G{K<{mgKR%?31I0XZH_$u(W0Q<+13oKVJw~
z49Z0^QW%*rG3bd!5@@JYeU1;J^1x8UWkeioAE0G}lff*_6!kG8U`I?L*+(*UjL0a<
zlG6xEizbqHs1NL{M^;C>CB2K#WCH0;7E7bz0IvpgFCu7Qgyf2tTG#V3d?*yesLz+v
z8*ldkJ`Okv26DNVn~@=&mLa0ZPWcZ(2pq4*PT1+d!7kE7kr94RKKS)@KKT5`mH)c(
z<E_U}&)m6l_S&6~#Rt-k+<8zZA-%U|%r?7vw`nv`Qjk(nL#YMyXfvTZ&(s-xCs!9e
zMV<FrdNE{w-gw}H4uV}h+E3_fW1Y|K>gi-mSP4EzkV(Y5Y{kMcp`VK<lFF9z1qWeg
zXsOWlfj&SeuLsxbQURG_3lZ2eGHXLgNCu5z$_QdYnbd(-Zz40cm-C9V?4+)dX_~%X
zuv5cW+Lc0M#qd_+Su<cXSXIz>31%k`22gmw!OR9kwhtoFzA@{GS*!TK2N^4gRUuxa
z*BU`y^kZCBV(E06UykbOURtN3I*q_}eYeMn8O_mlw#4hZO}#V6>m$E!sEa*$pa;wy
zJqHO@cpx`<z!wzD%j*L3&}gg)F%!JS2N;v%;G+Qikp4pCZ7T_}1L7`GzOJ_+{v%ND
zlE~s?fVOdN9%3~9((d4r;V~}dJm)S^6cge%0cwAj51#&dlz#z)VD;|f`&aJXzkKt~
zoyWJ%-239nNAi87)ePrbwgSGjQ6HrgDbBNDArFC>P=su3MoUX^Wrzu-uIx$57`B7)
zSR%9B8_lnbDz*<MU4)Z7ZI%LBG%g7u?;9%d%)>M?vyvqAP*IVj`V!#dQABWUlH1v_
z^#c2&F(RZJk0?b5OCv8WfK*J3Y&B735{XO>?o@mSghn0!LRKWQTLG;OOQs1ElphtQ
zsnW9~B`svCoj6yrgqm-l)81ifZw>`Uo@yo!QC=|1buKN0ePe3~4}8#?RWaxbkw_;A
z*o_2(aV;~lEK3=xElHBn3?`=%9Ee3C*#fY$!<Zywd9owLGkiRSOsTGca!``uQCbUD
zccoY`q0G&1DfRjYo7qTYZyA!e_<+0(1jTO#tL4U%uT_Kz#TVROc=X-&_SZ>_ku3W#
zL5SuMp^5$>*$0q!@j8nE9RS%q&;uZZ7OUsK>Otb`Uij|2?-sW&HqS4PmmY0@^=NVX
z%Ooam0RKHccs-ardxr7Zvv;nkzo`4<qvG(p%5XJY0oV>y(_RdCr44`?ZbM=tB$7)s
zi%F$&Oz-%h8HRpORpAk67Z`gjwE3_K39R*(>|$FxXv^YP_9y*={+%G4nG3U!05%+E
z0XYgR_m75-0m@4?RBqd&;A9yiI(K|<#V~O)Q&^|WzH+L%<aymS>YD(QQwsFY%@c5t
zoe3ua!MHH5;TZ<?#UUb?%=atcU^T-g&}tPv2S~PVuUtO~$=iLv9)}#l0=zVPy&z*O
zYu_q!45W3w&f*hKc;l<Zv`nH@{mCRZSZxoua&0gy1R9NcA}kjdZfmG85tS80aAQ)B
z&R`Ut-5Orsq&^_kxn?+hVbQ2vUl=cKK57(NU;W@kZ+@;kK_47^V{iZL{cHC=-n$tF
zfH-J%kq_!oNC-Hb?I;Tmvb4={z_bn~<1Iumz(=AO9vsN)0Ptv>HYLZ$IIMXC&X5>8
zqhQp}>Rm+M!dtoqG<pg-e(mwgWe03jvD)BBy%Wc<ro_`(y#c4|`8FT0Zv@XgxW3tu
zS&DDCdHqr!uq^6qU-BXO+_nhxMauW)H;aLlg&&Hk#oLVwUtL(-{-%;&xD9gGw->j6
zXvxCD;=<yW$=><x?S%`QJ=z0C^33h++sOkTTr_3o{6Yh<Z-AVv4;<7lE(7xM1N=Lg
z$?%o!GS~Q18q>N(NIozyoQNh*K)Nn$H_>~oJj1Q}t{0OjZ})+A9QF_-e(jlQvn&8C
zn=GsvUy}nLVAfaP{yMPuh)-YKPRF;i{Nf^?*d8rkSg>|B7rD^FZTw*S$uPcne(B52
z4Q}(%oVfiB|MjBd1C7<b-@aJ#`Kb?@n?G#roLl&A9lX&8Gbir@vJXCy=Ld`-{_FoD
z(`om?!2r5CIN2TK@%<r&<j?v*dlO{!+p$boP0fX>8jIolH$AL5KG1x7+vi5xk}M0`
zk-+vj@vBG5gT-NJ;X0AO+}@!+pbz$<tbMb<<tEZ4x-WRL9hJkIn>|eXMb_d4P9_z{
z2MgPD;}8ehn_%DF2QDryZ}kE5CbaUC9T@<&aQ?dxW{8~sCd@K$WBU>W;L^4rY-bVL
z*nTj-dGY+YOV`g|T(#dfV4pZXFt0!A0sLe!eQxp5lg-WCw+miWqwgOOhC%5I3t1Th
z+Xwy4uY`@n7_o1jh~M?W`@qHZfqEQfiV8Na^E+vudHzud!Cv&X0#xdQ#V^DC`h|tY
z?Dn@c=F+z1yR^8N7%eWIlf4VysM>)K%HM8p$>T@gZTxVtQa!&}`f__DcQ0(N5r%jl
zEq>kX<w~CG3yuEfW<iz_qcU&A^}&0<#r1*uW-$Nc_W5|}`lFQ<;r#8aZ4VG!T-c-^
z5$dpcar^eSi;qIS%=SWRu(;ik>F129_U(V9^NZJEaPh*I7q`FfJ^Devy?w#kqQ&pF
zH*>5CCfkcYeD~E4=Zn`D8>L5&)>t*Ez8R+C`rv)w;`$(Y9QBZ-ihRCMY~}i+@wu;u
zGGb^IiC(8XnPoIk{C0Em_7Jl9>rXs$w{Ne3(Dm<CO+U}&=n-enZ*D#?;pF1xxpU_`
zU__5!K51$yPGA4#I_1mU_uquV-#%H=)VJdL;632t`XKpsaF{#)UAlzev`i4iCu_+h
z1g1%l6Ja!j*fPCPsX|!iD3?vYOp++sMlxbmU%Te>A<ga(9l#=_F*GILitB^-gNy5f
z@^O+!C?^^ItA&Myx}80O-KxwG!q~@YaeBhxi5g+;xW*n7S@y8vuVcDCIC)%LAC$}0
z<CI^ailSdFWMTP3;`-n{;NtqA`e#5p4`KB~@~%FpvD$CAxVW&@*ZN?&T5TVvdK9|_
z0aY6OfV`s*%%j)R#l^+{dLOhu391G6^}>nc;=W#>KByh1{gF{?yFNH^TwEW3od30t
zzmJS|b*bt4;Dm8;ec<!tJmzr<9~tJ-GUNK-gmH0wAp2%|Yo7p3Ms|Jhcj4mV{(j>W
z3~VrQadCa%`ha=%FO;*y#l`i3`}@xS{j0;-{Uh51O#T2&J}j8>m(MwN(g~c7$%%2i
z|LH;<sdK@u5B{d#U%33@*|TTAUVcV7+$ON(C>Ybf!-@|JO92S~<#WjKb0Gdx|A`uA
zZ4i8OD^?@_KVV4SJ}qY`=EzB?Ht$i<k-<-|1Q0r08OHU&3H(0OuP*>0`~SRpW1sxS
z{?oh6=hv{EJ9CBBe=xAt%1|cV@?Q`F2xl{tf%?0NGk^G&>U`x$1zg+8P!gfvosRt;
z@)B5_)c*XOv|#t3H(Xv)$*ZX0SFaq)r%9y%ds`*&+pQ2#46(ifnT;Jn+rr*t4xCaQ
zw7CsFM<}3|nS-tmPU!dAZv1@a-oBlo3GDBGaYeg&6VuYY%a4Bncz=H%6TA=T<@*IQ
zR*dIcg1!R@aGn?dq(?w&pmTr#BJeVT2?h3yEuOFI2^ACgvN7<-z4Q_yf|1=4Lc1-n
zM;Y<*G)O^SeZun_k`#u{Sax#a={ms}9+o&`#^+?6hyzA;b~;fE!ON1C=mKW|v@FiQ
zdR4%@6hd}4@L)C&^E_%zP{;_$w3P#|Pl_qa2x-cM#e|@|5rU^v2h2lVQ1r2VTjlj-
z8NuHc0N4pSH!21QO*dVK>je>X8aNei_krt!=bwG{^d~@W{Dko@H^{S}z?G|b|EH&C
zK70IZ|Lo<bXISu$8_%9T!|&Y(4-tgwNJyeeiYsAID22J932@chO__kn6^emot-*x>
zW|srr8gzUhdVP>h>nQ~KT&e)DmX8ii;+1y%;c#!LRZ~0TGRVylqUFMXkdl&}hwY&q
zq^F~zo|mC-Md!4f+2Bl*8&+(mn7dYvXvH1Q4;>$fp}^3D1kVNNL<j{i-ksDcfZ;)O
zodB~pKO7bSm=6q=3F#MLc^qxDnSnU0BF~WP103$t*{!mTNOuMkwl_z#<t3~wd*<g0
zlhIsWY%~IMm^i;37bM7Mij$<3J@5e~8QSK7xPCf)0N3;Zs#p^{8xk9-KoelR936xq
znQLNP$PrI(iL1^GyF~^&kNA9dI1dQuad|ULU||pq5&U)^xITFN`2PLppY7kgvcG@r
zj!OToT;2cd`ThHk??3zT=JQ+6@8ZkP?>|4Y|Ned8Lr5D5Y%eBRMifQGxMf(ia>fv(
z*t}nf#iY0ukHqIm%h(h5Jizh67!gpB5{NUDn3PAnC`ih3U5pPmByrTNi-K79@5XAV
zrw<TeXGJmX7icgu1ExMe@`|47i7`b~l$bGUV*&!AI9c5=Mv_v3whwgC5@UT7Fs!&_
zKRmITpfeE4>r!mbNYkO|M3vQ2T-npRtkq$&5jtvKF_hl26jKb2&Wc{6%+kn+(dm+1
zg=rdf(l=7sNmLYPi=wDV;<7zd*XY~*_j;$^2ViNoAh$<Z?D!y}NMa8~jlEc81!uMh
zO2?VBD8<%=*vJU7_T4982r+5Rz8^@E0CI7<G%d~b!JpV4TsiyV)}6DC4{oXS@5<GG
z+`szcvs?FHTzh=u-qWAYocXUSKdJA1e=t&bp3fK!TpyX3H#`G<pbho)l2nv?;&?SC
zm?0zM&l}^s&Y@nU1rL2dh%jkJI&4i4JW@vvk5Zm^0|)i4pEuTF(HIo<6*(%-147Ds
zEx;Sg&}(#&<AZFP@5Dy!HDk9r)PrTtaDL^ZRaeJ42b)rsVA}^#c3JE!i9GS|)fpOT
z=p3L8gi(d0_0mv}GAY9w6$>c6)wWtay({OfUS2Gft<0(xlvdOFknI|CeW{2EK|`a^
z(52N>#GFjDjf@sDg6+P@BSJt+a^9*yNImU7AQ-hbMn)0YKF~L+J+a$2=mH2<Z8D)g
zh%q}lZ*p{HxseG7C`dzjUgRobuw7Dwq+ppis;|Sh`@r?VnS1x1KK|vX56=92*@@k{
z_4Mf%&p$u&^No9iymuc&1VNCDl|m#l<aoU}kXC(tv4KO4=tIN18js5Uc$cO@+UN#2
zMNsieA7mRk&v99!DTu-GoMy(nC^2Hd-b0AVC|HYi$S6x}Mm*e`rNO;~vp+B_LD(|{
zW=*uE<0ME3NY@FklmX<Gw(SF{2ElBG)6*O`5&eLGR;&!PTwdgSFf0yJ;tcXchAF+?
z&G|K}Rghw>Vi>MR3MFHg<2Ll=w4(Z!#r1*|vL&`8rg%&8Zft3j3204VNDTQjr3GL5
zKrOpI0I1r^7#-I3fwAl>TWL-VLth}$%pUk49bc70#$GyKAU4a5XwXQ7j2x1A!DDa;
zn)KrBK5$<z+}Pj0{HhNw|7^$Z|8(o|&6_u`es<>hPy6rR2i7hCa4ynmib}nnnXC=s
zepC{@eI;I>jo3c$nNI3<M4?{a;+aDqKvUw!x*eOXnJvqZihkP%bw*WqL}f9HI#ymx
z(JWy{JnIBU2R_h?K7gb8ob7^~lcqk<W-}TF=>s3csu;BD1H&F7K_g^VDPxRtVjhBd
zDgx1u!VwOo>XII;S{uGnLNTmnE>c)FEP6_|nYPL(B(8g;Jao*L*z49etS;J`;MN3C
zA0XB70g4(;yG3WWeZ&VCpGF-N)(C_hF$`=UtfRJ-9?;c5T%>>K1AAHWlbD_{0Rdr4
zs?Un4aU=|UJ3`+mB2W=sAN-m9!P9&9uHFCf=9PQ<SEfF=@v|MH`-7|Z?w!4R<MIdc
z0VbHWW=$zA%gqh5d*Fi|u_^b(V(m8{45DI1hEeX|{ez;6a9Yo==pkA5ru!`ul;Vj>
ztSBc0l?Zj>n~^$lUaZIb!0|!aCuHnk3my0X*_ZiaK7i>+#YZwi()NL|Br|)7l%A92
zMq0%Lrs)hk^{5n;<rRHpc;EwWh}yi~-)oh4M#~$~wTKxu2C}@?sqs@EOg~?U8j*ff
zjFhnB1N71dFsE-2<jWaB``uNF&-Ou*A*T<NHs*cujyV6)2SZ~`_O;^XWP(sap+0D%
zaTJz^x)%}DHJ0Uy*jUz!GRO+1nD)ub`q=fs@4k=py3ZRQfA;kGwR=||KfU(zE$98j
zo9azF_V~pYKYxDa>hpin?ZOA}fs)1aC}gyRG0a=BS~TKEJ;OWDx#CDqn-X<F#7^Ck
zkzGsc18Doe$h0~cJwav^B|kJ0^Ws)-ET(6qUC*qbB2MSm62>wr@97;#93SlUI6b{K
zYvgDddF{Ir4C!M!j+}GSfe%D)hz_!&bG9|O2f|8A_s+zu5T^&7j{%I`P)6)O6jOQ2
zQaOYAK;(EMHJ6o4tCQ0^O98!+Gk9|n85d)g+ES<wjF3kRnt%`#(iNttTS=1H!mUU#
zZ{(30b0)}c=-Kf=iib5NzOk_pT&E9(ve1R()B$tG)_T{NXwK)2A=FlQQyQ&vMhhlH
zF0E4^NNp6*yGuM>OXp3VeEmVIU@60nE@%mZ3+*X>e9Q;#_myAr3{W5ZboK6?`*+Xo
z-?(}I=C!-p(<|ENcj=du?%%n4<wx!F`}c2MzIW#4FMzynv_u*cg87Wu4#r~j9!h0v
zFub+AnvE;z;9l=x1I=U)(%6bCQI@s_OIv~<)B|M<d-ZrMI76!>DKW!#lvKCFU}h&K
zSq)6!jvhjUf&)sLod)guoREVAgzM2}CWrb?S_3p5+M6UBN+jkC0=<*nxH7O?$735c
zT2Da3ijBOe@=%iMO`mtG2F*#awkt`Nmjt_@8<S!@vzoPfGrO_aB#Z(<6_zq3EohAq
zA-Fx+0hLS_uzVWkt;BMs1ewGDI``YC5|3w_h}jS*qsClju1s5!(+3_Z65Z*6>GzS!
zi2zz3N%2k_mg+H~mC%N}NvyWwk`l06w}Ww|)v@~KLu-;5VShrBgx;Y?T^~%r0KWtr
zg!cE(zQCC5vp;J4fY2xawD97rUD*G}3w56!$Oiy`=_MehsX^k*7hu2^YLKnc963y|
zN<(;h62;C#t>6cMz;?KRX_GQ*cZZ=r+=c{`*->)ZKB-NE)0<~{N&oOPQLxI`JyqaA
z2@-RLo&Xs-gcG4NFjYtZDa<oRChD25LT7&da0Ot@CJA6olLbx-Od}*Y9Tqsrxw0yQ
z53iatR=Z$gNXrg*I=9mZT>ujULcxdYo^&EW^C#iqjcU%XLZ=P3*Qi_xE+aCj)7FJB
z1IZNE2XExi3`d&*{PGd<!2#g+Q#)FI{VXv6M-NAOf;mA?p~Gg=;G4mC+S8FKyb{3x
zADigQ5|~cn_&=C<{ZPlRhs(=b;&=q$<F~mJ1Z_*|WOOflb!l85xV!{3gB**A%P9a9
z(vx8R*kZdraCr%a5EGYE0e}F)V^P-!E-o%pTpzf&xVS!Wec<A94A%#TxVX5uJ~+h1
z#l`i3i;K$?*9R^xE)K2_$`H7`3!kD-U0ffm&iG$Ls9*57ybFF-V_g0Rp;b?X4_eW#
z%Lx!|tXA7D|AUx09X{x-`d$8h!h<3vF7E4vPtFH36_>xCnSQkVDGI^G^?|?YuTcE|
zue~#HZR5)GxMa<HBT2HQk!GrqZD|xqlC$L;&Th`O1Kdr<-VQe^YQ2H1##UX-DUm!G
zjVyAO)g7e9ZQP`r_V&6>pjRqWKr)7fMquLWKaqtkaA5(G#>B2M1WdQ-)v{&ojcj#Y
z8fd%M;&$UNe$xAW-|zk2yb1I1yZ~6>IQ+46;DttONJ|#b4}V}B1>Yt!YkvGdMEH8l
z<IS(;9Mo;9c>zBI$z<e+2R}m{@c_SNKV#-Nvn?!}I|d%}uqD^8@u(%WKE7nXD2H1j
zcdp@o#lf9x=5NEn@;}ugj~ftfKl-{Ky{Q3WHFy&@FaL8*;LMvdHxB{<zZE=VKH|ZV
zek2|7;6yoo>KJSG-adKb*!qsn%qLk^;5hUd;mj<Kp1|I!7d4(|c|JM+eD?>VwX5s1
z?|b>i?`|`%Ljk-0TN`Il4|yz$Mv@Vh7ql`QTghK%zlzXj66FXen_pYxQMNWaf?R&}
zU#rPv#QRZwn`bMt*CVWFN!jL6)n>+t@-K%4KB+B)0EJdCAMxOa)RB&O(DP{K+Fv&B
zDPI^qnSHAxkXEl;j0ksTa&IIz6R+almAQAdwvcc?O24{lw0*2B9)B<!P#<wz>Q#I*
z^@|6yt?n;m?ZFf_L+(c$j^B1)xtLtaTHIfRgSj^Zj^ABe&1Uzb$o;7L7QZ=plV7r4
zynj<b*<ZY7PTtSijTX*$arLdC;1J@$!tNroG?oj*tKQ8E?nh>G#9*KKm3Mx0*n9iY
zXK10fl3MDk_z@3&Kpp9b2TJ^;vU4Y1y1cHGcFHB?WPJ8|SsCq7YUR>4yHNkoi`v7r
z(#d#fd;Y~=)l2!>N~z~$>Dou}ZQXnv1@V)mof8~~Z|*9n=Upp}DyT%MceE5A?ag=d
z^F62bqj-M!Px1U{>B>TV_7}VPzicc%TvO2U@7{^$e_5LQbA5X`uH@gUZ+qu^x|i!{
zs8mH?qo_X07)2K_di_D^&CT83lghOvMakD9M?Cl;b)+L6Y}0r1?^k->HLY#Y<<f`r
zva(ny)fU9+s{agM&JTOb`Rnt_hiGj3gVF8}dQV+_kiSmv?tIj{?U~Ql9w?{iic(E-
z>|Ldsu3Wx@N-QahWu;2*&iw`fgIVADvaI~WezY<Bo@p(A<5s*Uf9mSS;=Ho$t0=XN
zxi7EoHh7?Hy@$>V%-YsFE6OlkDODR)8yPR%Tbw`tEV|wmrTf^u+0)9_e?)#p=LPCV
zLIm~g{@*N0)BmgV;d1f&{}UXY7rMQb-W!#k>$<hAx68fV!o%I2<xiB}|GgOT3GBv>
z2eo&QA6f3zcrc%@K3t!BpIzH(@?h?L9Cdlli)@*pD~%F=C_giN?B13hC7{P!U->H9
zT|CB?mD)=WN`C<S#$vhj;`#IODss{E#`{54w_4vubFQw<y^W)AZSG5aS-FNXINCH{
zDk-PX%gX5aS7r<G>M`zT!~>6y`KAEId|zSUYoX7>JYL>|>rsIETZ-#6ee)W1%y*UE
z#~iW%IJli}%Rb^k?<rk_2RDwbZT+UKRH=pf;{7)^|ETPE`N*xFDvO#9J;7jJ+2cX&
z>iXR8*?U{d@$Kiz%F_?>HyAYJ<-P0q|6=aEd|Rn8s08B7v5hU?eE#Xm><zZkjB2}E
zZ&Q^xIt;|~wTFlYN;Uka+{N9kcOGu+^MGHiSJ9kfs2nO>-T&I%p^n|Xf@oBqdv|^I
zW;lK2R=k@08Sy}W&H|ZlXiBD-@2Qr-gAwpw@I0;r<p~+#0XSs%@3IiZ4fqa3-g9=O
zNf~@S2_O5ee-#q?qXKofIGAqLf7MSVzAgQT2XVxM_>GEk<+HW?qjG8Xi+iQ&O6f|X
z2fdtE@6NsFU735&yjq_P)wTaW=>9<2IkP_ddv;^%f9i9wdg<v0rAw2$`RgCgT`!k*
zV)eO&`mA-MR4e!H5g?A<2y`bZ&FJY$>E)ub#qZ|L_1V`p7XQ0G*Lp8MTq*tMdTH;x
zu&wbxo6{&)s?IByto7L&E2TH@me3{Lm`9(=%dPdfCFQ5g0|+6Y7z_XiF@~Waq|{c(
zARz-%$UqHXlp3HJOmiAJ0AP&-?Gu28iy^m>3MmRXfPsl1Mp64^0i?5TFG^z?PBUHm
z(z{5wR|^T)h;SonKF5u2qw2o9SDdyuJWU6AtjnHCSta#2*7UUc7)KZ&2C)Oz2DCA7
z(4i;@QBvWlB(-NAj$l|)_XtNpNLz#Z`=lDT7Ep~_-yDXGO+WxZ^FBU#JP_u8J<Q(z
z_2)~U&JEug-6{9}_L&#2c~;kYdS3s0ezdxAja@*E!*6Z;^51&5m!2J7SbMSd$DI?&
zl|@ha{4=j#>aJY+wC7|^|MBHB4{x9Expa}e^-0h9M{k$^eVAQYWN%%{K7UF$@l|x{
z;oVnyUVm-=WR<ypvbu6bcmI=~(JH_2@%hW2&i(n>+Vb<Y$m+8RG>7w6&iDNG`I=Vs
zayPrM{!Gu}yYsJKeE8t<=auu%TpC{fT`ls{<w2NCb?LCdkxbesV_0N58&(4v4=|f0
zP>29-h^4$;EvH=<27x)->gO@cTgZl|S}^7`X|!SbvmIUJI8R~bX|l@$<hH?Vi?1t1
zj!?F-nKs7PMNZ2YrSD32k*dZ6N>^yj_F=$Awi<L4CZP4)q=`988e24Oc#H(e!GTnu
zYwti$wFOd{M%6x$Nn30f<!eikrx`BhDCn>e&DrAtNkeE5Cn=B#1llMHYav_veP)Nj
zgc~}b;3tPXfNQg5$HNSxZ_5DuE9W>r9WdfR4*LL_Q}AHSVF-)lB)f0#eW{QRTgNE<
zS&}@fHydyavkiIWY+#(Fv_!rT$WBlcbvkRX4IqAM`=p*c9>@_BF0+smXc}i}y4-u6
zHZdFyAv6gQIw|m+9N{^9=^w8|DoTw7I0xyZ7s|2^lYJ(HT!E!c@CC2zrEytrqFzYK
zya{_jFDD_2DH%5je1!XJ6yd0szzYISdu5(Z`gAf&!xwbPmEWD&tnaX<Bxg#>928iA
z<2e0Gz(gm}GT3vhY=#g(vjEJf0H-&>=d@JrCn`BjiaEQOf&s~qlX7gtF6Eq(#sd&0
z+)=5>6vPQ=BeF5Vk?vESK_ZHKLedP%F`=1mXPaIn+H>M0u&IPy>ZHa+2XQta+EvMK
zB#3i-LbN;FQy?X(?L<!FfzB$~oo;!=;fhL~dUH-&k2IykoXc?*Fjz~Da1Zqps$C2)
zNLUsvBAxb&4rj(FscvEjrbK&AoHjTJyO0%Ukb^aNkOBxGV{V;aQteU-X4+k-1m_rv
z*c~IXc5P4T3zEa(cFM3tBKMtf$wBmo96@4+O%no|6O}?dbtr$5B{pNt`Lv$TD&`zS
z2$0%7EmL9|Vx6u5)g6>B_!_4xDd;9n!>o2k?O2=BZI`UNCyWQJVVvV+t|3`Q?L_%s
zx^c~E{-E)__MmsP_f58$*i<vI*?X*Q-ZzjAmOhv++#h}MmCF}#%{(yY@%0aMeyWmF
z(HMrEi!v$Ej~S&*Rx~h1vB87v3{G2!q(K^l$DKyK8UQh(1NKXnf;g@(h~%J@0+C#l
z&AB>!o$X1h%VwIE+6<z#C7BD*UNr_L$C!S}XtK4(2Bd^;%BArD_KRr{mdK(iLyOo?
zN?nXa%yvj5z-NL!iopgPZM-|kQvqoN;lW09>Nr<yT#U&RM1tX?Gs$28>Z9jix;-*T
z1gK<m#!Kz<fPt;fDObqLOiCRg*Kul+=xDbDT>~)IK1KV*{(iAj?ia^ti!?RaK4J2U
zLz)woEOf@6u{h+Ss}CB*0z8b<!nhPBRiD-~h*_qMxZo)!AT>7Ti`w;ON5C(3(f+86
zF<75#obDrxGBN2LblX|Gii5P+2A?b*WQ}J0YcdO70e_s#7(4PAz<(^6*{g#c@33b4
z??fD#87Hl-F(%;lnnsBJVvxZ+ZjA?&P{>Z^98DeoH9)yzkn*XMt!@v{tK_(tNT;KO
ztWH9c(b?k8rOAMp?nmiZhd<RxBw%6;OGzm*?apNh8-xK>;{i!TFls8}Oq(#l85j#;
zfOll4#a1$HcSaBo1|8uEX&iznVj3cPNL`S!$<xGfx**2V*`UPP{3)x$3N7uvX>n3>
zWUR>p(AsVwh9DdvrqLcSVW6*_5REjes%bJMrVT^}aq203FvuTpWS7G_J^|B?2?q%=
z-a#G$574etbZUm8G^V+d01FkVL2aKQXpsgD(#VM9PV~1la>LVskmT=@Mj#!qAD4^}
z$mrt<dp}4R!<p}<k%7Ufk<5>%iNVa@k492OB5KWPJV?SY(I4!jD4p8iL0ZanhW2>S
z;xuAvz~>4;G#Il+b(C+0oEC${VrWuOCjqoLZEkn5SiCS~kd6a9N{q!^8V{IODTv$@
z>BK3R)_8!mI+7Hln;@nkB{)*{7)E*BS!1JCf<@yKj&PVb3$Q7|4;g46!hq3HenK{l
zOLmkKYbg@JnA(YWpqrMW$gv7k^St1*M+-y-fDB=5Cjq1Pa1Pa-i+EL65heB;&=?Fj
z+6cc-b!*O$ffxXoZ89ghI<k(8c1_7c;Q<VY(U99&>;MdisX7W+i+qTP#?%mKAuKV~
z1I~7;qP-78_s88{j1m5Va}a|8`-EhGm`prDJOFycgH$3LNc<Q&k`#cjGuY(8Ih6;p
zQ{#azSM<?-?Yv-vVF~ddg{c=9%<O0lv_~-9K^CMblgSWZ8$2NT+*SyalNpq5>Jq0-
z%*-TA6tOfRKwvTYrPGi(r||%0i9Rf14<NRHjFb-9J>WQz9hU}8a6IMP<AIH^KxmK*
zfPq6&0s1;y{Y0P1Ahpr-P@qk+n6Mz?flD_og=xCKRoCPJ7!t_=$q%7lGPq+DoVIs3
z`U_&(H**d^T_U6L0E{^8E?K8OweJkTk%ZTWidq~tS1X1MN|wXm!FVVXaudY~fY3l3
zhivXbhiHNDLXl#Msw-tGq%hVf8XyC+(rH?7PPb_<PM!8Xf<#*q$DbS?K->QT_kcmW
TmoUm+00000NkvXXu0mjf*nsb{

literal 0
HcmV?d00001

diff --git a/engine/docs/contributing/images/contributor-edit.png b/engine/docs/contributing/images/contributor-edit.png
new file mode 100644
index 0000000000000000000000000000000000000000..d847e224a5596d1211627295f068f19d5c0f38e6
GIT binary patch
literal 17933
zcmYhibyS<p^9M@NVg(Attyqxa4gp$<TPV=tZpEcYa41k5ihC&50L9(iwGga8u^`0>
z?%eQxfA`$`N6tw$v-9lE&V0u9iBMOQ$H$?>K|w*mS5%PEKtVwxK|y&&`5YBFg5~xt
z2L(lTT2bbm7WmozY!JqKUc$h&=u^iwi#U~+g9^Dv&Z1<Kc<M&EKZx&ENQ|4ym1UIJ
z+AewfMYr#f3_88`+vfDXsPQW^XxPO(=hvK}LXJvl&5Sav-$IkVcw9dH4rua`DVSZr
zMSi987^4?*;E#mkor|g35{U0FmkcP~S1W(qoHCz5+sBibf(#bEDbb0adi`1`DuOp5
zl8dGCTR}nLdkzkwkKxZP+*p|EyU6F{V719Cdee$6`@ipbe_OJ~c2CO=o!p;UEMG3?
zO!!ZvoNQDQ)YsRm<gq@;<le358l-Nsmo*7;R{dNyhHcH&CeRbKV24WQs<Uz%weqax
zTaKP;C|-E)X_rrrX9ab2z3iHmRPQyDfG?-fmihYQU}7nw>)-xp{NM&%%FmtDglO`J
z=rGLRXsfegA9{WI`(X6fKaY-VW+kC}V$Z!v5RU{0$=$@6&!%61PNGErO$S8c_V)TT
zz^D-=IGFjXf{o7<E4NmD>NMLIaYz5;5O?Y~L^4W?iJ|M=g%w<FaB<Uz6NxVye&qj+
z=c|9)UXGjKmHG>x7X7Q(xhD1^<;yY0us!#Spc}C2Y_tuDnRW#hgl)lD-~{pu;`?6Q
zHwnndm}_7tu0wk(FM0M8>uad)(Z>mUL-DD$vI*~Utf^$Q_J|<F+v2JkK=Q38DjW`{
zbz(Intd&e&>Is|+c4kd6TDj!U%Dezu<BAIhh|rwiIjZGSGpdw4Q>qGoZF9TSG?$-`
z_KjYHun1Ei^c9|Bhs;<&0Ve*t0(y0P9bMzD?-md1e~I_8{zpSH{9UDDm|r?`Q`kC0
zmD*f-qKh}OaK4I_q1!6jsYYtBgtxAc@bv{i&|Rb;D_I9o)`R)T^meeU+PhLgdG2|-
z9;N-jR8qFi`*7OL<yrM!`P?jTbpd9_<$!~n2_~sfltVju9;-g6d;6Q$!xG2DJRT#D
zJLHn`{Z<!~{KZ!e&&_UEUb*=HYHwP3tjZ3&cGWCYkELMgL)p1-Xtn4rs{QpEBgic9
z>aVIhPX5&4Hxl&7XTo$#y~-@nN-dNcgsjLNRQ_^R0gE!WMkBbb-J;I#|H<jc{cA73
zZf4?WnJf|%8`ymQ`a;%JzBO|`b0IH#p8u=sV390MFRg*VAZ3aWIc<V9ZVuu4uYF)#
z`^rf{unr5x=D$miO2Z<vAF~ZTnr@|G@G<^BI@g$ci@3jV2>H}kNqaJDJzL!kYpC7d
z@i#Qj)jbCR6zSw2U)z*=2wfIJcA_i+8i}A+IGbsvwv_Zn?a={K=RXUngpHgWyI0*9
z72f?8_~CtNChjN#e2wuA78unPbp^<tJPsj2SH-bZI4oCq^Q|C8=$C%d5rvVwEYaE`
zFRi>pcLSrW&2juVvjOQ;*SeW+b_bbmJNA{dZTGw8#x(S~MCCss`6IcW)#<Lp;kr~+
zmS;{b>ESVi!kMtTO%b7K7nMrO`_b$0#aD`j-CTJAn^GalYpseeQa_kct7RqbB=u;y
zv=zE_2;e4m7NSDjMOnH{Yo!N>)Lz}ZO4Zex{57A-7WLQp^{c~%f&Si_`}z}8T$gIE
zzhwNS6H^}>gWolT&UY7GDV%*`XXf3Lt)4OZ=rt?7BuZpheVxE8b5goERB7s2(XN0~
zccGMFG8xl=66V3vMGu#Ya2j5lYNwe|RAid`$Qx!P!g&3lI{4#5v_FDDoAvz?RF7S&
zusjuiuSLA_9nWHgSkPV^Su@TH>uLtsTxx!m>Syaau&a1YCvf+C0UDI*9S-Url*5|D
ziiB@H#2SQym|3mvFQr`hC?Vg!zWu5GZ9^?LwwRU0?ad9D_;xO=zq!}N=rw_h5q-;t
zmiv+w9Le2oIZpIf!<?NqJ8joj3z(!7Ax)*h`M-OO7F~oL8!rttjp)y54j-w!$|T4W
zjoPHjO4F~ctgQPvyk2(lEq*sRslg)LwGYtysZCVU45YCgDx&~H=y-2E5+o5qGOR&2
zYo;!C&)0v~mA#dDIYv045;eSLs?mya{k5__F*>{<J&M1Wnmy>XKWlZEMFZQPlx~f=
zY~tT6GR8~{qVm&tM9&ybt3~G`eU6s>Br3N^NPFK_cMC8#)qj&laTIW~>Mj0`>xhj9
zYseNUQz$*Od0kmk!&2!nszIctMK)?TWMQ#}`h^Jf)jV0+UlaXPSyVeRywZG>v9Oqd
zeYHcDIr~zOKKg7=n<3G-WN($Os@+S<BAaJw#)I}zR%iiR-IP-(J3^W7Ff=LGI|Q*_
z%=qB{C1n(s<R`W%7@|Q4CB3G*@pY2<CV-7r|9Y8TOTjVOv{TEoVy(PB@J6cz-+o@@
z6<}W7bJrrpUOgndzOfC%O(sYN<65T(W@A3lNk|)G^j;o%^aFQ*8^mpFn+kQTs;B|F
zNBL!M?!1-X#&;>m;D~{8r5h5;44&Prh_y{I&*qeW-&HuYG4FZd`$;8iGbO_$=aTVZ
z;T`zJ1@?24g1_5d%NrFlTPk<yr*YH&zWO+-DUD!N(=9iQ9<M>O*U<9PNpp?d2W;zH
zn?B)+v*=*zW;PLv5?$Q(3_SCB^LPLGeCse;Vvuzji(Hzspel2YyrRalm&sw(vLR^f
zCJULIsklWPW3@!`2dkg$?A_A{?WX(6REN=q6R^9?)_)v_&xVQy<k638rb%U$Rh=2t
ztc})YD#{b5{E1Qd^6xfrv|e}Q21My#jrZzX*gH9Aytuw=c^lhEVcq*(^074B?>(O&
zIP`sXtE$TjEo46!ZdEfvcm?dz?0mvL5Ef5ydLPlmwZ1%1X3d_#9*(v7ye+%UdGSe7
z>GKymF@_EFWls~nItW`B8RrG5n3&(K;rGWAvV*vT`GvE)ri%d&=YOR7x_4tkQuV>_
z8|GK${lA>V9jsP9e*5=N<fYGi`X`(BUytAVvrjR|>XUHk=*bP94oNuJe<mFXtSc#r
zDGK((`6Rxdt9$Y8B^VgWxskH{83X@OWTo5Lzwljs$;vQYUnNOd_2^Gsi$io?mUfN-
zxk90oPwz(!B7LYYoeZ0f!ujyi4^Qv33~Z7;W49~pEv8e7bvWU%Q~vI=opBYti|P3_
z&#Qmxl5I=J)Hkj1AXb*GiNl?^Rf{(>ewI!qR9DEvFDRYAm7GYl7SDxKJH5rtv8pGT
zdPO|*hX~GV>bO`a7mnYxV)9d0Pf!o^q7Kd3+}mCcqo+^Pj{qZZJj9<PvN;EkKHRBQ
z#(c7v)@JtOgF)4D80>l`Y4>AuH-CTXI?bP%*zkW-BHh~Xk5hbuszW}wG}-M|WJw&_
zY7e0<B5qM-$}2f{xNxL6Z|@f_0gv4x)EQ!8PT}7_SK~)Km`7maKR?iZX>qZew`s$b
z``H|gzlU0w!m)NbWKTYp>LS@x*mWt+!N=pCWq_j4wTrJ4Av`zpFT~P*z8dm**7w**
zO#o*~;)Ur5Z<gT8k?&+Zf`ck!m<Hu#_Q8Avqe+=`N&P3})|FR!l*!ibv}M4woW^QJ
z<$pSxm8H8Zr~8Z@8{~H52u7-8WBW+8Y6!Z_PuHwOtLhHT+XRPsbL^twn1_mg&PN8b
zSO#K4>SRSICa=f@7W>}=UnKIMN|}-D9sG<I&^c%u4x*@ii}uqdKl@Tk##%a~r_=i#
z|IFI8YYhu0cX^n;+HXt|N28C0>53sLYLp)eI6lF)W<Ah-Nw1a)mZEv~CQ(1iL!tjP
zo9X5AT>}CdD%d-TsGIwQBIBo~=vw?fK8s!b%_)=+bvOAi;As3YkWqvcDaOIk*w!iV
z35qri8L`1RfXllNY51i@e9`>8x>WjcQPgR*VH)ZGe*T_FGIdg{i_>kL1b^1#;j2;C
zAgQn<UpJi09P0h+IY1v(+^liFjy9-odA*bxpTB~ipHNllCRP60eb|Z4+|}U2od@Hb
zlY9w*f`83N@^_mqq)zRHKbJ%Vjf|r6uqwhCAIb|@nN8EsQppNcB<rklEKc+y-QSII
zE9Zi>nn!%2GrbCT8({OZ>**@&8??bQUwKUxUduAqhBMhp;~K15$P*cl+fV-NB$9rv
z`)+9b6FxW7L7S32rCf1=TIR;(d+Y850hRoL#ceXD%JIK0Y0NB?sci_~VV|Bs%p8Wx
zu@)6wnfvcH-Da&NwYjmFzlq}G5383*J*mwNYs~xa;>-*uCwDk+HV&uhBzqI4ubI<%
zs`H79`wevx#5$OW<*2i%_aYlBncV#qS)xS}+})O`eM(<fXJc#IS?h(Wkj@*rDhFaf
zFRmt!ufCP#*tuN1>8*h<)BqYn-_0ybc>|s^n$LOd*f0883l7@9nxGeM9HXYk3NVR4
z|G5cFWyRoS*N7abuUYzmKNZIKnQG%EG_oWQsC8EZ@U$NZeys1at9(Ty;C=7i(h#sH
zWMZ{J+feq|zN<!gcA?%m0ya88=PW%xI7At_em?23`j39#aZxwEqx28U5uTZxXVLa-
z5@x^!b(1!t3Lg#klZ8XqQPg;d;sLRbp?x+<u&3POR)7<e9Uqb5tIr~V%XJuCiTRAG
z^7*)3^}*I_FQI-y?A5Vq6_eUh@p`OU9pEa&w$#XqZ!j*ZmX$AlNt21CT}kWl-g=v6
zBmLV@gu7XAOILB2W=H+Q&2-;?V^t5Ikl5&%`MBuQUA~p*aDH+q5kJTvs7UYbb2OyU
z>}3$EL7OCYko+>=bsFbVg?4K$$oKR-PJuZ`X_KSk?8cJ7>vRQ_>Bn462h+pe5Km0t
zZ?$1<<RBKamJOowub04xd1by!t-zw`y$vXmX>xb-PHb<ERU=r9PPUJa6x68-wXIi}
zp)9`xXjRFTTqq=Cua)4V8l|i2Mw7;k<R%K|NcuT&XwFR{Rl(uLR!mIdtx%@wV~(Gw
z0LpU|RFo^9OzFBHdlVuRmX{s=o^uuUknOApyMGJ*z~un6a4eL->c(d%tWm%4Py#;>
zqo9PxWsCn-rw{KziG^9!*bR*CAHI3JzKh+g%1sm~jq&{7AJnrqiX?1WvL$YZb_arg
zXG*?QdOk?y@Ya;2Gx(a6%<L+&Tk=u#@TkCQ-$e1U6rKS=vZ&G!;%}z;lSOlTS2^Yp
zL|=exsUz>2iKMl9FZ~E2Oi*_d{Z)Hz1GNq3lBIFDMBrHxp<lQPlFIk4iO$je<^^A)
z3-!dtj@d{3X%ep@Ox)xe65E>l7w0Obv+PrDZu*5vUbzcV$JN0=A9v<0u@qgc^XAj9
z8DB}d7h#PP*r^c&n864zFmo(rWYemqOC(*T2pIoZ`p16j^xCXS=hw`_fsouNZm9IH
z8JwvY!aTQtscBgh#Z5&r%An_6M6p@C{fQZg;mwI$HXZCBk^Z%MF3`{z+sJyig~%Ud
zRw~Rq)T*fA<;ny-Ipe>7xaJx<_ikG}xVV*&(<++$ERd}>SyaDxfLubhT3FAsk)zF>
zgZpzKEyx3_MzNMywpzoYtTlVG5;^ZcA`c##w8Ac1=n@%_9keP}&W?}TtYApw;_eDR
zDVWCcv0mkst^I}=toImOIP*JLkfJ}7eH-+=v(TVe%TQaLA@w0GuOttL5QmjjL4ls|
zc?e2SxX<;H^_Byz^;Wug_Qk00LH6>1`Dp8x3kmCnsR^I)tQ~v^AOFx$rD9eO@e(RX
zK|1U>i2_Jt{}r0D!Y7MR6xMhF;!6GZZ!(|t-NBz4EcvVo1FpHp<b_AgPZ`C>#44NN
zXzxG8=hd5r?@zx19teYnf36SP(*)UIhV?;Nz|w@D{7X7vORF~GfzaWi;?GO*IT>BE
zr8@z;9T*TUgGT3vyK8>y@hma--LoB-^#nx1^Khvzii`&G@TTe53FSBhZmZ+kWFXD|
zTB_?+Pz-uOQLqeDZB23Sy|mgl)mx>-&E6{;K4B|9MzelvOO1-~yFe&sFtjhP_>KI|
zTny)%I%wI3$}L)<5Rzqcje`*Z<hW~m4O?{Qn9RcYl>#H)ZrPO;X+(T1pxp1P+cCD{
z%YpAN_nm65774)JE}O1Rm{2)z<U7_96sZ5IVtT|pI$DB)+AAulF8H5XfpMY&7hQU-
znSWf1PRF%|L4a}$Tr4|dF{_`hy2S8=WRen5^Fl+61sbsT$;MEd&!yvXtJn5;HWmRb
z(EIG)_HhU!$e$Z%vx$9uE;X*_ta>(?m4_b&y~=tLyj^7<K;a6T)c>oUp4&4}-&D!n
zhnANR5jZAsCX2iMuxp$WS!zhZ%gi@io@n{FXCgU4%SvFqZ)k$GxS`KGM9-ygl+TSL
zj8_tNcX^q)5;5KT7EmcvRAX+xK?maKR@!{Xj@@oA4sI`xq<pV<NFiV~cD_0F2rHR)
zC7bZp<QE{VhU00YsC7=voqnqW&YkB>ku<=zi`9S#)Wr@f6?I~{Eqfbm`}NvvUtbf~
zCTfV;RmAfd4xnWq^lQ3;nw+$fT7I!tNWK@H{r4oQRG!SLE)jtQkd>y-YIz8BbE@Cw
z-&wHp)pyg^>o015?Ebb`;Uo(v#t6b=Q~pTIW!8JoS|VG@fQ`jc6HO)T06i{H(88@>
zaR8Jg4HL)4A6r;4`7NkrC@R~K5-{^}!m%bW5y7A^fbBtSo_}-r>QEw};@}SL*llO3
z5LY}vA77a(^;d+A9$`ryyI5fljC9Q=;2G%D<^@P-2a`k8(m6skadLU8H~%+dZzffA
zfXMp?6bLCM$O5n!pk#?|Su*-B-a<!bnCfLtboPmU0=I%JZ<$O1#~vOIyTyrs#Y8ed
zW&UrY3w*XrKdr-jv)CAH%cgEq0tQzLg6ujqd&_EVKLJS<cz!Y^^4&v4;aC-Imsp@P
z?<^U+V`K5hB~2W0VAa^_hN~!$O}aQKM=S{781@#NK>;*nFJnT=bXY0D3nww_;*ciO
zB~~Fc$2mgi9a<xfP6*TsAF{6u&q#umv)7ReVtBelomuEImldL*ejp7>iw{ztt@YAE
z7w&?Zb|&gZMCuVhqO)v|(eW`M0%_==mrEGnuP_c!gjDvjgv&a*#~`|>VY@HIw%#n#
z`p|*_yV|>;sPfez6VzjY3BDhAm28<PY5%+>BA5$ZP(W~02wohE^Q0AZE!$ee-L!$1
z-lx?FLW>OHJ*YiK2oYFmGH5DjtFX@Lmt;Jako`g|U<c;0a~zU#RfS0a0@|o0pn&YO
zA?rSKr}#mDa63qC(8wkwEl~DYQ&t8_yJ~~_V<>1y<u?(SvY`vc8Uj^(r>5E1sBFF0
z4J$2YphN>@)tj3UwV2GZKFiF=9p5#wJg|8$G&Eg?)2zn>;d2PHLMTVSziitomYAUA
zcWd3pfe2XNtrD*lOIQ!Px(h`S7%g14NH{>pkO22~En>kP%qRDZ(*i~f={N6U2?B^<
zv82}r|C(XzVVVEB*5k=T7VU%$q}Y1CK?p(5`9Ti0)l(7-!<IU)-RmLVVLNKI1A8OZ
z`@#t5j?G$*Ryu;SoY95+Zq9a2w<nC-eXnoM_Zpm52z!ZKR+zq=%DR#JA4v>0usb)k
zo}6W_DMEL9n@y<4gF^uIY=c9UL!*9zUlu=Mgg`CbyBfzTF-l0o@&+U9AfztG=pWZ2
zbc;SmS1YGL6wo^!`#N8MsKQl`kA03b<zuP43<OuP{{wFAfD=IwDrgM{LF&&yn@+K2
zD8`X(uE_-aBXaFZnK;@owjHXU3c%PWvH#d9yP4-z#Do1RRDHjr!lq?=B1a0j`k7za
zKZ=kry>_xWl3HQh;eWa{*5Y~8`7v$!_6ormi`*z3AF#;)i7p);2MgzWbB`K0+u`)>
zl#vEp+G3*V-ob!Fr$2}B(g|tv7Udn&%mMGC91?Vc0PC8^mQA98lABfn@9T>ts2aww
zmg)WP^9mIv0rPz*biufa+6*2O7;qZ2uEho?hdNk?>?2#RawW-{4Lk{nmUGD*+AnCt
z+^&vIfxJOjht9pC4B8b&hWLhDsYj<I4Iq{o8XyfJnD5B029c;&6;Td&4XirprRmQ-
z*8XnT)1W*g2kPSV^Ku;ovAYs|^a{XbmdNGM={;;&0l?OVHuGX>#J?S2R|>N{K;SRs
zvlz`%1CYB~G0hsC-g^N@1=Y8SG<dR0u>V!~kPjB_gvqQGM{szV+WxuD?07X=)ZP&~
zHqRce-rAt`QL1ZME8B_p@OT4hUR+@SPLcSOlAkvr(56mJFh!6$r704PKOKv4KR9&M
zB%r%Q(uOD*I|_dWPi4Q@a0CJ!9vDp!;`9Yf1)ipNnHMm`6w*`G?iXyh@u)={*S_k8
z`O1O6T8m^1X+)~qI2xU5v64zKCMQW(7kEe+fT!BBAE?3WB7R4K8x=dqMR=L+Xm9P4
zD!XbrtVK7Ifio;OZv!s{^{mdOfD~lMNt?%RZ&z)!dm#etO-f;alyI~9MvKe~RlXj5
z%G|mNLdd$Ox;>j#X&cDu3)4Xv+Zko>G-ifrOl+;o0iR{&@QXD?|Lb?do33?Zf_<GZ
z)RGPdk6*t%9CcH&o`aIZj;_sC?QQS0ge8U~_B#JzK=L%*VqQBZs%!$ZxsSC(BT3x!
z4(qAw3bQLuLcSdGlqW;UBQ<6}6t*%kL2}F@StGw8ka$9KpW1e-tYO(i%KvcKDBhg^
z5EQoR88`60*}EyFKUbHnKy<#`$O4i5$__g9miX`4wg0fX^AC28DF4-{ulR79fr+Wr
zVtz=0xQ-eiOYZ1;+I2nZ^<qVls`ja+!G^y#5aQtjycfHPK(toT{exF)-U%s30PumY
zA>TSGrgGN)AOs#<{Dt~Y;WohQE4_ubk3oo_!*IZs0E9_`z`Z&yY6)}?wp~0;UO1B2
zm~LN#_Q3>amh*BJuHsq-7A^6F?64LHyd$7~iu&R-F%rxW+kd`cV9Jh=fE@5{>aZrf
zc=Q?!oC&%43SR%6;GcIY8SA=kJe2Ie+fV%Ny=dFPjd70O0o2Z6i2?*$6WQhU|10Xh
zIr%3Vt*yftZi7!XeZB;yH1OKR_|)cne%Elo)BZTJ9`PLP3iR7e1}xElaxS=bK}>AW
zA<4nO$0M+<6s5FS?i`3y<S-V>_J?r`S4IALy`2r?h^Zgni!)9MghPw#Ha!G0Q{oy8
zeknV1r8xlyQ>qQ#gPKp=;6eS$G&z%3#Z=s{2s)bBhQJvxcfj->s24_!sFffA8GQ9N
z=q2Q6jsDHAsm4kZ+*G_M<>>oEI~EF{|8|poW__QaA|d6?bX`w_m{wQI0dKNVBSJP^
zROHAH8m_m$8j`1~+GLz#_ha!v2J?deeThs%1ktGt2Xa3z;ryUIha9gGslyA^YI9tP
z(KvvwoUQW@r`{avc&7XBQJ_n|kMF!V90=7+mm9W>7x5R1Y0Cw=ik%wANNrQ9;O1$q
z(<)Bz+gN?#NHjk{z$`d{37KrSn!!Lb5T$c|=}X^_&k)nShYD12)0_>R8$kz0uF{6r
z4&#jXXr{Hd^WdJY{eI+%a;(|NfF)j5=)*gj>o&DylAb46+7Foyk=By3Ga?b{!W4WE
zCPk?g5y-B%@uJ=v<>;+(F$%z-1OlC%$I9wtAcm!aZo3)4o4y@eLykp#y5#9M$^lAX
zx-IS_zON-X)8Bni7Vp($3pT}fZajJgdgHpLyf9$Q?7iD^`R2KZB=0Nm$@hm&(Q4;d
z#?)S;$58~6;>kL(qe{_%4MM=5U@x;zlLK0O-;Y?Vs9b6EhrVBK|AP~&0m;ktJ+O0h
zl@T=fAhVEHPa@8BYxJ}u&qG_OY+ES_DM<f{UFSQxaH!@AXX26025@4|^(M~w0Gb|<
zuA{-U*!>qlB5pKdlTkIAebm36gAzF3Em&ukBlQ8OnBazaKMg7>XdjhggAC&81sbcH
z4z#RC_!jRf#=s*+)R3&4))qhpzG7!;4xUcHzS>%tTUyx4kYv>XHKSq8!a%b@%MRb)
z+kC`X$HVsH-+}WByC)R@Gvo$x`WON6+x^&ogQ#!n!Mlc66xnkkkPEVvPipx0wNhH}
z;s9IEeqv+K;Y($ct1_rpetl8pD1O`dTi^#}rX<9f5|U51>Re8}Je*A(^B%dJxd*l+
zq}KGoR$E$gC_rykn-BtAfCA3O3ZoWp0K|7uEx`ilev3Wb1MP*88F}foq}{bQ9OPwW
z=&#f-cHcWK{-p-pn%irs*c0kg_aN1Y0z^JQ450=!<!FdXkb~ffIG(;HciNxn$O(|<
z1byi|@9YFD^e&mYb>oy@Ty+tO2;v#wfxJ{qKxj#bL%!XU*oyv@y8aDzT{`}V@%Ni~
zcbBf#sG_6Q5^o>tBPMtKJe^{CuLA#pJ{3}3;A~B7kZ~{&!gJTu>;o8ROz%hZCKud~
zFQ-}@5}bc6Z9ad~*)A$l6^I3P4l#^|ZYLsF=;^m(c{En-gjn>*^~^3cV)yCRoc<$z
z+_y%qdwXKh5A$SJ<b$Aw;jVB(b~X0gtGD}!TY`hl?f1m57d;XRDy)H_upXU_Ina3j
zgw$_sUZk!YcTNCf;6G^nYVlW=-2%LTVxo%y7eUbgxFS-7p$D43smE|tB_)3gn<Mq4
zJrF@+c|4S||B;1``rj=t<k%j$nFxPW9QY9U$#nWPb=*71;sE|HMI5O>-;s;P_|pCc
zi7yt!*ckt@{0JojtknC^A_XVloPe-Ea*c-Os3LW_cmVtr!35uVjbyn)GA@-F4M6?}
zh#^M`i~`ggj5L)5#2G8all+SLAWt(bfPdAHGZp(253P|u<)Q)PAU;T>^^>&tAXkd3
zjSfJ+03^MlG3nD1ERjSHG6)MP3Q)TPKyjBBf}D<g{JVtxA5zQjss0jy0MYOr+}oX`
zY-6r9wFtzSFOvU`Z{~b(c3_s$ExG6pXb9{ro517^J%ZrA*01j;-!;hh&U;0+2p4&_
z)I>*cX2m`d@VXzi7tcfl%qMfl>nUz6;dThQnTk76uU}=@YQ?P?8)=REmX75U)K}3X
zN7cxAr8C?bClX`nhDsB>eQFa8onutIF&D=-ns&+i8Od21B(fHoeLY_q#`BqF6c+up
zjWBG$z58-UqDdvrRytE8de6ch17|h>@nUx741!ggm?1@!7@XV*_BKSyNOrI`RRdF(
zhqXj=yL#{g)hWVt+=5Bgo(D>6d%5aIryG9zhrU0=k+{y@c6s^2rRovOhlij<=-_L~
z#meYEtpO9El$r6|m;y3w{xlo=yU~K}oDNItTcjXN6E+q-^b1C*i4wUF-h`2S9Gm<=
z$Cyk0^H)A(zCeO<66V}O?~+H<A0ByA9gvNfTdXLcK^@in4kG(&zn=DL?44<z7|R9)
zMQI0+fVxybXEEU*Y`#k96W$?f`qPmb-Auvi>%q-N<LOauZ6UZ^z9nphA2PXB6<iJJ
zXghd}8FTSpmc-Udn9A%3%z2>RyU?fY3RTUpLZ&{J6G6^gfRkz+&DNcXD6<B9d_v<O
zJv@jTiTzA>Q6n(j%N41TXWiG+%Z<tit!lPjOnX@5bG96fn7$-Y$Z%+cx)LjU*rdz;
z%usd`KGXX@_H^_tVh9rA7u@2TBih&0-;SP<j(Tk<%%;$o9}5&%o6)`X)AOG}L=h<o
zAym4NxYEWddFj^514AQud#3518sl%P2NWEYi<trMwwImGHl2_xNSNH30yjU0d;PJ}
zQnPQOI)8CMG8|Ic+6$|M=t!kTS08pO1FPy|DU*0zfxL|my%+!%;U_m$2&um)MrcV3
zyp4e_f##OPBvsWU1%YaME;P7F#FraI-f#%Zp<>mH6EsVpS3WaTFq%s|)adZLsF$=G
zym*{Q>^w;<!MfDv1AE(h9XPha7pQ;U5_y((+tyhVq8EfZ;P50L=Er}Ix_gUG*XzVh
zFvn?;1=LUhP+9p&t%F*$<ek=$X&~9vl32luYqv8j%|L(Dnl^V==r;oQsR+Q?BHJ<H
z-cf#zj+fG)UVM+M8LVs3LlgpW-i**=$VD3X6j|$+hB9q^dN<_8P!34M6F~bd#}c43
zVq$r7B6Na0|K~JHP-D7Hy6{bcn~+26q>D3|k}PUaYeRC}=*j1K%fo5SOLUKO#iA}@
z=;jPNgIHHe$OlfSU37m8xrvVy&%=9#gq4(ty@{!KRD=YE*N?u*0Z5P^w-3w$fdcb*
zFqJ|J^11p3EfB)k41p`y^YjVvUOkMKv(2f=xy?58EAWu2`15Idt7!lW&*yLhfnU2|
zJR&nAj>IsJ<?a?{hx?MRbng@H3RBn_itKFilRqr*mO4;h+`{9<97>8TZ1SUy)c*xA
zdPQb=lb=`^rPZvzy?0%AV}P6h8eUj>wKNCpz)t90!&0_$rEoLdeM-+=uOlbXaxtct
z1(C;G;dqznzPYU{bclE0=mD(6RVZQ-{Noz^$_2EFsqTJ@NzL{sgNHAi_Qe^&W~rH7
z)6nYwGkJ5h9U3GZqt~ag68%P`IJAoXFbD~tH@O(HIDM?9p@*@b6W#3l^p14RmkL$R
z*%rifUuoC}k~7SEE1dz`AMh{75~bW<?JmZ`6Zs(iZxpAlMb#AXi~U+N64cL#Kj-H4
zF(g{7Y*9BAeWL{DQ#@g{&3VXo@6Bc<>`((`B9)4;QykCDY{axef?NBqBDIR0Z+0K%
zX^-0`Na3PS<O!#SY8CcADRUx!U@`w2U{vFF`sMTnwMvx&N;iQtpJEaC;#uPVypgyA
z@0sh9%7ECi0R<m?TVU5`Lw^Mxe82m<0uhOwE{ouVf}>t#8GH2Ve-}8Ep_>1a3FFFV
z3^C3Xy#6+ALs?cDYzOcsq5;(rAxLMnvv-y0k<T<NRmtbiY-moc=C|LYO<zbe|LrIz
zda^cTxPOJHudACrZobWqnv7#ue$Yvo`{$yVCgOqRhS<y?l1iPQ6d3g6NW2jq3%~td
ztq{5guL-kZw#&D~(R90?xXwfv*Jj@uuNc0NAEmjXY4hf?9|A7@nN!A6b5Yz~R#cU6
zM#bG$pJ?N1@s!#X+pP^=Nh~hxGs;9BmG_$4y09?0c5CAl1=&Dc2d01HCAs~_039;B
zla>{}+#J-@?7Xan!J9DC`+4Dskr5i6ei-UPkma`Vw@fI(T>@9?@2Rg1LON19elT7A
z=o@vs0^`#*crmNg{K)|HM@rSxLw3Nn+~s$Nem2>nHWl}#%UGS?9Da)}x$h6>0(yHl
zG-IKk=!ei_L)|>mL{j-ov-u^YuxtAAE$HmFs8?35KmN@VmTK{=lnmTPzZ30TA#o2D
z%NU`k^If3yzATb^f)8&!aYT2@`=C#sFFP7i??&+Dh#LcxmMiiVsGtsD?89EoADmke
ze;3zow#<7|ia6NH)BBjIxmai>6oGo{xty-{ILyYFw-*!XQt$4gs2SZJN?FrhmxXjJ
zaXpw^FU24g!meM_j%b)sj(_yI(dWgOuc9kq!*)E_)gH_Bx2nLPkP=VVDvKmOCkOh9
zH@$1=B@UA*<6p7qtpdz@S(OWwx)K6OEAR+a;8N&vSY?aEpe+9^3{7O5Q7}h*FdYRw
zi=8QQH#<9~=g#{3X|?)O=~rBkXCG`j0-*NYP=lhNkT1>C%(OHN?E?W_eO<4n{m@2G
zKHfBQvURK0kqCrEZa-6)ElOnqQ#>T15eUg4O)Xsk--t2|ae#Ib`C&^fCj!aO)OiGz
zY)cD-llu{FhSs>n(_S|9A;P^sm-J1tqcha*G#ksxphn*8i0QL(U`*)EeljuL0P!v$
zJwwkPNE0-nSLYvz)_a<{&exZy{RA6ypuN`G1QA!J08FuISFtm=&Dk<tTIFL9f~Ai*
zIKTHFjW^D|AoM&=MT<z;cEVJt>MX@v&zYQ->G#k5nSuVzUfxarbuj}?$=1i^K8UYQ
zyF^o#Pm%W4lL_wmn`DvdPH8hAq`2E$LdE`!Sx$$rR}2?Bk>kS{0`#9D!&zF){8D^s
zOSSo5`aW;ixc^aeFvMwGmfZ(9&fXSyERuBuylCowkEdoiO>7G7?7&AqA$l+7xIfsg
zrR@mSY`zkxg9$+V@f1&dAksGsqh}h!+RtWEM{j7*vr{+hO#|=u3ITc{f7UO)g2Rd8
zTme-1U*tM;@i*P#Q>Hg8xBc_xw@NPmez@Dt+TdR+?eeM6ENUs2*bFxTRj$@OTG>4X
zv_@??ot{x&F7@nr)s6OdD*dJ-=6{&dTG4L}CZCy&ihQc;BgfsJnoeZET#(km(Rr!!
z#RLsf)X4jg@+BqJdJyXu$M##?*Yn-N+5RpIVgc2@OVxfRa{dR~T2z0Z+&_!aea%Sr
z_2I)r{eHgLNQr$<Hq9H3X*xTOLOw|xA1$g*m}WLANcK-cguEJ>KA(|S8<T+K?^O`>
z#L+y(<{e$k|HabC`)}P|=uq;%VF|UCbx!IH6s<4GvIj=;dv1ds5Qvq_N6Vh#J+D6U
z3T$ZC2Takv@%Q9XWWwWLJfE_tX|ktae|!Az%E+b8?_*Kh`Bh~+_T%ej=n*nAVDkIv
zQW5gJn0!KCF&dCX1C#9W+DEkdhd+hf?ZuR;#uMNY<ku&VE*N+Uz!d|Z{yGzZ+o&WU
zvolI$4E_}UBPoz3j|{$_f^t5{6TQX%LGvzhQa|w@8R@6#L*Nq!aU>zU7&-di#KWi4
z_}|2xCAlyQ;FI}%A!|R)=vY1ek5hG)8jW!>TO0V+!|PIP(u+%uYDtRfNf{@kMI1~G
z&F$yKh}_j2!R`{lSg`}(TIq_TW9+io%rA{ar`f}!`JvV3{@d<X``JhO=2A@{ONsmY
zC-8_<fDZn2*S!d`lpy?IjiPd!2FtCb${iR!98I}RRSKcDby!#V1x$EDP)@9mmqj7_
zPql?3R08t}+inm7+^0Yg|CVKX#p{nS`t_fu-9wo6#6|drphmpejr{)mreh%<>xm}z
z4?zz%Riyg;Oh3dsiNx&=N=vLciqvLB`Wax-3kJ&K+dTdkCQlj(gru-Si({gSV+=Wx
zEBka@TJ4Ph_Fulv?bWTnrZwzVX(U2d)@R4X-D`i%LGAh0kR5u;TjIJt;+~DK=*eis
zHDU8!lZA>gWlZQ}@%Y21Xy!63c_;2HVJgRLDHpS+N2s@*B*ASmeqNHdG&-#mq!U$S
zp5cqW%<R+YY~PQ$=0o*zOZPX|BfSV3#JzT2rBt*ozD7S4^9q-x-9ukAsy7`e95?th
zaxY-6Ywc;wLq+ULwTTWx*)x4NK$n;O0Gv5L#v@sq1g`^v;PnVCg#?H%qPUF*M(<K1
zsKlP!a~sx}(>cU_O7yl@b)QPS+UYZaWyqu;Q|w?ScOs8^Bzx@0FY#BM8r#f5tJK#M
zLI9YnSP=h$e2>fC&X<hQS=w;|*{W%%TLAs1nUvnwB70~ARruc@8u1Qupi>~Allx^8
zUVp4L{1BX%qEKYbkJL<sqb1IR1T^h;KS@9?`5Ag^_F-CTy`LtWP{Xwk$CCjb&%_L6
zBQa7kChT||vb2ODN=bqFm4eM68y)lPd{}9WzINxo@%|q<|HcUsGDe=Gn}emZ4F^b^
zH2`r!X2Su?pKa!_#kh~1vQxde#9jIdYn%u+1^5y2>n@?u{y0v&-f5|!5Dg&jD`LJW
z#&cBAAVydJ`S=-1%jH)AX1ET((y^#VU|6>0`@`_2HxrvE)D@WxD|(-U*Nv+_sGWb2
zf`u6YIa{X!NQQ=?*3t`K!Y}_$iGLMmaB6l@TaVabKy5q;aTHAk=jAjbWZoC}oF2A;
z^^}1zF4<W7;sU&^P<6OX`YEilJ;-e<Bk_s1`}KP`*=9~_=q%{y`3|wzPIBFWvK0QZ
zF}yG*U{e^T7Gy`eb3;7rW04jP)UY?yT_jKKO(@3KD7k#cD+$voKkDn*q|}88*;5@)
zC$mO4=lVz9K>ikGbvGZ|__W*DbxE5*<K8Aue0Z{Ex^t()NM^ZJr5*%(nq*3n)ZbQu
z3)O>UF12Zb=tR{IYNJa9ql`cvb0sUvxS?1Qc)_p<=2!YRcqSQ({dgCfBd<syvrYbH
zz<~KEcOf^${+rWksL+(vYX|D!?GBr$wF<)WIAdJfVffqk#>k>ULC&!|=)h2T+KC`f
zFGEWW|JK8^KuT=(Y!h|B(|ut7j3Tv>tNhmWPiai2L6(5wRNu5^w~*MDz}v{$8k43r
zK(hOk?dZ^&bmU~jd9dP^Mu=s)NKl7s%{TAEJJ}Puz9)S5m&BK;4XI;W$#Qd4!w{UU
zap<5K^&=lmALjN8voI-9=gwOSaYG5ioHsq2c3yX*tqP4H`pk$L#o0h^_x?J*#9?Gy
zxc;>F<Id9Ugob|Ee@E_38MP-l$Xy=ncN$y8-9iwv&7^?Yd^*kSUeUO3-s-BBVk1u>
zol}i1B1UD2PHIf#KSu9dT5=f@lPyB5w)9k0)m0zb$%+Y>r`xpj3U`+*%HoHf;z7wh
zsdC)$-w>L?bMPPbJGzJHFb@-$(sezL!X=tx<4^XsL{IY_qOBWO9Qc<mvz9Z|2fy^A
zbf#QVK+Y_ml4T}8G`Ptv*AuXxIrwhd|A*b}^#50CaYqusBkcc6?2y2JU7w9~2?(wK
zfE@|+ar}_}Cm#XjeWF8tc0TmO(w;~JSe_ike{}zU&+$K3@jn!qW`6Q6$jJSs_{sGk
z%MRvG9tG)V{#QgAr*r&MZx%3wJd}H_23f+)94_Z}P_|cVc&dZYllqZqONZl7I<$of
z_G8?l{d4lPB{&qmi89HE3(7I9?SC?emCzkGx8L3_5kKzO37_YT^p8|?>7>q!W?_bN
zzAWJ^kN_`$nK&8e^zm4l8jBTg;_&Hwf$om6D#+>=QZ#XHkuUYO2u7-9P~$;$HD>U6
zf3x297E+U;<~Vo#3gNdlb;Ug|;|N{oS3FdzsVwCnYvyOi3NDc!cn_{=4V>)q|Gdb`
zK%BWhIkgY(iQdBm+6K}j89ujt!(FUK#H$j+`B;mrnlj9(pVukS4M%W#v0^ALxW*El
z{#M`r-DDK%DjO|-xk!FEACRQ<{x6XTq|3cH70o#PNvqzS$xQ#giRU}gjtALoz(fn&
z^yZo@VO(4yL>gx>(-%!uW?^i-_3@Zz>WgonuTD~6?Mu(w>;2fuH4K9;Da=nvI2?|3
z`~=*jtxZ=P!#3L%V#lfi2|=$wFC}h=pOy@2+CO`EAZ0v>hyvvrc-*`NjPcLqCCt|{
zkB8;EUpx}XOJR7kV&1zkDJX2Bzl{7n7**ltVIM~^lBH=i9`|iLe^kjPlz96sEzSAR
z=SETyS;_dC{|@G+dQa^@Y03v2^-iL!7!n&N_kos^JEbU$kRaJrNl#&Iurh)cCuwGq
z&W;N(t0L9cZALc5?N@HMvg)_a>OjT?!I)xaFOk$E<~1FkZ_DbAZPR;$#E(YXa|@s!
z4N@1UZ9gwgSwb7gJG}N{A6Bc0Rp0(bnSPlZ==|r+rMi885alr2hHK=c$LpNN{oZzr
zYw4TcDmEu~pI1LP(kZW#>?VFB`##Xc0UDITUUCFxBPE{qEyXJ~bw?tT`~af`T>$_|
zF<eq*ihmjMAsXJ{gE*U&8@$(AE=SWP4v+b1xelzc%i1ZY;V{t0@<Q+v&>AL>=Nd@i
zW_3?VgidGRK~SVlWjN#2jl7VW)+gWBwESLblR&aA0ElcSeHSRq(Oa2r*e)Ndic<rI
zJ_J3_5YdZ(>R5Z%aNmjD*wD$-a;D}JftrHAwRJBDs&UimA=3Vs-TwLO_T&C0ceqb@
zsQ^8L&~%D>;^%lNU292(gs@F>3(||FZ8IueEZ!Ox0&UYw$U&u9ZHtyrV+ZH^ouA;0
zZ-|f+9u^3C242<5$qm_4$Tu|sp5R(%3(!jspwQln2yhtK{uzPCMJaff**XOZBgMqu
z8=^zQsUoxa$bE2ztjAv&_{IRZ>Nkg9$DMo-*;JPTk7qMK6AeAg^e)Vq(tZWr{Lj2L
z=OP<kG6biP-zh&(f_(SI+`a^5e6|I~tLgWoD#W`usJmmhYy7nQ>##Ln+b*vwb<r!P
zi%n3cZuf7zR)X=TWgxvW9bkYY_!NN#f2!(^z#}S7w{oTi?k6<_o=ZhlCm0OscAitU
z8)cEa%?!vNTgWvZArDHCzLxi`!XKNP{riaqpuF)>MWeke&~hUT%=p57w!Ro+wo<R1
zzU>_L(JL<+%Ka3?O{K~SEtWrY8ayPgb~!D&2NW<9+Ule~_D;Jj-FImbW>@GA4{YA(
z>Iw0~e2=1qOliq%>Zs%2l*aY5-g>mNv0HL{DgcadfQ+A<Ogu@@O0f9h5wI7orA9jW
zJ}&p3mS^{j`lhok&6|Xh!};+a8KQehuE+lKh`~;J{k!{TDU@QlK%9CT{qumm*kZK@
zyOxTl$WI}1K@ONiXD-hUU4<?Ma>{AMwZz%C;Gb51&a2Rk<Ap@_&0&4;Q0<4!LEG00
zj8dL}<KDmfs_Mk~5#vE<bZJt2u=rHH(R2)8HR5Tt$#W^;y>fcCzWIdSZnRYPk4G#W
z(IBqq+wEN`A^)>@>KoHP7QmSQp#A>^?5WfN;wLMi0vSG~0t}f7tWVzHe>HieANcrx
zz&;iH|GA3)wHLO@4gU}AU$ra4vJnnB{p2~<SUmr!oiG<v)1@Cq7VoDvk1s^Kf4s3z
z4Sd`tCjLujy7Hs%Db@$|;9io>`jsxqsuled|M1f3QNo_k<KG*r)mcNi$>0+$rp-SD
zRNfPkjr6G)Q+ChuU*b|Do{c&oH)kZ0T_0zqmuhL4;ofl2-*jU0v6e0xZmHi_A~v6@
ziNaI#gT2DR!Q6A9-v<kFKXOWE-bS8n6@YNLtA;0Lmor9*2fYM6-fc@gK3sM@9#yVf
z&2>CHH6+^ofMX*|zd`pV&$t(%k?h_6p!#xFg1-Ebfgk(fxYM|zmg9{b{TO5`yOd`4
z_7D$xu_~@ot{s}o{4BF?Ua|4p*Z?^{@5`V;9<?9#zN4R#63u<K*al*Vbga9D+z|oM
z(11HQUBLaG@#E=nYRBECQ^4(_KNNYkH~olO-z1p8L9j1-y`g_@Sz&cqE1HOm*JzO2
zXM#|#*ZcFONt3erD*O7vm@Tz`&B)w@p%V-uaIYw6d5qUuIFKM4USF6{hW8RDSI#<-
zBUVZt{j)JPlQdt1K+9bBSUp6lALd`oRuTbTIPmmXFTP`PUII%Zk6Wt(NQ0;)F?b=0
zx=X_P%ET%}nUsXs>iBrTgjk59knmU2)^jTDDp)=Ijb2afm}YP9to^ty$R+90uayq&
z-HY*f*r*IV9Uxjv{8mWvk!<4A;;SafbkWkgkD{Vn-wqh*3TuE5zn84w-!!kxfd@`A
zGvJ$w$D0aDP?DzVlfs?(8u$($RQ_l`DYJ73Z!%ZXw)D;u%_#nbtn6a4(|>{u7ptV-
z{>1nYehO_!%Skaih4*f2si}@m90tS7i9iCwl<?{VzAayI%-C*UC&uHun!&~{(U)$U
zPQyeL7<+7ty{E)jV-urv@Exgl$UB)&ZOJoy7euk8e0zI5C99weeYU#MRi-C(#X$%L
z3$5(ZAN)7v=jv+I74Sjw@ePG?Aq@&QwQR7Gxo!V|VFl>+;c<hGW9|B_*f1W>X^ATG
zwTo%+@TN>FpZbG(G$bvT4#b1Zbyn&j;K!nvC<;M{t#}o)m67+m)Z-F^7IvqaI6XC+
z?(5F?!S)K<FQI&)lpxIpDov@r*ec~EQ4y{hLeQ;=o-N)Es)iI~c^ONgY1XyXW}vVF
zu@Y|0=E<~7&I2*ZMp~+`Yq~2=+yJqY;mq9K%_m|jw+2%+J;1RUolkTHiVN47=H)O9
zQG9l{JiAmK0muzlq6E>EPk6;b>&YSgrofn)1aW+LF+L>4iVKmXuGS9&F)Fq@4Rp+{
z|9WP1w$j25e#e<}D{6FnE$sGX@#kw81IzqR#-G$hABm!hjy`cxm(YQ-Corpa{nYuh
z8;0t?5kz02)m~zks9!LUvOye0UH<I6B@uE#b4iPi`{>Rk8MMz2@qey(va%#A^m-S=
z*Q6D__vmHhI|YoJXy9-dwk4Hqsmcotv;vf|c&Xd*rs=+#t!6*vLLuo=v0j&<Y~LkL
zRX(|&JSR1?Zjf~Eoqr;1?EwtNUS`S}JKnKm{2($1ZLA|89~5zhrjYQs&Q(gK_xAO9
z&zSMY?;RU_au46~ti~2ApCywDlTHUL=TtcjLc1G~m#i%jb_<dhBK1y;ex}mo)R!W*
z$g36%`<{Enl^38^NvYD!Rt`iG7c{=cS6lPCCF$QA5i<DBxnja~(j@WxRmy1RNI-Sn
zvqLF^i#zh`y{h5{SQUO8ZHgc$>O?(&SL^+CQ}TH~_jAr)Te)So%<0*H?_=t8G4Y#+
zmZliu)7yaz1smbrEZHVE?V1d6e%$$d5TkS^n>$<=y8IpczN4@ocLG>kKK<?FPBqNP
zx5vWFCGwGXhx@bg54t|V;ng%TgP(Mdcp(=rgx>3NhBqy#{3R|;Z`|-Zbuk6D0Trjb
zp7;1UBTHj2w*ISJkVrC&xAXLzeyb=dAYu9L9F>VeiQ9dqcTb-3fe8soe8se*<p>vP
zzchSITB8xP#Y<Y6Z0g@$U<=?WxDK#Xe?mOG+z*RG#{K=t=jvacnrw<voIehiYW5$J
z{wq0L{2D-}1yjWTr6T@vNQgyVTlp^)`7g(iEI-40${Wr(FvlDAzf~A`xlFWITntFJ
zNqH?RA$zYZiegejV1HmMq?)^#7?N;G>^DvvaMXb7+`auU6q^&(G9Fa<P!lkLyx?Fj
zcECvGFMlzBd9H0dzx_u?$PUGNa-bbfTp`J!osQOn(Tlz9L_qh@J=UXYaDDowLM0)|
zC-57Jl7lnV)j>P?-MZtv(o%2AzonJOvbL{ub%r`>`y(ib$q)5(cLGM_kF>`BRAB+^
zW^i(7=e29KPQ$Ck;Sk;%`E47vZCbGyD_|Rg;>%P<k3CHTs?h6HzYs5@?txE$N=gr#
zU|pYqJk-v~nl%0tUaVREYNwvTC>dRS&R+c-4~;K8LvoGw=pz~9p6RDUT%V!I4s~Bf
z=x|Lu9|&)W{_8=npU0)nm>aBH(eX1DIFQ>%3lU5S!D{3F0_7zPPuaLJiEH@ujhwqn
z=E>h&=?vZ8k_c~k+bSsQk()*$^ivgbb57FvOufcOWUhyH9}l{TG<YwlZ*(3vZ31$-
z>EiUsvRz)R{=??5R{Tsr0peCpXg%!RTLG$i(XU9Qy4c^f$60mI%wrtH|9iD-1Mf?7
zNc%3j7?K@2=4I+oTi5s4Kr#4}T%4AjpWa!DU-*D^F5NTBay-`3>YLwLZG^tv6p#L+
zlQ2l0v=4)KxHx-XORfH)>s@2=cufAOKng5P+#IRwPnQJ-I93g)SUZLpDw(OYdu0|2
zi9vR;P{!<sgDi9`5mN6Fb4*&xOM~xTRL+kIP2KeloZ@Lgf`nf85gA2!pXq9e^B2rU
zlNhY^T5I@Sfd@*DRd1)!EsWqh$gH*e=ue?CS?+~QO2wvy)4-qx5Mc(wl>u&2l9OU9
zw?Lgf_X_y?IAHJOdJN;8<%e;|jT(@CiXE9`G>b*{8CJLqMb>@UX6xTcYKGjIWCnuu
zY=L$8UwZAOGZy}9@FS7bMrpD~C>UIF0&J~Ik?ikDhHg^oOdzA`<Jurfkb~87;D-OO
z4LJyZ&OR;3VI+41xW|hdAnyFNzzCX!y!;aZy>Qx#&G#IM0NCD~{a@h@86QM~m0|_f
zdV1J=#1I0$i{%PA@7pooQ6K8e6y@kRx49*8`TVf|L#HqyM?!nf&x3^YPg~O94V$zu
zFtVs!KGGQ06%mII-)XS!vOe0wp^F08{?~g`G=2rz?3uf(DP#T(IyVP-P5<$@TWlLq
zIOy$zUQleq!S@qeXJ|$KR=^{LQFmUnKfSOnK;2GqF;tLXGhWixFwuN~*a*6&Ofhdl
z{?%lpiQvBBU^WyKH3z$LE^uyg-C6XI3SzoW2b6miINc7d04Pp6CMH5dFnXsPV?MOE
zg!{A0+lTcCVt%f^$$oyWR+%OgnNGBjAuQ=sTTcVmS)I~qYyb2RFU6ce6?(au7CCK^
zaMv&b{Y2I;;Wcujg2I8deZ?HDVN-SxVaqmJLJHq0R7`kWIAjfE{w=WPM*msT*=FOt
zaP-1kA4S=R&=gHMS(haP7Oyd0%&AldN0YiDJ1Yl+2a5dvCtU-g{5r1ZNF9=@Jn@~=
z&nw7Z@<ezQON@FCvjS^AGzaG|buB#3g7(X25nIA|dU=xMmt^K<I-&k*%7K^Rg?+&!
z{MHKh)gu7)pd6ROhJ3K!uc3VN_V9;j%9_*K%Eq0mXzUA?1a>Z`e`1#U_2N7cESLo#
zt&@%W>K|@=3gs;Pd6u6-lGOcWw0_R83%g<PE4f3lqP|)|B}~RnF$UQ93Cd~qDsrq8
zVW?Zh$oI5y_bKF)IDt6<7GONRBuP?z<x6@y1a`!YFTgQ|*aLSTv_?RT{l?f}c_YJJ
z(cg*(f0Heb7@u0G+hDk9+Sqt{Rg$E0b<ciy`g#HXb}#o#7*9WeBpFb5?THsy@=wF%
zoEKQC@gzx-^p)}SKmN~h{6F_x2itLfe@pIR)cNbiHJ<i6TResRKie5|`%ZPL(S&Tw
zmd|m0Lhd>=yMOM})ti=k`U{XG>F38&y<Ince9L;HA5Y`Zd44>x@$+$@`;X4{;~gKI
zv)(C5(vula@wVN5`x;OC?QPqlpKgsOF4BxIiaZog>|5`@|ITk3Pt0RHNs^2wjNZ0u
z4?Vu+v*W35{P^2gy&CHT#2t6OUOe&t#*-w;c)IC&5_dlF$`dcoUmj0)bQ0tF@pS+B
zjwdvpBuNi5p1AR;@f73r<B1!1c07$|d;Ymgk_6-F*&i6+Z(qNv;HIiDp4e=#BM&_<
zo+L@~Gf&)qS4$1Ps^E$76ga78#?$!U@b|YI&T!w?3e-Cv2{ON`K$2uU`6Zcm#M8?k
zy-p}elJWGHU_5>DH(37J4*mbyvjfcxp)d~PpA8WSNdpleKoMeFH+ib-=mNTe1au84
zKm-i-?#o&!)@YV_exUx~03PSy9|Hj5DNWODJSnA!ryT$QfOsm3VjE8~5>Gn-008mS
zbzPQa%XrH3T*g&ANuXRmo-E6fcyb))2><}#RLgjp`bn;u)SZ0veJ|rzJcVKCy6$D;
zNz*imC(|?~o^0Em`sqgi00550)5hD~{9D)c&G-E%ilm<;Qy%}$!`j?Waw=Wd4a1mT
z?mqhIQ~&?~2jgiNhN`M=p65wF1wjzU@$<#Je0u#I0000<l6)Ia<2bf$+cZsCmha`R
VbC@T9_9*}W002ovPDHLkV1mCih?W2V

literal 0
HcmV?d00001

diff --git a/engine/docs/contributing/images/copy_url.png b/engine/docs/contributing/images/copy_url.png
new file mode 100644
index 0000000000000000000000000000000000000000..82df4eec50d8734ce416cd0853dbcda1441a8514
GIT binary patch
literal 69486
zcmZU)Wl$Ymur)jfcMb0D7Bs;jL4vyncL?rw2<{f#Lm&{`-QC^Y-Q7R(<lee()i;06
z)S2G1r)|&b)w4t7WyO&Z@DTt2K$evFqzC{|Z>ONIa1d`lKRO?-01zst<R@WeSI|-V
zq1wV+WAA9I(@AaZ?#;#0O1jVb(BtI&^69K>zr=7-%$Lt}w4s&}npoX4KgqxUqz%nF
zS2RnTV+~AR=bPuX%E_j?tgM!Oe69+^a_MO4UvO(#HHCdGa^v?FxE=SodhOPF_OV$H
z8g?cmA}TH}-u?y)_Qn~_6twXk1-(6wE7;ERG`?E1_-koqW@c*MyctK!%fq2f%l*!x
zO{?{H)YSR;`O=n$fd{=hGuEysxePw^zk0kKOU@F2XE!UJE<5Qz6#<~_7#i<Q)&DL7
z(IDWo_1`Jb2LN#YPQge3`2Y7OOEf5JFlFr-1_BKE_u`w74!fY>>QQ(n&3@Fc?o5d=
zm%G=;LH2u`VKw^}H0fu1t5$f@fA{$Y-v<<xl%SxXaPd+sr#>A<?Y};?z68HqZf@;r
zG|y*D%AHcamY6pF?|?SzK47e1RPgob<@s@VL>+NN;i^^H#(rpdsnsj(DRJdk4FODY
zQMo3H0Vt~#C~InJe)*@99IesMwtZ@Lz|ztZLv+^Z;r#3@x~uaL8qADv1uH21LKJX!
z-JJPiB@jF7w!ZaD^NPdp0lIB|=0UtTygiDdhLUxVK=2uhCGD1qUgpdj4tPK-EiEMo
z)c<EwIi$|4wh&7&K_4LRMv4}VyKSGm@_8N{gi6xlc|V~A4E-2Qae8ig+197Oj3S|V
zWv`o@;-<qod#s{%eu<{Hg##auyeWI&lH5_!fF`NX^%{1iaoOGDqqJU{kZDr8*({fT
zmUuauy2g(NP#W<@z5J(G7KqlfAsI<XATv?Z=zVf|Ih*&=?CkHu2L>oGR)OxrYiBN_
zj+P4ofPNbWd2J{K6uld`>N=}WVak7~PnUMp=OWl0-WmTb_zSVZ5vt`D0vxMh()-Un
z2$?I+FhcfdC_(%2O+N0&`}=NZYrb1qIxwVo{lqGRK^7V+gS|~pP7qmcJdM&gw!>$-
zE{T<Y=EbC*IC8i_f0O6!fNDz}0VJ5rI#G{#Fa#&qj$gAy6gHmG%D^_D3u9e-&{;2U
zBD7FWiqz>r!hI?8sL4yJHCjcB{NBg}vx>@WDsuA~C2t(R`S(-|ptrYIR8%yRb#HBJ
z3+kWg*Sv;+x-lmm14@h#>fe_^VCaaA*Col9<{v88njb69W@r3BC?NS&qbLNc46S1<
zbKWsQSeKCrx`rbkipAZC%TDE#=G-YLZgL<pGV)}(@irB^_4(MwOMnDR<ev&nQFs8(
z^78W5L!72rOC-}mt;4Q)&5C0s_f7ceRyLx*LvlI@?&${!$E2_nRu!{^hSsa3>?g&a
zXS%;Qo8iAn0MXm81hB2f@?`&v()O4MBK<i|dkmO=O})hFRjGDf@q}iHoW96@o&yV&
zs!SU`2dqGG(*kCTQCh%Kv&Zet-(?8^#>A|>fsv7s8||ah(^Miqq_!{|mXyB%-%6$p
z0Y>>2^Pd>F<nRhi-8^xgsOw!{Rwe`s9_`5s>+bHJo>rMeeh;kOK>kaN2J6w`VJrk_
z_h}BM7zt@<X?d`RtE-v!oY8_XyMw!XitO)Yd;kwPL-7U1dW<q1lTX&GBV3~>=`@P%
z_P?~sT|_9$uq@d$G5>Vxrs+3K+3#tzIU&B0oM_AQ9`DpN`E>Ibf7bMEg;aBfMN+5J
zGS7TVDeAYPR^Wa}hRU8AdxO5aeF{kor8$R-#YgopFM7!rtcP63sV>c3PL~JCI=67Y
zsVQap*TB=auoU9u$Pn=Q;_}UX*rZaICyRCV37njfA>drz*eF#V83e=XSgcuW@$o&t
zjR*#kP_FwzHxhBZKgVppoEJyjc}d33B2W5egkMAFT&C;?xNZ^zB4W8obL%)R)mqpY
zlh3ed^x=$`l@tBI)iG4Lgc+|jY!{*|7Zo>*{dDlzN5_%bg&DXo&GSp&vL$8h;EclQ
z$?M>h<UN2c+*#KyHU!z~4qfuLsozfiLa|8!fU~@8^#pAn;u9r$Jrk2a*t%aJ4jFdn
z2X`TR@+jt0w?~!@limE!smh*-g?Q=;hdWy0NlNJ={b+VgEiJNw7dnbpNWd&WncRhw
z#*UIFx~v%1GOhxN2PS~gLmX3mVi#ZQJJzB@Lt<4yOJayUEgTj1fE?Et=9pgE1g~Nv
z<rEObZF=YMl_~#3sMeUk^_Axt`&<v5(?E>uc+MTP5vIH-YapLDNoJ~*R~MdwD{F=8
zoF{?;V^p}&)>rcl;p54oSGgyGsXLQNsX)oq_wtzFvy>ltjD<7Bv2<TM9yIcki$`Gn
zLXDihF(%{2YfMI6a$2sfe|4U4S7PN#556sri>jE0fd`ujg;37y=I~>5ei6pqF0d^%
z;{Hh8L;DSNidhCg5B)ta$wYLTh|BS0AqB|i9MQY+)OUWwQ-Dyw0FHk*RJ@C&I@daE
zVFYdx=7aBs79raBQM-i67Y4(=mupPdMSu6`*H?^hF0WcYIM&ctJZH!@n;W%<b~mOX
z4jbJ<84aBbErJpi7A&-(kB2MIX{VEVtrHa4*>+>FSX2nmB}JxoHv6;L{>|HqQh&OP
z(|A~vgAlFtYUC|P+{@w(yxg$_8xR8QMDMUPzt)fL$o7OX)W3GvIO`auFetDvfJAnt
zucQxl7JCNMF3<oY*U30Q8%3dRl(TJS2AeKdnp*S&$Sy7&_5P?)m!m6anztnYsSO!|
z6mVT*e$siNSSJbYeK=Z6vaZzUy8k9Y4$&`7&seFaX~T0^?kB`cNJz`;jCU<pELX9q
zPL7A_SdJ}6r&zUUaL%T6hZ0Chywg+fby26h8Sfa-W6;jLABwZ0vD)>89!jX0!}^*m
z8Lk1UZT$k6Wi4kVP#C@P9$-#R3hwtLD&;yFf$dmVmB5b(I8rF9xm%c-plmmjh`FP;
zVY!|6oQN!w+&!Ws9#gRK6yRht)9LBmLjyjs;v=5*r!CfQt6JHI%IK&W#lr(4k-dgR
zGR8Wl=|(Q;&PqBci_;6~jtF3P<CIzKh=6^{SAW8q)F8*IL3+gQpP)=mttgi|AXx6x
zJe6o;;CxFh;XV5GCC6<rikIKdwC=s)6S^Av$z_u4=EBRGr10BI_{{!O+e^leF~OB`
zvXl;e9vvU~kl!3smjIm6ZXMR}neaU2txHGn!L<&#{EQWzVG1&-uAD^xj3>8_V5k}#
zyDsFvjEYnocMok@CL$5pyT5a@wHTb@?yP9dL`m8um%7;OC>Z1;53f$B6s;Mm+~}ur
z_+tnn-4P~5D1`$DK7@1P*set0w@veLU%<WE#$GQ?V*R{-w}LHm^ksXfiayz{!B?$G
zB9YA>30M;X%A)NG7V3hFyZ;zj!BU1S4z1gA#LTZtr5;A?7|iu@`JQzjjx#sPGVz54
zbe6mRXe68Z2`49`RGZ49lO3nyXWp<P&#lz2EL^Pl+f!8Kw-WhYzRfq#Sz4f2O!J89
zS4}z8Aw*Tf<ziplfNf=ZC3OUsknCd`l8+x*Opz-UaLxNMI!~kv)dD5Tie`s<@K2j?
z18}Ql6J<Q#mgs8%fyQDywdd?UdLl0RN>v|2b7oeEao4m$l+``~#B>U&>X~7&9Xmmi
z3Xea99&xexs_D(-K;2G=k%d(sq-Wng*QLD4s2&m#E4zT<Z~|Nfd_X_zu}br?+(|N_
zs1k#P3U?B)Hd#&gEmNyl;Vs*&cZSt>qom<rBRLnXISDkjMa=S)xk131H6rku<N3Mx
zor8jjSUAoIbAo|gkXJKs){9BkfJ3$6H$<N~<D|JA-1f;Jw6|Mo`paE~+|+T??AbfE
zR)_kdBzN;z6|R~lzL9Ui=i!}c?_0tE(%DQ1uTYyiQS>UD{9=G-7<r!m9j-qWk`;la
z#rK}>Q{jvfwAN~LRKuHj@y2VJfOzTLyzdz6qZYC(?{~QZ-ykpq96(GJ)-6Gp6#t~n
z(ZyB6x<h|mGYS-m32sBQm8TJnu`Qyqv!PdOSxsWI!!!gX)6SxX2K@Y^a;!uQ(bo9p
zs;pcpSU!$-vkFNJ7;qK^>Wl>rWSO)DOoAI?D5rc_8QbETmdW16J&tV6^Xv%HIuJtI
zCdgcPQHp=&PUK#Hj^E&cCqK7}0{#YeVvGVY0_C%}O1muMUZnW^%-;Hk*yH|&2Dh=O
z-92TMGwFsc!+g;ITB|{`GUE^B2-M_B!|BrM)8fZ=1G~hZ`+rIYq=7x0PKCFW;<}{H
z8yrcaEjBUS9Q25Ed&BLui~!-?_c+Z(-XlwBFyzTa8IS_kMYFMVjVc!fFWOtgd{>G9
zl!uel9plC?Bf1`dJ%30S>~Q>k@izr%XMWFTH49OXs{&gAmOJ2ORsZv;eCf-y`dWr9
zN8)=Ti_e8Pikn+--FG|W4MY2%YuMi`>`DYcWYx4O+Qv~;^Yn0BnXO-a;a^_gm$sN1
zy}B)N-R!pDk<VA9_B(36pX9QhN8O=kuTNY4bl#-}xZVyk0d?20zo%&v2Xn>h6`qS6
z?ao)GAT3G9=d~@8@aW<i8SzgLWOnQwrua8Ba$kC&z*n~Q5<4G>?!?(Wa)<Wfbu!4K
ziF8M7dw;T&ciJ;f*xKhL;i(n149{rlH`D^Q+tNQmrrxV~I3dd0#h#8zGSQg#HSIie
zUD|#ec7FMUQ5g0FsV692Vl-_qr)prj(o8jipnJz;V{-Th*t3TNZ*u*$be_iKVa_h-
z4{s6VfObpW02kafjWg*RNaIch^~Lvz(I?RVX8s*+t#vE`^f9Omj(!}{7|dbe(A|U(
za+`Y3y&)IJRvw5b+G|dHOharBTB|X1RQmm#pRL!%Vn-Y=bNmqkd;z?b8$+jR@L+c4
z4_h&R_y?@O%PqBvkR3hm3&Xs*m@-P_JCFHHZq!^K$hp|CRO$|QljfXz#$eMy02<H{
zmP?WzL+%43L>OG`%ePR{aDYxD?hq7-4`;}>WStrJ{1lSuY@HmGj9&10^)7HzxzVQZ
z>L~T`@KdQbe{MOR*`@TfFdwOOqOVoF^~_ef>8Dr^9L!wqg8=kzPP*uTXZk|u?Sg7U
z`3UbRZh(MP4EH*LVwgjy;Z2VNXKfs%)i20GTkgDISpjW@!y1{66<TUlLRT5i-GeUt
z!YKz(Y5g)E$5cGnVL{{2^RvJ((s>Z=mD<gXGOmax%CUW3B7{M4E$`|Mh2u^Jw;^vA
zjfHJ|O@C-h3?(hWNE9~!c$#u?bJNZIRy!3T_PmUrxt<<UeC;xbWht|Vg%D!Yu-ZkH
zi<k0$AIpN3S7bW<#IE(kMYbq_jss{ej1oV8F^&Z-_I|KiWP2QheDZLm&!y`2_CD%J
zdnkcui_ijshXMszW2G;2q!mv$iE4V|op>@gb8w}PJ?cenie(N$MoeOBF6&ypB@4H-
zXs8Us9H-}xgfKNmWV^)wbwH-)MaVytpYTG)Dq8sGs`O9mgQp7nP|cWD_Xn1%Kbi&k
zDRvPpI*EV&s47p}I)xs1SK>C55WomlJuqvUy~g)1#Jed@|Iz;n*?gb?nf`A1JPmf4
zUXgP$?(lkMlVU4_o2|gVJ!N{x5)x=5X-rQ|r3gy>x<8i_?Sq`J1w=Ds!x4011EtUS
z^4(-Wu&;IJk`%J;J<9O&Hkkr>?8JW3aaez7rU&!4%f1JLkM!u(GTQHd{~<yIUUD<x
zVXvk$zk%Aa#qM1`*t#2rc~0?$2rJBCYD~#YPGW69tcAi>5nM|VCKH9@$fjW)as{ra
zzyLx35;Af<G=Q~&{a-NxPGr%gj*|?%-j9#uM`&if`jgj;ejA)j&|{qVdGn+2QT%lE
zpS;$UNHULp_sT`_`anQkT^$XAG;>tY=Vi%yPnjNz4QjmpORovRs$E0Lcv`4M-RY)2
zSwncX%a6Z?78e)4Jy~`@05V6#1JM3fN^MNvH^kmo?oT_~+S-;?REU)BSPMyAnrf}y
z>q6{USy@E`tg9%N<sKY!SjE1rkU)zMMB8V-_9!yoBkbQBXqHE_sLBo#P;T}w#)&m(
z(!Z1X_=3TD2J^2v1xO(Q(!X+V$9n+y_vc#8#kBW)Qs%f{rq_MrtLZ7?YD!&=%WJuV
zK$=6#a>5O9rXf?-_Sbe*+Aruu7g_w&e;{bh*s7q>4GPvk`NF;wZB(QnI3X}443z=~
z7%a;XheR2Tc9NozYy>A-o-g=$_OXeC%kt)^*<^IbZKm;dAucRq<I*OfG8A)ZI*fNG
zOaxlXk$EEJb^w}Eo18g5@oq5{GKz_;H3|xV2QvwiqQOBy_?C4vB*GHg*4nruV4Yl1
zx?FtSDA^g@YCbABt-Bz3CSnqP#KZt7fuH}xh19u_>ML9FvhE@CYDKWl+y#z4(P03K
zenS6U*YEDMj~BF##F@`|O>Fd>nLS$!{aX8xtBF^F1L>YuGm&07W3qRN?$KanKg>|K
z@!AWGyfb+}N&$!l{%3+S8Qi5_r5xc`m;RQ9gX!#->fNwIf1SwaRg$C>|4U#gK5V=x
z%kNcFUgxds1;)>UstAN2!2dHpL6Ix}N~$p$ikOIK$<;+lkPeM!usYF!Av=oL%5~+b
zBDN#{;NT$1kSYKVK=}S0<!`-4*Pm$eScG&i15d&+qt5M8%$kDoqv_V%rgrgo<?W3J
z57vSHCk!>n<m9;CO6fEFY@dE+r<eN*^4NM^E6nVdU_(M>VP+N?d)noA8!+SD$=4|T
z##ekIkE!G3VSiOb0wqqj7GVm!hr-!eE_k$qKzezEf*QWOyhP)O14uz<`mqxK$vfP8
z@?7qA)skh}q@SI)ug>GkLVc{OJ+ar<)m^PL9VHc@1_?o|iBiP;mGA1ld5qc01b0`-
z-qC{K1y@9%Wg!=5;agQ#l9H0nT%C_gp`w9kn*W49{q(x&uGI~Q^YJcJr}6AkH_WJ?
zL|HT1`<Re7ZkEC41~JYK4`2Xq5B+v;K|+C2`d;v8oC76PHu3sq&li`*B)F^6%rNHL
ztE)EOwdEwZPY^;G|D;2hw<VG8RD)n?pQr%7*O3mo^UHFiYE6CtftFNEUkL#1uPr1f
zzwq3~dbsg`a+*13WXf4UWlxr_N_&Dqs9)=B*Wb7qlpx3r!@nUH{Ga%V`$rlQ{rp}N
zpGsL$IQ9MgE{*ZHG~1`U^NNc1b5LtM-?+a){GWmkFQ{sYWp9#jA2T+J%7~se_QrD(
znRUL$0nCY(*47bk!4LeWT}Wf<D1%SC{HRN<e!37E8UoDnsy}9D#iZhB2LIyH5>hMT
z4ZgUqB*3bwvL1lh?Lxza%cRz(t{&0jBDa`zp*#<4vL8&*lw8lPVwU1!Bc3uH*Q~_h
z=~87ha9?A4=%*^1UM!l{)>)|0u}sM|7^Ic6+bkge&dn~Ut|@39W~C@+_jA_~Wx&PZ
ziU==|iQ?oQv%oJJPsvS)9N55E4u87zruDRNnfnT9`<Qy+|K<=Kgmb7f|G!VW&Y$Rq
zxp^@Q>)_z<#&@oJWR;$Gwow9UIYBp6-Zd=e4eeNLvNz9ncsA09_77th-^>Z<#Z4Oq
zQM$X;WSVitU-w?TLhc`M?A0=76Od_Be+Tgfp(M)kVINQC7}^cAU`EtP4BH*=C5E>6
z&^~T3BiCy2o2B7%5)U83Zt7zB9b_ZN98Qg?ALO<}CI&uc+~2_r_r!HS#N~GOQREsL
zmLQ)NO5Rh2F9tlE*M4{>ZEn!9J6p5YK^Ga@g?E_rfGo$Pg>!Y0+&7B&5jteADFvN`
zEyLW0zIoeO)pKd(qCn=9!&-Nv2j0Z@H4>u}aent%&&<QRiB9e<EY5T5#u|6@XSsca
zcEL8ep7H7FItmK<T&Z5A=a}PFkb2UX<iECbf3nHs*b9<ydBt32z=0+D@(UqAXNw+W
z0H2ru2jTUAc16nTpCct_0s4W%N2zjnM$}=shDRBi(OX|H-RVtRj#WVjABfF16zBlr
z4tF$ov!~vBZ^otfVI4!pyng`1vR1DZ*aY7LP!Z&hh0hhaK^Pl0dM-9mR@>Qkqh0+J
z3~`|_x)SMjDTQm+0(xFH1HKjlV{(Pu^*eat`}>eQD%6i(^ih0tU(tRD8Dr~a&$r+5
z<WJL9wtSbe6E~#B@OZpRROF=}tz)^MuJKvneq#XNQX*KG*fw1#y3J*mOE$dW2P7UI
z9u*Z;XJ_ZvQkULcup|)v69`^>-1Il|9pl=*>K|?C69ef@Sx#Wwe|+V0ul|rWG9K@B
zbx?{dcnTlnGP0=FvP&Q-zmnf<r|4TRYUR?&nGf7defPkWmTv3i`uf2^M8%7XLO8gg
z#Ce`ikGm@27ww5CRABS3T<w6NOu=`+jFbjV7y*9dsZ@ASne>PjsVjLA6pc>))3s4x
zh4+MErWG$G2k|#b3MuQ3ft!O4Omz*r9FoTh*_#Z$A7C+k;pG&Z7j_wITS*cNPqT`e
z(5OMVX*@lrSDReJh5qCx+cjn^U})IjW%Mc!udcA>6YMtTFnc;y(|PJgfu9v-L0M0U
z8zJV|=dTIfFb_m32J=*L;YM{H3Ae0l`?hw!Id{B1h_fIFv$7s0X3z~;t?P;#l933}
zP-i^I6wdCzb>6kgJ-2+o9QtX~E<Dnpm_Qxbv>Z6x!O_P&E)atN&S!TM{JrKWRe#sE
zzsONGGBDXYV&+d~AD%JPM}LrlHQ+Z-H^3D%iqfx#J{oq482RDyhU$sMPI3jL1noXG
zs@#e16Iz#Wx`#zWuau0A`ppU($Qv2dTY|jV%5Sc=U8RBU)DkESXTO+S8GBF)tvCui
z2xsNNIo(6f{f&xfY@9kA<h7sj<;GuJ%&m6|Vb!VONNnDXF!L#)x8h!nX5i%O2O?Ag
zoQ7i$HzyFQ`FojfD%7B}5(&y!fHWGole>7K5RZKK?wzBH%jpv#D?EU7i-_;N>{o!2
z^m_R@GVhVPXG!EiW@Fv*)<Y(+u;YtGDkR0lr>vhxCy+tEV@6LT8uExNZRkN1^g$;T
zr&-!#98-lhnC}?|NP2!n!r|ffS_Hx(>!4Y7C?3KcPU^>w1`d(9fzaYQerT$@^_Gzy
z7Vo!uUb$_E3A%odC&R9a3?PUy`jZt~?@kLMZWXhcsZl+<r<@IJpDql6&&+u6YTGfh
zp@lGP@y@H=Y(V3Gb%D|n67Wc)?|G0wI^5M6stPkNjz$3Qes=S`D=ELIy@j*9&s63A
zq>|-X1}Db*4Lyy(V~FN8{K6u8Tv34#9T@d#!99kK4b~+0fYu+Mi0=tHjgLNRIro~k
z_Xo;{-+711g+5Z0Qrv6)uG!r2F4A6HUeN?$ZmvZH5$p`bnbbY(7YsNzzbLBmeIr>9
z3+7dwF=6FQIJaPJbzvh1$VaMfWjM~&;zG50^Ne6_K5y=`kU`ZNej2&8Cvo@Z#=Q-&
z{}g<^spx(1o_~LOT6FNd$<V4)mV50?(pWBixZ8#YtQITj-Lzfccp?eur3|-fMtndJ
zB}JWdUANZsbUDCV$;f-`q|$UgX{d7S&V-QR|9y4Q>G-Ki?uDp<9Zu=$F-1QIdDj}_
zNNr7L>@z#b07>*<YDX<hr}wo<klW(duNpv-xAcw;iy61g{~I0>a&m9b`sw-c76%*q
zd;1!S7A2@GQxG_V!XOY}A%;Pu6!A=1G;~v@fg)s9XX~z>kf=&8a0>+)!*_`pI68^(
zVZ)QXV*v<ZSgBWW#dC~<Q8`Len<nO<MXKc9@f%3Hk&Kc_h<ffBYk|PcVMJ`H&HQ<8
zeJ+%I_+#HnL_uigN)7T%Ud%{4q$h-Wgr>K`X%CCwVQ8_OcGmSPeFXU!X@oID^*cG6
z6bstv=j)BTDzjc%U3$Q~g);CWR*J&O6LjP@O#%DPix$Y!mXj5^Cw~pc!nrTh#989J
z^pjsdb@PMmko@E~m%^bz^@1ZnAJ2!A5O?yyEA}@265KvJ9>U$h>h1o=p)efhg|cTQ
z^V0{@VRY3lvWHLWG`Q(w_+2N?iTOp8BXexf!M-Us!;lPnqgE1V7ED{0W2}&{%I!4J
zO<%^Hs}OlV7ftK?du--LejutXHM-EkenN?*kh904N~5&PELb81a90)$Z|}zQpHQfA
z`%tei#Z180{Q{*;>_hoSRkJGan38?&6RRU_K^-Sh^@9?5v}5+#XgU*(JL!J3<Ha?S
z#Vb>mtbDA)XBkq|PtMIx@F4knqEd#?M$)m&9|?n9@8QAAQsgmEZ7DLf%3rsbMlSy-
z4?-r$&k@3fo2gkL>9z|TkdzOsGB!8xLli<1F>tvQ;XOh;M!q4+x2CcRef(SXl$x6A
zQH%<T0chFWWL$i}jHEenf*7{4uMn8k3c%Wioj=;DM2;y^!E{`PnLlzOVcsUeX)M%?
zgvlm;@p&{F-H8yO7aU?e;Ofy#C3B_`+sHxzj0KO9Q^8bI7rVEbNh+uc*xvnm7MoMx
zcO)$(p}6DG*MG5%H`Y`If_Z^s_Lhjmv}$9|4+9Q4IvvxkiQ$|aQJW~81s0X_-2!Q8
zc-%QB2w}cqsMyBh>KA3W)I0h~xL&%l`>`J=v=X=oT;8eu$UzWRbK^7FBW0}?g9bOT
zzlS`0NBzqiN#wv%lc}jO6-HF{j*@LsA#9$rZ_o0$gsCS{CEJU9w`RMJRNELDyncfE
zM7N$t#>7~~fGUKfQ_9|%douA!IBP)g&0XONCJUQI*o|RKy_Y$TaLbEx0aYeOq2JZ!
zifn`3It^d+S>*HB|GuxGg!HymBkx2F3)WjIR6v5-8wpuO!~qjuKFq0T87CC2e6goV
z9Q^v(|A;7KDT&K)ZKthdqBXWxhd%1hX7hjpj*fdGgiyA8+bL*tWF!`FMFxQx<`Gdz
zQzZG*yGvm!1;ly2IIMS+5eY8$@hoaBl6{Hmv903@>D6b`@<UC@#Jw?`2(ZmrW}6?I
z!ij@`ViHeGFnw7y#Q^Cg%7GTX0)1|cwvr9F;Y9ifXhj_C0_GG+!pby^hawc%aV;&K
zR;I~cpDFgHPHfGp@q;^EYtIuRR)hA<2wxQ2OS>}Py?2XL4%a?SnYV{sGvHYKts?!L
znc_LYf0gg$h#kJ!fd_7lPx1J(Zo#M(j(Rx|D5sLsX1kM#2_^J;1EE*(DDHWN%*%yz
zIRF8S1RExxyzF;XJL@Mu^`e_4=<8p>I9U$|2K2QJ@IZ1J!(#uuWE7CmRrfOe!`@+>
zA9calx)~FHuKyz(*%@(xqIDX{*gTl!o7vjC&)h~(;FfGNIfI3lu3!8e^T7EXZ|ku`
zi;G?1ZoEs+2YTM)+)LHG@JFn1J_afL6JTvxrnjJ2HY#2JNP1{-J`d+VyagpxRv2u<
z*Gk=&-QK#;qc!)Df~3gw)Yt~kjlB^q$*{)4sG4~?{p+RpdTDV_dRha%HqK&IpB2TB
z46M$JT4+u8$qGr96eZx?3Pfi_`G=o<Czk9BE_jmUzGj!tZoFAdnjl4{Ws9LWF}sIM
zMMPQK5MiVbs`DplBxLRz&gXlk!tKVal{jKPPJpMMqYsEz%LmSBolUDFcJ!1=83Ay`
z$_6a$VL)Vw$nUy2n+C`L_Uld6-#Pe8nBhsBS8nZIJdNhn$izY62NbuYQO2mPExcAZ
zE!;lXhMZ(myg6=t1UZfwetxYg2`GJA3VXe_@j9{qAdU~qYO`y9&DwM2q?(zlM8Y)#
zuL)u3j>FFR>gk@5>@vKC_z1&fTX#QCsXC`?(#LSz+xVc}Vhs)KG>VqIiUtb$rDA(;
zmeK?AB5k(mHk^xg(E(|$Q?jeGQH%EubJy|$>X+)O032tW1rochiiw`ED1zJ5dRkf!
z$r&Y>Keq2z5JB=ukAu8y-3*Io4+8z`jPd(+41qG8-rpGO?NOJ<a>ugb=Bj+&6JKtS
zz&{k8@Ao3J!aTM3-x8FOg7>%<d6;Y!-eM*dJ1anS9jg1Z2HB<mgeL|d#R%~Uqy$Ww
zJqO(gAjQ5(*3YJEVaCFN*T4&fGYBB&ABXdfOSF9&#K{qG;Oa9?*LoUm2Xk;Og-DGm
zS5s&7W+jtI>d8h*uKnAWHaht2Dc-FgqYl$|4p}1Yzbu7GT+Hl?q|PiX&uO-#j5@jC
z)j!!9M>QBCGb;9d4DX3?N5!9P*V<Ea{Hju^t>)ii$CT4lF4Mj9NA-h3eiEluO^4v_
zs;^X|5HLoj$M+J}%N*7vZO4|osG)NwbLDZs6vbu(RVpUCk%85^9qaYL@Zu+8CjE&*
z9`34Jc6-7pw&V~8%BO>54wOfaH7E6px6f*Y5(qbsZIhVMGP_g^+><njy$iR>QNPU8
zz(M^?ykrX-r+D^66`F9e;9%B%S_r0D53nH9p+6Y<g${8p^(;rG^vaTp&Cvq~ex6oB
zSF=eFQ@dJsfrQ$$`Yh?wbth9@g}%fcyz>y{64@2P*{&|wZbhsgj$*iyDCwaSo38{t
zcr!6jZfuvWBT}OhPgm0xwad-vxmJRSazT!X@bULA8}WraOhLYQsFyyZB3gyWX+(DG
ziu=kvcuZcBfiMzudS&835${p(*aFPPqjkfDQ&)e)WR$NBl(1@48gPda0D33n^wj=_
zlyZE?-k?$~dzps0#sX25GnN)+(kdr`lG1|@{bOkD;dTzre+x5UY7|G-MH1gij}8>p
zl6I+y2Dfr4j_}46UO4Fk>02(JT>uCsx2NeOBV09}tlM{mPtLOy7@gm`W5t+iNUxxc
z_ZWDNu}YY0tA9%9an2-}t;8X_7`qQzLKJoT(f^b=Y|LFtRk7f5WI8SD;>p^E@@dk^
zH+r9q6v5)+#JEj!E>NpJJ7m$)(FP&**y5R=1qbDFf&mY{6$XydRD&irY&G#RmsIka
z3#tdPQOb}a=3O`B?I{cs8w;<{O77l^rBdvK9eL`?juKpBhoj_lVt%kfE8aKadNi50
za{1UUmorSq`7^GxlTILN_1xB5ly{Q-y_j1=MwHwLK=L|Yf+yxmID3fnK3wc5)#-id
z&51fg=K$)FbCrm3kQAYh$>Ts=WKcdsw9TH|cKZCc1)J02VbEoQH!N6!vc)YHILiT8
zzcBz^XsgKBF766EPfq6T4BwW9dxz&O1b0y4EsZyHw7fW=X>n9H2Frb;(X?118gsnv
znTY$zK&_hV_0{H>LUHgTX93s(9XG?!9XDKGy%`rN-9BBQ@V3$3f%Tvgg;ufviHrGX
z1&<2)I%c!jCskWfN4eG(io~}Cl@wHloLu;bq33&_=UkLqgNsS&e1}+JlR2@P2mMBl
z{dNvI<^*a_Q-Y{4LMVX)#`2pi!LEB_C;&%Gu*)u+RC^dbU0O$f8wDhYF#_0PDEO|4
zWw%pRY8hm1mla$|mo}Jm_dK=7_+dHG6ANH_6u1~#qW66q>cNM^KNG}U!qiGwP*USL
zqQ!)gHfth;d`NHn1hEE*4G1-M=F{_4iubwEn&Ep?H_lN{yFDfUepPrs!|=P515xnf
zjlw@p4g)BwX&%QvqdQL(Ttoz*5CGNW&7SxRHJrB=bJ1J(TTOE+L;F1L6a6vvc#RL<
z(@@~|Uy0UG;3>0kE?OF3EE0m$XcmqatMbKu2@^P)%3Wpw{+DiBYW^kK=B+ERdT~J^
z>u#b3*XZ<~7f8y|T`G^%yB>d+<yc+zlHRWcgS`a}_VECrrA)eC4t4`G$4XS|^N{ss
z1nkcCs(vxro+?KdO+}qKVx`JzdQ-$QAbJEbfBEyTb{{g=C$eSpKFJ=nQT?UuRzCdW
z`6f<*At$}fG%=hqEwzTJyWgYCi4gw3eb+x(4Vu}GSNsa+hiW3OLJ-%(LOYc5t$+C%
z;muUHjM7Gaidr}UrSZ*rq;GrUd&9dmND`yRp~@t^&5=@g#s<F~RWpQ5SNJWWuL@ye
zvmK$-sHl${s)1vAUP4us2MTON622ri=S&8!&6tUApJlx@693V#60J~#6_x=}bHPI+
zm!oz`43%$nVTv>xnrT9q5=DGHb9m}GeN?qwwZ~;*08b9=Vbtg#99TT<lNFTe0qc}l
z9&>84Oy;$+J|jy1hr2>({k+}c1_J|KjiBt1fbFMW!7)syaFX`PKb2>ox~n~flh<Yy
z(0N@#{*Q6&a-jv#d^u-DY`<~U?RirTuNiy~Ln3_jl7cHo1U)+HebXOge$wt^39Ki?
zd`JJP5j2Z!y55r&wiw+Xr$h369Gq=yO&Iz?fPG*wtodl^KYRb9NikNN0a6LYdv4>S
zJ5#R|cUih8gM|@J)c<31Lr&uX(lt|`A1TpCwXv~r2|aimZ>&2==zpy9#-T%ip@4re
zN&d!;|35=10k}8ECId-nrvE#gX^SLC=xsEF-t#lee?&S|#~}hB60Na64L#TPk^3+R
zqSncCNYl%@p?Yo6vB&t_DWb&7|L+|C#3A6p(aoK4g$Q@6_S{SPX9PwkW3C^tYp!~=
zBL#P^X8@i2@~|km|7#6o5dm5eydRu6?-D%PR|&WpXZ^It1R86cT(ZUYMi+gI{)XS*
zrp6nszY+>0O}g7VBv6o)-D-U>rk*tkFtGi#631MXmQl~a8X>hUpn@{XNu-l8I&wbG
zv(DUYuU5$I!J=ilGzZ#LVi@D+(rq4qsX1Y*G3lEb*vOniT+JCtP3@ZPS7j8}rdP8~
ziQK**T*=Vds@3RreqWxbUMKd!I98slU+cF{90K@rGk0sB;4bR0dGkHJZYhj7n5hKy
zjsk+zTrvmym=hE}wH<_5gec(j^)CCz=N9q3sLb1X8JfGa%7JXDf)2mLN6pYS2Mpje
z47hteN{3ZenxE+v)!qn_B9X2ZB<%T`*DCNifUapJ$!&Ti$t3yUl9ORh&m@hOESwKF
z1!IhK`gez@uzw5&85tDO_a9kVWZY!jOKtZz{6X6GY<Ps{!<A{P2F5zhH~glnjTL<_
znU%NO3)PmEvnAJ;mvIu5oz1@lzAC=7Eqaukda--9ZgYDkWuDRs+Su5HK&`}lX<pN@
z4OBu45UJ<SmZyD34-j6P@VGe0vTW>s_|3YmoJ5$!HDE;roiO~gChd(Wg3Yj1C%GH2
zZMzYUX%_n!h~Y-6r*>9QL#1M@MEB7R_H$Ga-m>e*Ndt#p;hbg7frOsP1Vz2dLt=yz
z<`n)@0Z}rifm(6oX|?22vA^2(?;5^ghm@sp8^RuzZ_Y^Y-Ic=#18Wxqo^87L8RT@m
z3HXt{QIG|sbHkxq%+Yw1vi^Ka%#jh4e)(3tu>r3BNg-8x`qeuEoUzg+hg@%869YwB
zm0}x4{#}+oK0UOVt)6?MHgT9=+?vSU#<=tIyIrue=S7_p@GnViFvTN`Sk4p)ze5NR
zdDFet7(SYxc`Dh?o=ZR<*@ZOjT1UbS3+0np?KeuiGU%gpVkn{CN3JaRz+$x@lEjnB
z&hY!BzUA-}{&DEs%B{faa}@NEXlb5bTVIWQA<3premSAV7AIqd?$2{6R16y1bg*fm
z30)0|sjx)q_B{qbIvlvIlK_{_=>c<iV@SBnf)I;Ze9I*z!(l`8OywIee)5f<(SXzj
z-gDC4yXXc-N=lw>=f5iQfoESp>Wd_FF+*n_t|R_7QFtfMmFIE0L&(4;syIKZ+g1Jt
z_Pn8{SCCBz(25GCeK%kY|5r)S*dWb3S%L$#|6T6hNS(b=JG|E))w6YF0$bGs4IsK`
zA-#dLo2x8zRpsaLHAfDOT)I5ks3iuE$-DQ6PhI^(M%Ow;k_}42Kp$brdI+!kv1Iml
z$SA*K;}2WHz*SgKBzZeC{g{ow$l_?aokyd@+>K}MXY6k)5+x`Ec0<&k>CTOfZOO8*
z;f&bVYxY4|5JCsiuj_i@wYTi35vd#O2l^pK`fWo6N;G#72{2Jt9*+LCs}iS~J{}95
z@(5cHKi~XB_t#;m;0SCU9o4lqXjUDV1UO*U;^jmb8u(xvlygu=W$(w{C$o(0!rpM}
zhz>-;z$DJHSJ+a=zLs~<F@_pN5|IKTGB(t=C~&A0MWvfwkZdQ=0NpG);nMsfLNIV<
z+nB<*rOEZJf|9OrV+J0gjml)M9W7vs$Lr7oh{bvJp06+_@xIfyx3_n4y51g4EUnk;
za5NY)VRwVZ4evG}D+OasPEUXS3L=0}bh!9p?--jGr$#31!b7-)wby=ia}%q!c7p|A
ze8*{pJR7=`9F;lC{MfPEE%{=Z`EW8-ek%+=Hem;nd$_;<LWM{pn|ZSasSGT^zoqD#
z^3Z?=kM7hxvxbt3$zsL#moFK^BPrNtG4Tim2YL`$%~CZ5g#%lftcLBap{7@R^E80^
z?w@-xD*Fy1C05DL&3l&c!28nZ_DUTBJMQluAR!T|!i)D-wLC<OUd~T*W6TjV&&S`N
zK@<5xX;MZb1>I~k@MQ2F)V1mWq4q=X*w~oQ(<X^{Bq19vQnX|o<I{uMXtbx!(?h%v
zaH6|x_XdFISb(odT+h4gCeRN)kK1&hQ~uW{xgNPB+L)r$N5{USdASF#L*!SDO6mv_
zX@Hfka0eQ?q(twNYM8T+y!=?G8RvQb(nBGsUc2tWQE-;bVwF*U>@Xe<+L%tuM_N`1
z(z|I?0Vcgqo$)qW)vo;mI-Jgq?6y0aPQ}Th!P8xRhJT9p5)6jJA{4i@Z8<-Lt7zcK
zqL?akE`ENoum6+qKUx2+03gj}JTn|Aaba54uNWjE5^JPSYx?|NO+wC^Q)a2&h!uqz
zkXCKE<V@qNx^>2%|Ap+S;2pGxx9kyHqAjMfuqmW{1EZa&yR~OkYdR?X%X!Zd0Z{ZZ
zT8J5{jyWWkX?u$-4nk4B$P_}?#3~Y=<3n{FOz|U9y|+{!As3L)K$+D)5+D+9h--8_
z?$cp__McidIT}&pVF(~qjvpgny~4<v)%AJKe0}=;CAYzGALG}!=;+#MJO(LCA`$ol
zsvum*3u=$xQzsZ6k+{ic@JD@^>9G3!)Fw-m8;{Y(7V=vZMcsC`=+XfRU_kvq6<~a*
z!j8O@ydkN3unH;@cj4m+-kr_-qXXR*tI`%rIwYlq5FPhq{nTibklLOdGq|l;BL|p$
zaFklVF!=fN{h_wZF;>vl#at&|5GeQJ46hvMg8^mHVE<i5k?>AZ8mg+AnyR#y`?5Wt
z^9ocQvXPhhoCEd8^c?pXEHs&dS*z-gR>J{O{^~)I`N$W}`Vyir{}^5@FXR?}&M)nK
zUHuOTt`ZQ()GE+ESWQ%E2D0?WPJ%gFa_iarMr<nvN=2B2(lLLCp|ocq&q~BWLTeYs
z&$Czs_B_#Of-$fnl{UL#>nKHs9w-H}{fnzuN2y2FX}yb72(B?yl7TGp!d!|HL;fd6
z!7qrrB%W2-sZ<UzcQ!JpZ#!uAKmbU{18BKH0RVmgRVr67jr9ao@NT41>G`)Lm4ZWt
z*KYDDzo7F_)A^?Ako(hVrOzJsLMqQ{8lax>i&=>g)A+R`4`dP(2Eb`QC8vA3hxaDJ
zKqDABTVe*Ymj~}N4oE~B8pJ~vKjFW2|Csyn5&JyauyEZL$?k)?iwprnqUp8?x~RJX
zWJguL!-Mul)J!swUcGWsMywM(H`SMtzDn{b`B+Ip4EE4rxK4a~OsuCSI=Zt2a-|^c
z{LzKdJ~q-@bzxS@t(^|@Hs4OxtVdk@i@4a!e*5pXL)Z+M6$ps&wg!18p)Zc)AE>Bv
z|I}MX^Fo%%)YHM*4&mX^g(PD!ecNf?%z9gDw4AO=Y%|J4sX2HeOcj-6zY-33Qo&-%
ze$^X){SkV1ysn?w_?5+y2i>QvEf8kc0_(+~oA(ln=x3>k$eN9SVVRxo+IKhf1A=MF
zVoo|OwYL2Wgu=<0i}Bd|j+d6EDOw}Ak|XF>Em}Yi<X!nk&Fa|P(jFI|kO(_wT7Q4v
z?6ln0j1|fU*Por^%F#Z<^y-KX<_4B<xF<sv8yPw*q!nt^53c&9ndr%}d6w6)ig#hb
zX3hD7IB7COm`5c4SGBmik`)x0Hf2D9>I@QT7aDx)u=(V}Z~gG|RN#{Tl@0OtsM~$E
zWE3CYPRxGP2od+oZzYp^R}W<2Hwc<}AOxW{SmQ^RQ*o7^)utN;4R%1{4c~u4oVXZg
zK-}?(R!Mldxvtcvf5M?Gp_xXGs5adoqX|q)odyTIyXT22zNSjHjn??Zrd4&$L&dB-
zi*4L3yirvBvn0@pm1;|si(A#O!1fo``@5ylvbQE_XkbDp$5*Cz8MCu#{<k?3!u!r9
zy`O{!wDU{o<U2sp$Mitm#yeIF1Lc70B_}FTqqY=sLUrrJMO;UX#~fvRf3n_=`tpGy
zgyt94p;V`ua*a$J)E<hR(iZl7_Nb^2<-ckYaJbZ~>QZkb{ol~Q!NiS!P%gWfZ53>7
z5S2126~Tvh#4m2~M9*^T;nyEUe-{Q!Q~N^UYXj;7qIw|apGo@o0tgzUTMukxm#cCN
z?0eVvZMIk+B3dI$K68t>xUtd(Md!AQh(zr^*lyQM#z(yEh)d?hfq`z(1jWrSazZs{
z(?9FnHH?01=HvzV8^|q}s4FfaTF|@LS0bZVARn#qiLijxU%=VHDhPLf8*6QsfOTTG
zKg2M@%cMukq2;l19Mg*!cYBljfGor)Z8Ug&jn4=K9MM^eLU|Bn-d+yEBS&AcgqJu`
z0B1=?l35v}kGjQW6owBNNx3F%OS-D@Q&ps0<*JZIThZg8f1UyigHTW;;L(nNd<#9|
z6}a9H56m(>-uJ!`DEdS3_N?CX-H71)oWyj*8-;@Su60EPj3dgo9WaKj+>P=R6f2-T
zD8xFfg6RNPJb`QJK`;?uYBJivc7<9OA)JUsl>3K*%U*h98w;*YN4g85&1{>;Qb{Ia
zWeC~bbnDgJ5f1(P_;J%7%3p6(ne%>v09#6gMZ(b>DZV4H?KRMWVLPkQIjd;>bLwvi
z4Qt%>BDn#NNzQ6)p7~+<HlvGT%2@0=s?7tH{KLZ3yhr-Uz=R2gMu5XyFr-EzPuU#8
zhTwiGb&8eAk)UZ+9s5RapKjj@bWgL#wo!BDk#8`IbisMjIo{=Kzfbwb5n+qx`W>Sm
z&ZDkI+3${n9fp_q=|T~RdznX~UR;B3O!H-1+oVGqs0NxxT?=0|%s=&cpT*z*w1dJ&
zg%5j%Fm4p`CG6^4xD?Rl;Q$Fe7-VM<<68u^9e><JBaUduPDKFd0d1uR{mx&g9fD6C
z273O=7bb0(tsbretWCVEvgFA=tLm9CqV%Bet@ym>-$<Xl$f$&_>7>?ctH<3wi{HX@
zJ~9Xj<hHsu1HtXQffp4HcQ%u}A98=+7W=?EV~|gTE+`1<L~Q?x4zz8H1JH>23Wqux
z%N|w`nChRInyhpfPsWNzBND{7H3FbL(911kP?|16zw<;REkci2)Yu2hOCJPx$+Ybs
zI43$3F7>R@0|))(t|fsTj)`6{M7MAKhLva;17gRojyP|<oP3~6rB|FL!Gf8CQ>Tv?
z4QBd%BHBih6n;82!$(HxjNI}4DGQ=bGS<W{n_VSO8N;{}%B@3Qr9bTlb@?0Y`x6b+
ze$0YQ>#MFIiROQ1%|?jfP!mlP_8sw&IpoQs%5dD8(a|$q+V%4LWTF{HFJrTgboHeB
zX7M?mwDmL70~97*0s{IgzC`t|;YsN~jZPPzgqwJpCvxC(Y6nR5V>$@uFl=^9TG9FE
z&Tz02Z~j@h4QorhOIaLJxr9)&CPln4Di;hs8#q9U=yu}&HoE`NGoXB?UD5<@-9Ys!
zqtG!lv*uK`LPSZc&BcYU!^H6K8LGXrYG+;u1Bb2-|6V}L>&!Y;fA)yoy{^*5ZlZm6
zXzI0$VmFAR2(m?l0^gSD3%YuaKq?lLetN&{y-E_5N%*j*Bqy7+MRlD*OLVhfxJq!s
z)T{u~b9qZw2*FAgBM>v~(rV=E2~<cjj&}weFc&~+h<jOUID8iQV)0pGOlai&&s;}0
z&#yW2p=d5#&@LMdd3S1|+sqI`g9u;RQ~<|!G_jmc;n#c`&^Yh_?PLFxEup2chC^k|
zub=Iq45kC=%K#)au&De)i_(*(jow39gpE53zAnK|vdeO*7m)O6NSLEn`U!&oj67{8
zMyN(MPUN!;eIZqQz;fx)=Y#H4)p)$6<r@w=aec$$SOC-_w9|(wSe#$|diqa<6hDAt
zw0NLAJ|;Stq))MM(3iv1z<QkeJlVx9CqmS~YCntSPZ2lvL^g=b_!#<L0n8fFOJ=M#
z<<JDo6+BJYp<9HJTcW!dusmt5kEkCOY)R6B3}7PYcXko6iKf)NAdmqVDP+%A1CSmI
zuX~m9q}f>Jv)Qy~1(T3+`_nC=KPIH^!YX%5b8|&iRaM1%lV?6F!cTxBH!(c<Lp!t~
zvBdXjPUplpmuB&crW2MgP!s_MFN^LM?Q<;#bXb6>H3SUR8byq!P3)`O6N#JkPEn@7
zi~5*<e{1S}7fYu5gPNQGzv<Im2xe~t=`(~M0-&CTib4hj3r%Ce*aV=tdzNAc!ZEcv
z=b;*|E4E<gC)v3n$oIuk6(&4!!Bt|vCL6*z=P_Q4p55;GpD{v^amw)zl2562nr<OX
zyBTeVIc(TF61w1(F7;Xz2jj{eEH1+Xc>$#dF_|y1pjHE_H2X4mGDe^xWb?lBu|2<e
z13V<a8>l;C8bb!1r<(D8^LV*s7&e^s!guM?)4AjowTZx`0^SW9h)!>e067C$M!J^H
zRkIs~gX8coaC?8Ca=tA0kQ~UtL9}hAuOo%<>@XCmB&G@(IP<c+;n^i<h_-RZ?;J3v
z%e6KvK2@~?_bYDP5J2$KAmqv8&rMmq)tREb^pS=Xb!~4^JyNPxbdWrtg>0uAY)v^^
z>U7dX+%W(}pk#sm2>qnlEo_g9p5b6x^n%cCSkDHMr+UQnG`~E2h|Y6K42p(SW29>D
zqCElSKbV26h}!OYelEM_=<PpTAFexA_?}7vaOQ1Nya>_3&U@#nwW5wbR&*W`8KzQF
zl-LNliN-R6x_)xq)48o)hTZmPfL4uF|Im<?xp_SvNC+BW{X*{Mm~=ZaFUOSnGPgAD
zE$H<WVoDw1Gh=$ik~fqjz#w!$g%{$~kp;2#;OxDN0>+0Adq`3i<t~r@MZyaQAw=pL
zhH*q*6>9t~1svv&pQKLZO&#@T=9lkL0$|RA4x|Z(AWzR$l|X>60MaRqwTa3{5`I4k
z%rg1fPW<-<&_P`m>@7zNR_pJUjJ2YmB<v#3oDsa?q9kgAp@6hQE|`-qPCxa?@kP&Q
zbT#noIv8P<<Bv#P0?WCvdmEQhwk8voMx@@T8W(b>WD-#kE74~SZ=V39k;+1C7oZQH
z&$j@|H(GnrZ>fV#reVXY>~pj{T^hg(T*NV%p-CW7QpNyi%EF6y(6n)ysY*cBfez)Y
zAT1maV`mFOBldtthPVRYMi)+IPH>2)$Vl@c$N_)CW`XUfCj&v*bKP+HTfBQ~kQzuY
z3LO!cFh83}FqDvX@q*|__|(H5@(EDCu_Ak`f+lBU<vt%z%&L}X-|wW_d|PdKo+~%B
zwzhuzDs~yF3JUJe>*?i%yZ6(bF08bh{(xhv!U}tk$E*24(XOe$$8&Gpvmal&sf21t
z(x$DN3```stdAL*Oo!EmOb!9@gzae4BDL`0VX;C}oJ*|Dcm|VoulEt-uHBn-gh=q&
z8Zo9YQNEQOzlifl$*SJ=Q*<KZK8@HWN?lx5i}7-43rK$ocK!NRtJOQ`+jYxEJ{Ty)
zjR%f>9)nyD#gFr2pZ1KzxqE~bS|D!8p3&pLm*Ik9l~3rzx#rNY3f~uTi^LG5{K1(v
zJS1piWJRd-`oSE@R&pczc~<W|o($53w5i*BX+jt6!8t3Ll(+$(Su!}rTP1ml*BK{!
zX(p068aF}(=o2WRBwkP(8+DHfz0?wjZI(T}-^gLbSG3M#|7Sm(0!5Vi7t&TAwhhF_
zW-60uPsO&$Wz9Qt#hC1BzkM@_)dz;JSXCdjE+BM=+0>8zKdQbmpsuD@cWoSsm*VbP
zDDLj=ZpGc*-QC?O6ff@5BE{XIKyi1syWdaFIXD0J?93!HEAwQYgy7SJ`Tg>&#&~eq
zb)Qz6ms;H@vY>=@F326a(_htg>X_$*N$?h?JKg@4rVCBLKyqV*Sa`a5AHv|Rl_2uK
zl2b~#Yoa9`^+V`S!b!^fsO`}=0AlmBW#bQ+&;4DctVX}<iR~>D>l5(jXHj>`JI?3Z
zcK_BJ*jd6$|IN4bSEAQQ|6XI1Kkp|ufPn?--PIK?yDmLI?f!XZS@eh2W7`Ner({(_
zQ3o7&)h)+)P|=VRocvWxU0MUmq2TIg9)2_RB@e0l!?6Z@^pq!9($otZJw#B35IvYP
zkqFzE@+X|y8-y469d{&^Gu1<fsAKvwij<jN`1??sp9#`m=hs{sgH{&xYo|~s1=Ilt
z21fp%CG?5RMDrN2d?++xHhYTW%kT&go`GBi>zx$AqCaxo!!~9Sv4aQ`2)UqG&?BL|
z!wJ9&aVkEuTEg@Y*hWW(yh|JCIXs5!UW0)_7{F~v_aT34@*#QYS#mvI7&c+HSp1<$
zf3R1;13(o)=V4#^`)4p8mj=+FczFM+O?WjfCGPTu0tQyJ6Z4%lGmFNknbuyH1;FR2
z1La5hH0OiCx=cX)Wc&-Fy{Jgv;3gBygehw#=S|PA2^SY8w;!>6OY7V$W5CDD&RwPs
zj%1toae*-EMo>XV$90$DRpL^+&+yTF<%aip*V2+^wfYB3)^^8o;Ntc+RTtLeN#QZ(
z>2OB^!dyQ8V1L!#4J0r6ACUK*tvwF^s1m}<+Hta}^59RHk&GO1et2^!iG7tO8ZPcr
zOV29<8(ULhAxPQ8Wm^$cXEu)80%6#kf8G%PAi&4A`L$=dpEckg{43%g)EEO{w?~}O
znuSZlhk+=x&>I^;qn2#)Jun|~6iWya;DxX_Ua02c;sRF&F{p*iKmdwBH5;(lJXR&|
zuYM@8glseBA)2_7y_sh3|5mXZ)LubX%kat|^?Xt$PddV<{bJ1VZi@7Xo$@N+eSbrs
zbvFQd*?4gLGkDG29Gil(rn41mOGQW5OxwKN9Mo(($ZqX+B(H%tuf{n4`dam>SXmX`
zHMzWxuWn~=ukZn|fOfF5veM94Tv}SXt^&mWMd>jFS(vy>W{;cuZP&2Vk%_cxpo}e~
zUcLwNi=Wun7H;_;y~D%7QPa?HxgKHI+Lt#lQU8l7lNTWFMkOI0)=BX2VoytB<@!|!
zwl-<tqr?y!`Ws5YJjeUgm4TI^l&tJpr)PtbL_p!cepUyhz#!ot;LPs(V<ZdNx!|TC
z>&H&yFSk31+-;1G&^(vz5yfr){Phd`EZ*{+2=|Sn;vE+HpPvRm%R-EekKcaUz0e|t
zHVtXG{ggs*v{|ZuYklxs);b>Hd(Qs;@cg{Lzpo<C%glV$IqI(j<aDsa{D)jZ<G8o5
zS$M7Cjd1mJY8n>fz&z)CI3l(_3itdv8<+o*ClL0-pZ^~P6ciM?ANTjhvp-BOql7_h
zUhR$+|Dyt?se{AC%j2~U?vX+}^SvCjWLa|YepUq*%54=Q(m}7$^b9iYRsKeE;KUPK
z&fP%m)9&-z<H^SOI0G$hMR)hxTATAA+j{{};MoYKbOJ!Ma5%LJ($t?ne{fDXdar!9
zQ2IkU)?KVlY>anxb-I28W^6P&x>^pG$XC0LGhVc_P;e!0@!!Yat6;mm?A*T;cKaW_
z6#noZc>}XzPzbn1b^LJ`UxFbF3BiN+&P>5k-umQoIh(yc-Imfw4dqtRNQh>9`Bns(
z_H5T<IQo{EZ017+IksYH(6}KWa53qKfBUMkj}rT;a;GpWG<Xgk>K`?GA;u>rlzC7o
zSiJAgs;jETqN1pG@K;%nAY)FDgAxDWZ&m3ob;+4`X1=hh=)0$&<r<f)YMHhTa;qB;
zEwAFiyjcz@tXzkyzuK)dMsoWfpa{bMnE3f`k6<z)G<0%Ga`PAPd+`9%ztq*$B_-hq
z5M(lq5`rmZj8%pzj&Mpni<K$t4AmI%o0_k<c?Mn;9u9n?DE#-{9zPO!`oHQLlXbk~
zM$tCy{7}%RsE>Lapxx7`qz|l9CHda0w$>$;c0IZx7wY7gsVRtM^p3t*Il$FZt@k}O
znvUFB<C`XYrA;c5a3zQ*k%S<BLRK>~X9~yIPi5#8{?#n@imL~I<YD_1M}Fhz7u754
zjzSORkmF6mjHLnVg#wSCGK_4c-}m#4D;|GE02>9oU;*etR<K~ib|#O{8@%OaW@oqm
z{uLGxd3|}Y=*`&X93jpflPFboq%_o8IOL!3`uzFxS}=B)QsumK=~Y?2U()EV!FqVj
ze%_ci@$;t2R*%2~)!XxT(bL~tzsX%5Wxj`P=TMhyOv{m$l9fFPU7VwsxP02L^4f;n
z+GmDsr+yc@7}%d_IO!69foFUkNS1IN)LiPCuQPu)6-O`EdY%hYc#^HDsc9Tc$9+AN
zK>Y9_IyP2LPOh}U&+-@1%6Yz@opg$v&TaI+&3{z}@$~d$p(g0=&T$*g%Ep$Onrdop
zPDMqf!iS23BUMfIbx%-CECn6{67oA|;XeFg^i**R)-6<bcejv`5JcdndskVvmqS2{
zfdi*M7yZ&=_9w3HyQV$4K#A7uk9r=|IYGs`Vkg!H9Z<9DBI_GZ+Sd)vsCqlKh)5{q
zAAb*Kc&mUKno7lUTk1UOyw`*#1nwy5A|2gICWVQ3kF<=8jQ(zKABK+(57RI(*xJ~v
zwK^Ju&pGfH+@jgs%WGvP&>sU}{P2$}R|G^xMiv$p>a^HRhXA|L;QBw`K0&CWO!*0c
zPils}f_W<*IY9z?2Cr%_Td%pExko4$x_Nl8%)JVCor4RsDEL6yQuNTFZ`{##o>yQR
zsQvZkUl|;0bWe#y8;H%dMPjgJVDt1${IZfZF`?Vj?~b8`<TA7u6rU1_yd0bBURz~b
zX*!VTW;Lmk^*o^icdg&;sdv9-@h1Qi{UZL<n8Lr|p2E&jPiMn_o@2v4FYhpSqvbl6
z+3oC9ZvVX5cNU(sS`=3)X*0s8cTHSrJ3x+39LfX(6#@d{%jG5sAuszBt7o_CUC=3f
zUf9@|;Wxf!uCs=+hC43r+6`@M`&c4>DD{`wG6gz*MrfOpyquhn!0SgJ!*hkQS;5oI
zaw3P@0K%7Er1uygV}gSJ^m^2vxOA-d-%=Od1uCG4DuUw&P2qCILGmXIn<#&uyLtsO
zimva00t!L-0+xbB;ac!Eu3x4XZKN{`)8XUe!;FUZhaRtu?A>*u*?X7w-P`D9x$#?k
z<m}xi`V!YyJ9(h@_<Kx%5cetm$kKrMllyz!{nS*?>&3Gwzd#}0Q%m?@nJ?DWW#;?y
z#8iGqPJ)NL|K0{+R@819|NCsO|I?`8d*rtM<Ax6BgO8`x&0W)lb>!0EanDeFsPClD
z#vKFxI;4@Rj|o)9<Kn`CVK5^iDI#@wr{R^qhnD~uP;iL_o%n{Z$h!Ljfc&>?LvG>-
zN;?<;6}L^^04jRoCRGqKNbPC|&_lJ^LcNW151hmo@Y7WQY5-ysgeHUW+XFMd>%+Ur
z<Ml1NoeA;Y=N8u2I-YhZbS%sg0|Bj8C)?^WsrK9D7q9a3p$+^yy*BlemzTBo`HtW|
zVh@tAKb#Iy-7F8;leGpkf4=>Elwl|9>_Yi)<^4Xe=!tJJxwrT2uL>FAkHJYe!R>r7
z?HyzC)*~*aCdHi!Tsfg~+VG&h)J_^Pn`D|ZV~N1TfsW67F8il2#Wt@gliY`0J&@7^
zTMfNeRW7ExA03zFLC%h;5fXPUd^hRnu*4d2##3&e&+WY~vvRm5vX0c#9&y?Fmi%>5
z)kw<f*YF*|8r466%1(m?YS!AeFEz;-)DeIAx=_OUQmDtY6)NU&qZw`3um_C?cs!10
zL1p$@c|Xg3A$R!xJQH;k5vEs;uh<cr;QE44#}j<jH&7TNTJzEv5E!W7RSN(6ETRO@
zC&1BL!TP*P(T^86n(eYMFkFI>5Aq_kYG151*!X@T{4_U*A^NjdFDpZm9Fa|s9u;bk
z+P=5T=~0>4oyOVoT057myWimN16^r0dTko52Aw8y%2j(sL3j{xFPZ=Q>%H0f^us9Q
z@cZ1#r2gWmQ^06?$i4nRkjCBH=-*5A3jlccjA`-_2R6%m?x`E`^PUxQFPVRxLG=`<
z$<#qbvof5Y5L@D6SyXlaV*W&KgZBJI>PROD(3On^N|oNe(52oqs0Ipk*e!%gP4ZEy
zwz11|iv3OcGQW{6)Q)iFSGE&&4xgm;VAY5;FwN!0uNp5+B7JoBn{FeWB4%OA4Q9D^
zu-r5Ig%`YWhstm9nyefcoYlP~T-VP`IdokV``E)czp0@0sVBPM4@3Rwg1Vxes5}mk
zi-_d+K=d>Nb))@(`Lr<K+j~($wtb*9>fm&wP79mcm5&Y~Sp9~*RzJIf6y;%HKm;|S
za+(i;+`}<9wZ8s}+WbqHNKgf~e(TbM-t79fOb^|NJB&M?T}tgAbw07~oAegTzKfQP
z03v{wB?gi=7YeA;`qMN@61=(ior3k=yWES_QqWd>f1Lt~*aLx;?*LH=ANEmiEA_%U
zkPVtWmGeB_s)=0}(*}2bIFt7aPI&k@m6H8Qtz%fHiZ;(`xNt8N48^SyOLC>dm-Js-
z<PIIDT}jNIPTKSn)|)>KM<b0^++onOpCA=~`7ENf5+Y!V+UYBl3*YS(63mrn(aY?3
zxl19kc@+A%YvL(Z>I|urQomHf8{>v0vWH<iBH}1%*?(hHPAh*Og7hif<e`ACpM^Hw
z`$o3qOs0mXU?)~BK_O;NiXi>o+4Kpv5hD?%bp9{erZX<TlqDhLuaB`!pjZTceES;m
z5<M78Biv2gOSe2vzzPT_!T$=?k@?9QNG~pgDL*AS_%_9Nz+h7jJb}MWwVspNGCkgA
z-sTtK_PR0@cF~YFY3u^;0hlrDzR2Dr0g%L#p6I=Bf^G{v`xk5eZ-{<5`T23_#Fk`*
zTt`+%_g#`R1{OMF5eeEk2RZLP)M|fn4XGIp<|5)m8K5!PstJ>t4nV(K!z(-+30TOd
zic)gstYd%u>SBv!=UJE+c52kBHVXzBheJ&|P^Hb{*uod)dCIyq;mWEPtB106%uq<i
zD!5pz4jCr)s=H(%N4&Is0->hMa_4$3RY){x7PbJ>2FFtA^Hx(wL&l}bCsk>xaj7?!
zO(Kb;ZSu=83>nK7xdY8nKX8J@V-paM{wizSYK$wQN-JI1J@?nOeVVB*R{uR?R4?p-
zawrgl4h);gE{;l{NgSrNXr}eqzryU`1PtA~|61ol9?pR46rLv%+*_FIAa-7{*a>0a
zU-?F9ahSDZN646X?Iv^#RlR391N$`#F<gqV)cPjaZX*RWzU&3pOfw29nzckyuY{*C
z{Na7F;8r#McVcsPTt{hBSx+Q^I$5))4YD?C#Wrs%S^Je(W0uM$Z0}AeTd0_T#5mDC
zf5z&D<*@q5b=0tevNCfw0#rGBAWjNOmPZlW+?}?#QTc&>xKpBEe3)Bt&36_2&^-(X
zpu)F}@Ne9vz7P}}h>lJvpPmWco-G848%=<!z9NSjXoZYblVOb@A}X*>$+#KSJZ<$;
zymsdS5nT4^m}Mz7pDhQ;4AK(n7WOn_YZS5`AEArIt-s?)AoQ^?aY2&A^U!Ov33Kd>
zp2Iojh%lo}xyP!N(d-ULBF5THN~$FOB)bQyYHLL<P_WnSmEd#S5D@$9S_EW~K0VPy
zk)Fte1*^ky^YGfAZT!LMd|$34^Y3!R^LmM`)ZkzXx9oes@|U7S-@G)$-;5*%tiLK=
zzTfp5?Fc_T&l0xs?=cEb(O0~!H;ld!bvayS8-IOByA9ue(@`kur0WY9iM3pkE)IyG
z{ocSsU#^HL=^`3!NssNA9a-r0S)&lQdfMj0PSnAdI!<2s920owi;SMcn~Lej0(;%?
zJ4*_+s(EH2_@Ww5d<ZJxIXU|1mo{in0f{Vku_tYY#>webNC`rVj(H)~N*1O*VrHFF
zm8gm_bN{zeJV)5|kFUzL-uu%#h+YolnK=^AHH<{{_a9F^Z6a4`RU*E_Ti2Ex96d*b
zRkP?+Z#O->p`+na0ET%IgTfMpzByKvqI9L1V*I%ik#!m0lKncwywVasXofh!;3uLL
zJ(EWLkjkA)2En=Q3$Jc}8WUAqnUF-!7oO*m2`^q|J#5xtReNJOB^S16rayD|4Y+)?
zE1RDZU6@1enB}5QgtZk6aQ`M@Bwd`RNpHa-3{$PK`Mn?W7e6zr?e>{RSgTN&WJ^n$
zRK%R;aLSUXb`HC6a|JU)C`(fed>vCfA=x>=VVjobd3|8Ryj=r>1^*S&b9P3!C_CgY
zH6G!`S0${($Mg&R-%m*0QBWxrYFg6Vocl3zFc?Pda9@_B6|4#-!-U+YIM(Lrk)T41
z`L+xVQQKUyu*CS&;~u}=T=X@?!*l4EBZ{KsJ9J3MF{HT4&}&!YfT_xTIK?-+f<|ew
zYnr+_b24aNZ9y{94HJ~fXn2_jcF0oWZX!wFRtX}Zb1~&yXHYS)ia9@n(jHA_tSNK8
zQnuWd^8y`2Qwj%Mt(3xrs5w<u&o{-R-Yt5d?4$VFT4y9WkbTgD?MH^xhlgAbRs{Ub
zOM&%#G{Dc)h_$^Qr2c;U$^XLNkG)KfI)#HA;^NYSu)#!PzmIG4@8Ye&*z2hs1%Qa1
zX$wCnL=^fPRuX%*Qnh-vjnhg@RLv@_kw_`z(T}h?yBtEhQ>>yhFGsuYspyvkMX3FJ
zWh%xHP!iFEZ7m~O^XXDK`gHa|hQb*WCqj0hENhto4rq=;0;PEI;FiQwYE)U~s=_si
zvV9Sayb$4()zOr6Ck9E%91a&S_C;e)&D5eoq=b$&>rx=#0bY<iH)hfRIg)EOKs+Sq
z+#Q0krq&b}$&-gMeLfL96WOF>o%4<VN|YF1WTxcMWBM4Uh7^xcPq23@qY88GCy!!B
z*o|K(Y@i2r>mSl9d@1z{T&~oFJNYFM2#me9sRMZ3;P3q=B!cCn0r(}b_Zn>WMMSK9
z>lj`Lk_zZv9z*yzKDJqrUkF740_>-@ilw;%%_xz&&}S117_kwbeCni>5&;u@WfU3^
z^_+z{!$?~&Qzf@+;C+GD^c>YP)&P`AlF&ZHZBXDA4d9n#1@VwDzzpptU0|g#qFPNw
zq&LICwmT|_Fj+<!tL8=kYZSjhAnSs?jYXE|y0FYj)oVj|BgT38&CT}?p3wtEG;kD}
z+ksn6H^w9HGYGx;rx&XguQE#S8LUgIDy`7X1d6~5Q-J`c@9n*6cKAmDy6d<wwt!m0
zQID83Y2OPodW;}$B4^}YxZc62Hl&+puBTwA&GRh?T@X}u^oMvPkRcSYvUb|uMjScT
zRG&Z%T@tedd;q@a>bDi}!@;=-nR(`OE5X_tSlR*r`eW<nB09m@XSe{fRn(ff)xa+V
z%uu+IHKG6$TD};vs(v~FCerIV6Y6hUrP7Aa<x-WiNwVBy8!G~IU?$1q_AFcEU@S%s
zA5W@$$Zx8M!Y(qc8)<@aXyQJjNJ2miem1-m^Q=x%52?Iq^tsqYPRRNrZId-a*PwbY
zTfCn?RK=oG<nYk6aoF*h4VMfK+BBZa#3tOO=&gvouS2YmV(2ycy`=qcb|qf4CHlae
zkygnVLgA6F;vEnod*cX*q7@Pb*lZwEra9)%%#rpBI`$0(;(lY|{>)bvOiDGGj)R?t
z8$o*hqj}c;;}(a%NX&=Sc0OQqLIt~&24zs>BaBTJEoUqn%;&KrZnV=qDTiR?-`j|X
zKX2%w6Vt_a=W*CFU<(TAfIJ8{81F9q(eEmE_iz29ZZP%)_H93!=Ig@ppLi@2#|qPn
z|AfZI#tvmbGC`p7okH#Ud0ZMv)%y)lbom!X5CVrmn=@6<jwC<~5TKW4qo;O!qis2Y
zNmp9oHc<Fgvwjbuh}tCg<Hv%xkx$Zd!v}7f==R08d%9Uxve9tRp}HPMb4nb(qvl)E
ze##7F00a`qN*34|*~n71pH-BZjSCYz{pIn=lVXaLuuQ~@VUN@~i6R?2-=mx*{e~+{
zP;kmt8S2&^0gZQy9dc>HR;X<5+R=bKQr%n(q9C<Bic|=PG&V7N1l45QQbM{r9U1fY
zJP?UnK{>0|Kmz*B!+j8Jk2f5`Lj@>iUo{yf&mHqeAboU18boA{oOUcp6wq7ve56)@
zH#<Mh{*|sO*%BVd8!wh()lPdEvLN(;k=HwAf7rjs2~JUJZ>m7)t<m1Kzv+NS%xKJR
zM(jW)I)E&UDdrR&1`^VbQ)SbfY$@rqG_e*sMSBu`l2D=hfO6I)4vY9plnN;K-esLK
z7Xd}#V;hA56WMs>aD;KI3cKe>^Vw4I&M!=dEM@(e2Nw<)IFbU$F-Qk0e4tTz2?sxZ
z=<DJY&3NKXAXd3BW9RcolSkuM3XRE}BC&e=(+@oR1;XWNXaPe>0Myg|+x6FUx`FhC
z`aR?QK1he1a5ZAU8(E}%u|-|C2Q~0`!-wE=Dh_CAz5vr@F6v?lr$R3=nWHDLpTr<+
z$wT`~(*9nZCHi~8>4$G0c4BZFvz+@G*S5w#S&LgUEIY~sj$4Y8LMIyFvi7>-nE<{R
z+1s=Fkl&B)-~qw!En>V#&N-|hLv2&ZI`YVmT>Pf98Xrf=tt3tHW#CEk^Ja^YwY3x8
znkGIZf%w;i7SPw&9h}I?PcFh*#&yRgkEBpP2q%K6%Oz)xL(mEF@?w*^!nYdT(Tzt4
zEo06>32}l|4C3Qa54tKpAo9ue<_k@5QGqqlRYck<;-7nFdanKFWT1p7L36<{-5Jwz
z@ogJh8AKE)Rrk3!w?5o%kMh5xlZ944==+-FB-|n33Us!GYh;1`Qe-C#Ftv6nIr@a*
z9&j)f4N5uE`3qeqH_{0!*|qZ1XkDf<J1BvaBXAZ+7W1<7v?<&pP~l0ORgx3DODzg0
zk$xn~;7^u8at?2+61Oz7x=N`aJ&a%A?Mv%d-$Z&sDQOP&f9p<ZC14Io!9x<f(G4^@
zsmj9DJ=j+`i-Oq4u}iKv%>9&#RXkF4N!N-Uzay5I&DMhY=jR=;rp1Yhznwg}pDVvF
z=-zUz0Ne5_@Q%;<wssFMw(+svHwLrq;fV;-pLgi`#dsKm4JtSJ)kGGs_jZ<XK81Gp
zvkA8>a%S>ti#5_-knkj$IN<h7X}I>*VIx2yS6>4mU)!|IOLw|0x(SM~@a^k>oA}_}
zhU$f0kc3*=kIV*5{UioWAq(??@QQe9+h~qEm{6y1{FGM`dET@_jqVQf=%nL2!x*FN
zOb&N2=Eq?WM%JmmJDKIBib7+^w!WQ=vW_e5<K=Zq?AYZ?iTu2>KQbZ$l2|P2w~pox
z>0PpGBb5mB%)%)b!w9a_PoO*tRjRLZ>&HXZ%hP4wrjR$K?pRs$!4;u3v#(t9%BSIi
zhoR~zFdgHh5fxTTs4mTaM~5eNuwD^{1`OeB1;siVx%e~qQsWA++j9%Q6AA|&U{=@Z
z7{WRjFkT^f)u4SUIocstfG+=)J2b+`01+bcr`;?oXrJ;66Yu5kDMq~@vwb1H(K|vd
z7*^#7!fPe%ev_c@sdoMqs~!2!;j|1D%u9BA*EBf_<Q8$+h;j%1iuy7AA(>`jHpr^6
z8L*pi?l8Z$#I_uk%o=hZPm*Px^Va|1yevQW=<0X5BBizwaolM{>w4|BMBhm*nIr!6
z+|)CN+5{D}CXLkAYz;>axOPW)196XS%suT%+6*kbLYvOO&GK1)mb1%TYSo1M<yJAa
zkPxvG7f_~%%qBBR%Jnzw%~2<WICU%Zc~$3gy8OPhs#X<cQkomgO0vFjS#v&lCd`hg
z7Vco`+J{ybW*nJ4!Dw435O+ezX9w3|W#}K|2HhfXy68X?A2A$0+y_|wl1mO%BXXs3
zct)0KapO=TG)3ZoH9l3q9y{uW1_TM2D>Wmmg+rPjYMK1e&5xc-HaT>k0#VsvVrD$q
zQ(HLhy~#MD;LM6=CZ@U*n}nF<Cgm=~6F8gr1W-K&%$b{+J+0mrYP{E-B6#eUj*Q(@
zN57xk+u&D;qdLMGz{Mdt;=?MhoF;vRD){0N3E&5=_bOmvJLH$T{ocxJ$}90#sX}`Y
zYC=E~K>5V`>fMOg0SNzGF;#5H$SlJ{M0A)65|RjxAbc_E=LPOJ5fY%fn)mLXVPRpZ
z_<0-SpaNccr}Gy%WLl{GY-u_#kL<rVe|>i@?9u*g(Eak@42T2l$_x@%-xzgi1WXN4
zoj{dn#;UAc#eSD}2y)pg&jh0=U9~c1U5;S{v)wYpAsvmlUDJa`W_e~zO#Ko(tlE72
zHv)455#SkrHD|)#19Nmv+@5JpIfjE7m63^GJl`j`daKvq4o$bJ`7$y$?q%z0y<OF!
za6DD7zCwYKvj2!DfD1{D^g^)>t}EWITLV%#KPg<Kh7HKihiSKa@$z|Rtn}Q<4bEt2
z-8T>>fLZ#Am~z+`9f1bG{8#ostu48Iyps~e(?5Rvm^JWob9{GBflT4&x{>kQ)p-2H
zt?_h$H0EhKDZqFXZ`Pn?h=HOn9Ro1^kD&DOog?aNX*qJ@zf#3L>u)riBK#Y8T_k*I
zuTy$jbhq4#P|qDU+3cK#Wuz7du>ULI&5-8~<BX4m2s4?(#d4Q^&-FO5xyM*zKtqeQ
zwz8t?E9*R{nh!2BsDvS;3;t7x|3J^Zz2JKWZb1)15Kxqzmq+-}O!0PQ|J@9w!_WV&
zEtN~Kl+>!Hgp2Xz7#7RuivtZWFF2t5FPIAn39daiI$_8;KeT<RIkx9~-l@NKJ-Nyg
z?2X7VqVb8dx5--PR6C2|aeDPq5*)M!u3>|t&i`3;Pr%Ka6P1@)($LcK@MO6m_=vIL
zIUjtzewof*oRJDu?#1_to3%N-*VjRK*eaPG$^-{Z|3`5Jq|HPzr7^RH{mFcygOiKS
zHh(ZK6u4g#=jSd$^K<{mkZ3&3_gS$2wB2bJ0WJXz>~8;O#V$F?8x^U+k3|a$Nmi+d
z^#42~&YyG4=j$3Up3tii5*2w~*`L8ra(m=$%;N|Auc^g>Uc1*6Z-9F9k|awYRXUf)
z-LBwP^Coq}wgW={-PiQbj|NFoGcRL<RNAWUr;e%nyW3mWgq>WrF*w1?=Dz>VzyVx!
zFldnuN}&N(@C*Uq2B)?tY8S1!T&<p71upAz`*f&WIQ&*B=&l-u+8hhooefWSu|&)z
zz!?ImGjSYdl>f2AH4reaWB2Bt#RsH722l5YL60AzqNJoZAR5N^2y_Crx-@F_G%NOj
zt=>U8#;-7Ez1Mv#Wnjo&u%bgg=KuI01TeHT+SGm=P?il$ffdlvY15rJbU}7;=h@(H
zB|vUGU#|3L+h~0p%eNkGy%;27`t{Up9$fa+8w(USbdZBloc{p*kYqp+^%?6s3xuFM
zjEJm1Cw}v?jXD4G!%Vk%i#v?}<rZVQhW%f}wohB9uO2O}=b45rmwyMMQ574bL;k;E
z4EMWX3ZMeO&e96eE0rW)=Kpdj;q0w*FfX8p415*%G;|}Ex%e6WyeG`P_T)7^VGH{K
zb#pTI6w{OWf4v0`$S6PD5*T}_g+qn=jq~&A)$e_CbF)9(Uw`A8F$E@Kh!uQHv0mTO
z`5bPy9In@$9jB&#GSuo2uK54fhwViej4uAl?Q<|vCQYncJuS=Xktg(U1Up_n$_qZS
zopZpr92{zqd$C;puj!&*kYH#0!xymI|5u;@R^GO|Nw{7HfHcU1Fyh3$O}9+;+p<7U
z6fOVT3+t3`@g11u%rq@G{?&`_?olH016Bam8WOA_RIkhDOUrzNH%J=O|DHPHz!^e8
zuhMBgTEOZW&e*jND=q;6!Rv8)IOCar9PLx70?KRBq>(%^Br1WZJq5oX6=7_eG(~}q
z`vUp@P0+~yk5|G07EWV#{_Z@%B&{1;4jBsg_dVU_tDhV$LhF4IDLl8IZW)Z}x>CK~
zV@nMMQA2q4z*iOOH&&MqHlLvl1dc}6Fjc7YjxX_X^k|~#o{Z17D7w$woP4%!CrXtc
z(E^2JH9KMkYd#wz>6ulsC{v#!rzEk62cre%W=F5fZG=2aT8jyFc8xGks7$$MnsihZ
zUvpi8*tMc^=Z|60<MV!gXxK~c+P-||!6(J&sN`1!r6nbM=^1F2ueIlvuNSFk6ml%1
z^X_4NlRI@q33bK2fs|3)R{>zcbo<#rbvz$CTeoMmn2&F_e~^M#AclGMUGE%mkMlDs
zoX`EbyRpA#ZQVUi#c}isW39bzpN#;L%k<4yzCqk)4@1Vj*M0D8dlmGA{+vHf=8v}-
z>e<8yk8ZWS&*3m$|LA$QIr}Z#b+>nz`8*l^db}$E1>+}FnO5*!IJOST9U7MU>Dgkx
zam8w%yDaUzDru9Z9KvAH8%Cg9{reMSOY*$^oA~E{K+50g=ZGZ7XiZiD9l2CUnFY{3
zGZF}Xg4OD`pVub0s2KvFynRDE4j?}fcgn|Rf%6^`bLcBo#l>dEAKLf{F|9>5bOdg$
zxWVzVO-R+y9CHknjB6#lUkTWiOWz4!se*{flZOuvEuEv;{VqyRbNlR1UzgAOY&62F
zS^4f4y6c>4H0gzxVb}S@fzJ0wmNJFTaW?w~#L@jQQJ|3rPOy;(PH;034G2pT1+wU)
zo#^Uul?9zwpao5*by#ZcO7~r?0v5cfo)*+y09yFXW3O6N7&cnk8u4ffRDi*aa8w>Q
z`%G9XMwqWcXv=M&bb!it4pr>38+j<r;6o>CohO!W0R+_J)HksK@ibe>nR-=}3{Db9
zd2@YIfa&HHw5yQ<{&Olqov#E5R<DNA^!vW%tXHN%^)63|Q3^O955SNoSVKdDk1&3~
z=4~sNBg*^D)7#u(((wXAu=(mnE35VCpE#Zq9LI}nf^9nXdYSRz4Ml+HJ{dbNb}n5a
zCpen-b96G*o&ceA-+<`;%f15%8IWpoGD@c0*Td6(vAgK}{`i3$5Sz4|d?)|(_QTfE
zv>5Ss9OKJn#^f3cicj$J5+Odw;tXXjTfUMe$h=iWu7G6)9Rfb&z=|!S%1q=VWxPa`
zrWLr_5d`ZKi91YNh`e>3wp@nQzYzB^BN7}ycxAp+C6Tpy0L{K!?~`vrksXmjD#&O=
z+@=vIcE#N2Z2eWFM&=^Y?L*_){8YK;5fDxtryjg)won-%r3ps1?>(gve6$;IvQ`=V
ztfrVP8bySB1byzz#{TeQ(9&UOkOK7+>B5xc01|}=TK+-r%{MnZUc=88v-4ReEfT5y
zr3*MW8QUeM`WECSQ1tsrDNMm1_hU~qHDpe=V1D|9x_r~9Ja5RV)H@{@LarJ&+6S%J
z+1o{njyAf*iQ*wih;2cu*of&K&8S8XhmrA=+w)6lf8WuCsczo*AzL$f%=Xl#i}p;6
zWynuHTsFEEO2hEYvfJ->obX2$u1D2m=3~|BG%;}?&y5MrFT>}ll3cgZQmta)%hw^R
z86##5Dq_72bc4s+;S!Nm{=vn+2mj<;#&w$S4-g@L?WyNb9h=1yOuIXaGgpId^o#{%
z?CdJX5k^zKGJy_9oY}~L4nBOi8$+feMh1plK5sY0S21;Pwz#;(PfEsE)p5e+#2@n`
zW7mtag;S>@wO}9YDwj9_zV+Wf2pbjo6V@2uY13Rg;rR>sdz|&$k~cF_gHTn%kwvr?
zFMLj1_B&N46MMNMp@WXU6;iwlTg0dI`Tx*GzLAMccsw{fsL(X?P$UeP(9*~7fY+V-
z8Yorox&yIxlR%vI=U?DHtVTsQeYuc!YKgq-^4b|qa0>N6BgPt^!!p-V<UkO+@kj0M
zNIR%0xz=2Da>T5EK=X19p)eq0u+5V}iz=sYGo($-YBbZnK+iVxt1F3@rkh}K&`+|n
z0`DS&Bgu1KRcacyg=G_FBNpjbm+Eh2Qsb{53FZ4IL<-}+dQ)>xQ+~htHz@sKSk}(^
z&&{VQ{I6)$JqbcAL$)n>$Z^Lc`F_0wbp5GO=fpr(rpXW5Wf!3SE3cIC@EozKOjB&f
zwwO`AIt~okFgCwx8CipfZosxmcftBf)b^6%?^4aC6+?PX3&q6J7FHU)a)t>DdQP#h
zZk|vDs3{j7AG-ruWF$nsJz4QR?vflxUZfN&Cj2PI3?n+9-+vhS;=oCYVqr|GExTls
zmB}Rv9=>uiQeBztnPzfzuul<V2|rp$<nWU-y#6uDgxENx+{Lag%L9kp<n8dTEgind
zKUY_Wwp}YDk&9U+_I+o#gFZGD@MdOMnrwsnk3HUjxUcK@T8@$?33-C>8cJB!&m`#&
z8ZD;c<yM_Ma@1lCK9u5)&39x2b-8^-)MgFK*ZY$wF4$Oq)_S^F9(tX3f1DdCTucT+
zFHyuquJvIBH5WEDu_@LQ84_cX0khT*Y<7A4Uiwkn8?Bju&zJiaN#LT$E!{vfVZ^M`
zRHEPn3j{7SyVZvEMA8!?bFG|LGe9Q@5LTV$gUU|40^U@eku@O>CdNCSOCs5vJQW*k
zA80sZEp{+x{=j>~p+o0=h|TM@#JZin+)-z^5aCOz+GNW;E6pjGiJTHnTkw%NwUQfI
zAnF}q=!Q7Vl~f&W7JP^)q0}~?%~8Z`D`14sHj8AXvYap9VncCa^Oc`JOuCLT8zqGa
zyy-xgN32c;19b^bmtM|S$ixj+)HtQ6#4)Dl6ANBOv-8%Knx}~20|Q_F9yqX}GplD;
z@I^?OXGFELV&4lZM&*#K3P&;Nrx2um*#Gi{-z%o7m4x&vgfRody4{J!ZFEb~uTMIv
z+7J#^n~3IW0vY{^d;+&ecrTf_O3?L+cYbjfqQs~S0SZSNVJDnG>z}|LgINBfSkBMC
z6X&c{h2EG<;8Y^3P%5UMDKl5lAlah?`F$4c1R?VU|8oe39&I#4`Ue-{WnuzOuBIR^
zaB@S+Hg^ALT>)4kDKuO}2?f6_6KPi9*G)b}{KI>7=-TbTK)CF2>Ykyz^sejRusKsI
zgAxN~diEAvE)HC75Q2z1{PenGN5)OJ?eSss-oND=e;5E(NiGz5fr^Pk{K;J>t~eR*
zFa>FGtwnB5pW7oZO&`y>fa6A@i$S-*D^VdzN8CPzU$d84Y08R;*|3i~)*2>UmOtpx
z`09~+xuq?Z#Tv7zoQpcqD}HSS7jws<CTIYC0bWAE7?DTI=XBK8fj!!te;}C%N1eHV
z^tiSd+~MCyH^qe}Bg}K^(uxY-&*UTf0F4&-j5$Vg<UAPRFsszae#t6Py?1R=gzr=t
zAE6_z&_4D@22R~6g!J2TeQ3c(-o+ZzQMG{{>hj}^x=yfg?BF4XF@mM#!EnL5I4uQ#
zq*J1`A$p8|iw^rNiHb#`?pJqV4qd6pgYDs<eb6}c<wf~wLdhEnLSRNaK|f+l;4$IK
zq(~MpiHvH1g+}5o1ymqDBZxFLPc3Zf-O^6Z$K!#(pKh5_^qA2$=Y1IMp4je~BmPIv
z*ZWV4Cybe<OQbP0FWu(CzUy_NK-g8F1JDegu|hN1ghs~?58~e2C<uS2Mh`flhCkRS
zPvr|VEq1s+RU$siE{z>mX1BykGV&v21sN8oFSW0y6&w_}LCfp&1}Oawr4lFLQmTQO
zj?}4>k~T3Q*1$My9M#xqPyE|N)Y*F!M^Q-1MvQ>A-%6IzGeBu5=+cOUB$>2`9bZTs
z>YT{sAat>o#F!C?yq|>Tpj-^YSSkAF5rYkweYLf~)J~IK;coaIs+sa>yf?aqx~3H#
z8%@l(v)%+3J)lBNF2NJPctn3?GLKb$dlVPW3$;2dqWi2Bt2YtqY}KBL@`}zA<EBcs
zZxm=)50@k*?(<7;yaZB>E4qacY@w>EC4_l~qwr!}sHzXqopL%|VI!a519Us15PW?e
zu=#1^zVG;vw-2E2g`@d%!vm1PHYj|4^b*JGsZMF~JsoTDEg7;<xDbuO0QCf6BhB2c
z_o<RTDn%|~&+bpp70f{gbQM)?&l*2OcwiL=?73=8r~giJ%$|3ttu?%I1h>fhcr&D;
z{_(`|57i+t_U6wIC%w;ytV1n$ceHVIHD=-YuvpNs--inK<N2N7?)=I+Z}zjKPoY5|
zpjsd8aBQy-Qd)ogwn7*%ns6#Wbk|<*lWB0sMJx6e!a*AY@Zv)V&J!PzgdU;?+X}kh
z1ZhuFG4b-zQ=<Z^4|DB(Da1}v=|V_TV<j!P6>ZQ({Vgbu&`P>)`NDFQcEf!E^7(k1
z`0PzTYb)-gG})ON^-S@D#UF2S^l5E6WNG_-8^xS*l>B39W1v{(nB{JbJ&G<R^)cGC
z&@=c`|BzM-j{{tcMVi6Coh(?XB1Q(>QGrJY_-STI__GLrSPo%F8b>0$aZfHpP}fl+
zA2)aX_AkVv<hqWVy1NVqIy1~nIS*A)P(m&{0SRQ*Ss1x35i9ML47pV^nVP!#_^Vk$
zu-#|9B>Aa)P9efN+I^$oEk&O`+7YOL^w08fAtCLqxZotk03}2Z=@AdNRJk7`7V)Rr
zB3R%t9z=k4huZopsg*?tp`b$b`WQCXj_T)@LkQQh400Z-vGu!Z=UDFrIYhC0mfWmm
zUbttsOjO5^!-x(lu!NSPoF&V|FTuAndSS`<c+ltyCFppUFzM={fx$WHfXCHlr%q4B
zEveJzLUPI@at}~X&Vy}{w<TCWVbJD8K^U(9u7|xBKlZjy1B?2{yNUUn+V_U?%?pfi
zh3hoY(a|{+O!@wEKRkI<Mwk<_C3L;nDaTVG{=GkySOHrA%gFv$5G4TET;{)0%m?R6
zQle@H`1xc%Ub2$7NgjxBFBN*4lQ&lIkOU>2o+_$Xh?9zS(oq4emTU@hav^;tGfCqG
znF%iG70pqLB<PMI7TjFJbX>WnQ`ptBF2giXlNQbAF3AEHDNQ)4ta7GxrlqhIXU-0n
zjn_~{5F8;SUIe4Ag*8#pAw;BB7Xh9Ff0;!~bGUtEt(t!J7%L*Ory+{<!A4^9kZ&G^
zT7Yu~DgC9hb34nSS2n~Z=({uRuf!^jFCT5V*+T7TwS=XeRUD9UN4a!+(9mZK7^RB0
z%Bi~yN2(>~q9r>Ze|n=bfABq?LO(P6RuXY1^jYvpSQ(<g5N-#8(jr25^>oD6)*s6$
zfo!rRT(-Pz0vkI|@!?RGw9qzgB7wCt+^(vOsQ#}B1nR-G{!E|g16p8w3OX>bEE0wx
z59d*mF+8OjtGnAdsNLk%CCZLobfx;P`4MPl@vyf3Kx*BG$}+Xi_Ffjex+VCW7b+qw
zlaF6SGi|0unH>1i3(jM-#xLnk?rGE?UzN<P99g+l&(%@?gNo~IENPKonlJI8ehJaD
z7^7%);f{S24cv#mbi?aCg&kpF{VeM>G>W(FYzfb$pC-2nz57%+J8V*4b7>ijp$BOh
zRe(ap_(mMKj%95mFBE;KdzdB?7Vi%$j4262D<LaG1+v^?=Z+vvPq*jAcfSh)iDJC)
zAzZitKY<cw-ORwiuS2}~vU?$eT6pr55Sg93ma*n2IHL0H16yp2)ezPb(@GlklEEnv
zAB4Zw_%XwQPbhE~K|<tkTlUo{b0UL3_w;H{GVkXMTkj3-So*dm-uS)m`TL>8lk2wY
zzAafb=j!UmmOon5%<v=w3JSq><{1XqNLpniiIZ`hNCG=Im`akbt^%|nPVSw*<z%jo
z_GdVsx!3H7n067*9x@&lV?hPNppk&zr~A7!NDqn8Zp(oHL+=6#d`VUD-CWw>ushP^
zBlkP3z(Ts-EeAzJdPYWtZl^Zi_v3Co&{bS#X3x`{4YQKzJI+6yXgyTaRW(ySSL+)B
z;HYv*Lfe8iP8&TfVV3@+-yXuOGxTB%(n$l5yDklV&(6vMzk>e|@54$qj(FE_OW?aP
zH$8F9I{*U(ew7U#D+Ofu^+Mdj;y?$c!G|-WDI9rL_N8fE0Iq9s)iKmtSa<=0GNUTA
z;+$@X#2;bQ#>9n`y+Y-ceeO7++j1R)7}G(w+49fzl$UdN>;w~C_~Vzgc?hMIX~*tH
zj@ZuCUt`*FqsN&j7h{`kZCnk@K45ar-0!+>KE}s!05Tt+iJe1fTp}Cvua-05J~Yau
zK*2psfVKCInXk~p+dA!hvOi+sF9BXh#U^ieO?B7)Gk4XBb$`TEULkJ<{4qSuScDEW
ziFkZ2;&%<<%BkENnA6UWc`5n!oDV~KjYPAwRUZK-uFt=AE_fTynn0U6pSd+sf`z=s
zOH7?&5b;==rge2GbeOD4Hn-qjNDGUoXWH{!U0uI>`Od>WznBFS-ftXssz@BeDOuxz
z*B&f{)_}tU;Ws3D4-EQj?U#-_>`W)@`r~!KN1OFa)%W~J_ZopmvK5*=zN8-`wW<|M
zN$?xVjr&y2bV=8%ndpFKdW&wp3YGMy=h>!}loSv7q$O5LzU0S1?MKaIO{RW!L;$)-
zH*dWx#atiU%L<kXpk@iKR<|}cH<y>6xK$Y%OvwaB*xfG1<0=p;?x<P*(>n(O{DuNy
zMGFtu5rOV#MhCPr6$s%xD@+V?T4GWU@04GCJw>h*!2$G<g^gKvB<>miH#;iFoMua#
zKVK9F9d-X)<lqD9BilMddjrF9qH)o5I3=P5yPWNw_FF>;e~XKe2nf5yL{hUQbZZVr
zFb>7Lt&0i4w{9n+*8U)Q6>}YP^VL)I5tOGHeeO1VAc%)0BkirKs!F!|$@V&s<DCOC
z=G?!j`T>)HR8-FPKkf$(vlc%}G(~E!#PL5SBS8f85C$j`k@N^GO!As^k}$6EP)GP=
zak$(gn$D$6vX8>1Z3RkAccTMUs)WbY?8+6%c7J3z4%rCCME2x3zOxC~j{N16^AmFw
z6La<RVjU_)Zd>>OF0KfCxzV{~W{{}iP=MwGe(Ql^ejFYirlqCfaoFwn-9_$Jn=hIK
zeD7jx+A~uku!>Xhg$f9V0b4tOL@<oR6#W7cDj=ckN_N{Ay^Yd(Z0`6PPlL#)^Wpnc
zf?ki@R+o9XY)p4n%TuG+Xi4ZW$go}TV|6Vq*pso(nSABK4@j>0v@ifOuU$Y<3EX>G
z;7Ug4!P^U{k?ex9-iN9sfS5}nWJnza1yF)u@tVp`-FSQ<1sxq7M>v%Bx@xP2f!PiN
zi>^d@IygRX&E9|95D4G`{K5g8%ncD7x-|v{Bp2eUIxv;uWM#kc{a4){8^>OmCE}RL
z$00|GKO}<dTuxk>1xc+*N>;_S@IV9E00tP9yYh6=wZXZj9<-;DqB_Ye^c@mRH8aIe
z%+CXHvo`+Tjz*mC>NHiRZ0GG0W(fvUyoQE`j*pLLlafdImB+gu8|`5-JfGVZF!<CA
zWB6wNtC^`_Z1fwlDZR|CZ`Q3h2QbB40Pe2!^;JsZ?bFe1$FJey?oUezjo|j9OEH*x
zdN3&?4XkSw52@tD&_J~kJlOw-=2L6;)h(@4m!X+8yyfvFQj(vw2wmz}1Gmwi#hiKF
zQM{1*2#`fjEwjhXSaGkfu4=w3#CBc>*~8Rzz1mcs(J~P2xNv`G{&!y~h~9;t*poUQ
zdFF)vqEAEuEo*u+uO1)HwbEsF79YdDh?^5*I%fNs*Ac^kTY}8b&(r+)f^^=!oeeVE
z@cPE^^z-*`I9Dv*r~gh60Q$7a=Zt<#0TnSZF(-`ivg<r7t=rko;2U8Pweol_Dq!=E
zjp{7n0G>~5^`3cUlj+}hs0?`R*X}FqVGg*xt9p9!nE^RM!GDNL;BKmbAytAo3^-b1
zWo5-yR*^yOviDXQ2H3vfGvMzyaF*l#cP7YzTY_^ddAYf4nX=H((3blXh-ZF@+V5(x
zf55toO-!(7kK>sG|K4Cwz>+>ou$WRwTMru>8;xW8&v+EVw})+!aAYNzg4-Yqe!v(J
zWC;0>3UB~xu#4sLw*FOXTAH3ro|sMF`r7D?P-`hlDEm80FgQ`n&COk3Uq6vA@V=XF
zKq%nH`{m2D1*;ts3HHCwMv$SUmeoCv-ssQ2S2@nZ+&v~}>$4Ee1-2}IXR4fse-Qgp
zW5A@Py}CnR@Cq<7DeCLjEFQDrBHaRr$jIPm^&bHl@{JOHzXf-NQi*n!c0ieId$u_v
ztXz#@@X)Cp=QDDj9r`kqmh<@?1Wt)LaObM1sO0A6vT|kYfmFzQ@&7djQ~;9QJCC07
z@docULS?-`uGOPAdUJKX8XMlRPR9y2H<;oGJ-4!=ZD61fdp<Zg*xcMa@%)t)mqx%Q
z8z^8reWd-d>|TuiuM+@p5U^Mih<z!{9^bDx3BO`UR_}mp20GT|L55S!Ol0)+V)swF
z`e)Cg<4<pIep&K$d=Nm>gRNVj=XAI7KV}O6>bPnsEdMo#_qz&vURVmf4Tw036dIUi
z&8}<kY(DU^!8Qgr(q5$m9@g1UFdeXU)ZQ&|F_tKoq_>YJ_Yl8)J-8a+$rPs}3yOu0
zK}_fHD?j~<0~J4IJT=gNaIitES6|pXi(U}E*XolT%g5XCC9?xRS=T}>>WRg5I;VTd
z%f5>?SiBlp#`@@j--UST^yg7Al{NZRhgQIH?9=sHwSFESwU8f3C(#fKs+ntD>@pp_
z;v~>lAozB{_U<cmG09;1=i=sP(B~bK&*FX}K}EI9u{AC{!J9waFm_bq;IexFcPrpx
zs>%TOUSV9$>UEUtH_1VHpIpA=A_iW*F{w_<>T>)cRV?(15-6a#3Cr90l`(E{P77;k
zkbVQd@-eeHTTAYpU*Ea8PnaS-e*T49AK}yO<$Mq40`D(kk18Z3E2$;gCi?2zOLL$*
zkdV6hY})7Tb{Nft-FCOYXUVj+9N#N4*mH)CkH~#USAmhWkOq}&Xdz2FzRl@}rpnwA
z3p`Tbdj!$Zz|}~tJ)3P<!x0P3tc^-m^6m)8M<DomfyUn{yZhxAxl$$8JD2T`*R72N
zz)GIKnm?IyoLIB!aDVc*zZ0H801r1XMaqJiX!a@%3c&TuV}Jn}+AK(c3`Lrnniy*e
zatEGo^x%Nl9!~vLa{4+sN2b6ZTr_~F6sQ-|zkZKMs!NuV6B`PRu?d(cZK8wz#><up
z^(~hc4#Hd2>+jr-G;Hp)GNHKK>A_Dns{M{~Xu^dp+e`}Rl3~&sUW@3ug3e9gV|MWl
z)-!5P-ojr)9ffofVPDF1KY`ThK=4d%{+S705@Sfmq~bwgT29J4o~_MwN+pfO&M`tz
z5zl^<Hu}7U-qHia+A_#+n1!Kr91hT723+L1X#hC+@0W5E$1f${{FkHB^}VD%FTYHl
zO9JJd+eQShC8yEkWD2FuuVoVp-&%As`_(;e@33%Q8&wLreE;^G=q+pDj<&xS->v3`
z@AGV=^Pt3=6B3?#h_BbHOKS3jsZ%CO3D$qQj1Y0cCyhvy5?U{yPRNO1r;3%EsbNu{
zm+)`41vyd>F6tj{kXFfS{n9W{`*p5yt0wZ98=`<+pdGoin?<W;g75u)I+sO^W+?A{
z_O)?!{rko2QlaqWQDklMm3cn@M)}CdX)h{p@1q3``Y@l1Vd=cW_1o}=gbcczmJ=Ta
zFUcem1;V#22ih*;I&dOj>(>OTnz<f|1^PJZ5*p)5>h9NMPw90vi#>jh?2zhYzIaoQ
zZ&Tz+zl<=2Nl>Z;`4zX_c2?4cnEPoj!(QAfYbWm<D=)Z)eI{A(nou0NV@n7?vdmg$
z%^xMTw0B*3DEKgb)ht`<d0-$sLX+qk9m2K!*j1L{yJ2M0guEVOabuC;;9;k&R)3`0
ziz5@SFKXQJJjkJOiY_*O{fYYET~k2z6<?(zJ&END73;}W2MpJXtZW!D<n6iY5nN;b
z^3GD?XJXENYj%a*hR-Tgv#K>x%GW<el|NXOYx40KgDN8^?!ImufhxC{tj=X2y)EQU
zmWPVxFy;hbn(G%$a&w8;SIf$V`W}vbH{yA?=@u5Kzw1`mlz(P})wuuUiqJO3q@;IK
zE28}dO7oY8g_EX0Zf$4@7ifz$a*17VeX&BbpbcioAa^6AZ)XrTTzN-bQ0IChPmm^I
zn>M*TD#LG4ML9$Eh9J)KZiV3gxMWzJo}DY*oVBSCJ-nm4cFyx{VR~|G!9oO-BO2<x
zuzA-p7V<h@z-^ND-9_(foY!X1g#bA9?ci;Zei(#i09@D$PL%vVqW&r%j;`q%KpS^=
z*93wSJlNn8EV#P`cbCC}I|O$N5Zv9}Ex5b8+u?b?bN<s;b1~gr-Br8x?p?Lk`cyM+
z^A&E+-A%fKoY?qIm&~#kMX>o1s|Ot*O9TFdT2lgG|Kqiex7!Ne+^w|rm(P_Kw%*5D
z$&z0|<7?++9~{9w=LLJ2Nn7pIO>alDRg_zV9sc$LZhpMLK+4N}N5dQ3{Y>#{f1xLd
zFt}Qv5YeaccIR>J!rLK(T+hw$ibv|j>U6`c<-&J8ARX4m46d{3^KhKx6m2=|7y67x
z$Zd;$qakgNabceJhLRA2YhZivy0|a9ScKs>rahS~vW*fc!z6N-s6BH-r*tHVZUS-A
zU*XRLk}7q3xT2_&Aux#7vlbSt#w5^RDb5ku?TsliGM!hAM42ZK$l#rPV+_(^-w*7n
zcZ&3o-xf5Rek;1mJ4g6@iYP$zY=S-=kEus0O$$xNvYI)w$+Hd>=IJ=d({U>QQes95
z8y~a+X}o|#Klz8beKDr*Vgpc7<qt<|$}PrbEZ1Y)P8(*fBlGRe@AIOAnAK(m<dkgU
z4kE12PIq(fD4up1b=a>nN4&i-{%o?=#i(+$ESrne{nM}3Uc0KPSWDDwslzK6Lli|U
zZ|=k|AuWZ#YN{X2cPQpQ-gb+#W#s4|30$`-k1?D}{bz~CLJxoPW?rw_wB}kIXOcoT
zR&ci~J}o2V&lNk;m(nwU<vceLy;ZC{+QZ$|M$aTR;^_IIVabZjIDT@vCvTINgw9cp
z)iifys%#Ls3b{>W=3Z?mZEz{i{Li>tFfsplp!XyNyV#{q?iCZaKx8ao`}a|s8}pbZ
z>_Xe;OC5~kQHW_uqApOLnC*^!j*7h7;l{Mx%bQU%AHOuy-mo=!>_%IAfkO*IDn+d-
z6JGK-8TAZ~(f7t{C04s|Zeu7;EvD%|Y;C~CI=EG;R5^zfp`HBKB3|!d|812jI@jaD
zo?Ju=CJ>F(e|)Fg2HiP6u{N7#JHCF=#9R6D(e@LUMZ5-f;_kb=IaGR}-#K}GtAYm?
zU^Nm=(45yOyv?h@bfV3_PwR9e$-$#vyq%j&e8VH+{d!TGAxP6IIKv?S=?|dJl+pG%
zbWXXj5Wf)yLZ6^DN}{E@nFl>z3u4FD`EHe%p%pO=7CsTK9Q3f#DRR3cy2z-2XqH>9
zlZdvL+BfN~pQ2Fae1<**=hY>Tqj^zvRzS9^A*uaG8?-xhJkqdbz?3n*JE$d;Ft;|T
zNZ3A(1Tm~g6muVP*!Q4XP%x;N_uHA}3K4e+H!4Tj{;A!@9?44Ur?&Z5_3F4mz8dII
zJPAR+C_T=SN#y)D-9EB$X}fpolV<V9Lb?^jNB{?ih~ztJ?mP@wc`=N6?~?-s=T+5@
z3w#dbj=m`|^vgK@;QC6<f;P5MYBH2wGAH7aP~&d~WQ%c`GP*KS0!y3svBmzLo3KMP
z^q}3)w?IO2+@NJwYk2hS;k`)lG}RpCoJ5cQk@iDoY-1cJ#KS1`h@9OUb6fiWF3;$u
zw;fJI9jNT%=2h(EAH2&3^g|7Hz-^D6)8)PxPg`Y-0OgllH*VV^5-amP_Xfo_XrSMs
zq27&i{wJ69cYG#pKH>%5)m-60nRQa=&5<pVe&u2Hg_j)0>CC8vr{B4Zifp96{?Va?
z?hF<np%C=5GPtB<h52cTn2E=xK??4&bDuguInbQ?oUo~TgQM4j9fMb@#8-Cm(ga!0
zWB_cF_ZdaE=aGRjsztT8-FV4pzD2xt8fGf*BO$aEzyC{fgO65XQysonsNnRrb-^f+
z&eYon%8LhAtPgxR9w11KhfTdN=pDUhjE0&^2yVl?H!|t#JUs!Bxsxmm^HfVY2ouMC
z5;1`26hF$%(fZA(47i{D&j?f2M|HnLNLqB>9I|m=d8QHzeF8%QirJ*-n93|5kZ;n%
zl&L9lnI_zL3CBV=0;iaNxU3O1vOhd&e->;}HWH{PTNw_-CDF+_T1k=1RqjMgB!+iO
zN4oMaEo>vDgtk?&4u!42aQWMJr<Q$uJOAbTZxBGiq*@H5mI&ccQiNvAgCXUE0vuaM
zG&!KGKR=m#<}I-&!E}apR0>b?g|`a$vMEckR4#{kVP<O>bo`MFC~dvljz9L-o^L(S
zJSC?3vhd(S5k@$mCY^PpZ!rOuJXkVOy<K-sTfQ3bbqfO}va<{RQ}h=ry~>`JIaYGx
zb7g6N5=`)%pq>asXI7TRE~h@gHF+}S^lf#qDUxPLAV*y4$`*8%uaYYD6~~(1xtR%&
z26O!jA@XwSSlN>QZ>TSl2%-10dF*{_%B*~jk5|JAxJ>qLe)7|B_(58OApFOn;5Ly*
z$nM#p4N;B>28M$8%w}z8MyiVt<(>n4?x%$ZEHf{EbkQu?x@SXX-*3br+pa^9jZo;n
zP`W=I5EPs<Kp)hMT6#Um%R^)@Lx7PGN8Rh6#rBY5cLdkg?xV|%!pYEK?Nam_tfbuN
zyePHy?=}s7DWZ_xe7?g4@alGjxF16HF$}7(gpq!=k#^%*PdMGccWhLV;^rCl*VJ4?
zI&eUvXvR^8z8nWKA@{7EiFwZnB}ElpdBXr+1`*7-Vp5+uKr`7Yl}K=x65ky9kGQt+
zw9GQ3FzeRo@opc5tk2m$_(sD5*qR{0wk6&4&eb%N7%RU-@iBCgB@!I;Z0r9ea3BW%
z0&)x_Q8xXfHa783YPJmpx2@AM$>MWju|ZN`5^zKkj9cx(N~~p&bNy!LsS(s&f+Pxi
zsj_VE_M#>c|76{{WURrI$7B_~&fwoLVM7}ZwR7b3qy3NeD0@T$M8+tzUZ+o)g1e(@
zPQU+)jWF1Q<}<D!7x6A?zk$AQ0ijT3z{WGyofe;H+jl3*;z#@8%kTDR5Jtijh*e%X
zR%;|8YLy3GE&SRxivA{A{0q_1(+1KQH0d`4N`K-RFFk~r8m-q05>^&u_Yb!0%e2)q
zT)IJjqP8aFcX9Or&LEk9hYfDT)l2&~l);SJMlpSYYxRTj>J^i}Raa?VPHGQW+vU(8
zA9-}EwNuL*4|mPV@gryuxq02wy&$a^Y`N{V?&i9!4rkZ5sfrwupIaKG!S0*8$@-D<
zcWeOP#&SCpgaUtjDByOzH@4jH<l23{se|-FPYd06_A!eD0<Vi^%glONYV!xT4Mxsl
zOt1U*|K4w=?yB6Xd76YU-=_v}fQny31Yn6;D_e+8Qq1Nmj|WFF9_D^UWuTQ4y0Z)(
z*fDMtkrrUud`?zKXB5WjQ%s(=ypEcc003EHb}Wa*xIP_ByU<Gt^bI6>c7AAJ@*sSe
z?-OPDW7xu=%nZET!k4pOlw(j1FnvHE&c_JMIPjm1W#Hh{KoQxttX6cWWZI!CO1#-`
zc2>#;+aczD9vW-IxpMCIr__I)W>@0=L}JFe8||Wu$r;ZZr-FAGemz)KKgCpd^}TFS
zBf+|y={t*EtBUUT2ZcDIT@>6ROU>e1iqRg<#GfI-KNvnK>Mfem+8fWM?jt&D*!-;m
zT?a`&o5xNInDNPfpVFOS+eIf6)X(}P8<KcykV=@?tUjWO2v;;MQO#iUi?mv@1{YOz
zzP+?HYm^<Hvr^84T0=lmmIbi|iO_0L?A5CmlcE*+hdg)ku9#E_le>UPzj9+u(*J@D
z_rG9+8K<37E^a*d#mN0%ti`XkqWP!AG5A4<&XNod?|!UBnq8i?M7|$7h3UtV)E1P8
zt2VC=N~xKlN=A}YAWQ&YQ9gqPuu18AGNjxBMv%~o(2*Kqv$z>#Tj2zK-f3=L<8?g0
z-&(LB_9R`!Lhz*;QvRpt+gIPz9uQIz5BtZWq>S+_zb}SD8DpiYf7teBYAg%il?D)p
zHkdudrCm9j<J5`!5UFGlW@=5y*#90QDulSOZ7{r=1k=TX=xf(U^UdoiXrye9#FMkw
z;mJN)2_HdEYu1++R{K4b`r=QVJ|$-)<1%I9cp=2k?mgmL0VI(xneLk=iqSK$-u9wU
zf4e)kJ0<_D6!-2rF*bBTQK1%rHgBnYrZOfwZi7ThzD#v;vf2JbRq~qs5qyWi(qrui
z?+pW{?%0Gpc&n($U9@_;_kC~R6tVUC&<GOropsNg(3_@tR7f!TB1zHv+LGns0<73w
zdSnek!J{wb@BccCh63%NF++!BLMX`HwLkNlLuL{xD++KU>r<CAu^Z|~2=L`p?c$4~
zTPz25=*Ic5Ng&q_2hLJ5r0T)b@x%lk1{jZOLV!;EXu^_brGJg34|p7rUI^-EB(krB
zPm@d|tr7s{A$Nq_mlS;W=$WZo7{9=tu~Ex&^}$~@9TSXKZPDD}F!lfqSXkSG?t)It
zi~e6BXGfaa-=pkVNjteXoJW~IoqAN@2ON(LdedCU`wtiuwj1sXoQjl;z;MXyLN7U^
zHw=CfY=MoaAO%^c{3QDA4@G)Gi#D^nLa=-|H(-IiWK!7|t_B<KFDO&=a|y`})+=)n
zz^@()XOT&efok+KaEPmt>3rz+nO_{ar|I|+_}@nw2e&^)7o5SN(eK8$gw0uAYIi<W
zm(lws(_tMu>03TX<Emg+!kFNFL@#C9&u1K);;_NB^w*!!YhU}Z?K(M8yomnDJ^wE8
zAB0ARpP~!g=~_c|_1QWX+xQzWfUNLm|7sl#w%qF%)dLr~@AOt)`lULm>t776=YzeE
zdGSN?IP`RgWat$0?;2&n2Eix%X!w5zqJ<=D7BwtSdV$w*^JaA(HJijz%A~IN_4-+!
z1VbHmQShqbe`&HX+er&|xP6bb_|lcPy})`<Wdrj&OYz^!qvJX$)L;9?eU%Uthnw6m
zhe(%T5)ga4@1X1KaG^oW*L!;6)dfEssun0i-?DM&;Ns0G-8!=}7>3t2{%F$d<D_3<
zM($`>%kELH&q{+sQk<gPvk8Z?qM8Qhq^Ub3S{_eeioJHOrO_Z_d@0DXGCKrp9fcnF
zTYF%-#>dCkUsu;ReM3pjJD}RxAvfCWeN@ZH)Fx`B%HorlOKHk{K51=feD^8(tV{YY
z8ts_5&vDmAA7nENPdJSdBvv4!(51*F9w180_&a|jCeiQm#M-&?gV=}Aj*(MTgGZ{@
zkZAWq4KAx)ej#A+&@jNcDhFU8*29(Z&i!i*v6b-9w>~ken_@}LY`iC&o5(>OQFx@>
zKkgsWT(U6%C`RB%VdYjekcOLyuIQS{yL3BnKvvd}^%4fruKqdS(A4<gN{RaIj9FTn
zJiChWH-Yxr%+~f}=V-SvN{MkjA#-i(S;<17C0mYI`~s<CHn=f1NBr@%|7Nd%MI<P<
zFs&f{(S4q!vjgHWUiAw?Wn@3m@%_Vp&gMmd!0d0J?LuLMj(wA38o1EJGGZ%<uEHSg
z>3;9sW*waPcOHZx?_^cTlB02sR-`LSJzfsG^U_`B;O!;$FEg8;oMtit1W<WB;NG!J
z99Q`ZTpDHO$`Cxq<GOXWb$x8y{zJla6Y@dlNfsUp|54}IWdE@jjX<lo!r65>qt{vl
zfP;J;Fi?Yi-#@Yk7AZ1>-3W_*c8YQ7woz%ZatI^hlcMvkYhXP1NqxF5CbF;A>W&er
zG_*3|_6LNV(YlfRow23u-fbG6=M)$M3Kms0z#qo9V^>wM`CJzu-$kJ+IAb|)lmi|R
zV6rA*7A1N#A%Mf7>4#Y*qR7BY!%=zaqCiK)-!S!&+GL-)xL1P~`V&YYfwI$|q{e`?
z0yM<rkdl`H7Bt+)wmVgmOOtG@;4O2~OQ{(KHUOyxfcpW64HV-|8JM3_KYep=(1E6>
z#~*pO*S|+$4DK#a@nR+O(|{Py?vJew02X=H!O<n0z^B>dvv>XrD#cti1ut}Pa=#IQ
z#vxh=&9C*&r$O@FZK3eu>ly(q*k>;N&Q6pnGRNf69`>zwRDtGmZ9v~HYNjTKZ>>Ms
zt^X=$vGb0Zk^#feDqYZ;pGn#%O71~{+L>6gHg;WPtkNqAMaSXw^0YJ#e0h!%NiA88
zo=syGeLa9G3$Ku$hmwo6<B?`WTIqO#%Jc%4r%Q{Y>qGem5}XVR2L)-sh3TQ04l46|
zO-x3=vyC10WxY%|wauR<LBn42fKn9-k>68+KtG@Ys_Squ0NF$B-@Dh2ue>at3lQXA
z*bCdV-<~_(J>yVA;Rh$Yxu83fK3)Jmi+<;apIjLLySWaxlFVIa-Re7Kzw%?HjW1fg
zM(QV7v(!;C#-HsUSA;NEbpO&7Z$8l?tcYS7v%=_NO@(~a9l)oQ;@bx0?#(0sI$H6I
z`2hDl{O*~x0~lWsFd9*A)2CPGIS$&n1IsgUaX~6kaP-Ndp)2uB`N9Fvpj}Z)NHCJ{
z%_a$8mAUc$cK%*V@buxF|7Y1R;6b4S8u|N4ghh{#ftNM?rVM@hGfW3L?Cx=+&sV>y
zhb1-9RsRc^wP%Wab5g<x=B4m|Eic6C)HA4N3G{uA){2}CJp*7<pOJC?I-WQf0RQcW
zXG^=zHriin-7;&A{(9^Bezugc+LERI;)Lm9>LC6yi<V<4m#emkP`MMYAEgvfpo2ma
zjY1v+9xw0nXvF<ppWyislE9WMlN3N*{G(6--AVe`|8CPHP=fL1J=vTnvQCcpp2wCo
z@B;M#U8jKRWI>)uZ+#i(Jzrs?Zwj!xuVKIfMn0+}U?4^?epQ$ChG>y?U`@+=nVC*&
z;tQ|Q=8g^~5V`8%Yxp#OcE!;k`2WuO?{1(d3S^*8DIVhE+uK02PFwQ7DiR22^wFDE
zfd{uDgNYcMk--A8(Q*d=<D!I!xrJoi;4p^<3BY#V?gdU$c!*Id!r*+I1wex<cy-e@
z`CIbjYZM`_j_5&*2z5#~cb1`p@DwGbr3hf*kE?&^79pKPtQ)lmCK6?3qMOnY?Vv!C
zuhFG8!$Of$zP`TR-rj!Dra^;p{&&fJxZ=NAlI|IWG(;dD)QbaE@%D(TG!8YRxrS|5
zN<|$VMk4Z<D{7$D{iA}`xdqvIAMkgdhAjYP(x}Dy*L-$UnB6f!6H&?M3V1bLlIHCp
zzW7+&I^oCvigRFjfZFyCgrdg!_=CqV7L=~u^l2Rd57DcX{9SS)X{+K_CWy)pA;S-w
zhwkCnI&WdWlOMwnh}#4okI;9MG%M~T!~Ea-`oCHq#7FzYe@1`2z@7hoK>+`&7(xT^
z;IaLLiG~$o!JUW?GeH30Y61+Zy`&oO=IuP${m*-y@8ZMQI&HsAU>vKOJ;aiJXBwQt
zU;s7I@PfFL9A=260&iVpTt~OH9y?2E#}+a)9xNXXKpItsuQ~k)@t4*P4r4Z-1Pxgh
zm75CP99JZ{)K1l_9wRn)V3w1M6HiN9{++f?XDZ8=tGg<4Q&6d@6ok~WiLW#%x@`4^
zmZ-O|iRmm}R!d!r8>y(sL}ZzVCuPJ88(L(s1r_URUp}J=;*nsEJAAc_#=)~yJ8@ra
z=6tW)O0f8r^HbjV@{W*dRiVDX$@0-j&1SnC$C8QjQ_^{=l1rJoeXFY0&00g5I#y;e
z?dY?MO@b|xrfVzHfEhIUC6>hSl9d^*a}gJ=H60fs6)^7g-aTSlF&%)>KNpvz=kus+
z$vK$e=XN<#Q6>lbqe<oFCEQm#-qM18y!6VvdVbygF@wlqj6H%;P+6e9jRIe#t!=B_
z_N{D5+kIUPYv7|w_v~=B6F{WQ>tpmXiY3;-TjQtf{b0fUc#&0AuFS&!{q-oVs_k9n
zj*M6BElIrk^u3~ixue~CJxOXumNO$IS>t>UF)ZwkHntZg5(%Q_Pv|_1nQlTQZ8ZX9
zb)&w&aO%QBulX6@dhs`f8R-E_0oUr4(0vgZ*B{PD${7|<&t>0Kv|>K%d2x9Zb`L*_
znLdK*ZuOAq&oLmt6KIidBEBj=%N$9A7+Pl#Ue7k}`Pw$z?&J3>^yGqEEtEwg){wt1
zS2|Czb3AP6RI+ZLNf@mJIMWqS+%hdBIG3oD5S7=ixY{4I>)L*{Dp9JJ4U6ax6jxE`
z?drd67Rpn`$?qW+m^D6^l~i7{lg8?~*P@8!fw^Wm<VJ+<`$=-3=8D$RNA{1TU7(m?
z0Aa%8&~3jY%HGChC|mI-UpE>Tc8ZE^`@_&q?{+$w;+I6I%!Z{HB_14~5T)S`<}is{
z&uU2Wg%Rv9JsIoCv=Hf>#(b)c2SzM#+`J?Zm~3hPy4cnA<}4Q4Ul$JDc^}t0UsC2f
z<(dpAyFC~?Fs8~pdHZVqZ1ZCNtu6bvtkCVs)$wOK=(;6y%$Pk^<}AdA#x4M4$kx={
zw0Hlm1p~7yAD~dV+9ZYkW`PcVCc7P?a+crkS+~@dIXfX~9ULb(>CpQL<+&Sv&IF~t
z%eRa<Lc#AM4fsG|^t@{tSUcN}c-KMs@<IJuuefUq4J}r}SV<3)oayAd?#f5?`_gbB
zhYpA~Td?$-`Kt}0zsvoVZsh1p<>URTS3m~n-wNW1&kaYVpiJj{c^}jd))X`DOk}G3
ztJ`Qzb_apgIlnJsSdqO_F~ZvyuSSqeaAKA7GqqI-B>2U7t||@(3kk#%rd!?}qp4ww
z+)nCh&bPIO@H37zhF>6w7V{V7zIHE4-C&-N`W0-H+jXBjEe+{DpYtW<-ImtR!Qyo3
zhqt*NLD{QnV~gG&ubF|sr@~U~FnTb!XB7|oQ=}!ky<>TUjL^=?{(K&E#J-KHj{v#{
ztQzxH{|F8j8q^Jkx5<|=-G8?%5cl?uytsnCDUSI$ql!lEO^S~^Qgp>ncNd5~;X8ki
zybu`6s{eNALuW7iS{|Mdv{jhyy>7Ps@^c8LPA|QuTB*uR(ePTVc(_3x<Y}a#Q9=Lx
z!s(vb0xoI0fqhIQ_VAbdB>p;^T9fdPH!+^F;^8<i`#|8O$(WR18Xjy5XX}#p{yD`-
zV)4EOy)aJ!a%0&D+`hkg-dznIkh;S5cm3+ZW#&V@PtaZ`-24{P`tML@l|P0t3Oajr
zVx^kPP8tBk$(?uXC7D|B*C3?c9sG0l^bspu+%4*WK_9)Y7%N}Xg)5w2jTXe)=9qi*
zhdPtMTD_C^z|%?{N_gKkc`tx1^7V{H2eQFqoS|<@?mBFX>4*jNijolKrBlMyux3uG
z`@gQ;*>%`*kWrSCXDz--h}&SJpFSm%ZXT+{|5PaIS)efR$tN1I&&b2rq`gj_Z8&_A
z$sqh>0ZWclycx<Q`;6a8U5P8V3KJ_hfB|6m%QSXj#H$vRkX>MFg{Q2*e82e|FPBGx
zW<nA5(b1I`=M!nl4Ppzw{DD{}^i3A`FFjW3RIv)Jv9J#E(RIU-fvq^=;NB<}Re*Jj
zO|z{(1Ecq6_;UlLTTIAKtOwn!;1kbKxSi6V*1DMt={W<)4K@y=upP!06JS)ZGK8S}
z!a+snI$X@wq*6#Q<=Y7}Yh8BmQgJPcoDxys&!Z>-MkzJR;5}_6N#TU0oJMsSKsjA5
zobX$O%Z+t6uO|NYBZzBEqVIHar9v|X`tY^o?VPI{2jsH_?9`o{a_4xHO|VOw#~YA!
zg@Tetk@p}RHlpe$#sKToyD7-iMZ!6bIwCxi0nq5m$RY9pp@f4U#Cr1S=b1(RuW0`s
z#lNvHQ54IO|Lkid$f(<F9x0w%-Mgr$xUq+awID+l<k&kL(35N$5X}Viom0D6Se6VW
z0p%s18$#M-%G=>%V|fTo^GMSjqV8we=0Y!x*M&<Vk|GDXrUPabS_f!g@AD1ei`3Nd
z5Hl&soN%x5L!^r1>rPUZt4j$-KO~;4=XrN@P4GI>1R)YsCXtIZwiucwFH(n*=BxUq
zne?3r_0!q*22G(1%(SgB8mPRZRrH5Ax?NGU@cbA;BP?x4$NPin?qb|X|7*a??e!-;
zUib)~y`L078*P+1V*^>c3W_%6LpN%lCmzN1%yOcc;H<mBZ<5+9CExfp-Q)MI6OB4q
zX;S^goLcA44Oz`)d|HYYqgddvAw!}YlTTro<4J3GH{OVN#R1srV#AOZze>KB<Oa|A
zoIcM9wUXUT5-LT8#f?vv@275Al{)(J4t|lg2>v})KfPx=-9%j@O9%-)c@}^>02hh+
zfJ9ET=Y`?<on|#9L=texhwkJ#4sGGb7^sCaJ$pZ90^dF)B8CYP?K`_d`Kb&tGEaG;
z_Ws`GUt{$ozQ)0mFnUA5w6xNvc|})vsyOF?SU~WQj8HC}C(%B$_J)5w*kHRK45}Nz
z3~ziT10|_2{N2(Pus`kQ`Y41hN;?YJ%X3p)8lD>(TPkTuu(5N)^;4lkin0L^<f2>m
zsjH4><cuaHhyva|bQMDAxwnzY>e%R!@0+7F;=L<}O+Gjf)kbTbE94n}>ObG%=bjQ1
z-%@{VG}KSeXqY0?Fh;!&h@{@yZC^bm+=q`j(G&dYUQAK26mbW}tJ>oLyaeiH7(!oo
zegT!}pUWNXhFd5st*!h)n=bJ%3{%(&+`U!V4!B5uGX2@V6j$1K&R2Q?l<q33Sy*D?
z5b;wglKda#C|T~{-2EzjY0NaHei|7r5RU%Wu*xQ(_@Axl16e_;`ixd*E}c}j!n~22
zi^-pA9((*2XkFQxd(12nT1~{h>yfZ`nP<9=p^Dg>@TPs1nEpD1@g12{jbZnBO>b=u
zxT|MG?^C61VH_oq^^SKm&HFatTWDR2l^PM=_W??mX=*i9B03EA99dkT{ZSC0iztg$
zk6y^$GJH@lb>fm1NiDLR40iUj)1fleLu`u}FC)XeVp1@&@<5$coF6&T<IoEZzci16
zh$Z5DWCgXLLO15}#C|~s--t+-%t!l;FUF#JLED*_a`#%$d^1Vn;Iw+p=SKPWew%2+
zXdVNKQr|OI%f8<w#d3#?LD}`}B)UR9WZCj}w;l}&j7*4|4-KqbHAizdb86I0(4n;%
z^wMJ_FG>Ni>k}1jlSO#Rn{Xw0;-ZAlZ1X<3<P<;MP~AWNe3&MfkRY>F(Yw<A_AII6
zc(B}G0r`PjLQ|s?2-o@Hw$c2TeMUKh_8s^-K-a$Vmrjq4fBQ>NZ&prbQNI4%@PNXR
zq2}usY>k(bVb#;5su8n|Z}yV!6aEVMH!tG1Y6!RcRC)=nPBN!^J9^@qp)VWJ;&`xM
z%#x*c)_Om0(5xp2UC5WBoOg2x(tRQ6v_#CN5Y5B{TveGw%?^=*a=kHV+U|{V@Kaj#
zYLmxAR_9Ykgv!Rl4LI*!q58@2EqpM}D4y=CoanHZL|+AXh;H<u#>)k3veeRDFPK<b
z>YwizW7-LUr@~vP&;NeEH_h&%5c!nT(krFUl-tTtid<;7JQ$SXnWI^VEKdRk?Xipf
zs(??$6u%{!d|JRoL*1?l0yv!f_S<sD+`?ORe<3>qUi)IGoABp=>i|N3qW3<)WoShA
zs{n8NAFDi>?CwnuIz3{9PT%`S5?mGzK1&UT(#p3!PdR`OD&)L41jD&!rBM(NC{0}*
zWeXJRM%P>=NS%qzN?y5o|03IqPL6^AA&mv8u<!1lJlF<?2LE;tq!U%v`$c;0jY1SF
zACyC2i+}N_dKm)2NVA~Y`WuG$s4Rv!Rth?f7`#c9CGC<3yt(!u%f%9F-LI$L;;9Id
z-mTdbol^lh2t+`1)Gz;w{QkS2t&3W(pSqd9+!!>zb3=kG2Esr)f7{MYWP894qMI^B
z?6{QcO#V}14+`YYbIgC8C?M1+4u4e8cZcIcvXf&$)}p3JV0nHoY^K`y;ur#mdLW|5
z$nM97_}02}!%HzVi~I(_<S!=EhUs|WBH#l|h-<u-OsP|;mp*rBrvc;kY}o!zY9-2D
z3NgZ7)^D-r<mHDN%*y;>HQuwlI#D!MXi(j%d!LJwFqj-It_J*utA=FrAhidN@9kiG
zwhArDWB0G9RHvQeCh-IeGm|5cDznn`F4smpC6JFoEYoGo6tLAGb(7|gotq%(Q(mfn
ziHkfF`x413f4OD|(a{TkrFu@r?&s0_^RJ~ld;#iGI0k=Jr!7<$Yw=%3l7I)h*+8um
zkt=PR!YsN$0!x@Bo1e<TweoC0+Q>SY``u3H!|9G(wA`Pkm*TCghKZL~+o}DVYvoJ%
z&Fl9=Wlle=uEfVAjENdGK!8{CWy%e!2sp)JM<&k<>v$HH>f?gBC@X5@aV6RO>USam
z56VYOLj99JAJ2?weD&rK;Bw$gwx+y=2tX`GY1@YgVuI=0y<0~<#V;ot2r=72#l^G=
z`=JBQ>!(_<Pzr!ZR###_<RH5~Ta~nmDkr+;&Ug|ByS9KDuVW`XFr#X<94ZWsq5-Zb
zK(xpAdn2ES!nqi)D=R>zIQm?=IjKb@3UP@z{|NW%y)N@8K)gj1pu@Fq*_I(oKhRsg
z?;SRL>2)pShl)#IrjYp%tJ{Hu2XR2%V?s_^zOEh{{NnP+8PG$6;Kt$1AfVd#OP_jW
z2VKQK2BBaI4Wh%=VwvnG=NM0p(_(m7$m3T;hM<+c#BSX9r|@ul1Pu;i1rKUi;&0=N
zbS`-FK!QUTa6el?e&MuKuJO$1iXUV}cc=a%)$`N*GwO8%in^#fWM}HcniN3r3N0gI
zwzN{-^o7KPgwr<SC#`tZ?dl9)*^-=5pdFr&J=%AoW1}u%OkW<iV*ac7U``17XQg0a
zPZZd0f_`Wz$~2=)|FgI#6e%6W<$MFVpkG!H9@bg8RZP`S7*be9|2(glogXng&39PV
z5ioGiKA}vel8IJVMNy+15`<MRhmH`^-d2L39j>I?2==6}R8-$shww%hGz{-o2$lUX
zurXtgr4}V742<L<;<tWnglc^oQXjZ2y%%+G{C65Xp4ojshCo2e8{agepry6%wIeDV
zrE3~bXzLHKut#LCtV3k42zAxgof;19yOJlv)sMazB4%H_IYB|c+_2<_DjhaDyIl*#
z3tyUaLUnNv_w`vWeSJ8>hXfMcA$l8l-5R|n9exD?2z{K`SYWd*X7cfYYO%RH(3}u8
zW?TV+KB{Flgw?O~s1ppx?5c}_Mb%b>hdBfgYvVfmOk{UXk+M|(v{4`5Va)F47S?YR
zjQ8`S7hdKK5BUgKgDAaIjNR}KFDw>fm!0n&N%X+FE}SinejEP0uCpew@iyo3d`rWD
zAw9rA)ARa><hoY?tq<}*RM^@tq6aDxfejg#Cm{;WwCfPhMLve_o7hwUvk<zN!73*!
z#Dy9nEo+p&b#TEYXKGNONJjKejGXKkS^?^)q&LKKYnc*iXplYyh=vkCR<Rw@Xo1u`
z3a5j_9vS~_AZ;Frt{7LK8XgLE?moflO_;~o5Hh0->*DOS`jTmMSx%qxgJfg&M@6K%
zz!{>b8cP5%#AIcY)``f2g%NUh#oSR3$RQ-@6X4ZlzfitF;?g^54-JS!sP`;}McOGs
zcGgy52{L3De|`4Le8I_QyODh)IMc;*fmHT>RfhzU8)*`*Trofv>cQe==w=#+7GND!
zK_0C`rkz8!L!=i87vvpd1fbrV*tA8g8#z|0dXS8NF7#52h1f0g4GZbJZcWuiuk-Z2
zBT<F&mo?T9=I7)}|7i=xNhp~#e0JxfvMJe=%mm+?K~+R;)b3S|j0};fQQ;pVy?;h<
zASMuxA?A@qZMVxK$l6X!AO4m%;fo@wjfYyJwA`PcwCvsSfAF<AKH2kh3T=G0Q>}ty
z#FHldwbx={ab)wfV1;zQrwTZDgq1CxI*o{l>9*G@Jm9yhMBkg}C1ka%PzAM37{>1g
zt?2cvt(YOHASPTVI&Iq)E$bH2y0XT2%MFw153s1wdc(+(kC8!X8bc8-o-K(%f)TSu
zZ|U+?@JJlOM&P?eP!qBt-YoIpX?PZbUl9<s#bX*!?g4BJ@R8Wz=M9$*w`8C(`V&CQ
z`&*!82mVJePqRo$DC7i<NwqxMqXEx*i>>><N#7;Dg6kz~Hjl$XEY-6BCOF>&_1m8#
zAHJ4Xw_GBsXD*9uk>i!}+oFj_x9?EPP~;MTo5SUdL8peit}qZnB+!I26edqPZ8>vw
zXj(f@X$6}xW@wlWK)Krx%JZFQ;)waI&Hkc5!~`K=9_FSIw$UHr%&&I;<uO35{9PF{
z7~*9ti8N2xy!{(NwWu9WGTbYspIt8q89Y?^&BsJYLM0;|_{eN&T{A2LKgD4GVADK9
z_0C2axQ0bXTU>|Y`{kVwha*vT7|sdP^=27o?D%3W9?@MvX9^pmZk<PY3gnoJ-yMzS
zp@jd=QQ?8?OpZgW*Fl^VOvjwirbFHMf(ijyR5_3D)It-xsT9lV&3`v{2@P-&8~yba
zMmKO|OS*rc#{_8S1YijbIUQC7Nc9S|@N8rNJ<Oh(SGowqJoOaR00y!GXN++wc>w=@
zq%mY1ciYe{KV{5)<aprV3x_?K7Fi5QRkeEh9Sw0_0)`@nzK!Vn3EfeznO_xiG0R!-
z;-o!I1@<{2Z{{u;*3T}g;A<Co288Y>_SLt|m^?*h&l|ANkNO&l{FhgYdbkZq5jQAn
zXKnHfmc>v@R6&O!M(%pSA6{rrf<I28)|T{~e3NiceM)zfJ54sY?Xt-2&9An6Cth-E
zOG<34>~*k}aGL|nEp~%fpgy`yz3)rM2A<`f&nhwgNZyT9^DmEn&-1VUKvjC^rN%9<
zjh}X~^Ll-0k}aBXL&CpQ&r3c!#abZO`#lSjqN~$c+whq;#n>?3H`N58n@=qadL!oK
zl$tX>bawoVwJ$pUu|9fT9ulYyXe1VN-nOLvnR4=Kvh&j`B@hZH7^sU2eIHwcjVqgO
z|EERs39zY$1n_)=O5kUJ*P<&zE{N^Bb^ORLWOn%&GUVC$64kS%h|{c9fmOu88>SXH
zN@c=R76=a^A=FjjI8-3Po}+}wRF*9YG)P|k;B>Zty2>MC)Htk_bZ9jkt?+NpXmdf2
zK~lftXAI!cNkKVpYe%Hij5bOw`8Rbi)t9c}*)CFGUMP3f%&eUR#{1v9<23{2;uwXu
z>uGe$f)X+JaR}SD*Q=Q>QZg`O^(q=DeQ#k9VAEVyXrUZxwiba*z%Hoy_%<H@SD>wG
z!fzs6zYN;GYC~V?o9_~YotKa+*o;r#y6KM=yW3jdAQQXoJy-DcsU*Ic_V$WIHEGVH
z1pv^GIA;|f#S9#Vanh8P;e0}ZSp>Q{@|nVJLi*=qNknO}S|tlV2O~O$<#-mp9Ws6l
z_rkCYJnH2bb`w3Bi-Sb6(v!0jW8U|ywi+Oeex&<C=CS#ASxbWK;#1T_LWQkyuzB!j
zKU#tit$`Y7!$xEBu22Ar>MNFzKNqes(GvJq=2>m)JnG8px~FXLB=l!akqs{~XZ~?V
z8>QR#`%F)pmjzTKiKR=7Oru^TR6-0{o_do~HRi=Oqk(qsXH;TtyC=DOB~=K*dd=1{
z*|Tai5*n<=RiZL_;r>WIyW)XX$`4=@6&2OVb-+QBd)eY}CP!4*F;^M$88NtMz=rf>
z{x<C)xYn=!d(r7poxC@v+1GVfc~sk@^TSgvN1Ltd{=axE%PUx{>du#jbstp22X!Rz
zoSj6so#tuzfjrGia~7i|BmuJA16H2(@|Lrua~_`h)m`T3u86prjldQfKlYkv0qhg2
zknZr98)1Y+Vu?tB@6|1?l^bKCwDk_zJzpN;pU5+sV7&MIz2J(afYPmVzIL%*k*o(>
z9IscJ*M3+dk-VploL0t*vYCWWQo6@O?QYRh8|%gvR;HWkZ0~{d3GIt7%0(qAAB<X~
zRwq0(WKJ&<zbI1zG1%bQX;V2SdrzNTRaI1e!ZFAdT~{G@hKw94IeXaXIPMwSy|0>R
z(Wg1U`n&7=5zm{lsQVm`U=hs+u=XGWLeO*zV5(297Q^Aw1La>hZz&7^cwQ5*JsuT7
z`%&(ueDV95(JRw8_0I~y>4l~b#nDB4lzZ}TRK9v~;?#<(oY`87tNfsqJ>OTD!M^Kp
z(!}zczsFWgzArJ>+rtB?UREJd=KL61s_F{L%F2q0ih9w#-`M&g@P%R^$W2K(+p1|r
zq~$_*ysKj0ooH4E<;MFIPRt_8_?cO^ISaF7;Dr`6*`j-?O}#>#gF;fmMr<0Q5P1b$
z(5Ot=%?*po>gaLP>1oYvY{UmzM|K^;xt~2qoL!sZC_NR^ojvo#1l|$CPzfk;=gw9V
zi0~YD24g?KWv3rXj`QU@A2gSEOxm5<M1dq!@LvIFA#~_V9z(&zqa>SBT(mUVh~%m4
z(5cC{W>D-VSpkiugFt0INyF)?Rj7K%2G%?B@V=VZudJ17`{jD;52U7chtF%X^D!kA
zRbFl`I*-TA!R|<sr>Cb`KEwyj-g1Mj@AGLx$9>y*+wDKC1@S-(V*uWt9Nv&{%iN}R
z@Qo3HTmEst3Kx`}Lz8$Vw5u0QVuzdIVobe&L-coKfEmFoZmd|hird@SZRbPmP_<0+
zi+^OD<-E;8rBIH-hib!Yv66|2$so5dN#^F}=1^uNTPlhoPbwblXyHQ_n$N`t%)q<L
z9|r%dlcpX+DE<F;`(~B5Dw~iPV`5R#G!At0v(VkQ)Pj|qjO2~uCU=y0Z`NH`$>r_Q
ziR!YXXkN_r9|TWpa0cJ!E7VCzN!x{?iAvQf#FO5mNO)1n1kz(;{bt|8K1xD&cOPIg
zr!e`YS6e12cZC=qS(l_>S?KvDeOs!5OoB#ooB4};wOVzC_1803J>OU7R&pN_eEk2J
zM(jzz>irR!=pP=5@?`W`Z15PW+!grGIve(H(k{75>#-Q;?TSa%DwGc!K>U>R=3j3u
z<4UOmZBAyrc5@|l^W?#+U4IBrlAwc6%uzu8dqP4&joHLnvvX-d0gTi;de<KgXnrpD
zSF-kUSdJN@8)BnOzm`b!-2tsf2?7Ak)8%0_(wU#wQ+Vw|BIv_$%K-ra55XQE{CavG
zhXr~sTX@Nuk?>m!BO!-I|MQ~%MtK6P^c$Pu9S%%)u1;4tY<4e=tDR@%+5FJnZziN4
zgC-EG(M-O^&*US%AN`Qe_viAGl7kZy9roM56pKYy<wqICy(xa&ds@`oOPPI9wBg3T
zcE%MKBjH2;q(`#eEB?b&rM1L-FF7mq1@`Cd;z8T34il^sp2hr5X-cW3U#_(MUuk^W
zh2=^83)F=9cgBCdloeJn^(tIP>!c)7ofT_Qg)qSuc~!HDs$3NoTBUz(vdZ^UO7}Zi
zFL4D#<oxl2?;F<!>|&AXkfP?wSGg8LdOsdq>w(NFo!9kjzT=HUoUi>Vu|mI}jWWcD
znW``vg8aYu?an;XBOCU<g-q*1r$X0oc71%nw_JF@eur30rw`xjA58i+v}@!nsQAJ<
z<2sSaKM+keF+MIH=BuMa68L+{e1{vggem4&(9TF+ec`u5#*9H@cv+;o&iFqkZ40I0
z$TN8_D{ONoDX$SsLZk{OLT*^{`*qT>i65qFt+54|C?FH%s<3TXX-qoZ)#Xu*CHsHw
zkx8ubKmXbx>#0TWD%qAYkcz0)<~j@o3AEQi3^0tHO%g^ldD5?soSR0J4wXDyZ`My~
zxd}@Dd2qCfhnQEPv$yjL>qye`i`<G5`r@$M>Hm0@)Dh7E5W!%Pwm<YScS9Nw*(XDY
z%aB2V{tMDT=i_fuJCDsvizfjfxu}YovDg&iKS<aQtRrtapVG*fwQ7YwrwRHB+<bHL
z6&3AG<*>}n%lq+<?L*>^jSVZ2pJKeZxfvN2O7Vqa&;R%H$IOAM<J%k_db1-D9AuWF
z72mych>9C%Sy|P}!I5`&o{J?}&L))cuJeP#0-#$TJTleZU&pC?l@VR1EIfDgKb!bh
zog*jtc<jL(<)t#Ep!m-}Yc*_Gkj!#l>sVKXmIsy({fYZ~?5bwjY%)*uJ1*|+SFzng
z)J%ve$(IkbjIRWQV{7h}T}C3z<uH9kClV{hi#!e<9@TMZD0x&{MDk}?@c*2jG-j&7
zsixqW<0!Gh#5qD9^Uk)}tvgojPGf@fZ}2x0R_w?w1qDU&Qn-_gazjLDsFb{X@Mw^S
zhzeQ4t*8N+SBAfnFCa0l`B-k*mIte!;Wgu~WoZ}#u~DAC!oNBw_(wTG@v?{^Q7@wf
zALQF=4B$#ClHxD1SObf^2Uo%E6-=d`&bHxj5~fIp{GaeN!@{(r!?eOiIM9#*yVZBS
z)ix}GIpL_uF3xBtBqc6bT&Bae>7H~R+6bZuR-j&4%p_uZ*dNR+-1VU_TDiKg5W)jI
z^m6_e;b{UNQ`CPEuKB8l>6LsiWcsOhfv25raRpLiP<%1Ygfb_mn^>>71nt{fRi%l8
z!&ls!Huvk#|4?Tv>P&0ghl|@Vhi6p`EUP1sZ;HeQx%P@PgkV96F9-Fub#6g=49yR1
ziMGZ_4rE{3)IS*?<uSikgn%l}%lW+28Z*C=@xP9d!a7YEYQDeG#b124$Jy}_gsNw&
zl6;toVg&-=a1w{MZVcO7HQ}G&2u_N-Z&i>Fmfx8Qfk+PEG7h4$Uaw<usDE;PJ~%ha
zac{IM5YCN4oyzNqFZ#d4RfzC^(~tiKQ__POP?V)#g9$0i><u?QEDYI9rt@~tAg)5D
ze4SA8V1!a}JYSJ#)KXLgcWa&PlrseR<xOc@<x_cLaOfbHiEtAVEIA)7%wR!yw6_B6
z%|ulsVUjXYt#H_&A-#wwR3!+5`>%8|E%J+Lw%oQ6q=1OUhN5TUs{k$wFg?50sgoNv
z=f^-*QFwZucUkaA_c@BX(*ar>h~m1E+pS`8k4xki{rU5Y!>jMpOja&DrYhh6&0w-v
zgTM;Se;$I|F_GSyP|@x*{REw=`-Hl~_&D*w#hb*WgLwOqbc;*mKUN+F2Ae1t*mXPH
za?+P(@`1Nl0h?I#X^7+c><4gm6~Q0lE`5aU3}n#8vW}hfRqG^rfh(jXnFoz1IGT;h
zW^=(Pcjge6NgICk{c41H8*4eF@+V9r@Zb1{?#dXVfFc)y1%?D;-u|2hFuXrJxG7&I
zDSFRZaFjfe&kM$E3GzVC(oqfm-w6cZLo@<lXFt0Y?cas}jf4u>Uvv81>K1LLK^k%N
z|F36|J7xTlfvdOJR$T>!$*C!bL$uX%(jer{+5i7P>|BGW7^8R{V!lh-tyz;9U<&BH
z%E~uLaf6mO%GIhu;g@)M1kP8FGi~TS$0Kg)8b>UD1><jfuI}OptljUR2{NJpSH6|$
zjJ=rO-d4fLokaoU|CiK^0k6!JvFSeRADh#^IOw|e`<d4KPXEGMxlg0Z<C|h_kM&I}
z|Lln$v_Exz{%1e$RlX5>!4%HVNAy#=hv-sP^)4Sx@R2AMf?SvS|2=h1^mZUU*)Y*o
zO31ROO2|T(CUg}k$H4F9Zm@OdyqRHirxv!2P9j$~sjO?Jvqqz9NThDfYZDQeQh6-;
z=E_aPM{+ql2TbGjP`n=Uu|$9c|KB>{C9CcDNsj7q+IL}Zb$*PesA!Dm@g<iXf_e-w
z&8QMT;u8Y_dp3_*rT-_SiWfF@=+Hk_InaYtF@!U+6nJ^H&c`m_+q{>$FBfW*)(?Zf
zi3MpjJZ(PPtXi~lKxVIi4ay|UJYr1u&u2UK1?LdJ+l>vI-tY_r!&F!6n?hZQJ<5;i
zB1Y)1=KW<}=UHj?e<advR^sQde$h{G(OHc)kF7gxSM}&|89+1gn)ioOjp&@I29?zP
z==ip}uEV3fq_jMJmBT6AgD37|%LLF3iK{WM7MQi5CCb5#@mqPFPh@Z3duUBhg+~gy
zot=VB^&{?y2>6YgDIo=<B56xv|325F1Lug4!T|Ev-}eJK@%Ku?r#STgJ0QUfgAsjC
z(|a99(17vmOGZ-FPJBXIjoH98L4K>RctJS%(^Mdik8_~LBcx)gldwaqq2naUVI@|m
zg9O{ooH%HB9Kk#3*{*x!@K&&4r=}(Y{lY5k{!!-7CI6Y9&S&I1c(Y{`y@Sc{wzG_O
z5RlH~t`V@O`06xNf#D%BW4T+3Z_p+aY1<@39ixBXKFAnQcNULV9-{j|{TAco&|^9*
z476gw!$Wl9`^tV+hN3^Vg#O<V2$(~KLF(s}0h8(uBwP2s^PWx-d=C_b^H9rgT+Dqd
z6kNpE_*JY9v5>uPFC9(xKw?G>w0AS)Z*x~DJ7bevJNBtA?CxtF<jy218qt;LJeH}=
zUoN6{WFfp|#3@K%4nahKVX&Q=)7+gPprJY_nLr+`WkX+-!-26k3UxtYk6t*dGYlQh
z%Wn;f0)Sq__^{}`RuK1(?Cn6y=Mm+NW%z1R;tMxeSUy77m#&3rfmfDnY*Ke^QfNZ1
zmZxv^L$*KuVWzaM=r30>C!c<sK!qOI{&a;}q^x?*lhJd0uGc;C<9)1asIH-f1iHEH
zH%cm0Vz+nE>v--;vsdP>U8jx8CNZH-Qf1qV{-23TTH={qVqHI0nD%8z@<zkIf`vta
zsqlcIm9O;RVHIKPKp-*vG7$s=@xj-rP()~{k#8=#=e3v(0fPU&9r<N=a#ybm$sv=H
zUMdr(%hg~0)^!cIv@I9W6$jYoL)wMHlL@1*067}$w6_{bQ+i7AEaIT@joA<HFn@Rl
zKx;#O9*<hoJHTraS(lT%=A_S-2*SY_^hPJl{@vtglRj2RI4{_CX%Vo~t}jBJ|4-|3
zK4i}D(&X?v`S!bQn`IgNbBL%O%A<bL+*fVyl*GN@1?0-<d*q)B7Inzu9b=~odns^m
zGtU(^0ec{?j3pV_ToE1B&d802#&yTYBtbpurGIFI4Z4Dbov!Kt=q+Ni1vJ5XnI>or
z0|*=KWb|95-$4S%le_ybS`s}5)(Z<WBZF<JGI|<3H+Necz+KF2rt~6j&L=){{EKmr
z76bqz5`ahGn~sFF+{AgH&&Z4eAmJ(bUO<9CAb9Z7X|$Q|+sDXSm!l;InxT-MXsZ+F
z07s8^P<8Tjcj;J}25D+tfo_m3M^f-2xyF?$Z7Sci(bUS^??$!{x`pkkb8q>3%a}eB
z&L|U69}U+<{ep9{z?g<+lCg-$!)dGSIqON{khiJA&xP?;5xJ7|792!MHk0X9Ukfm;
z+L$fh!Vn=YGTNbKvRu0=gDpjUdlHMf1vz;jxYvGt@2Rg`QkK)r2VOJq6!+WSkvT5;
z9U(w^w7|GaPs}$m{z;D$l5ZYpj-Gb(^Un`_A84&CbdwpO+Dr>;S29kkH!6?2RLIWW
zhX4_Y0RuT}clMd^5q3R{r{2qpm4e_5N*KwFfIxIWZ({$g+UU;go7ww#hG~%AE@bwl
z@nvvUmGob|4+fBW&imaJ=F8!Z#;QuC;F9i#7cyP>^|NS^?Wmodmy&CXh$O67*^~O`
z0^TT**QL3e+}UnjUndUlXBWuhmVU0oWiUF>*8Z2(spQ|FqwDkBV4azh&aYHBDAaj{
z$@8QBqoD%AyD+$%PuT+m(l&X&E0?vqHqigUb~|qBlW`(|punw(_?2328I0%}mLugB
zKUIxR({{AvIVC8>kuIR~Fk$|RL2}Y}lS(HgcJrrM%<XH0n%Hw|zy0W#=@#jx7W6T=
zW~UZV5!Y$+_8Wb?3@IJJ9o~erKW$rRWlkviygCLA9(VgB7zml&X2$+kcD4KIto=uQ
zr=rblx$Gelb6V4gg)2{0-xx^S=G+*>^NQn!K-9}go6XH?C#$t`kvqH9kGz!b>hCi*
z+a<-GjR~_|)xf1<p@`^nMy6%cK*CsqH)@4j{dF?WWyV^<zIV|xeqx&LlQw4>b9L89
zbO!(Uq9Tg*ByVLp+&l6ET;<-<B-Bu&iP|D|w6q6j$6<pOu^$Wt5C}9v54J9f2uDY|
zAeIqSe4C2WKtx}IHI?zE^w!q+=|ad1kwt=s9g%c=*!cT+9sZMi)EEq4I?X2Tle{cY
zjGe0E+h6lCG}Vh!X>Gb2I2-Li^<vn0rxCRL!hg?|7_eQ(l2vv8u<#%D69J6N%F(_S
z2n9#K%EO&_|K}W$=^BRKa9HR%w00g*<MPhG5t`w`KnNcEFP>q0UC^6@Bt!3LGvXah
z2srWSrtTUj-syJvocee>zNmMJqrTm=Jekc~8<#Q>V0tikqL_L+)(xLkkayYV`wBhW
z;X#EL$@D@W5hIvgS9Kh%QNYz)m8r4QrnqduoV?`=VySeHNpJ1Q!217?^^Vb*1xp*~
zeq&E;+qRv_#G2T)W@0-N+jcUs&6#Lo+qRwDoO8ar?vMNadsnaByH{6rRqcMNp7MJy
z6*qxZ)QyI~=5mS@@bBD_rVre?((yobE7_Ben<CDDJe=*ZVC6Xr_%>v@q_7?$eDt__
zY-Kk)6BTE_DG9u&vSNz&PCC=!M?`TmAeSa<H{dq+Ubq^yt|orq{==YaHdG&zkhJId
zLWlIAp>a@a!pO4+E(Wz@BTVelYmryOehlJ6Q)ni<jPq7;RtxxBFW-C~ax<#J<u?Mo
z9V|LB@pM(7%qDnCBlDp_j{Rne=wViYRd2sX>94~Vno#j#ZMKF81}vK76??eQjiwt4
zN_$RN#Lnq)Q6^Y(5au+sNG8Kow3NONHBIUIO_a>EI!yY%EY1&)l=Iryad2(dIfUo0
zh6ZpTYwL~4-Bdo<ZU5>~wI|OqDc+vnoUcy~E?Ux_bkdkcEn2n>J%TsmjY$0RV!-nr
zo^;%rFzkJA%@uUt+;4YymP-5^;l;@~xRmpdKx3@H*T%S({THTwx#WcZg-f%0bTTp^
z3g|@7WQD@T+Mhjf(XCOW=J~oY0-~qI^fe}7(JOuz+hS&LUyHBQLlW?rjdxOlhXMl5
zoE79CfNY^5_}H;(A{<=wp@&&q@;9lDGe@|^j(Z)JRp2i_e#ed{T=P%EUpE1aDjy?U
zv#XB@MX`~AH&Ry=dHzqoj?D)>Lv?C5$=drTHDCb$FL0s&P;&A0OnG3xyPOJm86FNE
z*k}7@1^tIgsBh%?nCR!f_dI)D0j{tKHYlN*ON3G{DKN`<)<l-m@V$Q`-bqKHF{GZ0
z6}5oJjz@9vg#=wh_W)g4PX;W|J_j?N)6nlPjCn&bGR)U=lYEbjXe29B?Dv)m9k_b^
z-HJBTJgM$8LT%SH6;+1pG07{V@X;8AW1u%C#y8%Dl{|vU$SaLr4bfH0O=F4(gr0s`
z<?SomjXK>{7e))5sw|h4=19>iM=ifR@>3)0KOrcy@*1DcnLPQm-UCMI|A_ix1wQC)
zlnrLGzJ@K&DXj9{R=_wJEU5K#J>P7&bZzLn<Dyi#5eeFBF4@%hF!yP3Q!GilwFl2s
zpgR-(2&x-LY(=k+<#E`#(BF~9s}ser-PX~CnO3l=mbyBRBbU@}gI`DVsbIVP=){P7
ziwxP<;`!MMN>9I?)eKsnG$s}}ppRFPs6Fn6?Sa|Q=3k-!4CpeQn>X%0+I4g==~>1S
z>S(jY$-(0l>0fE0p@~N^bOrzN66dnyi9roS(gnoj7o!!Mb+i`uRYC(EHf2(xO(K8T
z&yb?#;MMKk{Pz?14uRj>prGtsZ|KeY^YVtPu;zzO&VlOt4t=x%y{m~UE6u!($sUfx
z>_Y0Vnz4%$?feFVB-PC*1%UqT%QxjlRa&(QZD&_|QAJKi;l0QiD{*37Nhliwp>KvR
zz)%95D&#YQk6x3A=E7(Y=>skfLle6WR41keh|m%!MS>)24-@=&L!Cm*-*IShDBQuV
zA6)6g;AAw84N_6i_t;2;>}qMhf-rDu)L~#zZT^myO$g(pPGft5V?};QhB~RTd+uS#
ztiz!Lw!d?d)USg_)n8LAYGk7}g_%<8sP0Fxh)NLlPIB^!3~qQMw>KP|vnSKk{|YHH
zCu`p8&1EOWFis0Tyvv|SY)EM;)>;U^p*IGV1^%<@Z!lhSWKXM9^Hvu}I5aeP9O8cr
zy<0W1+sFT66sX+;uS_*+qX#s?Q+xVC5++}#o7{C_wI15ChJQv+AN*bY9yE6$%Jh*T
z$vLRx&tLb(MkFH77igp+Vt!`<Ixqm|b;f5h3j>^Wi|ue2Qe8#YFvlxUpre(E8<Q9o
z4W(N{<c|JzH_N6>k~+lAAN8m;&XQ;6!U(j0(F%!%>`udpGn_QW1hUp3?Di)yd=;KF
z5y|UtwzNzp5cxWn^usO#M~9YP;{2X0Z~-x&%SQzZ2pMYDh2OFl{<?Bb)CPrOdc%C#
zN3r%fN5K_#B-ewiHb{5}JV*3z#5qKdDicM+xzd-0m}Y0EL`3)<=h&oNb7D>*<2k$4
z?N*3qo%$d#<K4MAn<_=)Y#REa3#3~oa8;p%(dN(XEhw%p4b~ZJA@~OiypYC8+FId2
zabW<w59z4SjqR`OVq7v6w`g>yr*KW71Xy6gFaYQ?%7^I6pb^&pARoqllG=d`#{c)U
z?FKEpZTNC>rK?r_&pXYp;r$)st|gZ&iTa!Ba_bn{1J)<qBbZ<ECa;J(rLLD`(U^6P
zrR#qLMFj>NcCic#*7yx`M)DP7SEkIf2zV=Tq5xkXf8WQ+rK!ThVohxNG|bt^I6v@&
zU%;E1h;qj3TgZ-L|3VVqpOy|;Tq7B>ZoXYhq4_iG5@8-7M{7IAn|E_aNQ8VbHUD@J
z>6NaEJ!*SGI)f|Jv`m>Y5~Nzd&*JS-F>D?jS6LbnSz7bYiPKV=lIhS69eDO497+aB
zUs{0yrpir)Hd4fcJ`S`KtBsic5^I_3EN$?w;QO`%vn$hQnUUe_^Y3M*nv8<j$J=;q
zd!}kld^XCYm6!O>+8MK%>E^HhzT7V{Kz8K{?d`*>zUf%k6BILPjOqYi6<c_qEX_P@
z97HTSIlrZLZQtthkt=-$F^bOBPq4r-5f-6%&`pt5qaPO<v443{lWX)qJc~Fvs^;%w
zJ*PUtTW+rzYt>JI_<xlAN720?OF3sgeCs^k@y}n9Gjl9Ca>(1O2RDU@n-u6OgxZF{
zenruL4f*6$b=raLeu?PhMNLr1#?dl@o6J}TA;+>|w{e<@YImFjO<TdW<o(L7Ey8^-
z#{%3e8~+_q_HnSA?4*b^-&|Hm+K!F7XFCQRcDd`b!d4$o?Z66_Dr3B~R(mk|TrrBS
zHgk{ISCi6LO_9=n?L3H$W#2(DAt<d35&3!}91Bet5jSZ)BrJ*OWw74Sjx;(sU1ffg
z+B7TFX?Tw4tr_~pUNNvrf|CTby=<V$>73Fjb#nkb)@LQKjQ(+~MV2>A`fP5&9^~DY
zn_I|2ejr@ak?v%9rf8|tL2lbrV0s^rHUTyr;rW7D_@F2jw2q?HyYi1$sc<RRnYb&~
z0|eN2f#yz;Wea=v<r34E{n|WkF$gU-Q|nxQP!dD<eMZ_~U>Ev82OB<m&bf`CS}9>v
z;Mlc%ZGJKx^ugWls~IDSyy~Fk@r3R1ggQ~kbuyUZn$fdH@t>b0%qu9G@g~=GXq$K7
zH#p0#`}5Mz!-dnBx#UU^xa1iz6OoMQa3RA)EyV5n5>Q*)k!u?ylV16)?g?WpYRZgj
ztQzlhJevE6>_Viwm0+?I-9i3`PTn6)D_7-A*z}^$`uF266;U?BJH8X6K{;I9%rB$x
zAxj-6{ruCou@4AH*iZ^c$&px`mI>K0ao}}`_mTKP;Kqvw4%pau{C+rTnfoN5@2)51
z?Q<d?&Gu!UxUpoZAl00LnFHnWD(&VBqT`ivx+@b7tjl0c6P_rAP*Vs<AOLKWVv3ys
z9S-sHM~Va9xprG@|H+z148#9q_q+jR{c<7WPYeSGKtT4qzP>IlVn>N3`IVQu{R<*v
zI63Mb>+1vi99;4e#*;SoHlBGRBqf9SoHUpO?K(<6Nj(7%@NUpP#{FjJgj)Z0on@!H
z;sr*GjWA728*eyNCu{F*2J>IwQ3M1CS-}fg+=0iX+F%{8mfJ)o?Tc0|7EmqVHTE;K
zEF433Y(B)p@0i@c0?Wu?e{_louD;rP|NVa-N4~Ai8A?hJLN8$VcaktJa+cvaxTKiZ
z2YzpLT+R&rQ5)Gu2jJr4a)JLq7EO%Q047mv44h^|pM^|`9URbm5;f1_sT&w?1+AQf
zl;hBon&PY)*8~2Y2yOU=1op?T^)H&S*BT3vIOz!)Ss_<Fp+-`8mNv1J;fBfP;tCAh
zQW+~L9Dm6rSKOM|--RpLzeP?jZ6({el?I#64O0f2baVu|xA9-acI2NFvmHChxW0lt
zvNx4)lE%cwM0({zzyGp7DuFulp?jQ^_|r!D*$-THu)QNajxbI;lV()PE|qSr2;5l6
zF)2{#vhSF)83?P6Zr<?WdkD@OcQi5f1N#qPxRjp@5Wj(`o^dT3M@cTxuBIA*0l&<u
zVKBUOt^3fSGDpdNHi$&w;gPckX+Y22gw|p*RTRSSNfi7_#?>4?zxtEA%Jo@|;}l(E
z#kYKl)%ow-N`@YboIXLanV*J^VHWz;o4IV0C|_?DX*dkTgodEz=(G1p4rG)u3&uN8
zfd`hG!xR!UDm@tFv(b-vnB2xYEcLJ3Sn|Zml(&TT_^PaqwjDn0{&JK+(8bQ(i{-6I
zW<;#GR>jKf*CClNX+0#saFW1;@H4tZLgR7VfTT+gCIETE<9|{^MhC1m#p<I=Vp9W?
z`+NulK^E=?C;G1CTFPe@ez?oRc-s+Mu)N_)piKvB+*2ZhGqE2ZJvMj*mt$qb$B0xg
zz?nQaL0CcE8e`~eVb;`lZFt4XF<*admX`$9jJ21ZS%fUfKL5BRFyUMrR&-y66Khgp
z;8E3A2#ZfR*k4Kp4E_g0jpUrZgti~TijC*DpFn~wzP8)4ObK%Vdxcg-;4W7q5UUPd
zd8CeOT#H=^A49;`WW7+OlTgAvq4V=?{(5-nYJJVoUn_W!;dbJ8K9igK*p?8}6Aj|}
zY&UT?5HpdyzdSTdS8DzI@syHtYxRfI<2g9DW|sfvuG3Q=x;tTk0R6v!YaIuq@GABB
zn%1;<0$QEbIf(fF{f^u4;>&szM|(k)R%({L8QA7$kNCnI^I$=0kfpL5n9~Rnq`<}@
zB_Y?9hXv922;v~Uzf*9b8T3;xF=+-o>#m^FH1X-)F1>)k7o!x+2v-sR)HGx|?JiSl
z%lv2SJmuzl!XD97Fi=Zs{}9PpQG{pNRDo}f7@cfe*(WE6H2XLmk)@J#RNk$S_w(&1
zB<{rU9R|qw_;;1n?dM9s!C`7|A{OrLt`iphc*y+1g#~e`Gg{!#+|@?xYj2R+5%%#_
z250n`2@Y=L8~io#iatJq0~1&Er1CSH$M$fqM7x0Cstvufb_Is*S~T^4kpvSNIDmAz
zI0d{*d|9q1aJ3Hc_cv#?a>tD`l(+K+upZi5k}#9GjaP6PK=_Q%)`Y3RtC{z42F}lk
zPRyE7E3tn*pcHSLT@eR3d$}i;Tt;3@PUWb91<2fmHE96KH!~Hq8es&`WY+ogunXC4
z4F^Pz6#xPzE!tf##=YTO%ne>8E0wg&Kb&2;%T!RO@6w4>Mkl`bJaq!G2xi^)L?at%
z9>7H>O2`bKysEl7(Un`)+#h%MCyKqQcH<5cX74{Y@;-zV-5uw<{WbIqB8P$(<z?;{
z4=PGNr=$HCbD>$?d`J9WJ6)6Ttvb0F86Y8qr;ZFrMc8DAjL%GYcxIipw2iBt>|ZaE
zPmK<~v+EwGVBc)4JE^^fJWoO(5%TbvkQ3`LzLk*xAqDa59@CnxEp4wKT1?&Au}P!c
zi?h-k0N0Gz0vK)S;=fEH>k7s)?(KG`DR<@^hMW23o9S|q|G0wyVr?Zr<4>o}eD%);
zcKc7(dVqAk*9-_T6W~)|0&*p(zQCsD-3-zPkM4Zem2W=gd{*U2lLUrFyCH|t;g_BA
zT`}Wn_QhQTA06!6kyp&&pS`($oYJEJ%i@W8lCB5SaO)K-`*M*@#oIt39%lCaG>dU%
zJ_V?9v=dUxPh2UH{3t1=K_l4F-u@!zZ7F9DY~qu$q_z3vBT>u8o452Yg;^Yj(sm#I
z#2<(Z0A}OOJ}maap(8D$Un`K&sUb+<4Rf(xrdR%L!V%Tg|L5Z_dLqxaG_#>9cl0=$
zn`;J0q0rE)J_8lT*qh=4Vt6BgU6U1DIgo=D480=<R8hyxLxR^Od#0|I<`Wbie#@;!
zB!77!90}FMVH(@ux2W*Cdz~V%o{4eZ1wMzSUGtFI77l)Iv<3*%h4zJ@CqBrUU&@2)
zs;tpnVGvp{s=avooAV6~>Fpu^HQORhzX8AFWap>Z$xpV;22M~lI^c*5{271T&E)jJ
z(sH$+>Z~fl0u;4p(27FIj=jkYXw6F3uov7DCj&5Tun;^0i;JE}0!q8J7pCEX!?lv$
zKcQ$I7UcW1CO<i)n_*kNXX{Ktt+=HQWs?MQo?$yf5?Vw!KpHTCyjGRy5XZ?A*px7(
z;KnI1r4A`Uhx8sJMfH*RvT#m)^O6$cSU)eRIFo>|KStGF5TMJ)D`Sfncc@vS=>1j_
z>H%Nx<EaN0ig3)VI(khozX*Y+%%t(Ed(A9Tr1^d9EYZpsQpI$8--ouZXI?3Jpt{lX
zFHdE0NOlT0q+Cw)Oc9MQ&Q0#_rGFHV=zHjSG>Ia^V0B|M4W2UJD2?<BC;(ZR7M$sK
z-H9YIAr`2?3&(tJm(gKVJ487he+YTVw$SJ0iJS-DB>~)UM`oIuw@Fj^1q+5O?DnC7
z9#f@-0Gs;WrUHUCkzM7Yt?mQSSfUW}4S#a&)XpJ3;Hl#p<ueHSRBszOkio}@%zXOA
z0=pvQJRxxSt4wXT5b7ttn@7hknZ?EjV-(=$j721VqWmtp6Ixta^T!`dps@JGjud8`
z=Dj?LLHKX%1vCm6(=<!`{Q`p9Bc)0#X@QA!h#x0a8=UQlmBJ$7dVjSm1tlK|QBBW7
zW^v~a^gYQy(_MUdQzedSl2el!!LLi~U<OG)$!BkoLdhQ7{j_Sb=r%kqCTtox>O&<7
z@9q$zLY}q~flUd*wgYgLAex}VyOErlg9rG2#q=D!q_Qj`hh1#2-0F+dkuu*if|@b-
z#ugNiS>BziYO%|Eon>=13r9qe@;@(~W^)6BP|8a=cBiuag?rupak{{|GG0G@{5HxO
zi+R@m;%RRDRFo*q-6@$e_q1<$fw`ngo~w1$%B{A<pv$2DY#MP`wdH580AX%#N0EcQ
z1J996PCjFg5nhGt<Fc_~uH__&<FcyNczDMK3A?0ii7#UodBNgs1C;_m_#Ylym-8ja
zW)yQLQEhS=EE&`~tGB!{`O*ZowpXx}X!=Qu<5QjMpGL62hPJP|j*gCs%FfNxXWP`i
ztxGgKYf=D)q}r>2@JtBn_>0tyj^p#PkHwEx0V>u}BCp>9W-D=e6|DO(3nSSrp63&6
zIaALa^!KmX&EK5+$L|7xL+>A)cZxY^5^;EEC&iH=VYYfI0K&f&GfkuB>Zx={`k2=o
zQB7aZXupr%o|dYJ)mw|^UJZ8sdo@>2ZS4ugjWf2py~*#lb4Ijo65aw0Z(f+#MN_hn
zPT?_spe8#02x=S#yW11JVf?dxZs4z7s`S!(3d;d(eEtKMzd{&fO-VxB!{{K%mzqIG
zms2btE`CL(8fN(W><cFR9eVaQ9IMBvDXc=};=n{qptGc^ikyk#oi=~@o3rKZGRTbS
z@pJ&k{Awa<i|O4|IqtNGC;YQq6P)#D<R5w$4{h(9J=Uton<mTFn<61?N}%tb9V}o3
zZkBiYZ(?F%)c>kF#<y~0`nJ+F(!}LEXJb>_x7@XEIhbreImq>lwKe}8_urmW)J2qU
zUf&Kb<^yOCpT#1HZtEPEK76L6imOF01*Fo`qhC2G*hC#@5L^<81eMhxc6!h?DgMtZ
z7r^;NbnQw?5ZOfdsM7U}?x`)bV&>SO30f)cRnh^B#k^(XT|OY>C`tXN7W<8^Rjd$R
zrf}iyHg2bUr;NSW`kSnkf(}xNCqs+qZuD@;o$^KJ=iI%7tPc^UlF_Ndnhj(q&+({9
zi(+6AFLL0|QT000P#v#>{LhI}$0<%G*C-B@tdoP&dJVA6o54))sAQl9tPM;=S0xfJ
zFHC^p=R6-DZF-5gnlfp#{A<G6hue!yrub_TGCwH|{we9AOQ9Hgh+&H8{XJV=3-63G
z>%|M&#%q3x`X2TmL{IdHmi1swh4-q~6djQg@Sl?~^f$oE9r2gYwqUY2E2_uImhYx-
zgiH5#5V9^oc{!yln19d4$J@ria;~p(!Jcqd!6@=h`jjwQc6K&WD39(!Qp?c4a=YAL
z|D>l%zhD(J=d_5Ia_r^*A&DN(HIJwhh2CVGe!y^FO5AtP_r@GWYHWlYv&Tutr81+2
ztSfOKg|}pr&-hN!#ohuza)ej5hi7q%m{!U54;j%sJmiyy@JBQUu97%Ri<aX5EmssD
zR`hC6U7b8GGHBi7k%(JI^-&AbuSOD|_XqU@&17?sIV#!~bh-F7J&{tr-^2~cCLvkh
z$>+<$YAI&$WQ@LFgMkpj1kwd=hJ@><e*AEnbc+GI`HlO3;c0EGQSH~I4UxAJsbKPW
z!^sRJSKqF~>Tkb(l>%-bZx5gCn;##!88EntfztAF56OcVzYbajO5PJ|EBUp|I{N=p
zB<ntJ4Md9E>5U9=Rs@fkt#cvz=Zx*`?d$977@_yn`{_x+G!87_6<5T%cR(fA{%WW~
zlw4wlT`lg31M>e&J9kj=hd-)fn-fX63HEJq|5~^5?Sm@tnU9Mv;L%WD&xQ^s9pBId
z=C{M0eQ=ekG&n{M$h#tR`xY;}=VRjhCl9lUba(zIHE7s(o+=I@@O4nB<>f=Ap}nxs
z<YK+^KYT*#Gc#h{kNQyassJ(0P%#S7u<hH2wiFc20RLb2!ZI*rNDXSO>z*tAoAC9o
zusv7jk;B91{WdKF!&<lR$JNf@QMDgzK+QfFF>1I2e&}E%uN^BW_WmxO2%f*yCx7&(
z?S9OuF0?w{aNWB~hVwYjLC@cei;$E8GS=lr8v?RPToS{4iZebs2+pfj>mC@0Z@CaK
z5U3IA-~}fr{asU|bGpi8Ul<0U+~~6}EO^A)#eS-dU8}kNlv!e#H}B8Mx|+}%qx-m+
zB%a{0!HhtBr|X$NzZC!eU|~_;N|mkV!&|7)zGPx~frb$hEU(?!YO2`Lv>sL<QZlph
zX2^L<C>+1rcX)<4CcrjADE6xnd+aTIHHHga-atq+c{l49C!0f6le_pbr1!bl+}RHe
zp8cA{zWwWeuVGlNYc_^(OP>F}tZd1pxVRx<cm26N+#rGf_cnUq;J<y><IUlh*Sl)r
zDun;3EYF7pG4G#S{{H%OQ(s?SNB_|Q5@yH6kU-(Y^h4JZ5^Bt`wzf8S4nzYsrIwH?
zip2^Zv<?yp#4<BGZY~d7N+E$4V7pL6Dwjz(v?kO=2x>^KPdIAFdSt>s{GKU~>*SL3
z9rtIZVK=J{y&gFm2dBF^l|la4duNz)UEU2d<(*5dSV@Il_Nph^N8#|k#*KF<%^<Aq
z&(NCs5r3E89q`Yq=H<qW%{vSF3I^02uN?CtmRRU@o-hqW3u?{ht92*CPp4AV*Ig*G
z{k<RW)v|N&zPfive4y2}wXAPNmk^f|*nm!}6Xf=<69%ZsMImg0@dO=pknsKL)RgD=
zTP#4l*?v<a1rOXqIt77d7fZO{w}U7aP7xLU1gGRcJInD3>tcK8bQVIF>uyk0?Bha0
zReixq(_G0`Oh)9jP#mv^z2M*kgUUQru(115MfdVWX)vYDs^nITHln?9!aJ9D--!=F
zX*o6MI&(%tZrgWboNJJ_Tkhq|m)v31`EG+3E?k(X<27eE=x@vy&Yl4Si-wlQV?=|G
z*bi`MKt7wFho3)^%Fp-jC(+SbpOM3En?DpY*8pJg22Kd*q#>vg;06c3Ze-u}_p4w7
zCfkEuexh1FjBO!md-mOe+SFc^j152T(gB0*lkk$5DA)0KNHAEpuAJ|l&33ruAZ3As
zi|niB9K0E@5M4w-z6lZoN~e@D@he)^cY@%l?d*iF!?~67tJ@YVDEYZuJe}`8Y?X?(
zPK-l~V#fhz><oc$1cof#aUCYpcshS{gKZA+0@qJR2ec!LtG;52A{F$WIy7v;?H(De
zM`zwQVq05KRYtqWcxwm0M(OP05&SFK3s?cG!||dGjq9T>(X&5Izh@qamx<J(J_3DS
zUp2|*jc-|SWn?)wWQt&VH5pYb-;4MoO-gYXvrIaP?YOa~$mp=6qhF~hCPHajRq86~
zITveS|Ax9-LsLp%&Mw{48uquNL$a}MKH`3r#dkJ<%-2tGMKKl%>|&wcW8o>BGjNcD
zw0#z(P^X43Qd!HWe2yqH8hvLZ`vw`WA#2-z(+~>TT(k*=IT+S*hL6?BcnG@VM4y-*
zzE49)9v?SD_c>WL_rSYaNcZ6S!ALO}LCdiiYMz)6zl3mD%6VPQQ4Rp)A0gN<+V1<U
z>)LubuOgZ*a%IPlYpl#lG`Oe6#0RfEJO!-<^_`e0H$2Y}U!9|k^41s2U3lax;8qD9
zAeh}4E8t#z!8qnENVN|KQY5@_?>tU=WF<1@a|Db_UE$$KcQ|u?H!EBWpqYi7NhILt
zzMBTq9ycJ)d~m-HLlz$UJWK=!#jXl@UkiQ2EofYeKw@(}#N^~weztSojpAB+f0VKB
z<@(HmQIL^=#|L7`rA1zE0pY+9a3WyWJWzP%f_slBE%K0N$M+LYcHd%yfkkqcDxUFQ
zm!|G`vq2crTPPd7TxDm)YS|48^{iyW27>nP!kr7x!m}w3(Q>SHYI}B7F^;G%EAt^%
za*?wK6}$;_<C4|_n!pVRP)w!Ck@Ndq`o6WBY3j*2KWGeX7?b07a}<Tii*f8Nd9Q=o
zyM*bX1UhXCCk5r)YSI`<J@T&<g>2^<VsorlO)ywh{i>!liOi5DBO(2IIZg>2KHIj*
z4zY|ZbRR#wFfGa}=c}{$f<p)v6<CDq5^=Bwo&}9HxW<rAuajO#bD&gB?nVuW5wd2b
zPtzbMxWRe#DdPIFF7d|=%nIYB<^L3?u_~Sy#Du*w4o*!S5Lxk{g3$bNTuxHA+~poM
zc6K+tf4pZ^Rr>m!t@9^)!{LobY<dN_pV|cvb%Tq-zz#`sQOJOdvLN4FT^cVb=_j-Y
zYpIT9)Cc9FZBHaa?sb;<h*ZSo<j93HkC3-ngBVOQWn3=yW#TWR{m_cc!6N_Plw_Eh
zZ{XeVd0{Co6-06eQ*=PGiz{>1Dz7UIPGQoCM+aLSvl($v%^VusopLajXL5u`)ybVl
zyEb*4fP2)pwB0<nA<L>_=LyG-=1jrXKs!--rL3W|<O8KRlxH~hm})tmF7fo0b)MMd
z)@RkfHiIIkj7&fHOh`N&e@*ulk2-3rX>_D8VpklsQ(mb}>0W}c<FsnThT^c62!|Ow
zwZa`Od3_`@^p5%AzX-s_d(_6Yge_Mr(xTtQ!bQi4lZx(m5wy_BoNqsu^nn+8>A)&P
z5Ow}F0&IykbF1Fi?z^wg;k(`UT3_tikCL_R-0yaTvIV_y83A2QO_2E{m|vDiASOVp
zDYX0YT?DwG;sX-rW01_QHE`dS!3WlI(%kni4~6c2qr>T<bvOR4noO_u-SW>dr>vfY
zOnW>DmDIP+=(ke;`}Nfz;~gFXXz#qQh6E(nzR&*I-QM>TfN9)pHhpehB77PztA?VD
z(E&Z`{ItE&R9IwChO01d{h_u_I3h_<5^HMId?x@O>9tAZrcNHp-kdbqPK<d^b+g#&
zd2(IZf_(iVM)HV)vbSxMo0MK%q2d>y+!gc?_U^Bz&ss7RAB)6E>RyD(dCP>6*>sa=
zB?L0XL%pWJh!l}7Ovf4Md)=1EeB954D+Au_7dq|(f*{t6l@Ld;)V7*XdA};M=*60>
zcX9x+@m=fwG_Zu?hUG8xRtV06j+1g2hJR%o2nLPTXz>iu5TCx1c2zm%X~3Kh>|0O;
zj$G!&ndqhpN#SB-{(w_d_#QhV_NsZ<o5CRUFosS%l7zU^2X!PWy+u9h|NR?CDby(k
zR`=`Apxkh2`RIGeLHG6cfjKHy#Z26Q&+kx~UfS{wf~NT8=Yv{bb}1b1eYDRSoe$E)
zux-(tU|B`#s~e}vN08rfjrjOrf_s{5y<uz-e7Y>bl^PLj5W?=Dr6+Kvwp6U#^Ytw>
z@~heNoX*~NW>S=bd6sx|@=}y*DF~diL-f(d5@o1X9mbzsIAtXJU?S-)E|ibNS<jGx
zM*ClU#*MBgJek%!U(OUd-or=t0wQfYK0ZA;`zf*(aG7;<c$n2z)@VHeAlLZ};U!}X
zJU0-vycDqznLaH|-(%Bm9t`BDTL8>AeCdh<f{VZIaR&TdzAPgNH~wU1fIIr3g&dET
zh1dd=eFY`RBewhEXwqxN3sfxHs`Hl+7aH~59-H!CxAWd(L_lZ&pRoKFC{$!-15w{r
zh;y6IZR7Zr*{EtjMzxZGqQl8P8f56_7kW*V1z+O#15O)*MdArA0g)~;0ur&5avaK(
zcDbt6TZ@4fTtSt3x8Yk19t=jtcj^2Q%Dy=d2vj*Wz^^j3ss^Gt<eO+0OLH8G{`W9m
z)m}xj=wMsW+-xfI-obb(5r5`%S-V3tN|$wE9@avzfzHpbJr8;l$m%((A`<J*9!n`;
z{?`>d0-SsStk3@@Jjd~xVR}^6i|1TGfJfqa!%I6&_P?E!sM1%~2pEoFf{+o;q7^JR
zH?FxLS#POI@>LR%+2)5LO`zvtVv~~!L~O`4Wuy7#r-L|r4#|t{8feAk6F`%uslM+1
zKIF^<_7d9uA@u$jh(*|PvA6LZI#9#`Z~$ijCTpB6Ks_D{X``-$i2LXR&4Y(XJxMZp
z2CwfG8GOKHg)1YN<y(j_CcKJ3SAlIXfnW9#o%iH~;RLe{ZkW;{^<$wYEboM_?nDu)
z9oF#E6qw%{l=i+lgElH@2Ej~1(KAlRKgDmMp6#JCbuHdNtb+dZR<D!`Aqo~BOJmRM
zGMHEGR$V$_lA^$A=zb~o;?k1f%{+u%d;_^O>Z|%!UFNM~Umy1t6hbRq6%25|<m(u?
zl2UvgG(N5|250coIxhxK!5bcD8igIoS0kFOA*P3;Z|3TC;EG*5v<XDOrG%PWC95M_
zt$}|{zJ#hJp<SQ1cHq%(9n>vhIApZQveHXo`j*KccPX3Noa?6W<Q)TCX_0?vj?l!D
z-_ZD-W?grGm?YY9I~-7NW~1H;mw%&Cu(xOK>}6MUIgcdW$#1M;q1-#NP#&0J!`EWO
zt|~o1S#jJK{T;+<j%BpWpWwUgRxLF2pYvJ-A^USr|Ce%%C{^!?QKbWM9y_pkg7%=T
zMeLChMuu_1_Q@u<O$cTNiNdviofOA2KcFg7f5U)jPI^MdXV!ni)@dG|){z?|3z=b*
z^Mj}Rk756U3st2F$^Mr(f|wtqtgDt1V(1uu9u$K8Q(z!)h_e}8Umq^WR0b}fV<!%`
z=!`$e@Lw<PG9@*AXaHmX;T{JAL1t36!^L){t{*S9Ttb&%H6LGuUN7qvD)fBrmxS=G
z_sBm~5de0JNo7Ck1tNjztf66RG+SdgDB>KrjW3^N4kL3vSup+i-}#R7kqHkCEk7)X
zGc~o-kc3p6pbTDVx8AD78kt0`TPhrexUx|(9FJDZluD7i(l;^yVR!(W%2@m0(iQ!K
z5d6;-NDloVGe{4wPdOL>Ec3^KT~?|HmZ1UDCz907QOt!=NZ@P1&9I=TxQ(~863mbJ
zUbbScL^1SZgO<JkQ1W+GL4eu>%MHs^IyF~dmOW-@M29R(l)5$j*0(^5O9C#egm^kW
zGwKUyB3Bxv#i#7z*YCaoOL=$Qmalznq7hC?607?<wEDc%`m?N+lJx8x{0;On7ToK!
z)l;p+!=gr+W;rLJ@p!5GQ=4!w+W{Gk`Jo`(HW<gkHCzwU(K`CbN%5Qa-M`yFp7;DZ
z%`}`@l=+C|yJX`Y7y=2Ulw9E~LsA^4a7=p3YeXHrJhzo)v1T+*#p!B92NAz*5^d``
zMy!eZx@WfXBKBVc4$k}o39Yar3WU*YNm_T+c;!F_s#0d@st2dLVFFbeNEO|sl>FHO
zMO7MJ2c+iBZ{R?e;L)h(vLMMYDjXoP7Vz7q4ZnFVd7*oq<?z811b&;#5N;*hYHC7Q
zkKrYZ+E?k}0tJW-Ab3MYc8zdKm>i-&60C@nFT#~TWeaB?d7Cmbs-Q0j9jOa9)H1;h
zQH0P_-d92@$DI8;+LzJQ)y4XFclN)Qn3H-w(H|{lB1zlb=;o>RzTbkD1&0D-vu#{+
zy%6+0jf2kisXs1jx9fP?U&;2mJ5vyRS|eKbKxzV8mejnC!2~Q8X&L|^?k(Xi{YRGT
zGOA*F8+)s!8>yfEU6MWw){Lj$$&3Gd$~su$F-h%!&>cNp+GDqk8OS|zhScz<7ErTd
zkk(Q@8+J_TbP=^_J<9?#j%|0_#ruF$VGmLG&9Y+4bdgw8p-5v>N&i*E1^oEk3c|V;
z!-s3`v=rtbKNPnDRQo#p&SN!8$AL{@llh@=tjl$=4vwNfI)SV3ly)@HwyY?}Y*ZCp
zo~3Go28UtN?z17Zx^NUCwviFCx_jvrLo6#4!k6NAj91#ywcnGNgL0Cb^h-7UT8sV&
z|B#sQ*0TCV%Y`+g%F1m=Rw|KgT{022zvX_)FuByDwFUZudJ#P7MeU&C*3MJB`a?%t
z%>EYF80B)T;h3tvhi|i_6d^1<L=a^R!UVTh0U=?~&$RC7b|UdkuS@VLkTtP9dc~Fo
zbBgqol>X;9s(KD<w#Q(8a<T`3&(uKi=pIjHlK_}W19v~z{8m|jF2)Glj;2?f5((b0
zpa4_@hV3t?{0u1D9eUo%McQBy%KYV1dBbmn=VzC%DtF!}*s@I+6Up4=F+_D9Mzz?h
z(DrjVFuu1?$Wmv{fMANg`}H4B`}U*acKtGskNyXJ&)xHt^X`v#^Bix?#gCMOkIXSM
zmZyVFXaKhXFyN|5*3#6{7%ux(ZI*1NA_I@3)>9L&r8%r>a(!a0$dEKl^8$@)LV}1~
zNQA9Hj^<Zb_^JUD>&VVbWn27Pl?&R{I$+p@m0`1<I;<}K>W6C#6<nly@eO(nbR3(6
zzr2znGChGlW}c7|BLV0p@o~&Iy>vxbUQGA*zhH4*H1cFQwZq74NE9{QEg`a89GG!@
z(Xbeo2PpAmR}p&`qqAusu^u&-Ryff`(6v~rl^ZuHOZq#tY@C_0JICbre4Q!J*5}<X
zBkBYvO&!!24S!}z$dOxX6xhjT;JfE0u1Jkzt`%yI6f7zFB0-i(DNb+otX&`Pp1FaO
zCKeW@!)6sP2fjAXW1(0ZzGSL**H&{(As1FeTWeSWYD_%(9>)<2`Y+Ir<<;foDTG~j
z`x!)T7dtURPrC`mgVAYGk|i@Zk(52F20tM4Apg6cz9NAkr>RH=7P$8w1V5B&5S=0(
zVA7(u8w<&zq0(nq^HiZa_t56`tJyX!PZMs<6xwW!u;uKjaoJy;fQa5$WH9M1f8m}z
zr(Vc72kF<3T35_-Ia5pQ4_`?*>3IigL?qif#vx9*;wG(r!^*C6<v-pI`gtm=Wh<u*
z1Z9+5PWBD$_UD$2G=XAuXZvpg?&HqaYh<lAh?kvGj!LR7X8SG`drZk3FZ3JBDeq&8
z-j7RHb9=rTY1bKh5mpObpWy4!#;f!5F~iXb>+}pm@*KPnv>ClLM+W9Z4vX>M)gt{+
zx-G>PjPc-zEen==1&}Z`0FzdDyT+$-m!bcQ&s%=;cRx4j-I{<R1!kz~DYyIJn^zL!
z`D;Q8I9+e-dCuBL#;>dPQahGsDiySt!9Zg}UOqlYe*UVkK8{+Ur(p$T!Tr6x;6K7H
zF5ka@H?tw$(8=a^zF+;Lua)%#*CTS_^>Q*AHT+rKt=+=BM`zuw@)V)pljK0X3U?sr
zv%mxi<N?G%$fDdBe(*+kxVSYe1{+=8YHDiOqKr&Tp@fS~wkw#dH2&6`#4WJn0i&DT
zEnnn==nA0UcgTQ%-p!sK;69l>AqaFHGE-9ie^U`lqrNj-oSpsARSF}vUv2SM+Epo$
zH>4Og{Qu9?=>O3I>z9|8mz_=608Zgo8f{5h2y=4PjYyeZT=TyP@%(zG&Roa>2AY(D
z;=R4M)&|#1l))ByL>$mEAyaxC9dbC2iOfNh>+8{yVC21iGh5FebRc0Ek|4z|09RU~
zTTg`4E6Zmiab(f}p5pN2zPkiH09o{NJQf=U5R&FcRsY{#Md0zPs3-{8`Ev+alp0uG
zUgoq}tod;?tyyp8y@R*0*y-6kxO0U92mI%0WK=HDW)xP-w!u=J>1PjQ?mL*0EWLJ@
zF{4^^EG*9)zk1^m65P(Iy0R|Yp#$%;ueK5%St2Q(`W{Jti^!Jjx6IG2TqT#zweLLo
zOSoqR>ERamu_e<o!%e5_M({SI$ZCVZh(-Rh6c|Xq#c2E!^n<AMF|$lx+UQ)6AO`ls
z#m2{?R#lY%6h^_4O=G&ao{+b7#;)gB_vDg^7)(|DnoHNW(eZ+L2U-0Me$+Xq!4L`F
zSD)NYu*DS~kDliyEjRSegK{uobZzo)hfdlA>!}_=V8o99d!w*y?;NzHrDe{`>cM=a
zcBr3n8qB$va7zSU+|A96BX7Cc0)!vqT@5QICR|h$&05mFWsM2pv7%qWi@0SMN_>yS
zzaeT~mm9Igs#BW3a*OSFajviR>_U9)ml_#CuRI*S#U+(K&LUg;(`{|26)b;D>XPx>
zwuL!R0#0n?<RQJ>ZY<(xB(j{C?aTSNN@1X?@M$@5`b|vic^+e23<<3GIw{CLd8cg|
z83KPHg9%SvLW&xrJTrPtAv4yLAAhIb<Rw&s*ScUB`MmSgQ>pGRXoD8}MxQ1QW{~(_
z;q!A<GXf@>lHAw@x1W`{8dott92}4z@O|45@?~{oS2i|cR^rsF^$-j0*+~H;MA(Rh
z4d+t=4a~$&s?i+PB4LEhT3c`VbP-eaj9FLSFKLBi3mALeEWf+TyHu2x=Rofl>{0B&
zY_vQ)lyPO97l}ooU<Nf;F@1I;V;EP@x3~Ssun#B6B-IMFwku8R)NTF9-V;Yd$K;C;
zVMn1vH~Pkh0=1abWrx2};i&5h<*+O|H(WgWDMIaSCr|QM!j*U_%s(O5PxTnGMga(8
zs3a|wl$3038GK6U-E?qJV%l`7c6Uv}Kx2$Qqu~J>Bg^$h`Nq>@`<38GpREZ`F~jBP
zy^6SJl!Z+SveRJ>-8J(#&`jO9OCy04rRAs)n9*-td;Yn~-1(?qNi`)Gw$q}Q(9u(5
zRyukvTm8tf84~n9HGkIU9Ln4Bw`cEsq&7IvF+m<Hf_SXM+T$bC^tz1_r!idxou>86
z(TqPIgsDq=@?rgox31Qy@^iXsXU?Ls^kbF(cl5|hfiTO&a5mqXlLr*O`*+g6wiXs)
zO)F<EFo2Fig=S_Pj$dzBk;G>)+=zV(@0W<w_39zQNpH7~Li>ilnL&#0_G*w{>1Y|S
zAFHcr2WIL{0_%1_qP808x_YX|yas^+-cl9jt9I7$<hAS{s?~g}1>3wCH^tZ`M4iry
zX0j~e{)?S?MvSb!?UcdB9yu?+F=rIqHrBh-i_2Kv?iqOw@tXNa*?|6h*Il`Je1pb)
z8ycbcz1X*3RK?4YV1ED6C~`+gzm>CSrC${98el)3Z;w8aM41#u*!DRqiH?=UMe32S
z@j)e@tSkEMF1A0`LfL@wKkL_3*t1OS?8F=k;bndbv+)90-$*GsE3GuX6l+I6xDc_x
z{Al81%)vYq`mDD5l%rpAs7vThE)VSA?sZ&cUoqEU$2Q!V<`iQXefw3{P9gL<q8Ny0
z(b&R;weP;p_Jx-Yv)W!>zc=Nu^LVRx{(3nLRDH^Tr1AmNot|BO@*+uMc(Di__>Ykx
zfu#jjYd`aPKHaq;+9iHcdU|?X91015Y-BY1S!l;+J^wq6&(%&uq?ankYdcyL1~6bx
zmn}~Gs?ohdcu89&U(0Q7Xm(V!jJU0&*&iEVrAzf^K~1f)s|TEZ6b0U2$IVQ=``D%#
zpAdZ(LO5}4#hY>ixZU4Q*DXpebZ}Xo5Q2Ga7sUX4`P}dRokuYTbP`M-cJjteFqL5h
zOUPbCGkY{IBlp^{;;2oIzwhV0%{NOJ-e%KzG<&W(2K|3R7~T7&`-=z%0m`uhG32TH
zW$i+*)ky*k;LKp);J~mB5*H4SJ34Gbg7FL27?}uJnA|BlRe7$mWj=0@%Gl^6x+VKN
znDB*mF7B~gx3PV-zkQb5b0*jar}6YG77;tLJBA7c6zg6{w|ovi#N~pCO?oK1a=|UC
zhZWQ-X(&=_d)%}$Tjx96wb^O>w9EmS&OEs;+NWGJSX*MeYcZ}pbn3~BjRG9%&i+#Q
z_Fq4R9G?r;gTaLCO6nk<m=hOAau00MHGtOp?zoZlLJ3K*6<6a*^n_fFc%k~aYhbxH
zBlxeNBs9Atm3QPGJM$&3#;Dr;EC?~EmQ8(;&!V~TIm>mQ!ALYfZD9G}9cZUkTcP*F
zTH(YySH{9P_QG`dYo7T3bNn#UilEI%vV)17&wwR_MAXcTk`cx;_@2KGRr0<is~RJQ
zf8F6nyIl+de+(1C3%c<Lj9=Er;cC-~{4F#l(|@gx>Sv;B|3?^oFjP-Cm)%1>n5!tr
zFU(if$yz@yrs==7wu2fSQ1%j;jM=;n6?!#v3xEAUVoieRF&1LtW?=Sc+P7Lt^SN-|
zIkp&iSvx}t{qlrWai@P@bwg8IH1?sN(Z3+4&lOso;o5DN-U_<?mxN<AU?|Cq($Q0i
zJA*(yUlk}e9*+(IN#%CwAh2lD+x&3kBdl%n$?sZXr#MkfUtXbL-j?(J)|L|(BXvMJ
zSX?qSmoM6XP+1kC0HWa=ORoIp`ENH%Ytram)jr&5c9PLHU3PTus*6dD;=w%LdNMaJ
z9^u(b(3e<C#b>ioLAB4yLY-4i(o_CyjRFMtoRycqr{)A96GvmemkBmb@KFGl)i0xy
z>;f?F=Q^!?oQZC)TtrZ0aNWy7JPYne4@6KzAsNVz38B5=ZuJ#go?_uL9&gG{t1R>_
z-P0%h-yU3q#ptYOPVRQ-d%o{mck1;ex_bX-9sZ}w#kcq!Lb;;f`8~46<3beaOr`jo
zOCWkWgF;>?0j-D}XkYUybrhg%z+Mo+J7-RwvFn9q>Ei~vx1{W*D&!)Hb5Anbv32UG
zPEY8p(uHFc^#|N#lr(G+m)QvW(b}7I)n{1#9UC)vyknlYFxd+h%m5YU`3vM6*%76#
zr`x21rTLI93UF!sDh%B?;d$q-5786qwtw;2%k}F!ksdk8r4%(FFQd;N@D;OLgS)?Q
zca4kbInI|efk&{L5-{2rcz=u-I__;YfFOQ-p<mh<KNVpWUc>uXDUm)f!k+FP+kd}O
z;&)wdr#5?cA#FSS`U)%a%H{l<R5^)Ig8wLxNpP@DG<ud>YC4^3$U0$a+ePaZp}vB}
zX*dd%0VbPVAD6;%y!(q-=CX!S8F|KvEsN%QO@E%AF?9Yq`|?VYWxey5<@C|dQC5uy
zEtB<9<0Hf>z{H$*j$;(<_vrR|u)W2Gc@p`|_p&utxwyh2hV)13HltZ%yORu5TUgG&
zesPLsVRH73hwN#cses6+4r}U}-3q(RlNTM%T`Hxf8>PmH0bd=Svj@a%w!MoLALVdO
zyd{!+mp(2zThUNIVi%Hf15VVqT60;qN_p*^Pp#yrmgX6lxVIA5K@PU;s6?OEiGCtE
z*_{N6ITa0N_);K7SIKsXxcuf2cyZQ>6PA)MM+`w)?PsGc4=M}1P?x=*z70hOmPJ(b
z$%BT6);k8W2j7j4qteXSQ`hV=29)`0ZRyC02c)m90}VlMAft2hc$Cg0Vt#=$7-xw-
zX88<Ty9klcvzXb-24&dx>aNwK!#IcBfdrjQEY#n|3$mOVbd*w?ii=K&xON;`Wss@=
zL~tO5G!rg^^lE-N2DiMjbibr!_i|{^NBvtaB5-(ww<zkB@2fIQb^t9q|7sHu3J%Y%
zG)V&{C-@HT7NYundQ2zDBI$+`w#F(@8xZK@E#K9W5b$`LS1dU_N5l;-eJwzW)ad9E
zmW^7%a2FFL_wFt(Q2K8KSU_hWd+h0kTjpxiL6KDCQXoJ)=L;=;N!-@H@bzgM`RRn|
zmx1y;QFriVpB+ylcn48t@VyeSJ0xKfx1V)MD3*qutwU41z0_T>SGfMO-4a?{l>7QI
zLzD+qYDu`B?9T?x6Fv$I-gaeGK(^4J#+?xTd6I&(dcTGsp<kL}SHnqm@&00a%<52*
zeNNCRGMnYf_g+l<f0HHWXC@YqQLLXIGIso???S(z-BYL9jweugY;p}fsS~bv%6RnP
z{GY0rWO&1LW6bgep~a7r`*b<Xi%C4?7?>t|L@_!>@?Dw`J4SX3<gK=g3<?$)E2j?3
z6p9nCQh&OcBFJ$V$Z(si>DMOHhvsXy?8$2J=fy6_iV+s`YUt~1eWU0dfd<vv2lwUJ
z)=7(Tj`3P3>n<7)!p%l|t+gicg!5Q-%HVCuPFtH~m494!{gX)iiv)iv+Szx?e7ZQR
zypPyG^hb@TuOur!Z8%%8EB=nJ#$hCBtRVwQpF4;)8Wu2I;SSJUa}hLbHM(vs)gT;e
z{_*2Le~+%H=a@c7H!azs80R~f5;>x9SFlRHbBkns$(Crfm8tu@4Drf{nZ@x4Na&e+
zuUL1>%M3n4ot$|y0y%vpEa_Vs$0+$(*)ke}Dxafqe8i2Oe1`=q^B0c%MYIXTPn}~6
zQ?B6nn!;|Cl(-?0^6%N-0t3%`Dt3imIxv2Y2+m!$1{1+jgFf`_510#3IjFM<b4HF>
zeJ=UNs3X!Cxd1^j<J2(Q!H#s2w|idX7~4O~+v-Y}^qMZ=+HYOkC2Xx9wl9+wD-*z~
z>zNWVju9689Jv9sibHkZ1j6}!Ari#L$G5=U?5g#BoK{d!xM%=`>)wg4sv>ebi0pva
z6#JZe=B7(Im@v=lA4G0Xz8)J7Wa>sA%<8W_%I{AF$X<d`zQUh$cPme9QaB0TFe<1*
z-46^f0Qp<T4)S-CjhEyiZ>mpEL1JQ3^%3HRrt62${R=*p66iS9!4GG0A_H&Cyxj?>
zo1@Zpz`eD>bN+eFqy!ke&VH+%_*=|>jRDCezAK-CTr<mlaa$3isg)A3PkK4{crJ?s
z`<-YyLo0>}&Z!_dRZnQBjY^SF@rM&<f#xd|)jSdf8t0zHqkAhKjMzmDlXKj8F7;w)
zv5qI?gE6@mHEp(gMP+15ZwFqu|GwOpV3Ir7o%yO)DMS6|RRR{v>gaL#4BmF{pSs`=
zQ0j<^c7k$L78x5ufu=2RS**oElH`ltB7rRUqI0SM^>&k^MFD*5vbCxBpKGza#J4VC
zwKG(;GShiSkJU^|I``L+W0y9=5~)ZBV}C&gmy8S#z*eo%^%@sUJ5%tp!l$!fp_F%4
ztM6a}EJGcGr~N8`1?Uw{O7Bm=CmvZTKvS^q%yg5K)R+9P#&AtylHgCF_4+6sA-sa$
zog@*4T!}+f{^*QQT!`fL*zbeO46zL$;s2nB+ST!UG>Tgi^J*7&O|yKkll$JwZyN8O
z_JfC7x|>PKI`B^%o+X`j(&F_}rSZ6|e;yj%E0H`v><80l=<vQS4DPj-3%XqC?g!f}
zfL*n@U8+C102DtJ<kxR_huRc~t}Zlr=H!j-8?wN`?(h%e<xQ^-BBER4%P-EgtTP%Y
zOn}8E{=+h5MHU*60z%w@1H$X{-hZyUtd?FFqfT&0PmR=zam)$1+ILC3`PrOK8?wWj
zc)+M+e}OEuhJjLbU7;k{G4y;LK5tw-XBMxs-DwA9Aj{Ff8DCVf>CW}rwbe4s4{5T!
z;wJ%<`i_Apnbqjg;nG3~>eu3vSXj}@bCH(QSY-85qLQ*gMmhW0*V_l~(K^PL{x#sk
zEJUy``8BoyM|rnFfAsL+8YADCVQK+kZ;8Ck)EL~YL}xHc*%2Y|9G?gETtXGW7K^%3
zUBcDGoqcj{sDC$a0pB*LAo{uahiM?(F(AJpunTtzYD<ns@qrL=!<5Yqp6Bb_x_fH;
z;R~d<u;A^e-&QyWd)`ePQ?}--C%JpH`d5Gfwga=kA1ECqME30tYE_BL9ccl3Oq`EG
zHNa%<mi%X0>s^Vx@6FAR_6WBJ$ac`<{}b>B5BRVX1zw&!=WYNVhN9&>xb+)SEsU&t
z6Q4W!Hvry)51UZV!%zS&4U__~_J7?thQizD7wvjwZKd#@bVmsQ44?o2HS$Np0sw2&
zFs=ZI3<SWg<;zQoJR3ON_r0J_DbbU`k?kHP>s4MO!#ncNpr^_Z8>0kHZ-ujJqN;?b
z`H(k|IccTr{hyU!v5kBXPg}Vg00VPDIb|oioA8L`u7`ZSbfdF7&)PO{zIR*ZgQIQ$
zkm!#LR~NXx;F&Hv5K>>kd6mg-1Hw1^7M_S3EPRm^-=9MVDwbMp<a`@}29bq*xqbt%
zTpyX8HPx{<pr@M_3%ax-1W)5{taumCpMk}SUOl$~pM<Pzw-&ces1Hv9f?{#Q=3~71
zBbC6Arcf6NwFJ-IM~yIU<V+JDwD(z9aA>FS8+q?!lg-JKH7XSC=|+oONuAowfvU6;
zHzv6%%G-<C=z%4E@92p%y5+YR8Z@w5P-~T^@2K-dt5_Ju(|wh{0hsbAoSo$CFdBiq
zQO1GD#bo9P>|vvl53J4&ohhJ+Sn?MXYH?J|f`>SGqyjkf;Z<i%Z16P!pkYjC0)PkO
z`oYgODs6HWbA<67fL=ZK`w*DRy+6NDih1zk|Baafy6F7o=c(N3+55fRpK$L0M9wMi
z|8q$8D07Cl3J(&II+%sy#m7NN0Pp*bB>;wQ02CVd&lTi`8pd(~nw;H~iFz2K;U_Ca
z#%qx;p0Yz?V?ya{TOeTYW{%`q0yq$oEnv)OSce2alhLDRD=C$b!|2zHy%oF6$wX&)
zRaJ>n3z}%`no5dRMuKatv}wSGQ_LHFC3!@M5~FV>pszMfIOi*<YJJ-_fjblb67aYJ
z0Cf&!t0#oWyUbB_i#b7|PyFQ>lCZ&}1OVz5*gg}D*5L5W06rnYzI2#^nsmgQ`!6vt
zDm!eb*i=={*`?uk00d7PJG7a$&4x-^r8ltEG1r$W`pc#pZKW15_0P7&ZR>JCn!BDk
z>WGUScDstyTB=-LV{W)hfg_;+;JN$A5hlg{^+@jj>4wdJDZ}poNbC6~QHmb3jyd7b
zlJ!Op6ew3B=DuH9M=((B#EnTV&U@s4!6sf-R;t*wsgW(e#n7Ok?{(t}%c@$-Z<z)!
zO^q)AjsjM?_I+8Eko|yNj}AEk0kEueWshD5D+o-A&^Vy+!FP*WrPurs2G)pAi7Lld
zXV^X7F6owO^#*&U*2G^i!h1Qf!Pf+UhOwau03NOXoxA3)^EZwP#MXD>SCJDb{HI;L
zYHr}(16)6uJHN)@>t3oQ{?mKXJuUtBAQ?RM>`}8*xF!Hnm<t2E0QfVg{Ty8X(evly
zBD|N3{}VvNI0Ar!&b(G1cvGOqNT;?b_1Rv1%`%0_jAj#jdJ9Pd^#N^PvN03@i0tYt
zCPsmw;J1}|DPa`jqm<y<Ch#PcKBZCtT}7d;N&Nt`z5>fl!i=OM@W+Dqt%WC}xNnUN
zlQO;vhFA&=RtoMP_$I@M26uU=DI;IIoPg{IMoj4diuzJzI>TDTAGdKnM(22Oc2f3S
zHPyJqOPvu<4`JWEgn_;@fXChjJqPsQ7mhOzrSB&L%S})$2hw<JyllGJZZ`CD4Y>gE
zdpsV(jT+(I`H6wkk^0J{!`D9q0^qvC6}#WKn$l*Q&491`-W({=Bp2reMS3}zjb?m5
zMBMV*4GkIy9t89uStEigL0rY7!YVRs#FM36_0l~r(HgSPDds7vTZ)e`4t3Pq+}^~a
zdbOgZ=Qj36@>1jstf)oOBTVSRM8pPP69D%YngIB8oYmhSSKqgXV$V;H59-I&(;=Su
zzW)CG=~?$XaB&97>ZhM{c#q{MW4QonK+Bs}I!dEfYbc`=l2XX)j~)tKz(<29a--3Z
zWpyaF0gx5a{SH7nfO0*z%F4vdp9r~Dt5ho3y3rWF!3ZL=)T+2IpORe`H$eDQl`DXn
zeB&oRYJAyawT-BXstSq~K*jPgm&}#;sUs|gf-ezbzpiCgWr!IxL{U^S#xRb|E0=;B
zzLdiG4=g2{f|lP2Xwaa_4Z6x}@+Xu~r6n}Jdne~srx>s?QHb{@A~TDFVTCTk)6m97
zq|(C2`>T)XRfE{zk0$^$XwU?J2JN51rfgqA%6a!@$nTQ+zB)e;G-&umd-srFXAlKo
zv{%yo-gaaCi0#>pHHwXSJgOSSY1_8XSw(%NyWmNpXJ4(&=jeM*U3>B3-tnEoFIE1w
z0~=1dH2T-@qpQb;ZtJ~lpGp8A0AOhL*665|`TY5G|LU=w6Q-`LEBN`~Ts=IKYnA={
zaOcW_okMpG4xE3zQCI)K&+qT99xsM32A#d}_D_4e06+i$03ZMm0000800aO4fB*mi
z001BWKmY&$2mlZO000621ONbl06+i;00001fB<*|003-eeT&i34gdgbW{V4e4gdgP
zGh18$bOHbXo7vI>Am<zrWm)cBa{vH9S(Xuzb6$%8NGVlSwHE*YSXWh5rIc1Z03u>9
z006K7M8v8GfSW%60I)$6MIitH0ASe!K-Z{<*arXrYyc6_wO~sOfShw(*ZTkffOS>Z
zb<TOU0-$q(lu|?#MX?tE09cQkKM|2qTFq}j0RVvQGYG7$t*sLP0N4fr&}cMTn$6}w
l13Uu&05+$Eul}3OW<R6Vim~P9cyj;%002ovPDHLkV1kxCwXgsH

literal 0
HcmV?d00001

diff --git a/engine/docs/contributing/images/fork_docker.png b/engine/docs/contributing/images/fork_docker.png
new file mode 100644
index 0000000000000000000000000000000000000000..88c6ed8a1e9e60cfc16ebef4bf6d94a92a57b49e
GIT binary patch
literal 52190
zcma%jRal%$&?X*&2OV4zB*A8ICpf_+xHGuBLm*gy0fM^+2<{f#2KV6Z?jCF>=bZg_
zFZN>l0v>w4sqX$tyWT3oloX^e(MZtX;NUPnNsFt%!65~~!NKdJBEV+6nN_3V;D+))
ziHm&pfIpgtHzzd$be#JZ=Gi`oSOu4XOSGvFtqihBr$Yv5Et?@_nlYxSRaW&~;WV)Y
zLtG-`kumXfj=r<HEJ^OsZ-cC@KM_T2y*S@`onr9_oSdF8tQo*ofphTin6u!pS+x7Z
zlWEpBG4Te3@^`ui@b~9cBmnX6Z{t#xqN9_OREqiZjEpznKxEjQKY%f5C`Q_(>@7Z;
zM4ocfCkQ-jwgV0<=NDY&`r31g?q5oX5YQCI6NnHiGz|2Y7Qhfv_Syh45b_V{kpAGl
z3tbQVZ~uITI08H*c{i`w15i*@ba!)8S65F=O#Irpc5!hrGc&WYqMxs#+@Mr3E1R#v
zl{Ny`5ow~-->3xV@5o%0wSDj>baIM&b^Cjy?j*Qp?pqBLV~q6h$O!Rla(cS1uI|$6
zs)lcjVu@&uQkgn4Tw@Fd8Zpu43>fy7<3?Z5+W!36x^6g8v(u(PHnw@U`upgp^xS=C
zch|Wo{Xm&3t!&yVDJh8yZb=#?7=lg=V;j({z1J_kBzn^TfffB(jpE!H0w5JxTwKJ%
z!;@q!C@hQ{_;DaX7Z-!gH0!$Un$`WbLKN{VMud7(G$aH84x$ASlqICJ%@kPTIj<O7
zB?to<+x#vqFDH2l?==?eO}1UsK6G}OfGelj{0cxE4-Hu!*VAS$Jg#+VJ|28u;@;mz
zOSE8nSU>Y?pMxO8e_Lx#pvipaL@Mg(uuF2~f&mAdM;#*#Xo!=^{{}L~pn}3-1WHcL
zXwO;`Q40HF_35|Bx4P%|k<Gg5=m!tHH<`9GuW;4jiOK_#fo`b0eB1@Sx2dE5M8Oz{
z+5N3=6Rl_Nd;jjGs;a7Fs4fK=8B(CgrdPm6stg692#GwfnOT7nY|S3P*(w+Vu5|SP
z+j|#&Mtp{4t#EeHd-+0xQ3hH)Qo_+NZx}IlqxY58#z3B?_p8kPv@3ce4Ff!SMk#zg
zn)GWuOY4ug;UZ$Vt~4hZjj>d>Y0muuc%lwsaHoTwUtR>dhf`uLy;pozd3QTHyT_Px
z?pGB@?-#$^pSC~mzC3bqQRu%X9Ad?$0&oq7bgiudAMBCjJ67|uFxFqBQa8#m)H=B3
zH=hF~Sn}VmG&<(h*5WH}j=sq*<ZB^9rSDLIVj6?NMXv)8wo-A4(@<li#pgAfoM>N4
zJELEXzbkEPYbz`)tg2GZQ6dxcs%>dWXS}=^VpZi5y5EYkj0MqvcSIHpf#ZQQZx90d
z=Sl--tZ=-ZlJ7Z2a8QFBo7`WLc6MfbA97#rS2O>d3VR5E`tXEG4pQfIdvYFdC`tYN
z#Z0>E`{z*og;VysuM6FGvb;RzKdY(L)z$*16urE>jy(K%0_f`Wj&;0$I*xRr^o_N_
zFVGTu?`F6&gd<?0qoQWp+&w&O3g<}i-I`()k2^X#D(Qfa!o<Ey#rDsM7lv$9Ic`cq
z2@ntw-&54p)x{-N1^n7nk#fr{PY4cu$2IP@7n>hT8UJ*Ju~~WRmS3%BovKe<v+}cl
zXt**aL1V?9BIUy`8MY~Oen|>dRB<Su(^rO9LIP6*jYz%{G-p2q0@Ezn**5{&qbRSD
z;v;(lKx!m-e8pyNZRSd?mwA)L2PGw>wO2nB^cLn+8;lOm8NJx~N(^$R=Ad%IcR()Z
zBuE=Bq^+*T+UTI)WNcE($+!sV@C=9aRgHF$xyIvEoO9Nd$BFRs(Y;K^;zB^$QADq?
zk*UpGmo~9~JVpdDaG56Yt!{t8Kpg;(v?h2x<+Tg0!$AukzS`W}tT7uQ$w54O5Q4a&
z|4Q&UnT!Bkm*gGZWrc_MX*lD%pRUNmL@NMMm4J9N9?}npsWOn&)CBZ`d&3DJjHUXm
zsT=S*X+9=$v&a$J3p&;9i`1CBxi*%T2n!DfBG6ctshir*@mx2lds2uE?r*J4>lzBw
zpuYy4*x2wf1tn`d&wdrFV2LKKa<ECb_(KTXBXLlpOCUyhICuApXP0<3LkBK-2poBU
zc&Yb66-v0|<Rn|WpWyGLEnIUMlo~mA!l&|br+kU32!s*_o>Zl%kyiSy>m?`$&E%ks
zzU$VYDoBR$*!V9O8Zgq(nQsY!<OHbwa$<*mNBHIU#<U{yji>Q?jnLsLOPl5pw69eC
zw;#k>lnY~RY(KH;V$b&Zxf4wzOMX{T(0%u%-sI@d^<ib+@bGZhE8lWEn?<+k<LSU_
zYpfZ2{^=F|kBY|QyQ!%pgV2(SHWC5?<gBIikdTlfdDS4^$NY{IcJmL6jA4*B#H5A3
z?;hzy&cA*8W~jTq))|P8Jx5|QHNw$5qw4*Gy3qBCA<4x1odNw&+v0m<8U>C+P4o{@
z(Ib|WhDn69M_tslr;}=use#OR?$UHgl&=%S--#F=YgZlNd}w5>+QZdeA)~xsE>b<u
zQ8Bc)lAzZwVLR4&zoBI8$T~7P`}xk5LI3(8f*i5F^_HklVy!7f9<f$A;hFrIJ-*?I
z$8+KnPs?0h=v(86^NAEbw40MZZOZ0<T-nTQ`(<|*XCqTDFCG^}+%DXF2einT8H<St
zKEz2D^$&jRm(_V?s9-;R-x6EQHYcrqzt(RE)?(2wWw6Yi@7KhVOW4YB-IB1HV+lB$
z8%PE-l<K6s!wu`rd2ba0vStYi>&-0#sd=e-c4^Q!%Gnv!_k0O#|DyESs)^z?oG^))
z^<iFbfaYfeG1XM%%KjfsRD|KVPD7Wt^{;*Mm2hda*Sj$N{QO9RXi{<$QZNo20_elh
z9Sy!vVLoL)C*;0LERe7_Z%2r1v(!?rY-cU8eeT?=v@|`yLR)VVQ7HyBc^}9nz{mUJ
zBKf~sK*wE9ZlEM1+PS+&89?J}6dM7Tq&<@ctq%++8=udNgE?y-G{$X+h^<E=iT*rv
zeIg9+B49>&`0!qEWjb8~=evcLocpQG9~08;r<tz=r>q|9$HFW+5AmU=8w7{d&az4m
zAapJeoFW85M105+$SvvNW@HCpz&SZMe(hPD_|<{h+aQ>3Yu~m2>9&RP!T1ahjTYxu
z%9>i9TqJ%(_gNtCbF=7bI)mA59VZhVFSQI4?to15y`mr)?h$QCDU))`sCo0!*<w6M
zIwYN^2+ig2=6F#!`W2JY`|}H!fNpf5G!~#`>3-Z8Vr~Ci^m*zXST}`MHu2-P;b4D?
zn5ucWcSx!NnO~kg@ikoGJ)~P&S{NvR0wrl|Zu_5;GawlYecGCj(XNAC(nTEais0$d
z=zd>MwbEAZSxn?d(YeLEs}HBN;BVFFDhDL_<P=pf`Mm;YL|v$usxvjqNKpFLm{s8O
z=uS-PleNDpK;xGyvpi~3NYuBg7@9{W70_0g66`a4TfK1;RWKEUTeOutQ}6Dox^7hD
zBFr>-P;C@*brzg>Lvnw6bi-<Kb`!v(<<{Fo*)d=2N_XXY(;@lG&()-qlm_fC&|X?_
zZWTRh6<1sE=#s26?RD+c>#6DYT<zGiz#LlCA~SNG`6rf4bHS2gzq(9+Vs1ICV2Gso
z^L4KWfo3?NdWm*IrJWb(lh!+d5H=L9*zf7-{@<boMQ(DVL^AOJw2JsuUNtwGn4~fn
zx7j#;R9vVPKS}tB*{SFQY|#P(pXQm@t|U|s-w&e1+t>(3(g)MTP^QimI53m-ZIiD*
z@o^Ea_Z`~M2I8sUIVfzJNti2Nh2l%%WGki6`5wfo25bQ)ytrOl4e>4rY3IxN5O^0!
zGi{g$B!-UEaSoi32{Ilk9?*LuBe#i6Bv*bsNnevVI~J#*4)(7Yhy&4U!~v}<wdY?9
zt-Ky)+NiIzZ}%ssvsmx4vYW=*1y6$`zv$l-k1e<_mjBeEB>jVoOHjr@a|7oKhjqLD
zfG@gsDrNNDWj$=<XiD(=UIXfCy72^xz)S5Q$9W0LB>sAotB=N7U8Aqz%;3VEqHoFZ
z_cKi4IJU%$40&ESb@rxpTchPL{;~0Wm$SXw>uX0W6kz%H*jUkX3u|j<bxa|@$GhKy
z$(ufgQw8$cWr_WB4B}8UboBQWr>(aXn|wO;HaQ;Y{O)$erWi-tL5b+8$3YUmwv^OE
z?dmf-*-(OA4<t=hLo*=9u|Z^}*BIUtw^Y(R#y54E7q+j5k(LK-+F#dHIv&dv`;VLq
z*yO!=l1V0-_o%rC#)3GTu@hA0f7Bh5bGeexrP@s(s^Rd;+IFVpT1TCJm;6C$R5<qs
z4h(+h4L55jMgJrA+wY-rmo+21vJZ*orgQxtY&oNnzr+U0b7HL_)P-L`TC@-QkB2y~
zXJ3Vusb5A81uIpX;tXk4QAkY6u(3G}N`fs$Xq$Gez0OrqYlOJGBt3?y*vz6ku+2$R
zIqw@2yFC$Rza#E~NJtc-XCAJlp&kfp<Z6&WVcuM18#Sg9yxE`GklcJq4k|?f%IRM$
z2bRC`EMB%gd`j2YJ1z;-47v-S%eX~mBP`1ORhI)~<m7LVF<omLwRE4vKh~<vpa<(t
zE3Ii{gYqcvq%xH9?V$?E!ER-8^F92Cc9bY>40QF>lyZ`Z*W<Nq3|^S!Wf!Ky=T=T;
zvdNejIw4d%H<wQjB3Y-pJM=z&k;z`?&Ij9yg!g_NUwYHN;NIEXyDT#QA&l>gggX49
zp$N2DdT=0*y@&Q-kISyn$TbwSL}wxUY`*q+&Nb82c5d6!cHsRo?GL$*ekcd7m3hi2
z^KI1OGaQ}$Ui4$Rm#vxMptTGarKo7RK(l-3$$Gugbql(c$Czudr+myF6To0Vq)iz>
z2)|}D#i+G4Gl4}XE;xG(V5umwlt?zWgWvDNr7SEMHu+*=V(_t3<hXj-=+NWH%Bl@|
z_Q&fs?w(YJ%e#49eZeL+<|>GZRnkR*Zwg&YA;-m>sSfKdz=loXubCM^>0&({`S@g`
zRtYaub;oa&^%b4H8|1UgrEaRzHjY5=w7hEw>k~h7|Ek+K?THnmg|;DZAr*2xSrN07
zx}dN}1&gFrm0;d8+)a<@#+c8&-L1yq-O|t`4jdK!Zj7l9pTpSd<u3P%g7|*KBbD*f
zUx`3bWB9qZXX_wKiZ_q;Y8Rt1q-T1z3DW4*J%^_BEjRR#DoBH1Q+sTRC*?cXiNwDl
z?5#bIvJ4p^$~sS<6>(k#`fcDnpt9Pqe|{6|?dyVN9#=z7e-SmbW-*=S?l{m5{%gY1
zAhe&$#8V}P2;4x#VRB--!8z^t4e9O|%!E8!XyvIR5A;>Ko;(e>2IZR*rq<k`<R`Vw
zST$0?Rs_M8psz{dnSMG*LS2PK?E+GjR;vNs?H{Md*i5Q0BB>}54ZA-5vRS;Fs^%ig
zxIty!=~`G~eLt$tsR@PpYH-w>Ih};AvX7czyvi*UhyDzOe;<r>4r-9YKt)6QvlfV*
z913rm{caQG`&ZPkZ+Ji6i{ifh!4}KWOB`3Vw4^IV9GFt03{^<y0ZGmf&)z>?j=iU#
zYF1?gU+db3N3j(gT3Nn=pQ_{5lY7?g`Y_(eRsaq(43ojM{Y@MRjrxU7An(h-M(Cv+
z+S=bwm`Lyu=V-6@Fpn+dEm+c4R+gVk&fYst*9~=l9zaYAbTyMTQq{&2W<#kCH7U)S
z)iC*S<bfn4EtTFlr<nKt8(Atkuy8vBZMeA76%J#>hRZ;MQ@72kC6q8h|0EdeEYx)x
zhqxvVWZi(kH4Xe#R9?JM4J9RS<d&cTN3)AV(_J_NO0MA;mG>XBO2%rF=N7zQkcGoZ
z-h$7>c$@+!Hs4FZr(ho=ur0Yc{CZP1`?FY!&oIV1St?LiN5%RKgDk?iG;yDEWIDJh
z{2(NR4SAG)%O)rS(zNUh-RpeE2_T~Z!>f7eSH8g-P>OzQhK3J1?0<;m=e46id7ja2
z#LcH8>6qjw_TuSPEB5m<f$2N!rl<BX4uoFKv{x!b!*?>!q(5YUrn`6jOj99`aLOE^
z;d^CpsUggJde6>__Iv*6MaZAvBXn&l1v0RZE}y2Yc;@Wb+~m=CsezeT<+w_KQp?$C
zOlBS^{qVt@4TZf>2D;(lf4`>Ba>q`thwOu40v##G@9yqS`Iqk$;}U&H<Q^RW1@`%X
zS23W#PB^gXxha#75QW*OBynIs+Ixz)=GoaY9jSBws!Ld;k75<&Pp<cQ)r83OI6)@X
z6+DR_cNVU<rWR{o<K6k|H|=*pK;}Y-Gm)6_mmoF24>I3#1;qLdgQCdhg+yIODlNIv
z9J9#?Y1J(>bF2m(;;Y0`t|hgv1)Ga-nd2>4gW`MbBls-&i4hmFA@O=wag43+Q%mq|
z7J>Ot)Pd02@*45XfJrR-t-Kv0ufuOzvv8MevdyRZrlxY9Pb=T<C5fBWXK1^DDy8Uw
zx&~Cl$OoN9aRs>iupq0Ck_N1Mhz0+rkIU!lU4jsD-8?ErM9iJ%#%hxz=IbP^h$yo|
zMIO*tk9EehZ=$G8q{64LXH+7V>D0a-_-;g>9D_da^7BjX1?cF2$^%PW{5ymJUaCDK
z(|0sM(Zz3%P2($TRh9KJk{XHo_8KKsN$crntmWf`T-%=gS%c3p+PW%`H-h9I<sF^t
zCa#!CWZzni*9D;K>=)K@ODr*sa0BW1HO#Ev&u&tIu{7eShY9D*4E+g0@N1TcP1IZQ
z&+NZwZ|pZuYz8+7s<*UTY==gu``%?aKN2#XAMZ^<Aev<})EqbL{Nu?bY|tm|^%_n(
zPTC+*@kD*|WcWS}Okpd*lV*gzbVut?WEk!~2Tgh}1>UM#?ypYg%;ARv?sbWwg4vf|
zgS_Lu%PvEJ?!bP)4G1-uT%-dDN!D=3Ccdh?oMn(gV@lJ0`4_UXMyQGItqGHDgG-@a
zDvcsEdqndWmbmrj(9Z)uld$BBE$LaHrWBItEpl(|L@7h+jbkgOylpWDcy8#`CjIMg
z9+cjrlww?aS}^gqMKcn{Xqs)^jJnM=1};}rx3{wd>e!nfMQgYC>QBB^@)Sr{lPVji
zbA;|GNXu{K{5)(L(q6dc6CfR7oUN((by>p(yl4@qy%HsDr=2r27t)7FjQXWlu}qpl
zfc#KmL}klhO-#Gk&O;&n98l%7dq5Ts(|6L}=u3gZqkt2N$k`xas*+CND3x%_D2DRW
z(GL>B#;DB`lcsqk*}y+!FFy_Wl($A?RpU3R`gxKf?12i}P@c49xYiC!`6V83+ByJE
zJA>w8BfJbd!2k@Ly~u4?GyI(FAxJN($}tLfo;gUbtc#DdttMGG5gp$&knburaybH)
z^jbA>Uvw-iyN@^rj~Tr5Wj&t=?>s42{uvvZee(O{-xq%SydP$+|Al`~DBif+f>3?6
zRK1V;wL9g;Lsr_33ZZ=Jhf<y7??;mL{&5;3yb}my^{#))$7drYn}Tt}UW~~EH-)d4
zsGkb@i1R#nqI!^>87Ls$9hIY%ZvY!9q$P+iue(2XBVoLjH?avZg+wF6<JHt!KkR0D
zM{U3dZZu8RJx%7zo-Q?Q7C@T9)yq!yl&mAKx`8*v)2+I^-*j_A^nb1B+tF#1iY;3=
z6cD;ibP{YLei+-Q)K-+@&tZzP<=Q#m0Vj(DVufsu6Qhu8$M0j*rf~OJ0Rej=?Akm$
z7WI5K12UTk(QlDxz$ei?;eo=C%wA8CRzeZ><ku1Vmbch)=)|Jfi{xce`A{;hkuEuQ
zuhyC8G%Wmr>iA-epF$tVkJ0T&vW-?r=4v8fK{)zHFkjyDF*ToCRzT7x?fOUeOTlh8
zsZqU_t9|6(OQx)z<sOUP8GA)dW0ZG7nZAo3^T(}%!`HV?rOFPmTQ~n+_6FU+sSzPs
zl>O*B!D-fP>>YV=AOUqY%4GInHWXhj(F4Mh=<~9Mm9LmzL)Ino^Ybg?|K@C@P#ysv
z;mch@`<2zzC5=4VL5;w@%RJL;v|P=`k-1v1jS$KkfhEs8JV^>pB!n1H|6y9VnFNwH
zmic7n-GQGO3bjTY94q!2aEX7zcZfCHl+(3tvHsM*Vepr$HOuEj)ASL82eZmP=L+H5
z$!0|+&0L-@6oevQC@M$u{QS!y$5~KzRBbb%D7GDh;omXw@j(wf$qVdU@Z!*K5c!_@
z8uRx())lQg$H$m>-`!AcX{mL4c%(|EPnMhA=c`TQ1;+(9?Iodm<usnkvvS9>eg~hU
zs^i>7`}0CRQn3}tMFqjD6;h={ek?&(jSiEb$#D?N=0S0-6Yl<A^2tlJh1&+1LNkOC
z15;<t=CNEMZ{1AxDStBe@-1pcC;r{Q3GY~2i^FsTdJ>Dh-9y+l=o>`P%0k{*!G+-g
z?jF5CYC9We9^60NKZgNV<vz}gy8Y&XhK*}Lu9thoBQW<TYug<{Jk`5*L9#qS_ff*6
zAMNQ$x$Rtj1L05#{K<L;1^`AT;Z!)^Aa78Sx)AFJ01xf2)--NUL~M75_owdf@4au1
z)b%Vwk)Sy_-e)18B?=$@y(xOZ%(Tm{)P%#;3d<8DPcSOd?Y}9wPgqYFbX+_<cl(7|
zDqN#k!eeu)pFfN9QnRzi!BZ5$5=?LZ_ga-8B)O$l?}pqBW1q(fu~4jSqOFF825sis
z`Aou4rfe&(KfC1K*ku<ld%+s33xsW}4nsYSuL2l|DO{31nhYaz*{=*o*1{RXZAObI
zQaI2rxA`tsA;06Kc<EcwBa=jxFv351pDASFKQEqS^ZpHAKi!FtTh?}HV{?{$i$6S;
z)5JO(^U;4fcOQOsbdc`(N?|;{S<!ZDu%Q?Cu9#IRWjaflUDj1d>vJ}`Kj6VQRcUpf
z<MIpVx$5Ofvtnv`I$5hcJ%`ndL4ye74R{qBhR7sq+2~y-uZ-}Y>Oq81&{w`rjb&@J
z=&rfI<A7JE!Je5Vr7+OJHM^8)sJFNGMC?Qtm}ok$7S{R!I&9O9%r1-I4+C9bi)FdF
zxrOHfTGu<-vF%s3wVvv$t0#RUf0bWn>chdY5R&|bcOI~di&HZ)$Zah%`@nh9V{^@j
zn8;s&{+p*SsDd9AtB{b=k?rDq@Lc){sVciyKH~0LRhM2pP#Y4l<E<L7Z7UkfPw5^=
zh|jv3vO}fdgd<$_+?y>o@nEFEt@^A<Lqi6H5fV+kExJa2o@(N?whz~={`IyA0Jwj^
zpuY&z-|fPE{0l7oo$}W<#()7xe_<sUlmQ2a14C}${!aP-0X(Gq#mrnmTnc|tsQ-DS
zC;2ah|9SBLeDMF6`u}<MCVttjLAxwfBf)%#RPygiH!YX<OL93a=04_d-<^dhqSHop
z9>SA9$rPPFD9%+kns;Vcfo`;Da+`?WfFqy$zIY$l!hc-7eV@<9v6UWbbfyKJA@06&
z;1NjIRV-8$kEb3(Q><HK_mN7s0?|QXZ^5Qvkqv~QJCcURyBn|al&EEd{#;)8M-mcN
z_05B=3I?|ft#~$a#`yX^j@`QkpB=WB(b#AhuC~cbbjeH@ym`-c=9mxly>`6SYi3}O
zIW>gWOZ`X%s)Y+cLO>Gxl=6KTNpqFmIhGnP_8Za+^X<bhp806{(h{%xg@<rDKfN&K
zn>U?In1#r9GWrI5AJ&e#ZokK%ei?(OcfY1XzNh`x0f43VJ2y2HYfo4K-aG9!#fX+=
z71CZmN3a(*_A&rfcUimn)_c<yqS}nQn<bXV%cQgHEpuylq&}_Uuz>_UYWe2(4k$_U
z7>ITU8v%%~R=&JEef^41;pU`apN$HMF%AE2qsI-ob_U)kuk=fv4UG5s3(^y;BBuAV
zK8i6BW_?f*UQO8Waz&`G#|#G9xCK@u!4l1|z15g?dX?ePEBIVZNWpH^gWjjDM5LtX
zHF6QXU5`OmdH$ds<m(ac)$geG`W?<rPSw@bhE4!7GK_qomiYm_Cp`QB5CS-+gPs_+
zm|R9=7;XeM$7pGhMj8@01_`Pk3tI&hA_Bj@wY9bS@_Z{&g7g{Xg`Q3L^Bch7(NU05
ztW3VOW9GC4EGf>Bs%17p158X!^@82hgGJ%L`~Z-WURvFXAwmB+q+cf>KW)acaM#6b
zPQ&vnNT%fYkUYRv?vR)R5IDLId?5qqn9Ru=f(|(rKnV)3$UnYLuX?4}_gQ;zXB(l`
zor;<8x<WUv0sS{b;OAjUt1y-7=$e-(Hn5&&c6KSvfGYIZN5tOyR5hBYSQSe|75fC6
zLy%&Im>~-YRpNUhYf#4DUJ$iaQ}k3@4ea}1Bf^7IIpXZ6t##Sa(Atsoms`TtfV?dF
zyF4M2?(fZZ%fF^qSKBKqv#0j8wY9&GKc9sP$H&Kyi>8ELtTE^MgJn)CZ~vG(02(i$
z818efmPBMHZ9B(P@_~~x>igfrZs=66bGWmEH$>Q5b1npJO*uGoa<Q$aA<e$ksx(-E
z&*HRtq?|R0S`zXy;vN<j;wm?Ktr6ym6EWY;_DWGQgl#^yf7{sD$OfMsEJmi-C}6zC
zaFW6IDV4Bwql}P`2I^%!n$1-;*KS(m3enSXaB#d6$XEaLTJZXsH|$ML&iY2Yb}tj3
zfvf^wl#Iftb*2+f>UI$@ENmnro11Y>i5Z9QwFtla$r8!Y-L!*-%Q>)>3p3#v?-4t<
z{RMPOK_l}-B}9WHWNm+=cR7d?SrCFkRz|*wUD11tl=Yoq!2kXgD)=vRmGcVOW8~&+
z7gNfo%(an$l95@POpHRfS{0pjVNDA|OzmYh1};J~+5%mgU$prD9DN`a8}e}0NM36_
z=9CF!Txp^4q_IBfs^L``tL02~M{WCI*$^U-!NIv@d>fR817#YdkV|T^Ih$aMWPB$6
zOiaJ*E5x_TfA|Ip?Ca-tHS3rVE$~Kfz6=4FYmD)}Klc&g&h&k&aSegV@7^vZm@5sF
z4s%8SefXc#muLHAn@{g>nF{UdwDE9pySlmt2M4niNJ{m59*!G2bAJ6=xNe2y8!+Kk
z-H0SZ(@w;nSWxj9?9z;E>I*d*?1S@Uo$`{#$RB~y`0xHGt=HM_h?aMLH9})1y*lt+
zu*$S3VuWCuI&O#X1LS^$BLs@u)6z?I&il9C?#<IB2a3IH_AIWil6#6_^%Yt1h(`zm
z>u(snF19{>SFJo<c77*|-!EUJT2pR9D`C6)k<U|{hcJy~{gZ^VqXLH1Q9e(Jz5EmH
zBCR9YVnD|peLBH3ttX~Ja6~VTIS(fszKCn3ox(9ArP!F%K)Z4D`mtZfoO1=^hj4PQ
zWVMQ3g(5p6dNCR$xP;uG)EG{vk{UzE?MV}8?aQ!l@V6M}&1ZF8U7qx%#ATFA1_{}+
zcPs#`x8&TF`|3S}JP;YP0E61=E2O_xL-?m@xaQzj`Z&WrENn1BXofi--e_%SROMB0
z(V1KX;w0N5wzNm+Ns$_m&b@0OYUmqfhgqqxo%cJ&hlYfBIQ#TPttKe|yRHD7H9q)c
zUm!hhcf;GaE4iSrL^0K8khlcVGSk;>t9Z!}qulO~-)^`f-E4pEETJ0_#1MGNK2AgS
zEvxk(19h+D=O-jrQ(aSIbkjk4cyREQN6_O8j*d*}=i2qGL1;_LghlPSF_Y`3c9g83
z1IIL5AXW!N)h>G8%qrM3lfj{V(D)V5no)>=qRYyDcp?`n0v8zjHfE13(E*H<$`SS1
zlng2Bczyjf@hrcTJRCSdx!sgJ%9MPWln@uUjkT3T;3=uWk}<D|JP5Y~kof`mZPHOL
z0dr)eN~Gs^*S5TnxF?5vg<n8|h<Tw)XRR-D9cgfxIl%=51u*sVx!+EDIj4N-bSJ&(
zL~!Fl7h1F2G(CcMB1HaSnWU^(A&HFWuU3*^2R0(H9e{*k81>N{ICu^CXNGVKw<K4y
zuB(8-$Xhd5gqUTFT`sS=%XTg5g8~s+-*Hem>@v@pdzII`vCG`dppJ$2E-_SeKGq|9
zBk4@upW_+pDOo{<jBGDXU1=-Yp^U0`X6ne<wXuRNbO(1-R#sN-7F6ZmKX|HJ+fs{K
zNSD7IwodjsRGe(IwPg2kIuaJ}$}?Hnw76JEIfz=eBSIzT`gb$=oVJui|GeGgGd^Jy
z_vi)>%QsQ$tWy-E1X#pKJ0MOy8O}Rhfg<{NPai~D(%vG#Ovv5uk@=lZ=25a8a4lk)
zJ}9fkF+&+hY&{e=Zv0dHA6$}?_{iE~w7x6iD0tvLpsswI#0<*Wb`svM#NczF%?o|g
zrKzyopWZ3!=2<U<a$)??Hsjq<+X*DPl40EwbZ@gIfGA7E65R1>W*;4@{h~vBQM<+0
zurG(3++MjcL%zYBsGY5!T-0#-<02D`KI&>sh&%yRjQRASnC@~I#t%WRF=d_}^IM^T
z4IoMiOLDoVPew{gzycziHcB8olT1GD%L86SuSj}qY^+Uswm1@*ev8LMKC<NEcX%js
zD8-)CY1in=4<60SE6*aCRqx0;`WYQS8ckA$Ttt0DG^OI#n(Q<*HMbu1UE`*7>dT&9
zoEs(l3nTHL-<Ic71?@N!oPj84(UDyl*mjsrH|;-vGFT);k@0S9dig5qh@@`ll^DsX
zW_2`B0x~DF-O@AExO6vF1VgP{9eA#R$aghW`Qu*zmlIzY?l4jkvv*(nbU1IfUg1o#
z0Xt$KOMhnU$|lf)D#at4qI%DC&BeceBOL^P`e^+T-+K^4UG+_$@=tPZlo@iP^d){n
z2t_1O7#!5lP1IHIB3|LQFw-ww$~SNryx~F$$l@6kocwHwG56Svs(#1x5Th~QmYwY?
zM(mfXLSaFlI~-=S8eTp=5(rH4gM!=2pUs9L$k3$U&c&sr7M~I1_jR7f9A*2e20pU1
z&>EgL*H~|(ENTgKbk6N=lb1Ca+en$|7R(YmS5S9(tPodrOMedgg5JQADIwiW3aE*R
z2^L$@c$<2y!Hxv=0|F%z-?Kzzt*xzpLDOB%H2ZN5<Vpy@5~WZ|sN*Ht1Yz##=o1h+
z@6PXhj$7%ZPq|q5isknylOL^M;JwJ9;@vRmt(%S2%xo`V7QUGB10zKn^fJ2Hqq0bO
z{(g*r3Wrcb{G>Q_YgS*sU;M3p5ivG0QHdvw#VhZ_OwG89_dV$J!6_VV@u(M-!(H6~
z$u*rw<i8dR7E^Vy8&VjUo142I&A|f;W)C|N7;yuGzM4bFFApo)L&Q9ChwG4=*FkCU
z=n7@UW<{lDA2Z*gEv0Juv9gk2v8S2YpraQTq%zLWbCTmp+VWp?T>EujxPNdHRw~uj
zugBPNmfcZNn>kG^D^CAe`F-tka3?%i%8HIUntdvEbkvKTf9cOD6#UWH;`aQH03bpi
z6D)0^Jg=r=$y|xVG&5OamR&Kd6h+ZsD*Uz2Y3+BLHu<QjyYBw=E2z&ErP<2m<z=&*
zNKy;h=vQoy@|Ib%tUU&tW&w6+Ob2a(<%BEKQB7c-JBztq(G*E!M({*G3cCVuB}J{G
zK|3kw=r9_%OnDjvQkt#1{p#UKHTT*_0UOsCGY(R~!mdlEF*iA-7K2>BYC41x;U0#7
zr6|CTDEl$7V(N$pa^L0*2ni^C>%;Q<z+d~lp@7RC4w)$08yWY;`?ruLncD4CKclvI
zbnwp8fa&)-))XBc?ceqtu3-V|v3{+#o}RC<m2>^^Q_lJMZS@R>eS<8{cI<A{DJwU%
z#fQC`Isxn+8LOuOom~|u|F}6Ez$Wz%N$Xo(`H6_YR*juC+QrAFIEti65G3-vakO%=
ze&gMkGhph{BvyCVt!;$d-f(qola25KTM{0!Os0jqfJ_-6ODm|Rx)tZ`vG;mQ0fFT}
z0sZIeUZoJvB>{aV8~d#y&p|<7r(Oz3#n*&zs~}KA;pV?$a-V71HH<6c@}saYZ@Xqp
z2;J$;7JLWR^)1|-v9U2A<W23zvCTNWyW59#30dDG`!iHCzvD}wb;HPzOb_+qM98ld
zerwJf8aNl?QXXdl+l1kH!qQsbl(=OxaX1Dgt+g74nO7ZDU$p1GY*p380b0rtp$;<I
zT!SaVa!&-h+Nz3TetxYhO@FYe(Zb7zL`3!cjOPWoDm9rNZcni<-c@$bPoGw^vcSUw
zt``ELcDjzlhgDA6id@LiNy|z`7U<#X`)Q`WIx|U@V&G&7zai`bkXir0baiEpOwiK(
z>IfMN<0Rak7Rpig$aWYOVCUrx1cC;+a9uAY`_-w>bh+($p3ppx=BmJFBH!gggjG65
zVOb@VX}h)fv_i||=KMg~i#NxpG7s_fsb@nf?4yxUkzK4q*KPAgx=9{7t^MN;lBnRK
zzyjCR=>i>nv7jL$(A2gdyIG=h3dl{DBjFwUP4`z&wcML^_>@6eOYbo(Y1VHnH)eKP
z;De{awut`A#kAdoM<NVo`4ujBNM{>&N-9>RHU5}_r$K1geS_9Y@u5hbJ)nlslo7jM
zzB#{gX&V!&E3M)_I(u!LgB1k2RiyscZPYm1R{)#Ki;C_qvtH6;VvIOQV6}GZiqHP~
z>+9<T1OyK1EJ^LxGdgF(7y{Ha#mHViPN;;fxmh)((0U)KB?8BAbht(FotnYMp7Z|E
z0q}ooEXm+{uonpBe47mMZJYVJ>v`4EGh@Fy<=9ie!DV!|_}AzVVhHF-7#XdvcZYgL
zoX!&YgS<X}HQjEkCgZO;{g8lpH27<6scHtJ@~HJfy6mSZ^CH^tRgg-K(uZli-q5*n
zX#Ab(l0EY*f~tciC(%26&5pK()w3-&?wT=@9AbXM`AH}9n^%VOj-O8W2sa}QDl4lh
zES7%RkVwF>%&?w;b8gwY8s*+lR*9kbx5yWIRqJ=T6&URh|7aIqoRZup4r9PM%N8jL
zaEg$w*F4^o88X!HrQ4YQk&4-*J)ho{pM3E{_4x<QEWkN4V4ZPlVqzV%@OUia$nNT+
zRS9sc+wCnU9(8`l|IR<6cmN*E{ih0903%A!Pj@)?cYS>5VbuKr4k$GhyGnoW2(i-U
zQ?beitANIO=u%!5OxZ0EP!OQf#V0|h2uBb<VPpYR$Q!_Ah8SL~%3=c_x4-2ZGw1>Z
zX%LVuiBHCbX=6k1))fL#cxAe`YlAUHU*!7M>G{4^VfbE&K=b~s>Pq1x7UT3Nrqxn+
zL0)FrYiPl#IYLBlR@_ET#c*;GrSDG8(6LP4(1Q9(ge>23#JAyr)K`m?*j$_?KP6a!
zA&>8eA+4TG8ql_gWs^y2JJrF@C@^#Ip9q<qzu&4lIkEE?+*@{E9T^!>W572|Pfri3
z1;nd84jDWnq@xHCDpp&c@>0<LD)sjnd5qH)cx*9?_YUMs3#^izjy|+2SS$KU9oIV^
zm;k`m`<YzX?;y<fv`}{?sGG<nWy>k*DH#OnJ0k4t*htF61}D6J%z6Pu24b^WQkY#3
z3zwrdzrKe*q;Vh&{k~K=lSK)<@xjEvK=Q<$6T|><LLxTA7r_b{!dZTI&V8C!W6e<#
z2C94!@F0yvZR;pWBnNS2qgqsGR~G7~v$0Z2H}7f1I{G^bX3DNBbaBAUkn-dEwzEHS
zQZg3Vh}U5Irs|XB##JhM8><dwe2Gpm<MCJ01IFP_b$5%?3}i@s1}x%l3d?uQ#qBzS
z&XSjR(7;rEM)O<M`z-pW(>MFqeYyaeQpvzCc7Rd=$T8xr+bHVb^bsRjx0s9;VYmX*
z&`9j$4HA^gC?%H?7;=VVz!iq_iv4U1GXHtcpMYuUHGN)aS6_EyEWz;LJ+IAr<7Nt|
z?RPT^q86=uvDQ`*_K<gDKhR+<qCT3ox~R9VBl*egLf^mY5G~F8v-Ju7XAAtq*}lYc
zw&jQjrYQcBxy^)B__(FU(Y9C>Yv1ABb6}iVcIsHenYlf~`(1W0K!+gf2jg%;*T(SG
zP_<pzGAZQE-vP*D7`$baV>G%MA0Kx(TN8o(+0g!k2`ie4iGgLb0ydC<S!a*>ID)R6
z#^@ToeiTggyiuj%)VF=d>DWI;Rqk9Nec<j!sdfrwb!RawboRA*%i1&)8ONPS?19?D
zB;trFmK$!erYbz`w*@3OYJhX+Cl9@cvCR!<HcB4z{MvZ|cCaMU8Z(s_o?oB`%p7<Q
zQ58P#et8aEebxNx3nO@{eplR9jPl1IsXU&nTiT(f%g8l3_G<^K@hY(9MVp;Rfxt}z
z4<RYJ5e_pd<239{g5jYY=}y={vOwEz#Ai|WH|pxJI@9x=&0&ZdAjr*ZVj*Q$8-p&P
zY*<9Odt0|RYVpIB3t3_@)0Oe=^zu@8Uuh0zIB&V$mImpCd!2g@o-o$mY{Zj;A;zG+
z&-7P0mAu^XuHA|=5RhKEc6nAay%*PX566IWfP&9*_qXq>iK1e%M3qQAr3H#vZnO^|
zzEqhq75;mNM;E%6<QWpf;RRP5C8iHz+t*EvBD1csmY(5L24&?1-%O?N(4MO=J~UZJ
zF&5g+lo4)>R+wy?E*p)C{g6LmHbBGuIoT^B)ch;>Pi7FSx=?;d2LQ&!nA?;m5@cx<
z)mL}6pnBZf3$|f;KuG6&ru%$iq82lVtNgWDN?e9pON5q5)@KAQE%sjvonvjaHrqX#
z?@4!mnD_pgw<UDYbm6ex*6zjD3PKdVMwn9nCA_Pd;D=}So|Mf5Hw>v@-?$3EmI5?6
z3+DuOo_IP~@(XdGh(LK*=ZP!Pp<m53iPjzFEmJAcU)~<+q=pZ7jm}e=btsRMJZ2zl
z_}m<6v9he#Yhct(d~4wI0CEL!Ncl_*I5zfEd=<{j<7U|Te#fUhclhP=YnZ9@o*%+j
zUVv{4>FJBTiH^ba0O0W*y?Go3lq$QJOpa!_AcXwzRoof0Cqw*>$__?2YMMajDt;_U
zSY?pqUyaHNHop&!7c#WDnXs(Ve7t}0Yfij)YV$K62JTq~Q|qI;1<PlXpB*8#a(X;Y
zn0vyX2D*||@#Q~+2)Cd-BS8hiVR2GN^1bO$wIMQdX*H|EMutskhpjU*yyt#RJSK59
z3~RU(1SMa>Gj~(BbO~v8*xi&Pmy_{9=Pxz=(XnQs5_g4f9DYyaNl|x^M4}YC|NQ*n
zG6H=gqT$yzy`P4C+h2!(sP)<RD+#HAi_<kmRU;*1vsDMCX#FP>k~HhE$D+pyB&=rE
z+fnLbUN*2``Ixnl^=Lw*GiH-r<!?7BzQDFdf1EG9LwQ>oFYv${`G!*$;kT@Dzx;Zh
zzphN-t}AK;Vtn906SxdH6F7~F*^hGOlyT{dAP~x`-+LUe>Cu?UWo$pf3M~YJ7=l1O
z%J_c`LI5Z?ivrRqj&nW`S=3>-!tn+$G&(BexPkPW%J*`Fo1TuYr75O4^>6<ArOqvg
zJ@OiBXsf%s*b-WUn6HWjE(#Nh?5qh@=PpQ@5n0AUTkrsZQ1r6M_<($+0a!Ls4CL`B
z0Vn$y@vN+6iLG+HHhFxkL~Mo1{61dvKV98+_BBtXDSODYE1!hD-8)hYarzt|kFSlr
zLf;^vc3|Zr#{Xo)$$si*gQgx?-Co_VnczQ<_4*zcjXq-FfKPoUBp@kg?c^TM^js9t
zQhCaL&a4C`JI7!-2&|K4j~99YpG`Jfs>L4;!m|@T^Im!Dc&}?}x6R=U!wu|~Oy<@I
z{vi4TnsXxn?CaDROXY-MV>t*s6*Q_39A!OI+S-%+TG(SvzQ9N$0t9l~WE2dc0K+NC
z%%9$dc2kFPS<mcJ=s0`plwI%8E*`tlE%~i6ufBDw1K@!#?*#%I-$E}+1>FBaDrqBT
zRhoNMhkts&)}y8O&#k%<tGd-!$*&tIJpymP=`lllG`V`VSTPL2@EvZ=%=s<nme=p<
zX2_WJ*JI1tKn~5?kk-U)C*BMN`rAS0OEmMp$jZ#Kc{U8p>Cp@Xz!qq#;W`Zb3-;iE
zjhQgr_%bedtSKU3sL)3UXM=tPE3I2h-~ABr{{<KQ)5G)+g0vU-KPb>Y(9&Oc$fwes
z$S%@E3%}!Kpi@UR0m<F{ws!qw#jcUHH4yvc1gFS?I;K@tlIrur2j2G6$X8JFm3zBs
zLFjVXRCGn1C5UJUJ@E_W$G?<egWaAdi;VL#QBmLzvQ0xlAKRh{iywz|118mQRR1(a
z!9A7$Zrv34R}M`+rT3&vCLN!f->^E8Nx54OVIv0p)BXepoZ|HInpDy#z`D%sq4kIt
z!gfQ;imI=xZ)k9Lae-CfJCKFm1O6lE!##DrZmF1d@`;4rwT_OZ(;0`HM_K=>IzPX(
z^yqxE&(hM8mzUSp*4EqG+hq)DAo&sS!1wQN^&)r8G33=!rG?S74S1Z~8-jn&%}OA{
zKv`m9Vpz8bEZC-|rdC!~#vjnu(Q$Woe*=XxI+Fe8%W~myHP0-1c7(g0w?o8`Q8)h|
z^vobBI#~sUC<p`t4Gj$y6%`As03caZT3dV79g1C3Q{y4`2Intk2WxRlj+9&wA8Y?P
z)q||s^XEWWI=!#^aS(3<Rlei#>B-mE_v!I*Zx`04ktN`%qM<Q6J<Z9<Syxk&r(Oag
zL=38G|A$O6&-A=fR@)h9*Efr1rXgK^?7?2_39qXg5!Tb<?+F{;-l~9zZ{M=Hd&0xR
z^;^9-IXG%-Yh7GieoXD}soQd;F}q>?x2Ivcson*&mtUXK@D<h%NTa_xlHHg&A^2E4
zO6(88YP6=N;`~A~Wg(G~`9$5tB_)>b8!)tIW+qXkXv;HG28z?YR@jw%@k04`YyQUG
zvh!2rgK>^+*ui*7N*aI+%qrQqD<gmLVc>ALEKQ8`hlEKECOSGge*Wg-;)Bh;Xct#~
zP0hKL6(IqE_@QkXYB)C#@jrr<-5Kv_9r)!%G>veiD(Wk|TpC5*2xL~t5^(5J#wfRS
zR<d=Xid_}@Aguf+mvV{$lBw_mgD!4>A#ftK=luLUG7>Xb)CgAJK^LhEm^%fB|MT+9
z0-t@3G<+oj_>`D<j&cnuSjX~KfX@=GJCg2~Scg|CPQr2@3gGBsq+xW#!mhkDVeKzv
za>GMI)^>I$r>9wIX^X3?vlbjKRnP+Q%2gmtq2S;Qmlk<#y~V&R3P<n0cWTnx%HY48
zG&zEgjV%=n9^>O0b)WoYu7&`Isf?Zs1QG88wWN${vjWwprKF_HO-&P$lG?w#_`w)t
zYa2-+-ot=##Qm@8BrD!uu0k<5X%BF)*Qt}UzB$d#ufBp6PHR;NA6rfLAkF!hWjXo`
ztwiFm<2n&{m*xQ%RI`$kljGv1=H})W7iC?IelN>;AMDe~5Aia=-4OmOijdG(g&CAC
z(XqTm5r!yJbRp*zB&_O5!%5gUB;2!C3CQVv<Z03JAeP`GU&XLvhNH2;9awV^CN_3O
zX(<^c<>9p#q^skk>z`gp|NF-ypBrv5-(b2fDG&18TVLORqa*v)-xN0wN#hyrmAgA=
z4`MN5q~7!jOuzWhF3-<jV__*sOMAeg37FKw?9bH|hZ>hNnN)-M!-6U{>R)&p4vy~r
z+|s`JM2l~Coi4ePqe{d_mbn$hjEkhAO<1z(*eu~vU{e>ma@iz=mPdOH3w8JR_hION
zg+crC)&A7QMRi>@aUQTT?>`<D@b7n(<}^Y7_$76mx0DPG@Ejg;yx-z7@Zb{oF#@T%
ze+=u-NpqBKgOL-w=0J;xj{X9}U0_y3N-DIjS}R{Ar<(YP;XlTF4zKC7)6?hLbyf60
zCEPc+C~Zkj%N;j;sH2y9jNq#i24B*aKvbE%$D#?}>E|jZ!*26gSq2^+9#&RXunYH4
z66?NSOJk$7=?JV0o~5(j(BYx`pVtY;JlCkHwPnC%u^|=|YItJztM7d+@`Q`eySwdL
zdF9)8(*;vn13VbOa;=TfSXm9mG%y%UDd_cCPj7i<h6@C$YHG49vw<>T*nRoeMguK>
zn`iyGmQef+)5}mpBmIzt$;%=~?Jnv^avp-0lircYn>2_jo;SDj@B*Z(G+_j04w;#m
zVFm>q9sSj-S3hk+7AgOg9E%f|s;a?u%LzIu%~x9WQX9D=GCa0l%$HW{d{%lNF>K|x
z-i^+FNFxq4nz;_U%ejIw{HO1^xf?Kjhwb(7@bLd4IPA4N-~YXhDM^11_rw${@qiJ1
zj6P&U;3fYwZ%RcWZx(9P=A*H7m)c6|XNqrDW`l)^DK8^4I5J{uWp!|Pm<H3x#l>#e
zX+8ftt)2Y^rM~49m}lk_RbW`g9{0qnJ#b=0lcr7qQ(x0!d3~0l?#0{#1+KBqe0oZX
zmb&`Q^OJY6jlPZ!KQFI{Df`mGzasN7kD0__B3YLF9RbBx<VyS!3nj_TYWsV;+Lq@X
z<7h<aIifec_OR}<s$yQ{_wP8?rp{twfpyiMFo_-;G((5`M?X4<R^GEwP>heFEJTN1
zzBoY^Nq<+$VdG35>R(MJeMAA1@6&?3)FAqR2Pn+unGY$cikcd8ty(2IvKXCuharDR
zV`pQNk&#(x@f6dTOGrq7c?j0XF1UY9xLjW-2R*3v_qbZ-Wt$?=$)cl!g**+j?2m-7
zTAp*Ask?h#U;Q*f+sm>j;!rFo^SYO5O?32FR>Fv@tE--#9;~Mo_WnN4%O&Zp3tq$h
zt9!K-OXEs8H=YhdxTsiyYSQ^epUKUhGiixA-f(iLt?D|r_wcAGo7QYq44RPyPh|dq
z1==tdlbcIZY(qgp0t3YP`1nLk+5dIeKFG_zIb+(oHt~felQMpKr{26cI#3iUO%cJg
zCn?F7YtB~XeLHI$Y2@x^H=kDQh%ky%j2Pu+s-G{ur1wGK*RMaT?_qBJ^ZXLbQSkD9
zN*IyJkKOfzbio<@t&3S>9Lph2wJvv)n*au#Y&=H%xvVmfzraI(r2G?rZ=%wFKP!Lm
zF-#sq$2|RD-W#6#LmJGrsj8^JJT?r80l~`u%4`ah0XM%9|K-@MUTK9z?$gUJPw!P>
z(xa+5;-31;luvpJ1tV?V`Tgs7had2S<G=NCGp3ocX{o8HSz9xzaoOA0FyNzo=K7CF
zL++C6^|SmGFb=^P$S-Owpdj2f6XZD$>8dC0+a1op0fANL$p{G(VL6(lq}in<SeLe9
z!pOtJ!%rJnS_gJ6|5LC4-<rU)#nE+(_rjtPytn8!IQ?p2#yepzNf}BT>Ptlsp_N#t
z(7hKXUThN;6*W3I_<@zRaByd0Lb=!`acCP54BwTk2OL)aWaCM<)w=Xj)W-&W`!2RJ
zm3Qb%zwjLYWdlcSS@a9o`8MnHVrY4miRY~%jXljuOp8tjgBijn2T{7z#z-FO=9)3_
zai*`;r~u^&cs%MVWw{Qj0WiCct8ZE=O&PhFH)YnW(Ac|x;uF=v#I^>Zbk#!HuT=3{
zC%RPRdr<<b=ZF=bEXQjNX6FpLXdZ=X)IXq#DwrI47P7#Z75?hcdnqsB$9;dybNR)`
zdiK@gldxsG#!_*4vH?L*;YHGgDs>!lV!JG<A|2fqW8$p-&Beh_H7~nQ==?_SxHn?5
zG#__2NLROacF`Y(p9N1I_|1(hM5_-7%3hcY7al6a47SwW7EvukC%u6fIxDxKw>K|O
zsNSaR1Y1RYjA_euw|jdQ0u=NWHu?qz^o#1p2_vZ%z<M2|E72b5UK5VrA}+@<lkTA)
zu-<a#Xwgd^OV22-_bP^f=`t@7b(VXhg~|c@!2!u1+2qbskabl#;ucX5oN`aef@9ZF
z={6f8%VOunTTOHTe?2XvEDQAT#W*U*>MbGNk}*0_o7nF;dWBWR;TTgNZ=n3u<LUBr
z1|pces>?mFsy*eY-7(*7v}-)51xs_~+w9Z+Wxj;%N4FdSPI41_+nHIl*6NhTE@>yM
z*uu7w5^D>KZ#Ex^2nlO7xU6$K=gLE>x--&=N`TWw<DYoUDCYNJ5M|-$ckis4leHQ;
z{$+L)z{B$;E3bL#$?+W)J3ps#Xw^s=Rk*tRkXjgnD@{V1VC}nG$MIMfMI2VGAC2rZ
zsn3+1$#hxh(P$L|@Zs;gGr3^x7(Eu>JfVCp-u^}&rZwH`RGtU+D=owky|Djc@V!vK
z8z|2KSlkA3sp-jVV1xlekbPK}PXu$4z<|h%Odfa3mBs0h53QXX4%Ygw!6`b+gb_ve
zSKq!d7Zom=jH}8s3lgYp56eeX`SOq))lig9)%`w+ANrHbH5E3xcv#C{SmF6l8d=$3
zOQmaSd;0p`Nw)9oDpe&%`%Cca(B7TblB~S?QhGXLw(}|p<@rC#J->E}=+x-9S?ey@
z@lCq(%VAnHbvoVXpP2qHuD${&uC3WR1b2r4f@^Sw1b26LhrxmdcXt?qyM^Eu90CLj
zFu1!zfZ*=_PwxGm{I8&<rl!t0d+$Eot9whYrc1FJ&m<m4t3RVTZ@Oe4I+!95M?oDY
zVybsD+i(v$4#wrSZ!m0M^K9*JYhAULuGTRnBkh{(<r@<JK26WpuDZ@oCwOpFP-fL&
z=`}Gow~u_kS~6i*(8#9ijSU&v$Ij~G%BC{4Vw8%mwaoz-sX4f#jZLBm=crIgB^9|`
zZK9SFIJ$|ad^pNU@sE-%DQcPC>OA)D`I=TvQt2ljJyw_SiF-y|ydFJvDnl-IA(nwY
zhmU-4u)KY&pfG=<3T9BFeNCj8;#%QT$p^Pz5^0S@b3|YkPxtNJqAIrc<qKtXYmvV0
zMy*V)ZOth!?A?-f<wEc=xzM}=FXPYYm2fsG`Tc44mKJnUh0b+CnfwltA*>O{X6*WH
zjYCq+5w+>J(@3JIVsyfv&=t*ltA~aS$GWPS)dr0ow|&T!PwZ2KUN1bmj`XlNFSYu&
zr8l=z9K^KLS|;1O&KUWf#+OKQ2JAMN3~XSLef@m@q`%@XD|j+IaX*^VV3y0~xxx`=
zs}Jjl_L;Z&t$4H8G$Ag9Z<jD1XRO#_W|O38t6zl3IzLX#rZIeaG>M^2y;6Fqntf%O
zsvh(45UvWYz0%PjhPxX0_y{O3T{P0hDmWjW3$#57!hzI*R70q1N_^aLt31Ei_3{bg
z6DsohL9qAE{JH*MIFOQM7z=CxB49cjmDgmqcP@ULr6nbco9-2OTI|zXq4kT4<6f51
zHlg=v)z$ihYdJ7_C<mGyV&AZCunnjGTxG~iZXGwF6<E2Apz{+v4^N1cxEQkRTvw*T
zk#)wvNf<C9EKW$LBL;tB*P`|Bhk3suAN|Z^2s|!<CX|&-2QffGtRUwB^C2mWS)){b
zT`cdwEZ#~}zl&A#nU9y+FibB$HR?t&F1e;lrD1cXzl(}&)E&Q42V2{<VE}qOVrGML
zzTZ=gg;wTrA6ReERTR~l9fQJ#>>p#Wco>>_Nu@$vnz{pY)aMoGa233B(hHLt+kQ-%
zxhycFYxoRjXUa<O_qRtrb7KACHD0ih89XP`k(n8mD-E;lXg0sB)WUU(#zB`OV^YVY
z;l!LKX3!umQgf{1X9W1tYKD8oTW0m3cuy`S&9Wn?W9$FONw{?ON*dj)3H(y%5N)))
zIrMa>Y+zWbb=_IVSTg<A%8`1X@UaTUR`d_Q;iZMsBW?;oUB_hq18P{gb4dXZ55&uR
zlc-*mM6c>QIaWQSPDj*ojFF`~o=b{zH}8WK6u{_SUdio0g3n%jgV*cxI@%nrd^+Mc
z78lZu)MRm~7SdQA>i`2HAR<BQ-?wrx+4O3C1`HuLgKv$JH(*|$XNdyD?onPd9_eA&
zt9h*QIp$8OjrEyeVnM40;BV~G@x|v!DZ0%PPWD?k<k3+K8mpcZL><_<$vS&I8GavR
z5^>DW%X1vf!XV00C#6jJ=<O5w4NTa@)Pb0R9N%qLR>)IK|M2Jq2v{R7!;R#?+^4Dp
zMbuu=Q?B?#P+5=c^v@TMO`Nh@f2TR_e;Xo53r^508;0w7mt;vnWDwa`n6Kt=nu=bd
zSgAG<yTN2(xkAOQ7+4QXX`>dId~~7}IUmondb8Q4@!`HsLyx;7`kMXXKv>4$_v2}2
zo(zpluJ><r>Sc9RJmC_tL|PkmNYp=?7oJ13I`ciEFvr_(xhUATC)uz%scC8dLa!8-
zWW}P%1wLDbUCI+AMMrBW|AyO2xbIpXzxvDS*Cehh+H}$FfzLM2`iPRw`B8Pb;a_;M
zjl#3M6F=Nsk(N1)J0T<Uow7%yh^|d&N67^+NfC!nt8mPYm2MRoRy40O!F)nEG)WYD
z<5ShM&=5pBfG42MA&ZSYge1*Tcu3Js9ZF>4i@Nh|r#kh>jZaO8ae(;yGKSd!en|*p
zn~O=!BY;)BU`i)9wZ(O9b*LJSswA9z=&P+)tgoQ=b;p#(Hya;n)ZJ^oukS-A-iK@3
ze7_YQutGUQ(Y!uR5Gyj)Dl>M(k~gnF)81U{5t#EZA<}k2Eh=*X#d*n*6U<q+yc`c<
zjT-yFK3lN6|2{yQH}0`kGNsS3%^iHdXGXS#16@K@E{@J&JVf7jiS)7(xRm>;;e~QG
zz}>LQ@HxrT#x*Qfym@7PM<@xdC&IQtt7y{Rr1CgP8cFfp{*|l>rOf9pY4&L6?=d+1
zHj=ED0$A9Q3lg798QxF!C3*fHnivr?3T2Dbc>bnOc6o$|BQG;Vu8@G)nZGkgsRFkU
zRg;}ZOd&@<8h=yp6N#7-IyEl5a0&e!IYykUaofnlRvXVt@fdS)sUmLzKA_RulrbVp
z^~h11RUIEnI-}{b(-pELDAM7<1U$}9JU4K|9VMKODh$u3ZPw{GysI#obs=iD%Pmrz
z0S1lYG_jnmEbQq@woK-T-AkDrcmSfEEvUXolBxVgaaS*O?~OSsC0kmBubZ4?MP%sk
zkz5Y_M5UytHMRJf@UuIEMxMqg${f^MTifma%~)k|iMRM)<s&E%?&@T5?5;(9HP(XH
zGoit{HXy~YtRXdbuJ6jrD6>65-gOq^%OP+Mo_BgvZUQ-kMG3$LpBo$<AG@^}Y&%*6
z;w}f&kCzOb5WRg3X*g!;j+)0EnSe~UtgPrZ1?)%^b*lKEDWq#w-79~SYqxb(uV9y*
zWK*H#*oV%!6wT#7rWay>0BX5ccTr<-5!GH|hj_5Aqo?uMvg*^j?er~7yx8(@kM$Ti
zNUyxcG7l<D!Q;PcytR}`U3HM3ntbeg--I*=*B*nJWn&3L8$|3B6r}xfV^}1F0fD<P
zVddrcjXX#j-CsG#!fA(6-Vow4hbB)a*g7~KIQ23FP4K@v7-{;NrJ}iBJCuhTG8|Kn
zTcC>-DN{fc`>--LpW<0yRx;$>WB6J2y~NIYkv8wo)bH{Etl*F_--0D+y|zZ1SVmJc
z3<k)Xv#0p-?^_?5BdF%#g<gw=2Y2Mr^0k~8n4+B}>*6h9vPsP^1>2M_I<bE_VVwo|
zCMJ_p?}XCR<}^(pd_B~jnY}bcFk;iWbEf^-bp*jAt4%zjhe?mn84`3DD@ZIX+?DGd
zoyA@?p(eOi@cE@HrFG{Bpa~auN-W<7Q8Eco9J26Fu~3uW#Y%i~a1%RqB1}K#<xgrl
zdN$$9^rcD3f^|Z0EUd@KsGFc(z9Sa)V8=K1zyw#3fA9J8cqvVEp^3{<ZJGb#sDqPA
zw-ts;NJmeP8YWh&gBN9;%c0nWj}B>Im)wOZM9TAcW%D1~6;OR%xXG8xkco}pxTEsy
zQXk5K!HNMEq9h6{Ph*MR<Y83w07m|><lj$k)~Q5NVQ0$)<o`TA@Uuvfn{VQlU9A2|
zSTf0ICgkU*IZNXP=!s{PmgV)9^NIzHp+v9Pb8Ey>VuC&ZloPTGm`}G<sq0Ho!0*B4
ziRW%4<yl%09N!<Ki_0`4e995giEReOsn>;i@S~iKe<*3bmgWa?ILY!2_s6_-)Hu@6
zb$l{JQT0O6X^VcfP`M$b)~#q{j4iiN@5Lb74rIg!z|Jy!mESz3OmN1d+3<Uq#|lJr
z$Uc{$n>A0Jun3jnWVOKA&g`Tx{>d&aOrJy!#-*L~e9}&=I8Yst+}!qJkxPHmF2)9j
z7>&GWm%3$?;SqYb(j-Al2H6nbLR7iWV?hH@hZoIE>y@WnCevn-uBwcXcAOB5FA(0-
zAN84;6DrAlm<(;--Wc^Zl$Rfd<^-e-nqS-tEM}Q;q5!5n6>!lZ9{`|W<A*2!UT0c8
z`J*UB#5RSXZm-4!p+cppzLZ&MaY+O^kCOTwqzBXiAeefui_^;zKM=(xE2}I3M81E(
zGh!&l04c=bKoGvg7;H^XPqV#a)IO}9@{4#Qrl#pK&y&=2sQu|9HmRFi4uyEc9}NYy
zqrl5u^ymd)M!CchTB?qXCvOGD`3$xap6QZ;>9TiOT1uRg6XHMJ%M4^k)=o-qz@#k^
z`P(B54DBCmslCl=7{Tvj@$wW+D6c)AqBL41E|PgLX5N4z>(qaE11!pV0H@f&+kbpJ
zzSfYLvQiXTRZ0O+C&~GVWqyJ8CHS-%t)$UV0P3~s7VTw!fSNuiGp1-L_X(AYdW}*6
z41ld?nKP~TCJNTv(~&}qXRdy5xC@Il{`;pcQB#m~4cp_imyTrfMIo7=#sdmp>>85_
zzc3MSMs;V|*@U^2(a~ac^cCb)GK@;aEuDP7$VM0kND@n!h(*h9!ezL}<0DIFNA)8=
zQhrM$1@QAE<B^%CCSG;+K3gAkZ|#;N12!W*M35&hCRa;9iHvaT)Oh(_wRuJRP0(&m
zouQjjrgm*H$FH$CiXXh(YY8iUm!FU;Dk^S|jzPB{XcC_3Qh@kp>0DZWXS6=1l@C@g
zn$8pORwlhe9i47>rf!8v{ygY$=*@0M@3xguMClj7X4T3X7LIwzd%=&RYqtE6xE~ML
zi&=g7eDE)jc`-FRF+5wum8pitzF)LzJfiMMkPM$nV_<hbf1CP<pTuKYQ=Zm^pV$H}
zmBCMXgNBCo*-jZ5bX2J)m_e$Wy0q_9>3UO~i?GV!Q<s~h>6B7;fZTf&1!W7<<~TYU
zS!j7PPvANvG({aGS3*!t+T*>918L%Pro7R*Mg<7f&%?X|z?2pO)#Z8GVVs@-h@L50
z6~!u2tKFjXIJn4&AuTAiK@%3-t;7~KD9bgwMt~+C%U)c!He;f&^Ij#0L*d(ZzwdQN
zpY$7h()9|~2_WW2s<}ix72k-+*vF?XOZuLs6?v!P;3x5AKa<8rXn3ZMzzmLzpiSWe
z&o<f>Jex0MO0I}RG}{tKf8*k0_1+y2j@{86wynmEX_Z@go#HBe-TXl80{cz<Xaw-&
z_~Q;gqL5cU=rg8EK)2mH6ZKy@EjlB@i_8I>;oON-<YJ3^x?=azm=dYGJtoDZ%(m=w
zsIum9_S}mB1roT5T>Ymen&8vdm~ImaWPI^_ET=CC0?{M9#gdFR-@4OprmRBxY!Z4k
z22+b|Tj=Wyd7OLKl?tgMtAg7CckKB$FCGM7krXw0$5;|#wfm&cb@{)Ywtkl`kuAUN
z0o!*Fg8Rm(;?_0Ssj4G{Z`9*?Hh^`DZbp~VAw3^9gMgXxRh=rVjTXn3@Q(Q?L$j^L
zW@?R<5qza$kDpz0dHS<c5#YSa(<NXb6DPEBC5UPEoP}OI48-;!LU|?PeCJ`jIPG(O
zY9-9Oev_s1*9cSoXXd}M4byFb-b(U*q)W#?Lly+UEawLI0)hw*wCUTFwzqe|Mwxb`
z`Bi6A3_qMmsF`wWVU!snVL|Cb`Y|J0OLqLisd~Gb-5cRe-PVjwB#MViNkezyI^U3f
zguSA0{yx7y6M|L9UO#6Xk}knL*Iz|Q?U%%dc=G3GxN<U(0yu|5%unQ<H-rC~L3{+L
zd!cBUfMY}QpTG5o?DUu0)Ix)|B~x&&*+rJ&dC|{Eb<Iv1<Q;mlU>JsW1^8dc+nNzL
zKf=G}qaZ}18B(AL(^PA#x)-SC<e+Bz*hDJ}AdOMJdI3K&!n|%65E<BiV99r3BsLCQ
zWKXGRB~)CKKJdCL(?OA_=f^%%!oKNYnKf?&yGJ>q^U4qGB4}qf0FeUWelVKY&CyD;
zJC|Yi8?Jess-&yXN@1Sxm-#aD;(p<7R2wG=6Gw+okd#y{xF<bxLot2(awkFuKf^CT
z;PXZobg>k=wImDfs<#@CS4oKcLo_WBQfr6?Ix9N+#@)bMO)sxmtp{|zz8>98GTXVC
zQN-1DGoxUhrO5i-rJ#wsfVfL{=OWz-sdu4uNB8G{y-~}xPn$Iy5W`eLp(G_ARSH@&
z4{;>nu_f7m{E=RItL^m@W!Z^WH_v8XL!mtN$*tei$nP=(``kjkhQL>Ue2B%pLKU$&
z%S>ipeh^$2MiEpLU1C;q@HCaM*<z*NF{L<exaI6I)jhM$0s|@E?(KWuw=WvGY33Sx
zf16zFU}au<%fK}AG0*L`X;Rryc7ZoQ*O+%#tLR`+1JO~(?=ihAJ4pa7GL89h(@I@t
zP+r|u#8v7sor0YAqAufY*q17H53Ezm(AztEzQ><A#>gH)$??;y+yvugUFwM|<o^a=
zuz6doVWoob4Td5-E{=62I#(f6=RN3Q+v*>Vtyt#DKa_`Z#G}D|`5N>?BmRk^E5}0*
z4un;My@y;|{`y6d%8P6lNl5nG?K1%k3D!}GKrehXVS<V9lHL}kqTa|+C_pJ8p~=j)
zk;yCfLpm?Lk<h37iLlqqcPV4PXU+R}oZ}bZVoDXpG)OUB=(#QG#M)ArW5Da7UKB}B
z>*ot%2|3~we4MGhI(;ZdZZ^K&-rAm$9pIaUXDe5F-2w{Dot5KqII_bCSLYjyO>Cwa
ziQ!GrF)TCF4~NE_S)(-Fe$W+8f9E3=+jH=zZ&3)K%;c#u391Af=OM*p23lF%&|sa4
z?*@9UWaa)8*z!e*Iw0w7NT1`PacbV@@VVkCv6KG2%yfOK<3z}Gm~)l7iXN@vALlT=
zE5bdy9lUx?9P??(k6S2e{nIJ7a$yGfy?I2`ax#LPSUMONg&*JAbYvx%nex(pV*4B$
zv-0Fv#V;)#i<WhlV^t_(rO9zb3sl!|i)Au4En%3L>^)8t>gW;vQ&8xOGDC|`imGH~
zTK}P9<oOQ7Rh~ThTb+0dk&-;mVQA86Bi@ZN0~=^u?}12W8|w6?zyC4r_!VGc%Q-{L
z@wS1el=SV&o2Fj~B8fx>fg<m17d1Uw_YV#lrY(JLreS#_EM{^Z{ohR-rl8zj3yhz3
z95VAVY7g#6BeUI~IP=|eJ-6~5q)!+#HX4K_yl`JsCqK2T5&Bz9O0~!dP2G_o3G({T
zohsUIxxu$AbIsoyex!(d<q`&KE2GTXG|t+fBZNHrzrHeopa(|6b11w%_&x=`t2;2s
zBRDr#FV&cFxRLEpcQNNcR{#sfAG?cWnknSL{8~c2?D4$6Q!P@fwQpNL9Tw?B)q+5C
ze&c&S$#SlnI?Qb)4UNLIOedwSBk=W@&?RU4Ja5J*A-eb<bqH9Y$@qbT02TOTLuhf9
z_3!&3bBEWG|MbAlg3810_Nzz@U^w(9k1r^5fQdiHjb|jssCv~Q;K+}xf}Bs#9~wwA
zGd=EzKp(=CBA066)@C?<`HjKM0&V`Eq+~O+UY%MUyAQ-UO44Qu2#jRP3USY(7<(jC
ze|HHv5X=;s-nV`~e0)J@;b2^6Sxa+lfs^~Ya|*pNeTzpFYx|)1T~Em^G}QI6)Dpc;
z!G>=6LQkx4XjRWg)viDm_U>~uq?dLZ|7I&g6S4(eFmAFY9)`z=Jh{e0VV<geVbEZU
zR8TZ)0txuAu&{J$#Y{jCpYFBFD>W2jQ&LiA=M!ntuBPOjjdNGr=B3(ZyMFrkV>B=C
zw6why9(U2cbQRoF#$h!%DkD+SW;f+3RIYx4yXds)ZhCg-X}tF^v70G)?zve2VQlS+
z{JC<%l77NFmv@}b`wFHE2m_0v_MFkv_p3m#;6$PSM4(MYNeP!Bc%qg{PLzk=C4MgH
zH)7PJ^C181<Iym`PrXkxgO$fxE*zaO=P@<y2Gj-hGpt@*N5e7kpI=7Rw@pb`XP0Ha
z#{q9ZB18qrK!^&&zZ6V~6ik5>3?y(P#wuR}7Zyz%!-9F5LGgJP<hzz=J!Aa(l}a`v
z_T8*pxc-@+raPGJs5@eKH`if08e@$VWRDieSvIW_ewzDGJhhb!^lbaiN)z$p!dakM
zp#AMNR&s3%qLU5tuD}v`+mgbKIrBkQ?xG^k_ydcydFfEf#;2Ejj@l7yB8SH9+ufny
z;@dAHKQ+0gX_02#rnx2fzHf-b!7RHgU@w-DY$jg3%ZqxK-~2ISefny(*%f4v5MlJj
zR`XXvVy*e)WkaHELlP_zQ_-}qdT+~FWj<b&bkF3e2j`$vb$mbf+~kh48|RbsbwT9i
zb@~h{Ritf`h3WRULmNI)xAp`0r-~({`J?6`Krk>I7!DN*1=0|Jh(E1t4ej138Eo&U
zwh9D|ZP8P^Ap1>!YLPrcZ`I<Zbx+Gs_-^7TNJBgj<x@4i$Tv|pN?7eXydsIkn!K;O
zigYrfuqK!9@_}<MHj1=byAB(|Tkrti%gwU%$#R`QEK)YO{3$>CP>Ti#!uC|<+O;{X
z=^07C5;xP82nifJmdNqz)R=l#B6W~znv^?<_NwXkN5OzH19NqB6d!J;5-yr1i{Es*
z=u}gGkS&Gde+iz0(cJE-5iGk}CmIorPJldo5Y40?ug;jIF~dz9FEY$&Uk2>ch#x|5
z6;&O%!VNHY;S0*?G6do;w)^ZLGPJ0T0xl#;==5<}(^q4F^1S4QhXo3?5_z1sOkC#e
zW<s1=Z#dz!YR11|SJdwY;990kIboCvwZXzHGpD}`cyo$UjHeZm=iS9AR{sWhaF1~K
z{}b$XfV0F0%Bx6l!qZb|Jk8QhvV`2w{ZmJ3G;+Kt@kBsVSjB=~EWmrtrpdX!XJo;R
z$(Jmmz;q5_IRjm`M8We%?@dfiXttxwE4F;(AEA-XpPWsNjPW_tUPP!D!9$wHda2kI
zA<akaun%k!QRHy1eZcUq;Qas6cgy+Hdl<WdsAgQ@v|8VwyaLT5W<BQ)@MLW~hi;#C
z$Hi5qM@|z0him7n`&dq`x#ggq^k6gtlwvIioWi6+f=uQ51&m(^PVv~9%<{O80;@9o
z8lkI@OaY5p8AF;nH6U2Y9LXI2Sgs0$XLW{B=}hcqeK~N$`&7n~SsnYabrgO~B;`H9
zC^MTzaKg)@6Hx)Zg+em1cN`O|7v_}|`%oY6la~Dtx3exmq9ZT|8|dQGW0^&T`t}eW
z30S@qLyCCtT(9teUU@h@+h9@30PET<q46=x0<3o1iI?X5zcit?9-9CT2)bT4`goN7
zdwldrC&TO}6JBR}m0eHCm*q7OG0w>FoC{$mdUch3oVa%qnFzOel2yKYkHx6t;W}o-
zbYLD>ycSw%XS9}dU11#dJWZ>9dAZ1|gw6x+rAO-3Rj_6@>}5SGM0RFE0B)P3fSx$~
zoo8ntV51f+nYa7sS1KP$q1e<=uzN%_SVwePG~jFzJvfsHe1bJU3b+{ysfeY~?_zt(
z7`5#k=3TJEfMi{=Qt+B6V~icejFAXZF9LypAV5g1WPCa&ELah!OC=)%KvoG6;hFg6
zG{{ow(S|Yvq#`>bfvlW<PFHhFGf^_;zCF~}Y;`}*oV3Pc%SRWiNY*;GQiE?5oL`pO
z&y0c}Hkly2)y9hcZ>^|nH&;-&tN>-fu==+9N6Spd%uBC&TbSOgZjU(LL?xBjBBtv_
z7P!vAucb7IZ@D&)jC;hgQi2R5i(3nR&+B;Z&RQruu`#2;31_eC7(cyy3#5xy?d=(h
z$dO6(P{$)-=d*lIO_oVO5|J%L%SnW*$!26PZ+D4lll3|zbiLidIOJhA3c&r@^R?1U
zb+Mln1l{#71JBKAc_Odh%kPy8Pxzl4mVs9nr7;dYE^eIq0fy8H5Va0XI(75qK>!rF
z{-PEG=&jq0KM!lz?=9Q9;Fiav^Yg(Lo>jY<#q;=^vC!}2IBCHLD%PnJv7(m!J?D?p
zvYk4f?lye;EBn0PSSNFH!I<!x@1JDvCw8If!JRLMod_TGG>AgT_96;CWK0feNQo}f
zSin`R2d1@>c49b<e;3NhO+^s=)P@HCQIv07BWK6c+xx-6Z>;4q!vKN=PgkBVj4mVm
z`P&4w`d_WION#2>f^yq`{(QEEAoABq(1=2?%nN{X^YgcuuV<LQdf|TcZ!l!nFZ2;B
zbEGgPmIV%=SvML#>oI<PRJ++c(vX5&Q|?s{-+u_mNG;w%rvnv=z49Jkxr#UW({r{K
zgoIKtfEYko$mu!^cyDP7^xyn7#O}Y)&IJV4x$KUa<LYmNK4WCd;v%Jzgo0VZuZUdv
z*lUTS-m0D|j#jH-z!wYrT*r?5^h@hU+VH}RHU2bEyd97BV&lGn^z0yW7g<sT>Oi@$
zOQZ6m{_&wh3#e~~7OYnj!dg>J7{5|t13gtrK$rNuOY)yt=FOP~($AXHbvWmYvom|S
zQGM}5iNuMPB~0|-pSMH)eQiie>Iz2C3m#BC%O1r#-fiL62v)7M7Gh58Yz|Ymp{)!-
zWl5quI;>NZ&c;QOj7;g=wTb{o#qo~{+rRq{+z^QyHJ}SHV54@`VdRYrzIdz&O}mq0
zXp+C6HMq55=*crvm`uDh*Pqd;OYR#_z}ekm+ip75S}GLhU$){M`;Fl*$&a1+M}+=$
zgV4Vw_<!C}GKcx0y*;MFN2Ap&#tFZ&uaq*pG#cs8j=u+*l{FMp!dKjASi(HSS`>W8
zbQEkxW!KNI{FbElwGjTs0{=z>Dv&?9y%O}n1N}yuK?zVO*?q|$e@i8wh!-V+WC&)K
z{$O6``Q|EWtnd<fwfwJP{s*wB$o-;rR}KWpEhv!E?+YqV#We&*?oLGgv=YJgfPbLw
zKk>%S)aeg!0w!s45XFIra2$#;<o4QIFs&8>fhZ>Z>mL7e<%K`Ia$Cwu44x>!<c|QO
z4KM%==)O0Rk4nf2r8m+}wMecVh54VpW6kbveropp{V|#XZD&Z54F5hum=l2Zm-K}E
z^{#(xOi5C8uQ>33bs8v5COq_%o9bodAHYfwLIwxJxeL4z*6mzs^Ef4O{F#uIb$ITH
zMCr;D^6y=-v9Wzy=YxZ?dE>k8(9~PCfPmM50i?A~E>gIYC~<Ld)-=?PYTp0}EZM{*
zoWQgX$Z)r#At_>b`Fp!?BiW~G3031u&5rBPnR!f13~bPw!rcFUwpaVw&CN{{4fM<u
zq`!avPY^{-Jh2A31Kb(u5}s%(H-{$|4H>d1tPu*iIM&Vu`46z->pAo44Mp6ryqCb0
z)zcdSFe%UHjlX!XLH+A)%d)jk^sfo1K$ZZ|iVUB_Hk$Bbr9!$Xgklk-_({1Q4aHzm
zN*N`&AkUAtlxrJGFzfj_I!qz)1tfG_zWp{;C}meIqOC{p+y~MO7ui8sn7zmXn86Dh
z%3&L{cME%a49~C9=)Cq#51T}-79ul3&36s8I@6@Bv7*1J#pAAox4TV7pE4HY&Y>LC
zm}CMAQ!PCIL~cNY16p&m;`emnM>8`T{Gg1!>cR)}Ki?gV0W_{;UNu)MFIQJrs}DzS
zr91ZsBw(+1>+3h*o`Wtwt_|W#C%7NhLQk1pt%l>K9$@8@6F#S$W`cKsMX+P?bf6T4
zgjgl@&`baviEji~bqcbe{>KqG(cS$9ybx-vf^py$8+V3+Ac~&@!z^7=?JwzsT{h4e
zsR9}mTt{`g5P_X1n|>#W!+XTFj)UmlUccfqb4xv&gYT~5qN5Lu#^>pZ#rkUut8x^R
z6;inY%A^lFM?HwH`oSY*<=K}Aad6rYOf+x7_4cjbeKGM}3d+jUEU5n(bSmxeMY%1P
z$domeM7Zoi>`uR05MD@(iWGx%T4MPQ-+md`uQ}ZMZSADoT3&8P47US<*>J3l@a?sR
z$ZgSwxw2(1(_nu)k-NI1*XThV#l1g)s6iWTr72NSF}6sYRPb+4!Vi7a+$Q`+NfZ-n
z8IuNotLK$~Gh)+7Z#}J5wt0tj%q$elDvv+~ZqhiXoUO^?WN%mVFQ0@8<}dY!YBM=n
zS!KuvbovOAIJRX!c)xz^c{1-?e`Z@vrHFGRxCBI+`<}{ZAtd*ibT2?tMNv^uHpWrD
z`>#*^YaC%>lmnjO5fQj)S9i}Zi;KFd+#$Fo@^MxT<-)?6@n&aOYhFY~elK<<Jd`{7
z7M~?10<J42yoz5s=2)L-8#qyX<>R8g8Z`8qOEkkzqAK={Wt7@xBTGiiK5)oouc921
z{P64P<<QT1t19$~W!=n$@A&8Z<jVXJGmzt5yPh}q)aPNddj4bh%IY7B(DOh>mi84)
z@8+G`{^;LZ#KNLqp4v6dzGp9=Hsx@-kc@I%{R*a?9nwPQlzW(x*sTLv4mIma+F5VS
zQ2O}$TU6nCvuSrJtG4DSix-7U1|#8f9*)(oYnDO^n=Lo>^xvJRvV!PrTUKqhVI~^b
z-Ryrh(*?ZrPJOu_D`O>ath_9y$0<34u>fP$StAqG1jj}B41b)*weHM&*0nZvQjD9+
z35PU~xmy$J*)*ml^DIe~1-^1NYtCvBh=_>jriA(oUBq4zw!4_ug3CaSv|gw%b44l$
z$h?GnqxU<4n*jJ^(Gr$4k3VUvQKhaeo18tQT=h{d1x@5E0kK_q<rC5$mFb!0=GDxz
zurb$slCS-03k1^vM+J9N@@zT0E`OeH*CTXCf0)?Ghy3G3xY*g>5Md_Mg+@i?2zZL3
zz06!+U5R7~p;9JG=%exF3?$|&r&@?b;+<*b4Nn*xwmMD%+zl{1^~VoCc6yJK7+TIG
zw^ijU%KP?F+iOYTmWp%zQ92O`q;G5XE}%van_zHumrpE7q*WtL;E^8<dI~pco`x_F
z8!R2U^EWCi{ib&9@(LrZcE060H{WxXZCo~VoYtF-=2BG6%Hbipsl9EOyZut?9G6<j
z-$wIZMcZs;qmU<=BXAgSwA&(=9%aO*3K!k+6U<S4!_EJ(pY_f<l#vWIE+lb??$x~E
zmaf5Z<%ERnW<EtkLq|XYtzpLf#u-$7Hr5+{_|>#Q^D*LCDJ#L^K<=XtO1y37)-~5+
zLyumzgwJrsuhnxzZ{5;#L+qh|_#V>ax8HG&M;ODX4%fTH8;F=50k_{BI}K-4d`PLJ
zo458T^1IbwT~8*+c`Mh^r}L9a-q$_8c>`H{=QRPE%-nJ4?95lIFV;U9gd@r-1(Ix@
zNw>eOg`*souN@R8yQj6I5<VBKZPauY^a=#r?$wKzG;&hFuY5dGSO@l$G;GvsA<~q!
z-L&4|wsX4LQ=C<PzPq*h<7fA(JlWrbU*7C-5bO7J;L+7Vs;kQ`irsV)=!aLOW$Wn3
z#vHgl74=^j+&SB7p&;^r5zVZNbtng)nummU_+soNR`GL*VbMkCIcB2l@pqVt+OJi-
zVzen8EtN?Dq-&I|Scf51#Hx5!euTS>Yqe}a;pruE+2m$jv(Y5>!>@8dU*}jcCc~O)
zquKDc7Ms$G0VFRf^5;2*rWq=lH$JdHG-F`~(9bIreZy{fB!M4(l^;hK$|eFF;E4|7
z-;1}y&Y{n9AOI20CzOe3jy_qFQB0_82QANwc2VHmb!B?(=DlfbJ=&Z9-m(8@K}==w
z(q3_jnq?}Q`2J&_YnlyfKRQdZUU<C*N~?n@4v+I=CLJgTmRU{AsIyn9isY(Rf<u3?
z->m!h44m4FpkwgVO-1K#HV>;qFL41z93bTT*0g)vyZP_5ITI-P@E%_c#x218QR1iq
z_#F?7E{!Be`H9VCgZvnR(ZD$!GdQB8_hr*R+kbGfD>0<d<{9fbc>V|-*3k)98az!&
zZj?fqnwq+>Hlw;IC!2EOFvgybvyX^9vO;m`lO%tg^;kDb|B6J;b~DC*`hkn<7p#yQ
ziDO$BaPILUFW{~D-=K{79fmlW05l@DwvyCMg=*4w4*67SwYF!lr3$}4sh$~LluVGb
z7Tn`6{bp?dJpYG6pu71_*ub~`1#QVcH2y@nFVXXQ5Q9xnSzN|zc%?nIeU-84_r6?H
z*eLr=6It}Y$QG->sydEuQ`f<N!~5NH&(J4nDs0AucyP)kx;BqNe#*UqcR0{2QGUb;
z-jg}%%!Gm2zg4tWLgvkHtgORyfQ$kJXY-^aTt_e!RAvoW@GSfqSH%EQ_iAhC=eBw$
zL=_>2`O4IA%NyRhxYEZ>D*jojAxk-eHL*<O>5!l~&1w*z5-+yfC0mj`gWQe(f)G9b
z1DX5c$Zux-_5kO_&73cxxD~!U1#Y9R9v<Ra9BYeQb+1<O$uZ9YMjOxg*t4f8nB;hA
zJ|DJxI!B+v(!Y8>Tzy)YB;(qr4Yk{?0}L(5>?2R$41k(l0e?MJH>-F&qKBJXcbKjk
zq!)p#!g8=+R+_T!-V#Q*e!L5#1&LMyVWZQH{#9}~SMUfCKIZ;{{S{bnXF$EsRRE2u
zlhTiv@uQ2%RCmxL+Da6dELLz+YJIhcaHrsz7nKx#rP|SRYj_PDl1ID-Yr4;^v2WJB
zp!+7W4FE<|L;d*6ObUQp#+Tc!wZvfqh3~r#@&7mnm`lx~ycfX9MaDEWFtj+0j{kZP
zUtc&vE2t+2F*jnRPR99GZvJa^;>~@709qdwyND!;r|qzFA6palM88&MvCM*?M014W
zEe<ocb#vMZS$Z)8L8aKfog@*6GfA;XJhc2s4`Jmx=cQyC&+6w+<pSAO1T{>WmW2g(
z_V7&`c9^xW$IGh5AnHd}xj~7p<+A(E+Jl$G9^D{Aehw-xep}`rhP&SJ7A=j9ZkCpi
zPt6{=zK5ID9k7cncTXH{U!n1H0UO-FyTaL?AR_&>f|1jxik0;9p7}apckdlsAC!R*
zkANT=Ir<IdHcZ`UU?w0PKna(qUyB_42CC<FOfP0;QfA-4RUM6j*eAVKh$&8fe73cJ
z_B>eaHbfn28U?j~s^$Xr-ANmC#)+rYzCOnuip$4Qh3LJEPFPv>5X^pR6&$Z5ifOQw
zZyh404u#8dJpTyNTe7d4L8Q~vJTYSu%=~q(n9Py;?VgHb0Mh$H&e`Mff#`Bv#XLuU
z85YZgNw``Lg%jqzp;P9!+C8PvQkBX;ch%?8fx<BBjEjmMiIgI;EM#^M0bIs!z(1gR
zEJbeO;82B?Mq^8^6a%6VC8Ri}&z7+s2AU~CO<L$ptMfvH-N~m@H_j@ioo=dL;#|K$
zgLJ8O`}|kDT8FwFJAX35IT-zr(Bm5nd<GM)NTDn8WUXMZ<f8D|w<Z60+Op<oeBOxM
z@c5OgLA62BNOIbvI-7_?q%6d&-92i?P4TXqevL5naGB|oV&9W*RJY8$29IpZc2b%M
z^1Uv!=A%CC*8E<fVv>@Q+FyR+&%DaWPxop6x!u97e&0eU8>`;Fo8@y6<-}?3;Lb%x
z9PAdz3IAs=fZWU6^Uu&13*S?<R4uHnkF`ffN7T|^3|d{0>lD(zGTa;oatU~(TJR19
z`XbEa{G6Z=lMy1afG(ybbNt{^Aqo+;j9=*zL~V-ylM+2Ee3kKj`e|&^%xv@R`?i2p
z;;3%foy9yunaq;%@c{AcvtwL*%DNE-BQ&qnTOC<N_LJ{Gr(TGMP2}lvcgrj<V=)~H
zjJ!k70~QCS{a}-|MEjDmx%vj(ft_+d{G=AQXhP##4mu&tBWOhGs+sr;4a@1;h@$Dr
zA=(nRE7ovQ>2`-6kDVSjxZko_e_@Vz3zkaYj|CcIMRNJ7i5699rgVdNswB|z9NSu{
zrd{Mu%NSE@T|Zr`j=ypO`s2a{9VD`0yYN$MpVy%`q6L`C06XXP#XU>`7i(HKEUVV=
z15cVfL4?Z8YrgI~uJv~`$yF~yxQ6a+vBx8m{f@+M7rfjuHXDpbeCHT$2ArZRr6G6g
zbx`s&3O2Ut3A3^QuWE*b&3V*&H}0(nM`pZUlbi);X`bw)Bq$@{rh2X^VqY)*Kn<gj
z?gn(yNTsQ1Y>hR+?kQD2tN7PHD2O0o_eD!U=ZsyWd#w~e8rg)%p9~oUZY)&N3r=+_
zrEVh0NMJAbqPBM!J^F*&_mNDhNUHC}qe4GYp-9ew?;@>U%FHH;$5A!ERC>BaqG>DB
zU8ZSL9z+Mxi5H4~t%}B(R6$Y{*-4;+P($4(zJkIVLWM^vS&x#)Jwx~uLswn8VbU)&
ztA0o^yuX&IiZytd!(b#0EqFqi`LWZ!e$Q%x&&<s1>VJuAzx-^wwe<M3UN2~2JJdE`
zE${A<H?us2JMWh5UhinPVvk+ZEfS56%+t*UW2Vp?3-xsXi8M4ZBw3BcNJbcH6}a;;
ze`!Rzw<++{PC?K9x$7>@ccU59!57wllGZb*eK`!Fsk;|e<f{u0mXC9tJo5=b?5$1D
zjn0qyW&CT}sAf8uKOEOPLPJC4(^yTr85Qih3(RyH!qGmAY)P&ZgSuKH25g~Q3Kj~1
zJ|R$oc>%Q8W4_M?U_-&PFRaE_tPU@judJKj`LH*Ek^<VXkDnUi&UIz?K$Hq#tQAue
z3q;l*Ls|^G;{i~%zDMELr<s!+UH<jX`Yrq68*UvAef`P$XGf2<SKF~Kw>TaS&uz_k
zbmgWKHG)1jzAyK?{a;9Xd<<1pO@SF3hCk2^KU;{Zu|(bzDj?;9RUvc2ol2GQk=SBL
zrYUGytJ>PyTPFr3(@;*J93ekq)CCoRZn-99p?kP6yh@v%DglQ*k1F^9=pqK?5vt=m
zXl5-*I16rVfMAEh5ws4Jm?*T)B8D=W8NON9sRuy{2m7()K>9n%f0{y~48_vga9R!u
zoA_}dHUcfoqe=_SZdOu&X5L5f`rffS?5Jwo+p&lU-EF}B)HU`!@5>jD_*PJ$oWlp-
z4J}<cK0N%mlV)5KkEk4WkKg;^l)@p#07~W%gFbm9m&9Z9hkE}v>q^re^$F+#>K#Hk
zw8F;^U1&-qG{5blJi_`z=4t2a%Sww2G=H0xmKKYBM!42Xu!)F-nE2ORWCwh$rUnsp
zC{POefhAUI{sX=n9p#3*->+rW;q>GrJc|e|oS=>%P<U(9#?i4KbnI!4r+*=r2se7O
z{=@fL3-aHiWHs(>=W&quTu<e`p#O|jFnL!&=p;_0Qlvwq{|U(g43zpSi(ktnnmYf}
zAoT89pp?dc4G8Pk5P&k71Ns5&3=$J4R0T4}`|nt>v>-p?FxI|AMIo0=@9Urd;_5%M
zt_wjm3=F-LGBkyw?n7^LEq^MaWtYH3YtVm2gk)-gwhq$L)zwu|iO<dbLf~h<eI|<Q
za%WQ2f#-8YAtT3faARo~dtZy#Jy|&8yA{t@BP_h%mEaitKzjK#P8GrcvL*Z5Kn;*i
zAiunvkp*i2vE?-F#A22{b$X7Vjc>A<?oUIq<okEAu|kmn?|4hxT-SMt;W4DhHGz*f
zG3=F%tpc1M=}_Jc9$Z$$Iki(+*nN5`@j%fMX9u7mgmjx^?=9D57EDIqmx2x3z46z=
zg42~sNXW<_tBiVA38G}uJ8!^wvolYWAl2_OX9PUHHERzT;ch2uZ%~X0znsJ@rCFBp
z$BblL7)5{>n7oZOG%DRog;68mGAsT2#n?;UdHt2|-<F^a4(Sv!f}kXdkd&MpK_Q_p
z<mb_Msy|tQ16$HyWC{?+M>Z=KISA6t+UL88<a=7Q!-zIP3~B9FGlR+7hX>|kg1#RQ
z4aS=b9Utled<M9r5)k$hh5vcJEvpU@?uNALi}%?^5Za$%fQS*^C_AteENf_`-Y_mb
zPtjCNB4uSh;h}u{rC3VV=D_*7N3Qti<}qFf4U@ucgMG{=U|YMNzO(_36jei+=H17)
zc^$>NKRnECV+&M;L?912zeRxwubZiZ9Q2@CQFAnxp}*=2`bU_xe}YpuU{a}nHP#p+
zK0p^VHyD5bA_d45(X2|b+;m`3lLg3iv|gue??}YT_RHehbWWNUdWlV{If!6Hj?H|e
z$T8HLGAbed`);DETliRAr5;#e<_nyFpW@b8!TOYns*a9R1(hyzd8vrRdB#xT%v*O!
zFvi9q-yCh=|8yg0(mK@IbgLH&7+x@7Vva?Wbg^Zk8=F!ris`?%Z+GaVq<`A;RVYl6
zm)6U&L2;dWbO7>>M}N2yOq3Z0rYv*Kp1wdEBkRo`_p|*B&*vwo2?;;7>Z!pQUv;n_
zk$!Kt&dr@2F0cA#@RIP7)iQUSIlEZ_o5ZsQDvbg#$3MEIgV;T!!()NAuyhMClg-C@
zeYdV+1JJtB8!00s>Lt{LOnwDw#lT!rVSt{Ljg`m2L2KU}<0OzVvgdAitMJz)N2&E<
z!eUHHyY-2NH#wndGz9oZkHFVhmEbU);?lZ3i|AaK_CAb$XH31T;vb%;dJ<N7W9*UQ
z1%j)ZeX&^O(+?b!pxpamylY*+`pOn$pCMQ_RZpDOfOTU3@DsPBXn=8ZQQLT}=Z`EZ
zC`>^9YAFKf7?BBNy3z#_&@D)=KXRav9zKuMRu~TKKt@Pe;)zTiUMgR}n<FEzogAFS
zl;gTI%KkQxUQ?IJ7R@innHwY}_~5v6MYSLB;C+`{d)9pl6^Sb3Uwf;ZG_hbt(_elS
zU;<$=K1=1fg|CfbB3`PM&yIxS^&ml79)FuzaxSYKgo0rTnr~=-?|h(k4pKJW+BiK$
zB2QPOORlA@_442lejxhCfSG{|AarzeC_`961(;<^KJPi5sPPtU!5+4Q-(JR@7Syaf
zAk?Dz7*8X6@s=hc(SwTo;p*clXt+Ag6d@B}apd$vqkKzR_+QEPAzGkSz)>3#!SX;W
zwWbgtZF?P(uU$ub^4HvkFBm(Wn+S~kYB9)>A<|Ecs}=fJULimNzOSb79HwRo-@#=9
zP~uM#db74K(9NHGNphkLtp7kNC3YzoTkIdKN22VF8_@oX-%vmJ7n%Qo-v9em>|e0{
zd%^$y`Y$%W75~4#|F5h6y@YDCw;F^z`?xmZcQd+TMMW_Fo7P<TY?70Q2g*^gCZz@A
zNqy!%VEYc*FwHk^z;EZlzx}8^`&{Ypcr&Fq`Ny8V)m@T-o!96s8_l?txp`ql1?uUj
zqd9&c_ghEAH9Rktzr85s24J@v)IpsL^ws{<zfvZiM&y{w;g};$u>DwE<w@x!L`q8P
z>1a7n4)Z^EMUsGJj9GR6`Xd5_8t|F?@QwB54Q->e-g;cQmy4{`X4v-q*EzPe@Y(6Q
zzAUP0i@yUl7^d>;>y?MvnT)4780fyzfS*!fa$K?#u#|Br-C*-);@RUi&F*nAoeCIZ
z2RjVVRTQ|H?aNeu^mRq2nx+^WmTbMSZv<u)Pi~}A4=6bL>**~i<0k<rL*uXMKow_D
z8R(e&b(!v!&mkblEo_tON5`irO)idOi5MXuqMM_%;VKsuI>Gw*(!(@rTa1y=!c!A~
zycL}R^g9-L;kSKEY^>jA7~w>@qp5^`Q=Fe0$JpS)r|0ya29R+Gh%vNDH<7wOxd@Ln
zRn;;DnKHDJpD5-EKM5LJ{GtOT*HVXj#5J@N);xD(S&`Yqa{ET#^w05_D>eFa{U%Os
zA9>=k_grw@7#b6QXzshivS%miS;nntcRQRL%i%{vK$uwT@Z;~50l#NvPNtDHr<yeT
z<S8i$&qr1NWqFnYwCKb{398Z_6N8)xJ}J_LV%43PGf!zNK%)udEU1}cG<Ud^Ugreb
zJFMT5inHWx{|tiqZJg!TlPk1AAs)I2Osx)jNQCvdnEXTKPv3jshsx$=LY9Yt4G<F@
zo#k*UOMe`BUS_76^v&(<-v|=Qk&y5>(iiY<aB%PrUTftGWK?k}Q|dA_Q<qkoFpHPB
z=p;pl<+u5lGUgs-$jWmX=YjDx9d>muck%(Eg)uut#X0FnU}W{QIgxkHG>pZF1v`z!
z-kABmQt>*s59hS!bpxM5hiXR4i9*zD76O@{)8*h*agr{?sN%lDv2on?AQ)iih@ruJ
zeGvaHS(y!RX8Yk5JZy^s)%yHbM@K08!nCq*tk&^ki0>W~9W?L>RfGl}h$o$HXD|9N
z%hW8VO>ryz><xP{Ph~gb8z76-v~T*&x>D#onTyU+V9ZH`Bo2U5*W8Zt@mf0xd8GBE
z^q)VYSy-H<giFv$Dy7uq0-k|I;8Jju0?iTxBIV0kKn-MCaDUq0FUj>kP-bDej*e+*
z{h@Gc`W{9sg~R93T`{mg--XX2sOmZA4QxY7)4mswi+Xr&F4hH>t1wI8N8l{i{rHoC
zS_Mri52SQZW#?m@N9=FjO4ULrpbU5?*J5e6o_0K9co168b_fqdbeKV{Q)U5bFipm{
z5dYQn;Kq4oLJqVlN1?SdStG~t*GVjU5h9m}ZD`6}KO&XhImpTB{JUYB3X^z@UIrf;
zuz1qCMh%-q&T4jcwlu4I9a_o#;NYO+<-xYnv$rNZ9D#=fvVl8i$3+clUWPI}H0aqI
z7`(ffuQu+F8i@Py#nQrp61LZlhZ|Z5jf)}CyM66=2U;M9FK6ty$8)}_$LA)Snc+Qn
z`Ekj%+J5~JR8YpTd**N@yz;p9Oz9gLB5DuKkK$rFT5zFxRqD69ph{G!9<4r!e9)D3
zCm>sUX-Lz)wRHbt3a;9Y2wB55emt8{HfuWJ-}N|(9O`u0?e}AIT+!b)B8W+-?KU4h
zEiaID^mNMy$L`WU3vDPk**ZsSk$xULP;)~K8k)_>w$vQqD$JNI;3?$H&?xiaU8R9-
zzOHW>VS3;CGh6C<R`|VFX>Ns7%~1Meo7DM9&pHDLYDz{H%zz*FJ%9$AbxfxZc$Hvm
z94@HyJGOlo?kMg=u$3PX1_73eNUv=}1_2uMIu$RSObM#C7SIwp8QIy;GlF(pNK=DJ
z^lfcz=d9n1jg5slI1=LH1N~)Xkr7<o-M_7`tbh?mC=6?W077OACbG%?=6&(yiHO4d
zUpL3i>;6zWG)!_K2~jkwO$Ku`X*Po&6Vub`T3QG@J^Od08+OnN2<Oi^v|D{8_+K@$
znmze{BTfdGd6c=>lwX$+wzn8c$DOPnjap?v6vOx@7k|)mJg#87cHt+{ZeG8#^LIle
zE_-#lzXViV8LwZTk15LS4n9kjET`YXJOtAlzgG!J3Jwk~dFJuG`@GlbwO4_f-n90*
z>XKa-Y_0_-o5G>L47rCD@q=WmTj*GnfyO!-8r^mCOWfSY0PQr&%y^91DVA4}-?H;{
z&2#1LvPSpXi6jgv##>5L_PuG)kOxA1-D07E3YOSh0XXVVZ(HxbVC#nK<vu1{7}2)c
z-TXfyh8<eakny!pINOXMr-IfP+U7_5j!#M&JO1&UtEXcuo0n5a$p2ubY-mW%JU)WI
zyKExJwy~+{S1~&oy;$u86{bqCcu_@lHD*1ODJX`<0CmgMqck_l3c}8*)Zcu%Rn!+C
zqAsMM!^Ws~br4o79k+7J`I9VVCZglL_`uZJOmbuSm4TSpr{@q3{ndVD!LTP~`{$y^
z*N=SFWcMxK+n?ulR)#H_nK9-IUO}1&0xiQ2dz0ql_-G=XLtH{1EfrUu;QU)B_$)`4
ziwce9ffz01f)DmX5l>G~@N``GiG9$Tp#vq+MGhOPRYU1E(ri{wLMBUvS<_VnZK5Ry
zNjCCi&4s;SdJ#9&=>r2Z9b>PMfjdOYn*<K~B14Su66s3SBP2SLpb)dBVhZSNFE}Wo
z%Sln9;^rAkS{!<W1(^gIaW1@m_jxuxFv6TO;&|U0=Ke|gc_|RcMTB#Wt$zh2(;3ed
zj3LkS`a@KyaYc&Y7woZ_r24clGZQ+la<mKMSEpAs5IGIa+=&~fG)JTVw&lv#2SDoz
zmP#JzRZYNSMI`FUW*DUm$s{ovGpkiVFkAUHuz<UK+3)v&>*6=CaJQW-uKmNdUTsP3
zevtiOhH&$o{bT(nX|cnz>ZCC(N|54M**VupO?(<B8bLMKzHLVE*lEkL=FMzB1}Wc%
z79;{TkmHUk!ipkC*PE|%(`HxYV0#(PuocBg`VXVeW|?O8D!S2^DYYv69K_W*A>h@M
zOX$3pDHLmHf$Ef1%x;5&2uBMdv+xz_8ilI;j$Mu`x|fEFnbE{!UcTG1`8(ehnMjL|
zUoHS|=JXxgZ`XWYuRC9~uVA#+kx$jImBRE=@34J*M3xB#bQ~O5QH)FDqN>g`iPQ<-
zi8WAw7R1R*?uK+UHSztG2LR>vrR9_%L+O0=!sV{9@W=W}g4Z+z?~Td>&h`>655@ux
zQ)&|&#E+}$>b(6P+v`T+j0425t5B<wKw=P~{m<iLXEV6{RiHaqu-n0*=<ZirEeJ3+
zNi;AH85cDUyielCsQOmcPX-OhW#8J_^|edHD}>QR2$eKTy4SS1ZsI&eM*zX{%+TiU
zQ@BH$)ap}#zSlK`?tE)m*QJ=7)3kZXyNat#QE#Q`4l{a6q?Xi>RsHD|Qw+%h&ExF^
z*?*&6LX9XC_58G+FRVUR!`W85GPG)b?L3p6mET84CVzfPi#vHzefQk(u;cse^-eOz
zf6wdfP&yNh7$lG((sca`v<!Xi<Ttj@jCgHd-<3LLD9~M<+oh|}%~Z3$!GWI~8X1wm
z$>R7m^i_Ya6i5fzfMM5wup=kVe>dzwr1cjc3FlR1#RY~ZbZ~;OsZpF*$^Fw<(`=bP
zck=%~w!Shfj-~4s36kImGC*((&I|;1cY-?v26uN2!NTA!!8N!OTnBfD;O-J!@0|0#
z-*@kiJHPsw?yhR7s@{98z4z*31Pd9IGQZxF$C3B*$F&>?W&b_g;BTF~kLJwoxJ?_~
zv02&C?{7Lg##?r=-&9q~?GRw0dfj~MA}n*;!~m{vIDc(#mNrw5Sykk^x>=~Ie15{<
zKX&XmtDZEj#;9AFF5#ohoQN7=_w}A71j)O#2(T)wuudK`sv$4T3%Kg%-V`cmNMOdg
zRZ7(?U&6eeq5*s=aOSD*5K&(oW-6$`j{-Io^>9KGf$uqCu6?!AS=-fMTk^O1#X@^v
z*-7B(Nu5IS;WSGBiFeKG)5a))qsx3E!9~G1_YeH%iN9|WfH_?7x;~0VXx=#=KPiR3
z+JBFWd6nkIYgp_gxv2*CuPef&_3i@1OqqZ{<wW4|2}M+{!~wc4m9aP0F*IigfKMh0
zJs$xWAdClv$65dZgvZ-~_dsMSAbS$Mu@ttv_sf&#UHaJ>yBYlzi$W_1zbQ*-_tGV4
zoEIQ#&@bqP_v%Aa;WVUie__@%$3%RqSJlivHPd_2o7{^}j**v1ue$=YpOiNN9g&TA
z6fz~_5ia`<GWdm>Ho&Z)ugb>z<tHSO3SFA-Lv(DlmbO$HilT4veobxz)}D_9Zl_8S
zGrb3??|%||!M+4GE21zbD!6ItAMkKq0X723w#5vAFt5TW2<D1E?w^tgRXl;KZXyml
zc>GCXeF13zZnbOpsKO&f!bew>(p9m4N8hlPLly8jiiEGX@rSyansis7S2$fuwoI{g
z4i)LCC`#xI(1F2&KxezJS)5wJ5Q1a4Rg4K$15lZX8MrvixSP2IZ1*IX@5XkIsI9-)
z?=!BH0NDym#J#+R*dzU;FfbNv#JImDn9HWxKQv0I8k}#<RIUQSV#0*L@}~yp58n9>
zRZXQ4Qdz2JExu2y`HOzPx@aWPIU1PmXsa8i(W%<mak*F)f?f*Mc{EoD$q0jVk+p7%
z@#jEzTXBcZPh%2(FTX`hY-%=rere@N!<?#^YuSBb^y^e${aGkC(K`+39O2#8)=B59
zTmMNG7^Wov^JAl5Z~np9y!||ZE*~pbEM4}^NEL<+Bv*o@>U3jYD<q}`v)4Q~@U{Xl
zpC{sBL+fcTLa8o*nL#lIs0LfT?!K|cVy%eAlQVZkA*^*1p#sw<c*sFU_WG&@_}j4>
zf@ydJu&hoRXaK$Doqs8fzCQn0ph0|jqdB=pq~#yGLmT!_MvW*=RF)Ip@=!m}YE#;w
zkmA**G&9e^r($oSz<klKn!Ju{kpCLzyF&S(konK4@}Rd|=YiGL!2Zil^b{#S^nWJG
zO5<xkW!^vv5cJuh_`&yLE41--Zv}-0+yNWkLRY`LOwgmhBH6%`j(T165x|z0OB<?{
zAEjt8$L}+SDa-{Lfnk6fQv8L1bgPrO(FA>n=N@*Vv_?pn>sp;(dJck=*R~tNvdU(Y
z<Dy7mnmZOMR<VmYQ(0Lq>jPX8&rzQIQU4;AuSdIREp~R=^68UFF4>3rlZI9i1UiT2
zG^;#5oH_bHVk0?1T@)B@`oDcf_*Cfq{wDfS2PPK$LGJHm50=n6qq=hFTa}%IaYgH?
zd@jo=vn}~*?RONY4Q`{2ytT_kTRp<%e)c-kgTG7IY&B&1_lJ(45bAMpE7#2@*YLJk
zJfxCpl-%50j=jT++G!Oxws$ayRO7|7H{GV3Wn4Zo96_q);Yov;#S?~!!rX$bhr*xp
zTvE-j2-iCfZ2@N8p#|OmY#7=d+iqMTY&v4YDb{oT=Z%id3X_RE5*~X7slzn*V&sOg
zTBjHK8zZz}eNBtXtxbimeZSVMvF|cf;kc+i?my6JscID59Wk#DVMTb9$`{iSgY-bZ
z5WkU)G9F%Q!)I-&+fj_6Lw6?eR#v$H*rZ)HsCM+ehe|iXo7&hUihKeeA^tPTB@$ro
zhr;>#P#rc8uVzhuG?lc$+|SFvEHY<C(2a^>BZGP4w3sdE7{n2gXVp&tR;-V6DScbQ
zukh2hFUBtl=T&k8#o*+;XEh;bD5X<H_XX^P9v6;eE4YNO1w&F>ss9;9<@202%*)sZ
zoY@c_O+px~h)Q8HT7Ag{V608gy)z@JYbW-&+j}-Wwq4_mQ>VKssr(l|ohUxYY_J6?
znB8ugjL`AeTBxxv@M!y7?+f*Fsq2`d@Lbg{)7vY|`zETm=RV~epGHK?<EQ8I@RSJ{
zOffzz=xD1gHxv*a+r=L7rsqmP`GSmGBnR@}8{)b@k|ZXFBQl9X<?+@?_yI_m8NYLe
zv}~{m5ieE#F-u;SA8B5npX2-=vbV8ft=AYmR}G;MNvfMP_X;A^Rm@g;7`TC5;}-se
z5z?e5*$l#$Z-#wyh^IzL7q=Yc;%Zs>BybplbUBSjb0k?ub$>Q}A}l?Q<)8Zgy~>rA
z&L~duFXY(DMg{VzXTl6b6>bDG*-tGcoWx`!#=gEVkjhlz%kFCSam7BA@u<xU(<Y`Y
zUm;7A_%-5Cv;Vqy=144rm$OCVKUst*wsf7R7ViGGcjYaeeznLqMgLs=cdxIVL~M07
zyn2a(4mJ|;6<-Wqk{d5GJ#R0a!)`11$--}bZkk`bf3)`@AMdwo1PfdZ41|I4gwG|{
zPhbLnu;}FPG4&9yplTh~WC{kbQ4CPI{4(-GvH08CsXFPy!(NF&t#aOQqO1h|@2aN#
zv;1UxKQVUb%~8;?JzKv!Fa#4aQXiUnBzw0*`bKCShje*rId{%~=@(jZ3n|97$xdgZ
zNYrGGHINpKgCyuDCQae%F`2=0Kc;10Lysb7k*fDenkI@^RMG1KQ93g~IS}S>)md-l
zh94F_hGbMI2wA3*dDXW6UM~XG2N>#LP39Pcb3eReRSqd2Jh_2yvF%(1lO^&?3speW
zskE&~l8(jl+(K8ZqM~qi>fa75_{aol*YD+t<Fh}$7tMXaR)c0+p_xn1{;n$7TGhJh
zJM0fp={Y|uf_u#yMr0Hs@k8e_>!~&Nv%-I5#HS$(Pov>&Y>--cS%m?~7nKkrMbCPX
z|KgC;mx(}S$HSy&Y|yUu14zPVJ;xZ2a1dU^i={7Yk>4)*n6!-1o_(R{Xu7oR7j0F4
z4v4c+9yrTJZ^Gosxfr<Jks#FjCZ!8}#-PeMdW*i#>?Q;Kj^9Sl;-~S{3JUSh6PD_!
zOE<Q7Xu%6XAltV4@n1@*hBFN2n=M3<%^8~>Md&?eo3NkF&M+B3ed2v-baKo+HswZW
z$L06iN(tE&Dgx6n_A@@6Nn9Gt{b2{Q>n|r7|LkJnx$3)?_R^$_%2fYhGdfzuSR(YO
zi$0gO^5M(pGQYYOQ}j<tr5cAefRYkV&QZ2QQVbUtZQ+1wu0krGubdRK-$4x;u&Du~
zB2Cd{T&=yYf^0p{=)f8&<8uMTU0_YIyXb{BwgN@1xjLD~?5zmAq=J&a3Jg8jx?Cux
zo@}hPZk)Z2s43ldClH;_^d{)qHrt>4dTqS7_Vgw#qvndK%o}xG4z7vK*+p+cVsUG3
zZ9+b;Pnv$~==i7qRG6c|@lWp*We`^vm-VAe8X3`u_OoP>QqQZM0*c6`P=|_-wA7C=
zpd8(szO9cn%OAN@Na#2fab+Mb9@|JB)Gda7W;3gK{O7czcTwr*BX0zW@X2)je9_q_
zdSUA(JgjXP1q$`@_Ri6Tg>*ANP+XScR!8`Ts2iZIM@KgzdfSIR;}Kv%x0o`9XTuY!
zui^fE9*kg7EC+)0pFbn<eb;<o+@_fs?b0kW+|&u=VOl*1q%HOZ`Y-(aAE5c)&4Hnw
z|BGV(zj*b(xO9VGXI4)6uv^=yU#dp`zcd4^xD`&5X?Ns@f4N3j)Yun>v-Af^x`+Ov
z|8NCt01AXg`6kErg3y0)>78${U9}z`{=+tPWk+w^g#Sy(8o?pm_W3{jm(gQ$c<dco
zU<m#Kvuyrl2-pA#Kp0H$5BdDxcK^L1d{`RGe`q=6e=p#Fk4FFh9Nh4d{a;q+D-3%6
z2Oj<}^bhls{~=9NPIr|aqciTRS2>05w_f%?n4j_s`+x2o{cG5t>~<S{TPU72z!g~$
zxAu$R<X6;1&0oWg7ym_`t)jvTrl?ob7Zv}R1!ndiGA=(YWlB>?EEOg}RHY(Xss-=S
zvm?{q$d+Tip-3_dc9CYI*bb(SX^j!Sgk?n6ava$0R~)}I?5)Q0v)-k3H-okJR(ZDc
zSk6}6*92~P_x`r;O<J_3cH((^Gf~n0S*34eO-tZPfVSe2-6}>tiaJjf?kNN#k3@Nz
zDtw~|JgL`VczE_}oPVuqYA;D9ZxUF=Srd)Y9uLF*_81jB#Y((mEIz`Jl;9X+tFyXf
z<`?;_SJj|<CgainGu<gIU;0t|QO|Pg^Uv<6zsSdqIiK1j15Z0%6?dVL#F|i#jo=<Y
zXm!Bz7Gk8==%6>c&Varb35QjOUT@Ocvh1_hN=sWrsne5m-i!0b-U?f3%y9N(vy)ZF
zP#-~*d%xM=Xu-26bnz@kC7=ab$23m5eyK$1PPePBhyCO6>dpD$2A=7~N<~<quba~2
zF^;!W0q5>h?~~Er<JGZqWnCKveYCYK7TtZ+3BSqsW!`uxtj_QU)#qu6)-7G*9KOBv
z-&SrmDN|v9rVwU}y`oI|H=k$9W_go-37OGhR_RJd0SpM=jewuO5X$DYB;}tHgDe-J
zTBbqrP&=4>TctOOl%%Ur$M4eu53#&<u{-S_tK1V78A*oj@l{)`@bLyMPcP}IFi2RB
za4VPq6Z{b>>aHvO(Q|)VhUSMCM_}v@N|Zh#7@35k=Y6<frMMds<n37W=cP*ZzUs&4
z9D&^?RsdqQQ^CCEd}i<#<7o~|rb26@L|xDP{-IBMYD&i99RpdUsLS2-SFVyEis&}*
zhb%P%CO_7%RC?h-5R-Y$;VE-7ugC)4?kxWF?NQMsq^^sPrXh_m=>o~;m)cvn7*IF&
zF$(h+uYwuyge9hSVZ;#<{pzoI>oh%{5G^}7;!>wwMsKbeEH>Q%sqCW#;av3OdN^ZC
zd#2f&jtVaMR-add8QbtIv`v7TA`d=VqHL$H1Vyv(S}0rUSJ5l9w^hG??yEIr*<Kh*
z`|jOz@M7Kv!^8L^LCjE~-Jd2$QwV_pH^dR(+(7PC?{iyLc<+O5V>ZJ$q-C^!Ntl2+
z62%tj$e7vw*Zlal+*U^|6x8kRAfN|6B(68$G|ah=#Kt$|c#a)H&02bjZrHsur4tgE
zoi=aOD1hL2RjRB`*)%gJX<o3*P4D$<9`>Z{x43m5KMnbjB8ns~e#6^JG9yVHEO}{f
zAKO}C$5x3p5JU`O4B|*7TkoSc`k1xT7BBEYJ40sh=r{m>N&0)?_xTW^!;!T(gC7FS
zcTXiBI;E2qT={YetzQ!RzThhV2(G3ZM7qr5X@ILrP&_TT?klpyC=q`W7w}%16lrdX
z8?X4XZ-rGMDs{%JvUa8;<CU9lJU%fwH6QYx%NHGz2r9p#j{@k}n`hZyXbym_g@cPq
zeC3()_#mSMB<>Z{Zs1CLqd$w`!xkSLwC1*3=9C<e(pVyC<%oZ+ewP$eRbsYhUYoTc
z!XDm_VwrZ#U8-LsaXU(7?fG>&FnocAJUyD$@;4j^I5AS@=q4?OM=v&b92fjFAim8*
zP-c+Yv|JXJwAe|I7Brvqt2o>Kt5I13h;n!%u@+WvuInX~<#XeZq4p!RW=GTuz&mH4
zWg@KfXz~QKY9NcW=St^VKP`V}P3KKp06I1Y?0IC>N+=O4ErMq+7#(O7uX_vZjXY;t
z*!$s|W-PcTd9Jmt+kZI6N<`m|ZBJ0qvS-vkVDHptS$8W$U4DHmnO<Wm|7A;I`jMMt
z$dW;NTCy3Xp|)!#Y8CS<6XTCXn`hpC$IuDq{|us_iND(z=JPlMY9q>5H5`Y64kO$O
zI`6<B3rrNudOxcC=T%*7y0&FLCF2P*W(+cKWZwe>h3AK$`%FVrioY>YPJe{Ah6lfM
zTL~#7d|!{&UCZl13SFY>lQP)jkqwH@Aqdi?o)Ul)n+*o02&v!bw5$ZuTrcjjavX9r
zM}S4W>Y~ZN?*>&mv!e9tDU9&+sxgLXkiF>>$C8m_SH$Paw-Dl35*?;jZpxmw#B2t|
zp>_lhMx&;aJKK3+=AbEbmD5=#(%oMf{gnd@OMu@L*qO@o*B>iCFjfk`EvHhf{ovm$
zYIJOT7ka-Q=S?X_%;;`IVKIXx$1ZkdkTmdCP755~8ds=w8DlCmcao|wl>U@>$EfVB
z=+B-NcTO0sfXg*OQsqMRZQbTI40%zrUsTk8S(*HA=y9kpoT6=L&V2b7-hHzCh}Po6
z(Wma=*3Zz|dyS^JCaOSj6o#Z`K8xn#7bVi{CseM2A@xZF77NOi4(Hp=$bA%W-^V9i
zCMc3WnzZ?@Rb>k;GiHPa^<TBGOm>~TwG{ArM&$u+WpjTqs0V8$k*2P2x>v<s#Erw`
z9~W#Xzu{SkR>q1(O&+6?2NvsW`nfJ{g=0H__`kM)<Wk8zxDtPUiADBuNEq3W%e45C
z!jWrGwEFX%^(O1$gaX6PDDI)9hWIn-6%|5kkw(qOqn?zzX99=ks=C1NN{<+SS2T*z
z+(*tGmX{l3RROQ%(CWI5XvqCbaxOJ<={yg_aSLk8#Q<(S?>2(;q`<Q=k&*<2y)$?M
zN6l4T`4p#i0z$rUqH9^Epu*qkm53wGRXPu$qEynRGJ*EPE_Il@;{yxBzFo)$go%(Y
zSUeg*ShWFS$fa1|<484g;*?4OB0mw6DN4vj$_UEW{K-Lnf=g;t^6*Fh5FD@P1Aew}
zy(_wb2%inRTC23pKiKe9!u)UZXYfo5o0E8kI<=fc1JH={8PomLM{v|JmL9=LFQ{st
zAhYBRPsbYm0AdOS92yXtf@b~2#Kcgk<&T6sE&o`QwRwR`lV|wm)-x^R6$(|neYg74
zrS~Oy1PReKZ=y$Mh{uXO+55!rf1I65-sYb)Z6RrUe#{Z~73tGe(xif9rzqUTDwy{{
z55E-PUNxuco4b)9f~V?K%mur=4)fQWJ4OXhZ?}e#9tgg?3%KIu7DYnMpD2LO5tVNG
zxiZl{&aX;0>$X;qnp|_PZH~?f$di67+x`sy5gsv~A|rg2`U7^>tIq9hn!<OZ^M__O
zPV!CO0sTncaxor-Ya{e)u^O>~K&P(28tNlk3Q*Lhpa#ohIfjPDzprm66ca%oD&i>T
zt5b5O2-y06Oby^kn<xzyj(WsvD%(;Sj|Y`z2{*<YC>vkIXIVj08W*ULO=kf90jka$
zGohLr(3Ei=2gC1AHh&E}0mSzuV{S7mB6}mN#iS5hQuv-tQ8M4;X!_)pRgUT4QDu4m
zIg&|oa_vv#uJ5)EY8W8ZLx9IpJ${)Zi+7N&YqZenm5+onNz%usxrS*NawfnaWeFA4
z$B<CZh4&wJK`+KD@UB|GvJRq>+FsqYbS4NrD8ZpI_}s^o__P>)>i&SNV6oIj-f*~|
zk$V{vj87RM5XeUYxDCpe+1Lo?h2&@@7Yj-odCDt8!?gNikn=&^311PwYBY?}I8+Yv
z1#Bh5G)M!8Bi`_H=NFOa#`KZLZ^9%oq_PvNy4w0vY~2*=TX0y(*)uA!!24hH$gb|(
zjL_+0pR&k<%rGa^&CzCqs~?EV%KWbGxWKS)^P^BG&|p>mo|xI+TsAn#weU%FSSaOE
zNymWAG$_d*xU*JgBZ4Mwop1d_03??2?r$B1O&|aRfBUdkWKR7Je(Sd`;4bE52S_u}
z8kEb1;2EASwkIsqI;qK#E6O-agWyJ)+(*93pq_0{&A}7vVL<0|YhXtmTRie26QmOD
zXU<m0yNnCHIF7`nhgSD)_o)-#rgnt32fu&Qa+%<MNU?2b+83%qSQz^rC}C^e8-7FG
zW>SrV%r_;Z)DB;Znv`SWVw;BvIRUErcrk1i8P{41jrJ$|cI^buUe7vRr&kjXg8bBw
zueU1dzUihEdYEmZe0#&Tbn_K``pZQZ9!-4W=c+ubHmkm`h(Xx7_UEio_mDI$RWz;y
zT&X^HIO+WAZVQX_l?$?)iW(j#s<4-aZRZqcnB33TLa>>cSvxzsSe>a{V%)J7{C&@4
zzwkJJX)=_rUfIH#{aUu3k0#@^B(3Pw??-x2?T6%(O6>2iglkx2tB$@%&%R3ziFvlD
z4Z>fy+*Y|z*NX?WCgK4p@9tMoV}W<<{jq{cCJ@A&0l)l-tev_uzKfVaQjbENWs)90
zX?}8slFQ<`C_{lNI`BL4TNU1%qrQrjilS}#oeg#*RgyywIFZ<_t0^J|o{w$kA^9by
zbT<?v%15I78ZwqYh){@?6$QkgP9(_4A&@o<;>zp9NR4WLt5W-sPaylmNKfhA@|p_<
zy*BmFY#*;V!H86{tG|eAX|FX_IxA;%r_l)`6rozVBs(0~cTucsv8-2)i&QE&RX=H!
zBWus?-Vuta%WMP*F5iyrDqvUEiQzXMS|u|cUiRsDE(O0_nO-#2nBxW?m3%;AudTcR
z8{GoK@$W=tuMzIu_|ZUx?YgOvoOb=}OGS;B`xX$)w@zDb9S)Mxoa9W@V!y|>r$>W8
zoi*BKVQm$>l!p_fayhNLq01L4WH#(OTWW5mXp`l-C*Ryh&1`#OAT)E3Sp3c0@;E~h
z>t!uUzt+Yz%E>4NX;uC|)g*-BNI#!h{du%T2*VZDa5=G^(|z3n07SSVm*Z|D%n4FI
zAsE&JfRw2>Uf)aGdLx5SLNx=SCL&O3p?e2ttfWwtm!Z7yXv$DpzA!2fYXhKWhP*7}
zEWdUEQDBlXu*IZZ_!!Z{Q*>5d*kfDNX0pp&ZT_ixftJ@>IpnH4dNf`%3>*tYsQ%pB
zBH3oTh_OLkL;mZE-n0N2TQNVL!_aW>r@-hf-2fLRY9VvWgeeMZc~n0;djb8AyZ0e0
z*X8e;Pqy>*GQ-ykj6d;Dd0c(El9IydQYFLGfDnyU&ef#WnJ|?O0D2h?WN_f-o3SJD
zXmJQFPAr)8&%O?o+zOF{k&%&U6=G8Ww&CH9&syRkdG=l``Q}nY?fK>kUZ=Q$QW9TP
zUquv62U2j(Q3={vN>m+8aVYV=RHt{Ags@`{5WG_U#ES5Sv)1S?8jj#u`a<9qGVCHj
zg0>Z3?jCCc6%8hf(rq!T&c^oPNvNcb2aY-S81Af0ag||Zqj-6F7%;THz0GK)wO8au
zeObI*Z2g<`_`L4%g_b(NNTq06o<3H3Z8P1IUi>7YMMrl@d9IIZkbwmE1%a?<Z$Mla
z{gb5_x@~qKU*Fj6iKghFSj}hT<WSc&>z&M7cbA)sdTz@P+Ri06PBP?yWJOnfF(0{B
zwNoVT`7m=?_y>l2-Th|gaEZceKad0!ywZNBHK^9=6$?q+T~CR_R^XZVxoeXbM*$+A
zQ%&|j{Hw_ID$PppNeaghQI6=tOh67@Rrpx&O9LOeRoj~`xQ0Ku+Hn0^ME;!^d(AtU
zN))v+*m|cX#ADeZEm@(@rS-jVgIPVmjZ_cB!Bmb9_uAwvzXUTD3#qgnQ`6qnIHp3B
z$s;Pq{Brs6_kF8Ks5yhsE<E2$x!SF2xLA?M3tT&8K?nhWlmURTVfdomI`g7^9w!FX
zkIvYuGMWCLt8YnRZ;1kogRPZme;?>oLSWr|p6wjqoD?VcixIQ#Sra^4Ju|^D`q!(K
zn$UXwmYLPzb*ZHwAY|(|{Wfz<V{$`4gMd)mniD^7kGqTtejxEgH0s^r+2P-2W1;*%
zLhgq^{uw;t{0aGn<c6KCb9S@nWPnNe=M!ArySe&h^%(1Zg4DjfR`%2${fH{7w9noj
z*VJ9S?2@oVL+kpHQ`KrebpJW{DKIAeFnX@KTpdN{I!f=sq{g*ae+AtXh|iL6Z#v^I
z*^U75o?Gy~NgPB$__92{8f<XcJ1@+B?Uec7yJrVt|5~Huz|ahDe?I#RTa4IE<gq?=
zD6Kg**8Bz;ej2U}pmjBqUimxd!S|vhT1X(8N#P9;Z=}UVB_L^<|KlhsDcTUNe>|h>
z={kBT^HE~(?UhF65aXI=D?1KfL=;z(|7(GMQ9}wV38np>cJC1f>aj1Md*Mep^OkV9
zGk>hLmdp=1lN-MU4`9VZA!)gmg@hop0l<09P1k`ZJ6**19Sh$Rg1kHm*NyS$T<w6s
zBi-c1Rq@@BL+@XJcol7;<_@zVixYwQw!Q`Fh)LP9H<WdZFU>JaXrToW4NjO1HSf`W
z;Z0zOMetDUmhURMqu(327s7Z*^*5M6UchjQ34{<<cZ>xb2Q-5fEn5fC5`v+C|JhLw
z2d4+629Lnhh8$q$0KqT`nq=T0fE`x)?0<H2n#zNq#$cNfSJeOP9Co=*la8Yv{O5lN
zP$n)P>o-IOngXPiiQE3S`4noIDd&HB-2J@x@N)e(YF4#{;Tzu%UoQqkZ>w)DRzY+e
z-{n!N%(1GXzQbb&csJOJk2lyZH`tyE)=Ey*+EVetwvRd(1d0FFA4Sf^)8AS#I@=dK
z6U+MOIJL=&G5K8g*PD1J(Qzk2`B*Y$#9@Wn;QSCcz;V74>G0hP{udnDjWKH}TT^=L
zgG_&6;Wah;Uk9_qLNE6n%xtw3e<;|++3I>q8`YH;9rW(TbsoChZUT<}kpB#(O#7#;
zCkqQGEP~|fd_(M##=tP0W=U7T(!O5$VvkAS`tI|6@o;~s_M?&j9ZX}$zjyk(K7KFL
zjZrcRYVj8%+oo)w%1!jf=K>lj9jt>vz;XvzrdijqIW+XA6B?exj)yX#;_ogZM@*`>
zu&z4Swodq_8V)numq`b;K(FSU;J9*jvymo;4TSsm(MrMU_UuIso^y7|Pqy?2t=hwr
z{bY;JgMk9OGdI3JMqwAw!3U|9_3^|D6y>#15xd&nU68STyV=k*ctXF~VC)Xw=|YFH
zA@?jgh$?2pH|FuSuvAx5XLFA8u!?`~&8NEe{^yQu1YB92mnPG(45gvViYu?|>D91o
zxiIluL=?;z)(br%=%2kzx_8lBN=rB4P1oB4g5QBKCBmTY6zcGBYbshUaV2|&lri}X
zs7&UVLMGi%>G+R2qDj_ey~f_bP6w@dE!G}3f*=`;gHb#Yg#yx@x4cI9KL__@6yLx~
z>A~Gaek5M4btnC5No|k#>UH){C=II&dEe3K(SgMDk$&7!GVLU_fiW2Gvj`iYI#2X{
z->R4@HawbEC*Zv+P1WY#k=wD(A0K5$oMl?i{2yC5TSvx5?B3n4JdRDgtikFCMe+ry
zVozc!NWJO6O9h6>6{y5iH#hToy!AbHd!#Zw7Lf7(WIT=RGMsbl!&)9nTfIoJ)xhq~
zv>FWBwTp9oli8W}*PUZb`+JUSfj<BHKa$tnZTkn^U4sBR@Jz{VMdli9dlmcZC8_oU
zJfUkb`Co^{`sg*oXLr`8LnYP9@=>q!+lQ=|ktl)}&eKHy<P0H~g9!I=|EH;bz8A}_
zLozX(D>K`@zxVVySate8HSgfg6qqA3(Q5@Rd`Ru(I3q2z|1b!$zJy0Yo-p$!fdZj1
zQWDChW<&xaUq|$eG+g~XCg#hT#_+<$e@`7YQ24WP7oZ`VD(re&+_SCVN?d!8zWQ|_
zI{f<!(D^vV?q%MQ3Ato*eyqIdY~gW@vX?P~1@k6TCL|<u%0)^d+6HxD>q9lnbpgF>
z25EllF@>Ll?5;gxWu`9I3=j9K4trxDqb@6f!~_i(Jfpj+hREKB)LK0(3`~;x<8JR;
zLo;bVW<VT4NsJ3=Ssz*D7U{;h)e=0#Go8!ieMHmzVs7V!8n@2;^zZ(3<O{ww_8Y&P
z@4UXu+E%`VGTnPz5)hA*_+LZ_ygHwc3W?%0SykGsc-8&kMYLU<Q(rd@Wu=Esd@$Ci
z#V|Q`Wdi4xm)^J9Dk(yJ)N$4S@I}O+5SeNq3&=b%#C|ERVuI{%i~h*P9c?x<rQo2x
z?y>ozR{ohIVNbZq(#39({m<t*LfWTj|Bf~1e;$zh^${O0M;d0NuM?)PX7-~zZSw7+
ze6Tjhi1-`A_xiMT)47Q9EKWNDKgVRHPVA-*{)~VJw5~eBA>}@1=-*(HbGQ^-T<$(T
z{Os)UlmUs%G~k7_Zu`9q1iESYn%&ozDdA9cx)35v3C64ZG-L}_Q7mYkKt;fO8{-jH
zMe2f1rYEwag9GU1%0%AD$XsM-wficFMq6swS&*sCEf@6q*JmS^>%PN%-QTZ~>Gb!M
zz<9x_?(NI4fAvAV|L;sM1QVu%JT67D^^=I_cnOm-F|W;mMWV;&u`(><yA*wMakr&7
z+{PUTV=s-(vCn*H7954rf^W{Cy}hTrnH8>7y~3gTQd*mCG}-`E%y7ly?iEfOzAXE%
zVUSUCXy=s{VP1NzVjuMUYg5l&1XZv7uitv2I8HmRie-$Ml8g0AU7-`k%kj*YAEzYL
ztX+e+WfEjl!w{TgbqaAp2xsF_$!%*^dvK(FY86_2F$fLx76>D?NsPm!v`nOlalBki
zoMPgyL^n(;*cYQXR{6m&GadGoVKBQ!E%PmgO9h#!t%CO4p+{3^Ci1p%YO{z4EzUd<
zI!x$XJ8I~l-#Kx32*t-led^t39R8HweldPC&!RrR%2nQbXwTW8jo4YUd_WQf&4ytG
z18qyFZ;=K{6<*f=P7XLZifb6q#}Da95u!#B{t6nG*AvMctPKbX3hK$lev2B%H@zS0
zVJopoxy&^I$ZC_+`?4p&I3!Q-r}ERWUz;sb+>+l~{56~FC8i(T>ZBVNv72?&r6)B}
zd}YhHWWR~j+~wQQON_8S%U?V#uD&L=5pvH+S;B%llMunTOFFzm%+|(tPZ2s;I;4~O
zXsh}cBU+l81br&7{JHpeL=0{yRSabwKAZr-AVitAXnN<P8&7D4-CRK4FyJ!Uw6MPB
zWiBoEqqxCx7i#4PtE@tZqXP&!xNsf8XP19QKP0G^>3nQ<N~g|~rH)4}>!kQo;QTc6
z^|=Q!`kK`E`djXC?T+mw@}&Beo`7_myHVhJrjYffV)c56EF1O8@@xwvv4W_+Nh=t5
z3+37JWj3k%#%efjA>D0jVDl8)#Fbrb<_xdE6hZcvHcOa+c;%qlI{UYgwH{MAN!%?f
z1Nh-8`Mznbp-GFB^yCXokSIErUcskdb8OpejXy*xew|R?_Tf|3*e2KG9q;RyMu5HE
z$-di&+YGS-*CG(T`zy9x8y0?}B}EeHbWD-<_G&^04?9z~-mW`XfT1*hlD9ZH$RCyQ
zH1~i32SR1X1~}TD2q+;KO6f0~#eDO;&2oi{e@L3fShbpvy#2nwx@Kx4>xMQg9=?9Z
zBv{)iQA9Ug&hFhRjp>i$U*ZKidGPKZG(1TiI}AvQ$t}_+m&&2<G;NwfX;0TB(`{#d
zkfl{sp#-0E{V=*g=*jN+6OyHLP5$W9%aEtdn8)^x{n-JvQapDilGjVNDn5~Svi2Kn
z6oD(~w8>)#3zH^QQHb(hX+d-8tkO*z5{wZYYcpI2hJcGzY}CsubT6l-v}#sm5|$9s
z4}Imk<->)r>TkxHe^;CM#itK@HFqO4)~5-VKHm_A@=`SU2dbBGZ8p@bh`P`|&ohX)
zOV@j`XGh~m<k%BuC0}xbko{Q`-v!;snnSxyM$BqQ(EuFT#0m70$<^+rL7yNo5TINl
z{nA6E7>B5;Vr@N}!*1yC<xojd-jMQlMp8m3&zJIj=f_Fa??LfEMd&-$emvDj*$R@1
zCNI6jzXu8zzd;8`j*8tU#M<Sa1S~dBl}ZNpk3S&Ogx})5SJ%kLpTu1#Sgx;H%&{&p
zTd#|hZy`W<Lr~35@I=y)9=h=rp4w*Ww%Z;=jx}=Qugs!RKy_tUK)H~C=Nc^qrF)lX
z-lNx4h+Qmbms9l3cKMQEPgA{A4#~?SpFpuadlbd?t>^JNe@rGUwqWX}<lAgGsh*0K
znJC;F36DwwTPCDgz&Ta78q!5pz>P&A&R12l@nK|k9h8egzj)M$ckDuFnY;+&7FYws
zU#ttXTRxO7FC~B|FuQj)KpJNG7r0u>y>9O@@P!|~@=mrw4hDY#{)Ck2&pguf;9K=0
zI@d`DcONm6ZYuYUaz>MR>fz_P&P4BCU=gKxNs>`^_<N~QQLaj4M$eG$Uwx5^%`V{&
z8Y)3E;4VkAB8Ej!_tyr_(F6}KSV$SwkfYL^UBxLT9)#PVH=|8$n~A3!mdap3Rqd`7
zstK!ZGPb`9U;W6(h+aP##I2&<z}YTLErxEZ$xeS;nT`m37Dtvk-CmaqH2H1D5o0Cy
z)=hR0me?6@ZH|u?2jBXcCz(7YE>7F}w)(e-k%hj;?>-mYzC&EQpu_jw7b7eok;^lh
z#?lTw6~mHqmBO6}BxbgRT>={w%XiLe`%)$-@O7*WLc$iuOwqSGzX%N_UcR0$(QIPb
zMa*GF7t<vXL{!pn;~HKD_4Yz9=gydN!XaHpO;nEDBN3GiV{d3ib%KR%7aMm?kJ~Gl
zGXEfzy>oF)O$Bn-<<$+>Po-A(m6Z1QXAF#u`CT<e;t+bvOhr>xC2sc4W2|rs*xbXZ
z7;JzF;{$%xH)8bEn%WF0e!N;8=SO_(<shPq+y@?*`n<i3G=W(h0{VoE3M=|)zEx^Y
zWuiWp8mkBCo8q2!Dv=BwE%jzqzZtd`pj4GF=GF(Z6-!f>N0xDQN|gqy&Ii+)f(v)<
zWVSEM#h`|-x&*PG1_FSnh)#Vk?Lvkza1(t}FI?xBq>nA<q8>*e{8%7Cx-*q{Cc))I
zj?pk0kOv1;NO|%lMx2}v*C+XIx$1#|M$J<z@ZBBOB&l*G9XVLD#9@e-p&IpGG+BHg
zrKs(RNTxjTMsb7!_o{gAt#}h!J6^*mx=Vx>{(-iLia}1S7zo;qRK*B^VOlvU@90oY
zU78ENmql*xANEAQC!DM43$=M~(?k*ND=1FnIPvyF@EFsDwiDts%y@9%C-yM{Nj_~a
zeU>nP9gyxQL|7fNLpr&LzPe83!28OGm$oVxpM%98NF7ksfjhIPPi2dwDQqsS{97|I
z4o+j53p8b3oG5FJkfj$Beb~DjzYH%%C@-emZbcv|jgl-^F{gFx>z;p*>VA&h!^5^%
zKup`xhB;1C?3zO;Msd>|6~!M&PSK|2t&5u4cyTK6&84&O;Srt0sq5Qgfs_rcDj!6i
zp4Ujfus!zEa19<!2J2xR-%m_^iiF$@tB-W!>mPk`3+HZ{e<s~iYc)Y+vV&$g*z-Cd
zLY^D%`}|%)?(%@^Uy+L`AQ*tOQe51l-bvRl1Y)cU@a<oqfW~PnE1|(X*eYUNlP0gB
zNzN|$A{}Gox)h=Gm8^C>{Bcu;t7SS(u{W9$#Cg;Ne=@qqxWRITM-XjJlxqTAU)x@W
zI&Aw74BKzqLg2mHGIKxGF1BW<=q|7~sB<<g=wf!Iex-HL)$#7^G8<hIMif8==$xN{
z3!YIo)=R!r)h9e2@2;C1TMlb^9%j}Y2hqgknUaI!rW<=@m=ishc7Iib=q5!yq^tZ|
zm;Ls8C#kR^_asR#<3Zwdr>&%D?Sb-CNNDkjYtodduAGrtxpP7$u7iPV#r(9fuLd-S
zUXRh_>xph;b|vcZmUtwC<HT*rl|+Gr7ez-Fntk<$M{F8QyFcGc`q<O_E@7Of&`99L
zjWDS=+Yag0nrFwz>5@%;R%@2f8hNq!E8|7cF9)-chA+?u26mA^+9$v0{=Ib4$p%8n
z$Hi7cC;>f~w(0x(S)zU%G<sEB9Dg*LoeBOjJArnHM4O>fB`Oiru>&jVl=!nX`kc34
zwDUyZ8Pw>rnyh0v)$iyS4SiKNC66c6$N_1>Jr7;K{d<pQ3GRKUOv9#KFR~^lJG83{
z=0>f%E^^$NMC%NA(F}PlfF$-)>#F3d8}}*aYNPBhu5A0_;>}Ye!&nq$;m~T7ya<?8
z^OGC%`P=B2%zg(V*}TCC0a2`}3vf@Pb(z$zp|R5rp-fuPw9f3KQ3XlbC)CK>SCa?I
z-&z1}V=D5*ib{Eg=olmfO+1grMNnVtl6(VPBP4J65JSxJR-pMQp97=4Rg?ggwT(R}
zUa8aSt*)~=03-Zit@g2`cB9d*LnGY_ja=u5VL%{#n7#tY@{I=cS4QBAz`3^4F6Cx_
zOm?Z0Ap0DnS9l|DkiktRkW0W@+6LkU=^rwO!paM(GvIk4OxW$|rxhkYb&)~&M*ncs
zvPtuuHUGS&=!HFxh3VvKj+ko1K2Is!%@0Ev(FJ=qH!CcF{iYK8@*}IVY0g<<BC8f_
zJW1D7N%ia)y|I_WuZN2YS*H(YcLaWC)gW-|e2=Mo5u;!&eat)JGrSt&5k*?M%r2>b
zg{yo_id~;r*`%iMFzvU9J5gnj>Y(X9$I|tcpM#*CYgLmlk6}^59^K3(5eI1GLR8IA
zGolDvUCY3l6i8>bO#~&r_|XRkg#5zEwS>CzE<Kc-<Bt#Gl0pSf8E+ZM3OjDBir9p(
zAy-4$pFo}#^ui=A#h#fE22Of{LJsYn6U_c>Jht@msJEy;WE_^xu=G@HeeWVo(Z5Ze
z&1)kZCCtJI$MJ%$(r@qN!8m%w?!bKc9R|Xf-~nBuBY;7S3PN5Y;pu4X&`39O`Zx+6
zceik}O&JfF&?l#F(h(oOAyI|FjIDz8A>3!%&A<8Y*=Pg=koI!71t_E_e^(-b+)`br
z*H2R$AI!)F?LH~J!{fDjrm)pYf{aG4en->QGZJaSFEm!4i11a)r2-|HT;<ta{C@NH
zP6n&2N}VwpeKjX<fDR*%NenvhicZ5<7yWS&DN-R-gfJ-j>nEf)>ycEU9hBkpg*+$Z
zSyjPmZ<7|yDcF%Cwe-TmSYbuZK%7BBm0)Afre8=DzL&!jVYFbAEy9b=Dgm&_S(;@E
zfsn-?w@^YNj#;`F^VxeA+~D((1(1o&4m;QYVe>9C^dB>9XzC_m`<ON9ql$FY%Gk^K
zot%GqovYY%eMIxa;TZJ6%vHZs*0NdM=GS{J{SK#xb#DTtz9QOVLBdAC)5PM`>Iu!j
z;33?Dbqca3tj=Yk&?7ugsTOomKfv~_o~ri#LNqf0<m&wzyW}l(U<yvvmWVbFnq!eM
zgLH*nngq^dvs5pH{2l3JpwEdDh2Ok~CLRko=1q`B)&p-J!d%xc#fo4BlltVnFHE!f
z715lbX7Iz5TUGK$P9+XC4ykJbP2YFYL{Y#(I#8#)Apm_M#H)jYed)ap1UCai^Hgo;
z9eon$WTD%&ZlHF7jv>A~(PVXl6DG<oEFh@h_)C#fD6Du@mI@OSGs-+<9(~AlWnhGi
zGX<AdZ!$Vwt_BGt`2%t9fQ6e?`qK@osb_qTt%N0l#&@lpArgZmvKl#Kid7nmEb;Ff
z{GXx|boWe0R2&3VpyW-kB!CgE6tBq`LRb*_7d2@CqkZ}AZ`nALl*ekm7M5n=OdBnZ
zD^T6xxeO}y>rRVroteN^GK!G=1^{-sgEl1y$}b9CzeFa&sdDe4tiFqt0p1cDFN^?m
zg?|4TS@@Aa&yq>FwZ3iwiLcI0@bH{7xUYXs+ze_AepKwZOwOu!jE^|0v|=8!Em!_r
zlHP1(4N1I5$~xnI=w8eEGZ5kJ-?kpVLLeCVczLe->D$<LWEn&vC}+ivD>Apo&4ne8
zj>XJ{<;9iCZ@kXhcu8uBG`fErnXa%%hVT3M9+)a3%6a}Xuk6rY{C+NhjkK?8=3*?G
z35@tzX5A8VkK0<%=Lbr<pKe_z&G`CZ=ElaxOCOrB8Q7mcv{{+9#6$47!*Q-4C*df8
zbe*tO`$C?AAucBGn}RXb7cK62G&|&Ac)#uXKlmFX3#|}O@3?9NOa1r?nI%3$UexP_
zx_Q0>5M#uT5$@v?wNDss$@6DqUkpvT;*5O6i?`DPWs=d5wbD?y;@-ar_w<^FB$L_&
z8CkwT3rZV&<2ahXX8#+b=iRRpXL!PCR$B0bgvp2ykBrii?ztrQHJpOdl;6$UP8ZGW
ziuY>(op&{8M?Fq}nCg=DUcSmO91$Z5+&BOD8)AGXC)%l2pkA%=nrWHo+w#VZU$g!8
zlmR9^9!EyW@GGhHKUaQ7)*4ONxr{aQ20z7|0Tqi;CKLP4!P~s)vxg?RgMioTX)ep&
zeN&WyDshrQk$ZGXI<62*%T{#Tz?x(;Kv4;8#}fWChlE90Cp@V#2)t&>%}uyvQnr4n
zNQh?`)7B!7YZ#C7dJwYqU^8p4qN_1WkY9pF!^K#-toB23P*djYN%xQcv)#zr(+k<_
z9P4vW*6V4MJFI-t1FJG%+g%L7^fLPl^JAu6+$TnrQbvi1m^p=iX9J$ukXj;Br|<^Z
zm^+^GHzd8dbR4<LOC9nQX)gpst5kAvnBCg^K58xOlPWd;mvC0*qx4bQ$j$t7BbjTk
z#ljD}Ipp|JRBz4PKeDZi_fa{p5;8?HdkzDbja77T>Iv}{GFS6L>nPzArayKo{R;p*
zJ1G>qZVBaD+O>?{=+)fBn~NT@{oKSPa^^=GZiO|Lz?zk>)$ENH3pTJoUT@(61Qt%@
zP}k3fT7cx5e$5*V>KM33eePGoc5_J3zaHi#Yiqi{X)O~~1-Y+#;(2E{!RuY8(6iP{
z*Pf33(4ky}6=THJ=b9lUPSTfX!|40vwY%7}$M&;V!I87)-RRbjA7BY_iYM1~Wrvt3
z4^dqkj@mOrPQT?fN=|phGlGJ)mc!Th-pWwFg0F8LdcYiSbL|lbzr8%@vCLDC)T^*@
zRH<dWjh_52!Kj^WZL;!?be%Xr>MLcTj#s_hXoJCo;*@d3E5?~<5@Z<SSO)hG#!36T
zN!iCyb*!N2s2fY&)4Y9QWcjI4h|1$gXh?NDa!$=%(~zqKRC&66qWkQByvQ!v36I-<
zaqItTvz)dBQv}eJb5mH9)2j6i;4V;gNp%Q+dj7L<L4b>IVNYabYgrVsq-`l9^0b@<
z1IvX$$PN%+F)q*crDYu(eZy0-g9?TrnXqVdh+B1eWMo?DP%H6~=WnexeaoytG+DH|
z_jtf^^^eSbI^y_y=4-GfUf#q31Hi}L&4WF&j$)pL1w$xey&Apx)Z^oh{Hy*&G#A-i
zt_5tAUGpmPIQ8tkt9^@LGq2r~Vc5Ab5crQ^mw5M^<AA(Cwy3SU)fEE`;WO$tsKNo{
z-G6}f9yV&#D=X~rj>6BM-=k(6IX?P4Z6M&Rv_C4Kzy+AXWOHDAQx!~)=kMAZIJjXz
z7!XEPeI-N$a>Bb`A0D*1j`8g2Dc|1BWmI&ojS7@;CIPX*h|=_?aM{%Q^Pd%JSM1zd
z^p_hhQs`x52SLa^um<^jxe(zJ$XAE^w}1#t2GgNEMjdPYdC9KI{@Dp}rVt}oCv%8!
zG`@4u$hwvDS!>3W!#qdTx$@4iercg_!jL|q20fOo&jMNFV75tcLFz6DCjA3}4*(4F
z%)63Q9xU1v_A`OWp}hb&HUo&dy6cbX*8|{x{|N&MnEj`rfD4#fq&8F-^3xO|(BYCi
zKifCExwi@QTR?={f~Jtx!tR@|640XGy86fd!Eh5;fdVHP{h!m_41oC73t3#9dN&ud
zW2tUMkv|=uf?S{9oS0jz-Oje2t;$xLm8E=O8>(6~x*%`%AnBaw<3=@cLxf5qzZ*lw
z2_G<x+V?x7a+GoyINn2_J`~cnW6}B};dS+NCzO`{z;`RhRcZc^HaO?Xz|i!)_>b-}
zI@&kv(K4Ap#-Z>`sS9h8dI^!RMyNH20fWLf(JaWPllbUJhj*XH3S!wYS1w%;Orzd%
zEzgiBErV#{R!1~^_zTs*()@k6I0FqAzT2<mfg*>-nHddqaXtb8reTTFqk7|ssflDh
zvRoDW+>E#U!#r55?8+1=b64Xm<qR^mu4XGgLgewaeyygyl75P$sUOiN`driB-|sP7
z`oq*2<yszrQB_^CnOWD62>K}+mh^RbeKb$zdllQ>t|CYHJ{07n`kcUc#;}jAm>7Nn
zS*$VbS=dX!0H33E{EY}b6y4zK7}-@PhR!MO40tomnaNL=JWwQAQ0ZyM^Z7zdQ>5^G
zh#Z+7i|g<Q?G#%3LEd7%!KY*TcQmdlU3ro2MYt4-AJK=uhg{h@g%udPRm4<8JJ$sb
zCHwQ7yd*YWv5|h@XZd=T#9LC>hUF-<w=jrR2)pNa*2d^*UV}&r*A#pJztF4SZ|r+!
zrepKjI@f_s_-(_f4}Q_+3%~hGtZNzq*J|XxMK>wjm-)V^zSr-c#VY%mc~@^YJZByP
zl-EmW{}iNs4O=t5Po$-Ri%B*Y3clQM`sxG!xIt|eYm7!hfY@Gnm032ky^l;dStM!2
z{A~gzBI%R$fxsvV6I2-=4*|Pvg$seCoHs4m8MlqZlj#R1q_ic184r;o?ekrLiBcBq
zvz{Nk#EH@j<9B~~iH1@kZ{p-?L{J?~y>MDXi6^IiR=8pYW5|<ldq++h4l4at3gKml
zz(NH`qiOEvhof}P=Cm0wax#BN`{mOWz{V1K-dyh*nSnRSNb()~L0-f{ODN0(G83CA
z?LNiwQsmtc!bKz55Y9(D5>n2;@{Z?vpi`fNo)2~XbY^x@e6U#y|6GNSTB!c#nc_tD
zK0BXKw9O(LGAwiu9i6mi?r3MHVC`&eZ7tdK9#${IezjFw2|zqZ(d08EJwJr9d^My)
z({$4@1hC@+H^5Fb>sdJJII-KS-U;@9K3`F3|NHKizCV~u;FGPb+yrZ|vr@MF#U<St
z{-Imy=0i8&D9U|TV8MQaWQI`er`Q=j+U1YE&iAlcfJ+&QLjd0X>0UsEBDekS2Tmm;
z`gNoZ7a1Gs_no{{)5@<?4--4*o9?yb<6TJKD3jpE#VpBuWWNqO&pep`S`<!rzqbX2
zO$#Te=gm6)_{dg<)gJ|LvA?el&!>S2*<O*iKK6PzE3LX$k*~U&C5g9l6Reai{#N}c
zU->~0zivZNtvq95i0(ZKOOk0Ta5AFAQdfQ(Svrz1OVJ2jdeCZYy9%qPQ%)@&VZ287
zQL_-ZKX{bAc%2EHrd{O5#3q`s8yuWDM3C!sjLMs<?Ryrj2Mbw;IsfF8gt~Eih~UCJ
zWe(TaG$qfH?|3(T^l$pIBLWe7x2H-jv>}Xh@U-382<I}}?=sdEn~gL0Hn&E0+nGFh
z1bNpcl&_=t_xPfkJS(dSe3chmLdJ3Gz!jra;*w6M&&&pqM_ab|b$HSS1#TBv3_PCP
zMaq?^MW6Oinf+vxn3)(MC2tBi<$cmHUStgzq6q$gog{2DIX(oq%YnTLIt|b-lGrxn
zNL&<n$>w5T7EOmkfIS$cY7C*Fp)()lil*;o?HWse9WDuSYG7_I)U$K+Oz$wviJG#n
zI|NDx7<e^Kp<vEo?+G<coFloeZ|GO&*zNb_RLQhcDj#uUR*_4sn^gIjmhfC`Sv1%q
zm(Dg)b1=o}z8@fz!Fol>0O~f_0BVhnFCL?Tc70BbCr(@D9fN**^LQCL8r|PV+kHEh
zntnU3(Ai$>;w8|_9%&X@puLwBr1nbXp>uI#1BD%=Al{*9Iyj;a^G0p|%0P|({-_+a
z9yrL^9;9ZA4ofKyh`&T<!}`+2)*sLHJ>Tjx&LZVH#Y(wsL}P*Ek)8_zhQZM<yhb?D
z?!?A!0Etj6l~W8+wtAj~W+yzBlH9C`!v|~z&U_S<M5-?$T(3#)j2<es12}9lH9?Eg
zt2FYIpA#kL&IK~v7|##g^x7ro5c*X3r85{gQF&0#BEyWED}x{s%bgMOMdNt0siyc?
zd)vZqyGG<<mdJ`xUrXv_f!~DN8Q-Y;C#-!92e?mxQV1-yZU$h`zmL&MrI~ShnHxvZ
zCy5j!Z_bpl#-7+18l1vTr}hNuuKtVfV!OF59fa~jC7;Zl>~+2&twD@w56%L7skwC2
z!&{B0yh?mqjT4<1&<7_5XRFYLeRI2*;=kjGNr3p<i$~2?sL_Z+JzbD#k{`?8t||~@
zAZ}?)iKvtdl(^`o*k_4Y_?65L-$_$VPitC!qeDZ{KG&y5>?vvb$~MJiO+rsKJ}tsb
zAJb-Ww9oG`PQIXGM)t~W(`z2bOboTEU+NGE6eh=gw-I6#1rtTt8_xn)9?zC)TFV(@
z{|wPbRnjj={3cCm=tF%>gb>9Zmp}tYy=6rtKpV^LF!e<z6%p%g)hy6s#vzp$iO6BT
zsq_B?&jT?0u*YtnHI#<54<WsxTVw=h|M5kuRXy}>7@=db@|J|I1c)b6L#aUsV*Kad
zcxTL(EgQyc80#16@xl}Ad%aZej<z3v3}e42_H+>Hyz`6f4|dyXxww`vW(#uq%~-2U
z(o<}+%-|LnSMCmZlA#(oI(Qcd|AL2<w(A<C<D0P|Jp$|N%%A5mEH%Sk%MYhIsUPbT
zRB)bX%P>YCsX|EsOq)rOTh5X{3ykpw)vO$Cv1m@sNT3bKQ5RBh3O00JWYh?F(s^`q
zef)qNHd7mFxU*fVD(LNHildB+-8|K2Wjxe8f)8B<W4+A#bl6y<a>#V{Kn6=3wWiB6
zHMFtU2ZM+n4GX6%03^$0iiD%+yePK$^Yr;E7Z8-W9m<sS0e&1QGqX(xwg`UE*6@)T
z=e*6C@LWnIid_s&+Hg?unU>vhnPM2q6k%=Q_&`C<c*pRjqK(NNULw#@ciKxlFwQZU
zlmmPx4R-L-vVElUL}1KCGBPc-Q!SOMRs2UoMfBXW!dQD}!Bl*)M-sjQw9W4(@Tt25
zSE`aXk~}w<tGyH%D%Do>;<Lb*EgQx#Xf>Nn3}Cn%@vk6!zs5C+hB>BbTEE|4*8;`2
zdCq(m9#XYlP&DAc{RJ*PwVg_2I+~6&wOc(hJAs!r!Ue;QhVQ2|d?&(<vqlexj-gUn
z`XA(I-C`nD({Mu_){aR~#ld9dEy)<+*}NLRd2pX)9S|OEXUvwZZ#0bAFm_)4@h^z?
zW&XNHVT?3D<K16pzrU_9W{W1W+Kd<u?#ylT0B6i0)y#A&koztO?sk-9Ob>^G7R|_^
z`f*Y8aVe`c1ouLksjHL1=Y=t=L9}wTAMU#;_RtUdBp9Qj56+>sVHSb-aH57RpGyUm
zeh!`kgUJDZajrAKn-$JjEohxSFbQ?W`k^HNphD<YCMkvc^mc_a=1eZ&E;Zk*lbsX{
z!qgY{%eo!V=Apgp;4SXU>NYJLvaaF6PFeSHoWpI;+1*I;np6ha+oqUHdKu!-@{IGi
zj9Hxk5-=y@PA`1i;$9dY8cnmt<sEje?0gpEw>V>zPU-rLq}^pIMjh%Lp0(fzFr5v5
z+MvN4ocU)1JJ#9ybQr_9)$8?2r4shXy4~*0%?&P1q~;iID2jsLv;Hs!LTWcJ5N9}z
zXx}(T%B_iE4$|h&jA?CJPi`$6z9265PG9fSuSlldtiaLeE5xgdPsS?QfF)={sDIln
yX`z02LceDE`kb*sp&$qX{`3DWDYa$8*na_Z;G0M|DJGr(0000<MNUMnLSTXeU|bvk

literal 0
HcmV?d00001

diff --git a/engine/docs/contributing/images/git_bash.png b/engine/docs/contributing/images/git_bash.png
new file mode 100644
index 0000000000000000000000000000000000000000..be2ec73896dbb540dbb3d24cf76e38ec8049e833
GIT binary patch
literal 26097
zcmX6@18`<dvyN@s8*FUzjqPM(+s?+eZQHhO+qUhy-~GF~rcTxL%$Yge=b7%F4wIJ^
zgNMO^0RjSomk<|L1Ofu-`}h0~1@f<*xq~+X0y1uu5EfK+1HR0JR8|_>?)CcO%~?f9
zrY3>PQ!~$N5kLVs<82}HUBy+etwhJ2f(Xa&FsSj3$|eZ!Vo#inXmtiz^N+~+*lV{%
zJo)QA!rYejw$rw^`SD|H!sG=aRLYX>J0!~IJB@@4rLaqjpa!So0_zqbiisjraO$*2
z9}^IO#zc*gg%Kq^)cd;QJ1jxQ=tIC@kZ<VDBM6q%w;xeTL-#8jBKlF1VHHn@>=oeX
zM#I)3cH1wGMy@t`_$8qay*m@t8`2v!`v3(JO6>cCb-HT++)39JWl)<^B}e7`+8HCo
zkYWE!cUAblGAoy~;K0&;KLU&{(4>pMGV3@_8dH(a!0@e>DKBy~%J8i`D@%n{lGLc=
z@NN$N6<Lp|OZ6O5eDOUCvwlX<&rtv}^^@s)%^4DF#(7U5rl(a2qg6{s$(ZJyS5JXV
zw?z(Xz~reV8xInV`qjfyG6rm4{hX+cX>OXBg`b<V07iC&OtN23QS;uKK&-w+_uKN+
zSWi!&eticU?jN~lsiDEfTX^6BSGkF;*Jfm<M<upA=W=STO=l;^0(w*GB}8cUQ$&Y}
zY46h}JLG|>&Y$q*S>v9yf_^dn4e?F1?vHQRfq)1utvq&x00jjFl!GG>|MuEAfC?>6
zYV^kBJOZk;xfXOR?Tq4O{U!s}og_!E4b@F&LNL#Z!F}lzC97C+6_^uP_ri9Bf}12}
z_($Ku2*47S9e|HC1cgy@;78-H3I1*3@C)~Oav(~*w=-8T(0{UU|D?f&YW}2@x9^>6
z+s$Wlf-wa1aP27z?_x_Ll_HK7Aq#MZpuCR602awJmHsib)CEISZ!aDQDCofph$EEx
zoB&_!PDzIksLUj?e1jN*!Z`5_%-#7%jE^rz#^>gEtC5@`K;DI&jpm;ch(dr!k&I;|
zLTY%Bg8y+9XZ#4g<)9)O#4!>U7FG{^DgcYqLndFy1evF|kaCV69s&W2y>0{nSpJ@p
znkUOw^zmzC=k)lXk4h^lc*_6<_TQA0)tKlj)13~sx_?bry&R-c#{h!2=cFrOMerb2
zEct5woPm`H@hd{w2o}V4^2JL@+{=bOcJeWe&nGE_bQ{a(7gCnq)kKi=9nDLak514<
z+~0eXry<rIB@ON)&JrCrS10-WLo;z5TI(eqA9Lv>XCpI|SA0+$-x~>j-3eGZ@W)88
z${SY}!9O(sFe@I0qqCRz@)zILksU;~fhR)4drk!V2odF5st&+yFR_4UdmFTwdOz_O
zvLkjc3Ruz81)@%Oz`R_w+}I?KI+NJEcw=jTa3ybIh&fntqz56<6eOTIV6!-Q+f2|X
z3-SW_37@BL!?#<h(CXw$hEOm^Y^(xPyWQf1%V6{JLCYPru%kxfP4fVLh}(ULwLRl%
zne;vV4N!R*vWFMESNT5A<aY9KbtahoL6Be0CBF2VBi{HD<H+$4`4(OME4nV+l2RH&
zs|S;b)gm<MKtA&+@GT|C_-R*La5x>=C3>Lp60WlZ65j`IqMa}4aBAN$V?;qMSl4|`
z`+bq**Ngv&Y*wsW5CiL^OBNd0@$`gI$*<^L!rk(Vycw^;<uF?+&k`B??P9+r_}cR5
ztRxmZu?OyFEX76d*Sp{8skr-aC0V{lO*yq8xHzu$Ayem?pZCLvf1xVY-9lW_IUGKx
zd9TVzHA)ZBxo;SI4qH6MJgHmXQoX*4yo<3x3r-O7P@!D5y_Sc@bqDC(fYU!+LT;tj
zQ5}Cgh~RxsJ9ZGV&EDJ*@^a>YDo7x{A99Gk;UF_5k^YQ+-~SsLS|3~pXnPSUG|4|h
z_15d>T)U)py%vb83aoP_-d`VRmx$6SM#f47fHAy(8v{*y8iSXYE#ND(KqJ_&H{maZ
z)Wa%vpBPtNV+O|8ECWnuHd?=*ZoUF|pSK{~@i)afW#)eLi*Lhm<=+5u=`VI0XMz4J
z`6#qx)X(Y3Q*C*-dGQp3y2mLkxj3}E?s<YaKI!C1Fvc?CZxul08E2o4nNlwU@%32Y
zqH|Rf%c>a3nz|C>ghACD(jCtzbUw(F_XK#Y!7fU$)ENrsqhGsJsu9UO2nOI8Gkn8T
zmLO+%w6-f=0cD;cqmN_icE_PjxWG9pc;oeqnmYFhfZAob3$f{43ml?91+9uJl9lG?
zp=Ci!*6l<pH%M)&%H>j@q2<t3W~c#9)!YZ%+DG9Stp`#(wRqFrQylabuki9c2(;BO
z(ne8OX6Eg${sI~=52T7!+~98H^{VyXv^+o)O|kjlDt?wX98EY*1q4gZ1^5cfevmAu
z6qOdh2VhxWf{F0^<AfbxTvWCKiBI{_asoRW<ErXUHs?_l!-5a~)r+BixMLYe#;6)^
zvMX1LwDWV;NWdy*`vv0~_xr2FqwZq^FS|m$XGk)pK`wPL!ry0|GW+E&>cHuGXQ&4S
z2*hPpgh$sq|9)3r_>Z~!<(+FJm(k7JtrVf=BcT3zx<_ULZoSLE8G9%y_I+vL*t6bm
zqSsg8uil@9OWGqI$vsTh(E0bmfi~COQqg!3Q0$VZ+A-N}rXR(jIQR_R1zyci6BSD1
zsW?vt96#f=ZE!XOeWul520ABXz!E|*$x!%6pa`=}=G4#lwNof7M4!PfQhsK_vk*I^
z&?!<*6x^SzY2tXp_xgFTaMA1Nq~O;zeRpRfC6_>O_iAJnUW%cC1CETdp{n?JhaIX>
z@rFFoV#3{|Mqx}$&31(=Hi@8dh+9fO$sK>?s{ukwEL|FfrGfFk+P{-p!Vs%*_6fvB
zz54l_=$u+IDXJjPbQRSZ#vrpgW#G-z<K{<*D-tqG=pEB?gxU+is{{;+ZPQIobH?1&
zaVKk;f68A?Lsl8Kh)5DNw|}=OMC#U#yAP|qMz!($0i~%iyjn-_=a`YE&~}HPr+9Iq
z+q+GQ9WuY3sJ=y)11#G(WY=w4pV@2V+4O_ZRgjbC4<CB@my6COyMD%6BQ5cpSLco3
zjZd9V+kV#8ht+v?O*|UQhMD$bFn#nxBC9aptcL9dtb|p>XPQ>uZWRTGPk<iR*rhd5
zT@HfAwF|1>G8l~LSlGbRcwi*e#keV+v%98ET;e0U+Y*V8{`5!X^0u^!Je6MlqNScN
z9%fnzyeyScDHI_ARqCYbgzM>1v?EWkBV#wxFCV$5)>>kAP~<8-=Aq_f_y?5c21b=F
zkIq*YgRUB`ab8Lh<2oYNGFPqVORrxqPB_3Mrq|?n(=S<d$qt7Im9MW+zJ8p-OCA8o
z7aRP3dUJM-?PpCq|3><j4XCe3(U(<Xfvkqa+&Ks?XFW}64k>7s^9{_zf-9Qt%XG=+
zMrU)`KF4NP)VWSN5J)q!v?KadAE&S6g$j0>F{&wDtQ~PCpW!?0zx7bc!zkADz>ZMn
z)<hQU_QM!r2DuyEBkfU#vN^Se3OpsG5dCm*`zZ+alhNm5qwc%14s1H!+FExyCrFpH
zb_#9u306!mAi7&HXB1o9?5>u`_|sUT+2}5Uu-fBIrr;kG<Z#e`kp3)!;cu~WsH554
zyN^KiV8pYB*SADF9DW?F5Gi_%=uNF`%ESuZ@(fRj=_{2MoN=GlvneYLh-(^-OXQ)k
zMMx2X7eq2Hx_RE~+_a&zOlly($0xP6qh3Ap$5eZwzFLOlUZPlBy9FhT6l8p&uC!0d
zMbX%p{u+rv$T&{&q;yNSYaL;#uaEAwKQ_Znkx;7lZ#fR8&Ek#b*|C&KR?{N+Rs<!f
zK;Q1%-^Dxg{ESks4k}uTqb|V>zCqja+C4k4X*ocqSr7_89!<(e&W4MDhXg^zz|xF*
zqh`mg`ixG-;?j#uy6WEohTRuaPlJETI%+d1p%};8<!8RMfX~!C6i7df(<W6l&%FBK
z?xjWOxoee*T_e)K(R_e6z37j-{56@u8W|-;-s-ryZ2U1i?1ASoy2@c2i{AHFNA$E!
ztnq0<bfaB!@Ct6d`Y^j~m+68!rV#Y?3<Z!9y6d>)U+{r1;SI6f(Af~~22L;05F~0-
zYdY@Tb2KsB{;^T0BC5vM|AC7QKFmeKHOldE`;+R~_s<PWUI7J#lH`83Oii&3*tkmg
z=k+yhUc_`nAvHhXx%oa$68lnSMng&WcUV29Y4sBaFoq2X^ULd;T)i8Q5UbZWFNxhZ
z#<@fl=HT`7xGMCwp-<f8BQM+&5Xf%N3p6h(S}hZ_!~8Z3YhLl?6!sk*w^BkjmxZ%=
zHqVoklFhUh+LYX3Y9ch<2thzTLbq#1=V~=*OzQnvXYX%R&jM`5dZ3J<CTn9VH<Pd{
zcZ<(5NNxHu&Jlw@F|ywe?~&j&uuOK99n&$J!ITy7j$JGsjH1UgB3~51_@Q>{TS?&r
zIO1KR2h33J0l%H%DXX!<Mqd)zq8lWs(kL#%RPUIc@T2-O#>aPj+gojhgS6HMd60Pd
zhqe3!HJ_HN3O|SImTLa?yVT_w_28_k1fFx^7!04UMyL}jjQb-OZnvogmDCb&hFHq7
zLvRwH=^EjFMECItu2}-j_EG+)%rO#h99!Kqq|6H=O4L9VvYNCbj%NG%i<RULs_n+4
zpx~I53Mp7W#`c3jyG9{@MB5L%C97%dX{-%_u+pUgrcsW)7&~r$Ieeh?&(KChvX7Lm
z==BNzuX7Wr$*vQfZj9l_F0H2*d-jKschc$(TfoXhrn!qwh{fRe{n$3@FfEOsjZa9X
z48A3b43JMy<dI=ug*teR1hmpfD_xO_C#}NLZBdo|3SAUjDymzZhC@qOvv)8fG4Z}A
zY`INf_zqM=w(riGquk*tvPAQlq=X2*x!@zxE85?iuG?|s2?^yIB|YJGm3()pKX~jA
zIpbYF{p^#Tlb02-#ptM^a{g6i!iiC(#YZcr;QOcuc|NaBxWEdmUeg3h0;IlNKwL$6
z3uNQ1$ht1PV5y_N;T8ymCf&sy?9OIjsdF4Xo^NweV@+ro8{*2WTLtNCZ?na;;(NIA
z*iwyMP?N+oGAq3P(Zw+l;)Pn3xBCgwN(2D&`0g!E;oY*ob)SFaY4pv6$*H}Hf$c&;
zeq{@>X(!TC+FoOYm<c>QXQYRM-d7B%(0_%op%!PsMTtQ|%Mrb7gEeSRCfo}e4AXXw
z*I1o11h@3hYn*=WNjyg%97O0j^H!D{8d<S9J3DWxkJH<}+gkx(tpx1ef|Wvhb~vll
zi;T(ozwlI<ZP^F#*MWVhal-rs7K&0t>i?=M;fpu0Np-$Gq>mr2K@>`FXT67l-I?K{
zCae}5D$$dPtsr2r+0-V4#F6$cjMA<iv?kY?9}7FdR^`Ggtkk`jrmdyp&ankvmLFD}
z>&eJ4Oj*v0Vv{U{8%6bh>B1B48#P_Z?+$}{KZpdtgYwL@3>{x%+xow1c~xg<Dl{^v
z-F<}D&xPBXNre{7DnD0=K0cG)2(&->Q}Y;WK0e`+6EjwKlzZ<X;k*cBZdG#$&-rSt
z8#D23ew?p#N@oFPVR7C{9PoIq;07??ZB!pvsu)w`aNlHJ_@BVata7U}xEQ$-bXFm#
zx9=U%{TM+=Q^rW~vmhevUDu06RcZ!Khyh??A}ZGYQOxf$8b}IrU>Dgj8pqf0305Uy
z<>g-z$*qecwQy3ISgSfKg!WK~^`{3H#5lA4>}z8i73Ma2BnPz4_rahkY6Klm{%1>g
ze0%UqN4LXM`~4PHyuvsC0@4JPBt~=<x@!IA2i4S|p#=1u2ey1d`%o@rB?^u-a~t$?
znmz2$W@zIYN?1ctyZAKYs#@igKSOV8CdKi-mh{L=9?QSe^%u1$xVFj8q6<5dy7=02
zJTl=21~?B8@~bf=xKrdigAU;*i}rukX-v1jqFv1f)ICEFqCMu0;PI(H8e{9B6_x^a
z7ip!2A#V;<*!*}#)bY7jO&GiK;ejzh3W4E(&<@i*CgFKM&^AA7+oRDgxYa!yAE;SJ
zj~0a`b%%BQim|~-k={(JHnrjJpeGN`L=A)b>R;ycCUf)gY5dUCmKWG2GefN)5P;8?
zIlE($CV0}22grqe+u-cCZ4$;JNMOo|k(7#l$@Jl_2Brp!rh$p21<FTN(vFZN%eB>S
znJE{pys2@8$aj~}L*Gzu*0@5EiQFIw*rCw5atuCQ<C9dVo*-d1c%LCPUclG3^A_)$
z_oDSN0Bln-SCp!=8DUb9ZxaCGOs7G5GDoESEZce~BFM%!#p4w`BGMVkLDR&?1pwg@
z;Uw!%>$?CM)4+;8u@?;0MTVBDG_w?eioZpUp^0Lt06jf~JB5&25?KCyr1v=}g*um$
zXHfdI*LBJcQrv}x1m+##wr&HrtMz)!&LvneA_j&KB#qQc`2uuW|3#{=C^6hAT2bl^
z&WpI8+Lmy%_Z{O?e3E%o4zT=E5tXRO#H0bS?-oQx8Toa8$%)Hb*?|D|S*fPjPUx;=
zYZH=x-*0@hEvsN8@{*gY_r?L2q$Z^LlJS~(7KlE7(?aCXmeYNupNWuU9HNwCr*GT-
z@)ISjvUhuKjHXF3-+VTT&X<PH1G&v5=%D{WYmL-4K58vFrBujO%kDcK-3E`YOj&-8
zjK?S5t~e}-$s^GXw;;F9&@q&pgTlD5sbxgJ>Usr+;sxhG%ld^kW^C$ZO<|JmL&MF0
zdYV4g?ktLauAjk*T4o_|^d_X5V_4DR4A(?DaKSw2>Xa7Uc!W=J+apZqc;C?6HJ8&O
zJ?3r_^>hC3mYq}|C*Jgw_szsAx9)|vzkNqkw<yPIGT|R(+|hc%;pzQy&0m-f(pC^Z
zNll1VpUKHsHgFUd_$0m-_%*JfcYSkzLvq*8@kx5`#X?p&y|vUs05rI?>O-R*qBG<7
zyh|94FI0R+{e_L}_AAqoET$d!9=VR8g{@)xSC9EFb@{*LN9)8}X-duXZKDV|X6N-g
zAXL;s<c{E=)}}kQV05XQTyfYnocwjy;4sIxLJ5kY6%VHk3G>1KrEs=5gvlBjW|?E}
z*}4E`8h=sp_VGQ=KQrZPP%!FZvA>Jr>ce2WwE54GUPI+B8Nq|GeW{I%@E{U!G{U3U
z=9|;cn+-pJOIw3?aR1+0prQvftx5$1hvRjcT+`7#AK)vk_KK%)es9w%`hF2BhA5dT
zIb4XCPIEwy5}OLx{KL|zc*U}Sk|q98&DUSOxQ+dt9^ND|dCB-60CjcQ$eE*LKkix#
z)$IpjPI$7yS~PrI=0v_b7)E@8`Y6!)6zK{69K#C(=E-q=N(6TAW9;n4KMoI#O$7r2
zu(e}>U-G_52@}x{4xWu^ha3-^bPcyjjf!6oh_Rh<4TzWNdW?(XeY0VNPO4Y@j_D^D
zLE>w-2Sr^5HrfVO7W|Xr_Ni3cE{0_S+az?q?ctsX4bC_QlXerUgOjHED~76x$pZxO
zGpA0eD1y!*L@h{cG%#L;=;O9X>3oBw9q>%9%(@>j6tye>Y1b`3(KZpVOWenQ%{aVq
z-rh3^Ka{9PIT_}rCLV4r8*kG|w^1%V7(-J}u_y2`Tv2F$(!0~S^)(<$a)GP<USfuE
z&`g|A^~DIo(3m~&Ja75gjBbg1cZ>M}l-)%3wVz!$29GW!5VU$WUp}`kD2B-!V0DyM
zWY}3iGfY>bGwc&J7kx{!!C{~RC^%Cq>5NL~ho?3tC@uVwqWTNg$g7tD_SNK-!eSiD
z?j1N~W`_jp*82KvzV*@RH9^zbPQ-Eq7FSSwU16|vcM}4oA>US=U(Ixm*jQMxmCMxO
z@GKyoJAhKW7rSss#`%c#gyU;vgkPC>0HVR*kda{2Zl1mTU4glxaT~n-vkN)yKpj#^
zi<c6U?kEQ^gt)9ucy(~Lpnm~ajY#=bJ$AmbE<_L_^(idB+I77eDP>CcRj!n@d~kdB
zC63sRFk#*UO*`q|M}CYYWyra!5&CJ!vi6B(Y5XZ-V^D7DArc0bOG#3ao4=gzuiDR!
ziy`1*?az2DZ@25f_)~lLCMM_cb(O|(D>(XpS_q*8J_M!ZzX!$EpAN3Rx2mn5w6D}p
z@?vU!68Wsaqc8Xa5fNRwEVSD;Ci;3$9i*PIyfSCZ=n^f0jD3)_ZNa(#0{f@&Au}JJ
zz0<suZP?)QK;CuhS{wF?Ep->G)z%v(nHKVz_MBF>_03);-Ahl`5GN;t)y%?<k>X4@
z-rL9P-4k_b&MynCFh~M-!=k@*oh~J3Nn%Xt*`_(~ss}uj6ahQq&v=>ryvoRv*#Vrl
z292X91~b*>#U3hskFRZpEI_evaUB<uD$Z9!+}+uiA!gCYhd8nzCjvk&IdJ^8ncs()
zyjT~X?%5_rbo;M-X0V~lIqMQ*vW(t9L;#vi`>+9>`+dVoOl%OKe+-0e(DxiMk>Y6R
z^Fs`HL?8kH{U@f`eEwl;1SJss?^44E>OaOZ8AV$BU@YdJy8k(qP2ZDQ+zK<<j9Ta_
zG;;bIo4Xk`M^OB+ob|?_lXAv)3v2kH`1qkP{)LwC3Du2uq?7ob8{!ki!kvm$$I-_z
z@sV`TFb)&BDFOn-(12P0OafT^n-D?YQ?A@jjW&JVns!Y6d@;k5(*I7XmRwEot3a{p
z?lHKa#a+Xd@I5&+^634c*bz8vjPce|vm>kJWgBND`y3cs#)NhkJG@Z4szKRm{J_Fd
z^$bS1SvF(rDu{>IJfT6dBi58A34Y1PVu0W%&V%XVd7PlhRrz<7aGP+-h|-b03a6)b
z+UB}?>CB1s<WU*y5c$0!sZ^P`CM6^Lw;3Husl*6ece8XHZDK~mE3RW(xo2KpUfQI5
zuUZ_{sM#+jsRuI{Lt<T}c@9zq66LsPP7rNQY>O(>H@=#O-9E{(>dZwDAUNXjzb$)*
z_*Zoq+8;CB+Py_fK0ZMFFHCd?(cDPN^EP$PTqTMPhV5sU*Vh6mF0ho8;agqRJKj%&
zJstlDm7#fsz?18{&!g;RBF<4~Fa-A?<mQRz=PsV``=FojCt{|SkmTgU2PkJ6yqJNJ
z_Q=G2XL(tk2KGCpowAJI^Q*QWl@GF7PV1xc*juBM8?@WARpx2_1v8w7^0r7%SEk2)
z42BQl8cj!I$GxPDXAUxi8F{{OzqvU%`Z>BeU)U0^oBYzZEoBE+qSklD{}@?iV|9Id
zdpQnOmLjY1%&n+Y$GfA5WG%+G<u(8n#q+GhI$SA2b0f+cgQAW~&v$=5^I7wXR)ta4
zZg9S*w7ssNs;Yr_B*L#-n}&^aC<nO26UCB?d;MrFPb{g@%i!9{)ip8f?6!%CnVFf?
z?z6=EbL9IK@n`qI=cljcXZ#bAKkebb$Jl{?Fm1&c?Q>Vxq{&Ik+23$f<mPlzou2^2
z6sgc$RSd=L_9?fOtg-pz4f&Qc*ZYk0Kr%=uFMWP-SUs*6$oQ70Ge~P)!pHMZK<6b2
zDj#yv33FpB$xORYNDV}|y_T0&D+^jT5|h4HgLc7kb<gLwpbF4m7lXSqT<kHKsHn(_
z#pxIwd)@-ta=DjDVQ0xkahj;sLkW4L*S~r!ru2l6QgD7Vy~OV(!P4aM#nCiY6*$5i
zFuhJTxN6SFTcJ_3YUb}C)-%ApNuM@F7A_Y@7hzg*c#+c{TUptq9mu38QY3WHXYXud
zt%c>T<t;kDyO#@=(Ii%LPcS@XXwV}Hq%=&AZzviVI7X0+#!Hso4R*GEb3qpapIwb-
zbJYniZ`P!lg^kD`5Vfh<%v8S^L;9zsrLC=mjv0M#&U|h9c*XmCZ}en)-B3uIgccVs
z=e%e6uw)V6d*9YnBznliVM!9F!udN1#wzb*;8+=dVh!)Zf_V}ofY=hztub5LnnLwL
zQFr(H&NTH)<cbwDwt?XK`2t7_g26em`iRt*tw2aoldY&Bq9T0>B%5}zZH9*x7{Hh4
zU1VZyZ=y>)9G_s<A|LdG`?2u`Vh)+iu~LKY3oMSC5ss)lvkBNWFl0;Qp_`+8XX*@Q
zW3I_14K+5z&s7nNA3&d;tU09d1bbNmp+<32EyDKjXo>Wt$pgak^@NM(|G?o`YziCO
z!DVUU6aWd4V9|hpZpPcDlEMS_%=l>hkYlFuaVQ4$9v)#UpDY#7WMfOktnZ^Y$PVBj
z@Jkdc-Pt^&S!J2FID#y0uE!3-$1$H*CcY%}aMn2UExixhqw*L44z4zotiBM%@?Ey@
ztgi=l%?WH&MqHXZ<S7g;68ZDkPQOJ99ADY+q#%+!=h0;NVZVOE!U4&n^cn3R9waL;
zO&g&YC0dLfz`ALDi8F$^f7qL3LWGD4!5L%0Wx`P)!BLngGlh9>+N!r5zj@MTMXrT3
zPepG#<$?4Lg;uBeDHDRIM`v4QTblVfh^1W#^4ch^a;_qYcP_Pv?5{3MM`NBc+HCG*
z|8^7uk_U^l8m!6~7XpSKid;AzwODyhdEo6Gt@zWjgA5AcJv7l#pujS3FH^JMw&X|2
zmztL5l{JaIZ|d`G`g4)+IiUL$GzMpH_~q;=X`cQGx`0jc5zy1Ro@>@E*=hvGzj_9}
z=Yi&e5QevlH&K@BqyLAs&546P2EH&a^xwF?U!Betrhf{QDU$}aSo4wvY6H$ysJWUn
zI*M_t#P<!&#G8)ojK$mPS(UXnIe8kIRxvF>dut`S3bYlZr>)PgOTto((6)_{wU>*u
zcs<|l_u@73<Yk&m+)04Y`nx^VTXM6~bkehM%N+a1ZWT_nHB4R_(TOQRN=}y*uFfTr
zY);-P!Z`4NpcG^;R`0hT)MC_FV1^3cZMJ_!I;jTgr9@S$hF``O(5LnDRkf1^M)?!`
zY8PQ$NEVOv#ZFx;(#ptCtg@2bY&0cGwG6o)GjP?|>Vn={P8e#Y#-Pk>ff>V3)lOHX
zq)_>~2l3$oYBh0rrY=5i?slfc>@XO~8Mu;!Ji#z&T7X?|tAoJ&#A`*TCA_5W_zjtu
z9#jSC<=zaIIYsLA*R-mi5PU&=dQZDzox~LeNS!>IN6R+JVa)U@M1FBQw2KT)eh)6y
za$_@L>HB=z&wlH@y`4B%gk+5Zp5XGg#>ROtxw8j1^_%x_ke2?~?)?4X;XSB!g|c`a
zjKj?gt0;GFu9!oZO?pR;`3MvxE|!WcEuV*N+vXMyXLQ15>2cVvqr=PhO?in-UkfGH
zZe;=xqvV2`S?rP2KF+Hkl#T?OI<Pj?4Kx7pf%h*-nSj7397Cb!&}LE%U%x)^5lb)J
zay+?n%@5-91p|8bHTgauL|ZM*ZfbpO(_OW?RyL#w(5{GQZ-cd_{OE0_GG27q*F(B%
zx-26o{fBw|8JYGx3*n{rgMf1)4*y&PnR9q|6v*!shJWXPX=r5Cja!Hb#4$f}7BSP#
z2XoDR-dyLa<*yga9O)Bn6pUuqHp9xoY}PCukVj7`)#nl8S577D{wAAm0d3syJ}MK@
z8~<yYd~hH=1lJS<kNK>kr}U|A8U>53OdDZxG-vu#NugI{nf9hWGA5u}e^UgOl{Jo3
ze;6qzsh0k2D>DCj$mEa)uw2um?GARGODWPmZu#w_Fi`C>QdGY2v*X8QGmxuR{92iX
zN(51+-2?r~+_<HxLm~`3(hgH6^Ft~pIN$5JxebC7Azm@)v#qsDNh44odbv98IAeH(
zsrHc=6OGL?pg^MDgc#!9r)mw4Hp)7GSK{QjE#|Gb>tTJJ+nIA+?5R2tI8e!pHI>BI
z+CXgF8XZc@A`T#ojiwfomyiZ`6HlvPpx+B6QXO@<*w<D)%$4i2E?P&1dLUuf6wx!3
zG-tY-g!FOs3_ywJIm@eFH`7-euGcP2MG$klnNk;*2Tge_+$caN^(M9rWWLsfK0iyY
zh*Cq+V7=4qlS2%g8JBbL){YFP;L6ok2wD({d#;Z6I^DE>AW0eXOsUAd!hNTm7g<YZ
zT=Z-pf8ErN4wtRMk{D|ut>_a!ZsT#6T58;bjyJd5n8*#dMUq{_@p_@^5a^YnR0El3
zK>yx3jEpOGy>bAIWNhFmxRLb)9Hj}|r~$F3eEF}D{`=iQUtvsXzaZ2dW|X{wYk9_z
zmT)_m)3$R>sS=Hk6WKO#EF_*N7&wkIUQ~l~TZ34udDgJbudOWc|L|{C!g1o0t8zFn
zsG!P1{4=SBA6D#s3Kr(l-AcH-E`Ix|PG+8MZXNB}LJfRNS?cnMx_&xWTRx9YPUd3y
zNK5vd9*t>7QT}vdB=6vByDko-?bhA(x>n{?0{{r`d(?)ehP$5D!>f~5s;l%yalM}{
z_0^Kh$%N23E27Tj#p4sjBCK3bgEp!iuyh|NHKywI7|kBma7;%_`S`<N6mD07D8@&j
z72LM{G@rrym_-^hJ}Cz_{=x!|j7%ddG%#q5)zxzboL?)>de}+d$UrK=R{Pb3V6t5}
zE<48#MVt5mIL31e84N=%RK-iri-S_hY{t6hqgnOX%zU%?^_V&W?6y#TtyTak&P|m0
z;z86{wq3YI#%xWOPa-jc&EnS57zq7lYag|_Tb-N%VPacn!Ne1Az-V&Sn@P`17IEY$
z&kIr=CCj6vR)U5meY5DU;i}~N3xWyYavD@<-|f^EGmioW(fLHd_cDJ6kug>loHzNW
zci3AEZHCJIR`0197JoZeEb6+;t+kq9g}>CKCA%wirWQE2eJ2}R!r6f7O7XAq)in!;
z$)2N+SMf6?Aonx;u4_e34ef7&V@$WlD*DlGmZL|0Q)e+liT&ShzB%Rwg=>KCwn$DT
zu!?OWC_3Xc-#xub>L%iyO)!T(sl}Q{ZiiJ!9NkjdI->m~SLN$npE_8G!EXT8ivw72
z=%79wvdFrOb{-Pv6w=T@$3c-G<-fBp%_{+We{Uef=Sj`y>6cMx<%$pGEfu!Un^8H#
zEN9ujf)qFHtkA&L<qLvyu6#EdjEFuWC_K_Mu4KXJ)19>rR{&56l6R1WbN(tOD6h-Y
zVL%zq&FL_-b;2rrwKHJpQjh*hdln<G)foQD3Qp_f;)40<$s7wCSjnzud}zr71p*K7
zCqG?61_1VTiW9M3<o<?^0dXV1@bUYo&nb!!9{gM+CHxMclErMo1mHL}V;|mMy@j^B
z$n-lJ7KcQWjRTaU0haFO<FhlN5MX>8lumRnor~KvasK8n*ug-v<4s^q8ue0v2}X@v
zj&W>}=ez&xdFoRx2?q<L=`SfQ$QZ!Rk_xj%z~0Mu`yB5#(`{^U1eY$$jUr8#rC%*6
z(sKkE1SU28`kpIb4FsI*Ck$6a55q%YmuPA-mJ)I{4&MG&-_UK{56p3<0sI*R2U^tO
z`Y~c$=v!wrw{tC;2mrPv>c*#zF-afVEPzD6I_=KYc>@hUPK@2W?js?FDP{sQh;wnh
zlGi*QXOvAQqQtVGEuZ5{y^(--iLQ~~rmD7}-zWB!=dFNP3QE}pTicV|xKwYy^Mq<Y
zU6%GKC%kftkP*6RCmDFl;yWW~tAM1|pH_Yp%G~pWI%rHQIRRu6bqvwfM2SMn`q!8)
z_fH!%qjnB3n;O}+O+bpt)>oByx^!`lgG~OT?l!o)tsC!_qN1Xjnwy)S@0%XG;MeDy
zIs5~1{#SG7YD}fr_Mh*GI1qZETM5go`KY9DQsKYIeJ)@yqM@35_kBk7yRX#xCNs;&
zibKwI!X(HcL95J2`c_~4)y*uTI61maxo2@}I%urZHKR2U<XhehD`%%ztnF<I=)vnE
zs+1|LDkPwF9D`vJ5K0U}o<3e(B@9Bk{F9o#Kz4y+4IK|pD~1LO4<*T%)oqM@X#F?u
zRclM#o?+^Vc0O;K3(m45*!?YfM`OxNf*_=5@MgN}1ivGYqzXxVJW#@Y&6Qiw+N$|C
z!oX}>OX#g;e!q8g(L@zd3XgALKM8313)3Wr0zkE}oK`k2c2tg;cg{nOQ@3Z+$WbDM
z=jyJMm>t4+@dmCEM%020co`Y=JhU>lw9Pt^aWm4n+d5PChdEAE+drJDW(gl>TQy_Y
zxIm?4BP}q=lENQu@VmYFG;l~00=d+6fPkdNwg}(fR^aCkTx9|!Ul5Qd3g;6yq&^CM
zO~Wzt2XUt7e3Tto(OYr|)!o8}#ftnwi?OQNkviJfV*)fz^ZhNgL5e79YYL$D0;loc
zPb~Lr-yt>X-vFuST51>=8irI6cFTp=&usScH&Ccj_>GFU2VeX%yXVkAj|mLAal4t<
z6qKA=5eykYHksv^JuRXBK8Dy~sLd!;yv42DJT@xuT%+8xiY>uf85a(U$AIFm&e0TI
z(SEOVa6qk`-VK!D2qYadYbW99vNArAmEEr%Mmd@l6@Rwfhg?6}+Mjnd^}+7W0VIj8
z_ALFxs+CmySjGx&a3FB{+^264M$_hP=cP(8QV0@sj6{<V9{!%)={=u9pAZJH!p7=*
z!3g^mpQt#s?;u738)T>&pPW=QO+^0xa7Bu}zw`68qucdYMOXI+(&rXZN=oYGdh6qW
z|NDSGk=UX8#RF?#ot~*LM=aJC6$2Oj&<a>IStkxV4I6^}ASjsv+y5Gm4!&+^56l1+
zEhnu^_hrXZL!@~@9*fV})i&E>i?^&}$nlq>5vY|Pva~%$AIw?T4C}y;Ck}gQ*oAbY
zbn3pmKbC%7Dv?^4di0S)*sP%U>a;u0m_<#7r23fgcV~q>DAb$c{JVok0r8(q3mo9E
z%^<(&d~;PGEW<W6z3soWc+<B`KmrNB%AEH)1tF$e6%Kk0I>m}0Vdlin834L1ot>$h
zb1ykR-aq$@j&jb0?GN5m?)(f~bn3vQP{?S-ORXDON5@ahA6?;nr*cogg;gru4tnlp
zcJhYQkvHG*3Fo(sCOxfk!G0CrtsWSKeA3>FQ$aeNYj=gF9bn~ywk`26&aGpNd=7ar
zCn=vS=r3CAEUl!QFsE2$8Fytje1Si$W42r)-y4(DZazh)SP=`N^Kb9`N&MelUu3aK
zlyV5Xg^4e%jMpijGtCw({NPZrRr!-jeYoEeUOYAg{QVjMNyHh@TsM%ADmvhUAW~C?
zDPtBBjt@@#O%bU_!%?t52o4&!)go#63|J>tk4MP~V>4vhE3eCKDZhVdXhMUiU^I6Y
zl9W!Lhmc#QYR9L~R}O9d#i_jR2h#^*d-~dtiT?wGBMep5Mzoce>9>hTS}M+i9KfYs
zR1m$(S%QK_a18RZ)?o_Ni4Fu5fY@YB-&EDrY~7;Cx!i2M@jq_=NaK9p|H+oa9;;u$
z<|y_!TU7V~_C|rXf4*FMf4U&#al1X+oy`M$Jf1zMz$;kn)%}2izlX>nu?ThI!E?h~
zZIPM!`?xg`pFd?Sx4(Lz1PJKIr<n0oixp`7G2qHTc@2ZN|9HMS7>VKk`f<7)3`5o3
zLCW#86#hoUU{oxO&A(9b+gGvV%vJEaz1a>K==lLhKxI@s-T9jjtd$bi;~5mSGEv3%
zbKbF-Uw{Jwv{`ZwfRAgEKMT*O?!GgcnU6sHiGv3Q;%P^*St?iQ;5S)Gp7KhuSwsTr
zo%ljB9FD~PW;6_jzhW?yICI8i9W(?IIGxR-kjw70T&c#tX>mN6exgok$>dN2bb<ll
z7@RMbK_U`tzIa0-;H}o%MEy&XvVZ~Q6920S2L|et{Fg(;5&EwI0h&bu^8H`$EhO7u
zB9#(>O8@rDMvu?WaZ?5BpcIfmDue!TG(PuJ0r@|V(mC#*unu2~<3utoBH!`*&_fqS
z)x+gY3XlN6YP<8TZ$zuZPWFFOzplZ@u>k58jrkh>dvP3-<DGI*iMQx~y(BleYv{k1
z&pAwP04^7PoY4$$yRQv5WoyTitD@G!|5I$~R&=<nqN6f`rR7Y)rEMeIHyFGiBzl9~
z&2{z6<1R39doe&&OtTr2(65rASzEwerII%TB2YaV8r|!lpumt+rVSVchZ6B1!?@+y
zg!6RP7s$q*qs_Lu->(6F5&8<Yh8~vri%n<^cV+euUcL-ynnGihkOqaASa7h1=0h};
z;1cEf$UJVvK3pmheYl^Pv0+dK71F{XcS<xIA|e7jJlkvfoPaFW3P)=v`^=Cp!n`?N
zm^CFFLojWKFi9Nz9<OUbZSLz>1>%oQ=qdLL7G9XJ+RW_e=&HDGWqMAI{n&m|kOe&+
z)Lfd*QiBq!J_(pE5j<PYNTK1aPwKAQ^uEQHJuyBMapo9uI9W%*x>_-ewDO#|xRnxf
zo7UCSS4{vGUS8~&fDeuFb)wJL-ya2F(C>p0a}s$x2Wsvv`T7eF0Nw<Cnx)KQiQgmx
zjCKM&3iLC%j4cBAX+S+Chb~#K`7QnwS?$TDMiwjLVNhj!@(k_J4VVGcUQTsSFHfzb
z7o#H~{$b$1i|CHzi%%IWqAi!7_6Af=7Xgwuam_kn2S-@l&JQ_&@TRxf?uN_J^3j;z
z^>+8rQkcIs2o5DIY`Nx@OfB#mLyQr8vsfAkaHJ25qe<R71FDhVBTvQ2utU^Y?%%}#
zbVo;Qk6px0ufB^f@O3L;yYvud$PR-_B+9-#JL`5kOv)(+H@CJGImE;vmkS+y_{E?b
zv*B<2j0hDIj?oAMZ2lHbTw_?KJ+8$mxst1*050O1@u)c(+|_(>GL$u>nVs(*V!nFU
zWW+G*n*v=c2s|t#X&N{qxJwXR&^|0&!%Kn=O$8iKbl@Qpn!)tyg_et@FYfD$jV|`(
zOh^0u?|l#d8S0R=yUHdu53gqpOMbA#>P&)3KGE#a{$m7LiU&eqEweu!wt`^uQ|{!6
zE~>`)j2u6U?Z=y7(+e(s!i?Lh`$3Q|0S>U?5xLv&=DS*k*;C?V{crE_{lnx0@KJI#
zxTz_UgZpz_I%uB9kgb8Ld;80G6;cc7%48TZuExxEFC2r}-YhM(ZEBQBF>FWeoIqfa
zh6YQi(!a9_j(qlsVr~1X0J)j{5gX@HoI~gZByYm({D<GK=2S@qBx{qeX0$!6JQs|}
zA{AI!=+GjLj`-NhOr3t*v_8^pUf<VSaiZk$qox`he1#cG@m&Y~p7v&XsFMS&7<(XE
zlPBa!aCFDQ>=c*fsfnN0*md$WnYLjR+ZT4LVtq-Z25CltJEXiDXYk;NX-C>1ZOSC+
zW>oqpHW1>UoYqWX>Xaxlh$|z#etUojjrZ|{f!6}XGPgp?OVmE-($_^|kot|?u0Wx^
zODAivcfSHx2M^bVpQ%(tVQ6!kDmY>TAJjx2r?<uSyQ7emzek<oBpIa=Bzla%L*WOs
zg6=9$t>TPZnwS7!HJ<4UjEG-C`j#Nb9yx$Zf~zO=VVCLO!VL#)eeB67N?eQ-apNPf
z{#!TuuG8&~p<={Av|o0N6JlhFcV_m3UIdtfgxMI-dj`*rpH&NHlq0d1$D*=mHSY2>
z3UDiqSydwg@dMe>eXML+OZ5CpE;^inxEE)Y@+3)7c3)L$LaH10Zc4sQ;ac+*9n|sA
zz5lS&<y!+GkB1vYq%F6z)ey3H$-w6|vvVop<|GFwwYI%zW!<|Hl(XCYA?K$d<{a4u
zrbKVri7OrX^tS0>vwEr?^pC3uN`;>4&w0R~UUGmA@m!^{Y{c`SQMMciP=70P{C)PA
z%m%aET3A?^eVp<MBpW_SoA$@R$cj|gC7Djp;p}FH_z)0fnOL<Z-joSrPSs_Nt9_Og
z2iV~d`p@Hyx5fp%K?xb`<4g+9ek~hh_1AtP`GGh%ebiRr*X@LjPdm48;RtzceYw+3
zG`V^=5|EqNkGjoB`Vfirw4}78te!lyI@&7?(P&oR_*E>ftEnaPp26_I&>+yR21_B6
zwe%4g`En>5T)rxQV^ux?p$N5u8&-Qv;*#!YuE?GPL;&qC7&B*5&8knel@llwS&qZo
zo~jf9GchqS9T(QwmX-s?w9mI4S=p5Mp`67O?f~2;C@zAZkO*HHm1L+~XiY4EE}bf*
zq1J(i3&MxGGF0y__S?hok)rOWZHaAY_2X-PUsuG}9TSEYu6<uN7Sw?nk>`t?_jWeb
z)TB86VwUw|12oVp27=W&S<+;nq~9=+^^4d>DGOz(%}+-TUE{*gABkTJ5DyyKM4s2`
z-J7jzS(&kama11I>ODi*@cPq8xxd~9>N@!nRQU23FNR4%5q;rDA6MN}F?{Z4NyLlt
z;{27EAR~W1OVq-v7YjRa-u4tsD=9F7YO<Maq`2cznITz{9ktacfubvMiWIhRa$>c2
zEEl2FtJSpx-fOR`s@ao;!f`h>%uU-3egB!%<!2IJ|4rEA(~Rv)6eRt2meU}=Ks%IL
z^ylr75uGn|6<W@3?mC3RRnaRCFI%j6CC>Vj7R(64+uaHx1xq#>OB!|{K$*68MUJE+
zgsL4Q>G{`L{00JXm8-S_X86~omZ;>(G`BV`{5ItMXv$5vqkkx3{fe$`=*5ATmnYT~
zwQWp^!Q8*CXHa)?XdAeLVEtfBX>JMlMltILG=Ou5qv+D0$Q^Iib+b>wx5Ff}nJ-2$
zA%_U`mPnsHZB0V%X4p$!DbTV7?qH{`Bs8IVDS-*tO=xm*-pDkt1`CdAH(xGmvJYTL
z|9Kpk+r_y#E<$yWq81>MXA*wTdd|esEyu)$1h(W9{;2u2v}}4E8y@B8sD`&33?SOo
z?(!^M99;%~NUKBwqKswMlV5bt2R_8u>S@*_ya2J<Pi}E4J%Zc>$CW4Zc~MM2@y%pz
zlrzRiK?XJ)eHCI)$KO3TNa1(+mi-8XTC)q?9WGcYF$5=2Q(`MAMus55n8DYw;f=U`
zDh_sJwVgzzAw2zYhAN5VT(ESH;+}u)J4$az&^ZR!5vuo)wAuVV8YkXd<Mps*iQ;qP
zu(O!kulALp;2l@{!&WX-MX?7f$G!my+$L#n@Tba0`YCT1?W&XiTA!%tu9x2VZufN2
ziA4bq3izMSSKnZx0he<8&#)G{{F-L>jsopq)%&MMV2HheDihPHRS0vH+$bk*eLqny
zhBMZ`!}ELQiM5!95oH?SE|yyj?lLq(1h~l~&9Cu5j^bEL|CAz*_?Ytsnv)NK!}kJq
zJkOFDGGq&RcwhGd+{M}&J1dpxphs{FMw{{cDY$r%g1I$woO8@|tsh_4+)SLL%@(W>
ziiih}Vh#I4x9u*FqKOxZ<?#Bc43|r9BnAU)!QIbQ=vhTk`{4DTf)}b_eDr>KuRAdg
zH#Gr~)(^OKCZ2#Jtp*%-{aY1eBkc}XAbQDWvw70pr}P@eX*BpD+$wP~ERc}!)9}$8
zbFfT^UHI7L4#S0NiW(vve`Z8@CCDgJx(io7m5%uqb+}H>N4ONN2Isso#J36Wpc53+
z&_VC1Hg7sTnVyod>5UFvB|Qy2Jw5H%uL0~uj}^e8h(^V4Se<7^BoIoO@rD~++~lO&
z?C~S?xdkxxM_vSCN-(Isr1gn|>(CE;e<bzxTIUNSY%kF-VIHP8zY=t+W|Mi4Oj7O_
zL^3=WUq1&5*(Ph2-K8S0?>z@seQb#C)#Gszd<F5r!gh&+juvVjex6#xk?5?Rd;lKI
zfCSKmZe;`3I_l^yuu|=hkh(v(tdrkfN=_5JS>+Nj8ISEIJ2#l$FuPW2{n;p}W7PX&
zmHzLop<)2XuayerFXUDFnlfqUp-m1j3Mj<Vgyfg;V>`PL_>kMfNuL)J(m70UHS>^X
zE%sEK3t=-Z*YhP8IUqb#a`)$@mksT*W_%D-_D(ORVG*wmKy1SK@?roZ!Y)KesQtj1
zfgy{h5$5ykTv+gh;RLZ(!-^a&DIUl92rJBj<3cEWh=5>>kRh@*K(D5&6HgY>H<g&r
ztzm1R76BlxqY+5#7D*d2s@TnQ5eX3epf(;ct*2NSSK@JX%SEFr|6s=N^Wrd)jFFyF
z=+Rcfmh85N(&t1*s!*ki6e9ShURGWf+u{iH4g}5(G(CrX5GHyB(?nqG`7xP!{~kPW
zxSLS2$3lL1LeNi@CfeZ==88J)U&<nUDmIM66j2t#)Xa+M3s}s{V)kkosWElHnp!9i
zhPejfkz{vlxCA9(4j(q@P%@vUygm6Zu5k&W{L_3nBS!Sa#a1rruAi>oYCx)?s*_1b
z58Lh`LR}JJjYUIMY<?gx+2s)G<fp2G^^}C*=bt&hp%ydsH%fzpr^m6_8^f>LCG>U9
z`9PWR&V|=N`0jYGuiD1YRYg7H+R%fpz;cBn!QlwWJ$~x#63J+oKc2aehr!B1Klyn5
zz-EN_-t=+3`{D^HGcBP7a~=KdxL99ziSWo^LxmwmXk_{2<)!5i)?hAOLIGI}Yz2YQ
zcoj>c)gEdWNwtK5@Y;;cslzc!FdMON1thK?h8+RHwI$YInH2FLR_qpaXzwjr)Z^Bn
zg#WGE39{A9P5SgL&&Ivp-Qml~gXn&lSR*CcSgr=Izd_OgdZkgLN}HVq-l$`*ik|+m
zXU=w%RU_+2eJNWM5~-Ekw}ww1L!m}$6n}%0*}{p-er5K&BB5*S-Kg*~)#+#h5#ta3
zlcU26rL};ocdmk^b31f5Gw_XWVQp%04Sv3uJHt%K51BkRyyDj$1YWj@mowMMN-==t
zoYrII04WVH!cEFJdM|oY>4%=+g38wyY*R)x#-(r1x@EL_7TVzg<%djH3_?}x-j(o$
z1@1S)AslAl$n<7HSD@Czj_h-U6m&mz#)1Q8S2_HvwV6GIT*I^xLq-h?FBq29R?Dk&
zuD_{bD^X3D+oSl|8VCK1;Pyu$BUwis4gPzuLXiHf=l#W&JKpnW5<!0?8ovY3%UN72
zY)S%*m{+a#lpwym32ufLc6ly6XjrSxvkm;OIHS%DgurqOu7CH|jRxmG%P3^%-M<9`
z$ri9x=hC#!-7=x_<sZ^l$mxEPb8`7tIPOS{iZ{!K7;NwB+Lv4T^$QOh!I7EHm!d<%
zo_yy>$G4UPWE&Vnt;IR-NIhGcw5`3pcL?MKC{G><g@)kf@I|<jlrC~`s}#wBh6T(<
zkUMsiPQ1~G1fn{n2J%UQ(N<^Aj)>&0g9CLoX91CBY;6dA8{)uDi4JUZou%}m2l|#A
zif-DD%60`X`B0S;ch};vbp^fk6%jco;?TPvD$E2O)8w5_%zV?r*rQB-(G6t;0!C~N
zAluEYaB*n0G#>SH!_R`nHhqBchZP{x%expR-&94y2~lSAhn?&Dt9OCH0peMdYjeUR
zoRqj>usv}#<hYeSyX5Zep&*DLZk^zxy@AE^nTBrKx<88mhJx&>$-)$7#!Ge&PaGer
z{z~YhbGce)=o)G}qx5#w>$>Y^gC3KSFi@s;bphGRa?1{se@x%)Rfl!}!G}1PH9k!p
zP(WLa$97#q4uR4~h@X-<^pI0%Txu(acZ3(GF-xSO^n%{zx5GP)_qHYni;nak1mko2
z_#n)!@P871FZ=+X{kZj{AZsx)&Hu@ggixJT$EnCI_n$dQxkE9}A!8n-P=0z*E{g9V
zUSVaVtSG8t2=)C|Y%d?rb`Mgf!FXIWYS)0QywhRCK4UzjPeKoJmDx)gm{U#Umw<7G
z^l_|}-7}6V+Iumn56-PkFPn?5AM`LD=_BQ$<qi-3K4wPUN^4_9FB;RKd?mVOM30gq
z&^<Bfl^05ffVlU!-^GQZJkLUt7$muKa;~RG_{<^-;yF7%{P~^2woJ;!%Dw*5SK<t6
zdY>vkO4i>N=J$?;c{?RAof#|`r~F$JiHF*FzwZWu#!rQJwjY|r+afq{v^@{IPMkz3
z@&vM7aCBvexx&1Vd<+)$n*k}UNLy}U?7yI;2R4L~!4nUc;EVp}ff-@XH-HE#%1;nL
zdHW)`x_N|%ft>@z7ZIS;bbhe$#8!hFB9KP}74+^IZSb7?CLMoQ^ncBr^<Nyly1*A$
ziaW)jIBjuvid&(yKyfItXmKg-6nA$h?(W5{z~U6A=(0F03lu4Gx9>Uk-gEzhn_n{X
zB$GUmCzH%4-;BW`8J?Giw5jtb4BBqOh>!KyD^^6pmO+BmPjy<Eh~^Y|{pQ6u@m3E=
z!N0VH>Dk9J6?y?`mw8tys=4b8HA@k{IXYx|(~PR@*xj9&8d(;Ydr&_?kKZ@te4lS4
zip+70B#j>Z_cq`AU-&Sz<u@e^{2J|4u`pHlA&Uum)<fx7(|q^>H;h;O^nSJ3(FfeN
zGze<YQL6W21cjpRk_gm2fh{zIXzooMtMz@l=66vM-R{EMDg2<`$pa<cZz@yywZrf|
zw7;!zb$xv!g?}1`fAc-4CRI<<Zsya~cbxQ9T_**tN`qd!knVdUc}#Mj=eg~3t?e~W
zW%+AD+w9zNfnEM%-^>qe%LC7sBVQWKVl-wyaqz19eZ|tBD-R@d!~qKadWv%<)TRDh
zNv*<jBf6E#?P6mT{y0YHnN}97S?sq->7;U?&YCswzGn^#CHNub0_`1{%7YUA4Nm-t
zLhuHA5#~&J#XJ$hVD_%J@ip??(S;VTZnwmOfdJz%HWo8a#sDXr7^VF04DK{R+KN;I
zctKo@8zYMTtpVXcT*O@HH}`3yq3_Gu@*t%<P)_z|A7;)pa0F(7g8a+~z5uO2N){MA
zs*Kwzu`WgSI!Rl&$r%*i^c?QdISvv*b;*<2SC}g#N^I|3OD+q@x(bL_@bI$d;ACJ5
z@ldNd3bU7**^+vs+p@Ly^OCNcTTCYmC8mJ9ZF;s%m_5GZ)GkKD!m#yPHHe6vIVlU_
z&X;cKoX;+>Vq!2Oj4i%)Bv?DWib#0mV04xRiZe1ZaMMp`Nvncb{t$ftyhRV67@3g6
z%)o~Rqm1w&F^F(X&k1MefOkNlZ5x-y-Hv6Qm&cu6<?<sqz7PsxO4!JPhbS{oPdi_#
zqk}*(Y%tp*;r6RjK_rT{o>$T0yn2rU&9`!4$NTJ?_hSz!ChW{{X_<yg9r+n5-?nHu
znGJBL-g(&+?VZ@DbSn5L3*bq3(FiW&0qI_Z$n)+aefyBn+4)mQ1jB7LX!4bzJ8odV
z=#L_2XHTwUs}4#a7Yvm|&ZS$_TM}ej#{vS=jWg?NNn7c?^V4#!VtHi7-yp+v{x<Z-
zCsX)mt%2_mzEB)&KV6cuwQO9>o;fKJO&~CP|DZDxY4_WQ6{Er3U6<K`hj@zL#&w%J
z16NyW9syL*gcL;Yif_<Lo#4EL3|-;Z9HBVTN-`AUX=#(#%(TxT)a1|QE=uZzZmGUx
zmkvyXa!4IewSAaH8C_bPub@MKTfV%6GUoubsJA=)+R9pRGk1k1Hx`AB^r~&GiREQw
z2aGlJ+l+G#AfCJpb6QqX&gdn}&e>rQByR+|-a>rWjg{ALZ0V8!78hh4N5R1D_pEF1
zY;RwKATVNh2{$|QYc4*HEb_x6RXjCiRT#7QC9Ww~L3%_4h94-c?y?H~1-*}trAQPw
z7;ng=G*p;j$O(p}hF&Ow#$30>GlZHrU8d$hP##gO4z8G|gBgwU;ZnWk<YZZi1O8ne
z-M^!j_H5zwI0n!RwNg%qss$s_ZtQm8*6Mq?q#Sj~U0?io8?$L`F7usm5-l4NjQR;R
zgdsJ?wr1i=JGpiAiqv5|$W=kbQQ2PCZ2<CE>{*i?z9wZweh+=s?CD>B_9}0Ra~$_#
zcs=dt?jb5Er93hc>NlTI{_5GmQ-6j0e8pENX1DRRq<V%Tu*F$rH`4zmZKHhnsN!{{
z7VZ>qs1N^!%C9pwMNUb>hzkP+8Sdp4niIIv;4IMt!4M4qAZt+aTMX#f$vyP$=Q`6b
zqf8xh-#d1^P93ji=N!j*cTBFmQjuqC=(mLbMuTjU)LSnNk0b3!rk*(O9=a782|s++
zzMGQy0*KVgLh10dd}O%ns314jd9Jfcf!r%|rnsDIUDMTFU=KQ)7;?3kW{4Y+811la
z%T)$$APaCwd~dScy4>wEz@qXurvc-kASs-IzK*^;_*`D&uyA@tg4({u`_OA3kikrm
zrzN0z(k)JDal1qN6b*OwySN#e3Y9;re6LvUn`x(Ort9e`XRfOpj|HUF8=X~qg8v#*
zRK1#`xT-hjd4u1uiyzVp3%#>cyWOpR$ebgh3y#LMHS{mHyXsyc;R?NC>F2>izb9#J
zs^8o2UrTCUoYz#f%PIFx+I&xC7Rj`lWw!g=cPyrQnS_F-VGF<edFa{W!SbErXSw<G
z-yrYKUh<{!VS-eB+#c!A5;_!RulBT4AV21E2An&-sI_$5Jf9$P@ovb)r=L8FxDWF`
zxA!f9THF1K+$v(9{1SIey;w7&@}(E80<zaw8185wrJ9=O&&`Tvqg-hbf5W?ZL%mPV
zK)G6A<2NupI5{f>MnR)RvxpjR;#t)i-P49)H55bykR?9zcc&=DLre)&wo_o!iIInQ
zEgT&4W^ORy3e34*5kGZ|Og!ycx3>)(c~MZ?XTN`B5uKa3clMKeKC4b<jN)T8dE8=N
zU0cveC1Gtsb+skqEPD-KhlAYB<%;3P{sAXPV>BHee@x|;zUQ}wi|Q@LviFBVp3S@O
zRd!u;49t%rebcl{UI50w=T7m>xrf6W`X<sWd4+QUyT6M4F6Js_ZmlqSd`+Je`}|dg
zjbY}6B1h~6U+niTLCrHbZN=CJElh6ayN-cliTm%Yj1f!Mjba%c7sDRzeSzpbg#lqr
z<jYEf#pu_gA8U@%pH1MAIEnC-M}vva*wco$`?RHsh->oBEWD7&yuwIE-A<6J@(0is
z@J^i#MVZ}eM?deEO--6JzFEC{^kAMu>HR>$Mp3->p5Azrb7~Kqz!7A?>}^6}ns57P
zG<+YGre{wJzad*|zS3JYXWc@=4C3NAH*dt!n>S$Pg>%!iyU9&aiGQ*|f9BrC&ygj7
zrcuqmDO}`TZi5Ft)W`r9SKUwz#Pa3lvMsHVomLratZpj2@6aUe$0R9L`z|~zUr5Kc
z;AN_^4L``p|A`gfR&n7@8Ei{fV5|Bkjg@@U1YgbA;MH{~7BZ^XJXP-wz7AxWKS%?v
zS;8MlxpTh3m$dn@L|g~5ewEr5Zu3>D|GE*Xt8yT)U+U87DBzW}ZyI5gdK7X$YBftu
ztCV4%dd5!m*}*kbN8q#Ad#(0hH5WrxBe755I*YmRKo^7B7O#9eAz+A{832=3j&<4B
zX#~d`orXF5`gg9b_%x^cmrrvSOQ|Xy#cG`ollRHH;e3)ivtKJl$vw2$^;KM`&~EBJ
z#Dr?=@7fDd;!3gqYHQ1WRoI&q2<dL*wF_MA(zaLMTaor1iHW%ReKd~MOsB<-6|}*S
z!+LQ(mG^XWp3erQYiPC%pj>Z}n^Q-7$L=y}k9S(rn6I}3o}2N}hV%$)aE`;174Ue`
zt~pxt6C4!@qDcS9)UU^K+-9ah$H>rN`gI=|4vXO)^lePWw(hlA7=db1o)9J1#sh8K
zK&-6^gY-~x5KMPOj`vS$%4^bn4!_ry+b~5klNkCon~8?`H1(C1@88o0@?-1_HHSh{
z-knrolm6t)QQ1X&ek%J?QW>;!czNVYcM3RieBP<we0if7k0GeN3LpCOE0C7nIRkxs
z7=t-QWl|&O45ULzU*>Y6IlqscJtm9B>{*V5SPD#@`A`*rZtoQbRg9-7a;Hc{^5f6E
zW4B=<i*D%0_^gZVHE~SBxl5H)8kC>%N@s=5T{rls;kyQl$yG>K(gSHOhA+lTgru~E
zOE#7KL}nU)@BcWPycQI6>tOG4vNY#9ST|U_SfG3f*=Tr_7c@4@0S<E?m&5L5=QYN0
zuKmz!U{!1FV)ij;?qZl!f;uGNnnZJ=w<WQyr8_QRsjZ>B(hQN~hXnpTm$#}X#tOT4
zB`*gy+#OFm#NN<%`G0nK`8?)ZQOY}8>Z8_HJU<V25e+Dw=wRfnX*>>o0p+EIHRb|)
zySK(X`CDme=c)A7WC)La2SM2MQgVxM^A}H!YwjDpeKj`)uzL>E$}7+Dw)s)#j>EG#
zXf$iFEBy_7yyfI337eY7QL<t#$c6a|+DzdNg-1O5624kR&B4tdX*ZYQ$IrP=6htee
zwp(ru=O$R@ZL&N{=}58}pnJa*)^vA}VmG%Qdw!YMDd0%I8As<8ysh}*?O@0J$d%0U
z(w_yH><rQ>hr<G~BT#Cw%`6Hu`CtM~s4w+hYkOC#e_4fvv7JcB@4>Y%^O;p&E^e9g
zFl~b&wFaN;BicENT&nJGKw>!n{Ix?;j<md){jZ4^C{izPS)c9rG(H1m7RnSBF=3!-
zZ|`(;&1K~YO_6nQaawq^39w~9-1K#p2QP~YEuWfudvhyHa-<d-^f^c+5wSE!<%s}e
zxr+s{iyk_jznF<kXv)$G3ouxo!bS^{MFvWsF&n?X*7^m#vOdJ~%7V7vWeASl;b0#u
zOJwiPH`#q2-u5AP$wJGXj_*I{+U*M(Mt$H-75#45B_4l7GH0rDgzMaQ8?x|P4STiY
zq;c_uT8S{gqouZcjl9WdYB2s)l0D;kT0a$EMoEo5!Od)Y<rV%*?AXNjJx$;JTS_6a
z8h$@Miy&4kQ|5?IiHf~UcAHC`$!`OD8Cs5S=3O}eR(s4t7jY}8J#TA1|0uI$NfROA
zaSpJIap>Y#*+@E~=>B1yVn;VE2<>1FNFUO!-2;pDQ49Q_3#sKyt!gz>xeeMi?oLOy
z-N7HDBzXOC_S@Q}5McwS+0u>rYEn3AYuir_GIwU71qKhb<8DoXP|#J4Z5-&U90_%~
zg7u>y?zbe+9DZ2(%W%-OL%DaOl@k#(jfcV+Ek>hDD2vSz4T!sqPp*wSgDxt2h~n{6
z!M9#BL?}cb9)IAG8yqbYAEaJMu>z{7F2{U!L-L-+r&`W%-%We4&bi*YJr<X4B3{_F
zjW_dP%h>FLq|IuHT;kV2LHKB{m`JuFVshb8aC8+SN^I14`=xN~Io|E_*X!9zGV#dx
zM~hQ9N$nn#F61|5_e@|fj9GTk=b7s?bq9+0Lah+)m=-6U0+RXJx@pS=&EXCPh0B^W
z{p4nlq-Te7J?HqND_R!rH_<ngyE+pUURy)wuIM)+VIGnv3pBM&^55d|Ws1XUne%R@
za}}p>fhLom6yt;3zjQ}pk_unKAKqnh0v?;urs6s@04lOacUZo7&xIh-6uC#DYkkxn
zg6m@!U|fOQvpzaNYA(OC(@Uk_5B=9Ef+cSjFQ-pqL*N#8FS1{nqAyrc3chQe(iu7t
zr6j_5#O{OAr4i`4p5TYpFe*Pg#t-&PULpxT)P4E2_5Qw%l|a}wrr(Dz1vlXBpB3;)
zA6Mr*T}d_W7U7CT_ZsL!)thU<M$e8F6}q;z&Du)N7L%ixil6gaBJD!dM$QB>11Nu|
z))G`f!`eL(N&2GN^xrN2e0934=jAqc+`Ec+$F(k8EzqUyZb~(BegdoVqiI0Lcb-Z-
z)K>2K?JoKaEq7=KRtT-o;S+82ajZFs7)A#2y>hboVft|5z-o0<Kj7F|sHsT07pknA
z+p=*&CDahUY#%Oj^PGcxx0CC}7)jUd!e%E^1({d;hHv{WJpNO{h%MQ-4M>NCzkhkM
z$|&ft@YgN2Km83`(R5X6P2l4S2#<<3?78A)?e&7JX}v6;c(y7UM^kk9iOflmbbIkk
z?1C7xv5xQR9}QuGnPSpajmrR)3_tg(Qh7@q$n3+g0Eb0XL8E;1_kjc1rz-1*WoRPE
z!q2G58UE{0Q{A)>dbw*QAQ^5a>Qw{D2gD{enDSIEg3OQ;W_@0dVKAfaMTYF$uQAdC
zyPp&1YqIBN+egR}X0)+W#-ZZIHs$XAqOP`)Y6q>Q)Sr@nWw`;_QDteTF)<*QkC|q4
z_;Lm(wmtfkE-w=F-f*E}?q(X$r?OioSAMkBW&_^7NigUX{S^9Hzeap1Tjku>^>g6C
z1LaCCV`(ME-TqkhgJFsRA00j`f9a13%MUepNDzFj*H5HRcMal`7;7j@`ZtHp{JEwl
zTbU`G3;J7cMqRb`8cek5N&0Y@XtvgI`EIrC@*IqMR+ZRi47z{m5-1i$h5cChO}z5Z
zEI&%Ku6GvBw4SNs*loK}l{lhx)zMsI>drRYBYS(NLb!!2f!4=R>~6013bFl9`Rlv2
ztW)eCa<$98SMsfV><Kkg)a5p2UGX^OCeP`A<r>hDC>6moDm>iLgUXh3!W90jFk##$
z80W{zche{-6CBrk<UZrr4%>23_)$nc_$e<_tJ{>=!pKrhVaw22L6s9vn+b*ii4s@a
z7r3Yr%MbafJoSl!k)D81fgvlT&r{++{n*}N#9VzRAySPcp;7*w3U5__W5gpHr&yJW
zN1KG!QiIo8p7QAFI!}!FdARqN&Y2g==iA`e2};up+mcUp*8>M$8rEBzhx!8^K$>&R
zP}m^X1YAzWeuzl4q>I1a*i^;sUV2`#K%9W>r8bB#LZ$rUYp_Ok{UQko^JCBPui)QD
zid1N@Q3&YH!5;d>p0XM7b}7hc{%8A|cU?=2pbpiU{&AFTQdRYl5AGq9@*>Ui>BvFi
zyD)OIo*mXwsL&PI!JOexL6fAiSjC-(x`_f{DiWnD))ZcG+d?N<W@Q9w#s^Bqb6wfO
z@oXgJ)^eDvGv$Mc&V0{C8~@}p_PU947QLyAmuz_Rj@(QXgr%0||CAR^Tckq_2nb*5
z{`j+xRKUY!a#@)tZUsFVC~LJ(saUr1*u8Vo`a;w+jeKu;#5%ACWh}P%qm2AP3_QCU
zG8(j9Q9~C^zUQ;7Q3NmEb6*rRC-gK7soV7~SwHuoWB_%1h#Ofl=qd)FubwuIWB_wo
z(gukN%{rt&rtjnDX&dy-jpwO%*(k%9XQ(TinF+o-R0aBfR>j&*-i_Wf)0;P^HJ##_
z^c1Lz06d0+fJBqCfe!cs2PTXGiA8M*rS$ba9DjD&$ZoP(%oGSCTZ0(1Vj{#G_a|K@
z=Ol(USqe<sYHB3kCsLepZHeWn8deiQNAnG|!*{w)y><_Fd~|OHblMi<sM=S0v`$7o
z6d(HXtB|w)_&M8;ulas8N-Rjy4FQL{Z}dP%0_s1m&>;Iu_m>=59ns!kILVXmL{GQ^
zD@~U0tTpbVkfB$ugF;~KzHKLdL#$wpJpZQ&Fm6O-zRX4Gn_kz1`t3?FoMxMqP*?m$
zWVJmM116IE*^BJoQw@C<oaidpeN$3ReZOBB5&3-qnYFzP;_4pwX{UsL&!Jf5*$?j=
z;eHt<540W-GSA*idQTL^nf`6#<NKsLlgedAK1Y=Tk-%??I_|zniVY-f@-je0ob6;6
ziP?{zc`|Sw>=#e}lwenm@Af3~3K&AOC#cs-66ONKZ<0dloeL;*x79`|ei;j4sse4A
zSD@>mWvASzOc=H*gf_9;)W{nbYlilIzpuWl8A;b2NFC*)Nj$*<g^?&fsYb^7ZeLuV
zl9|BNMl*@bzkj;gZ?rs7M6Dwb`q2d&{gHMI6lk2uaPa#*xy)TQZ_`}uO(`vlQ}=<c
z6Kvi3=5~o8P7Dq^Aw6Aumi2X7>0QTZMUptSKsN=SyU;@iYiuJiOl=~r^DcqqMK`=C
z$Gpy|Ow`EngdYvJ56Uzx&e?Se?+QL!st%?M$mar>y@*I_d;GmI4{UoYDu?2T4(O!=
z1bq6J4+sMQsE`4U=>P5i6DWx5^z-LJVOPndL{*2)bAV&xXVMNkMsz@E4>`ESb~#dp
zvTjvKw-mGT9YyiD$`%f<Oh#<Rc|z=&)NiGCpqQWg>1R-0Zymm;-X}R3S6FKFn~Der
z$Dus#-qwSw7p2lEeuR&1W7saK776ka=hsO^c_u3Wcy_TeCq}&v8_A!rNJ`Ui?+}SE
zncATH53la5;FgdBma{lap|`a?a-@qG5Az%iBj_#$C9y{!B<abyL7|Irt|<-2*w;v8
z#lMsY*GkYJ8H{M5LffzRtdPvuV1cXjd%706=3Z^e&uR0skT@E8#V*)BFpr843s2#e
zN@Z{l3vF`H{c0{JDGS2NCVj;#`vPlxaXm{C0fY?EJIRDpT^Q=gNvkJ+#vvd~1YjV?
zGa@C#2LP3%@x!|nY<7y!r6QG16QYOXpsBR7d@f4J@tZthMTHo2RWZ+iAt8*Pk3N}v
zWuCl<#K~MPs1~qDm5a>Y#+)LD5T`@+L49Hm?-I9#wUxO0+!Bd}K<|N;`zB#ofSjti
zw=9O)+ay0Ak|V^ywvCF~c1=`yutX79{FEd*EWn&_4HD0b4NsM?=qv!hl3&LyK{P}T
z7?}`in-U=OwmymGol*@D^FF>HuYJV@#te&g9;8mJs+&rC6&Np9qPvwoHIir^C(|uS
zV;nF3Mc6n1TeNcr$Gd7)Dp%&TZbXzLkYr(Lhp91S9G=P92o|uEN`3ytbAk*Bg$fp6
zXEZ%56I#wQU~TaVmMmc3sKP)*EScfv3{blj!0W^A%1$=Td%Fh8#ZUHBC1s+JB^-Cc
zGEP@@rng>KNA(myU)pAttvF5s%2354ql)N&@C^{K9z2l**~pQmXqg^D5O=TJ{%okg
z2Q!`>KYYlve(6a{hH;L=IRZB~>Dh%!P?S#wGUeJf##`)qDVicrc~W%UE!N~wcqpbM
z>x>D9zSwy^ngNmZCdw-0;2YY{1YnF$K5BFw6Cu|CrWNG*FKn1$4S{p+Gw42q1I3j`
zEjBDU1Deirtr*N9P==BYWe$U+myo(H6ci~FDg9pFP8XBpbVxVPvD5^pkGo*y$5<X~
zFyTq3rXyds;|S=Qr4xvtw-0eBalI5_;T|K|A;xGMBiPe{a?_=o60B`<OR=}hlYNWo
zRXUI-Vr>zqns_PLcN54(_qV~Gj&RPwQv<2V7>B(A14Tk5Sjiqz43(N~6J{cEI0;NP
z=nLd%<gsM{;s}Z$LO~tVAS!f^K^)1ZKWEqV7gcqAXv)UPcGBTm*679&Xqui%Mxemg
z*JS3|s)TDh0!dZy^w&r%l%}cn9OofFE`u=5qMc*a6dR_PIS-KbceD6{MQ!n&8|dQA
z!o7X+sV`xX7OB>>pd_4OAvIDuGg+KII`RZGF@~Y%u^xlodbAz>EnhuXKI7DbJvpXT
zH;cxY)Iw2RqcaT~8?2!Xv@m~KM4`4r_Z8(xk-Nu<t&O+<W1SWJgXE{M5ROL=84n;2
z)l)(!x};);XNl5%LTLE!Za~-Z`)_03D}66Tf%t~9LTJ)0ZK^4I5IK9UcNuAGdjaHk
z9z*;!&XO+*K9kQt8ZYBbGPGS?)FV+QHFl{d@&~zbHnBxRXh*38k&qM2?E^((b)fZD
zbM{F1{GV_QEK%u$sgianT#C|7NoWToSXJT~H>W;<<0nT;k=iW`bKtL@&`c4dkbU@u
zuYL9rXk@mJ@{r6jg8r>f)H8vDEr}$}rEj<p4^`9<TV5od&TVYTh-+d=-oosHnD1hY
zK!z&EOnO}kPlY$K6}HopfKLU=iV<n98byGb^KAM;s%hC2L5Lij%_#{pm{?H*s-SrQ
zUG>3SY3t<{Zwf-a>n**{9(&PK3a215$<k6+fraoy8KAPeHVp7FVP<b3%XKW5paBi`
zO0ffgf5d3<N4db}%E!}qJWVc{)XYkbQ6JSI!X?V+lNTEDQX?7*LaGUb!hpZSY82)6
zb)Gk|74iryo?aNL1B&;Cw7(OTiJtCP<)Iyt(Ua`Ok(Z1_YeMFOg|LmllRs*CN<Yi*
z1y-_6tA_qard9tTYu9fA9ZlSR#>&R~%rV7$;Z+b%+{n!mHtYBY0P17!y11m0^B@vc
z%_;b5@LxOC^@dvPj%-E$-ux+c@y*T=YTmf66M$ZKJbrBS%;hxOjZ-n|oD>)m0B`(|
zEqT?QiUS`Zlj`PCU%M~$WUp3V*=sjLuS{X)YX$clR>KuiCwmU5qo({v-;ea<QKm67
zYK>YdCcRh3?zR7Pr=^nCv*+UmZGF)vcIzyEWEugg-o8zOocV9h+OM9#YkgP6n4#EA
zfb?>e*GPbyfozS85+wj2b7FmRfzFzL2>XcUi_O3a)+GN4qZuk7p91Gxd1N@(^wy4}
ztI90yRM6<l7{O{4mmvTkuO?&beGzp)>~iMu`^pV$-{HTb#fxAGgbl*lc6UL?)><oj
zK^MO(MIRw{7U0BbHb8(U!Zdl#4gO^N`1ZuIRC9xgQ>J|Y0lwr!)js{^+D%8U^BhsC
ziJ>-ssQ?RIKh14Dg?WbtpMfE5{_2FUGspnGK>@)YvA(7`&c=TDj%wqilfr4!AM3^3
zrjvUmGNVMsW%NWw49T~sOKIn`WJwd9>wSBMo~nP4d_}T#d-{m0XSsq7O7r}t^QC;1
z?YnQG!h6}g0CqBC8hWfAvd@pIi@F|~+9Vd~CZVEdofptV@6&e6)Al`FKtN-Sg4r;+
zr4OtR?d-KDBtZe1<G#*CfuJNt8f;sZEwY+Hzn3j*H4zm%jn9qrA6$hMI)IkvKah&S
zC(QpwE)YSIGF0nJn)-j?2h*<4cPGtzNH6^ERB;eMhE+KG3U;RNmg=?eN%zV>DY&q=
z+)9-G(sx0`uaPmB-`Q3CkCgwS90H$ttxksodb+17oB4r&&FJ#sj?gpz8}38|p^@!|
z1NbLT0D$0s2@eGS5wP@c@xM}&wEbT!<gfYy|0ffC%D>9}RsA1SB>ewkB!mBe9REX*
zm=^wvF8O!-`kDU$OaA|48-jDbWES_JIkA}MS49_!3}DUxC3>HAUC-MXc|ps;_P*~C
zMU|o4e*AOh-<m0C<Ryi;=dU&Qxf)ei-~j-5Q~uI20sd*BH;^Q?4%Y*?#@24yr_;sS
zJcRg=Pu9@TFiXJB&-1>zbzS6UGg#E^u!s(jFY=k(q4Qi`LqlVu+ZRv#avIK$fv8)}
zj4(tTJipQKKoqphureHk#rj-K2u^4s1Ad$TQ|WrZJ<Sqb5>p`HlyhhA_vF@_1~J@#
zr=Pjk9WB(}(W^_p2V2_15#!DZZqJUsk-I~W`F!bi(>VgH7#_A~@><a=Jo;{EkKVH|
zf7}^F$P^hBrJ=5#E8$D=*X{`j2xewxm;m{*Mn<{V6HM>wy1Tn8Li~KMt`A}y^aTy<
z!&@e6#F=ab^gn#~@b)dZks+i400=ndcW`usEi+ppo>Wtd8`xUXkj7mpcR|jQ(iSLn
zE2Yz05&fN9r^EL3>sM7(RXBZ~CK4c^y!@4}qrQ<*cPS9y>gF~IdB`O^IXUrHlR+FL
z^msvu{I|1FNQWN#E6XTyuXX#1a&W|k0tCruXi{_Xi;Ic|fBeW3_twf4P>7?cuBu8#
zHAzC)UjQb~`DR}*3<f(nvD2oMu3hwQpo54Q_V_(4RO=(0Js+@ldiuSURT*Dd)eDv%
z?$%aTu!{>;R@Oo~M036`r;C=~`HDq4J3GtBknMmjoN|1pS2^!hLI;ViF=$WB%)HxH
zZd=5clnMFzwaY3ziA7CW=H}0zIfMjIwum1zZ`0*@0sZyeeV3AjvLD1VI>PY-)<k(l
zV};&sEKImR6h&&T5%2$227zB83=W6;%^Ux_OKV}~Qa1VbHsOMAxgj~a7IGf8x}jBR
z3EA0fi!!mJQZfPFI0VGR#6(0FkWnICqJr-3buhTHsVO=1Jq87GKq%RZ7irh49UUSp
zi(&D?_=sOWIO96^H#hTVNu7<JAkI5(07X2**?Pvs!$W@rAt5FPSz3Z^B;eTHUrsW|
zW72bSax{?;)@c<^Dr)KC{2jZ?sHd)ucF&lL41`A55cf(qweOK`GcRadJ*hNOHrR&&
zCD<ob99<O|F{bz*J<^R^G|CqySjEpN%a3ewY`poD`prUS#EX!VLR$XoD+I9@Kb@RW
z$rq9Yz%glEHMB!7oOxNxqx41B@LNlZR-&{8;Zua$>(vFl)fFm%qdp4PmBfPnyOqrP
zgsrVUq`0VXAs)V^`I!$!cVXM2g!EtBzocV(4f!A0I`C5B)TSiu^HGq`$(=w$@8u=H
zobKbHW2iY`9D=pBbVI$Y3x)YUXsT8zX-X)IrF;>noRQwt!&%F~LhAIzJX#L}T|qQh
z_+6(u=IcXmX6SS3%xv)fr<;27iRMsrTOI7GTrECHiN$f?{A2|yz3Iewqac-9csSe!
zUYV`=v(=P7-)pROekc@nxO92=la`(yaUv*gjAo#-4C0!eh7Bh$JUpBah>&kE;cP8B
zoFDv+L{C%YP<uXb(~yR9zVJQI@5AhqoF5uOUJxYL<?ty+-1GRRF;vJIqNC`jsOb3e
mZ%86tw}hXP(yLkgKL%jZw^zBO(TG#e07`Q2WNW02gZ>L$kRwn4

literal 0
HcmV?d00001

diff --git a/engine/docs/contributing/images/list_example.png b/engine/docs/contributing/images/list_example.png
new file mode 100644
index 0000000000000000000000000000000000000000..2e3b59a29e7377d89e8d4b4d8d8943e24c4e7721
GIT binary patch
literal 51194
zcmZU31yoyIvv!a|C>E?hac_$j3IumAP@pYPC{8KvF2UWkc(G!|A-KDg;I75p3C<th
z_xskpcl}u_E6G0R?345C*)#JzGa(<8WU!yVd=3Bru;pYWRRI80M*sln1c-(hSqt-)
z1OT2lno3A~kdu(0{$OYQ&D6pe0FVtyNJ9S*H~XUZ2%Z<@A1jKQ>%WA$gBq<PftTx7
z;7{-WL0nd>yEK@&?uDeJ=+{vq&@=Tswl@atP~aQAW$G~B2DTR#1x>gv{_v%yblxKo
zd#2VjzU6*CUik2x2tc-zC5r>)Ga9uTHJ%iz%lO(~f^9IVHvmi48<~U!s<BN(Ns0XM
znd&CmLeiOq$^71P36k(Ui1`}|Ab>7y2(O9@PuTA_8}tJ`5+EU{3p-K4KTbQMya;Ft
zT7}AOD%!*8nUv3{)c92Jgn<xbfU-e_q#!`{JG~N2|16rHUc$fR8F>p}^_BnPY#|Fy
zM>h~QI5d>9?&Pl+_n3!sv~0#WXkMuy$fpeBWN2d7Wf{^dxf7{fgD`VR@Sl<0^wH*p
zBGW}H8ydli#;bfcSY&lbcsf0XKRyuV%cJC&{9wJ5`=O6B$m<fAw==54HH801crb}0
z=bJ`65ltD4=vHcA&pw&vl#=ts0AIinENyjRqF{z}c(s=$P2bkd=-47MN{}s9y3bt+
z?|RT=h!A$!^X<<iwOqvWv;$V9C6u7OJ*Ftk?2T*jklLnS9CX?lus^`)-fq5_Qxk?h
zq}0`SpFdn#q}yCSc)yB%o+}Cfdt*vclN$M8Q6o95U|xx0`S<a@5RDA-ZxrX`^H)x^
z$qR-lB#bmiYjx#uJ+mlwb<i>=lL0Uut)J^YMDjRJQ_o$@YB&i1hM&ns^O6~o0!B`;
z0J}l6Kiaj{>-JGsEO@ov3?xS?Qfhf4N&ZCr=z}(bgw{r=fvmLx)b?RIMiHaNN~Wh|
zd1hgh@!lwQLyvm~a4JSKgK_E2X#*lhn_NK!KT8oMs{@pJll>$+_YD$73v5&1crNU1
z3-q-Ck!Fj(jAk=J)f9z-Q0#*4eu7>hhX%z`Q__3qj+lKX_y{BtGajKSK)ZQn=EEjB
z{gZNA_#GfZ)H;iu<2hq{Q8|wV7A%OgoR}O-rd>ggG7WpH!}Zvyj<D1}sx#vF*%jIX
z=HN=wG0F3vgdg6;Qx4#Fi(dci_<&JB7!Ry@@yYv**r)8>4<!Xk6BO}S7tb$9Bc#+u
z9jY1Th$w<1rK?6~w`;a7w>cfS8}K|aJkf=`DWxF2(Qm(yV1{D`hJ<t;a}2({{((QF
z@*ZWA^A|Cf|Fw6wfvE<;Zvq|=S(IXDX@^zkVegdTe1*`A*ggqP(0H5X%7TqP_=S@1
zVDCXEMQ?iVVh{GJ@G8-9gNs&^h%gd+n{`*xO4KTB)p{*+trueemChHFCcKU2H~l^}
zIZZXb6<#24O_C@ZV>E(9>OGwmbt3*=a8gKA@DU*);W<$n(Tmr|L{rT1Z_+;26><DL
zPL`xej`NTWp?_^EP#8L))S&Dp!x$IQpRtZw>ED#DEzu(DCH{~r`>9&h=#3rW^y@@s
zo;ORMJxU}$aH^iFekqDC{+R9XWhZfr+1R(TqB4q8!L`J$-Y(3p_4LQ{Pu<cC?-|sL
zQwQEAn7`>HB=7$5S7!CY>8qgE#IOB65>9&WN*Js0sziNYR}1=BQN&pEe)8R<_#{Em
z*P<LVLT>jOk{Tkj4KtHTqj!XVe)QxTk2sAejoy6M-TV$aN$E_la#UJOo3|G(f_;L2
z+$th2m@bAFK}LU?Uzz5b?~i>SbNL-I^=?`_w_f|qd(-%jy8WlEhGAnE>koIcLljnx
zL2YJn^Mon=lGHDTbNq8ibK(b{bHp{eJ0lK)j$;m?j>9|Q+p3O>j@J#{4O@=7Ba_=Y
z=U8s9@9{l9Dl4#mP%d(oEmN@8UX~R30?F}eelSGIM(U*Q{yForQ*YwKG{=NZjef~0
z3Y{-r=c~!@Wh(ijGKK_e8f&aQiani-yNvJSwBx?S$^0@>!yUI6mmhEZrok1c*)Z!>
zWo19J&@MRHv~ZXB%wqL>d+m(%C>Jgl%r!$#XQRnWAvQ0`IMTRe!<*>On=Z4QPjQob
z*MVmQn@1_je2<MaevW|`czZ!SgsIf25j-V4)|P)PXQ3NV=Yu|{2dBOLl!K)itr`0R
z+?i$jpZxy(7Pi|qSDV}Guk3!?liPAS$lDd!?3xsCc971KsHeXjUK-v@n@<yI1UJZP
zE7jj^nC+w-x(zwH`1B(m`qE*dEuJrGSOqN@9Xi12;h77@lx~zPQSwpw8E6^gu$&B7
z^H9@RQ>1(ICG_%zE3XUW-1bCsZTv9o6#JO<_~10>O6oS@TIggNzI8o)6NLsw{r&tq
zZWk&V`r-3^6Em*ap_iNAqt!-Iek!!*uJo-`uH@5f(qu<ZeE`3E<>0)X6CjQG3^TPu
zl!VK|d1lQf?s)%Lmsp=Tfc=f`IZFqlfup1eJ-40adPN_u%94seHl=i`v_g)6LA(LJ
zp_zej&rQ#Z?t#CXy(J-ycx9xpC~KuQhAw(?MG~$3S{K;gEXkm*yRH@nMupET_0W&@
zrafa-gYk(KiRnrm^xcdU3O57K4L?=(#3uI>_2*bnUFuvaL^9?7;OcN(dtsZIUzbOi
zhjq5#(&$Q8NLk2GSav0R$N7+2-B#^qN;Td&Ry@YUX~4D1b&@QX%!(XJ{nh5R0+YGa
z=cp0!AMEkQjYdcPltj<MB136T@NKIkiQbCv=KUJ`Gv-4MPdiOh9yCnM)XAz8FaNtK
zf0m%7E)2VX-MbRG5xIZrHEW(E`;7bh<cs}x)@mMC%U*szN7uc;DfHiEOQH+WEvvN=
zQ)FR0Ez5+Bh1|*l)}Bi%o8EtFu0yZ0?;co7wQwH1AABAqraw29+(NzBR|vJ)tJzpy
z-!()uAKXOoh$KFMD};>Qr*V2I(47pNpF3S1oX&junyVVG^{!69!P)R_bKTFY`wV0E
z(uA2L@&$zj=0#>^?AMk{CUw?ZEoH`q#?2c`8y7@hh_sl654ZMPJ=@Mi7sU?z0?=FU
zx*m6yvb-fC5_%FCf+~XSaYO|0?Q_pedSKi#+)*zm?>{pX#D0?bs9R)PRLJ+s(L#n*
zo4JI7FT<tj*8eDElYg*5;-dPdBW@-4d_7Dz)@w(A$fIcO-I~K9X$}_=_C%nsbb+n$
z+IKaxxZiv&_4y11c{!6cHLL2yy2W$na|5uV^hMi97q+8?uIq&}!-I}Xbz&D{G=W4%
z!6p*tlfyizqy{#0-4?g*$ANC8vf(rJ#Zu^3`}!%nblc{gz_o~;R2*J1FZ-*Ktig)n
zlf?0oO{=ZLsf=erTUPE1EjGRI;e^JaMqW4K%gb{q_~M@Oe$wLF0$EF@?c*Q6H1svx
zX^{@WH!i>L>efT1;s%!gc$Fpb4GiO4;VgK(ygpy0c0b;r`YY0cvmrz$!t7dl+w^V5
zsm`(sl6%|zmso;5fW23D<FWA6q}zOa+T`K%Zg2DZ!uAN+Xlh99{E}%?v77Z{iy@20
zet*yq?iv-Qu&GDU!_d{jHN)lL*~x~kt*%0AvZwhy<=y?L<Yt$DG=qVnCK6%gN<1N8
z=`)gOq)Zda-{O$a@eEh_k!n~b?Xk1qL2<r6IO&ZtAbT1G<m(cT(#QEl<e-F!RV|*$
z`(S^4FB3n1W>#sMmS&jX%+%m-IuD@kGoU4ek+BD^{N6*r_nkYH_vOB6nec0tQ#3WB
zY%!W?`0;rgWS440|2d;R=2j^H&~zgwDfZC?X@907#9I^;II76hh*te)Z{6%|6_A+&
zB>7CL%K^3{zIuPGHzwD5y3a(L(sBgJH{C7WOF6nl%z&6f;xc8QXV#iFyFWvXHk%@F
z^+*ubaOA!SEh*i5%Awm7jLQ10;_ev*lq9PeFk!ajR4z{!dhdg0?FYb-i<K-FWKRQq
z8EP4ZUZ0UxGCl2&W7sgWuevnvh|E#V=b`W_%Xz3}xTV&jPzJRAhU7PVU%;?6!zeyk
z{&cWJ%ds>y;r7ON!A&5$crm!tmZqpDL?bU;WrXCQQpA@U=u3T$=S$6zNgz%K0v7x&
zEAfG^+t&S3_FHSN#jv~~$@!&zW%23w1%)^BrpydXNb37|uSVHzvBO9Gq)mXZGHE~%
zZ3biYj$!yqF%YUgAh^_tcG{C{_Bmffo@#4=iy?rqQQ=Y+go-#S2D$-k+Kb<LiA)@C
z7<KYFzp(N;rF?ieRJh|hlo3xA?kULPdDV15YSR<Z`KPb<#ChQCig)YNKSwYcT0a`1
zwa8IKxvOQi=UkVqhMYS8^A7{RAm+}>4Eb&68<O5<Mr@F>|9y^yXgf^5xyPpfdh&+2
za(AE3>k*%TK;_dXDfhmWv+L;CSYJAsNIh7F5D*(X;LkVAhUU)IwvEB0pmi@M1_oQt
z#UAdL*aHIt{MVS6m@#Q-;VCI8R`YgIb=K8EWS@(P)XQ`zs!#rW<Fd227r1WLVRzwK
zfHyQW=wueZ^sqi%2n!2q3{QQ}n46zpWz@Wkhj@B_kk|Eve|{1E`?<T53zI98za#;p
zS0>_g|G;N9d1IgIs5iD5)n#&Q{Xllb3%_t0=_TQwD7wh6*=@`H)5*uaX1W;U@}>Bv
zsW*>jxQYbp{5c(B5jz+nh_V88ZM$u-vwF<`<o#8%xaZd9e)I13JFjU+JWo>16kaRD
zers4tTU)#J{11JnKL&wbg@&({+SjiU-C@LQT_FT3RGJTk5uu?SX?*t4$;qT2scLF!
zuFl7mS5I7SjK7|ooXk|4s+G+fo0!<^yytf$-J&{sYuK|gk|ps+Shz8gK_O9ZELTpW
z>Kk^;?V&)L2&853GL_f52QjxPu7CqSMa#`@u^1Tyez>SnZ)Yq(r918MIP~K!ieRdB
z%XMJC<b^$UtYL4Y{zQR_MxzsJPZU)YVnNO>M({=4FIl{<R?&yU_;+tTsh*69#$Tk|
zt;2C2XuakjyB$t@fG;rdp?FUBL1(GQR1uMD81ah!V^N=LS`YHvUCHvfv(z4tGTxZ~
z7dnLP1MmBYO0ZXdnFG0WB<g(fd{qO<$S@dgmPK`6(M-J39-EWCd*EhpyvebC*fGZU
zgP8e^38X982wz`c>&=&!bEFBn;=46dR#a5{;CFmuT~u%>f!*uaxOiV#dVFld_{DdM
z3!_VNaw`*pGdyTj>s+YS>Ls-KCpE|q9T!R#7V?&{PXjhM*h#GGf#ladVj6yZwxu?B
zQ!Y_F$yvy?vUa%KN;UpV5d~)19ZGay@IIU6OLf79V`5B9JJ+UWVMg)Grpe9=&i;OW
z>o*Z(yf~wyqk7Fhe|m?IFX0%Z_bW5rr7W92ZSxUp|KqSSrnK>2r*DfB{gqAxtpA1y
z9R0g<&9dfn&v8A5inz1l@}jR_W+_q`K7qMx(l3HIeac^H=l0-d)LXLx<J1QU#73^u
z_}2cZ(;E0mZ`Ob;A@;|YJ$>oKl9aHGM5X&rpFbP4`#uW}4!+8C;u`r00%mVhq0!4B
zKO+KU0ljGfVzB_cn-EdabKbKw1r3nPPfL^i_q;aFurDdUIF$w~XKcw6jgzlitS#q5
zq104dpFR=gpLZGEWo*$fW*cOfr2fM2_2uq&+%4HN>*Tmopz1>cBAJxFdfr$X_7)Y3
zjEOVdLqao=GvC_k>okb-NT3?S$UA4U<!I~;5cxZvseMNNrXXzGexBzv>t&kGHa0ei
zeKQ(s-EQnwz2jG=`;q1&_Zxb66+4e(LD&+AO`qh;_&cX%-V>Pchy}UKWO#O8EdA)0
zuB#+l^2eFRFoxL}=I}LR_ARM9z*<dm^6b(NePeB0uBVsswJ#}IhtQr+knA2Yg|4Jx
z->1U8@1(H5RQ#{=RONQvVfk^IJztuEN{hlTj8D4=ltI5H!p22jGHtjoF(he^fgkxG
zV{%M*FJ^pfB)atTn=`gdq`wZj4*E{0bj6)Ruw0XZ)m+)rhy$`qZqj~=<?_3o7nmoq
z^O=O7KkjO$)|B2%%#e~DISu=17@AU(`OB`EHwmm2l_XR7P#X$YG^^!oUC-NIOsexj
z;p-ik>_+Iu{KN7pgi<Oj9s%=R%v2t_RS+dwhhV-Vk3p?=r(tf_bw`-=WvRf@1D`+H
zC?B4KuYGAhopo(f?c(+2w@32963H!)U8Kl4O?kS#BBkph7oC&}VfRIl)0`#5vlIWf
zSeI+gA`f}q5y`$lI+?|mm12g^di`qOVS%7hZrN#mrWZeYSR2hjm|&JKUC++CL;teZ
zNtkXmfwJIeES2t`kZ1nDX|OFSwgT6FeOA-uEX)hanxrs2+VXgRWIr-nC7MQ!RgNMi
zt~Db`t^lr%Bk7jgum}sc`5N!*={!@;gcT&{$-vpJN^i+T`AXp(61w_3Bqnu-kUsqD
zn&oC6L$6umq>6-2pTw!h{?2;1c6P9kliLMtwQK2HE}fo0l+uz?=e;Z#5J+z4DJ~nG
zIbM>U7>L&yFY$5v!uA91#Tf6H4^VIERVG++rmrURZk?%1?6Sc=+dG^Jua`4@vi`R+
z2JIM$KBcbxA8t}>70H8SlMH>BZ!m$U>9Bj^$-_jxaGq`iJJO%49Xi93lH#L0FUmjM
z(_5RrQmrcQObscIaN6Y>`PYhCF>IFbOpk)DO$)Qmfp`Lv>T79ld97|_ATQx}iYal~
zuR^mmu3#`mo)G>_;lsL^f^p^}5~*}6*WOpVbtclGh!gg3k7lS$G|ZlL;D`ks$hP%g
zw^K&*UR#5!1>V3a(TC|wbY7;tMn)#{Cs*R0XUt1`&(k}2N~1fHN5Q9+CTMC?$>$vM
zZS{wp!*q4jxD4TJUzSAB)Dl&@4+Zc=eGr}8kRCc7vMI`mq|q}nJmoQUs>iF|5TY^a
z3>QW%ss=W3#%sQx`@9!H*fFz-@9>&{jEQ=DOhr;up-U=<CACX)B}ua6u*uf3m3QvY
zhy968d+?wIiHLa8ZLSm{Uihy|TaZeQ&Rpdeo>BRUn0GWBXDFL-vTvP^E$}2PZi{A)
z80@8VE11MQ;+KEmWl4&>PL-|Sq!gF37N)f%&uZRmdc|T8XOD_=O$E6-2{!E+<b&<~
zshQn<sfQ&w@VoKw$fuQHjzeEtKXMP!kqEbWH{6c)=hQe&3=6st+P6kQV}+-|wYBvG
z^{W>TtFv9q%h#8wNxIFCLS1Q>vtkSSWo)gnwOUJyx+x8J@=I2(nJ!m@YDv2Ndl{s!
z5f_!-ZVZDW&fFT!_Z(%a1<-FJS$h+z4TrJ8Isyx+cE~bmC@`EvH=Bo<l?B`2SxE}o
zC}ZJ7j#+rX*=9;k-k1Hh{xj~(XhXTc@BWGhbUIhrtr##}XOZ^6xM3V}lfM}Al@y~$
z`#+a>OpMK=gq&xnbAyHDb&YXjL>ETbpnbXEziTZNTOyBlX9qMn9+9Q?iQ1-_mEacC
zYMo~AndYW{^!Gp|p&L(W4ceRc`)kz5QV>vMu0CIcu_3ufFo`PhaQ$8e9j*YVIT(2Q
zLt!)Coz=EVJ6f?|yIEj2zf6@khN>%j!dh}u+FIBbSXGL3gunWMs<4$)YP0U!>r}qi
zZZh#<C%dpG(9hx9LViHnqvrZT5vE9UP`ineh7v=B9#%Rr>32xsC^`6ILT%Ou@cnM4
z>d8wHVm^i}b}e-iD=od!L|_Zc;C9V1a&_NGKRwk{<CRaG7UEJxoTuHqz_?P~`0%oV
zF<Z%>a{9A>22sq`?#5Js;2=LZYF~8Xq$Uk}I30+A_v#d1%1*Hh-PZTOWzICe0uLzK
zvMun1lgs=uSeS;Tf(F@_AbD%9F%V?{=QPuGGuh&Ai1Aws8@5SzOI=%SR&M>h%qY)&
zL)wqIe4A;GPSnv1t@jGxUUD@RAT5PtluZ+>CmySm&Gw|ide9cXd?!B1C?73Z!^Mb6
zw&+ZI^A1;sU$g&{U5n-Flqz&`Nqt4Vee^Ea<bT_iX5e?FFN|LS3_Zk{EBm@%eJ_G#
z$&{VTDv52VNIxmkw@`ui)^@mlNjsJ7;%uo3MJy;-8Y`}6!uFZZ*saV=4Mt__+Z?`~
zWLiKT-cU$WPJ7x=qaZN?N2!Wq+$(7uDl>PH8!tH1pN*JW^`%3qB+H|vGH1w`HYEbn
z=DRK9+kLv_?fcw%!PAC+{YSCRQmD5?6Ow=ot&;4yl4OR{#-LWtsfXp3V5Ofi5h^+l
z_=`XK@N1^UY3HpfSdcOPm?VYn_$)9@bQDO=ze9@mspEu@mClkB*xs&6Vd{8nKR8EQ
zl8%by>r>63;{QwqWq`T?ggbSS5KIKq3o9KJc`e{R0HV*ewAz1I4>Hz8CAwI7Cm=(P
z*G`8omfY;7Iki?#{+%}3-k<m&{&0$p7F)n*=kv|SR>l1_JqXo>JQ;_$0|rwjc1J=%
zc6_%fFBJyz7*G<)eXM*O*B=i#>Kp=~^<%LfVoxK*%|?%z5XjTT;CIbD&+$TdhI$nd
z`$&o*_9L*sdkS@XDXkhldyWpJo<+v7F4-NtL^Ax&)7l^nxskI{S=bY>DlB(v6Nd2B
zpt)tQE1^+vqUNj!y2X}uoXnCbIYrC*;u-h<8Z@zUh2MR<!ky~WC5|vmPPn&k`zPqK
zB0R;n%~0aUvBRrDbH5K&uyhpX-!pZKw&ss%P5t)WgAj^@Ue`_X3cq`43(7&Xtw@ee
zC<dp=I48b1Hk0yPEQu2Ns+cfp40^`uUh8>ym+QIUAUK#YGR<t7)pnJfAm_AL!XIUt
zI@ULsnqQL45`Sn`ds-cp6s9L}4(JuU-$<!8(S-h;?WdAl+*WASU>FN2p^{>GUqp<z
zlS6f1pi9B&bgJQI{9gNLQX>9YP&x&W`G)0SN*DEIhg?|{ikL(*kaMqR(2gvdTHuF_
zKj>hiPs?fZ4%h)$HLHmdgsJlEJc3vXxnRH#JwdW55j|4*Mr*nUH73LB^*nT4#Hj>T
zeia<(Lv*P2*}SFxJb1eMdS3YEGn>s7WC`ic1e+d9T8=bq!;858+OyO*{J~X)&Va4j
zW^2e`V4t4A)|XSoZ+p(2#98^U@9xf?qyG%fy-k95Q0Z7OHM>aPUP<Uy(s0fU*C%=)
zX6YVU@Gxo=YPp>g7AUKcQFk!_!)LtDqI`r_uD070gK&T0&|<WqZF#DB;ZXEW3Nwz`
z$C=orOn<Fq=~0LDLL3w)ux<h6<O&eQ!m4}q^`wXV-3^_M^S!r*R8)X$^|7f(r0QM|
zvSt(;L}qnkOq9I*6h}hqHLq|ro@|Glkhk@!(P{P!@;ymN;CLYu?KbLQZ0li!Ex~Iw
z>fqFeMyT9cms7jdqI}VQ&E{x%wh;v@*q0>OxBjtky0POX@Ye?*2*9{_=C*7=l+g8J
z&<qXWO{5-qM+X@B^qv?CvJ-H7(b8S>#)Z{)5(@xeE>-*Tq&YyfHSPcXZ2d=rDBsw{
zNBs6?ZM&aoH0eSt8dhhLQYu{+&+QD<*1N`XPfMBNj5VV|NF<Z_=}g3{Wod3Mg_4Sj
zC_<Vjs+R~0&A8?Znepa?c^zl!AG><(=cve`-3IcAq5yRM;GtBM;@`{m4-U91RT=Ox
zHthH|&aT}W@#+j~=MmptA_*tIm+m%D*|5_L5YH0cUw*dx?<JrDE_<iamV`+Wd+J&E
zbff$)uZhd>gM&Su)Z6k6Y)dQCzsK91wf4O`s#`O4Yy|zfPQw*0_Qk6Q=`f8*TT2HA
zI0@9^l6|)9sFl6WYYD>E1`o82xDPqXoIS(5U@N<8w8sHZf5<OF5Sz!<)zwEoKfgzG
zRMb1%=g)7b@bOPYSXlNUMn?1(XpZ7soR4I4Gh>rgfXfH4&fx3Y$KGWiz!&8EDwtLZ
zBn}V*iUC6lqJ70dzVg5#UwR-7Q7!-r&=yYmBN+)n8!}1H9!i#PuY27DTW+=Ce9e(g
z&T!A+o3#t@R?DHM?sUtgj{8B)(;Hpeog(s9e0i$|^4Lpxzpj>gIox=e`gs4yo#NcO
zH95V1yp%sTw`Z;A?kti$Tsgkv3Hz*Ns5o!Xco}d+O`pQ83wzjtB$jheYfhs@)oV7x
zXr-p<BCEF^Pd%Zx2i33^rxn{?ld>&VuFQv4=q;7=Ofk@h4z_K0;Iw2MvuJW7L#0)#
z!!+w9LuJ_4SE3Ai^XR_2MoYbIlDC}0UI~|)6b^IU_cnAly9{JAG%ir~ItQPz%zx`u
zqM63V@DZg30af$6zm@EtXLWjA9A#b~MoBmG&KfBAEo{$1ydC!|^BqMF9Nf=ZALoBA
z-#3w2RXg&0*Jt|5F~hU$B(PV0OIefXxt8?!B{fn&V-I>@;g^`oxEzsu;?HebS*<@L
z{xc1-rWknUdM|;y2k#G8=vlP-8YMVD{eyphwA;p^NBH_<G{4Wj%OMO>p{Wb0>N`5y
z&wS9P$W;;@fw{GA9ffU&nYm5*9W}!YFh)6in`6X!&Tmi)34o}`KBCET>2h(5vvsy>
z7U$cePJ1P_a}>@C`UH&cqva?%9%zJO&GU6ULegE9t^-0SD)km$kiFb?-uQIUg1g>E
z!<248N9ECH^PsL%Qb;kGUnT}TzGr^CORCu!8ExYnWRvj^hHO5ZR<#Y^9`?R*sgw$m
zrJz-3%jBpKYZVC0kYRA#ZNOcZDG_(PoTU4GTbMukdCFk?PhDcQ{_Sw%wTXanUjVcV
zU%^h~LKx$czp2r(xiiw~&%N5Uw)F!1h75YnIXI`*dK*e4m3n)R%X6D*9nw(*Z$?{u
zH!!uF%Wz;}^3~Q@F35BuCkoHeXt1mff1Siry$%<Zrggdc&lGgwlv$K^u3X@#C}AQ?
zH*&`rdf+;<+Mfu0ZT)~YHu_n|kvk3j=nU0=mJav)2uUc4?oFt3xoy=J@aXq4Q;=X1
znF&s-Z-p6(j1G*Xc9YD~0;P=Xx_A!6w`?^%+~#&JR8?*qy1aZlx7UAxzT_3O$Fp|E
zo_o8U8_7rpDsAFA8rBe8T{!zra4&pQ_X^kl!R^Wq_j=eZV|@AZS5NF+%$Nw4xlxmg
z!B6O)L@@6&lw~juI=O={eZ53YPE$|pbqnO1v)}=YXW;_b8=p-Z8o0j}Cm)O+fKqQe
zqjsyjxN-O&P@^hG53p5w)}4kwWWKg;GX09fH!-E*PO&L(G+gSgm$Eecx-e&&5A<Xb
zXp+0{)4-!vjR!ok6pb5+TKkvt*0m>Vy-Bo==aYD}H2hR9A2=(xG!6R}j*scUm|(cY
zpO~XH<ImPmXw8BhGnw6)1`v=&>U^5qWZC7Z28bbv20W0iz4v-?JM<PP7}ZY!6YjO<
zc+cT&Q$)7km|u`O;kw=#^?TNBk03xTG`!tAr^KTe7)TOGbwsnogoG#9#5F8ma*eb*
zu;}MEVwMWMJIYo1BHc9!Uo!bEYbSF0ta{$mL`y#}fgmVkQhq>>B+APJ4Nu2|4J?bE
zX_L)b+YuT_r`QF`?KnhtE>4(em(7FZL+<3nfh!z(g1T?7tt6zAzFJ+23w(8iHTN_(
zkh}djS;(qg)^A4p>Me+I#Jb3oidgHQ43E&!py<GL<8Axd4QU8==DYeOOR&{2m(%PO
zMtEwh78#FOb3KK~@xuC-BTRPRkE@Vt;pc@peQ5l?%M#y3CGnGk2*L#S;G;cKv()Fr
zT`!l#R?4xTHHYW)X{-xnT(4zTPKb@b#9OzfRYC>N8t<d{prU}%y3;q8ry>uU32qVx
zm{Oa%w~$BZFY{8VM*QUGq(~=i9X=1gZ~Sfvo(;NeRDH7saxzxiU*2egFJH`s^GL%h
z>-_fZ*z3~+_|Xx2o*Fb?#u?53eysn^J7z~ohKZyZz1VL7lVv3}R`%rIgeEjyUKDGP
zT;IXW)>Rd_E571_N50g~ClY-P4ney;d{ZdlFE_6wP;dJ=HoP4md=Q(}^O$~lXcleo
zn}of7UG+|<Axd;t4_x)P&pF!G--qeq+@zksd6l*Hw52t1qFuE6t=#8QS0?8l0OqK^
zFbEn5t#QA$^?Iw&x;esPg`Qy}7>8MEmz-CRI?(deORv@s2a2s#qhu$%%A%5J&YkuK
zh$TEt{MYkz&^}p~;)Zs16ADui3a%bo{yL;SdYc_)*&M+uS8CaG{X(*L8;&POA;lAI
z(h~&{Sqo#Yr#k(;EJIFg>^GuYid(R?mg#AA2bn&zkARz2o^x(LbT?r4-U_uwj%{3L
zYgu#2ZY4cD;GUU>A6PM67FjjZoCnaJfxc~H(@GE2--mX`CTi83xP8A2q&5^6*eX?C
z<t@ccfB$h#v%nq^98i(5g;j$r)pMjHDk}_oD~ZfwBzHmI(&P0Lg5^?(ez=v65n-{D
zZ-;lG^`N5qPp1=EJirqaWYhlzdi(10yt6mQYq=i1f(qJc`01+C!2~*%-_gb6owx>X
zAaPfKT_)<8*9|ExBaIMXJ|Wm^#fUgtJH@&##ueWvBf|dB7)IjsTAI&M?-M0c<Q}IB
zJJjYYhueEQ&#IDIIdaBqwi%uebgDqQagn%pDQ=*`>Yr)+edG|n_Fo^q<$d}r#YRI%
zK{6cQ`-2VqX@`e{bing;penl4C%AZy!(iZEo|MVaX63nDi>9YE&!n?DIU_BguJ^vx
zH4Fx(@n9TdVJ@WW3nU;3=%eW~U)OAn;$a(@%om676-snrsPNt4jt)3ScS_D|6xs91
zQRK0IbnOY*)RBCk_ou=Ox@k;OwqD=C{95Mb4m!9PxuuE^n9#p{DLH=}5_gwkX8r2P
z&>wCD?}N%lYe7pO6APK1%N2pb|5|!9lGtv!aznJWzg)_(=BluGvPT!%>Qqa9Dmj6(
zFuW<rPzw#m$<Na{U?OXY#5QdmX%rcJg1i>-NMrp9-BtV*w^lK=wxGPvi08d9RCIrS
z?K^J8Hz`u&5LS9HF1-iTURqnNudoeH;sHJY3H_z^{g{2U&~G~;9fEi!uSfGzMSJb=
zm)N5l%yCnDcVg=aAMhFCWV~hbx<;O{-(3+b(^Y{Co(Z08SYs-EYM3jOXjcA=s8mjH
zL%AlNL%~4fw25{fg+md$Ilm?*oYu?31~nWX)c)Q_P$nqmE;DFi)VOnlREGJQ)zU{W
z3?9=fm3;GYhn>k0ygITM)w$ge=6_hftF5Fevyb^TgYSN%m*M)u$QCI5A83u9pyj_F
z{A@Td&f_87%l<|+$o;s<$cyj*Tdb$6rB8!Om`gWS4P8@$xJq_y)XzYGy(<m>pUlCc
z)nLQ_!_oR2j{D&!Y93%MtN!~~6sbC8X#)wD7g{BOi?&RUYj^GjMxv2~|JXBfA%aES
zoBIh!L^Dew(Z_IBQ?2{EP&pdUrDJ)wD^}yef3n-oJ#Rfp;|B>#!h-t=U-$B$DUJTE
z^823CrB4e%M*SRN)FcU@?|-FPv7TG=ESet_CTVwUVF#k0AJmXzs(jC2xB!~UT7L4@
zkXxeS&VKG5p?e9VALj_*lyE5QM2<z|szc)YWp}qL#Ymw^8G<gdb`<ECu2Y9OQDK~7
zyX-y_g$)PlZo1p2LsP_k*4b43ay>llW)ozHA-74SEU^iuF1#bK?L%0-9EEN*b!ch1
zv3fPHT{M6F9!mRHjo;qy{U-3{_+-<iqy9+`x0W9tcp(Qc$V1irp>u21QOhk3a__@6
z3^K>wdPf_>FUbdTT~*?aV+%QX-i3ySKT7NsQSus$bK`j~M-~mEUsPb7PQG6SfA#VO
zx^jd0Lg>9R)biU~8bx=@LqqhRk*|m9UxYtm^g7W|<byRQ>7NH}r{65}wmXBQ)R#P?
z)@MMKUpqgrNAp|hh03YiQ^;!UXU?{$$cl$%?O)rIuh-2~-d{c>cl8OT!egS|nJ`n2
zDn@zUkY=V6QkxoeNAoubsuLDU;Ji|f!~qk9$O=8cly=Mi1l`tQz4y9K2(UY(VI23L
zZm<yjc2GCH)c+X>E2LYHAt4sqmA%nCf@AT^Cz<rHAG9}ZYfTiXTW@>D3^XYfh%FF!
zGKnaluVaj+%SF;r&ygWOTe!%I3NcWGYD&D5*aaSt=PKn$Jo(WKm%kY9i1c(HQI3K_
z?)P*-{C5FE6)@r3Aw+48`F1nadOwKDtGpE<qkHt~wv;7ItV*I_aogp9lm@%xUs?Lh
z{KSGJ-yOMLaQEST4!XGAj)QJ>x6`cUq8`fh)!wk!Rg12JPuk3~tbN-1=<XU20L!!-
zYkBJr?*4|bv7+bMudckSSOn5Ve$o+937+J>7arJAce9h*<<wvDSW5B`AorAi_qjQ$
zwdZ<87_1<4i(9aRO0dyx#>Yo)^K$lij~Q=>Oq^5Tx;{f(+y{=2wr^~$%;+5ZBmfoN
zmn6<!b-XazIX|@?4I~CLzpjA|CPxR?QV!K1e)|sWHNx0u`R%o`g-1%d1bisb#!$*D
z6QjIxI~bH1O32dX2?#MK&9^Y7H^Cj1Dzc!C>tmcJ?UVD3Q~&~2g*)nisxl)mgI1Ff
zl?EkQpqqno%`SE`yF;?c9;n_ZnhJW64R=L{T7|-5k@~xx{^E}chc;&o{1_Q_-RrzG
z#lh1%F?oPN0={Q2(>TUE;i%@1(mVyXD51+A&DWc$l1rldpe#dOuj{<#$A{a?)gY=l
z#6np?t~#mql_58A_lR2TWo_$yMC;|nwC=RhE=Ps)ekBtD3yz>PoeJogfuCHe?6ZL@
zD9PvUr={U>Ige8=@!VR}c=k8LX@7RB0M=o<>5$T;=N;d+W3_#BC{4AT<Xh__-=pm|
z?NWx0$Eak+f}<K_s4bTgtbc&>T<fP`VI@|${N;l?*<sU>7f1r(k_A?=RtP_!t&mI(
z32>ajA?4|pvq?8De8B;8vJ|2dB+SX=&1vgoD<ozEcI??o8boX&g>kwWg8*1z=b2|(
ztOJ>hlBaW0#axe)J~MiVdVOSE9S0mKZOOsqNR8Cc3pxA^SrcYVNc2=Z-OKPk3aI>P
zvkjHLHfkZ=wn_am*Y>NQd#F$^)zalp>gpv+Be&v7u6Fg;@NJ`gw4SI37B!@p_A55Y
za^&`<5617mZ#7-$ldA?^=3(zRJK*L<jtq<KzT<!5Z7T?bp@nMsbNjPZG%ovDL6m<}
zgs#`)cua=LQw5w$o9|8sK_V98mAJxJ-mRCr#bs0SyLD=9rl44R!M#0ei{aYk9e6+P
zj^;Yv%6S+f)fJnSzBo+wsTh{eCwNJObh*yHe_Lg2zNy|?R)xi!DJeqOIj*L+uH?S;
zHEl59P<?KWj@#j5YB<77q05%e%U<iQkwsJu7A{tA0PPZ8KfI_swNVFx-+Q*VBZ0?<
z^dls!w>fcra0{QmFsA5hm#Qw*RXd0%D#RUCklej8X--FZ%1pm&>yagFjnSwpVMHsS
z(@(cNKDaYEz9a$?Z4#nEY0E=l15C^!`X4`vY%4gEBm4MIm|A$Z(VFr_zQm)X|NCvy
zV}Q&$(BhpHHG$+08*+ZhtG|UZ-X&k?TLKA9{Vy<{u%ia$DxsCziR@PNMts=Ew60HR
z-kQ8uLJH<vmVW_!XQsLpgDb)bO(;)5Ms}~?P%m#cw1P&50j`y1PQ|TiW|ut>^5Q=+
z@M)%vr;QLicgm_BfwzuFmpN4JynM#W=mWS`HNZpkrTlY8+4QGS@bAt4`9M(i|1%=C
zi&~gNiK`&q)}Yj$0w0Glltn@GDVa=(TE~xal1BH2oZ`CiKSRz4lw;#-CY-%I9G+3P
z;q@41rd$_$2_PI$<4MfUU6}-xz$C7%wh=&PGY&I+eDd#NF<|0)Vb7YQH?H;mYiAt%
zzqgI%M=5O{wo2u0JS4|^e8A0jvU%^|GqVC`E^GLL#2o=i8~;3CU4y9O4uG+L?WCB`
z#`8kr$ki9O#s+^o&O1rlsVD*Y5XnCVpKaHU$qck{|4UKifM*w{TRPt_mm2P=cd@#s
z_b<)M)J#-A+F5+?3Okrf5~TRAq|;`qs=EANg@$R`rs+w{DS)Ny{Z3_-Gk+3sP$Car
z$FuHL6=e&{WQ_LC9W)J=z4Q|r7951mR*Z{J=#mJ0LOsIt)L!pI$UEPDCxws)JIgS|
zYX5j-8irIX9d%dCF1n=~-BKXhP2gIY8QmBEefXdHG5oAN=EnKB6rcA_n!tXk78QA7
z;PZWvHh!ns@rF#NhUV+#NA7|1W{<j(c>{^m>&YV@IvNP2$C0P`n31W#<-Wbe>0sH+
z-s5%mFUVbp&{?lYa?+01t|?kOvh8|)-){tGb2`RgdJ|b_M^zE7W0DrxD||mB8!q1k
zBZ@ofaa|!<6K@7n6e;#nV9}cXBm1N~cSb;m(OCC$G117FavWwnqjaTq!x3VTiis?8
zcF=I^31g1%w8;5!M<37<NlvmlNVO#mRup;@P3<@}y}WJ6AxqKB{*t8v@5t+YYgI(t
zgtiHM+kLaF9#<uPgU<0E>qi(MA}dzRQ4ER<q;nC4t%dhRUhtZlu6={OW#`%*?G67P
zwV|%vPmLrkd=(90O3)X;g8>Fv8q@G*S2Hox;C2E>ja1C({TOV~+>&wH!ur{Kg;h&E
zsVv8@rj^{COWcWW`f@Ca4+Q9^ZN!~L>a^P52B7-LBHx!b$+t%7FqTvSgEJG<&CPmo
z1#6ENXVs%P$O-1Ex__k-rFk*6^E)o~BE+q{^?P)Lj1&FrX74w1DGS)<TpghaB}0V&
zqX{K8E$ak1*OoZXjF#3zc9EC&ey%CMA~i)eo$$zsz;<1^R|3NY1?;bgvdNL}HNi%|
z>&nI)9L*a(bIs?>)9}E9sP=@MsOd}_73VE1LGGZ$&ci0=+eY_W>soV@6`VqTG|XI_
z12mdo4}`R3ZRanzLG$&V3w-fcVZZBac)B+dH48hy3xd#VBH;V3N)Ro_3+`}tvG1o=
zGMSUgyO{dgeHWuk#j+M0-)JZ=1^18X2co_U_gT}vpxJK{an!VIIvUpQ6aXBK+6|Um
zWv;D;6s$wMl0qg%9TooLEkvcG`PCQg%k;gS_|7@#?2NV#oHfeCh-acxdsDW0^tvyj
z<CLJIQ7~$=K-eLctg#JHW`VaGpygn5e9t9azlGG^e`@*BS@1S(Rqrq1-=78}0)-Ow
zo{_uy3;Bo`G_L@8l%c^#LO-1=#3eDpSntUt)|DR+WfK(z-FG|@a!Uo)$*w@<w0Q6@
zFe4b1SMUy~^sZHZFvgCmBwS|;6^!J`*4VUe#vdd4XG$w`J2`$rPKBw^{-PO93h&Wm
z;+1bqcj_6HBL|Z^-gMVeuKZlVDqXTT=(rDlAwF#Ld@r^)-wRGODgqAdcQguEUJE~?
z7?lF+Psqec+-pjTS6oE66GS*HqKw;gywWYJK&fk4c+UJ%a%hGrv(ksIENE!(;ZScO
z&1ApwgkT#sK{MU+Gmih9YMAxN=kD0TsBZW>W$@rII%RGY1%^1;^Lwu&^RhD>5ZFR7
zhY~!t5M?LXiQ!2Tj#(i*=S~!Y-N$_s2^3~OYnwkJp{GE78RNb^V4S3tVf$;)jLyp$
zdQ-{$V)iH2(I#hylX^?)<C!j341a^we*z0|0+I8&%(x;wDQpPMgr{D*tDEiipezXw
z>IE|Pe*5QfZL38unzE77=BKUh=V=<uv<Vttz~7wfKr$8Q&#nXp=q5fypRqjb#D62y
zm_v1rN*N{h5ka%8{;|Q8l^4+HmFS_XJIvM|d3IRb;ZtM~M2Mc)TY*P5`$ukGR{GDH
zEc4SBTpwz3afZQ4A5OLH?(0y{3z+MDt}<WI0l}Y_U&{zNs4^`gkJ=UU{2n6Sl|T)J
zWSn#-EkxY}+ZBjl1|@g}fwh7wP+WUGgDd4q2`Hj(7dO)QJ1&_I6&=EKC0^JLJF3dO
z6hQXpA-q|XqcFNcv=?nbdaw_MG$faS|DyTVouRA876nZlt(^7E>(+TO^!dP&FH9Hy
z<v&@b=`|yqgS1z5?r_Dr$U7hTpt=|h4F3s`Pn><CQZay)%A)v{MNQi%!9X9*#zQYT
z=Ia$48WoHO3g!-_UHWzGz}r0M2;N=X*|lj6<7eR37XAj6y+8H1nMn1fGyMKE%7>IK
zL0B{c47Tqv#^Eq;Szx%`;p+vNS9H^}%E`1rIFZ~Tv9rhl_6Zgd`o+Y#17!@31+cL}
z7IWfo$~bKk0bc<d9h15AZQ3+Zs9%h3&_jWob~MWOL%4`dbE!5*v=(Liy3JN&`5&yx
zs2iYNfiN?TqDC`h`ySWpV1~x@-7-^U^y6Yx9Djf;bDBw-WBNo)PbA>UX*jC}`EN*W
z9E)@zFXLUvNQR6MchrsS(zPTJkZlV;*o}S68j>&m9UAFP=q#F{LMg5oKk4EO-OOVC
z>J)-CAiDeg|H9Q^C+i^hq&A$r34a+O5tUUIA44uLzOBi+0XYp^K=fxnP|Sy?O}tJ3
z{jd~?Ci5zp2vH{41v6uWpqi?7ik&2Uf5h$&#Jr~c&fc*Ra0@h^;3q!mh!Tm3>cHUG
zm2_3&@s&i9ykF5i6Uhw|-xX~+j<l#<sq(W6LFo+z&v(u2ZuGu{w`?24ik?B5eYDH-
z!rT%IaB~5f1PE+`E8hq*3r&U{xw0MgnzRP-JGrHc1beY|Hkwd7(sxL+(}hzYJ#Egz
zTpTUSCZWYF=|H)C*7E=kw(6ULqm3@Kdi7uj!{1XRj~-En{?V^iLf9e9gJy=Fa76k>
z6ieQbKHhSbnP$0d@vy~9Do63P_P@E-ZWy(r8P}WHUB8?RZ8{M&<^^%m*({^t$#Q|i
zb%<S{3qqgp3ZyNJ!xs-hsXy7&ivGa$x)VyBjcT*+qMjC-GK$;G-UJlypm-?~QvA^!
z?`_V4%xk*I*|G##gdRje{kcHPvduL?mLixF`bnGf&`DSz7+{Bv14@@5#JG-#ZIM@=
z9}`7=G0J4o|0>~Q!ofEtT*_E&Ce@ICO$N!clZRsN$K~1&L(hE@6@_!E{07zrXLgZ7
ziFhO}+gMJ4{raRNgyHB)KtqgBz`J&2yZrJrj{Ys6o&XK1ljgJ;?-j-^5?J7OStGw~
z(kL5k5}{>{WePq<O|In}nNia_WnU9nCtCB<|Lv&O#iRMbK>=y>l0PhFz1(ZwBV(DI
z+Q$#90Y+Due(QZ$MpRdv*67CL()hXCoStKObsWagb(yb!YFnkxRK#z9L1SMIGsm!l
zu?~Oy1%o#J8qa+3mMB@0d7U#^5A+%wU0?rwJZVlIfO?Ku+<pg}dj2*aXH=;F1uC?3
zLN+wiKFWTx`0s<jQl5>-u1}}K#v(l4jhI}nk9}E39S}Jk>3(4OaJ?hqao}qFj&CCK
z(^yvb>kC$|-5DArmgW4Tw39`I4<hm7FO)#m1j?<$C_cv0x|2HYyZBlzJ>xjc<C$=b
zm*4%5GeWrbxMu`0GW3+FKazYrs7I|36t<#8ASQw>$)cMsH1Lra&4O1U?!(^y>?<O%
zUC>(;Q%;1)8K@?ygRCT7zdbd7&S`o`4pp~3MW5#oY)W6Vps`C!)7x0?JbJqzw2aix
zrirvsYccH`?X7W~prl+qWGz=7g7O{}q{Ng-Ad^snY+=3{|B4)Iz~vC+{JtI+V(S2I
ze(oDmfUzoUK-xSUZ-R+g+?$3Y{Sm8`&!mgH=F++_jsKkc0M{n`i{<!~2vhMM_>f@p
zPp>N-@dqE-HqCEZ&xZMrx_RoW*>ffPqmiT4YNVq8Mi|Kk#mE?HF&NITxDohCk;SQ@
zB75hw)w4S?&DIDzh3|o@B!Am<5aN&<A?L~-I&XP~fB@%wG3F1+4+K3wm3D1Xh>jE=
z7`<TD(bfY%Lm4{9Cx8Ey;lHML&>V``n8DQ2vu<1dFX5Y-lE`C;l44m@qht-gc@CYK
zW^b1kqmCs9Ei^YC1H@|y+_Tha!ohiA+6Mm<FpVUm`AHT?{*b`H$KF8fG(gRJUm20>
z3E7ue`t9~nLbv3+bN$BAB(<Pt3-cl<kzY2QandSR;~10d{55AU>_D{rmpI~xR>w|f
z93`8SiwoWmLwQ0h=08mY#xsmP6?+|?)d)sH)7(Uf2ms{FbFz$%X@C_t!wS4(wQY3u
zB`o*BB8*uwD7s+oHnxFDGDCKEW#)L^fL>*HfuR3ce{Z4g?*)Qp<chrhtOu6JqfOF@
zq!Q&m1{guFl5cYBBT9aXn3HQd*o_a~XrJb4={fL%NFQq#kvYy*3}&#A^`TzNzRC%w
zh(L&fAGV#7C-82>Nr=CA=EC3LlX-7T8O7$b#gVhJl`Vv+?F4s?8Q0jh3SgqJxzm?B
zQ$RUZ;%hqHGv!lnOzr*$v~7f(gU(zfiBY~=nl!rF+g$m{6p<NDY`n6cBgmgFKgb`p
z1Cx-9gY9bKeZU3`39XJ(*vQ`yoWCEA<c6@aGspw;vb|k+*#nzud9x*g<m>7klBS(a
z*v5%IicM79E3v`kg}m4G9Cc$6Y1k4j_#3r?fcUrf2=;%&{n(g9H4#7%sGZnd5!Z^H
z;00q1LWHk9x+Y@Kt)FeMPOx(sz-W^7zZ93+u?W>-d?oi4Gznw|8{mjR#-0G+lwSm`
z7h~GpggDXSy~82LL!nnRHugf$_irwrQ9R+Iq{ehhLjOaW3*+ehC@yB!{HN{rS?a~a
zK`-A1zc(;{Hcv`@C(9}1GW6%<@V_^FqIs%JpaO?z=Me2zh^~Ps%NPIO(f>`ypNRbb
zCFq7y(fn!U;s!GTf>}XvmDS@m4yefF{qI|tM6w%yub^_{&o3d$pA4<7w+ZT&`)XVY
zQ%^M8=E`;y`#F6q<7!!{!1|@>6~7ufQ+bxw2Ema7YELUiR2((e5?8BI-E|0)+)_qO
zBvM{_G34R75!s+mkvY{@`17Mr_fFQ-(aTmCs`;?Iq}hSu(x-@_dS!(uYE{Isk)&x0
zcy4oOx!+@lKjQN37<p+iUy5vM<SYynbJrm15pfG9BZ@iUoa>mj_?y)VfiHVg>>FUA
z%w-0GWau4`@!!{On{X@W(#=%MnU&L|5d1~t_yM9<A?AZqVP4AJa`QtkxY8MsQ5*bx
zr$=qr*ZpOWrxu#-RG9<Y?X{irNTR46@_1SQrkGRTqZ(1?pR%mTdgAd@XK4=%gA}gP
zROYp3Yyo@Z*9#@na?s_`UJ}RFiyckuUq?(ssn#V>Q*#Bj`uHq?l+yY{Mb|T4hQZjR
z?+Cr1niXoUTXEobS6V;Zz=LqR{TFKNE&hAkl42$UH_2-!3SP^I;$GaA2%=nKnRI{2
zi|?GHmCDi_PO)_R@iBuhcir=;@O5?QL#HIt30*Xv4u=nw5sZkSQ#yNO+&uGlDt)+S
zj`n1EG{dU9<ZrZ`+Angmt{HZ_ji+ij{PU=j#fv;Cl9*RPkURX#63RoK_9C_BjYsY7
zuKCQ{`(dTh3w}tn?Q`5mk;kN?r%l6agNTq3Xn{s2=CJ!~_V_jabrm}*S;|s@Li_gZ
zw>_RA;x4PbnfqgnJ!CjY$SbXyUfl`5WtO=jCS7P>+~^1|)b+N-Os6Ix^i9e@0w1+r
zc}{v*I!wqK-uxhqRe*-IzJj2dyyVJh9^_xvH!74x%z<%ap_pU76)GltJ=$N5UNH4@
z)2nW^!<T9q6%(O`h|)S^>s{#EO+<YgBZfJk()#XH*L>U--Fy+6ZaHE%9%`A1Ap01$
z$fW6#%g2!u5pa;huiu&1teH<l<CXnWbH&hwWa$sw%WbFN2+z~kIq4x&^*2kmO<0n2
z>u*{W+e`z)idp>-G!>CUAcU(ocpVy3J|(cf7N44(znBzy76D=piI$iVqE{!?V8;xG
zs!7k5E=dIPPWy6@$W^&;u9B}Dd&|cLA1PInoT*eTgxK?bKyT#gO<5ejVCyfG>U*ok
zREQOVs0$!kBMgq;y&*KlGO0u81DZ(^IEn)iZs%|Px+D{yI%vqQS0or}lhPc!6VO)W
zx~3VmEKCtRzIduX!sM+If_2-t?^r{4+0iRz5bhW}_li^e877RjDH=#lID_ct;L4Vb
z-a+(p{HU7qSVrgu5#O;M&=-~V6Bf4OX^7{X8lBKUnHQh@#nT<r`0k!}@&#Bh6h$@Q
zHd*EF7@xPy)b@@}nI4s@HV?PB`8$eSywmV9%DFqpiQ{h~h>7hpd5sX>lN-F8!ZUA?
zjpePb!B%aew7%5+=C?w*IQG(kJV4bgL|4$e>{HQJ<}&#KYI{l9$>6`f6T>A0f<-Tq
z=~WXeenev@JA6HF9vS`whHQw6k_^sZuo%(cvV0LOr9yPwTx+*a8Qoy8RPEdK{eURl
zd^&)iSvQ6JKfc~Ftm>_8`$Zb*p7f*<kW_(5hm=SO2r4BYAq^9xQ$i6YEz*M0Eg)S=
zcSuS|Pr4iSn67m{@BKb|AN$Mt;L-yf{}I<XuitqNvE-U$56a|ZF~dZ{w1f8K5TB~{
zsSU_}Z(t9cSZz_fp<nd^9P3u{w^|_-t|hxh==+nlwX=g3teRJYb}^S`1~lR?I6qm&
ze=VS^N5hYC@jERujfFuX88h4R1uz`7qG7J5ONmBqg9hrz476}Lu2T1_;@VF_^ouXv
zjhZ@eq6b#Qih79N-|Sd)$pYs*T2h;d^1iN2gn$zOG(u2dloU0=V33CBP{MQ5hh`Ea
z@y!a=7cIYSl4m}iPEyGSE5}@5PyUdtd%6F+Q+$XTvfWh?mNIW-NF>?&W_xgYr_?Bj
zuasFN>b{7#;*7}KTC(WYn+$>e38OcF$M|I$#m88l%Oh9RFGM7HMj@|c3+N%mVCD24
zK9MPp)9fx#aPbcsi#Cj_`}mg;TL<xRkFEpl_hk>q5DzRbw#mm_+j7<Cq(U}J(JVND
z1#X_2^nSEu{?!KM&A2R5<}zcBeDL`E0w=FcBD73?mN#O7JwboC(_-GjGsPppuEH#5
z$sGl2p^zE3R2ep^MKX*JFQm8JrjnfSClQ9@_Z4xsUi2M2CBh6Yi%{2Zn4Ah>(3lqP
z@EHA~1lo`?#yjvg?l%PCtS930A~VTFjU?<0ZgUvuoff(YAMiV714n+kl-~MS7j3zn
zH*R3fWV(rK$0Y*^3Iyx#k?e!y$K!OhwwSb-=E-cU`g-j|_2||RM4g~;nn34E*FFGF
z<%17;k2ZCIr)<etUm;uFE@N+!yX6L}o#@K|9M-DB09z?uU8N<L%_+WUzUF*h5C(fm
z_QzdRLG+wW&&C_$t}+9}n1jRJ(SXwCxBc^LcY$#Be&lHN?21U?1GeSwO5t4}oPzdE
z=rpx`|HE-q4VVmS0*-@_iDRsGHcFQ<;;s)<elhMcYy%tJPWggunuR9n8Td2;Df&aN
zdYK$;HJrJlci26oaY<a0#oN`9OAhIU*+eR{1{P3Ln}AU*_$xl`&~S)6{8qNQ3d2C%
z+744Tk&p&Ok+E5Pa=cN}Xjcw7G|{p9Quz5clw2@DXuZ~duz&2HUp!Ov6P#4duqsQw
z;QGNT>9woK!t!_9a|5S;9;I!SbN49biMcHHRYS*<jV!<T1edXX%S1CJxLsQ<AqIE-
zXL#@NVdllU@bZ|2z9n5s>P%6rxO$iP^DLn9Sd(236Ga5R4;*Fo5Ij?-7pPH3BHROR
z43gA+m5OnTrO&%^)RDWBvbaxGT33LG(vit|813BXIrAO+83N|LQoD-H%ogX^EEfhP
zul8e<Sb639#L_iD!ybph58dzgy1IXF+0;9Fm}5UzRGVJgF7uMRU@Q#mRT#J01ZuD|
z<+4dJ-)kza<44H3QZ>JE3`w(7saGPStsOgN`0k+k??B$1H14vTSI8i9VZ!8jZFT&e
z-;YvYYbTgeIm)=&q1PJ4Wj1dE0&NpxM@_x&HuRP+*{c>iR2@Bltb=_?#%k3jxv4t}
z3J(*yLvjy66ZnMvM7&%z@Ny9+?YTahI=%bj2c6aJ^%~l~ovgNQRId+UfvppyQzYm?
zTm6-RL4>1%`lQ*B_7!(L<)c58gIX*yHk|(B0l+=(VQY6#Zj*7bv@YRlw2G-7`;cKh
z2^?LBi%$`QPdIekY|1|FF3lN9b>@VxW!KEz$b2K>74kCMm^n~g>W9&NlOf%!A!Sx(
zpdb`lOlN+0ZtP;GjhzFjv6OQ@Q`~+V?4+QDaI7{7hL(71;0j~P5zens5ilwL`l*6c
z1~qeVu+FWt;6z;V%!nE4FY4v3f*gUNH{tpVe&t&O7weWX3dE7ZH?g}SeiuuuaHztX
z`=P$vKf@@W9i~LaJCy=X$kMSQ1b%B)Nw+dmV8A)GNcJtRal|1(Eg$roOZ<TG8ELk<
zQI6`4d!laG%2IXjGG9TyZN@mlx~g;M_Z6-!I+c0YVdn<!ZPZ?^-fupwTx7x%4#VaN
z938TI@X&#)T#E`baMVdVCM7tI`3OCoW`hvWj4fJL0%b%}oEK8oxN~XC&~-|cP$5oL
zj&qz=jyo6?{kQe(!edPP^MrF6N5}jN(dTX7gg&^9nb(%xcD-hfk5{hADoa0vrBW`@
zsh+Zq1^FpDwPeqtmS)G_<;Jv>kfMv9TTLg`x$=@7J_-vOzrJEpr^J8+ej&irn~8ay
zsPS>_`9hqKjWJ2_<Ijytv<f&)S!pB`^$vF5uQNj{sx{QLap>Jt9j2X18pySk#*zTa
z)jG=T7C3qbBTrsDaga1EB1Vd{SMp9pTbkE02OJ^nN;hQO1^+xNFf6==TEM!Je!927
zAY7yhDV(PNB{^QUTj<6SvdG{5fflUo1_T0eIXWBV4iicQET)eGNoe>0oe;nFv9^>p
zPN~%+G~8?+3skR2HU=gt9&AAM@paW5MBZ-=QRdqrx?7)un3TkX^W;C8nGW#WPVlCI
zr}(~=4@G2X){{Tt=6yQ*0o6#k3Rb}pJ9y0%CRhISGjWw|Q^T2M%#>3J&rYL~<WzJ~
zutE@9M~<*t=Z%hacH|B@KS%lKhQw7?RGu(bJln@T#Yj4`Bu*mf9A;%uP(W*5_DK+{
zvDx+=jw!`?qMM_&e!3A$Vs*bT=YZobhSYQLBVu9Y{k;#7gE-zwf3~4;sylf>W)CS0
z<VHPO-5uLYAB878UXfT)T#~9#m!VP#TTd?|ln8LZHl!w*s`<21!YzY<_0qg8`sUfR
zcv;bju+5aiMyen)Dq^<U)+Cf~ffiD~9H<O9G4fa=WDQOd0#NhJ&|$5d)JhW+1_WjX
zOycXUc=R%JJ)t7X+Bj{E*#YWrn8)$nA5uCfGamnNwjt;WUCSNeqxqCNx<KQ-a-QPQ
z#M%W($FnYs9ZeE&Xw>SDl3RM?LjRbad4KDL>xLZ{V|p$+Vd5xrG*2{jVe|Y8x#Kgo
zWgcP@Nn5et35As~O?kx_pBA;l!i3m(28-r2wKzSySURB@AYun6)oL%!O1!`NiGUWC
z3qMd6NCZFD(4^>=>9FnG?!cGGj1|#C(9N`XM3!S%N|rTlzy?2!j1^Ws7C&2ls+qfK
zO5L;Ov!H+p|KSgD>quS0D{&$HnF5=f<`m9b#Eh&K+k&pC8A@mIC`lfF-!NAvUv!BP
zh*9}8_(q*-$rXJiNIcD_zq+!PwDU*51HO!6<q5HNsMI|F;-9pq#`1~m1?eg8mQ~6p
zW8Mk}+Bf@m7m^QtIlObg+r%nj^fKFW5PmB&wZP)KJIY@u0WR07tPoMrpC_<JJjeLu
zSR4qrWvKyH9=037{yG*xBit%_y;a3$(l?ZxM3UG5+%>Reve;aL!h;35HjEY;gk(xP
z%o{R$6f-hqs#TmnSXgW}n-ZjphTjdy<~F%}B3(uCKutR|;C*JN3@_!^wMnEk0Sg?r
z#U(T_VvXQ@CYz`^NrvQmzwymu!)&6A#Z)KDN__TKNqXBm2R@kr*pHBCAbiRs*+f=7
z>4l))#~H~MKGUH4S#?m1a5tIl270rv30;Ja=yU~Y^rlIh>r0|afTqxsGszW>g^5ni
zWU;Bf)s9t8S)64SzxsyL&`*}vrVu5Uv*k_j68a9T0W|d)&s1ew<={wVq&e!SS64L>
z0|bSdfply}dE6!i86(-)4;xPBZ42DjhJ))*(a4m&ZlG{SSN(^_PGuXna5$Fko#&e+
zN}fduL3-Jc=Df?l@Fvif>UJ%e6X~C9D0=?07;IKbE^)cc4A|Ku-qiru<Z_<0>L}lg
zW^kNsm$Ulza@YhE7PQ!EF^P84cnqtJw1j$f!cP20hc<YtqJ-Q4^VJH8gM-SM20CF@
zj;fpoH8ZB!YTC<%+(1t<zlKO&YJB<)xp^5grz$qg5%IO*fG^^ifgbxBq%-a9cbug2
zyo%5=9CQ^c@dDgC>rXHvDTFYm>jXHHq3=nU`&pg}360WV1cZqZH(5B;XumQ&N6#W`
zXgQ&rlUg26n(QF<iMBQDiE1t^X<|k%P^aM~H)#Ki%UNszp$0R`?E1D&EujnzRmd%M
zZ`$zBL1UgQaPH>g9%3JY1g2Waukwi>WaQ<O?8vNpD6@&J26K$DK!=!y0JBo<A2oy<
zjY!&K-0@GC0ILBX>7BHGX3eVy&pQ?WqnG^aBEY~Do0y3CnSi6sfN*!&{g_NQEFRKF
zRZfcgkIx|3xcp^S;y*nyO)QfF{w_bU7wlEb_vw@Gngd1xXf^*!jfo8TPpkf)zX%lG
zsVM~-T~}|KeiF(ZizYVO<~&A>7HA_E|4J#MdLHOB^WRk?uMW*ZdfoxjzJrg(z3%t_
zmqg>pYw;!ciqFy3sg``vRrX|mQ3QjKCR6yR?8PWv0K(GeI^S34<~!HM3<GZPW4hd5
zHA2d%oQ;=7Tjg`tiZ6NkogDxu+@7>^ef1y7<?<DfTtsgg9KG$+AMpzp|2>QvKqJn!
z5B{r?^vSkHak}Ro`-@Ob)&AT$+YLM0F7`yB(qFZGTcB-u>9yS_eA}vVLD2}??Conf
zqXkj8%M`o39pG>83ssZ=k|4!&2d;&z=qwwNx^Vv0q%Y-PIJ|R6D&&4>a3xCiai@GS
zAxYyVedbcbfRog`3bgjC?B5d-POf>V-^46ON@PV<PJ1M_!Xr7her>Q#@2r_c)XtqB
z7XF+vrgy5DqJ2#ZHzg=8JBGat_5}C5p<IVpjz@GEmuDigadCTsb3inj!ATv4k{#?x
z70-Pts&1^@sZU1H^4>W}c@=3Mvz!f5CE6{R_aC;Vkj*D)8@$-KM|i18w}3VPm-EHU
zmrXl5D>&D>TKrt-;tnNwU<Y04wqb*(T^tzOj*X3%O4c&GG)wpH7U=zt+JJ#&*({9#
z)D&vvR8))px$XGuGuvO>HI3ICcL|4cfj5DjRInq>C(?<jKgL}i<K=p=%Rt42-$8<t
z&y@HM%GM!tLm0$}V-B<$jom}0#s~buR-;ynjVSas{n4MmA+w0y&C<5Gy2IkVkORT_
zsf|;kVhvpDWq&E@z4`;f&(5v&XKtM;oYVU}#pZyCG>{i~msAR++K7A2G!91?DE!p<
zf%#^jpoGRJh%vyw0bEoS8${7ZdR)bpG+%=okr{iaRVp1*l6@QvP%2g|+I!!$LcJk%
z3Rg1cnk(m_jKww{if&$qk|QhL7pZ&KKKxAf_2WPkDmd319_XG}pRmwq+YQwJBP<F?
zh8K&~haa@ly>V0TL|7Pdf~wE@H22y`Yr96A1ULDCCKfIzszgjONb~klc7cr`-G8)~
z@on#IkHwufChw037>d>3u&c-G*DuN@A{A6192+AMB_z@M(loA;`r(;FKhnjSFkqL`
zB2$XY3g@F$$%(<!7b*%Qk;DZHZ*jS%-cfpX$5RaZ^A?bV-F@&IY}$8305w9eN|ggY
zu&b8mcx11XP3#yf7UL9qw<@@|V2o?UpyN<{8pS}E;|~IkC`g{bG)(w$nAL(oa6AjE
z+6$aRiT*G}S)%s7G&65vgO-y%k*SF=g$2LCtsh2RKI$~inRbB6K%>#T!P6|MkT9(X
zELR;FD_Vcn2aO7^&#RQk7Fzss8n8;6K7{{>zoPJ{X=N&VCSj|(n&D(>`tkr6kP;Du
z-`dC?@mez+uf6o0;|pa}^y4^LcOM(80^RAX4(^1}b@+7#x@>=0)@P}>!wMlc1de%Z
zCw&-GvE4-e{orbFwerCX?x#465=dZACCNqO+J8}bKt0WRx;;B?#1A^6FwZ;V6^9;x
zeU%dz=9l+%X#l8Hh%YQ(!+53WryNqvWAU-PG5MZq>a^=j3-I1N`vY<5o9=Fr<FkYL
zZsSj0uxLt}M6ZO63<ywt_+{jW(Kbu}=69#(QJsJr_sG|=tuYpKn#211r^3DQ0Lx{{
z3kozQv2Kwu75{~jVg$b5&hGaRnXzg_S5xQ*WQ{UCDLsED743J5JmH(wrhRFKdZ;!I
z%R5iDH^6gau8k9f<8}(nYq!-In^^rKHJR{m#ZFpin1e|y$t`3rGI}L6aEG+KUp<<7
zJi=7zCcdS{riFmv%Yqt!nzch3Kx%12{ahaaf>OGjliI)9iY9d$Om0_0sdw)@oa+Hc
z?Qi03y#lR>VN<&9!zgJLiYZ_Vvz*>8=h5Pdpkw)^sn}I9q21O1W&B@)&aeLwbo^Cv
zOLY-N0SFq#{Co|6o75xLyU9R1W^Pg#HhCdrDs@y>qMBg2zX?1!hgd#K9<C665E<Al
zw`M|cYWex0qp}2jBHkIGgG$Gei&E7l6n;NWx%s^30r)LQI;iMG(+dJdnQyRsf@XD&
zGPBd)mbI~|C4cS^xVDnsUM+uQj0bkIJ2HdPt@@xk%Rq;Ax*YWz^Ja)??SQKB;o9!z
zK+Fn*=?ku{nZ@3U2r+D*?t@8ex!))(=_NBf%yHS!TAJlqUApHdElYYj{vfq2zuvO0
zoiJPWE424@V&Iz_iXJXKA@Hd<A`++FUp$`JRf%2prEXXMGWqS@ED1?x#wvTmC(~k`
z<r<_i1Ba8*OW8<g>+EczpveART<E?KAnZ{#6@5)IT1sVxs{4D=gy1{p=oo%)Qbo>F
z#Ie|Zq^Rka`Gw39=PC@5xSm{Xzj2q8PK+1ar#?gCsxiyO7pBQbVC7Y4W)rDNW6*r&
zo9u79A>t6^6lwV@=e(V{JChZs6;UtDEO9z}q2lpbChXPj-B2_OS%cy+9d5OJcmoqp
z5to9bhW|QwhLI&6*Rv_dTRaS%VxG8xSSx8|(cT(MGr%nne|Revjp)7cqVQSSX?mCp
zF2P5y_NdiPbOfeCdg;UWc(}u#hpUZE^#?iB{8MYU%?epiUcY?Qk`!=D88v-PWfw}`
z8T<+H&vMi`)PN<h=BUTZN3Z6mHhCJm3TjPtRelhe3*>70_tW5RMM&LMkR<C0J17-Z
zP9-}K-bz7;Qvdc$7Ic64{-V;(ZBrpw;kYpu1}?x8Dpls&E;_`<Vbte_5OGSI5u_&u
zCRKD=;-O7QjduKMJ}X>b%Wxj^N6+!5v_HZNCvz7suT7@;P7vXNu9MzVl<0$(x7f=N
zRKbzg*3Ewtm2#XRolNPD{j40eAx2lvN0i1M16z7C@72vd-c{0e1X`Xt1yS1>rMLf>
zlPM;0a(?L}c~zB!SPk9iIxYcsymzAuE-d(^?Mp;?Nu_jO7SdJ9dmNDO_#Cq!N{LM*
z@$Bu?1Va5~LAz4j<dOQC+`-s<_S#Ch6~Q#d-qwtEdq7MX^>{{U&iyVWm*f!h_Eggj
zuyMAl60xBdC;?5eO_?^rWhaEUHpE*P$f3>8?8id3^nxAtFMmXv5(steUJyRB@2=oU
z9aRY<ZB@f_IoiSU;aaz}*c8o^_bRE7#XqD}H<3f)9+8s3o(xF?P?-ztjztI51r^>J
zMsjmTU6$(Kx~_SxXGz=N4)!;Ge&Gmp;-Gq>&fuKrWQ9gV)lW9Pqfel`g1*#y@XFJx
z%rmu)Kc7ezIqyhKl+k?s(n)R2-E>pu>*InALK1xiPov?2q!m@!w1TKn)AY&;L;UC`
z9ds6W>eVcxv4i(hu(53eMq9pHlEh9g+{hyZX!fLe@Kn%sU~e}dCpFH<`uzdFJs;){
z><gtU_h&w?I9NHBfb7|A;vt++iK#h<b4;}&J;7G@5SamWjJy&qSBgvstcRBLQ&cR!
z4Z~#~VvDvU!3<x(L@+mU_9Av$Xq$)ba#0c#1MMgbo)92AAMVPmefmP_8}R_=4Mw(;
zbDS7+s_22j63RxTF}Ps?Q40QaKp;I#l9hniZxx0NjD|W6a4W|}L<jgnwck<-A7f?l
zkEOt3e5u+aV_}yX`VXGZU(TL6BZK?njx-Q3!rOroPfsr2R)op+-H_}mn5_6Ei0<Gn
z%2`<+vTE_EBo!+$TBH(7Sd}4QYi`KCKb@c<->kx!ALGrYBG#A{*=Qw4x9|;kgt_Gb
z4l>hqpQ`froYvn-{~Ans*3z)U`s}B|eevMuFz3lb$bR(8#lY@~5@Ka-%nN&c2Y{sL
zX56eO7MT9o=ogAy0v7b5&?FUx=Ic7S;m5di$mW}uJ~MkuaS(*W6IabQesUdQ6so>;
zKz|GzH4xRtF^g|V>PnEOzoy0e10{@6FcfVeLEsC#W9Bsdyxz1l%8|%ag?=|<wpd5=
z-uw7bQY3Gux8Rvz@DIR#t|q08eAUy8M07n%TR&$NlnU!-b`I4vZEBZ#mO^<$FyV&v
zC`y6^zIyfit{6NlLbk+NJ6##cb#4F=zmvD957FjyeMMS(4LYp>vWQh=T2t7dn<2U&
zp;r2h!Jm582>dUpJRe3|GV^8o7i46S6jix`I08&nQ(x~+v+kcfyw3vM%ys{2U8QeP
z`!&|YH=095Xj59^k<Hf{ZNw@!8@#ywg3%}>TNmYh+~vs5Zw`wt3DI?zTYDV?3&vX1
zL5#PkFlcNmSxIBOCXIy!yHKVmVTKb-UGo3xh^=tG`vGl`fr7Jf;$@62r9p0XI?$Xx
zM7BiLpWo*QX-!l8JSM8uB^|3D<0UBdgVi*g&$PtT*&C+%A%!bm5sB9M;U$YeS^vYN
zrzuo%cQ$<tIj;p~Cr+M?yWQOmT8vrhZrOGGI@duyB!2%QNpN7|rN(yg1(W9EY@&Hr
zS~7|ey?6hVLPF87Okpgpb0wM{S)>jjrbqGi+54^7xV_r4hSZI-boO5H*6*5AH7VJV
z0<%f{F>&a?mY8H$jeucwP)c?$pf^_D_cPXE23k1nCk&dHhpg(Y+J9%79crc_j0ZNd
z)%$D8TcTlH?ybUj(JVcpy;s009J*H=0~5$%56`sTY3zW@$>9TinA>|NJMsqmi(Fd;
z_hX;1xI8c@MS)LV-*)T(O^YhJQC?x-a)=PxOwS_N5n7$zQReQn6e>Mv&_s0(2v~L=
zvS?$*Nhrn<0+M12i&QCjI88KBv{_2!tQ(`ByIeLMic|QEeR>lzL*V^+Le!V|EPFuo
zZ5~zD$1<58xTI{`jxG*qSkFI1$S4aKAu@qzveRmV1&xc2-MXw0-^Npp=;Z!wSMjQX
zIw2m?(2t(i_MJ(}iA-p~O=+s(RV4Rur*`C3?;6AB*WPNLG*b*L@k`4QgnEogwlwd%
zAVF*#!;u@lHbEuj{-*9TUEH_u22=H4*_vVMQ0B?g4Jv*M|4fW^#ruH)bU%>fuqXZ*
ze%WP(>%lTuGKkgu^rk`1iBDa>3=j(j$oi}Z{LIuI73A7tYEc(&Sn2nc^&-*M3H&>G
zv3$XUt7oA602hI)u5bmm;dbVZUoXW!OziAW<lRfw8=?!KI6JB@e(KT}PZ&9RE2WPp
z87phx{Vllx1#KKGe+++SO>P2^SOShG%vfOX+XnWkFpe9d;}5!L<`$ne*!|@b5wM4B
z*@PG2T3jzy9rn{~e1ycfxX6xS2a-hGTMxA-pm5hWO!EY0qhxx$OFAa=T3iHfQ#2;?
zZ|)@o1%FepGd+DHX5K)R1##piT?{ibkM*fdK`Iz*V@1n2?}LHQw!JH4%smtR<gMsc
z_?W@KJ^pb6C|uNca7Q*7K{@BLEZRvbUw7^UHPq}6m-=}4=aH1+t%a5^WRqp=UF7%&
z>fwK09VP9g@H)#Z?c3LTRf10CBKDcyVP;19moioaOw~uu@;1p~)V+lJsG=Wt|HaV(
zwTj@Kr%)UriASmKaZb$NTmW_GQ=cWm47U=WWvDUD%x24LOAz;+-pMaGIC+?n?}CIj
z*(a7gr0aOT>F%+q^XYNH+6S3;m!3xB1!Ak+A&N-0g-3-i<@a?0O`6-)Z%$)JX}XB%
zaj>N^bsvs~;zHF|pMBe+lbH=~R8>hw57RMuG5>;Zv|Bvsx0AWgQO0m|RzH_6$1}}G
zG<p;?ehU4g=k(`con-CvfyeSsjGs;g<jb$A$=+bfrO_cT<Nap4Y&msqh1pmb6%`Of
zr-_y*6oYd>rZNULy;D_}{#jAI7|A4FD^UQ}W)na6%VNwib>uzo|8SM)3u@8)9~S*2
zS)@t0{<>NI%j2SH3f&=kPN=L81CmYFW1y0wEC>JdM+0oo)+tqO&4@5NJ#rjsK#<CR
z|Ifd|PagUI266z7gZ#lb4O5R~9&x2N*2hK=*3U4Pi%9Qf|Gw_67`i@>Zlmw(SZA^D
zJH~KmGE0o8`)&W`lvFBFqS*Dn`JAfdP@~lsgL4hHNzTPwQ+Wr@PxH+s6K*jV1VDBc
zjXzq7Jofu0TOHrz6|szLHXInJ)QXa1v?J{_Ex^e;_>tIDX?Q$6C(4t?N(9&w0?RAT
z$$gDF^W36u-TCcFKqshw=j7YOwDr4cM7?SSwlNiU=Y;b_64(YJHsZvWvSY;(8}&B9
z1)$vlWqG-LR&n&J`Z(2nk>G5p(UPF<+ma+GVaq&{7>;LpF3(Z)4T{&72MW5_uq}Xq
z79?Z5(xqHK7ByUBUzUs-<VOul`Pu<sC*ld7=u;-mlb&`BuJ`^ZCdaqkZ|vpr*r!h?
zVq3mID!T0K-~4W|GQvjBThMCCTlFu#Gh{3|ux?yF6K#1|<|e+Q{k?xL;Qw;Y=nDEI
z{t}ZubT1*nJ=Yu@z&n58ndDRwi$k1uGO_OYBRZs!R>~>HSpN9V0GtYA$<nEB?ls^B
zrcpQsn{^7H%QH8edn%+F^A)4+6D=i<$wZv|2hw@x)pTpz$g;ZclObi5Ld0@Cs-!?Q
z@0SzHkV<Q{Q20BQ5mXq)U)#oUR}Mj2idAX>2sEkh#mefKxXn{!TbSFhyQtx|Zn#Kj
zmU650WW!;27#jS{zDBoP)f?CcAq=gPH*E8Ncs>3iI~$^$z8^eylTkJokkRp1dntQ|
z^4BX)0#kuV6F+=jgf&Of%G(|AFdqh9oCw*$woSyhE32KD=!t{TJIqdk>XH%{8lu+S
z-G&((`k8*z?Kf##=1Hkuh^nCFxwY1;P68Kv&v&V<RCl|HRQI33tbxZ8|06143x=vm
z9<N&x29C-`GGDx?LPEyj(FO_ux+&#q8!1fZbx(0IeYn<EF_Wt%r>Z838!9IXbsIX=
zJNUe4)kS}hrMD!tl?W8?O`|$*X9l8s2(fzV0--FX^cHL0HLFAWwc3>Z!l)9}UuHBY
zx~<*oOAM@+oHt)D_AaTJ81ahl4Te^`F1y(+{O1j1DyfUu1o!mb7+-ftzxLTxEE2Jd
ze^3+h(gui<E7=co8tQ1H`9ao8uHJB~;QG%*n+>iM+_3m1+7o_w@9b#}zhipLLIeT^
zd<`bfMLo=+`+VGatfK}6Q4>-MYb1h|nsWQQI83xW8KRHt=YXEnl`mPaTUgI&0X#nM
zYDo!YYC`0YB+Q6H-0BHe;d80Kl9Honv`C7|`IjX(g(<96SK!5ienJZ@($fyLWY+Lv
zbo<_LSlyJIn7qH@;27rgElCHLlUL%srs+AM*^+-+$E3~cLhHl6?~^XQPa&s`XNq)m
zLy$}2+SCc2nt?m=eBZX*wg{jY$Rge&*hW8{tvHeQNaZJ*rM(#@-?)v!Zs8^Lc5ZW=
zXt!@8%^Qjd0Ogk(3=Q;kLm4m@8+L%Cc0F9RKjEZ}Gsz}|^C$E*U6l<X-d1+xIq%NE
z(p2RWrVL(8jWw9;P1ru~8s>sQV84QrET%I`6H=6>2jtFx!{pHf&{)l9Lic<@1P(&}
zP)2vaIKOb^W0TGmeJ<1-vZIbn0k$w~X5w>0kFl3ScqNwy#w#$BB#T7(l`9va9d#fn
znK3>y+k!_}n$8)YG~e6%eROVKKACSnJG8}h^_!C6XKUSw$dE2j{Co1b%mN6Wf3+I%
zGWKdH{rPEQA~@d`w>GlTOi9c11Rp=P)+e_|9~^;P9kpSY*!Vm)SZ)=-DMa_-@isL!
zN=CB`QvC2W%Nbl>c}$_sC7!V`E;kmV3He^Cyf29c3E_p8z^E#PB1~`izX=Ftd?%KB
zAM@g6I6I*{VHP#()TARz*=aA-#19UfK`RY(w0RhiQwT;^n)7UG7XwcDg>}w>SQ4VS
zg)_yfr>K<0PKkn!oFUo>oJ<fL1zI(5GAd*;H$k+Xsx{Kd2j$-7xL7h!@OLT!g5E2M
z#G*iu*<vDZ&-mJYG~&C%JFRiR#jW^hB9y9j$_%44^@ydZ;=eqzq$#;-@_RmVe_Y7i
zrZ<9<fRzB}Pu`pl`?x{8Wz{yc>G@7+7OC#|YI)CxoluQWFRtAOuw<ETpHG%#UP#!4
z<jPKIGK#As>0K}J6pc+TAN!tB0<8!?k5#JRUS81lq7*P)y+D0?u6^Eh@a^CAZ#u0Q
zRC!iZt~(r3EsQYMbe|X;L7En3A=Z#E6x9<{h+O4=sOQpWobOAdLn0L6p5nGbNzdqP
zkl8box`e}9t=@bLX8;@f_`>f#=|!tEA3l1o_sq$?UA;TMH6#J>b{y}XxDng+s-WFN
zsWj`*{V9C(h*(n1c*Hp4`uHQX;By3)kUv&C05g(bYyjyB5mY-%0%tJuNM;acAFpNf
zh=WV*LVrt*S`>OJGX$sH(o*`<r)`d*ny>*uQ-6ji387?)3Ajs<7qrjeL`680w;_d%
z?>)ESFq$~JP=_f1_kIdg2P>v3gR|peUSQ@}W4zgPxz4$30Ox#42G6D^huxm^Q}Re@
z!&X6-dbUB`a1trge{EGQ`{Bgu%h{{@Y}om>**G!>!0%{>hKUd?;mmnS|8)<M_aSWS
z%=WW*$8FSO{)$Zn#9SHYJ9nt#z5uZaBJ|DFY58eM1=qkgx&hUy)@UVsvdYVyG`v75
zox=*_HmjE`hq#aTS4J&?V$t@Cm%~9>jo??@XmnaU0(MEX`Vu%WX~$Qt4qdXw;DOhq
zO9o8F$O_C<6+i0F<zdKHtDeG+wI@_|m%=q4-?)tp7{4oA`PAeJ7U^wmrGY&8CQhDJ
zh36!{HH}g;96sE+e_{{fXO=1{<_t?Tu#<~uR~ddrYR?)X2qkkOhpFEcwjURi`%9E>
zD&L8C^4SV&vJ*s79A~na={`i39&ziI;&l?rn~_)mr-&cMI1|W5<Gh;^FQ3Fmkq1b3
zxn<l9)gF~>B6Zv*_H{B3&RkB_+)dQFEA%{&_VBoL50=j=B-7J!b)8UOC1O$?AkS=#
zV98auJH*lDFnK+OrotfQ^7}xfnU?(XQ`~7Y=aYe;jv3p_6@b4zGf`)tH@uen6%R2k
z9Gs^Y7s%j>($f9NhA02RHaijw_O?|^ob=%}j%Vry=YV}g#>d#X@_prdXhXcqz9+mS
zhnb(#&mtBT8~GggXH(<fTQ*)~NdVza)~^ugM6S4OuT+s%0|4U@S$lAeP6hEMxbJD0
zvzGosJ#C*?*7BVDO$%2?SWj-p3>Qx!u2A~ZgUc`7HpOR;#s>nh6_F;f9OGg3vee`a
zx?rruXEbgWUaz>)E2Z#NO_g>sH`W=Y6Fhi+zhC?v1A9XqHyy}d0+~GpvdFlddymco
z8H5_K-VLNEa&{^zYAc;EP|y@`YvZ`hPA-v|NWaYEqCPgLElWpGLAD{Um$XlTk4_Og
zyuxJ6By7^9Ly}4;hln{LSXV5l=bby4qa$YfF)+Cc0n@#khk$x(Vr8RUSoQQ#VW8)o
z0_HE1AP=^gp%Tun(p##P%rP(m-=%Kpk?X6Hng@4+o<uBmnQuD#d*g=3gg3HuXPB4>
zJUC4&m1^~V?O)IKR)s9|O<6R|Gga4w<PD3Vy2Bq~JKk{vgr$h0W^b1Rv+_t;?9J~3
z`SH-tzHVo&R;!p&a=#{R0_s^cP^VJp4PMVHX^ESh?8rl2Wrj|d^C$s_s^wk2YoDxf
zc;0o_&eHlojO$kubBhtP*_^jem}zdtB>eKqKfS&lK61$jh=xscyqytcoHUR^jq_;K
zY8mC5ooyw7Ir6)z-_p*vwS9ypZO24+xZL6nw_|K^!33lZEKEoq#gn-$H@qv2<MqZ~
zN$UaVlb8GCcI)4dh6PJ_Ojr~(pB6{!<CfpzsFitkiuQAU0P!R=-UOCRZb<cMv<Bq<
zNnpMofCx4|Y?l29Ar&%EVaW6`X|dL*;?`^rkk`@7#l6Ehj22v;7D+U~N)R`8xm5k!
zZY~pyFXHZIrg{~9`P35tFKybzXcBi&klEkLCc<P;yJy#3mB_}V`>7+(?UXHC`?&;a
zGRqQ?JAP&~i)`qXaQSmdO^pQvTf_b79!|BxBKgU=2Gn%UNcSmUbT9lacG}zM0^elI
zj?7X9Gnjj2RAq1tZkX@4FYa+(!Io;Et{v*6%BH`N>rLNilh&kT(0AW&{akFYS((B1
zItG@4!Pxzk+%=R=sjSp0gcS@_mwAQmVtv+x)^OdUa%LcC8{?Kgv)ATqwx_73G4N;m
ztd~e=Fm8HK{!_4~3UE+k??<&P3iFjy0bLZDXz}IV6(6An?`D9!U`$s7g|#e%UQxn>
zLMX-er?nh`BFw~8nE~66>~=^qgQM+0ptd~J1@y2k5Yu6Hgb)LG49u2ukybfIY+YRd
z&cYdT6G>8uoy3*2#i>@j8u7ioL~xS&*nzC5%Hm?{O1SIScj`rX$>EgjRJPZTA~lrS
zJHxe20n)^N^21H0#Kl@HE`^FhWb=vzpn$Ec(T;NTj)C&m?)>DaLe_FBl4PV6iR<x3
z^iE(|Nd&{&QLQv~1nk4palCUSgr%J~-T;~Fs~Qys|HYP8<?{Pk=PpRA|I9^gglWAz
za=sH$$7_J;Phl7V3lNLYA*t*O>Y_435|t(YXDC@Gw2*c9sG+nm<|@zc)Q4J1HQ(&{
zGFOK2(bX0&?y|a#eP@W6i%83*&dci7*NukV!!(TuR*n|CK5OzGSZ592>u*${#a#3S
zcA03zy8&}z4VCwCxS!Riv_pTS#D&f~YMYOmMLl6EcA;lYpKJp92AgrM-7i~K<_wKz
z^##KHwg$~Z^H*;iy7w*t0+k;F)AkuXPCDN9;?luPq4Yp1EUCL`cO+?HW7_qYk5t^C
zbw9w=#&M1~Sz>Uack=g%*^kFb(X9#{R6mp+!tDAb!od?q!1K(!GbhSQi9*FLo9JTb
zInd{Kb)VjwNw#d!8*wNMW|lvEZLb~b9x#a=OeBO2M5qxwQN{0L5A0}IH{V*kSc6k3
zGst}n)kq1ZFRu)7JE_;QN!@se++|4GP*Ltz2n_mTno;wg`JU%@=MSS#8~j{_Rvhe~
z5|5y8+UjER!zk!L_bFK#`&zGecH|4ow4Q@Wz8^2bwe+sulYK%Rh!o&J<ONkL0(L0u
zm&6lpqD1YrH2r57k4-W}0=k7Z-5gUSd2uXC>y@@el0t!R9dzwKs&y3d;@>?xkl{;H
z9m{|A>~|4Z`?u;y)dPwejuHt~#+|;0Fp<d_3snu_9dW?_*|{Z7R-2krTD%Yb_-oE&
z6DVL2w!2>*QT~3WjQ?5BIU1%uEZ`_9e7}j`U;U2LIpxknOoFZ`i9OP01hY1$$}g3#
z?r}-VNadrU>5h*k%xRb61iCB{P`q*&tX|wJ_AD)z8QD=*O6Wg&tCMuU)vZ>}Z+P~Q
z5F^PQCwSi@I1VLIi9?x;BD;#Iv~hq$wVy!05V6?eRF?*!`V%=8h*GF{Pq+fK7v7o&
zuXfseet)Tei&6yTiFlfD?Bw*kKPMrzRy|ioWiv-K;>_xzLSt8bPs(LbcMZi?f>T4x
zUs|)R#jQ8FvLp9-14i)-IoFtE)38#Z5|0K^*kon@no4VZmu0*D!xEC3Ho-gqM&3cK
z9PLAwjB?b<S&>1MzFBi&*V<B_<$sVWV{V0t*IYo$=2Ui-gn#Ah<X#LYBg$h%64pr3
z*jCx3xMPZ|`nf-RK%uRK#Fy2hq`_ap=nAnm=2Uc@9E3A0m#O%83l`ThI+-`9FzB}D
zhmWeXVu(GXi^)l#yhl4Kyd*+_C<r(y=K7T|_I91gF9xP`CW}eJxpq(WXHb1b_j9&A
zGLuax6IaOFXC9%NKUCmfYyK)&j&VZzqwSr?bz9rd1-<>?Z965{CF%0xD(9Rxpc*rv
zfxQzWli4kWP48OVZ@Xk)TMhXKf2yr`=8Dd<uYlAExO$R$pl&a&8c*oPSGrbw@|Le4
zz~-pwP_Vl=VL$4G8;Z)o$T&wpSPAI^WY8>wX5f&Qg<-K7X_OD<j;T>7Qg>w*G|nLG
zB{k;r`iV$#9}+9Je<-EEQGhWmm9Z*(LfBSu#nL$d+NmJpuk*}}B9Gs@PUN|v_XX%`
zLX}fPz<)`gm&5XJ>7>vD(549{SvAPEkrOO5;76D$dGI~m*Ya#klgSWd{x9+DFADYd
zulNu8^bZIni(FIs=IlE0a#FnO>==k!sTEs~eEmRL%hW{9tAs+~)p_yDQ=|-ZNsMP0
zX4%}QA)z8Ph8UxzxwiB>u=^FO`nd`HT;Ki_^{?}{FTqAnBFQE)=nzZyDS{_I2YHT8
zMiL$L`-W~aLI>7lX7OXuKf<j?GP6+WC)3v8cdd$DJxUPYkC6IhziN1UTx_=Rc}c8o
zQ&yB9(syH|f?GoreT;vAdB8eV*#B5;_xoajUINOWW?u7G?NY1(YSEoDp94Y>)ySyL
z|1q3FeC9y>g)NY;kO#cC#-@w|{uP5#{diGnl^M~p)lV@3)BxGCcn!=@)hH6{@kfz4
zf$c8E>xrE7`?#Et95~>q%Bg)Xtz}i}kgnJ1S0m{`qj~5$B@&?$IdGyF|LnKIP3H{(
zC=%yzT=!&VW88|r+muW8mGj+}5x>)^OQQ?=u{Nm3*ZMO$uPf;$$p84TLaqz3A0sgV
zdDN}W1mnHYCqfCCtU;(TqygwQ0KOi59HUCMe+5Dx?)}v*Y(dlw9nt>Ew7n%tGjS{t
zxw&X^`$hS53S}$P3q}P5)48o0R>E2&Ha_}VPN#)3q?yZf?5zRXM=wn9-Xw?i8>-CT
z0?m*p6d8lcJbvyMoAAK?nEpUlsnMZvsQu=omp$S}7PxBJPsC7>D8GwS2@lu2UR|Y{
zH1r2V<l1@=d2Elund-I!tgmYZj{)_<GM?lfnvxautlG|!1fq1b{u;Q$=CWrpk`-y}
zegVeoFgX_UWzz=S&FrmJj_#*o`^V!pue@Bvf2>^ZF0#aKpln;O{bZ4awdb_(>oi!J
z<F*I>9xoxW-)<&zq7mo$0!XeIu~g{GyQ0iByuk$mRO-{~GkzDt^4{{EA?j-}nu8~^
zZ$<_)Ul%q+?iD^@a98e7O)E>$wbWx3s;|>gL@=#OSqz5Wk}W|l>M#Wbw4?jf<HJ<T
zo-SXQ=SM*g&Qs_bjWY6;85}|4)(4fAzXXb)01X8YzD$2>h^G!<Ew0a#tAAV8(;q^4
zvQQ2-I?;X4>8p8rFx~|DsH|v^*rQT@Lbm8UZRl3X!!c(E3F+ahmLQVZ=hcg@d73Cs
zESx5Ocr0Exo`G-M*=N?rSxtKKSP(gt-8BqCvm<X$6Z6qY-wN$(`w8dNFL8kib3ad$
zPjec~d!4rv2~5k=zSX~%VJ9Ff`Z+N5w7W4+1#Ov)UVXaA`ILzA(nUx~pmJosu17rs
zDo7Qj-ZPpQnN9bGe)=ynu6>meUQr<Q$MoLfpag(hsOa)4hPex-0N|s(+ZoD~lsE}&
zX9`HfhIw=h44|pCd(Y_!tLAyje#C?XbwEBBrGp^Z?Caa3#eSF`2^~a=MH^(U<Dg?I
zauczKJgITqyc-gcMI5$-1bIag_}czEE)mO{unOAfh2LL<0xxq<?gU8@;Ckvpa?T+H
z_qaP34F|Q}HE_>y%KKm@jjzt^9--@k3;a~O!Y;DuI(?63r3qeV7b}DkO;D8NN_tM?
zQPo~Du%X?#(;=xU*3v-;v4WrzH=g+Zj}eFi*-|3tf2XIiRYn@nFG$;a`g+)zX&B9}
z|23p2W!<jQ2WRmHrE_*-UhgO2MPKB>U&(zfF4Q}}@65rDNx&nfc7B~?-W+@dQ-L1V
zJ+oBCHP5o;83J85cdShi{$><Xqz7SoVQG;jC^x+MP!TzJ9p!givv&jJ{rgK_LAJ^S
z&@el%#<-YKN9)hBEQcoU``aS3-uMHRaZbFe<4I$|1Ur0jq)SRo8Z?KdGJ^&CqGNEm
zHYJ&Hy3dhho4Qw0G)UIYda2cr66#z<?NFc@`yhe`qjT8qwB6<jYLzBtbP;Yc1rLLY
zDWfu(ubrn<G6{J43#a~siR0E}T}BKvaS^z-u2Yqe7mkY|h~w{q&Gg$(R2~U}1(o1)
zR)Ool&U*=%LA{O50^Yab^f^BW4btGiX{wUcS2f$Nf}S~d1Vee34s=ICXKymdfTbe5
zi#2{8u&N*9+GsNP@$Rk|G5)ULQf6>IF7@oafjmn4krIYh*+k2ZdBxgUA>pQ@jf2Pv
zAGt<hG$FjsKN21`_B=>9*yu&dg}769<L+n8<q(_;K-Y9VQjoCB1=frWLM<h{<9y$A
zf+JFMqjZ<HaeN*2yf(Dv@Vx<o?(6Xv$t&`Z`%}2L;BMvPXF(GiT<i%Jb4S>BMeag^
zMSpt_<clsi-S^MZhO8A5-Bthl@j3slr&ZsZpfY3&6%qYgkh0s-Z2slPQ~Hf%TzizW
z?%6nNR5=LtSsM70X1lJ^U5bT?T0%AbXjw_*4BuyM8;;I;CApzFk=QKmza}%Vf|ppB
z;n4Pa<C!6|`}i-_wn`N7Wx*Z=x~TCWRTg`|jBW$)5dwOTMQj?xYFtjGruF+vgbQ$z
zW(~PnJEJ_)h1S~qGoCIx<!=OsMEMtsC@`>36rB4AjVd8L?D`3f`B9D3{ySd8SHfOf
zrdP2-sBmz~KsHiJBGQ63e8)g1u8Ap`?~-2rv2419^JzfWE&tQvsGp)<YP2fj8!W-E
z?$O@7q$8+_bj4`ZnY>YxR0M{DvgKF6tO&U=V36Gp97G-dl6TtlxRucxz~{zLk7mJ4
zlVJO{{Ns#Y4?hpX3g0)h7u==J4PB*1uWi18#wBz>OogHSVZgWc?|qMvOXEqpfdo6n
ziT~GRCe-H4*r3u<TK}IfnfC9OJXqsQr^P-IV=dl$4Y7Rd^J_^S6&SjbuEPDZ0R=Z4
z;aZiS#Kv)p*?%I3C?D!stC#MysKp8(;Y3SHod<v7SJ#<*)KX=;6r2<SNIunqsIc!X
zUF$e%U%|hq*&3HE|9Buc&+Ct2!`z0kC1<>2FtA3~YXc3Xxb?oCQ(pBcZ{{3)Rerss
zo!}wRQwzl%6@BBM9oUepD^rB}rGdD-s!{F7<*~3c_^WtmTiu2Q=GoBB6Ko#{$zi^P
zdeA6dSnb0>Em&UG9Ovu*vxCVZ5qrrh0lKs)7<!vVmm71vJ*Y6V1xVCK=O)3t((34l
z6@Z96k5MKy^Jkr(Xl(w`pX~w+Hm~7<V)p~?5^aJ9UY1eG7a+)tdNm*`(}_=6A$b~a
z#V|}CEqK7`GRv>Miz}|9=5^)c=fG}mTb>as^9URl(sF6k=@NjR(Rx&9t4S@z<a7>P
zGPuf>{rkac#wg(X0f_WlbO#xt8Agb|M>59`pVJ>IAx?eKgENViA5xCz|F8gaD9iiX
zy9xs-GY^@{j8ibX>V+}cuvO1g7>b%`h5xST?dDrCdBvbrm}2sy>tS#mXHHJELL$il
z%0DuUEg4+#(c|y-24)0b!vC5PIGC;t%o|)oMq@j%nNoqh8!q;zo&ot#I2wU8x(}+w
zg~|`>i>D5Tn7(Sd54~e#dPHp*U>1O9df-fdrk6}kunlqw^vFcz_$JdE_VWw061<#j
z@Oi=}Q%xd`ml@eLg?>aTWYI@`5MD|eJ%ZuvXI<{o@AJmO)FM>2DF`&A<Y@s*#c7^`
z=Zw26ejXm14%=+RVGEep0V#vnBhw*`9QmPKMXKUgw<Uln|LVIBi)qY`Xnt&VGO&yV
zU*E<>X$zA92f6K_#VYSU%um0Ve#q0$0+(G`=ZtJ^H|P~dZEiNQU~}vFug%RV1!*P#
z`eu^wxR)i!lP*mr*_CB65$^^WN(2lhp^(O!{DiXx_cII1(h)l#SELj3m>#E<6}LN>
zyT}Dp;Y&0zFHyM~AAO%zLuB3s*hGW8%5!o94&J8Q=RDB0bb@`}AY4WkG`Sm{y}D2-
z+ta}gYcMgCbf<j|#Y9%V%D|)lS4d>Q|HrKWRg3=DJ>g$N#{c=1|81=pgsLz^zF!m-
z6?&g|HA!556=?`Ei|Q5@lvMxgHgQlhJ~zL+SU`ux0U{ejq=XFl1_Xb)G+q_AFbH0(
z_}z@Z0+$NU(bv9%_7WW$%y^jGSJ`FnXg5;i_E4`+{IZ<A{1NMRAv_Qw5q7YCO1&}(
z@Zk>+Y)-F?>@;ng*51oxI9uEY&JRn_ou;+iE&*X@ucxg!#m@_U9{_Ualuz6~>Fl26
zMIzk!$GX-3-#w(f`2V_x(0*t>`uB+rva=EJSU}ZM%%dw~y1S;2$6xe-@;*7nBB$XZ
zt*EN~Q`Jwmt+NycL`bKLq0)nN!A<RMia}JwgtLbC+4E_OrYpP2<%H@l2{tbuCm6L8
z?fB%MouI-v_NDqnW;##P_P+hE20!AVZ?^5gHHIzdRSKj9rTl#mL1dNY$bgU}0OW{1
zI6OE2PXg5RYgHB$H--?>d-(8)#jT<ru3IM(RL1KWj6pU~1VO56i^+kP|Es=n;S%|O
z0fCBw?V9mJ!Q62g0rdydo^<jzXh=WcbGKM$U5Uep5^t34oc4cRQZfCiuivp`YIWp4
z4R**JA;s(txSUa%UOY6$lyeA<SO?CWHgotNk5xJ%-u^SxOCI2HjF^8r(xxo!gMJ{m
z0?B(alYXPkne_9vBcOOt-0v??0i*JGCzcY81wR{rLK?5&^#7GI@ub+IBSR}|JqG|F
zJFk3?yy(QXWV1H!pJ*%#kCS^eJI$gJ7(pvP;)Lbh3es!mK!_w*wDt1A-@DkU@73dH
za=5aCY@~$WC<nesp4NkWe*zqOmWWlEeN>v68)!M@4%qnPN`Njz2uMUZ3RpVNRbmn@
z*6>*Dd*RGAfCVz#%y<gFm6INIzNrEB4s4nr*=38<$5D-zv|3&Y%Et}fq9-B2WE}ui
zUZDsZB=46T*uLp|-hO1gQ~w%7NPzqb&(Hrp?Xt9g?oFGmZWeIjb=2eXbHaCsI$)5F
z*$f8AmBX6Da&z{of72=MijpZjH7Rvy+;V%c-x8{7|3qx#9gp3}gXeTwI3Q(|y&Vo}
zgaO#sxyh<k(@+q=cv0semNFe_c>Ke_B!ley8Myd)D$HjP5UqKnkX{9_3V=(W%ddo;
zWQT8MWuJR*GN!{DVlGmImgJ_v6C-F!*^T6NnwAWr*558b*s9q#Va!et?=aG{w#9ms
z2%-@0D-c93YWbXh64x=AV^n$$dilU>{O@}!W#?}r?mp1&5Cq<XxVtqzf4<+s2v_ts
z$=f;+9U+mf^wsbhd4MvD*y$ITO}Q4m68&;nBF!@h@xOlA%QhaC!A#4ZMc?hx0*Ha?
zVkP?Z^jq23+2(S{LztgtCJ_oH62(4(k!Q-^``!9&4;WCwiVxisILUm18?%a@Tse<$
zAr<eDErWLQxp)3RPj3*yr4s2_)w{oq>ToYMTnf8<gynP|<i)~Pe>-N8O5%eyxNZb|
zD8c`5$9c`P^WlE7?^8p&ItJI$hU1%SJ8voAlTmywpN%^6LKtb@{8m0PpgA{WG?w!z
z@2W6S(&fm@s?4+>NdxcdbYhkV7=~O0^sZg;eaoDpR&B!R#>|`>yVf>Wi`H#t01=7z
z41br#8(5`+=TyX2`HPvGy2R0`oX-f|RPP^KK$RJqsmLkd<;09HgS%W07ljK^?duu=
zG$N@5h3EEfDL>p&bH%{^iF$YB!>FkcM_gKGB-;sL5P93qyDoR(L4&fNAJx+yib|if
zHZRlw$fwPdu(mm5M&g%uD~;0}1yYp_?<T1AhuWG{<~g{+|5@-u{wV%s(EirULDs{G
z*m-ikcc>q-?MYMS6L$@mT5#PgOgIqlgc$2;OgKe2f5wBp$sGW(p4|1*tW3T?^a!eA
zbTEKzq{H9^bO?P<`0Ps}`EK#{M^s4mC|*awgN``2wmYwk_ey;9+7!?X1L@hv9k+=k
z&*D;?b9=E61PYQ=dToweXLrTyR1vTxO?l~k2@8U5_$xZv8~#EJM-Z?{chVxpLf{?F
zo^X#q>5!#%EQ=_7cv1Lyb0_|YeNJllv+l=8+;fAJL@Wk%@$;F^7xkc}eI*=H2g}Jl
zxTAovACRf$D<0uJm26ibIQ#H9c)xS)Tlj(TJt=bLo>jnO*&AVB`P<rqJdcpnLC~Wo
zoP<bOm+u!!Top(0XG$3?8I)yl$Dks&7=ylHodi<+@ev1wL%*1(+KziB;aH>Qxuhls
z?p5(&BAZ!Yp`3PXf56{Ymt<*KTr{q>3pNj^56(d7<a6lPiI>~&>jGqSV_>B@T$Uok
zri;(PYbZAi5d82F@uQ;ZGs2(@M147Co;(|7Q2ds-iickE1KTkeUXA5E>b(-|Tyc@g
z!1%`$h{l`|S8b(|iePOE)YX#WgOQ>w)0ZZJjPE!F3ceq3Z>8YeM2xi9+*iE<PfqPi
zV!s+z7Y$nKbZl$54QwB{6gTK948Fz~qFEs1?2nlqjdK38?xa@*lv^G5>Gj)LRcMba
z4KN;}C1s{tdhdPNOS-G;-3Z+FF5Q_z)bpZoY+3@_HIbRi*+e1ZsGDy@qq^aVscytp
za5p4wqxS*NwbJ;q<465?ugi*ov-H}m*Iil51+FBdkl-$EMmAJ$e{i6+o_EcW+1oJv
z$zcktejHp|cV8ENlGAB_Gj4~M;<cg)Eaz#DoEvVPhq)bN-J4tKxnz;zk#Fi*e3Ykw
z?U7(x^o|WA$;EX*JtI1CZ+d51uLjM|-%w9$uHowvVVq@dcr-Mb(~z6T|0F;BsI-#Z
zDeh+o9O9?KU9#+(I=jCa0#KBqw>rI<+*)U)CM$^3w~iT&og1YTo6qi-?MQDn78xZk
z{X<~(PI#etElVQAr0<q0Wcwv6{1DdDY#nq7HRXC2Gw7AV(h%`WO3v>rUtczJQSCIl
z{~f7}wRlBjw2Id*%{-<(&>cEc^O@mmBcC%rHoGJtg4kMw=dJ{u)Xtht-cmCgv!`17
zXNJrSCVH<%Q~#-;<w6gpt~d&zf8fmsU|&UvA%3xC%_RIzkG7kLvTOqQ;(1oOH^_!d
zX9!l1*UmT7ED|QYeW_u@*mzJB0SV|rR)S!B+SMPF+3z@`IBsJbR)YtwVxEAtHr?bL
z3k&q6`hVK{>Zqu?_g}iD1OXXffFYzq=@>!@acBhT5*3gfQcAj8K?wyE5F`ZzL=cr!
zKmkd~A*55J?>?yS>-+tE*Sqc?cinaWxUA&}=bSln&OUqg-p})VV%An6yz^4I+#E?B
zighC<_1a!%4f%y@^VN72QMgyOcz3@IzBU6?=vTLx*^qrAn`LXoWQPLrf=}caFh&(s
zJSitKbfjECaV%c9T{HPj=Y{=VMLTkDh4O?49rSF!8a2Ng^KCOUSs`H%L$A@;Eft^u
z6K*}7_)unq-5fXQ83#H|Liod>Xr3z28|9bime}n2Kz+OWR&fG%dg@iO#Jd}<E)%}Z
zd(H>;SSnA1kPH#gu@GT8Na*51hevorJxh=!fdbC-^ZQgIT+4#8+OEIj`0UG>HldT`
z(;ttE$2R4SzDXvMP<{%w>^{a26{zZjr&=4#(6M!2nM#|o=yg(_p;61ENinhuK0~m}
zAc@9-6m^AHWS&{JHhk~m5C3d}^+q}U?5<2(e`1Vehjqxu!y`h2<WCeB-$_Zp+Fo1&
zp;y`ND$%E~`3au}wM;0zwD95hHnL(*RWHTdGq_t}(8~bo@C#6f@8|w9XA%UsNA@4R
z1tYg^WfU~>2aW2!ekVq|bl1ibAL+mMk}@mx@%YU8lRmCsnakA%wg4EwNa8oy$e%$T
zQT(WNYaPrnJ#@Fg9E0_EJoV_ajmAzR{8W2Gi!5vT?$W05$}Xv-hpFN<;;cD@7aYnZ
z*pT|(OMcFMA<p-@pbRgb8jiHVh)@$9a97GmmJjJcEAAvaN(ntdXzS5Z1pB%q0jxkQ
zaeA^1^4#a3)GC}$p&K?ydYwee>|6IW7Rs)v<}Busp;&fi{an5jsPH$@7b@$7^OI3Z
z4}pB@;JF5uHagV>tQN+dr^kR<+J{t`n#i?}XhsfT?kS-K;F>C|!dwUvsj_>@?GELk
zHzxA<EWx<%@wL-n3{$gI?>VR6(-8Ic-DX;;j8%sMp4G4B%eddC4K<!Z>AkvAm51jI
z=Bq=>mq|>U1`$%HBn#CRC@&<M)Zb}V9#>C)^Q8l*c5b(y>#k$!?@?tMPG4R>5ljtF
zQ;7ct&C-9ipe<-Y!vou(hz!ZT*gICWbAsb57tgcrRe`eSAyzW-k&haa;=Hg~H-k&8
zxpf(BQVaF_GEmI^D4*Px=xge|BfF3|i}=JA#V#pwpVo9kSdYFCS12b56S)0+b1Po%
zX;;<rl1VZSW5x&@1xXRLXSN~VsrD|5KT?gmYP~8tUOCg8?w8_%V?#`kaojFt9t30`
zr&=$~v7ramgWN9rKYo{fy_u){bClbeL@8`G`UJX--nIMhHfm?IGD!y)wA!Zc#=%Ps
znDWgP4y@cQ*NCmPN<_U&BW_ufrLv*%zVb?I^hIKh+RvmNL?+Q57I$~nop#vbHAc~0
zC=AwZdX<`Rm;ONb3)=Xu|I@|<g^jCAb;sDDyTLM!7piZ%Qpc_pgQSR}pGaG!gZ;N^
z^VCEstO~)%?^_WnnSI(|z>R(}j!TPLC^&r5p0*MonYL3Ny>BKbvvV+0EioObo1V-c
z7lZ_`4f+-hlH!d?n8h7yG6b&-{SN!n(eAwFEakxuh^5S+yTa`}Fr!w6I~r0DfEnO3
zWw-ciZYddNG46u`bvesvrHp=Q169M=k3jB7ptu=Jk&u{lr<<c9Gg*lA`@QGNHi35U
zFP8ubB4-lnNC9F?j13(P6WT5*<!9%;jjYvesn2;C4oroT8ybD7X4(sbi(SvE-UXJ2
z)8uT~E(Yf=r*UMfy-wryRE(5NjUqb~+JO*wmX~SL*LNMSz>P1!bUmZIuTQ19_K9vF
z8`@-nw{)7sd%MuP4uegqQ(mh!qc$l@-U7%0?YMGLh%$odv_m~CI1wz7n}M682y+j3
z57)0wzM8^NQ@xY8xWh-S6E5~R)0=KKJnN7!FYFdGSkz?SM{^CTI!E<(pAm~tZti<8
zc`;j)75$PhKuy)VyQq}au6UtEV!(lT)-XbtI&|OAiVTs53p&n+_VX`9ck`XY+G-Ip
zympPe)0Yc0&v+XwbHD#ybY4e=Ie4CM3va}*Cw-71p;xMqy&8NM6dMV7V*0fAE+-0K
zG#HvvVOFroS|0!4ouwkUd60^D%#}km{^IPuASm`VQMN`PM#<P8aY}b!U5EQxncy{2
zS_Ue0MDgP`cUtQ8DK224l!Ly`-Dt6);AkBOxf;u|rlwg=wDXr*72*^UK}0%#zQ%;}
zJ~5e3CO%NydZ?B(-pk32j4QHD>g!a6hMC()N#e=XOP>|lY|n5N>XNK@CH0iP+X;Pl
zTbZhy8YS(^&@4~qzChVj%O~{|b(bUVT+y+HSNp1D9euvu9Ru#Ruv7PkFotU}t_5BA
zSU3ck>PAPvt_BE^Gy&dz2ff}R8JqxaaVXtFJ#ycWyG?DuLa$;jYxPrVUwrO0fNr_#
z|7FfrKit>G0F<~t1qj#=XXJF}CrExUPjK$LzuLwy^Um_oZR5KI*Y^lTUN~<F%#3mZ
z$EhvR<s~-~^0c+$jKh+cpG(N9T$+*6&#Fw`WS`>^*<3Xoj#u8vXw$xG99xA3cGfN5
zN6o4LuRz0~YqJeXJ9};k!e^>q(v90@H^TA=9-A~4m6W_bA_dkSZ!I(}O{2s7NdU+?
zG40No>raw27U-vE%xI04&|$XMXOskUt*N%@$O*#Y#&Z?0YxDg!ZqxFXc(6&!wAOIq
z;iQsaQrFECxXzR}w|;qXF%x(?r6xC}RMc))$_ZY@j>td^^S0>v8{_DN6KRd_A-kB?
zjr5OKY8{`4@mbHS2X0=Wu?Q1$cqtZuoG(2P33I|OB<WZ;Q$DQ(_qGXuYaRZ@w|LZ%
z0P#6+h~!+;CY?|Fsj~U!@XG{Pz<cOzW9q1vD~G;}cq#k;mH>fDv=yLy-Q*@zo*MJ~
zStozv-BZkNZZEDp((a^}%o+5!$TkmorX13PY)|=#Z4gLVAqAdat1-dHad^nVMG-k`
zU6hQk*rHn6bY^9~9_SPOBdLWGM8fu$b;Yke3JcE4yegCY_ogqic<nRQ+l(%IynP$r
z=M(ewq#ph&gEd&h478GKK-u?ok0X7=Y0AL>lPOFla_bz|MVCghZIV%tr$S_>bP}FD
zdX@2s*?x^^9>}kP8vL__J|pj{r_~^7IrN7DYE4_5YdyrE$l>7?zN_@<sgjCu&HJ!w
zpv!Ts+imYYpC^XFulQ?MJxz(5iTQ79*}lUs`F0nGEEgaM@W;5!jVeq0M?f%R7}%ZI
zzvV)SG=>$kj+g|1!ZTuKA8;#J_n|b?OF9+74bv-IKv#X*w}oT}COmV5@q`RnT{78W
zC*rTVkofCh#h38z(fYm<`P1E>v=W~`vPLz|F|Hsf6@%vmJ8m1iQ9ENG20Sah_e7Ca
z3R|MP!byuTmU>9#6zEReuhGPpboX=ltv`Z#W#}@a4>^+5lXX;_RSjB^1-1Q|ji4}D
zLA&bKvobh!Um1x~NPoM@kYv#k>0tvps6R+9jhr?=`eMk@Ol1m$PnRJ1Qp!tsh!07Z
z1#E!?NAKMvn|`(HiO8bKWGNp;12)Ke1)k+>csP8*ZTRF_dblsIw)=<p$1`WaF*Hc4
z)+F{apZE7YA!m#c0JcZc(vd`i8lt(}F55aK02t~{#cVP*E$|Mw<Q<+Bx!Se2#-K=^
z6FAQ4wMSw8@HlLJJa;u+42<$I^Tn_4Q;4rjB5($Q3M;`)p_z~4^fnA3O}}+mpB|AV
z*d%x~dMx0!Z)?ZPwV>k&`JJ*!T!{qeWm_cH?-t0Fm;)242o|zuKJB*v@S`ORWNLRG
zk2C}!Yl9km_j)Y**Nc&lKn%x*m!$vY7gpfKgzALz6wDbj(niR_Ga60%rLyGZXJ?er
z@>iQ^euy*De@l6-*m^J1@i*7OS2BYH<_^OqU>(UK>1MM@nWy4>g6qR<SM<F6=_Fsw
zL)q4h#F>4_hqn04ru@8zRVhX;pRBg0dZbFU>06;7#K|B;on3wnDS<AJKAk4_0M;4{
z+bf`g&pJLiU;aQdpiDikSB1vljaMG<Ms~Ej6QGy<dPNIlfYQMvrC>vj;1~em?J#gx
zd4*Fb3hZoOhV^!s4?oAqws!jkt&)x~-&h4UFjd=PV<BQDkF2EtUqroA(|d8+RohOQ
z%@>em^fr&$scHeZ;8MN7l-wzy?{(Qe*IZ*=Vq!J}jP~^sl*)jUL*#?YB?_02^xrDZ
z`pM5f)qX*%Z7}b`g$~(O%z6l3s<G1q4QZY^qNpgfW^Jp+-G;1#IuyvIU!AEJr=+~Y
z`*r-y7u)c+JXfxYJ48eBGLW#%kCoJbqfRdZ!|OvcY10RyJ00IngJRjN!ehBTnS#av
zh>S4^vZ#$gnSR?uOQL6<?Ftk%!frGHrt_<v!mzU4xpl!0q8UDT=)bZ(aLT`2X4fFN
zfi<lcU<ZMR2cHia(FA-2gcB*Q(=VvO$B?(r1PE?#@Ubz!{4YQQ!jBRAPwCN)z+>nL
zP|_bf$G;z&Z2={IEDLxFbAKg%h+Qezq@8DP*m1h<eqHrjMo&xAP(7}?%vYZGSmWF2
zm5Xtt;>=f_s>O<C4&wN)zuxHDQDijWEOhHx=b~SYn|gS#!OJZ<T!cK~mM~KRN~zp7
zr?$tKr#$2NTjwu*QB0Pac}9_ZX2goKam)3tirhhg0Zw2BX`A@YhCKw|<I0rXjV{r|
zou}RdJfTGY`S$#^pN|eklCwurWC<z3ZonLQfJ;LQWYjxvU!C{${GqmeO>dVnkO$!2
z43!c;w;5`M%k35w82C9%y>YIh6(=>=#KVgp48iap1`itFy39gZ`?S&%*&MzeBaoWm
zo%Wse+TrSv^ko|RDzBu2*@_IYQ`>x`mHkR8V{cu$jibbK(2pX5ark^acyJSW<a}~C
zVc1=E^zQ-D;7SK10$bhbzyB~GYwyd*0l{@)2%*401tAp3_WtG@m?nnIu-{3Uxps;b
zJ@?e0Ofjfu(Kq@E7f2#p=GONBs-SD5yr1jqUD-Z;``bj;SKP>lAw&48OlSn9!Lcw+
zh*+@=Fn|qFCbh_$q5+F~q3btrk5taIZ?4;`(j>K4P%BXPhO(hM^jV0o<OZ-BuMlBz
z!Z2ZxIl2RW7T=Q{C6sA|z1NIkZtg^p;+x-Z2Kwj4{v)}wYw|^o7DG85zF2&QmdL)u
zy05TeIO5H-vjk}Ym$H@aS@wWd{;y3PMCS3*W`_W$YM-vI@vS1BtEx@hYYv`9O@!R#
zbi&X*O#kE{mh$IaI|t-S^r?h#bMo^yPJj(E#32ERp81z_F5_KLTWEJOWHM`Fz72Ca
zsuRu*q_s2PV7&(miPp~I=eZD?LRs_v(!xC2AgH$`k_N$S>rAZ}joaec0ks@Un6#nB
zRu;`e+N_W(C56SpuxFWl3hB=QO~BYE-Bwr!lt@pXinM6ppVv*>1v~=l1~r<aRlr<n
z>ni0$cNnsCH#UENfp^5mh4mvg*tws&OE#IMA}&U!EBE5Y_RYW^OU3zi&9`<*fz~!Z
zA}`o3>ne}~y$y7ZbJAj8_F}yMMj>BO?2j#Bce>ihq{WAh4W|e)Ma&D_l10q9#R5h0
ziHKA|a>Q4_mrskT%_5xiXU~jkoW{dT6vPnpMczA*OI+i#Wu{q3)(n?UcRy%yOCB$~
zK*k7f1ih~(k6bbG^hCDH{QimbXf9K0?+{XP-)L8#db3=rUZL{}Deh_N$W>wvcAMt}
z&Uz$@QA)2~LK2L7{x=sozSMw(33ieCyU5BasIT2^N&`OU2dnC|-|x{LT{|t}A-lo7
zcxOUEUvptC00<jHaz_u3?GvPqyopick3SNhx_HmK+x%kAgiNoTvQ%Go-#Kf)tpi?-
zmNtqaT4l$wfJT(vLpy~$?|s4z%K=<+8;1?~)7709xb2}Cj`%(Ldmh&Sp_%w+IuaWr
z$2{kTk7tS%&$AF@3jL#%fbQ@RvE))Y@*+H#i8(JWFmS?r{wPkt@CPeL#>;j)j2;(S
zWLLSlGR0e~KvRrq1#J;+<H|w=a|k>*a(%=KD!waAgj?N9N?YvqOc=hPHyTMwlWA6Y
zf=v-kfm}|wlbDbhu3dV=$B4#=0xvCUAO`Vi(Se%`h>ku%C9%bnSQrXhFw9TY6Bg<^
zBclNyKay2B3r?8b>o+GAi9;^^M7+zxPc8GJX*LYdEj)7MGOYCGR(q&MM`lD42<KJF
z(C(*-Dhf-^8E31z615%bu(u2FewbHNFbM9OJWOYlmFg@9vK2z}m|ey6hbg;?W!S)o
z2RJ)!`5K(`j+^0xg{KX<$JMtzVHr8?Y}DQkFXsR#gGBkVSvL1+F!gd}lY`{<n7sE|
zLLM1{QVi)IAlYM~#?(BWK6;X(Q2NHT?}5F4SOZi<12|b3cPdU)L=}_qv=Ht9a&Nbt
zHcA1hI>4S;S)FU>>XqM1lM2>ROL2LX<VXq$E(9^<p@6t4Wrd;PIvXL;hzU{S!36}#
zWS2xcrumZ^6R(P&D_{pia%)6rAmohb{9A7YGo}Gc6pB-Rssga1r;!?+Bl!TFT;RgG
zgIgEY`_SE}>e8v<hzyG(2HA<oq?ujCG-&qyb@#bjzSqIsW4BpDci)CwpqZobdyFHU
zvpVyZblj5H>vj4Exx@oLOXv%tA707C8`<&wPShaQ?%@nli4ENr7TeRjHx09x=aOU;
z$QGi?314O<lHK2k;4F*2-N4_D+k|Ou=d+=)qZH-tqW8G@{1P6+X9)eCAmYgfEK{un
zSrJ4k_ESX3ZGz%JyqGcwm+0!Wq2#fN^HXdU@0#JK&%cV<iy5`5$>pEu0{Df!^9=d;
z@p!jX<7J<$YUUlFeb9WIv6PwuLG(?y_&zgTVFX4K2@g$b{I8n5w@b=?5_faqgN^|Q
z8acFxi(NL=QM5LKb0d402rEg`jYZxgF}Ezya^d3bGw#^rL7GBAuPpA)5v_q`-aQjR
zYtWnK_YzjQPf`lQKn2H*()NNX)2!8Aiky|e0sz7?y6@d#{cxrE4(lM6EgXFpg!8gB
zvS$jgFx79-_2LOYW~6`o&25fj7B>>(ibT^DNni&Zx}OM3W3QLwh{oruCbHd##Mlx4
zngm@w{<uDJHnD%u@>??s>SDkZFz{2iO_Su040Rm~BdW6@;k5clFTdDSQy8{^HSzJ5
zE3Dk$Ar-cSAAXpKWHSTn?7SGz>_piFnSRt*a4u%w;f|zcbwp6jy!3=Ib>A+5T2hOT
z%-vt}p^%s4YaoyansI~3#i-*3$E)-<yl%L;q5wT%mE==pLBI_>r|B2cTiOIl->=1R
zuq+N9vmg90=1jxvIM8k8vfvs`9%jQ7$U6q}lVDPC-yR0w;2TfSZ+n5-rg9+by9M);
z28qupk_uUZA+>60f_RLN$nsD?m!Wa4x)p~uaMa`F?HvLg@KxNChK(<e=V}@zuu+#`
z8U~p@1CNVA?%UHg8<AUowU6f{oY*z%)4dlgiP9;(`)mNIt+~L5XR&Tcru#XcDCZ7@
z=?J!djKX5|6<3Z>d8a4k+Rs41@V)x(_ytM}9OW^F#gKSceoDUwqoh+0i2}_%<FP`{
zaz%aHym(ZrR)Y=J{yX)z<ME%-?=G()!9;*d+^#6m_GIzdm7TjVH}UA#Sa-t<q@N3d
z@^K2wKVn@~4^)>T5hI(Ynw2IZF8>yh9{dDy{`W!1BgJZ+#Fb#jby$W7usumNTm8>~
zd9V(3n}r<psYW0FKi&)i+y8`!+(71$tMI!XoHg3*JY4!$<;)-J*+C280!6IhK?@-~
z)<HZcF!QN*Bulyta=)Y#&fCbf+ynu1AkR7>ZV<rQ8<;&mXE!?XM+|LO`T8jAr(~s@
zfxi)xj!1aTzZr>84g4|^(ekVZMk1^+v{9hceAB+9vgA~@M0+W#eVf?8^7ipTlDUBr
zIj(+~UJFh?&Q?oMD^p|Jo_kZ(zz|Sk5!7Ljp4t+10PFDn)h7c+rJ6ClNF>W@5R#Uy
zk%<`!T7!eVeg~}(?j=0Ky@J1SO8xr@%3OzV&hr<_ys*m^^7}w18Fe3h>z>rODgh$b
z)3%Pw(yOxrOCKh$I>)}Q1O<icgNn1R^aUb$B4-LvI$QzS)q};UnR4!i{tUfpnFnap
z;_2!0ls&B|xK@9gQ#c`xKJo-k5CYQc->!d|Nl;35&1Lrc0O<d+A@PpCFa;z#KAVll
z_I9Q&PaKD@+sBz#Ua21Z9QM`w>hm~}e<BO+SDte^A|T8pV&i14en^vb@dhl0H+c0o
zHy%<+0E&y#MU;1(fZ$?U<>4-i;Xe@NLE8XP?w5J9yh{o)A6;<x9T`E+9B|GT9%nk{
zyFc$YB&jml1hv6b)lZZXR{^CKz`RfIR$usH7QRyfVBTem%xNv2lD1V*GeTO}3AU-i
z(UmgJnC%!_n~wx$;z_IS45WH60w4w;`4PxsP?&-uR-fF(tCW*9zjPiQ;%|o!0%kr&
z+IJ@V*frAzIFiD;H@fG^(Os#F(<icrL__4o<Ed9UY`s<{8#J$!WCGDuKDk2ly~W%Q
zF7wW3>R*o4IZEd|TrQCFTaGn9dRSCCBPD<ECj1o_?}uuT0fEzbe8vwhJgxoZ*%+lm
zV45xuR$VcPTab{4Uc;v{O0DfzkFxPI&;2-;zU6jZ+GHR-2>B#IDiAwbIAJN+4ld+;
zNnY-4UABi*_GxQ!*q!FcjKcUwBfzWD%BuWC2{HFWleO^&ND1+~l*o|94^!dY+XQFq
zwyh^PyXzLRd~5HcfzxM}{hvsH*t3if65!UA2Yerofq!QF!_62|G5@>h!QANZk;1MQ
zfX&_)Z)cJBxD7(bh0%n)`qHJyaA@Syc$NAj=Cc^hv2g@)hZZ4hyu^iWlY_=W2J^g-
zW$>57zFsfEVb=U&gXb^;9-N9|W}l67)y?X>BVVMKR2de5sA5Vv@Y`AheVE(CZ`E&$
zwM9hoM)6mabZ;v#wbndT?R#op@_y9;u;`ta61jXAJk8f-!%7zsTMw5Z`-&LR(ym%p
zKW7QyF5!Z9yTB|nAO_HGK5JXtnr=5FChehK^W_)wysFF9FGVtLuXxPC(H^9!Uh$4t
z+$5}@Ju0l-GcMU|C~fGfOrIWPLyk;3h<58b`Od}%=xl{q;J(Yy!S1ouPa_Q}&s~TO
z3k`fW2jr3FHQs2p=VglyPu6vj;qk=v1wFT!_)+_#_{WReHI6!AYSzF-Xs283q=?UV
zT_?^r#Wf|KQ7A#}Ein2$%sT)+3mWeDiB$flLKTflXlW>t4NYSS7NfOuR?P=8Z#Hys
zVk^;w4a%SRMMO3y3>$Ih%3WUBQAeN$FTDgg3|1@WC{U>_lpFHe<aao>j{A77NS`-6
zC@PSrXdc<(TcPiqo$FIpr~hRCJ?^|+%&lX{&Xbt2)Ct8z#A*{v`#p3lj`d@$B8q7N
zO0^uEEqYVj!;=?hXxAXu0aNkwa>}teIQ!|51kp@a;WU_o*M8V#Z#I72J}}t|xd38O
zM)@6lBPVV#<cD*qSf&O~YLWEPbz?+&7u;n_=k3(&Nc`0W4l_Qn^r5fAwQhpabnVJM
zIq?Pd7bTRpTbtG)TKEU2C5RTTl|>CgJl6**C*G7D&k*mDaC74~=<njcS8Dq@#Q_52
z0eta}pM_;gdz!Ew&<S^qTpO>l6~5j79n-N|k>rs>Nw`WWhX%nqdiK;c&BZ=+c1Fdu
zR4`W37gR*8hfb#+gl!b7QjNj#P}@}A^ChI0;?+(pCwK~Vg`^^vynxAO1(30?1xlop
z9oZ(<wlvdO^MRm7-VB@LeS?p~6mIR3C?$A2oekM+b|td-yt!4KC$7f`pG{E@6e#*^
z0*_%bb;5hbT$e?+RryF1U!Eh`ziXaiK}wXeKtd;6K{4V*z;((kpd;(vcwF!)<Y@0!
zEHHqg^c8%9sa*Q>_0i1JNNXH;;*TsXbH({vfimat-@jFFo<czF5DUC0n*4;ElNagr
zN`ykdFv$%KlhkTVM_fx@phP`;4A$6#h}D)eZ=sSntFjFR*&US8b9G5FJu*F`nX}g7
zyI<RGQm|1-_yfH)IurRyeBN4=>Pyr@9x9V7+NpYM@6M%wMZ8G4Ii5W7T~iW~F2A8+
zZIq5m+Vs1<l<YoB0XIpP{D<@Di!45dpBbZ0QM#!=LEhJQ5uj{|D-p-hCpYaT-P7V`
zKN-vf0<^w>!R#V1LMU6(1aVk{ZB_myMKOc0BxSwgYT3=NETA@gg1rNrGip@V*ec@Y
z8D0P>p`oR~^(}`=&!?1Pbl+nU=uXN(rokv?8ANTIc33mz&u_)*4haVu_C%G*pn?Q(
zDvX!FiNNT&7r0$~J)`#tcC>Qm+;&4EUx$jRX7b>A3-*XZIQQDuAmmck$&VN~-XtAy
zZ+jecR0eQBeZ<s$UHU-i^jd0NDc2(|sX(EfybqAJXm%gf+)EyIG@{}0AeL~x9*MgV
z?HrEf(!3A5)(n6*{2IP<KHQJ)ON6?-OI{biWJD?4JRv-@j)uzcEbWW~eEU&4;_7JU
z3BEn;M$(l;1h1rA=F%*}rbtMqb>}9h8tbC*FJOD2a<E2=@_oc)?`w128+MOl_V^mc
zixT@-NlsOdH)aETI=4O97+J-&UC_fx+A5-0H8(!f9q)-ZwtSPw=%SQFKRfN9&Bm1$
zaJ@d3OWmwME>x%)zT&&P*6fK9fK$9-<3z(r60939dHJ~ty=8bSP(^#y44-|N>2eG9
zrMjPE!ByM5xJTl6PzNUg9lROp;6_g8<v{gm-tHp!o<|`zXAo%jOa>x7tU@IM*BESi
zt?z`*6Qbu38uH5BK&HxCqii5aw$9_z^BRu*Qw%qXn-ec)t6^E=;%hz3{lL5jNEobl
zKGNa=#QTzQ2%hD3TmfEEKPV7-(Xp{$O}+~W-M5RGSM-i+{0(?Vg<8xgL3Q1ptQWkN
zC78Q!(p;6yZh<EH@w15_CKJM#{m$s@@xfIZ36Z;R9$q%!y#`is*hU7zm_&WlQ}1u9
z#}j?xWX|8S2FzP<Xt8Il$n26{_sRowylRX}mF7^GD3Bc|!ip2Ul<&q;Z9|i#Ms1oQ
zkE*xirJ39r&L|on)Cu=pqcds%(gJ0YN&T9r_c>%Lb2=0;9yZMErUjMPSS;gs84KB=
zum)Hsob(*L^G39@pyzP=<gT--GF_DKl+s<(b)BEf@Ob%D6gP+jz~D7_abrYx(#dXB
zY-ucz349m9QCzdQk?blOa7+l1CW#9-T{Q%%q&g;E4~$#jN3t&`HN1kIRxw(6-+{|Z
zk`A!grPItD+H9D#UQUUX%!pIn)hDr)*Zna%Gi7GFm5c5~#X_ySH<$TRK4m}I@dYJ(
z`WE_EFHTj2E6z3ud%3mWy4Y#?hzH*JY)-o=!ZPOb4vaJk_i1MuJ`a(E4o2~Dz<h7!
z&e!;9-EYS}+vi&A>g16Apn`YW-LKt_`pF0sAmOCc0OL5747cq)<Se|qxVo-*#iuC<
zq%bx~>qf^jJy(FlS6hvaU6ouj?5dcK3iL$Ve3UB1tx$znH!65O-~&UStxN2{<SWYm
z9{TA-KBlKza@kqU?j8$3t)IauOD#)={0#_(UwDqapEoQxjg&COW_!m@#luv)@WC&F
z0Gpd4&AuVCN@TBc%fD2ltfPtN`ig%k4;UaCi>=z68b?-`$(MZl7_o2=;+ebst8~K*
zAw&eJTem?p(E`NNO*5sIAO`>3L4+i#2D?K#AJ5(BqbMEt=2NznX6wp7A=#>YD%u$j
zMN3gQr`MLdWulucp4@x)N@!4QCRV&?!e~YXPN{lo7eds7@6lcGKbQ^jP!__IU;<=&
zk?we5srSXqJ@YpN@wK&|vuTO&niD7hm)8l;N`MGY(T)I8vQusAWZnf@l`3g&7i5bL
z0O2+S*?O-CoJ_2#RN(_Y2<6<bgDMg9DR?-!mtwC`=476g`~~Fy9kBi09|SHpcEQUK
zHB_+qW7Avy&}3up7oJ`}`@P?poES5^W(SDy+BtR)sNo?Zo7Mg1TCWrEV0kufJd5=M
zCKr3lA>NzIEh<kp8_E5a^yK?o60u>s?TO79<W#H7e^q|LHAOZ3LXemEj!!inTZ07Y
zxz<tIh*SRHTt&26y+2wd9RZoe*tPvhn--vl{)E(H(q75kH@p6Pq?&y))e$&Dd4Tfa
zY1b(rV_xRyIaH;`)DJwRx1`+M$ABi+Zov2<#rOz7E9=_j2z>X`@dtcay4UsK+qtwh
zmOnha=w#vRDX+LtpZR@gfLvzf2j*<t)ymmLZ5Cs<Omrm&`6B3#9!=%4p%waT#UcZ9
zZK8XI^_iZ#`qpK?)|A%@_KK|Y&rbL~j*q?rN#4bveK%?vqdf(2dm=#r<H4~bQ2V&t
zaP{w6GaUVk<6HcNecG7-BIyzlE`t0FdZ{8GGOP0iVb^7bMc-X#sN^fQSv1b&yg~S%
zsQ7X)RYhMp{&5;woNkCf3v9R{JWi&v_Br77c&rg~@x&GSusjCOEhDZ~?l8v2RQX_#
zHhHyWeey<wV#C;vnZ_@mFh{9Y4YI?@t6lYzmy7|-4GK&gfxdnvdHw2ok!mJzaeLGS
zB(o`oK+Q_oZwc@M&A1sJ^TQ(}zEgHweFI4L*>gt+bPs_iE?{x$sH{d4Ty}U@&(gc<
zfJ$)5bd=r8V)*OXKiUAYsW*Y2CzVPMK%T=AnW}-yg5&6tq*==)***GC%+&``yb3sj
zpjNrDnkVAGHN^lSwAm}(%8x*7kr@ZbDerazO1&aV=?mo*S1_5Q76yG7opkK1%ZG=7
zNg}#bk;OX&usOpqXHoM263r{|GyzVj_6US*-*&V+^U(LO*DE(}U0DV~{%2lG?=MhE
zaK6Z|8g#F`+q;S|1RivT;j(opuZ{s>nU!?wekO2z#3zh9x;5@Ce(V6%Iqw--wI}V2
zEUv9o11a@kKsYd+@MQuTT^#IJ;IR*!UI=eA?GF*pW!V90o?;5{ww(Z#`5}K57HbIU
z{h*}(17v&o@o=)$C!VQIb@(<w?kg=R7(!+e9Y-r;M<dI_3@??Q#k~RRw|WI4HgiCu
zCRLla<)--dVDz{zTCn_dx3oEfG*5_F-`?RQg&al}qRu-4kBbR2$_K9=GWi+E7Yc^B
zunwsBma>(<NelHF+$?*W%q^d@3vY}x3@O_@qOq;gZj^RAwTksprIWvADj<%JBPZ#2
z*Yxk++QES?shcy4v0DTvc;&dkKim+vN9l_PhapY}AVn+mk!62nNa&cLjC<)sVi8SF
z{yLzAdq)N?Ve~q-W5w&cBupbi5vE7x!-eLy10?w1eM5j-sRnZL@rno>atx5M3*-wL
zEd$)|l$0Qoz(Dw3Xt(aT&&a)N&muwo<(!L#i-t21q_vrG!~g9)_H{W$U@=S#r{6R2
z@NVySXA1&;A#$HYf!=HmN@otRJ*LMb7BQEA)Z}tZZnA{4#KM>$$Yj%R;M(;VI8}R0
z`YV&N+DU|>+oyp=VbnYe>@7yBqIuP&WjAh~EkkG_7qVhzdpx+;(hzy64)EJ4Wl~B9
z2C+@d0pgz3%3&#4a|l2gfZaxbrw~9ocmS5nmfb>vy>*Wo(;mg#y&a^#mzao&-Fb?4
zwsW`?I<0Xyk55(kH||socoP!As-J38s7kG<NajrbvROazy2hOKQ^Cu=?>({X3I7J~
zi5OM7I$Y7o-z}kg^0<ushR#MiXoY#YF<92~jzbydzjaM{vijD`HgW1;t_4*f_H>Pn
zhz2sE=7Q`Fhwu(8>j%f6c8>k|t%vLca;0-Y$|fjTN|_RQ#}LRR<g65LaK0n&!r?8Z
z|A7fHwEsFg8b2S6Ne2Rz^V+0eY`)n#JCho#I;&p4a};WB{p9}Kx1Gd}d34s{#~KOo
zJK@$&K<dAy3}*}|lCH=cU(+G9gK=?t3)K3L2I2Oljv@~<Q>gG@MXM>f%)s{YcF>Jl
zeMW;>(rs3p_a~w4ii)2y@DLAutKO)T!T)YB=+(5G@(^MmlDzG3#TCV5xlg;pS@*t_
zHCkd0$Uep}VJk959j*Wm#serCm7fmtxXzd3^p|BlwbeA>nXsN6I+L0*zWgZI@vXu0
zWFJLC;0pPmxTRic)K%~(9BvgCsoefM@A-@keQW4x^F4}ceVXcP6Z7r1c;T)fo(`pP
z2G-qp$8oflTxjYIg13jjY*#m+jk&Rfhqq~WyNz_DV0(5nygP98yaQ8n0+%PnxKbG9
zOp?UYkZ=2TNCX}^@ea)jdrIQsQocr_5@G8D0B#Lxu2rvYDeEWInHflu>a+W1d#~yw
z1g&Ix!z58Ex{PwCLcvGgw3R9a^dSV=u+Q)8v%ECBDnQ@HA8+CMa?^D1I>C^NAD*OM
zc4`7=@ff6**66X6aQ?ySX`{B|l_9lE#XQ<B(XKkwf~vJjU{9E0qjaHCvulp)4;HJS
z)rdXz9OZdZOOqShRO6kIr`%ZrByT>`x(*zHE~+4-q~YD%6puMOZoQH=-t0*gs8=Sy
z|0}Osz^Rk}r2sGIGURsn;HqWc4VVv^-}9IWEo#N?Tj!3G#W7uTSv#wP*D-mh_K+rr
z{h-k`dk)l{X028uHC2Ra@>%kzQssRoRWXw`ItAbIiwZB}wJtq(qk?R6cDXaKa#1OB
zHtec2$Ucg$3&%=z+<D{}($zK(QaNev`x4H@5tUbBo}2j>yR1eFa1x(C9-wQ(H?AwN
zE8IhptVy!&7sPWHbyOzlHvGt%+wi~h-M7FxA27q`2P$6qg4HG5Aw>kNC*c6=3)C;m
z`ddbN+of#M-i-lutZBuf_&qa}L&89$s(8z-*!Aw6c@$A3PS%f&ny6y21<%H{d&aEo
ztfP|4(Z}sWVO_HU{(ox;Kax_-JWE~_{9I0Aq5Z;!by+k2eJYrG^|e#=)2JgZy9lmJ
z1Q<K+B&l<(DG~{cPOtHaFC>dNkg};`wZ?hAFDzg<?AdRQh9gEFuP47$ucD(8{p=Sa
zqLX=eEfVkD>#x{Wp>_Qv8COI5g1D`X-*Zggo~sNdf_qM2eUem8Oc>|>R)l%MPo-=@
z<=1>KMn_G5=(fkk1Zz8*EwvyX9==dX-6QVM`#AQde4ON$);Ovv<zts;BRRf18(=sP
zDyQW-F+=obxViM>g3Uu!vB2Dtn#U!%cseRjUy1nHSBP%A#;rR<gei+fWUUjmhW2d6
ze*c<iopfPS)`upu<rv`=X2W$$@b3lY1z^h-9-4trPIDOY_pQ>vA+y_XOX--#`ZUQ^
zY@sy{%r`uM(RFf$)P*Jw5;Fhhm1OpJ_89%9NksM)>bmagq_bVTiGmVjD``^_lrvMd
zgVzF;_{UYabNg$F{5wBkFvV;A_NozhTcnAc2i;#tg!9Qi$+n-tt1jtNjf!%McbhGm
zI+7lH;w--q^wxdm>rRRf9ZaoFaNO)FR@^|G@A7i?@;CWA%igxoFr?q{`2D$Ue*c9*
zR&2iU{MC%(uN=VXF_@=N3CD;?4b$B&n8fDGfL`*t>o|rlw6ZPMhfYB*5c#pjke160
z`_d-ipH5UkFyp1&2X)U#PXe9%_1Dsgu>$uU-m~jO9$WA0pRCLQuu&mFO8EowK}?#f
zJc`PjSc2ibK;5=jgT@2t@MZlBo_Ato6i#yz#t|?sF2miOHD5B%Zck*z<s`yQ<7#^a
zRV1GmO(@s3*&4*)J8VuIqWt9U$lMMC?CL6KbsBO4TN%#?>8GRNjS^BBX83QE`$D`<
zmW3Uap`rcOC_;9gu<;DhsR!5gYxGb|dk?-7N?Zc=>5JLP{b<+@@#gIGt3=WQBw~WE
z@;Q!O=8n}vlVLiY92-^aw!+~Y6|9O7jq+1bA%$%r(kVHxh3=f#_H#JcP1+Nq_v@0E
zuCYkBpfilv3?wW;p<e`B2eDtj`5G!{1j=!_ew6PG_)M>-#)PVzYG@ySx4L_3;|c@t
z7tV|83v+D*8vH$U%`Yhz*&D7V4#MfE-f<hRW@te!jH<}tByR34b|0nG{!7Oz2;cGg
zeX6V*>HI)}@i$xfEO}w@o7hh=>oK?#5j{=Bl${8#tz=ELvt*WU+?EF`yIpcKO$Z{V
z$+Vjq4n-#lZ2jk&&N0f}bUmk%mTD?U$eQG^3g60>k-0NBftL?3;K>qCmEV+o{vfR#
z=4b`07Z?MbZ-C)*=OT7QNK<)Etg=okF_ynMiN9bQ8H}l9U1OoU`lTX()I4htEc8{!
zfW&7UyzvTqBuSTSqDjJ?jJ@|AvY&V<jiGj%`f)o;!Eb0U#AHLpWeJhCyD#tjjKSvq
zKxFQHw?^sK^nu}g2W{<^N9rKW!BoHWts+PxAwEQ;V~|Rfsqhpq@&PDeu;P2%ui^t%
zeAp3Y%AArUGVRBhjgAJ1)Hqc>Z3D)``bwdR3Kbk*cf-FIc|5FW_cD>oDOg2-;K$^j
za^5&KY|LN9G)^R6*2U-4i2njlc<`G~A0%9>?gdHsfQ88qW4o_#3&=~%pQRRr7($Tg
zlPp*34>g@=8V9F`P~e>6OE4$nGOE`TK#6u}Jl$ETLjjjG{5pWq3b?m}+iD)nw@j2S
z40Nl%4IHeR`D@Xk=v|ErT2L!uDSNVwFp_D-()cwq<SIoAs}Jj#to-kgm6Ax0rBK(u
z>`HKQ&Y+oMfh_M^Ws;X}U&|;h7Ae}V(#>z3URGwi0h3@OP<_zRagZWD_5p}1ZLS18
zON~92_w{tZrKHEx^15wLWIR6@5`^g|`9x*Dexc6Z{7CxxF{L&k7MAwhvwD%~y6so5
z$Gbcj^HvY^1e32lzi}~dVj%IG<%5sp5mH!K5mIX&UriUzbX2fBH%eooL}Ot=|Ni-^
z%mi)u^_r>j#~**}fIbp@=+D<VX7GDp0q%di!WWz?ti$oZR<hu|8voE;c5ZCwkUr=Y
zx!?|7v2;$(P<ZmzlkLD`0Q{()d{iDe_!Y@@a)p0x|Ko7v0(7|h|C!SOi5KW>f1Li$
zPyKl{Ah`v8er?Y@xxkZ4_;dR|PV)^q{^Y%X-t3=;tNy=r8mQ?5QU88Z&=Z{h_nZ2^
zd>W$vjjQ?DS^jK#ojK+hCh0TKBcjJR$%bOPBdEadzq?-(=nsD$ezHAK>EGLC7dqR&
zUri<jIOM-v&3|@3`hP#oNfQIdIq>u6RsP-m$bN1A$7w2|<A2{F^!v&2|GXL&u=)4*
z6guSR>Hl$>O{fq2|I_>*Z=1d@rd&8Vo(283gD)9{1qTS@Uj^T&F+?a;9Oji7ywJ3|
zDO_*O8iCiDIfc(0a?t;RMFV<7zsF+UKmIuBPbWK&KL_2ubI@@7--c@FUGSe>>Eu=8
zpA*AtXoUXfCg>gioGVuU$EK5E{MVJ`TR^*Wpds_;YhZyWnNpPSQ_5!D0rX9n%E@t$
z`U-k?{BAwq)YsqE89?6}5pz0u3o=rht0hgTOQo-UgY)DHY3R|4M9JD*zxI1;bE#ys
z7bK5g{QE-#UH|yF-yiyOn$jhLuH)CG{m*tfnW9eGj1v9xCjU4T*++FU3;cQa+FT(*
zwCD{3t6y)jiqQp^#&PNA#pJK<_nrT!(svWw&Z_oY_o4scYB+QOlxQ<ca9^dyvS`!$
zVU}$poinbrUDf(kypxpB{+zD-*6G9sKWP|w{m`9;v4huNQ8O$wU=OlSGP^tfz16zg
z_tjlta{=*@y0MyR!!dn6=zZE;$0~C^GR!+g{R>xDBm=OsQ*H|zKYmgU?NqynQZ7-n
Hxck2V))LuH

literal 0
HcmV?d00001

diff --git a/engine/docs/contributing/set-up-dev-env.md b/engine/docs/contributing/set-up-dev-env.md
new file mode 100644
index 00000000..3d56c0b8
--- /dev/null
+++ b/engine/docs/contributing/set-up-dev-env.md
@@ -0,0 +1,372 @@
+### Work with a development container
+
+In this section, you learn to develop like the Moby Engine core team.
+The `moby/moby` repository includes a `Dockerfile` at its root. This file defines
+Moby's development environment. The `Dockerfile` lists the environment's
+dependencies: system libraries and binaries, Go environment, Go dependencies,
+etc.
+
+Moby's development environment is itself, ultimately a Docker container.
+You use the `moby/moby` repository and its `Dockerfile` to create a Docker image,
+run a Docker container, and develop code in the container.
+
+If you followed the procedures that [set up Git for contributing](./set-up-git.md), you should have a fork of the `moby/moby`
+repository. You also created a branch called `dry-run-test`. In this section,
+you continue working with your fork on this branch.
+
+##  Task 1. Remove images and containers
+
+Moby developers run the latest stable release of the Docker software. They clean their local hosts of
+unnecessary Docker artifacts such as stopped containers or unused images.
+Cleaning unnecessary artifacts isn't strictly necessary, but it is good
+practice, so it is included here.
+
+To remove unnecessary artifacts:
+
+1. Verify that you have no unnecessary containers running on your host.
+
+   ```none
+   $ docker ps -a
+   ```
+
+   You should see something similar to the following:
+
+   ```none
+   CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
+   ```
+
+   There are no running or stopped containers on this host. A fast way to
+   remove old containers is the following:
+
+   You can now use the `docker system prune` command to achieve this:
+
+   ```none
+   $ docker system prune -a
+   ```
+
+   Older versions of the Docker Engine should reference the command below:
+
+   ```none
+   $ docker rm $(docker ps -a -q)
+   ```
+
+   This command uses `docker ps` to list all containers (`-a` flag) by numeric
+   IDs (`-q` flag). Then, the `docker rm` command removes the resulting list.
+   If you have running but unused containers, stop and then remove them with
+   the `docker stop` and `docker rm` commands.
+
+2. Verify that your host has no dangling images.
+
+   ```none
+   $ docker images
+   ```
+
+   You should see something similar to the following:
+
+   ```none
+   REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+   ```
+
+   This host has no images. You may have one or more _dangling_ images. A
+   dangling image is not used by a running container and is not an ancestor of
+   another image on your system. A fast way to remove dangling image is
+   the following:
+
+   ```none
+   $ docker rmi -f $(docker images -q -a -f dangling=true)
+   ```
+
+   This command uses `docker images` to list all images (`-a` flag) by numeric
+   IDs (`-q` flag) and filter them to find dangling images (`-f dangling=true`).
+   Then, the `docker rmi` command forcibly (`-f` flag) removes
+   the resulting list. If you get a "docker: "rmi" requires a minimum of 1 argument."
+   message, that means there were no dangling images. To remove just one image, use the
+   `docker rmi ID` command.
+
+## Task 2. Start a development container
+
+If you followed the last procedure, your host is clean of unnecessary images and
+containers. In this section, you build an image from the Engine development
+environment and run it in the container. Both steps are automated for you by the
+Makefile in the Engine code repository. The first time you build an image, it
+can take over 15 minutes to complete.
+
+1. Open a terminal.
+
+   For [Docker Toolbox](https://github.com/docker/toolbox) users, use `docker-machine status your_vm_name` to make sure your VM is running. You
+   may need to run `eval "$(docker-machine env your_vm_name)"` to initialize your
+   shell environment. If you use Docker for Mac or Docker for Windows, you do not need
+   to use Docker Machine.
+
+2. Change into the root of the `moby-fork` repository.
+
+   ```none
+   $ cd ~/repos/moby-fork
+   ```
+
+   If you are following along with this guide, you created a `dry-run-test`
+   branch when you [set up Git for contributing](./set-up-git.md).
+
+3. Ensure you are on your `dry-run-test` branch.
+
+   ```none
+   $ git checkout dry-run-test
+   ```
+
+   If you get a message that the branch doesn't exist, add the `-b` flag (`git checkout -b dry-run-test`) so the
+   command both creates the branch and checks it out.
+
+4. Use `make` to build a development environment image and run it in a container.
+
+   ```none
+   $ make BIND_DIR=. shell
+   ```
+
+   Using the instructions in the
+   `Dockerfile`, the build may need to download and / or configure source and other images. On first build this process may take between 5 - 15 minutes to create an image. The command returns informational messages as it runs.  A
+   successful build returns a final message and opens a Bash shell into the
+   container.
+
+   ```none
+   Successfully built 3d872560918e
+   Successfully tagged docker-dev:dry-run-test
+   docker run --rm -i --privileged -e BUILDFLAGS -e KEEPBUNDLE -e DOCKER_BUILD_GOGC -e DOCKER_BUILD_PKGS -e DOCKER_CLIENTONLY -e DOCKER_DEBUG -e DOCKER_EXPERIMENTAL -e DOCKER_GITCOMMIT -e DOCKER_GRAPHDRIVER=devicemapper -e DOCKER_INCREMENTAL_BINARY -e DOCKER_REMAP_ROOT -e DOCKER_STORAGE_OPTS -e DOCKER_USERLANDPROXY -e TESTDIRS -e TESTFLAGS -e TIMEOUT -v "home/ubuntu/repos/docker/bundles:/go/src/github.com/docker/docker/bundles" -t "docker-dev:dry-run-test" bash
+   #
+   ```
+
+   At this point, your prompt reflects the container's BASH shell.
+
+5. List the contents of the current directory (`/go/src/github.com/docker/docker`).
+
+   You should see the image's source from the  `/go/src/github.com/docker/docker`
+   directory.
+
+   ![List example](images/list_example.png)
+
+6. Make a `dockerd` binary.
+
+   ```none
+   # hack/make.sh binary
+   Removing bundles/
+
+   ---> Making bundle: binary (in bundles/binary)
+   Building: bundles/binary-daemon/dockerd-17.06.0-dev
+   Created binary: bundles/binary-daemon/dockerd-17.06.0-dev
+   Copying nested executables into bundles/binary-daemon
+
+   ```
+
+7. Run `make install`, which copies the binary to the container's
+   `/usr/local/bin/` directory.
+
+   ```none
+   # make install
+   ```
+
+8. Start the Engine daemon running in the background.
+
+   ```none
+   # dockerd -D &
+   ...output snipped...
+   DEBU[0001] Registering POST, /networks/{id:.*}/connect
+   DEBU[0001] Registering POST, /networks/{id:.*}/disconnect
+   DEBU[0001] Registering DELETE, /networks/{id:.*}
+   INFO[0001] API listen on /var/run/docker.sock
+   DEBU[0003] containerd connection state change: READY
+   ```
+
+   The `-D` flag starts the daemon in debug mode. The `&` starts it as a
+   background process. You'll find these options useful when debugging code
+   development. You will need to hit `return` in order to get back to your shell prompt.
+
+   > **Note**: The following command automates the `build`,
+   > `install`, and `run` steps above. Once the command below completes, hit `ctrl-z` to suspend the process, then run `bg 1` and hit `enter` to resume the daemon process in the background and get back to your shell prompt.
+
+   ```none
+   hack/make.sh binary install-binary run
+   ```
+
+9. Inside your container, check your Docker versions:
+
+   ```none
+   # docker version
+   Client:
+    Version:      17.06.0-ce
+    API version:  1.30
+    Go version:   go1.8.3
+    Git commit:   02c1d87
+    Built:        Fri Jun 23 21:15:15 2017
+    OS/Arch:      linux/amd64
+
+   Server:
+    Version:      dev
+    API version:  1.35 (minimum version 1.12)
+    Go version:   go1.9.2
+    Git commit:   4aa6362da
+    Built:        Sat Dec  2 05:22:42 2017
+    OS/Arch:      linux/amd64
+    Experimental: false
+   ```
+
+   Notice the split versions between client and server, which might be
+   unexpected. In more recent times the Docker CLI component (which provides the
+   `docker` command) has split out from the Moby project and is now maintained in:
+   
+   * [docker/cli](https://github.com/docker/cli) - The Docker CLI source-code;
+   * [docker/docker-ce](https://github.com/docker/docker-ce) - The Docker CE
+     edition project, which assembles engine, CLI and other components.
+   
+   The Moby project now defaults to a [fixed
+   version](https://github.com/docker/docker-ce/commits/v17.06.0-ce) of the
+   `docker` CLI for integration tests.
+
+   You may have noticed the following message when starting the container with the `shell` command:
+   
+   ```none
+   Makefile:123: The docker client CLI has moved to github.com/docker/cli. For a dev-test cycle involving the CLI, run:
+   DOCKER_CLI_PATH=/host/path/to/cli/binary make shell
+   then change the cli and compile into a binary at the same location.
+   ```
+
+   By setting `DOCKER_CLI_PATH` you can supply a newer `docker` CLI to the
+   server development container for testing and for `integration-cli`
+   test-execution:
+
+   ```none
+   make DOCKER_CLI_PATH=/home/ubuntu/git/docker-ce/components/packaging/static/build/linux/docker/docker BIND_DIR=. shell
+   ...
+   # which docker
+   /usr/local/cli/docker
+   # docker --version
+   Docker version 17.09.0-dev, build 
+   ```
+
+    This Docker CLI should be built from the [docker-ce
+    project](https://github.com/docker/docker-ce) and needs to be a Linux
+    binary.
+
+   Inside the container you are running a development version. This is the version
+   on the current branch. It reflects the value of the `VERSION` file at the
+   root of your `docker-fork` repository.
+
+10. Run the `hello-world` image.
+
+    ```none
+    # docker run hello-world
+    ```
+
+11. List the image you just downloaded.
+
+    ```none
+    # docker images
+	REPOSITORY   TAG     IMAGE ID      CREATED        SIZE
+	hello-world  latest  c54a2cc56cbb  3 months ago   1.85 kB
+    ```
+
+12. Open another terminal on your local host.
+
+13. List the container running your development container.
+
+    ```none
+    ubuntu@ubuntu1404:~$ docker ps
+    CONTAINER ID        IMAGE                     COMMAND             CREATED             STATUS              PORTS               NAMES
+    a8b2885ab900        docker-dev:dry-run-test   "hack/dind bash"    43 minutes ago      Up 43 minutes                           hungry_payne
+    ```
+
+    Notice that the tag on the container is marked with the `dry-run-test` branch name.
+
+
+## Task 3. Make a code change
+
+At this point, you have experienced the "Moby inception" technique. That is,
+you have:
+
+* forked and cloned the Moby Engine code repository
+* created a feature branch for development
+* created and started an Engine development container from your branch
+* built a binary inside of your development container
+* launched a `docker` daemon using your newly compiled binary
+* called the `docker` client to run a `hello-world` container inside
+  your development container
+
+Running the `make BIND_DIR=. shell` command mounted your local Docker repository source into
+your Docker container.
+
+   > **Note**: Inspecting the `Dockerfile` shows a `COPY . /go/src/github.com/docker/docker` instruction, suggesting that dynamic code changes will _not_ be reflected in the container. However inspecting the `Makefile` shows that the current working directory _will_ be mounted via a `-v` volume mount.
+
+When you start to develop code though, you'll
+want to iterate code changes and builds inside the container. If you have
+followed this guide exactly, you have a bash shell running a development
+container.
+
+Try a simple code change and see it reflected in your container. For this
+example, you'll edit the help for the `attach` subcommand.
+
+1. If you don't have one, open a terminal in your local host.
+
+2. Make sure you are in your `moby-fork` repository.
+
+   ```none
+   $ pwd
+   /Users/mary/go/src/github.com/moxiegirl/moby-fork
+   ```
+
+   Your location should be different because, at least, your username is
+   different.
+
+3. Open the `cmd/dockerd/docker.go` file.
+
+4. Edit the command's help message.
+
+   For example, you can edit this line:
+
+   ```go
+   Short:         "A self-sufficient runtime for containers.",
+   ```
+
+   And change it to this:
+
+   ```go
+   Short:         "A self-sufficient and really fun runtime for containers.",
+   ```
+
+5. Save and close the `cmd/dockerd/docker.go` file.
+
+6. Go to your running docker development container shell.
+
+7. Rebuild the binary by using the command `hack/make.sh binary` in the docker development container shell.
+
+8. Stop Docker if it is running.
+
+9. Copy the binaries to **/usr/bin** by entering the following commands in the docker development container shell.
+
+   ```
+   hack/make.sh binary install-binary
+   ```
+
+10. To view your change, run the `dockerd --help` command in the docker development container shell.
+
+   ```bash
+   # dockerd --help
+
+   Usage:        dockerd COMMAND
+
+   A self-sufficient and really fun runtime for containers.
+
+   Options:
+   ...
+
+   ```
+
+You've just done the basic workflow for changing the Engine code base. You made
+your code changes in your feature branch. Then, you updated the binary in your
+development container and tried your change out. If you were making a bigger
+change, you might repeat or iterate through this flow several times.
+
+## Where to go next
+
+Congratulations, you have successfully achieved Docker inception. You've had a
+small experience of the development process. You've set up your development
+environment and verified almost all the essential processes you need to
+contribute. Of course, before you start contributing, [you'll need to learn one
+more piece of the development process, the test framework](test.md).
diff --git a/engine/docs/contributing/set-up-git.md b/engine/docs/contributing/set-up-git.md
new file mode 100644
index 00000000..f320c271
--- /dev/null
+++ b/engine/docs/contributing/set-up-git.md
@@ -0,0 +1,280 @@
+### Configure Git for contributing
+
+Work through this page to configure Git and a repository you'll use throughout
+the Contributor Guide. The work you do further in the guide, depends on the work
+you do here.
+
+## Task 1. Fork and clone the Moby code
+
+Before contributing, you first fork the Moby code repository. A fork copies
+a repository at a particular point in time. GitHub tracks for you where a fork
+originates.
+
+As you make contributions, you change your fork's code. When you are ready,
+you make a pull request back to the original Docker repository. If you aren't
+familiar with this workflow, don't worry, this guide walks you through all the
+steps.
+
+To fork and clone Moby:
+
+1. Open a browser and log into GitHub with your account.
+
+2. Go to the <a href="https://github.com/moby/moby"
+target="_blank">moby/moby repository</a>.
+
+3. Click the "Fork" button in the upper right corner of the GitHub interface.
+
+    ![Branch Signature](images/fork_docker.png)
+
+    GitHub forks the repository to your GitHub account. The original
+    `moby/moby` repository becomes a new fork `YOUR_ACCOUNT/moby` under
+    your account.
+
+4. Copy your fork's clone URL from GitHub.
+
+    GitHub allows you to use HTTPS or SSH protocols for clones. You can use the
+    `git` command line or clients like Subversion to clone a repository.
+
+    ![Copy clone URL](images/copy_url.png)
+
+    This guide assume you are using the HTTPS protocol and the `git` command
+    line. If you are comfortable with SSH and some other tool, feel free to use
+    that instead. You'll need to convert what you see in the guide to what is
+    appropriate to your tool.
+
+5. Open a terminal window on your local host and change to your home directory.
+
+   ```bash
+   $ cd ~
+   ```
+
+    In Windows, you'll work in your Docker Quickstart Terminal window instead of
+    Powershell or a `cmd` window.
+
+6. Create a `repos` directory.
+
+   ```bash
+   $ mkdir repos
+   ```
+
+7. Change into your `repos` directory.
+
+   ```bash
+   $ cd repos
+   ```
+
+8. Clone the fork to your local host into a repository called `moby-fork`.
+
+   ```bash
+   $ git clone https://github.com/moxiegirl/moby.git moby-fork
+   ```
+
+    Naming your local repo `moby-fork` should help make these instructions
+    easier to follow; experienced coders don't typically change the name.
+
+9. Change directory into your new `moby-fork` directory.
+
+   ```bash
+   $ cd moby-fork
+   ```
+
+    Take a moment to familiarize yourself with the repository's contents. List
+    the contents.
+
+## Task 2. Set your signature and an upstream remote
+
+When you contribute to Docker, you must certify you agree with the
+<a href="http://developercertificate.org/" target="_blank">Developer Certificate of Origin</a>.
+You indicate your agreement by signing your `git` commits like this:
+
+```
+Signed-off-by: Pat Smith <pat.smith@email.com>
+```
+
+To create a signature, you configure your username and email address in Git.
+You can set these globally or locally on just your `moby-fork` repository.
+You must sign with your real name. You can sign your git commit automatically
+with `git commit -s`. Moby does not accept anonymous contributions or contributions
+through pseudonyms.
+
+As you change code in your fork, you'll want to keep it in sync with the changes
+others make in the `moby/moby` repository. To make syncing easier, you'll
+also add a _remote_ called `upstream` that points to `moby/moby`. A remote
+is just another project version hosted on the internet or network.
+
+To configure your username, email, and add a remote:
+
+1. Change to the root of your `moby-fork` repository.
+
+   ```bash
+   $ cd moby-fork
+   ```
+
+2. Set your `user.name` for the repository.
+
+   ```bash
+   $ git config --local user.name "FirstName LastName"
+   ```
+
+3. Set your `user.email` for the repository.
+
+   ```bash
+   $ git config --local user.email "emailname@mycompany.com"
+   ```
+
+4. Set your local repo to track changes upstream, on the `moby/moby` repository.
+
+   ```bash
+   $ git remote add upstream https://github.com/moby/moby.git
+   ```
+
+5. Check the result in your `git` configuration.
+
+   ```bash
+   $ git config --local -l
+   core.repositoryformatversion=0
+   core.filemode=true
+   core.bare=false
+   core.logallrefupdates=true
+   remote.origin.url=https://github.com/moxiegirl/moby.git
+   remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
+   branch.master.remote=origin
+   branch.master.merge=refs/heads/master
+   user.name=Mary Anthony
+   user.email=mary@docker.com
+   remote.upstream.url=https://github.com/moby/moby.git
+   remote.upstream.fetch=+refs/heads/*:refs/remotes/upstream/*
+   ```
+
+	To list just the remotes use:
+
+   ```bash
+   $ git remote -v
+   origin	https://github.com/moxiegirl/moby.git (fetch)
+   origin	https://github.com/moxiegirl/moby.git (push)
+   upstream https://github.com/moby/moby.git (fetch)
+   upstream https://github.com/moby/moby.git (push)
+   ```
+
+## Task 3. Create and push a branch
+
+As you change code in your fork, make your changes on a repository branch.
+The branch name should reflect what you are working on. In this section, you
+create a branch, make a change, and push it up to your fork.
+
+This branch is just for testing your config for this guide. The changes are part
+of a dry run, so the branch name will be dry-run-test. To create and push
+the branch to your fork on GitHub:
+
+1. Open a terminal and go to the root of your `moby-fork`.
+
+   ```bash
+   $ cd moby-fork
+   ```
+
+2. Create a `dry-run-test` branch.
+
+   ```bash
+   $ git checkout -b dry-run-test
+   ```
+
+    This command creates the branch and switches the repository to it.
+
+3. Verify you are in your new branch.
+
+   ```bash
+   $ git branch
+   * dry-run-test
+     master
+   ```
+
+    The current branch has an * (asterisk) marker. So, these results show you
+    are on the right branch.
+
+4. Create a `TEST.md` file in the repository's root.
+
+   ```bash
+   $ touch TEST.md
+   ```
+
+5. Edit the file and add your email and location.
+
+    ![Add your information](images/contributor-edit.png)
+
+    You can use any text editor you are comfortable with.
+
+6. Save and close the file.
+
+7. Check the status of your branch.
+
+   ```bash
+   $ git status
+   On branch dry-run-test
+   Untracked files:
+     (use "git add <file>..." to include in what will be committed)
+
+       TEST.md
+
+   nothing added to commit but untracked files present (use "git add" to track)
+   ```
+
+	You've only changed the one file. It is untracked so far by git.
+
+8. Add your file.
+
+   ```bash
+   $ git add TEST.md
+   ```
+
+    That is the only _staged_ file. Stage is fancy word for work that Git is
+    tracking.
+
+9. Sign and commit your change.
+
+   ```bash
+   $ git commit -s -m "Making a dry run test."
+   [dry-run-test 6e728fb] Making a dry run test
+    1 file changed, 1 insertion(+)
+    create mode 100644 TEST.md
+   ```
+
+    Commit messages should have a short summary sentence of no more than 50
+    characters. Optionally, you can also include a more detailed explanation
+    after the summary. Separate the summary from any explanation with an empty
+    line.
+
+10. Push your changes to GitHub.
+
+    ```bash
+    $ git push --set-upstream origin dry-run-test
+    Username for 'https://github.com': moxiegirl
+    Password for 'https://moxiegirl@github.com':
+    ```
+
+    Git prompts you for your GitHub username and password. Then, the command
+    returns a result.
+
+    ```bash
+    Counting objects: 13, done.
+    Compressing objects: 100% (2/2), done.
+    Writing objects: 100% (3/3), 320 bytes | 0 bytes/s, done.
+    Total 3 (delta 1), reused 0 (delta 0)
+    To https://github.com/moxiegirl/moby.git
+     * [new branch]      dry-run-test -> dry-run-test
+    Branch dry-run-test set up to track remote branch dry-run-test from origin.
+    ```
+
+11. Open your browser to GitHub.
+
+12. Navigate to your Moby fork.
+
+13. Make sure the `dry-run-test` branch exists, that it has your commit, and the
+commit is signed.
+
+    ![Branch Signature](images/branch-sig.png)
+
+## Where to go next
+
+Congratulations, you have finished configuring both your local host environment
+and Git for contributing. In the next section you'll [learn how to set up and
+work in a Moby development container](set-up-dev-env.md).
diff --git a/engine/docs/contributing/software-req-win.md b/engine/docs/contributing/software-req-win.md
new file mode 100644
index 00000000..3070d34e
--- /dev/null
+++ b/engine/docs/contributing/software-req-win.md
@@ -0,0 +1,177 @@
+### Build and test Moby on Windows
+
+This page explains how to get the software you need to build, test, and run the
+Moby source code for Windows and setup the required software and services:
+
+- Windows containers
+- GitHub account
+- Git
+
+## Prerequisites
+
+### 1. Windows Server 2016 or Windows 10 with all Windows updates applied
+
+The major build number must be at least 14393. This can be confirmed, for example,
+by running the following from an elevated PowerShell prompt - this sample output
+is from a fully up to date machine as at mid-November 2016:
+
+
+    PS C:\> $(gin).WindowsBuildLabEx
+    14393.447.amd64fre.rs1_release_inmarket.161102-0100
+
+### 2. Git for Windows (or another git client) must be installed
+
+https://git-scm.com/download/win.
+
+### 3. The machine must be configured to run containers
+
+For example, by following the quick start guidance at
+https://msdn.microsoft.com/en-us/virtualization/windowscontainers/quick_start/quick_start or https://github.com/docker/labs/blob/master/windows/windows-containers/Setup.md
+
+### 4. If building in a Hyper-V VM
+
+For Windows Server 2016 using Windows Server containers as the default option,
+it is recommended you have at least 1GB of memory assigned;
+For Windows 10 where Hyper-V Containers are employed, you should have at least
+4GB of memory assigned.
+Note also, to run Hyper-V containers in a VM, it is necessary to configure the VM
+for nested virtualization.
+
+## Usage
+
+The following steps should be run from an elevated Windows PowerShell prompt.
+
+>**Note**:  In a default installation of containers on Windows following the quick-start guidance at https://msdn.microsoft.com/en-us/virtualization/windowscontainers/quick_start/quick_start,
+the `docker.exe` client must run elevated to be able to connect to the daemon).
+
+### 1. Windows containers
+
+To test and run the Windows Moby engine, you need a system that supports Windows Containers:
+
+- Windows 10 Anniversary Edition
+- Windows Server 2016 running in a VM, on bare metal or in the cloud
+
+Check out the [getting started documentation](https://github.com/docker/labs/blob/master/windows/windows-containers/Setup.md) for details.
+
+### 2. GitHub account
+
+To contribute to the Docker project, you need a <a href="https://github.com" target="_blank">GitHub account</a>.
+A free account is fine. All the Moby project repositories are public and visible to everyone.
+
+This guide assumes that you have basic familiarity with Git and Github terminology
+and usage.
+Refer to [GitHub For Beginners: Don’t Get Scared, Get Started](http://readwrite.com/2013/09/30/understanding-github-a-journey-for-beginners-part-1/)
+to get up to speed on Github.
+
+### 3. Git
+
+In PowerShell, run:
+
+    Invoke-Webrequest "https://github.com/git-for-windows/git/releases/download/v2.7.2.windows.1/Git-2.7.2-64-bit.exe" -OutFile git.exe -UseBasicParsing
+    Start-Process git.exe -ArgumentList '/VERYSILENT /SUPPRESSMSGBOXES /CLOSEAPPLICATIONS /DIR=c:\git\' -Wait
+    setx /M PATH "$env:Path;c:\git\cmd"
+
+You are now ready clone and build the Moby source code.
+
+### 4. Clone Moby
+
+In a new (to pick up the path change) PowerShell prompt, run:
+
+    git clone https://github.com/moby/moby
+    cd moby
+
+This clones the main Moby repository. Check out [Moby Project](https://mobyproject.org)
+to learn about the other software that powers the Moby platform.
+
+### 5. Build and run
+
+Create a builder-container with the Moby source code. You can change the source
+code on your system and rebuild any time:
+
+    docker build -t nativebuildimage -f .\Dockerfile.windows .
+    docker build -t nativebuildimage -f Dockerfile.windows -m 2GB .  # (if using Hyper-V containers)
+
+To build Moby, run:
+
+    $DOCKER_GITCOMMIT=(git rev-parse --short HEAD)
+    docker run --name binaries -e DOCKER_GITCOMMIT=$DOCKER_GITCOMMIT nativebuildimage hack\make.ps1 -Binary
+    docker run --name binaries -e DOCKER_GITCOMMIT=$DOCKER_GITCOMMIT -m 2GB nativebuildimage hack\make.ps1 -Binary  # (if using Hyper-V containers)
+
+Copy out the resulting Windows Moby Engine binary to `dockerd.exe` in the
+current directory:
+
+    docker cp binaries:C:\go\src\github.com\docker\docker\bundles\docker.exe docker.exe
+    docker cp binaries:C:\go\src\github.com\docker\docker\bundles\dockerd.exe dockerd.exe
+
+To test it, stop the system Docker daemon and start the one you just built:
+
+    Stop-Service Docker
+    .\dockerd.exe -D
+
+The other make targets work too, to run unit tests try:
+`docker run --rm docker-builder sh -c 'cd /c/go/src/github.com/docker/docker; hack/make.sh test-unit'`.
+
+### 6. Remove the interim binaries container
+
+_(Optional)_
+
+    docker rm binaries
+
+### 7. Remove the image
+
+_(Optional)_
+
+It may be useful to keep this image around if you need to build multiple times.
+Then you can take advantage of the builder cache to have an image which has all
+the components required to build the binaries already installed.
+
+    docker rmi nativebuildimage
+
+## Validation
+
+The validation tests can only run directly on the host.
+This is because they calculate information from the git repo, but the .git directory
+is not passed into the image as it is excluded via `.dockerignore`.
+Run the following from a Windows PowerShell prompt (elevation is not required):
+(Note Go must be installed to run these tests)
+
+    hack\make.ps1 -DCO -PkgImports -GoFormat
+
+## Unit tests
+
+To run unit tests, ensure you have created the nativebuildimage above.
+Then run one of the following from an (elevated) Windows PowerShell prompt:
+
+    docker run --rm nativebuildimage hack\make.ps1 -TestUnit
+    docker run --rm -m 2GB nativebuildimage hack\make.ps1 -TestUnit  # (if using Hyper-V containers)
+
+To run unit tests and binary build, ensure you have created the nativebuildimage above.
+Then run one of the following from an (elevated) Windows PowerShell prompt:
+
+    docker run nativebuildimage hack\make.ps1 -All
+    docker run -m 2GB nativebuildimage hack\make.ps1 -All  # (if using Hyper-V containers)
+
+## Windows limitations
+
+Don't attempt to use a bind mount to pass a local directory as the bundles
+target directory.
+It does not work (golang attempts for follow a mapped folder incorrectly).
+Instead, use docker cp as per the example.
+
+`go.zip` is not removed from the image as it is used by the Windows CI servers
+to ensure the host and image are running consistent versions of go.
+
+Nanoserver support is a work in progress. Although the image will build if the
+`FROM` statement is updated, it will not work when running autogen through `hack\make.ps1`.
+It is suspected that the required GCC utilities (eg gcc, windres, windmc) silently
+quit due to the use of console hooks which are not available.
+
+The docker integration tests do not currently run in a container on Windows,
+predominantly due to Windows not supporting privileged mode, so anything using a volume would fail.
+They (along with the rest of the docker CI suite) can be run using
+https://github.com/jhowardmsft/docker-w2wCIScripts/blob/master/runCI/Invoke-DockerCI.ps1.
+
+## Where to go next
+
+In the next section, you'll [learn how to set up and configure Git for
+contributing to Moby](set-up-git.md).
diff --git a/engine/docs/contributing/software-required.md b/engine/docs/contributing/software-required.md
new file mode 100644
index 00000000..b14c6f90
--- /dev/null
+++ b/engine/docs/contributing/software-required.md
@@ -0,0 +1,94 @@
+### Get the required software for Linux or macOS
+
+This page explains how to get the software you need to use a Linux or macOS
+machine for Moby development. Before you begin contributing you must have:
+
+*  a GitHub account
+* `git`
+* `make`
+* `docker`
+
+You'll notice that `go`, the language that Moby is written in, is not listed.
+That's because you don't need it installed; Moby's development environment
+provides it for you. You'll learn more about the development environment later.
+
+## Task 1. Get a GitHub account
+
+To contribute to the Moby project, you will need a <a
+href="https://github.com" target="_blank">GitHub account</a>. A free account is
+fine. All the Moby project repositories are public and visible to everyone.
+
+You should also have some experience using both the GitHub application and `git`
+on the command line.
+
+## Task 2. Install git
+
+Install `git` on your local system. You can check if `git` is on already on your
+system and properly installed with the following command:
+
+```bash
+$ git --version
+```
+
+This documentation is written using `git` version 2.2.2. Your version may be
+different depending on your OS.
+
+## Task 3. Install make
+
+Install `make`. You can check if `make` is on your system with the following
+command:
+
+```bash
+$ make -v
+```
+
+This documentation is written using GNU Make 3.81. Your version may be different
+depending on your OS.
+
+## Task 4. Install or upgrade Docker
+
+If you haven't already, install the Docker software using the
+<a href="https://docs.docker.com/engine/installation/" target="_blank">instructions for your operating system</a>.
+If you have an existing installation, check your version and make sure you have
+the latest Docker.
+
+To check if `docker` is already installed on Linux:
+
+```bash
+docker --version
+Docker version 17.10.0-ce, build f4ffd25
+```
+
+On macOS or Windows, you should have installed Docker for Mac or
+Docker for Windows.
+
+```bash
+$ docker --version
+Docker version 17.10.0-ce, build f4ffd25
+```
+
+## Tip for Linux users
+
+This guide assumes you have added your user to the `docker` group on your system.
+To check, list the group's contents:
+
+```
+$ getent group docker
+docker:x:999:ubuntu
+```
+
+If the command returns no matches, you have two choices. You can preface this
+guide's `docker` commands with `sudo` as you work. Alternatively, you can add
+your user to the `docker` group as follows:
+
+```bash
+$ sudo usermod -aG docker ubuntu
+```
+
+You must log out and log back in for this modification to take effect.
+
+
+## Where to go next
+
+In the next section, you'll [learn how to set up and configure Git for
+contributing to Moby](set-up-git.md).
diff --git a/engine/docs/contributing/test.md b/engine/docs/contributing/test.md
new file mode 100644
index 00000000..fdcee328
--- /dev/null
+++ b/engine/docs/contributing/test.md
@@ -0,0 +1,244 @@
+### Run tests
+
+Contributing includes testing your changes. If you change the Moby code, you
+may need to add a new test or modify an existing test. Your contribution could
+even be adding tests to Moby. For this reason, you need to know a little
+about Moby's test infrastructure.
+
+This section describes tests you can run in the `dry-run-test` branch of your Docker
+fork. If you have followed along in this guide, you already have this branch.
+If you don't have this branch, you can create it or simply use another of your
+branches.
+
+## Understand how to test Moby
+
+Moby tests use the Go language's test framework. In this framework, files
+whose names end in `_test.go` contain test code; you'll find test files like
+this throughout the Moby repo. Use these files for inspiration when writing
+your own tests. For information on Go's test framework, see <a
+href="http://golang.org/pkg/testing/" target="_blank">Go's testing package
+documentation</a> and the <a href="http://golang.org/cmd/go/#hdr-Test_packages"
+target="_blank">go test help</a>.
+
+You are responsible for _unit testing_ your contribution when you add new or
+change existing Moby code. A unit test is a piece of code that invokes a
+single, small piece of code (_unit of work_) to verify the unit works as
+expected.
+
+Depending on your contribution, you may need to add _integration tests_. These
+are tests that combine two or more work units into one component. These work
+units each have unit tests and then, together, integration tests that test the
+interface between the components. The `integration` and `integration-cli`
+directories in the Docker repository contain integration test code.  Note that
+`integration-cli` tests are now deprecated in the Moby project, and new tests
+cannot be added to this suite - add `integration` tests instead using the API
+client.
+
+Testing is its own specialty. If you aren't familiar with testing techniques,
+there is a lot of information available to you on the Web. For now, you should
+understand that, the Docker maintainers may ask you to write a new test or
+change an existing one.
+
+## Run tests on your local host
+
+Before submitting a pull request with a code change, you should run the entire
+Moby Engine test suite. The `Makefile` contains a target for the entire test
+suite, named `test`. Also, it contains several targets for
+testing:
+
+| Target                 | What this target does                          |
+| ---------------------- | ---------------------------------------------- |
+| `test`                 | Run the unit, integration, and docker-py tests |
+| `test-unit`            | Run just the unit tests                        |
+| `test-integration`     | Run the integration tests                      |
+| `test-docker-py`       | Run the tests for the Docker API client        |
+
+Running the entire test suite on your current repository can take over half an
+hour. To run the test suite, do the following:
+
+1.  Open a terminal on your local host.
+
+2.  Change to the root of your Docker repository.
+
+    ```bash
+    $ cd moby-fork
+    ```
+
+3.  Make sure you are in your development branch.
+
+    ```bash
+    $ git checkout dry-run-test
+    ```
+
+4.  Run the `make test` command.
+
+    ```bash
+    $ make test
+    ```
+
+    This command does several things, it creates a container temporarily for
+    testing. Inside that container, the `make`:
+
+    * creates a new binary
+    * cross-compiles all the binaries for the various operating systems
+    * runs all the tests in the system
+
+    It can take approximate one hour to run all the tests. The time depends
+    on your host performance. The default timeout is 60 minutes, which is
+    defined in `hack/make.sh` (`${TIMEOUT:=60m}`). You can modify the timeout
+    value on the basis of your host performance. When they complete
+    successfully, you see the output concludes with something like this:
+
+    ```none
+    Ran 68 tests in 79.135s
+    ```
+
+## Run targets inside a development container
+
+If you are working inside a development container, you use the
+`hack/test/unit` script to run unit-tests, and `hack/make.sh` script to run
+integration and other tests. The `hack/make.sh` script doesn't
+have a single target that runs all the tests. Instead, you provide a single
+command line with multiple targets that does the same thing.
+
+Try this now.
+
+1.  Open a terminal and change to the `moby-fork` root.
+
+2.  Start a Moby development image.
+
+    If you are following along with this guide, you should have a
+    `dry-run-test` image.
+
+    ```bash
+    $ docker run --privileged --rm -ti -v `pwd`:/go/src/github.com/docker/docker dry-run-test /bin/bash
+    ```
+
+3.  Run the unit tests using the `hack/test/unit` script.
+
+    ```bash
+    # hack/test/unit
+    ```
+
+4.  Run the tests using the `hack/make.sh` script.
+
+    ```bash
+    # hack/make.sh dynbinary binary cross test-integration test-docker-py
+    ```
+
+    The tests run just as they did within your local host.
+
+    Of course, you can also run a subset of these targets too. For example, to run
+    just the integration tests:
+
+    ```bash
+    # hack/make.sh dynbinary binary cross test-integration
+    ```
+
+    Most test targets require that you build these precursor targets first:
+    `dynbinary binary cross`
+
+
+## Run unit tests
+
+We use golang standard [testing](https://golang.org/pkg/testing/)
+package or [gocheck](https://labix.org/gocheck) for our unit tests.
+
+You can use the `TESTDIRS` environment variable to run unit tests for
+a single package.
+
+```bash
+$ TESTDIRS='opts' make test-unit
+```
+
+You can also use the `TESTFLAGS` environment variable to run a single test. The
+flag's value is passed as arguments to the `go test` command. For example, from
+your local host you can run the `TestBuild` test with this command:
+
+```bash
+$ TESTFLAGS='-test.run ^TestValidateIPAddress$' make test-unit
+```
+
+On unit tests, it's better to use `TESTFLAGS` in combination with
+`TESTDIRS` to make it quicker to run a specific test.
+
+```bash
+$ TESTDIRS='opts' TESTFLAGS='-test.run ^TestValidateIPAddress$' make test-unit
+```
+
+## Run integration tests
+
+We use [gocheck](https://labix.org/gocheck) for our integration-cli tests.
+You can use the `TESTFLAGS` environment variable to run a single test. The
+flag's value is passed as arguments to the `go test` command. For example, from
+your local host you can run the `TestBuild` test with this command:
+
+```bash
+$ TESTFLAGS='-check.f DockerSuite.TestBuild*' make test-integration
+```
+
+To run the same test inside your Docker development container, you do this:
+
+```bash
+# TESTFLAGS='-check.f TestBuild*' hack/make.sh binary test-integration
+```
+
+## Test the Windows binary against a Linux daemon
+
+This explains how to test the Windows binary on a Windows machine set up as a
+development environment. The tests will be run against a daemon
+running on a remote Linux machine. You'll use **Git Bash** that came with the
+Git for Windows installation. **Git Bash**, just as it sounds, allows you to
+run a Bash terminal on Windows.
+
+1.  If you don't have one open already, start a Git Bash terminal.
+
+    ![Git Bash](images/git_bash.png)
+
+2.  Change to the `moby` source directory.
+
+    ```bash
+    $ cd /c/gopath/src/github.com/docker/docker
+    ```
+
+3.  Set `DOCKER_REMOTE_DAEMON` as follows:
+
+    ```bash
+    $ export DOCKER_REMOTE_DAEMON=1
+    ```
+
+4.  Set `DOCKER_TEST_HOST` to the `tcp://IP_ADDRESS:2376` value; substitute your
+    Linux machines actual IP address. For example:
+
+    ```bash
+    $ export DOCKER_TEST_HOST=tcp://213.124.23.200:2376
+    ```
+
+5.  Make the binary and run the tests:
+
+    ```bash
+    $ hack/make.sh binary test-integration
+    ```
+    Some tests are skipped on Windows for various reasons. You can see which
+    tests were skipped by re-running the make and passing in the
+   `TESTFLAGS='-test.v'` value. For example
+
+    ```bash
+    $ TESTFLAGS='-test.v' hack/make.sh binary test-integration
+    ```
+
+    Should you wish to run a single test such as one with the name
+    'TestExample', you can pass in `TESTFLAGS='-check.f TestExample'`. For
+    example
+
+    ```bash
+    $ TESTFLAGS='-check.f TestExample' hack/make.sh binary test-integration
+    ```
+
+You can now choose to make changes to the Moby source or the tests. If you
+make any changes, just run these commands again.
+
+## Where to go next
+
+Congratulations, you have successfully completed the basics you need to
+understand the Moby test framework.
diff --git a/engine/docs/contributing/who-written-for.md b/engine/docs/contributing/who-written-for.md
new file mode 100644
index 00000000..1431f42c
--- /dev/null
+++ b/engine/docs/contributing/who-written-for.md
@@ -0,0 +1,49 @@
+### README first
+
+This section of the documentation contains a guide for Moby project users who want to
+contribute code or documentation to the Moby Engine project. As a community, we
+share rules of behavior and interaction. Make sure you are familiar with the <a
+href="https://github.com/moby/moby/blob/master/CONTRIBUTING.md#docker-community-guidelines"
+target="_blank">community guidelines</a> before continuing.
+
+## Where and what you can contribute
+
+The Moby project consists of not just one but several repositories on GitHub.
+So, in addition to the `moby/moby` repository, there is the
+`containerd/containerd` repo, the `moby/buildkit` repo, and several more.
+Contribute to any of these and you contribute to the Moby project.
+
+Not all Moby repositories use the Go language. Also, each repository has its
+own focus area. So, if you are an experienced contributor, think about
+contributing to a Moby project repository that has a language or a focus area you are
+familiar with.
+
+If you are new to the open source community, to Moby, or to formal
+programming, you should start out contributing to the `moby/moby`
+repository. Why? Because this guide is written for that repository specifically.
+
+Finally, code or documentation isn't the only way to contribute. You can report
+an issue, add to discussions in our community channel, write a blog post, or
+take a usability test. You can even propose your own type of contribution.
+Right now we don't have a lot written about this yet, but feel free to open an issue
+to discuss other contributions.
+
+## How to use this guide
+
+This is written for the distracted, the overworked, the sloppy reader with fair
+`git` skills and a failing memory for the GitHub GUI. The guide attempts to
+explain how to use the Moby Engine development environment as precisely,
+predictably, and procedurally as possible.
+
+Users who are new to Engine development should start by setting up their
+environment. Then, they should try a simple code change. After that, you should
+find something to work on or propose a totally new change.
+
+If you are a programming prodigy, you still may find this documentation useful.
+Please feel free to skim past information you find obvious or boring.
+
+## How to get started
+
+Start by getting the software you require. If you are on Mac or Linux, go to
+[get the required software for Linux or macOS](software-required.md). If you are
+on Windows, see [get the required software for Windows](software-req-win.md).
diff --git a/engine/docs/static_files/contributors.png b/engine/docs/static_files/contributors.png
new file mode 100644
index 0000000000000000000000000000000000000000..63c0a0c09b58bce2e1ade867760a937612934202
GIT binary patch
literal 23100
zcmb@OV{j(E_x888ZEbB^Tbp;=t!>=3ZQHint!;a2+qU)J@BCgqZ=W|wCYelTGH1?Q
z`J8JKt|%{o0E-Lz<HrvKDM?Y~A3s32{*9}kA^)}4-+v<ibs&z)62E@bOyi&a_#yN|
zN>o_Y4dhY>#tUQd@oOt3`ho<czZ)7xMiJNt!Q7hEid>OL|BKcJqN3Vxy$AhV?ax|X
zwP7_xdmcs=u4=&I4-7>PVT51Et0V?6adF`Fly>RguBKa_?u?$lQ0phh>{!;bJF?oY
zC)<v5?sbGHv%z?voDfg&|8nO!3LX1RgZ%%W5VErG{i_Ladf3R1NaZUE{Sp5I%+~bM
z!~VRFKI2%YZTTHCJx`^<QOG~Qagsf9-NKgAtsA6RlKle{E2D$03yqUgV%^PWTvme#
zUN8jZxxRwazM=7!=6vxSAO8;xtU$|Zyq7uN7IsQh#F2S3!%jwE<RvkZ7+ZahVj1-d
zSS)07Ak8`8q6i<z1*}?#D82eX*!qP3lZbH9Ek~x)%N}iac}9IWv#?6%7MR>U*RkjI
zsZ{9ymFQPP=Ffni?-C9P+OC9;+m(1`#sifR2o?cG#SMq<7^FFga@MBPTZc}}8{OtP
z!CXnufoQzjhXU6pDu?FO?q?N~x)gG+s5_)nwFPTwBYb7~CibK72sE%1)SrJd^${!^
zEHw&Dtkf^i4vaU^uU^}gy=)4@H#0a?oWg*dF~t!rx~8uPt`)MO;*-1xScpDwk8Yd6
zV|oWAE&v<#MZbeL_k~-u+`8|Wmvs+s;S27<SU^P!SeIGPa-hQVCA`De-3k6>t7f}(
zmXlHcCaBX3IF<@+Er8_&TT#hEUm$9AWJhM+a2DG>$2af5AN|C9xfYFRFuLL?G1+^h
z)!T!@8{JnMuGS?na}ca1a>7RB3N7|6Ju30;Ef@hw{DK01K4-F7z?<viMn;B!ZzJM*
zClA&xSz93_X|318zEgf84#YA}Y1)E;*6A&;I_LUcfPo+r$Tz=N(IW4skMEx<odaLC
z*Q{(Q5^?NB72;(M)?T6jjN-iX5w3x89$@a?EK|l!HAl)#t6?EMl-IYn&QD({>2a1d
z6xYB&;G|Ie<*=I5*<4$#T&O(X^Lx-a9hgg%5-@!cNcW>GOGntHUgUcesfkwoDU2}(
zp^XvJc&>8m=-3u88Wgay@j*@{{4f45)4=9Jiy38dDa1naT<3nu?&eE&0d1Rn`W{JW
z+U8LtqZPyYp%!)zg2B{3Lbkcu{ZEP<^T>cg)(%UgkghgLTC7~CpI^-|9klpVyAWH7
zHV%sv1WpJwWSw3XfkAq0r09b)a@xX9bKHO9xrn_r-#E&xkbhxq3~^b?MMfTMrD`?h
zS1|01CL;=KT9+@O+wU!YZtx6RE#mF=ft=3IwPZU@AV(b-C>&!>dN-kzGwftdTF&rd
zV2HwHnX$g0Btk=EJ0UuWB9?h;sVo?F6sphY7i^nLa<MG{miHzJ;-Ru@<Um@pZI<Ax
zQMJ|(2WszPFNDTN&Ve_w)E}Q6Mh7-6yUkXHS=|iu@8b8*cEd+iiW>qx;0#|-1_NIN
znQ=;!ID#{lTECe0DwM(&vRwJD*)Gz$_3@es`+CpqM7Q%IYfT1VZ34@S>|}^$zHlkX
zqF8IhE*z}@E5)`|)vYmMV8Fuuwl#g)M;dnrznCsx^)FDd&2BGw3%jIv9)+lZGfX0)
zYXR{+(nD1^wvq>61Pi@=cYUqu1fPu({)DXZT}E*gsEJb65~g}4&2#wpn~EreB`Aiq
zg7Pbi@B7eVz2$nQVzSKlXewM|_q0II6N#6^m%zv+)CQ#e{aek6h^j*oSezfg@@E<G
zW%&5h&KP(Iw!BtUlrkxi?TV0;j^CryykC+;otLA0L(8x=fAk?Wo`EyXFHAk$ntky1
z26xFR1`9Ol>S8MT<mw;qON`?9%E0>#Kt;stN<x76H-6|d!7!tEDEpIA?E_%_%DJH{
z%c*NaXMR)&{7zIi+YKp<Kps5HvtAercpwf%Tqk1w6DV;RUZuwFfg8vuq4#`454}(1
zj_<hVcmE18y|nVj?6ES9E#d0I$s(7{ip0fu%zRMFB;C!k&*?FzkBLyBvmKY4{iQYa
zQZIb0uHp5sIG@M5Q`LsvsL`vAvC-yuFgEqo-9`zccHyGTRCiAOBHPwC=|_9-%mtL7
z;A#Le>sM)7<|y0gZ}3|BfisAPKfpssv+PnM%1VQY)$rhkVcvBn)CNqo=Dw6JxNoo5
z+?S)IhN;I!PR9W}TV0%Cg%P|=Rwc*vuJcWXX}&i%Q7k8eY_YQNJh(%Oe)&`@<6og9
zh)NBcA`1moGJ-+ovIx@i7-yFFK0~yQnAM8Sr9^6XuoX!AbC?P$q2~6iiAfl=nAEpt
ztl<$HhP=f;xkH2R(?;rl($kw#&`v9rb%-xrT#kQOtTDMAWxbBS4HQeav)Z{pn`{*f
zNzch%el?n$o;f<FUQVyME9TL~grfFncrH1&u#o}sy;PVe0d+JG<Mo5%2G)C7CeqDN
zM405IG-Hvb6_-Pe7_xHN95(SD-BfZRWzH>}o{1b;5TUzc)DubRG<JJQ&f5UHj!K_P
zOGfVviv((o(QAks+!nLeG0Gy&7J2I;<8xlzTN7SwMs53*b%0*-xM^wiU!RYPzjHn>
z_P6s%V$>GskUzg(#JC12ZBkjI>s2sl+{Py{-jh`1@wQ-7m7=K;DQA=*epw=LFrIgt
zbYj&O@gA1R^a2EOt0z<MFpC$pnk#vdJz=>3ZbP);;o)nTj2r^hI#QW~6(^`bRt$iy
zl()J$C_Q(fa_hBYvjNUJAg)_uN(5Yc^KwcJf^P4KI#lO(yt;Dt%5_C^SN+!I$*8R(
z9M?!Cjh>#_`&aK}=msRvaedcGO2XFZhr>Gl8X2nHL0P#*@kV6U<iJXgCuR3aT0~nd
z-AEx`s?l|Xx0}Tvhi0ug#ri!WCWA()xCWe|JWs7yR;M3pFy(^!ODs9#-cNew!|v`;
zt@{WM`cF|33Q^DXYUyg!Lb(yQ*QZKsa2DC@Kr6_$;ZdIxISi$;I5_YHKyyk($oDP(
ztS=QmRuQ~7`V@|%VE6L?P8!oMFJ(9-2D0ndd8YB-O^%dEx4%$_AFDs4p72-_mi+=y
zP4`fuoG2P%o(NYWZScy+>ApxH+v_8;{N_M0Pl$r%yaDSqn6uqqIJBFa=5ojh-~A-^
zPmeoEHRJI_JUY^dNhY?vAL@v^rHqsPz1_@V2OKVYs(b?9_I#N5q3U0Chzi|5KU0n>
zRmfWd!I0N3rM@IH1c^x0U4q4o!Kk0L38x(yTR!)X$*8xmmY-}#7eIVJZkfXzV88`x
z!$Al&+Ttx~wK}v8dyHMT_ubr=!e}@<74}62y?&~Oka<!i?_F2!VeZ!ir%b+XKf=}2
zb#-~wP0=>F>|qt<k8x$Hh(x$}OMz!e@*6~7u-A=%#j209{!9LiEKpV89A3N061%?7
zn{Jj>=A81dXQ63s+)pM>@<@++StGdv_h{M{^*6(4wSA?L&`h(vdvy=jjQhB$s3~ob
z3Y`hzC%|P0cDQR_1}PGC$1c0J>5p^z_2l~T?oQ@{K_oKU9b&I1Oyd<(gP?o$^i(oi
z9e5d7eY~#v%EB)Gf-*+X+6%$qZ+Vc+9vrd(yTQ-(`<we8WAO*8E|=1tUyPt~6qrGd
z^{#MS+_O^0z2y5se@!_365-w6hN-4$u7pgFP%gF`aAXK&2CZq>=Y7~>G&eQq3jTPK
z?+SNz?L*%+JQ<Bufls>aLZ}9TlRVYrGKEHC-v<V-Bqj$=@>eo<>48F+QB1OX_b-y1
ziFZCun;tAP&7Y0IJMx=&mUN}<`z*`t?N2aY?vk(MCdW=@(=uNkl~T80k&p~)NiMJI
z_V}mOu+X9?basLL{_S~lM#kyDMHEU41?1ZZYu1zXWaw)kUC>@9r_yDtAL81{(T__n
zc9AR&U8ZH_zL$h_w_(L9u3!zbOuU;*atF*!Dy$yc+6<QrofV0g5YAh=R?th5y+q8P
zC=7VM)r&&hM$%5~#q*%iB*OoCOsXb#_^iFFI<H^ONrY#aKO5h6XXJ02+x=}Lv4Kxc
zua!xClVu!t@GmuK{bn8+FwmsH*6ysBbE&m#Dn&~*;(b0?M71?^@=nVvtG;3k&`RDH
z%U+{~676lP{E8eGd2VvC*Do}6fpy1^Nayx}y~c??Ly_V*V3LCYMJ6N+CwAp@;rJ7k
zF|!J)0UCgUfwMIEl<F~VOF_5}>j<Rj_`%U2`1Ta-($d%bji6y@=GRc>HptGZq~HnX
z=%6U+11T1-&TdgZrFtxrFlCioFmWS8XF@Re;1RY?ajff%ePKRjy6$9|i_b(x*Us2^
z%v;$!7$sR!p8U~Ig?=`jzhrjarKGU>D6stp{3uUyIHUa{YK?X8$H#H%cXf^v!fhH`
zd1;q$Ji0XkZSz3MoDGoRY4Hr<oC=?c{~qIrVKdC)UIn<^TVZJ>VPP`SD6+hx8B*&}
z^G~lwg9($F&bIPYuHK!?;+*1Yn|Z8zXgMP~u^^s+)+BZTyV`i5c+jAnK$g?Dnzz)l
z!Lp;k+7bS(+$`DHlDO2k6A{&JPK_#sC_IJ<_YZn9bCeXD@>Dj*oU~^Oipd|a)1j@@
zd9c!{Z-pq$UXCd0r8J=tRefM@qn=`a<zw^RX>PczYp}J#$p75w76m2L2&@gGH$xJ5
zEeP7RUtVAh)Jbl6Yn%30+Y`!kdZ6Ddopj|r8m7J_48skVI%iLci*%x^Cd%eekU|aJ
za?ga`snZG8h>&sMx#noLwhE~?*DOd#a%inn;Nbr3K6u?*D6_Fo4*LmTtgal6xQ1MT
z1fvmX5TVixN1@_b0Lk-qCbFQ0`YXFK?N{fmK3&ch^rVcuNO^sxWLHOilBqsU-<a~z
zRun*jua_osH0y2FV&F!9*ua?21;dDuo~Fv=JFW!M08@Y94!vqD&V)-V2iBEA_yQef
zF(bC|LYb;#OmGNRoT+TI7lt*3v<GAn`R7j508SGr$U78toUkYqoLseW6vGaUdp;36
z8kDuflHst!tBq~{eWC<lc<SYG2yCWn@{gPTIcI5BF^1tl!blcXGh|e5cW?B9l~L~p
zU5?#KU+=3F*&-VmCBHvG&{;K1HizTXFIl}C4i2<e^*Hy`i?O~KSG|D_3(enq4;gn?
zJ%4(GGkAS4)mWm%gEc+}o#-^Y2i@hPV#%T`$Z@a6yS5E>jY06u2G0xa-3$+X*yVJf
zI~UKD!|JODG?=<j>z?b#@%R)2H;3->;EB5UGT%k572IJ9H)t2rW?e7n=(GlVKcew~
zam>#q{bbEX(IZg%qh}Cl4};R|cEX^#^}ujEn3WWj-=VjnVqeB)6cZ?-M$xdb)@29m
z_ufV#<bv834_*Ia;7~{lub>^-1gmtJ^Qw-f{Jt@Nxv>aC+H%~G^2VgIo?1)MnmtZ}
zMI}6!Tkm&Pk-rA1eY&y+84IJ4bhZc&$fWF6YB3!}hD{c%cKVSh;!zx<eNKH;SuZ-8
z<r}(l>j<{8y5_Os6v6lFp|HsipZZq#_}(K94RQ%wcq;|?*27TE1D)R4-6exbOcEBS
z%I}n{D!QE7d_+oy%BWK3SY(;`3NWvBI}f5(w<3~H%jY>PW<++|`1Y_EEYv@E>|FBc
zEpBxzGto3zWkt7uWI}nDJG+c}F8AQ~ug--Ojkl2wf@lG&9pol}Z<vPx{eXWn#m?LT
zlsIqvhxr+)m3YKkV8&?>WNM?@aV(v^eFokThdqjox%^trPxl$6CuYbl8lGynbl3QZ
z3|b^N@NV8<$P)TW_=*|bTF4X13gK%)i)@oNh%DHS4h4+3@JM!lRU%NkrgpAinJg%p
z+qa_h@kz1s%DxKPs!HgY*4N}qhE0iueK!OWx3xwKQP`Z4B4pdmju_3Md8|mk`Cc%-
zYa;n2#lX}yK|c7mT#8@1TY&NeK9!hbYV>XS@%g{uU4GEo&kVQS{-E-?Vm3JG^W~1w
zC!8Ud-`K}PlWHPN#=i|nsxXIDk8;#r*=#3GY<<$9w%{2$LIH#tu`su(9oJAnqrfw4
z2B31CsqvQR1`u!wcRiVFFJY2QTH7mv&p0FCxRvc&4P`=p7FV06-O#rf*;`riR2Hen
z1j%}T=s42*hZN=hN?|AJ&QSw(pTM;uW#)&wuva7y%<ygyHRdbTd4C8RpG-ChK6OO!
z(~=ChX&t0*DC@C7`ZEUDl|=k=`hacnj(xHk{Woew%%w)XzJI$z<jy`}QotTV8LfX?
zPJ-%XuoIrPr@P8!S<dd~dwuiii<5%dqbAl>?`2<K>+T|(M%dx79#Xr6Tf5EQZneX5
z2P@~l%{-;BRK%8)Gnu9s`<n0U>b?a}EZWeWB*{-=kM>CA7vs}9+IoD&2L|&IVri>A
zKNu&oqw$OineM{b%a(ZL!=TMLe44hW;ClSgZtfDu-Ckdh>m0UO)UTQ@Xl*Q$Va9=y
zYRJ(y&SXiWT>*wDSF&~!19j1SQE(K74up4it=ZE9J4HVybMXT<Dj3BGZK3}06qlQX
zH7$%l4+KCer^jyHGO%d8*7bP379|7q<&=KGtO|oqdSqFG{|F53*+`DZ*P**9GS%|K
zTy(Bf(Bz1LW}=ryjUpcS>laII>#b~^2i^B{4k}n@Vpf23Wh$D#Ya#JXJ1Q_4S^<1(
zeBvx#7Lt$S{5mY>4LYSNp-JyPj)f8Nl!!>RiM{r~r><3RNmkoOaBJhV5071mB<0&6
zMBRb=79(1t*sG{m`7#2S)9&iuYS}3(U$hq&`iCd6TSvwqW)3;&U7<g6rY9;@Z>gCY
ztZY44JH#hvo7gqS=3590X!A|b)PoxmJw%j>qRjFM0gpSCK0d`;XEr16jPQ51fx8Pg
zHE3**?VgN+8{s;Q_Xwq`q**<!fv8r#M+w8P;X0zaVY8yM93p$Enhh`}Okmg**Zcc#
z_F(dQAbG63N~nimdR}tznI7W@3@vwqoAEvBLn1`E&H>R6L}YvGV~&d%YEcmsHyvkY
zEt;G0xi+_(@Rs;=y-^647=v$D^kx7XO*I#*?Q74^vu1pOSVT&eYe;;Oxm&_%3dS__
zs%gcJ3XFwo2WK^pr~YD5*6G0vbu;}Ccv>sPJ%&hyooMt)Hz$~RQ-kBPU~E=(0nT5-
z*v}0Xo%~=(jxL<ExvYQf81pK}wXOdt+*-{7muJ0}zNS6e4%<ESSC@!_zjOyo8E<xa
zkMiOT#!HjwgM2sYMNo)?Y+php8&qyVxa8AX{>#S-!KUQrk*}dD_O^<ksQXkesu2SP
zkCknxDL5t&xRqY?$(sv%mA?Z(%bH*|xQD28)9uMT29HRDyOuF@bjG7tC2Y({WGQsi
zP2~sRRKy3!+Y^+Lj0)Nl0LWK97C5>@{9r2LkwH7E;&WcsY42>R@ErHV8^YC=r?d?y
z>*o$s3jBT#2Z3Rk{rANUiw|L$fsL+2%4DGOYUPpKZ!Xq)d}v0d+p#`1{nQz1MVmSn
zXbTQX-<gG!`V+g4Zf|{=xBZ_R8_!fp^FIEUg(K$b0V|m7+Y%@(A4<A1gR(T1GH{LS
zm@?!@5XnEi#VGc!a-+HaApp6^k-J0TJ&Lfj@>;S(NfK1E?Wl2z>fVl6y?utRE&}W|
zt>AS>Z!PKGCJRwLEs}cqL*YqtkljsW9JNFS#gM8=6{@E6@B^8@6B!9?`;jdeM`S%w
z7^M2f#)~)POPrKF@TOaEl^(IqRJ8k?(rQ(%;~Q(pZdR4HzkM*}5A8#O!n%~$3ozAv
zSp+E~WuP?AMQIp{h5@4#!J%U9=W6_vmk|rQ*8a)Yg=UXWtl=)X*R))nDbE0{>1sC}
zi3b}oQ_gy-p*=7y;~8;*Vsg&o!(K(Tg(5S?F_9x;(dWg+nze~%qYVG1ZQCQ>BVrWm
zCgbrp@g<K$mf0Dtx22$7Et%;vlb%23@bHziVvn8%@w1P^;gCvy7MF@DxTOisKm}^9
zeHK5~?%a#7wo|ND`_4>}&O_i-eAkQAAU>aoZZ^LGi8+fz|Crw@SDpfkc0VWK?f3xG
zVYb*wPj2A$79(=&ksP?KY>3_)MNsFbgoZp(U=hmM+Z-J><AHAf+L_otChLp;7ef2p
z)665<`5&S;C;m^P3W=YN{Riy--^B;15J(njg(X$QBou%vfm*5UV7xYc46ETzlVm3)
z%JKqdw)sR~2tbe6VZ#P{Hw50&l0V~1`#x{W@}!>}%+69htY7X}bKOmOd1r0d^CYh6
zkBQB&5v1?nR$AD6KH2T(`_;hnHFoIV`AQ~JMXr4&^(BNg4G;8KIVsUIrMGCEUo`x6
zDB<C(fRCmU^+NP>TiM=|!;Z|H;4kAs?mR1Cv}yX6P#{-a6G)-w7F}HTsHYE0zx6AZ
z!wcPqXUs@YxXSGgBgcMApzWYs{(4;phk|>E#G{#kPjnc&jp8P5dRd#Io%cSDlzlng
z{AhE_^Fcf0^47L~W|bhx1W`NADQjZ9_^#>JJqLWyI}W-hkq0E6s__<1CfV(B6ozE(
zJLr?-k4))TjV@qH#IO}MH-XI7y14#Ng$jaCb!7|lCfvK)J|<KJy5IXt$gx$w1Ek2B
z>dCKLT$lWu_UI}E7S<=H?DX4tYo#>yf;}>4-2VQy4ce1x&>fn_cLn3eO&nO+_?;#i
zw3i(aEh-z&FG}jNXpcJU;%eNMLpxwuqSNXSh&yA&B<m`mlCGm;Qw!(*0==(PDtHUY
z@#o@JRG1?QKURJDqK^>CXUfAl5O1-lUi4G)SO^1AvJ8{+@GSRJ8mE(5q3!94h^DUc
zsr=a9_gw?$ad2Y1Y@1POPgkp0oBiG1WTnHx5?6|LX2{D)66f>f*Q3Vti0qrNAay}C
zh%T%?SuzH>n4f<2JNj@Wjs3myLa?dyJSMgBp~-2zxiruG5HA*A9SyZ3o746ncVyUB
zr9Z2*CPH<y?So$bHxG*EezMpY^>_g{xc5N=Ya$YwsAI4P-77_@D(ND{awAZNzpRC!
z(eUTAy7E#f%{`!3lImU=oT5I-2KlcfRe)kvr*)18JO<MoL|OW@6L^A?K<dwv-lE1K
z+<v=_$)6?=vmwF0prUR33RkFUbJ5*!<o44n!G0sjsuJrMuAV`R<<fVglzOGrivEJM
z@uB-kuaQ{P+AJcK4L7!5q$Xdo(XmpXbsH&?P@Tq{^QQ^GJUSym6yd#_UtIgR&((oJ
zYo%X?1rZ`@8eaZptjsRpB02Rj%-Khs))Q~&;k89%_OmWk9-?qp-Q*OYfv8PPj#@{Q
zl5QjfqTfRaP~v5m?T1WQGB|7yzHj=JBDE>{+_enyGJRD_@R}L2D0L**u?*Y(60`!x
z*<2sS(;}Aop9kT~WKM610cm6BTlwk|U+)<iGxZPjZbE(}W^zM2rwrh+US2no+A*w&
zK+DB_8vWkE+f``lsQ$v*qMf?<S!=K%)b*Q`282*BM`rW!j+Yu>g{D~&%Fsa_7j)V9
zo?I!D6`cW;n~ebDKfE{sc?|SEs}5vlp#k}p-i);>Y43kCC8f86fgaowdl#(exa?0o
zh;mM=3V@aE?LPTY5VR5d?CZ)Y&I{J5cCqeX&g?_gF^wg&Z)$WD;jO{K9ui@~H<vPO
zFvUrE^Rj~5%iU!;_ay&M4z7DrUiOGDTAPNS;E+$z40_H0i_6?IiQ`Lo1>dj^rxlpf
z9Eu+P3O8*wP{yh~-`VZhB!;)-!?ezM{Pkr_BHBZ{w@-!UOb)n_)TB0L@!R$q4^>Yg
zt;>bDoi{a{o7x`XuVpZjHDA2aLprmWWd^cfhex7inNuk%{<O_xLrALwfr^2{M~Oog
zRNb8D@lX7Y2mr<V2&`I>;BK<N`lP`}{{t<Exhqb?*C-ck6Y)P%35CGH8Y}58s=`A}
z6qG}S<%C=j2?)lk-TPOfSnqyc^kou59WL*eQwIACiBf%rAZKwW+u!GIHI1V<sXimn
zUw~Fq8!gc(2l1Bb*dG2q=V;~l3Rp9G{P2j$)0Z9*C=h;o#GRxl+EMDa>UkSPNRtEc
zza-iT|4qj1;R2f=m{ty%pat4qAxH1<*`I~r`uXQf{F}ZnzBbL?E6KIDEzbw}X@C#N
zQdK%vM`uA8FrT_Nivxp=Zrj&C^?O=byJN0h$xdf%M@MQoomvB}W=kX66ddBUe9fwD
zG=Zxh2c-bo4V|&ZKIM9n_)`^Ty5q0Y{YN~TufSD@@_r;b!8MEl1C}aHRpBKE{wkSQ
zIh=c10;>R|62RCSfNm0Bdl_HBR>{wi|HTtoJr1wc^QO{l4I2ukOO*7H?i;kX4S{t<
zenI9Nbr@Ll1HLM7Ht4ReF#qL6cn<oI{{a>M%m2(C;Tv5yk<x<O{${ii`_ZBDi;VO#
z@!l`<`kmEw{gdl%PUUv3XQ{yYz-p8>O#EznYgno$G%mvhivr%s5|O;3m_Q=d@j9rT
zYC=+-J@Z!C9qD2FHh!8p1Mia)oXnOOdd*t6GCNqwGR4HrC_&H^oZRR-sZgWwTbj=O
z!=0~J4*m{FBDybv(RiiULJ8M5fNf!2g8v?bZ9ywSvj^E(?KyeU8p$Pv#OBihHeBq)
zWMM6C$^-$WkbF$@6WfF0YWOJteJ?Pwzx{^{VYtxXU5*=%0mBuQ8=O4~|H7anp)cZ$
z0uTYL;eR|;CVIz(@DOTo^{H01+nVI=hAs;DwN^=jbnIcgOo&L};!2Nk`s%D$iVPGF
z-3Nh!pIPV&RqHb0$qkHq*0WJgKe|9$%vAx#?8&{GBxOOgn+v9$!DyXFq{9_l3}j&$
z&d&dVqCWK<R$){CV)<Op_(mvffAOP=_e3@ZAjBz|C~nZ>wqHlHG7)>D3`5}eCDySn
zn1R>NqJ45w@Wb40!u`1rM)>4RKIuutkTs+!SVgUV+BCcRHQkN{FkVj|Q}5MC3Mh6w
zHq@8pA&j~X?ks$7ZG;V$W1NkFy?v_E--yMa(qO^BJ-f7K&pn(Rd3$uAJfnvwb0_wR
zLyuKILd9@<arxL=+Tyxnp2+vgY~JH|AlyY7cb+uCGh7LYU#h(+!#>=@GNM{<jeI6m
zy=26_pTpb_o^4=$JEi{9&4(FTw!oipLtL}=Mfvlgd9Q1GJ9Jg1-1$q=p-LKX##i&y
zjD$n_SCf_Lau;tj)pOU^l;3nimK6lT0o2BpQm{6|HQ6!ML-X*CoS(k>qZd7Sk-u-9
z8hnG?8;2d;wu~z9aAgbkitRNa%9#yBeR4pCVMhb62fI@{!@pA3E5W?00%W?<-hTeb
zXnt3)qF=5{c=xt{7abojDU8~F!9~(O9G!-mPYuQUT>M+?0c<7J0kkeW8M@=vQEew(
z3Jk^Ooge`<)yUQmpGz!H$q;p`ONP!rxNL_Lq)f4PIn;yqOnsv6LK4(;LvT2{K9frj
zqBc@E=fP>%<KU?y-DYX6*IBX7XEm1F=_v(WxX>qJ!Ts7{?<dNH8OBch^E~h<XSUTh
z>Yn?EUC@MxFf87{&VU`;e1_+JXkqJ#_^!$Jz`(KuMcL7A4(R7Tr8loR1EJ1Z<stYt
z!)$IOJ4r9XaGCje@qyb$V?Vxtj8K>JcFSzl1rW%)Y)3T?Hh{Y+D`UZ25Hre|mZ)23
z=Wl5F(bAXYjh_;At^ar)a3P$^*^YQ8^b!ts(*u<EUV`{t(;1;^3CxIa8j%qC=FLoU
zjpQ#Xcr!(-OC^U+uxT;>O9x=(M)8B;j6A{hr~G$o&V`S#Kobn}9sHW#ioMclp98a;
z?N<VdL}xbLtc>6i`F2enDfUyLe6XgzLH1mmH#vs;j-`sffR8soP>rSG!VK=v_O&gI
zgI&!CbG+2p&(uogt>UHN#12YvdgE`X)nNc)o6V6+TIQMP3UKQ_JVt1>(J>iPqSw5o
z?+EY5cELRrOysYfHWjL<v%uc0#IrWNUH7f$P+@CL{QFF6jut=K?l1YY>Er&{U_Et9
zBS;@k^qwEsaQFI1*C6-l@EV>-A%_bjq|Z;LYt~#;s@{mcg|Mx#-^9i-?KpktZel32
z(5-QS4&VA|)h3GOf{tlZf08is>8S8^?q&-79$^JC!wYKoe{aLtf*jup$hXJNT-thq
z)(Dq%Ph&1*{?k|6?SDPU3g3AawK-cX`OA<NIilPb8Av~oaV{;^E1S}2I48Yo?2@ez
z1gk4AqyOOyxAIitLvFd*xP%$ZGTbb4+mHMTTBdQ`X+ZnnlDRs&rYn)NF{j5hMcF~R
zQLFVi&C498)yo>EK_h_JWx)3@`8E8TcN3;gtaqd>)I9R%=94AHMg1-R3lq_ItzhtX
zs@2XwqrcU50Cld9()E{=98uN>?4*<3$=&Jt*=I#M{O7hq(}lm5;4h6OgNF|nI1l_6
zSOZEV!`>JL)jmp#pdugA2g`hftMd`HHl+U?F9Zo-Bgz|7Zx>ARx1!(~lYC(WLQmOR
zz40Ifk<vFXcttqw_49tD?#Dc*_$Pk&aozOZS;nrtw?~MhRhiIir{64ek1Q@O(g-oK
zCyK@|^bElE4Q`@gSMQrk#6^KFW*(>we8u<XlDtd)=qlDMvORvBlyP0YRGnkKqLJh`
zz3=5KZv6(b)y=SMDWO-0=W?Gs$2<|B&|Bk!4W)M@ltgwY>8-W_PQj1`Y8+I%pQA%r
z*ERO#JtRSRZ22YC1jO9e%2sC4vfi;DCsdJw%r=DyR^Cn<`&m`Fj3*l7`Td4y?-+Zs
z6UgzNDDO6sj5vhRNUj5?(K9LWv)2Dk({U7ftADVd{InqJrfH}Qm@Mu(yiXBL8bbyw
z?__zMDR%Js2D(<eEE?osYFJ);XG;$0+^3%_A}r#~xBYXFX#BT(ZdUuC^MN|%MiD$+
zmL`m!A~X}4D_zVvv8J!>_v{yv!2Se(Trd>3>SAXH9Jird_GG0ln#^TSz6Tr+5>(N(
zG*L>oEKNiITf^bYBsXMoHrI>vMap2IWREM7f_v5aP7n-1SP}|c-T68l-{5b6oZQUb
zf#rC0JH@iUu0yFsgt_gUYcWz{k;3<pi1mt_281Q1FvWlp^LTh+2RvZB&Ehi$>Q_5t
z>1{sQXG^SX|G3ENOGAg!obXnMX3JO`P61J)J7U<B+*_4OtCV-Db)UNLW|S;p1ae}2
z8NA%ksY<iufQs%sL>5ziV0`Dt9m&jYaHDMJ)zX3JP%2_W^a*-9oD`JjAwe1U9A|N?
zw4O7fOfeGURurS}SI&HQ6@p0Qie-4a*@)Vu-C`r>u5{_b4h<+M4v+{Q?{-OAgmi}~
zLkWK=o68b1DM-A};8tm0s9JlmoRk<ELnk0uUDp^XI%t3qSy~YrKMDtcEo6su4jDYN
zR^U--ajD~3?#_L{bFE&S@YmLIRT(PWlO74$K-LoZ{4kbfcw%izph|)Bk-0qAkOeSR
z(Cqlyj-mUCn)CgP$OkZR3>b`vccCm@+a`?|p2m6%3tek1)wA<Plne@ZkZQ84kL966
zA3S=BeEzc}(kiu$sg()cBC_!_L0DV#z=NGdwPS9WVFNhA4~B0#Fd12%BFwxY)O6%A
zw%?(3HS%iy)r%*kb2n{x;G0^ea42vG+eh_@mkx#!G{;E-+=K<BU3FJl$l-RLf;mm)
zy~!sa;hEHzoi2{<D(biVo+=g-(=qgxfAGB;jyi`7)e7uHyL*&~HU)nD%sZFtrxUYM
zlmS7nNX2EF?<jctEwSt8rw(muaBE?kq=d@FSXXTMk_<0EBV{UM@~h9nF)`E7)e)xU
zlP~2Gp7YlG-X{$!Xsz2XlkJrvbl{It<<-zPRwLrjirdhl5dZ3qC@Me})1gM(XX&>v
zSa1w+Vpxe}Ss~B-lFPh#DiUB|{D@SNZW_^wTL~l*mbv>~>f>l!<pggHzM%pVboL{N
zU_r3Hxq{=P{l@ru+n+Ia*I1G~&0v7_uZqi0#4xnlm$q=)Fh^-sm$_S=0p-~ZL<h88
zwf^cQB5+TOV^V)X7AEOu!%<+JEfzW-=<>pxaUL<dgND`ZqmdG%_2^ZkGwnd!$~WB=
zz7yf{6GQNjhShdihX?Gr?+Jf_vVgX0``eXi4M_6`?&x<-chcJ@;v@)6R_cl}Oiuzd
z1QMn0Yu&hYd6epl7$CHGq&1Z>pKEw=)qg$Nk9XOZYa0G2t^x+V<4bVRsZwaH)l>g+
zt9F(fdeUuY&9`#q67O4N#lp&p4o0I`h;h~8nD%Y!VOXH11nFhZNF(N2!gf2Ki@*^O
zc!w+}zr?24dgV{{jW4j06!46QsxD8>kiKy|T2coVzKR{z8^&;gdKBv?RI~VNRYNda
zd)o=b)fVYba=_)__Zg#v!mI%ov5u1dFhn?K3pV+x7}eJWa{bmy%>Hz*yG125JBl{T
z0y4rsW1Dfw12$(}+o64>v&Oimt))6>O{WYr!WT){=t?B(hyAnkc2uIh(QKd<&(RY>
zNdREH$S)4bcXCL_llWl)#TbELpD;y}%(Hwz)JO`&y7M}*jp$IMR>^)-x~3y?#kQP^
z$c3J+)0Pssgf7!`$Mk$@d8#qM*4rFvy%N+&Q#yiMv#F4d3BQkf<aeyb(y<K2-};%F
z8Q@dB(x5A^Uw=*4A`HTq=<O{4gc+>4N_@4<?d9qlb}1)NAH7JI6oS?|@KlzfDp0)N
z_1QFOg9$~4!#ixwsv9b_!JFllWOPsoe3p;>!((sVyXLA8@w)$&@DoMIpDvLKu>k@E
ze2;ItOR)VYr@!35`h2Szm<CV9Sf`Pz6^T%#49&?*6S0tT+Y!e3%uz!0OYIB2<q`g|
z*X_camg$Q~c1aTTeImxp9R9H3ATu(;8uR0I6xf-=j7|;#0X@2L-hQ|h>E0*5wMysn
z(fd+?#wH#rw-_Quw!}dztCp^KPa$TXl$x4!!8kdyIb`7Z2);G;*s!$k2hB1wRa_VD
zLZO*yZb{h|?l-ZkHYx|6%csKFL<>S$eM`b+@*Jo~=DBkS9<~utwZeQN3_>#6ibDBh
z(U32@O#U79W_03WUP`mW$8Esvj7=er+iRY;>&r?58Ko#pD>E$Xr?&<Pn@e(299MC|
z2|w)MBh;E4i+`LB(N6e@c?=0JlDfefNAz2`#V3rXG4iCtd(i{N(C%T&X7rjJI$mO)
z+PuQb>r1Z|5L|iPvYrRTT=WVsg(!euCvC6uvh>(|SH7tMKxFw@ro?p4Rw4=%LsS5<
zKo~laFV)s)e+gu{CqsplvDW8X*XChM5EU@t+mm^5Mbh>6UhEIpQ@A*wiD+`Q2-z|S
zONfxkB1I4RrBaaeZI2lJ_M0eo*GU!qV(*VJ--mKto&X2g;VD%+EyP{L0Ndhm$N2)@
zI2@>&i&&htvvfk*6q63hz`!xspc-r<vjCFN9=S68@>kJaSlUroULnDQqaKjpBd8hZ
zR&>)cMb4Y$Q`5jmi$wFrQsskEI_XfX4Xx1V<-l=$%PRg$K4YQfca@`wZ)KY>t#7zR
z+qI!!jbr65+(blavJ|Iuo~_|TQP%kzq7aBXNAJ5cK&)j8siLY`$SR6)f!VbX*~3f7
zgeWP*E|Kk$?fP}XXAkqwHuDeL?c^1`pF;^{`8XPaB8pTIkc0U}??2l2Bms?ki);ul
zl+iT($hNQ_uns6rS6qT_rQA|Kd&plh=u(JbTSX8?r4{BJ@R4^ZGQEt&TElM&IPxvc
zkK3^PDYTe5Q}q)cqDlYxq$6|)$m+}`AT1@t19>p$o)B<g!#sYjWnMpeBiFx?bYgEo
z!0;_o{Xqi0hdR;X9JVWee?6!%fZWj{vUER4choYWD=7b|o{3(niPSITFwgtvj?8z3
zX=;jyt3huwP+e{7Rxx4|t4&}NiOxQXxXNW*rf}h^^P;#v@uJ|>Bro?_d&5We2LJ-m
z3@9|Sp!rdJ9C~I0qG!sA;JC0Td3JRPAT4QnsQAxrb}m34BH@SEleq0|Q$%CIP!sU3
zP#yg1_u(w9Ltmqy4wK$@Uqw>)w<#I+xkOlR!}9<TcvwvwN@W=Hr)>dv#%P{}Jajf$
zkjF|z9$Y*37$<v_1A1SY=p*$FIHAiGly5yUQy{534wpLplTAG*Z>OMF1;1AeSQL|b
z{1V`=?F*gk=fXn$>uMDvErrzMnKEm?^LAahMRhGzZCQ8hwx4=sR`(T+vBZ?-iA{bD
zooqvt>;Tiq+6$u+d4@<AxZ=U>ZInI{80A}?rz9l?SIH)2ny_-7Sb2N~U`OGz<g@+2
z5Kfx1{op*%`kDa8aR`j|^QMSV__$jSJWLOikB*^<bT2M21kSm|C&-FW(SsjPV<0^R
zrGl}re1K74>qP5EL2a$287qs^)Tk6Pign6p&L3r?iPUgx7>h)9v&@~SOPb{-r0MD2
zyi1~1dG5c=A9oFa%E9hJ70O*dh8>=<$eQZ(@rIlIk5gqD!2G7gPh(pDfc$s%E14!j
zV=q|=9U8IYXHRl&Ag0+-iN5C<iE5BodP&$ECeVvf2RPg>8$E@NSq{tLxNJ_<*klrU
z&%PYkh3%PX1`%*lkJcfa5`eA}6IbuGE-`j(HS+d7-4CME>zu-=Bf{J9nw-Xky*a6+
z-frjGlhPmUkSBxmT#Sok?0-t%QxZDoQM=9^Oyy<I?*c3&kuQ@iFQXFN!TL)+JjspF
z!wRLuyf<=lISf$;qoJQSF@75X`_{;85!e~ID0}`vIWXtXt5zPfnGhFYY$^7916fw!
zY+AW(9r|B6hS$qtO6jomuj9-9sLk$V<b1L`?i;KAh90+Q)m6i>bOEH4oiFT4OH}G0
zW|fi!1Wk&~2xn~VaLdqPMJ?(fEWE$L?kDvIsTWv#@5l^M_l13M1coUO8J@WrFF*~}
ziWP<<u?ZfmTRVEx2)$dr0K(3yO__t+=2SVA=D5B1niu51DiDnBKa=^^rnjIED-dcD
z5@5IYCoaS{T@w3Naj_`*SgoDv@(qo^Ig!hqu|^7awrTSAR`<g9Cyt)kfz>YSL&H4`
zY;+h5Gz`J+{xMb=EQhZz_Nld(z-{WyIlD$S0l&)lKc*NqmOL7K1?5WYv8|>t9-$2=
zJSyqL(K!0PS#loR(<@e?JoqmVW@TEi@ijcYp51_dv68EwV)x>l$dUP*?=p_#C(-dW
z<Xd7XPaNFm?h)r=_FuA){&-KIIJa>W+6n1D`{nI?efj${n?}ZpfoCE?WM0VN2rHoo
zV)$f<A}_}^pxZ)RQGwN3<2jKA&`}+O|C%NgTZqq&(kRQqHi?cr^}4%hUL3RIpkn1$
z3Oy9+Km%fc^l|Z;qYt=Da!nzVujY1Lz)EIW>eiB2O2&55bEm%i#rGIgC#SvLxp-(x
z(3rn7h*CL3`eXe-UqPYb^2!CO5rTs1ngpv)ZC{2OtC{TZK2))j1}aZYcxM9MHEA%K
znw;~j%t#WRT1`xK#63Kg5+qu&^^o(Lq=QnMqC@D3FwkIbT}m7BtA|k{l~^238-{nC
z=D&w9>hz&h!ZS{Z$_X^B$r_F)%_V&?ieS&O5WDPzusU4FPymx4-j~B8MHCIcTDlmz
zoE=L#@<PYIYn&~gVdvG7&o~C)&xl;95E+ehY(t`!&f5uzHtMlKXmS>gS+g|I2{Yb0
z!!*+l7rs=i@5=Pb6HNiYR!zvcW`HybsPvPvBw~s*i<qTl18RZ1AuF|tq^R<WWdst$
z&pu+WIk6ovmkVntiLo=bI*;-p=LOx@o%s58q}1@x3!Q6>F=);Qj+Z(r!?TV8&2<oe
znH`x3l!+3L9UzCx1y6>LNKQj*v}$m(Blk*sx4?U4jJAG*7c;0tZh4+Nkv>KUs_#>M
zynwKqsv`Tq+2zi*hGv)l(_+g0Kc<=GpV)*!aet}vAnFHugLstX!B10$$U^O<I+T@h
z_j(*Ueldwu5|-8ql40?kXxGi=G?Ev+R6pp$k{V%kV}%eQCxqkTkmJ!s@gPS};iJav
zonJ$SZ2uq<7D=IkD9ygax3O(I+$+11tHay=wL*QJu5pd-oO9R!<~tbk@v*cx26ZO8
znwIJOaBTWM#a1HVu_o^5mn%7h+;Frp`3Vy*gZt@}3<c@y;o>)DOW1ntiSk|P0Jp4=
zbq5lPxLxa^BWU*<abuPY>>Dc+GIETYL?}JzTo0T<y$5G2I8}-E%@U+gMQ{H@xOhp^
zw7BqUIp6Ja0vTP)q&@LxfE<VAU(ywLQH#28aeg;+FBmm_3UfbEl2-6cz66P#DSS&i
zfK+3h5_RMC7_imgXY%?q)DpG$KszG?(Gz=)ceBHAp@I8Cy5+-iMDb6`V~Kavg0J5y
z{e4!`IyM1@>zpJGW^&JuRyKiPM=MQjNOf8|6KC3uevYbXv{B+CJ&+%ab}zG91B`AQ
z@m-9XDp>rrXCw4OAZR))ggBjWiSLSdj`2ib=-tl@f8R})F>Dxr<ap|q0yAgoymQ`j
zMl+MQA@*MBce&&wbg-z=bz#|Ag?T|jw_!;NygD8O7(-7X5oZxdS1P#9#^V|(b}8Il
z_QCx_ffGB$bWh2sm<kr=J4ZWp7YM<k?r;4Uh1MT*+-(jV2Fb3HX$S6gstK9zY@uUY
z93Zi>2;#wkaEDXEx%lmOH<zi&o*Q#WWB$8Vj-Ko2BP*Y1q}$y|@XYh3b#Z#Dt{H`>
z5&H8~CAtDG>y?w&BRTH%0~Nc1^>O2MmDhKjhXPO07YMAE@;o~DQ2hk2FIIiE!00KF
zR<S`4*DAvwp1#+Uu_b@w_r9@heMisVmK=4M?Peq|+JzJn2p8TwSgRtQ_{bpA!k^?+
z+>(yU@MZ(QtWlU)QWkn$Y0ZfN<$h1>>8fSnQRp?Bh`yKYCS<)gt@K3XM6Nom=<j{y
z$2FvqCwA0|SWBAS*>&cS`@lrzBt3}9YIYsUE(7NkU)jgc<v@Y4O{bS9=<C&TwS#c4
z6fmj-OQu1#Zp<$>#&y+gs)5*$D(>e#e;A$DbNj?Mc68a=3y{JMEPkYd(+8Zt;6>Uq
zd_3>Bf9v^Qtd^V}{<uGs3qON$en+~Izy~@gaY(3X`H1P9Ixb^4`!;ex&){Q6$4);f
z%|v%M+J+-U4=9rDi^}EeP_Gmin7SpWj|6-f5dSC+QgcU?&`FOtQp*G;vh5{V)d1HH
z&^xdH*^jUCuw-8R*GV_$W|GZhuHJ3<j?C!PzouAT*2_L!^O;Vfo(R%WU*#s(8mQlU
zmTk0TmMSf`y0&<CiLm!v@4v3azFN+@WW43`mnQW8$eievt(t#hHQis=IVzIad9z5z
z)3sp|`TsM5z>Y-MP`=!yB7RX-R-R`Cmx0Qg!dex|^!u;T%p=xr|Gp8}5{Ta+*?937
z;X{&jYf)|;yR*&}=#6`$?Fw3VuSCir4w_}pM9c1<68VFYJJml5rZ<iMt|Okb3o>AE
zx}^{)x&s6Z0UhN@-Rk8i(9Te86PiarGUl>G?}sO@j4~}qx-`G=-tB$#mYbGV-jkue
z{0|4qOsIj+#}y`c2odKwRfZ2oC$aVBPS)feYRr%j@1LPP<-V~m*ROxnXqtqF!Y&iO
zlCKrt0TR|5+qfMR&&LQJt?6h8zf&EHX?9*P&Imdf-s>Z$w#%@GJr7V!8a0;Md8zsw
z4|TIErPwz{FO;Hu%t;@f_qk_widh?WO1VD!yngw2yx8|R<O~zjhK7M+bZ5yozi%I~
zUpg8V*Iw^MX=vZRJ_A~TmA`D{*f=OTGQs=bpK#!}h3#($xbOu;sW|4lh9zy*d-Gm0
z8ab#H|Gn;q8yR57$3#;*>C_W!w3N5DNhn2@4h9>1o^SqS8rFL|ybgPDlmv$-+SFM&
z<QP)Nw#l&QtJ;{%U-vfDBGEK!2oOGuok~78(7PeCQXB)iyF@WjOxag`wgbf2X{=`3
zWu~*&e>FXM%s^oT-tGNSa0vC#wK_GL1`E0YdrhI)DPm%nlIZa-Ni-hKw*~C4QMvrB
z4Xxs*%<e1i1GLPxN-z32)UbMQBO`*Z&+K29UJWSReQT!k(P6ee%gF!usVL9Y`qjt6
zP&RR$DoeUzUg<hVY36A(c@+L~*<BfDNA3~!L%~69LC8$o(Tx+37Osf4do=&flGYXy
z46h>gvPiM=(<)qX^f=1Gd%^7aZTu%>*_zhHTIcS^&fNWqoXEtuO)i42qf61dG%FEM
z5(B^EX(RN)*ElYUhn+=tlsP4JwX}U&$I}^FoDy%j&Cxe;%v>I=I)D7pls9=Bo1gH7
z1p%ppm7S^wKOy5Y?EM3kV6f=u<F7fZj|iczjtB<mh4@G_NjW!~RqOIaY7x@w%B3Fj
zK6Z=WzLq!N(LTP<7M}RBd=|^@8nudQKDoln+9e}UeIBcdHrr(RHfPQLOfx$hRJq<#
zuc%L7FM&r-ts9A!)vnK(JQt9%olEpY&1?RdC&b$Z;^xZsXO}W7mhV!&p@SIT)wTyg
z#dUaJQtA)IiZ&W_e*Deps@~$#!mjx?wnl+RA38QH89{jEbWA(zp?_zWiuUC3FAPfE
z8Md1JxP}pAhoi7_w!%^*0sM9f*R+C_?~%x?)tiF&L831jQ@QEu(5})Kx6R$LM^`y{
zVx?c4IgqvdSVkN?E`P2HP~4SLAMJY0zEiM5eLb2pj}aQizG(2yuik4sFLt`h*{x%w
zrhIyxtJ|LH%2!+7xh_1%4lUj9jqatb&)PyWDytxmj9Q;+Jat?5mS-LT!8IUu_uMWe
zn$$sRQGky)x*wq{O(mB7(U}x-uw5MXcabV3vdlvzM<0IPk{5($VG9k!dZhlJT_uRB
zD(NiiCR8KG>YD<^9q`mE!lsK!@-?&b+ttmB?4nJ&zYLVLHqYCyI(&J5ZU6o;|9a7$
z&@|e$4lCH-fzy%~OFxh<=&P&FU)UEh5wZJyIO4E4wKl#xjb1tddUL<IykAo7YAEC5
zs=Ih$P1-6OL|5;04YvIy@=x{k<e#;LbJ;+OD=x6{o=vK4a+~XN{nidEfDF-lTqWP;
zqfD1&ynbEX{)#oIMr9$vs0^p;d}-w8qNF#STJ_Zad}tr^B+BQNkhZk66q7?*bdj@G
zFL=eq2(GA^KT;#F^PiA~wALov>A0$%DeZjDSqnXc64h?IR+l<+AFuT@!0~<fM)kjR
zFRU9uCr%8Z|2}$KY2vo4izZSjd#WNw0t@x`Jw)~d01UKc-Xh!S0uD0DS-;0zzLt)i
zj+9ic#-MQ1NR}1UbE0q(-^c#2v+(=gIz2vL<7r<p*-_g0IMUG^;fd9KhPJhv&7T}(
zk`d`DXsR4(J$y#Jd^yK3*JN^unMzVRBtKsSc>16jU$1qnVNJ2l{~?cc=rf@m$ZR)Q
z&W?54av*}TKOti+XOH)<fdpAs(WjynxBvKrx2Sj`sXeX3>^SQ9h6A^CizHG#%VulD
zqL|#9^9|Ih;!__MpH}{6d3T?j)*Jjf^m0xi-dXaUHxx`6_`5w{dTCdcI`s%GZEf1=
zVU3MRKoFuFDti~Ezuywgx>m6c6`YoSMQCV;_KbukvKWPmsTLYNmCcQ0{lOG|bfnPP
zqU*`wFg6J8?94pFmNR1T8wyax(N^;EVv?I%cN1mEGU8rR{=Bj~iX^S$HJ<Q#36x@k
zk*fXi1Ly3&zW`*uTMaT*5_&4{xz|?B8QQ{g19F)+H#bx}fO0cw4XntGEMwjiOV!)u
z5eA%H+Juf%aGg~B%?8Gb%_?sn^Cy*^4V(fMWh6+^J}zTa_jUZVQLko(*8FX5)0YkT
zqq5F{l4Hd`e4^LpP<cplZU2%X$g+8iErY~VWy8^pJPVkQ^AE|F#`lxs%M5=*|6eUv
z*%k#CZ6${u(xIe7x}-t6r3C~A22i9!VCb%)1?iL$knWZN>6Gs7ZbV=hF7N#Z_rv`I
z=j`+BbM}7rTI(z_G^G}9L9;*Jzt1rru~U!RxDK_@Xi8E(;R$+#Omq&uWbT0`x<r`A
zl4wmlxj1}=W1_Ii#g4{AAqH2mwQ1tsS8@hYv8Z=M3W>)B)SDNFZobE(jGY{I3MbVf
z3G29FiUEJuwGf84-wtMc>-;KJ(h;<3R2gJVl2Xt{Sp8A(9mr*R@0dtZFUZ2m*UIjj
z?}Q)FAA3#md$;dtp~u8_P(7TJJEx|Q>mv!U9<;8hRBVyOK-ruqTM{|U`4dkG?j6U$
zk>#<nagT<H*qfH-6mb?EdyjrD7O;4HXJPg6Q+sJcy0sli7t26vkr*{}C0$?i_0Gd!
z{_bqZ-}=>qNoM(d%I46G8F1RYSYNMu#bs!4!uR&m9PsPb8`hHM@{P|NcjJToy-v57
z<hWxkSB(k~_sa7znAA4x>;+sDM*dk_9-1d!HkDnZFoEMUPVM!oOsMlwiwh7wDT`iV
zijIsZE9C85w0gZ2;uMCJqo_k9dc_vDf=ysEc0QA}ac5K4{b3`JKf(+DQuOa=LrS+e
z%#i;!R8`z$JN^er)%Rs(6o%+Va{Z}HbKIskJ}u^RK|KSq208c(K(G(X&?Ya~{Pn=E
z)qp=%k%(6W!Y_Bc;_lmPYg`9MY7>O(a^6J0|8o6Tb>ENSRe0Zr{>{@4ZMN^dRP6AP
z)r0yvtM7tw3wI|>+*NnwdF`L%)m64L5SSR?1{VCW8@z1yWT{NVIp8)GmJVsVYFkS%
z|HH2xi%-T?<lCcOD#Vx(8y#%G9qLOK*7$U8$SnbWWVGJ=>O=@rC0^&Y@gwlVUz3A$
zX~`Yu%gPuE`EoMfD02@jLmoFu(}l037@tv}YoZU$o^?Eur*@^$1_`8YJE^g|(H$5<
zV%)+26)W1>0OpsXIWmwZRh00zB!NL$_DKzjxN+WO4R>xLIfzr7WA3lBo{S_|{Nh8>
zo?oVuRnTWrV@Uw~c*zY!wyx7RL-SjO`?B2ju&L(LBVj_%^NbSSTHsvutI^&P0MQG2
zQljb0aC>4`d_gHB9S)1s7$eSVYXq@cXl&Ir>`Z9xo*;Csw+Tu5cf6$4rR*vvy|Ih?
zdq<Z-^O2DF0IWSY7ue{CMki%IVL_>;7+#{{RV2{A?&?-t`eHg6h9$=F(AKJO)!lcy
zfJH3h5^qeo&=UPCFO3DIZo-;Z8%227>ML$sO$gmM*u^~Q!oJVi_3wrAReC}Bnl|)$
zX1umAhXIWp6O5v?l@xE0l91=1iYe7cQE!v8ecoQiEY3LQ>$W$O5(4Q>i@Ky5Ic`PI
znx#QANYX#|++L$uv=q*GLTNiOI#Kj{!e^(1VbM~}HC;37r{39z-;d`k(a0M*GmU_?
z49%Q4son3B$QS~n1(mX-@LgAJqRf>1Fq+TA$sf&5gi*=-U?j{;#02>f?-f>^Su1y>
z>je&+`|_`*N$c3A<9@$mY*w=?->DJf83vBd`q7n3MjUsIj?q1M2aJ3Rj;nf>y^)qP
zfcqC3Hy7qB_ANG)78E46T4-KYU|DrIn`qxEU2>*9d7;nJeDMeWV~nq65Bp$`$>5##
ziJVgM1xtQxnxPb9f?AJu(_1PkYIpMJKV=fN@xqumf=|cqpb@8fL1G%^S=q^Eph#0f
z_E(8mc2(p94+THv9GYtK->qC7;gM*|g#vf$(s?~Q>1VXjF=BzwToizePd@VJ2BXnd
z9ilh0j-boqjOCw}nQ+Fxi)s>l#n5cIPK*If3LSR0IQ@~BDa#f7<2}VO?lPat3HeoQ
zsZ7;Lc!gj172^aDhc!^Xq$E=wwdU<jLXfY}%Q`s7Wowo0F^9571-;T%_obKT#WvRZ
z=GNp>0pKSb1MrZy+1;UHS){nx7LTmLd76UFAf0wi$1-K1I3gsV;TzFQe2CaZBl}}=
zhK@#=6eAId{*&4KGmia@S0h~W&}Ygt2QfbKgR~k<zuE&@on$IoS}K`Y{OMOpb+nVa
zRp)uBcE<wM+|VBbrW--}+HTfh-|-Q%ZBhfMBMi&+eI+wvJc1iP9P&I}g_n+;-D%tz
zo?ql(K1Pq-KYJ9gZITf+DB#OE%-j;-R;__h<)?K#EMPA-E7TIu4Ix9O-4WSpGNJY@
zIyH-x*Znnb=X?kOeQ9Tx9ff^xu|VZZA@y8wY+|LRjMCCp(ma-%{95?kI@<IqEh=Qb
zhU&h{n&@qH)gacp4Zxp`;ky?H#X77D?5bH%$DD8Y22cANvOZ17J<<C1b*vM8+aXaJ
z>p?M6SqF|JokTcOHa7+U5i2Aiir`qDu869rQnf61M?>DJ^O_<V@IXV^5J$ag8)e!a
z8(sPsUkW)@H<PrMe913M^Ti^sH)bg!GO|`^79N5bU$@6dK^5*B4wf&>2p&hX^B%KX
zVk>65tG<ieIl5QghAjZ9Isgj(f=X$GNX*9d+%bd(ua;;SaEP{_w|A*hKbh_9`(fBx
z5wJIbVb4Q3oQ3#UqX`I|_|z9gNe+EcX@+5IC!aU{S&_=|g*(V*`!{cqj%{ql<x$6K
zE*j3HKTL>T;wUg>IadPCWw~=kd0n2Pyw|DVoJ$5byVld5W5^R;Z^0wIDK+e*pe79w
z5{Hq-^5>eO<1Wq?G%b3ppF|ZChA*<VcZksjLC$F6xJ0+}@MPqxBggX_i*SS(?praa
ztQ0piGXXGb{=so;3uF=TqFp)7U%29D;!cdbmEZUxggV+1@C3vCK`6nSNVJNgE|rsg
zagVIFRiQDFACTJuqy9yAsYO^bROr3|ijmXwOC#VYgY|<(62@la+2;A*8pk9%4L#M+
zOe`S+8T#PZ1gu=1OzIFq#Y4$-Nr&Ig(`I|JqrE>g9@I(JFcZEi`6D&wi2ZS1^*AwE
z45YB^7D*Mk=4w-0E8uG=3J-zm5!XUfCo=v{m21{Bl$qt|CWrE<V-U9fH4bDTtq9T}
zne5Ojp&Ov0q_p|x;UT|%`E+`5Ksudy+nbml@n(SceRu(N%J1)Tz7$0+&5NX6EMXZ#
zB1?uEkn%-Somjz}juNdh>gyAuROdvMoVh07dL5ACs{Q02qj<Cm_H~hhrtFOVUz0TO
zTHMz+7w(79ro@bpk^2E)VSz5~PPwg98<+^h>_n`z60qB|aqz1~#3v|tRFPJBqD7(l
z3k&JyxAoe($X%8_3#-HpYmzrYY$or}pR?|O7yxsI?OBzUnTlSC%J6J^fijDc?PEcG
z&d*#GHFY?TNaT-Mo^3FTYJt+UkpZJ1md}fTo>yso3m%)<QENnbxvf&u#mpfWM`&|q
zKoeB@Bl7VInQUo7m=3npR;gLCyU;V9u6tsyK|{q+em#@_XI8=5p>obrXnrE#)@Y7x
z&l_KAwbdJX60TsN>R08OOCdU5%04+eQ3I(xEiOc^@O#*VUl>s`*12b#X>egL-t9m>
zB-S({5^R5;h#PAzdm;LpPs)sI_Lv%k<`}pb=0C9{#kFF}f++3@P`nA~2z`Nit^y^>
zwCZW{bhKfAb{WKGQ?y*|FgI9&MLzed-csc=+;7j$oH@8b#(~c+2gHDkztPsVJ8vJ}
z9SC@SV1gM6N08W<{vn^Y)Vo=XFp8cG-MO<JuB-sV`!2Y?RcMZ5&xvYxM(yyL{<{cf
z^E_W474iJm$m5+RCxJYuE3&n(uc3%2wcB3>(fJa|GS;i0>)F}edknqTxCIi~le&z`
zQd8cF*5b=}v6?JYAT6MmJSMF7rhC$MF1b()YU5eg`3O#1Y@iyW-+n{ZT0=m^iQqij
zIyw1jMCXdpmF*C|fZrv{EpGp`3{i8QF&&6oXx*AV?2p1En;hwdmxfu|7S<3Mu4yC7
z=IYc`4RazPpoKay#hHmUBWWatU*rAEqI|V>=T8!B^z7|RkdeKOu7ksNMN2a}Kc|C6
z)PQ8vez!Q-kcRD6;rGE=hus}7kwN5he1QOfkx6IvGW-^NM&EsE_R9O75A)RiNgJv$
z9XYYIp$kjdn@HQ0z^hF=Kl}0+KfXe{(AFVuW-j!3m6td*?B7N}F;2$z*`Xmkwr>Kf
z4$=u64v0-I#=daLpag<a!$V`VInZPPozk8Y^YX4}6K@I0^T*<5G00906=VC8GW%-z
z(=zQu4z-n?Ck*kFJ(gBfV+pn##Pxrr9wf+1O+VixYHR4T65)tUU>TMe)HM7B!>>WL
zRZHz>*mNF=mF|%&YUR#EbSt8b!#mgDKoo%-w5mSJbQ&+#g!J_EnMud<j2X<=u)?qN
zFL?z2Z8G-ji9oDFzRA^n@^2JkA_D;#{7SkfXr>omZ%g|MrN7dfqjJdaV@VbqH=KJ1
z7b+O(6B4*H#^u{C1A<$IGR}ea5Bt9~O+f$s!dB}FDxz}Y&Tn)txOw%qGVaFv6(WC?
zz9bYYa>~YTl53*t1N>AsDVm3z&Cf%uL*)UJ3fV;CQe~*jfNTBn4Phx3xCO_gz?^Of
zmIuLuqoS>lU{!8d>kcOk5V~sDurFtf&hBbcM0Z8apPYGtyPP_dRc3h;B%YynF@RAz
zTB>}f-`xhR#eNT7SP{HW^g;gQ2Y0^Y(0e8U-_cK4Rb`y3R|OSZ@p986A1O|g`UM0o
z?jfe#c_A>u4b3()*LW<Epr$X+W0%>HWW-*Ud^{n?#9~&^g*tm2Ek^n)vJDp5N@nF<
z>2L?b4R@?vtbe@@Wr<JA#FhtMht$@b0Pe`ZL{<JzdtaA-zC1-~o0~4{jdUiVHz@9^
ztf{DC_DeUBQPdW#gkOZ)vh~GLMWgN6u-akjn0NP@8{`wV-fSGdc5t|MN*u(1Ld#eP
zloZqw)3w#|uo`!1<61Ku`NeoGrZN%AHkQ0PJL+R;W6+hkTQLB);Pb}#8kByBbq|m?
zkYWf@Z(cuPE=M7l!XH2|bx3zHLHq}Yo6A_KbhiZ><lYFVj8hPOyco-R8=IR;=gVV`
zTG@dVlSoJjYrotjqQ)dc2|Y>h)NyR!%3qGx#}0UBxx;>_qy{_~t)_Rpg0K9Jy?K~#
zT3?=yiHVujuA}-*D5+k&7l@7o^S7QptbGk$X@`-S5i(cXEo;s|(GSbwM@knTDZWkr
zZh$*Ui|pd<WnhqYeip0RC6s(x$Tpn!ZY=3wZ#?uP3kqwLy|A&v=jR|J?=t@xgsXvj
zk(r1CS-w(mx$GTnuUFi;;TIzV7=4hR{xf`ZnvpfoIjHxo_H{jgAg;YmrdumWx7One
z{lqLpL!C{Y_gSl@HWyPZ03-6gG^VE4H^G*nH~Eyuvz%)NNfL)u_!f@F&(Fk=+Jew5
zr|0|rEkyCTEs6V%^kQ|3@2toLBsIF(T!~E!Hd=UlXQK%^uYbc8`8fq8VSP$GoY&m`
z_hI=qo^~j~4ox}u!hzI<cg9KeJ*;VDN)~$u;vIzh<5=Fa@6`53R`aFCCk0@o`>#=O
zE|@5YMVWRJYsFUH6vpSd%GmKf3c1v%-R&P__1&R2s@^F2CRpqRU@<hX&406p4&dui
z$Nv~s%nE??-}pyh_ut@r%CiQ*U^otXVDZF@`>~G~v0H+MK3y6hTq3hWN>s2!-|q%|
zU$!1=64}({#O2x&XY1~ti>rowsSFZd?$AkH^rt4|xBMNvg!`dT@*%RV*d6_biqQls
zxvO~VZym74+@nY*Ng6(hCWjjzO)u~`5K2%lN>GoD!U}GA`{nY3H_X4U`+kPcYn>s&
z?nmApS0b<P^iD)1o=larRJo`Z&6S71w_L7-cclZoNhGiOJ_qvHs!rj(!RYaQL_y%X
zfWMMB8hY6;DRDe)w&tEaudYW>Pl3XU*Xp?WOXYn74gACB$QMV8ZM3rCCS86I`EXdC
zU9QycN3MwLTbXKF1GlRDAA^U-O+_^Fl`m9HEr>aVh^#TWYxan~t_?NtcN(zC9fQtz
zFS{H}hlMDU9~#Sz?hH8$6nQlEq!UHPi_n*=*>rtn+0U_0=7iPkD%<^ti5*+xhS%Au
zy&dZ%4Q;ML^p<(Lm7L@!a(OJnA_Ileo`F25&A~}wbrrET>#0__=XDjV89f8hKFV(d
zVYbEsy#GwXmr|1khD!t<#_gVVhiqT}n{=#MtJ?|zYUrCze|>Jm4g_y@Z`atlT22}d
zOrj9ONF{oY3etI2BmshHgN1CcpoWb15_YJx?-~H%PVV3Gjtt&`QGK;=5)i$d)yomt
z8amgd{-W@)ZCiHK(2yjR7;Zn;kJY>`2!?off#A!TS<7Pnuc3Sz@M70oB5G?_RE<Ob
zsX~=JGJ;`68dL7QE`ycO?`x7M^l#NY&ToDQ?J3;?1wKl}PG8y<#02ZSLtI-sG-djl
zWcTV}Pzt^&!yH`Q9x+;%K@o_MXruM(cvu$j2vYZQd)AgXc|M=%IddQaXRW!vuRlH^
zYyHu}{c_WI6B>?;a*~61G(Z;T@m*MdZH$snsAp4L{~4&3<l>w<;PFiA7crzYB19cr
z@;Y8_r+lcnl_lw}`D77jNudxik=@Nif=+DGslF_}ZE8F*J1zXj{b50k@ZkoQqxKM)
zYFyfFuQ{J{i7aZIle?xoptdFl*cw<;{`HM6YTZ3;^GUa7;X}Vk3_hMf<2?xi@G=B<
zIE}uu_#>bb%{N(GS^Ybl)@ek#Qg69!fFW58OfqCx)YI$2q=fPln?uhm5>V~El3be3
zF^{@nNS-hra8`^pQb487yra7;r5JG`%)xV@BnDVy1x$Z;G_JhI_gEI_G=GCkm1WUC
zw4wXmS5X%bmU&OeSb<>^;7@^cQY#W`nF#I$e=AqN#y*yVH$E4n(v)X~^HM;^T?i11
zqdaje=<lDPqS#xbnw5Uw$uO;m%Y3FhGT}TpZ+-l7AZ}D-rGeI>HB2BP&+?O-fh>c<
zc*UoO^hPodZ@zNStNQ*66Y?Y^HX`~`qHa<C_A8*Vs2s6%;rAe>5h7_^LhGSQP#@!F
zO|Nh2GxrP5M@|}KsDn|rww{nCVaXpJ{?Mcq8Kbc1`jSnl<;6R37R8f%Dh%VMk(K%<
zF9kh^yb+)9L@cVsFIU&4N7N<BXeX+jDjbe!|Eokk=LYJb6W3(-E?>Q1Az2)#LgD+_
z;F6z0MW8{6xN4(r513cm`pFEXYUT6~io>~nTTf<QT!ydE#7BLSe!?bJ=t<@M(Ob_b
z5bZ>x6B}6h%T-k~JdarM<rY}tVDcAhWsbzFtp|mYIC$mJXamFtfr_j>dSmb4OVHIx
z?_;)Mc)dNOujjiEO12~_ARFtj)4IDEo%3}psBt97ooyYA_v`JKA;0(4FE87_9vMl0
z51PI#TJL*HH1oR#Y?INdDP<6h0m+f2H<4bXyh{e<`t%87Ng1mfZyj@Y6h59TRM1wu
zbFjOaJt}a`WfmQ;eAd<PKGQ`A{2gMrEn$g$6CZcIfmBS62*t;H#k}Yi6m2~GZ5RD7
z7&)u{#H`WW6}s@|le^UI0=wC_P@!q2XnCJR@}-_$#aZQl^A9Qh&qJB3bM6YR$edj(
z-v!{8LsZCO)+O4U;6moU{-h5gyIIWf^(F&ara~D<QNZ%rZBB3N7KS{XV>Vxz*;+ce
z7p)tTw3YS&(`0OJe~^A=p+~XuO{P8V{wYn4q>R*Q4D~)Q>e$U?-!gRVHAC-X)>N3T
z*XZywk~H@k&&>YF^6|mq!`zF1knO@A^S*NA$x_{X<`Td13QKR1txaA_Kau}E-N;UF
z<!A3x%XWllwripTuV3@Wn}9Lz)&B~B+h+nd5tKde^n&7d*cTlAZifbSUJhwTt#(dK
zX`lDW=5lYxMSA`o$91_0+8lBoTY(Rdv_7uRmGz6f6MEniAKTB0Vyi~%Q5%pfST2GS
zeJ>}_Nd@KmPd)J@GAAJyW1HH|?$Muvj@6BexRYo5)cd~F`_-spS9-Q)8GVMN<R0hV
z6>1)L*T=voe>uY0Uw~F(xk?{pI&ZfN1;Q<e!qSznK$cnzL{N)jBW_hZDLPr{^4Wla
zov~fyGbzevXTs)hnG5;^v^aI#dw=NOu%dPJ;$PS3#`n)`dN{ZA-d22GV&7Y=6`Yob
z7yjq<8;vITWMtwYKJP!2#8xy#7RNz>6M*|@;*?k38mE43V=eHCWpfw<qnnf*PatoU
z%Ouzuv^8bP%$xGEOG_to64&eXN9iX8!h}=jK)Eru-rQp$7bk&*Nhoz=^m+->x_C#r
znAllw?Q*~E6z81p{_Bque~HKLaDi1Q*3|XZtP#Ea-Ut0w_7PG`VGJklv<fq)XNpR+
z>gd1dIu%@Ub#a?BJX7Q2*Nx2x$mJ1*^ja}|1R)=J4Vtiv8$kotL2sflbO>$xT?hsO
zuY+Alx)(6`Z%|>0ptQfJN+lq2Q~l089zy4B)UX4LKEKP>ou21e(zDC+-0;~l@Bh{E
j`2XOe{3aXi30VC`rN0&MDDi9u{X#`SL%vehEckx_MeJN*

literal 0
HcmV?d00001

diff --git a/engine/docs/static_files/moby-project-logo.png b/engine/docs/static_files/moby-project-logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..2914186efdd0d3a6223efed318a9e6f09d79359e
GIT binary patch
literal 20458
zcmaHzV|ZlY(yo(C%#N)|GMU)6C$>GYZ95ZN6WdP5wrx+$iH*~<zx|!_@BC?9>w4F!
z)%8|aJ#|<AQjn8Cg2#gg0|P^n{2{6Y1_pi%dR+?(4SF1SdH)J}0(Vl95C*HBA~*p9
z69khK6;g2rztDwp-VjI6W@NW$2?$M3Uo~|8$uqGa_yvi@sDEFfe_~={!vNpZ)bzMJ
z=OxFB|HOOFqUg)tjw81@OE=fY#LC$z<lyHpR5&zPSV%|+2=D-Z!JaAr?3r2tY7pxG
z`%F++5Z3&f<o_LmgbILIL$Zs&Ne~nyAprnDhX(s&P5b}fcN+k3(%j9f;&4*9|6Tas
z5{UobCHfFx7f9_tdque2?{EltJTmC@x`bnM_zO^o1?GlhbB^bartc2M&0b#aX?$KE
zvbsKRvyMNv4h;K(^J)$Im7eU+8N5X!aF`&(B5>lrO2mlH7DyBnN}?$PCveLIvw4$v
z%-AE)xa!-$e`)>4SV5AVMc81}0I9(3ZL?|pnfk@E<DGaT=lda9&%0x$PT$v*E<ZEj
zWylB|Qi#DA%*X_CIZ@pCqN0cc?^5IVKADzCJ1X=YY~BB{t67L-0pWPrZfov_?aX|$
zxXStEP5<uYUfb1agQf*fZATLATcI%2jRN7Pr3$0Io`vcqyL>!OIOw+RU_fX9Xf<1h
z%79YQ@CVZ(s}06#ZRBITfB*%`T+~(P`6WVDuURE-mqP+Rzx%n({ks0)?>a5^36>qA
zv%(A2V#-n}cV=NWqEP?7#CHIv-!2*^m3qi}5A@@uoJ|JD;gCF|BOOGZxSi)i4Fc=W
z4f3@nyY5E2bFG#8`;Uutjy8ug_RTcE-=>rLGH`xUf=HGx%4dhN--l3U@0qZxp#JM0
zbbu>Mn#+>uY~|*zpzo>=Zz`363^r@P{=JZfIpy1(T{1i-UuKHwjNkC76;hGvm4-u>
z+ezgS%%JP~=PXwM$POhzyOoY;M{EXZ3n#4H6DRDMTWkj2eb;0BLxJtjyl#4(!lkS>
z#XjfNQrGzu=NvdYq5u89JYe0E{q<VBF^i^^!%v&7rI*v7fL`gI>96+Q&o?2!^A*|j
zTkL`{wzK)BGmc3@|6|$zdZ;t$&NT#{xW2O4bWzgk&0I~E*G$2%ybJgro9KXP@I&U5
z5@XGqGOeJgcc0ny;_ruK|8eXNH1Jr=nH3{KF4DLJ(=l1T7nCAw27QkMq(5v_-%3uV
z=gmsZpUYKhttq%Y|H$iALJ|MhQbsWFSd5u<x4(I;)_xwx$Jcicgl{QO7D79HgET5r
zHSDU@i~c?<j2tZg*E&~N_ay&NRoB(irZVvY{eg(|{sQNnD@Cc)inx8>p@1v{(*Il(
zBm@EK6)bqP&q6?VtSPjCm<FwNUdDm@=Lte2F~9e@DBOAhrQEeKo%{dpKV--aJ;A>M
z-obN+)IW?U<;}V}^<89CS&`rZBw~q`xjxtSw{xjFJznVx%l~BjcO$3y`>(^BS7xj`
zpUSCPa*&q-q0;@q`n`{~zQ|nY#);|h7zl^uBmCFi+Ax1@_+yFK9EF&#Mdq^+i$vIz
z>qIlzDlx1XANRkNQn$YFTCDu6{GT{e0kG!*?=;;r9n-3X+-!4NuJC_o93>eUC%(m2
z+)6kIDQYg+<Ym(P=gu?$dwg)DWY<X7tTKl)<hyjSUbKB8Se;haEM~?%UQr5k^8enJ
zL(&~Ah?ncclBAHTjMN%kyR8W^`Et~!yJwa~+oc5VhvSO2=+f{1J^BS;-|FAxeV@^|
z?fv)Tiw_HGRkWD@Nk_a$J2lJN>&JV0oe$jQe_c<I9&;uvmMC?Otn2eiXagQa$Y48<
zOeHu3;r;HUAuLJ*QTacf=Kc+W9(|^Q!@5|Cc7eQ}9`1$~@}tW=-4T;Uwq`q=u_D{$
zXu$m6c9IwFp@8rln`m8Vl!eKozAvO4G_8Cj;w`iek&0W%s0A0#g#S<Yl!Hy9&wWLF
z&hkXY!z*`Ub82&=H@m%Av>MaRC&=n1QPOC8GYtp-7lrh~1l?K87Tk{ivRb^zu(V_N
z;70XGU@Z)k)C&-900WdtWNhv2vU@+KHocsKi*9+HKJ41upCgi14i?XrAuIF6BE<zn
zW5p%WDD&?ul$4iba7%ymLMY)*uL|`$#2tWlJ0DQ%ws~e9Ncv4McXt*v(?(e(eOLT$
zd%l7}DMuTDO^G}hi67>8G$I#*uwV2&p6r$&l&XWio-5nTW6Ex$O_pPI`@-w-WV8M8
z?(*HsbNZt%6iHgKKs>KhF<;3!^nDufbzjo2*jRuvFY07oX~@}vN+yl5I7)R1&WXVV
zYSR!Wi{C5zqs{%-N0)PYcAa_jO1<a%VKi%|xne=R85{NBFTzNrZ}M_wO5_E17V`?1
z=d0h93d5^$981sVS-}aPh6ysv^X+Y4rIk;hTL13sDtH)8X0pC5fufao$%CC4!)uGF
z>qRX?hx3xn+Mn9&HTZkW7aFyYyuFUWar5U4q`RZ^h6tBR1o>=!X{%3t0I4t}brJ&#
zTeWs1butYd9L8CjWh`mZ5wr9wk~VN2>cJ3z*4w?Aa`lHUjRPf_S}*vmTqPg!dT&+D
zA<}6A{SgB?^2b#^hsi0*Y=Lt1xn`NdM+e%+ll_f&A4{G0y(iYZL2Ca||JK`e)V?9H
zQ&9vqh2QpA66db`L%Airz{iorNsy9LKLBrkEIyjK76oC;`8U*D-|cYXTe(_-4@sCI
zxG>^puy&K}7d9iIA2P>MeKZ{HRN89vDSFPJh*$vLF9BC!lr5h?sORu=FrOvN6}78t
zGlV1@fE10**X}@?2KN4Nf!|yFb0Z1&?!5IQ?OJlR-1dA1T&3RJa8U%bCs6P4IHQ*A
zR)^5Wyp=cU3nLU)soPBwp%=PT5hAWd?&8Wb9Fd3xBQ=k=53H6NqFhT5eNqc0lM~9-
zs|AtH77Bym{@`<W-(u4%#yhIE+%vVfxmnJ4I57HZyIsb!royC&hfoT!D7FalzZ5z6
zlq;-BaGc4myD4p&R=M2PneJ%U@lGNWnCT82v>f^8v6?LD(0BBZyNqEtdpCQN8a@%-
zbp=V3f<j#AhlplDFhfVrY(Le%-_W&k)x^+7w>`YE6pBO_HV11kh-tl!T!<o?S@o1Y
zW>!G3pT%~@g4qZxeIIVx?)XORpwQnnH-OLE-6(04--Py$XCG>S@cs?j)G-Ex!^FNt
zQfDp7F4?kbaLd~liKsl8=Lkhm&|Halmha!DXsIC^l1&gs=CE3im&@WiDnB_peWYFg
zS%#yKYRUE-;*Ma3h<FXi%?nnb8`EJRHMmz;O&DyovT?oKl+O{keZ=S+W|S|#(3g$R
z%7b{RK}a2qEn;A0sTIqi??&zNucFe;P-!%pWImm%cBx&Abs=<^fB`@6PN_T}4#S0^
z7r&q*;&u&`Qm?RB8TT66fI2TaqPeJ|?zK<9ph>;0kkx%bG(HiEc5(}PX_5FORWjvb
z5$L#bxOsgVoye*|j7G{7XVC9d3hbR>o^U&8i$3>wNEHTbw_V^qgXfkFz=X;#g7rCB
zLT4GVg8>#?GJs#roij;k%TJ%w-HOXL*`Kyo+`|8|ALW=$&FaPkH0Ay(Jvgf1gz1O8
zdxwc#IqlnCSX9~4;VM;~7mq+kBIf74KVQfOR%`V|5hYM9p@w(^dIYTQ+j<wRy*b-q
zuq*$(opR)<Peg3~=#!dC-F3fx$THY8Fi|P?l(k^PJr4|^9HCXOkdz+18tbtoU($BH
zEan{?pQ~j;mpPH2^v=y2IaAJtjwP@<<&m9SsXXgpM5a01HKJ@Y&iuXl0Te4R;-haG
zzPG&jY}syc30u2VUDR&&s3`Zeq`{<1%Rzfj60B<@g}~FdFDieT4~vaab&e=-%x82g
z{E=XZuTMsb`cU#{rztIawhUL6(Nc^aunB`aTU(dt?C8*a=$3wOMF>=SGM{UR_PNN2
z_RCwY`E05VS)>aF&Jx2&jfm*t%;dHj;xQF+U92<^FPaiV@Tz~8a&jm>XNi;)@SIbj
z)*Q?+;JS=qrMKs{S#Me{66r6;l#H!q%UisJjV$S#(1@kn4T`0#S|3msT!yQyVT0Ao
z;Nq$Xty-H8l8DW+zR+pt+T><d_unta>jyJk*zs-rxka21`Kw$!Kfx4IJUT~|QZ8$D
zV=4>3@$Xhxc0;Et3*7Z7exoI2S-Z~}>zqwfrP+B{Y))=GI>ddgf;Gau!!M~ti-$gn
zh~>?)s||hZ!n$g$?$NAJifAZeu1n#SjHe<I>`7whdn+jWtUi%%k?x&g1`9B5{Cbcm
z5bm}sWS0=0aLOT7N0kt@9PZK{0lckg6oy~M%TD!keu|kNwP7Z4iEuC4h>G3AdYfe=
zo!;YBFuN*EFE+6~GEVx_m@}L;L$0s;y~uPIwQOC-W^jh=d>e}Fsc>$>n;1OAV@L_T
z4S<G%HtrFQ^MN#Q*)BKYkQHu|3aQ6n8A5qT=XMB5&G_AHeOslXcc^8;$5#!3H}%)1
z{T_H|_rwH2BV($z9;34U03DbMrM=SS9Ku|5u8MlV4RG&=Fj7G*EeQ(hD%Mi9e(_`h
zHl>SekxoMH*_)aa4mkY{=vQeq_3^y9OP@1ortfcHGhX04-SVr|j-6i&(gu2F1t+dK
z7_>9@q~@IAzARc9+T!y3eK+%3T2J|Cfivf=G)YsfSY?R!-Q-b@FqWjdbvVWLZAU1U
z&yTV3btvyN$6$tl-C%OQ3y!0~bzb~VV;dBD#$;Wy*&_KHc;ZwcWDwCdsm-E|`KUO~
z?ewL1GMfQ6mTR89u~8_~|4UeGdA6+&4|sqIOKn-W%~#$A&*Rg3d|GA_f%PC`NxyIA
zej;COA=-S$fsnf0=}BZ(Se9G0^r`gMU;oZGk;&q7C<WK=1)AG`E1-m~_sN~_MHoz%
zAY-(d@-7)hA*=8gpWGahT0i;q)=e5UT<nObljp{JxkOYAoM|g{NgdDNB70oH^jzGq
z^1u&Uz4ifix#>XOE$MohlOZsevq$4?EL$uBJL{H8)k4^5bx8(uo75$etR%o*XTg!Q
z&4H&2TZ!g|SP&Yhq%jR@!ZKGcbiOXXDB70lEX!g=1wl@_Fh{Pk7~<!=UfroOo&HGe
zxd$XHe^o0VQSOX}GORjPO>TozE7leiY1&K>gJ=1Tw}70Rxmu4mN2gOqQn<;6RY#i0
z9zfNV-TpvmE-asq&;ZbA8$(mn@rmtrJ&{zv_QW^zs)3U(IQ#W_V!DYi@GGa=xV8Ke
zqFfDm)?W$}y+W#X-}PaOq>uOy%GK8a9|;Y8i9&5bw@Vg(y?Plw)45nCBPIRf81{s@
z5?NXNRJt8J#I2EQPx!x@2w3e!u@xmdN49&SGgx$x0bQ<pSah<y<@CVkwtIAOBhpRQ
zCLxudjMA6onByS>QuA!3s~mRQMP<=NH*J&NB3?_1d0XP!ZIG;$z$026%k&_N?oRGz
zGwS1&(8pA2F~_w=@4Rvb!hV=N3PSJC50pjI01ikG7>JVTtP%#=-|2XP&_$0syO!mi
z&RL82?6cKAFub0~;>bkhw!sRjA{{>Y9JWrjG$|#X_zs*qQpKUpaK~EF+LkwV$}A)j
zE&#MD!wbBaa))+gwt+*;NEH~N-K9Eg7VhbMLpuHTtw=K*&*F!Zc{8f2iVR#79R4-B
zx0b~yRXf6gA4lmOqJP~ts^0f;8&r_W47N6OwmZEv9Z`Zs7KLHk25DyCUaH1|8`h%y
zcAF3v+Af(>)bIXEr&dPFaD5~nc!+=Ku)q;RX-KM9tLDTN3dZ?D`krm2maCVOm=MlS
zPx8aCyyc=IeHU;_eLDFpgUdVQ_54FliruuDl-X)a;)Ji{_jUiz;u!~Ag$|hmr^^Fx
zuPqsQAJJBz35`g3-+@*ov0q_5{~(q0(A`8RIX^`>c4}8`=dOf&_8gh3eoXBv#I{v|
zZhQ51huFAAT+Etl0tuvS%IZ~`<j8|MryqaHH)aOuqICa1EZ$%1A5TP5*v@D7hG|ou
zxz@V8YIdjT|J?8KW6<dI?A{sDF8Muu54&Gb>47<z;(JxCG3a&TQ?|Q(`-G!vEV&@a
zM4NeHK3{2wrDN!yHfl(XNv|+FgWDC-W3u}u4W<;tHzHrj@XLr2(4%f$5wmIW@)R%E
z=o<U&$^LA;3jJBN?8lFxpR$ZN!rw<e`o-&No2N`3>kf~OTLiN=SWDeF#*%eyIiKS?
z-6dqxzJ|=Qer?Fi;9W7&j4~%PBF7j@4Qm71i7<8vsgZjvWM@dnUjQ527e}6gR}RHz
zHBze4Q`#<fB4f>(UhQl~Yb+@OBiP9MQU)LRUd=~F9ON`l!Uon~*2sYoYGk?bCl-td
zu>EJxLNjPh)TU9XW_Pt9Wk;H;vC0AVWQ7XTP5)5t>he7-?g`Hk=~piypH8Urn_qD_
zH_-aQdGQpEZ1@jShkEt8V2unr<9>*CiVUv#^w6S8VyC}N2+NBguFiw2orWatT=DK=
z)z_SF_m=ZR2M8D;EO>7NY6;<d0$w+qAZaQ8D+*sojJGy%!y-++A+8XB7r{)X7-=H6
z!8{Lw6y8kwGh9Wr)f<<}VrrqT8$C)cn#7oFFRQdS-Qg?P{HV`5+-s}lR?duq+V=~Q
zSN57b)GseMSlB;dUSa(S6UhQOkQ~Ks^Q(9sOSgOl&2_V>c&@u<gfpO6Q(hXd=$GbT
zQrl(=#0s#Yb+DP|nBh2QrjZFsPQ?r?$b6Ggdn~I(IE>hs#4Ggxl<vDxf~vpNt{gRc
zAYp~)@Pq~tunT8JUMjST3>RlAl)Wzd-LIMVbtc1yqhu61sEpbg8+|SuOZxBrto9%{
z9km_Q6WnwRoz5UdNB4dY%taz#5r*#xjzz12l!e@Cr8)c%S{Y&r1lHl;S%#O?;qZS)
zA>^wr))ux$&(@;!^2oVB5^wM);`Z#YD0`@cxlnJ)H`H%idN1Xo*UiU?He?VJdO_9b
zcH!y#H0WX%pB`CnvX+}EE~O}(vFdFU=zzOE8b-n|{AHtU+8+Q2;vJoZ_Z%H#<84oL
z-xcw=9UFALJ+?dnJemz>n9y3tdD2a)EN=GQkhS+=fd~EOwM^UNv&U@su0ujxrO7%R
zm)xiYuG=Q6XfdrbXs@cOh~F4oa?gIQa#d+TI{BX>T<giHLVLXik3)|ahs_{mKg-u<
zG)T4d5Zo(NuJZ*y6kL7}84;}_Lfoa%3l+zZM{%kI5*-*5M5qxIsan9Y*L-N`^~N83
zK_7g_>$jV4gRXnT<Qp#M1Tl>6>w)TRi!GBg;e!fRP&jElJx`BoOs>`(N-WK(xN6(1
z#jrn-G8ngl4uedr+$20WY@P+?%Pc5M;IXf>?RFflR(igqe)eiTDVXR_#ADKCitchY
zmB}a09Od2W#J#>z>)OffreLyfumaW*%=D1I_%dgi#cYS^R*ZN8I~1V>H*NnXSir&t
z>*u?YwdyV+rjb{Z>1_5pOsgB4rM=%KoMRGnNNiRQQ-3o33H3U$QUdH3l?_JocOR0^
zs)D6SJoKn*ceF;cr*LJF`!qI=noqNHAF>*^AC12(1l)0p4I{@>J*vzpWFb5^_D{5)
zoyuxd?WT*AF=ei5We9KEl^Lut&qZXD8T7l99(_f4e|BlIm^gc8rl+5w$d8RC404Jn
z9Nc)$a-I5plHTJ+5nT7Vob%l3;I2JrcBx2?noI$8rk{JshVNLHH-H}fp5;-!tSqKT
zZH-oYG7W(BOjBD=OIZ3~G5AAuWmQ!|3CqiSf<z+~YW0kZJqcwt`ZK9=sJp0EgjKyU
z{4-!NVFetu?V5o#ci>-|2T#Zo5rf_v%yJdo7th&kZaM3V3Nz`NtJwodhrJ<(2*Rka
zOb<=Y`PE*d(<q09o6DKDkhOBT<+Ihgta+PcysZwOVb*0C4GWGceQgUIov|IPWGWwS
z`VLx|DV7}brU90Kp<+OS8A;xF_4`|XFW1<swcQ8kdR9i2FRmFI37(l3Au&0e0mx~o
zG^&BxYtk^f9v27GIo$xD!baAP><;aTMa4o1(YV%@ks{u9Ck#rfX=NY}hWAwTx5~M@
z!?b2XGM(y)+^<l#sDDv})*Y6s6gPoCmY*-$A61%bbgB_Kc)%g0Ta8No+Dyn3J$&JX
zt@ghH+J~yZnR|nO-AJb?jgogzcdlri4&ZB-Jmr`~5(^@MJfzpcaz3wy@l@&eT%+F2
z3(Ls{N*O6qw-0d{Vdm@iYK$OKt8TQu`*<0(yY8iQO6!ax93HewRI;`RKi^Pe^60uA
zbs6cKBRGi)S7>%d9H>1073YEW=B;YBQhRjql$Kna=Xc-N*c9X(?<p}yHT#{hM(?=)
zBRChvwBt!8EA3a-W~WyU;9DZ)HSo_N7rWh&3rLu+R%V@VnJmHCew@13{sw10C9WgI
z0TA+Z*P7XG|5PZ$Z#TKOgkI?^zK3|rv^m);k#975<X`_;GHvzx%Dt(U?7!7!)I3jk
zYyoQ}x)sXiIkZ<wN2Ie~hP6)s@i`-)^h4lCi>4WkSZ1sxO)&!YC$D5|K=zV@vB8O{
z#~etf_NZ?dr%{Es@ddi#hS-CDDxYwP56@e!C#8ER?c2`@&bexZ#b%Lc3-}J4E@de6
zr_>w}FrCg9N?C9%zMUxu{x!9j-?E(e$n(H(#e2e_J9nU&+sg9WdvURV!K<MYH}DkN
z3h4RW{I^Ap+?HTZc|r^Nyb?USsPp1)yW1M`_f?>}6Y_nxqM@|Ss{}Ka9wfGOReHBO
zUGU6bEUcIL4EOTpEH>nZsNp<+A|~JZqUw`w3a*Oui8L_1ui`CV)0kY{j=$*7gEA7w
zu)J`lW6_;WuPKPNV1la@s(w5z8!18Q-*LVkMtKYB6F5vV+A{+YgUe(>R<2Cl)G>*^
z-wg{@fbn81jR1Zu;N^Y+(~xhgzKM@`G%39K`S$fhkOjEVMNPVwoaJy~F;Rl2InqgS
zsGWHkOJ+zS=KeG6RefL+2`ZhI%6J}C_bwUav_f&oyxn%!nMHNEO=BskS((zHs0l?j
zF~jlA`m!Ch*GDtn2BZ&7%KXBR-ofT8GPI`kUqdQJ{m#QZIi0Q~l))(6e!b@MF%gUz
zmP7iPN>7EwiU=u5GzyjEC_yNi`HG%tjIvKit}w9abEc_i!NxxU{uvXJS}#mi#MnlC
zQt)|19*WMCfhy(~uN1@A+^6fV+e?Z*63YdgKLW}Yy7(!*h|f9x@?Y5v@MNFb(0Sw}
zABNQfpjdBK+al^sr}oRMTkj&BZBFK|*jRU&8Bq*w(mM%4GS<J?CIyk+=w0*sd~68C
zzR?R9T0ncC{lzSqTLI|wm&UaM->=^^guP$GQOQ<ZcdvN;E_K=vYb$vKt!<5~l+X*-
z+p;>1a5z(GwMMo~77s|_kGtt{QYSWMVH?b@t-+(8o2=(%W?2Vacwi^=>o=w_70;<)
zuaHA;KuwtWV&A<bn`$3JzZJx`&mMv(B7p<5JYwD9C8(N_pCjDB#~nk@k3UeU>%lr#
zPggV2u28HWxL0C_)Hl%Jx<OnE_=JnYs*l6Rz9_*-20h19P=55V=8~gj#Uf2y-iud`
zDll6#yl@VMleuJ+a(G)vXgWGA&LP?YaGHg5W^f*OwMC_=*}OjD?_sfX<KIg8Q102&
zRxxLsu;`FZCoo}Fd36SnCgOU7-7E#vHxShCJW@@5qwcT57D~luo<X`Y84)#@AL(^L
zaLbls6eGT0U89FSI^7NAY}E4_){govr7$mg23~9MdIoD93YkrRP6i>F7_Dt1X1)zv
zz#mt&KiK0|vdDmOJ3nm+PHLFq5|ty{^$3p>bk)7*UU)rNSmbM{i=rt94<-q3Wh0tR
zeTqHGDmdx4IY!T5%S&a=5rB7Q4aO~<Dp$H>w{w*M7Rhp%9$pB@A}t1m%X|s_eCx(Q
z=aHs%a;8R7uuI><FK+hBzCiunDU3^;O)G*_LqW52oLv!4UW_kXf=luZY?@$&@ei(@
zuyArb`Zx4x6dvP_y{gM*H{~nv{&}=jAaQ9kHm$COcI6qb5x383op%K0;Y;R8I^x2`
zhwA+^zxHFz_uQH~oHk+s-}-8^Q-=i6Uoscd$5U|uVsWmJfKd53Gctwm0^0-dw`tcq
zpw<@RmxI0onnurl)9SZKjFI8w95Pd7(<v8~!ILw<6ocLkl6D5DC0a5Z6dIlj%0_bN
zi8}C7@2TYKxWqM;F=lR4t9RJ+N}k>_2ihT>Pte3bPW_8=ch{)v7fU8ipm{!eKwl;l
zD;Ba%`@<X;^}(SAA-l~j{$t0!DZ=rdUv}{-Lh5&UB?&6TGI3eNg<hd83@T-oVriQ0
z+`2+rL6`ab(hyeG&OAOF4;pw-clYVCd&Twic!Sm@uE61{E#|4^`F8)$ApOEsK*nq(
zZ(AO;N+RWH{~Y_xmg!2D7ejPrkGcX_%EP87y4nmcmG{%tM0gpwd`h|dJ>d<{W}A<?
zs%}%Vmdm*~V2-!Upld@XJGO9QW@0g(a<5jQ(L@Sk4=%PI^O0_f-(O4O&FRm8*6$Xd
zcle^oPf8ar1r<d5zrAGCmcOVkBfzW~-78v|mO+}J(hhM$s|<cGABneG<z`Pv4jVdT
zh5u~DDkQe%c3bo@GNoNO(U;Jfsm|9{`Jkf*;u=W2DY^PkJCi;bTzMrOApwt}M;gg9
ze-FGA^NaP;mjg{>CZRP{PM5>V2XQqzcf41PI?OOUK<Q{8`_(s`sCzutOzwwsi5vkx
zhYUWTV)>$tjI`P*#}5@e$Tw$QF;H!v7Xj{al8+puZ?Jy19K-6e#CtjK?<VaLgOD0w
zBGt}%32ArF4yKMVvl8h*@qQ)ZtnO;}W1A|0g5nKsF0^N`LcNKtwro<n)3RSLvs|#J
zS;?b+j^t+zo7**Wqw%7aY|65RA+m|2rXwbu2uv)IIupW$YOU(9Q%I=~BzaYCWXfYv
z0NGI7Qj{Wo^W{I`e6IW+KkH=85MM+8mbFy4WkzeUg8O_q96p_;u!J_9+1`u}ea5fh
zD%<*Ox@drBq)VF8XwhS70=H^vAP*1na?2;TIAfFhCzK5~-aI|YJ|%Mpu9(6e@TH2z
zgh44HH)3;~8EsVyub<;-D=4hdaZ}tvER9NE(Smq=WbntU+9Y8GudMs3aEJiAJ)Q}T
zN&@#Ik>D!|Vci*x&-1Cv;TU_6l-fgyC*9i2{qN?eHk<Qw^PViXPOXm(k8(qe^=%y4
zUowVW(@4U!;%rPd8F*J7i=#>WgjJg@A=vE-y+@#X)^<pxHq*AVx6}gaa<F;~S&Q_;
zY<D@SD-CKb)LltNPe1s@dmm6q`x+h&<2`JtLe0RUhvE;#;Pm!b9lnXp5$hz@av&35
zjKqJHthS2H;iVuG(5M_v{iZ6FB9mY1f|_ci5qvb3oh+BV)XY|F!nopwe09(r9mF)E
zHd8W{J<rT8a_V^o&#esYgZv!oe{m>tegApAC&58ngp*AMxidP`YC|Kj*rGSw5Twci
znV8;(n}{>l9Hxw$(E<U0U^(CI&v`?<T@gB#J6Hcrk;z0$mJ<TqWEsrp^pPrs$?!9c
zG*?DYzsoi26Oq+^V40xnvLn7$p7aL~ghUK}4w&F;sVG7fY@@|i8c3$9YDynoWEj*L
z_ohjCY;pL_W?+3!x}K=0(kTVSOx9Uq^2RITrRA>WYeIbqf+V!6TlYCE7fR_*mZRhn
zze&n4rGaO%4KXJCNav+`mHt-tJ1&LZG>Uj7=iUx6#hnbz$Lv-0>E``!Y!(Ro=wg%}
zKca0zact!G`Vf{%59Q+|5cp|XVYO^G6C{z1f4BFb8_(Gvbu@p>p9@dG;!L7it{CgZ
z2q+k?P7(NU8%8{-0eY5Jgwd7c`FP@R+pX}bROkeRkhAgcVAW%$+*28@cpF2kEuIe4
z=x4d5Ga^#NM1|d-iN&Yah6u{V)25S0an(1EpKiWBI=>ImwR!GA>vsAk0;Vw6aT(zq
z+&r%%?97GSa%wnYYXq}(77C1b@R%(#mu1oWDD5X;U($WT5tPJpjehGRUPm@xAbI3Z
z0%m+wsqxy9NzrF=bZ~<3N&M^`K7kw=k6bmpd0N9z$tW9O*1F(vxo@!RL4kO<bv4tq
zNmeWEPL!V4!Z~?qJd<Kk2ixxw=U$gPaa9vpSLZY3P^y4y<nyfrP;sC<Eq8IDcjQ58
zS51&aFH0?K%1l-!C&)&&Ivzb>aD6NlXzvfN9>)bMI2e;U)|0Jk@tR@ceD(&X#cYMQ
zXr!O(@N<~i41nx8Yc+b|-`R2w0ck3SC%v`r8tzZ-)9&I7o{&9DQ8{QPM_^R$qZp(G
z9vT>g;!mL2fU_1hfj3U5Ca*<!iX`?ui76J1i+Np{N)FwRSU6RVpiqpZq}DmTNGIcb
z52UT-ozuI2IvYmTS$@z;{pL;{mIpdMGqZXuFvjMDDWVGwFnY(O6W%nMy66X1WGNaK
zI;5FQID$_Syy(hSZ^5|Tzik%zQDG1x+;!Uz8FM%J!8Dnx$ls*1dU@MzwJq7to<E1C
zeB|b7w!0&nj2^dcAvLXzd0?UQZ=HJNKWYwiy&d<y|I-#dH7#sok1B+5jf83Ue3wgY
zGb!3k>Y2gc-+!Mij&F6L*nn>*`l15u2mJXHa@ps^gy9mK?FQks;IQq!zf$>nuXQ*w
zB_C!&jUZYZoI@8dZo#2V;I!lV?0oUNIo@5UjcN5AU2<ZPnv5o)ad(aWmhR8Ko~LgS
zIGyelNAf5N<|R2l6kRw;gEfjc6@_=*{#YH2WVg@(x$TGQ55AY6sSJnJm0gP_rX^&a
z3=-SOZ1V^qYeSgq)<gqCdy`f2e~>bN^{GSs#gt^90B2q#Wt!?yKV7}5(ONFB-@Mge
zh<R&8*u%EdIp;lr5L&v>{+;CuIP4+6F3%iD{DN)u*-WmT6KJ&QG)~>MH3|-CjQ6Ux
zJc^7PYF};dC8S-;`&pyiFMlzkx)@aBC1#px1U(AL`fcB`%}XD$*#4eRVO~J5Jo;=Y
zKhdjMsR7yrN&7tw7xTwthZx}=U?hhJn{ca3NGq#Nc|_kh|F?h*8r^S}tUtq%Rs>+&
zoUdxM5@)Fs1;KD=$2)(#mAwfB5$cUL9jT^*ZZn^N!B#Z#lQK<GnEzV)-Y^znzhwl&
zkSJ;D=NDT3R4m)#4C~k*#(@2yjU`w}eX!9J3As7gof7bL{wpmoMo7-^6Sg<%eRIzX
zsN{1<ZL~D504Ka(OuSS>Nx0ei3)IA~QW>loyE&Mm^4T$1G(Y@_;8p+1QIp(A0=s-J
z2Z`yH_vX=xG)jBV4o#algt{`+RdE83AWJoJ3-GtJ>aT~IDEf)GJ2({S3xLSLP9hqF
z!Oi;?g(Gu>^0(-+yD3?CH-jyJm#aa#TF4CfGCxHYuPx+M<6^^TC`u?%961@73&7s^
z-UkD=u)?!km79EPCKVtQbt=uUtxbyyiz1c$m5UTMLX$j_9GY!#SUzXsRKG6A$xmN_
z7CR(6K=6JHvy8xLx?HQBG>g+k{4v+47CWW^BmLP0`|#;LlUz~QEbQx`&JkCNJ$IvS
zYdV-zuM*=;E-mgeWqC7^`UYoRnRb{yMbjfG)`jh6F<qnKxNF<zRlEzE?yy3D>2yMR
zx!U(}G~FZ?8)9BO>8kOw^zc4bl%-%n#_^-6xO|IAy_PgkdNlIq_N@Ep34n4{CG&9}
zdlc4kzv4ke%<GwHyWKe)QUp?@5jhbX);@+k_sbfNO3Y~A3Mx+C;yZ~PZgry*+aEr6
zX354B3o(3N?ld0(JdM_J@1D*}lM;+q^pJ6%&&Q+6&Qb3m9woX~s?F;&p#MiO>`)@D
z1)5YmYuWxUuqOLUg4H5X_N@?wtJNLVSl&_Cx(LoUKm88cUCa)(D;948!^Lpkaj4Y?
z)m;b=SqBDqes~`<P(u3$EfpUx$SLeGjXKqs=J-earqSolLb_8iMBZOiK$Q(D4mM|2
zq&@VuMxAe?3Bwc=#2hs?*0#o^=JDBb&0X99m+#{x-?-hxM_Qzw2G9mOx{AI)EK+KP
z-a(y=VVof9CB%O;i|qHE*~#8TyBlP)n(>O)Bm_hV5`JjDMD#a9C^zO7X%A*0e8gx3
z6l$$f{}X1(Z@HT$LBy7D@{D6U4tt%^Fly7Fg6e>sZU6zB9H0;c78rWG8mcfK#<3`5
zDgNd`0|N6{G(7eBZY%fnW#yep*2ba+elij>xaD@jAh-524&Y=88qD3T-lZRu9*Rk#
zU9)iRv3={60Fg}gevm1ZI{hYbGaV#{ZL8$yGZsq4tX_x_@47ACAw&Wm<?gZ=Z43|$
zdR>LB1nSdi7U0+e*Dm_OgCqY~QZ`s#kC!Od3!dEK@_ugBv}+P;><LhSn@XQtxzp78
zc5L(fvuR>e`AqINU(Qyi-?Yus6?OQ&sc-VeH%gp;*jgxQ?avF(mm#WW^uVl^Kx2qD
z^8oK^oUorcR_wNFAV0tS1qOM0$A!>>OwW!G`1Qws@GEmM118FQ*ZM+%c5-~|LmKoM
zT$Vy3RP#n*Lz(x@SCrWb^_ply`W8nCgQ-3Wknkoil}U~&?;4m2g5Ch|fF7)q*6yc)
zd3%#Slyv{0PN!6y7W?#-S{JYH?wP!P5m#=Z4mfsFIoz0bDS<iv(9HwbD`w;%tBiHH
zV|Rx?Et3~}C)IoGi8p-#v^rf0&pG^u{0*5CcFJ-8q3RSO!652s^*i-!?g3|{&HgkE
z6;#!^iFFfnm%^}^qtdFo^iDTGhkr05AZ-AaT8*(A)f!6v9|k9ly5e=kNQ(6Zg_#G`
z-$}!Sa(<vqw?1pV^F9m|qrcF1CSrz|aolKi6WEuM(-BiCSfEnooK<4|$MOo(Ky)mu
zubhT>CDTYM3NF{2{2gN&ebED2W?lVC$@@bD#R!kj?HNcKBnc4cBK3w+{&z|qRDVi1
zw6ZG_STl8re>EY9sVW(X-z59S;s0@UO%|Q=0)sLEg)#*z$l2|EAHlNhxB3f=BD9A(
z4IZ)sE8t#+^ERS?M{19897zddrX`JD)>4|V`6-LdFJ42eeK70E4&bNTA=-dN`%&Y6
zt7s!|Yqaf{9cVxaLiEzY!5HozrhlO;qH@&w)zRdRr_h>yt&C|GR!d+?Ea9&HZkZM;
z`1m10Q2gNJ%DAiHyQMT3$+@o6i2l!DT!;~ruFn}%`i5%FPU=XQKQI0yu29Ye+)XVq
zNtB5KhjjU%fVn@abmfQ!F6zN!|5Tb-Maa>QT}c8mU63RfE8w7F*+HAJWzBP)*{mIc
zdsiN=Ff%tL;_@o8rJT^~f#RtZ&XEw}NeM({bmx8ft|Hi?jtgIFKo7WLhD@o}8aEMt
zc04Lf8clTAElT~R3yw6DK36h7p5x{9Bo?_tv0<n>dG-4EcOhSw@{*L#24*JL)!!zb
z)6ED{E{8{c^93nijj(+-|Da+(q7i?a#*ScZ_0|u)&+8_a`=eSiDv$NyN-89UxqA%r
z7^EhrD5rjkn`%bmEtW|hNGCf#YY3l#iOazjf(Q?M?)PxoAl0qRRiq0M#-p&F;tQU#
zUIv>WW|&?Dv-QhPR!V!`ZaGNG072OQ`150eUC|Bco$+N6ql~V#x_*@OwUP<^%P@<Z
z`R6?rr7NwaPBRvpl|m}oK<wi-l!GxfL|9B#E(pAJT0g4ec={89Fn1c#aG{HJU>hn3
zB0`T3FL>$|ZM5pb;rB-=Xt1Fmz_(x#3Hh?)J~bJNq<?2<vD@aRA~ipdR_7WHru-fh
z<_Gb#wuF|3!JYolO%NkBQWPoZocSrm`SfOxM0~!&lk2XmI-Eu;eB4b(yq>*N-y!43
z#Uwckx+7%{zC$)Djv#a`!QS1?xrv8E;DI^YEN8sou{I3#%@_r{-qmRRGC0i6JlMt9
z_k`5z^cDF)%0P?ik19@M`U!gvoF#GEk3}&fM{n^ts*bW+Q=u|3$=}h3%*|?4)eAML
z4he*WSc2umn4yTo%sW;rnA64*o`i)5p-Py>xFTcE7$wXUk;>&5qtVCWSI%ewvBUz3
zAWrT0Eks(*ab~F!l+do>g|E>|<mxxeEks$US3=31pbeISxIcR0-|fgf&9+8s!wK9P
z^O4$zZ?T$>R56?Q;9(GW{S5uVN9FgwTPF60)0n92s?X0EC=bSygB(q#PuZVKT4iP;
z(|W3^G}~iB@k2C85JU`1-Hwn`l&{Z7VO7kA3a|Hu@}S1m=B$cssFWCq+3Yl?MZ_6G
zsQ~u+kScJ;Te{rkSTiflF@$Fl5%`qs6f$xCbA?j9A4<^g6mn0Aulc0nSixW$W!!hi
z(x74=mYU^d=ZO4QFlz2B3I0I0eSmkcz(1fFOyJ*g7^A+XeeC?>b<dm{(;#fINUj@L
zXusR1cy~PeT`!X}!5+(ts@LGA1--OM+xb}LjKhw_<s2!!sOx_=Aqn6K8+=g>j!^6K
zYrpk$fJiW=1JPka2B{66#UgER1LC(>YC+R-OKZOg>s<n-pQ5KT_309Z6woyPVSJ-R
z1sCD*zL?LJ5+M<BrGR=h_^jDA`rUIYJtwTD$Nss@4m+)|pop0RfyZ7TtzMnZ54TU^
z78cvy{z%N|H&$}@HYiPneJ)Q+>GJmEKqa+5QfvgV4Ah?B#&gBDQ0B2ijn3SR&E_o{
zjv@x;f^yekAle@(Z`qurA>`em`{QdP&yk@RH~Ec~Ix4-6mbq*WM48F29cM%=0@_gr
ztGC#5w^w_yOcVubkP2wz07i%az?b9|S5DI#R=m5{G=o8n=ghV4Ahf!b%|KpkaB~sg
zlbJyZDn7DW?2C74v+zd*x86BS(8R)I?(aalH1<h+m@IANIB*zfIj?k8y5M{?lc~7u
zv1Do?%&{khm`cs0a!y(v5HGscLid!-|8-BZ9Ua7O1{~7r2>(EI0%^v-%qohb&CR!o
zke{`w1^unpo5Fzg-5}w8=8WUhM@9Q|hXYiVmm1H0O+YnIM-y9pP@z2=FOMZ=*(K(5
zlB<1zy4f$TpJ-XY4b*32<qTH{{SjIlR$By1yGC#m(*IiUGhHd6BGrbl^Jsacp}}HZ
zZmq)yoAC8E>1WS3Zxvy$@MC3A9jpZ6nlRh>JYHz4wr{pmX3Jgh;fM#8KrpG(*?g{%
z*R+iSl*3LFtU20@AgN^NIW6f!n1O$z^_+j`{TXJZOr|?DgnpNIUT?wBY;c)hi*-+v
z=J`5^_-uLnJN@?PcDYGBz+rQ$;_Q6nw*~8N;d;sE50KD8AeBGQ&DNy?0RmbXOnL2b
zZFjghm6L6QPC++QUz;ChX3<yRFFb0wEumN;Z;vIFHDfNtf|E<Igu_KdPtR5ku_NyH
zVzn~RZUV9CwJ9|4n~Z?Akoef5!NRn56nWOV%P%<Wj59rV$15=wFn_f49Z#P?Y!z!9
zooMFj;pp_&5+vhkXyALL#bv(9#BqJBOZ=(P`jMK8h~n%XszN7>O}fSSP&93rP`CTj
z6(-$C1E9tC7Av_*Z@s7wmtlD}=rtXg;Acc?nVNEg{g7bYA9}^rSnm5%c?F-FT#!ch
z<IOsxL2FCdY_jM)#K#<7d(;wh>iA1&Kw|N9g8M{f_Ya%qjniGigbH(uz$KAL`ysF$
z<ZwuCF3nd=D-KS+Z&xQ=_Bfc|bw{aoqhewS1V%qfEF~pHb{xO`AjyRRpM+>LJ94Ex
zH@)IZ1r6>feHxP8M~O7Dp@LUtP|E$56dQk?17-R$=bBrpm{@7#QW#E;ZlECvvZ@7P
zG{~5Te$=EdG<u?|^RHir${nnCSh+Z<rAVT*KbDd`5pksKwmT8(LNXxl6v9L*z@n})
zab$bymUDOKPSO6NQbhDWWHlI%35IA07DS!Q&4FlY8dal=&c}s(A2U1-leRziaqtv-
zBc8H_C<L9vx@qVM98W4pB;Jq+Xt11-{-!ht9W8M!5c=m!jcI&w_Zl1Lf!6vz;$FYj
zW|`pjjT5|DRe$4^-U~%xw#HeCucFQB3H`bC$0SAh1UnFc;nR|K2ReU^;^)UJ)5-^J
zRK?|%mtgw}|K*yjHl~0n0I6K5>ZQ@<Udhpzc3^9r88mW(9Id{hC&<5+FOwY8aXtu-
z8P_Dz3##WzrK+HVJ8dZXw#<thi$=r5zKC+lL83oDT=1~qcnNc)?W_R3h;3HdvTUiy
z+rY$E5cIhIqFe&OmyAMcIxpUP?r{V}%|grWi#m1J8=IeMxqU7fw7N_Qt=cnd?d(W5
zZb8Jia_|)@#sw1XeWhO=o4;yJ=O^4wIILR>@vpRHDc(>rR%AvUp2y|wf7KtAS8A0(
zSos_My4g_YM1LTQ<~nN6P>-6swth3wb}U{qLFIac(X_bWEfH&RBn*@0;YRNVlR|d3
z3B+o*M^)bE%&`QhO<|C}X}9vX(dCHfA{xn3u|W$ngL{f|GV+3mm9~y_p%RKi&A1@!
zq2#TV&`dXQRw<{K%$Px~N0~C0Tb2m(hQDo&h;;+wFP}S3u)Q9ZuHBCuBBg|kTwxv<
z*qYV^T>Mou#N-#ZzcQ-SNll&PJYlukBZ&K<(di?92u6&m_KY^-Q$riPW&qWo=6Fgp
zRZlZ>G{H*h&!H&Nc2jMCL~$GLM-p#$E%c}nV5N=>S3`*P3``SypDhum_d;8%b5sXd
zkf)nbs5yo4vNeK%4lLX26BWxyKAgV+f9s<_KjRs@>KQ9q9)A@$>Tm?Cxtc=|LZyua
z3NDF}`}K`#2CEUMrow1J2FDRzw3-dQNiE+|>*LaDG-vg=vsVu2jhxrwRHxO>c(B$f
zlHxSV#guxTxkRc6jB2ZdLFq51s94g%F5?DbO;!D7E1skkBV!)n`U(p{u^Xjx0t2j8
zrpTOyX~eltKRnw3x<stitWM+;y!LmTfDpJctL^}1;8SfHzi$%tZq$&*B>is|T`Vn(
zQxET+m1;{Ho&lKD1p8{e)~|#cZF<S}(DH@77fZY9+>JgW3ZhM+O;#(el%P5{17I&D
zSP-V=tD5d5q@`&_HViYi0b`sj8juHTpbB|*K;49|L<K}KHEoe=LdO@d&cz6jv+>!w
z-(hBR8*}fIl131^hi_uo2)DNQ-Vo|W4zOO=n5s~t9afv#RDBK<Fz#vr0rK^%NH0~r
ztY`?Iu+G##KHBDG+Khg*B@Bc=W?aVt-bt4}t_Td{e`gf;OopsM18$^V)#53x555wJ
z$8@c|n)+eC*WjU$f{Kv&(TXS2?YNL$Y&1%sL319VU&R+5to^}t4wq_m4natEUK`t6
zpnJrZ0Dl%(PP*LL)r3`LD#TZa=5OaPE@xI7UHLBhe>gcIRzyS?(<`B*YwzMF$*uNw
z*f#cPL7d<Iuu?=@#7@K)7gpMlEK=C}^u%GbsMJb0->S%z8X&!r3u2ytZ`#Xe`u4Ca
zvQmK-cMt!?6KYVAAbARNRd?EQ)OCSLR|jKm2B%N4nyc$s&g)s=1TjIi=zF_c{rb=>
z)Cy`8!Gb)Nf@yx=M^^|oKbkcXl#}T=b=fkVOXl;S6I+DGw}D?5nfk3PJ`wC&zXa`1
z${k`P6Uo0(uuUBjwx@v)dq!`Fx|jj{^F}dDYt=!+X9x6pYBxbmYQMSr=SSET%ILGI
zHpfzq(x4dyRLz1MHHHFK?y}aK>NBC=p{Ftlovpocjmbl~N8SoeyD?qj6TSGI#OjNv
zjKn!vl^SdcoRRlhes!b7>t--J(MRrM)+e`A#%Dnk+0=gUai0NoB@@2qSuaMY)+dzo
zJ$EyV@uOW?%MtPjH>eFxv5M6R3UWYzfK*RnmO_EZALJZ|#~{wVH$oAh52?qrEmc~x
zTLTx6S)qY@I$BvDoBfn%CjsqXwUirUoNf*93bT$koXipP{v-6nDYnFJ708rr6a0PL
z1vsKyh__fyokD|YYe?J;v~)g??nnBCO&Z%^V@ln^c(LlI;D%ibzEWrA$H+fpo<yg~
ztC8M7Sv$~N^d7bkZLp-+Nqb*WXKpakLHUDZhaUDAYes=?_iQs|CvmmbglE)p=^=wt
zJq(QT?RG*lquZFP>1^pYeA3T6$cDrCg=N?uhSPMSgl@N1q^{RjAC48eED}oV+v<-}
zlgxS=A?noHYmRt#6=HD|MqVjef2{3R>v&3u$Aua~UFgC#e6_#tJBc4FbUL4&dte>C
zi7~Ptq#5F?)$o>rItsLMA_E4M$OK$i=LD46u44`uT$Lt_zaX&5a#vBbEIJOPQw!lu
zq-Tq(cmj1pJ>i5<zC{z@RqABE;kUwhd4UEvQW97M>7u(|&rv=~Qmb{44t@7d(n3s#
z9T}^Y&}sWeTEEIr%2VsL<nHSkP2SGbp(mI$x}<mRo#XX|{5<FY$$<uySMdsrcG(6d
zymAqB9=+QAo=q_=Tb^)=E7nv#87e?AxtzUcsSI*B-Bwq=@L|ov3Ts*U9KMo<qo7n$
z`c}L%4=esZ8YBj+5IT^o&|H3}qGM?_rL?PH-n4nl6&FWVcRD&_pSMTTO8dFZ);Y*S
z?7Nj}kRVJaVepjlFzEH<78~pOIBOzsu_%Zm@3wjZ3JRLD`rA6rsONB^bT0+`>wqPd
zOT@lqh16;ifTTZTru!md_NA?1m{DgugQ}pgx9&=?(i+y9Pf|ANoD7r%_IQumX}8V3
zM}7)f36r2%wfQ_|-<LUOGPuc=L_?cQhz1DyqeE;!vZ|<PtJCFe435n$+x70DyIn5k
zn1GGRoXi&<vRXeH1>y8C@}iPUkhncqC&ZS%MYK}DqT<q7s#IrvosXmAGwEenQ2J@Q
zQkX*20BZm=Hpb!-Wh!9#ybpihqqM$<`@&@g7a(Rm%ANP?f{p0tsZ<bF+1uG4AUT;*
z*t&)l;S}H>iMrEpefud%ZnO(I9F6n+H=0h(DZ7=d0-Xm9>8w8q7X(w9!bYuiz*``K
z)KC1KhrmTEXDsKzjO;bzg8D8~F9J3xjP<YWN3e7j(hivX0P8bOFQVxoFl6sIWi1ra
zWgyKl=DJ+{%--+~({~?p&C^Kz0RIZW4locXlWXfwJf73`8)|sPmMXz_7kPiX7Pm^D
zIR~m8<wF=jZT5>i!1M~l9}sam8ihsq9I-_n;p7LpnC|PZum_{w9h{{aSjTT`(OIC*
z>|(wFyI0LC79J{!w>Yq_hEn=0(tg`$XKG70Ht0yiVHDV)$2D&W@Ai+sZ+H8?o3_&W
zLP6LD`M+@d3MHNX%^kp8_inz<@WDdc<CA4tl~y++Q<8sYjuTj>N*S@(@O5ib(|3zN
zQzRy&a%CpB&y0PkpSLZbsME%Cm=m5x-pj|LPEQWNkR3IdSTbZ$l%&=U=X|IgQ!?ZG
znbH)Twr{G~(c)mD%jY^frpFFYBmvY4`&UG)_hB<+U09{iK+6ektQXt(C5m0uHQqPs
zdpm#EEcRUEb&p*x(J%x}VX@f(+n$8t`W&+<H~mOBU?Z*24WrckuCRec?T>%gu^f21
zoj5q{L`UlHUzgU>6R0&U>~v}L>F$&HnQiN9b3tOmWvD-Bz$j5Bfs@omyCJHN%A^H-
z9}Em7?caX^lqSYyBUv1F1h|I^-a+#+!f1R}8)%`q74{FyI}$GC84a7f`N}2yP#Y=$
z`$cN)MA~1oqDW+J_7cj3y+K|Dx0-%eo{xGlp0cB6{*81!)h2CuuVe}*ups>w&Bucn
zA{5SCFeGi9=5Qjn)^LB5<Vn2Skc<ycvBj!#wPmp2s0XA=Vr(?&5k(}p2~6FHe3)i8
zKKf_s@4h{|yP^&tWR#(aAwXsAfocABpN8{xt2K84z77^iWAsz#sx-!Jpb*-snWFWj
zueGg%4`;EXPE8P?ztj(|pMQw?U55GVI64v;U4IQR$BVS9xI5qrfU5sHQxH2`-j14s
z^K1<D9x13}O5x)^EWUa=kaZ;#A-*4cC^Q1z;V~?STalj`l&9gAi-E>+70b1x+Cl&`
zl}5LxJXO+CDPtuBQcz7K#SM(%z%9N}`B+Dxkk&!}trLqz(;S*hkkE1!!U)!aM8uvE
zT*@ix#b2pFh!>{)xt~$B{YTxFLAK#?p9TvYQ437y^DCG-8LXKo(9taLG)3Llh@7g9
z4KSWU@qcPK^Khuz|BpvB6KVz}vJ)c0(;#FgMcD^qE&E`MrI0Df`j9QmV3K{JVeH0I
zvTs8n`;4p&WiKLS`5yhA-@o^Do%^5rT<89r_wwSDTsyzjR#<9$nx_khPAqwXDsjlD
zkB;E=;Uw-w<{uPuZ_ig3)JOWLg*A`&zeqmsBHy`k#s23LM2NAif>MfS1{Oa$rT|IR
zvd{u_6)&bc?1Nu7#~1Iud6?QY_5{R_roK;oyaJo|Y2h4s#sC6x;%@A%)4VN{Th=$7
z9tG_B*tE0#`$bE2%1^Pq+o<N{p!Qm@F(5A*Tp3sVke1_D`<Q=JhoyZnVY!!hKqW{t
z1@D<zmetO#AAm+)FmqKAe55(DvcXPc`_wv5;pa_i{%tN?KP&}0IvQV5ojWE4c(1GJ
zV&!*+y?$BZD!pf#AnDMz;6#oTOU+*Ebs{|2Y_dgHt5~-M#&G6A%=VfQ39o2ocUzR#
z{Lzt$-J$Ye`isbl>|wV7r7G5>xrFmuz`!f%`lC?bnwz!1lIN%c&K$AEBy<aZNHyJI
zG@|Uxlw5H!H|w)PHJv5lL3*84HP6&^7ZjV>!x@zgp_@N#YF>y{-vS)6(UNaV(zXcI
zOQ7%NHj>uLawOWj+B>4`r73Z#8UtAcZmZL5eDZi=RnlQhk{}H=O46~N)bGB=<?`BL
zOR-Ts&==yVfb5;uTCJi5b!{VE$9Me6Ny!g|SZ<tUFlUAh@=)tQXO>6r-lp9Jm;i*T
zQP0LFJ$Jq|b{#r<6j@8Fj`lXuF6%VH1VGGHk?_s(l0EflARt0%N@!6f!@}q=GW;cV
zY|bySMIZtblwL{2%tGPdV%~g{6oubU8Bz>?S)3NCKV!o=Pe~G#&-n8$BxqezqbnZy
z`8@y877SiOn|Sj*VrU-gRcw|JqJ@{K*RUj-&Xgq>Ru$eZ25pVjiFxQ7{26ok-b&w{
zAeXHvFPaqE!6n630n~-JEa=rzk9ZQK!go(9<in?477nmARL)+rV8QXFQXUWI&At)4
z`sjPV36D>D0C|<`4^_hn1n|o3wCkoKDj1JC!vIy)E#FJ--}q%BFZj**!#%pDqFSpI
z5oNYV+V-aly4qIhCEN2pz}UTKDUJTzF}U!%ma#Z0oXE?l=-B%M1{4?J7a2?O7>IzD
z9>t2l%ksXZ{m*VbkRSHV=^MDsG2DOK*<~XP_==ef{df=aYIXYE&(T*b+~06|SfFNo
zLS`bXaz?ENZHy2cyP-<ni;_y0b+*66FN*cbtHL5Tdn$=j<<OXB)VM>d`ZQU7K?y@U
z3rO&(^z1Hu4Mt^Q$ylLhC!pYVrjHtB;fz{_#Bp?+MO165mvxspK^uX;4%oypZT23=
zMX_o>)*zll!>$*~Iw8~spD3Ds#8$~nTHqS%dRv5_)tgZv53DPLoYsD@#cLNoDa+y$
zVos){T>jw0c|zJ@0K_)ahe{q^@8cT!q)4(Z=FaGD6Kwtk{YnkWeaJ48p`IyKWkLD~
zy#dZmv81q{36;|gx5XI`i7?Hq{`x*Y6f|~<{jhANQI9rR9dFk=QDvIHa|b)!jBzIz
zwo;Dk@GR*hj#4&T#2`*t<cq?FvTufy!c-~?;YlGT<toZk`$R^uX+cHD1@zbTCXn>-
zn6gcS&q)BZVo>>HcZNzd_{3<NviuW2L61OXrF6!b@GQEW;(O}UtNp$rDMn%-dx!@|
z_NSGpMarm%;Z=5mh=?ZQCow!Fo(;psE%o*kiJ7Bc2&X$Ad3q9blY4oDd>(n4^@_6;
z%MA{ObQTYxz!!A2oj0rKpbfS^A=Tmu1iQ)VM&=f*=U7n$%jwzAPQK!7jC)B|G8u%g
zitgIG_{L52;2kps8>JBcHCYvk!`Ir2NBN$vE}t#G)w>L}!GN3t98q<cQ3t4Wa}v4o
z0*@UbeDcv<cQeaiH;O3Gx{&SJQ16*ZM>s}}@gjfebVY3F+SKs6s^+LrsnmTs+h{HB
zR-iShZe{E_VAptc-kuRQTXn*mV6=+ee8!A=hSKCFG>#hy=1o*ON!oL`I>d(=T1<@v
zi!h7r$X9xrimdLn2KV!iPyp)#+|;JbW;z^Fi~QL(DIlDM%@#A{u^`jNuNFK&njzv~
zM^5Dp$3620J1}?~A^;@CtI7RyWjc0|DN%xO*<Nar34UCCM7d0MkFYG|Mys49!ikzd
zMPGcIlwPsypdJ)0J{PYp`j0VFX&~^ID@x-XR}n9*a0ew8w8)FDvbb+{T&r;zvoN5H
z8~_u80l3~y)7d0AccAj%4u-2@;%McXOQg$*c}l72LG)o+WZrnXUgEh}+=pzfg6QpC
ze8YUZ@67Ak6yJy;ESGlj^9bAV;lWTfSIZWgUz?@2*u9_GQ*U2ISE@O??^k@UWX!7y
zTJWU266GDpdozy}Ge7la<B_?9S;*^;V+MX1zu&qS?R@Hf4>8wQHJljN2)HNl@E$Og
z1jLBWfh^bbgM2JeNnuUDP$lVRVc~u0)dA48cOZuJl6q90T|+2m?ebvMdpQklv2fW%
z*#usb-I-7<eGX0>DDei+IwKX>srl3kPlM>GiVvlzjh>b3@Te<`MKz!^=j%usvf&B9
zWRe-UI;kI%iTiTcuCJwDV@(%2rRaOvvGEez1(P5AMn%V}d?tD4E{VoP$w|kE7i~!2
zy;K^@p63O4iv3G}1k^BxB0YGXt)ziPCdXO8TQuXznNJfYZQ*`}z=7AmIx%nOb0sF{
zod5Q6EpH?rZ7j6Yq+KU@iGsr#RJTYFCU1CeltiUhHwRyx{axeQeKq|1#rQgCZjUy&
z2`>(3L9&JRqe^vOXgAgv*7?j3KBxu_A>6iizDx!nS;aa2Tu=O<E+mo2m%kU$`j64~
zl?HJAtFTjPkO|hRQb$x{`(xELcFWJc3g1i2h8)iO(7`In%@%s$uI?VfuZM7qPMY+k
zH!f%hb?7-CCPEH+QW(QI(vxijr5aBf3N|D^+Hh^N?kh6bJXj_-!w5k8!$0cG;R=9>
zDa`2iuvl5fjcW?kydc92zTEQWlh>|+E{zt=a)z+`vYxM#**~TP742^1+KguYEO-^P
zptGYu1H>+3zqG%seS=$H_{!c?XP-9KH@fz#6nT8Lw+%6H@*YCLnZA0ajmP?4Eof8;
zJ;ye^YrQRR`>7FikLK`=FLXF|;%zIujmJ6eoMb-iR6isGxR<zN!)WUFgMSst6(lII
zE>+C_-XUF>BQihL1A7%ygE{TwZpOdtcuB(iaK54kw8OuB>WyIXLILxV0{Ak$F#09_
zubm{w=yN4kW;on&8LI&?e~Y`jcJo@e0S6*(_BrA$(hzy{;giG0MhEg*LnnAll}nU%
z)R7|WZC@Kn_shP&JpKMf0LQxzTAGsfF8DOb{%>~MBG65zW3tXkOfe5=`>VlI!O!}S
z{9Pd51BE<vc(|^fBchoy26g_0te#!B4_TZoMlrd`jZ_C<8hyP5=^uFhAtwgMuH-?U
zaTa~-dHg}N`e5>gazLcITt_@JW7aX_2bFnkXOK)n7#O-4yIOY2OLxXKn>-OMLl3dM
zhXMW5BFon1q#Wtz*9jAuF<e}d$&R0l9w2E{9e1JVH3O!zf*QRk(fi`Oj8lWNR?^2A
zi9vwVW8+tn$uUAL5I1tYGL=ab(Qe%YndU$P%YpPd!pNSc&W={jF=mdD$D?SE+LZtK
z7SFGkOv-4&U>8cy*GWw2SjDrKMf(OdKKgUkzW#w8O99J@uPwFPEUB#=aU68Wg&bp(
zaL5H_c_58^QCZmJq53z$eElK{-N0P4R?0#SEznthaFayi<QT`WwwhnIB74JpI)t=y
z4+jC@*j7{Dgi83+hqp$`T(6P&N5u-I{$h!80UXnX!LhBZ<_A$}PZj~v&se9hfOE4n
zx-840P*eRIM828*M6<<c7?k#iqPIG8!L3!U3nHj1X?-tlQ1^IaS|Zbf2&zKiQarjm
z{H3N4aEQ|{UpwS5?{?1sLVY0<qf!Q*YDz2vJli34E*bDsp<mWF|DD~d&~;(>%`WCS
zk{p_rjPL*~1MVnI08c|GHSJLc^dTYWY)qIHDHnCW)ga`Y`IB<%<`)k88vmrB_|Yo*
zHjRKIVfu10;ms-YnV20-mY$RcsZqu?ug^+H<<~I@R%WO3bpH$T#Uay0<W9<QBVW7E
zX>HLdTDR&X|L&a>X2t5^RsV7Sr&0p9YHZ*J%~%joua3^w)i~&YfkH=K>zV%+4uPTZ
z_>AX&vnJqLaO6b>R6~1D&fEKaiuku4%7%8nIEQzkohi#UWg%VY3E%sYh?Ja6c!;oe
z|ALFOJNf@@S0G=d{VI&y^aOBA^9WvJLm`XWj0+V&aJNcoU92*XXq5F;LMlsEcJy@d
z&8QzsoSrr`UP(Y6KE@@b3qzNgYt{~QyK-Dh#)n!9x(k_jAcE?7N*mLs2+P%^fj@j*
z_P0EeFZqd(bFy$!*sc4>Rh9r_LN{jWZ>r{)Dz~WzK;y8%(@!^(0hvpD@0r6pAb3<Q
zmkS`Sav}XJ`&;R<+w?5}2)Fhh5UxF3Y5ytv*`tMu`)vlu!?tU4tPFgTPM5+lRu9OI
zS!r~xkH8IkzCRV<6ZJ33g~d_k;ynN3JI&64!3=A2N+xWMz)2o6?cQ-RB*k^Ey{gmf
zH~4RfiP0ZG-Qk=?4F2Qg0r{WfmB2k2=*i<}{%@J@*%3qg4K{Y{8e$!Q_no+{XQW%E
HeJ}if1jLh+

literal 0
HcmV?d00001

diff --git a/engine/errdefs/defs.go b/engine/errdefs/defs.go
new file mode 100644
index 00000000..e6a2275b
--- /dev/null
+++ b/engine/errdefs/defs.go
@@ -0,0 +1,74 @@
+package errdefs // import "github.com/docker/docker/errdefs"
+
+// ErrNotFound signals that the requested object doesn't exist
+type ErrNotFound interface {
+	NotFound()
+}
+
+// ErrInvalidParameter signals that the user input is invalid
+type ErrInvalidParameter interface {
+	InvalidParameter()
+}
+
+// ErrConflict signals that some internal state conflicts with the requested action and can't be performed.
+// A change in state should be able to clear this error.
+type ErrConflict interface {
+	Conflict()
+}
+
+// ErrUnauthorized is used to signify that the user is not authorized to perform a specific action
+type ErrUnauthorized interface {
+	Unauthorized()
+}
+
+// ErrUnavailable signals that the requested action/subsystem is not available.
+type ErrUnavailable interface {
+	Unavailable()
+}
+
+// ErrForbidden signals that the requested action cannot be performed under any circumstances.
+// When a ErrForbidden is returned, the caller should never retry the action.
+type ErrForbidden interface {
+	Forbidden()
+}
+
+// ErrSystem signals that some internal error occurred.
+// An example of this would be a failed mount request.
+type ErrSystem interface {
+	System()
+}
+
+// ErrNotModified signals that an action can't be performed because it's already in the desired state
+type ErrNotModified interface {
+	NotModified()
+}
+
+// ErrAlreadyExists is a special case of ErrConflict which signals that the desired object already exists
+type ErrAlreadyExists interface {
+	AlreadyExists()
+}
+
+// ErrNotImplemented signals that the requested action/feature is not implemented on the system as configured.
+type ErrNotImplemented interface {
+	NotImplemented()
+}
+
+// ErrUnknown signals that the kind of error that occurred is not known.
+type ErrUnknown interface {
+	Unknown()
+}
+
+// ErrCancelled signals that the action was cancelled.
+type ErrCancelled interface {
+	Cancelled()
+}
+
+// ErrDeadline signals that the deadline was reached before the action completed.
+type ErrDeadline interface {
+	DeadlineExceeded()
+}
+
+// ErrDataLoss indicates that data was lost or there is data corruption.
+type ErrDataLoss interface {
+	DataLoss()
+}
diff --git a/engine/errdefs/doc.go b/engine/errdefs/doc.go
new file mode 100644
index 00000000..c211f174
--- /dev/null
+++ b/engine/errdefs/doc.go
@@ -0,0 +1,8 @@
+// Package errdefs defines a set of error interfaces that packages should use for communicating classes of errors.
+// Errors that cross the package boundary should implement one (and only one) of these interfaces.
+//
+// Packages should not reference these interfaces directly, only implement them.
+// To check if a particular error implements one of these interfaces, there are helper
+// functions provided (e.g. `Is<SomeError>`) which can be used rather than asserting the interfaces directly.
+// If you must assert on these interfaces, be sure to check the causal chain (`err.Cause()`).
+package errdefs // import "github.com/docker/docker/errdefs"
diff --git a/engine/errdefs/helpers.go b/engine/errdefs/helpers.go
new file mode 100644
index 00000000..6169c2bc
--- /dev/null
+++ b/engine/errdefs/helpers.go
@@ -0,0 +1,240 @@
+package errdefs // import "github.com/docker/docker/errdefs"
+
+import "context"
+
+type errNotFound struct{ error }
+
+func (errNotFound) NotFound() {}
+
+func (e errNotFound) Cause() error {
+	return e.error
+}
+
+// NotFound is a helper to create an error of the class with the same name from any error type
+func NotFound(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errNotFound{err}
+}
+
+type errInvalidParameter struct{ error }
+
+func (errInvalidParameter) InvalidParameter() {}
+
+func (e errInvalidParameter) Cause() error {
+	return e.error
+}
+
+// InvalidParameter is a helper to create an error of the class with the same name from any error type
+func InvalidParameter(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errInvalidParameter{err}
+}
+
+type errConflict struct{ error }
+
+func (errConflict) Conflict() {}
+
+func (e errConflict) Cause() error {
+	return e.error
+}
+
+// Conflict is a helper to create an error of the class with the same name from any error type
+func Conflict(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errConflict{err}
+}
+
+type errUnauthorized struct{ error }
+
+func (errUnauthorized) Unauthorized() {}
+
+func (e errUnauthorized) Cause() error {
+	return e.error
+}
+
+// Unauthorized is a helper to create an error of the class with the same name from any error type
+func Unauthorized(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errUnauthorized{err}
+}
+
+type errUnavailable struct{ error }
+
+func (errUnavailable) Unavailable() {}
+
+func (e errUnavailable) Cause() error {
+	return e.error
+}
+
+// Unavailable is a helper to create an error of the class with the same name from any error type
+func Unavailable(err error) error {
+	return errUnavailable{err}
+}
+
+type errForbidden struct{ error }
+
+func (errForbidden) Forbidden() {}
+
+func (e errForbidden) Cause() error {
+	return e.error
+}
+
+// Forbidden is a helper to create an error of the class with the same name from any error type
+func Forbidden(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errForbidden{err}
+}
+
+type errSystem struct{ error }
+
+func (errSystem) System() {}
+
+func (e errSystem) Cause() error {
+	return e.error
+}
+
+// System is a helper to create an error of the class with the same name from any error type
+func System(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errSystem{err}
+}
+
+type errNotModified struct{ error }
+
+func (errNotModified) NotModified() {}
+
+func (e errNotModified) Cause() error {
+	return e.error
+}
+
+// NotModified is a helper to create an error of the class with the same name from any error type
+func NotModified(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errNotModified{err}
+}
+
+type errAlreadyExists struct{ error }
+
+func (errAlreadyExists) AlreadyExists() {}
+
+func (e errAlreadyExists) Cause() error {
+	return e.error
+}
+
+// AlreadyExists is a helper to create an error of the class with the same name from any error type
+func AlreadyExists(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errAlreadyExists{err}
+}
+
+type errNotImplemented struct{ error }
+
+func (errNotImplemented) NotImplemented() {}
+
+func (e errNotImplemented) Cause() error {
+	return e.error
+}
+
+// NotImplemented is a helper to create an error of the class with the same name from any error type
+func NotImplemented(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errNotImplemented{err}
+}
+
+type errUnknown struct{ error }
+
+func (errUnknown) Unknown() {}
+
+func (e errUnknown) Cause() error {
+	return e.error
+}
+
+// Unknown is a helper to create an error of the class with the same name from any error type
+func Unknown(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errUnknown{err}
+}
+
+type errCancelled struct{ error }
+
+func (errCancelled) Cancelled() {}
+
+func (e errCancelled) Cause() error {
+	return e.error
+}
+
+// Cancelled is a helper to create an error of the class with the same name from any error type
+func Cancelled(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errCancelled{err}
+}
+
+type errDeadline struct{ error }
+
+func (errDeadline) DeadlineExceeded() {}
+
+func (e errDeadline) Cause() error {
+	return e.error
+}
+
+// Deadline is a helper to create an error of the class with the same name from any error type
+func Deadline(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errDeadline{err}
+}
+
+type errDataLoss struct{ error }
+
+func (errDataLoss) DataLoss() {}
+
+func (e errDataLoss) Cause() error {
+	return e.error
+}
+
+// DataLoss is a helper to create an error of the class with the same name from any error type
+func DataLoss(err error) error {
+	if err == nil {
+		return nil
+	}
+	return errDataLoss{err}
+}
+
+// FromContext returns the error class from the passed in context
+func FromContext(ctx context.Context) error {
+	e := ctx.Err()
+	if e == nil {
+		return nil
+	}
+
+	if e == context.Canceled {
+		return Cancelled(e)
+	}
+	if e == context.DeadlineExceeded {
+		return Deadline(e)
+	}
+	return Unknown(e)
+}
diff --git a/engine/errdefs/helpers_test.go b/engine/errdefs/helpers_test.go
new file mode 100644
index 00000000..f1c88704
--- /dev/null
+++ b/engine/errdefs/helpers_test.go
@@ -0,0 +1,194 @@
+package errdefs // import "github.com/docker/docker/errdefs"
+
+import (
+	"errors"
+	"testing"
+)
+
+var errTest = errors.New("this is a test")
+
+type causal interface {
+	Cause() error
+}
+
+func TestNotFound(t *testing.T) {
+	if IsNotFound(errTest) {
+		t.Fatalf("did not expect not found error, got %T", errTest)
+	}
+	e := NotFound(errTest)
+	if !IsNotFound(e) {
+		t.Fatalf("expected not found error, got: %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestConflict(t *testing.T) {
+	if IsConflict(errTest) {
+		t.Fatalf("did not expect conflcit error, got %T", errTest)
+	}
+	e := Conflict(errTest)
+	if !IsConflict(e) {
+		t.Fatalf("expected conflcit error, got: %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestForbidden(t *testing.T) {
+	if IsForbidden(errTest) {
+		t.Fatalf("did not expect forbidden error, got %T", errTest)
+	}
+	e := Forbidden(errTest)
+	if !IsForbidden(e) {
+		t.Fatalf("expected forbidden error, got: %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestInvalidParameter(t *testing.T) {
+	if IsInvalidParameter(errTest) {
+		t.Fatalf("did not expect invalid argument error, got %T", errTest)
+	}
+	e := InvalidParameter(errTest)
+	if !IsInvalidParameter(e) {
+		t.Fatalf("expected invalid argument error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestNotImplemented(t *testing.T) {
+	if IsNotImplemented(errTest) {
+		t.Fatalf("did not expect not implemented error, got %T", errTest)
+	}
+	e := NotImplemented(errTest)
+	if !IsNotImplemented(e) {
+		t.Fatalf("expected not implemented error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestNotModified(t *testing.T) {
+	if IsNotModified(errTest) {
+		t.Fatalf("did not expect not modified error, got %T", errTest)
+	}
+	e := NotModified(errTest)
+	if !IsNotModified(e) {
+		t.Fatalf("expected not modified error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestAlreadyExists(t *testing.T) {
+	if IsAlreadyExists(errTest) {
+		t.Fatalf("did not expect already exists error, got %T", errTest)
+	}
+	e := AlreadyExists(errTest)
+	if !IsAlreadyExists(e) {
+		t.Fatalf("expected already exists error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestUnauthorized(t *testing.T) {
+	if IsUnauthorized(errTest) {
+		t.Fatalf("did not expect unauthorized error, got %T", errTest)
+	}
+	e := Unauthorized(errTest)
+	if !IsUnauthorized(e) {
+		t.Fatalf("expected unauthorized error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestUnknown(t *testing.T) {
+	if IsUnknown(errTest) {
+		t.Fatalf("did not expect unknown error, got %T", errTest)
+	}
+	e := Unknown(errTest)
+	if !IsUnknown(e) {
+		t.Fatalf("expected unknown error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestCancelled(t *testing.T) {
+	if IsCancelled(errTest) {
+		t.Fatalf("did not expect cancelled error, got %T", errTest)
+	}
+	e := Cancelled(errTest)
+	if !IsCancelled(e) {
+		t.Fatalf("expected cancelled error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestDeadline(t *testing.T) {
+	if IsDeadline(errTest) {
+		t.Fatalf("did not expect deadline error, got %T", errTest)
+	}
+	e := Deadline(errTest)
+	if !IsDeadline(e) {
+		t.Fatalf("expected deadline error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestDataLoss(t *testing.T) {
+	if IsDataLoss(errTest) {
+		t.Fatalf("did not expect data loss error, got %T", errTest)
+	}
+	e := DataLoss(errTest)
+	if !IsDataLoss(e) {
+		t.Fatalf("expected data loss error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestUnavailable(t *testing.T) {
+	if IsUnavailable(errTest) {
+		t.Fatalf("did not expect unavaillable error, got %T", errTest)
+	}
+	e := Unavailable(errTest)
+	if !IsUnavailable(e) {
+		t.Fatalf("expected unavaillable error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
+
+func TestSystem(t *testing.T) {
+	if IsSystem(errTest) {
+		t.Fatalf("did not expect system error, got %T", errTest)
+	}
+	e := System(errTest)
+	if !IsSystem(e) {
+		t.Fatalf("expected system error, got %T", e)
+	}
+	if cause := e.(causal).Cause(); cause != errTest {
+		t.Fatalf("causual should be errTest, got: %v", cause)
+	}
+}
diff --git a/engine/errdefs/is.go b/engine/errdefs/is.go
new file mode 100644
index 00000000..e0513331
--- /dev/null
+++ b/engine/errdefs/is.go
@@ -0,0 +1,114 @@
+package errdefs // import "github.com/docker/docker/errdefs"
+
+type causer interface {
+	Cause() error
+}
+
+func getImplementer(err error) error {
+	switch e := err.(type) {
+	case
+		ErrNotFound,
+		ErrInvalidParameter,
+		ErrConflict,
+		ErrUnauthorized,
+		ErrUnavailable,
+		ErrForbidden,
+		ErrSystem,
+		ErrNotModified,
+		ErrAlreadyExists,
+		ErrNotImplemented,
+		ErrCancelled,
+		ErrDeadline,
+		ErrDataLoss,
+		ErrUnknown:
+		return err
+	case causer:
+		return getImplementer(e.Cause())
+	default:
+		return err
+	}
+}
+
+// IsNotFound returns if the passed in error is an ErrNotFound
+func IsNotFound(err error) bool {
+	_, ok := getImplementer(err).(ErrNotFound)
+	return ok
+}
+
+// IsInvalidParameter returns if the passed in error is an ErrInvalidParameter
+func IsInvalidParameter(err error) bool {
+	_, ok := getImplementer(err).(ErrInvalidParameter)
+	return ok
+}
+
+// IsConflict returns if the passed in error is an ErrConflict
+func IsConflict(err error) bool {
+	_, ok := getImplementer(err).(ErrConflict)
+	return ok
+}
+
+// IsUnauthorized returns if the passed in error is an ErrUnauthorized
+func IsUnauthorized(err error) bool {
+	_, ok := getImplementer(err).(ErrUnauthorized)
+	return ok
+}
+
+// IsUnavailable returns if the passed in error is an ErrUnavailable
+func IsUnavailable(err error) bool {
+	_, ok := getImplementer(err).(ErrUnavailable)
+	return ok
+}
+
+// IsForbidden returns if the passed in error is an ErrForbidden
+func IsForbidden(err error) bool {
+	_, ok := getImplementer(err).(ErrForbidden)
+	return ok
+}
+
+// IsSystem returns if the passed in error is an ErrSystem
+func IsSystem(err error) bool {
+	_, ok := getImplementer(err).(ErrSystem)
+	return ok
+}
+
+// IsNotModified returns if the passed in error is a NotModified error
+func IsNotModified(err error) bool {
+	_, ok := getImplementer(err).(ErrNotModified)
+	return ok
+}
+
+// IsAlreadyExists returns if the passed in error is a AlreadyExists error
+func IsAlreadyExists(err error) bool {
+	_, ok := getImplementer(err).(ErrAlreadyExists)
+	return ok
+}
+
+// IsNotImplemented returns if the passed in error is an ErrNotImplemented
+func IsNotImplemented(err error) bool {
+	_, ok := getImplementer(err).(ErrNotImplemented)
+	return ok
+}
+
+// IsUnknown returns if the passed in error is an ErrUnknown
+func IsUnknown(err error) bool {
+	_, ok := getImplementer(err).(ErrUnknown)
+	return ok
+}
+
+// IsCancelled returns if the passed in error is an ErrCancelled
+func IsCancelled(err error) bool {
+	_, ok := getImplementer(err).(ErrCancelled)
+	return ok
+}
+
+// IsDeadline returns if the passed in error is an ErrDeadline
+func IsDeadline(err error) bool {
+	_, ok := getImplementer(err).(ErrDeadline)
+	return ok
+}
+
+// IsDataLoss returns if the passed in error is an ErrDataLoss
+func IsDataLoss(err error) bool {
+	_, ok := getImplementer(err).(ErrDataLoss)
+	return ok
+}
diff --git a/engine/hack/README.md b/engine/hack/README.md
new file mode 100644
index 00000000..a9a948ee
--- /dev/null
+++ b/engine/hack/README.md
@@ -0,0 +1,55 @@
+## About
+
+This directory contains a collection of scripts used to build and manage this
+repository. If there are any issues regarding the intention of a particular
+script (or even part of a certain script), please reach out to us.
+It may help us either refine our current scripts, or add on new ones
+that are appropriate for a given use case.
+
+## DinD (dind.sh)
+
+DinD is a wrapper script which allows Docker to be run inside a Docker
+container. DinD requires the container to
+be run with privileged mode enabled.
+
+## Generate Authors (generate-authors.sh)
+
+Generates AUTHORS; a file with all the names and corresponding emails of
+individual contributors. AUTHORS can be found in the home directory of
+this repository.
+
+## Make
+
+There are two make files, each with different extensions. Neither are supposed
+to be called directly; only invoke `make`. Both scripts run inside a Docker
+container.
+
+### make.ps1
+
+- The Windows native build script that uses PowerShell semantics; it is limited
+unlike `hack\make.sh` since it does not provide support for the full set of
+operations provided by the Linux counterpart, `make.sh`. However, `make.ps1`
+does provide support for local Windows development and Windows to Windows CI.
+More information is found within `make.ps1` by the author, @jhowardmsft
+
+### make.sh
+
+- Referenced via `make test` when running tests on a local machine,
+or directly referenced when running tests inside a Docker development container.  
+- When running on a local machine, `make test` to run all tests found in
+`test`, `test-unit`, `test-integration`, and `test-docker-py` on
+your local machine. The default timeout is set in `make.sh` to 60 minutes
+(`${TIMEOUT:=60m}`), since it currently takes up to an hour to run
+all of the tests.
+- When running inside a Docker development container, `hack/make.sh` does
+not have a single target that runs all the tests. You need to provide a
+single command line with multiple targets that performs the same thing.
+An example referenced from [Run targets inside a development container](https://docs.docker.com/opensource/project/test-and-docs/#run-targets-inside-a-development-container): `root@5f8630b873fe:/go/src/github.com/moby/moby# hack/make.sh dynbinary binary cross test-unit test-integration test-docker-py`
+- For more information related to testing outside the scope of this README,
+refer to
+[Run tests and test documentation](https://docs.docker.com/opensource/project/test-and-docs/)
+
+## Vendor (vendor.sh)
+
+A shell script that is a wrapper around Vndr. For information on how to use
+this, please refer to [vndr's README](https://github.com/LK4D4/vndr/blob/master/README.md)
diff --git a/engine/hack/ci/arm b/engine/hack/ci/arm
new file mode 100755
index 00000000..e60332a6
--- /dev/null
+++ b/engine/hack/ci/arm
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# Entrypoint for jenkins arm CI build
+set -eu -o pipefail
+
+hack/test/unit
+
+hack/make.sh \
+	binary-daemon \
+	dynbinary \
+	test-integration
diff --git a/engine/hack/ci/experimental b/engine/hack/ci/experimental
new file mode 100755
index 00000000..9ccbc842
--- /dev/null
+++ b/engine/hack/ci/experimental
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# Entrypoint for jenkins experimental CI
+set -eu -o pipefail
+
+export DOCKER_EXPERIMENTAL=y
+
+hack/make.sh \
+	binary-daemon \
+	test-integration
diff --git a/engine/hack/ci/janky b/engine/hack/ci/janky
new file mode 100755
index 00000000..f2bdfbf3
--- /dev/null
+++ b/engine/hack/ci/janky
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Entrypoint for jenkins janky CI build
+set -eu -o pipefail
+
+hack/validate/default
+hack/test/unit
+bash <(curl -s https://codecov.io/bash) \
+    -f coverage.txt \
+    -C "$GIT_SHA1" || \
+    echo 'Codecov failed to upload'
+
+hack/make.sh \
+	binary-daemon \
+	dynbinary \
+	test-docker-py \
+	test-integration \
+	cross
diff --git a/engine/hack/ci/powerpc b/engine/hack/ci/powerpc
new file mode 100755
index 00000000..c36cf37d
--- /dev/null
+++ b/engine/hack/ci/powerpc
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# Entrypoint for jenkins powerpc CI build
+set -eu -o pipefail
+
+hack/test/unit
+hack/make.sh dynbinary test-integration
diff --git a/engine/hack/ci/z b/engine/hack/ci/z
new file mode 100755
index 00000000..5ba868e8
--- /dev/null
+++ b/engine/hack/ci/z
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# Entrypoint for jenkins s390x (z) CI build
+set -eu -o pipefail
+
+hack/test/unit
+hack/make.sh dynbinary test-integration
diff --git a/engine/hack/dind b/engine/hack/dind
new file mode 100755
index 00000000..3254f9db
--- /dev/null
+++ b/engine/hack/dind
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -e
+
+# DinD: a wrapper script which allows docker to be run inside a docker container.
+# Original version by Jerome Petazzoni <jerome@docker.com>
+# See the blog post: https://blog.docker.com/2013/09/docker-can-now-run-within-docker/
+#
+# This script should be executed inside a docker container in privileged mode
+# ('docker run --privileged', introduced in docker 0.6).
+
+# Usage: dind CMD [ARG...]
+
+# apparmor sucks and Docker needs to know that it's in a container (c) @tianon
+export container=docker
+
+if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
+	mount -t securityfs none /sys/kernel/security || {
+		echo >&2 'Could not mount /sys/kernel/security.'
+		echo >&2 'AppArmor detection and --privileged mode might break.'
+	}
+fi
+
+# Mount /tmp (conditionally)
+if ! mountpoint -q /tmp; then
+	mount -t tmpfs none /tmp
+fi
+
+if [ $# -gt 0 ]; then
+	exec "$@"
+fi
+
+echo >&2 'ERROR: No command specified.'
+echo >&2 'You probably want to run hack/make.sh, or maybe a shell?'
diff --git a/engine/hack/dockerfile/install/containerd.installer b/engine/hack/dockerfile/install/containerd.installer
new file mode 100755
index 00000000..dceae495
--- /dev/null
+++ b/engine/hack/dockerfile/install/containerd.installer
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+
+# containerd is also pinned in vendor.conf. When updating the binary
+# version you may also need to update the vendor version to pick up bug
+# fixes or new APIs.
+CONTAINERD_COMMIT=468a545b9edcd5932818eb9de8e72413e616e86e # v1.1.2
+
+install_containerd() {
+	echo "Install containerd version $CONTAINERD_COMMIT"
+	git clone https://github.com/containerd/containerd.git "$GOPATH/src/github.com/containerd/containerd"
+	cd "$GOPATH/src/github.com/containerd/containerd"
+	git checkout -q "$CONTAINERD_COMMIT"
+
+	(
+
+		export BUILDTAGS='static_build netgo'
+		export EXTRA_FLAGS='-buildmode=pie'
+		export EXTRA_LDFLAGS='-extldflags "-fno-PIC -static"'
+
+		# Reset build flags to nothing if we want a dynbinary
+		if [ "$1" == "dynamic" ]; then
+			export BUILDTAGS=''
+			export EXTRA_FLAGS=''
+			export EXTRA_LDFLAGS=''
+		fi
+
+		make
+	)
+
+	mkdir -p ${PREFIX}
+
+	cp bin/containerd ${PREFIX}/docker-containerd
+	cp bin/containerd-shim ${PREFIX}/docker-containerd-shim
+	cp bin/ctr ${PREFIX}/docker-containerd-ctr
+}
diff --git a/engine/hack/dockerfile/install/dockercli.installer b/engine/hack/dockerfile/install/dockercli.installer
new file mode 100755
index 00000000..ae3aa0dd
--- /dev/null
+++ b/engine/hack/dockerfile/install/dockercli.installer
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+DOCKERCLI_CHANNEL=${DOCKERCLI_CHANNEL:-edge}
+DOCKERCLI_VERSION=${DOCKERCLI_VERSION:-17.06.0-ce}
+
+install_dockercli() {
+	echo "Install docker/cli version $DOCKERCLI_VERSION from $DOCKERCLI_CHANNEL"
+
+	arch=$(uname -m)
+	# No official release of these platforms
+	if [[ "$arch" != "x86_64" ]] && [[ "$arch" != "s390x" ]]; then
+		build_dockercli
+		return
+	fi
+
+	url=https://download.docker.com/linux/static
+	curl -Ls $url/$DOCKERCLI_CHANNEL/$arch/docker-$DOCKERCLI_VERSION.tgz | \
+	tar -xz docker/docker
+	mkdir -p ${PREFIX}
+	mv docker/docker ${PREFIX}/
+	rmdir docker
+}
+
+build_dockercli() {
+	git clone https://github.com/docker/docker-ce "$GOPATH/tmp/docker-ce"
+	cd "$GOPATH/tmp/docker-ce"
+	git checkout -q "v$DOCKERCLI_VERSION"
+	mkdir -p "$GOPATH/src/github.com/docker"
+	mv components/cli "$GOPATH/src/github.com/docker/cli"
+	go build -buildmode=pie -o ${PREFIX}/docker github.com/docker/cli/cmd/docker
+}
diff --git a/engine/hack/dockerfile/install/gometalinter.installer b/engine/hack/dockerfile/install/gometalinter.installer
new file mode 100755
index 00000000..13500e1c
--- /dev/null
+++ b/engine/hack/dockerfile/install/gometalinter.installer
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+GOMETALINTER_COMMIT=bfcc1d6942136fd86eb6f1a6fb328de8398fbd80
+
+install_gometalinter() {
+	echo "Installing gometalinter version $GOMETALINTER_COMMIT"
+	go get -d github.com/alecthomas/gometalinter
+	cd "$GOPATH/src/github.com/alecthomas/gometalinter"
+	git checkout -q "$GOMETALINTER_COMMIT"
+	go build -buildmode=pie -o ${PREFIX}/gometalinter github.com/alecthomas/gometalinter
+	GOBIN=${PREFIX} ${PREFIX}/gometalinter --install
+}
diff --git a/engine/hack/dockerfile/install/install.sh b/engine/hack/dockerfile/install/install.sh
new file mode 100755
index 00000000..a0ff09da
--- /dev/null
+++ b/engine/hack/dockerfile/install/install.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+set -x
+
+RM_GOPATH=0
+
+TMP_GOPATH=${TMP_GOPATH:-""}
+
+: ${PREFIX:="/usr/local/bin"}
+
+if [ -z "$TMP_GOPATH" ]; then
+	export GOPATH="$(mktemp -d)"
+	RM_GOPATH=1
+else
+	export GOPATH="$TMP_GOPATH"
+fi
+
+dir="$(dirname $0)"
+
+bin=$1
+shift
+
+if [ ! -f "${dir}/${bin}.installer" ]; then
+	echo "Could not find installer for \"$bin\""
+	exit 1
+fi
+
+. $dir/$bin.installer
+install_$bin "$@"
diff --git a/engine/hack/dockerfile/install/proxy.installer b/engine/hack/dockerfile/install/proxy.installer
new file mode 100755
index 00000000..4983d909
--- /dev/null
+++ b/engine/hack/dockerfile/install/proxy.installer
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When
+# updating the binary version, consider updating github.com/docker/libnetwork
+# in vendor.conf accordingly
+LIBNETWORK_COMMIT=3ac297bc7fd0afec9051bbb47024c9bc1d75bf5b
+
+install_proxy() {
+	case "$1" in
+		"dynamic")
+			install_proxy_dynamic
+			return
+			;;
+		"")
+			export CGO_ENABLED=0
+			_install_proxy
+			;;
+		*)
+			echo 'Usage: $0 [dynamic]'
+			;;
+	esac
+}
+
+install_proxy_dynamic() {
+	export PROXY_LDFLAGS="-linkmode=external" install_proxy
+	export BUILD_MODE="-buildmode=pie"
+	_install_proxy
+}
+
+_install_proxy() {
+	echo "Install docker-proxy version $LIBNETWORK_COMMIT"
+	git clone https://github.com/docker/libnetwork.git "$GOPATH/src/github.com/docker/libnetwork"
+	cd "$GOPATH/src/github.com/docker/libnetwork"
+	git checkout -q "$LIBNETWORK_COMMIT"
+	go build $BUILD_MODE -ldflags="$PROXY_LDFLAGS" -o ${PREFIX}/docker-proxy github.com/docker/libnetwork/cmd/proxy
+}
+
+
diff --git a/engine/hack/dockerfile/install/runc.installer b/engine/hack/dockerfile/install/runc.installer
new file mode 100755
index 00000000..62263b3c
--- /dev/null
+++ b/engine/hack/dockerfile/install/runc.installer
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# When updating RUNC_COMMIT, also update runc in vendor.conf accordingly
+RUNC_COMMIT=69663f0bd4b60df09991c08812a60108003fa340
+
+install_runc() {
+	# Do not build with ambient capabilities support
+	RUNC_BUILDTAGS="${RUNC_BUILDTAGS:-"seccomp apparmor selinux"}"
+
+	echo "Install runc version $RUNC_COMMIT"
+	git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc"
+	cd "$GOPATH/src/github.com/opencontainers/runc"
+	git checkout -q "$RUNC_COMMIT"
+	if [ -z "$1" ]; then
+		target=static
+	else
+		target="$1"
+	fi
+	make BUILDTAGS="$RUNC_BUILDTAGS" "$target"
+	mkdir -p ${PREFIX}
+	cp runc ${PREFIX}/docker-runc
+}
diff --git a/engine/hack/dockerfile/install/tini.installer b/engine/hack/dockerfile/install/tini.installer
new file mode 100755
index 00000000..34f43f15
--- /dev/null
+++ b/engine/hack/dockerfile/install/tini.installer
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+TINI_COMMIT=fec3683b971d9c3ef73f284f176672c44b448662 # v0.18.0
+
+install_tini() {
+	echo "Install tini version $TINI_COMMIT"
+	git clone https://github.com/krallin/tini.git "$GOPATH/tini"
+	cd "$GOPATH/tini"
+	git checkout -q "$TINI_COMMIT"
+	cmake .
+	make tini-static
+	mkdir -p ${PREFIX}
+	cp tini-static ${PREFIX}/docker-init
+}
diff --git a/engine/hack/dockerfile/install/tomlv.installer b/engine/hack/dockerfile/install/tomlv.installer
new file mode 100755
index 00000000..c926454f
--- /dev/null
+++ b/engine/hack/dockerfile/install/tomlv.installer
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# When updating TOMLV_COMMIT, consider updating github.com/BurntSushi/toml
+# in vendor.conf accordingly
+TOMLV_COMMIT=a368813c5e648fee92e5f6c30e3944ff9d5e8895
+
+install_tomlv() {
+	echo "Install tomlv version $TOMLV_COMMIT"
+	git clone https://github.com/BurntSushi/toml.git "$GOPATH/src/github.com/BurntSushi/toml"
+	cd "$GOPATH/src/github.com/BurntSushi/toml" && git checkout -q "$TOMLV_COMMIT"
+	go build -v -buildmode=pie -o ${PREFIX}/tomlv github.com/BurntSushi/toml/cmd/tomlv
+}
diff --git a/engine/hack/dockerfile/install/vndr.installer b/engine/hack/dockerfile/install/vndr.installer
new file mode 100755
index 00000000..1d30eecc
--- /dev/null
+++ b/engine/hack/dockerfile/install/vndr.installer
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+VNDR_COMMIT=a6e196d8b4b0cbbdc29aebdb20c59ac6926bb384
+
+install_vndr() {
+	echo "Install vndr version $VNDR_COMMIT"
+	git clone https://github.com/LK4D4/vndr.git "$GOPATH/src/github.com/LK4D4/vndr"
+	cd "$GOPATH/src/github.com/LK4D4/vndr"
+	git checkout -q "$VNDR_COMMIT"
+	go build -buildmode=pie -v -o ${PREFIX}/vndr .
+}
diff --git a/engine/hack/generate-authors.sh b/engine/hack/generate-authors.sh
new file mode 100755
index 00000000..680bdb7b
--- /dev/null
+++ b/engine/hack/generate-authors.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -e
+
+cd "$(dirname "$(readlink -f "$BASH_SOURCE")")/.."
+
+# see also ".mailmap" for how email addresses and names are deduplicated
+
+{
+	cat <<-'EOH'
+	# This file lists all individuals having contributed content to the repository.
+	# For how it is generated, see `hack/generate-authors.sh`.
+	EOH
+	echo
+	git log --format='%aN <%aE>' | LC_ALL=C.UTF-8 sort -uf
+} > AUTHORS
diff --git a/engine/hack/generate-swagger-api.sh b/engine/hack/generate-swagger-api.sh
new file mode 100755
index 00000000..a01a5738
--- /dev/null
+++ b/engine/hack/generate-swagger-api.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -eu
+
+swagger generate model -f api/swagger.yaml \
+    -t api -m types --skip-validator -C api/swagger-gen.yaml \
+    -n ErrorResponse \
+    -n GraphDriverData \
+    -n IdResponse \
+    -n ImageDeleteResponseItem \
+    -n ImageSummary \
+    -n Plugin -n PluginDevice -n PluginMount -n PluginEnv -n PluginInterfaceType \
+    -n Port \
+    -n ServiceUpdateResponse \
+    -n Volume
+
+swagger generate operation -f api/swagger.yaml \
+    -t api -a types -m types -C api/swagger-gen.yaml \
+    -T api/templates --skip-responses --skip-parameters --skip-validator \
+    -n Authenticate \
+    -n ContainerChanges \
+    -n ContainerCreate \
+    -n ContainerTop \
+    -n ContainerUpdate \
+    -n ContainerWait \
+    -n ImageHistory \
+    -n VolumeCreate \
+    -n VolumeList
diff --git a/engine/hack/integration-cli-on-swarm/README.md b/engine/hack/integration-cli-on-swarm/README.md
new file mode 100644
index 00000000..4f4f67d4
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/README.md
@@ -0,0 +1,69 @@
+# Integration Testing on Swarm
+
+IT on Swarm allows you to execute integration test in parallel across a Docker Swarm cluster
+
+## Architecture
+
+### Master service
+
+  - Works as a funker caller
+  - Calls a worker funker (`-worker-service`) with a chunk of `-check.f` filter strings (passed as a file via `-input` flag, typically `/mnt/input`)
+
+### Worker service
+
+  - Works as a funker callee
+  - Executes an equivalent of `TESTFLAGS=-check.f TestFoo|TestBar|TestBaz ... make test-integration` using the bind-mounted API socket (`docker.sock`)
+
+### Client
+
+  - Controls master and workers via `docker stack`
+  - No need to have a local daemon
+
+Typically, the master and workers are supposed to be running on a cloud environment,
+while the client is supposed to be running on a laptop, e.g. Docker for Mac/Windows.
+
+## Requirement
+
+  - Docker daemon 1.13 or later
+  - Private registry for distributed execution with multiple nodes
+
+## Usage
+
+### Step 1: Prepare images
+
+    $ make build-integration-cli-on-swarm
+
+Following environment variables are known to work in this step:
+
+ - `BUILDFLAGS`
+ - `DOCKER_INCREMENTAL_BINARY`
+
+Note: during the transition into Moby Project, you might need to create a symbolic link `$GOPATH/src/github.com/docker/docker` to `$GOPATH/src/github.com/moby/moby`. 
+
+### Step 2: Execute tests
+
+    $ ./hack/integration-cli-on-swarm/integration-cli-on-swarm -replicas 40 -push-worker-image YOUR_REGISTRY.EXAMPLE.COM/integration-cli-worker:latest 
+
+Following environment variables are known to work in this step:
+
+ - `DOCKER_GRAPHDRIVER`
+ - `DOCKER_EXPERIMENTAL`
+
+#### Flags
+
+Basic flags:
+
+ - `-replicas N`: the number of worker service replicas. i.e. degree of parallelism.
+ - `-chunks N`: the number of chunks. By default, `chunks` == `replicas`.
+ - `-push-worker-image REGISTRY/IMAGE:TAG`: push the worker image to the registry. Note that if you have only single node and hence you do not need a private registry, you do not need to specify `-push-worker-image`.
+
+Experimental flags for mitigating makespan nonuniformity:
+
+ - `-shuffle`: Shuffle the test filter strings
+
+Flags for debugging IT on Swarm itself:
+
+ - `-rand-seed N`: the random seed. This flag is useful for deterministic replaying. By default(0), the timestamp is used.
+ - `-filters-file FILE`: the file contains `-check.f` strings. By default, the file is automatically generated.
+ - `-dry-run`: skip the actual workload
+ - `keep-executor`: do not auto-remove executor containers, which is used for running privileged programs on Swarm
diff --git a/engine/hack/integration-cli-on-swarm/agent/Dockerfile b/engine/hack/integration-cli-on-swarm/agent/Dockerfile
new file mode 100644
index 00000000..1ae228f6
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/Dockerfile
@@ -0,0 +1,6 @@
+# this Dockerfile is solely used for the master image.
+# Please refer to the top-level Makefile for the worker image.
+FROM golang:1.7
+ADD . /go/src/github.com/docker/docker/hack/integration-cli-on-swarm/agent
+RUN go build -buildmode=pie -o /master github.com/docker/docker/hack/integration-cli-on-swarm/agent/master
+ENTRYPOINT ["/master"]
diff --git a/engine/hack/integration-cli-on-swarm/agent/master/call.go b/engine/hack/integration-cli-on-swarm/agent/master/call.go
new file mode 100644
index 00000000..dab9c670
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/master/call.go
@@ -0,0 +1,132 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/bfirsh/funker-go"
+	"github.com/docker/docker/hack/integration-cli-on-swarm/agent/types"
+)
+
+const (
+	// funkerRetryTimeout is for the issue https://github.com/bfirsh/funker/issues/3
+	// When all the funker replicas are busy in their own job, we cannot connect to funker.
+	funkerRetryTimeout  = 1 * time.Hour
+	funkerRetryDuration = 1 * time.Second
+)
+
+// ticker is needed for some CI (e.g., on Travis, job is aborted when no output emitted for 10 minutes)
+func ticker(d time.Duration) chan struct{} {
+	t := time.NewTicker(d)
+	stop := make(chan struct{})
+	go func() {
+		for {
+			select {
+			case <-t.C:
+				log.Printf("tick (just for keeping CI job active) per %s", d.String())
+			case <-stop:
+				t.Stop()
+			}
+		}
+	}()
+	return stop
+}
+
+func executeTests(funkerName string, testChunks [][]string) error {
+	tickerStopper := ticker(9*time.Minute + 55*time.Second)
+	defer func() {
+		close(tickerStopper)
+	}()
+	begin := time.Now()
+	log.Printf("Executing %d chunks in parallel, against %q", len(testChunks), funkerName)
+	var wg sync.WaitGroup
+	var passed, failed uint32
+	for chunkID, tests := range testChunks {
+		log.Printf("Executing chunk %d (contains %d test filters)", chunkID, len(tests))
+		wg.Add(1)
+		go func(chunkID int, tests []string) {
+			defer wg.Done()
+			chunkBegin := time.Now()
+			result, err := executeTestChunkWithRetry(funkerName, types.Args{
+				ChunkID: chunkID,
+				Tests:   tests,
+			})
+			if result.RawLog != "" {
+				for _, s := range strings.Split(result.RawLog, "\n") {
+					log.Printf("Log (chunk %d): %s", chunkID, s)
+				}
+			}
+			if err != nil {
+				log.Printf("Error while executing chunk %d: %v",
+					chunkID, err)
+				atomic.AddUint32(&failed, 1)
+			} else {
+				if result.Code == 0 {
+					atomic.AddUint32(&passed, 1)
+				} else {
+					atomic.AddUint32(&failed, 1)
+				}
+				log.Printf("Finished chunk %d [%d/%d] with %d test filters in %s, code=%d.",
+					chunkID, passed+failed, len(testChunks), len(tests),
+					time.Since(chunkBegin), result.Code)
+			}
+		}(chunkID, tests)
+	}
+	wg.Wait()
+	// TODO: print actual tests rather than chunks
+	log.Printf("Executed %d chunks in %s. PASS: %d, FAIL: %d.",
+		len(testChunks), time.Since(begin), passed, failed)
+	if failed > 0 {
+		return fmt.Errorf("%d chunks failed", failed)
+	}
+	return nil
+}
+
+func executeTestChunk(funkerName string, args types.Args) (types.Result, error) {
+	ret, err := funker.Call(funkerName, args)
+	if err != nil {
+		return types.Result{}, err
+	}
+	tmp, err := json.Marshal(ret)
+	if err != nil {
+		return types.Result{}, err
+	}
+	var result types.Result
+	err = json.Unmarshal(tmp, &result)
+	return result, err
+}
+
+func executeTestChunkWithRetry(funkerName string, args types.Args) (types.Result, error) {
+	begin := time.Now()
+	for i := 0; time.Since(begin) < funkerRetryTimeout; i++ {
+		result, err := executeTestChunk(funkerName, args)
+		if err == nil {
+			log.Printf("executeTestChunk(%q, %d) returned code %d in trial %d", funkerName, args.ChunkID, result.Code, i)
+			return result, nil
+		}
+		if errorSeemsInteresting(err) {
+			log.Printf("Error while calling executeTestChunk(%q, %d), will retry (trial %d): %v",
+				funkerName, args.ChunkID, i, err)
+		}
+		// TODO: non-constant sleep
+		time.Sleep(funkerRetryDuration)
+	}
+	return types.Result{}, fmt.Errorf("could not call executeTestChunk(%q, %d) in %v", funkerName, args.ChunkID, funkerRetryTimeout)
+}
+
+//  errorSeemsInteresting returns true if err does not seem about https://github.com/bfirsh/funker/issues/3
+func errorSeemsInteresting(err error) bool {
+	boringSubstrs := []string{"connection refused", "connection reset by peer", "no such host", "transport endpoint is not connected", "no route to host"}
+	errS := err.Error()
+	for _, boringS := range boringSubstrs {
+		if strings.Contains(errS, boringS) {
+			return false
+		}
+	}
+	return true
+}
diff --git a/engine/hack/integration-cli-on-swarm/agent/master/master.go b/engine/hack/integration-cli-on-swarm/agent/master/master.go
new file mode 100644
index 00000000..a0d9a0d3
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/master/master.go
@@ -0,0 +1,65 @@
+package main
+
+import (
+	"errors"
+	"flag"
+	"io/ioutil"
+	"log"
+	"strings"
+)
+
+func main() {
+	if err := xmain(); err != nil {
+		log.Fatalf("fatal error: %v", err)
+	}
+}
+
+func xmain() error {
+	workerService := flag.String("worker-service", "", "Name of worker service")
+	chunks := flag.Int("chunks", 0, "Number of chunks")
+	input := flag.String("input", "", "Path to input file")
+	randSeed := flag.Int64("rand-seed", int64(0), "Random seed")
+	shuffle := flag.Bool("shuffle", false, "Shuffle the input so as to mitigate makespan nonuniformity")
+	flag.Parse()
+	if *workerService == "" {
+		return errors.New("worker-service unset")
+	}
+	if *chunks == 0 {
+		return errors.New("chunks unset")
+	}
+	if *input == "" {
+		return errors.New("input unset")
+	}
+
+	tests, err := loadTests(*input)
+	if err != nil {
+		return err
+	}
+	testChunks := chunkTests(tests, *chunks, *shuffle, *randSeed)
+	log.Printf("Loaded %d tests (%d chunks)", len(tests), len(testChunks))
+	return executeTests(*workerService, testChunks)
+}
+
+func chunkTests(tests []string, numChunks int, shuffle bool, randSeed int64) [][]string {
+	// shuffling (experimental) mitigates makespan nonuniformity
+	// Not sure this can cause some locality problem..
+	if shuffle {
+		shuffleStrings(tests, randSeed)
+	}
+	return chunkStrings(tests, numChunks)
+}
+
+func loadTests(filename string) ([]string, error) {
+	b, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	var tests []string
+	for _, line := range strings.Split(string(b), "\n") {
+		s := strings.TrimSpace(line)
+		if s != "" {
+			tests = append(tests, s)
+		}
+	}
+	return tests, nil
+}
diff --git a/engine/hack/integration-cli-on-swarm/agent/master/set.go b/engine/hack/integration-cli-on-swarm/agent/master/set.go
new file mode 100644
index 00000000..d28c41da
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/master/set.go
@@ -0,0 +1,28 @@
+package main
+
+import (
+	"math/rand"
+)
+
+// chunkStrings chunks the string slice
+func chunkStrings(x []string, numChunks int) [][]string {
+	var result [][]string
+	chunkSize := (len(x) + numChunks - 1) / numChunks
+	for i := 0; i < len(x); i += chunkSize {
+		ub := i + chunkSize
+		if ub > len(x) {
+			ub = len(x)
+		}
+		result = append(result, x[i:ub])
+	}
+	return result
+}
+
+// shuffleStrings shuffles strings
+func shuffleStrings(x []string, seed int64) {
+	r := rand.New(rand.NewSource(seed))
+	for i := range x {
+		j := r.Intn(i + 1)
+		x[i], x[j] = x[j], x[i]
+	}
+}
diff --git a/engine/hack/integration-cli-on-swarm/agent/master/set_test.go b/engine/hack/integration-cli-on-swarm/agent/master/set_test.go
new file mode 100644
index 00000000..c172562b
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/master/set_test.go
@@ -0,0 +1,63 @@
+package main
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+	"time"
+)
+
+func generateInput(inputLen int) []string {
+	var input []string
+	for i := 0; i < inputLen; i++ {
+		input = append(input, fmt.Sprintf("s%d", i))
+	}
+
+	return input
+}
+
+func testChunkStrings(t *testing.T, inputLen, numChunks int) {
+	t.Logf("inputLen=%d, numChunks=%d", inputLen, numChunks)
+	input := generateInput(inputLen)
+	result := chunkStrings(input, numChunks)
+	t.Logf("result has %d chunks", len(result))
+	var inputReconstructedFromResult []string
+	for i, chunk := range result {
+		t.Logf("chunk %d has %d elements", i, len(chunk))
+		inputReconstructedFromResult = append(inputReconstructedFromResult, chunk...)
+	}
+	if !reflect.DeepEqual(input, inputReconstructedFromResult) {
+		t.Fatal("input != inputReconstructedFromResult")
+	}
+}
+
+func TestChunkStrings_4_4(t *testing.T) {
+	testChunkStrings(t, 4, 4)
+}
+
+func TestChunkStrings_4_1(t *testing.T) {
+	testChunkStrings(t, 4, 1)
+}
+
+func TestChunkStrings_1_4(t *testing.T) {
+	testChunkStrings(t, 1, 4)
+}
+
+func TestChunkStrings_1000_8(t *testing.T) {
+	testChunkStrings(t, 1000, 8)
+}
+
+func TestChunkStrings_1000_9(t *testing.T) {
+	testChunkStrings(t, 1000, 9)
+}
+
+func testShuffleStrings(t *testing.T, inputLen int, seed int64) {
+	t.Logf("inputLen=%d, seed=%d", inputLen, seed)
+	x := generateInput(inputLen)
+	shuffleStrings(x, seed)
+	t.Logf("shuffled: %v", x)
+}
+
+func TestShuffleStrings_100(t *testing.T) {
+	testShuffleStrings(t, 100, time.Now().UnixNano())
+}
diff --git a/engine/hack/integration-cli-on-swarm/agent/types/types.go b/engine/hack/integration-cli-on-swarm/agent/types/types.go
new file mode 100644
index 00000000..fc598f03
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/types/types.go
@@ -0,0 +1,18 @@
+package types
+
+// Args is the type for funker args
+type Args struct {
+	// ChunkID is an unique number of the chunk
+	ChunkID int `json:"chunk_id"`
+	// Tests is the set of the strings that are passed as `-check.f` filters
+	Tests []string `json:"tests"`
+}
+
+// Result is the type for funker result
+type Result struct {
+	// ChunkID corresponds to Args.ChunkID
+	ChunkID int `json:"chunk_id"`
+	// Code is the exit code
+	Code   int    `json:"code"`
+	RawLog string `json:"raw_log"`
+}
diff --git a/engine/hack/integration-cli-on-swarm/agent/vendor.conf b/engine/hack/integration-cli-on-swarm/agent/vendor.conf
new file mode 100644
index 00000000..efd6d6d0
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/vendor.conf
@@ -0,0 +1,2 @@
+# dependencies specific to worker (i.e. github.com/docker/docker/...) are not vendored here
+github.com/bfirsh/funker-go eaa0a2e06f30e72c9a0b7f858951e581e26ef773
diff --git a/engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/LICENSE b/engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/LICENSE
new file mode 100644
index 00000000..75191a4d
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2016 Docker, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/call.go b/engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/call.go
new file mode 100644
index 00000000..ac0338d2
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/call.go
@@ -0,0 +1,50 @@
+package funker
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"net"
+	"time"
+)
+
+// Call a Funker function
+func Call(name string, args interface{}) (interface{}, error) {
+	argsJSON, err := json.Marshal(args)
+	if err != nil {
+		return nil, err
+	}
+
+	addr, err := net.ResolveTCPAddr("tcp", name+":9999")
+	if err != nil {
+		return nil, err
+	}
+
+	conn, err := net.DialTCP("tcp", nil, addr)
+	if err != nil {
+		return nil, err
+	}
+	// Keepalive is a workaround for docker/docker#29655 .
+	// The implementation of FIN_WAIT2 seems weird on Swarm-mode.
+	// It seems always refuseing any packet after 60 seconds.
+	//
+	// TODO: remove this workaround if the issue gets resolved on the Docker side
+	if err := conn.SetKeepAlive(true); err != nil {
+		return nil, err
+	}
+	if err := conn.SetKeepAlivePeriod(30 * time.Second); err != nil {
+		return nil, err
+	}
+	if _, err = conn.Write(argsJSON); err != nil {
+		return nil, err
+	}
+	if err = conn.CloseWrite(); err != nil {
+		return nil, err
+	}
+	retJSON, err := ioutil.ReadAll(conn)
+	if err != nil {
+		return nil, err
+	}
+	var ret interface{}
+	err = json.Unmarshal(retJSON, &ret)
+	return ret, err
+}
diff --git a/engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/handle.go b/engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/handle.go
new file mode 100644
index 00000000..89878994
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/vendor/github.com/bfirsh/funker-go/handle.go
@@ -0,0 +1,54 @@
+package funker
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"reflect"
+)
+
+// Handle a Funker function.
+func Handle(handler interface{}) error {
+	handlerValue := reflect.ValueOf(handler)
+	handlerType := handlerValue.Type()
+	if handlerType.Kind() != reflect.Func || handlerType.NumIn() != 1 || handlerType.NumOut() != 1 {
+		return fmt.Errorf("Handler must be a function with a single parameter and single return value.")
+	}
+	argsValue := reflect.New(handlerType.In(0))
+
+	listener, err := net.Listen("tcp", ":9999")
+	if err != nil {
+		return err
+	}
+	conn, err := listener.Accept()
+	if err != nil {
+		return err
+	}
+	// We close listener, because we only allow single request.
+	// Note that TCP "backlog" cannot be used for that purpose.
+	// http://www.perlmonks.org/?node_id=940662
+	if err = listener.Close(); err != nil {
+		return err
+	}
+	argsJSON, err := ioutil.ReadAll(conn)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(argsJSON, argsValue.Interface())
+	if err != nil {
+		return err
+	}
+
+	ret := handlerValue.Call([]reflect.Value{argsValue.Elem()})[0].Interface()
+	retJSON, err := json.Marshal(ret)
+	if err != nil {
+		return err
+	}
+
+	if _, err = conn.Write(retJSON); err != nil {
+		return err
+	}
+
+	return conn.Close()
+}
diff --git a/engine/hack/integration-cli-on-swarm/agent/worker/executor.go b/engine/hack/integration-cli-on-swarm/agent/worker/executor.go
new file mode 100644
index 00000000..eef80d46
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/worker/executor.go
@@ -0,0 +1,118 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/stdcopy"
+)
+
+// testChunkExecutor executes integration-cli binary.
+// image needs to be the worker image itself. testFlags are OR-set of regexp for filtering tests.
+type testChunkExecutor func(image string, tests []string) (int64, string, error)
+
+func dryTestChunkExecutor() testChunkExecutor {
+	return func(image string, tests []string) (int64, string, error) {
+		return 0, fmt.Sprintf("DRY RUN (image=%q, tests=%v)", image, tests), nil
+	}
+}
+
+// privilegedTestChunkExecutor invokes a privileged container from the worker
+// service via bind-mounted API socket so as to execute the test chunk
+func privilegedTestChunkExecutor(autoRemove bool) testChunkExecutor {
+	return func(image string, tests []string) (int64, string, error) {
+		cli, err := client.NewEnvClient()
+		if err != nil {
+			return 0, "", err
+		}
+		// propagate variables from the host (needs to be defined in the compose file)
+		experimental := os.Getenv("DOCKER_EXPERIMENTAL")
+		graphdriver := os.Getenv("DOCKER_GRAPHDRIVER")
+		if graphdriver == "" {
+			info, err := cli.Info(context.Background())
+			if err != nil {
+				return 0, "", err
+			}
+			graphdriver = info.Driver
+		}
+		// `daemon_dest` is similar to `$DEST` (e.g. `bundles/VERSION/test-integration`)
+		// but it exists outside of `bundles` so as to make `$DOCKER_GRAPHDRIVER` work.
+		//
+		// Without this hack, `$DOCKER_GRAPHDRIVER` fails because of (e.g.) `overlay2 is not supported over overlayfs`
+		//
+		// see integration-cli/daemon/daemon.go
+		daemonDest := "/daemon_dest"
+		config := container.Config{
+			Image: image,
+			Env: []string{
+				"TESTFLAGS=-check.f " + strings.Join(tests, "|"),
+				"KEEPBUNDLE=1",
+				"DOCKER_INTEGRATION_TESTS_VERIFIED=1", // for avoiding rebuilding integration-cli
+				"DOCKER_EXPERIMENTAL=" + experimental,
+				"DOCKER_GRAPHDRIVER=" + graphdriver,
+				"DOCKER_INTEGRATION_DAEMON_DEST=" + daemonDest,
+			},
+			Labels: map[string]string{
+				"org.dockerproject.integration-cli-on-swarm":         "",
+				"org.dockerproject.integration-cli-on-swarm.comment": "this non-service container is created for running privileged programs on Swarm. you can remove this container manually if the corresponding service is already stopped.",
+			},
+			Entrypoint: []string{"hack/dind"},
+			Cmd:        []string{"hack/make.sh", "test-integration"},
+		}
+		hostConfig := container.HostConfig{
+			AutoRemove: autoRemove,
+			Privileged: true,
+			Mounts: []mount.Mount{
+				{
+					Type:   mount.TypeVolume,
+					Target: daemonDest,
+				},
+			},
+		}
+		id, stream, err := runContainer(context.Background(), cli, config, hostConfig)
+		if err != nil {
+			return 0, "", err
+		}
+		var b bytes.Buffer
+		teeContainerStream(&b, os.Stdout, os.Stderr, stream)
+		resultC, errC := cli.ContainerWait(context.Background(), id, "")
+		select {
+		case err := <-errC:
+			return 0, "", err
+		case result := <-resultC:
+			return result.StatusCode, b.String(), nil
+		}
+	}
+}
+
+func runContainer(ctx context.Context, cli *client.Client, config container.Config, hostConfig container.HostConfig) (string, io.ReadCloser, error) {
+	created, err := cli.ContainerCreate(context.Background(),
+		&config, &hostConfig, nil, "")
+	if err != nil {
+		return "", nil, err
+	}
+	if err = cli.ContainerStart(ctx, created.ID, types.ContainerStartOptions{}); err != nil {
+		return "", nil, err
+	}
+	stream, err := cli.ContainerLogs(ctx,
+		created.ID,
+		types.ContainerLogsOptions{
+			ShowStdout: true,
+			ShowStderr: true,
+			Follow:     true,
+		})
+	return created.ID, stream, err
+}
+
+func teeContainerStream(w, stdout, stderr io.Writer, stream io.ReadCloser) {
+	stdcopy.StdCopy(io.MultiWriter(w, stdout), io.MultiWriter(w, stderr), stream)
+	stream.Close()
+}
diff --git a/engine/hack/integration-cli-on-swarm/agent/worker/worker.go b/engine/hack/integration-cli-on-swarm/agent/worker/worker.go
new file mode 100644
index 00000000..ea8bb3fe
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/agent/worker/worker.go
@@ -0,0 +1,69 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/bfirsh/funker-go"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/hack/integration-cli-on-swarm/agent/types"
+)
+
+func main() {
+	if err := xmain(); err != nil {
+		log.Fatalf("fatal error: %v", err)
+	}
+}
+
+func validImageDigest(s string) bool {
+	return reference.DigestRegexp.FindString(s) != ""
+}
+
+func xmain() error {
+	workerImageDigest := flag.String("worker-image-digest", "", "Needs to be the digest of this worker image itself")
+	dryRun := flag.Bool("dry-run", false, "Dry run")
+	keepExecutor := flag.Bool("keep-executor", false, "Do not auto-remove executor containers, which is used for running privileged programs on Swarm")
+	flag.Parse()
+	if !validImageDigest(*workerImageDigest) {
+		// Because of issue #29582.
+		// `docker service create localregistry.example.com/blahblah:latest` pulls the image data to local, but not a tag.
+		// So, `docker run localregistry.example.com/blahblah:latest` fails: `Unable to find image 'localregistry.example.com/blahblah:latest' locally`
+		return fmt.Errorf("worker-image-digest must be a digest, got %q", *workerImageDigest)
+	}
+	executor := privilegedTestChunkExecutor(!*keepExecutor)
+	if *dryRun {
+		executor = dryTestChunkExecutor()
+	}
+	return handle(*workerImageDigest, executor)
+}
+
+func handle(workerImageDigest string, executor testChunkExecutor) error {
+	log.Printf("Waiting for a funker request")
+	return funker.Handle(func(args *types.Args) types.Result {
+		log.Printf("Executing chunk %d, contains %d test filters",
+			args.ChunkID, len(args.Tests))
+		begin := time.Now()
+		code, rawLog, err := executor(workerImageDigest, args.Tests)
+		if err != nil {
+			log.Printf("Error while executing chunk %d: %v", args.ChunkID, err)
+			if code == 0 {
+				// Make sure this is a failure
+				code = 1
+			}
+			return types.Result{
+				ChunkID: args.ChunkID,
+				Code:    int(code),
+				RawLog:  rawLog,
+			}
+		}
+		elapsed := time.Since(begin)
+		log.Printf("Finished chunk %d, code=%d, elapsed=%v", args.ChunkID, code, elapsed)
+		return types.Result{
+			ChunkID: args.ChunkID,
+			Code:    int(code),
+			RawLog:  rawLog,
+		}
+	})
+}
diff --git a/engine/hack/integration-cli-on-swarm/host/compose.go b/engine/hack/integration-cli-on-swarm/host/compose.go
new file mode 100644
index 00000000..a92282a1
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/host/compose.go
@@ -0,0 +1,122 @@
+package main
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"text/template"
+
+	"github.com/docker/docker/client"
+)
+
+const composeTemplate = `# generated by integration-cli-on-swarm
+version: "3"
+
+services:
+  worker:
+    image: "{{.WorkerImage}}"
+    command: ["-worker-image-digest={{.WorkerImageDigest}}", "-dry-run={{.DryRun}}", "-keep-executor={{.KeepExecutor}}"]
+    networks:
+      - net
+    volumes:
+# Bind-mount the API socket so that we can invoke "docker run --privileged" within the service containers
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - DOCKER_GRAPHDRIVER={{.EnvDockerGraphDriver}}
+      - DOCKER_EXPERIMENTAL={{.EnvDockerExperimental}}
+    deploy:
+      mode: replicated
+      replicas: {{.Replicas}}
+      restart_policy:
+# The restart condition needs to be any for funker function
+        condition: any
+
+  master:
+    image: "{{.MasterImage}}"
+    command: ["-worker-service=worker", "-input=/mnt/input", "-chunks={{.Chunks}}", "-shuffle={{.Shuffle}}", "-rand-seed={{.RandSeed}}"]
+    networks:
+      - net
+    volumes:
+      - {{.Volume}}:/mnt
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      placement:
+# Make sure the master can access the volume
+        constraints: [node.id == {{.SelfNodeID}}]
+
+networks:
+  net:
+
+volumes:
+  {{.Volume}}:
+    external: true
+`
+
+type composeOptions struct {
+	Replicas     int
+	Chunks       int
+	MasterImage  string
+	WorkerImage  string
+	Volume       string
+	Shuffle      bool
+	RandSeed     int64
+	DryRun       bool
+	KeepExecutor bool
+}
+
+type composeTemplateOptions struct {
+	composeOptions
+	WorkerImageDigest     string
+	SelfNodeID            string
+	EnvDockerGraphDriver  string
+	EnvDockerExperimental string
+}
+
+// createCompose creates "dir/docker-compose.yml".
+// If dir is empty, TempDir() is used.
+func createCompose(dir string, cli *client.Client, opts composeOptions) (string, error) {
+	if dir == "" {
+		var err error
+		dir, err = ioutil.TempDir("", "integration-cli-on-swarm-")
+		if err != nil {
+			return "", err
+		}
+	}
+	resolved := composeTemplateOptions{}
+	resolved.composeOptions = opts
+	workerImageInspect, _, err := cli.ImageInspectWithRaw(context.Background(), defaultWorkerImageName)
+	if err != nil {
+		return "", err
+	}
+	if len(workerImageInspect.RepoDigests) > 0 {
+		resolved.WorkerImageDigest = workerImageInspect.RepoDigests[0]
+	} else {
+		// fall back for non-pushed image
+		resolved.WorkerImageDigest = workerImageInspect.ID
+	}
+	info, err := cli.Info(context.Background())
+	if err != nil {
+		return "", err
+	}
+	resolved.SelfNodeID = info.Swarm.NodeID
+	resolved.EnvDockerGraphDriver = os.Getenv("DOCKER_GRAPHDRIVER")
+	resolved.EnvDockerExperimental = os.Getenv("DOCKER_EXPERIMENTAL")
+	composeFilePath := filepath.Join(dir, "docker-compose.yml")
+	tmpl, err := template.New("").Parse(composeTemplate)
+	if err != nil {
+		return "", err
+	}
+	f, err := os.Create(composeFilePath)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	if err = tmpl.Execute(f, resolved); err != nil {
+		return "", err
+	}
+	return composeFilePath, nil
+}
diff --git a/engine/hack/integration-cli-on-swarm/host/dockercmd.go b/engine/hack/integration-cli-on-swarm/host/dockercmd.go
new file mode 100644
index 00000000..c08b763a
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/host/dockercmd.go
@@ -0,0 +1,64 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/client"
+)
+
+func system(commands [][]string) error {
+	for _, c := range commands {
+		cmd := exec.Command(c[0], c[1:]...)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		cmd.Env = os.Environ()
+		if err := cmd.Run(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func pushImage(unusedCli *client.Client, remote, local string) error {
+	// FIXME: eliminate os/exec (but it is hard to pass auth without os/exec ...)
+	return system([][]string{
+		{"docker", "image", "tag", local, remote},
+		{"docker", "image", "push", remote},
+	})
+}
+
+func deployStack(unusedCli *client.Client, stackName, composeFilePath string) error {
+	// FIXME: eliminate os/exec (but stack is implemented in CLI ...)
+	return system([][]string{
+		{"docker", "stack", "deploy",
+			"--compose-file", composeFilePath,
+			"--with-registry-auth",
+			stackName},
+	})
+}
+
+func hasStack(unusedCli *client.Client, stackName string) bool {
+	// FIXME: eliminate os/exec (but stack is implemented in CLI ...)
+	out, err := exec.Command("docker", "stack", "ls").CombinedOutput()
+	if err != nil {
+		panic(fmt.Errorf("`docker stack ls` failed with: %s", string(out)))
+	}
+	// FIXME: not accurate
+	return strings.Contains(string(out), stackName)
+}
+
+func removeStack(unusedCli *client.Client, stackName string) error {
+	// FIXME: eliminate os/exec (but stack is implemented in CLI ...)
+	if err := system([][]string{
+		{"docker", "stack", "rm", stackName},
+	}); err != nil {
+		return err
+	}
+	// FIXME
+	time.Sleep(10 * time.Second)
+	return nil
+}
diff --git a/engine/hack/integration-cli-on-swarm/host/enumerate.go b/engine/hack/integration-cli-on-swarm/host/enumerate.go
new file mode 100644
index 00000000..3354c23c
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/host/enumerate.go
@@ -0,0 +1,55 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"regexp"
+)
+
+var testFuncRegexp *regexp.Regexp
+
+func init() {
+	testFuncRegexp = regexp.MustCompile(`(?m)^\s*func\s+\(\w*\s*\*(\w+Suite)\)\s+(Test\w+)`)
+}
+
+func enumerateTestsForBytes(b []byte) ([]string, error) {
+	var tests []string
+	submatches := testFuncRegexp.FindAllSubmatch(b, -1)
+	for _, submatch := range submatches {
+		if len(submatch) == 3 {
+			tests = append(tests, fmt.Sprintf("%s.%s$", submatch[1], submatch[2]))
+		}
+	}
+	return tests, nil
+}
+
+// enumerateTests enumerates valid `-check.f` strings for all the test functions.
+// Note that we use regexp rather than parsing Go files for performance reason.
+// (Try `TESTFLAGS=-check.list make test-integration` to see the slowness of parsing)
+// The files needs to be `gofmt`-ed
+//
+// The result will be as follows, but unsorted ('$' is appended because they are regexp for `-check.f`):
+//  "DockerAuthzSuite.TestAuthZPluginAPIDenyResponse$"
+//  "DockerAuthzSuite.TestAuthZPluginAllowEventStream$"
+//  ...
+//  "DockerTrustedSwarmSuite.TestTrustedServiceUpdate$"
+func enumerateTests(wd string) ([]string, error) {
+	testGoFiles, err := filepath.Glob(filepath.Join(wd, "integration-cli", "*_test.go"))
+	if err != nil {
+		return nil, err
+	}
+	var allTests []string
+	for _, testGoFile := range testGoFiles {
+		b, err := ioutil.ReadFile(testGoFile)
+		if err != nil {
+			return nil, err
+		}
+		tests, err := enumerateTestsForBytes(b)
+		if err != nil {
+			return nil, err
+		}
+		allTests = append(allTests, tests...)
+	}
+	return allTests, nil
+}
diff --git a/engine/hack/integration-cli-on-swarm/host/enumerate_test.go b/engine/hack/integration-cli-on-swarm/host/enumerate_test.go
new file mode 100644
index 00000000..d6049ae5
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/host/enumerate_test.go
@@ -0,0 +1,84 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"reflect"
+	"sort"
+	"strings"
+	"testing"
+)
+
+func getRepoTopDir(t *testing.T) string {
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatal(err)
+	}
+	wd = filepath.Clean(wd)
+	suffix := "hack/integration-cli-on-swarm/host"
+	if !strings.HasSuffix(wd, suffix) {
+		t.Skipf("cwd seems strange (needs to have suffix %s): %v", suffix, wd)
+	}
+	return filepath.Clean(filepath.Join(wd, "../../.."))
+}
+
+func TestEnumerateTests(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping in short mode")
+	}
+	tests, err := enumerateTests(getRepoTopDir(t))
+	if err != nil {
+		t.Fatal(err)
+	}
+	sort.Strings(tests)
+	t.Logf("enumerated %d test filter strings:", len(tests))
+	for _, s := range tests {
+		t.Logf("- %q", s)
+	}
+}
+
+func TestEnumerateTestsForBytes(t *testing.T) {
+	b := []byte(`package main
+import (
+	"github.com/go-check/check"
+)
+
+func (s *FooSuite) TestA(c *check.C) {
+}
+
+func (s *FooSuite) TestAAA(c *check.C) {
+}
+
+func (s *BarSuite) TestBar(c *check.C) {
+}
+
+func (x *FooSuite) TestC(c *check.C) {
+}
+
+func (*FooSuite) TestD(c *check.C) {
+}
+
+// should not be counted
+func (s *FooSuite) testE(c *check.C) {
+}
+
+// counted, although we don't support ungofmt file
+  func   (s *FooSuite)    TestF  (c   *check.C){}
+`)
+	expected := []string{
+		"FooSuite.TestA$",
+		"FooSuite.TestAAA$",
+		"BarSuite.TestBar$",
+		"FooSuite.TestC$",
+		"FooSuite.TestD$",
+		"FooSuite.TestF$",
+	}
+
+	actual, err := enumerateTestsForBytes(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !reflect.DeepEqual(expected, actual) {
+		t.Fatalf("expected %q, got %q", expected, actual)
+	}
+}
diff --git a/engine/hack/integration-cli-on-swarm/host/host.go b/engine/hack/integration-cli-on-swarm/host/host.go
new file mode 100644
index 00000000..fdc2a83e
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/host/host.go
@@ -0,0 +1,198 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	defaultStackName       = "integration-cli-on-swarm"
+	defaultVolumeName      = "integration-cli-on-swarm"
+	defaultMasterImageName = "integration-cli-master"
+	defaultWorkerImageName = "integration-cli-worker"
+)
+
+func main() {
+	rc, err := xmain()
+	if err != nil {
+		logrus.Fatalf("fatal error: %v", err)
+	}
+	os.Exit(rc)
+}
+
+func xmain() (int, error) {
+	// Should we use cobra maybe?
+	replicas := flag.Int("replicas", 1, "Number of worker service replica")
+	chunks := flag.Int("chunks", 0, "Number of test chunks executed in batch (0 == replicas)")
+	pushWorkerImage := flag.String("push-worker-image", "", "Push the worker image to the registry. Required for distributed execution. (empty == not to push)")
+	shuffle := flag.Bool("shuffle", false, "Shuffle the input so as to mitigate makespan nonuniformity")
+	// flags below are rarely used
+	randSeed := flag.Int64("rand-seed", int64(0), "Random seed used for shuffling (0 == current time)")
+	filtersFile := flag.String("filters-file", "", "Path to optional file composed of `-check.f` filter strings")
+	dryRun := flag.Bool("dry-run", false, "Dry run")
+	keepExecutor := flag.Bool("keep-executor", false, "Do not auto-remove executor containers, which is used for running privileged programs on Swarm")
+	flag.Parse()
+	if *chunks == 0 {
+		*chunks = *replicas
+	}
+	if *randSeed == int64(0) {
+		*randSeed = time.Now().UnixNano()
+	}
+	cli, err := client.NewEnvClient()
+	if err != nil {
+		return 1, err
+	}
+	if hasStack(cli, defaultStackName) {
+		logrus.Infof("Removing stack %s", defaultStackName)
+		removeStack(cli, defaultStackName)
+	}
+	if hasVolume(cli, defaultVolumeName) {
+		logrus.Infof("Removing volume %s", defaultVolumeName)
+		removeVolume(cli, defaultVolumeName)
+	}
+	if err = ensureImages(cli, []string{defaultWorkerImageName, defaultMasterImageName}); err != nil {
+		return 1, err
+	}
+	workerImageForStack := defaultWorkerImageName
+	if *pushWorkerImage != "" {
+		logrus.Infof("Pushing %s to %s", defaultWorkerImageName, *pushWorkerImage)
+		if err = pushImage(cli, *pushWorkerImage, defaultWorkerImageName); err != nil {
+			return 1, err
+		}
+		workerImageForStack = *pushWorkerImage
+	}
+	compose, err := createCompose("", cli, composeOptions{
+		Replicas:     *replicas,
+		Chunks:       *chunks,
+		MasterImage:  defaultMasterImageName,
+		WorkerImage:  workerImageForStack,
+		Volume:       defaultVolumeName,
+		Shuffle:      *shuffle,
+		RandSeed:     *randSeed,
+		DryRun:       *dryRun,
+		KeepExecutor: *keepExecutor,
+	})
+	if err != nil {
+		return 1, err
+	}
+	filters, err := filtersBytes(*filtersFile)
+	if err != nil {
+		return 1, err
+	}
+	logrus.Infof("Creating volume %s with input data", defaultVolumeName)
+	if err = createVolumeWithData(cli,
+		defaultVolumeName,
+		map[string][]byte{"/input": filters},
+		defaultMasterImageName); err != nil {
+		return 1, err
+	}
+	logrus.Infof("Deploying stack %s from %s", defaultStackName, compose)
+	defer func() {
+		logrus.Infof("NOTE: You may want to inspect or clean up following resources:")
+		logrus.Infof(" - Stack: %s", defaultStackName)
+		logrus.Infof(" - Volume: %s", defaultVolumeName)
+		logrus.Infof(" - Compose file: %s", compose)
+		logrus.Infof(" - Master image: %s", defaultMasterImageName)
+		logrus.Infof(" - Worker image: %s", workerImageForStack)
+	}()
+	if err = deployStack(cli, defaultStackName, compose); err != nil {
+		return 1, err
+	}
+	logrus.Infof("The log will be displayed here after some duration."+
+		"You can watch the live status via `docker service logs %s_worker`",
+		defaultStackName)
+	masterContainerID, err := waitForMasterUp(cli, defaultStackName)
+	if err != nil {
+		return 1, err
+	}
+	rc, err := waitForContainerCompletion(cli, os.Stdout, os.Stderr, masterContainerID)
+	if err != nil {
+		return 1, err
+	}
+	logrus.Infof("Exit status: %d", rc)
+	return int(rc), nil
+}
+
+func ensureImages(cli *client.Client, images []string) error {
+	for _, image := range images {
+		_, _, err := cli.ImageInspectWithRaw(context.Background(), image)
+		if err != nil {
+			return fmt.Errorf("could not find image %s, please run `make build-integration-cli-on-swarm`: %v",
+				image, err)
+		}
+	}
+	return nil
+}
+
+func filtersBytes(optionalFiltersFile string) ([]byte, error) {
+	var b []byte
+	if optionalFiltersFile == "" {
+		tests, err := enumerateTests(".")
+		if err != nil {
+			return b, err
+		}
+		b = []byte(strings.Join(tests, "\n") + "\n")
+	} else {
+		var err error
+		b, err = ioutil.ReadFile(optionalFiltersFile)
+		if err != nil {
+			return b, err
+		}
+	}
+	return b, nil
+}
+
+func waitForMasterUp(cli *client.Client, stackName string) (string, error) {
+	// FIXME(AkihiroSuda): it should retry until master is up, rather than pre-sleeping
+	time.Sleep(10 * time.Second)
+
+	fil := filters.NewArgs()
+	fil.Add("label", "com.docker.stack.namespace="+stackName)
+	// FIXME(AkihiroSuda): we should not rely on internal service naming convention
+	fil.Add("label", "com.docker.swarm.service.name="+stackName+"_master")
+	masters, err := cli.ContainerList(context.Background(), types.ContainerListOptions{
+		All:     true,
+		Filters: fil,
+	})
+	if err != nil {
+		return "", err
+	}
+	if len(masters) == 0 {
+		return "", fmt.Errorf("master not running in stack %s?", stackName)
+	}
+	return masters[0].ID, nil
+}
+
+func waitForContainerCompletion(cli *client.Client, stdout, stderr io.Writer, containerID string) (int64, error) {
+	stream, err := cli.ContainerLogs(context.Background(),
+		containerID,
+		types.ContainerLogsOptions{
+			ShowStdout: true,
+			ShowStderr: true,
+			Follow:     true,
+		})
+	if err != nil {
+		return 1, err
+	}
+	stdcopy.StdCopy(stdout, stderr, stream)
+	stream.Close()
+	resultC, errC := cli.ContainerWait(context.Background(), containerID, "")
+	select {
+	case err := <-errC:
+		return 1, err
+	case result := <-resultC:
+		return result.StatusCode, nil
+	}
+}
diff --git a/engine/hack/integration-cli-on-swarm/host/volume.go b/engine/hack/integration-cli-on-swarm/host/volume.go
new file mode 100644
index 00000000..a6ddc6fa
--- /dev/null
+++ b/engine/hack/integration-cli-on-swarm/host/volume.go
@@ -0,0 +1,88 @@
+package main
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"io"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/volume"
+	"github.com/docker/docker/client"
+)
+
+func createTar(data map[string][]byte) (io.Reader, error) {
+	var b bytes.Buffer
+	tw := tar.NewWriter(&b)
+	for path, datum := range data {
+		hdr := tar.Header{
+			Name: path,
+			Mode: 0644,
+			Size: int64(len(datum)),
+		}
+		if err := tw.WriteHeader(&hdr); err != nil {
+			return nil, err
+		}
+		_, err := tw.Write(datum)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if err := tw.Close(); err != nil {
+		return nil, err
+	}
+	return &b, nil
+}
+
+// createVolumeWithData creates a volume with the given data (e.g. data["/foo"] = []byte("bar"))
+// Internally, a container is created from the image so as to provision the data to the volume,
+// which is attached to the container.
+func createVolumeWithData(cli *client.Client, volumeName string, data map[string][]byte, image string) error {
+	_, err := cli.VolumeCreate(context.Background(),
+		volume.VolumeCreateBody{
+			Driver: "local",
+			Name:   volumeName,
+		})
+	if err != nil {
+		return err
+	}
+	mnt := "/mnt"
+	miniContainer, err := cli.ContainerCreate(context.Background(),
+		&container.Config{
+			Image: image,
+		},
+		&container.HostConfig{
+			Mounts: []mount.Mount{
+				{
+					Type:   mount.TypeVolume,
+					Source: volumeName,
+					Target: mnt,
+				},
+			},
+		}, nil, "")
+	if err != nil {
+		return err
+	}
+	tr, err := createTar(data)
+	if err != nil {
+		return err
+	}
+	if cli.CopyToContainer(context.Background(),
+		miniContainer.ID, mnt, tr, types.CopyToContainerOptions{}); err != nil {
+		return err
+	}
+	return cli.ContainerRemove(context.Background(),
+		miniContainer.ID,
+		types.ContainerRemoveOptions{})
+}
+
+func hasVolume(cli *client.Client, volumeName string) bool {
+	_, err := cli.VolumeInspect(context.Background(), volumeName)
+	return err == nil
+}
+
+func removeVolume(cli *client.Client, volumeName string) error {
+	return cli.VolumeRemove(context.Background(), volumeName, true)
+}
diff --git a/engine/hack/make.ps1 b/engine/hack/make.ps1
new file mode 100644
index 00000000..e1e91e52
--- /dev/null
+++ b/engine/hack/make.ps1
@@ -0,0 +1,457 @@
+<#
+.NOTES
+    Author:  @jhowardmsft
+
+    Summary: Windows native build script. This is similar to functionality provided
+             by hack\make.sh, but uses native Windows PowerShell semantics. It does
+             not support the full set of options provided by the Linux counterpart.
+             For example:
+
+             - You can't cross-build Linux docker binaries on Windows
+             - Hashes aren't generated on binaries
+             - 'Releasing' isn't supported.
+             - Integration tests. This is because they currently cannot run inside a container,
+               and require significant external setup.
+
+             It does however provided the minimum necessary to support parts of local Windows
+             development and Windows to Windows CI.
+
+             Usage Examples (run from repo root):
+                "hack\make.ps1 -Client" to build docker.exe client 64-bit binary (remote repo)
+                "hack\make.ps1 -TestUnit" to run unit tests
+                "hack\make.ps1 -Daemon -TestUnit" to build the daemon and run unit tests
+                "hack\make.ps1 -All" to run everything this script knows about that can run in a container
+                "hack\make.ps1" to build the daemon binary (same as -Daemon)
+                "hack\make.ps1 -Binary" shortcut to -Client and -Daemon
+
+.PARAMETER Client
+     Builds the client binaries.
+
+.PARAMETER Daemon
+     Builds the daemon binary.
+
+.PARAMETER Binary
+     Builds the client and daemon binaries. A convenient shortcut to `make.ps1 -Client -Daemon`.
+
+.PARAMETER Race
+     Use -race in go build and go test.
+
+.PARAMETER Noisy
+     Use -v in go build.
+
+.PARAMETER ForceBuildAll
+     Use -a in go build.
+
+.PARAMETER NoOpt
+     Use -gcflags -N -l in go build to disable optimisation (can aide debugging).
+
+.PARAMETER CommitSuffix
+     Adds a custom string to be appended to the commit ID (spaces are stripped).
+
+.PARAMETER DCO
+     Runs the DCO (Developer Certificate Of Origin) test (must be run outside a container).
+
+.PARAMETER PkgImports
+     Runs the pkg\ directory imports test (must be run outside a container).
+
+.PARAMETER GoFormat
+     Runs the Go formatting test (must be run outside a container).
+
+.PARAMETER TestUnit
+     Runs unit tests.
+
+.PARAMETER All
+     Runs everything this script knows about that can run in a container.
+
+
+TODO
+- Unify the head commit
+- Add golint and other checks (swagger maybe?)
+
+#>
+
+
+param(
+    [Parameter(Mandatory=$False)][switch]$Client,
+    [Parameter(Mandatory=$False)][switch]$Daemon,
+    [Parameter(Mandatory=$False)][switch]$Binary,
+    [Parameter(Mandatory=$False)][switch]$Race,
+    [Parameter(Mandatory=$False)][switch]$Noisy,
+    [Parameter(Mandatory=$False)][switch]$ForceBuildAll,
+    [Parameter(Mandatory=$False)][switch]$NoOpt,
+    [Parameter(Mandatory=$False)][string]$CommitSuffix="",
+    [Parameter(Mandatory=$False)][switch]$DCO,
+    [Parameter(Mandatory=$False)][switch]$PkgImports,
+    [Parameter(Mandatory=$False)][switch]$GoFormat,
+    [Parameter(Mandatory=$False)][switch]$TestUnit,
+    [Parameter(Mandatory=$False)][switch]$All
+)
+
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+$pushed=$False  # To restore the directory if we have temporarily pushed to one.
+
+# Utility function to get the commit ID of the repository
+Function Get-GitCommit() {
+    if (-not (Test-Path ".\.git")) {
+        # If we don't have a .git directory, but we do have the environment
+        # variable DOCKER_GITCOMMIT set, that can override it.
+        if ($env:DOCKER_GITCOMMIT.Length -eq 0) {
+            Throw ".git directory missing and DOCKER_GITCOMMIT environment variable not specified."
+        }
+        Write-Host "INFO: Git commit ($env:DOCKER_GITCOMMIT) assumed from DOCKER_GITCOMMIT environment variable"
+        return $env:DOCKER_GITCOMMIT
+    }
+    $gitCommit=$(git rev-parse --short HEAD)
+    if ($(git status --porcelain --untracked-files=no).Length -ne 0) {
+        $gitCommit="$gitCommit-unsupported"
+        Write-Host ""
+        Write-Warning "This version is unsupported because there are uncommitted file(s)."
+        Write-Warning "Either commit these changes, or add them to .gitignore."
+        git status --porcelain --untracked-files=no | Write-Warning
+        Write-Host ""
+    }
+    return $gitCommit
+}
+
+# Utility function to determine if we are running in a container or not.
+# In Windows, we get this through an environment variable set in `Dockerfile.Windows`
+Function Check-InContainer() {
+    if ($env:FROM_DOCKERFILE.Length -eq 0) {
+        Write-Host ""
+        Write-Warning "Not running in a container. The result might be an incorrect build."
+        Write-Host ""
+        return $False
+    }
+    return $True
+}
+
+# Utility function to warn if the version of go is correct. Used for local builds
+# outside of a container where it may be out of date with master.
+Function Verify-GoVersion() {
+    Try {
+        $goVersionDockerfile=(Get-Content ".\Dockerfile" | Select-String "ENV GO_VERSION").ToString().Split(" ")[2]
+        $goVersionInstalled=(go version).ToString().Split(" ")[2].SubString(2)
+    }
+    Catch [Exception] {
+        Throw "Failed to validate go version correctness: $_"
+    }
+    if (-not($goVersionInstalled -eq $goVersionDockerfile)) {
+        Write-Host ""
+        Write-Warning "Building with golang version $goVersionInstalled. You should update to $goVersionDockerfile"
+        Write-Host ""
+    }
+}
+
+# Utility function to get the commit for HEAD
+Function Get-HeadCommit() {
+    $head = Invoke-Expression "git rev-parse --verify HEAD"
+    if ($LASTEXITCODE -ne 0) { Throw "Failed getting HEAD commit" }
+
+    return $head
+}
+
+# Utility function to get the commit for upstream
+Function Get-UpstreamCommit() {
+    Invoke-Expression "git fetch -q https://github.com/docker/docker.git refs/heads/master"
+    if ($LASTEXITCODE -ne 0) { Throw "Failed fetching" }
+
+    $upstream = Invoke-Expression "git rev-parse --verify FETCH_HEAD"
+    if ($LASTEXITCODE -ne 0) { Throw "Failed getting upstream commit" }
+
+    return $upstream
+}
+
+# Build a binary (client or daemon)
+Function Execute-Build($type, $additionalBuildTags, $directory) {
+    # Generate the build flags
+    $buildTags = "autogen"
+    if ($Noisy)                     { $verboseParm=" -v" }
+    if ($Race)                      { Write-Warning "Using race detector"; $raceParm=" -race"}
+    if ($ForceBuildAll)             { $allParm=" -a" }
+    if ($NoOpt)                     { $optParm=" -gcflags "+""""+"-N -l"+"""" }
+    if ($additionalBuildTags -ne "") { $buildTags += $(" " + $additionalBuildTags) }
+
+    # Do the go build in the appropriate directory
+    # Note -linkmode=internal is required to be able to debug on Windows.
+    # https://github.com/golang/go/issues/14319#issuecomment-189576638
+    Write-Host "INFO: Building $type..."
+    Push-Location $root\cmd\$directory; $global:pushed=$True
+    $buildCommand = "go build" + `
+                    $raceParm + `
+                    $verboseParm + `
+                    $allParm + `
+                    $optParm + `
+                    " -tags """ + $buildTags + """" + `
+                    " -ldflags """ + "-linkmode=internal" + """" + `
+                    " -o $root\bundles\"+$directory+".exe"
+    Invoke-Expression $buildCommand
+    if ($LASTEXITCODE -ne 0) { Throw "Failed to compile $type" }
+    Pop-Location; $global:pushed=$False
+}
+
+
+# Validates the DCO marker is present on each commit
+Function Validate-DCO($headCommit, $upstreamCommit) {
+    Write-Host "INFO: Validating Developer Certificate of Origin..."
+    # Username may only contain alphanumeric characters or dashes and cannot begin with a dash
+    $usernameRegex='[a-zA-Z0-9][a-zA-Z0-9-]+'
+
+    $dcoPrefix="Signed-off-by:"
+    $dcoRegex="^(Docker-DCO-1.1-)?$dcoPrefix ([^<]+) <([^<>@]+@[^<>]+)>( \(github: ($usernameRegex)\))?$"
+
+    $counts = Invoke-Expression "git diff --numstat $upstreamCommit...$headCommit"
+    if ($LASTEXITCODE -ne 0) { Throw "Failed git diff --numstat" }
+
+    # Counts of adds and deletes after removing multiple white spaces. AWK anyone? :(
+    $adds=0; $dels=0; $($counts -replace '\s+', ' ') | %{ 
+        $a=$_.Split(" "); 
+        if ($a[0] -ne "-") { $adds+=[int]$a[0] }
+        if ($a[1] -ne "-") { $dels+=[int]$a[1] }
+    }
+    if (($adds -eq 0) -and ($dels -eq 0)) { 
+        Write-Warning "DCO validation - nothing to validate!"
+        return
+    }
+
+    $commits = Invoke-Expression "git log  $upstreamCommit..$headCommit --format=format:%H%n"
+    if ($LASTEXITCODE -ne 0) { Throw "Failed git log --format" }
+    $commits = $($commits -split '\s+' -match '\S')
+    $badCommits=@()
+    $commits | %{
+        # Skip commits with no content such as merge commits etc
+        if ($(git log -1 --format=format: --name-status $_).Length -gt 0) {
+            # Ignore exit code on next call - always process regardless
+            $commitMessage = Invoke-Expression "git log -1 --format=format:%B --name-status $_"
+            if (($commitMessage -match $dcoRegex).Length -eq 0) { $badCommits+=$_ }
+        }
+    }
+    if ($badCommits.Length -eq 0) {
+        Write-Host "Congratulations!  All commits are properly signed with the DCO!"
+    } else {
+        $e = "`nThese commits do not have a proper '$dcoPrefix' marker:`n"
+        $badCommits | %{ $e+=" - $_`n"}
+        $e += "`nPlease amend each commit to include a properly formatted DCO marker.`n`n"
+        $e += "Visit the following URL for information about the Docker DCO:`n"
+        $e += "https://github.com/docker/docker/blob/master/CONTRIBUTING.md#sign-your-work`n"
+        Throw $e
+    }
+}
+
+# Validates that .\pkg\... is safely isolated from internal code
+Function Validate-PkgImports($headCommit, $upstreamCommit) {
+    Write-Host "INFO: Validating pkg import isolation..."
+
+    # Get a list of go source-code files which have changed under pkg\. Ignore exit code on next call - always process regardless
+    $files=@(); $files = Invoke-Expression "git diff $upstreamCommit...$headCommit --diff-filter=ACMR --name-only -- `'pkg\*.go`'"
+    $badFiles=@(); $files | %{
+        $file=$_
+        # For the current changed file, get its list of dependencies, sorted and uniqued.
+        $imports = Invoke-Expression "go list -e -f `'{{ .Deps }}`' $file"
+        if ($LASTEXITCODE -ne 0) { Throw "Failed go list for dependencies on $file" }
+        $imports = $imports -Replace "\[" -Replace "\]", "" -Split(" ") | Sort-Object | Get-Unique
+        # Filter out what we are looking for
+        $imports = @() + $imports -NotMatch "^github.com/docker/docker/pkg/" `
+                                  -NotMatch "^github.com/docker/docker/vendor" `
+                                  -Match "^github.com/docker/docker" `
+                                  -Replace "`n", ""
+        $imports | % { $badFiles+="$file imports $_`n" }
+    }
+    if ($badFiles.Length -eq 0) {
+        Write-Host 'Congratulations!  ".\pkg\*.go" is safely isolated from internal code.'
+    } else {
+        $e = "`nThese files import internal code: (either directly or indirectly)`n"
+        $badFiles | %{ $e+=" - $_"}
+        Throw $e
+    }
+}
+
+# Validates that changed files are correctly go-formatted
+Function Validate-GoFormat($headCommit, $upstreamCommit) {
+    Write-Host "INFO: Validating go formatting on changed files..."
+
+    # Verify gofmt is installed
+    if ($(Get-Command gofmt -ErrorAction SilentlyContinue) -eq $nil) { Throw "gofmt does not appear to be installed" }
+
+    # Get a list of all go source-code files which have changed.  Ignore exit code on next call - always process regardless
+    $files=@(); $files = Invoke-Expression "git diff $upstreamCommit...$headCommit --diff-filter=ACMR --name-only -- `'*.go`'"
+    $files = $files | Select-String -NotMatch "^vendor/"
+    $badFiles=@(); $files | %{
+        # Deliberately ignore error on next line - treat as failed
+        $content=Invoke-Expression "git show $headCommit`:$_"
+
+        # Next set of hoops are to ensure we have LF not CRLF semantics as otherwise gofmt on Windows will not succeed.
+        # Also note that gofmt on Windows does not appear to support stdin piping correctly. Hence go through a temporary file.
+        $content=$content -join "`n"
+        $content+="`n"
+        $outputFile=[System.IO.Path]::GetTempFileName()
+        if (Test-Path $outputFile) { Remove-Item $outputFile }
+        [System.IO.File]::WriteAllText($outputFile, $content, (New-Object System.Text.UTF8Encoding($False)))
+        $currentFile = $_ -Replace("/","\")
+        Write-Host Checking $currentFile
+        Invoke-Expression "gofmt -s -l $outputFile"
+        if ($LASTEXITCODE -ne 0) { $badFiles+=$currentFile }
+        if (Test-Path $outputFile) { Remove-Item $outputFile }
+    }
+    if ($badFiles.Length -eq 0) {
+        Write-Host 'Congratulations!  All Go source files are properly formatted.'
+    } else {
+        $e = "`nThese files are not properly gofmt`'d:`n"
+        $badFiles | %{ $e+=" - $_`n"}
+        $e+= "`nPlease reformat the above files using `"gofmt -s -w`" and commit the result."
+        Throw $e
+    }
+}
+
+# Run the unit tests
+Function Run-UnitTests() {
+    Write-Host "INFO: Running unit tests..."
+    $testPath="./..."
+    $goListCommand = "go list -e -f '{{if ne .Name """ + '\"github.com/docker/docker\"' + """}}{{.ImportPath}}{{end}}' $testPath"
+    $pkgList = $(Invoke-Expression $goListCommand)
+    if ($LASTEXITCODE -ne 0) { Throw "go list for unit tests failed" }
+    $pkgList = $pkgList | Select-String -Pattern "github.com/docker/docker"
+    $pkgList = $pkgList | Select-String -NotMatch "github.com/docker/docker/vendor"
+    $pkgList = $pkgList | Select-String -NotMatch "github.com/docker/docker/man"
+    $pkgList = $pkgList | Select-String -NotMatch "github.com/docker/docker/integration"
+    $pkgList = $pkgList -replace "`r`n", " "
+    $goTestCommand = "go test" + $raceParm + " -cover -ldflags -w -tags """ + "autogen daemon" + """ -a """ + "-test.timeout=10m" + """ $pkgList"
+    Invoke-Expression $goTestCommand
+    if ($LASTEXITCODE -ne 0) { Throw "Unit tests failed" }
+}
+
+# Start of main code.
+Try {
+    Write-Host -ForegroundColor Cyan "INFO: make.ps1 starting at $(Get-Date)"
+
+    # Get to the root of the repo
+    $root = $(Split-Path $MyInvocation.MyCommand.Definition -Parent | Split-Path -Parent)
+    Push-Location $root
+
+    # Handle the "-All" shortcut to turn on all things we can handle.
+    # Note we expressly only include the items which can run in a container - the validations tests cannot
+    # as they require the .git directory which is excluded from the image by .dockerignore
+    if ($All) { $Client=$True; $Daemon=$True; $TestUnit=$True }
+
+    # Handle the "-Binary" shortcut to build both client and daemon.
+    if ($Binary) { $Client = $True; $Daemon = $True }
+
+    # Default to building the daemon if not asked for anything explicitly.
+    if (-not($Client) -and -not($Daemon) -and -not($DCO) -and -not($PkgImports) -and -not($GoFormat) -and -not($TestUnit)) { $Daemon=$True }
+
+    # Verify git is installed
+    if ($(Get-Command git -ErrorAction SilentlyContinue) -eq $nil) { Throw "Git does not appear to be installed" }
+
+    # Verify go is installed
+    if ($(Get-Command go -ErrorAction SilentlyContinue) -eq $nil) { Throw "GoLang does not appear to be installed" }
+
+    # Get the git commit. This will also verify if we are in a repo or not. Then add a custom string if supplied.
+    $gitCommit=Get-GitCommit
+    if ($CommitSuffix -ne "") { $gitCommit += "-"+$CommitSuffix -Replace ' ', '' }
+
+    # Get the version of docker (eg 17.04.0-dev)
+    $dockerVersion="0.0.0-dev"
+
+    # Give a warning if we are not running in a container and are building binaries or running unit tests.
+    # Not relevant for validation tests as these are fine to run outside of a container.
+    if ($Client -or $Daemon -or $TestUnit) { $inContainer=Check-InContainer }
+
+    # If we are not in a container, validate the version of GO that is installed.
+    if (-not $inContainer) { Verify-GoVersion }
+
+    # Verify GOPATH is set
+    if ($env:GOPATH.Length -eq 0) { Throw "Missing GOPATH environment variable. See https://golang.org/doc/code.html#GOPATH" }
+
+    # Run autogen if building binaries or running unit tests.
+    if ($Client -or $Daemon -or $TestUnit) {
+        Write-Host "INFO: Invoking autogen..."
+        Try { .\hack\make\.go-autogen.ps1 -CommitString $gitCommit -DockerVersion $dockerVersion -Platform "$env:PLATFORM" -Product "$env:PRODUCT" }
+        Catch [Exception] { Throw $_ }
+    }
+
+    # DCO, Package import and Go formatting tests.
+    if ($DCO -or $PkgImports -or $GoFormat) {
+        # We need the head and upstream commits for these
+        $headCommit=Get-HeadCommit
+        $upstreamCommit=Get-UpstreamCommit
+
+        # Run DCO validation
+        if ($DCO) { Validate-DCO $headCommit $upstreamCommit }
+
+        # Run `gofmt` validation
+        if ($GoFormat) { Validate-GoFormat $headCommit $upstreamCommit }
+
+        # Run pkg isolation validation
+        if ($PkgImports) { Validate-PkgImports $headCommit $upstreamCommit }
+    }
+
+    # Build the binaries
+    if ($Client -or $Daemon) {
+        # Create the bundles directory if it doesn't exist
+        if (-not (Test-Path ".\bundles")) { New-Item ".\bundles" -ItemType Directory | Out-Null }
+
+        # Perform the actual build
+        if ($Daemon) { Execute-Build "daemon" "daemon" "dockerd" }
+        if ($Client) {
+            # Get the Docker channel and version from the environment, or use the defaults.
+            if (-not ($channel = $env:DOCKERCLI_CHANNEL)) { $channel = "edge" }
+            if (-not ($version = $env:DOCKERCLI_VERSION)) { $version = "17.06.0-ce" }
+
+            # Download the zip file and extract the client executable.
+            Write-Host "INFO: Downloading docker/cli version $version from $channel..."
+            $url = "https://download.docker.com/win/static/$channel/x86_64/docker-$version.zip"
+            Invoke-WebRequest $url -OutFile "docker.zip"
+            Try {
+                Add-Type -AssemblyName System.IO.Compression.FileSystem
+                $zip = [System.IO.Compression.ZipFile]::OpenRead("$PWD\docker.zip")
+                Try {
+                    if (-not ($entry = $zip.Entries | Where-Object { $_.Name -eq "docker.exe" })) {
+                        Throw "Cannot find docker.exe in $url"
+                    }
+                    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, "$PWD\bundles\docker.exe", $true)
+                }
+                Finally {
+                    $zip.Dispose()
+                }
+            }
+            Finally {
+                Remove-Item -Force "docker.zip"
+            }
+        }
+    }
+
+    # Run unit tests
+    if ($TestUnit) { Run-UnitTests }
+
+    # Gratuitous ASCII art.
+    if ($Daemon -or $Client) {
+        Write-Host
+        Write-Host -ForegroundColor Green " ________   ____  __."
+        Write-Host -ForegroundColor Green " \_____  \ `|    `|/ _`|"
+        Write-Host -ForegroundColor Green " /   `|   \`|      `<"
+        Write-Host -ForegroundColor Green " /    `|    \    `|  \"
+        Write-Host -ForegroundColor Green " \_______  /____`|__ \"
+        Write-Host -ForegroundColor Green "         \/        \/"
+        Write-Host
+    }
+}
+Catch [Exception] {
+    Write-Host -ForegroundColor Red ("`nERROR: make.ps1 failed:`n$_")
+
+    # More gratuitous ASCII art.
+    Write-Host
+    Write-Host -ForegroundColor Red  "___________      .__.__             .___"
+    Write-Host -ForegroundColor Red  "\_   _____/____  `|__`|  `|   ____   __`| _/"
+    Write-Host -ForegroundColor Red  " `|    __) \__  \ `|  `|  `| _/ __ \ / __ `| "
+    Write-Host -ForegroundColor Red  " `|     \   / __ \`|  `|  `|_\  ___// /_/ `| "
+    Write-Host -ForegroundColor Red  " \___  /  (____  /__`|____/\___  `>____ `| "
+    Write-Host -ForegroundColor Red  "     \/        \/             \/     \/ "
+    Write-Host
+
+    Throw $_
+}
+Finally {
+    Pop-Location # As we pushed to the root of the repo as the very first thing
+    if ($global:pushed) { Pop-Location }
+    Write-Host -ForegroundColor Cyan "INFO: make.ps1 ended at $(Get-Date)"
+}
diff --git a/engine/hack/make.sh b/engine/hack/make.sh
new file mode 100755
index 00000000..cd9232a4
--- /dev/null
+++ b/engine/hack/make.sh
@@ -0,0 +1,224 @@
+#!/usr/bin/env bash
+set -e
+
+# This script builds various binary artifacts from a checkout of the docker
+# source code.
+#
+# Requirements:
+# - The current directory should be a checkout of the docker source code
+#   (https://github.com/docker/docker). Whatever version is checked out
+#   will be built.
+# - The VERSION file, at the root of the repository, should exist, and
+#   will be used as Docker binary version and package version.
+# - The hash of the git commit will also be included in the Docker binary,
+#   with the suffix -unsupported if the repository isn't clean.
+# - The script is intended to be run inside the docker container specified
+#   in the Dockerfile at the root of the source. In other words:
+#   DO NOT CALL THIS SCRIPT DIRECTLY.
+# - The right way to call this script is to invoke "make" from
+#   your checkout of the Docker repository.
+#   the Makefile will do a "docker build -t docker ." and then
+#   "docker run hack/make.sh" in the resulting image.
+#
+
+set -o pipefail
+
+export DOCKER_PKG='github.com/docker/docker'
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+export MAKEDIR="$SCRIPTDIR/make"
+export PKG_CONFIG=${PKG_CONFIG:-pkg-config}
+
+# We're a nice, sexy, little shell script, and people might try to run us;
+# but really, they shouldn't. We want to be in a container!
+inContainer="AssumeSoInitially"
+if [ "$(go env GOHOSTOS)" = 'windows' ]; then
+	if [ -z "$FROM_DOCKERFILE" ]; then
+		unset inContainer
+	fi
+else
+	if [ "$PWD" != "/go/src/$DOCKER_PKG" ]; then
+		unset inContainer
+	fi
+fi
+
+if [ -z "$inContainer" ]; then
+	{
+		echo "# WARNING! I don't seem to be running in a Docker container."
+		echo "# The result of this command might be an incorrect build, and will not be"
+		echo "# officially supported."
+		echo "#"
+		echo "# Try this instead: make all"
+		echo "#"
+	} >&2
+fi
+
+echo
+
+# List of bundles to create when no argument is passed
+DEFAULT_BUNDLES=(
+	binary-daemon
+	dynbinary
+
+	test-integration
+	test-docker-py
+
+	cross
+)
+
+VERSION=${VERSION:-dev}
+! BUILDTIME=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
+if [ "$DOCKER_GITCOMMIT" ]; then
+	GITCOMMIT="$DOCKER_GITCOMMIT"
+elif command -v git &> /dev/null && [ -e .git ] && git rev-parse &> /dev/null; then
+	GITCOMMIT=$(git rev-parse --short HEAD)
+	if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
+		GITCOMMIT="$GITCOMMIT-unsupported"
+		echo "#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+		echo "# GITCOMMIT = $GITCOMMIT"
+		echo "# The version you are building is listed as unsupported because"
+		echo "# there are some files in the git repository that are in an uncommitted state."
+		echo "# Commit these changes, or add to .gitignore to remove the -unsupported from the version."
+		echo "# Here is the current list:"
+		git status --porcelain --untracked-files=no
+		echo "#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
+	fi
+else
+	echo >&2 'error: .git directory missing and DOCKER_GITCOMMIT not specified'
+	echo >&2 '  Please either build with the .git directory accessible, or specify the'
+	echo >&2 '  exact (--short) commit hash you are building using DOCKER_GITCOMMIT for'
+	echo >&2 '  future accountability in diagnosing build issues.  Thanks!'
+	exit 1
+fi
+
+if [ "$AUTO_GOPATH" ]; then
+	rm -rf .gopath
+	mkdir -p .gopath/src/"$(dirname "${DOCKER_PKG}")"
+	ln -sf ../../../.. .gopath/src/"${DOCKER_PKG}"
+	export GOPATH="${PWD}/.gopath"
+fi
+
+if [ ! "$GOPATH" ]; then
+	echo >&2 'error: missing GOPATH; please see https://golang.org/doc/code.html#GOPATH'
+	echo >&2 '  alternatively, set AUTO_GOPATH=1'
+	exit 1
+fi
+
+# Adds $1_$2 to DOCKER_BUILDTAGS unless it already
+# contains a word starting from $1_
+add_buildtag() {
+	[[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2"
+}
+
+if ${PKG_CONFIG} 'libsystemd >= 209' 2> /dev/null ; then
+	DOCKER_BUILDTAGS+=" journald"
+elif ${PKG_CONFIG} 'libsystemd-journal' 2> /dev/null ; then
+	DOCKER_BUILDTAGS+=" journald journald_compat"
+fi
+
+# test whether "btrfs/version.h" exists and apply btrfs_noversion appropriately
+if \
+	command -v gcc &> /dev/null \
+	&& ! gcc -E - -o /dev/null &> /dev/null <<<'#include <btrfs/version.h>' \
+; then
+	DOCKER_BUILDTAGS+=' btrfs_noversion'
+fi
+
+# test whether "libdevmapper.h" is new enough to support deferred remove
+# functionality. We favour libdm_dlsym_deferred_remove over
+# libdm_no_deferred_remove in dynamic cases because the binary could be shipped
+# with a newer libdevmapper than the one it was built wih.
+if \
+	command -v gcc &> /dev/null \
+	&& ! ( echo -e  '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \
+; then
+	add_buildtag libdm dlsym_deferred_remove
+fi
+
+# Use these flags when compiling the tests and final binary
+
+IAMSTATIC='true'
+if [ -z "$DOCKER_DEBUG" ]; then
+	LDFLAGS='-w'
+fi
+
+LDFLAGS_STATIC=''
+EXTLDFLAGS_STATIC='-static'
+# ORIG_BUILDFLAGS is necessary for the cross target which cannot always build
+# with options like -race.
+ORIG_BUILDFLAGS=( -tags "autogen netgo static_build $DOCKER_BUILDTAGS" -installsuffix netgo )
+# see https://github.com/golang/go/issues/9369#issuecomment-69864440 for why -installsuffix is necessary here
+
+# When $DOCKER_INCREMENTAL_BINARY is set in the environment, enable incremental
+# builds by installing dependent packages to the GOPATH.
+REBUILD_FLAG="-a"
+if [ "$DOCKER_INCREMENTAL_BINARY" == "1" ] || [ "$DOCKER_INCREMENTAL_BINARY" == "true" ]; then
+	REBUILD_FLAG="-i"
+fi
+ORIG_BUILDFLAGS+=( $REBUILD_FLAG )
+
+BUILDFLAGS=( $BUILDFLAGS "${ORIG_BUILDFLAGS[@]}" )
+
+# Test timeout.
+if [ "${DOCKER_ENGINE_GOARCH}" == "arm64" ] || [ "${DOCKER_ENGINE_GOARCH}" == "arm" ]; then
+	: ${TIMEOUT:=10m}
+elif [ "${DOCKER_ENGINE_GOARCH}" == "windows" ]; then
+	: ${TIMEOUT:=8m}
+else
+	: ${TIMEOUT:=5m}
+fi
+
+LDFLAGS_STATIC_DOCKER="
+	$LDFLAGS_STATIC
+	-extldflags \"$EXTLDFLAGS_STATIC\"
+"
+
+if [ "$(uname -s)" = 'FreeBSD' ]; then
+	# Tell cgo the compiler is Clang, not GCC
+	# https://code.google.com/p/go/source/browse/src/cmd/cgo/gcc.go?spec=svne77e74371f2340ee08622ce602e9f7b15f29d8d3&r=e6794866ebeba2bf8818b9261b54e2eef1c9e588#752
+	export CC=clang
+
+	# "-extld clang" is a workaround for
+	# https://code.google.com/p/go/issues/detail?id=6845
+	LDFLAGS="$LDFLAGS -extld clang"
+fi
+
+bundle() {
+	local bundle="$1"; shift
+	echo "---> Making bundle: $(basename "$bundle") (in $DEST)"
+	source "$SCRIPTDIR/make/$bundle" "$@"
+}
+
+main() {
+	if [ -z "${KEEPBUNDLE-}" ]; then
+		echo "Removing bundles/"
+		rm -rf "bundles/*"
+		echo
+	fi
+	mkdir -p bundles
+
+	# Windows and symlinks don't get along well
+	if [ "$(go env GOHOSTOS)" != 'windows' ]; then
+		rm -f bundles/latest
+		# preserve latest symlink for backward compatibility
+		ln -sf . bundles/latest
+	fi
+
+	if [ $# -lt 1 ]; then
+		bundles=(${DEFAULT_BUNDLES[@]})
+	else
+		bundles=($@)
+	fi
+	for bundle in ${bundles[@]}; do
+		export DEST="bundles/$(basename "$bundle")"
+		# Cygdrive paths don't play well with go build -o.
+		if [[ "$(uname -s)" == CYGWIN* ]]; then
+			export DEST="$(cygpath -mw "$DEST")"
+		fi
+		mkdir -p "$DEST"
+		ABS_DEST="$(cd "$DEST" && pwd -P)"
+		bundle "$bundle"
+		echo
+	done
+}
+
+main "$@"
diff --git a/engine/hack/make/.binary b/engine/hack/make/.binary
new file mode 100644
index 00000000..9375926d
--- /dev/null
+++ b/engine/hack/make/.binary
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+set -e
+
+# a helper to provide ".exe" when it's appropriate
+binary_extension() {
+	if [ "$(go env GOOS)" = 'windows' ]; then
+		echo -n '.exe'
+	fi
+}
+
+GO_PACKAGE='github.com/docker/docker/cmd/dockerd'
+BINARY_SHORT_NAME='dockerd'
+BINARY_NAME="$BINARY_SHORT_NAME-$VERSION"
+BINARY_EXTENSION="$(binary_extension)"
+BINARY_FULLNAME="$BINARY_NAME$BINARY_EXTENSION"
+
+source "${MAKEDIR}/.go-autogen"
+
+hash_files() {
+	while [ $# -gt 0 ]; do
+		f="$1"
+		shift
+		dir="$(dirname "$f")"
+		base="$(basename "$f")"
+		for hashAlgo in md5 sha256; do
+			if command -v "${hashAlgo}sum" &> /dev/null; then
+				(
+					# subshell and cd so that we get output files like:
+					#   $HASH docker-$VERSION
+					# instead of:
+					#   $HASH /go/src/github.com/.../$VERSION/binary/docker-$VERSION
+					cd "$dir"
+					"${hashAlgo}sum" "$base" > "$base.$hashAlgo"
+				)
+			fi
+		done
+	done
+}
+
+(
+export GOGC=${DOCKER_BUILD_GOGC:-1000}
+
+if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARCH)" ]; then
+	# must be cross-compiling!
+	case "$(go env GOOS)/$(go env GOARCH)" in
+		windows/amd64)
+			export CC=x86_64-w64-mingw32-gcc
+			export CGO_ENABLED=1
+			;;
+	esac
+fi
+
+# -buildmode=pie is not supported on Windows.
+if [ "$(go env GOOS)" != "windows" ]; then
+	BUILDFLAGS+=( "-buildmode=pie" )
+fi
+
+echo "Building: $DEST/$BINARY_FULLNAME"
+go build \
+	-o "$DEST/$BINARY_FULLNAME" \
+	"${BUILDFLAGS[@]}" \
+	-ldflags "
+		$LDFLAGS
+		$LDFLAGS_STATIC_DOCKER
+		$DOCKER_LDFLAGS
+	" \
+	$GO_PACKAGE
+)
+
+echo "Created binary: $DEST/$BINARY_FULLNAME"
+ln -sf "$BINARY_FULLNAME" "$DEST/$BINARY_SHORT_NAME$BINARY_EXTENSION"
+
+hash_files "$DEST/$BINARY_FULLNAME"
diff --git a/engine/hack/make/.binary-setup b/engine/hack/make/.binary-setup
new file mode 100644
index 00000000..15de89fe
--- /dev/null
+++ b/engine/hack/make/.binary-setup
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+DOCKER_DAEMON_BINARY_NAME='dockerd'
+DOCKER_RUNC_BINARY_NAME='docker-runc'
+DOCKER_CONTAINERD_BINARY_NAME='docker-containerd'
+DOCKER_CONTAINERD_CTR_BINARY_NAME='docker-containerd-ctr'
+DOCKER_CONTAINERD_SHIM_BINARY_NAME='docker-containerd-shim'
+DOCKER_PROXY_BINARY_NAME='docker-proxy'
+DOCKER_INIT_BINARY_NAME='docker-init'
diff --git a/engine/hack/make/.detect-daemon-osarch b/engine/hack/make/.detect-daemon-osarch
new file mode 100644
index 00000000..91e2c53c
--- /dev/null
+++ b/engine/hack/make/.detect-daemon-osarch
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -e
+
+docker-version-osarch() {
+	if ! type docker &>/dev/null; then
+		# docker is not installed
+		return
+	fi
+	local target="$1" # "Client" or "Server"
+	local fmtStr="{{.${target}.Os}}/{{.${target}.Arch}}"
+	if docker version -f "$fmtStr" 2>/dev/null; then
+		# if "docker version -f" works, let's just use that!
+		return
+	fi
+	docker version | awk '
+		$1 ~ /^(Client|Server):$/ { section = 0 }
+		$1 == "'"$target"':" { section = 1; next }
+		section && $1 == "OS/Arch:" { print $2 }
+
+		# old versions of Docker
+		$1 == "OS/Arch" && $2 == "('"${target,,}"'):" { print $3 }
+	'
+}
+
+# Retrieve OS/ARCH of docker daemon, e.g. linux/amd64
+export DOCKER_ENGINE_OSARCH="${DOCKER_ENGINE_OSARCH:=$(docker-version-osarch 'Server')}"
+export DOCKER_ENGINE_GOOS="${DOCKER_ENGINE_OSARCH%/*}"
+export DOCKER_ENGINE_GOARCH="${DOCKER_ENGINE_OSARCH##*/}"
+DOCKER_ENGINE_GOARCH=${DOCKER_ENGINE_GOARCH:=amd64}
+
+# and the client, just in case
+export DOCKER_CLIENT_OSARCH="$(docker-version-osarch 'Client')"
+export DOCKER_CLIENT_GOOS="${DOCKER_CLIENT_OSARCH%/*}"
+export DOCKER_CLIENT_GOARCH="${DOCKER_CLIENT_OSARCH##*/}"
+DOCKER_CLIENT_GOARCH=${DOCKER_CLIENT_GOARCH:=amd64}
+
+DOCKERFILE='Dockerfile'
+
+if [ "${DOCKER_ENGINE_GOOS:-$DOCKER_CLIENT_GOOS}" = "windows" ]; then
+	DOCKERFILE='Dockerfile.windows'
+fi
+
+export DOCKERFILE
diff --git a/engine/hack/make/.ensure-emptyfs b/engine/hack/make/.ensure-emptyfs
new file mode 100644
index 00000000..898cc228
--- /dev/null
+++ b/engine/hack/make/.ensure-emptyfs
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -e
+
+if ! docker image inspect emptyfs > /dev/null; then
+	# build a "docker save" tarball for "emptyfs"
+	# see https://github.com/docker/docker/pull/5262
+	# and also https://github.com/docker/docker/issues/4242
+	dir="$DEST/emptyfs"
+	uuid=511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158
+	mkdir -p "$dir/$uuid"
+	(
+		echo '{"emptyfs":{"latest":"511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158"}}' > "$dir/repositories"
+		cd "$dir/$uuid"
+		echo '{"id":"511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158","comment":"Imported from -","created":"2013-06-13T14:03:50.821769-07:00","container_config":{"Hostname":"","Domainname":"","User":"","Memory":0,"MemorySwap":0,"CpuShares":0,"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"PortSpecs":null,"ExposedPorts":null,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"NetworkDisabled":false,"OnBuild":null},"docker_version":"0.4.0","architecture":"x86_64","Size":0}' > json
+		echo '1.0' > VERSION
+		tar -cf layer.tar --files-from /dev/null
+	)
+	(
+		[ -n "$TESTDEBUG" ] && set -x
+		tar -cC "$dir" . | docker load
+	)
+	rm -rf "$dir"
+fi
diff --git a/engine/hack/make/.go-autogen b/engine/hack/make/.go-autogen
new file mode 100644
index 00000000..342f5ec9
--- /dev/null
+++ b/engine/hack/make/.go-autogen
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+
+rm -rf autogen
+
+source hack/dockerfile/install/runc.installer
+source hack/dockerfile/install/tini.installer
+source hack/dockerfile/install/containerd.installer
+
+cat > dockerversion/version_autogen.go <<DVEOF
+// +build autogen
+
+// Package dockerversion is auto-generated at build-time
+package dockerversion
+
+// Default build-time variable for library-import.
+// This file is overridden on build with build-time informations.
+const (
+	GitCommit          string = "$GITCOMMIT"
+	Version            string = "$VERSION"
+	BuildTime          string = "$BUILDTIME"
+	IAmStatic          string = "${IAMSTATIC:-true}"
+	ContainerdCommitID string = "${CONTAINERD_COMMIT}"
+	PlatformName       string = "${PLATFORM}"
+	ProductName        string = "${PRODUCT}"
+)
+
+// AUTOGENERATED FILE; see /go/src/github.com/docker/docker/hack/make/.go-autogen
+DVEOF
+
+cat > dockerversion/version_autogen_unix.go <<DVEOF
+// +build autogen,!windows
+
+// Package dockerversion is auto-generated at build-time
+package dockerversion
+
+// Default build-time variable for library-import.
+// This file is overridden on build with build-time informations.
+const (
+	RuncCommitID string = "${RUNC_COMMIT}"
+	InitCommitID string = "${TINI_COMMIT}"
+)
+
+// AUTOGENERATED FILE; see /go/src/github.com/docker/docker/hack/make/.go-autogen
+DVEOF
+
+# Compile the Windows resources into the sources
+if [ "$(go env GOOS)" = "windows" ]; then
+	mkdir -p autogen/winresources/tmp autogen/winresources/docker autogen/winresources/dockerd
+	cp hack/make/.resources-windows/resources.go autogen/winresources/docker/
+	cp hack/make/.resources-windows/resources.go autogen/winresources/dockerd/
+
+	if [ "$(go env GOHOSTOS)" == "windows" ]; then
+		WINDRES=windres
+		WINDMC=windmc
+	else
+		# Cross compiling
+		WINDRES=x86_64-w64-mingw32-windres
+		WINDMC=x86_64-w64-mingw32-windmc
+	fi
+
+	# Generate a Windows file version of the form major,minor,patch,build (with any part optional)
+	VERSION_QUAD=$(echo -n $VERSION | sed -re 's/^([0-9.]*).*$/\1/' | tr . ,)
+
+	# Pass version and commit information into the resource compiler
+	defs=
+	[ ! -z $VERSION ]      && defs="$defs -D DOCKER_VERSION=\"$VERSION\""
+	[ ! -z $VERSION_QUAD ] && defs="$defs -D DOCKER_VERSION_QUAD=$VERSION_QUAD"
+	[ ! -z $GITCOMMIT ]    && defs="$defs -D DOCKER_COMMIT=\"$GITCOMMIT\""
+
+	function makeres {
+		$WINDRES \
+			-i hack/make/.resources-windows/$1 \
+			-o $3 \
+			-F $2 \
+			--use-temp-file \
+			-I autogen/winresources/tmp \
+			$defs
+	}
+
+	$WINDMC \
+		hack/make/.resources-windows/event_messages.mc \
+		-h autogen/winresources/tmp \
+		-r autogen/winresources/tmp
+
+	makeres docker.rc pe-x86-64 autogen/winresources/docker/rsrc_amd64.syso
+	makeres docker.rc pe-i386 autogen/winresources/docker/rsrc_386.syso
+	makeres dockerd.rc pe-x86-64 autogen/winresources/dockerd/rsrc_amd64.syso
+
+	rm -r autogen/winresources/tmp
+fi
diff --git a/engine/hack/make/.go-autogen.ps1 b/engine/hack/make/.go-autogen.ps1
new file mode 100644
index 00000000..98686e13
--- /dev/null
+++ b/engine/hack/make/.go-autogen.ps1
@@ -0,0 +1,95 @@
+<#
+.NOTES
+    Author:  @jhowardmsft
+
+    Summary: Windows native version of .go-autogen which generates the
+             .go source code for building, and performs resource compilation.
+
+.PARAMETER CommitString
+     The commit string. This is calculated externally to this script.
+
+.PARAMETER DockerVersion
+     The version such as 17.04.0-dev. This is calculated externally to this script.
+#>
+
+param(
+    [Parameter(Mandatory=$true)][string]$CommitString,
+    [Parameter(Mandatory=$true)][string]$DockerVersion,
+    [Parameter(Mandatory=$false)][string]$Platform,
+    [Parameter(Mandatory=$false)][string]$Product
+)
+
+$ErrorActionPreference = "Stop"
+
+# Utility function to get the build date/time in UTC
+Function Get-BuildDateTime() {
+    return $(Get-Date).ToUniversalTime()
+}
+
+try {
+    $buildDateTime=Get-BuildDateTime
+
+    if (Test-Path ".\autogen") {
+        Remove-Item ".\autogen" -Recurse -Force | Out-Null
+    }
+
+    $fileContents = '
+// +build autogen
+
+// Package dockerversion is auto-generated at build-time
+package dockerversion
+
+// Default build-time variable for library-import.
+// This file is overridden on build with build-time informations.
+const (
+    GitCommit          string = "'+$CommitString+'"
+    Version            string = "'+$DockerVersion+'"
+    BuildTime          string = "'+$buildDateTime+'"
+    PlatformName       string = "'+$Platform+'"
+    ProductName        string = "'+$Product+'"
+)
+
+// AUTOGENERATED FILE; see hack\make\.go-autogen.ps1
+'
+
+    # Write the file without BOM
+    $outputFile="$(pwd)\dockerversion\version_autogen.go"
+    if (Test-Path $outputFile) { Remove-Item $outputFile }
+    [System.IO.File]::WriteAllText($outputFile, $fileContents, (New-Object System.Text.UTF8Encoding($False)))
+
+    New-Item -ItemType Directory -Path "autogen\winresources\tmp" | Out-Null
+    New-Item -ItemType Directory -Path "autogen\winresources\docker" | Out-Null
+    New-Item -ItemType Directory -Path "autogen\winresources\dockerd" | Out-Null
+    Copy-Item "hack\make\.resources-windows\resources.go" "autogen\winresources\docker"
+    Copy-Item "hack\make\.resources-windows\resources.go" "autogen\winresources\dockerd"
+
+    # Generate a version in the form major,minor,patch,build
+    $versionQuad=$DockerVersion -replace "[^0-9.]*" -replace "\.", ","
+
+    # Compile the messages
+    windmc hack\make\.resources-windows\event_messages.mc -h autogen\winresources\tmp -r autogen\winresources\tmp
+    if ($LASTEXITCODE -ne 0) { Throw "Failed to compile event message resources" }
+
+    # If you really want to understand this madness below, search the Internet for powershell variables after verbatim arguments... Needed to get double-quotes passed through to the compiler options.
+    # Generate the .syso files containing all the resources and manifest needed to compile the final docker binaries. Both 32 and 64-bit clients.
+    $env:_ag_dockerVersion=$DockerVersion
+    $env:_ag_gitCommit=$CommitString
+
+    windres -i hack/make/.resources-windows/docker.rc  -o autogen/winresources/docker/rsrc_amd64.syso  -F pe-x86-64 --use-temp-file -I autogen/winresources/tmp -D DOCKER_VERSION_QUAD=$versionQuad --% -D DOCKER_VERSION=\"%_ag_dockerVersion%\" -D DOCKER_COMMIT=\"%_ag_gitCommit%\"
+    if ($LASTEXITCODE -ne 0) { Throw "Failed to compile client 64-bit resources" }
+
+    windres -i hack/make/.resources-windows/docker.rc  -o autogen/winresources/docker/rsrc_386.syso    -F pe-i386   --use-temp-file -I autogen/winresources/tmp -D DOCKER_VERSION_QUAD=$versionQuad --% -D DOCKER_VERSION=\"%_ag_dockerVersion%\" -D DOCKER_COMMIT=\"%_ag_gitCommit%\"
+    if ($LASTEXITCODE -ne 0) { Throw "Failed to compile client 32-bit resources" }
+
+    windres -i hack/make/.resources-windows/dockerd.rc -o autogen/winresources/dockerd/rsrc_amd64.syso -F pe-x86-64 --use-temp-file -I autogen/winresources/tmp -D DOCKER_VERSION_QUAD=$versionQuad --% -D DOCKER_VERSION=\"%_ag_dockerVersion%\" -D DOCKER_COMMIT=\"%_ag_gitCommit%\"
+    if ($LASTEXITCODE -ne 0) { Throw "Failed to compile daemon resources" }
+}
+Catch [Exception] {
+    # Throw the error onto the caller to display errors. We don't expect this script to be called directly 
+    Throw ".go-autogen.ps1 failed with error $_"
+}
+Finally {
+    Remove-Item .\autogen\winresources\tmp -Recurse -Force -ErrorAction SilentlyContinue | Out-Null
+    $env:_ag_dockerVersion=""
+    $env:_ag_gitCommit=""
+}
diff --git a/engine/hack/make/.integration-daemon-setup b/engine/hack/make/.integration-daemon-setup
new file mode 100644
index 00000000..c130e235
--- /dev/null
+++ b/engine/hack/make/.integration-daemon-setup
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -e
+
+source "$MAKEDIR/.detect-daemon-osarch"
+if [ "$DOCKER_ENGINE_GOOS" != "windows" ]; then
+	bundle .ensure-emptyfs
+fi
diff --git a/engine/hack/make/.integration-daemon-start b/engine/hack/make/.integration-daemon-start
new file mode 100644
index 00000000..20801fcc
--- /dev/null
+++ b/engine/hack/make/.integration-daemon-start
@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+
+# see test-integration for example usage of this script
+
+base="$ABS_DEST/.."
+export PATH="$base/binary-daemon:$base/dynbinary-daemon:$PATH"
+
+export TEST_CLIENT_BINARY=docker
+
+if [ -n "$DOCKER_CLI_PATH" ]; then
+	export TEST_CLIENT_BINARY=/usr/local/cli/$(basename "$DOCKER_CLI_PATH")
+fi
+
+echo "Using test binary $TEST_CLIENT_BINARY"
+if ! command -v "$TEST_CLIENT_BINARY" &> /dev/null; then
+	echo >&2 'error: missing test client $TEST_CLIENT_BINARY'
+	false
+fi
+
+# This is a temporary hack for split-binary mode. It can be removed once
+# https://github.com/docker/docker/pull/22134 is merged into docker master
+if [ "$(go env GOOS)" = 'windows' ]; then
+       return
+fi
+
+if [ -z "$DOCKER_TEST_HOST" ]; then
+	if docker version &> /dev/null; then
+		echo >&2 'skipping daemon start, since daemon appears to be already started'
+		return
+	fi
+fi
+
+if ! command -v dockerd &> /dev/null; then
+	echo >&2 'error: binary-daemon or dynbinary-daemon must be run before .integration-daemon-start'
+	false
+fi
+
+# intentionally open a couple bogus file descriptors to help test that they get scrubbed in containers
+exec 41>&1 42>&2
+
+export DOCKER_GRAPHDRIVER=${DOCKER_GRAPHDRIVER:-vfs}
+export DOCKER_USERLANDPROXY=${DOCKER_USERLANDPROXY:-true}
+
+# example usage: DOCKER_STORAGE_OPTS="dm.basesize=20G,dm.loopdatasize=200G"
+storage_params=""
+if [ -n "$DOCKER_STORAGE_OPTS" ]; then
+	IFS=','
+	for i in ${DOCKER_STORAGE_OPTS}; do
+		storage_params="--storage-opt $i $storage_params"
+	done
+	unset IFS
+fi
+
+# example usage: DOCKER_REMAP_ROOT=default
+extra_params=""
+if [ "$DOCKER_REMAP_ROOT" ]; then
+	extra_params="--userns-remap $DOCKER_REMAP_ROOT"
+fi
+
+# example usage: DOCKER_EXPERIMENTAL=1
+if [  "$DOCKER_EXPERIMENTAL" ]; then
+	echo >&2 '# DOCKER_EXPERIMENTAL is set: starting daemon with experimental features enabled! '
+	extra_params="$extra_params --experimental"
+fi
+
+if [ -z "$DOCKER_TEST_HOST" ]; then
+	# Start apparmor if it is enabled
+	if [ -e "/sys/module/apparmor/parameters/enabled" ] && [ "$(cat /sys/module/apparmor/parameters/enabled)" == "Y" ]; then
+		# reset container variable so apparmor profile is applied to process
+		# see https://github.com/docker/libcontainer/blob/master/apparmor/apparmor.go#L16
+		export container=""
+		(
+			[ -n "$TESTDEBUG" ] && set -x
+			/etc/init.d/apparmor start
+		)
+	fi
+
+	# "pwd" tricks to make sure $DEST is an absolute path, not a relative one
+	export DOCKER_HOST="unix://$(cd "$DEST" && pwd)/docker.sock"
+	(
+		echo "Starting dockerd"
+		[ -n "$TESTDEBUG" ] && set -x
+		exec \
+			dockerd --debug \
+			--host "$DOCKER_HOST" \
+			--storage-driver "$DOCKER_GRAPHDRIVER" \
+			--pidfile "$DEST/docker.pid" \
+			--userland-proxy="$DOCKER_USERLANDPROXY" \
+			$storage_params \
+			$extra_params \
+				&> "$DEST/docker.log"
+	) &
+else
+	export DOCKER_HOST="$DOCKER_TEST_HOST"
+fi
+
+# give it a little time to come up so it's "ready"
+tries=60
+echo "INFO: Waiting for daemon to start..."
+while ! $TEST_CLIENT_BINARY version &> /dev/null; do
+	(( tries-- ))
+	if [ $tries -le 0 ]; then
+		printf "\n"
+		if [ -z "$DOCKER_HOST" ]; then
+			echo >&2 "error: daemon failed to start"
+			echo >&2 "  check $DEST/docker.log for details"
+		else
+			echo >&2 "error: daemon at $DOCKER_HOST fails to '$TEST_CLIENT_BINARY version':"
+			$TEST_CLIENT_BINARY version >&2 || true
+			# Additional Windows CI debugging as this is a common error as of
+			# January 2016
+			if [ "$(go env GOOS)" = 'windows' ]; then
+				echo >&2 "Container log below:"
+				echo >&2 "---"
+				# Important - use the docker on the CI host, not the one built locally
+				# which is currently in our path.
+				! /c/bin/docker -H=$MAIN_DOCKER_HOST logs docker-$COMMITHASH
+				echo >&2 "---"
+			fi
+		fi
+		false
+	fi
+	printf "."
+	sleep 2
+done
+printf "\n"
diff --git a/engine/hack/make/.integration-daemon-stop b/engine/hack/make/.integration-daemon-stop
new file mode 100644
index 00000000..c1d43e1a
--- /dev/null
+++ b/engine/hack/make/.integration-daemon-stop
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+if [ ! "$(go env GOOS)" = 'windows' ]; then
+	for pidFile in $(find "$DEST" -name docker.pid); do
+		pid=$([ -n "$TESTDEBUG" ] && set -x; cat "$pidFile")
+		(
+			[ -n "$TESTDEBUG" ] && set -x
+			kill "$pid"
+		)
+		if ! wait "$pid"; then
+			echo >&2 "warning: PID $pid from $pidFile had a nonzero exit code"
+		fi
+	done
+
+	if [ -z "$DOCKER_TEST_HOST" ]; then
+		# Stop apparmor if it is enabled
+		if [ -e "/sys/module/apparmor/parameters/enabled" ] && [ "$(cat /sys/module/apparmor/parameters/enabled)" == "Y" ]; then
+			(
+				[ -n "$TESTDEBUG" ] && set -x
+				/etc/init.d/apparmor stop
+			)
+		fi
+	fi
+else
+	# Note this script is not actionable on Windows to Linux CI. Instead the 
+	# DIND daemon under test is torn down by the Jenkins tear-down script
+	echo "INFO: Not stopping daemon on Windows CI"
+fi
diff --git a/engine/hack/make/.integration-test-helpers b/engine/hack/make/.integration-test-helpers
new file mode 100644
index 00000000..da2bb7ca
--- /dev/null
+++ b/engine/hack/make/.integration-test-helpers
@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+#
+# For integration-cli test, we use [gocheck](https://labix.org/gocheck), if you want
+# to run certain tests on your local host, you should run with command:
+#
+#     TESTFLAGS='-check.f DockerSuite.TestBuild*' ./hack/make.sh binary test-integration
+#
+if [ -z $MAKEDIR ]; then
+	export MAKEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+fi
+source "$MAKEDIR/.go-autogen"
+
+# Set defaults
+: ${TEST_REPEAT:=1}
+: ${TESTFLAGS:=}
+: ${TESTDEBUG:=}
+
+integration_api_dirs=${TEST_INTEGRATION_DIR:-"$(
+	find ./integration -type d |
+	grep -vE '(^./integration($|/internal)|/testdata)')"}
+
+run_test_integration() {
+	[[ "$TESTFLAGS" != *-check.f* ]] && run_test_integration_suites
+	run_test_integration_legacy_suites
+}
+
+run_test_integration_suites() {
+	local flags="-test.v -test.timeout=${TIMEOUT} $TESTFLAGS"
+	for dir in $integration_api_dirs; do
+		if ! (
+			cd $dir
+			echo "Running $PWD"
+			test_env ./test.main $flags
+		); then exit 1; fi
+	done
+}
+
+run_test_integration_legacy_suites() {
+	(
+		flags="-check.v -check.timeout=${TIMEOUT} -test.timeout=360m $TESTFLAGS"
+		cd integration-cli
+		echo "Running $PWD"
+		test_env ./test.main $flags
+	)
+}
+
+build_test_suite_binaries() {
+	if [ ${DOCKER_INTEGRATION_TESTS_VERIFIED-} ]; then
+		echo "Skipping building test binaries; as DOCKER_INTEGRATION_TESTS_VERIFIED is set"
+		return
+	fi
+	build_test_suite_binary ./integration-cli "test.main"
+	for dir in $integration_api_dirs; do
+		build_test_suite_binary "$dir" "test.main"
+	done
+}
+
+# Build a binary for a test suite package
+build_test_suite_binary() {
+	local dir="$1"
+	local out="$2"
+	echo Building test suite binary "$dir/$out"
+	go test -c -o "$dir/$out" -ldflags "$LDFLAGS" "${BUILDFLAGS[@]}" "$dir"
+}
+
+cleanup_test_suite_binaries() {
+	[ -n "$TESTDEBUG" ] && return
+	echo "Removing test suite binaries"
+	find integration* -name test.main | xargs -r rm
+}
+
+repeat() {
+	for i in $(seq 1 $TEST_REPEAT); do
+		echo "Running integration-test (iteration $i)"
+		$@
+	done
+}
+
+# use "env -i" to tightly control the environment variables that bleed into the tests
+test_env() {
+	(
+		set -e
+		[ -n "$TESTDEBUG" ] && set -x
+		env -i \
+			DEST="$ABS_DEST" \
+			DOCKER_API_VERSION="$DOCKER_API_VERSION" \
+			DOCKER_BUILDKIT="$DOCKER_BUILDKIT" \
+			DOCKER_INTEGRATION_DAEMON_DEST="$DOCKER_INTEGRATION_DAEMON_DEST" \
+			DOCKER_TLS_VERIFY="$DOCKER_TEST_TLS_VERIFY" \
+			DOCKER_CERT_PATH="$DOCKER_TEST_CERT_PATH" \
+			DOCKER_ENGINE_GOARCH="$DOCKER_ENGINE_GOARCH" \
+			DOCKER_GRAPHDRIVER="$DOCKER_GRAPHDRIVER" \
+			DOCKER_USERLANDPROXY="$DOCKER_USERLANDPROXY" \
+			DOCKER_HOST="$DOCKER_HOST" \
+			DOCKER_REMAP_ROOT="$DOCKER_REMAP_ROOT" \
+			DOCKER_REMOTE_DAEMON="$DOCKER_REMOTE_DAEMON" \
+			DOCKERFILE="$DOCKERFILE" \
+			GOPATH="$GOPATH" \
+			GOTRACEBACK=all \
+			HOME="$ABS_DEST/fake-HOME" \
+			PATH="$PATH" \
+			TEMP="$TEMP" \
+			TEST_CLIENT_BINARY="$TEST_CLIENT_BINARY" \
+			"$@"
+	)
+}
+   
+
+error_on_leaked_containerd_shims() {
+	if [ "$(go env GOOS)" == 'windows' ]; then
+		return
+	fi
+
+	leftovers=$(ps -ax -o pid,cmd |
+	            awk '$2 == "docker-containerd-shim" && $4 ~ /.*\/bundles\/.*\/test-integration/ { print $1 }')
+	if [ -n "$leftovers" ]; then
+		ps aux
+		kill -9 $leftovers 2> /dev/null
+		echo "!!!! WARNING you have left over shim(s), Cleanup your test !!!!"
+		exit 1
+	fi
+}
diff --git a/engine/hack/make/.resources-windows/common.rc b/engine/hack/make/.resources-windows/common.rc
new file mode 100644
index 00000000..000fb353
--- /dev/null
+++ b/engine/hack/make/.resources-windows/common.rc
@@ -0,0 +1,38 @@
+// Application icon
+1 ICON "docker.ico"
+
+// Windows executable manifest
+1 24 /* RT_MANIFEST */ "docker.exe.manifest"
+
+// Version information
+1 VERSIONINFO
+
+#ifdef DOCKER_VERSION_QUAD
+FILEVERSION     DOCKER_VERSION_QUAD
+PRODUCTVERSION  DOCKER_VERSION_QUAD
+#endif
+
+BEGIN
+  BLOCK "StringFileInfo"
+  BEGIN
+    BLOCK "000004B0"
+    BEGIN
+      VALUE "ProductName", DOCKER_NAME
+
+#ifdef DOCKER_VERSION
+      VALUE "FileVersion", DOCKER_VERSION
+      VALUE "ProductVersion", DOCKER_VERSION
+#endif
+
+#ifdef DOCKER_COMMIT
+      VALUE "OriginalFileName", DOCKER_COMMIT
+#endif
+
+    END
+  END
+
+  BLOCK "VarFileInfo"
+  BEGIN
+    VALUE "Translation", 0x0000, 0x04B0
+  END
+END
diff --git a/engine/hack/make/.resources-windows/docker.exe.manifest b/engine/hack/make/.resources-windows/docker.exe.manifest
new file mode 100644
index 00000000..674bc942
--- /dev/null
+++ b/engine/hack/make/.resources-windows/docker.exe.manifest
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <description>Docker</description>
+    <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
+        <application> 
+            <!-- Windows 10 -->
+            <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
+            <!-- Windows 8.1 -->
+            <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
+            <!-- Windows Vista -->
+            <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
+            <!-- Windows 7 -->
+            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
+            <!-- Windows 8 -->
+            <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
+        </application> 
+    </compatibility>
+</assembly>
\ No newline at end of file
diff --git a/engine/hack/make/.resources-windows/docker.ico b/engine/hack/make/.resources-windows/docker.ico
new file mode 100644
index 0000000000000000000000000000000000000000..c6506ec8dbd8e295d98a084412e9d2c358a6ba39
GIT binary patch
literal 370070
zcmeEP2Y405+TL?c0%F4sD!rrFr6_v!{$4AJ1?*S7-fQo@E1)91i}a!b(rX$m0Ro|S
zl8_#Huc9K5%>TY~c9PA>Nlzf<JJ0iGW_NaHXWy^PH?y-F%W_$jEdE?p9ji&50P7Xx
zJ9f0U&vIG4vG2}1?d|`wtdJ&w*7etWx5qcMtmHQWtvYq=?F%gHhrWT<1xQ)nYXO#Z
z?azT$6V!<vmgV;D=cZ+$P=3OIFdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F
z1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^
zFdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o
z2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|l
zfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!
z3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit
z!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynX
zAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F
z1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^
zFdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o
z2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fi>m^YzX_0Ys1`^UF*YMa1~pn
zQjstq44g3rHUvNJ**NcYPxRuB0h?D14oKMWTR>{++JN8Fl)E5}8uGT~8vB{$p7Fiq
z3GHSD%<W|b%<p3bEa+ziME+=b7XM^<q6S&+rGqW;9R(p)jui%q$UyXhk6dwUhP#qu
zXS(B-_wdB6>>rR6Jw0Ie?|buO<F2ROmb;r}1&q4R3LM|wsx+#V71+~b1-xfjo|`LM
z?ltT3Z`0GiwOnD{y}lv5uN4r{&+@=exZy8c3kO)PC4=%`R}pEE(}jU@%RubnuibI0
ze+o=anD5EyCKvUz0#=S`boIKR$L`q}{$ab=WxbzH*f{>Fq?qadi(lEl=jLTyr^ZHo
z7akkcdFke*UDm`d?HV1stb2UylFl*Mw>EBh&(-lO`z&8Q{gHVQeLchH_qMvv>*e}n
zb`R@6u;-^>-%l(WU_HF#C+qHIL#^iPMp?BEg<AnRwa4tA{Eg*?PY8@0Xayi%$d8XQ
zr%EaeR7eIkFYn<_ikaa~-W=>n-W;06W+I1Ne$J)^pInx>VeC~g3qScfHtL7TiJK;c
zro@FsC2sibAoeS4E1a*A<HA%*e7H(UT&Pl$76FkCEW-W;YD>y8wPnjH6}NVbS~}?=
zHMiddDy*BO!n(Tvrj~*aP;+{E0bihiKd`-Zc6VzT(lGdjX$$&WgBJa0y}Pi#)e_s)
zR*keSKCsZL<SW2goppTRL7nb-y)F0Rff6J5awOXolY!04dwUYrkIm>)V-|m<$Jfyd
z-o1A7ioUNV$IkjTe$BAx#ElbAr6kOUZO^qaPo*S8*tWem9d>>)HF4pIl*EV=DGA}g
zd>)^cf%v&;h$Yguq%KQO*f=45`IJY~X7>zC3+`;Cg?6>lVDqPJoJ4xU#!1WtoC4B;
z4BvpVY<c*EG}!jO@IKZO_=@i6|6fPk&~Ehzs}?1@d}vmiM;&gA9Ri~yKB$<AUxDvB
z4mO{fvcj|XxN@xzc|zO!hS|?wl(cC|^SD+02PSTsvIhP5!KBz(u<>xOjiWzj9ySk~
zj(}}PoWwS5JlzJ$;2-ocJkEi*xoS)D61{KjocGk+{+Fnb&USy_!wp-`?DzfIHuk04
zFn)qQ!uShQrsyM#pD^(Q(w*=PD-kP9!Cc~th!YyYCtT(f|D>-i*VK-P5qe^taiEMB
zoZLvh{4lV2c^`MurtuklJ?{+T@Ou+CP3WDpX;QL|-4nuL&#+y@>4@QJ<Lt}Xk7u=M
zr+w#?k7v9vU&s5KSC3GOM%|$8KC~<BUE6*3emn>J&(`1Pa2$OBeT0r57&rJH2VbBt
z&#)aa!U*_-k1#*b+*iUO-7F8EIr#3EZDF7+G7!IZxM%mlR9EbhuDY*}jqF%Ee(i|&
zF=mfTiJN^qIev~xO~lw-_wC`Zb@uDFAIQnJ^V*MbLTVD{03y|zu(#CgUgxNgA7Jma
z`yP4r_xZK=ypA*ez{Cpl4SFmQYR@qsKKKLUhB(9rLos&v=c?h}@q&?aw-+oIVupaF
zc=l-aNh%DK1qL>+=z}@@p`PtqmU-=dafj;@H;x~H`T0Z1@p}B8o{|`W{+?rY_VJFG
zy(oFu{+8q@l^8ukEgAa{ZTF$wX!nfui@nb;Or7)t977Q1{B({P;0tyDzu?)yODjiM
z=NdV~U%0p)0dtKqe`rXNv{W(>z2IXv*5T;*b?R%Dd-Jj$EfUs^o|YUNl*V`*^K`U%
z_VLAM^TuD$_EVRu&8vs0@Ike`<NW-M@r@mx?$jA0q;dX$egH_v7~v4+2*+TY&}Qu@
zs~Uy9ezfHZ>Iz?gm|(@QtaFN`QW>OC6^eoQHN)Mh3E?_c-8BELrU~mtO-zmr{uBK?
z;`;@(dyMIev9C9F&lE8QZGY3^E^1Ei^HgXT+L7mU+jCK`XJP|0caY9G1NeeC_=3Jz
zU({47uiaz3;6kk6VN6h=luT~6)G-jf@MAZg*Xg;v^+D|}k6$yiJK}uUI_y4i0sH!*
zkLjJZ?whCW<GKF2`Jci50u-L<oz8K7QEfh_^XUWl{E^Vdz!#)r955gA1y4m!w9YY#
z5YZQNhVtyd&>`t*Vqksn<1UWzdAZ-(S?-u6ou0xNe=DEUd*l2PwtLg>rz}_N=6wvi
zcYB|~m7cMFPPSdp{bml4_h({)&F}+XE*s{3o;c=RtWCxmBg6?351c0bugI6#IPW#r
z#<{O*+h055!J6@_hfT!#J=#6S^&H>x*?ck0>E%=p$NRAT_2FN5pTBp{*Yo^>+Fofp
zUdIGx?hs>u!+1u}W9bm95%rPpAn=(1)*p!<sK^Fdg7+R1)fMx4y|jKsFYfec!ul}>
z>{uVRUqa)1UmsxGKF9lE-79(5@SeVBd!@lA=$L@<0DS@04;{fcU@-hZUA4nIM}T=m
zJ}(eIP=dBl(W;JH(M|XHk^QYISku!xDK-et@vuHGF`Vml3cgOKFz0Z*k7s<FR}EKl
z`kY^0#`}f!DYSn+OZ57IUe*!x|9zJav96?U;+<x`kECT*(R5Yrw|E(dj_jcIXyd#O
zuZ&yu(@J}sPrEPiSU(xh4!z*ofpEO@GhIatuIHWS@98nm&9bE?PUak%FTC&lWITf}
zto@ai^JxEken9Y<!6D8MtQcZlKrNW?1?C1YPguMfA+=Q$24L@cet*-VFIwXHezG0!
z^Lbve+P<-K)N98Q5o$})0<|q=vD&d^iQ2VwiQ2nolft_L3i_-T4GvV1gWWk|(IB@X
z7XIW`3kJGX!~nON-`}O?_jRecy<Pe}KjR~q8Xw`@SH|-60~{N8*A(@#67X$;XQ`(l
zT`U)Tf*bLHUXxW(bXV@P@C;y$KEAyXtZhGfaffFUqo*Ik93SI-KGQ3Pc;EEvSgWt?
zJW}o48l`q`U!nHxTCEQ5U8fH1+n^5b--vXb`u#|<+7UBSMGX%CJQ?W{<el)Au{=BU
zal>%DjmRM$?IRZa=vLwV-D+MR_y#<8=USW$e_%g@D?`3O`vJ6H`vHsr=HY$A>!=Ci
z5DUNuNGwozv#1bf;$3?eY+c(v*73cIHGC>1X%YH+zF%8-+c$lDYGOESev#U>ZJEQ?
zH>x8CqJd2sw0kc$==}$FuTU$-HAH`J!QKNiY}nXxp;L#SU>%F$6CwwDblfl>K4ETe
zuRoyuXZQr<%YZ+~cy@^O1Ha?>;1BD6vCg6bW1H_BN-R(zthwMfnH)D;_YrZchjiex
zJ*?%y8s2%F<43=*L0{ktQ)Z``eu8$-^R^~0LjS%@?ccpd+jgd{Z?bLO*nDQnzW?aq
z6t#Kbt7_3t7W(x{#b^7DSRjl4@Z%FWj$n+yu|pY)5BS_rzjJ_RhU@W7!@H;voD;xz
zjwBW+xOtT8Gg6b6>V5&=*y)rUhj;Xn7N5dAKfblW@9Ow|TPN#xc37Umclx|*{nKIh
z@DUMd7{8~%=1(2kzu^@6_*3ZDZ7{y~#`u~2eWvXn-nU*IJ(Qq!Cr?*VBhFKchq_?<
z0VQw$e*A(NPtZ?r-huvra|v9hYhr^^921zi0k$_Cw*N!iB=0&xt|i8^Lx}~-wN>Zu
z<`UNas`Vf#W@cx`{P-3}T4MARmALUYm9SyVse}z<PsXnseIkC{sN)Iie*QCl-Oqnv
z8+l+o%g3ehn_P*}(-gkvrN{FJ_N>i_;}2sz?;X?A<`L%~+?;;oV9ZJ6PaNL2@g&OA
zv-$zV{)gh##?ZE>ukZI``&nWGlp9~bbjeVR6)?Xzzn|Od3+(3&rPLSjU86L{FPIlt
ziM2w_s2Ruy;+tmT1M+7k<@%_^b-%b$;^#C-ik(?!^NN0TVxqpUyK&w-bvDd?vG#`9
z|Es-j)?>BS&TLz2-K<AzuATKrtu-?rM*fjn8^WHevtiCFb)px3UN>fG&${phb&ej2
zYqEbw<RjZ+Ms?d3GjiIFgvs;wZd(|6Xz%)k2luXt*|#ksZU4?C>d@Y`-m(9|&F~A+
z^bPa_CyyRZJh?MryjncWea8BIU)%S$ZT!Jv_yRt22=9lu0N)QRrE!6oALO&b!+1vU
zsyc4DKD^KSjG$aAx7=Kg4B+{YCmi3s59@3NOvRe=91kpFK|<tfy6)A}A3Zm2(R&Z3
zZXEK`zFjL{*qc0cz|OdFNA~YrdIJ6+{m`D3==&4YhTwbBBL`V0G44<EXM3e>pVJrU
zxBz1W_P1Pf!1=>c6c_0ELADKZgCot{ApC*M2^3Ms%i8If6UuR|s5*R$XHR(bb7Ci)
zbLpmWRW9E&?ySq#{ZgsU+Mg@cBQ}hwTyxE+v#wY>x@xnHV=inIJE8jJ2f}X2_C4IZ
zI2nAa6%aMN=_T6}C!L=d`9{0#vA;~&kuZMt^3fOkv3LmP{D%dkmo{6^t37&r!1)3^
zQ{ego&K;Jrn1Hc>nHyZOe3*4L<%IEoe)f}>%%r^RGk~=r+V(O2dmhh*r$Y7<5Eo8`
zUQ9>dFdOqli-FbH7YiiV*ou_jv)hic6g)pqTsl1P;L_m%yMaVJqhE?~@hrr{(-#j3
zn6_kSz|>{KD*d)%MCHM&Mpk}r#fVDv7Y#YL>Z)IBT$&Qr<~*g+{l*)S&sd)2L#nh~
zHazgzs9^!Iw!QiB1Dq2)GxLIZ`2bUHd;!M?^D#bPzgvo)Cu$!6dG5t?!TYGyd_Ex0
z2+O{G=XM9?8xrXM?}Y62yb$}RoZ!?~lMf%@!n}Ouni`|;xu!!sr*O{SQNsfNTt2)~
z!m{B3-QXu)TsgAJvm1Xo{|dHw{m<uVp8(&X{nL^mfpw7Q+<%7sd!GejZh+4P&<4GY
z^+CB_J0J6VC3(IXA8?I91lA+Y>E$Xdet>g>{QgiH#)7X<20=f-|N4BxocrZh_8Gwc
zwbS;s{%7k#JOhfRJ;Uz*2G|!kVb+nDHRj$qWPJO6;UIS!^qJ#wU!20elYYSc{>Sk{
zJ?VOF-!M-y?0n&hk(K)|9bT!?+EM3JC)-g&1Dj{qzis0S2U=<|p2aO0Q3XCI0Q2zJ
z9*XVaTpv_|{zAtD@LOD;%ymZeyS5y1^uau)1i`fex*x!tz_;Wb-zj(JHa_Gr@+*4`
z1b6k$^FYqMZGF-)U|zaK{hZU&rPs*$uBU}<7qstXUrx|hoB-$_OdaX8cf|gwONV<p
zA^zW`%Z3N0>-m7;XQ|EM&#Ha#!_>j8Q`Nqt(JCSGRkd`~Meqs5yhbpyO{Q(dnwqfz
z=L_fdIpcmn&k1mRg7M(6#7W*YgYsR0vS;HtwHV)-_r}yeS*<aCPvdu~^Rj!Edu`v+
z^I1k`9rjvWHo^G7#0eR(zSs5xus+vP%YUh^_9Ttd>jGCU4^y+I4OdZ-Gu6QZN$Sv!
zFtuuY<1*(1cz=e|g+F=py9kE!{K%%5kI7gs1RpRhak6zDb&3BAIVYWx{bhpz^S`Xs
zZp(wXf01qbjPY~#0lMEWaohLjL+B3>8+hmcBQe(B5i?lr*%PNaeeqxQ;J>a_58i!)
zdf={W)rW6Cu96d1sr_4KV7=fu-g$viJ};>KnooRT`~c?)`A*Uqe0Hc~Ld*ruTRYn8
z15DphHnd$@>B|7(I{kbX&v~C_j0d~VSKQBIIcHT2F~2_>&wC%n^jHU=)=X`o{`w<T
z_3HAjy64Vj>WN2gQ;$E~TBrB@-?i$?kDpgZ@V-FI-1ce_<^xX4`vN}p>(8bOvoFIB
zV6CzC1N70Se+_}|8{h*LZW?1<M17L~Z|rMTWovuyY^%~dJkPV|n)G)g^6LK=K?jXK
z7Dktge2#7ZNlV^TJGQP<|9;|5_1J?gRr|KLs&)_EqSHs)v{Vn@caw_Uv{-H5&;|ZV
zuN%nQx0I0m7Wtli+QoMcxQ2jovt^fi%$8S7m;Z9zM_??lFm8%<Hnm;8FIKi}o~^}m
z9lfpt>3eqHpJ&`pJ&VBm@n_WbX$P?XMd<&xto&TX$1YaSwEu^qz0>|5d$1MqE!3+o
zKBOLbpt)MUG+6D99e{ZX+JDA;Vwuky8Sr@l=U`8>574>-9}tpYzdM9ygEAjbM%;i|
z%dzoS{k(6Ztvk8){XAwq#-F9ahV1@7cHWcf@WDj&+J7HVZSQNYo_O>&_3-`8)!+eN
zt35kbsrg|e)%I;0Rm$>@^*cjl<yl}sIM#ju&kebzkbe9$`T-LMjHlZ7dDU{^9b&(0
zx5|iFRG4N$PqeSbxc`~__WkT*3cR+br21Rfzn=U5^-6W@&{{P+c$8{;?+vQW-8Z7o
zZ=seio~%y(m8AYS9E<k~V=zx}lb$aq%j5sNd;<Ld*B0|VWIcX6J#z!z`G9^_e;Utk
zUrG#67M#e;@4Rxt`rZ}xSU=akpU3cdw23+M(#6wKZeoD>&#1rt+^!<#j#D4M`;>bA
zsk_wA!@pO@4#(l0p%j%E^`Up{kK<2EyGqLE<+on=frW!S`klkm6bqbUAA+?bUsCr&
z?6o9i!44{78xi~KIsd4itb6&q-?o1~<Mlg#L>=OMbE&d@hb?e@PxPF2>gc{D>d#}T
zYR@iwS785Ub#V7G6}RwZy%u;0*8w`tDerkBs|c*eK22kSQ_v-aHRR9GrjW`zL#5QY
zOz-HmfAsx*ZJW>anIH9s-?%wr&-(JT+W;NgFCBG(T0ip+tOI;nZ3?+pE&sKecioSE
zPoQ+a2T)S}$czc*nK3~QK0YVkUx59(AHn+qe_&nEom743m%KY%%6tIE`+9x`?{-$l
zdY}Dve3)zB&+k{5{-mVzw5at)aXtWRf%uG%&jq+Pfb#>~U)tXVEb6`I=X}bK&kNZ{
zm*AK{`vB-wD*i8d9jd;0ucVZjL4|D&p7ZN@Kg`oUWY7EMX#4d2y6?xFQhs#o%pZe3
zp7w4~2G{zPB!~0?oWJF_$@DtUl9?aWu_XHbxjSZBfiyJptf|5pT`9V8_+}lGVXkJH
z9oyyj%%A;4S?K#q(q_tI-6j^8U2?I&N%kAiv0hYtj0t2MPzrp&GW)x(DO0U;Ap02G
z{>}Vfwz)sba8aoq_m`Epr1Z5jGZyf^Pf&nyel|Vvb8b5Njx>%nA_rRSsQOqZB=do1
z*azU7K3WENf4ePwGRJ|8{r$%O?EB}I;yM5F*e{=ndor=W9QgWTewTngfZr6|xpKI7
zE&y{+vOe$(`T)p7+dswt?}Sm_-K`UTe7E-RlwGNN-k;}lfYR5`o(Y>S=rwgLfH@vM
z<E7kl(uqRs_pTA{V}&VYxd*>txmJyk^?_%?1(<nQ$^o%hs4eH5V}HbM{NGmv)g?K;
zY;(qUJ80*{=m+%LAoTqoQST9BRQS07yr1Se-RS&wEggGB4RKXP|9{YyZ;r7)pBI<j
z=lx~d#!9u1#4`eZXMq2&pqP9>I-fP5zT;7YTsP7O4Ef?x&%<q6pLQE4sLiph<>j}i
zzx~{QkX0M=GTJ9|e$Ou;uZ06$YUv2B_Z3t$4k-5}_#Z3y{|{=m{S4Tzp5&xI+4p<j
z5$IzrP^sQA=;~n=ZyW&sQyI7zxDvPwI2Yi)D!|#mIVFYHpS|{c`m)eomEH{M>Q+Hr
z-01+*YzRhq_`pE5U~tJ|A?nWyCEbRi)Spw^i&AGvpPN&go%`7a?{+0Mr*B|3{qUzV
z`Pg?dxSLyr^sJ=E0k1rD?fLE7mYlv9(2i((v_aY;^OpcMfJ=cY#T5gfu6n==z#t$J
zI0*2273sj=!0*6e;8-z%^&Pcw<gtftIrP*cEl)i2XbbhU15Z8DLJ?1Dv_#rcJ@qKS
zw5UKmyw)?1wNTFj-s^g=!RtKnaL!=4X^XQC*2V2&Yh!NrsN3H%qy64%+wJ$$_9wAV
zw;6Ssdp75szV>?g&bYpVE6u5&b{jc3+fR<4ZHKy$YQ7!%VPsR_^x>A&bzl89dU^z9
z1Z}_x?lXGKV|~vr?6#@*IO<FTXp5|C1uzPD1Gok#_U9I;vnp@{@Cq;kI0W$eB?kCg
z_27NCsr&A}UEP20?dk!b4YnV8ptZtyOu;|c*Y<uxr`<#RmPWzB^UQrb+U8bV^Hz1=
zJ+0N<ceTbfajgeXCysgi;alKeym<Q2TVO9<aNm=_<7jU?T)!=jZ-YASy}Px#_g|<3
zbv=abN3h>q$D4ZVEliuUoTJ;HSvT9ucHe_*-;Xx1J-o*!(0;b_X-B)cuRY4LoP+kZ
zz2D2DX)o_T%QXwZGtYN&&AQ1qxnX<B)xH0^P3PHW9#2l$Msoa&%{jR@a$p(T#`d?d
z@0q-}xv#Z)1a+JCGo`*1^d5K~^{{>0R$1zD)_Vr>f8d(ozz0Ap;L_si^PTmeUe0-V
z2(zF2m`8dc@H`L#Fcu&`rvUmT`pn#L(mu|Y)4#Ak1z6Sop<Cv{#wULA@>RRPf2V=!
z@Mfd*FJEh-K7RRX^~Q78sTUq^t{#2R>mR5;1a$!CLSI^GnK7RmcpS^A>pY)!|Ma7+
z)cgN!t~$SWqZ;_tb!u#vW-6%P)hc30Q?-0lW3_Iq7n{a6QZW;}SU;|@TK#Kde7n1e
zS}?S!3hIBgn$Z0kHKNnCs?Vp_s}677q~3k8xqANbmik(}4)GAK`$!wF-^g#9o%ch%
zr2dl!-UI8T-MsX4OZD{|H>rM~U$1`Ye65<%=W4ZZSW~s~m&R)Cn8qp^ZI4FVc`w`-
zIUH@qJ&x^ijT-pn^{Ug`H>%hF-9pz(KgM=G%68&f+Q;R=tG_n#Jl0{_X*hWHu~zD>
z7n-ZD(B7UO-=KzexK{nv^%^y^@6{@Na8nfpPFJCgY%AML&e?t=hZUn6>w60saFrV0
zt(hA9&2_5l2REpXU%FX6*S=MTT-)A{{(}C*mbtTyzIiXN&<(WtVe~Z*-G5s;V04Lk
zeE^6776PHbRA3x1(awh<T@EAw?ElTVCS@JQ26D3#meHno9`lQVw}C5d8`QRF=iS&(
zTg}+V{l)cTy>|Usu3_(MjdU(x+R3(>do?Njg1Hy&V}1t^1bhPA1vCPxBMv<Om1nNe
z&;FCASPN68SSo3<bt-<MrDDgs)cP?2YQ^ZvYSGXtYDTY%)yQwJQs2CJGxWZNwtM#7
zZ6EOZZR#E6iFz}@?Z;p<_v1MD8TB^wkG4*Iqke6h*+3ndQ&0W1psxB8I2K+{9i3lK
z9hp~89h&O^j^T0KcNkzf!Q*+}@r8BO9})G`zOedg%ZvtU^Q4Aq`RFEUO3!B6FVN2z
zpTIWL7qD%4*_b&-_t`j){o%(iH;1iXqw7zc+EDEct*`!A;Jt@qXan1S*tFl-Znha^
zrp;{k{@L|a^0bE9r%mkMO#2er68l%$uerXHQ{TMdoxbV*d%W?`zuVE)Td3|I-2hv?
z2LJb@sfwN0NTp71p!S3`P``sWa^}l<M!U(q&9{*Q%Xn`*_s@vB>Mxv68SDsZpyI&y
z68N@Z9j{jJ{^wfw%9e;N@ZB}|0e}5D_wn8sliYvL?OI1(c>Lyc^g*io2lckYcRY>z
zydJ0nTmn?~XJ6P)TjX3>HK0Cl8$i3A03-n?0Hcqz3&LzWQ?q|9${zwUu7`XUd*rsi
zwv^O9$MyAC!`}W7DeukrG;=Ssb>kB_ZWsYP3S7wcA<feEgo)m{)=gvG7sO4pHpWe`
z6jE*f_;wq8fr4L9^b1?3dtiGtp#$~RR@g23xuG4d(>87T8q}}lYEt$+>^FOTa)Vlg
z<7q3@A!FkQ=G52wc8Ao5UfRGhJT5Qn!7&;*PoIx%+CS^0k8ob+5cbjEu<z~j+4bsw
zPqoy2INQgz`tt+ar(<0l^U5<V;QOxAeLC&J)J@yik883W8TXJ&+fAE!>~6cg2T>pG
z$Z*1Tjzhov9^x1iXZUL$?T0><F$0gI-{|tejcRJItI=mS(!S-WT`%jV{T>7l^f{)z
zhBt2K#W%}M`zb4)%YCfR_y%5QPsrseVsKT}=aX9M-|buIab&xPyzw8~OSJX&_3EXk
zZd5%#s;j2=x=5}0B`_W9&s8e0eTMZI^%ZGGJZ$tA@}kYtCbQ@=%bh=zbH46wpbx<Q
zkFut1IBkUcjO`CVUeD<v<uw9;T(9B0UP<TK7JxB<<^<`>fU$etgSn4g$bSdu*u}I9
z+q|bN7~l0$U03vYS55T!sqFWGG^X$aO8W!&gw5kEl{mQy<X<mC=IjRu`v3Xp&%Z(J
z&A5+oG4+)?$yk$dF!lR)=mzc6SI@YwIAQ8{>NM*=G`GI)x7e1{=?zubk5{WNUuT=W
zHe_tf=xCdJZ&fco*;4nPTM<*R-=?0M`b}EYwwroPN}s}5W@m5%6^!xCo6o_9&=$xp
z!%rFCM8EsN|C*~Qy_zY;BD8Pz&1@&zW$JWtvA2ZyHrLu0#&*<DJ7#*+@{xh+hxZy_
z4$0eo&J!@sfB(g13c82*(xdHt>vZTB`Wxt5THFK|QrD^tzk2ll68Zk!1|G~cYkLO=
z+8&wu!00vYL+6d&GsV7(0LBIJfbj!Po9SjB$8%Xnsj++Keb{Z}z3Z4ADdz`yKlEu#
zhXb`7$MJr0^kcAd9aA7}2<)NV1KR%WJhmwh!~oOIfv<1q)hp<b>8}sK|FfSt4EtIz
z^eXkvf12w#y}@5!r~6{so9;KzUli3=igG^nlWk^7J7Hf%pTM}}qnDcNc|?x8$s_yJ
z9vCAh!KP^Uj48~yMQKBR&Nc01zpDM~tOkgyuho8v;}*tKoGW<k*%m5zz}1>l9>;s4
zZELyU9`kdpk~(H@XhXyY_0+Z*Ra7cs$6vm$uI>ImPuvW<zeFWWa;YuT*r(9uU1~FJ
z-m81mKOKJ}eVuxYG)oM?efjx8j#>Iko`Ze#1DycQ>uXsf-2`Ox`}wK+Odo^xniznw
zJ?~>LpkpSa#)swkY{GDh^jhEuK>pM1l=%$%-!lDt*ncDFmA7xn&>h;94fb0c&ra*z
zOzYnP#I`KUIJTJkp2F6vZOm>nZD&tt12y1_>-Bs%eE{bTj?9CffPc_&?ipyev1R%J
z`XJ7WzVJj#{j7uYhN&|eX3Tk*{=Kk#l+1Yz;A<Nw>J7(`6T4liB8Q&C*dDg7`*^3#
z+q#ye|4D}aT})d;TBQEi*Cw#t65zZdZAX8b5NV<O%$e{7rmaZ-3DEYNu^rq`<hM=W
zRUeD=2H+3CkNtbc0b6HWX!rj<_V2I_>LKF+XRKc`x>bBWh5aSl%(%Pjhc{pjznPwo
zEG;%gKft*H&ebg)*;IY~=1poFVgknayMv35hmw&~1Ni=in3KIo$N8L3Vt;SzS#GI`
z0Y0TJ<M@2*bZ)v2+tBeak3pXEiu3{R*xNd$&h7ltQie90aZn57Z#L~W`}5mQ!z<Dj
zzzM*={bT?3nU`e5|9R<3Y3%cJYcu14eeeN1hQ44Qw;g`1G~~^=g>7L>pxa!^+L#kh
z95-&AacO>S->HL)0rcE8(jvtGPMd(8Xn%sVF7Pkgeu}Mr=e0^QkG7k6fIMS;f9(LL
zrvJ~?{^=KX%&L}e`_D-a%EJEQo*ygDdoImw%j-Vr1E@osPoh5M17;rTW9qKaReyS1
zn0>Gv^E|Co&-dkaZ@34}aTMBb8BUSr8vj#PJ7!g{5cZ#!9!q)QV<Y;2ok5qw_T73;
znR=BAjQwxMF&EJekQQ3k{n=4b?Z;o8WoaMyH2r@r^M76$?F_mC_RsNL;pH#q3U~AY
zyMnL8GXPI+wr|Q#+Ww(P&jQMlO`guSf?M<auQBp_ZLW>qH8RlYF0p^{eZ}Pa_hU|Q
zcW@0n^Y`Qx2N+#k2i?@)3_hLqQQoiRu>V@fZ^?)Kr=t%S2nW=GQ#MW_CAggi<jYSo
z4%i)B6FwjyOFv`lpmU#j9^Ibyi1K227Es=8J3sdaF7<c{>4m^XfV?y2qTkJeT^P4<
z-r4*7pU(gV6`6y*S>$hQp5wy?^a1n-Oif?m*C#Lz*b_n@5SUvWV4ejA+xG8*ZWil2
zKz?kcJRbu--N5z0KY&|-*1p&_<D&MM1AHEHxX%eHEC>JI5p>y$JA<mdwR6_xUt><F
z*Y1#-!}o^P9ScP638{TxPiP%~w$9jqK7sxqOSz5%v=0c#X+4nX|CzS1eSpLO<=G+0
zy_GozHvMLul{)?WMmvM5x84(4s~zU}e%=#OD;_b@?|bpyh}Z7*{IMA)WcUKF52&Tb
z0$ghjJNJc&0eai^U#REZWscO-*kEwZ7$8S%n|ZMZJ|C!_3#xgJM%-C!u^F!AHrFdo
zDonj4Q77A5T=hnMW4X3ZujYYG6<eKbo4J3(ZGqDu=t0mG0kH7^jNt=e+kwX-T4a$s
z+N`&sH;piM{1~yp1mF+vn29k!1KK}h0__{<1H5AazjJ~n2G{`|<ye(^S_$yjd8gh6
zU|%4>RF@Z*JfxnS8Q3t{J0?R~7w8Uj27V|czQ=jJ0R3Iq<dE|N4lb(w7SJ8&4E#_C
ze2;T_0so1f7NB(#^|!XK!|N5Mt-QxBz;_#`xN4G}eG6(-#WgwtU4X*0ljpFleS!N8
z<G4mUfSeSit=(|`$H2L)7ikuoHP<Rk3OjdgpLLlVKEVUq4mh?Tt3TK<)(Y4@<Ko&o
zgRl56;(`^JKlsy*3FrqnSCHnN6Re@14LaTjGO>Vp7Vt9LNBb^FJ8?Yc4d^GtClrLZ
zd>#v3(lHs*e*y|fw^QZ|ij(#^TGpwdRja@jHUbJrvs2~^f>ZYKVF|O&(Yk|cyl-FU
zR3X~vyvKCd|81lS_Fo6r`MZE^^SzIg_W3;x{b=9MMQm%Def}1tm$P1^B_2m_n|X-~
z&yEB4hc(C&!|a%K>Ft<17_ld`?s3}>&<C9I`T(pC$i7C%*#8RH@Vh`)pg%Aa7-?fT
z(!RjAz&k)YpgExZo#B!x_K6>G5>mvx(Iup}1GJ4NfyaR(z)ipx0PU;_Fdc{hE(g{D
z!+}cyp7%8Hke&Yzn-xE^N+sAsG_VRd57-Cv0BQq=fR})~0NT;@z^A|gpgJ%f;Ca=6
zL|_5y<PX<)*S^lpNWTNN1GRv$0NYgwNCEl)O@O_?YrypY+sgDS=3)POZVL8)C9XkV
zGZd%+uuabacLT?PmcT~<@8LpVDzFJ)+^`xL1=Iyj0DZkJ)ouL+*ZCW`2$%-s#NV?h
zy9+pKr!OI8TQ2}60J{PG9Xq5YZvUqJOyLLIuyMo(^}Kz>FP0nrp#jDaBQbx7v4I{7
z&<CXL4EC-Qgq@oH-=t<NV7Bv0`Ci*jAQGToxC_wl6|zmpGcKSnD7ILL^;Wc>(IuqD
z{uu|{0UQEo=dS>YydWJ9gxL8N$oI4J)Ki|<0$~0{?vI;!7VUpCu$0?KcLN;&4{#88
z6le<2)@bLi0sHJ@M<5?%=VOpx%shXn|2_LU)scP#q}uz3AivtqCn4VvI1ixh(5LZu
zw(nx#ZRUOKpY729;}$9NZGh_l+J8;pzrbGBk8~Wc#?CKAzCXb64v+26{ruq?V}Rp!
z{x{@9?Yu94|3cZ-0R1l0wt(S%6!QCkOYCz`tNrtu=C=cL8nAQBBUICNw`102H(~rg
z+nyi59AU$>9YK6wz_0!D88zQmBbax>>^F0U&N__mh{rjDfLl#_kk@kvW?RyNF#w(N
z`t(fuzZ?7h51<~_1l|PFSu0ZZL$mGtD&)1EBc)B<1Keuowf)CuxBtDc4cb5b!eO92
za4kSvyBv5OIKcXmjs}+5dHRq@=J~@ljQz8Hp90%}K!EXxvHxV`85>*(u>XGwxB_5X
z>DS(2-jDrr{7(PGHa!U30I*N52fP9p|3v#=&-Nf)4h#f1-r=#@FWPOT{r_#}=|6Mg
z?|zhB2eALY7T~;rvH#J?mkRsmeekDaf;mk*C)PZ!{Q%w%cpc9W_tOu+KcsJ;$@d1c
z`2eR)=a#3v6J{+7eS#TB@I2<jf%^cxz7VOz0$$M+=r8oj*Z$cLu`j3nUkSVc82isn
zf9W?`0kp52`hVL0Hvs!d+J8IX8i2M|9bo@&?0*#UdD(vrT<a5HE8qeA*?(2+r~N+x
znEt;S@;UYYeQ;eDz&1Squ>Yq`*8yGz{Mr99?Eev{4CH42?EiDJ|NBsO4M6*6`WRsB
zztr^qzRI;L_zKVO;Wug>+BWmj`j{h(;dp>!0jxdA&BhB;M!RRsVB!JhX8}#wE~JbF
zv_JA~r)>LY06Hf24{Gf3KW$#@-@mHlxEFJRdX6x4+PRlvZg81BAAos5d_x4^5%Tj)
zpfI-YJjcWaW~}f#?EY;wkoHeMkYi(|APWOx|5@h$#Qw8rN8TG)TdMopq$y`#0^47o
zY5SS$1yiP;Q<SlQ)9!uq^aJz(CLS1#{Ml@^_<+1+$0Nl4#s2fBDcO(OGQFy{{aM{D
z4{U!X)(>z^5Z4LX>jpUv;P(XU;+yo9OUeh(C(!;m7GOREFy9`MI3T;&vg{H27yHkm
z5Cz!4|4`6zKh_R?Y|sCnaN2%mz5%|+T3f$2Y}=@BKVDqhP9IQ-w}R`*d_XQT75f+a
z&qY0QEW&)hwySM3E^f3pw2oN=knwInrtN306NaCFo#*>IVukey#s>^x<6-|21LP=0
ziU0jP|C9N@T=c~h!M^ocOneVylx^!-;(lNI=Qf@R;Cr-1dM=nBpJ3($c<ifeFVZY)
z7|lIMD)uk-UvMih?=@|odGYla+y8El`*ZC3oxXrR0P_Z%3!t5vdAt1BbwQ3X_3pzp
z8uAX2$~eG}s3rcF_}`CO<htw7yk<J4-W5{wOWU?H-UoErdT#lYsb?E|=KQ^Rj%W52
zHKqL@2UyQ^-V9Rt{)iu`iv5fI`%#NLcg2peJXq_KY}<Ig`hIgPV}M=3HSyg__kP<(
zX{TJ<LqEWj$ZvdLjx*;up9gZ^7~mY<5K@T&d?f3~{<#i~Yx%hTuQtGSvS$6?MC9iH
zZeTU=BdbHoHGdBPx7qm@x!<w=*R12?yEB~tu9M~Zzb62$ujO-hzH{>?!1n^&z|R2J
z)p9Lf9N=&LZyj9kGl1)V&jLmOdQCo3uK(=}Tmo?I>@xt@3$v|UH>lST`-%Vi;aXgu
z%r><JZUVTbuOYzoiTinPNPh!1*m<^d5O6M#+xkDQpU#QD2T^t-@H=n=!1an|{ol{X
zmx}ejSnsd<evIR9#+?7(#-?-Y>wU`fJOO;iuhHYID=;7UIqWhDF!OfKzMr<u{pQ^O
z<_);d_Z%M2^A7+&1OK3Wkc!=t2tPmQm6j*c+o^BBEdbxI=bBl*+xI+>##51UExV4V
zkVXQ1?EU6EzAwnUwtxHmpNw~RU>n<k4ghU>H^BAv^#Q&&dl^9c+QB-J4hFQ%BV7mh
zd;f>;#=Q?D*zM?t{3<&ikNoEV{Q~_1*VA&{KihX6@CNff_MeXHbhoe1Hu3!*u223Q
z;QLAc22A_7{@=XU6p4H<`@CbwJJ<jJit8M++msuB<h(IJJ7-ECZ0vs+@_T?Y{{9cY
zAHsXV{C_9!w*<33@At9wjCBBx{a6>s=YcgMg8O;r<q{^j&w`EK2z&tW`F$#I6fpMe
z^a=j*T>qB@Oah(<Y605jP0BXQFFOO!DP#Y4P~U*@HclWN1k44vzatO_qyXK3-M|`v
z-``+4`!?!2^Z(<Ol7i3UdU(DgYx?~^k*BTn1o*D~bYLXFzLxLL%mw)VTvveS?E-!P
zXjAi-{+iKN^Zw63Tx%h~KC=g~9-!a)2H-mSD1biUFJKn%Bf$0z0K%Dv{kLLUvHq9u
z_tED0E-$}V!Zu9-Mg#N<Lx3=V?fV|!d(C{GfqAxbEzkqtdHQ=-tQXhd`@g*Acfe*K
z1@On;MC>00kawnhSJ-*pPHb1R>(nx1{&fHNjSyZF^L`_3n=a_s-?smn^FsSuo^8{s
zdbZBIC`<ngn>`2M|F(GycnjzN^ag&k!EXh82k?6Wj{`jREGHM(=KDZ0@9!kVPaZmD
z?4SJ)ZHD@H5;zE?1IK~=0Ckae#$%X20{mg;S<Z9*w($%vl@fCPS+Iq0fVNJ%U~K<~
zBhOel4cKp|e<9^DJeD?p1YkKae)IH7TAsMZtM+wxP1-i!Rc4#mp2K#Y`&h>P%(HE2
z0R00~-q$YJ|IKWxz5ag-uERF)`Ue2EkKY7fo<4y0VcK^Td5&RtEZfQZ;<4QBz&iQE
zHTnbOl-JCQzf(Adyz^L|LtZHZ=2roi*>#=~`{%cUc>OiMSZD1CtsUiWy`Q6>_t*Dx
zAL4)X|G_nN9Lf5UCI{+wcww(adY9LnZ>L#&3a=x-oEd;_oef+KF!m&_0vb8;4UunZ
z!{nP_n|X6AkLSB<7w}5S!RNUSEUeW4Xa+R0)2om+w)0JqHnH>E$L*^D9?RoQ{u<=#
znAXE)F9xm!8Usy%tL^+%jy(6VjK?(d$!DCmX{uYV7vCFkWuSdcXZzSTXZx6Eo7h%o
z`?!zWZ1;6Qb<<XGaRtx}Fr1M?lXvn*&dHzQ(#XIZ%T)KhrtZ_7nz29L>1lxR`vKej
z3o`dd``7UTzA4z1?f*Uerfj|p_N(9FLF)TWK;5TfKU01ykdS`<bSr{fuR=0_F~5$#
zF!y&O>=(AIzXe)Q`^OsLdVD89j}ejT_xCF#p{4Am(Z6tBzc`Q)d!c{59H_Nvs^>~?
z>aLNQ_b?Bb@+|q9C?j}YZ9sqfij?hNQ1d*X&VGEe3#fs7EpNVN&8+zv*yb_19LHtk
zxlf;mxW6*%jGZ3n!8M%MWSgCBMLV4B<FWd9?&q<lt#z<pzkkAd!KbU3IL+2ivi{Tg
zL(H!2e^=0zEn&B`e~jfb-}T8~zCjw+3-f;pw`beoQ_g5ib2|B}XxD<?2LLMpj=?#O
z<@lCkTW*`wnddQPKlA1s9utHZUF#pl*YDWlY%|{G`~b(@X0E{GIc7I`rUcJ1`~O0$
z-jZ^OhW+9iX6}I3V_SLsoZ82B`nHwx5j<YUwn%k*%ZuC*^XvP;n%`T!_FtH}|N89v
zx28@zrv`c1KJ$_@?$^qTd`jDWQ2&8V0OzjX2aW;rfUf|~&5Z>(KSrDB0?YvZ1o%v!
z&la`<{Jsz88t1E++jLw3`+d*0<t|7$C(rq}uYi@nPT+0e5Wu;|ZvoCF{s!=P`T#yt
z2x1=gujl_^|21$8&a*`UUjS?q=kEEefOgL33!IbZ9OFm8I$#&@A+QZt2JpUko}T|l
zTE6T*w6@p&Lu=l;H;ny%f$iUZ_Fr=@broZXa>Y++v%fRl9_T;E5`5;RzvGFN_R;~M
zUpN3f0&otDHd76F4bb1$L^>QW=S3sG*xV27*4RJS415HnvJ5HL;OOW7NRxmL0N3R3
z`P}0`b%6GN0q_>{uz&siU)cYZxCYyypX1y4Hb}1p=&R@-{tN8kwUGV>thV#?8T|m>
z7oRKW=l|Shd3pI^&cCSkkMTl1g_!>Za)Nk5`u_5w9DeQt`fu!Cum8jLUV!#r31F<<
z9=Hym-EnQs>%ak4g>)2P&f~g+NOK9;t+D@F$bSlK0|J5JfVN4b$pD|tUkLCy{Zqgd
z0PX*B;9chZ*neMKi+0R5JqX+YFfOPEyaMR&{~;X*thd{`9QlDj6@bT<OZ&$+KD7Pg
zJ>FIv!xwP;k9ood_+LS_cW;?~fqssOwL}^7L`JrfmLCRS2gd&OIyr39{=We@FF^Zm
z2k?0zZLK=M{@<VdGluYI|21I4p8#6{58!M6-(g=>fcF0cVEX@R$a9R~&;I-1TAZ_E
zn;rn@pJ>x{fR_P(_RrY=N1!rLZtWlTs_lRK%*zTh|F56>Vea4uYWRWKjdWe*N89C2
zd>Mc(i2eJLQiiuNXRqV+t<x`PjDGwm`*X|z<mdUHJ_a$vZv3y&TBHDLi6r(f!@7{4
zri=ZTukk<sCm7`(Gr>9^_P@rq|2)6@;hiU}r|>@mKIQrNKLOJBlZbNu6Z<b;_D^*^
zFuRFa|NpD~yg#q?|K@$a)k#yToX<MUH-nj%U-@M~?7#fkKi2-}^?K;byYCIH$M`=t
z``2@Rc;0^!{}b$=)bt%emrLAVeoa2hor(RIKl_IrYx~9j48PAY_Rnb!-~`_h#{UTV
zmWqMA#Qj+;q<n9P{g*%cHyWEbwNfRl2iR?o0sPs&cfLQQ=H%d?EVo+so@?vO3*>p9
zA+Q3ZV*lmS{{LQlhqhxp%Nt_bzwaC%w)M0AWyzDz((i)enW5Nz1+aPNEsFh@Py5IE
zA05ZzJHY?6-veU*Z(;!S`>_4c+KF3dUR;OzVBQ;a>W1XYKLcX_<<tJR;{SfBRqb_u
z4m%HbJO?zkpR{$xh1XKUcLaIA7g+waUGC7A0f+sYb-c3v*O#O+x{djNJr9UAK@ZsP
z0_yQT{6XB785isS$Gs~=-t8@;;w_eDJM7=A|J{v!9RRMc=Xb97{?Ana*V>x*f6V&Y
z5!h$Wi$UJs`#)UI`!TSE4MsW`Fzf&M{!d5XJb>RCb-w>|5w>$$|J#do*=^$cKV1LI
zcY109{{zhXKV1L6#y)l_@_dhx>zd2$`#-!_=kMtJ8?+C=cL7H5y&k;Jvp99yd3AUU
zo)gGizmu#An1?NJ{qF`~H9-5`1M~)(0DS-N4S+Uw3b+N}`?LE1zH2iP;5YB;0tvu;
zL!q%<q_+Wlr<d#h8w0-q>j1v<!}os%05<}A0NVR40N?*%+KG9*|I?iH+VB7I8-aZ9
zuo1vE(cT{d_)hYjz~=z(f$s`V12zIz0KC7SfvW-5VSGrrwgJ4mug3uRAAmJ6C-5!4
z3#7l%BDQZdwPL2wf2|itD*=3WhyA<xmIm_$0qu~-&q)ofs@I;tZu!nH?f8_PGG7p+
z<9LGhe}`@V^f`rXqq!gR{f`P^|3<s9o>$BJNcfE|yd$V%0#hbw#bp5Y#Qy(HpgYhN
z=nQlLy4iW|GyA!ZWju!YA8fF^7x2RFaPQhN*zK(Vzah@PpXdy9^U3oYA1vd3mh+q9
z&OEojh5gs0gwX$2#Wgwryq>dtCePHgmG{H8vW?6$<u=g=xQ}%r)po&rdH(H~bt&w=
zhJ44XJPTRwO&Aacgn<GwfIg6OVu8hgjQ$1vHvc~uzxPobs1SX00mUYV3j-B`0r(JY
z|42D!_zN%<m<CMr$#dTnU=lDLnC!@NAIpeP;NK(<sf>jygciw7mQ@CfjUwf@gv|f@
z*^fNu6Zt=W_-#?<4+H%FWz4huIKcVG0|4g|dG0=d<vqy<(sDijUsh!<?G^?M1F%uk
z|8p$?zaQQQs07fC9|HLQe`)ItfL8(i{2%E!U>)m0x(pZyoD1;SzV?2xe?zpS!aylx
z0JiG1f7-nMb~jSy+W^-A{J(#-ftLaOePX1(_WvXH(Qoir{ryj*V*jO3=F%i#z%T$C
z^|gQY|D0bm_J2L{jP2_Hw12%m5h?9ofBzRL`+wU1Spbg}`!@tjDh!lj24JiH?B9j`
zwEqVH_W${{|H}5UV*jOB=F&7_z%T%N75g`2NGc3eFb2f_E11CLc7*{417iOUG9)Vu
zR4@j_{wtWk<#vSu2LodN4l*Pw3{)@%#QrOoz~y#@0S5zO{|+)FD-2XH2E_g=n84+B
zg#iZxV*d^@Br6P5Fb4eCe?RQwI)1MIYYXuGAFlu7`#-M%`$-Yf-+&EvemU|#0et^Q
z*8f&89g^EEy9~fyo$LSj{$F?7rcWZz^}p8uzXR2P=YZ{YIoJQ|?-L_k1eo`Rjv+7W
zf6J~)NXsh_1F%*7jSi$&0(_r81>iS8*#9pDBJBKZr2MupkC_Z?1^7(>e*1&p2;h0s
z0G_A6|A|!I|EoZ{B)3}j7=VqM{{J%MR{*r*T|hKI8{cl{cOu;a!~%POL}0U>k3-7;
zH?R%haUYTir1JfrvZoT#;tI$BZ581E1>twV&Ic|As@gF53$V>&SkB{2-g(|7*nf5f
zq)={I7!U@80bxKGD3c7J-{yP&j01`aJ*Fs=BuJx$0bxKG5C((+VL%uV2801&Ko}4P
zgaKhd7!U@80bxKG5C((+VL%uV2801&Ko}4PgaKhd7!U@80bxKG5C((+VL%uV2801&
zKo}4PgaKhd7!U@80bxKG5C((+VL%uV2801&Ko}4PgaKhd7!U@80bxKG5C((+VL%uV
z2801&Ko}4PgaKhd7!U@80bxKG5C((+VL%uV2801&Ko}4PgaKhd7!U@80bxKG5C((+
zVL%uV2801&Ko}4PgaKhd7!U@80bxKG5C((+VL%uV2801&Ko}4PgaKhd7!U@80bxKG
z5C((+VL%uV2801&Ko}4PgaKhd7!U@80bxKG5C((+VL%uV2801&Ko}4PgaKhd7!U@8
z0bxKG5C((+VL%uV2801&Ko}4PgaKio%rT(kCkzM!!hkR!3<v|lfG|*D8A!D{<aX~1
z5ZqSI`GDg(_N|@c0UdR@l~egCZ?RQ1hXW4V<vCSgS8rMVTaa!}w>*9?;BCD=sDr-)
zQZvr?e}M&=<$gKJEVlgJL1y!C;2qf;;Ao!ZkD?5AcpX0tNacR>b7il8fhp5zhinIQ
z%u-%ETX~k^><u)+wGYcCf-JXZS$-O*va}%E^|51tqYZcXIl$S5+CJr}B-K%YuM)E8
z4jg2Dz6^Infh*ONX1{^V5<BN}{cPnOvK){_JM^)4<WXKbOS$vby_d>*gW1co-k^_o
zP(@Y=W-rew!7SRT8<1CdRvSt6Hrn~OgYyRcl;4p@d2MI;0%y(Md=`QVQJ#fBKj&v5
zu%q{y&cAt;XCctf`B@0et=wN(Mnk|-cG+f>dhIlGGh0rRxWMX=tpGb}t5mO}JM2;Z
z%TIZ`qvKWmmZR>DT878($f<mxE<dIGmP0_l>+-Z5%TMZZ{PEX5r+^Am?i8TE^Ybcq
z3fSNId6suDcjqUi&~qzSu;@GdoR_)Fr##iF+|jztvUJKbZQ+{}u-~$3u-xPA!H-)P
zI8E@tn9znnBN~M42pZ5JWE9S#OT5FJtrW_y2^ujbvz+~f!v?dLr)Kfe*~{s(I%HhH
ze|csDvX`TNM?aXod;!Wc8|c40Q^&HGcf|RbI+DE{#d(%z>WKgIGYQC6?(LE?2tqmJ
z<KREta&^ph{jr(yIc2#HJNWU+KOj^7C|6$l)iTJ`59mp4>|%Ltzr4#c$@N#yDW5Km
zPQa_5-lMaZHwYNsz}g-#Ag6NZr@ntvo+*6q9;3g-Rqiw&*6CY+ZSRFL{uZ?Sj*K(C
znXKohJFQb6;9K4ykMn(secG?Gi9c)oDw}wH%Dd!Ie;?m+`kx^9AA5g_Z+TYz@GV7e
zMgMo$Ve{D!Df%ARNv@T^zvfz=d4K*7lX4^fvdK?g^3O|u{NJ_g6$XR>VL%uta||@W
zFrlL!D`2=_)nN`lmp75W!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|l
zfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!
z3<v|lfG{8o2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``E5gAw?^oVPH$kVP3
zbN=UAANGQ4eejd6b<^*W4_+0K*V1%)+{*s0_|=2m3G03iNKJ|a76+sxE(qAUE5V&p
zJI8%)xkI~I0Zz>AWd(%ywLJ5BTdv3-<)dghad)QoC#)UrN?8A^Cpm6Tz?Lm*a+ERK
zIk>jvne~!&R>&vrv#0*os<L~-5By?ouIHHh3+`&UL%Lc4^Pm^=`&e$#3B$~pNnzh^
z+V%F`TeA4?4RhW<Z}ajVH^i?U^<?74ai7Jn89pv4X6B^i%^`CVH%*96SU)B?DQ4=n
zl(^t68^S+L4*&7u^|QNM^Je#OO@+;mhinHU{Rnt^L4WJ+h`v_MHKVL^{M}{H50;01
z0>|V_hy2wc`wGTD;>HP{EvcDyz9ID0!1#5eS|n|n{8e)7%sI)MgZC!K&q+&;pRH07
z!hH~-wr*Xc5;sj%ODDEbvwK!j@cAmNdv?t3VJQM-$LI94wgK~D`~Bzlww_zi&$@d3
z&-||inZIe@TJAYLtN@gWE@aYDY&rON_qNpK8QjLN8QM50dRk}L_2!iLxsdaGAVR?>
zFii(eLjGRF&pV0zr?#XlO<Onj!?ZcQ&Q1&d-bxGW=1PNniBrHyKVVrl{eWJiK_3!f
z`@h0pJilmwRnvK+vpVaz0sqZHenn*<X32N1<jp~zJ%20h=i}FoYz==tBPDLmi42)*
zd23mpg3KX%huuRr5C^K1_<1Vox4TquXA3s(f^B=U$<?2%u`k_*(GjLu&V@ew30(+B
ztoR0W;YxGQGrqT6(360L{Uv@hoD?KQAMQp!t?g*@iUCcNVy4YZiJ#-O^GuniWs$e9
z?30(M#F&|C!O*4(Ht&^t4_6lX`N}h&+w=|e8AczdC+sthK^G=r>~Qb;U-%zwENl9=
zmJ9m>7Rfjw-{ObA58%OzhFukyuwiVc<jtXfYyX}QL3z`!Ll1HR>^(Jku}X@Wp~45%
zRUxqZ**yb_L+<|SpzNs!S#$xmzXAQj%gY8^XY*cW{eT#ur&lMqEkFMZB*jkCvX5Ev
zLzATFsjE`r(YGf?(6<x0%N^y(kbN>@fuy)ODq`qW+U~>P?-}bk5tc*jM>{S8s0;K9
z^bgu6K;|jXgV&Z1v(DljQwI=BX2df7S*VzMVdq-*acf3AoD>^$%p1>Xd(Yah+j@`;
z-7uhTq$2*?k`$qKZeOcbO?yzyMGPM?AW(((cWKP;=Th_fy42j>E;XlDMvR|TFN!9A
zr|y{8(&)iv=)t3u?4+-BY#=eBL(RACjMp{+-~TqoaIpD>wD;pcW-O09<b4V@&VC?m
zYx1J>om->S-kmGefjw*0!M$tL(ZeZf+oqq?;=z`R8WE_XhI_JM$uN&177z8P$iW`9
z@FzF)1iH}&v0+cI{Tp9V1Yclu!Ndw$4-g-OVw~8Jx6Zf#I#J<$!IoXII=;u4ZUE-;
z=;PD$xDLLYv3mw!<B+-9y?uq2_u&JZ)X{@6=|>JkpE|OC<4L4xhxV>XUoo~G<Z7uU
z!vnRPjlBJ)KKii)I<aUF^}(&?LLb85LyAckGGYYAiI_`xk2>)4CzcC3QDJ?-`nhlE
zdryp>-Xtk@*6_qlQ@SN?7}ptdb>AcQ`!-?2nC}xePV9_%n;u(}7xdk~Giv7k9SdV2
z=fs1%m;Zin_X>4r-&%EO?^^Zy(XA?B$%pBS23l!R!z<-2d)p8A>V@$cOQ0Kzhj`S2
zfo|;^=nJR|MT{LX^Z;_7jd8&h)C0r?y6<DYBK^Q=mN{H=?{By)R~!7l;TO-b+~Y5{
zDw+Mx^vK~I=lzwY>hIqX`6P5=(B7?cV^@r+d1~<x*#58pZU5ARqUZv3!{`HbA>v2)
z1;h{30j&##ix*6ss37-U7%%=G?+aW6U=G1AAI|$O5BY`meMSznE`c3{&F<-n#uzPj
zPEXIaIlVmlfP=^%UN|t|VAP1p$ADc+hF6YRGOW_ZrNb+&iW(j;3Vr<7kprxDv);FA
zO?l9*?Puk%i!Xo=4@J3(9OOE+V1T6-{Aj7g+SZ{HIoN!D_fr>mEc=N0h$T(`P{=re
zz91d_K^o$KHz?Pc-&+BT2bO;w2=3zT^C0`7Hg{(HY~m*Ecj<$3mW|WKEANJ#Pg^#k
z(gRV$1H&Q*S!&&+`lnK({-+YdA4V*A7JRwO>lccs18k4+36by#9A7|&h4lw|oWS!j
zhuD=m5Cm@U{Hfgf0o<qV^WpdI;eA8?ls$PcNJmVb9yP*~4z8U@!?wXm<cU-EF<w1E
z%(v(#OKqCbT&-O`Np<=D6ZPxpA64qQJ}Rmh<c@1)(?{w8#}bSgIesWazmU-%fSX~|
zfl1$#|L4r;`=WeppWHFtGJe({-#P4~UO*QDPoiH)Pg>Jkz5dFx>YjfzR;{kDp?)6O
zM<vd?NB0H!8W;GHa}L+d(1#2?D7-&7K|Y`ZKN}q=Z}Y}xtb_jUDTnQApHJC`_b-&}
zGi1QHFKU>j;#d8so_+E@_2AvtsxF;gRbe6H)aJPlsf7bEFHnTBL0&q*a-#>FZ=yU4
z=nuR)(90S`9hmW5`5GGzdBfYUK@S!=ZJ!)5uFem?xgA5<QpSl9kE>ZT#;E^1*H$GZ
zty6y;T%wkYI9DwhYL5*HVc)r3*Iya+V9{Xjc%gtgz&T|4f$ymUIJaEP4`9wi-v{Qu
zZnbS+&xzT3pkwMn_<cV*gV-PQKk@S)QAw+Nsm)71Qy3TOIl(0u7x<G^N$u1313h4$
z#(OS+9_V-&e)1LS0M0G*^8;K%$9uu^kAAkywVsm`&dV2%>`i<Yp#1>n0yq{}Jj9Lp
zfYU2`r%v(S7$b7bm`@#`ZE$RO0&()~nm5~im@jKT6US_sX$2zgi?`*^cwhICk?@nn
zD}VOGoCD-D0HkM7_P%<+=MDMv1)3l5l@c|`x{NYE)8oQ+58dJ_3`Tx+f%g6L`?zl6
zy;HX-d)h*A^!rYZOKYBUQ1k(u)8M=TpEvRTLv0%{w&0VVWI3K!PNw|3zImzV?dO}h
z9&g*KP;$sgcC5Q3f9U(Q@5g%Ccd=Gd0VkPa{Vn{oOD!AWR!fKH6Fe5s=h%5}=llG;
zuH&q;gz9D6myL8|t^&`ZF=s%VuzB&9YOWUcwO*r)aO@e02cbJ2;BufIPy@IKI2Wi2
zT;K=Xe_s2xx19Ux)7MmG+h=wS96hUxM+J59oDAxU6qrA-64vPeKV?S*_Aej?dsA-D
zA6Qw<^TB+atB>VzHn{DtPTzgb^CD1>vwr4zyt56y=lk1s*2(smw)nO?d=TzsKqVF2
z-OB~}m<fJn{t)0qI=5$a2{<tN>x-M!X!gWe&$YYhJa9|ynHq50?8{9iJmx}xGNdf8
z1Oh3a+<rKwGSD1&510<@1{Cl+upc;N<AA+=6zNHT#}Mg{J$Os{qit?c#3K(dZKWQ6
zxP^N5u@>sz?V9WK8RX6OQ;)Pzk3QH^J<_J7dJHMIpKsq>z4%0P_1`DGcmermaqi=7
zTV@=~<J-4wp`L!!TQBQoy#}oRIn=}Lb`N>$=XIWB{g0!5)J?pAJg>=XvrZoS4C>^$
zti#mDlx@)0LHXmj_M<qS=dj-PXxp=odFwOn<~{IU*hbd>@B=s=c=BQIvCllpGPDuE
zx#>K=-GjFrd$>*OzhF}toRU`?X5T4nlY7d9vT(}f2)20~%R+#Ufm?toxyjzQ49Bzo
zsSk7lSU>AzJ4_px{spW6hC%M1KmKs5SH^U%wrhOXOV!9uSETp(q_+C%jb`fQXIiPY
z58SHm`B!Vz_WoPJ)vbE_-n(1lzFVnp-n>bT`t~|Cd*Ib-+32Qf!*7jM?8HVYesUuf
zH>r_|p3qpW`L&5!JOb-H`!`dgzq?NT@cxbJt>-C+TNLYg;GWjt_*RW}58Vpc+^Y9K
zg7m%rwopHPeLc=a{iB+yji`S!>Sf&<$2V5Xam~;luU11kT&F&IskyG>UbL0xvMyaO
z(l+<D)^(DD*Pm;tzJKo~H3IFP)vuX~9DbErjW$N3KGw~)^B#Du<)fRZxj$W{e(8Lz
z>h$)F(4m{vefQiB4qAhYTNLDt?SH5T@4xNTOHbdZ{`b_4>)YPnx@Y^gtth+y0?z?2
z0iObcfF-~mfKwJmHpj5P2hbEK@Y)le1F#>^@dxz+`C7mRz+5i|`8NQ)9y<J|i}bUM
z;}O<*+h<tYw@tUyw&|`krh7v!QhP!gsg*xBRztqIPW|VJmWtf|yL~G)zS}h_Wm-dZ
zbbdYc=YqQGSVUcQG`yZVJg=TQG&d86kw1cczoYCA9HWm#et%ef6$6f^^=_s<fAuEl
z7W~bF;1hm_ZSD8@^=jSN#_Hf4Z~Z)%*K*d+JolM;dEHIFHBy7Vz7D>km3j#J3f)!@
z-ghf><7PFfM>Dl)d?U3tw7xoqHn1%`mu)-3x*hFiU8a8Cn`w8_)GO84&eh<1Zq#z8
zU+ML69X0pI^G?P5=2ly$TXV?!!*^$YMuhv)TqC^<coA3w7`Y@Pf0ZpWEkA5imIc-W
zyAJAteisJmy#TNC1(4B~An*F(wI+Id`N+z(HcxOJ0ThrPJKj>;XI57S<}}pu<Nc>j
zZ>R=*aXsw0vHE*aU6j?=T<!^}ul9gbg53IpDL2RNgZ#<&9}!;tSTw9D{B}$A>a#7>
z+A)pQpZ5N}IL@5ouYPB}ye?(-=Yo1FW<n$N-iyuE6A!mia|T|eb&}U&Ij^nHD@3~w
zf{$b2)ztEl=csNU)KM!(S5~kal{(c@36rd}IPeEO_%~(H=aV|@lPSXh2Qr==VjpEh
zTcm9CIY@a<p=8c$I)A9g=vzbN_4-Dnrak%^Nt3;6+~Ox%b$~ws1*9|G6?~=IKf7TD
zSF}ai&7rwonUHUCSy=FVBirK(>uGzBpWIOE#BRu@F!l2sp38QoKwnq>(pde4y3Mr;
zQ>XL(c>dndM(|%X)sC3~3jEPtG{9M!&EHz2dK`c>L*7O<lrKP?(8nOX54euyNQ*`G
z=2~{0rccnRvkdLi*F#GA{{c|`ypQzV!8OwN&u);8``5s|r^9a2nVNmYl|p9e@VV*G
zF@24q*2{Jtm|Z^|_MXnVi%_2*{iY9T2tBI@`JbiYCTPyc8*$1`pC!-8=Q<vw4gmD`
zxgO_~Sz+=y=@r^%<bNgdN9?x4{$04gn$YtGe(t~UHV--ESfAInaxTy9Tz_T7SYI0I
zKLwn$f$e&<4ctpTl{}@2tphG&J4~17S5A}-bs)dT7w2(kr@k)I3xTZwegARD|8K}Y
zopBoP(O_>VeQDk>$LBXaQ+4ij+?&6)vOM#cEV@ab0)1#ey-+Dr&-SMS_fl5ivqWvX
zIP?K+bOG!G8UYQ7?XxbsVQ0`4H}4F({3aVW?+vMa)#0#4^$vwLtbaHRuv2amM^Lse
zq;^vrfAh9!)f#P`a#_7?Q>)eAHl<qqt$<Fs4Pd+8j#<^OMVxWNA=G8+(5by`>OUCT
zpuw)-D{k5`vwAb0XX<2qzIAS&UcCvgzdxjIW8GFq-K@`Chh=+$Yc}Jt_WharbfzuQ
zzJKivt@H5iklLRj9kVyIZVYsVzQFcn4d@?ELI={leSypL0eW5-Tm}H-mv93ffcuDI
z@9&F4AAIZBIK}HHR!y|(ubpJI0q(YOk0bvt<R4fw(Q3-`4=t|K3b+rr8@R`Y$uqtG
zj};9s3>|J&#(AvASr_X!`<VXoy_YTbk*In#ab6qXUjXZH*2nw<hnCdQvDBJL)(trC
z0f6mtwwLwkwyvJ&eJ>ct=G*_qjrVw<i%s{0)P4`Tunf8Y`Rjf%EqQ7ci~%y@0mjn}
z$VF~)W*KnCeT3Z(wgqsxcg(8h-W6QKy)*a<cl@-o^*C|EWNRo84MYJefn~r78_aJ6
zep70q=is8+Yk*b25@3Z7mSH>T=#mEiUNP2czG1Q}3Fj@h!Fo-dyw0+XlU<4PhgsDR
zN7nro=fwj{f#m?}WnE0UZygZaxxMAWdGmqQJRe})tkdL|A|DHMqI}|}RjC9!$Ngpl
zWL?7pyAObz1JLJZlM~8Y?g_0k1wH_M0%F1`IwsU(C~&z3hyYdrD}hL0GSCHR59oIc
zjE-QtRQdz(r0*MPU*Kcl9pEeAL*P9-{S4^`>nB+QRs5Z2Lk?qr4}cGW_w4jjd*25K
z7S-zZdsKtxmyfk>+c?Gb6V83##-~U>a%_Ky^3e-NTD1=^uJ;wrCq4l_0^YarHPUx&
z42_*0coxq81$fJ@hwc0vcpG4QS$_wD+#@Z}8V-z&+=y8M4$ZsHjWM$J9lL_AxE-;=
zCin!EIJpx00_uR#1IC0-nEk(F|4iU6TL*L>!F*}@fgdCP{>Xm=P)6U`>6b{q0H_aN
zLH>hO;=igu7UO|00LuJxfO6yZmrNo5{*eC*kbi5)cO=fGd`w*?rLKL6^05m>TD2g5
z%DJ;$2kT^A)P?VW&j9Wl89mig8Rv}yC}&gG*T}Qoybjy?EzprXBQ22powC^-Qp*F|
z*XO59t6CjCVE3NT+L#aWPzN}cW<21FllDI9gwX}+f&OL*(rkXldCk+E2R}~vlRL_#
zlbw=J+CFvQ3oZYI|D*l?X3OMbq(%pfj6Q?>``YrS{SU{vMmDU=)JePj4CP}Wf7(Cg
zPgy(lihiIIKs_Lg{Kw+l5A3>FH}!z+W}a>BNRUgUg_b|hKN8Vg`vCL<KQk_bPe_B0
zfNb@c&}sL+dCK0Y3%jx1iglJI9RNQfe+tFV4?bUWvnQn1%alF9@qnH?#rVd|4;dTx
zmA`YFdcf@iz_q*-(ozu*i2VHs9=i}PYP;Vy^P=<7?<YIu&scE(>_%$ajEjs8urHvD
z_53PQr|eDsZ+k!IkoEWNkm_srZ^7x=>yUpx<n!|XKdHpK*#D0M=<kjHH$I!G)Bm&o
z&yW9S|IZlWd%)Di{@&OBkFfiHr~hZ4;?MsVD*iL9!{2M$M-1?+Eqgs5Wast#0OwFK
zH*my`2aTMWI%5OoO_|9*&g)>mzJ|HxnMfV-XZ**$)5OoFKQ(>oXXyV2tN4Gi|7ZNi
z{+RM-n$h<o|0(+a-j4o%80!24aK-@KX8-?*qyPT~=W+~a<j=T*^6v=nI>d;WX#tG?
z#{i7=DSOsSz18(0WqiT-r4#u?TB!d2;M^u&-yd3MTn_Tr`hdCAH)4LX{)Kp8BIKD2
z7&|vIXL<ri0EPj#0HwnB+x+PJ1W%NIBCrbB0IUVp+36aj3F{|Y!+8$my8?&<)&m=X
zO-v7ZQ|{Y&bV<F(myNNm!}xwXumRZQ16;!uy>YTTG59CzqQjAO=r?wt4&ORsu%G)9
zQ8v?Vb12#q1F&7rb~4X>oOAftKDNN}-w{+z`{jw9Ef;+MrmVi-%nj=21`4s@e|epQ
zbFbpuUnPKZtp5NW1RetJ1UUDa@qC`gm$o1Hx)5jx)boS7*w+BKnC(v6{>a%X<-V%G
z`Hqx%jr7#}t18ve-Jpu)n%K*A{**qJFREgn#`vDDb6KZ4@p=Hxzd)tlZ|Y(FRqgGn
zD*4_E)Sf5w_ngp<YIb|rF5mW=ww}j&3-iOAv9`}`vo5Ux`5&|8&*uX6yl`eLh}iH>
zUSsR@3;cdB!Fhe?0CnVy`+R4c3Yy<A$qGO}@X@+SRyUwC@B@K;Iz|3_<om21Z#DaS
z)z#GwMb_z#xxLQ74~GDzHn^_~%D+?F?ytOdqV-Rl+ZX5ZeAcDwMxN>SKriH9W_yt@
z(YOhHzLx*4keUrJ1~76rDRn^SF;8@C=d9{=*rr`US8{&U`5ZvY+LpO4<8h_+2Rm{B
z?p$E{3HpfzzyyH(@I+t|Fxk#egr5&zGr@Z9ujNf!!EZ;R-<}9e044*I?Cr5g$Dw?M
z+R)<4brbcR(`?i+-qd5~SvU8we*N49X>RQ_Wrfxe%<*XX?+LBd0I|N2yGbd3-S@*c
zL{Of`>^XwcD%;{{7dY2^BE1wC4RB8P1HjA?GhXEO2ata^*#Gm8f9nGaYYl{)&0H>H
zMa~(U?GI2sO0B!GHso*S8BJ`+`U%E%?*g2cW-M7~x#pJ#J{#e&=m+XS#wPC1CV%+;
z|M57C6$%_<@Vv70GrS|c1mO6K@}jI5Z*%-*(k~$Y{*eC*w){sx-W<y@t|#;yF;d3!
zUqJq2)w-J~f6n1{_Nj~Ye+w|iCq@A!F8>`t)%7*D%((C(`1n0O{lA_Af?jM$o>E!I
zBRlQm%aS|`+E&9mQrbWLKF3~Wj7ZsM%<V${eQo*Q2Kf$$oU_dlV;}v%XDA=zkUyV0
zP_HO!*2%GGCxCiDoEG_$n<L>jX&r!^m)i0-egJ7buA#!GvS9lmwaauo$9u@n58P`$
zkX8u!@0;CF`*isBUbg(XF60FBka-VshGzj4LiW5@ANkY&(>`gFw0qjDNk51E_w(`p
zoFAg^H~oN_+xy(d{=fIBi~i-b`+wdq>|4tg^T4;$-XZtDwd_OdO#Sss%k|fy+e*A2
zVmnI94{~tY|IgT_Z|0mEK{-(un0^fT_jJU6gCTd$;}Pr!7y~lT^#dP4{-f>qk1+(F
z+tc^6Zi4Y7pGh-iEXcX!)5iOW$baf<!3WH?Wj`Zj`gyv~$2y_Y){fGk1BQ2`7X!0^
zK0ptkFVG+8mkHN6TmH9Vd^Zhp?rWnzQlcNw1L%$NP__Q%nu!0{&vUJSv##FQ9tiMS
ztbg3;<O1=%cN`c}vo*$qLy~8lqvv?cv!T=3mNR`VaBu9N>o4g4!+}s>whuzEy%gjB
ze;!|PRXxaf5fBE<_5t_J!JO`FtSLDcb2=~JJgx}~23T*HBjrBMIrJqDNKdQn;aQ))
z9{PJX`i0Ya?K3TRxxQs#4CvzeK+Fe-?7jBKIX2E05*hPt&TZJg>(6CPT=4I1*tvnr
zk>@^c>*pd!-vKrN3xUNBaE&SVtp@b-C!`{Wa$=Z}r5<M??G7+5=n8NhU>AVv!FmE*
z7r=eLmXq6-+prmcOpW}1K)wUOu_EUN&0I0}ajuBqT%y>1Ino};)5xFp{w=_H0*(`z
zQV%)-)CFP`Ao8ym@;7rtBL8wEZ{J&iJ?CWqB7a}9%Hg(;{2AwQ9Vlh*`~C;x0`dRl
zOa~xSWB-irDR=hyjP>|l8P^F=A2>E7h62+6mm?j3JdON0&YKTR1*Y3zeg-fFm<3Gb
zts@m3C?`4qS?W1<q_+bc1JK?%=Hq&BlYWgn{e%9N5>k<WIg!8IhA=<|VAGrr4#)!)
zX1#@Ig)krt2m``^Fdz&F1HynXAPfit!hkR!3<v|lfG{8o2m``^Fdz&F1HynXAPfit
z!hkR!3<v|lfG{8o2m``^Fdz&F1HwSrVL-`G7&y}mq+9rgx8t|KvT8dvPr;mAj_t!V
zuRAh#;Bd>ToVm?S#|i0r+v;ErV0HM_HrvO&+Zh$4dbd5M+}^g#wo(i95gqIu9bMiU
z?y$ElOMkU1<DR_LWwg+4j%C>w$k?`T(QY2j^490OZ8sO?9rOX2+jsbE*Y>-u+0$(z
z>6x|bT}oNk>kR+64x@>Yna6t+&N$@UPC*Ts+uj?<dE0wKndJ^f+0x^gBH|{#>fS*o
z$6eNc&T>KEsooP#rgeDtP#VgPdu4d?>kjW8IMCq^+>4fB#`bY9#g1*=!i;USgcq>4
zJMd2QHtN^)rB>I+^ZMty(74pvEYAF8Y<K+6xfEu`HrwmmW_!7P2mbKK`jKSY?!ZF)
zOnC>rm9c%;-bA^s?}*v9uXi$Y`&_Rq%#Lj7DWCG=KHDeRUdQimw%741=(cZtzSm33
zXuIPgk}Y`#n!wKQ1UdpPs}BC+cc=a<e}n;HKo}4PgaKhd7!U@80bxKG5C((+VL%uV
z28x-1*d-lZn^*L5t(y8kx&P)+Qp^l@a@_2I)Z}FW`w#E&d%vSTv|K?ySf0>sR>15Y
zR=}K|mS<k?)B8RC;uLY>#__I{_;~?awyeo^zf+&GT;V+f&OWeb<$1@CCR7=GUC#G8
z<2%buKIZi*J^$M`FP>83=Xkbl^WJyNq7I&<=*ib7#m;;ud2{gSq}W-DljFjow<Is#
z9v#(lPsE^F+rqk8(X)HFR^UEoLGC{SZ_Vvx-4W5(`+s50^@6)tZj|Zox|w~YDNWoo
z*`1OQuD>Oeuy*7{xZjV!#U|)MI`*rSg!w8paiQ9hyhN=EdQr{p5vW4DS}Lr&e}Ip}
zKsfICW7tANbFU#?wN8|(Zx$s*Pjl}&{Fl~s<X=sRo3qz@&k?wHV*W{NpG-+ycxv&O
zJJNzWS!to&-05N6U1_*~gOkV`aG#T#6X0SV^y1+aL%sj&7QVuRZT+3M|8MU);Ho&b
z{_ee(rYLGGFDQZ(yHP`oG0i+<UV5xAF`5`PF-DChcB4`h6<a`1P@-6(u>jJ0mtwHQ
zihv;9LY1P%20P#X%)JW;SfkIp_p!g<|DM^I*_m_Bl-)ZsXGYe|v!KawHeBwsBhGEI
zQUimioFQ{{R(jOU%yW^qKp}f%b$;G4>4^6yEYx0Lk?XZs_|GB>Tc?&0vM?ES<c5BP
zDveIaO+dX7PC@RENLF7vLB#zts|%@zow)w9QUiLRkI&9NAH!vb{46g!o)uh3V#SvZ
zvx+MjEbp`vi{B)$L+-jPajS|YZc(y?Uz9A~P00?rDp<6$$RZp>Ugr1F1?fZ9LqL?H
zU_^R=4xUNB@Voa{T>kVE+XtRI<}xw)pw-Bfgr#FMPwyO6oFDz|)v|MQuT|!5xLTQ;
z@P|k5>v66EbRcrMNq&y4N_I$tL{QR4%mxM5MF`59bV21_2XdVtzcSQ?k)#8}Q=!jn
z@V=q2r*Q?LAEI>8Ke>e13;BU|=*L$J+3~JIPQoT3HEyHu$H5IkV63ySF=3PH3;3@&
zx~nxy_P4A~+NKK~h-&#|J=CG357JHCCIyRHUt1^Y=zwG=J@9@4JS-tz@QzT%I6ZwG
zAV1#bp!@gLJc&}c1J!3Ol%*ExH&N{x#G{@c+o@gcw__rkG5s4B?>UksZ4p?)7R0S1
zcYU{9FXA`fQx7CR^_dJjIm$X9`ZTYd^VB*<yNl)WuN7{i-b&zCf((Re4XQxz#Jee~
zPVClWyEjc@R@PQ5Ip#-}uvviY_m>~fs`aC3AMu-&EW%N&-zKO(xUJEFJ;{xC<X`R+
zM}0g<Yz*#;Tk*aI{r4-BC)%Av?UmXt^=Ap-xgk_&*8)5GTSt~0@;*DV(}3S6Y*955
zx3TBdX>)xbpI8?K-UAKvAlHK_q=RjX3{)S#|AzSQPhM$Mj=Hi@{D-|FG<|K1qhJ?-
z_ZPlR@BF?+!G7PWMv}XN9p2VBe&2#Nk8(fs5b-G;IZaM+&(j7yvK{GzqJLqL!~+0c
zr0}(Z1bXYBlQ59viE?<n?*ol)+Jl+{&jSWP%h4YXYV-Ms0Y<%E9?@Zsjb6Nmtq${B
zrCk-hNt?w2F+kV`9Tw=Q%K{wkM&No~7V50aqFnV@>}DMn?W%qze4`EvLKwyO*E~b_
z<WFhJ@uFOH@O-_rk&m~%4%=s=#SYkMu>gBjRe-&c`K?qP|M0!n|1tWLLB^v$d8G?@
zHvu{UZAcD)<RQ68K9cjU_Xgbqroh)g5^xi!0!l}IJSh6pVXy4An_+&{X1WENIibHa
zX86l&#D@dfsE=P}-;cLsYv%N2TWx!@T`PLAUzhh{Zq~io>e+qS?5|&B<3<i(BR(3)
zKBH$qza9G$TRE#X{??_v*($`HGVZ0j;*G^~vnIXB!!{$mok*9`cSn56@B8un*{F|R
zX2U;twR-G`0c^sjmU+WJe02|WumybY0HT3nfaD-~jsa5u3*avKsqV;rpgI8QVDD$c
z2X>>d3w}cD9B-jG>wv)W{f(;s*ws^7@#BlqzSVuCf?#v0BGOE{8f_|F(}3LMSBS7P
z`?^VP)_tY1BL_*lSH2+S`dLWjb>dT8y3g~s;OUJUHAr$<+)p~aw>wX}Zd^*AryXU6
zvx8099(xmJHO)eba&5s<_9{wqeT0t0Zzj&u0{;XvU^{Re(5Eoa2C~ck2;==Is3B1E
zjdkWXEyHvBg=^^^A}b2%3?9tb)#xtlYE&0i8g9x8LvWsLJrv=-B+QIeM47T{h@0bQ
z&gm7zr?9&5>HbQ%8M_{%jz?)%;yHT0eq8yv(r~ltt5GI*E(hvWp=|DCcnU1tLs&<$
z_&c`N-n+6rmlJJRN%Cl9B=>#)Lm*u4Kb1DqyKx<4c#3V1c0TA$oZEY&FvR?JVX)bs
zMIq)_ibKt>lxTqSJ+Bvsn3V%pz&D{3{9Z*pxLOu&URo!9InIOqlj3ROmQnnIV6*Gc
zLj}bnsM9s8KwO*|Y>KmEImj)MUJ!>Bg<7y|@0L|*`$>MW1bqI3WWDGwh_>HbDBYJC
zYHwZMNil0e@B7M4&&U_)Kz0+&@KlOOw?l@9*b(Q~nG^*Z8|C`9eIeafe`JQQ{xD#8
zx=-_wxdCnal|&i8TO8GSWN~EYVW6W+B8^|q^fefi=G}a>Chmv~AN>ysLOb>?iRwHY
zaR|fU9#s@(^kSN~{yT`r(@pnnJ}T3<<&dJ_&YcT_I&}d|h~iAmo<$)h?*i7)#ZjE8
zDCPPZ+(8{B9n2!0!LJTc`NF*dxJxcM>`~|`FZH(u=n!BxumNz!*^@g`eYM9{B$)n;
z^C&lA58{o$j`D;q^G<jQGZ1Gdu<?|a=yKdc*l;nT-DhR-Cfg8a1I2}VM^Q}2FA%m0
zaojZNZUMD>5PztXuc59)Wc%nd=%5TbI0soXfy00sFqqN+eQX`jvnYQ>hHrCz)*jC1
zeH&->tpMn}-Z`f{g=OdbbiRcAi*Oz<owG#eFIknxcOluQA`YF)J0H)@J>el(LH=<F
zqqCamoQC<3-=;9ya6H23>|Z(uT0R$g!G*vM%JQ&oipxQr6m*^{&QVq1Om!vNo2od>
zoVU@!kS?#_zB=oG9_c^=ztkTPWcPl!n``v&*!2K>@jeptp8(0v&lraMOVj*xsQl?X
zYC3;{U=10kBWw!dk^CeZ$-e~hk3krnOGNU|gZ#FTe;mT*o;e`W`NgDH(gUU6D8B{4
zow<M3fo3Y4FNt=5{vf1F)p;*1S!R;|jt1mD2yp&E8%^^;bq&18@(+dE1+XJPMrX)B
z0rF#y{myg-3!TO0i26SpVKWei&iGw<+Do*9jH@93SCF61^riFp>>$4*<o^m`w$RaP
z#3kLX0c`KZ6V(9<!`aGj)7i?v9rOhZXX~Ctf9Q{PPzgCn7lcwE6lhP+fIhDLydMQ$
z-2p0}A2e8y;-l3c@=t&~bT&1eHL|cW(d@kwIL8)p<E(RWCNKx*6n}d;vO^!pOlALr
z1`A3L8d)N2Jkq1Gr*x?ed`A3&HsF`)KZQXLi!}1zR8!O4<e%xK-41g01bP8&$nR-f
zC^OC*Xmh|CSO(YtYmV&`zPNhG{NK>aTEGVNVHxfho%3%t80UMg)WoB>>wq_iKhTGI
zSJldI>Y$PT22s2h7En5<3tT_srVBcF?EX)kLhUb=2cXn|=L2^Kfa)x@-zBKW%kf_L
z0p&amZGz68Sc1OcC+K16`GDr*(Jt%}2lYZAP@VsTasbr^<g|Gmug$sERV#lNJB|ER
zcpp}vUofFq`F?Gb8kwJ%+_kyay1*+hf6%r7+BomCNC!5Me>&u!0@<mrTY$4%=R<z0
zjDTiiApbH=T&m~P-uXBu=sjhw&6U@CP5n3dR3kt2e{(4g?jI_Ry6HWx8~n=hw}X2X
zKz%lqsV(H60r{tD<fnH7$#0GF{{r%_MER4R2=>6o!~^I<@s9UC&-Zd*$2KVU%A!!y
zZS;I;c=v~DKNR;#T;Nxhza`w805`xD*oFS=2lVq){<{HJzzu!ChIIdC@1y;%M_XS7
z*aI$z`!?|d`cU#yT$DG@8@hNA-v<2sPX5p8g3P)=bD$ZZk2CC5*OR&_(f*r5_GW-S
z<X4~`7?s3!`ms2+(==czFdKe7iSLqwMvqi}1)6$*I*;$8zxTN|ke`<==wM)LS)2)d
zC(xNan}OjZKj=f3KgFjDeLj5`^17h*c{aZ&b9yh-fX=WcP9T%00q?WmehnbG>3lN!
zUZC$F-v5C<vi#3R+DFe-mJPJN{PbVo|C9Vw|Mvm>{~zdY0H50d{a-GBxjnRooI?Q8
z17RreyxdkEy=FB%@!zBYlr{B-crV_CXWoDRH|em6*Cq`#X`o31O&Vy@K$8ZVH1IeY
zc=|gL{M8()G~0>fXf|H4Rc`@9+pE|hZQAI>nDW3bAGGmFIsRVjsBd}19MTHzWg1KO
zHk!R&2Ftsg7~kUl#)H*+z#t)hPYKcmDz%DhWfN<|q-=@r2m+eTVhuF@nuzg;dpjkY
z*@OO>uBJD#ve^l`*U<7fW8BrbBxCiBlwFS+tM8xcFYOc2510Vd>=R**o2IKt15Fxe
z(m<02nl#X)fhG+!Y2b-yAmii?G5z>v@p#}k5%v>*`|(cL@Ns+2-0Z`uOGSAN`1Q0F
zM6$!c+IViu`FF6<qJkp6b21Ye%%gZM6tu1s9&cG$az@{8PUGuL0#*tl$pcv$$ooVp
z!2=S3O_}n-<t(0e=2>r(thC^1u%p}q8^dF{IZ0WmM>ZD5Y&N+Zx?0G9UBDl(%kT%*
zVm<ulupKn5n>^(BkJ`;;r$_L)>+{K;WFzJQS#FVSU{-o0%gsK*PDU+cp=-5SFzn)B
z4_MdENp_R%-(lFd%z-R?Eo(5^3CU4cuBYLSbMMXbIDgj1ChJ@{c#dFM=Llg{`FY20
zo;kR<3if=};p-Gq_|Ig|NOp}JRVWLx#~>Rel7ri<fmT8mN65j~oWV_H@l@*6A0g8@
z@A-Lue4m^BdjWKPCO_}Q+2X>p#pPvLRfV}Buup2i;>aEYwn~Y0ZSkB$*e8N-wOu0d
zF58@OIly-*%40m~oNR5Lv<wlB`n=9WIBI<q?PBN@;h?=TajV`c*w5IV@_E@d_m5=@
z&xVb0f(_NJlY3gQ1UHQ>nZ{1&F8eXa61uj=j*j@Ja^ZGkkYihdtDyDU0zrII{S@?~
z=G{T)jeKs9jc@Em5jIf@*ayMp3wA(puHucPUxbw4Z9{HtSUs5?-DAZ46JZZjWAg+%
zBH8{c0XBhTA6Z8Z;-A|*L52v}*zt8Pu*G@gx>RR<yEuNdrMUGc1HK*s>Fy-k!{`l)
zn}^(0u;Y@URh_U!2R1kY^K~1_+&3>{$2~20J!)XjMD|dCY_~+VjgheDqjU)*1KBu2
zu8`<Wddi8zdx}3zHdoxwX6b(IJl<I?f0C=vA?j!03hYDK@9qi-XlRq<E=tFL)nRA$
zw}Cy9NbwrRfgO`<ha}rIk?qkT*e*sRZH@iYZS=DY`E4ZL4%jyS4rz>U=$>p#$Tp`l
z(BjKcmYt0HjOpM!r`?3T);eU{Q%!b1kuEwc0Jc8dK8S3KG;V(f9TvP^1-m017UiPN
zg6hPPZHXc@c0^=PM0QE!FWV=1*lDvp)>_PaxmK0Gy^6Wad2VcL)34fnG3ur6;D>BQ
zh%d4g>Y%xASyvAD=>e|+UI2rw(UJH5^``amndbh#SQ)~ur+3waPX|a}jvgR6E_gxm
zTH8|!cJ3|(0sGhVlr}7SL7FwmQi2^2>|q8-tLF5TJP{{kLwCv7p$F_<`be-3l0JEV
zpfm+^&D<AYGt)~7Sl^w;@pJ4UxmopMQ^xjVpA8!zE&8teE#$R!*axqE4?7PV@Du>t
z0Zs#>fVTDc=j{dlB;WMqKXlcn@H}5(Ilw9+JKs6GuRA-wyBlm(Okv|fAX^tR^*!uv
zVDG_v9D1`v_a59&9gpIe!hXe+rF(T{dsg*fSw0rrhK2mEY0@C~pRuOwoTo`u#Kx94
zv%Ca$(O+$^aM)dsw?o)3jR9}35nrIZZy~pQk)P~;a<_^<ld?~=KIfr;O^``tMWpHV
z$|$p<q7aKhpn&X1V5?FL+mb@if|5|vD>q`ziosK1F~VV+!ov|(NO8)-O|RTMXj)tz
zVP5z78)WYS+&~<uEW#Z2I)+k)hmxi36Y|sc>$M{Ol7CZi{f4==R?M5+OVz7?<NKX}
zf3mSrE}db)<72&k^K?(qurSETFw@7-^sJZOH)%e)Q&YWlW}NqH@xhhYF5^q0ji;5y
z7|$q-F#7Pchwhh%Gc8RW{vpD@l*0?cJAZU)zwQ^Q-nt0aoe3L~_e(>~J6sO#WK<Ar
zWQ28My)Fltd{z|FbuaF(!M26$1?HXiRCERHd2n-cJ(A^7*9ybNfy)Bg23QT)VeRL-
z6kn|wwC)+}URPip=+8wlhTp@+!xlCk_6T2d)<-oH>j5czCBoOi286<`5WW&=H~<rg
zAJCe*a3#D4&#NM;ui525!@P8qJ@}<H?ze$#U?ITk1}Kk9Y253A++wPy$kR_gprkdd
zO8~OzSOlAvDd2A&)+WxwT0JYQ(Vq(cdC3P9v}Sd2s*m<mgwLgQtq5OI6m9q&)^E<j
zx>i~POX-ZGe6##osjxPY>^2D8HV5l9|3&NdF9!TWUZYQPQ~^XoWquz<2IRx#1Z@Ls
z1f0O98`k8{yn4uD3D%&lz*_uuC9y`|VNIshNe^))*5<8E_Et^Rgs-ej;NerjKi1-k
z&PZbm@D1?+TBHBc@NV3VHMc>u?wDlA^=-Kodh`LWXMrQYCZGj93;Mt^pm=mqK0ptk
z5AZ^=x56khQ2#q%{`o-t#h^nkM6{ihAO75e3*l`SgT8~c#1rAa09bN9u=x<Ir8UO0
zeKp|U&~S4e<n^IBzO7W?KSN$OT^!oQlJbXNjhuA<xEFNK^8;-IeXa(Ug0Hn_y|rdk
z9x}H<U0;EAu^Q`MXP_LcPkCakyoca`Ht{9p33sD>)Z;%*&A;h!=w1spAN(28H=ueH
zz1Ni!x}q}R-_xMa0am~)$g()qSBu)i9Nr${O@2aqo&x{5Xb)uDM7AqqC@oMGo}qLa
zlznMfSDrR>9YFk}PkNi4fejD$C-+~y<a|Np_OKp&{*vOOnpF<HgMYF)+l>C^N3@3}
z)E-bi>!JTIC~vqM)jx&Fe4-tX1i1Y<<hW;idggI2jShQ)Qhn}^_FxG9yP?1AhqYt<
zuvWTre%NzUs6BvMfexX(;C^U+ux|dL<36q&^`C?8dA$HNKz&*TECU?TPx1N>_XByt
zw}=9Ie`0l}K9BOfrVOYqE6#c=Md)8a>-H!dl-6-B0cHc%0Jm2HeIWmG`p<%bKdygJ
z1HcJz0JZ>=G;;l|`ImJDeyJ>a1O0)Q0B-9H+MwT&pJ}2`Rs+yAm4S>Vy+2v?Hl^02
zfhG++V-2VmA*l~i!eLUHHCg`&N{h9S&rMq01zJw4x<GR%Z{Q#u83t-g%fLXPCj$-D
zsYCPNFJi|mS~jNC_=`kwRS?ZLv#c^!-&f(^Da*GsyGaz+O$wJR2Xo3;%q@OzHkjv6
z5$K*t54e}(JszcXS|-3-K+QTWKI#IGrmIN<O&a*G)Ie5>k9aa{ni#gG;W)w55D4?h
zVpe)M_GeCP@W0V}sUXt)9_DFiPv$57{|ED^%AD+^nsg_lE4zNRpm|xrQG?JGf_8m*
zpXA=Rzwc9zMW-EJr<Ii!G9oiA_&4a_%()Z4UW#!uFT%WCj%F@>Kjy+_L4IzFO*}y#
z%D<wI6XCPC%(<Bd-@;z0*|cYDZg!%SacVb<+|ZVV(!Ri&{rxoaWHeV+4L;(K?|Z}p
z?T3u}8r_lK!(8W%x$*xa$#F|Mrk~v9eLmSE_F{HaFy@4hoH{Vz+9B-Gnz%(<!dzW7
z_GPWc{+oA@&mHg~g%U7dhkI|#m-4w3xEs`)`g~}{_r;%oe4g`*y%XCby=2Ur<;A%O
zY1k7r1#`I(;lK3E_xoiC_VyDcK5vNmT)wX&<_&3&#jtf^70QM0a|k{%p`)&pm+QQ?
z$`9UsQ^fp}yjNGF|G6+<$H%~<e-^B1{_gNL)tw{TRV-<n7CX94U@_afv#?#m*s&b~
zpZAmZ8|3>LZdcC_f?wKi@HWl;VSmBwBp3A_YjIBZE(^%t7V}ZYpAH*n^3S)28tt~y
zJLbI#b9YX<cQ7AU4O)#o|Ehu<wW`CM6jHF0js$;DT?un_93dLNAo6q2k@hduy1ma<
z3-fo)LUr0rZi_iP+RKmT>}a1qV}OsTlYZcChy1r-KfGTjkL@?c-=THIPP^{RZe~B4
zi^G1D7A$GI1q*lS&eqNA%NBgwp9MOp{S)20GS?-2*qm=(Wcyb4WN}-%vZKFRutVFr
zvW<&+-dZ-pggGrVc7Nl|w_hDMYQSvF-6kTx;Uhn)-7k)Km^8+c&ruf!3a#^f6?vFj
zyICG#QF1-TtmtZ#SxIH2X))%@ipwI*N(zE4ivPr%RAr=D3Fgy^%Hel8i2D^`?yVei
zTGudl_Gd+uS=GgWmMqUlI3*o@o|o;wmxt^2=|B9gb^(6G&qoYYy#B^J;_OL1R7u<P
z+NJL6`W)tj#+~-mwoUPF_DxZ=$;_fClSR3~Z6~JrsD3)-q5b2f@Q&nfT@cx6@;P6v
z=@d8FOaHB$1HD?OdKh)O5MX9m64uQ+%ezH!%3jPZ>{U$3Iv~D8^4{;l+zqdvpkHAO
zb~)yJ=3?A$KF0X0b3$7EfcYM4jJqx<jDCI&{A_4U7UQope`1ek-lViKZm!Hefa6MW
zVZI?e$EO9&ThV+E&6VsY|9f32nz<d!X^cAUDOh0)cml?MX}<~E+>q82vEP&pFsC5;
z`N{BGfidlG!6)rmWsPU}yg*)Hd)_}|ta<>=fnw}B1^G`w-mbuWfbR=-FCNIBk01I7
zBGSe_A>smz@h`~^HuxH2o>tJuY|JH5o;3Hu*P6hs1#p=$&dmEAP|aRXrduh^M;ZT=
z(*nhqxM)Lj63BlxbiNe%FG}&zo&&uv1Akvr+MqS{3i)z3s0GcNV9zO2ij(c#OdGQE
zx=8mAb0L2n;6s%8aOD3g<R4KM-{qaGpqAq>$FmmmIAbZD%pi4n*G&`iA4=?V(YmhR
zUv*<1hU*x5p#972F}^#I(yT}{<No#2NBN7;L8D>y<KF8Y`d2`HWp;>x0=nn=!yYM<
z0PLIB`8#?JWBiTgfjZcz|Gn~hkiR@u3fdm%2Jktv2R-+{7EXEqXdLs2>i2(5Pk(25
zXmsJBE|{`0jFd<i4XMJA3e4y*#3I-v3Bo|o!OW&?J7CAkY&PMb>g}x9CI%Eq%Yd_y
zi^eHvSi%IT8K-!p-VqNzqYLMhh-c!KiCE+LNcBH6HAu`kAA6US^xp;Fth6TjzG>kb
z8)rJS<?ohTj43Z>MH^sktgfsAd^g{7?W>dXTK?SSvP%8@OPTh$=cCRi?C4XBZ{`aj
ztHng{uqbSuq8+8>I=`)Q=+Ge|zDYSh@y;Tr_9{Vncz192)R?a>oeCa#G0v?S*1KWN
zqKhceH#7d17RNXU?@}5;D{J3}^Cop|rZk$|ddK3HU;C|AvhejnRfv;;<mcQOYtvNN
z&sq=rT<b}pj@q<W^{o}(wSRNK>z}pxc5L4+pN|+M{xqdmi{6&+4G48^<rw>mS=E_+
zJqlAjOv{6v&C8SbnwKBmVO|#I()~)Nw^{Mgon}(lhBjvhy!@(pmmZ^g5ijz^*jr*j
zoX*=hK{~5%AL%;(a-`nE%MmRX-a2Z!FfUZK>QY3Dmlzw_tTeLSx;$U4GZ+1Y@8xG_
zPwvUTDGu!x+Me)K{xdVE<-*J$gGE`v20vv4=+8K^M|ky&moDEou{gBrt_uOr?>PCZ
z@Mb}<Va>Nrs+W4r)0qRRW|&7GUmVlv%S#dMr=2;Vn88wB6Dz`d%HIt`@$JCN0`#sr
zLEj~S;!<RL&JW&)mcaZ&yK41KJfHVc(LR1Wjx0l6itjp}F23RPfamIl;eCy{;=lIJ
puAAP2+z)z(sK-oc+_V<uHiD323>XMPEdI^h2te4?+VHw@{||kfaxDM=

literal 0
HcmV?d00001

diff --git a/engine/hack/make/.resources-windows/docker.png b/engine/hack/make/.resources-windows/docker.png
new file mode 100644
index 0000000000000000000000000000000000000000..88df0b66dfcf0b298de8cd296b793b9220c4a914
GIT binary patch
literal 658195
zcmeI52VfLM-^S;9dgxUo6akTtgq{#WZz3H8tb`;KDWNHduM$KQ)K9@e6$LBOqzFor
zPy}pLL3-~cKzhILKbJeW9LeSS?%qA4!|l#a{mo{dow~Dn_2}&HQ^kid=HInThdzwS
zW^?PMCYOZm&Hknz@3CD5O<>HoEVnYY@QX@}`ScvozJ0G=!{aB$PZ%CQHmGa+_CaIE
z#}6GbDvq(qCl~h}*01l43av8Ernc)gGvTvt@qNmB1@&q7K|;AXb?VpfF7@=x8cR=<
z@4cgR$BxRX`<Bd9eDqPmhvj=W@O$6qxaM+=uRogp&CK`z%(?K!HzSX2&A9qc{)Yde
zuB}X2y#9bD(aUdcm&U!DCiwl>?(x#+r|;dp=fdTNZKnCu9?MF3t&goSA+MH<Wxf>|
z`BcqB&2LOL`G~I<OYFWVG4!$bw1GF<EqFne@Qy5T;+z)Uyb{W>Hd8)o_dRRVNtUp9
zex1H-iINTeD`v<g)+?9|t~>SW5tgtxbHN)j_WWlx%FC9_VL@f%W_Do1Te6i0o_)U~
z8yL#U4eho&oE;Blp<M?I?ZVdl!V>qF@?FQg{8(u3nKPbb$~V~HeYI*$X74Ou<vJw~
zh`j&Q>QdM06R8F3A~)3z?>Oywui$Z-0RtL7UT=Tbicghm7A=on*rwsm*B4Z7G_6VC
z`4p;$C3DJCX;bnh?+;kLe}A)&HU_*Ld~>^6TXV>eOZit0tQgydu?rL5I+WiaWPO!{
zmg<Dj`CmVgq#XW|?~+$DJ{Y<#u+0Xx<i^PXDPuXCj!S26I&tF4<;%yP-rer`=syR%
znLljj%ZUT>MrFMfnVXSz{<n*@r!{(UT4!bE`JI2KKJ(pU2R`wBXUOTRA9v3E#aEkK
z?MThtU59KMSijt*-etyp)M4R=DUH6XIjh|#PyYVIVQuWia}9D7QRkYnHLpa;-k1}-
z?8O*Gdbhfz22M=8n88@`miQh2*7H&%44;1Cz$ES6)_I+mJi!u%cKu`=V=r~6-LT)E
z>s#;jVywfGY4z8%t(v-{QiDYGV>?u*clhQGZuU;Q+PinQE7i^?HsP`HgP&aacDs7-
z{<Ef9{lOvswyD-6vG?$IKOGy;aA*Ht16qv@%#QZ@a!0+b)4Y{!_j#3#u5ogvY{>fq
zYklNZalwqt8auiu%Y0Bf=#QD@de`hWr)ih4KJWJn>ffbWa;x$3@b_Nmw0Ta;eXP;j
zx$kc69QN6?b-i2t>$jo(re)2mywmAx--EFe!xnyAVacL{<A1Kw>ceJBuN_=5Jn-bl
zQSJAJCSI?kX}o(>Xv00b+O2KT!28pfzt+}V>9=A}l{L?<RBV}*7IR?jBxRXt9TUBq
zDJQiHihjIpmx0d=>~XxyvY^LmHz|G6yScaGo!&d^*8Fr?x1Z~5E}gZz(vU`B?+xtI
zpw_W6AD0a&^~TKhyPMZ8Gpl{0x|?RpyRQAV-{CTcI~^X=r`C-IKQ3z0rAn<&|2P>t
za-Ampvj#y=?VE9V@#S5Y8(*$^xkmEyK8uI68TV~w-;4G7{Q1h$m9Lb#(&UOdZhoV-
z{l8h*=ghLD{Yp3e__=ngmTv6xQ}6edm2L9s!tj5lSLoX9yH#I*ex%Cqio-KT{B(Wd
z=F(?Af4s-Mg98r#b))n3dDj)Gll=VOEkAwl%whE^FRG-eG_3NZN<Yni=KIP=KB&C6
zUug5NTl23i2wV`~e_;KM_5W9X&YwP?KmB=~&#TrC>G$LE@0Xul?%O}5|6lz+{_&;0
zZ?5jtzj5D7KYIT=cSZl@i+kPbTea`7A6qVaZ~3rg@%>tV`_`bmS?WQ%p4rv2{kOfB
ztbO^?);&SKF_qU(Zct;S|B82Coz`@Bowfg*_}^>wx6IG0w&jCX%YR%N-oEkEjR&mn
zlk(Zn)|yN6$7Oyov4{7ydOyrddF%bN<?cRt@yV*+H+g1LSlkOEm(QIyci@UHD|)Z!
zd}~{?)pvea{Qb6$TL$G!3uwFd>AEk}?L6$`{i?;+`kv@}<_Di2Ds*oZk+!<w@{!+F
zUAm>ir0rvVNSgoUZ!aZ$`Aqx|XJ6lTE&H)IL-P9Njn4idt+U@i^?JYB>QjFED@Fd^
zbX<I7wUE81?)Ps0;;uIBzl;7ndftV1=4?6?`OVQz|JNz-!x4L4xK#Vn=slzNd{akV
zr$(J_-EVeJTG*%irthEpzU4D5pV|A*-~W95&#?tf7qtreuhF$d*B1S^=-e-ZpPT$#
zgN@5J{u<YH-R0-LAC$Cl>zEnOg%A2}VE^Y{T;FNc;#E%^+p=oQ52b(D)Z^10E51B7
zY}cCm8~@n&<1dxhTsf{jwR+>|jc-N|8&YxDFTbzemGtShPv6}9=Ktlj()ho3B49<e
z=c>Im;pg$?BA$&nyKw&(Nv+@fJ$3GlkYNK4lsa&{@uiJr|9W!wh{b&u9qBx*;;>B<
zrl-vOU{<%c|7tids^Oxld(Q0JcKPXvY2#kJFy(OC;zjEh?Yy(>)K5vxl13!GclxWp
zn|$@;mxCHlIJj$H`}4i89BS?R)#srj&#io`XZxPhhHbc3D<mdl&VW__t@-7<Ny{^$
z?^cXTj~f5grKn4h&CfPEJLu)Vn<xIV@0Y)N?u!5N<r(MNPpzem)lShKVm~B2AseQc
zHLdNm=jAz>Q~p<D`$w%KPQ|6KJ8`G&hf6lKE#LOzw^zM=Wyh)-!}r~uy{bmWwfXz!
z>>m*@qt{#4j~&!RUyc4?*IRydXS_FKz`LzK8as1fl|y0knoc@&y8VQ69kM&j?QnL{
zu&|!tKLtPCw0_j`hOb1PY`(e4=GJ=}4juIO(SeHxb{*C2vG9iVS2r6o>bG;bcT(QF
zxcH*)r8g?h583zP*w>ft-<dk&hYCM7EYl!jZkuOj_Gt0hy|$(5FRSq36Uk*KJ@Jvx
z>pQFM99A>rP_sibkGFrJ{^LE8yVUPK<&)cUwl;me_V10qYj9=LJ9U4Yz4aOYXU;5&
z__D&n*MdejY8A09Z2Bj2W{+#Pyhis=Hx9cw?CQ|h{#qF~V_p95V?OvL<nhlne~er|
zd!=enu+PSJ-(T<dT)qG5Yt{{m8!&YHKePS}pS$AAr~bL~_xe9i&2Ik1-LJHF%Iqw2
z;ggNuz1wX-aJ7L~x2=37d|l+Y*H8IeDzAF#-DlM+BY%B=WBt)bd#<=MVBYGtw$+)^
zedM&4cKrGFjt#Prw|x8iT$%Cat<(SAd9mlfkU{4*L}$OdxN21SS?{kdcdFvN@>7r3
zJ3aYI)%W86+`i!SXFvbAV)v%l149oFy>azy@R!dA%w0b3>b!t4{wGfU?0@drpYNol
zcRUp`@1J_7woKpHe$zMGBY)i*_ro9i|7qE}-?#lz`(^iQmUQ^chUot?#~ezk`o`Au
zCby5CdVXt0Ueq7Io$4>^-~H&&qj5Q1bJl0HUOj91jm)_@qhDOrWAwN?dliQjd74@Q
z8~@w%@6l?9TlMSn@v*0Fbq?5D{kQzZcP9n=H}miRe_!mmSZi#D*Dv45@IIIExPQdS
z*FJn><ps@=>aSHBRxRX}b_<gic3RYTVb1eIp5NT_@2Eq^Zl0Zz+xb-Wz%QCa4to9R
zlzxAVIC<mkBcBdSKJek<&lkV>R>Q2*gHL_E@r`RS`_H`+7=L$jsfia3chr7xt>xC1
z`(H@@bz<_mQ&-9k_;tX-pCVo!eRJZ?$ox-_^xV7Ui!BRRZ+c<mrlcv`HoP%3<3`ml
zo9{o9y6yG*6|~2Wei`2C%(j#%@fp8oq@Am9=B@E{^Y;I><;0}ANvpQ@-1>5An>%e!
zv_JFS(bmuBpFV!~^wd`pCoM@ibh>kfddBnv`E$}f4s5Ubc)`biz3cz(tuI?dg@<2k
zJwES7?how`#2%>gWySoj^Z#01u|mjOnMZH^xBt-mLrdo+&---y=>L6}cQf%;<)2RN
z*}3QO-~O1~IP9g=XLIiCm~?tlwY%S(3+#FMe?e30X@_U6P3wE`hn!C<fBLCbshFRV
z8`C)W6k`!BM)VsvabWjnB4Xl4H;j&r9}?Ga^60VjBFb1~>&auIV@AeJ3>p$QY{ZyW
zHSccOUNdM!Y^$0BnsyKEKDK?_@DW|6jF0O(rANP*DI;UTV{5jK@`;=rK@p6On;0E5
zdGx3;6Cx(Js;P@Nf{wX!NX;Ofmx&`=)ojZX3>w(IS5W)-@o_;-8#WD&32hV>)I7Xl
zSktD>n>T6@)F?EpNl0i|NLb_Gu<(c`O(H@=gY>3mln)(6j*lH0(WgTveR6cxs^;*C
z6URn`giM+=so|u?4dcfT3keGk4-W}#6w;_sF!>0c@cNjE(UXJ6OsG{5i6Nd2aT8+3
zj~F{~MEsZ_9&hxJ_*W;ks#%jK^uXxLHG1rWgvLzJvm=TjlcUFmgf$EeDJD?&?&gDy
z9$jR}2@^ZMMmf=!tjGi>^m~15Tu7g|3GuIvkBRH}THKh4wTj9_Y|Mjr#=bg!l#Wkq
zOi0|QxX~130%bm|$SjOCv_KvNFO-c3my0d^#1TUuR!*U?{7SLG;wFzMCK$g`5KMO~
z6x2{8-G347$Hzraj33`GK7LeG!Cm&S{Y1?tepdz6>mD65VhnFoJsBBd8t7q-Ka4M~
zL-fSBC<@y&IJ8-CXybliP3d-wXiCS;>A)zG0-q*vbf>#NHhN;TC9xFpYZ^~{?1-VS
zTNKMfpM~S--aVr0m<bc3$Hc^S?GQy}Z#ZH^Y($G@Lz)k19@Zi_u2IwI;3hHjHy7Qk
zMdRSOnC30Q!{VBShc;`ZD`er|k3`)eKIT<^D^b)1fBLcUF%<oS8zdsGNnBiPqb4!I
zjpG^*4Gs%y-Xgd~c;m*wLu0}l4{c1z#0@Q=NeLN6_DDiK$B&>VQ}ie!KfElllvvZD
zEt-T6iES1f8yhn;xJhX2kl^r`A+f>H;mu>CW1EFGj*X5sl%<Gh9!aXphzWE*y>4`$
z(cPwd_VkS#SJ>5XVbloSGh}S^_z7|RPqS4`!{6qEht7j%3J;_E6OV|F;ZL8a7=8oC
z#YTn{a($Ss2O;&rMm$=bmLVvJ-za$TX-pa(H^$uUUl5hfSMiZdh#xv}QuO$^w!`QS
zvFvZNAl||OO%sR=;m_+)Bb-nb6QW<UuOck_yK<9?cz7qr438c&EG{-G#BdWE94xE5
zf*LLS*Jb#Nee|y}GBze+X#Dum(G#OajE)`_7czFtu*i^yjt|p}eE1w{A3rL7eE0a+
zxTwaFAw@YC8H)PfdKGlPMNR0_xm{4#j_sR;g*R&!+^AugaWqE$jN;)^7eP-Py8EMb
zf9VwF5jRu+1NoC<)T=uG%^QW12?^u>>Vq0zHVrz+d{E=dra>Qu>_2A2#3*|9>oRKM
zY!r&?afA+PUwU<ni=v{LI+^<JHDYqysDT|ukX}sS&%GwRP`W^-SBeZdsMwH3SM(tZ
zZYZNyJl(URz?EJg>D@Kt!OQC-kC6w@TSp!|ERrK*HHiy}m;f<<3S8#-m|O)e6CmbK
zfy+D}ldHgG0>u0&aGB?0auv8tfS5l8F7td$t^$_{5c8+NWuA}8Rp2rKV*V7k%=0n1
z3S1^Y%%1|6c|Imrfy)Gl`BUIB&&T8{aG3xxe+pdY`IuY<E)yW;Pl3xkACs%VWdg+f
zDR7zRV{#R^On{g_1upY^Os)c#2@vzAz-69~$yMMo0b>3XxXkl0xe8n+K+K;4mw7%W
zSAoj}i1}0CGSA24DsY(qF@FkN=J}Xh1uhdH=1+mkJRg&*z-0o&{3&pm=VNjexJ-bU
zKQ)WX=izeDxG}T_bP_H0%;}f-4=of8is{m)J7ZIxpj}L+GnS>L-y4j*8p_zs!L-J7
zK4TT*KY980PR#rF?5-W!_M0qYTJj{*@_%7K00ck)1VF$_0&*+;!#fCo00@8p2<Qkv
zKyV{~00@8p2-rjb0%8+31OfpN009tyfZ!eg0T2KI5U_~=1jHt62m}Hk00JNY0l_^0
z0w4eaAYc;#2#8JC5C{Z700ck)0)l%01V8`;K)@yf5D=TNArJ_F00@8p1O)d02!H?x
zfPhT|ARsnjLm&_U0T2KI2ng;05C8!X00El_KtOE5hCm<y0w4ea5D?r0AOHd&00K4<
zfPmP94S_%a1V8`;ARxF0KmY_l00e9z00FTH8v=m<2!H?xKtOO0fB*=900`Jb00LqY
zHUt6z5C8!XfPmm0009sH0T8f>00hJ)YzPDbAOHd&00F^000JNY0w7=$0SJgq*boQ=
zKmY_l00M%000ck)1VF$h0uT_Juptl#fB*=900ad000@8p2!Mc11Rx+bVM8Dg009sH
z0SE~00T2KI5C8$22tYt=!iGQ~00JNY0uT_~10VnbAOHe35rBZ$gbjf}00ck)1Rx-|
z2S5M>KmY`6A^-ug2^#`|00@8p2tYt^4}bs&fB*>CL;wO}6E*|_0T2KI5P*Q-9smIl
z009uNi2ww|CTs`<0w4eaAOHcuJpckA00JOj69EW_P1q0!1V8`;KmY=QdjJGL00i8N
zfGi<@s_RMw6>%MFqyz#W00M4B00QDx)rrD@00@A9>j*$VT*n$IfdB}AfLjrOfVfq4
zqA(x;0wCZz0uT__u|`TD00JQ3Rs<j*ZdIKq3<!V#2)K>_1jKc$krD`i00_7h0SJg&
zRVNAq0w4eat|I^eaUE-<1Ogxc0&YbB0^(NHiNb&Y2!Md=2tYtw#~LYt00@A9TM>YO
zxK(wcFdzT|AmBOz5D?d~MoJ(60wCa41Rx-8Rh=jd2!H?xxQ+k>#C5EZ5(t0*2)Gpi
z2#8x%Ckg`sAOHfcBLD$$9c!cn0w4eaZbbkB;#Sp(!hiq>fPm`=KtNo_8YzJQ2!McF
z5rBZWRdu2;AOHd&;5q^j5ZAFrO2rUJ&`vGp3Y<Xz1Vm2&DkAzSLIyzq1VBKX1Rx;d
ztQX`81V8`;L{9($BKj&q20;J>KtP-XARywb7vu^AKmY_pPXGcU`YJ*OK>!3mK%4|1
zAmXeS<O&2p00cx&00JWVDnbT900clloCF{s;;a|s3Isp^1Vm2&0wVe<LIyzq1VBKX
z1Rx;dtQX`81V8`;L{9($BKj&q20;J>KtP-Xl-6WRCX-p?9ezPT^aQH!Od3L&3~+Hq
zzq=4s=9Y`oL~<bT2m!5D`-q!04ps?>H4(!v2uOs$Ta?f0F3xKrr3V3VF?1y7cmn9c
zay(PS2m&Ag0v<sC0^$+Xj6zyKU@3Jg@jlubdcXJix!!Gu-mSO(JX(Lg*2s_EiPg~i
znWJ}@ray0M@PJ<sa2Em)5O=9blmi4n00dl200QD-;7ASxKmY{Xg#ZM^U1}2L009sH
z0T&a1fVdbqk^=z{00DO)00D8AnnXE300cx&AVE7-^m(*8gHRExks$yGfB*=904D$e
z!F>P%AOHd&U=sldh)viK2n0X?1V8`+f_nf2KmY_lz$O9^5Sy?e5D0((2!H?t1or?4
zfB*=9fK3D-AU0t`AP@in5C8!P2<`z8009sH0h<UwKy1Q>Kp+4DAOHdo5ZnVG00JNY
z0yYtVfY^i$fj|HRKmY_FAh-uW00ck)1Z*Mz0kH`i0)YSsfB*<UKyVL$00@8p2-rjb
z0%8+31OfpN009tyfZ!eg0T2KI5U_~=1jHt62m}Hk00JNY0l_^00w4eaAYc;#nO3W{
zIG{`>v)C^@f`AkVRNt9&p7L3pY#Q0yWR+yAlI4FG7s+x{iL8d~Ewbrk{m7Ojn?d#_
zS#Ee7+*~1>OSTMIf3o+<-XrTpwjx<>!Y)LWIaqLre?dSv0@ghLi^?VcV}Sty5Ma!g
zAaH9i{B6k~3I@0Gh6DYtcM*QL_!yf&I^h-u1l*1Q1jOyC)L{im&`xz&T%wO?CFQW3
zi*uRe;`ERl2sniR`mvmX6_J7f2!Me23E10@g^_ge*D-Pk0w4eaq9gzT5oNU?Qy>5W
zARvAM5D@X#5poCuAOHfQB!H20QC5qSGqv(?BBjvU$*Gt|-<$PoxW?c}b7*_f@lS?x
z7ya&_IkasGrM2?#c{(?pa#hHS6Hda21?KWP0W6|)EdjJZT+17&fdB}AfZGs23&d@z
z(x!r3pioQ5@|A9r$Z|8S;D_-RLI~MSWcQH`BKtDg8)WB`<z_5dzR+O-+3RH6kmW6#
zLuA*G<*V?9kuAv>!W+`uK>-rU8p87xd9%rKGn_16mA91ad9p3Yb|z~`lMdNb{tua1
zWHZSQCR<V~!w|j{`Hd%=MRq1xZU&R(;eRB1oNOrBo@7suT}GB0Lz;8w_#W9VWSf&U
zlqHCcUnUD9Ab~P#FR7DyR?8MJ3vQJ(S|Dy!omLm-JawfcP$<KLlIhM1+z#qv`&I8}
ziT?b$kstn`<YvC!PonOOv4i^a`TFyce&$oxQUZB0q?xEcH-x{(&-HHC^^q;npZ}^q
zKWOAf@5E;6{hT*AnE5s2dA8n9rcpT!;g{*lwMOsfxRD=2)U)+|_URoG_2)|r9`Gv+
zfpY6Ezv-(|-7CBHQlv0BaKBU`AnsSEC=m#NfC&K-jWB<edYW3U@b*`0c9dOr39UgB
zMz)+nKy0CgFdzT|k|N-xRBn*#cl1-pWb#0@W(l=O5+qd!5oQ(wBEm{RmOuam97lkJ
z;&m^Dva)fEGA3gIYR%O0>o0$1?2cpW2tYur;|1R!00I&sK!fITAEolmqOvR_#{iXP
zB#Fq}qOQZOWC9S7k{Q7V2!Mb@2~fAycomI%n9Dwi$OwptIYPx>gMbvz23J4;1SC#C
zqfkt=qzF0@S$BDcC4S-OApr=;Ll!s!0T6H_0yOg~ipD++U-BxkWd3UP6dErXUZO{M
zct8LG@&E-6KmY{XiGWfrpJGjU_`o_%^_@#od|O)+&XfH@Ks>qjQFah;V*+Z0!s-Qs
ze5$XnQoV@=-wVy!a$`((6%7Jn7d`|A0T2))0cu6Gphbhm-zl~@n<}|nL+eKVvN(VT
zdxU^^aOI=uAmFY96f$|7J!SJ&D63Xje`UEnad<*l2#6=tGRg=79!7vxn_JU;m7q0j
zg=xykPo?fp&6!@N?l^x)04nm31&%-f1l)uGEdU9!w<vtIp^sAa9Sw?j*&CO;hKGQ-
zYt5ouAmE_{=z(921~b%-C_W9Q_)uJiEtnk<rCY@T0dcG9L}5Sx1Y|PS!I2bvm8#CP
zu%xjg<8+s}ARz8ilPCuWfPjtw&Bu*!BnrNhuSTI<>Bu<UB`yevyVNAg0RkYPBcNci
z`i@57tyBilfchXu$1C;tARtn&LF69<K%fu-YB7{6<lvwa+8gB~2Sw#J(Lg}lrYcbo
z5C8#AfV!|sIfDcVNF{28^mj(wQjHS=BGsBhzCi#4iX=b+;#1@W2RPEKthXHyjoU;4
z0dbqEL_t6R1ULcO8Byab64VN*OVfm_IxBvu#R~zET8$yUAOHep3DBe|z6Q`KhVQsY
zTm8;*O5_rZR4KtcBg>8>P>HQPJeZ<;*yJxb=PA_Y|Bz{>_fxOnl$Ft+^HV>)TMu#z
zrDJZnsjc_(c)@9j|MsZ9Gl_>aq!~)*gX!E5-cNtdBPzrHA=8E2g6OvyKOs}w$WMU_
zW6zOWI-OK9IGFi0<k>I)t2Qd9A$&V><NfP~y)qs*@?(g)AGzJ86T?iPP`w`mKZ8H~
zN|XRCEbJ`NtUEm0GObo?ain}cG>jV%Sa~>+O5y4cAM|GZ8m=+WqX&C0I{wLU?xNov
z7oy6vDU{aA!{_O|dLcLGpM(*MgU(OJGgGMk%Z(hROzyOoWB$avmzDW=QqO9aq)ynH
z=YLUUMHg04RNw{zARt)+^iG`T%*^xGXxg!Hj5E`aO59FUX{iA4(0o2a<#u)5r<t(c
zK<A}R+?;)yTSNj4$<5U-QYl5`15OSiKyTIA6qVBk(s?!&a(Ns6>*)qvSe||dp!^`<
zW(2BkxORhPOI2`Yv9j~>QZ99?6yVG>ToE_Auv|eIX@CF-NQOYZR_pW@9u1`XO9qG&
zGwSN5yAz9os6hY(K!7n4kSosSz$X;ZdJw}*J7*^++W1}F4=!2|F3H%+!+bjEaF?X@
zFp+yS<7f86Q<`#AFhw@V*v$pU%V-AF@dxRwJj|!H4t#L#nuGJiVu^85#9}O+moj#9
z!SQ@zas5F$D-XAz<1P=*U2|~IcvhTil5|Zf`AmD1Qi^hRYNR2}DUD;!PDjk~LqJ?x
zJ6u4fx;9C6fzm4^Aap*MtgEN-9;7rM3J7CdKwQmY2c@}$tg+z&Qr+0W1;=YBjfVol
z7#9#%vsg-L@_e|Rp%%y<D%1#P7fjA%PdGabvBwVq5qk|Ge;@z?RuQ0SyxXh_V7q6P
z?LqY+m!ITgDSS3!DYC{x3R!fXO7;$WwhmtmD@tRWVNqt#jWgAjx)Au3@@e`q&e5OO
zcu;13y}-{}y<0S63EHW8$KHC!9lG-ZkN5R%HS~U#K8URN1HQUWMwj_rtTX&v?`8-;
zPJiB3@8yt@p9^}oFuk8?`tzmw^DzB+Nk4pbos2v!)q9+#KR1NGU{uaSdOvOTe#Ys~
zmm2xeJ5jj`;@x3zF!O83a}B+p`$pw7gzv2{SG3;GS|dM(sB7r`%+Whc)1S9Bcqrl5
zkmt2}f6@9f^wyv6Fe>MLy;}{vpK1DY(;Mo(QJ6z|KW_U&tNgCz<mY8LyMWY>RobF7
zmY?)y%TGp<9YOYUvRlcXB%4X$lgVBn%j@NUk>&kk7s;lPzq@3Qko}2l0@=P~d6$OZ
z2F(z`s{k1Q0T6IBft>vOQ!2TFFZ6Mm(K1H=7h#s4<O@++lI=>iHQ6w-_B?BO6NTFb
zWP6b<Fw0M#po8sX*OJ{v&6S*j3$FXuo<g}Umq-Z&KmY`+Ads7%&mXK#6%dk-s}HiY
z{3P$w;<F*1CEJ^<FIi`sx|9I7!^!ei$}0MuOG3h1GA=O?5SL&^A|L<)t|XAB)qYOt
z#XB=iYJOZ+tT<gGPn#b{=?o!T(V6L$5O-<19;>s<Pwu7P_sOm$F`;Za&tM?Ld2A6g
z2!Mb<1ZW)OR90TzeP<@GmdmHhW$YxS@j6){#ly6i;pD(~E8Rz}k~XFn9eEA`aU@N|
z1p*)-8Uoq*dF!2-nS0q;6=|$R%)L0xsQkgsWB>tiCSAl00w5q50U8JSpSGBBZhJFz
zH!G8+=em5%+S+WNrT`194P=df2#7Vb;1>iyKr#fV8|y+wZZ4mx<WR$fBPq-2vxFUy
z=aDo9!nY@Ont^~g4J{%D0T2+H0Ci)%>c~9M`Vw{{Bh8UfIxDWFBp#cc6}cf^2#A3M
zen9{P+>XGV9@W-UE99ah3P$^+uxsgQe8)ydMCZ&n&Qs)Lotc0kZU~5h1b#sP1l*E9
zR(|dfM?CU*%Y(N-L~i)N%m8YA+;c@fAt0`xj5I(11Oy{Mt&nXrZt;gb8Mu>~A%#J6
zUc{j!9)H?XR%^mSK&+t!zaRhtk|aQ%5$r-!ZfzP+PR`C^_p<r6RiZajNj#RgGM5k#
zSJFmWAOHe_5TF@Z_tJ8+W327UqVW@UJ5#hf;u^D@MdI<cv4bm)At0`xj5I(11Oz8Q
zU0L6z=45|uX-4>X$MuX<C#@v0G#3{6dz-{#vPC`}><I$mV4#Q&1VBK%1a5Y(`f^%M
z_U|R-koMA|8CR)dpK-+p%!iS9Of9KA&bkf(aTZy`3j!b@N&?rrSB*@|&DmF6=J@LM
z>m(jDW>TCNF}U-cfZLOJEEF;`5D+2hBW(}>0YL~{f2K+}b!YujRN^->(phF+Zc&%S
z;<l195<=p!OXv)Vc_T2P*&uxo00B28P-g9=3QD;=#I$&Pz?{0cOr6DYewi}Dw<lRA
zmJFc<B9@v!K0p8jTtcAix=Y>sRH_SJ3S|}J1o>3m`!r=&geHaZ#6MU3l$gYWb3zM*
zQ-A>h5D+1O1g*nIhpFiyr>4jEq#y%iOjfASDb)1fD+Wbo_(#*{k^PX=<F?51rppdg
zM2xk9Jb?fRIFtZydUz{T-)R(zK+}l%7Q45^wM*g=%Hv$J-;i*KdizEQi0R#ga}WRl
zw;@2Sj_PWKVzrM_)u?crqo9a<#QZvmhqbE=odAgMJ->qNauN+LAd)Z;5J^-MG6@18
zU=0Bhj*2R|d?^V>C%H^kly)%M?_IaxLo3V{yH}_@yUA`Pn@FO;zW^mUBeMoxG4&w1
zLJOARm4`zq?F0JsdDE0n81y2mA<O4~@J?7hyTP9<H--;8`_eHNdw!k!Q<3!{%l8LO
zCCiPWY0gL8_$+pQo%_4M`ZWxq-v_4p&ZI;-X-(D;p8tUbkmbgZrXf7v35X9b^7MH=
zc-%Y<Zg?0Tmgj-TWhe_@<-|9EP>}T_%T4bKQDxQ?9MZol5BH*ff6|{D!W+`$>G5<8
z;rR<9?+@mNv*C;k{5U(Ft|3i2e87T-;bD0mcw9S(MH~8kV2H(eI;l?95WXn>hVZ;h
z+@G4PH(6ePhAswE{`@-kXDEw-A33owVsVfk=*-H)W9j!}{h1-pw$!<SzqxzKz;7wB
z7_3jzZGK2NYLIX&AmM0F!cpu@A->S#N?Hob(^|CP<01j#ag`&>8Cz=j-x6Q6ab9oF
z(C;C#2gNd`Va@ZO^8JY6H#Lkf1o#8O*zku9x5mcsP%^mjhZ462!yk&KehlJc@MG?`
zsPLxo@jn>jKN|jrWa`Ht5{9(6aGClsTr29=G&~mtZViTulxcjX{EAA`Ac}@~%>5P>
z-ZV`vaK?uJ{h0bO<!@RR<M2fto95Y;I=AFrDk^Qsy74g%wOlcSrdNfKaF{JeE{Vpq
zbc@A<zko#11OI|9(&Z=lJy3=$uX|osrXs~(0Ju$}Fczs3`IW4JfVj5mZc%b`T$?1_
z$d8(p<n-_j_|famaN%!X#)hA}nnh9F1Yc4<_yfU}hTjLq<^Y|zn#G^S8Ia;JwKgg!
z<g#fRxpE*4j+e5e41AxGt7%p(HUIU2c<=<Ct;1WP+`<q6bYbB(009t?3;`02QVN-D
zf=aG<fkY#yq}GOU!3xA9MK|_g>|VlgZxW3)CHRr-WprUlw(5{^5C8#72$WrWDNG@k
zk5bCyok%nuvqm%w@fUoPHq~13xJKcBHpGG7M+u+{>rp0f0Ra#YkN~wZno}#|1zPmi
zhFTg=(4e^Sc$n2WGl)l)^_yHRrq&0aC;?Lp0SHJjVBib_AmCgABoq~CyqnLKicl~a
zZ)MaW!6-xGVLC8vb4Co}VZ#oIeDIu)kHMHB;JE^_{A6X~(%cN2M=k}bH8p9bNBKuC
zzySn6;86lHR+_d9QPZ5La%9WUGJrr5i?U<`6f(KDBZcD8#A&{{{=*(NhzE~uGqpa>
z6%{Ys9un|e0b#5yVfgMLijt2s3MKPbna;E=IUIa|00_92fSuyOGyAb?b1co&9M)8n
zVDZaJFwe*`2!KEd1RNk9$0&)-B_xB(M8J~;qyp{$5C8%9BH#e=;6P?m_Z1%lfhmE2
zCwF0)t{5%>6)uAS2#A@0jq5y2i*%bDzBP5kdC>$sSwJjWxmq+fxPkx(h>3u1dlFh<
z&NoQ3)6ApR2j6oJ#sUJKEFi{vN?Cx4dqJz#LQwDq0xl!KH%8=pTk&5z4c~<Fb35bk
zsNkL~AXYC<%7=b<)E@^5D}DloE!lJJ7Y|<8uc-BLL;R%{PYyj<K&+lXzz67HKmY{9
zL4dC;zm}d#Te3Uk?~?a@y(f;6NhcScEFh-aW|vrNT6AHR$Os-lz!d~C=rgqZOM(u3
zsr!~%9|c>syP^PYl7`i9;m#;`c=x_l$eMm@!5K-}6{p#oH9<SouE-G>1VF%Y0;xIK
zy5@)3KT6A^<34#4<Q?mRINvut7}aE}IzJ`bQxJuU=(E3!1GBv-R)@5D*v&!hWvesl
zSpl?6mgTwMT##kc*BBksFXNWC&Hd~wcEj->GUrW@qCOZS7(;p%@-M#qNS6PK)`&tt
z_O4%bl?ZhwyNbZMsyV_x9cGoW@Ee#`#R<=a324q9WTn=9!erT=H=R<Jn@we(&Ad+i
zRTv7+bOi2XWw6_s4u84eqbM`QgqWUz{4<~{$o3+8MND}!&5I}mgn${QMLk0q+)C$_
zOfxEm^IXiua%wdw?%!hm+rMS1o9F34I)}+K4BuaOYO<n;T%MVxE3@jxdFH=!8B^TD
zj37hB@F)CDYIWSpqSl$?%@5T2IPUmpZHtkfeSDh?zL!dGeGE3NIj}8lTSAFKKq%uO
zMwt(%;{yb;wUL`M4y}HbvAYFAE1mpze9yd2{Nar9NIFi{jdQH@s`nXxkaEKxq@`DX
zz?4b6aq8YiarZhaMP*f8<DdGaZ-r79Ug=eIepOVxDuPr3ALroHtx{;*gPU^a53yQ%
zS2MZwANVLL|2gFNW>FV}aHD5lOG=l2<G7Vk`o_;jBWH0Oie)O+KocCi1+txhenP)f
zsEf<$hrLOBMV(sRg~e}X{vYjAT~vH#-S~qrVCxd5ymgUz{kMnZd;78M$DcAA#uF~e
zXiAOm-y4|EetPNB79N&T+`Gw2ub9bFBm1+Ary>c5_1wkIklzdbyMAP{oUB4wm1m~1
z(rf;YrH6H9X-&E^t;*0yFXYXwPxt~4E*^#@=7HBvv08gpk$BKOlXRJ#iRjPLO7l-M
z*lhUH^RqUGc2Gci&hb{p+hoU+HGQdnj@*7HD@r5yhtUaM4I*=tY;jFB-Um2|?Dr%j
zyfy0>v;5>Nis&_KBdg{Y!05vu76;?qFus5P!o2@Yq^}ehJs{<BmeOhf%V-cqak<}v
zu_QoTIJ}PU)rp5Z?S4t#S@vV~SW4?bEU#3>68%cS0~bf$Ri(akti<f*`vkDGrrlU(
zy$GgNs!H_l4j!`d^7IQm3jSs)(zsBKKi4vu(S9Xb`uNn1I?dUY;I=H=+v@%8_zPq$
z5)i%tmLP_nef$rfzdZA2QMF<+kxA|i>DhOxnCo^q+xua3K?Q^W@&WTivP~_Zz(s~n
zwOc_j^DOXh-plfnQ^>;%^PV2PTFKj&`C9N{5apdK%=_?m=5_K9#vhi&8Quy>i5kfA
z0?QZY#jV^G$+vYaFz=(gtRLf`2L=~h{zjhf6DUb8^7Q-6_n%GlLa~EhD6G4U^Syjo
z=2NX$#*;1G`hH2HzZcz1D{Ap;Qt#@7qx6*%#nyK|eXQqpjZk)-1lEcc$(tk|f=u0|
z=N@lm^d-xmL7~MK?BNC8trh8vo*2mr2tni@<ycLYzk*w1E|TX3WS0<7+dIgYpNyk8
z7Fv@q_ghBe%}Q(dB#B22Z*6GK9MH|8QC+p-g@IZ$8TBKnyP_k@3n=$!#1eOrr`;>y
za{3?Y=eNIKUrP^+%zEK0qhVW?Tc(O6=qQt}G4CUZI`NcI7mU3or*bWpRjV<}su{}i
z{L9!IooK?}rGfG!nr+2}qso7~Sw;Q=W`)ouR|wLHNfN!7<#_oOSFY=Hfww-K(KTLN
znv9-#{APWL>~ONxi}hIah27-bkDhrqioR@{t0V=4KyuOenyj@DjVbZ&tVFV0gnlNl
z=jqpSv;1T?^8B;q0SbKb&k|OkR*23}pS|+dC8oY|lBqBLtNXQY4!?|LS8u>F>a}3m
zK@BC_UBUbFxlpJtpCB$r8E=g_%j8t4%`)q@V41ZVF|Ec`Gr%n?4WEkab$UNdn%GAJ
z;#Ry+SQh;QU%6$gvg~U0$<||BShT95UvM4-5a9v;W4@hwkEzZdVdc;4XQeM6Cl~H&
zqoFUZ->+DM-K$!UCDU&jy=d?*FTEK`;<3nZ;>=%q*70W?f7bLN+m`HuOwh5l<}w9%
zk)Cyl)&?xjzoZ0&U_MR-nMQVSaRsu&{S1XoB)f;~-(>$I(8a&%EkD_W{QO1MLc^QW
z_gJa>H(15gJ2Xq^0zD*8(Ru~mMd^6M2Til9Jz4Nzp#J~7QWYGZhy!Be-E+!2mvutQ
zCkUv>DsR($ZZaV5fTYYvL9Mv#s&!Zv2`}fCSGtmU|4zEfXH==_;ioxwm_*|wlR0L#
zkmb3h2WM`%$5>AJ>MXZ>HL{Ph+_H~}_GN@m-Bw=yk7>^yW&y-YPHSPDVe;tjDY-%o
zmKjj)TBYNAM#;4KhbW!1^o+1Wr3&Yio^MKWsZX{s*$A?&$krw6Xv1H=-=w@>v^Qc&
z2nc~~Km{F5Hkz!fMgemvE#6<kU;TJj*EO=d`N!?uw6ax8oom|Tr+h_0cI3HPOhGrV
zf~E^9=vc+Oqp0geO?}q<SCf*YyG~&RG5ORS&!so19C{$+m8nb*g(}qDRo*oZ1`-1W
zi6{SKS0t0=zueNpQc2e3VqrlI@PTLkHl9OW8U+v0Dh?kvk*6o?rWq@5l5o=66+R7@
zk8z03a8V&a<)X^R+VTP`=(<XE$9|=04u?H2#g>(pciZXi8S2VY-nmLI8N`gHY74y9
zCzW!4mh2_H<qu@uy~P(GrIF>=`7t-VS!Zb45j4hUb8ySwRCw3a6J%?Xb=C8YzZ@?i
z`xyzzVfwYnh*m&IG<e7Cvt(Z&+tQ}eAyA0~_=7Ufzbwo54WtKT0L%CCXId{Gmaq0M
z)TN`F25LNeEI*f~j%L#vGTn#tmdv}IxaHGF`Gb-FVaqf4@qOK|wFAB-W?TRdyo)Q(
zw-n2#hbA94$oHdT8jRNx7cKE(G&9c7{UghvmL<)a<K0la4_?QCizxNY%gORzx7c!p
z%Fd^h>+T(z$;4k&I1}#1?-|{FLt{=_dePGI$s=<9lC3wy#d!KL=OO33_%FYI_<ck(
z>=g9!B}!p6ltcQzd#MQDkmVDMteRCODghzUXh?;4T5ow1&hq)L<QWD8KmY_lz-9vZ
z6q1X{2C^GTOn5h)StF=`kYLoK+(nXYLzWMWS0f7p0w4eaARs&e-gUp7>@Ko9NKlTO
zX33=j649d{UslfthFa@?c^@DQ2!H?xfPnZ3+@dV*Buk5sbfR)-&$^X%O(GC<A)(;B
z=l;HcrKSwEB_E0aU+SQ9{@|l6c|#Zw5E}t)W;V;uD7;;ZOY%q)2v|Vivus$46)s6n
zVu{$>0`cr8pj^Ji*80}w@JU`UAOHep3D9ct{L~C##Dizd+h;Gt!)y)Nb<t=_g<bJT
zGq7C#GvjY4bdy_aw7E2MiP5YS7!Uw~A_-`7^H_db!ECl7JviG@siHagif+zM#*^ds
z>=ww-=9x^T;&Z*NHrkv#n}o;egb)A(BuGG;MO{`Yv{Q)j2BNMmhmX%lHX`D#tCRJl
z^gLTYcugynd?Ard2HjXTVM8FP6G+fbHD3fnzg4;bgC52?^Y#6k4G;gq*a^puCjb>u
zD7V{+Rhx~$5L?+Hocj^r{Z@I&X-x39E0rpXX}mhRA7Sy82m+!|EU~p(bblx|45HYY
z9>RfuSPAfHRt5c5)(<K=v`l<p)7vMS#Wua?(0CD9kpw(@F0TQ}N87SlZjMbG*~opo
zm`r0+P($kY1p(<2pn(oPTFzS^qA<RGKeLgM-9?cX31k9uc^y$nYE|){tSKRWK4J(1
z0-i`fo0UUdR_Wpq4~>TQ%2xIC#JUiw%;>`6<Q2*_wpM^PFP~}Y8=Np8;4uUq43yJ6
zU9oiGDirzDb=95?ZO%7^f^iW62nYwQRDG&j6k;QEZ6@Dd83qL0p8%gYl6PMO1LdZu
zef<(hJWAX_&@>p%?IVCO5CgwC+i$Y0EStYht_Y-WXv%2-4+aF>kpORXq|;c37-t^(
z`0in&TH(79Hr#g@1F->GkwH}IUy5|M&@mrlAr_K?H>nZevki6AbHykg8ch;YtJ_MA
zsk`JCU08;iRH<gz)s001ilXTcHk1j!AYcyx-s(uB&8%ocE0!<t^xUG#p-|*9FYj>b
zy24DBqWHML4FY0-9M|k5y~$YhNiRcC-7o)RqisiFK)@XcXtQaC6(8#mW2=J$=IcFt
z{bFgi#FOs8TdHM%fEd@DT5Z?9&wN^=DBskK%ZOtTFh_u|>)>1H@|_UHGQ+B<{QCMW
zrL9Vq7Ig`3t|Nd!bYs?E{8f(KyL*#%fwOruT&7krxv!UTtR8pF;XPT}o7MK$Fn_gz
zC1>Zc6ZbRONwP5FC7}Co2X94-SvWX8AKK??RI8@qB`KYp**l010Wq!XPj?<=8R_*+
zovk^S(-)^?9{9y6Idv=as$Pl>t5=>?^nP@8{)N<RHvhky?AOcpnFxE-t*K(S^2=9|
zYxxW-TGJ$Yqw%`VyuGVq+`}<71p#pk$A_^j*!vv2fB(CO4%Q#ZlnN&I_pv^pghTkL
z6l`{jYOF~)`dp*lB;UW!l9Q8JU|=Bg4+t<gvn^MW*_;1dVVP2RU_HpS8y@g+JKDoa
z*Yzre;;B>_%*Q8)4GX_1h3rZpj}Q=N)Y9zj$t*j|-=3&FX^$)gwLBKJ3Sy1Q7KrA)
zJ$u>4pEt1U*RJUhDwRq$>5VC@dQkNTNVi>0W)uIogqFwyBCb8)qM`fFtk}D&3|JJ3
zJQ_3)r*V(J3{Lp9pMbprf<g46>OiCUvM6V3+;o4OVx0PDO(87w`+V&(55(h}B}>_t
zi@tau9z2RR?b;O*5AN2!N&xFxEs!6=xR8MEQ-SogC%!09^kW?cE^@h+`T4&9@h|`p
z&o2a|sJc)nCe!yY?c3mrcMs4UdUrQ!T74f=r(gm9j_rwT*N&Z!6uE4<vX8iNhY?R!
zDAFB{P9Q)pGkj(h-*R0vJLg(bOg>%L&wm0<*Ij0bcldEF0SHJ@y!rQTy?uTv>XJ2X
zy1_{|UmMc2ye|u+nO3|hykY&%MdIOITDkNgd4oB6<X_!kHD5KW8|c|H)(lLX`O9Zl
z6|5we;GS)M{<Em%@v$@cAa2_UKtPIPr&JE3R*2oxQgnlqV)<4=ab>l`-5>y$FI}P;
z(07ZB>B9N*?7itT*oJlMb=_N^d_0@+0d{VlEahEf7&zKbz_9V5q{cdoi|yzC6@A!z
zvau76#YI3VuIz{?H$$5zvAMf9u+&t$KTgBD4io`2z|5QDZf4483T~m~`^jcYcIo0p
z#;w8JCjkkd*;%Ei^#bEq0=kwjpIs&87Z+dOpV=!dhd7oDVskVBw{L+YXs6oAOsN`d
z_kak`f_{mwow*TZ@O!jUkQ-mWhjVx>$*8X{ZDC9%CC9$;CQH)t7(X;OTDO#3YJ(l7
z73Ax;m5pp=_uHFkv^aM>0k>BXyO8mwh_}yTyW-FX=C6dh=`W6mOhj><OUcsZrrP6=
z(>#647QmD*U!IjITSgb|RB}Oh5fw>#S<!!6RyWu|+viH!`1$Xk@6vXZbQwG-^AM1d
zDqE=>N#DwJ$VMD|0zMzrbSJa-W~y#gphBTw9lLb4sAyfEd0OZ1PF61a_inmHVc@9<
z0(^Q^dX|3YLkW(On-<B}Zx8idwJ~+Zxp)acKuW5cq0RZe(bG%vX6bd^$U5J7(M?Qx
zZa(|=^c`Jkx^{b-HE0-Ywq)TgBUsB;t#p3AIB^RbP@1Jx%tie&a$SqVT|P#m>$Zw)
zSxkxHEK&m45X;hvnUi>(Wo1^h)O$((_^yk5_eFOwK1w<Ju1!r=gLY8Nr|uL!r+3Sy
z%`7wH;bIs+KR@<#_h(r9jvZ)1fs7rzlg?sypJ%xqvf|Pq^~{BXTClqPN9fpXjGzBH
zYI*c@oAOAgAoeathk#gG*$eiypb4mZ9l3<pokWE1pg6x}b)ATCq<rxQpTnDyl0q9|
zmC`Lom&*$pyhrY4urYftvb)rU1!DmL-c>~{4Yv~xUUWWR7gMe*xCxx&1p?w6u0_ZC
z`R=tWEwx9{7j1KOClTQ-k=VNB+4Hr^GL7QVdCO_k-SySU+wAL8w^=q?9wpx}d~lq%
zIOq#cZntw7pV#i|_aTYLt0jYg4`&g8fH;e6QSr{-t6>=#Nh~MZvgt-e#ZiQt+*`wB
zUg{#Qh`@=uN)$3hhFq!MDpx39q88X=IoTP1(xa`|Wq`gUBrPlYv)Ta~7C?(VcuRwS
z5M<BIG?s;JcuTBQzPCD`Y@rj55`9b11K;4v*KaJX6#PVjxp%89LqJ?zo%8qhVJXS0
z9NCq{iy+g`*Qk6%u(t<wt<$?<zCy0NEmNwN%jJr3=`V#8>TB}(`j9d^BPB;mn_<B?
zj)0b?;Ob`TNqs7=IV60eIY0k?w87OHbKY>xH3T3auHjrbmASirqGjs63Om|=ru&$P
zAHCSSa@jg{CCO#-TxwlhlgpLcWD1>N+$*UxszrM<sTHCr$sewlOn|pEbS(~dZ=Lav
zdieUap)W%HSuz#)a0LN-1qAz<*iuVMRbQsj++<l<Mej9hOPmyjFE-3ePG@pInxRGO
zDja6`gdOUNqS;URa+xBX2D2|Sg>pLy$K3RnL;tmQEjVw1WM!miNO>HVMURWfod?E?
zs!WaMI#X-HNIb3=bs28bB!F31w$|H%ePJ}M_h))Ady%F2t6CM)<|}9(tDMg5ezKN0
zE~1;oN&ggdIdOHML}j@$nLJY_m*1n~n@lc0M8|6~UJfgIuUs3-?!EM2hup064f!&y
zNC$0fD3l9>=r*h3Gpe!+^$NN$2LdGJ<GYXkE?TiMtv#sF0&un=Nqbu$5D*)nTNGr$
zzAE%k*N~W0CI9@l9R2!}E!YH#N5X}Nu~Pid$YfGD-F~$im9inV78F{U>>l-MU1eHX
zGPNR(()BYmE^);uj8hN2mmY}C&&f{6%ge2zmGdDI7^?_S>yLL+<?{uk?%qvh42E~b
z`uWeJ!SYv(opCH40uT`K)P>vRq|-0QpA8LE{$FSruPU_yz2qMrxz1K!DA<GDZ3^jv
zf)uniXnccD!}T<yP~_5hM+|+?<7-bVx|GTb0g+N|i7>A(Y&}-SPo<hy!%x|<c7QtY
zF+YvmM^$)e?0Q-j>$3T@2y-vOEb+A)e9tr9MMcLRX*8N!wEa&6&9uTzBk~)-UI8im
zq!4*wkv-c9Y(IbXi5)jHMyX`7j+K0r)hl_cyvup3WZoneCG|;F^3|}&ioR_3jWpXc
z;Lag+T~ss$m(Qk>@`pGaQAfVMTbN4Sg$Bz#R6QL5Q95y83`9D0^+-<txO|<z0Mx#k
znHPL9H77Dp%R*IhS&)xXR*Jqg>s?x{RQjtGGL2F}6Q)X%iASO@<Zv-LgZ0>Uwvd}g
zpK#HjZ<**s!=2Y{SX#;a6P~_)6R68-wxvPfPj~|Mwm={t4ywc7PMr(P%+vlxkLfVJ
zO-DwaR!gg{^K)q%ql{c_9=Y-1(_Ff)n?FU{deH1yS-y-$(&^!@n@LNLBsrgL%d^C%
zRe961pC3`HK~9UimEN?vPbFt^H3bONC}rjSePtT8>n1~u+k2jEzwW`U5S?i7mIhh=
zp?6(PI_L(Hax@yR8_dhA4Ru)^mvS*YG4Bu%5!E`0h|i6Ty!{ou6?I*eE&d%2UoS7_
z3L&{k-=65S$-}y}4c$|Gl{i`&g>P%#s`d5zmiDuHvG4_)NriyD0)p>>IIyPMJy9c_
z#G}!rwA@n;jMi*ad3kv(IW3Ldp%0CxXJ%4+#(A&B6?`;oKn>Gb$7Zu9$%|TI%2$Tx
z)2Ctc?xpI!Bnj~_sY;bPmH7vBf_Rv4@vu{LVL73~sU@O5m7H_ri2zj{Cq!>HO8%`4
zwMxajsB4S=I@+YuTX@vQlkW8$4@1`!AJgEi3@3`PqwB*sz69-5<5MRd^QMQ7?^gO$
zXLlMccgW{DotRrhT>=4n-#VcpB>=YdGAW7TU{coKp=C6ow#H#^IQ|h14Jirl<5DRd
zH|uWG#UwWApKJDJPq^@0HE7C|ZrT)A4r+G5SU^CnPGR0Y18KlxqXoX<MFIpMAR@1%
zcYZ&%C8C0N2cfgcn<rdMc+-T7iQx-Rw&aW7bOX1aVJGfq*%I9KVQ5i?K`?Zp;Ymxv
z9YLG+%Ar=rDr$8MqE-jB(_q|%00cw=HTn9^qu+O^<THr3{>5Sx)H+e=#Y9D;@q9$y
z8gqkI7<S$)!clb+2i-?Cc&maR^Tinw?U%BqKAh&)%j+7`c=e`M#~)5h0}%^G00JTy
zdg~G%x%J4~U90-M$v@pEM#EbuN)i!+<$}VkxkV(a&fI3x58n``IJ{NCTM~v}y>LJ*
z98?`jWe)T4na+ksOm|R>h(?42ARr>Fl;W~9WYghZ9V>gUuIQ~4QCp<A+!nYSgoU?Q
zc()g~hGXs{X4iRk=&pmuQhAGk7Sw3@ejpEyx!Xh0FrRB&wV8l!klbf8Q>yrvpHgg&
z2LUBP00JV3YI>N-*iDD(gqGGEu3uWix8s$(IdLzOjoEdX(W*(^_Y7$fWWiUl%=Xuj
zXYQYigT8x7cO&b?Lh?|gS^#gKGfb`K!f{ZlML@o-BLD%hj+ZEWPfa|m&SLTtovQi<
zi6TRGW@7Exdu+}jfx5En%sYY;0gWb!c0e3S!m$iIJc|GXM8fqQv-$9%-qn0##X2rx
z4chnrxz2vQh<)F!VJ5g=l`5Tt<8AtA$1K6~f(!^k00JTicE=?ev-wEJ@N(*nHT~6&
zTd3i<>{%RBE{$1C{QVL;d^^M9Fz_f40hKC?gkuiPl6W0k=L%E@B1skkB9e-*CmSE_
zJ?eEmOM9eq72n!shYsvX#06oKv-8-f9T(Z<)NB`|h9s;epd{h&_FBjk%JEpwVKqIs
z3;+RfqiTJ5)8WaTD|x?5AMKFLEG<*~H`8<2=$#kYtqiO;Gi4*#xk{bJyfmNDEVeh;
z$W~Z(FIYv0FJTCX`0B*29L?HutV~uu+aFocySiNw2^jc7N;Vs}>ms|Cg=dw3)xZbG
z@6sZ`59mW3?+Ka@BraM45D?K;jeQv#y7kDIh_afG9`{pOw?y2&WE~dzTyhqhu=^53
z#9>4&jEMJvdU>6uPXoS5!hu;;7Gm>MZx9eSuKBO_pHTmolDoNWMeo)ch4gy0AR;cj
zIr(P+y}WkN0>Du;9ru_EQ$|t}CIA7EaOGK=^_lyQH<UB&uT9E&Rkk#YSp4w;^+|g!
zvukNNV#$(w<%4%qsWo5IjH>_9z<8>A6%M6wHUS8Tvk8kR{xQG(`&_*M)xvs#YF`m$
ztHi9_&B|qy_grD8Xw^E50|@ZehQ@0jZL9nS8y24EfEW>lhZ2B*cwoi9z30DiK|acN
zAM;guNu~H1x%q6y-`CilYj{bvsm}P=hQ{kMZK1q`wttyHp96#%+XNDUj0r$MjA?k#
zF@3N~w*5xtq-x&sw`vEdy`@lezWvo#$8NLlPTbLLg(ZbN3!X=f<_-;rucj`lX*9NR
zMezI}18zkC0^(NHX<K1t>^&Y`PA&gG`i^dC+hTBSs9jf6*!%mhv$P!AZ5O660p8M3
ztM8I%Y@%(CXHXZ_zlA;E3<MlU00QDTmXeQY$)Qu>*VFU92ri|n?=8~rju;^GLG|f>
zU1i4|y%oG60V)0JL_>3px~G0-O64pX3_l~K>?5zzB_LG+NzhJ}E_6xcocg!|cHheU
zxQ4ItxvD<m9W3FSXnpnHZT91-B>oK$&ocb0O=|UVntQu~_QC&z`lzrSrDxp%qA0CY
zRYVl<JRuWbA37a%DJ|#2x&f-jWi$#=eiQLnQU;qzTl%{7Mp|;YmIUJ}ZAP_|`lr62
z&;9-83HKk$C~g7}5OLR!XmUrb68ZkS*?sczwNpt<>IbOk`+_1eS$SIa<*{3A^_hDt
zPyeMU5oOQ%tjOj0G?;ON`lbFPyPWI_7SjYPVyq{L5Kbfj0dXQ+ca55h$*Gjwc9+s~
z{#VUg(X6(=+MD;qi@}_|pT%a=7pnffBeA{VRjN$tjyg|Mrhcc7|NcmOiEI%APvijv
z%n^Wqn4^Ph77-vpDZBetR=iTC9az;{5%id^N+q<O@Gn#?K6;zo$rRbvzFcXQN)ij@
zCF+hkKw`m#Vhst#ZHr*T69|Zi00cxtmEkT~`SIT~Wq!Yv`HHVX)~kxQyl!=0m9L*l
z?s84Z%*$uXPu<lGvh&r5E;U>z6v`~7RNSIg#c3v2kXXoeFc}HP(B|nb%?lC(0VffF
zfH(;(qAg6||NcBt>&U(AI6sA~bvcc^R%LHRDVpJ>a>X}!lc*K)_3=Aw<AwW-&)jmD
z;roIp6q(eDxJ&j5*;8Z>l1ThP?tik_rdbY43lV{U2nj$yL|7@Fl%;Wr$Eu!7&FSZ(
zkTvsD%IXBFWR**)<bi=IxtFg>rtnuOWHeyUln!XX+@vp6@ulp)6elFS)xZa@WwKoQ
z%_1R4qu={<P68pLrQEVhbbN~J5pq9(9SA+?PDNRZA^-s?iVECBM<9IFfqEn|!M;k_
z6Eyv+T28(;&|fLn<mBi3QY*%b-1y@^fIfku`v^*Au9gpeq|0TpyzG2!erBFFm$WEd
z&ScrAQ*%%JeJAq*g}6_fL)|7Z;Io~s(=4YuqANHu1Og%^;8Fn*F$ZJ~1V8`;K)}TW
zM70*c#brlwAOHd&00MRpfPmNm4?#fy1VF%(2|z$Rx%N?Z5C8!Xu!8^u#141}3IZSi
z0-j6&0^-TFkFtXR2!Mbc1Rx-Gz(Y_F009v2WC9QnPp*BG9RxrC1neLH0kH!ff`R}D
zfPg0xfPi>%?W61<00JOj2LT9(9q<qo1V8`;JedFl#FJ|uWp@RE1npE;B!e_SKp+B8
z5rM!XSr7mL5Rf_n2#C~c5cvlI5C8#z2tYst0*_=t00cll>I5JlQm;Ye9|S-E1Oy@g
z0TBp1k_7<}00F5JfPhH729bXd009sXhyVmcAn-^Q1V8`;q)q?=BJ~<X{y_i)KtLb@
z5D<aDBUumt0T7Tn0SJiHYY_Pd0T2KIfe1iA1Oks_K>!3mK<We_AX2YE<R1h;00aag
z009vQJdy<g5C8$G6M%q7y#|qg5C8!X5QqQ-L?G};76d>51f)&?0wVPqME*el1VBI_
z0uT^^z#~}@009t?IspiX)N2s=2LTWO0f7iWKm-DhWI+G~KtSpQARtn&LF69<KmY^;
zB48pQ3EHUwWdzBB00@8p2uP5CiHb<D1jsT7fB*=9fFJ}QAc9~=q96bQARv7L5D@9t
zAxZ!OAOHe_5P*OPf*py100@A9^a(&fq+f?90SJHq2na#|0wM@@Bnko`00Pn{00EJH
z9ijvv00JN&2muI)AlQ*82!H?xNS^=%MEZ4z5`X{*fPf$bARvNZN1`AA0w5rL0uT`C
z*C9#(0w4eaf)Id!2!b7nf&d7Bfb<DKK%`%XC;<q700;;|00JTib|eY{AOHf=CjbGF
zejTC&AOHd&AP4~nh#=UJC<uT62uPm*1Vs9Eh!TJR2!Mbf1Rx-SU`L`L00JN&eF6{=
z>DM7j00JNY0)h~LfCz#ei3(33K|59WOdtm!AbkQ*5$V?<N&o^N00M##fPe^s9f^Vf
z2!Md}2|z%kUxz3G2!H?x2toh?A_#UQ3IZSi0@5b{0g-+kq68oS0w5p=0SJg7*pVm*
zfB*<cp8y0z`gMpBfB*=9fFJ}QAc9~=q96bQARv7L5D@9tAxZ!OAOHe_5P*OPf*py1
z00@A9^a(&fq+f?90SJHq2na#|0wM@@Bnko`00Pn{00EJH9ijvv00JN&2muI)AlQ*8
z2!H?xNS^=%MEZ4z5`X{*fPf$bARvNZN1`AA0w5rL0uT`C*C9#(0w4eaf)Id!2!b7n
zf&d7Bfb<DKK%`%XC;<q700;;|00JTib|eY{AOHfcB9Ne+>dd5|BF?0XxIq8}K){U&
zKtSBMa#1u8009tiCIJYDGwC935C8!XaAN`x5I3$|6b%GG00f*#00QDnx`-PDKmY{X
zm;eOCjVl*L0|5{K0cR3`fH;#b;syZ_00B2900D91%0<yY00cn5nFJsp&ZLXDK>!3m
zz>Nt&K-{=;Q8W+$0T6H|0SJgQ=^}0r009tiV*(HmH?CY14Fo^{1e{3#0^&@%h#Lez
z00i8a00hL1D;Grr0T2KIXA*#bIFl~o1_2NN0XHT90deEXMbSV21VF%<1Rx;Jq>H#g
z00cn5jR`<N+_-X4G!Os*5O5{|2#7Q3B5n`>0T6Iw0uT^4u3Qui1V8`;oJjxz;!L`T
z+j;^C+NstDLI@B50l^4BMFc~Sgh2oVKtS3AARyANKja<+KmY^;BLD#r3_TJC0T2KI
zX%m2eNW1=!dk_Et5D<(21Vk|ONEie_00g8>00JWI`a|wP00cllFai(|!O$aN5C8!X
zkTwAbh_veuxd#Cd00F@WKtKdTkAy)01VBLA1Rx;Nu0P}+1V8`;1S0?e5ez*N1_2NN
z0cjI}fJnRkkb4jS0T2+300cxZ^hg*4KmY`!O#lKS?fOIRK>!3mKrjLj5W&zRVGsZT
z5Rf(j2#B=n54i^c5C8$e2tYstLyv?(00cll+5{jV(yl+`9t1!D1Oy`h0TB#65(WVf
z00C(efPhH5{*ZeR00D^-nB6gcvqZCAINMN>!aQ&W0w4eaAYdT@2#AHC;0**o00cmw
zFaZciVIDXG0T2KI5U`K{1jIs6@CE`P00JOTm;eN%Fb|x800@8p2v|q}0%9R3cmn|t
z009svOaKB>m<P^400ck)1S})~0kIGiynz4+fB*;-CIA5`%mZg200JNY0u~a0fLI6$
z-ar5ZKmY^^6M%pe=7BR1009sH0SgJp7}IJ$=+<odSD!chhKK3eu}6p1?FPU7{{_3K
AApigX

literal 0
HcmV?d00001

diff --git a/engine/hack/make/.resources-windows/docker.rc b/engine/hack/make/.resources-windows/docker.rc
new file mode 100644
index 00000000..40c645ad
--- /dev/null
+++ b/engine/hack/make/.resources-windows/docker.rc
@@ -0,0 +1,3 @@
+#define DOCKER_NAME "Docker Client"
+
+#include "common.rc"
diff --git a/engine/hack/make/.resources-windows/dockerd.rc b/engine/hack/make/.resources-windows/dockerd.rc
new file mode 100644
index 00000000..e77fc175
--- /dev/null
+++ b/engine/hack/make/.resources-windows/dockerd.rc
@@ -0,0 +1,4 @@
+#define DOCKER_NAME "Docker Engine"
+
+#include "common.rc"
+#include "event_messages.rc"
diff --git a/engine/hack/make/.resources-windows/event_messages.mc b/engine/hack/make/.resources-windows/event_messages.mc
new file mode 100644
index 00000000..980107a4
--- /dev/null
+++ b/engine/hack/make/.resources-windows/event_messages.mc
@@ -0,0 +1,39 @@
+MessageId=1
+Language=English
+%1
+.
+
+MessageId=2
+Language=English
+debug: %1
+.
+
+MessageId=3
+Language=English
+panic: %1
+.
+
+MessageId=4
+Language=English
+fatal: %1
+.
+
+MessageId=11
+Language=English
+%1 [%2]
+.
+
+MessageId=12
+Language=English
+debug: %1 [%2]
+.
+
+MessageId=13
+Language=English
+panic: %1 [%2]
+.
+
+MessageId=14
+Language=English
+fatal: %1 [%2]
+.
diff --git a/engine/hack/make/.resources-windows/resources.go b/engine/hack/make/.resources-windows/resources.go
new file mode 100644
index 00000000..b171259f
--- /dev/null
+++ b/engine/hack/make/.resources-windows/resources.go
@@ -0,0 +1,18 @@
+/*
+
+Package winresources is used to embed Windows resources into docker.exe.
+These resources are used to provide
+
+    * Version information
+    * An icon
+    * A Windows manifest declaring Windows version support
+
+The resource object files are generated in hack/make/.go-autogen from
+source files in hack/make/.resources-windows. This occurs automatically
+when you run hack/make.sh.
+
+These object files are picked up automatically by go build when this package
+is included.
+
+*/
+package winresources
diff --git a/engine/hack/make/README.md b/engine/hack/make/README.md
new file mode 100644
index 00000000..3d069fa1
--- /dev/null
+++ b/engine/hack/make/README.md
@@ -0,0 +1,16 @@
+This directory holds scripts called by `make.sh` in the parent directory.
+
+Each script is named after the bundle it creates.
+They should not be called directly - instead, pass it as argument to make.sh, for example:
+
+```
+./hack/make.sh binary ubuntu
+
+# Or to run all default bundles:
+./hack/make.sh
+```
+
+To add a bundle:
+
+* Create a shell-compatible file here
+* Add it to $DEFAULT_BUNDLES in make.sh
diff --git a/engine/hack/make/binary b/engine/hack/make/binary
new file mode 100644
index 00000000..eab69bb0
--- /dev/null
+++ b/engine/hack/make/binary
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+rm -rf "$DEST"
+
+# This script exists as backwards compatibility for CI
+(
+	DEST="${DEST}-daemon"
+	ABS_DEST="${ABS_DEST}-daemon"
+	. hack/make/binary-daemon
+)
diff --git a/engine/hack/make/binary-daemon b/engine/hack/make/binary-daemon
new file mode 100644
index 00000000..f6816363
--- /dev/null
+++ b/engine/hack/make/binary-daemon
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -e
+
+copy_binaries() {
+	local dir="$1"
+	local hash="$2"
+	# Add nested executables to bundle dir so we have complete set of
+	# them available, but only if the native OS/ARCH is the same as the
+	# OS/ARCH of the build target
+	if [ "$(go env GOOS)/$(go env GOARCH)" != "$(go env GOHOSTOS)/$(go env GOHOSTARCH)" ]; then
+		return
+	fi
+	if [ ! -x /usr/local/bin/docker-runc ]; then
+		return
+	fi
+	echo "Copying nested executables into $dir"
+	for file in containerd containerd-shim containerd-ctr runc init proxy; do
+		cp -f `which "docker-$file"` "$dir/"
+		if [ "$hash" == "hash" ]; then
+			hash_files "$dir/docker-$file"
+		fi
+	done
+}
+
+[ -z "$KEEPDEST" ] && rm -rf "$DEST"
+source "${MAKEDIR}/.binary"
+copy_binaries "$DEST" 'hash'
diff --git a/engine/hack/make/build-integration-test-binary b/engine/hack/make/build-integration-test-binary
new file mode 100755
index 00000000..bbd5a22b
--- /dev/null
+++ b/engine/hack/make/build-integration-test-binary
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# required by `make build-integration-cli-on-swarm`
+set -e
+
+source hack/make/.integration-test-helpers
+
+build_test_suite_binaries
diff --git a/engine/hack/make/cross b/engine/hack/make/cross
new file mode 100644
index 00000000..85dd3c63
--- /dev/null
+++ b/engine/hack/make/cross
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -e
+
+# if we have our linux/amd64 version compiled, let's symlink it in
+if [ -x "$DEST/../binary-daemon/dockerd-$VERSION" ]; then
+	arch=$(go env GOHOSTARCH)
+	mkdir -p "$DEST/linux/${arch}"
+	(
+		cd "$DEST/linux/${arch}"
+		ln -sf ../../../binary-daemon/* ./
+	)
+	echo "Created symlinks:" "$DEST/linux/${arch}/"*
+fi
+
+DOCKER_CROSSPLATFORMS=${DOCKER_CROSSPLATFORMS:-"linux/amd64 windows/amd64"}
+
+for platform in $DOCKER_CROSSPLATFORMS; do
+	(
+		export KEEPDEST=1
+		export DEST="$DEST/$platform" # bundles/VERSION/cross/GOOS/GOARCH/docker-VERSION
+		export GOOS=${platform%/*}
+		export GOARCH=${platform##*/}
+
+		echo "Cross building: $DEST"
+		mkdir -p "$DEST"
+		ABS_DEST="$(cd "$DEST" && pwd -P)"
+		source "${MAKEDIR}/binary-daemon"
+	)
+done
diff --git a/engine/hack/make/dynbinary b/engine/hack/make/dynbinary
new file mode 100644
index 00000000..981e505e
--- /dev/null
+++ b/engine/hack/make/dynbinary
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+# This script exists as backwards compatibility for CI
+(
+
+    DEST="${DEST}-daemon"
+    ABS_DEST="${ABS_DEST}-daemon"
+    . hack/make/dynbinary-daemon
+)
diff --git a/engine/hack/make/dynbinary-daemon b/engine/hack/make/dynbinary-daemon
new file mode 100644
index 00000000..d1c0070e
--- /dev/null
+++ b/engine/hack/make/dynbinary-daemon
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+(
+	export IAMSTATIC='false'
+	export LDFLAGS_STATIC_DOCKER=''
+	export BUILDFLAGS=( "${BUILDFLAGS[@]/netgo /}" ) # disable netgo, since we don't need it for a dynamic binary
+	export BUILDFLAGS=( "${BUILDFLAGS[@]/static_build /}" ) # we're not building a "static" binary here
+	source "${MAKEDIR}/.binary"
+)
diff --git a/engine/hack/make/install-binary b/engine/hack/make/install-binary
new file mode 100644
index 00000000..f6a4361f
--- /dev/null
+++ b/engine/hack/make/install-binary
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -e
+rm -rf "$DEST"
+
+install_binary() {
+	local file="$1"
+	local target="${DOCKER_MAKE_INSTALL_PREFIX:=/usr/local}/bin/"
+	if [ "$(go env GOOS)" == "linux" ]; then
+		echo "Installing $(basename $file) to ${target}"
+		mkdir -p "$target"
+		cp -f -L "$file" "$target"
+	else
+		echo "Install is only supported on linux"
+		return 1
+	fi
+}
+
+(
+	DEST="$(dirname $DEST)/binary-daemon"
+	source "${MAKEDIR}/.binary-setup"
+	install_binary "${DEST}/${DOCKER_DAEMON_BINARY_NAME}"
+	install_binary "${DEST}/${DOCKER_RUNC_BINARY_NAME}"
+	install_binary "${DEST}/${DOCKER_CONTAINERD_BINARY_NAME}"
+	install_binary "${DEST}/${DOCKER_CONTAINERD_CTR_BINARY_NAME}"
+	install_binary "${DEST}/${DOCKER_CONTAINERD_SHIM_BINARY_NAME}"
+	install_binary "${DEST}/${DOCKER_PROXY_BINARY_NAME}"
+	install_binary "${DEST}/${DOCKER_INIT_BINARY_NAME}"
+)
diff --git a/engine/hack/make/run b/engine/hack/make/run
new file mode 100644
index 00000000..32542802
--- /dev/null
+++ b/engine/hack/make/run
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -e
+rm -rf "$DEST"
+
+if ! command -v dockerd &> /dev/null; then
+	echo >&2 'error: binary-daemon or dynbinary-daemon must be run before run'
+	false
+fi
+
+DOCKER_GRAPHDRIVER=${DOCKER_GRAPHDRIVER:-vfs}
+DOCKER_USERLANDPROXY=${DOCKER_USERLANDPROXY:-true}
+
+# example usage: DOCKER_STORAGE_OPTS="dm.basesize=20G,dm.loopdatasize=200G"
+storage_params=""
+if [ -n "$DOCKER_STORAGE_OPTS" ]; then
+	IFS=','
+	for i in ${DOCKER_STORAGE_OPTS}; do
+		storage_params="--storage-opt $i $storage_params"
+	done
+	unset IFS
+fi
+
+
+listen_port=2375
+if [ -n "$DOCKER_PORT" ]; then
+	IFS=':' read -r -a ports <<< "$DOCKER_PORT"
+	listen_port="${ports[-1]}"
+fi
+
+extra_params="$DOCKERD_ARGS"
+if [ "$DOCKER_REMAP_ROOT" ]; then
+	extra_params="$extra_params --userns-remap $DOCKER_REMAP_ROOT"
+fi
+
+args="--debug \
+	--host tcp://0.0.0.0:${listen_port} --host unix:///var/run/docker.sock \
+	--storage-driver "$DOCKER_GRAPHDRIVER" \
+	--userland-proxy="$DOCKER_USERLANDPROXY" \
+	$storage_params \
+	$extra_params"
+
+echo dockerd $args
+exec dockerd $args
diff --git a/engine/hack/make/test-docker-py b/engine/hack/make/test-docker-py
new file mode 100644
index 00000000..b30879e3
--- /dev/null
+++ b/engine/hack/make/test-docker-py
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -e
+
+source hack/make/.integration-test-helpers
+
+# subshell so that we can export PATH without breaking other things
+(
+	bundle .integration-daemon-start
+
+	dockerPy='/docker-py'
+	[ -d "$dockerPy" ] || {
+		dockerPy="$DEST/docker-py"
+		git clone https://github.com/docker/docker-py.git "$dockerPy"
+	}
+
+	# exporting PYTHONPATH to import "docker" from our local docker-py
+	test_env PYTHONPATH="$dockerPy" py.test --junitxml="$DEST/results.xml" "$dockerPy/tests/integration"
+
+	bundle .integration-daemon-stop
+) 2>&1 | tee -a "$DEST/test.log"
diff --git a/engine/hack/make/test-integration b/engine/hack/make/test-integration
new file mode 100755
index 00000000..c807cd49
--- /dev/null
+++ b/engine/hack/make/test-integration
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -e -o pipefail
+
+source hack/make/.integration-test-helpers
+
+(
+	build_test_suite_binaries
+	bundle .integration-daemon-start
+	bundle .integration-daemon-setup
+
+	local testexit=0
+	( repeat run_test_integration ) || testexit=$?
+
+	# Always run cleanup, even if the subshell fails
+	bundle .integration-daemon-stop
+	cleanup_test_suite_binaries
+	error_on_leaked_containerd_shims
+
+	exit $testexit
+
+) 2>&1 | tee -a "$DEST/test.log"
diff --git a/engine/hack/make/test-integration-cli b/engine/hack/make/test-integration-cli
new file mode 100755
index 00000000..480851e7
--- /dev/null
+++ b/engine/hack/make/test-integration-cli
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+echo "WARNING: test-integration-cli is DEPRECATED. Use test-integration." >&2
+
+# TODO: remove this and exit 1 once CI has changed to use test-integration
+bundle test-integration
diff --git a/engine/hack/make/test-integration-shell b/engine/hack/make/test-integration-shell
new file mode 100644
index 00000000..bcfa4682
--- /dev/null
+++ b/engine/hack/make/test-integration-shell
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+bundle .integration-daemon-start
+bundle .integration-daemon-setup
+
+export ABS_DEST
+bash +e
+
+bundle .integration-daemon-stop
diff --git a/engine/hack/test/e2e-run.sh b/engine/hack/test/e2e-run.sh
new file mode 100755
index 00000000..122d58f8
--- /dev/null
+++ b/engine/hack/test/e2e-run.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -e -u -o pipefail
+
+ARCH=$(uname -m)
+if [ "$ARCH" == "x86_64" ]; then
+  ARCH="amd64"
+fi
+
+export DOCKER_ENGINE_GOARCH=${DOCKER_ENGINE_GOARCH:-${ARCH}}
+
+# Set defaults
+: ${TESTFLAGS:=}
+: ${TESTDEBUG:=}
+
+integration_api_dirs=${TEST_INTEGRATION_DIR:-"$(
+	find /tests/integration -type d |
+	grep -vE '(^/tests/integration($|/internal)|/testdata)')"}
+
+run_test_integration() {
+	[[ "$TESTFLAGS" != *-check.f* ]] && run_test_integration_suites
+	run_test_integration_legacy_suites
+}
+
+run_test_integration_suites() {
+	local flags="-test.v -test.timeout=${TIMEOUT:-10m} $TESTFLAGS"
+	for dir in $integration_api_dirs; do
+		if ! (
+			cd $dir
+			echo "Running $PWD"
+			test_env ./test.main $flags
+		); then exit 1; fi
+	done
+}
+
+run_test_integration_legacy_suites() {
+	(
+		flags="-check.v -check.timeout=${TIMEOUT:-200m} -test.timeout=360m $TESTFLAGS"
+		cd /tests/integration-cli
+		echo "Running $PWD"
+		test_env ./test.main $flags
+	)
+}
+
+# use "env -i" to tightly control the environment variables that bleed into the tests
+test_env() {
+	(
+		set -e +u
+		[ -n "$TESTDEBUG" ] && set -x
+		env -i \
+			DOCKER_API_VERSION="$DOCKER_API_VERSION" \
+			DOCKER_INTEGRATION_DAEMON_DEST="$DOCKER_INTEGRATION_DAEMON_DEST" \
+			DOCKER_TLS_VERIFY="$DOCKER_TEST_TLS_VERIFY" \
+			DOCKER_CERT_PATH="$DOCKER_TEST_CERT_PATH" \
+			DOCKER_ENGINE_GOARCH="$DOCKER_ENGINE_GOARCH" \
+			DOCKER_GRAPHDRIVER="$DOCKER_GRAPHDRIVER" \
+			DOCKER_USERLANDPROXY="$DOCKER_USERLANDPROXY" \
+			DOCKER_HOST="$DOCKER_HOST" \
+			DOCKER_REMAP_ROOT="$DOCKER_REMAP_ROOT" \
+			DOCKER_REMOTE_DAEMON="$DOCKER_REMOTE_DAEMON" \
+			DOCKERFILE="$DOCKERFILE" \
+			GOPATH="$GOPATH" \
+			GOTRACEBACK=all \
+			HOME="$ABS_DEST/fake-HOME" \
+			PATH="$PATH" \
+			TEMP="$TEMP" \
+			TEST_CLIENT_BINARY="$TEST_CLIENT_BINARY" \
+			"$@"
+	)
+}
+
+sh /scripts/ensure-emptyfs.sh
+run_test_integration
diff --git a/engine/hack/test/unit b/engine/hack/test/unit
new file mode 100755
index 00000000..d0e85f1a
--- /dev/null
+++ b/engine/hack/test/unit
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+#
+# Run unit tests
+#
+# TESTFLAGS - add additional test flags. Ex:
+#
+#   TESTFLAGS="-v -run TestBuild" hack/test/unit
+#
+# TESTDIRS - run tests for specified packages. Ex:
+#
+#    TESTDIRS="./pkg/term" hack/test/unit
+#
+set -eu -o pipefail
+
+TESTFLAGS+=" -test.timeout=${TIMEOUT:-5m}"
+BUILDFLAGS=( -tags "netgo seccomp libdm_no_deferred_remove" )
+TESTDIRS="${TESTDIRS:-"./..."}"
+
+exclude_paths="/vendor/|/integration"
+pkg_list=$(go list $TESTDIRS | grep -vE "($exclude_paths)")
+
+# install test dependencies once before running tests for each package. This
+# significantly reduces the runtime.
+go test -i "${BUILDFLAGS[@]}" $pkg_list
+
+for pkg in $pkg_list; do
+    go test "${BUILDFLAGS[@]}" \
+        -cover \
+        -coverprofile=profile.out \
+        -covermode=atomic \
+        $TESTFLAGS \
+        "${pkg}"
+
+    if test -f profile.out; then
+        cat profile.out >> coverage.txt
+        rm profile.out
+    fi
+done
diff --git a/engine/hack/validate/.swagger-yamllint b/engine/hack/validate/.swagger-yamllint
new file mode 100644
index 00000000..2f00cb66
--- /dev/null
+++ b/engine/hack/validate/.swagger-yamllint
@@ -0,0 +1,4 @@
+extends: default
+rules:
+  document-start: disable
+  line-length: disable
diff --git a/engine/hack/validate/.validate b/engine/hack/validate/.validate
new file mode 100644
index 00000000..32cb6b6d
--- /dev/null
+++ b/engine/hack/validate/.validate
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+
+if [ -z "$VALIDATE_UPSTREAM" ]; then
+	# this is kind of an expensive check, so let's not do this twice if we
+	# are running more than one validate bundlescript
+
+	VALIDATE_REPO='https://github.com/docker/docker.git'
+	VALIDATE_BRANCH='master'
+
+	VALIDATE_HEAD="$(git rev-parse --verify HEAD)"
+
+	git fetch -q "$VALIDATE_REPO" "refs/heads/$VALIDATE_BRANCH"
+	VALIDATE_UPSTREAM="$(git rev-parse --verify FETCH_HEAD)"
+
+	VALIDATE_COMMIT_LOG="$VALIDATE_UPSTREAM..$VALIDATE_HEAD"
+	VALIDATE_COMMIT_DIFF="$VALIDATE_UPSTREAM...$VALIDATE_HEAD"
+
+	validate_diff() {
+		if [ "$VALIDATE_UPSTREAM" != "$VALIDATE_HEAD" ]; then
+			git diff "$VALIDATE_COMMIT_DIFF" "$@"
+		fi
+	}
+	validate_log() {
+		if [ "$VALIDATE_UPSTREAM" != "$VALIDATE_HEAD" ]; then
+			git log "$VALIDATE_COMMIT_LOG" "$@"
+		fi
+	}
+fi
diff --git a/engine/hack/validate/all b/engine/hack/validate/all
new file mode 100755
index 00000000..9d95c2d2
--- /dev/null
+++ b/engine/hack/validate/all
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+#
+# Run all validation
+
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+. $SCRIPTDIR/default
+. $SCRIPTDIR/vendor
diff --git a/engine/hack/validate/changelog-date-descending b/engine/hack/validate/changelog-date-descending
new file mode 100755
index 00000000..b9c3368c
--- /dev/null
+++ b/engine/hack/validate/changelog-date-descending
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+changelogFile=${1:-CHANGELOG.md}
+
+if [ ! -r "$changelogFile" ]; then
+  echo "Unable to read file $changelogFile" >&2
+  exit 1
+fi
+
+grep -e '^## ' "$changelogFile" | awk '{print$3}' | sort -c -r || exit 2
+
+echo "Congratulations!  Changelog $changelogFile dates are in descending order."
diff --git a/engine/hack/validate/changelog-well-formed b/engine/hack/validate/changelog-well-formed
new file mode 100755
index 00000000..6c7ce1a1
--- /dev/null
+++ b/engine/hack/validate/changelog-well-formed
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+changelogFile=${1:-CHANGELOG.md}
+
+if [ ! -r "$changelogFile" ]; then
+  echo "Unable to read file $changelogFile" >&2
+  exit 1
+fi
+
+changelogWellFormed=1
+
+# e.g. "## 1.12.3 (2016-10-26)"
+VER_LINE_REGEX='^## [0-9]+\.[0-9]+\.[0-9]+(-ce)? \([0-9]+-[0-9]+-[0-9]+\)$'
+while read -r line; do
+  if ! [[ "$line" =~ $VER_LINE_REGEX ]]; then
+    echo "Malformed changelog $changelogFile line \"$line\"" >&2
+    changelogWellFormed=0
+  fi
+done < <(grep '^## ' $changelogFile)
+
+if [[ "$changelogWellFormed" == "1" ]]; then
+  echo "Congratulations!  Changelog $changelogFile is well-formed."
+else
+  exit 2
+fi
diff --git a/engine/hack/validate/dco b/engine/hack/validate/dco
new file mode 100755
index 00000000..f3910016
--- /dev/null
+++ b/engine/hack/validate/dco
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source "${SCRIPTDIR}/.validate"
+
+adds=$(validate_diff --numstat | awk '{ s += $1 } END { print s }')
+dels=$(validate_diff --numstat | awk '{ s += $2 } END { print s }')
+#notDocs="$(validate_diff --numstat | awk '$3 !~ /^docs\// { print $3 }')"
+
+: ${adds:=0}
+: ${dels:=0}
+
+# "Username may only contain alphanumeric characters or dashes and cannot begin with a dash"
+githubUsernameRegex='[a-zA-Z0-9][a-zA-Z0-9-]+'
+
+# https://github.com/docker/docker/blob/master/CONTRIBUTING.md#sign-your-work
+dcoPrefix='Signed-off-by:'
+dcoRegex="^(Docker-DCO-1.1-)?$dcoPrefix ([^<]+) <([^<>@]+@[^<>]+)>( \\(github: ($githubUsernameRegex)\\))?$"
+
+check_dco() {
+	grep -qE "$dcoRegex"
+}
+
+if [ $adds -eq 0 -a $dels -eq 0 ]; then
+	echo '0 adds, 0 deletions; nothing to validate! :)'
+else
+	commits=( $(validate_log --format='format:%H%n') )
+	badCommits=()
+	for commit in "${commits[@]}"; do
+		if [ -z "$(git log -1 --format='format:' --name-status "$commit")" ]; then
+			# no content (ie, Merge commit, etc)
+			continue
+		fi
+		if ! git log -1 --format='format:%B' "$commit" | check_dco; then
+			badCommits+=( "$commit" )
+		fi
+	done
+	if [ ${#badCommits[@]} -eq 0 ]; then
+		echo "Congratulations!  All commits are properly signed with the DCO!"
+	else
+		{
+			echo "These commits do not have a proper '$dcoPrefix' marker:"
+			for commit in "${badCommits[@]}"; do
+				echo " - $commit"
+			done
+			echo
+			echo 'Please amend each commit to include a properly formatted DCO marker.'
+			echo
+			echo 'Visit the following URL for information about the Docker DCO:'
+			echo ' https://github.com/docker/docker/blob/master/CONTRIBUTING.md#sign-your-work'
+			echo
+		} >&2
+		false
+	fi
+fi
diff --git a/engine/hack/validate/default b/engine/hack/validate/default
new file mode 100755
index 00000000..8ec97887
--- /dev/null
+++ b/engine/hack/validate/default
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+# Run default validation, exclude vendor because it's slow
+
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+. $SCRIPTDIR/dco
+. $SCRIPTDIR/default-seccomp
+. $SCRIPTDIR/gometalinter
+. $SCRIPTDIR/pkg-imports
+. $SCRIPTDIR/swagger
+. $SCRIPTDIR/swagger-gen
+. $SCRIPTDIR/test-imports
+. $SCRIPTDIR/toml
+. $SCRIPTDIR/changelog-well-formed
+. $SCRIPTDIR/changelog-date-descending
+. $SCRIPTDIR/deprecate-integration-cli
diff --git a/engine/hack/validate/default-seccomp b/engine/hack/validate/default-seccomp
new file mode 100755
index 00000000..24cbf00d
--- /dev/null
+++ b/engine/hack/validate/default-seccomp
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source "${SCRIPTDIR}/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- 'profiles/seccomp' || true) )
+unset IFS
+
+if [ ${#files[@]} -gt 0 ]; then
+	# We run 'go generate' and see if we have a diff afterwards
+	go generate ./profiles/seccomp/ >/dev/null
+	# Let see if the working directory is clean
+	diffs="$(git status --porcelain -- profiles/seccomp 2>/dev/null)"
+	if [ "$diffs" ]; then
+		{
+			echo 'The result of go generate ./profiles/seccomp/ differs'
+			echo
+			echo "$diffs"
+			echo
+			echo 'Please re-run go generate ./profiles/seccomp/'
+			echo
+		} >&2
+		false
+	else
+		echo 'Congratulations! Seccomp profile generation is done correctly.'
+	fi
+fi
diff --git a/engine/hack/validate/deprecate-integration-cli b/engine/hack/validate/deprecate-integration-cli
new file mode 100755
index 00000000..da6f8310
--- /dev/null
+++ b/engine/hack/validate/deprecate-integration-cli
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Check that no new tests are being added to integration-cli
+
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source "${SCRIPTDIR}/.validate"
+
+new_tests=$(
+    validate_diff --diff-filter=ACMR --unified=0 -- 'integration-cli/*_cli_*.go' |
+    grep -E '^\+func (.*) Test' || true
+)
+
+if [ -z "$new_tests" ]; then
+	echo 'Congratulations!  No new tests added to integration-cli.'
+    exit
+fi
+
+echo "The following new tests were added to integration-cli:"
+echo
+echo "$new_tests"
+echo
+echo "integration-cli is deprecated. Please add an API integration test to"
+echo "./integration/COMPONENT/. See ./TESTING.md for more details."
+echo
+
+exit 1
diff --git a/engine/hack/validate/gometalinter b/engine/hack/validate/gometalinter
new file mode 100755
index 00000000..8f42597f
--- /dev/null
+++ b/engine/hack/validate/gometalinter
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -e -o pipefail
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# CI platforms differ, so per-platform GOMETALINTER_OPTS can be set
+# from a platform-specific Dockerfile, otherwise let's just set
+# (somewhat pessimistic) default of 10 minutes.
+: ${GOMETALINTER_OPTS=--deadline=10m}
+
+gometalinter \
+	${GOMETALINTER_OPTS} \
+	--config $SCRIPTDIR/gometalinter.json ./...
diff --git a/engine/hack/validate/gometalinter.json b/engine/hack/validate/gometalinter.json
new file mode 100644
index 00000000..81eb1017
--- /dev/null
+++ b/engine/hack/validate/gometalinter.json
@@ -0,0 +1,27 @@
+{
+  "Vendor": true,
+  "EnableGC": true,
+  "Sort": ["linter", "severity", "path"],
+  "Exclude": [
+    ".*\\.pb\\.go",
+    "dockerversion/version_autogen.go",
+    "api/types/container/container_.*",
+    "api/types/volume/volume_.*",
+    "integration-cli/"
+  ],
+  "Skip": ["integration-cli/"],
+
+  "Enable": [
+    "deadcode",
+    "gofmt",
+    "goimports",
+    "golint",
+    "gosimple",
+    "ineffassign",
+    "interfacer",
+    "unconvert",
+    "vet"
+  ],
+
+  "LineLength": 200
+}
diff --git a/engine/hack/validate/pkg-imports b/engine/hack/validate/pkg-imports
new file mode 100755
index 00000000..a9aab645
--- /dev/null
+++ b/engine/hack/validate/pkg-imports
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -e
+
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source "${SCRIPTDIR}/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- 'pkg/*.go' || true) )
+unset IFS
+
+badFiles=()
+for f in "${files[@]}"; do
+	IFS=$'\n'
+	badImports=( $(go list -e -f '{{ join .Deps "\n" }}' "$f" | sort -u | grep -vE '^github.com/docker/docker/pkg/' | grep -vE '^github.com/docker/docker/vendor' | grep -E '^github.com/docker/docker' || true) )
+	unset IFS
+
+	for import in "${badImports[@]}"; do
+		badFiles+=( "$f imports $import" )
+	done
+done
+
+if [ ${#badFiles[@]} -eq 0 ]; then
+	echo 'Congratulations!  "./pkg/..." is safely isolated from internal code.'
+else
+	{
+		echo 'These files import internal code: (either directly or indirectly)'
+		for f in "${badFiles[@]}"; do
+			echo " - $f"
+		done
+		echo
+	} >&2
+	false
+fi
diff --git a/engine/hack/validate/swagger b/engine/hack/validate/swagger
new file mode 100755
index 00000000..0b3c2719
--- /dev/null
+++ b/engine/hack/validate/swagger
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -e
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source "${SCRIPTDIR}/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- 'api/swagger.yaml' || true) )
+unset IFS
+
+if [ ${#files[@]} -gt 0 ]; then
+  yamllint -c ${SCRIPTDIR}/.swagger-yamllint api/swagger.yaml
+  swagger validate api/swagger.yaml
+fi
diff --git a/engine/hack/validate/swagger-gen b/engine/hack/validate/swagger-gen
new file mode 100755
index 00000000..07c22b5a
--- /dev/null
+++ b/engine/hack/validate/swagger-gen
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source "${SCRIPTDIR}/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- 'api/types/' 'api/swagger.yaml' || true) )
+unset IFS
+
+if [ ${#files[@]} -gt 0 ]; then
+	${SCRIPTDIR}/../generate-swagger-api.sh 2> /dev/null
+	# Let see if the working directory is clean
+	diffs="$(git diff -- api/types/)"
+	if [ "$diffs" ]; then
+		{
+			echo 'The result of hack/generate-swagger-api.sh differs'
+			echo
+			echo "$diffs"
+			echo
+			echo 'Please update api/swagger.yaml with any api changes, then '
+			echo 'run `hack/generate-swagger-api.sh`.'
+		} >&2
+		false
+	else
+		echo 'Congratulations! All api changes are done the right way.'
+	fi
+else
+    echo 'No api/types/ or api/swagger.yaml changes in diff.'
+fi
diff --git a/engine/hack/validate/test-imports b/engine/hack/validate/test-imports
new file mode 100755
index 00000000..0e836a31
--- /dev/null
+++ b/engine/hack/validate/test-imports
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# Make sure we're not using gos' Testing package any more in integration-cli
+
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source "${SCRIPTDIR}/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- 'integration-cli/*.go' || true) )
+unset IFS
+
+badFiles=()
+for f in "${files[@]}"; do
+	# skip check_test.go since it *does* use the testing package
+	if [ "$f" = "integration-cli/check_test.go" ]; then
+		continue
+	fi
+
+	# we use "git show" here to validate that what's committed doesn't contain golang built-in testing
+	if git show "$VALIDATE_HEAD:$f" | grep -q testing.T; then
+		if [ "$(echo $f | grep '_test')" ]; then
+			# allow testing.T for non- _test files
+			badFiles+=( "$f" )
+		fi
+	fi
+done
+
+if [ ${#badFiles[@]} -eq 0 ]; then
+	echo 'Congratulations!  No testing.T found.'
+else
+	{
+		echo "These files use the wrong testing infrastructure:"
+		for f in "${badFiles[@]}"; do
+			echo " - $f"
+		done
+		echo
+	} >&2
+	false
+fi
diff --git a/engine/hack/validate/toml b/engine/hack/validate/toml
new file mode 100755
index 00000000..d5b2ce1c
--- /dev/null
+++ b/engine/hack/validate/toml
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source "${SCRIPTDIR}/.validate"
+
+IFS=$'\n'
+files=( $(validate_diff --diff-filter=ACMR --name-only -- 'MAINTAINERS' || true) )
+unset IFS
+
+badFiles=()
+for f in "${files[@]}"; do
+	# we use "git show" here to validate that what's committed has valid toml syntax
+	if ! git show "$VALIDATE_HEAD:$f" | tomlv /proc/self/fd/0 ; then
+		badFiles+=( "$f" )
+	fi
+done
+
+if [ ${#badFiles[@]} -eq 0 ]; then
+	echo 'Congratulations!  All toml source files changed here have valid syntax.'
+else
+	{
+		echo "These files are not valid toml:"
+		for f in "${badFiles[@]}"; do
+			echo " - $f"
+		done
+		echo
+		echo 'Please reformat the above files as valid toml'
+		echo
+	} >&2
+	false
+fi
diff --git a/engine/hack/validate/vendor b/engine/hack/validate/vendor
new file mode 100755
index 00000000..7d753dfb
--- /dev/null
+++ b/engine/hack/validate/vendor
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source "${SCRIPTDIR}/.validate"
+
+validate_vendor_diff(){
+	IFS=$'\n'
+	files=( $(validate_diff --diff-filter=ACMR --name-only -- 'vendor.conf' 'vendor/' || true) )
+	unset IFS
+
+	if [ ${#files[@]} -gt 0 ]; then
+		# Remove vendor/ first so  that anything not included in vendor.conf will
+		# cause the validation to fail. archive/tar is a special case, see vendor.conf
+		# for details.
+		ls -d vendor/* | grep -v vendor/archive | xargs rm -rf
+		# run vndr to recreate vendor/
+		vndr
+		# check if any files have changed
+		diffs="$(git status --porcelain -- vendor 2>/dev/null)"
+		if [ "$diffs" ]; then
+			{
+				echo 'The result of vndr differs'
+				echo
+				echo "$diffs"
+				echo
+				echo 'Please vendor your package with github.com/LK4D4/vndr.'
+				echo
+			} >&2
+			false
+		else
+			echo 'Congratulations! All vendoring changes are done the right way.'
+		fi
+	else
+		echo 'No vendor changes in diff.'
+	fi
+}
+
+# 1. make sure all the vendored packages are used
+# 2. make sure all the packages contain license information (just warning, because it can cause false-positive)
+validate_vendor_used() {
+	pkgs=$(mawk '/^[a-zA-Z0-9]/ { print $1 }' < vendor.conf)
+	for f in $pkgs; do
+	if ls -d vendor/$f  > /dev/null 2>&1; then
+		found=$(find vendor/$f -iregex '.*LICENSE.*' -or -iregex '.*COPYRIGHT.*' -or -iregex '.*COPYING.*' | wc -l)
+		if [ $found -eq 0 ]; then
+		echo "WARNING: could not find copyright information for $f"
+		fi
+	else
+		echo "WARNING: $f is vendored but unused"
+	fi
+	done
+}
+
+validate_vendor_diff
+validate_vendor_used
diff --git a/engine/hack/vendor.sh b/engine/hack/vendor.sh
new file mode 100755
index 00000000..a7a571e7
--- /dev/null
+++ b/engine/hack/vendor.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# This file is just wrapper around vndr (github.com/LK4D4/vndr) tool.
+# For updating dependencies you should change `vendor.conf` file in root of the
+# project. Please refer to https://github.com/LK4D4/vndr/blob/master/README.md for
+# vndr usage.
+
+set -e
+
+if ! hash vndr; then
+	echo "Please install vndr with \"go get github.com/LK4D4/vndr\" and put it in your \$GOPATH"
+	exit 1
+fi
+
+vndr "$@"
diff --git a/engine/image/cache/cache.go b/engine/image/cache/cache.go
new file mode 100644
index 00000000..6d3f4c57
--- /dev/null
+++ b/engine/image/cache/cache.go
@@ -0,0 +1,253 @@
+package cache // import "github.com/docker/docker/image/cache"
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"strings"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/pkg/errors"
+)
+
+// NewLocal returns a local image cache, based on parent chain
+func NewLocal(store image.Store) *LocalImageCache {
+	return &LocalImageCache{
+		store: store,
+	}
+}
+
+// LocalImageCache is cache based on parent chain.
+type LocalImageCache struct {
+	store image.Store
+}
+
+// GetCache returns the image id found in the cache
+func (lic *LocalImageCache) GetCache(imgID string, config *containertypes.Config) (string, error) {
+	return getImageIDAndError(getLocalCachedImage(lic.store, image.ID(imgID), config))
+}
+
+// New returns an image cache, based on history objects
+func New(store image.Store) *ImageCache {
+	return &ImageCache{
+		store:           store,
+		localImageCache: NewLocal(store),
+	}
+}
+
+// ImageCache is cache based on history objects. Requires initial set of images.
+type ImageCache struct {
+	sources         []*image.Image
+	store           image.Store
+	localImageCache *LocalImageCache
+}
+
+// Populate adds an image to the cache (to be queried later)
+func (ic *ImageCache) Populate(image *image.Image) {
+	ic.sources = append(ic.sources, image)
+}
+
+// GetCache returns the image id found in the cache
+func (ic *ImageCache) GetCache(parentID string, cfg *containertypes.Config) (string, error) {
+	imgID, err := ic.localImageCache.GetCache(parentID, cfg)
+	if err != nil {
+		return "", err
+	}
+	if imgID != "" {
+		for _, s := range ic.sources {
+			if ic.isParent(s.ID(), image.ID(imgID)) {
+				return imgID, nil
+			}
+		}
+	}
+
+	var parent *image.Image
+	lenHistory := 0
+	if parentID != "" {
+		parent, err = ic.store.Get(image.ID(parentID))
+		if err != nil {
+			return "", errors.Wrapf(err, "unable to find image %v", parentID)
+		}
+		lenHistory = len(parent.History)
+	}
+
+	for _, target := range ic.sources {
+		if !isValidParent(target, parent) || !isValidConfig(cfg, target.History[lenHistory]) {
+			continue
+		}
+
+		if len(target.History)-1 == lenHistory { // last
+			if parent != nil {
+				if err := ic.store.SetParent(target.ID(), parent.ID()); err != nil {
+					return "", errors.Wrapf(err, "failed to set parent for %v to %v", target.ID(), parent.ID())
+				}
+			}
+			return target.ID().String(), nil
+		}
+
+		imgID, err := ic.restoreCachedImage(parent, target, cfg)
+		if err != nil {
+			return "", errors.Wrapf(err, "failed to restore cached image from %q to %v", parentID, target.ID())
+		}
+
+		ic.sources = []*image.Image{target} // avoid jumping to different target, tuned for safety atm
+		return imgID.String(), nil
+	}
+
+	return "", nil
+}
+
+func (ic *ImageCache) restoreCachedImage(parent, target *image.Image, cfg *containertypes.Config) (image.ID, error) {
+	var history []image.History
+	rootFS := image.NewRootFS()
+	lenHistory := 0
+	if parent != nil {
+		history = parent.History
+		rootFS = parent.RootFS
+		lenHistory = len(parent.History)
+	}
+	history = append(history, target.History[lenHistory])
+	if layer := getLayerForHistoryIndex(target, lenHistory); layer != "" {
+		rootFS.Append(layer)
+	}
+
+	config, err := json.Marshal(&image.Image{
+		V1Image: image.V1Image{
+			DockerVersion: dockerversion.Version,
+			Config:        cfg,
+			Architecture:  target.Architecture,
+			OS:            target.OS,
+			Author:        target.Author,
+			Created:       history[len(history)-1].Created,
+		},
+		RootFS:     rootFS,
+		History:    history,
+		OSFeatures: target.OSFeatures,
+		OSVersion:  target.OSVersion,
+	})
+	if err != nil {
+		return "", errors.Wrap(err, "failed to marshal image config")
+	}
+
+	imgID, err := ic.store.Create(config)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to create cache image")
+	}
+
+	if parent != nil {
+		if err := ic.store.SetParent(imgID, parent.ID()); err != nil {
+			return "", errors.Wrapf(err, "failed to set parent for %v to %v", target.ID(), parent.ID())
+		}
+	}
+	return imgID, nil
+}
+
+func (ic *ImageCache) isParent(imgID, parentID image.ID) bool {
+	nextParent, err := ic.store.GetParent(imgID)
+	if err != nil {
+		return false
+	}
+	if nextParent == parentID {
+		return true
+	}
+	return ic.isParent(nextParent, parentID)
+}
+
+func getLayerForHistoryIndex(image *image.Image, index int) layer.DiffID {
+	layerIndex := 0
+	for i, h := range image.History {
+		if i == index {
+			if h.EmptyLayer {
+				return ""
+			}
+			break
+		}
+		if !h.EmptyLayer {
+			layerIndex++
+		}
+	}
+	return image.RootFS.DiffIDs[layerIndex] // validate?
+}
+
+func isValidConfig(cfg *containertypes.Config, h image.History) bool {
+	// todo: make this format better than join that loses data
+	return strings.Join(cfg.Cmd, " ") == h.CreatedBy
+}
+
+func isValidParent(img, parent *image.Image) bool {
+	if len(img.History) == 0 {
+		return false
+	}
+	if parent == nil || len(parent.History) == 0 && len(parent.RootFS.DiffIDs) == 0 {
+		return true
+	}
+	if len(parent.History) >= len(img.History) {
+		return false
+	}
+	if len(parent.RootFS.DiffIDs) > len(img.RootFS.DiffIDs) {
+		return false
+	}
+
+	for i, h := range parent.History {
+		if !reflect.DeepEqual(h, img.History[i]) {
+			return false
+		}
+	}
+	for i, d := range parent.RootFS.DiffIDs {
+		if d != img.RootFS.DiffIDs[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func getImageIDAndError(img *image.Image, err error) (string, error) {
+	if img == nil || err != nil {
+		return "", err
+	}
+	return img.ID().String(), nil
+}
+
+// getLocalCachedImage returns the most recent created image that is a child
+// of the image with imgID, that had the same config when it was
+// created. nil is returned if a child cannot be found. An error is
+// returned if the parent image cannot be found.
+func getLocalCachedImage(imageStore image.Store, imgID image.ID, config *containertypes.Config) (*image.Image, error) {
+	// Loop on the children of the given image and check the config
+	getMatch := func(siblings []image.ID) (*image.Image, error) {
+		var match *image.Image
+		for _, id := range siblings {
+			img, err := imageStore.Get(id)
+			if err != nil {
+				return nil, fmt.Errorf("unable to find image %q", id)
+			}
+
+			if compare(&img.ContainerConfig, config) {
+				// check for the most up to date match
+				if match == nil || match.Created.Before(img.Created) {
+					match = img
+				}
+			}
+		}
+		return match, nil
+	}
+
+	// In this case, this is `FROM scratch`, which isn't an actual image.
+	if imgID == "" {
+		images := imageStore.Map()
+		var siblings []image.ID
+		for id, img := range images {
+			if img.Parent == imgID {
+				siblings = append(siblings, id)
+			}
+		}
+		return getMatch(siblings)
+	}
+
+	// find match from child images
+	siblings := imageStore.Children(imgID)
+	return getMatch(siblings)
+}
diff --git a/engine/image/cache/compare.go b/engine/image/cache/compare.go
new file mode 100644
index 00000000..e31e9c8b
--- /dev/null
+++ b/engine/image/cache/compare.go
@@ -0,0 +1,63 @@
+package cache // import "github.com/docker/docker/image/cache"
+
+import (
+	"github.com/docker/docker/api/types/container"
+)
+
+// compare two Config struct. Do not compare the "Image" nor "Hostname" fields
+// If OpenStdin is set, then it differs
+func compare(a, b *container.Config) bool {
+	if a == nil || b == nil ||
+		a.OpenStdin || b.OpenStdin {
+		return false
+	}
+	if a.AttachStdout != b.AttachStdout ||
+		a.AttachStderr != b.AttachStderr ||
+		a.User != b.User ||
+		a.OpenStdin != b.OpenStdin ||
+		a.Tty != b.Tty {
+		return false
+	}
+
+	if len(a.Cmd) != len(b.Cmd) ||
+		len(a.Env) != len(b.Env) ||
+		len(a.Labels) != len(b.Labels) ||
+		len(a.ExposedPorts) != len(b.ExposedPorts) ||
+		len(a.Entrypoint) != len(b.Entrypoint) ||
+		len(a.Volumes) != len(b.Volumes) {
+		return false
+	}
+
+	for i := 0; i < len(a.Cmd); i++ {
+		if a.Cmd[i] != b.Cmd[i] {
+			return false
+		}
+	}
+	for i := 0; i < len(a.Env); i++ {
+		if a.Env[i] != b.Env[i] {
+			return false
+		}
+	}
+	for k, v := range a.Labels {
+		if v != b.Labels[k] {
+			return false
+		}
+	}
+	for k := range a.ExposedPorts {
+		if _, exists := b.ExposedPorts[k]; !exists {
+			return false
+		}
+	}
+
+	for i := 0; i < len(a.Entrypoint); i++ {
+		if a.Entrypoint[i] != b.Entrypoint[i] {
+			return false
+		}
+	}
+	for key := range a.Volumes {
+		if _, exists := b.Volumes[key]; !exists {
+			return false
+		}
+	}
+	return true
+}
diff --git a/engine/image/cache/compare_test.go b/engine/image/cache/compare_test.go
new file mode 100644
index 00000000..939e99f0
--- /dev/null
+++ b/engine/image/cache/compare_test.go
@@ -0,0 +1,126 @@
+package cache // import "github.com/docker/docker/image/cache"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/go-connections/nat"
+)
+
+// Just to make life easier
+func newPortNoError(proto, port string) nat.Port {
+	p, _ := nat.NewPort(proto, port)
+	return p
+}
+
+func TestCompare(t *testing.T) {
+	ports1 := make(nat.PortSet)
+	ports1[newPortNoError("tcp", "1111")] = struct{}{}
+	ports1[newPortNoError("tcp", "2222")] = struct{}{}
+	ports2 := make(nat.PortSet)
+	ports2[newPortNoError("tcp", "3333")] = struct{}{}
+	ports2[newPortNoError("tcp", "4444")] = struct{}{}
+	ports3 := make(nat.PortSet)
+	ports3[newPortNoError("tcp", "1111")] = struct{}{}
+	ports3[newPortNoError("tcp", "2222")] = struct{}{}
+	ports3[newPortNoError("tcp", "5555")] = struct{}{}
+	volumes1 := make(map[string]struct{})
+	volumes1["/test1"] = struct{}{}
+	volumes2 := make(map[string]struct{})
+	volumes2["/test2"] = struct{}{}
+	volumes3 := make(map[string]struct{})
+	volumes3["/test1"] = struct{}{}
+	volumes3["/test3"] = struct{}{}
+	envs1 := []string{"ENV1=value1", "ENV2=value2"}
+	envs2 := []string{"ENV1=value1", "ENV3=value3"}
+	entrypoint1 := strslice.StrSlice{"/bin/sh", "-c"}
+	entrypoint2 := strslice.StrSlice{"/bin/sh", "-d"}
+	entrypoint3 := strslice.StrSlice{"/bin/sh", "-c", "echo"}
+	cmd1 := strslice.StrSlice{"/bin/sh", "-c"}
+	cmd2 := strslice.StrSlice{"/bin/sh", "-d"}
+	cmd3 := strslice.StrSlice{"/bin/sh", "-c", "echo"}
+	labels1 := map[string]string{"LABEL1": "value1", "LABEL2": "value2"}
+	labels2 := map[string]string{"LABEL1": "value1", "LABEL2": "value3"}
+	labels3 := map[string]string{"LABEL1": "value1", "LABEL2": "value2", "LABEL3": "value3"}
+
+	sameConfigs := map[*container.Config]*container.Config{
+		// Empty config
+		{}: {},
+		// Does not compare hostname, domainname & image
+		{
+			Hostname:   "host1",
+			Domainname: "domain1",
+			Image:      "image1",
+			User:       "user",
+		}: {
+			Hostname:   "host2",
+			Domainname: "domain2",
+			Image:      "image2",
+			User:       "user",
+		},
+		// only OpenStdin
+		{OpenStdin: false}: {OpenStdin: false},
+		// only env
+		{Env: envs1}: {Env: envs1},
+		// only cmd
+		{Cmd: cmd1}: {Cmd: cmd1},
+		// only labels
+		{Labels: labels1}: {Labels: labels1},
+		// only exposedPorts
+		{ExposedPorts: ports1}: {ExposedPorts: ports1},
+		// only entrypoints
+		{Entrypoint: entrypoint1}: {Entrypoint: entrypoint1},
+		// only volumes
+		{Volumes: volumes1}: {Volumes: volumes1},
+	}
+	differentConfigs := map[*container.Config]*container.Config{
+		nil: nil,
+		{
+			Hostname:   "host1",
+			Domainname: "domain1",
+			Image:      "image1",
+			User:       "user1",
+		}: {
+			Hostname:   "host1",
+			Domainname: "domain1",
+			Image:      "image1",
+			User:       "user2",
+		},
+		// only OpenStdin
+		{OpenStdin: false}: {OpenStdin: true},
+		{OpenStdin: true}:  {OpenStdin: false},
+		// only env
+		{Env: envs1}: {Env: envs2},
+		// only cmd
+		{Cmd: cmd1}: {Cmd: cmd2},
+		// not the same number of parts
+		{Cmd: cmd1}: {Cmd: cmd3},
+		// only labels
+		{Labels: labels1}: {Labels: labels2},
+		// not the same number of labels
+		{Labels: labels1}: {Labels: labels3},
+		// only exposedPorts
+		{ExposedPorts: ports1}: {ExposedPorts: ports2},
+		// not the same number of ports
+		{ExposedPorts: ports1}: {ExposedPorts: ports3},
+		// only entrypoints
+		{Entrypoint: entrypoint1}: {Entrypoint: entrypoint2},
+		// not the same number of parts
+		{Entrypoint: entrypoint1}: {Entrypoint: entrypoint3},
+		// only volumes
+		{Volumes: volumes1}: {Volumes: volumes2},
+		// not the same number of labels
+		{Volumes: volumes1}: {Volumes: volumes3},
+	}
+	for config1, config2 := range sameConfigs {
+		if !compare(config1, config2) {
+			t.Fatalf("Compare should be true for [%v] and [%v]", config1, config2)
+		}
+	}
+	for config1, config2 := range differentConfigs {
+		if compare(config1, config2) {
+			t.Fatalf("Compare should be false for [%v] and [%v]", config1, config2)
+		}
+	}
+}
diff --git a/engine/image/fs.go b/engine/image/fs.go
new file mode 100644
index 00000000..7080c8c0
--- /dev/null
+++ b/engine/image/fs.go
@@ -0,0 +1,175 @@
+package image // import "github.com/docker/docker/image"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// DigestWalkFunc is function called by StoreBackend.Walk
+type DigestWalkFunc func(id digest.Digest) error
+
+// StoreBackend provides interface for image.Store persistence
+type StoreBackend interface {
+	Walk(f DigestWalkFunc) error
+	Get(id digest.Digest) ([]byte, error)
+	Set(data []byte) (digest.Digest, error)
+	Delete(id digest.Digest) error
+	SetMetadata(id digest.Digest, key string, data []byte) error
+	GetMetadata(id digest.Digest, key string) ([]byte, error)
+	DeleteMetadata(id digest.Digest, key string) error
+}
+
+// fs implements StoreBackend using the filesystem.
+type fs struct {
+	sync.RWMutex
+	root string
+}
+
+const (
+	contentDirName  = "content"
+	metadataDirName = "metadata"
+)
+
+// NewFSStoreBackend returns new filesystem based backend for image.Store
+func NewFSStoreBackend(root string) (StoreBackend, error) {
+	return newFSStore(root)
+}
+
+func newFSStore(root string) (*fs, error) {
+	s := &fs{
+		root: root,
+	}
+	if err := os.MkdirAll(filepath.Join(root, contentDirName, string(digest.Canonical)), 0700); err != nil {
+		return nil, errors.Wrap(err, "failed to create storage backend")
+	}
+	if err := os.MkdirAll(filepath.Join(root, metadataDirName, string(digest.Canonical)), 0700); err != nil {
+		return nil, errors.Wrap(err, "failed to create storage backend")
+	}
+	return s, nil
+}
+
+func (s *fs) contentFile(dgst digest.Digest) string {
+	return filepath.Join(s.root, contentDirName, string(dgst.Algorithm()), dgst.Hex())
+}
+
+func (s *fs) metadataDir(dgst digest.Digest) string {
+	return filepath.Join(s.root, metadataDirName, string(dgst.Algorithm()), dgst.Hex())
+}
+
+// Walk calls the supplied callback for each image ID in the storage backend.
+func (s *fs) Walk(f DigestWalkFunc) error {
+	// Only Canonical digest (sha256) is currently supported
+	s.RLock()
+	dir, err := ioutil.ReadDir(filepath.Join(s.root, contentDirName, string(digest.Canonical)))
+	s.RUnlock()
+	if err != nil {
+		return err
+	}
+	for _, v := range dir {
+		dgst := digest.NewDigestFromHex(string(digest.Canonical), v.Name())
+		if err := dgst.Validate(); err != nil {
+			logrus.Debugf("skipping invalid digest %s: %s", dgst, err)
+			continue
+		}
+		if err := f(dgst); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Get returns the content stored under a given digest.
+func (s *fs) Get(dgst digest.Digest) ([]byte, error) {
+	s.RLock()
+	defer s.RUnlock()
+
+	return s.get(dgst)
+}
+
+func (s *fs) get(dgst digest.Digest) ([]byte, error) {
+	content, err := ioutil.ReadFile(s.contentFile(dgst))
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to get digest %s", dgst)
+	}
+
+	// todo: maybe optional
+	if digest.FromBytes(content) != dgst {
+		return nil, fmt.Errorf("failed to verify: %v", dgst)
+	}
+
+	return content, nil
+}
+
+// Set stores content by checksum.
+func (s *fs) Set(data []byte) (digest.Digest, error) {
+	s.Lock()
+	defer s.Unlock()
+
+	if len(data) == 0 {
+		return "", fmt.Errorf("invalid empty data")
+	}
+
+	dgst := digest.FromBytes(data)
+	if err := ioutils.AtomicWriteFile(s.contentFile(dgst), data, 0600); err != nil {
+		return "", errors.Wrap(err, "failed to write digest data")
+	}
+
+	return dgst, nil
+}
+
+// Delete removes content and metadata files associated with the digest.
+func (s *fs) Delete(dgst digest.Digest) error {
+	s.Lock()
+	defer s.Unlock()
+
+	if err := os.RemoveAll(s.metadataDir(dgst)); err != nil {
+		return err
+	}
+	return os.Remove(s.contentFile(dgst))
+}
+
+// SetMetadata sets metadata for a given ID. It fails if there's no base file.
+func (s *fs) SetMetadata(dgst digest.Digest, key string, data []byte) error {
+	s.Lock()
+	defer s.Unlock()
+	if _, err := s.get(dgst); err != nil {
+		return err
+	}
+
+	baseDir := filepath.Join(s.metadataDir(dgst))
+	if err := os.MkdirAll(baseDir, 0700); err != nil {
+		return err
+	}
+	return ioutils.AtomicWriteFile(filepath.Join(s.metadataDir(dgst), key), data, 0600)
+}
+
+// GetMetadata returns metadata for a given digest.
+func (s *fs) GetMetadata(dgst digest.Digest, key string) ([]byte, error) {
+	s.RLock()
+	defer s.RUnlock()
+
+	if _, err := s.get(dgst); err != nil {
+		return nil, err
+	}
+	bytes, err := ioutil.ReadFile(filepath.Join(s.metadataDir(dgst), key))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to read metadata")
+	}
+	return bytes, nil
+}
+
+// DeleteMetadata removes the metadata associated with a digest.
+func (s *fs) DeleteMetadata(dgst digest.Digest, key string) error {
+	s.Lock()
+	defer s.Unlock()
+
+	return os.RemoveAll(filepath.Join(s.metadataDir(dgst), key))
+}
diff --git a/engine/image/fs_test.go b/engine/image/fs_test.go
new file mode 100644
index 00000000..6290c2b6
--- /dev/null
+++ b/engine/image/fs_test.go
@@ -0,0 +1,270 @@
+package image // import "github.com/docker/docker/image"
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/opencontainers/go-digest"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func defaultFSStoreBackend(t *testing.T) (StoreBackend, func()) {
+	tmpdir, err := ioutil.TempDir("", "images-fs-store")
+	assert.Check(t, err)
+
+	fsBackend, err := NewFSStoreBackend(tmpdir)
+	assert.Check(t, err)
+
+	return fsBackend, func() { os.RemoveAll(tmpdir) }
+}
+
+func TestFSGetInvalidData(t *testing.T) {
+	store, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	id, err := store.Set([]byte("foobar"))
+	assert.Check(t, err)
+
+	dgst := digest.Digest(id)
+
+	err = ioutil.WriteFile(filepath.Join(store.(*fs).root, contentDirName, string(dgst.Algorithm()), dgst.Hex()), []byte("foobar2"), 0600)
+	assert.Check(t, err)
+
+	_, err = store.Get(id)
+	assert.Check(t, is.ErrorContains(err, "failed to verify"))
+}
+
+func TestFSInvalidSet(t *testing.T) {
+	store, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	id := digest.FromBytes([]byte("foobar"))
+	err := os.Mkdir(filepath.Join(store.(*fs).root, contentDirName, string(id.Algorithm()), id.Hex()), 0700)
+	assert.Check(t, err)
+
+	_, err = store.Set([]byte("foobar"))
+	assert.Check(t, is.ErrorContains(err, "failed to write digest data"))
+}
+
+func TestFSInvalidRoot(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "images-fs-store")
+	assert.Check(t, err)
+	defer os.RemoveAll(tmpdir)
+
+	tcases := []struct {
+		root, invalidFile string
+	}{
+		{"root", "root"},
+		{"root", "root/content"},
+		{"root", "root/metadata"},
+	}
+
+	for _, tc := range tcases {
+		root := filepath.Join(tmpdir, tc.root)
+		filePath := filepath.Join(tmpdir, tc.invalidFile)
+		err := os.MkdirAll(filepath.Dir(filePath), 0700)
+		assert.Check(t, err)
+
+		f, err := os.Create(filePath)
+		assert.Check(t, err)
+		f.Close()
+
+		_, err = NewFSStoreBackend(root)
+		assert.Check(t, is.ErrorContains(err, "failed to create storage backend"))
+
+		os.RemoveAll(root)
+	}
+
+}
+
+func TestFSMetadataGetSet(t *testing.T) {
+	store, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	id, err := store.Set([]byte("foo"))
+	assert.Check(t, err)
+
+	id2, err := store.Set([]byte("bar"))
+	assert.Check(t, err)
+
+	tcases := []struct {
+		id    digest.Digest
+		key   string
+		value []byte
+	}{
+		{id, "tkey", []byte("tval1")},
+		{id, "tkey2", []byte("tval2")},
+		{id2, "tkey", []byte("tval3")},
+	}
+
+	for _, tc := range tcases {
+		err = store.SetMetadata(tc.id, tc.key, tc.value)
+		assert.Check(t, err)
+
+		actual, err := store.GetMetadata(tc.id, tc.key)
+		assert.Check(t, err)
+
+		assert.Check(t, is.DeepEqual(tc.value, actual))
+	}
+
+	_, err = store.GetMetadata(id2, "tkey2")
+	assert.Check(t, is.ErrorContains(err, "failed to read metadata"))
+
+	id3 := digest.FromBytes([]byte("baz"))
+	err = store.SetMetadata(id3, "tkey", []byte("tval"))
+	assert.Check(t, is.ErrorContains(err, "failed to get digest"))
+
+	_, err = store.GetMetadata(id3, "tkey")
+	assert.Check(t, is.ErrorContains(err, "failed to get digest"))
+}
+
+func TestFSInvalidWalker(t *testing.T) {
+	store, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	fooID, err := store.Set([]byte("foo"))
+	assert.Check(t, err)
+
+	err = ioutil.WriteFile(filepath.Join(store.(*fs).root, contentDirName, "sha256/foobar"), []byte("foobar"), 0600)
+	assert.Check(t, err)
+
+	n := 0
+	err = store.Walk(func(id digest.Digest) error {
+		assert.Check(t, is.Equal(fooID, id))
+		n++
+		return nil
+	})
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(1, n))
+}
+
+func TestFSGetSet(t *testing.T) {
+	store, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	type tcase struct {
+		input    []byte
+		expected digest.Digest
+	}
+	tcases := []tcase{
+		{[]byte("foobar"), digest.Digest("sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2")},
+	}
+
+	randomInput := make([]byte, 8*1024)
+	_, err := rand.Read(randomInput)
+	assert.Check(t, err)
+
+	// skipping use of digest pkg because it is used by the implementation
+	h := sha256.New()
+	_, err = h.Write(randomInput)
+	assert.Check(t, err)
+
+	tcases = append(tcases, tcase{
+		input:    randomInput,
+		expected: digest.Digest("sha256:" + hex.EncodeToString(h.Sum(nil))),
+	})
+
+	for _, tc := range tcases {
+		id, err := store.Set([]byte(tc.input))
+		assert.Check(t, err)
+		assert.Check(t, is.Equal(tc.expected, id))
+	}
+
+	for _, tc := range tcases {
+		data, err := store.Get(tc.expected)
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(tc.input, data))
+	}
+}
+
+func TestFSGetUnsetKey(t *testing.T) {
+	store, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	for _, key := range []digest.Digest{"foobar:abc", "sha256:abc", "sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2a"} {
+		_, err := store.Get(key)
+		assert.Check(t, is.ErrorContains(err, "failed to get digest"))
+	}
+}
+
+func TestFSGetEmptyData(t *testing.T) {
+	store, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	for _, emptyData := range [][]byte{nil, {}} {
+		_, err := store.Set(emptyData)
+		assert.Check(t, is.ErrorContains(err, "invalid empty data"))
+	}
+}
+
+func TestFSDelete(t *testing.T) {
+	store, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	id, err := store.Set([]byte("foo"))
+	assert.Check(t, err)
+
+	id2, err := store.Set([]byte("bar"))
+	assert.Check(t, err)
+
+	err = store.Delete(id)
+	assert.Check(t, err)
+
+	_, err = store.Get(id)
+	assert.Check(t, is.ErrorContains(err, "failed to get digest"))
+
+	_, err = store.Get(id2)
+	assert.Check(t, err)
+
+	err = store.Delete(id2)
+	assert.Check(t, err)
+
+	_, err = store.Get(id2)
+	assert.Check(t, is.ErrorContains(err, "failed to get digest"))
+}
+
+func TestFSWalker(t *testing.T) {
+	store, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	id, err := store.Set([]byte("foo"))
+	assert.Check(t, err)
+
+	id2, err := store.Set([]byte("bar"))
+	assert.Check(t, err)
+
+	tcases := make(map[digest.Digest]struct{})
+	tcases[id] = struct{}{}
+	tcases[id2] = struct{}{}
+	n := 0
+	err = store.Walk(func(id digest.Digest) error {
+		delete(tcases, id)
+		n++
+		return nil
+	})
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(2, n))
+	assert.Check(t, is.Len(tcases, 0))
+}
+
+func TestFSWalkerStopOnError(t *testing.T) {
+	store, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	id, err := store.Set([]byte("foo"))
+	assert.Check(t, err)
+
+	tcases := make(map[digest.Digest]struct{})
+	tcases[id] = struct{}{}
+	err = store.Walk(func(id digest.Digest) error {
+		return errors.New("what")
+	})
+	assert.Check(t, is.ErrorContains(err, "what"))
+}
diff --git a/engine/image/image.go b/engine/image/image.go
new file mode 100644
index 00000000..7e0646f0
--- /dev/null
+++ b/engine/image/image.go
@@ -0,0 +1,232 @@
+package image // import "github.com/docker/docker/image"
+
+import (
+	"encoding/json"
+	"errors"
+	"io"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/layer"
+	"github.com/opencontainers/go-digest"
+)
+
+// ID is the content-addressable ID of an image.
+type ID digest.Digest
+
+func (id ID) String() string {
+	return id.Digest().String()
+}
+
+// Digest converts ID into a digest
+func (id ID) Digest() digest.Digest {
+	return digest.Digest(id)
+}
+
+// IDFromDigest creates an ID from a digest
+func IDFromDigest(digest digest.Digest) ID {
+	return ID(digest)
+}
+
+// V1Image stores the V1 image configuration.
+type V1Image struct {
+	// ID is a unique 64 character identifier of the image
+	ID string `json:"id,omitempty"`
+	// Parent is the ID of the parent image
+	Parent string `json:"parent,omitempty"`
+	// Comment is the commit message that was set when committing the image
+	Comment string `json:"comment,omitempty"`
+	// Created is the timestamp at which the image was created
+	Created time.Time `json:"created"`
+	// Container is the id of the container used to commit
+	Container string `json:"container,omitempty"`
+	// ContainerConfig is the configuration of the container that is committed into the image
+	ContainerConfig container.Config `json:"container_config,omitempty"`
+	// DockerVersion specifies the version of Docker that was used to build the image
+	DockerVersion string `json:"docker_version,omitempty"`
+	// Author is the name of the author that was specified when committing the image
+	Author string `json:"author,omitempty"`
+	// Config is the configuration of the container received from the client
+	Config *container.Config `json:"config,omitempty"`
+	// Architecture is the hardware that the image is built and runs on
+	Architecture string `json:"architecture,omitempty"`
+	// OS is the operating system used to build and run the image
+	OS string `json:"os,omitempty"`
+	// Size is the total size of the image including all layers it is composed of
+	Size int64 `json:",omitempty"`
+}
+
+// Image stores the image configuration
+type Image struct {
+	V1Image
+	Parent     ID        `json:"parent,omitempty"`
+	RootFS     *RootFS   `json:"rootfs,omitempty"`
+	History    []History `json:"history,omitempty"`
+	OSVersion  string    `json:"os.version,omitempty"`
+	OSFeatures []string  `json:"os.features,omitempty"`
+
+	// rawJSON caches the immutable JSON associated with this image.
+	rawJSON []byte
+
+	// computedID is the ID computed from the hash of the image config.
+	// Not to be confused with the legacy V1 ID in V1Image.
+	computedID ID
+}
+
+// RawJSON returns the immutable JSON associated with the image.
+func (img *Image) RawJSON() []byte {
+	return img.rawJSON
+}
+
+// ID returns the image's content-addressable ID.
+func (img *Image) ID() ID {
+	return img.computedID
+}
+
+// ImageID stringifies ID.
+func (img *Image) ImageID() string {
+	return img.ID().String()
+}
+
+// RunConfig returns the image's container config.
+func (img *Image) RunConfig() *container.Config {
+	return img.Config
+}
+
+// BaseImgArch returns the image's architecture. If not populated, defaults to the host runtime arch.
+func (img *Image) BaseImgArch() string {
+	arch := img.Architecture
+	if arch == "" {
+		arch = runtime.GOARCH
+	}
+	return arch
+}
+
+// OperatingSystem returns the image's operating system. If not populated, defaults to the host runtime OS.
+func (img *Image) OperatingSystem() string {
+	os := img.OS
+	if os == "" {
+		os = runtime.GOOS
+	}
+	return os
+}
+
+// MarshalJSON serializes the image to JSON. It sorts the top-level keys so
+// that JSON that's been manipulated by a push/pull cycle with a legacy
+// registry won't end up with a different key order.
+func (img *Image) MarshalJSON() ([]byte, error) {
+	type MarshalImage Image
+
+	pass1, err := json.Marshal(MarshalImage(*img))
+	if err != nil {
+		return nil, err
+	}
+
+	var c map[string]*json.RawMessage
+	if err := json.Unmarshal(pass1, &c); err != nil {
+		return nil, err
+	}
+	return json.Marshal(c)
+}
+
+// ChildConfig is the configuration to apply to an Image to create a new
+// Child image. Other properties of the image are copied from the parent.
+type ChildConfig struct {
+	ContainerID     string
+	Author          string
+	Comment         string
+	DiffID          layer.DiffID
+	ContainerConfig *container.Config
+	Config          *container.Config
+}
+
+// NewChildImage creates a new Image as a child of this image.
+func NewChildImage(img *Image, child ChildConfig, platform string) *Image {
+	isEmptyLayer := layer.IsEmpty(child.DiffID)
+	var rootFS *RootFS
+	if img.RootFS != nil {
+		rootFS = img.RootFS.Clone()
+	} else {
+		rootFS = NewRootFS()
+	}
+
+	if !isEmptyLayer {
+		rootFS.Append(child.DiffID)
+	}
+	imgHistory := NewHistory(
+		child.Author,
+		child.Comment,
+		strings.Join(child.ContainerConfig.Cmd, " "),
+		isEmptyLayer)
+
+	return &Image{
+		V1Image: V1Image{
+			DockerVersion:   dockerversion.Version,
+			Config:          child.Config,
+			Architecture:    img.BaseImgArch(),
+			OS:              platform,
+			Container:       child.ContainerID,
+			ContainerConfig: *child.ContainerConfig,
+			Author:          child.Author,
+			Created:         imgHistory.Created,
+		},
+		RootFS:     rootFS,
+		History:    append(img.History, imgHistory),
+		OSFeatures: img.OSFeatures,
+		OSVersion:  img.OSVersion,
+	}
+}
+
+// History stores build commands that were used to create an image
+type History struct {
+	// Created is the timestamp at which the image was created
+	Created time.Time `json:"created"`
+	// Author is the name of the author that was specified when committing the image
+	Author string `json:"author,omitempty"`
+	// CreatedBy keeps the Dockerfile command used while building the image
+	CreatedBy string `json:"created_by,omitempty"`
+	// Comment is the commit message that was set when committing the image
+	Comment string `json:"comment,omitempty"`
+	// EmptyLayer is set to true if this history item did not generate a
+	// layer. Otherwise, the history item is associated with the next
+	// layer in the RootFS section.
+	EmptyLayer bool `json:"empty_layer,omitempty"`
+}
+
+// NewHistory creates a new history struct from arguments, and sets the created
+// time to the current time in UTC
+func NewHistory(author, comment, createdBy string, isEmptyLayer bool) History {
+	return History{
+		Author:     author,
+		Created:    time.Now().UTC(),
+		CreatedBy:  createdBy,
+		Comment:    comment,
+		EmptyLayer: isEmptyLayer,
+	}
+}
+
+// Exporter provides interface for loading and saving images
+type Exporter interface {
+	Load(io.ReadCloser, io.Writer, bool) error
+	// TODO: Load(net.Context, io.ReadCloser, <- chan StatusMessage) error
+	Save([]string, io.Writer) error
+}
+
+// NewFromJSON creates an Image configuration from json.
+func NewFromJSON(src []byte) (*Image, error) {
+	img := &Image{}
+
+	if err := json.Unmarshal(src, img); err != nil {
+		return nil, err
+	}
+	if img.RootFS == nil {
+		return nil, errors.New("invalid image JSON, no RootFS key")
+	}
+
+	img.rawJSON = src
+
+	return img, nil
+}
diff --git a/engine/image/image_test.go b/engine/image/image_test.go
new file mode 100644
index 00000000..981be0b6
--- /dev/null
+++ b/engine/image/image_test.go
@@ -0,0 +1,125 @@
+package image // import "github.com/docker/docker/image"
+
+import (
+	"encoding/json"
+	"runtime"
+	"sort"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/layer"
+	"github.com/google/go-cmp/cmp"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+const sampleImageJSON = `{
+	"architecture": "amd64",
+	"os": "linux",
+	"config": {},
+	"rootfs": {
+		"type": "layers",
+		"diff_ids": []
+	}
+}`
+
+func TestNewFromJSON(t *testing.T) {
+	img, err := NewFromJSON([]byte(sampleImageJSON))
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(sampleImageJSON, string(img.RawJSON())))
+}
+
+func TestNewFromJSONWithInvalidJSON(t *testing.T) {
+	_, err := NewFromJSON([]byte("{}"))
+	assert.Check(t, is.Error(err, "invalid image JSON, no RootFS key"))
+}
+
+func TestMarshalKeyOrder(t *testing.T) {
+	b, err := json.Marshal(&Image{
+		V1Image: V1Image{
+			Comment:      "a",
+			Author:       "b",
+			Architecture: "c",
+		},
+	})
+	assert.Check(t, err)
+
+	expectedOrder := []string{"architecture", "author", "comment"}
+	var indexes []int
+	for _, k := range expectedOrder {
+		indexes = append(indexes, strings.Index(string(b), k))
+	}
+
+	if !sort.IntsAreSorted(indexes) {
+		t.Fatal("invalid key order in JSON: ", string(b))
+	}
+}
+
+func TestImage(t *testing.T) {
+	cid := "50a16564e727"
+	config := &container.Config{
+		Hostname:   "hostname",
+		Domainname: "domain",
+		User:       "root",
+	}
+	os := runtime.GOOS
+
+	img := &Image{
+		V1Image: V1Image{
+			Config: config,
+		},
+		computedID: ID(cid),
+	}
+
+	assert.Check(t, is.Equal(cid, img.ImageID()))
+	assert.Check(t, is.Equal(cid, img.ID().String()))
+	assert.Check(t, is.Equal(os, img.OperatingSystem()))
+	assert.Check(t, is.DeepEqual(config, img.RunConfig()))
+}
+
+func TestImageOSNotEmpty(t *testing.T) {
+	os := "os"
+	img := &Image{
+		V1Image: V1Image{
+			OS: os,
+		},
+		OSVersion: "osversion",
+	}
+	assert.Check(t, is.Equal(os, img.OperatingSystem()))
+}
+
+func TestNewChildImageFromImageWithRootFS(t *testing.T) {
+	rootFS := NewRootFS()
+	rootFS.Append(layer.DiffID("ba5e"))
+	parent := &Image{
+		RootFS: rootFS,
+		History: []History{
+			NewHistory("a", "c", "r", false),
+		},
+	}
+	childConfig := ChildConfig{
+		DiffID:  layer.DiffID("abcdef"),
+		Author:  "author",
+		Comment: "comment",
+		ContainerConfig: &container.Config{
+			Cmd: []string{"echo", "foo"},
+		},
+		Config: &container.Config{},
+	}
+
+	newImage := NewChildImage(parent, childConfig, "platform")
+	expectedDiffIDs := []layer.DiffID{layer.DiffID("ba5e"), layer.DiffID("abcdef")}
+	assert.Check(t, is.DeepEqual(expectedDiffIDs, newImage.RootFS.DiffIDs))
+	assert.Check(t, is.Equal(childConfig.Author, newImage.Author))
+	assert.Check(t, is.DeepEqual(childConfig.Config, newImage.Config))
+	assert.Check(t, is.DeepEqual(*childConfig.ContainerConfig, newImage.ContainerConfig))
+	assert.Check(t, is.Equal("platform", newImage.OS))
+	assert.Check(t, is.DeepEqual(childConfig.Config, newImage.Config))
+
+	assert.Check(t, is.Len(newImage.History, 2))
+	assert.Check(t, is.Equal(childConfig.Comment, newImage.History[1].Comment))
+
+	assert.Check(t, !cmp.Equal(parent.RootFS.DiffIDs, newImage.RootFS.DiffIDs),
+		"RootFS should be copied not mutated")
+}
diff --git a/engine/image/rootfs.go b/engine/image/rootfs.go
new file mode 100644
index 00000000..84843e10
--- /dev/null
+++ b/engine/image/rootfs.go
@@ -0,0 +1,52 @@
+package image // import "github.com/docker/docker/image"
+
+import (
+	"runtime"
+
+	"github.com/docker/docker/layer"
+	"github.com/sirupsen/logrus"
+)
+
+// TypeLayers is used for RootFS.Type for filesystems organized into layers.
+const TypeLayers = "layers"
+
+// typeLayersWithBase is an older format used by Windows up to v1.12. We
+// explicitly handle this as an error case to ensure that a daemon which still
+// has an older image like this on disk can still start, even though the
+// image itself is not usable. See https://github.com/docker/docker/pull/25806.
+const typeLayersWithBase = "layers+base"
+
+// RootFS describes images root filesystem
+// This is currently a placeholder that only supports layers. In the future
+// this can be made into an interface that supports different implementations.
+type RootFS struct {
+	Type    string         `json:"type"`
+	DiffIDs []layer.DiffID `json:"diff_ids,omitempty"`
+}
+
+// NewRootFS returns empty RootFS struct
+func NewRootFS() *RootFS {
+	return &RootFS{Type: TypeLayers}
+}
+
+// Append appends a new diffID to rootfs
+func (r *RootFS) Append(id layer.DiffID) {
+	r.DiffIDs = append(r.DiffIDs, id)
+}
+
+// Clone returns a copy of the RootFS
+func (r *RootFS) Clone() *RootFS {
+	newRoot := NewRootFS()
+	newRoot.Type = r.Type
+	newRoot.DiffIDs = append(r.DiffIDs)
+	return newRoot
+}
+
+// ChainID returns the ChainID for the top layer in RootFS.
+func (r *RootFS) ChainID() layer.ChainID {
+	if runtime.GOOS == "windows" && r.Type == typeLayersWithBase {
+		logrus.Warnf("Layer type is unsupported on this platform. DiffIDs: '%v'", r.DiffIDs)
+		return ""
+	}
+	return layer.CreateChainID(r.DiffIDs)
+}
diff --git a/engine/image/spec/README.md b/engine/image/spec/README.md
new file mode 100644
index 00000000..9769af78
--- /dev/null
+++ b/engine/image/spec/README.md
@@ -0,0 +1,46 @@
+# Docker Image Specification v1.
+
+This directory contains documents about Docker Image Specification v1.X.
+
+The v1 file layout and manifests are no longer used in Moby and Docker, except in `docker save` and `docker load`.
+
+However, v1 Image JSON (`application/vnd.docker.container.image.v1+json`) has been still widely
+used and officially adopted in [V2 manifest](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md)
+and in [OCI Image Format Specification](https://github.com/opencontainers/image-spec).
+
+## v1.X rough Changelog
+
+All 1.X versions are compatible with older ones.
+
+### [v1.2](v1.2.md)
+
+* Implemented in Docker v1.12 (July, 2016)
+* The official spec document was written in August 2016 ([#25750](https://github.com/moby/moby/pull/25750))
+
+Changes:
+
+* `Healthcheck` struct was added to Image JSON
+
+### [v1.1](v1.1.md)
+
+* Implemented in Docker v1.10 (February, 2016)
+* The official spec document was written in April 2016 ([#22264](https://github.com/moby/moby/pull/22264))
+
+Changes:
+
+* IDs were made into SHA256 digest values rather than random values
+* Layer directory names were made into deterministic values rather than random ID values
+* `manifest.json` was added 
+
+### [v1](v1.md)
+
+* The initial revision
+* The official spec document was written in late 2014 ([#9560](https://github.com/moby/moby/pull/9560)), but actual implementations had existed even earlier
+
+
+## Related specifications
+
+* [Open Containers Initiative (OCI) Image Format Specification v1.0.0](https://github.com/opencontainers/image-spec/tree/v1.0.0)
+* [Docker Image Manifest Version 2, Schema 2](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md)
+* [Docker Image Manifest Version 2, Schema 1](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-1.md) (*DEPRECATED*)
+* [Docker Registry HTTP API V2](https://docs.docker.com/registry/spec/api/)
diff --git a/engine/image/spec/v1.1.md b/engine/image/spec/v1.1.md
new file mode 100644
index 00000000..de74d91a
--- /dev/null
+++ b/engine/image/spec/v1.1.md
@@ -0,0 +1,623 @@
+# Docker Image Specification v1.1.0
+
+An *Image* is an ordered collection of root filesystem changes and the
+corresponding execution parameters for use within a container runtime. This
+specification outlines the format of these filesystem changes and corresponding
+parameters and describes how to create and use them for use with a container
+runtime and execution tool.
+
+This version of the image specification was adopted starting in Docker 1.10.
+
+## Terminology
+
+This specification uses the following terms:
+
+<dl>
+    <dt>
+        Layer
+    </dt>
+    <dd>
+        Images are composed of <i>layers</i>. Each layer is a set of filesystem
+        changes. Layers do not have configuration metadata such as environment
+        variables or default arguments - these are properties of the image as a
+        whole rather than any particular layer.
+    </dd>
+    <dt>
+        Image JSON
+    </dt>
+    <dd>
+        Each image has an associated JSON structure which describes some
+        basic information about the image such as date created, author, and the
+        ID of its parent image as well as execution/runtime configuration like
+        its entry point, default arguments, CPU/memory shares, networking, and
+        volumes. The JSON structure also references a cryptographic hash of
+        each layer used by the image, and provides history information for
+        those layers. This JSON is considered to be immutable, because changing
+        it would change the computed ImageID. Changing it means creating a new
+        derived image, instead of changing the existing image.
+    </dd>
+    <dt>
+        Image Filesystem Changeset
+    </dt>
+    <dd>
+        Each layer has an archive of the files which have been added, changed,
+        or deleted relative to its parent layer. Using a layer-based or union
+        filesystem such as AUFS, or by computing the diff from filesystem
+        snapshots, the filesystem changeset can be used to present a series of
+        image layers as if they were one cohesive filesystem.
+    </dd>
+    <dt>
+        Layer DiffID
+    </dt>
+    <dd>
+        Layers are referenced by cryptographic hashes of their serialized
+        representation. This is a SHA256 digest over the tar archive used to
+        transport the layer, represented as a hexadecimal encoding of 256 bits, e.g.,
+        <code>sha256:a9561eb1b190625c9adb5a9513e72c4dedafc1cb2d4c5236c9a6957ec7dfd5a9</code>.
+        Layers must be packed and unpacked reproducibly to avoid changing the
+        layer ID, for example by using tar-split to save the tar headers. Note
+        that the digest used as the layer ID is taken over an uncompressed
+        version of the tar.
+    </dd>
+    <dt>
+        Layer ChainID
+    </dt>
+    <dd>
+        For convenience, it is sometimes useful to refer to a stack of layers
+        with a single identifier. This is called a <code>ChainID</code>. For a
+        single layer (or the layer at the bottom of a stack), the
+        <code>ChainID</code> is equal to the layer's <code>DiffID</code>.
+        Otherwise the <code>ChainID</code> is given by the formula:
+        <code>ChainID(layerN) = SHA256hex(ChainID(layerN-1) + " " + DiffID(layerN))</code>.
+    </dd>
+    <dt>
+        ImageID <a name="id_desc"></a>
+    </dt>
+    <dd>
+        Each image's ID is given by the SHA256 hash of its configuration JSON. It is 
+        represented as a hexadecimal encoding of 256 bits, e.g.,
+        <code>sha256:a9561eb1b190625c9adb5a9513e72c4dedafc1cb2d4c5236c9a6957ec7dfd5a9</code>.
+        Since the configuration JSON that gets hashed references hashes of each
+        layer in the image, this formulation of the ImageID makes images
+        content-addressable.
+    </dd>
+    <dt>
+        Tag
+    </dt>
+    <dd>
+        A tag serves to map a descriptive, user-given name to any single image
+        ID. Tag values are limited to the set of characters
+        <code>[a-zA-Z0-9_.-]</code>, except they may not start with a <code>.</code>
+        or <code>-</code> character. Tags are limited to 128 characters.
+    </dd>
+    <dt>
+        Repository
+    </dt>
+    <dd>
+        A collection of tags grouped under a common prefix (the name component
+        before <code>:</code>). For example, in an image tagged with the name
+        <code>my-app:3.1.4</code>, <code>my-app</code> is the <i>Repository</i>
+        component of the name. A repository name is made up of slash-separated
+        name components, optionally prefixed by a DNS hostname. The hostname
+        must comply with standard DNS rules, but may not contain
+        <code>_</code> characters. If a hostname is present, it may optionally
+        be followed by a port number in the format <code>:8080</code>.
+        Name components may contain lowercase characters, digits, and
+        separators. A separator is defined as a period, one or two underscores,
+        or one or more dashes. A name component may not start or end with
+        a separator.
+    </dd>
+</dl>
+
+## Image JSON Description
+
+Here is an example image JSON file:
+
+```
+{  
+    "created": "2015-10-31T22:22:56.015925234Z",
+    "author": "Alyssa P. Hacker &ltalyspdev@example.com&gt",
+    "architecture": "amd64",
+    "os": "linux",
+    "config": {
+        "User": "alice",
+        "Memory": 2048,
+        "MemorySwap": 4096,
+        "CpuShares": 8,
+        "ExposedPorts": {  
+            "8080/tcp": {}
+        },
+        "Env": [  
+            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+            "FOO=docker_is_a_really",
+            "BAR=great_tool_you_know"
+        ],
+        "Entrypoint": [
+            "/bin/my-app-binary"
+        ],
+        "Cmd": [
+            "--foreground",
+            "--config",
+            "/etc/my-app.d/default.cfg"
+        ],
+        "Volumes": {
+            "/var/job-result-data": {},
+            "/var/log/my-app-logs": {},
+        },
+        "WorkingDir": "/home/alice",
+    },
+    "rootfs": {
+      "diff_ids": [
+        "sha256:c6f988f4874bb0add23a778f753c65efe992244e148a1d2ec2a8b664fb66bbd1",
+        "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
+      ],
+      "type": "layers"
+    },
+    "history": [
+      {
+        "created": "2015-10-31T22:22:54.690851953Z",
+        "created_by": "/bin/sh -c #(nop) ADD file:a3bc1e842b69636f9df5256c49c5374fb4eef1e281fe3f282c65fb853ee171c5 in /"
+      },
+      {
+        "created": "2015-10-31T22:22:55.613815829Z",
+        "created_by": "/bin/sh -c #(nop) CMD [\"sh\"]",
+        "empty_layer": true
+      }
+    ]
+}
+```
+
+Note that image JSON files produced by Docker don't contain formatting
+whitespace. It has been added to this example for clarity.
+
+### Image JSON Field Descriptions
+
+<dl>
+    <dt>
+        created <code>string</code>
+    </dt>
+    <dd>
+        ISO-8601 formatted combined date and time at which the image was
+        created.
+    </dd>
+    <dt>
+        author <code>string</code>
+    </dt>
+    <dd>
+        Gives the name and/or email address of the person or entity which
+        created and is responsible for maintaining the image.
+    </dd>
+    <dt>
+        architecture <code>string</code>
+    </dt>
+    <dd>
+        The CPU architecture which the binaries in this image are built to run
+        on. Possible values include:
+        <ul>
+            <li>386</li>
+            <li>amd64</li>
+            <li>arm</li>
+        </ul>
+        More values may be supported in the future and any of these may or may
+        not be supported by a given container runtime implementation.
+    </dd>
+    <dt>
+        os <code>string</code>
+    </dt>
+    <dd>
+        The name of the operating system which the image is built to run on.
+        Possible values include:
+        <ul>
+            <li>darwin</li>
+            <li>freebsd</li>
+            <li>linux</li>
+        </ul>
+        More values may be supported in the future and any of these may or may
+        not be supported by a given container runtime implementation.
+    </dd>
+    <dt>
+        config <code>struct</code>
+    </dt>
+    <dd>
+        The execution parameters which should be used as a base when running a
+        container using the image. This field can be <code>null</code>, in
+        which case any execution parameters should be specified at creation of
+        the container.
+        <h4>Container RunConfig Field Descriptions</h4>
+        <dl>
+            <dt>
+                User <code>string</code>
+            </dt>
+            <dd>
+                <p>The username or UID which the process in the container should
+                run as. This acts as a default value to use when the value is
+                not specified when creating a container.</p>
+                <p>All of the following are valid:</p>
+                <ul>
+                    <li><code>user</code></li>
+                    <li><code>uid</code></li>
+                    <li><code>user:group</code></li>
+                    <li><code>uid:gid</code></li>
+                    <li><code>uid:group</code></li>
+                    <li><code>user:gid</code></li>
+                </ul>
+                <p>If <code>group</code>/<code>gid</code> is not specified, the
+                default group and supplementary groups of the given
+                <code>user</code>/<code>uid</code> in <code>/etc/passwd</code>
+                from the container are applied.</p>
+            </dd>
+            <dt>
+                Memory <code>integer</code>
+            </dt>
+            <dd>
+                Memory limit (in bytes). This acts as a default value to use
+                when the value is not specified when creating a container.
+            </dd>
+            <dt>
+                MemorySwap <code>integer</code>
+            </dt>
+            <dd>
+                Total memory usage (memory + swap); set to <code>-1</code> to
+                disable swap. This acts as a default value to use when the
+                value is not specified when creating a container.
+            </dd>
+            <dt>
+                CpuShares <code>integer</code>
+            </dt>
+            <dd>
+                CPU shares (relative weight vs. other containers). This acts as
+                a default value to use when the value is not specified when
+                creating a container.
+            </dd>
+            <dt>
+                ExposedPorts <code>struct</code>
+            </dt>
+            <dd>
+                A set of ports to expose from a container running this image.
+                This JSON structure value is unusual because it is a direct
+                JSON serialization of the Go type
+                <code>map[string]struct{}</code> and is represented in JSON as
+                an object mapping its keys to an empty object. Here is an
+                example:
+<pre>{
+    "8080": {},
+    "53/udp": {},
+    "2356/tcp": {}
+}</pre>
+                Its keys can be in the format of:
+                <ul>
+                    <li>
+                        <code>"port/tcp"</code>
+                    </li>
+                    <li>
+                        <code>"port/udp"</code>
+                    </li>
+                    <li>
+                        <code>"port"</code>
+                    </li>
+                </ul>
+                with the default protocol being <code>"tcp"</code> if not
+                specified. These values act as defaults and are merged with any
+                specified when creating a container.
+            </dd>
+            <dt>
+                Env <code>array of strings</code>
+            </dt>
+            <dd>
+                Entries are in the format of <code>VARNAME="var value"</code>.
+                These values act as defaults and are merged with any specified
+                when creating a container.
+            </dd>
+            <dt>
+                Entrypoint <code>array of strings</code>
+            </dt>
+            <dd>
+                A list of arguments to use as the command to execute when the
+                container starts. This value acts as a  default and is replaced
+                by an entrypoint specified when creating a container.
+            </dd>
+            <dt>
+                Cmd <code>array of strings</code>
+            </dt>
+            <dd>
+                Default arguments to the entry point of the container. These
+                values act as defaults and are replaced with any specified when
+                creating a container. If an <code>Entrypoint</code> value is
+                not specified, then the first entry of the <code>Cmd</code>
+                array should be interpreted as the executable to run.
+            </dd>
+            <dt>
+                Volumes <code>struct</code>
+            </dt>
+            <dd>
+                A set of directories which should be created as data volumes in
+                a container running this image. This JSON structure value is
+                unusual because it is a direct JSON serialization of the Go
+                type <code>map[string]struct{}</code> and is represented in
+                JSON as an object mapping its keys to an empty object. Here is
+                an example:
+<pre>{
+    "/var/my-app-data/": {},
+    "/etc/some-config.d/": {},
+}</pre>
+            </dd>
+            <dt>
+                WorkingDir <code>string</code>
+            </dt>
+            <dd>
+                Sets the current working directory of the entry point process
+                in the container. This value acts as a default and is replaced
+                by a working directory specified when creating a container.
+            </dd>
+        </dl>
+    </dd>
+    <dt>
+        rootfs <code>struct</code>
+    </dt>
+    <dd>
+        The rootfs key references the layer content addresses used by the
+        image. This makes the image config hash depend on the filesystem hash.
+        rootfs has two subkeys:
+        <ul>
+          <li>
+            <code>type</code> is usually set to <code>layers</code>.
+          </li>
+          <li>
+            <code>diff_ids</code> is an array of layer content hashes (<code>DiffIDs</code>), in order from bottom-most to top-most.
+          </li>
+        </ul>
+        Here is an example rootfs section:
+<pre>"rootfs": {
+  "diff_ids": [
+    "sha256:c6f988f4874bb0add23a778f753c65efe992244e148a1d2ec2a8b664fb66bbd1",
+    "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
+    "sha256:13f53e08df5a220ab6d13c58b2bf83a59cbdc2e04d0a3f041ddf4b0ba4112d49"
+  ],
+  "type": "layers"
+}</pre>
+    </dd>
+    <dt>
+        history <code>struct</code>
+    </dt>
+    <dd>
+        <code>history</code> is an array of objects describing the history of
+        each layer. The array is ordered from bottom-most layer to top-most
+        layer. The object has the following fields.
+        <ul>
+          <li>
+            <code>created</code>: Creation time, expressed as a ISO-8601 formatted
+            combined date and time
+          </li>
+          <li>
+            <code>author</code>: The author of the build point
+          </li>
+          <li>
+            <code>created_by</code>: The command which created the layer
+          </li>
+          <li>
+            <code>comment</code>: A custom message set when creating the layer
+          </li>
+          <li>
+            <code>empty_layer</code>: This field is used to mark if the history
+            item created a filesystem diff. It is set to true if this history
+            item doesn't correspond to an actual layer in the rootfs section
+            (for example, a command like ENV which results in no change to the
+            filesystem).
+          </li>
+        </ul>
+
+Here is an example history section:
+
+<pre>"history": [
+  {
+    "created": "2015-10-31T22:22:54.690851953Z",
+    "created_by": "/bin/sh -c #(nop) ADD file:a3bc1e842b69636f9df5256c49c5374fb4eef1e281fe3f282c65fb853ee171c5 in /"
+  },
+  {
+    "created": "2015-10-31T22:22:55.613815829Z",
+    "created_by": "/bin/sh -c #(nop) CMD [\"sh\"]",
+    "empty_layer": true
+  }
+]</pre>
+    </dd>
+</dl>
+
+Any extra fields in the Image JSON struct are considered implementation
+specific and should be ignored by any implementations which are unable to
+interpret them.
+
+## Creating an Image Filesystem Changeset
+
+An example of creating an Image Filesystem Changeset follows.
+
+An image root filesystem is first created as an empty directory. Here is the
+initial empty directory structure for the a changeset using the
+randomly-generated directory name `c3167915dc9d` ([actual layer DiffIDs are
+generated based on the content](#id_desc)).
+
+```
+c3167915dc9d/
+```
+
+Files and directories are then created:
+
+```
+c3167915dc9d/
+    etc/
+        my-app-config
+    bin/
+        my-app-binary
+        my-app-tools
+```
+
+The `c3167915dc9d` directory is then committed as a plain Tar archive with
+entries for the following files:
+
+```
+etc/my-app-config
+bin/my-app-binary
+bin/my-app-tools
+```
+
+To make changes to the filesystem of this container image, create a new
+directory, such as `f60c56784b83`, and initialize it with a snapshot of the
+parent image's root filesystem, so that the directory is identical to that
+of `c3167915dc9d`. NOTE: a copy-on-write or union filesystem can make this very
+efficient:
+
+```
+f60c56784b83/
+    etc/
+        my-app-config
+    bin/
+        my-app-binary
+        my-app-tools
+```
+
+This example change is going add a configuration directory at `/etc/my-app.d`
+which contains a default config file. There's also a change to the
+`my-app-tools` binary to handle the config layout change. The `f60c56784b83`
+directory then looks like this:
+
+```
+f60c56784b83/
+    etc/
+        my-app.d/
+            default.cfg
+    bin/
+        my-app-binary
+        my-app-tools
+```
+
+This reflects the removal of `/etc/my-app-config` and creation of a file and
+directory at `/etc/my-app.d/default.cfg`. `/bin/my-app-tools` has also been
+replaced with an updated version. Before committing this directory to a
+changeset, because it has a parent image, it is first compared with the
+directory tree of the parent snapshot, `f60c56784b83`, looking for files and
+directories that have been added, modified, or removed. The following changeset
+is found:
+
+```
+Added:      /etc/my-app.d/default.cfg
+Modified:   /bin/my-app-tools
+Deleted:    /etc/my-app-config
+```
+
+A Tar Archive is then created which contains *only* this changeset: The added
+and modified files and directories in their entirety, and for each deleted item
+an entry for an empty file at the same location but with the basename of the
+deleted file or directory prefixed with `.wh.`. The filenames prefixed with
+`.wh.` are known as "whiteout" files. NOTE: For this reason, it is not possible
+to create an image root filesystem which contains a file or directory with a
+name beginning with `.wh.`. The resulting Tar archive for `f60c56784b83` has
+the following entries:
+
+```
+/etc/my-app.d/default.cfg
+/bin/my-app-tools
+/etc/.wh.my-app-config
+```
+
+Any given image is likely to be composed of several of these Image Filesystem
+Changeset tar archives.
+
+## Combined Image JSON + Filesystem Changeset Format
+
+There is also a format for a single archive which contains complete information
+about an image, including:
+
+ - repository names/tags
+ - image configuration JSON file
+ - all tar archives of each layer filesystem changesets
+
+For example, here's what the full archive of `library/busybox` is (displayed in
+`tree` format):
+
+```
+.
+├── 47bcc53f74dc94b1920f0b34f6036096526296767650f223433fe65c35f149eb.json
+├── 5f29f704785248ddb9d06b90a11b5ea36c534865e9035e4022bb2e71d4ecbb9a
+│   ├── VERSION
+│   ├── json
+│   └── layer.tar
+├── a65da33792c5187473faa80fa3e1b975acba06712852d1dea860692ccddf3198
+│   ├── VERSION
+│   ├── json
+│   └── layer.tar
+├── manifest.json
+└── repositories
+```
+
+There is a directory for each layer in the image. Each directory is named with
+a 64 character hex name that is deterministically generated from the layer
+information. These names are not necessarily layer DiffIDs or ChainIDs. Each of
+these directories contains 3 files:
+
+ * `VERSION` - The schema version of the `json` file
+ * `json` - The legacy JSON metadata for an image layer. In this version of
+    the image specification, layers don't have JSON metadata, but in
+    [version 1](v1.md), they did. A file is created for each layer in the
+    v1 format for backward compatibility.
+ * `layer.tar` - The Tar archive of the filesystem changeset for an image
+   layer.
+
+Note that this directory layout is only important for backward compatibility.
+Current implementations use the paths specified in `manifest.json`.
+
+The content of the `VERSION` files is simply the semantic version of the JSON
+metadata schema:
+
+```
+1.0
+```
+
+The `repositories` file is another JSON file which describes names/tags:
+
+```
+{  
+    "busybox":{  
+        "latest":"5f29f704785248ddb9d06b90a11b5ea36c534865e9035e4022bb2e71d4ecbb9a"
+    }
+}
+```
+
+Every key in this object is the name of a repository, and maps to a collection
+of tag suffixes. Each tag maps to the ID of the image represented by that tag.
+This file is only used for backwards compatibility. Current implementations use
+the `manifest.json` file instead.
+
+The `manifest.json` file provides the image JSON for the top-level image, and
+optionally for parent images that this image was derived from. It consists of
+an array of metadata entries:
+
+```
+[
+  {
+    "Config": "47bcc53f74dc94b1920f0b34f6036096526296767650f223433fe65c35f149eb.json",
+    "RepoTags": ["busybox:latest"],
+    "Layers": [
+      "a65da33792c5187473faa80fa3e1b975acba06712852d1dea860692ccddf3198/layer.tar",
+      "5f29f704785248ddb9d06b90a11b5ea36c534865e9035e4022bb2e71d4ecbb9a/layer.tar"
+    ]
+  }
+]
+```
+
+There is an entry in the array for each image.
+
+The `Config` field references another file in the tar which includes the image
+JSON for this image.
+
+The `RepoTags` field lists references pointing to this image.
+
+The `Layers` field points to the filesystem changeset tars.
+
+An optional `Parent` field references the imageID of the parent image. This
+parent must be part of the same `manifest.json` file.
+
+This file shouldn't be confused with the distribution manifest, used to push
+and pull images.
+
+Generally, implementations that support this version of the spec will use
+the `manifest.json` file if available, and older implementations will use the
+legacy `*/json` files and `repositories`.
diff --git a/engine/image/spec/v1.2.md b/engine/image/spec/v1.2.md
new file mode 100644
index 00000000..2ea3feec
--- /dev/null
+++ b/engine/image/spec/v1.2.md
@@ -0,0 +1,677 @@
+# Docker Image Specification v1.2.0
+
+An *Image* is an ordered collection of root filesystem changes and the
+corresponding execution parameters for use within a container runtime. This
+specification outlines the format of these filesystem changes and corresponding
+parameters and describes how to create and use them for use with a container
+runtime and execution tool.
+
+This version of the image specification was adopted starting in Docker 1.12.
+
+## Terminology
+
+This specification uses the following terms:
+
+<dl>
+    <dt>
+        Layer
+    </dt>
+    <dd>
+        Images are composed of <i>layers</i>. Each layer is a set of filesystem
+        changes. Layers do not have configuration metadata such as environment
+        variables or default arguments - these are properties of the image as a
+        whole rather than any particular layer.
+    </dd>
+    <dt>
+        Image JSON
+    </dt>
+    <dd>
+        Each image has an associated JSON structure which describes some
+        basic information about the image such as date created, author, and the
+        ID of its parent image as well as execution/runtime configuration like
+        its entry point, default arguments, CPU/memory shares, networking, and
+        volumes. The JSON structure also references a cryptographic hash of
+        each layer used by the image, and provides history information for
+        those layers. This JSON is considered to be immutable, because changing
+        it would change the computed ImageID. Changing it means creating a new
+        derived image, instead of changing the existing image.
+    </dd>
+    <dt>
+        Image Filesystem Changeset
+    </dt>
+    <dd>
+        Each layer has an archive of the files which have been added, changed,
+        or deleted relative to its parent layer. Using a layer-based or union
+        filesystem such as AUFS, or by computing the diff from filesystem
+        snapshots, the filesystem changeset can be used to present a series of
+        image layers as if they were one cohesive filesystem.
+    </dd>
+    <dt>
+        Layer DiffID
+    </dt>
+    <dd>
+        Layers are referenced by cryptographic hashes of their serialized
+        representation. This is a SHA256 digest over the tar archive used to
+        transport the layer, represented as a hexadecimal encoding of 256 bits, e.g.,
+        <code>sha256:a9561eb1b190625c9adb5a9513e72c4dedafc1cb2d4c5236c9a6957ec7dfd5a9</code>.
+        Layers must be packed and unpacked reproducibly to avoid changing the
+        layer ID, for example by using tar-split to save the tar headers. Note
+        that the digest used as the layer ID is taken over an uncompressed
+        version of the tar.
+    </dd>
+    <dt>
+        Layer ChainID
+    </dt>
+    <dd>
+        For convenience, it is sometimes useful to refer to a stack of layers
+        with a single identifier. This is called a <code>ChainID</code>. For a
+        single layer (or the layer at the bottom of a stack), the
+        <code>ChainID</code> is equal to the layer's <code>DiffID</code>.
+        Otherwise the <code>ChainID</code> is given by the formula:
+        <code>ChainID(layerN) = SHA256hex(ChainID(layerN-1) + " " + DiffID(layerN))</code>.
+    </dd>
+    <dt>
+        ImageID <a name="id_desc"></a>
+    </dt>
+    <dd>
+        Each image's ID is given by the SHA256 hash of its configuration JSON. It is 
+        represented as a hexadecimal encoding of 256 bits, e.g.,
+        <code>sha256:a9561eb1b190625c9adb5a9513e72c4dedafc1cb2d4c5236c9a6957ec7dfd5a9</code>.
+        Since the configuration JSON that gets hashed references hashes of each
+        layer in the image, this formulation of the ImageID makes images
+        content-addressable.
+    </dd>
+    <dt>
+        Tag
+    </dt>
+    <dd>
+        A tag serves to map a descriptive, user-given name to any single image
+        ID. Tag values are limited to the set of characters
+        <code>[a-zA-Z0-9_.-]</code>, except they may not start with a <code>.</code>
+        or <code>-</code> character. Tags are limited to 128 characters.
+    </dd>
+    <dt>
+        Repository
+    </dt>
+    <dd>
+        A collection of tags grouped under a common prefix (the name component
+        before <code>:</code>). For example, in an image tagged with the name
+        <code>my-app:3.1.4</code>, <code>my-app</code> is the <i>Repository</i>
+        component of the name. A repository name is made up of slash-separated
+        name components, optionally prefixed by a DNS hostname. The hostname
+        must comply with standard DNS rules, but may not contain
+        <code>_</code> characters. If a hostname is present, it may optionally
+        be followed by a port number in the format <code>:8080</code>.
+        Name components may contain lowercase characters, digits, and
+        separators. A separator is defined as a period, one or two underscores,
+        or one or more dashes. A name component may not start or end with
+        a separator.
+    </dd>
+</dl>
+
+## Image JSON Description
+
+Here is an example image JSON file:
+
+```
+{  
+    "created": "2015-10-31T22:22:56.015925234Z",
+    "author": "Alyssa P. Hacker &ltalyspdev@example.com&gt",
+    "architecture": "amd64",
+    "os": "linux",
+    "config": {
+        "User": "alice",
+        "Memory": 2048,
+        "MemorySwap": 4096,
+        "CpuShares": 8,
+        "ExposedPorts": {  
+            "8080/tcp": {}
+        },
+        "Env": [  
+            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+            "FOO=docker_is_a_really",
+            "BAR=great_tool_you_know"
+        ],
+        "Entrypoint": [
+            "/bin/my-app-binary"
+        ],
+        "Cmd": [
+            "--foreground",
+            "--config",
+            "/etc/my-app.d/default.cfg"
+        ],
+        "Volumes": {
+            "/var/job-result-data": {},
+            "/var/log/my-app-logs": {},
+        },
+        "WorkingDir": "/home/alice",
+    },
+    "rootfs": {
+      "diff_ids": [
+        "sha256:c6f988f4874bb0add23a778f753c65efe992244e148a1d2ec2a8b664fb66bbd1",
+        "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
+      ],
+      "type": "layers"
+    },
+    "history": [
+      {
+        "created": "2015-10-31T22:22:54.690851953Z",
+        "created_by": "/bin/sh -c #(nop) ADD file:a3bc1e842b69636f9df5256c49c5374fb4eef1e281fe3f282c65fb853ee171c5 in /"
+      },
+      {
+        "created": "2015-10-31T22:22:55.613815829Z",
+        "created_by": "/bin/sh -c #(nop) CMD [\"sh\"]",
+        "empty_layer": true
+      }
+    ]
+}
+```
+
+Note that image JSON files produced by Docker don't contain formatting
+whitespace. It has been added to this example for clarity.
+
+### Image JSON Field Descriptions
+
+<dl>
+    <dt>
+        created <code>string</code>
+    </dt>
+    <dd>
+        ISO-8601 formatted combined date and time at which the image was
+        created.
+    </dd>
+    <dt>
+        author <code>string</code>
+    </dt>
+    <dd>
+        Gives the name and/or email address of the person or entity which
+        created and is responsible for maintaining the image.
+    </dd>
+    <dt>
+        architecture <code>string</code>
+    </dt>
+    <dd>
+        The CPU architecture which the binaries in this image are built to run
+        on. Possible values include:
+        <ul>
+            <li>386</li>
+            <li>amd64</li>
+            <li>arm</li>
+        </ul>
+        More values may be supported in the future and any of these may or may
+        not be supported by a given container runtime implementation.
+    </dd>
+    <dt>
+        os <code>string</code>
+    </dt>
+    <dd>
+        The name of the operating system which the image is built to run on.
+        Possible values include:
+        <ul>
+            <li>darwin</li>
+            <li>freebsd</li>
+            <li>linux</li>
+        </ul>
+        More values may be supported in the future and any of these may or may
+        not be supported by a given container runtime implementation.
+    </dd>
+    <dt>
+        config <code>struct</code>
+    </dt>
+    <dd>
+        The execution parameters which should be used as a base when running a
+        container using the image. This field can be <code>null</code>, in
+        which case any execution parameters should be specified at creation of
+        the container.
+        <h4>Container RunConfig Field Descriptions</h4>
+        <dl>
+            <dt>
+                User <code>string</code>
+            </dt>
+            <dd>
+                <p>The username or UID which the process in the container should
+                run as. This acts as a default value to use when the value is
+                not specified when creating a container.</p>
+                <p>All of the following are valid:</p>
+                <ul>
+                    <li><code>user</code></li>
+                    <li><code>uid</code></li>
+                    <li><code>user:group</code></li>
+                    <li><code>uid:gid</code></li>
+                    <li><code>uid:group</code></li>
+                    <li><code>user:gid</code></li>
+                </ul>
+                <p>If <code>group</code>/<code>gid</code> is not specified, the
+                default group and supplementary groups of the given
+                <code>user</code>/<code>uid</code> in <code>/etc/passwd</code>
+                from the container are applied.</p>
+            </dd>
+            <dt>
+                Memory <code>integer</code>
+            </dt>
+            <dd>
+                Memory limit (in bytes). This acts as a default value to use
+                when the value is not specified when creating a container.
+            </dd>
+            <dt>
+                MemorySwap <code>integer</code>
+            </dt>
+            <dd>
+                Total memory usage (memory + swap); set to <code>-1</code> to
+                disable swap. This acts as a default value to use when the
+                value is not specified when creating a container.
+            </dd>
+            <dt>
+                CpuShares <code>integer</code>
+            </dt>
+            <dd>
+                CPU shares (relative weight vs. other containers). This acts as
+                a default value to use when the value is not specified when
+                creating a container.
+            </dd>
+            <dt>
+                ExposedPorts <code>struct</code>
+            </dt>
+            <dd>
+                A set of ports to expose from a container running this image.
+                This JSON structure value is unusual because it is a direct
+                JSON serialization of the Go type
+                <code>map[string]struct{}</code> and is represented in JSON as
+                an object mapping its keys to an empty object. Here is an
+                example:
+<pre>{
+    "8080": {},
+    "53/udp": {},
+    "2356/tcp": {}
+}</pre>
+                Its keys can be in the format of:
+                <ul>
+                    <li>
+                        <code>"port/tcp"</code>
+                    </li>
+                    <li>
+                        <code>"port/udp"</code>
+                    </li>
+                    <li>
+                        <code>"port"</code>
+                    </li>
+                </ul>
+                with the default protocol being <code>"tcp"</code> if not
+                specified. These values act as defaults and are merged with
+                any specified when creating a container.
+            </dd>
+            <dt>
+                Env <code>array of strings</code>
+            </dt>
+            <dd>
+                Entries are in the format of <code>VARNAME="var value"</code>.
+                These values act as defaults and are merged with any specified
+                when creating a container.
+            </dd>
+            <dt>
+                Entrypoint <code>array of strings</code>
+            </dt>
+            <dd>
+                A list of arguments to use as the command to execute when the
+                container starts. This value acts as a  default and is replaced
+                by an entrypoint specified when creating a container.
+            </dd>
+            <dt>
+                Cmd <code>array of strings</code>
+            </dt>
+            <dd>
+                Default arguments to the entry point of the container. These
+                values act as defaults and are replaced with any specified when
+                creating a container. If an <code>Entrypoint</code> value is
+                not specified, then the first entry of the <code>Cmd</code>
+                array should be interpreted as the executable to run.
+            </dd>
+            <dt>
+                Healthcheck <code>struct</code>
+            </dt>
+            <dd>
+                A test to perform to determine whether the container is healthy.
+                Here is an example:
+<pre>{
+  "Test": [
+      "CMD-SHELL",
+      "/usr/bin/check-health localhost"
+  ],
+  "Interval": 30000000000,
+  "Timeout": 10000000000,
+  "Retries": 3
+}</pre>
+                The object has the following fields.
+                <dl>
+                    <dt>
+                        Test <code>array of strings</code>
+                    </dt>
+                    <dd>
+                        The test to perform to check that the container is healthy.
+                        The options are:
+                        <ul>
+                            <li><code>[]</code> : inherit healthcheck from base image</li>
+                            <li><code>["NONE"]</code> : disable healthcheck</li>
+                            <li><code>["CMD", arg1, arg2, ...]</code> : exec arguments directly</li>
+                            <li><code>["CMD-SHELL", command]</code> : run command with system's default shell</li>
+                        </ul>
+                        The test command should exit with a status of 0 if the container is healthy,
+                        or with 1 if it is unhealthy.
+                    </dd>
+                    <dt>
+                        Interval <code>integer</code>
+                    </dt>
+                    <dd>
+                        Number of nanoseconds to wait between probe attempts.
+                    </dd>
+                    <dt>
+                        Timeout <code>integer</code>
+                    </dt>
+                    <dd>
+                        Number of nanoseconds to wait before considering the check to have hung.
+                    </dd>
+                    <dt>
+                        Retries <code>integer</code>
+                    <dt>
+                    <dd>
+                        The number of consecutive failures needed to consider a container as unhealthy.
+                    </dd>
+                </dl>
+                In each case, the field can be omitted to indicate that the
+                value should be inherited from the base layer. These values act
+                as defaults and are merged with any specified when creating a
+                container.
+            </dd>
+            <dt>
+                Volumes <code>struct</code>
+            </dt>
+            <dd>
+                A set of directories which should be created as data volumes in
+                a container running this image. This JSON structure value is
+                unusual because it is a direct JSON serialization of the Go
+                type <code>map[string]struct{}</code> and is represented in
+                JSON as an object mapping its keys to an empty object. Here is
+                an example:
+<pre>{
+    "/var/my-app-data/": {},
+    "/etc/some-config.d/": {},
+}</pre>
+            </dd>
+            <dt>
+                WorkingDir <code>string</code>
+            </dt>
+            <dd>
+                Sets the current working directory of the entry point process
+                in the container. This value acts as a default and is replaced
+                by a working directory specified when creating a container.
+            </dd>
+        </dl>
+    </dd>
+    <dt>
+        rootfs <code>struct</code>
+    </dt>
+    <dd>
+        The rootfs key references the layer content addresses used by the
+        image. This makes the image config hash depend on the filesystem hash.
+        rootfs has two subkeys:
+        <ul>
+          <li>
+            <code>type</code> is usually set to <code>layers</code>.
+          </li>
+          <li>
+            <code>diff_ids</code> is an array of layer content hashes (<code>DiffIDs</code>), in order from bottom-most to top-most.
+          </li>
+        </ul>
+        Here is an example rootfs section:
+<pre>"rootfs": {
+  "diff_ids": [
+    "sha256:c6f988f4874bb0add23a778f753c65efe992244e148a1d2ec2a8b664fb66bbd1",
+    "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
+    "sha256:13f53e08df5a220ab6d13c58b2bf83a59cbdc2e04d0a3f041ddf4b0ba4112d49"
+  ],
+  "type": "layers"
+}</pre>
+    </dd>
+    <dt>
+        history <code>struct</code>
+    </dt>
+    <dd>
+        <code>history</code> is an array of objects describing the history of
+        each layer. The array is ordered from bottom-most layer to top-most
+        layer. The object has the following fields.
+        <ul>
+          <li>
+            <code>created</code>: Creation time, expressed as a ISO-8601 formatted
+            combined date and time
+          </li>
+          <li>
+            <code>author</code>: The author of the build point
+          </li>
+          <li>
+            <code>created_by</code>: The command which created the layer
+          </li>
+          <li>
+            <code>comment</code>: A custom message set when creating the layer
+          </li>
+          <li>
+            <code>empty_layer</code>: This field is used to mark if the history
+            item created a filesystem diff. It is set to true if this history
+            item doesn't correspond to an actual layer in the rootfs section
+            (for example, a command like ENV which results in no change to the
+            filesystem).
+          </li>
+        </ul>
+        Here is an example history section:
+<pre>"history": [
+  {
+    "created": "2015-10-31T22:22:54.690851953Z",
+    "created_by": "/bin/sh -c #(nop) ADD file:a3bc1e842b69636f9df5256c49c5374fb4eef1e281fe3f282c65fb853ee171c5 in /"
+  },
+  {
+    "created": "2015-10-31T22:22:55.613815829Z",
+    "created_by": "/bin/sh -c #(nop) CMD [\"sh\"]",
+    "empty_layer": true
+  }
+]</pre>
+    </dd>
+</dl>
+
+Any extra fields in the Image JSON struct are considered implementation
+specific and should be ignored by any implementations which are unable to
+interpret them.
+
+## Creating an Image Filesystem Changeset
+
+An example of creating an Image Filesystem Changeset follows.
+
+An image root filesystem is first created as an empty directory. Here is the
+initial empty directory structure for the a changeset using the
+randomly-generated directory name `c3167915dc9d` ([actual layer DiffIDs are
+generated based on the content](#id_desc)).
+
+```
+c3167915dc9d/
+```
+
+Files and directories are then created:
+
+```
+c3167915dc9d/
+    etc/
+        my-app-config
+    bin/
+        my-app-binary
+        my-app-tools
+```
+
+The `c3167915dc9d` directory is then committed as a plain Tar archive with
+entries for the following files:
+
+```
+etc/my-app-config
+bin/my-app-binary
+bin/my-app-tools
+```
+
+To make changes to the filesystem of this container image, create a new
+directory, such as `f60c56784b83`, and initialize it with a snapshot of the
+parent image's root filesystem, so that the directory is identical to that
+of `c3167915dc9d`. NOTE: a copy-on-write or union filesystem can make this very
+efficient:
+
+```
+f60c56784b83/
+    etc/
+        my-app-config
+    bin/
+        my-app-binary
+        my-app-tools
+```
+
+This example change is going add a configuration directory at `/etc/my-app.d`
+which contains a default config file. There's also a change to the
+`my-app-tools` binary to handle the config layout change. The `f60c56784b83`
+directory then looks like this:
+
+```
+f60c56784b83/
+    etc/
+        my-app.d/
+            default.cfg
+    bin/
+        my-app-binary
+        my-app-tools
+```
+
+This reflects the removal of `/etc/my-app-config` and creation of a file and
+directory at `/etc/my-app.d/default.cfg`. `/bin/my-app-tools` has also been
+replaced with an updated version. Before committing this directory to a
+changeset, because it has a parent image, it is first compared with the
+directory tree of the parent snapshot, `f60c56784b83`, looking for files and
+directories that have been added, modified, or removed. The following changeset
+is found:
+
+```
+Added:      /etc/my-app.d/default.cfg
+Modified:   /bin/my-app-tools
+Deleted:    /etc/my-app-config
+```
+
+A Tar Archive is then created which contains *only* this changeset: The added
+and modified files and directories in their entirety, and for each deleted item
+an entry for an empty file at the same location but with the basename of the
+deleted file or directory prefixed with `.wh.`. The filenames prefixed with
+`.wh.` are known as "whiteout" files. NOTE: For this reason, it is not possible
+to create an image root filesystem which contains a file or directory with a
+name beginning with `.wh.`. The resulting Tar archive for `f60c56784b83` has
+the following entries:
+
+```
+/etc/my-app.d/default.cfg
+/bin/my-app-tools
+/etc/.wh.my-app-config
+```
+
+Any given image is likely to be composed of several of these Image Filesystem
+Changeset tar archives.
+
+## Combined Image JSON + Filesystem Changeset Format
+
+There is also a format for a single archive which contains complete information
+about an image, including:
+
+ - repository names/tags
+ - image configuration JSON file
+ - all tar archives of each layer filesystem changesets
+
+For example, here's what the full archive of `library/busybox` is (displayed in
+`tree` format):
+
+```
+.
+├── 47bcc53f74dc94b1920f0b34f6036096526296767650f223433fe65c35f149eb.json
+├── 5f29f704785248ddb9d06b90a11b5ea36c534865e9035e4022bb2e71d4ecbb9a
+│   ├── VERSION
+│   ├── json
+│   └── layer.tar
+├── a65da33792c5187473faa80fa3e1b975acba06712852d1dea860692ccddf3198
+│   ├── VERSION
+│   ├── json
+│   └── layer.tar
+├── manifest.json
+└── repositories
+```
+
+There is a directory for each layer in the image. Each directory is named with
+a 64 character hex name that is deterministically generated from the layer
+information. These names are not necessarily layer DiffIDs or ChainIDs. Each of
+these directories contains 3 files:
+
+ * `VERSION` - The schema version of the `json` file
+ * `json` - The legacy JSON metadata for an image layer. In this version of
+    the image specification, layers don't have JSON metadata, but in
+    [version 1](v1.md), they did. A file is created for each layer in the
+    v1 format for backward compatibility.
+ * `layer.tar` - The Tar archive of the filesystem changeset for an image
+   layer.
+
+Note that this directory layout is only important for backward compatibility.
+Current implementations use the paths specified in `manifest.json`.
+
+The content of the `VERSION` files is simply the semantic version of the JSON
+metadata schema:
+
+```
+1.0
+```
+
+The `repositories` file is another JSON file which describes names/tags:
+
+```
+{  
+    "busybox":{  
+        "latest":"5f29f704785248ddb9d06b90a11b5ea36c534865e9035e4022bb2e71d4ecbb9a"
+    }
+}
+```
+
+Every key in this object is the name of a repository, and maps to a collection
+of tag suffixes. Each tag maps to the ID of the image represented by that tag.
+This file is only used for backwards compatibility. Current implementations use
+the `manifest.json` file instead.
+
+The `manifest.json` file provides the image JSON for the top-level image, and
+optionally for parent images that this image was derived from. It consists of
+an array of metadata entries:
+
+```
+[
+  {
+    "Config": "47bcc53f74dc94b1920f0b34f6036096526296767650f223433fe65c35f149eb.json",
+    "RepoTags": ["busybox:latest"],
+    "Layers": [
+      "a65da33792c5187473faa80fa3e1b975acba06712852d1dea860692ccddf3198/layer.tar",
+      "5f29f704785248ddb9d06b90a11b5ea36c534865e9035e4022bb2e71d4ecbb9a/layer.tar"
+    ]
+  }
+]
+```
+
+There is an entry in the array for each image.
+
+The `Config` field references another file in the tar which includes the image
+JSON for this image.
+
+The `RepoTags` field lists references pointing to this image.
+
+The `Layers` field points to the filesystem changeset tars.
+
+An optional `Parent` field references the imageID of the parent image. This
+parent must be part of the same `manifest.json` file.
+
+This file shouldn't be confused with the distribution manifest, used to push
+and pull images.
+
+Generally, implementations that support this version of the spec will use
+the `manifest.json` file if available, and older implementations will use the
+legacy `*/json` files and `repositories`.
diff --git a/engine/image/spec/v1.md b/engine/image/spec/v1.md
new file mode 100644
index 00000000..c1415947
--- /dev/null
+++ b/engine/image/spec/v1.md
@@ -0,0 +1,562 @@
+# Docker Image Specification v1.0.0
+
+An *Image* is an ordered collection of root filesystem changes and the
+corresponding execution parameters for use within a container runtime. This
+specification outlines the format of these filesystem changes and corresponding
+parameters and describes how to create and use them for use with a container
+runtime and execution tool.
+
+## Terminology
+
+This specification uses the following terms:
+
+<dl>
+    <dt>
+        Layer
+    </dt>
+    <dd>
+        Images are composed of <i>layers</i>. <i>Image layer</i> is a general
+        term which may be used to refer to one or both of the following:
+        <ol>
+            <li>The metadata for the layer, described in the JSON format.</li>
+            <li>The filesystem changes described by a layer.</li>
+        </ol>
+        To refer to the former you may use the term <i>Layer JSON</i> or
+        <i>Layer Metadata</i>. To refer to the latter you may use the term
+        <i>Image Filesystem Changeset</i> or <i>Image Diff</i>.
+    </dd>
+    <dt>
+        Image JSON
+    </dt>
+    <dd>
+        Each layer has an associated JSON structure which describes some
+        basic information about the image such as date created, author, and the
+        ID of its parent image as well as execution/runtime configuration like
+        its entry point, default arguments, CPU/memory shares, networking, and
+        volumes.
+    </dd>
+    <dt>
+        Image Filesystem Changeset
+    </dt>
+    <dd>
+        Each layer has an archive of the files which have been added, changed,
+        or deleted relative to its parent layer. Using a layer-based or union
+        filesystem such as AUFS, or by computing the diff from filesystem
+        snapshots, the filesystem changeset can be used to present a series of
+        image layers as if they were one cohesive filesystem.
+    </dd>
+    <dt>
+        Image ID <a name="id_desc"></a>
+    </dt>
+    <dd>
+        Each layer is given an ID upon its creation. It is 
+        represented as a hexadecimal encoding of 256 bits, e.g.,
+        <code>a9561eb1b190625c9adb5a9513e72c4dedafc1cb2d4c5236c9a6957ec7dfd5a9</code>.
+        Image IDs should be sufficiently random so as to be globally unique.
+        32 bytes read from <code>/dev/urandom</code> is sufficient for all
+        practical purposes. Alternatively, an image ID may be derived as a
+        cryptographic hash of image contents as the result is considered
+        indistinguishable from random. The choice is left up to implementors.
+    </dd>
+    <dt>
+        Image Parent
+    </dt>
+    <dd>
+        Most layer metadata structs contain a <code>parent</code> field which
+        refers to the Image from which another directly descends. An image
+        contains a separate JSON metadata file and set of changes relative to
+        the filesystem of its parent image. <i>Image Ancestor</i> and
+        <i>Image Descendant</i> are also common terms.
+    </dd>
+    <dt>
+        Image Checksum
+    </dt>
+    <dd>
+        Layer metadata structs contain a cryptographic hash of the contents of
+        the layer's filesystem changeset. Though the set of changes exists as a
+        simple Tar archive, two archives with identical filenames and content
+        will have different SHA digests if the last-access or last-modified
+        times of any entries differ. For this reason, image checksums are
+        generated using the TarSum algorithm which produces a cryptographic
+        hash of file contents and selected headers only. Details of this
+        algorithm are described in the separate <a href="https://github.com/docker/docker/blob/master/pkg/tarsum/tarsum_spec.md">TarSum specification</a>.
+    </dd>
+    <dt>
+        Tag
+    </dt>
+    <dd>
+        A tag serves to map a descriptive, user-given name to any single image
+        ID. An image name suffix (the name component after <code>:</code>) is
+        often referred to as a tag as well, though it strictly refers to the
+        full name of an image. Acceptable values for a tag suffix are
+        implementation specific, but they SHOULD be limited to the set of
+        alphanumeric characters <code>[a-zA-Z0-9]</code>, punctuation
+        characters <code>[._-]</code>, and MUST NOT contain a <code>:</code>
+        character.
+    </dd>
+    <dt>
+        Repository
+    </dt>
+    <dd>
+        A collection of tags grouped under a common prefix (the name component
+        before <code>:</code>). For example, in an image tagged with the name
+        <code>my-app:3.1.4</code>, <code>my-app</code> is the <i>Repository</i>
+        component of the name. Acceptable values for repository name are
+        implementation specific, but they SHOULD be limited to the set of
+        alphanumeric characters <code>[a-zA-Z0-9]</code>, and punctuation
+        characters <code>[._-]</code>, however it MAY contain additional
+        <code>/</code> and <code>:</code> characters for organizational
+        purposes, with the last <code>:</code> character being interpreted
+        dividing the repository component of the name from the tag suffix
+        component.
+    </dd>
+</dl>
+
+## Image JSON Description
+
+Here is an example image JSON file:
+
+```
+{  
+    "id": "a9561eb1b190625c9adb5a9513e72c4dedafc1cb2d4c5236c9a6957ec7dfd5a9",
+    "parent": "c6e3cedcda2e3982a1a6760e178355e8e65f7b80e4e5248743fa3549d284e024",
+    "checksum": "tarsum.v1+sha256:e58fcf7418d2390dec8e8fb69d88c06ec07039d651fedc3aa72af9972e7d046b",
+    "created": "2014-10-13T21:19:18.674353812Z",
+    "author": "Alyssa P. Hacker &ltalyspdev@example.com&gt",
+    "architecture": "amd64",
+    "os": "linux",
+    "Size": 271828,
+    "config": {
+        "User": "alice",
+        "Memory": 2048,
+        "MemorySwap": 4096,
+        "CpuShares": 8,
+        "ExposedPorts": {  
+            "8080/tcp": {}
+        },
+        "Env": [  
+            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+            "FOO=docker_is_a_really",
+            "BAR=great_tool_you_know"
+        ],
+        "Entrypoint": [
+            "/bin/my-app-binary"
+        ],
+        "Cmd": [
+            "--foreground",
+            "--config",
+            "/etc/my-app.d/default.cfg"
+        ],
+        "Volumes": {
+            "/var/job-result-data": {},
+            "/var/log/my-app-logs": {},
+        },
+        "WorkingDir": "/home/alice",
+    }
+}
+```
+
+### Image JSON Field Descriptions
+
+<dl>
+    <dt>
+        id <code>string</code>
+    </dt>
+    <dd>
+        Randomly generated, 256-bit, hexadecimal encoded. Uniquely identifies
+        the image.
+    </dd>
+    <dt>
+        parent <code>string</code>
+    </dt>
+    <dd>
+        ID of the parent image. If there is no parent image then this field
+        should be omitted. A collection of images may share many of the same
+        ancestor layers. This organizational structure is strictly a tree with
+        any one layer having either no parent or a single parent and zero or
+        more descendant layers. Cycles are not allowed and implementations
+        should be careful to avoid creating them or iterating through a cycle
+        indefinitely.
+    </dd>
+    <dt>
+        created <code>string</code>
+    </dt>
+    <dd>
+        ISO-8601 formatted combined date and time at which the image was
+        created.
+    </dd>
+    <dt>
+        author <code>string</code>
+    </dt>
+    <dd>
+        Gives the name and/or email address of the person or entity which
+        created and is responsible for maintaining the image.
+    </dd>
+    <dt>
+        architecture <code>string</code>
+    </dt>
+    <dd>
+        The CPU architecture which the binaries in this image are built to run
+        on. Possible values include:
+        <ul>
+            <li>386</li>
+            <li>amd64</li>
+            <li>arm</li>
+        </ul>
+        More values may be supported in the future and any of these may or may
+        not be supported by a given container runtime implementation.
+    </dd>
+    <dt>
+        os <code>string</code>
+    </dt>
+    <dd>
+        The name of the operating system which the image is built to run on.
+        Possible values include:
+        <ul>
+            <li>darwin</li>
+            <li>freebsd</li>
+            <li>linux</li>
+        </ul>
+        More values may be supported in the future and any of these may or may
+        not be supported by a given container runtime implementation.
+    </dd>
+    <dt>
+        checksum <code>string</code>
+    </dt>
+    <dd>
+        Image Checksum of the filesystem changeset associated with the image
+        layer.
+    </dd>
+    <dt>
+        Size <code>integer</code>
+    </dt>
+    <dd>
+        The size in bytes of the filesystem changeset associated with the image
+        layer.
+    </dd>
+    <dt>
+        config <code>struct</code>
+    </dt>
+    <dd>
+        The execution parameters which should be used as a base when running a
+        container using the image. This field can be <code>null</code>, in
+        which case any execution parameters should be specified at creation of
+        the container.
+        <h4>Container RunConfig Field Descriptions</h4>
+        <dl>
+            <dt>
+                User <code>string</code>
+            </dt>
+            <dd>
+                <p>The username or UID which the process in the container should
+                run as. This acts as a default value to use when the value is
+                not specified when creating a container.</p>
+                <p>All of the following are valid:</p>
+                <ul>
+                    <li><code>user</code></li>
+                    <li><code>uid</code></li>
+                    <li><code>user:group</code></li>
+                    <li><code>uid:gid</code></li>
+                    <li><code>uid:group</code></li>
+                    <li><code>user:gid</code></li>
+                </ul>
+                <p>If <code>group</code>/<code>gid</code> is not specified, the
+                default group and supplementary groups of the given
+                <code>user</code>/<code>uid</code> in <code>/etc/passwd</code>
+                from the container are applied.</p>
+            </dd>
+            <dt>
+                Memory <code>integer</code>
+            </dt>
+            <dd>
+                Memory limit (in bytes). This acts as a default value to use
+                when the value is not specified when creating a container.
+            </dd>
+            <dt>
+                MemorySwap <code>integer</code>
+            </dt>
+            <dd>
+                Total memory usage (memory + swap); set to <code>-1</code> to
+                disable swap. This acts as a default value to use when the
+                value is not specified when creating a container.
+            </dd>
+            <dt>
+                CpuShares <code>integer</code>
+            </dt>
+            <dd>
+                CPU shares (relative weight vs. other containers). This acts as
+                a default value to use when the value is not specified when
+                creating a container.
+            </dd>
+            <dt>
+                ExposedPorts <code>struct</code>
+            </dt>
+            <dd>
+                A set of ports to expose from a container running this image.
+                This JSON structure value is unusual because it is a direct
+                JSON serialization of the Go type
+                <code>map[string]struct{}</code> and is represented in JSON as
+                an object mapping its keys to an empty object. Here is an
+                example:
+<pre>{
+    "8080": {},
+    "53/udp": {},
+    "2356/tcp": {}
+}</pre>
+                Its keys can be in the format of:
+                <ul>
+                    <li>
+                        <code>"port/tcp"</code>
+                    </li>
+                    <li>
+                        <code>"port/udp"</code>
+                    </li>
+                    <li>
+                        <code>"port"</code>
+                    </li>
+                </ul>
+                with the default protocol being <code>"tcp"</code> if not
+                specified. These values act as defaults and are merged with any specified
+                when creating a container.
+            </dd>
+            <dt>
+                Env <code>array of strings</code>
+            </dt>
+            <dd>
+                Entries are in the format of <code>VARNAME="var value"</code>.
+                These values act as defaults and are merged with any specified
+                when creating a container.
+            </dd>
+            <dt>
+                Entrypoint <code>array of strings</code>
+            </dt>
+            <dd>
+                A list of arguments to use as the command to execute when the
+                container starts. This value acts as a  default and is replaced
+                by an entrypoint specified when creating a container.
+            </dd>
+            <dt>
+                Cmd <code>array of strings</code>
+            </dt>
+            <dd>
+                Default arguments to the entry point of the container. These
+                values act as defaults and are replaced with any specified when
+                creating a container. If an <code>Entrypoint</code> value is
+                not specified, then the first entry of the <code>Cmd</code>
+                array should be interpreted as the executable to run.
+            </dd>
+            <dt>
+                Volumes <code>struct</code>
+            </dt>
+            <dd>
+                A set of directories which should be created as data volumes in
+                a container running this image. This JSON structure value is
+                unusual because it is a direct JSON serialization of the Go
+                type <code>map[string]struct{}</code> and is represented in
+                JSON as an object mapping its keys to an empty object. Here is
+                an example:
+<pre>{
+    "/var/my-app-data/": {},
+    "/etc/some-config.d/": {},
+}</pre>
+            </dd>
+            <dt>
+                WorkingDir <code>string</code>
+            </dt>
+            <dd>
+                Sets the current working directory of the entry point process
+                in the container. This value acts as a default and is replaced
+                by a working directory specified when creating a container.
+            </dd>
+        </dl>
+    </dd>
+</dl>
+
+Any extra fields in the Image JSON struct are considered implementation
+specific and should be ignored by any implementations which are unable to
+interpret them.
+
+## Creating an Image Filesystem Changeset
+
+An example of creating an Image Filesystem Changeset follows.
+
+An image root filesystem is first created as an empty directory named with the
+ID of the image being created. Here is the initial empty directory structure
+for the changeset for an image with ID `c3167915dc9d` ([real IDs are much
+longer](#id_desc), but this example use a truncated one here for brevity.
+Implementations need not name the rootfs directory in this way but it may be
+convenient for keeping record of a large number of image layers.):
+
+```
+c3167915dc9d/
+```
+
+Files and directories are then created:
+
+```
+c3167915dc9d/
+    etc/
+        my-app-config
+    bin/
+        my-app-binary
+        my-app-tools
+```
+
+The `c3167915dc9d` directory is then committed as a plain Tar archive with
+entries for the following files:
+
+```
+etc/my-app-config
+bin/my-app-binary
+bin/my-app-tools
+```
+
+The TarSum checksum for the archive file is then computed and placed in the
+JSON metadata along with the execution parameters.
+
+To make changes to the filesystem of this container image, create a new
+directory named with a new ID, such as `f60c56784b83`, and initialize it with
+a snapshot of the parent image's root filesystem, so that the directory is
+identical to that of `c3167915dc9d`. NOTE: a copy-on-write or union filesystem
+can make this very efficient:
+
+```
+f60c56784b83/
+    etc/
+        my-app-config
+    bin/
+        my-app-binary
+        my-app-tools
+```
+
+This example change is going to add a configuration directory at `/etc/my-app.d`
+which contains a default config file. There's also a change to the
+`my-app-tools` binary to handle the config layout change. The `f60c56784b83`
+directory then looks like this:
+
+```
+f60c56784b83/
+    etc/
+        my-app.d/
+            default.cfg
+    bin/
+        my-app-binary
+        my-app-tools
+```
+
+This reflects the removal of `/etc/my-app-config` and creation of a file and
+directory at `/etc/my-app.d/default.cfg`. `/bin/my-app-tools` has also been
+replaced with an updated version. Before committing this directory to a
+changeset, because it has a parent image, it is first compared with the
+directory tree of the parent snapshot, `f60c56784b83`, looking for files and
+directories that have been added, modified, or removed. The following changeset
+is found:
+
+```
+Added:      /etc/my-app.d/default.cfg
+Modified:   /bin/my-app-tools
+Deleted:    /etc/my-app-config
+```
+
+A Tar Archive is then created which contains *only* this changeset: The added
+and modified files and directories in their entirety, and for each deleted item
+an entry for an empty file at the same location but with the basename of the
+deleted file or directory prefixed with `.wh.`. The filenames prefixed with
+`.wh.` are known as "whiteout" files. NOTE: For this reason, it is not possible
+to create an image root filesystem which contains a file or directory with a
+name beginning with `.wh.`. The resulting Tar archive for `f60c56784b83` has
+the following entries:
+
+```
+/etc/my-app.d/default.cfg
+/bin/my-app-tools
+/etc/.wh.my-app-config
+```
+
+Any given image is likely to be composed of several of these Image Filesystem
+Changeset tar archives.
+
+## Combined Image JSON + Filesystem Changeset Format
+
+There is also a format for a single archive which contains complete information
+about an image, including:
+
+ - repository names/tags
+ - all image layer JSON files
+ - all tar archives of each layer filesystem changesets
+
+For example, here's what the full archive of `library/busybox` is (displayed in
+`tree` format):
+
+```
+.
+├── 5785b62b697b99a5af6cd5d0aabc804d5748abbb6d3d07da5d1d3795f2dcc83e
+│   ├── VERSION
+│   ├── json
+│   └── layer.tar
+├── a7b8b41220991bfc754d7ad445ad27b7f272ab8b4a2c175b9512b97471d02a8a
+│   ├── VERSION
+│   ├── json
+│   └── layer.tar
+├── a936027c5ca8bf8f517923169a233e391cbb38469a75de8383b5228dc2d26ceb
+│   ├── VERSION
+│   ├── json
+│   └── layer.tar
+├── f60c56784b832dd990022afc120b8136ab3da9528094752ae13fe63a2d28dc8c
+│   ├── VERSION
+│   ├── json
+│   └── layer.tar
+└── repositories
+```
+
+There are one or more directories named with the ID for each layer in a full
+image. Each of these directories contains 3 files:
+
+ * `VERSION` - The schema version of the `json` file
+ * `json` - The JSON metadata for an image layer
+ * `layer.tar` - The Tar archive of the filesystem changeset for an image
+   layer.
+
+The content of the `VERSION` files is simply the semantic version of the JSON
+metadata schema:
+
+```
+1.0
+```
+
+And the `repositories` file is another JSON file which describes names/tags:
+
+```
+{  
+    "busybox":{  
+        "latest":"5785b62b697b99a5af6cd5d0aabc804d5748abbb6d3d07da5d1d3795f2dcc83e"
+    }
+}
+```
+
+Every key in this object is the name of a repository, and maps to a collection
+of tag suffixes. Each tag maps to the ID of the image represented by that tag.
+
+## Loading an Image Filesystem Changeset
+
+Unpacking a bundle of image layer JSON files and their corresponding filesystem
+changesets can be done using a series of steps:
+
+1. Follow the parent IDs of image layers to find the root ancestor (an image
+with no parent ID specified).
+2. For every image layer, in order from root ancestor and descending down,
+extract the contents of that layer's filesystem changeset archive into a
+directory which will be used as the root of a container filesystem.
+
+    - Extract all contents of each archive.
+    - Walk the directory tree once more, removing any files with the prefix
+    `.wh.` and the corresponding file or directory named without this prefix.
+
+
+## Implementations
+
+This specification is an admittedly imperfect description of an
+imperfectly-understood problem. The Docker project is, in turn, an attempt to
+implement this specification. Our goal and our execution toward it will evolve
+over time, but our primary concern in this specification and in our
+implementation is compatibility and interoperability.
diff --git a/engine/image/store.go b/engine/image/store.go
new file mode 100644
index 00000000..1a8a8a24
--- /dev/null
+++ b/engine/image/store.go
@@ -0,0 +1,346 @@
+package image // import "github.com/docker/docker/image"
+
+import (
+	"encoding/json"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/docker/distribution/digestset"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/system"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Store is an interface for creating and accessing images
+type Store interface {
+	Create(config []byte) (ID, error)
+	Get(id ID) (*Image, error)
+	Delete(id ID) ([]layer.Metadata, error)
+	Search(partialID string) (ID, error)
+	SetParent(id ID, parent ID) error
+	GetParent(id ID) (ID, error)
+	SetLastUpdated(id ID) error
+	GetLastUpdated(id ID) (time.Time, error)
+	Children(id ID) []ID
+	Map() map[ID]*Image
+	Heads() map[ID]*Image
+	Len() int
+}
+
+// LayerGetReleaser is a minimal interface for getting and releasing images.
+type LayerGetReleaser interface {
+	Get(layer.ChainID) (layer.Layer, error)
+	Release(layer.Layer) ([]layer.Metadata, error)
+}
+
+type imageMeta struct {
+	layer    layer.Layer
+	children map[ID]struct{}
+}
+
+type store struct {
+	sync.RWMutex
+	lss       map[string]LayerGetReleaser
+	images    map[ID]*imageMeta
+	fs        StoreBackend
+	digestSet *digestset.Set
+}
+
+// NewImageStore returns new store object for given set of layer stores
+func NewImageStore(fs StoreBackend, lss map[string]LayerGetReleaser) (Store, error) {
+	is := &store{
+		lss:       lss,
+		images:    make(map[ID]*imageMeta),
+		fs:        fs,
+		digestSet: digestset.NewSet(),
+	}
+
+	// load all current images and retain layers
+	if err := is.restore(); err != nil {
+		return nil, err
+	}
+
+	return is, nil
+}
+
+func (is *store) restore() error {
+	err := is.fs.Walk(func(dgst digest.Digest) error {
+		img, err := is.Get(IDFromDigest(dgst))
+		if err != nil {
+			logrus.Errorf("invalid image %v, %v", dgst, err)
+			return nil
+		}
+		var l layer.Layer
+		if chainID := img.RootFS.ChainID(); chainID != "" {
+			if !system.IsOSSupported(img.OperatingSystem()) {
+				logrus.Errorf("not restoring image with unsupported operating system %v, %v, %s", dgst, chainID, img.OperatingSystem())
+				return nil
+			}
+			l, err = is.lss[img.OperatingSystem()].Get(chainID)
+			if err != nil {
+				if err == layer.ErrLayerDoesNotExist {
+					logrus.Errorf("layer does not exist, not restoring image %v, %v, %s", dgst, chainID, img.OperatingSystem())
+					return nil
+				}
+				return err
+			}
+		}
+		if err := is.digestSet.Add(dgst); err != nil {
+			return err
+		}
+
+		imageMeta := &imageMeta{
+			layer:    l,
+			children: make(map[ID]struct{}),
+		}
+
+		is.images[IDFromDigest(dgst)] = imageMeta
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	// Second pass to fill in children maps
+	for id := range is.images {
+		if parent, err := is.GetParent(id); err == nil {
+			if parentMeta := is.images[parent]; parentMeta != nil {
+				parentMeta.children[id] = struct{}{}
+			}
+		}
+	}
+
+	return nil
+}
+
+func (is *store) Create(config []byte) (ID, error) {
+	var img Image
+	err := json.Unmarshal(config, &img)
+	if err != nil {
+		return "", err
+	}
+
+	// Must reject any config that references diffIDs from the history
+	// which aren't among the rootfs layers.
+	rootFSLayers := make(map[layer.DiffID]struct{})
+	for _, diffID := range img.RootFS.DiffIDs {
+		rootFSLayers[diffID] = struct{}{}
+	}
+
+	layerCounter := 0
+	for _, h := range img.History {
+		if !h.EmptyLayer {
+			layerCounter++
+		}
+	}
+	if layerCounter > len(img.RootFS.DiffIDs) {
+		return "", errors.New("too many non-empty layers in History section")
+	}
+
+	dgst, err := is.fs.Set(config)
+	if err != nil {
+		return "", err
+	}
+	imageID := IDFromDigest(dgst)
+
+	is.Lock()
+	defer is.Unlock()
+
+	if _, exists := is.images[imageID]; exists {
+		return imageID, nil
+	}
+
+	layerID := img.RootFS.ChainID()
+
+	var l layer.Layer
+	if layerID != "" {
+		if !system.IsOSSupported(img.OperatingSystem()) {
+			return "", system.ErrNotSupportedOperatingSystem
+		}
+		l, err = is.lss[img.OperatingSystem()].Get(layerID)
+		if err != nil {
+			return "", errors.Wrapf(err, "failed to get layer %s", layerID)
+		}
+	}
+
+	imageMeta := &imageMeta{
+		layer:    l,
+		children: make(map[ID]struct{}),
+	}
+
+	is.images[imageID] = imageMeta
+	if err := is.digestSet.Add(imageID.Digest()); err != nil {
+		delete(is.images, imageID)
+		return "", err
+	}
+
+	return imageID, nil
+}
+
+type imageNotFoundError string
+
+func (e imageNotFoundError) Error() string {
+	return "No such image: " + string(e)
+}
+
+func (imageNotFoundError) NotFound() {}
+
+func (is *store) Search(term string) (ID, error) {
+	dgst, err := is.digestSet.Lookup(term)
+	if err != nil {
+		if err == digestset.ErrDigestNotFound {
+			err = imageNotFoundError(term)
+		}
+		return "", errors.WithStack(err)
+	}
+	return IDFromDigest(dgst), nil
+}
+
+func (is *store) Get(id ID) (*Image, error) {
+	// todo: Check if image is in images
+	// todo: Detect manual insertions and start using them
+	config, err := is.fs.Get(id.Digest())
+	if err != nil {
+		return nil, err
+	}
+
+	img, err := NewFromJSON(config)
+	if err != nil {
+		return nil, err
+	}
+	img.computedID = id
+
+	img.Parent, err = is.GetParent(id)
+	if err != nil {
+		img.Parent = ""
+	}
+
+	return img, nil
+}
+
+func (is *store) Delete(id ID) ([]layer.Metadata, error) {
+	is.Lock()
+	defer is.Unlock()
+
+	imageMeta := is.images[id]
+	if imageMeta == nil {
+		return nil, fmt.Errorf("unrecognized image ID %s", id.String())
+	}
+	img, err := is.Get(id)
+	if err != nil {
+		return nil, fmt.Errorf("unrecognized image %s, %v", id.String(), err)
+	}
+	if !system.IsOSSupported(img.OperatingSystem()) {
+		return nil, fmt.Errorf("unsupported image operating system %q", img.OperatingSystem())
+	}
+	for id := range imageMeta.children {
+		is.fs.DeleteMetadata(id.Digest(), "parent")
+	}
+	if parent, err := is.GetParent(id); err == nil && is.images[parent] != nil {
+		delete(is.images[parent].children, id)
+	}
+
+	if err := is.digestSet.Remove(id.Digest()); err != nil {
+		logrus.Errorf("error removing %s from digest set: %q", id, err)
+	}
+	delete(is.images, id)
+	is.fs.Delete(id.Digest())
+
+	if imageMeta.layer != nil {
+		return is.lss[img.OperatingSystem()].Release(imageMeta.layer)
+	}
+	return nil, nil
+}
+
+func (is *store) SetParent(id, parent ID) error {
+	is.Lock()
+	defer is.Unlock()
+	parentMeta := is.images[parent]
+	if parentMeta == nil {
+		return fmt.Errorf("unknown parent image ID %s", parent.String())
+	}
+	if parent, err := is.GetParent(id); err == nil && is.images[parent] != nil {
+		delete(is.images[parent].children, id)
+	}
+	parentMeta.children[id] = struct{}{}
+	return is.fs.SetMetadata(id.Digest(), "parent", []byte(parent))
+}
+
+func (is *store) GetParent(id ID) (ID, error) {
+	d, err := is.fs.GetMetadata(id.Digest(), "parent")
+	if err != nil {
+		return "", err
+	}
+	return ID(d), nil // todo: validate?
+}
+
+// SetLastUpdated time for the image ID to the current time
+func (is *store) SetLastUpdated(id ID) error {
+	lastUpdated := []byte(time.Now().Format(time.RFC3339Nano))
+	return is.fs.SetMetadata(id.Digest(), "lastUpdated", lastUpdated)
+}
+
+// GetLastUpdated time for the image ID
+func (is *store) GetLastUpdated(id ID) (time.Time, error) {
+	bytes, err := is.fs.GetMetadata(id.Digest(), "lastUpdated")
+	if err != nil || len(bytes) == 0 {
+		// No lastUpdated time
+		return time.Time{}, nil
+	}
+	return time.Parse(time.RFC3339Nano, string(bytes))
+}
+
+func (is *store) Children(id ID) []ID {
+	is.RLock()
+	defer is.RUnlock()
+
+	return is.children(id)
+}
+
+func (is *store) children(id ID) []ID {
+	var ids []ID
+	if is.images[id] != nil {
+		for id := range is.images[id].children {
+			ids = append(ids, id)
+		}
+	}
+	return ids
+}
+
+func (is *store) Heads() map[ID]*Image {
+	return is.imagesMap(false)
+}
+
+func (is *store) Map() map[ID]*Image {
+	return is.imagesMap(true)
+}
+
+func (is *store) imagesMap(all bool) map[ID]*Image {
+	is.RLock()
+	defer is.RUnlock()
+
+	images := make(map[ID]*Image)
+
+	for id := range is.images {
+		if !all && len(is.children(id)) > 0 {
+			continue
+		}
+		img, err := is.Get(id)
+		if err != nil {
+			logrus.Errorf("invalid image access: %q, error: %q", id, err)
+			continue
+		}
+		images[id] = img
+	}
+	return images
+}
+
+func (is *store) Len() int {
+	is.RLock()
+	defer is.RUnlock()
+	return len(is.images)
+}
diff --git a/engine/image/store_test.go b/engine/image/store_test.go
new file mode 100644
index 00000000..0edf3282
--- /dev/null
+++ b/engine/image/store_test.go
@@ -0,0 +1,197 @@
+package image // import "github.com/docker/docker/image"
+
+import (
+	"fmt"
+	"runtime"
+	"testing"
+
+	"github.com/docker/docker/layer"
+	"github.com/opencontainers/go-digest"
+	"gotest.tools/assert"
+	"gotest.tools/assert/cmp"
+)
+
+func TestRestore(t *testing.T) {
+	fs, cleanup := defaultFSStoreBackend(t)
+	defer cleanup()
+
+	id1, err := fs.Set([]byte(`{"comment": "abc", "rootfs": {"type": "layers"}}`))
+	assert.NilError(t, err)
+
+	_, err = fs.Set([]byte(`invalid`))
+	assert.NilError(t, err)
+
+	id2, err := fs.Set([]byte(`{"comment": "def", "rootfs": {"type": "layers", "diff_ids": ["2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"]}}`))
+	assert.NilError(t, err)
+
+	err = fs.SetMetadata(id2, "parent", []byte(id1))
+	assert.NilError(t, err)
+
+	mlgrMap := make(map[string]LayerGetReleaser)
+	mlgrMap[runtime.GOOS] = &mockLayerGetReleaser{}
+	is, err := NewImageStore(fs, mlgrMap)
+	assert.NilError(t, err)
+
+	assert.Check(t, cmp.Len(is.Map(), 2))
+
+	img1, err := is.Get(ID(id1))
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal(ID(id1), img1.computedID))
+	assert.Check(t, cmp.Equal(string(id1), img1.computedID.String()))
+
+	img2, err := is.Get(ID(id2))
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal("abc", img1.Comment))
+	assert.Check(t, cmp.Equal("def", img2.Comment))
+
+	_, err = is.GetParent(ID(id1))
+	assert.ErrorContains(t, err, "failed to read metadata")
+
+	p, err := is.GetParent(ID(id2))
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal(ID(id1), p))
+
+	children := is.Children(ID(id1))
+	assert.Check(t, cmp.Len(children, 1))
+	assert.Check(t, cmp.Equal(ID(id2), children[0]))
+	assert.Check(t, cmp.Len(is.Heads(), 1))
+
+	sid1, err := is.Search(string(id1)[:10])
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal(ID(id1), sid1))
+
+	sid1, err = is.Search(digest.Digest(id1).Hex()[:6])
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal(ID(id1), sid1))
+
+	invalidPattern := digest.Digest(id1).Hex()[1:6]
+	_, err = is.Search(invalidPattern)
+	assert.ErrorContains(t, err, "No such image")
+}
+
+func TestAddDelete(t *testing.T) {
+	is, cleanup := defaultImageStore(t)
+	defer cleanup()
+
+	id1, err := is.Create([]byte(`{"comment": "abc", "rootfs": {"type": "layers", "diff_ids": ["2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"]}}`))
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal(ID("sha256:8d25a9c45df515f9d0fe8e4a6b1c64dd3b965a84790ddbcc7954bb9bc89eb993"), id1))
+
+	img, err := is.Get(id1)
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal("abc", img.Comment))
+
+	id2, err := is.Create([]byte(`{"comment": "def", "rootfs": {"type": "layers", "diff_ids": ["2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"]}}`))
+	assert.NilError(t, err)
+
+	err = is.SetParent(id2, id1)
+	assert.NilError(t, err)
+
+	pid1, err := is.GetParent(id2)
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal(pid1, id1))
+
+	_, err = is.Delete(id1)
+	assert.NilError(t, err)
+
+	_, err = is.Get(id1)
+	assert.ErrorContains(t, err, "failed to get digest")
+
+	_, err = is.Get(id2)
+	assert.NilError(t, err)
+
+	_, err = is.GetParent(id2)
+	assert.ErrorContains(t, err, "failed to read metadata")
+}
+
+func TestSearchAfterDelete(t *testing.T) {
+	is, cleanup := defaultImageStore(t)
+	defer cleanup()
+
+	id, err := is.Create([]byte(`{"comment": "abc", "rootfs": {"type": "layers"}}`))
+	assert.NilError(t, err)
+
+	id1, err := is.Search(string(id)[:15])
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal(id1, id))
+
+	_, err = is.Delete(id)
+	assert.NilError(t, err)
+
+	_, err = is.Search(string(id)[:15])
+	assert.ErrorContains(t, err, "No such image")
+}
+
+func TestParentReset(t *testing.T) {
+	is, cleanup := defaultImageStore(t)
+	defer cleanup()
+
+	id, err := is.Create([]byte(`{"comment": "abc1", "rootfs": {"type": "layers"}}`))
+	assert.NilError(t, err)
+
+	id2, err := is.Create([]byte(`{"comment": "abc2", "rootfs": {"type": "layers"}}`))
+	assert.NilError(t, err)
+
+	id3, err := is.Create([]byte(`{"comment": "abc3", "rootfs": {"type": "layers"}}`))
+	assert.NilError(t, err)
+
+	assert.Check(t, is.SetParent(id, id2))
+	assert.Check(t, cmp.Len(is.Children(id2), 1))
+
+	assert.Check(t, is.SetParent(id, id3))
+	assert.Check(t, cmp.Len(is.Children(id2), 0))
+	assert.Check(t, cmp.Len(is.Children(id3), 1))
+}
+
+func defaultImageStore(t *testing.T) (Store, func()) {
+	fsBackend, cleanup := defaultFSStoreBackend(t)
+
+	mlgrMap := make(map[string]LayerGetReleaser)
+	mlgrMap[runtime.GOOS] = &mockLayerGetReleaser{}
+	store, err := NewImageStore(fsBackend, mlgrMap)
+	assert.NilError(t, err)
+
+	return store, cleanup
+}
+
+func TestGetAndSetLastUpdated(t *testing.T) {
+	store, cleanup := defaultImageStore(t)
+	defer cleanup()
+
+	id, err := store.Create([]byte(`{"comment": "abc1", "rootfs": {"type": "layers"}}`))
+	assert.NilError(t, err)
+
+	updated, err := store.GetLastUpdated(id)
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal(updated.IsZero(), true))
+
+	assert.Check(t, store.SetLastUpdated(id))
+
+	updated, err = store.GetLastUpdated(id)
+	assert.NilError(t, err)
+	assert.Check(t, cmp.Equal(updated.IsZero(), false))
+}
+
+func TestStoreLen(t *testing.T) {
+	store, cleanup := defaultImageStore(t)
+	defer cleanup()
+
+	expected := 10
+	for i := 0; i < expected; i++ {
+		_, err := store.Create([]byte(fmt.Sprintf(`{"comment": "abc%d", "rootfs": {"type": "layers"}}`, i)))
+		assert.NilError(t, err)
+	}
+	numImages := store.Len()
+	assert.Equal(t, expected, numImages)
+	assert.Equal(t, len(store.Map()), numImages)
+}
+
+type mockLayerGetReleaser struct{}
+
+func (ls *mockLayerGetReleaser) Get(layer.ChainID) (layer.Layer, error) {
+	return nil, nil
+}
+
+func (ls *mockLayerGetReleaser) Release(layer.Layer) ([]layer.Metadata, error) {
+	return nil, nil
+}
diff --git a/engine/image/tarexport/load.go b/engine/image/tarexport/load.go
new file mode 100644
index 00000000..78621438
--- /dev/null
+++ b/engine/image/tarexport/load.go
@@ -0,0 +1,432 @@
+package tarexport // import "github.com/docker/docker/image/tarexport"
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"runtime"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/image/v1"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/chrootarchive"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/streamformatter"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/symlink"
+	"github.com/docker/docker/pkg/system"
+	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+func (l *tarexporter) Load(inTar io.ReadCloser, outStream io.Writer, quiet bool) error {
+	var progressOutput progress.Output
+	if !quiet {
+		progressOutput = streamformatter.NewJSONProgressOutput(outStream, false)
+	}
+	outStream = streamformatter.NewStdoutWriter(outStream)
+
+	tmpDir, err := ioutil.TempDir("", "docker-import-")
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tmpDir)
+
+	if err := chrootarchive.Untar(inTar, tmpDir, nil); err != nil {
+		return err
+	}
+	// read manifest, if no file then load in legacy mode
+	manifestPath, err := safePath(tmpDir, manifestFileName)
+	if err != nil {
+		return err
+	}
+	manifestFile, err := os.Open(manifestPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return l.legacyLoad(tmpDir, outStream, progressOutput)
+		}
+		return err
+	}
+	defer manifestFile.Close()
+
+	var manifest []manifestItem
+	if err := json.NewDecoder(manifestFile).Decode(&manifest); err != nil {
+		return err
+	}
+
+	var parentLinks []parentLink
+	var imageIDsStr string
+	var imageRefCount int
+
+	for _, m := range manifest {
+		configPath, err := safePath(tmpDir, m.Config)
+		if err != nil {
+			return err
+		}
+		config, err := ioutil.ReadFile(configPath)
+		if err != nil {
+			return err
+		}
+		img, err := image.NewFromJSON(config)
+		if err != nil {
+			return err
+		}
+		if err := checkCompatibleOS(img.OS); err != nil {
+			return err
+		}
+		rootFS := *img.RootFS
+		rootFS.DiffIDs = nil
+
+		if expected, actual := len(m.Layers), len(img.RootFS.DiffIDs); expected != actual {
+			return fmt.Errorf("invalid manifest, layers length mismatch: expected %d, got %d", expected, actual)
+		}
+
+		// On Windows, validate the platform, defaulting to windows if not present.
+		os := img.OS
+		if os == "" {
+			os = runtime.GOOS
+		}
+		if runtime.GOOS == "windows" {
+			if (os != "windows") && (os != "linux") {
+				return fmt.Errorf("configuration for this image has an unsupported operating system: %s", os)
+			}
+		}
+
+		for i, diffID := range img.RootFS.DiffIDs {
+			layerPath, err := safePath(tmpDir, m.Layers[i])
+			if err != nil {
+				return err
+			}
+			r := rootFS
+			r.Append(diffID)
+			newLayer, err := l.lss[os].Get(r.ChainID())
+			if err != nil {
+				newLayer, err = l.loadLayer(layerPath, rootFS, diffID.String(), os, m.LayerSources[diffID], progressOutput)
+				if err != nil {
+					return err
+				}
+			}
+			defer layer.ReleaseAndLog(l.lss[os], newLayer)
+			if expected, actual := diffID, newLayer.DiffID(); expected != actual {
+				return fmt.Errorf("invalid diffID for layer %d: expected %q, got %q", i, expected, actual)
+			}
+			rootFS.Append(diffID)
+		}
+
+		imgID, err := l.is.Create(config)
+		if err != nil {
+			return err
+		}
+		imageIDsStr += fmt.Sprintf("Loaded image ID: %s\n", imgID)
+
+		imageRefCount = 0
+		for _, repoTag := range m.RepoTags {
+			named, err := reference.ParseNormalizedNamed(repoTag)
+			if err != nil {
+				return err
+			}
+			ref, ok := named.(reference.NamedTagged)
+			if !ok {
+				return fmt.Errorf("invalid tag %q", repoTag)
+			}
+			l.setLoadedTag(ref, imgID.Digest(), outStream)
+			outStream.Write([]byte(fmt.Sprintf("Loaded image: %s\n", reference.FamiliarString(ref))))
+			imageRefCount++
+		}
+
+		parentLinks = append(parentLinks, parentLink{imgID, m.Parent})
+		l.loggerImgEvent.LogImageEvent(imgID.String(), imgID.String(), "load")
+	}
+
+	for _, p := range validatedParentLinks(parentLinks) {
+		if p.parentID != "" {
+			if err := l.setParentID(p.id, p.parentID); err != nil {
+				return err
+			}
+		}
+	}
+
+	if imageRefCount == 0 {
+		outStream.Write([]byte(imageIDsStr))
+	}
+
+	return nil
+}
+
+func (l *tarexporter) setParentID(id, parentID image.ID) error {
+	img, err := l.is.Get(id)
+	if err != nil {
+		return err
+	}
+	parent, err := l.is.Get(parentID)
+	if err != nil {
+		return err
+	}
+	if !checkValidParent(img, parent) {
+		return fmt.Errorf("image %v is not a valid parent for %v", parent.ID(), img.ID())
+	}
+	return l.is.SetParent(id, parentID)
+}
+
+func (l *tarexporter) loadLayer(filename string, rootFS image.RootFS, id string, os string, foreignSrc distribution.Descriptor, progressOutput progress.Output) (layer.Layer, error) {
+	// We use system.OpenSequential to use sequential file access on Windows, avoiding
+	// depleting the standby list. On Linux, this equates to a regular os.Open.
+	rawTar, err := system.OpenSequential(filename)
+	if err != nil {
+		logrus.Debugf("Error reading embedded tar: %v", err)
+		return nil, err
+	}
+	defer rawTar.Close()
+
+	var r io.Reader
+	if progressOutput != nil {
+		fileInfo, err := rawTar.Stat()
+		if err != nil {
+			logrus.Debugf("Error statting file: %v", err)
+			return nil, err
+		}
+
+		r = progress.NewProgressReader(rawTar, progressOutput, fileInfo.Size(), stringid.TruncateID(id), "Loading layer")
+	} else {
+		r = rawTar
+	}
+
+	inflatedLayerData, err := archive.DecompressStream(r)
+	if err != nil {
+		return nil, err
+	}
+	defer inflatedLayerData.Close()
+
+	if ds, ok := l.lss[os].(layer.DescribableStore); ok {
+		return ds.RegisterWithDescriptor(inflatedLayerData, rootFS.ChainID(), foreignSrc)
+	}
+	return l.lss[os].Register(inflatedLayerData, rootFS.ChainID())
+}
+
+func (l *tarexporter) setLoadedTag(ref reference.Named, imgID digest.Digest, outStream io.Writer) error {
+	if prevID, err := l.rs.Get(ref); err == nil && prevID != imgID {
+		fmt.Fprintf(outStream, "The image %s already exists, renaming the old one with ID %s to empty string\n", reference.FamiliarString(ref), string(prevID)) // todo: this message is wrong in case of multiple tags
+	}
+
+	return l.rs.AddTag(ref, imgID, true)
+}
+
+func (l *tarexporter) legacyLoad(tmpDir string, outStream io.Writer, progressOutput progress.Output) error {
+	if runtime.GOOS == "windows" {
+		return errors.New("Windows does not support legacy loading of images")
+	}
+
+	legacyLoadedMap := make(map[string]image.ID)
+
+	dirs, err := ioutil.ReadDir(tmpDir)
+	if err != nil {
+		return err
+	}
+
+	// every dir represents an image
+	for _, d := range dirs {
+		if d.IsDir() {
+			if err := l.legacyLoadImage(d.Name(), tmpDir, legacyLoadedMap, progressOutput); err != nil {
+				return err
+			}
+		}
+	}
+
+	// load tags from repositories file
+	repositoriesPath, err := safePath(tmpDir, legacyRepositoriesFileName)
+	if err != nil {
+		return err
+	}
+	repositoriesFile, err := os.Open(repositoriesPath)
+	if err != nil {
+		return err
+	}
+	defer repositoriesFile.Close()
+
+	repositories := make(map[string]map[string]string)
+	if err := json.NewDecoder(repositoriesFile).Decode(&repositories); err != nil {
+		return err
+	}
+
+	for name, tagMap := range repositories {
+		for tag, oldID := range tagMap {
+			imgID, ok := legacyLoadedMap[oldID]
+			if !ok {
+				return fmt.Errorf("invalid target ID: %v", oldID)
+			}
+			named, err := reference.ParseNormalizedNamed(name)
+			if err != nil {
+				return err
+			}
+			ref, err := reference.WithTag(named, tag)
+			if err != nil {
+				return err
+			}
+			l.setLoadedTag(ref, imgID.Digest(), outStream)
+		}
+	}
+
+	return nil
+}
+
+func (l *tarexporter) legacyLoadImage(oldID, sourceDir string, loadedMap map[string]image.ID, progressOutput progress.Output) error {
+	if _, loaded := loadedMap[oldID]; loaded {
+		return nil
+	}
+	configPath, err := safePath(sourceDir, filepath.Join(oldID, legacyConfigFileName))
+	if err != nil {
+		return err
+	}
+	imageJSON, err := ioutil.ReadFile(configPath)
+	if err != nil {
+		logrus.Debugf("Error reading json: %v", err)
+		return err
+	}
+
+	var img struct {
+		OS     string
+		Parent string
+	}
+	if err := json.Unmarshal(imageJSON, &img); err != nil {
+		return err
+	}
+
+	if err := checkCompatibleOS(img.OS); err != nil {
+		return err
+	}
+	if img.OS == "" {
+		img.OS = runtime.GOOS
+	}
+
+	var parentID image.ID
+	if img.Parent != "" {
+		for {
+			var loaded bool
+			if parentID, loaded = loadedMap[img.Parent]; !loaded {
+				if err := l.legacyLoadImage(img.Parent, sourceDir, loadedMap, progressOutput); err != nil {
+					return err
+				}
+			} else {
+				break
+			}
+		}
+	}
+
+	// todo: try to connect with migrate code
+	rootFS := image.NewRootFS()
+	var history []image.History
+
+	if parentID != "" {
+		parentImg, err := l.is.Get(parentID)
+		if err != nil {
+			return err
+		}
+
+		rootFS = parentImg.RootFS
+		history = parentImg.History
+	}
+
+	layerPath, err := safePath(sourceDir, filepath.Join(oldID, legacyLayerFileName))
+	if err != nil {
+		return err
+	}
+	newLayer, err := l.loadLayer(layerPath, *rootFS, oldID, img.OS, distribution.Descriptor{}, progressOutput)
+	if err != nil {
+		return err
+	}
+	rootFS.Append(newLayer.DiffID())
+
+	h, err := v1.HistoryFromConfig(imageJSON, false)
+	if err != nil {
+		return err
+	}
+	history = append(history, h)
+
+	config, err := v1.MakeConfigFromV1Config(imageJSON, rootFS, history)
+	if err != nil {
+		return err
+	}
+	imgID, err := l.is.Create(config)
+	if err != nil {
+		return err
+	}
+
+	metadata, err := l.lss[img.OS].Release(newLayer)
+	layer.LogReleaseMetadata(metadata)
+	if err != nil {
+		return err
+	}
+
+	if parentID != "" {
+		if err := l.is.SetParent(imgID, parentID); err != nil {
+			return err
+		}
+	}
+
+	loadedMap[oldID] = imgID
+	return nil
+}
+
+func safePath(base, path string) (string, error) {
+	return symlink.FollowSymlinkInScope(filepath.Join(base, path), base)
+}
+
+type parentLink struct {
+	id, parentID image.ID
+}
+
+func validatedParentLinks(pl []parentLink) (ret []parentLink) {
+mainloop:
+	for i, p := range pl {
+		ret = append(ret, p)
+		for _, p2 := range pl {
+			if p2.id == p.parentID && p2.id != p.id {
+				continue mainloop
+			}
+		}
+		ret[i].parentID = ""
+	}
+	return
+}
+
+func checkValidParent(img, parent *image.Image) bool {
+	if len(img.History) == 0 && len(parent.History) == 0 {
+		return true // having history is not mandatory
+	}
+	if len(img.History)-len(parent.History) != 1 {
+		return false
+	}
+	for i, h := range parent.History {
+		if !reflect.DeepEqual(h, img.History[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+func checkCompatibleOS(imageOS string) error {
+	// always compatible if the images OS matches the host OS; also match an empty image OS
+	if imageOS == runtime.GOOS || imageOS == "" {
+		return nil
+	}
+	// On non-Windows hosts, for compatibility, fail if the image is Windows.
+	if runtime.GOOS != "windows" && imageOS == "windows" {
+		return fmt.Errorf("cannot load %s image on %s", imageOS, runtime.GOOS)
+	}
+
+	p, err := platforms.Parse(imageOS)
+	if err != nil {
+		return err
+	}
+
+	return system.ValidatePlatform(p)
+}
diff --git a/engine/image/tarexport/save.go b/engine/image/tarexport/save.go
new file mode 100644
index 00000000..4e734b35
--- /dev/null
+++ b/engine/image/tarexport/save.go
@@ -0,0 +1,431 @@
+package tarexport // import "github.com/docker/docker/image/tarexport"
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"runtime"
+	"time"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/image/v1"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/system"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+type imageDescriptor struct {
+	refs     []reference.NamedTagged
+	layers   []string
+	image    *image.Image
+	layerRef layer.Layer
+}
+
+type saveSession struct {
+	*tarexporter
+	outDir      string
+	images      map[image.ID]*imageDescriptor
+	savedLayers map[string]struct{}
+	diffIDPaths map[layer.DiffID]string // cache every diffID blob to avoid duplicates
+}
+
+func (l *tarexporter) Save(names []string, outStream io.Writer) error {
+	images, err := l.parseNames(names)
+	if err != nil {
+		return err
+	}
+
+	// Release all the image top layer references
+	defer l.releaseLayerReferences(images)
+	return (&saveSession{tarexporter: l, images: images}).save(outStream)
+}
+
+// parseNames will parse the image names to a map which contains image.ID to *imageDescriptor.
+// Each imageDescriptor holds an image top layer reference named 'layerRef'. It is taken here, should be released later.
+func (l *tarexporter) parseNames(names []string) (desc map[image.ID]*imageDescriptor, rErr error) {
+	imgDescr := make(map[image.ID]*imageDescriptor)
+	defer func() {
+		if rErr != nil {
+			l.releaseLayerReferences(imgDescr)
+		}
+	}()
+
+	addAssoc := func(id image.ID, ref reference.Named) error {
+		if _, ok := imgDescr[id]; !ok {
+			descr := &imageDescriptor{}
+			if err := l.takeLayerReference(id, descr); err != nil {
+				return err
+			}
+			imgDescr[id] = descr
+		}
+
+		if ref != nil {
+			if _, ok := ref.(reference.Canonical); ok {
+				return nil
+			}
+			tagged, ok := reference.TagNameOnly(ref).(reference.NamedTagged)
+			if !ok {
+				return nil
+			}
+
+			for _, t := range imgDescr[id].refs {
+				if tagged.String() == t.String() {
+					return nil
+				}
+			}
+			imgDescr[id].refs = append(imgDescr[id].refs, tagged)
+		}
+		return nil
+	}
+
+	for _, name := range names {
+		ref, err := reference.ParseAnyReference(name)
+		if err != nil {
+			return nil, err
+		}
+		namedRef, ok := ref.(reference.Named)
+		if !ok {
+			// Check if digest ID reference
+			if digested, ok := ref.(reference.Digested); ok {
+				id := image.IDFromDigest(digested.Digest())
+				if err := addAssoc(id, nil); err != nil {
+					return nil, err
+				}
+				continue
+			}
+			return nil, errors.Errorf("invalid reference: %v", name)
+		}
+
+		if reference.FamiliarName(namedRef) == string(digest.Canonical) {
+			imgID, err := l.is.Search(name)
+			if err != nil {
+				return nil, err
+			}
+			if err := addAssoc(imgID, nil); err != nil {
+				return nil, err
+			}
+			continue
+		}
+		if reference.IsNameOnly(namedRef) {
+			assocs := l.rs.ReferencesByName(namedRef)
+			for _, assoc := range assocs {
+				if err := addAssoc(image.IDFromDigest(assoc.ID), assoc.Ref); err != nil {
+					return nil, err
+				}
+			}
+			if len(assocs) == 0 {
+				imgID, err := l.is.Search(name)
+				if err != nil {
+					return nil, err
+				}
+				if err := addAssoc(imgID, nil); err != nil {
+					return nil, err
+				}
+			}
+			continue
+		}
+		id, err := l.rs.Get(namedRef)
+		if err != nil {
+			return nil, err
+		}
+		if err := addAssoc(image.IDFromDigest(id), namedRef); err != nil {
+			return nil, err
+		}
+
+	}
+	return imgDescr, nil
+}
+
+// takeLayerReference will take/Get the image top layer reference
+func (l *tarexporter) takeLayerReference(id image.ID, imgDescr *imageDescriptor) error {
+	img, err := l.is.Get(id)
+	if err != nil {
+		return err
+	}
+	imgDescr.image = img
+	topLayerID := img.RootFS.ChainID()
+	if topLayerID == "" {
+		return nil
+	}
+	os := img.OS
+	if os == "" {
+		os = runtime.GOOS
+	}
+	if !system.IsOSSupported(os) {
+		return fmt.Errorf("os %q is not supported", os)
+	}
+	layer, err := l.lss[os].Get(topLayerID)
+	if err != nil {
+		return err
+	}
+	imgDescr.layerRef = layer
+	return nil
+}
+
+// releaseLayerReferences will release all the image top layer references
+func (l *tarexporter) releaseLayerReferences(imgDescr map[image.ID]*imageDescriptor) error {
+	for _, descr := range imgDescr {
+		if descr.layerRef != nil {
+			os := descr.image.OS
+			if os == "" {
+				os = runtime.GOOS
+			}
+			l.lss[os].Release(descr.layerRef)
+		}
+	}
+	return nil
+}
+
+func (s *saveSession) save(outStream io.Writer) error {
+	s.savedLayers = make(map[string]struct{})
+	s.diffIDPaths = make(map[layer.DiffID]string)
+
+	// get image json
+	tempDir, err := ioutil.TempDir("", "docker-export-")
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tempDir)
+
+	s.outDir = tempDir
+	reposLegacy := make(map[string]map[string]string)
+
+	var manifest []manifestItem
+	var parentLinks []parentLink
+
+	for id, imageDescr := range s.images {
+		foreignSrcs, err := s.saveImage(id)
+		if err != nil {
+			return err
+		}
+
+		var repoTags []string
+		var layers []string
+
+		for _, ref := range imageDescr.refs {
+			familiarName := reference.FamiliarName(ref)
+			if _, ok := reposLegacy[familiarName]; !ok {
+				reposLegacy[familiarName] = make(map[string]string)
+			}
+			reposLegacy[familiarName][ref.Tag()] = imageDescr.layers[len(imageDescr.layers)-1]
+			repoTags = append(repoTags, reference.FamiliarString(ref))
+		}
+
+		for _, l := range imageDescr.layers {
+			// IMPORTANT: We use path, not filepath here to ensure the layers
+			// in the manifest use Unix-style forward-slashes. Otherwise, a
+			// Linux image saved from LCOW won't be able to be imported on
+			// LCOL.
+			layers = append(layers, path.Join(l, legacyLayerFileName))
+		}
+
+		manifest = append(manifest, manifestItem{
+			Config:       id.Digest().Hex() + ".json",
+			RepoTags:     repoTags,
+			Layers:       layers,
+			LayerSources: foreignSrcs,
+		})
+
+		parentID, _ := s.is.GetParent(id)
+		parentLinks = append(parentLinks, parentLink{id, parentID})
+		s.tarexporter.loggerImgEvent.LogImageEvent(id.String(), id.String(), "save")
+	}
+
+	for i, p := range validatedParentLinks(parentLinks) {
+		if p.parentID != "" {
+			manifest[i].Parent = p.parentID
+		}
+	}
+
+	if len(reposLegacy) > 0 {
+		reposFile := filepath.Join(tempDir, legacyRepositoriesFileName)
+		rf, err := os.OpenFile(reposFile, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
+		if err != nil {
+			return err
+		}
+
+		if err := json.NewEncoder(rf).Encode(reposLegacy); err != nil {
+			rf.Close()
+			return err
+		}
+
+		rf.Close()
+
+		if err := system.Chtimes(reposFile, time.Unix(0, 0), time.Unix(0, 0)); err != nil {
+			return err
+		}
+	}
+
+	manifestFileName := filepath.Join(tempDir, manifestFileName)
+	f, err := os.OpenFile(manifestFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return err
+	}
+
+	if err := json.NewEncoder(f).Encode(manifest); err != nil {
+		f.Close()
+		return err
+	}
+
+	f.Close()
+
+	if err := system.Chtimes(manifestFileName, time.Unix(0, 0), time.Unix(0, 0)); err != nil {
+		return err
+	}
+
+	fs, err := archive.Tar(tempDir, archive.Uncompressed)
+	if err != nil {
+		return err
+	}
+	defer fs.Close()
+
+	_, err = io.Copy(outStream, fs)
+	return err
+}
+
+func (s *saveSession) saveImage(id image.ID) (map[layer.DiffID]distribution.Descriptor, error) {
+	img := s.images[id].image
+	if len(img.RootFS.DiffIDs) == 0 {
+		return nil, fmt.Errorf("empty export - not implemented")
+	}
+
+	var parent digest.Digest
+	var layers []string
+	var foreignSrcs map[layer.DiffID]distribution.Descriptor
+	for i := range img.RootFS.DiffIDs {
+		v1Img := image.V1Image{
+			// This is for backward compatibility used for
+			// pre v1.9 docker.
+			Created: time.Unix(0, 0),
+		}
+		if i == len(img.RootFS.DiffIDs)-1 {
+			v1Img = img.V1Image
+		}
+		rootFS := *img.RootFS
+		rootFS.DiffIDs = rootFS.DiffIDs[:i+1]
+		v1ID, err := v1.CreateID(v1Img, rootFS.ChainID(), parent)
+		if err != nil {
+			return nil, err
+		}
+
+		v1Img.ID = v1ID.Hex()
+		if parent != "" {
+			v1Img.Parent = parent.Hex()
+		}
+
+		v1Img.OS = img.OS
+		src, err := s.saveLayer(rootFS.ChainID(), v1Img, img.Created)
+		if err != nil {
+			return nil, err
+		}
+		layers = append(layers, v1Img.ID)
+		parent = v1ID
+		if src.Digest != "" {
+			if foreignSrcs == nil {
+				foreignSrcs = make(map[layer.DiffID]distribution.Descriptor)
+			}
+			foreignSrcs[img.RootFS.DiffIDs[i]] = src
+		}
+	}
+
+	configFile := filepath.Join(s.outDir, id.Digest().Hex()+".json")
+	if err := ioutil.WriteFile(configFile, img.RawJSON(), 0644); err != nil {
+		return nil, err
+	}
+	if err := system.Chtimes(configFile, img.Created, img.Created); err != nil {
+		return nil, err
+	}
+
+	s.images[id].layers = layers
+	return foreignSrcs, nil
+}
+
+func (s *saveSession) saveLayer(id layer.ChainID, legacyImg image.V1Image, createdTime time.Time) (distribution.Descriptor, error) {
+	if _, exists := s.savedLayers[legacyImg.ID]; exists {
+		return distribution.Descriptor{}, nil
+	}
+
+	outDir := filepath.Join(s.outDir, legacyImg.ID)
+	if err := os.Mkdir(outDir, 0755); err != nil {
+		return distribution.Descriptor{}, err
+	}
+
+	// todo: why is this version file here?
+	if err := ioutil.WriteFile(filepath.Join(outDir, legacyVersionFileName), []byte("1.0"), 0644); err != nil {
+		return distribution.Descriptor{}, err
+	}
+
+	imageConfig, err := json.Marshal(legacyImg)
+	if err != nil {
+		return distribution.Descriptor{}, err
+	}
+
+	if err := ioutil.WriteFile(filepath.Join(outDir, legacyConfigFileName), imageConfig, 0644); err != nil {
+		return distribution.Descriptor{}, err
+	}
+
+	// serialize filesystem
+	layerPath := filepath.Join(outDir, legacyLayerFileName)
+	operatingSystem := legacyImg.OS
+	if operatingSystem == "" {
+		operatingSystem = runtime.GOOS
+	}
+	l, err := s.lss[operatingSystem].Get(id)
+	if err != nil {
+		return distribution.Descriptor{}, err
+	}
+	defer layer.ReleaseAndLog(s.lss[operatingSystem], l)
+
+	if oldPath, exists := s.diffIDPaths[l.DiffID()]; exists {
+		relPath, err := filepath.Rel(outDir, oldPath)
+		if err != nil {
+			return distribution.Descriptor{}, err
+		}
+		if err := os.Symlink(relPath, layerPath); err != nil {
+			return distribution.Descriptor{}, errors.Wrap(err, "error creating symlink while saving layer")
+		}
+	} else {
+		// Use system.CreateSequential rather than os.Create. This ensures sequential
+		// file access on Windows to avoid eating into MM standby list.
+		// On Linux, this equates to a regular os.Create.
+		tarFile, err := system.CreateSequential(layerPath)
+		if err != nil {
+			return distribution.Descriptor{}, err
+		}
+		defer tarFile.Close()
+
+		arch, err := l.TarStream()
+		if err != nil {
+			return distribution.Descriptor{}, err
+		}
+		defer arch.Close()
+
+		if _, err := io.Copy(tarFile, arch); err != nil {
+			return distribution.Descriptor{}, err
+		}
+
+		for _, fname := range []string{"", legacyVersionFileName, legacyConfigFileName, legacyLayerFileName} {
+			// todo: maybe save layer created timestamp?
+			if err := system.Chtimes(filepath.Join(outDir, fname), createdTime, createdTime); err != nil {
+				return distribution.Descriptor{}, err
+			}
+		}
+
+		s.diffIDPaths[l.DiffID()] = layerPath
+	}
+	s.savedLayers[legacyImg.ID] = struct{}{}
+
+	var src distribution.Descriptor
+	if fs, ok := l.(distribution.Describable); ok {
+		src = fs.Descriptor()
+	}
+	return src, nil
+}
diff --git a/engine/image/tarexport/tarexport.go b/engine/image/tarexport/tarexport.go
new file mode 100644
index 00000000..beff668c
--- /dev/null
+++ b/engine/image/tarexport/tarexport.go
@@ -0,0 +1,47 @@
+package tarexport // import "github.com/docker/docker/image/tarexport"
+
+import (
+	"github.com/docker/distribution"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	refstore "github.com/docker/docker/reference"
+)
+
+const (
+	manifestFileName           = "manifest.json"
+	legacyLayerFileName        = "layer.tar"
+	legacyConfigFileName       = "json"
+	legacyVersionFileName      = "VERSION"
+	legacyRepositoriesFileName = "repositories"
+)
+
+type manifestItem struct {
+	Config       string
+	RepoTags     []string
+	Layers       []string
+	Parent       image.ID                                 `json:",omitempty"`
+	LayerSources map[layer.DiffID]distribution.Descriptor `json:",omitempty"`
+}
+
+type tarexporter struct {
+	is             image.Store
+	lss            map[string]layer.Store
+	rs             refstore.Store
+	loggerImgEvent LogImageEvent
+}
+
+// LogImageEvent defines interface for event generation related to image tar(load and save) operations
+type LogImageEvent interface {
+	//LogImageEvent generates an event related to an image operation
+	LogImageEvent(imageID, refName, action string)
+}
+
+// NewTarExporter returns new Exporter for tar packages
+func NewTarExporter(is image.Store, lss map[string]layer.Store, rs refstore.Store, loggerImgEvent LogImageEvent) image.Exporter {
+	return &tarexporter{
+		is:             is,
+		lss:            lss,
+		rs:             rs,
+		loggerImgEvent: loggerImgEvent,
+	}
+}
diff --git a/engine/image/v1/imagev1.go b/engine/image/v1/imagev1.go
new file mode 100644
index 00000000..c341ceaa
--- /dev/null
+++ b/engine/image/v1/imagev1.go
@@ -0,0 +1,150 @@
+package v1 // import "github.com/docker/docker/image/v1"
+
+import (
+	"encoding/json"
+	"reflect"
+	"strings"
+
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+// noFallbackMinVersion is the minimum version for which v1compatibility
+// information will not be marshaled through the Image struct to remove
+// blank fields.
+var noFallbackMinVersion = "1.8.3"
+
+// HistoryFromConfig creates a History struct from v1 configuration JSON
+func HistoryFromConfig(imageJSON []byte, emptyLayer bool) (image.History, error) {
+	h := image.History{}
+	var v1Image image.V1Image
+	if err := json.Unmarshal(imageJSON, &v1Image); err != nil {
+		return h, err
+	}
+
+	return image.History{
+		Author:     v1Image.Author,
+		Created:    v1Image.Created,
+		CreatedBy:  strings.Join(v1Image.ContainerConfig.Cmd, " "),
+		Comment:    v1Image.Comment,
+		EmptyLayer: emptyLayer,
+	}, nil
+}
+
+// CreateID creates an ID from v1 image, layerID and parent ID.
+// Used for backwards compatibility with old clients.
+func CreateID(v1Image image.V1Image, layerID layer.ChainID, parent digest.Digest) (digest.Digest, error) {
+	v1Image.ID = ""
+	v1JSON, err := json.Marshal(v1Image)
+	if err != nil {
+		return "", err
+	}
+
+	var config map[string]*json.RawMessage
+	if err := json.Unmarshal(v1JSON, &config); err != nil {
+		return "", err
+	}
+
+	// FIXME: note that this is slightly incompatible with RootFS logic
+	config["layer_id"] = rawJSON(layerID)
+	if parent != "" {
+		config["parent"] = rawJSON(parent)
+	}
+
+	configJSON, err := json.Marshal(config)
+	if err != nil {
+		return "", err
+	}
+	logrus.Debugf("CreateV1ID %s", configJSON)
+
+	return digest.FromBytes(configJSON), nil
+}
+
+// MakeConfigFromV1Config creates an image config from the legacy V1 config format.
+func MakeConfigFromV1Config(imageJSON []byte, rootfs *image.RootFS, history []image.History) ([]byte, error) {
+	var dver struct {
+		DockerVersion string `json:"docker_version"`
+	}
+
+	if err := json.Unmarshal(imageJSON, &dver); err != nil {
+		return nil, err
+	}
+
+	useFallback := versions.LessThan(dver.DockerVersion, noFallbackMinVersion)
+
+	if useFallback {
+		var v1Image image.V1Image
+		err := json.Unmarshal(imageJSON, &v1Image)
+		if err != nil {
+			return nil, err
+		}
+		imageJSON, err = json.Marshal(v1Image)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var c map[string]*json.RawMessage
+	if err := json.Unmarshal(imageJSON, &c); err != nil {
+		return nil, err
+	}
+
+	delete(c, "id")
+	delete(c, "parent")
+	delete(c, "Size") // Size is calculated from data on disk and is inconsistent
+	delete(c, "parent_id")
+	delete(c, "layer_id")
+	delete(c, "throwaway")
+
+	c["rootfs"] = rawJSON(rootfs)
+	c["history"] = rawJSON(history)
+
+	return json.Marshal(c)
+}
+
+// MakeV1ConfigFromConfig creates a legacy V1 image config from an Image struct
+func MakeV1ConfigFromConfig(img *image.Image, v1ID, parentV1ID string, throwaway bool) ([]byte, error) {
+	// Top-level v1compatibility string should be a modified version of the
+	// image config.
+	var configAsMap map[string]*json.RawMessage
+	if err := json.Unmarshal(img.RawJSON(), &configAsMap); err != nil {
+		return nil, err
+	}
+
+	// Delete fields that didn't exist in old manifest
+	imageType := reflect.TypeOf(img).Elem()
+	for i := 0; i < imageType.NumField(); i++ {
+		f := imageType.Field(i)
+		jsonName := strings.Split(f.Tag.Get("json"), ",")[0]
+		// Parent is handled specially below.
+		if jsonName != "" && jsonName != "parent" {
+			delete(configAsMap, jsonName)
+		}
+	}
+	configAsMap["id"] = rawJSON(v1ID)
+	if parentV1ID != "" {
+		configAsMap["parent"] = rawJSON(parentV1ID)
+	}
+	if throwaway {
+		configAsMap["throwaway"] = rawJSON(true)
+	}
+
+	return json.Marshal(configAsMap)
+}
+
+func rawJSON(value interface{}) *json.RawMessage {
+	jsonval, err := json.Marshal(value)
+	if err != nil {
+		return nil
+	}
+	return (*json.RawMessage)(&jsonval)
+}
+
+// ValidateID checks whether an ID string is a valid image ID.
+func ValidateID(id string) error {
+	return stringid.ValidateID(id)
+}
diff --git a/engine/image/v1/imagev1_test.go b/engine/image/v1/imagev1_test.go
new file mode 100644
index 00000000..45ae783d
--- /dev/null
+++ b/engine/image/v1/imagev1_test.go
@@ -0,0 +1,55 @@
+package v1 // import "github.com/docker/docker/image/v1"
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/docker/docker/image"
+)
+
+func TestMakeV1ConfigFromConfig(t *testing.T) {
+	img := &image.Image{
+		V1Image: image.V1Image{
+			ID:     "v2id",
+			Parent: "v2parent",
+			OS:     "os",
+		},
+		OSVersion: "osversion",
+		RootFS: &image.RootFS{
+			Type: "layers",
+		},
+	}
+	v2js, err := json.Marshal(img)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Convert the image back in order to get RawJSON() support.
+	img, err = image.NewFromJSON(v2js)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	js, err := MakeV1ConfigFromConfig(img, "v1id", "v1parent", false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	newimg := &image.Image{}
+	err = json.Unmarshal(js, newimg)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if newimg.V1Image.ID != "v1id" || newimg.Parent != "v1parent" {
+		t.Error("ids should have changed", newimg.V1Image.ID, newimg.V1Image.Parent)
+	}
+
+	if newimg.RootFS != nil {
+		t.Error("rootfs should have been removed")
+	}
+
+	if newimg.V1Image.OS != "os" {
+		t.Error("os should have been preserved")
+	}
+}
diff --git a/engine/integration-cli/benchmark_test.go b/engine/integration-cli/benchmark_test.go
new file mode 100644
index 00000000..ae0f67f6
--- /dev/null
+++ b/engine/integration-cli/benchmark_test.go
@@ -0,0 +1,95 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"runtime"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) BenchmarkConcurrentContainerActions(c *check.C) {
+	maxConcurrency := runtime.GOMAXPROCS(0)
+	numIterations := c.N
+	outerGroup := &sync.WaitGroup{}
+	outerGroup.Add(maxConcurrency)
+	chErr := make(chan error, numIterations*2*maxConcurrency)
+
+	for i := 0; i < maxConcurrency; i++ {
+		go func() {
+			defer outerGroup.Done()
+			innerGroup := &sync.WaitGroup{}
+			innerGroup.Add(2)
+
+			go func() {
+				defer innerGroup.Done()
+				for i := 0; i < numIterations; i++ {
+					args := []string{"run", "-d", defaultSleepImage}
+					args = append(args, sleepCommandForDaemonPlatform()...)
+					out, _, err := dockerCmdWithError(args...)
+					if err != nil {
+						chErr <- fmt.Errorf(out)
+						return
+					}
+
+					id := strings.TrimSpace(out)
+					tmpDir, err := ioutil.TempDir("", "docker-concurrent-test-"+id)
+					if err != nil {
+						chErr <- err
+						return
+					}
+					defer os.RemoveAll(tmpDir)
+					out, _, err = dockerCmdWithError("cp", id+":/tmp", tmpDir)
+					if err != nil {
+						chErr <- fmt.Errorf(out)
+						return
+					}
+
+					out, _, err = dockerCmdWithError("kill", id)
+					if err != nil {
+						chErr <- fmt.Errorf(out)
+					}
+
+					out, _, err = dockerCmdWithError("start", id)
+					if err != nil {
+						chErr <- fmt.Errorf(out)
+					}
+
+					out, _, err = dockerCmdWithError("kill", id)
+					if err != nil {
+						chErr <- fmt.Errorf(out)
+					}
+
+					// don't do an rm -f here since it can potentially ignore errors from the graphdriver
+					out, _, err = dockerCmdWithError("rm", id)
+					if err != nil {
+						chErr <- fmt.Errorf(out)
+					}
+				}
+			}()
+
+			go func() {
+				defer innerGroup.Done()
+				for i := 0; i < numIterations; i++ {
+					out, _, err := dockerCmdWithError("ps")
+					if err != nil {
+						chErr <- fmt.Errorf(out)
+					}
+				}
+			}()
+
+			innerGroup.Wait()
+		}()
+	}
+
+	outerGroup.Wait()
+	close(chErr)
+
+	for err := range chErr {
+		c.Assert(err, checker.IsNil)
+	}
+}
diff --git a/engine/integration-cli/check_test.go b/engine/integration-cli/check_test.go
new file mode 100644
index 00000000..76b17627
--- /dev/null
+++ b/engine/integration-cli/check_test.go
@@ -0,0 +1,409 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http/httptest"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"sync"
+	"syscall"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/daemon"
+	"github.com/docker/docker/integration-cli/environment"
+	testdaemon "github.com/docker/docker/internal/test/daemon"
+	ienv "github.com/docker/docker/internal/test/environment"
+	"github.com/docker/docker/internal/test/fakestorage"
+	"github.com/docker/docker/internal/test/fixtures/plugin"
+	"github.com/docker/docker/internal/test/registry"
+	"github.com/docker/docker/pkg/reexec"
+	"github.com/go-check/check"
+)
+
+const (
+	// the private registry to use for tests
+	privateRegistryURL = registry.DefaultURL
+
+	// path to containerd's ctr binary
+	ctrBinary = "docker-containerd-ctr"
+
+	// the docker daemon binary to use
+	dockerdBinary = "dockerd"
+)
+
+var (
+	testEnv *environment.Execution
+
+	// the docker client binary to use
+	dockerBinary = ""
+)
+
+func init() {
+	var err error
+
+	reexec.Init() // This is required for external graphdriver tests
+
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}
+
+func TestMain(m *testing.M) {
+	dockerBinary = testEnv.DockerBinary()
+	err := ienv.EnsureFrozenImagesLinux(&testEnv.Execution)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func Test(t *testing.T) {
+	cli.SetTestEnvironment(testEnv)
+	fakestorage.SetTestEnvironment(&testEnv.Execution)
+	ienv.ProtectAll(t, &testEnv.Execution)
+	check.TestingT(t)
+}
+
+func init() {
+	check.Suite(&DockerSuite{})
+}
+
+type DockerSuite struct {
+}
+
+func (s *DockerSuite) OnTimeout(c *check.C) {
+	if testEnv.IsRemoteDaemon() {
+		return
+	}
+	path := filepath.Join(os.Getenv("DEST"), "docker.pid")
+	b, err := ioutil.ReadFile(path)
+	if err != nil {
+		c.Fatalf("Failed to get daemon PID from %s\n", path)
+	}
+
+	rawPid, err := strconv.ParseInt(string(b), 10, 32)
+	if err != nil {
+		c.Fatalf("Failed to parse pid from %s: %s\n", path, err)
+	}
+
+	daemonPid := int(rawPid)
+	if daemonPid > 0 {
+		testdaemon.SignalDaemonDump(daemonPid)
+	}
+}
+
+func (s *DockerSuite) TearDownTest(c *check.C) {
+	testEnv.Clean(c)
+}
+
+func init() {
+	check.Suite(&DockerRegistrySuite{
+		ds: &DockerSuite{},
+	})
+}
+
+type DockerRegistrySuite struct {
+	ds  *DockerSuite
+	reg *registry.V2
+	d   *daemon.Daemon
+}
+
+func (s *DockerRegistrySuite) OnTimeout(c *check.C) {
+	s.d.DumpStackAndQuit()
+}
+
+func (s *DockerRegistrySuite) SetUpTest(c *check.C) {
+	testRequires(c, DaemonIsLinux, RegistryHosting, SameHostDaemon)
+	s.reg = registry.NewV2(c)
+	s.reg.WaitReady(c)
+	s.d = daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+}
+
+func (s *DockerRegistrySuite) TearDownTest(c *check.C) {
+	if s.reg != nil {
+		s.reg.Close()
+	}
+	if s.d != nil {
+		s.d.Stop(c)
+	}
+	s.ds.TearDownTest(c)
+}
+
+func init() {
+	check.Suite(&DockerSchema1RegistrySuite{
+		ds: &DockerSuite{},
+	})
+}
+
+type DockerSchema1RegistrySuite struct {
+	ds  *DockerSuite
+	reg *registry.V2
+	d   *daemon.Daemon
+}
+
+func (s *DockerSchema1RegistrySuite) OnTimeout(c *check.C) {
+	s.d.DumpStackAndQuit()
+}
+
+func (s *DockerSchema1RegistrySuite) SetUpTest(c *check.C) {
+	testRequires(c, DaemonIsLinux, RegistryHosting, NotArm64, SameHostDaemon)
+	s.reg = registry.NewV2(c, registry.Schema1)
+	s.reg.WaitReady(c)
+	s.d = daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+}
+
+func (s *DockerSchema1RegistrySuite) TearDownTest(c *check.C) {
+	if s.reg != nil {
+		s.reg.Close()
+	}
+	if s.d != nil {
+		s.d.Stop(c)
+	}
+	s.ds.TearDownTest(c)
+}
+
+func init() {
+	check.Suite(&DockerRegistryAuthHtpasswdSuite{
+		ds: &DockerSuite{},
+	})
+}
+
+type DockerRegistryAuthHtpasswdSuite struct {
+	ds  *DockerSuite
+	reg *registry.V2
+	d   *daemon.Daemon
+}
+
+func (s *DockerRegistryAuthHtpasswdSuite) OnTimeout(c *check.C) {
+	s.d.DumpStackAndQuit()
+}
+
+func (s *DockerRegistryAuthHtpasswdSuite) SetUpTest(c *check.C) {
+	testRequires(c, DaemonIsLinux, RegistryHosting, SameHostDaemon)
+	s.reg = registry.NewV2(c, registry.Htpasswd)
+	s.reg.WaitReady(c)
+	s.d = daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+}
+
+func (s *DockerRegistryAuthHtpasswdSuite) TearDownTest(c *check.C) {
+	if s.reg != nil {
+		out, err := s.d.Cmd("logout", privateRegistryURL)
+		c.Assert(err, check.IsNil, check.Commentf(out))
+		s.reg.Close()
+	}
+	if s.d != nil {
+		s.d.Stop(c)
+	}
+	s.ds.TearDownTest(c)
+}
+
+func init() {
+	check.Suite(&DockerRegistryAuthTokenSuite{
+		ds: &DockerSuite{},
+	})
+}
+
+type DockerRegistryAuthTokenSuite struct {
+	ds  *DockerSuite
+	reg *registry.V2
+	d   *daemon.Daemon
+}
+
+func (s *DockerRegistryAuthTokenSuite) OnTimeout(c *check.C) {
+	s.d.DumpStackAndQuit()
+}
+
+func (s *DockerRegistryAuthTokenSuite) SetUpTest(c *check.C) {
+	testRequires(c, DaemonIsLinux, RegistryHosting, SameHostDaemon)
+	s.d = daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+}
+
+func (s *DockerRegistryAuthTokenSuite) TearDownTest(c *check.C) {
+	if s.reg != nil {
+		out, err := s.d.Cmd("logout", privateRegistryURL)
+		c.Assert(err, check.IsNil, check.Commentf(out))
+		s.reg.Close()
+	}
+	if s.d != nil {
+		s.d.Stop(c)
+	}
+	s.ds.TearDownTest(c)
+}
+
+func (s *DockerRegistryAuthTokenSuite) setupRegistryWithTokenService(c *check.C, tokenURL string) {
+	if s == nil {
+		c.Fatal("registry suite isn't initialized")
+	}
+	s.reg = registry.NewV2(c, registry.Token(tokenURL))
+	s.reg.WaitReady(c)
+}
+
+func init() {
+	check.Suite(&DockerDaemonSuite{
+		ds: &DockerSuite{},
+	})
+}
+
+type DockerDaemonSuite struct {
+	ds *DockerSuite
+	d  *daemon.Daemon
+}
+
+func (s *DockerDaemonSuite) OnTimeout(c *check.C) {
+	s.d.DumpStackAndQuit()
+}
+
+func (s *DockerDaemonSuite) SetUpTest(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	s.d = daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+}
+
+func (s *DockerDaemonSuite) TearDownTest(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	if s.d != nil {
+		s.d.Stop(c)
+	}
+	s.ds.TearDownTest(c)
+}
+
+func (s *DockerDaemonSuite) TearDownSuite(c *check.C) {
+	filepath.Walk(testdaemon.SockRoot, func(path string, fi os.FileInfo, err error) error {
+		if err != nil {
+			// ignore errors here
+			// not cleaning up sockets is not really an error
+			return nil
+		}
+		if fi.Mode() == os.ModeSocket {
+			syscall.Unlink(path)
+		}
+		return nil
+	})
+	os.RemoveAll(testdaemon.SockRoot)
+}
+
+const defaultSwarmPort = 2477
+
+func init() {
+	check.Suite(&DockerSwarmSuite{
+		ds: &DockerSuite{},
+	})
+}
+
+type DockerSwarmSuite struct {
+	server      *httptest.Server
+	ds          *DockerSuite
+	daemons     []*daemon.Daemon
+	daemonsLock sync.Mutex // protect access to daemons
+	portIndex   int
+}
+
+func (s *DockerSwarmSuite) OnTimeout(c *check.C) {
+	s.daemonsLock.Lock()
+	defer s.daemonsLock.Unlock()
+	for _, d := range s.daemons {
+		d.DumpStackAndQuit()
+	}
+}
+
+func (s *DockerSwarmSuite) SetUpTest(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+}
+
+func (s *DockerSwarmSuite) AddDaemon(c *check.C, joinSwarm, manager bool) *daemon.Daemon {
+	d := daemon.New(c, dockerBinary, dockerdBinary,
+		testdaemon.WithEnvironment(testEnv.Execution),
+		testdaemon.WithSwarmPort(defaultSwarmPort+s.portIndex),
+	)
+	if joinSwarm {
+		if len(s.daemons) > 0 {
+			d.StartAndSwarmJoin(c, s.daemons[0].Daemon, manager)
+		} else {
+			d.StartAndSwarmInit(c)
+		}
+	} else {
+		d.StartWithBusybox(c, "--iptables=false", "--swarm-default-advertise-addr=lo")
+	}
+
+	s.portIndex++
+	s.daemonsLock.Lock()
+	s.daemons = append(s.daemons, d)
+	s.daemonsLock.Unlock()
+
+	return d
+}
+
+func (s *DockerSwarmSuite) TearDownTest(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	s.daemonsLock.Lock()
+	for _, d := range s.daemons {
+		if d != nil {
+			d.Stop(c)
+			d.Cleanup(c)
+		}
+	}
+	s.daemons = nil
+	s.daemonsLock.Unlock()
+
+	s.portIndex = 0
+	s.ds.TearDownTest(c)
+}
+
+func init() {
+	check.Suite(&DockerPluginSuite{
+		ds: &DockerSuite{},
+	})
+}
+
+type DockerPluginSuite struct {
+	ds       *DockerSuite
+	registry *registry.V2
+}
+
+func (ps *DockerPluginSuite) registryHost() string {
+	return privateRegistryURL
+}
+
+func (ps *DockerPluginSuite) getPluginRepo() string {
+	return path.Join(ps.registryHost(), "plugin", "basic")
+}
+func (ps *DockerPluginSuite) getPluginRepoWithTag() string {
+	return ps.getPluginRepo() + ":" + "latest"
+}
+
+func (ps *DockerPluginSuite) SetUpSuite(c *check.C) {
+	testRequires(c, DaemonIsLinux, RegistryHosting)
+	ps.registry = registry.NewV2(c)
+	ps.registry.WaitReady(c)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+
+	err := plugin.CreateInRegistry(ctx, ps.getPluginRepo(), nil)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create plugin"))
+}
+
+func (ps *DockerPluginSuite) TearDownSuite(c *check.C) {
+	if ps.registry != nil {
+		ps.registry.Close()
+	}
+}
+
+func (ps *DockerPluginSuite) TearDownTest(c *check.C) {
+	ps.ds.TearDownTest(c)
+}
+
+func (ps *DockerPluginSuite) OnTimeout(c *check.C) {
+	ps.ds.OnTimeout(c)
+}
diff --git a/engine/integration-cli/checker/checker.go b/engine/integration-cli/checker/checker.go
new file mode 100644
index 00000000..d7fdc412
--- /dev/null
+++ b/engine/integration-cli/checker/checker.go
@@ -0,0 +1,46 @@
+// Package checker provides Docker specific implementations of the go-check.Checker interface.
+package checker // import "github.com/docker/docker/integration-cli/checker"
+
+import (
+	"github.com/go-check/check"
+	"github.com/vdemeester/shakers"
+)
+
+// As a commodity, we bring all check.Checker variables into the current namespace to avoid having
+// to think about check.X versus checker.X.
+var (
+	DeepEquals   = check.DeepEquals
+	ErrorMatches = check.ErrorMatches
+	FitsTypeOf   = check.FitsTypeOf
+	HasLen       = check.HasLen
+	Implements   = check.Implements
+	IsNil        = check.IsNil
+	Matches      = check.Matches
+	Not          = check.Not
+	NotNil       = check.NotNil
+	PanicMatches = check.PanicMatches
+	Panics       = check.Panics
+
+	Contains           = shakers.Contains
+	ContainsAny        = shakers.ContainsAny
+	Count              = shakers.Count
+	Equals             = shakers.Equals
+	EqualFold          = shakers.EqualFold
+	False              = shakers.False
+	GreaterOrEqualThan = shakers.GreaterOrEqualThan
+	GreaterThan        = shakers.GreaterThan
+	HasPrefix          = shakers.HasPrefix
+	HasSuffix          = shakers.HasSuffix
+	Index              = shakers.Index
+	IndexAny           = shakers.IndexAny
+	IsAfter            = shakers.IsAfter
+	IsBefore           = shakers.IsBefore
+	IsBetween          = shakers.IsBetween
+	IsLower            = shakers.IsLower
+	IsUpper            = shakers.IsUpper
+	LessOrEqualThan    = shakers.LessOrEqualThan
+	LessThan           = shakers.LessThan
+	TimeEquals         = shakers.TimeEquals
+	True               = shakers.True
+	TimeIgnore         = shakers.TimeIgnore
+)
diff --git a/engine/integration-cli/cli/build/build.go b/engine/integration-cli/cli/build/build.go
new file mode 100644
index 00000000..0b10ea79
--- /dev/null
+++ b/engine/integration-cli/cli/build/build.go
@@ -0,0 +1,82 @@
+package build // import "github.com/docker/docker/integration-cli/cli/build"
+
+import (
+	"io"
+	"strings"
+
+	"github.com/docker/docker/internal/test/fakecontext"
+	"gotest.tools/icmd"
+)
+
+type testingT interface {
+	Fatal(args ...interface{})
+	Fatalf(string, ...interface{})
+}
+
+// WithStdinContext sets the build context from the standard input with the specified reader
+func WithStdinContext(closer io.ReadCloser) func(*icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Command = append(cmd.Command, "-")
+		cmd.Stdin = closer
+		return func() {
+			// FIXME(vdemeester) we should not ignore the error here…
+			closer.Close()
+		}
+	}
+}
+
+// WithDockerfile creates / returns a CmdOperator to set the Dockerfile for a build operation
+func WithDockerfile(dockerfile string) func(*icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Command = append(cmd.Command, "-")
+		cmd.Stdin = strings.NewReader(dockerfile)
+		return nil
+	}
+}
+
+// WithoutCache makes the build ignore cache
+func WithoutCache(cmd *icmd.Cmd) func() {
+	cmd.Command = append(cmd.Command, "--no-cache")
+	return nil
+}
+
+// WithContextPath sets the build context path
+func WithContextPath(path string) func(*icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Command = append(cmd.Command, path)
+		return nil
+	}
+}
+
+// WithExternalBuildContext use the specified context as build context
+func WithExternalBuildContext(ctx *fakecontext.Fake) func(*icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Dir = ctx.Dir
+		cmd.Command = append(cmd.Command, ".")
+		return nil
+	}
+}
+
+// WithBuildContext sets up the build context
+func WithBuildContext(t testingT, contextOperators ...func(*fakecontext.Fake) error) func(*icmd.Cmd) func() {
+	// FIXME(vdemeester) de-duplicate that
+	ctx := fakecontext.New(t, "", contextOperators...)
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Dir = ctx.Dir
+		cmd.Command = append(cmd.Command, ".")
+		return closeBuildContext(t, ctx)
+	}
+}
+
+// WithFile adds the specified file (with content) in the build context
+func WithFile(name, content string) func(*fakecontext.Fake) error {
+	return fakecontext.WithFile(name, content)
+}
+
+func closeBuildContext(t testingT, ctx *fakecontext.Fake) func() {
+	return func() {
+		if err := ctx.Close(); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
diff --git a/engine/integration-cli/cli/cli.go b/engine/integration-cli/cli/cli.go
new file mode 100644
index 00000000..bc3f3c19
--- /dev/null
+++ b/engine/integration-cli/cli/cli.go
@@ -0,0 +1,226 @@
+package cli // import "github.com/docker/docker/integration-cli/cli"
+
+import (
+	"fmt"
+	"io"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/daemon"
+	"github.com/docker/docker/integration-cli/environment"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	"gotest.tools/icmd"
+)
+
+var testEnv *environment.Execution
+
+// SetTestEnvironment sets a static test environment
+// TODO: decouple this package from environment
+func SetTestEnvironment(env *environment.Execution) {
+	testEnv = env
+}
+
+// CmdOperator defines functions that can modify a command
+type CmdOperator func(*icmd.Cmd) func()
+
+type testingT interface {
+	assert.TestingT
+	Fatal(args ...interface{})
+	Fatalf(string, ...interface{})
+}
+
+// DockerCmd executes the specified docker command and expect a success
+func DockerCmd(t testingT, args ...string) *icmd.Result {
+	return Docker(Args(args...)).Assert(t, icmd.Success)
+}
+
+// BuildCmd executes the specified docker build command and expect a success
+func BuildCmd(t testingT, name string, cmdOperators ...CmdOperator) *icmd.Result {
+	return Docker(Build(name), cmdOperators...).Assert(t, icmd.Success)
+}
+
+// InspectCmd executes the specified docker inspect command and expect a success
+func InspectCmd(t testingT, name string, cmdOperators ...CmdOperator) *icmd.Result {
+	return Docker(Inspect(name), cmdOperators...).Assert(t, icmd.Success)
+}
+
+// WaitRun will wait for the specified container to be running, maximum 5 seconds.
+func WaitRun(t testingT, name string, cmdOperators ...CmdOperator) {
+	WaitForInspectResult(t, name, "{{.State.Running}}", "true", 5*time.Second, cmdOperators...)
+}
+
+// WaitExited will wait for the specified container to state exit, subject
+// to a maximum time limit in seconds supplied by the caller
+func WaitExited(t testingT, name string, timeout time.Duration, cmdOperators ...CmdOperator) {
+	WaitForInspectResult(t, name, "{{.State.Status}}", "exited", timeout, cmdOperators...)
+}
+
+// WaitRestart will wait for the specified container to restart once
+func WaitRestart(t testingT, name string, timeout time.Duration, cmdOperators ...CmdOperator) {
+	WaitForInspectResult(t, name, "{{.RestartCount}}", "1", timeout, cmdOperators...)
+}
+
+// WaitForInspectResult waits for the specified expression to be equals to the specified expected string in the given time.
+func WaitForInspectResult(t testingT, name, expr, expected string, timeout time.Duration, cmdOperators ...CmdOperator) {
+	after := time.After(timeout)
+
+	args := []string{"inspect", "-f", expr, name}
+	for {
+		result := Docker(Args(args...), cmdOperators...)
+		if result.Error != nil {
+			if !strings.Contains(strings.ToLower(result.Stderr()), "no such") {
+				t.Fatalf("error executing docker inspect: %v\n%s",
+					result.Stderr(), result.Stdout())
+			}
+			select {
+			case <-after:
+				t.Fatal(result.Error)
+			default:
+				time.Sleep(10 * time.Millisecond)
+				continue
+			}
+		}
+
+		out := strings.TrimSpace(result.Stdout())
+		if out == expected {
+			break
+		}
+
+		select {
+		case <-after:
+			t.Fatalf("condition \"%q == %q\" not true in time (%v)", out, expected, timeout)
+		default:
+		}
+
+		time.Sleep(100 * time.Millisecond)
+	}
+}
+
+// Docker executes the specified docker command
+func Docker(cmd icmd.Cmd, cmdOperators ...CmdOperator) *icmd.Result {
+	for _, op := range cmdOperators {
+		deferFn := op(&cmd)
+		if deferFn != nil {
+			defer deferFn()
+		}
+	}
+	appendDocker(&cmd)
+	if err := validateArgs(cmd.Command...); err != nil {
+		return &icmd.Result{
+			Error: err,
+		}
+	}
+	return icmd.RunCmd(cmd)
+}
+
+// validateArgs is a checker to ensure tests are not running commands which are
+// not supported on platforms. Specifically on Windows this is 'busybox top'.
+func validateArgs(args ...string) error {
+	if testEnv.OSType != "windows" {
+		return nil
+	}
+	foundBusybox := -1
+	for key, value := range args {
+		if strings.ToLower(value) == "busybox" {
+			foundBusybox = key
+		}
+		if (foundBusybox != -1) && (key == foundBusybox+1) && (strings.ToLower(value) == "top") {
+			return errors.New("cannot use 'busybox top' in tests on Windows. Use runSleepingContainer()")
+		}
+	}
+	return nil
+}
+
+// Build executes the specified docker build command
+func Build(name string) icmd.Cmd {
+	return icmd.Command("build", "-t", name)
+}
+
+// Inspect executes the specified docker inspect command
+func Inspect(name string) icmd.Cmd {
+	return icmd.Command("inspect", name)
+}
+
+// Format sets the specified format with --format flag
+func Format(format string) func(*icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Command = append(
+			[]string{cmd.Command[0]},
+			append([]string{"--format", fmt.Sprintf("{{%s}}", format)}, cmd.Command[1:]...)...,
+		)
+		return nil
+	}
+}
+
+func appendDocker(cmd *icmd.Cmd) {
+	cmd.Command = append([]string{testEnv.DockerBinary()}, cmd.Command...)
+}
+
+// Args build an icmd.Cmd struct from the specified arguments
+func Args(args ...string) icmd.Cmd {
+	switch len(args) {
+	case 0:
+		return icmd.Cmd{}
+	case 1:
+		return icmd.Command(args[0])
+	default:
+		return icmd.Command(args[0], args[1:]...)
+	}
+}
+
+// Daemon points to the specified daemon
+func Daemon(d *daemon.Daemon) func(*icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Command = append([]string{"--host", d.Sock()}, cmd.Command...)
+		return nil
+	}
+}
+
+// WithTimeout sets the timeout for the command to run
+func WithTimeout(timeout time.Duration) func(cmd *icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Timeout = timeout
+		return nil
+	}
+}
+
+// WithEnvironmentVariables sets the specified environment variables for the command to run
+func WithEnvironmentVariables(envs ...string) func(cmd *icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Env = envs
+		return nil
+	}
+}
+
+// WithFlags sets the specified flags for the command to run
+func WithFlags(flags ...string) func(*icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Command = append(cmd.Command, flags...)
+		return nil
+	}
+}
+
+// InDir sets the folder in which the command should be executed
+func InDir(path string) func(*icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Dir = path
+		return nil
+	}
+}
+
+// WithStdout sets the standard output writer of the command
+func WithStdout(writer io.Writer) func(*icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Stdout = writer
+		return nil
+	}
+}
+
+// WithStdin sets the standard input reader for the command
+func WithStdin(stdin io.Reader) func(*icmd.Cmd) func() {
+	return func(cmd *icmd.Cmd) func() {
+		cmd.Stdin = stdin
+		return nil
+	}
+}
diff --git a/engine/integration-cli/daemon/daemon.go b/engine/integration-cli/daemon/daemon.go
new file mode 100644
index 00000000..3d1fa38d
--- /dev/null
+++ b/engine/integration-cli/daemon/daemon.go
@@ -0,0 +1,143 @@
+package daemon // import "github.com/docker/docker/integration-cli/daemon"
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/daemon"
+	"github.com/go-check/check"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	"gotest.tools/icmd"
+)
+
+type testingT interface {
+	assert.TestingT
+	logT
+	Fatalf(string, ...interface{})
+}
+
+type logT interface {
+	Logf(string, ...interface{})
+}
+
+// Daemon represents a Docker daemon for the testing framework.
+type Daemon struct {
+	*daemon.Daemon
+	dockerBinary string
+}
+
+// New returns a Daemon instance to be used for testing.
+// This will create a directory such as d123456789 in the folder specified by $DOCKER_INTEGRATION_DAEMON_DEST or $DEST.
+// The daemon will not automatically start.
+func New(t testingT, dockerBinary string, dockerdBinary string, ops ...func(*daemon.Daemon)) *Daemon {
+	ops = append(ops, daemon.WithDockerdBinary(dockerdBinary))
+	d := daemon.New(t, ops...)
+	return &Daemon{
+		Daemon:       d,
+		dockerBinary: dockerBinary,
+	}
+}
+
+// Cmd executes a docker CLI command against this daemon.
+// Example: d.Cmd("version") will run docker -H unix://path/to/unix.sock version
+func (d *Daemon) Cmd(args ...string) (string, error) {
+	result := icmd.RunCmd(d.Command(args...))
+	return result.Combined(), result.Error
+}
+
+// Command creates a docker CLI command against this daemon, to be executed later.
+// Example: d.Command("version") creates a command to run "docker -H unix://path/to/unix.sock version"
+func (d *Daemon) Command(args ...string) icmd.Cmd {
+	return icmd.Command(d.dockerBinary, d.PrependHostArg(args)...)
+}
+
+// PrependHostArg prepend the specified arguments by the daemon host flags
+func (d *Daemon) PrependHostArg(args []string) []string {
+	for _, arg := range args {
+		if arg == "--host" || arg == "-H" {
+			return args
+		}
+	}
+	return append([]string{"--host", d.Sock()}, args...)
+}
+
+// GetIDByName returns the ID of an object (container, volume, …) given its name
+func (d *Daemon) GetIDByName(name string) (string, error) {
+	return d.inspectFieldWithError(name, "Id")
+}
+
+// InspectField returns the field filter by 'filter'
+func (d *Daemon) InspectField(name, filter string) (string, error) {
+	return d.inspectFilter(name, filter)
+}
+
+func (d *Daemon) inspectFilter(name, filter string) (string, error) {
+	format := fmt.Sprintf("{{%s}}", filter)
+	out, err := d.Cmd("inspect", "-f", format, name)
+	if err != nil {
+		return "", errors.Errorf("failed to inspect %s: %s", name, out)
+	}
+	return strings.TrimSpace(out), nil
+}
+
+func (d *Daemon) inspectFieldWithError(name, field string) (string, error) {
+	return d.inspectFilter(name, fmt.Sprintf(".%s", field))
+}
+
+// CheckActiveContainerCount returns the number of active containers
+// FIXME(vdemeester) should re-use ActivateContainers in some way
+func (d *Daemon) CheckActiveContainerCount(c *check.C) (interface{}, check.CommentInterface) {
+	out, err := d.Cmd("ps", "-q")
+	c.Assert(err, checker.IsNil)
+	if len(strings.TrimSpace(out)) == 0 {
+		return 0, nil
+	}
+	return len(strings.Split(strings.TrimSpace(out), "\n")), check.Commentf("output: %q", string(out))
+}
+
+// WaitRun waits for a container to be running for 10s
+func (d *Daemon) WaitRun(contID string) error {
+	args := []string{"--host", d.Sock()}
+	return WaitInspectWithArgs(d.dockerBinary, contID, "{{.State.Running}}", "true", 10*time.Second, args...)
+}
+
+// WaitInspectWithArgs waits for the specified expression to be equals to the specified expected string in the given time.
+// Deprecated: use cli.WaitCmd instead
+func WaitInspectWithArgs(dockerBinary, name, expr, expected string, timeout time.Duration, arg ...string) error {
+	after := time.After(timeout)
+
+	args := append(arg, "inspect", "-f", expr, name)
+	for {
+		result := icmd.RunCommand(dockerBinary, args...)
+		if result.Error != nil {
+			if !strings.Contains(strings.ToLower(result.Stderr()), "no such") {
+				return errors.Errorf("error executing docker inspect: %v\n%s",
+					result.Stderr(), result.Stdout())
+			}
+			select {
+			case <-after:
+				return result.Error
+			default:
+				time.Sleep(10 * time.Millisecond)
+				continue
+			}
+		}
+
+		out := strings.TrimSpace(result.Stdout())
+		if out == expected {
+			break
+		}
+
+		select {
+		case <-after:
+			return errors.Errorf("condition \"%q == %q\" not true in time (%v)", out, expected, timeout)
+		default:
+		}
+
+		time.Sleep(100 * time.Millisecond)
+	}
+	return nil
+}
diff --git a/engine/integration-cli/daemon/daemon_swarm.go b/engine/integration-cli/daemon/daemon_swarm.go
new file mode 100644
index 00000000..4a6ce8a5
--- /dev/null
+++ b/engine/integration-cli/daemon/daemon_swarm.go
@@ -0,0 +1,197 @@
+package daemon // import "github.com/docker/docker/integration-cli/daemon"
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"gotest.tools/assert"
+)
+
+// CheckServiceTasksInState returns the number of tasks with a matching state,
+// and optional message substring.
+func (d *Daemon) CheckServiceTasksInState(service string, state swarm.TaskState, message string) func(*check.C) (interface{}, check.CommentInterface) {
+	return func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks := d.GetServiceTasks(c, service)
+		var count int
+		for _, task := range tasks {
+			if task.Status.State == state {
+				if message == "" || strings.Contains(task.Status.Message, message) {
+					count++
+				}
+			}
+		}
+		return count, nil
+	}
+}
+
+// CheckServiceTasksInStateWithError returns the number of tasks with a matching state,
+// and optional message substring.
+func (d *Daemon) CheckServiceTasksInStateWithError(service string, state swarm.TaskState, errorMessage string) func(*check.C) (interface{}, check.CommentInterface) {
+	return func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks := d.GetServiceTasks(c, service)
+		var count int
+		for _, task := range tasks {
+			if task.Status.State == state {
+				if errorMessage == "" || strings.Contains(task.Status.Err, errorMessage) {
+					count++
+				}
+			}
+		}
+		return count, nil
+	}
+}
+
+// CheckServiceRunningTasks returns the number of running tasks for the specified service
+func (d *Daemon) CheckServiceRunningTasks(service string) func(*check.C) (interface{}, check.CommentInterface) {
+	return d.CheckServiceTasksInState(service, swarm.TaskStateRunning, "")
+}
+
+// CheckServiceUpdateState returns the current update state for the specified service
+func (d *Daemon) CheckServiceUpdateState(service string) func(*check.C) (interface{}, check.CommentInterface) {
+	return func(c *check.C) (interface{}, check.CommentInterface) {
+		service := d.GetService(c, service)
+		if service.UpdateStatus == nil {
+			return "", nil
+		}
+		return service.UpdateStatus.State, nil
+	}
+}
+
+// CheckPluginRunning returns the runtime state of the plugin
+func (d *Daemon) CheckPluginRunning(plugin string) func(c *check.C) (interface{}, check.CommentInterface) {
+	return func(c *check.C) (interface{}, check.CommentInterface) {
+		apiclient, err := d.NewClient()
+		assert.NilError(c, err)
+		resp, _, err := apiclient.PluginInspectWithRaw(context.Background(), plugin)
+		if client.IsErrNotFound(err) {
+			return false, check.Commentf("%v", err)
+		}
+		assert.NilError(c, err)
+		return resp.Enabled, check.Commentf("%+v", resp)
+	}
+}
+
+// CheckPluginImage returns the runtime state of the plugin
+func (d *Daemon) CheckPluginImage(plugin string) func(c *check.C) (interface{}, check.CommentInterface) {
+	return func(c *check.C) (interface{}, check.CommentInterface) {
+		apiclient, err := d.NewClient()
+		assert.NilError(c, err)
+		resp, _, err := apiclient.PluginInspectWithRaw(context.Background(), plugin)
+		if client.IsErrNotFound(err) {
+			return false, check.Commentf("%v", err)
+		}
+		assert.NilError(c, err)
+		return resp.PluginReference, check.Commentf("%+v", resp)
+	}
+}
+
+// CheckServiceTasks returns the number of tasks for the specified service
+func (d *Daemon) CheckServiceTasks(service string) func(*check.C) (interface{}, check.CommentInterface) {
+	return func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks := d.GetServiceTasks(c, service)
+		return len(tasks), nil
+	}
+}
+
+// CheckRunningTaskNetworks returns the number of times each network is referenced from a task.
+func (d *Daemon) CheckRunningTaskNetworks(c *check.C) (interface{}, check.CommentInterface) {
+	cli, err := d.NewClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	filterArgs := filters.NewArgs()
+	filterArgs.Add("desired-state", "running")
+
+	options := types.TaskListOptions{
+		Filters: filterArgs,
+	}
+
+	tasks, err := cli.TaskList(context.Background(), options)
+	c.Assert(err, checker.IsNil)
+
+	result := make(map[string]int)
+	for _, task := range tasks {
+		for _, network := range task.Spec.Networks {
+			result[network.Target]++
+		}
+	}
+	return result, nil
+}
+
+// CheckRunningTaskImages returns the times each image is running as a task.
+func (d *Daemon) CheckRunningTaskImages(c *check.C) (interface{}, check.CommentInterface) {
+	cli, err := d.NewClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	filterArgs := filters.NewArgs()
+	filterArgs.Add("desired-state", "running")
+
+	options := types.TaskListOptions{
+		Filters: filterArgs,
+	}
+
+	tasks, err := cli.TaskList(context.Background(), options)
+	c.Assert(err, checker.IsNil)
+
+	result := make(map[string]int)
+	for _, task := range tasks {
+		if task.Status.State == swarm.TaskStateRunning && task.Spec.ContainerSpec != nil {
+			result[task.Spec.ContainerSpec.Image]++
+		}
+	}
+	return result, nil
+}
+
+// CheckNodeReadyCount returns the number of ready node on the swarm
+func (d *Daemon) CheckNodeReadyCount(c *check.C) (interface{}, check.CommentInterface) {
+	nodes := d.ListNodes(c)
+	var readyCount int
+	for _, node := range nodes {
+		if node.Status.State == swarm.NodeStateReady {
+			readyCount++
+		}
+	}
+	return readyCount, nil
+}
+
+// CheckLocalNodeState returns the current swarm node state
+func (d *Daemon) CheckLocalNodeState(c *check.C) (interface{}, check.CommentInterface) {
+	info := d.SwarmInfo(c)
+	return info.LocalNodeState, nil
+}
+
+// CheckControlAvailable returns the current swarm control available
+func (d *Daemon) CheckControlAvailable(c *check.C) (interface{}, check.CommentInterface) {
+	info := d.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+	return info.ControlAvailable, nil
+}
+
+// CheckLeader returns whether there is a leader on the swarm or not
+func (d *Daemon) CheckLeader(c *check.C) (interface{}, check.CommentInterface) {
+	cli, err := d.NewClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	errList := check.Commentf("could not get node list")
+
+	ls, err := cli.NodeList(context.Background(), types.NodeListOptions{})
+	if err != nil {
+		return err, errList
+	}
+
+	for _, node := range ls {
+		if node.ManagerStatus != nil && node.ManagerStatus.Leader {
+			return nil, nil
+		}
+	}
+	return fmt.Errorf("no leader"), check.Commentf("could not find leader")
+}
diff --git a/engine/integration-cli/daemon_swarm_hack_test.go b/engine/integration-cli/daemon_swarm_hack_test.go
new file mode 100644
index 00000000..7a23e84b
--- /dev/null
+++ b/engine/integration-cli/daemon_swarm_hack_test.go
@@ -0,0 +1,23 @@
+package main
+
+import (
+	"github.com/docker/docker/integration-cli/daemon"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSwarmSuite) getDaemon(c *check.C, nodeID string) *daemon.Daemon {
+	s.daemonsLock.Lock()
+	defer s.daemonsLock.Unlock()
+	for _, d := range s.daemons {
+		if d.NodeID() == nodeID {
+			return d
+		}
+	}
+	c.Fatalf("could not find node with id: %s", nodeID)
+	return nil
+}
+
+// nodeCmd executes a command on a given node via the normal docker socket
+func (s *DockerSwarmSuite) nodeCmd(c *check.C, id string, args ...string) (string, error) {
+	return s.getDaemon(c, id).Cmd(args...)
+}
diff --git a/engine/integration-cli/docker_api_attach_test.go b/engine/integration-cli/docker_api_attach_test.go
new file mode 100644
index 00000000..26633841
--- /dev/null
+++ b/engine/integration-cli/docker_api_attach_test.go
@@ -0,0 +1,260 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/go-check/check"
+	"github.com/pkg/errors"
+	"golang.org/x/net/websocket"
+)
+
+func (s *DockerSuite) TestGetContainersAttachWebsocket(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-dit", "busybox", "cat")
+
+	rwc, err := request.SockConn(time.Duration(10*time.Second), daemonHost())
+	c.Assert(err, checker.IsNil)
+
+	cleanedContainerID := strings.TrimSpace(out)
+	config, err := websocket.NewConfig(
+		"/containers/"+cleanedContainerID+"/attach/ws?stream=1&stdin=1&stdout=1&stderr=1",
+		"http://localhost",
+	)
+	c.Assert(err, checker.IsNil)
+
+	ws, err := websocket.NewClient(config, rwc)
+	c.Assert(err, checker.IsNil)
+	defer ws.Close()
+
+	expected := []byte("hello")
+	actual := make([]byte, len(expected))
+
+	outChan := make(chan error)
+	go func() {
+		_, err := io.ReadFull(ws, actual)
+		outChan <- err
+		close(outChan)
+	}()
+
+	inChan := make(chan error)
+	go func() {
+		_, err := ws.Write(expected)
+		inChan <- err
+		close(inChan)
+	}()
+
+	select {
+	case err := <-inChan:
+		c.Assert(err, checker.IsNil)
+	case <-time.After(5 * time.Second):
+		c.Fatal("Timeout writing to ws")
+	}
+
+	select {
+	case err := <-outChan:
+		c.Assert(err, checker.IsNil)
+	case <-time.After(5 * time.Second):
+		c.Fatal("Timeout reading from ws")
+	}
+
+	c.Assert(actual, checker.DeepEquals, expected, check.Commentf("Websocket didn't return the expected data"))
+}
+
+// regression gh14320
+func (s *DockerSuite) TestPostContainersAttachContainerNotFound(c *check.C) {
+	resp, _, err := request.Post("/containers/doesnotexist/attach")
+	c.Assert(err, checker.IsNil)
+	// connection will shutdown, err should be "persistent connection closed"
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
+	content, err := request.ReadBody(resp.Body)
+	c.Assert(err, checker.IsNil)
+	expected := "No such container: doesnotexist\r\n"
+	c.Assert(string(content), checker.Equals, expected)
+}
+
+func (s *DockerSuite) TestGetContainersWsAttachContainerNotFound(c *check.C) {
+	res, body, err := request.Get("/containers/doesnotexist/attach/ws")
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNotFound)
+	c.Assert(err, checker.IsNil)
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	expected := "No such container: doesnotexist"
+	c.Assert(getErrorMessage(c, b), checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestPostContainersAttach(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	expectSuccess := func(conn net.Conn, br *bufio.Reader, stream string, tty bool) {
+		defer conn.Close()
+		expected := []byte("success")
+		_, err := conn.Write(expected)
+		c.Assert(err, checker.IsNil)
+
+		conn.SetReadDeadline(time.Now().Add(time.Second))
+		lenHeader := 0
+		if !tty {
+			lenHeader = 8
+		}
+		actual := make([]byte, len(expected)+lenHeader)
+		_, err = io.ReadFull(br, actual)
+		c.Assert(err, checker.IsNil)
+		if !tty {
+			fdMap := map[string]byte{
+				"stdin":  0,
+				"stdout": 1,
+				"stderr": 2,
+			}
+			c.Assert(actual[0], checker.Equals, fdMap[stream])
+		}
+		c.Assert(actual[lenHeader:], checker.DeepEquals, expected, check.Commentf("Attach didn't return the expected data from %s", stream))
+	}
+
+	expectTimeout := func(conn net.Conn, br *bufio.Reader, stream string) {
+		defer conn.Close()
+		_, err := conn.Write([]byte{'t'})
+		c.Assert(err, checker.IsNil)
+
+		conn.SetReadDeadline(time.Now().Add(time.Second))
+		actual := make([]byte, 1)
+		_, err = io.ReadFull(br, actual)
+		opErr, ok := err.(*net.OpError)
+		c.Assert(ok, checker.Equals, true, check.Commentf("Error is expected to be *net.OpError, got %v", err))
+		c.Assert(opErr.Timeout(), checker.Equals, true, check.Commentf("Read from %s is expected to timeout", stream))
+	}
+
+	// Create a container that only emits stdout.
+	cid, _ := dockerCmd(c, "run", "-di", "busybox", "cat")
+	cid = strings.TrimSpace(cid)
+	// Attach to the container's stdout stream.
+	conn, br, err := sockRequestHijack("POST", "/containers/"+cid+"/attach?stream=1&stdin=1&stdout=1", nil, "text/plain", daemonHost())
+	c.Assert(err, checker.IsNil)
+	// Check if the data from stdout can be received.
+	expectSuccess(conn, br, "stdout", false)
+	// Attach to the container's stderr stream.
+	conn, br, err = sockRequestHijack("POST", "/containers/"+cid+"/attach?stream=1&stdin=1&stderr=1", nil, "text/plain", daemonHost())
+	c.Assert(err, checker.IsNil)
+	// Since the container only emits stdout, attaching to stderr should return nothing.
+	expectTimeout(conn, br, "stdout")
+
+	// Test the similar functions of the stderr stream.
+	cid, _ = dockerCmd(c, "run", "-di", "busybox", "/bin/sh", "-c", "cat >&2")
+	cid = strings.TrimSpace(cid)
+	conn, br, err = sockRequestHijack("POST", "/containers/"+cid+"/attach?stream=1&stdin=1&stderr=1", nil, "text/plain", daemonHost())
+	c.Assert(err, checker.IsNil)
+	expectSuccess(conn, br, "stderr", false)
+	conn, br, err = sockRequestHijack("POST", "/containers/"+cid+"/attach?stream=1&stdin=1&stdout=1", nil, "text/plain", daemonHost())
+	c.Assert(err, checker.IsNil)
+	expectTimeout(conn, br, "stderr")
+
+	// Test with tty.
+	cid, _ = dockerCmd(c, "run", "-dit", "busybox", "/bin/sh", "-c", "cat >&2")
+	cid = strings.TrimSpace(cid)
+	// Attach to stdout only.
+	conn, br, err = sockRequestHijack("POST", "/containers/"+cid+"/attach?stream=1&stdin=1&stdout=1", nil, "text/plain", daemonHost())
+	c.Assert(err, checker.IsNil)
+	expectSuccess(conn, br, "stdout", true)
+
+	// Attach without stdout stream.
+	conn, br, err = sockRequestHijack("POST", "/containers/"+cid+"/attach?stream=1&stdin=1&stderr=1", nil, "text/plain", daemonHost())
+	c.Assert(err, checker.IsNil)
+	// Nothing should be received because both the stdout and stderr of the container will be
+	// sent to the client as stdout when tty is enabled.
+	expectTimeout(conn, br, "stdout")
+
+	// Test the client API
+	client, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer client.Close()
+
+	cid, _ = dockerCmd(c, "run", "-di", "busybox", "/bin/sh", "-c", "echo hello; cat")
+	cid = strings.TrimSpace(cid)
+
+	// Make sure we don't see "hello" if Logs is false
+	attachOpts := types.ContainerAttachOptions{
+		Stream: true,
+		Stdin:  true,
+		Stdout: true,
+		Stderr: true,
+		Logs:   false,
+	}
+
+	resp, err := client.ContainerAttach(context.Background(), cid, attachOpts)
+	c.Assert(err, checker.IsNil)
+	expectSuccess(resp.Conn, resp.Reader, "stdout", false)
+
+	// Make sure we do see "hello" if Logs is true
+	attachOpts.Logs = true
+	resp, err = client.ContainerAttach(context.Background(), cid, attachOpts)
+	c.Assert(err, checker.IsNil)
+
+	defer resp.Conn.Close()
+	resp.Conn.SetReadDeadline(time.Now().Add(time.Second))
+
+	_, err = resp.Conn.Write([]byte("success"))
+	c.Assert(err, checker.IsNil)
+
+	var outBuf, errBuf bytes.Buffer
+	_, err = stdcopy.StdCopy(&outBuf, &errBuf, resp.Reader)
+	if err != nil && errors.Cause(err).(net.Error).Timeout() {
+		// ignore the timeout error as it is expected
+		err = nil
+	}
+	c.Assert(err, checker.IsNil)
+	c.Assert(errBuf.String(), checker.Equals, "")
+	c.Assert(outBuf.String(), checker.Equals, "hello\nsuccess")
+}
+
+// SockRequestHijack creates a connection to specified host (with method, contenttype, …) and returns a hijacked connection
+// and the output as a `bufio.Reader`
+func sockRequestHijack(method, endpoint string, data io.Reader, ct string, daemon string, modifiers ...func(*http.Request)) (net.Conn, *bufio.Reader, error) {
+	req, client, err := newRequestClient(method, endpoint, data, ct, daemon, modifiers...)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	client.Do(req)
+	conn, br := client.Hijack()
+	return conn, br, nil
+}
+
+// FIXME(vdemeester) httputil.ClientConn is deprecated, use http.Client instead (closer to actual client)
+// Deprecated: Use New instead of NewRequestClient
+// Deprecated: use request.Do (or Get, Delete, Post) instead
+func newRequestClient(method, endpoint string, data io.Reader, ct, daemon string, modifiers ...func(*http.Request)) (*http.Request, *httputil.ClientConn, error) {
+	c, err := request.SockConn(time.Duration(10*time.Second), daemon)
+	if err != nil {
+		return nil, nil, fmt.Errorf("could not dial docker daemon: %v", err)
+	}
+
+	client := httputil.NewClientConn(c, nil)
+
+	req, err := http.NewRequest(method, endpoint, data)
+	if err != nil {
+		client.Close()
+		return nil, nil, fmt.Errorf("could not create new request: %v", err)
+	}
+
+	for _, opt := range modifiers {
+		opt(req)
+	}
+
+	if ct != "" {
+		req.Header.Set("Content-Type", ct)
+	}
+	return req, client, nil
+}
diff --git a/engine/integration-cli/docker_api_build_test.go b/engine/integration-cli/docker_api_build_test.go
new file mode 100644
index 00000000..144acbd0
--- /dev/null
+++ b/engine/integration-cli/docker_api_build_test.go
@@ -0,0 +1,558 @@
+package main
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"regexp"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/docker/internal/test/fakegit"
+	"github.com/docker/docker/internal/test/fakestorage"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func (s *DockerSuite) TestBuildAPIDockerFileRemote(c *check.C) {
+	testRequires(c, NotUserNamespace)
+
+	var testD string
+	if testEnv.OSType == "windows" {
+		testD = `FROM busybox
+RUN find / -name ba*
+RUN find /tmp/`
+	} else {
+		// -xdev is required because sysfs can cause EPERM
+		testD = `FROM busybox
+RUN find / -xdev -name ba*
+RUN find /tmp/`
+	}
+	server := fakestorage.New(c, "", fakecontext.WithFiles(map[string]string{"testD": testD}))
+	defer server.Close()
+
+	res, body, err := request.Post("/build?dockerfile=baz&remote="+server.URL()+"/testD", request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	buf, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	// Make sure Dockerfile exists.
+	// Make sure 'baz' doesn't exist ANYWHERE despite being mentioned in the URL
+	out := string(buf)
+	c.Assert(out, checker.Contains, "RUN find /tmp")
+	c.Assert(out, checker.Not(checker.Contains), "baz")
+}
+
+func (s *DockerSuite) TestBuildAPIRemoteTarballContext(c *check.C) {
+	buffer := new(bytes.Buffer)
+	tw := tar.NewWriter(buffer)
+	defer tw.Close()
+
+	dockerfile := []byte("FROM busybox")
+	err := tw.WriteHeader(&tar.Header{
+		Name: "Dockerfile",
+		Size: int64(len(dockerfile)),
+	})
+	// failed to write tar file header
+	c.Assert(err, checker.IsNil)
+
+	_, err = tw.Write(dockerfile)
+	// failed to write tar file content
+	c.Assert(err, checker.IsNil)
+
+	// failed to close tar archive
+	c.Assert(tw.Close(), checker.IsNil)
+
+	server := fakestorage.New(c, "", fakecontext.WithBinaryFiles(map[string]*bytes.Buffer{
+		"testT.tar": buffer,
+	}))
+	defer server.Close()
+
+	res, b, err := request.Post("/build?remote="+server.URL()+"/testT.tar", request.ContentType("application/tar"))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+	b.Close()
+}
+
+func (s *DockerSuite) TestBuildAPIRemoteTarballContextWithCustomDockerfile(c *check.C) {
+	buffer := new(bytes.Buffer)
+	tw := tar.NewWriter(buffer)
+	defer tw.Close()
+
+	dockerfile := []byte(`FROM busybox
+RUN echo 'wrong'`)
+	err := tw.WriteHeader(&tar.Header{
+		Name: "Dockerfile",
+		Size: int64(len(dockerfile)),
+	})
+	// failed to write tar file header
+	c.Assert(err, checker.IsNil)
+
+	_, err = tw.Write(dockerfile)
+	// failed to write tar file content
+	c.Assert(err, checker.IsNil)
+
+	custom := []byte(`FROM busybox
+RUN echo 'right'
+`)
+	err = tw.WriteHeader(&tar.Header{
+		Name: "custom",
+		Size: int64(len(custom)),
+	})
+
+	// failed to write tar file header
+	c.Assert(err, checker.IsNil)
+
+	_, err = tw.Write(custom)
+	// failed to write tar file content
+	c.Assert(err, checker.IsNil)
+
+	// failed to close tar archive
+	c.Assert(tw.Close(), checker.IsNil)
+
+	server := fakestorage.New(c, "", fakecontext.WithBinaryFiles(map[string]*bytes.Buffer{
+		"testT.tar": buffer,
+	}))
+	defer server.Close()
+
+	url := "/build?dockerfile=custom&remote=" + server.URL() + "/testT.tar"
+	res, body, err := request.Post(url, request.ContentType("application/tar"))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	defer body.Close()
+	content, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	// Build used the wrong dockerfile.
+	c.Assert(string(content), checker.Not(checker.Contains), "wrong")
+}
+
+func (s *DockerSuite) TestBuildAPILowerDockerfile(c *check.C) {
+	git := fakegit.New(c, "repo", map[string]string{
+		"dockerfile": `FROM busybox
+RUN echo from dockerfile`,
+	}, false)
+	defer git.Close()
+
+	res, body, err := request.Post("/build?remote="+git.RepoURL, request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	buf, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	out := string(buf)
+	c.Assert(out, checker.Contains, "from dockerfile")
+}
+
+func (s *DockerSuite) TestBuildAPIBuildGitWithF(c *check.C) {
+	git := fakegit.New(c, "repo", map[string]string{
+		"baz": `FROM busybox
+RUN echo from baz`,
+		"Dockerfile": `FROM busybox
+RUN echo from Dockerfile`,
+	}, false)
+	defer git.Close()
+
+	// Make sure it tries to 'dockerfile' query param value
+	res, body, err := request.Post("/build?dockerfile=baz&remote="+git.RepoURL, request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	buf, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	out := string(buf)
+	c.Assert(out, checker.Contains, "from baz")
+}
+
+func (s *DockerSuite) TestBuildAPIDoubleDockerfile(c *check.C) {
+	testRequires(c, UnixCli) // dockerfile overwrites Dockerfile on Windows
+	git := fakegit.New(c, "repo", map[string]string{
+		"Dockerfile": `FROM busybox
+RUN echo from Dockerfile`,
+		"dockerfile": `FROM busybox
+RUN echo from dockerfile`,
+	}, false)
+	defer git.Close()
+
+	// Make sure it tries to 'dockerfile' query param value
+	res, body, err := request.Post("/build?remote="+git.RepoURL, request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	buf, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	out := string(buf)
+	c.Assert(out, checker.Contains, "from Dockerfile")
+}
+
+func (s *DockerSuite) TestBuildAPIUnnormalizedTarPaths(c *check.C) {
+	// Make sure that build context tars with entries of the form
+	// x/./y don't cause caching false positives.
+
+	buildFromTarContext := func(fileContents []byte) string {
+		buffer := new(bytes.Buffer)
+		tw := tar.NewWriter(buffer)
+		defer tw.Close()
+
+		dockerfile := []byte(`FROM busybox
+	COPY dir /dir/`)
+		err := tw.WriteHeader(&tar.Header{
+			Name: "Dockerfile",
+			Size: int64(len(dockerfile)),
+		})
+		//failed to write tar file header
+		c.Assert(err, checker.IsNil)
+
+		_, err = tw.Write(dockerfile)
+		// failed to write Dockerfile in tar file content
+		c.Assert(err, checker.IsNil)
+
+		err = tw.WriteHeader(&tar.Header{
+			Name: "dir/./file",
+			Size: int64(len(fileContents)),
+		})
+		//failed to write tar file header
+		c.Assert(err, checker.IsNil)
+
+		_, err = tw.Write(fileContents)
+		// failed to write file contents in tar file content
+		c.Assert(err, checker.IsNil)
+
+		// failed to close tar archive
+		c.Assert(tw.Close(), checker.IsNil)
+
+		res, body, err := request.Post("/build", request.RawContent(ioutil.NopCloser(buffer)), request.ContentType("application/x-tar"))
+		c.Assert(err, checker.IsNil)
+		c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+		out, err := request.ReadBody(body)
+		c.Assert(err, checker.IsNil)
+		lines := strings.Split(string(out), "\n")
+		c.Assert(len(lines), checker.GreaterThan, 1)
+		c.Assert(lines[len(lines)-2], checker.Matches, ".*Successfully built [0-9a-f]{12}.*")
+
+		re := regexp.MustCompile("Successfully built ([0-9a-f]{12})")
+		matches := re.FindStringSubmatch(lines[len(lines)-2])
+		return matches[1]
+	}
+
+	imageA := buildFromTarContext([]byte("abc"))
+	imageB := buildFromTarContext([]byte("def"))
+
+	c.Assert(imageA, checker.Not(checker.Equals), imageB)
+}
+
+func (s *DockerSuite) TestBuildOnBuildWithCopy(c *check.C) {
+	dockerfile := `
+		FROM ` + minimalBaseImage() + ` as onbuildbase
+		ONBUILD COPY file /file
+
+		FROM onbuildbase
+	`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFile("file", "some content"),
+	)
+	defer ctx.Close()
+
+	res, body, err := request.Post(
+		"/build",
+		request.RawContent(ctx.AsTarReader(c)),
+		request.ContentType("application/x-tar"))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	out, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(out), checker.Contains, "Successfully built")
+}
+
+func (s *DockerSuite) TestBuildOnBuildCache(c *check.C) {
+	build := func(dockerfile string) []byte {
+		ctx := fakecontext.New(c, "",
+			fakecontext.WithDockerfile(dockerfile),
+		)
+		defer ctx.Close()
+
+		res, body, err := request.Post(
+			"/build",
+			request.RawContent(ctx.AsTarReader(c)),
+			request.ContentType("application/x-tar"))
+		assert.NilError(c, err)
+		assert.Check(c, is.DeepEqual(http.StatusOK, res.StatusCode))
+
+		out, err := request.ReadBody(body)
+		assert.NilError(c, err)
+		assert.Check(c, is.Contains(string(out), "Successfully built"))
+		return out
+	}
+
+	dockerfile := `
+		FROM ` + minimalBaseImage() + ` as onbuildbase
+		ENV something=bar
+		ONBUILD ENV foo=bar
+	`
+	build(dockerfile)
+
+	dockerfile += "FROM onbuildbase"
+	out := build(dockerfile)
+
+	imageIDs := getImageIDsFromBuild(c, out)
+	assert.Check(c, is.Len(imageIDs, 2))
+	parentID, childID := imageIDs[0], imageIDs[1]
+
+	client := testEnv.APIClient()
+
+	// check parentID is correct
+	image, _, err := client.ImageInspectWithRaw(context.Background(), childID)
+	assert.NilError(c, err)
+	assert.Check(c, is.Equal(parentID, image.Parent))
+}
+
+func (s *DockerRegistrySuite) TestBuildCopyFromForcePull(c *check.C) {
+	client := testEnv.APIClient()
+
+	repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+	// tag the image to upload it to the private registry
+	err := client.ImageTag(context.TODO(), "busybox", repoName)
+	assert.Check(c, err)
+	// push the image to the registry
+	rc, err := client.ImagePush(context.TODO(), repoName, types.ImagePushOptions{RegistryAuth: "{}"})
+	assert.Check(c, err)
+	_, err = io.Copy(ioutil.Discard, rc)
+	assert.Check(c, err)
+
+	dockerfile := fmt.Sprintf(`
+		FROM %s AS foo
+		RUN touch abc
+		FROM %s
+		COPY --from=foo /abc /
+		`, repoName, repoName)
+
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+	)
+	defer ctx.Close()
+
+	res, body, err := request.Post(
+		"/build?pull=1",
+		request.RawContent(ctx.AsTarReader(c)),
+		request.ContentType("application/x-tar"))
+	assert.NilError(c, err)
+	assert.Check(c, is.DeepEqual(http.StatusOK, res.StatusCode))
+
+	out, err := request.ReadBody(body)
+	assert.NilError(c, err)
+	assert.Check(c, is.Contains(string(out), "Successfully built"))
+}
+
+func (s *DockerSuite) TestBuildAddRemoteNoDecompress(c *check.C) {
+	buffer := new(bytes.Buffer)
+	tw := tar.NewWriter(buffer)
+	dt := []byte("contents")
+	err := tw.WriteHeader(&tar.Header{
+		Name:     "foo",
+		Size:     int64(len(dt)),
+		Mode:     0600,
+		Typeflag: tar.TypeReg,
+	})
+	assert.NilError(c, err)
+	_, err = tw.Write(dt)
+	assert.NilError(c, err)
+	err = tw.Close()
+	assert.NilError(c, err)
+
+	server := fakestorage.New(c, "", fakecontext.WithBinaryFiles(map[string]*bytes.Buffer{
+		"test.tar": buffer,
+	}))
+	defer server.Close()
+
+	dockerfile := fmt.Sprintf(`
+		FROM busybox
+		ADD %s/test.tar /
+		RUN [ -f test.tar ]
+		`, server.URL())
+
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+	)
+	defer ctx.Close()
+
+	res, body, err := request.Post(
+		"/build",
+		request.RawContent(ctx.AsTarReader(c)),
+		request.ContentType("application/x-tar"))
+	assert.NilError(c, err)
+	assert.Check(c, is.DeepEqual(http.StatusOK, res.StatusCode))
+
+	out, err := request.ReadBody(body)
+	assert.NilError(c, err)
+	assert.Check(c, is.Contains(string(out), "Successfully built"))
+}
+
+func (s *DockerSuite) TestBuildChownOnCopy(c *check.C) {
+	// new feature added in 1.31 - https://github.com/moby/moby/pull/34263
+	testRequires(c, DaemonIsLinux, MinimumAPIVersion("1.31"))
+	dockerfile := `FROM busybox
+		RUN echo 'test1:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+		RUN echo 'test1:x:1001:' >> /etc/group
+		RUN echo 'test2:x:1002:' >> /etc/group
+		COPY --chown=test1:1002 . /new_dir
+		RUN ls -l /
+		RUN [ $(ls -l / | grep new_dir | awk '{print $3":"$4}') = 'test1:test2' ]
+		RUN [ $(ls -nl / | grep new_dir | awk '{print $3":"$4}') = '1001:1002' ]
+	`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFile("test_file1", "some test content"),
+	)
+	defer ctx.Close()
+
+	res, body, err := request.Post(
+		"/build",
+		request.RawContent(ctx.AsTarReader(c)),
+		request.ContentType("application/x-tar"))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	out, err := request.ReadBody(body)
+	assert.NilError(c, err)
+	assert.Check(c, is.Contains(string(out), "Successfully built"))
+}
+
+func (s *DockerSuite) TestBuildCopyCacheOnFileChange(c *check.C) {
+
+	dockerfile := `FROM busybox
+COPY file /file`
+
+	ctx1 := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFile("file", "foo"))
+	ctx2 := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFile("file", "bar"))
+
+	var build = func(ctx *fakecontext.Fake) string {
+		res, body, err := request.Post("/build",
+			request.RawContent(ctx.AsTarReader(c)),
+			request.ContentType("application/x-tar"))
+
+		assert.NilError(c, err)
+		assert.Check(c, is.DeepEqual(http.StatusOK, res.StatusCode))
+
+		out, err := request.ReadBody(body)
+		assert.NilError(c, err)
+
+		ids := getImageIDsFromBuild(c, out)
+		return ids[len(ids)-1]
+	}
+
+	id1 := build(ctx1)
+	id2 := build(ctx1)
+	id3 := build(ctx2)
+
+	if id1 != id2 {
+		c.Fatal("didn't use the cache")
+	}
+	if id1 == id3 {
+		c.Fatal("COPY With different source file should not share same cache")
+	}
+}
+
+func (s *DockerSuite) TestBuildAddCacheOnFileChange(c *check.C) {
+
+	dockerfile := `FROM busybox
+ADD file /file`
+
+	ctx1 := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFile("file", "foo"))
+	ctx2 := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFile("file", "bar"))
+
+	var build = func(ctx *fakecontext.Fake) string {
+		res, body, err := request.Post("/build",
+			request.RawContent(ctx.AsTarReader(c)),
+			request.ContentType("application/x-tar"))
+
+		assert.NilError(c, err)
+		assert.Check(c, is.DeepEqual(http.StatusOK, res.StatusCode))
+
+		out, err := request.ReadBody(body)
+		assert.NilError(c, err)
+
+		ids := getImageIDsFromBuild(c, out)
+		return ids[len(ids)-1]
+	}
+
+	id1 := build(ctx1)
+	id2 := build(ctx1)
+	id3 := build(ctx2)
+
+	if id1 != id2 {
+		c.Fatal("didn't use the cache")
+	}
+	if id1 == id3 {
+		c.Fatal("COPY With different source file should not share same cache")
+	}
+}
+
+func (s *DockerSuite) TestBuildScratchCopy(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerfile := `FROM scratch
+ADD Dockerfile /
+ENV foo bar`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+	)
+	defer ctx.Close()
+
+	res, body, err := request.Post(
+		"/build",
+		request.RawContent(ctx.AsTarReader(c)),
+		request.ContentType("application/x-tar"))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	out, err := request.ReadBody(body)
+	assert.NilError(c, err)
+	assert.Check(c, is.Contains(string(out), "Successfully built"))
+}
+
+type buildLine struct {
+	Stream string
+	Aux    struct {
+		ID string
+	}
+}
+
+func getImageIDsFromBuild(c *check.C, output []byte) []string {
+	var ids []string
+	for _, line := range bytes.Split(output, []byte("\n")) {
+		if len(line) == 0 {
+			continue
+		}
+		entry := buildLine{}
+		assert.NilError(c, json.Unmarshal(line, &entry))
+		if entry.Aux.ID != "" {
+			ids = append(ids, entry.Aux.ID)
+		}
+	}
+	return ids
+}
diff --git a/engine/integration-cli/docker_api_build_windows_test.go b/engine/integration-cli/docker_api_build_windows_test.go
new file mode 100644
index 00000000..a605c5be
--- /dev/null
+++ b/engine/integration-cli/docker_api_build_windows_test.go
@@ -0,0 +1,39 @@
+// +build windows
+
+package main
+
+import (
+	"net/http"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func (s *DockerSuite) TestBuildWithRecycleBin(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+
+	dockerfile := "" +
+		"FROM " + testEnv.PlatformDefaults.BaseImage + "\n" +
+		"RUN md $REcycLE.biN && md missing\n" +
+		"RUN dir $Recycle.Bin && exit 1 || exit 0\n" +
+		"RUN dir missing\n"
+
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(dockerfile))
+	defer ctx.Close()
+
+	res, body, err := request.Post(
+		"/build",
+		request.RawContent(ctx.AsTarReader(c)),
+		request.ContentType("application/x-tar"))
+
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	out, err := request.ReadBody(body)
+	assert.NilError(c, err)
+	assert.Check(c, is.Contains(string(out), "Successfully built"))
+}
diff --git a/engine/integration-cli/docker_api_containers_test.go b/engine/integration-cli/docker_api_containers_test.go
new file mode 100644
index 00000000..e8e47bd8
--- /dev/null
+++ b/engine/integration-cli/docker_api_containers_test.go
@@ -0,0 +1,2207 @@
+package main
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	mounttypes "github.com/docker/docker/api/types/mount"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/volume"
+	"github.com/docker/go-connections/nat"
+	"github.com/go-check/check"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+)
+
+func (s *DockerSuite) TestContainerAPIGetAll(c *check.C) {
+	startCount := getContainerCount(c)
+	name := "getall"
+	dockerCmd(c, "run", "--name", name, "busybox", "true")
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	options := types.ContainerListOptions{
+		All: true,
+	}
+	containers, err := cli.ContainerList(context.Background(), options)
+	c.Assert(err, checker.IsNil)
+	c.Assert(containers, checker.HasLen, startCount+1)
+	actual := containers[0].Names[0]
+	c.Assert(actual, checker.Equals, "/"+name)
+}
+
+// regression test for empty json field being omitted #13691
+func (s *DockerSuite) TestContainerAPIGetJSONNoFieldsOmitted(c *check.C) {
+	startCount := getContainerCount(c)
+	dockerCmd(c, "run", "busybox", "true")
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	options := types.ContainerListOptions{
+		All: true,
+	}
+	containers, err := cli.ContainerList(context.Background(), options)
+	c.Assert(err, checker.IsNil)
+	c.Assert(containers, checker.HasLen, startCount+1)
+	actual := fmt.Sprintf("%+v", containers[0])
+
+	// empty Labels field triggered this bug, make sense to check for everything
+	// cause even Ports for instance can trigger this bug
+	// better safe than sorry..
+	fields := []string{
+		"ID",
+		"Names",
+		"Image",
+		"Command",
+		"Created",
+		"Ports",
+		"Labels",
+		"Status",
+		"NetworkSettings",
+	}
+
+	// decoding into types.Container do not work since it eventually unmarshal
+	// and empty field to an empty go map, so we just check for a string
+	for _, f := range fields {
+		if !strings.Contains(actual, f) {
+			c.Fatalf("Field %s is missing and it shouldn't", f)
+		}
+	}
+}
+
+type containerPs struct {
+	Names []string
+	Ports []types.Port
+}
+
+// regression test for non-empty fields from #13901
+func (s *DockerSuite) TestContainerAPIPsOmitFields(c *check.C) {
+	// Problematic for Windows porting due to networking not yet being passed back
+	testRequires(c, DaemonIsLinux)
+	name := "pstest"
+	port := 80
+	runSleepingContainer(c, "--name", name, "--expose", strconv.Itoa(port))
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	options := types.ContainerListOptions{
+		All: true,
+	}
+	containers, err := cli.ContainerList(context.Background(), options)
+	c.Assert(err, checker.IsNil)
+	var foundContainer containerPs
+	for _, c := range containers {
+		for _, testName := range c.Names {
+			if "/"+name == testName {
+				foundContainer.Names = c.Names
+				foundContainer.Ports = c.Ports
+				break
+			}
+		}
+	}
+
+	c.Assert(foundContainer.Ports, checker.HasLen, 1)
+	c.Assert(foundContainer.Ports[0].PrivatePort, checker.Equals, uint16(port))
+	c.Assert(foundContainer.Ports[0].PublicPort, checker.NotNil)
+	c.Assert(foundContainer.Ports[0].IP, checker.NotNil)
+}
+
+func (s *DockerSuite) TestContainerAPIGetExport(c *check.C) {
+	// Not supported on Windows as Windows does not support docker export
+	testRequires(c, DaemonIsLinux)
+	name := "exportcontainer"
+	dockerCmd(c, "run", "--name", name, "busybox", "touch", "/test")
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	body, err := cli.ContainerExport(context.Background(), name)
+	c.Assert(err, checker.IsNil)
+	defer body.Close()
+	found := false
+	for tarReader := tar.NewReader(body); ; {
+		h, err := tarReader.Next()
+		if err != nil && err == io.EOF {
+			break
+		}
+		if h.Name == "test" {
+			found = true
+			break
+		}
+	}
+	c.Assert(found, checker.True, check.Commentf("The created test file has not been found in the exported image"))
+}
+
+func (s *DockerSuite) TestContainerAPIGetChanges(c *check.C) {
+	// Not supported on Windows as Windows does not support docker diff (/containers/name/changes)
+	testRequires(c, DaemonIsLinux)
+	name := "changescontainer"
+	dockerCmd(c, "run", "--name", name, "busybox", "rm", "/etc/passwd")
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	changes, err := cli.ContainerDiff(context.Background(), name)
+	c.Assert(err, checker.IsNil)
+
+	// Check the changelog for removal of /etc/passwd
+	success := false
+	for _, elem := range changes {
+		if elem.Path == "/etc/passwd" && elem.Kind == 2 {
+			success = true
+		}
+	}
+	c.Assert(success, checker.True, check.Commentf("/etc/passwd has been removed but is not present in the diff"))
+}
+
+func (s *DockerSuite) TestGetContainerStats(c *check.C) {
+	var (
+		name = "statscontainer"
+	)
+	runSleepingContainer(c, "--name", name)
+
+	type b struct {
+		stats types.ContainerStats
+		err   error
+	}
+
+	bc := make(chan b, 1)
+	go func() {
+		cli, err := client.NewEnvClient()
+		c.Assert(err, checker.IsNil)
+		defer cli.Close()
+
+		stats, err := cli.ContainerStats(context.Background(), name, true)
+		c.Assert(err, checker.IsNil)
+		bc <- b{stats, err}
+	}()
+
+	// allow some time to stream the stats from the container
+	time.Sleep(4 * time.Second)
+	dockerCmd(c, "rm", "-f", name)
+
+	// collect the results from the stats stream or timeout and fail
+	// if the stream was not disconnected.
+	select {
+	case <-time.After(2 * time.Second):
+		c.Fatal("stream was not closed after container was removed")
+	case sr := <-bc:
+		dec := json.NewDecoder(sr.stats.Body)
+		defer sr.stats.Body.Close()
+		var s *types.Stats
+		// decode only one object from the stream
+		c.Assert(dec.Decode(&s), checker.IsNil)
+	}
+}
+
+func (s *DockerSuite) TestGetContainerStatsRmRunning(c *check.C) {
+	out := runSleepingContainer(c)
+	id := strings.TrimSpace(out)
+
+	buf := &ChannelBuffer{C: make(chan []byte, 1)}
+	defer buf.Close()
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	stats, err := cli.ContainerStats(context.Background(), id, true)
+	c.Assert(err, checker.IsNil)
+	defer stats.Body.Close()
+
+	chErr := make(chan error, 1)
+	go func() {
+		_, err = io.Copy(buf, stats.Body)
+		chErr <- err
+	}()
+
+	b := make([]byte, 32)
+	// make sure we've got some stats
+	_, err = buf.ReadTimeout(b, 2*time.Second)
+	c.Assert(err, checker.IsNil)
+
+	// Now remove without `-f` and make sure we are still pulling stats
+	_, _, err = dockerCmdWithError("rm", id)
+	c.Assert(err, checker.Not(checker.IsNil), check.Commentf("rm should have failed but didn't"))
+	_, err = buf.ReadTimeout(b, 2*time.Second)
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "rm", "-f", id)
+	c.Assert(<-chErr, checker.IsNil)
+}
+
+// ChannelBuffer holds a chan of byte array that can be populate in a goroutine.
+type ChannelBuffer struct {
+	C chan []byte
+}
+
+// Write implements Writer.
+func (c *ChannelBuffer) Write(b []byte) (int, error) {
+	c.C <- b
+	return len(b), nil
+}
+
+// Close closes the go channel.
+func (c *ChannelBuffer) Close() error {
+	close(c.C)
+	return nil
+}
+
+// ReadTimeout reads the content of the channel in the specified byte array with
+// the specified duration as timeout.
+func (c *ChannelBuffer) ReadTimeout(p []byte, n time.Duration) (int, error) {
+	select {
+	case b := <-c.C:
+		return copy(p[0:], b), nil
+	case <-time.After(n):
+		return -1, fmt.Errorf("timeout reading from channel")
+	}
+}
+
+// regression test for gh13421
+// previous test was just checking one stat entry so it didn't fail (stats with
+// stream false always return one stat)
+func (s *DockerSuite) TestGetContainerStatsStream(c *check.C) {
+	name := "statscontainer"
+	runSleepingContainer(c, "--name", name)
+
+	type b struct {
+		stats types.ContainerStats
+		err   error
+	}
+
+	bc := make(chan b, 1)
+	go func() {
+		cli, err := client.NewEnvClient()
+		c.Assert(err, checker.IsNil)
+		defer cli.Close()
+
+		stats, err := cli.ContainerStats(context.Background(), name, true)
+		c.Assert(err, checker.IsNil)
+		bc <- b{stats, err}
+	}()
+
+	// allow some time to stream the stats from the container
+	time.Sleep(4 * time.Second)
+	dockerCmd(c, "rm", "-f", name)
+
+	// collect the results from the stats stream or timeout and fail
+	// if the stream was not disconnected.
+	select {
+	case <-time.After(2 * time.Second):
+		c.Fatal("stream was not closed after container was removed")
+	case sr := <-bc:
+		b, err := ioutil.ReadAll(sr.stats.Body)
+		defer sr.stats.Body.Close()
+		c.Assert(err, checker.IsNil)
+		s := string(b)
+		// count occurrences of "read" of types.Stats
+		if l := strings.Count(s, "read"); l < 2 {
+			c.Fatalf("Expected more than one stat streamed, got %d", l)
+		}
+	}
+}
+
+func (s *DockerSuite) TestGetContainerStatsNoStream(c *check.C) {
+	name := "statscontainer"
+	runSleepingContainer(c, "--name", name)
+
+	type b struct {
+		stats types.ContainerStats
+		err   error
+	}
+
+	bc := make(chan b, 1)
+
+	go func() {
+		cli, err := client.NewEnvClient()
+		c.Assert(err, checker.IsNil)
+		defer cli.Close()
+
+		stats, err := cli.ContainerStats(context.Background(), name, false)
+		c.Assert(err, checker.IsNil)
+		bc <- b{stats, err}
+	}()
+
+	// allow some time to stream the stats from the container
+	time.Sleep(4 * time.Second)
+	dockerCmd(c, "rm", "-f", name)
+
+	// collect the results from the stats stream or timeout and fail
+	// if the stream was not disconnected.
+	select {
+	case <-time.After(2 * time.Second):
+		c.Fatal("stream was not closed after container was removed")
+	case sr := <-bc:
+		b, err := ioutil.ReadAll(sr.stats.Body)
+		defer sr.stats.Body.Close()
+		c.Assert(err, checker.IsNil)
+		s := string(b)
+		// count occurrences of `"read"` of types.Stats
+		c.Assert(strings.Count(s, `"read"`), checker.Equals, 1, check.Commentf("Expected only one stat streamed, got %d", strings.Count(s, `"read"`)))
+	}
+}
+
+func (s *DockerSuite) TestGetStoppedContainerStats(c *check.C) {
+	name := "statscontainer"
+	dockerCmd(c, "create", "--name", name, "busybox", "ps")
+
+	chResp := make(chan error)
+
+	// We expect an immediate response, but if it's not immediate, the test would hang, so put it in a goroutine
+	// below we'll check this on a timeout.
+	go func() {
+		cli, err := client.NewEnvClient()
+		c.Assert(err, checker.IsNil)
+		defer cli.Close()
+
+		resp, err := cli.ContainerStats(context.Background(), name, false)
+		defer resp.Body.Close()
+		chResp <- err
+	}()
+
+	select {
+	case err := <-chResp:
+		c.Assert(err, checker.IsNil)
+	case <-time.After(10 * time.Second):
+		c.Fatal("timeout waiting for stats response for stopped container")
+	}
+}
+
+func (s *DockerSuite) TestContainerAPIPause(c *check.C) {
+	// Problematic on Windows as Windows does not support pause
+	testRequires(c, DaemonIsLinux)
+
+	getPaused := func(c *check.C) []string {
+		return strings.Fields(cli.DockerCmd(c, "ps", "-f", "status=paused", "-q", "-a").Combined())
+	}
+
+	out := cli.DockerCmd(c, "run", "-d", "busybox", "sleep", "30").Combined()
+	ContainerID := strings.TrimSpace(out)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerPause(context.Background(), ContainerID)
+	c.Assert(err, checker.IsNil)
+
+	pausedContainers := getPaused(c)
+
+	if len(pausedContainers) != 1 || stringid.TruncateID(ContainerID) != pausedContainers[0] {
+		c.Fatalf("there should be one paused container and not %d", len(pausedContainers))
+	}
+
+	err = cli.ContainerUnpause(context.Background(), ContainerID)
+	c.Assert(err, checker.IsNil)
+
+	pausedContainers = getPaused(c)
+	c.Assert(pausedContainers, checker.HasLen, 0, check.Commentf("There should be no paused container."))
+}
+
+func (s *DockerSuite) TestContainerAPITop(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "top")
+	id := strings.TrimSpace(string(out))
+	c.Assert(waitRun(id), checker.IsNil)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	// sort by comm[andline] to make sure order stays the same in case of PID rollover
+	top, err := cli.ContainerTop(context.Background(), id, []string{"aux", "--sort=comm"})
+	c.Assert(err, checker.IsNil)
+	c.Assert(top.Titles, checker.HasLen, 11, check.Commentf("expected 11 titles, found %d: %v", len(top.Titles), top.Titles))
+
+	if top.Titles[0] != "USER" || top.Titles[10] != "COMMAND" {
+		c.Fatalf("expected `USER` at `Titles[0]` and `COMMAND` at Titles[10]: %v", top.Titles)
+	}
+	c.Assert(top.Processes, checker.HasLen, 2, check.Commentf("expected 2 processes, found %d: %v", len(top.Processes), top.Processes))
+	c.Assert(top.Processes[0][10], checker.Equals, "/bin/sh -c top")
+	c.Assert(top.Processes[1][10], checker.Equals, "top")
+}
+
+func (s *DockerSuite) TestContainerAPITopWindows(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	out := runSleepingContainer(c, "-d")
+	id := strings.TrimSpace(string(out))
+	c.Assert(waitRun(id), checker.IsNil)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	top, err := cli.ContainerTop(context.Background(), id, nil)
+	c.Assert(err, checker.IsNil)
+	c.Assert(top.Titles, checker.HasLen, 4, check.Commentf("expected 4 titles, found %d: %v", len(top.Titles), top.Titles))
+
+	if top.Titles[0] != "Name" || top.Titles[3] != "Private Working Set" {
+		c.Fatalf("expected `Name` at `Titles[0]` and `Private Working Set` at Titles[3]: %v", top.Titles)
+	}
+	c.Assert(len(top.Processes), checker.GreaterOrEqualThan, 2, check.Commentf("expected at least 2 processes, found %d: %v", len(top.Processes), top.Processes))
+
+	foundProcess := false
+	expectedProcess := "busybox.exe"
+	for _, process := range top.Processes {
+		if process[0] == expectedProcess {
+			foundProcess = true
+			break
+		}
+	}
+
+	c.Assert(foundProcess, checker.Equals, true, check.Commentf("expected to find %s: %v", expectedProcess, top.Processes))
+}
+
+func (s *DockerSuite) TestContainerAPICommit(c *check.C) {
+	cName := "testapicommit"
+	dockerCmd(c, "run", "--name="+cName, "busybox", "/bin/sh", "-c", "touch /test")
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	options := types.ContainerCommitOptions{
+		Reference: "testcontainerapicommit:testtag",
+	}
+
+	img, err := cli.ContainerCommit(context.Background(), cName, options)
+	c.Assert(err, checker.IsNil)
+
+	cmd := inspectField(c, img.ID, "Config.Cmd")
+	c.Assert(cmd, checker.Equals, "[/bin/sh -c touch /test]", check.Commentf("got wrong Cmd from commit: %q", cmd))
+
+	// sanity check, make sure the image is what we think it is
+	dockerCmd(c, "run", img.ID, "ls", "/test")
+}
+
+func (s *DockerSuite) TestContainerAPICommitWithLabelInConfig(c *check.C) {
+	cName := "testapicommitwithconfig"
+	dockerCmd(c, "run", "--name="+cName, "busybox", "/bin/sh", "-c", "touch /test")
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	config := containertypes.Config{
+		Labels: map[string]string{"key1": "value1", "key2": "value2"}}
+
+	options := types.ContainerCommitOptions{
+		Reference: "testcontainerapicommitwithconfig",
+		Config:    &config,
+	}
+
+	img, err := cli.ContainerCommit(context.Background(), cName, options)
+	c.Assert(err, checker.IsNil)
+
+	label1 := inspectFieldMap(c, img.ID, "Config.Labels", "key1")
+	c.Assert(label1, checker.Equals, "value1")
+
+	label2 := inspectFieldMap(c, img.ID, "Config.Labels", "key2")
+	c.Assert(label2, checker.Equals, "value2")
+
+	cmd := inspectField(c, img.ID, "Config.Cmd")
+	c.Assert(cmd, checker.Equals, "[/bin/sh -c touch /test]", check.Commentf("got wrong Cmd from commit: %q", cmd))
+
+	// sanity check, make sure the image is what we think it is
+	dockerCmd(c, "run", img.ID, "ls", "/test")
+}
+
+func (s *DockerSuite) TestContainerAPIBadPort(c *check.C) {
+	// TODO Windows to Windows CI - Port this test
+	testRequires(c, DaemonIsLinux)
+
+	config := containertypes.Config{
+		Image: "busybox",
+		Cmd:   []string{"/bin/sh", "-c", "echo test"},
+	}
+
+	hostConfig := containertypes.HostConfig{
+		PortBindings: nat.PortMap{
+			"8080/tcp": []nat.PortBinding{
+				{
+					HostIP:   "",
+					HostPort: "aa80"},
+			},
+		},
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err.Error(), checker.Contains, `invalid port specification: "aa80"`)
+}
+
+func (s *DockerSuite) TestContainerAPICreate(c *check.C) {
+	config := containertypes.Config{
+		Image: "busybox",
+		Cmd:   []string{"/bin/sh", "-c", "touch /test && ls /test"},
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	container, err := cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err, checker.IsNil)
+
+	out, _ := dockerCmd(c, "start", "-a", container.ID)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "/test")
+}
+
+func (s *DockerSuite) TestContainerAPICreateEmptyConfig(c *check.C) {
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerCreate(context.Background(), &containertypes.Config{}, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, "")
+
+	expected := "No command specified"
+	c.Assert(err.Error(), checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestContainerAPICreateMultipleNetworksConfig(c *check.C) {
+	// Container creation must fail if client specified configurations for more than one network
+	config := containertypes.Config{
+		Image: "busybox",
+	}
+
+	networkingConfig := networktypes.NetworkingConfig{
+		EndpointsConfig: map[string]*networktypes.EndpointSettings{
+			"net1": {},
+			"net2": {},
+			"net3": {},
+		},
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networkingConfig, "")
+	msg := err.Error()
+	// network name order in error message is not deterministic
+	c.Assert(msg, checker.Contains, "Container cannot be connected to network endpoints")
+	c.Assert(msg, checker.Contains, "net1")
+	c.Assert(msg, checker.Contains, "net2")
+	c.Assert(msg, checker.Contains, "net3")
+}
+
+func (s *DockerSuite) TestContainerAPICreateWithHostName(c *check.C) {
+	domainName := "test-domain"
+	hostName := "test-hostname"
+	config := containertypes.Config{
+		Image:      "busybox",
+		Hostname:   hostName,
+		Domainname: domainName,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	container, err := cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err, checker.IsNil)
+
+	containerJSON, err := cli.ContainerInspect(context.Background(), container.ID)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(containerJSON.Config.Hostname, checker.Equals, hostName, check.Commentf("Mismatched Hostname"))
+	c.Assert(containerJSON.Config.Domainname, checker.Equals, domainName, check.Commentf("Mismatched Domainname"))
+}
+
+func (s *DockerSuite) TestContainerAPICreateBridgeNetworkMode(c *check.C) {
+	// Windows does not support bridge
+	testRequires(c, DaemonIsLinux)
+	UtilCreateNetworkMode(c, "bridge")
+}
+
+func (s *DockerSuite) TestContainerAPICreateOtherNetworkModes(c *check.C) {
+	// Windows does not support these network modes
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	UtilCreateNetworkMode(c, "host")
+	UtilCreateNetworkMode(c, "container:web1")
+}
+
+func UtilCreateNetworkMode(c *check.C, networkMode containertypes.NetworkMode) {
+	config := containertypes.Config{
+		Image: "busybox",
+	}
+
+	hostConfig := containertypes.HostConfig{
+		NetworkMode: networkMode,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	container, err := cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err, checker.IsNil)
+
+	containerJSON, err := cli.ContainerInspect(context.Background(), container.ID)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(containerJSON.HostConfig.NetworkMode, checker.Equals, containertypes.NetworkMode(networkMode), check.Commentf("Mismatched NetworkMode"))
+}
+
+func (s *DockerSuite) TestContainerAPICreateWithCpuSharesCpuset(c *check.C) {
+	// TODO Windows to Windows CI. The CpuShares part could be ported.
+	testRequires(c, DaemonIsLinux)
+	config := containertypes.Config{
+		Image: "busybox",
+	}
+
+	hostConfig := containertypes.HostConfig{
+		Resources: containertypes.Resources{
+			CPUShares:  512,
+			CpusetCpus: "0",
+		},
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	container, err := cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err, checker.IsNil)
+
+	containerJSON, err := cli.ContainerInspect(context.Background(), container.ID)
+	c.Assert(err, checker.IsNil)
+
+	out := inspectField(c, containerJSON.ID, "HostConfig.CpuShares")
+	c.Assert(out, checker.Equals, "512")
+
+	outCpuset := inspectField(c, containerJSON.ID, "HostConfig.CpusetCpus")
+	c.Assert(outCpuset, checker.Equals, "0")
+}
+
+func (s *DockerSuite) TestContainerAPIVerifyHeader(c *check.C) {
+	config := map[string]interface{}{
+		"Image": "busybox",
+	}
+
+	create := func(ct string) (*http.Response, io.ReadCloser, error) {
+		jsonData := bytes.NewBuffer(nil)
+		c.Assert(json.NewEncoder(jsonData).Encode(config), checker.IsNil)
+		return request.Post("/containers/create", request.RawContent(ioutil.NopCloser(jsonData)), request.ContentType(ct))
+	}
+
+	// Try with no content-type
+	res, body, err := create("")
+	c.Assert(err, checker.IsNil)
+	// todo: we need to figure out a better way to compare between dockerd versions
+	// comparing between daemon API version is not precise.
+	if versions.GreaterThanOrEqualTo(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	} else {
+		c.Assert(res.StatusCode, checker.Not(checker.Equals), http.StatusOK)
+	}
+	body.Close()
+
+	// Try with wrong content-type
+	res, body, err = create("application/xml")
+	c.Assert(err, checker.IsNil)
+	if versions.GreaterThanOrEqualTo(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	} else {
+		c.Assert(res.StatusCode, checker.Not(checker.Equals), http.StatusOK)
+	}
+	body.Close()
+
+	// now application/json
+	res, body, err = create("application/json")
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusCreated)
+	body.Close()
+}
+
+//Issue 14230. daemon should return 500 for invalid port syntax
+func (s *DockerSuite) TestContainerAPIInvalidPortSyntax(c *check.C) {
+	config := `{
+				  "Image": "busybox",
+				  "HostConfig": {
+					"NetworkMode": "default",
+					"PortBindings": {
+					  "19039;1230": [
+						{}
+					  ]
+					}
+				  }
+				}`
+
+	res, body, err := request.Post("/containers/create", request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	if versions.GreaterThanOrEqualTo(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	} else {
+		c.Assert(res.StatusCode, checker.Not(checker.Equals), http.StatusOK)
+	}
+
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b[:]), checker.Contains, "invalid port")
+}
+
+func (s *DockerSuite) TestContainerAPIRestartPolicyInvalidPolicyName(c *check.C) {
+	config := `{
+		"Image": "busybox",
+		"HostConfig": {
+			"RestartPolicy": {
+				"Name": "something",
+				"MaximumRetryCount": 0
+			}
+		}
+	}`
+
+	res, body, err := request.Post("/containers/create", request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	if versions.GreaterThanOrEqualTo(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	} else {
+		c.Assert(res.StatusCode, checker.Not(checker.Equals), http.StatusOK)
+	}
+
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b[:]), checker.Contains, "invalid restart policy")
+}
+
+func (s *DockerSuite) TestContainerAPIRestartPolicyRetryMismatch(c *check.C) {
+	config := `{
+		"Image": "busybox",
+		"HostConfig": {
+			"RestartPolicy": {
+				"Name": "always",
+				"MaximumRetryCount": 2
+			}
+		}
+	}`
+
+	res, body, err := request.Post("/containers/create", request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	if versions.GreaterThanOrEqualTo(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	} else {
+		c.Assert(res.StatusCode, checker.Not(checker.Equals), http.StatusOK)
+	}
+
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b[:]), checker.Contains, "maximum retry count cannot be used with restart policy")
+}
+
+func (s *DockerSuite) TestContainerAPIRestartPolicyNegativeRetryCount(c *check.C) {
+	config := `{
+		"Image": "busybox",
+		"HostConfig": {
+			"RestartPolicy": {
+				"Name": "on-failure",
+				"MaximumRetryCount": -2
+			}
+		}
+	}`
+
+	res, body, err := request.Post("/containers/create", request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	if versions.GreaterThanOrEqualTo(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	} else {
+		c.Assert(res.StatusCode, checker.Not(checker.Equals), http.StatusOK)
+	}
+
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b[:]), checker.Contains, "maximum retry count cannot be negative")
+}
+
+func (s *DockerSuite) TestContainerAPIRestartPolicyDefaultRetryCount(c *check.C) {
+	config := `{
+		"Image": "busybox",
+		"HostConfig": {
+			"RestartPolicy": {
+				"Name": "on-failure",
+				"MaximumRetryCount": 0
+			}
+		}
+	}`
+
+	res, _, err := request.Post("/containers/create", request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusCreated)
+}
+
+// Issue 7941 - test to make sure a "null" in JSON is just ignored.
+// W/o this fix a null in JSON would be parsed into a string var as "null"
+func (s *DockerSuite) TestContainerAPIPostCreateNull(c *check.C) {
+	config := `{
+		"Hostname":"",
+		"Domainname":"",
+		"Memory":0,
+		"MemorySwap":0,
+		"CpuShares":0,
+		"Cpuset":null,
+		"AttachStdin":true,
+		"AttachStdout":true,
+		"AttachStderr":true,
+		"ExposedPorts":{},
+		"Tty":true,
+		"OpenStdin":true,
+		"StdinOnce":true,
+		"Env":[],
+		"Cmd":"ls",
+		"Image":"busybox",
+		"Volumes":{},
+		"WorkingDir":"",
+		"Entrypoint":null,
+		"NetworkDisabled":false,
+		"OnBuild":null}`
+
+	res, body, err := request.Post("/containers/create", request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusCreated)
+
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	type createResp struct {
+		ID string
+	}
+	var container createResp
+	c.Assert(json.Unmarshal(b, &container), checker.IsNil)
+	out := inspectField(c, container.ID, "HostConfig.CpusetCpus")
+	c.Assert(out, checker.Equals, "")
+
+	outMemory := inspectField(c, container.ID, "HostConfig.Memory")
+	c.Assert(outMemory, checker.Equals, "0")
+	outMemorySwap := inspectField(c, container.ID, "HostConfig.MemorySwap")
+	c.Assert(outMemorySwap, checker.Equals, "0")
+}
+
+func (s *DockerSuite) TestCreateWithTooLowMemoryLimit(c *check.C) {
+	// TODO Windows: Port once memory is supported
+	testRequires(c, DaemonIsLinux)
+	config := `{
+		"Image":     "busybox",
+		"Cmd":       "ls",
+		"OpenStdin": true,
+		"CpuShares": 100,
+		"Memory":    524287
+	}`
+
+	res, body, err := request.Post("/containers/create", request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	b, err2 := request.ReadBody(body)
+	c.Assert(err2, checker.IsNil)
+
+	if versions.GreaterThanOrEqualTo(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	} else {
+		c.Assert(res.StatusCode, checker.Not(checker.Equals), http.StatusOK)
+	}
+	c.Assert(string(b), checker.Contains, "Minimum memory limit allowed is 4MB")
+}
+
+func (s *DockerSuite) TestContainerAPIRename(c *check.C) {
+	out, _ := dockerCmd(c, "run", "--name", "TestContainerAPIRename", "-d", "busybox", "sh")
+
+	containerID := strings.TrimSpace(out)
+	newName := "TestContainerAPIRenameNew"
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerRename(context.Background(), containerID, newName)
+	c.Assert(err, checker.IsNil)
+
+	name := inspectField(c, containerID, "Name")
+	c.Assert(name, checker.Equals, "/"+newName, check.Commentf("Failed to rename container"))
+}
+
+func (s *DockerSuite) TestContainerAPIKill(c *check.C) {
+	name := "test-api-kill"
+	runSleepingContainer(c, "-i", "--name", name)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerKill(context.Background(), name, "SIGKILL")
+	c.Assert(err, checker.IsNil)
+
+	state := inspectField(c, name, "State.Running")
+	c.Assert(state, checker.Equals, "false", check.Commentf("got wrong State from container %s: %q", name, state))
+}
+
+func (s *DockerSuite) TestContainerAPIRestart(c *check.C) {
+	name := "test-api-restart"
+	runSleepingContainer(c, "-di", "--name", name)
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	timeout := 1 * time.Second
+	err = cli.ContainerRestart(context.Background(), name, &timeout)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(waitInspect(name, "{{ .State.Restarting  }} {{ .State.Running  }}", "false true", 15*time.Second), checker.IsNil)
+}
+
+func (s *DockerSuite) TestContainerAPIRestartNotimeoutParam(c *check.C) {
+	name := "test-api-restart-no-timeout-param"
+	out := runSleepingContainer(c, "-di", "--name", name)
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerRestart(context.Background(), name, nil)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(waitInspect(name, "{{ .State.Restarting  }} {{ .State.Running  }}", "false true", 15*time.Second), checker.IsNil)
+}
+
+func (s *DockerSuite) TestContainerAPIStart(c *check.C) {
+	name := "testing-start"
+	config := containertypes.Config{
+		Image:     "busybox",
+		Cmd:       append([]string{"/bin/sh", "-c"}, sleepCommandForDaemonPlatform()...),
+		OpenStdin: true,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, name)
+	c.Assert(err, checker.IsNil)
+
+	err = cli.ContainerStart(context.Background(), name, types.ContainerStartOptions{})
+	c.Assert(err, checker.IsNil)
+
+	// second call to start should give 304
+	// maybe add ContainerStartWithRaw to test it
+	err = cli.ContainerStart(context.Background(), name, types.ContainerStartOptions{})
+	c.Assert(err, checker.IsNil)
+
+	// TODO(tibor): figure out why this doesn't work on windows
+}
+
+func (s *DockerSuite) TestContainerAPIStop(c *check.C) {
+	name := "test-api-stop"
+	runSleepingContainer(c, "-i", "--name", name)
+	timeout := 30 * time.Second
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerStop(context.Background(), name, &timeout)
+	c.Assert(err, checker.IsNil)
+	c.Assert(waitInspect(name, "{{ .State.Running  }}", "false", 60*time.Second), checker.IsNil)
+
+	// second call to start should give 304
+	// maybe add ContainerStartWithRaw to test it
+	err = cli.ContainerStop(context.Background(), name, &timeout)
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *DockerSuite) TestContainerAPIWait(c *check.C) {
+	name := "test-api-wait"
+
+	sleepCmd := "/bin/sleep"
+	if testEnv.OSType == "windows" {
+		sleepCmd = "sleep"
+	}
+	dockerCmd(c, "run", "--name", name, "busybox", sleepCmd, "2")
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	waitresC, errC := cli.ContainerWait(context.Background(), name, "")
+
+	select {
+	case err = <-errC:
+		c.Assert(err, checker.IsNil)
+	case waitres := <-waitresC:
+		c.Assert(waitres.StatusCode, checker.Equals, int64(0))
+	}
+}
+
+func (s *DockerSuite) TestContainerAPICopyNotExistsAnyMore(c *check.C) {
+	name := "test-container-api-copy"
+	dockerCmd(c, "run", "--name", name, "busybox", "touch", "/test.txt")
+
+	postData := types.CopyConfig{
+		Resource: "/test.txt",
+	}
+	// no copy in client/
+	res, _, err := request.Post("/containers/"+name+"/copy", request.JSONBody(postData))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNotFound)
+}
+
+func (s *DockerSuite) TestContainerAPICopyPre124(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows only supports 1.25 or later
+	name := "test-container-api-copy"
+	dockerCmd(c, "run", "--name", name, "busybox", "touch", "/test.txt")
+
+	postData := types.CopyConfig{
+		Resource: "/test.txt",
+	}
+
+	res, body, err := request.Post("/v1.23/containers/"+name+"/copy", request.JSONBody(postData))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	found := false
+	for tarReader := tar.NewReader(body); ; {
+		h, err := tarReader.Next()
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			c.Fatal(err)
+		}
+		if h.Name == "test.txt" {
+			found = true
+			break
+		}
+	}
+	c.Assert(found, checker.True)
+}
+
+func (s *DockerSuite) TestContainerAPICopyResourcePathEmptyPre124(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows only supports 1.25 or later
+	name := "test-container-api-copy-resource-empty"
+	dockerCmd(c, "run", "--name", name, "busybox", "touch", "/test.txt")
+
+	postData := types.CopyConfig{
+		Resource: "",
+	}
+
+	res, body, err := request.Post("/v1.23/containers/"+name+"/copy", request.JSONBody(postData))
+	c.Assert(err, checker.IsNil)
+	if versions.GreaterThanOrEqualTo(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	} else {
+		c.Assert(res.StatusCode, checker.Not(checker.Equals), http.StatusOK)
+	}
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b), checker.Matches, "Path cannot be empty\n")
+}
+
+func (s *DockerSuite) TestContainerAPICopyResourcePathNotFoundPre124(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows only supports 1.25 or later
+	name := "test-container-api-copy-resource-not-found"
+	dockerCmd(c, "run", "--name", name, "busybox")
+
+	postData := types.CopyConfig{
+		Resource: "/notexist",
+	}
+
+	res, body, err := request.Post("/v1.23/containers/"+name+"/copy", request.JSONBody(postData))
+	c.Assert(err, checker.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusNotFound)
+	}
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b), checker.Matches, "Could not find the file /notexist in container "+name+"\n")
+}
+
+func (s *DockerSuite) TestContainerAPICopyContainerNotFoundPr124(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows only supports 1.25 or later
+	postData := types.CopyConfig{
+		Resource: "/something",
+	}
+
+	res, _, err := request.Post("/v1.23/containers/notexists/copy", request.JSONBody(postData))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNotFound)
+}
+
+func (s *DockerSuite) TestContainerAPIDelete(c *check.C) {
+	out := runSleepingContainer(c)
+
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	dockerCmd(c, "stop", id)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerRemove(context.Background(), id, types.ContainerRemoveOptions{})
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *DockerSuite) TestContainerAPIDeleteNotExist(c *check.C) {
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerRemove(context.Background(), "doesnotexist", types.ContainerRemoveOptions{})
+	c.Assert(err.Error(), checker.Contains, "No such container: doesnotexist")
+}
+
+func (s *DockerSuite) TestContainerAPIDeleteForce(c *check.C) {
+	out := runSleepingContainer(c)
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	removeOptions := types.ContainerRemoveOptions{
+		Force: true,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerRemove(context.Background(), id, removeOptions)
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *DockerSuite) TestContainerAPIDeleteRemoveLinks(c *check.C) {
+	// Windows does not support links
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "--name", "tlink1", "busybox", "top")
+
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	out, _ = dockerCmd(c, "run", "--link", "tlink1:tlink1", "--name", "tlink2", "-d", "busybox", "top")
+
+	id2 := strings.TrimSpace(out)
+	c.Assert(waitRun(id2), checker.IsNil)
+
+	links := inspectFieldJSON(c, id2, "HostConfig.Links")
+	c.Assert(links, checker.Equals, "[\"/tlink1:/tlink2/tlink1\"]", check.Commentf("expected to have links between containers"))
+
+	removeOptions := types.ContainerRemoveOptions{
+		RemoveLinks: true,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerRemove(context.Background(), "tlink2/tlink1", removeOptions)
+	c.Assert(err, check.IsNil)
+
+	linksPostRm := inspectFieldJSON(c, id2, "HostConfig.Links")
+	c.Assert(linksPostRm, checker.Equals, "null", check.Commentf("call to api deleteContainer links should have removed the specified links"))
+}
+
+func (s *DockerSuite) TestContainerAPIDeleteConflict(c *check.C) {
+	out := runSleepingContainer(c)
+
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerRemove(context.Background(), id, types.ContainerRemoveOptions{})
+	expected := "cannot remove a running container"
+	c.Assert(err.Error(), checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestContainerAPIDeleteRemoveVolume(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	vol := "/testvolume"
+	if testEnv.OSType == "windows" {
+		vol = `c:\testvolume`
+	}
+
+	out := runSleepingContainer(c, "-v", vol)
+
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	source, err := inspectMountSourceField(id, vol)
+	_, err = os.Stat(source)
+	c.Assert(err, checker.IsNil)
+
+	removeOptions := types.ContainerRemoveOptions{
+		Force:         true,
+		RemoveVolumes: true,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerRemove(context.Background(), id, removeOptions)
+	c.Assert(err, check.IsNil)
+
+	_, err = os.Stat(source)
+	c.Assert(os.IsNotExist(err), checker.True, check.Commentf("expected to get ErrNotExist error, got %v", err))
+}
+
+// Regression test for https://github.com/docker/docker/issues/6231
+func (s *DockerSuite) TestContainerAPIChunkedEncoding(c *check.C) {
+
+	config := map[string]interface{}{
+		"Image":     "busybox",
+		"Cmd":       append([]string{"/bin/sh", "-c"}, sleepCommandForDaemonPlatform()...),
+		"OpenStdin": true,
+	}
+
+	resp, _, err := request.Post("/containers/create", request.JSONBody(config), request.With(func(req *http.Request) error {
+		// This is a cheat to make the http request do chunked encoding
+		// Otherwise (just setting the Content-Encoding to chunked) net/http will overwrite
+		// https://golang.org/src/pkg/net/http/request.go?s=11980:12172
+		req.ContentLength = -1
+		return nil
+	}))
+	c.Assert(err, checker.IsNil, check.Commentf("error creating container with chunked encoding"))
+	defer resp.Body.Close()
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusCreated)
+}
+
+func (s *DockerSuite) TestContainerAPIPostContainerStop(c *check.C) {
+	out := runSleepingContainer(c)
+
+	containerID := strings.TrimSpace(out)
+	c.Assert(waitRun(containerID), checker.IsNil)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerStop(context.Background(), containerID, nil)
+	c.Assert(err, checker.IsNil)
+	c.Assert(waitInspect(containerID, "{{ .State.Running  }}", "false", 60*time.Second), checker.IsNil)
+}
+
+// #14170
+func (s *DockerSuite) TestPostContainerAPICreateWithStringOrSliceEntrypoint(c *check.C) {
+	config := containertypes.Config{
+		Image:      "busybox",
+		Entrypoint: []string{"echo"},
+		Cmd:        []string{"hello", "world"},
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, "echotest")
+	c.Assert(err, checker.IsNil)
+	out, _ := dockerCmd(c, "start", "-a", "echotest")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello world")
+
+	config2 := struct {
+		Image      string
+		Entrypoint string
+		Cmd        []string
+	}{"busybox", "echo", []string{"hello", "world"}}
+	_, _, err = request.Post("/containers/create?name=echotest2", request.JSONBody(config2))
+	c.Assert(err, checker.IsNil)
+	out, _ = dockerCmd(c, "start", "-a", "echotest2")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello world")
+}
+
+// #14170
+func (s *DockerSuite) TestPostContainersCreateWithStringOrSliceCmd(c *check.C) {
+	config := containertypes.Config{
+		Image: "busybox",
+		Cmd:   []string{"echo", "hello", "world"},
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, "echotest")
+	c.Assert(err, checker.IsNil)
+	out, _ := dockerCmd(c, "start", "-a", "echotest")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello world")
+
+	config2 := struct {
+		Image      string
+		Entrypoint string
+		Cmd        string
+	}{"busybox", "echo", "hello world"}
+	_, _, err = request.Post("/containers/create?name=echotest2", request.JSONBody(config2))
+	c.Assert(err, checker.IsNil)
+	out, _ = dockerCmd(c, "start", "-a", "echotest2")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello world")
+}
+
+// regression #14318
+func (s *DockerSuite) TestPostContainersCreateWithStringOrSliceCapAddDrop(c *check.C) {
+	// Windows doesn't support CapAdd/CapDrop
+	testRequires(c, DaemonIsLinux)
+	config := struct {
+		Image   string
+		CapAdd  string
+		CapDrop string
+	}{"busybox", "NET_ADMIN", "SYS_ADMIN"}
+	res, _, err := request.Post("/containers/create?name=capaddtest0", request.JSONBody(config))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusCreated)
+
+	config2 := containertypes.Config{
+		Image: "busybox",
+	}
+	hostConfig := containertypes.HostConfig{
+		CapAdd:  []string{"NET_ADMIN", "SYS_ADMIN"},
+		CapDrop: []string{"SETGID"},
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerCreate(context.Background(), &config2, &hostConfig, &networktypes.NetworkingConfig{}, "capaddtest1")
+	c.Assert(err, checker.IsNil)
+}
+
+// #14915
+func (s *DockerSuite) TestContainerAPICreateNoHostConfig118(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows only support 1.25 or later
+	config := containertypes.Config{
+		Image: "busybox",
+	}
+
+	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithVersion("v1.18"))
+	c.Assert(err, checker.IsNil)
+
+	_, err = cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err, checker.IsNil)
+}
+
+// Ensure an error occurs when you have a container read-only rootfs but you
+// extract an archive to a symlink in a writable volume which points to a
+// directory outside of the volume.
+func (s *DockerSuite) TestPutContainerArchiveErrSymlinkInVolumeToReadOnlyRootfs(c *check.C) {
+	// Windows does not support read-only rootfs
+	// Requires local volume mount bind.
+	// --read-only + userns has remount issues
+	testRequires(c, SameHostDaemon, NotUserNamespace, DaemonIsLinux)
+
+	testVol := getTestDir(c, "test-put-container-archive-err-symlink-in-volume-to-read-only-rootfs-")
+	defer os.RemoveAll(testVol)
+
+	makeTestContentInDir(c, testVol)
+
+	cID := makeTestContainer(c, testContainerOptions{
+		readOnly: true,
+		volumes:  defaultVolumes(testVol), // Our bind mount is at /vol2
+	})
+
+	// Attempt to extract to a symlink in the volume which points to a
+	// directory outside the volume. This should cause an error because the
+	// rootfs is read-only.
+	var httpClient *http.Client
+	cli, err := client.NewClient(daemonHost(), "v1.20", httpClient, map[string]string{})
+	c.Assert(err, checker.IsNil)
+
+	err = cli.CopyToContainer(context.Background(), cID, "/vol2/symlinkToAbsDir", nil, types.CopyToContainerOptions{})
+	c.Assert(err.Error(), checker.Contains, "container rootfs is marked read-only")
+}
+
+func (s *DockerSuite) TestPostContainersCreateWithWrongCpusetValues(c *check.C) {
+	// Not supported on Windows
+	testRequires(c, DaemonIsLinux)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	config := containertypes.Config{
+		Image: "busybox",
+	}
+	hostConfig1 := containertypes.HostConfig{
+		Resources: containertypes.Resources{
+			CpusetCpus: "1-42,,",
+		},
+	}
+	name := "wrong-cpuset-cpus"
+
+	_, err = cli.ContainerCreate(context.Background(), &config, &hostConfig1, &networktypes.NetworkingConfig{}, name)
+	expected := "Invalid value 1-42,, for cpuset cpus"
+	c.Assert(err.Error(), checker.Contains, expected)
+
+	hostConfig2 := containertypes.HostConfig{
+		Resources: containertypes.Resources{
+			CpusetMems: "42-3,1--",
+		},
+	}
+	name = "wrong-cpuset-mems"
+	_, err = cli.ContainerCreate(context.Background(), &config, &hostConfig2, &networktypes.NetworkingConfig{}, name)
+	expected = "Invalid value 42-3,1-- for cpuset mems"
+	c.Assert(err.Error(), checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestPostContainersCreateShmSizeNegative(c *check.C) {
+	// ShmSize is not supported on Windows
+	testRequires(c, DaemonIsLinux)
+	config := containertypes.Config{
+		Image: "busybox",
+	}
+	hostConfig := containertypes.HostConfig{
+		ShmSize: -1,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err.Error(), checker.Contains, "SHM size can not be less than 0")
+}
+
+func (s *DockerSuite) TestPostContainersCreateShmSizeHostConfigOmitted(c *check.C) {
+	// ShmSize is not supported on Windows
+	testRequires(c, DaemonIsLinux)
+	var defaultSHMSize int64 = 67108864
+	config := containertypes.Config{
+		Image: "busybox",
+		Cmd:   []string{"mount"},
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	container, err := cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err, check.IsNil)
+
+	containerJSON, err := cli.ContainerInspect(context.Background(), container.ID)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(containerJSON.HostConfig.ShmSize, check.Equals, defaultSHMSize)
+
+	out, _ := dockerCmd(c, "start", "-i", containerJSON.ID)
+	shmRegexp := regexp.MustCompile(`shm on /dev/shm type tmpfs(.*)size=65536k`)
+	if !shmRegexp.MatchString(out) {
+		c.Fatalf("Expected shm of 64MB in mount command, got %v", out)
+	}
+}
+
+func (s *DockerSuite) TestPostContainersCreateShmSizeOmitted(c *check.C) {
+	// ShmSize is not supported on Windows
+	testRequires(c, DaemonIsLinux)
+	config := containertypes.Config{
+		Image: "busybox",
+		Cmd:   []string{"mount"},
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	container, err := cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err, check.IsNil)
+
+	containerJSON, err := cli.ContainerInspect(context.Background(), container.ID)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(containerJSON.HostConfig.ShmSize, check.Equals, int64(67108864))
+
+	out, _ := dockerCmd(c, "start", "-i", containerJSON.ID)
+	shmRegexp := regexp.MustCompile(`shm on /dev/shm type tmpfs(.*)size=65536k`)
+	if !shmRegexp.MatchString(out) {
+		c.Fatalf("Expected shm of 64MB in mount command, got %v", out)
+	}
+}
+
+func (s *DockerSuite) TestPostContainersCreateWithShmSize(c *check.C) {
+	// ShmSize is not supported on Windows
+	testRequires(c, DaemonIsLinux)
+	config := containertypes.Config{
+		Image: "busybox",
+		Cmd:   []string{"mount"},
+	}
+
+	hostConfig := containertypes.HostConfig{
+		ShmSize: 1073741824,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	container, err := cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err, check.IsNil)
+
+	containerJSON, err := cli.ContainerInspect(context.Background(), container.ID)
+	c.Assert(err, check.IsNil)
+
+	c.Assert(containerJSON.HostConfig.ShmSize, check.Equals, int64(1073741824))
+
+	out, _ := dockerCmd(c, "start", "-i", containerJSON.ID)
+	shmRegex := regexp.MustCompile(`shm on /dev/shm type tmpfs(.*)size=1048576k`)
+	if !shmRegex.MatchString(out) {
+		c.Fatalf("Expected shm of 1GB in mount command, got %v", out)
+	}
+}
+
+func (s *DockerSuite) TestPostContainersCreateMemorySwappinessHostConfigOmitted(c *check.C) {
+	// Swappiness is not supported on Windows
+	testRequires(c, DaemonIsLinux)
+	config := containertypes.Config{
+		Image: "busybox",
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	container, err := cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, "")
+	c.Assert(err, check.IsNil)
+
+	containerJSON, err := cli.ContainerInspect(context.Background(), container.ID)
+	c.Assert(err, check.IsNil)
+
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.31") {
+		c.Assert(*containerJSON.HostConfig.MemorySwappiness, check.Equals, int64(-1))
+	} else {
+		c.Assert(containerJSON.HostConfig.MemorySwappiness, check.IsNil)
+	}
+}
+
+// check validation is done daemon side and not only in cli
+func (s *DockerSuite) TestPostContainersCreateWithOomScoreAdjInvalidRange(c *check.C) {
+	// OomScoreAdj is not supported on Windows
+	testRequires(c, DaemonIsLinux)
+
+	config := containertypes.Config{
+		Image: "busybox",
+	}
+
+	hostConfig := containertypes.HostConfig{
+		OomScoreAdj: 1001,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	name := "oomscoreadj-over"
+	_, err = cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, name)
+
+	expected := "Invalid value 1001, range for oom score adj is [-1000, 1000]"
+	c.Assert(err.Error(), checker.Contains, expected)
+
+	hostConfig = containertypes.HostConfig{
+		OomScoreAdj: -1001,
+	}
+
+	name = "oomscoreadj-low"
+	_, err = cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, name)
+
+	expected = "Invalid value -1001, range for oom score adj is [-1000, 1000]"
+	c.Assert(err.Error(), checker.Contains, expected)
+}
+
+// test case for #22210 where an empty container name caused panic.
+func (s *DockerSuite) TestContainerAPIDeleteWithEmptyName(c *check.C) {
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	err = cli.ContainerRemove(context.Background(), "", types.ContainerRemoveOptions{})
+	c.Assert(err.Error(), checker.Contains, "No such container")
+}
+
+func (s *DockerSuite) TestContainerAPIStatsWithNetworkDisabled(c *check.C) {
+	// Problematic on Windows as Windows does not support stats
+	testRequires(c, DaemonIsLinux)
+
+	name := "testing-network-disabled"
+
+	config := containertypes.Config{
+		Image:           "busybox",
+		Cmd:             []string{"top"},
+		NetworkDisabled: true,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerCreate(context.Background(), &config, &containertypes.HostConfig{}, &networktypes.NetworkingConfig{}, name)
+	c.Assert(err, checker.IsNil)
+
+	err = cli.ContainerStart(context.Background(), name, types.ContainerStartOptions{})
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(waitRun(name), check.IsNil)
+
+	type b struct {
+		stats types.ContainerStats
+		err   error
+	}
+	bc := make(chan b, 1)
+	go func() {
+		stats, err := cli.ContainerStats(context.Background(), name, false)
+		bc <- b{stats, err}
+	}()
+
+	// allow some time to stream the stats from the container
+	time.Sleep(4 * time.Second)
+	dockerCmd(c, "rm", "-f", name)
+
+	// collect the results from the stats stream or timeout and fail
+	// if the stream was not disconnected.
+	select {
+	case <-time.After(2 * time.Second):
+		c.Fatal("stream was not closed after container was removed")
+	case sr := <-bc:
+		c.Assert(sr.err, checker.IsNil)
+		sr.stats.Body.Close()
+	}
+}
+
+func (s *DockerSuite) TestContainersAPICreateMountsValidation(c *check.C) {
+	type testCase struct {
+		config     containertypes.Config
+		hostConfig containertypes.HostConfig
+		msg        string
+	}
+
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	destPath := prefix + slash + "foo"
+	notExistPath := prefix + slash + "notexist"
+
+	cases := []testCase{
+		{
+			config: containertypes.Config{
+				Image: "busybox",
+			},
+			hostConfig: containertypes.HostConfig{
+				Mounts: []mounttypes.Mount{{
+					Type:   "notreal",
+					Target: destPath,
+				},
+				},
+			},
+
+			msg: "mount type unknown",
+		},
+		{
+			config: containertypes.Config{
+				Image: "busybox",
+			},
+			hostConfig: containertypes.HostConfig{
+				Mounts: []mounttypes.Mount{{
+					Type: "bind"}}},
+			msg: "Target must not be empty",
+		},
+		{
+			config: containertypes.Config{
+				Image: "busybox",
+			},
+			hostConfig: containertypes.HostConfig{
+				Mounts: []mounttypes.Mount{{
+					Type:   "bind",
+					Target: destPath}}},
+			msg: "Source must not be empty",
+		},
+		{
+			config: containertypes.Config{
+				Image: "busybox",
+			},
+			hostConfig: containertypes.HostConfig{
+				Mounts: []mounttypes.Mount{{
+					Type:   "bind",
+					Source: notExistPath,
+					Target: destPath}}},
+			msg: "source path does not exist",
+			// FIXME(vdemeester) fails into e2e, migrate to integration/container anyway
+			// msg: "bind mount source path does not exist: " + notExistPath,
+		},
+		{
+			config: containertypes.Config{
+				Image: "busybox",
+			},
+			hostConfig: containertypes.HostConfig{
+				Mounts: []mounttypes.Mount{{
+					Type: "volume"}}},
+			msg: "Target must not be empty",
+		},
+		{
+			config: containertypes.Config{
+				Image: "busybox",
+			},
+			hostConfig: containertypes.HostConfig{
+				Mounts: []mounttypes.Mount{{
+					Type:   "volume",
+					Source: "hello",
+					Target: destPath}}},
+			msg: "",
+		},
+		{
+			config: containertypes.Config{
+				Image: "busybox",
+			},
+			hostConfig: containertypes.HostConfig{
+				Mounts: []mounttypes.Mount{{
+					Type:   "volume",
+					Source: "hello2",
+					Target: destPath,
+					VolumeOptions: &mounttypes.VolumeOptions{
+						DriverConfig: &mounttypes.Driver{
+							Name: "local"}}}}},
+			msg: "",
+		},
+	}
+
+	if SameHostDaemon() {
+		tmpDir, err := ioutils.TempDir("", "test-mounts-api")
+		c.Assert(err, checker.IsNil)
+		defer os.RemoveAll(tmpDir)
+		cases = append(cases, []testCase{
+			{
+				config: containertypes.Config{
+					Image: "busybox",
+				},
+				hostConfig: containertypes.HostConfig{
+					Mounts: []mounttypes.Mount{{
+						Type:   "bind",
+						Source: tmpDir,
+						Target: destPath}}},
+				msg: "",
+			},
+			{
+				config: containertypes.Config{
+					Image: "busybox",
+				},
+				hostConfig: containertypes.HostConfig{
+					Mounts: []mounttypes.Mount{{
+						Type:          "bind",
+						Source:        tmpDir,
+						Target:        destPath,
+						VolumeOptions: &mounttypes.VolumeOptions{}}}},
+				msg: "VolumeOptions must not be specified",
+			},
+		}...)
+	}
+
+	if DaemonIsLinux() {
+		cases = append(cases, []testCase{
+			{
+				config: containertypes.Config{
+					Image: "busybox",
+				},
+				hostConfig: containertypes.HostConfig{
+					Mounts: []mounttypes.Mount{{
+						Type:   "volume",
+						Source: "hello3",
+						Target: destPath,
+						VolumeOptions: &mounttypes.VolumeOptions{
+							DriverConfig: &mounttypes.Driver{
+								Name:    "local",
+								Options: map[string]string{"o": "size=1"}}}}}},
+				msg: "",
+			},
+			{
+				config: containertypes.Config{
+					Image: "busybox",
+				},
+				hostConfig: containertypes.HostConfig{
+					Mounts: []mounttypes.Mount{{
+						Type:   "tmpfs",
+						Target: destPath}}},
+				msg: "",
+			},
+			{
+				config: containertypes.Config{
+					Image: "busybox",
+				},
+				hostConfig: containertypes.HostConfig{
+					Mounts: []mounttypes.Mount{{
+						Type:   "tmpfs",
+						Target: destPath,
+						TmpfsOptions: &mounttypes.TmpfsOptions{
+							SizeBytes: 4096 * 1024,
+							Mode:      0700,
+						}}}},
+				msg: "",
+			},
+
+			{
+				config: containertypes.Config{
+					Image: "busybox",
+				},
+				hostConfig: containertypes.HostConfig{
+					Mounts: []mounttypes.Mount{{
+						Type:   "tmpfs",
+						Source: "/shouldnotbespecified",
+						Target: destPath}}},
+				msg: "Source must not be specified",
+			},
+		}...)
+
+	}
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	for i, x := range cases {
+		c.Logf("case %d", i)
+		_, err = cli.ContainerCreate(context.Background(), &x.config, &x.hostConfig, &networktypes.NetworkingConfig{}, "")
+		if len(x.msg) > 0 {
+			c.Assert(err.Error(), checker.Contains, x.msg, check.Commentf("%v", cases[i].config))
+		} else {
+			c.Assert(err, checker.IsNil)
+		}
+	}
+}
+
+func (s *DockerSuite) TestContainerAPICreateMountsBindRead(c *check.C) {
+	testRequires(c, NotUserNamespace, SameHostDaemon)
+	// also with data in the host side
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	destPath := prefix + slash + "foo"
+	tmpDir, err := ioutil.TempDir("", "test-mounts-api-bind")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(tmpDir)
+	err = ioutil.WriteFile(filepath.Join(tmpDir, "bar"), []byte("hello"), 666)
+	c.Assert(err, checker.IsNil)
+	config := containertypes.Config{
+		Image: "busybox",
+		Cmd:   []string{"/bin/sh", "-c", "cat /foo/bar"},
+	}
+	hostConfig := containertypes.HostConfig{
+		Mounts: []mounttypes.Mount{
+			{Type: "bind", Source: tmpDir, Target: destPath},
+		},
+	}
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, "test")
+	c.Assert(err, checker.IsNil)
+
+	out, _ := dockerCmd(c, "start", "-a", "test")
+	c.Assert(out, checker.Equals, "hello")
+}
+
+// Test Mounts comes out as expected for the MountPoint
+func (s *DockerSuite) TestContainersAPICreateMountsCreate(c *check.C) {
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	destPath := prefix + slash + "foo"
+
+	var (
+		testImg string
+	)
+	if testEnv.OSType != "windows" {
+		testImg = "test-mount-config"
+		buildImageSuccessfully(c, testImg, build.WithDockerfile(`
+	FROM busybox
+	RUN mkdir `+destPath+` && touch `+destPath+slash+`bar
+	CMD cat `+destPath+slash+`bar
+	`))
+	} else {
+		testImg = "busybox"
+	}
+
+	type testCase struct {
+		spec     mounttypes.Mount
+		expected types.MountPoint
+	}
+
+	var selinuxSharedLabel string
+	// this test label was added after a bug fix in 1.32, thus add requirements min API >= 1.32
+	// for the sake of making test pass in earlier versions
+	// bug fixed in https://github.com/moby/moby/pull/34684
+	if !versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		if runtime.GOOS == "linux" {
+			selinuxSharedLabel = "z"
+		}
+	}
+
+	cases := []testCase{
+		// use literal strings here for `Type` instead of the defined constants in the volume package to keep this honest
+		// Validation of the actual `Mount` struct is done in another test is not needed here
+		{
+			spec:     mounttypes.Mount{Type: "volume", Target: destPath},
+			expected: types.MountPoint{Driver: volume.DefaultDriverName, Type: "volume", RW: true, Destination: destPath, Mode: selinuxSharedLabel},
+		},
+		{
+			spec:     mounttypes.Mount{Type: "volume", Target: destPath + slash},
+			expected: types.MountPoint{Driver: volume.DefaultDriverName, Type: "volume", RW: true, Destination: destPath, Mode: selinuxSharedLabel},
+		},
+		{
+			spec:     mounttypes.Mount{Type: "volume", Target: destPath, Source: "test1"},
+			expected: types.MountPoint{Type: "volume", Name: "test1", RW: true, Destination: destPath, Mode: selinuxSharedLabel},
+		},
+		{
+			spec:     mounttypes.Mount{Type: "volume", Target: destPath, ReadOnly: true, Source: "test2"},
+			expected: types.MountPoint{Type: "volume", Name: "test2", RW: false, Destination: destPath, Mode: selinuxSharedLabel},
+		},
+		{
+			spec:     mounttypes.Mount{Type: "volume", Target: destPath, Source: "test3", VolumeOptions: &mounttypes.VolumeOptions{DriverConfig: &mounttypes.Driver{Name: volume.DefaultDriverName}}},
+			expected: types.MountPoint{Driver: volume.DefaultDriverName, Type: "volume", Name: "test3", RW: true, Destination: destPath, Mode: selinuxSharedLabel},
+		},
+	}
+
+	if SameHostDaemon() {
+		// setup temp dir for testing binds
+		tmpDir1, err := ioutil.TempDir("", "test-mounts-api-1")
+		c.Assert(err, checker.IsNil)
+		defer os.RemoveAll(tmpDir1)
+		cases = append(cases, []testCase{
+			{
+				spec: mounttypes.Mount{
+					Type:   "bind",
+					Source: tmpDir1,
+					Target: destPath,
+				},
+				expected: types.MountPoint{
+					Type:        "bind",
+					RW:          true,
+					Destination: destPath,
+					Source:      tmpDir1,
+				},
+			},
+			{
+				spec:     mounttypes.Mount{Type: "bind", Source: tmpDir1, Target: destPath, ReadOnly: true},
+				expected: types.MountPoint{Type: "bind", RW: false, Destination: destPath, Source: tmpDir1},
+			},
+		}...)
+
+		// for modes only supported on Linux
+		if DaemonIsLinux() {
+			tmpDir3, err := ioutils.TempDir("", "test-mounts-api-3")
+			c.Assert(err, checker.IsNil)
+			defer os.RemoveAll(tmpDir3)
+
+			c.Assert(mount.Mount(tmpDir3, tmpDir3, "none", "bind,rw"), checker.IsNil)
+			c.Assert(mount.ForceMount("", tmpDir3, "none", "shared"), checker.IsNil)
+
+			cases = append(cases, []testCase{
+				{
+					spec:     mounttypes.Mount{Type: "bind", Source: tmpDir3, Target: destPath},
+					expected: types.MountPoint{Type: "bind", RW: true, Destination: destPath, Source: tmpDir3},
+				},
+				{
+					spec:     mounttypes.Mount{Type: "bind", Source: tmpDir3, Target: destPath, ReadOnly: true},
+					expected: types.MountPoint{Type: "bind", RW: false, Destination: destPath, Source: tmpDir3},
+				},
+				{
+					spec:     mounttypes.Mount{Type: "bind", Source: tmpDir3, Target: destPath, ReadOnly: true, BindOptions: &mounttypes.BindOptions{Propagation: "shared"}},
+					expected: types.MountPoint{Type: "bind", RW: false, Destination: destPath, Source: tmpDir3, Propagation: "shared"},
+				},
+			}...)
+		}
+	}
+
+	if testEnv.OSType != "windows" { // Windows does not support volume populate
+		cases = append(cases, []testCase{
+			{
+				spec:     mounttypes.Mount{Type: "volume", Target: destPath, VolumeOptions: &mounttypes.VolumeOptions{NoCopy: true}},
+				expected: types.MountPoint{Driver: volume.DefaultDriverName, Type: "volume", RW: true, Destination: destPath, Mode: selinuxSharedLabel},
+			},
+			{
+				spec:     mounttypes.Mount{Type: "volume", Target: destPath + slash, VolumeOptions: &mounttypes.VolumeOptions{NoCopy: true}},
+				expected: types.MountPoint{Driver: volume.DefaultDriverName, Type: "volume", RW: true, Destination: destPath, Mode: selinuxSharedLabel},
+			},
+			{
+				spec:     mounttypes.Mount{Type: "volume", Target: destPath, Source: "test4", VolumeOptions: &mounttypes.VolumeOptions{NoCopy: true}},
+				expected: types.MountPoint{Type: "volume", Name: "test4", RW: true, Destination: destPath, Mode: selinuxSharedLabel},
+			},
+			{
+				spec:     mounttypes.Mount{Type: "volume", Target: destPath, Source: "test5", ReadOnly: true, VolumeOptions: &mounttypes.VolumeOptions{NoCopy: true}},
+				expected: types.MountPoint{Type: "volume", Name: "test5", RW: false, Destination: destPath, Mode: selinuxSharedLabel},
+			},
+		}...)
+	}
+
+	type wrapper struct {
+		containertypes.Config
+		HostConfig containertypes.HostConfig
+	}
+	type createResp struct {
+		ID string `json:"Id"`
+	}
+
+	ctx := context.Background()
+	apiclient := testEnv.APIClient()
+	for i, x := range cases {
+		c.Logf("case %d - config: %v", i, x.spec)
+		container, err := apiclient.ContainerCreate(
+			ctx,
+			&containertypes.Config{Image: testImg},
+			&containertypes.HostConfig{Mounts: []mounttypes.Mount{x.spec}},
+			&networktypes.NetworkingConfig{},
+			"")
+		assert.NilError(c, err)
+
+		containerInspect, err := apiclient.ContainerInspect(ctx, container.ID)
+		assert.NilError(c, err)
+		mps := containerInspect.Mounts
+		assert.Assert(c, is.Len(mps, 1))
+		mountPoint := mps[0]
+
+		if x.expected.Source != "" {
+			assert.Check(c, is.Equal(x.expected.Source, mountPoint.Source))
+		}
+		if x.expected.Name != "" {
+			assert.Check(c, is.Equal(x.expected.Name, mountPoint.Name))
+		}
+		if x.expected.Driver != "" {
+			assert.Check(c, is.Equal(x.expected.Driver, mountPoint.Driver))
+		}
+		if x.expected.Propagation != "" {
+			assert.Check(c, is.Equal(x.expected.Propagation, mountPoint.Propagation))
+		}
+		assert.Check(c, is.Equal(x.expected.RW, mountPoint.RW))
+		assert.Check(c, is.Equal(x.expected.Type, mountPoint.Type))
+		assert.Check(c, is.Equal(x.expected.Mode, mountPoint.Mode))
+		assert.Check(c, is.Equal(x.expected.Destination, mountPoint.Destination))
+
+		err = apiclient.ContainerStart(ctx, container.ID, types.ContainerStartOptions{})
+		assert.NilError(c, err)
+		poll.WaitOn(c, containerExit(apiclient, container.ID), poll.WithDelay(time.Second))
+
+		err = apiclient.ContainerRemove(ctx, container.ID, types.ContainerRemoveOptions{
+			RemoveVolumes: true,
+			Force:         true,
+		})
+		assert.NilError(c, err)
+
+		switch {
+
+		// Named volumes still exist after the container is removed
+		case x.spec.Type == "volume" && len(x.spec.Source) > 0:
+			_, err := apiclient.VolumeInspect(ctx, mountPoint.Name)
+			assert.NilError(c, err)
+
+		// Bind mounts are never removed with the container
+		case x.spec.Type == "bind":
+
+		// anonymous volumes are removed
+		default:
+			_, err := apiclient.VolumeInspect(ctx, mountPoint.Name)
+			assert.Check(c, client.IsErrNotFound(err))
+		}
+	}
+}
+
+func containerExit(apiclient client.APIClient, name string) func(poll.LogT) poll.Result {
+	return func(logT poll.LogT) poll.Result {
+		container, err := apiclient.ContainerInspect(context.Background(), name)
+		if err != nil {
+			return poll.Error(err)
+		}
+		switch container.State.Status {
+		case "created", "running":
+			return poll.Continue("container %s is %s, waiting for exit", name, container.State.Status)
+		}
+		return poll.Success()
+	}
+}
+
+func (s *DockerSuite) TestContainersAPICreateMountsTmpfs(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	type testCase struct {
+		cfg             mounttypes.Mount
+		expectedOptions []string
+	}
+	target := "/foo"
+	cases := []testCase{
+		{
+			cfg: mounttypes.Mount{
+				Type:   "tmpfs",
+				Target: target},
+			expectedOptions: []string{"rw", "nosuid", "nodev", "noexec", "relatime"},
+		},
+		{
+			cfg: mounttypes.Mount{
+				Type:   "tmpfs",
+				Target: target,
+				TmpfsOptions: &mounttypes.TmpfsOptions{
+					SizeBytes: 4096 * 1024, Mode: 0700}},
+			expectedOptions: []string{"rw", "nosuid", "nodev", "noexec", "relatime", "size=4096k", "mode=700"},
+		},
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	config := containertypes.Config{
+		Image: "busybox",
+		Cmd:   []string{"/bin/sh", "-c", fmt.Sprintf("mount | grep 'tmpfs on %s'", target)},
+	}
+	for i, x := range cases {
+		cName := fmt.Sprintf("test-tmpfs-%d", i)
+		hostConfig := containertypes.HostConfig{
+			Mounts: []mounttypes.Mount{x.cfg},
+		}
+
+		_, err = cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, cName)
+		c.Assert(err, checker.IsNil)
+		out, _ := dockerCmd(c, "start", "-a", cName)
+		for _, option := range x.expectedOptions {
+			c.Assert(out, checker.Contains, option)
+		}
+	}
+}
+
+// Regression test for #33334
+// Makes sure that when a container which has a custom stop signal + restart=always
+// gets killed (with SIGKILL) by the kill API, that the restart policy is cancelled.
+func (s *DockerSuite) TestContainerKillCustomStopSignal(c *check.C) {
+	id := strings.TrimSpace(runSleepingContainer(c, "--stop-signal=SIGTERM", "--restart=always"))
+	res, _, err := request.Post("/containers/" + id + "/kill")
+	c.Assert(err, checker.IsNil)
+	defer res.Body.Close()
+
+	b, err := ioutil.ReadAll(res.Body)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNoContent, check.Commentf(string(b)))
+	err = waitInspect(id, "{{.State.Running}} {{.State.Restarting}}", "false false", 30*time.Second)
+	c.Assert(err, checker.IsNil)
+}
diff --git a/engine/integration-cli/docker_api_containers_windows_test.go b/engine/integration-cli/docker_api_containers_windows_test.go
new file mode 100644
index 00000000..c569574d
--- /dev/null
+++ b/engine/integration-cli/docker_api_containers_windows_test.go
@@ -0,0 +1,76 @@
+// +build windows
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"math/rand"
+	"strings"
+
+	winio "github.com/Microsoft/go-winio"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/go-check/check"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func (s *DockerSuite) TestContainersAPICreateMountsBindNamedPipe(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsWindowsAtLeastBuild(16299)) // Named pipe support was added in RS3
+
+	// Create a host pipe to map into the container
+	hostPipeName := fmt.Sprintf(`\\.\pipe\docker-cli-test-pipe-%x`, rand.Uint64())
+	pc := &winio.PipeConfig{
+		SecurityDescriptor: "D:P(A;;GA;;;AU)", // Allow all users access to the pipe
+	}
+	l, err := winio.ListenPipe(hostPipeName, pc)
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer l.Close()
+
+	// Asynchronously read data that the container writes to the mapped pipe.
+	var b []byte
+	ch := make(chan error)
+	go func() {
+		conn, err := l.Accept()
+		if err == nil {
+			b, err = ioutil.ReadAll(conn)
+			conn.Close()
+		}
+		ch <- err
+	}()
+
+	containerPipeName := `\\.\pipe\docker-cli-test-pipe`
+	text := "hello from a pipe"
+	cmd := fmt.Sprintf("echo %s > %s", text, containerPipeName)
+	name := "test-bind-npipe"
+
+	ctx := context.Background()
+	client := testEnv.APIClient()
+	_, err = client.ContainerCreate(ctx,
+		&container.Config{
+			Image: testEnv.PlatformDefaults.BaseImage,
+			Cmd:   []string{"cmd", "/c", cmd},
+		}, &container.HostConfig{
+			Mounts: []mount.Mount{
+				{
+					Type:   "npipe",
+					Source: hostPipeName,
+					Target: containerPipeName,
+				},
+			},
+		},
+		nil, name)
+	assert.NilError(c, err)
+
+	err = client.ContainerStart(ctx, name, types.ContainerStartOptions{})
+	assert.NilError(c, err)
+
+	err = <-ch
+	assert.NilError(c, err)
+	assert.Check(c, is.Equal(text, strings.TrimSpace(string(b))))
+}
diff --git a/engine/integration-cli/docker_api_create_test.go b/engine/integration-cli/docker_api_create_test.go
new file mode 100644
index 00000000..8c7fff47
--- /dev/null
+++ b/engine/integration-cli/docker_api_create_test.go
@@ -0,0 +1,136 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestAPICreateWithInvalidHealthcheckParams(c *check.C) {
+	// test invalid Interval in Healthcheck: less than 0s
+	name := "test1"
+	config := map[string]interface{}{
+		"Image": "busybox",
+		"Healthcheck": map[string]interface{}{
+			"Interval": -10 * time.Millisecond,
+			"Timeout":  time.Second,
+			"Retries":  int(1000),
+		},
+	}
+
+	res, body, err := request.Post("/containers/create?name="+name, request.JSONBody(config))
+	c.Assert(err, check.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, check.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, check.Equals, http.StatusBadRequest)
+	}
+
+	buf, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	expected := fmt.Sprintf("Interval in Healthcheck cannot be less than %s", container.MinimumDuration)
+	c.Assert(getErrorMessage(c, buf), checker.Contains, expected)
+
+	// test invalid Interval in Healthcheck: larger than 0s but less than 1ms
+	name = "test2"
+	config = map[string]interface{}{
+		"Image": "busybox",
+		"Healthcheck": map[string]interface{}{
+			"Interval": 500 * time.Microsecond,
+			"Timeout":  time.Second,
+			"Retries":  int(1000),
+		},
+	}
+	res, body, err = request.Post("/containers/create?name="+name, request.JSONBody(config))
+	c.Assert(err, check.IsNil)
+
+	buf, err = request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, check.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, check.Equals, http.StatusBadRequest)
+	}
+	c.Assert(getErrorMessage(c, buf), checker.Contains, expected)
+
+	// test invalid Timeout in Healthcheck: less than 1ms
+	name = "test3"
+	config = map[string]interface{}{
+		"Image": "busybox",
+		"Healthcheck": map[string]interface{}{
+			"Interval": time.Second,
+			"Timeout":  -100 * time.Millisecond,
+			"Retries":  int(1000),
+		},
+	}
+	res, body, err = request.Post("/containers/create?name="+name, request.JSONBody(config))
+	c.Assert(err, check.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, check.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, check.Equals, http.StatusBadRequest)
+	}
+
+	buf, err = request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	expected = fmt.Sprintf("Timeout in Healthcheck cannot be less than %s", container.MinimumDuration)
+	c.Assert(getErrorMessage(c, buf), checker.Contains, expected)
+
+	// test invalid Retries in Healthcheck: less than 0
+	name = "test4"
+	config = map[string]interface{}{
+		"Image": "busybox",
+		"Healthcheck": map[string]interface{}{
+			"Interval": time.Second,
+			"Timeout":  time.Second,
+			"Retries":  int(-10),
+		},
+	}
+	res, body, err = request.Post("/containers/create?name="+name, request.JSONBody(config))
+	c.Assert(err, check.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, check.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, check.Equals, http.StatusBadRequest)
+	}
+
+	buf, err = request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	expected = "Retries in Healthcheck cannot be negative"
+	c.Assert(getErrorMessage(c, buf), checker.Contains, expected)
+
+	// test invalid StartPeriod in Healthcheck: not 0 and less than 1ms
+	name = "test3"
+	config = map[string]interface{}{
+		"Image": "busybox",
+		"Healthcheck": map[string]interface{}{
+			"Interval":    time.Second,
+			"Timeout":     time.Second,
+			"Retries":     int(1000),
+			"StartPeriod": 100 * time.Microsecond,
+		},
+	}
+	res, body, err = request.Post("/containers/create?name="+name, request.JSONBody(config))
+	c.Assert(err, check.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, check.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, check.Equals, http.StatusBadRequest)
+	}
+
+	buf, err = request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	expected = fmt.Sprintf("StartPeriod in Healthcheck cannot be less than %s", container.MinimumDuration)
+	c.Assert(getErrorMessage(c, buf), checker.Contains, expected)
+}
diff --git a/engine/integration-cli/docker_api_exec_resize_test.go b/engine/integration-cli/docker_api_exec_resize_test.go
new file mode 100644
index 00000000..2db3d3e3
--- /dev/null
+++ b/engine/integration-cli/docker_api_exec_resize_test.go
@@ -0,0 +1,113 @@
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestExecResizeAPIHeightWidthNoInt(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	cleanedContainerID := strings.TrimSpace(out)
+
+	endpoint := "/exec/" + cleanedContainerID + "/resize?h=foo&w=bar"
+	res, _, err := request.Post(endpoint)
+	c.Assert(err, checker.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	}
+}
+
+// Part of #14845
+func (s *DockerSuite) TestExecResizeImmediatelyAfterExecStart(c *check.C) {
+	name := "exec_resize_test"
+	dockerCmd(c, "run", "-d", "-i", "-t", "--name", name, "--restart", "always", "busybox", "/bin/sh")
+
+	testExecResize := func() error {
+		data := map[string]interface{}{
+			"AttachStdin": true,
+			"Cmd":         []string{"/bin/sh"},
+		}
+		uri := fmt.Sprintf("/containers/%s/exec", name)
+		res, body, err := request.Post(uri, request.JSONBody(data))
+		if err != nil {
+			return err
+		}
+		if res.StatusCode != http.StatusCreated {
+			return fmt.Errorf("POST %s is expected to return %d, got %d", uri, http.StatusCreated, res.StatusCode)
+		}
+
+		buf, err := request.ReadBody(body)
+		c.Assert(err, checker.IsNil)
+
+		out := map[string]string{}
+		err = json.Unmarshal(buf, &out)
+		if err != nil {
+			return fmt.Errorf("ExecCreate returned invalid json. Error: %q", err.Error())
+		}
+
+		execID := out["Id"]
+		if len(execID) < 1 {
+			return fmt.Errorf("ExecCreate got invalid execID")
+		}
+
+		payload := bytes.NewBufferString(`{"Tty":true}`)
+		conn, _, err := sockRequestHijack("POST", fmt.Sprintf("/exec/%s/start", execID), payload, "application/json", daemonHost())
+		if err != nil {
+			return fmt.Errorf("Failed to start the exec: %q", err.Error())
+		}
+		defer conn.Close()
+
+		_, rc, err := request.Post(fmt.Sprintf("/exec/%s/resize?h=24&w=80", execID), request.ContentType("text/plain"))
+		if err != nil {
+			// It's probably a panic of the daemon if io.ErrUnexpectedEOF is returned.
+			if err == io.ErrUnexpectedEOF {
+				return fmt.Errorf("The daemon might have crashed.")
+			}
+			// Other error happened, should be reported.
+			return fmt.Errorf("Fail to exec resize immediately after start. Error: %q", err.Error())
+		}
+
+		rc.Close()
+
+		return nil
+	}
+
+	// The panic happens when daemon.ContainerExecStart is called but the
+	// container.Exec is not called.
+	// Because the panic is not 100% reproducible, we send the requests concurrently
+	// to increase the probability that the problem is triggered.
+	var (
+		n  = 10
+		ch = make(chan error, n)
+		wg sync.WaitGroup
+	)
+	for i := 0; i < n; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			if err := testExecResize(); err != nil {
+				ch <- err
+			}
+		}()
+	}
+
+	wg.Wait()
+	select {
+	case err := <-ch:
+		c.Fatal(err.Error())
+	default:
+	}
+}
diff --git a/engine/integration-cli/docker_api_exec_test.go b/engine/integration-cli/docker_api_exec_test.go
new file mode 100644
index 00000000..118f9971
--- /dev/null
+++ b/engine/integration-cli/docker_api_exec_test.go
@@ -0,0 +1,313 @@
+// +build !test_no_exec
+
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+)
+
+// Regression test for #9414
+func (s *DockerSuite) TestExecAPICreateNoCmd(c *check.C) {
+	name := "exec_test"
+	dockerCmd(c, "run", "-d", "-t", "--name", name, "busybox", "/bin/sh")
+
+	res, body, err := request.Post(fmt.Sprintf("/containers/%s/exec", name), request.JSONBody(map[string]interface{}{"Cmd": nil}))
+	c.Assert(err, checker.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	}
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	comment := check.Commentf("Expected message when creating exec command with no Cmd specified")
+	c.Assert(getErrorMessage(c, b), checker.Contains, "No exec command specified", comment)
+}
+
+func (s *DockerSuite) TestExecAPICreateNoValidContentType(c *check.C) {
+	name := "exec_test"
+	dockerCmd(c, "run", "-d", "-t", "--name", name, "busybox", "/bin/sh")
+
+	jsonData := bytes.NewBuffer(nil)
+	if err := json.NewEncoder(jsonData).Encode(map[string]interface{}{"Cmd": nil}); err != nil {
+		c.Fatalf("Can not encode data to json %s", err)
+	}
+
+	res, body, err := request.Post(fmt.Sprintf("/containers/%s/exec", name), request.RawContent(ioutil.NopCloser(jsonData)), request.ContentType("test/plain"))
+	c.Assert(err, checker.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	}
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	comment := check.Commentf("Expected message when creating exec command with invalid Content-Type specified")
+	c.Assert(getErrorMessage(c, b), checker.Contains, "Content-Type specified", comment)
+}
+
+func (s *DockerSuite) TestExecAPICreateContainerPaused(c *check.C) {
+	// Not relevant on Windows as Windows containers cannot be paused
+	testRequires(c, DaemonIsLinux)
+	name := "exec_create_test"
+	dockerCmd(c, "run", "-d", "-t", "--name", name, "busybox", "/bin/sh")
+
+	dockerCmd(c, "pause", name)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	config := types.ExecConfig{
+		Cmd: []string{"true"},
+	}
+	_, err = cli.ContainerExecCreate(context.Background(), name, config)
+
+	comment := check.Commentf("Expected message when creating exec command with Container %s is paused", name)
+	c.Assert(err.Error(), checker.Contains, "Container "+name+" is paused, unpause the container before exec", comment)
+}
+
+func (s *DockerSuite) TestExecAPIStart(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Uses pause/unpause but bits may be salvageable to Windows to Windows CI
+	dockerCmd(c, "run", "-d", "--name", "test", "busybox", "top")
+
+	id := createExec(c, "test")
+	startExec(c, id, http.StatusOK)
+
+	var execJSON struct{ PID int }
+	inspectExec(c, id, &execJSON)
+	c.Assert(execJSON.PID, checker.GreaterThan, 1)
+
+	id = createExec(c, "test")
+	dockerCmd(c, "stop", "test")
+
+	startExec(c, id, http.StatusNotFound)
+
+	dockerCmd(c, "start", "test")
+	startExec(c, id, http.StatusNotFound)
+
+	// make sure exec is created before pausing
+	id = createExec(c, "test")
+	dockerCmd(c, "pause", "test")
+	startExec(c, id, http.StatusConflict)
+	dockerCmd(c, "unpause", "test")
+	startExec(c, id, http.StatusOK)
+}
+
+func (s *DockerSuite) TestExecAPIStartEnsureHeaders(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name", "test", "busybox", "top")
+
+	id := createExec(c, "test")
+	resp, _, err := request.Post(fmt.Sprintf("/exec/%s/start", id), request.RawString(`{"Detach": true}`), request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.Header.Get("Server"), checker.Not(checker.Equals), "")
+}
+
+func (s *DockerSuite) TestExecAPIStartBackwardsCompatible(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows only supports 1.25 or later
+	runSleepingContainer(c, "-d", "--name", "test")
+	id := createExec(c, "test")
+
+	resp, body, err := request.Post(fmt.Sprintf("/v1.20/exec/%s/start", id), request.RawString(`{"Detach": true}`), request.ContentType("text/plain"))
+	c.Assert(err, checker.IsNil)
+
+	b, err := request.ReadBody(body)
+	comment := check.Commentf("response body: %s", b)
+	c.Assert(err, checker.IsNil, comment)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK, comment)
+}
+
+// #19362
+func (s *DockerSuite) TestExecAPIStartMultipleTimesError(c *check.C) {
+	runSleepingContainer(c, "-d", "--name", "test")
+	execID := createExec(c, "test")
+	startExec(c, execID, http.StatusOK)
+	waitForExec(c, execID)
+
+	startExec(c, execID, http.StatusConflict)
+}
+
+// #20638
+func (s *DockerSuite) TestExecAPIStartWithDetach(c *check.C) {
+	name := "foo"
+	runSleepingContainer(c, "-d", "-t", "--name", name)
+
+	config := types.ExecConfig{
+		Cmd:          []string{"true"},
+		AttachStderr: true,
+	}
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	createResp, err := cli.ContainerExecCreate(context.Background(), name, config)
+	c.Assert(err, checker.IsNil)
+
+	_, body, err := request.Post(fmt.Sprintf("/exec/%s/start", createResp.ID), request.RawString(`{"Detach": true}`), request.JSON)
+	c.Assert(err, checker.IsNil)
+
+	b, err := request.ReadBody(body)
+	comment := check.Commentf("response body: %s", b)
+	c.Assert(err, checker.IsNil, comment)
+
+	resp, _, err := request.Get("/_ping")
+	c.Assert(err, checker.IsNil)
+	if resp.StatusCode != http.StatusOK {
+		c.Fatal("daemon is down, it should alive")
+	}
+}
+
+// #30311
+func (s *DockerSuite) TestExecAPIStartValidCommand(c *check.C) {
+	name := "exec_test"
+	dockerCmd(c, "run", "-d", "-t", "--name", name, "busybox", "/bin/sh")
+
+	id := createExecCmd(c, name, "true")
+	startExec(c, id, http.StatusOK)
+
+	waitForExec(c, id)
+
+	var inspectJSON struct{ ExecIDs []string }
+	inspectContainer(c, name, &inspectJSON)
+
+	c.Assert(inspectJSON.ExecIDs, checker.IsNil)
+}
+
+// #30311
+func (s *DockerSuite) TestExecAPIStartInvalidCommand(c *check.C) {
+	name := "exec_test"
+	dockerCmd(c, "run", "-d", "-t", "--name", name, "busybox", "/bin/sh")
+
+	id := createExecCmd(c, name, "invalid")
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		startExec(c, id, http.StatusNotFound)
+	} else {
+		startExec(c, id, http.StatusBadRequest)
+	}
+	waitForExec(c, id)
+
+	var inspectJSON struct{ ExecIDs []string }
+	inspectContainer(c, name, &inspectJSON)
+
+	c.Assert(inspectJSON.ExecIDs, checker.IsNil)
+}
+
+func (s *DockerSuite) TestExecStateCleanup(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+
+	// This test checks accidental regressions. Not part of stable API.
+
+	name := "exec_cleanup"
+	cid, _ := dockerCmd(c, "run", "-d", "-t", "--name", name, "busybox", "/bin/sh")
+	cid = strings.TrimSpace(cid)
+
+	stateDir := "/var/run/docker/containerd/" + cid
+
+	checkReadDir := func(c *check.C) (interface{}, check.CommentInterface) {
+		fi, err := ioutil.ReadDir(stateDir)
+		c.Assert(err, checker.IsNil)
+		return len(fi), nil
+	}
+
+	fi, err := ioutil.ReadDir(stateDir)
+	c.Assert(err, checker.IsNil)
+	c.Assert(len(fi), checker.GreaterThan, 1)
+
+	id := createExecCmd(c, name, "ls")
+	startExec(c, id, http.StatusOK)
+	waitForExec(c, id)
+
+	waitAndAssert(c, 5*time.Second, checkReadDir, checker.Equals, len(fi))
+
+	id = createExecCmd(c, name, "invalid")
+	startExec(c, id, http.StatusBadRequest)
+	waitForExec(c, id)
+
+	waitAndAssert(c, 5*time.Second, checkReadDir, checker.Equals, len(fi))
+
+	dockerCmd(c, "stop", name)
+	_, err = os.Stat(stateDir)
+	c.Assert(err, checker.NotNil)
+	c.Assert(os.IsNotExist(err), checker.True)
+}
+
+func createExec(c *check.C, name string) string {
+	return createExecCmd(c, name, "true")
+}
+
+func createExecCmd(c *check.C, name string, cmd string) string {
+	_, reader, err := request.Post(fmt.Sprintf("/containers/%s/exec", name), request.JSONBody(map[string]interface{}{"Cmd": []string{cmd}}))
+	c.Assert(err, checker.IsNil)
+	b, err := ioutil.ReadAll(reader)
+	c.Assert(err, checker.IsNil)
+	defer reader.Close()
+	createResp := struct {
+		ID string `json:"Id"`
+	}{}
+	c.Assert(json.Unmarshal(b, &createResp), checker.IsNil, check.Commentf(string(b)))
+	return createResp.ID
+}
+
+func startExec(c *check.C, id string, code int) {
+	resp, body, err := request.Post(fmt.Sprintf("/exec/%s/start", id), request.RawString(`{"Detach": true}`), request.JSON)
+	c.Assert(err, checker.IsNil)
+
+	b, err := request.ReadBody(body)
+	comment := check.Commentf("response body: %s", b)
+	c.Assert(err, checker.IsNil, comment)
+	c.Assert(resp.StatusCode, checker.Equals, code, comment)
+}
+
+func inspectExec(c *check.C, id string, out interface{}) {
+	resp, body, err := request.Get(fmt.Sprintf("/exec/%s/json", id))
+	c.Assert(err, checker.IsNil)
+	defer body.Close()
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
+	err = json.NewDecoder(body).Decode(out)
+	c.Assert(err, checker.IsNil)
+}
+
+func waitForExec(c *check.C, id string) {
+	timeout := time.After(60 * time.Second)
+	var execJSON struct{ Running bool }
+	for {
+		select {
+		case <-timeout:
+			c.Fatal("timeout waiting for exec to start")
+		default:
+		}
+
+		inspectExec(c, id, &execJSON)
+		if !execJSON.Running {
+			break
+		}
+	}
+}
+
+func inspectContainer(c *check.C, id string, out interface{}) {
+	resp, body, err := request.Get(fmt.Sprintf("/containers/%s/json", id))
+	c.Assert(err, checker.IsNil)
+	defer body.Close()
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
+	err = json.NewDecoder(body).Decode(out)
+	c.Assert(err, checker.IsNil)
+}
diff --git a/engine/integration-cli/docker_api_images_test.go b/engine/integration-cli/docker_api_images_test.go
new file mode 100644
index 00000000..da1c8c8f
--- /dev/null
+++ b/engine/integration-cli/docker_api_images_test.go
@@ -0,0 +1,187 @@
+package main
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestAPIImagesFilter(c *check.C) {
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	name := "utest:tag1"
+	name2 := "utest/docker:tag2"
+	name3 := "utest:5000/docker:tag3"
+	for _, n := range []string{name, name2, name3} {
+		dockerCmd(c, "tag", "busybox", n)
+	}
+	getImages := func(filter string) []types.ImageSummary {
+		filters := filters.NewArgs()
+		filters.Add("reference", filter)
+		options := types.ImageListOptions{
+			All:     false,
+			Filters: filters,
+		}
+		images, err := cli.ImageList(context.Background(), options)
+		c.Assert(err, checker.IsNil)
+
+		return images
+	}
+
+	//incorrect number of matches returned
+	images := getImages("utest*/*")
+	c.Assert(images[0].RepoTags, checker.HasLen, 2)
+
+	images = getImages("utest")
+	c.Assert(images[0].RepoTags, checker.HasLen, 1)
+
+	images = getImages("utest*")
+	c.Assert(images[0].RepoTags, checker.HasLen, 1)
+
+	images = getImages("*5000*/*")
+	c.Assert(images[0].RepoTags, checker.HasLen, 1)
+}
+
+func (s *DockerSuite) TestAPIImagesSaveAndLoad(c *check.C) {
+	testRequires(c, Network)
+	buildImageSuccessfully(c, "saveandload", build.WithDockerfile("FROM busybox\nENV FOO bar"))
+	id := getIDByName(c, "saveandload")
+
+	res, body, err := request.Get("/images/" + id + "/get")
+	c.Assert(err, checker.IsNil)
+	defer body.Close()
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	dockerCmd(c, "rmi", id)
+
+	res, loadBody, err := request.Post("/images/load", request.RawContent(body), request.ContentType("application/x-tar"))
+	c.Assert(err, checker.IsNil)
+	defer loadBody.Close()
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	inspectOut := cli.InspectCmd(c, id, cli.Format(".Id")).Combined()
+	c.Assert(strings.TrimSpace(string(inspectOut)), checker.Equals, id, check.Commentf("load did not work properly"))
+}
+
+func (s *DockerSuite) TestAPIImagesDelete(c *check.C) {
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	if testEnv.OSType != "windows" {
+		testRequires(c, Network)
+	}
+	name := "test-api-images-delete"
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nENV FOO bar"))
+	id := getIDByName(c, name)
+
+	dockerCmd(c, "tag", name, "test:tag1")
+
+	_, err = cli.ImageRemove(context.Background(), id, types.ImageRemoveOptions{})
+	c.Assert(err.Error(), checker.Contains, "unable to delete")
+
+	_, err = cli.ImageRemove(context.Background(), "test:noexist", types.ImageRemoveOptions{})
+	c.Assert(err.Error(), checker.Contains, "No such image")
+
+	_, err = cli.ImageRemove(context.Background(), "test:tag1", types.ImageRemoveOptions{})
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *DockerSuite) TestAPIImagesHistory(c *check.C) {
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	if testEnv.OSType != "windows" {
+		testRequires(c, Network)
+	}
+	name := "test-api-images-history"
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nENV FOO bar"))
+	id := getIDByName(c, name)
+
+	historydata, err := cli.ImageHistory(context.Background(), id)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(historydata, checker.Not(checker.HasLen), 0)
+	var found bool
+	for _, tag := range historydata[0].Tags {
+		if tag == "test-api-images-history:latest" {
+			found = true
+			break
+		}
+	}
+	c.Assert(found, checker.True)
+}
+
+func (s *DockerSuite) TestAPIImagesImportBadSrc(c *check.C) {
+	testRequires(c, Network, SameHostDaemon)
+
+	server := httptest.NewServer(http.NewServeMux())
+	defer server.Close()
+
+	tt := []struct {
+		statusExp int
+		fromSrc   string
+	}{
+		{http.StatusNotFound, server.URL + "/nofile.tar"},
+		{http.StatusNotFound, strings.TrimPrefix(server.URL, "http://") + "/nofile.tar"},
+		{http.StatusNotFound, strings.TrimPrefix(server.URL, "http://") + "%2Fdata%2Ffile.tar"},
+		{http.StatusInternalServerError, "%2Fdata%2Ffile.tar"},
+	}
+
+	for _, te := range tt {
+		res, _, err := request.Post(strings.Join([]string{"/images/create?fromSrc=", te.fromSrc}, ""), request.JSON)
+		c.Assert(err, check.IsNil)
+		c.Assert(res.StatusCode, checker.Equals, te.statusExp)
+		c.Assert(res.Header.Get("Content-Type"), checker.Equals, "application/json")
+	}
+
+}
+
+// #14846
+func (s *DockerSuite) TestAPIImagesSearchJSONContentType(c *check.C) {
+	testRequires(c, Network)
+
+	res, b, err := request.Get("/images/search?term=test", request.JSON)
+	c.Assert(err, check.IsNil)
+	b.Close()
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+	c.Assert(res.Header.Get("Content-Type"), checker.Equals, "application/json")
+}
+
+// Test case for 30027: image size reported as -1 in v1.12 client against v1.13 daemon.
+// This test checks to make sure both v1.12 and v1.13 client against v1.13 daemon get correct `Size` after the fix.
+func (s *DockerSuite) TestAPIImagesSizeCompatibility(c *check.C) {
+	apiclient := testEnv.APIClient()
+	defer apiclient.Close()
+
+	images, err := apiclient.ImageList(context.Background(), types.ImageListOptions{})
+	c.Assert(err, checker.IsNil)
+	c.Assert(len(images), checker.Not(checker.Equals), 0)
+	for _, image := range images {
+		c.Assert(image.Size, checker.Not(checker.Equals), int64(-1))
+	}
+
+	apiclient, err = client.NewClientWithOpts(client.FromEnv, client.WithVersion("v1.24"))
+	c.Assert(err, checker.IsNil)
+	defer apiclient.Close()
+
+	v124Images, err := apiclient.ImageList(context.Background(), types.ImageListOptions{})
+	c.Assert(err, checker.IsNil)
+	c.Assert(len(v124Images), checker.Not(checker.Equals), 0)
+	for _, image := range v124Images {
+		c.Assert(image.Size, checker.Not(checker.Equals), int64(-1))
+	}
+}
diff --git a/engine/integration-cli/docker_api_inspect_test.go b/engine/integration-cli/docker_api_inspect_test.go
new file mode 100644
index 00000000..68055b6c
--- /dev/null
+++ b/engine/integration-cli/docker_api_inspect_test.go
@@ -0,0 +1,181 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions/v1p20"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func (s *DockerSuite) TestInspectAPIContainerResponse(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+
+	cleanedContainerID := strings.TrimSpace(out)
+	keysBase := []string{"Id", "State", "Created", "Path", "Args", "Config", "Image", "NetworkSettings",
+		"ResolvConfPath", "HostnamePath", "HostsPath", "LogPath", "Name", "Driver", "MountLabel", "ProcessLabel", "GraphDriver"}
+
+	type acase struct {
+		version string
+		keys    []string
+	}
+
+	var cases []acase
+
+	if testEnv.OSType == "windows" {
+		cases = []acase{
+			{"v1.25", append(keysBase, "Mounts")},
+		}
+
+	} else {
+		cases = []acase{
+			{"v1.20", append(keysBase, "Mounts")},
+			{"v1.19", append(keysBase, "Volumes", "VolumesRW")},
+		}
+	}
+
+	for _, cs := range cases {
+		body := getInspectBody(c, cs.version, cleanedContainerID)
+
+		var inspectJSON map[string]interface{}
+		err := json.Unmarshal(body, &inspectJSON)
+		c.Assert(err, checker.IsNil, check.Commentf("Unable to unmarshal body for version %s", cs.version))
+
+		for _, key := range cs.keys {
+			_, ok := inspectJSON[key]
+			c.Check(ok, checker.True, check.Commentf("%s does not exist in response for version %s", key, cs.version))
+		}
+
+		//Issue #6830: type not properly converted to JSON/back
+		_, ok := inspectJSON["Path"].(bool)
+		c.Assert(ok, checker.False, check.Commentf("Path of `true` should not be converted to boolean `true` via JSON marshalling"))
+	}
+}
+
+func (s *DockerSuite) TestInspectAPIContainerVolumeDriverLegacy(c *check.C) {
+	// No legacy implications for Windows
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	cases := []string{"v1.19", "v1.20"}
+	for _, version := range cases {
+		body := getInspectBody(c, version, cleanedContainerID)
+
+		var inspectJSON map[string]interface{}
+		err := json.Unmarshal(body, &inspectJSON)
+		c.Assert(err, checker.IsNil, check.Commentf("Unable to unmarshal body for version %s", version))
+
+		config, ok := inspectJSON["Config"]
+		c.Assert(ok, checker.True, check.Commentf("Unable to find 'Config'"))
+		cfg := config.(map[string]interface{})
+		_, ok = cfg["VolumeDriver"]
+		c.Assert(ok, checker.True, check.Commentf("API version %s expected to include VolumeDriver in 'Config'", version))
+	}
+}
+
+func (s *DockerSuite) TestInspectAPIContainerVolumeDriver(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "--volume-driver", "local", "busybox", "true")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	body := getInspectBody(c, "v1.25", cleanedContainerID)
+
+	var inspectJSON map[string]interface{}
+	err := json.Unmarshal(body, &inspectJSON)
+	c.Assert(err, checker.IsNil, check.Commentf("Unable to unmarshal body for version 1.25"))
+
+	config, ok := inspectJSON["Config"]
+	c.Assert(ok, checker.True, check.Commentf("Unable to find 'Config'"))
+	cfg := config.(map[string]interface{})
+	_, ok = cfg["VolumeDriver"]
+	c.Assert(ok, checker.False, check.Commentf("API version 1.25 expected to not include VolumeDriver in 'Config'"))
+
+	config, ok = inspectJSON["HostConfig"]
+	c.Assert(ok, checker.True, check.Commentf("Unable to find 'HostConfig'"))
+	cfg = config.(map[string]interface{})
+	_, ok = cfg["VolumeDriver"]
+	c.Assert(ok, checker.True, check.Commentf("API version 1.25 expected to include VolumeDriver in 'HostConfig'"))
+}
+
+func (s *DockerSuite) TestInspectAPIImageResponse(c *check.C) {
+	dockerCmd(c, "tag", "busybox:latest", "busybox:mytag")
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	imageJSON, _, err := cli.ImageInspectWithRaw(context.Background(), "busybox")
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(imageJSON.RepoTags, checker.HasLen, 2)
+	assert.Check(c, is.Contains(imageJSON.RepoTags, "busybox:latest"))
+	assert.Check(c, is.Contains(imageJSON.RepoTags, "busybox:mytag"))
+}
+
+// #17131, #17139, #17173
+func (s *DockerSuite) TestInspectAPIEmptyFieldsInConfigPre121(c *check.C) {
+	// Not relevant on Windows
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	cases := []string{"v1.19", "v1.20"}
+	for _, version := range cases {
+		body := getInspectBody(c, version, cleanedContainerID)
+
+		var inspectJSON map[string]interface{}
+		err := json.Unmarshal(body, &inspectJSON)
+		c.Assert(err, checker.IsNil, check.Commentf("Unable to unmarshal body for version %s", version))
+		config, ok := inspectJSON["Config"]
+		c.Assert(ok, checker.True, check.Commentf("Unable to find 'Config'"))
+		cfg := config.(map[string]interface{})
+		for _, f := range []string{"MacAddress", "NetworkDisabled", "ExposedPorts"} {
+			_, ok := cfg[f]
+			c.Check(ok, checker.True, check.Commentf("API version %s expected to include %s in 'Config'", version, f))
+		}
+	}
+}
+
+func (s *DockerSuite) TestInspectAPIBridgeNetworkSettings120(c *check.C) {
+	// Not relevant on Windows, and besides it doesn't have any bridge network settings
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	containerID := strings.TrimSpace(out)
+	waitRun(containerID)
+
+	body := getInspectBody(c, "v1.20", containerID)
+
+	var inspectJSON v1p20.ContainerJSON
+	err := json.Unmarshal(body, &inspectJSON)
+	c.Assert(err, checker.IsNil)
+
+	settings := inspectJSON.NetworkSettings
+	c.Assert(settings.IPAddress, checker.Not(checker.HasLen), 0)
+}
+
+func (s *DockerSuite) TestInspectAPIBridgeNetworkSettings121(c *check.C) {
+	// Windows doesn't have any bridge network settings
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	containerID := strings.TrimSpace(out)
+	waitRun(containerID)
+
+	body := getInspectBody(c, "v1.21", containerID)
+
+	var inspectJSON types.ContainerJSON
+	err := json.Unmarshal(body, &inspectJSON)
+	c.Assert(err, checker.IsNil)
+
+	settings := inspectJSON.NetworkSettings
+	c.Assert(settings.IPAddress, checker.Not(checker.HasLen), 0)
+	c.Assert(settings.Networks["bridge"], checker.Not(checker.IsNil))
+	c.Assert(settings.IPAddress, checker.Equals, settings.Networks["bridge"].IPAddress)
+}
diff --git a/engine/integration-cli/docker_api_ipcmode_test.go b/engine/integration-cli/docker_api_ipcmode_test.go
new file mode 100644
index 00000000..886ff88d
--- /dev/null
+++ b/engine/integration-cli/docker_api_ipcmode_test.go
@@ -0,0 +1,213 @@
+// build +linux
+package main
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/go-check/check"
+)
+
+/* testIpcCheckDevExists checks whether a given mount (identified by its
+ * major:minor pair from /proc/self/mountinfo) exists on the host system.
+ *
+ * The format of /proc/self/mountinfo is like:
+ *
+ * 29 23 0:24 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
+ *       ^^^^\
+ *            - this is the minor:major we look for
+ */
+func testIpcCheckDevExists(mm string) (bool, error) {
+	f, err := os.Open("/proc/self/mountinfo")
+	if err != nil {
+		return false, err
+	}
+	defer f.Close()
+
+	s := bufio.NewScanner(f)
+	for s.Scan() {
+		fields := strings.Fields(s.Text())
+		if len(fields) < 7 {
+			continue
+		}
+		if fields[2] == mm {
+			return true, nil
+		}
+	}
+
+	return false, s.Err()
+}
+
+// testIpcNonePrivateShareable is a helper function to test "none",
+// "private" and "shareable" modes.
+func testIpcNonePrivateShareable(c *check.C, mode string, mustBeMounted bool, mustBeShared bool) {
+	cfg := container.Config{
+		Image: "busybox",
+		Cmd:   []string{"top"},
+	}
+	hostCfg := container.HostConfig{
+		IpcMode: container.IpcMode(mode),
+	}
+	ctx := context.Background()
+
+	client := testEnv.APIClient()
+
+	resp, err := client.ContainerCreate(ctx, &cfg, &hostCfg, nil, "")
+	c.Assert(err, checker.IsNil)
+	c.Assert(len(resp.Warnings), checker.Equals, 0)
+
+	err = client.ContainerStart(ctx, resp.ID, types.ContainerStartOptions{})
+	c.Assert(err, checker.IsNil)
+
+	// get major:minor pair for /dev/shm from container's /proc/self/mountinfo
+	cmd := "awk '($5 == \"/dev/shm\") {printf $3}' /proc/self/mountinfo"
+	mm := cli.DockerCmd(c, "exec", "-i", resp.ID, "sh", "-c", cmd).Combined()
+	if !mustBeMounted {
+		c.Assert(mm, checker.Equals, "")
+		// no more checks to perform
+		return
+	}
+	c.Assert(mm, checker.Matches, "^[0-9]+:[0-9]+$")
+
+	shared, err := testIpcCheckDevExists(mm)
+	c.Assert(err, checker.IsNil)
+	c.Logf("[testIpcPrivateShareable] ipcmode: %v, ipcdev: %v, shared: %v, mustBeShared: %v\n", mode, mm, shared, mustBeShared)
+	c.Assert(shared, checker.Equals, mustBeShared)
+}
+
+/* TestAPIIpcModeNone checks the container "none" IPC mode
+ * (--ipc none) works as expected. It makes sure there is no
+ * /dev/shm mount inside the container.
+ */
+func (s *DockerSuite) TestAPIIpcModeNone(c *check.C) {
+	testRequires(c, DaemonIsLinux, MinimumAPIVersion("1.32"))
+	testIpcNonePrivateShareable(c, "none", false, false)
+}
+
+/* TestAPIIpcModePrivate checks the container private IPC mode
+ * (--ipc private) works as expected. It gets the minor:major pair
+ * of /dev/shm mount from the container, and makes sure there is no
+ * such pair on the host.
+ */
+func (s *DockerSuite) TestAPIIpcModePrivate(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	testIpcNonePrivateShareable(c, "private", true, false)
+}
+
+/* TestAPIIpcModeShareable checks the container shareable IPC mode
+ * (--ipc shareable) works as expected. It gets the minor:major pair
+ * of /dev/shm mount from the container, and makes sure such pair
+ * also exists on the host.
+ */
+func (s *DockerSuite) TestAPIIpcModeShareable(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	testIpcNonePrivateShareable(c, "shareable", true, true)
+}
+
+// testIpcContainer is a helper function to test --ipc container:NNN mode in various scenarios
+func testIpcContainer(s *DockerSuite, c *check.C, donorMode string, mustWork bool) {
+	cfg := container.Config{
+		Image: "busybox",
+		Cmd:   []string{"top"},
+	}
+	hostCfg := container.HostConfig{
+		IpcMode: container.IpcMode(donorMode),
+	}
+	ctx := context.Background()
+
+	client := testEnv.APIClient()
+
+	// create and start the "donor" container
+	resp, err := client.ContainerCreate(ctx, &cfg, &hostCfg, nil, "")
+	c.Assert(err, checker.IsNil)
+	c.Assert(len(resp.Warnings), checker.Equals, 0)
+	name1 := resp.ID
+
+	err = client.ContainerStart(ctx, name1, types.ContainerStartOptions{})
+	c.Assert(err, checker.IsNil)
+
+	// create and start the second container
+	hostCfg.IpcMode = container.IpcMode("container:" + name1)
+	resp, err = client.ContainerCreate(ctx, &cfg, &hostCfg, nil, "")
+	c.Assert(err, checker.IsNil)
+	c.Assert(len(resp.Warnings), checker.Equals, 0)
+	name2 := resp.ID
+
+	err = client.ContainerStart(ctx, name2, types.ContainerStartOptions{})
+	if !mustWork {
+		// start should fail with a specific error
+		c.Assert(err, checker.NotNil)
+		c.Assert(fmt.Sprintf("%v", err), checker.Contains, "non-shareable IPC")
+		// no more checks to perform here
+		return
+	}
+
+	// start should succeed
+	c.Assert(err, checker.IsNil)
+
+	// check that IPC is shared
+	// 1. create a file in the first container
+	cli.DockerCmd(c, "exec", name1, "sh", "-c", "printf covfefe > /dev/shm/bar")
+	// 2. check it's the same file in the second one
+	out := cli.DockerCmd(c, "exec", "-i", name2, "cat", "/dev/shm/bar").Combined()
+	c.Assert(out, checker.Matches, "^covfefe$")
+}
+
+/* TestAPIIpcModeShareableAndContainer checks that a container created with
+ * --ipc container:ID can use IPC of another shareable container.
+ */
+func (s *DockerSuite) TestAPIIpcModeShareableAndContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testIpcContainer(s, c, "shareable", true)
+}
+
+/* TestAPIIpcModePrivateAndContainer checks that a container created with
+ * --ipc container:ID can NOT use IPC of another private container.
+ */
+func (s *DockerSuite) TestAPIIpcModePrivateAndContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux, MinimumAPIVersion("1.32"))
+	testIpcContainer(s, c, "private", false)
+}
+
+/* TestAPIIpcModeHost checks that a container created with --ipc host
+ * can use IPC of the host system.
+ */
+func (s *DockerSuite) TestAPIIpcModeHost(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon, NotUserNamespace)
+
+	cfg := container.Config{
+		Image: "busybox",
+		Cmd:   []string{"top"},
+	}
+	hostCfg := container.HostConfig{
+		IpcMode: container.IpcMode("host"),
+	}
+	ctx := context.Background()
+
+	client := testEnv.APIClient()
+	resp, err := client.ContainerCreate(ctx, &cfg, &hostCfg, nil, "")
+	c.Assert(err, checker.IsNil)
+	c.Assert(len(resp.Warnings), checker.Equals, 0)
+	name := resp.ID
+
+	err = client.ContainerStart(ctx, name, types.ContainerStartOptions{})
+	c.Assert(err, checker.IsNil)
+
+	// check that IPC is shared
+	// 1. create a file inside container
+	cli.DockerCmd(c, "exec", name, "sh", "-c", "printf covfefe > /dev/shm/."+name)
+	// 2. check it's the same on the host
+	bytes, err := ioutil.ReadFile("/dev/shm/." + name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(bytes), checker.Matches, "^covfefe$")
+	// 3. clean up
+	cli.DockerCmd(c, "exec", name, "rm", "-f", "/dev/shm/."+name)
+}
diff --git a/engine/integration-cli/docker_api_logs_test.go b/engine/integration-cli/docker_api_logs_test.go
new file mode 100644
index 00000000..e809b46c
--- /dev/null
+++ b/engine/integration-cli/docker_api_logs_test.go
@@ -0,0 +1,216 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestLogsAPIWithStdout(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "-t", "busybox", "/bin/sh", "-c", "while true; do echo hello; sleep 1; done")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	type logOut struct {
+		out string
+		err error
+	}
+
+	chLog := make(chan logOut)
+	res, body, err := request.Get(fmt.Sprintf("/containers/%s/logs?follow=1&stdout=1&timestamps=1", id))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+
+	go func() {
+		defer body.Close()
+		out, err := bufio.NewReader(body).ReadString('\n')
+		if err != nil {
+			chLog <- logOut{"", err}
+			return
+		}
+		chLog <- logOut{strings.TrimSpace(out), err}
+	}()
+
+	select {
+	case l := <-chLog:
+		c.Assert(l.err, checker.IsNil)
+		if !strings.HasSuffix(l.out, "hello") {
+			c.Fatalf("expected log output to container 'hello', but it does not")
+		}
+	case <-time.After(30 * time.Second):
+		c.Fatal("timeout waiting for logs to exit")
+	}
+}
+
+func (s *DockerSuite) TestLogsAPINoStdoutNorStderr(c *check.C) {
+	name := "logs_test"
+	dockerCmd(c, "run", "-d", "-t", "--name", name, "busybox", "/bin/sh")
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerLogs(context.Background(), name, types.ContainerLogsOptions{})
+	expected := "Bad parameters: you must choose at least one stream"
+	c.Assert(err.Error(), checker.Contains, expected)
+}
+
+// Regression test for #12704
+func (s *DockerSuite) TestLogsAPIFollowEmptyOutput(c *check.C) {
+	name := "logs_test"
+	t0 := time.Now()
+	dockerCmd(c, "run", "-d", "-t", "--name", name, "busybox", "sleep", "10")
+
+	_, body, err := request.Get(fmt.Sprintf("/containers/%s/logs?follow=1&stdout=1&stderr=1&tail=all", name))
+	t1 := time.Now()
+	c.Assert(err, checker.IsNil)
+	body.Close()
+	elapsed := t1.Sub(t0).Seconds()
+	if elapsed > 20.0 {
+		c.Fatalf("HTTP response was not immediate (elapsed %.1fs)", elapsed)
+	}
+}
+
+func (s *DockerSuite) TestLogsAPIContainerNotFound(c *check.C) {
+	name := "nonExistentContainer"
+	resp, _, err := request.Get(fmt.Sprintf("/containers/%s/logs?follow=1&stdout=1&stderr=1&tail=all", name))
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusNotFound)
+}
+
+func (s *DockerSuite) TestLogsAPIUntilFutureFollow(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "logsuntilfuturefollow"
+	dockerCmd(c, "run", "-d", "--name", name, "busybox", "/bin/sh", "-c", "while true; do date +%s; sleep 1; done")
+	c.Assert(waitRun(name), checker.IsNil)
+
+	untilSecs := 5
+	untilDur, err := time.ParseDuration(fmt.Sprintf("%ds", untilSecs))
+	c.Assert(err, checker.IsNil)
+	until := daemonTime(c).Add(untilDur)
+
+	client, err := client.NewEnvClient()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	cfg := types.ContainerLogsOptions{Until: until.Format(time.RFC3339Nano), Follow: true, ShowStdout: true, Timestamps: true}
+	reader, err := client.ContainerLogs(context.Background(), name, cfg)
+	c.Assert(err, checker.IsNil)
+
+	type logOut struct {
+		out string
+		err error
+	}
+
+	chLog := make(chan logOut)
+
+	go func() {
+		bufReader := bufio.NewReader(reader)
+		defer reader.Close()
+		for i := 0; i < untilSecs; i++ {
+			out, _, err := bufReader.ReadLine()
+			if err != nil {
+				if err == io.EOF {
+					return
+				}
+				chLog <- logOut{"", err}
+				return
+			}
+
+			chLog <- logOut{strings.TrimSpace(string(out)), err}
+		}
+	}()
+
+	for i := 0; i < untilSecs; i++ {
+		select {
+		case l := <-chLog:
+			c.Assert(l.err, checker.IsNil)
+			i, err := strconv.ParseInt(strings.Split(l.out, " ")[1], 10, 64)
+			c.Assert(err, checker.IsNil)
+			c.Assert(time.Unix(i, 0).UnixNano(), checker.LessOrEqualThan, until.UnixNano())
+		case <-time.After(20 * time.Second):
+			c.Fatal("timeout waiting for logs to exit")
+		}
+	}
+}
+
+func (s *DockerSuite) TestLogsAPIUntil(c *check.C) {
+	testRequires(c, MinimumAPIVersion("1.34"))
+	name := "logsuntil"
+	dockerCmd(c, "run", "--name", name, "busybox", "/bin/sh", "-c", "for i in $(seq 1 3); do echo log$i; sleep 1; done")
+
+	client, err := client.NewEnvClient()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	extractBody := func(c *check.C, cfg types.ContainerLogsOptions) []string {
+		reader, err := client.ContainerLogs(context.Background(), name, cfg)
+		c.Assert(err, checker.IsNil)
+
+		actualStdout := new(bytes.Buffer)
+		actualStderr := ioutil.Discard
+		_, err = stdcopy.StdCopy(actualStdout, actualStderr, reader)
+		c.Assert(err, checker.IsNil)
+
+		return strings.Split(actualStdout.String(), "\n")
+	}
+
+	// Get timestamp of second log line
+	allLogs := extractBody(c, types.ContainerLogsOptions{Timestamps: true, ShowStdout: true})
+	c.Assert(len(allLogs), checker.GreaterOrEqualThan, 3)
+
+	t, err := time.Parse(time.RFC3339Nano, strings.Split(allLogs[1], " ")[0])
+	c.Assert(err, checker.IsNil)
+	until := t.Format(time.RFC3339Nano)
+
+	// Get logs until the timestamp of second line, i.e. first two lines
+	logs := extractBody(c, types.ContainerLogsOptions{Timestamps: true, ShowStdout: true, Until: until})
+
+	// Ensure log lines after cut-off are excluded
+	logsString := strings.Join(logs, "\n")
+	c.Assert(logsString, checker.Not(checker.Contains), "log3", check.Commentf("unexpected log message returned, until=%v", until))
+}
+
+func (s *DockerSuite) TestLogsAPIUntilDefaultValue(c *check.C) {
+	name := "logsuntildefaultval"
+	dockerCmd(c, "run", "--name", name, "busybox", "/bin/sh", "-c", "for i in $(seq 1 3); do echo log$i; done")
+
+	client, err := client.NewEnvClient()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	extractBody := func(c *check.C, cfg types.ContainerLogsOptions) []string {
+		reader, err := client.ContainerLogs(context.Background(), name, cfg)
+		c.Assert(err, checker.IsNil)
+
+		actualStdout := new(bytes.Buffer)
+		actualStderr := ioutil.Discard
+		_, err = stdcopy.StdCopy(actualStdout, actualStderr, reader)
+		c.Assert(err, checker.IsNil)
+
+		return strings.Split(actualStdout.String(), "\n")
+	}
+
+	// Get timestamp of second log line
+	allLogs := extractBody(c, types.ContainerLogsOptions{Timestamps: true, ShowStdout: true})
+
+	// Test with default value specified and parameter omitted
+	defaultLogs := extractBody(c, types.ContainerLogsOptions{Timestamps: true, ShowStdout: true, Until: "0"})
+	c.Assert(defaultLogs, checker.DeepEquals, allLogs)
+}
diff --git a/engine/integration-cli/docker_api_network_test.go b/engine/integration-cli/docker_api_network_test.go
new file mode 100644
index 00000000..9ec2ba90
--- /dev/null
+++ b/engine/integration-cli/docker_api_network_test.go
@@ -0,0 +1,376 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestAPINetworkGetDefaults(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	// By default docker daemon creates 3 networks. check if they are present
+	defaults := []string{"bridge", "host", "none"}
+	for _, nn := range defaults {
+		c.Assert(isNetworkAvailable(c, nn), checker.Equals, true)
+	}
+}
+
+func (s *DockerSuite) TestAPINetworkCreateCheckDuplicate(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testcheckduplicate"
+	configOnCheck := types.NetworkCreateRequest{
+		Name: name,
+		NetworkCreate: types.NetworkCreate{
+			CheckDuplicate: true,
+		},
+	}
+	configNotCheck := types.NetworkCreateRequest{
+		Name: name,
+		NetworkCreate: types.NetworkCreate{
+			CheckDuplicate: false,
+		},
+	}
+
+	// Creating a new network first
+	createNetwork(c, configOnCheck, http.StatusCreated)
+	c.Assert(isNetworkAvailable(c, name), checker.Equals, true)
+
+	// Creating another network with same name and CheckDuplicate must fail
+	isOlderAPI := versions.LessThan(testEnv.DaemonAPIVersion(), "1.34")
+	expectedStatus := http.StatusConflict
+	if isOlderAPI {
+		// In the early test code it uses bool value to represent
+		// whether createNetwork() is expected to fail or not.
+		// Therefore, we use negation to handle the same logic after
+		// the code was changed in https://github.com/moby/moby/pull/35030
+		// -http.StatusCreated will also be checked as NOT equal to
+		// http.StatusCreated in createNetwork() function.
+		expectedStatus = -http.StatusCreated
+	}
+	createNetwork(c, configOnCheck, expectedStatus)
+
+	// Creating another network with same name and not CheckDuplicate must succeed
+	createNetwork(c, configNotCheck, http.StatusCreated)
+}
+
+func (s *DockerSuite) TestAPINetworkFilter(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	nr := getNetworkResource(c, getNetworkIDByName(c, "bridge"))
+	c.Assert(nr.Name, checker.Equals, "bridge")
+}
+
+func (s *DockerSuite) TestAPINetworkInspectBridge(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	// Inspect default bridge network
+	nr := getNetworkResource(c, "bridge")
+	c.Assert(nr.Name, checker.Equals, "bridge")
+
+	// run a container and attach it to the default bridge network
+	out, _ := dockerCmd(c, "run", "-d", "--name", "test", "busybox", "top")
+	containerID := strings.TrimSpace(out)
+	containerIP := findContainerIP(c, "test", "bridge")
+
+	// inspect default bridge network again and make sure the container is connected
+	nr = getNetworkResource(c, nr.ID)
+	c.Assert(nr.Driver, checker.Equals, "bridge")
+	c.Assert(nr.Scope, checker.Equals, "local")
+	c.Assert(nr.Internal, checker.Equals, false)
+	c.Assert(nr.EnableIPv6, checker.Equals, false)
+	c.Assert(nr.IPAM.Driver, checker.Equals, "default")
+	c.Assert(nr.Containers[containerID], checker.NotNil)
+
+	ip, _, err := net.ParseCIDR(nr.Containers[containerID].IPv4Address)
+	c.Assert(err, checker.IsNil)
+	c.Assert(ip.String(), checker.Equals, containerIP)
+}
+
+func (s *DockerSuite) TestAPINetworkInspectUserDefinedNetwork(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	// IPAM configuration inspect
+	ipam := &network.IPAM{
+		Driver: "default",
+		Config: []network.IPAMConfig{{Subnet: "172.28.0.0/16", IPRange: "172.28.5.0/24", Gateway: "172.28.5.254"}},
+	}
+	config := types.NetworkCreateRequest{
+		Name: "br0",
+		NetworkCreate: types.NetworkCreate{
+			Driver:  "bridge",
+			IPAM:    ipam,
+			Options: map[string]string{"foo": "bar", "opts": "dopts"},
+		},
+	}
+	id0 := createNetwork(c, config, http.StatusCreated)
+	c.Assert(isNetworkAvailable(c, "br0"), checker.Equals, true)
+
+	nr := getNetworkResource(c, id0)
+	c.Assert(len(nr.IPAM.Config), checker.Equals, 1)
+	c.Assert(nr.IPAM.Config[0].Subnet, checker.Equals, "172.28.0.0/16")
+	c.Assert(nr.IPAM.Config[0].IPRange, checker.Equals, "172.28.5.0/24")
+	c.Assert(nr.IPAM.Config[0].Gateway, checker.Equals, "172.28.5.254")
+	c.Assert(nr.Options["foo"], checker.Equals, "bar")
+	c.Assert(nr.Options["opts"], checker.Equals, "dopts")
+
+	// delete the network and make sure it is deleted
+	deleteNetwork(c, id0, true)
+	c.Assert(isNetworkAvailable(c, "br0"), checker.Equals, false)
+}
+
+func (s *DockerSuite) TestAPINetworkConnectDisconnect(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	// Create test network
+	name := "testnetwork"
+	config := types.NetworkCreateRequest{
+		Name: name,
+	}
+	id := createNetwork(c, config, http.StatusCreated)
+	nr := getNetworkResource(c, id)
+	c.Assert(nr.Name, checker.Equals, name)
+	c.Assert(nr.ID, checker.Equals, id)
+	c.Assert(len(nr.Containers), checker.Equals, 0)
+
+	// run a container
+	out, _ := dockerCmd(c, "run", "-d", "--name", "test", "busybox", "top")
+	containerID := strings.TrimSpace(out)
+
+	// connect the container to the test network
+	connectNetwork(c, nr.ID, containerID)
+
+	// inspect the network to make sure container is connected
+	nr = getNetworkResource(c, nr.ID)
+	c.Assert(len(nr.Containers), checker.Equals, 1)
+	c.Assert(nr.Containers[containerID], checker.NotNil)
+
+	// check if container IP matches network inspect
+	ip, _, err := net.ParseCIDR(nr.Containers[containerID].IPv4Address)
+	c.Assert(err, checker.IsNil)
+	containerIP := findContainerIP(c, "test", "testnetwork")
+	c.Assert(ip.String(), checker.Equals, containerIP)
+
+	// disconnect container from the network
+	disconnectNetwork(c, nr.ID, containerID)
+	nr = getNetworkResource(c, nr.ID)
+	c.Assert(nr.Name, checker.Equals, name)
+	c.Assert(len(nr.Containers), checker.Equals, 0)
+
+	// delete the network
+	deleteNetwork(c, nr.ID, true)
+}
+
+func (s *DockerSuite) TestAPINetworkIPAMMultipleBridgeNetworks(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	// test0 bridge network
+	ipam0 := &network.IPAM{
+		Driver: "default",
+		Config: []network.IPAMConfig{{Subnet: "192.178.0.0/16", IPRange: "192.178.128.0/17", Gateway: "192.178.138.100"}},
+	}
+	config0 := types.NetworkCreateRequest{
+		Name: "test0",
+		NetworkCreate: types.NetworkCreate{
+			Driver: "bridge",
+			IPAM:   ipam0,
+		},
+	}
+	id0 := createNetwork(c, config0, http.StatusCreated)
+	c.Assert(isNetworkAvailable(c, "test0"), checker.Equals, true)
+
+	ipam1 := &network.IPAM{
+		Driver: "default",
+		Config: []network.IPAMConfig{{Subnet: "192.178.128.0/17", Gateway: "192.178.128.1"}},
+	}
+	// test1 bridge network overlaps with test0
+	config1 := types.NetworkCreateRequest{
+		Name: "test1",
+		NetworkCreate: types.NetworkCreate{
+			Driver: "bridge",
+			IPAM:   ipam1,
+		},
+	}
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		createNetwork(c, config1, http.StatusInternalServerError)
+	} else {
+		createNetwork(c, config1, http.StatusForbidden)
+	}
+	c.Assert(isNetworkAvailable(c, "test1"), checker.Equals, false)
+
+	ipam2 := &network.IPAM{
+		Driver: "default",
+		Config: []network.IPAMConfig{{Subnet: "192.169.0.0/16", Gateway: "192.169.100.100"}},
+	}
+	// test2 bridge network does not overlap
+	config2 := types.NetworkCreateRequest{
+		Name: "test2",
+		NetworkCreate: types.NetworkCreate{
+			Driver: "bridge",
+			IPAM:   ipam2,
+		},
+	}
+	createNetwork(c, config2, http.StatusCreated)
+	c.Assert(isNetworkAvailable(c, "test2"), checker.Equals, true)
+
+	// remove test0 and retry to create test1
+	deleteNetwork(c, id0, true)
+	createNetwork(c, config1, http.StatusCreated)
+	c.Assert(isNetworkAvailable(c, "test1"), checker.Equals, true)
+
+	// for networks w/o ipam specified, docker will choose proper non-overlapping subnets
+	createNetwork(c, types.NetworkCreateRequest{Name: "test3"}, http.StatusCreated)
+	c.Assert(isNetworkAvailable(c, "test3"), checker.Equals, true)
+	createNetwork(c, types.NetworkCreateRequest{Name: "test4"}, http.StatusCreated)
+	c.Assert(isNetworkAvailable(c, "test4"), checker.Equals, true)
+	createNetwork(c, types.NetworkCreateRequest{Name: "test5"}, http.StatusCreated)
+	c.Assert(isNetworkAvailable(c, "test5"), checker.Equals, true)
+
+	for i := 1; i < 6; i++ {
+		deleteNetwork(c, fmt.Sprintf("test%d", i), true)
+	}
+}
+
+func (s *DockerSuite) TestAPICreateDeletePredefinedNetworks(c *check.C) {
+	testRequires(c, DaemonIsLinux, SwarmInactive)
+	createDeletePredefinedNetwork(c, "bridge")
+	createDeletePredefinedNetwork(c, "none")
+	createDeletePredefinedNetwork(c, "host")
+}
+
+func createDeletePredefinedNetwork(c *check.C, name string) {
+	// Create pre-defined network
+	config := types.NetworkCreateRequest{
+		Name: name,
+		NetworkCreate: types.NetworkCreate{
+			CheckDuplicate: true,
+		},
+	}
+	expectedStatus := http.StatusForbidden
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.34") {
+		// In the early test code it uses bool value to represent
+		// whether createNetwork() is expected to fail or not.
+		// Therefore, we use negation to handle the same logic after
+		// the code was changed in https://github.com/moby/moby/pull/35030
+		// -http.StatusCreated will also be checked as NOT equal to
+		// http.StatusCreated in createNetwork() function.
+		expectedStatus = -http.StatusCreated
+	}
+	createNetwork(c, config, expectedStatus)
+	deleteNetwork(c, name, false)
+}
+
+func isNetworkAvailable(c *check.C, name string) bool {
+	resp, body, err := request.Get("/networks")
+	c.Assert(err, checker.IsNil)
+	defer resp.Body.Close()
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
+
+	var nJSON []types.NetworkResource
+	err = json.NewDecoder(body).Decode(&nJSON)
+	c.Assert(err, checker.IsNil)
+
+	for _, n := range nJSON {
+		if n.Name == name {
+			return true
+		}
+	}
+	return false
+}
+
+func getNetworkIDByName(c *check.C, name string) string {
+	var (
+		v          = url.Values{}
+		filterArgs = filters.NewArgs()
+	)
+	filterArgs.Add("name", name)
+	filterJSON, err := filters.ToJSON(filterArgs)
+	c.Assert(err, checker.IsNil)
+	v.Set("filters", filterJSON)
+
+	resp, body, err := request.Get("/networks?" + v.Encode())
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
+	c.Assert(err, checker.IsNil)
+
+	var nJSON []types.NetworkResource
+	err = json.NewDecoder(body).Decode(&nJSON)
+	c.Assert(err, checker.IsNil)
+	var res string
+	for _, n := range nJSON {
+		// Find exact match
+		if n.Name == name {
+			res = n.ID
+		}
+	}
+	c.Assert(res, checker.Not(checker.Equals), "")
+
+	return res
+}
+
+func getNetworkResource(c *check.C, id string) *types.NetworkResource {
+	_, obj, err := request.Get("/networks/" + id)
+	c.Assert(err, checker.IsNil)
+
+	nr := types.NetworkResource{}
+	err = json.NewDecoder(obj).Decode(&nr)
+	c.Assert(err, checker.IsNil)
+
+	return &nr
+}
+
+func createNetwork(c *check.C, config types.NetworkCreateRequest, expectedStatusCode int) string {
+	resp, body, err := request.Post("/networks/create", request.JSONBody(config))
+	c.Assert(err, checker.IsNil)
+	defer resp.Body.Close()
+
+	if expectedStatusCode >= 0 {
+		c.Assert(resp.StatusCode, checker.Equals, expectedStatusCode)
+	} else {
+		c.Assert(resp.StatusCode, checker.Not(checker.Equals), -expectedStatusCode)
+	}
+
+	if expectedStatusCode == http.StatusCreated || expectedStatusCode < 0 {
+		var nr types.NetworkCreateResponse
+		err = json.NewDecoder(body).Decode(&nr)
+		c.Assert(err, checker.IsNil)
+
+		return nr.ID
+	}
+	return ""
+}
+
+func connectNetwork(c *check.C, nid, cid string) {
+	config := types.NetworkConnect{
+		Container: cid,
+	}
+
+	resp, _, err := request.Post("/networks/"+nid+"/connect", request.JSONBody(config))
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
+	c.Assert(err, checker.IsNil)
+}
+
+func disconnectNetwork(c *check.C, nid, cid string) {
+	config := types.NetworkConnect{
+		Container: cid,
+	}
+
+	resp, _, err := request.Post("/networks/"+nid+"/disconnect", request.JSONBody(config))
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
+	c.Assert(err, checker.IsNil)
+}
+
+func deleteNetwork(c *check.C, id string, shouldSucceed bool) {
+	resp, _, err := request.Delete("/networks/" + id)
+	c.Assert(err, checker.IsNil)
+	defer resp.Body.Close()
+	if !shouldSucceed {
+		c.Assert(resp.StatusCode, checker.Not(checker.Equals), http.StatusOK)
+		return
+	}
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusNoContent)
+}
diff --git a/engine/integration-cli/docker_api_stats_test.go b/engine/integration-cli/docker_api_stats_test.go
new file mode 100644
index 00000000..3954e4b2
--- /dev/null
+++ b/engine/integration-cli/docker_api_stats_test.go
@@ -0,0 +1,314 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+)
+
+var expectedNetworkInterfaceStats = strings.Split("rx_bytes rx_dropped rx_errors rx_packets tx_bytes tx_dropped tx_errors tx_packets", " ")
+
+func (s *DockerSuite) TestAPIStatsNoStreamGetCpu(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "while true;usleep 100; do echo 'Hello'; done")
+
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+	resp, body, err := request.Get(fmt.Sprintf("/containers/%s/stats?stream=false", id))
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
+	c.Assert(resp.Header.Get("Content-Type"), checker.Equals, "application/json")
+
+	var v *types.Stats
+	err = json.NewDecoder(body).Decode(&v)
+	c.Assert(err, checker.IsNil)
+	body.Close()
+
+	var cpuPercent = 0.0
+
+	if testEnv.OSType != "windows" {
+		cpuDelta := float64(v.CPUStats.CPUUsage.TotalUsage - v.PreCPUStats.CPUUsage.TotalUsage)
+		systemDelta := float64(v.CPUStats.SystemUsage - v.PreCPUStats.SystemUsage)
+		cpuPercent = (cpuDelta / systemDelta) * float64(len(v.CPUStats.CPUUsage.PercpuUsage)) * 100.0
+	} else {
+		// Max number of 100ns intervals between the previous time read and now
+		possIntervals := uint64(v.Read.Sub(v.PreRead).Nanoseconds()) // Start with number of ns intervals
+		possIntervals /= 100                                         // Convert to number of 100ns intervals
+		possIntervals *= uint64(v.NumProcs)                          // Multiple by the number of processors
+
+		// Intervals used
+		intervalsUsed := v.CPUStats.CPUUsage.TotalUsage - v.PreCPUStats.CPUUsage.TotalUsage
+
+		// Percentage avoiding divide-by-zero
+		if possIntervals > 0 {
+			cpuPercent = float64(intervalsUsed) / float64(possIntervals) * 100.0
+		}
+	}
+
+	c.Assert(cpuPercent, check.Not(checker.Equals), 0.0, check.Commentf("docker stats with no-stream get cpu usage failed: was %v", cpuPercent))
+}
+
+func (s *DockerSuite) TestAPIStatsStoppedContainerInGoroutines(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "echo 1")
+	id := strings.TrimSpace(out)
+
+	getGoRoutines := func() int {
+		_, body, err := request.Get(fmt.Sprintf("/info"))
+		c.Assert(err, checker.IsNil)
+		info := types.Info{}
+		err = json.NewDecoder(body).Decode(&info)
+		c.Assert(err, checker.IsNil)
+		body.Close()
+		return info.NGoroutines
+	}
+
+	// When the HTTP connection is closed, the number of goroutines should not increase.
+	routines := getGoRoutines()
+	_, body, err := request.Get(fmt.Sprintf("/containers/%s/stats", id))
+	c.Assert(err, checker.IsNil)
+	body.Close()
+
+	t := time.After(30 * time.Second)
+	for {
+		select {
+		case <-t:
+			c.Assert(getGoRoutines(), checker.LessOrEqualThan, routines)
+			return
+		default:
+			if n := getGoRoutines(); n <= routines {
+				return
+			}
+			time.Sleep(200 * time.Millisecond)
+		}
+	}
+}
+
+func (s *DockerSuite) TestAPIStatsNetworkStats(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	out := runSleepingContainer(c)
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	// Retrieve the container address
+	net := "bridge"
+	if testEnv.OSType == "windows" {
+		net = "nat"
+	}
+	contIP := findContainerIP(c, id, net)
+	numPings := 1
+
+	var preRxPackets uint64
+	var preTxPackets uint64
+	var postRxPackets uint64
+	var postTxPackets uint64
+
+	// Get the container networking stats before and after pinging the container
+	nwStatsPre := getNetworkStats(c, id)
+	for _, v := range nwStatsPre {
+		preRxPackets += v.RxPackets
+		preTxPackets += v.TxPackets
+	}
+
+	countParam := "-c"
+	if runtime.GOOS == "windows" {
+		countParam = "-n" // Ping count parameter is -n on Windows
+	}
+	pingout, err := exec.Command("ping", contIP, countParam, strconv.Itoa(numPings)).CombinedOutput()
+	if err != nil && runtime.GOOS == "linux" {
+		// If it fails then try a work-around, but just for linux.
+		// If this fails too then go back to the old error for reporting.
+		//
+		// The ping will sometimes fail due to an apparmor issue where it
+		// denies access to the libc.so.6 shared library - running it
+		// via /lib64/ld-linux-x86-64.so.2 seems to work around it.
+		pingout2, err2 := exec.Command("/lib64/ld-linux-x86-64.so.2", "/bin/ping", contIP, "-c", strconv.Itoa(numPings)).CombinedOutput()
+		if err2 == nil {
+			pingout = pingout2
+			err = err2
+		}
+	}
+	c.Assert(err, checker.IsNil)
+	pingouts := string(pingout[:])
+	nwStatsPost := getNetworkStats(c, id)
+	for _, v := range nwStatsPost {
+		postRxPackets += v.RxPackets
+		postTxPackets += v.TxPackets
+	}
+
+	// Verify the stats contain at least the expected number of packets
+	// On Linux, account for ARP.
+	expRxPkts := preRxPackets + uint64(numPings)
+	expTxPkts := preTxPackets + uint64(numPings)
+	if testEnv.OSType != "windows" {
+		expRxPkts++
+		expTxPkts++
+	}
+	c.Assert(postTxPackets, checker.GreaterOrEqualThan, expTxPkts,
+		check.Commentf("Reported less TxPackets than expected. Expected >= %d. Found %d. %s", expTxPkts, postTxPackets, pingouts))
+	c.Assert(postRxPackets, checker.GreaterOrEqualThan, expRxPkts,
+		check.Commentf("Reported less RxPackets than expected. Expected >= %d. Found %d. %s", expRxPkts, postRxPackets, pingouts))
+}
+
+func (s *DockerSuite) TestAPIStatsNetworkStatsVersioning(c *check.C) {
+	// Windows doesn't support API versions less than 1.25, so no point testing 1.17 .. 1.21
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	out := runSleepingContainer(c)
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+	wg := sync.WaitGroup{}
+
+	for i := 17; i <= 21; i++ {
+		wg.Add(1)
+		go func(i int) {
+			defer wg.Done()
+			apiVersion := fmt.Sprintf("v1.%d", i)
+			statsJSONBlob := getVersionedStats(c, id, apiVersion)
+			if versions.LessThan(apiVersion, "v1.21") {
+				c.Assert(jsonBlobHasLTv121NetworkStats(statsJSONBlob), checker.Equals, true,
+					check.Commentf("Stats JSON blob from API %s %#v does not look like a <v1.21 API stats structure", apiVersion, statsJSONBlob))
+			} else {
+				c.Assert(jsonBlobHasGTE121NetworkStats(statsJSONBlob), checker.Equals, true,
+					check.Commentf("Stats JSON blob from API %s %#v does not look like a >=v1.21 API stats structure", apiVersion, statsJSONBlob))
+			}
+		}(i)
+	}
+	wg.Wait()
+}
+
+func getNetworkStats(c *check.C, id string) map[string]types.NetworkStats {
+	var st *types.StatsJSON
+
+	_, body, err := request.Get(fmt.Sprintf("/containers/%s/stats?stream=false", id))
+	c.Assert(err, checker.IsNil)
+
+	err = json.NewDecoder(body).Decode(&st)
+	c.Assert(err, checker.IsNil)
+	body.Close()
+
+	return st.Networks
+}
+
+// getVersionedStats returns stats result for the
+// container with id using an API call with version apiVersion. Since the
+// stats result type differs between API versions, we simply return
+// map[string]interface{}.
+func getVersionedStats(c *check.C, id string, apiVersion string) map[string]interface{} {
+	stats := make(map[string]interface{})
+
+	_, body, err := request.Get(fmt.Sprintf("/%s/containers/%s/stats?stream=false", apiVersion, id))
+	c.Assert(err, checker.IsNil)
+	defer body.Close()
+
+	err = json.NewDecoder(body).Decode(&stats)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to decode stat: %s", err))
+
+	return stats
+}
+
+func jsonBlobHasLTv121NetworkStats(blob map[string]interface{}) bool {
+	networkStatsIntfc, ok := blob["network"]
+	if !ok {
+		return false
+	}
+	networkStats, ok := networkStatsIntfc.(map[string]interface{})
+	if !ok {
+		return false
+	}
+	for _, expectedKey := range expectedNetworkInterfaceStats {
+		if _, ok := networkStats[expectedKey]; !ok {
+			return false
+		}
+	}
+	return true
+}
+
+func jsonBlobHasGTE121NetworkStats(blob map[string]interface{}) bool {
+	networksStatsIntfc, ok := blob["networks"]
+	if !ok {
+		return false
+	}
+	networksStats, ok := networksStatsIntfc.(map[string]interface{})
+	if !ok {
+		return false
+	}
+	for _, networkInterfaceStatsIntfc := range networksStats {
+		networkInterfaceStats, ok := networkInterfaceStatsIntfc.(map[string]interface{})
+		if !ok {
+			return false
+		}
+		for _, expectedKey := range expectedNetworkInterfaceStats {
+			if _, ok := networkInterfaceStats[expectedKey]; !ok {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+func (s *DockerSuite) TestAPIStatsContainerNotFound(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	expected := "No such container: nonexistent"
+
+	_, err = cli.ContainerStats(context.Background(), "nonexistent", true)
+	c.Assert(err.Error(), checker.Contains, expected)
+	_, err = cli.ContainerStats(context.Background(), "nonexistent", false)
+	c.Assert(err.Error(), checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestAPIStatsNoStreamConnectedContainers(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	out1 := runSleepingContainer(c)
+	id1 := strings.TrimSpace(out1)
+	c.Assert(waitRun(id1), checker.IsNil)
+
+	out2 := runSleepingContainer(c, "--net", "container:"+id1)
+	id2 := strings.TrimSpace(out2)
+	c.Assert(waitRun(id2), checker.IsNil)
+
+	ch := make(chan error, 1)
+	go func() {
+		resp, body, err := request.Get(fmt.Sprintf("/containers/%s/stats?stream=false", id2))
+		defer body.Close()
+		if err != nil {
+			ch <- err
+		}
+		if resp.StatusCode != http.StatusOK {
+			ch <- fmt.Errorf("Invalid StatusCode %v", resp.StatusCode)
+		}
+		if resp.Header.Get("Content-Type") != "application/json" {
+			ch <- fmt.Errorf("Invalid 'Content-Type' %v", resp.Header.Get("Content-Type"))
+		}
+		var v *types.Stats
+		if err := json.NewDecoder(body).Decode(&v); err != nil {
+			ch <- err
+		}
+		ch <- nil
+	}()
+
+	select {
+	case err := <-ch:
+		c.Assert(err, checker.IsNil, check.Commentf("Error in stats Engine API: %v", err))
+	case <-time.After(15 * time.Second):
+		c.Fatalf("Stats did not return after timeout")
+	}
+}
diff --git a/engine/integration-cli/docker_api_swarm_node_test.go b/engine/integration-cli/docker_api_swarm_node_test.go
new file mode 100644
index 00000000..19139162
--- /dev/null
+++ b/engine/integration-cli/docker_api_swarm_node_test.go
@@ -0,0 +1,127 @@
+// +build !windows
+
+package main
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/daemon"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSwarmSuite) TestAPISwarmListNodes(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, false)
+	d3 := s.AddDaemon(c, true, false)
+
+	nodes := d1.ListNodes(c)
+	c.Assert(len(nodes), checker.Equals, 3, check.Commentf("nodes: %#v", nodes))
+
+loop0:
+	for _, n := range nodes {
+		for _, d := range []*daemon.Daemon{d1, d2, d3} {
+			if n.ID == d.NodeID() {
+				continue loop0
+			}
+		}
+		c.Errorf("unknown nodeID %v", n.ID)
+	}
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmNodeUpdate(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	nodes := d.ListNodes(c)
+
+	d.UpdateNode(c, nodes[0].ID, func(n *swarm.Node) {
+		n.Spec.Availability = swarm.NodeAvailabilityPause
+	})
+
+	n := d.GetNode(c, nodes[0].ID)
+	c.Assert(n.Spec.Availability, checker.Equals, swarm.NodeAvailabilityPause)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmNodeRemove(c *check.C) {
+	testRequires(c, Network)
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, false)
+	_ = s.AddDaemon(c, true, false)
+
+	nodes := d1.ListNodes(c)
+	c.Assert(len(nodes), checker.Equals, 3, check.Commentf("nodes: %#v", nodes))
+
+	// Getting the info so we can take the NodeID
+	d2Info := d2.SwarmInfo(c)
+
+	// forceful removal of d2 should work
+	d1.RemoveNode(c, d2Info.NodeID, true)
+
+	nodes = d1.ListNodes(c)
+	c.Assert(len(nodes), checker.Equals, 2, check.Commentf("nodes: %#v", nodes))
+
+	// Restart the node that was removed
+	d2.Restart(c)
+
+	// Give some time for the node to rejoin
+	time.Sleep(1 * time.Second)
+
+	// Make sure the node didn't rejoin
+	nodes = d1.ListNodes(c)
+	c.Assert(len(nodes), checker.Equals, 2, check.Commentf("nodes: %#v", nodes))
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmNodeDrainPause(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, false)
+
+	time.Sleep(1 * time.Second) // make sure all daemons are ready to accept tasks
+
+	// start a service, expect balanced distribution
+	instances := 8
+	id := d1.CreateService(c, simpleTestService, setInstances(instances))
+
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckActiveContainerCount, checker.GreaterThan, 0)
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckActiveContainerCount, checker.GreaterThan, 0)
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d2.CheckActiveContainerCount), checker.Equals, instances)
+
+	// drain d2, all containers should move to d1
+	d1.UpdateNode(c, d2.NodeID(), func(n *swarm.Node) {
+		n.Spec.Availability = swarm.NodeAvailabilityDrain
+	})
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckActiveContainerCount, checker.Equals, instances)
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckActiveContainerCount, checker.Equals, 0)
+
+	// set d2 back to active
+	d1.UpdateNode(c, d2.NodeID(), func(n *swarm.Node) {
+		n.Spec.Availability = swarm.NodeAvailabilityActive
+	})
+
+	instances = 1
+	d1.UpdateService(c, d1.GetService(c, id), setInstances(instances))
+
+	waitAndAssert(c, defaultReconciliationTimeout*2, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d2.CheckActiveContainerCount), checker.Equals, instances)
+
+	instances = 8
+	d1.UpdateService(c, d1.GetService(c, id), setInstances(instances))
+
+	// drained node first so we don't get any old containers
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckActiveContainerCount, checker.GreaterThan, 0)
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckActiveContainerCount, checker.GreaterThan, 0)
+	waitAndAssert(c, defaultReconciliationTimeout*2, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d2.CheckActiveContainerCount), checker.Equals, instances)
+
+	d2ContainerCount := len(d2.ActiveContainers(c))
+
+	// set d2 to paused, scale service up, only d1 gets new tasks
+	d1.UpdateNode(c, d2.NodeID(), func(n *swarm.Node) {
+		n.Spec.Availability = swarm.NodeAvailabilityPause
+	})
+
+	instances = 14
+	d1.UpdateService(c, d1.GetService(c, id), setInstances(instances))
+
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckActiveContainerCount, checker.Equals, instances-d2ContainerCount)
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckActiveContainerCount, checker.Equals, d2ContainerCount)
+
+}
diff --git a/engine/integration-cli/docker_api_swarm_service_test.go b/engine/integration-cli/docker_api_swarm_service_test.go
new file mode 100644
index 00000000..1a826c99
--- /dev/null
+++ b/engine/integration-cli/docker_api_swarm_service_test.go
@@ -0,0 +1,612 @@
+// +build !windows
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/integration-cli/daemon"
+	testdaemon "github.com/docker/docker/internal/test/daemon"
+	"github.com/go-check/check"
+	"golang.org/x/sys/unix"
+	"gotest.tools/icmd"
+)
+
+func setPortConfig(portConfig []swarm.PortConfig) testdaemon.ServiceConstructor {
+	return func(s *swarm.Service) {
+		if s.Spec.EndpointSpec == nil {
+			s.Spec.EndpointSpec = &swarm.EndpointSpec{}
+		}
+		s.Spec.EndpointSpec.Ports = portConfig
+	}
+}
+
+func (s *DockerSwarmSuite) TestAPIServiceUpdatePort(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// Create a service with a port mapping of 8080:8081.
+	portConfig := []swarm.PortConfig{{TargetPort: 8081, PublishedPort: 8080}}
+	serviceID := d.CreateService(c, simpleTestService, setInstances(1), setPortConfig(portConfig))
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	// Update the service: changed the port mapping from 8080:8081 to 8082:8083.
+	updatedPortConfig := []swarm.PortConfig{{TargetPort: 8083, PublishedPort: 8082}}
+	remoteService := d.GetService(c, serviceID)
+	d.UpdateService(c, remoteService, setPortConfig(updatedPortConfig))
+
+	// Inspect the service and verify port mapping.
+	updatedService := d.GetService(c, serviceID)
+	c.Assert(updatedService.Spec.EndpointSpec, check.NotNil)
+	c.Assert(len(updatedService.Spec.EndpointSpec.Ports), check.Equals, 1)
+	c.Assert(updatedService.Spec.EndpointSpec.Ports[0].TargetPort, check.Equals, uint32(8083))
+	c.Assert(updatedService.Spec.EndpointSpec.Ports[0].PublishedPort, check.Equals, uint32(8082))
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServicesEmptyList(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	services := d.ListServices(c)
+	c.Assert(services, checker.NotNil)
+	c.Assert(len(services), checker.Equals, 0, check.Commentf("services: %#v", services))
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServicesCreate(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	instances := 2
+	id := d.CreateService(c, simpleTestService, setInstances(instances))
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, instances)
+
+	cli, err := d.NewClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	options := types.ServiceInspectOptions{InsertDefaults: true}
+
+	// insertDefaults inserts UpdateConfig when service is fetched by ID
+	resp, _, err := cli.ServiceInspectWithRaw(context.Background(), id, options)
+	out := fmt.Sprintf("%+v", resp)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "UpdateConfig")
+
+	// insertDefaults inserts UpdateConfig when service is fetched by ID
+	resp, _, err = cli.ServiceInspectWithRaw(context.Background(), "top", options)
+	out = fmt.Sprintf("%+v", resp)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(out), checker.Contains, "UpdateConfig")
+
+	service := d.GetService(c, id)
+	instances = 5
+	d.UpdateService(c, service, setInstances(instances))
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, instances)
+
+	d.RemoveService(c, service.ID)
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 0)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServicesMultipleAgents(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, false)
+	d3 := s.AddDaemon(c, true, false)
+
+	time.Sleep(1 * time.Second) // make sure all daemons are ready to accept tasks
+
+	instances := 9
+	id := d1.CreateService(c, simpleTestService, setInstances(instances))
+
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckActiveContainerCount, checker.GreaterThan, 0)
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckActiveContainerCount, checker.GreaterThan, 0)
+	waitAndAssert(c, defaultReconciliationTimeout, d3.CheckActiveContainerCount, checker.GreaterThan, 0)
+
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d2.CheckActiveContainerCount, d3.CheckActiveContainerCount), checker.Equals, instances)
+
+	// reconciliation on d2 node down
+	d2.Stop(c)
+
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d3.CheckActiveContainerCount), checker.Equals, instances)
+
+	// test downscaling
+	instances = 5
+	d1.UpdateService(c, d1.GetService(c, id), setInstances(instances))
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d3.CheckActiveContainerCount), checker.Equals, instances)
+
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServicesCreateGlobal(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, false)
+	d3 := s.AddDaemon(c, true, false)
+
+	d1.CreateService(c, simpleTestService, setGlobalMode)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckActiveContainerCount, checker.Equals, 1)
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckActiveContainerCount, checker.Equals, 1)
+	waitAndAssert(c, defaultReconciliationTimeout, d3.CheckActiveContainerCount, checker.Equals, 1)
+
+	d4 := s.AddDaemon(c, true, false)
+	d5 := s.AddDaemon(c, true, false)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d4.CheckActiveContainerCount, checker.Equals, 1)
+	waitAndAssert(c, defaultReconciliationTimeout, d5.CheckActiveContainerCount, checker.Equals, 1)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServicesUpdate(c *check.C) {
+	const nodeCount = 3
+	var daemons [nodeCount]*daemon.Daemon
+	for i := 0; i < nodeCount; i++ {
+		daemons[i] = s.AddDaemon(c, true, i == 0)
+	}
+	// wait for nodes ready
+	waitAndAssert(c, 5*time.Second, daemons[0].CheckNodeReadyCount, checker.Equals, nodeCount)
+
+	// service image at start
+	image1 := "busybox:latest"
+	// target image in update
+	image2 := "busybox:test"
+
+	// create a different tag
+	for _, d := range daemons {
+		out, err := d.Cmd("tag", image1, image2)
+		c.Assert(err, checker.IsNil, check.Commentf(out))
+	}
+
+	// create service
+	instances := 5
+	parallelism := 2
+	rollbackParallelism := 3
+	id := daemons[0].CreateService(c, serviceForUpdate, setInstances(instances))
+
+	// wait for tasks ready
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances})
+
+	// issue service update
+	service := daemons[0].GetService(c, id)
+	daemons[0].UpdateService(c, service, setImage(image2))
+
+	// first batch
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances - parallelism, image2: parallelism})
+
+	// 2nd batch
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances - 2*parallelism, image2: 2 * parallelism})
+
+	// 3nd batch
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image2: instances})
+
+	// Roll back to the previous version. This uses the CLI because
+	// rollback used to be a client-side operation.
+	out, err := daemons[0].Cmd("service", "update", "--detach", "--rollback", id)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// first batch
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image2: instances - rollbackParallelism, image1: rollbackParallelism})
+
+	// 2nd batch
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances})
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServicesUpdateStartFirst(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// service image at start
+	image1 := "busybox:latest"
+	// target image in update
+	image2 := "testhealth:latest"
+
+	// service started from this image won't pass health check
+	result := cli.BuildCmd(c, image2, cli.Daemon(d),
+		build.WithDockerfile(`FROM busybox
+		HEALTHCHECK --interval=1s --timeout=30s --retries=1024 \
+		  CMD cat /status`),
+	)
+	result.Assert(c, icmd.Success)
+
+	// create service
+	instances := 5
+	parallelism := 2
+	rollbackParallelism := 3
+	id := d.CreateService(c, serviceForUpdate, setInstances(instances), setUpdateOrder(swarm.UpdateOrderStartFirst), setRollbackOrder(swarm.UpdateOrderStartFirst))
+
+	checkStartingTasks := func(expected int) []swarm.Task {
+		var startingTasks []swarm.Task
+		waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+			tasks := d.GetServiceTasks(c, id)
+			startingTasks = nil
+			for _, t := range tasks {
+				if t.Status.State == swarm.TaskStateStarting {
+					startingTasks = append(startingTasks, t)
+				}
+			}
+			return startingTasks, nil
+		}, checker.HasLen, expected)
+
+		return startingTasks
+	}
+
+	makeTasksHealthy := func(tasks []swarm.Task) {
+		for _, t := range tasks {
+			containerID := t.Status.ContainerStatus.ContainerID
+			d.Cmd("exec", containerID, "touch", "/status")
+		}
+	}
+
+	// wait for tasks ready
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances})
+
+	// issue service update
+	service := d.GetService(c, id)
+	d.UpdateService(c, service, setImage(image2))
+
+	// first batch
+
+	// The old tasks should be running, and the new ones should be starting.
+	startingTasks := checkStartingTasks(parallelism)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances})
+
+	// make it healthy
+	makeTasksHealthy(startingTasks)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances - parallelism, image2: parallelism})
+
+	// 2nd batch
+
+	// The old tasks should be running, and the new ones should be starting.
+	startingTasks = checkStartingTasks(parallelism)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances - parallelism, image2: parallelism})
+
+	// make it healthy
+	makeTasksHealthy(startingTasks)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances - 2*parallelism, image2: 2 * parallelism})
+
+	// 3nd batch
+
+	// The old tasks should be running, and the new ones should be starting.
+	startingTasks = checkStartingTasks(1)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances - 2*parallelism, image2: 2 * parallelism})
+
+	// make it healthy
+	makeTasksHealthy(startingTasks)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image2: instances})
+
+	// Roll back to the previous version. This uses the CLI because
+	// rollback is a client-side operation.
+	out, err := d.Cmd("service", "update", "--detach", "--rollback", id)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// first batch
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image2: instances - rollbackParallelism, image1: rollbackParallelism})
+
+	// 2nd batch
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances})
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServicesFailedUpdate(c *check.C) {
+	const nodeCount = 3
+	var daemons [nodeCount]*daemon.Daemon
+	for i := 0; i < nodeCount; i++ {
+		daemons[i] = s.AddDaemon(c, true, i == 0)
+	}
+	// wait for nodes ready
+	waitAndAssert(c, 5*time.Second, daemons[0].CheckNodeReadyCount, checker.Equals, nodeCount)
+
+	// service image at start
+	image1 := "busybox:latest"
+	// target image in update
+	image2 := "busybox:badtag"
+
+	// create service
+	instances := 5
+	id := daemons[0].CreateService(c, serviceForUpdate, setInstances(instances))
+
+	// wait for tasks ready
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances})
+
+	// issue service update
+	service := daemons[0].GetService(c, id)
+	daemons[0].UpdateService(c, service, setImage(image2), setFailureAction(swarm.UpdateFailureActionPause), setMaxFailureRatio(0.25), setParallelism(1))
+
+	// should update 2 tasks and then pause
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckServiceUpdateState(id), checker.Equals, swarm.UpdateStatePaused)
+	v, _ := daemons[0].CheckServiceRunningTasks(id)(c)
+	c.Assert(v, checker.Equals, instances-2)
+
+	// Roll back to the previous version. This uses the CLI because
+	// rollback used to be a client-side operation.
+	out, err := daemons[0].Cmd("service", "update", "--detach", "--rollback", id)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image1: instances})
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServiceConstraintRole(c *check.C) {
+	const nodeCount = 3
+	var daemons [nodeCount]*daemon.Daemon
+	for i := 0; i < nodeCount; i++ {
+		daemons[i] = s.AddDaemon(c, true, i == 0)
+	}
+	// wait for nodes ready
+	waitAndAssert(c, 5*time.Second, daemons[0].CheckNodeReadyCount, checker.Equals, nodeCount)
+
+	// create service
+	constraints := []string{"node.role==worker"}
+	instances := 3
+	id := daemons[0].CreateService(c, simpleTestService, setConstraints(constraints), setInstances(instances))
+	// wait for tasks ready
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckServiceRunningTasks(id), checker.Equals, instances)
+	// validate tasks are running on worker nodes
+	tasks := daemons[0].GetServiceTasks(c, id)
+	for _, task := range tasks {
+		node := daemons[0].GetNode(c, task.NodeID)
+		c.Assert(node.Spec.Role, checker.Equals, swarm.NodeRoleWorker)
+	}
+	//remove service
+	daemons[0].RemoveService(c, id)
+
+	// create service
+	constraints = []string{"node.role!=worker"}
+	id = daemons[0].CreateService(c, simpleTestService, setConstraints(constraints), setInstances(instances))
+	// wait for tasks ready
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckServiceRunningTasks(id), checker.Equals, instances)
+	tasks = daemons[0].GetServiceTasks(c, id)
+	// validate tasks are running on manager nodes
+	for _, task := range tasks {
+		node := daemons[0].GetNode(c, task.NodeID)
+		c.Assert(node.Spec.Role, checker.Equals, swarm.NodeRoleManager)
+	}
+	//remove service
+	daemons[0].RemoveService(c, id)
+
+	// create service
+	constraints = []string{"node.role==nosuchrole"}
+	id = daemons[0].CreateService(c, simpleTestService, setConstraints(constraints), setInstances(instances))
+	// wait for tasks created
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckServiceTasks(id), checker.Equals, instances)
+	// let scheduler try
+	time.Sleep(250 * time.Millisecond)
+	// validate tasks are not assigned to any node
+	tasks = daemons[0].GetServiceTasks(c, id)
+	for _, task := range tasks {
+		c.Assert(task.NodeID, checker.Equals, "")
+	}
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServiceConstraintLabel(c *check.C) {
+	const nodeCount = 3
+	var daemons [nodeCount]*daemon.Daemon
+	for i := 0; i < nodeCount; i++ {
+		daemons[i] = s.AddDaemon(c, true, i == 0)
+	}
+	// wait for nodes ready
+	waitAndAssert(c, 5*time.Second, daemons[0].CheckNodeReadyCount, checker.Equals, nodeCount)
+	nodes := daemons[0].ListNodes(c)
+	c.Assert(len(nodes), checker.Equals, nodeCount)
+
+	// add labels to nodes
+	daemons[0].UpdateNode(c, nodes[0].ID, func(n *swarm.Node) {
+		n.Spec.Annotations.Labels = map[string]string{
+			"security": "high",
+		}
+	})
+	for i := 1; i < nodeCount; i++ {
+		daemons[0].UpdateNode(c, nodes[i].ID, func(n *swarm.Node) {
+			n.Spec.Annotations.Labels = map[string]string{
+				"security": "low",
+			}
+		})
+	}
+
+	// create service
+	instances := 3
+	constraints := []string{"node.labels.security==high"}
+	id := daemons[0].CreateService(c, simpleTestService, setConstraints(constraints), setInstances(instances))
+	// wait for tasks ready
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckServiceRunningTasks(id), checker.Equals, instances)
+	tasks := daemons[0].GetServiceTasks(c, id)
+	// validate all tasks are running on nodes[0]
+	for _, task := range tasks {
+		c.Assert(task.NodeID, checker.Equals, nodes[0].ID)
+	}
+	//remove service
+	daemons[0].RemoveService(c, id)
+
+	// create service
+	constraints = []string{"node.labels.security!=high"}
+	id = daemons[0].CreateService(c, simpleTestService, setConstraints(constraints), setInstances(instances))
+	// wait for tasks ready
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckServiceRunningTasks(id), checker.Equals, instances)
+	tasks = daemons[0].GetServiceTasks(c, id)
+	// validate all tasks are NOT running on nodes[0]
+	for _, task := range tasks {
+		c.Assert(task.NodeID, checker.Not(checker.Equals), nodes[0].ID)
+	}
+	//remove service
+	daemons[0].RemoveService(c, id)
+
+	constraints = []string{"node.labels.security==medium"}
+	id = daemons[0].CreateService(c, simpleTestService, setConstraints(constraints), setInstances(instances))
+	// wait for tasks created
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckServiceTasks(id), checker.Equals, instances)
+	// let scheduler try
+	time.Sleep(250 * time.Millisecond)
+	tasks = daemons[0].GetServiceTasks(c, id)
+	// validate tasks are not assigned
+	for _, task := range tasks {
+		c.Assert(task.NodeID, checker.Equals, "")
+	}
+	//remove service
+	daemons[0].RemoveService(c, id)
+
+	// multiple constraints
+	constraints = []string{
+		"node.labels.security==high",
+		fmt.Sprintf("node.id==%s", nodes[1].ID),
+	}
+	id = daemons[0].CreateService(c, simpleTestService, setConstraints(constraints), setInstances(instances))
+	// wait for tasks created
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckServiceTasks(id), checker.Equals, instances)
+	// let scheduler try
+	time.Sleep(250 * time.Millisecond)
+	tasks = daemons[0].GetServiceTasks(c, id)
+	// validate tasks are not assigned
+	for _, task := range tasks {
+		c.Assert(task.NodeID, checker.Equals, "")
+	}
+	// make nodes[1] fulfills the constraints
+	daemons[0].UpdateNode(c, nodes[1].ID, func(n *swarm.Node) {
+		n.Spec.Annotations.Labels = map[string]string{
+			"security": "high",
+		}
+	})
+	// wait for tasks ready
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckServiceRunningTasks(id), checker.Equals, instances)
+	tasks = daemons[0].GetServiceTasks(c, id)
+	for _, task := range tasks {
+		c.Assert(task.NodeID, checker.Equals, nodes[1].ID)
+	}
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServicePlacementPrefs(c *check.C) {
+	const nodeCount = 3
+	var daemons [nodeCount]*daemon.Daemon
+	for i := 0; i < nodeCount; i++ {
+		daemons[i] = s.AddDaemon(c, true, i == 0)
+	}
+	// wait for nodes ready
+	waitAndAssert(c, 5*time.Second, daemons[0].CheckNodeReadyCount, checker.Equals, nodeCount)
+	nodes := daemons[0].ListNodes(c)
+	c.Assert(len(nodes), checker.Equals, nodeCount)
+
+	// add labels to nodes
+	daemons[0].UpdateNode(c, nodes[0].ID, func(n *swarm.Node) {
+		n.Spec.Annotations.Labels = map[string]string{
+			"rack": "a",
+		}
+	})
+	for i := 1; i < nodeCount; i++ {
+		daemons[0].UpdateNode(c, nodes[i].ID, func(n *swarm.Node) {
+			n.Spec.Annotations.Labels = map[string]string{
+				"rack": "b",
+			}
+		})
+	}
+
+	// create service
+	instances := 4
+	prefs := []swarm.PlacementPreference{{Spread: &swarm.SpreadOver{SpreadDescriptor: "node.labels.rack"}}}
+	id := daemons[0].CreateService(c, simpleTestService, setPlacementPrefs(prefs), setInstances(instances))
+	// wait for tasks ready
+	waitAndAssert(c, defaultReconciliationTimeout, daemons[0].CheckServiceRunningTasks(id), checker.Equals, instances)
+	tasks := daemons[0].GetServiceTasks(c, id)
+	// validate all tasks are running on nodes[0]
+	tasksOnNode := make(map[string]int)
+	for _, task := range tasks {
+		tasksOnNode[task.NodeID]++
+	}
+	c.Assert(tasksOnNode[nodes[0].ID], checker.Equals, 2)
+	c.Assert(tasksOnNode[nodes[1].ID], checker.Equals, 1)
+	c.Assert(tasksOnNode[nodes[2].ID], checker.Equals, 1)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServicesStateReporting(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	testRequires(c, DaemonIsLinux)
+
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, true)
+	d3 := s.AddDaemon(c, true, false)
+
+	time.Sleep(1 * time.Second) // make sure all daemons are ready to accept
+
+	instances := 9
+	d1.CreateService(c, simpleTestService, setInstances(instances))
+
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d2.CheckActiveContainerCount, d3.CheckActiveContainerCount), checker.Equals, instances)
+
+	getContainers := func() map[string]*daemon.Daemon {
+		m := make(map[string]*daemon.Daemon)
+		for _, d := range []*daemon.Daemon{d1, d2, d3} {
+			for _, id := range d.ActiveContainers(c) {
+				m[id] = d
+			}
+		}
+		return m
+	}
+
+	containers := getContainers()
+	c.Assert(containers, checker.HasLen, instances)
+	var toRemove string
+	for i := range containers {
+		toRemove = i
+	}
+
+	_, err := containers[toRemove].Cmd("stop", toRemove)
+	c.Assert(err, checker.IsNil)
+
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d2.CheckActiveContainerCount, d3.CheckActiveContainerCount), checker.Equals, instances)
+
+	containers2 := getContainers()
+	c.Assert(containers2, checker.HasLen, instances)
+	for i := range containers {
+		if i == toRemove {
+			c.Assert(containers2[i], checker.IsNil)
+		} else {
+			c.Assert(containers2[i], checker.NotNil)
+		}
+	}
+
+	containers = containers2
+	for i := range containers {
+		toRemove = i
+	}
+
+	// try with killing process outside of docker
+	pidStr, err := containers[toRemove].Cmd("inspect", "-f", "{{.State.Pid}}", toRemove)
+	c.Assert(err, checker.IsNil)
+	pid, err := strconv.Atoi(strings.TrimSpace(pidStr))
+	c.Assert(err, checker.IsNil)
+	c.Assert(unix.Kill(pid, unix.SIGKILL), checker.IsNil)
+
+	time.Sleep(time.Second) // give some time to handle the signal
+
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d2.CheckActiveContainerCount, d3.CheckActiveContainerCount), checker.Equals, instances)
+
+	containers2 = getContainers()
+	c.Assert(containers2, checker.HasLen, instances)
+	for i := range containers {
+		if i == toRemove {
+			c.Assert(containers2[i], checker.IsNil)
+		} else {
+			c.Assert(containers2[i], checker.NotNil)
+		}
+	}
+}
diff --git a/engine/integration-cli/docker_api_swarm_test.go b/engine/integration-cli/docker_api_swarm_test.go
new file mode 100644
index 00000000..6a31dd20
--- /dev/null
+++ b/engine/integration-cli/docker_api_swarm_test.go
@@ -0,0 +1,1034 @@
+// +build !windows
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/cloudflare/cfssl/csr"
+	"github.com/cloudflare/cfssl/helpers"
+	"github.com/cloudflare/cfssl/initca"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/daemon"
+	testdaemon "github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/swarmkit/ca"
+	"github.com/go-check/check"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+var defaultReconciliationTimeout = 30 * time.Second
+
+func (s *DockerSwarmSuite) TestAPISwarmInit(c *check.C) {
+	// todo: should find a better way to verify that components are running than /info
+	d1 := s.AddDaemon(c, true, true)
+	info := d1.SwarmInfo(c)
+	c.Assert(info.ControlAvailable, checker.True)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+	c.Assert(info.Cluster.RootRotationInProgress, checker.False)
+
+	d2 := s.AddDaemon(c, true, false)
+	info = d2.SwarmInfo(c)
+	c.Assert(info.ControlAvailable, checker.False)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+
+	// Leaving cluster
+	c.Assert(d2.SwarmLeave(false), checker.IsNil)
+
+	info = d2.SwarmInfo(c)
+	c.Assert(info.ControlAvailable, checker.False)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	d2.SwarmJoin(c, swarm.JoinRequest{
+		ListenAddr:  d1.SwarmListenAddr(),
+		JoinToken:   d1.JoinTokens(c).Worker,
+		RemoteAddrs: []string{d1.SwarmListenAddr()},
+	})
+
+	info = d2.SwarmInfo(c)
+	c.Assert(info.ControlAvailable, checker.False)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+
+	// Current state restoring after restarts
+	d1.Stop(c)
+	d2.Stop(c)
+
+	d1.Start(c)
+	d2.Start(c)
+
+	info = d1.SwarmInfo(c)
+	c.Assert(info.ControlAvailable, checker.True)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+
+	info = d2.SwarmInfo(c)
+	c.Assert(info.ControlAvailable, checker.False)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmJoinToken(c *check.C) {
+	d1 := s.AddDaemon(c, false, false)
+	d1.SwarmInit(c, swarm.InitRequest{})
+
+	// todo: error message differs depending if some components of token are valid
+
+	d2 := s.AddDaemon(c, false, false)
+	c2 := d2.NewClientT(c)
+	err := c2.SwarmJoin(context.Background(), swarm.JoinRequest{
+		ListenAddr:  d2.SwarmListenAddr(),
+		RemoteAddrs: []string{d1.SwarmListenAddr()},
+	})
+	c.Assert(err, checker.NotNil)
+	c.Assert(err.Error(), checker.Contains, "join token is necessary")
+	info := d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	err = c2.SwarmJoin(context.Background(), swarm.JoinRequest{
+		ListenAddr:  d2.SwarmListenAddr(),
+		JoinToken:   "foobaz",
+		RemoteAddrs: []string{d1.SwarmListenAddr()},
+	})
+	c.Assert(err, checker.NotNil)
+	c.Assert(err.Error(), checker.Contains, "invalid join token")
+	info = d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	workerToken := d1.JoinTokens(c).Worker
+
+	d2.SwarmJoin(c, swarm.JoinRequest{
+		ListenAddr:  d2.SwarmListenAddr(),
+		JoinToken:   workerToken,
+		RemoteAddrs: []string{d1.SwarmListenAddr()},
+	})
+	info = d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+	c.Assert(d2.SwarmLeave(false), checker.IsNil)
+	info = d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	// change tokens
+	d1.RotateTokens(c)
+
+	err = c2.SwarmJoin(context.Background(), swarm.JoinRequest{
+		ListenAddr:  d2.SwarmListenAddr(),
+		JoinToken:   workerToken,
+		RemoteAddrs: []string{d1.SwarmListenAddr()},
+	})
+	c.Assert(err, checker.NotNil)
+	c.Assert(err.Error(), checker.Contains, "join token is necessary")
+	info = d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	workerToken = d1.JoinTokens(c).Worker
+
+	d2.SwarmJoin(c, swarm.JoinRequest{JoinToken: workerToken, RemoteAddrs: []string{d1.SwarmListenAddr()}})
+	info = d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+	c.Assert(d2.SwarmLeave(false), checker.IsNil)
+	info = d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	// change spec, don't change tokens
+	d1.UpdateSwarm(c, func(s *swarm.Spec) {})
+
+	err = c2.SwarmJoin(context.Background(), swarm.JoinRequest{
+		ListenAddr:  d2.SwarmListenAddr(),
+		RemoteAddrs: []string{d1.SwarmListenAddr()},
+	})
+	c.Assert(err, checker.NotNil)
+	c.Assert(err.Error(), checker.Contains, "join token is necessary")
+	info = d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	d2.SwarmJoin(c, swarm.JoinRequest{JoinToken: workerToken, RemoteAddrs: []string{d1.SwarmListenAddr()}})
+	info = d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+	c.Assert(d2.SwarmLeave(false), checker.IsNil)
+	info = d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+}
+
+func (s *DockerSwarmSuite) TestUpdateSwarmAddExternalCA(c *check.C) {
+	d1 := s.AddDaemon(c, false, false)
+	d1.SwarmInit(c, swarm.InitRequest{})
+	d1.UpdateSwarm(c, func(s *swarm.Spec) {
+		s.CAConfig.ExternalCAs = []*swarm.ExternalCA{
+			{
+				Protocol: swarm.ExternalCAProtocolCFSSL,
+				URL:      "https://thishasnoca.org",
+			},
+			{
+				Protocol: swarm.ExternalCAProtocolCFSSL,
+				URL:      "https://thishasacacert.org",
+				CACert:   "cacert",
+			},
+		}
+	})
+	info := d1.SwarmInfo(c)
+	c.Assert(info.Cluster.Spec.CAConfig.ExternalCAs, checker.HasLen, 2)
+	c.Assert(info.Cluster.Spec.CAConfig.ExternalCAs[0].CACert, checker.Equals, "")
+	c.Assert(info.Cluster.Spec.CAConfig.ExternalCAs[1].CACert, checker.Equals, "cacert")
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmCAHash(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, false, false)
+	splitToken := strings.Split(d1.JoinTokens(c).Worker, "-")
+	splitToken[2] = "1kxftv4ofnc6mt30lmgipg6ngf9luhwqopfk1tz6bdmnkubg0e"
+	replacementToken := strings.Join(splitToken, "-")
+	c2 := d2.NewClientT(c)
+	err := c2.SwarmJoin(context.Background(), swarm.JoinRequest{
+		ListenAddr:  d2.SwarmListenAddr(),
+		JoinToken:   replacementToken,
+		RemoteAddrs: []string{d1.SwarmListenAddr()},
+	})
+	c.Assert(err, checker.NotNil)
+	c.Assert(err.Error(), checker.Contains, "remote CA does not match fingerprint")
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmPromoteDemote(c *check.C) {
+	d1 := s.AddDaemon(c, false, false)
+	d1.SwarmInit(c, swarm.InitRequest{})
+	d2 := s.AddDaemon(c, true, false)
+
+	info := d2.SwarmInfo(c)
+	c.Assert(info.ControlAvailable, checker.False)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+
+	d1.UpdateNode(c, d2.NodeID(), func(n *swarm.Node) {
+		n.Spec.Role = swarm.NodeRoleManager
+	})
+
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckControlAvailable, checker.True)
+
+	d1.UpdateNode(c, d2.NodeID(), func(n *swarm.Node) {
+		n.Spec.Role = swarm.NodeRoleWorker
+	})
+
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckControlAvailable, checker.False)
+
+	// Wait for the role to change to worker in the cert. This is partially
+	// done because it's something worth testing in its own right, and
+	// partially because changing the role from manager to worker and then
+	// back to manager quickly might cause the node to pause for awhile
+	// while waiting for the role to change to worker, and the test can
+	// time out during this interval.
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		certBytes, err := ioutil.ReadFile(filepath.Join(d2.Folder, "root", "swarm", "certificates", "swarm-node.crt"))
+		if err != nil {
+			return "", check.Commentf("error: %v", err)
+		}
+		certs, err := helpers.ParseCertificatesPEM(certBytes)
+		if err == nil && len(certs) > 0 && len(certs[0].Subject.OrganizationalUnit) > 0 {
+			return certs[0].Subject.OrganizationalUnit[0], nil
+		}
+		return "", check.Commentf("could not get organizational unit from certificate")
+	}, checker.Equals, "swarm-worker")
+
+	// Demoting last node should fail
+	node := d1.GetNode(c, d1.NodeID())
+	node.Spec.Role = swarm.NodeRoleWorker
+	url := fmt.Sprintf("/nodes/%s/update?version=%d", node.ID, node.Version.Index)
+	res, body, err := request.Post(url, request.Host(d1.Sock()), request.JSONBody(node.Spec))
+	c.Assert(err, checker.IsNil)
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest, check.Commentf("output: %q", string(b)))
+
+	// The warning specific to demoting the last manager is best-effort and
+	// won't appear until the Role field of the demoted manager has been
+	// updated.
+	// Yes, I know this looks silly, but checker.Matches is broken, since
+	// it anchors the regexp contrary to the documentation, and this makes
+	// it impossible to match something that includes a line break.
+	if !strings.Contains(string(b), "last manager of the swarm") {
+		c.Assert(string(b), checker.Contains, "this would result in a loss of quorum")
+	}
+	info = d1.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+	c.Assert(info.ControlAvailable, checker.True)
+
+	// Promote already demoted node
+	d1.UpdateNode(c, d2.NodeID(), func(n *swarm.Node) {
+		n.Spec.Role = swarm.NodeRoleManager
+	})
+
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckControlAvailable, checker.True)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmLeaderProxy(c *check.C) {
+	// add three managers, one of these is leader
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, true)
+	d3 := s.AddDaemon(c, true, true)
+
+	// start a service by hitting each of the 3 managers
+	d1.CreateService(c, simpleTestService, func(s *swarm.Service) {
+		s.Spec.Name = "test1"
+	})
+	d2.CreateService(c, simpleTestService, func(s *swarm.Service) {
+		s.Spec.Name = "test2"
+	})
+	d3.CreateService(c, simpleTestService, func(s *swarm.Service) {
+		s.Spec.Name = "test3"
+	})
+
+	// 3 services should be started now, because the requests were proxied to leader
+	// query each node and make sure it returns 3 services
+	for _, d := range []*daemon.Daemon{d1, d2, d3} {
+		services := d.ListServices(c)
+		c.Assert(services, checker.HasLen, 3)
+	}
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmLeaderElection(c *check.C) {
+	// Create 3 nodes
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, true)
+	d3 := s.AddDaemon(c, true, true)
+
+	// assert that the first node we made is the leader, and the other two are followers
+	c.Assert(d1.GetNode(c, d1.NodeID()).ManagerStatus.Leader, checker.True)
+	c.Assert(d1.GetNode(c, d2.NodeID()).ManagerStatus.Leader, checker.False)
+	c.Assert(d1.GetNode(c, d3.NodeID()).ManagerStatus.Leader, checker.False)
+
+	d1.Stop(c)
+
+	var (
+		leader    *daemon.Daemon   // keep track of leader
+		followers []*daemon.Daemon // keep track of followers
+	)
+	checkLeader := func(nodes ...*daemon.Daemon) checkF {
+		return func(c *check.C) (interface{}, check.CommentInterface) {
+			// clear these out before each run
+			leader = nil
+			followers = nil
+			for _, d := range nodes {
+				if d.GetNode(c, d.NodeID()).ManagerStatus.Leader {
+					leader = d
+				} else {
+					followers = append(followers, d)
+				}
+			}
+
+			if leader == nil {
+				return false, check.Commentf("no leader elected")
+			}
+
+			return true, check.Commentf("elected %v", leader.ID())
+		}
+	}
+
+	// wait for an election to occur
+	waitAndAssert(c, defaultReconciliationTimeout, checkLeader(d2, d3), checker.True)
+
+	// assert that we have a new leader
+	c.Assert(leader, checker.NotNil)
+
+	// Keep track of the current leader, since we want that to be chosen.
+	stableleader := leader
+
+	// add the d1, the initial leader, back
+	d1.Start(c)
+
+	// TODO(stevvooe): may need to wait for rejoin here
+
+	// wait for possible election
+	waitAndAssert(c, defaultReconciliationTimeout, checkLeader(d1, d2, d3), checker.True)
+	// pick out the leader and the followers again
+
+	// verify that we still only have 1 leader and 2 followers
+	c.Assert(leader, checker.NotNil)
+	c.Assert(followers, checker.HasLen, 2)
+	// and that after we added d1 back, the leader hasn't changed
+	c.Assert(leader.NodeID(), checker.Equals, stableleader.NodeID())
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmRaftQuorum(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, true)
+	d3 := s.AddDaemon(c, true, true)
+
+	d1.CreateService(c, simpleTestService)
+
+	d2.Stop(c)
+
+	// make sure there is a leader
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckLeader, checker.IsNil)
+
+	d1.CreateService(c, simpleTestService, func(s *swarm.Service) {
+		s.Spec.Name = "top1"
+	})
+
+	d3.Stop(c)
+
+	var service swarm.Service
+	simpleTestService(&service)
+	service.Spec.Name = "top2"
+	cli, err := d1.NewClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	// d1 will eventually step down from leader because there is no longer an active quorum, wait for that to happen
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		_, err = cli.ServiceCreate(context.Background(), service.Spec, types.ServiceCreateOptions{})
+		return err.Error(), nil
+	}, checker.Contains, "Make sure more than half of the managers are online.")
+
+	d2.Start(c)
+
+	// make sure there is a leader
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckLeader, checker.IsNil)
+
+	d1.CreateService(c, simpleTestService, func(s *swarm.Service) {
+		s.Spec.Name = "top3"
+	})
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmLeaveRemovesContainer(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	instances := 2
+	d.CreateService(c, simpleTestService, setInstances(instances))
+
+	id, err := d.Cmd("run", "-d", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	id = strings.TrimSpace(id)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, instances+1)
+
+	c.Assert(d.SwarmLeave(false), checker.NotNil)
+	c.Assert(d.SwarmLeave(true), checker.IsNil)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	id2, err := d.Cmd("ps", "-q")
+	c.Assert(err, checker.IsNil)
+	c.Assert(id, checker.HasPrefix, strings.TrimSpace(id2))
+}
+
+// #23629
+func (s *DockerSwarmSuite) TestAPISwarmLeaveOnPendingJoin(c *check.C) {
+	testRequires(c, Network)
+	s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, false, false)
+
+	id, err := d2.Cmd("run", "-d", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	id = strings.TrimSpace(id)
+
+	c2 := d2.NewClientT(c)
+	err = c2.SwarmJoin(context.Background(), swarm.JoinRequest{
+		ListenAddr:  d2.SwarmListenAddr(),
+		RemoteAddrs: []string{"123.123.123.123:1234"},
+	})
+	c.Assert(err, check.NotNil)
+	c.Assert(err.Error(), checker.Contains, "Timeout was reached")
+
+	info := d2.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStatePending)
+
+	c.Assert(d2.SwarmLeave(true), checker.IsNil)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckActiveContainerCount, checker.Equals, 1)
+
+	id2, err := d2.Cmd("ps", "-q")
+	c.Assert(err, checker.IsNil)
+	c.Assert(id, checker.HasPrefix, strings.TrimSpace(id2))
+}
+
+// #23705
+func (s *DockerSwarmSuite) TestAPISwarmRestoreOnPendingJoin(c *check.C) {
+	testRequires(c, Network)
+	d := s.AddDaemon(c, false, false)
+	client := d.NewClientT(c)
+	err := client.SwarmJoin(context.Background(), swarm.JoinRequest{
+		ListenAddr:  d.SwarmListenAddr(),
+		RemoteAddrs: []string{"123.123.123.123:1234"},
+	})
+	c.Assert(err, check.NotNil)
+	c.Assert(err.Error(), checker.Contains, "Timeout was reached")
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckLocalNodeState, checker.Equals, swarm.LocalNodeStatePending)
+
+	d.Stop(c)
+	d.Start(c)
+
+	info := d.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmManagerRestore(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+
+	instances := 2
+	id := d1.CreateService(c, simpleTestService, setInstances(instances))
+
+	d1.GetService(c, id)
+	d1.Stop(c)
+	d1.Start(c)
+	d1.GetService(c, id)
+
+	d2 := s.AddDaemon(c, true, true)
+	d2.GetService(c, id)
+	d2.Stop(c)
+	d2.Start(c)
+	d2.GetService(c, id)
+
+	d3 := s.AddDaemon(c, true, true)
+	d3.GetService(c, id)
+	d3.Stop(c)
+	d3.Start(c)
+	d3.GetService(c, id)
+
+	d3.Kill()
+	time.Sleep(1 * time.Second) // time to handle signal
+	d3.Start(c)
+	d3.GetService(c, id)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmScaleNoRollingUpdate(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	instances := 2
+	id := d.CreateService(c, simpleTestService, setInstances(instances))
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, instances)
+	containers := d.ActiveContainers(c)
+	instances = 4
+	d.UpdateService(c, d.GetService(c, id), setInstances(instances))
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, instances)
+	containers2 := d.ActiveContainers(c)
+
+loop0:
+	for _, c1 := range containers {
+		for _, c2 := range containers2 {
+			if c1 == c2 {
+				continue loop0
+			}
+		}
+		c.Errorf("container %v not found in new set %#v", c1, containers2)
+	}
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmInvalidAddress(c *check.C) {
+	d := s.AddDaemon(c, false, false)
+	req := swarm.InitRequest{
+		ListenAddr: "",
+	}
+	res, _, err := request.Post("/swarm/init", request.Host(d.Sock()), request.JSONBody(req))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+
+	req2 := swarm.JoinRequest{
+		ListenAddr:  "0.0.0.0:2377",
+		RemoteAddrs: []string{""},
+	}
+	res, _, err = request.Post("/swarm/join", request.Host(d.Sock()), request.JSONBody(req2))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmForceNewCluster(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, true)
+
+	instances := 2
+	id := d1.CreateService(c, simpleTestService, setInstances(instances))
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d2.CheckActiveContainerCount), checker.Equals, instances)
+
+	// drain d2, all containers should move to d1
+	d1.UpdateNode(c, d2.NodeID(), func(n *swarm.Node) {
+		n.Spec.Availability = swarm.NodeAvailabilityDrain
+	})
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckActiveContainerCount, checker.Equals, instances)
+	waitAndAssert(c, defaultReconciliationTimeout, d2.CheckActiveContainerCount, checker.Equals, 0)
+
+	d2.Stop(c)
+
+	d1.SwarmInit(c, swarm.InitRequest{
+		ForceNewCluster: true,
+		Spec:            swarm.Spec{},
+	})
+
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckActiveContainerCount, checker.Equals, instances)
+
+	d3 := s.AddDaemon(c, true, true)
+	info := d3.SwarmInfo(c)
+	c.Assert(info.ControlAvailable, checker.True)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+
+	instances = 4
+	d3.UpdateService(c, d3.GetService(c, id), setInstances(instances))
+
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d3.CheckActiveContainerCount), checker.Equals, instances)
+}
+
+func simpleTestService(s *swarm.Service) {
+	ureplicas := uint64(1)
+	restartDelay := time.Duration(100 * time.Millisecond)
+
+	s.Spec = swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Image:   "busybox:latest",
+				Command: []string{"/bin/top"},
+			},
+			RestartPolicy: &swarm.RestartPolicy{
+				Delay: &restartDelay,
+			},
+		},
+		Mode: swarm.ServiceMode{
+			Replicated: &swarm.ReplicatedService{
+				Replicas: &ureplicas,
+			},
+		},
+	}
+	s.Spec.Name = "top"
+}
+
+func serviceForUpdate(s *swarm.Service) {
+	ureplicas := uint64(1)
+	restartDelay := time.Duration(100 * time.Millisecond)
+
+	s.Spec = swarm.ServiceSpec{
+		TaskTemplate: swarm.TaskSpec{
+			ContainerSpec: &swarm.ContainerSpec{
+				Image:   "busybox:latest",
+				Command: []string{"/bin/top"},
+			},
+			RestartPolicy: &swarm.RestartPolicy{
+				Delay: &restartDelay,
+			},
+		},
+		Mode: swarm.ServiceMode{
+			Replicated: &swarm.ReplicatedService{
+				Replicas: &ureplicas,
+			},
+		},
+		UpdateConfig: &swarm.UpdateConfig{
+			Parallelism:   2,
+			Delay:         4 * time.Second,
+			FailureAction: swarm.UpdateFailureActionContinue,
+		},
+		RollbackConfig: &swarm.UpdateConfig{
+			Parallelism:   3,
+			Delay:         4 * time.Second,
+			FailureAction: swarm.UpdateFailureActionContinue,
+		},
+	}
+	s.Spec.Name = "updatetest"
+}
+
+func setInstances(replicas int) testdaemon.ServiceConstructor {
+	ureplicas := uint64(replicas)
+	return func(s *swarm.Service) {
+		s.Spec.Mode = swarm.ServiceMode{
+			Replicated: &swarm.ReplicatedService{
+				Replicas: &ureplicas,
+			},
+		}
+	}
+}
+
+func setUpdateOrder(order string) testdaemon.ServiceConstructor {
+	return func(s *swarm.Service) {
+		if s.Spec.UpdateConfig == nil {
+			s.Spec.UpdateConfig = &swarm.UpdateConfig{}
+		}
+		s.Spec.UpdateConfig.Order = order
+	}
+}
+
+func setRollbackOrder(order string) testdaemon.ServiceConstructor {
+	return func(s *swarm.Service) {
+		if s.Spec.RollbackConfig == nil {
+			s.Spec.RollbackConfig = &swarm.UpdateConfig{}
+		}
+		s.Spec.RollbackConfig.Order = order
+	}
+}
+
+func setImage(image string) testdaemon.ServiceConstructor {
+	return func(s *swarm.Service) {
+		if s.Spec.TaskTemplate.ContainerSpec == nil {
+			s.Spec.TaskTemplate.ContainerSpec = &swarm.ContainerSpec{}
+		}
+		s.Spec.TaskTemplate.ContainerSpec.Image = image
+	}
+}
+
+func setFailureAction(failureAction string) testdaemon.ServiceConstructor {
+	return func(s *swarm.Service) {
+		s.Spec.UpdateConfig.FailureAction = failureAction
+	}
+}
+
+func setMaxFailureRatio(maxFailureRatio float32) testdaemon.ServiceConstructor {
+	return func(s *swarm.Service) {
+		s.Spec.UpdateConfig.MaxFailureRatio = maxFailureRatio
+	}
+}
+
+func setParallelism(parallelism uint64) testdaemon.ServiceConstructor {
+	return func(s *swarm.Service) {
+		s.Spec.UpdateConfig.Parallelism = parallelism
+	}
+}
+
+func setConstraints(constraints []string) testdaemon.ServiceConstructor {
+	return func(s *swarm.Service) {
+		if s.Spec.TaskTemplate.Placement == nil {
+			s.Spec.TaskTemplate.Placement = &swarm.Placement{}
+		}
+		s.Spec.TaskTemplate.Placement.Constraints = constraints
+	}
+}
+
+func setPlacementPrefs(prefs []swarm.PlacementPreference) testdaemon.ServiceConstructor {
+	return func(s *swarm.Service) {
+		if s.Spec.TaskTemplate.Placement == nil {
+			s.Spec.TaskTemplate.Placement = &swarm.Placement{}
+		}
+		s.Spec.TaskTemplate.Placement.Preferences = prefs
+	}
+}
+
+func setGlobalMode(s *swarm.Service) {
+	s.Spec.Mode = swarm.ServiceMode{
+		Global: &swarm.GlobalService{},
+	}
+}
+
+func checkClusterHealth(c *check.C, cl []*daemon.Daemon, managerCount, workerCount int) {
+	var totalMCount, totalWCount int
+
+	for _, d := range cl {
+		var (
+			info swarm.Info
+		)
+
+		// check info in a waitAndAssert, because if the cluster doesn't have a leader, `info` will return an error
+		checkInfo := func(c *check.C) (interface{}, check.CommentInterface) {
+			client := d.NewClientT(c)
+			daemonInfo, err := client.Info(context.Background())
+			info = daemonInfo.Swarm
+			return err, check.Commentf("cluster not ready in time")
+		}
+		waitAndAssert(c, defaultReconciliationTimeout, checkInfo, checker.IsNil)
+		if !info.ControlAvailable {
+			totalWCount++
+			continue
+		}
+
+		var leaderFound bool
+		totalMCount++
+		var mCount, wCount int
+
+		for _, n := range d.ListNodes(c) {
+			waitReady := func(c *check.C) (interface{}, check.CommentInterface) {
+				if n.Status.State == swarm.NodeStateReady {
+					return true, nil
+				}
+				nn := d.GetNode(c, n.ID)
+				n = *nn
+				return n.Status.State == swarm.NodeStateReady, check.Commentf("state of node %s, reported by %s", n.ID, d.NodeID())
+			}
+			waitAndAssert(c, defaultReconciliationTimeout, waitReady, checker.True)
+
+			waitActive := func(c *check.C) (interface{}, check.CommentInterface) {
+				if n.Spec.Availability == swarm.NodeAvailabilityActive {
+					return true, nil
+				}
+				nn := d.GetNode(c, n.ID)
+				n = *nn
+				return n.Spec.Availability == swarm.NodeAvailabilityActive, check.Commentf("availability of node %s, reported by %s", n.ID, d.NodeID())
+			}
+			waitAndAssert(c, defaultReconciliationTimeout, waitActive, checker.True)
+
+			if n.Spec.Role == swarm.NodeRoleManager {
+				c.Assert(n.ManagerStatus, checker.NotNil, check.Commentf("manager status of node %s (manager), reported by %s", n.ID, d.NodeID()))
+				if n.ManagerStatus.Leader {
+					leaderFound = true
+				}
+				mCount++
+			} else {
+				c.Assert(n.ManagerStatus, checker.IsNil, check.Commentf("manager status of node %s (worker), reported by %s", n.ID, d.NodeID()))
+				wCount++
+			}
+		}
+		c.Assert(leaderFound, checker.True, check.Commentf("lack of leader reported by node %s", info.NodeID))
+		c.Assert(mCount, checker.Equals, managerCount, check.Commentf("managers count reported by node %s", info.NodeID))
+		c.Assert(wCount, checker.Equals, workerCount, check.Commentf("workers count reported by node %s", info.NodeID))
+	}
+	c.Assert(totalMCount, checker.Equals, managerCount)
+	c.Assert(totalWCount, checker.Equals, workerCount)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmRestartCluster(c *check.C) {
+	mCount, wCount := 5, 1
+
+	var nodes []*daemon.Daemon
+	for i := 0; i < mCount; i++ {
+		manager := s.AddDaemon(c, true, true)
+		info := manager.SwarmInfo(c)
+		c.Assert(info.ControlAvailable, checker.True)
+		c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+		nodes = append(nodes, manager)
+	}
+
+	for i := 0; i < wCount; i++ {
+		worker := s.AddDaemon(c, true, false)
+		info := worker.SwarmInfo(c)
+		c.Assert(info.ControlAvailable, checker.False)
+		c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+		nodes = append(nodes, worker)
+	}
+
+	// stop whole cluster
+	{
+		var wg sync.WaitGroup
+		wg.Add(len(nodes))
+		errs := make(chan error, len(nodes))
+
+		for _, d := range nodes {
+			go func(daemon *daemon.Daemon) {
+				defer wg.Done()
+				if err := daemon.StopWithError(); err != nil {
+					errs <- err
+				}
+			}(d)
+		}
+		wg.Wait()
+		close(errs)
+		for err := range errs {
+			c.Assert(err, check.IsNil)
+		}
+	}
+
+	// start whole cluster
+	{
+		var wg sync.WaitGroup
+		wg.Add(len(nodes))
+		errs := make(chan error, len(nodes))
+
+		for _, d := range nodes {
+			go func(daemon *daemon.Daemon) {
+				defer wg.Done()
+				if err := daemon.StartWithError("--iptables=false"); err != nil {
+					errs <- err
+				}
+			}(d)
+		}
+		wg.Wait()
+		close(errs)
+		for err := range errs {
+			c.Assert(err, check.IsNil)
+		}
+	}
+
+	checkClusterHealth(c, nodes, mCount, wCount)
+}
+
+func (s *DockerSwarmSuite) TestAPISwarmServicesUpdateWithName(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	instances := 2
+	id := d.CreateService(c, simpleTestService, setInstances(instances))
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, instances)
+
+	service := d.GetService(c, id)
+	instances = 5
+
+	setInstances(instances)(service)
+	cli, err := d.NewClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+	_, err = cli.ServiceUpdate(context.Background(), service.Spec.Name, service.Version, service.Spec, types.ServiceUpdateOptions{})
+	c.Assert(err, checker.IsNil)
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, instances)
+}
+
+// Unlocking an unlocked swarm results in an error
+func (s *DockerSwarmSuite) TestAPISwarmUnlockNotLocked(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	err := d.SwarmUnlock(swarm.UnlockRequest{UnlockKey: "wrong-key"})
+	c.Assert(err, checker.NotNil)
+	c.Assert(err.Error(), checker.Contains, "swarm is not locked")
+}
+
+// #29885
+func (s *DockerSwarmSuite) TestAPISwarmErrorHandling(c *check.C) {
+	ln, err := net.Listen("tcp", fmt.Sprintf(":%d", defaultSwarmPort))
+	c.Assert(err, checker.IsNil)
+	defer ln.Close()
+	d := s.AddDaemon(c, false, false)
+	client := d.NewClientT(c)
+	_, err = client.SwarmInit(context.Background(), swarm.InitRequest{
+		ListenAddr: d.SwarmListenAddr(),
+	})
+	c.Assert(err, checker.NotNil)
+	c.Assert(err.Error(), checker.Contains, "address already in use")
+}
+
+// Test case for 30242, where duplicate networks, with different drivers `bridge` and `overlay`,
+// caused both scopes to be `swarm` for `docker network inspect` and `docker network ls`.
+// This test makes sure the fixes correctly output scopes instead.
+func (s *DockerSwarmSuite) TestAPIDuplicateNetworks(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	cli, err := d.NewClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	name := "foo"
+	networkCreate := types.NetworkCreate{
+		CheckDuplicate: false,
+	}
+
+	networkCreate.Driver = "bridge"
+
+	n1, err := cli.NetworkCreate(context.Background(), name, networkCreate)
+	c.Assert(err, checker.IsNil)
+
+	networkCreate.Driver = "overlay"
+
+	n2, err := cli.NetworkCreate(context.Background(), name, networkCreate)
+	c.Assert(err, checker.IsNil)
+
+	r1, err := cli.NetworkInspect(context.Background(), n1.ID, types.NetworkInspectOptions{})
+	c.Assert(err, checker.IsNil)
+	c.Assert(r1.Scope, checker.Equals, "local")
+
+	r2, err := cli.NetworkInspect(context.Background(), n2.ID, types.NetworkInspectOptions{})
+	c.Assert(err, checker.IsNil)
+	c.Assert(r2.Scope, checker.Equals, "swarm")
+}
+
+// Test case for 30178
+func (s *DockerSwarmSuite) TestAPISwarmHealthcheckNone(c *check.C) {
+	// Issue #36386 can be a independent one, which is worth further investigation.
+	c.Skip("Root cause of Issue #36386 is needed")
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("network", "create", "-d", "overlay", "lb")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	instances := 1
+	d.CreateService(c, simpleTestService, setInstances(instances), func(s *swarm.Service) {
+		if s.Spec.TaskTemplate.ContainerSpec == nil {
+			s.Spec.TaskTemplate.ContainerSpec = &swarm.ContainerSpec{}
+		}
+		s.Spec.TaskTemplate.ContainerSpec.Healthcheck = &container.HealthConfig{}
+		s.Spec.TaskTemplate.Networks = []swarm.NetworkAttachmentConfig{
+			{Target: "lb"},
+		}
+	})
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, instances)
+
+	containers := d.ActiveContainers(c)
+
+	out, err = d.Cmd("exec", containers[0], "ping", "-c1", "-W3", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+}
+
+func (s *DockerSwarmSuite) TestSwarmRepeatedRootRotation(c *check.C) {
+	m := s.AddDaemon(c, true, true)
+	w := s.AddDaemon(c, true, false)
+
+	info := m.SwarmInfo(c)
+
+	currentTrustRoot := info.Cluster.TLSInfo.TrustRoot
+
+	// rotate multiple times
+	for i := 0; i < 4; i++ {
+		var err error
+		var cert, key []byte
+		if i%2 != 0 {
+			cert, _, key, err = initca.New(&csr.CertificateRequest{
+				CN:         "newRoot",
+				KeyRequest: csr.NewBasicKeyRequest(),
+				CA:         &csr.CAConfig{Expiry: ca.RootCAExpiration},
+			})
+			c.Assert(err, checker.IsNil)
+		}
+		expectedCert := string(cert)
+		m.UpdateSwarm(c, func(s *swarm.Spec) {
+			s.CAConfig.SigningCACert = expectedCert
+			s.CAConfig.SigningCAKey = string(key)
+			s.CAConfig.ForceRotate++
+		})
+
+		// poll to make sure update succeeds
+		var clusterTLSInfo swarm.TLSInfo
+		for j := 0; j < 18; j++ {
+			info := m.SwarmInfo(c)
+
+			// the desired CA cert and key is always redacted
+			c.Assert(info.Cluster.Spec.CAConfig.SigningCAKey, checker.Equals, "")
+			c.Assert(info.Cluster.Spec.CAConfig.SigningCACert, checker.Equals, "")
+
+			clusterTLSInfo = info.Cluster.TLSInfo
+
+			// if root rotation is done and the trust root has changed, we don't have to poll anymore
+			if !info.Cluster.RootRotationInProgress && clusterTLSInfo.TrustRoot != currentTrustRoot {
+				break
+			}
+
+			// root rotation not done
+			time.Sleep(250 * time.Millisecond)
+		}
+		if cert != nil {
+			c.Assert(clusterTLSInfo.TrustRoot, checker.Equals, expectedCert)
+		}
+		// could take another second or two for the nodes to trust the new roots after they've all gotten
+		// new TLS certificates
+		for j := 0; j < 18; j++ {
+			mInfo := m.GetNode(c, m.NodeID()).Description.TLSInfo
+			wInfo := m.GetNode(c, w.NodeID()).Description.TLSInfo
+
+			if mInfo.TrustRoot == clusterTLSInfo.TrustRoot && wInfo.TrustRoot == clusterTLSInfo.TrustRoot {
+				break
+			}
+
+			// nodes don't trust root certs yet
+			time.Sleep(250 * time.Millisecond)
+		}
+
+		c.Assert(m.GetNode(c, m.NodeID()).Description.TLSInfo, checker.DeepEquals, clusterTLSInfo)
+		c.Assert(m.GetNode(c, w.NodeID()).Description.TLSInfo, checker.DeepEquals, clusterTLSInfo)
+		currentTrustRoot = clusterTLSInfo.TrustRoot
+	}
+}
+
+func (s *DockerSwarmSuite) TestAPINetworkInspectWithScope(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "test-scoped-network"
+	ctx := context.Background()
+	apiclient, err := d.NewClient()
+	assert.NilError(c, err)
+
+	resp, err := apiclient.NetworkCreate(ctx, name, types.NetworkCreate{Driver: "overlay"})
+	assert.NilError(c, err)
+
+	network, err := apiclient.NetworkInspect(ctx, name, types.NetworkInspectOptions{})
+	assert.NilError(c, err)
+	assert.Check(c, is.Equal("swarm", network.Scope))
+	assert.Check(c, is.Equal(resp.ID, network.ID))
+
+	_, err = apiclient.NetworkInspect(ctx, name, types.NetworkInspectOptions{Scope: "local"})
+	assert.Check(c, client.IsErrNotFound(err))
+}
diff --git a/engine/integration-cli/docker_api_test.go b/engine/integration-cli/docker_api_test.go
new file mode 100644
index 00000000..5b7e3e97
--- /dev/null
+++ b/engine/integration-cli/docker_api_test.go
@@ -0,0 +1,110 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestAPIOptionsRoute(c *check.C) {
+	resp, _, err := request.Do("/", request.Method(http.MethodOptions))
+	c.Assert(err, checker.IsNil)
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusOK)
+}
+
+func (s *DockerSuite) TestAPIGetEnabledCORS(c *check.C) {
+	res, body, err := request.Get("/version")
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusOK)
+	body.Close()
+	// TODO: @runcom incomplete tests, why old integration tests had this headers
+	// and here none of the headers below are in the response?
+	//c.Log(res.Header)
+	//c.Assert(res.Header.Get("Access-Control-Allow-Origin"), check.Equals, "*")
+	//c.Assert(res.Header.Get("Access-Control-Allow-Headers"), check.Equals, "Origin, X-Requested-With, Content-Type, Accept, X-Registry-Auth")
+}
+
+func (s *DockerSuite) TestAPIClientVersionOldNotSupported(c *check.C) {
+	if testEnv.OSType != runtime.GOOS {
+		c.Skip("Daemon platform doesn't match test platform")
+	}
+	if api.MinVersion == api.DefaultVersion {
+		c.Skip("API MinVersion==DefaultVersion")
+	}
+	v := strings.Split(api.MinVersion, ".")
+	vMinInt, err := strconv.Atoi(v[1])
+	c.Assert(err, checker.IsNil)
+	vMinInt--
+	v[1] = strconv.Itoa(vMinInt)
+	version := strings.Join(v, ".")
+
+	resp, body, err := request.Get("/v" + version + "/version")
+	c.Assert(err, checker.IsNil)
+	defer body.Close()
+	c.Assert(resp.StatusCode, checker.Equals, http.StatusBadRequest)
+	expected := fmt.Sprintf("client version %s is too old. Minimum supported API version is %s, please upgrade your client to a newer version", version, api.MinVersion)
+	content, err := ioutil.ReadAll(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(string(content)), checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestAPIErrorJSON(c *check.C) {
+	httpResp, body, err := request.Post("/containers/create", request.JSONBody(struct{}{}))
+	c.Assert(err, checker.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(httpResp.StatusCode, checker.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(httpResp.StatusCode, checker.Equals, http.StatusBadRequest)
+	}
+	c.Assert(httpResp.Header.Get("Content-Type"), checker.Equals, "application/json")
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(getErrorMessage(c, b), checker.Equals, "Config cannot be empty in order to create a container")
+}
+
+func (s *DockerSuite) TestAPIErrorPlainText(c *check.C) {
+	// Windows requires API 1.25 or later. This test is validating a behaviour which was present
+	// in v1.23, but changed in 1.24, hence not applicable on Windows. See apiVersionSupportsJSONErrors
+	testRequires(c, DaemonIsLinux)
+	httpResp, body, err := request.Post("/v1.23/containers/create", request.JSONBody(struct{}{}))
+	c.Assert(err, checker.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(httpResp.StatusCode, checker.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(httpResp.StatusCode, checker.Equals, http.StatusBadRequest)
+	}
+	c.Assert(httpResp.Header.Get("Content-Type"), checker.Contains, "text/plain")
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(string(b)), checker.Equals, "Config cannot be empty in order to create a container")
+}
+
+func (s *DockerSuite) TestAPIErrorNotFoundJSON(c *check.C) {
+	// 404 is a different code path to normal errors, so test separately
+	httpResp, body, err := request.Get("/notfound", request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(httpResp.StatusCode, checker.Equals, http.StatusNotFound)
+	c.Assert(httpResp.Header.Get("Content-Type"), checker.Equals, "application/json")
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(getErrorMessage(c, b), checker.Equals, "page not found")
+}
+
+func (s *DockerSuite) TestAPIErrorNotFoundPlainText(c *check.C) {
+	httpResp, body, err := request.Get("/v1.23/notfound", request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(httpResp.StatusCode, checker.Equals, http.StatusNotFound)
+	c.Assert(httpResp.Header.Get("Content-Type"), checker.Contains, "text/plain")
+	b, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(string(b)), checker.Equals, "page not found")
+}
diff --git a/engine/integration-cli/docker_cli_attach_test.go b/engine/integration-cli/docker_cli_attach_test.go
new file mode 100644
index 00000000..ef2c708b
--- /dev/null
+++ b/engine/integration-cli/docker_cli_attach_test.go
@@ -0,0 +1,179 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os/exec"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+const attachWait = 5 * time.Second
+
+func (s *DockerSuite) TestAttachMultipleAndRestart(c *check.C) {
+	endGroup := &sync.WaitGroup{}
+	startGroup := &sync.WaitGroup{}
+	endGroup.Add(3)
+	startGroup.Add(3)
+
+	cli.DockerCmd(c, "run", "--name", "attacher", "-d", "busybox", "/bin/sh", "-c", "while true; do sleep 1; echo hello; done")
+	cli.WaitRun(c, "attacher")
+
+	startDone := make(chan struct{})
+	endDone := make(chan struct{})
+
+	go func() {
+		endGroup.Wait()
+		close(endDone)
+	}()
+
+	go func() {
+		startGroup.Wait()
+		close(startDone)
+	}()
+
+	for i := 0; i < 3; i++ {
+		go func() {
+			cmd := exec.Command(dockerBinary, "attach", "attacher")
+
+			defer func() {
+				cmd.Wait()
+				endGroup.Done()
+			}()
+
+			out, err := cmd.StdoutPipe()
+			if err != nil {
+				c.Fatal(err)
+			}
+			defer out.Close()
+
+			if err := cmd.Start(); err != nil {
+				c.Fatal(err)
+			}
+
+			buf := make([]byte, 1024)
+
+			if _, err := out.Read(buf); err != nil && err != io.EOF {
+				c.Fatal(err)
+			}
+
+			startGroup.Done()
+
+			if !strings.Contains(string(buf), "hello") {
+				c.Fatalf("unexpected output %s expected hello\n", string(buf))
+			}
+		}()
+	}
+
+	select {
+	case <-startDone:
+	case <-time.After(attachWait):
+		c.Fatalf("Attaches did not initialize properly")
+	}
+
+	cli.DockerCmd(c, "kill", "attacher")
+
+	select {
+	case <-endDone:
+	case <-time.After(attachWait):
+		c.Fatalf("Attaches did not finish properly")
+	}
+}
+
+func (s *DockerSuite) TestAttachTTYWithoutStdin(c *check.C) {
+	// TODO @jhowardmsft. Figure out how to get this running again reliable on Windows.
+	// It works by accident at the moment. Sometimes. I've gone back to v1.13.0 and see the same.
+	// On Windows, docker run -d -ti busybox causes the container to exit immediately.
+	// Obviously a year back when I updated the test, that was not the case. However,
+	// with this, and the test racing with the tear-down which panic's, sometimes CI
+	// will just fail and `MISS` all the other tests. For now, disabling it. Will
+	// open an issue to track re-enabling this and root-causing the problem.
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "-ti", "busybox")
+
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), check.IsNil)
+
+	done := make(chan error)
+	go func() {
+		defer close(done)
+
+		cmd := exec.Command(dockerBinary, "attach", id)
+		if _, err := cmd.StdinPipe(); err != nil {
+			done <- err
+			return
+		}
+
+		expected := "the input device is not a TTY"
+		if runtime.GOOS == "windows" {
+			expected += ".  If you are using mintty, try prefixing the command with 'winpty'"
+		}
+		if out, _, err := runCommandWithOutput(cmd); err == nil {
+			done <- fmt.Errorf("attach should have failed")
+			return
+		} else if !strings.Contains(out, expected) {
+			done <- fmt.Errorf("attach failed with error %q: expected %q", out, expected)
+			return
+		}
+	}()
+
+	select {
+	case err := <-done:
+		c.Assert(err, check.IsNil)
+	case <-time.After(attachWait):
+		c.Fatal("attach is running but should have failed")
+	}
+}
+
+func (s *DockerSuite) TestAttachDisconnect(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-di", "busybox", "/bin/cat")
+	id := strings.TrimSpace(out)
+
+	cmd := exec.Command(dockerBinary, "attach", id)
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer stdin.Close()
+	stdout, err := cmd.StdoutPipe()
+	c.Assert(err, check.IsNil)
+	defer stdout.Close()
+	c.Assert(cmd.Start(), check.IsNil)
+	defer func() {
+		cmd.Process.Kill()
+		cmd.Wait()
+	}()
+
+	_, err = stdin.Write([]byte("hello\n"))
+	c.Assert(err, check.IsNil)
+	out, err = bufio.NewReader(stdout).ReadString('\n')
+	c.Assert(err, check.IsNil)
+	c.Assert(strings.TrimSpace(out), check.Equals, "hello")
+
+	c.Assert(stdin.Close(), check.IsNil)
+
+	// Expect container to still be running after stdin is closed
+	running := inspectField(c, id, "State.Running")
+	c.Assert(running, check.Equals, "true")
+}
+
+func (s *DockerSuite) TestAttachPausedContainer(c *check.C) {
+	testRequires(c, IsPausable)
+	runSleepingContainer(c, "-d", "--name=test")
+	dockerCmd(c, "pause", "test")
+
+	result := dockerCmdWithResult("attach", "test")
+	result.Assert(c, icmd.Expected{
+		Error:    "exit status 1",
+		ExitCode: 1,
+		Err:      "You cannot attach to a paused container, unpause it first",
+	})
+}
diff --git a/engine/integration-cli/docker_cli_attach_unix_test.go b/engine/integration-cli/docker_cli_attach_unix_test.go
new file mode 100644
index 00000000..9affb944
--- /dev/null
+++ b/engine/integration-cli/docker_cli_attach_unix_test.go
@@ -0,0 +1,229 @@
+// +build !windows
+
+package main
+
+import (
+	"bufio"
+	"io/ioutil"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/go-check/check"
+	"github.com/kr/pty"
+)
+
+// #9860 Make sure attach ends when container ends (with no errors)
+func (s *DockerSuite) TestAttachClosedOnContainerStop(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	out, _ := dockerCmd(c, "run", "-dti", "busybox", "/bin/sh", "-c", `trap 'exit 0' SIGTERM; while true; do sleep 1; done`)
+
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), check.IsNil)
+
+	pty, tty, err := pty.Open()
+	c.Assert(err, check.IsNil)
+
+	attachCmd := exec.Command(dockerBinary, "attach", id)
+	attachCmd.Stdin = tty
+	attachCmd.Stdout = tty
+	attachCmd.Stderr = tty
+	err = attachCmd.Start()
+	c.Assert(err, check.IsNil)
+
+	errChan := make(chan error)
+	go func() {
+		time.Sleep(300 * time.Millisecond)
+		defer close(errChan)
+		// Container is waiting for us to signal it to stop
+		dockerCmd(c, "stop", id)
+		// And wait for the attach command to end
+		errChan <- attachCmd.Wait()
+	}()
+
+	// Wait for the docker to end (should be done by the
+	// stop command in the go routine)
+	dockerCmd(c, "wait", id)
+
+	select {
+	case err := <-errChan:
+		tty.Close()
+		out, _ := ioutil.ReadAll(pty)
+		c.Assert(err, check.IsNil, check.Commentf("out: %v", string(out)))
+	case <-time.After(attachWait):
+		c.Fatal("timed out without attach returning")
+	}
+
+}
+
+func (s *DockerSuite) TestAttachAfterDetach(c *check.C) {
+	name := "detachtest"
+
+	cpty, tty, err := pty.Open()
+	c.Assert(err, checker.IsNil, check.Commentf("Could not open pty: %v", err))
+	cmd := exec.Command(dockerBinary, "run", "-ti", "--name", name, "busybox")
+	cmd.Stdin = tty
+	cmd.Stdout = tty
+	cmd.Stderr = tty
+
+	cmdExit := make(chan error)
+	go func() {
+		cmdExit <- cmd.Run()
+		close(cmdExit)
+	}()
+
+	c.Assert(waitRun(name), check.IsNil)
+
+	cpty.Write([]byte{16})
+	time.Sleep(100 * time.Millisecond)
+	cpty.Write([]byte{17})
+
+	select {
+	case <-cmdExit:
+	case <-time.After(5 * time.Second):
+		c.Fatal("timeout while detaching")
+	}
+
+	cpty, tty, err = pty.Open()
+	c.Assert(err, checker.IsNil, check.Commentf("Could not open pty: %v", err))
+
+	cmd = exec.Command(dockerBinary, "attach", name)
+	cmd.Stdin = tty
+	cmd.Stdout = tty
+	cmd.Stderr = tty
+
+	err = cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	bytes := make([]byte, 10)
+	var nBytes int
+	readErr := make(chan error, 1)
+
+	go func() {
+		time.Sleep(500 * time.Millisecond)
+		cpty.Write([]byte("\n"))
+		time.Sleep(500 * time.Millisecond)
+
+		nBytes, err = cpty.Read(bytes)
+		cpty.Close()
+		readErr <- err
+	}()
+
+	select {
+	case err := <-readErr:
+		c.Assert(err, check.IsNil)
+	case <-time.After(2 * time.Second):
+		c.Fatal("timeout waiting for attach read")
+	}
+
+	c.Assert(string(bytes[:nBytes]), checker.Contains, "/ #")
+}
+
+// TestAttachDetach checks that attach in tty mode can be detached using the long container ID
+func (s *DockerSuite) TestAttachDetach(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-itd", "busybox", "cat")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), check.IsNil)
+
+	cpty, tty, err := pty.Open()
+	c.Assert(err, check.IsNil)
+	defer cpty.Close()
+
+	cmd := exec.Command(dockerBinary, "attach", id)
+	cmd.Stdin = tty
+	stdout, err := cmd.StdoutPipe()
+	c.Assert(err, check.IsNil)
+	defer stdout.Close()
+	err = cmd.Start()
+	c.Assert(err, check.IsNil)
+	c.Assert(waitRun(id), check.IsNil)
+
+	_, err = cpty.Write([]byte("hello\n"))
+	c.Assert(err, check.IsNil)
+	out, err = bufio.NewReader(stdout).ReadString('\n')
+	c.Assert(err, check.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello", check.Commentf("expected 'hello', got %q", out))
+
+	// escape sequence
+	_, err = cpty.Write([]byte{16})
+	c.Assert(err, checker.IsNil)
+	time.Sleep(100 * time.Millisecond)
+	_, err = cpty.Write([]byte{17})
+	c.Assert(err, checker.IsNil)
+
+	ch := make(chan struct{})
+	go func() {
+		cmd.Wait()
+		ch <- struct{}{}
+	}()
+
+	running := inspectField(c, id, "State.Running")
+	c.Assert(running, checker.Equals, "true", check.Commentf("expected container to still be running"))
+
+	go func() {
+		dockerCmdWithResult("kill", id)
+	}()
+
+	select {
+	case <-ch:
+	case <-time.After(10 * time.Millisecond):
+		c.Fatal("timed out waiting for container to exit")
+	}
+
+}
+
+// TestAttachDetachTruncatedID checks that attach in tty mode can be detached
+func (s *DockerSuite) TestAttachDetachTruncatedID(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-itd", "busybox", "cat")
+	id := stringid.TruncateID(strings.TrimSpace(out))
+	c.Assert(waitRun(id), check.IsNil)
+
+	cpty, tty, err := pty.Open()
+	c.Assert(err, checker.IsNil)
+	defer cpty.Close()
+
+	cmd := exec.Command(dockerBinary, "attach", id)
+	cmd.Stdin = tty
+	stdout, err := cmd.StdoutPipe()
+	c.Assert(err, checker.IsNil)
+	defer stdout.Close()
+	err = cmd.Start()
+	c.Assert(err, checker.IsNil)
+
+	_, err = cpty.Write([]byte("hello\n"))
+	c.Assert(err, checker.IsNil)
+	out, err = bufio.NewReader(stdout).ReadString('\n')
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello", check.Commentf("expected 'hello', got %q", out))
+
+	// escape sequence
+	_, err = cpty.Write([]byte{16})
+	c.Assert(err, checker.IsNil)
+	time.Sleep(100 * time.Millisecond)
+	_, err = cpty.Write([]byte{17})
+	c.Assert(err, checker.IsNil)
+
+	ch := make(chan struct{})
+	go func() {
+		cmd.Wait()
+		ch <- struct{}{}
+	}()
+
+	running := inspectField(c, id, "State.Running")
+	c.Assert(running, checker.Equals, "true", check.Commentf("expected container to still be running"))
+
+	go func() {
+		dockerCmdWithResult("kill", id)
+	}()
+
+	select {
+	case <-ch:
+	case <-time.After(10 * time.Millisecond):
+		c.Fatal("timed out waiting for container to exit")
+	}
+
+}
diff --git a/engine/integration-cli/docker_cli_build_test.go b/engine/integration-cli/docker_cli_build_test.go
new file mode 100644
index 00000000..1e88b1ba
--- /dev/null
+++ b/engine/integration-cli/docker_cli_build_test.go
@@ -0,0 +1,6209 @@
+package main
+
+import (
+	"archive/tar"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+	"text/template"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/docker/internal/test/fakegit"
+	"github.com/docker/docker/internal/test/fakestorage"
+	"github.com/docker/docker/internal/testutil"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/go-check/check"
+	"github.com/moby/buildkit/frontend/dockerfile/command"
+	"github.com/opencontainers/go-digest"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestBuildJSONEmptyRun(c *check.C) {
+	cli.BuildCmd(c, "testbuildjsonemptyrun", build.WithDockerfile(`
+    FROM busybox
+    RUN []
+    `))
+}
+
+func (s *DockerSuite) TestBuildShCmdJSONEntrypoint(c *check.C) {
+	name := "testbuildshcmdjsonentrypoint"
+	expected := "/bin/sh -c echo test"
+	if testEnv.OSType == "windows" {
+		expected = "cmd /S /C echo test"
+	}
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+    FROM busybox
+    ENTRYPOINT ["echo"]
+    CMD echo test
+    `))
+	out, _ := dockerCmd(c, "run", "--rm", name)
+
+	if strings.TrimSpace(out) != expected {
+		c.Fatalf("CMD did not contain %q : %q", expected, out)
+	}
+}
+
+func (s *DockerSuite) TestBuildEnvironmentReplacementUser(c *check.C) {
+	// Windows does not support FROM scratch or the USER command
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildenvironmentreplacement"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+  FROM scratch
+  ENV user foo
+  USER ${user}
+  `))
+	res := inspectFieldJSON(c, name, "Config.User")
+
+	if res != `"foo"` {
+		c.Fatal("User foo from environment not in Config.User on image")
+	}
+}
+
+func (s *DockerSuite) TestBuildEnvironmentReplacementVolume(c *check.C) {
+	name := "testbuildenvironmentreplacement"
+
+	var volumePath string
+
+	if testEnv.OSType == "windows" {
+		volumePath = "c:/quux"
+	} else {
+		volumePath = "/quux"
+	}
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+  FROM `+minimalBaseImage()+`
+  ENV volume `+volumePath+`
+  VOLUME ${volume}
+  `))
+
+	var volumes map[string]interface{}
+	inspectFieldAndUnmarshall(c, name, "Config.Volumes", &volumes)
+	if _, ok := volumes[volumePath]; !ok {
+		c.Fatal("Volume " + volumePath + " from environment not in Config.Volumes on image")
+	}
+
+}
+
+func (s *DockerSuite) TestBuildEnvironmentReplacementExpose(c *check.C) {
+	// Windows does not support FROM scratch or the EXPOSE command
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildenvironmentreplacement"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+  FROM scratch
+  ENV port 80
+  EXPOSE ${port}
+  ENV ports "  99   100 "
+  EXPOSE ${ports}
+  `))
+
+	var exposedPorts map[string]interface{}
+	inspectFieldAndUnmarshall(c, name, "Config.ExposedPorts", &exposedPorts)
+	exp := []int{80, 99, 100}
+	for _, p := range exp {
+		tmp := fmt.Sprintf("%d/tcp", p)
+		if _, ok := exposedPorts[tmp]; !ok {
+			c.Fatalf("Exposed port %d from environment not in Config.ExposedPorts on image", p)
+		}
+	}
+
+}
+
+func (s *DockerSuite) TestBuildEnvironmentReplacementWorkdir(c *check.C) {
+	name := "testbuildenvironmentreplacement"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+  FROM busybox
+  ENV MYWORKDIR /work
+  RUN mkdir ${MYWORKDIR}
+  WORKDIR ${MYWORKDIR}
+  `))
+	res := inspectFieldJSON(c, name, "Config.WorkingDir")
+
+	expected := `"/work"`
+	if testEnv.OSType == "windows" {
+		expected = `"C:\\work"`
+	}
+	if res != expected {
+		c.Fatalf("Workdir /workdir from environment not in Config.WorkingDir on image: %s", res)
+	}
+}
+
+func (s *DockerSuite) TestBuildEnvironmentReplacementAddCopy(c *check.C) {
+	name := "testbuildenvironmentreplacement"
+
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `
+  FROM `+minimalBaseImage()+`
+  ENV baz foo
+  ENV quux bar
+  ENV dot .
+  ENV fee fff
+  ENV gee ggg
+
+  ADD ${baz} ${dot}
+  COPY ${quux} ${dot}
+  ADD ${zzz:-${fee}} ${dot}
+  COPY ${zzz:-${gee}} ${dot}
+  `),
+		build.WithFile("foo", "test1"),
+		build.WithFile("bar", "test2"),
+		build.WithFile("fff", "test3"),
+		build.WithFile("ggg", "test4"),
+	))
+}
+
+func (s *DockerSuite) TestBuildEnvironmentReplacementEnv(c *check.C) {
+	// ENV expansions work differently in Windows
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildenvironmentreplacement"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+  FROM busybox
+  ENV foo zzz
+  ENV bar ${foo}
+  ENV abc1='$foo'
+  ENV env1=$foo env2=${foo} env3="$foo" env4="${foo}"
+  RUN [ "$abc1" = '$foo' ] && (echo "$abc1" | grep -q foo)
+  ENV abc2="\$foo"
+  RUN [ "$abc2" = '$foo' ] && (echo "$abc2" | grep -q foo)
+  ENV abc3 '$foo'
+  RUN [ "$abc3" = '$foo' ] && (echo "$abc3" | grep -q foo)
+  ENV abc4 "\$foo"
+  RUN [ "$abc4" = '$foo' ] && (echo "$abc4" | grep -q foo)
+  ENV foo2="abc\def"
+  RUN [ "$foo2" = 'abc\def' ]
+  ENV foo3="abc\\def"
+  RUN [ "$foo3" = 'abc\def' ]
+  ENV foo4='abc\\def'
+  RUN [ "$foo4" = 'abc\\def' ]
+  ENV foo5='abc\def'
+  RUN [ "$foo5" = 'abc\def' ]
+  `))
+
+	var envResult []string
+	inspectFieldAndUnmarshall(c, name, "Config.Env", &envResult)
+	found := false
+	envCount := 0
+
+	for _, env := range envResult {
+		parts := strings.SplitN(env, "=", 2)
+		if parts[0] == "bar" {
+			found = true
+			if parts[1] != "zzz" {
+				c.Fatalf("Could not find replaced var for env `bar`: got %q instead of `zzz`", parts[1])
+			}
+		} else if strings.HasPrefix(parts[0], "env") {
+			envCount++
+			if parts[1] != "zzz" {
+				c.Fatalf("%s should be 'zzz' but instead its %q", parts[0], parts[1])
+			}
+		} else if strings.HasPrefix(parts[0], "env") {
+			envCount++
+			if parts[1] != "foo" {
+				c.Fatalf("%s should be 'foo' but instead its %q", parts[0], parts[1])
+			}
+		}
+	}
+
+	if !found {
+		c.Fatal("Never found the `bar` env variable")
+	}
+
+	if envCount != 4 {
+		c.Fatalf("Didn't find all env vars - only saw %d\n%s", envCount, envResult)
+	}
+
+}
+
+func (s *DockerSuite) TestBuildHandleEscapesInVolume(c *check.C) {
+	// The volume paths used in this test are invalid on Windows
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildhandleescapes"
+
+	testCases := []struct {
+		volumeValue string
+		expected    string
+	}{
+		{
+			volumeValue: "${FOO}",
+			expected:    "bar",
+		},
+		{
+			volumeValue: `\${FOO}`,
+			expected:    "${FOO}",
+		},
+		// this test in particular provides *7* backslashes and expects 6 to come back.
+		// Like above, the first escape is swallowed and the rest are treated as
+		// literals, this one is just less obvious because of all the character noise.
+		{
+			volumeValue: `\\\\\\\${FOO}`,
+			expected:    `\\\${FOO}`,
+		},
+	}
+
+	for _, tc := range testCases {
+		buildImageSuccessfully(c, name, build.WithDockerfile(fmt.Sprintf(`
+  FROM scratch
+  ENV FOO bar
+  VOLUME %s
+  `, tc.volumeValue)))
+
+		var result map[string]map[string]struct{}
+		inspectFieldAndUnmarshall(c, name, "Config.Volumes", &result)
+		if _, ok := result[tc.expected]; !ok {
+			c.Fatalf("Could not find volume %s set from env foo in volumes table, got %q", tc.expected, result)
+		}
+
+		// Remove the image for the next iteration
+		dockerCmd(c, "rmi", name)
+	}
+}
+
+func (s *DockerSuite) TestBuildOnBuildLowercase(c *check.C) {
+	name := "testbuildonbuildlowercase"
+	name2 := "testbuildonbuildlowercase2"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+  FROM busybox
+  onbuild run echo quux
+  `))
+
+	result := buildImage(name2, build.WithDockerfile(fmt.Sprintf(`
+  FROM %s
+  `, name)))
+	result.Assert(c, icmd.Success)
+
+	if !strings.Contains(result.Combined(), "quux") {
+		c.Fatalf("Did not receive the expected echo text, got %s", result.Combined())
+	}
+
+	if strings.Contains(result.Combined(), "ONBUILD ONBUILD") {
+		c.Fatalf("Got an ONBUILD ONBUILD error with no error: got %s", result.Combined())
+	}
+
+}
+
+func (s *DockerSuite) TestBuildEnvEscapes(c *check.C) {
+	// ENV expansions work differently in Windows
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildenvescapes"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+    FROM busybox
+    ENV TEST foo
+    CMD echo \$
+    `))
+
+	out, _ := dockerCmd(c, "run", "-t", name)
+	if strings.TrimSpace(out) != "$" {
+		c.Fatalf("Env TEST was not overwritten with bar when foo was supplied to dockerfile: was %q", strings.TrimSpace(out))
+	}
+
+}
+
+func (s *DockerSuite) TestBuildEnvOverwrite(c *check.C) {
+	// ENV expansions work differently in Windows
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildenvoverwrite"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+    FROM busybox
+    ENV TEST foo
+    CMD echo ${TEST}
+    `))
+
+	out, _ := dockerCmd(c, "run", "-e", "TEST=bar", "-t", name)
+	if strings.TrimSpace(out) != "bar" {
+		c.Fatalf("Env TEST was not overwritten with bar when foo was supplied to dockerfile: was %q", strings.TrimSpace(out))
+	}
+
+}
+
+// FIXME(vdemeester) why we disabled cache here ?
+func (s *DockerSuite) TestBuildOnBuildCmdEntrypointJSON(c *check.C) {
+	name1 := "onbuildcmd"
+	name2 := "onbuildgenerated"
+
+	cli.BuildCmd(c, name1, build.WithDockerfile(`
+FROM busybox
+ONBUILD CMD ["hello world"]
+ONBUILD ENTRYPOINT ["echo"]
+ONBUILD RUN ["true"]`))
+
+	cli.BuildCmd(c, name2, build.WithDockerfile(fmt.Sprintf(`FROM %s`, name1)))
+
+	result := cli.DockerCmd(c, "run", name2)
+	result.Assert(c, icmd.Expected{Out: "hello world"})
+}
+
+// FIXME(vdemeester) why we disabled cache here ?
+func (s *DockerSuite) TestBuildOnBuildEntrypointJSON(c *check.C) {
+	name1 := "onbuildcmd"
+	name2 := "onbuildgenerated"
+
+	buildImageSuccessfully(c, name1, build.WithDockerfile(`
+FROM busybox
+ONBUILD ENTRYPOINT ["echo"]`))
+
+	buildImageSuccessfully(c, name2, build.WithDockerfile(fmt.Sprintf("FROM %s\nCMD [\"hello world\"]\n", name1)))
+
+	out, _ := dockerCmd(c, "run", name2)
+	if !regexp.MustCompile(`(?m)^hello world`).MatchString(out) {
+		c.Fatal("got malformed output from onbuild", out)
+	}
+
+}
+
+func (s *DockerSuite) TestBuildCacheAdd(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows doesn't have httpserver image yet
+	name := "testbuildtwoimageswithadd"
+	server := fakestorage.New(c, "", fakecontext.WithFiles(map[string]string{
+		"robots.txt": "hello",
+		"index.html": "world",
+	}))
+	defer server.Close()
+
+	cli.BuildCmd(c, name, build.WithDockerfile(fmt.Sprintf(`FROM scratch
+		ADD %s/robots.txt /`, server.URL())))
+
+	result := cli.Docker(cli.Build(name), build.WithDockerfile(fmt.Sprintf(`FROM scratch
+		ADD %s/index.html /`, server.URL())))
+	result.Assert(c, icmd.Success)
+	if strings.Contains(result.Combined(), "Using cache") {
+		c.Fatal("2nd build used cache on ADD, it shouldn't")
+	}
+}
+
+func (s *DockerSuite) TestBuildLastModified(c *check.C) {
+	// Temporary fix for #30890. TODO @jhowardmsft figure out what
+	// has changed in the master busybox image.
+	testRequires(c, DaemonIsLinux)
+
+	name := "testbuildlastmodified"
+
+	server := fakestorage.New(c, "", fakecontext.WithFiles(map[string]string{
+		"file": "hello",
+	}))
+	defer server.Close()
+
+	var out, out2 string
+	args := []string{"run", name, "ls", "-l", "--full-time", "/file"}
+
+	dFmt := `FROM busybox
+ADD %s/file /`
+	dockerfile := fmt.Sprintf(dFmt, server.URL())
+
+	cli.BuildCmd(c, name, build.WithoutCache, build.WithDockerfile(dockerfile))
+	out = cli.DockerCmd(c, args...).Combined()
+
+	// Build it again and make sure the mtime of the file didn't change.
+	// Wait a few seconds to make sure the time changed enough to notice
+	time.Sleep(2 * time.Second)
+
+	cli.BuildCmd(c, name, build.WithoutCache, build.WithDockerfile(dockerfile))
+	out2 = cli.DockerCmd(c, args...).Combined()
+
+	if out != out2 {
+		c.Fatalf("MTime changed:\nOrigin:%s\nNew:%s", out, out2)
+	}
+
+	// Now 'touch' the file and make sure the timestamp DID change this time
+	// Create a new fakeStorage instead of just using Add() to help windows
+	server = fakestorage.New(c, "", fakecontext.WithFiles(map[string]string{
+		"file": "hello",
+	}))
+	defer server.Close()
+
+	dockerfile = fmt.Sprintf(dFmt, server.URL())
+	cli.BuildCmd(c, name, build.WithoutCache, build.WithDockerfile(dockerfile))
+	out2 = cli.DockerCmd(c, args...).Combined()
+
+	if out == out2 {
+		c.Fatalf("MTime didn't change:\nOrigin:%s\nNew:%s", out, out2)
+	}
+
+}
+
+// Regression for https://github.com/docker/docker/pull/27805
+// Makes sure that we don't use the cache if the contents of
+// a file in a subfolder of the context is modified and we re-build.
+func (s *DockerSuite) TestBuildModifyFileInFolder(c *check.C) {
+	name := "testbuildmodifyfileinfolder"
+
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(`FROM busybox
+RUN ["mkdir", "/test"]
+ADD folder/file /test/changetarget`))
+	defer ctx.Close()
+	if err := ctx.Add("folder/file", "first"); err != nil {
+		c.Fatal(err)
+	}
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+	if err := ctx.Add("folder/file", "second"); err != nil {
+		c.Fatal(err)
+	}
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name)
+	if id1 == id2 {
+		c.Fatal("cache was used even though file contents in folder was changed")
+	}
+}
+
+func (s *DockerSuite) TestBuildAddSingleFileToRoot(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testaddimg", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", fmt.Sprintf(`FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN touch /exists
+RUN chown dockerio.dockerio /exists
+ADD test_file /
+RUN [ $(ls -l /test_file | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /test_file | awk '{print $1}') = '%s' ]
+RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]`, expectedFileChmod)),
+		build.WithFile("test_file", "test1")))
+}
+
+// Issue #3960: "ADD src ." hangs
+func (s *DockerSuite) TestBuildAddSingleFileToWorkdir(c *check.C) {
+	name := "testaddsinglefiletoworkdir"
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(
+		`FROM busybox
+	       ADD test_file .`),
+		fakecontext.WithFiles(map[string]string{
+			"test_file": "test1",
+		}))
+	defer ctx.Close()
+
+	errChan := make(chan error)
+	go func() {
+		errChan <- buildImage(name, build.WithExternalBuildContext(ctx)).Error
+		close(errChan)
+	}()
+	select {
+	case <-time.After(15 * time.Second):
+		c.Fatal("Build with adding to workdir timed out")
+	case err := <-errChan:
+		c.Assert(err, check.IsNil)
+	}
+}
+
+func (s *DockerSuite) TestBuildAddSingleFileToExistDir(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	cli.BuildCmd(c, "testaddsinglefiletoexistdir", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN mkdir /exists
+RUN touch /exists/exists_file
+RUN chown -R dockerio.dockerio /exists
+ADD test_file /exists/
+RUN [ $(ls -l / | grep exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]
+RUN [ $(ls -l /exists/test_file | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists/exists_file | awk '{print $3":"$4}') = 'dockerio:dockerio' ]`),
+		build.WithFile("test_file", "test1")))
+}
+
+func (s *DockerSuite) TestBuildCopyAddMultipleFiles(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	server := fakestorage.New(c, "", fakecontext.WithFiles(map[string]string{
+		"robots.txt": "hello",
+	}))
+	defer server.Close()
+
+	cli.BuildCmd(c, "testcopymultiplefilestofile", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", fmt.Sprintf(`FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN mkdir /exists
+RUN touch /exists/exists_file
+RUN chown -R dockerio.dockerio /exists
+COPY test_file1 test_file2 /exists/
+ADD test_file3 test_file4 %s/robots.txt /exists/
+RUN [ $(ls -l / | grep exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]
+RUN [ $(ls -l /exists/test_file1 | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists/test_file2 | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists/test_file3 | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists/test_file4 | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists/robots.txt | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists/exists_file | awk '{print $3":"$4}') = 'dockerio:dockerio' ]
+`, server.URL())),
+		build.WithFile("test_file1", "test1"),
+		build.WithFile("test_file2", "test2"),
+		build.WithFile("test_file3", "test3"),
+		build.WithFile("test_file3", "test3"),
+		build.WithFile("test_file4", "test4")))
+}
+
+// These tests are mainly for user namespaces to verify that new directories
+// are created as the remapped root uid/gid pair
+func (s *DockerSuite) TestBuildUsernamespaceValidateRemappedRoot(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testCases := []string{
+		"ADD . /new_dir",
+		"COPY test_dir /new_dir",
+		"WORKDIR /new_dir",
+	}
+	name := "testbuildusernamespacevalidateremappedroot"
+	for _, tc := range testCases {
+		cli.BuildCmd(c, name, build.WithBuildContext(c,
+			build.WithFile("Dockerfile", fmt.Sprintf(`FROM busybox
+%s
+RUN [ $(ls -l / | grep new_dir | awk '{print $3":"$4}') = 'root:root' ]`, tc)),
+			build.WithFile("test_dir/test_file", "test file")))
+
+		cli.DockerCmd(c, "rmi", name)
+	}
+}
+
+func (s *DockerSuite) TestBuildAddAndCopyFileWithWhitespace(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Not currently passing on Windows
+	name := "testaddfilewithwhitespace"
+
+	for _, command := range []string{"ADD", "COPY"} {
+		cli.BuildCmd(c, name, build.WithBuildContext(c,
+			build.WithFile("Dockerfile", fmt.Sprintf(`FROM busybox
+RUN mkdir "/test dir"
+RUN mkdir "/test_dir"
+%s [ "test file1", "/test_file1" ]
+%s [ "test_file2", "/test file2" ]
+%s [ "test file3", "/test file3" ]
+%s [ "test dir/test_file4", "/test_dir/test_file4" ]
+%s [ "test_dir/test_file5", "/test dir/test_file5" ]
+%s [ "test dir/test_file6", "/test dir/test_file6" ]
+RUN [ $(cat "/test_file1") = 'test1' ]
+RUN [ $(cat "/test file2") = 'test2' ]
+RUN [ $(cat "/test file3") = 'test3' ]
+RUN [ $(cat "/test_dir/test_file4") = 'test4' ]
+RUN [ $(cat "/test dir/test_file5") = 'test5' ]
+RUN [ $(cat "/test dir/test_file6") = 'test6' ]`, command, command, command, command, command, command)),
+			build.WithFile("test file1", "test1"),
+			build.WithFile("test_file2", "test2"),
+			build.WithFile("test file3", "test3"),
+			build.WithFile("test dir/test_file4", "test4"),
+			build.WithFile("test_dir/test_file5", "test5"),
+			build.WithFile("test dir/test_file6", "test6"),
+		))
+
+		cli.DockerCmd(c, "rmi", name)
+	}
+}
+
+func (s *DockerSuite) TestBuildCopyFileWithWhitespaceOnWindows(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	dockerfile := `FROM ` + testEnv.PlatformDefaults.BaseImage + `
+RUN mkdir "C:/test dir"
+RUN mkdir "C:/test_dir"
+COPY [ "test file1", "/test_file1" ]
+COPY [ "test_file2", "/test file2" ]
+COPY [ "test file3", "/test file3" ]
+COPY [ "test dir/test_file4", "/test_dir/test_file4" ]
+COPY [ "test_dir/test_file5", "/test dir/test_file5" ]
+COPY [ "test dir/test_file6", "/test dir/test_file6" ]
+RUN find "test1" "C:/test_file1"
+RUN find "test2" "C:/test file2"
+RUN find "test3" "C:/test file3"
+RUN find "test4" "C:/test_dir/test_file4"
+RUN find "test5" "C:/test dir/test_file5"
+RUN find "test6" "C:/test dir/test_file6"`
+
+	name := "testcopyfilewithwhitespace"
+	cli.BuildCmd(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile("test file1", "test1"),
+		build.WithFile("test_file2", "test2"),
+		build.WithFile("test file3", "test3"),
+		build.WithFile("test dir/test_file4", "test4"),
+		build.WithFile("test_dir/test_file5", "test5"),
+		build.WithFile("test dir/test_file6", "test6"),
+	))
+}
+
+func (s *DockerSuite) TestBuildCopyWildcard(c *check.C) {
+	name := "testcopywildcard"
+	server := fakestorage.New(c, "", fakecontext.WithFiles(map[string]string{
+		"robots.txt": "hello",
+		"index.html": "world",
+	}))
+	defer server.Close()
+
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(fmt.Sprintf(`FROM busybox
+	COPY file*.txt /tmp/
+	RUN ls /tmp/file1.txt /tmp/file2.txt
+	RUN [ "mkdir",  "/tmp1" ]
+	COPY dir* /tmp1/
+	RUN ls /tmp1/dirt /tmp1/nested_file /tmp1/nested_dir/nest_nest_file
+	RUN [ "mkdir",  "/tmp2" ]
+        ADD dir/*dir %s/robots.txt /tmp2/
+	RUN ls /tmp2/nest_nest_file /tmp2/robots.txt
+	`, server.URL())),
+		fakecontext.WithFiles(map[string]string{
+			"file1.txt":                     "test1",
+			"file2.txt":                     "test2",
+			"dir/nested_file":               "nested file",
+			"dir/nested_dir/nest_nest_file": "2 times nested",
+			"dirt": "dirty",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+
+	// Now make sure we use a cache the 2nd time
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name)
+
+	if id1 != id2 {
+		c.Fatal("didn't use the cache")
+	}
+
+}
+
+func (s *DockerSuite) TestBuildCopyWildcardInName(c *check.C) {
+	// Run this only on Linux
+	// Below is the original comment (that I don't agree with — vdemeester)
+	// Normally we would do c.Fatal(err) here but given that
+	// the odds of this failing are so rare, it must be because
+	// the OS we're running the client on doesn't support * in
+	// filenames (like windows).  So, instead of failing the test
+	// just let it pass. Then we don't need to explicitly
+	// say which OSs this works on or not.
+	testRequires(c, DaemonIsLinux, UnixCli)
+
+	buildImageSuccessfully(c, "testcopywildcardinname", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+	COPY *.txt /tmp/
+	RUN [ "$(cat /tmp/\*.txt)" = 'hi there' ]
+	`),
+		build.WithFile("*.txt", "hi there"),
+	))
+}
+
+func (s *DockerSuite) TestBuildCopyWildcardCache(c *check.C) {
+	name := "testcopywildcardcache"
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(`FROM busybox
+	COPY file1.txt /tmp/`),
+		fakecontext.WithFiles(map[string]string{
+			"file1.txt": "test1",
+		}))
+	defer ctx.Close()
+
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+
+	// Now make sure we use a cache the 2nd time even with wild cards.
+	// Use the same context so the file is the same and the checksum will match
+	ctx.Add("Dockerfile", `FROM busybox
+	COPY file*.txt /tmp/`)
+
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name)
+
+	if id1 != id2 {
+		c.Fatal("didn't use the cache")
+	}
+
+}
+
+func (s *DockerSuite) TestBuildAddSingleFileToNonExistingDir(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testaddsinglefiletononexistingdir", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN touch /exists
+RUN chown dockerio.dockerio /exists
+ADD test_file /test_dir/
+RUN [ $(ls -l / | grep test_dir | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /test_dir/test_file | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]`),
+		build.WithFile("test_file", "test1")))
+}
+
+func (s *DockerSuite) TestBuildAddDirContentToRoot(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testadddircontenttoroot", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN touch /exists
+RUN chown dockerio.dockerio exists
+ADD test_dir /
+RUN [ $(ls -l /test_file | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]`),
+		build.WithFile("test_dir/test_file", "test1")))
+}
+
+func (s *DockerSuite) TestBuildAddDirContentToExistingDir(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testadddircontenttoexistingdir", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN mkdir /exists
+RUN touch /exists/exists_file
+RUN chown -R dockerio.dockerio /exists
+ADD test_dir/ /exists/
+RUN [ $(ls -l / | grep exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]
+RUN [ $(ls -l /exists/exists_file | awk '{print $3":"$4}') = 'dockerio:dockerio' ]
+RUN [ $(ls -l /exists/test_file | awk '{print $3":"$4}') = 'root:root' ]`),
+		build.WithFile("test_dir/test_file", "test1")))
+}
+
+func (s *DockerSuite) TestBuildAddWholeDirToRoot(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testaddwholedirtoroot", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", fmt.Sprintf(`FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN touch /exists
+RUN chown dockerio.dockerio exists
+ADD test_dir /test_dir
+RUN [ $(ls -l / | grep test_dir | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l / | grep test_dir | awk '{print $1}') = 'drwxr-xr-x' ]
+RUN [ $(ls -l /test_dir/test_file | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /test_dir/test_file | awk '{print $1}') = '%s' ]
+RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]`, expectedFileChmod)),
+		build.WithFile("test_dir/test_file", "test1")))
+}
+
+// Testing #5941 : Having an etc directory in context conflicts with the /etc/mtab
+func (s *DockerSuite) TestBuildAddOrCopyEtcToRootShouldNotConflict(c *check.C) {
+	buildImageSuccessfully(c, "testaddetctoroot", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM `+minimalBaseImage()+`
+ADD . /`),
+		build.WithFile("etc/test_file", "test1")))
+	buildImageSuccessfully(c, "testcopyetctoroot", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM `+minimalBaseImage()+`
+COPY . /`),
+		build.WithFile("etc/test_file", "test1")))
+}
+
+// Testing #9401 : Losing setuid flag after a ADD
+func (s *DockerSuite) TestBuildAddPreservesFilesSpecialBits(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testaddetctoroot", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+ADD suidbin /usr/bin/suidbin
+RUN chmod 4755 /usr/bin/suidbin
+RUN [ $(ls -l /usr/bin/suidbin | awk '{print $1}') = '-rwsr-xr-x' ]
+ADD ./data/ /
+RUN [ $(ls -l /usr/bin/suidbin | awk '{print $1}') = '-rwsr-xr-x' ]`),
+		build.WithFile("suidbin", "suidbin"),
+		build.WithFile("/data/usr/test_file", "test1")))
+}
+
+func (s *DockerSuite) TestBuildCopySingleFileToRoot(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testcopysinglefiletoroot", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", fmt.Sprintf(`FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN touch /exists
+RUN chown dockerio.dockerio /exists
+COPY test_file /
+RUN [ $(ls -l /test_file | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /test_file | awk '{print $1}') = '%s' ]
+RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]`, expectedFileChmod)),
+		build.WithFile("test_file", "test1")))
+}
+
+// Issue #3960: "ADD src ." hangs - adapted for COPY
+func (s *DockerSuite) TestBuildCopySingleFileToWorkdir(c *check.C) {
+	name := "testcopysinglefiletoworkdir"
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(`FROM busybox
+COPY test_file .`),
+		fakecontext.WithFiles(map[string]string{
+			"test_file": "test1",
+		}))
+	defer ctx.Close()
+
+	errChan := make(chan error)
+	go func() {
+		errChan <- buildImage(name, build.WithExternalBuildContext(ctx)).Error
+		close(errChan)
+	}()
+	select {
+	case <-time.After(15 * time.Second):
+		c.Fatal("Build with adding to workdir timed out")
+	case err := <-errChan:
+		c.Assert(err, check.IsNil)
+	}
+}
+
+func (s *DockerSuite) TestBuildCopySingleFileToExistDir(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testcopysinglefiletoexistdir", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN mkdir /exists
+RUN touch /exists/exists_file
+RUN chown -R dockerio.dockerio /exists
+COPY test_file /exists/
+RUN [ $(ls -l / | grep exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]
+RUN [ $(ls -l /exists/test_file | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists/exists_file | awk '{print $3":"$4}') = 'dockerio:dockerio' ]`),
+		build.WithFile("test_file", "test1")))
+}
+
+func (s *DockerSuite) TestBuildCopySingleFileToNonExistDir(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific
+	buildImageSuccessfully(c, "testcopysinglefiletononexistdir", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN touch /exists
+RUN chown dockerio.dockerio /exists
+COPY test_file /test_dir/
+RUN [ $(ls -l / | grep test_dir | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /test_dir/test_file | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]`),
+		build.WithFile("test_file", "test1")))
+}
+
+func (s *DockerSuite) TestBuildCopyDirContentToRoot(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testcopydircontenttoroot", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN touch /exists
+RUN chown dockerio.dockerio exists
+COPY test_dir /
+RUN [ $(ls -l /test_file | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]`),
+		build.WithFile("test_dir/test_file", "test1")))
+}
+
+func (s *DockerSuite) TestBuildCopyDirContentToExistDir(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testcopydircontenttoexistdir", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN mkdir /exists
+RUN touch /exists/exists_file
+RUN chown -R dockerio.dockerio /exists
+COPY test_dir/ /exists/
+RUN [ $(ls -l / | grep exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]
+RUN [ $(ls -l /exists/exists_file | awk '{print $3":"$4}') = 'dockerio:dockerio' ]
+RUN [ $(ls -l /exists/test_file | awk '{print $3":"$4}') = 'root:root' ]`),
+		build.WithFile("test_dir/test_file", "test1")))
+}
+
+func (s *DockerSuite) TestBuildCopyWholeDirToRoot(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Linux specific test
+	buildImageSuccessfully(c, "testcopywholedirtoroot", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", fmt.Sprintf(`FROM busybox
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+RUN echo 'dockerio:x:1001:' >> /etc/group
+RUN touch /exists
+RUN chown dockerio.dockerio exists
+COPY test_dir /test_dir
+RUN [ $(ls -l / | grep test_dir | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l / | grep test_dir | awk '{print $1}') = 'drwxr-xr-x' ]
+RUN [ $(ls -l /test_dir/test_file | awk '{print $3":"$4}') = 'root:root' ]
+RUN [ $(ls -l /test_dir/test_file | awk '{print $1}') = '%s' ]
+RUN [ $(ls -l /exists | awk '{print $3":"$4}') = 'dockerio:dockerio' ]`, expectedFileChmod)),
+		build.WithFile("test_dir/test_file", "test1")))
+}
+
+func (s *DockerSuite) TestBuildAddBadLinks(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Not currently working on Windows
+
+	dockerfile := `
+		FROM scratch
+		ADD links.tar /
+		ADD foo.txt /symlink/
+		`
+	targetFile := "foo.txt"
+	var (
+		name = "test-link-absolute"
+	)
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(dockerfile))
+	defer ctx.Close()
+
+	tempDir, err := ioutil.TempDir("", "test-link-absolute-temp-")
+	if err != nil {
+		c.Fatalf("failed to create temporary directory: %s", tempDir)
+	}
+	defer os.RemoveAll(tempDir)
+
+	var symlinkTarget string
+	if runtime.GOOS == "windows" {
+		var driveLetter string
+		if abs, err := filepath.Abs(tempDir); err != nil {
+			c.Fatal(err)
+		} else {
+			driveLetter = abs[:1]
+		}
+		tempDirWithoutDrive := tempDir[2:]
+		symlinkTarget = fmt.Sprintf(`%s:\..\..\..\..\..\..\..\..\..\..\..\..%s`, driveLetter, tempDirWithoutDrive)
+	} else {
+		symlinkTarget = fmt.Sprintf("/../../../../../../../../../../../..%s", tempDir)
+	}
+
+	tarPath := filepath.Join(ctx.Dir, "links.tar")
+	nonExistingFile := filepath.Join(tempDir, targetFile)
+	fooPath := filepath.Join(ctx.Dir, targetFile)
+
+	tarOut, err := os.Create(tarPath)
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	tarWriter := tar.NewWriter(tarOut)
+
+	header := &tar.Header{
+		Name:     "symlink",
+		Typeflag: tar.TypeSymlink,
+		Linkname: symlinkTarget,
+		Mode:     0755,
+		Uid:      0,
+		Gid:      0,
+	}
+
+	err = tarWriter.WriteHeader(header)
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	tarWriter.Close()
+	tarOut.Close()
+
+	foo, err := os.Create(fooPath)
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer foo.Close()
+
+	if _, err := foo.WriteString("test"); err != nil {
+		c.Fatal(err)
+	}
+
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	if _, err := os.Stat(nonExistingFile); err == nil || err != nil && !os.IsNotExist(err) {
+		c.Fatalf("%s shouldn't have been written and it shouldn't exist", nonExistingFile)
+	}
+
+}
+
+func (s *DockerSuite) TestBuildAddBadLinksVolume(c *check.C) {
+	testRequires(c, DaemonIsLinux) // ln not implemented on Windows busybox
+	const (
+		dockerfileTemplate = `
+		FROM busybox
+		RUN ln -s /../../../../../../../../%s /x
+		VOLUME /x
+		ADD foo.txt /x/`
+		targetFile = "foo.txt"
+	)
+	var (
+		name       = "test-link-absolute-volume"
+		dockerfile = ""
+	)
+
+	tempDir, err := ioutil.TempDir("", "test-link-absolute-volume-temp-")
+	if err != nil {
+		c.Fatalf("failed to create temporary directory: %s", tempDir)
+	}
+	defer os.RemoveAll(tempDir)
+
+	dockerfile = fmt.Sprintf(dockerfileTemplate, tempDir)
+	nonExistingFile := filepath.Join(tempDir, targetFile)
+
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(dockerfile))
+	defer ctx.Close()
+	fooPath := filepath.Join(ctx.Dir, targetFile)
+
+	foo, err := os.Create(fooPath)
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer foo.Close()
+
+	if _, err := foo.WriteString("test"); err != nil {
+		c.Fatal(err)
+	}
+
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	if _, err := os.Stat(nonExistingFile); err == nil || err != nil && !os.IsNotExist(err) {
+		c.Fatalf("%s shouldn't have been written and it shouldn't exist", nonExistingFile)
+	}
+
+}
+
+// Issue #5270 - ensure we throw a better error than "unexpected EOF"
+// when we can't access files in the context.
+func (s *DockerSuite) TestBuildWithInaccessibleFilesInContext(c *check.C) {
+	testRequires(c, DaemonIsLinux, UnixCli, SameHostDaemon) // test uses chown/chmod: not available on windows
+
+	{
+		name := "testbuildinaccessiblefiles"
+		ctx := fakecontext.New(c, "",
+			fakecontext.WithDockerfile("FROM scratch\nADD . /foo/"),
+			fakecontext.WithFiles(map[string]string{"fileWithoutReadAccess": "foo"}),
+		)
+		defer ctx.Close()
+		// This is used to ensure we detect inaccessible files early during build in the cli client
+		pathToFileWithoutReadAccess := filepath.Join(ctx.Dir, "fileWithoutReadAccess")
+
+		if err := os.Chown(pathToFileWithoutReadAccess, 0, 0); err != nil {
+			c.Fatalf("failed to chown file to root: %s", err)
+		}
+		if err := os.Chmod(pathToFileWithoutReadAccess, 0700); err != nil {
+			c.Fatalf("failed to chmod file to 700: %s", err)
+		}
+		result := icmd.RunCmd(icmd.Cmd{
+			Command: []string{"su", "unprivilegeduser", "-c", fmt.Sprintf("%s build -t %s .", dockerBinary, name)},
+			Dir:     ctx.Dir,
+		})
+		if result.Error == nil {
+			c.Fatalf("build should have failed: %s %s", result.Error, result.Combined())
+		}
+
+		// check if we've detected the failure before we started building
+		if !strings.Contains(result.Combined(), "no permission to read from ") {
+			c.Fatalf("output should've contained the string: no permission to read from but contained: %s", result.Combined())
+		}
+
+		if !strings.Contains(result.Combined(), "error checking context") {
+			c.Fatalf("output should've contained the string: error checking context")
+		}
+	}
+	{
+		name := "testbuildinaccessibledirectory"
+		ctx := fakecontext.New(c, "",
+			fakecontext.WithDockerfile("FROM scratch\nADD . /foo/"),
+			fakecontext.WithFiles(map[string]string{"directoryWeCantStat/bar": "foo"}),
+		)
+		defer ctx.Close()
+		// This is used to ensure we detect inaccessible directories early during build in the cli client
+		pathToDirectoryWithoutReadAccess := filepath.Join(ctx.Dir, "directoryWeCantStat")
+		pathToFileInDirectoryWithoutReadAccess := filepath.Join(pathToDirectoryWithoutReadAccess, "bar")
+
+		if err := os.Chown(pathToDirectoryWithoutReadAccess, 0, 0); err != nil {
+			c.Fatalf("failed to chown directory to root: %s", err)
+		}
+		if err := os.Chmod(pathToDirectoryWithoutReadAccess, 0444); err != nil {
+			c.Fatalf("failed to chmod directory to 444: %s", err)
+		}
+		if err := os.Chmod(pathToFileInDirectoryWithoutReadAccess, 0700); err != nil {
+			c.Fatalf("failed to chmod file to 700: %s", err)
+		}
+
+		result := icmd.RunCmd(icmd.Cmd{
+			Command: []string{"su", "unprivilegeduser", "-c", fmt.Sprintf("%s build -t %s .", dockerBinary, name)},
+			Dir:     ctx.Dir,
+		})
+		if result.Error == nil {
+			c.Fatalf("build should have failed: %s %s", result.Error, result.Combined())
+		}
+
+		// check if we've detected the failure before we started building
+		if !strings.Contains(result.Combined(), "can't stat") {
+			c.Fatalf("output should've contained the string: can't access %s", result.Combined())
+		}
+
+		if !strings.Contains(result.Combined(), "error checking context") {
+			c.Fatalf("output should've contained the string: error checking context\ngot:%s", result.Combined())
+		}
+
+	}
+	{
+		name := "testlinksok"
+		ctx := fakecontext.New(c, "", fakecontext.WithDockerfile("FROM scratch\nADD . /foo/"))
+		defer ctx.Close()
+
+		target := "../../../../../../../../../../../../../../../../../../../azA"
+		if err := os.Symlink(filepath.Join(ctx.Dir, "g"), target); err != nil {
+			c.Fatal(err)
+		}
+		defer os.Remove(target)
+		// This is used to ensure we don't follow links when checking if everything in the context is accessible
+		// This test doesn't require that we run commands as an unprivileged user
+		buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	}
+	{
+		name := "testbuildignoredinaccessible"
+		ctx := fakecontext.New(c, "",
+			fakecontext.WithDockerfile("FROM scratch\nADD . /foo/"),
+			fakecontext.WithFiles(map[string]string{
+				"directoryWeCantStat/bar": "foo",
+				".dockerignore":           "directoryWeCantStat",
+			}),
+		)
+		defer ctx.Close()
+		// This is used to ensure we don't try to add inaccessible files when they are ignored by a .dockerignore pattern
+		pathToDirectoryWithoutReadAccess := filepath.Join(ctx.Dir, "directoryWeCantStat")
+		pathToFileInDirectoryWithoutReadAccess := filepath.Join(pathToDirectoryWithoutReadAccess, "bar")
+		if err := os.Chown(pathToDirectoryWithoutReadAccess, 0, 0); err != nil {
+			c.Fatalf("failed to chown directory to root: %s", err)
+		}
+		if err := os.Chmod(pathToDirectoryWithoutReadAccess, 0444); err != nil {
+			c.Fatalf("failed to chmod directory to 444: %s", err)
+		}
+		if err := os.Chmod(pathToFileInDirectoryWithoutReadAccess, 0700); err != nil {
+			c.Fatalf("failed to chmod file to 700: %s", err)
+		}
+
+		result := icmd.RunCmd(icmd.Cmd{
+			Dir: ctx.Dir,
+			Command: []string{"su", "unprivilegeduser", "-c",
+				fmt.Sprintf("%s build -t %s .", dockerBinary, name)},
+		})
+		result.Assert(c, icmd.Expected{})
+	}
+}
+
+func (s *DockerSuite) TestBuildForceRm(c *check.C) {
+	containerCountBefore := getContainerCount(c)
+	name := "testbuildforcerm"
+
+	r := buildImage(name, cli.WithFlags("--force-rm"), build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+	RUN true
+	RUN thiswillfail`)))
+	if r.ExitCode != 1 && r.ExitCode != 127 { // different on Linux / Windows
+		c.Fatalf("Wrong exit code")
+	}
+
+	containerCountAfter := getContainerCount(c)
+	if containerCountBefore != containerCountAfter {
+		c.Fatalf("--force-rm shouldn't have left containers behind")
+	}
+
+}
+
+func (s *DockerSuite) TestBuildRm(c *check.C) {
+	name := "testbuildrm"
+
+	testCases := []struct {
+		buildflags                []string
+		shouldLeftContainerBehind bool
+	}{
+		// Default case (i.e. --rm=true)
+		{
+			buildflags:                []string{},
+			shouldLeftContainerBehind: false,
+		},
+		{
+			buildflags:                []string{"--rm"},
+			shouldLeftContainerBehind: false,
+		},
+		{
+			buildflags:                []string{"--rm=false"},
+			shouldLeftContainerBehind: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		containerCountBefore := getContainerCount(c)
+
+		buildImageSuccessfully(c, name, cli.WithFlags(tc.buildflags...), build.WithDockerfile(`FROM busybox
+	RUN echo hello world`))
+
+		containerCountAfter := getContainerCount(c)
+		if tc.shouldLeftContainerBehind {
+			if containerCountBefore == containerCountAfter {
+				c.Fatalf("flags %v should have left containers behind", tc.buildflags)
+			}
+		} else {
+			if containerCountBefore != containerCountAfter {
+				c.Fatalf("flags %v shouldn't have left containers behind", tc.buildflags)
+			}
+		}
+
+		dockerCmd(c, "rmi", name)
+	}
+}
+
+func (s *DockerSuite) TestBuildWithVolumes(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Invalid volume paths on Windows
+	var (
+		result   map[string]map[string]struct{}
+		name     = "testbuildvolumes"
+		emptyMap = make(map[string]struct{})
+		expected = map[string]map[string]struct{}{
+			"/test1":  emptyMap,
+			"/test2":  emptyMap,
+			"/test3":  emptyMap,
+			"/test4":  emptyMap,
+			"/test5":  emptyMap,
+			"/test6":  emptyMap,
+			"[/test7": emptyMap,
+			"/test8]": emptyMap,
+		}
+	)
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM scratch
+		VOLUME /test1
+		VOLUME /test2
+    VOLUME /test3 /test4
+    VOLUME ["/test5", "/test6"]
+    VOLUME [/test7 /test8]
+    `))
+
+	inspectFieldAndUnmarshall(c, name, "Config.Volumes", &result)
+
+	equal := reflect.DeepEqual(&result, &expected)
+	if !equal {
+		c.Fatalf("Volumes %s, expected %s", result, expected)
+	}
+
+}
+
+func (s *DockerSuite) TestBuildMaintainer(c *check.C) {
+	name := "testbuildmaintainer"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+        MAINTAINER dockerio`))
+
+	expected := "dockerio"
+	res := inspectField(c, name, "Author")
+	if res != expected {
+		c.Fatalf("Maintainer %s, expected %s", res, expected)
+	}
+}
+
+func (s *DockerSuite) TestBuildUser(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuilduser"
+	expected := "dockerio"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+		USER dockerio
+		RUN [ $(whoami) = 'dockerio' ]`))
+	res := inspectField(c, name, "Config.User")
+	if res != expected {
+		c.Fatalf("User %s, expected %s", res, expected)
+	}
+}
+
+func (s *DockerSuite) TestBuildRelativeWorkdir(c *check.C) {
+	name := "testbuildrelativeworkdir"
+
+	var (
+		expected1     string
+		expected2     string
+		expected3     string
+		expected4     string
+		expectedFinal string
+	)
+
+	if testEnv.OSType == "windows" {
+		expected1 = `C:/`
+		expected2 = `C:/test1`
+		expected3 = `C:/test2`
+		expected4 = `C:/test2/test3`
+		expectedFinal = `C:\test2\test3` // Note inspect is going to return Windows paths, as it's not in busybox
+	} else {
+		expected1 = `/`
+		expected2 = `/test1`
+		expected3 = `/test2`
+		expected4 = `/test2/test3`
+		expectedFinal = `/test2/test3`
+	}
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		RUN sh -c "[ "$PWD" = "`+expected1+`" ]"
+		WORKDIR test1
+		RUN sh -c "[ "$PWD" = "`+expected2+`" ]"
+		WORKDIR /test2
+		RUN sh -c "[ "$PWD" = "`+expected3+`" ]"
+		WORKDIR test3
+		RUN sh -c "[ "$PWD" = "`+expected4+`" ]"`))
+
+	res := inspectField(c, name, "Config.WorkingDir")
+	if res != expectedFinal {
+		c.Fatalf("Workdir %s, expected %s", res, expectedFinal)
+	}
+}
+
+// #22181 Regression test. Single end-to-end test of using
+// Windows semantics. Most path handling verifications are in unit tests
+func (s *DockerSuite) TestBuildWindowsWorkdirProcessing(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	buildImageSuccessfully(c, "testbuildwindowsworkdirprocessing", build.WithDockerfile(`FROM busybox
+		WORKDIR C:\\foo
+		WORKDIR bar
+		RUN sh -c "[ "$PWD" = "C:/foo/bar" ]"
+		`))
+}
+
+// #22181 Regression test. Most paths handling verifications are in unit test.
+// One functional test for end-to-end
+func (s *DockerSuite) TestBuildWindowsAddCopyPathProcessing(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	// TODO Windows (@jhowardmsft). Needs a follow-up PR to 22181 to
+	// support backslash such as .\\ being equivalent to ./ and c:\\ being
+	// equivalent to c:/. This is not currently (nor ever has been) supported
+	// by docker on the Windows platform.
+	buildImageSuccessfully(c, "testbuildwindowsaddcopypathprocessing", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+			# No trailing slash on COPY/ADD
+			# Results in dir being changed to a file
+			WORKDIR /wc1
+			COPY wc1 c:/wc1
+			WORKDIR /wc2
+			ADD wc2 c:/wc2
+			WORKDIR c:/
+			RUN sh -c "[ $(cat c:/wc1/wc1) = 'hellowc1' ]"
+			RUN sh -c "[ $(cat c:/wc2/wc2) = 'worldwc2' ]"
+
+			# Trailing slash on COPY/ADD, Windows-style path.
+			WORKDIR /wd1
+			COPY wd1 c:/wd1/
+			WORKDIR /wd2
+			ADD wd2 c:/wd2/
+			RUN sh -c "[ $(cat c:/wd1/wd1) = 'hellowd1' ]"
+			RUN sh -c "[ $(cat c:/wd2/wd2) = 'worldwd2' ]"
+			`),
+		build.WithFile("wc1", "hellowc1"),
+		build.WithFile("wc2", "worldwc2"),
+		build.WithFile("wd1", "hellowd1"),
+		build.WithFile("wd2", "worldwd2"),
+	))
+}
+
+func (s *DockerSuite) TestBuildWorkdirWithEnvVariables(c *check.C) {
+	name := "testbuildworkdirwithenvvariables"
+
+	var expected string
+	if testEnv.OSType == "windows" {
+		expected = `C:\test1\test2`
+	} else {
+		expected = `/test1/test2`
+	}
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		ENV DIRPATH /test1
+		ENV SUBDIRNAME test2
+		WORKDIR $DIRPATH
+		WORKDIR $SUBDIRNAME/$MISSING_VAR`))
+	res := inspectField(c, name, "Config.WorkingDir")
+	if res != expected {
+		c.Fatalf("Workdir %s, expected %s", res, expected)
+	}
+}
+
+func (s *DockerSuite) TestBuildRelativeCopy(c *check.C) {
+	// cat /test1/test2/foo gets permission denied for the user
+	testRequires(c, NotUserNamespace)
+
+	var expected string
+	if testEnv.OSType == "windows" {
+		expected = `C:/test1/test2`
+	} else {
+		expected = `/test1/test2`
+	}
+
+	buildImageSuccessfully(c, "testbuildrelativecopy", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+			WORKDIR /test1
+			WORKDIR test2
+			RUN sh -c "[ "$PWD" = '`+expected+`' ]"
+			COPY foo ./
+			RUN sh -c "[ $(cat /test1/test2/foo) = 'hello' ]"
+			ADD foo ./bar/baz
+			RUN sh -c "[ $(cat /test1/test2/bar/baz) = 'hello' ]"
+			COPY foo ./bar/baz2
+			RUN sh -c "[ $(cat /test1/test2/bar/baz2) = 'hello' ]"
+			WORKDIR ..
+			COPY foo ./
+			RUN sh -c "[ $(cat /test1/foo) = 'hello' ]"
+			COPY foo /test3/
+			RUN sh -c "[ $(cat /test3/foo) = 'hello' ]"
+			WORKDIR /test4
+			COPY . .
+			RUN sh -c "[ $(cat /test4/foo) = 'hello' ]"
+			WORKDIR /test5/test6
+			COPY foo ../
+			RUN sh -c "[ $(cat /test5/foo) = 'hello' ]"
+			`),
+		build.WithFile("foo", "hello"),
+	))
+}
+
+// FIXME(vdemeester) should be unit test
+func (s *DockerSuite) TestBuildBlankName(c *check.C) {
+	name := "testbuildblankname"
+	testCases := []struct {
+		expression     string
+		expectedStderr string
+	}{
+		{
+			expression:     "ENV =",
+			expectedStderr: "ENV names can not be blank",
+		},
+		{
+			expression:     "LABEL =",
+			expectedStderr: "LABEL names can not be blank",
+		},
+		{
+			expression:     "ARG =foo",
+			expectedStderr: "ARG names can not be blank",
+		},
+	}
+
+	for _, tc := range testCases {
+		buildImage(name, build.WithDockerfile(fmt.Sprintf(`FROM busybox
+		%s`, tc.expression))).Assert(c, icmd.Expected{
+			ExitCode: 1,
+			Err:      tc.expectedStderr,
+		})
+	}
+}
+
+func (s *DockerSuite) TestBuildEnv(c *check.C) {
+	testRequires(c, DaemonIsLinux) // ENV expansion is different in Windows
+	name := "testbuildenv"
+	expected := "[PATH=/test:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PORT=2375]"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		ENV PATH /test:$PATH
+		ENV PORT 2375
+		RUN [ $(env | grep PORT) = 'PORT=2375' ]`))
+	res := inspectField(c, name, "Config.Env")
+	if res != expected {
+		c.Fatalf("Env %s, expected %s", res, expected)
+	}
+}
+
+func (s *DockerSuite) TestBuildPATH(c *check.C) {
+	testRequires(c, DaemonIsLinux) // ENV expansion is different in Windows
+
+	defPath := "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+	fn := func(dockerfile string, expected string) {
+		buildImageSuccessfully(c, "testbldpath", build.WithDockerfile(dockerfile))
+		res := inspectField(c, "testbldpath", "Config.Env")
+		if res != expected {
+			c.Fatalf("Env %q, expected %q for dockerfile:%q", res, expected, dockerfile)
+		}
+	}
+
+	tests := []struct{ dockerfile, exp string }{
+		{"FROM scratch\nMAINTAINER me", "[PATH=" + defPath + "]"},
+		{"FROM busybox\nMAINTAINER me", "[PATH=" + defPath + "]"},
+		{"FROM scratch\nENV FOO=bar", "[PATH=" + defPath + " FOO=bar]"},
+		{"FROM busybox\nENV FOO=bar", "[PATH=" + defPath + " FOO=bar]"},
+		{"FROM scratch\nENV PATH=/test", "[PATH=/test]"},
+		{"FROM busybox\nENV PATH=/test", "[PATH=/test]"},
+		{"FROM scratch\nENV PATH=''", "[PATH=]"},
+		{"FROM busybox\nENV PATH=''", "[PATH=]"},
+	}
+
+	for _, test := range tests {
+		fn(test.dockerfile, test.exp)
+	}
+}
+
+func (s *DockerSuite) TestBuildContextCleanup(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	name := "testbuildcontextcleanup"
+	entries, err := ioutil.ReadDir(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "tmp"))
+	if err != nil {
+		c.Fatalf("failed to list contents of tmp dir: %s", err)
+	}
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+        ENTRYPOINT ["/bin/echo"]`))
+
+	entriesFinal, err := ioutil.ReadDir(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "tmp"))
+	if err != nil {
+		c.Fatalf("failed to list contents of tmp dir: %s", err)
+	}
+	if err = compareDirectoryEntries(entries, entriesFinal); err != nil {
+		c.Fatalf("context should have been deleted, but wasn't")
+	}
+
+}
+
+func (s *DockerSuite) TestBuildContextCleanupFailedBuild(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	name := "testbuildcontextcleanup"
+	entries, err := ioutil.ReadDir(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "tmp"))
+	if err != nil {
+		c.Fatalf("failed to list contents of tmp dir: %s", err)
+	}
+
+	buildImage(name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+	RUN /non/existing/command`)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+
+	entriesFinal, err := ioutil.ReadDir(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "tmp"))
+	if err != nil {
+		c.Fatalf("failed to list contents of tmp dir: %s", err)
+	}
+	if err = compareDirectoryEntries(entries, entriesFinal); err != nil {
+		c.Fatalf("context should have been deleted, but wasn't")
+	}
+
+}
+
+// compareDirectoryEntries compares two sets of FileInfo (usually taken from a directory)
+// and returns an error if different.
+func compareDirectoryEntries(e1 []os.FileInfo, e2 []os.FileInfo) error {
+	var (
+		e1Entries = make(map[string]struct{})
+		e2Entries = make(map[string]struct{})
+	)
+	for _, e := range e1 {
+		e1Entries[e.Name()] = struct{}{}
+	}
+	for _, e := range e2 {
+		e2Entries[e.Name()] = struct{}{}
+	}
+	if !reflect.DeepEqual(e1Entries, e2Entries) {
+		return fmt.Errorf("entries differ")
+	}
+	return nil
+}
+
+func (s *DockerSuite) TestBuildCmd(c *check.C) {
+	name := "testbuildcmd"
+	expected := "[/bin/echo Hello World]"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+        CMD ["/bin/echo", "Hello World"]`))
+
+	res := inspectField(c, name, "Config.Cmd")
+	if res != expected {
+		c.Fatalf("Cmd %s, expected %s", res, expected)
+	}
+}
+
+func (s *DockerSuite) TestBuildExpose(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Expose not implemented on Windows
+	name := "testbuildexpose"
+	expected := "map[2375/tcp:{}]"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM scratch
+        EXPOSE 2375`))
+
+	res := inspectField(c, name, "Config.ExposedPorts")
+	if res != expected {
+		c.Fatalf("Exposed ports %s, expected %s", res, expected)
+	}
+}
+
+func (s *DockerSuite) TestBuildExposeMorePorts(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Expose not implemented on Windows
+	// start building docker file with a large number of ports
+	portList := make([]string, 50)
+	line := make([]string, 100)
+	expectedPorts := make([]int, len(portList)*len(line))
+	for i := 0; i < len(portList); i++ {
+		for j := 0; j < len(line); j++ {
+			p := i*len(line) + j + 1
+			line[j] = strconv.Itoa(p)
+			expectedPorts[p-1] = p
+		}
+		if i == len(portList)-1 {
+			portList[i] = strings.Join(line, " ")
+		} else {
+			portList[i] = strings.Join(line, " ") + ` \`
+		}
+	}
+
+	dockerfile := `FROM scratch
+	EXPOSE {{range .}} {{.}}
+	{{end}}`
+	tmpl := template.Must(template.New("dockerfile").Parse(dockerfile))
+	buf := bytes.NewBuffer(nil)
+	tmpl.Execute(buf, portList)
+
+	name := "testbuildexpose"
+	buildImageSuccessfully(c, name, build.WithDockerfile(buf.String()))
+
+	// check if all the ports are saved inside Config.ExposedPorts
+	res := inspectFieldJSON(c, name, "Config.ExposedPorts")
+	var exposedPorts map[string]interface{}
+	if err := json.Unmarshal([]byte(res), &exposedPorts); err != nil {
+		c.Fatal(err)
+	}
+
+	for _, p := range expectedPorts {
+		ep := fmt.Sprintf("%d/tcp", p)
+		if _, ok := exposedPorts[ep]; !ok {
+			c.Errorf("Port(%s) is not exposed", ep)
+		} else {
+			delete(exposedPorts, ep)
+		}
+	}
+	if len(exposedPorts) != 0 {
+		c.Errorf("Unexpected extra exposed ports %v", exposedPorts)
+	}
+}
+
+func (s *DockerSuite) TestBuildExposeOrder(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Expose not implemented on Windows
+	buildID := func(name, exposed string) string {
+		buildImageSuccessfully(c, name, build.WithDockerfile(fmt.Sprintf(`FROM scratch
+		EXPOSE %s`, exposed)))
+		id := inspectField(c, name, "Id")
+		return id
+	}
+
+	id1 := buildID("testbuildexpose1", "80 2375")
+	id2 := buildID("testbuildexpose2", "2375 80")
+	if id1 != id2 {
+		c.Errorf("EXPOSE should invalidate the cache only when ports actually changed")
+	}
+}
+
+func (s *DockerSuite) TestBuildExposeUpperCaseProto(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Expose not implemented on Windows
+	name := "testbuildexposeuppercaseproto"
+	expected := "map[5678/udp:{}]"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM scratch
+        EXPOSE 5678/UDP`))
+	res := inspectField(c, name, "Config.ExposedPorts")
+	if res != expected {
+		c.Fatalf("Exposed ports %s, expected %s", res, expected)
+	}
+}
+
+func (s *DockerSuite) TestBuildEmptyEntrypointInheritance(c *check.C) {
+	name := "testbuildentrypointinheritance"
+	name2 := "testbuildentrypointinheritance2"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+        ENTRYPOINT ["/bin/echo"]`))
+	res := inspectField(c, name, "Config.Entrypoint")
+
+	expected := "[/bin/echo]"
+	if res != expected {
+		c.Fatalf("Entrypoint %s, expected %s", res, expected)
+	}
+
+	buildImageSuccessfully(c, name2, build.WithDockerfile(fmt.Sprintf(`FROM %s
+        ENTRYPOINT []`, name)))
+	res = inspectField(c, name2, "Config.Entrypoint")
+
+	expected = "[]"
+	if res != expected {
+		c.Fatalf("Entrypoint %s, expected %s", res, expected)
+	}
+}
+
+func (s *DockerSuite) TestBuildEmptyEntrypoint(c *check.C) {
+	name := "testbuildentrypoint"
+	expected := "[]"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+        ENTRYPOINT []`))
+
+	res := inspectField(c, name, "Config.Entrypoint")
+	if res != expected {
+		c.Fatalf("Entrypoint %s, expected %s", res, expected)
+	}
+
+}
+
+func (s *DockerSuite) TestBuildEntrypoint(c *check.C) {
+	name := "testbuildentrypoint"
+
+	expected := "[/bin/echo]"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+        ENTRYPOINT ["/bin/echo"]`))
+
+	res := inspectField(c, name, "Config.Entrypoint")
+	if res != expected {
+		c.Fatalf("Entrypoint %s, expected %s", res, expected)
+	}
+
+}
+
+// #6445 ensure ONBUILD triggers aren't committed to grandchildren
+func (s *DockerSuite) TestBuildOnBuildLimitedInheritance(c *check.C) {
+	buildImageSuccessfully(c, "testonbuildtrigger1", build.WithDockerfile(`
+		FROM busybox
+		RUN echo "GRANDPARENT"
+		ONBUILD RUN echo "ONBUILD PARENT"
+		`))
+	// ONBUILD should be run in second build.
+	buildImage("testonbuildtrigger2", build.WithDockerfile("FROM testonbuildtrigger1")).Assert(c, icmd.Expected{
+		Out: "ONBUILD PARENT",
+	})
+	// ONBUILD should *not* be run in third build.
+	result := buildImage("testonbuildtrigger3", build.WithDockerfile("FROM testonbuildtrigger2"))
+	result.Assert(c, icmd.Success)
+	if strings.Contains(result.Combined(), "ONBUILD PARENT") {
+		c.Fatalf("ONBUILD instruction ran in grandchild of ONBUILD parent")
+	}
+}
+
+func (s *DockerSuite) TestBuildSameDockerfileWithAndWithoutCache(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Expose not implemented on Windows
+	name := "testbuildwithcache"
+	dockerfile := `FROM scratch
+		MAINTAINER dockerio
+		EXPOSE 5432
+        ENTRYPOINT ["/bin/echo"]`
+	buildImageSuccessfully(c, name, build.WithDockerfile(dockerfile))
+	id1 := getIDByName(c, name)
+	buildImageSuccessfully(c, name, build.WithDockerfile(dockerfile))
+	id2 := getIDByName(c, name)
+	buildImageSuccessfully(c, name, build.WithoutCache, build.WithDockerfile(dockerfile))
+	id3 := getIDByName(c, name)
+	if id1 != id2 {
+		c.Fatal("The cache should have been used but hasn't.")
+	}
+	if id1 == id3 {
+		c.Fatal("The cache should have been invalided but hasn't.")
+	}
+}
+
+// Make sure that ADD/COPY still populate the cache even if they don't use it
+func (s *DockerSuite) TestBuildConditionalCache(c *check.C) {
+	name := "testbuildconditionalcache"
+
+	dockerfile := `
+		FROM busybox
+        ADD foo /tmp/`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "hello",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+
+	if err := ctx.Add("foo", "bye"); err != nil {
+		c.Fatalf("Error modifying foo: %s", err)
+	}
+
+	// Updating a file should invalidate the cache
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name)
+	if id2 == id1 {
+		c.Fatal("Should not have used the cache")
+	}
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id3 := getIDByName(c, name)
+	if id3 != id2 {
+		c.Fatal("Should have used the cache")
+	}
+}
+
+func (s *DockerSuite) TestBuildAddMultipleLocalFileWithAndWithoutCache(c *check.C) {
+	name := "testbuildaddmultiplelocalfilewithcache"
+	baseName := name + "-base"
+
+	cli.BuildCmd(c, baseName, build.WithDockerfile(`
+		FROM busybox
+		ENTRYPOINT ["/bin/sh"]
+	`))
+
+	dockerfile := `
+		FROM testbuildaddmultiplelocalfilewithcache-base
+        MAINTAINER dockerio
+        ADD foo Dockerfile /usr/lib/bla/
+		RUN sh -c "[ $(cat /usr/lib/bla/foo) = "hello" ]"`
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(dockerfile), fakecontext.WithFiles(map[string]string{
+		"foo": "hello",
+	}))
+	defer ctx.Close()
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+	result2 := cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name)
+	result3 := cli.BuildCmd(c, name, build.WithoutCache, build.WithExternalBuildContext(ctx))
+	id3 := getIDByName(c, name)
+	if id1 != id2 {
+		c.Fatalf("The cache should have been used but hasn't: %s", result2.Stdout())
+	}
+	if id1 == id3 {
+		c.Fatalf("The cache should have been invalided but hasn't: %s", result3.Stdout())
+	}
+}
+
+func (s *DockerSuite) TestBuildCopyDirButNotFile(c *check.C) {
+	name := "testbuildcopydirbutnotfile"
+	name2 := "testbuildcopydirbutnotfile2"
+
+	dockerfile := `
+        FROM ` + minimalBaseImage() + `
+        COPY dir /tmp/`
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(dockerfile), fakecontext.WithFiles(map[string]string{
+		"dir/foo": "hello",
+	}))
+	defer ctx.Close()
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+	// Check that adding file with similar name doesn't mess with cache
+	if err := ctx.Add("dir_file", "hello2"); err != nil {
+		c.Fatal(err)
+	}
+	cli.BuildCmd(c, name2, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name2)
+	if id1 != id2 {
+		c.Fatal("The cache should have been used but wasn't")
+	}
+}
+
+func (s *DockerSuite) TestBuildAddCurrentDirWithCache(c *check.C) {
+	name := "testbuildaddcurrentdirwithcache"
+	name2 := name + "2"
+	name3 := name + "3"
+	name4 := name + "4"
+	dockerfile := `
+        FROM ` + minimalBaseImage() + `
+        MAINTAINER dockerio
+        ADD . /usr/lib/bla`
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(dockerfile), fakecontext.WithFiles(map[string]string{
+		"foo": "hello",
+	}))
+	defer ctx.Close()
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+	// Check that adding file invalidate cache of "ADD ."
+	if err := ctx.Add("bar", "hello2"); err != nil {
+		c.Fatal(err)
+	}
+	buildImageSuccessfully(c, name2, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name2)
+	if id1 == id2 {
+		c.Fatal("The cache should have been invalided but hasn't.")
+	}
+	// Check that changing file invalidate cache of "ADD ."
+	if err := ctx.Add("foo", "hello1"); err != nil {
+		c.Fatal(err)
+	}
+	buildImageSuccessfully(c, name3, build.WithExternalBuildContext(ctx))
+	id3 := getIDByName(c, name3)
+	if id2 == id3 {
+		c.Fatal("The cache should have been invalided but hasn't.")
+	}
+	// Check that changing file to same content with different mtime does not
+	// invalidate cache of "ADD ."
+	time.Sleep(1 * time.Second) // wait second because of mtime precision
+	if err := ctx.Add("foo", "hello1"); err != nil {
+		c.Fatal(err)
+	}
+	buildImageSuccessfully(c, name4, build.WithExternalBuildContext(ctx))
+	id4 := getIDByName(c, name4)
+	if id3 != id4 {
+		c.Fatal("The cache should have been used but hasn't.")
+	}
+}
+
+// FIXME(vdemeester) this really seems to test the same thing as before (TestBuildAddMultipleLocalFileWithAndWithoutCache)
+func (s *DockerSuite) TestBuildAddCurrentDirWithoutCache(c *check.C) {
+	name := "testbuildaddcurrentdirwithoutcache"
+	dockerfile := `
+        FROM ` + minimalBaseImage() + `
+        MAINTAINER dockerio
+        ADD . /usr/lib/bla`
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(dockerfile), fakecontext.WithFiles(map[string]string{
+		"foo": "hello",
+	}))
+	defer ctx.Close()
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+	buildImageSuccessfully(c, name, build.WithoutCache, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name)
+	if id1 == id2 {
+		c.Fatal("The cache should have been invalided but hasn't.")
+	}
+}
+
+func (s *DockerSuite) TestBuildAddRemoteFileWithAndWithoutCache(c *check.C) {
+	name := "testbuildaddremotefilewithcache"
+	server := fakestorage.New(c, "", fakecontext.WithFiles(map[string]string{
+		"baz": "hello",
+	}))
+	defer server.Close()
+
+	dockerfile := fmt.Sprintf(`FROM `+minimalBaseImage()+`
+        MAINTAINER dockerio
+        ADD %s/baz /usr/lib/baz/quux`, server.URL())
+	cli.BuildCmd(c, name, build.WithDockerfile(dockerfile))
+	id1 := getIDByName(c, name)
+	cli.BuildCmd(c, name, build.WithDockerfile(dockerfile))
+	id2 := getIDByName(c, name)
+	cli.BuildCmd(c, name, build.WithoutCache, build.WithDockerfile(dockerfile))
+	id3 := getIDByName(c, name)
+
+	if id1 != id2 {
+		c.Fatal("The cache should have been used but hasn't.")
+	}
+	if id1 == id3 {
+		c.Fatal("The cache should have been invalided but hasn't.")
+	}
+}
+
+func (s *DockerSuite) TestBuildAddRemoteFileMTime(c *check.C) {
+	name := "testbuildaddremotefilemtime"
+	name2 := name + "2"
+	name3 := name + "3"
+
+	files := map[string]string{"baz": "hello"}
+	server := fakestorage.New(c, "", fakecontext.WithFiles(files))
+	defer server.Close()
+
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(fmt.Sprintf(`FROM `+minimalBaseImage()+`
+        MAINTAINER dockerio
+        ADD %s/baz /usr/lib/baz/quux`, server.URL())))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+	cli.BuildCmd(c, name2, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name2)
+	if id1 != id2 {
+		c.Fatal("The cache should have been used but wasn't - #1")
+	}
+
+	// Now create a different server with same contents (causes different mtime)
+	// The cache should still be used
+
+	// allow some time for clock to pass as mtime precision is only 1s
+	time.Sleep(2 * time.Second)
+
+	server2 := fakestorage.New(c, "", fakecontext.WithFiles(files))
+	defer server2.Close()
+
+	ctx2 := fakecontext.New(c, "", fakecontext.WithDockerfile(fmt.Sprintf(`FROM `+minimalBaseImage()+`
+        MAINTAINER dockerio
+        ADD %s/baz /usr/lib/baz/quux`, server2.URL())))
+	defer ctx2.Close()
+	cli.BuildCmd(c, name3, build.WithExternalBuildContext(ctx2))
+	id3 := getIDByName(c, name3)
+	if id1 != id3 {
+		c.Fatal("The cache should have been used but wasn't")
+	}
+}
+
+// FIXME(vdemeester) this really seems to test the same thing as before (combined)
+func (s *DockerSuite) TestBuildAddLocalAndRemoteFilesWithAndWithoutCache(c *check.C) {
+	name := "testbuildaddlocalandremotefilewithcache"
+	server := fakestorage.New(c, "", fakecontext.WithFiles(map[string]string{
+		"baz": "hello",
+	}))
+	defer server.Close()
+
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(fmt.Sprintf(`FROM `+minimalBaseImage()+`
+        MAINTAINER dockerio
+        ADD foo /usr/lib/bla/bar
+        ADD %s/baz /usr/lib/baz/quux`, server.URL())),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "hello world",
+		}))
+	defer ctx.Close()
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name)
+	buildImageSuccessfully(c, name, build.WithoutCache, build.WithExternalBuildContext(ctx))
+	id3 := getIDByName(c, name)
+	if id1 != id2 {
+		c.Fatal("The cache should have been used but hasn't.")
+	}
+	if id1 == id3 {
+		c.Fatal("The cache should have been invalidated but hasn't.")
+	}
+}
+
+func testContextTar(c *check.C, compression archive.Compression) {
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(`FROM busybox
+ADD foo /foo
+CMD ["cat", "/foo"]`),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "bar",
+		}),
+	)
+	defer ctx.Close()
+	context, err := archive.Tar(ctx.Dir, compression)
+	if err != nil {
+		c.Fatalf("failed to build context tar: %v", err)
+	}
+	name := "contexttar"
+
+	cli.BuildCmd(c, name, build.WithStdinContext(context))
+}
+
+func (s *DockerSuite) TestBuildContextTarGzip(c *check.C) {
+	testContextTar(c, archive.Gzip)
+}
+
+func (s *DockerSuite) TestBuildContextTarNoCompression(c *check.C) {
+	testContextTar(c, archive.Uncompressed)
+}
+
+func (s *DockerSuite) TestBuildNoContext(c *check.C) {
+	name := "nocontext"
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "build", "-t", name, "-"},
+		Stdin: strings.NewReader(
+			`FROM busybox
+			CMD ["echo", "ok"]`),
+	}).Assert(c, icmd.Success)
+
+	if out, _ := dockerCmd(c, "run", "--rm", "nocontext"); out != "ok\n" {
+		c.Fatalf("run produced invalid output: %q, expected %q", out, "ok")
+	}
+}
+
+// FIXME(vdemeester) migrate to docker/cli e2e
+func (s *DockerSuite) TestBuildDockerfileStdin(c *check.C) {
+	name := "stdindockerfile"
+	tmpDir, err := ioutil.TempDir("", "fake-context")
+	c.Assert(err, check.IsNil)
+	err = ioutil.WriteFile(filepath.Join(tmpDir, "foo"), []byte("bar"), 0600)
+	c.Assert(err, check.IsNil)
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "build", "-t", name, "-f", "-", tmpDir},
+		Stdin: strings.NewReader(
+			`FROM busybox
+ADD foo /foo
+CMD ["cat", "/foo"]`),
+	}).Assert(c, icmd.Success)
+
+	res := inspectField(c, name, "Config.Cmd")
+	c.Assert(strings.TrimSpace(string(res)), checker.Equals, `[cat /foo]`)
+}
+
+// FIXME(vdemeester) migrate to docker/cli tests (unit or e2e)
+func (s *DockerSuite) TestBuildDockerfileStdinConflict(c *check.C) {
+	name := "stdindockerfiletarcontext"
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "build", "-t", name, "-f", "-", "-"},
+	}).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "use stdin for both build context and dockerfile",
+	})
+}
+
+func (s *DockerSuite) TestBuildDockerfileStdinNoExtraFiles(c *check.C) {
+	s.testBuildDockerfileStdinNoExtraFiles(c, false, false)
+}
+
+func (s *DockerSuite) TestBuildDockerfileStdinDockerignore(c *check.C) {
+	s.testBuildDockerfileStdinNoExtraFiles(c, true, false)
+}
+
+func (s *DockerSuite) TestBuildDockerfileStdinDockerignoreIgnored(c *check.C) {
+	s.testBuildDockerfileStdinNoExtraFiles(c, true, true)
+}
+
+func (s *DockerSuite) testBuildDockerfileStdinNoExtraFiles(c *check.C, hasDockerignore, ignoreDockerignore bool) {
+	name := "stdindockerfilenoextra"
+	tmpDir, err := ioutil.TempDir("", "fake-context")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	writeFile := func(filename, content string) {
+		err = ioutil.WriteFile(filepath.Join(tmpDir, filename), []byte(content), 0600)
+		c.Assert(err, check.IsNil)
+	}
+
+	writeFile("foo", "bar")
+
+	if hasDockerignore {
+		// Add an empty Dockerfile to verify that it is not added to the image
+		writeFile("Dockerfile", "")
+
+		ignores := "Dockerfile\n"
+		if ignoreDockerignore {
+			ignores += ".dockerignore\n"
+		}
+		writeFile(".dockerignore", ignores)
+	}
+
+	result := icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "build", "-t", name, "-f", "-", tmpDir},
+		Stdin: strings.NewReader(
+			`FROM busybox
+COPY . /baz`),
+	})
+	result.Assert(c, icmd.Success)
+
+	result = cli.DockerCmd(c, "run", "--rm", name, "ls", "-A", "/baz")
+	if hasDockerignore && !ignoreDockerignore {
+		c.Assert(result.Stdout(), checker.Equals, ".dockerignore\nfoo\n")
+	} else {
+		c.Assert(result.Stdout(), checker.Equals, "foo\n")
+	}
+}
+
+func (s *DockerSuite) TestBuildWithVolumeOwnership(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildimg"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox:latest
+        RUN mkdir /test && chown daemon:daemon /test && chmod 0600 /test
+        VOLUME /test`))
+
+	out, _ := dockerCmd(c, "run", "--rm", "testbuildimg", "ls", "-la", "/test")
+	if expected := "drw-------"; !strings.Contains(out, expected) {
+		c.Fatalf("expected %s received %s", expected, out)
+	}
+	if expected := "daemon   daemon"; !strings.Contains(out, expected) {
+		c.Fatalf("expected %s received %s", expected, out)
+	}
+
+}
+
+// testing #1405 - config.Cmd does not get cleaned up if
+// utilizing cache
+func (s *DockerSuite) TestBuildEntrypointRunCleanup(c *check.C) {
+	name := "testbuildcmdcleanup"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+        RUN echo "hello"`))
+
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+        RUN echo "hello"
+        ADD foo /foo
+        ENTRYPOINT ["/bin/echo"]`),
+		build.WithFile("foo", "hello")))
+
+	res := inspectField(c, name, "Config.Cmd")
+	// Cmd must be cleaned up
+	if res != "[]" {
+		c.Fatalf("Cmd %s, expected nil", res)
+	}
+}
+
+func (s *DockerSuite) TestBuildAddFileNotFound(c *check.C) {
+	name := "testbuildaddnotfound"
+	expected := "foo: no such file or directory"
+
+	if testEnv.OSType == "windows" {
+		expected = "foo: The system cannot find the file specified"
+	}
+
+	buildImage(name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM `+minimalBaseImage()+`
+        ADD foo /usr/local/bar`),
+		build.WithFile("bar", "hello"))).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      expected,
+	})
+}
+
+func (s *DockerSuite) TestBuildInheritance(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildinheritance"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM scratch
+		EXPOSE 2375`))
+	ports1 := inspectField(c, name, "Config.ExposedPorts")
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(fmt.Sprintf(`FROM %s
+		ENTRYPOINT ["/bin/echo"]`, name)))
+
+	res := inspectField(c, name, "Config.Entrypoint")
+	if expected := "[/bin/echo]"; res != expected {
+		c.Fatalf("Entrypoint %s, expected %s", res, expected)
+	}
+	ports2 := inspectField(c, name, "Config.ExposedPorts")
+	if ports1 != ports2 {
+		c.Fatalf("Ports must be same: %s != %s", ports1, ports2)
+	}
+}
+
+func (s *DockerSuite) TestBuildFails(c *check.C) {
+	name := "testbuildfails"
+	buildImage(name, build.WithDockerfile(`FROM busybox
+		RUN sh -c "exit 23"`)).Assert(c, icmd.Expected{
+		ExitCode: 23,
+		Err:      "returned a non-zero code: 23",
+	})
+}
+
+func (s *DockerSuite) TestBuildOnBuild(c *check.C) {
+	name := "testbuildonbuild"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		ONBUILD RUN touch foobar`))
+	buildImageSuccessfully(c, name, build.WithDockerfile(fmt.Sprintf(`FROM %s
+		RUN [ -f foobar ]`, name)))
+}
+
+// gh #2446
+func (s *DockerSuite) TestBuildAddToSymlinkDest(c *check.C) {
+	makeLink := `ln -s /foo /bar`
+	if testEnv.OSType == "windows" {
+		makeLink = `mklink /D C:\bar C:\foo`
+	}
+	name := "testbuildaddtosymlinkdest"
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `
+		FROM busybox
+		RUN sh -c "mkdir /foo"
+		RUN `+makeLink+`
+		ADD foo /bar/
+		RUN sh -c "[ -f /bar/foo ]"
+		RUN sh -c "[ -f /foo/foo ]"`),
+		build.WithFile("foo", "hello"),
+	))
+}
+
+func (s *DockerSuite) TestBuildEscapeWhitespace(c *check.C) {
+	name := "testbuildescapewhitespace"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+  # ESCAPE=\
+  FROM busybox
+  MAINTAINER "Docker \
+IO <io@\
+docker.com>"
+  `))
+
+	res := inspectField(c, name, "Author")
+	if res != "\"Docker IO <io@docker.com>\"" {
+		c.Fatalf("Parsed string did not match the escaped string. Got: %q", res)
+	}
+
+}
+
+func (s *DockerSuite) TestBuildVerifyIntString(c *check.C) {
+	// Verify that strings that look like ints are still passed as strings
+	name := "testbuildstringing"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+	FROM busybox
+	MAINTAINER 123`))
+
+	out, _ := dockerCmd(c, "inspect", name)
+	if !strings.Contains(out, "\"123\"") {
+		c.Fatalf("Output does not contain the int as a string:\n%s", out)
+	}
+
+}
+
+func (s *DockerSuite) TestBuildDockerignore(c *check.C) {
+	name := "testbuilddockerignore"
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `
+		FROM busybox
+		 ADD . /bla
+		RUN sh -c "[[ -f /bla/src/x.go ]]"
+		RUN sh -c "[[ -f /bla/Makefile ]]"
+		RUN sh -c "[[ ! -e /bla/src/_vendor ]]"
+		RUN sh -c "[[ ! -e /bla/.gitignore ]]"
+		RUN sh -c "[[ ! -e /bla/README.md ]]"
+		RUN sh -c "[[ ! -e /bla/dir/foo ]]"
+		RUN sh -c "[[ ! -e /bla/foo ]]"
+		RUN sh -c "[[ ! -e /bla/.git ]]"
+		RUN sh -c "[[ ! -e v.cc ]]"
+		RUN sh -c "[[ ! -e src/v.cc ]]"
+		RUN sh -c "[[ ! -e src/_vendor/v.cc ]]"`),
+		build.WithFile("Makefile", "all:"),
+		build.WithFile(".git/HEAD", "ref: foo"),
+		build.WithFile("src/x.go", "package main"),
+		build.WithFile("src/_vendor/v.go", "package main"),
+		build.WithFile("src/_vendor/v.cc", "package main"),
+		build.WithFile("src/v.cc", "package main"),
+		build.WithFile("v.cc", "package main"),
+		build.WithFile("dir/foo", ""),
+		build.WithFile(".gitignore", ""),
+		build.WithFile("README.md", "readme"),
+		build.WithFile(".dockerignore", `
+.git
+pkg
+.gitignore
+src/_vendor
+*.md
+**/*.cc
+dir`),
+	))
+}
+
+func (s *DockerSuite) TestBuildDockerignoreCleanPaths(c *check.C) {
+	name := "testbuilddockerignorecleanpaths"
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `
+        FROM busybox
+        ADD . /tmp/
+        RUN sh -c "(! ls /tmp/foo) && (! ls /tmp/foo2) && (! ls /tmp/dir1/foo)"`),
+		build.WithFile("foo", "foo"),
+		build.WithFile("foo2", "foo2"),
+		build.WithFile("dir1/foo", "foo in dir1"),
+		build.WithFile(".dockerignore", "./foo\ndir1//foo\n./dir1/../foo2"),
+	))
+}
+
+func (s *DockerSuite) TestBuildDockerignoreExceptions(c *check.C) {
+	name := "testbuilddockerignoreexceptions"
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `
+		FROM busybox
+		ADD . /bla
+		RUN sh -c "[[ -f /bla/src/x.go ]]"
+		RUN sh -c "[[ -f /bla/Makefile ]]"
+		RUN sh -c "[[ ! -e /bla/src/_vendor ]]"
+		RUN sh -c "[[ ! -e /bla/.gitignore ]]"
+		RUN sh -c "[[ ! -e /bla/README.md ]]"
+		RUN sh -c "[[  -e /bla/dir/dir/foo ]]"
+		RUN sh -c "[[ ! -e /bla/dir/foo1 ]]"
+		RUN sh -c "[[ -f /bla/dir/e ]]"
+		RUN sh -c "[[ -f /bla/dir/e-dir/foo ]]"
+		RUN sh -c "[[ ! -e /bla/foo ]]"
+		RUN sh -c "[[ ! -e /bla/.git ]]"
+		RUN sh -c "[[ -e /bla/dir/a.cc ]]"`),
+		build.WithFile("Makefile", "all:"),
+		build.WithFile(".git/HEAD", "ref: foo"),
+		build.WithFile("src/x.go", "package main"),
+		build.WithFile("src/_vendor/v.go", "package main"),
+		build.WithFile("dir/foo", ""),
+		build.WithFile("dir/foo1", ""),
+		build.WithFile("dir/dir/f1", ""),
+		build.WithFile("dir/dir/foo", ""),
+		build.WithFile("dir/e", ""),
+		build.WithFile("dir/e-dir/foo", ""),
+		build.WithFile(".gitignore", ""),
+		build.WithFile("README.md", "readme"),
+		build.WithFile("dir/a.cc", "hello"),
+		build.WithFile(".dockerignore", `
+.git
+pkg
+.gitignore
+src/_vendor
+*.md
+dir
+!dir/e*
+!dir/dir/foo
+**/*.cc
+!**/*.cc`),
+	))
+}
+
+func (s *DockerSuite) TestBuildDockerignoringDockerfile(c *check.C) {
+	name := "testbuilddockerignoredockerfile"
+	dockerfile := `
+		FROM busybox
+		ADD . /tmp/
+		RUN sh -c "! ls /tmp/Dockerfile"
+		RUN ls /tmp/.dockerignore`
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile(".dockerignore", "Dockerfile\n"),
+	))
+	// FIXME(vdemeester) why twice ?
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile(".dockerignore", "./Dockerfile\n"),
+	))
+}
+
+func (s *DockerSuite) TestBuildDockerignoringRenamedDockerfile(c *check.C) {
+	name := "testbuilddockerignoredockerfile"
+	dockerfile := `
+		FROM busybox
+		ADD . /tmp/
+		RUN ls /tmp/Dockerfile
+		RUN sh -c "! ls /tmp/MyDockerfile"
+		RUN ls /tmp/.dockerignore`
+	buildImageSuccessfully(c, name, cli.WithFlags("-f", "MyDockerfile"), build.WithBuildContext(c,
+		build.WithFile("Dockerfile", "Should not use me"),
+		build.WithFile("MyDockerfile", dockerfile),
+		build.WithFile(".dockerignore", "MyDockerfile\n"),
+	))
+	// FIXME(vdemeester) why twice ?
+	buildImageSuccessfully(c, name, cli.WithFlags("-f", "MyDockerfile"), build.WithBuildContext(c,
+		build.WithFile("Dockerfile", "Should not use me"),
+		build.WithFile("MyDockerfile", dockerfile),
+		build.WithFile(".dockerignore", "./MyDockerfile\n"),
+	))
+}
+
+func (s *DockerSuite) TestBuildDockerignoringDockerignore(c *check.C) {
+	name := "testbuilddockerignoredockerignore"
+	dockerfile := `
+		FROM busybox
+		ADD . /tmp/
+		RUN sh -c "! ls /tmp/.dockerignore"
+		RUN ls /tmp/Dockerfile`
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile(".dockerignore", ".dockerignore\n"),
+	))
+}
+
+func (s *DockerSuite) TestBuildDockerignoreTouchDockerfile(c *check.C) {
+	name := "testbuilddockerignoretouchdockerfile"
+	dockerfile := `
+        FROM busybox
+		ADD . /tmp/`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			".dockerignore": "Dockerfile\n",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, name)
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, name)
+	if id1 != id2 {
+		c.Fatalf("Didn't use the cache - 1")
+	}
+
+	// Now make sure touching Dockerfile doesn't invalidate the cache
+	if err := ctx.Add("Dockerfile", dockerfile+"\n# hi"); err != nil {
+		c.Fatalf("Didn't add Dockerfile: %s", err)
+	}
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id2 = getIDByName(c, name)
+	if id1 != id2 {
+		c.Fatalf("Didn't use the cache - 2")
+	}
+
+	// One more time but just 'touch' it instead of changing the content
+	if err := ctx.Add("Dockerfile", dockerfile+"\n# hi"); err != nil {
+		c.Fatalf("Didn't add Dockerfile: %s", err)
+	}
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	id2 = getIDByName(c, name)
+	if id1 != id2 {
+		c.Fatalf("Didn't use the cache - 3")
+	}
+}
+
+func (s *DockerSuite) TestBuildDockerignoringWholeDir(c *check.C) {
+	name := "testbuilddockerignorewholedir"
+
+	dockerfile := `
+		FROM busybox
+		COPY . /
+		RUN sh -c "[[ ! -e /.gitignore ]]"
+		RUN sh -c "[[ ! -e /Makefile ]]"`
+
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile(".dockerignore", "*\n"),
+		build.WithFile("Makefile", "all:"),
+		build.WithFile(".gitignore", ""),
+	))
+}
+
+func (s *DockerSuite) TestBuildDockerignoringOnlyDotfiles(c *check.C) {
+	name := "testbuilddockerignorewholedir"
+
+	dockerfile := `
+		FROM busybox
+		COPY . /
+		RUN sh -c "[[ ! -e /.gitignore ]]"
+		RUN sh -c "[[ -f /Makefile ]]"`
+
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile(".dockerignore", ".*"),
+		build.WithFile("Makefile", "all:"),
+		build.WithFile(".gitignore", ""),
+	))
+}
+
+func (s *DockerSuite) TestBuildDockerignoringBadExclusion(c *check.C) {
+	name := "testbuilddockerignorebadexclusion"
+	buildImage(name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `
+		FROM busybox
+		COPY . /
+		RUN sh -c "[[ ! -e /.gitignore ]]"
+		RUN sh -c "[[ -f /Makefile ]]"`),
+		build.WithFile("Makefile", "all:"),
+		build.WithFile(".gitignore", ""),
+		build.WithFile(".dockerignore", "!\n"),
+	)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      `illegal exclusion pattern: "!"`,
+	})
+}
+
+func (s *DockerSuite) TestBuildDockerignoringWildTopDir(c *check.C) {
+	dockerfile := `
+		FROM busybox
+		COPY . /
+		RUN sh -c "[[ ! -e /.dockerignore ]]"
+		RUN sh -c "[[ ! -e /Dockerfile ]]"
+		RUN sh -c "[[ ! -e /file1 ]]"
+		RUN sh -c "[[ ! -e /dir ]]"`
+
+	// All of these should result in ignoring all files
+	for _, variant := range []string{"**", "**/", "**/**", "*"} {
+		buildImageSuccessfully(c, "noname", build.WithBuildContext(c,
+			build.WithFile("Dockerfile", dockerfile),
+			build.WithFile("file1", ""),
+			build.WithFile("dir/file1", ""),
+			build.WithFile(".dockerignore", variant),
+		))
+
+		dockerCmd(c, "rmi", "noname")
+	}
+}
+
+func (s *DockerSuite) TestBuildDockerignoringWildDirs(c *check.C) {
+	dockerfile := `
+        FROM busybox
+		COPY . /
+		#RUN sh -c "[[ -e /.dockerignore ]]"
+		RUN sh -c "[[ -e /Dockerfile ]]           && \
+		           [[ ! -e /file0 ]]              && \
+		           [[ ! -e /dir1/file0 ]]         && \
+		           [[ ! -e /dir2/file0 ]]         && \
+		           [[ ! -e /file1 ]]              && \
+		           [[ ! -e /dir1/file1 ]]         && \
+		           [[ ! -e /dir1/dir2/file1 ]]    && \
+		           [[ ! -e /dir1/file2 ]]         && \
+		           [[   -e /dir1/dir2/file2 ]]    && \
+		           [[ ! -e /dir1/dir2/file4 ]]    && \
+		           [[ ! -e /dir1/dir2/file5 ]]    && \
+		           [[ ! -e /dir1/dir2/file6 ]]    && \
+		           [[ ! -e /dir1/dir3/file7 ]]    && \
+		           [[ ! -e /dir1/dir3/file8 ]]    && \
+		           [[   -e /dir1/dir3 ]]          && \
+		           [[   -e /dir1/dir4 ]]          && \
+		           [[ ! -e 'dir1/dir5/fileAA' ]]  && \
+		           [[   -e 'dir1/dir5/fileAB' ]]  && \
+		           [[   -e 'dir1/dir5/fileB' ]]"   # "." in pattern means nothing
+
+		RUN echo all done!`
+
+	dockerignore := `
+**/file0
+**/*file1
+**/dir1/file2
+dir1/**/file4
+**/dir2/file5
+**/dir1/dir2/file6
+dir1/dir3/**
+**/dir4/**
+**/file?A
+**/file\?B
+**/dir5/file.
+`
+
+	buildImageSuccessfully(c, "noname", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile(".dockerignore", dockerignore),
+		build.WithFile("dir1/file0", ""),
+		build.WithFile("dir1/dir2/file0", ""),
+		build.WithFile("file1", ""),
+		build.WithFile("dir1/file1", ""),
+		build.WithFile("dir1/dir2/file1", ""),
+		build.WithFile("dir1/file2", ""),
+		build.WithFile("dir1/dir2/file2", ""), // remains
+		build.WithFile("dir1/dir2/file4", ""),
+		build.WithFile("dir1/dir2/file5", ""),
+		build.WithFile("dir1/dir2/file6", ""),
+		build.WithFile("dir1/dir3/file7", ""),
+		build.WithFile("dir1/dir3/file8", ""),
+		build.WithFile("dir1/dir4/file9", ""),
+		build.WithFile("dir1/dir5/fileAA", ""),
+		build.WithFile("dir1/dir5/fileAB", ""),
+		build.WithFile("dir1/dir5/fileB", ""),
+	))
+}
+
+func (s *DockerSuite) TestBuildLineBreak(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildlinebreak"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM  busybox
+RUN    sh -c 'echo root:testpass \
+	> /tmp/passwd'
+RUN    mkdir -p /var/run/sshd
+RUN    sh -c "[ "$(cat /tmp/passwd)" = "root:testpass" ]"
+RUN    sh -c "[ "$(ls -d /var/run/sshd)" = "/var/run/sshd" ]"`))
+}
+
+func (s *DockerSuite) TestBuildEOLInLine(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildeolinline"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM   busybox
+RUN    sh -c 'echo root:testpass > /tmp/passwd'
+RUN    echo "foo \n bar"; echo "baz"
+RUN    mkdir -p /var/run/sshd
+RUN    sh -c "[ "$(cat /tmp/passwd)" = "root:testpass" ]"
+RUN    sh -c "[ "$(ls -d /var/run/sshd)" = "/var/run/sshd" ]"`))
+}
+
+func (s *DockerSuite) TestBuildCommentsShebangs(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildcomments"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+# This is an ordinary comment.
+RUN { echo '#!/bin/sh'; echo 'echo hello world'; } > /hello.sh
+RUN [ ! -x /hello.sh ]
+# comment with line break \
+RUN chmod +x /hello.sh
+RUN [ -x /hello.sh ]
+RUN [ "$(cat /hello.sh)" = $'#!/bin/sh\necho hello world' ]
+RUN [ "$(/hello.sh)" = "hello world" ]`))
+}
+
+func (s *DockerSuite) TestBuildUsersAndGroups(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildusers"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+
+# Make sure our defaults work
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)" = '0:0/root:root' ]
+
+# TODO decide if "args.user = strconv.Itoa(syscall.Getuid())" is acceptable behavior for changeUser in sysvinit instead of "return nil" when "USER" isn't specified (so that we get the proper group list even if that is the empty list, even in the default case of not supplying an explicit USER to run as, which implies USER 0)
+USER root
+RUN [ "$(id -G):$(id -Gn)" = '0 10:root wheel' ]
+
+# Setup dockerio user and group
+RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd && \
+	echo 'dockerio:x:1001:' >> /etc/group
+
+# Make sure we can switch to our user and all the information is exactly as we expect it to be
+USER dockerio
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1001/dockerio:dockerio/1001:dockerio' ]
+
+# Switch back to root and double check that worked exactly as we might expect it to
+USER root
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '0:0/root:root/0 10:root wheel' ] && \
+        # Add a "supplementary" group for our dockerio user
+	echo 'supplementary:x:1002:dockerio' >> /etc/group
+
+# ... and then go verify that we get it like we expect
+USER dockerio
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1001/dockerio:dockerio/1001 1002:dockerio supplementary' ]
+USER 1001
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1001/dockerio:dockerio/1001 1002:dockerio supplementary' ]
+
+# super test the new "user:group" syntax
+USER dockerio:dockerio
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1001/dockerio:dockerio/1001:dockerio' ]
+USER 1001:dockerio
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1001/dockerio:dockerio/1001:dockerio' ]
+USER dockerio:1001
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1001/dockerio:dockerio/1001:dockerio' ]
+USER 1001:1001
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1001/dockerio:dockerio/1001:dockerio' ]
+USER dockerio:supplementary
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1002/dockerio:supplementary/1002:supplementary' ]
+USER dockerio:1002
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1002/dockerio:supplementary/1002:supplementary' ]
+USER 1001:supplementary
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1002/dockerio:supplementary/1002:supplementary' ]
+USER 1001:1002
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1001:1002/dockerio:supplementary/1002:supplementary' ]
+
+# make sure unknown uid/gid still works properly
+USER 1042:1043
+RUN [ "$(id -u):$(id -g)/$(id -un):$(id -gn)/$(id -G):$(id -Gn)" = '1042:1043/1042:1043/1043:1043' ]`))
+}
+
+// FIXME(vdemeester) rename this test (and probably "merge" it with the one below TestBuildEnvUsage2)
+func (s *DockerSuite) TestBuildEnvUsage(c *check.C) {
+	// /docker/world/hello is not owned by the correct user
+	testRequires(c, NotUserNamespace)
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildenvusage"
+	dockerfile := `FROM busybox
+ENV    HOME /root
+ENV    PATH $HOME/bin:$PATH
+ENV    PATH /tmp:$PATH
+RUN    [ "$PATH" = "/tmp:$HOME/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ]
+ENV    FOO /foo/baz
+ENV    BAR /bar
+ENV    BAZ $BAR
+ENV    FOOPATH $PATH:$FOO
+RUN    [ "$BAR" = "$BAZ" ]
+RUN    [ "$FOOPATH" = "$PATH:/foo/baz" ]
+ENV    FROM hello/docker/world
+ENV    TO /docker/world/hello
+ADD    $FROM $TO
+RUN    [ "$(cat $TO)" = "hello" ]
+ENV    abc=def
+ENV    ghi=$abc
+RUN    [ "$ghi" = "def" ]
+`
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile("hello/docker/world", "hello"),
+	))
+}
+
+// FIXME(vdemeester) rename this test (and probably "merge" it with the one above TestBuildEnvUsage)
+func (s *DockerSuite) TestBuildEnvUsage2(c *check.C) {
+	// /docker/world/hello is not owned by the correct user
+	testRequires(c, NotUserNamespace)
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildenvusage2"
+	dockerfile := `FROM busybox
+ENV    abc=def def="hello world"
+RUN    [ "$abc,$def" = "def,hello world" ]
+ENV    def=hello\ world v1=abc v2="hi there" v3='boogie nights' v4="with'quotes too"
+RUN    [ "$def,$v1,$v2,$v3,$v4" = "hello world,abc,hi there,boogie nights,with'quotes too" ]
+ENV    abc=zzz FROM=hello/docker/world
+ENV    abc=zzz TO=/docker/world/hello
+ADD    $FROM $TO
+RUN    [ "$abc,$(cat $TO)" = "zzz,hello" ]
+ENV    abc 'yyy'
+RUN    [ $abc = 'yyy' ]
+ENV    abc=
+RUN    [ "$abc" = "" ]
+
+# use grep to make sure if the builder substitutes \$foo by mistake
+# we don't get a false positive
+ENV    abc=\$foo
+RUN    [ "$abc" = "\$foo" ] && (echo "$abc" | grep foo)
+ENV    abc \$foo
+RUN    [ "$abc" = "\$foo" ] && (echo "$abc" | grep foo)
+
+ENV    abc=\'foo\' abc2=\"foo\"
+RUN    [ "$abc,$abc2" = "'foo',\"foo\"" ]
+ENV    abc "foo"
+RUN    [ "$abc" = "foo" ]
+ENV    abc 'foo'
+RUN    [ "$abc" = 'foo' ]
+ENV    abc \'foo\'
+RUN    [ "$abc" = "'foo'" ]
+ENV    abc \"foo\"
+RUN    [ "$abc" = '"foo"' ]
+
+ENV    abc=ABC
+RUN    [ "$abc" = "ABC" ]
+ENV    def1=${abc:-DEF} def2=${ccc:-DEF}
+ENV    def3=${ccc:-${def2}xx} def4=${abc:+ALT} def5=${def2:+${abc}:} def6=${ccc:-\$abc:} def7=${ccc:-\${abc}:}
+RUN    [ "$def1,$def2,$def3,$def4,$def5,$def6,$def7" = 'ABC,DEF,DEFxx,ALT,ABC:,$abc:,${abc:}' ]
+ENV    mypath=${mypath:+$mypath:}/home
+ENV    mypath=${mypath:+$mypath:}/away
+RUN    [ "$mypath" = '/home:/away' ]
+
+ENV    e1=bar
+ENV    e2=$e1 e3=$e11 e4=\$e1 e5=\$e11
+RUN    [ "$e0,$e1,$e2,$e3,$e4,$e5" = ',bar,bar,,$e1,$e11' ]
+
+ENV    ee1 bar
+ENV    ee2 $ee1
+ENV    ee3 $ee11
+ENV    ee4 \$ee1
+ENV    ee5 \$ee11
+RUN    [ "$ee1,$ee2,$ee3,$ee4,$ee5" = 'bar,bar,,$ee1,$ee11' ]
+
+ENV    eee1="foo" eee2='foo'
+ENV    eee3 "foo"
+ENV    eee4 'foo'
+RUN    [ "$eee1,$eee2,$eee3,$eee4" = 'foo,foo,foo,foo' ]
+
+`
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile("hello/docker/world", "hello"),
+	))
+}
+
+func (s *DockerSuite) TestBuildAddScript(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildaddscript"
+	dockerfile := `
+FROM busybox
+ADD test /test
+RUN ["chmod","+x","/test"]
+RUN ["/test"]
+RUN [ "$(cat /testfile)" = 'test!' ]`
+
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile("test", "#!/bin/sh\necho 'test!' > /testfile"),
+	))
+}
+
+func (s *DockerSuite) TestBuildAddTar(c *check.C) {
+	// /test/foo is not owned by the correct user
+	testRequires(c, NotUserNamespace)
+	name := "testbuildaddtar"
+
+	ctx := func() *fakecontext.Fake {
+		dockerfile := `
+FROM busybox
+ADD test.tar /
+RUN cat /test/foo | grep Hi
+ADD test.tar /test.tar
+RUN cat /test.tar/test/foo | grep Hi
+ADD test.tar /unlikely-to-exist
+RUN cat /unlikely-to-exist/test/foo | grep Hi
+ADD test.tar /unlikely-to-exist-trailing-slash/
+RUN cat /unlikely-to-exist-trailing-slash/test/foo | grep Hi
+RUN sh -c "mkdir /existing-directory" #sh -c is needed on Windows to use the correct mkdir
+ADD test.tar /existing-directory
+RUN cat /existing-directory/test/foo | grep Hi
+ADD test.tar /existing-directory-trailing-slash/
+RUN cat /existing-directory-trailing-slash/test/foo | grep Hi`
+		tmpDir, err := ioutil.TempDir("", "fake-context")
+		c.Assert(err, check.IsNil)
+		testTar, err := os.Create(filepath.Join(tmpDir, "test.tar"))
+		if err != nil {
+			c.Fatalf("failed to create test.tar archive: %v", err)
+		}
+		defer testTar.Close()
+
+		tw := tar.NewWriter(testTar)
+
+		if err := tw.WriteHeader(&tar.Header{
+			Name: "test/foo",
+			Size: 2,
+		}); err != nil {
+			c.Fatalf("failed to write tar file header: %v", err)
+		}
+		if _, err := tw.Write([]byte("Hi")); err != nil {
+			c.Fatalf("failed to write tar file content: %v", err)
+		}
+		if err := tw.Close(); err != nil {
+			c.Fatalf("failed to close tar archive: %v", err)
+		}
+
+		if err := ioutil.WriteFile(filepath.Join(tmpDir, "Dockerfile"), []byte(dockerfile), 0644); err != nil {
+			c.Fatalf("failed to open destination dockerfile: %v", err)
+		}
+		return fakecontext.New(c, tmpDir)
+	}()
+	defer ctx.Close()
+
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+}
+
+func (s *DockerSuite) TestBuildAddBrokenTar(c *check.C) {
+	name := "testbuildaddbrokentar"
+
+	ctx := func() *fakecontext.Fake {
+		dockerfile := `
+FROM busybox
+ADD test.tar /`
+		tmpDir, err := ioutil.TempDir("", "fake-context")
+		c.Assert(err, check.IsNil)
+		testTar, err := os.Create(filepath.Join(tmpDir, "test.tar"))
+		if err != nil {
+			c.Fatalf("failed to create test.tar archive: %v", err)
+		}
+		defer testTar.Close()
+
+		tw := tar.NewWriter(testTar)
+
+		if err := tw.WriteHeader(&tar.Header{
+			Name: "test/foo",
+			Size: 2,
+		}); err != nil {
+			c.Fatalf("failed to write tar file header: %v", err)
+		}
+		if _, err := tw.Write([]byte("Hi")); err != nil {
+			c.Fatalf("failed to write tar file content: %v", err)
+		}
+		if err := tw.Close(); err != nil {
+			c.Fatalf("failed to close tar archive: %v", err)
+		}
+
+		// Corrupt the tar by removing one byte off the end
+		stat, err := testTar.Stat()
+		if err != nil {
+			c.Fatalf("failed to stat tar archive: %v", err)
+		}
+		if err := testTar.Truncate(stat.Size() - 1); err != nil {
+			c.Fatalf("failed to truncate tar archive: %v", err)
+		}
+
+		if err := ioutil.WriteFile(filepath.Join(tmpDir, "Dockerfile"), []byte(dockerfile), 0644); err != nil {
+			c.Fatalf("failed to open destination dockerfile: %v", err)
+		}
+		return fakecontext.New(c, tmpDir)
+	}()
+	defer ctx.Close()
+
+	buildImage(name, build.WithExternalBuildContext(ctx)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+}
+
+func (s *DockerSuite) TestBuildAddNonTar(c *check.C) {
+	name := "testbuildaddnontar"
+
+	// Should not try to extract test.tar
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `
+		FROM busybox
+		ADD test.tar /
+		RUN test -f /test.tar`),
+		build.WithFile("test.tar", "not_a_tar_file"),
+	))
+}
+
+func (s *DockerSuite) TestBuildAddTarXz(c *check.C) {
+	// /test/foo is not owned by the correct user
+	testRequires(c, NotUserNamespace)
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildaddtarxz"
+
+	ctx := func() *fakecontext.Fake {
+		dockerfile := `
+			FROM busybox
+			ADD test.tar.xz /
+			RUN cat /test/foo | grep Hi`
+		tmpDir, err := ioutil.TempDir("", "fake-context")
+		c.Assert(err, check.IsNil)
+		testTar, err := os.Create(filepath.Join(tmpDir, "test.tar"))
+		if err != nil {
+			c.Fatalf("failed to create test.tar archive: %v", err)
+		}
+		defer testTar.Close()
+
+		tw := tar.NewWriter(testTar)
+
+		if err := tw.WriteHeader(&tar.Header{
+			Name: "test/foo",
+			Size: 2,
+		}); err != nil {
+			c.Fatalf("failed to write tar file header: %v", err)
+		}
+		if _, err := tw.Write([]byte("Hi")); err != nil {
+			c.Fatalf("failed to write tar file content: %v", err)
+		}
+		if err := tw.Close(); err != nil {
+			c.Fatalf("failed to close tar archive: %v", err)
+		}
+
+		icmd.RunCmd(icmd.Cmd{
+			Command: []string{"xz", "-k", "test.tar"},
+			Dir:     tmpDir,
+		}).Assert(c, icmd.Success)
+		if err := ioutil.WriteFile(filepath.Join(tmpDir, "Dockerfile"), []byte(dockerfile), 0644); err != nil {
+			c.Fatalf("failed to open destination dockerfile: %v", err)
+		}
+		return fakecontext.New(c, tmpDir)
+	}()
+
+	defer ctx.Close()
+
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+}
+
+func (s *DockerSuite) TestBuildAddTarXzGz(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildaddtarxzgz"
+
+	ctx := func() *fakecontext.Fake {
+		dockerfile := `
+			FROM busybox
+			ADD test.tar.xz.gz /
+			RUN ls /test.tar.xz.gz`
+		tmpDir, err := ioutil.TempDir("", "fake-context")
+		c.Assert(err, check.IsNil)
+		testTar, err := os.Create(filepath.Join(tmpDir, "test.tar"))
+		if err != nil {
+			c.Fatalf("failed to create test.tar archive: %v", err)
+		}
+		defer testTar.Close()
+
+		tw := tar.NewWriter(testTar)
+
+		if err := tw.WriteHeader(&tar.Header{
+			Name: "test/foo",
+			Size: 2,
+		}); err != nil {
+			c.Fatalf("failed to write tar file header: %v", err)
+		}
+		if _, err := tw.Write([]byte("Hi")); err != nil {
+			c.Fatalf("failed to write tar file content: %v", err)
+		}
+		if err := tw.Close(); err != nil {
+			c.Fatalf("failed to close tar archive: %v", err)
+		}
+
+		icmd.RunCmd(icmd.Cmd{
+			Command: []string{"xz", "-k", "test.tar"},
+			Dir:     tmpDir,
+		}).Assert(c, icmd.Success)
+
+		icmd.RunCmd(icmd.Cmd{
+			Command: []string{"gzip", "test.tar.xz"},
+			Dir:     tmpDir,
+		})
+		if err := ioutil.WriteFile(filepath.Join(tmpDir, "Dockerfile"), []byte(dockerfile), 0644); err != nil {
+			c.Fatalf("failed to open destination dockerfile: %v", err)
+		}
+		return fakecontext.New(c, tmpDir)
+	}()
+
+	defer ctx.Close()
+
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+}
+
+// FIXME(vdemeester) most of the from git tests could be moved to `docker/cli` e2e tests
+func (s *DockerSuite) TestBuildFromGit(c *check.C) {
+	name := "testbuildfromgit"
+	git := fakegit.New(c, "repo", map[string]string{
+		"Dockerfile": `FROM busybox
+		ADD first /first
+		RUN [ -f /first ]
+		MAINTAINER docker`,
+		"first": "test git data",
+	}, true)
+	defer git.Close()
+
+	buildImageSuccessfully(c, name, build.WithContextPath(git.RepoURL))
+
+	res := inspectField(c, name, "Author")
+	if res != "docker" {
+		c.Fatalf("Maintainer should be docker, got %s", res)
+	}
+}
+
+func (s *DockerSuite) TestBuildFromGitWithContext(c *check.C) {
+	name := "testbuildfromgit"
+	git := fakegit.New(c, "repo", map[string]string{
+		"docker/Dockerfile": `FROM busybox
+					ADD first /first
+					RUN [ -f /first ]
+					MAINTAINER docker`,
+		"docker/first": "test git data",
+	}, true)
+	defer git.Close()
+
+	buildImageSuccessfully(c, name, build.WithContextPath(fmt.Sprintf("%s#master:docker", git.RepoURL)))
+
+	res := inspectField(c, name, "Author")
+	if res != "docker" {
+		c.Fatalf("Maintainer should be docker, got %s", res)
+	}
+}
+
+func (s *DockerSuite) TestBuildFromGitWithF(c *check.C) {
+	name := "testbuildfromgitwithf"
+	git := fakegit.New(c, "repo", map[string]string{
+		"myApp/myDockerfile": `FROM busybox
+					RUN echo hi from Dockerfile`,
+	}, true)
+	defer git.Close()
+
+	buildImage(name, cli.WithFlags("-f", "myApp/myDockerfile"), build.WithContextPath(git.RepoURL)).Assert(c, icmd.Expected{
+		Out: "hi from Dockerfile",
+	})
+}
+
+func (s *DockerSuite) TestBuildFromRemoteTarball(c *check.C) {
+	name := "testbuildfromremotetarball"
+
+	buffer := new(bytes.Buffer)
+	tw := tar.NewWriter(buffer)
+	defer tw.Close()
+
+	dockerfile := []byte(`FROM busybox
+					MAINTAINER docker`)
+	if err := tw.WriteHeader(&tar.Header{
+		Name: "Dockerfile",
+		Size: int64(len(dockerfile)),
+	}); err != nil {
+		c.Fatalf("failed to write tar file header: %v", err)
+	}
+	if _, err := tw.Write(dockerfile); err != nil {
+		c.Fatalf("failed to write tar file content: %v", err)
+	}
+	if err := tw.Close(); err != nil {
+		c.Fatalf("failed to close tar archive: %v", err)
+	}
+
+	server := fakestorage.New(c, "", fakecontext.WithBinaryFiles(map[string]*bytes.Buffer{
+		"testT.tar": buffer,
+	}))
+	defer server.Close()
+
+	cli.BuildCmd(c, name, build.WithContextPath(server.URL()+"/testT.tar"))
+
+	res := inspectField(c, name, "Author")
+	if res != "docker" {
+		c.Fatalf("Maintainer should be docker, got %s", res)
+	}
+}
+
+func (s *DockerSuite) TestBuildCleanupCmdOnEntrypoint(c *check.C) {
+	name := "testbuildcmdcleanuponentrypoint"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+		CMD ["test"]
+		ENTRYPOINT ["echo"]`))
+	buildImageSuccessfully(c, name, build.WithDockerfile(fmt.Sprintf(`FROM %s
+		ENTRYPOINT ["cat"]`, name)))
+
+	res := inspectField(c, name, "Config.Cmd")
+	if res != "[]" {
+		c.Fatalf("Cmd %s, expected nil", res)
+	}
+	res = inspectField(c, name, "Config.Entrypoint")
+	if expected := "[cat]"; res != expected {
+		c.Fatalf("Entrypoint %s, expected %s", res, expected)
+	}
+}
+
+func (s *DockerSuite) TestBuildClearCmd(c *check.C) {
+	name := "testbuildclearcmd"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+   ENTRYPOINT ["/bin/bash"]
+   CMD []`))
+
+	res := inspectFieldJSON(c, name, "Config.Cmd")
+	if res != "[]" {
+		c.Fatalf("Cmd %s, expected %s", res, "[]")
+	}
+}
+
+func (s *DockerSuite) TestBuildEmptyCmd(c *check.C) {
+	// Skip on Windows. Base image on Windows has a CMD set in the image.
+	testRequires(c, DaemonIsLinux)
+
+	name := "testbuildemptycmd"
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM "+minimalBaseImage()+"\nMAINTAINER quux\n"))
+
+	res := inspectFieldJSON(c, name, "Config.Cmd")
+	if res != "null" {
+		c.Fatalf("Cmd %s, expected %s", res, "null")
+	}
+}
+
+func (s *DockerSuite) TestBuildOnBuildOutput(c *check.C) {
+	name := "testbuildonbuildparent"
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nONBUILD RUN echo foo\n"))
+
+	buildImage(name, build.WithDockerfile("FROM "+name+"\nMAINTAINER quux\n")).Assert(c, icmd.Expected{
+		Out: "# Executing 1 build trigger",
+	})
+}
+
+// FIXME(vdemeester) should be a unit test
+func (s *DockerSuite) TestBuildInvalidTag(c *check.C) {
+	name := "abcd:" + testutil.GenerateRandomAlphaOnlyString(200)
+	buildImage(name, build.WithDockerfile("FROM "+minimalBaseImage()+"\nMAINTAINER quux\n")).Assert(c, icmd.Expected{
+		ExitCode: 125,
+		Err:      "invalid reference format",
+	})
+}
+
+func (s *DockerSuite) TestBuildCmdShDashC(c *check.C) {
+	name := "testbuildcmdshc"
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nCMD echo cmd\n"))
+
+	res := inspectFieldJSON(c, name, "Config.Cmd")
+	expected := `["/bin/sh","-c","echo cmd"]`
+	if testEnv.OSType == "windows" {
+		expected = `["cmd","/S","/C","echo cmd"]`
+	}
+	if res != expected {
+		c.Fatalf("Expected value %s not in Config.Cmd: %s", expected, res)
+	}
+
+}
+
+func (s *DockerSuite) TestBuildCmdSpaces(c *check.C) {
+	// Test to make sure that when we strcat arrays we take into account
+	// the arg separator to make sure ["echo","hi"] and ["echo hi"] don't
+	// look the same
+	name := "testbuildcmdspaces"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nCMD [\"echo hi\"]\n"))
+	id1 := getIDByName(c, name)
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nCMD [\"echo\", \"hi\"]\n"))
+	id2 := getIDByName(c, name)
+
+	if id1 == id2 {
+		c.Fatal("Should not have resulted in the same CMD")
+	}
+
+	// Now do the same with ENTRYPOINT
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nENTRYPOINT [\"echo hi\"]\n"))
+	id1 = getIDByName(c, name)
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nENTRYPOINT [\"echo\", \"hi\"]\n"))
+	id2 = getIDByName(c, name)
+
+	if id1 == id2 {
+		c.Fatal("Should not have resulted in the same ENTRYPOINT")
+	}
+}
+
+func (s *DockerSuite) TestBuildCmdJSONNoShDashC(c *check.C) {
+	name := "testbuildcmdjson"
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nCMD [\"echo\", \"cmd\"]"))
+
+	res := inspectFieldJSON(c, name, "Config.Cmd")
+	expected := `["echo","cmd"]`
+	if res != expected {
+		c.Fatalf("Expected value %s not in Config.Cmd: %s", expected, res)
+	}
+}
+
+func (s *DockerSuite) TestBuildEntrypointCanBeOverriddenByChild(c *check.C) {
+	buildImageSuccessfully(c, "parent", build.WithDockerfile(`
+    FROM busybox
+    ENTRYPOINT exit 130
+    `))
+
+	icmd.RunCommand(dockerBinary, "run", "parent").Assert(c, icmd.Expected{
+		ExitCode: 130,
+	})
+
+	buildImageSuccessfully(c, "child", build.WithDockerfile(`
+    FROM parent
+    ENTRYPOINT exit 5
+    `))
+
+	icmd.RunCommand(dockerBinary, "run", "child").Assert(c, icmd.Expected{
+		ExitCode: 5,
+	})
+}
+
+func (s *DockerSuite) TestBuildEntrypointCanBeOverriddenByChildInspect(c *check.C) {
+	var (
+		name     = "testbuildepinherit"
+		name2    = "testbuildepinherit2"
+		expected = `["/bin/sh","-c","echo quux"]`
+	)
+
+	if testEnv.OSType == "windows" {
+		expected = `["cmd","/S","/C","echo quux"]`
+	}
+
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nENTRYPOINT /foo/bar"))
+	buildImageSuccessfully(c, name2, build.WithDockerfile(fmt.Sprintf("FROM %s\nENTRYPOINT echo quux", name)))
+
+	res := inspectFieldJSON(c, name2, "Config.Entrypoint")
+	if res != expected {
+		c.Fatalf("Expected value %s not in Config.Entrypoint: %s", expected, res)
+	}
+
+	icmd.RunCommand(dockerBinary, "run", name2).Assert(c, icmd.Expected{
+		Out: "quux",
+	})
+}
+
+func (s *DockerSuite) TestBuildRunShEntrypoint(c *check.C) {
+	name := "testbuildentrypoint"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+                                ENTRYPOINT echo`))
+	dockerCmd(c, "run", "--rm", name)
+}
+
+func (s *DockerSuite) TestBuildExoticShellInterpolation(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildexoticshellinterpolation"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+		FROM busybox
+
+		ENV SOME_VAR a.b.c
+
+		RUN [ "$SOME_VAR"       = 'a.b.c' ]
+		RUN [ "${SOME_VAR}"     = 'a.b.c' ]
+		RUN [ "${SOME_VAR%.*}"  = 'a.b'   ]
+		RUN [ "${SOME_VAR%%.*}" = 'a'     ]
+		RUN [ "${SOME_VAR#*.}"  = 'b.c'   ]
+		RUN [ "${SOME_VAR##*.}" = 'c'     ]
+		RUN [ "${SOME_VAR/c/d}" = 'a.b.d' ]
+		RUN [ "${#SOME_VAR}"    = '5'     ]
+
+		RUN [ "${SOME_UNSET_VAR:-$SOME_VAR}" = 'a.b.c' ]
+		RUN [ "${SOME_VAR:+Version: ${SOME_VAR}}" = 'Version: a.b.c' ]
+		RUN [ "${SOME_UNSET_VAR:+${SOME_VAR}}" = '' ]
+		RUN [ "${SOME_UNSET_VAR:-${SOME_VAR:-d.e.f}}" = 'a.b.c' ]
+	`))
+}
+
+func (s *DockerSuite) TestBuildVerifySingleQuoteFails(c *check.C) {
+	// This testcase is supposed to generate an error because the
+	// JSON array we're passing in on the CMD uses single quotes instead
+	// of double quotes (per the JSON spec). This means we interpret it
+	// as a "string" instead of "JSON array" and pass it on to "sh -c" and
+	// it should barf on it.
+	name := "testbuildsinglequotefails"
+	expectedExitCode := 2
+	if testEnv.OSType == "windows" {
+		expectedExitCode = 127
+	}
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		CMD [ '/bin/sh', '-c', 'echo hi' ]`))
+
+	icmd.RunCommand(dockerBinary, "run", "--rm", name).Assert(c, icmd.Expected{
+		ExitCode: expectedExitCode,
+	})
+}
+
+func (s *DockerSuite) TestBuildVerboseOut(c *check.C) {
+	name := "testbuildverboseout"
+	expected := "\n123\n"
+
+	if testEnv.OSType == "windows" {
+		expected = "\n123\r\n"
+	}
+
+	buildImage(name, build.WithDockerfile(`FROM busybox
+RUN echo 123`)).Assert(c, icmd.Expected{
+		Out: expected,
+	})
+}
+
+func (s *DockerSuite) TestBuildWithTabs(c *check.C) {
+	name := "testbuildwithtabs"
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nRUN echo\tone\t\ttwo"))
+	res := inspectFieldJSON(c, name, "ContainerConfig.Cmd")
+	expected1 := `["/bin/sh","-c","echo\tone\t\ttwo"]`
+	expected2 := `["/bin/sh","-c","echo\u0009one\u0009\u0009two"]` // syntactically equivalent, and what Go 1.3 generates
+	if testEnv.OSType == "windows" {
+		expected1 = `["cmd","/S","/C","echo\tone\t\ttwo"]`
+		expected2 = `["cmd","/S","/C","echo\u0009one\u0009\u0009two"]` // syntactically equivalent, and what Go 1.3 generates
+	}
+	if res != expected1 && res != expected2 {
+		c.Fatalf("Missing tabs.\nGot: %s\nExp: %s or %s", res, expected1, expected2)
+	}
+}
+
+func (s *DockerSuite) TestBuildLabels(c *check.C) {
+	name := "testbuildlabel"
+	expected := `{"License":"GPL","Vendor":"Acme"}`
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		LABEL Vendor=Acme
+                LABEL License GPL`))
+	res := inspectFieldJSON(c, name, "Config.Labels")
+	if res != expected {
+		c.Fatalf("Labels %s, expected %s", res, expected)
+	}
+}
+
+func (s *DockerSuite) TestBuildLabelsCache(c *check.C) {
+	name := "testbuildlabelcache"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		LABEL Vendor=Acme`))
+	id1 := getIDByName(c, name)
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		LABEL Vendor=Acme`))
+	id2 := getIDByName(c, name)
+	if id1 != id2 {
+		c.Fatalf("Build 2 should have worked & used cache(%s,%s)", id1, id2)
+	}
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		LABEL Vendor=Acme1`))
+	id2 = getIDByName(c, name)
+	if id1 == id2 {
+		c.Fatalf("Build 3 should have worked & NOT used cache(%s,%s)", id1, id2)
+	}
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		LABEL Vendor Acme`))
+	id2 = getIDByName(c, name)
+	if id1 != id2 {
+		c.Fatalf("Build 4 should have worked & used cache(%s,%s)", id1, id2)
+	}
+
+	// Now make sure the cache isn't used by mistake
+	buildImageSuccessfully(c, name, build.WithoutCache, build.WithDockerfile(`FROM busybox
+       LABEL f1=b1 f2=b2`))
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+       LABEL f1=b1 f2=b2`))
+	id2 = getIDByName(c, name)
+	if id1 == id2 {
+		c.Fatalf("Build 6 should have worked & NOT used the cache(%s,%s)", id1, id2)
+	}
+
+}
+
+// FIXME(vdemeester) port to docker/cli e2e tests (api tests should test suppressOutput option though)
+func (s *DockerSuite) TestBuildNotVerboseSuccess(c *check.C) {
+	// This test makes sure that -q works correctly when build is successful:
+	// stdout has only the image ID (long image ID) and stderr is empty.
+	outRegexp := regexp.MustCompile("^(sha256:|)[a-z0-9]{64}\\n$")
+	buildFlags := cli.WithFlags("-q")
+
+	tt := []struct {
+		Name      string
+		BuildFunc func(string) *icmd.Result
+	}{
+		{
+			Name: "quiet_build_stdin_success",
+			BuildFunc: func(name string) *icmd.Result {
+				return buildImage(name, buildFlags, build.WithDockerfile("FROM busybox"))
+			},
+		},
+		{
+			Name: "quiet_build_ctx_success",
+			BuildFunc: func(name string) *icmd.Result {
+				return buildImage(name, buildFlags, build.WithBuildContext(c,
+					build.WithFile("Dockerfile", "FROM busybox"),
+					build.WithFile("quiet_build_success_fctx", "test"),
+				))
+			},
+		},
+		{
+			Name: "quiet_build_git_success",
+			BuildFunc: func(name string) *icmd.Result {
+				git := fakegit.New(c, "repo", map[string]string{
+					"Dockerfile": "FROM busybox",
+				}, true)
+				return buildImage(name, buildFlags, build.WithContextPath(git.RepoURL))
+			},
+		},
+	}
+
+	for _, te := range tt {
+		result := te.BuildFunc(te.Name)
+		result.Assert(c, icmd.Success)
+		if outRegexp.Find([]byte(result.Stdout())) == nil {
+			c.Fatalf("Test %s expected stdout to match the [%v] regexp, but it is [%v]", te.Name, outRegexp, result.Stdout())
+		}
+
+		if result.Stderr() != "" {
+			c.Fatalf("Test %s expected stderr to be empty, but it is [%#v]", te.Name, result.Stderr())
+		}
+	}
+
+}
+
+// FIXME(vdemeester) migrate to docker/cli tests
+func (s *DockerSuite) TestBuildNotVerboseFailureWithNonExistImage(c *check.C) {
+	// This test makes sure that -q works correctly when build fails by
+	// comparing between the stderr output in quiet mode and in stdout
+	// and stderr output in verbose mode
+	testRequires(c, Network)
+	testName := "quiet_build_not_exists_image"
+	dockerfile := "FROM busybox11"
+	quietResult := buildImage(testName, cli.WithFlags("-q"), build.WithDockerfile(dockerfile))
+	quietResult.Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+	result := buildImage(testName, build.WithDockerfile(dockerfile))
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+	if quietResult.Stderr() != result.Combined() {
+		c.Fatal(fmt.Errorf("Test[%s] expected that quiet stderr and verbose stdout are equal; quiet [%v], verbose [%v]", testName, quietResult.Stderr(), result.Combined()))
+	}
+}
+
+// FIXME(vdemeester) migrate to docker/cli tests
+func (s *DockerSuite) TestBuildNotVerboseFailure(c *check.C) {
+	// This test makes sure that -q works correctly when build fails by
+	// comparing between the stderr output in quiet mode and in stdout
+	// and stderr output in verbose mode
+	testCases := []struct {
+		testName   string
+		dockerfile string
+	}{
+		{"quiet_build_no_from_at_the_beginning", "RUN whoami"},
+		{"quiet_build_unknown_instr", "FROMD busybox"},
+	}
+
+	for _, tc := range testCases {
+		quietResult := buildImage(tc.testName, cli.WithFlags("-q"), build.WithDockerfile(tc.dockerfile))
+		quietResult.Assert(c, icmd.Expected{
+			ExitCode: 1,
+		})
+		result := buildImage(tc.testName, build.WithDockerfile(tc.dockerfile))
+		result.Assert(c, icmd.Expected{
+			ExitCode: 1,
+		})
+		if quietResult.Stderr() != result.Combined() {
+			c.Fatal(fmt.Errorf("Test[%s] expected that quiet stderr and verbose stdout are equal; quiet [%v], verbose [%v]", tc.testName, quietResult.Stderr(), result.Combined()))
+		}
+	}
+}
+
+// FIXME(vdemeester) migrate to docker/cli tests
+func (s *DockerSuite) TestBuildNotVerboseFailureRemote(c *check.C) {
+	// This test ensures that when given a wrong URL, stderr in quiet mode and
+	// stderr in verbose mode are identical.
+	// TODO(vdemeester) with cobra, stdout has a carriage return too much so this test should not check stdout
+	URL := "http://something.invalid"
+	name := "quiet_build_wrong_remote"
+	quietResult := buildImage(name, cli.WithFlags("-q"), build.WithContextPath(URL))
+	quietResult.Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+	result := buildImage(name, build.WithContextPath(URL))
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+
+	// An error message should contain name server IP and port, like this:
+	//  "dial tcp: lookup something.invalid on 172.29.128.11:53: no such host"
+	// The IP:port need to be removed in order to not trigger a test failur
+	// when more than one nameserver is configured.
+	// While at it, also strip excessive newlines.
+	normalize := func(msg string) string {
+		return strings.TrimSpace(regexp.MustCompile("[1-9][0-9.]+:[0-9]+").ReplaceAllLiteralString(msg, "<ip:port>"))
+	}
+
+	if normalize(quietResult.Stderr()) != normalize(result.Combined()) {
+		c.Fatal(fmt.Errorf("Test[%s] expected that quiet stderr and verbose stdout are equal; quiet [%v], verbose [%v]", name, quietResult.Stderr(), result.Combined()))
+	}
+}
+
+// FIXME(vdemeester) migrate to docker/cli tests
+func (s *DockerSuite) TestBuildStderr(c *check.C) {
+	// This test just makes sure that no non-error output goes
+	// to stderr
+	name := "testbuildstderr"
+	result := buildImage(name, build.WithDockerfile("FROM busybox\nRUN echo one"))
+	result.Assert(c, icmd.Success)
+
+	// Windows to non-Windows should have a security warning
+	if runtime.GOOS == "windows" && testEnv.OSType != "windows" && !strings.Contains(result.Stdout(), "SECURITY WARNING:") {
+		c.Fatalf("Stdout contains unexpected output: %q", result.Stdout())
+	}
+
+	// Stderr should always be empty
+	if result.Stderr() != "" {
+		c.Fatalf("Stderr should have been empty, instead it's: %q", result.Stderr())
+	}
+}
+
+func (s *DockerSuite) TestBuildChownSingleFile(c *check.C) {
+	testRequires(c, UnixCli, DaemonIsLinux) // test uses chown: not available on windows
+
+	name := "testbuildchownsinglefile"
+
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(`
+FROM busybox
+COPY test /
+RUN ls -l /test
+RUN [ $(ls -l /test | awk '{print $3":"$4}') = 'root:root' ]
+`),
+		fakecontext.WithFiles(map[string]string{
+			"test": "test",
+		}))
+	defer ctx.Close()
+
+	if err := os.Chown(filepath.Join(ctx.Dir, "test"), 4242, 4242); err != nil {
+		c.Fatal(err)
+	}
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+}
+
+func (s *DockerSuite) TestBuildSymlinkBreakout(c *check.C) {
+	name := "testbuildsymlinkbreakout"
+	tmpdir, err := ioutil.TempDir("", name)
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmpdir)
+	ctx := filepath.Join(tmpdir, "context")
+	if err := os.MkdirAll(ctx, 0755); err != nil {
+		c.Fatal(err)
+	}
+	if err := ioutil.WriteFile(filepath.Join(ctx, "Dockerfile"), []byte(`
+	from busybox
+	add symlink.tar /
+	add inject /symlink/
+	`), 0644); err != nil {
+		c.Fatal(err)
+	}
+	inject := filepath.Join(ctx, "inject")
+	if err := ioutil.WriteFile(inject, nil, 0644); err != nil {
+		c.Fatal(err)
+	}
+	f, err := os.Create(filepath.Join(ctx, "symlink.tar"))
+	if err != nil {
+		c.Fatal(err)
+	}
+	w := tar.NewWriter(f)
+	w.WriteHeader(&tar.Header{
+		Name:     "symlink2",
+		Typeflag: tar.TypeSymlink,
+		Linkname: "/../../../../../../../../../../../../../../",
+		Uid:      os.Getuid(),
+		Gid:      os.Getgid(),
+	})
+	w.WriteHeader(&tar.Header{
+		Name:     "symlink",
+		Typeflag: tar.TypeSymlink,
+		Linkname: filepath.Join("symlink2", tmpdir),
+		Uid:      os.Getuid(),
+		Gid:      os.Getgid(),
+	})
+	w.Close()
+	f.Close()
+
+	buildImageSuccessfully(c, name, build.WithoutCache, build.WithExternalBuildContext(fakecontext.New(c, ctx)))
+	if _, err := os.Lstat(filepath.Join(tmpdir, "inject")); err == nil {
+		c.Fatal("symlink breakout - inject")
+	} else if !os.IsNotExist(err) {
+		c.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func (s *DockerSuite) TestBuildXZHost(c *check.C) {
+	// /usr/local/sbin/xz gets permission denied for the user
+	testRequires(c, NotUserNamespace)
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildxzhost"
+
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `
+FROM busybox
+ADD xz /usr/local/sbin/
+RUN chmod 755 /usr/local/sbin/xz
+ADD test.xz /
+RUN [ ! -e /injected ]`),
+		build.WithFile("test.xz", "\xfd\x37\x7a\x58\x5a\x00\x00\x04\xe6\xd6\xb4\x46\x02\x00"+"\x21\x01\x16\x00\x00\x00\x74\x2f\xe5\xa3\x01\x00\x3f\xfd"+"\x37\x7a\x58\x5a\x00\x00\x04\xe6\xd6\xb4\x46\x02\x00\x21"),
+		build.WithFile("xz", "#!/bin/sh\ntouch /injected"),
+	))
+}
+
+func (s *DockerSuite) TestBuildVolumesRetainContents(c *check.C) {
+	// /foo/file gets permission denied for the user
+	testRequires(c, NotUserNamespace)
+	testRequires(c, DaemonIsLinux) // TODO Windows: Issue #20127
+	var (
+		name     = "testbuildvolumescontent"
+		expected = "some text"
+		volName  = "/foo"
+	)
+
+	if testEnv.OSType == "windows" {
+		volName = "C:/foo"
+	}
+
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `
+FROM busybox
+COPY content /foo/file
+VOLUME `+volName+`
+CMD cat /foo/file`),
+		build.WithFile("content", expected),
+	))
+
+	out, _ := dockerCmd(c, "run", "--rm", name)
+	if out != expected {
+		c.Fatalf("expected file contents for /foo/file to be %q but received %q", expected, out)
+	}
+
+}
+
+func (s *DockerSuite) TestBuildFromMixedcaseDockerfile(c *check.C) {
+	testRequires(c, UnixCli) // Dockerfile overwrites dockerfile on windows
+	testRequires(c, DaemonIsLinux)
+
+	// If Dockerfile is not present, use dockerfile
+	buildImage("test1", build.WithBuildContext(c,
+		build.WithFile("dockerfile", `FROM busybox
+	RUN echo from dockerfile`),
+	)).Assert(c, icmd.Expected{
+		Out: "from dockerfile",
+	})
+
+	// Prefer Dockerfile in place of dockerfile
+	buildImage("test1", build.WithBuildContext(c,
+		build.WithFile("dockerfile", `FROM busybox
+	RUN echo from dockerfile`),
+		build.WithFile("Dockerfile", `FROM busybox
+	RUN echo from Dockerfile`),
+	)).Assert(c, icmd.Expected{
+		Out: "from Dockerfile",
+	})
+}
+
+// FIXME(vdemeester) should migrate to docker/cli tests
+func (s *DockerSuite) TestBuildFromURLWithF(c *check.C) {
+	server := fakestorage.New(c, "", fakecontext.WithFiles(map[string]string{"baz": `FROM busybox
+RUN echo from baz
+COPY * /tmp/
+RUN find /tmp/`}))
+	defer server.Close()
+
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(`FROM busybox
+	RUN echo from Dockerfile`))
+	defer ctx.Close()
+
+	// Make sure that -f is ignored and that we don't use the Dockerfile
+	// that's in the current dir
+	result := cli.BuildCmd(c, "test1", cli.WithFlags("-f", "baz", server.URL()+"/baz"), func(cmd *icmd.Cmd) func() {
+		cmd.Dir = ctx.Dir
+		return nil
+	})
+
+	if !strings.Contains(result.Combined(), "from baz") ||
+		strings.Contains(result.Combined(), "/tmp/baz") ||
+		!strings.Contains(result.Combined(), "/tmp/Dockerfile") {
+		c.Fatalf("Missing proper output: %s", result.Combined())
+	}
+
+}
+
+// FIXME(vdemeester) should migrate to docker/cli tests
+func (s *DockerSuite) TestBuildFromStdinWithF(c *check.C) {
+	testRequires(c, DaemonIsLinux) // TODO Windows: This test is flaky; no idea why
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(`FROM busybox
+RUN echo "from Dockerfile"`))
+	defer ctx.Close()
+
+	// Make sure that -f is ignored and that we don't use the Dockerfile
+	// that's in the current dir
+	result := cli.BuildCmd(c, "test1", cli.WithFlags("-f", "baz", "-"), func(cmd *icmd.Cmd) func() {
+		cmd.Dir = ctx.Dir
+		cmd.Stdin = strings.NewReader(`FROM busybox
+RUN echo "from baz"
+COPY * /tmp/
+RUN sh -c "find /tmp/" # sh -c is needed on Windows to use the correct find`)
+		return nil
+	})
+
+	if !strings.Contains(result.Combined(), "from baz") ||
+		strings.Contains(result.Combined(), "/tmp/baz") ||
+		!strings.Contains(result.Combined(), "/tmp/Dockerfile") {
+		c.Fatalf("Missing proper output: %s", result.Combined())
+	}
+
+}
+
+func (s *DockerSuite) TestBuildFromOfficialNames(c *check.C) {
+	name := "testbuildfromofficial"
+	fromNames := []string{
+		"busybox",
+		"docker.io/busybox",
+		"index.docker.io/busybox",
+		"library/busybox",
+		"docker.io/library/busybox",
+		"index.docker.io/library/busybox",
+	}
+	for idx, fromName := range fromNames {
+		imgName := fmt.Sprintf("%s%d", name, idx)
+		buildImageSuccessfully(c, imgName, build.WithDockerfile("FROM "+fromName))
+		dockerCmd(c, "rmi", imgName)
+	}
+}
+
+// FIXME(vdemeester) should be a unit test
+func (s *DockerSuite) TestBuildSpaces(c *check.C) {
+	// Test to make sure that leading/trailing spaces on a command
+	// doesn't change the error msg we get
+	name := "testspaces"
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile("FROM busybox\nCOPY\n"))
+	defer ctx.Close()
+
+	result1 := cli.Docker(cli.Build(name), build.WithExternalBuildContext(ctx))
+	result1.Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+
+	ctx.Add("Dockerfile", "FROM busybox\nCOPY    ")
+	result2 := cli.Docker(cli.Build(name), build.WithExternalBuildContext(ctx))
+	result2.Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+
+	removeLogTimestamps := func(s string) string {
+		return regexp.MustCompile(`time="(.*?)"`).ReplaceAllString(s, `time=[TIMESTAMP]`)
+	}
+
+	// Skip over the times
+	e1 := removeLogTimestamps(result1.Error.Error())
+	e2 := removeLogTimestamps(result2.Error.Error())
+
+	// Ignore whitespace since that's what were verifying doesn't change stuff
+	if strings.Replace(e1, " ", "", -1) != strings.Replace(e2, " ", "", -1) {
+		c.Fatalf("Build 2's error wasn't the same as build 1's\n1:%s\n2:%s", result1.Error, result2.Error)
+	}
+
+	ctx.Add("Dockerfile", "FROM busybox\n   COPY")
+	result2 = cli.Docker(cli.Build(name), build.WithoutCache, build.WithExternalBuildContext(ctx))
+	result2.Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+
+	// Skip over the times
+	e1 = removeLogTimestamps(result1.Error.Error())
+	e2 = removeLogTimestamps(result2.Error.Error())
+
+	// Ignore whitespace since that's what were verifying doesn't change stuff
+	if strings.Replace(e1, " ", "", -1) != strings.Replace(e2, " ", "", -1) {
+		c.Fatalf("Build 3's error wasn't the same as build 1's\n1:%s\n3:%s", result1.Error, result2.Error)
+	}
+
+	ctx.Add("Dockerfile", "FROM busybox\n   COPY    ")
+	result2 = cli.Docker(cli.Build(name), build.WithoutCache, build.WithExternalBuildContext(ctx))
+	result2.Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+
+	// Skip over the times
+	e1 = removeLogTimestamps(result1.Error.Error())
+	e2 = removeLogTimestamps(result2.Error.Error())
+
+	// Ignore whitespace since that's what were verifying doesn't change stuff
+	if strings.Replace(e1, " ", "", -1) != strings.Replace(e2, " ", "", -1) {
+		c.Fatalf("Build 4's error wasn't the same as build 1's\n1:%s\n4:%s", result1.Error, result2.Error)
+	}
+
+}
+
+func (s *DockerSuite) TestBuildSpacesWithQuotes(c *check.C) {
+	// Test to make sure that spaces in quotes aren't lost
+	name := "testspacesquotes"
+
+	dockerfile := `FROM busybox
+RUN echo "  \
+  foo  "`
+
+	expected := "\n    foo  \n"
+	// Windows uses the builtin echo, which preserves quotes
+	if testEnv.OSType == "windows" {
+		expected = "\"    foo  \""
+	}
+
+	buildImage(name, build.WithDockerfile(dockerfile)).Assert(c, icmd.Expected{
+		Out: expected,
+	})
+}
+
+// #4393
+func (s *DockerSuite) TestBuildVolumeFileExistsinContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux) // TODO Windows: This should error out
+	buildImage("docker-test-errcreatevolumewithfile", build.WithDockerfile(`
+	FROM busybox
+	RUN touch /foo
+	VOLUME /foo
+	`)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "file exists",
+	})
+}
+
+// FIXME(vdemeester) should be a unit test
+func (s *DockerSuite) TestBuildMissingArgs(c *check.C) {
+	// Test to make sure that all Dockerfile commands (except the ones listed
+	// in skipCmds) will generate an error if no args are provided.
+	// Note: INSERT is deprecated so we exclude it because of that.
+	skipCmds := map[string]struct{}{
+		"CMD":        {},
+		"RUN":        {},
+		"ENTRYPOINT": {},
+		"INSERT":     {},
+	}
+
+	if testEnv.OSType == "windows" {
+		skipCmds = map[string]struct{}{
+			"CMD":        {},
+			"RUN":        {},
+			"ENTRYPOINT": {},
+			"INSERT":     {},
+			"STOPSIGNAL": {},
+			"ARG":        {},
+			"USER":       {},
+			"EXPOSE":     {},
+		}
+	}
+
+	for cmd := range command.Commands {
+		cmd = strings.ToUpper(cmd)
+		if _, ok := skipCmds[cmd]; ok {
+			continue
+		}
+		var dockerfile string
+		if cmd == "FROM" {
+			dockerfile = cmd
+		} else {
+			// Add FROM to make sure we don't complain about it missing
+			dockerfile = "FROM busybox\n" + cmd
+		}
+
+		buildImage("args", build.WithDockerfile(dockerfile)).Assert(c, icmd.Expected{
+			ExitCode: 1,
+			Err:      cmd + " requires",
+		})
+	}
+
+}
+
+func (s *DockerSuite) TestBuildEmptyScratch(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	buildImage("sc", build.WithDockerfile("FROM scratch")).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "No image was generated",
+	})
+}
+
+func (s *DockerSuite) TestBuildDotDotFile(c *check.C) {
+	buildImageSuccessfully(c, "sc", build.WithBuildContext(c,
+		build.WithFile("Dockerfile", "FROM busybox\n"),
+		build.WithFile("..gitme", ""),
+	))
+}
+
+func (s *DockerSuite) TestBuildRUNoneJSON(c *check.C) {
+	testRequires(c, DaemonIsLinux) // No hello-world Windows image
+	name := "testbuildrunonejson"
+
+	buildImage(name, build.WithDockerfile(`FROM hello-world:frozen
+RUN [ "/hello" ]`)).Assert(c, icmd.Expected{
+		Out: "Hello from Docker",
+	})
+}
+
+func (s *DockerSuite) TestBuildEmptyStringVolume(c *check.C) {
+	name := "testbuildemptystringvolume"
+
+	buildImage(name, build.WithDockerfile(`
+  FROM busybox
+  ENV foo=""
+  VOLUME $foo
+  `)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+}
+
+func (s *DockerSuite) TestBuildContainerWithCgroupParent(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	cgroupParent := "test"
+	data, err := ioutil.ReadFile("/proc/self/cgroup")
+	if err != nil {
+		c.Fatalf("failed to read '/proc/self/cgroup - %v", err)
+	}
+	selfCgroupPaths := ParseCgroupPaths(string(data))
+	_, found := selfCgroupPaths["memory"]
+	if !found {
+		c.Fatalf("unable to find self memory cgroup path. CgroupsPath: %v", selfCgroupPaths)
+	}
+	result := buildImage("buildcgroupparent",
+		cli.WithFlags("--cgroup-parent", cgroupParent),
+		build.WithDockerfile(`
+FROM busybox
+RUN cat /proc/self/cgroup
+`))
+	result.Assert(c, icmd.Success)
+	m, err := regexp.MatchString(fmt.Sprintf("memory:.*/%s/.*", cgroupParent), result.Combined())
+	c.Assert(err, check.IsNil)
+	if !m {
+		c.Fatalf("There is no expected memory cgroup with parent /%s/: %s", cgroupParent, result.Combined())
+	}
+}
+
+// FIXME(vdemeester) could be a unit test
+func (s *DockerSuite) TestBuildNoDupOutput(c *check.C) {
+	// Check to make sure our build output prints the Dockerfile cmd
+	// property - there was a bug that caused it to be duplicated on the
+	// Step X  line
+	name := "testbuildnodupoutput"
+	result := buildImage(name, build.WithDockerfile(`
+  FROM busybox
+  RUN env`))
+	result.Assert(c, icmd.Success)
+	exp := "\nStep 2/2 : RUN env\n"
+	if !strings.Contains(result.Combined(), exp) {
+		c.Fatalf("Bad output\nGot:%s\n\nExpected to contain:%s\n", result.Combined(), exp)
+	}
+}
+
+// GH15826
+// FIXME(vdemeester) could be a unit test
+func (s *DockerSuite) TestBuildStartsFromOne(c *check.C) {
+	// Explicit check to ensure that build starts from step 1 rather than 0
+	name := "testbuildstartsfromone"
+	result := buildImage(name, build.WithDockerfile(`FROM busybox`))
+	result.Assert(c, icmd.Success)
+	exp := "\nStep 1/1 : FROM busybox\n"
+	if !strings.Contains(result.Combined(), exp) {
+		c.Fatalf("Bad output\nGot:%s\n\nExpected to contain:%s\n", result.Combined(), exp)
+	}
+}
+
+func (s *DockerSuite) TestBuildRUNErrMsg(c *check.C) {
+	// Test to make sure the bad command is quoted with just "s and
+	// not as a Go []string
+	name := "testbuildbadrunerrmsg"
+	shell := "/bin/sh -c"
+	exitCode := 127
+	if testEnv.OSType == "windows" {
+		shell = "cmd /S /C"
+		// architectural - Windows has to start the container to determine the exe is bad, Linux does not
+		exitCode = 1
+	}
+	exp := fmt.Sprintf(`The command '%s badEXE a1 \& a2	a3' returned a non-zero code: %d`, shell, exitCode)
+
+	buildImage(name, build.WithDockerfile(`
+  FROM busybox
+  RUN badEXE a1 \& a2	a3`)).Assert(c, icmd.Expected{
+		ExitCode: exitCode,
+		Err:      exp,
+	})
+}
+
+// Issue #15634: COPY fails when path starts with "null"
+func (s *DockerSuite) TestBuildNullStringInAddCopyVolume(c *check.C) {
+	name := "testbuildnullstringinaddcopyvolume"
+	volName := "nullvolume"
+	if testEnv.OSType == "windows" {
+		volName = `C:\\nullvolume`
+	}
+
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `
+		FROM busybox
+
+		ADD null /
+		COPY nullfile /
+		VOLUME `+volName+`
+		`),
+		build.WithFile("null", "test1"),
+		build.WithFile("nullfile", "test2"),
+	))
+}
+
+func (s *DockerSuite) TestBuildStopSignal(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support STOPSIGNAL yet
+	imgName := "test_build_stop_signal"
+	buildImageSuccessfully(c, imgName, build.WithDockerfile(`FROM busybox
+		 STOPSIGNAL SIGKILL`))
+	res := inspectFieldJSON(c, imgName, "Config.StopSignal")
+	if res != `"SIGKILL"` {
+		c.Fatalf("Signal %s, expected SIGKILL", res)
+	}
+
+	containerName := "test-container-stop-signal"
+	dockerCmd(c, "run", "-d", "--name", containerName, imgName, "top")
+	res = inspectFieldJSON(c, containerName, "Config.StopSignal")
+	if res != `"SIGKILL"` {
+		c.Fatalf("Signal %s, expected SIGKILL", res)
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArg(c *check.C) {
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	var dockerfile string
+	if testEnv.OSType == "windows" {
+		// Bugs in Windows busybox port - use the default base image and native cmd stuff
+		dockerfile = fmt.Sprintf(`FROM `+minimalBaseImage()+`
+			ARG %s
+			RUN echo %%%s%%
+			CMD setlocal enableextensions && if defined %s (echo %%%s%%)`, envKey, envKey, envKey, envKey)
+	} else {
+		dockerfile = fmt.Sprintf(`FROM busybox
+			ARG %s
+			RUN echo $%s
+			CMD echo $%s`, envKey, envKey, envKey)
+
+	}
+	buildImage(imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	).Assert(c, icmd.Expected{
+		Out: envVal,
+	})
+
+	containerName := "bldargCont"
+	out, _ := dockerCmd(c, "run", "--name", containerName, imgName)
+	out = strings.Trim(out, " \r\n'")
+	if out != "" {
+		c.Fatalf("run produced invalid output: %q, expected empty string", out)
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgHistory(c *check.C) {
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	envDef := "bar1"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s=%s`, envKey, envDef)
+	buildImage(imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	).Assert(c, icmd.Expected{
+		Out: envVal,
+	})
+
+	out, _ := dockerCmd(c, "history", "--no-trunc", imgName)
+	outputTabs := strings.Split(out, "\n")[1]
+	if !strings.Contains(outputTabs, envDef) {
+		c.Fatalf("failed to find arg default in image history output: %q expected: %q", outputTabs, envDef)
+	}
+}
+
+func (s *DockerSuite) TestBuildTimeArgHistoryExclusions(c *check.C) {
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	proxy := "HTTP_PROXY=http://user:password@proxy.example.com"
+	explicitProxyKey := "http_proxy"
+	explicitProxyVal := "http://user:password@someproxy.example.com"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s
+		ARG %s
+		RUN echo "Testing Build Args!"`, envKey, explicitProxyKey)
+
+	buildImage := func(imgName string) string {
+		cli.BuildCmd(c, imgName,
+			cli.WithFlags("--build-arg", "https_proxy=https://proxy.example.com",
+				"--build-arg", fmt.Sprintf("%s=%s", envKey, envVal),
+				"--build-arg", fmt.Sprintf("%s=%s", explicitProxyKey, explicitProxyVal),
+				"--build-arg", proxy),
+			build.WithDockerfile(dockerfile),
+		)
+		return getIDByName(c, imgName)
+	}
+
+	origID := buildImage(imgName)
+	result := cli.DockerCmd(c, "history", "--no-trunc", imgName)
+	out := result.Stdout()
+
+	if strings.Contains(out, proxy) {
+		c.Fatalf("failed to exclude proxy settings from history!")
+	}
+	if strings.Contains(out, "https_proxy") {
+		c.Fatalf("failed to exclude proxy settings from history!")
+	}
+	result.Assert(c, icmd.Expected{Out: fmt.Sprintf("%s=%s", envKey, envVal)})
+	result.Assert(c, icmd.Expected{Out: fmt.Sprintf("%s=%s", explicitProxyKey, explicitProxyVal)})
+
+	cacheID := buildImage(imgName + "-two")
+	c.Assert(origID, checker.Equals, cacheID)
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgCacheHit(c *check.C) {
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s
+		RUN echo $%s`, envKey, envKey)
+	buildImageSuccessfully(c, imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	)
+	origImgID := getIDByName(c, imgName)
+
+	imgNameCache := "bldargtestcachehit"
+	buildImageSuccessfully(c, imgNameCache,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	)
+	newImgID := getIDByName(c, imgName)
+	if newImgID != origImgID {
+		c.Fatalf("build didn't use cache! expected image id: %q built image id: %q", origImgID, newImgID)
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgCacheMissExtraArg(c *check.C) {
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	extraEnvKey := "foo1"
+	extraEnvVal := "bar1"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s
+		ARG %s
+		RUN echo $%s`, envKey, extraEnvKey, envKey)
+	buildImageSuccessfully(c, imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	)
+	origImgID := getIDByName(c, imgName)
+
+	imgNameCache := "bldargtestcachemiss"
+	buildImageSuccessfully(c, imgNameCache,
+		cli.WithFlags(
+			"--build-arg", fmt.Sprintf("%s=%s", envKey, envVal),
+			"--build-arg", fmt.Sprintf("%s=%s", extraEnvKey, extraEnvVal),
+		),
+		build.WithDockerfile(dockerfile),
+	)
+	newImgID := getIDByName(c, imgNameCache)
+
+	if newImgID == origImgID {
+		c.Fatalf("build used cache, expected a miss!")
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgCacheMissSameArgDiffVal(c *check.C) {
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	newEnvVal := "bar1"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s
+		RUN echo $%s`, envKey, envKey)
+	buildImageSuccessfully(c, imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	)
+	origImgID := getIDByName(c, imgName)
+
+	imgNameCache := "bldargtestcachemiss"
+	buildImageSuccessfully(c, imgNameCache,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, newEnvVal)),
+		build.WithDockerfile(dockerfile),
+	)
+	newImgID := getIDByName(c, imgNameCache)
+	if newImgID == origImgID {
+		c.Fatalf("build used cache, expected a miss!")
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgOverrideArgDefinedBeforeEnv(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support ARG
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	envValOverride := "barOverride"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s
+		ENV %s %s
+		RUN echo $%s
+		CMD echo $%s
+        `, envKey, envKey, envValOverride, envKey, envKey)
+
+	result := buildImage(imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	)
+	result.Assert(c, icmd.Success)
+	if strings.Count(result.Combined(), envValOverride) != 2 {
+		c.Fatalf("failed to access environment variable in output: %q expected: %q", result.Combined(), envValOverride)
+	}
+
+	containerName := "bldargCont"
+	if out, _ := dockerCmd(c, "run", "--name", containerName, imgName); !strings.Contains(out, envValOverride) {
+		c.Fatalf("run produced invalid output: %q, expected %q", out, envValOverride)
+	}
+}
+
+// FIXME(vdemeester) might be useful to merge with the one above ?
+func (s *DockerSuite) TestBuildBuildTimeArgOverrideEnvDefinedBeforeArg(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support ARG
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	envValOverride := "barOverride"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ENV %s %s
+		ARG %s
+		RUN echo $%s
+		CMD echo $%s
+        `, envKey, envValOverride, envKey, envKey, envKey)
+	result := buildImage(imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	)
+	result.Assert(c, icmd.Success)
+	if strings.Count(result.Combined(), envValOverride) != 2 {
+		c.Fatalf("failed to access environment variable in output: %q expected: %q", result.Combined(), envValOverride)
+	}
+
+	containerName := "bldargCont"
+	if out, _ := dockerCmd(c, "run", "--name", containerName, imgName); !strings.Contains(out, envValOverride) {
+		c.Fatalf("run produced invalid output: %q, expected %q", out, envValOverride)
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgExpansion(c *check.C) {
+	imgName := "bldvarstest"
+
+	wdVar := "WDIR"
+	wdVal := "/tmp/"
+	addVar := "AFILE"
+	addVal := "addFile"
+	copyVar := "CFILE"
+	copyVal := "copyFile"
+	envVar := "foo"
+	envVal := "bar"
+	exposeVar := "EPORT"
+	exposeVal := "9999"
+	userVar := "USER"
+	userVal := "testUser"
+	volVar := "VOL"
+	volVal := "/testVol/"
+	if DaemonIsWindows() {
+		volVal = "C:\\testVol"
+		wdVal = "C:\\tmp"
+	}
+
+	buildImageSuccessfully(c, imgName,
+		cli.WithFlags(
+			"--build-arg", fmt.Sprintf("%s=%s", wdVar, wdVal),
+			"--build-arg", fmt.Sprintf("%s=%s", addVar, addVal),
+			"--build-arg", fmt.Sprintf("%s=%s", copyVar, copyVal),
+			"--build-arg", fmt.Sprintf("%s=%s", envVar, envVal),
+			"--build-arg", fmt.Sprintf("%s=%s", exposeVar, exposeVal),
+			"--build-arg", fmt.Sprintf("%s=%s", userVar, userVal),
+			"--build-arg", fmt.Sprintf("%s=%s", volVar, volVal),
+		),
+		build.WithBuildContext(c,
+			build.WithFile("Dockerfile", fmt.Sprintf(`FROM busybox
+		ARG %s
+		WORKDIR ${%s}
+		ARG %s
+		ADD ${%s} testDir/
+		ARG %s
+		COPY $%s testDir/
+		ARG %s
+		ENV %s=${%s}
+		ARG %s
+		EXPOSE $%s
+		ARG %s
+		USER $%s
+		ARG %s
+		VOLUME ${%s}`,
+				wdVar, wdVar, addVar, addVar, copyVar, copyVar, envVar, envVar,
+				envVar, exposeVar, exposeVar, userVar, userVar, volVar, volVar)),
+			build.WithFile(addVal, "some stuff"),
+			build.WithFile(copyVal, "some stuff"),
+		),
+	)
+
+	res := inspectField(c, imgName, "Config.WorkingDir")
+	c.Check(filepath.ToSlash(res), check.Equals, filepath.ToSlash(wdVal))
+
+	var resArr []string
+	inspectFieldAndUnmarshall(c, imgName, "Config.Env", &resArr)
+
+	found := false
+	for _, v := range resArr {
+		if fmt.Sprintf("%s=%s", envVar, envVal) == v {
+			found = true
+			break
+		}
+	}
+	if !found {
+		c.Fatalf("Config.Env value mismatch. Expected <key=value> to exist: %s=%s, got: %v",
+			envVar, envVal, resArr)
+	}
+
+	var resMap map[string]interface{}
+	inspectFieldAndUnmarshall(c, imgName, "Config.ExposedPorts", &resMap)
+	if _, ok := resMap[fmt.Sprintf("%s/tcp", exposeVal)]; !ok {
+		c.Fatalf("Config.ExposedPorts value mismatch. Expected exposed port: %s/tcp, got: %v", exposeVal, resMap)
+	}
+
+	res = inspectField(c, imgName, "Config.User")
+	if res != userVal {
+		c.Fatalf("Config.User value mismatch. Expected: %s, got: %s", userVal, res)
+	}
+
+	inspectFieldAndUnmarshall(c, imgName, "Config.Volumes", &resMap)
+	if _, ok := resMap[volVal]; !ok {
+		c.Fatalf("Config.Volumes value mismatch. Expected volume: %s, got: %v", volVal, resMap)
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgExpansionOverride(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support ARG
+	imgName := "bldvarstest"
+	envKey := "foo"
+	envVal := "bar"
+	envKey1 := "foo1"
+	envValOverride := "barOverride"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s
+		ENV %s %s
+		ENV %s ${%s}
+		RUN echo $%s
+		CMD echo $%s`, envKey, envKey, envValOverride, envKey1, envKey, envKey1, envKey1)
+	result := buildImage(imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	)
+	result.Assert(c, icmd.Success)
+	if strings.Count(result.Combined(), envValOverride) != 2 {
+		c.Fatalf("failed to access environment variable in output: %q expected: %q", result.Combined(), envValOverride)
+	}
+
+	containerName := "bldargCont"
+	if out, _ := dockerCmd(c, "run", "--name", containerName, imgName); !strings.Contains(out, envValOverride) {
+		c.Fatalf("run produced invalid output: %q, expected %q", out, envValOverride)
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgUntrustedDefinedAfterUse(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support ARG
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		RUN echo $%s
+		ARG %s
+		CMD echo $%s`, envKey, envKey, envKey)
+	result := buildImage(imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	)
+	result.Assert(c, icmd.Success)
+	if strings.Contains(result.Combined(), envVal) {
+		c.Fatalf("able to access environment variable in output: %q expected to be missing", result.Combined())
+	}
+
+	containerName := "bldargCont"
+	if out, _ := dockerCmd(c, "run", "--name", containerName, imgName); out != "\n" {
+		c.Fatalf("run produced invalid output: %q, expected empty string", out)
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgBuiltinArg(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support --build-arg
+	imgName := "bldargtest"
+	envKey := "HTTP_PROXY"
+	envVal := "bar"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		RUN echo $%s
+		CMD echo $%s`, envKey, envKey)
+
+	result := buildImage(imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	)
+	result.Assert(c, icmd.Success)
+	if !strings.Contains(result.Combined(), envVal) {
+		c.Fatalf("failed to access environment variable in output: %q expected: %q", result.Combined(), envVal)
+	}
+	containerName := "bldargCont"
+	if out, _ := dockerCmd(c, "run", "--name", containerName, imgName); out != "\n" {
+		c.Fatalf("run produced invalid output: %q, expected empty string", out)
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgDefaultOverride(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support ARG
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	envValOverride := "barOverride"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s=%s
+		ENV %s $%s
+		RUN echo $%s
+		CMD echo $%s`, envKey, envVal, envKey, envKey, envKey, envKey)
+	result := buildImage(imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envValOverride)),
+		build.WithDockerfile(dockerfile),
+	)
+	result.Assert(c, icmd.Success)
+	if strings.Count(result.Combined(), envValOverride) != 1 {
+		c.Fatalf("failed to access environment variable in output: %q expected: %q", result.Combined(), envValOverride)
+	}
+
+	containerName := "bldargCont"
+	if out, _ := dockerCmd(c, "run", "--name", containerName, imgName); !strings.Contains(out, envValOverride) {
+		c.Fatalf("run produced invalid output: %q, expected %q", out, envValOverride)
+	}
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgUnconsumedArg(c *check.C) {
+	imgName := "bldargtest"
+	envKey := "foo"
+	envVal := "bar"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		RUN echo $%s
+		CMD echo $%s`, envKey, envKey)
+	warnStr := "[Warning] One or more build-args"
+	buildImage(imgName,
+		cli.WithFlags("--build-arg", fmt.Sprintf("%s=%s", envKey, envVal)),
+		build.WithDockerfile(dockerfile),
+	).Assert(c, icmd.Expected{
+		Out: warnStr,
+	})
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgEnv(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support ARG
+	dockerfile := `FROM busybox
+		ARG FOO1=fromfile
+		ARG FOO2=fromfile
+		ARG FOO3=fromfile
+		ARG FOO4=fromfile
+		ARG FOO5
+		ARG FOO6
+		ARG FO10
+		RUN env
+		RUN [ "$FOO1" == "fromcmd" ]
+		RUN [ "$FOO2" == "" ]
+		RUN [ "$FOO3" == "fromenv" ]
+		RUN [ "$FOO4" == "fromfile" ]
+		RUN [ "$FOO5" == "fromcmd" ]
+		# The following should not exist at all in the env
+		RUN [ "$(env | grep FOO6)" == "" ]
+		RUN [ "$(env | grep FOO7)" == "" ]
+		RUN [ "$(env | grep FOO8)" == "" ]
+		RUN [ "$(env | grep FOO9)" == "" ]
+		RUN [ "$FO10" == "" ]
+	    `
+	result := buildImage("testbuildtimeargenv",
+		cli.WithFlags(
+			"--build-arg", fmt.Sprintf("FOO1=fromcmd"),
+			"--build-arg", fmt.Sprintf("FOO2="),
+			"--build-arg", fmt.Sprintf("FOO3"), // set in env
+			"--build-arg", fmt.Sprintf("FOO4"), // not set in env
+			"--build-arg", fmt.Sprintf("FOO5=fromcmd"),
+			// FOO6 is not set at all
+			"--build-arg", fmt.Sprintf("FOO7=fromcmd"), // should produce a warning
+			"--build-arg", fmt.Sprintf("FOO8="), // should produce a warning
+			"--build-arg", fmt.Sprintf("FOO9"), // should produce a warning
+			"--build-arg", fmt.Sprintf("FO10"), // not set in env, empty value
+		),
+		cli.WithEnvironmentVariables(append(os.Environ(),
+			"FOO1=fromenv",
+			"FOO2=fromenv",
+			"FOO3=fromenv")...),
+		build.WithBuildContext(c,
+			build.WithFile("Dockerfile", dockerfile),
+		),
+	)
+	result.Assert(c, icmd.Success)
+
+	// Now check to make sure we got a warning msg about unused build-args
+	i := strings.Index(result.Combined(), "[Warning]")
+	if i < 0 {
+		c.Fatalf("Missing the build-arg warning in %q", result.Combined())
+	}
+
+	out := result.Combined()[i:] // "out" should contain just the warning message now
+
+	// These were specified on a --build-arg but no ARG was in the Dockerfile
+	c.Assert(out, checker.Contains, "FOO7")
+	c.Assert(out, checker.Contains, "FOO8")
+	c.Assert(out, checker.Contains, "FOO9")
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgQuotedValVariants(c *check.C) {
+	imgName := "bldargtest"
+	envKey := "foo"
+	envKey1 := "foo1"
+	envKey2 := "foo2"
+	envKey3 := "foo3"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s=""
+		ARG %s=''
+		ARG %s="''"
+		ARG %s='""'
+		RUN [ "$%s" != "$%s" ]
+		RUN [ "$%s" != "$%s" ]
+		RUN [ "$%s" != "$%s" ]
+		RUN [ "$%s" != "$%s" ]
+		RUN [ "$%s" != "$%s" ]`, envKey, envKey1, envKey2, envKey3,
+		envKey, envKey2, envKey, envKey3, envKey1, envKey2, envKey1, envKey3,
+		envKey2, envKey3)
+	buildImageSuccessfully(c, imgName, build.WithDockerfile(dockerfile))
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgEmptyValVariants(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support ARG
+	imgName := "bldargtest"
+	envKey := "foo"
+	envKey1 := "foo1"
+	envKey2 := "foo2"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s=
+		ARG %s=""
+		ARG %s=''
+		RUN [ "$%s" == "$%s" ]
+		RUN [ "$%s" == "$%s" ]
+		RUN [ "$%s" == "$%s" ]`, envKey, envKey1, envKey2, envKey, envKey1, envKey1, envKey2, envKey, envKey2)
+	buildImageSuccessfully(c, imgName, build.WithDockerfile(dockerfile))
+}
+
+func (s *DockerSuite) TestBuildBuildTimeArgDefinitionWithNoEnvInjection(c *check.C) {
+	imgName := "bldargtest"
+	envKey := "foo"
+	dockerfile := fmt.Sprintf(`FROM busybox
+		ARG %s
+		RUN env`, envKey)
+
+	result := cli.BuildCmd(c, imgName, build.WithDockerfile(dockerfile))
+	result.Assert(c, icmd.Success)
+	if strings.Count(result.Combined(), envKey) != 1 {
+		c.Fatalf("unexpected number of occurrences of the arg in output: %q expected: 1", result.Combined())
+	}
+}
+
+func (s *DockerSuite) TestBuildMultiStageArg(c *check.C) {
+	imgName := "multifrombldargtest"
+	dockerfile := `FROM busybox
+    ARG foo=abc
+    LABEL multifromtest=1
+    RUN env > /out
+    FROM busybox
+    ARG bar=def
+    RUN env > /out`
+
+	result := cli.BuildCmd(c, imgName, build.WithDockerfile(dockerfile))
+	result.Assert(c, icmd.Success)
+
+	result = cli.DockerCmd(c, "images", "-q", "-f", "label=multifromtest=1")
+	parentID := strings.TrimSpace(result.Stdout())
+
+	result = cli.DockerCmd(c, "run", "--rm", parentID, "cat", "/out")
+	c.Assert(result.Stdout(), checker.Contains, "foo=abc")
+
+	result = cli.DockerCmd(c, "run", "--rm", imgName, "cat", "/out")
+	c.Assert(result.Stdout(), checker.Not(checker.Contains), "foo")
+	c.Assert(result.Stdout(), checker.Contains, "bar=def")
+}
+
+func (s *DockerSuite) TestBuildMultiStageGlobalArg(c *check.C) {
+	imgName := "multifrombldargtest"
+	dockerfile := `ARG tag=nosuchtag
+     FROM busybox:${tag}
+     LABEL multifromtest=1
+     RUN env > /out
+     FROM busybox:${tag}
+     ARG tag
+     RUN env > /out`
+
+	result := cli.BuildCmd(c, imgName,
+		build.WithDockerfile(dockerfile),
+		cli.WithFlags("--build-arg", fmt.Sprintf("tag=latest")))
+	result.Assert(c, icmd.Success)
+
+	result = cli.DockerCmd(c, "images", "-q", "-f", "label=multifromtest=1")
+	parentID := strings.TrimSpace(result.Stdout())
+
+	result = cli.DockerCmd(c, "run", "--rm", parentID, "cat", "/out")
+	c.Assert(result.Stdout(), checker.Not(checker.Contains), "tag")
+
+	result = cli.DockerCmd(c, "run", "--rm", imgName, "cat", "/out")
+	c.Assert(result.Stdout(), checker.Contains, "tag=latest")
+}
+
+func (s *DockerSuite) TestBuildMultiStageUnusedArg(c *check.C) {
+	imgName := "multifromunusedarg"
+	dockerfile := `FROM busybox
+    ARG foo
+    FROM busybox
+    ARG bar
+    RUN env > /out`
+
+	result := cli.BuildCmd(c, imgName,
+		build.WithDockerfile(dockerfile),
+		cli.WithFlags("--build-arg", fmt.Sprintf("baz=abc")))
+	result.Assert(c, icmd.Success)
+	c.Assert(result.Combined(), checker.Contains, "[Warning]")
+	c.Assert(result.Combined(), checker.Contains, "[baz] were not consumed")
+
+	result = cli.DockerCmd(c, "run", "--rm", imgName, "cat", "/out")
+	c.Assert(result.Stdout(), checker.Not(checker.Contains), "bar")
+	c.Assert(result.Stdout(), checker.Not(checker.Contains), "baz")
+}
+
+func (s *DockerSuite) TestBuildNoNamedVolume(c *check.C) {
+	volName := "testname:/foo"
+
+	if testEnv.OSType == "windows" {
+		volName = "testname:C:\\foo"
+	}
+	dockerCmd(c, "run", "-v", volName, "busybox", "sh", "-c", "touch /foo/oops")
+
+	dockerFile := `FROM busybox
+	VOLUME ` + volName + `
+	RUN ls /foo/oops
+	`
+	buildImage("test", build.WithDockerfile(dockerFile)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+}
+
+func (s *DockerSuite) TestBuildTagEvent(c *check.C) {
+	since := daemonUnixTime(c)
+
+	dockerFile := `FROM busybox
+	RUN echo events
+	`
+	buildImageSuccessfully(c, "test", build.WithDockerfile(dockerFile))
+
+	until := daemonUnixTime(c)
+	out, _ := dockerCmd(c, "events", "--since", since, "--until", until, "--filter", "type=image")
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	actions := eventActionsByIDAndType(c, events, "test:latest", "image")
+	var foundTag bool
+	for _, a := range actions {
+		if a == "tag" {
+			foundTag = true
+			break
+		}
+	}
+
+	c.Assert(foundTag, checker.True, check.Commentf("No tag event found:\n%s", out))
+}
+
+// #15780
+func (s *DockerSuite) TestBuildMultipleTags(c *check.C) {
+	dockerfile := `
+	FROM busybox
+	MAINTAINER test-15780
+	`
+	buildImageSuccessfully(c, "tag1", cli.WithFlags("-t", "tag2:v2", "-t", "tag1:latest", "-t", "tag1"), build.WithDockerfile(dockerfile))
+
+	id1 := getIDByName(c, "tag1")
+	id2 := getIDByName(c, "tag2:v2")
+	c.Assert(id1, check.Equals, id2)
+}
+
+// #17290
+func (s *DockerSuite) TestBuildCacheBrokenSymlink(c *check.C) {
+	name := "testbuildbrokensymlink"
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(`
+	FROM busybox
+	COPY . ./`),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "bar",
+		}))
+	defer ctx.Close()
+
+	err := os.Symlink(filepath.Join(ctx.Dir, "nosuchfile"), filepath.Join(ctx.Dir, "asymlink"))
+	c.Assert(err, checker.IsNil)
+
+	// warm up cache
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+
+	// add new file to context, should invalidate cache
+	err = ioutil.WriteFile(filepath.Join(ctx.Dir, "newfile"), []byte("foo"), 0644)
+	c.Assert(err, checker.IsNil)
+
+	result := cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	if strings.Contains(result.Combined(), "Using cache") {
+		c.Fatal("2nd build used cache on ADD, it shouldn't")
+	}
+}
+
+func (s *DockerSuite) TestBuildFollowSymlinkToFile(c *check.C) {
+	name := "testbuildbrokensymlink"
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(`
+	FROM busybox
+	COPY asymlink target`),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "bar",
+		}))
+	defer ctx.Close()
+
+	err := os.Symlink("foo", filepath.Join(ctx.Dir, "asymlink"))
+	c.Assert(err, checker.IsNil)
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+
+	out := cli.DockerCmd(c, "run", "--rm", name, "cat", "target").Combined()
+	c.Assert(out, checker.Matches, "bar")
+
+	// change target file should invalidate cache
+	err = ioutil.WriteFile(filepath.Join(ctx.Dir, "foo"), []byte("baz"), 0644)
+	c.Assert(err, checker.IsNil)
+
+	result := cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	c.Assert(result.Combined(), checker.Not(checker.Contains), "Using cache")
+
+	out = cli.DockerCmd(c, "run", "--rm", name, "cat", "target").Combined()
+	c.Assert(out, checker.Matches, "baz")
+}
+
+func (s *DockerSuite) TestBuildFollowSymlinkToDir(c *check.C) {
+	name := "testbuildbrokensymlink"
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(`
+	FROM busybox
+	COPY asymlink /`),
+		fakecontext.WithFiles(map[string]string{
+			"foo/abc": "bar",
+			"foo/def": "baz",
+		}))
+	defer ctx.Close()
+
+	err := os.Symlink("foo", filepath.Join(ctx.Dir, "asymlink"))
+	c.Assert(err, checker.IsNil)
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+
+	out := cli.DockerCmd(c, "run", "--rm", name, "cat", "abc", "def").Combined()
+	c.Assert(out, checker.Matches, "barbaz")
+
+	// change target file should invalidate cache
+	err = ioutil.WriteFile(filepath.Join(ctx.Dir, "foo/def"), []byte("bax"), 0644)
+	c.Assert(err, checker.IsNil)
+
+	result := cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+	c.Assert(result.Combined(), checker.Not(checker.Contains), "Using cache")
+
+	out = cli.DockerCmd(c, "run", "--rm", name, "cat", "abc", "def").Combined()
+	c.Assert(out, checker.Matches, "barbax")
+
+}
+
+// TestBuildSymlinkBasename tests that target file gets basename from symlink,
+// not from the target file.
+func (s *DockerSuite) TestBuildSymlinkBasename(c *check.C) {
+	name := "testbuildbrokensymlink"
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(`
+	FROM busybox
+	COPY asymlink /`),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "bar",
+		}))
+	defer ctx.Close()
+
+	err := os.Symlink("foo", filepath.Join(ctx.Dir, "asymlink"))
+	c.Assert(err, checker.IsNil)
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+
+	out := cli.DockerCmd(c, "run", "--rm", name, "cat", "asymlink").Combined()
+	c.Assert(out, checker.Matches, "bar")
+}
+
+// #17827
+func (s *DockerSuite) TestBuildCacheRootSource(c *check.C) {
+	name := "testbuildrootsource"
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(`
+	FROM busybox
+	COPY / /data`),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "bar",
+		}))
+	defer ctx.Close()
+
+	// warm up cache
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+
+	// change file, should invalidate cache
+	err := ioutil.WriteFile(filepath.Join(ctx.Dir, "foo"), []byte("baz"), 0644)
+	c.Assert(err, checker.IsNil)
+
+	result := cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+
+	c.Assert(result.Combined(), checker.Not(checker.Contains), "Using cache")
+}
+
+// #19375
+// FIXME(vdemeester) should migrate to docker/cli tests
+func (s *DockerSuite) TestBuildFailsGitNotCallable(c *check.C) {
+	buildImage("gitnotcallable", cli.WithEnvironmentVariables("PATH="),
+		build.WithContextPath("github.com/docker/v1.10-migrator.git")).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "unable to prepare context: unable to find 'git': ",
+	})
+
+	buildImage("gitnotcallable", cli.WithEnvironmentVariables("PATH="),
+		build.WithContextPath("https://github.com/docker/v1.10-migrator.git")).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "unable to prepare context: unable to find 'git': ",
+	})
+}
+
+// TestBuildWorkdirWindowsPath tests that a Windows style path works as a workdir
+func (s *DockerSuite) TestBuildWorkdirWindowsPath(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	name := "testbuildworkdirwindowspath"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+	FROM `+testEnv.PlatformDefaults.BaseImage+`
+	RUN mkdir C:\\work
+	WORKDIR C:\\work
+	RUN if "%CD%" NEQ "C:\work" exit -1
+	`))
+}
+
+func (s *DockerSuite) TestBuildLabel(c *check.C) {
+	name := "testbuildlabel"
+	testLabel := "foo"
+
+	buildImageSuccessfully(c, name, cli.WithFlags("--label", testLabel),
+		build.WithDockerfile(`
+  FROM `+minimalBaseImage()+`
+  LABEL default foo
+`))
+
+	var labels map[string]string
+	inspectFieldAndUnmarshall(c, name, "Config.Labels", &labels)
+	if _, ok := labels[testLabel]; !ok {
+		c.Fatal("label not found in image")
+	}
+}
+
+func (s *DockerSuite) TestBuildLabelOneNode(c *check.C) {
+	name := "testbuildlabel"
+	buildImageSuccessfully(c, name, cli.WithFlags("--label", "foo=bar"),
+		build.WithDockerfile("FROM busybox"))
+
+	var labels map[string]string
+	inspectFieldAndUnmarshall(c, name, "Config.Labels", &labels)
+	v, ok := labels["foo"]
+	if !ok {
+		c.Fatal("label `foo` not found in image")
+	}
+	c.Assert(v, checker.Equals, "bar")
+}
+
+func (s *DockerSuite) TestBuildLabelCacheCommit(c *check.C) {
+	name := "testbuildlabelcachecommit"
+	testLabel := "foo"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+  FROM `+minimalBaseImage()+`
+  LABEL default foo
+  `))
+	buildImageSuccessfully(c, name, cli.WithFlags("--label", testLabel),
+		build.WithDockerfile(`
+  FROM `+minimalBaseImage()+`
+  LABEL default foo
+  `))
+
+	var labels map[string]string
+	inspectFieldAndUnmarshall(c, name, "Config.Labels", &labels)
+	if _, ok := labels[testLabel]; !ok {
+		c.Fatal("label not found in image")
+	}
+}
+
+func (s *DockerSuite) TestBuildLabelMultiple(c *check.C) {
+	name := "testbuildlabelmultiple"
+	testLabels := map[string]string{
+		"foo": "bar",
+		"123": "456",
+	}
+	var labelArgs []string
+	for k, v := range testLabels {
+		labelArgs = append(labelArgs, "--label", k+"="+v)
+	}
+
+	buildImageSuccessfully(c, name, cli.WithFlags(labelArgs...),
+		build.WithDockerfile(`
+  FROM `+minimalBaseImage()+`
+  LABEL default foo
+`))
+
+	var labels map[string]string
+	inspectFieldAndUnmarshall(c, name, "Config.Labels", &labels)
+	for k, v := range testLabels {
+		if x, ok := labels[k]; !ok || x != v {
+			c.Fatalf("label %s=%s not found in image", k, v)
+		}
+	}
+}
+
+func (s *DockerRegistryAuthHtpasswdSuite) TestBuildFromAuthenticatedRegistry(c *check.C) {
+	dockerCmd(c, "login", "-u", s.reg.Username(), "-p", s.reg.Password(), privateRegistryURL)
+	baseImage := privateRegistryURL + "/baseimage"
+
+	buildImageSuccessfully(c, baseImage, build.WithDockerfile(`
+	FROM busybox
+	ENV env1 val1
+	`))
+
+	dockerCmd(c, "push", baseImage)
+	dockerCmd(c, "rmi", baseImage)
+
+	buildImageSuccessfully(c, baseImage, build.WithDockerfile(fmt.Sprintf(`
+	FROM %s
+	ENV env2 val2
+	`, baseImage)))
+}
+
+func (s *DockerRegistryAuthHtpasswdSuite) TestBuildWithExternalAuth(c *check.C) {
+	osPath := os.Getenv("PATH")
+	defer os.Setenv("PATH", osPath)
+
+	workingDir, err := os.Getwd()
+	c.Assert(err, checker.IsNil)
+	absolute, err := filepath.Abs(filepath.Join(workingDir, "fixtures", "auth"))
+	c.Assert(err, checker.IsNil)
+	testPath := fmt.Sprintf("%s%c%s", osPath, filepath.ListSeparator, absolute)
+
+	os.Setenv("PATH", testPath)
+
+	repoName := fmt.Sprintf("%v/dockercli/busybox:authtest", privateRegistryURL)
+
+	tmp, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, checker.IsNil)
+
+	externalAuthConfig := `{ "credsStore": "shell-test" }`
+
+	configPath := filepath.Join(tmp, "config.json")
+	err = ioutil.WriteFile(configPath, []byte(externalAuthConfig), 0644)
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "--config", tmp, "login", "-u", s.reg.Username(), "-p", s.reg.Password(), privateRegistryURL)
+
+	b, err := ioutil.ReadFile(configPath)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b), checker.Not(checker.Contains), "\"auth\":")
+
+	dockerCmd(c, "--config", tmp, "tag", "busybox", repoName)
+	dockerCmd(c, "--config", tmp, "push", repoName)
+
+	// make sure the image is pulled when building
+	dockerCmd(c, "rmi", repoName)
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "--config", tmp, "build", "-"},
+		Stdin:   strings.NewReader(fmt.Sprintf("FROM %s", repoName)),
+	}).Assert(c, icmd.Success)
+}
+
+// Test cases in #22036
+func (s *DockerSuite) TestBuildLabelsOverride(c *check.C) {
+	// Command line option labels will always override
+	name := "scratchy"
+	expected := `{"bar":"from-flag","foo":"from-flag"}`
+	buildImageSuccessfully(c, name, cli.WithFlags("--label", "foo=from-flag", "--label", "bar=from-flag"),
+		build.WithDockerfile(`FROM `+minimalBaseImage()+`
+                LABEL foo=from-dockerfile`))
+	res := inspectFieldJSON(c, name, "Config.Labels")
+	if res != expected {
+		c.Fatalf("Labels %s, expected %s", res, expected)
+	}
+
+	name = "from"
+	expected = `{"foo":"from-dockerfile"}`
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+                LABEL foo from-dockerfile`))
+	res = inspectFieldJSON(c, name, "Config.Labels")
+	if res != expected {
+		c.Fatalf("Labels %s, expected %s", res, expected)
+	}
+
+	// Command line option label will override even via `FROM`
+	name = "new"
+	expected = `{"bar":"from-dockerfile2","foo":"new"}`
+	buildImageSuccessfully(c, name, cli.WithFlags("--label", "foo=new"),
+		build.WithDockerfile(`FROM from
+                LABEL bar from-dockerfile2`))
+	res = inspectFieldJSON(c, name, "Config.Labels")
+	if res != expected {
+		c.Fatalf("Labels %s, expected %s", res, expected)
+	}
+
+	// Command line option without a value set (--label foo, --label bar=)
+	// will be treated as --label foo="", --label bar=""
+	name = "scratchy2"
+	expected = `{"bar":"","foo":""}`
+	buildImageSuccessfully(c, name, cli.WithFlags("--label", "foo", "--label", "bar="),
+		build.WithDockerfile(`FROM `+minimalBaseImage()+`
+                LABEL foo=from-dockerfile`))
+	res = inspectFieldJSON(c, name, "Config.Labels")
+	if res != expected {
+		c.Fatalf("Labels %s, expected %s", res, expected)
+	}
+
+	// Command line option without a value set (--label foo, --label bar=)
+	// will be treated as --label foo="", --label bar=""
+	// This time is for inherited images
+	name = "new2"
+	expected = `{"bar":"","foo":""}`
+	buildImageSuccessfully(c, name, cli.WithFlags("--label", "foo=", "--label", "bar"),
+		build.WithDockerfile(`FROM from
+                LABEL bar from-dockerfile2`))
+	res = inspectFieldJSON(c, name, "Config.Labels")
+	if res != expected {
+		c.Fatalf("Labels %s, expected %s", res, expected)
+	}
+
+	// Command line option labels with only `FROM`
+	name = "scratchy"
+	expected = `{"bar":"from-flag","foo":"from-flag"}`
+	buildImageSuccessfully(c, name, cli.WithFlags("--label", "foo=from-flag", "--label", "bar=from-flag"),
+		build.WithDockerfile(`FROM `+minimalBaseImage()))
+	res = inspectFieldJSON(c, name, "Config.Labels")
+	if res != expected {
+		c.Fatalf("Labels %s, expected %s", res, expected)
+	}
+
+	// Command line option labels with env var
+	name = "scratchz"
+	expected = `{"bar":"$PATH"}`
+	buildImageSuccessfully(c, name, cli.WithFlags("--label", "bar=$PATH"),
+		build.WithDockerfile(`FROM `+minimalBaseImage()))
+	res = inspectFieldJSON(c, name, "Config.Labels")
+	if res != expected {
+		c.Fatalf("Labels %s, expected %s", res, expected)
+	}
+}
+
+// Test case for #22855
+func (s *DockerSuite) TestBuildDeleteCommittedFile(c *check.C) {
+	name := "test-delete-committed-file"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		RUN echo test > file
+		RUN test -e file
+		RUN rm file
+		RUN sh -c "! test -e file"`))
+}
+
+// #20083
+func (s *DockerSuite) TestBuildDockerignoreComment(c *check.C) {
+	// TODO Windows: Figure out why this test is flakey on TP5. If you add
+	// something like RUN sleep 5, or even RUN ls /tmp after the ADD line,
+	// it is more reliable, but that's not a good fix.
+	testRequires(c, DaemonIsLinux)
+
+	name := "testbuilddockerignorecleanpaths"
+	dockerfile := `
+        FROM busybox
+        ADD . /tmp/
+        RUN sh -c "(ls -la /tmp/#1)"
+        RUN sh -c "(! ls -la /tmp/#2)"
+        RUN sh -c "(! ls /tmp/foo) && (! ls /tmp/foo2) && (ls /tmp/dir1/foo)"`
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile("foo", "foo"),
+		build.WithFile("foo2", "foo2"),
+		build.WithFile("dir1/foo", "foo in dir1"),
+		build.WithFile("#1", "# file 1"),
+		build.WithFile("#2", "# file 2"),
+		build.WithFile(".dockerignore", `# Visual C++ cache files
+# because we have git ;-)
+# The above comment is from #20083
+foo
+#dir1/foo
+foo2
+# The following is considered as comment as # is at the beginning
+#1
+# The following is not considered as comment as # is not at the beginning
+  #2
+`)))
+}
+
+// Test case for #23221
+func (s *DockerSuite) TestBuildWithUTF8BOM(c *check.C) {
+	name := "test-with-utf8-bom"
+	dockerfile := []byte(`FROM busybox`)
+	bomDockerfile := append([]byte{0xEF, 0xBB, 0xBF}, dockerfile...)
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", string(bomDockerfile)),
+	))
+}
+
+// Test case for UTF-8 BOM in .dockerignore, related to #23221
+func (s *DockerSuite) TestBuildWithUTF8BOMDockerignore(c *check.C) {
+	name := "test-with-utf8-bom-dockerignore"
+	dockerfile := `
+        FROM busybox
+		ADD . /tmp/
+		RUN ls -la /tmp
+		RUN sh -c "! ls /tmp/Dockerfile"
+		RUN ls /tmp/.dockerignore`
+	dockerignore := []byte("./Dockerfile\n")
+	bomDockerignore := append([]byte{0xEF, 0xBB, 0xBF}, dockerignore...)
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile(".dockerignore", string(bomDockerignore)),
+	))
+}
+
+// #22489 Shell test to confirm config gets updated correctly
+func (s *DockerSuite) TestBuildShellUpdatesConfig(c *check.C) {
+	name := "testbuildshellupdatesconfig"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+        SHELL ["foo", "-bar"]`))
+	expected := `["foo","-bar","#(nop) ","SHELL [foo -bar]"]`
+	res := inspectFieldJSON(c, name, "ContainerConfig.Cmd")
+	if res != expected {
+		c.Fatalf("%s, expected %s", res, expected)
+	}
+	res = inspectFieldJSON(c, name, "ContainerConfig.Shell")
+	if res != `["foo","-bar"]` {
+		c.Fatalf(`%s, expected ["foo","-bar"]`, res)
+	}
+}
+
+// #22489 Changing the shell multiple times and CMD after.
+func (s *DockerSuite) TestBuildShellMultiple(c *check.C) {
+	name := "testbuildshellmultiple"
+
+	result := buildImage(name, build.WithDockerfile(`FROM busybox
+		RUN echo defaultshell
+		SHELL ["echo"]
+		RUN echoshell
+		SHELL ["ls"]
+		RUN -l
+		CMD -l`))
+	result.Assert(c, icmd.Success)
+
+	// Must contain 'defaultshell' twice
+	if len(strings.Split(result.Combined(), "defaultshell")) != 3 {
+		c.Fatalf("defaultshell should have appeared twice in %s", result.Combined())
+	}
+
+	// Must contain 'echoshell' twice
+	if len(strings.Split(result.Combined(), "echoshell")) != 3 {
+		c.Fatalf("echoshell should have appeared twice in %s", result.Combined())
+	}
+
+	// Must contain "total " (part of ls -l)
+	if !strings.Contains(result.Combined(), "total ") {
+		c.Fatalf("%s should have contained 'total '", result.Combined())
+	}
+
+	// A container started from the image uses the shell-form CMD.
+	// Last shell is ls. CMD is -l. So should contain 'total '.
+	outrun, _ := dockerCmd(c, "run", "--rm", name)
+	if !strings.Contains(outrun, "total ") {
+		c.Fatalf("Expected started container to run ls -l. %s", outrun)
+	}
+}
+
+// #22489. Changed SHELL with ENTRYPOINT
+func (s *DockerSuite) TestBuildShellEntrypoint(c *check.C) {
+	name := "testbuildshellentrypoint"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		SHELL ["ls"]
+		ENTRYPOINT -l`))
+	// A container started from the image uses the shell-form ENTRYPOINT.
+	// Shell is ls. ENTRYPOINT is -l. So should contain 'total '.
+	outrun, _ := dockerCmd(c, "run", "--rm", name)
+	if !strings.Contains(outrun, "total ") {
+		c.Fatalf("Expected started container to run ls -l. %s", outrun)
+	}
+}
+
+// #22489 Shell test to confirm shell is inherited in a subsequent build
+func (s *DockerSuite) TestBuildShellInherited(c *check.C) {
+	name1 := "testbuildshellinherited1"
+	buildImageSuccessfully(c, name1, build.WithDockerfile(`FROM busybox
+        SHELL ["ls"]`))
+	name2 := "testbuildshellinherited2"
+	buildImage(name2, build.WithDockerfile(`FROM `+name1+`
+        RUN -l`)).Assert(c, icmd.Expected{
+		// ls -l has "total " followed by some number in it, ls without -l does not.
+		Out: "total ",
+	})
+}
+
+// #22489 Shell test to confirm non-JSON doesn't work
+func (s *DockerSuite) TestBuildShellNotJSON(c *check.C) {
+	name := "testbuildshellnotjson"
+
+	buildImage(name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+        sHeLl exec -form`, // Casing explicit to ensure error is upper-cased.
+	)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "SHELL requires the arguments to be in JSON form",
+	})
+}
+
+// #22489 Windows shell test to confirm native is powershell if executing a PS command
+// This would error if the default shell were still cmd.
+func (s *DockerSuite) TestBuildShellWindowsPowershell(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	name := "testbuildshellpowershell"
+	buildImage(name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+        SHELL ["powershell", "-command"]
+		RUN Write-Host John`)).Assert(c, icmd.Expected{
+		Out: "\nJohn\n",
+	})
+}
+
+// Verify that escape is being correctly applied to words when escape directive is not \.
+// Tests WORKDIR, ADD
+func (s *DockerSuite) TestBuildEscapeNotBackslashWordTest(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	name := "testbuildescapenotbackslashwordtesta"
+	buildImage(name, build.WithDockerfile(`# escape= `+"`"+`
+		FROM `+minimalBaseImage()+`
+        WORKDIR c:\windows
+		RUN dir /w`)).Assert(c, icmd.Expected{
+		Out: "[System32]",
+	})
+
+	name = "testbuildescapenotbackslashwordtestb"
+	buildImage(name, build.WithDockerfile(`# escape= `+"`"+`
+		FROM `+minimalBaseImage()+`
+		SHELL ["powershell.exe"]
+        WORKDIR c:\foo
+		ADD Dockerfile c:\foo\
+		RUN dir Dockerfile`)).Assert(c, icmd.Expected{
+		Out: "-a----",
+	})
+}
+
+// #22868. Make sure shell-form CMD is marked as escaped in the config of the image
+func (s *DockerSuite) TestBuildCmdShellArgsEscaped(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	name := "testbuildcmdshellescaped"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+  FROM `+minimalBaseImage()+`
+  CMD "ipconfig"
+  `))
+	res := inspectFieldJSON(c, name, "Config.ArgsEscaped")
+	if res != "true" {
+		c.Fatalf("CMD did not update Config.ArgsEscaped on image: %v", res)
+	}
+	dockerCmd(c, "run", "--name", "inspectme", name)
+	dockerCmd(c, "wait", "inspectme")
+	res = inspectFieldJSON(c, name, "Config.Cmd")
+
+	if res != `["cmd","/S","/C","\"ipconfig\""]` {
+		c.Fatalf("CMD was not escaped Config.Cmd: got %v", res)
+	}
+}
+
+// Test case for #24912.
+func (s *DockerSuite) TestBuildStepsWithProgress(c *check.C) {
+	name := "testbuildstepswithprogress"
+	totalRun := 5
+	result := buildImage(name, build.WithDockerfile("FROM busybox\n"+strings.Repeat("RUN echo foo\n", totalRun)))
+	result.Assert(c, icmd.Success)
+	c.Assert(result.Combined(), checker.Contains, fmt.Sprintf("Step 1/%d : FROM busybox", 1+totalRun))
+	for i := 2; i <= 1+totalRun; i++ {
+		c.Assert(result.Combined(), checker.Contains, fmt.Sprintf("Step %d/%d : RUN echo foo", i, 1+totalRun))
+	}
+}
+
+func (s *DockerSuite) TestBuildWithFailure(c *check.C) {
+	name := "testbuildwithfailure"
+
+	// First test case can only detect `nobody` in runtime so all steps will show up
+	dockerfile := "FROM busybox\nRUN nobody"
+	result := buildImage(name, build.WithDockerfile(dockerfile))
+	c.Assert(result.Error, checker.NotNil)
+	c.Assert(result.Stdout(), checker.Contains, "Step 1/2 : FROM busybox")
+	c.Assert(result.Stdout(), checker.Contains, "Step 2/2 : RUN nobody")
+
+	// Second test case `FFOM` should have been detected before build runs so no steps
+	dockerfile = "FFOM nobody\nRUN nobody"
+	result = buildImage(name, build.WithDockerfile(dockerfile))
+	c.Assert(result.Error, checker.NotNil)
+	c.Assert(result.Stdout(), checker.Not(checker.Contains), "Step 1/2 : FROM busybox")
+	c.Assert(result.Stdout(), checker.Not(checker.Contains), "Step 2/2 : RUN nobody")
+}
+
+func (s *DockerSuite) TestBuildCacheFromEqualDiffIDsLength(c *check.C) {
+	dockerfile := `
+		FROM busybox
+		RUN echo "test"
+		ENTRYPOINT ["sh"]`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"Dockerfile": dockerfile,
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, "build1")
+
+	// rebuild with cache-from
+	result := cli.BuildCmd(c, "build2", cli.WithFlags("--cache-from=build1"), build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, "build2")
+	c.Assert(id1, checker.Equals, id2)
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 2)
+}
+
+func (s *DockerSuite) TestBuildCacheFrom(c *check.C) {
+	testRequires(c, DaemonIsLinux) // All tests that do save are skipped in windows
+	dockerfile := `
+		FROM busybox
+		ENV FOO=bar
+		ADD baz /
+		RUN touch bax`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"Dockerfile": dockerfile,
+			"baz":        "baz",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx))
+	id1 := getIDByName(c, "build1")
+
+	// rebuild with cache-from
+	result := cli.BuildCmd(c, "build2", cli.WithFlags("--cache-from=build1"), build.WithExternalBuildContext(ctx))
+	id2 := getIDByName(c, "build2")
+	c.Assert(id1, checker.Equals, id2)
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 3)
+	cli.DockerCmd(c, "rmi", "build2")
+
+	// no cache match with unknown source
+	result = cli.BuildCmd(c, "build2", cli.WithFlags("--cache-from=nosuchtag"), build.WithExternalBuildContext(ctx))
+	id2 = getIDByName(c, "build2")
+	c.Assert(id1, checker.Not(checker.Equals), id2)
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 0)
+	cli.DockerCmd(c, "rmi", "build2")
+
+	// clear parent images
+	tempDir, err := ioutil.TempDir("", "test-build-cache-from-")
+	if err != nil {
+		c.Fatalf("failed to create temporary directory: %s", tempDir)
+	}
+	defer os.RemoveAll(tempDir)
+	tempFile := filepath.Join(tempDir, "img.tar")
+	cli.DockerCmd(c, "save", "-o", tempFile, "build1")
+	cli.DockerCmd(c, "rmi", "build1")
+	cli.DockerCmd(c, "load", "-i", tempFile)
+	parentID := cli.DockerCmd(c, "inspect", "-f", "{{.Parent}}", "build1").Combined()
+	c.Assert(strings.TrimSpace(parentID), checker.Equals, "")
+
+	// cache still applies without parents
+	result = cli.BuildCmd(c, "build2", cli.WithFlags("--cache-from=build1"), build.WithExternalBuildContext(ctx))
+	id2 = getIDByName(c, "build2")
+	c.Assert(id1, checker.Equals, id2)
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 3)
+	history1 := cli.DockerCmd(c, "history", "-q", "build2").Combined()
+
+	// Retry, no new intermediate images
+	result = cli.BuildCmd(c, "build3", cli.WithFlags("--cache-from=build1"), build.WithExternalBuildContext(ctx))
+	id3 := getIDByName(c, "build3")
+	c.Assert(id1, checker.Equals, id3)
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 3)
+	history2 := cli.DockerCmd(c, "history", "-q", "build3").Combined()
+
+	c.Assert(history1, checker.Equals, history2)
+	cli.DockerCmd(c, "rmi", "build2")
+	cli.DockerCmd(c, "rmi", "build3")
+	cli.DockerCmd(c, "rmi", "build1")
+	cli.DockerCmd(c, "load", "-i", tempFile)
+
+	// Modify file, everything up to last command and layers are reused
+	dockerfile = `
+		FROM busybox
+		ENV FOO=bar
+		ADD baz /
+		RUN touch newfile`
+	err = ioutil.WriteFile(filepath.Join(ctx.Dir, "Dockerfile"), []byte(dockerfile), 0644)
+	c.Assert(err, checker.IsNil)
+
+	result = cli.BuildCmd(c, "build2", cli.WithFlags("--cache-from=build1"), build.WithExternalBuildContext(ctx))
+	id2 = getIDByName(c, "build2")
+	c.Assert(id1, checker.Not(checker.Equals), id2)
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 2)
+
+	layers1Str := cli.DockerCmd(c, "inspect", "-f", "{{json .RootFS.Layers}}", "build1").Combined()
+	layers2Str := cli.DockerCmd(c, "inspect", "-f", "{{json .RootFS.Layers}}", "build2").Combined()
+
+	var layers1 []string
+	var layers2 []string
+	c.Assert(json.Unmarshal([]byte(layers1Str), &layers1), checker.IsNil)
+	c.Assert(json.Unmarshal([]byte(layers2Str), &layers2), checker.IsNil)
+
+	c.Assert(len(layers1), checker.Equals, len(layers2))
+	for i := 0; i < len(layers1)-1; i++ {
+		c.Assert(layers1[i], checker.Equals, layers2[i])
+	}
+	c.Assert(layers1[len(layers1)-1], checker.Not(checker.Equals), layers2[len(layers1)-1])
+}
+
+func (s *DockerSuite) TestBuildMultiStageCache(c *check.C) {
+	testRequires(c, DaemonIsLinux) // All tests that do save are skipped in windows
+	dockerfile := `
+		FROM busybox
+		ADD baz /
+		FROM busybox
+    ADD baz /`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"Dockerfile": dockerfile,
+			"baz":        "baz",
+		}))
+	defer ctx.Close()
+
+	result := cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx))
+	// second part of dockerfile was a repeat of first so should be cached
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 1)
+
+	result = cli.BuildCmd(c, "build2", cli.WithFlags("--cache-from=build1"), build.WithExternalBuildContext(ctx))
+	// now both parts of dockerfile should be cached
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 2)
+}
+
+func (s *DockerSuite) TestBuildNetNone(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildnetnone"
+	buildImage(name, cli.WithFlags("--network=none"), build.WithDockerfile(`
+  FROM busybox
+  RUN ping -c 1 8.8.8.8
+  `)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Out:      "unreachable",
+	})
+}
+
+func (s *DockerSuite) TestBuildNetContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	id, _ := dockerCmd(c, "run", "--hostname", "foobar", "-d", "busybox", "nc", "-ll", "-p", "1234", "-e", "hostname")
+
+	name := "testbuildnetcontainer"
+	buildImageSuccessfully(c, name, cli.WithFlags("--network=container:"+strings.TrimSpace(id)),
+		build.WithDockerfile(`
+  FROM busybox
+  RUN nc localhost 1234 > /otherhost
+  `))
+
+	host, _ := dockerCmd(c, "run", "testbuildnetcontainer", "cat", "/otherhost")
+	c.Assert(strings.TrimSpace(host), check.Equals, "foobar")
+}
+
+func (s *DockerSuite) TestBuildWithExtraHost(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	name := "testbuildwithextrahost"
+	buildImageSuccessfully(c, name,
+		cli.WithFlags(
+			"--add-host", "foo:127.0.0.1",
+			"--add-host", "bar:127.0.0.1",
+		),
+		build.WithDockerfile(`
+  FROM busybox
+  RUN ping -c 1 foo
+  RUN ping -c 1 bar
+  `))
+}
+
+func (s *DockerSuite) TestBuildWithExtraHostInvalidFormat(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerfile := `
+		FROM busybox
+		RUN ping -c 1 foo`
+
+	testCases := []struct {
+		testName   string
+		dockerfile string
+		buildFlag  string
+	}{
+		{"extra_host_missing_ip", dockerfile, "--add-host=foo"},
+		{"extra_host_missing_ip_with_delimiter", dockerfile, "--add-host=foo:"},
+		{"extra_host_missing_hostname", dockerfile, "--add-host=:127.0.0.1"},
+		{"extra_host_invalid_ipv4", dockerfile, "--add-host=foo:101.10.2"},
+		{"extra_host_invalid_ipv6", dockerfile, "--add-host=foo:2001::1::3F"},
+	}
+
+	for _, tc := range testCases {
+		result := buildImage(tc.testName, cli.WithFlags(tc.buildFlag), build.WithDockerfile(tc.dockerfile))
+		result.Assert(c, icmd.Expected{
+			ExitCode: 125,
+		})
+	}
+
+}
+
+func (s *DockerSuite) TestBuildContChar(c *check.C) {
+	name := "testbuildcontchar"
+
+	buildImage(name, build.WithDockerfile(`FROM busybox\`)).Assert(c, icmd.Expected{
+		Out: "Step 1/1 : FROM busybox",
+	})
+
+	result := buildImage(name, build.WithDockerfile(`FROM busybox
+		 RUN echo hi \`))
+	result.Assert(c, icmd.Success)
+	c.Assert(result.Combined(), checker.Contains, "Step 1/2 : FROM busybox")
+	c.Assert(result.Combined(), checker.Contains, "Step 2/2 : RUN echo hi\n")
+
+	result = buildImage(name, build.WithDockerfile(`FROM busybox
+		 RUN echo hi \\`))
+	result.Assert(c, icmd.Success)
+	c.Assert(result.Combined(), checker.Contains, "Step 1/2 : FROM busybox")
+	c.Assert(result.Combined(), checker.Contains, "Step 2/2 : RUN echo hi \\\n")
+
+	result = buildImage(name, build.WithDockerfile(`FROM busybox
+		 RUN echo hi \\\`))
+	result.Assert(c, icmd.Success)
+	c.Assert(result.Combined(), checker.Contains, "Step 1/2 : FROM busybox")
+	c.Assert(result.Combined(), checker.Contains, "Step 2/2 : RUN echo hi \\\\\n")
+}
+
+func (s *DockerSuite) TestBuildMultiStageCopyFromSyntax(c *check.C) {
+	dockerfile := `
+		FROM busybox AS first
+		COPY foo bar
+
+		FROM busybox
+		%s
+		COPY baz baz
+		RUN echo mno > baz/cc
+
+		FROM busybox
+		COPY bar /
+		COPY --from=1 baz sub/
+		COPY --from=0 bar baz
+		COPY --from=first bar bay`
+
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(fmt.Sprintf(dockerfile, "")),
+		fakecontext.WithFiles(map[string]string{
+			"foo":    "abc",
+			"bar":    "def",
+			"baz/aa": "ghi",
+			"baz/bb": "jkl",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx))
+
+	cli.DockerCmd(c, "run", "build1", "cat", "bar").Assert(c, icmd.Expected{Out: "def"})
+	cli.DockerCmd(c, "run", "build1", "cat", "sub/aa").Assert(c, icmd.Expected{Out: "ghi"})
+	cli.DockerCmd(c, "run", "build1", "cat", "sub/cc").Assert(c, icmd.Expected{Out: "mno"})
+	cli.DockerCmd(c, "run", "build1", "cat", "baz").Assert(c, icmd.Expected{Out: "abc"})
+	cli.DockerCmd(c, "run", "build1", "cat", "bay").Assert(c, icmd.Expected{Out: "abc"})
+
+	result := cli.BuildCmd(c, "build2", build.WithExternalBuildContext(ctx))
+
+	// all commands should be cached
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 7)
+	c.Assert(getIDByName(c, "build1"), checker.Equals, getIDByName(c, "build2"))
+
+	err := ioutil.WriteFile(filepath.Join(ctx.Dir, "Dockerfile"), []byte(fmt.Sprintf(dockerfile, "COPY baz/aa foo")), 0644)
+	c.Assert(err, checker.IsNil)
+
+	// changing file in parent block should not affect last block
+	result = cli.BuildCmd(c, "build3", build.WithExternalBuildContext(ctx))
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 5)
+
+	err = ioutil.WriteFile(filepath.Join(ctx.Dir, "foo"), []byte("pqr"), 0644)
+	c.Assert(err, checker.IsNil)
+
+	// changing file in parent block should affect both first and last block
+	result = cli.BuildCmd(c, "build4", build.WithExternalBuildContext(ctx))
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 5)
+
+	cli.DockerCmd(c, "run", "build4", "cat", "bay").Assert(c, icmd.Expected{Out: "pqr"})
+	cli.DockerCmd(c, "run", "build4", "cat", "baz").Assert(c, icmd.Expected{Out: "pqr"})
+}
+
+func (s *DockerSuite) TestBuildMultiStageCopyFromErrors(c *check.C) {
+	testCases := []struct {
+		dockerfile    string
+		expectedError string
+	}{
+		{
+			dockerfile: `
+		FROM busybox
+		COPY --from=foo foo bar`,
+			expectedError: "invalid from flag value foo",
+		},
+		{
+			dockerfile: `
+		FROM busybox
+		COPY --from=0 foo bar`,
+			expectedError: "invalid from flag value 0: refers to current build stage",
+		},
+		{
+			dockerfile: `
+		FROM busybox AS foo
+		COPY --from=bar foo bar`,
+			expectedError: "invalid from flag value bar",
+		},
+		{
+			dockerfile: `
+		FROM busybox AS 1
+		COPY --from=1 foo bar`,
+			expectedError: "invalid name for build stage",
+		},
+	}
+
+	for _, tc := range testCases {
+		ctx := fakecontext.New(c, "",
+			fakecontext.WithDockerfile(tc.dockerfile),
+			fakecontext.WithFiles(map[string]string{
+				"foo": "abc",
+			}))
+
+		cli.Docker(cli.Build("build1"), build.WithExternalBuildContext(ctx)).Assert(c, icmd.Expected{
+			ExitCode: 1,
+			Err:      tc.expectedError,
+		})
+
+		ctx.Close()
+	}
+}
+
+func (s *DockerSuite) TestBuildMultiStageMultipleBuilds(c *check.C) {
+	dockerfile := `
+		FROM busybox
+		COPY foo bar`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "abc",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx))
+
+	dockerfile = `
+		FROM build1:latest AS foo
+    FROM busybox
+		COPY --from=foo bar /
+		COPY foo /`
+	ctx = fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "def",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build2", build.WithExternalBuildContext(ctx))
+
+	out := cli.DockerCmd(c, "run", "build2", "cat", "bar").Combined()
+	c.Assert(strings.TrimSpace(out), check.Equals, "abc")
+	out = cli.DockerCmd(c, "run", "build2", "cat", "foo").Combined()
+	c.Assert(strings.TrimSpace(out), check.Equals, "def")
+}
+
+func (s *DockerSuite) TestBuildMultiStageImplicitFrom(c *check.C) {
+	dockerfile := `
+		FROM busybox
+		COPY --from=busybox /etc/passwd /mypasswd
+		RUN cmp /etc/passwd /mypasswd`
+
+	if DaemonIsWindows() {
+		dockerfile = `
+			FROM busybox
+			COPY --from=busybox License.txt foo`
+	}
+
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+	)
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx))
+
+	if DaemonIsWindows() {
+		out := cli.DockerCmd(c, "run", "build1", "cat", "License.txt").Combined()
+		c.Assert(len(out), checker.GreaterThan, 10)
+		out2 := cli.DockerCmd(c, "run", "build1", "cat", "foo").Combined()
+		c.Assert(out, check.Equals, out2)
+	}
+}
+
+func (s *DockerRegistrySuite) TestBuildMultiStageImplicitPull(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/testf", privateRegistryURL)
+
+	dockerfile := `
+		FROM busybox
+		COPY foo bar`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "abc",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, repoName, build.WithExternalBuildContext(ctx))
+
+	cli.DockerCmd(c, "push", repoName)
+	cli.DockerCmd(c, "rmi", repoName)
+
+	dockerfile = `
+		FROM busybox
+		COPY --from=%s bar baz`
+
+	ctx = fakecontext.New(c, "", fakecontext.WithDockerfile(fmt.Sprintf(dockerfile, repoName)))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx))
+
+	cli.Docker(cli.Args("run", "build1", "cat", "baz")).Assert(c, icmd.Expected{Out: "abc"})
+}
+
+func (s *DockerSuite) TestBuildMultiStageNameVariants(c *check.C) {
+	dockerfile := `
+		FROM busybox as foo
+		COPY foo /
+		FROM foo as foo1
+		RUN echo 1 >> foo
+		FROM foo as foO2
+		RUN echo 2 >> foo
+		FROM foo
+		COPY --from=foo1 foo f1
+		COPY --from=FOo2 foo f2
+		` // foo2 case also tests that names are case insensitive
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "bar",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx))
+	cli.Docker(cli.Args("run", "build1", "cat", "foo")).Assert(c, icmd.Expected{Out: "bar"})
+	cli.Docker(cli.Args("run", "build1", "cat", "f1")).Assert(c, icmd.Expected{Out: "bar1"})
+	cli.Docker(cli.Args("run", "build1", "cat", "f2")).Assert(c, icmd.Expected{Out: "bar2"})
+}
+
+func (s *DockerSuite) TestBuildMultiStageMultipleBuildsWindows(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	dockerfile := `
+		FROM ` + testEnv.PlatformDefaults.BaseImage + `
+		COPY foo c:\\bar`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "abc",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx))
+
+	dockerfile = `
+		FROM build1:latest
+    	FROM ` + testEnv.PlatformDefaults.BaseImage + `
+		COPY --from=0 c:\\bar /
+		COPY foo /`
+	ctx = fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"foo": "def",
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build2", build.WithExternalBuildContext(ctx))
+
+	out := cli.DockerCmd(c, "run", "build2", "cmd.exe", "/s", "/c", "type", "c:\\bar").Combined()
+	c.Assert(strings.TrimSpace(out), check.Equals, "abc")
+	out = cli.DockerCmd(c, "run", "build2", "cmd.exe", "/s", "/c", "type", "c:\\foo").Combined()
+	c.Assert(strings.TrimSpace(out), check.Equals, "def")
+}
+
+func (s *DockerSuite) TestBuildCopyFromForbidWindowsSystemPaths(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	dockerfile := `
+		FROM ` + testEnv.PlatformDefaults.BaseImage + `
+		FROM ` + testEnv.PlatformDefaults.BaseImage + `
+		COPY --from=0 %s c:\\oscopy
+		`
+	exp := icmd.Expected{
+		ExitCode: 1,
+		Err:      "copy from c:\\ or c:\\windows is not allowed on windows",
+	}
+	buildImage("testforbidsystempaths1", build.WithDockerfile(fmt.Sprintf(dockerfile, "c:\\\\"))).Assert(c, exp)
+	buildImage("testforbidsystempaths2", build.WithDockerfile(fmt.Sprintf(dockerfile, "C:\\\\"))).Assert(c, exp)
+	buildImage("testforbidsystempaths3", build.WithDockerfile(fmt.Sprintf(dockerfile, "c:\\\\windows"))).Assert(c, exp)
+	buildImage("testforbidsystempaths4", build.WithDockerfile(fmt.Sprintf(dockerfile, "c:\\\\wInDows"))).Assert(c, exp)
+}
+
+func (s *DockerSuite) TestBuildCopyFromForbidWindowsRelativePaths(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	dockerfile := `
+		FROM ` + testEnv.PlatformDefaults.BaseImage + `
+		FROM ` + testEnv.PlatformDefaults.BaseImage + `
+		COPY --from=0 %s c:\\oscopy
+		`
+	exp := icmd.Expected{
+		ExitCode: 1,
+		Err:      "copy from c:\\ or c:\\windows is not allowed on windows",
+	}
+	buildImage("testforbidsystempaths1", build.WithDockerfile(fmt.Sprintf(dockerfile, "c:"))).Assert(c, exp)
+	buildImage("testforbidsystempaths2", build.WithDockerfile(fmt.Sprintf(dockerfile, "."))).Assert(c, exp)
+	buildImage("testforbidsystempaths3", build.WithDockerfile(fmt.Sprintf(dockerfile, "..\\\\"))).Assert(c, exp)
+	buildImage("testforbidsystempaths4", build.WithDockerfile(fmt.Sprintf(dockerfile, ".\\\\windows"))).Assert(c, exp)
+	buildImage("testforbidsystempaths5", build.WithDockerfile(fmt.Sprintf(dockerfile, "\\\\windows"))).Assert(c, exp)
+}
+
+func (s *DockerSuite) TestBuildCopyFromWindowsIsCaseInsensitive(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	dockerfile := `
+		FROM ` + testEnv.PlatformDefaults.BaseImage + `
+		COPY foo /
+		FROM ` + testEnv.PlatformDefaults.BaseImage + `
+		COPY --from=0 c:\\fOo c:\\copied
+		RUN type c:\\copied
+		`
+	cli.Docker(cli.Build("copyfrom-windows-insensitive"), build.WithBuildContext(c,
+		build.WithFile("Dockerfile", dockerfile),
+		build.WithFile("foo", "hello world"),
+	)).Assert(c, icmd.Expected{
+		ExitCode: 0,
+		Out:      "hello world",
+	})
+}
+
+// #33176
+func (s *DockerSuite) TestBuildMulitStageResetScratch(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	dockerfile := `
+		FROM busybox
+		WORKDIR /foo/bar
+		FROM scratch
+		ENV FOO=bar
+		`
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+	)
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx))
+
+	res := cli.InspectCmd(c, "build1", cli.Format(".Config.WorkingDir")).Combined()
+	c.Assert(strings.TrimSpace(res), checker.Equals, "")
+}
+
+func (s *DockerSuite) TestBuildIntermediateTarget(c *check.C) {
+	//todo: need to be removed after 18.06 release
+	if strings.Contains(testEnv.DaemonInfo.ServerVersion, "18.05.0") {
+		c.Skip(fmt.Sprintf("Bug fixed in 18.06 or higher.Skipping it for %s", testEnv.DaemonInfo.ServerVersion))
+	}
+	dockerfile := `
+		FROM busybox AS build-env
+		CMD ["/dev"]
+		FROM busybox
+		CMD ["/dist"]
+		`
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(dockerfile))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx),
+		cli.WithFlags("--target", "build-env"))
+
+	res := cli.InspectCmd(c, "build1", cli.Format("json .Config.Cmd")).Combined()
+	c.Assert(strings.TrimSpace(res), checker.Equals, `["/dev"]`)
+
+	// Stage name is case-insensitive by design
+	cli.BuildCmd(c, "build1", build.WithExternalBuildContext(ctx),
+		cli.WithFlags("--target", "BUIld-EnV"))
+
+	res = cli.InspectCmd(c, "build1", cli.Format("json .Config.Cmd")).Combined()
+	c.Assert(strings.TrimSpace(res), checker.Equals, `["/dev"]`)
+
+	result := cli.Docker(cli.Build("build1"), build.WithExternalBuildContext(ctx),
+		cli.WithFlags("--target", "nosuchtarget"))
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "failed to reach build target",
+	})
+}
+
+// TestBuildOpaqueDirectory tests that a build succeeds which
+// creates opaque directories.
+// See https://github.com/docker/docker/issues/25244
+func (s *DockerSuite) TestBuildOpaqueDirectory(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerFile := `
+		FROM busybox
+		RUN mkdir /dir1 && touch /dir1/f1
+		RUN rm -rf /dir1 && mkdir /dir1 && touch /dir1/f2
+		RUN touch /dir1/f3
+		RUN [ -f /dir1/f2 ]
+		`
+	// Test that build succeeds, last command fails if opaque directory
+	// was not handled correctly
+	buildImageSuccessfully(c, "testopaquedirectory", build.WithDockerfile(dockerFile))
+}
+
+// Windows test for USER in dockerfile
+func (s *DockerSuite) TestBuildWindowsUser(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	name := "testbuildwindowsuser"
+	buildImage(name, build.WithDockerfile(`FROM `+testEnv.PlatformDefaults.BaseImage+`
+		RUN net user user /add
+		USER user
+		RUN set username
+		`)).Assert(c, icmd.Expected{
+		Out: "USERNAME=user",
+	})
+}
+
+// Verifies if COPY file . when WORKDIR is set to a non-existing directory,
+// the directory is created and the file is copied into the directory,
+// as opposed to the file being copied as a file with the name of the
+// directory. Fix for 27545 (found on Windows, but regression good for Linux too).
+// Note 27545 was reverted in 28505, but a new fix was added subsequently in 28514.
+func (s *DockerSuite) TestBuildCopyFileDotWithWorkdir(c *check.C) {
+	name := "testbuildcopyfiledotwithworkdir"
+	buildImageSuccessfully(c, name, build.WithBuildContext(c,
+		build.WithFile("Dockerfile", `FROM busybox
+WORKDIR /foo
+COPY file .
+RUN ["cat", "/foo/file"]
+`),
+		build.WithFile("file", "content"),
+	))
+}
+
+// Case-insensitive environment variables on Windows
+func (s *DockerSuite) TestBuildWindowsEnvCaseInsensitive(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	name := "testbuildwindowsenvcaseinsensitive"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+		FROM `+testEnv.PlatformDefaults.BaseImage+`
+		ENV FOO=bar foo=baz
+  `))
+	res := inspectFieldJSON(c, name, "Config.Env")
+	if res != `["foo=baz"]` { // Should not have FOO=bar in it - takes the last one processed. And only one entry as deduped.
+		c.Fatalf("Case insensitive environment variables on Windows failed. Got %s", res)
+	}
+}
+
+// Test case for 29667
+func (s *DockerSuite) TestBuildWorkdirImageCmd(c *check.C) {
+	image := "testworkdirimagecmd"
+	buildImageSuccessfully(c, image, build.WithDockerfile(`
+FROM busybox
+WORKDIR /foo/bar
+`))
+	out, _ := dockerCmd(c, "inspect", "--format", "{{ json .Config.Cmd }}", image)
+
+	// The Windows busybox image has a blank `cmd`
+	lookingFor := `["sh"]`
+	if testEnv.OSType == "windows" {
+		lookingFor = "null"
+	}
+	c.Assert(strings.TrimSpace(out), checker.Equals, lookingFor)
+
+	image = "testworkdirlabelimagecmd"
+	buildImageSuccessfully(c, image, build.WithDockerfile(`
+FROM busybox
+WORKDIR /foo/bar
+LABEL a=b
+`))
+
+	out, _ = dockerCmd(c, "inspect", "--format", "{{ json .Config.Cmd }}", image)
+	c.Assert(strings.TrimSpace(out), checker.Equals, lookingFor)
+}
+
+// Test case for 28902/28909
+func (s *DockerSuite) TestBuildWorkdirCmd(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildworkdircmd"
+	dockerFile := `
+                FROM busybox
+                WORKDIR /
+                `
+	buildImageSuccessfully(c, name, build.WithDockerfile(dockerFile))
+	result := buildImage(name, build.WithDockerfile(dockerFile))
+	result.Assert(c, icmd.Success)
+	c.Assert(strings.Count(result.Combined(), "Using cache"), checker.Equals, 1)
+}
+
+// FIXME(vdemeester) should be a unit test
+func (s *DockerSuite) TestBuildLineErrorOnBuild(c *check.C) {
+	name := "test_build_line_error_onbuild"
+	buildImage(name, build.WithDockerfile(`FROM busybox
+  ONBUILD
+  `)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Dockerfile parse error line 2: ONBUILD requires at least one argument",
+	})
+}
+
+// FIXME(vdemeester) should be a unit test
+func (s *DockerSuite) TestBuildLineErrorUnknownInstruction(c *check.C) {
+	name := "test_build_line_error_unknown_instruction"
+	cli.Docker(cli.Build(name), build.WithDockerfile(`FROM busybox
+  RUN echo hello world
+  NOINSTRUCTION echo ba
+  RUN echo hello
+  ERROR
+  `)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Dockerfile parse error line 3: unknown instruction: NOINSTRUCTION",
+	})
+}
+
+// FIXME(vdemeester) should be a unit test
+func (s *DockerSuite) TestBuildLineErrorWithEmptyLines(c *check.C) {
+	name := "test_build_line_error_with_empty_lines"
+	cli.Docker(cli.Build(name), build.WithDockerfile(`
+  FROM busybox
+
+  RUN echo hello world
+
+  NOINSTRUCTION echo ba
+
+  CMD ["/bin/init"]
+  `)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Dockerfile parse error line 6: unknown instruction: NOINSTRUCTION",
+	})
+}
+
+// FIXME(vdemeester) should be a unit test
+func (s *DockerSuite) TestBuildLineErrorWithComments(c *check.C) {
+	name := "test_build_line_error_with_comments"
+	cli.Docker(cli.Build(name), build.WithDockerfile(`FROM busybox
+  # This will print hello world
+  # and then ba
+  RUN echo hello world
+  NOINSTRUCTION echo ba
+  `)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Dockerfile parse error line 5: unknown instruction: NOINSTRUCTION",
+	})
+}
+
+// #31957
+func (s *DockerSuite) TestBuildSetCommandWithDefinedShell(c *check.C) {
+	buildImageSuccessfully(c, "build1", build.WithDockerfile(`
+FROM busybox
+SHELL ["/bin/sh", "-c"]
+`))
+	buildImageSuccessfully(c, "build2", build.WithDockerfile(`
+FROM build1
+CMD echo foo
+`))
+
+	out, _ := dockerCmd(c, "inspect", "--format", "{{ json .Config.Cmd }}", "build2")
+	c.Assert(strings.TrimSpace(out), checker.Equals, `["/bin/sh","-c","echo foo"]`)
+}
+
+// FIXME(vdemeester) should migrate to docker/cli tests
+func (s *DockerSuite) TestBuildIidFile(c *check.C) {
+	tmpDir, err := ioutil.TempDir("", "TestBuildIidFile")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+	tmpIidFile := filepath.Join(tmpDir, "iid")
+
+	name := "testbuildiidfile"
+	// Use a Dockerfile with multiple stages to ensure we get the last one
+	cli.BuildCmd(c, name,
+		build.WithDockerfile(`FROM `+minimalBaseImage()+` AS stage1
+ENV FOO FOO
+FROM `+minimalBaseImage()+`
+ENV BAR BAZ`),
+		cli.WithFlags("--iidfile", tmpIidFile))
+
+	id, err := ioutil.ReadFile(tmpIidFile)
+	c.Assert(err, check.IsNil)
+	d, err := digest.Parse(string(id))
+	c.Assert(err, check.IsNil)
+	c.Assert(d.String(), checker.Equals, getIDByName(c, name))
+}
+
+// FIXME(vdemeester) should migrate to docker/cli tests
+func (s *DockerSuite) TestBuildIidFileCleanupOnFail(c *check.C) {
+	tmpDir, err := ioutil.TempDir("", "TestBuildIidFileCleanupOnFail")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+	tmpIidFile := filepath.Join(tmpDir, "iid")
+
+	err = ioutil.WriteFile(tmpIidFile, []byte("Dummy"), 0666)
+	c.Assert(err, check.IsNil)
+
+	cli.Docker(cli.Build("testbuildiidfilecleanuponfail"),
+		build.WithDockerfile(`FROM `+minimalBaseImage()+`
+	RUN /non/existing/command`),
+		cli.WithFlags("--iidfile", tmpIidFile)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+	_, err = os.Stat(tmpIidFile)
+	c.Assert(err, check.NotNil)
+	c.Assert(os.IsNotExist(err), check.Equals, true)
+}
diff --git a/engine/integration-cli/docker_cli_build_unix_test.go b/engine/integration-cli/docker_cli_build_unix_test.go
new file mode 100644
index 00000000..8cad28f4
--- /dev/null
+++ b/engine/integration-cli/docker_cli_build_unix_test.go
@@ -0,0 +1,228 @@
+// +build !windows
+
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/go-units"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestBuildResourceConstraintsAreUsed(c *check.C) {
+	testRequires(c, cpuCfsQuota)
+	name := "testbuildresourceconstraints"
+	buildLabel := "DockerSuite.TestBuildResourceConstraintsAreUsed"
+
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile(`
+	FROM hello-world:frozen
+	RUN ["/hello"]
+	`))
+	cli.Docker(
+		cli.Args("build", "--no-cache", "--rm=false", "--memory=64m", "--memory-swap=-1", "--cpuset-cpus=0", "--cpuset-mems=0", "--cpu-shares=100", "--cpu-quota=8000", "--ulimit", "nofile=42", "--label="+buildLabel, "-t", name, "."),
+		cli.InDir(ctx.Dir),
+	).Assert(c, icmd.Success)
+
+	out := cli.DockerCmd(c, "ps", "-lq", "--filter", "label="+buildLabel).Combined()
+	cID := strings.TrimSpace(out)
+
+	type hostConfig struct {
+		Memory     int64
+		MemorySwap int64
+		CpusetCpus string
+		CpusetMems string
+		CPUShares  int64
+		CPUQuota   int64
+		Ulimits    []*units.Ulimit
+	}
+
+	cfg := inspectFieldJSON(c, cID, "HostConfig")
+
+	var c1 hostConfig
+	err := json.Unmarshal([]byte(cfg), &c1)
+	c.Assert(err, checker.IsNil, check.Commentf(cfg))
+
+	c.Assert(c1.Memory, checker.Equals, int64(64*1024*1024), check.Commentf("resource constraints not set properly for Memory"))
+	c.Assert(c1.MemorySwap, checker.Equals, int64(-1), check.Commentf("resource constraints not set properly for MemorySwap"))
+	c.Assert(c1.CpusetCpus, checker.Equals, "0", check.Commentf("resource constraints not set properly for CpusetCpus"))
+	c.Assert(c1.CpusetMems, checker.Equals, "0", check.Commentf("resource constraints not set properly for CpusetMems"))
+	c.Assert(c1.CPUShares, checker.Equals, int64(100), check.Commentf("resource constraints not set properly for CPUShares"))
+	c.Assert(c1.CPUQuota, checker.Equals, int64(8000), check.Commentf("resource constraints not set properly for CPUQuota"))
+	c.Assert(c1.Ulimits[0].Name, checker.Equals, "nofile", check.Commentf("resource constraints not set properly for Ulimits"))
+	c.Assert(c1.Ulimits[0].Hard, checker.Equals, int64(42), check.Commentf("resource constraints not set properly for Ulimits"))
+
+	// Make sure constraints aren't saved to image
+	cli.DockerCmd(c, "run", "--name=test", name)
+
+	cfg = inspectFieldJSON(c, "test", "HostConfig")
+
+	var c2 hostConfig
+	err = json.Unmarshal([]byte(cfg), &c2)
+	c.Assert(err, checker.IsNil, check.Commentf(cfg))
+
+	c.Assert(c2.Memory, check.Not(checker.Equals), int64(64*1024*1024), check.Commentf("resource leaked from build for Memory"))
+	c.Assert(c2.MemorySwap, check.Not(checker.Equals), int64(-1), check.Commentf("resource leaked from build for MemorySwap"))
+	c.Assert(c2.CpusetCpus, check.Not(checker.Equals), "0", check.Commentf("resource leaked from build for CpusetCpus"))
+	c.Assert(c2.CpusetMems, check.Not(checker.Equals), "0", check.Commentf("resource leaked from build for CpusetMems"))
+	c.Assert(c2.CPUShares, check.Not(checker.Equals), int64(100), check.Commentf("resource leaked from build for CPUShares"))
+	c.Assert(c2.CPUQuota, check.Not(checker.Equals), int64(8000), check.Commentf("resource leaked from build for CPUQuota"))
+	c.Assert(c2.Ulimits, checker.IsNil, check.Commentf("resource leaked from build for Ulimits"))
+}
+
+func (s *DockerSuite) TestBuildAddChangeOwnership(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testbuildaddown"
+
+	ctx := func() *fakecontext.Fake {
+		dockerfile := `
+			FROM busybox
+			ADD foo /bar/
+			RUN [ $(stat -c %U:%G "/bar") = 'root:root' ]
+			RUN [ $(stat -c %U:%G "/bar/foo") = 'root:root' ]
+			`
+		tmpDir, err := ioutil.TempDir("", "fake-context")
+		c.Assert(err, check.IsNil)
+		testFile, err := os.Create(filepath.Join(tmpDir, "foo"))
+		if err != nil {
+			c.Fatalf("failed to create foo file: %v", err)
+		}
+		defer testFile.Close()
+
+		icmd.RunCmd(icmd.Cmd{
+			Command: []string{"chown", "daemon:daemon", "foo"},
+			Dir:     tmpDir,
+		}).Assert(c, icmd.Success)
+
+		if err := ioutil.WriteFile(filepath.Join(tmpDir, "Dockerfile"), []byte(dockerfile), 0644); err != nil {
+			c.Fatalf("failed to open destination dockerfile: %v", err)
+		}
+		return fakecontext.New(c, tmpDir)
+	}()
+
+	defer ctx.Close()
+
+	buildImageSuccessfully(c, name, build.WithExternalBuildContext(ctx))
+}
+
+// Test that an infinite sleep during a build is killed if the client disconnects.
+// This test is fairly hairy because there are lots of ways to race.
+// Strategy:
+// * Monitor the output of docker events starting from before
+// * Run a 1-year-long sleep from a docker build.
+// * When docker events sees container start, close the "docker build" command
+// * Wait for docker events to emit a dying event.
+//
+// TODO(buildkit): this test needs to be rewritten for buildkit.
+// It has been manually tested positive. Confirmed issue: docker build output parsing.
+// Potential issue: newEventObserver uses docker events, which is not hooked up to buildkit.
+func (s *DockerSuite) TestBuildCancellationKillsSleep(c *check.C) {
+	testRequires(c, DaemonIsLinux, TODOBuildkit)
+	name := "testbuildcancellation"
+
+	observer, err := newEventObserver(c)
+	c.Assert(err, checker.IsNil)
+	err = observer.Start()
+	c.Assert(err, checker.IsNil)
+	defer observer.Stop()
+
+	// (Note: one year, will never finish)
+	ctx := fakecontext.New(c, "", fakecontext.WithDockerfile("FROM busybox\nRUN sleep 31536000"))
+	defer ctx.Close()
+
+	buildCmd := exec.Command(dockerBinary, "build", "-t", name, ".")
+	buildCmd.Dir = ctx.Dir
+
+	stdoutBuild, err := buildCmd.StdoutPipe()
+	c.Assert(err, checker.IsNil)
+
+	if err := buildCmd.Start(); err != nil {
+		c.Fatalf("failed to run build: %s", err)
+	}
+	// always clean up
+	defer func() {
+		buildCmd.Process.Kill()
+		buildCmd.Wait()
+	}()
+
+	matchCID := regexp.MustCompile("Running in (.+)")
+	scanner := bufio.NewScanner(stdoutBuild)
+
+	outputBuffer := new(bytes.Buffer)
+	var buildID string
+	for scanner.Scan() {
+		line := scanner.Text()
+		outputBuffer.WriteString(line)
+		outputBuffer.WriteString("\n")
+		if matches := matchCID.FindStringSubmatch(line); len(matches) > 0 {
+			buildID = matches[1]
+			break
+		}
+	}
+
+	if buildID == "" {
+		c.Fatalf("Unable to find build container id in build output:\n%s", outputBuffer.String())
+	}
+
+	testActions := map[string]chan bool{
+		"start": make(chan bool, 1),
+		"die":   make(chan bool, 1),
+	}
+
+	matcher := matchEventLine(buildID, "container", testActions)
+	processor := processEventMatch(testActions)
+	go observer.Match(matcher, processor)
+
+	select {
+	case <-time.After(10 * time.Second):
+		observer.CheckEventError(c, buildID, "start", matcher)
+	case <-testActions["start"]:
+		// ignore, done
+	}
+
+	// Send a kill to the `docker build` command.
+	// Causes the underlying build to be cancelled due to socket close.
+	if err := buildCmd.Process.Kill(); err != nil {
+		c.Fatalf("error killing build command: %s", err)
+	}
+
+	// Get the exit status of `docker build`, check it exited because killed.
+	if err := buildCmd.Wait(); err != nil && !isKilled(err) {
+		c.Fatalf("wait failed during build run: %T %s", err, err)
+	}
+
+	select {
+	case <-time.After(10 * time.Second):
+		observer.CheckEventError(c, buildID, "die", matcher)
+	case <-testActions["die"]:
+		// ignore, done
+	}
+}
+
+func isKilled(err error) bool {
+	if exitErr, ok := err.(*exec.ExitError); ok {
+		status, ok := exitErr.Sys().(syscall.WaitStatus)
+		if !ok {
+			return false
+		}
+		// status.ExitStatus() is required on Windows because it does not
+		// implement Signal() nor Signaled(). Just check it had a bad exit
+		// status could mean it was killed (and in tests we do kill)
+		return (status.Signaled() && status.Signal() == os.Kill) || status.ExitStatus() != 0
+	}
+	return false
+}
diff --git a/engine/integration-cli/docker_cli_by_digest_test.go b/engine/integration-cli/docker_cli_by_digest_test.go
new file mode 100644
index 00000000..006cf11e
--- /dev/null
+++ b/engine/integration-cli/docker_cli_by_digest_test.go
@@ -0,0 +1,693 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/docker/distribution/manifest/schema1"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+	"github.com/opencontainers/go-digest"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+var (
+	remoteRepoName  = "dockercli/busybox-by-dgst"
+	repoName        = fmt.Sprintf("%s/%s", privateRegistryURL, remoteRepoName)
+	pushDigestRegex = regexp.MustCompile("[\\S]+: digest: ([\\S]+) size: [0-9]+")
+	digestRegex     = regexp.MustCompile("Digest: ([\\S]+)")
+)
+
+func setupImage(c *check.C) (digest.Digest, error) {
+	return setupImageWithTag(c, "latest")
+}
+
+func setupImageWithTag(c *check.C, tag string) (digest.Digest, error) {
+	containerName := "busyboxbydigest"
+
+	// new file is committed because this layer is used for detecting malicious
+	// changes. if this was committed as empty layer it would be skipped on pull
+	// and malicious changes would never be detected.
+	cli.DockerCmd(c, "run", "-e", "digest=1", "--name", containerName, "busybox", "touch", "anewfile")
+
+	// tag the image to upload it to the private registry
+	repoAndTag := repoName + ":" + tag
+	cli.DockerCmd(c, "commit", containerName, repoAndTag)
+
+	// delete the container as we don't need it any more
+	cli.DockerCmd(c, "rm", "-fv", containerName)
+
+	// push the image
+	out := cli.DockerCmd(c, "push", repoAndTag).Combined()
+
+	// delete our local repo that we previously tagged
+	cli.DockerCmd(c, "rmi", repoAndTag)
+
+	matches := pushDigestRegex.FindStringSubmatch(out)
+	c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from push output: %s", out))
+	pushDigest := matches[1]
+
+	return digest.Digest(pushDigest), nil
+}
+
+func testPullByTagDisplaysDigest(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	pushDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	// pull from the registry using the tag
+	out, _ := dockerCmd(c, "pull", repoName)
+
+	// the pull output includes "Digest: <digest>", so find that
+	matches := digestRegex.FindStringSubmatch(out)
+	c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", out))
+	pullDigest := matches[1]
+
+	// make sure the pushed and pull digests match
+	c.Assert(pushDigest.String(), checker.Equals, pullDigest)
+}
+
+func (s *DockerRegistrySuite) TestPullByTagDisplaysDigest(c *check.C) {
+	testPullByTagDisplaysDigest(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPullByTagDisplaysDigest(c *check.C) {
+	testPullByTagDisplaysDigest(c)
+}
+
+func testPullByDigest(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	pushDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	// pull from the registry using the <name>@<digest> reference
+	imageReference := fmt.Sprintf("%s@%s", repoName, pushDigest)
+	out, _ := dockerCmd(c, "pull", imageReference)
+
+	// the pull output includes "Digest: <digest>", so find that
+	matches := digestRegex.FindStringSubmatch(out)
+	c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", out))
+	pullDigest := matches[1]
+
+	// make sure the pushed and pull digests match
+	c.Assert(pushDigest.String(), checker.Equals, pullDigest)
+}
+
+func (s *DockerRegistrySuite) TestPullByDigest(c *check.C) {
+	testPullByDigest(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPullByDigest(c *check.C) {
+	testPullByDigest(c)
+}
+
+func testPullByDigestNoFallback(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	// pull from the registry using the <name>@<digest> reference
+	imageReference := fmt.Sprintf("%s@sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", repoName)
+	out, _, err := dockerCmdWithError("pull", imageReference)
+	c.Assert(err, checker.NotNil, check.Commentf("expected non-zero exit status and correct error message when pulling non-existing image"))
+	c.Assert(out, checker.Contains, fmt.Sprintf("manifest for %s not found", imageReference), check.Commentf("expected non-zero exit status and correct error message when pulling non-existing image"))
+}
+
+func (s *DockerRegistrySuite) TestPullByDigestNoFallback(c *check.C) {
+	testPullByDigestNoFallback(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPullByDigestNoFallback(c *check.C) {
+	testPullByDigestNoFallback(c)
+}
+
+func (s *DockerRegistrySuite) TestCreateByDigest(c *check.C) {
+	pushDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	imageReference := fmt.Sprintf("%s@%s", repoName, pushDigest)
+
+	containerName := "createByDigest"
+	dockerCmd(c, "create", "--name", containerName, imageReference)
+
+	res := inspectField(c, containerName, "Config.Image")
+	c.Assert(res, checker.Equals, imageReference)
+}
+
+func (s *DockerRegistrySuite) TestRunByDigest(c *check.C) {
+	pushDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil)
+
+	imageReference := fmt.Sprintf("%s@%s", repoName, pushDigest)
+
+	containerName := "runByDigest"
+	out, _ := dockerCmd(c, "run", "--name", containerName, imageReference, "sh", "-c", "echo found=$digest")
+
+	foundRegex := regexp.MustCompile("found=([^\n]+)")
+	matches := foundRegex.FindStringSubmatch(out)
+	c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", out))
+	c.Assert(matches[1], checker.Equals, "1", check.Commentf("Expected %q, got %q", "1", matches[1]))
+
+	res := inspectField(c, containerName, "Config.Image")
+	c.Assert(res, checker.Equals, imageReference)
+}
+
+func (s *DockerRegistrySuite) TestRemoveImageByDigest(c *check.C) {
+	digest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	imageReference := fmt.Sprintf("%s@%s", repoName, digest)
+
+	// pull from the registry using the <name>@<digest> reference
+	dockerCmd(c, "pull", imageReference)
+
+	// make sure inspect runs ok
+	inspectField(c, imageReference, "Id")
+
+	// do the delete
+	err = deleteImages(imageReference)
+	c.Assert(err, checker.IsNil, check.Commentf("unexpected error deleting image"))
+
+	// try to inspect again - it should error this time
+	_, err = inspectFieldWithError(imageReference, "Id")
+	//unexpected nil err trying to inspect what should be a non-existent image
+	c.Assert(err, checker.NotNil)
+	c.Assert(err.Error(), checker.Contains, "No such object")
+}
+
+func (s *DockerRegistrySuite) TestBuildByDigest(c *check.C) {
+	digest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	imageReference := fmt.Sprintf("%s@%s", repoName, digest)
+
+	// pull from the registry using the <name>@<digest> reference
+	dockerCmd(c, "pull", imageReference)
+
+	// get the image id
+	imageID := inspectField(c, imageReference, "Id")
+
+	// do the build
+	name := "buildbydigest"
+	buildImageSuccessfully(c, name, build.WithDockerfile(fmt.Sprintf(
+		`FROM %s
+     CMD ["/bin/echo", "Hello World"]`, imageReference)))
+	c.Assert(err, checker.IsNil)
+
+	// get the build's image id
+	res := inspectField(c, name, "Config.Image")
+	// make sure they match
+	c.Assert(res, checker.Equals, imageID)
+}
+
+func (s *DockerRegistrySuite) TestTagByDigest(c *check.C) {
+	digest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	imageReference := fmt.Sprintf("%s@%s", repoName, digest)
+
+	// pull from the registry using the <name>@<digest> reference
+	dockerCmd(c, "pull", imageReference)
+
+	// tag it
+	tag := "tagbydigest"
+	dockerCmd(c, "tag", imageReference, tag)
+
+	expectedID := inspectField(c, imageReference, "Id")
+
+	tagID := inspectField(c, tag, "Id")
+	c.Assert(tagID, checker.Equals, expectedID)
+}
+
+func (s *DockerRegistrySuite) TestListImagesWithoutDigests(c *check.C) {
+	digest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	imageReference := fmt.Sprintf("%s@%s", repoName, digest)
+
+	// pull from the registry using the <name>@<digest> reference
+	dockerCmd(c, "pull", imageReference)
+
+	out, _ := dockerCmd(c, "images")
+	c.Assert(out, checker.Not(checker.Contains), "DIGEST", check.Commentf("list output should not have contained DIGEST header"))
+}
+
+func (s *DockerRegistrySuite) TestListImagesWithDigests(c *check.C) {
+
+	// setup image1
+	digest1, err := setupImageWithTag(c, "tag1")
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+	imageReference1 := fmt.Sprintf("%s@%s", repoName, digest1)
+	c.Logf("imageReference1 = %s", imageReference1)
+
+	// pull image1 by digest
+	dockerCmd(c, "pull", imageReference1)
+
+	// list images
+	out, _ := dockerCmd(c, "images", "--digests")
+
+	// make sure repo shown, tag=<none>, digest = $digest1
+	re1 := regexp.MustCompile(`\s*` + repoName + `\s*<none>\s*` + digest1.String() + `\s`)
+	c.Assert(re1.MatchString(out), checker.True, check.Commentf("expected %q: %s", re1.String(), out))
+	// setup image2
+	digest2, err := setupImageWithTag(c, "tag2")
+	//error setting up image
+	c.Assert(err, checker.IsNil)
+	imageReference2 := fmt.Sprintf("%s@%s", repoName, digest2)
+	c.Logf("imageReference2 = %s", imageReference2)
+
+	// pull image1 by digest
+	dockerCmd(c, "pull", imageReference1)
+
+	// pull image2 by digest
+	dockerCmd(c, "pull", imageReference2)
+
+	// list images
+	out, _ = dockerCmd(c, "images", "--digests")
+
+	// make sure repo shown, tag=<none>, digest = $digest1
+	c.Assert(re1.MatchString(out), checker.True, check.Commentf("expected %q: %s", re1.String(), out))
+
+	// make sure repo shown, tag=<none>, digest = $digest2
+	re2 := regexp.MustCompile(`\s*` + repoName + `\s*<none>\s*` + digest2.String() + `\s`)
+	c.Assert(re2.MatchString(out), checker.True, check.Commentf("expected %q: %s", re2.String(), out))
+
+	// pull tag1
+	dockerCmd(c, "pull", repoName+":tag1")
+
+	// list images
+	out, _ = dockerCmd(c, "images", "--digests")
+
+	// make sure image 1 has repo, tag, <none> AND repo, <none>, digest
+	reWithDigest1 := regexp.MustCompile(`\s*` + repoName + `\s*tag1\s*` + digest1.String() + `\s`)
+	c.Assert(reWithDigest1.MatchString(out), checker.True, check.Commentf("expected %q: %s", reWithDigest1.String(), out))
+	// make sure image 2 has repo, <none>, digest
+	c.Assert(re2.MatchString(out), checker.True, check.Commentf("expected %q: %s", re2.String(), out))
+
+	// pull tag 2
+	dockerCmd(c, "pull", repoName+":tag2")
+
+	// list images
+	out, _ = dockerCmd(c, "images", "--digests")
+
+	// make sure image 1 has repo, tag, digest
+	c.Assert(reWithDigest1.MatchString(out), checker.True, check.Commentf("expected %q: %s", reWithDigest1.String(), out))
+
+	// make sure image 2 has repo, tag, digest
+	reWithDigest2 := regexp.MustCompile(`\s*` + repoName + `\s*tag2\s*` + digest2.String() + `\s`)
+	c.Assert(reWithDigest2.MatchString(out), checker.True, check.Commentf("expected %q: %s", reWithDigest2.String(), out))
+
+	// list images
+	out, _ = dockerCmd(c, "images", "--digests")
+
+	// make sure image 1 has repo, tag, digest
+	c.Assert(reWithDigest1.MatchString(out), checker.True, check.Commentf("expected %q: %s", reWithDigest1.String(), out))
+	// make sure image 2 has repo, tag, digest
+	c.Assert(reWithDigest2.MatchString(out), checker.True, check.Commentf("expected %q: %s", reWithDigest2.String(), out))
+	// make sure busybox has tag, but not digest
+	busyboxRe := regexp.MustCompile(`\s*busybox\s*latest\s*<none>\s`)
+	c.Assert(busyboxRe.MatchString(out), checker.True, check.Commentf("expected %q: %s", busyboxRe.String(), out))
+}
+
+func (s *DockerRegistrySuite) TestListDanglingImagesWithDigests(c *check.C) {
+	// setup image1
+	digest1, err := setupImageWithTag(c, "dangle1")
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+	imageReference1 := fmt.Sprintf("%s@%s", repoName, digest1)
+	c.Logf("imageReference1 = %s", imageReference1)
+
+	// pull image1 by digest
+	dockerCmd(c, "pull", imageReference1)
+
+	// list images
+	out, _ := dockerCmd(c, "images", "--digests")
+
+	// make sure repo shown, tag=<none>, digest = $digest1
+	re1 := regexp.MustCompile(`\s*` + repoName + `\s*<none>\s*` + digest1.String() + `\s`)
+	c.Assert(re1.MatchString(out), checker.True, check.Commentf("expected %q: %s", re1.String(), out))
+	// setup image2
+	digest2, err := setupImageWithTag(c, "dangle2")
+	//error setting up image
+	c.Assert(err, checker.IsNil)
+	imageReference2 := fmt.Sprintf("%s@%s", repoName, digest2)
+	c.Logf("imageReference2 = %s", imageReference2)
+
+	// pull image1 by digest
+	dockerCmd(c, "pull", imageReference1)
+
+	// pull image2 by digest
+	dockerCmd(c, "pull", imageReference2)
+
+	// list images
+	out, _ = dockerCmd(c, "images", "--digests", "--filter=dangling=true")
+
+	// make sure repo shown, tag=<none>, digest = $digest1
+	c.Assert(re1.MatchString(out), checker.True, check.Commentf("expected %q: %s", re1.String(), out))
+
+	// make sure repo shown, tag=<none>, digest = $digest2
+	re2 := regexp.MustCompile(`\s*` + repoName + `\s*<none>\s*` + digest2.String() + `\s`)
+	c.Assert(re2.MatchString(out), checker.True, check.Commentf("expected %q: %s", re2.String(), out))
+
+	// pull dangle1 tag
+	dockerCmd(c, "pull", repoName+":dangle1")
+
+	// list images
+	out, _ = dockerCmd(c, "images", "--digests", "--filter=dangling=true")
+
+	// make sure image 1 has repo, tag, <none> AND repo, <none>, digest
+	reWithDigest1 := regexp.MustCompile(`\s*` + repoName + `\s*dangle1\s*` + digest1.String() + `\s`)
+	c.Assert(reWithDigest1.MatchString(out), checker.False, check.Commentf("unexpected %q: %s", reWithDigest1.String(), out))
+	// make sure image 2 has repo, <none>, digest
+	c.Assert(re2.MatchString(out), checker.True, check.Commentf("expected %q: %s", re2.String(), out))
+
+	// pull dangle2 tag
+	dockerCmd(c, "pull", repoName+":dangle2")
+
+	// list images, show tagged images
+	out, _ = dockerCmd(c, "images", "--digests")
+
+	// make sure image 1 has repo, tag, digest
+	c.Assert(reWithDigest1.MatchString(out), checker.True, check.Commentf("expected %q: %s", reWithDigest1.String(), out))
+
+	// make sure image 2 has repo, tag, digest
+	reWithDigest2 := regexp.MustCompile(`\s*` + repoName + `\s*dangle2\s*` + digest2.String() + `\s`)
+	c.Assert(reWithDigest2.MatchString(out), checker.True, check.Commentf("expected %q: %s", reWithDigest2.String(), out))
+
+	// list images, no longer dangling, should not match
+	out, _ = dockerCmd(c, "images", "--digests", "--filter=dangling=true")
+
+	// make sure image 1 has repo, tag, digest
+	c.Assert(reWithDigest1.MatchString(out), checker.False, check.Commentf("unexpected %q: %s", reWithDigest1.String(), out))
+	// make sure image 2 has repo, tag, digest
+	c.Assert(reWithDigest2.MatchString(out), checker.False, check.Commentf("unexpected %q: %s", reWithDigest2.String(), out))
+}
+
+func (s *DockerRegistrySuite) TestInspectImageWithDigests(c *check.C) {
+	digest, err := setupImage(c)
+	c.Assert(err, check.IsNil, check.Commentf("error setting up image"))
+
+	imageReference := fmt.Sprintf("%s@%s", repoName, digest)
+
+	// pull from the registry using the <name>@<digest> reference
+	dockerCmd(c, "pull", imageReference)
+
+	out, _ := dockerCmd(c, "inspect", imageReference)
+
+	var imageJSON []types.ImageInspect
+	err = json.Unmarshal([]byte(out), &imageJSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(imageJSON, checker.HasLen, 1)
+	c.Assert(imageJSON[0].RepoDigests, checker.HasLen, 1)
+	assert.Check(c, is.Contains(imageJSON[0].RepoDigests, imageReference))
+}
+
+func (s *DockerRegistrySuite) TestPsListContainersFilterAncestorImageByDigest(c *check.C) {
+	existingContainers := ExistingContainerIDs(c)
+
+	digest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	imageReference := fmt.Sprintf("%s@%s", repoName, digest)
+
+	// pull from the registry using the <name>@<digest> reference
+	dockerCmd(c, "pull", imageReference)
+
+	// build an image from it
+	imageName1 := "images_ps_filter_test"
+	buildImageSuccessfully(c, imageName1, build.WithDockerfile(fmt.Sprintf(
+		`FROM %s
+		 LABEL match me 1`, imageReference)))
+
+	// run a container based on that
+	dockerCmd(c, "run", "--name=test1", imageReference, "echo", "hello")
+	expectedID := getIDByName(c, "test1")
+
+	// run a container based on the a descendant of that too
+	dockerCmd(c, "run", "--name=test2", imageName1, "echo", "hello")
+	expectedID1 := getIDByName(c, "test2")
+
+	expectedIDs := []string{expectedID, expectedID1}
+
+	// Invalid imageReference
+	out, _ := dockerCmd(c, "ps", "-a", "-q", "--no-trunc", fmt.Sprintf("--filter=ancestor=busybox@%s", digest))
+	// Filter container for ancestor filter should be empty
+	c.Assert(strings.TrimSpace(out), checker.Equals, "")
+
+	// Valid imageReference
+	out, _ = dockerCmd(c, "ps", "-a", "-q", "--no-trunc", "--filter=ancestor="+imageReference)
+	checkPsAncestorFilterOutput(c, RemoveOutputForExistingElements(out, existingContainers), imageReference, expectedIDs)
+}
+
+func (s *DockerRegistrySuite) TestDeleteImageByIDOnlyPulledByDigest(c *check.C) {
+	pushDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	// pull from the registry using the <name>@<digest> reference
+	imageReference := fmt.Sprintf("%s@%s", repoName, pushDigest)
+	dockerCmd(c, "pull", imageReference)
+	// just in case...
+
+	dockerCmd(c, "tag", imageReference, repoName+":sometag")
+
+	imageID := inspectField(c, imageReference, "Id")
+
+	dockerCmd(c, "rmi", imageID)
+
+	_, err = inspectFieldWithError(imageID, "Id")
+	c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
+}
+
+func (s *DockerRegistrySuite) TestDeleteImageWithDigestAndTag(c *check.C) {
+	pushDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	// pull from the registry using the <name>@<digest> reference
+	imageReference := fmt.Sprintf("%s@%s", repoName, pushDigest)
+	dockerCmd(c, "pull", imageReference)
+
+	imageID := inspectField(c, imageReference, "Id")
+
+	repoTag := repoName + ":sometag"
+	repoTag2 := repoName + ":othertag"
+	dockerCmd(c, "tag", imageReference, repoTag)
+	dockerCmd(c, "tag", imageReference, repoTag2)
+
+	dockerCmd(c, "rmi", repoTag2)
+
+	// rmi should have deleted only repoTag2, because there's another tag
+	inspectField(c, repoTag, "Id")
+
+	dockerCmd(c, "rmi", repoTag)
+
+	// rmi should have deleted the tag, the digest reference, and the image itself
+	_, err = inspectFieldWithError(imageID, "Id")
+	c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
+}
+
+func (s *DockerRegistrySuite) TestDeleteImageWithDigestAndMultiRepoTag(c *check.C) {
+	pushDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	repo2 := fmt.Sprintf("%s/%s", repoName, "repo2")
+
+	// pull from the registry using the <name>@<digest> reference
+	imageReference := fmt.Sprintf("%s@%s", repoName, pushDigest)
+	dockerCmd(c, "pull", imageReference)
+
+	imageID := inspectField(c, imageReference, "Id")
+
+	repoTag := repoName + ":sometag"
+	repoTag2 := repo2 + ":othertag"
+	dockerCmd(c, "tag", imageReference, repoTag)
+	dockerCmd(c, "tag", imageReference, repoTag2)
+
+	dockerCmd(c, "rmi", repoTag)
+
+	// rmi should have deleted repoTag and image reference, but left repoTag2
+	inspectField(c, repoTag2, "Id")
+	_, err = inspectFieldWithError(imageReference, "Id")
+	c.Assert(err, checker.NotNil, check.Commentf("image digest reference should have been removed"))
+
+	_, err = inspectFieldWithError(repoTag, "Id")
+	c.Assert(err, checker.NotNil, check.Commentf("image tag reference should have been removed"))
+
+	dockerCmd(c, "rmi", repoTag2)
+
+	// rmi should have deleted the tag, the digest reference, and the image itself
+	_, err = inspectFieldWithError(imageID, "Id")
+	c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))
+}
+
+// TestPullFailsWithAlteredManifest tests that a `docker pull` fails when
+// we have modified a manifest blob and its digest cannot be verified.
+// This is the schema2 version of the test.
+func (s *DockerRegistrySuite) TestPullFailsWithAlteredManifest(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	manifestDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	// Load the target manifest blob.
+	manifestBlob := s.reg.ReadBlobContents(c, manifestDigest)
+
+	var imgManifest schema2.Manifest
+	err = json.Unmarshal(manifestBlob, &imgManifest)
+	c.Assert(err, checker.IsNil, check.Commentf("unable to decode image manifest from blob"))
+
+	// Change a layer in the manifest.
+	imgManifest.Layers[0].Digest = digest.Digest("sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
+
+	// Move the existing data file aside, so that we can replace it with a
+	// malicious blob of data. NOTE: we defer the returned undo func.
+	undo := s.reg.TempMoveBlobData(c, manifestDigest)
+	defer undo()
+
+	alteredManifestBlob, err := json.MarshalIndent(imgManifest, "", "   ")
+	c.Assert(err, checker.IsNil, check.Commentf("unable to encode altered image manifest to JSON"))
+
+	s.reg.WriteBlobContents(c, manifestDigest, alteredManifestBlob)
+
+	// Now try pulling that image by digest. We should get an error about
+	// digest verification for the manifest digest.
+
+	// Pull from the registry using the <name>@<digest> reference.
+	imageReference := fmt.Sprintf("%s@%s", repoName, manifestDigest)
+	out, exitStatus, _ := dockerCmdWithError("pull", imageReference)
+	c.Assert(exitStatus, checker.Not(check.Equals), 0)
+
+	expectedErrorMsg := fmt.Sprintf("manifest verification failed for digest %s", manifestDigest)
+	c.Assert(out, checker.Contains, expectedErrorMsg)
+}
+
+// TestPullFailsWithAlteredManifest tests that a `docker pull` fails when
+// we have modified a manifest blob and its digest cannot be verified.
+// This is the schema1 version of the test.
+func (s *DockerSchema1RegistrySuite) TestPullFailsWithAlteredManifest(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	manifestDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	// Load the target manifest blob.
+	manifestBlob := s.reg.ReadBlobContents(c, manifestDigest)
+
+	var imgManifest schema1.Manifest
+	err = json.Unmarshal(manifestBlob, &imgManifest)
+	c.Assert(err, checker.IsNil, check.Commentf("unable to decode image manifest from blob"))
+
+	// Change a layer in the manifest.
+	imgManifest.FSLayers[0] = schema1.FSLayer{
+		BlobSum: digest.Digest("sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"),
+	}
+
+	// Move the existing data file aside, so that we can replace it with a
+	// malicious blob of data. NOTE: we defer the returned undo func.
+	undo := s.reg.TempMoveBlobData(c, manifestDigest)
+	defer undo()
+
+	alteredManifestBlob, err := json.MarshalIndent(imgManifest, "", "   ")
+	c.Assert(err, checker.IsNil, check.Commentf("unable to encode altered image manifest to JSON"))
+
+	s.reg.WriteBlobContents(c, manifestDigest, alteredManifestBlob)
+
+	// Now try pulling that image by digest. We should get an error about
+	// digest verification for the manifest digest.
+
+	// Pull from the registry using the <name>@<digest> reference.
+	imageReference := fmt.Sprintf("%s@%s", repoName, manifestDigest)
+	out, exitStatus, _ := dockerCmdWithError("pull", imageReference)
+	c.Assert(exitStatus, checker.Not(check.Equals), 0)
+
+	expectedErrorMsg := fmt.Sprintf("image verification failed for digest %s", manifestDigest)
+	c.Assert(out, checker.Contains, expectedErrorMsg)
+}
+
+// TestPullFailsWithAlteredLayer tests that a `docker pull` fails when
+// we have modified a layer blob and its digest cannot be verified.
+// This is the schema2 version of the test.
+func (s *DockerRegistrySuite) TestPullFailsWithAlteredLayer(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	manifestDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil)
+
+	// Load the target manifest blob.
+	manifestBlob := s.reg.ReadBlobContents(c, manifestDigest)
+
+	var imgManifest schema2.Manifest
+	err = json.Unmarshal(manifestBlob, &imgManifest)
+	c.Assert(err, checker.IsNil)
+
+	// Next, get the digest of one of the layers from the manifest.
+	targetLayerDigest := imgManifest.Layers[0].Digest
+
+	// Move the existing data file aside, so that we can replace it with a
+	// malicious blob of data. NOTE: we defer the returned undo func.
+	undo := s.reg.TempMoveBlobData(c, targetLayerDigest)
+	defer undo()
+
+	// Now make a fake data blob in this directory.
+	s.reg.WriteBlobContents(c, targetLayerDigest, []byte("This is not the data you are looking for."))
+
+	// Now try pulling that image by digest. We should get an error about
+	// digest verification for the target layer digest.
+
+	// Remove distribution cache to force a re-pull of the blobs
+	if err := os.RemoveAll(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "image", s.d.StorageDriver(), "distribution")); err != nil {
+		c.Fatalf("error clearing distribution cache: %v", err)
+	}
+
+	// Pull from the registry using the <name>@<digest> reference.
+	imageReference := fmt.Sprintf("%s@%s", repoName, manifestDigest)
+	out, exitStatus, _ := dockerCmdWithError("pull", imageReference)
+	c.Assert(exitStatus, checker.Not(check.Equals), 0, check.Commentf("expected a non-zero exit status"))
+
+	expectedErrorMsg := fmt.Sprintf("filesystem layer verification failed for digest %s", targetLayerDigest)
+	c.Assert(out, checker.Contains, expectedErrorMsg, check.Commentf("expected error message in output: %s", out))
+}
+
+// TestPullFailsWithAlteredLayer tests that a `docker pull` fails when
+// we have modified a layer blob and its digest cannot be verified.
+// This is the schema1 version of the test.
+func (s *DockerSchema1RegistrySuite) TestPullFailsWithAlteredLayer(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	manifestDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil)
+
+	// Load the target manifest blob.
+	manifestBlob := s.reg.ReadBlobContents(c, manifestDigest)
+
+	var imgManifest schema1.Manifest
+	err = json.Unmarshal(manifestBlob, &imgManifest)
+	c.Assert(err, checker.IsNil)
+
+	// Next, get the digest of one of the layers from the manifest.
+	targetLayerDigest := imgManifest.FSLayers[0].BlobSum
+
+	// Move the existing data file aside, so that we can replace it with a
+	// malicious blob of data. NOTE: we defer the returned undo func.
+	undo := s.reg.TempMoveBlobData(c, targetLayerDigest)
+	defer undo()
+
+	// Now make a fake data blob in this directory.
+	s.reg.WriteBlobContents(c, targetLayerDigest, []byte("This is not the data you are looking for."))
+
+	// Now try pulling that image by digest. We should get an error about
+	// digest verification for the target layer digest.
+
+	// Remove distribution cache to force a re-pull of the blobs
+	if err := os.RemoveAll(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "image", s.d.StorageDriver(), "distribution")); err != nil {
+		c.Fatalf("error clearing distribution cache: %v", err)
+	}
+
+	// Pull from the registry using the <name>@<digest> reference.
+	imageReference := fmt.Sprintf("%s@%s", repoName, manifestDigest)
+	out, exitStatus, _ := dockerCmdWithError("pull", imageReference)
+	c.Assert(exitStatus, checker.Not(check.Equals), 0, check.Commentf("expected a non-zero exit status"))
+
+	expectedErrorMsg := fmt.Sprintf("filesystem layer verification failed for digest %s", targetLayerDigest)
+	c.Assert(out, checker.Contains, expectedErrorMsg, check.Commentf("expected error message in output: %s", out))
+}
diff --git a/engine/integration-cli/docker_cli_commit_test.go b/engine/integration-cli/docker_cli_commit_test.go
new file mode 100644
index 00000000..79c5f731
--- /dev/null
+++ b/engine/integration-cli/docker_cli_commit_test.go
@@ -0,0 +1,168 @@
+package main
+
+import (
+	"strings"
+
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestCommitAfterContainerIsDone(c *check.C) {
+	out := cli.DockerCmd(c, "run", "-i", "-a", "stdin", "busybox", "echo", "foo").Combined()
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	cli.DockerCmd(c, "wait", cleanedContainerID)
+
+	out = cli.DockerCmd(c, "commit", cleanedContainerID).Combined()
+
+	cleanedImageID := strings.TrimSpace(out)
+
+	cli.DockerCmd(c, "inspect", cleanedImageID)
+}
+
+func (s *DockerSuite) TestCommitWithoutPause(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-i", "-a", "stdin", "busybox", "echo", "foo")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	dockerCmd(c, "wait", cleanedContainerID)
+
+	out, _ = dockerCmd(c, "commit", "-p=false", cleanedContainerID)
+
+	cleanedImageID := strings.TrimSpace(out)
+
+	dockerCmd(c, "inspect", cleanedImageID)
+}
+
+//test commit a paused container should not unpause it after commit
+func (s *DockerSuite) TestCommitPausedContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-i", "-d", "busybox")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	dockerCmd(c, "pause", cleanedContainerID)
+
+	out, _ = dockerCmd(c, "commit", cleanedContainerID)
+
+	out = inspectField(c, cleanedContainerID, "State.Paused")
+	// commit should not unpause a paused container
+	c.Assert(out, checker.Contains, "true")
+}
+
+func (s *DockerSuite) TestCommitNewFile(c *check.C) {
+	dockerCmd(c, "run", "--name", "committer", "busybox", "/bin/sh", "-c", "echo koye > /foo")
+
+	imageID, _ := dockerCmd(c, "commit", "committer")
+	imageID = strings.TrimSpace(imageID)
+
+	out, _ := dockerCmd(c, "run", imageID, "cat", "/foo")
+	actual := strings.TrimSpace(out)
+	c.Assert(actual, checker.Equals, "koye")
+}
+
+func (s *DockerSuite) TestCommitHardlink(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	firstOutput, _ := dockerCmd(c, "run", "-t", "--name", "hardlinks", "busybox", "sh", "-c", "touch file1 && ln file1 file2 && ls -di file1 file2")
+
+	chunks := strings.Split(strings.TrimSpace(firstOutput), " ")
+	inode := chunks[0]
+	chunks = strings.SplitAfterN(strings.TrimSpace(firstOutput), " ", 2)
+	c.Assert(chunks[1], checker.Contains, chunks[0], check.Commentf("Failed to create hardlink in a container. Expected to find %q in %q", inode, chunks[1:]))
+
+	imageID, _ := dockerCmd(c, "commit", "hardlinks", "hardlinks")
+	imageID = strings.TrimSpace(imageID)
+
+	secondOutput, _ := dockerCmd(c, "run", "-t", imageID, "ls", "-di", "file1", "file2")
+
+	chunks = strings.Split(strings.TrimSpace(secondOutput), " ")
+	inode = chunks[0]
+	chunks = strings.SplitAfterN(strings.TrimSpace(secondOutput), " ", 2)
+	c.Assert(chunks[1], checker.Contains, chunks[0], check.Commentf("Failed to create hardlink in a container. Expected to find %q in %q", inode, chunks[1:]))
+}
+
+func (s *DockerSuite) TestCommitTTY(c *check.C) {
+	dockerCmd(c, "run", "-t", "--name", "tty", "busybox", "/bin/ls")
+
+	imageID, _ := dockerCmd(c, "commit", "tty", "ttytest")
+	imageID = strings.TrimSpace(imageID)
+
+	dockerCmd(c, "run", imageID, "/bin/ls")
+}
+
+func (s *DockerSuite) TestCommitWithHostBindMount(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "--name", "bind-commit", "-v", "/dev/null:/winning", "busybox", "true")
+
+	imageID, _ := dockerCmd(c, "commit", "bind-commit", "bindtest")
+	imageID = strings.TrimSpace(imageID)
+
+	dockerCmd(c, "run", imageID, "true")
+}
+
+func (s *DockerSuite) TestCommitChange(c *check.C) {
+	dockerCmd(c, "run", "--name", "test", "busybox", "true")
+
+	imageID, _ := dockerCmd(c, "commit",
+		"--change", "EXPOSE 8080",
+		"--change", "ENV DEBUG true",
+		"--change", "ENV test 1",
+		"--change", "ENV PATH /foo",
+		"--change", "LABEL foo bar",
+		"--change", "CMD [\"/bin/sh\"]",
+		"--change", "WORKDIR /opt",
+		"--change", "ENTRYPOINT [\"/bin/sh\"]",
+		"--change", "USER testuser",
+		"--change", "VOLUME /var/lib/docker",
+		"--change", "ONBUILD /usr/local/bin/python-build --dir /app/src",
+		"test", "test-commit")
+	imageID = strings.TrimSpace(imageID)
+
+	expectedEnv := "[DEBUG=true test=1 PATH=/foo]"
+	// bug fixed in 1.36, add min APi >= 1.36 requirement
+	// PR record https://github.com/moby/moby/pull/35582
+	if versions.GreaterThan(testEnv.DaemonAPIVersion(), "1.35") && testEnv.OSType != "windows" {
+		// The ordering here is due to `PATH` being overridden from the container's
+		// ENV.  On windows, the container doesn't have a `PATH` ENV variable so
+		// the ordering is the same as the cli.
+		expectedEnv = "[PATH=/foo DEBUG=true test=1]"
+	}
+
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	prefix = strings.ToUpper(prefix) // Force C: as that's how WORKDIR is normalized on Windows
+	expected := map[string]string{
+		"Config.ExposedPorts": "map[8080/tcp:{}]",
+		"Config.Env":          expectedEnv,
+		"Config.Labels":       "map[foo:bar]",
+		"Config.Cmd":          "[/bin/sh]",
+		"Config.WorkingDir":   prefix + slash + "opt",
+		"Config.Entrypoint":   "[/bin/sh]",
+		"Config.User":         "testuser",
+		"Config.Volumes":      "map[/var/lib/docker:{}]",
+		"Config.OnBuild":      "[/usr/local/bin/python-build --dir /app/src]",
+	}
+
+	for conf, value := range expected {
+		res := inspectField(c, imageID, conf)
+		if res != value {
+			c.Errorf("%s('%s'), expected %s", conf, res, value)
+		}
+	}
+}
+
+func (s *DockerSuite) TestCommitChangeLabels(c *check.C) {
+	dockerCmd(c, "run", "--name", "test", "--label", "some=label", "busybox", "true")
+
+	imageID, _ := dockerCmd(c, "commit",
+		"--change", "LABEL some=label2",
+		"test", "test-commit")
+	imageID = strings.TrimSpace(imageID)
+
+	c.Assert(inspectField(c, imageID, "Config.Labels"), checker.Equals, "map[some:label2]")
+	// check that container labels didn't change
+	c.Assert(inspectField(c, "test", "Config.Labels"), checker.Equals, "map[some:label]")
+}
diff --git a/engine/integration-cli/docker_cli_config_create_test.go b/engine/integration-cli/docker_cli_config_create_test.go
new file mode 100644
index 00000000..b8232548
--- /dev/null
+++ b/engine/integration-cli/docker_cli_config_create_test.go
@@ -0,0 +1,131 @@
+// +build !windows
+
+package main
+
+import (
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSwarmSuite) TestConfigCreate(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	testName := "test_config"
+	id := d.CreateConfig(c, swarm.ConfigSpec{
+		Annotations: swarm.Annotations{
+			Name: testName,
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("configs: %s", id))
+
+	config := d.GetConfig(c, id)
+	c.Assert(config.Spec.Name, checker.Equals, testName)
+}
+
+func (s *DockerSwarmSuite) TestConfigCreateWithLabels(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	testName := "test_config"
+	id := d.CreateConfig(c, swarm.ConfigSpec{
+		Annotations: swarm.Annotations{
+			Name: testName,
+			Labels: map[string]string{
+				"key1": "value1",
+				"key2": "value2",
+			},
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("configs: %s", id))
+
+	config := d.GetConfig(c, id)
+	c.Assert(config.Spec.Name, checker.Equals, testName)
+	c.Assert(len(config.Spec.Labels), checker.Equals, 2)
+	c.Assert(config.Spec.Labels["key1"], checker.Equals, "value1")
+	c.Assert(config.Spec.Labels["key2"], checker.Equals, "value2")
+}
+
+// Test case for 28884
+func (s *DockerSwarmSuite) TestConfigCreateResolve(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "test_config"
+	id := d.CreateConfig(c, swarm.ConfigSpec{
+		Annotations: swarm.Annotations{
+			Name: name,
+		},
+		Data: []byte("foo"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("configs: %s", id))
+
+	fake := d.CreateConfig(c, swarm.ConfigSpec{
+		Annotations: swarm.Annotations{
+			Name: id,
+		},
+		Data: []byte("fake foo"),
+	})
+	c.Assert(fake, checker.Not(checker.Equals), "", check.Commentf("configs: %s", fake))
+
+	out, err := d.Cmd("config", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+	c.Assert(out, checker.Contains, fake)
+
+	out, err = d.Cmd("config", "rm", id)
+	c.Assert(out, checker.Contains, id)
+
+	// Fake one will remain
+	out, err = d.Cmd("config", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name)
+	c.Assert(out, checker.Contains, fake)
+
+	// Remove based on name prefix of the fake one
+	// (which is the same as the ID of foo one) should not work
+	// as search is only done based on:
+	// - Full ID
+	// - Full Name
+	// - Partial ID (prefix)
+	out, err = d.Cmd("config", "rm", id[:5])
+	c.Assert(out, checker.Not(checker.Contains), id)
+	out, err = d.Cmd("config", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name)
+	c.Assert(out, checker.Contains, fake)
+
+	// Remove based on ID prefix of the fake one should succeed
+	out, err = d.Cmd("config", "rm", fake[:5])
+	c.Assert(out, checker.Contains, fake[:5])
+	out, err = d.Cmd("config", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name)
+	c.Assert(out, checker.Not(checker.Contains), id)
+	c.Assert(out, checker.Not(checker.Contains), fake)
+}
+
+func (s *DockerSwarmSuite) TestConfigCreateWithFile(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	testFile, err := ioutil.TempFile("", "configCreateTest")
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create temporary file"))
+	defer os.Remove(testFile.Name())
+
+	testData := "TESTINGDATA"
+	_, err = testFile.Write([]byte(testData))
+	c.Assert(err, checker.IsNil, check.Commentf("failed to write to temporary file"))
+
+	testName := "test_config"
+	out, err := d.Cmd("config", "create", testName, testFile.Name())
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "", check.Commentf(out))
+
+	id := strings.TrimSpace(out)
+	config := d.GetConfig(c, id)
+	c.Assert(config.Spec.Name, checker.Equals, testName)
+}
diff --git a/engine/integration-cli/docker_cli_cp_from_container_test.go b/engine/integration-cli/docker_cli_cp_from_container_test.go
new file mode 100644
index 00000000..499be545
--- /dev/null
+++ b/engine/integration-cli/docker_cli_cp_from_container_test.go
@@ -0,0 +1,399 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+// Try all of the test cases from the archive package which implements the
+// internals of `docker cp` and ensure that the behavior matches when actually
+// copying to and from containers.
+
+// Basic assumptions about SRC and DST:
+// 1. SRC must exist.
+// 2. If SRC ends with a trailing separator, it must be a directory.
+// 3. DST parent directory must exist.
+// 4. If DST exists as a file, it must not end with a trailing separator.
+
+// Check that copying from a container to a local symlink copies to the symlink
+// target and does not overwrite the local symlink itself.
+// TODO: move to docker/cli and/or integration/container/copy_test.go
+func (s *DockerSuite) TestCpFromSymlinkDestination(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{addContent: true})
+
+	tmpDir := getTestDir(c, "test-cp-from-err-dst-not-dir")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	// First, copy a file from the container to a symlink to a file. This
+	// should overwrite the symlink target contents with the source contents.
+	srcPath := containerCpPath(containerID, "/file2")
+	dstPath := cpPath(tmpDir, "symlinkToFile1")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// The symlink should not have been modified.
+	c.Assert(symlinkTargetEquals(c, dstPath, "file1"), checker.IsNil)
+
+	// The file should have the contents of "file2" now.
+	c.Assert(fileContentEquals(c, cpPath(tmpDir, "file1"), "file2\n"), checker.IsNil)
+
+	// Next, copy a file from the container to a symlink to a directory. This
+	// should copy the file into the symlink target directory.
+	dstPath = cpPath(tmpDir, "symlinkToDir1")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// The symlink should not have been modified.
+	c.Assert(symlinkTargetEquals(c, dstPath, "dir1"), checker.IsNil)
+
+	// The file should have the contents of "file2" now.
+	c.Assert(fileContentEquals(c, cpPath(tmpDir, "file2"), "file2\n"), checker.IsNil)
+
+	// Next, copy a file from the container to a symlink to a file that does
+	// not exist (a broken symlink). This should create the target file with
+	// the contents of the source file.
+	dstPath = cpPath(tmpDir, "brokenSymlinkToFileX")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// The symlink should not have been modified.
+	c.Assert(symlinkTargetEquals(c, dstPath, "fileX"), checker.IsNil)
+
+	// The file should have the contents of "file2" now.
+	c.Assert(fileContentEquals(c, cpPath(tmpDir, "fileX"), "file2\n"), checker.IsNil)
+
+	// Next, copy a directory from the container to a symlink to a local
+	// directory. This should copy the directory into the symlink target
+	// directory and not modify the symlink.
+	srcPath = containerCpPath(containerID, "/dir2")
+	dstPath = cpPath(tmpDir, "symlinkToDir1")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// The symlink should not have been modified.
+	c.Assert(symlinkTargetEquals(c, dstPath, "dir1"), checker.IsNil)
+
+	// The directory should now contain a copy of "dir2".
+	c.Assert(fileContentEquals(c, cpPath(tmpDir, "dir1/dir2/file2-1"), "file2-1\n"), checker.IsNil)
+
+	// Next, copy a directory from the container to a symlink to a local
+	// directory that does not exist (a broken symlink). This should create
+	// the target as a directory with the contents of the source directory. It
+	// should not modify the symlink.
+	dstPath = cpPath(tmpDir, "brokenSymlinkToDirX")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// The symlink should not have been modified.
+	c.Assert(symlinkTargetEquals(c, dstPath, "dirX"), checker.IsNil)
+
+	// The "dirX" directory should now be a copy of "dir2".
+	c.Assert(fileContentEquals(c, cpPath(tmpDir, "dirX/file2-1"), "file2-1\n"), checker.IsNil)
+}
+
+// Possibilities are reduced to the remaining 10 cases:
+//
+//  case | srcIsDir | onlyDirContents | dstExists | dstIsDir | dstTrSep | action
+// ===================================================================================================
+//   A   |  no      |  -              |  no       |  -       |  no      |  create file
+//   B   |  no      |  -              |  no       |  -       |  yes     |  error
+//   C   |  no      |  -              |  yes      |  no      |  -       |  overwrite file
+//   D   |  no      |  -              |  yes      |  yes     |  -       |  create file in dst dir
+//   E   |  yes     |  no             |  no       |  -       |  -       |  create dir, copy contents
+//   F   |  yes     |  no             |  yes      |  no      |  -       |  error
+//   G   |  yes     |  no             |  yes      |  yes     |  -       |  copy dir and contents
+//   H   |  yes     |  yes            |  no       |  -       |  -       |  create dir, copy contents
+//   I   |  yes     |  yes            |  yes      |  no      |  -       |  error
+//   J   |  yes     |  yes            |  yes      |  yes     |  -       |  copy dir contents
+//
+
+// A. SRC specifies a file and DST (no trailing path separator) doesn't
+//    exist. This should create a file with the name DST and copy the
+//    contents of the source file into it.
+func (s *DockerSuite) TestCpFromCaseA(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+	})
+
+	tmpDir := getTestDir(c, "test-cp-from-case-a")
+	defer os.RemoveAll(tmpDir)
+
+	srcPath := containerCpPath(containerID, "/root/file1")
+	dstPath := cpPath(tmpDir, "itWorks.txt")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1\n"), checker.IsNil)
+}
+
+// B. SRC specifies a file and DST (with trailing path separator) doesn't
+//    exist. This should cause an error because the copy operation cannot
+//    create a directory when copying a single file.
+func (s *DockerSuite) TestCpFromCaseB(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{addContent: true})
+
+	tmpDir := getTestDir(c, "test-cp-from-case-b")
+	defer os.RemoveAll(tmpDir)
+
+	srcPath := containerCpPath(containerID, "/file1")
+	dstDir := cpPathTrailingSep(tmpDir, "testDir")
+
+	err := runDockerCp(c, srcPath, dstDir, nil)
+	c.Assert(err, checker.NotNil)
+
+	c.Assert(isCpDirNotExist(err), checker.True, check.Commentf("expected DirNotExists error, but got %T: %s", err, err))
+}
+
+// C. SRC specifies a file and DST exists as a file. This should overwrite
+//    the file at DST with the contents of the source file.
+func (s *DockerSuite) TestCpFromCaseC(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+	})
+
+	tmpDir := getTestDir(c, "test-cp-from-case-c")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcPath := containerCpPath(containerID, "/root/file1")
+	dstPath := cpPath(tmpDir, "file2")
+
+	// Ensure the local file starts with different content.
+	c.Assert(fileContentEquals(c, dstPath, "file2\n"), checker.IsNil)
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1\n"), checker.IsNil)
+}
+
+// D. SRC specifies a file and DST exists as a directory. This should place
+//    a copy of the source file inside it using the basename from SRC. Ensure
+//    this works whether DST has a trailing path separator or not.
+func (s *DockerSuite) TestCpFromCaseD(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{addContent: true})
+
+	tmpDir := getTestDir(c, "test-cp-from-case-d")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcPath := containerCpPath(containerID, "/file1")
+	dstDir := cpPath(tmpDir, "dir1")
+	dstPath := filepath.Join(dstDir, "file1")
+
+	// Ensure that dstPath doesn't exist.
+	_, err := os.Stat(dstPath)
+	c.Assert(os.IsNotExist(err), checker.True, check.Commentf("did not expect dstPath %q to exist", dstPath))
+
+	c.Assert(runDockerCp(c, srcPath, dstDir, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1\n"), checker.IsNil)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	// unable to remove dstDir
+	c.Assert(os.RemoveAll(dstDir), checker.IsNil)
+
+	// unable to make dstDir
+	c.Assert(os.MkdirAll(dstDir, os.FileMode(0755)), checker.IsNil)
+
+	dstDir = cpPathTrailingSep(tmpDir, "dir1")
+
+	c.Assert(runDockerCp(c, srcPath, dstDir, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1\n"), checker.IsNil)
+}
+
+// E. SRC specifies a directory and DST does not exist. This should create a
+//    directory at DST and copy the contents of the SRC directory into the DST
+//    directory. Ensure this works whether DST has a trailing path separator or
+//    not.
+func (s *DockerSuite) TestCpFromCaseE(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{addContent: true})
+
+	tmpDir := getTestDir(c, "test-cp-from-case-e")
+	defer os.RemoveAll(tmpDir)
+
+	srcDir := containerCpPath(containerID, "dir1")
+	dstDir := cpPath(tmpDir, "testDir")
+	dstPath := filepath.Join(dstDir, "file1-1")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1-1\n"), checker.IsNil)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	// unable to remove dstDir
+	c.Assert(os.RemoveAll(dstDir), checker.IsNil)
+
+	dstDir = cpPathTrailingSep(tmpDir, "testDir")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1-1\n"), checker.IsNil)
+}
+
+// F. SRC specifies a directory and DST exists as a file. This should cause an
+//    error as it is not possible to overwrite a file with a directory.
+func (s *DockerSuite) TestCpFromCaseF(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+	})
+
+	tmpDir := getTestDir(c, "test-cp-from-case-f")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcDir := containerCpPath(containerID, "/root/dir1")
+	dstFile := cpPath(tmpDir, "file1")
+
+	err := runDockerCp(c, srcDir, dstFile, nil)
+	c.Assert(err, checker.NotNil)
+
+	c.Assert(isCpCannotCopyDir(err), checker.True, check.Commentf("expected ErrCannotCopyDir error, but got %T: %s", err, err))
+}
+
+// G. SRC specifies a directory and DST exists as a directory. This should copy
+//    the SRC directory and all its contents to the DST directory. Ensure this
+//    works whether DST has a trailing path separator or not.
+func (s *DockerSuite) TestCpFromCaseG(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+	})
+
+	tmpDir := getTestDir(c, "test-cp-from-case-g")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcDir := containerCpPath(containerID, "/root/dir1")
+	dstDir := cpPath(tmpDir, "dir2")
+	resultDir := filepath.Join(dstDir, "dir1")
+	dstPath := filepath.Join(resultDir, "file1-1")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1-1\n"), checker.IsNil)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	// unable to remove dstDir
+	c.Assert(os.RemoveAll(dstDir), checker.IsNil)
+
+	// unable to make dstDir
+	c.Assert(os.MkdirAll(dstDir, os.FileMode(0755)), checker.IsNil)
+
+	dstDir = cpPathTrailingSep(tmpDir, "dir2")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1-1\n"), checker.IsNil)
+}
+
+// H. SRC specifies a directory's contents only and DST does not exist. This
+//    should create a directory at DST and copy the contents of the SRC
+//    directory (but not the directory itself) into the DST directory. Ensure
+//    this works whether DST has a trailing path separator or not.
+func (s *DockerSuite) TestCpFromCaseH(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{addContent: true})
+
+	tmpDir := getTestDir(c, "test-cp-from-case-h")
+	defer os.RemoveAll(tmpDir)
+
+	srcDir := containerCpPathTrailingSep(containerID, "dir1") + "."
+	dstDir := cpPath(tmpDir, "testDir")
+	dstPath := filepath.Join(dstDir, "file1-1")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1-1\n"), checker.IsNil)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	// unable to remove resultDir
+	c.Assert(os.RemoveAll(dstDir), checker.IsNil)
+
+	dstDir = cpPathTrailingSep(tmpDir, "testDir")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1-1\n"), checker.IsNil)
+}
+
+// I. SRC specifies a directory's contents only and DST exists as a file. This
+//    should cause an error as it is not possible to overwrite a file with a
+//    directory.
+func (s *DockerSuite) TestCpFromCaseI(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+	})
+
+	tmpDir := getTestDir(c, "test-cp-from-case-i")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcDir := containerCpPathTrailingSep(containerID, "/root/dir1") + "."
+	dstFile := cpPath(tmpDir, "file1")
+
+	err := runDockerCp(c, srcDir, dstFile, nil)
+	c.Assert(err, checker.NotNil)
+
+	c.Assert(isCpCannotCopyDir(err), checker.True, check.Commentf("expected ErrCannotCopyDir error, but got %T: %s", err, err))
+}
+
+// J. SRC specifies a directory's contents only and DST exists as a directory.
+//    This should copy the contents of the SRC directory (but not the directory
+//    itself) into the DST directory. Ensure this works whether DST has a
+//    trailing path separator or not.
+func (s *DockerSuite) TestCpFromCaseJ(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+	})
+
+	tmpDir := getTestDir(c, "test-cp-from-case-j")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcDir := containerCpPathTrailingSep(containerID, "/root/dir1") + "."
+	dstDir := cpPath(tmpDir, "dir2")
+	dstPath := filepath.Join(dstDir, "file1-1")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1-1\n"), checker.IsNil)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	// unable to remove dstDir
+	c.Assert(os.RemoveAll(dstDir), checker.IsNil)
+
+	// unable to make dstDir
+	c.Assert(os.MkdirAll(dstDir, os.FileMode(0755)), checker.IsNil)
+
+	dstDir = cpPathTrailingSep(tmpDir, "dir2")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	c.Assert(fileContentEquals(c, dstPath, "file1-1\n"), checker.IsNil)
+}
diff --git a/engine/integration-cli/docker_cli_cp_test.go b/engine/integration-cli/docker_cli_cp_test.go
new file mode 100644
index 00000000..ec53712f
--- /dev/null
+++ b/engine/integration-cli/docker_cli_cp_test.go
@@ -0,0 +1,664 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+const (
+	cpTestPathParent = "/some"
+	cpTestPath       = "/some/path"
+	cpTestName       = "test"
+	cpFullPath       = "/some/path/test"
+
+	cpContainerContents = "holla, i am the container"
+	cpHostContents      = "hello, i am the host"
+)
+
+// Ensure that an all-local path case returns an error.
+func (s *DockerSuite) TestCpLocalOnly(c *check.C) {
+	err := runDockerCp(c, "foo", "bar", nil)
+	c.Assert(err, checker.NotNil)
+
+	c.Assert(err.Error(), checker.Contains, "must specify at least one container source")
+}
+
+// Test for #5656
+// Check that garbage paths don't escape the container's rootfs
+func (s *DockerSuite) TestCpGarbagePath(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir -p '"+cpTestPath+"' && echo -n '"+cpContainerContents+"' > "+cpFullPath)
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	c.Assert(os.MkdirAll(cpTestPath, os.ModeDir), checker.IsNil)
+
+	hostFile, err := os.Create(cpFullPath)
+	c.Assert(err, checker.IsNil)
+	defer hostFile.Close()
+	defer os.RemoveAll(cpTestPathParent)
+
+	fmt.Fprintf(hostFile, "%s", cpHostContents)
+
+	tmpdir, err := ioutil.TempDir("", "docker-integration")
+	c.Assert(err, checker.IsNil)
+
+	tmpname := filepath.Join(tmpdir, cpTestName)
+	defer os.RemoveAll(tmpdir)
+
+	path := path.Join("../../../../../../../../../../../../", cpFullPath)
+
+	dockerCmd(c, "cp", containerID+":"+path, tmpdir)
+
+	file, _ := os.Open(tmpname)
+	defer file.Close()
+
+	test, err := ioutil.ReadAll(file)
+	c.Assert(err, checker.IsNil)
+
+	// output matched host file -- garbage path can escape container rootfs
+	c.Assert(string(test), checker.Not(checker.Equals), cpHostContents)
+
+	// output doesn't match the input for garbage path
+	c.Assert(string(test), checker.Equals, cpContainerContents)
+}
+
+// Check that relative paths are relative to the container's rootfs
+func (s *DockerSuite) TestCpRelativePath(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir -p '"+cpTestPath+"' && echo -n '"+cpContainerContents+"' > "+cpFullPath)
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	c.Assert(os.MkdirAll(cpTestPath, os.ModeDir), checker.IsNil)
+
+	hostFile, err := os.Create(cpFullPath)
+	c.Assert(err, checker.IsNil)
+	defer hostFile.Close()
+	defer os.RemoveAll(cpTestPathParent)
+
+	fmt.Fprintf(hostFile, "%s", cpHostContents)
+
+	tmpdir, err := ioutil.TempDir("", "docker-integration")
+	c.Assert(err, checker.IsNil)
+
+	tmpname := filepath.Join(tmpdir, cpTestName)
+	defer os.RemoveAll(tmpdir)
+
+	var relPath string
+	if path.IsAbs(cpFullPath) {
+		// normally this is `filepath.Rel("/", cpFullPath)` but we cannot
+		// get this unix-path manipulation on windows with filepath.
+		relPath = cpFullPath[1:]
+	}
+	c.Assert(path.IsAbs(cpFullPath), checker.True, check.Commentf("path %s was assumed to be an absolute path", cpFullPath))
+
+	dockerCmd(c, "cp", containerID+":"+relPath, tmpdir)
+
+	file, _ := os.Open(tmpname)
+	defer file.Close()
+
+	test, err := ioutil.ReadAll(file)
+	c.Assert(err, checker.IsNil)
+
+	// output matched host file -- relative path can escape container rootfs
+	c.Assert(string(test), checker.Not(checker.Equals), cpHostContents)
+
+	// output doesn't match the input for relative path
+	c.Assert(string(test), checker.Equals, cpContainerContents)
+}
+
+// Check that absolute paths are relative to the container's rootfs
+func (s *DockerSuite) TestCpAbsolutePath(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir -p '"+cpTestPath+"' && echo -n '"+cpContainerContents+"' > "+cpFullPath)
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	c.Assert(os.MkdirAll(cpTestPath, os.ModeDir), checker.IsNil)
+
+	hostFile, err := os.Create(cpFullPath)
+	c.Assert(err, checker.IsNil)
+	defer hostFile.Close()
+	defer os.RemoveAll(cpTestPathParent)
+
+	fmt.Fprintf(hostFile, "%s", cpHostContents)
+
+	tmpdir, err := ioutil.TempDir("", "docker-integration")
+	c.Assert(err, checker.IsNil)
+
+	tmpname := filepath.Join(tmpdir, cpTestName)
+	defer os.RemoveAll(tmpdir)
+
+	path := cpFullPath
+
+	dockerCmd(c, "cp", containerID+":"+path, tmpdir)
+
+	file, _ := os.Open(tmpname)
+	defer file.Close()
+
+	test, err := ioutil.ReadAll(file)
+	c.Assert(err, checker.IsNil)
+
+	// output matched host file -- absolute path can escape container rootfs
+	c.Assert(string(test), checker.Not(checker.Equals), cpHostContents)
+
+	// output doesn't match the input for absolute path
+	c.Assert(string(test), checker.Equals, cpContainerContents)
+}
+
+// Test for #5619
+// Check that absolute symlinks are still relative to the container's rootfs
+func (s *DockerSuite) TestCpAbsoluteSymlink(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir -p '"+cpTestPath+"' && echo -n '"+cpContainerContents+"' > "+cpFullPath+" && ln -s "+cpFullPath+" container_path")
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	c.Assert(os.MkdirAll(cpTestPath, os.ModeDir), checker.IsNil)
+
+	hostFile, err := os.Create(cpFullPath)
+	c.Assert(err, checker.IsNil)
+	defer hostFile.Close()
+	defer os.RemoveAll(cpTestPathParent)
+
+	fmt.Fprintf(hostFile, "%s", cpHostContents)
+
+	tmpdir, err := ioutil.TempDir("", "docker-integration")
+	c.Assert(err, checker.IsNil)
+
+	tmpname := filepath.Join(tmpdir, "container_path")
+	defer os.RemoveAll(tmpdir)
+
+	path := path.Join("/", "container_path")
+
+	dockerCmd(c, "cp", containerID+":"+path, tmpdir)
+
+	// We should have copied a symlink *NOT* the file itself!
+	linkTarget, err := os.Readlink(tmpname)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(linkTarget, checker.Equals, filepath.FromSlash(cpFullPath))
+}
+
+// Check that symlinks to a directory behave as expected when copying one from
+// a container.
+func (s *DockerSuite) TestCpFromSymlinkToDirectory(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir -p '"+cpTestPath+"' && echo -n '"+cpContainerContents+"' > "+cpFullPath+" && ln -s "+cpTestPathParent+" /dir_link")
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	testDir, err := ioutil.TempDir("", "test-cp-from-symlink-to-dir-")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(testDir)
+
+	// This copy command should copy the symlink, not the target, into the
+	// temporary directory.
+	dockerCmd(c, "cp", containerID+":"+"/dir_link", testDir)
+
+	expectedPath := filepath.Join(testDir, "dir_link")
+	linkTarget, err := os.Readlink(expectedPath)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(linkTarget, checker.Equals, filepath.FromSlash(cpTestPathParent))
+
+	os.Remove(expectedPath)
+
+	// This copy command should resolve the symlink (note the trailing
+	// separator), copying the target into the temporary directory.
+	dockerCmd(c, "cp", containerID+":"+"/dir_link/", testDir)
+
+	// It *should not* have copied the directory using the target's name, but
+	// used the given name instead.
+	unexpectedPath := filepath.Join(testDir, cpTestPathParent)
+	stat, err := os.Lstat(unexpectedPath)
+	if err == nil {
+		out = fmt.Sprintf("target name was copied: %q - %q", stat.Mode(), stat.Name())
+	}
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+
+	// It *should* have copied the directory using the asked name "dir_link".
+	stat, err = os.Lstat(expectedPath)
+	c.Assert(err, checker.IsNil, check.Commentf("unable to stat resource at %q", expectedPath))
+
+	c.Assert(stat.IsDir(), checker.True, check.Commentf("should have copied a directory but got %q instead", stat.Mode()))
+}
+
+// Check that symlinks to a directory behave as expected when copying one to a
+// container.
+func (s *DockerSuite) TestCpToSymlinkToDirectory(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, SameHostDaemon) // Requires local volume mount bind.
+
+	testVol, err := ioutil.TempDir("", "test-cp-to-symlink-to-dir-")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(testVol)
+
+	// Create a test container with a local volume. We will test by copying
+	// to the volume path in the container which we can then verify locally.
+	out, _ := dockerCmd(c, "create", "-v", testVol+":/testVol", "busybox")
+
+	containerID := strings.TrimSpace(out)
+
+	// Create a temp directory to hold a test file nested in a directory.
+	testDir, err := ioutil.TempDir("", "test-cp-to-symlink-to-dir-")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(testDir)
+
+	// This file will be at "/testDir/some/path/test" and will be copied into
+	// the test volume later.
+	hostTestFilename := filepath.Join(testDir, cpFullPath)
+	c.Assert(os.MkdirAll(filepath.Dir(hostTestFilename), os.FileMode(0700)), checker.IsNil)
+	c.Assert(ioutil.WriteFile(hostTestFilename, []byte(cpHostContents), os.FileMode(0600)), checker.IsNil)
+
+	// Now create another temp directory to hold a symlink to the
+	// "/testDir/some" directory.
+	linkDir, err := ioutil.TempDir("", "test-cp-to-symlink-to-dir-")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(linkDir)
+
+	// Then symlink "/linkDir/dir_link" to "/testdir/some".
+	linkTarget := filepath.Join(testDir, cpTestPathParent)
+	localLink := filepath.Join(linkDir, "dir_link")
+	c.Assert(os.Symlink(linkTarget, localLink), checker.IsNil)
+
+	// Now copy that symlink into the test volume in the container.
+	dockerCmd(c, "cp", localLink, containerID+":/testVol")
+
+	// This copy command should have copied the symlink *not* the target.
+	expectedPath := filepath.Join(testVol, "dir_link")
+	actualLinkTarget, err := os.Readlink(expectedPath)
+	c.Assert(err, checker.IsNil, check.Commentf("unable to read symlink at %q", expectedPath))
+
+	c.Assert(actualLinkTarget, checker.Equals, linkTarget)
+
+	// Good, now remove that copied link for the next test.
+	os.Remove(expectedPath)
+
+	// This copy command should resolve the symlink (note the trailing
+	// separator), copying the target into the test volume directory in the
+	// container.
+	dockerCmd(c, "cp", localLink+"/", containerID+":/testVol")
+
+	// It *should not* have copied the directory using the target's name, but
+	// used the given name instead.
+	unexpectedPath := filepath.Join(testVol, cpTestPathParent)
+	stat, err := os.Lstat(unexpectedPath)
+	if err == nil {
+		out = fmt.Sprintf("target name was copied: %q - %q", stat.Mode(), stat.Name())
+	}
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+
+	// It *should* have copied the directory using the asked name "dir_link".
+	stat, err = os.Lstat(expectedPath)
+	c.Assert(err, checker.IsNil, check.Commentf("unable to stat resource at %q", expectedPath))
+
+	c.Assert(stat.IsDir(), checker.True, check.Commentf("should have copied a directory but got %q instead", stat.Mode()))
+
+	// And this directory should contain the file copied from the host at the
+	// expected location: "/testVol/dir_link/path/test"
+	expectedFilepath := filepath.Join(testVol, "dir_link/path/test")
+	fileContents, err := ioutil.ReadFile(expectedFilepath)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(string(fileContents), checker.Equals, cpHostContents)
+}
+
+// Test for #5619
+// Check that symlinks which are part of the resource path are still relative to the container's rootfs
+func (s *DockerSuite) TestCpSymlinkComponent(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir -p '"+cpTestPath+"' && echo -n '"+cpContainerContents+"' > "+cpFullPath+" && ln -s "+cpTestPath+" container_path")
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	c.Assert(os.MkdirAll(cpTestPath, os.ModeDir), checker.IsNil)
+
+	hostFile, err := os.Create(cpFullPath)
+	c.Assert(err, checker.IsNil)
+	defer hostFile.Close()
+	defer os.RemoveAll(cpTestPathParent)
+
+	fmt.Fprintf(hostFile, "%s", cpHostContents)
+
+	tmpdir, err := ioutil.TempDir("", "docker-integration")
+
+	c.Assert(err, checker.IsNil)
+
+	tmpname := filepath.Join(tmpdir, cpTestName)
+	defer os.RemoveAll(tmpdir)
+
+	path := path.Join("/", "container_path", cpTestName)
+
+	dockerCmd(c, "cp", containerID+":"+path, tmpdir)
+
+	file, _ := os.Open(tmpname)
+	defer file.Close()
+
+	test, err := ioutil.ReadAll(file)
+	c.Assert(err, checker.IsNil)
+
+	// output matched host file -- symlink path component can escape container rootfs
+	c.Assert(string(test), checker.Not(checker.Equals), cpHostContents)
+
+	// output doesn't match the input for symlink path component
+	c.Assert(string(test), checker.Equals, cpContainerContents)
+}
+
+// Check that cp with unprivileged user doesn't return any error
+func (s *DockerSuite) TestCpUnprivilegedUser(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	testRequires(c, UnixCli) // uses chmod/su: not available on windows
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "touch "+cpTestName)
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	tmpdir, err := ioutil.TempDir("", "docker-integration")
+	c.Assert(err, checker.IsNil)
+
+	defer os.RemoveAll(tmpdir)
+
+	c.Assert(os.Chmod(tmpdir, 0777), checker.IsNil)
+
+	result := icmd.RunCommand("su", "unprivilegeduser", "-c",
+		fmt.Sprintf("%s cp %s:%s %s", dockerBinary, containerID, cpTestName, tmpdir))
+	result.Assert(c, icmd.Expected{})
+}
+
+func (s *DockerSuite) TestCpSpecialFiles(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, SameHostDaemon)
+
+	outDir, err := ioutil.TempDir("", "cp-test-special-files")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(outDir)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "touch /foo")
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	// Copy actual /etc/resolv.conf
+	dockerCmd(c, "cp", containerID+":/etc/resolv.conf", outDir)
+
+	expected := readContainerFile(c, containerID, "resolv.conf")
+	actual, err := ioutil.ReadFile(outDir + "/resolv.conf")
+
+	// Expected copied file to be duplicate of the container resolvconf
+	c.Assert(bytes.Equal(actual, expected), checker.True)
+
+	// Copy actual /etc/hosts
+	dockerCmd(c, "cp", containerID+":/etc/hosts", outDir)
+
+	expected = readContainerFile(c, containerID, "hosts")
+	actual, err = ioutil.ReadFile(outDir + "/hosts")
+
+	// Expected copied file to be duplicate of the container hosts
+	c.Assert(bytes.Equal(actual, expected), checker.True)
+
+	// Copy actual /etc/resolv.conf
+	dockerCmd(c, "cp", containerID+":/etc/hostname", outDir)
+
+	expected = readContainerFile(c, containerID, "hostname")
+	actual, err = ioutil.ReadFile(outDir + "/hostname")
+	c.Assert(err, checker.IsNil)
+
+	// Expected copied file to be duplicate of the container resolvconf
+	c.Assert(bytes.Equal(actual, expected), checker.True)
+}
+
+func (s *DockerSuite) TestCpVolumePath(c *check.C) {
+	//  stat /tmp/cp-test-volumepath851508420/test gets permission denied for the user
+	testRequires(c, NotUserNamespace)
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, SameHostDaemon)
+
+	tmpDir, err := ioutil.TempDir("", "cp-test-volumepath")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(tmpDir)
+	outDir, err := ioutil.TempDir("", "cp-test-volumepath-out")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(outDir)
+	_, err = os.Create(tmpDir + "/test")
+	c.Assert(err, checker.IsNil)
+
+	out, _ := dockerCmd(c, "run", "-d", "-v", "/foo", "-v", tmpDir+"/test:/test", "-v", tmpDir+":/baz", "busybox", "/bin/sh", "-c", "touch /foo/bar")
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	// Copy actual volume path
+	dockerCmd(c, "cp", containerID+":/foo", outDir)
+
+	stat, err := os.Stat(outDir + "/foo")
+	c.Assert(err, checker.IsNil)
+	// expected copied content to be dir
+	c.Assert(stat.IsDir(), checker.True)
+	stat, err = os.Stat(outDir + "/foo/bar")
+	c.Assert(err, checker.IsNil)
+	// Expected file `bar` to be a file
+	c.Assert(stat.IsDir(), checker.False)
+
+	// Copy file nested in volume
+	dockerCmd(c, "cp", containerID+":/foo/bar", outDir)
+
+	stat, err = os.Stat(outDir + "/bar")
+	c.Assert(err, checker.IsNil)
+	// Expected file `bar` to be a file
+	c.Assert(stat.IsDir(), checker.False)
+
+	// Copy Bind-mounted dir
+	dockerCmd(c, "cp", containerID+":/baz", outDir)
+	stat, err = os.Stat(outDir + "/baz")
+	c.Assert(err, checker.IsNil)
+	// Expected `baz` to be a dir
+	c.Assert(stat.IsDir(), checker.True)
+
+	// Copy file nested in bind-mounted dir
+	dockerCmd(c, "cp", containerID+":/baz/test", outDir)
+	fb, err := ioutil.ReadFile(outDir + "/baz/test")
+	c.Assert(err, checker.IsNil)
+	fb2, err := ioutil.ReadFile(tmpDir + "/test")
+	c.Assert(err, checker.IsNil)
+	// Expected copied file to be duplicate of bind-mounted file
+	c.Assert(bytes.Equal(fb, fb2), checker.True)
+
+	// Copy bind-mounted file
+	dockerCmd(c, "cp", containerID+":/test", outDir)
+	fb, err = ioutil.ReadFile(outDir + "/test")
+	c.Assert(err, checker.IsNil)
+	fb2, err = ioutil.ReadFile(tmpDir + "/test")
+	c.Assert(err, checker.IsNil)
+	// Expected copied file to be duplicate of bind-mounted file
+	c.Assert(bytes.Equal(fb, fb2), checker.True)
+}
+
+func (s *DockerSuite) TestCpToDot(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "echo lololol > /test")
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	tmpdir, err := ioutil.TempDir("", "docker-integration")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(tmpdir)
+	cwd, err := os.Getwd()
+	c.Assert(err, checker.IsNil)
+	defer os.Chdir(cwd)
+	c.Assert(os.Chdir(tmpdir), checker.IsNil)
+	dockerCmd(c, "cp", containerID+":/test", ".")
+	content, err := ioutil.ReadFile("./test")
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Equals, "lololol\n")
+}
+
+func (s *DockerSuite) TestCpToStdout(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "echo lololol > /test")
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	out, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "cp", containerID+":/test", "-"),
+		exec.Command("tar", "-vtf", "-"))
+
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(out, checker.Contains, "test")
+	c.Assert(out, checker.Contains, "-rw")
+}
+
+func (s *DockerSuite) TestCpNameHasColon(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "echo lololol > /te:s:t")
+
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	tmpdir, err := ioutil.TempDir("", "docker-integration")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(tmpdir)
+	dockerCmd(c, "cp", containerID+":/te:s:t", tmpdir)
+	content, err := ioutil.ReadFile(tmpdir + "/te:s:t")
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Equals, "lololol\n")
+}
+
+func (s *DockerSuite) TestCopyAndRestart(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	expectedMsg := "hello"
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "echo", expectedMsg)
+	containerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	// failed to set up container
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	tmpDir, err := ioutil.TempDir("", "test-docker-restart-after-copy-")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	dockerCmd(c, "cp", fmt.Sprintf("%s:/etc/group", containerID), tmpDir)
+
+	out, _ = dockerCmd(c, "start", "-a", containerID)
+
+	c.Assert(strings.TrimSpace(out), checker.Equals, expectedMsg)
+}
+
+func (s *DockerSuite) TestCopyCreatedContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "create", "--name", "test_cp", "-v", "/test", "busybox")
+
+	tmpDir, err := ioutil.TempDir("", "test")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(tmpDir)
+	dockerCmd(c, "cp", "test_cp:/bin/sh", tmpDir)
+}
+
+// test copy with option `-L`: following symbol link
+// Check that symlinks to a file behave as expected when copying one from
+// a container to host following symbol link
+func (s *DockerSuite) TestCpSymlinkFromConToHostFollowSymlink(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, exitCode := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir -p '"+cpTestPath+"' && echo -n '"+cpContainerContents+"' > "+cpFullPath+" && ln -s "+cpFullPath+" /dir_link")
+	if exitCode != 0 {
+		c.Fatal("failed to create a container", out)
+	}
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", cleanedContainerID)
+	if strings.TrimSpace(out) != "0" {
+		c.Fatal("failed to set up container", out)
+	}
+
+	testDir, err := ioutil.TempDir("", "test-cp-symlink-container-to-host-follow-symlink")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(testDir)
+
+	// This copy command should copy the symlink, not the target, into the
+	// temporary directory.
+	dockerCmd(c, "cp", "-L", cleanedContainerID+":"+"/dir_link", testDir)
+
+	expectedPath := filepath.Join(testDir, "dir_link")
+
+	expected := []byte(cpContainerContents)
+	actual, err := ioutil.ReadFile(expectedPath)
+
+	if !bytes.Equal(actual, expected) {
+		c.Fatalf("Expected copied file to be duplicate of the container symbol link target")
+	}
+	os.Remove(expectedPath)
+
+	// now test copy symbol link to a non-existing file in host
+	expectedPath = filepath.Join(testDir, "somefile_host")
+	// expectedPath shouldn't exist, if exists, remove it
+	if _, err := os.Lstat(expectedPath); err == nil {
+		os.Remove(expectedPath)
+	}
+
+	dockerCmd(c, "cp", "-L", cleanedContainerID+":"+"/dir_link", expectedPath)
+
+	actual, err = ioutil.ReadFile(expectedPath)
+	c.Assert(err, checker.IsNil)
+
+	if !bytes.Equal(actual, expected) {
+		c.Fatalf("Expected copied file to be duplicate of the container symbol link target")
+	}
+	defer os.Remove(expectedPath)
+}
diff --git a/engine/integration-cli/docker_cli_cp_to_container_test.go b/engine/integration-cli/docker_cli_cp_to_container_test.go
new file mode 100644
index 00000000..77567a3b
--- /dev/null
+++ b/engine/integration-cli/docker_cli_cp_to_container_test.go
@@ -0,0 +1,495 @@
+package main
+
+import (
+	"os"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+// Try all of the test cases from the archive package which implements the
+// internals of `docker cp` and ensure that the behavior matches when actually
+// copying to and from containers.
+
+// Basic assumptions about SRC and DST:
+// 1. SRC must exist.
+// 2. If SRC ends with a trailing separator, it must be a directory.
+// 3. DST parent directory must exist.
+// 4. If DST exists as a file, it must not end with a trailing separator.
+
+// Check that copying from a local path to a symlink in a container copies to
+// the symlink target and does not overwrite the container symlink itself.
+func (s *DockerSuite) TestCpToSymlinkDestination(c *check.C) {
+	//  stat /tmp/test-cp-to-symlink-destination-262430901/vol3 gets permission denied for the user
+	testRequires(c, NotUserNamespace)
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, SameHostDaemon) // Requires local volume mount bind.
+
+	testVol := getTestDir(c, "test-cp-to-symlink-destination-")
+	defer os.RemoveAll(testVol)
+
+	makeTestContentInDir(c, testVol)
+
+	containerID := makeTestContainer(c, testContainerOptions{
+		volumes: defaultVolumes(testVol), // Our bind mount is at /vol2
+	})
+
+	// First, copy a local file to a symlink to a file in the container. This
+	// should overwrite the symlink target contents with the source contents.
+	srcPath := cpPath(testVol, "file2")
+	dstPath := containerCpPath(containerID, "/vol2/symlinkToFile1")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// The symlink should not have been modified.
+	c.Assert(symlinkTargetEquals(c, cpPath(testVol, "symlinkToFile1"), "file1"), checker.IsNil)
+
+	// The file should have the contents of "file2" now.
+	c.Assert(fileContentEquals(c, cpPath(testVol, "file1"), "file2\n"), checker.IsNil)
+
+	// Next, copy a local file to a symlink to a directory in the container.
+	// This should copy the file into the symlink target directory.
+	dstPath = containerCpPath(containerID, "/vol2/symlinkToDir1")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// The symlink should not have been modified.
+	c.Assert(symlinkTargetEquals(c, cpPath(testVol, "symlinkToDir1"), "dir1"), checker.IsNil)
+
+	// The file should have the contents of "file2" now.
+	c.Assert(fileContentEquals(c, cpPath(testVol, "file2"), "file2\n"), checker.IsNil)
+
+	// Next, copy a file to a symlink to a file that does not exist (a broken
+	// symlink) in the container. This should create the target file with the
+	// contents of the source file.
+	dstPath = containerCpPath(containerID, "/vol2/brokenSymlinkToFileX")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// The symlink should not have been modified.
+	c.Assert(symlinkTargetEquals(c, cpPath(testVol, "brokenSymlinkToFileX"), "fileX"), checker.IsNil)
+
+	// The file should have the contents of "file2" now.
+	c.Assert(fileContentEquals(c, cpPath(testVol, "fileX"), "file2\n"), checker.IsNil)
+
+	// Next, copy a local directory to a symlink to a directory in the
+	// container. This should copy the directory into the symlink target
+	// directory and not modify the symlink.
+	srcPath = cpPath(testVol, "/dir2")
+	dstPath = containerCpPath(containerID, "/vol2/symlinkToDir1")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// The symlink should not have been modified.
+	c.Assert(symlinkTargetEquals(c, cpPath(testVol, "symlinkToDir1"), "dir1"), checker.IsNil)
+
+	// The directory should now contain a copy of "dir2".
+	c.Assert(fileContentEquals(c, cpPath(testVol, "dir1/dir2/file2-1"), "file2-1\n"), checker.IsNil)
+
+	// Next, copy a local directory to a symlink to a local directory that does
+	// not exist (a broken symlink) in the container. This should create the
+	// target as a directory with the contents of the source directory. It
+	// should not modify the symlink.
+	dstPath = containerCpPath(containerID, "/vol2/brokenSymlinkToDirX")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// The symlink should not have been modified.
+	c.Assert(symlinkTargetEquals(c, cpPath(testVol, "brokenSymlinkToDirX"), "dirX"), checker.IsNil)
+
+	// The "dirX" directory should now be a copy of "dir2".
+	c.Assert(fileContentEquals(c, cpPath(testVol, "dirX/file2-1"), "file2-1\n"), checker.IsNil)
+}
+
+// Possibilities are reduced to the remaining 10 cases:
+//
+//  case | srcIsDir | onlyDirContents | dstExists | dstIsDir | dstTrSep | action
+// ===================================================================================================
+//   A   |  no      |  -              |  no       |  -       |  no      |  create file
+//   B   |  no      |  -              |  no       |  -       |  yes     |  error
+//   C   |  no      |  -              |  yes      |  no      |  -       |  overwrite file
+//   D   |  no      |  -              |  yes      |  yes     |  -       |  create file in dst dir
+//   E   |  yes     |  no             |  no       |  -       |  -       |  create dir, copy contents
+//   F   |  yes     |  no             |  yes      |  no      |  -       |  error
+//   G   |  yes     |  no             |  yes      |  yes     |  -       |  copy dir and contents
+//   H   |  yes     |  yes            |  no       |  -       |  -       |  create dir, copy contents
+//   I   |  yes     |  yes            |  yes      |  no      |  -       |  error
+//   J   |  yes     |  yes            |  yes      |  yes     |  -       |  copy dir contents
+//
+
+// A. SRC specifies a file and DST (no trailing path separator) doesn't
+//    exist. This should create a file with the name DST and copy the
+//    contents of the source file into it.
+func (s *DockerSuite) TestCpToCaseA(c *check.C) {
+	containerID := makeTestContainer(c, testContainerOptions{
+		workDir: "/root", command: makeCatFileCommand("itWorks.txt"),
+	})
+
+	tmpDir := getTestDir(c, "test-cp-to-case-a")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcPath := cpPath(tmpDir, "file1")
+	dstPath := containerCpPath(containerID, "/root/itWorks.txt")
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	c.Assert(containerStartOutputEquals(c, containerID, "file1\n"), checker.IsNil)
+}
+
+// B. SRC specifies a file and DST (with trailing path separator) doesn't
+//    exist. This should cause an error because the copy operation cannot
+//    create a directory when copying a single file.
+func (s *DockerSuite) TestCpToCaseB(c *check.C) {
+	containerID := makeTestContainer(c, testContainerOptions{
+		command: makeCatFileCommand("testDir/file1"),
+	})
+
+	tmpDir := getTestDir(c, "test-cp-to-case-b")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcPath := cpPath(tmpDir, "file1")
+	dstDir := containerCpPathTrailingSep(containerID, "testDir")
+
+	err := runDockerCp(c, srcPath, dstDir, nil)
+	c.Assert(err, checker.NotNil)
+
+	c.Assert(isCpDirNotExist(err), checker.True, check.Commentf("expected DirNotExists error, but got %T: %s", err, err))
+}
+
+// C. SRC specifies a file and DST exists as a file. This should overwrite
+//    the file at DST with the contents of the source file.
+func (s *DockerSuite) TestCpToCaseC(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+		command: makeCatFileCommand("file2"),
+	})
+
+	tmpDir := getTestDir(c, "test-cp-to-case-c")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcPath := cpPath(tmpDir, "file1")
+	dstPath := containerCpPath(containerID, "/root/file2")
+
+	// Ensure the container's file starts with the original content.
+	c.Assert(containerStartOutputEquals(c, containerID, "file2\n"), checker.IsNil)
+
+	c.Assert(runDockerCp(c, srcPath, dstPath, nil), checker.IsNil)
+
+	// Should now contain file1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1\n"), checker.IsNil)
+}
+
+// D. SRC specifies a file and DST exists as a directory. This should place
+//    a copy of the source file inside it using the basename from SRC. Ensure
+//    this works whether DST has a trailing path separator or not.
+func (s *DockerSuite) TestCpToCaseD(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true,
+		command:    makeCatFileCommand("/dir1/file1"),
+	})
+
+	tmpDir := getTestDir(c, "test-cp-to-case-d")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcPath := cpPath(tmpDir, "file1")
+	dstDir := containerCpPath(containerID, "dir1")
+
+	// Ensure that dstPath doesn't exist.
+	c.Assert(containerStartOutputEquals(c, containerID, ""), checker.IsNil)
+
+	c.Assert(runDockerCp(c, srcPath, dstDir, nil), checker.IsNil)
+
+	// Should now contain file1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1\n"), checker.IsNil)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	// Make new destination container.
+	containerID = makeTestContainer(c, testContainerOptions{
+		addContent: true,
+		command:    makeCatFileCommand("/dir1/file1"),
+	})
+
+	dstDir = containerCpPathTrailingSep(containerID, "dir1")
+
+	// Ensure that dstPath doesn't exist.
+	c.Assert(containerStartOutputEquals(c, containerID, ""), checker.IsNil)
+
+	c.Assert(runDockerCp(c, srcPath, dstDir, nil), checker.IsNil)
+
+	// Should now contain file1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1\n"), checker.IsNil)
+}
+
+// E. SRC specifies a directory and DST does not exist. This should create a
+//    directory at DST and copy the contents of the SRC directory into the DST
+//    directory. Ensure this works whether DST has a trailing path separator or
+//    not.
+func (s *DockerSuite) TestCpToCaseE(c *check.C) {
+	containerID := makeTestContainer(c, testContainerOptions{
+		command: makeCatFileCommand("/testDir/file1-1"),
+	})
+
+	tmpDir := getTestDir(c, "test-cp-to-case-e")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcDir := cpPath(tmpDir, "dir1")
+	dstDir := containerCpPath(containerID, "testDir")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	// Should now contain file1-1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1-1\n"), checker.IsNil)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	// Make new destination container.
+	containerID = makeTestContainer(c, testContainerOptions{
+		command: makeCatFileCommand("/testDir/file1-1"),
+	})
+
+	dstDir = containerCpPathTrailingSep(containerID, "testDir")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	// Should now contain file1-1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1-1\n"), checker.IsNil)
+}
+
+// F. SRC specifies a directory and DST exists as a file. This should cause an
+//    error as it is not possible to overwrite a file with a directory.
+func (s *DockerSuite) TestCpToCaseF(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+	})
+
+	tmpDir := getTestDir(c, "test-cp-to-case-f")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcDir := cpPath(tmpDir, "dir1")
+	dstFile := containerCpPath(containerID, "/root/file1")
+
+	err := runDockerCp(c, srcDir, dstFile, nil)
+	c.Assert(err, checker.NotNil)
+
+	c.Assert(isCpCannotCopyDir(err), checker.True, check.Commentf("expected ErrCannotCopyDir error, but got %T: %s", err, err))
+}
+
+// G. SRC specifies a directory and DST exists as a directory. This should copy
+//    the SRC directory and all its contents to the DST directory. Ensure this
+//    works whether DST has a trailing path separator or not.
+func (s *DockerSuite) TestCpToCaseG(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+		command: makeCatFileCommand("dir2/dir1/file1-1"),
+	})
+
+	tmpDir := getTestDir(c, "test-cp-to-case-g")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcDir := cpPath(tmpDir, "dir1")
+	dstDir := containerCpPath(containerID, "/root/dir2")
+
+	// Ensure that dstPath doesn't exist.
+	c.Assert(containerStartOutputEquals(c, containerID, ""), checker.IsNil)
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	// Should now contain file1-1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1-1\n"), checker.IsNil)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	// Make new destination container.
+	containerID = makeTestContainer(c, testContainerOptions{
+		addContent: true,
+		command:    makeCatFileCommand("/dir2/dir1/file1-1"),
+	})
+
+	dstDir = containerCpPathTrailingSep(containerID, "/dir2")
+
+	// Ensure that dstPath doesn't exist.
+	c.Assert(containerStartOutputEquals(c, containerID, ""), checker.IsNil)
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	// Should now contain file1-1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1-1\n"), checker.IsNil)
+}
+
+// H. SRC specifies a directory's contents only and DST does not exist. This
+//    should create a directory at DST and copy the contents of the SRC
+//    directory (but not the directory itself) into the DST directory. Ensure
+//    this works whether DST has a trailing path separator or not.
+func (s *DockerSuite) TestCpToCaseH(c *check.C) {
+	containerID := makeTestContainer(c, testContainerOptions{
+		command: makeCatFileCommand("/testDir/file1-1"),
+	})
+
+	tmpDir := getTestDir(c, "test-cp-to-case-h")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcDir := cpPathTrailingSep(tmpDir, "dir1") + "."
+	dstDir := containerCpPath(containerID, "testDir")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	// Should now contain file1-1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1-1\n"), checker.IsNil)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	// Make new destination container.
+	containerID = makeTestContainer(c, testContainerOptions{
+		command: makeCatFileCommand("/testDir/file1-1"),
+	})
+
+	dstDir = containerCpPathTrailingSep(containerID, "testDir")
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	// Should now contain file1-1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1-1\n"), checker.IsNil)
+}
+
+// I. SRC specifies a directory's contents only and DST exists as a file. This
+//    should cause an error as it is not possible to overwrite a file with a
+//    directory.
+func (s *DockerSuite) TestCpToCaseI(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+	})
+
+	tmpDir := getTestDir(c, "test-cp-to-case-i")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcDir := cpPathTrailingSep(tmpDir, "dir1") + "."
+	dstFile := containerCpPath(containerID, "/root/file1")
+
+	err := runDockerCp(c, srcDir, dstFile, nil)
+	c.Assert(err, checker.NotNil)
+
+	c.Assert(isCpCannotCopyDir(err), checker.True, check.Commentf("expected ErrCannotCopyDir error, but got %T: %s", err, err))
+}
+
+// J. SRC specifies a directory's contents only and DST exists as a directory.
+//    This should copy the contents of the SRC directory (but not the directory
+//    itself) into the DST directory. Ensure this works whether DST has a
+//    trailing path separator or not.
+func (s *DockerSuite) TestCpToCaseJ(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := makeTestContainer(c, testContainerOptions{
+		addContent: true, workDir: "/root",
+		command: makeCatFileCommand("/dir2/file1-1"),
+	})
+
+	tmpDir := getTestDir(c, "test-cp-to-case-j")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcDir := cpPathTrailingSep(tmpDir, "dir1") + "."
+	dstDir := containerCpPath(containerID, "/dir2")
+
+	// Ensure that dstPath doesn't exist.
+	c.Assert(containerStartOutputEquals(c, containerID, ""), checker.IsNil)
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	// Should now contain file1-1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1-1\n"), checker.IsNil)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	// Make new destination container.
+	containerID = makeTestContainer(c, testContainerOptions{
+		command: makeCatFileCommand("/dir2/file1-1"),
+	})
+
+	dstDir = containerCpPathTrailingSep(containerID, "/dir2")
+
+	// Ensure that dstPath doesn't exist.
+	c.Assert(containerStartOutputEquals(c, containerID, ""), checker.IsNil)
+
+	c.Assert(runDockerCp(c, srcDir, dstDir, nil), checker.IsNil)
+
+	// Should now contain file1-1's contents.
+	c.Assert(containerStartOutputEquals(c, containerID, "file1-1\n"), checker.IsNil)
+}
+
+// The `docker cp` command should also ensure that you cannot
+// write to a container rootfs that is marked as read-only.
+func (s *DockerSuite) TestCpToErrReadOnlyRootfs(c *check.C) {
+	// --read-only + userns has remount issues
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	tmpDir := getTestDir(c, "test-cp-to-err-read-only-rootfs")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	containerID := makeTestContainer(c, testContainerOptions{
+		readOnly: true, workDir: "/root",
+		command: makeCatFileCommand("shouldNotExist"),
+	})
+
+	srcPath := cpPath(tmpDir, "file1")
+	dstPath := containerCpPath(containerID, "/root/shouldNotExist")
+
+	err := runDockerCp(c, srcPath, dstPath, nil)
+	c.Assert(err, checker.NotNil)
+
+	c.Assert(isCpCannotCopyReadOnly(err), checker.True, check.Commentf("expected ErrContainerRootfsReadonly error, but got %T: %s", err, err))
+
+	// Ensure that dstPath doesn't exist.
+	c.Assert(containerStartOutputEquals(c, containerID, ""), checker.IsNil)
+}
+
+// The `docker cp` command should also ensure that you
+// cannot write to a volume that is mounted as read-only.
+func (s *DockerSuite) TestCpToErrReadOnlyVolume(c *check.C) {
+	// --read-only + userns has remount issues
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	tmpDir := getTestDir(c, "test-cp-to-err-read-only-volume")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	containerID := makeTestContainer(c, testContainerOptions{
+		volumes: defaultVolumes(tmpDir), workDir: "/root",
+		command: makeCatFileCommand("/vol_ro/shouldNotExist"),
+	})
+
+	srcPath := cpPath(tmpDir, "file1")
+	dstPath := containerCpPath(containerID, "/vol_ro/shouldNotExist")
+
+	err := runDockerCp(c, srcPath, dstPath, nil)
+	c.Assert(err, checker.NotNil)
+
+	c.Assert(isCpCannotCopyReadOnly(err), checker.True, check.Commentf("expected ErrVolumeReadonly error, but got %T: %s", err, err))
+
+	// Ensure that dstPath doesn't exist.
+	c.Assert(containerStartOutputEquals(c, containerID, ""), checker.IsNil)
+}
diff --git a/engine/integration-cli/docker_cli_cp_to_container_unix_test.go b/engine/integration-cli/docker_cli_cp_to_container_unix_test.go
new file mode 100644
index 00000000..8f830dcf
--- /dev/null
+++ b/engine/integration-cli/docker_cli_cp_to_container_unix_test.go
@@ -0,0 +1,81 @@
+// +build !windows
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/pkg/system"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestCpToContainerWithPermissions(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	tmpDir := getTestDir(c, "test-cp-to-host-with-permissions")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	containerName := "permtest"
+
+	_, exc := dockerCmd(c, "create", "--name", containerName, "debian:jessie", "/bin/bash", "-c", "stat -c '%u %g %a' /permdirtest /permdirtest/permtest")
+	c.Assert(exc, checker.Equals, 0)
+	defer dockerCmd(c, "rm", "-f", containerName)
+
+	srcPath := cpPath(tmpDir, "permdirtest")
+	dstPath := containerCpPath(containerName, "/")
+	c.Assert(runDockerCp(c, srcPath, dstPath, []string{"-a"}), checker.IsNil)
+
+	out, err := startContainerGetOutput(c, containerName)
+	c.Assert(err, checker.IsNil, check.Commentf("output: %v", out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "2 2 700\n65534 65534 400", check.Commentf("output: %v", out))
+}
+
+// Check ownership is root, both in non-userns and userns enabled modes
+func (s *DockerSuite) TestCpCheckDestOwnership(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	tmpVolDir := getTestDir(c, "test-cp-tmpvol")
+	containerID := makeTestContainer(c,
+		testContainerOptions{volumes: []string{fmt.Sprintf("%s:/tmpvol", tmpVolDir)}})
+
+	tmpDir := getTestDir(c, "test-cp-to-check-ownership")
+	defer os.RemoveAll(tmpDir)
+
+	makeTestContentInDir(c, tmpDir)
+
+	srcPath := cpPath(tmpDir, "file1")
+	dstPath := containerCpPath(containerID, "/tmpvol", "file1")
+
+	err := runDockerCp(c, srcPath, dstPath, nil)
+	c.Assert(err, checker.IsNil)
+
+	stat, err := system.Stat(filepath.Join(tmpVolDir, "file1"))
+	c.Assert(err, checker.IsNil)
+	uid, gid, err := getRootUIDGID()
+	c.Assert(err, checker.IsNil)
+	c.Assert(stat.UID(), checker.Equals, uint32(uid), check.Commentf("Copied file not owned by container root UID"))
+	c.Assert(stat.GID(), checker.Equals, uint32(gid), check.Commentf("Copied file not owned by container root GID"))
+}
+
+func getRootUIDGID() (int, int, error) {
+	uidgid := strings.Split(filepath.Base(testEnv.DaemonInfo.DockerRootDir), ".")
+	if len(uidgid) == 1 {
+		//user namespace remapping is not turned on; return 0
+		return 0, 0, nil
+	}
+	uid, err := strconv.Atoi(uidgid[0])
+	if err != nil {
+		return 0, 0, err
+	}
+	gid, err := strconv.Atoi(uidgid[1])
+	if err != nil {
+		return 0, 0, err
+	}
+	return uid, gid, nil
+}
diff --git a/engine/integration-cli/docker_cli_cp_utils_test.go b/engine/integration-cli/docker_cli_cp_utils_test.go
new file mode 100644
index 00000000..79a016f0
--- /dev/null
+++ b/engine/integration-cli/docker_cli_cp_utils_test.go
@@ -0,0 +1,305 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/go-check/check"
+)
+
+type fileType uint32
+
+const (
+	ftRegular fileType = iota
+	ftDir
+	ftSymlink
+)
+
+type fileData struct {
+	filetype fileType
+	path     string
+	contents string
+	uid      int
+	gid      int
+	mode     int
+}
+
+func (fd fileData) creationCommand() string {
+	var command string
+
+	switch fd.filetype {
+	case ftRegular:
+		// Don't overwrite the file if it already exists!
+		command = fmt.Sprintf("if [ ! -f %s ]; then echo %q > %s; fi", fd.path, fd.contents, fd.path)
+	case ftDir:
+		command = fmt.Sprintf("mkdir -p %s", fd.path)
+	case ftSymlink:
+		command = fmt.Sprintf("ln -fs %s %s", fd.contents, fd.path)
+	}
+
+	return command
+}
+
+func mkFilesCommand(fds []fileData) string {
+	commands := make([]string, len(fds))
+
+	for i, fd := range fds {
+		commands[i] = fd.creationCommand()
+	}
+
+	return strings.Join(commands, " && ")
+}
+
+var defaultFileData = []fileData{
+	{ftRegular, "file1", "file1", 0, 0, 0666},
+	{ftRegular, "file2", "file2", 0, 0, 0666},
+	{ftRegular, "file3", "file3", 0, 0, 0666},
+	{ftRegular, "file4", "file4", 0, 0, 0666},
+	{ftRegular, "file5", "file5", 0, 0, 0666},
+	{ftRegular, "file6", "file6", 0, 0, 0666},
+	{ftRegular, "file7", "file7", 0, 0, 0666},
+	{ftDir, "dir1", "", 0, 0, 0777},
+	{ftRegular, "dir1/file1-1", "file1-1", 0, 0, 0666},
+	{ftRegular, "dir1/file1-2", "file1-2", 0, 0, 0666},
+	{ftDir, "dir2", "", 0, 0, 0666},
+	{ftRegular, "dir2/file2-1", "file2-1", 0, 0, 0666},
+	{ftRegular, "dir2/file2-2", "file2-2", 0, 0, 0666},
+	{ftDir, "dir3", "", 0, 0, 0666},
+	{ftRegular, "dir3/file3-1", "file3-1", 0, 0, 0666},
+	{ftRegular, "dir3/file3-2", "file3-2", 0, 0, 0666},
+	{ftDir, "dir4", "", 0, 0, 0666},
+	{ftRegular, "dir4/file3-1", "file4-1", 0, 0, 0666},
+	{ftRegular, "dir4/file3-2", "file4-2", 0, 0, 0666},
+	{ftDir, "dir5", "", 0, 0, 0666},
+	{ftSymlink, "symlinkToFile1", "file1", 0, 0, 0666},
+	{ftSymlink, "symlinkToDir1", "dir1", 0, 0, 0666},
+	{ftSymlink, "brokenSymlinkToFileX", "fileX", 0, 0, 0666},
+	{ftSymlink, "brokenSymlinkToDirX", "dirX", 0, 0, 0666},
+	{ftSymlink, "symlinkToAbsDir", "/root", 0, 0, 0666},
+	{ftDir, "permdirtest", "", 2, 2, 0700},
+	{ftRegular, "permdirtest/permtest", "perm_test", 65534, 65534, 0400},
+}
+
+func defaultMkContentCommand() string {
+	return mkFilesCommand(defaultFileData)
+}
+
+func makeTestContentInDir(c *check.C, dir string) {
+	for _, fd := range defaultFileData {
+		path := filepath.Join(dir, filepath.FromSlash(fd.path))
+		switch fd.filetype {
+		case ftRegular:
+			c.Assert(ioutil.WriteFile(path, []byte(fd.contents+"\n"), os.FileMode(fd.mode)), checker.IsNil)
+		case ftDir:
+			c.Assert(os.Mkdir(path, os.FileMode(fd.mode)), checker.IsNil)
+		case ftSymlink:
+			c.Assert(os.Symlink(fd.contents, path), checker.IsNil)
+		}
+
+		if fd.filetype != ftSymlink && runtime.GOOS != "windows" {
+			c.Assert(os.Chown(path, fd.uid, fd.gid), checker.IsNil)
+		}
+	}
+}
+
+type testContainerOptions struct {
+	addContent bool
+	readOnly   bool
+	volumes    []string
+	workDir    string
+	command    string
+}
+
+func makeTestContainer(c *check.C, options testContainerOptions) (containerID string) {
+	if options.addContent {
+		mkContentCmd := defaultMkContentCommand()
+		if options.command == "" {
+			options.command = mkContentCmd
+		} else {
+			options.command = fmt.Sprintf("%s && %s", defaultMkContentCommand(), options.command)
+		}
+	}
+
+	if options.command == "" {
+		options.command = "#(nop)"
+	}
+
+	args := []string{"run", "-d"}
+
+	for _, volume := range options.volumes {
+		args = append(args, "-v", volume)
+	}
+
+	if options.workDir != "" {
+		args = append(args, "-w", options.workDir)
+	}
+
+	if options.readOnly {
+		args = append(args, "--read-only")
+	}
+
+	args = append(args, "busybox", "/bin/sh", "-c", options.command)
+
+	out, _ := dockerCmd(c, args...)
+
+	containerID = strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "wait", containerID)
+
+	exitCode := strings.TrimSpace(out)
+	if exitCode != "0" {
+		out, _ = dockerCmd(c, "logs", containerID)
+	}
+	c.Assert(exitCode, checker.Equals, "0", check.Commentf("failed to make test container: %s", out))
+
+	return
+}
+
+func makeCatFileCommand(path string) string {
+	return fmt.Sprintf("if [ -f %s ]; then cat %s; fi", path, path)
+}
+
+func cpPath(pathElements ...string) string {
+	localizedPathElements := make([]string, len(pathElements))
+	for i, path := range pathElements {
+		localizedPathElements[i] = filepath.FromSlash(path)
+	}
+	return strings.Join(localizedPathElements, string(filepath.Separator))
+}
+
+func cpPathTrailingSep(pathElements ...string) string {
+	return fmt.Sprintf("%s%c", cpPath(pathElements...), filepath.Separator)
+}
+
+func containerCpPath(containerID string, pathElements ...string) string {
+	joined := strings.Join(pathElements, "/")
+	return fmt.Sprintf("%s:%s", containerID, joined)
+}
+
+func containerCpPathTrailingSep(containerID string, pathElements ...string) string {
+	return fmt.Sprintf("%s/", containerCpPath(containerID, pathElements...))
+}
+
+func runDockerCp(c *check.C, src, dst string, params []string) (err error) {
+	c.Logf("running `docker cp %s %s %s`", strings.Join(params, " "), src, dst)
+
+	args := []string{"cp"}
+
+	args = append(args, params...)
+
+	args = append(args, src, dst)
+
+	out, _, err := runCommandWithOutput(exec.Command(dockerBinary, args...))
+	if err != nil {
+		err = fmt.Errorf("error executing `docker cp` command: %s: %s", err, out)
+	}
+
+	return
+}
+
+func startContainerGetOutput(c *check.C, containerID string) (out string, err error) {
+	c.Logf("running `docker start -a %s`", containerID)
+
+	args := []string{"start", "-a", containerID}
+
+	out, _, err = runCommandWithOutput(exec.Command(dockerBinary, args...))
+	if err != nil {
+		err = fmt.Errorf("error executing `docker start` command: %s: %s", err, out)
+	}
+
+	return
+}
+
+func getTestDir(c *check.C, label string) (tmpDir string) {
+	var err error
+
+	tmpDir, err = ioutil.TempDir("", label)
+	// unable to make temporary directory
+	c.Assert(err, checker.IsNil)
+
+	return
+}
+
+func isCpDirNotExist(err error) bool {
+	return strings.Contains(err.Error(), archive.ErrDirNotExists.Error())
+}
+
+func isCpCannotCopyDir(err error) bool {
+	return strings.Contains(err.Error(), archive.ErrCannotCopyDir.Error())
+}
+
+func isCpCannotCopyReadOnly(err error) bool {
+	return strings.Contains(err.Error(), "marked read-only")
+}
+
+func fileContentEquals(c *check.C, filename, contents string) (err error) {
+	c.Logf("checking that file %q contains %q\n", filename, contents)
+
+	fileBytes, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return
+	}
+
+	expectedBytes, err := ioutil.ReadAll(strings.NewReader(contents))
+	if err != nil {
+		return
+	}
+
+	if !bytes.Equal(fileBytes, expectedBytes) {
+		err = fmt.Errorf("file content not equal - expected %q, got %q", string(expectedBytes), string(fileBytes))
+	}
+
+	return
+}
+
+func symlinkTargetEquals(c *check.C, symlink, expectedTarget string) (err error) {
+	c.Logf("checking that the symlink %q points to %q\n", symlink, expectedTarget)
+
+	actualTarget, err := os.Readlink(symlink)
+	if err != nil {
+		return
+	}
+
+	if actualTarget != expectedTarget {
+		err = fmt.Errorf("symlink target points to %q not %q", actualTarget, expectedTarget)
+	}
+
+	return
+}
+
+func containerStartOutputEquals(c *check.C, containerID, contents string) (err error) {
+	c.Logf("checking that container %q start output contains %q\n", containerID, contents)
+
+	out, err := startContainerGetOutput(c, containerID)
+	if err != nil {
+		return
+	}
+
+	if out != contents {
+		err = fmt.Errorf("output contents not equal - expected %q, got %q", contents, out)
+	}
+
+	return
+}
+
+func defaultVolumes(tmpDir string) []string {
+	if SameHostDaemon() {
+		return []string{
+			"/vol1",
+			fmt.Sprintf("%s:/vol2", tmpDir),
+			fmt.Sprintf("%s:/vol3", filepath.Join(tmpDir, "vol3")),
+			fmt.Sprintf("%s:/vol_ro:ro", filepath.Join(tmpDir, "vol_ro")),
+		}
+	}
+
+	// Can't bind-mount volumes with separate host daemon.
+	return []string{"/vol1", "/vol2", "/vol3", "/vol_ro:/vol_ro:ro"}
+}
diff --git a/engine/integration-cli/docker_cli_create_test.go b/engine/integration-cli/docker_cli_create_test.go
new file mode 100644
index 00000000..9ec400b2
--- /dev/null
+++ b/engine/integration-cli/docker_cli_create_test.go
@@ -0,0 +1,374 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/go-connections/nat"
+	"github.com/go-check/check"
+)
+
+// Make sure we can create a simple container with some args
+func (s *DockerSuite) TestCreateArgs(c *check.C) {
+	// Intentionally clear entrypoint, as the Windows busybox image needs an entrypoint, which breaks this test
+	out, _ := dockerCmd(c, "create", "--entrypoint=", "busybox", "command", "arg1", "arg2", "arg with space", "-c", "flags")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "inspect", cleanedContainerID)
+
+	var containers []struct {
+		ID      string
+		Created time.Time
+		Path    string
+		Args    []string
+		Image   string
+	}
+
+	err := json.Unmarshal([]byte(out), &containers)
+	c.Assert(err, check.IsNil, check.Commentf("Error inspecting the container: %s", err))
+	c.Assert(containers, checker.HasLen, 1)
+
+	cont := containers[0]
+	c.Assert(string(cont.Path), checker.Equals, "command", check.Commentf("Unexpected container path. Expected command, received: %s", cont.Path))
+
+	b := false
+	expected := []string{"arg1", "arg2", "arg with space", "-c", "flags"}
+	for i, arg := range expected {
+		if arg != cont.Args[i] {
+			b = true
+			break
+		}
+	}
+	if len(cont.Args) != len(expected) || b {
+		c.Fatalf("Unexpected args. Expected %v, received: %v", expected, cont.Args)
+	}
+
+}
+
+// Make sure we can grow the container's rootfs at creation time.
+func (s *DockerSuite) TestCreateGrowRootfs(c *check.C) {
+	// Windows and Devicemapper support growing the rootfs
+	if testEnv.OSType != "windows" {
+		testRequires(c, Devicemapper)
+	}
+	out, _ := dockerCmd(c, "create", "--storage-opt", "size=120G", "busybox")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	inspectOut := inspectField(c, cleanedContainerID, "HostConfig.StorageOpt")
+	c.Assert(inspectOut, checker.Equals, "map[size:120G]")
+}
+
+// Make sure we cannot shrink the container's rootfs at creation time.
+func (s *DockerSuite) TestCreateShrinkRootfs(c *check.C) {
+	testRequires(c, Devicemapper)
+
+	// Ensure this fails because of the defaultBaseFsSize is 10G
+	out, _, err := dockerCmdWithError("create", "--storage-opt", "size=5G", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "Container size cannot be smaller than")
+}
+
+// Make sure we can set hostconfig options too
+func (s *DockerSuite) TestCreateHostConfig(c *check.C) {
+	out, _ := dockerCmd(c, "create", "-P", "busybox", "echo")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "inspect", cleanedContainerID)
+
+	var containers []struct {
+		HostConfig *struct {
+			PublishAllPorts bool
+		}
+	}
+
+	err := json.Unmarshal([]byte(out), &containers)
+	c.Assert(err, check.IsNil, check.Commentf("Error inspecting the container: %s", err))
+	c.Assert(containers, checker.HasLen, 1)
+
+	cont := containers[0]
+	c.Assert(cont.HostConfig, check.NotNil, check.Commentf("Expected HostConfig, got none"))
+	c.Assert(cont.HostConfig.PublishAllPorts, check.NotNil, check.Commentf("Expected PublishAllPorts, got false"))
+}
+
+func (s *DockerSuite) TestCreateWithPortRange(c *check.C) {
+	out, _ := dockerCmd(c, "create", "-p", "3300-3303:3300-3303/tcp", "busybox", "echo")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "inspect", cleanedContainerID)
+
+	var containers []struct {
+		HostConfig *struct {
+			PortBindings map[nat.Port][]nat.PortBinding
+		}
+	}
+	err := json.Unmarshal([]byte(out), &containers)
+	c.Assert(err, check.IsNil, check.Commentf("Error inspecting the container: %s", err))
+	c.Assert(containers, checker.HasLen, 1)
+
+	cont := containers[0]
+
+	c.Assert(cont.HostConfig, check.NotNil, check.Commentf("Expected HostConfig, got none"))
+	c.Assert(cont.HostConfig.PortBindings, checker.HasLen, 4, check.Commentf("Expected 4 ports bindings, got %d", len(cont.HostConfig.PortBindings)))
+
+	for k, v := range cont.HostConfig.PortBindings {
+		c.Assert(v, checker.HasLen, 1, check.Commentf("Expected 1 ports binding, for the port  %s but found %s", k, v))
+		c.Assert(k.Port(), checker.Equals, v[0].HostPort, check.Commentf("Expected host port %s to match published port %s", k.Port(), v[0].HostPort))
+
+	}
+
+}
+
+func (s *DockerSuite) TestCreateWithLargePortRange(c *check.C) {
+	out, _ := dockerCmd(c, "create", "-p", "1-65535:1-65535/tcp", "busybox", "echo")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "inspect", cleanedContainerID)
+
+	var containers []struct {
+		HostConfig *struct {
+			PortBindings map[nat.Port][]nat.PortBinding
+		}
+	}
+
+	err := json.Unmarshal([]byte(out), &containers)
+	c.Assert(err, check.IsNil, check.Commentf("Error inspecting the container: %s", err))
+	c.Assert(containers, checker.HasLen, 1)
+
+	cont := containers[0]
+	c.Assert(cont.HostConfig, check.NotNil, check.Commentf("Expected HostConfig, got none"))
+	c.Assert(cont.HostConfig.PortBindings, checker.HasLen, 65535)
+
+	for k, v := range cont.HostConfig.PortBindings {
+		c.Assert(v, checker.HasLen, 1)
+		c.Assert(k.Port(), checker.Equals, v[0].HostPort, check.Commentf("Expected host port %s to match published port %s", k.Port(), v[0].HostPort))
+	}
+
+}
+
+// "test123" should be printed by docker create + start
+func (s *DockerSuite) TestCreateEchoStdout(c *check.C) {
+	out, _ := dockerCmd(c, "create", "busybox", "echo", "test123")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "start", "-ai", cleanedContainerID)
+	c.Assert(out, checker.Equals, "test123\n", check.Commentf("container should've printed 'test123', got %q", out))
+
+}
+
+func (s *DockerSuite) TestCreateVolumesCreated(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+
+	name := "test_create_volume"
+	dockerCmd(c, "create", "--name", name, "-v", prefix+slash+"foo", "busybox")
+
+	dir, err := inspectMountSourceField(name, prefix+slash+"foo")
+	c.Assert(err, check.IsNil, check.Commentf("Error getting volume host path: %q", err))
+
+	if _, err := os.Stat(dir); err != nil && os.IsNotExist(err) {
+		c.Fatalf("Volume was not created")
+	}
+	if err != nil {
+		c.Fatalf("Error statting volume host path: %q", err)
+	}
+
+}
+
+func (s *DockerSuite) TestCreateLabels(c *check.C) {
+	name := "test_create_labels"
+	expected := map[string]string{"k1": "v1", "k2": "v2"}
+	dockerCmd(c, "create", "--name", name, "-l", "k1=v1", "--label", "k2=v2", "busybox")
+
+	actual := make(map[string]string)
+	inspectFieldAndUnmarshall(c, name, "Config.Labels", &actual)
+
+	if !reflect.DeepEqual(expected, actual) {
+		c.Fatalf("Expected %s got %s", expected, actual)
+	}
+}
+
+func (s *DockerSuite) TestCreateLabelFromImage(c *check.C) {
+	imageName := "testcreatebuildlabel"
+	buildImageSuccessfully(c, imageName, build.WithDockerfile(`FROM busybox
+		LABEL k1=v1 k2=v2`))
+
+	name := "test_create_labels_from_image"
+	expected := map[string]string{"k2": "x", "k3": "v3", "k1": "v1"}
+	dockerCmd(c, "create", "--name", name, "-l", "k2=x", "--label", "k3=v3", imageName)
+
+	actual := make(map[string]string)
+	inspectFieldAndUnmarshall(c, name, "Config.Labels", &actual)
+
+	if !reflect.DeepEqual(expected, actual) {
+		c.Fatalf("Expected %s got %s", expected, actual)
+	}
+}
+
+func (s *DockerSuite) TestCreateHostnameWithNumber(c *check.C) {
+	image := "busybox"
+	// Busybox on Windows does not implement hostname command
+	if testEnv.OSType == "windows" {
+		image = testEnv.PlatformDefaults.BaseImage
+	}
+	out, _ := dockerCmd(c, "run", "-h", "web.0", image, "hostname")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "web.0", check.Commentf("hostname not set, expected `web.0`, got: %s", out))
+
+}
+
+func (s *DockerSuite) TestCreateRM(c *check.C) {
+	// Test to make sure we can 'rm' a new container that is in
+	// "Created" state, and has ever been run. Test "rm -f" too.
+
+	// create a container
+	out, _ := dockerCmd(c, "create", "busybox")
+	cID := strings.TrimSpace(out)
+
+	dockerCmd(c, "rm", cID)
+
+	// Now do it again so we can "rm -f" this time
+	out, _ = dockerCmd(c, "create", "busybox")
+
+	cID = strings.TrimSpace(out)
+	dockerCmd(c, "rm", "-f", cID)
+}
+
+func (s *DockerSuite) TestCreateModeIpcContainer(c *check.C) {
+	// Uses Linux specific functionality (--ipc)
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+
+	out, _ := dockerCmd(c, "create", "busybox")
+	id := strings.TrimSpace(out)
+
+	dockerCmd(c, "create", fmt.Sprintf("--ipc=container:%s", id), "busybox")
+}
+
+func (s *DockerSuite) TestCreateByImageID(c *check.C) {
+	imageName := "testcreatebyimageid"
+	buildImageSuccessfully(c, imageName, build.WithDockerfile(`FROM busybox
+		MAINTAINER dockerio`))
+	imageID := getIDByName(c, imageName)
+	truncatedImageID := stringid.TruncateID(imageID)
+
+	dockerCmd(c, "create", imageID)
+	dockerCmd(c, "create", truncatedImageID)
+
+	// Ensure this fails
+	out, exit, _ := dockerCmdWithError("create", fmt.Sprintf("%s:%s", imageName, imageID))
+	if exit == 0 {
+		c.Fatalf("expected non-zero exit code; received %d", exit)
+	}
+
+	if expected := "invalid reference format"; !strings.Contains(out, expected) {
+		c.Fatalf(`Expected %q in output; got: %s`, expected, out)
+	}
+
+	if i := strings.IndexRune(imageID, ':'); i >= 0 {
+		imageID = imageID[i+1:]
+	}
+	out, exit, _ = dockerCmdWithError("create", fmt.Sprintf("%s:%s", "wrongimage", imageID))
+	if exit == 0 {
+		c.Fatalf("expected non-zero exit code; received %d", exit)
+	}
+
+	if expected := "Unable to find image"; !strings.Contains(out, expected) {
+		c.Fatalf(`Expected %q in output; got: %s`, expected, out)
+	}
+}
+
+func (s *DockerSuite) TestCreateStopSignal(c *check.C) {
+	name := "test_create_stop_signal"
+	dockerCmd(c, "create", "--name", name, "--stop-signal", "9", "busybox")
+
+	res := inspectFieldJSON(c, name, "Config.StopSignal")
+	c.Assert(res, checker.Contains, "9")
+
+}
+
+func (s *DockerSuite) TestCreateWithWorkdir(c *check.C) {
+	name := "foo"
+
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	dir := prefix + slash + "home" + slash + "foo" + slash + "bar"
+
+	dockerCmd(c, "create", "--name", name, "-w", dir, "busybox")
+	// Windows does not create the workdir until the container is started
+	if testEnv.OSType == "windows" {
+		dockerCmd(c, "start", name)
+	}
+	dockerCmd(c, "cp", fmt.Sprintf("%s:%s", name, dir), prefix+slash+"tmp")
+}
+
+func (s *DockerSuite) TestCreateWithInvalidLogOpts(c *check.C) {
+	name := "test-invalidate-log-opts"
+	out, _, err := dockerCmdWithError("create", "--name", name, "--log-opt", "invalid=true", "busybox")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "unknown log opt")
+
+	out, _ = dockerCmd(c, "ps", "-a")
+	c.Assert(out, checker.Not(checker.Contains), name)
+}
+
+// #20972
+func (s *DockerSuite) TestCreate64ByteHexID(c *check.C) {
+	out := inspectField(c, "busybox", "Id")
+	imageID := strings.TrimPrefix(strings.TrimSpace(string(out)), "sha256:")
+
+	dockerCmd(c, "create", imageID)
+}
+
+// Test case for #23498
+func (s *DockerSuite) TestCreateUnsetEntrypoint(c *check.C) {
+	name := "test-entrypoint"
+	dockerfile := `FROM busybox
+ADD entrypoint.sh /entrypoint.sh
+RUN chmod 755 /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
+CMD echo foobar`
+
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"entrypoint.sh": `#!/bin/sh
+echo "I am an entrypoint"
+exec "$@"`,
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+
+	out := cli.DockerCmd(c, "create", "--entrypoint=", name, "echo", "foo").Combined()
+	id := strings.TrimSpace(out)
+	c.Assert(id, check.Not(check.Equals), "")
+	out = cli.DockerCmd(c, "start", "-a", id).Combined()
+	c.Assert(strings.TrimSpace(out), check.Equals, "foo")
+}
+
+// #22471
+func (s *DockerSuite) TestCreateStopTimeout(c *check.C) {
+	name1 := "test_create_stop_timeout_1"
+	dockerCmd(c, "create", "--name", name1, "--stop-timeout", "15", "busybox")
+
+	res := inspectFieldJSON(c, name1, "Config.StopTimeout")
+	c.Assert(res, checker.Contains, "15")
+
+	name2 := "test_create_stop_timeout_2"
+	dockerCmd(c, "create", "--name", name2, "busybox")
+
+	res = inspectFieldJSON(c, name2, "Config.StopTimeout")
+	c.Assert(res, checker.Contains, "null")
+}
diff --git a/engine/integration-cli/docker_cli_daemon_plugins_test.go b/engine/integration-cli/docker_cli_daemon_plugins_test.go
new file mode 100644
index 00000000..69e190c3
--- /dev/null
+++ b/engine/integration-cli/docker_cli_daemon_plugins_test.go
@@ -0,0 +1,328 @@
+// +build linux
+
+package main
+
+import (
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/go-check/check"
+	"golang.org/x/sys/unix"
+	"gotest.tools/icmd"
+)
+
+// TestDaemonRestartWithPluginEnabled tests state restore for an enabled plugin
+func (s *DockerDaemonSuite) TestDaemonRestartWithPluginEnabled(c *check.C) {
+	testRequires(c, IsAmd64, Network)
+
+	s.d.Start(c)
+
+	if out, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", pName); err != nil {
+		c.Fatalf("Could not install plugin: %v %s", err, out)
+	}
+
+	defer func() {
+		if out, err := s.d.Cmd("plugin", "disable", pName); err != nil {
+			c.Fatalf("Could not disable plugin: %v %s", err, out)
+		}
+		if out, err := s.d.Cmd("plugin", "remove", pName); err != nil {
+			c.Fatalf("Could not remove plugin: %v %s", err, out)
+		}
+	}()
+
+	s.d.Restart(c)
+
+	out, err := s.d.Cmd("plugin", "ls")
+	if err != nil {
+		c.Fatalf("Could not list plugins: %v %s", err, out)
+	}
+	c.Assert(out, checker.Contains, pName)
+	c.Assert(out, checker.Contains, "true")
+}
+
+// TestDaemonRestartWithPluginDisabled tests state restore for a disabled plugin
+func (s *DockerDaemonSuite) TestDaemonRestartWithPluginDisabled(c *check.C) {
+	testRequires(c, IsAmd64, Network)
+
+	s.d.Start(c)
+
+	if out, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", pName, "--disable"); err != nil {
+		c.Fatalf("Could not install plugin: %v %s", err, out)
+	}
+
+	defer func() {
+		if out, err := s.d.Cmd("plugin", "remove", pName); err != nil {
+			c.Fatalf("Could not remove plugin: %v %s", err, out)
+		}
+	}()
+
+	s.d.Restart(c)
+
+	out, err := s.d.Cmd("plugin", "ls")
+	if err != nil {
+		c.Fatalf("Could not list plugins: %v %s", err, out)
+	}
+	c.Assert(out, checker.Contains, pName)
+	c.Assert(out, checker.Contains, "false")
+}
+
+// TestDaemonKillLiveRestoreWithPlugins SIGKILLs daemon started with --live-restore.
+// Plugins should continue to run.
+func (s *DockerDaemonSuite) TestDaemonKillLiveRestoreWithPlugins(c *check.C) {
+	testRequires(c, IsAmd64, Network)
+
+	s.d.Start(c, "--live-restore")
+	if out, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", pName); err != nil {
+		c.Fatalf("Could not install plugin: %v %s", err, out)
+	}
+	defer func() {
+		s.d.Restart(c, "--live-restore")
+		if out, err := s.d.Cmd("plugin", "disable", pName); err != nil {
+			c.Fatalf("Could not disable plugin: %v %s", err, out)
+		}
+		if out, err := s.d.Cmd("plugin", "remove", pName); err != nil {
+			c.Fatalf("Could not remove plugin: %v %s", err, out)
+		}
+	}()
+
+	if err := s.d.Kill(); err != nil {
+		c.Fatalf("Could not kill daemon: %v", err)
+	}
+
+	icmd.RunCommand("pgrep", "-f", pluginProcessName).Assert(c, icmd.Success)
+}
+
+// TestDaemonShutdownLiveRestoreWithPlugins SIGTERMs daemon started with --live-restore.
+// Plugins should continue to run.
+func (s *DockerDaemonSuite) TestDaemonShutdownLiveRestoreWithPlugins(c *check.C) {
+	testRequires(c, IsAmd64, Network)
+
+	s.d.Start(c, "--live-restore")
+	if out, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", pName); err != nil {
+		c.Fatalf("Could not install plugin: %v %s", err, out)
+	}
+	defer func() {
+		s.d.Restart(c, "--live-restore")
+		if out, err := s.d.Cmd("plugin", "disable", pName); err != nil {
+			c.Fatalf("Could not disable plugin: %v %s", err, out)
+		}
+		if out, err := s.d.Cmd("plugin", "remove", pName); err != nil {
+			c.Fatalf("Could not remove plugin: %v %s", err, out)
+		}
+	}()
+
+	if err := s.d.Interrupt(); err != nil {
+		c.Fatalf("Could not kill daemon: %v", err)
+	}
+
+	icmd.RunCommand("pgrep", "-f", pluginProcessName).Assert(c, icmd.Success)
+}
+
+// TestDaemonShutdownWithPlugins shuts down running plugins.
+func (s *DockerDaemonSuite) TestDaemonShutdownWithPlugins(c *check.C) {
+	testRequires(c, IsAmd64, Network, SameHostDaemon)
+
+	s.d.Start(c)
+	if out, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", pName); err != nil {
+		c.Fatalf("Could not install plugin: %v %s", err, out)
+	}
+
+	defer func() {
+		s.d.Restart(c)
+		if out, err := s.d.Cmd("plugin", "disable", pName); err != nil {
+			c.Fatalf("Could not disable plugin: %v %s", err, out)
+		}
+		if out, err := s.d.Cmd("plugin", "remove", pName); err != nil {
+			c.Fatalf("Could not remove plugin: %v %s", err, out)
+		}
+	}()
+
+	if err := s.d.Interrupt(); err != nil {
+		c.Fatalf("Could not kill daemon: %v", err)
+	}
+
+	for {
+		if err := unix.Kill(s.d.Pid(), 0); err == unix.ESRCH {
+			break
+		}
+	}
+
+	icmd.RunCommand("pgrep", "-f", pluginProcessName).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Error:    "exit status 1",
+	})
+
+	s.d.Start(c)
+	icmd.RunCommand("pgrep", "-f", pluginProcessName).Assert(c, icmd.Success)
+}
+
+// TestDaemonKillWithPlugins leaves plugins running.
+func (s *DockerDaemonSuite) TestDaemonKillWithPlugins(c *check.C) {
+	testRequires(c, IsAmd64, Network, SameHostDaemon)
+
+	s.d.Start(c)
+	if out, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", pName); err != nil {
+		c.Fatalf("Could not install plugin: %v %s", err, out)
+	}
+
+	defer func() {
+		s.d.Restart(c)
+		if out, err := s.d.Cmd("plugin", "disable", pName); err != nil {
+			c.Fatalf("Could not disable plugin: %v %s", err, out)
+		}
+		if out, err := s.d.Cmd("plugin", "remove", pName); err != nil {
+			c.Fatalf("Could not remove plugin: %v %s", err, out)
+		}
+	}()
+
+	if err := s.d.Kill(); err != nil {
+		c.Fatalf("Could not kill daemon: %v", err)
+	}
+
+	// assert that plugins are running.
+	icmd.RunCommand("pgrep", "-f", pluginProcessName).Assert(c, icmd.Success)
+}
+
+// TestVolumePlugin tests volume creation using a plugin.
+func (s *DockerDaemonSuite) TestVolumePlugin(c *check.C) {
+	testRequires(c, IsAmd64, Network)
+
+	volName := "plugin-volume"
+	destDir := "/tmp/data/"
+	destFile := "foo"
+
+	s.d.Start(c)
+	out, err := s.d.Cmd("plugin", "install", pName, "--grant-all-permissions")
+	if err != nil {
+		c.Fatalf("Could not install plugin: %v %s", err, out)
+	}
+	defer func() {
+		if out, err := s.d.Cmd("plugin", "disable", pName); err != nil {
+			c.Fatalf("Could not disable plugin: %v %s", err, out)
+		}
+
+		if out, err := s.d.Cmd("plugin", "remove", pName); err != nil {
+			c.Fatalf("Could not remove plugin: %v %s", err, out)
+		}
+	}()
+
+	out, err = s.d.Cmd("volume", "create", "-d", pName, volName)
+	if err != nil {
+		c.Fatalf("Could not create volume: %v %s", err, out)
+	}
+	defer func() {
+		if out, err := s.d.Cmd("volume", "remove", volName); err != nil {
+			c.Fatalf("Could not remove volume: %v %s", err, out)
+		}
+	}()
+
+	out, err = s.d.Cmd("volume", "ls")
+	if err != nil {
+		c.Fatalf("Could not list volume: %v %s", err, out)
+	}
+	c.Assert(out, checker.Contains, volName)
+	c.Assert(out, checker.Contains, pName)
+
+	out, err = s.d.Cmd("run", "--rm", "-v", volName+":"+destDir, "busybox", "touch", destDir+destFile)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("run", "--rm", "-v", volName+":"+destDir, "busybox", "ls", destDir+destFile)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+}
+
+func (s *DockerDaemonSuite) TestPluginVolumeRemoveOnRestart(c *check.C) {
+	testRequires(c, DaemonIsLinux, Network, IsAmd64)
+
+	s.d.Start(c, "--live-restore=true")
+
+	out, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", pName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Contains, pName)
+
+	out, err = s.d.Cmd("volume", "create", "--driver", pName, "test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	s.d.Restart(c, "--live-restore=true")
+
+	out, err = s.d.Cmd("plugin", "disable", pName)
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "in use")
+
+	out, err = s.d.Cmd("volume", "rm", "test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("plugin", "disable", pName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("plugin", "rm", pName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+}
+
+func existsMountpointWithPrefix(mountpointPrefix string) (bool, error) {
+	mounts, err := mount.GetMounts(nil)
+	if err != nil {
+		return false, err
+	}
+	for _, mnt := range mounts {
+		if strings.HasPrefix(mnt.Mountpoint, mountpointPrefix) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func (s *DockerDaemonSuite) TestPluginListFilterEnabled(c *check.C) {
+	testRequires(c, IsAmd64, Network)
+
+	s.d.Start(c)
+
+	out, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", pNameWithTag, "--disable")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	defer func() {
+		if out, err := s.d.Cmd("plugin", "remove", pNameWithTag); err != nil {
+			c.Fatalf("Could not remove plugin: %v %s", err, out)
+		}
+	}()
+
+	out, err = s.d.Cmd("plugin", "ls", "--filter", "enabled=true")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), pName)
+
+	out, err = s.d.Cmd("plugin", "ls", "--filter", "enabled=false")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, pName)
+	c.Assert(out, checker.Contains, "false")
+
+	out, err = s.d.Cmd("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, pName)
+}
+
+func (s *DockerDaemonSuite) TestPluginListFilterCapability(c *check.C) {
+	testRequires(c, IsAmd64, Network)
+
+	s.d.Start(c)
+
+	out, err := s.d.Cmd("plugin", "install", "--grant-all-permissions", pNameWithTag, "--disable")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	defer func() {
+		if out, err := s.d.Cmd("plugin", "remove", pNameWithTag); err != nil {
+			c.Fatalf("Could not remove plugin: %v %s", err, out)
+		}
+	}()
+
+	out, err = s.d.Cmd("plugin", "ls", "--filter", "capability=volumedriver")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, pName)
+
+	out, err = s.d.Cmd("plugin", "ls", "--filter", "capability=authz")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), pName)
+
+	out, err = s.d.Cmd("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, pName)
+}
diff --git a/engine/integration-cli/docker_cli_daemon_test.go b/engine/integration-cli/docker_cli_daemon_test.go
new file mode 100644
index 00000000..bd5f6d56
--- /dev/null
+++ b/engine/integration-cli/docker_cli_daemon_test.go
@@ -0,0 +1,3131 @@
+// +build linux
+
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/cloudflare/cfssl/helpers"
+	"github.com/docker/docker/api"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	moby_daemon "github.com/docker/docker/daemon"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/integration-cli/daemon"
+	testdaemon "github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/go-units"
+	"github.com/docker/libnetwork/iptables"
+	"github.com/docker/libtrust"
+	"github.com/go-check/check"
+	"github.com/kr/pty"
+	"golang.org/x/sys/unix"
+	"gotest.tools/icmd"
+)
+
+// TestLegacyDaemonCommand test starting docker daemon using "deprecated" docker daemon
+// command. Remove this test when we remove this.
+func (s *DockerDaemonSuite) TestLegacyDaemonCommand(c *check.C) {
+	cmd := exec.Command(dockerBinary, "daemon", "--storage-driver=vfs", "--debug")
+	err := cmd.Start()
+	go cmd.Wait()
+	c.Assert(err, checker.IsNil, check.Commentf("could not start daemon using 'docker daemon'"))
+
+	c.Assert(cmd.Process.Kill(), checker.IsNil)
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartWithRunningContainersPorts(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	cli.Docker(
+		cli.Args("run", "-d", "--name", "top1", "-p", "1234:80", "--restart", "always", "busybox:latest", "top"),
+		cli.Daemon(s.d),
+	).Assert(c, icmd.Success)
+
+	cli.Docker(
+		cli.Args("run", "-d", "--name", "top2", "-p", "80", "busybox:latest", "top"),
+		cli.Daemon(s.d),
+	).Assert(c, icmd.Success)
+
+	testRun := func(m map[string]bool, prefix string) {
+		var format string
+		for cont, shouldRun := range m {
+			out := cli.Docker(cli.Args("ps"), cli.Daemon(s.d)).Assert(c, icmd.Success).Combined()
+			if shouldRun {
+				format = "%scontainer %q is not running"
+			} else {
+				format = "%scontainer %q is running"
+			}
+			if shouldRun != strings.Contains(out, cont) {
+				c.Fatalf(format, prefix, cont)
+			}
+		}
+	}
+
+	testRun(map[string]bool{"top1": true, "top2": true}, "")
+
+	s.d.Restart(c)
+	testRun(map[string]bool{"top1": true, "top2": false}, "After daemon restart: ")
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartWithVolumesRefs(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	if out, err := s.d.Cmd("run", "--name", "volrestarttest1", "-v", "/foo", "busybox"); err != nil {
+		c.Fatal(err, out)
+	}
+
+	s.d.Restart(c)
+
+	if out, err := s.d.Cmd("run", "-d", "--volumes-from", "volrestarttest1", "--name", "volrestarttest2", "busybox", "top"); err != nil {
+		c.Fatal(err, out)
+	}
+
+	if out, err := s.d.Cmd("rm", "-fv", "volrestarttest2"); err != nil {
+		c.Fatal(err, out)
+	}
+
+	out, err := s.d.Cmd("inspect", "-f", "{{json .Mounts}}", "volrestarttest1")
+	c.Assert(err, check.IsNil)
+
+	if _, err := inspectMountPointJSON(out, "/foo"); err != nil {
+		c.Fatalf("Expected volume to exist: /foo, error: %v\n", err)
+	}
+}
+
+// #11008
+func (s *DockerDaemonSuite) TestDaemonRestartUnlessStopped(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "-d", "--name", "top1", "--restart", "always", "busybox:latest", "top")
+	c.Assert(err, check.IsNil, check.Commentf("run top1: %v", out))
+
+	out, err = s.d.Cmd("run", "-d", "--name", "top2", "--restart", "unless-stopped", "busybox:latest", "top")
+	c.Assert(err, check.IsNil, check.Commentf("run top2: %v", out))
+
+	testRun := func(m map[string]bool, prefix string) {
+		var format string
+		for name, shouldRun := range m {
+			out, err := s.d.Cmd("ps")
+			c.Assert(err, check.IsNil, check.Commentf("run ps: %v", out))
+			if shouldRun {
+				format = "%scontainer %q is not running"
+			} else {
+				format = "%scontainer %q is running"
+			}
+			c.Assert(strings.Contains(out, name), check.Equals, shouldRun, check.Commentf(format, prefix, name))
+		}
+	}
+
+	// both running
+	testRun(map[string]bool{"top1": true, "top2": true}, "")
+
+	out, err = s.d.Cmd("stop", "top1")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("stop", "top2")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// both stopped
+	testRun(map[string]bool{"top1": false, "top2": false}, "")
+
+	s.d.Restart(c)
+
+	// restart=always running
+	testRun(map[string]bool{"top1": true, "top2": false}, "After daemon restart: ")
+
+	out, err = s.d.Cmd("start", "top2")
+	c.Assert(err, check.IsNil, check.Commentf("start top2: %v", out))
+
+	s.d.Restart(c)
+
+	// both running
+	testRun(map[string]bool{"top1": true, "top2": true}, "After second daemon restart: ")
+
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartOnFailure(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "-d", "--name", "test1", "--restart", "on-failure:3", "busybox:latest", "false")
+	c.Assert(err, check.IsNil, check.Commentf("run top1: %v", out))
+
+	// wait test1 to stop
+	hostArgs := []string{"--host", s.d.Sock()}
+	err = waitInspectWithArgs("test1", "{{.State.Running}} {{.State.Restarting}}", "false false", 10*time.Second, hostArgs...)
+	c.Assert(err, checker.IsNil, check.Commentf("test1 should exit but not"))
+
+	// record last start time
+	out, err = s.d.Cmd("inspect", "-f={{.State.StartedAt}}", "test1")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+	lastStartTime := out
+
+	s.d.Restart(c)
+
+	// test1 shouldn't restart at all
+	err = waitInspectWithArgs("test1", "{{.State.Running}} {{.State.Restarting}}", "false false", 0, hostArgs...)
+	c.Assert(err, checker.IsNil, check.Commentf("test1 should exit but not"))
+
+	// make sure test1 isn't restarted when daemon restart
+	// if "StartAt" time updates, means test1 was once restarted.
+	out, err = s.d.Cmd("inspect", "-f={{.State.StartedAt}}", "test1")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+	c.Assert(out, checker.Equals, lastStartTime, check.Commentf("test1 shouldn't start after daemon restarts"))
+}
+
+func (s *DockerDaemonSuite) TestDaemonStartIptablesFalse(c *check.C) {
+	s.d.Start(c, "--iptables=false")
+}
+
+// Make sure we cannot shrink base device at daemon restart.
+func (s *DockerDaemonSuite) TestDaemonRestartWithInvalidBasesize(c *check.C) {
+	testRequires(c, Devicemapper)
+	s.d.Start(c)
+
+	oldBasesizeBytes := getBaseDeviceSize(c, s.d)
+	var newBasesizeBytes int64 = 1073741824 //1GB in bytes
+
+	if newBasesizeBytes < oldBasesizeBytes {
+		err := s.d.RestartWithError("--storage-opt", fmt.Sprintf("dm.basesize=%d", newBasesizeBytes))
+		c.Assert(err, check.NotNil, check.Commentf("daemon should not have started as new base device size is less than existing base device size: %v", err))
+		// 'err != nil' is expected behaviour, no new daemon started,
+		// so no need to stop daemon.
+		if err != nil {
+			return
+		}
+	}
+	s.d.Stop(c)
+}
+
+// Make sure we can grow base device at daemon restart.
+func (s *DockerDaemonSuite) TestDaemonRestartWithIncreasedBasesize(c *check.C) {
+	testRequires(c, Devicemapper)
+	s.d.Start(c)
+
+	oldBasesizeBytes := getBaseDeviceSize(c, s.d)
+
+	var newBasesizeBytes int64 = 53687091200 //50GB in bytes
+
+	if newBasesizeBytes < oldBasesizeBytes {
+		c.Skip(fmt.Sprintf("New base device size (%v) must be greater than (%s)", units.HumanSize(float64(newBasesizeBytes)), units.HumanSize(float64(oldBasesizeBytes))))
+	}
+
+	err := s.d.RestartWithError("--storage-opt", fmt.Sprintf("dm.basesize=%d", newBasesizeBytes))
+	c.Assert(err, check.IsNil, check.Commentf("we should have been able to start the daemon with increased base device size: %v", err))
+
+	basesizeAfterRestart := getBaseDeviceSize(c, s.d)
+	newBasesize, err := convertBasesize(newBasesizeBytes)
+	c.Assert(err, check.IsNil, check.Commentf("Error in converting base device size: %v", err))
+	c.Assert(newBasesize, check.Equals, basesizeAfterRestart, check.Commentf("Basesize passed is not equal to Basesize set"))
+	s.d.Stop(c)
+}
+
+func getBaseDeviceSize(c *check.C, d *daemon.Daemon) int64 {
+	info := d.Info(c)
+	for _, statusLine := range info.DriverStatus {
+		key, value := statusLine[0], statusLine[1]
+		if key == "Base Device Size" {
+			return parseDeviceSize(c, value)
+		}
+	}
+	c.Fatal("failed to parse Base Device Size from info")
+	return int64(0)
+}
+
+func parseDeviceSize(c *check.C, raw string) int64 {
+	size, err := units.RAMInBytes(strings.TrimSpace(raw))
+	c.Assert(err, check.IsNil)
+	return size
+}
+
+func convertBasesize(basesizeBytes int64) (int64, error) {
+	basesize := units.HumanSize(float64(basesizeBytes))
+	basesize = strings.Trim(basesize, " ")[:len(basesize)-3]
+	basesizeFloat, err := strconv.ParseFloat(strings.Trim(basesize, " "), 64)
+	if err != nil {
+		return 0, err
+	}
+	return int64(basesizeFloat) * 1024 * 1024 * 1024, nil
+}
+
+// Issue #8444: If docker0 bridge is modified (intentionally or unintentionally) and
+// no longer has an IP associated, we should gracefully handle that case and associate
+// an IP with it rather than fail daemon start
+func (s *DockerDaemonSuite) TestDaemonStartBridgeWithoutIPAssociation(c *check.C) {
+	// rather than depending on brctl commands to verify docker0 is created and up
+	// let's start the daemon and stop it, and then make a modification to run the
+	// actual test
+	s.d.Start(c)
+	s.d.Stop(c)
+
+	// now we will remove the ip from docker0 and then try starting the daemon
+	icmd.RunCommand("ip", "addr", "flush", "dev", "docker0").Assert(c, icmd.Success)
+
+	if err := s.d.StartWithError(); err != nil {
+		warning := "**WARNING: Docker bridge network in bad state--delete docker0 bridge interface to fix"
+		c.Fatalf("Could not start daemon when docker0 has no IP address: %v\n%s", err, warning)
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonIptablesClean(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	if out, err := s.d.Cmd("run", "-d", "--name", "top", "-p", "80", "busybox:latest", "top"); err != nil {
+		c.Fatalf("Could not run top: %s, %v", out, err)
+	}
+
+	ipTablesSearchString := "tcp dpt:80"
+
+	// get output from iptables with container running
+	verifyIPTablesContains(c, ipTablesSearchString)
+
+	s.d.Stop(c)
+
+	// get output from iptables after restart
+	verifyIPTablesDoesNotContains(c, ipTablesSearchString)
+}
+
+func (s *DockerDaemonSuite) TestDaemonIptablesCreate(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	if out, err := s.d.Cmd("run", "-d", "--name", "top", "--restart=always", "-p", "80", "busybox:latest", "top"); err != nil {
+		c.Fatalf("Could not run top: %s, %v", out, err)
+	}
+
+	// get output from iptables with container running
+	ipTablesSearchString := "tcp dpt:80"
+	verifyIPTablesContains(c, ipTablesSearchString)
+
+	s.d.Restart(c)
+
+	// make sure the container is not running
+	runningOut, err := s.d.Cmd("inspect", "--format={{.State.Running}}", "top")
+	if err != nil {
+		c.Fatalf("Could not inspect on container: %s, %v", runningOut, err)
+	}
+	if strings.TrimSpace(runningOut) != "true" {
+		c.Fatalf("Container should have been restarted after daemon restart. Status running should have been true but was: %q", strings.TrimSpace(runningOut))
+	}
+
+	// get output from iptables after restart
+	verifyIPTablesContains(c, ipTablesSearchString)
+}
+
+func verifyIPTablesContains(c *check.C, ipTablesSearchString string) {
+	result := icmd.RunCommand("iptables", "-nvL")
+	result.Assert(c, icmd.Success)
+	if !strings.Contains(result.Combined(), ipTablesSearchString) {
+		c.Fatalf("iptables output should have contained %q, but was %q", ipTablesSearchString, result.Combined())
+	}
+}
+
+func verifyIPTablesDoesNotContains(c *check.C, ipTablesSearchString string) {
+	result := icmd.RunCommand("iptables", "-nvL")
+	result.Assert(c, icmd.Success)
+	if strings.Contains(result.Combined(), ipTablesSearchString) {
+		c.Fatalf("iptables output should not have contained %q, but was %q", ipTablesSearchString, result.Combined())
+	}
+}
+
+// TestDaemonIPv6Enabled checks that when the daemon is started with --ipv6=true that the docker0 bridge
+// has the fe80::1 address and that a container is assigned a link-local address
+func (s *DockerDaemonSuite) TestDaemonIPv6Enabled(c *check.C) {
+	testRequires(c, IPv6)
+
+	setupV6(c)
+	defer teardownV6(c)
+
+	s.d.StartWithBusybox(c, "--ipv6")
+
+	iface, err := net.InterfaceByName("docker0")
+	if err != nil {
+		c.Fatalf("Error getting docker0 interface: %v", err)
+	}
+
+	addrs, err := iface.Addrs()
+	if err != nil {
+		c.Fatalf("Error getting addresses for docker0 interface: %v", err)
+	}
+
+	var found bool
+	expected := "fe80::1/64"
+
+	for i := range addrs {
+		if addrs[i].String() == expected {
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		c.Fatalf("Bridge does not have an IPv6 Address")
+	}
+
+	if out, err := s.d.Cmd("run", "-itd", "--name=ipv6test", "busybox:latest"); err != nil {
+		c.Fatalf("Could not run container: %s, %v", out, err)
+	}
+
+	out, err := s.d.Cmd("inspect", "--format", "'{{.NetworkSettings.Networks.bridge.LinkLocalIPv6Address}}'", "ipv6test")
+	out = strings.Trim(out, " \r\n'")
+
+	if err != nil {
+		c.Fatalf("Error inspecting container: %s, %v", out, err)
+	}
+
+	if ip := net.ParseIP(out); ip == nil {
+		c.Fatalf("Container should have a link-local IPv6 address")
+	}
+
+	out, err = s.d.Cmd("inspect", "--format", "'{{.NetworkSettings.Networks.bridge.GlobalIPv6Address}}'", "ipv6test")
+	out = strings.Trim(out, " \r\n'")
+
+	if err != nil {
+		c.Fatalf("Error inspecting container: %s, %v", out, err)
+	}
+
+	if ip := net.ParseIP(out); ip != nil {
+		c.Fatalf("Container should not have a global IPv6 address: %v", out)
+	}
+}
+
+// TestDaemonIPv6FixedCIDR checks that when the daemon is started with --ipv6=true and a fixed CIDR
+// that running containers are given a link-local and global IPv6 address
+func (s *DockerDaemonSuite) TestDaemonIPv6FixedCIDR(c *check.C) {
+	// IPv6 setup is messing with local bridge address.
+	testRequires(c, SameHostDaemon)
+	// Delete the docker0 bridge if its left around from previous daemon. It has to be recreated with
+	// ipv6 enabled
+	deleteInterface(c, "docker0")
+
+	s.d.StartWithBusybox(c, "--ipv6", "--fixed-cidr-v6=2001:db8:2::/64", "--default-gateway-v6=2001:db8:2::100")
+
+	out, err := s.d.Cmd("run", "-itd", "--name=ipv6test", "busybox:latest")
+	c.Assert(err, checker.IsNil, check.Commentf("Could not run container: %s, %v", out, err))
+
+	out, err = s.d.Cmd("inspect", "--format", "{{.NetworkSettings.Networks.bridge.GlobalIPv6Address}}", "ipv6test")
+	out = strings.Trim(out, " \r\n'")
+
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	ip := net.ParseIP(out)
+	c.Assert(ip, checker.NotNil, check.Commentf("Container should have a global IPv6 address"))
+
+	out, err = s.d.Cmd("inspect", "--format", "{{.NetworkSettings.Networks.bridge.IPv6Gateway}}", "ipv6test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	c.Assert(strings.Trim(out, " \r\n'"), checker.Equals, "2001:db8:2::100", check.Commentf("Container should have a global IPv6 gateway"))
+}
+
+// TestDaemonIPv6FixedCIDRAndMac checks that when the daemon is started with ipv6 fixed CIDR
+// the running containers are given an IPv6 address derived from the MAC address and the ipv6 fixed CIDR
+func (s *DockerDaemonSuite) TestDaemonIPv6FixedCIDRAndMac(c *check.C) {
+	// IPv6 setup is messing with local bridge address.
+	testRequires(c, SameHostDaemon)
+	// Delete the docker0 bridge if its left around from previous daemon. It has to be recreated with
+	// ipv6 enabled
+	deleteInterface(c, "docker0")
+
+	s.d.StartWithBusybox(c, "--ipv6", "--fixed-cidr-v6=2001:db8:1::/64")
+
+	out, err := s.d.Cmd("run", "-itd", "--name=ipv6test", "--mac-address", "AA:BB:CC:DD:EE:FF", "busybox")
+	c.Assert(err, checker.IsNil)
+
+	out, err = s.d.Cmd("inspect", "--format", "{{.NetworkSettings.Networks.bridge.GlobalIPv6Address}}", "ipv6test")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.Trim(out, " \r\n'"), checker.Equals, "2001:db8:1::aabb:ccdd:eeff")
+}
+
+// TestDaemonIPv6HostMode checks that when the running a container with
+// network=host the host ipv6 addresses are not removed
+func (s *DockerDaemonSuite) TestDaemonIPv6HostMode(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	deleteInterface(c, "docker0")
+
+	s.d.StartWithBusybox(c, "--ipv6", "--fixed-cidr-v6=2001:db8:2::/64")
+	out, err := s.d.Cmd("run", "-itd", "--name=hostcnt", "--network=host", "busybox:latest")
+	c.Assert(err, checker.IsNil, check.Commentf("Could not run container: %s, %v", out, err))
+
+	out, err = s.d.Cmd("exec", "hostcnt", "ip", "-6", "addr", "show", "docker0")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.Trim(out, " \r\n'"), checker.Contains, "2001:db8:2::1")
+}
+
+func (s *DockerDaemonSuite) TestDaemonLogLevelWrong(c *check.C) {
+	c.Assert(s.d.StartWithError("--log-level=bogus"), check.NotNil, check.Commentf("Daemon shouldn't start with wrong log level"))
+}
+
+func (s *DockerDaemonSuite) TestDaemonLogLevelDebug(c *check.C) {
+	s.d.Start(c, "--log-level=debug")
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	if !strings.Contains(string(content), `level=debug`) {
+		c.Fatalf(`Missing level="debug" in log file:\n%s`, string(content))
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonLogLevelFatal(c *check.C) {
+	// we creating new daemons to create new logFile
+	s.d.Start(c, "--log-level=fatal")
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	if strings.Contains(string(content), `level=debug`) {
+		c.Fatalf(`Should not have level="debug" in log file:\n%s`, string(content))
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonFlagD(c *check.C) {
+	s.d.Start(c, "-D")
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	if !strings.Contains(string(content), `level=debug`) {
+		c.Fatalf(`Should have level="debug" in log file using -D:\n%s`, string(content))
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonFlagDebug(c *check.C) {
+	s.d.Start(c, "--debug")
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	if !strings.Contains(string(content), `level=debug`) {
+		c.Fatalf(`Should have level="debug" in log file using --debug:\n%s`, string(content))
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonFlagDebugLogLevelFatal(c *check.C) {
+	s.d.Start(c, "--debug", "--log-level=fatal")
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	if !strings.Contains(string(content), `level=debug`) {
+		c.Fatalf(`Should have level="debug" in log file when using both --debug and --log-level=fatal:\n%s`, string(content))
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonAllocatesListeningPort(c *check.C) {
+	listeningPorts := [][]string{
+		{"0.0.0.0", "0.0.0.0", "5678"},
+		{"127.0.0.1", "127.0.0.1", "1234"},
+		{"localhost", "127.0.0.1", "1235"},
+	}
+
+	cmdArgs := make([]string, 0, len(listeningPorts)*2)
+	for _, hostDirective := range listeningPorts {
+		cmdArgs = append(cmdArgs, "--host", fmt.Sprintf("tcp://%s:%s", hostDirective[0], hostDirective[2]))
+	}
+
+	s.d.StartWithBusybox(c, cmdArgs...)
+
+	for _, hostDirective := range listeningPorts {
+		output, err := s.d.Cmd("run", "-p", fmt.Sprintf("%s:%s:80", hostDirective[1], hostDirective[2]), "busybox", "true")
+		if err == nil {
+			c.Fatalf("Container should not start, expected port already allocated error: %q", output)
+		} else if !strings.Contains(output, "port is already allocated") {
+			c.Fatalf("Expected port is already allocated error: %q", output)
+		}
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonKeyGeneration(c *check.C) {
+	// TODO: skip or update for Windows daemon
+	os.Remove("/etc/docker/key.json")
+	s.d.Start(c)
+	s.d.Stop(c)
+
+	k, err := libtrust.LoadKeyFile("/etc/docker/key.json")
+	if err != nil {
+		c.Fatalf("Error opening key file")
+	}
+	kid := k.KeyID()
+	// Test Key ID is a valid fingerprint (e.g. QQXN:JY5W:TBXI:MK3X:GX6P:PD5D:F56N:NHCS:LVRZ:JA46:R24J:XEFF)
+	if len(kid) != 59 {
+		c.Fatalf("Bad key ID: %s", kid)
+	}
+}
+
+// GH#11320 - verify that the daemon exits on failure properly
+// Note that this explicitly tests the conflict of {-b,--bridge} and {--bip} options as the means
+// to get a daemon init failure; no other tests for -b/--bip conflict are therefore required
+func (s *DockerDaemonSuite) TestDaemonExitOnFailure(c *check.C) {
+	//attempt to start daemon with incorrect flags (we know -b and --bip conflict)
+	if err := s.d.StartWithError("--bridge", "nosuchbridge", "--bip", "1.1.1.1"); err != nil {
+		//verify we got the right error
+		if !strings.Contains(err.Error(), "Daemon exited") {
+			c.Fatalf("Expected daemon not to start, got %v", err)
+		}
+		// look in the log and make sure we got the message that daemon is shutting down
+		icmd.RunCommand("grep", "Error starting daemon", s.d.LogFileName()).Assert(c, icmd.Success)
+	} else {
+		//if we didn't get an error and the daemon is running, this is a failure
+		c.Fatal("Conflicting options should cause the daemon to error out with a failure")
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonBridgeExternal(c *check.C) {
+	d := s.d
+	err := d.StartWithError("--bridge", "nosuchbridge")
+	c.Assert(err, check.NotNil, check.Commentf("--bridge option with an invalid bridge should cause the daemon to fail"))
+	defer d.Restart(c)
+
+	bridgeName := "external-bridge"
+	bridgeIP := "192.169.1.1/24"
+	_, bridgeIPNet, _ := net.ParseCIDR(bridgeIP)
+
+	createInterface(c, "bridge", bridgeName, bridgeIP)
+	defer deleteInterface(c, bridgeName)
+
+	d.StartWithBusybox(c, "--bridge", bridgeName)
+
+	ipTablesSearchString := bridgeIPNet.String()
+	icmd.RunCommand("iptables", "-t", "nat", "-nvL").Assert(c, icmd.Expected{
+		Out: ipTablesSearchString,
+	})
+
+	_, err = d.Cmd("run", "-d", "--name", "ExtContainer", "busybox", "top")
+	c.Assert(err, check.IsNil)
+
+	containerIP := d.FindContainerIP(c, "ExtContainer")
+	ip := net.ParseIP(containerIP)
+	c.Assert(bridgeIPNet.Contains(ip), check.Equals, true,
+		check.Commentf("Container IP-Address must be in the same subnet range : %s",
+			containerIP))
+}
+
+func (s *DockerDaemonSuite) TestDaemonBridgeNone(c *check.C) {
+	// start with bridge none
+	d := s.d
+	d.StartWithBusybox(c, "--bridge", "none")
+	defer d.Restart(c)
+
+	// verify docker0 iface is not there
+	icmd.RunCommand("ifconfig", "docker0").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Error:    "exit status 1",
+		Err:      "Device not found",
+	})
+
+	// verify default "bridge" network is not there
+	out, err := d.Cmd("network", "inspect", "bridge")
+	c.Assert(err, check.NotNil, check.Commentf("\"bridge\" network should not be present if daemon started with --bridge=none"))
+	c.Assert(strings.Contains(out, "No such network"), check.Equals, true)
+}
+
+func createInterface(c *check.C, ifType string, ifName string, ipNet string) {
+	icmd.RunCommand("ip", "link", "add", "name", ifName, "type", ifType).Assert(c, icmd.Success)
+	icmd.RunCommand("ifconfig", ifName, ipNet, "up").Assert(c, icmd.Success)
+}
+
+func deleteInterface(c *check.C, ifName string) {
+	icmd.RunCommand("ip", "link", "delete", ifName).Assert(c, icmd.Success)
+	icmd.RunCommand("iptables", "-t", "nat", "--flush").Assert(c, icmd.Success)
+	icmd.RunCommand("iptables", "--flush").Assert(c, icmd.Success)
+}
+
+func (s *DockerDaemonSuite) TestDaemonBridgeIP(c *check.C) {
+	// TestDaemonBridgeIP Steps
+	// 1. Delete the existing docker0 Bridge
+	// 2. Set --bip daemon configuration and start the new Docker Daemon
+	// 3. Check if the bip config has taken effect using ifconfig and iptables commands
+	// 4. Launch a Container and make sure the IP-Address is in the expected subnet
+	// 5. Delete the docker0 Bridge
+	// 6. Restart the Docker Daemon (via deferred action)
+	//    This Restart takes care of bringing docker0 interface back to auto-assigned IP
+
+	defaultNetworkBridge := "docker0"
+	deleteInterface(c, defaultNetworkBridge)
+
+	d := s.d
+
+	bridgeIP := "192.169.1.1/24"
+	ip, bridgeIPNet, _ := net.ParseCIDR(bridgeIP)
+
+	d.StartWithBusybox(c, "--bip", bridgeIP)
+	defer d.Restart(c)
+
+	ifconfigSearchString := ip.String()
+	icmd.RunCommand("ifconfig", defaultNetworkBridge).Assert(c, icmd.Expected{
+		Out: ifconfigSearchString,
+	})
+
+	ipTablesSearchString := bridgeIPNet.String()
+	icmd.RunCommand("iptables", "-t", "nat", "-nvL").Assert(c, icmd.Expected{
+		Out: ipTablesSearchString,
+	})
+
+	_, err := d.Cmd("run", "-d", "--name", "test", "busybox", "top")
+	c.Assert(err, check.IsNil)
+
+	containerIP := d.FindContainerIP(c, "test")
+	ip = net.ParseIP(containerIP)
+	c.Assert(bridgeIPNet.Contains(ip), check.Equals, true,
+		check.Commentf("Container IP-Address must be in the same subnet range : %s",
+			containerIP))
+	deleteInterface(c, defaultNetworkBridge)
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartWithBridgeIPChange(c *check.C) {
+	s.d.Start(c)
+	defer s.d.Restart(c)
+	s.d.Stop(c)
+
+	// now we will change the docker0's IP and then try starting the daemon
+	bridgeIP := "192.169.100.1/24"
+	_, bridgeIPNet, _ := net.ParseCIDR(bridgeIP)
+
+	icmd.RunCommand("ifconfig", "docker0", bridgeIP).Assert(c, icmd.Success)
+
+	s.d.Start(c, "--bip", bridgeIP)
+
+	//check if the iptables contains new bridgeIP MASQUERADE rule
+	ipTablesSearchString := bridgeIPNet.String()
+	icmd.RunCommand("iptables", "-t", "nat", "-nvL").Assert(c, icmd.Expected{
+		Out: ipTablesSearchString,
+	})
+}
+
+func (s *DockerDaemonSuite) TestDaemonBridgeFixedCidr(c *check.C) {
+	d := s.d
+
+	bridgeName := "external-bridge"
+	bridgeIP := "192.169.1.1/24"
+
+	createInterface(c, "bridge", bridgeName, bridgeIP)
+	defer deleteInterface(c, bridgeName)
+
+	args := []string{"--bridge", bridgeName, "--fixed-cidr", "192.169.1.0/30"}
+	d.StartWithBusybox(c, args...)
+	defer d.Restart(c)
+
+	for i := 0; i < 4; i++ {
+		cName := "Container" + strconv.Itoa(i)
+		out, err := d.Cmd("run", "-d", "--name", cName, "busybox", "top")
+		if err != nil {
+			c.Assert(strings.Contains(out, "no available IPv4 addresses"), check.Equals, true,
+				check.Commentf("Could not run a Container : %s %s", err.Error(), out))
+		}
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonBridgeFixedCidr2(c *check.C) {
+	d := s.d
+
+	bridgeName := "external-bridge"
+	bridgeIP := "10.2.2.1/16"
+
+	createInterface(c, "bridge", bridgeName, bridgeIP)
+	defer deleteInterface(c, bridgeName)
+
+	d.StartWithBusybox(c, "--bip", bridgeIP, "--fixed-cidr", "10.2.2.0/24")
+	defer s.d.Restart(c)
+
+	out, err := d.Cmd("run", "-d", "--name", "bb", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	defer d.Cmd("stop", "bb")
+
+	out, err = d.Cmd("exec", "bb", "/bin/sh", "-c", "ifconfig eth0 | awk '/inet addr/{print substr($2,6)}'")
+	c.Assert(out, checker.Equals, "10.2.2.0\n")
+
+	out, err = d.Cmd("run", "--rm", "busybox", "/bin/sh", "-c", "ifconfig eth0 | awk '/inet addr/{print substr($2,6)}'")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(out, checker.Equals, "10.2.2.2\n")
+}
+
+func (s *DockerDaemonSuite) TestDaemonBridgeFixedCIDREqualBridgeNetwork(c *check.C) {
+	d := s.d
+
+	bridgeName := "external-bridge"
+	bridgeIP := "172.27.42.1/16"
+
+	createInterface(c, "bridge", bridgeName, bridgeIP)
+	defer deleteInterface(c, bridgeName)
+
+	d.StartWithBusybox(c, "--bridge", bridgeName, "--fixed-cidr", bridgeIP)
+	defer s.d.Restart(c)
+
+	out, err := d.Cmd("run", "-d", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	cid1 := strings.TrimSpace(out)
+	defer d.Cmd("stop", cid1)
+}
+
+func (s *DockerDaemonSuite) TestDaemonDefaultGatewayIPv4Implicit(c *check.C) {
+	defaultNetworkBridge := "docker0"
+	deleteInterface(c, defaultNetworkBridge)
+
+	d := s.d
+
+	bridgeIP := "192.169.1.1"
+	bridgeIPNet := fmt.Sprintf("%s/24", bridgeIP)
+
+	d.StartWithBusybox(c, "--bip", bridgeIPNet)
+	defer d.Restart(c)
+
+	expectedMessage := fmt.Sprintf("default via %s dev", bridgeIP)
+	out, err := d.Cmd("run", "busybox", "ip", "-4", "route", "list", "0/0")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.Contains(out, expectedMessage), check.Equals, true,
+		check.Commentf("Implicit default gateway should be bridge IP %s, but default route was '%s'",
+			bridgeIP, strings.TrimSpace(out)))
+	deleteInterface(c, defaultNetworkBridge)
+}
+
+func (s *DockerDaemonSuite) TestDaemonDefaultGatewayIPv4Explicit(c *check.C) {
+	defaultNetworkBridge := "docker0"
+	deleteInterface(c, defaultNetworkBridge)
+
+	d := s.d
+
+	bridgeIP := "192.169.1.1"
+	bridgeIPNet := fmt.Sprintf("%s/24", bridgeIP)
+	gatewayIP := "192.169.1.254"
+
+	d.StartWithBusybox(c, "--bip", bridgeIPNet, "--default-gateway", gatewayIP)
+	defer d.Restart(c)
+
+	expectedMessage := fmt.Sprintf("default via %s dev", gatewayIP)
+	out, err := d.Cmd("run", "busybox", "ip", "-4", "route", "list", "0/0")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.Contains(out, expectedMessage), check.Equals, true,
+		check.Commentf("Explicit default gateway should be %s, but default route was '%s'",
+			gatewayIP, strings.TrimSpace(out)))
+	deleteInterface(c, defaultNetworkBridge)
+}
+
+func (s *DockerDaemonSuite) TestDaemonDefaultGatewayIPv4ExplicitOutsideContainerSubnet(c *check.C) {
+	defaultNetworkBridge := "docker0"
+	deleteInterface(c, defaultNetworkBridge)
+
+	// Program a custom default gateway outside of the container subnet, daemon should accept it and start
+	s.d.StartWithBusybox(c, "--bip", "172.16.0.10/16", "--fixed-cidr", "172.16.1.0/24", "--default-gateway", "172.16.0.254")
+
+	deleteInterface(c, defaultNetworkBridge)
+	s.d.Restart(c)
+}
+
+func (s *DockerDaemonSuite) TestDaemonDefaultNetworkInvalidClusterConfig(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+
+	// Start daemon without docker0 bridge
+	defaultNetworkBridge := "docker0"
+	deleteInterface(c, defaultNetworkBridge)
+
+	discoveryBackend := "consul://consuladdr:consulport/some/path"
+	s.d.Start(c, fmt.Sprintf("--cluster-store=%s", discoveryBackend))
+
+	// Start daemon with docker0 bridge
+	result := icmd.RunCommand("ifconfig", defaultNetworkBridge)
+	result.Assert(c, icmd.Success)
+
+	s.d.Restart(c, fmt.Sprintf("--cluster-store=%s", discoveryBackend))
+}
+
+func (s *DockerDaemonSuite) TestDaemonIP(c *check.C) {
+	d := s.d
+
+	ipStr := "192.170.1.1/24"
+	ip, _, _ := net.ParseCIDR(ipStr)
+	args := []string{"--ip", ip.String()}
+	d.StartWithBusybox(c, args...)
+	defer d.Restart(c)
+
+	out, err := d.Cmd("run", "-d", "-p", "8000:8000", "busybox", "top")
+	c.Assert(err, check.NotNil,
+		check.Commentf("Running a container must fail with an invalid --ip option"))
+	c.Assert(strings.Contains(out, "Error starting userland proxy"), check.Equals, true)
+
+	ifName := "dummy"
+	createInterface(c, "dummy", ifName, ipStr)
+	defer deleteInterface(c, ifName)
+
+	_, err = d.Cmd("run", "-d", "-p", "8000:8000", "busybox", "top")
+	c.Assert(err, check.IsNil)
+
+	result := icmd.RunCommand("iptables", "-t", "nat", "-nvL")
+	result.Assert(c, icmd.Success)
+	regex := fmt.Sprintf("DNAT.*%s.*dpt:8000", ip.String())
+	matched, _ := regexp.MatchString(regex, result.Combined())
+	c.Assert(matched, check.Equals, true,
+		check.Commentf("iptables output should have contained %q, but was %q", regex, result.Combined()))
+}
+
+func (s *DockerDaemonSuite) TestDaemonICCPing(c *check.C) {
+	testRequires(c, bridgeNfIptables)
+	d := s.d
+
+	bridgeName := "external-bridge"
+	bridgeIP := "192.169.1.1/24"
+
+	createInterface(c, "bridge", bridgeName, bridgeIP)
+	defer deleteInterface(c, bridgeName)
+
+	d.StartWithBusybox(c, "--bridge", bridgeName, "--icc=false")
+	defer d.Restart(c)
+
+	result := icmd.RunCommand("iptables", "-nvL", "FORWARD")
+	result.Assert(c, icmd.Success)
+	regex := fmt.Sprintf("DROP.*all.*%s.*%s", bridgeName, bridgeName)
+	matched, _ := regexp.MatchString(regex, result.Combined())
+	c.Assert(matched, check.Equals, true,
+		check.Commentf("iptables output should have contained %q, but was %q", regex, result.Combined()))
+
+	// Pinging another container must fail with --icc=false
+	pingContainers(c, d, true)
+
+	ipStr := "192.171.1.1/24"
+	ip, _, _ := net.ParseCIDR(ipStr)
+	ifName := "icc-dummy"
+
+	createInterface(c, "dummy", ifName, ipStr)
+
+	// But, Pinging external or a Host interface must succeed
+	pingCmd := fmt.Sprintf("ping -c 1 %s -W 1", ip.String())
+	runArgs := []string{"run", "--rm", "busybox", "sh", "-c", pingCmd}
+	_, err := d.Cmd(runArgs...)
+	c.Assert(err, check.IsNil)
+}
+
+func (s *DockerDaemonSuite) TestDaemonICCLinkExpose(c *check.C) {
+	d := s.d
+
+	bridgeName := "external-bridge"
+	bridgeIP := "192.169.1.1/24"
+
+	createInterface(c, "bridge", bridgeName, bridgeIP)
+	defer deleteInterface(c, bridgeName)
+
+	d.StartWithBusybox(c, "--bridge", bridgeName, "--icc=false")
+	defer d.Restart(c)
+
+	result := icmd.RunCommand("iptables", "-nvL", "FORWARD")
+	result.Assert(c, icmd.Success)
+	regex := fmt.Sprintf("DROP.*all.*%s.*%s", bridgeName, bridgeName)
+	matched, _ := regexp.MatchString(regex, result.Combined())
+	c.Assert(matched, check.Equals, true,
+		check.Commentf("iptables output should have contained %q, but was %q", regex, result.Combined()))
+
+	out, err := d.Cmd("run", "-d", "--expose", "4567", "--name", "icc1", "busybox", "nc", "-l", "-p", "4567")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("run", "--link", "icc1:icc1", "busybox", "nc", "icc1", "4567")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+}
+
+func (s *DockerDaemonSuite) TestDaemonLinksIpTablesRulesWhenLinkAndUnlink(c *check.C) {
+	bridgeName := "external-bridge"
+	bridgeIP := "192.169.1.1/24"
+
+	createInterface(c, "bridge", bridgeName, bridgeIP)
+	defer deleteInterface(c, bridgeName)
+
+	s.d.StartWithBusybox(c, "--bridge", bridgeName, "--icc=false")
+	defer s.d.Restart(c)
+
+	_, err := s.d.Cmd("run", "-d", "--name", "child", "--publish", "8080:80", "busybox", "top")
+	c.Assert(err, check.IsNil)
+	_, err = s.d.Cmd("run", "-d", "--name", "parent", "--link", "child:http", "busybox", "top")
+	c.Assert(err, check.IsNil)
+
+	childIP := s.d.FindContainerIP(c, "child")
+	parentIP := s.d.FindContainerIP(c, "parent")
+
+	sourceRule := []string{"-i", bridgeName, "-o", bridgeName, "-p", "tcp", "-s", childIP, "--sport", "80", "-d", parentIP, "-j", "ACCEPT"}
+	destinationRule := []string{"-i", bridgeName, "-o", bridgeName, "-p", "tcp", "-s", parentIP, "--dport", "80", "-d", childIP, "-j", "ACCEPT"}
+	if !iptables.Exists("filter", "DOCKER", sourceRule...) || !iptables.Exists("filter", "DOCKER", destinationRule...) {
+		c.Fatal("Iptables rules not found")
+	}
+
+	s.d.Cmd("rm", "--link", "parent/http")
+	if iptables.Exists("filter", "DOCKER", sourceRule...) || iptables.Exists("filter", "DOCKER", destinationRule...) {
+		c.Fatal("Iptables rules should be removed when unlink")
+	}
+
+	s.d.Cmd("kill", "child")
+	s.d.Cmd("kill", "parent")
+}
+
+func (s *DockerDaemonSuite) TestDaemonUlimitDefaults(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	s.d.StartWithBusybox(c, "--default-ulimit", "nofile=42:42", "--default-ulimit", "nproc=1024:1024")
+
+	out, err := s.d.Cmd("run", "--ulimit", "nproc=2048", "--name=test", "busybox", "/bin/sh", "-c", "echo $(ulimit -n); echo $(ulimit -p)")
+	if err != nil {
+		c.Fatal(out, err)
+	}
+
+	outArr := strings.Split(out, "\n")
+	if len(outArr) < 2 {
+		c.Fatalf("got unexpected output: %s", out)
+	}
+	nofile := strings.TrimSpace(outArr[0])
+	nproc := strings.TrimSpace(outArr[1])
+
+	if nofile != "42" {
+		c.Fatalf("expected `ulimit -n` to be `42`, got: %s", nofile)
+	}
+	if nproc != "2048" {
+		c.Fatalf("expected `ulimit -p` to be 2048, got: %s", nproc)
+	}
+
+	// Now restart daemon with a new default
+	s.d.Restart(c, "--default-ulimit", "nofile=43")
+
+	out, err = s.d.Cmd("start", "-a", "test")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	outArr = strings.Split(out, "\n")
+	if len(outArr) < 2 {
+		c.Fatalf("got unexpected output: %s", out)
+	}
+	nofile = strings.TrimSpace(outArr[0])
+	nproc = strings.TrimSpace(outArr[1])
+
+	if nofile != "43" {
+		c.Fatalf("expected `ulimit -n` to be `43`, got: %s", nofile)
+	}
+	if nproc != "2048" {
+		c.Fatalf("expected `ulimit -p` to be 2048, got: %s", nproc)
+	}
+}
+
+// #11315
+func (s *DockerDaemonSuite) TestDaemonRestartRenameContainer(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	if out, err := s.d.Cmd("run", "--name=test", "busybox"); err != nil {
+		c.Fatal(err, out)
+	}
+
+	if out, err := s.d.Cmd("rename", "test", "test2"); err != nil {
+		c.Fatal(err, out)
+	}
+
+	s.d.Restart(c)
+
+	if out, err := s.d.Cmd("start", "test2"); err != nil {
+		c.Fatal(err, out)
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonLoggingDriverDefault(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "--name=test", "busybox", "echo", "testline")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	id, err := s.d.GetIDByName("test")
+	c.Assert(err, check.IsNil)
+
+	logPath := filepath.Join(s.d.Root, "containers", id, id+"-json.log")
+
+	if _, err := os.Stat(logPath); err != nil {
+		c.Fatal(err)
+	}
+	f, err := os.Open(logPath)
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer f.Close()
+
+	var res struct {
+		Log    string    `json:"log"`
+		Stream string    `json:"stream"`
+		Time   time.Time `json:"time"`
+	}
+	if err := json.NewDecoder(f).Decode(&res); err != nil {
+		c.Fatal(err)
+	}
+	if res.Log != "testline\n" {
+		c.Fatalf("Unexpected log line: %q, expected: %q", res.Log, "testline\n")
+	}
+	if res.Stream != "stdout" {
+		c.Fatalf("Unexpected stream: %q, expected: %q", res.Stream, "stdout")
+	}
+	if !time.Now().After(res.Time) {
+		c.Fatalf("Log time %v in future", res.Time)
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonLoggingDriverDefaultOverride(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "--name=test", "--log-driver=none", "busybox", "echo", "testline")
+	if err != nil {
+		c.Fatal(out, err)
+	}
+	id, err := s.d.GetIDByName("test")
+	c.Assert(err, check.IsNil)
+
+	logPath := filepath.Join(s.d.Root, "containers", id, id+"-json.log")
+
+	if _, err := os.Stat(logPath); err == nil || !os.IsNotExist(err) {
+		c.Fatalf("%s shouldn't exits, error on Stat: %s", logPath, err)
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonLoggingDriverNone(c *check.C) {
+	s.d.StartWithBusybox(c, "--log-driver=none")
+
+	out, err := s.d.Cmd("run", "--name=test", "busybox", "echo", "testline")
+	if err != nil {
+		c.Fatal(out, err)
+	}
+	id, err := s.d.GetIDByName("test")
+	c.Assert(err, check.IsNil)
+
+	logPath := filepath.Join(s.d.Root, "containers", id, id+"-json.log")
+
+	if _, err := os.Stat(logPath); err == nil || !os.IsNotExist(err) {
+		c.Fatalf("%s shouldn't exits, error on Stat: %s", logPath, err)
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonLoggingDriverNoneOverride(c *check.C) {
+	s.d.StartWithBusybox(c, "--log-driver=none")
+
+	out, err := s.d.Cmd("run", "--name=test", "--log-driver=json-file", "busybox", "echo", "testline")
+	if err != nil {
+		c.Fatal(out, err)
+	}
+	id, err := s.d.GetIDByName("test")
+	c.Assert(err, check.IsNil)
+
+	logPath := filepath.Join(s.d.Root, "containers", id, id+"-json.log")
+
+	if _, err := os.Stat(logPath); err != nil {
+		c.Fatal(err)
+	}
+	f, err := os.Open(logPath)
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer f.Close()
+
+	var res struct {
+		Log    string    `json:"log"`
+		Stream string    `json:"stream"`
+		Time   time.Time `json:"time"`
+	}
+	if err := json.NewDecoder(f).Decode(&res); err != nil {
+		c.Fatal(err)
+	}
+	if res.Log != "testline\n" {
+		c.Fatalf("Unexpected log line: %q, expected: %q", res.Log, "testline\n")
+	}
+	if res.Stream != "stdout" {
+		c.Fatalf("Unexpected stream: %q, expected: %q", res.Stream, "stdout")
+	}
+	if !time.Now().After(res.Time) {
+		c.Fatalf("Log time %v in future", res.Time)
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonLoggingDriverNoneLogsError(c *check.C) {
+	s.d.StartWithBusybox(c, "--log-driver=none")
+
+	out, err := s.d.Cmd("run", "--name=test", "busybox", "echo", "testline")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("logs", "test")
+	c.Assert(err, check.NotNil, check.Commentf("Logs should fail with 'none' driver"))
+	expected := `configured logging driver does not support reading`
+	c.Assert(out, checker.Contains, expected)
+}
+
+func (s *DockerDaemonSuite) TestDaemonLoggingDriverShouldBeIgnoredForBuild(c *check.C) {
+	s.d.StartWithBusybox(c, "--log-driver=splunk")
+
+	result := cli.BuildCmd(c, "busyboxs", cli.Daemon(s.d),
+		build.WithDockerfile(`
+        FROM busybox
+        RUN echo foo`),
+		build.WithoutCache,
+	)
+	comment := check.Commentf("Failed to build image. output %s, exitCode %d, err %v", result.Combined(), result.ExitCode, result.Error)
+	c.Assert(result.Error, check.IsNil, comment)
+	c.Assert(result.ExitCode, check.Equals, 0, comment)
+	c.Assert(result.Combined(), checker.Contains, "foo", comment)
+}
+
+func (s *DockerDaemonSuite) TestDaemonUnixSockCleanedUp(c *check.C) {
+	dir, err := ioutil.TempDir("", "socket-cleanup-test")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	sockPath := filepath.Join(dir, "docker.sock")
+	s.d.Start(c, "--host", "unix://"+sockPath)
+
+	if _, err := os.Stat(sockPath); err != nil {
+		c.Fatal("socket does not exist")
+	}
+
+	s.d.Stop(c)
+
+	if _, err := os.Stat(sockPath); err == nil || !os.IsNotExist(err) {
+		c.Fatal("unix socket is not cleaned up")
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonWithWrongkey(c *check.C) {
+	type Config struct {
+		Crv string `json:"crv"`
+		D   string `json:"d"`
+		Kid string `json:"kid"`
+		Kty string `json:"kty"`
+		X   string `json:"x"`
+		Y   string `json:"y"`
+	}
+
+	os.Remove("/etc/docker/key.json")
+	s.d.Start(c)
+	s.d.Stop(c)
+
+	config := &Config{}
+	bytes, err := ioutil.ReadFile("/etc/docker/key.json")
+	if err != nil {
+		c.Fatalf("Error reading key.json file: %s", err)
+	}
+
+	// byte[] to Data-Struct
+	if err := json.Unmarshal(bytes, &config); err != nil {
+		c.Fatalf("Error Unmarshal: %s", err)
+	}
+
+	//replace config.Kid with the fake value
+	config.Kid = "VSAJ:FUYR:X3H2:B2VZ:KZ6U:CJD5:K7BX:ZXHY:UZXT:P4FT:MJWG:HRJ4"
+
+	// NEW Data-Struct to byte[]
+	newBytes, err := json.Marshal(&config)
+	if err != nil {
+		c.Fatalf("Error Marshal: %s", err)
+	}
+
+	// write back
+	if err := ioutil.WriteFile("/etc/docker/key.json", newBytes, 0400); err != nil {
+		c.Fatalf("Error ioutil.WriteFile: %s", err)
+	}
+
+	defer os.Remove("/etc/docker/key.json")
+
+	if err := s.d.StartWithError(); err == nil {
+		c.Fatalf("It should not be successful to start daemon with wrong key: %v", err)
+	}
+
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+
+	if !strings.Contains(string(content), "Public Key ID does not match") {
+		c.Fatalf("Missing KeyID message from daemon logs: %s", string(content))
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartKillWait(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "-id", "busybox", "/bin/cat")
+	if err != nil {
+		c.Fatalf("Could not run /bin/cat: err=%v\n%s", err, out)
+	}
+	containerID := strings.TrimSpace(out)
+
+	if out, err := s.d.Cmd("kill", containerID); err != nil {
+		c.Fatalf("Could not kill %s: err=%v\n%s", containerID, err, out)
+	}
+
+	s.d.Restart(c)
+
+	errchan := make(chan error)
+	go func() {
+		if out, err := s.d.Cmd("wait", containerID); err != nil {
+			errchan <- fmt.Errorf("%v:\n%s", err, out)
+		}
+		close(errchan)
+	}()
+
+	select {
+	case <-time.After(5 * time.Second):
+		c.Fatal("Waiting on a stopped (killed) container timed out")
+	case err := <-errchan:
+		if err != nil {
+			c.Fatal(err)
+		}
+	}
+}
+
+// TestHTTPSInfo connects via two-way authenticated HTTPS to the info endpoint
+func (s *DockerDaemonSuite) TestHTTPSInfo(c *check.C) {
+	const (
+		testDaemonHTTPSAddr = "tcp://localhost:4271"
+	)
+
+	s.d.Start(c,
+		"--tlsverify",
+		"--tlscacert", "fixtures/https/ca.pem",
+		"--tlscert", "fixtures/https/server-cert.pem",
+		"--tlskey", "fixtures/https/server-key.pem",
+		"-H", testDaemonHTTPSAddr)
+
+	args := []string{
+		"--host", testDaemonHTTPSAddr,
+		"--tlsverify",
+		"--tlscacert", "fixtures/https/ca.pem",
+		"--tlscert", "fixtures/https/client-cert.pem",
+		"--tlskey", "fixtures/https/client-key.pem",
+		"info",
+	}
+	out, err := s.d.Cmd(args...)
+	if err != nil {
+		c.Fatalf("Error Occurred: %s and output: %s", err, out)
+	}
+}
+
+// TestHTTPSRun connects via two-way authenticated HTTPS to the create, attach, start, and wait endpoints.
+// https://github.com/docker/docker/issues/19280
+func (s *DockerDaemonSuite) TestHTTPSRun(c *check.C) {
+	const (
+		testDaemonHTTPSAddr = "tcp://localhost:4271"
+	)
+
+	s.d.StartWithBusybox(c, "--tlsverify", "--tlscacert", "fixtures/https/ca.pem", "--tlscert", "fixtures/https/server-cert.pem",
+		"--tlskey", "fixtures/https/server-key.pem", "-H", testDaemonHTTPSAddr)
+
+	args := []string{
+		"--host", testDaemonHTTPSAddr,
+		"--tlsverify", "--tlscacert", "fixtures/https/ca.pem",
+		"--tlscert", "fixtures/https/client-cert.pem",
+		"--tlskey", "fixtures/https/client-key.pem",
+		"run", "busybox", "echo", "TLS response",
+	}
+	out, err := s.d.Cmd(args...)
+	if err != nil {
+		c.Fatalf("Error Occurred: %s and output: %s", err, out)
+	}
+
+	if !strings.Contains(out, "TLS response") {
+		c.Fatalf("expected output to include `TLS response`, got %v", out)
+	}
+}
+
+// TestTLSVerify verifies that --tlsverify=false turns on tls
+func (s *DockerDaemonSuite) TestTLSVerify(c *check.C) {
+	out, err := exec.Command(dockerdBinary, "--tlsverify=false").CombinedOutput()
+	if err == nil || !strings.Contains(string(out), "Could not load X509 key pair") {
+		c.Fatalf("Daemon should not have started due to missing certs: %v\n%s", err, string(out))
+	}
+}
+
+// TestHTTPSInfoRogueCert connects via two-way authenticated HTTPS to the info endpoint
+// by using a rogue client certificate and checks that it fails with the expected error.
+func (s *DockerDaemonSuite) TestHTTPSInfoRogueCert(c *check.C) {
+	const (
+		errBadCertificate   = "bad certificate"
+		testDaemonHTTPSAddr = "tcp://localhost:4271"
+	)
+
+	s.d.Start(c,
+		"--tlsverify",
+		"--tlscacert", "fixtures/https/ca.pem",
+		"--tlscert", "fixtures/https/server-cert.pem",
+		"--tlskey", "fixtures/https/server-key.pem",
+		"-H", testDaemonHTTPSAddr)
+
+	args := []string{
+		"--host", testDaemonHTTPSAddr,
+		"--tlsverify",
+		"--tlscacert", "fixtures/https/ca.pem",
+		"--tlscert", "fixtures/https/client-rogue-cert.pem",
+		"--tlskey", "fixtures/https/client-rogue-key.pem",
+		"info",
+	}
+	out, err := s.d.Cmd(args...)
+	if err == nil || !strings.Contains(out, errBadCertificate) {
+		c.Fatalf("Expected err: %s, got instead: %s and output: %s", errBadCertificate, err, out)
+	}
+}
+
+// TestHTTPSInfoRogueServerCert connects via two-way authenticated HTTPS to the info endpoint
+// which provides a rogue server certificate and checks that it fails with the expected error
+func (s *DockerDaemonSuite) TestHTTPSInfoRogueServerCert(c *check.C) {
+	const (
+		errCaUnknown             = "x509: certificate signed by unknown authority"
+		testDaemonRogueHTTPSAddr = "tcp://localhost:4272"
+	)
+	s.d.Start(c,
+		"--tlsverify",
+		"--tlscacert", "fixtures/https/ca.pem",
+		"--tlscert", "fixtures/https/server-rogue-cert.pem",
+		"--tlskey", "fixtures/https/server-rogue-key.pem",
+		"-H", testDaemonRogueHTTPSAddr)
+
+	args := []string{
+		"--host", testDaemonRogueHTTPSAddr,
+		"--tlsverify",
+		"--tlscacert", "fixtures/https/ca.pem",
+		"--tlscert", "fixtures/https/client-rogue-cert.pem",
+		"--tlskey", "fixtures/https/client-rogue-key.pem",
+		"info",
+	}
+	out, err := s.d.Cmd(args...)
+	if err == nil || !strings.Contains(out, errCaUnknown) {
+		c.Fatalf("Expected err: %s, got instead: %s and output: %s", errCaUnknown, err, out)
+	}
+}
+
+func pingContainers(c *check.C, d *daemon.Daemon, expectFailure bool) {
+	var dargs []string
+	if d != nil {
+		dargs = []string{"--host", d.Sock()}
+	}
+
+	args := append(dargs, "run", "-d", "--name", "container1", "busybox", "top")
+	dockerCmd(c, args...)
+
+	args = append(dargs, "run", "--rm", "--link", "container1:alias1", "busybox", "sh", "-c")
+	pingCmd := "ping -c 1 %s -W 1"
+	args = append(args, fmt.Sprintf(pingCmd, "alias1"))
+	_, _, err := dockerCmdWithError(args...)
+
+	if expectFailure {
+		c.Assert(err, check.NotNil)
+	} else {
+		c.Assert(err, check.IsNil)
+	}
+
+	args = append(dargs, "rm", "-f", "container1")
+	dockerCmd(c, args...)
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartWithSocketAsVolume(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	socket := filepath.Join(s.d.Folder, "docker.sock")
+
+	out, err := s.d.Cmd("run", "--restart=always", "-v", socket+":/sock", "busybox")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	s.d.Restart(c)
+}
+
+// os.Kill should kill daemon ungracefully, leaving behind container mounts.
+// A subsequent daemon restart should clean up said mounts.
+func (s *DockerDaemonSuite) TestCleanupMountsAfterDaemonAndContainerKill(c *check.C) {
+	d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	d.StartWithBusybox(c)
+
+	out, err := d.Cmd("run", "-d", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	id := strings.TrimSpace(out)
+
+	// If there are no mounts with container id visible from the host
+	// (as those are in container's own mount ns), there is nothing
+	// to check here and the test should be skipped.
+	mountOut, err := ioutil.ReadFile("/proc/self/mountinfo")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", mountOut))
+	if !strings.Contains(string(mountOut), id) {
+		d.Stop(c)
+		c.Skip("no container mounts visible in host ns")
+	}
+
+	// kill the daemon
+	c.Assert(d.Kill(), check.IsNil)
+
+	// kill the container
+	icmd.RunCommand(ctrBinary, "--address", "/var/run/docker/containerd/docker-containerd.sock",
+		"--namespace", moby_daemon.ContainersNamespace, "tasks", "kill", id).Assert(c, icmd.Success)
+
+	// restart daemon.
+	d.Restart(c)
+
+	// Now, container mounts should be gone.
+	mountOut, err = ioutil.ReadFile("/proc/self/mountinfo")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", mountOut))
+	comment := check.Commentf("%s is still mounted from older daemon start:\nDaemon root repository %s\n%s", id, d.Root, mountOut)
+	c.Assert(strings.Contains(string(mountOut), id), check.Equals, false, comment)
+
+	d.Stop(c)
+}
+
+// os.Interrupt should perform a graceful daemon shutdown and hence cleanup mounts.
+func (s *DockerDaemonSuite) TestCleanupMountsAfterGracefulShutdown(c *check.C) {
+	d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	d.StartWithBusybox(c)
+
+	out, err := d.Cmd("run", "-d", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	id := strings.TrimSpace(out)
+
+	// Send SIGINT and daemon should clean up
+	c.Assert(d.Signal(os.Interrupt), check.IsNil)
+	// Wait for the daemon to stop.
+	c.Assert(<-d.Wait, checker.IsNil)
+
+	mountOut, err := ioutil.ReadFile("/proc/self/mountinfo")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", mountOut))
+
+	comment := check.Commentf("%s is still mounted from older daemon start:\nDaemon root repository %s\n%s", id, d.Root, mountOut)
+	c.Assert(strings.Contains(string(mountOut), id), check.Equals, false, comment)
+}
+
+func (s *DockerDaemonSuite) TestRunContainerWithBridgeNone(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	s.d.StartWithBusybox(c, "-b", "none")
+
+	out, err := s.d.Cmd("run", "--rm", "busybox", "ip", "l")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(strings.Contains(out, "eth0"), check.Equals, false,
+		check.Commentf("There shouldn't be eth0 in container in default(bridge) mode when bridge network is disabled: %s", out))
+
+	out, err = s.d.Cmd("run", "--rm", "--net=bridge", "busybox", "ip", "l")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(strings.Contains(out, "eth0"), check.Equals, false,
+		check.Commentf("There shouldn't be eth0 in container in bridge mode when bridge network is disabled: %s", out))
+	// the extra grep and awk clean up the output of `ip` to only list the number and name of
+	// interfaces, allowing for different versions of ip (e.g. inside and outside the container) to
+	// be used while still verifying that the interface list is the exact same
+	cmd := exec.Command("sh", "-c", "ip l | grep -E '^[0-9]+:' | awk -F: ' { print $1\":\"$2 } '")
+	stdout := bytes.NewBuffer(nil)
+	cmd.Stdout = stdout
+	if err := cmd.Run(); err != nil {
+		c.Fatal("Failed to get host network interface")
+	}
+	out, err = s.d.Cmd("run", "--rm", "--net=host", "busybox", "sh", "-c", "ip l | grep -E '^[0-9]+:' | awk -F: ' { print $1\":\"$2 } '")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(out, check.Equals, fmt.Sprintf("%s", stdout),
+		check.Commentf("The network interfaces in container should be the same with host when --net=host when bridge network is disabled: %s", out))
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartWithContainerRunning(t *check.C) {
+	s.d.StartWithBusybox(t)
+	if out, err := s.d.Cmd("run", "-d", "--name", "test", "busybox", "top"); err != nil {
+		t.Fatal(out, err)
+	}
+
+	s.d.Restart(t)
+	// Container 'test' should be removed without error
+	if out, err := s.d.Cmd("rm", "test"); err != nil {
+		t.Fatal(out, err)
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartCleanupNetns(c *check.C) {
+	s.d.StartWithBusybox(c)
+	out, err := s.d.Cmd("run", "--name", "netns", "-d", "busybox", "top")
+	if err != nil {
+		c.Fatal(out, err)
+	}
+
+	// Get sandbox key via inspect
+	out, err = s.d.Cmd("inspect", "--format", "'{{.NetworkSettings.SandboxKey}}'", "netns")
+	if err != nil {
+		c.Fatalf("Error inspecting container: %s, %v", out, err)
+	}
+	fileName := strings.Trim(out, " \r\n'")
+
+	if out, err := s.d.Cmd("stop", "netns"); err != nil {
+		c.Fatal(out, err)
+	}
+
+	// Test if the file still exists
+	icmd.RunCommand("stat", "-c", "%n", fileName).Assert(c, icmd.Expected{
+		Out: fileName,
+	})
+
+	// Remove the container and restart the daemon
+	if out, err := s.d.Cmd("rm", "netns"); err != nil {
+		c.Fatal(out, err)
+	}
+
+	s.d.Restart(c)
+
+	// Test again and see now the netns file does not exist
+	icmd.RunCommand("stat", "-c", "%n", fileName).Assert(c, icmd.Expected{
+		Err:      "No such file or directory",
+		ExitCode: 1,
+	})
+}
+
+// tests regression detailed in #13964 where DOCKER_TLS_VERIFY env is ignored
+func (s *DockerDaemonSuite) TestDaemonTLSVerifyIssue13964(c *check.C) {
+	host := "tcp://localhost:4271"
+	s.d.Start(c, "-H", host)
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "-H", host, "info"},
+		Env:     []string{"DOCKER_TLS_VERIFY=1", "DOCKER_CERT_PATH=fixtures/https"},
+	}).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "error during connect",
+	})
+}
+
+func setupV6(c *check.C) {
+	// Hack to get the right IPv6 address on docker0, which has already been created
+	result := icmd.RunCommand("ip", "addr", "add", "fe80::1/64", "dev", "docker0")
+	result.Assert(c, icmd.Success)
+}
+
+func teardownV6(c *check.C) {
+	result := icmd.RunCommand("ip", "addr", "del", "fe80::1/64", "dev", "docker0")
+	result.Assert(c, icmd.Success)
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartWithContainerWithRestartPolicyAlways(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "-d", "--restart", "always", "busybox", "top")
+	c.Assert(err, check.IsNil)
+	id := strings.TrimSpace(out)
+
+	_, err = s.d.Cmd("stop", id)
+	c.Assert(err, check.IsNil)
+	_, err = s.d.Cmd("wait", id)
+	c.Assert(err, check.IsNil)
+
+	out, err = s.d.Cmd("ps", "-q")
+	c.Assert(err, check.IsNil)
+	c.Assert(out, check.Equals, "")
+
+	s.d.Restart(c)
+
+	out, err = s.d.Cmd("ps", "-q")
+	c.Assert(err, check.IsNil)
+	c.Assert(strings.TrimSpace(out), check.Equals, id[:12])
+}
+
+func (s *DockerDaemonSuite) TestDaemonWideLogConfig(c *check.C) {
+	s.d.StartWithBusybox(c, "--log-opt=max-size=1k")
+	name := "logtest"
+	out, err := s.d.Cmd("run", "-d", "--log-opt=max-file=5", "--name", name, "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s, err: %v", out, err))
+
+	out, err = s.d.Cmd("inspect", "-f", "{{ .HostConfig.LogConfig.Config }}", name)
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(out, checker.Contains, "max-size:1k")
+	c.Assert(out, checker.Contains, "max-file:5")
+
+	out, err = s.d.Cmd("inspect", "-f", "{{ .HostConfig.LogConfig.Type }}", name)
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "json-file")
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartWithPausedContainer(c *check.C) {
+	s.d.StartWithBusybox(c)
+	if out, err := s.d.Cmd("run", "-i", "-d", "--name", "test", "busybox", "top"); err != nil {
+		c.Fatal(err, out)
+	}
+	if out, err := s.d.Cmd("pause", "test"); err != nil {
+		c.Fatal(err, out)
+	}
+	s.d.Restart(c)
+
+	errchan := make(chan error)
+	go func() {
+		out, err := s.d.Cmd("start", "test")
+		if err != nil {
+			errchan <- fmt.Errorf("%v:\n%s", err, out)
+		}
+		name := strings.TrimSpace(out)
+		if name != "test" {
+			errchan <- fmt.Errorf("Paused container start error on docker daemon restart, expected 'test' but got '%s'", name)
+		}
+		close(errchan)
+	}()
+
+	select {
+	case <-time.After(5 * time.Second):
+		c.Fatal("Waiting on start a container timed out")
+	case err := <-errchan:
+		if err != nil {
+			c.Fatal(err)
+		}
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartRmVolumeInUse(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("create", "-v", "test:/foo", "busybox")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	s.d.Restart(c)
+
+	out, err = s.d.Cmd("volume", "rm", "test")
+	c.Assert(err, check.NotNil, check.Commentf("should not be able to remove in use volume after daemon restart"))
+	c.Assert(out, checker.Contains, "in use")
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartLocalVolumes(c *check.C) {
+	s.d.Start(c)
+
+	_, err := s.d.Cmd("volume", "create", "test")
+	c.Assert(err, check.IsNil)
+	s.d.Restart(c)
+
+	_, err = s.d.Cmd("volume", "inspect", "test")
+	c.Assert(err, check.IsNil)
+}
+
+// FIXME(vdemeester) should be a unit test
+func (s *DockerDaemonSuite) TestDaemonCorruptedLogDriverAddress(c *check.C) {
+	d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	c.Assert(d.StartWithError("--log-driver=syslog", "--log-opt", "syslog-address=corrupted:42"), check.NotNil)
+	expected := "syslog-address should be in form proto://address"
+	icmd.RunCommand("grep", expected, d.LogFileName()).Assert(c, icmd.Success)
+}
+
+// FIXME(vdemeester) should be a unit test
+func (s *DockerDaemonSuite) TestDaemonCorruptedFluentdAddress(c *check.C) {
+	d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	c.Assert(d.StartWithError("--log-driver=fluentd", "--log-opt", "fluentd-address=corrupted:c"), check.NotNil)
+	expected := "invalid fluentd-address corrupted:c: "
+	icmd.RunCommand("grep", expected, d.LogFileName()).Assert(c, icmd.Success)
+}
+
+// FIXME(vdemeester) Use a new daemon instance instead of the Suite one
+func (s *DockerDaemonSuite) TestDaemonStartWithoutHost(c *check.C) {
+	s.d.UseDefaultHost = true
+	defer func() {
+		s.d.UseDefaultHost = false
+	}()
+	s.d.Start(c)
+}
+
+// FIXME(vdemeester) Use a new daemon instance instead of the Suite one
+func (s *DockerDaemonSuite) TestDaemonStartWithDefaultTLSHost(c *check.C) {
+	s.d.UseDefaultTLSHost = true
+	defer func() {
+		s.d.UseDefaultTLSHost = false
+	}()
+	s.d.Start(c,
+		"--tlsverify",
+		"--tlscacert", "fixtures/https/ca.pem",
+		"--tlscert", "fixtures/https/server-cert.pem",
+		"--tlskey", "fixtures/https/server-key.pem")
+
+	// The client with --tlsverify should also use default host localhost:2376
+	tmpHost := os.Getenv("DOCKER_HOST")
+	defer func() {
+		os.Setenv("DOCKER_HOST", tmpHost)
+	}()
+
+	os.Setenv("DOCKER_HOST", "")
+
+	out, _ := dockerCmd(
+		c,
+		"--tlsverify",
+		"--tlscacert", "fixtures/https/ca.pem",
+		"--tlscert", "fixtures/https/client-cert.pem",
+		"--tlskey", "fixtures/https/client-key.pem",
+		"version",
+	)
+	if !strings.Contains(out, "Server") {
+		c.Fatalf("docker version should return information of server side")
+	}
+
+	// ensure when connecting to the server that only a single acceptable CA is requested
+	contents, err := ioutil.ReadFile("fixtures/https/ca.pem")
+	c.Assert(err, checker.IsNil)
+	rootCert, err := helpers.ParseCertificatePEM(contents)
+	c.Assert(err, checker.IsNil)
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(rootCert)
+
+	var certRequestInfo *tls.CertificateRequestInfo
+	conn, err := tls.Dial("tcp", fmt.Sprintf("%s:%d", opts.DefaultHTTPHost, opts.DefaultTLSHTTPPort), &tls.Config{
+		RootCAs: rootPool,
+		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			certRequestInfo = cri
+			cert, err := tls.LoadX509KeyPair("fixtures/https/client-cert.pem", "fixtures/https/client-key.pem")
+			if err != nil {
+				return nil, err
+			}
+			return &cert, nil
+		},
+	})
+	c.Assert(err, checker.IsNil)
+	conn.Close()
+
+	c.Assert(certRequestInfo, checker.NotNil)
+	c.Assert(certRequestInfo.AcceptableCAs, checker.HasLen, 1)
+	c.Assert(certRequestInfo.AcceptableCAs[0], checker.DeepEquals, rootCert.RawSubject)
+}
+
+func (s *DockerDaemonSuite) TestBridgeIPIsExcludedFromAllocatorPool(c *check.C) {
+	defaultNetworkBridge := "docker0"
+	deleteInterface(c, defaultNetworkBridge)
+
+	bridgeIP := "192.169.1.1"
+	bridgeRange := bridgeIP + "/30"
+
+	s.d.StartWithBusybox(c, "--bip", bridgeRange)
+	defer s.d.Restart(c)
+
+	var cont int
+	for {
+		contName := fmt.Sprintf("container%d", cont)
+		_, err := s.d.Cmd("run", "--name", contName, "-d", "busybox", "/bin/sleep", "2")
+		if err != nil {
+			// pool exhausted
+			break
+		}
+		ip, err := s.d.Cmd("inspect", "--format", "'{{.NetworkSettings.IPAddress}}'", contName)
+		c.Assert(err, check.IsNil)
+
+		c.Assert(ip, check.Not(check.Equals), bridgeIP)
+		cont++
+	}
+}
+
+// Test daemon for no space left on device error
+func (s *DockerDaemonSuite) TestDaemonNoSpaceLeftOnDeviceError(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux, Network)
+
+	testDir, err := ioutil.TempDir("", "no-space-left-on-device-test")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(testDir)
+	c.Assert(mount.MakeRShared(testDir), checker.IsNil)
+	defer mount.Unmount(testDir)
+
+	// create a 3MiB image (with a 2MiB ext4 fs) and mount it as graph root
+	// Why in a container? Because `mount` sometimes behaves weirdly and often fails outright on this test in debian:jessie (which is what the test suite runs under if run from the Makefile)
+	dockerCmd(c, "run", "--rm", "-v", testDir+":/test", "busybox", "sh", "-c", "dd of=/test/testfs.img bs=1M seek=3 count=0")
+	icmd.RunCommand("mkfs.ext4", "-F", filepath.Join(testDir, "testfs.img")).Assert(c, icmd.Success)
+
+	dockerCmd(c, "run", "--privileged", "--rm", "-v", testDir+":/test:shared", "busybox", "sh", "-c", "mkdir -p /test/test-mount/vfs && mount -n /test/testfs.img /test/test-mount/vfs")
+	defer mount.Unmount(filepath.Join(testDir, "test-mount"))
+
+	s.d.Start(c, "--storage-driver", "vfs", "--data-root", filepath.Join(testDir, "test-mount"))
+	defer s.d.Stop(c)
+
+	// pull a repository large enough to overfill the mounted filesystem
+	pullOut, err := s.d.Cmd("pull", "debian:stretch")
+	c.Assert(err, checker.NotNil, check.Commentf(pullOut))
+	c.Assert(pullOut, checker.Contains, "no space left on device")
+}
+
+// Test daemon restart with container links + auto restart
+func (s *DockerDaemonSuite) TestDaemonRestartContainerLinksRestart(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	var parent1Args []string
+	var parent2Args []string
+	wg := sync.WaitGroup{}
+	maxChildren := 10
+	chErr := make(chan error, maxChildren)
+
+	for i := 0; i < maxChildren; i++ {
+		wg.Add(1)
+		name := fmt.Sprintf("test%d", i)
+
+		if i < maxChildren/2 {
+			parent1Args = append(parent1Args, []string{"--link", name}...)
+		} else {
+			parent2Args = append(parent2Args, []string{"--link", name}...)
+		}
+
+		go func() {
+			_, err := s.d.Cmd("run", "-d", "--name", name, "--restart=always", "busybox", "top")
+			chErr <- err
+			wg.Done()
+		}()
+	}
+
+	wg.Wait()
+	close(chErr)
+	for err := range chErr {
+		c.Assert(err, check.IsNil)
+	}
+
+	parent1Args = append([]string{"run", "-d"}, parent1Args...)
+	parent1Args = append(parent1Args, []string{"--name=parent1", "--restart=always", "busybox", "top"}...)
+	parent2Args = append([]string{"run", "-d"}, parent2Args...)
+	parent2Args = append(parent2Args, []string{"--name=parent2", "--restart=always", "busybox", "top"}...)
+
+	_, err := s.d.Cmd(parent1Args...)
+	c.Assert(err, check.IsNil)
+	_, err = s.d.Cmd(parent2Args...)
+	c.Assert(err, check.IsNil)
+
+	s.d.Stop(c)
+	// clear the log file -- we don't need any of it but may for the next part
+	// can ignore the error here, this is just a cleanup
+	os.Truncate(s.d.LogFileName(), 0)
+	s.d.Start(c)
+
+	for _, num := range []string{"1", "2"} {
+		out, err := s.d.Cmd("inspect", "-f", "{{ .State.Running }}", "parent"+num)
+		c.Assert(err, check.IsNil)
+		if strings.TrimSpace(out) != "true" {
+			log, _ := ioutil.ReadFile(s.d.LogFileName())
+			c.Fatalf("parent container is not running\n%s", string(log))
+		}
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonCgroupParent(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	cgroupParent := "test"
+	name := "cgroup-test"
+
+	s.d.StartWithBusybox(c, "--cgroup-parent", cgroupParent)
+	defer s.d.Restart(c)
+
+	out, err := s.d.Cmd("run", "--name", name, "busybox", "cat", "/proc/self/cgroup")
+	c.Assert(err, checker.IsNil)
+	cgroupPaths := ParseCgroupPaths(string(out))
+	c.Assert(len(cgroupPaths), checker.Not(checker.Equals), 0, check.Commentf("unexpected output - %q", string(out)))
+	out, err = s.d.Cmd("inspect", "-f", "{{.Id}}", name)
+	c.Assert(err, checker.IsNil)
+	id := strings.TrimSpace(string(out))
+	expectedCgroup := path.Join(cgroupParent, id)
+	found := false
+	for _, path := range cgroupPaths {
+		if strings.HasSuffix(path, expectedCgroup) {
+			found = true
+			break
+		}
+	}
+	c.Assert(found, checker.True, check.Commentf("Cgroup path for container (%s) doesn't found in cgroups file: %s", expectedCgroup, cgroupPaths))
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartWithLinks(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support links
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "-d", "--name=test", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("run", "--name=test2", "--link", "test:abc", "busybox", "sh", "-c", "ping -c 1 -w 1 abc")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	s.d.Restart(c)
+
+	// should fail since test is not running yet
+	out, err = s.d.Cmd("start", "test2")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("start", "test")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	out, err = s.d.Cmd("start", "-a", "test2")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	c.Assert(strings.Contains(out, "1 packets transmitted, 1 packets received"), check.Equals, true, check.Commentf(out))
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartWithNames(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support links
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("create", "--name=test", "busybox")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("run", "-d", "--name=test2", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	test2ID := strings.TrimSpace(out)
+
+	out, err = s.d.Cmd("run", "-d", "--name=test3", "--link", "test2:abc", "busybox", "top")
+	test3ID := strings.TrimSpace(out)
+
+	s.d.Restart(c)
+
+	out, err = s.d.Cmd("create", "--name=test", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf("expected error trying to create container with duplicate name"))
+	// this one is no longer needed, removing simplifies the remainder of the test
+	out, err = s.d.Cmd("rm", "-f", "test")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("ps", "-a", "--no-trunc")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	lines := strings.Split(strings.TrimSpace(out), "\n")[1:]
+
+	test2validated := false
+	test3validated := false
+	for _, line := range lines {
+		fields := strings.Fields(line)
+		names := fields[len(fields)-1]
+		switch fields[0] {
+		case test2ID:
+			c.Assert(names, check.Equals, "test2,test3/abc")
+			test2validated = true
+		case test3ID:
+			c.Assert(names, check.Equals, "test3")
+			test3validated = true
+		}
+	}
+
+	c.Assert(test2validated, check.Equals, true)
+	c.Assert(test3validated, check.Equals, true)
+}
+
+// TestDaemonRestartWithKilledRunningContainer requires live restore of running containers
+func (s *DockerDaemonSuite) TestDaemonRestartWithKilledRunningContainer(t *check.C) {
+	testRequires(t, DaemonIsLinux)
+	s.d.StartWithBusybox(t)
+
+	cid, err := s.d.Cmd("run", "-d", "--name", "test", "busybox", "top")
+	defer s.d.Stop(t)
+	if err != nil {
+		t.Fatal(cid, err)
+	}
+	cid = strings.TrimSpace(cid)
+
+	pid, err := s.d.Cmd("inspect", "-f", "{{.State.Pid}}", cid)
+	t.Assert(err, check.IsNil)
+	pid = strings.TrimSpace(pid)
+
+	// Kill the daemon
+	if err := s.d.Kill(); err != nil {
+		t.Fatal(err)
+	}
+
+	// kill the container
+	icmd.RunCommand(ctrBinary, "--address", "/var/run/docker/containerd/docker-containerd.sock",
+		"--namespace", moby_daemon.ContainersNamespace, "tasks", "kill", cid).Assert(t, icmd.Success)
+
+	// Give time to containerd to process the command if we don't
+	// the exit event might be received after we do the inspect
+	result := icmd.RunCommand("kill", "-0", pid)
+	for result.ExitCode == 0 {
+		time.Sleep(1 * time.Second)
+		// FIXME(vdemeester) should we check it doesn't error out ?
+		result = icmd.RunCommand("kill", "-0", pid)
+	}
+
+	// restart the daemon
+	s.d.Start(t)
+
+	// Check that we've got the correct exit code
+	out, err := s.d.Cmd("inspect", "-f", "{{.State.ExitCode}}", cid)
+	t.Assert(err, check.IsNil)
+
+	out = strings.TrimSpace(out)
+	if out != "143" {
+		t.Fatalf("Expected exit code '%s' got '%s' for container '%s'\n", "143", out, cid)
+	}
+
+}
+
+// os.Kill should kill daemon ungracefully, leaving behind live containers.
+// The live containers should be known to the restarted daemon. Stopping
+// them now, should remove the mounts.
+func (s *DockerDaemonSuite) TestCleanupMountsAfterDaemonCrash(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	s.d.StartWithBusybox(c, "--live-restore")
+
+	out, err := s.d.Cmd("run", "-d", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	id := strings.TrimSpace(out)
+
+	// kill the daemon
+	c.Assert(s.d.Kill(), check.IsNil)
+
+	// Check if there are mounts with container id visible from the host.
+	// If not, those mounts exist in container's own mount ns, and so
+	// the following check for mounts being cleared is pointless.
+	skipMountCheck := false
+	mountOut, err := ioutil.ReadFile("/proc/self/mountinfo")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", mountOut))
+	if !strings.Contains(string(mountOut), id) {
+		skipMountCheck = true
+	}
+
+	// restart daemon.
+	s.d.Start(c, "--live-restore")
+
+	// container should be running.
+	out, err = s.d.Cmd("inspect", "--format={{.State.Running}}", id)
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	out = strings.TrimSpace(out)
+	if out != "true" {
+		c.Fatalf("Container %s expected to stay alive after daemon restart", id)
+	}
+
+	// 'docker stop' should work.
+	out, err = s.d.Cmd("stop", id)
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+
+	if skipMountCheck {
+		return
+	}
+	// Now, container mounts should be gone.
+	mountOut, err = ioutil.ReadFile("/proc/self/mountinfo")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", mountOut))
+	comment := check.Commentf("%s is still mounted from older daemon start:\nDaemon root repository %s\n%s", id, s.d.Root, mountOut)
+	c.Assert(strings.Contains(string(mountOut), id), check.Equals, false, comment)
+}
+
+// TestDaemonRestartWithUnpausedRunningContainer requires live restore of running containers.
+func (s *DockerDaemonSuite) TestDaemonRestartWithUnpausedRunningContainer(t *check.C) {
+	testRequires(t, DaemonIsLinux)
+	s.d.StartWithBusybox(t, "--live-restore")
+
+	cid, err := s.d.Cmd("run", "-d", "--name", "test", "busybox", "top")
+	defer s.d.Stop(t)
+	if err != nil {
+		t.Fatal(cid, err)
+	}
+	cid = strings.TrimSpace(cid)
+
+	pid, err := s.d.Cmd("inspect", "-f", "{{.State.Pid}}", cid)
+	t.Assert(err, check.IsNil)
+
+	// pause the container
+	if _, err := s.d.Cmd("pause", cid); err != nil {
+		t.Fatal(cid, err)
+	}
+
+	// Kill the daemon
+	if err := s.d.Kill(); err != nil {
+		t.Fatal(err)
+	}
+
+	// resume the container
+	result := icmd.RunCommand(
+		ctrBinary,
+		"--address", "/var/run/docker/containerd/docker-containerd.sock",
+		"--namespace", moby_daemon.ContainersNamespace,
+		"tasks", "resume", cid)
+	result.Assert(t, icmd.Success)
+
+	// Give time to containerd to process the command if we don't
+	// the resume event might be received after we do the inspect
+	waitAndAssert(t, defaultReconciliationTimeout, func(*check.C) (interface{}, check.CommentInterface) {
+		result := icmd.RunCommand("kill", "-0", strings.TrimSpace(pid))
+		return result.ExitCode, nil
+	}, checker.Equals, 0)
+
+	// restart the daemon
+	s.d.Start(t, "--live-restore")
+
+	// Check that we've got the correct status
+	out, err := s.d.Cmd("inspect", "-f", "{{.State.Status}}", cid)
+	t.Assert(err, check.IsNil)
+
+	out = strings.TrimSpace(out)
+	if out != "running" {
+		t.Fatalf("Expected exit code '%s' got '%s' for container '%s'\n", "running", out, cid)
+	}
+	if _, err := s.d.Cmd("kill", cid); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// TestRunLinksChanged checks that creating a new container with the same name does not update links
+// this ensures that the old, pre gh#16032 functionality continues on
+func (s *DockerDaemonSuite) TestRunLinksChanged(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support links
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "-d", "--name=test", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("run", "--name=test2", "--link=test:abc", "busybox", "sh", "-c", "ping -c 1 abc")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "1 packets transmitted, 1 packets received")
+
+	out, err = s.d.Cmd("rm", "-f", "test")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("run", "-d", "--name=test", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	out, err = s.d.Cmd("start", "-a", "test2")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, check.Not(checker.Contains), "1 packets transmitted, 1 packets received")
+
+	s.d.Restart(c)
+	out, err = s.d.Cmd("start", "-a", "test2")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, check.Not(checker.Contains), "1 packets transmitted, 1 packets received")
+}
+
+func (s *DockerDaemonSuite) TestDaemonStartWithoutColors(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	infoLog := "\x1b[36mINFO\x1b"
+
+	b := bytes.NewBuffer(nil)
+	done := make(chan bool)
+
+	p, tty, err := pty.Open()
+	c.Assert(err, checker.IsNil)
+	defer func() {
+		tty.Close()
+		p.Close()
+	}()
+
+	go func() {
+		io.Copy(b, p)
+		done <- true
+	}()
+
+	// Enable coloring explicitly
+	s.d.StartWithLogFile(tty, "--raw-logs=false")
+	s.d.Stop(c)
+	// Wait for io.Copy() before checking output
+	<-done
+	c.Assert(b.String(), checker.Contains, infoLog)
+
+	b.Reset()
+
+	// "tty" is already closed in prev s.d.Stop(),
+	// we have to close the other side "p" and open another pair of
+	// pty for the next test.
+	p.Close()
+	p, tty, err = pty.Open()
+	c.Assert(err, checker.IsNil)
+
+	go func() {
+		io.Copy(b, p)
+		done <- true
+	}()
+
+	// Disable coloring explicitly
+	s.d.StartWithLogFile(tty, "--raw-logs=true")
+	s.d.Stop(c)
+	// Wait for io.Copy() before checking output
+	<-done
+	c.Assert(b.String(), check.Not(check.Equals), "")
+	c.Assert(b.String(), check.Not(checker.Contains), infoLog)
+}
+
+func (s *DockerDaemonSuite) TestDaemonDebugLog(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	debugLog := "\x1b[37mDEBU\x1b"
+
+	p, tty, err := pty.Open()
+	c.Assert(err, checker.IsNil)
+	defer func() {
+		tty.Close()
+		p.Close()
+	}()
+
+	b := bytes.NewBuffer(nil)
+	go io.Copy(b, p)
+
+	s.d.StartWithLogFile(tty, "--debug")
+	s.d.Stop(c)
+	c.Assert(b.String(), checker.Contains, debugLog)
+}
+
+func (s *DockerDaemonSuite) TestDaemonDiscoveryBackendConfigReload(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	// daemon config file
+	daemonConfig := `{ "debug" : false }`
+	configFile, err := ioutil.TempFile("", "test-daemon-discovery-backend-config-reload-config")
+	c.Assert(err, checker.IsNil, check.Commentf("could not create temp file for config reload"))
+	configFilePath := configFile.Name()
+	defer func() {
+		configFile.Close()
+		os.RemoveAll(configFile.Name())
+	}()
+
+	_, err = configFile.Write([]byte(daemonConfig))
+	c.Assert(err, checker.IsNil)
+
+	// --log-level needs to be set so that d.Start() doesn't add --debug causing
+	// a conflict with the config
+	s.d.Start(c, "--config-file", configFilePath, "--log-level=info")
+
+	// daemon config file
+	daemonConfig = `{
+	      "cluster-store": "consul://consuladdr:consulport/some/path",
+	      "cluster-advertise": "192.168.56.100:0",
+	      "debug" : false
+	}`
+
+	err = configFile.Truncate(0)
+	c.Assert(err, checker.IsNil)
+	_, err = configFile.Seek(0, os.SEEK_SET)
+	c.Assert(err, checker.IsNil)
+
+	_, err = configFile.Write([]byte(daemonConfig))
+	c.Assert(err, checker.IsNil)
+
+	err = s.d.ReloadConfig()
+	c.Assert(err, checker.IsNil, check.Commentf("error reloading daemon config"))
+
+	out, err := s.d.Cmd("info")
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(out, checker.Contains, fmt.Sprintf("Cluster Store: consul://consuladdr:consulport/some/path"))
+	c.Assert(out, checker.Contains, fmt.Sprintf("Cluster Advertise: 192.168.56.100:0"))
+}
+
+// Test for #21956
+func (s *DockerDaemonSuite) TestDaemonLogOptions(c *check.C) {
+	s.d.StartWithBusybox(c, "--log-driver=syslog", "--log-opt=syslog-address=udp://127.0.0.1:514")
+
+	out, err := s.d.Cmd("run", "-d", "--log-driver=json-file", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	id := strings.TrimSpace(out)
+
+	out, err = s.d.Cmd("inspect", "--format='{{.HostConfig.LogConfig}}'", id)
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "{json-file map[]}")
+}
+
+// Test case for #20936, #22443
+func (s *DockerDaemonSuite) TestDaemonMaxConcurrency(c *check.C) {
+	s.d.Start(c, "--max-concurrent-uploads=6", "--max-concurrent-downloads=8")
+
+	expectedMaxConcurrentUploads := `level=debug msg="Max Concurrent Uploads: 6"`
+	expectedMaxConcurrentDownloads := `level=debug msg="Max Concurrent Downloads: 8"`
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentUploads)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentDownloads)
+}
+
+// Test case for #20936, #22443
+func (s *DockerDaemonSuite) TestDaemonMaxConcurrencyWithConfigFile(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	// daemon config file
+	configFilePath := "test.json"
+	configFile, err := os.Create(configFilePath)
+	c.Assert(err, checker.IsNil)
+	defer os.Remove(configFilePath)
+
+	daemonConfig := `{ "max-concurrent-downloads" : 8 }`
+	fmt.Fprintf(configFile, "%s", daemonConfig)
+	configFile.Close()
+	s.d.Start(c, fmt.Sprintf("--config-file=%s", configFilePath))
+
+	expectedMaxConcurrentUploads := `level=debug msg="Max Concurrent Uploads: 5"`
+	expectedMaxConcurrentDownloads := `level=debug msg="Max Concurrent Downloads: 8"`
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentUploads)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentDownloads)
+
+	configFile, err = os.Create(configFilePath)
+	c.Assert(err, checker.IsNil)
+	daemonConfig = `{ "max-concurrent-uploads" : 7, "max-concurrent-downloads" : 9 }`
+	fmt.Fprintf(configFile, "%s", daemonConfig)
+	configFile.Close()
+
+	c.Assert(s.d.Signal(unix.SIGHUP), checker.IsNil)
+	// unix.Kill(s.d.cmd.Process.Pid, unix.SIGHUP)
+
+	time.Sleep(3 * time.Second)
+
+	expectedMaxConcurrentUploads = `level=debug msg="Reset Max Concurrent Uploads: 7"`
+	expectedMaxConcurrentDownloads = `level=debug msg="Reset Max Concurrent Downloads: 9"`
+	content, err = s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentUploads)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentDownloads)
+}
+
+// Test case for #20936, #22443
+func (s *DockerDaemonSuite) TestDaemonMaxConcurrencyWithConfigFileReload(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	// daemon config file
+	configFilePath := "test.json"
+	configFile, err := os.Create(configFilePath)
+	c.Assert(err, checker.IsNil)
+	defer os.Remove(configFilePath)
+
+	daemonConfig := `{ "max-concurrent-uploads" : null }`
+	fmt.Fprintf(configFile, "%s", daemonConfig)
+	configFile.Close()
+	s.d.Start(c, fmt.Sprintf("--config-file=%s", configFilePath))
+
+	expectedMaxConcurrentUploads := `level=debug msg="Max Concurrent Uploads: 5"`
+	expectedMaxConcurrentDownloads := `level=debug msg="Max Concurrent Downloads: 3"`
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentUploads)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentDownloads)
+
+	configFile, err = os.Create(configFilePath)
+	c.Assert(err, checker.IsNil)
+	daemonConfig = `{ "max-concurrent-uploads" : 1, "max-concurrent-downloads" : null }`
+	fmt.Fprintf(configFile, "%s", daemonConfig)
+	configFile.Close()
+
+	c.Assert(s.d.Signal(unix.SIGHUP), checker.IsNil)
+	// unix.Kill(s.d.cmd.Process.Pid, unix.SIGHUP)
+
+	time.Sleep(3 * time.Second)
+
+	expectedMaxConcurrentUploads = `level=debug msg="Reset Max Concurrent Uploads: 1"`
+	expectedMaxConcurrentDownloads = `level=debug msg="Reset Max Concurrent Downloads: 3"`
+	content, err = s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentUploads)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentDownloads)
+
+	configFile, err = os.Create(configFilePath)
+	c.Assert(err, checker.IsNil)
+	daemonConfig = `{ "labels":["foo=bar"] }`
+	fmt.Fprintf(configFile, "%s", daemonConfig)
+	configFile.Close()
+
+	c.Assert(s.d.Signal(unix.SIGHUP), checker.IsNil)
+
+	time.Sleep(3 * time.Second)
+
+	expectedMaxConcurrentUploads = `level=debug msg="Reset Max Concurrent Uploads: 5"`
+	expectedMaxConcurrentDownloads = `level=debug msg="Reset Max Concurrent Downloads: 3"`
+	content, err = s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentUploads)
+	c.Assert(string(content), checker.Contains, expectedMaxConcurrentDownloads)
+}
+
+func (s *DockerDaemonSuite) TestBuildOnDisabledBridgeNetworkDaemon(c *check.C) {
+	s.d.StartWithBusybox(c, "-b=none", "--iptables=false")
+
+	result := cli.BuildCmd(c, "busyboxs", cli.Daemon(s.d),
+		build.WithDockerfile(`
+        FROM busybox
+        RUN cat /etc/hosts`),
+		build.WithoutCache,
+	)
+	comment := check.Commentf("Failed to build image. output %s, exitCode %d, err %v", result.Combined(), result.ExitCode, result.Error)
+	c.Assert(result.Error, check.IsNil, comment)
+	c.Assert(result.ExitCode, check.Equals, 0, comment)
+}
+
+// Test case for #21976
+func (s *DockerDaemonSuite) TestDaemonDNSFlagsInHostMode(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	s.d.StartWithBusybox(c, "--dns", "1.2.3.4", "--dns-search", "example.com", "--dns-opt", "timeout:3")
+
+	expectedOutput := "nameserver 1.2.3.4"
+	out, _ := s.d.Cmd("run", "--net=host", "busybox", "cat", "/etc/resolv.conf")
+	c.Assert(out, checker.Contains, expectedOutput, check.Commentf("Expected '%s', but got %q", expectedOutput, out))
+	expectedOutput = "search example.com"
+	c.Assert(out, checker.Contains, expectedOutput, check.Commentf("Expected '%s', but got %q", expectedOutput, out))
+	expectedOutput = "options timeout:3"
+	c.Assert(out, checker.Contains, expectedOutput, check.Commentf("Expected '%s', but got %q", expectedOutput, out))
+}
+
+func (s *DockerDaemonSuite) TestRunWithRuntimeFromConfigFile(c *check.C) {
+	conf, err := ioutil.TempFile("", "config-file-")
+	c.Assert(err, check.IsNil)
+	configName := conf.Name()
+	conf.Close()
+	defer os.Remove(configName)
+
+	config := `
+{
+    "runtimes": {
+        "oci": {
+            "path": "docker-runc"
+        },
+        "vm": {
+            "path": "/usr/local/bin/vm-manager",
+            "runtimeArgs": [
+                "--debug"
+            ]
+        }
+    }
+}
+`
+	ioutil.WriteFile(configName, []byte(config), 0644)
+	s.d.StartWithBusybox(c, "--config-file", configName)
+
+	// Run with default runtime
+	out, err := s.d.Cmd("run", "--rm", "busybox", "ls")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// Run with default runtime explicitly
+	out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// Run with oci (same path as default) but keep it around
+	out, err = s.d.Cmd("run", "--name", "oci-runtime-ls", "--runtime=oci", "busybox", "ls")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// Run with "vm"
+	out, err = s.d.Cmd("run", "--rm", "--runtime=vm", "busybox", "ls")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "/usr/local/bin/vm-manager: no such file or directory")
+
+	// Reset config to only have the default
+	config = `
+{
+    "runtimes": {
+    }
+}
+`
+	ioutil.WriteFile(configName, []byte(config), 0644)
+	c.Assert(s.d.Signal(unix.SIGHUP), checker.IsNil)
+	// Give daemon time to reload config
+	<-time.After(1 * time.Second)
+
+	// Run with default runtime
+	out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// Run with "oci"
+	out, err = s.d.Cmd("run", "--rm", "--runtime=oci", "busybox", "ls")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "Unknown runtime specified oci")
+
+	// Start previously created container with oci
+	out, err = s.d.Cmd("start", "oci-runtime-ls")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "Unknown runtime specified oci")
+
+	// Check that we can't override the default runtime
+	config = `
+{
+    "runtimes": {
+        "runc": {
+            "path": "my-runc"
+        }
+    }
+}
+`
+	ioutil.WriteFile(configName, []byte(config), 0644)
+	c.Assert(s.d.Signal(unix.SIGHUP), checker.IsNil)
+	// Give daemon time to reload config
+	<-time.After(1 * time.Second)
+
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, `file configuration validation failed (runtime name 'runc' is reserved)`)
+
+	// Check that we can select a default runtime
+	config = `
+{
+    "default-runtime": "vm",
+    "runtimes": {
+        "oci": {
+            "path": "docker-runc"
+        },
+        "vm": {
+            "path": "/usr/local/bin/vm-manager",
+            "runtimeArgs": [
+                "--debug"
+            ]
+        }
+    }
+}
+`
+	ioutil.WriteFile(configName, []byte(config), 0644)
+	c.Assert(s.d.Signal(unix.SIGHUP), checker.IsNil)
+	// Give daemon time to reload config
+	<-time.After(1 * time.Second)
+
+	out, err = s.d.Cmd("run", "--rm", "busybox", "ls")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "/usr/local/bin/vm-manager: no such file or directory")
+
+	// Run with default runtime explicitly
+	out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+}
+
+func (s *DockerDaemonSuite) TestRunWithRuntimeFromCommandLine(c *check.C) {
+	s.d.StartWithBusybox(c, "--add-runtime", "oci=docker-runc", "--add-runtime", "vm=/usr/local/bin/vm-manager")
+
+	// Run with default runtime
+	out, err := s.d.Cmd("run", "--rm", "busybox", "ls")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// Run with default runtime explicitly
+	out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// Run with oci (same path as default) but keep it around
+	out, err = s.d.Cmd("run", "--name", "oci-runtime-ls", "--runtime=oci", "busybox", "ls")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// Run with "vm"
+	out, err = s.d.Cmd("run", "--rm", "--runtime=vm", "busybox", "ls")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "/usr/local/bin/vm-manager: no such file or directory")
+
+	// Start a daemon without any extra runtimes
+	s.d.Stop(c)
+	s.d.StartWithBusybox(c)
+
+	// Run with default runtime
+	out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	// Run with "oci"
+	out, err = s.d.Cmd("run", "--rm", "--runtime=oci", "busybox", "ls")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "Unknown runtime specified oci")
+
+	// Start previously created container with oci
+	out, err = s.d.Cmd("start", "oci-runtime-ls")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "Unknown runtime specified oci")
+
+	// Check that we can't override the default runtime
+	s.d.Stop(c)
+	c.Assert(s.d.StartWithError("--add-runtime", "runc=my-runc"), checker.NotNil)
+
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, `runtime name 'runc' is reserved`)
+
+	// Check that we can select a default runtime
+	s.d.Stop(c)
+	s.d.StartWithBusybox(c, "--default-runtime=vm", "--add-runtime", "oci=docker-runc", "--add-runtime", "vm=/usr/local/bin/vm-manager")
+
+	out, err = s.d.Cmd("run", "--rm", "busybox", "ls")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "/usr/local/bin/vm-manager: no such file or directory")
+
+	// Run with default runtime explicitly
+	out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartWithAutoRemoveContainer(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	// top1 will exist after daemon restarts
+	out, err := s.d.Cmd("run", "-d", "--name", "top1", "busybox:latest", "top")
+	c.Assert(err, checker.IsNil, check.Commentf("run top1: %v", out))
+	// top2 will be removed after daemon restarts
+	out, err = s.d.Cmd("run", "-d", "--rm", "--name", "top2", "busybox:latest", "top")
+	c.Assert(err, checker.IsNil, check.Commentf("run top2: %v", out))
+
+	out, err = s.d.Cmd("ps")
+	c.Assert(out, checker.Contains, "top1", check.Commentf("top1 should be running"))
+	c.Assert(out, checker.Contains, "top2", check.Commentf("top2 should be running"))
+
+	// now restart daemon gracefully
+	s.d.Restart(c)
+
+	out, err = s.d.Cmd("ps", "-a")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+	c.Assert(out, checker.Contains, "top1", check.Commentf("top1 should exist after daemon restarts"))
+	c.Assert(out, checker.Not(checker.Contains), "top2", check.Commentf("top2 should be removed after daemon restarts"))
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartSaveContainerExitCode(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	containerName := "error-values"
+	// Make a container with both a non 0 exit code and an error message
+	// We explicitly disable `--init` for this test, because `--init` is enabled by default
+	// on "experimental". Enabling `--init` results in a different behavior; because the "init"
+	// process itself is PID1, the container does not fail on _startup_ (i.e., `docker-init` starting),
+	// but directly after. The exit code of the container is still 127, but the Error Message is not
+	// captured, so `.State.Error` is empty.
+	// See the discussion on https://github.com/docker/docker/pull/30227#issuecomment-274161426,
+	// and https://github.com/docker/docker/pull/26061#r78054578 for more information.
+	out, err := s.d.Cmd("run", "--name", containerName, "--init=false", "busybox", "toto")
+	c.Assert(err, checker.NotNil)
+
+	// Check that those values were saved on disk
+	out, err = s.d.Cmd("inspect", "-f", "{{.State.ExitCode}}", containerName)
+	out = strings.TrimSpace(out)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Equals, "127")
+
+	errMsg1, err := s.d.Cmd("inspect", "-f", "{{.State.Error}}", containerName)
+	errMsg1 = strings.TrimSpace(errMsg1)
+	c.Assert(err, checker.IsNil)
+	c.Assert(errMsg1, checker.Contains, "executable file not found")
+
+	// now restart daemon
+	s.d.Restart(c)
+
+	// Check that those values are still around
+	out, err = s.d.Cmd("inspect", "-f", "{{.State.ExitCode}}", containerName)
+	out = strings.TrimSpace(out)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Equals, "127")
+
+	out, err = s.d.Cmd("inspect", "-f", "{{.State.Error}}", containerName)
+	out = strings.TrimSpace(out)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Equals, errMsg1)
+}
+
+func (s *DockerDaemonSuite) TestDaemonWithUserlandProxyPath(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	dockerProxyPath, err := exec.LookPath("docker-proxy")
+	c.Assert(err, checker.IsNil)
+	tmpDir, err := ioutil.TempDir("", "test-docker-proxy")
+	c.Assert(err, checker.IsNil)
+
+	newProxyPath := filepath.Join(tmpDir, "docker-proxy")
+	cmd := exec.Command("cp", dockerProxyPath, newProxyPath)
+	c.Assert(cmd.Run(), checker.IsNil)
+
+	// custom one
+	s.d.StartWithBusybox(c, "--userland-proxy-path", newProxyPath)
+	out, err := s.d.Cmd("run", "-p", "5000:5000", "busybox:latest", "true")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// try with the original one
+	s.d.Restart(c, "--userland-proxy-path", dockerProxyPath)
+	out, err = s.d.Cmd("run", "-p", "5000:5000", "busybox:latest", "true")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// not exist
+	s.d.Restart(c, "--userland-proxy-path", "/does/not/exist")
+	out, err = s.d.Cmd("run", "-p", "5000:5000", "busybox:latest", "true")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "driver failed programming external connectivity on endpoint")
+	c.Assert(out, checker.Contains, "/does/not/exist: no such file or directory")
+}
+
+// Test case for #22471
+func (s *DockerDaemonSuite) TestDaemonShutdownTimeout(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	s.d.StartWithBusybox(c, "--shutdown-timeout=3")
+
+	_, err := s.d.Cmd("run", "-d", "busybox", "top")
+	c.Assert(err, check.IsNil)
+
+	c.Assert(s.d.Signal(unix.SIGINT), checker.IsNil)
+
+	select {
+	case <-s.d.Wait:
+	case <-time.After(5 * time.Second):
+	}
+
+	expectedMessage := `level=debug msg="daemon configured with a 3 seconds minimum shutdown timeout"`
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, expectedMessage)
+}
+
+// Test case for #22471
+func (s *DockerDaemonSuite) TestDaemonShutdownTimeoutWithConfigFile(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	// daemon config file
+	configFilePath := "test.json"
+	configFile, err := os.Create(configFilePath)
+	c.Assert(err, checker.IsNil)
+	defer os.Remove(configFilePath)
+
+	daemonConfig := `{ "shutdown-timeout" : 8 }`
+	fmt.Fprintf(configFile, "%s", daemonConfig)
+	configFile.Close()
+	s.d.Start(c, fmt.Sprintf("--config-file=%s", configFilePath))
+
+	configFile, err = os.Create(configFilePath)
+	c.Assert(err, checker.IsNil)
+	daemonConfig = `{ "shutdown-timeout" : 5 }`
+	fmt.Fprintf(configFile, "%s", daemonConfig)
+	configFile.Close()
+
+	c.Assert(s.d.Signal(unix.SIGHUP), checker.IsNil)
+
+	select {
+	case <-s.d.Wait:
+	case <-time.After(3 * time.Second):
+	}
+
+	expectedMessage := `level=debug msg="Reset Shutdown Timeout: 5"`
+	content, err := s.d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, expectedMessage)
+}
+
+// Test case for 29342
+func (s *DockerDaemonSuite) TestExecWithUserAfterLiveRestore(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	s.d.StartWithBusybox(c, "--live-restore")
+
+	out, err := s.d.Cmd("run", "-d", "--name=top", "busybox", "sh", "-c", "addgroup -S test && adduser -S -G test test -D -s /bin/sh && touch /adduser_end && top")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+
+	s.d.WaitRun("top")
+
+	// Wait for shell command to be completed
+	_, err = s.d.Cmd("exec", "top", "sh", "-c", `for i in $(seq 1 5); do if [ -e /adduser_end ]; then rm -f /adduser_end && break; else sleep 1 && false; fi; done`)
+	c.Assert(err, check.IsNil, check.Commentf("Timeout waiting for shell command to be completed"))
+
+	out1, err := s.d.Cmd("exec", "-u", "test", "top", "id")
+	// uid=100(test) gid=101(test) groups=101(test)
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out1))
+
+	// restart daemon.
+	s.d.Restart(c, "--live-restore")
+
+	out2, err := s.d.Cmd("exec", "-u", "test", "top", "id")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out2))
+	c.Assert(out2, check.Equals, out1, check.Commentf("Output: before restart '%s', after restart '%s'", out1, out2))
+
+	out, err = s.d.Cmd("stop", "top")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+}
+
+func (s *DockerDaemonSuite) TestRemoveContainerAfterLiveRestore(c *check.C) {
+	testRequires(c, DaemonIsLinux, overlayFSSupported, SameHostDaemon)
+	s.d.StartWithBusybox(c, "--live-restore", "--storage-driver", "overlay")
+	out, err := s.d.Cmd("run", "-d", "--name=top", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+
+	s.d.WaitRun("top")
+
+	// restart daemon.
+	s.d.Restart(c, "--live-restore", "--storage-driver", "overlay")
+
+	out, err = s.d.Cmd("stop", "top")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+
+	// test if the rootfs mountpoint still exist
+	mountpoint, err := s.d.InspectField("top", ".GraphDriver.Data.MergedDir")
+	c.Assert(err, check.IsNil)
+	f, err := os.Open("/proc/self/mountinfo")
+	c.Assert(err, check.IsNil)
+	defer f.Close()
+	sc := bufio.NewScanner(f)
+	for sc.Scan() {
+		line := sc.Text()
+		if strings.Contains(line, mountpoint) {
+			c.Fatalf("mountinfo should not include the mountpoint of stop container")
+		}
+	}
+
+	out, err = s.d.Cmd("rm", "top")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+}
+
+// #29598
+func (s *DockerDaemonSuite) TestRestartPolicyWithLiveRestore(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	s.d.StartWithBusybox(c, "--live-restore")
+
+	out, err := s.d.Cmd("run", "-d", "--restart", "always", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf("output: %s", out))
+	id := strings.TrimSpace(out)
+
+	type state struct {
+		Running   bool
+		StartedAt time.Time
+	}
+	out, err = s.d.Cmd("inspect", "-f", "{{json .State}}", id)
+	c.Assert(err, checker.IsNil, check.Commentf("output: %s", out))
+
+	var origState state
+	err = json.Unmarshal([]byte(strings.TrimSpace(out)), &origState)
+	c.Assert(err, checker.IsNil)
+
+	s.d.Restart(c, "--live-restore")
+
+	pid, err := s.d.Cmd("inspect", "-f", "{{.State.Pid}}", id)
+	c.Assert(err, check.IsNil)
+	pidint, err := strconv.Atoi(strings.TrimSpace(pid))
+	c.Assert(err, check.IsNil)
+	c.Assert(pidint, checker.GreaterThan, 0)
+	c.Assert(unix.Kill(pidint, unix.SIGKILL), check.IsNil)
+
+	ticker := time.NewTicker(50 * time.Millisecond)
+	timeout := time.After(10 * time.Second)
+
+	for range ticker.C {
+		select {
+		case <-timeout:
+			c.Fatal("timeout waiting for container restart")
+		default:
+		}
+
+		out, err := s.d.Cmd("inspect", "-f", "{{json .State}}", id)
+		c.Assert(err, checker.IsNil, check.Commentf("output: %s", out))
+
+		var newState state
+		err = json.Unmarshal([]byte(strings.TrimSpace(out)), &newState)
+		c.Assert(err, checker.IsNil)
+
+		if !newState.Running {
+			continue
+		}
+		if newState.StartedAt.After(origState.StartedAt) {
+			break
+		}
+	}
+
+	out, err = s.d.Cmd("stop", id)
+	c.Assert(err, check.IsNil, check.Commentf("output: %s", out))
+}
+
+func (s *DockerDaemonSuite) TestShmSize(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	size := 67108864 * 2
+	pattern := regexp.MustCompile(fmt.Sprintf("shm on /dev/shm type tmpfs(.*)size=%dk", size/1024))
+
+	s.d.StartWithBusybox(c, "--default-shm-size", fmt.Sprintf("%v", size))
+
+	name := "shm1"
+	out, err := s.d.Cmd("run", "--name", name, "busybox", "mount")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(pattern.MatchString(out), checker.True)
+	out, err = s.d.Cmd("inspect", "--format", "{{.HostConfig.ShmSize}}", name)
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(strings.TrimSpace(out), check.Equals, fmt.Sprintf("%v", size))
+}
+
+func (s *DockerDaemonSuite) TestShmSizeReload(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	configPath, err := ioutil.TempDir("", "test-daemon-shm-size-reload-config")
+	c.Assert(err, checker.IsNil, check.Commentf("could not create temp file for config reload"))
+	defer os.RemoveAll(configPath) // clean up
+	configFile := filepath.Join(configPath, "config.json")
+
+	size := 67108864 * 2
+	configData := []byte(fmt.Sprintf(`{"default-shm-size": "%dM"}`, size/1024/1024))
+	c.Assert(ioutil.WriteFile(configFile, configData, 0666), checker.IsNil, check.Commentf("could not write temp file for config reload"))
+	pattern := regexp.MustCompile(fmt.Sprintf("shm on /dev/shm type tmpfs(.*)size=%dk", size/1024))
+
+	s.d.StartWithBusybox(c, "--config-file", configFile)
+
+	name := "shm1"
+	out, err := s.d.Cmd("run", "--name", name, "busybox", "mount")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(pattern.MatchString(out), checker.True)
+	out, err = s.d.Cmd("inspect", "--format", "{{.HostConfig.ShmSize}}", name)
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(strings.TrimSpace(out), check.Equals, fmt.Sprintf("%v", size))
+
+	size = 67108864 * 3
+	configData = []byte(fmt.Sprintf(`{"default-shm-size": "%dM"}`, size/1024/1024))
+	c.Assert(ioutil.WriteFile(configFile, configData, 0666), checker.IsNil, check.Commentf("could not write temp file for config reload"))
+	pattern = regexp.MustCompile(fmt.Sprintf("shm on /dev/shm type tmpfs(.*)size=%dk", size/1024))
+
+	err = s.d.ReloadConfig()
+	c.Assert(err, checker.IsNil, check.Commentf("error reloading daemon config"))
+
+	name = "shm2"
+	out, err = s.d.Cmd("run", "--name", name, "busybox", "mount")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(pattern.MatchString(out), checker.True)
+	out, err = s.d.Cmd("inspect", "--format", "{{.HostConfig.ShmSize}}", name)
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	c.Assert(strings.TrimSpace(out), check.Equals, fmt.Sprintf("%v", size))
+}
+
+// this is used to test both "private" and "shareable" daemon default ipc modes
+func testDaemonIpcPrivateShareable(d *daemon.Daemon, c *check.C, mustExist bool) {
+	name := "test-ipcmode"
+	_, err := d.Cmd("run", "-d", "--name", name, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+
+	// get major:minor pair for /dev/shm from container's /proc/self/mountinfo
+	cmd := "awk '($5 == \"/dev/shm\") {printf $3}' /proc/self/mountinfo"
+	mm, err := d.Cmd("exec", "-i", name, "sh", "-c", cmd)
+	c.Assert(err, checker.IsNil)
+	c.Assert(mm, checker.Matches, "^[0-9]+:[0-9]+$")
+
+	exists, err := testIpcCheckDevExists(mm)
+	c.Assert(err, checker.IsNil)
+	c.Logf("[testDaemonIpcPrivateShareable] ipcdev: %v, exists: %v, mustExist: %v\n", mm, exists, mustExist)
+	c.Assert(exists, checker.Equals, mustExist)
+}
+
+// TestDaemonIpcModeShareable checks that --default-ipc-mode shareable works as intended.
+func (s *DockerDaemonSuite) TestDaemonIpcModeShareable(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+
+	s.d.StartWithBusybox(c, "--default-ipc-mode", "shareable")
+	testDaemonIpcPrivateShareable(s.d, c, true)
+}
+
+// TestDaemonIpcModePrivate checks that --default-ipc-mode private works as intended.
+func (s *DockerDaemonSuite) TestDaemonIpcModePrivate(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+
+	s.d.StartWithBusybox(c, "--default-ipc-mode", "private")
+	testDaemonIpcPrivateShareable(s.d, c, false)
+}
+
+// used to check if an IpcMode given in config works as intended
+func testDaemonIpcFromConfig(s *DockerDaemonSuite, c *check.C, mode string, mustExist bool) {
+	f, err := ioutil.TempFile("", "test-daemon-ipc-config")
+	c.Assert(err, checker.IsNil)
+	defer os.Remove(f.Name())
+
+	config := `{"default-ipc-mode": "` + mode + `"}`
+	_, err = f.WriteString(config)
+	c.Assert(f.Close(), checker.IsNil)
+	c.Assert(err, checker.IsNil)
+
+	s.d.StartWithBusybox(c, "--config-file", f.Name())
+	testDaemonIpcPrivateShareable(s.d, c, mustExist)
+}
+
+// TestDaemonIpcModePrivateFromConfig checks that "default-ipc-mode: private" config works as intended.
+func (s *DockerDaemonSuite) TestDaemonIpcModePrivateFromConfig(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	testDaemonIpcFromConfig(s, c, "private", false)
+}
+
+// TestDaemonIpcModeShareableFromConfig checks that "default-ipc-mode: shareable" config works as intended.
+func (s *DockerDaemonSuite) TestDaemonIpcModeShareableFromConfig(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	testDaemonIpcFromConfig(s, c, "shareable", true)
+}
+
+func testDaemonStartIpcMode(c *check.C, from, mode string, valid bool) {
+	d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	c.Logf("Checking IpcMode %s set from %s\n", mode, from)
+	var serr error
+	switch from {
+	case "config":
+		f, err := ioutil.TempFile("", "test-daemon-ipc-config")
+		c.Assert(err, checker.IsNil)
+		defer os.Remove(f.Name())
+		config := `{"default-ipc-mode": "` + mode + `"}`
+		_, err = f.WriteString(config)
+		c.Assert(f.Close(), checker.IsNil)
+		c.Assert(err, checker.IsNil)
+
+		serr = d.StartWithError("--config-file", f.Name())
+	case "cli":
+		serr = d.StartWithError("--default-ipc-mode", mode)
+	default:
+		c.Fatalf("testDaemonStartIpcMode: invalid 'from' argument")
+	}
+	if serr == nil {
+		d.Stop(c)
+	}
+
+	if valid {
+		c.Assert(serr, check.IsNil)
+	} else {
+		c.Assert(serr, check.NotNil)
+		icmd.RunCommand("grep", "-E", "IPC .* is (invalid|not supported)", d.LogFileName()).Assert(c, icmd.Success)
+	}
+}
+
+// TestDaemonStartWithIpcModes checks that daemon starts fine given correct
+// arguments for default IPC mode, and bails out with incorrect ones.
+// Both CLI option (--default-ipc-mode) and config parameter are tested.
+func (s *DockerDaemonSuite) TestDaemonStartWithIpcModes(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+
+	ipcModes := []struct {
+		mode  string
+		valid bool
+	}{
+		{"private", true},
+		{"shareable", true},
+
+		{"host", false},
+		{"container:123", false},
+		{"nosuchmode", false},
+	}
+
+	for _, from := range []string{"config", "cli"} {
+		for _, m := range ipcModes {
+			testDaemonStartIpcMode(c, from, m.mode, m.valid)
+		}
+	}
+}
+
+// TestDaemonRestartIpcMode makes sure a container keeps its ipc mode
+// (derived from daemon default) even after the daemon is restarted
+// with a different default ipc mode.
+func (s *DockerDaemonSuite) TestDaemonRestartIpcMode(c *check.C) {
+	f, err := ioutil.TempFile("", "test-daemon-ipc-config-restart")
+	c.Assert(err, checker.IsNil)
+	file := f.Name()
+	defer os.Remove(file)
+	c.Assert(f.Close(), checker.IsNil)
+
+	config := []byte(`{"default-ipc-mode": "private"}`)
+	c.Assert(ioutil.WriteFile(file, config, 0644), checker.IsNil)
+	s.d.StartWithBusybox(c, "--config-file", file)
+
+	// check the container is created with private ipc mode as per daemon default
+	name := "ipc1"
+	_, err = s.d.Cmd("run", "-d", "--name", name, "--restart=always", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	m, err := s.d.InspectField(name, ".HostConfig.IpcMode")
+	c.Assert(err, check.IsNil)
+	c.Assert(m, checker.Equals, "private")
+
+	// restart the daemon with shareable default ipc mode
+	config = []byte(`{"default-ipc-mode": "shareable"}`)
+	c.Assert(ioutil.WriteFile(file, config, 0644), checker.IsNil)
+	s.d.Restart(c, "--config-file", file)
+
+	// check the container is still having private ipc mode
+	m, err = s.d.InspectField(name, ".HostConfig.IpcMode")
+	c.Assert(err, check.IsNil)
+	c.Assert(m, checker.Equals, "private")
+
+	// check a new container is created with shareable ipc mode as per new daemon default
+	name = "ipc2"
+	_, err = s.d.Cmd("run", "-d", "--name", name, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	m, err = s.d.InspectField(name, ".HostConfig.IpcMode")
+	c.Assert(err, check.IsNil)
+	c.Assert(m, checker.Equals, "shareable")
+}
+
+// TestFailedPluginRemove makes sure that a failed plugin remove does not block
+// the daemon from starting
+func (s *DockerDaemonSuite) TestFailedPluginRemove(c *check.C) {
+	testRequires(c, DaemonIsLinux, IsAmd64, SameHostDaemon)
+	d := daemon.New(c, dockerBinary, dockerdBinary)
+	d.Start(c)
+	cli, err := client.NewClient(d.Sock(), api.DefaultVersion, nil, nil)
+	c.Assert(err, checker.IsNil)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 300*time.Second)
+	defer cancel()
+
+	name := "test-plugin-rm-fail"
+	out, err := cli.PluginInstall(ctx, name, types.PluginInstallOptions{
+		Disabled:             true,
+		AcceptAllPermissions: true,
+		RemoteRef:            "cpuguy83/docker-logdriver-test",
+	})
+	c.Assert(err, checker.IsNil)
+	defer out.Close()
+	io.Copy(ioutil.Discard, out)
+
+	ctx, cancel = context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+	p, _, err := cli.PluginInspectWithRaw(ctx, name)
+	c.Assert(err, checker.IsNil)
+
+	// simulate a bad/partial removal by removing the plugin config.
+	configPath := filepath.Join(d.Root, "plugins", p.ID, "config.json")
+	c.Assert(os.Remove(configPath), checker.IsNil)
+
+	d.Restart(c)
+	ctx, cancel = context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+	_, err = cli.Ping(ctx)
+	c.Assert(err, checker.IsNil)
+
+	_, _, err = cli.PluginInspectWithRaw(ctx, name)
+	// plugin should be gone since the config.json is gone
+	c.Assert(err, checker.NotNil)
+}
diff --git a/engine/integration-cli/docker_cli_events_test.go b/engine/integration-cli/docker_cli_events_test.go
new file mode 100644
index 00000000..db1e3402
--- /dev/null
+++ b/engine/integration-cli/docker_cli_events_test.go
@@ -0,0 +1,769 @@
+package main
+
+import (
+	"bufio"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	eventtypes "github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/client"
+	eventstestutils "github.com/docker/docker/daemon/events/testutils"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestEventsTimestampFormats(c *check.C) {
+	name := "events-time-format-test"
+
+	// Start stopwatch, generate an event
+	start := daemonTime(c)
+	time.Sleep(1100 * time.Millisecond) // so that first event occur in different second from since (just for the case)
+	dockerCmd(c, "run", "--rm", "--name", name, "busybox", "true")
+	time.Sleep(1100 * time.Millisecond) // so that until > since
+	end := daemonTime(c)
+
+	// List of available time formats to --since
+	unixTs := func(t time.Time) string { return fmt.Sprintf("%v", t.Unix()) }
+	rfc3339 := func(t time.Time) string { return t.Format(time.RFC3339) }
+	duration := func(t time.Time) string { return time.Since(t).String() }
+
+	// --since=$start must contain only the 'untag' event
+	for _, f := range []func(time.Time) string{unixTs, rfc3339, duration} {
+		since, until := f(start), f(end)
+		out, _ := dockerCmd(c, "events", "--since="+since, "--until="+until)
+		events := strings.Split(out, "\n")
+		events = events[:len(events)-1]
+
+		nEvents := len(events)
+		c.Assert(nEvents, checker.GreaterOrEqualThan, 5) //Missing expected event
+		containerEvents := eventActionsByIDAndType(c, events, name, "container")
+		c.Assert(containerEvents, checker.HasLen, 5, check.Commentf("events: %v", events))
+
+		c.Assert(containerEvents[0], checker.Equals, "create", check.Commentf(out))
+		c.Assert(containerEvents[1], checker.Equals, "attach", check.Commentf(out))
+		c.Assert(containerEvents[2], checker.Equals, "start", check.Commentf(out))
+		c.Assert(containerEvents[3], checker.Equals, "die", check.Commentf(out))
+		c.Assert(containerEvents[4], checker.Equals, "destroy", check.Commentf(out))
+	}
+}
+
+func (s *DockerSuite) TestEventsUntag(c *check.C) {
+	image := "busybox"
+	dockerCmd(c, "tag", image, "utest:tag1")
+	dockerCmd(c, "tag", image, "utest:tag2")
+	dockerCmd(c, "rmi", "utest:tag1")
+	dockerCmd(c, "rmi", "utest:tag2")
+
+	result := icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "events", "--since=1"},
+		Timeout: time.Millisecond * 2500,
+	})
+	result.Assert(c, icmd.Expected{Timeout: true})
+
+	events := strings.Split(result.Stdout(), "\n")
+	nEvents := len(events)
+	// The last element after the split above will be an empty string, so we
+	// get the two elements before the last, which are the untags we're
+	// looking for.
+	for _, v := range events[nEvents-3 : nEvents-1] {
+		c.Assert(v, checker.Contains, "untag", check.Commentf("event should be untag"))
+	}
+}
+
+func (s *DockerSuite) TestEventsContainerEvents(c *check.C) {
+	dockerCmd(c, "run", "--rm", "--name", "container-events-test", "busybox", "true")
+
+	out, _ := dockerCmd(c, "events", "--until", daemonUnixTime(c))
+	events := strings.Split(out, "\n")
+	events = events[:len(events)-1]
+
+	nEvents := len(events)
+	c.Assert(nEvents, checker.GreaterOrEqualThan, 5) //Missing expected event
+	containerEvents := eventActionsByIDAndType(c, events, "container-events-test", "container")
+	c.Assert(containerEvents, checker.HasLen, 5, check.Commentf("events: %v", events))
+
+	c.Assert(containerEvents[0], checker.Equals, "create", check.Commentf(out))
+	c.Assert(containerEvents[1], checker.Equals, "attach", check.Commentf(out))
+	c.Assert(containerEvents[2], checker.Equals, "start", check.Commentf(out))
+	c.Assert(containerEvents[3], checker.Equals, "die", check.Commentf(out))
+	c.Assert(containerEvents[4], checker.Equals, "destroy", check.Commentf(out))
+}
+
+func (s *DockerSuite) TestEventsContainerEventsAttrSort(c *check.C) {
+	since := daemonUnixTime(c)
+	dockerCmd(c, "run", "--rm", "--name", "container-events-test", "busybox", "true")
+
+	out, _ := dockerCmd(c, "events", "--filter", "container=container-events-test", "--since", since, "--until", daemonUnixTime(c))
+	events := strings.Split(out, "\n")
+
+	nEvents := len(events)
+	c.Assert(nEvents, checker.GreaterOrEqualThan, 3) //Missing expected event
+	matchedEvents := 0
+	for _, event := range events {
+		matches := eventstestutils.ScanMap(event)
+		if matches["eventType"] == "container" && matches["action"] == "create" {
+			matchedEvents++
+			c.Assert(out, checker.Contains, "(image=busybox, name=container-events-test)", check.Commentf("Event attributes not sorted"))
+		} else if matches["eventType"] == "container" && matches["action"] == "start" {
+			matchedEvents++
+			c.Assert(out, checker.Contains, "(image=busybox, name=container-events-test)", check.Commentf("Event attributes not sorted"))
+		}
+	}
+	c.Assert(matchedEvents, checker.Equals, 2, check.Commentf("missing events for container container-events-test:\n%s", out))
+}
+
+func (s *DockerSuite) TestEventsContainerEventsSinceUnixEpoch(c *check.C) {
+	dockerCmd(c, "run", "--rm", "--name", "since-epoch-test", "busybox", "true")
+	timeBeginning := time.Unix(0, 0).Format(time.RFC3339Nano)
+	timeBeginning = strings.Replace(timeBeginning, "Z", ".000000000Z", -1)
+	out, _ := dockerCmd(c, "events", "--since", timeBeginning, "--until", daemonUnixTime(c))
+	events := strings.Split(out, "\n")
+	events = events[:len(events)-1]
+
+	nEvents := len(events)
+	c.Assert(nEvents, checker.GreaterOrEqualThan, 5) //Missing expected event
+	containerEvents := eventActionsByIDAndType(c, events, "since-epoch-test", "container")
+	c.Assert(containerEvents, checker.HasLen, 5, check.Commentf("events: %v", events))
+
+	c.Assert(containerEvents[0], checker.Equals, "create", check.Commentf(out))
+	c.Assert(containerEvents[1], checker.Equals, "attach", check.Commentf(out))
+	c.Assert(containerEvents[2], checker.Equals, "start", check.Commentf(out))
+	c.Assert(containerEvents[3], checker.Equals, "die", check.Commentf(out))
+	c.Assert(containerEvents[4], checker.Equals, "destroy", check.Commentf(out))
+}
+
+func (s *DockerSuite) TestEventsImageTag(c *check.C) {
+	time.Sleep(1 * time.Second) // because API has seconds granularity
+	since := daemonUnixTime(c)
+	image := "testimageevents:tag"
+	dockerCmd(c, "tag", "busybox", image)
+
+	out, _ := dockerCmd(c, "events",
+		"--since", since, "--until", daemonUnixTime(c))
+
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(events, checker.HasLen, 1, check.Commentf("was expecting 1 event. out=%s", out))
+	event := strings.TrimSpace(events[0])
+
+	matches := eventstestutils.ScanMap(event)
+	c.Assert(matchEventID(matches, image), checker.True, check.Commentf("matches: %v\nout:\n%s", matches, out))
+	c.Assert(matches["action"], checker.Equals, "tag")
+}
+
+func (s *DockerSuite) TestEventsImagePull(c *check.C) {
+	// TODO Windows: Enable this test once pull and reliable image names are available
+	testRequires(c, DaemonIsLinux)
+	since := daemonUnixTime(c)
+	testRequires(c, Network)
+
+	dockerCmd(c, "pull", "hello-world")
+
+	out, _ := dockerCmd(c, "events",
+		"--since", since, "--until", daemonUnixTime(c))
+
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	event := strings.TrimSpace(events[len(events)-1])
+	matches := eventstestutils.ScanMap(event)
+	c.Assert(matches["id"], checker.Equals, "hello-world:latest")
+	c.Assert(matches["action"], checker.Equals, "pull")
+
+}
+
+func (s *DockerSuite) TestEventsImageImport(c *check.C) {
+	// TODO Windows CI. This should be portable once export/import are
+	// more reliable (@swernli)
+	testRequires(c, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+	cleanedContainerID := strings.TrimSpace(out)
+
+	since := daemonUnixTime(c)
+	out, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "export", cleanedContainerID),
+		exec.Command(dockerBinary, "import", "-"),
+	)
+	c.Assert(err, checker.IsNil, check.Commentf("import failed with output: %q", out))
+	imageRef := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "events", "--since", since, "--until", daemonUnixTime(c), "--filter", "event=import")
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(events, checker.HasLen, 1)
+	matches := eventstestutils.ScanMap(events[0])
+	c.Assert(matches["id"], checker.Equals, imageRef, check.Commentf("matches: %v\nout:\n%s\n", matches, out))
+	c.Assert(matches["action"], checker.Equals, "import", check.Commentf("matches: %v\nout:\n%s\n", matches, out))
+}
+
+func (s *DockerSuite) TestEventsImageLoad(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	myImageName := "footest:v1"
+	dockerCmd(c, "tag", "busybox", myImageName)
+	since := daemonUnixTime(c)
+
+	out, _ := dockerCmd(c, "images", "-q", "--no-trunc", myImageName)
+	longImageID := strings.TrimSpace(out)
+	c.Assert(longImageID, checker.Not(check.Equals), "", check.Commentf("Id should not be empty"))
+
+	dockerCmd(c, "save", "-o", "saveimg.tar", myImageName)
+	dockerCmd(c, "rmi", myImageName)
+	out, _ = dockerCmd(c, "images", "-q", myImageName)
+	noImageID := strings.TrimSpace(out)
+	c.Assert(noImageID, checker.Equals, "", check.Commentf("Should not have any image"))
+	dockerCmd(c, "load", "-i", "saveimg.tar")
+
+	result := icmd.RunCommand("rm", "-rf", "saveimg.tar")
+	result.Assert(c, icmd.Success)
+
+	out, _ = dockerCmd(c, "images", "-q", "--no-trunc", myImageName)
+	imageID := strings.TrimSpace(out)
+	c.Assert(imageID, checker.Equals, longImageID, check.Commentf("Should have same image id as before"))
+
+	out, _ = dockerCmd(c, "events", "--since", since, "--until", daemonUnixTime(c), "--filter", "event=load")
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(events, checker.HasLen, 1)
+	matches := eventstestutils.ScanMap(events[0])
+	c.Assert(matches["id"], checker.Equals, imageID, check.Commentf("matches: %v\nout:\n%s\n", matches, out))
+	c.Assert(matches["action"], checker.Equals, "load", check.Commentf("matches: %v\nout:\n%s\n", matches, out))
+
+	out, _ = dockerCmd(c, "events", "--since", since, "--until", daemonUnixTime(c), "--filter", "event=save")
+	events = strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(events, checker.HasLen, 1)
+	matches = eventstestutils.ScanMap(events[0])
+	c.Assert(matches["id"], checker.Equals, imageID, check.Commentf("matches: %v\nout:\n%s\n", matches, out))
+	c.Assert(matches["action"], checker.Equals, "save", check.Commentf("matches: %v\nout:\n%s\n", matches, out))
+}
+
+func (s *DockerSuite) TestEventsPluginOps(c *check.C) {
+	testRequires(c, DaemonIsLinux, IsAmd64, Network)
+
+	since := daemonUnixTime(c)
+
+	dockerCmd(c, "plugin", "install", pNameWithTag, "--grant-all-permissions")
+	dockerCmd(c, "plugin", "disable", pNameWithTag)
+	dockerCmd(c, "plugin", "remove", pNameWithTag)
+
+	out, _ := dockerCmd(c, "events", "--since", since, "--until", daemonUnixTime(c))
+	events := strings.Split(out, "\n")
+	events = events[:len(events)-1]
+
+	nEvents := len(events)
+	c.Assert(nEvents, checker.GreaterOrEqualThan, 4)
+
+	pluginEvents := eventActionsByIDAndType(c, events, pNameWithTag, "plugin")
+	c.Assert(pluginEvents, checker.HasLen, 4, check.Commentf("events: %v", events))
+
+	c.Assert(pluginEvents[0], checker.Equals, "pull", check.Commentf(out))
+	c.Assert(pluginEvents[1], checker.Equals, "enable", check.Commentf(out))
+	c.Assert(pluginEvents[2], checker.Equals, "disable", check.Commentf(out))
+	c.Assert(pluginEvents[3], checker.Equals, "remove", check.Commentf(out))
+}
+
+func (s *DockerSuite) TestEventsFilters(c *check.C) {
+	since := daemonUnixTime(c)
+	dockerCmd(c, "run", "--rm", "busybox", "true")
+	dockerCmd(c, "run", "--rm", "busybox", "true")
+	out, _ := dockerCmd(c, "events", "--since", since, "--until", daemonUnixTime(c), "--filter", "event=die")
+	parseEvents(c, out, "die")
+
+	out, _ = dockerCmd(c, "events", "--since", since, "--until", daemonUnixTime(c), "--filter", "event=die", "--filter", "event=start")
+	parseEvents(c, out, "die|start")
+
+	// make sure we at least got 2 start events
+	count := strings.Count(out, "start")
+	c.Assert(strings.Count(out, "start"), checker.GreaterOrEqualThan, 2, check.Commentf("should have had 2 start events but had %d, out: %s", count, out))
+
+}
+
+func (s *DockerSuite) TestEventsFilterImageName(c *check.C) {
+	since := daemonUnixTime(c)
+
+	out, _ := dockerCmd(c, "run", "--name", "container_1", "-d", "busybox:latest", "true")
+	container1 := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "run", "--name", "container_2", "-d", "busybox", "true")
+	container2 := strings.TrimSpace(out)
+
+	name := "busybox"
+	out, _ = dockerCmd(c, "events", "--since", since, "--until", daemonUnixTime(c), "--filter", fmt.Sprintf("image=%s", name))
+	events := strings.Split(out, "\n")
+	events = events[:len(events)-1]
+	c.Assert(events, checker.Not(checker.HasLen), 0) //Expected events but found none for the image busybox:latest
+	count1 := 0
+	count2 := 0
+
+	for _, e := range events {
+		if strings.Contains(e, container1) {
+			count1++
+		} else if strings.Contains(e, container2) {
+			count2++
+		}
+	}
+	c.Assert(count1, checker.Not(checker.Equals), 0, check.Commentf("Expected event from container but got %d from %s", count1, container1))
+	c.Assert(count2, checker.Not(checker.Equals), 0, check.Commentf("Expected event from container but got %d from %s", count2, container2))
+
+}
+
+func (s *DockerSuite) TestEventsFilterLabels(c *check.C) {
+	since := daemonUnixTime(c)
+	label := "io.docker.testing=foo"
+
+	out, _ := dockerCmd(c, "run", "-d", "-l", label, "busybox:latest", "true")
+	container1 := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "run", "-d", "busybox", "true")
+	container2 := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(
+		c,
+		"events",
+		"--since", since,
+		"--until", daemonUnixTime(c),
+		"--filter", fmt.Sprintf("label=%s", label))
+
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(events), checker.Equals, 3)
+
+	for _, e := range events {
+		c.Assert(e, checker.Contains, container1)
+		c.Assert(e, checker.Not(checker.Contains), container2)
+	}
+}
+
+func (s *DockerSuite) TestEventsFilterImageLabels(c *check.C) {
+	since := daemonUnixTime(c)
+	name := "labelfiltertest"
+	label := "io.docker.testing=image"
+
+	// Build a test image.
+	buildImageSuccessfully(c, name, build.WithDockerfile(fmt.Sprintf(`
+		FROM busybox:latest
+		LABEL %s`, label)))
+	dockerCmd(c, "tag", name, "labelfiltertest:tag1")
+	dockerCmd(c, "tag", name, "labelfiltertest:tag2")
+	dockerCmd(c, "tag", "busybox:latest", "labelfiltertest:tag3")
+
+	out, _ := dockerCmd(
+		c,
+		"events",
+		"--since", since,
+		"--until", daemonUnixTime(c),
+		"--filter", fmt.Sprintf("label=%s", label),
+		"--filter", "type=image")
+
+	events := strings.Split(strings.TrimSpace(out), "\n")
+
+	// 2 events from the "docker tag" command, another one is from "docker build"
+	c.Assert(events, checker.HasLen, 3, check.Commentf("Events == %s", events))
+	for _, e := range events {
+		c.Assert(e, checker.Contains, "labelfiltertest")
+	}
+}
+
+func (s *DockerSuite) TestEventsFilterContainer(c *check.C) {
+	since := daemonUnixTime(c)
+	nameID := make(map[string]string)
+
+	for _, name := range []string{"container_1", "container_2"} {
+		dockerCmd(c, "run", "--name", name, "busybox", "true")
+		id := inspectField(c, name, "Id")
+		nameID[name] = id
+	}
+
+	until := daemonUnixTime(c)
+
+	checkEvents := func(id string, events []string) error {
+		if len(events) != 4 { // create, attach, start, die
+			return fmt.Errorf("expected 4 events, got %v", events)
+		}
+		for _, event := range events {
+			matches := eventstestutils.ScanMap(event)
+			if !matchEventID(matches, id) {
+				return fmt.Errorf("expected event for container id %s: %s - parsed container id: %s", id, event, matches["id"])
+			}
+		}
+		return nil
+	}
+
+	for name, ID := range nameID {
+		// filter by names
+		out, _ := dockerCmd(c, "events", "--since", since, "--until", until, "--filter", "container="+name)
+		events := strings.Split(strings.TrimSuffix(out, "\n"), "\n")
+		c.Assert(checkEvents(ID, events), checker.IsNil)
+
+		// filter by ID's
+		out, _ = dockerCmd(c, "events", "--since", since, "--until", until, "--filter", "container="+ID)
+		events = strings.Split(strings.TrimSuffix(out, "\n"), "\n")
+		c.Assert(checkEvents(ID, events), checker.IsNil)
+	}
+}
+
+func (s *DockerSuite) TestEventsCommit(c *check.C) {
+	// Problematic on Windows as cannot commit a running container
+	testRequires(c, DaemonIsLinux)
+
+	out := runSleepingContainer(c)
+	cID := strings.TrimSpace(out)
+	cli.WaitRun(c, cID)
+
+	cli.DockerCmd(c, "commit", "-m", "test", cID)
+	cli.DockerCmd(c, "stop", cID)
+	cli.WaitExited(c, cID, 5*time.Second)
+
+	until := daemonUnixTime(c)
+	out = cli.DockerCmd(c, "events", "-f", "container="+cID, "--until="+until).Combined()
+	c.Assert(out, checker.Contains, "commit", check.Commentf("Missing 'commit' log event"))
+}
+
+func (s *DockerSuite) TestEventsCopy(c *check.C) {
+	// Build a test image.
+	buildImageSuccessfully(c, "cpimg", build.WithDockerfile(`
+		  FROM busybox
+		  RUN echo HI > /file`))
+	id := getIDByName(c, "cpimg")
+
+	// Create an empty test file.
+	tempFile, err := ioutil.TempFile("", "test-events-copy-")
+	c.Assert(err, checker.IsNil)
+	defer os.Remove(tempFile.Name())
+
+	c.Assert(tempFile.Close(), checker.IsNil)
+
+	dockerCmd(c, "create", "--name=cptest", id)
+
+	dockerCmd(c, "cp", "cptest:/file", tempFile.Name())
+
+	until := daemonUnixTime(c)
+	out, _ := dockerCmd(c, "events", "--since=0", "-f", "container=cptest", "--until="+until)
+	c.Assert(out, checker.Contains, "archive-path", check.Commentf("Missing 'archive-path' log event\n"))
+
+	dockerCmd(c, "cp", tempFile.Name(), "cptest:/filecopy")
+
+	until = daemonUnixTime(c)
+	out, _ = dockerCmd(c, "events", "-f", "container=cptest", "--until="+until)
+	c.Assert(out, checker.Contains, "extract-to-dir", check.Commentf("Missing 'extract-to-dir' log event"))
+}
+
+func (s *DockerSuite) TestEventsResize(c *check.C) {
+	out := runSleepingContainer(c, "-d")
+	cID := strings.TrimSpace(out)
+	c.Assert(waitRun(cID), checker.IsNil)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	options := types.ResizeOptions{
+		Height: 80,
+		Width:  24,
+	}
+	err = cli.ContainerResize(context.Background(), cID, options)
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "stop", cID)
+
+	until := daemonUnixTime(c)
+	out, _ = dockerCmd(c, "events", "-f", "container="+cID, "--until="+until)
+	c.Assert(out, checker.Contains, "resize", check.Commentf("Missing 'resize' log event"))
+}
+
+func (s *DockerSuite) TestEventsAttach(c *check.C) {
+	// TODO Windows CI: Figure out why this test fails intermittently (TP5).
+	testRequires(c, DaemonIsLinux)
+
+	out := cli.DockerCmd(c, "run", "-di", "busybox", "cat").Combined()
+	cID := strings.TrimSpace(out)
+	cli.WaitRun(c, cID)
+
+	cmd := exec.Command(dockerBinary, "attach", cID)
+	stdin, err := cmd.StdinPipe()
+	c.Assert(err, checker.IsNil)
+	defer stdin.Close()
+	stdout, err := cmd.StdoutPipe()
+	c.Assert(err, checker.IsNil)
+	defer stdout.Close()
+	c.Assert(cmd.Start(), checker.IsNil)
+	defer func() {
+		cmd.Process.Kill()
+		cmd.Wait()
+	}()
+
+	// Make sure we're done attaching by writing/reading some stuff
+	_, err = stdin.Write([]byte("hello\n"))
+	c.Assert(err, checker.IsNil)
+	out, err = bufio.NewReader(stdout).ReadString('\n')
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello", check.Commentf("expected 'hello'"))
+
+	c.Assert(stdin.Close(), checker.IsNil)
+
+	cli.DockerCmd(c, "kill", cID)
+	cli.WaitExited(c, cID, 5*time.Second)
+
+	until := daemonUnixTime(c)
+	out = cli.DockerCmd(c, "events", "-f", "container="+cID, "--until="+until).Combined()
+	c.Assert(out, checker.Contains, "attach", check.Commentf("Missing 'attach' log event"))
+}
+
+func (s *DockerSuite) TestEventsRename(c *check.C) {
+	out, _ := dockerCmd(c, "run", "--name", "oldName", "busybox", "true")
+	cID := strings.TrimSpace(out)
+	dockerCmd(c, "rename", "oldName", "newName")
+
+	until := daemonUnixTime(c)
+	// filter by the container id because the name in the event will be the new name.
+	out, _ = dockerCmd(c, "events", "-f", "container="+cID, "--until", until)
+	c.Assert(out, checker.Contains, "rename", check.Commentf("Missing 'rename' log event\n"))
+}
+
+func (s *DockerSuite) TestEventsTop(c *check.C) {
+	// Problematic on Windows as Windows does not support top
+	testRequires(c, DaemonIsLinux)
+
+	out := runSleepingContainer(c, "-d")
+	cID := strings.TrimSpace(out)
+	c.Assert(waitRun(cID), checker.IsNil)
+
+	dockerCmd(c, "top", cID)
+	dockerCmd(c, "stop", cID)
+
+	until := daemonUnixTime(c)
+	out, _ = dockerCmd(c, "events", "-f", "container="+cID, "--until="+until)
+	c.Assert(out, checker.Contains, " top", check.Commentf("Missing 'top' log event"))
+}
+
+// #14316
+func (s *DockerRegistrySuite) TestEventsImageFilterPush(c *check.C) {
+	// Problematic to port for Windows CI during TP5 timeframe until
+	// supporting push
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, Network)
+	repoName := fmt.Sprintf("%v/dockercli/testf", privateRegistryURL)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	cID := strings.TrimSpace(out)
+	c.Assert(waitRun(cID), checker.IsNil)
+
+	dockerCmd(c, "commit", cID, repoName)
+	dockerCmd(c, "stop", cID)
+	dockerCmd(c, "push", repoName)
+
+	until := daemonUnixTime(c)
+	out, _ = dockerCmd(c, "events", "-f", "image="+repoName, "-f", "event=push", "--until", until)
+	c.Assert(out, checker.Contains, repoName, check.Commentf("Missing 'push' log event for %s", repoName))
+}
+
+func (s *DockerSuite) TestEventsFilterType(c *check.C) {
+	// FIXME(vdemeester) fails on e2e run
+	testRequires(c, SameHostDaemon)
+	since := daemonUnixTime(c)
+	name := "labelfiltertest"
+	label := "io.docker.testing=image"
+
+	// Build a test image.
+	buildImageSuccessfully(c, name, build.WithDockerfile(fmt.Sprintf(`
+		FROM busybox:latest
+		LABEL %s`, label)))
+	dockerCmd(c, "tag", name, "labelfiltertest:tag1")
+	dockerCmd(c, "tag", name, "labelfiltertest:tag2")
+	dockerCmd(c, "tag", "busybox:latest", "labelfiltertest:tag3")
+
+	out, _ := dockerCmd(
+		c,
+		"events",
+		"--since", since,
+		"--until", daemonUnixTime(c),
+		"--filter", fmt.Sprintf("label=%s", label),
+		"--filter", "type=image")
+
+	events := strings.Split(strings.TrimSpace(out), "\n")
+
+	// 2 events from the "docker tag" command, another one is from "docker build"
+	c.Assert(events, checker.HasLen, 3, check.Commentf("Events == %s", events))
+	for _, e := range events {
+		c.Assert(e, checker.Contains, "labelfiltertest")
+	}
+
+	out, _ = dockerCmd(
+		c,
+		"events",
+		"--since", since,
+		"--until", daemonUnixTime(c),
+		"--filter", fmt.Sprintf("label=%s", label),
+		"--filter", "type=container")
+	events = strings.Split(strings.TrimSpace(out), "\n")
+
+	// Events generated by the container that builds the image
+	c.Assert(events, checker.HasLen, 2, check.Commentf("Events == %s", events))
+
+	out, _ = dockerCmd(
+		c,
+		"events",
+		"--since", since,
+		"--until", daemonUnixTime(c),
+		"--filter", "type=network")
+	events = strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(events), checker.GreaterOrEqualThan, 1, check.Commentf("Events == %s", events))
+}
+
+// #25798
+func (s *DockerSuite) TestEventsSpecialFiltersWithExecCreate(c *check.C) {
+	since := daemonUnixTime(c)
+	runSleepingContainer(c, "--name", "test-container", "-d")
+	waitRun("test-container")
+
+	dockerCmd(c, "exec", "test-container", "echo", "hello-world")
+
+	out, _ := dockerCmd(
+		c,
+		"events",
+		"--since", since,
+		"--until", daemonUnixTime(c),
+		"--filter",
+		"event='exec_create: echo hello-world'",
+	)
+
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(events), checker.Equals, 1, check.Commentf(out))
+
+	out, _ = dockerCmd(
+		c,
+		"events",
+		"--since", since,
+		"--until", daemonUnixTime(c),
+		"--filter",
+		"event=exec_create",
+	)
+	c.Assert(len(events), checker.Equals, 1, check.Commentf(out))
+}
+
+func (s *DockerSuite) TestEventsFilterImageInContainerAction(c *check.C) {
+	since := daemonUnixTime(c)
+	dockerCmd(c, "run", "--name", "test-container", "-d", "busybox", "true")
+	waitRun("test-container")
+
+	out, _ := dockerCmd(c, "events", "--filter", "image=busybox", "--since", since, "--until", daemonUnixTime(c))
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(events), checker.GreaterThan, 1, check.Commentf(out))
+}
+
+func (s *DockerSuite) TestEventsContainerRestart(c *check.C) {
+	dockerCmd(c, "run", "-d", "--name=testEvent", "--restart=on-failure:3", "busybox", "false")
+
+	// wait until test2 is auto removed.
+	waitTime := 10 * time.Second
+	if testEnv.OSType == "windows" {
+		// Windows takes longer...
+		waitTime = 90 * time.Second
+	}
+
+	err := waitInspect("testEvent", "{{ .State.Restarting }} {{ .State.Running }}", "false false", waitTime)
+	c.Assert(err, checker.IsNil)
+
+	var (
+		createCount int
+		startCount  int
+		dieCount    int
+	)
+	out, _ := dockerCmd(c, "events", "--since=0", "--until", daemonUnixTime(c), "-f", "container=testEvent")
+	events := strings.Split(strings.TrimSpace(out), "\n")
+
+	nEvents := len(events)
+	c.Assert(nEvents, checker.GreaterOrEqualThan, 1) //Missing expected event
+	actions := eventActionsByIDAndType(c, events, "testEvent", "container")
+
+	for _, a := range actions {
+		switch a {
+		case "create":
+			createCount++
+		case "start":
+			startCount++
+		case "die":
+			dieCount++
+		}
+	}
+	c.Assert(createCount, checker.Equals, 1, check.Commentf("testEvent should be created 1 times: %v", actions))
+	c.Assert(startCount, checker.Equals, 4, check.Commentf("testEvent should start 4 times: %v", actions))
+	c.Assert(dieCount, checker.Equals, 4, check.Commentf("testEvent should die 4 times: %v", actions))
+}
+
+func (s *DockerSuite) TestEventsSinceInTheFuture(c *check.C) {
+	dockerCmd(c, "run", "--name", "test-container", "-d", "busybox", "true")
+	waitRun("test-container")
+
+	since := daemonTime(c)
+	until := since.Add(time.Duration(-24) * time.Hour)
+	out, _, err := dockerCmdWithError("events", "--filter", "image=busybox", "--since", parseEventTime(since), "--until", parseEventTime(until))
+
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "cannot be after `until`")
+}
+
+func (s *DockerSuite) TestEventsUntilInThePast(c *check.C) {
+	since := daemonUnixTime(c)
+
+	dockerCmd(c, "run", "--name", "test-container", "-d", "busybox", "true")
+	waitRun("test-container")
+
+	until := daemonUnixTime(c)
+
+	dockerCmd(c, "run", "--name", "test-container2", "-d", "busybox", "true")
+	waitRun("test-container2")
+
+	out, _ := dockerCmd(c, "events", "--filter", "image=busybox", "--since", since, "--until", until)
+
+	c.Assert(out, checker.Not(checker.Contains), "test-container2")
+	c.Assert(out, checker.Contains, "test-container")
+}
+
+func (s *DockerSuite) TestEventsFormat(c *check.C) {
+	since := daemonUnixTime(c)
+	dockerCmd(c, "run", "--rm", "busybox", "true")
+	dockerCmd(c, "run", "--rm", "busybox", "true")
+	out, _ := dockerCmd(c, "events", "--since", since, "--until", daemonUnixTime(c), "--format", "{{json .}}")
+	dec := json.NewDecoder(strings.NewReader(out))
+	// make sure we got 2 start events
+	startCount := 0
+	for {
+		var err error
+		var ev eventtypes.Message
+		if err = dec.Decode(&ev); err == io.EOF {
+			break
+		}
+		c.Assert(err, checker.IsNil)
+		if ev.Status == "start" {
+			startCount++
+		}
+	}
+
+	c.Assert(startCount, checker.Equals, 2, check.Commentf("should have had 2 start events but had %d, out: %s", startCount, out))
+}
+
+func (s *DockerSuite) TestEventsFormatBadFunc(c *check.C) {
+	// make sure it fails immediately, without receiving any event
+	result := dockerCmdWithResult("events", "--format", "{{badFuncString .}}")
+	result.Assert(c, icmd.Expected{
+		Error:    "exit status 64",
+		ExitCode: 64,
+		Err:      "Error parsing format: template: :1: function \"badFuncString\" not defined",
+	})
+}
+
+func (s *DockerSuite) TestEventsFormatBadField(c *check.C) {
+	// make sure it fails immediately, without receiving any event
+	result := dockerCmdWithResult("events", "--format", "{{.badFieldString}}")
+	result.Assert(c, icmd.Expected{
+		Error:    "exit status 64",
+		ExitCode: 64,
+		Err:      "Error parsing format: template: :1:2: executing \"\" at <.badFieldString>: can't evaluate field badFieldString in type *events.Message",
+	})
+}
diff --git a/engine/integration-cli/docker_cli_events_unix_test.go b/engine/integration-cli/docker_cli_events_unix_test.go
new file mode 100644
index 00000000..343b9003
--- /dev/null
+++ b/engine/integration-cli/docker_cli_events_unix_test.go
@@ -0,0 +1,511 @@
+// +build !windows
+
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+	"unicode"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+	"github.com/kr/pty"
+	"golang.org/x/sys/unix"
+)
+
+// #5979
+func (s *DockerSuite) TestEventsRedirectStdout(c *check.C) {
+	since := daemonUnixTime(c)
+	dockerCmd(c, "run", "busybox", "true")
+
+	file, err := ioutil.TempFile("", "")
+	c.Assert(err, checker.IsNil, check.Commentf("could not create temp file"))
+	defer os.Remove(file.Name())
+
+	command := fmt.Sprintf("%s events --since=%s --until=%s > %s", dockerBinary, since, daemonUnixTime(c), file.Name())
+	_, tty, err := pty.Open()
+	c.Assert(err, checker.IsNil, check.Commentf("Could not open pty"))
+	cmd := exec.Command("sh", "-c", command)
+	cmd.Stdin = tty
+	cmd.Stdout = tty
+	cmd.Stderr = tty
+	c.Assert(cmd.Run(), checker.IsNil, check.Commentf("run err for command %q", command))
+
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		for _, ch := range scanner.Text() {
+			c.Assert(unicode.IsControl(ch), checker.False, check.Commentf("found control character %v", []byte(string(ch))))
+		}
+	}
+	c.Assert(scanner.Err(), checker.IsNil, check.Commentf("Scan err for command %q", command))
+
+}
+
+func (s *DockerSuite) TestEventsOOMDisableFalse(c *check.C) {
+	testRequires(c, DaemonIsLinux, oomControl, memoryLimitSupport, swapMemorySupport, NotPpc64le)
+
+	errChan := make(chan error)
+	go func() {
+		defer close(errChan)
+		out, exitCode, _ := dockerCmdWithError("run", "--name", "oomFalse", "-m", "10MB", "busybox", "sh", "-c", "x=a; while true; do x=$x$x$x$x; done")
+		if expected := 137; exitCode != expected {
+			errChan <- fmt.Errorf("wrong exit code for OOM container: expected %d, got %d (output: %q)", expected, exitCode, out)
+		}
+	}()
+	select {
+	case err := <-errChan:
+		c.Assert(err, checker.IsNil)
+	case <-time.After(30 * time.Second):
+		c.Fatal("Timeout waiting for container to die on OOM")
+	}
+
+	out, _ := dockerCmd(c, "events", "--since=0", "-f", "container=oomFalse", "--until", daemonUnixTime(c))
+	events := strings.Split(strings.TrimSuffix(out, "\n"), "\n")
+	nEvents := len(events)
+
+	c.Assert(nEvents, checker.GreaterOrEqualThan, 5) //Missing expected event
+	c.Assert(parseEventAction(c, events[nEvents-5]), checker.Equals, "create")
+	c.Assert(parseEventAction(c, events[nEvents-4]), checker.Equals, "attach")
+	c.Assert(parseEventAction(c, events[nEvents-3]), checker.Equals, "start")
+	c.Assert(parseEventAction(c, events[nEvents-2]), checker.Equals, "oom")
+	c.Assert(parseEventAction(c, events[nEvents-1]), checker.Equals, "die")
+}
+
+func (s *DockerSuite) TestEventsOOMDisableTrue(c *check.C) {
+	testRequires(c, DaemonIsLinux, oomControl, memoryLimitSupport, NotArm, swapMemorySupport, NotPpc64le)
+
+	errChan := make(chan error)
+	observer, err := newEventObserver(c)
+	c.Assert(err, checker.IsNil)
+	err = observer.Start()
+	c.Assert(err, checker.IsNil)
+	defer observer.Stop()
+
+	go func() {
+		defer close(errChan)
+		out, exitCode, _ := dockerCmdWithError("run", "--oom-kill-disable=true", "--name", "oomTrue", "-m", "10MB", "busybox", "sh", "-c", "x=a; while true; do x=$x$x$x$x; done")
+		if expected := 137; exitCode != expected {
+			errChan <- fmt.Errorf("wrong exit code for OOM container: expected %d, got %d (output: %q)", expected, exitCode, out)
+		}
+	}()
+
+	c.Assert(waitRun("oomTrue"), checker.IsNil)
+	defer dockerCmdWithResult("kill", "oomTrue")
+	containerID := inspectField(c, "oomTrue", "Id")
+
+	testActions := map[string]chan bool{
+		"oom": make(chan bool),
+	}
+
+	matcher := matchEventLine(containerID, "container", testActions)
+	processor := processEventMatch(testActions)
+	go observer.Match(matcher, processor)
+
+	select {
+	case <-time.After(20 * time.Second):
+		observer.CheckEventError(c, containerID, "oom", matcher)
+	case <-testActions["oom"]:
+	// ignore, done
+	case errRun := <-errChan:
+		if errRun != nil {
+			c.Fatalf("%v", errRun)
+		} else {
+			c.Fatalf("container should be still running but it's not")
+		}
+	}
+
+	status := inspectField(c, "oomTrue", "State.Status")
+	c.Assert(strings.TrimSpace(status), checker.Equals, "running", check.Commentf("container should be still running"))
+}
+
+// #18453
+func (s *DockerSuite) TestEventsContainerFilterByName(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	cOut, _ := dockerCmd(c, "run", "--name=foo", "-d", "busybox", "top")
+	c1 := strings.TrimSpace(cOut)
+	waitRun("foo")
+	cOut, _ = dockerCmd(c, "run", "--name=bar", "-d", "busybox", "top")
+	c2 := strings.TrimSpace(cOut)
+	waitRun("bar")
+	out, _ := dockerCmd(c, "events", "-f", "container=foo", "--since=0", "--until", daemonUnixTime(c))
+	c.Assert(out, checker.Contains, c1, check.Commentf(out))
+	c.Assert(out, checker.Not(checker.Contains), c2, check.Commentf(out))
+}
+
+// #18453
+func (s *DockerSuite) TestEventsContainerFilterBeforeCreate(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	buf := &bytes.Buffer{}
+	cmd := exec.Command(dockerBinary, "events", "-f", "container=foo", "--since=0")
+	cmd.Stdout = buf
+	c.Assert(cmd.Start(), check.IsNil)
+	defer cmd.Wait()
+	defer cmd.Process.Kill()
+
+	// Sleep for a second to make sure we are testing the case where events are listened before container starts.
+	time.Sleep(time.Second)
+	id, _ := dockerCmd(c, "run", "--name=foo", "-d", "busybox", "top")
+	cID := strings.TrimSpace(id)
+	for i := 0; ; i++ {
+		out := buf.String()
+		if strings.Contains(out, cID) {
+			break
+		}
+		if i > 30 {
+			c.Fatalf("Missing event of container (foo, %v), got %q", cID, out)
+		}
+		time.Sleep(500 * time.Millisecond)
+	}
+}
+
+func (s *DockerSuite) TestVolumeEvents(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	since := daemonUnixTime(c)
+
+	// Observe create/mount volume actions
+	dockerCmd(c, "volume", "create", "test-event-volume-local")
+	dockerCmd(c, "run", "--name", "test-volume-container", "--volume", "test-event-volume-local:/foo", "-d", "busybox", "true")
+	waitRun("test-volume-container")
+
+	// Observe unmount/destroy volume actions
+	dockerCmd(c, "rm", "-f", "test-volume-container")
+	dockerCmd(c, "volume", "rm", "test-event-volume-local")
+
+	until := daemonUnixTime(c)
+	out, _ := dockerCmd(c, "events", "--since", since, "--until", until)
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(events), checker.GreaterThan, 4)
+
+	volumeEvents := eventActionsByIDAndType(c, events, "test-event-volume-local", "volume")
+	c.Assert(volumeEvents, checker.HasLen, 5)
+	c.Assert(volumeEvents[0], checker.Equals, "create")
+	c.Assert(volumeEvents[1], checker.Equals, "create")
+	c.Assert(volumeEvents[2], checker.Equals, "mount")
+	c.Assert(volumeEvents[3], checker.Equals, "unmount")
+	c.Assert(volumeEvents[4], checker.Equals, "destroy")
+}
+
+func (s *DockerSuite) TestNetworkEvents(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	since := daemonUnixTime(c)
+
+	// Observe create/connect network actions
+	dockerCmd(c, "network", "create", "test-event-network-local")
+	dockerCmd(c, "run", "--name", "test-network-container", "--net", "test-event-network-local", "-d", "busybox", "true")
+	waitRun("test-network-container")
+
+	// Observe disconnect/destroy network actions
+	dockerCmd(c, "rm", "-f", "test-network-container")
+	dockerCmd(c, "network", "rm", "test-event-network-local")
+
+	until := daemonUnixTime(c)
+	out, _ := dockerCmd(c, "events", "--since", since, "--until", until)
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(events), checker.GreaterThan, 4)
+
+	netEvents := eventActionsByIDAndType(c, events, "test-event-network-local", "network")
+	c.Assert(netEvents, checker.HasLen, 4)
+	c.Assert(netEvents[0], checker.Equals, "create")
+	c.Assert(netEvents[1], checker.Equals, "connect")
+	c.Assert(netEvents[2], checker.Equals, "disconnect")
+	c.Assert(netEvents[3], checker.Equals, "destroy")
+}
+
+func (s *DockerSuite) TestEventsContainerWithMultiNetwork(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	// Observe create/connect network actions
+	dockerCmd(c, "network", "create", "test-event-network-local-1")
+	dockerCmd(c, "network", "create", "test-event-network-local-2")
+	dockerCmd(c, "run", "--name", "test-network-container", "--net", "test-event-network-local-1", "-td", "busybox", "sh")
+	waitRun("test-network-container")
+	dockerCmd(c, "network", "connect", "test-event-network-local-2", "test-network-container")
+
+	since := daemonUnixTime(c)
+
+	dockerCmd(c, "stop", "-t", "1", "test-network-container")
+
+	until := daemonUnixTime(c)
+	out, _ := dockerCmd(c, "events", "--since", since, "--until", until, "-f", "type=network")
+	netEvents := strings.Split(strings.TrimSpace(out), "\n")
+
+	// received two network disconnect events
+	c.Assert(len(netEvents), checker.Equals, 2)
+	c.Assert(netEvents[0], checker.Contains, "disconnect")
+	c.Assert(netEvents[1], checker.Contains, "disconnect")
+
+	//both networks appeared in the network event output
+	c.Assert(out, checker.Contains, "test-event-network-local-1")
+	c.Assert(out, checker.Contains, "test-event-network-local-2")
+}
+
+func (s *DockerSuite) TestEventsStreaming(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	observer, err := newEventObserver(c)
+	c.Assert(err, checker.IsNil)
+	err = observer.Start()
+	c.Assert(err, checker.IsNil)
+	defer observer.Stop()
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox:latest", "true")
+	containerID := strings.TrimSpace(out)
+
+	testActions := map[string]chan bool{
+		"create":  make(chan bool, 1),
+		"start":   make(chan bool, 1),
+		"die":     make(chan bool, 1),
+		"destroy": make(chan bool, 1),
+	}
+
+	matcher := matchEventLine(containerID, "container", testActions)
+	processor := processEventMatch(testActions)
+	go observer.Match(matcher, processor)
+
+	select {
+	case <-time.After(5 * time.Second):
+		observer.CheckEventError(c, containerID, "create", matcher)
+	case <-testActions["create"]:
+		// ignore, done
+	}
+
+	select {
+	case <-time.After(5 * time.Second):
+		observer.CheckEventError(c, containerID, "start", matcher)
+	case <-testActions["start"]:
+		// ignore, done
+	}
+
+	select {
+	case <-time.After(5 * time.Second):
+		observer.CheckEventError(c, containerID, "die", matcher)
+	case <-testActions["die"]:
+		// ignore, done
+	}
+
+	dockerCmd(c, "rm", containerID)
+
+	select {
+	case <-time.After(5 * time.Second):
+		observer.CheckEventError(c, containerID, "destroy", matcher)
+	case <-testActions["destroy"]:
+		// ignore, done
+	}
+}
+
+func (s *DockerSuite) TestEventsImageUntagDelete(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	observer, err := newEventObserver(c)
+	c.Assert(err, checker.IsNil)
+	err = observer.Start()
+	c.Assert(err, checker.IsNil)
+	defer observer.Stop()
+
+	name := "testimageevents"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM scratch
+		MAINTAINER "docker"`))
+	imageID := getIDByName(c, name)
+	c.Assert(deleteImages(name), checker.IsNil)
+
+	testActions := map[string]chan bool{
+		"untag":  make(chan bool, 1),
+		"delete": make(chan bool, 1),
+	}
+
+	matcher := matchEventLine(imageID, "image", testActions)
+	processor := processEventMatch(testActions)
+	go observer.Match(matcher, processor)
+
+	select {
+	case <-time.After(10 * time.Second):
+		observer.CheckEventError(c, imageID, "untag", matcher)
+	case <-testActions["untag"]:
+		// ignore, done
+	}
+
+	select {
+	case <-time.After(10 * time.Second):
+		observer.CheckEventError(c, imageID, "delete", matcher)
+	case <-testActions["delete"]:
+		// ignore, done
+	}
+}
+
+func (s *DockerSuite) TestEventsFilterVolumeAndNetworkType(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	since := daemonUnixTime(c)
+
+	dockerCmd(c, "network", "create", "test-event-network-type")
+	dockerCmd(c, "volume", "create", "test-event-volume-type")
+
+	out, _ := dockerCmd(c, "events", "--filter", "type=volume", "--filter", "type=network", "--since", since, "--until", daemonUnixTime(c))
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(events), checker.GreaterOrEqualThan, 2, check.Commentf(out))
+
+	networkActions := eventActionsByIDAndType(c, events, "test-event-network-type", "network")
+	volumeActions := eventActionsByIDAndType(c, events, "test-event-volume-type", "volume")
+
+	c.Assert(volumeActions[0], checker.Equals, "create")
+	c.Assert(networkActions[0], checker.Equals, "create")
+}
+
+func (s *DockerSuite) TestEventsFilterVolumeID(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	since := daemonUnixTime(c)
+
+	dockerCmd(c, "volume", "create", "test-event-volume-id")
+	out, _ := dockerCmd(c, "events", "--filter", "volume=test-event-volume-id", "--since", since, "--until", daemonUnixTime(c))
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(events, checker.HasLen, 1)
+
+	c.Assert(events[0], checker.Contains, "test-event-volume-id")
+	c.Assert(events[0], checker.Contains, "driver=local")
+}
+
+func (s *DockerSuite) TestEventsFilterNetworkID(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	since := daemonUnixTime(c)
+
+	dockerCmd(c, "network", "create", "test-event-network-local")
+	out, _ := dockerCmd(c, "events", "--filter", "network=test-event-network-local", "--since", since, "--until", daemonUnixTime(c))
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(events, checker.HasLen, 1)
+
+	c.Assert(events[0], checker.Contains, "test-event-network-local")
+	c.Assert(events[0], checker.Contains, "type=bridge")
+}
+
+func (s *DockerDaemonSuite) TestDaemonEvents(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	// daemon config file
+	configFilePath := "test.json"
+	configFile, err := os.Create(configFilePath)
+	c.Assert(err, checker.IsNil)
+	defer os.Remove(configFilePath)
+
+	daemonConfig := `{"labels":["foo=bar"]}`
+	fmt.Fprintf(configFile, "%s", daemonConfig)
+	configFile.Close()
+	s.d.Start(c, fmt.Sprintf("--config-file=%s", configFilePath))
+
+	// Get daemon ID
+	out, err := s.d.Cmd("info")
+	c.Assert(err, checker.IsNil)
+	daemonID := ""
+	daemonName := ""
+	for _, line := range strings.Split(out, "\n") {
+		if strings.HasPrefix(line, "ID: ") {
+			daemonID = strings.TrimPrefix(line, "ID: ")
+		} else if strings.HasPrefix(line, "Name: ") {
+			daemonName = strings.TrimPrefix(line, "Name: ")
+		}
+	}
+	c.Assert(daemonID, checker.Not(checker.Equals), "")
+
+	configFile, err = os.Create(configFilePath)
+	c.Assert(err, checker.IsNil)
+	daemonConfig = `{"max-concurrent-downloads":1,"labels":["bar=foo"], "shutdown-timeout": 10}`
+	fmt.Fprintf(configFile, "%s", daemonConfig)
+	configFile.Close()
+
+	c.Assert(s.d.Signal(unix.SIGHUP), checker.IsNil)
+
+	time.Sleep(3 * time.Second)
+
+	out, err = s.d.Cmd("events", "--since=0", "--until", daemonUnixTime(c))
+	c.Assert(err, checker.IsNil)
+
+	// only check for values known (daemon ID/name) or explicitly set above,
+	// otherwise just check for names being present.
+	expectedSubstrings := []string{
+		" daemon reload " + daemonID + " ",
+		"(allow-nondistributable-artifacts=[",
+		" cluster-advertise=, ",
+		" cluster-store=, ",
+		" cluster-store-opts=",
+		" debug=true, ",
+		" default-ipc-mode=",
+		" default-runtime=",
+		" default-shm-size=",
+		" insecure-registries=[",
+		" labels=[\"bar=foo\"], ",
+		" live-restore=",
+		" max-concurrent-downloads=1, ",
+		" max-concurrent-uploads=5, ",
+		" name=" + daemonName,
+		" registry-mirrors=[",
+		" runtimes=",
+		" shutdown-timeout=10)",
+	}
+
+	for _, s := range expectedSubstrings {
+		c.Assert(out, checker.Contains, s)
+	}
+}
+
+func (s *DockerDaemonSuite) TestDaemonEventsWithFilters(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	// daemon config file
+	configFilePath := "test.json"
+	configFile, err := os.Create(configFilePath)
+	c.Assert(err, checker.IsNil)
+	defer os.Remove(configFilePath)
+
+	daemonConfig := `{"labels":["foo=bar"]}`
+	fmt.Fprintf(configFile, "%s", daemonConfig)
+	configFile.Close()
+	s.d.Start(c, fmt.Sprintf("--config-file=%s", configFilePath))
+
+	// Get daemon ID
+	out, err := s.d.Cmd("info")
+	c.Assert(err, checker.IsNil)
+	daemonID := ""
+	daemonName := ""
+	for _, line := range strings.Split(out, "\n") {
+		if strings.HasPrefix(line, "ID: ") {
+			daemonID = strings.TrimPrefix(line, "ID: ")
+		} else if strings.HasPrefix(line, "Name: ") {
+			daemonName = strings.TrimPrefix(line, "Name: ")
+		}
+	}
+	c.Assert(daemonID, checker.Not(checker.Equals), "")
+
+	c.Assert(s.d.Signal(unix.SIGHUP), checker.IsNil)
+
+	time.Sleep(3 * time.Second)
+
+	out, err = s.d.Cmd("events", "--since=0", "--until", daemonUnixTime(c), "--filter", fmt.Sprintf("daemon=%s", daemonID))
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, fmt.Sprintf("daemon reload %s", daemonID))
+
+	out, err = s.d.Cmd("events", "--since=0", "--until", daemonUnixTime(c), "--filter", fmt.Sprintf("daemon=%s", daemonName))
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, fmt.Sprintf("daemon reload %s", daemonID))
+
+	out, err = s.d.Cmd("events", "--since=0", "--until", daemonUnixTime(c), "--filter", "daemon=foo")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), fmt.Sprintf("daemon reload %s", daemonID))
+
+	out, err = s.d.Cmd("events", "--since=0", "--until", daemonUnixTime(c), "--filter", "type=daemon")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, fmt.Sprintf("daemon reload %s", daemonID))
+
+	out, err = s.d.Cmd("events", "--since=0", "--until", daemonUnixTime(c), "--filter", "type=container")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), fmt.Sprintf("daemon reload %s", daemonID))
+}
diff --git a/engine/integration-cli/docker_cli_exec_test.go b/engine/integration-cli/docker_cli_exec_test.go
new file mode 100644
index 00000000..e97fb851
--- /dev/null
+++ b/engine/integration-cli/docker_cli_exec_test.go
@@ -0,0 +1,607 @@
+// +build !test_no_exec
+
+package main
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"reflect"
+	"runtime"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestExec(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "--name", "testing", "busybox", "sh", "-c", "echo test > /tmp/file && top")
+	c.Assert(waitRun(strings.TrimSpace(out)), check.IsNil)
+
+	out, _ = dockerCmd(c, "exec", "testing", "cat", "/tmp/file")
+	out = strings.Trim(out, "\r\n")
+	c.Assert(out, checker.Equals, "test")
+
+}
+
+func (s *DockerSuite) TestExecInteractive(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name", "testing", "busybox", "sh", "-c", "echo test > /tmp/file && top")
+
+	execCmd := exec.Command(dockerBinary, "exec", "-i", "testing", "sh")
+	stdin, err := execCmd.StdinPipe()
+	c.Assert(err, checker.IsNil)
+	stdout, err := execCmd.StdoutPipe()
+	c.Assert(err, checker.IsNil)
+
+	err = execCmd.Start()
+	c.Assert(err, checker.IsNil)
+	_, err = stdin.Write([]byte("cat /tmp/file\n"))
+	c.Assert(err, checker.IsNil)
+
+	r := bufio.NewReader(stdout)
+	line, err := r.ReadString('\n')
+	c.Assert(err, checker.IsNil)
+	line = strings.TrimSpace(line)
+	c.Assert(line, checker.Equals, "test")
+	err = stdin.Close()
+	c.Assert(err, checker.IsNil)
+	errChan := make(chan error)
+	go func() {
+		errChan <- execCmd.Wait()
+		close(errChan)
+	}()
+	select {
+	case err := <-errChan:
+		c.Assert(err, checker.IsNil)
+	case <-time.After(1 * time.Second):
+		c.Fatal("docker exec failed to exit on stdin close")
+	}
+
+}
+
+func (s *DockerSuite) TestExecAfterContainerRestart(c *check.C) {
+	out := runSleepingContainer(c)
+	cleanedContainerID := strings.TrimSpace(out)
+	c.Assert(waitRun(cleanedContainerID), check.IsNil)
+	dockerCmd(c, "restart", cleanedContainerID)
+	c.Assert(waitRun(cleanedContainerID), check.IsNil)
+
+	out, _ = dockerCmd(c, "exec", cleanedContainerID, "echo", "hello")
+	outStr := strings.TrimSpace(out)
+	c.Assert(outStr, checker.Equals, "hello")
+}
+
+func (s *DockerDaemonSuite) TestExecAfterDaemonRestart(c *check.C) {
+	// TODO Windows CI: Requires a little work to get this ported.
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "-d", "--name", "top", "-p", "80", "busybox:latest", "top")
+	c.Assert(err, checker.IsNil, check.Commentf("Could not run top: %s", out))
+
+	s.d.Restart(c)
+
+	out, err = s.d.Cmd("start", "top")
+	c.Assert(err, checker.IsNil, check.Commentf("Could not start top after daemon restart: %s", out))
+
+	out, err = s.d.Cmd("exec", "top", "echo", "hello")
+	c.Assert(err, checker.IsNil, check.Commentf("Could not exec on container top: %s", out))
+
+	outStr := strings.TrimSpace(string(out))
+	c.Assert(outStr, checker.Equals, "hello")
+}
+
+// Regression test for #9155, #9044
+func (s *DockerSuite) TestExecEnv(c *check.C) {
+	// TODO Windows CI: This one is interesting and may just end up being a feature
+	// difference between Windows and Linux. On Windows, the environment is passed
+	// into the process that is launched, not into the machine environment. Hence
+	// a subsequent exec will not have LALA set/
+	testRequires(c, DaemonIsLinux)
+	runSleepingContainer(c, "-e", "LALA=value1", "-e", "LALA=value2", "-d", "--name", "testing")
+	c.Assert(waitRun("testing"), check.IsNil)
+
+	out, _ := dockerCmd(c, "exec", "testing", "env")
+	c.Assert(out, checker.Not(checker.Contains), "LALA=value1")
+	c.Assert(out, checker.Contains, "LALA=value2")
+	c.Assert(out, checker.Contains, "HOME=/root")
+}
+
+func (s *DockerSuite) TestExecSetEnv(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	runSleepingContainer(c, "-e", "HOME=/root", "-d", "--name", "testing")
+	c.Assert(waitRun("testing"), check.IsNil)
+
+	out, _ := dockerCmd(c, "exec", "-e", "HOME=/another", "-e", "ABC=xyz", "testing", "env")
+	c.Assert(out, checker.Not(checker.Contains), "HOME=/root")
+	c.Assert(out, checker.Contains, "HOME=/another")
+	c.Assert(out, checker.Contains, "ABC=xyz")
+}
+
+func (s *DockerSuite) TestExecExitStatus(c *check.C) {
+	runSleepingContainer(c, "-d", "--name", "top")
+
+	result := icmd.RunCommand(dockerBinary, "exec", "top", "sh", "-c", "exit 23")
+	result.Assert(c, icmd.Expected{ExitCode: 23, Error: "exit status 23"})
+}
+
+func (s *DockerSuite) TestExecPausedContainer(c *check.C) {
+	testRequires(c, IsPausable)
+
+	out := runSleepingContainer(c, "-d", "--name", "testing")
+	ContainerID := strings.TrimSpace(out)
+
+	dockerCmd(c, "pause", "testing")
+	out, _, err := dockerCmdWithError("exec", ContainerID, "echo", "hello")
+	c.Assert(err, checker.NotNil, check.Commentf("container should fail to exec new command if it is paused"))
+
+	expected := ContainerID + " is paused, unpause the container before exec"
+	c.Assert(out, checker.Contains, expected, check.Commentf("container should not exec new command if it is paused"))
+}
+
+// regression test for #9476
+func (s *DockerSuite) TestExecTTYCloseStdin(c *check.C) {
+	// TODO Windows CI: This requires some work to port to Windows.
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "-it", "--name", "exec_tty_stdin", "busybox")
+
+	cmd := exec.Command(dockerBinary, "exec", "-i", "exec_tty_stdin", "cat")
+	stdinRw, err := cmd.StdinPipe()
+	c.Assert(err, checker.IsNil)
+
+	stdinRw.Write([]byte("test"))
+	stdinRw.Close()
+
+	out, _, err := runCommandWithOutput(cmd)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, _ = dockerCmd(c, "top", "exec_tty_stdin")
+	outArr := strings.Split(out, "\n")
+	c.Assert(len(outArr), checker.LessOrEqualThan, 3, check.Commentf("exec process left running"))
+	c.Assert(out, checker.Not(checker.Contains), "nsenter-exec")
+}
+
+func (s *DockerSuite) TestExecTTYWithoutStdin(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "-ti", "busybox")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	errChan := make(chan error)
+	go func() {
+		defer close(errChan)
+
+		cmd := exec.Command(dockerBinary, "exec", "-ti", id, "true")
+		if _, err := cmd.StdinPipe(); err != nil {
+			errChan <- err
+			return
+		}
+
+		expected := "the input device is not a TTY"
+		if runtime.GOOS == "windows" {
+			expected += ".  If you are using mintty, try prefixing the command with 'winpty'"
+		}
+		if out, _, err := runCommandWithOutput(cmd); err == nil {
+			errChan <- fmt.Errorf("exec should have failed")
+			return
+		} else if !strings.Contains(out, expected) {
+			errChan <- fmt.Errorf("exec failed with error %q: expected %q", out, expected)
+			return
+		}
+	}()
+
+	select {
+	case err := <-errChan:
+		c.Assert(err, check.IsNil)
+	case <-time.After(3 * time.Second):
+		c.Fatal("exec is running but should have failed")
+	}
+}
+
+// FIXME(vdemeester) this should be a unit tests on cli/command/container package
+func (s *DockerSuite) TestExecParseError(c *check.C) {
+	// TODO Windows CI: Requires some extra work. Consider copying the
+	// runSleepingContainer helper to have an exec version.
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name", "top", "busybox", "top")
+
+	// Test normal (non-detached) case first
+	icmd.RunCommand(dockerBinary, "exec", "top").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Error:    "exit status 1",
+		Err:      "See 'docker exec --help'",
+	})
+}
+
+func (s *DockerSuite) TestExecStopNotHanging(c *check.C) {
+	// TODO Windows CI: Requires some extra work. Consider copying the
+	// runSleepingContainer helper to have an exec version.
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name", "testing", "busybox", "top")
+
+	result := icmd.StartCmd(icmd.Command(dockerBinary, "exec", "testing", "top"))
+	result.Assert(c, icmd.Success)
+	go icmd.WaitOnCmd(0, result)
+
+	type dstop struct {
+		out string
+		err error
+	}
+	ch := make(chan dstop)
+	go func() {
+		result := icmd.RunCommand(dockerBinary, "stop", "testing")
+		ch <- dstop{result.Combined(), result.Error}
+		close(ch)
+	}()
+	select {
+	case <-time.After(3 * time.Second):
+		c.Fatal("Container stop timed out")
+	case s := <-ch:
+		c.Assert(s.err, check.IsNil)
+	}
+}
+
+func (s *DockerSuite) TestExecCgroup(c *check.C) {
+	// Not applicable on Windows - using Linux specific functionality
+	testRequires(c, NotUserNamespace)
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name", "testing", "busybox", "top")
+
+	out, _ := dockerCmd(c, "exec", "testing", "cat", "/proc/1/cgroup")
+	containerCgroups := sort.StringSlice(strings.Split(out, "\n"))
+
+	var wg sync.WaitGroup
+	var mu sync.Mutex
+	var execCgroups []sort.StringSlice
+	errChan := make(chan error)
+	// exec a few times concurrently to get consistent failure
+	for i := 0; i < 5; i++ {
+		wg.Add(1)
+		go func() {
+			out, _, err := dockerCmdWithError("exec", "testing", "cat", "/proc/self/cgroup")
+			if err != nil {
+				errChan <- err
+				return
+			}
+			cg := sort.StringSlice(strings.Split(out, "\n"))
+
+			mu.Lock()
+			execCgroups = append(execCgroups, cg)
+			mu.Unlock()
+			wg.Done()
+		}()
+	}
+	wg.Wait()
+	close(errChan)
+
+	for err := range errChan {
+		c.Assert(err, checker.IsNil)
+	}
+
+	for _, cg := range execCgroups {
+		if !reflect.DeepEqual(cg, containerCgroups) {
+			fmt.Println("exec cgroups:")
+			for _, name := range cg {
+				fmt.Printf(" %s\n", name)
+			}
+
+			fmt.Println("container cgroups:")
+			for _, name := range containerCgroups {
+				fmt.Printf(" %s\n", name)
+			}
+			c.Fatal("cgroups mismatched")
+		}
+	}
+}
+
+func (s *DockerSuite) TestExecInspectID(c *check.C) {
+	out := runSleepingContainer(c, "-d")
+	id := strings.TrimSuffix(out, "\n")
+
+	out = inspectField(c, id, "ExecIDs")
+	c.Assert(out, checker.Equals, "[]", check.Commentf("ExecIDs should be empty, got: %s", out))
+
+	// Start an exec, have it block waiting so we can do some checking
+	cmd := exec.Command(dockerBinary, "exec", id, "sh", "-c",
+		"while ! test -e /execid1; do sleep 1; done")
+
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil, check.Commentf("failed to start the exec cmd"))
+
+	// Give the exec 10 chances/seconds to start then give up and stop the test
+	tries := 10
+	for i := 0; i < tries; i++ {
+		// Since its still running we should see exec as part of the container
+		out = strings.TrimSpace(inspectField(c, id, "ExecIDs"))
+
+		if out != "[]" && out != "<no value>" {
+			break
+		}
+		c.Assert(i+1, checker.Not(checker.Equals), tries, check.Commentf("ExecIDs still empty after 10 second"))
+		time.Sleep(1 * time.Second)
+	}
+
+	// Save execID for later
+	execID, err := inspectFilter(id, "index .ExecIDs 0")
+	c.Assert(err, checker.IsNil, check.Commentf("failed to get the exec id"))
+
+	// End the exec by creating the missing file
+	err = exec.Command(dockerBinary, "exec", id,
+		"sh", "-c", "touch /execid1").Run()
+
+	c.Assert(err, checker.IsNil, check.Commentf("failed to run the 2nd exec cmd"))
+
+	// Wait for 1st exec to complete
+	cmd.Wait()
+
+	// Give the exec 10 chances/seconds to stop then give up and stop the test
+	for i := 0; i < tries; i++ {
+		// Since its still running we should see exec as part of the container
+		out = strings.TrimSpace(inspectField(c, id, "ExecIDs"))
+
+		if out == "[]" {
+			break
+		}
+		c.Assert(i+1, checker.Not(checker.Equals), tries, check.Commentf("ExecIDs still not empty after 10 second"))
+		time.Sleep(1 * time.Second)
+	}
+
+	// But we should still be able to query the execID
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	_, err = cli.ContainerExecInspect(context.Background(), execID)
+	c.Assert(err, checker.IsNil)
+
+	// Now delete the container and then an 'inspect' on the exec should
+	// result in a 404 (not 'container not running')
+	out, ec := dockerCmd(c, "rm", "-f", id)
+	c.Assert(ec, checker.Equals, 0, check.Commentf("error removing container: %s", out))
+
+	_, err = cli.ContainerExecInspect(context.Background(), execID)
+	expected := "No such exec instance"
+	c.Assert(err.Error(), checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestLinksPingLinkedContainersOnRename(c *check.C) {
+	// Problematic on Windows as Windows does not support links
+	testRequires(c, DaemonIsLinux)
+	var out string
+	out, _ = dockerCmd(c, "run", "-d", "--name", "container1", "busybox", "top")
+	idA := strings.TrimSpace(out)
+	c.Assert(idA, checker.Not(checker.Equals), "", check.Commentf("%s, id should not be nil", out))
+	out, _ = dockerCmd(c, "run", "-d", "--link", "container1:alias1", "--name", "container2", "busybox", "top")
+	idB := strings.TrimSpace(out)
+	c.Assert(idB, checker.Not(checker.Equals), "", check.Commentf("%s, id should not be nil", out))
+
+	dockerCmd(c, "exec", "container2", "ping", "-c", "1", "alias1", "-W", "1")
+	dockerCmd(c, "rename", "container1", "container_new")
+	dockerCmd(c, "exec", "container2", "ping", "-c", "1", "alias1", "-W", "1")
+}
+
+func (s *DockerSuite) TestRunMutableNetworkFiles(c *check.C) {
+	// Not applicable on Windows to Windows CI.
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+	for _, fn := range []string{"resolv.conf", "hosts"} {
+		containers := cli.DockerCmd(c, "ps", "-q", "-a").Combined()
+		if containers != "" {
+			cli.DockerCmd(c, append([]string{"rm", "-fv"}, strings.Split(strings.TrimSpace(containers), "\n")...)...)
+		}
+
+		content := runCommandAndReadContainerFile(c, fn, dockerBinary, "run", "-d", "--name", "c1", "busybox", "sh", "-c", fmt.Sprintf("echo success >/etc/%s && top", fn))
+
+		c.Assert(strings.TrimSpace(string(content)), checker.Equals, "success", check.Commentf("Content was not what was modified in the container", string(content)))
+
+		out, _ := dockerCmd(c, "run", "-d", "--name", "c2", "busybox", "top")
+		contID := strings.TrimSpace(out)
+		netFilePath := containerStorageFile(contID, fn)
+
+		f, err := os.OpenFile(netFilePath, os.O_WRONLY|os.O_SYNC|os.O_APPEND, 0644)
+		c.Assert(err, checker.IsNil)
+
+		if _, err := f.Seek(0, 0); err != nil {
+			f.Close()
+			c.Fatal(err)
+		}
+
+		if err := f.Truncate(0); err != nil {
+			f.Close()
+			c.Fatal(err)
+		}
+
+		if _, err := f.Write([]byte("success2\n")); err != nil {
+			f.Close()
+			c.Fatal(err)
+		}
+		f.Close()
+
+		res, _ := dockerCmd(c, "exec", contID, "cat", "/etc/"+fn)
+		c.Assert(res, checker.Equals, "success2\n")
+	}
+}
+
+func (s *DockerSuite) TestExecWithUser(c *check.C) {
+	// TODO Windows CI: This may be fixable in the future once Windows
+	// supports users
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name", "parent", "busybox", "top")
+
+	out, _ := dockerCmd(c, "exec", "-u", "1", "parent", "id")
+	c.Assert(out, checker.Contains, "uid=1(daemon) gid=1(daemon)")
+
+	out, _ = dockerCmd(c, "exec", "-u", "root", "parent", "id")
+	c.Assert(out, checker.Contains, "uid=0(root) gid=0(root)", check.Commentf("exec with user by id expected daemon user got %s", out))
+}
+
+func (s *DockerSuite) TestExecWithPrivileged(c *check.C) {
+	// Not applicable on Windows
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	// Start main loop which attempts mknod repeatedly
+	dockerCmd(c, "run", "-d", "--name", "parent", "--cap-drop=ALL", "busybox", "sh", "-c", `while (true); do if [ -e /exec_priv ]; then cat /exec_priv && mknod /tmp/sda b 8 0 && echo "Success"; else echo "Privileged exec has not run yet"; fi; usleep 10000; done`)
+
+	// Check exec mknod doesn't work
+	icmd.RunCommand(dockerBinary, "exec", "parent", "sh", "-c", "mknod /tmp/sdb b 8 16").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+
+	// Check exec mknod does work with --privileged
+	result := icmd.RunCommand(dockerBinary, "exec", "--privileged", "parent", "sh", "-c", `echo "Running exec --privileged" > /exec_priv && mknod /tmp/sdb b 8 16 && usleep 50000 && echo "Finished exec --privileged" > /exec_priv && echo ok`)
+	result.Assert(c, icmd.Success)
+
+	actual := strings.TrimSpace(result.Combined())
+	c.Assert(actual, checker.Equals, "ok", check.Commentf("exec mknod in --cap-drop=ALL container with --privileged failed, output: %q", result.Combined()))
+
+	// Check subsequent unprivileged exec cannot mknod
+	icmd.RunCommand(dockerBinary, "exec", "parent", "sh", "-c", "mknod /tmp/sdc b 8 32").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+	// Confirm at no point was mknod allowed
+	result = icmd.RunCommand(dockerBinary, "logs", "parent")
+	result.Assert(c, icmd.Success)
+	c.Assert(result.Combined(), checker.Not(checker.Contains), "Success")
+
+}
+
+func (s *DockerSuite) TestExecWithImageUser(c *check.C) {
+	// Not applicable on Windows
+	testRequires(c, DaemonIsLinux)
+	name := "testbuilduser"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+		USER dockerio`))
+	dockerCmd(c, "run", "-d", "--name", "dockerioexec", name, "top")
+
+	out, _ := dockerCmd(c, "exec", "dockerioexec", "whoami")
+	c.Assert(out, checker.Contains, "dockerio", check.Commentf("exec with user by id expected dockerio user got %s", out))
+}
+
+func (s *DockerSuite) TestExecOnReadonlyContainer(c *check.C) {
+	// Windows does not support read-only
+	// --read-only + userns has remount issues
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	dockerCmd(c, "run", "-d", "--read-only", "--name", "parent", "busybox", "top")
+	dockerCmd(c, "exec", "parent", "true")
+}
+
+func (s *DockerSuite) TestExecUlimits(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "testexeculimits"
+	runSleepingContainer(c, "-d", "--ulimit", "nofile=511:511", "--name", name)
+	c.Assert(waitRun(name), checker.IsNil)
+
+	out, _, err := dockerCmdWithError("exec", name, "sh", "-c", "ulimit -n")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "511")
+}
+
+// #15750
+func (s *DockerSuite) TestExecStartFails(c *check.C) {
+	// TODO Windows CI. This test should be portable. Figure out why it fails
+	// currently.
+	testRequires(c, DaemonIsLinux)
+	name := "exec-15750"
+	runSleepingContainer(c, "-d", "--name", name)
+	c.Assert(waitRun(name), checker.IsNil)
+
+	out, _, err := dockerCmdWithError("exec", name, "no-such-cmd")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "executable file not found")
+}
+
+// Fix regression in https://github.com/docker/docker/pull/26461#issuecomment-250287297
+func (s *DockerSuite) TestExecWindowsPathNotWiped(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	out, _ := dockerCmd(c, "run", "-d", "--name", "testing", minimalBaseImage(), "powershell", "start-sleep", "60")
+	c.Assert(waitRun(strings.TrimSpace(out)), check.IsNil)
+
+	out, _ = dockerCmd(c, "exec", "testing", "powershell", "write-host", "$env:PATH")
+	out = strings.ToLower(strings.Trim(out, "\r\n"))
+	c.Assert(out, checker.Contains, `windowspowershell\v1.0`)
+}
+
+func (s *DockerSuite) TestExecEnvLinksHost(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	runSleepingContainer(c, "-d", "--name", "foo")
+	runSleepingContainer(c, "-d", "--link", "foo:db", "--hostname", "myhost", "--name", "bar")
+	out, _ := dockerCmd(c, "exec", "bar", "env")
+	c.Assert(out, checker.Contains, "HOSTNAME=myhost")
+	c.Assert(out, checker.Contains, "DB_NAME=/bar/db")
+}
+
+func (s *DockerSuite) TestExecWindowsOpenHandles(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	runSleepingContainer(c, "-d", "--name", "test")
+	exec := make(chan bool)
+	go func() {
+		dockerCmd(c, "exec", "test", "cmd", "/c", "start sleep 10")
+		exec <- true
+	}()
+
+	count := 0
+	for {
+		top := make(chan string)
+		var out string
+		go func() {
+			out, _ := dockerCmd(c, "top", "test")
+			top <- out
+		}()
+
+		select {
+		case <-time.After(time.Second * 5):
+			c.Fatal("timed out waiting for top while exec is exiting")
+		case out = <-top:
+			break
+		}
+
+		if strings.Count(out, "busybox.exe") == 2 && !strings.Contains(out, "cmd.exe") {
+			// The initial exec process (cmd.exe) has exited, and both sleeps are currently running
+			break
+		}
+		count++
+		if count >= 30 {
+			c.Fatal("too many retries")
+		}
+		time.Sleep(1 * time.Second)
+	}
+
+	inspect := make(chan bool)
+	go func() {
+		dockerCmd(c, "inspect", "test")
+		inspect <- true
+	}()
+
+	select {
+	case <-time.After(time.Second * 5):
+		c.Fatal("timed out waiting for inspect while exec is exiting")
+	case <-inspect:
+		break
+	}
+
+	// Ensure the background sleep is still running
+	out, _ := dockerCmd(c, "top", "test")
+	c.Assert(strings.Count(out, "busybox.exe"), checker.Equals, 2)
+
+	// The exec should exit when the background sleep exits
+	select {
+	case <-time.After(time.Second * 15):
+		c.Fatal("timed out waiting for async exec to exit")
+	case <-exec:
+		// Ensure the background sleep has actually exited
+		out, _ := dockerCmd(c, "top", "test")
+		c.Assert(strings.Count(out, "busybox.exe"), checker.Equals, 1)
+		break
+	}
+}
diff --git a/engine/integration-cli/docker_cli_exec_unix_test.go b/engine/integration-cli/docker_cli_exec_unix_test.go
new file mode 100644
index 00000000..4c77df4f
--- /dev/null
+++ b/engine/integration-cli/docker_cli_exec_unix_test.go
@@ -0,0 +1,97 @@
+// +build !windows,!test_no_exec
+
+package main
+
+import (
+	"bytes"
+	"io"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"github.com/kr/pty"
+)
+
+// regression test for #12546
+func (s *DockerSuite) TestExecInteractiveStdinClose(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-itd", "busybox", "/bin/cat")
+	contID := strings.TrimSpace(out)
+
+	cmd := exec.Command(dockerBinary, "exec", "-i", contID, "echo", "-n", "hello")
+	p, err := pty.Start(cmd)
+	c.Assert(err, checker.IsNil)
+
+	b := bytes.NewBuffer(nil)
+
+	ch := make(chan error)
+	go func() { ch <- cmd.Wait() }()
+
+	select {
+	case err := <-ch:
+		c.Assert(err, checker.IsNil)
+		io.Copy(b, p)
+		p.Close()
+		bs := b.Bytes()
+		bs = bytes.Trim(bs, "\x00")
+		output := string(bs[:])
+		c.Assert(strings.TrimSpace(output), checker.Equals, "hello")
+	case <-time.After(5 * time.Second):
+		p.Close()
+		c.Fatal("timed out running docker exec")
+	}
+}
+
+func (s *DockerSuite) TestExecTTY(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	dockerCmd(c, "run", "-d", "--name=test", "busybox", "sh", "-c", "echo hello > /foo && top")
+
+	cmd := exec.Command(dockerBinary, "exec", "-it", "test", "sh")
+	p, err := pty.Start(cmd)
+	c.Assert(err, checker.IsNil)
+	defer p.Close()
+
+	_, err = p.Write([]byte("cat /foo && exit\n"))
+	c.Assert(err, checker.IsNil)
+
+	chErr := make(chan error)
+	go func() {
+		chErr <- cmd.Wait()
+	}()
+	select {
+	case err := <-chErr:
+		c.Assert(err, checker.IsNil)
+	case <-time.After(3 * time.Second):
+		c.Fatal("timeout waiting for exec to exit")
+	}
+
+	buf := make([]byte, 256)
+	read, err := p.Read(buf)
+	c.Assert(err, checker.IsNil)
+	c.Assert(bytes.Contains(buf, []byte("hello")), checker.Equals, true, check.Commentf(string(buf[:read])))
+}
+
+// Test the TERM env var is set when -t is provided on exec
+func (s *DockerSuite) TestExecWithTERM(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	out, _ := dockerCmd(c, "run", "-id", "busybox", "/bin/cat")
+	contID := strings.TrimSpace(out)
+	cmd := exec.Command(dockerBinary, "exec", "-t", contID, "sh", "-c", "if [ -z $TERM ]; then exit 1; else exit 0; fi")
+	if err := cmd.Run(); err != nil {
+		c.Assert(err, checker.IsNil)
+	}
+}
+
+// Test that the TERM env var is not set on exec when -t is not provided, even if it was set
+// on run
+func (s *DockerSuite) TestExecWithNoTERM(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	out, _ := dockerCmd(c, "run", "-itd", "busybox", "/bin/cat")
+	contID := strings.TrimSpace(out)
+	cmd := exec.Command(dockerBinary, "exec", contID, "sh", "-c", "if [ -z $TERM ]; then exit 0; else exit 1; fi")
+	if err := cmd.Run(); err != nil {
+		c.Assert(err, checker.IsNil)
+	}
+}
diff --git a/engine/integration-cli/docker_cli_export_import_test.go b/engine/integration-cli/docker_cli_export_import_test.go
new file mode 100644
index 00000000..d0dac973
--- /dev/null
+++ b/engine/integration-cli/docker_cli_export_import_test.go
@@ -0,0 +1,34 @@
+package main
+
+import (
+	"os"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+// TODO: Move this test to docker/cli, as it is essentially the same test
+// as TestExportContainerAndImportImage except output to a file.
+// Used to test output flag in the export command
+func (s *DockerSuite) TestExportContainerWithOutputAndImportImage(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	containerID := "testexportcontainerwithoutputandimportimage"
+
+	dockerCmd(c, "run", "--name", containerID, "busybox", "true")
+	dockerCmd(c, "export", "--output=testexp.tar", containerID)
+	defer os.Remove("testexp.tar")
+
+	resultCat := icmd.RunCommand("cat", "testexp.tar")
+	resultCat.Assert(c, icmd.Success)
+
+	result := icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "import", "-", "repo/testexp:v1"},
+		Stdin:   strings.NewReader(resultCat.Combined()),
+	})
+	result.Assert(c, icmd.Success)
+
+	cleanedImageID := strings.TrimSpace(result.Combined())
+	c.Assert(cleanedImageID, checker.Not(checker.Equals), "", check.Commentf("output should have been an image id"))
+}
diff --git a/engine/integration-cli/docker_cli_external_volume_driver_unix_test.go b/engine/integration-cli/docker_cli_external_volume_driver_unix_test.go
new file mode 100644
index 00000000..719473b1
--- /dev/null
+++ b/engine/integration-cli/docker_cli_external_volume_driver_unix_test.go
@@ -0,0 +1,631 @@
+// +build !windows
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/daemon"
+	testdaemon "github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/volume"
+	"github.com/go-check/check"
+)
+
+const volumePluginName = "test-external-volume-driver"
+
+func init() {
+	check.Suite(&DockerExternalVolumeSuite{
+		ds: &DockerSuite{},
+	})
+}
+
+type eventCounter struct {
+	activations int
+	creations   int
+	removals    int
+	mounts      int
+	unmounts    int
+	paths       int
+	lists       int
+	gets        int
+	caps        int
+}
+
+type DockerExternalVolumeSuite struct {
+	ds *DockerSuite
+	d  *daemon.Daemon
+	*volumePlugin
+}
+
+func (s *DockerExternalVolumeSuite) SetUpTest(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	s.d = daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	s.ec = &eventCounter{}
+}
+
+func (s *DockerExternalVolumeSuite) TearDownTest(c *check.C) {
+	if s.d != nil {
+		s.d.Stop(c)
+		s.ds.TearDownTest(c)
+	}
+}
+
+func (s *DockerExternalVolumeSuite) SetUpSuite(c *check.C) {
+	s.volumePlugin = newVolumePlugin(c, volumePluginName)
+}
+
+type volumePlugin struct {
+	ec *eventCounter
+	*httptest.Server
+	vols map[string]vol
+}
+
+type vol struct {
+	Name       string
+	Mountpoint string
+	Ninja      bool // hack used to trigger a null volume return on `Get`
+	Status     map[string]interface{}
+	Options    map[string]string
+}
+
+func (p *volumePlugin) Close() {
+	p.Server.Close()
+}
+
+func newVolumePlugin(c *check.C, name string) *volumePlugin {
+	mux := http.NewServeMux()
+	s := &volumePlugin{Server: httptest.NewServer(mux), ec: &eventCounter{}, vols: make(map[string]vol)}
+
+	type pluginRequest struct {
+		Name string
+		Opts map[string]string
+		ID   string
+	}
+
+	type pluginResp struct {
+		Mountpoint string `json:",omitempty"`
+		Err        string `json:",omitempty"`
+	}
+
+	read := func(b io.ReadCloser) (pluginRequest, error) {
+		defer b.Close()
+		var pr pluginRequest
+		err := json.NewDecoder(b).Decode(&pr)
+		return pr, err
+	}
+
+	send := func(w http.ResponseWriter, data interface{}) {
+		switch t := data.(type) {
+		case error:
+			http.Error(w, t.Error(), 500)
+		case string:
+			w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+			fmt.Fprintln(w, t)
+		default:
+			w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+			json.NewEncoder(w).Encode(&data)
+		}
+	}
+
+	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
+		s.ec.activations++
+		send(w, `{"Implements": ["VolumeDriver"]}`)
+	})
+
+	mux.HandleFunc("/VolumeDriver.Create", func(w http.ResponseWriter, r *http.Request) {
+		s.ec.creations++
+		pr, err := read(r.Body)
+		if err != nil {
+			send(w, err)
+			return
+		}
+		_, isNinja := pr.Opts["ninja"]
+		status := map[string]interface{}{"Hello": "world"}
+		s.vols[pr.Name] = vol{Name: pr.Name, Ninja: isNinja, Status: status, Options: pr.Opts}
+		send(w, nil)
+	})
+
+	mux.HandleFunc("/VolumeDriver.List", func(w http.ResponseWriter, r *http.Request) {
+		s.ec.lists++
+		vols := make([]vol, 0, len(s.vols))
+		for _, v := range s.vols {
+			if v.Ninja {
+				continue
+			}
+			vols = append(vols, v)
+		}
+		send(w, map[string][]vol{"Volumes": vols})
+	})
+
+	mux.HandleFunc("/VolumeDriver.Get", func(w http.ResponseWriter, r *http.Request) {
+		s.ec.gets++
+		pr, err := read(r.Body)
+		if err != nil {
+			send(w, err)
+			return
+		}
+
+		v, exists := s.vols[pr.Name]
+		if !exists {
+			send(w, `{"Err": "no such volume"}`)
+		}
+
+		if v.Ninja {
+			send(w, map[string]vol{})
+			return
+		}
+
+		v.Mountpoint = hostVolumePath(pr.Name)
+		send(w, map[string]vol{"Volume": v})
+		return
+	})
+
+	mux.HandleFunc("/VolumeDriver.Remove", func(w http.ResponseWriter, r *http.Request) {
+		s.ec.removals++
+		pr, err := read(r.Body)
+		if err != nil {
+			send(w, err)
+			return
+		}
+
+		v, ok := s.vols[pr.Name]
+		if !ok {
+			send(w, nil)
+			return
+		}
+
+		if err := os.RemoveAll(hostVolumePath(v.Name)); err != nil {
+			send(w, &pluginResp{Err: err.Error()})
+			return
+		}
+		delete(s.vols, v.Name)
+		send(w, nil)
+	})
+
+	mux.HandleFunc("/VolumeDriver.Path", func(w http.ResponseWriter, r *http.Request) {
+		s.ec.paths++
+
+		pr, err := read(r.Body)
+		if err != nil {
+			send(w, err)
+			return
+		}
+		p := hostVolumePath(pr.Name)
+		send(w, &pluginResp{Mountpoint: p})
+	})
+
+	mux.HandleFunc("/VolumeDriver.Mount", func(w http.ResponseWriter, r *http.Request) {
+		s.ec.mounts++
+
+		pr, err := read(r.Body)
+		if err != nil {
+			send(w, err)
+			return
+		}
+
+		if v, exists := s.vols[pr.Name]; exists {
+			// Use this to simulate a mount failure
+			if _, exists := v.Options["invalidOption"]; exists {
+				send(w, fmt.Errorf("invalid argument"))
+				return
+			}
+		}
+
+		p := hostVolumePath(pr.Name)
+		if err := os.MkdirAll(p, 0755); err != nil {
+			send(w, &pluginResp{Err: err.Error()})
+			return
+		}
+
+		if err := ioutil.WriteFile(filepath.Join(p, "test"), []byte(s.Server.URL), 0644); err != nil {
+			send(w, err)
+			return
+		}
+
+		if err := ioutil.WriteFile(filepath.Join(p, "mountID"), []byte(pr.ID), 0644); err != nil {
+			send(w, err)
+			return
+		}
+
+		send(w, &pluginResp{Mountpoint: p})
+	})
+
+	mux.HandleFunc("/VolumeDriver.Unmount", func(w http.ResponseWriter, r *http.Request) {
+		s.ec.unmounts++
+
+		_, err := read(r.Body)
+		if err != nil {
+			send(w, err)
+			return
+		}
+
+		send(w, nil)
+	})
+
+	mux.HandleFunc("/VolumeDriver.Capabilities", func(w http.ResponseWriter, r *http.Request) {
+		s.ec.caps++
+
+		_, err := read(r.Body)
+		if err != nil {
+			send(w, err)
+			return
+		}
+
+		send(w, `{"Capabilities": { "Scope": "global" }}`)
+	})
+
+	err := os.MkdirAll("/etc/docker/plugins", 0755)
+	c.Assert(err, checker.IsNil)
+
+	err = ioutil.WriteFile("/etc/docker/plugins/"+name+".spec", []byte(s.Server.URL), 0644)
+	c.Assert(err, checker.IsNil)
+	return s
+}
+
+func (s *DockerExternalVolumeSuite) TearDownSuite(c *check.C) {
+	s.volumePlugin.Close()
+
+	err := os.RemoveAll("/etc/docker/plugins")
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *DockerExternalVolumeSuite) TestVolumeCLICreateOptionConflict(c *check.C) {
+	dockerCmd(c, "volume", "create", "test")
+
+	out, _, err := dockerCmdWithError("volume", "create", "test", "--driver", volumePluginName)
+	c.Assert(err, check.NotNil, check.Commentf("volume create exception name already in use with another driver"))
+	c.Assert(out, checker.Contains, "must be unique")
+
+	out, _ = dockerCmd(c, "volume", "inspect", "--format={{ .Driver }}", "test")
+	_, _, err = dockerCmdWithError("volume", "create", "test", "--driver", strings.TrimSpace(out))
+	c.Assert(err, check.IsNil)
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverNamed(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "--rm", "--name", "test-data", "-v", "external-volume-test:/tmp/external-volume-test", "--volume-driver", volumePluginName, "busybox:latest", "cat", "/tmp/external-volume-test/test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, s.Server.URL)
+
+	_, err = s.d.Cmd("volume", "rm", "external-volume-test")
+	c.Assert(err, checker.IsNil)
+
+	p := hostVolumePath("external-volume-test")
+	_, err = os.Lstat(p)
+	c.Assert(err, checker.NotNil)
+	c.Assert(os.IsNotExist(err), checker.True, check.Commentf("Expected volume path in host to not exist: %s, %v\n", p, err))
+
+	c.Assert(s.ec.activations, checker.Equals, 1)
+	c.Assert(s.ec.creations, checker.Equals, 1)
+	c.Assert(s.ec.removals, checker.Equals, 1)
+	c.Assert(s.ec.mounts, checker.Equals, 1)
+	c.Assert(s.ec.unmounts, checker.Equals, 1)
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverUnnamed(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "--rm", "--name", "test-data", "-v", "/tmp/external-volume-test", "--volume-driver", volumePluginName, "busybox:latest", "cat", "/tmp/external-volume-test/test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, s.Server.URL)
+
+	c.Assert(s.ec.activations, checker.Equals, 1)
+	c.Assert(s.ec.creations, checker.Equals, 1)
+	c.Assert(s.ec.removals, checker.Equals, 1)
+	c.Assert(s.ec.mounts, checker.Equals, 1)
+	c.Assert(s.ec.unmounts, checker.Equals, 1)
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverVolumesFrom(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "--name", "vol-test1", "-v", "/foo", "--volume-driver", volumePluginName, "busybox:latest")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("run", "--rm", "--volumes-from", "vol-test1", "--name", "vol-test2", "busybox", "ls", "/tmp")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("rm", "-fv", "vol-test1")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	c.Assert(s.ec.activations, checker.Equals, 1)
+	c.Assert(s.ec.creations, checker.Equals, 1)
+	c.Assert(s.ec.removals, checker.Equals, 1)
+	c.Assert(s.ec.mounts, checker.Equals, 2)
+	c.Assert(s.ec.unmounts, checker.Equals, 2)
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverDeleteContainer(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "--name", "vol-test1", "-v", "/foo", "--volume-driver", volumePluginName, "busybox:latest")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("rm", "-fv", "vol-test1")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	c.Assert(s.ec.activations, checker.Equals, 1)
+	c.Assert(s.ec.creations, checker.Equals, 1)
+	c.Assert(s.ec.removals, checker.Equals, 1)
+	c.Assert(s.ec.mounts, checker.Equals, 1)
+	c.Assert(s.ec.unmounts, checker.Equals, 1)
+}
+
+func hostVolumePath(name string) string {
+	return fmt.Sprintf("/var/lib/docker/volumes/%s", name)
+}
+
+// Make sure a request to use a down driver doesn't block other requests
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverLookupNotBlocked(c *check.C) {
+	specPath := "/etc/docker/plugins/down-driver.spec"
+	err := ioutil.WriteFile(specPath, []byte("tcp://127.0.0.7:9999"), 0644)
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(specPath)
+
+	chCmd1 := make(chan struct{})
+	chCmd2 := make(chan error)
+	cmd1 := exec.Command(dockerBinary, "volume", "create", "-d", "down-driver")
+	cmd2 := exec.Command(dockerBinary, "volume", "create")
+
+	c.Assert(cmd1.Start(), checker.IsNil)
+	defer cmd1.Process.Kill()
+	time.Sleep(100 * time.Millisecond) // ensure API has been called
+	c.Assert(cmd2.Start(), checker.IsNil)
+
+	go func() {
+		cmd1.Wait()
+		close(chCmd1)
+	}()
+	go func() {
+		chCmd2 <- cmd2.Wait()
+	}()
+
+	select {
+	case <-chCmd1:
+		cmd2.Process.Kill()
+		c.Fatalf("volume create with down driver finished unexpectedly")
+	case err := <-chCmd2:
+		c.Assert(err, checker.IsNil)
+	case <-time.After(5 * time.Second):
+		cmd2.Process.Kill()
+		c.Fatal("volume creates are blocked by previous create requests when previous driver is down")
+	}
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverRetryNotImmediatelyExists(c *check.C) {
+	s.d.StartWithBusybox(c)
+	driverName := "test-external-volume-driver-retry"
+
+	errchan := make(chan error)
+	started := make(chan struct{})
+	go func() {
+		close(started)
+		if out, err := s.d.Cmd("run", "--rm", "--name", "test-data-retry", "-v", "external-volume-test:/tmp/external-volume-test", "--volume-driver", driverName, "busybox:latest"); err != nil {
+			errchan <- fmt.Errorf("%v:\n%s", err, out)
+		}
+		close(errchan)
+	}()
+
+	<-started
+	// wait for a retry to occur, then create spec to allow plugin to register
+	time.Sleep(2 * time.Second)
+	p := newVolumePlugin(c, driverName)
+	defer p.Close()
+
+	select {
+	case err := <-errchan:
+		c.Assert(err, checker.IsNil)
+	case <-time.After(8 * time.Second):
+		c.Fatal("volume creates fail when plugin not immediately available")
+	}
+
+	_, err := s.d.Cmd("volume", "rm", "external-volume-test")
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(p.ec.activations, checker.Equals, 1)
+	c.Assert(p.ec.creations, checker.Equals, 1)
+	c.Assert(p.ec.removals, checker.Equals, 1)
+	c.Assert(p.ec.mounts, checker.Equals, 1)
+	c.Assert(p.ec.unmounts, checker.Equals, 1)
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverBindExternalVolume(c *check.C) {
+	dockerCmd(c, "volume", "create", "-d", volumePluginName, "foo")
+	dockerCmd(c, "run", "-d", "--name", "testing", "-v", "foo:/bar", "busybox", "top")
+
+	var mounts []struct {
+		Name   string
+		Driver string
+	}
+	out := inspectFieldJSON(c, "testing", "Mounts")
+	c.Assert(json.NewDecoder(strings.NewReader(out)).Decode(&mounts), checker.IsNil)
+	c.Assert(len(mounts), checker.Equals, 1, check.Commentf(out))
+	c.Assert(mounts[0].Name, checker.Equals, "foo")
+	c.Assert(mounts[0].Driver, checker.Equals, volumePluginName)
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverList(c *check.C) {
+	dockerCmd(c, "volume", "create", "-d", volumePluginName, "abc3")
+	out, _ := dockerCmd(c, "volume", "ls")
+	ls := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(ls), check.Equals, 2, check.Commentf("\n%s", out))
+
+	vol := strings.Fields(ls[len(ls)-1])
+	c.Assert(len(vol), check.Equals, 2, check.Commentf("%v", vol))
+	c.Assert(vol[0], check.Equals, volumePluginName)
+	c.Assert(vol[1], check.Equals, "abc3")
+
+	c.Assert(s.ec.lists, check.Equals, 1)
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverGet(c *check.C) {
+	out, _, err := dockerCmdWithError("volume", "inspect", "dummy")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "No such volume")
+	c.Assert(s.ec.gets, check.Equals, 1)
+
+	dockerCmd(c, "volume", "create", "test", "-d", volumePluginName)
+	out, _ = dockerCmd(c, "volume", "inspect", "test")
+
+	type vol struct {
+		Status map[string]string
+	}
+	var st []vol
+
+	c.Assert(json.Unmarshal([]byte(out), &st), checker.IsNil)
+	c.Assert(st, checker.HasLen, 1)
+	c.Assert(st[0].Status, checker.HasLen, 1, check.Commentf("%v", st[0]))
+	c.Assert(st[0].Status["Hello"], checker.Equals, "world", check.Commentf("%v", st[0].Status))
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverWithDaemonRestart(c *check.C) {
+	dockerCmd(c, "volume", "create", "-d", volumePluginName, "abc1")
+	s.d.Restart(c)
+
+	dockerCmd(c, "run", "--name=test", "-v", "abc1:/foo", "busybox", "true")
+	var mounts []types.MountPoint
+	inspectFieldAndUnmarshall(c, "test", "Mounts", &mounts)
+	c.Assert(mounts, checker.HasLen, 1)
+	c.Assert(mounts[0].Driver, checker.Equals, volumePluginName)
+}
+
+// Ensures that the daemon handles when the plugin responds to a `Get` request with a null volume and a null error.
+// Prior the daemon would panic in this scenario.
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverGetEmptyResponse(c *check.C) {
+	s.d.Start(c)
+
+	out, err := s.d.Cmd("volume", "create", "-d", volumePluginName, "abc2", "--opt", "ninja=1")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("volume", "inspect", "abc2")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "No such volume")
+}
+
+// Ensure only cached paths are used in volume list to prevent N+1 calls to `VolumeDriver.Path`
+//
+// TODO(@cpuguy83): This test is testing internal implementation. In all the cases here, there may not even be a path
+// 	available because the volume is not even mounted. Consider removing this test.
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverPathCalls(c *check.C) {
+	s.d.Start(c)
+	c.Assert(s.ec.paths, checker.Equals, 0)
+
+	out, err := s.d.Cmd("volume", "create", "test", "--driver=test-external-volume-driver")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(s.ec.paths, checker.Equals, 0)
+
+	out, err = s.d.Cmd("volume", "ls")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(s.ec.paths, checker.Equals, 0)
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverMountID(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("run", "--rm", "-v", "external-volume-test:/tmp/external-volume-test", "--volume-driver", volumePluginName, "busybox:latest", "cat", "/tmp/external-volume-test/test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+}
+
+// Check that VolumeDriver.Capabilities gets called, and only called once
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverCapabilities(c *check.C) {
+	s.d.Start(c)
+	c.Assert(s.ec.caps, checker.Equals, 0)
+
+	for i := 0; i < 3; i++ {
+		out, err := s.d.Cmd("volume", "create", "-d", volumePluginName, fmt.Sprintf("test%d", i))
+		c.Assert(err, checker.IsNil, check.Commentf(out))
+		c.Assert(s.ec.caps, checker.Equals, 1)
+		out, err = s.d.Cmd("volume", "inspect", "--format={{.Scope}}", fmt.Sprintf("test%d", i))
+		c.Assert(err, checker.IsNil)
+		c.Assert(strings.TrimSpace(out), checker.Equals, volume.GlobalScope)
+	}
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverOutOfBandDelete(c *check.C) {
+	driverName := stringid.GenerateNonCryptoID()
+	p := newVolumePlugin(c, driverName)
+	defer p.Close()
+
+	s.d.StartWithBusybox(c)
+
+	out, err := s.d.Cmd("volume", "create", "-d", driverName, "--name", "test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("volume", "create", "-d", "local", "--name", "test")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "must be unique")
+
+	// simulate out of band volume deletion on plugin level
+	delete(p.vols, "test")
+
+	// test re-create with same driver
+	out, err = s.d.Cmd("volume", "create", "-d", driverName, "--opt", "foo=bar", "--name", "test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	out, err = s.d.Cmd("volume", "inspect", "test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	var vs []types.Volume
+	err = json.Unmarshal([]byte(out), &vs)
+	c.Assert(err, checker.IsNil)
+	c.Assert(vs, checker.HasLen, 1)
+	c.Assert(vs[0].Driver, checker.Equals, driverName)
+	c.Assert(vs[0].Options, checker.NotNil)
+	c.Assert(vs[0].Options["foo"], checker.Equals, "bar")
+	c.Assert(vs[0].Driver, checker.Equals, driverName)
+
+	// simulate out of band volume deletion on plugin level
+	delete(p.vols, "test")
+
+	// test create with different driver
+	out, err = s.d.Cmd("volume", "create", "-d", "local", "--name", "test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = s.d.Cmd("volume", "inspect", "test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	vs = nil
+	err = json.Unmarshal([]byte(out), &vs)
+	c.Assert(err, checker.IsNil)
+	c.Assert(vs, checker.HasLen, 1)
+	c.Assert(vs[0].Options, checker.HasLen, 0)
+	c.Assert(vs[0].Driver, checker.Equals, "local")
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverUnmountOnMountFail(c *check.C) {
+	s.d.StartWithBusybox(c)
+	s.d.Cmd("volume", "create", "-d", "test-external-volume-driver", "--opt=invalidOption=1", "--name=testumount")
+
+	out, _ := s.d.Cmd("run", "-v", "testumount:/foo", "busybox", "true")
+	c.Assert(s.ec.unmounts, checker.Equals, 0, check.Commentf(out))
+	out, _ = s.d.Cmd("run", "-w", "/foo", "-v", "testumount:/foo", "busybox", "true")
+	c.Assert(s.ec.unmounts, checker.Equals, 0, check.Commentf(out))
+}
+
+func (s *DockerExternalVolumeSuite) TestExternalVolumeDriverUnmountOnCp(c *check.C) {
+	s.d.StartWithBusybox(c)
+	s.d.Cmd("volume", "create", "-d", "test-external-volume-driver", "--name=test")
+
+	out, _ := s.d.Cmd("run", "-d", "--name=test", "-v", "test:/foo", "busybox", "/bin/sh", "-c", "touch /test && top")
+	c.Assert(s.ec.mounts, checker.Equals, 1, check.Commentf(out))
+
+	out, _ = s.d.Cmd("cp", "test:/test", "/tmp/test")
+	c.Assert(s.ec.mounts, checker.Equals, 2, check.Commentf(out))
+	c.Assert(s.ec.unmounts, checker.Equals, 1, check.Commentf(out))
+
+	out, _ = s.d.Cmd("kill", "test")
+	c.Assert(s.ec.unmounts, checker.Equals, 2, check.Commentf(out))
+}
diff --git a/engine/integration-cli/docker_cli_health_test.go b/engine/integration-cli/docker_cli_health_test.go
new file mode 100644
index 00000000..a06b6c88
--- /dev/null
+++ b/engine/integration-cli/docker_cli_health_test.go
@@ -0,0 +1,167 @@
+package main
+
+import (
+	"encoding/json"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+)
+
+func waitForHealthStatus(c *check.C, name string, prev string, expected string) {
+	prev = prev + "\n"
+	expected = expected + "\n"
+	for {
+		out, _ := dockerCmd(c, "inspect", "--format={{.State.Health.Status}}", name)
+		if out == expected {
+			return
+		}
+		c.Check(out, checker.Equals, prev)
+		if out != prev {
+			return
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+}
+
+func getHealth(c *check.C, name string) *types.Health {
+	out, _ := dockerCmd(c, "inspect", "--format={{json .State.Health}}", name)
+	var health types.Health
+	err := json.Unmarshal([]byte(out), &health)
+	c.Check(err, checker.Equals, nil)
+	return &health
+}
+
+func (s *DockerSuite) TestHealth(c *check.C) {
+	testRequires(c, DaemonIsLinux) // busybox doesn't work on Windows
+
+	existingContainers := ExistingContainerIDs(c)
+
+	imageName := "testhealth"
+	buildImageSuccessfully(c, imageName, build.WithDockerfile(`FROM busybox
+		RUN echo OK > /status
+		CMD ["/bin/sleep", "120"]
+		STOPSIGNAL SIGKILL
+		HEALTHCHECK --interval=1s --timeout=30s \
+		  CMD cat /status`))
+
+	// No health status before starting
+	name := "test_health"
+	cid, _ := dockerCmd(c, "create", "--name", name, imageName)
+	out, _ := dockerCmd(c, "ps", "-a", "--format={{.ID}} {{.Status}}")
+	out = RemoveOutputForExistingElements(out, existingContainers)
+	c.Check(out, checker.Equals, cid[:12]+" Created\n")
+
+	// Inspect the options
+	out, _ = dockerCmd(c, "inspect",
+		"--format=timeout={{.Config.Healthcheck.Timeout}} interval={{.Config.Healthcheck.Interval}} retries={{.Config.Healthcheck.Retries}} test={{.Config.Healthcheck.Test}}", name)
+	c.Check(out, checker.Equals, "timeout=30s interval=1s retries=0 test=[CMD-SHELL cat /status]\n")
+
+	// Start
+	dockerCmd(c, "start", name)
+	waitForHealthStatus(c, name, "starting", "healthy")
+
+	// Make it fail
+	dockerCmd(c, "exec", name, "rm", "/status")
+	waitForHealthStatus(c, name, "healthy", "unhealthy")
+
+	// Inspect the status
+	out, _ = dockerCmd(c, "inspect", "--format={{.State.Health.Status}}", name)
+	c.Check(out, checker.Equals, "unhealthy\n")
+
+	// Make it healthy again
+	dockerCmd(c, "exec", name, "touch", "/status")
+	waitForHealthStatus(c, name, "unhealthy", "healthy")
+
+	// Remove container
+	dockerCmd(c, "rm", "-f", name)
+
+	// Disable the check from the CLI
+	out, _ = dockerCmd(c, "create", "--name=noh", "--no-healthcheck", imageName)
+	out, _ = dockerCmd(c, "inspect", "--format={{.Config.Healthcheck.Test}}", "noh")
+	c.Check(out, checker.Equals, "[NONE]\n")
+	dockerCmd(c, "rm", "noh")
+
+	// Disable the check with a new build
+	buildImageSuccessfully(c, "no_healthcheck", build.WithDockerfile(`FROM testhealth
+		HEALTHCHECK NONE`))
+
+	out, _ = dockerCmd(c, "inspect", "--format={{.Config.Healthcheck.Test}}", "no_healthcheck")
+	c.Check(out, checker.Equals, "[NONE]\n")
+
+	// Enable the checks from the CLI
+	_, _ = dockerCmd(c, "run", "-d", "--name=fatal_healthcheck",
+		"--health-interval=1s",
+		"--health-retries=3",
+		"--health-cmd=cat /status",
+		"no_healthcheck")
+	waitForHealthStatus(c, "fatal_healthcheck", "starting", "healthy")
+	health := getHealth(c, "fatal_healthcheck")
+	c.Check(health.Status, checker.Equals, "healthy")
+	c.Check(health.FailingStreak, checker.Equals, 0)
+	last := health.Log[len(health.Log)-1]
+	c.Check(last.ExitCode, checker.Equals, 0)
+	c.Check(last.Output, checker.Equals, "OK\n")
+
+	// Fail the check
+	dockerCmd(c, "exec", "fatal_healthcheck", "rm", "/status")
+	waitForHealthStatus(c, "fatal_healthcheck", "healthy", "unhealthy")
+
+	failsStr, _ := dockerCmd(c, "inspect", "--format={{.State.Health.FailingStreak}}", "fatal_healthcheck")
+	fails, err := strconv.Atoi(strings.TrimSpace(failsStr))
+	c.Check(err, check.IsNil)
+	c.Check(fails >= 3, checker.Equals, true)
+	dockerCmd(c, "rm", "-f", "fatal_healthcheck")
+
+	// Check timeout
+	// Note: if the interval is too small, it seems that Docker spends all its time running health
+	// checks and never gets around to killing it.
+	_, _ = dockerCmd(c, "run", "-d", "--name=test",
+		"--health-interval=1s", "--health-cmd=sleep 5m", "--health-timeout=1s", imageName)
+	waitForHealthStatus(c, "test", "starting", "unhealthy")
+	health = getHealth(c, "test")
+	last = health.Log[len(health.Log)-1]
+	c.Check(health.Status, checker.Equals, "unhealthy")
+	c.Check(last.ExitCode, checker.Equals, -1)
+	c.Check(last.Output, checker.Equals, "Health check exceeded timeout (1s)")
+	dockerCmd(c, "rm", "-f", "test")
+
+	// Check JSON-format
+	buildImageSuccessfully(c, imageName, build.WithDockerfile(`FROM busybox
+		RUN echo OK > /status
+		CMD ["/bin/sleep", "120"]
+		STOPSIGNAL SIGKILL
+		HEALTHCHECK --interval=1s --timeout=30s \
+		  CMD ["cat", "/my status"]`))
+	out, _ = dockerCmd(c, "inspect",
+		"--format={{.Config.Healthcheck.Test}}", imageName)
+	c.Check(out, checker.Equals, "[CMD cat /my status]\n")
+
+}
+
+// GitHub #33021
+func (s *DockerSuite) TestUnsetEnvVarHealthCheck(c *check.C) {
+	testRequires(c, DaemonIsLinux) // busybox doesn't work on Windows
+
+	imageName := "testhealth"
+	buildImageSuccessfully(c, imageName, build.WithDockerfile(`FROM busybox
+HEALTHCHECK --interval=1s --timeout=5s --retries=5 CMD /bin/sh -c "sleep 1"
+ENTRYPOINT /bin/sh -c "sleep 600"`))
+
+	name := "env_test_health"
+	// No health status before starting
+	dockerCmd(c, "run", "-d", "--name", name, "-e", "FOO", imageName)
+	defer func() {
+		dockerCmd(c, "rm", "-f", name)
+		dockerCmd(c, "rmi", imageName)
+	}()
+
+	// Start
+	dockerCmd(c, "start", name)
+	waitForHealthStatus(c, name, "starting", "healthy")
+
+}
diff --git a/engine/integration-cli/docker_cli_history_test.go b/engine/integration-cli/docker_cli_history_test.go
new file mode 100644
index 00000000..43c4b943
--- /dev/null
+++ b/engine/integration-cli/docker_cli_history_test.go
@@ -0,0 +1,119 @@
+package main
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+)
+
+// This is a heisen-test.  Because the created timestamp of images and the behavior of
+// sort is not predictable it doesn't always fail.
+func (s *DockerSuite) TestBuildHistory(c *check.C) {
+	name := "testbuildhistory"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM `+minimalBaseImage()+`
+LABEL label.A="A"
+LABEL label.B="B"
+LABEL label.C="C"
+LABEL label.D="D"
+LABEL label.E="E"
+LABEL label.F="F"
+LABEL label.G="G"
+LABEL label.H="H"
+LABEL label.I="I"
+LABEL label.J="J"
+LABEL label.K="K"
+LABEL label.L="L"
+LABEL label.M="M"
+LABEL label.N="N"
+LABEL label.O="O"
+LABEL label.P="P"
+LABEL label.Q="Q"
+LABEL label.R="R"
+LABEL label.S="S"
+LABEL label.T="T"
+LABEL label.U="U"
+LABEL label.V="V"
+LABEL label.W="W"
+LABEL label.X="X"
+LABEL label.Y="Y"
+LABEL label.Z="Z"`))
+
+	out, _ := dockerCmd(c, "history", name)
+	actualValues := strings.Split(out, "\n")[1:27]
+	expectedValues := [26]string{"Z", "Y", "X", "W", "V", "U", "T", "S", "R", "Q", "P", "O", "N", "M", "L", "K", "J", "I", "H", "G", "F", "E", "D", "C", "B", "A"}
+
+	for i := 0; i < 26; i++ {
+		echoValue := fmt.Sprintf("LABEL label.%s=%s", expectedValues[i], expectedValues[i])
+		actualValue := actualValues[i]
+		c.Assert(actualValue, checker.Contains, echoValue)
+	}
+
+}
+
+func (s *DockerSuite) TestHistoryExistentImage(c *check.C) {
+	dockerCmd(c, "history", "busybox")
+}
+
+func (s *DockerSuite) TestHistoryNonExistentImage(c *check.C) {
+	_, _, err := dockerCmdWithError("history", "testHistoryNonExistentImage")
+	c.Assert(err, checker.NotNil, check.Commentf("history on a non-existent image should fail."))
+}
+
+func (s *DockerSuite) TestHistoryImageWithComment(c *check.C) {
+	name := "testhistoryimagewithcomment"
+
+	// make an image through docker commit <container id> [ -m messages ]
+
+	dockerCmd(c, "run", "--name", name, "busybox", "true")
+	dockerCmd(c, "wait", name)
+
+	comment := "This_is_a_comment"
+	dockerCmd(c, "commit", "-m="+comment, name, name)
+
+	// test docker history <image id> to check comment messages
+
+	out, _ := dockerCmd(c, "history", name)
+	outputTabs := strings.Fields(strings.Split(out, "\n")[1])
+	actualValue := outputTabs[len(outputTabs)-1]
+	c.Assert(actualValue, checker.Contains, comment)
+}
+
+func (s *DockerSuite) TestHistoryHumanOptionFalse(c *check.C) {
+	out, _ := dockerCmd(c, "history", "--human=false", "busybox")
+	lines := strings.Split(out, "\n")
+	sizeColumnRegex, _ := regexp.Compile("SIZE +")
+	indices := sizeColumnRegex.FindStringIndex(lines[0])
+	startIndex := indices[0]
+	endIndex := indices[1]
+	for i := 1; i < len(lines)-1; i++ {
+		if endIndex > len(lines[i]) {
+			endIndex = len(lines[i])
+		}
+		sizeString := lines[i][startIndex:endIndex]
+
+		_, err := strconv.Atoi(strings.TrimSpace(sizeString))
+		c.Assert(err, checker.IsNil, check.Commentf("The size '%s' was not an Integer", sizeString))
+	}
+}
+
+func (s *DockerSuite) TestHistoryHumanOptionTrue(c *check.C) {
+	out, _ := dockerCmd(c, "history", "--human=true", "busybox")
+	lines := strings.Split(out, "\n")
+	sizeColumnRegex, _ := regexp.Compile("SIZE +")
+	humanSizeRegexRaw := "\\d+.*B" // Matches human sizes like 10 MB, 3.2 KB, etc
+	indices := sizeColumnRegex.FindStringIndex(lines[0])
+	startIndex := indices[0]
+	endIndex := indices[1]
+	for i := 1; i < len(lines)-1; i++ {
+		if endIndex > len(lines[i]) {
+			endIndex = len(lines[i])
+		}
+		sizeString := lines[i][startIndex:endIndex]
+		c.Assert(strings.TrimSpace(sizeString), checker.Matches, humanSizeRegexRaw, check.Commentf("The size '%s' was not in human format", sizeString))
+	}
+}
diff --git a/engine/integration-cli/docker_cli_images_test.go b/engine/integration-cli/docker_cli_images_test.go
new file mode 100644
index 00000000..0dd319fb
--- /dev/null
+++ b/engine/integration-cli/docker_cli_images_test.go
@@ -0,0 +1,366 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestImagesEnsureImageIsListed(c *check.C) {
+	imagesOut, _ := dockerCmd(c, "images")
+	c.Assert(imagesOut, checker.Contains, "busybox")
+}
+
+func (s *DockerSuite) TestImagesEnsureImageWithTagIsListed(c *check.C) {
+	name := "imagewithtag"
+	dockerCmd(c, "tag", "busybox", name+":v1")
+	dockerCmd(c, "tag", "busybox", name+":v1v1")
+	dockerCmd(c, "tag", "busybox", name+":v2")
+
+	imagesOut, _ := dockerCmd(c, "images", name+":v1")
+	c.Assert(imagesOut, checker.Contains, name)
+	c.Assert(imagesOut, checker.Contains, "v1")
+	c.Assert(imagesOut, checker.Not(checker.Contains), "v2")
+	c.Assert(imagesOut, checker.Not(checker.Contains), "v1v1")
+
+	imagesOut, _ = dockerCmd(c, "images", name)
+	c.Assert(imagesOut, checker.Contains, name)
+	c.Assert(imagesOut, checker.Contains, "v1")
+	c.Assert(imagesOut, checker.Contains, "v1v1")
+	c.Assert(imagesOut, checker.Contains, "v2")
+}
+
+func (s *DockerSuite) TestImagesEnsureImageWithBadTagIsNotListed(c *check.C) {
+	imagesOut, _ := dockerCmd(c, "images", "busybox:nonexistent")
+	c.Assert(imagesOut, checker.Not(checker.Contains), "busybox")
+}
+
+func (s *DockerSuite) TestImagesOrderedByCreationDate(c *check.C) {
+	buildImageSuccessfully(c, "order:test_a", build.WithDockerfile(`FROM busybox
+                MAINTAINER dockerio1`))
+	id1 := getIDByName(c, "order:test_a")
+	time.Sleep(1 * time.Second)
+	buildImageSuccessfully(c, "order:test_c", build.WithDockerfile(`FROM busybox
+                MAINTAINER dockerio2`))
+	id2 := getIDByName(c, "order:test_c")
+	time.Sleep(1 * time.Second)
+	buildImageSuccessfully(c, "order:test_b", build.WithDockerfile(`FROM busybox
+                MAINTAINER dockerio3`))
+	id3 := getIDByName(c, "order:test_b")
+
+	out, _ := dockerCmd(c, "images", "-q", "--no-trunc")
+	imgs := strings.Split(out, "\n")
+	c.Assert(imgs[0], checker.Equals, id3, check.Commentf("First image must be %s, got %s", id3, imgs[0]))
+	c.Assert(imgs[1], checker.Equals, id2, check.Commentf("First image must be %s, got %s", id2, imgs[1]))
+	c.Assert(imgs[2], checker.Equals, id1, check.Commentf("First image must be %s, got %s", id1, imgs[2]))
+}
+
+func (s *DockerSuite) TestImagesErrorWithInvalidFilterNameTest(c *check.C) {
+	out, _, err := dockerCmdWithError("images", "-f", "FOO=123")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "Invalid filter")
+}
+
+func (s *DockerSuite) TestImagesFilterLabelMatch(c *check.C) {
+	imageName1 := "images_filter_test1"
+	imageName2 := "images_filter_test2"
+	imageName3 := "images_filter_test3"
+	buildImageSuccessfully(c, imageName1, build.WithDockerfile(`FROM busybox
+                 LABEL match me`))
+	image1ID := getIDByName(c, imageName1)
+
+	buildImageSuccessfully(c, imageName2, build.WithDockerfile(`FROM busybox
+                 LABEL match="me too"`))
+	image2ID := getIDByName(c, imageName2)
+
+	buildImageSuccessfully(c, imageName3, build.WithDockerfile(`FROM busybox
+                 LABEL nomatch me`))
+	image3ID := getIDByName(c, imageName3)
+
+	out, _ := dockerCmd(c, "images", "--no-trunc", "-q", "-f", "label=match")
+	out = strings.TrimSpace(out)
+	c.Assert(out, check.Matches, fmt.Sprintf("[\\s\\w:]*%s[\\s\\w:]*", image1ID))
+	c.Assert(out, check.Matches, fmt.Sprintf("[\\s\\w:]*%s[\\s\\w:]*", image2ID))
+	c.Assert(out, check.Not(check.Matches), fmt.Sprintf("[\\s\\w:]*%s[\\s\\w:]*", image3ID))
+
+	out, _ = dockerCmd(c, "images", "--no-trunc", "-q", "-f", "label=match=me too")
+	out = strings.TrimSpace(out)
+	c.Assert(out, check.Equals, image2ID)
+}
+
+// Regression : #15659
+func (s *DockerSuite) TestCommitWithFilterLabel(c *check.C) {
+	// Create a container
+	dockerCmd(c, "run", "--name", "bar", "busybox", "/bin/sh")
+	// Commit with labels "using changes"
+	out, _ := dockerCmd(c, "commit", "-c", "LABEL foo.version=1.0.0-1", "-c", "LABEL foo.name=bar", "-c", "LABEL foo.author=starlord", "bar", "bar:1.0.0-1")
+	imageID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "images", "--no-trunc", "-q", "-f", "label=foo.version=1.0.0-1")
+	out = strings.TrimSpace(out)
+	c.Assert(out, check.Equals, imageID)
+}
+
+func (s *DockerSuite) TestImagesFilterSinceAndBefore(c *check.C) {
+	buildImageSuccessfully(c, "image:1", build.WithDockerfile(`FROM `+minimalBaseImage()+`
+LABEL number=1`))
+	imageID1 := getIDByName(c, "image:1")
+	buildImageSuccessfully(c, "image:2", build.WithDockerfile(`FROM `+minimalBaseImage()+`
+LABEL number=2`))
+	imageID2 := getIDByName(c, "image:2")
+	buildImageSuccessfully(c, "image:3", build.WithDockerfile(`FROM `+minimalBaseImage()+`
+LABEL number=3`))
+	imageID3 := getIDByName(c, "image:3")
+
+	expected := []string{imageID3, imageID2}
+
+	out, _ := dockerCmd(c, "images", "-f", "since=image:1", "image")
+	c.Assert(assertImageList(out, expected), checker.Equals, true, check.Commentf("SINCE filter: Image list is not in the correct order: %v\n%s", expected, out))
+
+	out, _ = dockerCmd(c, "images", "-f", "since="+imageID1, "image")
+	c.Assert(assertImageList(out, expected), checker.Equals, true, check.Commentf("SINCE filter: Image list is not in the correct order: %v\n%s", expected, out))
+
+	expected = []string{imageID3}
+
+	out, _ = dockerCmd(c, "images", "-f", "since=image:2", "image")
+	c.Assert(assertImageList(out, expected), checker.Equals, true, check.Commentf("SINCE filter: Image list is not in the correct order: %v\n%s", expected, out))
+
+	out, _ = dockerCmd(c, "images", "-f", "since="+imageID2, "image")
+	c.Assert(assertImageList(out, expected), checker.Equals, true, check.Commentf("SINCE filter: Image list is not in the correct order: %v\n%s", expected, out))
+
+	expected = []string{imageID2, imageID1}
+
+	out, _ = dockerCmd(c, "images", "-f", "before=image:3", "image")
+	c.Assert(assertImageList(out, expected), checker.Equals, true, check.Commentf("BEFORE filter: Image list is not in the correct order: %v\n%s", expected, out))
+
+	out, _ = dockerCmd(c, "images", "-f", "before="+imageID3, "image")
+	c.Assert(assertImageList(out, expected), checker.Equals, true, check.Commentf("BEFORE filter: Image list is not in the correct order: %v\n%s", expected, out))
+
+	expected = []string{imageID1}
+
+	out, _ = dockerCmd(c, "images", "-f", "before=image:2", "image")
+	c.Assert(assertImageList(out, expected), checker.Equals, true, check.Commentf("BEFORE filter: Image list is not in the correct order: %v\n%s", expected, out))
+
+	out, _ = dockerCmd(c, "images", "-f", "before="+imageID2, "image")
+	c.Assert(assertImageList(out, expected), checker.Equals, true, check.Commentf("BEFORE filter: Image list is not in the correct order: %v\n%s", expected, out))
+}
+
+func assertImageList(out string, expected []string) bool {
+	lines := strings.Split(strings.Trim(out, "\n "), "\n")
+
+	if len(lines)-1 != len(expected) {
+		return false
+	}
+
+	imageIDIndex := strings.Index(lines[0], "IMAGE ID")
+	for i := 0; i < len(expected); i++ {
+		imageID := lines[i+1][imageIDIndex : imageIDIndex+12]
+		found := false
+		for _, e := range expected {
+			if imageID == e[7:19] {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return false
+		}
+	}
+
+	return true
+}
+
+// FIXME(vdemeester) should be a unit test on `docker image ls`
+func (s *DockerSuite) TestImagesFilterSpaceTrimCase(c *check.C) {
+	imageName := "images_filter_test"
+	// Build a image and fail to build so that we have dangling images ?
+	buildImage(imageName, build.WithDockerfile(`FROM busybox
+                 RUN touch /test/foo
+                 RUN touch /test/bar
+                 RUN touch /test/baz`)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+
+	filters := []string{
+		"dangling=true",
+		"Dangling=true",
+		" dangling=true",
+		"dangling=true ",
+		"dangling = true",
+	}
+
+	imageListings := make([][]string, 5, 5)
+	for idx, filter := range filters {
+		out, _ := dockerCmd(c, "images", "-q", "-f", filter)
+		listing := strings.Split(out, "\n")
+		sort.Strings(listing)
+		imageListings[idx] = listing
+	}
+
+	for idx, listing := range imageListings {
+		if idx < 4 && !reflect.DeepEqual(listing, imageListings[idx+1]) {
+			for idx, errListing := range imageListings {
+				fmt.Printf("out %d\n", idx)
+				for _, image := range errListing {
+					fmt.Print(image)
+				}
+				fmt.Print("")
+			}
+			c.Fatalf("All output must be the same")
+		}
+	}
+}
+
+func (s *DockerSuite) TestImagesEnsureDanglingImageOnlyListedOnce(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	// create container 1
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+	containerID1 := strings.TrimSpace(out)
+
+	// tag as foobox
+	out, _ = dockerCmd(c, "commit", containerID1, "foobox")
+	imageID := stringid.TruncateID(strings.TrimSpace(out))
+
+	// overwrite the tag, making the previous image dangling
+	dockerCmd(c, "tag", "busybox", "foobox")
+
+	out, _ = dockerCmd(c, "images", "-q", "-f", "dangling=true")
+	// Expect one dangling image
+	c.Assert(strings.Count(out, imageID), checker.Equals, 1)
+
+	out, _ = dockerCmd(c, "images", "-q", "-f", "dangling=false")
+	//dangling=false would not include dangling images
+	c.Assert(out, checker.Not(checker.Contains), imageID)
+
+	out, _ = dockerCmd(c, "images")
+	//docker images still include dangling images
+	c.Assert(out, checker.Contains, imageID)
+
+}
+
+// FIXME(vdemeester) should be a unit test for `docker image ls`
+func (s *DockerSuite) TestImagesWithIncorrectFilter(c *check.C) {
+	out, _, err := dockerCmdWithError("images", "-f", "dangling=invalid")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, "Invalid filter")
+}
+
+func (s *DockerSuite) TestImagesEnsureOnlyHeadsImagesShown(c *check.C) {
+	dockerfile := `
+        FROM busybox
+        MAINTAINER docker
+        ENV foo bar`
+	name := "scratch-image"
+	result := buildImage(name, build.WithDockerfile(dockerfile))
+	result.Assert(c, icmd.Success)
+	id := getIDByName(c, name)
+
+	// this is just the output of docker build
+	// we're interested in getting the image id of the MAINTAINER instruction
+	// and that's located at output, line 5, from 7 to end
+	split := strings.Split(result.Combined(), "\n")
+	intermediate := strings.TrimSpace(split[5][7:])
+
+	out, _ := dockerCmd(c, "images")
+	// images shouldn't show non-heads images
+	c.Assert(out, checker.Not(checker.Contains), intermediate)
+	// images should contain final built images
+	c.Assert(out, checker.Contains, stringid.TruncateID(id))
+}
+
+func (s *DockerSuite) TestImagesEnsureImagesFromScratchShown(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support FROM scratch
+	dockerfile := `
+        FROM scratch
+        MAINTAINER docker`
+
+	name := "scratch-image"
+	buildImageSuccessfully(c, name, build.WithDockerfile(dockerfile))
+	id := getIDByName(c, name)
+
+	out, _ := dockerCmd(c, "images")
+	// images should contain images built from scratch
+	c.Assert(out, checker.Contains, stringid.TruncateID(id))
+}
+
+// For W2W - equivalent to TestImagesEnsureImagesFromScratchShown but Windows
+// doesn't support from scratch
+func (s *DockerSuite) TestImagesEnsureImagesFromBusyboxShown(c *check.C) {
+	dockerfile := `
+        FROM busybox
+        MAINTAINER docker`
+	name := "busybox-image"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile(dockerfile))
+	id := getIDByName(c, name)
+
+	out, _ := dockerCmd(c, "images")
+	// images should contain images built from busybox
+	c.Assert(out, checker.Contains, stringid.TruncateID(id))
+}
+
+// #18181
+func (s *DockerSuite) TestImagesFilterNameWithPort(c *check.C) {
+	tag := "a.b.c.d:5000/hello"
+	dockerCmd(c, "tag", "busybox", tag)
+	out, _ := dockerCmd(c, "images", tag)
+	c.Assert(out, checker.Contains, tag)
+
+	out, _ = dockerCmd(c, "images", tag+":latest")
+	c.Assert(out, checker.Contains, tag)
+
+	out, _ = dockerCmd(c, "images", tag+":no-such-tag")
+	c.Assert(out, checker.Not(checker.Contains), tag)
+}
+
+func (s *DockerSuite) TestImagesFormat(c *check.C) {
+	// testRequires(c, DaemonIsLinux)
+	tag := "myimage"
+	dockerCmd(c, "tag", "busybox", tag+":v1")
+	dockerCmd(c, "tag", "busybox", tag+":v2")
+
+	out, _ := dockerCmd(c, "images", "--format", "{{.Repository}}", tag)
+	lines := strings.Split(strings.TrimSpace(string(out)), "\n")
+
+	expected := []string{"myimage", "myimage"}
+	var names []string
+	names = append(names, lines...)
+	c.Assert(names, checker.DeepEquals, expected, check.Commentf("Expected array with truncated names: %v, got: %v", expected, names))
+}
+
+// ImagesDefaultFormatAndQuiet
+func (s *DockerSuite) TestImagesFormatDefaultFormat(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	// create container 1
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+	containerID1 := strings.TrimSpace(out)
+
+	// tag as foobox
+	out, _ = dockerCmd(c, "commit", containerID1, "myimage")
+	imageID := stringid.TruncateID(strings.TrimSpace(out))
+
+	config := `{
+		"imagesFormat": "{{ .ID }} default"
+}`
+	d, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(d)
+
+	err = ioutil.WriteFile(filepath.Join(d, "config.json"), []byte(config), 0644)
+	c.Assert(err, checker.IsNil)
+
+	out, _ = dockerCmd(c, "--config", d, "images", "-q", "myimage")
+	c.Assert(out, checker.Equals, imageID+"\n", check.Commentf("Expected to print only the image id, got %v\n", out))
+}
diff --git a/engine/integration-cli/docker_cli_import_test.go b/engine/integration-cli/docker_cli_import_test.go
new file mode 100644
index 00000000..9f8e9158
--- /dev/null
+++ b/engine/integration-cli/docker_cli_import_test.go
@@ -0,0 +1,142 @@
+package main
+
+import (
+	"bufio"
+	"compress/gzip"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"regexp"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestImportDisplay(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+	cleanedContainerID := strings.TrimSpace(out)
+
+	out, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "export", cleanedContainerID),
+		exec.Command(dockerBinary, "import", "-"),
+	)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(out, checker.Count, "\n", 1, check.Commentf("display is expected 1 '\\n' but didn't"))
+
+	image := strings.TrimSpace(out)
+	out, _ = dockerCmd(c, "run", "--rm", image, "true")
+	c.Assert(out, checker.Equals, "", check.Commentf("command output should've been nothing."))
+}
+
+func (s *DockerSuite) TestImportBadURL(c *check.C) {
+	out, _, err := dockerCmdWithError("import", "http://nourl/bad")
+	c.Assert(err, checker.NotNil, check.Commentf("import was supposed to fail but didn't"))
+	// Depending on your system you can get either of these errors
+	if !strings.Contains(out, "dial tcp") &&
+		!strings.Contains(out, "ApplyLayer exit status 1 stdout:  stderr: archive/tar: invalid tar header") &&
+		!strings.Contains(out, "Error processing tar file") {
+		c.Fatalf("expected an error msg but didn't get one.\nErr: %v\nOut: %v", err, out)
+	}
+}
+
+func (s *DockerSuite) TestImportFile(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "--name", "test-import", "busybox", "true")
+
+	temporaryFile, err := ioutil.TempFile("", "exportImportTest")
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create temporary file"))
+	defer os.Remove(temporaryFile.Name())
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "export", "test-import"},
+		Stdout:  bufio.NewWriter(temporaryFile),
+	}).Assert(c, icmd.Success)
+
+	out, _ := dockerCmd(c, "import", temporaryFile.Name())
+	c.Assert(out, checker.Count, "\n", 1, check.Commentf("display is expected 1 '\\n' but didn't"))
+	image := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "run", "--rm", image, "true")
+	c.Assert(out, checker.Equals, "", check.Commentf("command output should've been nothing."))
+}
+
+func (s *DockerSuite) TestImportGzipped(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "--name", "test-import", "busybox", "true")
+
+	temporaryFile, err := ioutil.TempFile("", "exportImportTest")
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create temporary file"))
+	defer os.Remove(temporaryFile.Name())
+
+	w := gzip.NewWriter(temporaryFile)
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "export", "test-import"},
+		Stdout:  w,
+	}).Assert(c, icmd.Success)
+	c.Assert(w.Close(), checker.IsNil, check.Commentf("failed to close gzip writer"))
+	temporaryFile.Close()
+	out, _ := dockerCmd(c, "import", temporaryFile.Name())
+	c.Assert(out, checker.Count, "\n", 1, check.Commentf("display is expected 1 '\\n' but didn't"))
+	image := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "run", "--rm", image, "true")
+	c.Assert(out, checker.Equals, "", check.Commentf("command output should've been nothing."))
+}
+
+func (s *DockerSuite) TestImportFileWithMessage(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "--name", "test-import", "busybox", "true")
+
+	temporaryFile, err := ioutil.TempFile("", "exportImportTest")
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create temporary file"))
+	defer os.Remove(temporaryFile.Name())
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "export", "test-import"},
+		Stdout:  bufio.NewWriter(temporaryFile),
+	}).Assert(c, icmd.Success)
+
+	message := "Testing commit message"
+	out, _ := dockerCmd(c, "import", "-m", message, temporaryFile.Name())
+	c.Assert(out, checker.Count, "\n", 1, check.Commentf("display is expected 1 '\\n' but didn't"))
+	image := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "history", image)
+	split := strings.Split(out, "\n")
+
+	c.Assert(split, checker.HasLen, 3, check.Commentf("expected 3 lines from image history"))
+	r := regexp.MustCompile("[\\s]{2,}")
+	split = r.Split(split[1], -1)
+
+	c.Assert(message, checker.Equals, split[3], check.Commentf("didn't get expected value in commit message"))
+
+	out, _ = dockerCmd(c, "run", "--rm", image, "true")
+	c.Assert(out, checker.Equals, "", check.Commentf("command output should've been nothing"))
+}
+
+func (s *DockerSuite) TestImportFileNonExistentFile(c *check.C) {
+	_, _, err := dockerCmdWithError("import", "example.com/myImage.tar")
+	c.Assert(err, checker.NotNil, check.Commentf("import non-existing file must failed"))
+}
+
+func (s *DockerSuite) TestImportWithQuotedChanges(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	cli.DockerCmd(c, "run", "--name", "test-import", "busybox", "true")
+
+	temporaryFile, err := ioutil.TempFile("", "exportImportTest")
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create temporary file"))
+	defer os.Remove(temporaryFile.Name())
+
+	cli.Docker(cli.Args("export", "test-import"), cli.WithStdout(bufio.NewWriter(temporaryFile))).Assert(c, icmd.Success)
+
+	result := cli.DockerCmd(c, "import", "-c", `ENTRYPOINT ["/bin/sh", "-c"]`, temporaryFile.Name())
+	image := strings.TrimSpace(result.Stdout())
+
+	result = cli.DockerCmd(c, "run", "--rm", image, "true")
+	result.Assert(c, icmd.Expected{Out: icmd.None})
+}
diff --git a/engine/integration-cli/docker_cli_info_test.go b/engine/integration-cli/docker_cli_info_test.go
new file mode 100644
index 00000000..65091029
--- /dev/null
+++ b/engine/integration-cli/docker_cli_info_test.go
@@ -0,0 +1,238 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/daemon"
+	testdaemon "github.com/docker/docker/internal/test/daemon"
+	"github.com/go-check/check"
+)
+
+// ensure docker info succeeds
+func (s *DockerSuite) TestInfoEnsureSucceeds(c *check.C) {
+	out, _ := dockerCmd(c, "info")
+
+	// always shown fields
+	stringsToCheck := []string{
+		"ID:",
+		"Containers:",
+		" Running:",
+		" Paused:",
+		" Stopped:",
+		"Images:",
+		"OSType:",
+		"Architecture:",
+		"Logging Driver:",
+		"Operating System:",
+		"CPUs:",
+		"Total Memory:",
+		"Kernel Version:",
+		"Storage Driver:",
+		"Volume:",
+		"Network:",
+		"Live Restore Enabled:",
+	}
+
+	if testEnv.OSType == "linux" {
+		stringsToCheck = append(stringsToCheck, "Init Binary:", "Security Options:", "containerd version:", "runc version:", "init version:")
+	}
+
+	if DaemonIsLinux() {
+		stringsToCheck = append(stringsToCheck, "Runtimes:", "Default Runtime: runc")
+	}
+
+	if testEnv.DaemonInfo.ExperimentalBuild {
+		stringsToCheck = append(stringsToCheck, "Experimental: true")
+	} else {
+		stringsToCheck = append(stringsToCheck, "Experimental: false")
+	}
+
+	for _, linePrefix := range stringsToCheck {
+		c.Assert(out, checker.Contains, linePrefix, check.Commentf("couldn't find string %v in output", linePrefix))
+	}
+}
+
+// TestInfoFormat tests `docker info --format`
+func (s *DockerSuite) TestInfoFormat(c *check.C) {
+	out, status := dockerCmd(c, "info", "--format", "{{json .}}")
+	c.Assert(status, checker.Equals, 0)
+	var m map[string]interface{}
+	err := json.Unmarshal([]byte(out), &m)
+	c.Assert(err, checker.IsNil)
+	_, _, err = dockerCmdWithError("info", "--format", "{{.badString}}")
+	c.Assert(err, checker.NotNil)
+}
+
+// TestInfoDiscoveryBackend verifies that a daemon run with `--cluster-advertise` and
+// `--cluster-store` properly show the backend's endpoint in info output.
+func (s *DockerSuite) TestInfoDiscoveryBackend(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	discoveryBackend := "consul://consuladdr:consulport/some/path"
+	discoveryAdvertise := "1.1.1.1:2375"
+	d.Start(c, fmt.Sprintf("--cluster-store=%s", discoveryBackend), fmt.Sprintf("--cluster-advertise=%s", discoveryAdvertise))
+	defer d.Stop(c)
+
+	out, err := d.Cmd("info")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, fmt.Sprintf("Cluster Store: %s\n", discoveryBackend))
+	c.Assert(out, checker.Contains, fmt.Sprintf("Cluster Advertise: %s\n", discoveryAdvertise))
+}
+
+// TestInfoDiscoveryInvalidAdvertise verifies that a daemon run with
+// an invalid `--cluster-advertise` configuration
+func (s *DockerSuite) TestInfoDiscoveryInvalidAdvertise(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	discoveryBackend := "consul://consuladdr:consulport/some/path"
+
+	// --cluster-advertise with an invalid string is an error
+	err := d.StartWithError(fmt.Sprintf("--cluster-store=%s", discoveryBackend), "--cluster-advertise=invalid")
+	c.Assert(err, checker.NotNil)
+
+	// --cluster-advertise without --cluster-store is also an error
+	err = d.StartWithError("--cluster-advertise=1.1.1.1:2375")
+	c.Assert(err, checker.NotNil)
+}
+
+// TestInfoDiscoveryAdvertiseInterfaceName verifies that a daemon run with `--cluster-advertise`
+// configured with interface name properly show the advertise ip-address in info output.
+func (s *DockerSuite) TestInfoDiscoveryAdvertiseInterfaceName(c *check.C) {
+	testRequires(c, SameHostDaemon, Network, DaemonIsLinux)
+
+	d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	discoveryBackend := "consul://consuladdr:consulport/some/path"
+	discoveryAdvertise := "eth0"
+
+	d.Start(c, fmt.Sprintf("--cluster-store=%s", discoveryBackend), fmt.Sprintf("--cluster-advertise=%s:2375", discoveryAdvertise))
+	defer d.Stop(c)
+
+	iface, err := net.InterfaceByName(discoveryAdvertise)
+	c.Assert(err, checker.IsNil)
+	addrs, err := iface.Addrs()
+	c.Assert(err, checker.IsNil)
+	c.Assert(len(addrs), checker.GreaterThan, 0)
+	ip, _, err := net.ParseCIDR(addrs[0].String())
+	c.Assert(err, checker.IsNil)
+
+	out, err := d.Cmd("info")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, fmt.Sprintf("Cluster Store: %s\n", discoveryBackend))
+	c.Assert(out, checker.Contains, fmt.Sprintf("Cluster Advertise: %s:2375\n", ip.String()))
+}
+
+func (s *DockerSuite) TestInfoDisplaysRunningContainers(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	existing := existingContainerStates(c)
+
+	dockerCmd(c, "run", "-d", "busybox", "top")
+	out, _ := dockerCmd(c, "info")
+	c.Assert(out, checker.Contains, fmt.Sprintf("Containers: %d\n", existing["Containers"]+1))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" Running: %d\n", existing["ContainersRunning"]+1))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" Paused: %d\n", existing["ContainersPaused"]))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" Stopped: %d\n", existing["ContainersStopped"]))
+}
+
+func (s *DockerSuite) TestInfoDisplaysPausedContainers(c *check.C) {
+	testRequires(c, IsPausable)
+
+	existing := existingContainerStates(c)
+
+	out := runSleepingContainer(c, "-d")
+	cleanedContainerID := strings.TrimSpace(out)
+
+	dockerCmd(c, "pause", cleanedContainerID)
+
+	out, _ = dockerCmd(c, "info")
+	c.Assert(out, checker.Contains, fmt.Sprintf("Containers: %d\n", existing["Containers"]+1))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" Running: %d\n", existing["ContainersRunning"]))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" Paused: %d\n", existing["ContainersPaused"]+1))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" Stopped: %d\n", existing["ContainersStopped"]))
+}
+
+func (s *DockerSuite) TestInfoDisplaysStoppedContainers(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	existing := existingContainerStates(c)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	cleanedContainerID := strings.TrimSpace(out)
+
+	dockerCmd(c, "stop", cleanedContainerID)
+
+	out, _ = dockerCmd(c, "info")
+	c.Assert(out, checker.Contains, fmt.Sprintf("Containers: %d\n", existing["Containers"]+1))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" Running: %d\n", existing["ContainersRunning"]))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" Paused: %d\n", existing["ContainersPaused"]))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" Stopped: %d\n", existing["ContainersStopped"]+1))
+}
+
+func (s *DockerSuite) TestInfoDebug(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	d.Start(c, "--debug")
+	defer d.Stop(c)
+
+	out, err := d.Cmd("--debug", "info")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "Debug Mode (client): true\n")
+	c.Assert(out, checker.Contains, "Debug Mode (server): true\n")
+	c.Assert(out, checker.Contains, "File Descriptors")
+	c.Assert(out, checker.Contains, "Goroutines")
+	c.Assert(out, checker.Contains, "System Time")
+	c.Assert(out, checker.Contains, "EventsListeners")
+	c.Assert(out, checker.Contains, "Docker Root Dir")
+}
+
+func (s *DockerSuite) TestInsecureRegistries(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	registryCIDR := "192.168.1.0/24"
+	registryHost := "insecurehost.com:5000"
+
+	d := daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	d.Start(c, "--insecure-registry="+registryCIDR, "--insecure-registry="+registryHost)
+	defer d.Stop(c)
+
+	out, err := d.Cmd("info")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "Insecure Registries:\n")
+	c.Assert(out, checker.Contains, fmt.Sprintf(" %s\n", registryHost))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" %s\n", registryCIDR))
+}
+
+func (s *DockerDaemonSuite) TestRegistryMirrors(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	registryMirror1 := "https://192.168.1.2"
+	registryMirror2 := "http://registry.mirror.com:5000"
+
+	s.d.Start(c, "--registry-mirror="+registryMirror1, "--registry-mirror="+registryMirror2)
+
+	out, err := s.d.Cmd("info")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "Registry Mirrors:\n")
+	c.Assert(out, checker.Contains, fmt.Sprintf(" %s", registryMirror1))
+	c.Assert(out, checker.Contains, fmt.Sprintf(" %s", registryMirror2))
+}
+
+func existingContainerStates(c *check.C) map[string]int {
+	out, _ := dockerCmd(c, "info", "--format", "{{json .}}")
+	var m map[string]interface{}
+	err := json.Unmarshal([]byte(out), &m)
+	c.Assert(err, checker.IsNil)
+	res := map[string]int{}
+	res["Containers"] = int(m["Containers"].(float64))
+	res["ContainersRunning"] = int(m["ContainersRunning"].(float64))
+	res["ContainersPaused"] = int(m["ContainersPaused"].(float64))
+	res["ContainersStopped"] = int(m["ContainersStopped"].(float64))
+	return res
+}
diff --git a/engine/integration-cli/docker_cli_info_unix_test.go b/engine/integration-cli/docker_cli_info_unix_test.go
new file mode 100644
index 00000000..d55c05c4
--- /dev/null
+++ b/engine/integration-cli/docker_cli_info_unix_test.go
@@ -0,0 +1,15 @@
+// +build !windows
+
+package main
+
+import (
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestInfoSecurityOptions(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled, Apparmor, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "info")
+	c.Assert(out, checker.Contains, "Security Options:\n apparmor\n seccomp\n  Profile: default\n")
+}
diff --git a/engine/integration-cli/docker_cli_inspect_test.go b/engine/integration-cli/docker_cli_inspect_test.go
new file mode 100644
index 00000000..d027c447
--- /dev/null
+++ b/engine/integration-cli/docker_cli_inspect_test.go
@@ -0,0 +1,460 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func checkValidGraphDriver(c *check.C, name string) {
+	if name != "devicemapper" && name != "overlay" && name != "vfs" && name != "zfs" && name != "btrfs" && name != "aufs" {
+		c.Fatalf("%v is not a valid graph driver name", name)
+	}
+}
+
+func (s *DockerSuite) TestInspectImage(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	imageTest := "emptyfs"
+	// It is important that this ID remain stable. If a code change causes
+	// it to be different, this is equivalent to a cache bust when pulling
+	// a legacy-format manifest. If the check at the end of this function
+	// fails, fix the difference in the image serialization instead of
+	// updating this hash.
+	imageTestID := "sha256:11f64303f0f7ffdc71f001788132bca5346831939a956e3e975c93267d89a16d"
+	id := inspectField(c, imageTest, "Id")
+
+	c.Assert(id, checker.Equals, imageTestID)
+}
+
+func (s *DockerSuite) TestInspectInt64(c *check.C) {
+	dockerCmd(c, "run", "-d", "-m=300M", "--name", "inspectTest", "busybox", "true")
+	inspectOut := inspectField(c, "inspectTest", "HostConfig.Memory")
+	c.Assert(inspectOut, checker.Equals, "314572800")
+}
+
+func (s *DockerSuite) TestInspectDefault(c *check.C) {
+	//Both the container and image are named busybox. docker inspect will fetch the container JSON.
+	//If the container JSON is not available, it will go for the image JSON.
+
+	out, _ := dockerCmd(c, "run", "--name=busybox", "-d", "busybox", "true")
+	containerID := strings.TrimSpace(out)
+
+	inspectOut := inspectField(c, "busybox", "Id")
+	c.Assert(strings.TrimSpace(inspectOut), checker.Equals, containerID)
+}
+
+func (s *DockerSuite) TestInspectStatus(c *check.C) {
+	out := runSleepingContainer(c, "-d")
+	out = strings.TrimSpace(out)
+
+	inspectOut := inspectField(c, out, "State.Status")
+	c.Assert(inspectOut, checker.Equals, "running")
+
+	// Windows does not support pause/unpause on Windows Server Containers.
+	// (RS1 does for Hyper-V Containers, but production CI is not setup for that)
+	if testEnv.OSType != "windows" {
+		dockerCmd(c, "pause", out)
+		inspectOut = inspectField(c, out, "State.Status")
+		c.Assert(inspectOut, checker.Equals, "paused")
+
+		dockerCmd(c, "unpause", out)
+		inspectOut = inspectField(c, out, "State.Status")
+		c.Assert(inspectOut, checker.Equals, "running")
+	}
+
+	dockerCmd(c, "stop", out)
+	inspectOut = inspectField(c, out, "State.Status")
+	c.Assert(inspectOut, checker.Equals, "exited")
+
+}
+
+func (s *DockerSuite) TestInspectTypeFlagContainer(c *check.C) {
+	//Both the container and image are named busybox. docker inspect will fetch container
+	//JSON State.Running field. If the field is true, it's a container.
+	runSleepingContainer(c, "--name=busybox", "-d")
+
+	formatStr := "--format={{.State.Running}}"
+	out, _ := dockerCmd(c, "inspect", "--type=container", formatStr, "busybox")
+	c.Assert(out, checker.Equals, "true\n") // not a container JSON
+}
+
+func (s *DockerSuite) TestInspectTypeFlagWithNoContainer(c *check.C) {
+	//Run this test on an image named busybox. docker inspect will try to fetch container
+	//JSON. Since there is no container named busybox and --type=container, docker inspect will
+	//not try to get the image JSON. It will throw an error.
+
+	dockerCmd(c, "run", "-d", "busybox", "true")
+
+	_, _, err := dockerCmdWithError("inspect", "--type=container", "busybox")
+	// docker inspect should fail, as there is no container named busybox
+	c.Assert(err, checker.NotNil)
+}
+
+func (s *DockerSuite) TestInspectTypeFlagWithImage(c *check.C) {
+	//Both the container and image are named busybox. docker inspect will fetch image
+	//JSON as --type=image. if there is no image with name busybox, docker inspect
+	//will throw an error.
+
+	dockerCmd(c, "run", "--name=busybox", "-d", "busybox", "true")
+
+	out, _ := dockerCmd(c, "inspect", "--type=image", "busybox")
+	c.Assert(out, checker.Not(checker.Contains), "State") // not an image JSON
+}
+
+func (s *DockerSuite) TestInspectTypeFlagWithInvalidValue(c *check.C) {
+	//Both the container and image are named busybox. docker inspect will fail
+	//as --type=foobar is not a valid value for the flag.
+
+	dockerCmd(c, "run", "--name=busybox", "-d", "busybox", "true")
+
+	out, exitCode, err := dockerCmdWithError("inspect", "--type=foobar", "busybox")
+	c.Assert(err, checker.NotNil, check.Commentf("%s", exitCode))
+	c.Assert(exitCode, checker.Equals, 1, check.Commentf("%s", err))
+	c.Assert(out, checker.Contains, "not a valid value for --type")
+}
+
+func (s *DockerSuite) TestInspectImageFilterInt(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	imageTest := "emptyfs"
+	out := inspectField(c, imageTest, "Size")
+
+	size, err := strconv.Atoi(out)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to inspect size of the image: %s, %v", out, err))
+
+	//now see if the size turns out to be the same
+	formatStr := fmt.Sprintf("--format={{eq .Size %d}}", size)
+	out, _ = dockerCmd(c, "inspect", formatStr, imageTest)
+	result, err := strconv.ParseBool(strings.TrimSuffix(out, "\n"))
+	c.Assert(err, checker.IsNil)
+	c.Assert(result, checker.Equals, true)
+}
+
+func (s *DockerSuite) TestInspectContainerFilterInt(c *check.C) {
+	result := icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "run", "-i", "-a", "stdin", "busybox", "cat"},
+		Stdin:   strings.NewReader("blahblah"),
+	})
+	result.Assert(c, icmd.Success)
+	out := result.Stdout()
+	id := strings.TrimSpace(out)
+
+	out = inspectField(c, id, "State.ExitCode")
+
+	exitCode, err := strconv.Atoi(out)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to inspect exitcode of the container: %s, %v", out, err))
+
+	//now get the exit code to verify
+	formatStr := fmt.Sprintf("--format={{eq .State.ExitCode %d}}", exitCode)
+	out, _ = dockerCmd(c, "inspect", formatStr, id)
+	inspectResult, err := strconv.ParseBool(strings.TrimSuffix(out, "\n"))
+	c.Assert(err, checker.IsNil)
+	c.Assert(inspectResult, checker.Equals, true)
+}
+
+func (s *DockerSuite) TestInspectImageGraphDriver(c *check.C) {
+	testRequires(c, DaemonIsLinux, Devicemapper)
+	imageTest := "emptyfs"
+	name := inspectField(c, imageTest, "GraphDriver.Name")
+
+	checkValidGraphDriver(c, name)
+
+	deviceID := inspectField(c, imageTest, "GraphDriver.Data.DeviceId")
+
+	_, err := strconv.Atoi(deviceID)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to inspect DeviceId of the image: %s, %v", deviceID, err))
+
+	deviceSize := inspectField(c, imageTest, "GraphDriver.Data.DeviceSize")
+
+	_, err = strconv.ParseUint(deviceSize, 10, 64)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to inspect DeviceSize of the image: %s, %v", deviceSize, err))
+}
+
+func (s *DockerSuite) TestInspectContainerGraphDriver(c *check.C) {
+	testRequires(c, DaemonIsLinux, Devicemapper)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+	out = strings.TrimSpace(out)
+
+	name := inspectField(c, out, "GraphDriver.Name")
+
+	checkValidGraphDriver(c, name)
+
+	imageDeviceID := inspectField(c, "busybox", "GraphDriver.Data.DeviceId")
+
+	deviceID := inspectField(c, out, "GraphDriver.Data.DeviceId")
+
+	c.Assert(imageDeviceID, checker.Not(checker.Equals), deviceID)
+
+	_, err := strconv.Atoi(deviceID)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to inspect DeviceId of the image: %s, %v", deviceID, err))
+
+	deviceSize := inspectField(c, out, "GraphDriver.Data.DeviceSize")
+
+	_, err = strconv.ParseUint(deviceSize, 10, 64)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to inspect DeviceSize of the image: %s, %v", deviceSize, err))
+}
+
+func (s *DockerSuite) TestInspectBindMountPoint(c *check.C) {
+	modifier := ",z"
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	if testEnv.OSType == "windows" {
+		modifier = ""
+		// Linux creates the host directory if it doesn't exist. Windows does not.
+		os.Mkdir(`c:\data`, os.ModeDir)
+	}
+
+	dockerCmd(c, "run", "-d", "--name", "test", "-v", prefix+slash+"data:"+prefix+slash+"data:ro"+modifier, "busybox", "cat")
+
+	vol := inspectFieldJSON(c, "test", "Mounts")
+
+	var mp []types.MountPoint
+	err := json.Unmarshal([]byte(vol), &mp)
+	c.Assert(err, checker.IsNil)
+
+	// check that there is only one mountpoint
+	c.Assert(mp, check.HasLen, 1)
+
+	m := mp[0]
+
+	c.Assert(m.Name, checker.Equals, "")
+	c.Assert(m.Driver, checker.Equals, "")
+	c.Assert(m.Source, checker.Equals, prefix+slash+"data")
+	c.Assert(m.Destination, checker.Equals, prefix+slash+"data")
+	if testEnv.OSType != "windows" { // Windows does not set mode
+		c.Assert(m.Mode, checker.Equals, "ro"+modifier)
+	}
+	c.Assert(m.RW, checker.Equals, false)
+}
+
+func (s *DockerSuite) TestInspectNamedMountPoint(c *check.C) {
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+
+	dockerCmd(c, "run", "-d", "--name", "test", "-v", "data:"+prefix+slash+"data", "busybox", "cat")
+
+	vol := inspectFieldJSON(c, "test", "Mounts")
+
+	var mp []types.MountPoint
+	err := json.Unmarshal([]byte(vol), &mp)
+	c.Assert(err, checker.IsNil)
+
+	// check that there is only one mountpoint
+	c.Assert(mp, checker.HasLen, 1)
+
+	m := mp[0]
+
+	c.Assert(m.Name, checker.Equals, "data")
+	c.Assert(m.Driver, checker.Equals, "local")
+	c.Assert(m.Source, checker.Not(checker.Equals), "")
+	c.Assert(m.Destination, checker.Equals, prefix+slash+"data")
+	c.Assert(m.RW, checker.Equals, true)
+}
+
+// #14947
+func (s *DockerSuite) TestInspectTimesAsRFC3339Nano(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+	id := strings.TrimSpace(out)
+	startedAt := inspectField(c, id, "State.StartedAt")
+	finishedAt := inspectField(c, id, "State.FinishedAt")
+	created := inspectField(c, id, "Created")
+
+	_, err := time.Parse(time.RFC3339Nano, startedAt)
+	c.Assert(err, checker.IsNil)
+	_, err = time.Parse(time.RFC3339Nano, finishedAt)
+	c.Assert(err, checker.IsNil)
+	_, err = time.Parse(time.RFC3339Nano, created)
+	c.Assert(err, checker.IsNil)
+
+	created = inspectField(c, "busybox", "Created")
+
+	_, err = time.Parse(time.RFC3339Nano, created)
+	c.Assert(err, checker.IsNil)
+}
+
+// #15633
+func (s *DockerSuite) TestInspectLogConfigNoType(c *check.C) {
+	dockerCmd(c, "create", "--name=test", "--log-opt", "max-file=42", "busybox")
+	var logConfig container.LogConfig
+
+	out := inspectFieldJSON(c, "test", "HostConfig.LogConfig")
+
+	err := json.NewDecoder(strings.NewReader(out)).Decode(&logConfig)
+	c.Assert(err, checker.IsNil, check.Commentf("%v", out))
+
+	c.Assert(logConfig.Type, checker.Equals, "json-file")
+	c.Assert(logConfig.Config["max-file"], checker.Equals, "42", check.Commentf("%v", logConfig))
+}
+
+func (s *DockerSuite) TestInspectNoSizeFlagContainer(c *check.C) {
+
+	//Both the container and image are named busybox. docker inspect will fetch container
+	//JSON SizeRw and SizeRootFs field. If there is no flag --size/-s, there are no size fields.
+
+	runSleepingContainer(c, "--name=busybox", "-d")
+
+	formatStr := "--format={{.SizeRw}},{{.SizeRootFs}}"
+	out, _ := dockerCmd(c, "inspect", "--type=container", formatStr, "busybox")
+	c.Assert(strings.TrimSpace(out), check.Equals, "<nil>,<nil>", check.Commentf("Expected not to display size info: %s", out))
+}
+
+func (s *DockerSuite) TestInspectSizeFlagContainer(c *check.C) {
+	runSleepingContainer(c, "--name=busybox", "-d")
+
+	formatStr := "--format='{{.SizeRw}},{{.SizeRootFs}}'"
+	out, _ := dockerCmd(c, "inspect", "-s", "--type=container", formatStr, "busybox")
+	sz := strings.Split(out, ",")
+
+	c.Assert(strings.TrimSpace(sz[0]), check.Not(check.Equals), "<nil>")
+	c.Assert(strings.TrimSpace(sz[1]), check.Not(check.Equals), "<nil>")
+}
+
+func (s *DockerSuite) TestInspectTemplateError(c *check.C) {
+	// Template parsing error for both the container and image.
+
+	runSleepingContainer(c, "--name=container1", "-d")
+
+	out, _, err := dockerCmdWithError("inspect", "--type=container", "--format='Format container: {{.ThisDoesNotExist}}'", "container1")
+	c.Assert(err, check.Not(check.IsNil))
+	c.Assert(out, checker.Contains, "Template parsing error")
+
+	out, _, err = dockerCmdWithError("inspect", "--type=image", "--format='Format container: {{.ThisDoesNotExist}}'", "busybox")
+	c.Assert(err, check.Not(check.IsNil))
+	c.Assert(out, checker.Contains, "Template parsing error")
+}
+
+func (s *DockerSuite) TestInspectJSONFields(c *check.C) {
+	runSleepingContainer(c, "--name=busybox", "-d")
+	out, _, err := dockerCmdWithError("inspect", "--type=container", "--format={{.HostConfig.Dns}}", "busybox")
+
+	c.Assert(err, check.IsNil)
+	c.Assert(out, checker.Equals, "[]\n")
+}
+
+func (s *DockerSuite) TestInspectByPrefix(c *check.C) {
+	id := inspectField(c, "busybox", "Id")
+	c.Assert(id, checker.HasPrefix, "sha256:")
+
+	id2 := inspectField(c, id[:12], "Id")
+	c.Assert(id, checker.Equals, id2)
+
+	id3 := inspectField(c, strings.TrimPrefix(id, "sha256:")[:12], "Id")
+	c.Assert(id, checker.Equals, id3)
+}
+
+func (s *DockerSuite) TestInspectStopWhenNotFound(c *check.C) {
+	runSleepingContainer(c, "--name=busybox1", "-d")
+	runSleepingContainer(c, "--name=busybox2", "-d")
+	result := dockerCmdWithResult("inspect", "--type=container", "--format='{{.Name}}'", "busybox1", "busybox2", "missing")
+
+	c.Assert(result.Error, checker.Not(check.IsNil))
+	c.Assert(result.Stdout(), checker.Contains, "busybox1")
+	c.Assert(result.Stdout(), checker.Contains, "busybox2")
+	c.Assert(result.Stderr(), checker.Contains, "Error: No such container: missing")
+
+	// test inspect would not fast fail
+	result = dockerCmdWithResult("inspect", "--type=container", "--format='{{.Name}}'", "missing", "busybox1", "busybox2")
+
+	c.Assert(result.Error, checker.Not(check.IsNil))
+	c.Assert(result.Stdout(), checker.Contains, "busybox1")
+	c.Assert(result.Stdout(), checker.Contains, "busybox2")
+	c.Assert(result.Stderr(), checker.Contains, "Error: No such container: missing")
+}
+
+func (s *DockerSuite) TestInspectHistory(c *check.C) {
+	dockerCmd(c, "run", "--name=testcont", "busybox", "echo", "hello")
+	dockerCmd(c, "commit", "-m", "test comment", "testcont", "testimg")
+	out, _, err := dockerCmdWithError("inspect", "--format='{{.Comment}}'", "testimg")
+	c.Assert(err, check.IsNil)
+	c.Assert(out, checker.Contains, "test comment")
+}
+
+func (s *DockerSuite) TestInspectContainerNetworkDefault(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	contName := "test1"
+	dockerCmd(c, "run", "--name", contName, "-d", "busybox", "top")
+	netOut, _ := dockerCmd(c, "network", "inspect", "--format={{.ID}}", "bridge")
+	out := inspectField(c, contName, "NetworkSettings.Networks")
+	c.Assert(out, checker.Contains, "bridge")
+	out = inspectField(c, contName, "NetworkSettings.Networks.bridge.NetworkID")
+	c.Assert(strings.TrimSpace(out), checker.Equals, strings.TrimSpace(netOut))
+}
+
+func (s *DockerSuite) TestInspectContainerNetworkCustom(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	netOut, _ := dockerCmd(c, "network", "create", "net1")
+	dockerCmd(c, "run", "--name=container1", "--net=net1", "-d", "busybox", "top")
+	out := inspectField(c, "container1", "NetworkSettings.Networks")
+	c.Assert(out, checker.Contains, "net1")
+	out = inspectField(c, "container1", "NetworkSettings.Networks.net1.NetworkID")
+	c.Assert(strings.TrimSpace(out), checker.Equals, strings.TrimSpace(netOut))
+}
+
+func (s *DockerSuite) TestInspectRootFS(c *check.C) {
+	out, _, err := dockerCmdWithError("inspect", "busybox")
+	c.Assert(err, check.IsNil)
+
+	var imageJSON []types.ImageInspect
+	err = json.Unmarshal([]byte(out), &imageJSON)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(len(imageJSON[0].RootFS.Layers), checker.GreaterOrEqualThan, 1)
+}
+
+func (s *DockerSuite) TestInspectAmpersand(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	name := "test"
+	out, _ := dockerCmd(c, "run", "--name", name, "--env", `TEST_ENV="soanni&rtr"`, "busybox", "env")
+	c.Assert(out, checker.Contains, `soanni&rtr`)
+	out, _ = dockerCmd(c, "inspect", name)
+	c.Assert(out, checker.Contains, `soanni&rtr`)
+}
+
+func (s *DockerSuite) TestInspectPlugin(c *check.C) {
+	testRequires(c, DaemonIsLinux, IsAmd64, Network)
+	_, _, err := dockerCmdWithError("plugin", "install", "--grant-all-permissions", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err := dockerCmdWithError("inspect", "--type", "plugin", "--format", "{{.Name}}", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, pNameWithTag)
+
+	out, _, err = dockerCmdWithError("inspect", "--format", "{{.Name}}", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, pNameWithTag)
+
+	// Even without tag the inspect still work
+	out, _, err = dockerCmdWithError("inspect", "--type", "plugin", "--format", "{{.Name}}", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, pNameWithTag)
+
+	out, _, err = dockerCmdWithError("inspect", "--format", "{{.Name}}", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, pNameWithTag)
+
+	_, _, err = dockerCmdWithError("plugin", "disable", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err = dockerCmdWithError("plugin", "remove", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, pNameWithTag)
+}
+
+// Test case for 29185
+func (s *DockerSuite) TestInspectUnknownObject(c *check.C) {
+	// This test should work on both Windows and Linux
+	out, _, err := dockerCmdWithError("inspect", "foobar")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "Error: No such object: foobar")
+	c.Assert(err.Error(), checker.Contains, "Error: No such object: foobar")
+}
diff --git a/engine/integration-cli/docker_cli_links_test.go b/engine/integration-cli/docker_cli_links_test.go
new file mode 100644
index 00000000..17b25d79
--- /dev/null
+++ b/engine/integration-cli/docker_cli_links_test.go
@@ -0,0 +1,239 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"sort"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/runconfig"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestLinksPingUnlinkedContainers(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	_, exitCode, err := dockerCmdWithError("run", "--rm", "busybox", "sh", "-c", "ping -c 1 alias1 -W 1 && ping -c 1 alias2 -W 1")
+
+	// run ping failed with error
+	c.Assert(exitCode, checker.Equals, 1, check.Commentf("error: %v", err))
+}
+
+// Test for appropriate error when calling --link with an invalid target container
+func (s *DockerSuite) TestLinksInvalidContainerTarget(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "--link", "bogus:alias", "busybox", "true")
+
+	// an invalid container target should produce an error
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	// an invalid container target should produce an error
+	// note: convert the output to lowercase first as the error string
+	// capitalization was changed after API version 1.32
+	c.Assert(strings.ToLower(out), checker.Contains, "could not get container")
+}
+
+func (s *DockerSuite) TestLinksPingLinkedContainers(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	// Test with the three different ways of specifying the default network on Linux
+	testLinkPingOnNetwork(c, "")
+	testLinkPingOnNetwork(c, "default")
+	testLinkPingOnNetwork(c, "bridge")
+}
+
+func testLinkPingOnNetwork(c *check.C, network string) {
+	var postArgs []string
+	if network != "" {
+		postArgs = append(postArgs, []string{"--net", network}...)
+	}
+	postArgs = append(postArgs, []string{"busybox", "top"}...)
+	runArgs1 := append([]string{"run", "-d", "--name", "container1", "--hostname", "fred"}, postArgs...)
+	runArgs2 := append([]string{"run", "-d", "--name", "container2", "--hostname", "wilma"}, postArgs...)
+
+	// Run the two named containers
+	dockerCmd(c, runArgs1...)
+	dockerCmd(c, runArgs2...)
+
+	postArgs = []string{}
+	if network != "" {
+		postArgs = append(postArgs, []string{"--net", network}...)
+	}
+	postArgs = append(postArgs, []string{"busybox", "sh", "-c"}...)
+
+	// Format a run for a container which links to the other two
+	runArgs := append([]string{"run", "--rm", "--link", "container1:alias1", "--link", "container2:alias2"}, postArgs...)
+	pingCmd := "ping -c 1 %s -W 1 && ping -c 1 %s -W 1"
+
+	// test ping by alias, ping by name, and ping by hostname
+	// 1. Ping by alias
+	dockerCmd(c, append(runArgs, fmt.Sprintf(pingCmd, "alias1", "alias2"))...)
+	// 2. Ping by container name
+	dockerCmd(c, append(runArgs, fmt.Sprintf(pingCmd, "container1", "container2"))...)
+	// 3. Ping by hostname
+	dockerCmd(c, append(runArgs, fmt.Sprintf(pingCmd, "fred", "wilma"))...)
+
+	// Clean for next round
+	dockerCmd(c, "rm", "-f", "container1")
+	dockerCmd(c, "rm", "-f", "container2")
+}
+
+func (s *DockerSuite) TestLinksPingLinkedContainersAfterRename(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "--name", "container1", "busybox", "top")
+	idA := strings.TrimSpace(out)
+	out, _ = dockerCmd(c, "run", "-d", "--name", "container2", "busybox", "top")
+	idB := strings.TrimSpace(out)
+	dockerCmd(c, "rename", "container1", "container_new")
+	dockerCmd(c, "run", "--rm", "--link", "container_new:alias1", "--link", "container2:alias2", "busybox", "sh", "-c", "ping -c 1 alias1 -W 1 && ping -c 1 alias2 -W 1")
+	dockerCmd(c, "kill", idA)
+	dockerCmd(c, "kill", idB)
+
+}
+
+func (s *DockerSuite) TestLinksInspectLinksStarted(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name", "container1", "busybox", "top")
+	dockerCmd(c, "run", "-d", "--name", "container2", "busybox", "top")
+	dockerCmd(c, "run", "-d", "--name", "testinspectlink", "--link", "container1:alias1", "--link", "container2:alias2", "busybox", "top")
+	links := inspectFieldJSON(c, "testinspectlink", "HostConfig.Links")
+
+	var result []string
+	err := json.Unmarshal([]byte(links), &result)
+	c.Assert(err, checker.IsNil)
+
+	var expected = []string{
+		"/container1:/testinspectlink/alias1",
+		"/container2:/testinspectlink/alias2",
+	}
+	sort.Strings(result)
+	c.Assert(result, checker.DeepEquals, expected)
+}
+
+func (s *DockerSuite) TestLinksInspectLinksStopped(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	dockerCmd(c, "run", "-d", "--name", "container1", "busybox", "top")
+	dockerCmd(c, "run", "-d", "--name", "container2", "busybox", "top")
+	dockerCmd(c, "run", "-d", "--name", "testinspectlink", "--link", "container1:alias1", "--link", "container2:alias2", "busybox", "true")
+	links := inspectFieldJSON(c, "testinspectlink", "HostConfig.Links")
+
+	var result []string
+	err := json.Unmarshal([]byte(links), &result)
+	c.Assert(err, checker.IsNil)
+
+	var expected = []string{
+		"/container1:/testinspectlink/alias1",
+		"/container2:/testinspectlink/alias2",
+	}
+	sort.Strings(result)
+	c.Assert(result, checker.DeepEquals, expected)
+}
+
+func (s *DockerSuite) TestLinksNotStartedParentNotFail(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "create", "--name=first", "busybox", "top")
+	dockerCmd(c, "create", "--name=second", "--link=first:first", "busybox", "top")
+	dockerCmd(c, "start", "first")
+
+}
+
+func (s *DockerSuite) TestLinksHostsFilesInject(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, SameHostDaemon, ExecSupport)
+
+	out, _ := dockerCmd(c, "run", "-itd", "--name", "one", "busybox", "top")
+	idOne := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "run", "-itd", "--name", "two", "--link", "one:onetwo", "busybox", "top")
+	idTwo := strings.TrimSpace(out)
+
+	c.Assert(waitRun(idTwo), checker.IsNil)
+
+	readContainerFileWithExec(c, idOne, "/etc/hosts")
+	contentTwo := readContainerFileWithExec(c, idTwo, "/etc/hosts")
+	// Host is not present in updated hosts file
+	c.Assert(string(contentTwo), checker.Contains, "onetwo")
+}
+
+func (s *DockerSuite) TestLinksUpdateOnRestart(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, SameHostDaemon, ExecSupport)
+	dockerCmd(c, "run", "-d", "--name", "one", "busybox", "top")
+	out, _ := dockerCmd(c, "run", "-d", "--name", "two", "--link", "one:onetwo", "--link", "one:one", "busybox", "top")
+	id := strings.TrimSpace(string(out))
+
+	realIP := inspectField(c, "one", "NetworkSettings.Networks.bridge.IPAddress")
+	content := readContainerFileWithExec(c, id, "/etc/hosts")
+
+	getIP := func(hosts []byte, hostname string) string {
+		re := regexp.MustCompile(fmt.Sprintf(`(\S*)\t%s`, regexp.QuoteMeta(hostname)))
+		matches := re.FindSubmatch(hosts)
+		c.Assert(matches, checker.NotNil, check.Commentf("Hostname %s have no matches in hosts", hostname))
+		return string(matches[1])
+	}
+	ip := getIP(content, "one")
+	c.Assert(ip, checker.Equals, realIP)
+
+	ip = getIP(content, "onetwo")
+	c.Assert(ip, checker.Equals, realIP)
+
+	dockerCmd(c, "restart", "one")
+	realIP = inspectField(c, "one", "NetworkSettings.Networks.bridge.IPAddress")
+
+	content = readContainerFileWithExec(c, id, "/etc/hosts")
+	ip = getIP(content, "one")
+	c.Assert(ip, checker.Equals, realIP)
+
+	ip = getIP(content, "onetwo")
+	c.Assert(ip, checker.Equals, realIP)
+}
+
+func (s *DockerSuite) TestLinksEnvs(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "-e", "e1=", "-e", "e2=v2", "-e", "e3=v3=v3", "--name=first", "busybox", "top")
+	out, _ := dockerCmd(c, "run", "--name=second", "--link=first:first", "busybox", "env")
+	c.Assert(out, checker.Contains, "FIRST_ENV_e1=\n")
+	c.Assert(out, checker.Contains, "FIRST_ENV_e2=v2")
+	c.Assert(out, checker.Contains, "FIRST_ENV_e3=v3=v3")
+}
+
+func (s *DockerSuite) TestLinkShortDefinition(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "--name", "shortlinkdef", "busybox", "top")
+
+	cid := strings.TrimSpace(out)
+	c.Assert(waitRun(cid), checker.IsNil)
+
+	out, _ = dockerCmd(c, "run", "-d", "--name", "link2", "--link", "shortlinkdef", "busybox", "top")
+
+	cid2 := strings.TrimSpace(out)
+	c.Assert(waitRun(cid2), checker.IsNil)
+
+	links := inspectFieldJSON(c, cid2, "HostConfig.Links")
+	c.Assert(links, checker.Equals, "[\"/shortlinkdef:/link2/shortlinkdef\"]")
+}
+
+func (s *DockerSuite) TestLinksNetworkHostContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	dockerCmd(c, "run", "-d", "--net", "host", "--name", "host_container", "busybox", "top")
+	out, _, err := dockerCmdWithError("run", "--name", "should_fail", "--link", "host_container:tester", "busybox", "true")
+
+	// Running container linking to a container with --net host should have failed
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	// Running container linking to a container with --net host should have failed
+	c.Assert(out, checker.Contains, runconfig.ErrConflictHostNetworkAndLinks.Error())
+}
+
+func (s *DockerSuite) TestLinksEtcHostsRegularFile(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "--net=host", "busybox", "ls", "-la", "/etc/hosts")
+	// /etc/hosts should be a regular file
+	c.Assert(out, checker.Matches, "^-.+\n")
+}
+
+func (s *DockerSuite) TestLinksMultipleWithSameName(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name=upstream-a", "busybox", "top")
+	dockerCmd(c, "run", "-d", "--name=upstream-b", "busybox", "top")
+	dockerCmd(c, "run", "--link", "upstream-a:upstream", "--link", "upstream-b:upstream", "busybox", "sh", "-c", "ping -c 1 upstream")
+}
diff --git a/engine/integration-cli/docker_cli_login_test.go b/engine/integration-cli/docker_cli_login_test.go
new file mode 100644
index 00000000..cb261bed
--- /dev/null
+++ b/engine/integration-cli/docker_cli_login_test.go
@@ -0,0 +1,30 @@
+package main
+
+import (
+	"bytes"
+	"os/exec"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestLoginWithoutTTY(c *check.C) {
+	cmd := exec.Command(dockerBinary, "login")
+
+	// Send to stdin so the process does not get the TTY
+	cmd.Stdin = bytes.NewBufferString("buffer test string \n")
+
+	// run the command and block until it's done
+	err := cmd.Run()
+	c.Assert(err, checker.NotNil) //"Expected non nil err when logging in & TTY not available"
+}
+
+func (s *DockerRegistryAuthHtpasswdSuite) TestLoginToPrivateRegistry(c *check.C) {
+	// wrong credentials
+	out, _, err := dockerCmdWithError("login", "-u", s.reg.Username(), "-p", "WRONGPASSWORD", privateRegistryURL)
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "401 Unauthorized")
+
+	// now it's fine
+	dockerCmd(c, "login", "-u", s.reg.Username(), "-p", s.reg.Password(), privateRegistryURL)
+}
diff --git a/engine/integration-cli/docker_cli_logout_test.go b/engine/integration-cli/docker_cli_logout_test.go
new file mode 100644
index 00000000..e0752f48
--- /dev/null
+++ b/engine/integration-cli/docker_cli_logout_test.go
@@ -0,0 +1,106 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerRegistryAuthHtpasswdSuite) TestLogoutWithExternalAuth(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	osPath := os.Getenv("PATH")
+	defer os.Setenv("PATH", osPath)
+
+	workingDir, err := os.Getwd()
+	c.Assert(err, checker.IsNil)
+	absolute, err := filepath.Abs(filepath.Join(workingDir, "fixtures", "auth"))
+	c.Assert(err, checker.IsNil)
+	testPath := fmt.Sprintf("%s%c%s", osPath, filepath.ListSeparator, absolute)
+
+	os.Setenv("PATH", testPath)
+
+	repoName := fmt.Sprintf("%v/dockercli/busybox:authtest", privateRegistryURL)
+
+	tmp, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(tmp)
+
+	externalAuthConfig := `{ "credsStore": "shell-test" }`
+
+	configPath := filepath.Join(tmp, "config.json")
+	err = ioutil.WriteFile(configPath, []byte(externalAuthConfig), 0644)
+	c.Assert(err, checker.IsNil)
+
+	_, err = s.d.Cmd("--config", tmp, "login", "-u", s.reg.Username(), "-p", s.reg.Password(), privateRegistryURL)
+	c.Assert(err, checker.IsNil)
+
+	b, err := ioutil.ReadFile(configPath)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b), checker.Not(checker.Contains), "\"auth\":")
+	c.Assert(string(b), checker.Contains, privateRegistryURL)
+
+	_, err = s.d.Cmd("--config", tmp, "tag", "busybox", repoName)
+	c.Assert(err, checker.IsNil)
+	_, err = s.d.Cmd("--config", tmp, "push", repoName)
+	c.Assert(err, checker.IsNil)
+	_, err = s.d.Cmd("--config", tmp, "logout", privateRegistryURL)
+	c.Assert(err, checker.IsNil)
+
+	b, err = ioutil.ReadFile(configPath)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b), checker.Not(checker.Contains), privateRegistryURL)
+
+	// check I cannot pull anymore
+	out, err := s.d.Cmd("--config", tmp, "pull", repoName)
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "no basic auth credentials")
+}
+
+// #23100
+func (s *DockerRegistryAuthHtpasswdSuite) TestLogoutWithWrongHostnamesStored(c *check.C) {
+	osPath := os.Getenv("PATH")
+	defer os.Setenv("PATH", osPath)
+
+	workingDir, err := os.Getwd()
+	c.Assert(err, checker.IsNil)
+	absolute, err := filepath.Abs(filepath.Join(workingDir, "fixtures", "auth"))
+	c.Assert(err, checker.IsNil)
+	testPath := fmt.Sprintf("%s%c%s", osPath, filepath.ListSeparator, absolute)
+
+	os.Setenv("PATH", testPath)
+
+	cmd := exec.Command("docker-credential-shell-test", "store")
+	stdin := bytes.NewReader([]byte(fmt.Sprintf(`{"ServerURL": "https://%s", "Username": "%s", "Secret": "%s"}`, privateRegistryURL, s.reg.Username(), s.reg.Password())))
+	cmd.Stdin = stdin
+	c.Assert(cmd.Run(), checker.IsNil)
+
+	tmp, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, checker.IsNil)
+
+	externalAuthConfig := fmt.Sprintf(`{ "auths": {"https://%s": {}}, "credsStore": "shell-test" }`, privateRegistryURL)
+
+	configPath := filepath.Join(tmp, "config.json")
+	err = ioutil.WriteFile(configPath, []byte(externalAuthConfig), 0644)
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "--config", tmp, "login", "-u", s.reg.Username(), "-p", s.reg.Password(), privateRegistryURL)
+
+	b, err := ioutil.ReadFile(configPath)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b), checker.Contains, fmt.Sprintf("\"https://%s\": {}", privateRegistryURL))
+	c.Assert(string(b), checker.Contains, fmt.Sprintf("\"%s\": {}", privateRegistryURL))
+
+	dockerCmd(c, "--config", tmp, "logout", privateRegistryURL)
+
+	b, err = ioutil.ReadFile(configPath)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b), checker.Not(checker.Contains), fmt.Sprintf("\"https://%s\": {}", privateRegistryURL))
+	c.Assert(string(b), checker.Not(checker.Contains), fmt.Sprintf("\"%s\": {}", privateRegistryURL))
+}
diff --git a/engine/integration-cli/docker_cli_logs_bench_test.go b/engine/integration-cli/docker_cli_logs_bench_test.go
new file mode 100644
index 00000000..eeb008de
--- /dev/null
+++ b/engine/integration-cli/docker_cli_logs_bench_test.go
@@ -0,0 +1,32 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) BenchmarkLogsCLIRotateFollow(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "--log-opt", "max-size=1b", "--log-opt", "max-file=10", "busybox", "sh", "-c", "while true; do usleep 50000; echo hello; done")
+	id := strings.TrimSpace(out)
+	ch := make(chan error, 1)
+	go func() {
+		ch <- nil
+		out, _, _ := dockerCmdWithError("logs", "-f", id)
+		// if this returns at all, it's an error
+		ch <- fmt.Errorf(out)
+	}()
+
+	<-ch
+	select {
+	case <-time.After(30 * time.Second):
+		// ran for 30 seconds with no problem
+		return
+	case err := <-ch:
+		if err != nil {
+			c.Fatal(err)
+		}
+	}
+}
diff --git a/engine/integration-cli/docker_cli_logs_test.go b/engine/integration-cli/docker_cli_logs_test.go
new file mode 100644
index 00000000..17ee5dea
--- /dev/null
+++ b/engine/integration-cli/docker_cli_logs_test.go
@@ -0,0 +1,336 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"os/exec"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+// This used to work, it test a log of PageSize-1 (gh#4851)
+func (s *DockerSuite) TestLogsContainerSmallerThanPage(c *check.C) {
+	testLogsContainerPagination(c, 32767)
+}
+
+// Regression test: When going over the PageSize, it used to panic (gh#4851)
+func (s *DockerSuite) TestLogsContainerBiggerThanPage(c *check.C) {
+	testLogsContainerPagination(c, 32768)
+}
+
+// Regression test: When going much over the PageSize, it used to block (gh#4851)
+func (s *DockerSuite) TestLogsContainerMuchBiggerThanPage(c *check.C) {
+	testLogsContainerPagination(c, 33000)
+}
+
+func testLogsContainerPagination(c *check.C, testLen int) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", fmt.Sprintf("for i in $(seq 1 %d); do echo -n = >> a.a; done; echo >> a.a; cat a.a", testLen))
+	id := strings.TrimSpace(out)
+	dockerCmd(c, "wait", id)
+	out, _ = dockerCmd(c, "logs", id)
+	c.Assert(out, checker.HasLen, testLen+1)
+}
+
+func (s *DockerSuite) TestLogsTimestamps(c *check.C) {
+	testLen := 100
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", fmt.Sprintf("for i in $(seq 1 %d); do echo = >> a.a; done; cat a.a", testLen))
+
+	id := strings.TrimSpace(out)
+	dockerCmd(c, "wait", id)
+
+	out, _ = dockerCmd(c, "logs", "-t", id)
+
+	lines := strings.Split(out, "\n")
+
+	c.Assert(lines, checker.HasLen, testLen+1)
+
+	ts := regexp.MustCompile(`^.* `)
+
+	for _, l := range lines {
+		if l != "" {
+			_, err := time.Parse(jsonmessage.RFC3339NanoFixed+" ", ts.FindString(l))
+			c.Assert(err, checker.IsNil, check.Commentf("Failed to parse timestamp from %v", l))
+			// ensure we have padded 0's
+			c.Assert(l[29], checker.Equals, uint8('Z'))
+		}
+	}
+}
+
+func (s *DockerSuite) TestLogsSeparateStderr(c *check.C) {
+	msg := "stderr_log"
+	out := cli.DockerCmd(c, "run", "-d", "busybox", "sh", "-c", fmt.Sprintf("echo %s 1>&2", msg)).Combined()
+	id := strings.TrimSpace(out)
+	cli.DockerCmd(c, "wait", id)
+	cli.DockerCmd(c, "logs", id).Assert(c, icmd.Expected{
+		Out: "",
+		Err: msg,
+	})
+}
+
+func (s *DockerSuite) TestLogsStderrInStdout(c *check.C) {
+	// TODO Windows: Needs investigation why this fails. Obtained string includes
+	// a bunch of ANSI escape sequences before the "stderr_log" message.
+	testRequires(c, DaemonIsLinux)
+	msg := "stderr_log"
+	out := cli.DockerCmd(c, "run", "-d", "-t", "busybox", "sh", "-c", fmt.Sprintf("echo %s 1>&2", msg)).Combined()
+	id := strings.TrimSpace(out)
+	cli.DockerCmd(c, "wait", id)
+
+	cli.DockerCmd(c, "logs", id).Assert(c, icmd.Expected{
+		Out: msg,
+		Err: "",
+	})
+}
+
+func (s *DockerSuite) TestLogsTail(c *check.C) {
+	testLen := 100
+	out := cli.DockerCmd(c, "run", "-d", "busybox", "sh", "-c", fmt.Sprintf("for i in $(seq 1 %d); do echo =; done;", testLen)).Combined()
+
+	id := strings.TrimSpace(out)
+	cli.DockerCmd(c, "wait", id)
+
+	out = cli.DockerCmd(c, "logs", "--tail", "0", id).Combined()
+	lines := strings.Split(out, "\n")
+	c.Assert(lines, checker.HasLen, 1)
+
+	out = cli.DockerCmd(c, "logs", "--tail", "5", id).Combined()
+	lines = strings.Split(out, "\n")
+	c.Assert(lines, checker.HasLen, 6)
+
+	out = cli.DockerCmd(c, "logs", "--tail", "99", id).Combined()
+	lines = strings.Split(out, "\n")
+	c.Assert(lines, checker.HasLen, 100)
+
+	out = cli.DockerCmd(c, "logs", "--tail", "all", id).Combined()
+	lines = strings.Split(out, "\n")
+	c.Assert(lines, checker.HasLen, testLen+1)
+
+	out = cli.DockerCmd(c, "logs", "--tail", "-1", id).Combined()
+	lines = strings.Split(out, "\n")
+	c.Assert(lines, checker.HasLen, testLen+1)
+
+	out = cli.DockerCmd(c, "logs", "--tail", "random", id).Combined()
+	lines = strings.Split(out, "\n")
+	c.Assert(lines, checker.HasLen, testLen+1)
+}
+
+func (s *DockerSuite) TestLogsFollowStopped(c *check.C) {
+	dockerCmd(c, "run", "--name=test", "busybox", "echo", "hello")
+	id := getIDByName(c, "test")
+
+	logsCmd := exec.Command(dockerBinary, "logs", "-f", id)
+	c.Assert(logsCmd.Start(), checker.IsNil)
+
+	errChan := make(chan error)
+	go func() {
+		errChan <- logsCmd.Wait()
+		close(errChan)
+	}()
+
+	select {
+	case err := <-errChan:
+		c.Assert(err, checker.IsNil)
+	case <-time.After(30 * time.Second):
+		c.Fatal("Following logs is hanged")
+	}
+}
+
+func (s *DockerSuite) TestLogsSince(c *check.C) {
+	name := "testlogssince"
+	dockerCmd(c, "run", "--name="+name, "busybox", "/bin/sh", "-c", "for i in $(seq 1 3); do sleep 2; echo log$i; done")
+	out, _ := dockerCmd(c, "logs", "-t", name)
+
+	log2Line := strings.Split(strings.Split(out, "\n")[1], " ")
+	t, err := time.Parse(time.RFC3339Nano, log2Line[0]) // the timestamp log2 is written
+	c.Assert(err, checker.IsNil)
+	since := t.Unix() + 1 // add 1s so log1 & log2 doesn't show up
+	out, _ = dockerCmd(c, "logs", "-t", fmt.Sprintf("--since=%v", since), name)
+
+	// Skip 2 seconds
+	unexpected := []string{"log1", "log2"}
+	for _, v := range unexpected {
+		c.Assert(out, checker.Not(checker.Contains), v, check.Commentf("unexpected log message returned, since=%v", since))
+	}
+
+	// Test to make sure a bad since format is caught by the client
+	out, _, _ = dockerCmdWithError("logs", "-t", "--since=2006-01-02T15:04:0Z", name)
+	c.Assert(out, checker.Contains, "cannot parse \"0Z\" as \"05\"", check.Commentf("bad since format passed to server"))
+
+	// Test with default value specified and parameter omitted
+	expected := []string{"log1", "log2", "log3"}
+	for _, cmd := range [][]string{
+		{"logs", "-t", name},
+		{"logs", "-t", "--since=0", name},
+	} {
+		result := icmd.RunCommand(dockerBinary, cmd...)
+		result.Assert(c, icmd.Success)
+		for _, v := range expected {
+			c.Assert(result.Combined(), checker.Contains, v)
+		}
+	}
+}
+
+func (s *DockerSuite) TestLogsSinceFutureFollow(c *check.C) {
+	// TODO Windows TP5 - Figure out why this test is so flakey. Disabled for now.
+	testRequires(c, DaemonIsLinux)
+	name := "testlogssincefuturefollow"
+	out, _ := dockerCmd(c, "run", "-d", "--name", name, "busybox", "/bin/sh", "-c", `for i in $(seq 1 5); do echo log$i; sleep 1; done`)
+
+	// Extract one timestamp from the log file to give us a starting point for
+	// our `--since` argument. Because the log producer runs in the background,
+	// we need to check repeatedly for some output to be produced.
+	var timestamp string
+	for i := 0; i != 100 && timestamp == ""; i++ {
+		if out, _ = dockerCmd(c, "logs", "-t", name); out == "" {
+			time.Sleep(time.Millisecond * 100) // Retry
+		} else {
+			timestamp = strings.Split(strings.Split(out, "\n")[0], " ")[0]
+		}
+	}
+
+	c.Assert(timestamp, checker.Not(checker.Equals), "")
+	t, err := time.Parse(time.RFC3339Nano, timestamp)
+	c.Assert(err, check.IsNil)
+
+	since := t.Unix() + 2
+	out, _ = dockerCmd(c, "logs", "-t", "-f", fmt.Sprintf("--since=%v", since), name)
+	c.Assert(out, checker.Not(checker.HasLen), 0, check.Commentf("cannot read from empty log"))
+	lines := strings.Split(strings.TrimSpace(out), "\n")
+	for _, v := range lines {
+		ts, err := time.Parse(time.RFC3339Nano, strings.Split(v, " ")[0])
+		c.Assert(err, checker.IsNil, check.Commentf("cannot parse timestamp output from log: '%v'", v))
+		c.Assert(ts.Unix() >= since, checker.Equals, true, check.Commentf("earlier log found. since=%v logdate=%v", since, ts))
+	}
+}
+
+// Regression test for #8832
+func (s *DockerSuite) TestLogsFollowSlowStdoutConsumer(c *check.C) {
+	// TODO Windows: Fix this test for TP5.
+	testRequires(c, DaemonIsLinux)
+	expected := 150000
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", fmt.Sprintf("usleep 600000; yes X | head -c %d", expected))
+
+	id := strings.TrimSpace(out)
+
+	stopSlowRead := make(chan bool)
+
+	go func() {
+		dockerCmd(c, "wait", id)
+		stopSlowRead <- true
+	}()
+
+	logCmd := exec.Command(dockerBinary, "logs", "-f", id)
+	stdout, err := logCmd.StdoutPipe()
+	c.Assert(err, checker.IsNil)
+	c.Assert(logCmd.Start(), checker.IsNil)
+	defer func() { go logCmd.Wait() }()
+
+	// First read slowly
+	bytes1, err := ConsumeWithSpeed(stdout, 10, 50*time.Millisecond, stopSlowRead)
+	c.Assert(err, checker.IsNil)
+
+	// After the container has finished we can continue reading fast
+	bytes2, err := ConsumeWithSpeed(stdout, 32*1024, 0, nil)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(logCmd.Wait(), checker.IsNil)
+
+	actual := bytes1 + bytes2
+	c.Assert(actual, checker.Equals, expected)
+}
+
+// ConsumeWithSpeed reads chunkSize bytes from reader before sleeping
+// for interval duration. Returns total read bytes. Send true to the
+// stop channel to return before reading to EOF on the reader.
+func ConsumeWithSpeed(reader io.Reader, chunkSize int, interval time.Duration, stop chan bool) (n int, err error) {
+	buffer := make([]byte, chunkSize)
+	for {
+		var readBytes int
+		readBytes, err = reader.Read(buffer)
+		n += readBytes
+		if err != nil {
+			if err == io.EOF {
+				err = nil
+			}
+			return
+		}
+		select {
+		case <-stop:
+			return
+		case <-time.After(interval):
+		}
+	}
+}
+
+func (s *DockerSuite) TestLogsFollowGoroutinesWithStdout(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "while true; do echo hello; sleep 2; done")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	nroutines, err := getGoroutineNumber()
+	c.Assert(err, checker.IsNil)
+	cmd := exec.Command(dockerBinary, "logs", "-f", id)
+	r, w := io.Pipe()
+	cmd.Stdout = w
+	c.Assert(cmd.Start(), checker.IsNil)
+	go cmd.Wait()
+
+	// Make sure pipe is written to
+	chErr := make(chan error)
+	go func() {
+		b := make([]byte, 1)
+		_, err := r.Read(b)
+		chErr <- err
+	}()
+	c.Assert(<-chErr, checker.IsNil)
+	c.Assert(cmd.Process.Kill(), checker.IsNil)
+	r.Close()
+	cmd.Wait()
+	// NGoroutines is not updated right away, so we need to wait before failing
+	c.Assert(waitForGoroutines(nroutines), checker.IsNil)
+}
+
+func (s *DockerSuite) TestLogsFollowGoroutinesNoOutput(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "while true; do sleep 2; done")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	nroutines, err := getGoroutineNumber()
+	c.Assert(err, checker.IsNil)
+	cmd := exec.Command(dockerBinary, "logs", "-f", id)
+	c.Assert(cmd.Start(), checker.IsNil)
+	go cmd.Wait()
+	time.Sleep(200 * time.Millisecond)
+	c.Assert(cmd.Process.Kill(), checker.IsNil)
+	cmd.Wait()
+
+	// NGoroutines is not updated right away, so we need to wait before failing
+	c.Assert(waitForGoroutines(nroutines), checker.IsNil)
+}
+
+func (s *DockerSuite) TestLogsCLIContainerNotFound(c *check.C) {
+	name := "testlogsnocontainer"
+	out, _, _ := dockerCmdWithError("logs", name)
+	message := fmt.Sprintf("No such container: %s\n", name)
+	c.Assert(out, checker.Contains, message)
+}
+
+func (s *DockerSuite) TestLogsWithDetails(c *check.C) {
+	dockerCmd(c, "run", "--name=test", "--label", "foo=bar", "-e", "baz=qux", "--log-opt", "labels=foo", "--log-opt", "env=baz", "busybox", "echo", "hello")
+	out, _ := dockerCmd(c, "logs", "--details", "--timestamps", "test")
+
+	logFields := strings.Fields(strings.TrimSpace(out))
+	c.Assert(len(logFields), checker.Equals, 3, check.Commentf(out))
+
+	details := strings.Split(logFields[1], ",")
+	c.Assert(details, checker.HasLen, 2)
+	c.Assert(details[0], checker.Equals, "baz=qux")
+	c.Assert(details[1], checker.Equals, "foo=bar")
+}
diff --git a/engine/integration-cli/docker_cli_netmode_test.go b/engine/integration-cli/docker_cli_netmode_test.go
new file mode 100644
index 00000000..76f9898d
--- /dev/null
+++ b/engine/integration-cli/docker_cli_netmode_test.go
@@ -0,0 +1,96 @@
+package main
+
+import (
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/runconfig"
+	"github.com/go-check/check"
+)
+
+// GH14530. Validates combinations of --net= with other options
+
+// stringCheckPS is how the output of PS starts in order to validate that
+// the command executed in a container did really run PS correctly.
+const stringCheckPS = "PID   USER"
+
+// DockerCmdWithFail executes a docker command that is supposed to fail and returns
+// the output, the exit code. If the command returns a Nil error, it will fail and
+// stop the tests.
+func dockerCmdWithFail(c *check.C, args ...string) (string, int) {
+	out, status, err := dockerCmdWithError(args...)
+	c.Assert(err, check.NotNil, check.Commentf("%v", out))
+	return out, status
+}
+
+func (s *DockerSuite) TestNetHostnameWithNetHost(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+
+	out, _ := dockerCmd(c, "run", "--net=host", "busybox", "ps")
+	c.Assert(out, checker.Contains, stringCheckPS)
+}
+
+func (s *DockerSuite) TestNetHostname(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "run", "-h=name", "busybox", "ps")
+	c.Assert(out, checker.Contains, stringCheckPS)
+
+	out, _ = dockerCmd(c, "run", "-h=name", "--net=bridge", "busybox", "ps")
+	c.Assert(out, checker.Contains, stringCheckPS)
+
+	out, _ = dockerCmd(c, "run", "-h=name", "--net=none", "busybox", "ps")
+	c.Assert(out, checker.Contains, stringCheckPS)
+
+	out, _ = dockerCmdWithFail(c, "run", "-h=name", "--net=container:other", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictNetworkHostname.Error())
+
+	out, _ = dockerCmdWithFail(c, "run", "--net=container", "busybox", "ps")
+	c.Assert(out, checker.Contains, "invalid container format container:<name|id>")
+
+	out, _ = dockerCmdWithFail(c, "run", "--net=weird", "busybox", "ps")
+	c.Assert(strings.ToLower(out), checker.Contains, "not found")
+}
+
+func (s *DockerSuite) TestConflictContainerNetworkAndLinks(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	out, _ := dockerCmdWithFail(c, "run", "--net=container:other", "--link=zip:zap", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictContainerNetworkAndLinks.Error())
+}
+
+func (s *DockerSuite) TestConflictContainerNetworkHostAndLinks(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+
+	out, _ := dockerCmdWithFail(c, "run", "--net=host", "--link=zip:zap", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictHostNetworkAndLinks.Error())
+}
+
+func (s *DockerSuite) TestConflictNetworkModeNetHostAndOptions(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+
+	out, _ := dockerCmdWithFail(c, "run", "--net=host", "--mac-address=92:d0:c6:0a:29:33", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictContainerNetworkAndMac.Error())
+}
+
+func (s *DockerSuite) TestConflictNetworkModeAndOptions(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	out, _ := dockerCmdWithFail(c, "run", "--net=container:other", "--dns=8.8.8.8", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictNetworkAndDNS.Error())
+
+	out, _ = dockerCmdWithFail(c, "run", "--net=container:other", "--add-host=name:8.8.8.8", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictNetworkHosts.Error())
+
+	out, _ = dockerCmdWithFail(c, "run", "--net=container:other", "--mac-address=92:d0:c6:0a:29:33", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictContainerNetworkAndMac.Error())
+
+	out, _ = dockerCmdWithFail(c, "run", "--net=container:other", "-P", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictNetworkPublishPorts.Error())
+
+	out, _ = dockerCmdWithFail(c, "run", "--net=container:other", "-p", "8080", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictNetworkPublishPorts.Error())
+
+	out, _ = dockerCmdWithFail(c, "run", "--net=container:other", "--expose", "8000-9000", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictNetworkExposePorts.Error())
+}
diff --git a/engine/integration-cli/docker_cli_network_unix_test.go b/engine/integration-cli/docker_cli_network_unix_test.go
new file mode 100644
index 00000000..807af370
--- /dev/null
+++ b/engine/integration-cli/docker_cli_network_unix_test.go
@@ -0,0 +1,1835 @@
+// +build !windows
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions/v1p20"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/daemon"
+	testdaemon "github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/runconfig"
+	"github.com/docker/libnetwork/driverapi"
+	remoteapi "github.com/docker/libnetwork/drivers/remote/api"
+	"github.com/docker/libnetwork/ipamapi"
+	remoteipam "github.com/docker/libnetwork/ipams/remote/api"
+	"github.com/docker/libnetwork/netlabel"
+	"github.com/go-check/check"
+	"github.com/vishvananda/netlink"
+	"golang.org/x/sys/unix"
+	"gotest.tools/icmd"
+)
+
+const dummyNetworkDriver = "dummy-network-driver"
+const dummyIPAMDriver = "dummy-ipam-driver"
+
+var remoteDriverNetworkRequest remoteapi.CreateNetworkRequest
+
+func init() {
+	check.Suite(&DockerNetworkSuite{
+		ds: &DockerSuite{},
+	})
+}
+
+type DockerNetworkSuite struct {
+	server *httptest.Server
+	ds     *DockerSuite
+	d      *daemon.Daemon
+}
+
+func (s *DockerNetworkSuite) SetUpTest(c *check.C) {
+	s.d = daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+}
+
+func (s *DockerNetworkSuite) TearDownTest(c *check.C) {
+	if s.d != nil {
+		s.d.Stop(c)
+		s.ds.TearDownTest(c)
+	}
+}
+
+func (s *DockerNetworkSuite) SetUpSuite(c *check.C) {
+	mux := http.NewServeMux()
+	s.server = httptest.NewServer(mux)
+	c.Assert(s.server, check.NotNil, check.Commentf("Failed to start an HTTP Server"))
+	setupRemoteNetworkDrivers(c, mux, s.server.URL, dummyNetworkDriver, dummyIPAMDriver)
+}
+
+func setupRemoteNetworkDrivers(c *check.C, mux *http.ServeMux, url, netDrv, ipamDrv string) {
+
+	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, `{"Implements": ["%s", "%s"]}`, driverapi.NetworkPluginEndpointType, ipamapi.PluginEndpointType)
+	})
+
+	// Network driver implementation
+	mux.HandleFunc(fmt.Sprintf("/%s.GetCapabilities", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, `{"Scope":"local"}`)
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.CreateNetwork", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&remoteDriverNetworkRequest)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, "null")
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.DeleteNetwork", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, "null")
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.CreateEndpoint", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, `{"Interface":{"MacAddress":"a0:b1:c2:d3:e4:f5"}}`)
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.Join", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+
+		veth := &netlink.Veth{
+			LinkAttrs: netlink.LinkAttrs{Name: "randomIfName", TxQLen: 0}, PeerName: "cnt0"}
+		if err := netlink.LinkAdd(veth); err != nil {
+			fmt.Fprintf(w, `{"Error":"failed to add veth pair: `+err.Error()+`"}`)
+		} else {
+			fmt.Fprintf(w, `{"InterfaceName":{ "SrcName":"cnt0", "DstPrefix":"veth"}}`)
+		}
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.Leave", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, "null")
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.DeleteEndpoint", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		if link, err := netlink.LinkByName("cnt0"); err == nil {
+			netlink.LinkDel(link)
+		}
+		fmt.Fprintf(w, "null")
+	})
+
+	// IPAM Driver implementation
+	var (
+		poolRequest       remoteipam.RequestPoolRequest
+		poolReleaseReq    remoteipam.ReleasePoolRequest
+		addressRequest    remoteipam.RequestAddressRequest
+		addressReleaseReq remoteipam.ReleaseAddressRequest
+		lAS               = "localAS"
+		gAS               = "globalAS"
+		pool              = "172.28.0.0/16"
+		poolID            = lAS + "/" + pool
+		gw                = "172.28.255.254/16"
+	)
+
+	mux.HandleFunc(fmt.Sprintf("/%s.GetDefaultAddressSpaces", ipamapi.PluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, `{"LocalDefaultAddressSpace":"`+lAS+`", "GlobalDefaultAddressSpace": "`+gAS+`"}`)
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.RequestPool", ipamapi.PluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&poolRequest)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		if poolRequest.AddressSpace != lAS && poolRequest.AddressSpace != gAS {
+			fmt.Fprintf(w, `{"Error":"Unknown address space in pool request: `+poolRequest.AddressSpace+`"}`)
+		} else if poolRequest.Pool != "" && poolRequest.Pool != pool {
+			fmt.Fprintf(w, `{"Error":"Cannot handle explicit pool requests yet"}`)
+		} else {
+			fmt.Fprintf(w, `{"PoolID":"`+poolID+`", "Pool":"`+pool+`"}`)
+		}
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.RequestAddress", ipamapi.PluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&addressRequest)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		// make sure libnetwork is now querying on the expected pool id
+		if addressRequest.PoolID != poolID {
+			fmt.Fprintf(w, `{"Error":"unknown pool id"}`)
+		} else if addressRequest.Address != "" {
+			fmt.Fprintf(w, `{"Error":"Cannot handle explicit address requests yet"}`)
+		} else {
+			fmt.Fprintf(w, `{"Address":"`+gw+`"}`)
+		}
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.ReleaseAddress", ipamapi.PluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&addressReleaseReq)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		// make sure libnetwork is now asking to release the expected address from the expected poolid
+		if addressRequest.PoolID != poolID {
+			fmt.Fprintf(w, `{"Error":"unknown pool id"}`)
+		} else if addressReleaseReq.Address != gw {
+			fmt.Fprintf(w, `{"Error":"unknown address"}`)
+		} else {
+			fmt.Fprintf(w, "null")
+		}
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.ReleasePool", ipamapi.PluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&poolReleaseReq)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		// make sure libnetwork is now asking to release the expected poolid
+		if addressRequest.PoolID != poolID {
+			fmt.Fprintf(w, `{"Error":"unknown pool id"}`)
+		} else {
+			fmt.Fprintf(w, "null")
+		}
+	})
+
+	err := os.MkdirAll("/etc/docker/plugins", 0755)
+	c.Assert(err, checker.IsNil)
+
+	fileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", netDrv)
+	err = ioutil.WriteFile(fileName, []byte(url), 0644)
+	c.Assert(err, checker.IsNil)
+
+	ipamFileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", ipamDrv)
+	err = ioutil.WriteFile(ipamFileName, []byte(url), 0644)
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *DockerNetworkSuite) TearDownSuite(c *check.C) {
+	if s.server == nil {
+		return
+	}
+
+	s.server.Close()
+
+	err := os.RemoveAll("/etc/docker/plugins")
+	c.Assert(err, checker.IsNil)
+}
+
+func assertNwIsAvailable(c *check.C, name string) {
+	if !isNwPresent(c, name) {
+		c.Fatalf("Network %s not found in network ls o/p", name)
+	}
+}
+
+func assertNwNotAvailable(c *check.C, name string) {
+	if isNwPresent(c, name) {
+		c.Fatalf("Found network %s in network ls o/p", name)
+	}
+}
+
+func isNwPresent(c *check.C, name string) bool {
+	out, _ := dockerCmd(c, "network", "ls")
+	lines := strings.Split(out, "\n")
+	for i := 1; i < len(lines)-1; i++ {
+		netFields := strings.Fields(lines[i])
+		if netFields[1] == name {
+			return true
+		}
+	}
+	return false
+}
+
+// assertNwList checks network list retrieved with ls command
+// equals to expected network list
+// note: out should be `network ls [option]` result
+func assertNwList(c *check.C, out string, expectNws []string) {
+	lines := strings.Split(out, "\n")
+	var nwList []string
+	for _, line := range lines[1 : len(lines)-1] {
+		netFields := strings.Fields(line)
+		// wrap all network name in nwList
+		nwList = append(nwList, netFields[1])
+	}
+
+	// network ls should contains all expected networks
+	c.Assert(nwList, checker.DeepEquals, expectNws)
+}
+
+func getNwResource(c *check.C, name string) *types.NetworkResource {
+	out, _ := dockerCmd(c, "network", "inspect", name)
+	var nr []types.NetworkResource
+	err := json.Unmarshal([]byte(out), &nr)
+	c.Assert(err, check.IsNil)
+	return &nr[0]
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkLsDefault(c *check.C) {
+	defaults := []string{"bridge", "host", "none"}
+	for _, nn := range defaults {
+		assertNwIsAvailable(c, nn)
+	}
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkCreatePredefined(c *check.C) {
+	predefined := []string{"bridge", "host", "none", "default"}
+	for _, net := range predefined {
+		// predefined networks can't be created again
+		out, _, err := dockerCmdWithError("network", "create", net)
+		c.Assert(err, checker.NotNil, check.Commentf("%v", out))
+	}
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkCreateHostBind(c *check.C) {
+	dockerCmd(c, "network", "create", "--subnet=192.168.10.0/24", "--gateway=192.168.10.1", "-o", "com.docker.network.bridge.host_binding_ipv4=192.168.10.1", "testbind")
+	assertNwIsAvailable(c, "testbind")
+
+	out := runSleepingContainer(c, "--net=testbind", "-p", "5000:5000")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+	out, _ = dockerCmd(c, "ps")
+	c.Assert(out, checker.Contains, "192.168.10.1:5000->5000/tcp")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkRmPredefined(c *check.C) {
+	predefined := []string{"bridge", "host", "none", "default"}
+	for _, net := range predefined {
+		// predefined networks can't be removed
+		out, _, err := dockerCmdWithError("network", "rm", net)
+		c.Assert(err, checker.NotNil, check.Commentf("%v", out))
+	}
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkLsFilter(c *check.C) {
+	testRequires(c, OnlyDefaultNetworks)
+	testNet := "testnet1"
+	testLabel := "foo"
+	testValue := "bar"
+	out, _ := dockerCmd(c, "network", "create", "dev")
+	defer func() {
+		dockerCmd(c, "network", "rm", "dev")
+		dockerCmd(c, "network", "rm", testNet)
+	}()
+	networkID := strings.TrimSpace(out)
+
+	// filter with partial ID
+	// only show 'dev' network
+	out, _ = dockerCmd(c, "network", "ls", "-f", "id="+networkID[0:5])
+	assertNwList(c, out, []string{"dev"})
+
+	out, _ = dockerCmd(c, "network", "ls", "-f", "name=dge")
+	assertNwList(c, out, []string{"bridge"})
+
+	// only show built-in network (bridge, none, host)
+	out, _ = dockerCmd(c, "network", "ls", "-f", "type=builtin")
+	assertNwList(c, out, []string{"bridge", "host", "none"})
+
+	// only show custom networks (dev)
+	out, _ = dockerCmd(c, "network", "ls", "-f", "type=custom")
+	assertNwList(c, out, []string{"dev"})
+
+	// show all networks with filter
+	// it should be equivalent of ls without option
+	out, _ = dockerCmd(c, "network", "ls", "-f", "type=custom", "-f", "type=builtin")
+	assertNwList(c, out, []string{"bridge", "dev", "host", "none"})
+
+	out, _ = dockerCmd(c, "network", "create", "--label", testLabel+"="+testValue, testNet)
+	assertNwIsAvailable(c, testNet)
+
+	out, _ = dockerCmd(c, "network", "ls", "-f", "label="+testLabel)
+	assertNwList(c, out, []string{testNet})
+
+	out, _ = dockerCmd(c, "network", "ls", "-f", "label="+testLabel+"="+testValue)
+	assertNwList(c, out, []string{testNet})
+
+	out, _ = dockerCmd(c, "network", "ls", "-f", "label=nonexistent")
+	outArr := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(outArr), check.Equals, 1, check.Commentf("%s\n", out))
+
+	out, _ = dockerCmd(c, "network", "ls", "-f", "driver=null")
+	assertNwList(c, out, []string{"none"})
+
+	out, _ = dockerCmd(c, "network", "ls", "-f", "driver=host")
+	assertNwList(c, out, []string{"host"})
+
+	out, _ = dockerCmd(c, "network", "ls", "-f", "driver=bridge")
+	assertNwList(c, out, []string{"bridge", "dev", testNet})
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkCreateDelete(c *check.C) {
+	dockerCmd(c, "network", "create", "test")
+	assertNwIsAvailable(c, "test")
+
+	dockerCmd(c, "network", "rm", "test")
+	assertNwNotAvailable(c, "test")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkCreateLabel(c *check.C) {
+	testNet := "testnetcreatelabel"
+	testLabel := "foo"
+	testValue := "bar"
+
+	dockerCmd(c, "network", "create", "--label", testLabel+"="+testValue, testNet)
+	assertNwIsAvailable(c, testNet)
+
+	out, _, err := dockerCmdWithError("network", "inspect", "--format={{ .Labels."+testLabel+" }}", testNet)
+	c.Assert(err, check.IsNil)
+	c.Assert(strings.TrimSpace(out), check.Equals, testValue)
+
+	dockerCmd(c, "network", "rm", testNet)
+	assertNwNotAvailable(c, testNet)
+}
+
+func (s *DockerSuite) TestDockerNetworkDeleteNotExists(c *check.C) {
+	out, _, err := dockerCmdWithError("network", "rm", "test")
+	c.Assert(err, checker.NotNil, check.Commentf("%v", out))
+}
+
+func (s *DockerSuite) TestDockerNetworkDeleteMultiple(c *check.C) {
+	dockerCmd(c, "network", "create", "testDelMulti0")
+	assertNwIsAvailable(c, "testDelMulti0")
+	dockerCmd(c, "network", "create", "testDelMulti1")
+	assertNwIsAvailable(c, "testDelMulti1")
+	dockerCmd(c, "network", "create", "testDelMulti2")
+	assertNwIsAvailable(c, "testDelMulti2")
+	out, _ := dockerCmd(c, "run", "-d", "--net", "testDelMulti2", "busybox", "top")
+	containerID := strings.TrimSpace(out)
+	waitRun(containerID)
+
+	// delete three networks at the same time, since testDelMulti2
+	// contains active container, its deletion should fail.
+	out, _, err := dockerCmdWithError("network", "rm", "testDelMulti0", "testDelMulti1", "testDelMulti2")
+	// err should not be nil due to deleting testDelMulti2 failed.
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	// testDelMulti2 should fail due to network has active endpoints
+	c.Assert(out, checker.Contains, "has active endpoints")
+	assertNwNotAvailable(c, "testDelMulti0")
+	assertNwNotAvailable(c, "testDelMulti1")
+	// testDelMulti2 can't be deleted, so it should exist
+	assertNwIsAvailable(c, "testDelMulti2")
+}
+
+func (s *DockerSuite) TestDockerNetworkInspect(c *check.C) {
+	out, _ := dockerCmd(c, "network", "inspect", "host")
+	var networkResources []types.NetworkResource
+	err := json.Unmarshal([]byte(out), &networkResources)
+	c.Assert(err, check.IsNil)
+	c.Assert(networkResources, checker.HasLen, 1)
+
+	out, _ = dockerCmd(c, "network", "inspect", "--format={{ .Name }}", "host")
+	c.Assert(strings.TrimSpace(out), check.Equals, "host")
+}
+
+func (s *DockerSuite) TestDockerNetworkInspectWithID(c *check.C) {
+	out, _ := dockerCmd(c, "network", "create", "test2")
+	networkID := strings.TrimSpace(out)
+	assertNwIsAvailable(c, "test2")
+	out, _ = dockerCmd(c, "network", "inspect", "--format={{ .Id }}", "test2")
+	c.Assert(strings.TrimSpace(out), check.Equals, networkID)
+
+	out, _ = dockerCmd(c, "network", "inspect", "--format={{ .ID }}", "test2")
+	c.Assert(strings.TrimSpace(out), check.Equals, networkID)
+}
+
+func (s *DockerSuite) TestDockerInspectMultipleNetwork(c *check.C) {
+	result := dockerCmdWithResult("network", "inspect", "host", "none")
+	result.Assert(c, icmd.Success)
+
+	var networkResources []types.NetworkResource
+	err := json.Unmarshal([]byte(result.Stdout()), &networkResources)
+	c.Assert(err, check.IsNil)
+	c.Assert(networkResources, checker.HasLen, 2)
+}
+
+func (s *DockerSuite) TestDockerInspectMultipleNetworksIncludingNonexistent(c *check.C) {
+	// non-existent network was not at the beginning of the inspect list
+	// This should print an error, return an exitCode 1 and print the host network
+	result := dockerCmdWithResult("network", "inspect", "host", "nonexistent")
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Error: No such network: nonexistent",
+		Out:      "host",
+	})
+
+	var networkResources []types.NetworkResource
+	err := json.Unmarshal([]byte(result.Stdout()), &networkResources)
+	c.Assert(err, check.IsNil)
+	c.Assert(networkResources, checker.HasLen, 1)
+
+	// Only one non-existent network to inspect
+	// Should print an error and return an exitCode, nothing else
+	result = dockerCmdWithResult("network", "inspect", "nonexistent")
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Error: No such network: nonexistent",
+		Out:      "[]",
+	})
+
+	// non-existent network was at the beginning of the inspect list
+	// Should not fail fast, and still print host network but print an error
+	result = dockerCmdWithResult("network", "inspect", "nonexistent", "host")
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Error: No such network: nonexistent",
+		Out:      "host",
+	})
+
+	networkResources = []types.NetworkResource{}
+	err = json.Unmarshal([]byte(result.Stdout()), &networkResources)
+	c.Assert(err, check.IsNil)
+	c.Assert(networkResources, checker.HasLen, 1)
+}
+
+func (s *DockerSuite) TestDockerInspectNetworkWithContainerName(c *check.C) {
+	dockerCmd(c, "network", "create", "brNetForInspect")
+	assertNwIsAvailable(c, "brNetForInspect")
+	defer func() {
+		dockerCmd(c, "network", "rm", "brNetForInspect")
+		assertNwNotAvailable(c, "brNetForInspect")
+	}()
+
+	out, _ := dockerCmd(c, "run", "-d", "--name", "testNetInspect1", "--net", "brNetForInspect", "busybox", "top")
+	c.Assert(waitRun("testNetInspect1"), check.IsNil)
+	containerID := strings.TrimSpace(out)
+	defer func() {
+		// we don't stop container by name, because we'll rename it later
+		dockerCmd(c, "stop", containerID)
+	}()
+
+	out, _ = dockerCmd(c, "network", "inspect", "brNetForInspect")
+	var networkResources []types.NetworkResource
+	err := json.Unmarshal([]byte(out), &networkResources)
+	c.Assert(err, check.IsNil)
+	c.Assert(networkResources, checker.HasLen, 1)
+	container, ok := networkResources[0].Containers[containerID]
+	c.Assert(ok, checker.True)
+	c.Assert(container.Name, checker.Equals, "testNetInspect1")
+
+	// rename container and check docker inspect output update
+	newName := "HappyNewName"
+	dockerCmd(c, "rename", "testNetInspect1", newName)
+
+	// check whether network inspect works properly
+	out, _ = dockerCmd(c, "network", "inspect", "brNetForInspect")
+	var newNetRes []types.NetworkResource
+	err = json.Unmarshal([]byte(out), &newNetRes)
+	c.Assert(err, check.IsNil)
+	c.Assert(newNetRes, checker.HasLen, 1)
+	container1, ok := newNetRes[0].Containers[containerID]
+	c.Assert(ok, checker.True)
+	c.Assert(container1.Name, checker.Equals, newName)
+
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkConnectDisconnect(c *check.C) {
+	dockerCmd(c, "network", "create", "test")
+	assertNwIsAvailable(c, "test")
+	nr := getNwResource(c, "test")
+
+	c.Assert(nr.Name, checker.Equals, "test")
+	c.Assert(len(nr.Containers), checker.Equals, 0)
+
+	// run a container
+	out, _ := dockerCmd(c, "run", "-d", "--name", "test", "busybox", "top")
+	c.Assert(waitRun("test"), check.IsNil)
+	containerID := strings.TrimSpace(out)
+
+	// connect the container to the test network
+	dockerCmd(c, "network", "connect", "test", containerID)
+
+	// inspect the network to make sure container is connected
+	nr = getNetworkResource(c, nr.ID)
+	c.Assert(len(nr.Containers), checker.Equals, 1)
+	c.Assert(nr.Containers[containerID], check.NotNil)
+
+	// check if container IP matches network inspect
+	ip, _, err := net.ParseCIDR(nr.Containers[containerID].IPv4Address)
+	c.Assert(err, check.IsNil)
+	containerIP := findContainerIP(c, "test", "test")
+	c.Assert(ip.String(), checker.Equals, containerIP)
+
+	// disconnect container from the network
+	dockerCmd(c, "network", "disconnect", "test", containerID)
+	nr = getNwResource(c, "test")
+	c.Assert(nr.Name, checker.Equals, "test")
+	c.Assert(len(nr.Containers), checker.Equals, 0)
+
+	// run another container
+	out, _ = dockerCmd(c, "run", "-d", "--net", "test", "--name", "test2", "busybox", "top")
+	c.Assert(waitRun("test2"), check.IsNil)
+	containerID = strings.TrimSpace(out)
+
+	nr = getNwResource(c, "test")
+	c.Assert(nr.Name, checker.Equals, "test")
+	c.Assert(len(nr.Containers), checker.Equals, 1)
+
+	// force disconnect the container to the test network
+	dockerCmd(c, "network", "disconnect", "-f", "test", containerID)
+
+	nr = getNwResource(c, "test")
+	c.Assert(nr.Name, checker.Equals, "test")
+	c.Assert(len(nr.Containers), checker.Equals, 0)
+
+	dockerCmd(c, "network", "rm", "test")
+	assertNwNotAvailable(c, "test")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkIPAMMultipleNetworks(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	// test0 bridge network
+	dockerCmd(c, "network", "create", "--subnet=192.168.0.0/16", "test1")
+	assertNwIsAvailable(c, "test1")
+
+	// test2 bridge network does not overlap
+	dockerCmd(c, "network", "create", "--subnet=192.169.0.0/16", "test2")
+	assertNwIsAvailable(c, "test2")
+
+	// for networks w/o ipam specified, docker will choose proper non-overlapping subnets
+	dockerCmd(c, "network", "create", "test3")
+	assertNwIsAvailable(c, "test3")
+	dockerCmd(c, "network", "create", "test4")
+	assertNwIsAvailable(c, "test4")
+	dockerCmd(c, "network", "create", "test5")
+	assertNwIsAvailable(c, "test5")
+
+	// test network with multiple subnets
+	// bridge network doesn't support multiple subnets. hence, use a dummy driver that supports
+
+	dockerCmd(c, "network", "create", "-d", dummyNetworkDriver, "--subnet=192.170.0.0/16", "--subnet=192.171.0.0/16", "test6")
+	assertNwIsAvailable(c, "test6")
+
+	// test network with multiple subnets with valid ipam combinations
+	// also check same subnet across networks when the driver supports it.
+	dockerCmd(c, "network", "create", "-d", dummyNetworkDriver,
+		"--subnet=192.172.0.0/16", "--subnet=192.173.0.0/16",
+		"--gateway=192.172.0.100", "--gateway=192.173.0.100",
+		"--ip-range=192.172.1.0/24",
+		"--aux-address", "a=192.172.1.5", "--aux-address", "b=192.172.1.6",
+		"--aux-address", "c=192.173.1.5", "--aux-address", "d=192.173.1.6",
+		"test7")
+	assertNwIsAvailable(c, "test7")
+
+	// cleanup
+	for i := 1; i < 8; i++ {
+		dockerCmd(c, "network", "rm", fmt.Sprintf("test%d", i))
+	}
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkCustomIPAM(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	// Create a bridge network using custom ipam driver
+	dockerCmd(c, "network", "create", "--ipam-driver", dummyIPAMDriver, "br0")
+	assertNwIsAvailable(c, "br0")
+
+	// Verify expected network ipam fields are there
+	nr := getNetworkResource(c, "br0")
+	c.Assert(nr.Driver, checker.Equals, "bridge")
+	c.Assert(nr.IPAM.Driver, checker.Equals, dummyIPAMDriver)
+
+	// remove network and exercise remote ipam driver
+	dockerCmd(c, "network", "rm", "br0")
+	assertNwNotAvailable(c, "br0")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkIPAMOptions(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	// Create a bridge network using custom ipam driver and options
+	dockerCmd(c, "network", "create", "--ipam-driver", dummyIPAMDriver, "--ipam-opt", "opt1=drv1", "--ipam-opt", "opt2=drv2", "br0")
+	assertNwIsAvailable(c, "br0")
+
+	// Verify expected network ipam options
+	nr := getNetworkResource(c, "br0")
+	opts := nr.IPAM.Options
+	c.Assert(opts["opt1"], checker.Equals, "drv1")
+	c.Assert(opts["opt2"], checker.Equals, "drv2")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkNullIPAMDriver(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	// Create a network with null ipam driver
+	_, _, err := dockerCmdWithError("network", "create", "-d", dummyNetworkDriver, "--ipam-driver", "null", "test000")
+	c.Assert(err, check.IsNil)
+	assertNwIsAvailable(c, "test000")
+
+	// Verify the inspect data contains the default subnet provided by the null
+	// ipam driver and no gateway, as the null ipam driver does not provide one
+	nr := getNetworkResource(c, "test000")
+	c.Assert(nr.IPAM.Driver, checker.Equals, "null")
+	c.Assert(len(nr.IPAM.Config), checker.Equals, 1)
+	c.Assert(nr.IPAM.Config[0].Subnet, checker.Equals, "0.0.0.0/0")
+	c.Assert(nr.IPAM.Config[0].Gateway, checker.Equals, "")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkInspectDefault(c *check.C) {
+	nr := getNetworkResource(c, "none")
+	c.Assert(nr.Driver, checker.Equals, "null")
+	c.Assert(nr.Scope, checker.Equals, "local")
+	c.Assert(nr.Internal, checker.Equals, false)
+	c.Assert(nr.EnableIPv6, checker.Equals, false)
+	c.Assert(nr.IPAM.Driver, checker.Equals, "default")
+	c.Assert(len(nr.IPAM.Config), checker.Equals, 0)
+
+	nr = getNetworkResource(c, "host")
+	c.Assert(nr.Driver, checker.Equals, "host")
+	c.Assert(nr.Scope, checker.Equals, "local")
+	c.Assert(nr.Internal, checker.Equals, false)
+	c.Assert(nr.EnableIPv6, checker.Equals, false)
+	c.Assert(nr.IPAM.Driver, checker.Equals, "default")
+	c.Assert(len(nr.IPAM.Config), checker.Equals, 0)
+
+	nr = getNetworkResource(c, "bridge")
+	c.Assert(nr.Driver, checker.Equals, "bridge")
+	c.Assert(nr.Scope, checker.Equals, "local")
+	c.Assert(nr.Internal, checker.Equals, false)
+	c.Assert(nr.EnableIPv6, checker.Equals, false)
+	c.Assert(nr.IPAM.Driver, checker.Equals, "default")
+	c.Assert(len(nr.IPAM.Config), checker.Equals, 1)
+	c.Assert(nr.IPAM.Config[0].Subnet, checker.NotNil)
+	c.Assert(nr.IPAM.Config[0].Gateway, checker.NotNil)
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkInspectCustomUnspecified(c *check.C) {
+	// if unspecified, network subnet will be selected from inside preferred pool
+	dockerCmd(c, "network", "create", "test01")
+	assertNwIsAvailable(c, "test01")
+
+	nr := getNetworkResource(c, "test01")
+	c.Assert(nr.Driver, checker.Equals, "bridge")
+	c.Assert(nr.Scope, checker.Equals, "local")
+	c.Assert(nr.Internal, checker.Equals, false)
+	c.Assert(nr.EnableIPv6, checker.Equals, false)
+	c.Assert(nr.IPAM.Driver, checker.Equals, "default")
+	c.Assert(len(nr.IPAM.Config), checker.Equals, 1)
+	c.Assert(nr.IPAM.Config[0].Subnet, checker.NotNil)
+	c.Assert(nr.IPAM.Config[0].Gateway, checker.NotNil)
+
+	dockerCmd(c, "network", "rm", "test01")
+	assertNwNotAvailable(c, "test01")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkInspectCustomSpecified(c *check.C) {
+	dockerCmd(c, "network", "create", "--driver=bridge", "--ipv6", "--subnet=fd80:24e2:f998:72d6::/64", "--subnet=172.28.0.0/16", "--ip-range=172.28.5.0/24", "--gateway=172.28.5.254", "br0")
+	assertNwIsAvailable(c, "br0")
+
+	nr := getNetworkResource(c, "br0")
+	c.Assert(nr.Driver, checker.Equals, "bridge")
+	c.Assert(nr.Scope, checker.Equals, "local")
+	c.Assert(nr.Internal, checker.Equals, false)
+	c.Assert(nr.EnableIPv6, checker.Equals, true)
+	c.Assert(nr.IPAM.Driver, checker.Equals, "default")
+	c.Assert(len(nr.IPAM.Config), checker.Equals, 2)
+	c.Assert(nr.IPAM.Config[0].Subnet, checker.Equals, "172.28.0.0/16")
+	c.Assert(nr.IPAM.Config[0].IPRange, checker.Equals, "172.28.5.0/24")
+	c.Assert(nr.IPAM.Config[0].Gateway, checker.Equals, "172.28.5.254")
+	c.Assert(nr.Internal, checker.False)
+	dockerCmd(c, "network", "rm", "br0")
+	assertNwNotAvailable(c, "br0")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkIPAMInvalidCombinations(c *check.C) {
+	// network with ip-range out of subnet range
+	_, _, err := dockerCmdWithError("network", "create", "--subnet=192.168.0.0/16", "--ip-range=192.170.0.0/16", "test")
+	c.Assert(err, check.NotNil)
+
+	// network with multiple gateways for a single subnet
+	_, _, err = dockerCmdWithError("network", "create", "--subnet=192.168.0.0/16", "--gateway=192.168.0.1", "--gateway=192.168.0.2", "test")
+	c.Assert(err, check.NotNil)
+
+	// Multiple overlapping subnets in the same network must fail
+	_, _, err = dockerCmdWithError("network", "create", "--subnet=192.168.0.0/16", "--subnet=192.168.1.0/16", "test")
+	c.Assert(err, check.NotNil)
+
+	// overlapping subnets across networks must fail
+	// create a valid test0 network
+	dockerCmd(c, "network", "create", "--subnet=192.168.0.0/16", "test0")
+	assertNwIsAvailable(c, "test0")
+	// create an overlapping test1 network
+	_, _, err = dockerCmdWithError("network", "create", "--subnet=192.168.128.0/17", "test1")
+	c.Assert(err, check.NotNil)
+	dockerCmd(c, "network", "rm", "test0")
+	assertNwNotAvailable(c, "test0")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkDriverOptions(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	dockerCmd(c, "network", "create", "-d", dummyNetworkDriver, "-o", "opt1=drv1", "-o", "opt2=drv2", "testopt")
+	assertNwIsAvailable(c, "testopt")
+	gopts := remoteDriverNetworkRequest.Options[netlabel.GenericData]
+	c.Assert(gopts, checker.NotNil)
+	opts, ok := gopts.(map[string]interface{})
+	c.Assert(ok, checker.Equals, true)
+	c.Assert(opts["opt1"], checker.Equals, "drv1")
+	c.Assert(opts["opt2"], checker.Equals, "drv2")
+	dockerCmd(c, "network", "rm", "testopt")
+	assertNwNotAvailable(c, "testopt")
+
+}
+
+func (s *DockerNetworkSuite) TestDockerPluginV2NetworkDriver(c *check.C) {
+	testRequires(c, DaemonIsLinux, IsAmd64, Network)
+
+	var (
+		npName        = "tiborvass/test-docker-netplugin"
+		npTag         = "latest"
+		npNameWithTag = npName + ":" + npTag
+	)
+	_, _, err := dockerCmdWithError("plugin", "install", "--grant-all-permissions", npNameWithTag)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err := dockerCmdWithError("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, npName)
+	c.Assert(out, checker.Contains, npTag)
+	c.Assert(out, checker.Contains, "true")
+
+	dockerCmd(c, "network", "create", "-d", npNameWithTag, "v2net")
+	assertNwIsAvailable(c, "v2net")
+	dockerCmd(c, "network", "rm", "v2net")
+	assertNwNotAvailable(c, "v2net")
+
+}
+
+func (s *DockerDaemonSuite) TestDockerNetworkNoDiscoveryDefaultBridgeNetwork(c *check.C) {
+	testRequires(c, ExecSupport)
+	// On default bridge network built-in service discovery should not happen
+	hostsFile := "/etc/hosts"
+	bridgeName := "external-bridge"
+	bridgeIP := "192.169.255.254/24"
+	createInterface(c, "bridge", bridgeName, bridgeIP)
+	defer deleteInterface(c, bridgeName)
+
+	s.d.StartWithBusybox(c, "--bridge", bridgeName)
+	defer s.d.Restart(c)
+
+	// run two containers and store first container's etc/hosts content
+	out, err := s.d.Cmd("run", "-d", "busybox", "top")
+	c.Assert(err, check.IsNil)
+	cid1 := strings.TrimSpace(out)
+	defer s.d.Cmd("stop", cid1)
+
+	hosts, err := s.d.Cmd("exec", cid1, "cat", hostsFile)
+	c.Assert(err, checker.IsNil)
+
+	out, err = s.d.Cmd("run", "-d", "--name", "container2", "busybox", "top")
+	c.Assert(err, check.IsNil)
+	cid2 := strings.TrimSpace(out)
+
+	// verify first container's etc/hosts file has not changed after spawning the second named container
+	hostsPost, err := s.d.Cmd("exec", cid1, "cat", hostsFile)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(hosts), checker.Equals, string(hostsPost),
+		check.Commentf("Unexpected %s change on second container creation", hostsFile))
+
+	// stop container 2 and verify first container's etc/hosts has not changed
+	_, err = s.d.Cmd("stop", cid2)
+	c.Assert(err, check.IsNil)
+
+	hostsPost, err = s.d.Cmd("exec", cid1, "cat", hostsFile)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(hosts), checker.Equals, string(hostsPost),
+		check.Commentf("Unexpected %s change on second container creation", hostsFile))
+
+	// but discovery is on when connecting to non default bridge network
+	network := "anotherbridge"
+	out, err = s.d.Cmd("network", "create", network)
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	defer s.d.Cmd("network", "rm", network)
+
+	out, err = s.d.Cmd("network", "connect", network, cid1)
+	c.Assert(err, check.IsNil, check.Commentf(out))
+
+	hosts, err = s.d.Cmd("exec", cid1, "cat", hostsFile)
+	c.Assert(err, checker.IsNil)
+
+	hostsPost, err = s.d.Cmd("exec", cid1, "cat", hostsFile)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(hosts), checker.Equals, string(hostsPost),
+		check.Commentf("Unexpected %s change on second network connection", hostsFile))
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkAnonymousEndpoint(c *check.C) {
+	testRequires(c, ExecSupport, NotArm)
+	hostsFile := "/etc/hosts"
+	cstmBridgeNw := "custom-bridge-nw"
+	cstmBridgeNw1 := "custom-bridge-nw1"
+
+	dockerCmd(c, "network", "create", "-d", "bridge", cstmBridgeNw)
+	assertNwIsAvailable(c, cstmBridgeNw)
+
+	// run two anonymous containers and store their etc/hosts content
+	out, _ := dockerCmd(c, "run", "-d", "--net", cstmBridgeNw, "busybox", "top")
+	cid1 := strings.TrimSpace(out)
+
+	hosts1 := readContainerFileWithExec(c, cid1, hostsFile)
+
+	out, _ = dockerCmd(c, "run", "-d", "--net", cstmBridgeNw, "busybox", "top")
+	cid2 := strings.TrimSpace(out)
+
+	hosts2 := readContainerFileWithExec(c, cid2, hostsFile)
+
+	// verify first container etc/hosts file has not changed
+	hosts1post := readContainerFileWithExec(c, cid1, hostsFile)
+	c.Assert(string(hosts1), checker.Equals, string(hosts1post),
+		check.Commentf("Unexpected %s change on anonymous container creation", hostsFile))
+
+	// Connect the 2nd container to a new network and verify the
+	// first container /etc/hosts file still hasn't changed.
+	dockerCmd(c, "network", "create", "-d", "bridge", cstmBridgeNw1)
+	assertNwIsAvailable(c, cstmBridgeNw1)
+
+	dockerCmd(c, "network", "connect", cstmBridgeNw1, cid2)
+
+	hosts2 = readContainerFileWithExec(c, cid2, hostsFile)
+	hosts1post = readContainerFileWithExec(c, cid1, hostsFile)
+	c.Assert(string(hosts1), checker.Equals, string(hosts1post),
+		check.Commentf("Unexpected %s change on container connect", hostsFile))
+
+	// start a named container
+	cName := "AnyName"
+	out, _ = dockerCmd(c, "run", "-d", "--net", cstmBridgeNw, "--name", cName, "busybox", "top")
+	cid3 := strings.TrimSpace(out)
+
+	// verify that container 1 and 2 can ping the named container
+	dockerCmd(c, "exec", cid1, "ping", "-c", "1", cName)
+	dockerCmd(c, "exec", cid2, "ping", "-c", "1", cName)
+
+	// Stop named container and verify first two containers' etc/hosts file hasn't changed
+	dockerCmd(c, "stop", cid3)
+	hosts1post = readContainerFileWithExec(c, cid1, hostsFile)
+	c.Assert(string(hosts1), checker.Equals, string(hosts1post),
+		check.Commentf("Unexpected %s change on name container creation", hostsFile))
+
+	hosts2post := readContainerFileWithExec(c, cid2, hostsFile)
+	c.Assert(string(hosts2), checker.Equals, string(hosts2post),
+		check.Commentf("Unexpected %s change on name container creation", hostsFile))
+
+	// verify that container 1 and 2 can't ping the named container now
+	_, _, err := dockerCmdWithError("exec", cid1, "ping", "-c", "1", cName)
+	c.Assert(err, check.NotNil)
+	_, _, err = dockerCmdWithError("exec", cid2, "ping", "-c", "1", cName)
+	c.Assert(err, check.NotNil)
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkLinkOnDefaultNetworkOnly(c *check.C) {
+	// Legacy Link feature must work only on default network, and not across networks
+	cnt1 := "container1"
+	cnt2 := "container2"
+	network := "anotherbridge"
+
+	// Run first container on default network
+	dockerCmd(c, "run", "-d", "--name", cnt1, "busybox", "top")
+
+	// Create another network and run the second container on it
+	dockerCmd(c, "network", "create", network)
+	assertNwIsAvailable(c, network)
+	dockerCmd(c, "run", "-d", "--net", network, "--name", cnt2, "busybox", "top")
+
+	// Try launching a container on default network, linking to the first container. Must succeed
+	dockerCmd(c, "run", "-d", "--link", fmt.Sprintf("%s:%s", cnt1, cnt1), "busybox", "top")
+
+	// Try launching a container on default network, linking to the second container. Must fail
+	_, _, err := dockerCmdWithError("run", "-d", "--link", fmt.Sprintf("%s:%s", cnt2, cnt2), "busybox", "top")
+	c.Assert(err, checker.NotNil)
+
+	// Connect second container to default network. Now a container on default network can link to it
+	dockerCmd(c, "network", "connect", "bridge", cnt2)
+	dockerCmd(c, "run", "-d", "--link", fmt.Sprintf("%s:%s", cnt2, cnt2), "busybox", "top")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkOverlayPortMapping(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	// Verify exposed ports are present in ps output when running a container on
+	// a network managed by a driver which does not provide the default gateway
+	// for the container
+	nwn := "ov"
+	ctn := "bb"
+	port1 := 80
+	port2 := 443
+	expose1 := fmt.Sprintf("--expose=%d", port1)
+	expose2 := fmt.Sprintf("--expose=%d", port2)
+
+	dockerCmd(c, "network", "create", "-d", dummyNetworkDriver, nwn)
+	assertNwIsAvailable(c, nwn)
+
+	dockerCmd(c, "run", "-d", "--net", nwn, "--name", ctn, expose1, expose2, "busybox", "top")
+
+	// Check docker ps o/p for last created container reports the unpublished ports
+	unpPort1 := fmt.Sprintf("%d/tcp", port1)
+	unpPort2 := fmt.Sprintf("%d/tcp", port2)
+	out, _ := dockerCmd(c, "ps", "-n=1")
+	// Missing unpublished ports in docker ps output
+	c.Assert(out, checker.Contains, unpPort1)
+	// Missing unpublished ports in docker ps output
+	c.Assert(out, checker.Contains, unpPort2)
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkDriverUngracefulRestart(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, SameHostDaemon)
+	dnd := "dnd"
+	did := "did"
+
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	setupRemoteNetworkDrivers(c, mux, server.URL, dnd, did)
+
+	s.d.StartWithBusybox(c)
+	_, err := s.d.Cmd("network", "create", "-d", dnd, "--subnet", "1.1.1.0/24", "net1")
+	c.Assert(err, checker.IsNil)
+
+	_, err = s.d.Cmd("run", "-itd", "--net", "net1", "--name", "foo", "--ip", "1.1.1.10", "busybox", "sh")
+	c.Assert(err, checker.IsNil)
+
+	// Kill daemon and restart
+	c.Assert(s.d.Kill(), checker.IsNil)
+
+	server.Close()
+
+	startTime := time.Now().Unix()
+	s.d.Restart(c)
+	lapse := time.Now().Unix() - startTime
+	if lapse > 60 {
+		// In normal scenarios, daemon restart takes ~1 second.
+		// Plugin retry mechanism can delay the daemon start. systemd may not like it.
+		// Avoid accessing plugins during daemon bootup
+		c.Logf("daemon restart took too long : %d seconds", lapse)
+	}
+
+	// Restart the custom dummy plugin
+	mux = http.NewServeMux()
+	server = httptest.NewServer(mux)
+	setupRemoteNetworkDrivers(c, mux, server.URL, dnd, did)
+
+	// trying to reuse the same ip must succeed
+	_, err = s.d.Cmd("run", "-itd", "--net", "net1", "--name", "bar", "--ip", "1.1.1.10", "busybox", "sh")
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkMacInspect(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	// Verify endpoint MAC address is correctly populated in container's network settings
+	nwn := "ov"
+	ctn := "bb"
+
+	dockerCmd(c, "network", "create", "-d", dummyNetworkDriver, nwn)
+	assertNwIsAvailable(c, nwn)
+
+	dockerCmd(c, "run", "-d", "--net", nwn, "--name", ctn, "busybox", "top")
+
+	mac := inspectField(c, ctn, "NetworkSettings.Networks."+nwn+".MacAddress")
+	c.Assert(mac, checker.Equals, "a0:b1:c2:d3:e4:f5")
+}
+
+func (s *DockerSuite) TestInspectAPIMultipleNetworks(c *check.C) {
+	dockerCmd(c, "network", "create", "mybridge1")
+	dockerCmd(c, "network", "create", "mybridge2")
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), check.IsNil)
+
+	dockerCmd(c, "network", "connect", "mybridge1", id)
+	dockerCmd(c, "network", "connect", "mybridge2", id)
+
+	body := getInspectBody(c, "v1.20", id)
+	var inspect120 v1p20.ContainerJSON
+	err := json.Unmarshal(body, &inspect120)
+	c.Assert(err, checker.IsNil)
+
+	versionedIP := inspect120.NetworkSettings.IPAddress
+
+	body = getInspectBody(c, "v1.21", id)
+	var inspect121 types.ContainerJSON
+	err = json.Unmarshal(body, &inspect121)
+	c.Assert(err, checker.IsNil)
+	c.Assert(inspect121.NetworkSettings.Networks, checker.HasLen, 3)
+
+	bridge := inspect121.NetworkSettings.Networks["bridge"]
+	c.Assert(bridge.IPAddress, checker.Equals, versionedIP)
+	c.Assert(bridge.IPAddress, checker.Equals, inspect121.NetworkSettings.IPAddress)
+}
+
+func connectContainerToNetworks(c *check.C, d *daemon.Daemon, cName string, nws []string) {
+	// Run a container on the default network
+	out, err := d.Cmd("run", "-d", "--name", cName, "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// Attach the container to other networks
+	for _, nw := range nws {
+		out, err = d.Cmd("network", "create", nw)
+		c.Assert(err, checker.IsNil, check.Commentf(out))
+		out, err = d.Cmd("network", "connect", nw, cName)
+		c.Assert(err, checker.IsNil, check.Commentf(out))
+	}
+}
+
+func verifyContainerIsConnectedToNetworks(c *check.C, d *daemon.Daemon, cName string, nws []string) {
+	// Verify container is connected to all the networks
+	for _, nw := range nws {
+		out, err := d.Cmd("inspect", "-f", fmt.Sprintf("{{.NetworkSettings.Networks.%s}}", nw), cName)
+		c.Assert(err, checker.IsNil, check.Commentf(out))
+		c.Assert(out, checker.Not(checker.Equals), "<no value>\n")
+	}
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkMultipleNetworksGracefulDaemonRestart(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	cName := "bb"
+	nwList := []string{"nw1", "nw2", "nw3"}
+
+	s.d.StartWithBusybox(c)
+
+	connectContainerToNetworks(c, s.d, cName, nwList)
+	verifyContainerIsConnectedToNetworks(c, s.d, cName, nwList)
+
+	// Reload daemon
+	s.d.Restart(c)
+
+	_, err := s.d.Cmd("start", cName)
+	c.Assert(err, checker.IsNil)
+
+	verifyContainerIsConnectedToNetworks(c, s.d, cName, nwList)
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkMultipleNetworksUngracefulDaemonRestart(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	cName := "cc"
+	nwList := []string{"nw1", "nw2", "nw3"}
+
+	s.d.StartWithBusybox(c)
+
+	connectContainerToNetworks(c, s.d, cName, nwList)
+	verifyContainerIsConnectedToNetworks(c, s.d, cName, nwList)
+
+	// Kill daemon and restart
+	c.Assert(s.d.Kill(), checker.IsNil)
+	s.d.Restart(c)
+
+	// Restart container
+	_, err := s.d.Cmd("start", cName)
+	c.Assert(err, checker.IsNil)
+
+	verifyContainerIsConnectedToNetworks(c, s.d, cName, nwList)
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkRunNetByID(c *check.C) {
+	out, _ := dockerCmd(c, "network", "create", "one")
+	containerOut, _, err := dockerCmdWithError("run", "-d", "--net", strings.TrimSpace(out), "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(containerOut))
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkHostModeUngracefulDaemonRestart(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, SameHostDaemon)
+	s.d.StartWithBusybox(c)
+
+	// Run a few containers on host network
+	for i := 0; i < 10; i++ {
+		cName := fmt.Sprintf("hostc-%d", i)
+		out, err := s.d.Cmd("run", "-d", "--name", cName, "--net=host", "--restart=always", "busybox", "top")
+		c.Assert(err, checker.IsNil, check.Commentf(out))
+
+		// verify container has finished starting before killing daemon
+		err = s.d.WaitRun(cName)
+		c.Assert(err, checker.IsNil)
+	}
+
+	// Kill daemon ungracefully and restart
+	c.Assert(s.d.Kill(), checker.IsNil)
+	s.d.Restart(c)
+
+	// make sure all the containers are up and running
+	for i := 0; i < 10; i++ {
+		err := s.d.WaitRun(fmt.Sprintf("hostc-%d", i))
+		c.Assert(err, checker.IsNil)
+	}
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkConnectToHostFromOtherNetwork(c *check.C) {
+	dockerCmd(c, "run", "-d", "--name", "container1", "busybox", "top")
+	c.Assert(waitRun("container1"), check.IsNil)
+	dockerCmd(c, "network", "disconnect", "bridge", "container1")
+	out, _, err := dockerCmdWithError("network", "connect", "host", "container1")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, runconfig.ErrConflictHostNetwork.Error())
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkDisconnectFromHost(c *check.C) {
+	dockerCmd(c, "run", "-d", "--name", "container1", "--net=host", "busybox", "top")
+	c.Assert(waitRun("container1"), check.IsNil)
+	out, _, err := dockerCmdWithError("network", "disconnect", "host", "container1")
+	c.Assert(err, checker.NotNil, check.Commentf("Should err out disconnect from host"))
+	c.Assert(out, checker.Contains, runconfig.ErrConflictHostNetwork.Error())
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkConnectWithPortMapping(c *check.C) {
+	testRequires(c, NotArm)
+	dockerCmd(c, "network", "create", "test1")
+	dockerCmd(c, "run", "-d", "--name", "c1", "-p", "5000:5000", "busybox", "top")
+	c.Assert(waitRun("c1"), check.IsNil)
+	dockerCmd(c, "network", "connect", "test1", "c1")
+}
+
+func verifyPortMap(c *check.C, container, port, originalMapping string, mustBeEqual bool) {
+	chk := checker.Equals
+	if !mustBeEqual {
+		chk = checker.Not(checker.Equals)
+	}
+	currentMapping, _ := dockerCmd(c, "port", container, port)
+	c.Assert(currentMapping, chk, originalMapping)
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkConnectDisconnectWithPortMapping(c *check.C) {
+	// Connect and disconnect a container with explicit and non-explicit
+	// host port mapping to/from networks which do cause and do not cause
+	// the container default gateway to change, and verify docker port cmd
+	// returns congruent information
+	testRequires(c, NotArm)
+	cnt := "c1"
+	dockerCmd(c, "network", "create", "aaa")
+	dockerCmd(c, "network", "create", "ccc")
+
+	dockerCmd(c, "run", "-d", "--name", cnt, "-p", "9000:90", "-p", "70", "busybox", "top")
+	c.Assert(waitRun(cnt), check.IsNil)
+	curPortMap, _ := dockerCmd(c, "port", cnt, "70")
+	curExplPortMap, _ := dockerCmd(c, "port", cnt, "90")
+
+	// Connect to a network which causes the container's default gw switch
+	dockerCmd(c, "network", "connect", "aaa", cnt)
+	verifyPortMap(c, cnt, "70", curPortMap, false)
+	verifyPortMap(c, cnt, "90", curExplPortMap, true)
+
+	// Read current mapping
+	curPortMap, _ = dockerCmd(c, "port", cnt, "70")
+
+	// Disconnect from a network which causes the container's default gw switch
+	dockerCmd(c, "network", "disconnect", "aaa", cnt)
+	verifyPortMap(c, cnt, "70", curPortMap, false)
+	verifyPortMap(c, cnt, "90", curExplPortMap, true)
+
+	// Read current mapping
+	curPortMap, _ = dockerCmd(c, "port", cnt, "70")
+
+	// Connect to a network which does not cause the container's default gw switch
+	dockerCmd(c, "network", "connect", "ccc", cnt)
+	verifyPortMap(c, cnt, "70", curPortMap, true)
+	verifyPortMap(c, cnt, "90", curExplPortMap, true)
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkConnectWithMac(c *check.C) {
+	macAddress := "02:42:ac:11:00:02"
+	dockerCmd(c, "network", "create", "mynetwork")
+	dockerCmd(c, "run", "--name=test", "-d", "--mac-address", macAddress, "busybox", "top")
+	c.Assert(waitRun("test"), check.IsNil)
+	mac1 := inspectField(c, "test", "NetworkSettings.Networks.bridge.MacAddress")
+	c.Assert(strings.TrimSpace(mac1), checker.Equals, macAddress)
+	dockerCmd(c, "network", "connect", "mynetwork", "test")
+	mac2 := inspectField(c, "test", "NetworkSettings.Networks.mynetwork.MacAddress")
+	c.Assert(strings.TrimSpace(mac2), checker.Not(checker.Equals), strings.TrimSpace(mac1))
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkInspectCreatedContainer(c *check.C) {
+	dockerCmd(c, "create", "--name", "test", "busybox")
+	networks := inspectField(c, "test", "NetworkSettings.Networks")
+	c.Assert(networks, checker.Contains, "bridge", check.Commentf("Should return 'bridge' network"))
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkRestartWithMultipleNetworks(c *check.C) {
+	dockerCmd(c, "network", "create", "test")
+	dockerCmd(c, "run", "--name=foo", "-d", "busybox", "top")
+	c.Assert(waitRun("foo"), checker.IsNil)
+	dockerCmd(c, "network", "connect", "test", "foo")
+	dockerCmd(c, "restart", "foo")
+	networks := inspectField(c, "foo", "NetworkSettings.Networks")
+	c.Assert(networks, checker.Contains, "bridge", check.Commentf("Should contain 'bridge' network"))
+	c.Assert(networks, checker.Contains, "test", check.Commentf("Should contain 'test' network"))
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkConnectDisconnectToStoppedContainer(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	dockerCmd(c, "network", "create", "test")
+	dockerCmd(c, "create", "--name=foo", "busybox", "top")
+	dockerCmd(c, "network", "connect", "test", "foo")
+	networks := inspectField(c, "foo", "NetworkSettings.Networks")
+	c.Assert(networks, checker.Contains, "test", check.Commentf("Should contain 'test' network"))
+
+	// Restart docker daemon to test the config has persisted to disk
+	s.d.Restart(c)
+	networks = inspectField(c, "foo", "NetworkSettings.Networks")
+	c.Assert(networks, checker.Contains, "test", check.Commentf("Should contain 'test' network"))
+
+	// start the container and test if we can ping it from another container in the same network
+	dockerCmd(c, "start", "foo")
+	c.Assert(waitRun("foo"), checker.IsNil)
+	ip := inspectField(c, "foo", "NetworkSettings.Networks.test.IPAddress")
+	ip = strings.TrimSpace(ip)
+	dockerCmd(c, "run", "--net=test", "busybox", "sh", "-c", fmt.Sprintf("ping -c 1 %s", ip))
+
+	dockerCmd(c, "stop", "foo")
+
+	// Test disconnect
+	dockerCmd(c, "network", "disconnect", "test", "foo")
+	networks = inspectField(c, "foo", "NetworkSettings.Networks")
+	c.Assert(networks, checker.Not(checker.Contains), "test", check.Commentf("Should not contain 'test' network"))
+
+	// Restart docker daemon to test the config has persisted to disk
+	s.d.Restart(c)
+	networks = inspectField(c, "foo", "NetworkSettings.Networks")
+	c.Assert(networks, checker.Not(checker.Contains), "test", check.Commentf("Should not contain 'test' network"))
+
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkDisconnectContainerNonexistingNetwork(c *check.C) {
+	dockerCmd(c, "network", "create", "test")
+	dockerCmd(c, "run", "--net=test", "-d", "--name=foo", "busybox", "top")
+	networks := inspectField(c, "foo", "NetworkSettings.Networks")
+	c.Assert(networks, checker.Contains, "test", check.Commentf("Should contain 'test' network"))
+
+	// Stop container and remove network
+	dockerCmd(c, "stop", "foo")
+	dockerCmd(c, "network", "rm", "test")
+
+	// Test disconnecting stopped container from nonexisting network
+	dockerCmd(c, "network", "disconnect", "-f", "test", "foo")
+	networks = inspectField(c, "foo", "NetworkSettings.Networks")
+	c.Assert(networks, checker.Not(checker.Contains), "test", check.Commentf("Should not contain 'test' network"))
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkConnectPreferredIP(c *check.C) {
+	// create two networks
+	dockerCmd(c, "network", "create", "--ipv6", "--subnet=172.28.0.0/16", "--subnet=2001:db8:1234::/64", "n0")
+	assertNwIsAvailable(c, "n0")
+
+	dockerCmd(c, "network", "create", "--ipv6", "--subnet=172.30.0.0/16", "--ip-range=172.30.5.0/24", "--subnet=2001:db8:abcd::/64", "--ip-range=2001:db8:abcd::/80", "n1")
+	assertNwIsAvailable(c, "n1")
+
+	// run a container on first network specifying the ip addresses
+	dockerCmd(c, "run", "-d", "--name", "c0", "--net=n0", "--ip", "172.28.99.88", "--ip6", "2001:db8:1234::9988", "busybox", "top")
+	c.Assert(waitRun("c0"), check.IsNil)
+	verifyIPAddressConfig(c, "c0", "n0", "172.28.99.88", "2001:db8:1234::9988")
+	verifyIPAddresses(c, "c0", "n0", "172.28.99.88", "2001:db8:1234::9988")
+
+	// connect the container to the second network specifying an ip addresses
+	dockerCmd(c, "network", "connect", "--ip", "172.30.55.44", "--ip6", "2001:db8:abcd::5544", "n1", "c0")
+	verifyIPAddressConfig(c, "c0", "n1", "172.30.55.44", "2001:db8:abcd::5544")
+	verifyIPAddresses(c, "c0", "n1", "172.30.55.44", "2001:db8:abcd::5544")
+
+	// Stop and restart the container
+	dockerCmd(c, "stop", "c0")
+	dockerCmd(c, "start", "c0")
+
+	// verify requested addresses are applied and configs are still there
+	verifyIPAddressConfig(c, "c0", "n0", "172.28.99.88", "2001:db8:1234::9988")
+	verifyIPAddresses(c, "c0", "n0", "172.28.99.88", "2001:db8:1234::9988")
+	verifyIPAddressConfig(c, "c0", "n1", "172.30.55.44", "2001:db8:abcd::5544")
+	verifyIPAddresses(c, "c0", "n1", "172.30.55.44", "2001:db8:abcd::5544")
+
+	// Still it should fail to connect to the default network with a specified IP (whatever ip)
+	out, _, err := dockerCmdWithError("network", "connect", "--ip", "172.21.55.44", "bridge", "c0")
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	c.Assert(out, checker.Contains, runconfig.ErrUnsupportedNetworkAndIP.Error())
+
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkConnectPreferredIPStoppedContainer(c *check.C) {
+	// create a container
+	dockerCmd(c, "create", "--name", "c0", "busybox", "top")
+
+	// create a network
+	dockerCmd(c, "network", "create", "--ipv6", "--subnet=172.30.0.0/16", "--subnet=2001:db8:abcd::/64", "n0")
+	assertNwIsAvailable(c, "n0")
+
+	// connect the container to the network specifying an ip addresses
+	dockerCmd(c, "network", "connect", "--ip", "172.30.55.44", "--ip6", "2001:db8:abcd::5544", "n0", "c0")
+	verifyIPAddressConfig(c, "c0", "n0", "172.30.55.44", "2001:db8:abcd::5544")
+
+	// start the container, verify config has not changed and ip addresses are assigned
+	dockerCmd(c, "start", "c0")
+	c.Assert(waitRun("c0"), check.IsNil)
+	verifyIPAddressConfig(c, "c0", "n0", "172.30.55.44", "2001:db8:abcd::5544")
+	verifyIPAddresses(c, "c0", "n0", "172.30.55.44", "2001:db8:abcd::5544")
+
+	// stop the container and check ip config has not changed
+	dockerCmd(c, "stop", "c0")
+	verifyIPAddressConfig(c, "c0", "n0", "172.30.55.44", "2001:db8:abcd::5544")
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkUnsupportedRequiredIP(c *check.C) {
+	// requested IP is not supported on predefined networks
+	for _, mode := range []string{"none", "host", "bridge", "default"} {
+		checkUnsupportedNetworkAndIP(c, mode)
+	}
+
+	// requested IP is not supported on networks with no user defined subnets
+	dockerCmd(c, "network", "create", "n0")
+	assertNwIsAvailable(c, "n0")
+
+	out, _, err := dockerCmdWithError("run", "-d", "--ip", "172.28.99.88", "--net", "n0", "busybox", "top")
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	c.Assert(out, checker.Contains, runconfig.ErrUnsupportedNetworkNoSubnetAndIP.Error())
+
+	out, _, err = dockerCmdWithError("run", "-d", "--ip6", "2001:db8:1234::9988", "--net", "n0", "busybox", "top")
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	c.Assert(out, checker.Contains, runconfig.ErrUnsupportedNetworkNoSubnetAndIP.Error())
+
+	dockerCmd(c, "network", "rm", "n0")
+	assertNwNotAvailable(c, "n0")
+}
+
+func checkUnsupportedNetworkAndIP(c *check.C, nwMode string) {
+	out, _, err := dockerCmdWithError("run", "-d", "--net", nwMode, "--ip", "172.28.99.88", "--ip6", "2001:db8:1234::9988", "busybox", "top")
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	c.Assert(out, checker.Contains, runconfig.ErrUnsupportedNetworkAndIP.Error())
+}
+
+func verifyIPAddressConfig(c *check.C, cName, nwname, ipv4, ipv6 string) {
+	if ipv4 != "" {
+		out := inspectField(c, cName, fmt.Sprintf("NetworkSettings.Networks.%s.IPAMConfig.IPv4Address", nwname))
+		c.Assert(strings.TrimSpace(out), check.Equals, ipv4)
+	}
+
+	if ipv6 != "" {
+		out := inspectField(c, cName, fmt.Sprintf("NetworkSettings.Networks.%s.IPAMConfig.IPv6Address", nwname))
+		c.Assert(strings.TrimSpace(out), check.Equals, ipv6)
+	}
+}
+
+func verifyIPAddresses(c *check.C, cName, nwname, ipv4, ipv6 string) {
+	out := inspectField(c, cName, fmt.Sprintf("NetworkSettings.Networks.%s.IPAddress", nwname))
+	c.Assert(strings.TrimSpace(out), check.Equals, ipv4)
+
+	out = inspectField(c, cName, fmt.Sprintf("NetworkSettings.Networks.%s.GlobalIPv6Address", nwname))
+	c.Assert(strings.TrimSpace(out), check.Equals, ipv6)
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkConnectLinkLocalIP(c *check.C) {
+	// create one test network
+	dockerCmd(c, "network", "create", "--ipv6", "--subnet=2001:db8:1234::/64", "n0")
+	assertNwIsAvailable(c, "n0")
+
+	// run a container with incorrect link-local address
+	_, _, err := dockerCmdWithError("run", "--link-local-ip", "169.253.5.5", "busybox", "top")
+	c.Assert(err, check.NotNil)
+	_, _, err = dockerCmdWithError("run", "--link-local-ip", "2001:db8::89", "busybox", "top")
+	c.Assert(err, check.NotNil)
+
+	// run two containers with link-local ip on the test network
+	dockerCmd(c, "run", "-d", "--name", "c0", "--net=n0", "--link-local-ip", "169.254.7.7", "--link-local-ip", "fe80::254:77", "busybox", "top")
+	c.Assert(waitRun("c0"), check.IsNil)
+	dockerCmd(c, "run", "-d", "--name", "c1", "--net=n0", "--link-local-ip", "169.254.8.8", "--link-local-ip", "fe80::254:88", "busybox", "top")
+	c.Assert(waitRun("c1"), check.IsNil)
+
+	// run a container on the default network and connect it to the test network specifying a link-local address
+	dockerCmd(c, "run", "-d", "--name", "c2", "busybox", "top")
+	c.Assert(waitRun("c2"), check.IsNil)
+	dockerCmd(c, "network", "connect", "--link-local-ip", "169.254.9.9", "n0", "c2")
+
+	// verify the three containers can ping each other via the link-local addresses
+	_, _, err = dockerCmdWithError("exec", "c0", "ping", "-c", "1", "169.254.8.8")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "c1", "ping", "-c", "1", "169.254.9.9")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "c2", "ping", "-c", "1", "169.254.7.7")
+	c.Assert(err, check.IsNil)
+
+	// Stop and restart the three containers
+	dockerCmd(c, "stop", "c0")
+	dockerCmd(c, "stop", "c1")
+	dockerCmd(c, "stop", "c2")
+	dockerCmd(c, "start", "c0")
+	dockerCmd(c, "start", "c1")
+	dockerCmd(c, "start", "c2")
+
+	// verify the ping again
+	_, _, err = dockerCmdWithError("exec", "c0", "ping", "-c", "1", "169.254.8.8")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "c1", "ping", "-c", "1", "169.254.9.9")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "c2", "ping", "-c", "1", "169.254.7.7")
+	c.Assert(err, check.IsNil)
+}
+
+func (s *DockerSuite) TestUserDefinedNetworkConnectDisconnectLink(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	dockerCmd(c, "network", "create", "-d", "bridge", "foo1")
+	dockerCmd(c, "network", "create", "-d", "bridge", "foo2")
+
+	dockerCmd(c, "run", "-d", "--net=foo1", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+
+	// run a container in a user-defined network with a link for an existing container
+	// and a link for a container that doesn't exist
+	dockerCmd(c, "run", "-d", "--net=foo1", "--name=second", "--link=first:FirstInFoo1",
+		"--link=third:bar", "busybox", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+
+	// ping to first and its alias FirstInFoo1 must succeed
+	_, _, err := dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "FirstInFoo1")
+	c.Assert(err, check.IsNil)
+
+	// connect first container to foo2 network
+	dockerCmd(c, "network", "connect", "foo2", "first")
+	// connect second container to foo2 network with a different alias for first container
+	dockerCmd(c, "network", "connect", "--link=first:FirstInFoo2", "foo2", "second")
+
+	// ping the new alias in network foo2
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "FirstInFoo2")
+	c.Assert(err, check.IsNil)
+
+	// disconnect first container from foo1 network
+	dockerCmd(c, "network", "disconnect", "foo1", "first")
+
+	// link in foo1 network must fail
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "FirstInFoo1")
+	c.Assert(err, check.NotNil)
+
+	// link in foo2 network must succeed
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "FirstInFoo2")
+	c.Assert(err, check.IsNil)
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkDisconnectDefault(c *check.C) {
+	netWorkName1 := "test1"
+	netWorkName2 := "test2"
+	containerName := "foo"
+
+	dockerCmd(c, "network", "create", netWorkName1)
+	dockerCmd(c, "network", "create", netWorkName2)
+	dockerCmd(c, "create", "--name", containerName, "busybox", "top")
+	dockerCmd(c, "network", "connect", netWorkName1, containerName)
+	dockerCmd(c, "network", "connect", netWorkName2, containerName)
+	dockerCmd(c, "network", "disconnect", "bridge", containerName)
+
+	dockerCmd(c, "start", containerName)
+	c.Assert(waitRun(containerName), checker.IsNil)
+	networks := inspectField(c, containerName, "NetworkSettings.Networks")
+	c.Assert(networks, checker.Contains, netWorkName1, check.Commentf(fmt.Sprintf("Should contain '%s' network", netWorkName1)))
+	c.Assert(networks, checker.Contains, netWorkName2, check.Commentf(fmt.Sprintf("Should contain '%s' network", netWorkName2)))
+	c.Assert(networks, checker.Not(checker.Contains), "bridge", check.Commentf("Should not contain 'bridge' network"))
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkConnectWithAliasOnDefaultNetworks(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+
+	defaults := []string{"bridge", "host", "none"}
+	out, _ := dockerCmd(c, "run", "-d", "--net=none", "busybox", "top")
+	containerID := strings.TrimSpace(out)
+	for _, net := range defaults {
+		res, _, err := dockerCmdWithError("network", "connect", "--alias", "alias"+net, net, containerID)
+		c.Assert(err, checker.NotNil)
+		c.Assert(res, checker.Contains, runconfig.ErrUnsupportedNetworkAndAlias.Error())
+	}
+}
+
+func (s *DockerSuite) TestUserDefinedNetworkConnectDisconnectAlias(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	dockerCmd(c, "network", "create", "-d", "bridge", "net1")
+	dockerCmd(c, "network", "create", "-d", "bridge", "net2")
+
+	cid, _ := dockerCmd(c, "run", "-d", "--net=net1", "--name=first", "--net-alias=foo", "busybox:glibc", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+
+	dockerCmd(c, "run", "-d", "--net=net1", "--name=second", "busybox:glibc", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+
+	// ping first container and its alias
+	_, _, err := dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo")
+	c.Assert(err, check.IsNil)
+
+	// ping first container's short-id alias
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", stringid.TruncateID(cid))
+	c.Assert(err, check.IsNil)
+
+	// connect first container to net2 network
+	dockerCmd(c, "network", "connect", "--alias=bar", "net2", "first")
+	// connect second container to foo2 network with a different alias for first container
+	dockerCmd(c, "network", "connect", "net2", "second")
+
+	// ping the new alias in network foo2
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "bar")
+	c.Assert(err, check.IsNil)
+
+	// disconnect first container from net1 network
+	dockerCmd(c, "network", "disconnect", "net1", "first")
+
+	// ping to net1 scoped alias "foo" must fail
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo")
+	c.Assert(err, check.NotNil)
+
+	// ping to net2 scoped alias "bar" must still succeed
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "bar")
+	c.Assert(err, check.IsNil)
+	// ping to net2 scoped alias short-id must still succeed
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", stringid.TruncateID(cid))
+	c.Assert(err, check.IsNil)
+
+	// verify the alias option is rejected when running on predefined network
+	out, _, err := dockerCmdWithError("run", "--rm", "--name=any", "--net-alias=any", "busybox:glibc", "top")
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	c.Assert(out, checker.Contains, runconfig.ErrUnsupportedNetworkAndAlias.Error())
+
+	// verify the alias option is rejected when connecting to predefined network
+	out, _, err = dockerCmdWithError("network", "connect", "--alias=any", "bridge", "first")
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	c.Assert(out, checker.Contains, runconfig.ErrUnsupportedNetworkAndAlias.Error())
+}
+
+func (s *DockerSuite) TestUserDefinedNetworkConnectivity(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	dockerCmd(c, "network", "create", "-d", "bridge", "br.net1")
+
+	dockerCmd(c, "run", "-d", "--net=br.net1", "--name=c1.net1", "busybox:glibc", "top")
+	c.Assert(waitRun("c1.net1"), check.IsNil)
+
+	dockerCmd(c, "run", "-d", "--net=br.net1", "--name=c2.net1", "busybox:glibc", "top")
+	c.Assert(waitRun("c2.net1"), check.IsNil)
+
+	// ping first container by its unqualified name
+	_, _, err := dockerCmdWithError("exec", "c2.net1", "ping", "-c", "1", "c1.net1")
+	c.Assert(err, check.IsNil)
+
+	// ping first container by its qualified name
+	_, _, err = dockerCmdWithError("exec", "c2.net1", "ping", "-c", "1", "c1.net1.br.net1")
+	c.Assert(err, check.IsNil)
+
+	// ping with first qualified name masked by an additional domain. should fail
+	_, _, err = dockerCmdWithError("exec", "c2.net1", "ping", "-c", "1", "c1.net1.br.net1.google.com")
+	c.Assert(err, check.NotNil)
+}
+
+func (s *DockerSuite) TestEmbeddedDNSInvalidInput(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	dockerCmd(c, "network", "create", "-d", "bridge", "nw1")
+
+	// Sending garbage to embedded DNS shouldn't crash the daemon
+	dockerCmd(c, "run", "-i", "--net=nw1", "--name=c1", "debian:jessie", "bash", "-c", "echo InvalidQuery > /dev/udp/127.0.0.11/53")
+}
+
+func (s *DockerSuite) TestDockerNetworkConnectFailsNoInspectChange(c *check.C) {
+	dockerCmd(c, "run", "-d", "--name=bb", "busybox", "top")
+	c.Assert(waitRun("bb"), check.IsNil)
+	defer dockerCmd(c, "stop", "bb")
+
+	ns0 := inspectField(c, "bb", "NetworkSettings.Networks.bridge")
+
+	// A failing redundant network connect should not alter current container's endpoint settings
+	_, _, err := dockerCmdWithError("network", "connect", "bridge", "bb")
+	c.Assert(err, check.NotNil)
+
+	ns1 := inspectField(c, "bb", "NetworkSettings.Networks.bridge")
+	c.Assert(ns1, check.Equals, ns0)
+}
+
+func (s *DockerSuite) TestDockerNetworkInternalMode(c *check.C) {
+	dockerCmd(c, "network", "create", "--driver=bridge", "--internal", "internal")
+	assertNwIsAvailable(c, "internal")
+	nr := getNetworkResource(c, "internal")
+	c.Assert(nr.Internal, checker.True)
+
+	dockerCmd(c, "run", "-d", "--net=internal", "--name=first", "busybox:glibc", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+	dockerCmd(c, "run", "-d", "--net=internal", "--name=second", "busybox:glibc", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+	out, _, err := dockerCmdWithError("exec", "first", "ping", "-W", "4", "-c", "1", "8.8.8.8")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, "100% packet loss")
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+}
+
+// Test for #21401
+func (s *DockerNetworkSuite) TestDockerNetworkCreateDeleteSpecialCharacters(c *check.C) {
+	dockerCmd(c, "network", "create", "test@#$")
+	assertNwIsAvailable(c, "test@#$")
+	dockerCmd(c, "network", "rm", "test@#$")
+	assertNwNotAvailable(c, "test@#$")
+
+	dockerCmd(c, "network", "create", "kiwl$%^")
+	assertNwIsAvailable(c, "kiwl$%^")
+	dockerCmd(c, "network", "rm", "kiwl$%^")
+	assertNwNotAvailable(c, "kiwl$%^")
+}
+
+func (s *DockerDaemonSuite) TestDaemonRestartRestoreBridgeNetwork(t *check.C) {
+	testRequires(t, DaemonIsLinux)
+	s.d.StartWithBusybox(t, "--live-restore")
+	defer s.d.Stop(t)
+	oldCon := "old"
+
+	_, err := s.d.Cmd("run", "-d", "--name", oldCon, "-p", "80:80", "busybox", "top")
+	if err != nil {
+		t.Fatal(err)
+	}
+	oldContainerIP, err := s.d.Cmd("inspect", "-f", "{{ .NetworkSettings.Networks.bridge.IPAddress }}", oldCon)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Kill the daemon
+	if err := s.d.Kill(); err != nil {
+		t.Fatal(err)
+	}
+
+	// restart the daemon
+	s.d.Start(t, "--live-restore")
+
+	// start a new container, the new container's ip should not be the same with
+	// old running container.
+	newCon := "new"
+	_, err = s.d.Cmd("run", "-d", "--name", newCon, "busybox", "top")
+	if err != nil {
+		t.Fatal(err)
+	}
+	newContainerIP, err := s.d.Cmd("inspect", "-f", "{{ .NetworkSettings.Networks.bridge.IPAddress }}", newCon)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if strings.Compare(strings.TrimSpace(oldContainerIP), strings.TrimSpace(newContainerIP)) == 0 {
+		t.Fatalf("new container ip should not equal to old running container  ip")
+	}
+
+	// start a new container, the new container should ping old running container
+	_, err = s.d.Cmd("run", "-t", "busybox", "ping", "-c", "1", oldContainerIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// start a new container, trying to publish port 80:80 should fail
+	out, err := s.d.Cmd("run", "-p", "80:80", "-d", "busybox", "top")
+	if err == nil || !strings.Contains(out, "Bind for 0.0.0.0:80 failed: port is already allocated") {
+		t.Fatalf("80 port is allocated to old running container, it should failed on allocating to new container")
+	}
+
+	// kill old running container and try to allocate again
+	_, err = s.d.Cmd("kill", oldCon)
+	if err != nil {
+		t.Fatal(err)
+	}
+	id, err := s.d.Cmd("run", "-p", "80:80", "-d", "busybox", "top")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Cleanup because these containers will not be shut down by daemon
+	out, err = s.d.Cmd("stop", newCon)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, string(out))
+	}
+	_, err = s.d.Cmd("stop", strings.TrimSpace(id))
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkFlagAlias(c *check.C) {
+	dockerCmd(c, "network", "create", "user")
+	output, status := dockerCmd(c, "run", "--rm", "--network=user", "--network-alias=foo", "busybox", "true")
+	c.Assert(status, checker.Equals, 0, check.Commentf("unexpected status code %d (%s)", status, output))
+
+	output, status, _ = dockerCmdWithError("run", "--rm", "--net=user", "--network=user", "busybox", "true")
+	c.Assert(status, checker.Equals, 0, check.Commentf("unexpected status code %d (%s)", status, output))
+
+	output, status, _ = dockerCmdWithError("run", "--rm", "--network=user", "--net-alias=foo", "--network-alias=bar", "busybox", "true")
+	c.Assert(status, checker.Equals, 0, check.Commentf("unexpected status code %d (%s)", status, output))
+}
+
+func (s *DockerNetworkSuite) TestDockerNetworkValidateIP(c *check.C) {
+	_, _, err := dockerCmdWithError("network", "create", "--ipv6", "--subnet=172.28.0.0/16", "--subnet=2001:db8:1234::/64", "mynet")
+	c.Assert(err, check.IsNil)
+	assertNwIsAvailable(c, "mynet")
+
+	_, _, err = dockerCmdWithError("run", "-d", "--name", "mynet0", "--net=mynet", "--ip", "172.28.99.88", "--ip6", "2001:db8:1234::9988", "busybox", "top")
+	c.Assert(err, check.IsNil)
+	c.Assert(waitRun("mynet0"), check.IsNil)
+	verifyIPAddressConfig(c, "mynet0", "mynet", "172.28.99.88", "2001:db8:1234::9988")
+	verifyIPAddresses(c, "mynet0", "mynet", "172.28.99.88", "2001:db8:1234::9988")
+
+	_, _, err = dockerCmdWithError("run", "--net=mynet", "--ip", "mynet_ip", "--ip6", "2001:db8:1234::9999", "busybox", "top")
+	c.Assert(err.Error(), checker.Contains, "invalid IPv4 address")
+	_, _, err = dockerCmdWithError("run", "--net=mynet", "--ip", "172.28.99.99", "--ip6", "mynet_ip6", "busybox", "top")
+	c.Assert(err.Error(), checker.Contains, "invalid IPv6 address")
+	// This is a case of IPv4 address to `--ip6`
+	_, _, err = dockerCmdWithError("run", "--net=mynet", "--ip6", "172.28.99.99", "busybox", "top")
+	c.Assert(err.Error(), checker.Contains, "invalid IPv6 address")
+	// This is a special case of an IPv4-mapped IPv6 address
+	_, _, err = dockerCmdWithError("run", "--net=mynet", "--ip6", "::ffff:172.28.99.99", "busybox", "top")
+	c.Assert(err.Error(), checker.Contains, "invalid IPv6 address")
+}
+
+// Test case for 26220
+func (s *DockerNetworkSuite) TestDockerNetworkDisconnectFromBridge(c *check.C) {
+	out, _ := dockerCmd(c, "network", "inspect", "--format", "{{.Id}}", "bridge")
+
+	network := strings.TrimSpace(out)
+
+	name := "test"
+	dockerCmd(c, "create", "--name", name, "busybox", "top")
+
+	_, _, err := dockerCmdWithError("network", "disconnect", network, name)
+	c.Assert(err, check.IsNil)
+}
+
+// TestConntrackFlowsLeak covers the failure scenario of ticket: https://github.com/docker/docker/issues/8795
+// Validates that conntrack is correctly cleaned once a container is destroyed
+func (s *DockerNetworkSuite) TestConntrackFlowsLeak(c *check.C) {
+	testRequires(c, IsAmd64, DaemonIsLinux, Network, SameHostDaemon)
+
+	// Create a new network
+	cli.DockerCmd(c, "network", "create", "--subnet=192.168.10.0/24", "--gateway=192.168.10.1", "-o", "com.docker.network.bridge.host_binding_ipv4=192.168.10.1", "testbind")
+	assertNwIsAvailable(c, "testbind")
+
+	// Launch the server, this will remain listening on an exposed port and reply to any request in a ping/pong fashion
+	cmd := "while true; do echo hello | nc -w 1 -lu 8080; done"
+	cli.DockerCmd(c, "run", "-d", "--name", "server", "--net", "testbind", "-p", "8080:8080/udp", "appropriate/nc", "sh", "-c", cmd)
+
+	// Launch a container client, here the objective is to create a flow that is natted in order to expose the bug
+	cmd = "echo world | nc -q 1 -u 192.168.10.1 8080"
+	cli.DockerCmd(c, "run", "-d", "--name", "client", "--net=host", "appropriate/nc", "sh", "-c", cmd)
+
+	// Get all the flows using netlink
+	flows, err := netlink.ConntrackTableList(netlink.ConntrackTable, unix.AF_INET)
+	c.Assert(err, check.IsNil)
+	var flowMatch int
+	for _, flow := range flows {
+		// count only the flows that we are interested in, skipping others that can be laying around the host
+		if flow.Forward.Protocol == unix.IPPROTO_UDP &&
+			flow.Forward.DstIP.Equal(net.ParseIP("192.168.10.1")) &&
+			flow.Forward.DstPort == 8080 {
+			flowMatch++
+		}
+	}
+	// The client should have created only 1 flow
+	c.Assert(flowMatch, checker.Equals, 1)
+
+	// Now delete the server, this will trigger the conntrack cleanup
+	cli.DockerCmd(c, "rm", "-fv", "server")
+
+	// Fetch again all the flows and validate that there is no server flow in the conntrack laying around
+	flows, err = netlink.ConntrackTableList(netlink.ConntrackTable, unix.AF_INET)
+	c.Assert(err, check.IsNil)
+	flowMatch = 0
+	for _, flow := range flows {
+		if flow.Forward.Protocol == unix.IPPROTO_UDP &&
+			flow.Forward.DstIP.Equal(net.ParseIP("192.168.10.1")) &&
+			flow.Forward.DstPort == 8080 {
+			flowMatch++
+		}
+	}
+	// All the flows have to be gone
+	c.Assert(flowMatch, checker.Equals, 0)
+}
diff --git a/engine/integration-cli/docker_cli_plugins_logdriver_test.go b/engine/integration-cli/docker_cli_plugins_logdriver_test.go
new file mode 100644
index 00000000..7d1ffcb6
--- /dev/null
+++ b/engine/integration-cli/docker_cli_plugins_logdriver_test.go
@@ -0,0 +1,48 @@
+package main
+
+import (
+	"context"
+	"strings"
+
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestPluginLogDriver(c *check.C) {
+	testRequires(c, IsAmd64, DaemonIsLinux)
+
+	pluginName := "cpuguy83/docker-logdriver-test:latest"
+
+	dockerCmd(c, "plugin", "install", pluginName)
+	dockerCmd(c, "run", "--log-driver", pluginName, "--name=test", "busybox", "echo", "hello")
+	out, _ := dockerCmd(c, "logs", "test")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello")
+
+	dockerCmd(c, "start", "-a", "test")
+	out, _ = dockerCmd(c, "logs", "test")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello\nhello")
+
+	dockerCmd(c, "rm", "test")
+	dockerCmd(c, "plugin", "disable", pluginName)
+	dockerCmd(c, "plugin", "rm", pluginName)
+}
+
+// Make sure log drivers are listed in info, and v2 plugins are not.
+func (s *DockerSuite) TestPluginLogDriverInfoList(c *check.C) {
+	testRequires(c, IsAmd64, DaemonIsLinux)
+	pluginName := "cpuguy83/docker-logdriver-test"
+
+	dockerCmd(c, "plugin", "install", pluginName)
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	info, err := cli.Info(context.Background())
+	c.Assert(err, checker.IsNil)
+
+	drivers := strings.Join(info.Plugins.Log, " ")
+	c.Assert(drivers, checker.Contains, "json-file")
+	c.Assert(drivers, checker.Not(checker.Contains), pluginName)
+}
diff --git a/engine/integration-cli/docker_cli_plugins_test.go b/engine/integration-cli/docker_cli_plugins_test.go
new file mode 100644
index 00000000..391c74aa
--- /dev/null
+++ b/engine/integration-cli/docker_cli_plugins_test.go
@@ -0,0 +1,493 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/daemon"
+	"github.com/docker/docker/internal/test/fixtures/plugin"
+	"github.com/go-check/check"
+)
+
+var (
+	pluginProcessName = "sample-volume-plugin"
+	pName             = "tiborvass/sample-volume-plugin"
+	npName            = "tiborvass/test-docker-netplugin"
+	pTag              = "latest"
+	pNameWithTag      = pName + ":" + pTag
+	npNameWithTag     = npName + ":" + pTag
+)
+
+func (ps *DockerPluginSuite) TestPluginBasicOps(c *check.C) {
+	plugin := ps.getPluginRepoWithTag()
+	_, _, err := dockerCmdWithError("plugin", "install", "--grant-all-permissions", plugin)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err := dockerCmdWithError("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, plugin)
+	c.Assert(out, checker.Contains, "true")
+
+	id, _, err := dockerCmdWithError("plugin", "inspect", "-f", "{{.Id}}", plugin)
+	id = strings.TrimSpace(id)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err = dockerCmdWithError("plugin", "remove", plugin)
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "is enabled")
+
+	_, _, err = dockerCmdWithError("plugin", "disable", plugin)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err = dockerCmdWithError("plugin", "remove", plugin)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, plugin)
+
+	_, err = os.Stat(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "plugins", id))
+	if !os.IsNotExist(err) {
+		c.Fatal(err)
+	}
+}
+
+func (ps *DockerPluginSuite) TestPluginForceRemove(c *check.C) {
+	pNameWithTag := ps.getPluginRepoWithTag()
+
+	out, _, err := dockerCmdWithError("plugin", "install", "--grant-all-permissions", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err = dockerCmdWithError("plugin", "remove", pNameWithTag)
+	c.Assert(out, checker.Contains, "is enabled")
+
+	out, _, err = dockerCmdWithError("plugin", "remove", "--force", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, pNameWithTag)
+}
+
+func (s *DockerSuite) TestPluginActive(c *check.C) {
+	testRequires(c, DaemonIsLinux, IsAmd64, Network)
+
+	_, _, err := dockerCmdWithError("plugin", "install", "--grant-all-permissions", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+
+	_, _, err = dockerCmdWithError("volume", "create", "-d", pNameWithTag, "--name", "testvol1")
+	c.Assert(err, checker.IsNil)
+
+	out, _, err := dockerCmdWithError("plugin", "disable", pNameWithTag)
+	c.Assert(out, checker.Contains, "in use")
+
+	_, _, err = dockerCmdWithError("volume", "rm", "testvol1")
+	c.Assert(err, checker.IsNil)
+
+	_, _, err = dockerCmdWithError("plugin", "disable", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err = dockerCmdWithError("plugin", "remove", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, pNameWithTag)
+}
+
+func (s *DockerSuite) TestPluginActiveNetwork(c *check.C) {
+	testRequires(c, DaemonIsLinux, IsAmd64, Network)
+	out, _, err := dockerCmdWithError("plugin", "install", "--grant-all-permissions", npNameWithTag)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err = dockerCmdWithError("network", "create", "-d", npNameWithTag, "test")
+	c.Assert(err, checker.IsNil)
+
+	nID := strings.TrimSpace(out)
+
+	out, _, err = dockerCmdWithError("plugin", "remove", npNameWithTag)
+	c.Assert(out, checker.Contains, "is in use")
+
+	_, _, err = dockerCmdWithError("network", "rm", nID)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err = dockerCmdWithError("plugin", "remove", npNameWithTag)
+	c.Assert(out, checker.Contains, "is enabled")
+
+	_, _, err = dockerCmdWithError("plugin", "disable", npNameWithTag)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err = dockerCmdWithError("plugin", "remove", npNameWithTag)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, npNameWithTag)
+}
+
+func (ps *DockerPluginSuite) TestPluginInstallDisable(c *check.C) {
+	pName := ps.getPluginRepoWithTag()
+
+	out, _, err := dockerCmdWithError("plugin", "install", "--grant-all-permissions", "--disable", pName)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, pName)
+
+	out, _, err = dockerCmdWithError("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "false")
+
+	out, _, err = dockerCmdWithError("plugin", "enable", pName)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, pName)
+
+	out, _, err = dockerCmdWithError("plugin", "disable", pName)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, pName)
+
+	out, _, err = dockerCmdWithError("plugin", "remove", pName)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, pName)
+}
+
+func (s *DockerSuite) TestPluginInstallDisableVolumeLs(c *check.C) {
+	testRequires(c, DaemonIsLinux, IsAmd64, Network)
+	out, _, err := dockerCmdWithError("plugin", "install", "--grant-all-permissions", "--disable", pName)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, pName)
+
+	dockerCmd(c, "volume", "ls")
+}
+
+func (ps *DockerPluginSuite) TestPluginSet(c *check.C) {
+	client := testEnv.APIClient()
+
+	name := "test"
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+
+	initialValue := "0"
+	mntSrc := "foo"
+	devPath := "/dev/bar"
+
+	// Create a new plugin with extra settings
+	err := plugin.Create(ctx, client, name, func(cfg *plugin.Config) {
+		cfg.Env = []types.PluginEnv{{Name: "DEBUG", Value: &initialValue, Settable: []string{"value"}}}
+		cfg.Mounts = []types.PluginMount{
+			{Name: "pmount1", Settable: []string{"source"}, Type: "none", Source: &mntSrc},
+			{Name: "pmount2", Settable: []string{"source"}, Type: "none"}, // Mount without source is invalid.
+		}
+		cfg.Linux.Devices = []types.PluginDevice{
+			{Name: "pdev1", Path: &devPath, Settable: []string{"path"}},
+			{Name: "pdev2", Settable: []string{"path"}}, // Device without Path is invalid.
+		}
+	})
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create test plugin"))
+
+	env, _ := dockerCmd(c, "plugin", "inspect", "-f", "{{.Settings.Env}}", name)
+	c.Assert(strings.TrimSpace(env), checker.Equals, "[DEBUG=0]")
+
+	dockerCmd(c, "plugin", "set", name, "DEBUG=1")
+
+	env, _ = dockerCmd(c, "plugin", "inspect", "-f", "{{.Settings.Env}}", name)
+	c.Assert(strings.TrimSpace(env), checker.Equals, "[DEBUG=1]")
+
+	env, _ = dockerCmd(c, "plugin", "inspect", "-f", "{{with $mount := index .Settings.Mounts 0}}{{$mount.Source}}{{end}}", name)
+	c.Assert(strings.TrimSpace(env), checker.Contains, mntSrc)
+
+	dockerCmd(c, "plugin", "set", name, "pmount1.source=bar")
+
+	env, _ = dockerCmd(c, "plugin", "inspect", "-f", "{{with $mount := index .Settings.Mounts 0}}{{$mount.Source}}{{end}}", name)
+	c.Assert(strings.TrimSpace(env), checker.Contains, "bar")
+
+	out, _, err := dockerCmdWithError("plugin", "set", name, "pmount2.source=bar2")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "Plugin config has no mount source")
+
+	out, _, err = dockerCmdWithError("plugin", "set", name, "pdev2.path=/dev/bar2")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "Plugin config has no device path")
+
+}
+
+func (ps *DockerPluginSuite) TestPluginInstallArgs(c *check.C) {
+	pName := path.Join(ps.registryHost(), "plugin", "testplugininstallwithargs")
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+
+	plugin.CreateInRegistry(ctx, pName, nil, func(cfg *plugin.Config) {
+		cfg.Env = []types.PluginEnv{{Name: "DEBUG", Settable: []string{"value"}}}
+	})
+
+	out, _ := dockerCmd(c, "plugin", "install", "--grant-all-permissions", "--disable", pName, "DEBUG=1")
+	c.Assert(strings.TrimSpace(out), checker.Contains, pName)
+
+	env, _ := dockerCmd(c, "plugin", "inspect", "-f", "{{.Settings.Env}}", pName)
+	c.Assert(strings.TrimSpace(env), checker.Equals, "[DEBUG=1]")
+}
+
+func (ps *DockerPluginSuite) TestPluginInstallImage(c *check.C) {
+	testRequires(c, IsAmd64)
+
+	repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+	// tag the image to upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+	// push the image to the registry
+	dockerCmd(c, "push", repoName)
+
+	out, _, err := dockerCmdWithError("plugin", "install", repoName)
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, `Encountered remote "application/vnd.docker.container.image.v1+json"(image) when fetching`)
+}
+
+func (ps *DockerPluginSuite) TestPluginEnableDisableNegative(c *check.C) {
+	pName := ps.getPluginRepoWithTag()
+
+	out, _, err := dockerCmdWithError("plugin", "install", "--grant-all-permissions", pName)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, pName)
+
+	out, _, err = dockerCmdWithError("plugin", "enable", pName)
+	c.Assert(err, checker.NotNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, "already enabled")
+
+	_, _, err = dockerCmdWithError("plugin", "disable", pName)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err = dockerCmdWithError("plugin", "disable", pName)
+	c.Assert(err, checker.NotNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, "already disabled")
+
+	_, _, err = dockerCmdWithError("plugin", "remove", pName)
+	c.Assert(err, checker.IsNil)
+}
+
+func (ps *DockerPluginSuite) TestPluginCreate(c *check.C) {
+	name := "foo/bar-driver"
+	temp, err := ioutil.TempDir("", "foo")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(temp)
+
+	data := `{"description": "foo plugin"}`
+	err = ioutil.WriteFile(filepath.Join(temp, "config.json"), []byte(data), 0644)
+	c.Assert(err, checker.IsNil)
+
+	err = os.MkdirAll(filepath.Join(temp, "rootfs"), 0700)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err := dockerCmdWithError("plugin", "create", name, temp)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+
+	out, _, err = dockerCmdWithError("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+
+	out, _, err = dockerCmdWithError("plugin", "create", name, temp)
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "already exist")
+
+	out, _, err = dockerCmdWithError("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+	// The output will consists of one HEADER line and one line of foo/bar-driver
+	c.Assert(len(strings.Split(strings.TrimSpace(out), "\n")), checker.Equals, 2)
+}
+
+func (ps *DockerPluginSuite) TestPluginInspect(c *check.C) {
+	pNameWithTag := ps.getPluginRepoWithTag()
+
+	_, _, err := dockerCmdWithError("plugin", "install", "--grant-all-permissions", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err := dockerCmdWithError("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, pNameWithTag)
+	c.Assert(out, checker.Contains, "true")
+
+	// Find the ID first
+	out, _, err = dockerCmdWithError("plugin", "inspect", "-f", "{{.Id}}", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+	id := strings.TrimSpace(out)
+	c.Assert(id, checker.Not(checker.Equals), "")
+
+	// Long form
+	out, _, err = dockerCmdWithError("plugin", "inspect", "-f", "{{.Id}}", id)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, id)
+
+	// Short form
+	out, _, err = dockerCmdWithError("plugin", "inspect", "-f", "{{.Id}}", id[:5])
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, id)
+
+	// Name with tag form
+	out, _, err = dockerCmdWithError("plugin", "inspect", "-f", "{{.Id}}", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, id)
+
+	// Name without tag form
+	out, _, err = dockerCmdWithError("plugin", "inspect", "-f", "{{.Id}}", ps.getPluginRepo())
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, id)
+
+	_, _, err = dockerCmdWithError("plugin", "disable", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+
+	out, _, err = dockerCmdWithError("plugin", "remove", pNameWithTag)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, pNameWithTag)
+
+	// After remove nothing should be found
+	_, _, err = dockerCmdWithError("plugin", "inspect", "-f", "{{.Id}}", id[:5])
+	c.Assert(err, checker.NotNil)
+}
+
+// Test case for https://github.com/docker/docker/pull/29186#discussion_r91277345
+func (s *DockerSuite) TestPluginInspectOnWindows(c *check.C) {
+	// This test should work on Windows only
+	testRequires(c, DaemonIsWindows)
+
+	out, _, err := dockerCmdWithError("plugin", "inspect", "foobar")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "plugins are not supported on this platform")
+	c.Assert(err.Error(), checker.Contains, "plugins are not supported on this platform")
+}
+
+func (ps *DockerPluginSuite) TestPluginIDPrefix(c *check.C) {
+	name := "test"
+	client := testEnv.APIClient()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	initialValue := "0"
+	err := plugin.Create(ctx, client, name, func(cfg *plugin.Config) {
+		cfg.Env = []types.PluginEnv{{Name: "DEBUG", Value: &initialValue, Settable: []string{"value"}}}
+	})
+	cancel()
+
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create test plugin"))
+
+	// Find ID first
+	id, _, err := dockerCmdWithError("plugin", "inspect", "-f", "{{.Id}}", name)
+	id = strings.TrimSpace(id)
+	c.Assert(err, checker.IsNil)
+
+	// List current state
+	out, _, err := dockerCmdWithError("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+	c.Assert(out, checker.Contains, "false")
+
+	env, _ := dockerCmd(c, "plugin", "inspect", "-f", "{{.Settings.Env}}", id[:5])
+	c.Assert(strings.TrimSpace(env), checker.Equals, "[DEBUG=0]")
+
+	dockerCmd(c, "plugin", "set", id[:5], "DEBUG=1")
+
+	env, _ = dockerCmd(c, "plugin", "inspect", "-f", "{{.Settings.Env}}", id[:5])
+	c.Assert(strings.TrimSpace(env), checker.Equals, "[DEBUG=1]")
+
+	// Enable
+	_, _, err = dockerCmdWithError("plugin", "enable", id[:5])
+	c.Assert(err, checker.IsNil)
+	out, _, err = dockerCmdWithError("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+	c.Assert(out, checker.Contains, "true")
+
+	// Disable
+	_, _, err = dockerCmdWithError("plugin", "disable", id[:5])
+	c.Assert(err, checker.IsNil)
+	out, _, err = dockerCmdWithError("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+	c.Assert(out, checker.Contains, "false")
+
+	// Remove
+	out, _, err = dockerCmdWithError("plugin", "remove", id[:5])
+	c.Assert(err, checker.IsNil)
+	// List returns none
+	out, _, err = dockerCmdWithError("plugin", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name)
+}
+
+func (ps *DockerPluginSuite) TestPluginListDefaultFormat(c *check.C) {
+	config, err := ioutil.TempDir("", "config-file-")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(config)
+
+	err = ioutil.WriteFile(filepath.Join(config, "config.json"), []byte(`{"pluginsFormat": "raw"}`), 0644)
+	c.Assert(err, check.IsNil)
+
+	name := "test:latest"
+	client := testEnv.APIClient()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+	err = plugin.Create(ctx, client, name, func(cfg *plugin.Config) {
+		cfg.Description = "test plugin"
+	})
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create test plugin"))
+
+	out, _ := dockerCmd(c, "plugin", "inspect", "--format", "{{.ID}}", name)
+	id := strings.TrimSpace(out)
+
+	// We expect the format to be in `raw + --no-trunc`
+	expectedOutput := fmt.Sprintf(`plugin_id: %s
+name: %s
+description: test plugin
+enabled: false`, id, name)
+
+	out, _ = dockerCmd(c, "--config", config, "plugin", "ls", "--no-trunc")
+	c.Assert(strings.TrimSpace(out), checker.Contains, expectedOutput)
+}
+
+func (s *DockerSuite) TestPluginUpgrade(c *check.C) {
+	testRequires(c, DaemonIsLinux, Network, SameHostDaemon, IsAmd64, NotUserNamespace)
+	plugin := "cpuguy83/docker-volume-driver-plugin-local:latest"
+	pluginV2 := "cpuguy83/docker-volume-driver-plugin-local:v2"
+
+	dockerCmd(c, "plugin", "install", "--grant-all-permissions", plugin)
+	dockerCmd(c, "volume", "create", "--driver", plugin, "bananas")
+	dockerCmd(c, "run", "--rm", "-v", "bananas:/apple", "busybox", "sh", "-c", "touch /apple/core")
+
+	out, _, err := dockerCmdWithError("plugin", "upgrade", "--grant-all-permissions", plugin, pluginV2)
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "disabled before upgrading")
+
+	out, _ = dockerCmd(c, "plugin", "inspect", "--format={{.ID}}", plugin)
+	id := strings.TrimSpace(out)
+
+	// make sure "v2" does not exists
+	_, err = os.Stat(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "plugins", id, "rootfs", "v2"))
+	c.Assert(os.IsNotExist(err), checker.True, check.Commentf(out))
+
+	dockerCmd(c, "plugin", "disable", "-f", plugin)
+	dockerCmd(c, "plugin", "upgrade", "--grant-all-permissions", "--skip-remote-check", plugin, pluginV2)
+
+	// make sure "v2" file exists
+	_, err = os.Stat(filepath.Join(testEnv.DaemonInfo.DockerRootDir, "plugins", id, "rootfs", "v2"))
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "plugin", "enable", plugin)
+	dockerCmd(c, "volume", "inspect", "bananas")
+	dockerCmd(c, "run", "--rm", "-v", "bananas:/apple", "busybox", "sh", "-c", "ls -lh /apple/core")
+}
+
+func (s *DockerSuite) TestPluginMetricsCollector(c *check.C) {
+	testRequires(c, DaemonIsLinux, Network, SameHostDaemon, IsAmd64)
+	d := daemon.New(c, dockerBinary, dockerdBinary)
+	d.Start(c)
+	defer d.Stop(c)
+
+	name := "cpuguy83/docker-metrics-plugin-test:latest"
+	r := cli.Docker(cli.Args("plugin", "install", "--grant-all-permissions", name), cli.Daemon(d))
+	c.Assert(r.Error, checker.IsNil, check.Commentf(r.Combined()))
+
+	// plugin lisens on localhost:19393 and proxies the metrics
+	resp, err := http.Get("http://localhost:19393/metrics")
+	c.Assert(err, checker.IsNil)
+	defer resp.Body.Close()
+
+	b, err := ioutil.ReadAll(resp.Body)
+	c.Assert(err, checker.IsNil)
+	// check that a known metric is there... don't expect this metric to change over time.. probably safe
+	c.Assert(string(b), checker.Contains, "container_actions")
+}
diff --git a/engine/integration-cli/docker_cli_port_test.go b/engine/integration-cli/docker_cli_port_test.go
new file mode 100644
index 00000000..84058cda
--- /dev/null
+++ b/engine/integration-cli/docker_cli_port_test.go
@@ -0,0 +1,351 @@
+package main
+
+import (
+	"fmt"
+	"net"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestPortList(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	// one port
+	out, _ := dockerCmd(c, "run", "-d", "-p", "9876:80", "busybox", "top")
+	firstID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "port", firstID, "80")
+
+	err := assertPortList(c, out, []string{"0.0.0.0:9876"})
+	// Port list is not correct
+	c.Assert(err, checker.IsNil)
+
+	out, _ = dockerCmd(c, "port", firstID)
+
+	err = assertPortList(c, out, []string{"80/tcp -> 0.0.0.0:9876"})
+	// Port list is not correct
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "rm", "-f", firstID)
+
+	// three port
+	out, _ = dockerCmd(c, "run", "-d",
+		"-p", "9876:80",
+		"-p", "9877:81",
+		"-p", "9878:82",
+		"busybox", "top")
+	ID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "port", ID, "80")
+
+	err = assertPortList(c, out, []string{"0.0.0.0:9876"})
+	// Port list is not correct
+	c.Assert(err, checker.IsNil)
+
+	out, _ = dockerCmd(c, "port", ID)
+
+	err = assertPortList(c, out, []string{
+		"80/tcp -> 0.0.0.0:9876",
+		"81/tcp -> 0.0.0.0:9877",
+		"82/tcp -> 0.0.0.0:9878"})
+	// Port list is not correct
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "rm", "-f", ID)
+
+	// more and one port mapped to the same container port
+	out, _ = dockerCmd(c, "run", "-d",
+		"-p", "9876:80",
+		"-p", "9999:80",
+		"-p", "9877:81",
+		"-p", "9878:82",
+		"busybox", "top")
+	ID = strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "port", ID, "80")
+
+	err = assertPortList(c, out, []string{"0.0.0.0:9876", "0.0.0.0:9999"})
+	// Port list is not correct
+	c.Assert(err, checker.IsNil)
+
+	out, _ = dockerCmd(c, "port", ID)
+
+	err = assertPortList(c, out, []string{
+		"80/tcp -> 0.0.0.0:9876",
+		"80/tcp -> 0.0.0.0:9999",
+		"81/tcp -> 0.0.0.0:9877",
+		"82/tcp -> 0.0.0.0:9878"})
+	// Port list is not correct
+	c.Assert(err, checker.IsNil)
+	dockerCmd(c, "rm", "-f", ID)
+
+	testRange := func() {
+		// host port ranges used
+		IDs := make([]string, 3)
+		for i := 0; i < 3; i++ {
+			out, _ = dockerCmd(c, "run", "-d",
+				"-p", "9090-9092:80",
+				"busybox", "top")
+			IDs[i] = strings.TrimSpace(out)
+
+			out, _ = dockerCmd(c, "port", IDs[i])
+
+			err = assertPortList(c, out, []string{fmt.Sprintf("80/tcp -> 0.0.0.0:%d", 9090+i)})
+			// Port list is not correct
+			c.Assert(err, checker.IsNil)
+		}
+
+		// test port range exhaustion
+		out, _, err = dockerCmdWithError("run", "-d",
+			"-p", "9090-9092:80",
+			"busybox", "top")
+		// Exhausted port range did not return an error
+		c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+
+		for i := 0; i < 3; i++ {
+			dockerCmd(c, "rm", "-f", IDs[i])
+		}
+	}
+	testRange()
+	// Verify we ran re-use port ranges after they are no longer in use.
+	testRange()
+
+	// test invalid port ranges
+	for _, invalidRange := range []string{"9090-9089:80", "9090-:80", "-9090:80"} {
+		out, _, err = dockerCmdWithError("run", "-d",
+			"-p", invalidRange,
+			"busybox", "top")
+		// Port range should have returned an error
+		c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	}
+
+	// test host range:container range spec.
+	out, _ = dockerCmd(c, "run", "-d",
+		"-p", "9800-9803:80-83",
+		"busybox", "top")
+	ID = strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "port", ID)
+
+	err = assertPortList(c, out, []string{
+		"80/tcp -> 0.0.0.0:9800",
+		"81/tcp -> 0.0.0.0:9801",
+		"82/tcp -> 0.0.0.0:9802",
+		"83/tcp -> 0.0.0.0:9803"})
+	// Port list is not correct
+	c.Assert(err, checker.IsNil)
+	dockerCmd(c, "rm", "-f", ID)
+
+	// test mixing protocols in same port range
+	out, _ = dockerCmd(c, "run", "-d",
+		"-p", "8000-8080:80",
+		"-p", "8000-8080:80/udp",
+		"busybox", "top")
+	ID = strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "port", ID)
+
+	// Running this test multiple times causes the TCP port to increment.
+	err = assertPortRange(c, out, []int{8000, 8080}, []int{8000, 8080})
+	// Port list is not correct
+	c.Assert(err, checker.IsNil)
+	dockerCmd(c, "rm", "-f", ID)
+}
+
+func assertPortList(c *check.C, out string, expected []string) error {
+	lines := strings.Split(strings.Trim(out, "\n "), "\n")
+	if len(lines) != len(expected) {
+		return fmt.Errorf("different size lists %s, %d, %d", out, len(lines), len(expected))
+	}
+	sort.Strings(lines)
+	sort.Strings(expected)
+
+	for i := 0; i < len(expected); i++ {
+		if lines[i] != expected[i] {
+			return fmt.Errorf("|" + lines[i] + "!=" + expected[i] + "|")
+		}
+	}
+
+	return nil
+}
+
+func assertPortRange(c *check.C, out string, expectedTcp, expectedUdp []int) error {
+	lines := strings.Split(strings.Trim(out, "\n "), "\n")
+
+	var validTcp, validUdp bool
+	for _, l := range lines {
+		// 80/tcp -> 0.0.0.0:8015
+		port, err := strconv.Atoi(strings.Split(l, ":")[1])
+		if err != nil {
+			return err
+		}
+		if strings.Contains(l, "tcp") && expectedTcp != nil {
+			if port < expectedTcp[0] || port > expectedTcp[1] {
+				return fmt.Errorf("tcp port (%d) not in range expected range %d-%d", port, expectedTcp[0], expectedTcp[1])
+			}
+			validTcp = true
+		}
+		if strings.Contains(l, "udp") && expectedUdp != nil {
+			if port < expectedUdp[0] || port > expectedUdp[1] {
+				return fmt.Errorf("udp port (%d) not in range expected range %d-%d", port, expectedUdp[0], expectedUdp[1])
+			}
+			validUdp = true
+		}
+	}
+	if !validTcp {
+		return fmt.Errorf("tcp port not found")
+	}
+	if !validUdp {
+		return fmt.Errorf("udp port not found")
+	}
+	return nil
+}
+
+func stopRemoveContainer(id string, c *check.C) {
+	dockerCmd(c, "rm", "-f", id)
+}
+
+func (s *DockerSuite) TestUnpublishedPortsInPsOutput(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	// Run busybox with command line expose (equivalent to EXPOSE in image's Dockerfile) for the following ports
+	port1 := 80
+	port2 := 443
+	expose1 := fmt.Sprintf("--expose=%d", port1)
+	expose2 := fmt.Sprintf("--expose=%d", port2)
+	dockerCmd(c, "run", "-d", expose1, expose2, "busybox", "sleep", "5")
+
+	// Check docker ps o/p for last created container reports the unpublished ports
+	unpPort1 := fmt.Sprintf("%d/tcp", port1)
+	unpPort2 := fmt.Sprintf("%d/tcp", port2)
+	out, _ := dockerCmd(c, "ps", "-n=1")
+	// Missing unpublished ports in docker ps output
+	c.Assert(out, checker.Contains, unpPort1)
+	// Missing unpublished ports in docker ps output
+	c.Assert(out, checker.Contains, unpPort2)
+
+	// Run the container forcing to publish the exposed ports
+	dockerCmd(c, "run", "-d", "-P", expose1, expose2, "busybox", "sleep", "5")
+
+	// Check docker ps o/p for last created container reports the exposed ports in the port bindings
+	expBndRegx1 := regexp.MustCompile(`0.0.0.0:\d\d\d\d\d->` + unpPort1)
+	expBndRegx2 := regexp.MustCompile(`0.0.0.0:\d\d\d\d\d->` + unpPort2)
+	out, _ = dockerCmd(c, "ps", "-n=1")
+	// Cannot find expected port binding port (0.0.0.0:xxxxx->unpPort1) in docker ps output
+	c.Assert(expBndRegx1.MatchString(out), checker.Equals, true, check.Commentf("out: %s; unpPort1: %s", out, unpPort1))
+	// Cannot find expected port binding port (0.0.0.0:xxxxx->unpPort2) in docker ps output
+	c.Assert(expBndRegx2.MatchString(out), checker.Equals, true, check.Commentf("out: %s; unpPort2: %s", out, unpPort2))
+
+	// Run the container specifying explicit port bindings for the exposed ports
+	offset := 10000
+	pFlag1 := fmt.Sprintf("%d:%d", offset+port1, port1)
+	pFlag2 := fmt.Sprintf("%d:%d", offset+port2, port2)
+	out, _ = dockerCmd(c, "run", "-d", "-p", pFlag1, "-p", pFlag2, expose1, expose2, "busybox", "sleep", "5")
+	id := strings.TrimSpace(out)
+
+	// Check docker ps o/p for last created container reports the specified port mappings
+	expBnd1 := fmt.Sprintf("0.0.0.0:%d->%s", offset+port1, unpPort1)
+	expBnd2 := fmt.Sprintf("0.0.0.0:%d->%s", offset+port2, unpPort2)
+	out, _ = dockerCmd(c, "ps", "-n=1")
+	// Cannot find expected port binding (expBnd1) in docker ps output
+	c.Assert(out, checker.Contains, expBnd1)
+	// Cannot find expected port binding (expBnd2) in docker ps output
+	c.Assert(out, checker.Contains, expBnd2)
+
+	// Remove container now otherwise it will interfere with next test
+	stopRemoveContainer(id, c)
+
+	// Run the container with explicit port bindings and no exposed ports
+	out, _ = dockerCmd(c, "run", "-d", "-p", pFlag1, "-p", pFlag2, "busybox", "sleep", "5")
+	id = strings.TrimSpace(out)
+
+	// Check docker ps o/p for last created container reports the specified port mappings
+	out, _ = dockerCmd(c, "ps", "-n=1")
+	// Cannot find expected port binding (expBnd1) in docker ps output
+	c.Assert(out, checker.Contains, expBnd1)
+	// Cannot find expected port binding (expBnd2) in docker ps output
+	c.Assert(out, checker.Contains, expBnd2)
+	// Remove container now otherwise it will interfere with next test
+	stopRemoveContainer(id, c)
+
+	// Run the container with one unpublished exposed port and one explicit port binding
+	dockerCmd(c, "run", "-d", expose1, "-p", pFlag2, "busybox", "sleep", "5")
+
+	// Check docker ps o/p for last created container reports the specified unpublished port and port mapping
+	out, _ = dockerCmd(c, "ps", "-n=1")
+	// Missing unpublished exposed ports (unpPort1) in docker ps output
+	c.Assert(out, checker.Contains, unpPort1)
+	// Missing port binding (expBnd2) in docker ps output
+	c.Assert(out, checker.Contains, expBnd2)
+}
+
+func (s *DockerSuite) TestPortHostBinding(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "-d", "-p", "9876:80", "busybox",
+		"nc", "-l", "-p", "80")
+	firstID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "port", firstID, "80")
+
+	err := assertPortList(c, out, []string{"0.0.0.0:9876"})
+	// Port list is not correct
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "run", "--net=host", "busybox",
+		"nc", "localhost", "9876")
+
+	dockerCmd(c, "rm", "-f", firstID)
+
+	out, _, err = dockerCmdWithError("run", "--net=host", "busybox", "nc", "localhost", "9876")
+	// Port is still bound after the Container is removed
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+}
+
+func (s *DockerSuite) TestPortExposeHostBinding(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "-d", "-P", "--expose", "80", "busybox",
+		"nc", "-l", "-p", "80")
+	firstID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "port", firstID, "80")
+
+	_, exposedPort, err := net.SplitHostPort(out)
+	c.Assert(err, checker.IsNil, check.Commentf("out: %s", out))
+
+	dockerCmd(c, "run", "--net=host", "busybox",
+		"nc", "localhost", strings.TrimSpace(exposedPort))
+
+	dockerCmd(c, "rm", "-f", firstID)
+
+	out, _, err = dockerCmdWithError("run", "--net=host", "busybox",
+		"nc", "localhost", strings.TrimSpace(exposedPort))
+	// Port is still bound after the Container is removed
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+}
+
+func (s *DockerSuite) TestPortBindingOnSandbox(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	dockerCmd(c, "network", "create", "--internal", "-d", "bridge", "internal-net")
+	nr := getNetworkResource(c, "internal-net")
+	c.Assert(nr.Internal, checker.Equals, true)
+
+	dockerCmd(c, "run", "--net", "internal-net", "-d", "--name", "c1",
+		"-p", "8080:8080", "busybox", "nc", "-l", "-p", "8080")
+	c.Assert(waitRun("c1"), check.IsNil)
+
+	_, _, err := dockerCmdWithError("run", "--net=host", "busybox", "nc", "localhost", "8080")
+	c.Assert(err, check.NotNil,
+		check.Commentf("Port mapping on internal network is expected to fail"))
+
+	// Connect container to another normal bridge network
+	dockerCmd(c, "network", "create", "-d", "bridge", "foo-net")
+	dockerCmd(c, "network", "connect", "foo-net", "c1")
+
+	_, _, err = dockerCmdWithError("run", "--net=host", "busybox", "nc", "localhost", "8080")
+	c.Assert(err, check.IsNil,
+		check.Commentf("Port mapping on the new network is expected to succeed"))
+
+}
diff --git a/engine/integration-cli/docker_cli_proxy_test.go b/engine/integration-cli/docker_cli_proxy_test.go
new file mode 100644
index 00000000..52159aa9
--- /dev/null
+++ b/engine/integration-cli/docker_cli_proxy_test.go
@@ -0,0 +1,51 @@
+package main
+
+import (
+	"net"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestCLIProxyDisableProxyUnixSock(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "info"},
+		Env:     appendBaseEnv(false, "HTTP_PROXY=http://127.0.0.1:9999"),
+	}).Assert(c, icmd.Success)
+}
+
+// Can't use localhost here since go has a special case to not use proxy if connecting to localhost
+// See https://golang.org/pkg/net/http/#ProxyFromEnvironment
+func (s *DockerDaemonSuite) TestCLIProxyProxyTCPSock(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	// get the IP to use to connect since we can't use localhost
+	addrs, err := net.InterfaceAddrs()
+	c.Assert(err, checker.IsNil)
+	var ip string
+	for _, addr := range addrs {
+		sAddr := addr.String()
+		if !strings.Contains(sAddr, "127.0.0.1") {
+			addrArr := strings.Split(sAddr, "/")
+			ip = addrArr[0]
+			break
+		}
+	}
+
+	c.Assert(ip, checker.Not(checker.Equals), "")
+
+	s.d.Start(c, "-H", "tcp://"+ip+":2375")
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "info"},
+		Env:     []string{"DOCKER_HOST=tcp://" + ip + ":2375", "HTTP_PROXY=127.0.0.1:9999"},
+	}).Assert(c, icmd.Expected{Error: "exit status 1", ExitCode: 1})
+	// Test with no_proxy
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "info"},
+		Env:     []string{"DOCKER_HOST=tcp://" + ip + ":2375", "HTTP_PROXY=127.0.0.1:9999", "NO_PROXY=" + ip},
+	}).Assert(c, icmd.Success)
+}
diff --git a/engine/integration-cli/docker_cli_prune_unix_test.go b/engine/integration-cli/docker_cli_prune_unix_test.go
new file mode 100644
index 00000000..d60420b5
--- /dev/null
+++ b/engine/integration-cli/docker_cli_prune_unix_test.go
@@ -0,0 +1,309 @@
+// +build !windows
+
+package main
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/integration-cli/daemon"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func pruneNetworkAndVerify(c *check.C, d *daemon.Daemon, kept, pruned []string) {
+	_, err := d.Cmd("network", "prune", "--force")
+	c.Assert(err, checker.IsNil)
+
+	for _, s := range kept {
+		waitAndAssert(c, defaultReconciliationTimeout, func(*check.C) (interface{}, check.CommentInterface) {
+			out, err := d.Cmd("network", "ls", "--format", "{{.Name}}")
+			c.Assert(err, checker.IsNil)
+			return out, nil
+		}, checker.Contains, s)
+	}
+
+	for _, s := range pruned {
+		waitAndAssert(c, defaultReconciliationTimeout, func(*check.C) (interface{}, check.CommentInterface) {
+			out, err := d.Cmd("network", "ls", "--format", "{{.Name}}")
+			c.Assert(err, checker.IsNil)
+			return out, nil
+		}, checker.Not(checker.Contains), s)
+	}
+}
+
+func (s *DockerSwarmSuite) TestPruneNetwork(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	_, err := d.Cmd("network", "create", "n1") // used by container (testprune)
+	c.Assert(err, checker.IsNil)
+	_, err = d.Cmd("network", "create", "n2")
+	c.Assert(err, checker.IsNil)
+	_, err = d.Cmd("network", "create", "n3", "--driver", "overlay") // used by service (testprunesvc)
+	c.Assert(err, checker.IsNil)
+	_, err = d.Cmd("network", "create", "n4", "--driver", "overlay")
+	c.Assert(err, checker.IsNil)
+
+	cName := "testprune"
+	_, err = d.Cmd("run", "-d", "--name", cName, "--net", "n1", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+
+	serviceName := "testprunesvc"
+	replicas := 1
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image",
+		"--name", serviceName,
+		"--replicas", strconv.Itoa(replicas),
+		"--network", "n3",
+		"busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, replicas+1)
+
+	// prune and verify
+	pruneNetworkAndVerify(c, d, []string{"n1", "n3"}, []string{"n2", "n4"})
+
+	// remove containers, then prune and verify again
+	_, err = d.Cmd("rm", "-f", cName)
+	c.Assert(err, checker.IsNil)
+	_, err = d.Cmd("service", "rm", serviceName)
+	c.Assert(err, checker.IsNil)
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 0)
+
+	pruneNetworkAndVerify(c, d, []string{}, []string{"n1", "n3"})
+}
+
+func (s *DockerDaemonSuite) TestPruneImageDangling(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	result := cli.BuildCmd(c, "test", cli.Daemon(s.d),
+		build.WithDockerfile(`FROM busybox
+                 LABEL foo=bar`),
+		cli.WithFlags("-q"),
+	)
+	result.Assert(c, icmd.Success)
+	id := strings.TrimSpace(result.Combined())
+
+	out, err := s.d.Cmd("images", "-q", "--no-trunc")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id)
+
+	out, err = s.d.Cmd("image", "prune", "--force")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id)
+
+	out, err = s.d.Cmd("images", "-q", "--no-trunc")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id)
+
+	out, err = s.d.Cmd("image", "prune", "--force", "--all")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id)
+
+	out, err = s.d.Cmd("images", "-q", "--no-trunc")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id)
+}
+
+func (s *DockerSuite) TestPruneContainerUntil(c *check.C) {
+	out := cli.DockerCmd(c, "run", "-d", "busybox").Combined()
+	id1 := strings.TrimSpace(out)
+	cli.WaitExited(c, id1, 5*time.Second)
+
+	until := daemonUnixTime(c)
+
+	out = cli.DockerCmd(c, "run", "-d", "busybox").Combined()
+	id2 := strings.TrimSpace(out)
+	cli.WaitExited(c, id2, 5*time.Second)
+
+	out = cli.DockerCmd(c, "container", "prune", "--force", "--filter", "until="+until).Combined()
+	c.Assert(strings.TrimSpace(out), checker.Contains, id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+
+	out = cli.DockerCmd(c, "ps", "-a", "-q", "--no-trunc").Combined()
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id1)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id2)
+}
+
+func (s *DockerSuite) TestPruneContainerLabel(c *check.C) {
+	out := cli.DockerCmd(c, "run", "-d", "--label", "foo", "busybox").Combined()
+	id1 := strings.TrimSpace(out)
+	cli.WaitExited(c, id1, 5*time.Second)
+
+	out = cli.DockerCmd(c, "run", "-d", "--label", "bar", "busybox").Combined()
+	id2 := strings.TrimSpace(out)
+	cli.WaitExited(c, id2, 5*time.Second)
+
+	out = cli.DockerCmd(c, "run", "-d", "busybox").Combined()
+	id3 := strings.TrimSpace(out)
+	cli.WaitExited(c, id3, 5*time.Second)
+
+	out = cli.DockerCmd(c, "run", "-d", "--label", "foobar", "busybox").Combined()
+	id4 := strings.TrimSpace(out)
+	cli.WaitExited(c, id4, 5*time.Second)
+
+	// Add a config file of label=foobar, that will have no impact if cli is label!=foobar
+	config := `{"pruneFilters": ["label=foobar"]}`
+	d, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(d)
+	err = ioutil.WriteFile(filepath.Join(d, "config.json"), []byte(config), 0644)
+	c.Assert(err, checker.IsNil)
+
+	// With config.json only, prune based on label=foobar
+	out = cli.DockerCmd(c, "--config", d, "container", "prune", "--force").Combined()
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id3)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id4)
+
+	out = cli.DockerCmd(c, "container", "prune", "--force", "--filter", "label=foo").Combined()
+	c.Assert(strings.TrimSpace(out), checker.Contains, id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id3)
+
+	out = cli.DockerCmd(c, "ps", "-a", "-q", "--no-trunc").Combined()
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id1)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id2)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id3)
+
+	out = cli.DockerCmd(c, "container", "prune", "--force", "--filter", "label!=bar").Combined()
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id3)
+
+	out = cli.DockerCmd(c, "ps", "-a", "-q", "--no-trunc").Combined()
+	c.Assert(strings.TrimSpace(out), checker.Contains, id2)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id3)
+
+	// With config.json label=foobar and CLI label!=foobar, CLI label!=foobar supersede
+	out = cli.DockerCmd(c, "--config", d, "container", "prune", "--force", "--filter", "label!=foobar").Combined()
+	c.Assert(strings.TrimSpace(out), checker.Contains, id2)
+
+	out = cli.DockerCmd(c, "ps", "-a", "-q", "--no-trunc").Combined()
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+}
+
+func (s *DockerSuite) TestPruneVolumeLabel(c *check.C) {
+	out, _ := dockerCmd(c, "volume", "create", "--label", "foo")
+	id1 := strings.TrimSpace(out)
+	c.Assert(id1, checker.Not(checker.Equals), "")
+
+	out, _ = dockerCmd(c, "volume", "create", "--label", "bar")
+	id2 := strings.TrimSpace(out)
+	c.Assert(id2, checker.Not(checker.Equals), "")
+
+	out, _ = dockerCmd(c, "volume", "create")
+	id3 := strings.TrimSpace(out)
+	c.Assert(id3, checker.Not(checker.Equals), "")
+
+	out, _ = dockerCmd(c, "volume", "create", "--label", "foobar")
+	id4 := strings.TrimSpace(out)
+	c.Assert(id4, checker.Not(checker.Equals), "")
+
+	// Add a config file of label=foobar, that will have no impact if cli is label!=foobar
+	config := `{"pruneFilters": ["label=foobar"]}`
+	d, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(d)
+	err = ioutil.WriteFile(filepath.Join(d, "config.json"), []byte(config), 0644)
+	c.Assert(err, checker.IsNil)
+
+	// With config.json only, prune based on label=foobar
+	out, _ = dockerCmd(c, "--config", d, "volume", "prune", "--force")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id3)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id4)
+
+	out, _ = dockerCmd(c, "volume", "prune", "--force", "--filter", "label=foo")
+	c.Assert(strings.TrimSpace(out), checker.Contains, id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id3)
+
+	out, _ = dockerCmd(c, "volume", "ls", "--format", "{{.Name}}")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id1)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id2)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id3)
+
+	out, _ = dockerCmd(c, "volume", "prune", "--force", "--filter", "label!=bar")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id3)
+
+	out, _ = dockerCmd(c, "volume", "ls", "--format", "{{.Name}}")
+	c.Assert(strings.TrimSpace(out), checker.Contains, id2)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id3)
+
+	// With config.json label=foobar and CLI label!=foobar, CLI label!=foobar supersede
+	out, _ = dockerCmd(c, "--config", d, "volume", "prune", "--force", "--filter", "label!=foobar")
+	c.Assert(strings.TrimSpace(out), checker.Contains, id2)
+
+	out, _ = dockerCmd(c, "volume", "ls", "--format", "{{.Name}}")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+}
+
+func (s *DockerSuite) TestPruneNetworkLabel(c *check.C) {
+	dockerCmd(c, "network", "create", "--label", "foo", "n1")
+	dockerCmd(c, "network", "create", "--label", "bar", "n2")
+	dockerCmd(c, "network", "create", "n3")
+
+	out, _ := dockerCmd(c, "network", "prune", "--force", "--filter", "label=foo")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "n1")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), "n2")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), "n3")
+
+	out, _ = dockerCmd(c, "network", "prune", "--force", "--filter", "label!=bar")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), "n1")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), "n2")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "n3")
+
+	out, _ = dockerCmd(c, "network", "prune", "--force")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), "n1")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "n2")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), "n3")
+}
+
+func (s *DockerDaemonSuite) TestPruneImageLabel(c *check.C) {
+	s.d.StartWithBusybox(c)
+
+	result := cli.BuildCmd(c, "test1", cli.Daemon(s.d),
+		build.WithDockerfile(`FROM busybox
+                 LABEL foo=bar`),
+		cli.WithFlags("-q"),
+	)
+	result.Assert(c, icmd.Success)
+	id1 := strings.TrimSpace(result.Combined())
+	out, err := s.d.Cmd("images", "-q", "--no-trunc")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id1)
+
+	result = cli.BuildCmd(c, "test2", cli.Daemon(s.d),
+		build.WithDockerfile(`FROM busybox
+                 LABEL bar=foo`),
+		cli.WithFlags("-q"),
+	)
+	result.Assert(c, icmd.Success)
+	id2 := strings.TrimSpace(result.Combined())
+	out, err = s.d.Cmd("images", "-q", "--no-trunc")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id2)
+
+	out, err = s.d.Cmd("image", "prune", "--force", "--all", "--filter", "label=foo=bar")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+
+	out, err = s.d.Cmd("image", "prune", "--force", "--all", "--filter", "label!=bar=foo")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id2)
+
+	out, err = s.d.Cmd("image", "prune", "--force", "--all", "--filter", "label=bar=foo")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), id1)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id2)
+}
diff --git a/engine/integration-cli/docker_cli_ps_test.go b/engine/integration-cli/docker_cli_ps_test.go
new file mode 100644
index 00000000..a975bc35
--- /dev/null
+++ b/engine/integration-cli/docker_cli_ps_test.go
@@ -0,0 +1,874 @@
+package main
+
+import (
+	"fmt"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestPsListContainersBase(c *check.C) {
+	existingContainers := ExistingContainerIDs(c)
+
+	out := runSleepingContainer(c, "-d")
+	firstID := strings.TrimSpace(out)
+
+	out = runSleepingContainer(c, "-d")
+	secondID := strings.TrimSpace(out)
+
+	// not long running
+	out, _ = dockerCmd(c, "run", "-d", "busybox", "true")
+	thirdID := strings.TrimSpace(out)
+
+	out = runSleepingContainer(c, "-d")
+	fourthID := strings.TrimSpace(out)
+
+	// make sure the second is running
+	c.Assert(waitRun(secondID), checker.IsNil)
+
+	// make sure third one is not running
+	dockerCmd(c, "wait", thirdID)
+
+	// make sure the forth is running
+	c.Assert(waitRun(fourthID), checker.IsNil)
+
+	// all
+	out, _ = dockerCmd(c, "ps", "-a")
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), []string{fourthID, thirdID, secondID, firstID}), checker.Equals, true, check.Commentf("ALL: Container list is not in the correct order: \n%s", out))
+
+	// running
+	out, _ = dockerCmd(c, "ps")
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), []string{fourthID, secondID, firstID}), checker.Equals, true, check.Commentf("RUNNING: Container list is not in the correct order: \n%s", out))
+
+	// limit
+	out, _ = dockerCmd(c, "ps", "-n=2", "-a")
+	expected := []string{fourthID, thirdID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("LIMIT & ALL: Container list is not in the correct order: \n%s", out))
+
+	out, _ = dockerCmd(c, "ps", "-n=2")
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("LIMIT: Container list is not in the correct order: \n%s", out))
+
+	// filter since
+	out, _ = dockerCmd(c, "ps", "-f", "since="+firstID, "-a")
+	expected = []string{fourthID, thirdID, secondID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("SINCE filter & ALL: Container list is not in the correct order: \n%s", out))
+
+	out, _ = dockerCmd(c, "ps", "-f", "since="+firstID)
+	expected = []string{fourthID, secondID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("SINCE filter: Container list is not in the correct order: \n%s", out))
+
+	out, _ = dockerCmd(c, "ps", "-f", "since="+thirdID)
+	expected = []string{fourthID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("SINCE filter: Container list is not in the correct order: \n%s", out))
+
+	// filter before
+	out, _ = dockerCmd(c, "ps", "-f", "before="+fourthID, "-a")
+	expected = []string{thirdID, secondID, firstID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("BEFORE filter & ALL: Container list is not in the correct order: \n%s", out))
+
+	out, _ = dockerCmd(c, "ps", "-f", "before="+fourthID)
+	expected = []string{secondID, firstID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("BEFORE filter: Container list is not in the correct order: \n%s", out))
+
+	out, _ = dockerCmd(c, "ps", "-f", "before="+thirdID)
+	expected = []string{secondID, firstID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("SINCE filter: Container list is not in the correct order: \n%s", out))
+
+	// filter since & before
+	out, _ = dockerCmd(c, "ps", "-f", "since="+firstID, "-f", "before="+fourthID, "-a")
+	expected = []string{thirdID, secondID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("SINCE filter, BEFORE filter & ALL: Container list is not in the correct order: \n%s", out))
+
+	out, _ = dockerCmd(c, "ps", "-f", "since="+firstID, "-f", "before="+fourthID)
+	expected = []string{secondID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("SINCE filter, BEFORE filter: Container list is not in the correct order: \n%s", out))
+
+	// filter since & limit
+	out, _ = dockerCmd(c, "ps", "-f", "since="+firstID, "-n=2", "-a")
+	expected = []string{fourthID, thirdID}
+
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("SINCE filter, LIMIT & ALL: Container list is not in the correct order: \n%s", out))
+
+	out, _ = dockerCmd(c, "ps", "-f", "since="+firstID, "-n=2")
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("SINCE filter, LIMIT: Container list is not in the correct order: \n%s", out))
+
+	// filter before & limit
+	out, _ = dockerCmd(c, "ps", "-f", "before="+fourthID, "-n=1", "-a")
+	expected = []string{thirdID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("BEFORE filter, LIMIT & ALL: Container list is not in the correct order: \n%s", out))
+
+	out, _ = dockerCmd(c, "ps", "-f", "before="+fourthID, "-n=1")
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("BEFORE filter, LIMIT: Container list is not in the correct order: \n%s", out))
+
+	// filter since & filter before & limit
+	out, _ = dockerCmd(c, "ps", "-f", "since="+firstID, "-f", "before="+fourthID, "-n=1", "-a")
+	expected = []string{thirdID}
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("SINCE filter, BEFORE filter, LIMIT & ALL: Container list is not in the correct order: \n%s", out))
+
+	out, _ = dockerCmd(c, "ps", "-f", "since="+firstID, "-f", "before="+fourthID, "-n=1")
+	c.Assert(assertContainerList(RemoveOutputForExistingElements(out, existingContainers), expected), checker.Equals, true, check.Commentf("SINCE filter, BEFORE filter, LIMIT: Container list is not in the correct order: \n%s", out))
+
+}
+
+func assertContainerList(out string, expected []string) bool {
+	lines := strings.Split(strings.Trim(out, "\n "), "\n")
+
+	if len(lines)-1 != len(expected) {
+		return false
+	}
+
+	containerIDIndex := strings.Index(lines[0], "CONTAINER ID")
+	for i := 0; i < len(expected); i++ {
+		foundID := lines[i+1][containerIDIndex : containerIDIndex+12]
+		if foundID != expected[i][:12] {
+			return false
+		}
+	}
+
+	return true
+}
+
+func (s *DockerSuite) TestPsListContainersSize(c *check.C) {
+	// Problematic on Windows as it doesn't report the size correctly @swernli
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "busybox")
+
+	baseOut, _ := dockerCmd(c, "ps", "-s", "-n=1")
+	baseLines := strings.Split(strings.Trim(baseOut, "\n "), "\n")
+	baseSizeIndex := strings.Index(baseLines[0], "SIZE")
+	baseFoundsize := baseLines[1][baseSizeIndex:]
+	baseBytes, err := strconv.Atoi(strings.Split(baseFoundsize, "B")[0])
+	c.Assert(err, checker.IsNil)
+
+	name := "test_size"
+	dockerCmd(c, "run", "--name", name, "busybox", "sh", "-c", "echo 1 > test")
+	id := getIDByName(c, name)
+
+	var result *icmd.Result
+
+	wait := make(chan struct{})
+	go func() {
+		result = icmd.RunCommand(dockerBinary, "ps", "-s", "-n=1")
+		close(wait)
+	}()
+	select {
+	case <-wait:
+	case <-time.After(3 * time.Second):
+		c.Fatalf("Calling \"docker ps -s\" timed out!")
+	}
+	result.Assert(c, icmd.Success)
+	lines := strings.Split(strings.Trim(result.Combined(), "\n "), "\n")
+	c.Assert(lines, checker.HasLen, 2, check.Commentf("Expected 2 lines for 'ps -s -n=1' output, got %d", len(lines)))
+	sizeIndex := strings.Index(lines[0], "SIZE")
+	idIndex := strings.Index(lines[0], "CONTAINER ID")
+	foundID := lines[1][idIndex : idIndex+12]
+	c.Assert(foundID, checker.Equals, id[:12], check.Commentf("Expected id %s, got %s", id[:12], foundID))
+	expectedSize := fmt.Sprintf("%dB", 2+baseBytes)
+	foundSize := lines[1][sizeIndex:]
+	c.Assert(foundSize, checker.Contains, expectedSize, check.Commentf("Expected size %q, got %q", expectedSize, foundSize))
+}
+
+func (s *DockerSuite) TestPsListContainersFilterStatus(c *check.C) {
+	existingContainers := ExistingContainerIDs(c)
+
+	// start exited container
+	out := cli.DockerCmd(c, "run", "-d", "busybox").Combined()
+	firstID := strings.TrimSpace(out)
+
+	// make sure the exited container is not running
+	cli.DockerCmd(c, "wait", firstID)
+
+	// start running container
+	out = cli.DockerCmd(c, "run", "-itd", "busybox").Combined()
+	secondID := strings.TrimSpace(out)
+
+	// filter containers by exited
+	out = cli.DockerCmd(c, "ps", "--no-trunc", "-q", "--filter=status=exited").Combined()
+	containerOut := strings.TrimSpace(out)
+	c.Assert(RemoveOutputForExistingElements(containerOut, existingContainers), checker.Equals, firstID)
+
+	out = cli.DockerCmd(c, "ps", "-a", "--no-trunc", "-q", "--filter=status=running").Combined()
+	containerOut = strings.TrimSpace(out)
+	c.Assert(RemoveOutputForExistingElements(containerOut, existingContainers), checker.Equals, secondID)
+
+	result := cli.Docker(cli.Args("ps", "-a", "-q", "--filter=status=rubbish"), cli.WithTimeout(time.Second*60))
+	err := "Invalid filter 'status=rubbish'"
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		err = "Unrecognised filter value for status: rubbish"
+	}
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      err,
+	})
+	// Windows doesn't support pausing of containers
+	if testEnv.OSType != "windows" {
+		// pause running container
+		out = cli.DockerCmd(c, "run", "-itd", "busybox").Combined()
+		pausedID := strings.TrimSpace(out)
+		cli.DockerCmd(c, "pause", pausedID)
+		// make sure the container is unpaused to let the daemon stop it properly
+		defer func() { cli.DockerCmd(c, "unpause", pausedID) }()
+
+		out = cli.DockerCmd(c, "ps", "--no-trunc", "-q", "--filter=status=paused").Combined()
+		containerOut = strings.TrimSpace(out)
+		c.Assert(RemoveOutputForExistingElements(containerOut, existingContainers), checker.Equals, pausedID)
+	}
+}
+
+func (s *DockerSuite) TestPsListContainersFilterHealth(c *check.C) {
+	existingContainers := ExistingContainerIDs(c)
+	// Test legacy no health check
+	out := runSleepingContainer(c, "--name=none_legacy")
+	containerID := strings.TrimSpace(out)
+
+	cli.WaitRun(c, containerID)
+
+	out = cli.DockerCmd(c, "ps", "-q", "-l", "--no-trunc", "--filter=health=none").Combined()
+	containerOut := strings.TrimSpace(out)
+	c.Assert(containerOut, checker.Equals, containerID, check.Commentf("Expected id %s, got %s for legacy none filter, output: %q", containerID, containerOut, out))
+
+	// Test no health check specified explicitly
+	out = runSleepingContainer(c, "--name=none", "--no-healthcheck")
+	containerID = strings.TrimSpace(out)
+
+	cli.WaitRun(c, containerID)
+
+	out = cli.DockerCmd(c, "ps", "-q", "-l", "--no-trunc", "--filter=health=none").Combined()
+	containerOut = strings.TrimSpace(out)
+	c.Assert(containerOut, checker.Equals, containerID, check.Commentf("Expected id %s, got %s for none filter, output: %q", containerID, containerOut, out))
+
+	// Test failing health check
+	out = runSleepingContainer(c, "--name=failing_container", "--health-cmd=exit 1", "--health-interval=1s")
+	containerID = strings.TrimSpace(out)
+
+	waitForHealthStatus(c, "failing_container", "starting", "unhealthy")
+
+	out = cli.DockerCmd(c, "ps", "-q", "--no-trunc", "--filter=health=unhealthy").Combined()
+	containerOut = strings.TrimSpace(out)
+	c.Assert(containerOut, checker.Equals, containerID, check.Commentf("Expected containerID %s, got %s for unhealthy filter, output: %q", containerID, containerOut, out))
+
+	// Check passing healthcheck
+	out = runSleepingContainer(c, "--name=passing_container", "--health-cmd=exit 0", "--health-interval=1s")
+	containerID = strings.TrimSpace(out)
+
+	waitForHealthStatus(c, "passing_container", "starting", "healthy")
+
+	out = cli.DockerCmd(c, "ps", "-q", "--no-trunc", "--filter=health=healthy").Combined()
+	containerOut = strings.TrimSpace(RemoveOutputForExistingElements(out, existingContainers))
+	c.Assert(containerOut, checker.Equals, containerID, check.Commentf("Expected containerID %s, got %s for healthy filter, output: %q", containerID, containerOut, out))
+}
+
+func (s *DockerSuite) TestPsListContainersFilterID(c *check.C) {
+	// start container
+	out, _ := dockerCmd(c, "run", "-d", "busybox")
+	firstID := strings.TrimSpace(out)
+
+	// start another container
+	runSleepingContainer(c)
+
+	// filter containers by id
+	out, _ = dockerCmd(c, "ps", "-a", "-q", "--filter=id="+firstID)
+	containerOut := strings.TrimSpace(out)
+	c.Assert(containerOut, checker.Equals, firstID[:12], check.Commentf("Expected id %s, got %s for exited filter, output: %q", firstID[:12], containerOut, out))
+}
+
+func (s *DockerSuite) TestPsListContainersFilterName(c *check.C) {
+	// start container
+	dockerCmd(c, "run", "--name=a_name_to_match", "busybox")
+	id := getIDByName(c, "a_name_to_match")
+
+	// start another container
+	runSleepingContainer(c, "--name=b_name_to_match")
+
+	// filter containers by name
+	out, _ := dockerCmd(c, "ps", "-a", "-q", "--filter=name=a_name_to_match")
+	containerOut := strings.TrimSpace(out)
+	c.Assert(containerOut, checker.Equals, id[:12], check.Commentf("Expected id %s, got %s for exited filter, output: %q", id[:12], containerOut, out))
+}
+
+// Test for the ancestor filter for ps.
+// There is also the same test but with image:tag@digest in docker_cli_by_digest_test.go
+//
+// What the test setups :
+// - Create 2 image based on busybox using the same repository but different tags
+// - Create an image based on the previous image (images_ps_filter_test2)
+// - Run containers for each of those image (busybox, images_ps_filter_test1, images_ps_filter_test2)
+// - Filter them out :P
+func (s *DockerSuite) TestPsListContainersFilterAncestorImage(c *check.C) {
+	existingContainers := ExistingContainerIDs(c)
+
+	// Build images
+	imageName1 := "images_ps_filter_test1"
+	buildImageSuccessfully(c, imageName1, build.WithDockerfile(`FROM busybox
+		 LABEL match me 1`))
+	imageID1 := getIDByName(c, imageName1)
+
+	imageName1Tagged := "images_ps_filter_test1:tag"
+	buildImageSuccessfully(c, imageName1Tagged, build.WithDockerfile(`FROM busybox
+		 LABEL match me 1 tagged`))
+	imageID1Tagged := getIDByName(c, imageName1Tagged)
+
+	imageName2 := "images_ps_filter_test2"
+	buildImageSuccessfully(c, imageName2, build.WithDockerfile(fmt.Sprintf(`FROM %s
+		 LABEL match me 2`, imageName1)))
+	imageID2 := getIDByName(c, imageName2)
+
+	// start containers
+	dockerCmd(c, "run", "--name=first", "busybox", "echo", "hello")
+	firstID := getIDByName(c, "first")
+
+	// start another container
+	dockerCmd(c, "run", "--name=second", "busybox", "echo", "hello")
+	secondID := getIDByName(c, "second")
+
+	// start third container
+	dockerCmd(c, "run", "--name=third", imageName1, "echo", "hello")
+	thirdID := getIDByName(c, "third")
+
+	// start fourth container
+	dockerCmd(c, "run", "--name=fourth", imageName1Tagged, "echo", "hello")
+	fourthID := getIDByName(c, "fourth")
+
+	// start fifth container
+	dockerCmd(c, "run", "--name=fifth", imageName2, "echo", "hello")
+	fifthID := getIDByName(c, "fifth")
+
+	var filterTestSuite = []struct {
+		filterName  string
+		expectedIDs []string
+	}{
+		// non existent stuff
+		{"nonexistent", []string{}},
+		{"nonexistent:tag", []string{}},
+		// image
+		{"busybox", []string{firstID, secondID, thirdID, fourthID, fifthID}},
+		{imageName1, []string{thirdID, fifthID}},
+		{imageName2, []string{fifthID}},
+		// image:tag
+		{fmt.Sprintf("%s:latest", imageName1), []string{thirdID, fifthID}},
+		{imageName1Tagged, []string{fourthID}},
+		// short-id
+		{stringid.TruncateID(imageID1), []string{thirdID, fifthID}},
+		{stringid.TruncateID(imageID2), []string{fifthID}},
+		// full-id
+		{imageID1, []string{thirdID, fifthID}},
+		{imageID1Tagged, []string{fourthID}},
+		{imageID2, []string{fifthID}},
+	}
+
+	var out string
+	for _, filter := range filterTestSuite {
+		out, _ = dockerCmd(c, "ps", "-a", "-q", "--no-trunc", "--filter=ancestor="+filter.filterName)
+		checkPsAncestorFilterOutput(c, RemoveOutputForExistingElements(out, existingContainers), filter.filterName, filter.expectedIDs)
+	}
+
+	// Multiple ancestor filter
+	out, _ = dockerCmd(c, "ps", "-a", "-q", "--no-trunc", "--filter=ancestor="+imageName2, "--filter=ancestor="+imageName1Tagged)
+	checkPsAncestorFilterOutput(c, RemoveOutputForExistingElements(out, existingContainers), imageName2+","+imageName1Tagged, []string{fourthID, fifthID})
+}
+
+func checkPsAncestorFilterOutput(c *check.C, out string, filterName string, expectedIDs []string) {
+	var actualIDs []string
+	if out != "" {
+		actualIDs = strings.Split(out[:len(out)-1], "\n")
+	}
+	sort.Strings(actualIDs)
+	sort.Strings(expectedIDs)
+
+	c.Assert(actualIDs, checker.HasLen, len(expectedIDs), check.Commentf("Expected filtered container(s) for %s ancestor filter to be %v:%v, got %v:%v", filterName, len(expectedIDs), expectedIDs, len(actualIDs), actualIDs))
+	if len(expectedIDs) > 0 {
+		same := true
+		for i := range expectedIDs {
+			if actualIDs[i] != expectedIDs[i] {
+				c.Logf("%s, %s", actualIDs[i], expectedIDs[i])
+				same = false
+				break
+			}
+		}
+		c.Assert(same, checker.Equals, true, check.Commentf("Expected filtered container(s) for %s ancestor filter to be %v, got %v", filterName, expectedIDs, actualIDs))
+	}
+}
+
+func (s *DockerSuite) TestPsListContainersFilterLabel(c *check.C) {
+	// start container
+	dockerCmd(c, "run", "--name=first", "-l", "match=me", "-l", "second=tag", "busybox")
+	firstID := getIDByName(c, "first")
+
+	// start another container
+	dockerCmd(c, "run", "--name=second", "-l", "match=me too", "busybox")
+	secondID := getIDByName(c, "second")
+
+	// start third container
+	dockerCmd(c, "run", "--name=third", "-l", "nomatch=me", "busybox")
+	thirdID := getIDByName(c, "third")
+
+	// filter containers by exact match
+	out, _ := dockerCmd(c, "ps", "-a", "-q", "--no-trunc", "--filter=label=match=me")
+	containerOut := strings.TrimSpace(out)
+	c.Assert(containerOut, checker.Equals, firstID, check.Commentf("Expected id %s, got %s for exited filter, output: %q", firstID, containerOut, out))
+
+	// filter containers by two labels
+	out, _ = dockerCmd(c, "ps", "-a", "-q", "--no-trunc", "--filter=label=match=me", "--filter=label=second=tag")
+	containerOut = strings.TrimSpace(out)
+	c.Assert(containerOut, checker.Equals, firstID, check.Commentf("Expected id %s, got %s for exited filter, output: %q", firstID, containerOut, out))
+
+	// filter containers by two labels, but expect not found because of AND behavior
+	out, _ = dockerCmd(c, "ps", "-a", "-q", "--no-trunc", "--filter=label=match=me", "--filter=label=second=tag-no")
+	containerOut = strings.TrimSpace(out)
+	c.Assert(containerOut, checker.Equals, "", check.Commentf("Expected nothing, got %s for exited filter, output: %q", containerOut, out))
+
+	// filter containers by exact key
+	out, _ = dockerCmd(c, "ps", "-a", "-q", "--no-trunc", "--filter=label=match")
+	containerOut = strings.TrimSpace(out)
+	c.Assert(containerOut, checker.Contains, firstID)
+	c.Assert(containerOut, checker.Contains, secondID)
+	c.Assert(containerOut, checker.Not(checker.Contains), thirdID)
+}
+
+func (s *DockerSuite) TestPsListContainersFilterExited(c *check.C) {
+	runSleepingContainer(c, "--name=sleep")
+
+	dockerCmd(c, "run", "--name", "zero1", "busybox", "true")
+	firstZero := getIDByName(c, "zero1")
+
+	dockerCmd(c, "run", "--name", "zero2", "busybox", "true")
+	secondZero := getIDByName(c, "zero2")
+
+	out, _, err := dockerCmdWithError("run", "--name", "nonzero1", "busybox", "false")
+	c.Assert(err, checker.NotNil, check.Commentf("Should fail.", out, err))
+
+	firstNonZero := getIDByName(c, "nonzero1")
+
+	out, _, err = dockerCmdWithError("run", "--name", "nonzero2", "busybox", "false")
+	c.Assert(err, checker.NotNil, check.Commentf("Should fail.", out, err))
+	secondNonZero := getIDByName(c, "nonzero2")
+
+	// filter containers by exited=0
+	out, _ = dockerCmd(c, "ps", "-a", "-q", "--no-trunc", "--filter=exited=0")
+	ids := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(ids, checker.HasLen, 2, check.Commentf("Should be 2 zero exited containers got %d: %s", len(ids), out))
+	c.Assert(ids[0], checker.Equals, secondZero, check.Commentf("First in list should be %q, got %q", secondZero, ids[0]))
+	c.Assert(ids[1], checker.Equals, firstZero, check.Commentf("Second in list should be %q, got %q", firstZero, ids[1]))
+
+	out, _ = dockerCmd(c, "ps", "-a", "-q", "--no-trunc", "--filter=exited=1")
+	ids = strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(ids, checker.HasLen, 2, check.Commentf("Should be 2 zero exited containers got %d", len(ids)))
+	c.Assert(ids[0], checker.Equals, secondNonZero, check.Commentf("First in list should be %q, got %q", secondNonZero, ids[0]))
+	c.Assert(ids[1], checker.Equals, firstNonZero, check.Commentf("Second in list should be %q, got %q", firstNonZero, ids[1]))
+
+}
+
+func (s *DockerSuite) TestPsRightTagName(c *check.C) {
+	// TODO Investigate further why this fails on Windows to Windows CI
+	testRequires(c, DaemonIsLinux)
+
+	existingContainers := ExistingContainerNames(c)
+
+	tag := "asybox:shmatest"
+	dockerCmd(c, "tag", "busybox", tag)
+
+	var id1 string
+	out := runSleepingContainer(c)
+	id1 = strings.TrimSpace(string(out))
+
+	var id2 string
+	out = runSleepingContainerInImage(c, tag)
+	id2 = strings.TrimSpace(string(out))
+
+	var imageID string
+	out = inspectField(c, "busybox", "Id")
+	imageID = strings.TrimSpace(string(out))
+
+	var id3 string
+	out = runSleepingContainerInImage(c, imageID)
+	id3 = strings.TrimSpace(string(out))
+
+	out, _ = dockerCmd(c, "ps", "--no-trunc")
+	lines := strings.Split(strings.TrimSpace(string(out)), "\n")
+	lines = RemoveLinesForExistingElements(lines, existingContainers)
+	// skip header
+	lines = lines[1:]
+	c.Assert(lines, checker.HasLen, 3, check.Commentf("There should be 3 running container, got %d", len(lines)))
+	for _, line := range lines {
+		f := strings.Fields(line)
+		switch f[0] {
+		case id1:
+			c.Assert(f[1], checker.Equals, "busybox", check.Commentf("Expected %s tag for id %s, got %s", "busybox", id1, f[1]))
+		case id2:
+			c.Assert(f[1], checker.Equals, tag, check.Commentf("Expected %s tag for id %s, got %s", tag, id2, f[1]))
+		case id3:
+			c.Assert(f[1], checker.Equals, imageID, check.Commentf("Expected %s imageID for id %s, got %s", tag, id3, f[1]))
+		default:
+			c.Fatalf("Unexpected id %s, expected %s and %s and %s", f[0], id1, id2, id3)
+		}
+	}
+}
+
+func (s *DockerSuite) TestPsListContainersFilterCreated(c *check.C) {
+	// create a container
+	out, _ := dockerCmd(c, "create", "busybox")
+	cID := strings.TrimSpace(out)
+	shortCID := cID[:12]
+
+	// Make sure it DOESN'T show up w/o a '-a' for normal 'ps'
+	out, _ = dockerCmd(c, "ps", "-q")
+	c.Assert(out, checker.Not(checker.Contains), shortCID, check.Commentf("Should have not seen '%s' in ps output:\n%s", shortCID, out))
+
+	// Make sure it DOES show up as 'Created' for 'ps -a'
+	out, _ = dockerCmd(c, "ps", "-a")
+
+	hits := 0
+	for _, line := range strings.Split(out, "\n") {
+		if !strings.Contains(line, shortCID) {
+			continue
+		}
+		hits++
+		c.Assert(line, checker.Contains, "Created", check.Commentf("Missing 'Created' on '%s'", line))
+	}
+
+	c.Assert(hits, checker.Equals, 1, check.Commentf("Should have seen '%s' in ps -a output once:%d\n%s", shortCID, hits, out))
+
+	// filter containers by 'create' - note, no -a needed
+	out, _ = dockerCmd(c, "ps", "-q", "-f", "status=created")
+	containerOut := strings.TrimSpace(out)
+	c.Assert(cID, checker.HasPrefix, containerOut)
+}
+
+// Test for GitHub issue #12595
+func (s *DockerSuite) TestPsImageIDAfterUpdate(c *check.C) {
+	// TODO: Investigate why this fails on Windows to Windows CI further.
+	testRequires(c, DaemonIsLinux)
+	originalImageName := "busybox:TestPsImageIDAfterUpdate-original"
+	updatedImageName := "busybox:TestPsImageIDAfterUpdate-updated"
+
+	existingContainers := ExistingContainerIDs(c)
+
+	icmd.RunCommand(dockerBinary, "tag", "busybox:latest", originalImageName).Assert(c, icmd.Success)
+
+	originalImageID := getIDByName(c, originalImageName)
+
+	result := icmd.RunCommand(dockerBinary, append([]string{"run", "-d", originalImageName}, sleepCommandForDaemonPlatform()...)...)
+	result.Assert(c, icmd.Success)
+	containerID := strings.TrimSpace(result.Combined())
+
+	result = icmd.RunCommand(dockerBinary, "ps", "--no-trunc")
+	result.Assert(c, icmd.Success)
+
+	lines := strings.Split(strings.TrimSpace(string(result.Combined())), "\n")
+	lines = RemoveLinesForExistingElements(lines, existingContainers)
+	// skip header
+	lines = lines[1:]
+	c.Assert(len(lines), checker.Equals, 1)
+
+	for _, line := range lines {
+		f := strings.Fields(line)
+		c.Assert(f[1], checker.Equals, originalImageName)
+	}
+
+	icmd.RunCommand(dockerBinary, "commit", containerID, updatedImageName).Assert(c, icmd.Success)
+	icmd.RunCommand(dockerBinary, "tag", updatedImageName, originalImageName).Assert(c, icmd.Success)
+
+	result = icmd.RunCommand(dockerBinary, "ps", "--no-trunc")
+	result.Assert(c, icmd.Success)
+
+	lines = strings.Split(strings.TrimSpace(string(result.Combined())), "\n")
+	lines = RemoveLinesForExistingElements(lines, existingContainers)
+	// skip header
+	lines = lines[1:]
+	c.Assert(len(lines), checker.Equals, 1)
+
+	for _, line := range lines {
+		f := strings.Fields(line)
+		c.Assert(f[1], checker.Equals, originalImageID)
+	}
+
+}
+
+func (s *DockerSuite) TestPsNotShowPortsOfStoppedContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "--name=foo", "-d", "-p", "5000:5000", "busybox", "top")
+	c.Assert(waitRun("foo"), checker.IsNil)
+	out, _ := dockerCmd(c, "ps")
+	lines := strings.Split(strings.TrimSpace(string(out)), "\n")
+	expected := "0.0.0.0:5000->5000/tcp"
+	fields := strings.Fields(lines[1])
+	c.Assert(fields[len(fields)-2], checker.Equals, expected, check.Commentf("Expected: %v, got: %v", expected, fields[len(fields)-2]))
+
+	dockerCmd(c, "kill", "foo")
+	dockerCmd(c, "wait", "foo")
+	out, _ = dockerCmd(c, "ps", "-l")
+	lines = strings.Split(strings.TrimSpace(string(out)), "\n")
+	fields = strings.Fields(lines[1])
+	c.Assert(fields[len(fields)-2], checker.Not(checker.Equals), expected, check.Commentf("Should not got %v", expected))
+}
+
+func (s *DockerSuite) TestPsShowMounts(c *check.C) {
+	existingContainers := ExistingContainerNames(c)
+
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+
+	mp := prefix + slash + "test"
+
+	dockerCmd(c, "volume", "create", "ps-volume-test")
+	// volume mount containers
+	runSleepingContainer(c, "--name=volume-test-1", "--volume", "ps-volume-test:"+mp)
+	c.Assert(waitRun("volume-test-1"), checker.IsNil)
+	runSleepingContainer(c, "--name=volume-test-2", "--volume", mp)
+	c.Assert(waitRun("volume-test-2"), checker.IsNil)
+	// bind mount container
+	var bindMountSource string
+	var bindMountDestination string
+	if DaemonIsWindows() {
+		bindMountSource = "c:\\"
+		bindMountDestination = "c:\\t"
+	} else {
+		bindMountSource = "/tmp"
+		bindMountDestination = "/t"
+	}
+	runSleepingContainer(c, "--name=bind-mount-test", "-v", bindMountSource+":"+bindMountDestination)
+	c.Assert(waitRun("bind-mount-test"), checker.IsNil)
+
+	out, _ := dockerCmd(c, "ps", "--format", "{{.Names}} {{.Mounts}}")
+
+	lines := strings.Split(strings.TrimSpace(string(out)), "\n")
+	lines = RemoveLinesForExistingElements(lines, existingContainers)
+	c.Assert(lines, checker.HasLen, 3)
+
+	fields := strings.Fields(lines[0])
+	c.Assert(fields, checker.HasLen, 2)
+	c.Assert(fields[0], checker.Equals, "bind-mount-test")
+	c.Assert(fields[1], checker.Equals, bindMountSource)
+
+	fields = strings.Fields(lines[1])
+	c.Assert(fields, checker.HasLen, 2)
+
+	anonymousVolumeID := fields[1]
+
+	fields = strings.Fields(lines[2])
+	c.Assert(fields[1], checker.Equals, "ps-volume-test")
+
+	// filter by volume name
+	out, _ = dockerCmd(c, "ps", "--format", "{{.Names}} {{.Mounts}}", "--filter", "volume=ps-volume-test")
+
+	lines = strings.Split(strings.TrimSpace(string(out)), "\n")
+	lines = RemoveLinesForExistingElements(lines, existingContainers)
+	c.Assert(lines, checker.HasLen, 1)
+
+	fields = strings.Fields(lines[0])
+	c.Assert(fields[1], checker.Equals, "ps-volume-test")
+
+	// empty results filtering by unknown volume
+	out, _ = dockerCmd(c, "ps", "--format", "{{.Names}} {{.Mounts}}", "--filter", "volume=this-volume-should-not-exist")
+	c.Assert(strings.TrimSpace(string(out)), checker.HasLen, 0)
+
+	// filter by mount destination
+	out, _ = dockerCmd(c, "ps", "--format", "{{.Names}} {{.Mounts}}", "--filter", "volume="+mp)
+
+	lines = strings.Split(strings.TrimSpace(string(out)), "\n")
+	lines = RemoveLinesForExistingElements(lines, existingContainers)
+	c.Assert(lines, checker.HasLen, 2)
+
+	fields = strings.Fields(lines[0])
+	c.Assert(fields[1], checker.Equals, anonymousVolumeID)
+	fields = strings.Fields(lines[1])
+	c.Assert(fields[1], checker.Equals, "ps-volume-test")
+
+	// filter by bind mount source
+	out, _ = dockerCmd(c, "ps", "--format", "{{.Names}} {{.Mounts}}", "--filter", "volume="+bindMountSource)
+
+	lines = strings.Split(strings.TrimSpace(string(out)), "\n")
+	lines = RemoveLinesForExistingElements(lines, existingContainers)
+	c.Assert(lines, checker.HasLen, 1)
+
+	fields = strings.Fields(lines[0])
+	c.Assert(fields, checker.HasLen, 2)
+	c.Assert(fields[0], checker.Equals, "bind-mount-test")
+	c.Assert(fields[1], checker.Equals, bindMountSource)
+
+	// filter by bind mount destination
+	out, _ = dockerCmd(c, "ps", "--format", "{{.Names}} {{.Mounts}}", "--filter", "volume="+bindMountDestination)
+
+	lines = strings.Split(strings.TrimSpace(string(out)), "\n")
+	lines = RemoveLinesForExistingElements(lines, existingContainers)
+	c.Assert(lines, checker.HasLen, 1)
+
+	fields = strings.Fields(lines[0])
+	c.Assert(fields, checker.HasLen, 2)
+	c.Assert(fields[0], checker.Equals, "bind-mount-test")
+	c.Assert(fields[1], checker.Equals, bindMountSource)
+
+	// empty results filtering by unknown mount point
+	out, _ = dockerCmd(c, "ps", "--format", "{{.Names}} {{.Mounts}}", "--filter", "volume="+prefix+slash+"this-path-was-never-mounted")
+	c.Assert(strings.TrimSpace(string(out)), checker.HasLen, 0)
+}
+
+func (s *DockerSuite) TestPsListContainersFilterNetwork(c *check.C) {
+	existing := ExistingContainerIDs(c)
+
+	// TODO default network on Windows is not called "bridge", and creating a
+	// custom network fails on Windows fails with "Error response from daemon: plugin not found")
+	testRequires(c, DaemonIsLinux)
+
+	// create some containers
+	runSleepingContainer(c, "--net=bridge", "--name=onbridgenetwork")
+	runSleepingContainer(c, "--net=none", "--name=onnonenetwork")
+
+	// Filter docker ps on non existing network
+	out, _ := dockerCmd(c, "ps", "--filter", "network=doesnotexist")
+	containerOut := strings.TrimSpace(string(out))
+	lines := strings.Split(containerOut, "\n")
+
+	// skip header
+	lines = lines[1:]
+
+	// ps output should have no containers
+	c.Assert(RemoveLinesForExistingElements(lines, existing), checker.HasLen, 0)
+
+	// Filter docker ps on network bridge
+	out, _ = dockerCmd(c, "ps", "--filter", "network=bridge")
+	containerOut = strings.TrimSpace(string(out))
+
+	lines = strings.Split(containerOut, "\n")
+
+	// skip header
+	lines = lines[1:]
+
+	// ps output should have only one container
+	c.Assert(RemoveLinesForExistingElements(lines, existing), checker.HasLen, 1)
+
+	// Making sure onbridgenetwork is on the output
+	c.Assert(containerOut, checker.Contains, "onbridgenetwork", check.Commentf("Missing the container on network\n"))
+
+	// Filter docker ps on networks bridge and none
+	out, _ = dockerCmd(c, "ps", "--filter", "network=bridge", "--filter", "network=none")
+	containerOut = strings.TrimSpace(string(out))
+
+	lines = strings.Split(containerOut, "\n")
+
+	// skip header
+	lines = lines[1:]
+
+	//ps output should have both the containers
+	c.Assert(RemoveLinesForExistingElements(lines, existing), checker.HasLen, 2)
+
+	// Making sure onbridgenetwork and onnonenetwork is on the output
+	c.Assert(containerOut, checker.Contains, "onnonenetwork", check.Commentf("Missing the container on none network\n"))
+	c.Assert(containerOut, checker.Contains, "onbridgenetwork", check.Commentf("Missing the container on bridge network\n"))
+
+	nwID, _ := dockerCmd(c, "network", "inspect", "--format", "{{.ID}}", "bridge")
+
+	// Filter by network ID
+	out, _ = dockerCmd(c, "ps", "--filter", "network="+nwID)
+	containerOut = strings.TrimSpace(string(out))
+
+	c.Assert(containerOut, checker.Contains, "onbridgenetwork")
+
+	// Filter by partial network ID
+	partialnwID := string(nwID[0:4])
+
+	out, _ = dockerCmd(c, "ps", "--filter", "network="+partialnwID)
+	containerOut = strings.TrimSpace(string(out))
+
+	lines = strings.Split(containerOut, "\n")
+
+	// skip header
+	lines = lines[1:]
+
+	// ps output should have only one container
+	c.Assert(RemoveLinesForExistingElements(lines, existing), checker.HasLen, 1)
+
+	// Making sure onbridgenetwork is on the output
+	c.Assert(containerOut, checker.Contains, "onbridgenetwork", check.Commentf("Missing the container on network\n"))
+
+}
+
+func (s *DockerSuite) TestPsByOrder(c *check.C) {
+	name1 := "xyz-abc"
+	out := runSleepingContainer(c, "--name", name1)
+	container1 := strings.TrimSpace(out)
+
+	name2 := "xyz-123"
+	out = runSleepingContainer(c, "--name", name2)
+	container2 := strings.TrimSpace(out)
+
+	name3 := "789-abc"
+	out = runSleepingContainer(c, "--name", name3)
+
+	name4 := "789-123"
+	out = runSleepingContainer(c, "--name", name4)
+
+	// Run multiple time should have the same result
+	out = cli.DockerCmd(c, "ps", "--no-trunc", "-q", "-f", "name=xyz").Combined()
+	c.Assert(strings.TrimSpace(out), checker.Equals, fmt.Sprintf("%s\n%s", container2, container1))
+
+	// Run multiple time should have the same result
+	out = cli.DockerCmd(c, "ps", "--no-trunc", "-q", "-f", "name=xyz").Combined()
+	c.Assert(strings.TrimSpace(out), checker.Equals, fmt.Sprintf("%s\n%s", container2, container1))
+}
+
+func (s *DockerSuite) TestPsListContainersFilterPorts(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	existingContainers := ExistingContainerIDs(c)
+
+	out, _ := dockerCmd(c, "run", "-d", "--publish=80", "busybox", "top")
+	id1 := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "run", "-d", "--expose=8080", "busybox", "top")
+	id2 := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "ps", "--no-trunc", "-q")
+	c.Assert(strings.TrimSpace(out), checker.Contains, id1)
+	c.Assert(strings.TrimSpace(out), checker.Contains, id2)
+
+	out, _ = dockerCmd(c, "ps", "--no-trunc", "-q", "--filter", "publish=80-8080/udp")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), id2)
+
+	out, _ = dockerCmd(c, "ps", "--no-trunc", "-q", "--filter", "expose=8081")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), id2)
+
+	out, _ = dockerCmd(c, "ps", "--no-trunc", "-q", "--filter", "publish=80-81")
+	c.Assert(strings.TrimSpace(out), checker.Equals, id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), id2)
+
+	out, _ = dockerCmd(c, "ps", "--no-trunc", "-q", "--filter", "expose=80/tcp")
+	c.Assert(strings.TrimSpace(out), checker.Equals, id1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), id2)
+
+	out, _ = dockerCmd(c, "ps", "--no-trunc", "-q", "--filter", "expose=8080/tcp")
+	out = RemoveOutputForExistingElements(out, existingContainers)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), id1)
+	c.Assert(strings.TrimSpace(out), checker.Equals, id2)
+}
+
+func (s *DockerSuite) TestPsNotShowLinknamesOfDeletedContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux, MinimumAPIVersion("1.31"))
+	existingContainers := ExistingContainerNames(c)
+
+	dockerCmd(c, "create", "--name=aaa", "busybox", "top")
+	dockerCmd(c, "create", "--name=bbb", "--link=aaa", "busybox", "top")
+
+	out, _ := dockerCmd(c, "ps", "--no-trunc", "-a", "--format", "{{.Names}}")
+	lines := strings.Split(strings.TrimSpace(string(out)), "\n")
+	lines = RemoveLinesForExistingElements(lines, existingContainers)
+	expected := []string{"bbb", "aaa,bbb/aaa"}
+	var names []string
+	names = append(names, lines...)
+	c.Assert(expected, checker.DeepEquals, names, check.Commentf("Expected array with non-truncated names: %v, got: %v", expected, names))
+
+	dockerCmd(c, "rm", "bbb")
+
+	out, _ = dockerCmd(c, "ps", "--no-trunc", "-a", "--format", "{{.Names}}")
+	out = RemoveOutputForExistingElements(out, existingContainers)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "aaa")
+}
diff --git a/engine/integration-cli/docker_cli_pull_local_test.go b/engine/integration-cli/docker_cli_pull_local_test.go
new file mode 100644
index 00000000..33d4ae5e
--- /dev/null
+++ b/engine/integration-cli/docker_cli_pull_local_test.go
@@ -0,0 +1,470 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/docker/distribution"
+	"github.com/docker/distribution/manifest"
+	"github.com/docker/distribution/manifest/manifestlist"
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+	"github.com/opencontainers/go-digest"
+	"gotest.tools/icmd"
+)
+
+// testPullImageWithAliases pulls a specific image tag and verifies that any aliases (i.e., other
+// tags for the same image) are not also pulled down.
+//
+// Ref: docker/docker#8141
+func testPullImageWithAliases(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+
+	var repos []string
+	for _, tag := range []string{"recent", "fresh"} {
+		repos = append(repos, fmt.Sprintf("%v:%v", repoName, tag))
+	}
+
+	// Tag and push the same image multiple times.
+	for _, repo := range repos {
+		dockerCmd(c, "tag", "busybox", repo)
+		dockerCmd(c, "push", repo)
+	}
+
+	// Clear local images store.
+	args := append([]string{"rmi"}, repos...)
+	dockerCmd(c, args...)
+
+	// Pull a single tag and verify it doesn't bring down all aliases.
+	dockerCmd(c, "pull", repos[0])
+	dockerCmd(c, "inspect", repos[0])
+	for _, repo := range repos[1:] {
+		_, _, err := dockerCmdWithError("inspect", repo)
+		c.Assert(err, checker.NotNil, check.Commentf("Image %v shouldn't have been pulled down", repo))
+	}
+}
+
+func (s *DockerRegistrySuite) TestPullImageWithAliases(c *check.C) {
+	testPullImageWithAliases(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPullImageWithAliases(c *check.C) {
+	testPullImageWithAliases(c)
+}
+
+// testConcurrentPullWholeRepo pulls the same repo concurrently.
+func testConcurrentPullWholeRepo(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+
+	var repos []string
+	for _, tag := range []string{"recent", "fresh", "todays"} {
+		repo := fmt.Sprintf("%v:%v", repoName, tag)
+		buildImageSuccessfully(c, repo, build.WithDockerfile(fmt.Sprintf(`
+		    FROM busybox
+		    ENTRYPOINT ["/bin/echo"]
+		    ENV FOO foo
+		    ENV BAR bar
+		    CMD echo %s
+		`, repo)))
+		dockerCmd(c, "push", repo)
+		repos = append(repos, repo)
+	}
+
+	// Clear local images store.
+	args := append([]string{"rmi"}, repos...)
+	dockerCmd(c, args...)
+
+	// Run multiple re-pulls concurrently
+	results := make(chan error)
+	numPulls := 3
+
+	for i := 0; i != numPulls; i++ {
+		go func() {
+			result := icmd.RunCommand(dockerBinary, "pull", "-a", repoName)
+			results <- result.Error
+		}()
+	}
+
+	// These checks are separate from the loop above because the check
+	// package is not goroutine-safe.
+	for i := 0; i != numPulls; i++ {
+		err := <-results
+		c.Assert(err, checker.IsNil, check.Commentf("concurrent pull failed with error: %v", err))
+	}
+
+	// Ensure all tags were pulled successfully
+	for _, repo := range repos {
+		dockerCmd(c, "inspect", repo)
+		out, _ := dockerCmd(c, "run", "--rm", repo)
+		c.Assert(strings.TrimSpace(out), checker.Equals, "/bin/sh -c echo "+repo)
+	}
+}
+
+func (s *DockerRegistrySuite) testConcurrentPullWholeRepo(c *check.C) {
+	testConcurrentPullWholeRepo(c)
+}
+
+func (s *DockerSchema1RegistrySuite) testConcurrentPullWholeRepo(c *check.C) {
+	testConcurrentPullWholeRepo(c)
+}
+
+// testConcurrentFailingPull tries a concurrent pull that doesn't succeed.
+func testConcurrentFailingPull(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+
+	// Run multiple pulls concurrently
+	results := make(chan error)
+	numPulls := 3
+
+	for i := 0; i != numPulls; i++ {
+		go func() {
+			result := icmd.RunCommand(dockerBinary, "pull", repoName+":asdfasdf")
+			results <- result.Error
+		}()
+	}
+
+	// These checks are separate from the loop above because the check
+	// package is not goroutine-safe.
+	for i := 0; i != numPulls; i++ {
+		err := <-results
+		c.Assert(err, checker.NotNil, check.Commentf("expected pull to fail"))
+	}
+}
+
+func (s *DockerRegistrySuite) testConcurrentFailingPull(c *check.C) {
+	testConcurrentFailingPull(c)
+}
+
+func (s *DockerSchema1RegistrySuite) testConcurrentFailingPull(c *check.C) {
+	testConcurrentFailingPull(c)
+}
+
+// testConcurrentPullMultipleTags pulls multiple tags from the same repo
+// concurrently.
+func testConcurrentPullMultipleTags(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+
+	var repos []string
+	for _, tag := range []string{"recent", "fresh", "todays"} {
+		repo := fmt.Sprintf("%v:%v", repoName, tag)
+		buildImageSuccessfully(c, repo, build.WithDockerfile(fmt.Sprintf(`
+		    FROM busybox
+		    ENTRYPOINT ["/bin/echo"]
+		    ENV FOO foo
+		    ENV BAR bar
+		    CMD echo %s
+		`, repo)))
+		dockerCmd(c, "push", repo)
+		repos = append(repos, repo)
+	}
+
+	// Clear local images store.
+	args := append([]string{"rmi"}, repos...)
+	dockerCmd(c, args...)
+
+	// Re-pull individual tags, in parallel
+	results := make(chan error)
+
+	for _, repo := range repos {
+		go func(repo string) {
+			result := icmd.RunCommand(dockerBinary, "pull", repo)
+			results <- result.Error
+		}(repo)
+	}
+
+	// These checks are separate from the loop above because the check
+	// package is not goroutine-safe.
+	for range repos {
+		err := <-results
+		c.Assert(err, checker.IsNil, check.Commentf("concurrent pull failed with error: %v", err))
+	}
+
+	// Ensure all tags were pulled successfully
+	for _, repo := range repos {
+		dockerCmd(c, "inspect", repo)
+		out, _ := dockerCmd(c, "run", "--rm", repo)
+		c.Assert(strings.TrimSpace(out), checker.Equals, "/bin/sh -c echo "+repo)
+	}
+}
+
+func (s *DockerRegistrySuite) TestConcurrentPullMultipleTags(c *check.C) {
+	testConcurrentPullMultipleTags(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestConcurrentPullMultipleTags(c *check.C) {
+	testConcurrentPullMultipleTags(c)
+}
+
+// testPullIDStability verifies that pushing an image and pulling it back
+// preserves the image ID.
+func testPullIDStability(c *check.C) {
+	derivedImage := privateRegistryURL + "/dockercli/id-stability"
+	baseImage := "busybox"
+
+	buildImageSuccessfully(c, derivedImage, build.WithDockerfile(fmt.Sprintf(`
+	    FROM %s
+	    ENV derived true
+	    ENV asdf true
+	    RUN dd if=/dev/zero of=/file bs=1024 count=1024
+	    CMD echo %s
+	`, baseImage, derivedImage)))
+
+	originalID := getIDByName(c, derivedImage)
+	dockerCmd(c, "push", derivedImage)
+
+	// Pull
+	out, _ := dockerCmd(c, "pull", derivedImage)
+	if strings.Contains(out, "Pull complete") {
+		c.Fatalf("repull redownloaded a layer: %s", out)
+	}
+
+	derivedIDAfterPull := getIDByName(c, derivedImage)
+
+	if derivedIDAfterPull != originalID {
+		c.Fatal("image's ID unexpectedly changed after a repush/repull")
+	}
+
+	// Make sure the image runs correctly
+	out, _ = dockerCmd(c, "run", "--rm", derivedImage)
+	if strings.TrimSpace(out) != derivedImage {
+		c.Fatalf("expected %s; got %s", derivedImage, out)
+	}
+
+	// Confirm that repushing and repulling does not change the computed ID
+	dockerCmd(c, "push", derivedImage)
+	dockerCmd(c, "rmi", derivedImage)
+	dockerCmd(c, "pull", derivedImage)
+
+	derivedIDAfterPull = getIDByName(c, derivedImage)
+
+	if derivedIDAfterPull != originalID {
+		c.Fatal("image's ID unexpectedly changed after a repush/repull")
+	}
+
+	// Make sure the image still runs
+	out, _ = dockerCmd(c, "run", "--rm", derivedImage)
+	if strings.TrimSpace(out) != derivedImage {
+		c.Fatalf("expected %s; got %s", derivedImage, out)
+	}
+}
+
+func (s *DockerRegistrySuite) TestPullIDStability(c *check.C) {
+	testPullIDStability(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPullIDStability(c *check.C) {
+	testPullIDStability(c)
+}
+
+// #21213
+func testPullNoLayers(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/scratch", privateRegistryURL)
+
+	buildImageSuccessfully(c, repoName, build.WithDockerfile(`
+	FROM scratch
+	ENV foo bar`))
+	dockerCmd(c, "push", repoName)
+	dockerCmd(c, "rmi", repoName)
+	dockerCmd(c, "pull", repoName)
+}
+
+func (s *DockerRegistrySuite) TestPullNoLayers(c *check.C) {
+	testPullNoLayers(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPullNoLayers(c *check.C) {
+	testPullNoLayers(c)
+}
+
+func (s *DockerRegistrySuite) TestPullManifestList(c *check.C) {
+	testRequires(c, NotArm)
+	pushDigest, err := setupImage(c)
+	c.Assert(err, checker.IsNil, check.Commentf("error setting up image"))
+
+	// Inject a manifest list into the registry
+	manifestList := &manifestlist.ManifestList{
+		Versioned: manifest.Versioned{
+			SchemaVersion: 2,
+			MediaType:     manifestlist.MediaTypeManifestList,
+		},
+		Manifests: []manifestlist.ManifestDescriptor{
+			{
+				Descriptor: distribution.Descriptor{
+					Digest:    "sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b",
+					Size:      3253,
+					MediaType: schema2.MediaTypeManifest,
+				},
+				Platform: manifestlist.PlatformSpec{
+					Architecture: "bogus_arch",
+					OS:           "bogus_os",
+				},
+			},
+			{
+				Descriptor: distribution.Descriptor{
+					Digest:    pushDigest,
+					Size:      3253,
+					MediaType: schema2.MediaTypeManifest,
+				},
+				Platform: manifestlist.PlatformSpec{
+					Architecture: runtime.GOARCH,
+					OS:           runtime.GOOS,
+				},
+			},
+		},
+	}
+
+	manifestListJSON, err := json.MarshalIndent(manifestList, "", "   ")
+	c.Assert(err, checker.IsNil, check.Commentf("error marshalling manifest list"))
+
+	manifestListDigest := digest.FromBytes(manifestListJSON)
+	hexDigest := manifestListDigest.Hex()
+
+	registryV2Path := s.reg.Path()
+
+	// Write manifest list to blob store
+	blobDir := filepath.Join(registryV2Path, "blobs", "sha256", hexDigest[:2], hexDigest)
+	err = os.MkdirAll(blobDir, 0755)
+	c.Assert(err, checker.IsNil, check.Commentf("error creating blob dir"))
+	blobPath := filepath.Join(blobDir, "data")
+	err = ioutil.WriteFile(blobPath, []byte(manifestListJSON), 0644)
+	c.Assert(err, checker.IsNil, check.Commentf("error writing manifest list"))
+
+	// Add to revision store
+	revisionDir := filepath.Join(registryV2Path, "repositories", remoteRepoName, "_manifests", "revisions", "sha256", hexDigest)
+	err = os.Mkdir(revisionDir, 0755)
+	c.Assert(err, checker.IsNil, check.Commentf("error creating revision dir"))
+	revisionPath := filepath.Join(revisionDir, "link")
+	err = ioutil.WriteFile(revisionPath, []byte(manifestListDigest.String()), 0644)
+	c.Assert(err, checker.IsNil, check.Commentf("error writing revision link"))
+
+	// Update tag
+	tagPath := filepath.Join(registryV2Path, "repositories", remoteRepoName, "_manifests", "tags", "latest", "current", "link")
+	err = ioutil.WriteFile(tagPath, []byte(manifestListDigest.String()), 0644)
+	c.Assert(err, checker.IsNil, check.Commentf("error writing tag link"))
+
+	// Verify that the image can be pulled through the manifest list.
+	out, _ := dockerCmd(c, "pull", repoName)
+
+	// The pull output includes "Digest: <digest>", so find that
+	matches := digestRegex.FindStringSubmatch(out)
+	c.Assert(matches, checker.HasLen, 2, check.Commentf("unable to parse digest from pull output: %s", out))
+	pullDigest := matches[1]
+
+	// Make sure the pushed and pull digests match
+	c.Assert(manifestListDigest.String(), checker.Equals, pullDigest)
+
+	// Was the image actually created?
+	dockerCmd(c, "inspect", repoName)
+
+	dockerCmd(c, "rmi", repoName)
+}
+
+// #23100
+func (s *DockerRegistryAuthHtpasswdSuite) TestPullWithExternalAuthLoginWithScheme(c *check.C) {
+	osPath := os.Getenv("PATH")
+	defer os.Setenv("PATH", osPath)
+
+	workingDir, err := os.Getwd()
+	c.Assert(err, checker.IsNil)
+	absolute, err := filepath.Abs(filepath.Join(workingDir, "fixtures", "auth"))
+	c.Assert(err, checker.IsNil)
+	testPath := fmt.Sprintf("%s%c%s", osPath, filepath.ListSeparator, absolute)
+
+	os.Setenv("PATH", testPath)
+
+	repoName := fmt.Sprintf("%v/dockercli/busybox:authtest", privateRegistryURL)
+
+	tmp, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, checker.IsNil)
+
+	externalAuthConfig := `{ "credsStore": "shell-test" }`
+
+	configPath := filepath.Join(tmp, "config.json")
+	err = ioutil.WriteFile(configPath, []byte(externalAuthConfig), 0644)
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "--config", tmp, "login", "-u", s.reg.Username(), "-p", s.reg.Password(), privateRegistryURL)
+
+	b, err := ioutil.ReadFile(configPath)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b), checker.Not(checker.Contains), "\"auth\":")
+
+	dockerCmd(c, "--config", tmp, "tag", "busybox", repoName)
+	dockerCmd(c, "--config", tmp, "push", repoName)
+
+	dockerCmd(c, "--config", tmp, "logout", privateRegistryURL)
+	dockerCmd(c, "--config", tmp, "login", "-u", s.reg.Username(), "-p", s.reg.Password(), "https://"+privateRegistryURL)
+	dockerCmd(c, "--config", tmp, "pull", repoName)
+
+	// likewise push should work
+	repoName2 := fmt.Sprintf("%v/dockercli/busybox:nocreds", privateRegistryURL)
+	dockerCmd(c, "tag", repoName, repoName2)
+	dockerCmd(c, "--config", tmp, "push", repoName2)
+
+	// logout should work w scheme also because it will be stripped
+	dockerCmd(c, "--config", tmp, "logout", "https://"+privateRegistryURL)
+}
+
+func (s *DockerRegistryAuthHtpasswdSuite) TestPullWithExternalAuth(c *check.C) {
+	osPath := os.Getenv("PATH")
+	defer os.Setenv("PATH", osPath)
+
+	workingDir, err := os.Getwd()
+	c.Assert(err, checker.IsNil)
+	absolute, err := filepath.Abs(filepath.Join(workingDir, "fixtures", "auth"))
+	c.Assert(err, checker.IsNil)
+	testPath := fmt.Sprintf("%s%c%s", osPath, filepath.ListSeparator, absolute)
+
+	os.Setenv("PATH", testPath)
+
+	repoName := fmt.Sprintf("%v/dockercli/busybox:authtest", privateRegistryURL)
+
+	tmp, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, checker.IsNil)
+
+	externalAuthConfig := `{ "credsStore": "shell-test" }`
+
+	configPath := filepath.Join(tmp, "config.json")
+	err = ioutil.WriteFile(configPath, []byte(externalAuthConfig), 0644)
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "--config", tmp, "login", "-u", s.reg.Username(), "-p", s.reg.Password(), privateRegistryURL)
+
+	b, err := ioutil.ReadFile(configPath)
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(b), checker.Not(checker.Contains), "\"auth\":")
+
+	dockerCmd(c, "--config", tmp, "tag", "busybox", repoName)
+	dockerCmd(c, "--config", tmp, "push", repoName)
+
+	dockerCmd(c, "--config", tmp, "pull", repoName)
+}
+
+// TestRunImplicitPullWithNoTag should pull implicitly only the default tag (latest)
+func (s *DockerRegistrySuite) TestRunImplicitPullWithNoTag(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	repo := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+	repoTag1 := fmt.Sprintf("%v:latest", repo)
+	repoTag2 := fmt.Sprintf("%v:t1", repo)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoTag1)
+	dockerCmd(c, "tag", "busybox", repoTag2)
+	dockerCmd(c, "push", repo)
+	dockerCmd(c, "rmi", repoTag1)
+	dockerCmd(c, "rmi", repoTag2)
+
+	out, _ := dockerCmd(c, "run", repo)
+	c.Assert(out, checker.Contains, fmt.Sprintf("Unable to find image '%s:latest' locally", repo))
+
+	// There should be only one line for repo, the one with repo:latest
+	outImageCmd, _ := dockerCmd(c, "images", repo)
+	splitOutImageCmd := strings.Split(strings.TrimSpace(outImageCmd), "\n")
+	c.Assert(splitOutImageCmd, checker.HasLen, 2)
+}
diff --git a/engine/integration-cli/docker_cli_pull_test.go b/engine/integration-cli/docker_cli_pull_test.go
new file mode 100644
index 00000000..0e88b1e5
--- /dev/null
+++ b/engine/integration-cli/docker_cli_pull_test.go
@@ -0,0 +1,274 @@
+package main
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"github.com/opencontainers/go-digest"
+)
+
+// TestPullFromCentralRegistry pulls an image from the central registry and verifies that the client
+// prints all expected output.
+func (s *DockerHubPullSuite) TestPullFromCentralRegistry(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out := s.Cmd(c, "pull", "hello-world")
+	defer deleteImages("hello-world")
+
+	c.Assert(out, checker.Contains, "Using default tag: latest", check.Commentf("expected the 'latest' tag to be automatically assumed"))
+	c.Assert(out, checker.Contains, "Pulling from library/hello-world", check.Commentf("expected the 'library/' prefix to be automatically assumed"))
+	c.Assert(out, checker.Contains, "Downloaded newer image for hello-world:latest")
+
+	matches := regexp.MustCompile(`Digest: (.+)\n`).FindAllStringSubmatch(out, -1)
+	c.Assert(len(matches), checker.Equals, 1, check.Commentf("expected exactly one image digest in the output"))
+	c.Assert(len(matches[0]), checker.Equals, 2, check.Commentf("unexpected number of submatches for the digest"))
+	_, err := digest.Parse(matches[0][1])
+	c.Check(err, checker.IsNil, check.Commentf("invalid digest %q in output", matches[0][1]))
+
+	// We should have a single entry in images.
+	img := strings.TrimSpace(s.Cmd(c, "images"))
+	splitImg := strings.Split(img, "\n")
+	c.Assert(splitImg, checker.HasLen, 2)
+	c.Assert(splitImg[1], checker.Matches, `hello-world\s+latest.*?`, check.Commentf("invalid output for `docker images` (expected image and tag name"))
+}
+
+// TestPullNonExistingImage pulls non-existing images from the central registry, with different
+// combinations of implicit tag and library prefix.
+func (s *DockerHubPullSuite) TestPullNonExistingImage(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	type entry struct {
+		repo  string
+		alias string
+		tag   string
+	}
+
+	entries := []entry{
+		{"asdfasdf", "asdfasdf", "foobar"},
+		{"asdfasdf", "library/asdfasdf", "foobar"},
+		{"asdfasdf", "asdfasdf", ""},
+		{"asdfasdf", "asdfasdf", "latest"},
+		{"asdfasdf", "library/asdfasdf", ""},
+		{"asdfasdf", "library/asdfasdf", "latest"},
+	}
+
+	// The option field indicates "-a" or not.
+	type record struct {
+		e      entry
+		option string
+		out    string
+		err    error
+	}
+
+	// Execute 'docker pull' in parallel, pass results (out, err) and
+	// necessary information ("-a" or not, and the image name) to channel.
+	var group sync.WaitGroup
+	recordChan := make(chan record, len(entries)*2)
+	for _, e := range entries {
+		group.Add(1)
+		go func(e entry) {
+			defer group.Done()
+			repoName := e.alias
+			if e.tag != "" {
+				repoName += ":" + e.tag
+			}
+			out, err := s.CmdWithError("pull", repoName)
+			recordChan <- record{e, "", out, err}
+		}(e)
+		if e.tag == "" {
+			// pull -a on a nonexistent registry should fall back as well
+			group.Add(1)
+			go func(e entry) {
+				defer group.Done()
+				out, err := s.CmdWithError("pull", "-a", e.alias)
+				recordChan <- record{e, "-a", out, err}
+			}(e)
+		}
+	}
+
+	// Wait for completion
+	group.Wait()
+	close(recordChan)
+
+	// Process the results (out, err).
+	for record := range recordChan {
+		if len(record.option) == 0 {
+			c.Assert(record.err, checker.NotNil, check.Commentf("expected non-zero exit status when pulling non-existing image: %s", record.out))
+			c.Assert(record.out, checker.Contains, fmt.Sprintf("pull access denied for %s, repository does not exist or may require 'docker login'", record.e.repo), check.Commentf("expected image not found error messages"))
+		} else {
+			// pull -a on a nonexistent registry should fall back as well
+			c.Assert(record.err, checker.NotNil, check.Commentf("expected non-zero exit status when pulling non-existing image: %s", record.out))
+			c.Assert(record.out, checker.Contains, fmt.Sprintf("pull access denied for %s, repository does not exist or may require 'docker login'", record.e.repo), check.Commentf("expected image not found error messages"))
+			c.Assert(record.out, checker.Not(checker.Contains), "unauthorized", check.Commentf(`message should not contain "unauthorized"`))
+		}
+	}
+
+}
+
+// TestPullFromCentralRegistryImplicitRefParts pulls an image from the central registry and verifies
+// that pulling the same image with different combinations of implicit elements of the image
+// reference (tag, repository, central registry url, ...) doesn't trigger a new pull nor leads to
+// multiple images.
+func (s *DockerHubPullSuite) TestPullFromCentralRegistryImplicitRefParts(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	// Pull hello-world from v2
+	pullFromV2 := func(ref string) (int, string) {
+		out := s.Cmd(c, "pull", "hello-world")
+		v1Retries := 0
+		for strings.Contains(out, "this image was pulled from a legacy registry") {
+			// Some network errors may cause fallbacks to the v1
+			// protocol, which would violate the test's assumption
+			// that it will get the same images. To make the test
+			// more robust against these network glitches, allow a
+			// few retries if we end up with a v1 pull.
+
+			if v1Retries > 2 {
+				c.Fatalf("too many v1 fallback incidents when pulling %s", ref)
+			}
+
+			s.Cmd(c, "rmi", ref)
+			out = s.Cmd(c, "pull", ref)
+
+			v1Retries++
+		}
+
+		return v1Retries, out
+	}
+
+	pullFromV2("hello-world")
+	defer deleteImages("hello-world")
+
+	s.Cmd(c, "tag", "hello-world", "hello-world-backup")
+
+	for _, ref := range []string{
+		"hello-world",
+		"hello-world:latest",
+		"library/hello-world",
+		"library/hello-world:latest",
+		"docker.io/library/hello-world",
+		"index.docker.io/library/hello-world",
+	} {
+		var out string
+		for {
+			var v1Retries int
+			v1Retries, out = pullFromV2(ref)
+
+			// Keep repeating the test case until we don't hit a v1
+			// fallback case. We won't get the right "Image is up
+			// to date" message if the local image was replaced
+			// with one pulled from v1.
+			if v1Retries == 0 {
+				break
+			}
+			s.Cmd(c, "rmi", ref)
+			s.Cmd(c, "tag", "hello-world-backup", "hello-world")
+		}
+		c.Assert(out, checker.Contains, "Image is up to date for hello-world:latest")
+	}
+
+	s.Cmd(c, "rmi", "hello-world-backup")
+
+	// We should have a single entry in images.
+	img := strings.TrimSpace(s.Cmd(c, "images"))
+	splitImg := strings.Split(img, "\n")
+	c.Assert(splitImg, checker.HasLen, 2)
+	c.Assert(splitImg[1], checker.Matches, `hello-world\s+latest.*?`, check.Commentf("invalid output for `docker images` (expected image and tag name"))
+}
+
+// TestPullScratchNotAllowed verifies that pulling 'scratch' is rejected.
+func (s *DockerHubPullSuite) TestPullScratchNotAllowed(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, err := s.CmdWithError("pull", "scratch")
+	c.Assert(err, checker.NotNil, check.Commentf("expected pull of scratch to fail"))
+	c.Assert(out, checker.Contains, "'scratch' is a reserved name")
+	c.Assert(out, checker.Not(checker.Contains), "Pulling repository scratch")
+}
+
+// TestPullAllTagsFromCentralRegistry pulls using `all-tags` for a given image and verifies that it
+// results in more images than a naked pull.
+func (s *DockerHubPullSuite) TestPullAllTagsFromCentralRegistry(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	s.Cmd(c, "pull", "dockercore/engine-pull-all-test-fixture")
+	outImageCmd := s.Cmd(c, "images", "dockercore/engine-pull-all-test-fixture")
+	splitOutImageCmd := strings.Split(strings.TrimSpace(outImageCmd), "\n")
+	c.Assert(splitOutImageCmd, checker.HasLen, 2)
+
+	s.Cmd(c, "pull", "--all-tags=true", "dockercore/engine-pull-all-test-fixture")
+	outImageAllTagCmd := s.Cmd(c, "images", "dockercore/engine-pull-all-test-fixture")
+	linesCount := strings.Count(outImageAllTagCmd, "\n")
+	c.Assert(linesCount, checker.GreaterThan, 2, check.Commentf("pulling all tags should provide more than two images, got %s", outImageAllTagCmd))
+
+	// Verify that the line for 'dockercore/engine-pull-all-test-fixture:latest' is left unchanged.
+	var latestLine string
+	for _, line := range strings.Split(outImageAllTagCmd, "\n") {
+		if strings.HasPrefix(line, "dockercore/engine-pull-all-test-fixture") && strings.Contains(line, "latest") {
+			latestLine = line
+			break
+		}
+	}
+	c.Assert(latestLine, checker.Not(checker.Equals), "", check.Commentf("no entry for dockercore/engine-pull-all-test-fixture:latest found after pulling all tags"))
+
+	splitLatest := strings.Fields(latestLine)
+	splitCurrent := strings.Fields(splitOutImageCmd[1])
+
+	// Clear relative creation times, since these can easily change between
+	// two invocations of "docker images". Without this, the test can fail
+	// like this:
+	// ... obtained []string = []string{"busybox", "latest", "d9551b4026f0", "27", "minutes", "ago", "1.113", "MB"}
+	// ... expected []string = []string{"busybox", "latest", "d9551b4026f0", "26", "minutes", "ago", "1.113", "MB"}
+	splitLatest[3] = ""
+	splitLatest[4] = ""
+	splitLatest[5] = ""
+	splitCurrent[3] = ""
+	splitCurrent[4] = ""
+	splitCurrent[5] = ""
+
+	c.Assert(splitLatest, checker.DeepEquals, splitCurrent, check.Commentf("dockercore/engine-pull-all-test-fixture:latest was changed after pulling all tags"))
+}
+
+// TestPullClientDisconnect kills the client during a pull operation and verifies that the operation
+// gets cancelled.
+//
+// Ref: docker/docker#15589
+func (s *DockerHubPullSuite) TestPullClientDisconnect(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	repoName := "hello-world:latest"
+
+	pullCmd := s.MakeCmd("pull", repoName)
+	stdout, err := pullCmd.StdoutPipe()
+	c.Assert(err, checker.IsNil)
+	err = pullCmd.Start()
+	c.Assert(err, checker.IsNil)
+	go pullCmd.Wait()
+
+	// Cancel as soon as we get some output.
+	buf := make([]byte, 10)
+	_, err = stdout.Read(buf)
+	c.Assert(err, checker.IsNil)
+
+	err = pullCmd.Process.Kill()
+	c.Assert(err, checker.IsNil)
+
+	time.Sleep(2 * time.Second)
+	_, err = s.CmdWithError("inspect", repoName)
+	c.Assert(err, checker.NotNil, check.Commentf("image was pulled after client disconnected"))
+}
+
+// Regression test for https://github.com/docker/docker/issues/26429
+func (s *DockerSuite) TestPullLinuxImageFailsOnWindows(c *check.C) {
+	testRequires(c, DaemonIsWindows, Network)
+	_, _, err := dockerCmdWithError("pull", "ubuntu")
+	c.Assert(err.Error(), checker.Contains, "no matching manifest")
+}
+
+// Regression test for https://github.com/docker/docker/issues/28892
+func (s *DockerSuite) TestPullWindowsImageFailsOnLinux(c *check.C) {
+	testRequires(c, DaemonIsLinux, Network)
+	_, _, err := dockerCmdWithError("pull", "microsoft/nanoserver")
+	c.Assert(err.Error(), checker.Contains, "cannot be used on this platform")
+}
diff --git a/engine/integration-cli/docker_cli_push_test.go b/engine/integration-cli/docker_cli_push_test.go
new file mode 100644
index 00000000..01ad8291
--- /dev/null
+++ b/engine/integration-cli/docker_cli_push_test.go
@@ -0,0 +1,382 @@
+package main
+
+import (
+	"archive/tar"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"strings"
+	"sync"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+// Pushing an image to a private registry.
+func testPushBusyboxImage(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+	// tag the image to upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoName)
+	// push the image to the registry
+	dockerCmd(c, "push", repoName)
+}
+
+func (s *DockerRegistrySuite) TestPushBusyboxImage(c *check.C) {
+	testPushBusyboxImage(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPushBusyboxImage(c *check.C) {
+	testPushBusyboxImage(c)
+}
+
+// pushing an image without a prefix should throw an error
+func (s *DockerSuite) TestPushUnprefixedRepo(c *check.C) {
+	out, _, err := dockerCmdWithError("push", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf("pushing an unprefixed repo didn't result in a non-zero exit status: %s", out))
+}
+
+func testPushUntagged(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+	expected := "An image does not exist locally with the tag"
+
+	out, _, err := dockerCmdWithError("push", repoName)
+	c.Assert(err, check.NotNil, check.Commentf("pushing the image to the private registry should have failed: output %q", out))
+	c.Assert(out, checker.Contains, expected, check.Commentf("pushing the image failed"))
+}
+
+func (s *DockerRegistrySuite) TestPushUntagged(c *check.C) {
+	testPushUntagged(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPushUntagged(c *check.C) {
+	testPushUntagged(c)
+}
+
+func testPushBadTag(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/busybox:latest", privateRegistryURL)
+	expected := "does not exist"
+
+	out, _, err := dockerCmdWithError("push", repoName)
+	c.Assert(err, check.NotNil, check.Commentf("pushing the image to the private registry should have failed: output %q", out))
+	c.Assert(out, checker.Contains, expected, check.Commentf("pushing the image failed"))
+}
+
+func (s *DockerRegistrySuite) TestPushBadTag(c *check.C) {
+	testPushBadTag(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPushBadTag(c *check.C) {
+	testPushBadTag(c)
+}
+
+func testPushMultipleTags(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+	repoTag1 := fmt.Sprintf("%v/dockercli/busybox:t1", privateRegistryURL)
+	repoTag2 := fmt.Sprintf("%v/dockercli/busybox:t2", privateRegistryURL)
+	// tag the image and upload it to the private registry
+	dockerCmd(c, "tag", "busybox", repoTag1)
+
+	dockerCmd(c, "tag", "busybox", repoTag2)
+
+	dockerCmd(c, "push", repoName)
+
+	// Ensure layer list is equivalent for repoTag1 and repoTag2
+	out1, _ := dockerCmd(c, "pull", repoTag1)
+
+	imageAlreadyExists := ": Image already exists"
+	var out1Lines []string
+	for _, outputLine := range strings.Split(out1, "\n") {
+		if strings.Contains(outputLine, imageAlreadyExists) {
+			out1Lines = append(out1Lines, outputLine)
+		}
+	}
+
+	out2, _ := dockerCmd(c, "pull", repoTag2)
+
+	var out2Lines []string
+	for _, outputLine := range strings.Split(out2, "\n") {
+		if strings.Contains(outputLine, imageAlreadyExists) {
+			out1Lines = append(out1Lines, outputLine)
+		}
+	}
+	c.Assert(out2Lines, checker.HasLen, len(out1Lines))
+
+	for i := range out1Lines {
+		c.Assert(out1Lines[i], checker.Equals, out2Lines[i])
+	}
+}
+
+func (s *DockerRegistrySuite) TestPushMultipleTags(c *check.C) {
+	testPushMultipleTags(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPushMultipleTags(c *check.C) {
+	testPushMultipleTags(c)
+}
+
+func testPushEmptyLayer(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/emptylayer", privateRegistryURL)
+	emptyTarball, err := ioutil.TempFile("", "empty_tarball")
+	c.Assert(err, check.IsNil, check.Commentf("Unable to create test file"))
+
+	tw := tar.NewWriter(emptyTarball)
+	err = tw.Close()
+	c.Assert(err, check.IsNil, check.Commentf("Error creating empty tarball"))
+
+	freader, err := os.Open(emptyTarball.Name())
+	c.Assert(err, check.IsNil, check.Commentf("Could not open test tarball"))
+	defer freader.Close()
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "import", "-", repoName},
+		Stdin:   freader,
+	}).Assert(c, icmd.Success)
+
+	// Now verify we can push it
+	out, _, err := dockerCmdWithError("push", repoName)
+	c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out))
+}
+
+func (s *DockerRegistrySuite) TestPushEmptyLayer(c *check.C) {
+	testPushEmptyLayer(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestPushEmptyLayer(c *check.C) {
+	testPushEmptyLayer(c)
+}
+
+// testConcurrentPush pushes multiple tags to the same repo
+// concurrently.
+func testConcurrentPush(c *check.C) {
+	repoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+
+	var repos []string
+	for _, tag := range []string{"push1", "push2", "push3"} {
+		repo := fmt.Sprintf("%v:%v", repoName, tag)
+		buildImageSuccessfully(c, repo, build.WithDockerfile(fmt.Sprintf(`
+	FROM busybox
+	ENTRYPOINT ["/bin/echo"]
+	ENV FOO foo
+	ENV BAR bar
+	CMD echo %s
+`, repo)))
+		repos = append(repos, repo)
+	}
+
+	// Push tags, in parallel
+	results := make(chan error)
+
+	for _, repo := range repos {
+		go func(repo string) {
+			result := icmd.RunCommand(dockerBinary, "push", repo)
+			results <- result.Error
+		}(repo)
+	}
+
+	for range repos {
+		err := <-results
+		c.Assert(err, checker.IsNil, check.Commentf("concurrent push failed with error: %v", err))
+	}
+
+	// Clear local images store.
+	args := append([]string{"rmi"}, repos...)
+	dockerCmd(c, args...)
+
+	// Re-pull and run individual tags, to make sure pushes succeeded
+	for _, repo := range repos {
+		dockerCmd(c, "pull", repo)
+		dockerCmd(c, "inspect", repo)
+		out, _ := dockerCmd(c, "run", "--rm", repo)
+		c.Assert(strings.TrimSpace(out), checker.Equals, "/bin/sh -c echo "+repo)
+	}
+}
+
+func (s *DockerRegistrySuite) TestConcurrentPush(c *check.C) {
+	testConcurrentPush(c)
+}
+
+func (s *DockerSchema1RegistrySuite) TestConcurrentPush(c *check.C) {
+	testConcurrentPush(c)
+}
+
+func (s *DockerRegistrySuite) TestCrossRepositoryLayerPush(c *check.C) {
+	sourceRepoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+	// tag the image to upload it to the private registry
+	dockerCmd(c, "tag", "busybox", sourceRepoName)
+	// push the image to the registry
+	out1, _, err := dockerCmdWithError("push", sourceRepoName)
+	c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out1))
+	// ensure that none of the layers were mounted from another repository during push
+	c.Assert(strings.Contains(out1, "Mounted from"), check.Equals, false)
+
+	digest1 := reference.DigestRegexp.FindString(out1)
+	c.Assert(len(digest1), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest"))
+
+	destRepoName := fmt.Sprintf("%v/dockercli/crossrepopush", privateRegistryURL)
+	// retag the image to upload the same layers to another repo in the same registry
+	dockerCmd(c, "tag", "busybox", destRepoName)
+	// push the image to the registry
+	out2, _, err := dockerCmdWithError("push", destRepoName)
+	c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2))
+	// ensure that layers were mounted from the first repo during push
+	c.Assert(strings.Contains(out2, "Mounted from dockercli/busybox"), check.Equals, true)
+
+	digest2 := reference.DigestRegexp.FindString(out2)
+	c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest"))
+	c.Assert(digest1, check.Equals, digest2)
+
+	// ensure that pushing again produces the same digest
+	out3, _, err := dockerCmdWithError("push", destRepoName)
+	c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2))
+
+	digest3 := reference.DigestRegexp.FindString(out3)
+	c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest"))
+	c.Assert(digest3, check.Equals, digest2)
+
+	// ensure that we can pull and run the cross-repo-pushed repository
+	dockerCmd(c, "rmi", destRepoName)
+	dockerCmd(c, "pull", destRepoName)
+	out4, _ := dockerCmd(c, "run", destRepoName, "echo", "-n", "hello world")
+	c.Assert(out4, check.Equals, "hello world")
+}
+
+func (s *DockerSchema1RegistrySuite) TestCrossRepositoryLayerPushNotSupported(c *check.C) {
+	sourceRepoName := fmt.Sprintf("%v/dockercli/busybox", privateRegistryURL)
+	// tag the image to upload it to the private registry
+	dockerCmd(c, "tag", "busybox", sourceRepoName)
+	// push the image to the registry
+	out1, _, err := dockerCmdWithError("push", sourceRepoName)
+	c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out1))
+	// ensure that none of the layers were mounted from another repository during push
+	c.Assert(strings.Contains(out1, "Mounted from"), check.Equals, false)
+
+	digest1 := reference.DigestRegexp.FindString(out1)
+	c.Assert(len(digest1), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest"))
+
+	destRepoName := fmt.Sprintf("%v/dockercli/crossrepopush", privateRegistryURL)
+	// retag the image to upload the same layers to another repo in the same registry
+	dockerCmd(c, "tag", "busybox", destRepoName)
+	// push the image to the registry
+	out2, _, err := dockerCmdWithError("push", destRepoName)
+	c.Assert(err, check.IsNil, check.Commentf("pushing the image to the private registry has failed: %s", out2))
+	// schema1 registry should not support cross-repo layer mounts, so ensure that this does not happen
+	c.Assert(strings.Contains(out2, "Mounted from"), check.Equals, false)
+
+	digest2 := reference.DigestRegexp.FindString(out2)
+	c.Assert(len(digest2), checker.GreaterThan, 0, check.Commentf("no digest found for pushed manifest"))
+	c.Assert(digest1, check.Not(check.Equals), digest2)
+
+	// ensure that we can pull and run the second pushed repository
+	dockerCmd(c, "rmi", destRepoName)
+	dockerCmd(c, "pull", destRepoName)
+	out3, _ := dockerCmd(c, "run", destRepoName, "echo", "-n", "hello world")
+	c.Assert(out3, check.Equals, "hello world")
+}
+
+func (s *DockerRegistryAuthHtpasswdSuite) TestPushNoCredentialsNoRetry(c *check.C) {
+	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
+	dockerCmd(c, "tag", "busybox", repoName)
+	out, _, err := dockerCmdWithError("push", repoName)
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, check.Not(checker.Contains), "Retrying")
+	c.Assert(out, checker.Contains, "no basic auth credentials")
+}
+
+// This may be flaky but it's needed not to regress on unauthorized push, see #21054
+func (s *DockerSuite) TestPushToCentralRegistryUnauthorized(c *check.C) {
+	testRequires(c, Network)
+	repoName := "test/busybox"
+	dockerCmd(c, "tag", "busybox", repoName)
+	out, _, err := dockerCmdWithError("push", repoName)
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, check.Not(checker.Contains), "Retrying")
+}
+
+func getTestTokenService(status int, body string, retries int) *httptest.Server {
+	var mu sync.Mutex
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		mu.Lock()
+		if retries > 0 {
+			w.WriteHeader(http.StatusServiceUnavailable)
+			w.Header().Set("Content-Type", "application/json")
+			w.Write([]byte(`{"errors":[{"code":"UNAVAILABLE","message":"cannot create token at this time"}]}`))
+			retries--
+		} else {
+			w.WriteHeader(status)
+			w.Header().Set("Content-Type", "application/json")
+			w.Write([]byte(body))
+		}
+		mu.Unlock()
+	}))
+}
+
+func (s *DockerRegistryAuthTokenSuite) TestPushTokenServiceUnauthResponse(c *check.C) {
+	ts := getTestTokenService(http.StatusUnauthorized, `{"errors": [{"Code":"UNAUTHORIZED", "message": "a message", "detail": null}]}`, 0)
+	defer ts.Close()
+	s.setupRegistryWithTokenService(c, ts.URL)
+	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
+	dockerCmd(c, "tag", "busybox", repoName)
+	out, _, err := dockerCmdWithError("push", repoName)
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Not(checker.Contains), "Retrying")
+	c.Assert(out, checker.Contains, "unauthorized: a message")
+}
+
+func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnauthorized(c *check.C) {
+	ts := getTestTokenService(http.StatusUnauthorized, `{"error": "unauthorized"}`, 0)
+	defer ts.Close()
+	s.setupRegistryWithTokenService(c, ts.URL)
+	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
+	dockerCmd(c, "tag", "busybox", repoName)
+	out, _, err := dockerCmdWithError("push", repoName)
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Not(checker.Contains), "Retrying")
+	split := strings.Split(out, "\n")
+	c.Assert(split[len(split)-2], check.Equals, "unauthorized: authentication required")
+}
+
+func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseError(c *check.C) {
+	ts := getTestTokenService(http.StatusTooManyRequests, `{"errors": [{"code":"TOOMANYREQUESTS","message":"out of tokens"}]}`, 3)
+	defer ts.Close()
+	s.setupRegistryWithTokenService(c, ts.URL)
+	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
+	dockerCmd(c, "tag", "busybox", repoName)
+	out, _, err := dockerCmdWithError("push", repoName)
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	// TODO: isolate test so that it can be guaranteed that the 503 will trigger xfer retries
+	//c.Assert(out, checker.Contains, "Retrying")
+	//c.Assert(out, checker.Not(checker.Contains), "Retrying in 15")
+	split := strings.Split(out, "\n")
+	c.Assert(split[len(split)-2], check.Equals, "toomanyrequests: out of tokens")
+}
+
+func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnparsable(c *check.C) {
+	ts := getTestTokenService(http.StatusForbidden, `no way`, 0)
+	defer ts.Close()
+	s.setupRegistryWithTokenService(c, ts.URL)
+	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
+	dockerCmd(c, "tag", "busybox", repoName)
+	out, _, err := dockerCmdWithError("push", repoName)
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Not(checker.Contains), "Retrying")
+	split := strings.Split(out, "\n")
+	c.Assert(split[len(split)-2], checker.Contains, "error parsing HTTP 403 response body: ")
+}
+
+func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseNoToken(c *check.C) {
+	ts := getTestTokenService(http.StatusOK, `{"something": "wrong"}`, 0)
+	defer ts.Close()
+	s.setupRegistryWithTokenService(c, ts.URL)
+	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)
+	dockerCmd(c, "tag", "busybox", repoName)
+	out, _, err := dockerCmdWithError("push", repoName)
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Not(checker.Contains), "Retrying")
+	split := strings.Split(out, "\n")
+	c.Assert(split[len(split)-2], check.Equals, "authorization server did not include a token in the response")
+}
diff --git a/engine/integration-cli/docker_cli_registry_user_agent_test.go b/engine/integration-cli/docker_cli_registry_user_agent_test.go
new file mode 100644
index 00000000..7ee3c3d1
--- /dev/null
+++ b/engine/integration-cli/docker_cli_registry_user_agent_test.go
@@ -0,0 +1,103 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"regexp"
+
+	"github.com/docker/docker/internal/test/registry"
+	"github.com/go-check/check"
+)
+
+// unescapeBackslashSemicolonParens unescapes \;()
+func unescapeBackslashSemicolonParens(s string) string {
+	re := regexp.MustCompile(`\\;`)
+	ret := re.ReplaceAll([]byte(s), []byte(";"))
+
+	re = regexp.MustCompile(`\\\(`)
+	ret = re.ReplaceAll([]byte(ret), []byte("("))
+
+	re = regexp.MustCompile(`\\\)`)
+	ret = re.ReplaceAll([]byte(ret), []byte(")"))
+
+	re = regexp.MustCompile(`\\\\`)
+	ret = re.ReplaceAll([]byte(ret), []byte(`\`))
+
+	return string(ret)
+}
+
+func regexpCheckUA(c *check.C, ua string) {
+	re := regexp.MustCompile("(?P<dockerUA>.+) UpstreamClient(?P<upstreamUA>.+)")
+	substrArr := re.FindStringSubmatch(ua)
+
+	c.Assert(substrArr, check.HasLen, 3, check.Commentf("Expected 'UpstreamClient()' with upstream client UA"))
+	dockerUA := substrArr[1]
+	upstreamUAEscaped := substrArr[2]
+
+	// check dockerUA looks correct
+	reDockerUA := regexp.MustCompile("^docker/[0-9A-Za-z+]")
+	bMatchDockerUA := reDockerUA.MatchString(dockerUA)
+	c.Assert(bMatchDockerUA, check.Equals, true, check.Commentf("Docker Engine User-Agent malformed"))
+
+	// check upstreamUA looks correct
+	// Expecting something like:  Docker-Client/1.11.0-dev (linux)
+	upstreamUA := unescapeBackslashSemicolonParens(upstreamUAEscaped)
+	reUpstreamUA := regexp.MustCompile("^\\(Docker-Client/[0-9A-Za-z+]")
+	bMatchUpstreamUA := reUpstreamUA.MatchString(upstreamUA)
+	c.Assert(bMatchUpstreamUA, check.Equals, true, check.Commentf("(Upstream) Docker Client User-Agent malformed"))
+}
+
+// registerUserAgentHandler registers a handler for the `/v2/*` endpoint.
+// Note that a 404 is returned to prevent the client to proceed.
+// We are only checking if the client sent a valid User Agent string along
+// with the request.
+func registerUserAgentHandler(reg *registry.Mock, result *string) {
+	reg.RegisterHandler("/v2/", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(404)
+		w.Write([]byte(`{"errors":[{"code": "UNSUPPORTED","message": "this is a mock registry"}]}`))
+		var ua string
+		for k, v := range r.Header {
+			if k == "User-Agent" {
+				ua = v[0]
+			}
+		}
+		*result = ua
+	})
+}
+
+// TestUserAgentPassThrough verifies that when an image is pulled from
+// a registry, the registry should see a User-Agent string of the form
+// [docker engine UA] UpstreamClientSTREAM-CLIENT([client UA])
+func (s *DockerRegistrySuite) TestUserAgentPassThrough(c *check.C) {
+	var ua string
+
+	reg, err := registry.NewMock(c)
+	defer reg.Close()
+	c.Assert(err, check.IsNil)
+	registerUserAgentHandler(reg, &ua)
+	repoName := fmt.Sprintf("%s/busybox", reg.URL())
+
+	s.d.StartWithBusybox(c, "--insecure-registry", reg.URL())
+
+	tmp, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmp)
+
+	dockerfile, err := makefile(tmp, fmt.Sprintf("FROM %s", repoName))
+	c.Assert(err, check.IsNil, check.Commentf("Unable to create test dockerfile"))
+
+	s.d.Cmd("build", "--file", dockerfile, tmp)
+	regexpCheckUA(c, ua)
+
+	s.d.Cmd("login", "-u", "richard", "-p", "testtest", reg.URL())
+	regexpCheckUA(c, ua)
+
+	s.d.Cmd("pull", repoName)
+	regexpCheckUA(c, ua)
+
+	s.d.Cmd("tag", "busybox", repoName)
+	s.d.Cmd("push", repoName)
+	regexpCheckUA(c, ua)
+}
diff --git a/engine/integration-cli/docker_cli_restart_test.go b/engine/integration-cli/docker_cli_restart_test.go
new file mode 100644
index 00000000..1b4c928b
--- /dev/null
+++ b/engine/integration-cli/docker_cli_restart_test.go
@@ -0,0 +1,309 @@
+package main
+
+import (
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestRestartStoppedContainer(c *check.C) {
+	dockerCmd(c, "run", "--name=test", "busybox", "echo", "foobar")
+	cleanedContainerID := getIDByName(c, "test")
+
+	out, _ := dockerCmd(c, "logs", cleanedContainerID)
+	c.Assert(out, checker.Equals, "foobar\n")
+
+	dockerCmd(c, "restart", cleanedContainerID)
+
+	// Wait until the container has stopped
+	err := waitInspect(cleanedContainerID, "{{.State.Running}}", "false", 20*time.Second)
+	c.Assert(err, checker.IsNil)
+
+	out, _ = dockerCmd(c, "logs", cleanedContainerID)
+	c.Assert(out, checker.Equals, "foobar\nfoobar\n")
+}
+
+func (s *DockerSuite) TestRestartRunningContainer(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", "echo foobar && sleep 30 && echo 'should not print this'")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	c.Assert(waitRun(cleanedContainerID), checker.IsNil)
+
+	getLogs := func(c *check.C) (interface{}, check.CommentInterface) {
+		out, _ := dockerCmd(c, "logs", cleanedContainerID)
+		return out, nil
+	}
+
+	// Wait 10 seconds for the 'echo' to appear in the logs
+	waitAndAssert(c, 10*time.Second, getLogs, checker.Equals, "foobar\n")
+
+	dockerCmd(c, "restart", "-t", "1", cleanedContainerID)
+	c.Assert(waitRun(cleanedContainerID), checker.IsNil)
+
+	// Wait 10 seconds for first 'echo' appear (again) in the logs
+	waitAndAssert(c, 10*time.Second, getLogs, checker.Equals, "foobar\nfoobar\n")
+}
+
+// Test that restarting a container with a volume does not create a new volume on restart. Regression test for #819.
+func (s *DockerSuite) TestRestartWithVolumes(c *check.C) {
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	out := runSleepingContainer(c, "-d", "-v", prefix+slash+"test")
+
+	cleanedContainerID := strings.TrimSpace(out)
+	out, err := inspectFilter(cleanedContainerID, "len .Mounts")
+	c.Assert(err, check.IsNil, check.Commentf("failed to inspect %s: %s", cleanedContainerID, out))
+	out = strings.Trim(out, " \n\r")
+	c.Assert(out, checker.Equals, "1")
+
+	source, err := inspectMountSourceField(cleanedContainerID, prefix+slash+"test")
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "restart", cleanedContainerID)
+
+	out, err = inspectFilter(cleanedContainerID, "len .Mounts")
+	c.Assert(err, check.IsNil, check.Commentf("failed to inspect %s: %s", cleanedContainerID, out))
+	out = strings.Trim(out, " \n\r")
+	c.Assert(out, checker.Equals, "1")
+
+	sourceAfterRestart, err := inspectMountSourceField(cleanedContainerID, prefix+slash+"test")
+	c.Assert(err, checker.IsNil)
+	c.Assert(source, checker.Equals, sourceAfterRestart)
+}
+
+func (s *DockerSuite) TestRestartDisconnectedContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon, NotUserNamespace, NotArm)
+
+	// Run a container on the default bridge network
+	out, _ := dockerCmd(c, "run", "-d", "--name", "c0", "busybox", "top")
+	cleanedContainerID := strings.TrimSpace(out)
+	c.Assert(waitRun(cleanedContainerID), checker.IsNil)
+
+	// Disconnect the container from the network
+	out, err := dockerCmd(c, "network", "disconnect", "bridge", "c0")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+
+	// Restart the container
+	dockerCmd(c, "restart", "c0")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+}
+
+func (s *DockerSuite) TestRestartPolicyNO(c *check.C) {
+	out, _ := dockerCmd(c, "create", "--restart=no", "busybox")
+
+	id := strings.TrimSpace(string(out))
+	name := inspectField(c, id, "HostConfig.RestartPolicy.Name")
+	c.Assert(name, checker.Equals, "no")
+}
+
+func (s *DockerSuite) TestRestartPolicyAlways(c *check.C) {
+	out, _ := dockerCmd(c, "create", "--restart=always", "busybox")
+
+	id := strings.TrimSpace(string(out))
+	name := inspectField(c, id, "HostConfig.RestartPolicy.Name")
+	c.Assert(name, checker.Equals, "always")
+
+	MaximumRetryCount := inspectField(c, id, "HostConfig.RestartPolicy.MaximumRetryCount")
+
+	// MaximumRetryCount=0 if the restart policy is always
+	c.Assert(MaximumRetryCount, checker.Equals, "0")
+}
+
+func (s *DockerSuite) TestRestartPolicyOnFailure(c *check.C) {
+	out, _, err := dockerCmdWithError("create", "--restart=on-failure:-1", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "maximum retry count cannot be negative")
+
+	out, _ = dockerCmd(c, "create", "--restart=on-failure:1", "busybox")
+
+	id := strings.TrimSpace(string(out))
+	name := inspectField(c, id, "HostConfig.RestartPolicy.Name")
+	maxRetry := inspectField(c, id, "HostConfig.RestartPolicy.MaximumRetryCount")
+
+	c.Assert(name, checker.Equals, "on-failure")
+	c.Assert(maxRetry, checker.Equals, "1")
+
+	out, _ = dockerCmd(c, "create", "--restart=on-failure:0", "busybox")
+
+	id = strings.TrimSpace(string(out))
+	name = inspectField(c, id, "HostConfig.RestartPolicy.Name")
+	maxRetry = inspectField(c, id, "HostConfig.RestartPolicy.MaximumRetryCount")
+
+	c.Assert(name, checker.Equals, "on-failure")
+	c.Assert(maxRetry, checker.Equals, "0")
+
+	out, _ = dockerCmd(c, "create", "--restart=on-failure", "busybox")
+
+	id = strings.TrimSpace(string(out))
+	name = inspectField(c, id, "HostConfig.RestartPolicy.Name")
+	maxRetry = inspectField(c, id, "HostConfig.RestartPolicy.MaximumRetryCount")
+
+	c.Assert(name, checker.Equals, "on-failure")
+	c.Assert(maxRetry, checker.Equals, "0")
+}
+
+// a good container with --restart=on-failure:3
+// MaximumRetryCount!=0; RestartCount=0
+func (s *DockerSuite) TestRestartContainerwithGoodContainer(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "--restart=on-failure:3", "busybox", "true")
+
+	id := strings.TrimSpace(string(out))
+	err := waitInspect(id, "{{ .State.Restarting }} {{ .State.Running }}", "false false", 30*time.Second)
+	c.Assert(err, checker.IsNil)
+
+	count := inspectField(c, id, "RestartCount")
+	c.Assert(count, checker.Equals, "0")
+
+	MaximumRetryCount := inspectField(c, id, "HostConfig.RestartPolicy.MaximumRetryCount")
+	c.Assert(MaximumRetryCount, checker.Equals, "3")
+
+}
+
+func (s *DockerSuite) TestRestartContainerSuccess(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	out := runSleepingContainer(c, "-d", "--restart=always")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), check.IsNil)
+
+	pidStr := inspectField(c, id, "State.Pid")
+
+	pid, err := strconv.Atoi(pidStr)
+	c.Assert(err, check.IsNil)
+
+	p, err := os.FindProcess(pid)
+	c.Assert(err, check.IsNil)
+	c.Assert(p, check.NotNil)
+
+	err = p.Kill()
+	c.Assert(err, check.IsNil)
+
+	err = waitInspect(id, "{{.RestartCount}}", "1", 30*time.Second)
+	c.Assert(err, check.IsNil)
+
+	err = waitInspect(id, "{{.State.Status}}", "running", 30*time.Second)
+	c.Assert(err, check.IsNil)
+}
+
+func (s *DockerSuite) TestRestartWithPolicyUserDefinedNetwork(c *check.C) {
+	// TODO Windows. This may be portable following HNS integration post TP5.
+	testRequires(c, DaemonIsLinux, SameHostDaemon, NotUserNamespace, NotArm)
+	dockerCmd(c, "network", "create", "-d", "bridge", "udNet")
+
+	dockerCmd(c, "run", "-d", "--net=udNet", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+
+	dockerCmd(c, "run", "-d", "--restart=always", "--net=udNet", "--name=second",
+		"--link=first:foo", "busybox", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+
+	// ping to first and its alias foo must succeed
+	_, _, err := dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo")
+	c.Assert(err, check.IsNil)
+
+	// Now kill the second container and let the restart policy kick in
+	pidStr := inspectField(c, "second", "State.Pid")
+
+	pid, err := strconv.Atoi(pidStr)
+	c.Assert(err, check.IsNil)
+
+	p, err := os.FindProcess(pid)
+	c.Assert(err, check.IsNil)
+	c.Assert(p, check.NotNil)
+
+	err = p.Kill()
+	c.Assert(err, check.IsNil)
+
+	err = waitInspect("second", "{{.RestartCount}}", "1", 5*time.Second)
+	c.Assert(err, check.IsNil)
+
+	err = waitInspect("second", "{{.State.Status}}", "running", 5*time.Second)
+
+	// ping to first and its alias foo must still succeed
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo")
+	c.Assert(err, check.IsNil)
+}
+
+func (s *DockerSuite) TestRestartPolicyAfterRestart(c *check.C) {
+	testRequires(c, SameHostDaemon)
+
+	out := runSleepingContainer(c, "-d", "--restart=always")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), check.IsNil)
+
+	dockerCmd(c, "restart", id)
+
+	c.Assert(waitRun(id), check.IsNil)
+
+	pidStr := inspectField(c, id, "State.Pid")
+
+	pid, err := strconv.Atoi(pidStr)
+	c.Assert(err, check.IsNil)
+
+	p, err := os.FindProcess(pid)
+	c.Assert(err, check.IsNil)
+	c.Assert(p, check.NotNil)
+
+	err = p.Kill()
+	c.Assert(err, check.IsNil)
+
+	err = waitInspect(id, "{{.RestartCount}}", "1", 30*time.Second)
+	c.Assert(err, check.IsNil)
+
+	err = waitInspect(id, "{{.State.Status}}", "running", 30*time.Second)
+	c.Assert(err, check.IsNil)
+}
+
+func (s *DockerSuite) TestRestartContainerwithRestartPolicy(c *check.C) {
+	out1, _ := dockerCmd(c, "run", "-d", "--restart=on-failure:3", "busybox", "false")
+	out2, _ := dockerCmd(c, "run", "-d", "--restart=always", "busybox", "false")
+
+	id1 := strings.TrimSpace(string(out1))
+	id2 := strings.TrimSpace(string(out2))
+	waitTimeout := 15 * time.Second
+	if testEnv.OSType == "windows" {
+		waitTimeout = 150 * time.Second
+	}
+	err := waitInspect(id1, "{{ .State.Restarting }} {{ .State.Running }}", "false false", waitTimeout)
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "restart", id1)
+	dockerCmd(c, "restart", id2)
+
+	// Make sure we can stop/start (regression test from a705e166cf3bcca62543150c2b3f9bfeae45ecfa)
+	dockerCmd(c, "stop", id1)
+	dockerCmd(c, "stop", id2)
+	dockerCmd(c, "start", id1)
+	dockerCmd(c, "start", id2)
+
+	// Kill the containers, making sure the are stopped at the end of the test
+	dockerCmd(c, "kill", id1)
+	dockerCmd(c, "kill", id2)
+	err = waitInspect(id1, "{{ .State.Restarting }} {{ .State.Running }}", "false false", waitTimeout)
+	c.Assert(err, checker.IsNil)
+	err = waitInspect(id2, "{{ .State.Restarting }} {{ .State.Running }}", "false false", waitTimeout)
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *DockerSuite) TestRestartAutoRemoveContainer(c *check.C) {
+	out := runSleepingContainer(c, "--rm")
+
+	id := strings.TrimSpace(string(out))
+	dockerCmd(c, "restart", id)
+	err := waitInspect(id, "{{ .State.Restarting }} {{ .State.Running }}", "false true", 15*time.Second)
+	c.Assert(err, checker.IsNil)
+
+	out, _ = dockerCmd(c, "ps")
+	c.Assert(out, checker.Contains, id[:12], check.Commentf("container should be restarted instead of removed: %v", out))
+
+	// Kill the container to make sure it will be removed
+	dockerCmd(c, "kill", id)
+}
diff --git a/engine/integration-cli/docker_cli_rmi_test.go b/engine/integration-cli/docker_cli_rmi_test.go
new file mode 100644
index 00000000..66228568
--- /dev/null
+++ b/engine/integration-cli/docker_cli_rmi_test.go
@@ -0,0 +1,338 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestRmiWithContainerFails(c *check.C) {
+	errSubstr := "is using it"
+
+	// create a container
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+
+	cleanedContainerID := strings.TrimSpace(out)
+
+	// try to delete the image
+	out, _, err := dockerCmdWithError("rmi", "busybox")
+	// Container is using image, should not be able to rmi
+	c.Assert(err, checker.NotNil)
+	// Container is using image, error message should contain errSubstr
+	c.Assert(out, checker.Contains, errSubstr, check.Commentf("Container: %q", cleanedContainerID))
+
+	// make sure it didn't delete the busybox name
+	images, _ := dockerCmd(c, "images")
+	// The name 'busybox' should not have been removed from images
+	c.Assert(images, checker.Contains, "busybox")
+}
+
+func (s *DockerSuite) TestRmiTag(c *check.C) {
+	imagesBefore, _ := dockerCmd(c, "images", "-a")
+	dockerCmd(c, "tag", "busybox", "utest:tag1")
+	dockerCmd(c, "tag", "busybox", "utest/docker:tag2")
+	dockerCmd(c, "tag", "busybox", "utest:5000/docker:tag3")
+	{
+		imagesAfter, _ := dockerCmd(c, "images", "-a")
+		c.Assert(strings.Count(imagesAfter, "\n"), checker.Equals, strings.Count(imagesBefore, "\n")+3, check.Commentf("before: %q\n\nafter: %q\n", imagesBefore, imagesAfter))
+	}
+	dockerCmd(c, "rmi", "utest/docker:tag2")
+	{
+		imagesAfter, _ := dockerCmd(c, "images", "-a")
+		c.Assert(strings.Count(imagesAfter, "\n"), checker.Equals, strings.Count(imagesBefore, "\n")+2, check.Commentf("before: %q\n\nafter: %q\n", imagesBefore, imagesAfter))
+	}
+	dockerCmd(c, "rmi", "utest:5000/docker:tag3")
+	{
+		imagesAfter, _ := dockerCmd(c, "images", "-a")
+		c.Assert(strings.Count(imagesAfter, "\n"), checker.Equals, strings.Count(imagesBefore, "\n")+1, check.Commentf("before: %q\n\nafter: %q\n", imagesBefore, imagesAfter))
+
+	}
+	dockerCmd(c, "rmi", "utest:tag1")
+	{
+		imagesAfter, _ := dockerCmd(c, "images", "-a")
+		c.Assert(strings.Count(imagesAfter, "\n"), checker.Equals, strings.Count(imagesBefore, "\n"), check.Commentf("before: %q\n\nafter: %q\n", imagesBefore, imagesAfter))
+
+	}
+}
+
+func (s *DockerSuite) TestRmiImgIDMultipleTag(c *check.C) {
+	out := cli.DockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir '/busybox-one'").Combined()
+	containerID := strings.TrimSpace(out)
+
+	// Wait for it to exit as cannot commit a running container on Windows, and
+	// it will take a few seconds to exit
+	if testEnv.OSType == "windows" {
+		cli.WaitExited(c, containerID, 60*time.Second)
+	}
+
+	cli.DockerCmd(c, "commit", containerID, "busybox-one")
+
+	imagesBefore := cli.DockerCmd(c, "images", "-a").Combined()
+	cli.DockerCmd(c, "tag", "busybox-one", "busybox-one:tag1")
+	cli.DockerCmd(c, "tag", "busybox-one", "busybox-one:tag2")
+
+	imagesAfter := cli.DockerCmd(c, "images", "-a").Combined()
+	// tag busybox to create 2 more images with same imageID
+	c.Assert(strings.Count(imagesAfter, "\n"), checker.Equals, strings.Count(imagesBefore, "\n")+2, check.Commentf("docker images shows: %q\n", imagesAfter))
+
+	imgID := inspectField(c, "busybox-one:tag1", "Id")
+
+	// run a container with the image
+	out = runSleepingContainerInImage(c, "busybox-one")
+	containerID = strings.TrimSpace(out)
+
+	// first checkout without force it fails
+	// rmi tagged in multiple repos should have failed without force
+	cli.Docker(cli.Args("rmi", imgID)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      fmt.Sprintf("conflict: unable to delete %s (cannot be forced) - image is being used by running container %s", stringid.TruncateID(imgID), stringid.TruncateID(containerID)),
+	})
+
+	cli.DockerCmd(c, "stop", containerID)
+	cli.DockerCmd(c, "rmi", "-f", imgID)
+
+	imagesAfter = cli.DockerCmd(c, "images", "-a").Combined()
+	// rmi -f failed, image still exists
+	c.Assert(imagesAfter, checker.Not(checker.Contains), imgID[:12], check.Commentf("ImageID:%q; ImagesAfter: %q", imgID, imagesAfter))
+}
+
+func (s *DockerSuite) TestRmiImgIDForce(c *check.C) {
+	out := cli.DockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "mkdir '/busybox-test'").Combined()
+	containerID := strings.TrimSpace(out)
+
+	// Wait for it to exit as cannot commit a running container on Windows, and
+	// it will take a few seconds to exit
+	if testEnv.OSType == "windows" {
+		cli.WaitExited(c, containerID, 60*time.Second)
+	}
+
+	cli.DockerCmd(c, "commit", containerID, "busybox-test")
+
+	imagesBefore := cli.DockerCmd(c, "images", "-a").Combined()
+	cli.DockerCmd(c, "tag", "busybox-test", "utest:tag1")
+	cli.DockerCmd(c, "tag", "busybox-test", "utest:tag2")
+	cli.DockerCmd(c, "tag", "busybox-test", "utest/docker:tag3")
+	cli.DockerCmd(c, "tag", "busybox-test", "utest:5000/docker:tag4")
+	{
+		imagesAfter := cli.DockerCmd(c, "images", "-a").Combined()
+		c.Assert(strings.Count(imagesAfter, "\n"), checker.Equals, strings.Count(imagesBefore, "\n")+4, check.Commentf("before: %q\n\nafter: %q\n", imagesBefore, imagesAfter))
+	}
+	imgID := inspectField(c, "busybox-test", "Id")
+
+	// first checkout without force it fails
+	cli.Docker(cli.Args("rmi", imgID)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "(must be forced) - image is referenced in multiple repositories",
+	})
+
+	cli.DockerCmd(c, "rmi", "-f", imgID)
+	{
+		imagesAfter := cli.DockerCmd(c, "images", "-a").Combined()
+		// rmi failed, image still exists
+		c.Assert(imagesAfter, checker.Not(checker.Contains), imgID[:12])
+	}
+}
+
+// See https://github.com/docker/docker/issues/14116
+func (s *DockerSuite) TestRmiImageIDForceWithRunningContainersAndMultipleTags(c *check.C) {
+	dockerfile := "FROM busybox\nRUN echo test 14116\n"
+	buildImageSuccessfully(c, "test-14116", build.WithDockerfile(dockerfile))
+	imgID := getIDByName(c, "test-14116")
+
+	newTag := "newtag"
+	dockerCmd(c, "tag", imgID, newTag)
+	runSleepingContainerInImage(c, imgID)
+
+	out, _, err := dockerCmdWithError("rmi", "-f", imgID)
+	// rmi -f should not delete image with running containers
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "(cannot be forced) - image is being used by running container")
+}
+
+func (s *DockerSuite) TestRmiTagWithExistingContainers(c *check.C) {
+	container := "test-delete-tag"
+	newtag := "busybox:newtag"
+	bb := "busybox:latest"
+	dockerCmd(c, "tag", bb, newtag)
+
+	dockerCmd(c, "run", "--name", container, bb, "/bin/true")
+
+	out, _ := dockerCmd(c, "rmi", newtag)
+	c.Assert(strings.Count(out, "Untagged: "), checker.Equals, 1)
+}
+
+func (s *DockerSuite) TestRmiForceWithExistingContainers(c *check.C) {
+	image := "busybox-clone"
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "build", "--no-cache", "-t", image, "-"},
+		Stdin: strings.NewReader(`FROM busybox
+MAINTAINER foo`),
+	}).Assert(c, icmd.Success)
+
+	dockerCmd(c, "run", "--name", "test-force-rmi", image, "/bin/true")
+
+	dockerCmd(c, "rmi", "-f", image)
+}
+
+func (s *DockerSuite) TestRmiWithMultipleRepositories(c *check.C) {
+	newRepo := "127.0.0.1:5000/busybox"
+	oldRepo := "busybox"
+	newTag := "busybox:test"
+	dockerCmd(c, "tag", oldRepo, newRepo)
+
+	dockerCmd(c, "run", "--name", "test", oldRepo, "touch", "/abcd")
+
+	dockerCmd(c, "commit", "test", newTag)
+
+	out, _ := dockerCmd(c, "rmi", newTag)
+	c.Assert(out, checker.Contains, "Untagged: "+newTag)
+}
+
+func (s *DockerSuite) TestRmiForceWithMultipleRepositories(c *check.C) {
+	imageName := "rmiimage"
+	tag1 := imageName + ":tag1"
+	tag2 := imageName + ":tag2"
+
+	buildImageSuccessfully(c, tag1, build.WithDockerfile(`FROM busybox
+		MAINTAINER "docker"`))
+	dockerCmd(c, "tag", tag1, tag2)
+
+	out, _ := dockerCmd(c, "rmi", "-f", tag2)
+	c.Assert(out, checker.Contains, "Untagged: "+tag2)
+	c.Assert(out, checker.Not(checker.Contains), "Untagged: "+tag1)
+
+	// Check built image still exists
+	images, _ := dockerCmd(c, "images", "-a")
+	c.Assert(images, checker.Contains, imageName, check.Commentf("Built image missing %q; Images: %q", imageName, images))
+}
+
+func (s *DockerSuite) TestRmiBlank(c *check.C) {
+	out, _, err := dockerCmdWithError("rmi", " ")
+	// Should have failed to delete ' ' image
+	c.Assert(err, checker.NotNil)
+	// Wrong error message generated
+	c.Assert(out, checker.Not(checker.Contains), "no such id", check.Commentf("out: %s", out))
+	// Expected error message not generated
+	c.Assert(out, checker.Contains, "image name cannot be blank", check.Commentf("out: %s", out))
+}
+
+func (s *DockerSuite) TestRmiContainerImageNotFound(c *check.C) {
+	// Build 2 images for testing.
+	imageNames := []string{"test1", "test2"}
+	imageIds := make([]string, 2)
+	for i, name := range imageNames {
+		dockerfile := fmt.Sprintf("FROM busybox\nMAINTAINER %s\nRUN echo %s\n", name, name)
+		buildImageSuccessfully(c, name, build.WithoutCache, build.WithDockerfile(dockerfile))
+		id := getIDByName(c, name)
+		imageIds[i] = id
+	}
+
+	// Create a long-running container.
+	runSleepingContainerInImage(c, imageNames[0])
+
+	// Create a stopped container, and then force remove its image.
+	dockerCmd(c, "run", imageNames[1], "true")
+	dockerCmd(c, "rmi", "-f", imageIds[1])
+
+	// Try to remove the image of the running container and see if it fails as expected.
+	out, _, err := dockerCmdWithError("rmi", "-f", imageIds[0])
+	// The image of the running container should not be removed.
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "image is being used by running container", check.Commentf("out: %s", out))
+}
+
+// #13422
+func (s *DockerSuite) TestRmiUntagHistoryLayer(c *check.C) {
+	image := "tmp1"
+	// Build an image for testing.
+	dockerfile := `FROM busybox
+MAINTAINER foo
+RUN echo 0 #layer0
+RUN echo 1 #layer1
+RUN echo 2 #layer2
+`
+	buildImageSuccessfully(c, image, build.WithoutCache, build.WithDockerfile(dockerfile))
+	out, _ := dockerCmd(c, "history", "-q", image)
+	ids := strings.Split(out, "\n")
+	idToTag := ids[2]
+
+	// Tag layer0 to "tmp2".
+	newTag := "tmp2"
+	dockerCmd(c, "tag", idToTag, newTag)
+	// Create a container based on "tmp1".
+	dockerCmd(c, "run", "-d", image, "true")
+
+	// See if the "tmp2" can be untagged.
+	out, _ = dockerCmd(c, "rmi", newTag)
+	// Expected 1 untagged entry
+	c.Assert(strings.Count(out, "Untagged: "), checker.Equals, 1, check.Commentf("out: %s", out))
+
+	// Now let's add the tag again and create a container based on it.
+	dockerCmd(c, "tag", idToTag, newTag)
+	out, _ = dockerCmd(c, "run", "-d", newTag, "true")
+	cid := strings.TrimSpace(out)
+
+	// At this point we have 2 containers, one based on layer2 and another based on layer0.
+	// Try to untag "tmp2" without the -f flag.
+	out, _, err := dockerCmdWithError("rmi", newTag)
+	// should not be untagged without the -f flag
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, cid[:12])
+	c.Assert(out, checker.Contains, "(must force)")
+
+	// Add the -f flag and test again.
+	out, _ = dockerCmd(c, "rmi", "-f", newTag)
+	// should be allowed to untag with the -f flag
+	c.Assert(out, checker.Contains, fmt.Sprintf("Untagged: %s:latest", newTag))
+}
+
+func (*DockerSuite) TestRmiParentImageFail(c *check.C) {
+	buildImageSuccessfully(c, "test", build.WithDockerfile(`
+	FROM busybox
+	RUN echo hello`))
+
+	id := inspectField(c, "busybox", "ID")
+	out, _, err := dockerCmdWithError("rmi", id)
+	c.Assert(err, check.NotNil)
+	if !strings.Contains(out, "image has dependent child images") {
+		c.Fatalf("rmi should have failed because it's a parent image, got %s", out)
+	}
+}
+
+func (s *DockerSuite) TestRmiWithParentInUse(c *check.C) {
+	out, _ := dockerCmd(c, "create", "busybox")
+	cID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "commit", cID)
+	imageID := strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "create", imageID)
+	cID = strings.TrimSpace(out)
+
+	out, _ = dockerCmd(c, "commit", cID)
+	imageID = strings.TrimSpace(out)
+
+	dockerCmd(c, "rmi", imageID)
+}
+
+// #18873
+func (s *DockerSuite) TestRmiByIDHardConflict(c *check.C) {
+	dockerCmd(c, "create", "busybox")
+
+	imgID := inspectField(c, "busybox:latest", "Id")
+
+	_, _, err := dockerCmdWithError("rmi", imgID[:12])
+	c.Assert(err, checker.NotNil)
+
+	// check that tag was not removed
+	imgID2 := inspectField(c, "busybox:latest", "Id")
+	c.Assert(imgID, checker.Equals, imgID2)
+}
diff --git a/engine/integration-cli/docker_cli_run_test.go b/engine/integration-cli/docker_cli_run_test.go
new file mode 100644
index 00000000..c2147e96
--- /dev/null
+++ b/engine/integration-cli/docker_cli_run_test.go
@@ -0,0 +1,4540 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"reflect"
+	"regexp"
+	"runtime"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/docker/internal/testutil"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/runconfig"
+	"github.com/docker/go-connections/nat"
+	"github.com/docker/libnetwork/resolvconf"
+	"github.com/docker/libnetwork/types"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+// "test123" should be printed by docker run
+func (s *DockerSuite) TestRunEchoStdout(c *check.C) {
+	out, _ := dockerCmd(c, "run", "busybox", "echo", "test123")
+	if out != "test123\n" {
+		c.Fatalf("container should've printed 'test123', got '%s'", out)
+	}
+}
+
+// "test" should be printed
+func (s *DockerSuite) TestRunEchoNamedContainer(c *check.C) {
+	out, _ := dockerCmd(c, "run", "--name", "testfoonamedcontainer", "busybox", "echo", "test")
+	if out != "test\n" {
+		c.Errorf("container should've printed 'test'")
+	}
+}
+
+// docker run should not leak file descriptors. This test relies on Unix
+// specific functionality and cannot run on Windows.
+func (s *DockerSuite) TestRunLeakyFileDescriptors(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "busybox", "ls", "-C", "/proc/self/fd")
+
+	// normally, we should only get 0, 1, and 2, but 3 gets created by "ls" when it does "opendir" on the "fd" directory
+	if out != "0  1  2  3\n" {
+		c.Errorf("container should've printed '0  1  2  3', not: %s", out)
+	}
+}
+
+// it should be possible to lookup Google DNS
+// this will fail when Internet access is unavailable
+func (s *DockerSuite) TestRunLookupGoogleDNS(c *check.C) {
+	testRequires(c, Network, NotArm)
+	if testEnv.OSType == "windows" {
+		// nslookup isn't present in Windows busybox. Is built-in. Further,
+		// nslookup isn't present in nanoserver. Hence just use PowerShell...
+		dockerCmd(c, "run", testEnv.PlatformDefaults.BaseImage, "powershell", "Resolve-DNSName", "google.com")
+	} else {
+		dockerCmd(c, "run", "busybox", "nslookup", "google.com")
+	}
+
+}
+
+// the exit code should be 0
+func (s *DockerSuite) TestRunExitCodeZero(c *check.C) {
+	dockerCmd(c, "run", "busybox", "true")
+}
+
+// the exit code should be 1
+func (s *DockerSuite) TestRunExitCodeOne(c *check.C) {
+	_, exitCode, err := dockerCmdWithError("run", "busybox", "false")
+	c.Assert(err, checker.NotNil)
+	c.Assert(exitCode, checker.Equals, 1)
+}
+
+// it should be possible to pipe in data via stdin to a process running in a container
+func (s *DockerSuite) TestRunStdinPipe(c *check.C) {
+	// TODO Windows: This needs some work to make compatible.
+	testRequires(c, DaemonIsLinux)
+	result := icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "run", "-i", "-a", "stdin", "busybox", "cat"},
+		Stdin:   strings.NewReader("blahblah"),
+	})
+	result.Assert(c, icmd.Success)
+	out := result.Stdout()
+
+	out = strings.TrimSpace(out)
+	dockerCmd(c, "wait", out)
+
+	logsOut, _ := dockerCmd(c, "logs", out)
+
+	containerLogs := strings.TrimSpace(logsOut)
+	if containerLogs != "blahblah" {
+		c.Errorf("logs didn't print the container's logs %s", containerLogs)
+	}
+
+	dockerCmd(c, "rm", out)
+}
+
+// the container's ID should be printed when starting a container in detached mode
+func (s *DockerSuite) TestRunDetachedContainerIDPrinting(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "true")
+
+	out = strings.TrimSpace(out)
+	dockerCmd(c, "wait", out)
+
+	rmOut, _ := dockerCmd(c, "rm", out)
+
+	rmOut = strings.TrimSpace(rmOut)
+	if rmOut != out {
+		c.Errorf("rm didn't print the container ID %s %s", out, rmOut)
+	}
+}
+
+// the working directory should be set correctly
+func (s *DockerSuite) TestRunWorkingDirectory(c *check.C) {
+	dir := "/root"
+	image := "busybox"
+	if testEnv.OSType == "windows" {
+		dir = `C:/Windows`
+	}
+
+	// First with -w
+	out, _ := dockerCmd(c, "run", "-w", dir, image, "pwd")
+	out = strings.TrimSpace(out)
+	if out != dir {
+		c.Errorf("-w failed to set working directory")
+	}
+
+	// Then with --workdir
+	out, _ = dockerCmd(c, "run", "--workdir", dir, image, "pwd")
+	out = strings.TrimSpace(out)
+	if out != dir {
+		c.Errorf("--workdir failed to set working directory")
+	}
+}
+
+// pinging Google's DNS resolver should fail when we disable the networking
+func (s *DockerSuite) TestRunWithoutNetworking(c *check.C) {
+	count := "-c"
+	image := "busybox"
+	if testEnv.OSType == "windows" {
+		count = "-n"
+		image = testEnv.PlatformDefaults.BaseImage
+	}
+
+	// First using the long form --net
+	out, exitCode, err := dockerCmdWithError("run", "--net=none", image, "ping", count, "1", "8.8.8.8")
+	if err != nil && exitCode != 1 {
+		c.Fatal(out, err)
+	}
+	if exitCode != 1 {
+		c.Errorf("--net=none should've disabled the network; the container shouldn't have been able to ping 8.8.8.8")
+	}
+}
+
+//test --link use container name to link target
+func (s *DockerSuite) TestRunLinksContainerWithContainerName(c *check.C) {
+	// TODO Windows: This test cannot run on a Windows daemon as the networking
+	// settings are not populated back yet on inspect.
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-i", "-t", "-d", "--name", "parent", "busybox")
+
+	ip := inspectField(c, "parent", "NetworkSettings.Networks.bridge.IPAddress")
+
+	out, _ := dockerCmd(c, "run", "--link", "parent:test", "busybox", "/bin/cat", "/etc/hosts")
+	if !strings.Contains(out, ip+"	test") {
+		c.Fatalf("use a container name to link target failed")
+	}
+}
+
+//test --link use container id to link target
+func (s *DockerSuite) TestRunLinksContainerWithContainerID(c *check.C) {
+	// TODO Windows: This test cannot run on a Windows daemon as the networking
+	// settings are not populated back yet on inspect.
+	testRequires(c, DaemonIsLinux)
+	cID, _ := dockerCmd(c, "run", "-i", "-t", "-d", "busybox")
+
+	cID = strings.TrimSpace(cID)
+	ip := inspectField(c, cID, "NetworkSettings.Networks.bridge.IPAddress")
+
+	out, _ := dockerCmd(c, "run", "--link", cID+":test", "busybox", "/bin/cat", "/etc/hosts")
+	if !strings.Contains(out, ip+"	test") {
+		c.Fatalf("use a container id to link target failed")
+	}
+}
+
+func (s *DockerSuite) TestUserDefinedNetworkLinks(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	dockerCmd(c, "network", "create", "-d", "bridge", "udlinkNet")
+
+	dockerCmd(c, "run", "-d", "--net=udlinkNet", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+
+	// run a container in user-defined network udlinkNet with a link for an existing container
+	// and a link for a container that doesn't exist
+	dockerCmd(c, "run", "-d", "--net=udlinkNet", "--name=second", "--link=first:foo",
+		"--link=third:bar", "busybox", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+
+	// ping to first and its alias foo must succeed
+	_, _, err := dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo")
+	c.Assert(err, check.IsNil)
+
+	// ping to third and its alias must fail
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "third")
+	c.Assert(err, check.NotNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "bar")
+	c.Assert(err, check.NotNil)
+
+	// start third container now
+	dockerCmd(c, "run", "-d", "--net=udlinkNet", "--name=third", "busybox", "top")
+	c.Assert(waitRun("third"), check.IsNil)
+
+	// ping to third and its alias must succeed now
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "third")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "bar")
+	c.Assert(err, check.IsNil)
+}
+
+func (s *DockerSuite) TestUserDefinedNetworkLinksWithRestart(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	dockerCmd(c, "network", "create", "-d", "bridge", "udlinkNet")
+
+	dockerCmd(c, "run", "-d", "--net=udlinkNet", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+
+	dockerCmd(c, "run", "-d", "--net=udlinkNet", "--name=second", "--link=first:foo",
+		"busybox", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+
+	// ping to first and its alias foo must succeed
+	_, _, err := dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo")
+	c.Assert(err, check.IsNil)
+
+	// Restart first container
+	dockerCmd(c, "restart", "first")
+	c.Assert(waitRun("first"), check.IsNil)
+
+	// ping to first and its alias foo must still succeed
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo")
+	c.Assert(err, check.IsNil)
+
+	// Restart second container
+	dockerCmd(c, "restart", "second")
+	c.Assert(waitRun("second"), check.IsNil)
+
+	// ping to first and its alias foo must still succeed
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo")
+	c.Assert(err, check.IsNil)
+}
+
+func (s *DockerSuite) TestRunWithNetAliasOnDefaultNetworks(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+
+	defaults := []string{"bridge", "host", "none"}
+	for _, net := range defaults {
+		out, _, err := dockerCmdWithError("run", "-d", "--net", net, "--net-alias", "alias_"+net, "busybox", "top")
+		c.Assert(err, checker.NotNil)
+		c.Assert(out, checker.Contains, runconfig.ErrUnsupportedNetworkAndAlias.Error())
+	}
+}
+
+func (s *DockerSuite) TestUserDefinedNetworkAlias(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	dockerCmd(c, "network", "create", "-d", "bridge", "net1")
+
+	cid1, _ := dockerCmd(c, "run", "-d", "--net=net1", "--name=first", "--net-alias=foo1", "--net-alias=foo2", "busybox:glibc", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+
+	// Check if default short-id alias is added automatically
+	id := strings.TrimSpace(cid1)
+	aliases := inspectField(c, id, "NetworkSettings.Networks.net1.Aliases")
+	c.Assert(aliases, checker.Contains, stringid.TruncateID(id))
+
+	cid2, _ := dockerCmd(c, "run", "-d", "--net=net1", "--name=second", "busybox:glibc", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+
+	// Check if default short-id alias is added automatically
+	id = strings.TrimSpace(cid2)
+	aliases = inspectField(c, id, "NetworkSettings.Networks.net1.Aliases")
+	c.Assert(aliases, checker.Contains, stringid.TruncateID(id))
+
+	// ping to first and its network-scoped aliases
+	_, _, err := dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo1")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo2")
+	c.Assert(err, check.IsNil)
+	// ping first container's short-id alias
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", stringid.TruncateID(cid1))
+	c.Assert(err, check.IsNil)
+
+	// Restart first container
+	dockerCmd(c, "restart", "first")
+	c.Assert(waitRun("first"), check.IsNil)
+
+	// ping to first and its network-scoped aliases must succeed
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo1")
+	c.Assert(err, check.IsNil)
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", "foo2")
+	c.Assert(err, check.IsNil)
+	// ping first container's short-id alias
+	_, _, err = dockerCmdWithError("exec", "second", "ping", "-c", "1", stringid.TruncateID(cid1))
+	c.Assert(err, check.IsNil)
+}
+
+// Issue 9677.
+func (s *DockerSuite) TestRunWithDaemonFlags(c *check.C) {
+	out, _, err := dockerCmdWithError("--exec-opt", "foo=bar", "run", "-i", "busybox", "true")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "unknown flag: --exec-opt")
+}
+
+// Regression test for #4979
+func (s *DockerSuite) TestRunWithVolumesFromExited(c *check.C) {
+
+	var (
+		out      string
+		exitCode int
+	)
+
+	// Create a file in a volume
+	if testEnv.OSType == "windows" {
+		out, exitCode = dockerCmd(c, "run", "--name", "test-data", "--volume", `c:\some\dir`, testEnv.PlatformDefaults.BaseImage, "cmd", "/c", `echo hello > c:\some\dir\file`)
+	} else {
+		out, exitCode = dockerCmd(c, "run", "--name", "test-data", "--volume", "/some/dir", "busybox", "touch", "/some/dir/file")
+	}
+	if exitCode != 0 {
+		c.Fatal("1", out, exitCode)
+	}
+
+	// Read the file from another container using --volumes-from to access the volume in the second container
+	if testEnv.OSType == "windows" {
+		out, exitCode = dockerCmd(c, "run", "--volumes-from", "test-data", testEnv.PlatformDefaults.BaseImage, "cmd", "/c", `type c:\some\dir\file`)
+	} else {
+		out, exitCode = dockerCmd(c, "run", "--volumes-from", "test-data", "busybox", "cat", "/some/dir/file")
+	}
+	if exitCode != 0 {
+		c.Fatal("2", out, exitCode)
+	}
+}
+
+// Volume path is a symlink which also exists on the host, and the host side is a file not a dir
+// But the volume call is just a normal volume, not a bind mount
+func (s *DockerSuite) TestRunCreateVolumesInSymlinkDir(c *check.C) {
+	var (
+		dockerFile    string
+		containerPath string
+		cmd           string
+	)
+	// This test cannot run on a Windows daemon as
+	// Windows does not support symlinks inside a volume path
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+	name := "test-volume-symlink"
+
+	dir, err := ioutil.TempDir("", name)
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	// In the case of Windows to Windows CI, if the machine is setup so that
+	// the temp directory is not the C: drive, this test is invalid and will
+	// not work.
+	if testEnv.OSType == "windows" && strings.ToLower(dir[:1]) != "c" {
+		c.Skip("Requires TEMP to point to C: drive")
+	}
+
+	f, err := os.OpenFile(filepath.Join(dir, "test"), os.O_CREATE, 0700)
+	if err != nil {
+		c.Fatal(err)
+	}
+	f.Close()
+
+	if testEnv.OSType == "windows" {
+		dockerFile = fmt.Sprintf("FROM %s\nRUN mkdir %s\nRUN mklink /D c:\\test %s", testEnv.PlatformDefaults.BaseImage, dir, dir)
+		containerPath = `c:\test\test`
+		cmd = "tasklist"
+	} else {
+		dockerFile = fmt.Sprintf("FROM busybox\nRUN mkdir -p %s\nRUN ln -s %s /test", dir, dir)
+		containerPath = "/test/test"
+		cmd = "true"
+	}
+	buildImageSuccessfully(c, name, build.WithDockerfile(dockerFile))
+	dockerCmd(c, "run", "-v", containerPath, name, cmd)
+}
+
+// Volume path is a symlink in the container
+func (s *DockerSuite) TestRunCreateVolumesInSymlinkDir2(c *check.C) {
+	var (
+		dockerFile    string
+		containerPath string
+		cmd           string
+	)
+	// This test cannot run on a Windows daemon as
+	// Windows does not support symlinks inside a volume path
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+	name := "test-volume-symlink2"
+
+	if testEnv.OSType == "windows" {
+		dockerFile = fmt.Sprintf("FROM %s\nRUN mkdir c:\\%s\nRUN mklink /D c:\\test c:\\%s", testEnv.PlatformDefaults.BaseImage, name, name)
+		containerPath = `c:\test\test`
+		cmd = "tasklist"
+	} else {
+		dockerFile = fmt.Sprintf("FROM busybox\nRUN mkdir -p /%s\nRUN ln -s /%s /test", name, name)
+		containerPath = "/test/test"
+		cmd = "true"
+	}
+	buildImageSuccessfully(c, name, build.WithDockerfile(dockerFile))
+	dockerCmd(c, "run", "-v", containerPath, name, cmd)
+}
+
+func (s *DockerSuite) TestRunVolumesMountedAsReadonly(c *check.C) {
+	if _, code, err := dockerCmdWithError("run", "-v", "/test:/test:ro", "busybox", "touch", "/test/somefile"); err == nil || code == 0 {
+		c.Fatalf("run should fail because volume is ro: exit code %d", code)
+	}
+}
+
+func (s *DockerSuite) TestRunVolumesFromInReadonlyModeFails(c *check.C) {
+	var (
+		volumeDir string
+		fileInVol string
+	)
+	if testEnv.OSType == "windows" {
+		volumeDir = `c:/test` // Forward-slash as using busybox
+		fileInVol = `c:/test/file`
+	} else {
+		testRequires(c, DaemonIsLinux)
+		volumeDir = "/test"
+		fileInVol = `/test/file`
+	}
+	dockerCmd(c, "run", "--name", "parent", "-v", volumeDir, "busybox", "true")
+
+	if _, code, err := dockerCmdWithError("run", "--volumes-from", "parent:ro", "busybox", "touch", fileInVol); err == nil || code == 0 {
+		c.Fatalf("run should fail because volume is ro: exit code %d", code)
+	}
+}
+
+// Regression test for #1201
+func (s *DockerSuite) TestRunVolumesFromInReadWriteMode(c *check.C) {
+	var (
+		volumeDir string
+		fileInVol string
+	)
+	if testEnv.OSType == "windows" {
+		volumeDir = `c:/test` // Forward-slash as using busybox
+		fileInVol = `c:/test/file`
+	} else {
+		volumeDir = "/test"
+		fileInVol = "/test/file"
+	}
+
+	dockerCmd(c, "run", "--name", "parent", "-v", volumeDir, "busybox", "true")
+	dockerCmd(c, "run", "--volumes-from", "parent:rw", "busybox", "touch", fileInVol)
+
+	if out, _, err := dockerCmdWithError("run", "--volumes-from", "parent:bar", "busybox", "touch", fileInVol); err == nil || !strings.Contains(out, `invalid mode: bar`) {
+		c.Fatalf("running --volumes-from parent:bar should have failed with invalid mode: %q", out)
+	}
+
+	dockerCmd(c, "run", "--volumes-from", "parent", "busybox", "touch", fileInVol)
+}
+
+func (s *DockerSuite) TestVolumesFromGetsProperMode(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	hostpath := RandomTmpDirPath("test", testEnv.OSType)
+	if err := os.MkdirAll(hostpath, 0755); err != nil {
+		c.Fatalf("Failed to create %s: %q", hostpath, err)
+	}
+	defer os.RemoveAll(hostpath)
+
+	dockerCmd(c, "run", "--name", "parent", "-v", hostpath+":"+prefix+slash+"test:ro", "busybox", "true")
+
+	// Expect this "rw" mode to be be ignored since the inherited volume is "ro"
+	if _, _, err := dockerCmdWithError("run", "--volumes-from", "parent:rw", "busybox", "touch", prefix+slash+"test"+slash+"file"); err == nil {
+		c.Fatal("Expected volumes-from to inherit read-only volume even when passing in `rw`")
+	}
+
+	dockerCmd(c, "run", "--name", "parent2", "-v", hostpath+":"+prefix+slash+"test:ro", "busybox", "true")
+
+	// Expect this to be read-only since both are "ro"
+	if _, _, err := dockerCmdWithError("run", "--volumes-from", "parent2:ro", "busybox", "touch", prefix+slash+"test"+slash+"file"); err == nil {
+		c.Fatal("Expected volumes-from to inherit read-only volume even when passing in `ro`")
+	}
+}
+
+// Test for GH#10618
+func (s *DockerSuite) TestRunNoDupVolumes(c *check.C) {
+	path1 := RandomTmpDirPath("test1", testEnv.OSType)
+	path2 := RandomTmpDirPath("test2", testEnv.OSType)
+
+	someplace := ":/someplace"
+	if testEnv.OSType == "windows" {
+		// Windows requires that the source directory exists before calling HCS
+		testRequires(c, SameHostDaemon)
+		someplace = `:c:\someplace`
+		if err := os.MkdirAll(path1, 0755); err != nil {
+			c.Fatalf("Failed to create %s: %q", path1, err)
+		}
+		defer os.RemoveAll(path1)
+		if err := os.MkdirAll(path2, 0755); err != nil {
+			c.Fatalf("Failed to create %s: %q", path1, err)
+		}
+		defer os.RemoveAll(path2)
+	}
+	mountstr1 := path1 + someplace
+	mountstr2 := path2 + someplace
+
+	if out, _, err := dockerCmdWithError("run", "-v", mountstr1, "-v", mountstr2, "busybox", "true"); err == nil {
+		c.Fatal("Expected error about duplicate mount definitions")
+	} else {
+		if !strings.Contains(out, "Duplicate mount point") {
+			c.Fatalf("Expected 'duplicate mount point' error, got %v", out)
+		}
+	}
+
+	// Test for https://github.com/docker/docker/issues/22093
+	volumename1 := "test1"
+	volumename2 := "test2"
+	volume1 := volumename1 + someplace
+	volume2 := volumename2 + someplace
+	if out, _, err := dockerCmdWithError("run", "-v", volume1, "-v", volume2, "busybox", "true"); err == nil {
+		c.Fatal("Expected error about duplicate mount definitions")
+	} else {
+		if !strings.Contains(out, "Duplicate mount point") {
+			c.Fatalf("Expected 'duplicate mount point' error, got %v", out)
+		}
+	}
+	// create failed should have create volume volumename1 or volumename2
+	// we should remove volumename2 or volumename2 successfully
+	out, _ := dockerCmd(c, "volume", "ls")
+	if strings.Contains(out, volumename1) {
+		dockerCmd(c, "volume", "rm", volumename1)
+	} else {
+		dockerCmd(c, "volume", "rm", volumename2)
+	}
+}
+
+// Test for #1351
+func (s *DockerSuite) TestRunApplyVolumesFromBeforeVolumes(c *check.C) {
+	prefix := ""
+	if testEnv.OSType == "windows" {
+		prefix = `c:`
+	}
+	dockerCmd(c, "run", "--name", "parent", "-v", prefix+"/test", "busybox", "touch", prefix+"/test/foo")
+	dockerCmd(c, "run", "--volumes-from", "parent", "-v", prefix+"/test", "busybox", "cat", prefix+"/test/foo")
+}
+
+func (s *DockerSuite) TestRunMultipleVolumesFrom(c *check.C) {
+	prefix := ""
+	if testEnv.OSType == "windows" {
+		prefix = `c:`
+	}
+	dockerCmd(c, "run", "--name", "parent1", "-v", prefix+"/test", "busybox", "touch", prefix+"/test/foo")
+	dockerCmd(c, "run", "--name", "parent2", "-v", prefix+"/other", "busybox", "touch", prefix+"/other/bar")
+	dockerCmd(c, "run", "--volumes-from", "parent1", "--volumes-from", "parent2", "busybox", "sh", "-c", "cat /test/foo && cat /other/bar")
+}
+
+// this tests verifies the ID format for the container
+func (s *DockerSuite) TestRunVerifyContainerID(c *check.C) {
+	out, exit, err := dockerCmdWithError("run", "-d", "busybox", "true")
+	if err != nil {
+		c.Fatal(err)
+	}
+	if exit != 0 {
+		c.Fatalf("expected exit code 0 received %d", exit)
+	}
+
+	match, err := regexp.MatchString("^[0-9a-f]{64}$", strings.TrimSuffix(out, "\n"))
+	if err != nil {
+		c.Fatal(err)
+	}
+	if !match {
+		c.Fatalf("Invalid container ID: %s", out)
+	}
+}
+
+// Test that creating a container with a volume doesn't crash. Regression test for #995.
+func (s *DockerSuite) TestRunCreateVolume(c *check.C) {
+	prefix := ""
+	if testEnv.OSType == "windows" {
+		prefix = `c:`
+	}
+	dockerCmd(c, "run", "-v", prefix+"/var/lib/data", "busybox", "true")
+}
+
+// Test that creating a volume with a symlink in its path works correctly. Test for #5152.
+// Note that this bug happens only with symlinks with a target that starts with '/'.
+func (s *DockerSuite) TestRunCreateVolumeWithSymlink(c *check.C) {
+	// Cannot run on Windows as relies on Linux-specific functionality (sh -c mount...)
+	testRequires(c, DaemonIsLinux)
+	workingDirectory, err := ioutil.TempDir("", "TestRunCreateVolumeWithSymlink")
+	image := "docker-test-createvolumewithsymlink"
+
+	buildCmd := exec.Command(dockerBinary, "build", "-t", image, "-")
+	buildCmd.Stdin = strings.NewReader(`FROM busybox
+		RUN ln -s home /bar`)
+	buildCmd.Dir = workingDirectory
+	err = buildCmd.Run()
+	if err != nil {
+		c.Fatalf("could not build '%s': %v", image, err)
+	}
+
+	_, exitCode, err := dockerCmdWithError("run", "-v", "/bar/foo", "--name", "test-createvolumewithsymlink", image, "sh", "-c", "mount | grep -q /home/foo")
+	if err != nil || exitCode != 0 {
+		c.Fatalf("[run] err: %v, exitcode: %d", err, exitCode)
+	}
+
+	volPath, err := inspectMountSourceField("test-createvolumewithsymlink", "/bar/foo")
+	c.Assert(err, checker.IsNil)
+
+	_, exitCode, err = dockerCmdWithError("rm", "-v", "test-createvolumewithsymlink")
+	if err != nil || exitCode != 0 {
+		c.Fatalf("[rm] err: %v, exitcode: %d", err, exitCode)
+	}
+
+	_, err = os.Stat(volPath)
+	if !os.IsNotExist(err) {
+		c.Fatalf("[open] (expecting 'file does not exist' error) err: %v, volPath: %s", err, volPath)
+	}
+}
+
+// Tests that a volume path that has a symlink exists in a container mounting it with `--volumes-from`.
+func (s *DockerSuite) TestRunVolumesFromSymlinkPath(c *check.C) {
+	// This test cannot run on a Windows daemon as
+	// Windows does not support symlinks inside a volume path
+	testRequires(c, DaemonIsLinux)
+
+	workingDirectory, err := ioutil.TempDir("", "TestRunVolumesFromSymlinkPath")
+	c.Assert(err, checker.IsNil)
+	name := "docker-test-volumesfromsymlinkpath"
+	prefix := ""
+	dfContents := `FROM busybox
+		RUN ln -s home /foo
+		VOLUME ["/foo/bar"]`
+
+	if testEnv.OSType == "windows" {
+		prefix = `c:`
+		dfContents = `FROM ` + testEnv.PlatformDefaults.BaseImage + `
+	    RUN mkdir c:\home
+		RUN mklink /D c:\foo c:\home
+		VOLUME ["c:/foo/bar"]
+		ENTRYPOINT c:\windows\system32\cmd.exe`
+	}
+
+	buildCmd := exec.Command(dockerBinary, "build", "-t", name, "-")
+	buildCmd.Stdin = strings.NewReader(dfContents)
+	buildCmd.Dir = workingDirectory
+	err = buildCmd.Run()
+	if err != nil {
+		c.Fatalf("could not build 'docker-test-volumesfromsymlinkpath': %v", err)
+	}
+
+	out, exitCode, err := dockerCmdWithError("run", "--name", "test-volumesfromsymlinkpath", name)
+	if err != nil || exitCode != 0 {
+		c.Fatalf("[run] (volume) err: %v, exitcode: %d, out: %s", err, exitCode, out)
+	}
+
+	_, exitCode, err = dockerCmdWithError("run", "--volumes-from", "test-volumesfromsymlinkpath", "busybox", "sh", "-c", "ls "+prefix+"/foo | grep -q bar")
+	if err != nil || exitCode != 0 {
+		c.Fatalf("[run] err: %v, exitcode: %d", err, exitCode)
+	}
+}
+
+func (s *DockerSuite) TestRunExitCode(c *check.C) {
+	var (
+		exit int
+		err  error
+	)
+
+	_, exit, err = dockerCmdWithError("run", "busybox", "/bin/sh", "-c", "exit 72")
+
+	if err == nil {
+		c.Fatal("should not have a non nil error")
+	}
+	if exit != 72 {
+		c.Fatalf("expected exit code 72 received %d", exit)
+	}
+}
+
+func (s *DockerSuite) TestRunUserDefaults(c *check.C) {
+	expected := "uid=0(root) gid=0(root)"
+	if testEnv.OSType == "windows" {
+		expected = "uid=1000(ContainerAdministrator) gid=1000(ContainerAdministrator)"
+	}
+	out, _ := dockerCmd(c, "run", "busybox", "id")
+	if !strings.Contains(out, expected) {
+		c.Fatalf("expected '%s' got %s", expected, out)
+	}
+}
+
+func (s *DockerSuite) TestRunUserByName(c *check.C) {
+	// TODO Windows: This test cannot run on a Windows daemon as Windows does
+	// not support the use of -u
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-u", "root", "busybox", "id")
+	if !strings.Contains(out, "uid=0(root) gid=0(root)") {
+		c.Fatalf("expected root user got %s", out)
+	}
+}
+
+func (s *DockerSuite) TestRunUserByID(c *check.C) {
+	// TODO Windows: This test cannot run on a Windows daemon as Windows does
+	// not support the use of -u
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-u", "1", "busybox", "id")
+	if !strings.Contains(out, "uid=1(daemon) gid=1(daemon)") {
+		c.Fatalf("expected daemon user got %s", out)
+	}
+}
+
+func (s *DockerSuite) TestRunUserByIDBig(c *check.C) {
+	// TODO Windows: This test cannot run on a Windows daemon as Windows does
+	// not support the use of -u
+	testRequires(c, DaemonIsLinux, NotArm)
+	out, _, err := dockerCmdWithError("run", "-u", "2147483648", "busybox", "id")
+	if err == nil {
+		c.Fatal("No error, but must be.", out)
+	}
+	if !strings.Contains(strings.ToLower(out), "uids and gids must be in range") {
+		c.Fatalf("expected error about uids range, got %s", out)
+	}
+}
+
+func (s *DockerSuite) TestRunUserByIDNegative(c *check.C) {
+	// TODO Windows: This test cannot run on a Windows daemon as Windows does
+	// not support the use of -u
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "-u", "-1", "busybox", "id")
+	if err == nil {
+		c.Fatal("No error, but must be.", out)
+	}
+	if !strings.Contains(strings.ToLower(out), "uids and gids must be in range") {
+		c.Fatalf("expected error about uids range, got %s", out)
+	}
+}
+
+func (s *DockerSuite) TestRunUserByIDZero(c *check.C) {
+	// TODO Windows: This test cannot run on a Windows daemon as Windows does
+	// not support the use of -u
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "-u", "0", "busybox", "id")
+	if err != nil {
+		c.Fatal(err, out)
+	}
+	if !strings.Contains(out, "uid=0(root) gid=0(root) groups=10(wheel)") {
+		c.Fatalf("expected daemon user got %s", out)
+	}
+}
+
+func (s *DockerSuite) TestRunUserNotFound(c *check.C) {
+	// TODO Windows: This test cannot run on a Windows daemon as Windows does
+	// not support the use of -u
+	testRequires(c, DaemonIsLinux)
+	_, _, err := dockerCmdWithError("run", "-u", "notme", "busybox", "id")
+	if err == nil {
+		c.Fatal("unknown user should cause container to fail")
+	}
+}
+
+func (s *DockerSuite) TestRunTwoConcurrentContainers(c *check.C) {
+	sleepTime := "2"
+	group := sync.WaitGroup{}
+	group.Add(2)
+
+	errChan := make(chan error, 2)
+	for i := 0; i < 2; i++ {
+		go func() {
+			defer group.Done()
+			_, _, err := dockerCmdWithError("run", "busybox", "sleep", sleepTime)
+			errChan <- err
+		}()
+	}
+
+	group.Wait()
+	close(errChan)
+
+	for err := range errChan {
+		c.Assert(err, check.IsNil)
+	}
+}
+
+func (s *DockerSuite) TestRunEnvironment(c *check.C) {
+	// TODO Windows: Environment handling is different between Linux and
+	// Windows and this test relies currently on unix functionality.
+	testRequires(c, DaemonIsLinux)
+	result := icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "run", "-h", "testing", "-e=FALSE=true", "-e=TRUE", "-e=TRICKY", "-e=HOME=", "busybox", "env"},
+		Env: append(os.Environ(),
+			"TRUE=false",
+			"TRICKY=tri\ncky\n",
+		),
+	})
+	result.Assert(c, icmd.Success)
+
+	actualEnv := strings.Split(strings.TrimSuffix(result.Stdout(), "\n"), "\n")
+	sort.Strings(actualEnv)
+
+	goodEnv := []string{
+		// The first two should not be tested here, those are "inherent" environment variable. This test validates
+		// the -e behavior, not the default environment variable (that could be subject to change)
+		"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+		"HOSTNAME=testing",
+		"FALSE=true",
+		"TRUE=false",
+		"TRICKY=tri",
+		"cky",
+		"",
+		"HOME=/root",
+	}
+	sort.Strings(goodEnv)
+	if len(goodEnv) != len(actualEnv) {
+		c.Fatalf("Wrong environment: should be %d variables, not %d: %q", len(goodEnv), len(actualEnv), strings.Join(actualEnv, ", "))
+	}
+	for i := range goodEnv {
+		if actualEnv[i] != goodEnv[i] {
+			c.Fatalf("Wrong environment variable: should be %s, not %s", goodEnv[i], actualEnv[i])
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunEnvironmentErase(c *check.C) {
+	// TODO Windows: Environment handling is different between Linux and
+	// Windows and this test relies currently on unix functionality.
+	testRequires(c, DaemonIsLinux)
+
+	// Test to make sure that when we use -e on env vars that are
+	// not set in our local env that they're removed (if present) in
+	// the container
+
+	result := icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "run", "-e", "FOO", "-e", "HOSTNAME", "busybox", "env"},
+		Env:     appendBaseEnv(true),
+	})
+	result.Assert(c, icmd.Success)
+
+	actualEnv := strings.Split(strings.TrimSpace(result.Combined()), "\n")
+	sort.Strings(actualEnv)
+
+	goodEnv := []string{
+		"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+		"HOME=/root",
+	}
+	sort.Strings(goodEnv)
+	if len(goodEnv) != len(actualEnv) {
+		c.Fatalf("Wrong environment: should be %d variables, not %d: %q", len(goodEnv), len(actualEnv), strings.Join(actualEnv, ", "))
+	}
+	for i := range goodEnv {
+		if actualEnv[i] != goodEnv[i] {
+			c.Fatalf("Wrong environment variable: should be %s, not %s", goodEnv[i], actualEnv[i])
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunEnvironmentOverride(c *check.C) {
+	// TODO Windows: Environment handling is different between Linux and
+	// Windows and this test relies currently on unix functionality.
+	testRequires(c, DaemonIsLinux)
+
+	// Test to make sure that when we use -e on env vars that are
+	// already in the env that we're overriding them
+
+	result := icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "run", "-e", "HOSTNAME", "-e", "HOME=/root2", "busybox", "env"},
+		Env:     appendBaseEnv(true, "HOSTNAME=bar"),
+	})
+	result.Assert(c, icmd.Success)
+
+	actualEnv := strings.Split(strings.TrimSpace(result.Combined()), "\n")
+	sort.Strings(actualEnv)
+
+	goodEnv := []string{
+		"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+		"HOME=/root2",
+		"HOSTNAME=bar",
+	}
+	sort.Strings(goodEnv)
+	if len(goodEnv) != len(actualEnv) {
+		c.Fatalf("Wrong environment: should be %d variables, not %d: %q", len(goodEnv), len(actualEnv), strings.Join(actualEnv, ", "))
+	}
+	for i := range goodEnv {
+		if actualEnv[i] != goodEnv[i] {
+			c.Fatalf("Wrong environment variable: should be %s, not %s", goodEnv[i], actualEnv[i])
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunContainerNetwork(c *check.C) {
+	if testEnv.OSType == "windows" {
+		// Windows busybox does not have ping. Use built in ping instead.
+		dockerCmd(c, "run", testEnv.PlatformDefaults.BaseImage, "ping", "-n", "1", "127.0.0.1")
+	} else {
+		dockerCmd(c, "run", "busybox", "ping", "-c", "1", "127.0.0.1")
+	}
+}
+
+func (s *DockerSuite) TestRunNetHostNotAllowedWithLinks(c *check.C) {
+	// TODO Windows: This is Linux specific as --link is not supported and
+	// this will be deprecated in favor of container networking model.
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	dockerCmd(c, "run", "--name", "linked", "busybox", "true")
+
+	_, _, err := dockerCmdWithError("run", "--net=host", "--link", "linked:linked", "busybox", "true")
+	if err == nil {
+		c.Fatal("Expected error")
+	}
+}
+
+// #7851 hostname outside container shows FQDN, inside only shortname
+// For testing purposes it is not required to set host's hostname directly
+// and use "--net=host" (as the original issue submitter did), as the same
+// codepath is executed with "docker run -h <hostname>".  Both were manually
+// tested, but this testcase takes the simpler path of using "run -h .."
+func (s *DockerSuite) TestRunFullHostnameSet(c *check.C) {
+	// TODO Windows: -h is not yet functional.
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-h", "foo.bar.baz", "busybox", "hostname")
+	if actual := strings.Trim(out, "\r\n"); actual != "foo.bar.baz" {
+		c.Fatalf("expected hostname 'foo.bar.baz', received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunPrivilegedCanMknod(c *check.C) {
+	// Not applicable for Windows as Windows daemon does not support
+	// the concept of --privileged, and mknod is a Unix concept.
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "--privileged", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+		c.Fatalf("expected output ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunUnprivilegedCanMknod(c *check.C) {
+	// Not applicable for Windows as Windows daemon does not support
+	// the concept of --privileged, and mknod is a Unix concept.
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+		c.Fatalf("expected output ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunCapDropInvalid(c *check.C) {
+	// Not applicable for Windows as there is no concept of --cap-drop
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "--cap-drop=CHPASS", "busybox", "ls")
+	if err == nil {
+		c.Fatal(err, out)
+	}
+}
+
+func (s *DockerSuite) TestRunCapDropCannotMknod(c *check.C) {
+	// Not applicable for Windows as there is no concept of --cap-drop or mknod
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "--cap-drop=MKNOD", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+
+	if err == nil {
+		c.Fatal(err, out)
+	}
+	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
+		c.Fatalf("expected output not ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunCapDropCannotMknodLowerCase(c *check.C) {
+	// Not applicable for Windows as there is no concept of --cap-drop or mknod
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "--cap-drop=mknod", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+
+	if err == nil {
+		c.Fatal(err, out)
+	}
+	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
+		c.Fatalf("expected output not ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunCapDropALLCannotMknod(c *check.C) {
+	// Not applicable for Windows as there is no concept of --cap-drop or mknod
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "--cap-drop=ALL", "--cap-add=SETGID", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+	if err == nil {
+		c.Fatal(err, out)
+	}
+	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
+		c.Fatalf("expected output not ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunCapDropALLAddMknodCanMknod(c *check.C) {
+	// Not applicable for Windows as there is no concept of --cap-drop or mknod
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "--cap-drop=ALL", "--cap-add=MKNOD", "--cap-add=SETGID", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+
+	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+		c.Fatalf("expected output ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunCapAddInvalid(c *check.C) {
+	// Not applicable for Windows as there is no concept of --cap-add
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "--cap-add=CHPASS", "busybox", "ls")
+	if err == nil {
+		c.Fatal(err, out)
+	}
+}
+
+func (s *DockerSuite) TestRunCapAddCanDownInterface(c *check.C) {
+	// Not applicable for Windows as there is no concept of --cap-add
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "--cap-add=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
+
+	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+		c.Fatalf("expected output ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunCapAddALLCanDownInterface(c *check.C) {
+	// Not applicable for Windows as there is no concept of --cap-add
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "--cap-add=ALL", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
+
+	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+		c.Fatalf("expected output ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunCapAddALLDropNetAdminCanDownInterface(c *check.C) {
+	// Not applicable for Windows as there is no concept of --cap-add
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "--cap-add=ALL", "--cap-drop=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
+	if err == nil {
+		c.Fatal(err, out)
+	}
+	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
+		c.Fatalf("expected output not ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunGroupAdd(c *check.C) {
+	// Not applicable for Windows as there is no concept of --group-add
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "--group-add=audio", "--group-add=staff", "--group-add=777", "busybox", "sh", "-c", "id")
+
+	groupsList := "uid=0(root) gid=0(root) groups=10(wheel),29(audio),50(staff),777"
+	if actual := strings.Trim(out, "\r\n"); actual != groupsList {
+		c.Fatalf("expected output %s received %s", groupsList, actual)
+	}
+}
+
+func (s *DockerSuite) TestRunPrivilegedCanMount(c *check.C) {
+	// Not applicable for Windows as there is no concept of --privileged
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
+
+	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+		c.Fatalf("expected output ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunUnprivilegedCannotMount(c *check.C) {
+	// Not applicable for Windows as there is no concept of unprivileged
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
+
+	if err == nil {
+		c.Fatal(err, out)
+	}
+	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
+		c.Fatalf("expected output not ok received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunSysNotWritableInNonPrivilegedContainers(c *check.C) {
+	// Not applicable for Windows as there is no concept of unprivileged
+	testRequires(c, DaemonIsLinux, NotArm)
+	if _, code, err := dockerCmdWithError("run", "busybox", "touch", "/sys/kernel/profiling"); err == nil || code == 0 {
+		c.Fatal("sys should not be writable in a non privileged container")
+	}
+}
+
+func (s *DockerSuite) TestRunSysWritableInPrivilegedContainers(c *check.C) {
+	// Not applicable for Windows as there is no concept of unprivileged
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	if _, code, err := dockerCmdWithError("run", "--privileged", "busybox", "touch", "/sys/kernel/profiling"); err != nil || code != 0 {
+		c.Fatalf("sys should be writable in privileged container")
+	}
+}
+
+func (s *DockerSuite) TestRunProcNotWritableInNonPrivilegedContainers(c *check.C) {
+	// Not applicable for Windows as there is no concept of unprivileged
+	testRequires(c, DaemonIsLinux)
+	if _, code, err := dockerCmdWithError("run", "busybox", "touch", "/proc/sysrq-trigger"); err == nil || code == 0 {
+		c.Fatal("proc should not be writable in a non privileged container")
+	}
+}
+
+func (s *DockerSuite) TestRunProcWritableInPrivilegedContainers(c *check.C) {
+	// Not applicable for Windows as there is no concept of --privileged
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	if _, code := dockerCmd(c, "run", "--privileged", "busybox", "sh", "-c", "touch /proc/sysrq-trigger"); code != 0 {
+		c.Fatalf("proc should be writable in privileged container")
+	}
+}
+
+func (s *DockerSuite) TestRunDeviceNumbers(c *check.C) {
+	// Not applicable on Windows as /dev/ is a Unix specific concept
+	// TODO: NotUserNamespace could be removed here if "root" "root" is replaced w user
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "busybox", "sh", "-c", "ls -l /dev/null")
+	deviceLineFields := strings.Fields(out)
+	deviceLineFields[6] = ""
+	deviceLineFields[7] = ""
+	deviceLineFields[8] = ""
+	expected := []string{"crw-rw-rw-", "1", "root", "root", "1,", "3", "", "", "", "/dev/null"}
+
+	if !(reflect.DeepEqual(deviceLineFields, expected)) {
+		c.Fatalf("expected output\ncrw-rw-rw- 1 root root 1, 3 May 24 13:29 /dev/null\n received\n %s\n", out)
+	}
+}
+
+func (s *DockerSuite) TestRunThatCharacterDevicesActLikeCharacterDevices(c *check.C) {
+	// Not applicable on Windows as /dev/ is a Unix specific concept
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "busybox", "sh", "-c", "dd if=/dev/zero of=/zero bs=1k count=5 2> /dev/null ; du -h /zero")
+	if actual := strings.Trim(out, "\r\n"); actual[0] == '0' {
+		c.Fatalf("expected a new file called /zero to be create that is greater than 0 bytes long, but du says: %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunUnprivilegedWithChroot(c *check.C) {
+	// Not applicable on Windows as it does not support chroot
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "busybox", "chroot", "/", "true")
+}
+
+func (s *DockerSuite) TestRunAddingOptionalDevices(c *check.C) {
+	// Not applicable on Windows as Windows does not support --device
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "--device", "/dev/zero:/dev/nulo", "busybox", "sh", "-c", "ls /dev/nulo")
+	if actual := strings.Trim(out, "\r\n"); actual != "/dev/nulo" {
+		c.Fatalf("expected output /dev/nulo, received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunAddingOptionalDevicesNoSrc(c *check.C) {
+	// Not applicable on Windows as Windows does not support --device
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "--device", "/dev/zero:rw", "busybox", "sh", "-c", "ls /dev/zero")
+	if actual := strings.Trim(out, "\r\n"); actual != "/dev/zero" {
+		c.Fatalf("expected output /dev/zero, received %s", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunAddingOptionalDevicesInvalidMode(c *check.C) {
+	// Not applicable on Windows as Windows does not support --device
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	_, _, err := dockerCmdWithError("run", "--device", "/dev/zero:ro", "busybox", "sh", "-c", "ls /dev/zero")
+	if err == nil {
+		c.Fatalf("run container with device mode ro should fail")
+	}
+}
+
+func (s *DockerSuite) TestRunModeHostname(c *check.C) {
+	// Not applicable on Windows as Windows does not support -h
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+
+	out, _ := dockerCmd(c, "run", "-h=testhostname", "busybox", "cat", "/etc/hostname")
+
+	if actual := strings.Trim(out, "\r\n"); actual != "testhostname" {
+		c.Fatalf("expected 'testhostname', but says: %q", actual)
+	}
+
+	out, _ = dockerCmd(c, "run", "--net=host", "busybox", "cat", "/etc/hostname")
+
+	hostname, err := os.Hostname()
+	if err != nil {
+		c.Fatal(err)
+	}
+	if actual := strings.Trim(out, "\r\n"); actual != hostname {
+		c.Fatalf("expected %q, but says: %q", hostname, actual)
+	}
+}
+
+func (s *DockerSuite) TestRunRootWorkdir(c *check.C) {
+	out, _ := dockerCmd(c, "run", "--workdir", "/", "busybox", "pwd")
+	expected := "/\n"
+	if testEnv.OSType == "windows" {
+		expected = "C:" + expected
+	}
+	if out != expected {
+		c.Fatalf("pwd returned %q (expected %s)", s, expected)
+	}
+}
+
+func (s *DockerSuite) TestRunAllowBindMountingRoot(c *check.C) {
+	if testEnv.OSType == "windows" {
+		// Windows busybox will fail with Permission Denied on items such as pagefile.sys
+		dockerCmd(c, "run", "-v", `c:\:c:\host`, testEnv.PlatformDefaults.BaseImage, "cmd", "-c", "dir", `c:\host`)
+	} else {
+		dockerCmd(c, "run", "-v", "/:/host", "busybox", "ls", "/host")
+	}
+}
+
+func (s *DockerSuite) TestRunDisallowBindMountingRootToRoot(c *check.C) {
+	mount := "/:/"
+	targetDir := "/host"
+	if testEnv.OSType == "windows" {
+		mount = `c:\:c\`
+		targetDir = "c:/host" // Forward slash as using busybox
+	}
+	out, _, err := dockerCmdWithError("run", "-v", mount, "busybox", "ls", targetDir)
+	if err == nil {
+		c.Fatal(out, err)
+	}
+}
+
+// Verify that a container gets default DNS when only localhost resolvers exist
+func (s *DockerSuite) TestRunDNSDefaultOptions(c *check.C) {
+	// Not applicable on Windows as this is testing Unix specific functionality
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	// preserve original resolv.conf for restoring after test
+	origResolvConf, err := ioutil.ReadFile("/etc/resolv.conf")
+	if os.IsNotExist(err) {
+		c.Fatalf("/etc/resolv.conf does not exist")
+	}
+	// defer restored original conf
+	defer func() {
+		if err := ioutil.WriteFile("/etc/resolv.conf", origResolvConf, 0644); err != nil {
+			c.Fatal(err)
+		}
+	}()
+
+	// test 3 cases: standard IPv4 localhost, commented out localhost, and IPv6 localhost
+	// 2 are removed from the file at container start, and the 3rd (commented out) one is ignored by
+	// GetNameservers(), leading to a replacement of nameservers with the default set
+	tmpResolvConf := []byte("nameserver 127.0.0.1\n#nameserver 127.0.2.1\nnameserver ::1")
+	if err := ioutil.WriteFile("/etc/resolv.conf", tmpResolvConf, 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	actual, _ := dockerCmd(c, "run", "busybox", "cat", "/etc/resolv.conf")
+	// check that the actual defaults are appended to the commented out
+	// localhost resolver (which should be preserved)
+	// NOTE: if we ever change the defaults from google dns, this will break
+	expected := "#nameserver 127.0.2.1\n\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"
+	if actual != expected {
+		c.Fatalf("expected resolv.conf be: %q, but was: %q", expected, actual)
+	}
+}
+
+func (s *DockerSuite) TestRunDNSOptions(c *check.C) {
+	// Not applicable on Windows as Windows does not support --dns*, or
+	// the Unix-specific functionality of resolv.conf.
+	testRequires(c, DaemonIsLinux)
+	result := cli.DockerCmd(c, "run", "--dns=127.0.0.1", "--dns-search=mydomain", "--dns-opt=ndots:9", "busybox", "cat", "/etc/resolv.conf")
+
+	// The client will get a warning on stderr when setting DNS to a localhost address; verify this:
+	if !strings.Contains(result.Stderr(), "Localhost DNS setting") {
+		c.Fatalf("Expected warning on stderr about localhost resolver, but got %q", result.Stderr())
+	}
+
+	actual := strings.Replace(strings.Trim(result.Stdout(), "\r\n"), "\n", " ", -1)
+	if actual != "search mydomain nameserver 127.0.0.1 options ndots:9" {
+		c.Fatalf("expected 'search mydomain nameserver 127.0.0.1 options ndots:9', but says: %q", actual)
+	}
+
+	out := cli.DockerCmd(c, "run", "--dns=1.1.1.1", "--dns-search=.", "--dns-opt=ndots:3", "busybox", "cat", "/etc/resolv.conf").Combined()
+
+	actual = strings.Replace(strings.Trim(strings.Trim(out, "\r\n"), " "), "\n", " ", -1)
+	if actual != "nameserver 1.1.1.1 options ndots:3" {
+		c.Fatalf("expected 'nameserver 1.1.1.1 options ndots:3', but says: %q", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunDNSRepeatOptions(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out := cli.DockerCmd(c, "run", "--dns=1.1.1.1", "--dns=2.2.2.2", "--dns-search=mydomain", "--dns-search=mydomain2", "--dns-opt=ndots:9", "--dns-opt=timeout:3", "busybox", "cat", "/etc/resolv.conf").Stdout()
+
+	actual := strings.Replace(strings.Trim(out, "\r\n"), "\n", " ", -1)
+	if actual != "search mydomain mydomain2 nameserver 1.1.1.1 nameserver 2.2.2.2 options ndots:9 timeout:3" {
+		c.Fatalf("expected 'search mydomain mydomain2 nameserver 1.1.1.1 nameserver 2.2.2.2 options ndots:9 timeout:3', but says: %q", actual)
+	}
+}
+
+func (s *DockerSuite) TestRunDNSOptionsBasedOnHostResolvConf(c *check.C) {
+	// Not applicable on Windows as testing Unix specific functionality
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	origResolvConf, err := ioutil.ReadFile("/etc/resolv.conf")
+	if os.IsNotExist(err) {
+		c.Fatalf("/etc/resolv.conf does not exist")
+	}
+
+	hostNameservers := resolvconf.GetNameservers(origResolvConf, types.IP)
+	hostSearch := resolvconf.GetSearchDomains(origResolvConf)
+
+	var out string
+	out, _ = dockerCmd(c, "run", "--dns=127.0.0.1", "busybox", "cat", "/etc/resolv.conf")
+
+	if actualNameservers := resolvconf.GetNameservers([]byte(out), types.IP); string(actualNameservers[0]) != "127.0.0.1" {
+		c.Fatalf("expected '127.0.0.1', but says: %q", string(actualNameservers[0]))
+	}
+
+	actualSearch := resolvconf.GetSearchDomains([]byte(out))
+	if len(actualSearch) != len(hostSearch) {
+		c.Fatalf("expected %q search domain(s), but it has: %q", len(hostSearch), len(actualSearch))
+	}
+	for i := range actualSearch {
+		if actualSearch[i] != hostSearch[i] {
+			c.Fatalf("expected %q domain, but says: %q", actualSearch[i], hostSearch[i])
+		}
+	}
+
+	out, _ = dockerCmd(c, "run", "--dns-search=mydomain", "busybox", "cat", "/etc/resolv.conf")
+
+	actualNameservers := resolvconf.GetNameservers([]byte(out), types.IP)
+	if len(actualNameservers) != len(hostNameservers) {
+		c.Fatalf("expected %q nameserver(s), but it has: %q", len(hostNameservers), len(actualNameservers))
+	}
+	for i := range actualNameservers {
+		if actualNameservers[i] != hostNameservers[i] {
+			c.Fatalf("expected %q nameserver, but says: %q", actualNameservers[i], hostNameservers[i])
+		}
+	}
+
+	if actualSearch = resolvconf.GetSearchDomains([]byte(out)); string(actualSearch[0]) != "mydomain" {
+		c.Fatalf("expected 'mydomain', but says: %q", string(actualSearch[0]))
+	}
+
+	// test with file
+	tmpResolvConf := []byte("search example.com\nnameserver 12.34.56.78\nnameserver 127.0.0.1")
+	if err := ioutil.WriteFile("/etc/resolv.conf", tmpResolvConf, 0644); err != nil {
+		c.Fatal(err)
+	}
+	// put the old resolvconf back
+	defer func() {
+		if err := ioutil.WriteFile("/etc/resolv.conf", origResolvConf, 0644); err != nil {
+			c.Fatal(err)
+		}
+	}()
+
+	resolvConf, err := ioutil.ReadFile("/etc/resolv.conf")
+	if os.IsNotExist(err) {
+		c.Fatalf("/etc/resolv.conf does not exist")
+	}
+
+	hostSearch = resolvconf.GetSearchDomains(resolvConf)
+
+	out, _ = dockerCmd(c, "run", "busybox", "cat", "/etc/resolv.conf")
+	if actualNameservers = resolvconf.GetNameservers([]byte(out), types.IP); string(actualNameservers[0]) != "12.34.56.78" || len(actualNameservers) != 1 {
+		c.Fatalf("expected '12.34.56.78', but has: %v", actualNameservers)
+	}
+
+	actualSearch = resolvconf.GetSearchDomains([]byte(out))
+	if len(actualSearch) != len(hostSearch) {
+		c.Fatalf("expected %q search domain(s), but it has: %q", len(hostSearch), len(actualSearch))
+	}
+	for i := range actualSearch {
+		if actualSearch[i] != hostSearch[i] {
+			c.Fatalf("expected %q domain, but says: %q", actualSearch[i], hostSearch[i])
+		}
+	}
+}
+
+// Test to see if a non-root user can resolve a DNS name. Also
+// check if the container resolv.conf file has at least 0644 perm.
+func (s *DockerSuite) TestRunNonRootUserResolvName(c *check.C) {
+	// Not applicable on Windows as Windows does not support --user
+	testRequires(c, SameHostDaemon, Network, DaemonIsLinux, NotArm)
+
+	dockerCmd(c, "run", "--name=testperm", "--user=nobody", "busybox", "nslookup", "apt.dockerproject.org")
+
+	cID := getIDByName(c, "testperm")
+
+	fmode := (os.FileMode)(0644)
+	finfo, err := os.Stat(containerStorageFile(cID, "resolv.conf"))
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	if (finfo.Mode() & fmode) != fmode {
+		c.Fatalf("Expected container resolv.conf mode to be at least %s, instead got %s", fmode.String(), finfo.Mode().String())
+	}
+}
+
+// Test if container resolv.conf gets updated the next time it restarts
+// if host /etc/resolv.conf has changed. This only applies if the container
+// uses the host's /etc/resolv.conf and does not have any dns options provided.
+func (s *DockerSuite) TestRunResolvconfUpdate(c *check.C) {
+	// Not applicable on Windows as testing unix specific functionality
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+	c.Skip("Unstable test, to be re-activated once #19937 is resolved")
+
+	tmpResolvConf := []byte("search pommesfrites.fr\nnameserver 12.34.56.78\n")
+	tmpLocalhostResolvConf := []byte("nameserver 127.0.0.1")
+
+	//take a copy of resolv.conf for restoring after test completes
+	resolvConfSystem, err := ioutil.ReadFile("/etc/resolv.conf")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	// This test case is meant to test monitoring resolv.conf when it is
+	// a regular file not a bind mounc. So we unmount resolv.conf and replace
+	// it with a file containing the original settings.
+	mounted, err := mount.Mounted("/etc/resolv.conf")
+	if err != nil {
+		c.Fatal(err)
+	}
+	if mounted {
+		icmd.RunCommand("umount", "/etc/resolv.conf").Assert(c, icmd.Success)
+	}
+
+	//cleanup
+	defer func() {
+		if err := ioutil.WriteFile("/etc/resolv.conf", resolvConfSystem, 0644); err != nil {
+			c.Fatal(err)
+		}
+	}()
+
+	//1. test that a restarting container gets an updated resolv.conf
+	dockerCmd(c, "run", "--name=first", "busybox", "true")
+	containerID1 := getIDByName(c, "first")
+
+	// replace resolv.conf with our temporary copy
+	bytesResolvConf := []byte(tmpResolvConf)
+	if err := ioutil.WriteFile("/etc/resolv.conf", bytesResolvConf, 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	// start the container again to pickup changes
+	dockerCmd(c, "start", "first")
+
+	// check for update in container
+	containerResolv := readContainerFile(c, containerID1, "resolv.conf")
+	if !bytes.Equal(containerResolv, bytesResolvConf) {
+		c.Fatalf("Restarted container does not have updated resolv.conf; expected %q, got %q", tmpResolvConf, string(containerResolv))
+	}
+
+	/*	//make a change to resolv.conf (in this case replacing our tmp copy with orig copy)
+		if err := ioutil.WriteFile("/etc/resolv.conf", resolvConfSystem, 0644); err != nil {
+						c.Fatal(err)
+								} */
+	//2. test that a restarting container does not receive resolv.conf updates
+	//   if it modified the container copy of the starting point resolv.conf
+	dockerCmd(c, "run", "--name=second", "busybox", "sh", "-c", "echo 'search mylittlepony.com' >>/etc/resolv.conf")
+	containerID2 := getIDByName(c, "second")
+
+	//make a change to resolv.conf (in this case replacing our tmp copy with orig copy)
+	if err := ioutil.WriteFile("/etc/resolv.conf", resolvConfSystem, 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	// start the container again
+	dockerCmd(c, "start", "second")
+
+	// check for update in container
+	containerResolv = readContainerFile(c, containerID2, "resolv.conf")
+	if bytes.Equal(containerResolv, resolvConfSystem) {
+		c.Fatalf("Container's resolv.conf should not have been updated with host resolv.conf: %q", string(containerResolv))
+	}
+
+	//3. test that a running container's resolv.conf is not modified while running
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	runningContainerID := strings.TrimSpace(out)
+
+	// replace resolv.conf
+	if err := ioutil.WriteFile("/etc/resolv.conf", bytesResolvConf, 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	// check for update in container
+	containerResolv = readContainerFile(c, runningContainerID, "resolv.conf")
+	if bytes.Equal(containerResolv, bytesResolvConf) {
+		c.Fatalf("Running container should not have updated resolv.conf; expected %q, got %q", string(resolvConfSystem), string(containerResolv))
+	}
+
+	//4. test that a running container's resolv.conf is updated upon restart
+	//   (the above container is still running..)
+	dockerCmd(c, "restart", runningContainerID)
+
+	// check for update in container
+	containerResolv = readContainerFile(c, runningContainerID, "resolv.conf")
+	if !bytes.Equal(containerResolv, bytesResolvConf) {
+		c.Fatalf("Restarted container should have updated resolv.conf; expected %q, got %q", string(bytesResolvConf), string(containerResolv))
+	}
+
+	//5. test that additions of a localhost resolver are cleaned from
+	//   host resolv.conf before updating container's resolv.conf copies
+
+	// replace resolv.conf with a localhost-only nameserver copy
+	bytesResolvConf = []byte(tmpLocalhostResolvConf)
+	if err = ioutil.WriteFile("/etc/resolv.conf", bytesResolvConf, 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	// start the container again to pickup changes
+	dockerCmd(c, "start", "first")
+
+	// our first exited container ID should have been updated, but with default DNS
+	// after the cleanup of resolv.conf found only a localhost nameserver:
+	containerResolv = readContainerFile(c, containerID1, "resolv.conf")
+	expected := "\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"
+	if !bytes.Equal(containerResolv, []byte(expected)) {
+		c.Fatalf("Container does not have cleaned/replaced DNS in resolv.conf; expected %q, got %q", expected, string(containerResolv))
+	}
+
+	//6. Test that replacing (as opposed to modifying) resolv.conf triggers an update
+	//   of containers' resolv.conf.
+
+	// Restore the original resolv.conf
+	if err := ioutil.WriteFile("/etc/resolv.conf", resolvConfSystem, 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	// Run the container so it picks up the old settings
+	dockerCmd(c, "run", "--name=third", "busybox", "true")
+	containerID3 := getIDByName(c, "third")
+
+	// Create a modified resolv.conf.aside and override resolv.conf with it
+	bytesResolvConf = []byte(tmpResolvConf)
+	if err := ioutil.WriteFile("/etc/resolv.conf.aside", bytesResolvConf, 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	err = os.Rename("/etc/resolv.conf.aside", "/etc/resolv.conf")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	// start the container again to pickup changes
+	dockerCmd(c, "start", "third")
+
+	// check for update in container
+	containerResolv = readContainerFile(c, containerID3, "resolv.conf")
+	if !bytes.Equal(containerResolv, bytesResolvConf) {
+		c.Fatalf("Stopped container does not have updated resolv.conf; expected\n%q\n got\n%q", tmpResolvConf, string(containerResolv))
+	}
+
+	//cleanup, restore original resolv.conf happens in defer func()
+}
+
+func (s *DockerSuite) TestRunAddHost(c *check.C) {
+	// Not applicable on Windows as it does not support --add-host
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "--add-host=extra:86.75.30.9", "busybox", "grep", "extra", "/etc/hosts")
+
+	actual := strings.Trim(out, "\r\n")
+	if actual != "86.75.30.9\textra" {
+		c.Fatalf("expected '86.75.30.9\textra', but says: %q", actual)
+	}
+}
+
+// Regression test for #6983
+func (s *DockerSuite) TestRunAttachStdErrOnlyTTYMode(c *check.C) {
+	_, exitCode := dockerCmd(c, "run", "-t", "-a", "stderr", "busybox", "true")
+	if exitCode != 0 {
+		c.Fatalf("Container should have exited with error code 0")
+	}
+}
+
+// Regression test for #6983
+func (s *DockerSuite) TestRunAttachStdOutOnlyTTYMode(c *check.C) {
+	_, exitCode := dockerCmd(c, "run", "-t", "-a", "stdout", "busybox", "true")
+	if exitCode != 0 {
+		c.Fatalf("Container should have exited with error code 0")
+	}
+}
+
+// Regression test for #6983
+func (s *DockerSuite) TestRunAttachStdOutAndErrTTYMode(c *check.C) {
+	_, exitCode := dockerCmd(c, "run", "-t", "-a", "stdout", "-a", "stderr", "busybox", "true")
+	if exitCode != 0 {
+		c.Fatalf("Container should have exited with error code 0")
+	}
+}
+
+// Test for #10388 - this will run the same test as TestRunAttachStdOutAndErrTTYMode
+// but using --attach instead of -a to make sure we read the flag correctly
+func (s *DockerSuite) TestRunAttachWithDetach(c *check.C) {
+	icmd.RunCommand(dockerBinary, "run", "-d", "--attach", "stdout", "busybox", "true").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Error:    "exit status 1",
+		Err:      "Conflicting options: -a and -d",
+	})
+}
+
+func (s *DockerSuite) TestRunState(c *check.C) {
+	// TODO Windows: This needs some rework as Windows busybox does not support top
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+
+	id := strings.TrimSpace(out)
+	state := inspectField(c, id, "State.Running")
+	if state != "true" {
+		c.Fatal("Container state is 'not running'")
+	}
+	pid1 := inspectField(c, id, "State.Pid")
+	if pid1 == "0" {
+		c.Fatal("Container state Pid 0")
+	}
+
+	dockerCmd(c, "stop", id)
+	state = inspectField(c, id, "State.Running")
+	if state != "false" {
+		c.Fatal("Container state is 'running'")
+	}
+	pid2 := inspectField(c, id, "State.Pid")
+	if pid2 == pid1 {
+		c.Fatalf("Container state Pid %s, but expected %s", pid2, pid1)
+	}
+
+	dockerCmd(c, "start", id)
+	state = inspectField(c, id, "State.Running")
+	if state != "true" {
+		c.Fatal("Container state is 'not running'")
+	}
+	pid3 := inspectField(c, id, "State.Pid")
+	if pid3 == pid1 {
+		c.Fatalf("Container state Pid %s, but expected %s", pid2, pid1)
+	}
+}
+
+// Test for #1737
+func (s *DockerSuite) TestRunCopyVolumeUIDGID(c *check.C) {
+	// Not applicable on Windows as it does not support uid or gid in this way
+	testRequires(c, DaemonIsLinux)
+	name := "testrunvolumesuidgid"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+		RUN echo 'dockerio:x:1001:' >> /etc/group
+		RUN mkdir -p /hello && touch /hello/test && chown dockerio.dockerio /hello`))
+
+	// Test that the uid and gid is copied from the image to the volume
+	out, _ := dockerCmd(c, "run", "--rm", "-v", "/hello", name, "sh", "-c", "ls -l / | grep hello | awk '{print $3\":\"$4}'")
+	out = strings.TrimSpace(out)
+	if out != "dockerio:dockerio" {
+		c.Fatalf("Wrong /hello ownership: %s, expected dockerio:dockerio", out)
+	}
+}
+
+// Test for #1582
+func (s *DockerSuite) TestRunCopyVolumeContent(c *check.C) {
+	// TODO Windows, post RS1. Windows does not yet support volume functionality
+	// that copies from the image to the volume.
+	testRequires(c, DaemonIsLinux)
+	name := "testruncopyvolumecontent"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		RUN mkdir -p /hello/local && echo hello > /hello/local/world`))
+
+	// Test that the content is copied from the image to the volume
+	out, _ := dockerCmd(c, "run", "--rm", "-v", "/hello", name, "find", "/hello")
+	if !(strings.Contains(out, "/hello/local/world") && strings.Contains(out, "/hello/local")) {
+		c.Fatal("Container failed to transfer content to volume")
+	}
+}
+
+func (s *DockerSuite) TestRunCleanupCmdOnEntrypoint(c *check.C) {
+	name := "testrunmdcleanuponentrypoint"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		ENTRYPOINT ["echo"]
+		CMD ["testingpoint"]`))
+
+	out, exit := dockerCmd(c, "run", "--entrypoint", "whoami", name)
+	if exit != 0 {
+		c.Fatalf("expected exit code 0 received %d, out: %q", exit, out)
+	}
+	out = strings.TrimSpace(out)
+	expected := "root"
+	if testEnv.OSType == "windows" {
+		if strings.Contains(testEnv.PlatformDefaults.BaseImage, "windowsservercore") {
+			expected = `user manager\containeradministrator`
+		} else {
+			expected = `ContainerAdministrator` // nanoserver
+		}
+	}
+	if out != expected {
+		c.Fatalf("Expected output %s, got %q. %s", expected, out, testEnv.PlatformDefaults.BaseImage)
+	}
+}
+
+// TestRunWorkdirExistsAndIsFile checks that if 'docker run -w' with existing file can be detected
+func (s *DockerSuite) TestRunWorkdirExistsAndIsFile(c *check.C) {
+	existingFile := "/bin/cat"
+	expected := "not a directory"
+	if testEnv.OSType == "windows" {
+		existingFile = `\windows\system32\ntdll.dll`
+		expected = `The directory name is invalid.`
+	}
+
+	out, exitCode, err := dockerCmdWithError("run", "-w", existingFile, "busybox")
+	if !(err != nil && exitCode == 125 && strings.Contains(out, expected)) {
+		c.Fatalf("Existing binary as a directory should error out with exitCode 125; we got: %s, exitCode: %d", out, exitCode)
+	}
+}
+
+func (s *DockerSuite) TestRunExitOnStdinClose(c *check.C) {
+	name := "testrunexitonstdinclose"
+
+	meow := "/bin/cat"
+	delay := 60
+	if testEnv.OSType == "windows" {
+		meow = "cat"
+	}
+	runCmd := exec.Command(dockerBinary, "run", "--name", name, "-i", "busybox", meow)
+
+	stdin, err := runCmd.StdinPipe()
+	if err != nil {
+		c.Fatal(err)
+	}
+	stdout, err := runCmd.StdoutPipe()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	if err := runCmd.Start(); err != nil {
+		c.Fatal(err)
+	}
+	if _, err := stdin.Write([]byte("hello\n")); err != nil {
+		c.Fatal(err)
+	}
+
+	r := bufio.NewReader(stdout)
+	line, err := r.ReadString('\n')
+	if err != nil {
+		c.Fatal(err)
+	}
+	line = strings.TrimSpace(line)
+	if line != "hello" {
+		c.Fatalf("Output should be 'hello', got '%q'", line)
+	}
+	if err := stdin.Close(); err != nil {
+		c.Fatal(err)
+	}
+	finish := make(chan error)
+	go func() {
+		finish <- runCmd.Wait()
+		close(finish)
+	}()
+	select {
+	case err := <-finish:
+		c.Assert(err, check.IsNil)
+	case <-time.After(time.Duration(delay) * time.Second):
+		c.Fatal("docker run failed to exit on stdin close")
+	}
+	state := inspectField(c, name, "State.Running")
+
+	if state != "false" {
+		c.Fatal("Container must be stopped after stdin closing")
+	}
+}
+
+// Test run -i --restart xxx doesn't hang
+func (s *DockerSuite) TestRunInteractiveWithRestartPolicy(c *check.C) {
+	name := "test-inter-restart"
+
+	result := icmd.StartCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "run", "-i", "--name", name, "--restart=always", "busybox", "sh"},
+		Stdin:   bytes.NewBufferString("exit 11"),
+	})
+	c.Assert(result.Error, checker.IsNil)
+	defer func() {
+		dockerCmdWithResult("stop", name).Assert(c, icmd.Success)
+	}()
+
+	result = icmd.WaitOnCmd(60*time.Second, result)
+	result.Assert(c, icmd.Expected{ExitCode: 11})
+}
+
+// Test for #2267
+func (s *DockerSuite) TestRunWriteSpecialFilesAndNotCommit(c *check.C) {
+	// Cannot run on Windows as this files are not present in Windows
+	testRequires(c, DaemonIsLinux)
+
+	testRunWriteSpecialFilesAndNotCommit(c, "writehosts", "/etc/hosts")
+	testRunWriteSpecialFilesAndNotCommit(c, "writehostname", "/etc/hostname")
+	testRunWriteSpecialFilesAndNotCommit(c, "writeresolv", "/etc/resolv.conf")
+}
+
+func testRunWriteSpecialFilesAndNotCommit(c *check.C, name, path string) {
+	command := fmt.Sprintf("echo test2267 >> %s && cat %s", path, path)
+	out, _ := dockerCmd(c, "run", "--name", name, "busybox", "sh", "-c", command)
+	if !strings.Contains(out, "test2267") {
+		c.Fatalf("%s should contain 'test2267'", path)
+	}
+
+	out, _ = dockerCmd(c, "diff", name)
+	if len(strings.Trim(out, "\r\n")) != 0 && !eqToBaseDiff(out, c) {
+		c.Fatal("diff should be empty")
+	}
+}
+
+func eqToBaseDiff(out string, c *check.C) bool {
+	name := "eqToBaseDiff" + testutil.GenerateRandomAlphaOnlyString(32)
+	dockerCmd(c, "run", "--name", name, "busybox", "echo", "hello")
+	cID := getIDByName(c, name)
+	baseDiff, _ := dockerCmd(c, "diff", cID)
+	baseArr := strings.Split(baseDiff, "\n")
+	sort.Strings(baseArr)
+	outArr := strings.Split(out, "\n")
+	sort.Strings(outArr)
+	return sliceEq(baseArr, outArr)
+}
+
+func sliceEq(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+
+	return true
+}
+
+func (s *DockerSuite) TestRunWithBadDevice(c *check.C) {
+	// Cannot run on Windows as Windows does not support --device
+	testRequires(c, DaemonIsLinux)
+	name := "baddevice"
+	out, _, err := dockerCmdWithError("run", "--name", name, "--device", "/etc", "busybox", "true")
+
+	if err == nil {
+		c.Fatal("Run should fail with bad device")
+	}
+	expected := `"/etc": not a device node`
+	if !strings.Contains(out, expected) {
+		c.Fatalf("Output should contain %q, actual out: %q", expected, out)
+	}
+}
+
+func (s *DockerSuite) TestRunEntrypoint(c *check.C) {
+	name := "entrypoint"
+
+	out, _ := dockerCmd(c, "run", "--name", name, "--entrypoint", "echo", "busybox", "-n", "foobar")
+	expected := "foobar"
+
+	if out != expected {
+		c.Fatalf("Output should be %q, actual out: %q", expected, out)
+	}
+}
+
+func (s *DockerSuite) TestRunBindMounts(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	if testEnv.OSType == "linux" {
+		testRequires(c, DaemonIsLinux, NotUserNamespace)
+	}
+
+	prefix, _ := getPrefixAndSlashFromDaemonPlatform()
+
+	tmpDir, err := ioutil.TempDir("", "docker-test-container")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	defer os.RemoveAll(tmpDir)
+	writeFile(path.Join(tmpDir, "touch-me"), "", c)
+
+	// Test reading from a read-only bind mount
+	out, _ := dockerCmd(c, "run", "-v", fmt.Sprintf("%s:%s/tmp:ro", tmpDir, prefix), "busybox", "ls", prefix+"/tmp")
+	if !strings.Contains(out, "touch-me") {
+		c.Fatal("Container failed to read from bind mount")
+	}
+
+	// test writing to bind mount
+	if testEnv.OSType == "windows" {
+		dockerCmd(c, "run", "-v", fmt.Sprintf(`%s:c:\tmp:rw`, tmpDir), "busybox", "touch", "c:/tmp/holla")
+	} else {
+		dockerCmd(c, "run", "-v", fmt.Sprintf("%s:/tmp:rw", tmpDir), "busybox", "touch", "/tmp/holla")
+	}
+
+	readFile(path.Join(tmpDir, "holla"), c) // Will fail if the file doesn't exist
+
+	// test mounting to an illegal destination directory
+	_, _, err = dockerCmdWithError("run", "-v", fmt.Sprintf("%s:.", tmpDir), "busybox", "ls", ".")
+	if err == nil {
+		c.Fatal("Container bind mounted illegal directory")
+	}
+
+	// Windows does not (and likely never will) support mounting a single file
+	if testEnv.OSType != "windows" {
+		// test mount a file
+		dockerCmd(c, "run", "-v", fmt.Sprintf("%s/holla:/tmp/holla:rw", tmpDir), "busybox", "sh", "-c", "echo -n 'yotta' > /tmp/holla")
+		content := readFile(path.Join(tmpDir, "holla"), c) // Will fail if the file doesn't exist
+		expected := "yotta"
+		if content != expected {
+			c.Fatalf("Output should be %q, actual out: %q", expected, content)
+		}
+	}
+}
+
+// Ensure that CIDFile gets deleted if it's empty
+// Perform this test by making `docker run` fail
+func (s *DockerSuite) TestRunCidFileCleanupIfEmpty(c *check.C) {
+	// Skip on Windows. Base image on Windows has a CMD set in the image.
+	testRequires(c, DaemonIsLinux)
+
+	tmpDir, err := ioutil.TempDir("", "TestRunCidFile")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+	tmpCidFile := path.Join(tmpDir, "cid")
+
+	image := "emptyfs"
+	if testEnv.OSType == "windows" {
+		// Windows can't support an emptyfs image. Just use the regular Windows image
+		image = testEnv.PlatformDefaults.BaseImage
+	}
+	out, _, err := dockerCmdWithError("run", "--cidfile", tmpCidFile, image)
+	if err == nil {
+		c.Fatalf("Run without command must fail. out=%s", out)
+	} else if !strings.Contains(out, "No command specified") {
+		c.Fatalf("Run without command failed with wrong output. out=%s\nerr=%v", out, err)
+	}
+
+	if _, err := os.Stat(tmpCidFile); err == nil {
+		c.Fatalf("empty CIDFile %q should've been deleted", tmpCidFile)
+	}
+}
+
+// #2098 - Docker cidFiles only contain short version of the containerId
+//sudo docker run --cidfile /tmp/docker_tesc.cid ubuntu echo "test"
+// TestRunCidFile tests that run --cidfile returns the longid
+func (s *DockerSuite) TestRunCidFileCheckIDLength(c *check.C) {
+	tmpDir, err := ioutil.TempDir("", "TestRunCidFile")
+	if err != nil {
+		c.Fatal(err)
+	}
+	tmpCidFile := path.Join(tmpDir, "cid")
+	defer os.RemoveAll(tmpDir)
+
+	out, _ := dockerCmd(c, "run", "-d", "--cidfile", tmpCidFile, "busybox", "true")
+
+	id := strings.TrimSpace(out)
+	buffer, err := ioutil.ReadFile(tmpCidFile)
+	if err != nil {
+		c.Fatal(err)
+	}
+	cid := string(buffer)
+	if len(cid) != 64 {
+		c.Fatalf("--cidfile should be a long id, not %q", id)
+	}
+	if cid != id {
+		c.Fatalf("cid must be equal to %s, got %s", id, cid)
+	}
+}
+
+func (s *DockerSuite) TestRunSetMacAddress(c *check.C) {
+	mac := "12:34:56:78:9a:bc"
+	var out string
+	if testEnv.OSType == "windows" {
+		out, _ = dockerCmd(c, "run", "-i", "--rm", fmt.Sprintf("--mac-address=%s", mac), "busybox", "sh", "-c", "ipconfig /all | grep 'Physical Address' | awk '{print $12}'")
+		mac = strings.Replace(strings.ToUpper(mac), ":", "-", -1) // To Windows-style MACs
+	} else {
+		out, _ = dockerCmd(c, "run", "-i", "--rm", fmt.Sprintf("--mac-address=%s", mac), "busybox", "/bin/sh", "-c", "ip link show eth0 | tail -1 | awk '{print $2}'")
+	}
+
+	actualMac := strings.TrimSpace(out)
+	if actualMac != mac {
+		c.Fatalf("Set MAC address with --mac-address failed. The container has an incorrect MAC address: %q, expected: %q", actualMac, mac)
+	}
+}
+
+func (s *DockerSuite) TestRunInspectMacAddress(c *check.C) {
+	// TODO Windows. Network settings are not propagated back to inspect.
+	testRequires(c, DaemonIsLinux)
+	mac := "12:34:56:78:9a:bc"
+	out, _ := dockerCmd(c, "run", "-d", "--mac-address="+mac, "busybox", "top")
+
+	id := strings.TrimSpace(out)
+	inspectedMac := inspectField(c, id, "NetworkSettings.Networks.bridge.MacAddress")
+	if inspectedMac != mac {
+		c.Fatalf("docker inspect outputs wrong MAC address: %q, should be: %q", inspectedMac, mac)
+	}
+}
+
+// test docker run use an invalid mac address
+func (s *DockerSuite) TestRunWithInvalidMacAddress(c *check.C) {
+	out, _, err := dockerCmdWithError("run", "--mac-address", "92:d0:c6:0a:29", "busybox")
+	//use an invalid mac address should with an error out
+	if err == nil || !strings.Contains(out, "is not a valid mac address") {
+		c.Fatalf("run with an invalid --mac-address should with error out")
+	}
+}
+
+func (s *DockerSuite) TestRunDeallocatePortOnMissingIptablesRule(c *check.C) {
+	// TODO Windows. Network settings are not propagated back to inspect.
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	out := cli.DockerCmd(c, "run", "-d", "-p", "23:23", "busybox", "top").Combined()
+
+	id := strings.TrimSpace(out)
+	ip := inspectField(c, id, "NetworkSettings.Networks.bridge.IPAddress")
+	icmd.RunCommand("iptables", "-D", "DOCKER", "-d", fmt.Sprintf("%s/32", ip),
+		"!", "-i", "docker0", "-o", "docker0", "-p", "tcp", "-m", "tcp", "--dport", "23", "-j", "ACCEPT").Assert(c, icmd.Success)
+
+	cli.DockerCmd(c, "rm", "-fv", id)
+
+	cli.DockerCmd(c, "run", "-d", "-p", "23:23", "busybox", "top")
+}
+
+func (s *DockerSuite) TestRunPortInUse(c *check.C) {
+	// TODO Windows. The duplicate NAT message returned by Windows will be
+	// changing as is currently completely undecipherable. Does need modifying
+	// to run sh rather than top though as top isn't in Windows busybox.
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	port := "1234"
+	dockerCmd(c, "run", "-d", "-p", port+":80", "busybox", "top")
+
+	out, _, err := dockerCmdWithError("run", "-d", "-p", port+":80", "busybox", "top")
+	if err == nil {
+		c.Fatalf("Binding on used port must fail")
+	}
+	if !strings.Contains(out, "port is already allocated") {
+		c.Fatalf("Out must be about \"port is already allocated\", got %s", out)
+	}
+}
+
+// https://github.com/docker/docker/issues/12148
+func (s *DockerSuite) TestRunAllocatePortInReservedRange(c *check.C) {
+	// TODO Windows. -P is not yet supported
+	testRequires(c, DaemonIsLinux)
+	// allocate a dynamic port to get the most recent
+	out, _ := dockerCmd(c, "run", "-d", "-P", "-p", "80", "busybox", "top")
+
+	id := strings.TrimSpace(out)
+	out, _ = dockerCmd(c, "port", id, "80")
+
+	strPort := strings.Split(strings.TrimSpace(out), ":")[1]
+	port, err := strconv.ParseInt(strPort, 10, 64)
+	if err != nil {
+		c.Fatalf("invalid port, got: %s, error: %s", strPort, err)
+	}
+
+	// allocate a static port and a dynamic port together, with static port
+	// takes the next recent port in dynamic port range.
+	dockerCmd(c, "run", "-d", "-P", "-p", "80", "-p", fmt.Sprintf("%d:8080", port+1), "busybox", "top")
+}
+
+// Regression test for #7792
+func (s *DockerSuite) TestRunMountOrdering(c *check.C) {
+	// TODO Windows: Post RS1. Windows does not support nested mounts.
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+	prefix, _ := getPrefixAndSlashFromDaemonPlatform()
+
+	tmpDir, err := ioutil.TempDir("", "docker_nested_mount_test")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	tmpDir2, err := ioutil.TempDir("", "docker_nested_mount_test2")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir2)
+
+	// Create a temporary tmpfs mounc.
+	fooDir := filepath.Join(tmpDir, "foo")
+	if err := os.MkdirAll(filepath.Join(tmpDir, "foo"), 0755); err != nil {
+		c.Fatalf("failed to mkdir at %s - %s", fooDir, err)
+	}
+
+	if err := ioutil.WriteFile(fmt.Sprintf("%s/touch-me", fooDir), []byte{}, 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	if err := ioutil.WriteFile(fmt.Sprintf("%s/touch-me", tmpDir), []byte{}, 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	if err := ioutil.WriteFile(fmt.Sprintf("%s/touch-me", tmpDir2), []byte{}, 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	dockerCmd(c, "run",
+		"-v", fmt.Sprintf("%s:"+prefix+"/tmp", tmpDir),
+		"-v", fmt.Sprintf("%s:"+prefix+"/tmp/foo", fooDir),
+		"-v", fmt.Sprintf("%s:"+prefix+"/tmp/tmp2", tmpDir2),
+		"-v", fmt.Sprintf("%s:"+prefix+"/tmp/tmp2/foo", fooDir),
+		"busybox:latest", "sh", "-c",
+		"ls "+prefix+"/tmp/touch-me && ls "+prefix+"/tmp/foo/touch-me && ls "+prefix+"/tmp/tmp2/touch-me && ls "+prefix+"/tmp/tmp2/foo/touch-me")
+}
+
+// Regression test for https://github.com/docker/docker/issues/8259
+func (s *DockerSuite) TestRunReuseBindVolumeThatIsSymlink(c *check.C) {
+	// Not applicable on Windows as Windows does not support volumes
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+	prefix, _ := getPrefixAndSlashFromDaemonPlatform()
+
+	tmpDir, err := ioutil.TempDir(os.TempDir(), "testlink")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	linkPath := os.TempDir() + "/testlink2"
+	if err := os.Symlink(tmpDir, linkPath); err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(linkPath)
+
+	// Create first container
+	dockerCmd(c, "run", "-v", fmt.Sprintf("%s:"+prefix+"/tmp/test", linkPath), "busybox", "ls", prefix+"/tmp/test")
+
+	// Create second container with same symlinked path
+	// This will fail if the referenced issue is hit with a "Volume exists" error
+	dockerCmd(c, "run", "-v", fmt.Sprintf("%s:"+prefix+"/tmp/test", linkPath), "busybox", "ls", prefix+"/tmp/test")
+}
+
+//GH#10604: Test an "/etc" volume doesn't overlay special bind mounts in container
+func (s *DockerSuite) TestRunCreateVolumeEtc(c *check.C) {
+	// While Windows supports volumes, it does not support --add-host hence
+	// this test is not applicable on Windows.
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "--dns=127.0.0.1", "-v", "/etc", "busybox", "cat", "/etc/resolv.conf")
+	if !strings.Contains(out, "nameserver 127.0.0.1") {
+		c.Fatal("/etc volume mount hides /etc/resolv.conf")
+	}
+
+	out, _ = dockerCmd(c, "run", "-h=test123", "-v", "/etc", "busybox", "cat", "/etc/hostname")
+	if !strings.Contains(out, "test123") {
+		c.Fatal("/etc volume mount hides /etc/hostname")
+	}
+
+	out, _ = dockerCmd(c, "run", "--add-host=test:192.168.0.1", "-v", "/etc", "busybox", "cat", "/etc/hosts")
+	out = strings.Replace(out, "\n", " ", -1)
+	if !strings.Contains(out, "192.168.0.1\ttest") || !strings.Contains(out, "127.0.0.1\tlocalhost") {
+		c.Fatal("/etc volume mount hides /etc/hosts")
+	}
+}
+
+func (s *DockerSuite) TestVolumesNoCopyData(c *check.C) {
+	// TODO Windows (Post RS1). Windows does not support volumes which
+	// are pre-populated such as is built in the dockerfile used in this test.
+	testRequires(c, DaemonIsLinux)
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	buildImageSuccessfully(c, "dataimage", build.WithDockerfile(`FROM busybox
+		RUN ["mkdir", "-p", "/foo"]
+		RUN ["touch", "/foo/bar"]`))
+	dockerCmd(c, "run", "--name", "test", "-v", prefix+slash+"foo", "busybox")
+
+	if out, _, err := dockerCmdWithError("run", "--volumes-from", "test", "dataimage", "ls", "-lh", "/foo/bar"); err == nil || !strings.Contains(out, "No such file or directory") {
+		c.Fatalf("Data was copied on volumes-from but shouldn't be:\n%q", out)
+	}
+
+	tmpDir := RandomTmpDirPath("docker_test_bind_mount_copy_data", testEnv.OSType)
+	if out, _, err := dockerCmdWithError("run", "-v", tmpDir+":/foo", "dataimage", "ls", "-lh", "/foo/bar"); err == nil || !strings.Contains(out, "No such file or directory") {
+		c.Fatalf("Data was copied on bind mount but shouldn't be:\n%q", out)
+	}
+}
+
+func (s *DockerSuite) TestRunNoOutputFromPullInStdout(c *check.C) {
+	// just run with unknown image
+	cmd := exec.Command(dockerBinary, "run", "asdfsg")
+	stdout := bytes.NewBuffer(nil)
+	cmd.Stdout = stdout
+	if err := cmd.Run(); err == nil {
+		c.Fatal("Run with unknown image should fail")
+	}
+	if stdout.Len() != 0 {
+		c.Fatalf("Stdout contains output from pull: %s", stdout)
+	}
+}
+
+func (s *DockerSuite) TestRunVolumesCleanPaths(c *check.C) {
+	testRequires(c, SameHostDaemon)
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	buildImageSuccessfully(c, "run_volumes_clean_paths", build.WithDockerfile(`FROM busybox
+		VOLUME `+prefix+`/foo/`))
+	dockerCmd(c, "run", "-v", prefix+"/foo", "-v", prefix+"/bar/", "--name", "dark_helmet", "run_volumes_clean_paths")
+
+	out, err := inspectMountSourceField("dark_helmet", prefix+slash+"foo"+slash)
+	if err != errMountNotFound {
+		c.Fatalf("Found unexpected volume entry for '%s/foo/' in volumes\n%q", prefix, out)
+	}
+
+	out, err = inspectMountSourceField("dark_helmet", prefix+slash+`foo`)
+	c.Assert(err, check.IsNil)
+	if !strings.Contains(strings.ToLower(out), strings.ToLower(testEnv.PlatformDefaults.VolumesConfigPath)) {
+		c.Fatalf("Volume was not defined for %s/foo\n%q", prefix, out)
+	}
+
+	out, err = inspectMountSourceField("dark_helmet", prefix+slash+"bar"+slash)
+	if err != errMountNotFound {
+		c.Fatalf("Found unexpected volume entry for '%s/bar/' in volumes\n%q", prefix, out)
+	}
+
+	out, err = inspectMountSourceField("dark_helmet", prefix+slash+"bar")
+	c.Assert(err, check.IsNil)
+	if !strings.Contains(strings.ToLower(out), strings.ToLower(testEnv.PlatformDefaults.VolumesConfigPath)) {
+		c.Fatalf("Volume was not defined for %s/bar\n%q", prefix, out)
+	}
+}
+
+// Regression test for #3631
+func (s *DockerSuite) TestRunSlowStdoutConsumer(c *check.C) {
+	// TODO Windows: This should be able to run on Windows if can find an
+	// alternate to /dev/zero and /dev/stdout.
+	testRequires(c, DaemonIsLinux)
+
+	args := []string{"run", "--rm", "busybox", "/bin/sh", "-c", "dd if=/dev/zero of=/dev/stdout bs=1024 count=2000 | cat -v"}
+	cont := exec.Command(dockerBinary, args...)
+
+	stdout, err := cont.StdoutPipe()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	if err := cont.Start(); err != nil {
+		c.Fatal(err)
+	}
+	defer func() { go cont.Wait() }()
+	n, err := ConsumeWithSpeed(stdout, 10000, 5*time.Millisecond, nil)
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	expected := 2 * 1024 * 2000
+	if n != expected {
+		c.Fatalf("Expected %d, got %d", expected, n)
+	}
+}
+
+func (s *DockerSuite) TestRunAllowPortRangeThroughExpose(c *check.C) {
+	// TODO Windows: -P is not currently supported. Also network
+	// settings are not propagated back.
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "--expose", "3000-3003", "-P", "busybox", "top")
+
+	id := strings.TrimSpace(out)
+	portstr := inspectFieldJSON(c, id, "NetworkSettings.Ports")
+	var ports nat.PortMap
+	if err := json.Unmarshal([]byte(portstr), &ports); err != nil {
+		c.Fatal(err)
+	}
+	for port, binding := range ports {
+		portnum, _ := strconv.Atoi(strings.Split(string(port), "/")[0])
+		if portnum < 3000 || portnum > 3003 {
+			c.Fatalf("Port %d is out of range ", portnum)
+		}
+		if binding == nil || len(binding) != 1 || len(binding[0].HostPort) == 0 {
+			c.Fatalf("Port is not mapped for the port %s", port)
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunExposePort(c *check.C) {
+	out, _, err := dockerCmdWithError("run", "--expose", "80000", "busybox")
+	c.Assert(err, checker.NotNil, check.Commentf("--expose with an invalid port should error out"))
+	c.Assert(out, checker.Contains, "invalid range format for --expose")
+}
+
+func (s *DockerSuite) TestRunModeIpcHost(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+
+	hostIpc, err := os.Readlink("/proc/1/ns/ipc")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	out, _ := dockerCmd(c, "run", "--ipc=host", "busybox", "readlink", "/proc/self/ns/ipc")
+	out = strings.Trim(out, "\n")
+	if hostIpc != out {
+		c.Fatalf("IPC different with --ipc=host %s != %s\n", hostIpc, out)
+	}
+
+	out, _ = dockerCmd(c, "run", "busybox", "readlink", "/proc/self/ns/ipc")
+	out = strings.Trim(out, "\n")
+	if hostIpc == out {
+		c.Fatalf("IPC should be different without --ipc=host %s == %s\n", hostIpc, out)
+	}
+}
+
+func (s *DockerSuite) TestRunModeIpcContainerNotExists(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "-d", "--ipc", "container:abcd1234", "busybox", "top")
+	if !strings.Contains(out, "abcd1234") || err == nil {
+		c.Fatalf("run IPC from a non exists container should with correct error out")
+	}
+}
+
+func (s *DockerSuite) TestRunModeIpcContainerNotRunning(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "create", "busybox")
+
+	id := strings.TrimSpace(out)
+	out, _, err := dockerCmdWithError("run", fmt.Sprintf("--ipc=container:%s", id), "busybox")
+	if err == nil {
+		c.Fatalf("Run container with ipc mode container should fail with non running container: %s\n%s", out, err)
+	}
+}
+
+func (s *DockerSuite) TestRunModePIDContainer(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", "top")
+
+	id := strings.TrimSpace(out)
+	state := inspectField(c, id, "State.Running")
+	if state != "true" {
+		c.Fatal("Container state is 'not running'")
+	}
+	pid1 := inspectField(c, id, "State.Pid")
+
+	parentContainerPid, err := os.Readlink(fmt.Sprintf("/proc/%s/ns/pid", pid1))
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	out, _ = dockerCmd(c, "run", fmt.Sprintf("--pid=container:%s", id), "busybox", "readlink", "/proc/self/ns/pid")
+	out = strings.Trim(out, "\n")
+	if parentContainerPid != out {
+		c.Fatalf("PID different with --pid=container:%s %s != %s\n", id, parentContainerPid, out)
+	}
+}
+
+func (s *DockerSuite) TestRunModePIDContainerNotExists(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "-d", "--pid", "container:abcd1234", "busybox", "top")
+	if !strings.Contains(out, "abcd1234") || err == nil {
+		c.Fatalf("run PID from a non exists container should with correct error out")
+	}
+}
+
+func (s *DockerSuite) TestRunModePIDContainerNotRunning(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "create", "busybox")
+
+	id := strings.TrimSpace(out)
+	out, _, err := dockerCmdWithError("run", fmt.Sprintf("--pid=container:%s", id), "busybox")
+	if err == nil {
+		c.Fatalf("Run container with pid mode container should fail with non running container: %s\n%s", out, err)
+	}
+}
+
+func (s *DockerSuite) TestRunMountShmMqueueFromHost(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+
+	dockerCmd(c, "run", "-d", "--name", "shmfromhost", "-v", "/dev/shm:/dev/shm", "-v", "/dev/mqueue:/dev/mqueue", "busybox", "sh", "-c", "echo -n test > /dev/shm/test && touch /dev/mqueue/toto && top")
+	defer os.Remove("/dev/mqueue/toto")
+	defer os.Remove("/dev/shm/test")
+	volPath, err := inspectMountSourceField("shmfromhost", "/dev/shm")
+	c.Assert(err, checker.IsNil)
+	if volPath != "/dev/shm" {
+		c.Fatalf("volumePath should have been /dev/shm, was %s", volPath)
+	}
+
+	out, _ := dockerCmd(c, "run", "--name", "ipchost", "--ipc", "host", "busybox", "cat", "/dev/shm/test")
+	if out != "test" {
+		c.Fatalf("Output of /dev/shm/test expected test but found: %s", out)
+	}
+
+	// Check that the mq was created
+	if _, err := os.Stat("/dev/mqueue/toto"); err != nil {
+		c.Fatalf("Failed to confirm '/dev/mqueue/toto' presence on host: %s", err.Error())
+	}
+}
+
+func (s *DockerSuite) TestContainerNetworkMode(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), check.IsNil)
+	pid1 := inspectField(c, id, "State.Pid")
+
+	parentContainerNet, err := os.Readlink(fmt.Sprintf("/proc/%s/ns/net", pid1))
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	out, _ = dockerCmd(c, "run", fmt.Sprintf("--net=container:%s", id), "busybox", "readlink", "/proc/self/ns/net")
+	out = strings.Trim(out, "\n")
+	if parentContainerNet != out {
+		c.Fatalf("NET different with --net=container:%s %s != %s\n", id, parentContainerNet, out)
+	}
+}
+
+func (s *DockerSuite) TestRunModePIDHost(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+
+	hostPid, err := os.Readlink("/proc/1/ns/pid")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	out, _ := dockerCmd(c, "run", "--pid=host", "busybox", "readlink", "/proc/self/ns/pid")
+	out = strings.Trim(out, "\n")
+	if hostPid != out {
+		c.Fatalf("PID different with --pid=host %s != %s\n", hostPid, out)
+	}
+
+	out, _ = dockerCmd(c, "run", "busybox", "readlink", "/proc/self/ns/pid")
+	out = strings.Trim(out, "\n")
+	if hostPid == out {
+		c.Fatalf("PID should be different without --pid=host %s == %s\n", hostPid, out)
+	}
+}
+
+func (s *DockerSuite) TestRunModeUTSHost(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	hostUTS, err := os.Readlink("/proc/1/ns/uts")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	out, _ := dockerCmd(c, "run", "--uts=host", "busybox", "readlink", "/proc/self/ns/uts")
+	out = strings.Trim(out, "\n")
+	if hostUTS != out {
+		c.Fatalf("UTS different with --uts=host %s != %s\n", hostUTS, out)
+	}
+
+	out, _ = dockerCmd(c, "run", "busybox", "readlink", "/proc/self/ns/uts")
+	out = strings.Trim(out, "\n")
+	if hostUTS == out {
+		c.Fatalf("UTS should be different without --uts=host %s == %s\n", hostUTS, out)
+	}
+
+	out, _ = dockerCmdWithFail(c, "run", "-h=name", "--uts=host", "busybox", "ps")
+	c.Assert(out, checker.Contains, runconfig.ErrConflictUTSHostname.Error())
+}
+
+func (s *DockerSuite) TestRunTLSVerify(c *check.C) {
+	// Remote daemons use TLS and this test is not applicable when TLS is required.
+	testRequires(c, SameHostDaemon)
+	if out, code, err := dockerCmdWithError("ps"); err != nil || code != 0 {
+		c.Fatalf("Should have worked: %v:\n%v", err, out)
+	}
+
+	// Regardless of whether we specify true or false we need to
+	// test to make sure tls is turned on if --tlsverify is specified at all
+	result := dockerCmdWithResult("--tlsverify=false", "ps")
+	result.Assert(c, icmd.Expected{ExitCode: 1, Err: "error during connect"})
+
+	result = dockerCmdWithResult("--tlsverify=true", "ps")
+	result.Assert(c, icmd.Expected{ExitCode: 1, Err: "cert"})
+}
+
+func (s *DockerSuite) TestRunPortFromDockerRangeInUse(c *check.C) {
+	// TODO Windows. Once moved to libnetwork/CNM, this may be able to be
+	// re-instated.
+	testRequires(c, DaemonIsLinux)
+	// first find allocator current position
+	out, _ := dockerCmd(c, "run", "-d", "-p", ":80", "busybox", "top")
+
+	id := strings.TrimSpace(out)
+	out, _ = dockerCmd(c, "port", id)
+
+	out = strings.TrimSpace(out)
+	if out == "" {
+		c.Fatal("docker port command output is empty")
+	}
+	out = strings.Split(out, ":")[1]
+	lastPort, err := strconv.Atoi(out)
+	if err != nil {
+		c.Fatal(err)
+	}
+	port := lastPort + 1
+	l, err := net.Listen("tcp", ":"+strconv.Itoa(port))
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer l.Close()
+
+	out, _ = dockerCmd(c, "run", "-d", "-p", ":80", "busybox", "top")
+
+	id = strings.TrimSpace(out)
+	dockerCmd(c, "port", id)
+}
+
+func (s *DockerSuite) TestRunTTYWithPipe(c *check.C) {
+	errChan := make(chan error)
+	go func() {
+		defer close(errChan)
+
+		cmd := exec.Command(dockerBinary, "run", "-ti", "busybox", "true")
+		if _, err := cmd.StdinPipe(); err != nil {
+			errChan <- err
+			return
+		}
+
+		expected := "the input device is not a TTY"
+		if runtime.GOOS == "windows" {
+			expected += ".  If you are using mintty, try prefixing the command with 'winpty'"
+		}
+		if out, _, err := runCommandWithOutput(cmd); err == nil {
+			errChan <- fmt.Errorf("run should have failed")
+			return
+		} else if !strings.Contains(out, expected) {
+			errChan <- fmt.Errorf("run failed with error %q: expected %q", out, expected)
+			return
+		}
+	}()
+
+	select {
+	case err := <-errChan:
+		c.Assert(err, check.IsNil)
+	case <-time.After(30 * time.Second):
+		c.Fatal("container is running but should have failed")
+	}
+}
+
+func (s *DockerSuite) TestRunNonLocalMacAddress(c *check.C) {
+	addr := "00:16:3E:08:00:50"
+	args := []string{"run", "--mac-address", addr}
+	expected := addr
+
+	if testEnv.OSType != "windows" {
+		args = append(args, "busybox", "ifconfig")
+	} else {
+		args = append(args, testEnv.PlatformDefaults.BaseImage, "ipconfig", "/all")
+		expected = strings.Replace(strings.ToUpper(addr), ":", "-", -1)
+	}
+
+	if out, _ := dockerCmd(c, args...); !strings.Contains(out, expected) {
+		c.Fatalf("Output should have contained %q: %s", expected, out)
+	}
+}
+
+func (s *DockerSuite) TestRunNetHost(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+
+	hostNet, err := os.Readlink("/proc/1/ns/net")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	out, _ := dockerCmd(c, "run", "--net=host", "busybox", "readlink", "/proc/self/ns/net")
+	out = strings.Trim(out, "\n")
+	if hostNet != out {
+		c.Fatalf("Net namespace different with --net=host %s != %s\n", hostNet, out)
+	}
+
+	out, _ = dockerCmd(c, "run", "busybox", "readlink", "/proc/self/ns/net")
+	out = strings.Trim(out, "\n")
+	if hostNet == out {
+		c.Fatalf("Net namespace should be different without --net=host %s == %s\n", hostNet, out)
+	}
+}
+
+func (s *DockerSuite) TestRunNetHostTwiceSameName(c *check.C) {
+	// TODO Windows. As Windows networking evolves and converges towards
+	// CNM, this test may be possible to enable on Windows.
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+
+	dockerCmd(c, "run", "--rm", "--name=thost", "--net=host", "busybox", "true")
+	dockerCmd(c, "run", "--rm", "--name=thost", "--net=host", "busybox", "true")
+}
+
+func (s *DockerSuite) TestRunNetContainerWhichHost(c *check.C) {
+	// Not applicable on Windows as uses Unix-specific capabilities
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+
+	hostNet, err := os.Readlink("/proc/1/ns/net")
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	dockerCmd(c, "run", "-d", "--net=host", "--name=test", "busybox", "top")
+
+	out, _ := dockerCmd(c, "run", "--net=container:test", "busybox", "readlink", "/proc/self/ns/net")
+	out = strings.Trim(out, "\n")
+	if hostNet != out {
+		c.Fatalf("Container should have host network namespace")
+	}
+}
+
+func (s *DockerSuite) TestRunAllowPortRangeThroughPublish(c *check.C) {
+	// TODO Windows. This may be possible to enable in the future. However,
+	// Windows does not currently support --expose, or populate the network
+	// settings seen through inspect.
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "--expose", "3000-3003", "-p", "3000-3003", "busybox", "top")
+
+	id := strings.TrimSpace(out)
+	portstr := inspectFieldJSON(c, id, "NetworkSettings.Ports")
+
+	var ports nat.PortMap
+	err := json.Unmarshal([]byte(portstr), &ports)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to unmarshal: %v", portstr))
+	for port, binding := range ports {
+		portnum, _ := strconv.Atoi(strings.Split(string(port), "/")[0])
+		if portnum < 3000 || portnum > 3003 {
+			c.Fatalf("Port %d is out of range ", portnum)
+		}
+		if binding == nil || len(binding) != 1 || len(binding[0].HostPort) == 0 {
+			c.Fatal("Port is not mapped for the port "+port, out)
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunSetDefaultRestartPolicy(c *check.C) {
+	runSleepingContainer(c, "--name=testrunsetdefaultrestartpolicy")
+	out := inspectField(c, "testrunsetdefaultrestartpolicy", "HostConfig.RestartPolicy.Name")
+	if out != "no" {
+		c.Fatalf("Set default restart policy failed")
+	}
+}
+
+func (s *DockerSuite) TestRunRestartMaxRetries(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "--restart=on-failure:3", "busybox", "false")
+	timeout := 10 * time.Second
+	if testEnv.OSType == "windows" {
+		timeout = 120 * time.Second
+	}
+
+	id := strings.TrimSpace(string(out))
+	if err := waitInspect(id, "{{ .State.Restarting }} {{ .State.Running }}", "false false", timeout); err != nil {
+		c.Fatal(err)
+	}
+
+	count := inspectField(c, id, "RestartCount")
+	if count != "3" {
+		c.Fatalf("Container was restarted %s times, expected %d", count, 3)
+	}
+
+	MaximumRetryCount := inspectField(c, id, "HostConfig.RestartPolicy.MaximumRetryCount")
+	if MaximumRetryCount != "3" {
+		c.Fatalf("Container Maximum Retry Count is %s, expected %s", MaximumRetryCount, "3")
+	}
+}
+
+func (s *DockerSuite) TestRunContainerWithWritableRootfs(c *check.C) {
+	dockerCmd(c, "run", "--rm", "busybox", "touch", "/file")
+}
+
+func (s *DockerSuite) TestRunContainerWithReadonlyRootfs(c *check.C) {
+	// Not applicable on Windows which does not support --read-only
+	testRequires(c, DaemonIsLinux, UserNamespaceROMount)
+
+	testPriv := true
+	// don't test privileged mode subtest if user namespaces enabled
+	if root := os.Getenv("DOCKER_REMAP_ROOT"); root != "" {
+		testPriv = false
+	}
+	testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname")
+}
+
+func (s *DockerSuite) TestPermissionsPtsReadonlyRootfs(c *check.C) {
+	// Not applicable on Windows due to use of Unix specific functionality, plus
+	// the use of --read-only which is not supported.
+	testRequires(c, DaemonIsLinux, UserNamespaceROMount)
+
+	// Ensure we have not broken writing /dev/pts
+	out, status := dockerCmd(c, "run", "--read-only", "--rm", "busybox", "mount")
+	if status != 0 {
+		c.Fatal("Could not obtain mounts when checking /dev/pts mntpnt.")
+	}
+	expected := "type devpts (rw,"
+	if !strings.Contains(string(out), expected) {
+		c.Fatalf("expected output to contain %s but contains %s", expected, out)
+	}
+}
+
+func testReadOnlyFile(c *check.C, testPriv bool, filenames ...string) {
+	touch := "touch " + strings.Join(filenames, " ")
+	out, _, err := dockerCmdWithError("run", "--read-only", "--rm", "busybox", "sh", "-c", touch)
+	c.Assert(err, checker.NotNil)
+
+	for _, f := range filenames {
+		expected := "touch: " + f + ": Read-only file system"
+		c.Assert(out, checker.Contains, expected)
+	}
+
+	if !testPriv {
+		return
+	}
+
+	out, _, err = dockerCmdWithError("run", "--read-only", "--privileged", "--rm", "busybox", "sh", "-c", touch)
+	c.Assert(err, checker.NotNil)
+
+	for _, f := range filenames {
+		expected := "touch: " + f + ": Read-only file system"
+		c.Assert(out, checker.Contains, expected)
+	}
+}
+
+func (s *DockerSuite) TestRunContainerWithReadonlyEtcHostsAndLinkedContainer(c *check.C) {
+	// Not applicable on Windows which does not support --link
+	testRequires(c, DaemonIsLinux, UserNamespaceROMount)
+
+	dockerCmd(c, "run", "-d", "--name", "test-etc-hosts-ro-linked", "busybox", "top")
+
+	out, _ := dockerCmd(c, "run", "--read-only", "--link", "test-etc-hosts-ro-linked:testlinked", "busybox", "cat", "/etc/hosts")
+	if !strings.Contains(string(out), "testlinked") {
+		c.Fatal("Expected /etc/hosts to be updated even if --read-only enabled")
+	}
+}
+
+func (s *DockerSuite) TestRunContainerWithReadonlyRootfsWithDNSFlag(c *check.C) {
+	// Not applicable on Windows which does not support either --read-only or --dns.
+	testRequires(c, DaemonIsLinux, UserNamespaceROMount)
+
+	out, _ := dockerCmd(c, "run", "--read-only", "--dns", "1.1.1.1", "busybox", "/bin/cat", "/etc/resolv.conf")
+	if !strings.Contains(string(out), "1.1.1.1") {
+		c.Fatal("Expected /etc/resolv.conf to be updated even if --read-only enabled and --dns flag used")
+	}
+}
+
+func (s *DockerSuite) TestRunContainerWithReadonlyRootfsWithAddHostFlag(c *check.C) {
+	// Not applicable on Windows which does not support --read-only
+	testRequires(c, DaemonIsLinux, UserNamespaceROMount)
+
+	out, _ := dockerCmd(c, "run", "--read-only", "--add-host", "testreadonly:127.0.0.1", "busybox", "/bin/cat", "/etc/hosts")
+	if !strings.Contains(string(out), "testreadonly") {
+		c.Fatal("Expected /etc/hosts to be updated even if --read-only enabled and --add-host flag used")
+	}
+}
+
+func (s *DockerSuite) TestRunVolumesFromRestartAfterRemoved(c *check.C) {
+	prefix, _ := getPrefixAndSlashFromDaemonPlatform()
+	runSleepingContainer(c, "--name=voltest", "-v", prefix+"/foo")
+	runSleepingContainer(c, "--name=restarter", "--volumes-from", "voltest")
+
+	// Remove the main volume container and restart the consuming container
+	dockerCmd(c, "rm", "-f", "voltest")
+
+	// This should not fail since the volumes-from were already applied
+	dockerCmd(c, "restart", "restarter")
+}
+
+// run container with --rm should remove container if exit code != 0
+func (s *DockerSuite) TestRunContainerWithRmFlagExitCodeNotEqualToZero(c *check.C) {
+	existingContainers := ExistingContainerIDs(c)
+	name := "flowers"
+	cli.Docker(cli.Args("run", "--name", name, "--rm", "busybox", "ls", "/notexists")).Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+
+	out := cli.DockerCmd(c, "ps", "-q", "-a").Combined()
+	out = RemoveOutputForExistingElements(out, existingContainers)
+	if out != "" {
+		c.Fatal("Expected not to have containers", out)
+	}
+}
+
+func (s *DockerSuite) TestRunContainerWithRmFlagCannotStartContainer(c *check.C) {
+	existingContainers := ExistingContainerIDs(c)
+	name := "sparkles"
+	cli.Docker(cli.Args("run", "--name", name, "--rm", "busybox", "commandNotFound")).Assert(c, icmd.Expected{
+		ExitCode: 127,
+	})
+	out := cli.DockerCmd(c, "ps", "-q", "-a").Combined()
+	out = RemoveOutputForExistingElements(out, existingContainers)
+	if out != "" {
+		c.Fatal("Expected not to have containers", out)
+	}
+}
+
+func (s *DockerSuite) TestRunPIDHostWithChildIsKillable(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	name := "ibuildthecloud"
+	dockerCmd(c, "run", "-d", "--pid=host", "--name", name, "busybox", "sh", "-c", "sleep 30; echo hi")
+
+	c.Assert(waitRun(name), check.IsNil)
+
+	errchan := make(chan error)
+	go func() {
+		if out, _, err := dockerCmdWithError("kill", name); err != nil {
+			errchan <- fmt.Errorf("%v:\n%s", err, out)
+		}
+		close(errchan)
+	}()
+	select {
+	case err := <-errchan:
+		c.Assert(err, check.IsNil)
+	case <-time.After(5 * time.Second):
+		c.Fatal("Kill container timed out")
+	}
+}
+
+func (s *DockerSuite) TestRunWithTooSmallMemoryLimit(c *check.C) {
+	// TODO Windows. This may be possible to enable once Windows supports
+	// memory limits on containers
+	testRequires(c, DaemonIsLinux)
+	// this memory limit is 1 byte less than the min, which is 4MB
+	// https://github.com/docker/docker/blob/v1.5.0/daemon/create.go#L22
+	out, _, err := dockerCmdWithError("run", "-m", "4194303", "busybox")
+	if err == nil || !strings.Contains(out, "Minimum memory limit allowed is 4MB") {
+		c.Fatalf("expected run to fail when using too low a memory limit: %q", out)
+	}
+}
+
+func (s *DockerSuite) TestRunWriteToProcAsound(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+	_, code, err := dockerCmdWithError("run", "busybox", "sh", "-c", "echo 111 >> /proc/asound/version")
+	if err == nil || code == 0 {
+		c.Fatal("standard container should not be able to write to /proc/asound")
+	}
+}
+
+func (s *DockerSuite) TestRunReadProcTimer(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+	out, code, err := dockerCmdWithError("run", "busybox", "cat", "/proc/timer_stats")
+	if code != 0 {
+		return
+	}
+	if err != nil {
+		c.Fatal(err)
+	}
+	if strings.Trim(out, "\n ") != "" {
+		c.Fatalf("expected to receive no output from /proc/timer_stats but received %q", out)
+	}
+}
+
+func (s *DockerSuite) TestRunReadProcLatency(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+	// some kernels don't have this configured so skip the test if this file is not found
+	// on the host running the tests.
+	if _, err := os.Stat("/proc/latency_stats"); err != nil {
+		c.Skip("kernel doesn't have latency_stats configured")
+		return
+	}
+	out, code, err := dockerCmdWithError("run", "busybox", "cat", "/proc/latency_stats")
+	if code != 0 {
+		return
+	}
+	if err != nil {
+		c.Fatal(err)
+	}
+	if strings.Trim(out, "\n ") != "" {
+		c.Fatalf("expected to receive no output from /proc/latency_stats but received %q", out)
+	}
+}
+
+func (s *DockerSuite) TestRunReadFilteredProc(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, Apparmor, DaemonIsLinux, NotUserNamespace)
+
+	testReadPaths := []string{
+		"/proc/latency_stats",
+		"/proc/timer_stats",
+		"/proc/kcore",
+	}
+	for i, filePath := range testReadPaths {
+		name := fmt.Sprintf("procsieve-%d", i)
+		shellCmd := fmt.Sprintf("exec 3<%s", filePath)
+
+		out, exitCode, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor=docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
+		if exitCode != 0 {
+			return
+		}
+		if err != nil {
+			c.Fatalf("Open FD for read should have failed with permission denied, got: %s, %v", out, err)
+		}
+	}
+}
+
+func (s *DockerSuite) TestMountIntoProc(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+	_, code, err := dockerCmdWithError("run", "-v", "/proc//sys", "busybox", "true")
+	if err == nil || code == 0 {
+		c.Fatal("container should not be able to mount into /proc")
+	}
+}
+
+func (s *DockerSuite) TestMountIntoSys(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, NotUserNamespace)
+	dockerCmd(c, "run", "-v", "/sys/fs/cgroup", "busybox", "true")
+}
+
+func (s *DockerSuite) TestRunUnshareProc(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, Apparmor, DaemonIsLinux, NotUserNamespace)
+
+	// In this test goroutines are used to run test cases in parallel to prevent the test from taking a long time to run.
+	errChan := make(chan error)
+
+	go func() {
+		name := "acidburn"
+		out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "--mount-proc=/proc", "mount")
+		if err == nil ||
+			!(strings.Contains(strings.ToLower(out), "permission denied") ||
+				strings.Contains(strings.ToLower(out), "operation not permitted")) {
+			errChan <- fmt.Errorf("unshare with --mount-proc should have failed with 'permission denied' or 'operation not permitted', got: %s, %v", out, err)
+		} else {
+			errChan <- nil
+		}
+	}()
+
+	go func() {
+		name := "cereal"
+		out, _, err := dockerCmdWithError("run", "--name", name, "--security-opt", "seccomp=unconfined", "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
+		if err == nil ||
+			!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
+				strings.Contains(strings.ToLower(out), "permission denied") ||
+				strings.Contains(strings.ToLower(out), "operation not permitted")) {
+			errChan <- fmt.Errorf("unshare and mount of /proc should have failed with 'mount: cannot mount none' or 'permission denied', got: %s, %v", out, err)
+		} else {
+			errChan <- nil
+		}
+	}()
+
+	/* Ensure still fails if running privileged with the default policy */
+	go func() {
+		name := "crashoverride"
+		out, _, err := dockerCmdWithError("run", "--privileged", "--security-opt", "seccomp=unconfined", "--security-opt", "apparmor=docker-default", "--name", name, "debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc")
+		if err == nil ||
+			!(strings.Contains(strings.ToLower(out), "mount: cannot mount none") ||
+				strings.Contains(strings.ToLower(out), "permission denied") ||
+				strings.Contains(strings.ToLower(out), "operation not permitted")) {
+			errChan <- fmt.Errorf("privileged unshare with apparmor should have failed with 'mount: cannot mount none' or 'permission denied', got: %s, %v", out, err)
+		} else {
+			errChan <- nil
+		}
+	}()
+
+	var retErr error
+	for i := 0; i < 3; i++ {
+		err := <-errChan
+		if retErr == nil && err != nil {
+			retErr = err
+		}
+	}
+	if retErr != nil {
+		c.Fatal(retErr)
+	}
+}
+
+func (s *DockerSuite) TestRunPublishPort(c *check.C) {
+	// TODO Windows: This may be possible once Windows moves to libnetwork and CNM
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name", "test", "--expose", "8080", "busybox", "top")
+	out, _ := dockerCmd(c, "port", "test")
+	out = strings.Trim(out, "\r\n")
+	if out != "" {
+		c.Fatalf("run without --publish-all should not publish port, out should be nil, but got: %s", out)
+	}
+}
+
+// Issue #10184.
+func (s *DockerSuite) TestDevicePermissions(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+	const permissions = "crw-rw-rw-"
+	out, status := dockerCmd(c, "run", "--device", "/dev/fuse:/dev/fuse:mrw", "busybox:latest", "ls", "-l", "/dev/fuse")
+	if status != 0 {
+		c.Fatalf("expected status 0, got %d", status)
+	}
+	if !strings.HasPrefix(out, permissions) {
+		c.Fatalf("output should begin with %q, got %q", permissions, out)
+	}
+}
+
+func (s *DockerSuite) TestRunCapAddCHOWN(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "--cap-drop=ALL", "--cap-add=CHOWN", "busybox", "sh", "-c", "adduser -D -H newuser && chown newuser /home && echo ok")
+
+	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+		c.Fatalf("expected output ok received %s", actual)
+	}
+}
+
+// https://github.com/docker/docker/pull/14498
+func (s *DockerSuite) TestVolumeFromMixedRWOptions(c *check.C) {
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+
+	dockerCmd(c, "run", "--name", "parent", "-v", prefix+"/test", "busybox", "true")
+
+	dockerCmd(c, "run", "--volumes-from", "parent:ro", "--name", "test-volumes-1", "busybox", "true")
+	dockerCmd(c, "run", "--volumes-from", "parent:rw", "--name", "test-volumes-2", "busybox", "true")
+
+	if testEnv.OSType != "windows" {
+		mRO, err := inspectMountPoint("test-volumes-1", prefix+slash+"test")
+		c.Assert(err, checker.IsNil, check.Commentf("failed to inspect mount point"))
+		if mRO.RW {
+			c.Fatalf("Expected RO volume was RW")
+		}
+	}
+
+	mRW, err := inspectMountPoint("test-volumes-2", prefix+slash+"test")
+	c.Assert(err, checker.IsNil, check.Commentf("failed to inspect mount point"))
+	if !mRW.RW {
+		c.Fatalf("Expected RW volume was RO")
+	}
+}
+
+func (s *DockerSuite) TestRunWriteFilteredProc(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, Apparmor, DaemonIsLinux, NotUserNamespace)
+
+	testWritePaths := []string{
+		/* modprobe and core_pattern should both be denied by generic
+		 * policy of denials for /proc/sys/kernel. These files have been
+		 * picked to be checked as they are particularly sensitive to writes */
+		"/proc/sys/kernel/modprobe",
+		"/proc/sys/kernel/core_pattern",
+		"/proc/sysrq-trigger",
+		"/proc/kcore",
+	}
+	for i, filePath := range testWritePaths {
+		name := fmt.Sprintf("writeprocsieve-%d", i)
+
+		shellCmd := fmt.Sprintf("exec 3>%s", filePath)
+		out, code, err := dockerCmdWithError("run", "--privileged", "--security-opt", "apparmor=docker-default", "--name", name, "busybox", "sh", "-c", shellCmd)
+		if code != 0 {
+			return
+		}
+		if err != nil {
+			c.Fatalf("Open FD for write should have failed with permission denied, got: %s, %v", out, err)
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunNetworkFilesBindMount(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	expected := "test123"
+
+	filename := createTmpFile(c, expected)
+	defer os.Remove(filename)
+
+	// for user namespaced test runs, the temp file must be accessible to unprivileged root
+	if err := os.Chmod(filename, 0646); err != nil {
+		c.Fatalf("error modifying permissions of %s: %v", filename, err)
+	}
+
+	nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
+
+	for i := range nwfiles {
+		actual, _ := dockerCmd(c, "run", "-v", filename+":"+nwfiles[i], "busybox", "cat", nwfiles[i])
+		if actual != expected {
+			c.Fatalf("expected %s be: %q, but was: %q", nwfiles[i], expected, actual)
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunNetworkFilesBindMountRO(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	filename := createTmpFile(c, "test123")
+	defer os.Remove(filename)
+
+	// for user namespaced test runs, the temp file must be accessible to unprivileged root
+	if err := os.Chmod(filename, 0646); err != nil {
+		c.Fatalf("error modifying permissions of %s: %v", filename, err)
+	}
+
+	nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
+
+	for i := range nwfiles {
+		_, exitCode, err := dockerCmdWithError("run", "-v", filename+":"+nwfiles[i]+":ro", "busybox", "touch", nwfiles[i])
+		if err == nil || exitCode == 0 {
+			c.Fatalf("run should fail because bind mount of %s is ro: exit code %d", nwfiles[i], exitCode)
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunNetworkFilesBindMountROFilesystem(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, SameHostDaemon, DaemonIsLinux, UserNamespaceROMount)
+
+	filename := createTmpFile(c, "test123")
+	defer os.Remove(filename)
+
+	// for user namespaced test runs, the temp file must be accessible to unprivileged root
+	if err := os.Chmod(filename, 0646); err != nil {
+		c.Fatalf("error modifying permissions of %s: %v", filename, err)
+	}
+
+	nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
+
+	for i := range nwfiles {
+		_, exitCode := dockerCmd(c, "run", "-v", filename+":"+nwfiles[i], "--read-only", "busybox", "touch", nwfiles[i])
+		if exitCode != 0 {
+			c.Fatalf("run should not fail because %s is mounted writable on read-only root filesystem: exit code %d", nwfiles[i], exitCode)
+		}
+	}
+
+	for i := range nwfiles {
+		_, exitCode, err := dockerCmdWithError("run", "-v", filename+":"+nwfiles[i]+":ro", "--read-only", "busybox", "touch", nwfiles[i])
+		if err == nil || exitCode == 0 {
+			c.Fatalf("run should fail because %s is mounted read-only on read-only root filesystem: exit code %d", nwfiles[i], exitCode)
+		}
+	}
+}
+
+func (s *DockerSuite) TestPtraceContainerProcsFromHost(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), check.IsNil)
+	pid1 := inspectField(c, id, "State.Pid")
+
+	_, err := os.Readlink(fmt.Sprintf("/proc/%s/ns/net", pid1))
+	if err != nil {
+		c.Fatal(err)
+	}
+}
+
+func (s *DockerSuite) TestAppArmorDeniesPtrace(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, SameHostDaemon, Apparmor, DaemonIsLinux)
+
+	// Run through 'sh' so we are NOT pid 1. Pid 1 may be able to trace
+	// itself, but pid>1 should not be able to trace pid1.
+	_, exitCode, _ := dockerCmdWithError("run", "busybox", "sh", "-c", "sh -c readlink /proc/1/ns/net")
+	if exitCode == 0 {
+		c.Fatal("ptrace was not successfully restricted by AppArmor")
+	}
+}
+
+func (s *DockerSuite) TestAppArmorTraceSelf(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux, SameHostDaemon, Apparmor)
+
+	_, exitCode, _ := dockerCmdWithError("run", "busybox", "readlink", "/proc/1/ns/net")
+	if exitCode != 0 {
+		c.Fatal("ptrace of self failed.")
+	}
+}
+
+func (s *DockerSuite) TestAppArmorDeniesChmodProc(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, SameHostDaemon, Apparmor, DaemonIsLinux, NotUserNamespace)
+	_, exitCode, _ := dockerCmdWithError("run", "busybox", "chmod", "744", "/proc/cpuinfo")
+	if exitCode == 0 {
+		// If our test failed, attempt to repair the host system...
+		_, exitCode, _ := dockerCmdWithError("run", "busybox", "chmod", "444", "/proc/cpuinfo")
+		if exitCode == 0 {
+			c.Fatal("AppArmor was unsuccessful in prohibiting chmod of /proc/* files.")
+		}
+	}
+}
+
+func (s *DockerSuite) TestRunCapAddSYSTIME(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+
+	dockerCmd(c, "run", "--cap-drop=ALL", "--cap-add=SYS_TIME", "busybox", "sh", "-c", "grep ^CapEff /proc/self/status | sed 's/^CapEff:\t//' | grep ^0000000002000000$")
+}
+
+// run create container failed should clean up the container
+func (s *DockerSuite) TestRunCreateContainerFailedCleanUp(c *check.C) {
+	// TODO Windows. This may be possible to enable once link is supported
+	testRequires(c, DaemonIsLinux)
+	name := "unique_name"
+	_, _, err := dockerCmdWithError("run", "--name", name, "--link", "nothing:nothing", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf("Expected docker run to fail!"))
+
+	containerID, err := inspectFieldWithError(name, "Id")
+	c.Assert(err, checker.NotNil, check.Commentf("Expected not to have this container: %s!", containerID))
+	c.Assert(containerID, check.Equals, "", check.Commentf("Expected not to have this container: %s!", containerID))
+}
+
+func (s *DockerSuite) TestRunNamedVolume(c *check.C) {
+	prefix, _ := getPrefixAndSlashFromDaemonPlatform()
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "--name=test", "-v", "testing:"+prefix+"/foo", "busybox", "sh", "-c", "echo hello > "+prefix+"/foo/bar")
+
+	out, _ := dockerCmd(c, "run", "--volumes-from", "test", "busybox", "sh", "-c", "cat "+prefix+"/foo/bar")
+	c.Assert(strings.TrimSpace(out), check.Equals, "hello")
+
+	out, _ = dockerCmd(c, "run", "-v", "testing:"+prefix+"/foo", "busybox", "sh", "-c", "cat "+prefix+"/foo/bar")
+	c.Assert(strings.TrimSpace(out), check.Equals, "hello")
+}
+
+func (s *DockerSuite) TestRunWithUlimits(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "run", "--name=testulimits", "--ulimit", "nofile=42", "busybox", "/bin/sh", "-c", "ulimit -n")
+	ul := strings.TrimSpace(out)
+	if ul != "42" {
+		c.Fatalf("expected `ulimit -n` to be 42, got %s", ul)
+	}
+}
+
+func (s *DockerSuite) TestRunContainerWithCgroupParent(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+
+	// cgroup-parent relative path
+	testRunContainerWithCgroupParent(c, "test", "cgroup-test")
+
+	// cgroup-parent absolute path
+	testRunContainerWithCgroupParent(c, "/cgroup-parent/test", "cgroup-test-absolute")
+}
+
+func testRunContainerWithCgroupParent(c *check.C, cgroupParent, name string) {
+	out, _, err := dockerCmdWithError("run", "--cgroup-parent", cgroupParent, "--name", name, "busybox", "cat", "/proc/self/cgroup")
+	if err != nil {
+		c.Fatalf("unexpected failure when running container with --cgroup-parent option - %s\n%v", string(out), err)
+	}
+	cgroupPaths := ParseCgroupPaths(string(out))
+	if len(cgroupPaths) == 0 {
+		c.Fatalf("unexpected output - %q", string(out))
+	}
+	id := getIDByName(c, name)
+	expectedCgroup := path.Join(cgroupParent, id)
+	found := false
+	for _, path := range cgroupPaths {
+		if strings.HasSuffix(path, expectedCgroup) {
+			found = true
+			break
+		}
+	}
+	if !found {
+		c.Fatalf("unexpected cgroup paths. Expected at least one cgroup path to have suffix %q. Cgroup Paths: %v", expectedCgroup, cgroupPaths)
+	}
+}
+
+// TestRunInvalidCgroupParent checks that a specially-crafted cgroup parent doesn't cause Docker to crash or start modifying /.
+func (s *DockerSuite) TestRunInvalidCgroupParent(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	testRequires(c, DaemonIsLinux)
+
+	testRunInvalidCgroupParent(c, "../../../../../../../../SHOULD_NOT_EXIST", "SHOULD_NOT_EXIST", "cgroup-invalid-test")
+
+	testRunInvalidCgroupParent(c, "/../../../../../../../../SHOULD_NOT_EXIST", "/SHOULD_NOT_EXIST", "cgroup-absolute-invalid-test")
+}
+
+func testRunInvalidCgroupParent(c *check.C, cgroupParent, cleanCgroupParent, name string) {
+	out, _, err := dockerCmdWithError("run", "--cgroup-parent", cgroupParent, "--name", name, "busybox", "cat", "/proc/self/cgroup")
+	if err != nil {
+		// XXX: This may include a daemon crash.
+		c.Fatalf("unexpected failure when running container with --cgroup-parent option - %s\n%v", string(out), err)
+	}
+
+	// We expect "/SHOULD_NOT_EXIST" to not exist. If not, we have a security issue.
+	if _, err := os.Stat("/SHOULD_NOT_EXIST"); err == nil || !os.IsNotExist(err) {
+		c.Fatalf("SECURITY: --cgroup-parent with ../../ relative paths cause files to be created in the host (this is bad) !!")
+	}
+
+	cgroupPaths := ParseCgroupPaths(string(out))
+	if len(cgroupPaths) == 0 {
+		c.Fatalf("unexpected output - %q", string(out))
+	}
+	id := getIDByName(c, name)
+	expectedCgroup := path.Join(cleanCgroupParent, id)
+	found := false
+	for _, path := range cgroupPaths {
+		if strings.HasSuffix(path, expectedCgroup) {
+			found = true
+			break
+		}
+	}
+	if !found {
+		c.Fatalf("unexpected cgroup paths. Expected at least one cgroup path to have suffix %q. Cgroup Paths: %v", expectedCgroup, cgroupPaths)
+	}
+}
+
+func (s *DockerSuite) TestRunContainerWithCgroupMountRO(c *check.C) {
+	// Not applicable on Windows as uses Unix specific functionality
+	// --read-only + userns has remount issues
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+
+	filename := "/sys/fs/cgroup/devices/test123"
+	out, _, err := dockerCmdWithError("run", "busybox", "touch", filename)
+	if err == nil {
+		c.Fatal("expected cgroup mount point to be read-only, touch file should fail")
+	}
+	expected := "Read-only file system"
+	if !strings.Contains(out, expected) {
+		c.Fatalf("expected output from failure to contain %s but contains %s", expected, out)
+	}
+}
+
+func (s *DockerSuite) TestRunContainerNetworkModeToSelf(c *check.C) {
+	// Not applicable on Windows which does not support --net=container
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "--name=me", "--net=container:me", "busybox", "true")
+	if err == nil || !strings.Contains(out, "cannot join own network") {
+		c.Fatalf("using container net mode to self should result in an error\nerr: %q\nout: %s", err, out)
+	}
+}
+
+func (s *DockerSuite) TestRunContainerNetModeWithDNSMacHosts(c *check.C) {
+	// Not applicable on Windows which does not support --net=container
+	testRequires(c, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "-d", "--name", "parent", "busybox", "top")
+	if err != nil {
+		c.Fatalf("failed to run container: %v, output: %q", err, out)
+	}
+
+	out, _, err = dockerCmdWithError("run", "--dns", "1.2.3.4", "--net=container:parent", "busybox")
+	if err == nil || !strings.Contains(out, runconfig.ErrConflictNetworkAndDNS.Error()) {
+		c.Fatalf("run --net=container with --dns should error out")
+	}
+
+	out, _, err = dockerCmdWithError("run", "--mac-address", "92:d0:c6:0a:29:33", "--net=container:parent", "busybox")
+	if err == nil || !strings.Contains(out, runconfig.ErrConflictContainerNetworkAndMac.Error()) {
+		c.Fatalf("run --net=container with --mac-address should error out")
+	}
+
+	out, _, err = dockerCmdWithError("run", "--add-host", "test:192.168.2.109", "--net=container:parent", "busybox")
+	if err == nil || !strings.Contains(out, runconfig.ErrConflictNetworkHosts.Error()) {
+		c.Fatalf("run --net=container with --add-host should error out")
+	}
+}
+
+func (s *DockerSuite) TestRunContainerNetModeWithExposePort(c *check.C) {
+	// Not applicable on Windows which does not support --net=container
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name", "parent", "busybox", "top")
+
+	out, _, err := dockerCmdWithError("run", "-p", "5000:5000", "--net=container:parent", "busybox")
+	if err == nil || !strings.Contains(out, runconfig.ErrConflictNetworkPublishPorts.Error()) {
+		c.Fatalf("run --net=container with -p should error out")
+	}
+
+	out, _, err = dockerCmdWithError("run", "-P", "--net=container:parent", "busybox")
+	if err == nil || !strings.Contains(out, runconfig.ErrConflictNetworkPublishPorts.Error()) {
+		c.Fatalf("run --net=container with -P should error out")
+	}
+
+	out, _, err = dockerCmdWithError("run", "--expose", "5000", "--net=container:parent", "busybox")
+	if err == nil || !strings.Contains(out, runconfig.ErrConflictNetworkExposePorts.Error()) {
+		c.Fatalf("run --net=container with --expose should error out")
+	}
+}
+
+func (s *DockerSuite) TestRunLinkToContainerNetMode(c *check.C) {
+	// Not applicable on Windows which does not support --net=container or --link
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "--name", "test", "-d", "busybox", "top")
+	dockerCmd(c, "run", "--name", "parent", "-d", "--net=container:test", "busybox", "top")
+	dockerCmd(c, "run", "-d", "--link=parent:parent", "busybox", "top")
+	dockerCmd(c, "run", "--name", "child", "-d", "--net=container:parent", "busybox", "top")
+	dockerCmd(c, "run", "-d", "--link=child:child", "busybox", "top")
+}
+
+func (s *DockerSuite) TestRunLoopbackOnlyExistsWhenNetworkingDisabled(c *check.C) {
+	// TODO Windows: This may be possible to convert.
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "--net=none", "busybox", "ip", "-o", "-4", "a", "show", "up")
+
+	var (
+		count = 0
+		parts = strings.Split(out, "\n")
+	)
+
+	for _, l := range parts {
+		if l != "" {
+			count++
+		}
+	}
+
+	if count != 1 {
+		c.Fatalf("Wrong interface count in container %d", count)
+	}
+
+	if !strings.HasPrefix(out, "1: lo") {
+		c.Fatalf("Wrong interface in test container: expected [1: lo], got %s", out)
+	}
+}
+
+// Issue #4681
+func (s *DockerSuite) TestRunLoopbackWhenNetworkDisabled(c *check.C) {
+	if testEnv.OSType == "windows" {
+		dockerCmd(c, "run", "--net=none", testEnv.PlatformDefaults.BaseImage, "ping", "-n", "1", "127.0.0.1")
+	} else {
+		dockerCmd(c, "run", "--net=none", "busybox", "ping", "-c", "1", "127.0.0.1")
+	}
+}
+
+func (s *DockerSuite) TestRunModeNetContainerHostname(c *check.C) {
+	// Windows does not support --net=container
+	testRequires(c, DaemonIsLinux, ExecSupport)
+
+	dockerCmd(c, "run", "-i", "-d", "--name", "parent", "busybox", "top")
+	out, _ := dockerCmd(c, "exec", "parent", "cat", "/etc/hostname")
+	out1, _ := dockerCmd(c, "run", "--net=container:parent", "busybox", "cat", "/etc/hostname")
+
+	if out1 != out {
+		c.Fatal("containers with shared net namespace should have same hostname")
+	}
+}
+
+func (s *DockerSuite) TestRunNetworkNotInitializedNoneMode(c *check.C) {
+	// TODO Windows: Network settings are not currently propagated. This may
+	// be resolved in the future with the move to libnetwork and CNM.
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "--net=none", "busybox", "top")
+	id := strings.TrimSpace(out)
+	res := inspectField(c, id, "NetworkSettings.Networks.none.IPAddress")
+	if res != "" {
+		c.Fatalf("For 'none' mode network must not be initialized, but container got IP: %s", res)
+	}
+}
+
+func (s *DockerSuite) TestTwoContainersInNetHost(c *check.C) {
+	// Not applicable as Windows does not support --net=host
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotUserNamespace)
+	dockerCmd(c, "run", "-d", "--net=host", "--name=first", "busybox", "top")
+	dockerCmd(c, "run", "-d", "--net=host", "--name=second", "busybox", "top")
+	dockerCmd(c, "stop", "first")
+	dockerCmd(c, "stop", "second")
+}
+
+func (s *DockerSuite) TestContainersInUserDefinedNetwork(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork")
+	dockerCmd(c, "run", "-d", "--net=testnetwork", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+	dockerCmd(c, "run", "-t", "--net=testnetwork", "--name=second", "busybox", "ping", "-c", "1", "first")
+}
+
+func (s *DockerSuite) TestContainersInMultipleNetworks(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	// Create 2 networks using bridge driver
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork1")
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork2")
+	// Run and connect containers to testnetwork1
+	dockerCmd(c, "run", "-d", "--net=testnetwork1", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+	dockerCmd(c, "run", "-d", "--net=testnetwork1", "--name=second", "busybox", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+	// Check connectivity between containers in testnetwork2
+	dockerCmd(c, "exec", "first", "ping", "-c", "1", "second.testnetwork1")
+	// Connect containers to testnetwork2
+	dockerCmd(c, "network", "connect", "testnetwork2", "first")
+	dockerCmd(c, "network", "connect", "testnetwork2", "second")
+	// Check connectivity between containers
+	dockerCmd(c, "exec", "second", "ping", "-c", "1", "first.testnetwork2")
+}
+
+func (s *DockerSuite) TestContainersNetworkIsolation(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	// Create 2 networks using bridge driver
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork1")
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork2")
+	// Run 1 container in testnetwork1 and another in testnetwork2
+	dockerCmd(c, "run", "-d", "--net=testnetwork1", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+	dockerCmd(c, "run", "-d", "--net=testnetwork2", "--name=second", "busybox", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+
+	// Check Isolation between containers : ping must fail
+	_, _, err := dockerCmdWithError("exec", "first", "ping", "-c", "1", "second")
+	c.Assert(err, check.NotNil)
+	// Connect first container to testnetwork2
+	dockerCmd(c, "network", "connect", "testnetwork2", "first")
+	// ping must succeed now
+	_, _, err = dockerCmdWithError("exec", "first", "ping", "-c", "1", "second")
+	c.Assert(err, check.IsNil)
+
+	// Disconnect first container from testnetwork2
+	dockerCmd(c, "network", "disconnect", "testnetwork2", "first")
+	// ping must fail again
+	_, _, err = dockerCmdWithError("exec", "first", "ping", "-c", "1", "second")
+	c.Assert(err, check.NotNil)
+}
+
+func (s *DockerSuite) TestNetworkRmWithActiveContainers(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	// Create 2 networks using bridge driver
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork1")
+	// Run and connect containers to testnetwork1
+	dockerCmd(c, "run", "-d", "--net=testnetwork1", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+	dockerCmd(c, "run", "-d", "--net=testnetwork1", "--name=second", "busybox", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+	// Network delete with active containers must fail
+	_, _, err := dockerCmdWithError("network", "rm", "testnetwork1")
+	c.Assert(err, check.NotNil)
+
+	dockerCmd(c, "stop", "first")
+	_, _, err = dockerCmdWithError("network", "rm", "testnetwork1")
+	c.Assert(err, check.NotNil)
+}
+
+func (s *DockerSuite) TestContainerRestartInMultipleNetworks(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	// Create 2 networks using bridge driver
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork1")
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork2")
+
+	// Run and connect containers to testnetwork1
+	dockerCmd(c, "run", "-d", "--net=testnetwork1", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+	dockerCmd(c, "run", "-d", "--net=testnetwork1", "--name=second", "busybox", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+	// Check connectivity between containers in testnetwork2
+	dockerCmd(c, "exec", "first", "ping", "-c", "1", "second.testnetwork1")
+	// Connect containers to testnetwork2
+	dockerCmd(c, "network", "connect", "testnetwork2", "first")
+	dockerCmd(c, "network", "connect", "testnetwork2", "second")
+	// Check connectivity between containers
+	dockerCmd(c, "exec", "second", "ping", "-c", "1", "first.testnetwork2")
+
+	// Stop second container and test ping failures on both networks
+	dockerCmd(c, "stop", "second")
+	_, _, err := dockerCmdWithError("exec", "first", "ping", "-c", "1", "second.testnetwork1")
+	c.Assert(err, check.NotNil)
+	_, _, err = dockerCmdWithError("exec", "first", "ping", "-c", "1", "second.testnetwork2")
+	c.Assert(err, check.NotNil)
+
+	// Start second container and connectivity must be restored on both networks
+	dockerCmd(c, "start", "second")
+	dockerCmd(c, "exec", "first", "ping", "-c", "1", "second.testnetwork1")
+	dockerCmd(c, "exec", "second", "ping", "-c", "1", "first.testnetwork2")
+}
+
+func (s *DockerSuite) TestContainerWithConflictingHostNetworks(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	// Run a container with --net=host
+	dockerCmd(c, "run", "-d", "--net=host", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+
+	// Create a network using bridge driver
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork1")
+
+	// Connecting to the user defined network must fail
+	_, _, err := dockerCmdWithError("network", "connect", "testnetwork1", "first")
+	c.Assert(err, check.NotNil)
+}
+
+func (s *DockerSuite) TestContainerWithConflictingSharedNetwork(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+	// Run second container in first container's network namespace
+	dockerCmd(c, "run", "-d", "--net=container:first", "--name=second", "busybox", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+
+	// Create a network using bridge driver
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork1")
+
+	// Connecting to the user defined network must fail
+	out, _, err := dockerCmdWithError("network", "connect", "testnetwork1", "second")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, runconfig.ErrConflictSharedNetwork.Error())
+}
+
+func (s *DockerSuite) TestContainerWithConflictingNoneNetwork(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "-d", "--net=none", "--name=first", "busybox", "top")
+	c.Assert(waitRun("first"), check.IsNil)
+
+	// Create a network using bridge driver
+	dockerCmd(c, "network", "create", "-d", "bridge", "testnetwork1")
+
+	// Connecting to the user defined network must fail
+	out, _, err := dockerCmdWithError("network", "connect", "testnetwork1", "first")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, runconfig.ErrConflictNoNetwork.Error())
+
+	// create a container connected to testnetwork1
+	dockerCmd(c, "run", "-d", "--net=testnetwork1", "--name=second", "busybox", "top")
+	c.Assert(waitRun("second"), check.IsNil)
+
+	// Connect second container to none network. it must fail as well
+	_, _, err = dockerCmdWithError("network", "connect", "none", "second")
+	c.Assert(err, check.NotNil)
+}
+
+// #11957 - stdin with no tty does not exit if stdin is not closed even though container exited
+func (s *DockerSuite) TestRunStdinBlockedAfterContainerExit(c *check.C) {
+	cmd := exec.Command(dockerBinary, "run", "-i", "--name=test", "busybox", "true")
+	in, err := cmd.StdinPipe()
+	c.Assert(err, check.IsNil)
+	defer in.Close()
+	stdout := bytes.NewBuffer(nil)
+	cmd.Stdout = stdout
+	cmd.Stderr = stdout
+	c.Assert(cmd.Start(), check.IsNil)
+
+	waitChan := make(chan error)
+	go func() {
+		waitChan <- cmd.Wait()
+	}()
+
+	select {
+	case err := <-waitChan:
+		c.Assert(err, check.IsNil, check.Commentf(stdout.String()))
+	case <-time.After(30 * time.Second):
+		c.Fatal("timeout waiting for command to exit")
+	}
+}
+
+func (s *DockerSuite) TestRunWrongCpusetCpusFlagValue(c *check.C) {
+	// TODO Windows: This needs validation (error out) in the daemon.
+	testRequires(c, DaemonIsLinux)
+	out, exitCode, err := dockerCmdWithError("run", "--cpuset-cpus", "1-10,11--", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected := "Error response from daemon: Invalid value 1-10,11-- for cpuset cpus.\n"
+	if !(strings.Contains(out, expected) || exitCode == 125) {
+		c.Fatalf("Expected output to contain %q with exitCode 125, got out: %q exitCode: %v", expected, out, exitCode)
+	}
+}
+
+func (s *DockerSuite) TestRunWrongCpusetMemsFlagValue(c *check.C) {
+	// TODO Windows: This needs validation (error out) in the daemon.
+	testRequires(c, DaemonIsLinux)
+	out, exitCode, err := dockerCmdWithError("run", "--cpuset-mems", "1-42--", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected := "Error response from daemon: Invalid value 1-42-- for cpuset mems.\n"
+	if !(strings.Contains(out, expected) || exitCode == 125) {
+		c.Fatalf("Expected output to contain %q with exitCode 125, got out: %q exitCode: %v", expected, out, exitCode)
+	}
+}
+
+// TestRunNonExecutableCmd checks that 'docker run busybox foo' exits with error code 127'
+func (s *DockerSuite) TestRunNonExecutableCmd(c *check.C) {
+	name := "testNonExecutableCmd"
+	icmd.RunCommand(dockerBinary, "run", "--name", name, "busybox", "foo").Assert(c, icmd.Expected{
+		ExitCode: 127,
+		Error:    "exit status 127",
+	})
+}
+
+// TestRunNonExistingCmd checks that 'docker run busybox /bin/foo' exits with code 127.
+func (s *DockerSuite) TestRunNonExistingCmd(c *check.C) {
+	name := "testNonExistingCmd"
+	icmd.RunCommand(dockerBinary, "run", "--name", name, "busybox", "/bin/foo").Assert(c, icmd.Expected{
+		ExitCode: 127,
+		Error:    "exit status 127",
+	})
+}
+
+// TestCmdCannotBeInvoked checks that 'docker run busybox /etc' exits with 126, or
+// 127 on Windows. The difference is that in Windows, the container must be started
+// as that's when the check is made (and yes, by its design...)
+func (s *DockerSuite) TestCmdCannotBeInvoked(c *check.C) {
+	expected := 126
+	if testEnv.OSType == "windows" {
+		expected = 127
+	}
+	name := "testCmdCannotBeInvoked"
+	icmd.RunCommand(dockerBinary, "run", "--name", name, "busybox", "/etc").Assert(c, icmd.Expected{
+		ExitCode: expected,
+		Error:    fmt.Sprintf("exit status %d", expected),
+	})
+}
+
+// TestRunNonExistingImage checks that 'docker run foo' exits with error msg 125 and contains  'Unable to find image'
+// FIXME(vdemeester) should be a unit test
+func (s *DockerSuite) TestRunNonExistingImage(c *check.C) {
+	icmd.RunCommand(dockerBinary, "run", "foo").Assert(c, icmd.Expected{
+		ExitCode: 125,
+		Err:      "Unable to find image",
+	})
+}
+
+// TestDockerFails checks that 'docker run -foo busybox' exits with 125 to signal docker run failed
+// FIXME(vdemeester) should be a unit test
+func (s *DockerSuite) TestDockerFails(c *check.C) {
+	icmd.RunCommand(dockerBinary, "run", "-foo", "busybox").Assert(c, icmd.Expected{
+		ExitCode: 125,
+		Error:    "exit status 125",
+	})
+}
+
+// TestRunInvalidReference invokes docker run with a bad reference.
+func (s *DockerSuite) TestRunInvalidReference(c *check.C) {
+	out, exit, _ := dockerCmdWithError("run", "busybox@foo")
+	if exit == 0 {
+		c.Fatalf("expected non-zero exist code; received %d", exit)
+	}
+
+	if !strings.Contains(out, "invalid reference format") {
+		c.Fatalf(`Expected "invalid reference format" in output; got: %s`, out)
+	}
+}
+
+// Test fix for issue #17854
+func (s *DockerSuite) TestRunInitLayerPathOwnership(c *check.C) {
+	// Not applicable on Windows as it does not support Linux uid/gid ownership
+	testRequires(c, DaemonIsLinux)
+	name := "testetcfileownership"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+		RUN echo 'dockerio:x:1001:1001::/bin:/bin/false' >> /etc/passwd
+		RUN echo 'dockerio:x:1001:' >> /etc/group
+		RUN chown dockerio:dockerio /etc`))
+
+	// Test that dockerio ownership of /etc is retained at runtime
+	out, _ := dockerCmd(c, "run", "--rm", name, "stat", "-c", "%U:%G", "/etc")
+	out = strings.TrimSpace(out)
+	if out != "dockerio:dockerio" {
+		c.Fatalf("Wrong /etc ownership: expected dockerio:dockerio, got %q", out)
+	}
+}
+
+func (s *DockerSuite) TestRunWithOomScoreAdj(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	expected := "642"
+	out, _ := dockerCmd(c, "run", "--oom-score-adj", expected, "busybox", "cat", "/proc/self/oom_score_adj")
+	oomScoreAdj := strings.TrimSpace(out)
+	if oomScoreAdj != "642" {
+		c.Fatalf("Expected oom_score_adj set to %q, got %q instead", expected, oomScoreAdj)
+	}
+}
+
+func (s *DockerSuite) TestRunWithOomScoreAdjInvalidRange(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	out, _, err := dockerCmdWithError("run", "--oom-score-adj", "1001", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected := "Invalid value 1001, range for oom score adj is [-1000, 1000]."
+	if !strings.Contains(out, expected) {
+		c.Fatalf("Expected output to contain %q, got %q instead", expected, out)
+	}
+	out, _, err = dockerCmdWithError("run", "--oom-score-adj", "-1001", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected = "Invalid value -1001, range for oom score adj is [-1000, 1000]."
+	if !strings.Contains(out, expected) {
+		c.Fatalf("Expected output to contain %q, got %q instead", expected, out)
+	}
+}
+
+func (s *DockerSuite) TestRunVolumesMountedAsShared(c *check.C) {
+	// Volume propagation is linux only. Also it creates directories for
+	// bind mounting, so needs to be same host.
+	testRequires(c, DaemonIsLinux, SameHostDaemon, NotUserNamespace)
+
+	// Prepare a source directory to bind mount
+	tmpDir, err := ioutil.TempDir("", "volume-source")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	if err := os.Mkdir(path.Join(tmpDir, "mnt1"), 0755); err != nil {
+		c.Fatal(err)
+	}
+
+	// Convert this directory into a shared mount point so that we do
+	// not rely on propagation properties of parent mount.
+	icmd.RunCommand("mount", "--bind", tmpDir, tmpDir).Assert(c, icmd.Success)
+	icmd.RunCommand("mount", "--make-private", "--make-shared", tmpDir).Assert(c, icmd.Success)
+
+	dockerCmd(c, "run", "--privileged", "-v", fmt.Sprintf("%s:/volume-dest:shared", tmpDir), "busybox", "mount", "--bind", "/volume-dest/mnt1", "/volume-dest/mnt1")
+
+	// Make sure a bind mount under a shared volume propagated to host.
+	if mounted, _ := mount.Mounted(path.Join(tmpDir, "mnt1")); !mounted {
+		c.Fatalf("Bind mount under shared volume did not propagate to host")
+	}
+
+	mount.Unmount(path.Join(tmpDir, "mnt1"))
+}
+
+func (s *DockerSuite) TestRunVolumesMountedAsSlave(c *check.C) {
+	// Volume propagation is linux only. Also it creates directories for
+	// bind mounting, so needs to be same host.
+	testRequires(c, DaemonIsLinux, SameHostDaemon, NotUserNamespace)
+
+	// Prepare a source directory to bind mount
+	tmpDir, err := ioutil.TempDir("", "volume-source")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	if err := os.Mkdir(path.Join(tmpDir, "mnt1"), 0755); err != nil {
+		c.Fatal(err)
+	}
+
+	// Prepare a source directory with file in it. We will bind mount this
+	// directory and see if file shows up.
+	tmpDir2, err := ioutil.TempDir("", "volume-source2")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir2)
+
+	if err := ioutil.WriteFile(path.Join(tmpDir2, "slave-testfile"), []byte("Test"), 0644); err != nil {
+		c.Fatal(err)
+	}
+
+	// Convert this directory into a shared mount point so that we do
+	// not rely on propagation properties of parent mount.
+	icmd.RunCommand("mount", "--bind", tmpDir, tmpDir).Assert(c, icmd.Success)
+	icmd.RunCommand("mount", "--make-private", "--make-shared", tmpDir).Assert(c, icmd.Success)
+
+	dockerCmd(c, "run", "-i", "-d", "--name", "parent", "-v", fmt.Sprintf("%s:/volume-dest:slave", tmpDir), "busybox", "top")
+
+	// Bind mount tmpDir2/ onto tmpDir/mnt1. If mount propagates inside
+	// container then contents of tmpDir2/slave-testfile should become
+	// visible at "/volume-dest/mnt1/slave-testfile"
+	icmd.RunCommand("mount", "--bind", tmpDir2, path.Join(tmpDir, "mnt1")).Assert(c, icmd.Success)
+
+	out, _ := dockerCmd(c, "exec", "parent", "cat", "/volume-dest/mnt1/slave-testfile")
+
+	mount.Unmount(path.Join(tmpDir, "mnt1"))
+
+	if out != "Test" {
+		c.Fatalf("Bind mount under slave volume did not propagate to container")
+	}
+}
+
+func (s *DockerSuite) TestRunNamedVolumesMountedAsShared(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, exitCode, _ := dockerCmdWithError("run", "-v", "foo:/test:shared", "busybox", "touch", "/test/somefile")
+	c.Assert(exitCode, checker.Not(checker.Equals), 0)
+	c.Assert(out, checker.Contains, "invalid mount config")
+}
+
+func (s *DockerSuite) TestRunNamedVolumeCopyImageData(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	testImg := "testvolumecopy"
+	buildImageSuccessfully(c, testImg, build.WithDockerfile(`
+	FROM busybox
+	RUN mkdir -p /foo && echo hello > /foo/hello
+	`))
+
+	dockerCmd(c, "run", "-v", "foo:/foo", testImg)
+	out, _ := dockerCmd(c, "run", "-v", "foo:/foo", "busybox", "cat", "/foo/hello")
+	c.Assert(strings.TrimSpace(out), check.Equals, "hello")
+}
+
+func (s *DockerSuite) TestRunNamedVolumeNotRemoved(c *check.C) {
+	prefix, _ := getPrefixAndSlashFromDaemonPlatform()
+
+	dockerCmd(c, "volume", "create", "test")
+
+	dockerCmd(c, "run", "--rm", "-v", "test:"+prefix+"/foo", "-v", prefix+"/bar", "busybox", "true")
+	dockerCmd(c, "volume", "inspect", "test")
+	out, _ := dockerCmd(c, "volume", "ls", "-q")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "test")
+
+	dockerCmd(c, "run", "--name=test", "-v", "test:"+prefix+"/foo", "-v", prefix+"/bar", "busybox", "true")
+	dockerCmd(c, "rm", "-fv", "test")
+	dockerCmd(c, "volume", "inspect", "test")
+	out, _ = dockerCmd(c, "volume", "ls", "-q")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "test")
+}
+
+func (s *DockerSuite) TestRunNamedVolumesFromNotRemoved(c *check.C) {
+	prefix, _ := getPrefixAndSlashFromDaemonPlatform()
+
+	dockerCmd(c, "volume", "create", "test")
+	cid, _ := dockerCmd(c, "run", "-d", "--name=parent", "-v", "test:"+prefix+"/foo", "-v", prefix+"/bar", "busybox", "true")
+	dockerCmd(c, "run", "--name=child", "--volumes-from=parent", "busybox", "true")
+
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	container, err := cli.ContainerInspect(context.Background(), strings.TrimSpace(cid))
+	c.Assert(err, checker.IsNil)
+	var vname string
+	for _, v := range container.Mounts {
+		if v.Name != "test" {
+			vname = v.Name
+		}
+	}
+	c.Assert(vname, checker.Not(checker.Equals), "")
+
+	// Remove the parent so there are not other references to the volumes
+	dockerCmd(c, "rm", "-f", "parent")
+	// now remove the child and ensure the named volume (and only the named volume) still exists
+	dockerCmd(c, "rm", "-fv", "child")
+	dockerCmd(c, "volume", "inspect", "test")
+	out, _ := dockerCmd(c, "volume", "ls", "-q")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "test")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), vname)
+}
+
+func (s *DockerSuite) TestRunAttachFailedNoLeak(c *check.C) {
+	// TODO @msabansal - https://github.com/moby/moby/issues/35023. Duplicate
+	// port mappings are not errored out on RS3 builds. Temporarily disabling
+	// this test pending further investigation. Note we parse kernel.GetKernelVersion
+	// rather than system.GetOSVersion as test binaries aren't manifested, so would
+	// otherwise report build 9200.
+	if runtime.GOOS == "windows" {
+		v, err := kernel.GetKernelVersion()
+		c.Assert(err, checker.IsNil)
+		build, _ := strconv.Atoi(strings.Split(strings.SplitN(v.String(), " ", 3)[2][1:], ".")[0])
+		if build == 16299 {
+			c.Skip("Temporarily disabled on RS3 builds")
+		}
+	}
+
+	nroutines, err := getGoroutineNumber()
+	c.Assert(err, checker.IsNil)
+
+	runSleepingContainer(c, "--name=test", "-p", "8000:8000")
+
+	// Wait until container is fully up and running
+	c.Assert(waitRun("test"), check.IsNil)
+
+	out, _, err := dockerCmdWithError("run", "--name=fail", "-p", "8000:8000", "busybox", "true")
+	// We will need the following `inspect` to diagnose the issue if test fails (#21247)
+	out1, err1 := dockerCmd(c, "inspect", "--format", "{{json .State}}", "test")
+	out2, err2 := dockerCmd(c, "inspect", "--format", "{{json .State}}", "fail")
+	c.Assert(err, checker.NotNil, check.Commentf("Command should have failed but succeeded with: %s\nContainer 'test' [%+v]: %s\nContainer 'fail' [%+v]: %s", out, err1, out1, err2, out2))
+	// check for windows error as well
+	// TODO Windows Post TP5. Fix the error message string
+	c.Assert(strings.Contains(string(out), "port is already allocated") ||
+		strings.Contains(string(out), "were not connected because a duplicate name exists") ||
+		strings.Contains(string(out), "The specified port already exists") ||
+		strings.Contains(string(out), "HNS failed with error : Failed to create endpoint") ||
+		strings.Contains(string(out), "HNS failed with error : The object already exists"), checker.Equals, true, check.Commentf("Output: %s", out))
+	dockerCmd(c, "rm", "-f", "test")
+
+	// NGoroutines is not updated right away, so we need to wait before failing
+	c.Assert(waitForGoroutines(nroutines), checker.IsNil)
+}
+
+// Test for one character directory name case (#20122)
+func (s *DockerSuite) TestRunVolumeWithOneCharacter(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "run", "-v", "/tmp/q:/foo", "busybox", "sh", "-c", "find /foo")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "/foo")
+}
+
+func (s *DockerSuite) TestRunVolumeCopyFlag(c *check.C) {
+	testRequires(c, DaemonIsLinux) // Windows does not support copying data from image to the volume
+	buildImageSuccessfully(c, "volumecopy", build.WithDockerfile(`FROM busybox
+		RUN mkdir /foo && echo hello > /foo/bar
+		CMD cat /foo/bar`))
+	dockerCmd(c, "volume", "create", "test")
+
+	// test with the nocopy flag
+	out, _, err := dockerCmdWithError("run", "-v", "test:/foo:nocopy", "volumecopy")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	// test default behavior which is to copy for non-binds
+	out, _ = dockerCmd(c, "run", "-v", "test:/foo", "volumecopy")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello")
+	// error out when the volume is already populated
+	out, _, err = dockerCmdWithError("run", "-v", "test:/foo:copy", "volumecopy")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	// do not error out when copy isn't explicitly set even though it's already populated
+	out, _ = dockerCmd(c, "run", "-v", "test:/foo", "volumecopy")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello")
+
+	// do not allow copy modes on volumes-from
+	dockerCmd(c, "run", "--name=test", "-v", "/foo", "busybox", "true")
+	out, _, err = dockerCmdWithError("run", "--volumes-from=test:copy", "busybox", "true")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	out, _, err = dockerCmdWithError("run", "--volumes-from=test:nocopy", "busybox", "true")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+
+	// do not allow copy modes on binds
+	out, _, err = dockerCmdWithError("run", "-v", "/foo:/bar:copy", "busybox", "true")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	out, _, err = dockerCmdWithError("run", "-v", "/foo:/bar:nocopy", "busybox", "true")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+}
+
+// Test case for #21976
+func (s *DockerSuite) TestRunDNSInHostMode(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+
+	expectedOutput := "nameserver 127.0.0.1"
+	expectedWarning := "Localhost DNS setting"
+	cli.DockerCmd(c, "run", "--dns=127.0.0.1", "--net=host", "busybox", "cat", "/etc/resolv.conf").Assert(c, icmd.Expected{
+		Out: expectedOutput,
+		Err: expectedWarning,
+	})
+
+	expectedOutput = "nameserver 1.2.3.4"
+	cli.DockerCmd(c, "run", "--dns=1.2.3.4", "--net=host", "busybox", "cat", "/etc/resolv.conf").Assert(c, icmd.Expected{
+		Out: expectedOutput,
+	})
+
+	expectedOutput = "search example.com"
+	cli.DockerCmd(c, "run", "--dns-search=example.com", "--net=host", "busybox", "cat", "/etc/resolv.conf").Assert(c, icmd.Expected{
+		Out: expectedOutput,
+	})
+
+	expectedOutput = "options timeout:3"
+	cli.DockerCmd(c, "run", "--dns-opt=timeout:3", "--net=host", "busybox", "cat", "/etc/resolv.conf").Assert(c, icmd.Expected{
+		Out: expectedOutput,
+	})
+
+	expectedOutput1 := "nameserver 1.2.3.4"
+	expectedOutput2 := "search example.com"
+	expectedOutput3 := "options timeout:3"
+	out := cli.DockerCmd(c, "run", "--dns=1.2.3.4", "--dns-search=example.com", "--dns-opt=timeout:3", "--net=host", "busybox", "cat", "/etc/resolv.conf").Combined()
+	c.Assert(out, checker.Contains, expectedOutput1, check.Commentf("Expected '%s', but got %q", expectedOutput1, out))
+	c.Assert(out, checker.Contains, expectedOutput2, check.Commentf("Expected '%s', but got %q", expectedOutput2, out))
+	c.Assert(out, checker.Contains, expectedOutput3, check.Commentf("Expected '%s', but got %q", expectedOutput3, out))
+}
+
+// Test case for #21976
+func (s *DockerSuite) TestRunAddHostInHostMode(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+
+	expectedOutput := "1.2.3.4\textra"
+	out, _ := dockerCmd(c, "run", "--add-host=extra:1.2.3.4", "--net=host", "busybox", "cat", "/etc/hosts")
+	c.Assert(out, checker.Contains, expectedOutput, check.Commentf("Expected '%s', but got %q", expectedOutput, out))
+}
+
+func (s *DockerSuite) TestRunRmAndWait(c *check.C) {
+	dockerCmd(c, "run", "--name=test", "--rm", "-d", "busybox", "sh", "-c", "sleep 3;exit 2")
+
+	out, code, err := dockerCmdWithError("wait", "test")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %s; exit code: %d", out, code))
+	c.Assert(out, checker.Equals, "2\n", check.Commentf("exit code: %d", code))
+	c.Assert(code, checker.Equals, 0)
+}
+
+// Test that auto-remove is performed by the daemon (API 1.25 and above)
+func (s *DockerSuite) TestRunRm(c *check.C) {
+	name := "miss-me-when-im-gone"
+	cli.DockerCmd(c, "run", "--name="+name, "--rm", "busybox")
+
+	cli.Docker(cli.Inspect(name), cli.Format(".name")).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "No such object: " + name,
+	})
+}
+
+// Test that auto-remove is performed by the client on API versions that do not support daemon-side api-remove (API < 1.25)
+func (s *DockerSuite) TestRunRmPre125Api(c *check.C) {
+	name := "miss-me-when-im-gone"
+	envs := appendBaseEnv(os.Getenv("DOCKER_TLS_VERIFY") != "", "DOCKER_API_VERSION=1.24")
+	cli.Docker(cli.Args("run", "--name="+name, "--rm", "busybox"), cli.WithEnvironmentVariables(envs...)).Assert(c, icmd.Success)
+
+	cli.Docker(cli.Inspect(name), cli.Format(".name")).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "No such object: " + name,
+	})
+}
+
+// Test case for #23498
+func (s *DockerSuite) TestRunUnsetEntrypoint(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "test-entrypoint"
+	dockerfile := `FROM busybox
+ADD entrypoint.sh /entrypoint.sh
+RUN chmod 755 /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
+CMD echo foobar`
+
+	ctx := fakecontext.New(c, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFiles(map[string]string{
+			"entrypoint.sh": `#!/bin/sh
+echo "I am an entrypoint"
+exec "$@"`,
+		}))
+	defer ctx.Close()
+
+	cli.BuildCmd(c, name, build.WithExternalBuildContext(ctx))
+
+	out := cli.DockerCmd(c, "run", "--entrypoint=", "-t", name, "echo", "foo").Combined()
+	c.Assert(strings.TrimSpace(out), check.Equals, "foo")
+
+	// CMD will be reset as well (the same as setting a custom entrypoint)
+	cli.Docker(cli.Args("run", "--entrypoint=", "-t", name)).Assert(c, icmd.Expected{
+		ExitCode: 125,
+		Err:      "No command specified",
+	})
+}
+
+func (s *DockerDaemonSuite) TestRunWithUlimitAndDaemonDefault(c *check.C) {
+	s.d.StartWithBusybox(c, "--debug", "--default-ulimit=nofile=65535")
+
+	name := "test-A"
+	_, err := s.d.Cmd("run", "--name", name, "-d", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(s.d.WaitRun(name), check.IsNil)
+
+	out, err := s.d.Cmd("inspect", "--format", "{{.HostConfig.Ulimits}}", name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "[nofile=65535:65535]")
+
+	name = "test-B"
+	_, err = s.d.Cmd("run", "--name", name, "--ulimit=nofile=42", "-d", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(s.d.WaitRun(name), check.IsNil)
+
+	out, err = s.d.Cmd("inspect", "--format", "{{.HostConfig.Ulimits}}", name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "[nofile=42:42]")
+}
+
+func (s *DockerSuite) TestRunStoppedLoggingDriverNoLeak(c *check.C) {
+	nroutines, err := getGoroutineNumber()
+	c.Assert(err, checker.IsNil)
+
+	out, _, err := dockerCmdWithError("run", "--name=fail", "--log-driver=splunk", "busybox", "true")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "failed to initialize logging driver", check.Commentf("error should be about logging driver, got output %s", out))
+
+	// NGoroutines is not updated right away, so we need to wait before failing
+	c.Assert(waitForGoroutines(nroutines), checker.IsNil)
+}
+
+// Handles error conditions for --credentialspec. Validating E2E success cases
+// requires additional infrastructure (AD for example) on CI servers.
+func (s *DockerSuite) TestRunCredentialSpecFailures(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	attempts := []struct{ value, expectedError string }{
+		{"rubbish", "invalid credential spec security option - value must be prefixed file:// or registry://"},
+		{"rubbish://", "invalid credential spec security option - value must be prefixed file:// or registry://"},
+		{"file://", "no value supplied for file:// credential spec security option"},
+		{"registry://", "no value supplied for registry:// credential spec security option"},
+		{`file://c:\blah.txt`, "path cannot be absolute"},
+		{`file://doesnotexist.txt`, "The system cannot find the file specified"},
+	}
+	for _, attempt := range attempts {
+		_, _, err := dockerCmdWithError("run", "--security-opt=credentialspec="+attempt.value, "busybox", "true")
+		c.Assert(err, checker.NotNil, check.Commentf("%s expected non-nil err", attempt.value))
+		c.Assert(err.Error(), checker.Contains, attempt.expectedError, check.Commentf("%s expected %s got %s", attempt.value, attempt.expectedError, err))
+	}
+}
+
+// Windows specific test to validate credential specs with a well-formed spec.
+// Note it won't actually do anything in CI configuration with the spec, but
+// it should not fail to run a container.
+func (s *DockerSuite) TestRunCredentialSpecWellFormed(c *check.C) {
+	testRequires(c, DaemonIsWindows, SameHostDaemon)
+	validCS := readFile(`fixtures\credentialspecs\valid.json`, c)
+	writeFile(filepath.Join(testEnv.DaemonInfo.DockerRootDir, `credentialspecs\valid.json`), validCS, c)
+	dockerCmd(c, "run", `--security-opt=credentialspec=file://valid.json`, "busybox", "true")
+}
+
+func (s *DockerSuite) TestRunDuplicateMount(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+
+	tmpFile, err := ioutil.TempFile("", "touch-me")
+	c.Assert(err, checker.IsNil)
+	defer tmpFile.Close()
+
+	data := "touch-me-foo-bar\n"
+	if _, err := tmpFile.Write([]byte(data)); err != nil {
+		c.Fatal(err)
+	}
+
+	name := "test"
+	out, _ := dockerCmd(c, "run", "--name", name, "-v", "/tmp:/tmp", "-v", "/tmp:/tmp", "busybox", "sh", "-c", "cat "+tmpFile.Name()+" && ls /")
+	c.Assert(out, checker.Not(checker.Contains), "tmp:")
+	c.Assert(out, checker.Contains, data)
+
+	out = inspectFieldJSON(c, name, "Config.Volumes")
+	c.Assert(out, checker.Contains, "null")
+}
+
+func (s *DockerSuite) TestRunWindowsWithCPUCount(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+
+	out, _ := dockerCmd(c, "run", "--cpu-count=1", "--name", "test", "busybox", "echo", "testing")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "testing")
+
+	out = inspectField(c, "test", "HostConfig.CPUCount")
+	c.Assert(out, check.Equals, "1")
+}
+
+func (s *DockerSuite) TestRunWindowsWithCPUShares(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+
+	out, _ := dockerCmd(c, "run", "--cpu-shares=1000", "--name", "test", "busybox", "echo", "testing")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "testing")
+
+	out = inspectField(c, "test", "HostConfig.CPUShares")
+	c.Assert(out, check.Equals, "1000")
+}
+
+func (s *DockerSuite) TestRunWindowsWithCPUPercent(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+
+	out, _ := dockerCmd(c, "run", "--cpu-percent=80", "--name", "test", "busybox", "echo", "testing")
+	c.Assert(strings.TrimSpace(out), checker.Equals, "testing")
+
+	out = inspectField(c, "test", "HostConfig.CPUPercent")
+	c.Assert(out, check.Equals, "80")
+}
+
+func (s *DockerSuite) TestRunProcessIsolationWithCPUCountCPUSharesAndCPUPercent(c *check.C) {
+	testRequires(c, DaemonIsWindows, IsolationIsProcess)
+
+	out, _ := dockerCmd(c, "run", "--cpu-count=1", "--cpu-shares=1000", "--cpu-percent=80", "--name", "test", "busybox", "echo", "testing")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "WARNING: Conflicting options: CPU count takes priority over CPU shares on Windows Server Containers. CPU shares discarded")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "WARNING: Conflicting options: CPU count takes priority over CPU percent on Windows Server Containers. CPU percent discarded")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "testing")
+
+	out = inspectField(c, "test", "HostConfig.CPUCount")
+	c.Assert(out, check.Equals, "1")
+
+	out = inspectField(c, "test", "HostConfig.CPUShares")
+	c.Assert(out, check.Equals, "0")
+
+	out = inspectField(c, "test", "HostConfig.CPUPercent")
+	c.Assert(out, check.Equals, "0")
+}
+
+func (s *DockerSuite) TestRunHypervIsolationWithCPUCountCPUSharesAndCPUPercent(c *check.C) {
+	testRequires(c, DaemonIsWindows, IsolationIsHyperv)
+
+	out, _ := dockerCmd(c, "run", "--cpu-count=1", "--cpu-shares=1000", "--cpu-percent=80", "--name", "test", "busybox", "echo", "testing")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "testing")
+
+	out = inspectField(c, "test", "HostConfig.CPUCount")
+	c.Assert(out, check.Equals, "1")
+
+	out = inspectField(c, "test", "HostConfig.CPUShares")
+	c.Assert(out, check.Equals, "1000")
+
+	out = inspectField(c, "test", "HostConfig.CPUPercent")
+	c.Assert(out, check.Equals, "80")
+}
+
+// Test for #25099
+func (s *DockerSuite) TestRunEmptyEnv(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	expectedOutput := "invalid environment variable:"
+
+	out, _, err := dockerCmdWithError("run", "-e", "", "busybox", "true")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, expectedOutput)
+
+	out, _, err = dockerCmdWithError("run", "-e", "=", "busybox", "true")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, expectedOutput)
+
+	out, _, err = dockerCmdWithError("run", "-e", "=foo", "busybox", "true")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, expectedOutput)
+}
+
+// #28658
+func (s *DockerSuite) TestSlowStdinClosing(c *check.C) {
+	name := "testslowstdinclosing"
+	repeat := 3 // regression happened 50% of the time
+	for i := 0; i < repeat; i++ {
+		cmd := icmd.Cmd{
+			Command: []string{dockerBinary, "run", "--rm", "--name", name, "-i", "busybox", "cat"},
+			Stdin:   &delayedReader{},
+		}
+		done := make(chan error, 1)
+		go func() {
+			err := icmd.RunCmd(cmd).Error
+			done <- err
+		}()
+
+		select {
+		case <-time.After(30 * time.Second):
+			c.Fatal("running container timed out") // cleanup in teardown
+		case err := <-done:
+			c.Assert(err, checker.IsNil)
+		}
+	}
+}
+
+type delayedReader struct{}
+
+func (s *delayedReader) Read([]byte) (int, error) {
+	time.Sleep(500 * time.Millisecond)
+	return 0, io.EOF
+}
+
+// #28823 (originally #28639)
+func (s *DockerSuite) TestRunMountReadOnlyDevShm(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux, NotUserNamespace)
+	emptyDir, err := ioutil.TempDir("", "test-read-only-dev-shm")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(emptyDir)
+	out, _, err := dockerCmdWithError("run", "--rm", "--read-only",
+		"-v", fmt.Sprintf("%s:/dev/shm:ro", emptyDir),
+		"busybox", "touch", "/dev/shm/foo")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "Read-only file system")
+}
+
+func (s *DockerSuite) TestRunMount(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon, NotUserNamespace)
+
+	// mnt1, mnt2, and testCatFooBar are commonly used in multiple test cases
+	tmpDir, err := ioutil.TempDir("", "mount")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+	mnt1, mnt2 := path.Join(tmpDir, "mnt1"), path.Join(tmpDir, "mnt2")
+	if err := os.Mkdir(mnt1, 0755); err != nil {
+		c.Fatal(err)
+	}
+	if err := os.Mkdir(mnt2, 0755); err != nil {
+		c.Fatal(err)
+	}
+	if err := ioutil.WriteFile(path.Join(mnt1, "test1"), []byte("test1"), 0644); err != nil {
+		c.Fatal(err)
+	}
+	if err := ioutil.WriteFile(path.Join(mnt2, "test2"), []byte("test2"), 0644); err != nil {
+		c.Fatal(err)
+	}
+	testCatFooBar := func(cName string) error {
+		out, _ := dockerCmd(c, "exec", cName, "cat", "/foo/test1")
+		if out != "test1" {
+			return fmt.Errorf("%s not mounted on /foo", mnt1)
+		}
+		out, _ = dockerCmd(c, "exec", cName, "cat", "/bar/test2")
+		if out != "test2" {
+			return fmt.Errorf("%s not mounted on /bar", mnt2)
+		}
+		return nil
+	}
+
+	type testCase struct {
+		equivalents [][]string
+		valid       bool
+		// fn should be nil if valid==false
+		fn func(cName string) error
+	}
+	cases := []testCase{
+		{
+			equivalents: [][]string{
+				{
+					"--mount", fmt.Sprintf("type=bind,src=%s,dst=/foo", mnt1),
+					"--mount", fmt.Sprintf("type=bind,src=%s,dst=/bar", mnt2),
+				},
+				{
+					"--mount", fmt.Sprintf("type=bind,src=%s,dst=/foo", mnt1),
+					"--mount", fmt.Sprintf("type=bind,src=%s,target=/bar", mnt2),
+				},
+				{
+					"--volume", mnt1 + ":/foo",
+					"--mount", fmt.Sprintf("type=bind,src=%s,target=/bar", mnt2),
+				},
+			},
+			valid: true,
+			fn:    testCatFooBar,
+		},
+		{
+			equivalents: [][]string{
+				{
+					"--mount", fmt.Sprintf("type=volume,src=%s,dst=/foo", mnt1),
+					"--mount", fmt.Sprintf("type=volume,src=%s,dst=/bar", mnt2),
+				},
+				{
+					"--mount", fmt.Sprintf("type=volume,src=%s,dst=/foo", mnt1),
+					"--mount", fmt.Sprintf("type=volume,src=%s,target=/bar", mnt2),
+				},
+			},
+			valid: false,
+		},
+		{
+			equivalents: [][]string{
+				{
+					"--mount", fmt.Sprintf("type=bind,src=%s,dst=/foo", mnt1),
+					"--mount", fmt.Sprintf("type=volume,src=%s,dst=/bar", mnt2),
+				},
+				{
+					"--volume", mnt1 + ":/foo",
+					"--mount", fmt.Sprintf("type=volume,src=%s,target=/bar", mnt2),
+				},
+			},
+			valid: false,
+			fn:    testCatFooBar,
+		},
+		{
+			equivalents: [][]string{
+				{
+					"--read-only",
+					"--mount", "type=volume,dst=/bar",
+				},
+			},
+			valid: true,
+			fn: func(cName string) error {
+				_, _, err := dockerCmdWithError("exec", cName, "touch", "/bar/icanwritehere")
+				return err
+			},
+		},
+		{
+			equivalents: [][]string{
+				{
+					"--read-only",
+					"--mount", fmt.Sprintf("type=bind,src=%s,dst=/foo", mnt1),
+					"--mount", "type=volume,dst=/bar",
+				},
+				{
+					"--read-only",
+					"--volume", fmt.Sprintf("%s:/foo", mnt1),
+					"--mount", "type=volume,dst=/bar",
+				},
+			},
+			valid: true,
+			fn: func(cName string) error {
+				out, _ := dockerCmd(c, "exec", cName, "cat", "/foo/test1")
+				if out != "test1" {
+					return fmt.Errorf("%s not mounted on /foo", mnt1)
+				}
+				_, _, err := dockerCmdWithError("exec", cName, "touch", "/bar/icanwritehere")
+				return err
+			},
+		},
+		{
+			equivalents: [][]string{
+				{
+					"--mount", fmt.Sprintf("type=bind,src=%s,dst=/foo", mnt1),
+					"--mount", fmt.Sprintf("type=bind,src=%s,dst=/foo", mnt2),
+				},
+				{
+					"--mount", fmt.Sprintf("type=bind,src=%s,dst=/foo", mnt1),
+					"--mount", fmt.Sprintf("type=bind,src=%s,target=/foo", mnt2),
+				},
+				{
+					"--volume", fmt.Sprintf("%s:/foo", mnt1),
+					"--mount", fmt.Sprintf("type=bind,src=%s,target=/foo", mnt2),
+				},
+			},
+			valid: false,
+		},
+		{
+			equivalents: [][]string{
+				{
+					"--volume", fmt.Sprintf("%s:/foo", mnt1),
+					"--mount", fmt.Sprintf("type=volume,src=%s,target=/foo", mnt2),
+				},
+			},
+			valid: false,
+		},
+		{
+			equivalents: [][]string{
+				{
+					"--mount", "type=volume,target=/foo",
+					"--mount", "type=volume,target=/foo",
+				},
+			},
+			valid: false,
+		},
+	}
+
+	for i, testCase := range cases {
+		for j, opts := range testCase.equivalents {
+			cName := fmt.Sprintf("mount-%d-%d", i, j)
+			_, _, err := dockerCmdWithError(append([]string{"run", "-i", "-d", "--name", cName},
+				append(opts, []string{"busybox", "top"}...)...)...)
+			if testCase.valid {
+				c.Assert(err, check.IsNil,
+					check.Commentf("got error while creating a container with %v (%s)", opts, cName))
+				c.Assert(testCase.fn(cName), check.IsNil,
+					check.Commentf("got error while executing test for %v (%s)", opts, cName))
+				dockerCmd(c, "rm", "-f", cName)
+			} else {
+				c.Assert(err, checker.NotNil,
+					check.Commentf("got nil while creating a container with %v (%s)", opts, cName))
+			}
+		}
+	}
+}
+
+// Test that passing a FQDN as hostname properly sets hostname, and
+// /etc/hostname. Test case for 29100
+func (s *DockerSuite) TestRunHostnameFQDN(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	expectedOutput := "foobar.example.com\nfoobar.example.com\nfoobar\nexample.com\nfoobar.example.com"
+	out, _ := dockerCmd(c, "run", "--hostname=foobar.example.com", "busybox", "sh", "-c", `cat /etc/hostname && hostname && hostname -s && hostname -d && hostname -f`)
+	c.Assert(strings.TrimSpace(out), checker.Equals, expectedOutput)
+
+	out, _ = dockerCmd(c, "run", "--hostname=foobar.example.com", "busybox", "sh", "-c", `cat /etc/hosts`)
+	expectedOutput = "foobar.example.com foobar"
+	c.Assert(strings.TrimSpace(out), checker.Contains, expectedOutput)
+}
+
+// Test case for 29129
+func (s *DockerSuite) TestRunHostnameInHostMode(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+
+	expectedOutput := "foobar\nfoobar"
+	out, _ := dockerCmd(c, "run", "--net=host", "--hostname=foobar", "busybox", "sh", "-c", `echo $HOSTNAME && hostname`)
+	c.Assert(strings.TrimSpace(out), checker.Equals, expectedOutput)
+}
+
+func (s *DockerSuite) TestRunAddDeviceCgroupRule(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	deviceRule := "c 7:128 rwm"
+
+	out, _ := dockerCmd(c, "run", "--rm", "busybox", "cat", "/sys/fs/cgroup/devices/devices.list")
+	if strings.Contains(out, deviceRule) {
+		c.Fatalf("%s shouldn't been in the device.list", deviceRule)
+	}
+
+	out, _ = dockerCmd(c, "run", "--rm", fmt.Sprintf("--device-cgroup-rule=%s", deviceRule), "busybox", "grep", deviceRule, "/sys/fs/cgroup/devices/devices.list")
+	c.Assert(strings.TrimSpace(out), checker.Equals, deviceRule)
+}
+
+// Verifies that running as local system is operating correctly on Windows
+func (s *DockerSuite) TestWindowsRunAsSystem(c *check.C) {
+	testRequires(c, DaemonIsWindowsAtLeastBuild(15000))
+	out, _ := dockerCmd(c, "run", "--net=none", `--user=nt authority\system`, "--hostname=XYZZY", minimalBaseImage(), "cmd", "/c", `@echo %USERNAME%`)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "XYZZY$")
+}
diff --git a/engine/integration-cli/docker_cli_run_unix_test.go b/engine/integration-cli/docker_cli_run_unix_test.go
new file mode 100644
index 00000000..3444d22b
--- /dev/null
+++ b/engine/integration-cli/docker_cli_run_unix_test.go
@@ -0,0 +1,1585 @@
+// +build !windows
+
+package main
+
+import (
+	"bufio"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/parsers"
+	"github.com/docker/docker/pkg/sysinfo"
+	"github.com/go-check/check"
+	"github.com/kr/pty"
+	"gotest.tools/icmd"
+)
+
+// #6509
+func (s *DockerSuite) TestRunRedirectStdout(c *check.C) {
+	checkRedirect := func(command string) {
+		_, tty, err := pty.Open()
+		c.Assert(err, checker.IsNil, check.Commentf("Could not open pty"))
+		cmd := exec.Command("sh", "-c", command)
+		cmd.Stdin = tty
+		cmd.Stdout = tty
+		cmd.Stderr = tty
+		c.Assert(cmd.Start(), checker.IsNil)
+		ch := make(chan error)
+		go func() {
+			ch <- cmd.Wait()
+			close(ch)
+		}()
+
+		select {
+		case <-time.After(10 * time.Second):
+			c.Fatal("command timeout")
+		case err := <-ch:
+			c.Assert(err, checker.IsNil, check.Commentf("wait err"))
+		}
+	}
+
+	checkRedirect(dockerBinary + " run -i busybox cat /etc/passwd | grep -q root")
+	checkRedirect(dockerBinary + " run busybox cat /etc/passwd | grep -q root")
+}
+
+// Test recursive bind mount works by default
+func (s *DockerSuite) TestRunWithVolumesIsRecursive(c *check.C) {
+	// /tmp gets permission denied
+	testRequires(c, NotUserNamespace, SameHostDaemon)
+	tmpDir, err := ioutil.TempDir("", "docker_recursive_mount_test")
+	c.Assert(err, checker.IsNil)
+
+	defer os.RemoveAll(tmpDir)
+
+	// Create a temporary tmpfs mount.
+	tmpfsDir := filepath.Join(tmpDir, "tmpfs")
+	c.Assert(os.MkdirAll(tmpfsDir, 0777), checker.IsNil, check.Commentf("failed to mkdir at %s", tmpfsDir))
+	c.Assert(mount.Mount("tmpfs", tmpfsDir, "tmpfs", ""), checker.IsNil, check.Commentf("failed to create a tmpfs mount at %s", tmpfsDir))
+
+	f, err := ioutil.TempFile(tmpfsDir, "touch-me")
+	c.Assert(err, checker.IsNil)
+	defer f.Close()
+
+	out, _ := dockerCmd(c, "run", "--name", "test-data", "--volume", fmt.Sprintf("%s:/tmp:ro", tmpDir), "busybox:latest", "ls", "/tmp/tmpfs")
+	c.Assert(out, checker.Contains, filepath.Base(f.Name()), check.Commentf("Recursive bind mount test failed. Expected file not found"))
+}
+
+func (s *DockerSuite) TestRunDeviceDirectory(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm)
+	if _, err := os.Stat("/dev/snd"); err != nil {
+		c.Skip("Host does not have /dev/snd")
+	}
+
+	out, _ := dockerCmd(c, "run", "--device", "/dev/snd:/dev/snd", "busybox", "sh", "-c", "ls /dev/snd/")
+	c.Assert(strings.Trim(out, "\r\n"), checker.Contains, "timer", check.Commentf("expected output /dev/snd/timer"))
+
+	out, _ = dockerCmd(c, "run", "--device", "/dev/snd:/dev/othersnd", "busybox", "sh", "-c", "ls /dev/othersnd/")
+	c.Assert(strings.Trim(out, "\r\n"), checker.Contains, "seq", check.Commentf("expected output /dev/othersnd/seq"))
+}
+
+// TestRunAttachDetach checks attaching and detaching with the default escape sequence.
+func (s *DockerSuite) TestRunAttachDetach(c *check.C) {
+	name := "attach-detach"
+
+	dockerCmd(c, "run", "--name", name, "-itd", "busybox", "cat")
+
+	cmd := exec.Command(dockerBinary, "attach", name)
+	stdout, err := cmd.StdoutPipe()
+	c.Assert(err, checker.IsNil)
+	cpty, tty, err := pty.Open()
+	c.Assert(err, checker.IsNil)
+	defer cpty.Close()
+	cmd.Stdin = tty
+	c.Assert(cmd.Start(), checker.IsNil)
+	c.Assert(waitRun(name), check.IsNil)
+
+	_, err = cpty.Write([]byte("hello\n"))
+	c.Assert(err, checker.IsNil)
+
+	out, err := bufio.NewReader(stdout).ReadString('\n')
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "hello")
+
+	// escape sequence
+	_, err = cpty.Write([]byte{16})
+	c.Assert(err, checker.IsNil)
+	time.Sleep(100 * time.Millisecond)
+	_, err = cpty.Write([]byte{17})
+	c.Assert(err, checker.IsNil)
+
+	ch := make(chan struct{})
+	go func() {
+		cmd.Wait()
+		ch <- struct{}{}
+	}()
+
+	select {
+	case <-ch:
+	case <-time.After(10 * time.Second):
+		c.Fatal("timed out waiting for container to exit")
+	}
+
+	running := inspectField(c, name, "State.Running")
+	c.Assert(running, checker.Equals, "true", check.Commentf("expected container to still be running"))
+
+	out, _ = dockerCmd(c, "events", "--since=0", "--until", daemonUnixTime(c), "-f", "container="+name)
+	// attach and detach event should be monitored
+	c.Assert(out, checker.Contains, "attach")
+	c.Assert(out, checker.Contains, "detach")
+}
+
+// TestRunAttachDetachFromFlag checks attaching and detaching with the escape sequence specified via flags.
+func (s *DockerSuite) TestRunAttachDetachFromFlag(c *check.C) {
+	name := "attach-detach"
+	keyCtrlA := []byte{1}
+	keyA := []byte{97}
+
+	dockerCmd(c, "run", "--name", name, "-itd", "busybox", "cat")
+
+	cmd := exec.Command(dockerBinary, "attach", "--detach-keys=ctrl-a,a", name)
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		c.Fatal(err)
+	}
+	cpty, tty, err := pty.Open()
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer cpty.Close()
+	cmd.Stdin = tty
+	if err := cmd.Start(); err != nil {
+		c.Fatal(err)
+	}
+	c.Assert(waitRun(name), check.IsNil)
+
+	if _, err := cpty.Write([]byte("hello\n")); err != nil {
+		c.Fatal(err)
+	}
+
+	out, err := bufio.NewReader(stdout).ReadString('\n')
+	if err != nil {
+		c.Fatal(err)
+	}
+	if strings.TrimSpace(out) != "hello" {
+		c.Fatalf("expected 'hello', got %q", out)
+	}
+
+	// escape sequence
+	if _, err := cpty.Write(keyCtrlA); err != nil {
+		c.Fatal(err)
+	}
+	time.Sleep(100 * time.Millisecond)
+	if _, err := cpty.Write(keyA); err != nil {
+		c.Fatal(err)
+	}
+
+	ch := make(chan struct{})
+	go func() {
+		cmd.Wait()
+		ch <- struct{}{}
+	}()
+
+	select {
+	case <-ch:
+	case <-time.After(10 * time.Second):
+		c.Fatal("timed out waiting for container to exit")
+	}
+
+	running := inspectField(c, name, "State.Running")
+	c.Assert(running, checker.Equals, "true", check.Commentf("expected container to still be running"))
+}
+
+// TestRunAttachDetachFromInvalidFlag checks attaching and detaching with the escape sequence specified via flags.
+func (s *DockerSuite) TestRunAttachDetachFromInvalidFlag(c *check.C) {
+	name := "attach-detach"
+	dockerCmd(c, "run", "--name", name, "-itd", "busybox", "top")
+	c.Assert(waitRun(name), check.IsNil)
+
+	// specify an invalid detach key, container will ignore it and use default
+	cmd := exec.Command(dockerBinary, "attach", "--detach-keys=ctrl-A,a", name)
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		c.Fatal(err)
+	}
+	cpty, tty, err := pty.Open()
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer cpty.Close()
+	cmd.Stdin = tty
+	if err := cmd.Start(); err != nil {
+		c.Fatal(err)
+	}
+	go cmd.Wait()
+
+	bufReader := bufio.NewReader(stdout)
+	out, err := bufReader.ReadString('\n')
+	if err != nil {
+		c.Fatal(err)
+	}
+	// it should print a warning to indicate the detach key flag is invalid
+	errStr := "Invalid detach keys (ctrl-A,a) provided"
+	c.Assert(strings.TrimSpace(out), checker.Equals, errStr)
+}
+
+// TestRunAttachDetachFromConfig checks attaching and detaching with the escape sequence specified via config file.
+func (s *DockerSuite) TestRunAttachDetachFromConfig(c *check.C) {
+	keyCtrlA := []byte{1}
+	keyA := []byte{97}
+
+	// Setup config
+	homeKey := homedir.Key()
+	homeVal := homedir.Get()
+	tmpDir, err := ioutil.TempDir("", "fake-home")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	dotDocker := filepath.Join(tmpDir, ".docker")
+	os.Mkdir(dotDocker, 0600)
+	tmpCfg := filepath.Join(dotDocker, "config.json")
+
+	defer func() { os.Setenv(homeKey, homeVal) }()
+	os.Setenv(homeKey, tmpDir)
+
+	data := `{
+		"detachKeys": "ctrl-a,a"
+	}`
+
+	err = ioutil.WriteFile(tmpCfg, []byte(data), 0600)
+	c.Assert(err, checker.IsNil)
+
+	// Then do the work
+	name := "attach-detach"
+	dockerCmd(c, "run", "--name", name, "-itd", "busybox", "cat")
+
+	cmd := exec.Command(dockerBinary, "attach", name)
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		c.Fatal(err)
+	}
+	cpty, tty, err := pty.Open()
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer cpty.Close()
+	cmd.Stdin = tty
+	if err := cmd.Start(); err != nil {
+		c.Fatal(err)
+	}
+	c.Assert(waitRun(name), check.IsNil)
+
+	if _, err := cpty.Write([]byte("hello\n")); err != nil {
+		c.Fatal(err)
+	}
+
+	out, err := bufio.NewReader(stdout).ReadString('\n')
+	if err != nil {
+		c.Fatal(err)
+	}
+	if strings.TrimSpace(out) != "hello" {
+		c.Fatalf("expected 'hello', got %q", out)
+	}
+
+	// escape sequence
+	if _, err := cpty.Write(keyCtrlA); err != nil {
+		c.Fatal(err)
+	}
+	time.Sleep(100 * time.Millisecond)
+	if _, err := cpty.Write(keyA); err != nil {
+		c.Fatal(err)
+	}
+
+	ch := make(chan struct{})
+	go func() {
+		cmd.Wait()
+		ch <- struct{}{}
+	}()
+
+	select {
+	case <-ch:
+	case <-time.After(10 * time.Second):
+		c.Fatal("timed out waiting for container to exit")
+	}
+
+	running := inspectField(c, name, "State.Running")
+	c.Assert(running, checker.Equals, "true", check.Commentf("expected container to still be running"))
+}
+
+// TestRunAttachDetachKeysOverrideConfig checks attaching and detaching with the detach flags, making sure it overrides config file
+func (s *DockerSuite) TestRunAttachDetachKeysOverrideConfig(c *check.C) {
+	keyCtrlA := []byte{1}
+	keyA := []byte{97}
+
+	// Setup config
+	homeKey := homedir.Key()
+	homeVal := homedir.Get()
+	tmpDir, err := ioutil.TempDir("", "fake-home")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	dotDocker := filepath.Join(tmpDir, ".docker")
+	os.Mkdir(dotDocker, 0600)
+	tmpCfg := filepath.Join(dotDocker, "config.json")
+
+	defer func() { os.Setenv(homeKey, homeVal) }()
+	os.Setenv(homeKey, tmpDir)
+
+	data := `{
+		"detachKeys": "ctrl-e,e"
+	}`
+
+	err = ioutil.WriteFile(tmpCfg, []byte(data), 0600)
+	c.Assert(err, checker.IsNil)
+
+	// Then do the work
+	name := "attach-detach"
+	dockerCmd(c, "run", "--name", name, "-itd", "busybox", "cat")
+
+	cmd := exec.Command(dockerBinary, "attach", "--detach-keys=ctrl-a,a", name)
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		c.Fatal(err)
+	}
+	cpty, tty, err := pty.Open()
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer cpty.Close()
+	cmd.Stdin = tty
+	if err := cmd.Start(); err != nil {
+		c.Fatal(err)
+	}
+	c.Assert(waitRun(name), check.IsNil)
+
+	if _, err := cpty.Write([]byte("hello\n")); err != nil {
+		c.Fatal(err)
+	}
+
+	out, err := bufio.NewReader(stdout).ReadString('\n')
+	if err != nil {
+		c.Fatal(err)
+	}
+	if strings.TrimSpace(out) != "hello" {
+		c.Fatalf("expected 'hello', got %q", out)
+	}
+
+	// escape sequence
+	if _, err := cpty.Write(keyCtrlA); err != nil {
+		c.Fatal(err)
+	}
+	time.Sleep(100 * time.Millisecond)
+	if _, err := cpty.Write(keyA); err != nil {
+		c.Fatal(err)
+	}
+
+	ch := make(chan struct{})
+	go func() {
+		cmd.Wait()
+		ch <- struct{}{}
+	}()
+
+	select {
+	case <-ch:
+	case <-time.After(10 * time.Second):
+		c.Fatal("timed out waiting for container to exit")
+	}
+
+	running := inspectField(c, name, "State.Running")
+	c.Assert(running, checker.Equals, "true", check.Commentf("expected container to still be running"))
+}
+
+func (s *DockerSuite) TestRunAttachInvalidDetachKeySequencePreserved(c *check.C) {
+	name := "attach-detach"
+	keyA := []byte{97}
+	keyB := []byte{98}
+
+	dockerCmd(c, "run", "--name", name, "-itd", "busybox", "cat")
+
+	cmd := exec.Command(dockerBinary, "attach", "--detach-keys=a,b,c", name)
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		c.Fatal(err)
+	}
+	cpty, tty, err := pty.Open()
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer cpty.Close()
+	cmd.Stdin = tty
+	if err := cmd.Start(); err != nil {
+		c.Fatal(err)
+	}
+	go cmd.Wait()
+	c.Assert(waitRun(name), check.IsNil)
+
+	// Invalid escape sequence aba, should print aba in output
+	if _, err := cpty.Write(keyA); err != nil {
+		c.Fatal(err)
+	}
+	time.Sleep(100 * time.Millisecond)
+	if _, err := cpty.Write(keyB); err != nil {
+		c.Fatal(err)
+	}
+	time.Sleep(100 * time.Millisecond)
+	if _, err := cpty.Write(keyA); err != nil {
+		c.Fatal(err)
+	}
+	time.Sleep(100 * time.Millisecond)
+	if _, err := cpty.Write([]byte("\n")); err != nil {
+		c.Fatal(err)
+	}
+
+	out, err := bufio.NewReader(stdout).ReadString('\n')
+	if err != nil {
+		c.Fatal(err)
+	}
+	if strings.TrimSpace(out) != "aba" {
+		c.Fatalf("expected 'aba', got %q", out)
+	}
+}
+
+// "test" should be printed
+func (s *DockerSuite) TestRunWithCPUQuota(c *check.C) {
+	testRequires(c, cpuCfsQuota)
+
+	file := "/sys/fs/cgroup/cpu/cpu.cfs_quota_us"
+	out, _ := dockerCmd(c, "run", "--cpu-quota", "8000", "--name", "test", "busybox", "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "8000")
+
+	out = inspectField(c, "test", "HostConfig.CpuQuota")
+	c.Assert(out, checker.Equals, "8000", check.Commentf("setting the CPU CFS quota failed"))
+}
+
+func (s *DockerSuite) TestRunWithCpuPeriod(c *check.C) {
+	testRequires(c, cpuCfsPeriod)
+
+	file := "/sys/fs/cgroup/cpu/cpu.cfs_period_us"
+	out, _ := dockerCmd(c, "run", "--cpu-period", "50000", "--name", "test", "busybox", "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "50000")
+
+	out, _ = dockerCmd(c, "run", "--cpu-period", "0", "busybox", "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "100000")
+
+	out = inspectField(c, "test", "HostConfig.CpuPeriod")
+	c.Assert(out, checker.Equals, "50000", check.Commentf("setting the CPU CFS period failed"))
+}
+
+func (s *DockerSuite) TestRunWithInvalidCpuPeriod(c *check.C) {
+	testRequires(c, cpuCfsPeriod)
+	out, _, err := dockerCmdWithError("run", "--cpu-period", "900", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected := "CPU cfs period can not be less than 1ms (i.e. 1000) or larger than 1s (i.e. 1000000)"
+	c.Assert(out, checker.Contains, expected)
+
+	out, _, err = dockerCmdWithError("run", "--cpu-period", "2000000", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, expected)
+
+	out, _, err = dockerCmdWithError("run", "--cpu-period", "-3", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestRunWithKernelMemory(c *check.C) {
+	testRequires(c, kernelMemorySupport)
+
+	file := "/sys/fs/cgroup/memory/memory.kmem.limit_in_bytes"
+	cli.DockerCmd(c, "run", "--kernel-memory", "50M", "--name", "test1", "busybox", "cat", file).Assert(c, icmd.Expected{
+		Out: "52428800",
+	})
+
+	cli.InspectCmd(c, "test1", cli.Format(".HostConfig.KernelMemory")).Assert(c, icmd.Expected{
+		Out: "52428800",
+	})
+}
+
+func (s *DockerSuite) TestRunWithInvalidKernelMemory(c *check.C) {
+	testRequires(c, kernelMemorySupport)
+
+	out, _, err := dockerCmdWithError("run", "--kernel-memory", "2M", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected := "Minimum kernel memory limit allowed is 4MB"
+	c.Assert(out, checker.Contains, expected)
+
+	out, _, err = dockerCmdWithError("run", "--kernel-memory", "-16m", "--name", "test2", "busybox", "echo", "test")
+	c.Assert(err, check.NotNil)
+	expected = "invalid size"
+	c.Assert(out, checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestRunWithCPUShares(c *check.C) {
+	testRequires(c, cpuShare)
+
+	file := "/sys/fs/cgroup/cpu/cpu.shares"
+	out, _ := dockerCmd(c, "run", "--cpu-shares", "1000", "--name", "test", "busybox", "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "1000")
+
+	out = inspectField(c, "test", "HostConfig.CPUShares")
+	c.Assert(out, check.Equals, "1000")
+}
+
+// "test" should be printed
+func (s *DockerSuite) TestRunEchoStdoutWithCPUSharesAndMemoryLimit(c *check.C) {
+	testRequires(c, cpuShare)
+	testRequires(c, memoryLimitSupport)
+	cli.DockerCmd(c, "run", "--cpu-shares", "1000", "-m", "32m", "busybox", "echo", "test").Assert(c, icmd.Expected{
+		Out: "test\n",
+	})
+}
+
+func (s *DockerSuite) TestRunWithCpusetCpus(c *check.C) {
+	testRequires(c, cgroupCpuset)
+
+	file := "/sys/fs/cgroup/cpuset/cpuset.cpus"
+	out, _ := dockerCmd(c, "run", "--cpuset-cpus", "0", "--name", "test", "busybox", "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	out = inspectField(c, "test", "HostConfig.CpusetCpus")
+	c.Assert(out, check.Equals, "0")
+}
+
+func (s *DockerSuite) TestRunWithCpusetMems(c *check.C) {
+	testRequires(c, cgroupCpuset)
+
+	file := "/sys/fs/cgroup/cpuset/cpuset.mems"
+	out, _ := dockerCmd(c, "run", "--cpuset-mems", "0", "--name", "test", "busybox", "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	out = inspectField(c, "test", "HostConfig.CpusetMems")
+	c.Assert(out, check.Equals, "0")
+}
+
+func (s *DockerSuite) TestRunWithBlkioWeight(c *check.C) {
+	testRequires(c, blkioWeight)
+
+	file := "/sys/fs/cgroup/blkio/blkio.weight"
+	out, _ := dockerCmd(c, "run", "--blkio-weight", "300", "--name", "test", "busybox", "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "300")
+
+	out = inspectField(c, "test", "HostConfig.BlkioWeight")
+	c.Assert(out, check.Equals, "300")
+}
+
+func (s *DockerSuite) TestRunWithInvalidBlkioWeight(c *check.C) {
+	testRequires(c, blkioWeight)
+	out, _, err := dockerCmdWithError("run", "--blkio-weight", "5", "busybox", "true")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	expected := "Range of blkio weight is from 10 to 1000"
+	c.Assert(out, checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestRunWithInvalidPathforBlkioWeightDevice(c *check.C) {
+	testRequires(c, blkioWeight)
+	out, _, err := dockerCmdWithError("run", "--blkio-weight-device", "/dev/sdX:100", "busybox", "true")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+}
+
+func (s *DockerSuite) TestRunWithInvalidPathforBlkioDeviceReadBps(c *check.C) {
+	testRequires(c, blkioWeight)
+	out, _, err := dockerCmdWithError("run", "--device-read-bps", "/dev/sdX:500", "busybox", "true")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+}
+
+func (s *DockerSuite) TestRunWithInvalidPathforBlkioDeviceWriteBps(c *check.C) {
+	testRequires(c, blkioWeight)
+	out, _, err := dockerCmdWithError("run", "--device-write-bps", "/dev/sdX:500", "busybox", "true")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+}
+
+func (s *DockerSuite) TestRunWithInvalidPathforBlkioDeviceReadIOps(c *check.C) {
+	testRequires(c, blkioWeight)
+	out, _, err := dockerCmdWithError("run", "--device-read-iops", "/dev/sdX:500", "busybox", "true")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+}
+
+func (s *DockerSuite) TestRunWithInvalidPathforBlkioDeviceWriteIOps(c *check.C) {
+	testRequires(c, blkioWeight)
+	out, _, err := dockerCmdWithError("run", "--device-write-iops", "/dev/sdX:500", "busybox", "true")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+}
+
+func (s *DockerSuite) TestRunOOMExitCode(c *check.C) {
+	testRequires(c, memoryLimitSupport, swapMemorySupport, NotPpc64le)
+	errChan := make(chan error)
+	go func() {
+		defer close(errChan)
+		// memory limit lower than 8MB will raise an error of "device or resource busy" from docker-runc.
+		out, exitCode, _ := dockerCmdWithError("run", "-m", "8MB", "busybox", "sh", "-c", "x=a; while true; do x=$x$x$x$x; done")
+		if expected := 137; exitCode != expected {
+			errChan <- fmt.Errorf("wrong exit code for OOM container: expected %d, got %d (output: %q)", expected, exitCode, out)
+		}
+	}()
+
+	select {
+	case err := <-errChan:
+		c.Assert(err, check.IsNil)
+	case <-time.After(600 * time.Second):
+		c.Fatal("Timeout waiting for container to die on OOM")
+	}
+}
+
+func (s *DockerSuite) TestRunWithMemoryLimit(c *check.C) {
+	testRequires(c, memoryLimitSupport)
+
+	file := "/sys/fs/cgroup/memory/memory.limit_in_bytes"
+	cli.DockerCmd(c, "run", "-m", "32M", "--name", "test", "busybox", "cat", file).Assert(c, icmd.Expected{
+		Out: "33554432",
+	})
+	cli.InspectCmd(c, "test", cli.Format(".HostConfig.Memory")).Assert(c, icmd.Expected{
+		Out: "33554432",
+	})
+}
+
+// TestRunWithoutMemoryswapLimit sets memory limit and disables swap
+// memory limit, this means the processes in the container can use
+// 16M memory and as much swap memory as they need (if the host
+// supports swap memory).
+func (s *DockerSuite) TestRunWithoutMemoryswapLimit(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+	testRequires(c, swapMemorySupport)
+	dockerCmd(c, "run", "-m", "32m", "--memory-swap", "-1", "busybox", "true")
+}
+
+func (s *DockerSuite) TestRunWithSwappiness(c *check.C) {
+	testRequires(c, memorySwappinessSupport)
+	file := "/sys/fs/cgroup/memory/memory.swappiness"
+	out, _ := dockerCmd(c, "run", "--memory-swappiness", "0", "--name", "test", "busybox", "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0")
+
+	out = inspectField(c, "test", "HostConfig.MemorySwappiness")
+	c.Assert(out, check.Equals, "0")
+}
+
+func (s *DockerSuite) TestRunWithSwappinessInvalid(c *check.C) {
+	testRequires(c, memorySwappinessSupport)
+	out, _, err := dockerCmdWithError("run", "--memory-swappiness", "101", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected := "Valid memory swappiness range is 0-100"
+	c.Assert(out, checker.Contains, expected, check.Commentf("Expected output to contain %q, not %q", out, expected))
+
+	out, _, err = dockerCmdWithError("run", "--memory-swappiness", "-10", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, expected, check.Commentf("Expected output to contain %q, not %q", out, expected))
+}
+
+func (s *DockerSuite) TestRunWithMemoryReservation(c *check.C) {
+	testRequires(c, SameHostDaemon, memoryReservationSupport)
+
+	file := "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes"
+	out, _ := dockerCmd(c, "run", "--memory-reservation", "200M", "--name", "test", "busybox", "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "209715200")
+
+	out = inspectField(c, "test", "HostConfig.MemoryReservation")
+	c.Assert(out, check.Equals, "209715200")
+}
+
+func (s *DockerSuite) TestRunWithMemoryReservationInvalid(c *check.C) {
+	testRequires(c, memoryLimitSupport)
+	testRequires(c, SameHostDaemon, memoryReservationSupport)
+	out, _, err := dockerCmdWithError("run", "-m", "500M", "--memory-reservation", "800M", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected := "Minimum memory limit can not be less than memory reservation limit"
+	c.Assert(strings.TrimSpace(out), checker.Contains, expected, check.Commentf("run container should fail with invalid memory reservation"))
+
+	out, _, err = dockerCmdWithError("run", "--memory-reservation", "1k", "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected = "Minimum memory reservation allowed is 4MB"
+	c.Assert(strings.TrimSpace(out), checker.Contains, expected, check.Commentf("run container should fail with invalid memory reservation"))
+}
+
+func (s *DockerSuite) TestStopContainerSignal(c *check.C) {
+	out, _ := dockerCmd(c, "run", "--stop-signal", "SIGUSR1", "-d", "busybox", "/bin/sh", "-c", `trap 'echo "exit trapped"; exit 0' USR1; while true; do sleep 1; done`)
+	containerID := strings.TrimSpace(out)
+
+	c.Assert(waitRun(containerID), checker.IsNil)
+
+	dockerCmd(c, "stop", containerID)
+	out, _ = dockerCmd(c, "logs", containerID)
+
+	c.Assert(out, checker.Contains, "exit trapped", check.Commentf("Expected `exit trapped` in the log"))
+}
+
+func (s *DockerSuite) TestRunSwapLessThanMemoryLimit(c *check.C) {
+	testRequires(c, memoryLimitSupport)
+	testRequires(c, swapMemorySupport)
+	out, _, err := dockerCmdWithError("run", "-m", "16m", "--memory-swap", "15m", "busybox", "echo", "test")
+	expected := "Minimum memoryswap limit should be larger than memory limit"
+	c.Assert(err, check.NotNil)
+
+	c.Assert(out, checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestRunInvalidCpusetCpusFlagValue(c *check.C) {
+	testRequires(c, cgroupCpuset, SameHostDaemon)
+
+	sysInfo := sysinfo.New(true)
+	cpus, err := parsers.ParseUintList(sysInfo.Cpus)
+	c.Assert(err, check.IsNil)
+	var invalid int
+	for i := 0; i <= len(cpus)+1; i++ {
+		if !cpus[i] {
+			invalid = i
+			break
+		}
+	}
+	out, _, err := dockerCmdWithError("run", "--cpuset-cpus", strconv.Itoa(invalid), "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected := fmt.Sprintf("Error response from daemon: Requested CPUs are not available - requested %s, available: %s", strconv.Itoa(invalid), sysInfo.Cpus)
+	c.Assert(out, checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestRunInvalidCpusetMemsFlagValue(c *check.C) {
+	testRequires(c, cgroupCpuset)
+
+	sysInfo := sysinfo.New(true)
+	mems, err := parsers.ParseUintList(sysInfo.Mems)
+	c.Assert(err, check.IsNil)
+	var invalid int
+	for i := 0; i <= len(mems)+1; i++ {
+		if !mems[i] {
+			invalid = i
+			break
+		}
+	}
+	out, _, err := dockerCmdWithError("run", "--cpuset-mems", strconv.Itoa(invalid), "busybox", "true")
+	c.Assert(err, check.NotNil)
+	expected := fmt.Sprintf("Error response from daemon: Requested memory nodes are not available - requested %s, available: %s", strconv.Itoa(invalid), sysInfo.Mems)
+	c.Assert(out, checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestRunInvalidCPUShares(c *check.C) {
+	testRequires(c, cpuShare, DaemonIsLinux)
+	out, _, err := dockerCmdWithError("run", "--cpu-shares", "1", "busybox", "echo", "test")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	expected := "The minimum allowed cpu-shares is 2"
+	c.Assert(out, checker.Contains, expected)
+
+	out, _, err = dockerCmdWithError("run", "--cpu-shares", "-1", "busybox", "echo", "test")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	expected = "shares: invalid argument"
+	c.Assert(out, checker.Contains, expected)
+
+	out, _, err = dockerCmdWithError("run", "--cpu-shares", "99999999", "busybox", "echo", "test")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	expected = "The maximum allowed cpu-shares is"
+	c.Assert(out, checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestRunWithDefaultShmSize(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	name := "shm-default"
+	out, _ := dockerCmd(c, "run", "--name", name, "busybox", "mount")
+	shmRegex := regexp.MustCompile(`shm on /dev/shm type tmpfs(.*)size=65536k`)
+	if !shmRegex.MatchString(out) {
+		c.Fatalf("Expected shm of 64MB in mount command, got %v", out)
+	}
+	shmSize := inspectField(c, name, "HostConfig.ShmSize")
+	c.Assert(shmSize, check.Equals, "67108864")
+}
+
+func (s *DockerSuite) TestRunWithShmSize(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	name := "shm"
+	out, _ := dockerCmd(c, "run", "--name", name, "--shm-size=1G", "busybox", "mount")
+	shmRegex := regexp.MustCompile(`shm on /dev/shm type tmpfs(.*)size=1048576k`)
+	if !shmRegex.MatchString(out) {
+		c.Fatalf("Expected shm of 1GB in mount command, got %v", out)
+	}
+	shmSize := inspectField(c, name, "HostConfig.ShmSize")
+	c.Assert(shmSize, check.Equals, "1073741824")
+}
+
+func (s *DockerSuite) TestRunTmpfsMountsEnsureOrdered(c *check.C) {
+	tmpFile, err := ioutil.TempFile("", "test")
+	c.Assert(err, check.IsNil)
+	defer tmpFile.Close()
+	out, _ := dockerCmd(c, "run", "--tmpfs", "/run", "-v", tmpFile.Name()+":/run/test", "busybox", "ls", "/run")
+	c.Assert(out, checker.Contains, "test")
+}
+
+func (s *DockerSuite) TestRunTmpfsMounts(c *check.C) {
+	// TODO Windows (Post TP5): This test cannot run on a Windows daemon as
+	// Windows does not support tmpfs mounts.
+	testRequires(c, DaemonIsLinux)
+	if out, _, err := dockerCmdWithError("run", "--tmpfs", "/run", "busybox", "touch", "/run/somefile"); err != nil {
+		c.Fatalf("/run directory not mounted on tmpfs %q %s", err, out)
+	}
+	if out, _, err := dockerCmdWithError("run", "--tmpfs", "/run:noexec", "busybox", "touch", "/run/somefile"); err != nil {
+		c.Fatalf("/run directory not mounted on tmpfs %q %s", err, out)
+	}
+	if out, _, err := dockerCmdWithError("run", "--tmpfs", "/run:noexec,nosuid,rw,size=5k,mode=700", "busybox", "touch", "/run/somefile"); err != nil {
+		c.Fatalf("/run failed to mount on tmpfs with valid options %q %s", err, out)
+	}
+	if _, _, err := dockerCmdWithError("run", "--tmpfs", "/run:foobar", "busybox", "touch", "/run/somefile"); err == nil {
+		c.Fatalf("/run mounted on tmpfs when it should have vailed within invalid mount option")
+	}
+	if _, _, err := dockerCmdWithError("run", "--tmpfs", "/run", "-v", "/run:/run", "busybox", "touch", "/run/somefile"); err == nil {
+		c.Fatalf("Should have generated an error saying Duplicate mount  points")
+	}
+}
+
+func (s *DockerSuite) TestRunTmpfsMountsOverrideImageVolumes(c *check.C) {
+	name := "img-with-volumes"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`
+    FROM busybox
+    VOLUME /run
+    RUN touch /run/stuff
+    `))
+	out, _ := dockerCmd(c, "run", "--tmpfs", "/run", name, "ls", "/run")
+	c.Assert(out, checker.Not(checker.Contains), "stuff")
+}
+
+// Test case for #22420
+func (s *DockerSuite) TestRunTmpfsMountsWithOptions(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	expectedOptions := []string{"rw", "nosuid", "nodev", "noexec", "relatime"}
+	out, _ := dockerCmd(c, "run", "--tmpfs", "/tmp", "busybox", "sh", "-c", "mount | grep 'tmpfs on /tmp'")
+	for _, option := range expectedOptions {
+		c.Assert(out, checker.Contains, option)
+	}
+	c.Assert(out, checker.Not(checker.Contains), "size=")
+
+	expectedOptions = []string{"rw", "nosuid", "nodev", "noexec", "relatime"}
+	out, _ = dockerCmd(c, "run", "--tmpfs", "/tmp:rw", "busybox", "sh", "-c", "mount | grep 'tmpfs on /tmp'")
+	for _, option := range expectedOptions {
+		c.Assert(out, checker.Contains, option)
+	}
+	c.Assert(out, checker.Not(checker.Contains), "size=")
+
+	expectedOptions = []string{"rw", "nosuid", "nodev", "relatime", "size=8192k"}
+	out, _ = dockerCmd(c, "run", "--tmpfs", "/tmp:rw,exec,size=8192k", "busybox", "sh", "-c", "mount | grep 'tmpfs on /tmp'")
+	for _, option := range expectedOptions {
+		c.Assert(out, checker.Contains, option)
+	}
+
+	expectedOptions = []string{"rw", "nosuid", "nodev", "noexec", "relatime", "size=4096k"}
+	out, _ = dockerCmd(c, "run", "--tmpfs", "/tmp:rw,size=8192k,exec,size=4096k,noexec", "busybox", "sh", "-c", "mount | grep 'tmpfs on /tmp'")
+	for _, option := range expectedOptions {
+		c.Assert(out, checker.Contains, option)
+	}
+
+	// We use debian:jessie as there is no findmnt in busybox. Also the output will be in the format of
+	// TARGET PROPAGATION
+	// /tmp   shared
+	// so we only capture `shared` here.
+	expectedOptions = []string{"shared"}
+	out, _ = dockerCmd(c, "run", "--tmpfs", "/tmp:shared", "debian:jessie", "findmnt", "-o", "TARGET,PROPAGATION", "/tmp")
+	for _, option := range expectedOptions {
+		c.Assert(out, checker.Contains, option)
+	}
+}
+
+func (s *DockerSuite) TestRunSysctls(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	var err error
+
+	out, _ := dockerCmd(c, "run", "--sysctl", "net.ipv4.ip_forward=1", "--name", "test", "busybox", "cat", "/proc/sys/net/ipv4/ip_forward")
+	c.Assert(strings.TrimSpace(out), check.Equals, "1")
+
+	out = inspectFieldJSON(c, "test", "HostConfig.Sysctls")
+
+	sysctls := make(map[string]string)
+	err = json.Unmarshal([]byte(out), &sysctls)
+	c.Assert(err, check.IsNil)
+	c.Assert(sysctls["net.ipv4.ip_forward"], check.Equals, "1")
+
+	out, _ = dockerCmd(c, "run", "--sysctl", "net.ipv4.ip_forward=0", "--name", "test1", "busybox", "cat", "/proc/sys/net/ipv4/ip_forward")
+	c.Assert(strings.TrimSpace(out), check.Equals, "0")
+
+	out = inspectFieldJSON(c, "test1", "HostConfig.Sysctls")
+
+	err = json.Unmarshal([]byte(out), &sysctls)
+	c.Assert(err, check.IsNil)
+	c.Assert(sysctls["net.ipv4.ip_forward"], check.Equals, "0")
+
+	icmd.RunCommand(dockerBinary, "run", "--sysctl", "kernel.foobar=1", "--name", "test2",
+		"busybox", "cat", "/proc/sys/kernel/foobar").Assert(c, icmd.Expected{
+		ExitCode: 125,
+		Err:      "invalid argument",
+	})
+}
+
+// TestRunSeccompProfileDenyUnshare checks that 'docker run --security-opt seccomp=/tmp/profile.json debian:jessie unshare' exits with operation not permitted.
+func (s *DockerSuite) TestRunSeccompProfileDenyUnshare(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled, NotArm, Apparmor)
+	jsonData := `{
+	"defaultAction": "SCMP_ACT_ALLOW",
+	"syscalls": [
+		{
+			"name": "unshare",
+			"action": "SCMP_ACT_ERRNO"
+		}
+	]
+}`
+	tmpFile, err := ioutil.TempFile("", "profile.json")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer tmpFile.Close()
+
+	if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
+		c.Fatal(err)
+	}
+	icmd.RunCommand(dockerBinary, "run", "--security-opt", "apparmor=unconfined",
+		"--security-opt", "seccomp="+tmpFile.Name(),
+		"debian:jessie", "unshare", "-p", "-m", "-f", "-r", "mount", "-t", "proc", "none", "/proc").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+}
+
+// TestRunSeccompProfileDenyChmod checks that 'docker run --security-opt seccomp=/tmp/profile.json busybox chmod 400 /etc/hostname' exits with operation not permitted.
+func (s *DockerSuite) TestRunSeccompProfileDenyChmod(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+	jsonData := `{
+	"defaultAction": "SCMP_ACT_ALLOW",
+	"syscalls": [
+		{
+			"name": "chmod",
+			"action": "SCMP_ACT_ERRNO"
+		},
+		{
+			"name":"fchmod",
+			"action": "SCMP_ACT_ERRNO"
+		},
+		{
+			"name": "fchmodat",
+			"action":"SCMP_ACT_ERRNO"
+		}
+	]
+}`
+	tmpFile, err := ioutil.TempFile("", "profile.json")
+	c.Assert(err, check.IsNil)
+	defer tmpFile.Close()
+
+	if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
+		c.Fatal(err)
+	}
+	icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp="+tmpFile.Name(),
+		"busybox", "chmod", "400", "/etc/hostname").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+}
+
+// TestRunSeccompProfileDenyUnshareUserns checks that 'docker run debian:jessie unshare --map-root-user --user sh -c whoami' with a specific profile to
+// deny unshare of a userns exits with operation not permitted.
+func (s *DockerSuite) TestRunSeccompProfileDenyUnshareUserns(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled, NotArm, Apparmor)
+	// from sched.h
+	jsonData := fmt.Sprintf(`{
+	"defaultAction": "SCMP_ACT_ALLOW",
+	"syscalls": [
+		{
+			"name": "unshare",
+			"action": "SCMP_ACT_ERRNO",
+			"args": [
+				{
+					"index": 0,
+					"value": %d,
+					"op": "SCMP_CMP_EQ"
+				}
+			]
+		}
+	]
+}`, uint64(0x10000000))
+	tmpFile, err := ioutil.TempFile("", "profile.json")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer tmpFile.Close()
+
+	if _, err := tmpFile.Write([]byte(jsonData)); err != nil {
+		c.Fatal(err)
+	}
+	icmd.RunCommand(dockerBinary, "run",
+		"--security-opt", "apparmor=unconfined", "--security-opt", "seccomp="+tmpFile.Name(),
+		"debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+}
+
+// TestRunSeccompProfileDenyCloneUserns checks that 'docker run syscall-test'
+// with a the default seccomp profile exits with operation not permitted.
+func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+	ensureSyscallTest(c)
+
+	icmd.RunCommand(dockerBinary, "run", "syscall-test", "userns-test", "id").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "clone failed: Operation not permitted",
+	})
+}
+
+// TestRunSeccompUnconfinedCloneUserns checks that
+// 'docker run --security-opt seccomp=unconfined syscall-test' allows creating a userns.
+func (s *DockerSuite) TestRunSeccompUnconfinedCloneUserns(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled, UserNamespaceInKernel, NotUserNamespace, unprivilegedUsernsClone)
+	ensureSyscallTest(c)
+
+	// make sure running w privileged is ok
+	icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp=unconfined",
+		"syscall-test", "userns-test", "id").Assert(c, icmd.Expected{
+		Out: "nobody",
+	})
+}
+
+// TestRunSeccompAllowPrivCloneUserns checks that 'docker run --privileged syscall-test'
+// allows creating a userns.
+func (s *DockerSuite) TestRunSeccompAllowPrivCloneUserns(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled, UserNamespaceInKernel, NotUserNamespace)
+	ensureSyscallTest(c)
+
+	// make sure running w privileged is ok
+	icmd.RunCommand(dockerBinary, "run", "--privileged", "syscall-test", "userns-test", "id").Assert(c, icmd.Expected{
+		Out: "nobody",
+	})
+}
+
+// TestRunSeccompProfileAllow32Bit checks that 32 bit code can run on x86_64
+// with the default seccomp profile.
+func (s *DockerSuite) TestRunSeccompProfileAllow32Bit(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled, IsAmd64)
+	ensureSyscallTest(c)
+
+	icmd.RunCommand(dockerBinary, "run", "syscall-test", "exit32-test").Assert(c, icmd.Success)
+}
+
+// TestRunSeccompAllowSetrlimit checks that 'docker run debian:jessie ulimit -v 1048510' succeeds.
+func (s *DockerSuite) TestRunSeccompAllowSetrlimit(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+
+	// ulimit uses setrlimit, so we want to make sure we don't break it
+	icmd.RunCommand(dockerBinary, "run", "debian:jessie", "bash", "-c", "ulimit -v 1048510").Assert(c, icmd.Success)
+}
+
+func (s *DockerSuite) TestRunSeccompDefaultProfileAcct(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace)
+	ensureSyscallTest(c)
+
+	out, _, err := dockerCmdWithError("run", "syscall-test", "acct-test")
+	if err == nil || !strings.Contains(out, "Operation not permitted") {
+		c.Fatalf("test 0: expected Operation not permitted, got: %s", out)
+	}
+
+	out, _, err = dockerCmdWithError("run", "--cap-add", "sys_admin", "syscall-test", "acct-test")
+	if err == nil || !strings.Contains(out, "Operation not permitted") {
+		c.Fatalf("test 1: expected Operation not permitted, got: %s", out)
+	}
+
+	out, _, err = dockerCmdWithError("run", "--cap-add", "sys_pacct", "syscall-test", "acct-test")
+	if err == nil || !strings.Contains(out, "No such file or directory") {
+		c.Fatalf("test 2: expected No such file or directory, got: %s", out)
+	}
+
+	out, _, err = dockerCmdWithError("run", "--cap-add", "ALL", "syscall-test", "acct-test")
+	if err == nil || !strings.Contains(out, "No such file or directory") {
+		c.Fatalf("test 3: expected No such file or directory, got: %s", out)
+	}
+
+	out, _, err = dockerCmdWithError("run", "--cap-drop", "ALL", "--cap-add", "sys_pacct", "syscall-test", "acct-test")
+	if err == nil || !strings.Contains(out, "No such file or directory") {
+		c.Fatalf("test 4: expected No such file or directory, got: %s", out)
+	}
+}
+
+func (s *DockerSuite) TestRunSeccompDefaultProfileNS(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled, NotUserNamespace)
+	ensureSyscallTest(c)
+
+	out, _, err := dockerCmdWithError("run", "syscall-test", "ns-test", "echo", "hello0")
+	if err == nil || !strings.Contains(out, "Operation not permitted") {
+		c.Fatalf("test 0: expected Operation not permitted, got: %s", out)
+	}
+
+	out, _, err = dockerCmdWithError("run", "--cap-add", "sys_admin", "syscall-test", "ns-test", "echo", "hello1")
+	if err != nil || !strings.Contains(out, "hello1") {
+		c.Fatalf("test 1: expected hello1, got: %s, %v", out, err)
+	}
+
+	out, _, err = dockerCmdWithError("run", "--cap-drop", "all", "--cap-add", "sys_admin", "syscall-test", "ns-test", "echo", "hello2")
+	if err != nil || !strings.Contains(out, "hello2") {
+		c.Fatalf("test 2: expected hello2, got: %s, %v", out, err)
+	}
+
+	out, _, err = dockerCmdWithError("run", "--cap-add", "ALL", "syscall-test", "ns-test", "echo", "hello3")
+	if err != nil || !strings.Contains(out, "hello3") {
+		c.Fatalf("test 3: expected hello3, got: %s, %v", out, err)
+	}
+
+	out, _, err = dockerCmdWithError("run", "--cap-add", "ALL", "--security-opt", "seccomp=unconfined", "syscall-test", "acct-test")
+	if err == nil || !strings.Contains(out, "No such file or directory") {
+		c.Fatalf("test 4: expected No such file or directory, got: %s", out)
+	}
+
+	out, _, err = dockerCmdWithError("run", "--cap-add", "ALL", "--security-opt", "seccomp=unconfined", "syscall-test", "ns-test", "echo", "hello4")
+	if err != nil || !strings.Contains(out, "hello4") {
+		c.Fatalf("test 5: expected hello4, got: %s, %v", out, err)
+	}
+}
+
+// TestRunNoNewPrivSetuid checks that --security-opt='no-new-privileges=true' prevents
+// effective uid transtions on executing setuid binaries.
+func (s *DockerSuite) TestRunNoNewPrivSetuid(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, SameHostDaemon)
+	ensureNNPTest(c)
+
+	// test that running a setuid binary results in no effective uid transition
+	icmd.RunCommand(dockerBinary, "run", "--security-opt", "no-new-privileges=true", "--user", "1000",
+		"nnp-test", "/usr/bin/nnp-test").Assert(c, icmd.Expected{
+		Out: "EUID=1000",
+	})
+}
+
+// TestLegacyRunNoNewPrivSetuid checks that --security-opt=no-new-privileges prevents
+// effective uid transtions on executing setuid binaries.
+func (s *DockerSuite) TestLegacyRunNoNewPrivSetuid(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, SameHostDaemon)
+	ensureNNPTest(c)
+
+	// test that running a setuid binary results in no effective uid transition
+	icmd.RunCommand(dockerBinary, "run", "--security-opt", "no-new-privileges", "--user", "1000",
+		"nnp-test", "/usr/bin/nnp-test").Assert(c, icmd.Expected{
+		Out: "EUID=1000",
+	})
+}
+
+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesChown(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	ensureSyscallTest(c)
+
+	// test that a root user has default capability CAP_CHOWN
+	dockerCmd(c, "run", "busybox", "chown", "100", "/tmp")
+	// test that non root user does not have default capability CAP_CHOWN
+	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "chown", "100", "/tmp").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+	// test that root user can drop default capability CAP_CHOWN
+	icmd.RunCommand(dockerBinary, "run", "--cap-drop", "chown", "busybox", "chown", "100", "/tmp").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+}
+
+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesDacOverride(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	ensureSyscallTest(c)
+
+	// test that a root user has default capability CAP_DAC_OVERRIDE
+	dockerCmd(c, "run", "busybox", "sh", "-c", "echo test > /etc/passwd")
+	// test that non root user does not have default capability CAP_DAC_OVERRIDE
+	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "sh", "-c", "echo test > /etc/passwd").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Permission denied",
+	})
+}
+
+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesFowner(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	ensureSyscallTest(c)
+
+	// test that a root user has default capability CAP_FOWNER
+	dockerCmd(c, "run", "busybox", "chmod", "777", "/etc/passwd")
+	// test that non root user does not have default capability CAP_FOWNER
+	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "chmod", "777", "/etc/passwd").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+	// TODO test that root user can drop default capability CAP_FOWNER
+}
+
+// TODO CAP_KILL
+
+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetuid(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	ensureSyscallTest(c)
+
+	// test that a root user has default capability CAP_SETUID
+	dockerCmd(c, "run", "syscall-test", "setuid-test")
+	// test that non root user does not have default capability CAP_SETUID
+	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "setuid-test").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+	// test that root user can drop default capability CAP_SETUID
+	icmd.RunCommand(dockerBinary, "run", "--cap-drop", "setuid", "syscall-test", "setuid-test").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+}
+
+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesSetgid(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	ensureSyscallTest(c)
+
+	// test that a root user has default capability CAP_SETGID
+	dockerCmd(c, "run", "syscall-test", "setgid-test")
+	// test that non root user does not have default capability CAP_SETGID
+	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "setgid-test").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+	// test that root user can drop default capability CAP_SETGID
+	icmd.RunCommand(dockerBinary, "run", "--cap-drop", "setgid", "syscall-test", "setgid-test").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+}
+
+// TODO CAP_SETPCAP
+
+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetBindService(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	ensureSyscallTest(c)
+
+	// test that a root user has default capability CAP_NET_BIND_SERVICE
+	dockerCmd(c, "run", "syscall-test", "socket-test")
+	// test that non root user does not have default capability CAP_NET_BIND_SERVICE
+	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "socket-test").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Permission denied",
+	})
+	// test that root user can drop default capability CAP_NET_BIND_SERVICE
+	icmd.RunCommand(dockerBinary, "run", "--cap-drop", "net_bind_service", "syscall-test", "socket-test").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Permission denied",
+	})
+}
+
+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesNetRaw(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	ensureSyscallTest(c)
+
+	// test that a root user has default capability CAP_NET_RAW
+	dockerCmd(c, "run", "syscall-test", "raw-test")
+	// test that non root user does not have default capability CAP_NET_RAW
+	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "syscall-test", "raw-test").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+	// test that root user can drop default capability CAP_NET_RAW
+	icmd.RunCommand(dockerBinary, "run", "--cap-drop", "net_raw", "syscall-test", "raw-test").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+}
+
+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesChroot(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	ensureSyscallTest(c)
+
+	// test that a root user has default capability CAP_SYS_CHROOT
+	dockerCmd(c, "run", "busybox", "chroot", "/", "/bin/true")
+	// test that non root user does not have default capability CAP_SYS_CHROOT
+	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "chroot", "/", "/bin/true").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+	// test that root user can drop default capability CAP_SYS_CHROOT
+	icmd.RunCommand(dockerBinary, "run", "--cap-drop", "sys_chroot", "busybox", "chroot", "/", "/bin/true").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+}
+
+func (s *DockerSuite) TestUserNoEffectiveCapabilitiesMknod(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, SameHostDaemon)
+	ensureSyscallTest(c)
+
+	// test that a root user has default capability CAP_MKNOD
+	dockerCmd(c, "run", "busybox", "mknod", "/tmp/node", "b", "1", "2")
+	// test that non root user does not have default capability CAP_MKNOD
+	// test that root user can drop default capability CAP_SYS_CHROOT
+	icmd.RunCommand(dockerBinary, "run", "--user", "1000:1000", "busybox", "mknod", "/tmp/node", "b", "1", "2").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+	// test that root user can drop default capability CAP_MKNOD
+	icmd.RunCommand(dockerBinary, "run", "--cap-drop", "mknod", "busybox", "mknod", "/tmp/node", "b", "1", "2").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "Operation not permitted",
+	})
+}
+
+// TODO CAP_AUDIT_WRITE
+// TODO CAP_SETFCAP
+
+func (s *DockerSuite) TestRunApparmorProcDirectory(c *check.C) {
+	testRequires(c, SameHostDaemon, Apparmor)
+
+	// running w seccomp unconfined tests the apparmor profile
+	result := icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "busybox", "chmod", "777", "/proc/1/cgroup")
+	result.Assert(c, icmd.Expected{ExitCode: 1})
+	if !(strings.Contains(result.Combined(), "Permission denied") || strings.Contains(result.Combined(), "Operation not permitted")) {
+		c.Fatalf("expected chmod 777 /proc/1/cgroup to fail, got %s: %v", result.Combined(), result.Error)
+	}
+
+	result = icmd.RunCommand(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "busybox", "chmod", "777", "/proc/1/attr/current")
+	result.Assert(c, icmd.Expected{ExitCode: 1})
+	if !(strings.Contains(result.Combined(), "Permission denied") || strings.Contains(result.Combined(), "Operation not permitted")) {
+		c.Fatalf("expected chmod 777 /proc/1/attr/current to fail, got %s: %v", result.Combined(), result.Error)
+	}
+}
+
+// make sure the default profile can be successfully parsed (using unshare as it is
+// something which we know is blocked in the default profile)
+func (s *DockerSuite) TestRunSeccompWithDefaultProfile(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+
+	out, _, err := dockerCmdWithError("run", "--security-opt", "seccomp=../profiles/seccomp/default.json", "debian:jessie", "unshare", "--map-root-user", "--user", "sh", "-c", "whoami")
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "unshare: unshare failed: Operation not permitted")
+}
+
+// TestRunDeviceSymlink checks run with device that follows symlink (#13840 and #22271)
+func (s *DockerSuite) TestRunDeviceSymlink(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace, NotArm, SameHostDaemon)
+	if _, err := os.Stat("/dev/zero"); err != nil {
+		c.Skip("Host does not have /dev/zero")
+	}
+
+	// Create a temporary directory to create symlink
+	tmpDir, err := ioutil.TempDir("", "docker_device_follow_symlink_tests")
+	c.Assert(err, checker.IsNil)
+
+	defer os.RemoveAll(tmpDir)
+
+	// Create a symbolic link to /dev/zero
+	symZero := filepath.Join(tmpDir, "zero")
+	err = os.Symlink("/dev/zero", symZero)
+	c.Assert(err, checker.IsNil)
+
+	// Create a temporary file "temp" inside tmpDir, write some data to "tmpDir/temp",
+	// then create a symlink "tmpDir/file" to the temporary file "tmpDir/temp".
+	tmpFile := filepath.Join(tmpDir, "temp")
+	err = ioutil.WriteFile(tmpFile, []byte("temp"), 0666)
+	c.Assert(err, checker.IsNil)
+	symFile := filepath.Join(tmpDir, "file")
+	err = os.Symlink(tmpFile, symFile)
+	c.Assert(err, checker.IsNil)
+
+	// Create a symbolic link to /dev/zero, this time with a relative path (#22271)
+	err = os.Symlink("zero", "/dev/symzero")
+	if err != nil {
+		c.Fatal("/dev/symzero creation failed")
+	}
+	// We need to remove this symbolic link here as it is created in /dev/, not temporary directory as above
+	defer os.Remove("/dev/symzero")
+
+	// md5sum of 'dd if=/dev/zero bs=4K count=8' is bb7df04e1b0a2570657527a7e108ae23
+	out, _ := dockerCmd(c, "run", "--device", symZero+":/dev/symzero", "busybox", "sh", "-c", "dd if=/dev/symzero bs=4K count=8 | md5sum")
+	c.Assert(strings.Trim(out, "\r\n"), checker.Contains, "bb7df04e1b0a2570657527a7e108ae23", check.Commentf("expected output bb7df04e1b0a2570657527a7e108ae23"))
+
+	// symlink "tmpDir/file" to a file "tmpDir/temp" will result in an error as it is not a device.
+	out, _, err = dockerCmdWithError("run", "--device", symFile+":/dev/symzero", "busybox", "sh", "-c", "dd if=/dev/symzero bs=4K count=8 | md5sum")
+	c.Assert(err, check.NotNil)
+	c.Assert(strings.Trim(out, "\r\n"), checker.Contains, "not a device node", check.Commentf("expected output 'not a device node'"))
+
+	// md5sum of 'dd if=/dev/zero bs=4K count=8' is bb7df04e1b0a2570657527a7e108ae23 (this time check with relative path backed, see #22271)
+	out, _ = dockerCmd(c, "run", "--device", "/dev/symzero:/dev/symzero", "busybox", "sh", "-c", "dd if=/dev/symzero bs=4K count=8 | md5sum")
+	c.Assert(strings.Trim(out, "\r\n"), checker.Contains, "bb7df04e1b0a2570657527a7e108ae23", check.Commentf("expected output bb7df04e1b0a2570657527a7e108ae23"))
+}
+
+// TestRunPIDsLimit makes sure the pids cgroup is set with --pids-limit
+func (s *DockerSuite) TestRunPIDsLimit(c *check.C) {
+	testRequires(c, SameHostDaemon, pidsLimit)
+
+	file := "/sys/fs/cgroup/pids/pids.max"
+	out, _ := dockerCmd(c, "run", "--name", "skittles", "--pids-limit", "4", "busybox", "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "4")
+
+	out = inspectField(c, "skittles", "HostConfig.PidsLimit")
+	c.Assert(out, checker.Equals, "4", check.Commentf("setting the pids limit failed"))
+}
+
+func (s *DockerSuite) TestRunPrivilegedAllowedDevices(c *check.C) {
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+
+	file := "/sys/fs/cgroup/devices/devices.list"
+	out, _ := dockerCmd(c, "run", "--privileged", "busybox", "cat", file)
+	c.Logf("out: %q", out)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "a *:* rwm")
+}
+
+func (s *DockerSuite) TestRunUserDeviceAllowed(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	fi, err := os.Stat("/dev/snd/timer")
+	if err != nil {
+		c.Skip("Host does not have /dev/snd/timer")
+	}
+	stat, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		c.Skip("Could not stat /dev/snd/timer")
+	}
+
+	file := "/sys/fs/cgroup/devices/devices.list"
+	out, _ := dockerCmd(c, "run", "--device", "/dev/snd/timer:w", "busybox", "cat", file)
+	c.Assert(out, checker.Contains, fmt.Sprintf("c %d:%d w", stat.Rdev/256, stat.Rdev%256))
+}
+
+func (s *DockerDaemonSuite) TestRunSeccompJSONNewFormat(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+
+	s.d.StartWithBusybox(c)
+
+	jsonData := `{
+	"defaultAction": "SCMP_ACT_ALLOW",
+	"syscalls": [
+		{
+			"names": ["chmod", "fchmod", "fchmodat"],
+			"action": "SCMP_ACT_ERRNO"
+		}
+	]
+}`
+	tmpFile, err := ioutil.TempFile("", "profile.json")
+	c.Assert(err, check.IsNil)
+	defer tmpFile.Close()
+	_, err = tmpFile.Write([]byte(jsonData))
+	c.Assert(err, check.IsNil)
+
+	out, err := s.d.Cmd("run", "--security-opt", "seccomp="+tmpFile.Name(), "busybox", "chmod", "777", ".")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, "Operation not permitted")
+}
+
+func (s *DockerDaemonSuite) TestRunSeccompJSONNoNameAndNames(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+
+	s.d.StartWithBusybox(c)
+
+	jsonData := `{
+	"defaultAction": "SCMP_ACT_ALLOW",
+	"syscalls": [
+		{
+			"name": "chmod",
+			"names": ["fchmod", "fchmodat"],
+			"action": "SCMP_ACT_ERRNO"
+		}
+	]
+}`
+	tmpFile, err := ioutil.TempFile("", "profile.json")
+	c.Assert(err, check.IsNil)
+	defer tmpFile.Close()
+	_, err = tmpFile.Write([]byte(jsonData))
+	c.Assert(err, check.IsNil)
+
+	out, err := s.d.Cmd("run", "--security-opt", "seccomp="+tmpFile.Name(), "busybox", "chmod", "777", ".")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, "'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
+}
+
+func (s *DockerDaemonSuite) TestRunSeccompJSONNoArchAndArchMap(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+
+	s.d.StartWithBusybox(c)
+
+	jsonData := `{
+	"archMap": [
+		{
+			"architecture": "SCMP_ARCH_X86_64",
+			"subArchitectures": [
+				"SCMP_ARCH_X86",
+				"SCMP_ARCH_X32"
+			]
+		}
+	],
+	"architectures": [
+		"SCMP_ARCH_X32"
+	],
+	"defaultAction": "SCMP_ACT_ALLOW",
+	"syscalls": [
+		{
+			"names": ["chmod", "fchmod", "fchmodat"],
+			"action": "SCMP_ACT_ERRNO"
+		}
+	]
+}`
+	tmpFile, err := ioutil.TempFile("", "profile.json")
+	c.Assert(err, check.IsNil)
+	defer tmpFile.Close()
+	_, err = tmpFile.Write([]byte(jsonData))
+	c.Assert(err, check.IsNil)
+
+	out, err := s.d.Cmd("run", "--security-opt", "seccomp="+tmpFile.Name(), "busybox", "chmod", "777", ".")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, "'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
+}
+
+func (s *DockerDaemonSuite) TestRunWithDaemonDefaultSeccompProfile(c *check.C) {
+	testRequires(c, SameHostDaemon, seccompEnabled)
+
+	s.d.StartWithBusybox(c)
+
+	// 1) verify I can run containers with the Docker default shipped profile which allows chmod
+	_, err := s.d.Cmd("run", "busybox", "chmod", "777", ".")
+	c.Assert(err, check.IsNil)
+
+	jsonData := `{
+	"defaultAction": "SCMP_ACT_ALLOW",
+	"syscalls": [
+		{
+			"name": "chmod",
+			"action": "SCMP_ACT_ERRNO"
+		}
+	]
+}`
+	tmpFile, err := ioutil.TempFile("", "profile.json")
+	c.Assert(err, check.IsNil)
+	defer tmpFile.Close()
+	_, err = tmpFile.Write([]byte(jsonData))
+	c.Assert(err, check.IsNil)
+
+	// 2) restart the daemon and add a custom seccomp profile in which we deny chmod
+	s.d.Restart(c, "--seccomp-profile="+tmpFile.Name())
+
+	out, err := s.d.Cmd("run", "busybox", "chmod", "777", ".")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, "Operation not permitted")
+}
+
+func (s *DockerSuite) TestRunWithNanoCPUs(c *check.C) {
+	testRequires(c, cpuCfsQuota, cpuCfsPeriod)
+
+	file1 := "/sys/fs/cgroup/cpu/cpu.cfs_quota_us"
+	file2 := "/sys/fs/cgroup/cpu/cpu.cfs_period_us"
+	out, _ := dockerCmd(c, "run", "--cpus", "0.5", "--name", "test", "busybox", "sh", "-c", fmt.Sprintf("cat %s && cat %s", file1, file2))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "50000\n100000")
+
+	clt, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	inspect, err := clt.ContainerInspect(context.Background(), "test")
+	c.Assert(err, checker.IsNil)
+	c.Assert(inspect.HostConfig.NanoCPUs, checker.Equals, int64(500000000))
+
+	out = inspectField(c, "test", "HostConfig.CpuQuota")
+	c.Assert(out, checker.Equals, "0", check.Commentf("CPU CFS quota should be 0"))
+	out = inspectField(c, "test", "HostConfig.CpuPeriod")
+	c.Assert(out, checker.Equals, "0", check.Commentf("CPU CFS period should be 0"))
+
+	out, _, err = dockerCmdWithError("run", "--cpus", "0.5", "--cpu-quota", "50000", "--cpu-period", "100000", "busybox", "sh")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, "Conflicting options: Nano CPUs and CPU Period cannot both be set")
+}
diff --git a/engine/integration-cli/docker_cli_save_load_test.go b/engine/integration-cli/docker_cli_save_load_test.go
new file mode 100644
index 00000000..688eac68
--- /dev/null
+++ b/engine/integration-cli/docker_cli_save_load_test.go
@@ -0,0 +1,405 @@
+package main
+
+import (
+	"archive/tar"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"reflect"
+	"regexp"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+	"github.com/opencontainers/go-digest"
+	"gotest.tools/icmd"
+)
+
+// save a repo using gz compression and try to load it using stdout
+func (s *DockerSuite) TestSaveXzAndLoadRepoStdout(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "test-save-xz-and-load-repo-stdout"
+	dockerCmd(c, "run", "--name", name, "busybox", "true")
+
+	repoName := "foobar-save-load-test-xz-gz"
+	out, _ := dockerCmd(c, "commit", name, repoName)
+
+	dockerCmd(c, "inspect", repoName)
+
+	repoTarball, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "save", repoName),
+		exec.Command("xz", "-c"),
+		exec.Command("gzip", "-c"))
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save repo: %v %v", out, err))
+	deleteImages(repoName)
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "load"},
+		Stdin:   strings.NewReader(repoTarball),
+	}).Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+
+	after, _, err := dockerCmdWithError("inspect", repoName)
+	c.Assert(err, checker.NotNil, check.Commentf("the repo should not exist: %v", after))
+}
+
+// save a repo using xz+gz compression and try to load it using stdout
+func (s *DockerSuite) TestSaveXzGzAndLoadRepoStdout(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "test-save-xz-gz-and-load-repo-stdout"
+	dockerCmd(c, "run", "--name", name, "busybox", "true")
+
+	repoName := "foobar-save-load-test-xz-gz"
+	dockerCmd(c, "commit", name, repoName)
+
+	dockerCmd(c, "inspect", repoName)
+
+	out, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "save", repoName),
+		exec.Command("xz", "-c"),
+		exec.Command("gzip", "-c"))
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save repo: %v %v", out, err))
+
+	deleteImages(repoName)
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "load"},
+		Stdin:   strings.NewReader(out),
+	}).Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+
+	after, _, err := dockerCmdWithError("inspect", repoName)
+	c.Assert(err, checker.NotNil, check.Commentf("the repo should not exist: %v", after))
+}
+
+func (s *DockerSuite) TestSaveSingleTag(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	repoName := "foobar-save-single-tag-test"
+	dockerCmd(c, "tag", "busybox:latest", fmt.Sprintf("%v:latest", repoName))
+
+	out, _ := dockerCmd(c, "images", "-q", "--no-trunc", repoName)
+	cleanedImageID := strings.TrimSpace(out)
+
+	out, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "save", fmt.Sprintf("%v:latest", repoName)),
+		exec.Command("tar", "t"),
+		exec.Command("grep", "-E", fmt.Sprintf("(^repositories$|%v)", cleanedImageID)))
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save repo with image ID and 'repositories' file: %s, %v", out, err))
+}
+
+func (s *DockerSuite) TestSaveCheckTimes(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	repoName := "busybox:latest"
+	out, _ := dockerCmd(c, "inspect", repoName)
+	var data []struct {
+		ID      string
+		Created time.Time
+	}
+	err := json.Unmarshal([]byte(out), &data)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to marshal from %q: err %v", repoName, err))
+	c.Assert(len(data), checker.Not(checker.Equals), 0, check.Commentf("failed to marshal the data from %q", repoName))
+	tarTvTimeFormat := "2006-01-02 15:04"
+	out, err = RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "save", repoName),
+		exec.Command("tar", "tv"),
+		exec.Command("grep", "-E", fmt.Sprintf("%s %s", data[0].Created.Format(tarTvTimeFormat), digest.Digest(data[0].ID).Hex())))
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save repo with image ID and 'repositories' file: %s, %v", out, err))
+}
+
+func (s *DockerSuite) TestSaveImageId(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	repoName := "foobar-save-image-id-test"
+	dockerCmd(c, "tag", "emptyfs:latest", fmt.Sprintf("%v:latest", repoName))
+
+	out, _ := dockerCmd(c, "images", "-q", "--no-trunc", repoName)
+	cleanedLongImageID := strings.TrimPrefix(strings.TrimSpace(out), "sha256:")
+
+	out, _ = dockerCmd(c, "images", "-q", repoName)
+	cleanedShortImageID := strings.TrimSpace(out)
+
+	// Make sure IDs are not empty
+	c.Assert(cleanedLongImageID, checker.Not(check.Equals), "", check.Commentf("Id should not be empty."))
+	c.Assert(cleanedShortImageID, checker.Not(check.Equals), "", check.Commentf("Id should not be empty."))
+
+	saveCmd := exec.Command(dockerBinary, "save", cleanedShortImageID)
+	tarCmd := exec.Command("tar", "t")
+
+	var err error
+	tarCmd.Stdin, err = saveCmd.StdoutPipe()
+	c.Assert(err, checker.IsNil, check.Commentf("cannot set stdout pipe for tar: %v", err))
+	grepCmd := exec.Command("grep", cleanedLongImageID)
+	grepCmd.Stdin, err = tarCmd.StdoutPipe()
+	c.Assert(err, checker.IsNil, check.Commentf("cannot set stdout pipe for grep: %v", err))
+
+	c.Assert(tarCmd.Start(), checker.IsNil, check.Commentf("tar failed with error: %v", err))
+	c.Assert(saveCmd.Start(), checker.IsNil, check.Commentf("docker save failed with error: %v", err))
+	defer func() {
+		saveCmd.Wait()
+		tarCmd.Wait()
+		dockerCmd(c, "rmi", repoName)
+	}()
+
+	out, _, err = runCommandWithOutput(grepCmd)
+
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save repo with image ID: %s, %v", out, err))
+}
+
+// save a repo and try to load it using flags
+func (s *DockerSuite) TestSaveAndLoadRepoFlags(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	name := "test-save-and-load-repo-flags"
+	dockerCmd(c, "run", "--name", name, "busybox", "true")
+
+	repoName := "foobar-save-load-test"
+
+	deleteImages(repoName)
+	dockerCmd(c, "commit", name, repoName)
+
+	before, _ := dockerCmd(c, "inspect", repoName)
+
+	out, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "save", repoName),
+		exec.Command(dockerBinary, "load"))
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save and load repo: %s, %v", out, err))
+
+	after, _ := dockerCmd(c, "inspect", repoName)
+	c.Assert(before, checker.Equals, after, check.Commentf("inspect is not the same after a save / load"))
+}
+
+func (s *DockerSuite) TestSaveWithNoExistImage(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	imgName := "foobar-non-existing-image"
+
+	out, _, err := dockerCmdWithError("save", "-o", "test-img.tar", imgName)
+	c.Assert(err, checker.NotNil, check.Commentf("save image should fail for non-existing image"))
+	c.Assert(out, checker.Contains, fmt.Sprintf("No such image: %s", imgName))
+}
+
+func (s *DockerSuite) TestSaveMultipleNames(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	repoName := "foobar-save-multi-name-test"
+
+	// Make one image
+	dockerCmd(c, "tag", "emptyfs:latest", fmt.Sprintf("%v-one:latest", repoName))
+
+	// Make two images
+	dockerCmd(c, "tag", "emptyfs:latest", fmt.Sprintf("%v-two:latest", repoName))
+
+	out, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "save", fmt.Sprintf("%v-one", repoName), fmt.Sprintf("%v-two:latest", repoName)),
+		exec.Command("tar", "xO", "repositories"),
+		exec.Command("grep", "-q", "-E", "(-one|-two)"),
+	)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save multiple repos: %s, %v", out, err))
+}
+
+func (s *DockerSuite) TestSaveRepoWithMultipleImages(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	makeImage := func(from string, tag string) string {
+		var (
+			out string
+		)
+		out, _ = dockerCmd(c, "run", "-d", from, "true")
+		cleanedContainerID := strings.TrimSpace(out)
+
+		out, _ = dockerCmd(c, "commit", cleanedContainerID, tag)
+		imageID := strings.TrimSpace(out)
+		return imageID
+	}
+
+	repoName := "foobar-save-multi-images-test"
+	tagFoo := repoName + ":foo"
+	tagBar := repoName + ":bar"
+
+	idFoo := makeImage("busybox:latest", tagFoo)
+	idBar := makeImage("busybox:latest", tagBar)
+
+	deleteImages(repoName)
+
+	// create the archive
+	out, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "save", repoName, "busybox:latest"),
+		exec.Command("tar", "t"))
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save multiple images: %s, %v", out, err))
+
+	lines := strings.Split(strings.TrimSpace(out), "\n")
+	var actual []string
+	for _, l := range lines {
+		if regexp.MustCompile("^[a-f0-9]{64}\\.json$").Match([]byte(l)) {
+			actual = append(actual, strings.TrimSuffix(l, ".json"))
+		}
+	}
+
+	// make the list of expected layers
+	out = inspectField(c, "busybox:latest", "Id")
+	expected := []string{strings.TrimSpace(out), idFoo, idBar}
+
+	// prefixes are not in tar
+	for i := range expected {
+		expected[i] = digest.Digest(expected[i]).Hex()
+	}
+
+	sort.Strings(actual)
+	sort.Strings(expected)
+	c.Assert(actual, checker.DeepEquals, expected, check.Commentf("archive does not contains the right layers: got %v, expected %v, output: %q", actual, expected, out))
+}
+
+// Issue #6722 #5892 ensure directories are included in changes
+func (s *DockerSuite) TestSaveDirectoryPermissions(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	layerEntries := []string{"opt/", "opt/a/", "opt/a/b/", "opt/a/b/c"}
+	layerEntriesAUFS := []string{"./", ".wh..wh.aufs", ".wh..wh.orph/", ".wh..wh.plnk/", "opt/", "opt/a/", "opt/a/b/", "opt/a/b/c"}
+
+	name := "save-directory-permissions"
+	tmpDir, err := ioutil.TempDir("", "save-layers-with-directories")
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create temporary directory: %s", err))
+	extractionDirectory := filepath.Join(tmpDir, "image-extraction-dir")
+	os.Mkdir(extractionDirectory, 0777)
+
+	defer os.RemoveAll(tmpDir)
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+	RUN adduser -D user && mkdir -p /opt/a/b && chown -R user:user /opt/a
+	RUN touch /opt/a/b/c && chown user:user /opt/a/b/c`))
+
+	out, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "save", name),
+		exec.Command("tar", "-xf", "-", "-C", extractionDirectory),
+	)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save and extract image: %s", out))
+
+	dirs, err := ioutil.ReadDir(extractionDirectory)
+	c.Assert(err, checker.IsNil, check.Commentf("failed to get a listing of the layer directories: %s", err))
+
+	found := false
+	for _, entry := range dirs {
+		var entriesSansDev []string
+		if entry.IsDir() {
+			layerPath := filepath.Join(extractionDirectory, entry.Name(), "layer.tar")
+
+			f, err := os.Open(layerPath)
+			c.Assert(err, checker.IsNil, check.Commentf("failed to open %s: %s", layerPath, err))
+			defer f.Close()
+
+			entries, err := listTar(f)
+			for _, e := range entries {
+				if !strings.Contains(e, "dev/") {
+					entriesSansDev = append(entriesSansDev, e)
+				}
+			}
+			c.Assert(err, checker.IsNil, check.Commentf("encountered error while listing tar entries: %s", err))
+
+			if reflect.DeepEqual(entriesSansDev, layerEntries) || reflect.DeepEqual(entriesSansDev, layerEntriesAUFS) {
+				found = true
+				break
+			}
+		}
+	}
+
+	c.Assert(found, checker.Equals, true, check.Commentf("failed to find the layer with the right content listing"))
+
+}
+
+func listTar(f io.Reader) ([]string, error) {
+	tr := tar.NewReader(f)
+	var entries []string
+
+	for {
+		th, err := tr.Next()
+		if err == io.EOF {
+			// end of tar archive
+			return entries, nil
+		}
+		if err != nil {
+			return entries, err
+		}
+		entries = append(entries, th.Name)
+	}
+}
+
+// Test loading a weird image where one of the layers is of zero size.
+// The layer.tar file is actually zero bytes, no padding or anything else.
+// See issue: 18170
+func (s *DockerSuite) TestLoadZeroSizeLayer(c *check.C) {
+	// this will definitely not work if using remote daemon
+	// very weird test
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+
+	dockerCmd(c, "load", "-i", "testdata/emptyLayer.tar")
+}
+
+func (s *DockerSuite) TestSaveLoadParents(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	makeImage := func(from string, addfile string) string {
+		var (
+			out string
+		)
+		out, _ = dockerCmd(c, "run", "-d", from, "touch", addfile)
+		cleanedContainerID := strings.TrimSpace(out)
+
+		out, _ = dockerCmd(c, "commit", cleanedContainerID)
+		imageID := strings.TrimSpace(out)
+
+		dockerCmd(c, "rm", "-f", cleanedContainerID)
+		return imageID
+	}
+
+	idFoo := makeImage("busybox", "foo")
+	idBar := makeImage(idFoo, "bar")
+
+	tmpDir, err := ioutil.TempDir("", "save-load-parents")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(tmpDir)
+
+	c.Log("tmpdir", tmpDir)
+
+	outfile := filepath.Join(tmpDir, "out.tar")
+
+	dockerCmd(c, "save", "-o", outfile, idBar, idFoo)
+	dockerCmd(c, "rmi", idBar)
+	dockerCmd(c, "load", "-i", outfile)
+
+	inspectOut := inspectField(c, idBar, "Parent")
+	c.Assert(inspectOut, checker.Equals, idFoo)
+
+	inspectOut = inspectField(c, idFoo, "Parent")
+	c.Assert(inspectOut, checker.Equals, "")
+}
+
+func (s *DockerSuite) TestSaveLoadNoTag(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	name := "saveloadnotag"
+
+	buildImageSuccessfully(c, name, build.WithDockerfile("FROM busybox\nENV foo=bar"))
+	id := inspectField(c, name, "Id")
+
+	// Test to make sure that save w/o name just shows imageID during load
+	out, err := RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "save", id),
+		exec.Command(dockerBinary, "load"))
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save and load repo: %s, %v", out, err))
+
+	// Should not show 'name' but should show the image ID during the load
+	c.Assert(out, checker.Not(checker.Contains), "Loaded image: ")
+	c.Assert(out, checker.Contains, "Loaded image ID:")
+	c.Assert(out, checker.Contains, id)
+
+	// Test to make sure that save by name shows that name during load
+	out, err = RunCommandPipelineWithOutput(
+		exec.Command(dockerBinary, "save", name),
+		exec.Command(dockerBinary, "load"))
+	c.Assert(err, checker.IsNil, check.Commentf("failed to save and load repo: %s, %v", out, err))
+	c.Assert(out, checker.Contains, "Loaded image: "+name+":latest")
+	c.Assert(out, checker.Not(checker.Contains), "Loaded image ID:")
+}
diff --git a/engine/integration-cli/docker_cli_save_load_unix_test.go b/engine/integration-cli/docker_cli_save_load_unix_test.go
new file mode 100644
index 00000000..da520e41
--- /dev/null
+++ b/engine/integration-cli/docker_cli_save_load_unix_test.go
@@ -0,0 +1,107 @@
+// +build !windows
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+	"github.com/kr/pty"
+	"gotest.tools/icmd"
+)
+
+// save a repo and try to load it using stdout
+func (s *DockerSuite) TestSaveAndLoadRepoStdout(c *check.C) {
+	name := "test-save-and-load-repo-stdout"
+	dockerCmd(c, "run", "--name", name, "busybox", "true")
+
+	repoName := "foobar-save-load-test"
+	before, _ := dockerCmd(c, "commit", name, repoName)
+	before = strings.TrimRight(before, "\n")
+
+	tmpFile, err := ioutil.TempFile("", "foobar-save-load-test.tar")
+	c.Assert(err, check.IsNil)
+	defer os.Remove(tmpFile.Name())
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "save", repoName},
+		Stdout:  tmpFile,
+	}).Assert(c, icmd.Success)
+
+	tmpFile, err = os.Open(tmpFile.Name())
+	c.Assert(err, check.IsNil)
+	defer tmpFile.Close()
+
+	deleteImages(repoName)
+
+	icmd.RunCmd(icmd.Cmd{
+		Command: []string{dockerBinary, "load"},
+		Stdin:   tmpFile,
+	}).Assert(c, icmd.Success)
+
+	after := inspectField(c, repoName, "Id")
+	after = strings.TrimRight(after, "\n")
+
+	c.Assert(after, check.Equals, before) //inspect is not the same after a save / load
+
+	deleteImages(repoName)
+
+	pty, tty, err := pty.Open()
+	c.Assert(err, check.IsNil)
+	cmd := exec.Command(dockerBinary, "save", repoName)
+	cmd.Stdin = tty
+	cmd.Stdout = tty
+	cmd.Stderr = tty
+	c.Assert(cmd.Start(), check.IsNil)
+	c.Assert(cmd.Wait(), check.NotNil) //did not break writing to a TTY
+
+	buf := make([]byte, 1024)
+
+	n, err := pty.Read(buf)
+	c.Assert(err, check.IsNil) //could not read tty output
+	c.Assert(string(buf[:n]), checker.Contains, "cowardly refusing", check.Commentf("help output is not being yielded"))
+}
+
+func (s *DockerSuite) TestSaveAndLoadWithProgressBar(c *check.C) {
+	name := "test-load"
+	buildImageSuccessfully(c, name, build.WithDockerfile(`FROM busybox
+	RUN touch aa
+	`))
+
+	tmptar := name + ".tar"
+	dockerCmd(c, "save", "-o", tmptar, name)
+	defer os.Remove(tmptar)
+
+	dockerCmd(c, "rmi", name)
+	dockerCmd(c, "tag", "busybox", name)
+	out, _ := dockerCmd(c, "load", "-i", tmptar)
+	expected := fmt.Sprintf("The image %s:latest already exists, renaming the old one with ID", name)
+	c.Assert(out, checker.Contains, expected)
+}
+
+// fail because load didn't receive data from stdin
+func (s *DockerSuite) TestLoadNoStdinFail(c *check.C) {
+	pty, tty, err := pty.Open()
+	c.Assert(err, check.IsNil)
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	cmd := exec.CommandContext(ctx, dockerBinary, "load")
+	cmd.Stdin = tty
+	cmd.Stdout = tty
+	cmd.Stderr = tty
+	c.Assert(cmd.Run(), check.NotNil) // docker-load should fail
+
+	buf := make([]byte, 1024)
+
+	n, err := pty.Read(buf)
+	c.Assert(err, check.IsNil) //could not read tty output
+	c.Assert(string(buf[:n]), checker.Contains, "requested load from stdin, but stdin is empty")
+}
diff --git a/engine/integration-cli/docker_cli_search_test.go b/engine/integration-cli/docker_cli_search_test.go
new file mode 100644
index 00000000..2c3312d9
--- /dev/null
+++ b/engine/integration-cli/docker_cli_search_test.go
@@ -0,0 +1,131 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+// search for repos named  "registry" on the central registry
+func (s *DockerSuite) TestSearchOnCentralRegistry(c *check.C) {
+	testRequires(c, Network, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "search", "busybox")
+	c.Assert(out, checker.Contains, "Busybox base image.", check.Commentf("couldn't find any repository named (or containing) 'Busybox base image.'"))
+}
+
+func (s *DockerSuite) TestSearchStarsOptionWithWrongParameter(c *check.C) {
+	out, _, err := dockerCmdWithError("search", "--filter", "stars=a", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "Invalid filter", check.Commentf("couldn't find the invalid filter warning"))
+
+	out, _, err = dockerCmdWithError("search", "-f", "stars=a", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "Invalid filter", check.Commentf("couldn't find the invalid filter warning"))
+
+	out, _, err = dockerCmdWithError("search", "-f", "is-automated=a", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "Invalid filter", check.Commentf("couldn't find the invalid filter warning"))
+
+	out, _, err = dockerCmdWithError("search", "-f", "is-official=a", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "Invalid filter", check.Commentf("couldn't find the invalid filter warning"))
+
+	// -s --stars deprecated since Docker 1.13
+	out, _, err = dockerCmdWithError("search", "--stars=a", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "invalid syntax", check.Commentf("couldn't find the invalid value warning"))
+
+	// -s --stars deprecated since Docker 1.13
+	out, _, err = dockerCmdWithError("search", "-s=-1", "busybox")
+	c.Assert(err, check.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "invalid syntax", check.Commentf("couldn't find the invalid value warning"))
+}
+
+func (s *DockerSuite) TestSearchCmdOptions(c *check.C) {
+	testRequires(c, Network, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "search", "--help")
+	c.Assert(out, checker.Contains, "Usage:\tdocker search [OPTIONS] TERM")
+
+	outSearchCmd, _ := dockerCmd(c, "search", "busybox")
+	outSearchCmdNotrunc, _ := dockerCmd(c, "search", "--no-trunc=true", "busybox")
+
+	c.Assert(len(outSearchCmd) > len(outSearchCmdNotrunc), check.Equals, false, check.Commentf("The no-trunc option can't take effect."))
+
+	outSearchCmdautomated, _ := dockerCmd(c, "search", "--filter", "is-automated=true", "busybox") //The busybox is a busybox base image, not an AUTOMATED image.
+	outSearchCmdautomatedSlice := strings.Split(outSearchCmdautomated, "\n")
+	for i := range outSearchCmdautomatedSlice {
+		c.Assert(strings.HasPrefix(outSearchCmdautomatedSlice[i], "busybox "), check.Equals, false, check.Commentf("The busybox is not an AUTOMATED image: %s", outSearchCmdautomated))
+	}
+
+	outSearchCmdNotOfficial, _ := dockerCmd(c, "search", "--filter", "is-official=false", "busybox") //The busybox is a busybox base image, official image.
+	outSearchCmdNotOfficialSlice := strings.Split(outSearchCmdNotOfficial, "\n")
+	for i := range outSearchCmdNotOfficialSlice {
+		c.Assert(strings.HasPrefix(outSearchCmdNotOfficialSlice[i], "busybox "), check.Equals, false, check.Commentf("The busybox is not an OFFICIAL image: %s", outSearchCmdNotOfficial))
+	}
+
+	outSearchCmdOfficial, _ := dockerCmd(c, "search", "--filter", "is-official=true", "busybox") //The busybox is a busybox base image, official image.
+	outSearchCmdOfficialSlice := strings.Split(outSearchCmdOfficial, "\n")
+	c.Assert(outSearchCmdOfficialSlice, checker.HasLen, 3) // 1 header, 1 line, 1 carriage return
+	c.Assert(strings.HasPrefix(outSearchCmdOfficialSlice[1], "busybox "), check.Equals, true, check.Commentf("The busybox is an OFFICIAL image: %s", outSearchCmdNotOfficial))
+
+	outSearchCmdStars, _ := dockerCmd(c, "search", "--filter", "stars=2", "busybox")
+	c.Assert(strings.Count(outSearchCmdStars, "[OK]") > strings.Count(outSearchCmd, "[OK]"), check.Equals, false, check.Commentf("The quantity of images with stars should be less than that of all images: %s", outSearchCmdStars))
+
+	dockerCmd(c, "search", "--filter", "is-automated=true", "--filter", "stars=2", "--no-trunc=true", "busybox")
+
+	// --automated deprecated since Docker 1.13
+	outSearchCmdautomated1, _ := dockerCmd(c, "search", "--automated=true", "busybox") //The busybox is a busybox base image, not an AUTOMATED image.
+	outSearchCmdautomatedSlice1 := strings.Split(outSearchCmdautomated1, "\n")
+	for i := range outSearchCmdautomatedSlice1 {
+		c.Assert(strings.HasPrefix(outSearchCmdautomatedSlice1[i], "busybox "), check.Equals, false, check.Commentf("The busybox is not an AUTOMATED image: %s", outSearchCmdautomated))
+	}
+
+	// -s --stars deprecated since Docker 1.13
+	outSearchCmdStars1, _ := dockerCmd(c, "search", "--stars=2", "busybox")
+	c.Assert(strings.Count(outSearchCmdStars1, "[OK]") > strings.Count(outSearchCmd, "[OK]"), check.Equals, false, check.Commentf("The quantity of images with stars should be less than that of all images: %s", outSearchCmdStars1))
+
+	// -s --stars deprecated since Docker 1.13
+	dockerCmd(c, "search", "--stars=2", "--automated=true", "--no-trunc=true", "busybox")
+}
+
+// search for repos which start with "ubuntu-" on the central registry
+func (s *DockerSuite) TestSearchOnCentralRegistryWithDash(c *check.C) {
+	testRequires(c, Network, DaemonIsLinux)
+
+	dockerCmd(c, "search", "ubuntu-")
+}
+
+// test case for #23055
+func (s *DockerSuite) TestSearchWithLimit(c *check.C) {
+	testRequires(c, Network, DaemonIsLinux)
+
+	limit := 10
+	out, _, err := dockerCmdWithError("search", fmt.Sprintf("--limit=%d", limit), "docker")
+	c.Assert(err, checker.IsNil)
+	outSlice := strings.Split(out, "\n")
+	c.Assert(outSlice, checker.HasLen, limit+2) // 1 header, 1 carriage return
+
+	limit = 50
+	out, _, err = dockerCmdWithError("search", fmt.Sprintf("--limit=%d", limit), "docker")
+	c.Assert(err, checker.IsNil)
+	outSlice = strings.Split(out, "\n")
+	c.Assert(outSlice, checker.HasLen, limit+2) // 1 header, 1 carriage return
+
+	limit = 100
+	out, _, err = dockerCmdWithError("search", fmt.Sprintf("--limit=%d", limit), "docker")
+	c.Assert(err, checker.IsNil)
+	outSlice = strings.Split(out, "\n")
+	c.Assert(outSlice, checker.HasLen, limit+2) // 1 header, 1 carriage return
+
+	limit = 0
+	_, _, err = dockerCmdWithError("search", fmt.Sprintf("--limit=%d", limit), "docker")
+	c.Assert(err, checker.Not(checker.IsNil))
+
+	limit = 200
+	_, _, err = dockerCmdWithError("search", fmt.Sprintf("--limit=%d", limit), "docker")
+	c.Assert(err, checker.Not(checker.IsNil))
+}
diff --git a/engine/integration-cli/docker_cli_secret_create_test.go b/engine/integration-cli/docker_cli_secret_create_test.go
new file mode 100644
index 00000000..a807e4e7
--- /dev/null
+++ b/engine/integration-cli/docker_cli_secret_create_test.go
@@ -0,0 +1,92 @@
+// +build !windows
+
+package main
+
+import (
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+// Test case for 28884
+func (s *DockerSwarmSuite) TestSecretCreateResolve(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "test_secret"
+	id := d.CreateSecret(c, swarm.SecretSpec{
+		Annotations: swarm.Annotations{
+			Name: name,
+		},
+		Data: []byte("foo"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("secrets: %s", id))
+
+	fake := d.CreateSecret(c, swarm.SecretSpec{
+		Annotations: swarm.Annotations{
+			Name: id,
+		},
+		Data: []byte("fake foo"),
+	})
+	c.Assert(fake, checker.Not(checker.Equals), "", check.Commentf("secrets: %s", fake))
+
+	out, err := d.Cmd("secret", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+	c.Assert(out, checker.Contains, fake)
+
+	out, err = d.Cmd("secret", "rm", id)
+	c.Assert(out, checker.Contains, id)
+
+	// Fake one will remain
+	out, err = d.Cmd("secret", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name)
+	c.Assert(out, checker.Contains, fake)
+
+	// Remove based on name prefix of the fake one
+	// (which is the same as the ID of foo one) should not work
+	// as search is only done based on:
+	// - Full ID
+	// - Full Name
+	// - Partial ID (prefix)
+	out, err = d.Cmd("secret", "rm", id[:5])
+	c.Assert(out, checker.Not(checker.Contains), id)
+	out, err = d.Cmd("secret", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name)
+	c.Assert(out, checker.Contains, fake)
+
+	// Remove based on ID prefix of the fake one should succeed
+	out, err = d.Cmd("secret", "rm", fake[:5])
+	c.Assert(out, checker.Contains, fake[:5])
+	out, err = d.Cmd("secret", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name)
+	c.Assert(out, checker.Not(checker.Contains), id)
+	c.Assert(out, checker.Not(checker.Contains), fake)
+}
+
+func (s *DockerSwarmSuite) TestSecretCreateWithFile(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	testFile, err := ioutil.TempFile("", "secretCreateTest")
+	c.Assert(err, checker.IsNil, check.Commentf("failed to create temporary file"))
+	defer os.Remove(testFile.Name())
+
+	testData := "TESTINGDATA"
+	_, err = testFile.Write([]byte(testData))
+	c.Assert(err, checker.IsNil, check.Commentf("failed to write to temporary file"))
+
+	testName := "test_secret"
+	out, err := d.Cmd("secret", "create", testName, testFile.Name())
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "", check.Commentf(out))
+
+	id := strings.TrimSpace(out)
+	secret := d.GetSecret(c, id)
+	c.Assert(secret.Spec.Name, checker.Equals, testName)
+}
diff --git a/engine/integration-cli/docker_cli_service_create_test.go b/engine/integration-cli/docker_cli_service_create_test.go
new file mode 100644
index 00000000..d690b7e4
--- /dev/null
+++ b/engine/integration-cli/docker_cli_service_create_test.go
@@ -0,0 +1,447 @@
+// +build !windows
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSwarmSuite) TestServiceCreateMountVolume(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	out, err := d.Cmd("service", "create", "--no-resolve-image", "--detach=true", "--mount", "type=volume,source=foo,target=/foo,volume-nocopy", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	id := strings.TrimSpace(out)
+
+	var tasks []swarm.Task
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks = d.GetServiceTasks(c, id)
+		return len(tasks) > 0, nil
+	}, checker.Equals, true)
+
+	task := tasks[0]
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		if task.NodeID == "" || task.Status.ContainerStatus == nil {
+			task = d.GetTask(c, task.ID)
+		}
+		return task.NodeID != "" && task.Status.ContainerStatus != nil, nil
+	}, checker.Equals, true)
+
+	// check container mount config
+	out, err = s.nodeCmd(c, task.NodeID, "inspect", "--format", "{{json .HostConfig.Mounts}}", task.Status.ContainerStatus.ContainerID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	var mountConfig []mount.Mount
+	c.Assert(json.Unmarshal([]byte(out), &mountConfig), checker.IsNil)
+	c.Assert(mountConfig, checker.HasLen, 1)
+
+	c.Assert(mountConfig[0].Source, checker.Equals, "foo")
+	c.Assert(mountConfig[0].Target, checker.Equals, "/foo")
+	c.Assert(mountConfig[0].Type, checker.Equals, mount.TypeVolume)
+	c.Assert(mountConfig[0].VolumeOptions, checker.NotNil)
+	c.Assert(mountConfig[0].VolumeOptions.NoCopy, checker.True)
+
+	// check container mounts actual
+	out, err = s.nodeCmd(c, task.NodeID, "inspect", "--format", "{{json .Mounts}}", task.Status.ContainerStatus.ContainerID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	var mounts []types.MountPoint
+	c.Assert(json.Unmarshal([]byte(out), &mounts), checker.IsNil)
+	c.Assert(mounts, checker.HasLen, 1)
+
+	c.Assert(mounts[0].Type, checker.Equals, mount.TypeVolume)
+	c.Assert(mounts[0].Name, checker.Equals, "foo")
+	c.Assert(mounts[0].Destination, checker.Equals, "/foo")
+	c.Assert(mounts[0].RW, checker.Equals, true)
+}
+
+func (s *DockerSwarmSuite) TestServiceCreateWithSecretSimple(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	serviceName := "test-service-secret"
+	testName := "test_secret"
+	id := d.CreateSecret(c, swarm.SecretSpec{
+		Annotations: swarm.Annotations{
+			Name: testName,
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("secrets: %s", id))
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", serviceName, "--secret", testName, "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Secrets }}", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	var refs []swarm.SecretReference
+	c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
+	c.Assert(refs, checker.HasLen, 1)
+
+	c.Assert(refs[0].SecretName, checker.Equals, testName)
+	c.Assert(refs[0].File, checker.Not(checker.IsNil))
+	c.Assert(refs[0].File.Name, checker.Equals, testName)
+	c.Assert(refs[0].File.UID, checker.Equals, "0")
+	c.Assert(refs[0].File.GID, checker.Equals, "0")
+
+	out, err = d.Cmd("service", "rm", serviceName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	d.DeleteSecret(c, testName)
+}
+
+func (s *DockerSwarmSuite) TestServiceCreateWithSecretSourceTargetPaths(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	testPaths := map[string]string{
+		"app":                  "/etc/secret",
+		"test_secret":          "test_secret",
+		"relative_secret":      "relative/secret",
+		"escapes_in_container": "../secret",
+	}
+
+	var secretFlags []string
+
+	for testName, testTarget := range testPaths {
+		id := d.CreateSecret(c, swarm.SecretSpec{
+			Annotations: swarm.Annotations{
+				Name: testName,
+			},
+			Data: []byte("TESTINGDATA " + testName + " " + testTarget),
+		})
+		c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("secrets: %s", id))
+
+		secretFlags = append(secretFlags, "--secret", fmt.Sprintf("source=%s,target=%s", testName, testTarget))
+	}
+
+	serviceName := "svc"
+	serviceCmd := []string{"service", "create", "--detach", "--no-resolve-image", "--name", serviceName}
+	serviceCmd = append(serviceCmd, secretFlags...)
+	serviceCmd = append(serviceCmd, "busybox", "top")
+	out, err := d.Cmd(serviceCmd...)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Secrets }}", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	var refs []swarm.SecretReference
+	c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
+	c.Assert(refs, checker.HasLen, len(testPaths))
+
+	var tasks []swarm.Task
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks = d.GetServiceTasks(c, serviceName)
+		return len(tasks) > 0, nil
+	}, checker.Equals, true)
+
+	task := tasks[0]
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		if task.NodeID == "" || task.Status.ContainerStatus == nil {
+			task = d.GetTask(c, task.ID)
+		}
+		return task.NodeID != "" && task.Status.ContainerStatus != nil, nil
+	}, checker.Equals, true)
+
+	for testName, testTarget := range testPaths {
+		path := testTarget
+		if !filepath.IsAbs(path) {
+			path = filepath.Join("/run/secrets", path)
+		}
+		out, err := d.Cmd("exec", task.Status.ContainerStatus.ContainerID, "cat", path)
+		c.Assert(err, checker.IsNil)
+		c.Assert(out, checker.Equals, "TESTINGDATA "+testName+" "+testTarget)
+	}
+
+	out, err = d.Cmd("service", "rm", serviceName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+}
+
+func (s *DockerSwarmSuite) TestServiceCreateWithSecretReferencedTwice(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	id := d.CreateSecret(c, swarm.SecretSpec{
+		Annotations: swarm.Annotations{
+			Name: "mysecret",
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("secrets: %s", id))
+
+	serviceName := "svc"
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", serviceName, "--secret", "source=mysecret,target=target1", "--secret", "source=mysecret,target=target2", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Secrets }}", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	var refs []swarm.SecretReference
+	c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
+	c.Assert(refs, checker.HasLen, 2)
+
+	var tasks []swarm.Task
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks = d.GetServiceTasks(c, serviceName)
+		return len(tasks) > 0, nil
+	}, checker.Equals, true)
+
+	task := tasks[0]
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		if task.NodeID == "" || task.Status.ContainerStatus == nil {
+			task = d.GetTask(c, task.ID)
+		}
+		return task.NodeID != "" && task.Status.ContainerStatus != nil, nil
+	}, checker.Equals, true)
+
+	for _, target := range []string{"target1", "target2"} {
+		c.Assert(err, checker.IsNil, check.Commentf(out))
+		path := filepath.Join("/run/secrets", target)
+		out, err := d.Cmd("exec", task.Status.ContainerStatus.ContainerID, "cat", path)
+		c.Assert(err, checker.IsNil)
+		c.Assert(out, checker.Equals, "TESTINGDATA")
+	}
+
+	out, err = d.Cmd("service", "rm", serviceName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+}
+
+func (s *DockerSwarmSuite) TestServiceCreateWithConfigSimple(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	serviceName := "test-service-config"
+	testName := "test_config"
+	id := d.CreateConfig(c, swarm.ConfigSpec{
+		Annotations: swarm.Annotations{
+			Name: testName,
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("configs: %s", id))
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", serviceName, "--config", testName, "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Configs }}", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	var refs []swarm.ConfigReference
+	c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
+	c.Assert(refs, checker.HasLen, 1)
+
+	c.Assert(refs[0].ConfigName, checker.Equals, testName)
+	c.Assert(refs[0].File, checker.Not(checker.IsNil))
+	c.Assert(refs[0].File.Name, checker.Equals, testName)
+	c.Assert(refs[0].File.UID, checker.Equals, "0")
+	c.Assert(refs[0].File.GID, checker.Equals, "0")
+
+	out, err = d.Cmd("service", "rm", serviceName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	d.DeleteConfig(c, testName)
+}
+
+func (s *DockerSwarmSuite) TestServiceCreateWithConfigSourceTargetPaths(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	testPaths := map[string]string{
+		"app":             "/etc/config",
+		"test_config":     "test_config",
+		"relative_config": "relative/config",
+	}
+
+	var configFlags []string
+
+	for testName, testTarget := range testPaths {
+		id := d.CreateConfig(c, swarm.ConfigSpec{
+			Annotations: swarm.Annotations{
+				Name: testName,
+			},
+			Data: []byte("TESTINGDATA " + testName + " " + testTarget),
+		})
+		c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("configs: %s", id))
+
+		configFlags = append(configFlags, "--config", fmt.Sprintf("source=%s,target=%s", testName, testTarget))
+	}
+
+	serviceName := "svc"
+	serviceCmd := []string{"service", "create", "--detach", "--no-resolve-image", "--name", serviceName}
+	serviceCmd = append(serviceCmd, configFlags...)
+	serviceCmd = append(serviceCmd, "busybox", "top")
+	out, err := d.Cmd(serviceCmd...)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Configs }}", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	var refs []swarm.ConfigReference
+	c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
+	c.Assert(refs, checker.HasLen, len(testPaths))
+
+	var tasks []swarm.Task
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks = d.GetServiceTasks(c, serviceName)
+		return len(tasks) > 0, nil
+	}, checker.Equals, true)
+
+	task := tasks[0]
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		if task.NodeID == "" || task.Status.ContainerStatus == nil {
+			task = d.GetTask(c, task.ID)
+		}
+		return task.NodeID != "" && task.Status.ContainerStatus != nil, nil
+	}, checker.Equals, true)
+
+	for testName, testTarget := range testPaths {
+		path := testTarget
+		if !filepath.IsAbs(path) {
+			path = filepath.Join("/", path)
+		}
+		out, err := d.Cmd("exec", task.Status.ContainerStatus.ContainerID, "cat", path)
+		c.Assert(err, checker.IsNil)
+		c.Assert(out, checker.Equals, "TESTINGDATA "+testName+" "+testTarget)
+	}
+
+	out, err = d.Cmd("service", "rm", serviceName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+}
+
+func (s *DockerSwarmSuite) TestServiceCreateWithConfigReferencedTwice(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	id := d.CreateConfig(c, swarm.ConfigSpec{
+		Annotations: swarm.Annotations{
+			Name: "myconfig",
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("configs: %s", id))
+
+	serviceName := "svc"
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", serviceName, "--config", "source=myconfig,target=target1", "--config", "source=myconfig,target=target2", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Configs }}", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	var refs []swarm.ConfigReference
+	c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
+	c.Assert(refs, checker.HasLen, 2)
+
+	var tasks []swarm.Task
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks = d.GetServiceTasks(c, serviceName)
+		return len(tasks) > 0, nil
+	}, checker.Equals, true)
+
+	task := tasks[0]
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		if task.NodeID == "" || task.Status.ContainerStatus == nil {
+			task = d.GetTask(c, task.ID)
+		}
+		return task.NodeID != "" && task.Status.ContainerStatus != nil, nil
+	}, checker.Equals, true)
+
+	for _, target := range []string{"target1", "target2"} {
+		c.Assert(err, checker.IsNil, check.Commentf(out))
+		path := filepath.Join("/", target)
+		out, err := d.Cmd("exec", task.Status.ContainerStatus.ContainerID, "cat", path)
+		c.Assert(err, checker.IsNil)
+		c.Assert(out, checker.Equals, "TESTINGDATA")
+	}
+
+	out, err = d.Cmd("service", "rm", serviceName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+}
+
+func (s *DockerSwarmSuite) TestServiceCreateMountTmpfs(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	out, err := d.Cmd("service", "create", "--no-resolve-image", "--detach=true", "--mount", "type=tmpfs,target=/foo,tmpfs-size=1MB", "busybox", "sh", "-c", "mount | grep foo; tail -f /dev/null")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	id := strings.TrimSpace(out)
+
+	var tasks []swarm.Task
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks = d.GetServiceTasks(c, id)
+		return len(tasks) > 0, nil
+	}, checker.Equals, true)
+
+	task := tasks[0]
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		if task.NodeID == "" || task.Status.ContainerStatus == nil {
+			task = d.GetTask(c, task.ID)
+		}
+		return task.NodeID != "" && task.Status.ContainerStatus != nil, nil
+	}, checker.Equals, true)
+
+	// check container mount config
+	out, err = s.nodeCmd(c, task.NodeID, "inspect", "--format", "{{json .HostConfig.Mounts}}", task.Status.ContainerStatus.ContainerID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	var mountConfig []mount.Mount
+	c.Assert(json.Unmarshal([]byte(out), &mountConfig), checker.IsNil)
+	c.Assert(mountConfig, checker.HasLen, 1)
+
+	c.Assert(mountConfig[0].Source, checker.Equals, "")
+	c.Assert(mountConfig[0].Target, checker.Equals, "/foo")
+	c.Assert(mountConfig[0].Type, checker.Equals, mount.TypeTmpfs)
+	c.Assert(mountConfig[0].TmpfsOptions, checker.NotNil)
+	c.Assert(mountConfig[0].TmpfsOptions.SizeBytes, checker.Equals, int64(1048576))
+
+	// check container mounts actual
+	out, err = s.nodeCmd(c, task.NodeID, "inspect", "--format", "{{json .Mounts}}", task.Status.ContainerStatus.ContainerID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	var mounts []types.MountPoint
+	c.Assert(json.Unmarshal([]byte(out), &mounts), checker.IsNil)
+	c.Assert(mounts, checker.HasLen, 1)
+
+	c.Assert(mounts[0].Type, checker.Equals, mount.TypeTmpfs)
+	c.Assert(mounts[0].Name, checker.Equals, "")
+	c.Assert(mounts[0].Destination, checker.Equals, "/foo")
+	c.Assert(mounts[0].RW, checker.Equals, true)
+
+	out, err = s.nodeCmd(c, task.NodeID, "logs", task.Status.ContainerStatus.ContainerID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.HasPrefix, "tmpfs on /foo type tmpfs")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "size=1024k")
+}
+
+func (s *DockerSwarmSuite) TestServiceCreateWithNetworkAlias(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	out, err := d.Cmd("network", "create", "--scope=swarm", "test_swarm_br")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "create", "--no-resolve-image", "--detach=true", "--network=name=test_swarm_br,alias=srv_alias", "--name=alias_tst_container", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	id := strings.TrimSpace(out)
+
+	var tasks []swarm.Task
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks = d.GetServiceTasks(c, id)
+		return len(tasks) > 0, nil
+	}, checker.Equals, true)
+
+	task := tasks[0]
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		if task.NodeID == "" || task.Status.ContainerStatus == nil {
+			task = d.GetTask(c, task.ID)
+		}
+		return task.NodeID != "" && task.Status.ContainerStatus != nil, nil
+	}, checker.Equals, true)
+
+	// check container alias config
+	out, err = s.nodeCmd(c, task.NodeID, "inspect", "--format", "{{json .NetworkSettings.Networks.test_swarm_br.Aliases}}", task.Status.ContainerStatus.ContainerID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// Make sure the only alias seen is the container-id
+	var aliases []string
+	c.Assert(json.Unmarshal([]byte(out), &aliases), checker.IsNil)
+	c.Assert(aliases, checker.HasLen, 1)
+
+	c.Assert(task.Status.ContainerStatus.ContainerID, checker.Contains, aliases[0])
+}
diff --git a/engine/integration-cli/docker_cli_service_health_test.go b/engine/integration-cli/docker_cli_service_health_test.go
new file mode 100644
index 00000000..ae9e7868
--- /dev/null
+++ b/engine/integration-cli/docker_cli_service_health_test.go
@@ -0,0 +1,136 @@
+// +build !windows
+
+package main
+
+import (
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/daemon/cluster/executor/container"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+// start a service, and then make its task unhealthy during running
+// finally, unhealthy task should be detected and killed
+func (s *DockerSwarmSuite) TestServiceHealthRun(c *check.C) {
+	testRequires(c, DaemonIsLinux) // busybox doesn't work on Windows
+
+	d := s.AddDaemon(c, true, true)
+
+	// build image with health-check
+	imageName := "testhealth"
+	result := cli.BuildCmd(c, imageName, cli.Daemon(d),
+		build.WithDockerfile(`FROM busybox
+		RUN touch /status
+		HEALTHCHECK --interval=1s --timeout=1s --retries=1\
+		  CMD cat /status`),
+	)
+	result.Assert(c, icmd.Success)
+
+	serviceName := "healthServiceRun"
+	out, err := d.Cmd("service", "create", "--no-resolve-image", "--detach=true", "--name", serviceName, imageName, "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	id := strings.TrimSpace(out)
+
+	var tasks []swarm.Task
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks = d.GetServiceTasks(c, id)
+		return tasks, nil
+	}, checker.HasLen, 1)
+
+	task := tasks[0]
+
+	// wait for task to start
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		task = d.GetTask(c, task.ID)
+		return task.Status.State, nil
+	}, checker.Equals, swarm.TaskStateRunning)
+	containerID := task.Status.ContainerStatus.ContainerID
+
+	// wait for container to be healthy
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		out, _ := d.Cmd("inspect", "--format={{.State.Health.Status}}", containerID)
+		return strings.TrimSpace(out), nil
+	}, checker.Equals, "healthy")
+
+	// make it fail
+	d.Cmd("exec", containerID, "rm", "/status")
+	// wait for container to be unhealthy
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		out, _ := d.Cmd("inspect", "--format={{.State.Health.Status}}", containerID)
+		return strings.TrimSpace(out), nil
+	}, checker.Equals, "unhealthy")
+
+	// Task should be terminated
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		task = d.GetTask(c, task.ID)
+		return task.Status.State, nil
+	}, checker.Equals, swarm.TaskStateFailed)
+
+	if !strings.Contains(task.Status.Err, container.ErrContainerUnhealthy.Error()) {
+		c.Fatal("unhealthy task exits because of other error")
+	}
+}
+
+// start a service whose task is unhealthy at beginning
+// its tasks should be blocked in starting stage, until health check is passed
+func (s *DockerSwarmSuite) TestServiceHealthStart(c *check.C) {
+	testRequires(c, DaemonIsLinux) // busybox doesn't work on Windows
+
+	d := s.AddDaemon(c, true, true)
+
+	// service started from this image won't pass health check
+	imageName := "testhealth"
+	result := cli.BuildCmd(c, imageName, cli.Daemon(d),
+		build.WithDockerfile(`FROM busybox
+		HEALTHCHECK --interval=1s --timeout=1s --retries=1024\
+		  CMD cat /status`),
+	)
+	result.Assert(c, icmd.Success)
+
+	serviceName := "healthServiceStart"
+	out, err := d.Cmd("service", "create", "--no-resolve-image", "--detach=true", "--name", serviceName, imageName, "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	id := strings.TrimSpace(out)
+
+	var tasks []swarm.Task
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		tasks = d.GetServiceTasks(c, id)
+		return tasks, nil
+	}, checker.HasLen, 1)
+
+	task := tasks[0]
+
+	// wait for task to start
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		task = d.GetTask(c, task.ID)
+		return task.Status.State, nil
+	}, checker.Equals, swarm.TaskStateStarting)
+
+	containerID := task.Status.ContainerStatus.ContainerID
+
+	// wait for health check to work
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		out, _ := d.Cmd("inspect", "--format={{.State.Health.FailingStreak}}", containerID)
+		failingStreak, _ := strconv.Atoi(strings.TrimSpace(out))
+		return failingStreak, nil
+	}, checker.GreaterThan, 0)
+
+	// task should be blocked at starting status
+	task = d.GetTask(c, task.ID)
+	c.Assert(task.Status.State, check.Equals, swarm.TaskStateStarting)
+
+	// make it healthy
+	d.Cmd("exec", containerID, "touch", "/status")
+
+	// Task should be at running status
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		task = d.GetTask(c, task.ID)
+		return task.Status.State, nil
+	}, checker.Equals, swarm.TaskStateRunning)
+}
diff --git a/engine/integration-cli/docker_cli_service_logs_test.go b/engine/integration-cli/docker_cli_service_logs_test.go
new file mode 100644
index 00000000..ba337491
--- /dev/null
+++ b/engine/integration-cli/docker_cli_service_logs_test.go
@@ -0,0 +1,388 @@
+// +build !windows
+
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/daemon"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+type logMessage struct {
+	err  error
+	data []byte
+}
+
+func (s *DockerSwarmSuite) TestServiceLogs(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// we have multiple services here for detecting the goroutine issue #28915
+	services := map[string]string{
+		"TestServiceLogs1": "hello1",
+		"TestServiceLogs2": "hello2",
+	}
+
+	for name, message := range services {
+		out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "busybox",
+			"sh", "-c", fmt.Sprintf("echo %s; tail -f /dev/null", message))
+		c.Assert(err, checker.IsNil)
+		c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+	}
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout,
+		d.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{"busybox:latest": len(services)})
+
+	for name, message := range services {
+		out, err := d.Cmd("service", "logs", name)
+		c.Assert(err, checker.IsNil)
+		c.Logf("log for %q: %q", name, out)
+		c.Assert(out, checker.Contains, message)
+	}
+}
+
+// countLogLines returns a closure that can be used with waitAndAssert to
+// verify that a minimum number of expected container log messages have been
+// output.
+func countLogLines(d *daemon.Daemon, name string) func(*check.C) (interface{}, check.CommentInterface) {
+	return func(c *check.C) (interface{}, check.CommentInterface) {
+		result := icmd.RunCmd(d.Command("service", "logs", "-t", "--raw", name))
+		result.Assert(c, icmd.Expected{})
+		// if this returns an emptystring, trying to split it later will return
+		// an array containing emptystring. a valid log line will NEVER be
+		// emptystring because we ask for the timestamp.
+		if result.Stdout() == "" {
+			return 0, check.Commentf("Empty stdout")
+		}
+		lines := strings.Split(strings.TrimSpace(result.Stdout()), "\n")
+		return len(lines), check.Commentf("output, %q", string(result.Stdout()))
+	}
+}
+
+func (s *DockerSwarmSuite) TestServiceLogsCompleteness(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "TestServiceLogsCompleteness"
+
+	// make a service that prints 6 lines
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "busybox", "sh", "-c", "for line in $(seq 0 5); do echo log test $line; done; sleep 100000")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+	// and make sure we have all the log lines
+	waitAndAssert(c, defaultReconciliationTimeout, countLogLines(d, name), checker.Equals, 6)
+
+	out, err = d.Cmd("service", "logs", name)
+	c.Assert(err, checker.IsNil)
+	lines := strings.Split(strings.TrimSpace(out), "\n")
+
+	// i have heard anecdotal reports that logs may come back from the engine
+	// mis-ordered. if this tests fails, consider the possibility that that
+	// might be occurring
+	for i, line := range lines {
+		c.Assert(line, checker.Contains, fmt.Sprintf("log test %v", i))
+	}
+}
+
+func (s *DockerSwarmSuite) TestServiceLogsTail(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "TestServiceLogsTail"
+
+	// make a service that prints 6 lines
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "busybox", "sh", "-c", "for line in $(seq 1 6); do echo log test $line; done; sleep 100000")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+	waitAndAssert(c, defaultReconciliationTimeout, countLogLines(d, name), checker.Equals, 6)
+
+	out, err = d.Cmd("service", "logs", "--tail=2", name)
+	c.Assert(err, checker.IsNil)
+	lines := strings.Split(strings.TrimSpace(out), "\n")
+
+	for i, line := range lines {
+		// doing i+5 is hacky but not too fragile, it's good enough. if it flakes something else is wrong
+		c.Assert(line, checker.Contains, fmt.Sprintf("log test %v", i+5))
+	}
+}
+
+func (s *DockerSwarmSuite) TestServiceLogsSince(c *check.C) {
+	// See DockerSuite.TestLogsSince, which is where this comes from
+	d := s.AddDaemon(c, true, true)
+
+	name := "TestServiceLogsSince"
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "busybox", "sh", "-c", "for i in $(seq 1 3); do sleep .1; echo log$i; done; sleep 10000000")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+	// wait a sec for the logs to come in
+	waitAndAssert(c, defaultReconciliationTimeout, countLogLines(d, name), checker.Equals, 3)
+
+	out, err = d.Cmd("service", "logs", "-t", name)
+	c.Assert(err, checker.IsNil)
+
+	log2Line := strings.Split(strings.Split(out, "\n")[1], " ")
+	t, err := time.Parse(time.RFC3339Nano, log2Line[0]) // timestamp log2 is written
+	c.Assert(err, checker.IsNil)
+	u := t.Add(50 * time.Millisecond) // add .05s so log1 & log2 don't show up
+	since := u.Format(time.RFC3339Nano)
+
+	out, err = d.Cmd("service", "logs", "-t", fmt.Sprintf("--since=%v", since), name)
+	c.Assert(err, checker.IsNil)
+
+	unexpected := []string{"log1", "log2"}
+	expected := []string{"log3"}
+	for _, v := range unexpected {
+		c.Assert(out, checker.Not(checker.Contains), v, check.Commentf("unexpected log message returned, since=%v", u))
+	}
+	for _, v := range expected {
+		c.Assert(out, checker.Contains, v, check.Commentf("expected log message %v, was not present, since=%v", u))
+	}
+}
+
+func (s *DockerSwarmSuite) TestServiceLogsFollow(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "TestServiceLogsFollow"
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "busybox", "sh", "-c", "while true; do echo log test; sleep 0.1; done")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	args := []string{"service", "logs", "-f", name}
+	cmd := exec.Command(dockerBinary, d.PrependHostArg(args)...)
+	r, w := io.Pipe()
+	cmd.Stdout = w
+	cmd.Stderr = w
+	c.Assert(cmd.Start(), checker.IsNil)
+	go cmd.Wait()
+
+	// Make sure pipe is written to
+	ch := make(chan *logMessage)
+	done := make(chan struct{})
+	go func() {
+		reader := bufio.NewReader(r)
+		for {
+			msg := &logMessage{}
+			msg.data, _, msg.err = reader.ReadLine()
+			select {
+			case ch <- msg:
+			case <-done:
+				return
+			}
+		}
+	}()
+
+	for i := 0; i < 3; i++ {
+		msg := <-ch
+		c.Assert(msg.err, checker.IsNil)
+		c.Assert(string(msg.data), checker.Contains, "log test")
+	}
+	close(done)
+
+	c.Assert(cmd.Process.Kill(), checker.IsNil)
+}
+
+func (s *DockerSwarmSuite) TestServiceLogsTaskLogs(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "TestServicelogsTaskLogs"
+	replicas := 2
+
+	result := icmd.RunCmd(d.Command(
+		// create a service with the name
+		"service", "create", "--detach", "--no-resolve-image", "--name", name,
+		// which has some number of replicas
+		fmt.Sprintf("--replicas=%v", replicas),
+		// which has this the task id as an environment variable templated in
+		"--env", "TASK={{.Task.ID}}",
+		// and runs this command to print exactly 6 logs lines
+		"busybox", "sh", "-c", "for line in $(seq 0 5); do echo $TASK log test $line; done; sleep 100000",
+	))
+	result.Assert(c, icmd.Expected{})
+	// ^^ verify that we get no error
+	// then verify that we have an id in stdout
+	id := strings.TrimSpace(result.Stdout())
+	c.Assert(id, checker.Not(checker.Equals), "")
+	// so, right here, we're basically inspecting by id and returning only
+	// the ID. if they don't match, the service doesn't exist.
+	result = icmd.RunCmd(d.Command("service", "inspect", "--format=\"{{.ID}}\"", id))
+	result.Assert(c, icmd.Expected{Out: id})
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, replicas)
+	waitAndAssert(c, defaultReconciliationTimeout, countLogLines(d, name), checker.Equals, 6*replicas)
+
+	// get the task ids
+	result = icmd.RunCmd(d.Command("service", "ps", "-q", name))
+	result.Assert(c, icmd.Expected{})
+	// make sure we have two tasks
+	taskIDs := strings.Split(strings.TrimSpace(result.Stdout()), "\n")
+	c.Assert(taskIDs, checker.HasLen, replicas)
+
+	for _, taskID := range taskIDs {
+		c.Logf("checking task %v", taskID)
+		result := icmd.RunCmd(d.Command("service", "logs", taskID))
+		result.Assert(c, icmd.Expected{})
+		lines := strings.Split(strings.TrimSpace(result.Stdout()), "\n")
+
+		c.Logf("checking messages for %v", taskID)
+		for i, line := range lines {
+			// make sure the message is in order
+			c.Assert(line, checker.Contains, fmt.Sprintf("log test %v", i))
+			// make sure it contains the task id
+			c.Assert(line, checker.Contains, taskID)
+		}
+	}
+}
+
+func (s *DockerSwarmSuite) TestServiceLogsTTY(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "TestServiceLogsTTY"
+
+	result := icmd.RunCmd(d.Command(
+		// create a service
+		"service", "create", "--detach", "--no-resolve-image",
+		// name it $name
+		"--name", name,
+		// use a TTY
+		"-t",
+		// busybox image, shell string
+		"busybox", "sh", "-c",
+		// echo to stdout and stderr
+		"echo out; (echo err 1>&2); sleep 10000",
+	))
+
+	result.Assert(c, icmd.Expected{})
+	id := strings.TrimSpace(result.Stdout())
+	c.Assert(id, checker.Not(checker.Equals), "")
+	// so, right here, we're basically inspecting by id and returning only
+	// the ID. if they don't match, the service doesn't exist.
+	result = icmd.RunCmd(d.Command("service", "inspect", "--format=\"{{.ID}}\"", id))
+	result.Assert(c, icmd.Expected{Out: id})
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+	// and make sure we have all the log lines
+	waitAndAssert(c, defaultReconciliationTimeout, countLogLines(d, name), checker.Equals, 2)
+
+	cmd := d.Command("service", "logs", "--raw", name)
+	result = icmd.RunCmd(cmd)
+	// for some reason there is carriage return in the output. i think this is
+	// just expected.
+	result.Assert(c, icmd.Expected{Out: "out\r\nerr\r\n"})
+}
+
+func (s *DockerSwarmSuite) TestServiceLogsNoHangDeletedContainer(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "TestServiceLogsNoHangDeletedContainer"
+
+	result := icmd.RunCmd(d.Command(
+		// create a service
+		"service", "create", "--detach", "--no-resolve-image",
+		// name it $name
+		"--name", name,
+		// busybox image, shell string
+		"busybox", "sh", "-c",
+		// echo to stdout and stderr
+		"while true; do echo line; sleep 2; done",
+	))
+
+	// confirm that the command succeeded
+	result.Assert(c, icmd.Expected{})
+	// get the service id
+	id := strings.TrimSpace(result.Stdout())
+	c.Assert(id, checker.Not(checker.Equals), "")
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+	// and make sure we have all the log lines
+	waitAndAssert(c, defaultReconciliationTimeout, countLogLines(d, name), checker.Equals, 2)
+
+	// now find and nuke the container
+	result = icmd.RunCmd(d.Command("ps", "-q"))
+	containerID := strings.TrimSpace(result.Stdout())
+	c.Assert(containerID, checker.Not(checker.Equals), "")
+	result = icmd.RunCmd(d.Command("stop", containerID))
+	result.Assert(c, icmd.Expected{Out: containerID})
+	result = icmd.RunCmd(d.Command("rm", containerID))
+	result.Assert(c, icmd.Expected{Out: containerID})
+
+	// run logs. use tail 2 to make sure we don't try to get a bunch of logs
+	// somehow and slow down execution time
+	cmd := d.Command("service", "logs", "--tail", "2", id)
+	// start the command and then wait for it to finish with a 3 second timeout
+	result = icmd.StartCmd(cmd)
+	result = icmd.WaitOnCmd(3*time.Second, result)
+
+	// then, assert that the result matches expected. if the command timed out,
+	// if the command is timed out, result.Timeout will be true, but the
+	// Expected defaults to false
+	result.Assert(c, icmd.Expected{})
+}
+
+func (s *DockerSwarmSuite) TestServiceLogsDetails(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "TestServiceLogsDetails"
+
+	result := icmd.RunCmd(d.Command(
+		// create a service
+		"service", "create", "--detach", "--no-resolve-image",
+		// name it $name
+		"--name", name,
+		// add an environment variable
+		"--env", "asdf=test1",
+		// add a log driver (without explicitly setting a driver, log-opt doesn't work)
+		"--log-driver", "json-file",
+		// add a log option to print the environment variable
+		"--log-opt", "env=asdf",
+		// busybox image, shell string
+		"busybox", "sh", "-c",
+		// make a log line
+		"echo LogLine; while true; do sleep 1; done;",
+	))
+
+	result.Assert(c, icmd.Expected{})
+	id := strings.TrimSpace(result.Stdout())
+	c.Assert(id, checker.Not(checker.Equals), "")
+
+	// make sure task has been deployed
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+	// and make sure we have all the log lines
+	waitAndAssert(c, defaultReconciliationTimeout, countLogLines(d, name), checker.Equals, 1)
+
+	// First, test without pretty printing
+	// call service logs with details. set raw to skip pretty printing
+	result = icmd.RunCmd(d.Command("service", "logs", "--raw", "--details", name))
+	// in this case, we should get details and we should get log message, but
+	// there will also be context as details (which will fall after the detail
+	// we inserted in alphabetical order
+	result.Assert(c, icmd.Expected{Out: "asdf=test1"})
+	result.Assert(c, icmd.Expected{Out: "LogLine"})
+
+	// call service logs with details. this time, don't pass raw
+	result = icmd.RunCmd(d.Command("service", "logs", "--details", id))
+	// in this case, we should get details space logmessage as well. the context
+	// is part of the pretty part of the logline
+	result.Assert(c, icmd.Expected{Out: "asdf=test1 LogLine"})
+}
diff --git a/engine/integration-cli/docker_cli_service_scale_test.go b/engine/integration-cli/docker_cli_service_scale_test.go
new file mode 100644
index 00000000..41b49d64
--- /dev/null
+++ b/engine/integration-cli/docker_cli_service_scale_test.go
@@ -0,0 +1,57 @@
+// +build !windows
+
+package main
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSwarmSuite) TestServiceScale(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	service1Name := "TestService1"
+	service1Args := append([]string{"service", "create", "--detach", "--no-resolve-image", "--name", service1Name, defaultSleepImage}, sleepCommandForDaemonPlatform()...)
+
+	// global mode
+	service2Name := "TestService2"
+	service2Args := append([]string{"service", "create", "--detach", "--no-resolve-image", "--name", service2Name, "--mode=global", defaultSleepImage}, sleepCommandForDaemonPlatform()...)
+
+	// Create services
+	out, err := d.Cmd(service1Args...)
+	c.Assert(err, checker.IsNil)
+
+	out, err = d.Cmd(service2Args...)
+	c.Assert(err, checker.IsNil)
+
+	out, err = d.Cmd("service", "scale", "TestService1=2")
+	c.Assert(err, checker.IsNil)
+
+	out, err = d.Cmd("service", "scale", "TestService1=foobar")
+	c.Assert(err, checker.NotNil)
+
+	str := fmt.Sprintf("%s: invalid replicas value %s", service1Name, "foobar")
+	if !strings.Contains(out, str) {
+		c.Errorf("got: %s, expected has sub string: %s", out, str)
+	}
+
+	out, err = d.Cmd("service", "scale", "TestService1=-1")
+	c.Assert(err, checker.NotNil)
+
+	str = fmt.Sprintf("%s: invalid replicas value %s", service1Name, "-1")
+	if !strings.Contains(out, str) {
+		c.Errorf("got: %s, expected has sub string: %s", out, str)
+	}
+
+	// TestService2 is a global mode
+	out, err = d.Cmd("service", "scale", "TestService2=2")
+	c.Assert(err, checker.NotNil)
+
+	str = fmt.Sprintf("%s: scale can only be used with replicated mode\n", service2Name)
+	if out != str {
+		c.Errorf("got: %s, expected: %s", out, str)
+	}
+}
diff --git a/engine/integration-cli/docker_cli_service_update_test.go b/engine/integration-cli/docker_cli_service_update_test.go
new file mode 100644
index 00000000..a281327a
--- /dev/null
+++ b/engine/integration-cli/docker_cli_service_update_test.go
@@ -0,0 +1,137 @@
+// +build !windows
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSwarmSuite) TestServiceUpdateLabel(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name=test", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	service := d.GetService(c, "test")
+	c.Assert(service.Spec.Labels, checker.HasLen, 0)
+
+	// add label to empty set
+	out, err = d.Cmd("service", "update", "--detach", "test", "--label-add", "foo=bar")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	service = d.GetService(c, "test")
+	c.Assert(service.Spec.Labels, checker.HasLen, 1)
+	c.Assert(service.Spec.Labels["foo"], checker.Equals, "bar")
+
+	// add label to non-empty set
+	out, err = d.Cmd("service", "update", "--detach", "test", "--label-add", "foo2=bar")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	service = d.GetService(c, "test")
+	c.Assert(service.Spec.Labels, checker.HasLen, 2)
+	c.Assert(service.Spec.Labels["foo2"], checker.Equals, "bar")
+
+	out, err = d.Cmd("service", "update", "--detach", "test", "--label-rm", "foo2")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	service = d.GetService(c, "test")
+	c.Assert(service.Spec.Labels, checker.HasLen, 1)
+	c.Assert(service.Spec.Labels["foo2"], checker.Equals, "")
+
+	out, err = d.Cmd("service", "update", "--detach", "test", "--label-rm", "foo")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	service = d.GetService(c, "test")
+	c.Assert(service.Spec.Labels, checker.HasLen, 0)
+	c.Assert(service.Spec.Labels["foo"], checker.Equals, "")
+
+	// now make sure we can add again
+	out, err = d.Cmd("service", "update", "--detach", "test", "--label-add", "foo=bar")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	service = d.GetService(c, "test")
+	c.Assert(service.Spec.Labels, checker.HasLen, 1)
+	c.Assert(service.Spec.Labels["foo"], checker.Equals, "bar")
+}
+
+func (s *DockerSwarmSuite) TestServiceUpdateSecrets(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	testName := "test_secret"
+	id := d.CreateSecret(c, swarm.SecretSpec{
+		Annotations: swarm.Annotations{
+			Name: testName,
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("secrets: %s", id))
+	testTarget := "testing"
+	serviceName := "test"
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", serviceName, "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// add secret
+	out, err = d.Cmd("service", "update", "--detach", "test", "--secret-add", fmt.Sprintf("source=%s,target=%s", testName, testTarget))
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Secrets }}", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	var refs []swarm.SecretReference
+	c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
+	c.Assert(refs, checker.HasLen, 1)
+
+	c.Assert(refs[0].SecretName, checker.Equals, testName)
+	c.Assert(refs[0].File, checker.Not(checker.IsNil))
+	c.Assert(refs[0].File.Name, checker.Equals, testTarget)
+
+	// remove
+	out, err = d.Cmd("service", "update", "--detach", "test", "--secret-rm", testName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Secrets }}", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
+	c.Assert(refs, checker.HasLen, 0)
+}
+
+func (s *DockerSwarmSuite) TestServiceUpdateConfigs(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	testName := "test_config"
+	id := d.CreateConfig(c, swarm.ConfigSpec{
+		Annotations: swarm.Annotations{
+			Name: testName,
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("configs: %s", id))
+	testTarget := "/testing"
+	serviceName := "test"
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", serviceName, "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// add config
+	out, err = d.Cmd("service", "update", "--detach", "test", "--config-add", fmt.Sprintf("source=%s,target=%s", testName, testTarget))
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Configs }}", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	var refs []swarm.ConfigReference
+	c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
+	c.Assert(refs, checker.HasLen, 1)
+
+	c.Assert(refs[0].ConfigName, checker.Equals, testName)
+	c.Assert(refs[0].File, checker.Not(checker.IsNil))
+	c.Assert(refs[0].File.Name, checker.Equals, testTarget)
+
+	// remove
+	out, err = d.Cmd("service", "update", "--detach", "test", "--config-rm", testName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ json .Spec.TaskTemplate.ContainerSpec.Configs }}", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(json.Unmarshal([]byte(out), &refs), checker.IsNil)
+	c.Assert(refs, checker.HasLen, 0)
+}
diff --git a/engine/integration-cli/docker_cli_sni_test.go b/engine/integration-cli/docker_cli_sni_test.go
new file mode 100644
index 00000000..f50b5bbf
--- /dev/null
+++ b/engine/integration-cli/docker_cli_sni_test.go
@@ -0,0 +1,44 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os/exec"
+	"strings"
+
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestClientSetsTLSServerName(c *check.C) {
+	c.Skip("Flakey test")
+	// there may be more than one hit to the server for each registry request
+	var serverNameReceived []string
+	var serverName string
+
+	virtualHostServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		serverNameReceived = append(serverNameReceived, r.TLS.ServerName)
+	}))
+	defer virtualHostServer.Close()
+	// discard TLS handshake errors written by default to os.Stderr
+	virtualHostServer.Config.ErrorLog = log.New(ioutil.Discard, "", 0)
+
+	u, err := url.Parse(virtualHostServer.URL)
+	c.Assert(err, check.IsNil)
+	hostPort := u.Host
+	serverName = strings.Split(hostPort, ":")[0]
+
+	repoName := fmt.Sprintf("%v/dockercli/image:latest", hostPort)
+	cmd := exec.Command(dockerBinary, "pull", repoName)
+	cmd.Run()
+
+	// check that the fake server was hit at least once
+	c.Assert(len(serverNameReceived) > 0, check.Equals, true)
+	// check that for each hit the right server name was received
+	for _, item := range serverNameReceived {
+		c.Check(item, check.Equals, serverName)
+	}
+}
diff --git a/engine/integration-cli/docker_cli_start_test.go b/engine/integration-cli/docker_cli_start_test.go
new file mode 100644
index 00000000..cbe917bf
--- /dev/null
+++ b/engine/integration-cli/docker_cli_start_test.go
@@ -0,0 +1,199 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+// Regression test for https://github.com/docker/docker/issues/7843
+func (s *DockerSuite) TestStartAttachReturnsOnError(c *check.C) {
+	// Windows does not support link
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "run", "--name", "test", "busybox")
+
+	// Expect this to fail because the above container is stopped, this is what we want
+	out, _, err := dockerCmdWithError("run", "--name", "test2", "--link", "test:test", "busybox")
+	// err shouldn't be nil because container test2 try to link to stopped container
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+
+	ch := make(chan error)
+	go func() {
+		// Attempt to start attached to the container that won't start
+		// This should return an error immediately since the container can't be started
+		if out, _, err := dockerCmdWithError("start", "-a", "test2"); err == nil {
+			ch <- fmt.Errorf("Expected error but got none:\n%s", out)
+		}
+		close(ch)
+	}()
+
+	select {
+	case err := <-ch:
+		c.Assert(err, check.IsNil)
+	case <-time.After(5 * time.Second):
+		c.Fatalf("Attach did not exit properly")
+	}
+}
+
+// gh#8555: Exit code should be passed through when using start -a
+func (s *DockerSuite) TestStartAttachCorrectExitCode(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	out := cli.DockerCmd(c, "run", "-d", "busybox", "sh", "-c", "sleep 2; exit 1").Stdout()
+	out = strings.TrimSpace(out)
+
+	// make sure the container has exited before trying the "start -a"
+	cli.DockerCmd(c, "wait", out)
+
+	cli.Docker(cli.Args("start", "-a", out)).Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+}
+
+func (s *DockerSuite) TestStartAttachSilent(c *check.C) {
+	name := "teststartattachcorrectexitcode"
+	dockerCmd(c, "run", "--name", name, "busybox", "echo", "test")
+
+	// make sure the container has exited before trying the "start -a"
+	dockerCmd(c, "wait", name)
+
+	startOut, _ := dockerCmd(c, "start", "-a", name)
+	// start -a produced unexpected output
+	c.Assert(startOut, checker.Equals, "test\n")
+}
+
+func (s *DockerSuite) TestStartRecordError(c *check.C) {
+	// TODO Windows CI: Requires further porting work. Should be possible.
+	testRequires(c, DaemonIsLinux)
+	// when container runs successfully, we should not have state.Error
+	dockerCmd(c, "run", "-d", "-p", "9999:9999", "--name", "test", "busybox", "top")
+	stateErr := inspectField(c, "test", "State.Error")
+	// Expected to not have state error
+	c.Assert(stateErr, checker.Equals, "")
+
+	// Expect this to fail and records error because of ports conflict
+	out, _, err := dockerCmdWithError("run", "-d", "--name", "test2", "-p", "9999:9999", "busybox", "top")
+	// err shouldn't be nil because docker run will fail
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+
+	stateErr = inspectField(c, "test2", "State.Error")
+	c.Assert(stateErr, checker.Contains, "port is already allocated")
+
+	// Expect the conflict to be resolved when we stop the initial container
+	dockerCmd(c, "stop", "test")
+	dockerCmd(c, "start", "test2")
+	stateErr = inspectField(c, "test2", "State.Error")
+	// Expected to not have state error but got one
+	c.Assert(stateErr, checker.Equals, "")
+}
+
+func (s *DockerSuite) TestStartPausedContainer(c *check.C) {
+	// Windows does not support pausing containers
+	testRequires(c, IsPausable)
+
+	runSleepingContainer(c, "-d", "--name", "testing")
+
+	dockerCmd(c, "pause", "testing")
+
+	out, _, err := dockerCmdWithError("start", "testing")
+	// an error should have been shown that you cannot start paused container
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	// an error should have been shown that you cannot start paused container
+	c.Assert(strings.ToLower(out), checker.Contains, "cannot start a paused container, try unpause instead")
+}
+
+func (s *DockerSuite) TestStartMultipleContainers(c *check.C) {
+	// Windows does not support --link
+	testRequires(c, DaemonIsLinux)
+	// run a container named 'parent' and create two container link to `parent`
+	dockerCmd(c, "run", "-d", "--name", "parent", "busybox", "top")
+
+	for _, container := range []string{"child_first", "child_second"} {
+		dockerCmd(c, "create", "--name", container, "--link", "parent:parent", "busybox", "top")
+	}
+
+	// stop 'parent' container
+	dockerCmd(c, "stop", "parent")
+
+	out := inspectField(c, "parent", "State.Running")
+	// Container should be stopped
+	c.Assert(out, checker.Equals, "false")
+
+	// start all the three containers, container `child_first` start first which should be failed
+	// container 'parent' start second and then start container 'child_second'
+	expOut := "Cannot link to a non running container"
+	expErr := "failed to start containers: [child_first]"
+	out, _, err := dockerCmdWithError("start", "child_first", "parent", "child_second")
+	// err shouldn't be nil because start will fail
+	c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+	// output does not correspond to what was expected
+	if !(strings.Contains(out, expOut) || strings.Contains(err.Error(), expErr)) {
+		c.Fatalf("Expected out: %v with err: %v  but got out: %v with err: %v", expOut, expErr, out, err)
+	}
+
+	for container, expected := range map[string]string{"parent": "true", "child_first": "false", "child_second": "true"} {
+		out := inspectField(c, container, "State.Running")
+		// Container running state wrong
+		c.Assert(out, checker.Equals, expected)
+	}
+}
+
+func (s *DockerSuite) TestStartAttachMultipleContainers(c *check.C) {
+	// run  multiple containers to test
+	for _, container := range []string{"test1", "test2", "test3"} {
+		runSleepingContainer(c, "--name", container)
+	}
+
+	// stop all the containers
+	for _, container := range []string{"test1", "test2", "test3"} {
+		dockerCmd(c, "stop", container)
+	}
+
+	// test start and attach multiple containers at once, expected error
+	for _, option := range []string{"-a", "-i", "-ai"} {
+		out, _, err := dockerCmdWithError("start", option, "test1", "test2", "test3")
+		// err shouldn't be nil because start will fail
+		c.Assert(err, checker.NotNil, check.Commentf("out: %s", out))
+		// output does not correspond to what was expected
+		c.Assert(out, checker.Contains, "you cannot start and attach multiple containers at once")
+	}
+
+	// confirm the state of all the containers be stopped
+	for container, expected := range map[string]string{"test1": "false", "test2": "false", "test3": "false"} {
+		out := inspectField(c, container, "State.Running")
+		// Container running state wrong
+		c.Assert(out, checker.Equals, expected)
+	}
+}
+
+// Test case for #23716
+func (s *DockerSuite) TestStartAttachWithRename(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	cli.DockerCmd(c, "create", "-t", "--name", "before", "busybox")
+	go func() {
+		cli.WaitRun(c, "before")
+		cli.DockerCmd(c, "rename", "before", "after")
+		cli.DockerCmd(c, "stop", "--time=2", "after")
+	}()
+	// FIXME(vdemeester) the intent is not clear and potentially racey
+	result := cli.Docker(cli.Args("start", "-a", "before")).Assert(c, icmd.Expected{
+		ExitCode: 137,
+	})
+	c.Assert(result.Stderr(), checker.Not(checker.Contains), "No such container")
+}
+
+func (s *DockerSuite) TestStartReturnCorrectExitCode(c *check.C) {
+	dockerCmd(c, "create", "--restart=on-failure:2", "--name", "withRestart", "busybox", "sh", "-c", "exit 11")
+	dockerCmd(c, "create", "--rm", "--name", "withRm", "busybox", "sh", "-c", "exit 12")
+
+	_, exitCode, err := dockerCmdWithError("start", "-a", "withRestart")
+	c.Assert(err, checker.NotNil)
+	c.Assert(exitCode, checker.Equals, 11)
+	_, exitCode, err = dockerCmdWithError("start", "-a", "withRm")
+	c.Assert(err, checker.NotNil)
+	c.Assert(exitCode, checker.Equals, 12)
+}
diff --git a/engine/integration-cli/docker_cli_stats_test.go b/engine/integration-cli/docker_cli_stats_test.go
new file mode 100644
index 00000000..45483636
--- /dev/null
+++ b/engine/integration-cli/docker_cli_stats_test.go
@@ -0,0 +1,180 @@
+package main
+
+import (
+	"bufio"
+	"os/exec"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSuite) TestStatsNoStream(c *check.C) {
+	// Windows does not support stats
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	id := strings.TrimSpace(out)
+	c.Assert(waitRun(id), checker.IsNil)
+
+	statsCmd := exec.Command(dockerBinary, "stats", "--no-stream", id)
+	type output struct {
+		out []byte
+		err error
+	}
+
+	ch := make(chan output)
+	go func() {
+		out, err := statsCmd.Output()
+		ch <- output{out, err}
+	}()
+
+	select {
+	case outerr := <-ch:
+		c.Assert(outerr.err, checker.IsNil, check.Commentf("Error running stats: %v", outerr.err))
+		c.Assert(string(outerr.out), checker.Contains, id[:12]) //running container wasn't present in output
+	case <-time.After(3 * time.Second):
+		statsCmd.Process.Kill()
+		c.Fatalf("stats did not return immediately when not streaming")
+	}
+}
+
+func (s *DockerSuite) TestStatsContainerNotFound(c *check.C) {
+	// Windows does not support stats
+	testRequires(c, DaemonIsLinux)
+
+	out, _, err := dockerCmdWithError("stats", "notfound")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "No such container: notfound", check.Commentf("Expected to fail on not found container stats, got %q instead", out))
+
+	out, _, err = dockerCmdWithError("stats", "--no-stream", "notfound")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "No such container: notfound", check.Commentf("Expected to fail on not found container stats with --no-stream, got %q instead", out))
+}
+
+func (s *DockerSuite) TestStatsAllRunningNoStream(c *check.C) {
+	// Windows does not support stats
+	testRequires(c, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	id1 := strings.TrimSpace(out)[:12]
+	c.Assert(waitRun(id1), check.IsNil)
+	out, _ = dockerCmd(c, "run", "-d", "busybox", "top")
+	id2 := strings.TrimSpace(out)[:12]
+	c.Assert(waitRun(id2), check.IsNil)
+	out, _ = dockerCmd(c, "run", "-d", "busybox", "top")
+	id3 := strings.TrimSpace(out)[:12]
+	c.Assert(waitRun(id3), check.IsNil)
+	dockerCmd(c, "stop", id3)
+
+	out, _ = dockerCmd(c, "stats", "--no-stream")
+	if !strings.Contains(out, id1) || !strings.Contains(out, id2) {
+		c.Fatalf("Expected stats output to contain both %s and %s, got %s", id1, id2, out)
+	}
+	if strings.Contains(out, id3) {
+		c.Fatalf("Did not expect %s in stats, got %s", id3, out)
+	}
+
+	// check output contains real data, but not all zeros
+	reg, _ := regexp.Compile("[1-9]+")
+	// split output with "\n", outLines[1] is id2's output
+	// outLines[2] is id1's output
+	outLines := strings.Split(out, "\n")
+	// check stat result of id2 contains real data
+	realData := reg.Find([]byte(outLines[1][12:]))
+	c.Assert(realData, checker.NotNil, check.Commentf("stat result are empty: %s", out))
+	// check stat result of id1 contains real data
+	realData = reg.Find([]byte(outLines[2][12:]))
+	c.Assert(realData, checker.NotNil, check.Commentf("stat result are empty: %s", out))
+}
+
+func (s *DockerSuite) TestStatsAllNoStream(c *check.C) {
+	// Windows does not support stats
+	testRequires(c, DaemonIsLinux)
+
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "top")
+	id1 := strings.TrimSpace(out)[:12]
+	c.Assert(waitRun(id1), check.IsNil)
+	dockerCmd(c, "stop", id1)
+	out, _ = dockerCmd(c, "run", "-d", "busybox", "top")
+	id2 := strings.TrimSpace(out)[:12]
+	c.Assert(waitRun(id2), check.IsNil)
+
+	out, _ = dockerCmd(c, "stats", "--all", "--no-stream")
+	if !strings.Contains(out, id1) || !strings.Contains(out, id2) {
+		c.Fatalf("Expected stats output to contain both %s and %s, got %s", id1, id2, out)
+	}
+
+	// check output contains real data, but not all zeros
+	reg, _ := regexp.Compile("[1-9]+")
+	// split output with "\n", outLines[1] is id2's output
+	outLines := strings.Split(out, "\n")
+	// check stat result of id2 contains real data
+	realData := reg.Find([]byte(outLines[1][12:]))
+	c.Assert(realData, checker.NotNil, check.Commentf("stat result of %s is empty: %s", id2, out))
+	// check stat result of id1 contains all zero
+	realData = reg.Find([]byte(outLines[2][12:]))
+	c.Assert(realData, checker.IsNil, check.Commentf("stat result of %s should be empty : %s", id1, out))
+}
+
+func (s *DockerSuite) TestStatsAllNewContainersAdded(c *check.C) {
+	// Windows does not support stats
+	testRequires(c, DaemonIsLinux)
+
+	id := make(chan string)
+	addedChan := make(chan struct{})
+
+	runSleepingContainer(c, "-d")
+	statsCmd := exec.Command(dockerBinary, "stats")
+	stdout, err := statsCmd.StdoutPipe()
+	c.Assert(err, check.IsNil)
+	c.Assert(statsCmd.Start(), check.IsNil)
+	go statsCmd.Wait()
+	defer statsCmd.Process.Kill()
+
+	go func() {
+		containerID := <-id
+		matchID := regexp.MustCompile(containerID)
+
+		scanner := bufio.NewScanner(stdout)
+		for scanner.Scan() {
+			switch {
+			case matchID.MatchString(scanner.Text()):
+				close(addedChan)
+				return
+			}
+		}
+	}()
+
+	out := runSleepingContainer(c, "-d")
+	c.Assert(waitRun(strings.TrimSpace(out)), check.IsNil)
+	id <- strings.TrimSpace(out)[:12]
+
+	select {
+	case <-time.After(30 * time.Second):
+		c.Fatal("failed to observe new container created added to stats")
+	case <-addedChan:
+		// ignore, done
+	}
+}
+
+func (s *DockerSuite) TestStatsFormatAll(c *check.C) {
+	// Windows does not support stats
+	testRequires(c, DaemonIsLinux)
+
+	cli.DockerCmd(c, "run", "-d", "--name=RunningOne", "busybox", "top")
+	cli.WaitRun(c, "RunningOne")
+	cli.DockerCmd(c, "run", "-d", "--name=ExitedOne", "busybox", "top")
+	cli.DockerCmd(c, "stop", "ExitedOne")
+	cli.WaitExited(c, "ExitedOne", 5*time.Second)
+
+	out := cli.DockerCmd(c, "stats", "--no-stream", "--format", "{{.Name}}").Combined()
+	c.Assert(out, checker.Contains, "RunningOne")
+	c.Assert(out, checker.Not(checker.Contains), "ExitedOne")
+
+	out = cli.DockerCmd(c, "stats", "--all", "--no-stream", "--format", "{{.Name}}").Combined()
+	c.Assert(out, checker.Contains, "RunningOne")
+	c.Assert(out, checker.Contains, "ExitedOne")
+}
diff --git a/engine/integration-cli/docker_cli_swarm_test.go b/engine/integration-cli/docker_cli_swarm_test.go
new file mode 100644
index 00000000..057c0d94
--- /dev/null
+++ b/engine/integration-cli/docker_cli_swarm_test.go
@@ -0,0 +1,2062 @@
+// +build !windows
+
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/cloudflare/cfssl/helpers"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/daemon"
+	"github.com/docker/libnetwork/driverapi"
+	"github.com/docker/libnetwork/ipamapi"
+	remoteipam "github.com/docker/libnetwork/ipams/remote/api"
+	"github.com/docker/swarmkit/ca/keyutils"
+	"github.com/go-check/check"
+	"github.com/vishvananda/netlink"
+	"gotest.tools/fs"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSwarmSuite) TestSwarmUpdate(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	getSpec := func() swarm.Spec {
+		sw := d.GetSwarm(c)
+		return sw.Spec
+	}
+
+	out, err := d.Cmd("swarm", "update", "--cert-expiry", "30h", "--dispatcher-heartbeat", "11s")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+
+	spec := getSpec()
+	c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour)
+	c.Assert(spec.Dispatcher.HeartbeatPeriod, checker.Equals, 11*time.Second)
+
+	// setting anything under 30m for cert-expiry is not allowed
+	out, err = d.Cmd("swarm", "update", "--cert-expiry", "15m")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "minimum certificate expiry time")
+	spec = getSpec()
+	c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour)
+
+	// passing an external CA (this is without starting a root rotation) does not fail
+	cli.Docker(cli.Args("swarm", "update", "--external-ca", "protocol=cfssl,url=https://something.org",
+		"--external-ca", "protocol=cfssl,url=https://somethingelse.org,cacert=fixtures/https/ca.pem"),
+		cli.Daemon(d)).Assert(c, icmd.Success)
+
+	expected, err := ioutil.ReadFile("fixtures/https/ca.pem")
+	c.Assert(err, checker.IsNil)
+
+	spec = getSpec()
+	c.Assert(spec.CAConfig.ExternalCAs, checker.HasLen, 2)
+	c.Assert(spec.CAConfig.ExternalCAs[0].CACert, checker.Equals, "")
+	c.Assert(spec.CAConfig.ExternalCAs[1].CACert, checker.Equals, string(expected))
+
+	// passing an invalid external CA fails
+	tempFile := fs.NewFile(c, "testfile", fs.WithContent("fakecert"))
+	defer tempFile.Remove()
+
+	result := cli.Docker(cli.Args("swarm", "update",
+		"--external-ca", fmt.Sprintf("protocol=cfssl,url=https://something.org,cacert=%s", tempFile.Path())),
+		cli.Daemon(d))
+	result.Assert(c, icmd.Expected{
+		ExitCode: 125,
+		Err:      "must be in PEM format",
+	})
+}
+
+func (s *DockerSwarmSuite) TestSwarmInit(c *check.C) {
+	d := s.AddDaemon(c, false, false)
+
+	getSpec := func() swarm.Spec {
+		sw := d.GetSwarm(c)
+		return sw.Spec
+	}
+
+	// passing an invalid external CA fails
+	tempFile := fs.NewFile(c, "testfile", fs.WithContent("fakecert"))
+	defer tempFile.Remove()
+
+	result := cli.Docker(cli.Args("swarm", "init", "--cert-expiry", "30h", "--dispatcher-heartbeat", "11s",
+		"--external-ca", fmt.Sprintf("protocol=cfssl,url=https://somethingelse.org,cacert=%s", tempFile.Path())),
+		cli.Daemon(d))
+	result.Assert(c, icmd.Expected{
+		ExitCode: 125,
+		Err:      "must be in PEM format",
+	})
+
+	cli.Docker(cli.Args("swarm", "init", "--cert-expiry", "30h", "--dispatcher-heartbeat", "11s",
+		"--external-ca", "protocol=cfssl,url=https://something.org",
+		"--external-ca", "protocol=cfssl,url=https://somethingelse.org,cacert=fixtures/https/ca.pem"),
+		cli.Daemon(d)).Assert(c, icmd.Success)
+
+	expected, err := ioutil.ReadFile("fixtures/https/ca.pem")
+	c.Assert(err, checker.IsNil)
+
+	spec := getSpec()
+	c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour)
+	c.Assert(spec.Dispatcher.HeartbeatPeriod, checker.Equals, 11*time.Second)
+	c.Assert(spec.CAConfig.ExternalCAs, checker.HasLen, 2)
+	c.Assert(spec.CAConfig.ExternalCAs[0].CACert, checker.Equals, "")
+	c.Assert(spec.CAConfig.ExternalCAs[1].CACert, checker.Equals, string(expected))
+
+	c.Assert(d.SwarmLeave(true), checker.IsNil)
+	cli.Docker(cli.Args("swarm", "init"), cli.Daemon(d)).Assert(c, icmd.Success)
+
+	spec = getSpec()
+	c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 90*24*time.Hour)
+	c.Assert(spec.Dispatcher.HeartbeatPeriod, checker.Equals, 5*time.Second)
+}
+
+func (s *DockerSwarmSuite) TestSwarmInitIPv6(c *check.C) {
+	testRequires(c, IPv6)
+	d1 := s.AddDaemon(c, false, false)
+	cli.Docker(cli.Args("swarm", "init", "--listen-add", "::1"), cli.Daemon(d1)).Assert(c, icmd.Success)
+
+	d2 := s.AddDaemon(c, false, false)
+	cli.Docker(cli.Args("swarm", "join", "::1"), cli.Daemon(d2)).Assert(c, icmd.Success)
+
+	out := cli.Docker(cli.Args("info"), cli.Daemon(d2)).Assert(c, icmd.Success).Combined()
+	c.Assert(out, checker.Contains, "Swarm: active")
+}
+
+func (s *DockerSwarmSuite) TestSwarmInitUnspecifiedAdvertiseAddr(c *check.C) {
+	d := s.AddDaemon(c, false, false)
+	out, err := d.Cmd("swarm", "init", "--advertise-addr", "0.0.0.0")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "advertise address must be a non-zero IP address")
+}
+
+func (s *DockerSwarmSuite) TestSwarmIncompatibleDaemon(c *check.C) {
+	// init swarm mode and stop a daemon
+	d := s.AddDaemon(c, true, true)
+	info := d.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+	d.Stop(c)
+
+	// start a daemon with --cluster-store and --cluster-advertise
+	err := d.StartWithError("--cluster-store=consul://consuladdr:consulport/some/path", "--cluster-advertise=1.1.1.1:2375")
+	c.Assert(err, checker.NotNil)
+	content, err := d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, "--cluster-store and --cluster-advertise daemon configurations are incompatible with swarm mode")
+
+	// start a daemon with --live-restore
+	err = d.StartWithError("--live-restore")
+	c.Assert(err, checker.NotNil)
+	content, err = d.ReadLogFile()
+	c.Assert(err, checker.IsNil)
+	c.Assert(string(content), checker.Contains, "--live-restore daemon configuration is incompatible with swarm mode")
+	// restart for teardown
+	d.Start(c)
+}
+
+func (s *DockerSwarmSuite) TestSwarmServiceTemplatingHostname(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	hostname, err := d.Cmd("node", "inspect", "--format", "{{.Description.Hostname}}", "self")
+	c.Assert(err, checker.IsNil, check.Commentf(hostname))
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", "test", "--hostname", "{{.Service.Name}}-{{.Task.Slot}}-{{.Node.Hostname}}", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	containers := d.ActiveContainers(c)
+	out, err = d.Cmd("inspect", "--type", "container", "--format", "{{.Config.Hostname}}", containers[0])
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.Split(out, "\n")[0], checker.Equals, "test-1-"+strings.Split(hostname, "\n")[0], check.Commentf("hostname with templating invalid"))
+}
+
+// Test case for #24270
+func (s *DockerSwarmSuite) TestSwarmServiceListFilter(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name1 := "redis-cluster-md5"
+	name2 := "redis-cluster"
+	name3 := "other-cluster"
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name1, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name2, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name3, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	filter1 := "name=redis-cluster-md5"
+	filter2 := "name=redis-cluster"
+
+	// We search checker.Contains with `name+" "` to prevent prefix only.
+	out, err = d.Cmd("service", "ls", "--filter", filter1)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name1+" ")
+	c.Assert(out, checker.Not(checker.Contains), name2+" ")
+	c.Assert(out, checker.Not(checker.Contains), name3+" ")
+
+	out, err = d.Cmd("service", "ls", "--filter", filter2)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name1+" ")
+	c.Assert(out, checker.Contains, name2+" ")
+	c.Assert(out, checker.Not(checker.Contains), name3+" ")
+
+	out, err = d.Cmd("service", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name1+" ")
+	c.Assert(out, checker.Contains, name2+" ")
+	c.Assert(out, checker.Contains, name3+" ")
+}
+
+func (s *DockerSwarmSuite) TestSwarmNodeListFilter(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("node", "inspect", "--format", "{{ .Description.Hostname }}", "self")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+	name := strings.TrimSpace(out)
+
+	filter := "name=" + name[:4]
+
+	out, err = d.Cmd("node", "ls", "--filter", filter)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+
+	out, err = d.Cmd("node", "ls", "--filter", "name=none")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name)
+}
+
+func (s *DockerSwarmSuite) TestSwarmNodeTaskListFilter(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "redis-cluster-md5"
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "--replicas=3", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 3)
+
+	filter := "name=redis-cluster"
+
+	out, err = d.Cmd("node", "ps", "--filter", filter, "self")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name+".1")
+	c.Assert(out, checker.Contains, name+".2")
+	c.Assert(out, checker.Contains, name+".3")
+
+	out, err = d.Cmd("node", "ps", "--filter", "name=none", "self")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name+".1")
+	c.Assert(out, checker.Not(checker.Contains), name+".2")
+	c.Assert(out, checker.Not(checker.Contains), name+".3")
+}
+
+// Test case for #25375
+func (s *DockerSwarmSuite) TestSwarmPublishAdd(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "top"
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "--label", "x=y", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	out, err = d.Cmd("service", "update", "--detach", "--publish-add", "80:80", name)
+	c.Assert(err, checker.IsNil)
+
+	out, err = d.Cmd("service", "update", "--detach", "--publish-add", "80:80", name)
+	c.Assert(err, checker.IsNil)
+
+	out, err = d.Cmd("service", "update", "--detach", "--publish-add", "80:80", "--publish-add", "80:20", name)
+	c.Assert(err, checker.NotNil)
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ .Spec.EndpointSpec.Ports }}", name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "[{ tcp 80 80 ingress}]")
+}
+
+func (s *DockerSwarmSuite) TestSwarmServiceWithGroup(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "top"
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "--user", "root:root", "--group", "wheel", "--group", "audio", "--group", "staff", "--group", "777", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	out, err = d.Cmd("ps", "-q")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	container := strings.TrimSpace(out)
+
+	out, err = d.Cmd("exec", container, "id")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "uid=0(root) gid=0(root) groups=10(wheel),29(audio),50(staff),777")
+}
+
+func (s *DockerSwarmSuite) TestSwarmContainerAutoStart(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("network", "create", "--attachable", "-d", "overlay", "foo")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	out, err = d.Cmd("run", "-id", "--restart=always", "--net=foo", "--name=test", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	out, err = d.Cmd("ps", "-q")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	d.Restart(c)
+
+	out, err = d.Cmd("ps", "-q")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+}
+
+func (s *DockerSwarmSuite) TestSwarmContainerEndpointOptions(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("network", "create", "--attachable", "-d", "overlay", "foo")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	_, err = d.Cmd("run", "-d", "--net=foo", "--name=first", "--net-alias=first-alias", "busybox:glibc", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	_, err = d.Cmd("run", "-d", "--net=foo", "--name=second", "busybox:glibc", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	_, err = d.Cmd("run", "-d", "--net=foo", "--net-alias=third-alias", "busybox:glibc", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// ping first container and its alias, also ping third and anonymous container by its alias
+	_, err = d.Cmd("exec", "second", "ping", "-c", "1", "first")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	_, err = d.Cmd("exec", "second", "ping", "-c", "1", "first-alias")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	_, err = d.Cmd("exec", "second", "ping", "-c", "1", "third-alias")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+}
+
+func (s *DockerSwarmSuite) TestSwarmContainerAttachByNetworkId(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("network", "create", "--attachable", "-d", "overlay", "testnet")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+	networkID := strings.TrimSpace(out)
+
+	out, err = d.Cmd("run", "-d", "--net", networkID, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	cID := strings.TrimSpace(out)
+	d.WaitRun(cID)
+
+	_, err = d.Cmd("rm", "-f", cID)
+	c.Assert(err, checker.IsNil)
+
+	_, err = d.Cmd("network", "rm", "testnet")
+	c.Assert(err, checker.IsNil)
+
+	checkNetwork := func(*check.C) (interface{}, check.CommentInterface) {
+		out, err := d.Cmd("network", "ls")
+		c.Assert(err, checker.IsNil)
+		return out, nil
+	}
+
+	waitAndAssert(c, 3*time.Second, checkNetwork, checker.Not(checker.Contains), "testnet")
+}
+
+func (s *DockerSwarmSuite) TestOverlayAttachable(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("network", "create", "-d", "overlay", "--attachable", "ovnet")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// validate attachable
+	out, err = d.Cmd("network", "inspect", "--format", "{{json .Attachable}}", "ovnet")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "true")
+
+	// validate containers can attache to this overlay network
+	out, err = d.Cmd("run", "-d", "--network", "ovnet", "--name", "c1", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// redo validation, there was a bug that the value of attachable changes after
+	// containers attach to the network
+	out, err = d.Cmd("network", "inspect", "--format", "{{json .Attachable}}", "ovnet")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "true")
+}
+
+func (s *DockerSwarmSuite) TestOverlayAttachableOnSwarmLeave(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// Create an attachable swarm network
+	nwName := "attovl"
+	out, err := d.Cmd("network", "create", "-d", "overlay", "--attachable", nwName)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// Connect a container to the network
+	out, err = d.Cmd("run", "-d", "--network", nwName, "--name", "c1", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// Leave the swarm
+	err = d.SwarmLeave(true)
+	c.Assert(err, checker.IsNil)
+
+	// Check the container is disconnected
+	out, err = d.Cmd("inspect", "c1", "--format", "{{.NetworkSettings.Networks."+nwName+"}}")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "<no value>")
+
+	// Check the network is gone
+	out, err = d.Cmd("network", "ls", "--format", "{{.Name}}")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), nwName)
+}
+
+func (s *DockerSwarmSuite) TestOverlayAttachableReleaseResourcesOnFailure(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// Create attachable network
+	out, err := d.Cmd("network", "create", "-d", "overlay", "--attachable", "--subnet", "10.10.9.0/24", "ovnet")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// Attach a container with specific IP
+	out, err = d.Cmd("run", "-d", "--network", "ovnet", "--name", "c1", "--ip", "10.10.9.33", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// Attempt to attach another container with same IP, must fail
+	_, err = d.Cmd("run", "-d", "--network", "ovnet", "--name", "c2", "--ip", "10.10.9.33", "busybox", "top")
+	c.Assert(err, checker.NotNil)
+
+	// Remove first container
+	out, err = d.Cmd("rm", "-f", "c1")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// Verify the network can be removed, no phantom network attachment task left over
+	out, err = d.Cmd("network", "rm", "ovnet")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+}
+
+func (s *DockerSwarmSuite) TestSwarmIngressNetwork(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// Ingress network can be removed
+	removeNetwork := func(name string) *icmd.Result {
+		return cli.Docker(
+			cli.Args("-H", d.Sock(), "network", "rm", name),
+			cli.WithStdin(strings.NewReader("Y")))
+	}
+
+	result := removeNetwork("ingress")
+	result.Assert(c, icmd.Success)
+
+	// And recreated
+	out, err := d.Cmd("network", "create", "-d", "overlay", "--ingress", "new-ingress")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// But only one is allowed
+	out, err = d.Cmd("network", "create", "-d", "overlay", "--ingress", "another-ingress")
+	c.Assert(err, checker.NotNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, "is already present")
+
+	// It cannot be removed if it is being used
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", "srv1", "-p", "9000:8000", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	result = removeNetwork("new-ingress")
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "ingress network cannot be removed because service",
+	})
+
+	// But it can be removed once no more services depend on it
+	out, err = d.Cmd("service", "update", "--detach", "--publish-rm", "9000:8000", "srv1")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	result = removeNetwork("new-ingress")
+	result.Assert(c, icmd.Success)
+
+	// A service which needs the ingress network cannot be created if no ingress is present
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", "srv2", "-p", "500:500", "busybox", "top")
+	c.Assert(err, checker.NotNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, "no ingress network is present")
+
+	// An existing service cannot be updated to use the ingress nw if the nw is not present
+	out, err = d.Cmd("service", "update", "--detach", "--publish-add", "9000:8000", "srv1")
+	c.Assert(err, checker.NotNil)
+	c.Assert(strings.TrimSpace(out), checker.Contains, "no ingress network is present")
+
+	// But services which do not need routing mesh can be created regardless
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", "srv3", "--endpoint-mode", "dnsrr", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+}
+
+func (s *DockerSwarmSuite) TestSwarmCreateServiceWithNoIngressNetwork(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// Remove ingress network
+	result := cli.Docker(
+		cli.Args("-H", d.Sock(), "network", "rm", "ingress"),
+		cli.WithStdin(strings.NewReader("Y")))
+	result.Assert(c, icmd.Success)
+
+	// Create a overlay network and launch a service on it
+	// Make sure nothing panics because ingress network is missing
+	out, err := d.Cmd("network", "create", "-d", "overlay", "another-network")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", "srv4", "--network", "another-network", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+}
+
+// Test case for #24108, also the case from:
+// https://github.com/docker/docker/pull/24620#issuecomment-233715656
+func (s *DockerSwarmSuite) TestSwarmTaskListFilter(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "redis-cluster-md5"
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "--replicas=3", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	filter := "name=redis-cluster"
+
+	checkNumTasks := func(*check.C) (interface{}, check.CommentInterface) {
+		out, err := d.Cmd("service", "ps", "--filter", filter, name)
+		c.Assert(err, checker.IsNil)
+		return len(strings.Split(out, "\n")) - 2, nil // includes header and nl in last line
+	}
+
+	// wait until all tasks have been created
+	waitAndAssert(c, defaultReconciliationTimeout, checkNumTasks, checker.Equals, 3)
+
+	out, err = d.Cmd("service", "ps", "--filter", filter, name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name+".1")
+	c.Assert(out, checker.Contains, name+".2")
+	c.Assert(out, checker.Contains, name+".3")
+
+	out, err = d.Cmd("service", "ps", "--filter", "name="+name+".1", name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name+".1")
+	c.Assert(out, checker.Not(checker.Contains), name+".2")
+	c.Assert(out, checker.Not(checker.Contains), name+".3")
+
+	out, err = d.Cmd("service", "ps", "--filter", "name=none", name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name+".1")
+	c.Assert(out, checker.Not(checker.Contains), name+".2")
+	c.Assert(out, checker.Not(checker.Contains), name+".3")
+
+	name = "redis-cluster-sha1"
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "--mode=global", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	waitAndAssert(c, defaultReconciliationTimeout, checkNumTasks, checker.Equals, 1)
+
+	filter = "name=redis-cluster"
+	out, err = d.Cmd("service", "ps", "--filter", filter, name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+
+	out, err = d.Cmd("service", "ps", "--filter", "name="+name, name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, name)
+
+	out, err = d.Cmd("service", "ps", "--filter", "name=none", name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), name)
+}
+
+func (s *DockerSwarmSuite) TestPsListContainersFilterIsTask(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// Create a bare container
+	out, err := d.Cmd("run", "-d", "--name=bare-container", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	bareID := strings.TrimSpace(out)[:12]
+	// Create a service
+	name := "busybox-top"
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckServiceRunningTasks(name), checker.Equals, 1)
+
+	// Filter non-tasks
+	out, err = d.Cmd("ps", "-a", "-q", "--filter=is-task=false")
+	c.Assert(err, checker.IsNil)
+	psOut := strings.TrimSpace(out)
+	c.Assert(psOut, checker.Equals, bareID, check.Commentf("Expected id %s, got %s for is-task label, output %q", bareID, psOut, out))
+
+	// Filter tasks
+	out, err = d.Cmd("ps", "-a", "-q", "--filter=is-task=true")
+	c.Assert(err, checker.IsNil)
+	lines := strings.Split(strings.Trim(out, "\n "), "\n")
+	c.Assert(lines, checker.HasLen, 1)
+	c.Assert(lines[0], checker.Not(checker.Equals), bareID, check.Commentf("Expected not %s, but got it for is-task label, output %q", bareID, out))
+}
+
+const globalNetworkPlugin = "global-network-plugin"
+const globalIPAMPlugin = "global-ipam-plugin"
+
+func setupRemoteGlobalNetworkPlugin(c *check.C, mux *http.ServeMux, url, netDrv, ipamDrv string) {
+
+	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, `{"Implements": ["%s", "%s"]}`, driverapi.NetworkPluginEndpointType, ipamapi.PluginEndpointType)
+	})
+
+	// Network driver implementation
+	mux.HandleFunc(fmt.Sprintf("/%s.GetCapabilities", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, `{"Scope":"global"}`)
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.AllocateNetwork", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&remoteDriverNetworkRequest)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, "null")
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.FreeNetwork", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, "null")
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.CreateNetwork", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&remoteDriverNetworkRequest)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, "null")
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.DeleteNetwork", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, "null")
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.CreateEndpoint", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, `{"Interface":{"MacAddress":"a0:b1:c2:d3:e4:f5"}}`)
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.Join", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+
+		veth := &netlink.Veth{
+			LinkAttrs: netlink.LinkAttrs{Name: "randomIfName", TxQLen: 0}, PeerName: "cnt0"}
+		if err := netlink.LinkAdd(veth); err != nil {
+			fmt.Fprintf(w, `{"Error":"failed to add veth pair: `+err.Error()+`"}`)
+		} else {
+			fmt.Fprintf(w, `{"InterfaceName":{ "SrcName":"cnt0", "DstPrefix":"veth"}}`)
+		}
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.Leave", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, "null")
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.DeleteEndpoint", driverapi.NetworkPluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		if link, err := netlink.LinkByName("cnt0"); err == nil {
+			netlink.LinkDel(link)
+		}
+		fmt.Fprintf(w, "null")
+	})
+
+	// IPAM Driver implementation
+	var (
+		poolRequest       remoteipam.RequestPoolRequest
+		poolReleaseReq    remoteipam.ReleasePoolRequest
+		addressRequest    remoteipam.RequestAddressRequest
+		addressReleaseReq remoteipam.ReleaseAddressRequest
+		lAS               = "localAS"
+		gAS               = "globalAS"
+		pool              = "172.28.0.0/16"
+		poolID            = lAS + "/" + pool
+		gw                = "172.28.255.254/16"
+	)
+
+	mux.HandleFunc(fmt.Sprintf("/%s.GetDefaultAddressSpaces", ipamapi.PluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintf(w, `{"LocalDefaultAddressSpace":"`+lAS+`", "GlobalDefaultAddressSpace": "`+gAS+`"}`)
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.RequestPool", ipamapi.PluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&poolRequest)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		if poolRequest.AddressSpace != lAS && poolRequest.AddressSpace != gAS {
+			fmt.Fprintf(w, `{"Error":"Unknown address space in pool request: `+poolRequest.AddressSpace+`"}`)
+		} else if poolRequest.Pool != "" && poolRequest.Pool != pool {
+			fmt.Fprintf(w, `{"Error":"Cannot handle explicit pool requests yet"}`)
+		} else {
+			fmt.Fprintf(w, `{"PoolID":"`+poolID+`", "Pool":"`+pool+`"}`)
+		}
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.RequestAddress", ipamapi.PluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&addressRequest)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		// make sure libnetwork is now querying on the expected pool id
+		if addressRequest.PoolID != poolID {
+			fmt.Fprintf(w, `{"Error":"unknown pool id"}`)
+		} else if addressRequest.Address != "" {
+			fmt.Fprintf(w, `{"Error":"Cannot handle explicit address requests yet"}`)
+		} else {
+			fmt.Fprintf(w, `{"Address":"`+gw+`"}`)
+		}
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.ReleaseAddress", ipamapi.PluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&addressReleaseReq)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		// make sure libnetwork is now asking to release the expected address from the expected poolid
+		if addressRequest.PoolID != poolID {
+			fmt.Fprintf(w, `{"Error":"unknown pool id"}`)
+		} else if addressReleaseReq.Address != gw {
+			fmt.Fprintf(w, `{"Error":"unknown address"}`)
+		} else {
+			fmt.Fprintf(w, "null")
+		}
+	})
+
+	mux.HandleFunc(fmt.Sprintf("/%s.ReleasePool", ipamapi.PluginEndpointType), func(w http.ResponseWriter, r *http.Request) {
+		err := json.NewDecoder(r.Body).Decode(&poolReleaseReq)
+		if err != nil {
+			http.Error(w, "Unable to decode JSON payload: "+err.Error(), http.StatusBadRequest)
+			return
+		}
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		// make sure libnetwork is now asking to release the expected poolid
+		if addressRequest.PoolID != poolID {
+			fmt.Fprintf(w, `{"Error":"unknown pool id"}`)
+		} else {
+			fmt.Fprintf(w, "null")
+		}
+	})
+
+	err := os.MkdirAll("/etc/docker/plugins", 0755)
+	c.Assert(err, checker.IsNil)
+
+	fileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", netDrv)
+	err = ioutil.WriteFile(fileName, []byte(url), 0644)
+	c.Assert(err, checker.IsNil)
+
+	ipamFileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", ipamDrv)
+	err = ioutil.WriteFile(ipamFileName, []byte(url), 0644)
+	c.Assert(err, checker.IsNil)
+}
+
+func (s *DockerSwarmSuite) TestSwarmNetworkPlugin(c *check.C) {
+	mux := http.NewServeMux()
+	s.server = httptest.NewServer(mux)
+	c.Assert(s.server, check.NotNil, check.Commentf("Failed to start an HTTP Server"))
+	setupRemoteGlobalNetworkPlugin(c, mux, s.server.URL, globalNetworkPlugin, globalIPAMPlugin)
+	defer func() {
+		s.server.Close()
+		err := os.RemoveAll("/etc/docker/plugins")
+		c.Assert(err, checker.IsNil)
+	}()
+
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("network", "create", "-d", globalNetworkPlugin, "foo")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "not supported in swarm mode")
+}
+
+// Test case for #24712
+func (s *DockerSwarmSuite) TestSwarmServiceEnvFile(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	path := filepath.Join(d.Folder, "env.txt")
+	err := ioutil.WriteFile(path, []byte("VAR1=A\nVAR2=A\n"), 0644)
+	c.Assert(err, checker.IsNil)
+
+	name := "worker"
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--env-file", path, "--env", "VAR1=B", "--env", "VAR1=C", "--env", "VAR2=", "--env", "VAR2", "--name", name, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	// The complete env is [VAR1=A VAR2=A VAR1=B VAR1=C VAR2= VAR2] and duplicates will be removed => [VAR1=C VAR2]
+	out, err = d.Cmd("inspect", "--format", "{{ .Spec.TaskTemplate.ContainerSpec.Env }}", name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "[VAR1=C VAR2]")
+}
+
+func (s *DockerSwarmSuite) TestSwarmServiceTTY(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "top"
+
+	ttyCheck := "if [ -t 0 ]; then echo TTY > /status && top; else echo none > /status && top; fi"
+
+	// Without --tty
+	expectedOutput := "none"
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "busybox", "sh", "-c", ttyCheck)
+	c.Assert(err, checker.IsNil)
+
+	// Make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	// We need to get the container id.
+	out, err = d.Cmd("ps", "-q", "--no-trunc")
+	c.Assert(err, checker.IsNil)
+	id := strings.TrimSpace(out)
+
+	out, err = d.Cmd("exec", id, "cat", "/status")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, expectedOutput, check.Commentf("Expected '%s', but got %q", expectedOutput, out))
+
+	// Remove service
+	out, err = d.Cmd("service", "rm", name)
+	c.Assert(err, checker.IsNil)
+	// Make sure container has been destroyed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 0)
+
+	// With --tty
+	expectedOutput = "TTY"
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "--tty", "busybox", "sh", "-c", ttyCheck)
+	c.Assert(err, checker.IsNil)
+
+	// Make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	// We need to get the container id.
+	out, err = d.Cmd("ps", "-q", "--no-trunc")
+	c.Assert(err, checker.IsNil)
+	id = strings.TrimSpace(out)
+
+	out, err = d.Cmd("exec", id, "cat", "/status")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, expectedOutput, check.Commentf("Expected '%s', but got %q", expectedOutput, out))
+}
+
+func (s *DockerSwarmSuite) TestSwarmServiceTTYUpdate(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// Create a service
+	name := "top"
+	_, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+
+	// Make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	out, err := d.Cmd("service", "inspect", "--format", "{{ .Spec.TaskTemplate.ContainerSpec.TTY }}", name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "false")
+
+	_, err = d.Cmd("service", "update", "--detach", "--tty", name)
+	c.Assert(err, checker.IsNil)
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ .Spec.TaskTemplate.ContainerSpec.TTY }}", name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "true")
+}
+
+func (s *DockerSwarmSuite) TestSwarmServiceNetworkUpdate(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	result := icmd.RunCmd(d.Command("network", "create", "-d", "overlay", "foo"))
+	result.Assert(c, icmd.Success)
+	fooNetwork := strings.TrimSpace(string(result.Combined()))
+
+	result = icmd.RunCmd(d.Command("network", "create", "-d", "overlay", "bar"))
+	result.Assert(c, icmd.Success)
+	barNetwork := strings.TrimSpace(string(result.Combined()))
+
+	result = icmd.RunCmd(d.Command("network", "create", "-d", "overlay", "baz"))
+	result.Assert(c, icmd.Success)
+	bazNetwork := strings.TrimSpace(string(result.Combined()))
+
+	// Create a service
+	name := "top"
+	result = icmd.RunCmd(d.Command("service", "create", "--detach", "--no-resolve-image", "--network", "foo", "--network", "bar", "--name", name, "busybox", "top"))
+	result.Assert(c, icmd.Success)
+
+	// Make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskNetworks, checker.DeepEquals,
+		map[string]int{fooNetwork: 1, barNetwork: 1})
+
+	// Remove a network
+	result = icmd.RunCmd(d.Command("service", "update", "--detach", "--network-rm", "foo", name))
+	result.Assert(c, icmd.Success)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskNetworks, checker.DeepEquals,
+		map[string]int{barNetwork: 1})
+
+	// Add a network
+	result = icmd.RunCmd(d.Command("service", "update", "--detach", "--network-add", "baz", name))
+	result.Assert(c, icmd.Success)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckRunningTaskNetworks, checker.DeepEquals,
+		map[string]int{barNetwork: 1, bazNetwork: 1})
+}
+
+func (s *DockerSwarmSuite) TestDNSConfig(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// Create a service
+	name := "top"
+	_, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "--dns=1.2.3.4", "--dns-search=example.com", "--dns-option=timeout:3", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+
+	// Make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	// We need to get the container id.
+	out, err := d.Cmd("ps", "-a", "-q", "--no-trunc")
+	c.Assert(err, checker.IsNil)
+	id := strings.TrimSpace(out)
+
+	// Compare against expected output.
+	expectedOutput1 := "nameserver 1.2.3.4"
+	expectedOutput2 := "search example.com"
+	expectedOutput3 := "options timeout:3"
+	out, err = d.Cmd("exec", id, "cat", "/etc/resolv.conf")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, expectedOutput1, check.Commentf("Expected '%s', but got %q", expectedOutput1, out))
+	c.Assert(out, checker.Contains, expectedOutput2, check.Commentf("Expected '%s', but got %q", expectedOutput2, out))
+	c.Assert(out, checker.Contains, expectedOutput3, check.Commentf("Expected '%s', but got %q", expectedOutput3, out))
+}
+
+func (s *DockerSwarmSuite) TestDNSConfigUpdate(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// Create a service
+	name := "top"
+	_, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+
+	// Make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	_, err = d.Cmd("service", "update", "--detach", "--dns-add=1.2.3.4", "--dns-search-add=example.com", "--dns-option-add=timeout:3", name)
+	c.Assert(err, checker.IsNil)
+
+	out, err := d.Cmd("service", "inspect", "--format", "{{ .Spec.TaskTemplate.ContainerSpec.DNSConfig }}", name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "{[1.2.3.4] [example.com] [timeout:3]}")
+}
+
+func getNodeStatus(c *check.C, d *daemon.Daemon) swarm.LocalNodeState {
+	info := d.SwarmInfo(c)
+	return info.LocalNodeState
+}
+
+func checkKeyIsEncrypted(d *daemon.Daemon) func(*check.C) (interface{}, check.CommentInterface) {
+	return func(c *check.C) (interface{}, check.CommentInterface) {
+		keyBytes, err := ioutil.ReadFile(filepath.Join(d.Folder, "root", "swarm", "certificates", "swarm-node.key"))
+		if err != nil {
+			return fmt.Errorf("error reading key: %v", err), nil
+		}
+
+		keyBlock, _ := pem.Decode(keyBytes)
+		if keyBlock == nil {
+			return fmt.Errorf("invalid PEM-encoded private key"), nil
+		}
+
+		return keyutils.IsEncryptedPEMBlock(keyBlock), nil
+	}
+}
+
+func checkSwarmLockedToUnlocked(c *check.C, d *daemon.Daemon, unlockKey string) {
+	// Wait for the PEM file to become unencrypted
+	waitAndAssert(c, defaultReconciliationTimeout, checkKeyIsEncrypted(d), checker.Equals, false)
+
+	d.Restart(c)
+	c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateActive)
+}
+
+func checkSwarmUnlockedToLocked(c *check.C, d *daemon.Daemon) {
+	// Wait for the PEM file to become encrypted
+	waitAndAssert(c, defaultReconciliationTimeout, checkKeyIsEncrypted(d), checker.Equals, true)
+
+	d.Restart(c)
+	c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateLocked)
+}
+
+func (s *DockerSwarmSuite) TestUnlockEngineAndUnlockedSwarm(c *check.C) {
+	d := s.AddDaemon(c, false, false)
+
+	// unlocking a normal engine should return an error - it does not even ask for the key
+	cmd := d.Command("swarm", "unlock")
+	result := icmd.RunCmd(cmd)
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+	c.Assert(result.Combined(), checker.Contains, "Error: This node is not part of a swarm")
+	c.Assert(result.Combined(), checker.Not(checker.Contains), "Please enter unlock key")
+
+	_, err := d.Cmd("swarm", "init")
+	c.Assert(err, checker.IsNil)
+
+	// unlocking an unlocked swarm should return an error - it does not even ask for the key
+	cmd = d.Command("swarm", "unlock")
+	result = icmd.RunCmd(cmd)
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+	})
+	c.Assert(result.Combined(), checker.Contains, "Error: swarm is not locked")
+	c.Assert(result.Combined(), checker.Not(checker.Contains), "Please enter unlock key")
+}
+
+func (s *DockerSwarmSuite) TestSwarmInitLocked(c *check.C) {
+	d := s.AddDaemon(c, false, false)
+
+	outs, err := d.Cmd("swarm", "init", "--autolock")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+	c.Assert(outs, checker.Contains, "docker swarm unlock")
+
+	var unlockKey string
+	for _, line := range strings.Split(outs, "\n") {
+		if strings.Contains(line, "SWMKEY") {
+			unlockKey = strings.TrimSpace(line)
+			break
+		}
+	}
+
+	c.Assert(unlockKey, checker.Not(checker.Equals), "")
+
+	outs, err = d.Cmd("swarm", "unlock-key", "-q")
+	c.Assert(outs, checker.Equals, unlockKey+"\n")
+
+	c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateActive)
+
+	// It starts off locked
+	d.Restart(c)
+	c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateLocked)
+
+	cmd := d.Command("swarm", "unlock")
+	cmd.Stdin = bytes.NewBufferString("wrong-secret-key")
+	icmd.RunCmd(cmd).Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "invalid key",
+	})
+
+	c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateLocked)
+
+	cmd = d.Command("swarm", "unlock")
+	cmd.Stdin = bytes.NewBufferString(unlockKey)
+	icmd.RunCmd(cmd).Assert(c, icmd.Success)
+
+	c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateActive)
+
+	outs, err = d.Cmd("node", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(outs, checker.Not(checker.Contains), "Swarm is encrypted and needs to be unlocked")
+
+	outs, err = d.Cmd("swarm", "update", "--autolock=false")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+	checkSwarmLockedToUnlocked(c, d, unlockKey)
+
+	outs, err = d.Cmd("node", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(outs, checker.Not(checker.Contains), "Swarm is encrypted and needs to be unlocked")
+}
+
+func (s *DockerSwarmSuite) TestSwarmLeaveLocked(c *check.C) {
+	d := s.AddDaemon(c, false, false)
+
+	outs, err := d.Cmd("swarm", "init", "--autolock")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+	// It starts off locked
+	d.Restart(c, "--swarm-default-advertise-addr=lo")
+
+	info := d.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateLocked)
+
+	outs, _ = d.Cmd("node", "ls")
+	c.Assert(outs, checker.Contains, "Swarm is encrypted and needs to be unlocked")
+
+	// `docker swarm leave` a locked swarm without --force will return an error
+	outs, _ = d.Cmd("swarm", "leave")
+	c.Assert(outs, checker.Contains, "Swarm is encrypted and locked.")
+
+	// It is OK for user to leave a locked swarm with --force
+	outs, err = d.Cmd("swarm", "leave", "--force")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+	info = d.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	outs, err = d.Cmd("swarm", "init")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+	info = d.SwarmInfo(c)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+}
+
+func (s *DockerSwarmSuite) TestSwarmLockUnlockCluster(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, true)
+	d3 := s.AddDaemon(c, true, true)
+
+	// they start off unlocked
+	d2.Restart(c)
+	c.Assert(getNodeStatus(c, d2), checker.Equals, swarm.LocalNodeStateActive)
+
+	// stop this one so it does not get autolock info
+	d2.Stop(c)
+
+	// enable autolock
+	outs, err := d1.Cmd("swarm", "update", "--autolock")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+	c.Assert(outs, checker.Contains, "docker swarm unlock")
+
+	var unlockKey string
+	for _, line := range strings.Split(outs, "\n") {
+		if strings.Contains(line, "SWMKEY") {
+			unlockKey = strings.TrimSpace(line)
+			break
+		}
+	}
+
+	c.Assert(unlockKey, checker.Not(checker.Equals), "")
+
+	outs, err = d1.Cmd("swarm", "unlock-key", "-q")
+	c.Assert(outs, checker.Equals, unlockKey+"\n")
+
+	// The ones that got the cluster update should be set to locked
+	for _, d := range []*daemon.Daemon{d1, d3} {
+		checkSwarmUnlockedToLocked(c, d)
+
+		cmd := d.Command("swarm", "unlock")
+		cmd.Stdin = bytes.NewBufferString(unlockKey)
+		icmd.RunCmd(cmd).Assert(c, icmd.Success)
+		c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateActive)
+	}
+
+	// d2 never got the cluster update, so it is still set to unlocked
+	d2.Start(c)
+	c.Assert(getNodeStatus(c, d2), checker.Equals, swarm.LocalNodeStateActive)
+
+	// d2 is now set to lock
+	checkSwarmUnlockedToLocked(c, d2)
+
+	// leave it locked, and set the cluster to no longer autolock
+	outs, err = d1.Cmd("swarm", "update", "--autolock=false")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+	// the ones that got the update are now set to unlocked
+	for _, d := range []*daemon.Daemon{d1, d3} {
+		checkSwarmLockedToUnlocked(c, d, unlockKey)
+	}
+
+	// d2 still locked
+	c.Assert(getNodeStatus(c, d2), checker.Equals, swarm.LocalNodeStateLocked)
+
+	// unlock it
+	cmd := d2.Command("swarm", "unlock")
+	cmd.Stdin = bytes.NewBufferString(unlockKey)
+	icmd.RunCmd(cmd).Assert(c, icmd.Success)
+	c.Assert(getNodeStatus(c, d2), checker.Equals, swarm.LocalNodeStateActive)
+
+	// once it's caught up, d2 is set to not be locked
+	checkSwarmLockedToUnlocked(c, d2, unlockKey)
+
+	// managers who join now are never set to locked in the first place
+	d4 := s.AddDaemon(c, true, true)
+	d4.Restart(c)
+	c.Assert(getNodeStatus(c, d4), checker.Equals, swarm.LocalNodeStateActive)
+}
+
+func (s *DockerSwarmSuite) TestSwarmJoinPromoteLocked(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+
+	// enable autolock
+	outs, err := d1.Cmd("swarm", "update", "--autolock")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+	c.Assert(outs, checker.Contains, "docker swarm unlock")
+
+	var unlockKey string
+	for _, line := range strings.Split(outs, "\n") {
+		if strings.Contains(line, "SWMKEY") {
+			unlockKey = strings.TrimSpace(line)
+			break
+		}
+	}
+
+	c.Assert(unlockKey, checker.Not(checker.Equals), "")
+
+	outs, err = d1.Cmd("swarm", "unlock-key", "-q")
+	c.Assert(outs, checker.Equals, unlockKey+"\n")
+
+	// joined workers start off unlocked
+	d2 := s.AddDaemon(c, true, false)
+	d2.Restart(c)
+	c.Assert(getNodeStatus(c, d2), checker.Equals, swarm.LocalNodeStateActive)
+
+	// promote worker
+	outs, err = d1.Cmd("node", "promote", d2.NodeID())
+	c.Assert(err, checker.IsNil)
+	c.Assert(outs, checker.Contains, "promoted to a manager in the swarm")
+
+	// join new manager node
+	d3 := s.AddDaemon(c, true, true)
+
+	// both new nodes are locked
+	for _, d := range []*daemon.Daemon{d2, d3} {
+		checkSwarmUnlockedToLocked(c, d)
+
+		cmd := d.Command("swarm", "unlock")
+		cmd.Stdin = bytes.NewBufferString(unlockKey)
+		icmd.RunCmd(cmd).Assert(c, icmd.Success)
+		c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateActive)
+	}
+
+	// demote manager back to worker - workers are not locked
+	outs, err = d1.Cmd("node", "demote", d3.NodeID())
+	c.Assert(err, checker.IsNil)
+	c.Assert(outs, checker.Contains, "demoted in the swarm")
+
+	// Wait for it to actually be demoted, for the key and cert to be replaced.
+	// Then restart and assert that the node is not locked.  If we don't wait for the cert
+	// to be replaced, then the node still has the manager TLS key which is still locked
+	// (because we never want a manager TLS key to be on disk unencrypted if the cluster
+	// is set to autolock)
+	waitAndAssert(c, defaultReconciliationTimeout, d3.CheckControlAvailable, checker.False)
+	waitAndAssert(c, defaultReconciliationTimeout, func(c *check.C) (interface{}, check.CommentInterface) {
+		certBytes, err := ioutil.ReadFile(filepath.Join(d3.Folder, "root", "swarm", "certificates", "swarm-node.crt"))
+		if err != nil {
+			return "", check.Commentf("error: %v", err)
+		}
+		certs, err := helpers.ParseCertificatesPEM(certBytes)
+		if err == nil && len(certs) > 0 && len(certs[0].Subject.OrganizationalUnit) > 0 {
+			return certs[0].Subject.OrganizationalUnit[0], nil
+		}
+		return "", check.Commentf("could not get organizational unit from certificate")
+	}, checker.Equals, "swarm-worker")
+
+	// by now, it should *never* be locked on restart
+	d3.Restart(c)
+	c.Assert(getNodeStatus(c, d3), checker.Equals, swarm.LocalNodeStateActive)
+}
+
+func (s *DockerSwarmSuite) TestSwarmRotateUnlockKey(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	outs, err := d.Cmd("swarm", "update", "--autolock")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+	c.Assert(outs, checker.Contains, "docker swarm unlock")
+
+	var unlockKey string
+	for _, line := range strings.Split(outs, "\n") {
+		if strings.Contains(line, "SWMKEY") {
+			unlockKey = strings.TrimSpace(line)
+			break
+		}
+	}
+
+	c.Assert(unlockKey, checker.Not(checker.Equals), "")
+
+	outs, err = d.Cmd("swarm", "unlock-key", "-q")
+	c.Assert(outs, checker.Equals, unlockKey+"\n")
+
+	// Rotate multiple times
+	for i := 0; i != 3; i++ {
+		outs, err = d.Cmd("swarm", "unlock-key", "-q", "--rotate")
+		c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+		// Strip \n
+		newUnlockKey := outs[:len(outs)-1]
+		c.Assert(newUnlockKey, checker.Not(checker.Equals), "")
+		c.Assert(newUnlockKey, checker.Not(checker.Equals), unlockKey)
+
+		d.Restart(c)
+		c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateLocked)
+
+		outs, _ = d.Cmd("node", "ls")
+		c.Assert(outs, checker.Contains, "Swarm is encrypted and needs to be unlocked")
+
+		cmd := d.Command("swarm", "unlock")
+		cmd.Stdin = bytes.NewBufferString(unlockKey)
+		result := icmd.RunCmd(cmd)
+
+		if result.Error == nil {
+			// On occasion, the daemon may not have finished
+			// rotating the KEK before restarting. The test is
+			// intentionally written to explore this behavior.
+			// When this happens, unlocking with the old key will
+			// succeed. If we wait for the rotation to happen and
+			// restart again, the new key should be required this
+			// time.
+
+			time.Sleep(3 * time.Second)
+
+			d.Restart(c)
+
+			cmd = d.Command("swarm", "unlock")
+			cmd.Stdin = bytes.NewBufferString(unlockKey)
+			result = icmd.RunCmd(cmd)
+		}
+		result.Assert(c, icmd.Expected{
+			ExitCode: 1,
+			Err:      "invalid key",
+		})
+
+		outs, _ = d.Cmd("node", "ls")
+		c.Assert(outs, checker.Contains, "Swarm is encrypted and needs to be unlocked")
+
+		cmd = d.Command("swarm", "unlock")
+		cmd.Stdin = bytes.NewBufferString(newUnlockKey)
+		icmd.RunCmd(cmd).Assert(c, icmd.Success)
+
+		c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateActive)
+
+		outs, err = d.Cmd("node", "ls")
+		c.Assert(err, checker.IsNil)
+		c.Assert(outs, checker.Not(checker.Contains), "Swarm is encrypted and needs to be unlocked")
+
+		unlockKey = newUnlockKey
+	}
+}
+
+// This differs from `TestSwarmRotateUnlockKey` because that one rotates a single node, which is the leader.
+// This one keeps the leader up, and asserts that other manager nodes in the cluster also have their unlock
+// key rotated.
+func (s *DockerSwarmSuite) TestSwarmClusterRotateUnlockKey(c *check.C) {
+	d1 := s.AddDaemon(c, true, true) // leader - don't restart this one, we don't want leader election delays
+	d2 := s.AddDaemon(c, true, true)
+	d3 := s.AddDaemon(c, true, true)
+
+	outs, err := d1.Cmd("swarm", "update", "--autolock")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+	c.Assert(outs, checker.Contains, "docker swarm unlock")
+
+	var unlockKey string
+	for _, line := range strings.Split(outs, "\n") {
+		if strings.Contains(line, "SWMKEY") {
+			unlockKey = strings.TrimSpace(line)
+			break
+		}
+	}
+
+	c.Assert(unlockKey, checker.Not(checker.Equals), "")
+
+	outs, err = d1.Cmd("swarm", "unlock-key", "-q")
+	c.Assert(outs, checker.Equals, unlockKey+"\n")
+
+	// Rotate multiple times
+	for i := 0; i != 3; i++ {
+		outs, err = d1.Cmd("swarm", "unlock-key", "-q", "--rotate")
+		c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+		// Strip \n
+		newUnlockKey := outs[:len(outs)-1]
+		c.Assert(newUnlockKey, checker.Not(checker.Equals), "")
+		c.Assert(newUnlockKey, checker.Not(checker.Equals), unlockKey)
+
+		d2.Restart(c)
+		d3.Restart(c)
+
+		for _, d := range []*daemon.Daemon{d2, d3} {
+			c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateLocked)
+
+			outs, _ := d.Cmd("node", "ls")
+			c.Assert(outs, checker.Contains, "Swarm is encrypted and needs to be unlocked")
+
+			cmd := d.Command("swarm", "unlock")
+			cmd.Stdin = bytes.NewBufferString(unlockKey)
+			result := icmd.RunCmd(cmd)
+
+			if result.Error == nil {
+				// On occasion, the daemon may not have finished
+				// rotating the KEK before restarting. The test is
+				// intentionally written to explore this behavior.
+				// When this happens, unlocking with the old key will
+				// succeed. If we wait for the rotation to happen and
+				// restart again, the new key should be required this
+				// time.
+
+				time.Sleep(3 * time.Second)
+
+				d.Restart(c)
+
+				cmd = d.Command("swarm", "unlock")
+				cmd.Stdin = bytes.NewBufferString(unlockKey)
+				result = icmd.RunCmd(cmd)
+			}
+			result.Assert(c, icmd.Expected{
+				ExitCode: 1,
+				Err:      "invalid key",
+			})
+
+			outs, _ = d.Cmd("node", "ls")
+			c.Assert(outs, checker.Contains, "Swarm is encrypted and needs to be unlocked")
+
+			cmd = d.Command("swarm", "unlock")
+			cmd.Stdin = bytes.NewBufferString(newUnlockKey)
+			icmd.RunCmd(cmd).Assert(c, icmd.Success)
+
+			c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateActive)
+
+			outs, err = d.Cmd("node", "ls")
+			c.Assert(err, checker.IsNil)
+			c.Assert(outs, checker.Not(checker.Contains), "Swarm is encrypted and needs to be unlocked")
+		}
+
+		unlockKey = newUnlockKey
+	}
+}
+
+func (s *DockerSwarmSuite) TestSwarmAlternateLockUnlock(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	var unlockKey string
+	for i := 0; i < 2; i++ {
+		// set to lock
+		outs, err := d.Cmd("swarm", "update", "--autolock")
+		c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+		c.Assert(outs, checker.Contains, "docker swarm unlock")
+
+		for _, line := range strings.Split(outs, "\n") {
+			if strings.Contains(line, "SWMKEY") {
+				unlockKey = strings.TrimSpace(line)
+				break
+			}
+		}
+
+		c.Assert(unlockKey, checker.Not(checker.Equals), "")
+		checkSwarmUnlockedToLocked(c, d)
+
+		cmd := d.Command("swarm", "unlock")
+		cmd.Stdin = bytes.NewBufferString(unlockKey)
+		icmd.RunCmd(cmd).Assert(c, icmd.Success)
+
+		c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateActive)
+
+		outs, err = d.Cmd("swarm", "update", "--autolock=false")
+		c.Assert(err, checker.IsNil, check.Commentf("out: %v", outs))
+
+		checkSwarmLockedToUnlocked(c, d, unlockKey)
+	}
+}
+
+func (s *DockerSwarmSuite) TestExtraHosts(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// Create a service
+	name := "top"
+	_, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", name, "--host=example.com:1.2.3.4", "busybox", "top")
+	c.Assert(err, checker.IsNil)
+
+	// Make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	// We need to get the container id.
+	out, err := d.Cmd("ps", "-a", "-q", "--no-trunc")
+	c.Assert(err, checker.IsNil)
+	id := strings.TrimSpace(out)
+
+	// Compare against expected output.
+	expectedOutput := "1.2.3.4\texample.com"
+	out, err = d.Cmd("exec", id, "cat", "/etc/hosts")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, expectedOutput, check.Commentf("Expected '%s', but got %q", expectedOutput, out))
+}
+
+func (s *DockerSwarmSuite) TestSwarmManagerAddress(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, false)
+	d3 := s.AddDaemon(c, true, false)
+
+	// Manager Addresses will always show Node 1's address
+	expectedOutput := fmt.Sprintf("Manager Addresses:\n  127.0.0.1:%d\n", d1.SwarmPort)
+
+	out, err := d1.Cmd("info")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, expectedOutput)
+
+	out, err = d2.Cmd("info")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, expectedOutput)
+
+	out, err = d3.Cmd("info")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, expectedOutput)
+}
+
+func (s *DockerSwarmSuite) TestSwarmNetworkIPAMOptions(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("network", "create", "-d", "overlay", "--ipam-opt", "foo=bar", "foo")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	out, err = d.Cmd("network", "inspect", "--format", "{{.IPAM.Options}}", "foo")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Contains, "foo:bar")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "com.docker.network.ipam.serial:true")
+
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--network=foo", "--name", "top", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	out, err = d.Cmd("network", "inspect", "--format", "{{.IPAM.Options}}", "foo")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Contains, "foo:bar")
+	c.Assert(strings.TrimSpace(out), checker.Contains, "com.docker.network.ipam.serial:true")
+}
+
+// Test case for issue #27866, which did not allow NW name that is the prefix of a swarm NW ID.
+// e.g. if the ingress ID starts with "n1", it was impossible to create a NW named "n1".
+func (s *DockerSwarmSuite) TestSwarmNetworkCreateIssue27866(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	out, err := d.Cmd("network", "inspect", "-f", "{{.Id}}", "ingress")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+	ingressID := strings.TrimSpace(out)
+	c.Assert(ingressID, checker.Not(checker.Equals), "")
+
+	// create a network of which name is the prefix of the ID of an overlay network
+	// (ingressID in this case)
+	newNetName := ingressID[0:2]
+	out, err = d.Cmd("network", "create", "--driver", "overlay", newNetName)
+	// In #27866, it was failing because of "network with name %s already exists"
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+	out, err = d.Cmd("network", "rm", newNetName)
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+}
+
+// Test case for https://github.com/docker/docker/pull/27938#issuecomment-265768303
+// This test creates two networks with the same name sequentially, with various drivers.
+// Since the operations in this test are done sequentially, the 2nd call should fail with
+// "network with name FOO already exists".
+// Note that it is to ok have multiple networks with the same name if the operations are done
+// in parallel. (#18864)
+func (s *DockerSwarmSuite) TestSwarmNetworkCreateDup(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+	drivers := []string{"bridge", "overlay"}
+	for i, driver1 := range drivers {
+		nwName := fmt.Sprintf("network-test-%d", i)
+		for _, driver2 := range drivers {
+			c.Logf("Creating a network named %q with %q, then %q",
+				nwName, driver1, driver2)
+			out, err := d.Cmd("network", "create", "--driver", driver1, nwName)
+			c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+			out, err = d.Cmd("network", "create", "--driver", driver2, nwName)
+			c.Assert(out, checker.Contains,
+				fmt.Sprintf("network with name %s already exists", nwName))
+			c.Assert(err, checker.NotNil)
+			c.Logf("As expected, the attempt to network %q with %q failed: %s",
+				nwName, driver2, out)
+			out, err = d.Cmd("network", "rm", nwName)
+			c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+		}
+	}
+}
+
+func (s *DockerSwarmSuite) TestSwarmPublishDuplicatePorts(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("service", "create", "--no-resolve-image", "--detach=true", "--publish", "5005:80", "--publish", "5006:80", "--publish", "80", "--publish", "80", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	id := strings.TrimSpace(out)
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	// Total len = 4, with 2 dynamic ports and 2 non-dynamic ports
+	// Dynamic ports are likely to be 30000 and 30001 but doesn't matter
+	out, err = d.Cmd("service", "inspect", "--format", "{{.Endpoint.Ports}} len={{len .Endpoint.Ports}}", id)
+	c.Assert(err, check.IsNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "len=4")
+	c.Assert(out, checker.Contains, "{ tcp 80 5005 ingress}")
+	c.Assert(out, checker.Contains, "{ tcp 80 5006 ingress}")
+}
+
+func (s *DockerSwarmSuite) TestSwarmJoinWithDrain(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("node", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Not(checker.Contains), "Drain")
+
+	out, err = d.Cmd("swarm", "join-token", "-q", "manager")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	token := strings.TrimSpace(out)
+
+	d1 := s.AddDaemon(c, false, false)
+
+	out, err = d1.Cmd("swarm", "join", "--availability=drain", "--token", token, d.SwarmListenAddr())
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	out, err = d.Cmd("node", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "Drain")
+
+	out, err = d1.Cmd("node", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "Drain")
+}
+
+func (s *DockerSwarmSuite) TestSwarmInitWithDrain(c *check.C) {
+	d := s.AddDaemon(c, false, false)
+
+	out, err := d.Cmd("swarm", "init", "--availability", "drain")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+
+	out, err = d.Cmd("node", "ls")
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "Drain")
+}
+
+func (s *DockerSwarmSuite) TestSwarmReadonlyRootfs(c *check.C) {
+	testRequires(c, DaemonIsLinux, UserNamespaceROMount)
+
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", "top", "--read-only", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ .Spec.TaskTemplate.ContainerSpec.ReadOnly }}", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "true")
+
+	containers := d.ActiveContainers(c)
+	out, err = d.Cmd("inspect", "--type", "container", "--format", "{{.HostConfig.ReadonlyRootfs}}", containers[0])
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "true")
+}
+
+func (s *DockerSwarmSuite) TestNetworkInspectWithDuplicateNames(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	name := "foo"
+	options := types.NetworkCreate{
+		CheckDuplicate: false,
+		Driver:         "bridge",
+	}
+
+	cli, err := d.NewClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	n1, err := cli.NetworkCreate(context.Background(), name, options)
+	c.Assert(err, checker.IsNil)
+
+	// Full ID always works
+	out, err := d.Cmd("network", "inspect", "--format", "{{.ID}}", n1.ID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, n1.ID)
+
+	// Name works if it is unique
+	out, err = d.Cmd("network", "inspect", "--format", "{{.ID}}", name)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, n1.ID)
+
+	n2, err := cli.NetworkCreate(context.Background(), name, options)
+	c.Assert(err, checker.IsNil)
+	// Full ID always works
+	out, err = d.Cmd("network", "inspect", "--format", "{{.ID}}", n1.ID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, n1.ID)
+
+	out, err = d.Cmd("network", "inspect", "--format", "{{.ID}}", n2.ID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, n2.ID)
+
+	// Name with duplicates
+	out, err = d.Cmd("network", "inspect", "--format", "{{.ID}}", name)
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "2 matches found based on name")
+
+	out, err = d.Cmd("network", "rm", n2.ID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// Dupliates with name but with different driver
+	options.Driver = "overlay"
+
+	n2, err = cli.NetworkCreate(context.Background(), name, options)
+	c.Assert(err, checker.IsNil)
+
+	// Full ID always works
+	out, err = d.Cmd("network", "inspect", "--format", "{{.ID}}", n1.ID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, n1.ID)
+
+	out, err = d.Cmd("network", "inspect", "--format", "{{.ID}}", n2.ID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, n2.ID)
+
+	// Name with duplicates
+	out, err = d.Cmd("network", "inspect", "--format", "{{.ID}}", name)
+	c.Assert(err, checker.NotNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "2 matches found based on name")
+}
+
+func (s *DockerSwarmSuite) TestSwarmStopSignal(c *check.C) {
+	testRequires(c, DaemonIsLinux, UserNamespaceROMount)
+
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", "top", "--stop-signal=SIGHUP", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ .Spec.TaskTemplate.ContainerSpec.StopSignal }}", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "SIGHUP")
+
+	containers := d.ActiveContainers(c)
+	out, err = d.Cmd("inspect", "--type", "container", "--format", "{{.Config.StopSignal}}", containers[0])
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "SIGHUP")
+
+	out, err = d.Cmd("service", "update", "--detach", "--stop-signal=SIGUSR1", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "inspect", "--format", "{{ .Spec.TaskTemplate.ContainerSpec.StopSignal }}", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "SIGUSR1")
+}
+
+func (s *DockerSwarmSuite) TestSwarmServiceLsFilterMode(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", "top1", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	out, err = d.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", "top2", "--mode=global", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 2)
+
+	out, err = d.Cmd("service", "ls")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "top1")
+	c.Assert(out, checker.Contains, "top2")
+	c.Assert(out, checker.Not(checker.Contains), "localnet")
+
+	out, err = d.Cmd("service", "ls", "--filter", "mode=global")
+	c.Assert(out, checker.Not(checker.Contains), "top1")
+	c.Assert(out, checker.Contains, "top2")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out, err = d.Cmd("service", "ls", "--filter", "mode=replicated")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	c.Assert(out, checker.Contains, "top1")
+	c.Assert(out, checker.Not(checker.Contains), "top2")
+}
+
+func (s *DockerSwarmSuite) TestSwarmInitUnspecifiedDataPathAddr(c *check.C) {
+	d := s.AddDaemon(c, false, false)
+
+	out, err := d.Cmd("swarm", "init", "--data-path-addr", "0.0.0.0")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "data path address must be a non-zero IP")
+
+	out, err = d.Cmd("swarm", "init", "--data-path-addr", "0.0.0.0:2000")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "data path address must be a non-zero IP")
+}
+
+func (s *DockerSwarmSuite) TestSwarmJoinLeave(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("swarm", "join-token", "-q", "worker")
+	c.Assert(err, checker.IsNil)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	token := strings.TrimSpace(out)
+
+	// Verify that back to back join/leave does not cause panics
+	d1 := s.AddDaemon(c, false, false)
+	for i := 0; i < 10; i++ {
+		out, err = d1.Cmd("swarm", "join", "--token", token, d.SwarmListenAddr())
+		c.Assert(err, checker.IsNil)
+		c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+		_, err = d1.Cmd("swarm", "leave")
+		c.Assert(err, checker.IsNil)
+	}
+}
+
+const defaultRetryCount = 10
+
+func waitForEvent(c *check.C, d *daemon.Daemon, since string, filter string, event string, retry int) string {
+	if retry < 1 {
+		c.Fatalf("retry count %d is invalid. It should be no less than 1", retry)
+		return ""
+	}
+	var out string
+	for i := 0; i < retry; i++ {
+		until := daemonUnixTime(c)
+		var err error
+		if len(filter) > 0 {
+			out, err = d.Cmd("events", "--since", since, "--until", until, filter)
+		} else {
+			out, err = d.Cmd("events", "--since", since, "--until", until)
+		}
+		c.Assert(err, checker.IsNil, check.Commentf(out))
+		if strings.Contains(out, event) {
+			return strings.TrimSpace(out)
+		}
+		// no need to sleep after last retry
+		if i < retry-1 {
+			time.Sleep(200 * time.Millisecond)
+		}
+	}
+	c.Fatalf("docker events output '%s' doesn't contain event '%s'", out, event)
+	return ""
+}
+
+func (s *DockerSwarmSuite) TestSwarmClusterEventsSource(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, true)
+	d3 := s.AddDaemon(c, true, false)
+
+	// create a network
+	out, err := d1.Cmd("network", "create", "--attachable", "-d", "overlay", "foo")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	networkID := strings.TrimSpace(out)
+	c.Assert(networkID, checker.Not(checker.Equals), "")
+
+	// d1, d2 are managers that can get swarm events
+	waitForEvent(c, d1, "0", "-f scope=swarm", "network create "+networkID, defaultRetryCount)
+	waitForEvent(c, d2, "0", "-f scope=swarm", "network create "+networkID, defaultRetryCount)
+
+	// d3 is a worker, not able to get cluster events
+	out = waitForEvent(c, d3, "0", "-f scope=swarm", "", 1)
+	c.Assert(out, checker.Not(checker.Contains), "network create ")
+}
+
+func (s *DockerSwarmSuite) TestSwarmClusterEventsScope(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// create a service
+	out, err := d.Cmd("service", "create", "--no-resolve-image", "--name", "test", "--detach=false", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	serviceID := strings.Split(out, "\n")[0]
+
+	// scope swarm filters cluster events
+	out = waitForEvent(c, d, "0", "-f scope=swarm", "service create "+serviceID, defaultRetryCount)
+	c.Assert(out, checker.Not(checker.Contains), "container create ")
+
+	// all events are returned if scope is not specified
+	waitForEvent(c, d, "0", "", "service create "+serviceID, 1)
+	waitForEvent(c, d, "0", "", "container create ", defaultRetryCount)
+
+	// scope local only shows non-cluster events
+	out = waitForEvent(c, d, "0", "-f scope=local", "container create ", 1)
+	c.Assert(out, checker.Not(checker.Contains), "service create ")
+}
+
+func (s *DockerSwarmSuite) TestSwarmClusterEventsType(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// create a service
+	out, err := d.Cmd("service", "create", "--no-resolve-image", "--name", "test", "--detach=false", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	serviceID := strings.Split(out, "\n")[0]
+
+	// create a network
+	out, err = d.Cmd("network", "create", "--attachable", "-d", "overlay", "foo")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	networkID := strings.TrimSpace(out)
+	c.Assert(networkID, checker.Not(checker.Equals), "")
+
+	// filter by service
+	out = waitForEvent(c, d, "0", "-f type=service", "service create "+serviceID, defaultRetryCount)
+	c.Assert(out, checker.Not(checker.Contains), "network create")
+
+	// filter by network
+	out = waitForEvent(c, d, "0", "-f type=network", "network create "+networkID, defaultRetryCount)
+	c.Assert(out, checker.Not(checker.Contains), "service create")
+}
+
+func (s *DockerSwarmSuite) TestSwarmClusterEventsService(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// create a service
+	out, err := d.Cmd("service", "create", "--no-resolve-image", "--name", "test", "--detach=false", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	serviceID := strings.Split(out, "\n")[0]
+
+	// validate service create event
+	waitForEvent(c, d, "0", "-f scope=swarm", "service create "+serviceID, defaultRetryCount)
+
+	t1 := daemonUnixTime(c)
+	out, err = d.Cmd("service", "update", "--force", "--detach=false", "test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// wait for service update start
+	out = waitForEvent(c, d, t1, "-f scope=swarm", "service update "+serviceID, defaultRetryCount)
+	c.Assert(out, checker.Contains, "updatestate.new=updating")
+
+	// allow service update complete. This is a service with 1 instance
+	time.Sleep(400 * time.Millisecond)
+	out = waitForEvent(c, d, t1, "-f scope=swarm", "service update "+serviceID, defaultRetryCount)
+	c.Assert(out, checker.Contains, "updatestate.new=completed, updatestate.old=updating")
+
+	// scale service
+	t2 := daemonUnixTime(c)
+	out, err = d.Cmd("service", "scale", "test=3")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	out = waitForEvent(c, d, t2, "-f scope=swarm", "service update "+serviceID, defaultRetryCount)
+	c.Assert(out, checker.Contains, "replicas.new=3, replicas.old=1")
+
+	// remove service
+	t3 := daemonUnixTime(c)
+	out, err = d.Cmd("service", "rm", "test")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	waitForEvent(c, d, t3, "-f scope=swarm", "service remove "+serviceID, defaultRetryCount)
+}
+
+func (s *DockerSwarmSuite) TestSwarmClusterEventsNode(c *check.C) {
+	d1 := s.AddDaemon(c, true, true)
+	s.AddDaemon(c, true, true)
+	d3 := s.AddDaemon(c, true, true)
+
+	d3ID := d3.NodeID()
+	waitForEvent(c, d1, "0", "-f scope=swarm", "node create "+d3ID, defaultRetryCount)
+
+	t1 := daemonUnixTime(c)
+	out, err := d1.Cmd("node", "update", "--availability=pause", d3ID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// filter by type
+	out = waitForEvent(c, d1, t1, "-f type=node", "node update "+d3ID, defaultRetryCount)
+	c.Assert(out, checker.Contains, "availability.new=pause, availability.old=active")
+
+	t2 := daemonUnixTime(c)
+	out, err = d1.Cmd("node", "demote", d3ID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	waitForEvent(c, d1, t2, "-f type=node", "node update "+d3ID, defaultRetryCount)
+
+	t3 := daemonUnixTime(c)
+	out, err = d1.Cmd("node", "rm", "-f", d3ID)
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// filter by scope
+	waitForEvent(c, d1, t3, "-f scope=swarm", "node remove "+d3ID, defaultRetryCount)
+}
+
+func (s *DockerSwarmSuite) TestSwarmClusterEventsNetwork(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	// create a network
+	out, err := d.Cmd("network", "create", "--attachable", "-d", "overlay", "foo")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+	networkID := strings.TrimSpace(out)
+
+	waitForEvent(c, d, "0", "-f scope=swarm", "network create "+networkID, defaultRetryCount)
+
+	// remove network
+	t1 := daemonUnixTime(c)
+	out, err = d.Cmd("network", "rm", "foo")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// filtered by network
+	waitForEvent(c, d, t1, "-f type=network", "network remove "+networkID, defaultRetryCount)
+}
+
+func (s *DockerSwarmSuite) TestSwarmClusterEventsSecret(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	testName := "test_secret"
+	id := d.CreateSecret(c, swarm.SecretSpec{
+		Annotations: swarm.Annotations{
+			Name: testName,
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("secrets: %s", id))
+
+	waitForEvent(c, d, "0", "-f scope=swarm", "secret create "+id, defaultRetryCount)
+
+	t1 := daemonUnixTime(c)
+	d.DeleteSecret(c, id)
+	// filtered by secret
+	waitForEvent(c, d, t1, "-f type=secret", "secret remove "+id, defaultRetryCount)
+}
+
+func (s *DockerSwarmSuite) TestSwarmClusterEventsConfig(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	testName := "test_config"
+	id := d.CreateConfig(c, swarm.ConfigSpec{
+		Annotations: swarm.Annotations{
+			Name: testName,
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	c.Assert(id, checker.Not(checker.Equals), "", check.Commentf("configs: %s", id))
+
+	waitForEvent(c, d, "0", "-f scope=swarm", "config create "+id, defaultRetryCount)
+
+	t1 := daemonUnixTime(c)
+	d.DeleteConfig(c, id)
+	// filtered by config
+	waitForEvent(c, d, t1, "-f type=config", "config remove "+id, defaultRetryCount)
+}
diff --git a/engine/integration-cli/docker_cli_swarm_unix_test.go b/engine/integration-cli/docker_cli_swarm_unix_test.go
new file mode 100644
index 00000000..3b890bcc
--- /dev/null
+++ b/engine/integration-cli/docker_cli_swarm_unix_test.go
@@ -0,0 +1,104 @@
+// +build !windows
+
+package main
+
+import (
+	"encoding/json"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSwarmSuite) TestSwarmVolumePlugin(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	out, err := d.Cmd("service", "create", "--detach", "--no-resolve-image", "--mount", "type=volume,source=my-volume,destination=/foo,volume-driver=customvolumedriver", "--name", "top", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf(out))
+
+	// Make sure task stays pending before plugin is available
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckServiceTasksInStateWithError("top", swarm.TaskStatePending, "missing plugin on 1 node"), checker.Equals, 1)
+
+	plugin := newVolumePlugin(c, "customvolumedriver")
+	defer plugin.Close()
+
+	// create a dummy volume to trigger lazy loading of the plugin
+	out, err = d.Cmd("volume", "create", "-d", "customvolumedriver", "hello")
+
+	// TODO(aaronl): It will take about 15 seconds for swarm to realize the
+	// plugin was loaded. Switching the test over to plugin v2 would avoid
+	// this long delay.
+
+	// make sure task has been deployed.
+	waitAndAssert(c, defaultReconciliationTimeout, d.CheckActiveContainerCount, checker.Equals, 1)
+
+	out, err = d.Cmd("ps", "-q")
+	c.Assert(err, checker.IsNil)
+	containerID := strings.TrimSpace(out)
+
+	out, err = d.Cmd("inspect", "-f", "{{json .Mounts}}", containerID)
+	c.Assert(err, checker.IsNil)
+
+	var mounts []struct {
+		Name   string
+		Driver string
+	}
+
+	c.Assert(json.NewDecoder(strings.NewReader(out)).Decode(&mounts), checker.IsNil)
+	c.Assert(len(mounts), checker.Equals, 1, check.Commentf(out))
+	c.Assert(mounts[0].Name, checker.Equals, "my-volume")
+	c.Assert(mounts[0].Driver, checker.Equals, "customvolumedriver")
+}
+
+// Test network plugin filter in swarm
+func (s *DockerSwarmSuite) TestSwarmNetworkPluginV2(c *check.C) {
+	testRequires(c, IsAmd64)
+	d1 := s.AddDaemon(c, true, true)
+	d2 := s.AddDaemon(c, true, false)
+
+	// install plugin on d1 and d2
+	pluginName := "aragunathan/global-net-plugin:latest"
+
+	_, err := d1.Cmd("plugin", "install", pluginName, "--grant-all-permissions")
+	c.Assert(err, checker.IsNil)
+
+	_, err = d2.Cmd("plugin", "install", pluginName, "--grant-all-permissions")
+	c.Assert(err, checker.IsNil)
+
+	// create network
+	networkName := "globalnet"
+	_, err = d1.Cmd("network", "create", "--driver", pluginName, networkName)
+	c.Assert(err, checker.IsNil)
+
+	// create a global service to ensure that both nodes will have an instance
+	serviceName := "my-service"
+	_, err = d1.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", serviceName, "--mode=global", "--network", networkName, "busybox", "top")
+	c.Assert(err, checker.IsNil)
+
+	// wait for tasks ready
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d2.CheckActiveContainerCount), checker.Equals, 2)
+
+	// remove service
+	_, err = d1.Cmd("service", "rm", serviceName)
+	c.Assert(err, checker.IsNil)
+
+	// wait to ensure all containers have exited before removing the plugin. Else there's a
+	// possibility of container exits erroring out due to plugins being unavailable.
+	waitAndAssert(c, defaultReconciliationTimeout, reducedCheck(sumAsIntegers, d1.CheckActiveContainerCount, d2.CheckActiveContainerCount), checker.Equals, 0)
+
+	// disable plugin on worker
+	_, err = d2.Cmd("plugin", "disable", "-f", pluginName)
+	c.Assert(err, checker.IsNil)
+
+	time.Sleep(20 * time.Second)
+
+	image := "busybox:latest"
+	// create a new global service again.
+	_, err = d1.Cmd("service", "create", "--detach", "--no-resolve-image", "--name", serviceName, "--mode=global", "--network", networkName, image, "top")
+	c.Assert(err, checker.IsNil)
+
+	waitAndAssert(c, defaultReconciliationTimeout, d1.CheckRunningTaskImages, checker.DeepEquals,
+		map[string]int{image: 1})
+}
diff --git a/engine/integration-cli/docker_cli_top_test.go b/engine/integration-cli/docker_cli_top_test.go
new file mode 100644
index 00000000..50744b01
--- /dev/null
+++ b/engine/integration-cli/docker_cli_top_test.go
@@ -0,0 +1,73 @@
+package main
+
+import (
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestTopMultipleArgs(c *check.C) {
+	out := runSleepingContainer(c, "-d")
+	cleanedContainerID := strings.TrimSpace(out)
+
+	var expected icmd.Expected
+	switch testEnv.OSType {
+	case "windows":
+		expected = icmd.Expected{ExitCode: 1, Err: "Windows does not support arguments to top"}
+	default:
+		expected = icmd.Expected{Out: "PID"}
+	}
+	result := dockerCmdWithResult("top", cleanedContainerID, "-o", "pid")
+	result.Assert(c, expected)
+}
+
+func (s *DockerSuite) TestTopNonPrivileged(c *check.C) {
+	out := runSleepingContainer(c, "-d")
+	cleanedContainerID := strings.TrimSpace(out)
+
+	out1, _ := dockerCmd(c, "top", cleanedContainerID)
+	out2, _ := dockerCmd(c, "top", cleanedContainerID)
+	dockerCmd(c, "kill", cleanedContainerID)
+
+	// Windows will list the name of the launched executable which in this case is busybox.exe, without the parameters.
+	// Linux will display the command executed in the container
+	var lookingFor string
+	if testEnv.OSType == "windows" {
+		lookingFor = "busybox.exe"
+	} else {
+		lookingFor = "top"
+	}
+
+	c.Assert(out1, checker.Contains, lookingFor, check.Commentf("top should've listed `%s` in the process list, but failed the first time", lookingFor))
+	c.Assert(out2, checker.Contains, lookingFor, check.Commentf("top should've listed `%s` in the process list, but failed the second time", lookingFor))
+}
+
+// TestTopWindowsCoreProcesses validates that there are lines for the critical
+// processes which are found in a Windows container. Note Windows is architecturally
+// very different to Linux in this regard.
+func (s *DockerSuite) TestTopWindowsCoreProcesses(c *check.C) {
+	testRequires(c, DaemonIsWindows)
+	out := runSleepingContainer(c, "-d")
+	cleanedContainerID := strings.TrimSpace(out)
+	out1, _ := dockerCmd(c, "top", cleanedContainerID)
+	lookingFor := []string{"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "CExecSvc.exe"}
+	for i, s := range lookingFor {
+		c.Assert(out1, checker.Contains, s, check.Commentf("top should've listed `%s` in the process list, but failed. Test case %d", s, i))
+	}
+}
+
+func (s *DockerSuite) TestTopPrivileged(c *check.C) {
+	// Windows does not support --privileged
+	testRequires(c, DaemonIsLinux, NotUserNamespace)
+	out, _ := dockerCmd(c, "run", "--privileged", "-i", "-d", "busybox", "top")
+	cleanedContainerID := strings.TrimSpace(out)
+
+	out1, _ := dockerCmd(c, "top", cleanedContainerID)
+	out2, _ := dockerCmd(c, "top", cleanedContainerID)
+	dockerCmd(c, "kill", cleanedContainerID)
+
+	c.Assert(out1, checker.Contains, "top", check.Commentf("top should've listed `top` in the process list, but failed the first time"))
+	c.Assert(out2, checker.Contains, "top", check.Commentf("top should've listed `top` in the process list, but failed the second time"))
+}
diff --git a/engine/integration-cli/docker_cli_update_unix_test.go b/engine/integration-cli/docker_cli_update_unix_test.go
new file mode 100644
index 00000000..564c50f3
--- /dev/null
+++ b/engine/integration-cli/docker_cli_update_unix_test.go
@@ -0,0 +1,339 @@
+// +build !windows
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"github.com/go-check/check"
+	"github.com/kr/pty"
+)
+
+func (s *DockerSuite) TestUpdateRunningContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "-m", "300M", "busybox", "top")
+	dockerCmd(c, "update", "-m", "500M", name)
+
+	c.Assert(inspectField(c, name, "HostConfig.Memory"), checker.Equals, "524288000")
+
+	file := "/sys/fs/cgroup/memory/memory.limit_in_bytes"
+	out, _ := dockerCmd(c, "exec", name, "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "524288000")
+}
+
+func (s *DockerSuite) TestUpdateRunningContainerWithRestart(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "-m", "300M", "busybox", "top")
+	dockerCmd(c, "update", "-m", "500M", name)
+	dockerCmd(c, "restart", name)
+
+	c.Assert(inspectField(c, name, "HostConfig.Memory"), checker.Equals, "524288000")
+
+	file := "/sys/fs/cgroup/memory/memory.limit_in_bytes"
+	out, _ := dockerCmd(c, "exec", name, "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "524288000")
+}
+
+func (s *DockerSuite) TestUpdateStoppedContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+
+	name := "test-update-container"
+	file := "/sys/fs/cgroup/memory/memory.limit_in_bytes"
+	dockerCmd(c, "run", "--name", name, "-m", "300M", "busybox", "cat", file)
+	dockerCmd(c, "update", "-m", "500M", name)
+
+	c.Assert(inspectField(c, name, "HostConfig.Memory"), checker.Equals, "524288000")
+
+	out, _ := dockerCmd(c, "start", "-a", name)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "524288000")
+}
+
+func (s *DockerSuite) TestUpdatePausedContainer(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, cpuShare)
+
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "--cpu-shares", "1000", "busybox", "top")
+	dockerCmd(c, "pause", name)
+	dockerCmd(c, "update", "--cpu-shares", "500", name)
+
+	c.Assert(inspectField(c, name, "HostConfig.CPUShares"), checker.Equals, "500")
+
+	dockerCmd(c, "unpause", name)
+	file := "/sys/fs/cgroup/cpu/cpu.shares"
+	out, _ := dockerCmd(c, "exec", name, "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "500")
+}
+
+func (s *DockerSuite) TestUpdateWithUntouchedFields(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+	testRequires(c, cpuShare)
+
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "-m", "300M", "--cpu-shares", "800", "busybox", "top")
+	dockerCmd(c, "update", "-m", "500M", name)
+
+	// Update memory and not touch cpus, `cpuset.cpus` should still have the old value
+	out := inspectField(c, name, "HostConfig.CPUShares")
+	c.Assert(out, check.Equals, "800")
+
+	file := "/sys/fs/cgroup/cpu/cpu.shares"
+	out, _ = dockerCmd(c, "exec", name, "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "800")
+}
+
+func (s *DockerSuite) TestUpdateContainerInvalidValue(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "-m", "300M", "busybox", "true")
+	out, _, err := dockerCmdWithError("update", "-m", "2M", name)
+	c.Assert(err, check.NotNil)
+	expected := "Minimum memory limit allowed is 4MB"
+	c.Assert(out, checker.Contains, expected)
+}
+
+func (s *DockerSuite) TestUpdateContainerWithoutFlags(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "-m", "300M", "busybox", "true")
+	_, _, err := dockerCmdWithError("update", name)
+	c.Assert(err, check.NotNil)
+}
+
+func (s *DockerSuite) TestUpdateKernelMemory(c *check.C) {
+	testRequires(c, DaemonIsLinux, kernelMemorySupport)
+
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "--kernel-memory", "50M", "busybox", "top")
+	dockerCmd(c, "update", "--kernel-memory", "100M", name)
+
+	c.Assert(inspectField(c, name, "HostConfig.KernelMemory"), checker.Equals, "104857600")
+
+	file := "/sys/fs/cgroup/memory/memory.kmem.limit_in_bytes"
+	out, _ := dockerCmd(c, "exec", name, "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "104857600")
+}
+
+func (s *DockerSuite) TestUpdateKernelMemoryUninitialized(c *check.C) {
+	testRequires(c, DaemonIsLinux, kernelMemorySupport)
+
+	isNewKernel := CheckKernelVersion(4, 6, 0)
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "busybox", "top")
+	_, _, err := dockerCmdWithError("update", "--kernel-memory", "100M", name)
+	// Update kernel memory to a running container without kernel memory initialized
+	// is not allowed before kernel version 4.6.
+	if !isNewKernel {
+		c.Assert(err, check.NotNil)
+	} else {
+		c.Assert(err, check.IsNil)
+	}
+
+	dockerCmd(c, "pause", name)
+	_, _, err = dockerCmdWithError("update", "--kernel-memory", "200M", name)
+	if !isNewKernel {
+		c.Assert(err, check.NotNil)
+	} else {
+		c.Assert(err, check.IsNil)
+	}
+	dockerCmd(c, "unpause", name)
+
+	dockerCmd(c, "stop", name)
+	dockerCmd(c, "update", "--kernel-memory", "300M", name)
+	dockerCmd(c, "start", name)
+
+	c.Assert(inspectField(c, name, "HostConfig.KernelMemory"), checker.Equals, "314572800")
+
+	file := "/sys/fs/cgroup/memory/memory.kmem.limit_in_bytes"
+	out, _ := dockerCmd(c, "exec", name, "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "314572800")
+}
+
+// GetKernelVersion gets the current kernel version.
+func GetKernelVersion() *kernel.VersionInfo {
+	v, _ := kernel.ParseRelease(testEnv.DaemonInfo.KernelVersion)
+	return v
+}
+
+// CheckKernelVersion checks if current kernel is newer than (or equal to)
+// the given version.
+func CheckKernelVersion(k, major, minor int) bool {
+	return kernel.CompareKernelVersion(*GetKernelVersion(), kernel.VersionInfo{Kernel: k, Major: major, Minor: minor}) >= 0
+}
+
+func (s *DockerSuite) TestUpdateSwapMemoryOnly(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+	testRequires(c, swapMemorySupport)
+
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "--memory", "300M", "--memory-swap", "500M", "busybox", "top")
+	dockerCmd(c, "update", "--memory-swap", "600M", name)
+
+	c.Assert(inspectField(c, name, "HostConfig.MemorySwap"), checker.Equals, "629145600")
+
+	file := "/sys/fs/cgroup/memory/memory.memsw.limit_in_bytes"
+	out, _ := dockerCmd(c, "exec", name, "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "629145600")
+}
+
+func (s *DockerSuite) TestUpdateInvalidSwapMemory(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+	testRequires(c, swapMemorySupport)
+
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "--memory", "300M", "--memory-swap", "500M", "busybox", "top")
+	_, _, err := dockerCmdWithError("update", "--memory-swap", "200M", name)
+	// Update invalid swap memory should fail.
+	// This will pass docker config validation, but failed at kernel validation
+	c.Assert(err, check.NotNil)
+
+	// Update invalid swap memory with failure should not change HostConfig
+	c.Assert(inspectField(c, name, "HostConfig.Memory"), checker.Equals, "314572800")
+	c.Assert(inspectField(c, name, "HostConfig.MemorySwap"), checker.Equals, "524288000")
+
+	dockerCmd(c, "update", "--memory-swap", "600M", name)
+
+	c.Assert(inspectField(c, name, "HostConfig.MemorySwap"), checker.Equals, "629145600")
+
+	file := "/sys/fs/cgroup/memory/memory.memsw.limit_in_bytes"
+	out, _ := dockerCmd(c, "exec", name, "cat", file)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "629145600")
+}
+
+func (s *DockerSuite) TestUpdateStats(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+	testRequires(c, cpuCfsQuota)
+	name := "foo"
+	dockerCmd(c, "run", "-d", "-ti", "--name", name, "-m", "500m", "busybox")
+
+	c.Assert(waitRun(name), checker.IsNil)
+
+	getMemLimit := func(id string) uint64 {
+		resp, body, err := request.Get(fmt.Sprintf("/containers/%s/stats?stream=false", id))
+		c.Assert(err, checker.IsNil)
+		c.Assert(resp.Header.Get("Content-Type"), checker.Equals, "application/json")
+
+		var v *types.Stats
+		err = json.NewDecoder(body).Decode(&v)
+		c.Assert(err, checker.IsNil)
+		body.Close()
+
+		return v.MemoryStats.Limit
+	}
+	preMemLimit := getMemLimit(name)
+
+	dockerCmd(c, "update", "--cpu-quota", "2000", name)
+
+	curMemLimit := getMemLimit(name)
+
+	c.Assert(preMemLimit, checker.Equals, curMemLimit)
+
+}
+
+func (s *DockerSuite) TestUpdateMemoryWithSwapMemory(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+	testRequires(c, memoryLimitSupport)
+	testRequires(c, swapMemorySupport)
+
+	name := "test-update-container"
+	dockerCmd(c, "run", "-d", "--name", name, "--memory", "300M", "busybox", "top")
+	out, _, err := dockerCmdWithError("update", "--memory", "800M", name)
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "Memory limit should be smaller than already set memoryswap limit")
+
+	dockerCmd(c, "update", "--memory", "800M", "--memory-swap", "1000M", name)
+}
+
+func (s *DockerSuite) TestUpdateNotAffectMonitorRestartPolicy(c *check.C) {
+	testRequires(c, DaemonIsLinux, cpuShare)
+
+	out, _ := dockerCmd(c, "run", "-tid", "--restart=always", "busybox", "sh")
+	id := strings.TrimSpace(string(out))
+	dockerCmd(c, "update", "--cpu-shares", "512", id)
+
+	cpty, tty, err := pty.Open()
+	c.Assert(err, checker.IsNil)
+	defer cpty.Close()
+
+	cmd := exec.Command(dockerBinary, "attach", id)
+	cmd.Stdin = tty
+
+	c.Assert(cmd.Start(), checker.IsNil)
+	defer cmd.Process.Kill()
+
+	_, err = cpty.Write([]byte("exit\n"))
+	c.Assert(err, checker.IsNil)
+
+	c.Assert(cmd.Wait(), checker.IsNil)
+
+	// container should restart again and keep running
+	err = waitInspect(id, "{{.RestartCount}}", "1", 30*time.Second)
+	c.Assert(err, checker.IsNil)
+	c.Assert(waitRun(id), checker.IsNil)
+}
+
+func (s *DockerSuite) TestUpdateWithNanoCPUs(c *check.C) {
+	testRequires(c, cpuCfsQuota, cpuCfsPeriod)
+
+	file1 := "/sys/fs/cgroup/cpu/cpu.cfs_quota_us"
+	file2 := "/sys/fs/cgroup/cpu/cpu.cfs_period_us"
+
+	out, _ := dockerCmd(c, "run", "-d", "--cpus", "0.5", "--name", "top", "busybox", "top")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+
+	out, _ = dockerCmd(c, "exec", "top", "sh", "-c", fmt.Sprintf("cat %s && cat %s", file1, file2))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "50000\n100000")
+
+	clt, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	inspect, err := clt.ContainerInspect(context.Background(), "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(inspect.HostConfig.NanoCPUs, checker.Equals, int64(500000000))
+
+	out = inspectField(c, "top", "HostConfig.CpuQuota")
+	c.Assert(out, checker.Equals, "0", check.Commentf("CPU CFS quota should be 0"))
+	out = inspectField(c, "top", "HostConfig.CpuPeriod")
+	c.Assert(out, checker.Equals, "0", check.Commentf("CPU CFS period should be 0"))
+
+	out, _, err = dockerCmdWithError("update", "--cpu-quota", "80000", "top")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "Conflicting options: CPU Quota cannot be updated as NanoCPUs has already been set")
+
+	out, _ = dockerCmd(c, "update", "--cpus", "0.8", "top")
+	inspect, err = clt.ContainerInspect(context.Background(), "top")
+	c.Assert(err, checker.IsNil)
+	c.Assert(inspect.HostConfig.NanoCPUs, checker.Equals, int64(800000000))
+
+	out = inspectField(c, "top", "HostConfig.CpuQuota")
+	c.Assert(out, checker.Equals, "0", check.Commentf("CPU CFS quota should be 0"))
+	out = inspectField(c, "top", "HostConfig.CpuPeriod")
+	c.Assert(out, checker.Equals, "0", check.Commentf("CPU CFS period should be 0"))
+
+	out, _ = dockerCmd(c, "exec", "top", "sh", "-c", fmt.Sprintf("cat %s && cat %s", file1, file2))
+	c.Assert(strings.TrimSpace(out), checker.Equals, "80000\n100000")
+}
diff --git a/engine/integration-cli/docker_cli_userns_test.go b/engine/integration-cli/docker_cli_userns_test.go
new file mode 100644
index 00000000..54cfdd17
--- /dev/null
+++ b/engine/integration-cli/docker_cli_userns_test.go
@@ -0,0 +1,98 @@
+// +build !windows
+
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/system"
+	"github.com/go-check/check"
+)
+
+// user namespaces test: run daemon with remapped root setting
+// 1. validate uid/gid maps are set properly
+// 2. verify that files created are owned by remapped root
+func (s *DockerDaemonSuite) TestDaemonUserNamespaceRootSetting(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon, UserNamespaceInKernel)
+
+	s.d.StartWithBusybox(c, "--userns-remap", "default")
+
+	tmpDir, err := ioutil.TempDir("", "userns")
+	c.Assert(err, checker.IsNil)
+
+	defer os.RemoveAll(tmpDir)
+
+	// Set a non-existent path
+	tmpDirNotExists := path.Join(os.TempDir(), "userns"+stringid.GenerateRandomID())
+	defer os.RemoveAll(tmpDirNotExists)
+
+	// we need to find the uid and gid of the remapped root from the daemon's root dir info
+	uidgid := strings.Split(filepath.Base(s.d.Root), ".")
+	c.Assert(uidgid, checker.HasLen, 2, check.Commentf("Should have gotten uid/gid strings from root dirname: %s", filepath.Base(s.d.Root)))
+	uid, err := strconv.Atoi(uidgid[0])
+	c.Assert(err, checker.IsNil, check.Commentf("Can't parse uid"))
+	gid, err := strconv.Atoi(uidgid[1])
+	c.Assert(err, checker.IsNil, check.Commentf("Can't parse gid"))
+
+	// writable by the remapped root UID/GID pair
+	c.Assert(os.Chown(tmpDir, uid, gid), checker.IsNil)
+
+	out, err := s.d.Cmd("run", "-d", "--name", "userns", "-v", tmpDir+":/goofy", "-v", tmpDirNotExists+":/donald", "busybox", "sh", "-c", "touch /goofy/testfile; top")
+	c.Assert(err, checker.IsNil, check.Commentf("Output: %s", out))
+	user := s.findUser(c, "userns")
+	c.Assert(uidgid[0], checker.Equals, user)
+
+	// check that the created directory is owned by remapped uid:gid
+	statNotExists, err := system.Stat(tmpDirNotExists)
+	c.Assert(err, checker.IsNil)
+	c.Assert(statNotExists.UID(), checker.Equals, uint32(uid), check.Commentf("Created directory not owned by remapped root UID"))
+	c.Assert(statNotExists.GID(), checker.Equals, uint32(gid), check.Commentf("Created directory not owned by remapped root GID"))
+
+	pid, err := s.d.Cmd("inspect", "--format={{.State.Pid}}", "userns")
+	c.Assert(err, checker.IsNil, check.Commentf("Could not inspect running container: out: %q", pid))
+	// check the uid and gid maps for the PID to ensure root is remapped
+	// (cmd = cat /proc/<pid>/uid_map | grep -E '0\s+9999\s+1')
+	out, err = RunCommandPipelineWithOutput(
+		exec.Command("cat", "/proc/"+strings.TrimSpace(pid)+"/uid_map"),
+		exec.Command("grep", "-E", fmt.Sprintf("0[[:space:]]+%d[[:space:]]+", uid)))
+	c.Assert(err, check.IsNil)
+
+	out, err = RunCommandPipelineWithOutput(
+		exec.Command("cat", "/proc/"+strings.TrimSpace(pid)+"/gid_map"),
+		exec.Command("grep", "-E", fmt.Sprintf("0[[:space:]]+%d[[:space:]]+", gid)))
+	c.Assert(err, check.IsNil)
+
+	// check that the touched file is owned by remapped uid:gid
+	stat, err := system.Stat(filepath.Join(tmpDir, "testfile"))
+	c.Assert(err, checker.IsNil)
+	c.Assert(stat.UID(), checker.Equals, uint32(uid), check.Commentf("Touched file not owned by remapped root UID"))
+	c.Assert(stat.GID(), checker.Equals, uint32(gid), check.Commentf("Touched file not owned by remapped root GID"))
+
+	// use host usernamespace
+	out, err = s.d.Cmd("run", "-d", "--name", "userns_skip", "--userns", "host", "busybox", "sh", "-c", "touch /goofy/testfile; top")
+	c.Assert(err, checker.IsNil, check.Commentf("Output: %s", out))
+	user = s.findUser(c, "userns_skip")
+	// userns are skipped, user is root
+	c.Assert(user, checker.Equals, "root")
+}
+
+// findUser finds the uid or name of the user of the first process that runs in a container
+func (s *DockerDaemonSuite) findUser(c *check.C, container string) string {
+	out, err := s.d.Cmd("top", container)
+	c.Assert(err, checker.IsNil, check.Commentf("Output: %s", out))
+	rows := strings.Split(out, "\n")
+	if len(rows) < 2 {
+		// No process rows founds
+		c.FailNow()
+	}
+	return strings.Fields(rows[1])[0]
+}
diff --git a/engine/integration-cli/docker_cli_v2_only_test.go b/engine/integration-cli/docker_cli_v2_only_test.go
new file mode 100644
index 00000000..df0c01a5
--- /dev/null
+++ b/engine/integration-cli/docker_cli_v2_only_test.go
@@ -0,0 +1,58 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+
+	"github.com/docker/docker/internal/test/registry"
+	"github.com/go-check/check"
+)
+
+func makefile(path string, contents string) (string, error) {
+	f, err := ioutil.TempFile(path, "tmp")
+	if err != nil {
+		return "", err
+	}
+	err = ioutil.WriteFile(f.Name(), []byte(contents), os.ModePerm)
+	if err != nil {
+		return "", err
+	}
+	return f.Name(), nil
+}
+
+// TestV2Only ensures that a daemon does not
+// attempt to contact any v1 registry endpoints.
+func (s *DockerRegistrySuite) TestV2Only(c *check.C) {
+	reg, err := registry.NewMock(c)
+	defer reg.Close()
+	c.Assert(err, check.IsNil)
+
+	reg.RegisterHandler("/v2/", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(404)
+	})
+
+	reg.RegisterHandler("/v1/.*", func(w http.ResponseWriter, r *http.Request) {
+		c.Fatal("V1 registry contacted")
+	})
+
+	repoName := fmt.Sprintf("%s/busybox", reg.URL())
+
+	s.d.Start(c, "--insecure-registry", reg.URL())
+
+	tmp, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, check.IsNil)
+	defer os.RemoveAll(tmp)
+
+	dockerfileName, err := makefile(tmp, fmt.Sprintf("FROM %s/busybox", reg.URL()))
+	c.Assert(err, check.IsNil, check.Commentf("Unable to create test dockerfile"))
+
+	s.d.Cmd("build", "--file", dockerfileName, tmp)
+
+	s.d.Cmd("run", repoName)
+	s.d.Cmd("login", "-u", "richard", "-p", "testtest", reg.URL())
+	s.d.Cmd("tag", "busybox", repoName)
+	s.d.Cmd("push", repoName)
+	s.d.Cmd("pull", repoName)
+}
diff --git a/engine/integration-cli/docker_cli_volume_test.go b/engine/integration-cli/docker_cli_volume_test.go
new file mode 100644
index 00000000..340bdfe2
--- /dev/null
+++ b/engine/integration-cli/docker_cli_volume_test.go
@@ -0,0 +1,639 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli/build"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+func (s *DockerSuite) TestVolumeCLICreate(c *check.C) {
+	dockerCmd(c, "volume", "create")
+
+	_, _, err := dockerCmdWithError("volume", "create", "-d", "nosuchdriver")
+	c.Assert(err, check.NotNil)
+
+	// test using hidden --name option
+	out, _ := dockerCmd(c, "volume", "create", "--name=test")
+	name := strings.TrimSpace(out)
+	c.Assert(name, check.Equals, "test")
+
+	out, _ = dockerCmd(c, "volume", "create", "test2")
+	name = strings.TrimSpace(out)
+	c.Assert(name, check.Equals, "test2")
+}
+
+func (s *DockerSuite) TestVolumeCLIInspect(c *check.C) {
+	c.Assert(
+		exec.Command(dockerBinary, "volume", "inspect", "doesnotexist").Run(),
+		check.Not(check.IsNil),
+		check.Commentf("volume inspect should error on non-existent volume"),
+	)
+
+	out, _ := dockerCmd(c, "volume", "create")
+	name := strings.TrimSpace(out)
+	out, _ = dockerCmd(c, "volume", "inspect", "--format={{ .Name }}", name)
+	c.Assert(strings.TrimSpace(out), check.Equals, name)
+
+	dockerCmd(c, "volume", "create", "test")
+	out, _ = dockerCmd(c, "volume", "inspect", "--format={{ .Name }}", "test")
+	c.Assert(strings.TrimSpace(out), check.Equals, "test")
+}
+
+func (s *DockerSuite) TestVolumeCLIInspectMulti(c *check.C) {
+	dockerCmd(c, "volume", "create", "test1")
+	dockerCmd(c, "volume", "create", "test2")
+	dockerCmd(c, "volume", "create", "test3")
+
+	result := dockerCmdWithResult("volume", "inspect", "--format={{ .Name }}", "test1", "test2", "doesnotexist", "test3")
+	result.Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Err:      "No such volume: doesnotexist",
+	})
+
+	out := result.Stdout()
+	c.Assert(out, checker.Contains, "test1")
+	c.Assert(out, checker.Contains, "test2")
+	c.Assert(out, checker.Contains, "test3")
+}
+
+func (s *DockerSuite) TestVolumeCLILs(c *check.C) {
+	prefix, _ := getPrefixAndSlashFromDaemonPlatform()
+	dockerCmd(c, "volume", "create", "aaa")
+
+	dockerCmd(c, "volume", "create", "test")
+
+	dockerCmd(c, "volume", "create", "soo")
+	dockerCmd(c, "run", "-v", "soo:"+prefix+"/foo", "busybox", "ls", "/")
+
+	out, _ := dockerCmd(c, "volume", "ls", "-q")
+	assertVolumesInList(c, out, []string{"aaa", "soo", "test"})
+}
+
+func (s *DockerSuite) TestVolumeLsFormat(c *check.C) {
+	dockerCmd(c, "volume", "create", "aaa")
+	dockerCmd(c, "volume", "create", "test")
+	dockerCmd(c, "volume", "create", "soo")
+
+	out, _ := dockerCmd(c, "volume", "ls", "--format", "{{.Name}}")
+	assertVolumesInList(c, out, []string{"aaa", "soo", "test"})
+}
+
+func (s *DockerSuite) TestVolumeLsFormatDefaultFormat(c *check.C) {
+	dockerCmd(c, "volume", "create", "aaa")
+	dockerCmd(c, "volume", "create", "test")
+	dockerCmd(c, "volume", "create", "soo")
+
+	config := `{
+		"volumesFormat": "{{ .Name }} default"
+}`
+	d, err := ioutil.TempDir("", "integration-cli-")
+	c.Assert(err, checker.IsNil)
+	defer os.RemoveAll(d)
+
+	err = ioutil.WriteFile(filepath.Join(d, "config.json"), []byte(config), 0644)
+	c.Assert(err, checker.IsNil)
+
+	out, _ := dockerCmd(c, "--config", d, "volume", "ls")
+	assertVolumesInList(c, out, []string{"aaa default", "soo default", "test default"})
+}
+
+// assertVolList checks volume retrieved with ls command
+// equals to expected volume list
+// note: out should be `volume ls [option]` result
+func assertVolList(c *check.C, out string, expectVols []string) {
+	lines := strings.Split(out, "\n")
+	var volList []string
+	for _, line := range lines[1 : len(lines)-1] {
+		volFields := strings.Fields(line)
+		// wrap all volume name in volList
+		volList = append(volList, volFields[1])
+	}
+
+	// volume ls should contains all expected volumes
+	c.Assert(volList, checker.DeepEquals, expectVols)
+}
+
+func assertVolumesInList(c *check.C, out string, expected []string) {
+	lines := strings.Split(strings.TrimSpace(string(out)), "\n")
+	for _, expect := range expected {
+		found := false
+		for _, v := range lines {
+			found = v == expect
+			if found {
+				break
+			}
+		}
+		c.Assert(found, checker.Equals, true, check.Commentf("Expected volume not found: %v, got: %v", expect, lines))
+	}
+}
+
+func (s *DockerSuite) TestVolumeCLILsFilterDangling(c *check.C) {
+	prefix, _ := getPrefixAndSlashFromDaemonPlatform()
+	dockerCmd(c, "volume", "create", "testnotinuse1")
+	dockerCmd(c, "volume", "create", "testisinuse1")
+	dockerCmd(c, "volume", "create", "testisinuse2")
+
+	// Make sure both "created" (but not started), and started
+	// containers are included in reference counting
+	dockerCmd(c, "run", "--name", "volume-test1", "-v", "testisinuse1:"+prefix+"/foo", "busybox", "true")
+	dockerCmd(c, "create", "--name", "volume-test2", "-v", "testisinuse2:"+prefix+"/foo", "busybox", "true")
+
+	out, _ := dockerCmd(c, "volume", "ls")
+
+	// No filter, all volumes should show
+	c.Assert(out, checker.Contains, "testnotinuse1\n", check.Commentf("expected volume 'testnotinuse1' in output"))
+	c.Assert(out, checker.Contains, "testisinuse1\n", check.Commentf("expected volume 'testisinuse1' in output"))
+	c.Assert(out, checker.Contains, "testisinuse2\n", check.Commentf("expected volume 'testisinuse2' in output"))
+
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "dangling=false")
+
+	// Explicitly disabling dangling
+	c.Assert(out, check.Not(checker.Contains), "testnotinuse1\n", check.Commentf("expected volume 'testnotinuse1' in output"))
+	c.Assert(out, checker.Contains, "testisinuse1\n", check.Commentf("expected volume 'testisinuse1' in output"))
+	c.Assert(out, checker.Contains, "testisinuse2\n", check.Commentf("expected volume 'testisinuse2' in output"))
+
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "dangling=true")
+
+	// Filter "dangling" volumes; only "dangling" (unused) volumes should be in the output
+	c.Assert(out, checker.Contains, "testnotinuse1\n", check.Commentf("expected volume 'testnotinuse1' in output"))
+	c.Assert(out, check.Not(checker.Contains), "testisinuse1\n", check.Commentf("volume 'testisinuse1' in output, but not expected"))
+	c.Assert(out, check.Not(checker.Contains), "testisinuse2\n", check.Commentf("volume 'testisinuse2' in output, but not expected"))
+
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "dangling=1")
+	// Filter "dangling" volumes; only "dangling" (unused) volumes should be in the output, dangling also accept 1
+	c.Assert(out, checker.Contains, "testnotinuse1\n", check.Commentf("expected volume 'testnotinuse1' in output"))
+	c.Assert(out, check.Not(checker.Contains), "testisinuse1\n", check.Commentf("volume 'testisinuse1' in output, but not expected"))
+	c.Assert(out, check.Not(checker.Contains), "testisinuse2\n", check.Commentf("volume 'testisinuse2' in output, but not expected"))
+
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "dangling=0")
+	// dangling=0 is same as dangling=false case
+	c.Assert(out, check.Not(checker.Contains), "testnotinuse1\n", check.Commentf("expected volume 'testnotinuse1' in output"))
+	c.Assert(out, checker.Contains, "testisinuse1\n", check.Commentf("expected volume 'testisinuse1' in output"))
+	c.Assert(out, checker.Contains, "testisinuse2\n", check.Commentf("expected volume 'testisinuse2' in output"))
+
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "name=testisin")
+	c.Assert(out, check.Not(checker.Contains), "testnotinuse1\n", check.Commentf("expected volume 'testnotinuse1' in output"))
+	c.Assert(out, checker.Contains, "testisinuse1\n", check.Commentf("expected volume 'testisinuse1' in output"))
+	c.Assert(out, checker.Contains, "testisinuse2\n", check.Commentf("expected volume 'testisinuse2' in output"))
+}
+
+func (s *DockerSuite) TestVolumeCLILsErrorWithInvalidFilterName(c *check.C) {
+	out, _, err := dockerCmdWithError("volume", "ls", "-f", "FOO=123")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "Invalid filter")
+}
+
+func (s *DockerSuite) TestVolumeCLILsWithIncorrectFilterValue(c *check.C) {
+	out, _, err := dockerCmdWithError("volume", "ls", "-f", "dangling=invalid")
+	c.Assert(err, check.NotNil)
+	c.Assert(out, checker.Contains, "Invalid filter")
+}
+
+func (s *DockerSuite) TestVolumeCLIRm(c *check.C) {
+	prefix, _ := getPrefixAndSlashFromDaemonPlatform()
+	out, _ := dockerCmd(c, "volume", "create")
+	id := strings.TrimSpace(out)
+
+	dockerCmd(c, "volume", "create", "test")
+	dockerCmd(c, "volume", "rm", id)
+	dockerCmd(c, "volume", "rm", "test")
+
+	volumeID := "testing"
+	dockerCmd(c, "run", "-v", volumeID+":"+prefix+"/foo", "--name=test", "busybox", "sh", "-c", "echo hello > /foo/bar")
+
+	icmd.RunCommand(dockerBinary, "volume", "rm", "testing").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Error:    "exit status 1",
+	})
+
+	out, _ = dockerCmd(c, "run", "--volumes-from=test", "--name=test2", "busybox", "sh", "-c", "cat /foo/bar")
+	c.Assert(strings.TrimSpace(out), check.Equals, "hello")
+	dockerCmd(c, "rm", "-fv", "test2")
+	dockerCmd(c, "volume", "inspect", volumeID)
+	dockerCmd(c, "rm", "-f", "test")
+
+	out, _ = dockerCmd(c, "run", "--name=test2", "-v", volumeID+":"+prefix+"/foo", "busybox", "sh", "-c", "cat /foo/bar")
+	c.Assert(strings.TrimSpace(out), check.Equals, "hello", check.Commentf("volume data was removed"))
+	dockerCmd(c, "rm", "test2")
+
+	dockerCmd(c, "volume", "rm", volumeID)
+	c.Assert(
+		exec.Command("volume", "rm", "doesnotexist").Run(),
+		check.Not(check.IsNil),
+		check.Commentf("volume rm should fail with non-existent volume"),
+	)
+}
+
+// FIXME(vdemeester) should be a unit test in cli/command/volume package
+func (s *DockerSuite) TestVolumeCLINoArgs(c *check.C) {
+	out, _ := dockerCmd(c, "volume")
+	// no args should produce the cmd usage output
+	usage := "Usage:	docker volume COMMAND"
+	c.Assert(out, checker.Contains, usage)
+
+	// invalid arg should error and show the command usage on stderr
+	icmd.RunCommand(dockerBinary, "volume", "somearg").Assert(c, icmd.Expected{
+		ExitCode: 1,
+		Error:    "exit status 1",
+		Err:      usage,
+	})
+
+	// invalid flag should error and show the flag error and cmd usage
+	result := icmd.RunCommand(dockerBinary, "volume", "--no-such-flag")
+	result.Assert(c, icmd.Expected{
+		ExitCode: 125,
+		Error:    "exit status 125",
+		Err:      usage,
+	})
+	c.Assert(result.Stderr(), checker.Contains, "unknown flag: --no-such-flag")
+}
+
+func (s *DockerSuite) TestVolumeCLIInspectTmplError(c *check.C) {
+	out, _ := dockerCmd(c, "volume", "create")
+	name := strings.TrimSpace(out)
+
+	out, exitCode, err := dockerCmdWithError("volume", "inspect", "--format='{{ .FooBar }}'", name)
+	c.Assert(err, checker.NotNil, check.Commentf("Output: %s", out))
+	c.Assert(exitCode, checker.Equals, 1, check.Commentf("Output: %s", out))
+	c.Assert(out, checker.Contains, "Template parsing error")
+}
+
+func (s *DockerSuite) TestVolumeCLICreateWithOpts(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	dockerCmd(c, "volume", "create", "-d", "local", "test", "--opt=type=tmpfs", "--opt=device=tmpfs", "--opt=o=size=1m,uid=1000")
+	out, _ := dockerCmd(c, "run", "-v", "test:/foo", "busybox", "mount")
+
+	mounts := strings.Split(out, "\n")
+	var found bool
+	for _, m := range mounts {
+		if strings.Contains(m, "/foo") {
+			found = true
+			info := strings.Fields(m)
+			// tmpfs on <path> type tmpfs (rw,relatime,size=1024k,uid=1000)
+			c.Assert(info[0], checker.Equals, "tmpfs")
+			c.Assert(info[2], checker.Equals, "/foo")
+			c.Assert(info[4], checker.Equals, "tmpfs")
+			c.Assert(info[5], checker.Contains, "uid=1000")
+			c.Assert(info[5], checker.Contains, "size=1024k")
+			break
+		}
+	}
+	c.Assert(found, checker.Equals, true)
+}
+
+func (s *DockerSuite) TestVolumeCLICreateLabel(c *check.C) {
+	testVol := "testvolcreatelabel"
+	testLabel := "foo"
+	testValue := "bar"
+
+	out, _, err := dockerCmdWithError("volume", "create", "--label", testLabel+"="+testValue, testVol)
+	c.Assert(err, check.IsNil)
+
+	out, _ = dockerCmd(c, "volume", "inspect", "--format={{ .Labels."+testLabel+" }}", testVol)
+	c.Assert(strings.TrimSpace(out), check.Equals, testValue)
+}
+
+func (s *DockerSuite) TestVolumeCLICreateLabelMultiple(c *check.C) {
+	testVol := "testvolcreatelabel"
+
+	testLabels := map[string]string{
+		"foo": "bar",
+		"baz": "foo",
+	}
+
+	args := []string{
+		"volume",
+		"create",
+		testVol,
+	}
+
+	for k, v := range testLabels {
+		args = append(args, "--label", k+"="+v)
+	}
+
+	out, _, err := dockerCmdWithError(args...)
+	c.Assert(err, check.IsNil)
+
+	for k, v := range testLabels {
+		out, _ = dockerCmd(c, "volume", "inspect", "--format={{ .Labels."+k+" }}", testVol)
+		c.Assert(strings.TrimSpace(out), check.Equals, v)
+	}
+}
+
+func (s *DockerSuite) TestVolumeCLILsFilterLabels(c *check.C) {
+	testVol1 := "testvolcreatelabel-1"
+	out, _, err := dockerCmdWithError("volume", "create", "--label", "foo=bar1", testVol1)
+	c.Assert(err, check.IsNil)
+
+	testVol2 := "testvolcreatelabel-2"
+	out, _, err = dockerCmdWithError("volume", "create", "--label", "foo=bar2", testVol2)
+	c.Assert(err, check.IsNil)
+
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "label=foo")
+
+	// filter with label=key
+	c.Assert(out, checker.Contains, "testvolcreatelabel-1\n", check.Commentf("expected volume 'testvolcreatelabel-1' in output"))
+	c.Assert(out, checker.Contains, "testvolcreatelabel-2\n", check.Commentf("expected volume 'testvolcreatelabel-2' in output"))
+
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "label=foo=bar1")
+
+	// filter with label=key=value
+	c.Assert(out, checker.Contains, "testvolcreatelabel-1\n", check.Commentf("expected volume 'testvolcreatelabel-1' in output"))
+	c.Assert(out, check.Not(checker.Contains), "testvolcreatelabel-2\n", check.Commentf("expected volume 'testvolcreatelabel-2 in output"))
+
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "label=non-exist")
+	outArr := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(outArr), check.Equals, 1, check.Commentf("\n%s", out))
+
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "label=foo=non-exist")
+	outArr = strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(outArr), check.Equals, 1, check.Commentf("\n%s", out))
+}
+
+func (s *DockerSuite) TestVolumeCLILsFilterDrivers(c *check.C) {
+	// using default volume driver local to create volumes
+	testVol1 := "testvol-1"
+	out, _, err := dockerCmdWithError("volume", "create", testVol1)
+	c.Assert(err, check.IsNil)
+
+	testVol2 := "testvol-2"
+	out, _, err = dockerCmdWithError("volume", "create", testVol2)
+	c.Assert(err, check.IsNil)
+
+	// filter with driver=local
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "driver=local")
+	c.Assert(out, checker.Contains, "testvol-1\n", check.Commentf("expected volume 'testvol-1' in output"))
+	c.Assert(out, checker.Contains, "testvol-2\n", check.Commentf("expected volume 'testvol-2' in output"))
+
+	// filter with driver=invaliddriver
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "driver=invaliddriver")
+	outArr := strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(outArr), check.Equals, 1, check.Commentf("\n%s", out))
+
+	// filter with driver=loca
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "driver=loca")
+	outArr = strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(outArr), check.Equals, 1, check.Commentf("\n%s", out))
+
+	// filter with driver=
+	out, _ = dockerCmd(c, "volume", "ls", "--filter", "driver=")
+	outArr = strings.Split(strings.TrimSpace(out), "\n")
+	c.Assert(len(outArr), check.Equals, 1, check.Commentf("\n%s", out))
+}
+
+func (s *DockerSuite) TestVolumeCLIRmForceUsage(c *check.C) {
+	out, _ := dockerCmd(c, "volume", "create")
+	id := strings.TrimSpace(out)
+
+	dockerCmd(c, "volume", "rm", "-f", id)
+	dockerCmd(c, "volume", "rm", "--force", "nonexist")
+}
+
+func (s *DockerSuite) TestVolumeCLIRmForce(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	name := "test"
+	out, _ := dockerCmd(c, "volume", "create", name)
+	id := strings.TrimSpace(out)
+	c.Assert(id, checker.Equals, name)
+
+	out, _ = dockerCmd(c, "volume", "inspect", "--format", "{{.Mountpoint}}", name)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Equals), "")
+	// Mountpoint is in the form of "/var/lib/docker/volumes/.../_data", removing `/_data`
+	path := strings.TrimSuffix(strings.TrimSpace(out), "/_data")
+	icmd.RunCommand("rm", "-rf", path).Assert(c, icmd.Success)
+
+	dockerCmd(c, "volume", "rm", "-f", name)
+	out, _ = dockerCmd(c, "volume", "ls")
+	c.Assert(out, checker.Not(checker.Contains), name)
+	dockerCmd(c, "volume", "create", name)
+	out, _ = dockerCmd(c, "volume", "ls")
+	c.Assert(out, checker.Contains, name)
+}
+
+// TestVolumeCLIRmForceInUse verifies that repeated `docker volume rm -f` calls does not remove a volume
+// if it is in use. Test case for https://github.com/docker/docker/issues/31446
+func (s *DockerSuite) TestVolumeCLIRmForceInUse(c *check.C) {
+	name := "testvolume"
+	out, _ := dockerCmd(c, "volume", "create", name)
+	id := strings.TrimSpace(out)
+	c.Assert(id, checker.Equals, name)
+
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+	out, e := dockerCmd(c, "create", "-v", "testvolume:"+prefix+slash+"foo", "busybox")
+	cid := strings.TrimSpace(out)
+
+	_, _, err := dockerCmdWithError("volume", "rm", "-f", name)
+	c.Assert(err, check.NotNil)
+	c.Assert(err.Error(), checker.Contains, "volume is in use")
+	out, _ = dockerCmd(c, "volume", "ls")
+	c.Assert(out, checker.Contains, name)
+
+	// The original issue did not _remove_ the volume from the list
+	// the first time. But a second call to `volume rm` removed it.
+	// Calling `volume rm` a second time to confirm it's not removed
+	// when calling twice.
+	_, _, err = dockerCmdWithError("volume", "rm", "-f", name)
+	c.Assert(err, check.NotNil)
+	c.Assert(err.Error(), checker.Contains, "volume is in use")
+	out, _ = dockerCmd(c, "volume", "ls")
+	c.Assert(out, checker.Contains, name)
+
+	// Verify removing the volume after the container is removed works
+	_, e = dockerCmd(c, "rm", cid)
+	c.Assert(e, check.Equals, 0)
+
+	_, e = dockerCmd(c, "volume", "rm", "-f", name)
+	c.Assert(e, check.Equals, 0)
+
+	out, e = dockerCmd(c, "volume", "ls")
+	c.Assert(e, check.Equals, 0)
+	c.Assert(out, checker.Not(checker.Contains), name)
+}
+
+func (s *DockerSuite) TestVolumeCliInspectWithVolumeOpts(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	// Without options
+	name := "test1"
+	dockerCmd(c, "volume", "create", "-d", "local", name)
+	out, _ := dockerCmd(c, "volume", "inspect", "--format={{ .Options }}", name)
+	c.Assert(strings.TrimSpace(out), checker.Contains, "map[]")
+
+	// With options
+	name = "test2"
+	k1, v1 := "type", "tmpfs"
+	k2, v2 := "device", "tmpfs"
+	k3, v3 := "o", "size=1m,uid=1000"
+	dockerCmd(c, "volume", "create", "-d", "local", name, "--opt", fmt.Sprintf("%s=%s", k1, v1), "--opt", fmt.Sprintf("%s=%s", k2, v2), "--opt", fmt.Sprintf("%s=%s", k3, v3))
+	out, _ = dockerCmd(c, "volume", "inspect", "--format={{ .Options }}", name)
+	c.Assert(strings.TrimSpace(out), checker.Contains, fmt.Sprintf("%s:%s", k1, v1))
+	c.Assert(strings.TrimSpace(out), checker.Contains, fmt.Sprintf("%s:%s", k2, v2))
+	c.Assert(strings.TrimSpace(out), checker.Contains, fmt.Sprintf("%s:%s", k3, v3))
+}
+
+// Test case (1) for 21845: duplicate targets for --volumes-from
+func (s *DockerSuite) TestDuplicateMountpointsForVolumesFrom(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	image := "vimage"
+	buildImageSuccessfully(c, image, build.WithDockerfile(`
+		FROM busybox
+		VOLUME ["/tmp/data"]`))
+
+	dockerCmd(c, "run", "--name=data1", image, "true")
+	dockerCmd(c, "run", "--name=data2", image, "true")
+
+	out, _ := dockerCmd(c, "inspect", "--format", "{{(index .Mounts 0).Name}}", "data1")
+	data1 := strings.TrimSpace(out)
+	c.Assert(data1, checker.Not(checker.Equals), "")
+
+	out, _ = dockerCmd(c, "inspect", "--format", "{{(index .Mounts 0).Name}}", "data2")
+	data2 := strings.TrimSpace(out)
+	c.Assert(data2, checker.Not(checker.Equals), "")
+
+	// Both volume should exist
+	out, _ = dockerCmd(c, "volume", "ls", "-q")
+	c.Assert(strings.TrimSpace(out), checker.Contains, data1)
+	c.Assert(strings.TrimSpace(out), checker.Contains, data2)
+
+	out, _, err := dockerCmdWithError("run", "--name=app", "--volumes-from=data1", "--volumes-from=data2", "-d", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf("Out: %s", out))
+
+	// Only the second volume will be referenced, this is backward compatible
+	out, _ = dockerCmd(c, "inspect", "--format", "{{(index .Mounts 0).Name}}", "app")
+	c.Assert(strings.TrimSpace(out), checker.Equals, data2)
+
+	dockerCmd(c, "rm", "-f", "-v", "app")
+	dockerCmd(c, "rm", "-f", "-v", "data1")
+	dockerCmd(c, "rm", "-f", "-v", "data2")
+
+	// Both volume should not exist
+	out, _ = dockerCmd(c, "volume", "ls", "-q")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), data1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), data2)
+}
+
+// Test case (2) for 21845: duplicate targets for --volumes-from and -v (bind)
+func (s *DockerSuite) TestDuplicateMountpointsForVolumesFromAndBind(c *check.C) {
+	testRequires(c, DaemonIsLinux)
+
+	image := "vimage"
+	buildImageSuccessfully(c, image, build.WithDockerfile(`
+                FROM busybox
+                VOLUME ["/tmp/data"]`))
+
+	dockerCmd(c, "run", "--name=data1", image, "true")
+	dockerCmd(c, "run", "--name=data2", image, "true")
+
+	out, _ := dockerCmd(c, "inspect", "--format", "{{(index .Mounts 0).Name}}", "data1")
+	data1 := strings.TrimSpace(out)
+	c.Assert(data1, checker.Not(checker.Equals), "")
+
+	out, _ = dockerCmd(c, "inspect", "--format", "{{(index .Mounts 0).Name}}", "data2")
+	data2 := strings.TrimSpace(out)
+	c.Assert(data2, checker.Not(checker.Equals), "")
+
+	// Both volume should exist
+	out, _ = dockerCmd(c, "volume", "ls", "-q")
+	c.Assert(strings.TrimSpace(out), checker.Contains, data1)
+	c.Assert(strings.TrimSpace(out), checker.Contains, data2)
+
+	// /tmp/data is automatically created, because we are not using the modern mount API here
+	out, _, err := dockerCmdWithError("run", "--name=app", "--volumes-from=data1", "--volumes-from=data2", "-v", "/tmp/data:/tmp/data", "-d", "busybox", "top")
+	c.Assert(err, checker.IsNil, check.Commentf("Out: %s", out))
+
+	// No volume will be referenced (mount is /tmp/data), this is backward compatible
+	out, _ = dockerCmd(c, "inspect", "--format", "{{(index .Mounts 0).Name}}", "app")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), data1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), data2)
+
+	dockerCmd(c, "rm", "-f", "-v", "app")
+	dockerCmd(c, "rm", "-f", "-v", "data1")
+	dockerCmd(c, "rm", "-f", "-v", "data2")
+
+	// Both volume should not exist
+	out, _ = dockerCmd(c, "volume", "ls", "-q")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), data1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), data2)
+}
+
+// Test case (3) for 21845: duplicate targets for --volumes-from and `Mounts` (API only)
+func (s *DockerSuite) TestDuplicateMountpointsForVolumesFromAndMounts(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+
+	image := "vimage"
+	buildImageSuccessfully(c, image, build.WithDockerfile(`
+                FROM busybox
+                VOLUME ["/tmp/data"]`))
+
+	dockerCmd(c, "run", "--name=data1", image, "true")
+	dockerCmd(c, "run", "--name=data2", image, "true")
+
+	out, _ := dockerCmd(c, "inspect", "--format", "{{(index .Mounts 0).Name}}", "data1")
+	data1 := strings.TrimSpace(out)
+	c.Assert(data1, checker.Not(checker.Equals), "")
+
+	out, _ = dockerCmd(c, "inspect", "--format", "{{(index .Mounts 0).Name}}", "data2")
+	data2 := strings.TrimSpace(out)
+	c.Assert(data2, checker.Not(checker.Equals), "")
+
+	// Both volume should exist
+	out, _ = dockerCmd(c, "volume", "ls", "-q")
+	c.Assert(strings.TrimSpace(out), checker.Contains, data1)
+	c.Assert(strings.TrimSpace(out), checker.Contains, data2)
+
+	err := os.MkdirAll("/tmp/data", 0755)
+	c.Assert(err, checker.IsNil)
+	// Mounts is available in API
+	cli, err := client.NewEnvClient()
+	c.Assert(err, checker.IsNil)
+	defer cli.Close()
+
+	config := container.Config{
+		Cmd:   []string{"top"},
+		Image: "busybox",
+	}
+
+	hostConfig := container.HostConfig{
+		VolumesFrom: []string{"data1", "data2"},
+		Mounts: []mount.Mount{
+			{
+				Type:   "bind",
+				Source: "/tmp/data",
+				Target: "/tmp/data",
+			},
+		},
+	}
+	_, err = cli.ContainerCreate(context.Background(), &config, &hostConfig, &network.NetworkingConfig{}, "app")
+
+	c.Assert(err, checker.IsNil)
+
+	// No volume will be referenced (mount is /tmp/data), this is backward compatible
+	out, _ = dockerCmd(c, "inspect", "--format", "{{(index .Mounts 0).Name}}", "app")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), data1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), data2)
+
+	dockerCmd(c, "rm", "-f", "-v", "app")
+	dockerCmd(c, "rm", "-f", "-v", "data1")
+	dockerCmd(c, "rm", "-f", "-v", "data2")
+
+	// Both volume should not exist
+	out, _ = dockerCmd(c, "volume", "ls", "-q")
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), data1)
+	c.Assert(strings.TrimSpace(out), checker.Not(checker.Contains), data2)
+}
diff --git a/engine/integration-cli/docker_cli_wait_test.go b/engine/integration-cli/docker_cli_wait_test.go
new file mode 100644
index 00000000..669e54f1
--- /dev/null
+++ b/engine/integration-cli/docker_cli_wait_test.go
@@ -0,0 +1,98 @@
+package main
+
+import (
+	"bytes"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+// non-blocking wait with 0 exit code
+func (s *DockerSuite) TestWaitNonBlockedExitZero(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", "true")
+	containerID := strings.TrimSpace(out)
+
+	err := waitInspect(containerID, "{{.State.Running}}", "false", 30*time.Second)
+	c.Assert(err, checker.IsNil) //Container should have stopped by now
+
+	out, _ = dockerCmd(c, "wait", containerID)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "0", check.Commentf("failed to set up container, %v", out))
+
+}
+
+// blocking wait with 0 exit code
+func (s *DockerSuite) TestWaitBlockedExitZero(c *check.C) {
+	// Windows busybox does not support trap in this way, not sleep with sub-second
+	// granularity. It will always exit 0x40010004.
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "trap 'exit 0' TERM; while true; do usleep 10; done")
+	containerID := strings.TrimSpace(out)
+
+	c.Assert(waitRun(containerID), checker.IsNil)
+
+	chWait := make(chan string)
+	go func() {
+		chWait <- ""
+		out := icmd.RunCommand(dockerBinary, "wait", containerID).Combined()
+		chWait <- out
+	}()
+
+	<-chWait // make sure the goroutine is started
+	time.Sleep(100 * time.Millisecond)
+	dockerCmd(c, "stop", containerID)
+
+	select {
+	case status := <-chWait:
+		c.Assert(strings.TrimSpace(status), checker.Equals, "0", check.Commentf("expected exit 0, got %s", status))
+	case <-time.After(2 * time.Second):
+		c.Fatal("timeout waiting for `docker wait` to exit")
+	}
+
+}
+
+// non-blocking wait with random exit code
+func (s *DockerSuite) TestWaitNonBlockedExitRandom(c *check.C) {
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "sh", "-c", "exit 99")
+	containerID := strings.TrimSpace(out)
+
+	err := waitInspect(containerID, "{{.State.Running}}", "false", 30*time.Second)
+	c.Assert(err, checker.IsNil) //Container should have stopped by now
+	out, _ = dockerCmd(c, "wait", containerID)
+	c.Assert(strings.TrimSpace(out), checker.Equals, "99", check.Commentf("failed to set up container, %v", out))
+
+}
+
+// blocking wait with random exit code
+func (s *DockerSuite) TestWaitBlockedExitRandom(c *check.C) {
+	// Cannot run on Windows as trap in Windows busybox does not support trap in this way.
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "run", "-d", "busybox", "/bin/sh", "-c", "trap 'exit 99' TERM; while true; do usleep 10; done")
+	containerID := strings.TrimSpace(out)
+	c.Assert(waitRun(containerID), checker.IsNil)
+
+	chWait := make(chan error)
+	waitCmd := exec.Command(dockerBinary, "wait", containerID)
+	waitCmdOut := bytes.NewBuffer(nil)
+	waitCmd.Stdout = waitCmdOut
+	c.Assert(waitCmd.Start(), checker.IsNil)
+	go func() {
+		chWait <- waitCmd.Wait()
+	}()
+
+	dockerCmd(c, "stop", containerID)
+
+	select {
+	case err := <-chWait:
+		c.Assert(err, checker.IsNil, check.Commentf(waitCmdOut.String()))
+		status, err := waitCmdOut.ReadString('\n')
+		c.Assert(err, checker.IsNil)
+		c.Assert(strings.TrimSpace(status), checker.Equals, "99", check.Commentf("expected exit 99, got %s", status))
+	case <-time.After(2 * time.Second):
+		waitCmd.Process.Kill()
+		c.Fatal("timeout waiting for `docker wait` to exit")
+	}
+}
diff --git a/engine/integration-cli/docker_deprecated_api_v124_test.go b/engine/integration-cli/docker_deprecated_api_v124_test.go
new file mode 100644
index 00000000..ffb06da4
--- /dev/null
+++ b/engine/integration-cli/docker_deprecated_api_v124_test.go
@@ -0,0 +1,250 @@
+// This file will be removed when we completely drop support for
+// passing HostConfig to container start API.
+
+package main
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+)
+
+func formatV123StartAPIURL(url string) string {
+	return "/v1.23" + url
+}
+
+func (s *DockerSuite) TestDeprecatedContainerAPIStartHostConfig(c *check.C) {
+	name := "test-deprecated-api-124"
+	dockerCmd(c, "create", "--name", name, "busybox")
+	config := map[string]interface{}{
+		"Binds": []string{"/aa:/bb"},
+	}
+	res, body, err := request.Post("/containers/"+name+"/start", request.JSONBody(config))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	if versions.GreaterThanOrEqualTo(testEnv.DaemonAPIVersion(), "1.32") {
+		// assertions below won't work before 1.32
+		buf, err := request.ReadBody(body)
+		c.Assert(err, checker.IsNil)
+
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+		c.Assert(string(buf), checker.Contains, "was deprecated since API v1.22")
+	}
+}
+
+func (s *DockerSuite) TestDeprecatedContainerAPIStartVolumeBinds(c *check.C) {
+	// TODO Windows CI: Investigate further why this fails on Windows to Windows CI.
+	testRequires(c, DaemonIsLinux)
+	path := "/foo"
+	if testEnv.OSType == "windows" {
+		path = `c:\foo`
+	}
+	name := "testing"
+	config := map[string]interface{}{
+		"Image":   "busybox",
+		"Volumes": map[string]struct{}{path: {}},
+	}
+
+	res, _, err := request.Post(formatV123StartAPIURL("/containers/create?name="+name), request.JSONBody(config))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusCreated)
+
+	bindPath := RandomTmpDirPath("test", testEnv.OSType)
+	config = map[string]interface{}{
+		"Binds": []string{bindPath + ":" + path},
+	}
+	res, _, err = request.Post(formatV123StartAPIURL("/containers/"+name+"/start"), request.JSONBody(config))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNoContent)
+
+	pth, err := inspectMountSourceField(name, path)
+	c.Assert(err, checker.IsNil)
+	c.Assert(pth, checker.Equals, bindPath, check.Commentf("expected volume host path to be %s, got %s", bindPath, pth))
+}
+
+// Test for GH#10618
+func (s *DockerSuite) TestDeprecatedContainerAPIStartDupVolumeBinds(c *check.C) {
+	// TODO Windows to Windows CI - Port this
+	testRequires(c, DaemonIsLinux)
+	name := "testdups"
+	config := map[string]interface{}{
+		"Image":   "busybox",
+		"Volumes": map[string]struct{}{"/tmp": {}},
+	}
+
+	res, _, err := request.Post(formatV123StartAPIURL("/containers/create?name="+name), request.JSONBody(config))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusCreated)
+
+	bindPath1 := RandomTmpDirPath("test1", testEnv.OSType)
+	bindPath2 := RandomTmpDirPath("test2", testEnv.OSType)
+
+	config = map[string]interface{}{
+		"Binds": []string{bindPath1 + ":/tmp", bindPath2 + ":/tmp"},
+	}
+	res, body, err := request.Post(formatV123StartAPIURL("/containers/"+name+"/start"), request.JSONBody(config))
+	c.Assert(err, checker.IsNil)
+
+	buf, err := request.ReadBody(body)
+	c.Assert(err, checker.IsNil)
+
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	}
+	c.Assert(string(buf), checker.Contains, "Duplicate mount point", check.Commentf("Expected failure due to duplicate bind mounts to same path, instead got: %q with error: %v", string(buf), err))
+}
+
+func (s *DockerSuite) TestDeprecatedContainerAPIStartVolumesFrom(c *check.C) {
+	// TODO Windows to Windows CI - Port this
+	testRequires(c, DaemonIsLinux)
+	volName := "voltst"
+	volPath := "/tmp"
+
+	dockerCmd(c, "run", "--name", volName, "-v", volPath, "busybox")
+
+	name := "TestContainerAPIStartVolumesFrom"
+	config := map[string]interface{}{
+		"Image":   "busybox",
+		"Volumes": map[string]struct{}{volPath: {}},
+	}
+
+	res, _, err := request.Post(formatV123StartAPIURL("/containers/create?name="+name), request.JSONBody(config))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusCreated)
+
+	config = map[string]interface{}{
+		"VolumesFrom": []string{volName},
+	}
+	res, _, err = request.Post(formatV123StartAPIURL("/containers/"+name+"/start"), request.JSONBody(config))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNoContent)
+
+	pth, err := inspectMountSourceField(name, volPath)
+	c.Assert(err, checker.IsNil)
+	pth2, err := inspectMountSourceField(volName, volPath)
+	c.Assert(err, checker.IsNil)
+	c.Assert(pth, checker.Equals, pth2, check.Commentf("expected volume host path to be %s, got %s", pth, pth2))
+}
+
+// #9981 - Allow a docker created volume (ie, one in /var/lib/docker/volumes) to be used to overwrite (via passing in Binds on api start) an existing volume
+func (s *DockerSuite) TestDeprecatedPostContainerBindNormalVolume(c *check.C) {
+	// TODO Windows to Windows CI - Port this
+	testRequires(c, DaemonIsLinux)
+	dockerCmd(c, "create", "-v", "/foo", "--name=one", "busybox")
+
+	fooDir, err := inspectMountSourceField("one", "/foo")
+	c.Assert(err, checker.IsNil)
+
+	dockerCmd(c, "create", "-v", "/foo", "--name=two", "busybox")
+
+	bindSpec := map[string][]string{"Binds": {fooDir + ":/foo"}}
+	res, _, err := request.Post(formatV123StartAPIURL("/containers/two/start"), request.JSONBody(bindSpec))
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNoContent)
+
+	fooDir2, err := inspectMountSourceField("two", "/foo")
+	c.Assert(err, checker.IsNil)
+	c.Assert(fooDir2, checker.Equals, fooDir, check.Commentf("expected volume path to be %s, got: %s", fooDir, fooDir2))
+}
+
+func (s *DockerSuite) TestDeprecatedStartWithTooLowMemoryLimit(c *check.C) {
+	// TODO Windows: Port once memory is supported
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "create", "busybox")
+
+	containerID := strings.TrimSpace(out)
+
+	config := `{
+                "CpuShares": 100,
+                "Memory":    524287
+        }`
+
+	res, body, err := request.Post(formatV123StartAPIURL("/containers/"+containerID+"/start"), request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	b, err2 := request.ReadBody(body)
+	c.Assert(err2, checker.IsNil)
+	if versions.LessThan(testEnv.DaemonAPIVersion(), "1.32") {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusInternalServerError)
+	} else {
+		c.Assert(res.StatusCode, checker.Equals, http.StatusBadRequest)
+	}
+	c.Assert(string(b), checker.Contains, "Minimum memory limit allowed is 4MB")
+}
+
+// #14640
+func (s *DockerSuite) TestDeprecatedPostContainersStartWithoutLinksInHostConfig(c *check.C) {
+	// TODO Windows: Windows doesn't support supplying a hostconfig on start.
+	// An alternate test could be written to validate the negative testing aspect of this
+	testRequires(c, DaemonIsLinux)
+	name := "test-host-config-links"
+	dockerCmd(c, append([]string{"create", "--name", name, "busybox"}, sleepCommandForDaemonPlatform()...)...)
+
+	hc := inspectFieldJSON(c, name, "HostConfig")
+	config := `{"HostConfig":` + hc + `}`
+
+	res, b, err := request.Post(formatV123StartAPIURL("/containers/"+name+"/start"), request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNoContent)
+	b.Close()
+}
+
+// #14640
+func (s *DockerSuite) TestDeprecatedPostContainersStartWithLinksInHostConfig(c *check.C) {
+	// TODO Windows: Windows doesn't support supplying a hostconfig on start.
+	// An alternate test could be written to validate the negative testing aspect of this
+	testRequires(c, DaemonIsLinux)
+	name := "test-host-config-links"
+	dockerCmd(c, "run", "--name", "foo", "-d", "busybox", "top")
+	dockerCmd(c, "create", "--name", name, "--link", "foo:bar", "busybox", "top")
+
+	hc := inspectFieldJSON(c, name, "HostConfig")
+	config := `{"HostConfig":` + hc + `}`
+
+	res, b, err := request.Post(formatV123StartAPIURL("/containers/"+name+"/start"), request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNoContent)
+	b.Close()
+}
+
+// #14640
+func (s *DockerSuite) TestDeprecatedPostContainersStartWithLinksInHostConfigIdLinked(c *check.C) {
+	// Windows does not support links
+	testRequires(c, DaemonIsLinux)
+	name := "test-host-config-links"
+	out, _ := dockerCmd(c, "run", "--name", "link0", "-d", "busybox", "top")
+	defer dockerCmd(c, "stop", "link0")
+	id := strings.TrimSpace(out)
+	dockerCmd(c, "create", "--name", name, "--link", id, "busybox", "top")
+	defer dockerCmd(c, "stop", name)
+
+	hc := inspectFieldJSON(c, name, "HostConfig")
+	config := `{"HostConfig":` + hc + `}`
+
+	res, b, err := request.Post(formatV123StartAPIURL("/containers/"+name+"/start"), request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNoContent)
+	b.Close()
+}
+
+func (s *DockerSuite) TestDeprecatedStartWithNilDNS(c *check.C) {
+	// TODO Windows: Add once DNS is supported
+	testRequires(c, DaemonIsLinux)
+	out, _ := dockerCmd(c, "create", "busybox")
+	containerID := strings.TrimSpace(out)
+
+	config := `{"HostConfig": {"Dns": null}}`
+
+	res, b, err := request.Post(formatV123StartAPIURL("/containers/"+containerID+"/start"), request.RawString(config), request.JSON)
+	c.Assert(err, checker.IsNil)
+	c.Assert(res.StatusCode, checker.Equals, http.StatusNoContent)
+	b.Close()
+
+	dns := inspectFieldJSON(c, containerID, "HostConfig.Dns")
+	c.Assert(dns, checker.Equals, "[]")
+}
diff --git a/engine/integration-cli/docker_deprecated_api_v124_unix_test.go b/engine/integration-cli/docker_deprecated_api_v124_unix_test.go
new file mode 100644
index 00000000..c182b2a7
--- /dev/null
+++ b/engine/integration-cli/docker_deprecated_api_v124_unix_test.go
@@ -0,0 +1,31 @@
+// +build !windows
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+)
+
+// #19100 This is a deprecated feature test, it should be removed in Docker 1.12
+func (s *DockerNetworkSuite) TestDeprecatedDockerNetworkStartAPIWithHostconfig(c *check.C) {
+	netName := "test"
+	conName := "foo"
+	dockerCmd(c, "network", "create", netName)
+	dockerCmd(c, "create", "--name", conName, "busybox", "top")
+
+	config := map[string]interface{}{
+		"HostConfig": map[string]interface{}{
+			"NetworkMode": netName,
+		},
+	}
+	_, _, err := request.Post(formatV123StartAPIURL("/containers/"+conName+"/start"), request.JSONBody(config))
+	c.Assert(err, checker.IsNil)
+	c.Assert(waitRun(conName), checker.IsNil)
+	networks := inspectField(c, conName, "NetworkSettings.Networks")
+	c.Assert(networks, checker.Contains, netName, check.Commentf(fmt.Sprintf("Should contain '%s' network", netName)))
+	c.Assert(networks, checker.Not(checker.Contains), "bridge", check.Commentf("Should not contain 'bridge' network"))
+}
diff --git a/engine/integration-cli/docker_hub_pull_suite_test.go b/engine/integration-cli/docker_hub_pull_suite_test.go
new file mode 100644
index 00000000..125b8c10
--- /dev/null
+++ b/engine/integration-cli/docker_hub_pull_suite_test.go
@@ -0,0 +1,90 @@
+package main
+
+import (
+	"os/exec"
+	"runtime"
+	"strings"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/daemon"
+	testdaemon "github.com/docker/docker/internal/test/daemon"
+	"github.com/go-check/check"
+)
+
+func init() {
+	// FIXME. Temporarily turning this off for Windows as GH16039 was breaking
+	// Windows to Linux CI @icecrime
+	if runtime.GOOS != "windows" {
+		check.Suite(newDockerHubPullSuite())
+	}
+}
+
+// DockerHubPullSuite provides an isolated daemon that doesn't have all the
+// images that are baked into our 'global' test environment daemon (e.g.,
+// busybox, httpserver, ...).
+//
+// We use it for push/pull tests where we want to start fresh, and measure the
+// relative impact of each individual operation. As part of this suite, all
+// images are removed after each test.
+type DockerHubPullSuite struct {
+	d  *daemon.Daemon
+	ds *DockerSuite
+}
+
+// newDockerHubPullSuite returns a new instance of a DockerHubPullSuite.
+func newDockerHubPullSuite() *DockerHubPullSuite {
+	return &DockerHubPullSuite{
+		ds: &DockerSuite{},
+	}
+}
+
+// SetUpSuite starts the suite daemon.
+func (s *DockerHubPullSuite) SetUpSuite(c *check.C) {
+	testRequires(c, DaemonIsLinux, SameHostDaemon)
+	s.d = daemon.New(c, dockerBinary, dockerdBinary, testdaemon.WithEnvironment(testEnv.Execution))
+	s.d.Start(c)
+}
+
+// TearDownSuite stops the suite daemon.
+func (s *DockerHubPullSuite) TearDownSuite(c *check.C) {
+	if s.d != nil {
+		s.d.Stop(c)
+	}
+}
+
+// SetUpTest declares that all tests of this suite require network.
+func (s *DockerHubPullSuite) SetUpTest(c *check.C) {
+	testRequires(c, Network)
+}
+
+// TearDownTest removes all images from the suite daemon.
+func (s *DockerHubPullSuite) TearDownTest(c *check.C) {
+	out := s.Cmd(c, "images", "-aq")
+	images := strings.Split(out, "\n")
+	images = append([]string{"rmi", "-f"}, images...)
+	s.d.Cmd(images...)
+	s.ds.TearDownTest(c)
+}
+
+// Cmd executes a command against the suite daemon and returns the combined
+// output. The function fails the test when the command returns an error.
+func (s *DockerHubPullSuite) Cmd(c *check.C, name string, arg ...string) string {
+	out, err := s.CmdWithError(name, arg...)
+	c.Assert(err, checker.IsNil, check.Commentf("%q failed with errors: %s, %v", strings.Join(arg, " "), out, err))
+	return out
+}
+
+// CmdWithError executes a command against the suite daemon and returns the
+// combined output as well as any error.
+func (s *DockerHubPullSuite) CmdWithError(name string, arg ...string) (string, error) {
+	c := s.MakeCmd(name, arg...)
+	b, err := c.CombinedOutput()
+	return string(b), err
+}
+
+// MakeCmd returns an exec.Cmd command to run against the suite daemon.
+func (s *DockerHubPullSuite) MakeCmd(name string, arg ...string) *exec.Cmd {
+	args := []string{"--host", s.d.Sock(), name}
+	args = append(args, arg...)
+	return exec.Command(dockerBinary, args...)
+}
diff --git a/engine/integration-cli/docker_utils_test.go b/engine/integration-cli/docker_utils_test.go
new file mode 100644
index 00000000..1c05bf5d
--- /dev/null
+++ b/engine/integration-cli/docker_utils_test.go
@@ -0,0 +1,466 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/integration-cli/cli"
+	"github.com/docker/docker/integration-cli/daemon"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/go-check/check"
+	"gotest.tools/icmd"
+)
+
+// Deprecated
+func daemonHost() string {
+	return request.DaemonHost()
+}
+
+func deleteImages(images ...string) error {
+	args := []string{dockerBinary, "rmi", "-f"}
+	return icmd.RunCmd(icmd.Cmd{Command: append(args, images...)}).Error
+}
+
+// Deprecated: use cli.Docker or cli.DockerCmd
+func dockerCmdWithError(args ...string) (string, int, error) {
+	result := cli.Docker(cli.Args(args...))
+	if result.Error != nil {
+		return result.Combined(), result.ExitCode, result.Compare(icmd.Success)
+	}
+	return result.Combined(), result.ExitCode, result.Error
+}
+
+// Deprecated: use cli.Docker or cli.DockerCmd
+func dockerCmd(c *check.C, args ...string) (string, int) {
+	result := cli.DockerCmd(c, args...)
+	return result.Combined(), result.ExitCode
+}
+
+// Deprecated: use cli.Docker or cli.DockerCmd
+func dockerCmdWithResult(args ...string) *icmd.Result {
+	return cli.Docker(cli.Args(args...))
+}
+
+func findContainerIP(c *check.C, id string, network string) string {
+	out, _ := dockerCmd(c, "inspect", fmt.Sprintf("--format='{{ .NetworkSettings.Networks.%s.IPAddress }}'", network), id)
+	return strings.Trim(out, " \r\n'")
+}
+
+func getContainerCount(c *check.C) int {
+	const containers = "Containers:"
+
+	result := icmd.RunCommand(dockerBinary, "info")
+	result.Assert(c, icmd.Success)
+
+	lines := strings.Split(result.Combined(), "\n")
+	for _, line := range lines {
+		if strings.Contains(line, containers) {
+			output := strings.TrimSpace(line)
+			output = strings.TrimLeft(output, containers)
+			output = strings.Trim(output, " ")
+			containerCount, err := strconv.Atoi(output)
+			c.Assert(err, checker.IsNil)
+			return containerCount
+		}
+	}
+	return 0
+}
+
+func inspectFieldAndUnmarshall(c *check.C, name, field string, output interface{}) {
+	str := inspectFieldJSON(c, name, field)
+	err := json.Unmarshal([]byte(str), output)
+	if c != nil {
+		c.Assert(err, check.IsNil, check.Commentf("failed to unmarshal: %v", err))
+	}
+}
+
+// Deprecated: use cli.Inspect
+func inspectFilter(name, filter string) (string, error) {
+	format := fmt.Sprintf("{{%s}}", filter)
+	result := icmd.RunCommand(dockerBinary, "inspect", "-f", format, name)
+	if result.Error != nil || result.ExitCode != 0 {
+		return "", fmt.Errorf("failed to inspect %s: %s", name, result.Combined())
+	}
+	return strings.TrimSpace(result.Combined()), nil
+}
+
+// Deprecated: use cli.Inspect
+func inspectFieldWithError(name, field string) (string, error) {
+	return inspectFilter(name, fmt.Sprintf(".%s", field))
+}
+
+// Deprecated: use cli.Inspect
+func inspectField(c *check.C, name, field string) string {
+	out, err := inspectFilter(name, fmt.Sprintf(".%s", field))
+	if c != nil {
+		c.Assert(err, check.IsNil)
+	}
+	return out
+}
+
+// Deprecated: use cli.Inspect
+func inspectFieldJSON(c *check.C, name, field string) string {
+	out, err := inspectFilter(name, fmt.Sprintf("json .%s", field))
+	if c != nil {
+		c.Assert(err, check.IsNil)
+	}
+	return out
+}
+
+// Deprecated: use cli.Inspect
+func inspectFieldMap(c *check.C, name, path, field string) string {
+	out, err := inspectFilter(name, fmt.Sprintf("index .%s %q", path, field))
+	if c != nil {
+		c.Assert(err, check.IsNil)
+	}
+	return out
+}
+
+// Deprecated: use cli.Inspect
+func inspectMountSourceField(name, destination string) (string, error) {
+	m, err := inspectMountPoint(name, destination)
+	if err != nil {
+		return "", err
+	}
+	return m.Source, nil
+}
+
+// Deprecated: use cli.Inspect
+func inspectMountPoint(name, destination string) (types.MountPoint, error) {
+	out, err := inspectFilter(name, "json .Mounts")
+	if err != nil {
+		return types.MountPoint{}, err
+	}
+
+	return inspectMountPointJSON(out, destination)
+}
+
+var errMountNotFound = errors.New("mount point not found")
+
+// Deprecated: use cli.Inspect
+func inspectMountPointJSON(j, destination string) (types.MountPoint, error) {
+	var mp []types.MountPoint
+	if err := json.Unmarshal([]byte(j), &mp); err != nil {
+		return types.MountPoint{}, err
+	}
+
+	var m *types.MountPoint
+	for _, c := range mp {
+		if c.Destination == destination {
+			m = &c
+			break
+		}
+	}
+
+	if m == nil {
+		return types.MountPoint{}, errMountNotFound
+	}
+
+	return *m, nil
+}
+
+// Deprecated: use cli.Inspect
+func inspectImage(c *check.C, name, filter string) string {
+	args := []string{"inspect", "--type", "image"}
+	if filter != "" {
+		format := fmt.Sprintf("{{%s}}", filter)
+		args = append(args, "-f", format)
+	}
+	args = append(args, name)
+	result := icmd.RunCommand(dockerBinary, args...)
+	result.Assert(c, icmd.Success)
+	return strings.TrimSpace(result.Combined())
+}
+
+func getIDByName(c *check.C, name string) string {
+	id, err := inspectFieldWithError(name, "Id")
+	c.Assert(err, checker.IsNil)
+	return id
+}
+
+// Deprecated: use cli.Build
+func buildImageSuccessfully(c *check.C, name string, cmdOperators ...cli.CmdOperator) {
+	buildImage(name, cmdOperators...).Assert(c, icmd.Success)
+}
+
+// Deprecated: use cli.Build
+func buildImage(name string, cmdOperators ...cli.CmdOperator) *icmd.Result {
+	return cli.Docker(cli.Build(name), cmdOperators...)
+}
+
+// Write `content` to the file at path `dst`, creating it if necessary,
+// as well as any missing directories.
+// The file is truncated if it already exists.
+// Fail the test when error occurs.
+func writeFile(dst, content string, c *check.C) {
+	// Create subdirectories if necessary
+	c.Assert(os.MkdirAll(path.Dir(dst), 0700), check.IsNil)
+	f, err := os.OpenFile(dst, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0700)
+	c.Assert(err, check.IsNil)
+	defer f.Close()
+	// Write content (truncate if it exists)
+	_, err = io.Copy(f, strings.NewReader(content))
+	c.Assert(err, check.IsNil)
+}
+
+// Return the contents of file at path `src`.
+// Fail the test when error occurs.
+func readFile(src string, c *check.C) (content string) {
+	data, err := ioutil.ReadFile(src)
+	c.Assert(err, check.IsNil)
+
+	return string(data)
+}
+
+func containerStorageFile(containerID, basename string) string {
+	return filepath.Join(testEnv.PlatformDefaults.ContainerStoragePath, containerID, basename)
+}
+
+// docker commands that use this function must be run with the '-d' switch.
+func runCommandAndReadContainerFile(c *check.C, filename string, command string, args ...string) []byte {
+	result := icmd.RunCommand(command, args...)
+	result.Assert(c, icmd.Success)
+	contID := strings.TrimSpace(result.Combined())
+	if err := waitRun(contID); err != nil {
+		c.Fatalf("%v: %q", contID, err)
+	}
+	return readContainerFile(c, contID, filename)
+}
+
+func readContainerFile(c *check.C, containerID, filename string) []byte {
+	f, err := os.Open(containerStorageFile(containerID, filename))
+	c.Assert(err, checker.IsNil)
+	defer f.Close()
+
+	content, err := ioutil.ReadAll(f)
+	c.Assert(err, checker.IsNil)
+	return content
+}
+
+func readContainerFileWithExec(c *check.C, containerID, filename string) []byte {
+	result := icmd.RunCommand(dockerBinary, "exec", containerID, "cat", filename)
+	result.Assert(c, icmd.Success)
+	return []byte(result.Combined())
+}
+
+// daemonTime provides the current time on the daemon host
+func daemonTime(c *check.C) time.Time {
+	if testEnv.IsLocalDaemon() {
+		return time.Now()
+	}
+	cli, err := client.NewEnvClient()
+	c.Assert(err, check.IsNil)
+	defer cli.Close()
+
+	info, err := cli.Info(context.Background())
+	c.Assert(err, check.IsNil)
+
+	dt, err := time.Parse(time.RFC3339Nano, info.SystemTime)
+	c.Assert(err, check.IsNil, check.Commentf("invalid time format in GET /info response"))
+	return dt
+}
+
+// daemonUnixTime returns the current time on the daemon host with nanoseconds precision.
+// It return the time formatted how the client sends timestamps to the server.
+func daemonUnixTime(c *check.C) string {
+	return parseEventTime(daemonTime(c))
+}
+
+func parseEventTime(t time.Time) string {
+	return fmt.Sprintf("%d.%09d", t.Unix(), int64(t.Nanosecond()))
+}
+
+// appendBaseEnv appends the minimum set of environment variables to exec the
+// docker cli binary for testing with correct configuration to the given env
+// list.
+func appendBaseEnv(isTLS bool, env ...string) []string {
+	preserveList := []string{
+		// preserve remote test host
+		"DOCKER_HOST",
+
+		// windows: requires preserving SystemRoot, otherwise dial tcp fails
+		// with "GetAddrInfoW: A non-recoverable error occurred during a database lookup."
+		"SystemRoot",
+
+		// testing help text requires the $PATH to dockerd is set
+		"PATH",
+	}
+	if isTLS {
+		preserveList = append(preserveList, "DOCKER_TLS_VERIFY", "DOCKER_CERT_PATH")
+	}
+
+	for _, key := range preserveList {
+		if val := os.Getenv(key); val != "" {
+			env = append(env, fmt.Sprintf("%s=%s", key, val))
+		}
+	}
+	return env
+}
+
+func createTmpFile(c *check.C, content string) string {
+	f, err := ioutil.TempFile("", "testfile")
+	c.Assert(err, check.IsNil)
+
+	filename := f.Name()
+
+	err = ioutil.WriteFile(filename, []byte(content), 0644)
+	c.Assert(err, check.IsNil)
+
+	return filename
+}
+
+// waitRun will wait for the specified container to be running, maximum 5 seconds.
+// Deprecated: use cli.WaitFor
+func waitRun(contID string) error {
+	return waitInspect(contID, "{{.State.Running}}", "true", 5*time.Second)
+}
+
+// waitInspect will wait for the specified container to have the specified string
+// in the inspect output. It will wait until the specified timeout (in seconds)
+// is reached.
+// Deprecated: use cli.WaitFor
+func waitInspect(name, expr, expected string, timeout time.Duration) error {
+	return waitInspectWithArgs(name, expr, expected, timeout)
+}
+
+// Deprecated: use cli.WaitFor
+func waitInspectWithArgs(name, expr, expected string, timeout time.Duration, arg ...string) error {
+	return daemon.WaitInspectWithArgs(dockerBinary, name, expr, expected, timeout, arg...)
+}
+
+func getInspectBody(c *check.C, version, id string) []byte {
+	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithVersion(version))
+	c.Assert(err, check.IsNil)
+	defer cli.Close()
+	_, body, err := cli.ContainerInspectWithRaw(context.Background(), id, false)
+	c.Assert(err, check.IsNil)
+	return body
+}
+
+// Run a long running idle task in a background container using the
+// system-specific default image and command.
+func runSleepingContainer(c *check.C, extraArgs ...string) string {
+	return runSleepingContainerInImage(c, defaultSleepImage, extraArgs...)
+}
+
+// Run a long running idle task in a background container using the specified
+// image and the system-specific command.
+func runSleepingContainerInImage(c *check.C, image string, extraArgs ...string) string {
+	args := []string{"run", "-d"}
+	args = append(args, extraArgs...)
+	args = append(args, image)
+	args = append(args, sleepCommandForDaemonPlatform()...)
+	return strings.TrimSpace(cli.DockerCmd(c, args...).Combined())
+}
+
+// minimalBaseImage returns the name of the minimal base image for the current
+// daemon platform.
+func minimalBaseImage() string {
+	return testEnv.PlatformDefaults.BaseImage
+}
+
+func getGoroutineNumber() (int, error) {
+	cli, err := client.NewEnvClient()
+	if err != nil {
+		return 0, err
+	}
+	defer cli.Close()
+
+	info, err := cli.Info(context.Background())
+	if err != nil {
+		return 0, err
+	}
+	return info.NGoroutines, nil
+}
+
+func waitForGoroutines(expected int) error {
+	t := time.After(30 * time.Second)
+	for {
+		select {
+		case <-t:
+			n, err := getGoroutineNumber()
+			if err != nil {
+				return err
+			}
+			if n > expected {
+				return fmt.Errorf("leaked goroutines: expected less than or equal to %d, got: %d", expected, n)
+			}
+		default:
+			n, err := getGoroutineNumber()
+			if err != nil {
+				return err
+			}
+			if n <= expected {
+				return nil
+			}
+			time.Sleep(200 * time.Millisecond)
+		}
+	}
+}
+
+// getErrorMessage returns the error message from an error API response
+func getErrorMessage(c *check.C, body []byte) string {
+	var resp types.ErrorResponse
+	c.Assert(json.Unmarshal(body, &resp), check.IsNil)
+	return strings.TrimSpace(resp.Message)
+}
+
+func waitAndAssert(c *check.C, timeout time.Duration, f checkF, checker check.Checker, args ...interface{}) {
+	after := time.After(timeout)
+	for {
+		v, comment := f(c)
+		assert, _ := checker.Check(append([]interface{}{v}, args...), checker.Info().Params)
+		select {
+		case <-after:
+			assert = true
+		default:
+		}
+		if assert {
+			if comment != nil {
+				args = append(args, comment)
+			}
+			c.Assert(v, checker, args...)
+			return
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+}
+
+type checkF func(*check.C) (interface{}, check.CommentInterface)
+type reducer func(...interface{}) interface{}
+
+func reducedCheck(r reducer, funcs ...checkF) checkF {
+	return func(c *check.C) (interface{}, check.CommentInterface) {
+		var values []interface{}
+		var comments []string
+		for _, f := range funcs {
+			v, comment := f(c)
+			values = append(values, v)
+			if comment != nil {
+				comments = append(comments, comment.CheckCommentString())
+			}
+		}
+		return r(values...), check.Commentf("%v", strings.Join(comments, ", "))
+	}
+}
+
+func sumAsIntegers(vals ...interface{}) interface{} {
+	var s int
+	for _, v := range vals {
+		s += v.(int)
+	}
+	return s
+}
diff --git a/engine/integration-cli/environment/environment.go b/engine/integration-cli/environment/environment.go
new file mode 100644
index 00000000..82cf9965
--- /dev/null
+++ b/engine/integration-cli/environment/environment.go
@@ -0,0 +1,49 @@
+package environment // import "github.com/docker/docker/integration-cli/environment"
+
+import (
+	"os"
+	"os/exec"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var (
+	// DefaultClientBinary is the name of the docker binary
+	DefaultClientBinary = os.Getenv("TEST_CLIENT_BINARY")
+)
+
+func init() {
+	if DefaultClientBinary == "" {
+		DefaultClientBinary = "docker"
+	}
+}
+
+// Execution contains information about the current test execution and daemon
+// under test
+type Execution struct {
+	environment.Execution
+	dockerBinary string
+}
+
+// DockerBinary returns the docker binary for this testing environment
+func (e *Execution) DockerBinary() string {
+	return e.dockerBinary
+}
+
+// New returns details about the testing environment
+func New() (*Execution, error) {
+	env, err := environment.New()
+	if err != nil {
+		return nil, err
+	}
+
+	dockerBinary, err := exec.LookPath(DefaultClientBinary)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Execution{
+		Execution:    *env,
+		dockerBinary: dockerBinary,
+	}, nil
+}
diff --git a/engine/integration-cli/events_utils_test.go b/engine/integration-cli/events_utils_test.go
new file mode 100644
index 00000000..356b2c32
--- /dev/null
+++ b/engine/integration-cli/events_utils_test.go
@@ -0,0 +1,206 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"os/exec"
+	"regexp"
+	"strconv"
+	"strings"
+
+	eventstestutils "github.com/docker/docker/daemon/events/testutils"
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/go-check/check"
+	"github.com/sirupsen/logrus"
+)
+
+// eventMatcher is a function that tries to match an event input.
+// It returns true if the event matches and a map with
+// a set of key/value to identify the match.
+type eventMatcher func(text string) (map[string]string, bool)
+
+// eventMatchProcessor is a function to handle an event match.
+// It receives a map of key/value with the information extracted in a match.
+type eventMatchProcessor func(matches map[string]string)
+
+// eventObserver runs an events commands and observes its output.
+type eventObserver struct {
+	buffer             *bytes.Buffer
+	command            *exec.Cmd
+	scanner            *bufio.Scanner
+	startTime          string
+	disconnectionError error
+}
+
+// newEventObserver creates the observer and initializes the command
+// without running it. Users must call `eventObserver.Start` to start the command.
+func newEventObserver(c *check.C, args ...string) (*eventObserver, error) {
+	since := daemonTime(c).Unix()
+	return newEventObserverWithBacklog(c, since, args...)
+}
+
+// newEventObserverWithBacklog creates a new observer changing the start time of the backlog to return.
+func newEventObserverWithBacklog(c *check.C, since int64, args ...string) (*eventObserver, error) {
+	startTime := strconv.FormatInt(since, 10)
+	cmdArgs := []string{"events", "--since", startTime}
+	if len(args) > 0 {
+		cmdArgs = append(cmdArgs, args...)
+	}
+	eventsCmd := exec.Command(dockerBinary, cmdArgs...)
+	stdout, err := eventsCmd.StdoutPipe()
+	if err != nil {
+		return nil, err
+	}
+
+	return &eventObserver{
+		buffer:    new(bytes.Buffer),
+		command:   eventsCmd,
+		scanner:   bufio.NewScanner(stdout),
+		startTime: startTime,
+	}, nil
+}
+
+// Start starts the events command.
+func (e *eventObserver) Start() error {
+	return e.command.Start()
+}
+
+// Stop stops the events command.
+func (e *eventObserver) Stop() {
+	e.command.Process.Kill()
+	e.command.Wait()
+}
+
+// Match tries to match the events output with a given matcher.
+func (e *eventObserver) Match(match eventMatcher, process eventMatchProcessor) {
+	for e.scanner.Scan() {
+		text := e.scanner.Text()
+		e.buffer.WriteString(text)
+		e.buffer.WriteString("\n")
+
+		if matches, ok := match(text); ok {
+			process(matches)
+		}
+	}
+
+	err := e.scanner.Err()
+	if err == nil {
+		err = io.EOF
+	}
+
+	logrus.Debugf("EventObserver scanner loop finished: %v", err)
+	e.disconnectionError = err
+}
+
+func (e *eventObserver) CheckEventError(c *check.C, id, event string, match eventMatcher) {
+	var foundEvent bool
+	scannerOut := e.buffer.String()
+
+	if e.disconnectionError != nil {
+		until := daemonUnixTime(c)
+		out, _ := dockerCmd(c, "events", "--since", e.startTime, "--until", until)
+		events := strings.Split(strings.TrimSpace(out), "\n")
+		for _, e := range events {
+			if _, ok := match(e); ok {
+				foundEvent = true
+				break
+			}
+		}
+		scannerOut = out
+	}
+	if !foundEvent {
+		c.Fatalf("failed to observe event `%s` for %s. Disconnection error: %v\nout:\n%v", event, id, e.disconnectionError, scannerOut)
+	}
+}
+
+// matchEventLine matches a text with the event regular expression.
+// It returns the matches and true if the regular expression matches with the given id and event type.
+// It returns an empty map and false if there is no match.
+func matchEventLine(id, eventType string, actions map[string]chan bool) eventMatcher {
+	return func(text string) (map[string]string, bool) {
+		matches := eventstestutils.ScanMap(text)
+		if len(matches) == 0 {
+			return matches, false
+		}
+
+		if matchIDAndEventType(matches, id, eventType) {
+			if _, ok := actions[matches["action"]]; ok {
+				return matches, true
+			}
+		}
+		return matches, false
+	}
+}
+
+// processEventMatch closes an action channel when an event line matches the expected action.
+func processEventMatch(actions map[string]chan bool) eventMatchProcessor {
+	return func(matches map[string]string) {
+		if ch, ok := actions[matches["action"]]; ok {
+			ch <- true
+		}
+	}
+}
+
+// parseEventAction parses an event text and returns the action.
+// It fails if the text is not in the event format.
+func parseEventAction(c *check.C, text string) string {
+	matches := eventstestutils.ScanMap(text)
+	return matches["action"]
+}
+
+// eventActionsByIDAndType returns the actions for a given id and type.
+// It fails if the text is not in the event format.
+func eventActionsByIDAndType(c *check.C, events []string, id, eventType string) []string {
+	var filtered []string
+	for _, event := range events {
+		matches := eventstestutils.ScanMap(event)
+		c.Assert(matches, checker.Not(checker.IsNil))
+		if matchIDAndEventType(matches, id, eventType) {
+			filtered = append(filtered, matches["action"])
+		}
+	}
+	return filtered
+}
+
+// matchIDAndEventType returns true if an event matches a given id and type.
+// It also resolves names in the event attributes if the id doesn't match.
+func matchIDAndEventType(matches map[string]string, id, eventType string) bool {
+	return matchEventID(matches, id) && matches["eventType"] == eventType
+}
+
+func matchEventID(matches map[string]string, id string) bool {
+	matchID := matches["id"] == id || strings.HasPrefix(matches["id"], id)
+	if !matchID && matches["attributes"] != "" {
+		// try matching a name in the attributes
+		attributes := map[string]string{}
+		for _, a := range strings.Split(matches["attributes"], ", ") {
+			kv := strings.Split(a, "=")
+			attributes[kv[0]] = kv[1]
+		}
+		matchID = attributes["name"] == id
+	}
+	return matchID
+}
+
+func parseEvents(c *check.C, out, match string) {
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	for _, event := range events {
+		matches := eventstestutils.ScanMap(event)
+		matched, err := regexp.MatchString(match, matches["action"])
+		c.Assert(err, checker.IsNil)
+		c.Assert(matched, checker.True, check.Commentf("Matcher: %s did not match %s", match, matches["action"]))
+	}
+}
+
+func parseEventsWithID(c *check.C, out, match, id string) {
+	events := strings.Split(strings.TrimSpace(out), "\n")
+	for _, event := range events {
+		matches := eventstestutils.ScanMap(event)
+		c.Assert(matchEventID(matches, id), checker.True)
+
+		matched, err := regexp.MatchString(match, matches["action"])
+		c.Assert(err, checker.IsNil)
+		c.Assert(matched, checker.True, check.Commentf("Matcher: %s did not match %s", match, matches["action"]))
+	}
+}
diff --git a/engine/integration-cli/fixtures/auth/docker-credential-shell-test b/engine/integration-cli/fixtures/auth/docker-credential-shell-test
new file mode 100755
index 00000000..97b3f148
--- /dev/null
+++ b/engine/integration-cli/fixtures/auth/docker-credential-shell-test
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+set -e
+
+listFile=shell_test_list.json
+
+case $1 in
+	"store")
+		in=$(</dev/stdin)
+		server=$(echo "$in" | jq --raw-output ".ServerURL")
+		serverHash=$(echo "$server" | sha1sum - | awk '{print $1}')
+
+		username=$(echo "$in" | jq --raw-output ".Username")
+		password=$(echo "$in" | jq --raw-output ".Secret")
+		echo "{ \"Username\": \"${username}\", \"Secret\": \"${password}\" }" > $TEMP/$serverHash
+		# add the server to the list file
+		if [[ ! -f $TEMP/$listFile ]]; then
+			echo "{ \"${server}\": \"${username}\" }" > $TEMP/$listFile
+		else
+			list=$(<$TEMP/$listFile)
+			echo "$list" | jq ". + {\"${server}\": \"${username}\"}" > $TEMP/$listFile
+		fi
+		;;
+	"get")
+		in=$(</dev/stdin)
+		serverHash=$(echo "$in" | sha1sum - | awk '{print $1}')
+		if [[ ! -f $TEMP/$serverHash ]]; then
+			echo "credentials not found in native keychain"
+			exit 1
+		fi
+		payload=$(<$TEMP/$serverHash)
+		echo "$payload"
+		;;
+	"erase")
+		in=$(</dev/stdin)
+		serverHash=$(echo "$in" | sha1sum - | awk '{print $1}')
+		rm -f $TEMP/$serverHash
+
+		# Remove the server from the list
+		list=$(<$TEMP/$listFile)
+		echo "$list" | jq "del(.[\"${in}\"])" > $TEMP/$listFile
+		;;
+	"list")
+		if [[ ! -f $TEMP/$listFile ]]; then
+			echo "{}"
+		else
+			payload=$(<$TEMP/$listFile)
+			echo "$payload"
+		fi
+		;;
+	*)
+		echo "unknown credential option"
+		exit 1
+		;;
+esac
diff --git a/engine/integration-cli/fixtures/credentialspecs/valid.json b/engine/integration-cli/fixtures/credentialspecs/valid.json
new file mode 100644
index 00000000..28913e49
--- /dev/null
+++ b/engine/integration-cli/fixtures/credentialspecs/valid.json
@@ -0,0 +1,25 @@
+{
+    "CmsPlugins":  [
+                       "ActiveDirectory"
+                   ],
+    "DomainJoinConfig":  {
+                             "Sid":  "S-1-5-21-4288985-3632099173-1864715694",
+                             "MachineAccountName":  "MusicStoreAcct",
+                             "Guid":  "3705d4c3-0b80-42a9-ad97-ebc1801c74b9",
+                             "DnsTreeName":  "hyperv.local",
+                             "DnsName":  "hyperv.local",
+                             "NetBiosName":  "hyperv"
+                         },
+    "ActiveDirectoryConfig":  {
+                                  "GroupManagedServiceAccounts":  [
+                                                                      {
+                                                                          "Name":  "MusicStoreAcct",
+                                                                          "Scope":  "hyperv.local"
+                                                                      },
+                                                                      {
+                                                                          "Name":  "MusicStoreAcct",
+                                                                          "Scope":  "hyperv"
+                                                                      }
+                                                                  ]
+                              }
+}
diff --git a/engine/integration-cli/fixtures/https/ca.pem b/engine/integration-cli/fixtures/https/ca.pem
new file mode 120000
index 00000000..70a3e6ce
--- /dev/null
+++ b/engine/integration-cli/fixtures/https/ca.pem
@@ -0,0 +1 @@
+../../../integration/testdata/https/ca.pem
\ No newline at end of file
diff --git a/engine/integration-cli/fixtures/https/client-cert.pem b/engine/integration-cli/fixtures/https/client-cert.pem
new file mode 120000
index 00000000..45888202
--- /dev/null
+++ b/engine/integration-cli/fixtures/https/client-cert.pem
@@ -0,0 +1 @@
+../../../integration/testdata/https/client-cert.pem
\ No newline at end of file
diff --git a/engine/integration-cli/fixtures/https/client-key.pem b/engine/integration-cli/fixtures/https/client-key.pem
new file mode 120000
index 00000000..d5f6bbee
--- /dev/null
+++ b/engine/integration-cli/fixtures/https/client-key.pem
@@ -0,0 +1 @@
+../../../integration/testdata/https/client-key.pem
\ No newline at end of file
diff --git a/engine/integration-cli/fixtures/https/client-rogue-cert.pem b/engine/integration-cli/fixtures/https/client-rogue-cert.pem
new file mode 100644
index 00000000..21ae4bd5
--- /dev/null
+++ b/engine/integration-cli/fixtures/https/client-rogue-cert.pem
@@ -0,0 +1,73 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=SanFrancisco, O=Evil Inc, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain
+        Validity
+            Not Before: Feb 24 17:54:59 2014 GMT
+            Not After : Feb 22 17:54:59 2024 GMT
+        Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client/name=changeme/emailAddress=mail@host.domain
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:e8:e2:2c:b8:d4:db:89:50:4f:47:1e:68:db:f7:
+                    e4:cc:47:41:63:75:03:37:50:7a:a8:4d:27:36:d5:
+                    15:01:08:b6:cf:56:f7:56:6d:3d:f9:e2:8d:1a:5d:
+                    bf:a0:24:5e:07:55:8e:d0:dc:f1:fa:19:87:1d:d6:
+                    b6:58:82:2e:ba:69:6d:e9:d9:c8:16:0d:1d:59:7f:
+                    f4:8e:58:10:01:3d:21:14:16:3c:ec:cd:8c:b7:0e:
+                    e6:7b:77:b4:f9:90:a5:17:01:bb:84:c6:b2:12:87:
+                    70:eb:9f:6d:4f:d0:68:8b:96:c0:e7:0b:51:b4:9d:
+                    1d:7b:6c:7b:be:89:6b:88:8b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                9E:F8:49:D0:A2:76:30:5C:AB:2B:8A:B5:8D:C6:45:1F:A7:F8:CF:85
+            X509v3 Authority Key Identifier: 
+                keyid:DC:A5:F1:76:DB:4E:CD:8E:EF:B1:23:56:1D:92:80:99:74:3B:EA:6F
+                DirName:/C=US/ST=CA/L=SanFrancisco/O=Evil Inc/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
+                serial:E7:21:1E:18:41:1B:96:83
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         48:76:c0:18:fa:0a:ee:4e:1a:ec:02:9d:d4:83:ca:94:54:a1:
+         3f:51:2f:3e:4b:95:c3:42:9b:71:a0:4b:d9:af:47:23:b9:1c:
+         fb:85:ba:76:e2:09:cb:65:bb:d2:7d:44:3d:4b:67:ba:80:83:
+         be:a8:ed:c4:b9:ea:1a:1b:c7:59:3b:d9:5c:0d:46:d8:c9:92:
+         cb:10:c5:f2:1a:38:a4:aa:07:2c:e3:84:16:79:c7:95:09:e3:
+         01:d2:15:a2:77:0b:8b:bf:94:04:e9:7f:c0:cd:e6:2e:64:cd:
+         1e:a3:32:ec:11:cc:62:ce:c7:4e:cd:ad:48:5c:b1:b8:e9:76:
+         b3:f9
+-----BEGIN CERTIFICATE-----
+MIIEDTCCA3agAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xETAPBgNVBAoTCEV2
+aWwgSW5jMREwDwYDVQQLEwhjaGFuZ2VtZTERMA8GA1UEAxMIY2hhbmdlbWUxETAP
+BgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3QuZG9tYWlu
+MB4XDTE0MDIyNDE3NTQ1OVoXDTI0MDIyMjE3NTQ1OVowgaAxCzAJBgNVBAYTAlVT
+MQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxG
+b3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMQ8wDQYDVQQDEwZjbGllbnQx
+ETAPBgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3QuZG9t
+YWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDo4iy41NuJUE9HHmjb9+TM
+R0FjdQM3UHqoTSc21RUBCLbPVvdWbT354o0aXb+gJF4HVY7Q3PH6GYcd1rZYgi66
+aW3p2cgWDR1Zf/SOWBABPSEUFjzszYy3DuZ7d7T5kKUXAbuExrISh3Drn21P0GiL
+lsDnC1G0nR17bHu+iWuIiwIDAQABo4IBVTCCAVEwCQYDVR0TBAIwADAtBglghkgB
+hvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
+BBSe+EnQonYwXKsrirWNxkUfp/jPhTCB0wYDVR0jBIHLMIHIgBTcpfF2207Nju+x
+I1YdkoCZdDvqb6GBpKSBoTCBnjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUw
+EwYDVQQHEwxTYW5GcmFuY2lzY28xETAPBgNVBAoTCEV2aWwgSW5jMREwDwYDVQQL
+EwhjaGFuZ2VtZTERMA8GA1UEAxMIY2hhbmdlbWUxETAPBgNVBCkTCGNoYW5nZW1l
+MR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3QuZG9tYWluggkA5yEeGEEbloMwEwYD
+VR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBBQUAA4GB
+AEh2wBj6Cu5OGuwCndSDypRUoT9RLz5LlcNCm3GgS9mvRyO5HPuFunbiCctlu9J9
+RD1LZ7qAg76o7cS56hobx1k72VwNRtjJkssQxfIaOKSqByzjhBZ5x5UJ4wHSFaJ3
+C4u/lATpf8DN5i5kzR6jMuwRzGLOx07NrUhcsbjpdrP5
+-----END CERTIFICATE-----
diff --git a/engine/integration-cli/fixtures/https/client-rogue-key.pem b/engine/integration-cli/fixtures/https/client-rogue-key.pem
new file mode 100644
index 00000000..53c122ab
--- /dev/null
+++ b/engine/integration-cli/fixtures/https/client-rogue-key.pem
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOjiLLjU24lQT0ce
+aNv35MxHQWN1AzdQeqhNJzbVFQEIts9W91ZtPfnijRpdv6AkXgdVjtDc8foZhx3W
+tliCLrppbenZyBYNHVl/9I5YEAE9IRQWPOzNjLcO5nt3tPmQpRcBu4TGshKHcOuf
+bU/QaIuWwOcLUbSdHXtse76Ja4iLAgMBAAECgYADs+TmI2xCKKa6CL++D5jxrohZ
+nnionnz0xBVFh+nHlG3jqgxQsXf0yydXLfpn/2wHTdLxezHVuiYt0UYg7iD0CglW
++IjcgMebzyjLeYqYOE5llPlMvhp2HoEMYJNb+7bRrZ1WCITbu+Su0w1cgA7Cs+Ej
+VlfvGzN+qqnDThRUYQJBAPY0sMWZJKly8QhUmUvmcXdPczzSOf6Mm7gc5LR6wzxd
+vW7syuqk50qjqVqFpN81vCV7GoDxRUWbTM9ftf7JGFkCQQDyJc/1RMygE2o+enU1
+6UBxJyclXITEYtDn8aoEpLNc7RakP1WoPUKjZOnjkcoKcIkFNkSPeCfQujrb5f3F
+MkuDAkByAI/hzzmkpK5rFxEsjfX4Mve/L/DepyjrpaVY1IdWimlO1aJX6CeY7hNa
+8QsYt/74s/nfvtg+lNyKIV1aLq9xAkB+WSSNgfyTeg3x08vc+Xxajmdqoz/TiQwg
+OoTQL3A3iK5LvZBgXLasszcnOycFE3srcQmNItEDpGiZ3QPxJTEpAkEA45EE9NMJ
+SA7EGWSFlbz4f4u4oBeiDiJRJbGGfAyVxZlpCWUjPpg9+swsWoFEOjnGYaChAMk5
+nrOdMf15T6QF7Q==
+-----END PRIVATE KEY-----
diff --git a/engine/integration-cli/fixtures/https/server-cert.pem b/engine/integration-cli/fixtures/https/server-cert.pem
new file mode 120000
index 00000000..c1860106
--- /dev/null
+++ b/engine/integration-cli/fixtures/https/server-cert.pem
@@ -0,0 +1 @@
+../../../integration/testdata/https/server-cert.pem
\ No newline at end of file
diff --git a/engine/integration-cli/fixtures/https/server-key.pem b/engine/integration-cli/fixtures/https/server-key.pem
new file mode 120000
index 00000000..48b9c2df
--- /dev/null
+++ b/engine/integration-cli/fixtures/https/server-key.pem
@@ -0,0 +1 @@
+../../../integration/testdata/https/server-key.pem
\ No newline at end of file
diff --git a/engine/integration-cli/fixtures/https/server-rogue-cert.pem b/engine/integration-cli/fixtures/https/server-rogue-cert.pem
new file mode 100644
index 00000000..28feba66
--- /dev/null
+++ b/engine/integration-cli/fixtures/https/server-rogue-cert.pem
@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=SanFrancisco, O=Evil Inc, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain
+        Validity
+            Not Before: Feb 28 18:49:31 2014 GMT
+            Not After : Feb 26 18:49:31 2024 GMT
+        Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=localhost/name=changeme/emailAddress=mail@host.domain
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:d1:08:58:24:60:a1:69:65:4b:76:46:8f:88:75:
+                    7c:49:3a:d8:03:cc:5b:58:c5:d1:bb:e5:f9:54:b9:
+                    75:65:df:7e:bb:fb:54:d4:b2:e9:6f:58:a2:a4:84:
+                    43:94:77:24:81:38:36:36:f0:66:65:26:e5:5b:2a:
+                    14:1c:a9:ae:57:7f:75:00:23:14:4b:61:58:e4:82:
+                    aa:15:97:94:bd:50:35:0d:5d:18:18:ed:10:6a:bb:
+                    d3:64:5a:eb:36:98:5b:58:a7:fe:67:48:c1:6c:3f:
+                    51:2f:02:65:96:54:77:9b:34:f9:a7:d2:63:54:6a:
+                    9e:02:5c:be:65:98:a4:b4:b5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                1F:E0:57:CA:CB:76:C9:C4:86:B9:EA:69:17:C0:F3:51:CE:95:40:EC
+            X509v3 Authority Key Identifier: 
+                keyid:DC:A5:F1:76:DB:4E:CD:8E:EF:B1:23:56:1D:92:80:99:74:3B:EA:6F
+                DirName:/C=US/ST=CA/L=SanFrancisco/O=Evil Inc/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
+                serial:E7:21:1E:18:41:1B:96:83
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+         04:93:0e:28:01:94:18:f0:8c:7c:d3:0c:ad:e9:b7:46:b1:30:
+         65:ed:68:7c:8c:91:cd:1a:86:66:87:4a:4f:c0:97:bc:f7:85:
+         4b:38:79:31:b2:65:88:b1:76:16:9e:80:93:38:f4:b9:eb:65:
+         00:6d:bb:89:e0:a1:bf:95:5e:80:13:8e:01:73:d3:f1:08:73:
+         85:a5:33:75:0b:42:8a:a3:07:09:35:ef:d7:c6:58:eb:60:a3:
+         06:89:a0:53:99:e2:aa:41:90:e0:1a:d2:12:4b:48:7d:c3:9c:
+         ad:bd:0e:5e:5f:f7:09:0c:5d:7c:86:24:dd:92:d5:b3:14:06:
+         c7:9f
+-----BEGIN CERTIFICATE-----
+MIIEKjCCA5OgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xETAPBgNVBAoTCEV2
+aWwgSW5jMREwDwYDVQQLEwhjaGFuZ2VtZTERMA8GA1UEAxMIY2hhbmdlbWUxETAP
+BgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3QuZG9tYWlu
+MB4XDTE0MDIyODE4NDkzMVoXDTI0MDIyNjE4NDkzMVowgaMxCzAJBgNVBAYTAlVT
+MQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxG
+b3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMRIwEAYDVQQDEwlsb2NhbGhv
+c3QxETAPBgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3Qu
+ZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRCFgkYKFpZUt2Ro+I
+dXxJOtgDzFtYxdG75flUuXVl3367+1TUsulvWKKkhEOUdySBODY28GZlJuVbKhQc
+qa5Xf3UAIxRLYVjkgqoVl5S9UDUNXRgY7RBqu9NkWus2mFtYp/5nSMFsP1EvAmWW
+VHebNPmn0mNUap4CXL5lmKS0tQIDAQABo4IBbzCCAWswCQYDVR0TBAIwADARBglg
+hkgBhvhCAQEEBAMCBkAwNAYJYIZIAYb4QgENBCcWJUVhc3ktUlNBIEdlbmVyYXRl
+ZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFB/gV8rLdsnEhrnqaRfA81HO
+lUDsMIHTBgNVHSMEgcswgciAFNyl8XbbTs2O77EjVh2SgJl0O+pvoYGkpIGhMIGe
+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNj
+bzERMA8GA1UEChMIRXZpbCBJbmMxETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQD
+EwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1h
+aWxAaG9zdC5kb21haW6CCQDnIR4YQRuWgzATBgNVHSUEDDAKBggrBgEFBQcDATAL
+BgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQEFBQADgYEABJMOKAGUGPCMfNMMrem3RrEw
+Ze1ofIyRzRqGZodKT8CXvPeFSzh5MbJliLF2Fp6Akzj0uetlAG27ieChv5VegBOO
+AXPT8QhzhaUzdQtCiqMHCTXv18ZY62CjBomgU5niqkGQ4BrSEktIfcOcrb0OXl/3
+CQxdfIYk3ZLVsxQGx58=
+-----END CERTIFICATE-----
diff --git a/engine/integration-cli/fixtures/https/server-rogue-key.pem b/engine/integration-cli/fixtures/https/server-rogue-key.pem
new file mode 100644
index 00000000..10f7c650
--- /dev/null
+++ b/engine/integration-cli/fixtures/https/server-rogue-key.pem
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBANEIWCRgoWllS3ZG
+j4h1fEk62APMW1jF0bvl+VS5dWXffrv7VNSy6W9YoqSEQ5R3JIE4NjbwZmUm5Vsq
+FByprld/dQAjFEthWOSCqhWXlL1QNQ1dGBjtEGq702Ra6zaYW1in/mdIwWw/US8C
+ZZZUd5s0+afSY1RqngJcvmWYpLS1AgMBAAECgYAJXh9dGfuB1qlIFqduDR3RxlJR
+8UGSu+LHUeoXkuwg8aAjWoMVuSLe+5DmYIsKx0AajmNXmPRtyg1zRXJ7SltmubJ8
+6qQVDsRk6biMdkpkl6a9Gk2av40psD9/VPGxagEoop7IKYhf3AeKPvPiwVB2qFrl
+1aYMZm0aMR55pgRajQJBAOk8IsJDf0beooDZXVdv/oe4hcbM9fxO8Cn3qzoGImqD
+37LL+PCzDP7AEV3fk43SsZDeSk+LDX+h0o9nPyhzHasCQQDlb3aDgcQY9NaGLUWO
+moOCB3148eBVcAwCocu+OSkf7sbQdvXxgThBOrZl11wwRIMQqh99c2yeUwj+tELl
+3VcfAkBZTiNpCvtDIaBLge9RuZpWUXs3wec2cutWxnSTxSGMc25GQf/R+l0xdk2w
+ChmvpktDUzpU9sN2aXn8WuY+EMX9AkEApbLpUbKPUELLB958RLA819TW/lkZXjrs
+wZ3eSoR3ufM1rOqtVvyvBxUDE+wETWu9iHSFB5Ir2PA5J9JCGkbPmwJAFI1ndfBj
+iuyU93nFX0p+JE2wVHKx4dMzKCearNKiJh/lGDtUq3REGgamTNUnG8RAITUbxFs+
+Z1hrIq8xYl2LOQ==
+-----END PRIVATE KEY-----
diff --git a/engine/integration-cli/fixtures/registry/cert.pem b/engine/integration-cli/fixtures/registry/cert.pem
new file mode 100644
index 00000000..37605403
--- /dev/null
+++ b/engine/integration-cli/fixtures/registry/cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIJAKZjzF7N4zFJMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
+BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
+Q29tcGFueSBMdGQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNjAzMTQxOTAzMDZa
+Fw0xNzAzMTQxOTAzMDZaMFYxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0
+IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQxEjAQBgNVBAMMCWxv
+Y2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMAVEPA6tSNy
+MoExHvT8CWvbe0MyYqZjMmUUdGVYyAaoZgmj9HvtGKaUWY/hCtgTond3OKhPq69u
+fQSDlHQA/scq4KZovKQJhvBaRb2DqD31KcbcDyh5KUAL1aalbjTLbKmAYSFSoY93
+57KiBei2BmvS55HLhOiO8ccQOq3feH/J/XcszAdAaiGXW3woDOIumYzur6Q8Suyn
+cIUEX5Ik7mxS7oGYN1IM++Y+B6aAFT7htAZEvF7RF7sjG7QBfxNPOFg9lBWXzVSv
+0vRbVme9OCDD2QOpj8O7XAPuLDwW5b2A8Iex3CJRngBI9vAK5h1Wssst8117bur9
+AiubOrF6cxUCAwEAAaNQME4wHQYDVR0OBBYEFNTGYK7uX19yjCPeGXhmel98amoA
+MB8GA1UdIwQYMBaAFNTGYK7uX19yjCPeGXhmel98amoAMAwGA1UdEwQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBACW/oF6RgLbTPxb8oPI9424Uv/erYYdxdqIaO3Mz
+fQfBEvGu62A0ZLH+av4BTeqBM6iVhN6/Y3hUb8UzbbZAIo/dVJSglW7PXAfUITMM
+ca9U2r2cFqgXELZkhde6mTFTYwM3swMCP0HUEo+Hu62NX5gunKr4QMNfTlE3vHEj
+jitnkTR0ZVEKHvmdTJC9S92j+NuaJVcwe5UNP1Nj/Ksd/iUUCa2DBnw2N7YwHTDB
+jb9cQb8aNVNSrjKP3sknMslVy1JVbUB1LXsth/h+kkVFNP4dsk+dZHn20uIA/VeJ
+mJ3Wo54CeTAa3DysiWbIIYsFSASCPvki08ZKI373tCf2RvE=
+-----END CERTIFICATE-----
diff --git a/engine/integration-cli/fixtures_linux_daemon_test.go b/engine/integration-cli/fixtures_linux_daemon_test.go
new file mode 100644
index 00000000..2387a9eb
--- /dev/null
+++ b/engine/integration-cli/fixtures_linux_daemon_test.go
@@ -0,0 +1,139 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker/integration-cli/checker"
+	"github.com/docker/docker/internal/test/fixtures/load"
+	"github.com/go-check/check"
+)
+
+type testingT interface {
+	logT
+	Fatalf(string, ...interface{})
+}
+
+type logT interface {
+	Logf(string, ...interface{})
+}
+
+var ensureSyscallTestOnce sync.Once
+
+func ensureSyscallTest(c *check.C) {
+	var doIt bool
+	ensureSyscallTestOnce.Do(func() {
+		doIt = true
+	})
+	if !doIt {
+		return
+	}
+	defer testEnv.ProtectImage(c, "syscall-test:latest")
+
+	// if no match, must build in docker, which is significantly slower
+	// (slower mostly because of the vfs graphdriver)
+	if testEnv.OSType != runtime.GOOS {
+		ensureSyscallTestBuild(c)
+		return
+	}
+
+	tmp, err := ioutil.TempDir("", "syscall-test-build")
+	c.Assert(err, checker.IsNil, check.Commentf("couldn't create temp dir"))
+	defer os.RemoveAll(tmp)
+
+	gcc, err := exec.LookPath("gcc")
+	c.Assert(err, checker.IsNil, check.Commentf("could not find gcc"))
+
+	tests := []string{"userns", "ns", "acct", "setuid", "setgid", "socket", "raw"}
+	for _, test := range tests {
+		out, err := exec.Command(gcc, "-g", "-Wall", "-static", fmt.Sprintf("../contrib/syscall-test/%s.c", test), "-o", fmt.Sprintf("%s/%s-test", tmp, test)).CombinedOutput()
+		c.Assert(err, checker.IsNil, check.Commentf(string(out)))
+	}
+
+	if runtime.GOOS == "linux" && runtime.GOARCH == "amd64" {
+		out, err := exec.Command(gcc, "-s", "-m32", "-nostdlib", "-static", "../contrib/syscall-test/exit32.s", "-o", tmp+"/"+"exit32-test").CombinedOutput()
+		c.Assert(err, checker.IsNil, check.Commentf(string(out)))
+	}
+
+	dockerFile := filepath.Join(tmp, "Dockerfile")
+	content := []byte(`
+	FROM debian:jessie
+	COPY . /usr/bin/
+	`)
+	err = ioutil.WriteFile(dockerFile, content, 600)
+	c.Assert(err, checker.IsNil)
+
+	var buildArgs []string
+	if arg := os.Getenv("DOCKER_BUILD_ARGS"); strings.TrimSpace(arg) != "" {
+		buildArgs = strings.Split(arg, " ")
+	}
+	buildArgs = append(buildArgs, []string{"-q", "-t", "syscall-test", tmp}...)
+	buildArgs = append([]string{"build"}, buildArgs...)
+	dockerCmd(c, buildArgs...)
+}
+
+func ensureSyscallTestBuild(c *check.C) {
+	err := load.FrozenImagesLinux(testEnv.APIClient(), "buildpack-deps:jessie")
+	c.Assert(err, checker.IsNil)
+
+	var buildArgs []string
+	if arg := os.Getenv("DOCKER_BUILD_ARGS"); strings.TrimSpace(arg) != "" {
+		buildArgs = strings.Split(arg, " ")
+	}
+	buildArgs = append(buildArgs, []string{"-q", "-t", "syscall-test", "../contrib/syscall-test"}...)
+	buildArgs = append([]string{"build"}, buildArgs...)
+	dockerCmd(c, buildArgs...)
+}
+
+func ensureNNPTest(c *check.C) {
+	defer testEnv.ProtectImage(c, "nnp-test:latest")
+	if testEnv.OSType != runtime.GOOS {
+		ensureNNPTestBuild(c)
+		return
+	}
+
+	tmp, err := ioutil.TempDir("", "docker-nnp-test")
+	c.Assert(err, checker.IsNil)
+
+	gcc, err := exec.LookPath("gcc")
+	c.Assert(err, checker.IsNil, check.Commentf("could not find gcc"))
+
+	out, err := exec.Command(gcc, "-g", "-Wall", "-static", "../contrib/nnp-test/nnp-test.c", "-o", filepath.Join(tmp, "nnp-test")).CombinedOutput()
+	c.Assert(err, checker.IsNil, check.Commentf(string(out)))
+
+	dockerfile := filepath.Join(tmp, "Dockerfile")
+	content := `
+	FROM debian:jessie
+	COPY . /usr/bin
+	RUN chmod +s /usr/bin/nnp-test
+	`
+	err = ioutil.WriteFile(dockerfile, []byte(content), 600)
+	c.Assert(err, checker.IsNil, check.Commentf("could not write Dockerfile for nnp-test image"))
+
+	var buildArgs []string
+	if arg := os.Getenv("DOCKER_BUILD_ARGS"); strings.TrimSpace(arg) != "" {
+		buildArgs = strings.Split(arg, " ")
+	}
+	buildArgs = append(buildArgs, []string{"-q", "-t", "nnp-test", tmp}...)
+	buildArgs = append([]string{"build"}, buildArgs...)
+	dockerCmd(c, buildArgs...)
+}
+
+func ensureNNPTestBuild(c *check.C) {
+	err := load.FrozenImagesLinux(testEnv.APIClient(), "buildpack-deps:jessie")
+	c.Assert(err, checker.IsNil)
+
+	var buildArgs []string
+	if arg := os.Getenv("DOCKER_BUILD_ARGS"); strings.TrimSpace(arg) != "" {
+		buildArgs = strings.Split(arg, " ")
+	}
+	buildArgs = append(buildArgs, []string{"-q", "-t", "npp-test", "../contrib/nnp-test"}...)
+	buildArgs = append([]string{"build"}, buildArgs...)
+	dockerCmd(c, buildArgs...)
+}
diff --git a/engine/integration-cli/requirement/requirement.go b/engine/integration-cli/requirement/requirement.go
new file mode 100644
index 00000000..45a1bcab
--- /dev/null
+++ b/engine/integration-cli/requirement/requirement.go
@@ -0,0 +1,34 @@
+package requirement // import "github.com/docker/docker/integration-cli/requirement"
+
+import (
+	"fmt"
+	"path"
+	"reflect"
+	"runtime"
+	"strings"
+)
+
+// SkipT is the interface required to skip tests
+type SkipT interface {
+	Skip(reason string)
+}
+
+// Test represent a function that can be used as a requirement validation.
+type Test func() bool
+
+// Is checks if the environment satisfies the requirements
+// for the test to run or skips the tests.
+func Is(s SkipT, requirements ...Test) {
+	for _, r := range requirements {
+		isValid := r()
+		if !isValid {
+			requirementFunc := runtime.FuncForPC(reflect.ValueOf(r).Pointer()).Name()
+			s.Skip(fmt.Sprintf("unmatched requirement %s", extractRequirement(requirementFunc)))
+		}
+	}
+}
+
+func extractRequirement(requirementFunc string) string {
+	requirement := path.Base(requirementFunc)
+	return strings.SplitN(requirement, ".", 2)[1]
+}
diff --git a/engine/integration-cli/requirements_test.go b/engine/integration-cli/requirements_test.go
new file mode 100644
index 00000000..28be59cd
--- /dev/null
+++ b/engine/integration-cli/requirements_test.go
@@ -0,0 +1,219 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration-cli/requirement"
+	"github.com/docker/docker/internal/test/registry"
+)
+
+func ArchitectureIsNot(arch string) bool {
+	return os.Getenv("DOCKER_ENGINE_GOARCH") != arch
+}
+
+func DaemonIsWindows() bool {
+	return testEnv.OSType == "windows"
+}
+
+func DaemonIsWindowsAtLeastBuild(buildNumber int) func() bool {
+	return func() bool {
+		if testEnv.OSType != "windows" {
+			return false
+		}
+		version := testEnv.DaemonInfo.KernelVersion
+		numVersion, _ := strconv.Atoi(strings.Split(version, " ")[1])
+		return numVersion >= buildNumber
+	}
+}
+
+func DaemonIsLinux() bool {
+	return testEnv.OSType == "linux"
+}
+
+func MinimumAPIVersion(version string) func() bool {
+	return func() bool {
+		return versions.GreaterThanOrEqualTo(testEnv.DaemonAPIVersion(), version)
+	}
+}
+
+func OnlyDefaultNetworks() bool {
+	cli, err := client.NewEnvClient()
+	if err != nil {
+		return false
+	}
+	networks, err := cli.NetworkList(context.TODO(), types.NetworkListOptions{})
+	if err != nil || len(networks) > 0 {
+		return false
+	}
+	return true
+}
+
+// Deprecated: use skip.If(t, !testEnv.DaemonInfo.ExperimentalBuild)
+func ExperimentalDaemon() bool {
+	return testEnv.DaemonInfo.ExperimentalBuild
+}
+
+func IsAmd64() bool {
+	return os.Getenv("DOCKER_ENGINE_GOARCH") == "amd64"
+}
+
+func NotArm() bool {
+	return ArchitectureIsNot("arm")
+}
+
+func NotArm64() bool {
+	return ArchitectureIsNot("arm64")
+}
+
+func NotPpc64le() bool {
+	return ArchitectureIsNot("ppc64le")
+}
+
+func NotS390X() bool {
+	return ArchitectureIsNot("s390x")
+}
+
+func SameHostDaemon() bool {
+	return testEnv.IsLocalDaemon()
+}
+
+func UnixCli() bool {
+	return isUnixCli
+}
+
+func ExecSupport() bool {
+	return supportsExec
+}
+
+func Network() bool {
+	// Set a timeout on the GET at 15s
+	var timeout = time.Duration(15 * time.Second)
+	var url = "https://hub.docker.com"
+
+	client := http.Client{
+		Timeout: timeout,
+	}
+
+	resp, err := client.Get(url)
+	if err != nil && strings.Contains(err.Error(), "use of closed network connection") {
+		panic(fmt.Sprintf("Timeout for GET request on %s", url))
+	}
+	if resp != nil {
+		resp.Body.Close()
+	}
+	return err == nil
+}
+
+func Apparmor() bool {
+	if strings.HasPrefix(testEnv.DaemonInfo.OperatingSystem, "SUSE Linux Enterprise Server ") {
+		return false
+	}
+	buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
+	return err == nil && len(buf) > 1 && buf[0] == 'Y'
+}
+
+func Devicemapper() bool {
+	return strings.HasPrefix(testEnv.DaemonInfo.Driver, "devicemapper")
+}
+
+func IPv6() bool {
+	cmd := exec.Command("test", "-f", "/proc/net/if_inet6")
+	return cmd.Run() != nil
+}
+
+func UserNamespaceROMount() bool {
+	// quick case--userns not enabled in this test run
+	if os.Getenv("DOCKER_REMAP_ROOT") == "" {
+		return true
+	}
+	if _, _, err := dockerCmdWithError("run", "--rm", "--read-only", "busybox", "date"); err != nil {
+		return false
+	}
+	return true
+}
+
+func NotUserNamespace() bool {
+	root := os.Getenv("DOCKER_REMAP_ROOT")
+	return root == ""
+}
+
+func UserNamespaceInKernel() bool {
+	if _, err := os.Stat("/proc/self/uid_map"); os.IsNotExist(err) {
+		/*
+		 * This kernel-provided file only exists if user namespaces are
+		 * supported
+		 */
+		return false
+	}
+
+	// We need extra check on redhat based distributions
+	if f, err := os.Open("/sys/module/user_namespace/parameters/enable"); err == nil {
+		defer f.Close()
+		b := make([]byte, 1)
+		_, _ = f.Read(b)
+		return string(b) != "N"
+	}
+
+	return true
+}
+
+func IsPausable() bool {
+	if testEnv.OSType == "windows" {
+		return testEnv.DaemonInfo.Isolation == "hyperv"
+	}
+	return true
+}
+
+func NotPausable() bool {
+	if testEnv.OSType == "windows" {
+		return testEnv.DaemonInfo.Isolation == "process"
+	}
+	return false
+}
+
+func IsolationIs(expectedIsolation string) bool {
+	return testEnv.OSType == "windows" && string(testEnv.DaemonInfo.Isolation) == expectedIsolation
+}
+
+func IsolationIsHyperv() bool {
+	return IsolationIs("hyperv")
+}
+
+func IsolationIsProcess() bool {
+	return IsolationIs("process")
+}
+
+// RegistryHosting returns wether the host can host a registry (v2) or not
+func RegistryHosting() bool {
+	// for now registry binary is built only if we're running inside
+	// container through `make test`. Figure that out by testing if
+	// registry binary is in PATH.
+	_, err := exec.LookPath(registry.V2binary)
+	return err == nil
+}
+
+func SwarmInactive() bool {
+	return testEnv.DaemonInfo.Swarm.LocalNodeState == swarm.LocalNodeStateInactive
+}
+
+func TODOBuildkit() bool {
+	return os.Getenv("DOCKER_BUILDKIT") == ""
+}
+
+// testRequires checks if the environment satisfies the requirements
+// for the test to run or skips the tests.
+func testRequires(c requirement.SkipT, requirements ...requirement.Test) {
+	requirement.Is(c, requirements...)
+}
diff --git a/engine/integration-cli/requirements_unix_test.go b/engine/integration-cli/requirements_unix_test.go
new file mode 100644
index 00000000..7c594f7d
--- /dev/null
+++ b/engine/integration-cli/requirements_unix_test.go
@@ -0,0 +1,117 @@
+// +build !windows
+
+package main
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os/exec"
+	"strings"
+
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"github.com/docker/docker/pkg/sysinfo"
+)
+
+var (
+	// SysInfo stores information about which features a kernel supports.
+	SysInfo *sysinfo.SysInfo
+)
+
+func cpuCfsPeriod() bool {
+	return testEnv.DaemonInfo.CPUCfsPeriod
+}
+
+func cpuCfsQuota() bool {
+	return testEnv.DaemonInfo.CPUCfsQuota
+}
+
+func cpuShare() bool {
+	return testEnv.DaemonInfo.CPUShares
+}
+
+func oomControl() bool {
+	return testEnv.DaemonInfo.OomKillDisable
+}
+
+func pidsLimit() bool {
+	return SysInfo.PidsLimit
+}
+
+func kernelMemorySupport() bool {
+	return testEnv.DaemonInfo.KernelMemory
+}
+
+func memoryLimitSupport() bool {
+	return testEnv.DaemonInfo.MemoryLimit
+}
+
+func memoryReservationSupport() bool {
+	return SysInfo.MemoryReservation
+}
+
+func swapMemorySupport() bool {
+	return testEnv.DaemonInfo.SwapLimit
+}
+
+func memorySwappinessSupport() bool {
+	return SameHostDaemon() && SysInfo.MemorySwappiness
+}
+
+func blkioWeight() bool {
+	return SameHostDaemon() && SysInfo.BlkioWeight
+}
+
+func cgroupCpuset() bool {
+	return testEnv.DaemonInfo.CPUSet
+}
+
+func seccompEnabled() bool {
+	return supportsSeccomp && SysInfo.Seccomp
+}
+
+func bridgeNfIptables() bool {
+	return !SysInfo.BridgeNFCallIPTablesDisabled
+}
+
+func bridgeNfIP6tables() bool {
+	return !SysInfo.BridgeNFCallIP6TablesDisabled
+}
+
+func unprivilegedUsernsClone() bool {
+	content, err := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
+	return err != nil || !strings.Contains(string(content), "0")
+}
+
+func ambientCapabilities() bool {
+	content, err := ioutil.ReadFile("/proc/self/status")
+	return err != nil || strings.Contains(string(content), "CapAmb:")
+}
+
+func overlayFSSupported() bool {
+	cmd := exec.Command(dockerBinary, "run", "--rm", "busybox", "/bin/sh", "-c", "cat /proc/filesystems")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return false
+	}
+	return bytes.Contains(out, []byte("overlay\n"))
+}
+
+func overlay2Supported() bool {
+	if !overlayFSSupported() {
+		return false
+	}
+
+	daemonV, err := kernel.ParseRelease(testEnv.DaemonInfo.KernelVersion)
+	if err != nil {
+		return false
+	}
+	requiredV := kernel.VersionInfo{Kernel: 4}
+	return kernel.CompareKernelVersion(*daemonV, requiredV) > -1
+
+}
+
+func init() {
+	if SameHostDaemon() {
+		SysInfo = sysinfo.New(true)
+	}
+}
diff --git a/engine/integration-cli/test_vars_exec_test.go b/engine/integration-cli/test_vars_exec_test.go
new file mode 100644
index 00000000..7633b346
--- /dev/null
+++ b/engine/integration-cli/test_vars_exec_test.go
@@ -0,0 +1,8 @@
+// +build !test_no_exec
+
+package main
+
+const (
+	// indicates docker daemon tested supports 'docker exec'
+	supportsExec = true
+)
diff --git a/engine/integration-cli/test_vars_noexec_test.go b/engine/integration-cli/test_vars_noexec_test.go
new file mode 100644
index 00000000..08450905
--- /dev/null
+++ b/engine/integration-cli/test_vars_noexec_test.go
@@ -0,0 +1,8 @@
+// +build test_no_exec
+
+package main
+
+const (
+	// indicates docker daemon tested supports 'docker exec'
+	supportsExec = false
+)
diff --git a/engine/integration-cli/test_vars_noseccomp_test.go b/engine/integration-cli/test_vars_noseccomp_test.go
new file mode 100644
index 00000000..2f47ab07
--- /dev/null
+++ b/engine/integration-cli/test_vars_noseccomp_test.go
@@ -0,0 +1,8 @@
+// +build !seccomp
+
+package main
+
+const (
+	// indicates docker daemon built with seccomp support
+	supportsSeccomp = false
+)
diff --git a/engine/integration-cli/test_vars_seccomp_test.go b/engine/integration-cli/test_vars_seccomp_test.go
new file mode 100644
index 00000000..00cf6972
--- /dev/null
+++ b/engine/integration-cli/test_vars_seccomp_test.go
@@ -0,0 +1,8 @@
+// +build seccomp
+
+package main
+
+const (
+	// indicates docker daemon built with seccomp support
+	supportsSeccomp = true
+)
diff --git a/engine/integration-cli/test_vars_test.go b/engine/integration-cli/test_vars_test.go
new file mode 100644
index 00000000..82ec58e9
--- /dev/null
+++ b/engine/integration-cli/test_vars_test.go
@@ -0,0 +1,11 @@
+package main
+
+// sleepCommandForDaemonPlatform is a helper function that determines what
+// the command is for a sleeping container based on the daemon platform.
+// The Windows busybox image does not have a `top` command.
+func sleepCommandForDaemonPlatform() []string {
+	if testEnv.OSType == "windows" {
+		return []string{"sleep", "240"}
+	}
+	return []string{"top"}
+}
diff --git a/engine/integration-cli/test_vars_unix_test.go b/engine/integration-cli/test_vars_unix_test.go
new file mode 100644
index 00000000..f9ecc011
--- /dev/null
+++ b/engine/integration-cli/test_vars_unix_test.go
@@ -0,0 +1,14 @@
+// +build !windows
+
+package main
+
+const (
+	// identifies if test suite is running on a unix platform
+	isUnixCli = true
+
+	expectedFileChmod = "-rw-r--r--"
+
+	// On Unix variants, the busybox image comes with the `top` command which
+	// runs indefinitely while still being interruptible by a signal.
+	defaultSleepImage = "busybox"
+)
diff --git a/engine/integration-cli/test_vars_windows_test.go b/engine/integration-cli/test_vars_windows_test.go
new file mode 100644
index 00000000..bfc9a5a9
--- /dev/null
+++ b/engine/integration-cli/test_vars_windows_test.go
@@ -0,0 +1,15 @@
+// +build windows
+
+package main
+
+const (
+	// identifies if test suite is running on a unix platform
+	isUnixCli = false
+
+	// this is the expected file permission set on windows: gh#11395
+	expectedFileChmod = "-rwxr-xr-x"
+
+	// On Windows, the busybox image doesn't have the `top` command, so we rely
+	// on `sleep` with a high duration.
+	defaultSleepImage = "busybox"
+)
diff --git a/engine/integration-cli/testdata/emptyLayer.tar b/engine/integration-cli/testdata/emptyLayer.tar
new file mode 100644
index 0000000000000000000000000000000000000000..beabb569ac1e7fea69848f79ffd77fb17b2487b0
GIT binary patch
literal 30720
zcmeI4ZExeo5y$<ypF&{Yw7^N;*=GtU&};619MHx=&P{<{i^D$JOeE5vs36zFefJLa
z6wA3-%2759cnH`McbB{5Z+6L@5&sJ&f)qMsQ)-ua4x9rEL6{)5;Ym3MUi09YbwT=4
z#Ry6mE;s;FPV4it!yCiRD0S9<;&%6Ql?EJ?mIAcaXN)th<k?6au6lTh<)U-#Xmr*#
zO?O{yhw|?`_6g^~Q2T%X`n$JpF21?%5_<z{Deu~SyN|izY~TJMK%I@)eU+Xn@44H5
z@+g!~Wi6`b!~_P9{~s1jec+r9jDKL7-yQ!T4UPW;SWlAuv8ZA(Erxc3;zbdf`8?Gf
zR`zCo)3jZRque(0(YViRlfwke;|#=@=`n~)kW(h6icKsBqsuWfQ^r;m)t#&A)V>c*
zovW*2`my-BS#-6VC#(TWylUoH;FtY>E>gSBdD(R?T)*vNRTtCjW{dQq*rhc~JiEJz
zsl`J#iI?4n-S>-|RPWcb+PkO&p2Vj7>-wi+S}$j_7sXd|yt?(*H*<HjInnQ%*>av1
z+nj$j?T=M`^{U#O?d!U0Kio7`Pi=kdMg6yBHQQD7cjwb=bNHthMQp;4h~=l$E~*AE
zuwWB8>5;iMTvuHR-Lmal{@LpHT4MUleZcZ73oou6S9)q>^d-k>oX_}Qcxyo^p;T#I
z4yBjEs}MP78A@rGh|&6(B$v4q&IKEaPbcYiRLK(|Fm&Lbue#U-=g_}>K?m>u=o9SE
z|2Wfh|Nm{EC(M}~<G>AUk1=_?|0jAs(MS-F>HlGq1Fv!G%<Mjg*7r!qqoXaAV>u}F
zxq~RdI2NK#f|*#Nn~(V{vFLOO8UqEuV@wWH0lWbP;+XE!kN?B|zvfDCV+{KLI33XJ
zG420+{r|!CKbik8jnddl(C`@lF&t?A{}{IbApid{FhAKg29N*Y{y*OI0q1{v<6mif
z{ttd8A4C0_$Nx6||IluLzUGZ<*Y1BAOz<VJXr++aiR`lof&0Xy&Qki!Ts9dXc^f@X
z8M0KV6ag^opV7(0y7uA)YRoWXATK#gg`Fxr!C(Q$pDVcdcVD#GL<`XGMb9;0RorvO
zQf3yiaUmz1Ot|D+_IO664N`KOBcuR=#gwg1CX`OvtZ!HM`QXFt7O?b_3PijszI}Q5
z^<U1Hi}rlh1UEZh_^O`X+TZQ|lCer!@8Z|uzne(LyW$*o&llHtk>lPXfBaM3-28d;
z^3|(Ru4ZY9j6K(!m62PF7=SBvvY>6u9_MkwI>$<kEJWr?r&CnYl@fb^k7Wr`Y8X}Z
z=)7-k8!b^DurHutlwn$NVVt%?Fj2Y?STb4LBs6vs6|M6aq`>54a7OCT$T3-m=lJE(
zmUnm}hhi;&u@=Bq+_JlF`T)-5bsBwzUH;<j=-amW0i!RY|19yhj1XqcGLD;@#a{zv
zH;YNrUafM{XgqTB>iw#FV;!sB`|AkTbLnLJ;j*XJ0q(@q+&r#AY7K_tidj`Je@64Y
zt^SAcHvH+*phv{y_9nO&aXZ27@H1gNA7uuCn|I7u4AJ4h5%>!(#?o<k<!p`c+$L)^
zx^aqS1vV?0O%ft<p?6`tp*Q~F@gFYHJ;dk##{a{>4@01sM9=?Y<}U-wbn}~IT=+q)
zpnU-y`(0?Hj|bqk-Cup*+8<p&^#3tnME?IE=Eok~+dntWvBkfrTyNm}fB%=e@xQh|
zFhleIFJk?B4?^4j;rAXx<%s|hAOb{y2oM1xKm>>Y5g-CYfCvx)B0vO)01+SpM1Tko
z0U|&IhyW2F0z`la5CI}U1c(3;cp3zTzMXo^%Y*&<Ux)R7DEY*<#88FUzyApw^}n?K
z&%^hT!S+9${_mFkaX|=r|M%gIk1de??@=&6*+vGB|5NDyr0Vs5x5qyd^#1Ro^qGzR
zZ)i6_EzC~;H*`snUKVwGy&yRTHfC_i*;MK&hzUw<N?cO{?#lmi>eXctdy*>?6A8Sq
zp|r}Cz7&k%LWj}|qk_p<LR6?ql%?k;qVj|#&~dHDx^L~F+bv+}XD9#r$ICb0T;kvB
z??%JbZ@0yN0Dy~7IuUS9NtwBp-dL}s5V+`sO9AD;z=W3(*CgT@HBTnW$aQHG=O_uZ
zXp4sy|MB%gOAjvodoEq<j`;71b%0~Uf9o6Gp4RUKx4vI%{ZKola&SUrubqqnf|6h)
z4wvLm5vzh1fiZ4bz#)UhAj(uq8Delo+A{96exG}w488FW*Z=k2VXyz&d;a4BK&1cs
zoV`w+)~1_gQFTpQrNyc1-qzO}_&)s?;QEh!nazg!KaT4Fll`~+9`f^JF?U^ey}Y_k
zi}P9KTi1RVuVw4~x{G>@3pT0=6BEu*_dHZBTzvXOYO{wlC)G^^hyW2F0z`la5CI}U
k1c(3;AOb{y2oM1xKm>>Y5g-CYfCvx)B0vO)z%wTBe{YUtx&QzG

literal 0
HcmV?d00001

diff --git a/engine/integration-cli/utils_test.go b/engine/integration-cli/utils_test.go
new file mode 100644
index 00000000..fd083681
--- /dev/null
+++ b/engine/integration-cli/utils_test.go
@@ -0,0 +1,183 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/internal/testutil"
+	"github.com/go-check/check"
+	"github.com/pkg/errors"
+	"gotest.tools/icmd"
+)
+
+func getPrefixAndSlashFromDaemonPlatform() (prefix, slash string) {
+	if testEnv.OSType == "windows" {
+		return "c:", `\`
+	}
+	return "", "/"
+}
+
+// TODO: update code to call cmd.RunCmd directly, and remove this function
+// Deprecated: use gotest.tools/icmd
+func runCommandWithOutput(execCmd *exec.Cmd) (string, int, error) {
+	result := icmd.RunCmd(transformCmd(execCmd))
+	return result.Combined(), result.ExitCode, result.Error
+}
+
+// Temporary shim for migrating commands to the new function
+func transformCmd(execCmd *exec.Cmd) icmd.Cmd {
+	return icmd.Cmd{
+		Command: execCmd.Args,
+		Env:     execCmd.Env,
+		Dir:     execCmd.Dir,
+		Stdin:   execCmd.Stdin,
+		Stdout:  execCmd.Stdout,
+	}
+}
+
+// ParseCgroupPaths parses 'procCgroupData', which is output of '/proc/<pid>/cgroup', and returns
+// a map which cgroup name as key and path as value.
+func ParseCgroupPaths(procCgroupData string) map[string]string {
+	cgroupPaths := map[string]string{}
+	for _, line := range strings.Split(procCgroupData, "\n") {
+		parts := strings.Split(line, ":")
+		if len(parts) != 3 {
+			continue
+		}
+		cgroupPaths[parts[1]] = parts[2]
+	}
+	return cgroupPaths
+}
+
+// RandomTmpDirPath provides a temporary path with rand string appended.
+// does not create or checks if it exists.
+func RandomTmpDirPath(s string, platform string) string {
+	// TODO: why doesn't this use os.TempDir() ?
+	tmp := "/tmp"
+	if platform == "windows" {
+		tmp = os.Getenv("TEMP")
+	}
+	path := filepath.Join(tmp, fmt.Sprintf("%s.%s", s, testutil.GenerateRandomAlphaOnlyString(10)))
+	if platform == "windows" {
+		return filepath.FromSlash(path) // Using \
+	}
+	return filepath.ToSlash(path) // Using /
+}
+
+// RunCommandPipelineWithOutput runs the array of commands with the output
+// of each pipelined with the following (like cmd1 | cmd2 | cmd3 would do).
+// It returns the final output, the exitCode different from 0 and the error
+// if something bad happened.
+// Deprecated: use icmd instead
+func RunCommandPipelineWithOutput(cmds ...*exec.Cmd) (output string, err error) {
+	if len(cmds) < 2 {
+		return "", errors.New("pipeline does not have multiple cmds")
+	}
+
+	// connect stdin of each cmd to stdout pipe of previous cmd
+	for i, cmd := range cmds {
+		if i > 0 {
+			prevCmd := cmds[i-1]
+			cmd.Stdin, err = prevCmd.StdoutPipe()
+
+			if err != nil {
+				return "", fmt.Errorf("cannot set stdout pipe for %s: %v", cmd.Path, err)
+			}
+		}
+	}
+
+	// start all cmds except the last
+	for _, cmd := range cmds[:len(cmds)-1] {
+		if err = cmd.Start(); err != nil {
+			return "", fmt.Errorf("starting %s failed with error: %v", cmd.Path, err)
+		}
+	}
+
+	defer func() {
+		var pipeErrMsgs []string
+		// wait all cmds except the last to release their resources
+		for _, cmd := range cmds[:len(cmds)-1] {
+			if pipeErr := cmd.Wait(); pipeErr != nil {
+				pipeErrMsgs = append(pipeErrMsgs, fmt.Sprintf("command %s failed with error: %v", cmd.Path, pipeErr))
+			}
+		}
+		if len(pipeErrMsgs) > 0 && err == nil {
+			err = fmt.Errorf("pipelineError from Wait: %v", strings.Join(pipeErrMsgs, ", "))
+		}
+	}()
+
+	// wait on last cmd
+	out, err := cmds[len(cmds)-1].CombinedOutput()
+	return string(out), err
+}
+
+type elementListOptions struct {
+	element, format string
+}
+
+func existingElements(c *check.C, opts elementListOptions) []string {
+	var args []string
+	switch opts.element {
+	case "container":
+		args = append(args, "ps", "-a")
+	case "image":
+		args = append(args, "images", "-a")
+	case "network":
+		args = append(args, "network", "ls")
+	case "plugin":
+		args = append(args, "plugin", "ls")
+	case "volume":
+		args = append(args, "volume", "ls")
+	}
+	if opts.format != "" {
+		args = append(args, "--format", opts.format)
+	}
+	out, _ := dockerCmd(c, args...)
+	var lines []string
+	for _, l := range strings.Split(out, "\n") {
+		if l != "" {
+			lines = append(lines, l)
+		}
+	}
+	return lines
+}
+
+// ExistingContainerIDs returns a list of currently existing container IDs.
+func ExistingContainerIDs(c *check.C) []string {
+	return existingElements(c, elementListOptions{element: "container", format: "{{.ID}}"})
+}
+
+// ExistingContainerNames returns a list of existing container names.
+func ExistingContainerNames(c *check.C) []string {
+	return existingElements(c, elementListOptions{element: "container", format: "{{.Names}}"})
+}
+
+// RemoveLinesForExistingElements removes existing elements from the output of a
+// docker command.
+// This function takes an output []string and returns a []string.
+func RemoveLinesForExistingElements(output, existing []string) []string {
+	for _, e := range existing {
+		index := -1
+		for i, line := range output {
+			if strings.Contains(line, e) {
+				index = i
+				break
+			}
+		}
+		if index != -1 {
+			output = append(output[:index], output[index+1:]...)
+		}
+	}
+	return output
+}
+
+// RemoveOutputForExistingElements removes existing elements from the output of
+// a docker command.
+// This function takes an output string and returns a string.
+func RemoveOutputForExistingElements(output string, existing []string) string {
+	res := RemoveLinesForExistingElements(strings.Split(output, "\n"), existing)
+	return strings.Join(res, "\n")
+}
diff --git a/engine/integration/build/build_session_test.go b/engine/integration/build/build_session_test.go
new file mode 100644
index 00000000..dde4b427
--- /dev/null
+++ b/engine/integration/build/build_session_test.go
@@ -0,0 +1,129 @@
+package build
+
+import (
+	"context"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	dclient "github.com/docker/docker/client"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/filesync"
+	"golang.org/x/sync/errgroup"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestBuildWithSession(t *testing.T) {
+	skip.If(t, !testEnv.DaemonInfo.ExperimentalBuild)
+
+	client := testEnv.APIClient()
+
+	dockerfile := `
+		FROM busybox
+		COPY file /
+		RUN cat /file
+	`
+
+	fctx := fakecontext.New(t, "",
+		fakecontext.WithFile("file", "some content"),
+	)
+	defer fctx.Close()
+
+	out := testBuildWithSession(t, client, client.DaemonHost(), fctx.Dir, dockerfile)
+	assert.Check(t, is.Contains(out, "some content"))
+
+	fctx.Add("second", "contentcontent")
+
+	dockerfile += `
+	COPY second /
+	RUN cat /second
+	`
+
+	out = testBuildWithSession(t, client, client.DaemonHost(), fctx.Dir, dockerfile)
+	assert.Check(t, is.Equal(strings.Count(out, "Using cache"), 2))
+	assert.Check(t, is.Contains(out, "contentcontent"))
+
+	du, err := client.DiskUsage(context.TODO())
+	assert.Check(t, err)
+	assert.Check(t, du.BuilderSize > 10)
+
+	out = testBuildWithSession(t, client, client.DaemonHost(), fctx.Dir, dockerfile)
+	assert.Check(t, is.Equal(strings.Count(out, "Using cache"), 4))
+
+	du2, err := client.DiskUsage(context.TODO())
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(du.BuilderSize, du2.BuilderSize))
+
+	// rebuild with regular tar, confirm cache still applies
+	fctx.Add("Dockerfile", dockerfile)
+	// FIXME(vdemeester) use sock here
+	res, body, err := request.Do(
+		"/build",
+		request.Host(client.DaemonHost()),
+		request.Method(http.MethodPost),
+		request.RawContent(fctx.AsTarReader(t)),
+		request.ContentType("application/x-tar"))
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(http.StatusOK, res.StatusCode))
+
+	outBytes, err := request.ReadBody(body)
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(string(outBytes), "Successfully built"))
+	assert.Check(t, is.Equal(strings.Count(string(outBytes), "Using cache"), 4))
+
+	_, err = client.BuildCachePrune(context.TODO())
+	assert.Check(t, err)
+
+	du, err = client.DiskUsage(context.TODO())
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(du.BuilderSize, int64(0)))
+}
+
+func testBuildWithSession(t *testing.T, client dclient.APIClient, daemonHost string, dir, dockerfile string) (outStr string) {
+	ctx := context.Background()
+	sess, err := session.NewSession(ctx, "foo1", "foo")
+	assert.Check(t, err)
+
+	fsProvider := filesync.NewFSSyncProvider([]filesync.SyncedDir{
+		{Dir: dir},
+	})
+	sess.Allow(fsProvider)
+
+	g, ctx := errgroup.WithContext(ctx)
+
+	g.Go(func() error {
+		return sess.Run(ctx, client.DialSession)
+	})
+
+	g.Go(func() error {
+		// FIXME use sock here
+		res, body, err := request.Do(
+			"/build?remote=client-session&session="+sess.ID(),
+			request.Host(daemonHost),
+			request.Method(http.MethodPost),
+			request.With(func(req *http.Request) error {
+				req.Body = ioutil.NopCloser(strings.NewReader(dockerfile))
+				return nil
+			}),
+		)
+		if err != nil {
+			return err
+		}
+		assert.Check(t, is.DeepEqual(res.StatusCode, http.StatusOK))
+		out, err := request.ReadBody(body)
+		assert.NilError(t, err)
+		assert.Check(t, is.Contains(string(out), "Successfully built"))
+		sess.Close()
+		outStr = string(out)
+		return nil
+	})
+
+	err = g.Wait()
+	assert.Check(t, err)
+	return
+}
diff --git a/engine/integration/build/build_squash_test.go b/engine/integration/build/build_squash_test.go
new file mode 100644
index 00000000..4cd282a9
--- /dev/null
+++ b/engine/integration/build/build_squash_test.go
@@ -0,0 +1,103 @@
+package build
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/docker/pkg/stdcopy"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestBuildSquashParent(t *testing.T) {
+	skip.If(t, !testEnv.DaemonInfo.ExperimentalBuild)
+
+	client := testEnv.APIClient()
+
+	dockerfile := `
+		FROM busybox
+		RUN echo hello > /hello
+		RUN echo world >> /hello
+		RUN echo hello > /remove_me
+		ENV HELLO world
+		RUN rm /remove_me
+		`
+
+	// build and get the ID that we can use later for history comparison
+	ctx := context.Background()
+	source := fakecontext.New(t, "", fakecontext.WithDockerfile(dockerfile))
+	defer source.Close()
+
+	name := "test"
+	resp, err := client.ImageBuild(ctx,
+		source.AsTarReader(t),
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+			Tags:        []string{name},
+		})
+	assert.NilError(t, err)
+	_, err = io.Copy(ioutil.Discard, resp.Body)
+	resp.Body.Close()
+	assert.NilError(t, err)
+
+	inspect, _, err := client.ImageInspectWithRaw(ctx, name)
+	assert.NilError(t, err)
+	origID := inspect.ID
+
+	// build with squash
+	resp, err = client.ImageBuild(ctx,
+		source.AsTarReader(t),
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+			Squash:      true,
+			Tags:        []string{name},
+		})
+	assert.NilError(t, err)
+	_, err = io.Copy(ioutil.Discard, resp.Body)
+	resp.Body.Close()
+	assert.NilError(t, err)
+
+	cid := container.Run(t, ctx, client,
+		container.WithImage(name),
+		container.WithCmd("/bin/sh", "-c", "cat /hello"),
+	)
+	reader, err := client.ContainerLogs(ctx, cid, types.ContainerLogsOptions{
+		ShowStdout: true,
+	})
+	assert.NilError(t, err)
+
+	actualStdout := new(bytes.Buffer)
+	actualStderr := ioutil.Discard
+	_, err = stdcopy.StdCopy(actualStdout, actualStderr, reader)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(strings.TrimSpace(actualStdout.String()), "hello\nworld"))
+
+	container.Run(t, ctx, client,
+		container.WithImage(name),
+		container.WithCmd("/bin/sh", "-c", "[ ! -f /remove_me ]"),
+	)
+	container.Run(t, ctx, client,
+		container.WithImage(name),
+		container.WithCmd("/bin/sh", "-c", `[ "$(echo $HELLO)" == "world" ]`),
+	)
+
+	origHistory, err := client.ImageHistory(ctx, origID)
+	assert.NilError(t, err)
+	testHistory, err := client.ImageHistory(ctx, name)
+	assert.NilError(t, err)
+
+	inspect, _, err = client.ImageInspectWithRaw(ctx, name)
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(testHistory, len(origHistory)+1))
+	assert.Check(t, is.Len(inspect.RootFS.Layers, 2))
+}
diff --git a/engine/integration/build/build_test.go b/engine/integration/build/build_test.go
new file mode 100644
index 00000000..25c5e635
--- /dev/null
+++ b/engine/integration/build/build_test.go
@@ -0,0 +1,460 @@
+package build // import "github.com/docker/docker/integration/build"
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestBuildWithRemoveAndForceRemove(t *testing.T) {
+	defer setupTest(t)()
+	t.Parallel()
+	cases := []struct {
+		name                           string
+		dockerfile                     string
+		numberOfIntermediateContainers int
+		rm                             bool
+		forceRm                        bool
+	}{
+		{
+			name: "successful build with no removal",
+			dockerfile: `FROM busybox
+			RUN exit 0
+			RUN exit 0`,
+			numberOfIntermediateContainers: 2,
+			rm:      false,
+			forceRm: false,
+		},
+		{
+			name: "successful build with remove",
+			dockerfile: `FROM busybox
+			RUN exit 0
+			RUN exit 0`,
+			numberOfIntermediateContainers: 0,
+			rm:      true,
+			forceRm: false,
+		},
+		{
+			name: "successful build with remove and force remove",
+			dockerfile: `FROM busybox
+			RUN exit 0
+			RUN exit 0`,
+			numberOfIntermediateContainers: 0,
+			rm:      true,
+			forceRm: true,
+		},
+		{
+			name: "failed build with no removal",
+			dockerfile: `FROM busybox
+			RUN exit 0
+			RUN exit 1`,
+			numberOfIntermediateContainers: 2,
+			rm:      false,
+			forceRm: false,
+		},
+		{
+			name: "failed build with remove",
+			dockerfile: `FROM busybox
+			RUN exit 0
+			RUN exit 1`,
+			numberOfIntermediateContainers: 1,
+			rm:      true,
+			forceRm: false,
+		},
+		{
+			name: "failed build with remove and force remove",
+			dockerfile: `FROM busybox
+			RUN exit 0
+			RUN exit 1`,
+			numberOfIntermediateContainers: 0,
+			rm:      true,
+			forceRm: true,
+		},
+	}
+
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			t.Parallel()
+			dockerfile := []byte(c.dockerfile)
+
+			buff := bytes.NewBuffer(nil)
+			tw := tar.NewWriter(buff)
+			assert.NilError(t, tw.WriteHeader(&tar.Header{
+				Name: "Dockerfile",
+				Size: int64(len(dockerfile)),
+			}))
+			_, err := tw.Write(dockerfile)
+			assert.NilError(t, err)
+			assert.NilError(t, tw.Close())
+			resp, err := client.ImageBuild(ctx, buff, types.ImageBuildOptions{Remove: c.rm, ForceRemove: c.forceRm, NoCache: true})
+			assert.NilError(t, err)
+			defer resp.Body.Close()
+			filter, err := buildContainerIdsFilter(resp.Body)
+			assert.NilError(t, err)
+			remainingContainers, err := client.ContainerList(ctx, types.ContainerListOptions{Filters: filter, All: true})
+			assert.NilError(t, err)
+			assert.Equal(t, c.numberOfIntermediateContainers, len(remainingContainers), "Expected %v remaining intermediate containers, got %v", c.numberOfIntermediateContainers, len(remainingContainers))
+		})
+	}
+}
+
+func buildContainerIdsFilter(buildOutput io.Reader) (filters.Args, error) {
+	const intermediateContainerPrefix = " ---> Running in "
+	filter := filters.NewArgs()
+
+	dec := json.NewDecoder(buildOutput)
+	for {
+		m := jsonmessage.JSONMessage{}
+		err := dec.Decode(&m)
+		if err == io.EOF {
+			return filter, nil
+		}
+		if err != nil {
+			return filter, err
+		}
+		if ix := strings.Index(m.Stream, intermediateContainerPrefix); ix != -1 {
+			filter.Add("id", strings.TrimSpace(m.Stream[ix+len(intermediateContainerPrefix):]))
+		}
+	}
+}
+
+func TestBuildMultiStageParentConfig(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.35"), "broken in earlier versions")
+	dockerfile := `
+		FROM busybox AS stage0
+		ENV WHO=parent
+		WORKDIR /foo
+
+		FROM stage0
+		ENV WHO=sibling1
+		WORKDIR sub1
+
+		FROM stage0
+		WORKDIR sub2
+	`
+	ctx := context.Background()
+	source := fakecontext.New(t, "", fakecontext.WithDockerfile(dockerfile))
+	defer source.Close()
+
+	apiclient := testEnv.APIClient()
+	resp, err := apiclient.ImageBuild(ctx,
+		source.AsTarReader(t),
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+			Tags:        []string{"build1"},
+		})
+	assert.NilError(t, err)
+	_, err = io.Copy(ioutil.Discard, resp.Body)
+	resp.Body.Close()
+	assert.NilError(t, err)
+
+	image, _, err := apiclient.ImageInspectWithRaw(ctx, "build1")
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal("/foo/sub2", image.Config.WorkingDir))
+	assert.Check(t, is.Contains(image.Config.Env, "WHO=parent"))
+}
+
+// Test cases in #36996
+func TestBuildLabelWithTargets(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.38"), "test added after 1.38")
+	bldName := "build-a"
+	testLabels := map[string]string{
+		"foo":  "bar",
+		"dead": "beef",
+	}
+
+	dockerfile := `
+		FROM busybox AS target-a
+		CMD ["/dev"]
+		LABEL label-a=inline-a
+		FROM busybox AS target-b
+		CMD ["/dist"]
+		LABEL label-b=inline-b
+		`
+
+	ctx := context.Background()
+	source := fakecontext.New(t, "", fakecontext.WithDockerfile(dockerfile))
+	defer source.Close()
+
+	apiclient := testEnv.APIClient()
+	// For `target-a` build
+	resp, err := apiclient.ImageBuild(ctx,
+		source.AsTarReader(t),
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+			Tags:        []string{bldName},
+			Labels:      testLabels,
+			Target:      "target-a",
+		})
+	assert.NilError(t, err)
+	_, err = io.Copy(ioutil.Discard, resp.Body)
+	resp.Body.Close()
+	assert.NilError(t, err)
+
+	image, _, err := apiclient.ImageInspectWithRaw(ctx, bldName)
+	assert.NilError(t, err)
+
+	testLabels["label-a"] = "inline-a"
+	for k, v := range testLabels {
+		x, ok := image.Config.Labels[k]
+		assert.Assert(t, ok)
+		assert.Assert(t, x == v)
+	}
+
+	// For `target-b` build
+	bldName = "build-b"
+	delete(testLabels, "label-a")
+	resp, err = apiclient.ImageBuild(ctx,
+		source.AsTarReader(t),
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+			Tags:        []string{bldName},
+			Labels:      testLabels,
+			Target:      "target-b",
+		})
+	assert.NilError(t, err)
+	_, err = io.Copy(ioutil.Discard, resp.Body)
+	resp.Body.Close()
+	assert.NilError(t, err)
+
+	image, _, err = apiclient.ImageInspectWithRaw(ctx, bldName)
+	assert.NilError(t, err)
+
+	testLabels["label-b"] = "inline-b"
+	for k, v := range testLabels {
+		x, ok := image.Config.Labels[k]
+		assert.Assert(t, ok)
+		assert.Assert(t, x == v)
+	}
+}
+
+func TestBuildWithEmptyLayers(t *testing.T) {
+	dockerfile := `
+		FROM    busybox
+		COPY    1/ /target/
+		COPY    2/ /target/
+		COPY    3/ /target/
+	`
+	ctx := context.Background()
+	source := fakecontext.New(t, "",
+		fakecontext.WithDockerfile(dockerfile),
+		fakecontext.WithFile("1/a", "asdf"),
+		fakecontext.WithFile("2/a", "asdf"),
+		fakecontext.WithFile("3/a", "asdf"))
+	defer source.Close()
+
+	apiclient := testEnv.APIClient()
+	resp, err := apiclient.ImageBuild(ctx,
+		source.AsTarReader(t),
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+		})
+	assert.NilError(t, err)
+	_, err = io.Copy(ioutil.Discard, resp.Body)
+	resp.Body.Close()
+	assert.NilError(t, err)
+}
+
+// TestBuildMultiStageOnBuild checks that ONBUILD commands are applied to
+// multiple subsequent stages
+// #35652
+func TestBuildMultiStageOnBuild(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.33"), "broken in earlier versions")
+	defer setupTest(t)()
+	// test both metadata and layer based commands as they may be implemented differently
+	dockerfile := `FROM busybox AS stage1
+ONBUILD RUN echo 'foo' >somefile
+ONBUILD ENV bar=baz
+
+FROM stage1
+RUN cat somefile # fails if ONBUILD RUN fails
+
+FROM stage1
+RUN cat somefile`
+
+	ctx := context.Background()
+	source := fakecontext.New(t, "",
+		fakecontext.WithDockerfile(dockerfile))
+	defer source.Close()
+
+	apiclient := testEnv.APIClient()
+	resp, err := apiclient.ImageBuild(ctx,
+		source.AsTarReader(t),
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+		})
+
+	out := bytes.NewBuffer(nil)
+	assert.NilError(t, err)
+	_, err = io.Copy(out, resp.Body)
+	resp.Body.Close()
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Contains(out.String(), "Successfully built"))
+
+	imageIDs, err := getImageIDsFromBuild(out.Bytes())
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(3, len(imageIDs)))
+
+	image, _, err := apiclient.ImageInspectWithRaw(context.Background(), imageIDs[2])
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(image.Config.Env, "bar=baz"))
+}
+
+// #35403 #36122
+func TestBuildUncleanTarFilenames(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.37"), "broken in earlier versions")
+	ctx := context.TODO()
+	defer setupTest(t)()
+
+	dockerfile := `FROM scratch
+COPY foo /
+FROM scratch
+COPY bar /`
+
+	buf := bytes.NewBuffer(nil)
+	w := tar.NewWriter(buf)
+	writeTarRecord(t, w, "Dockerfile", dockerfile)
+	writeTarRecord(t, w, "../foo", "foocontents0")
+	writeTarRecord(t, w, "/bar", "barcontents0")
+	err := w.Close()
+	assert.NilError(t, err)
+
+	apiclient := testEnv.APIClient()
+	resp, err := apiclient.ImageBuild(ctx,
+		buf,
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+		})
+
+	out := bytes.NewBuffer(nil)
+	assert.NilError(t, err)
+	_, err = io.Copy(out, resp.Body)
+	resp.Body.Close()
+	assert.NilError(t, err)
+
+	// repeat with changed data should not cause cache hits
+
+	buf = bytes.NewBuffer(nil)
+	w = tar.NewWriter(buf)
+	writeTarRecord(t, w, "Dockerfile", dockerfile)
+	writeTarRecord(t, w, "../foo", "foocontents1")
+	writeTarRecord(t, w, "/bar", "barcontents1")
+	err = w.Close()
+	assert.NilError(t, err)
+
+	resp, err = apiclient.ImageBuild(ctx,
+		buf,
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+		})
+
+	out = bytes.NewBuffer(nil)
+	assert.NilError(t, err)
+	_, err = io.Copy(out, resp.Body)
+	resp.Body.Close()
+	assert.NilError(t, err)
+	assert.Assert(t, !strings.Contains(out.String(), "Using cache"))
+}
+
+// docker/for-linux#135
+// #35641
+func TestBuildMultiStageLayerLeak(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.37"), "broken in earlier versions")
+	ctx := context.TODO()
+	defer setupTest(t)()
+
+	// all commands need to match until COPY
+	dockerfile := `FROM busybox
+WORKDIR /foo
+COPY foo .
+FROM busybox
+WORKDIR /foo
+COPY bar .
+RUN [ -f bar ]
+RUN [ ! -f foo ]
+`
+
+	source := fakecontext.New(t, "",
+		fakecontext.WithFile("foo", "0"),
+		fakecontext.WithFile("bar", "1"),
+		fakecontext.WithDockerfile(dockerfile))
+	defer source.Close()
+
+	apiclient := testEnv.APIClient()
+	resp, err := apiclient.ImageBuild(ctx,
+		source.AsTarReader(t),
+		types.ImageBuildOptions{
+			Remove:      true,
+			ForceRemove: true,
+		})
+
+	out := bytes.NewBuffer(nil)
+	assert.NilError(t, err)
+	_, err = io.Copy(out, resp.Body)
+	resp.Body.Close()
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Contains(out.String(), "Successfully built"))
+}
+
+func writeTarRecord(t *testing.T, w *tar.Writer, fn, contents string) {
+	err := w.WriteHeader(&tar.Header{
+		Name:     fn,
+		Mode:     0600,
+		Size:     int64(len(contents)),
+		Typeflag: '0',
+	})
+	assert.NilError(t, err)
+	_, err = w.Write([]byte(contents))
+	assert.NilError(t, err)
+}
+
+type buildLine struct {
+	Stream string
+	Aux    struct {
+		ID string
+	}
+}
+
+func getImageIDsFromBuild(output []byte) ([]string, error) {
+	var ids []string
+	for _, line := range bytes.Split(output, []byte("\n")) {
+		if len(line) == 0 {
+			continue
+		}
+		entry := buildLine{}
+		if err := json.Unmarshal(line, &entry); err != nil {
+			return nil, err
+		}
+		if entry.Aux.ID != "" {
+			ids = append(ids, entry.Aux.ID)
+		}
+	}
+	return ids, nil
+}
diff --git a/engine/integration/build/main_test.go b/engine/integration/build/main_test.go
new file mode 100644
index 00000000..fef3909f
--- /dev/null
+++ b/engine/integration/build/main_test.go
@@ -0,0 +1,33 @@
+package build // import "github.com/docker/docker/integration/build"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/config/config_test.go b/engine/integration/config/config_test.go
new file mode 100644
index 00000000..3cbca238
--- /dev/null
+++ b/engine/integration/config/config_test.go
@@ -0,0 +1,356 @@
+package config // import "github.com/docker/docker/integration/config"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/swarm"
+	"github.com/docker/docker/pkg/stdcopy"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestConfigList(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	ctx := context.Background()
+
+	// This test case is ported from the original TestConfigsEmptyList
+	configs, err := client.ConfigList(ctx, types.ConfigListOptions{})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(len(configs), 0))
+
+	testName0 := "test0-" + t.Name()
+	testName1 := "test1-" + t.Name()
+	testNames := []string{testName0, testName1}
+	sort.Strings(testNames)
+
+	// create config test0
+	createConfig(ctx, t, client, testName0, []byte("TESTINGDATA0"), map[string]string{"type": "test"})
+
+	config1ID := createConfig(ctx, t, client, testName1, []byte("TESTINGDATA1"), map[string]string{"type": "production"})
+
+	names := func(entries []swarmtypes.Config) []string {
+		var values []string
+		for _, entry := range entries {
+			values = append(values, entry.Spec.Name)
+		}
+		sort.Strings(values)
+		return values
+	}
+
+	// test by `config ls`
+	entries, err := client.ConfigList(ctx, types.ConfigListOptions{})
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(names(entries), testNames))
+
+	testCases := []struct {
+		filters  filters.Args
+		expected []string
+	}{
+		// test filter by name `config ls --filter name=xxx`
+		{
+			filters:  filters.NewArgs(filters.Arg("name", testName0)),
+			expected: []string{testName0},
+		},
+		// test filter by id `config ls --filter id=xxx`
+		{
+			filters:  filters.NewArgs(filters.Arg("id", config1ID)),
+			expected: []string{testName1},
+		},
+		// test filter by label `config ls --filter label=xxx`
+		{
+			filters:  filters.NewArgs(filters.Arg("label", "type")),
+			expected: testNames,
+		},
+		{
+			filters:  filters.NewArgs(filters.Arg("label", "type=test")),
+			expected: []string{testName0},
+		},
+		{
+			filters:  filters.NewArgs(filters.Arg("label", "type=production")),
+			expected: []string{testName1},
+		},
+	}
+	for _, tc := range testCases {
+		entries, err = client.ConfigList(ctx, types.ConfigListOptions{
+			Filters: tc.filters,
+		})
+		assert.NilError(t, err)
+		assert.Check(t, is.DeepEqual(names(entries), tc.expected))
+
+	}
+}
+
+func createConfig(ctx context.Context, t *testing.T, client client.APIClient, name string, data []byte, labels map[string]string) string {
+	config, err := client.ConfigCreate(ctx, swarmtypes.ConfigSpec{
+		Annotations: swarmtypes.Annotations{
+			Name:   name,
+			Labels: labels,
+		},
+		Data: data,
+	})
+	assert.NilError(t, err)
+	assert.Check(t, config.ID != "")
+	return config.ID
+}
+
+func TestConfigsCreateAndDelete(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	ctx := context.Background()
+
+	testName := "test_config-" + t.Name()
+
+	// This test case is ported from the original TestConfigsCreate
+	configID := createConfig(ctx, t, client, testName, []byte("TESTINGDATA"), nil)
+
+	insp, _, err := client.ConfigInspectWithRaw(ctx, configID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.Spec.Name, testName))
+
+	// This test case is ported from the original TestConfigsDelete
+	err = client.ConfigRemove(ctx, configID)
+	assert.NilError(t, err)
+
+	insp, _, err = client.ConfigInspectWithRaw(ctx, configID)
+	assert.Check(t, is.ErrorContains(err, "No such config"))
+}
+
+func TestConfigsUpdate(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	ctx := context.Background()
+
+	testName := "test_config-" + t.Name()
+
+	// This test case is ported from the original TestConfigsCreate
+	configID := createConfig(ctx, t, client, testName, []byte("TESTINGDATA"), nil)
+
+	insp, _, err := client.ConfigInspectWithRaw(ctx, configID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.ID, configID))
+
+	// test UpdateConfig with full ID
+	insp.Spec.Labels = map[string]string{"test": "test1"}
+	err = client.ConfigUpdate(ctx, configID, insp.Version, insp.Spec)
+	assert.NilError(t, err)
+
+	insp, _, err = client.ConfigInspectWithRaw(ctx, configID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.Spec.Labels["test"], "test1"))
+
+	// test UpdateConfig with full name
+	insp.Spec.Labels = map[string]string{"test": "test2"}
+	err = client.ConfigUpdate(ctx, testName, insp.Version, insp.Spec)
+	assert.NilError(t, err)
+
+	insp, _, err = client.ConfigInspectWithRaw(ctx, configID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.Spec.Labels["test"], "test2"))
+
+	// test UpdateConfig with prefix ID
+	insp.Spec.Labels = map[string]string{"test": "test3"}
+	err = client.ConfigUpdate(ctx, configID[:1], insp.Version, insp.Spec)
+	assert.NilError(t, err)
+
+	insp, _, err = client.ConfigInspectWithRaw(ctx, configID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.Spec.Labels["test"], "test3"))
+
+	// test UpdateConfig in updating Data which is not supported in daemon
+	// this test will produce an error in func UpdateConfig
+	insp.Spec.Data = []byte("TESTINGDATA2")
+	err = client.ConfigUpdate(ctx, configID, insp.Version, insp.Spec)
+	assert.Check(t, is.ErrorContains(err, "only updates to Labels are allowed"))
+}
+
+func TestTemplatedConfig(t *testing.T) {
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+	ctx := context.Background()
+
+	referencedSecretName := "referencedsecret-" + t.Name()
+	referencedSecretSpec := swarmtypes.SecretSpec{
+		Annotations: swarmtypes.Annotations{
+			Name: referencedSecretName,
+		},
+		Data: []byte("this is a secret"),
+	}
+	referencedSecret, err := client.SecretCreate(ctx, referencedSecretSpec)
+	assert.Check(t, err)
+
+	referencedConfigName := "referencedconfig-" + t.Name()
+	referencedConfigSpec := swarmtypes.ConfigSpec{
+		Annotations: swarmtypes.Annotations{
+			Name: referencedConfigName,
+		},
+		Data: []byte("this is a config"),
+	}
+	referencedConfig, err := client.ConfigCreate(ctx, referencedConfigSpec)
+	assert.Check(t, err)
+
+	templatedConfigName := "templated_config-" + t.Name()
+	configSpec := swarmtypes.ConfigSpec{
+		Annotations: swarmtypes.Annotations{
+			Name: templatedConfigName,
+		},
+		Templating: &swarmtypes.Driver{
+			Name: "golang",
+		},
+		Data: []byte("SERVICE_NAME={{.Service.Name}}\n" +
+			"{{secret \"referencedsecrettarget\"}}\n" +
+			"{{config \"referencedconfigtarget\"}}\n"),
+	}
+
+	templatedConfig, err := client.ConfigCreate(ctx, configSpec)
+	assert.Check(t, err)
+
+	serviceID := swarm.CreateService(t, d,
+		swarm.ServiceWithConfig(
+			&swarmtypes.ConfigReference{
+				File: &swarmtypes.ConfigReferenceFileTarget{
+					Name: "/" + templatedConfigName,
+					UID:  "0",
+					GID:  "0",
+					Mode: 0600,
+				},
+				ConfigID:   templatedConfig.ID,
+				ConfigName: templatedConfigName,
+			},
+		),
+		swarm.ServiceWithConfig(
+			&swarmtypes.ConfigReference{
+				File: &swarmtypes.ConfigReferenceFileTarget{
+					Name: "referencedconfigtarget",
+					UID:  "0",
+					GID:  "0",
+					Mode: 0600,
+				},
+				ConfigID:   referencedConfig.ID,
+				ConfigName: referencedConfigName,
+			},
+		),
+		swarm.ServiceWithSecret(
+			&swarmtypes.SecretReference{
+				File: &swarmtypes.SecretReferenceFileTarget{
+					Name: "referencedsecrettarget",
+					UID:  "0",
+					GID:  "0",
+					Mode: 0600,
+				},
+				SecretID:   referencedSecret.ID,
+				SecretName: referencedSecretName,
+			},
+		),
+		swarm.ServiceWithName("svc"),
+	)
+
+	var tasks []swarmtypes.Task
+	waitAndAssert(t, 60*time.Second, func(t *testing.T) bool {
+		tasks = swarm.GetRunningTasks(t, d, serviceID)
+		return len(tasks) > 0
+	})
+
+	task := tasks[0]
+	waitAndAssert(t, 60*time.Second, func(t *testing.T) bool {
+		if task.NodeID == "" || (task.Status.ContainerStatus == nil || task.Status.ContainerStatus.ContainerID == "") {
+			task, _, _ = client.TaskInspectWithRaw(context.Background(), task.ID)
+		}
+		return task.NodeID != "" && task.Status.ContainerStatus != nil && task.Status.ContainerStatus.ContainerID != ""
+	})
+
+	attach := swarm.ExecTask(t, d, task, types.ExecConfig{
+		Cmd:          []string{"/bin/cat", "/" + templatedConfigName},
+		AttachStdout: true,
+		AttachStderr: true,
+	})
+
+	expect := "SERVICE_NAME=svc\n" +
+		"this is a secret\n" +
+		"this is a config\n"
+	assertAttachedStream(t, attach, expect)
+
+	attach = swarm.ExecTask(t, d, task, types.ExecConfig{
+		Cmd:          []string{"mount"},
+		AttachStdout: true,
+		AttachStderr: true,
+	})
+	assertAttachedStream(t, attach, "tmpfs on /"+templatedConfigName+" type tmpfs")
+}
+
+func assertAttachedStream(t *testing.T, attach types.HijackedResponse, expect string) {
+	buf := bytes.NewBuffer(nil)
+	_, err := stdcopy.StdCopy(buf, buf, attach.Reader)
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(buf.String(), expect))
+}
+
+func waitAndAssert(t *testing.T, timeout time.Duration, f func(*testing.T) bool) {
+	t.Helper()
+	after := time.After(timeout)
+	for {
+		select {
+		case <-after:
+			t.Fatalf("timed out waiting for condition")
+		default:
+		}
+		if f(t) {
+			return
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+}
+
+func TestConfigInspect(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	ctx := context.Background()
+
+	testName := t.Name()
+	configID := createConfig(ctx, t, client, testName, []byte("TESTINGDATA"), nil)
+
+	insp, body, err := client.ConfigInspectWithRaw(ctx, configID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.Spec.Name, testName))
+
+	var config swarmtypes.Config
+	err = json.Unmarshal(body, &config)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(config, insp))
+}
diff --git a/engine/integration/config/main_test.go b/engine/integration/config/main_test.go
new file mode 100644
index 00000000..3c8f0483
--- /dev/null
+++ b/engine/integration/config/main_test.go
@@ -0,0 +1,33 @@
+package config // import "github.com/docker/docker/integration/config"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/container/copy_test.go b/engine/integration/container/copy_test.go
new file mode 100644
index 00000000..241b719e
--- /dev/null
+++ b/engine/integration/container/copy_test.go
@@ -0,0 +1,65 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/container"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestCopyFromContainerPathDoesNotExist(t *testing.T) {
+	defer setupTest(t)()
+
+	ctx := context.Background()
+	apiclient := testEnv.APIClient()
+	cid := container.Create(t, ctx, apiclient)
+
+	_, _, err := apiclient.CopyFromContainer(ctx, cid, "/dne")
+	assert.Check(t, client.IsErrNotFound(err))
+	expected := fmt.Sprintf("No such container:path: %s:%s", cid, "/dne")
+	assert.Check(t, is.ErrorContains(err, expected))
+}
+
+func TestCopyFromContainerPathIsNotDir(t *testing.T) {
+	defer setupTest(t)()
+	skip.If(t, testEnv.OSType == "windows")
+
+	ctx := context.Background()
+	apiclient := testEnv.APIClient()
+	cid := container.Create(t, ctx, apiclient)
+
+	_, _, err := apiclient.CopyFromContainer(ctx, cid, "/etc/passwd/")
+	assert.Assert(t, is.ErrorContains(err, "not a directory"))
+}
+
+func TestCopyToContainerPathDoesNotExist(t *testing.T) {
+	defer setupTest(t)()
+	skip.If(t, testEnv.OSType == "windows")
+
+	ctx := context.Background()
+	apiclient := testEnv.APIClient()
+	cid := container.Create(t, ctx, apiclient)
+
+	err := apiclient.CopyToContainer(ctx, cid, "/dne", nil, types.CopyToContainerOptions{})
+	assert.Check(t, client.IsErrNotFound(err))
+	expected := fmt.Sprintf("No such container:path: %s:%s", cid, "/dne")
+	assert.Check(t, is.ErrorContains(err, expected))
+}
+
+func TestCopyToContainerPathIsNotDir(t *testing.T) {
+	defer setupTest(t)()
+	skip.If(t, testEnv.OSType == "windows")
+
+	ctx := context.Background()
+	apiclient := testEnv.APIClient()
+	cid := container.Create(t, ctx, apiclient)
+
+	err := apiclient.CopyToContainer(ctx, cid, "/etc/passwd/", nil, types.CopyToContainerOptions{})
+	assert.Assert(t, is.ErrorContains(err, "not a directory"))
+}
diff --git a/engine/integration/container/create_test.go b/engine/integration/container/create_test.go
new file mode 100644
index 00000000..f94eb4a3
--- /dev/null
+++ b/engine/integration/container/create_test.go
@@ -0,0 +1,303 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	ctr "github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/oci"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestCreateFailsWhenIdentifierDoesNotExist(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+
+	testCases := []struct {
+		doc           string
+		image         string
+		expectedError string
+	}{
+		{
+			doc:           "image and tag",
+			image:         "test456:v1",
+			expectedError: "No such image: test456:v1",
+		},
+		{
+			doc:           "image no tag",
+			image:         "test456",
+			expectedError: "No such image: test456",
+		},
+		{
+			doc:           "digest",
+			image:         "sha256:0cb40641836c461bc97c793971d84d758371ed682042457523e4ae701efeaaaa",
+			expectedError: "No such image: sha256:0cb40641836c461bc97c793971d84d758371ed682042457523e4ae701efeaaaa",
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.doc, func(t *testing.T) {
+			t.Parallel()
+			_, err := client.ContainerCreate(context.Background(),
+				&container.Config{Image: tc.image},
+				&container.HostConfig{},
+				&network.NetworkingConfig{},
+				"",
+			)
+			assert.Check(t, is.ErrorContains(err, tc.expectedError))
+		})
+	}
+}
+
+func TestCreateWithInvalidEnv(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+
+	testCases := []struct {
+		env           string
+		expectedError string
+	}{
+		{
+			env:           "",
+			expectedError: "invalid environment variable:",
+		},
+		{
+			env:           "=",
+			expectedError: "invalid environment variable: =",
+		},
+		{
+			env:           "=foo",
+			expectedError: "invalid environment variable: =foo",
+		},
+	}
+
+	for index, tc := range testCases {
+		tc := tc
+		t.Run(strconv.Itoa(index), func(t *testing.T) {
+			t.Parallel()
+			_, err := client.ContainerCreate(context.Background(),
+				&container.Config{
+					Image: "busybox",
+					Env:   []string{tc.env},
+				},
+				&container.HostConfig{},
+				&network.NetworkingConfig{},
+				"",
+			)
+			assert.Check(t, is.ErrorContains(err, tc.expectedError))
+		})
+	}
+}
+
+// Test case for #30166 (target was not validated)
+func TestCreateTmpfsMountsTarget(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+
+	testCases := []struct {
+		target        string
+		expectedError string
+	}{
+		{
+			target:        ".",
+			expectedError: "mount path must be absolute",
+		},
+		{
+			target:        "foo",
+			expectedError: "mount path must be absolute",
+		},
+		{
+			target:        "/",
+			expectedError: "destination can't be '/'",
+		},
+		{
+			target:        "//",
+			expectedError: "destination can't be '/'",
+		},
+	}
+
+	for _, tc := range testCases {
+		_, err := client.ContainerCreate(context.Background(),
+			&container.Config{
+				Image: "busybox",
+			},
+			&container.HostConfig{
+				Tmpfs: map[string]string{tc.target: ""},
+			},
+			&network.NetworkingConfig{},
+			"",
+		)
+		assert.Check(t, is.ErrorContains(err, tc.expectedError))
+	}
+}
+func TestCreateWithCustomMaskedPaths(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	testCases := []struct {
+		maskedPaths []string
+		expected    []string
+	}{
+		{
+			maskedPaths: []string{},
+			expected:    []string{},
+		},
+		{
+			maskedPaths: nil,
+			expected:    oci.DefaultSpec().Linux.MaskedPaths,
+		},
+		{
+			maskedPaths: []string{"/proc/kcore", "/proc/keys"},
+			expected:    []string{"/proc/kcore", "/proc/keys"},
+		},
+	}
+
+	checkInspect := func(t *testing.T, ctx context.Context, name string, expected []string) {
+		_, b, err := client.ContainerInspectWithRaw(ctx, name, false)
+		assert.NilError(t, err)
+
+		var inspectJSON map[string]interface{}
+		err = json.Unmarshal(b, &inspectJSON)
+		assert.NilError(t, err)
+
+		cfg, ok := inspectJSON["HostConfig"].(map[string]interface{})
+		assert.Check(t, is.Equal(true, ok), name)
+
+		maskedPaths, ok := cfg["MaskedPaths"].([]interface{})
+		assert.Check(t, is.Equal(true, ok), name)
+
+		mps := []string{}
+		for _, mp := range maskedPaths {
+			mps = append(mps, mp.(string))
+		}
+
+		assert.DeepEqual(t, expected, mps)
+	}
+
+	for i, tc := range testCases {
+		name := fmt.Sprintf("create-masked-paths-%d", i)
+		config := container.Config{
+			Image: "busybox",
+			Cmd:   []string{"true"},
+		}
+		hc := container.HostConfig{}
+		if tc.maskedPaths != nil {
+			hc.MaskedPaths = tc.maskedPaths
+		}
+
+		// Create the container.
+		c, err := client.ContainerCreate(context.Background(),
+			&config,
+			&hc,
+			&network.NetworkingConfig{},
+			name,
+		)
+		assert.NilError(t, err)
+
+		checkInspect(t, ctx, name, tc.expected)
+
+		// Start the container.
+		err = client.ContainerStart(ctx, c.ID, types.ContainerStartOptions{})
+		assert.NilError(t, err)
+
+		poll.WaitOn(t, ctr.IsInState(ctx, client, c.ID, "exited"), poll.WithDelay(100*time.Millisecond))
+
+		checkInspect(t, ctx, name, tc.expected)
+	}
+}
+
+func TestCreateWithCustomReadonlyPaths(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	testCases := []struct {
+		doc           string
+		readonlyPaths []string
+		expected      []string
+	}{
+		{
+			readonlyPaths: []string{},
+			expected:      []string{},
+		},
+		{
+			readonlyPaths: nil,
+			expected:      oci.DefaultSpec().Linux.ReadonlyPaths,
+		},
+		{
+			readonlyPaths: []string{"/proc/asound", "/proc/bus"},
+			expected:      []string{"/proc/asound", "/proc/bus"},
+		},
+	}
+
+	checkInspect := func(t *testing.T, ctx context.Context, name string, expected []string) {
+		_, b, err := client.ContainerInspectWithRaw(ctx, name, false)
+		assert.NilError(t, err)
+
+		var inspectJSON map[string]interface{}
+		err = json.Unmarshal(b, &inspectJSON)
+		assert.NilError(t, err)
+
+		cfg, ok := inspectJSON["HostConfig"].(map[string]interface{})
+		assert.Check(t, is.Equal(true, ok), name)
+
+		readonlyPaths, ok := cfg["ReadonlyPaths"].([]interface{})
+		assert.Check(t, is.Equal(true, ok), name)
+
+		rops := []string{}
+		for _, rop := range readonlyPaths {
+			rops = append(rops, rop.(string))
+		}
+		assert.DeepEqual(t, expected, rops)
+	}
+
+	for i, tc := range testCases {
+		name := fmt.Sprintf("create-readonly-paths-%d", i)
+		config := container.Config{
+			Image: "busybox",
+			Cmd:   []string{"true"},
+		}
+		hc := container.HostConfig{}
+		if tc.readonlyPaths != nil {
+			hc.ReadonlyPaths = tc.readonlyPaths
+		}
+
+		// Create the container.
+		c, err := client.ContainerCreate(context.Background(),
+			&config,
+			&hc,
+			&network.NetworkingConfig{},
+			name,
+		)
+		assert.NilError(t, err)
+
+		checkInspect(t, ctx, name, tc.expected)
+
+		// Start the container.
+		err = client.ContainerStart(ctx, c.ID, types.ContainerStartOptions{})
+		assert.NilError(t, err)
+
+		poll.WaitOn(t, ctr.IsInState(ctx, client, c.ID, "exited"), poll.WithDelay(100*time.Millisecond))
+
+		checkInspect(t, ctx, name, tc.expected)
+	}
+}
diff --git a/engine/integration/container/daemon_linux_test.go b/engine/integration/container/daemon_linux_test.go
new file mode 100644
index 00000000..bc5c5076
--- /dev/null
+++ b/engine/integration/container/daemon_linux_test.go
@@ -0,0 +1,78 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/daemon"
+	"golang.org/x/sys/unix"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+// This is a regression test for #36145
+// It ensures that a container can be started when the daemon was improperly
+// shutdown when the daemon is brought back up.
+//
+// The regression is due to improper error handling preventing a container from
+// being restored and as such have the resources cleaned up.
+//
+// To test this, we need to kill dockerd, then kill both the containerd-shim and
+// the container process, then start dockerd back up and attempt to start the
+// container again.
+func TestContainerStartOnDaemonRestart(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot start daemon on remote test run")
+	t.Parallel()
+
+	d := daemon.New(t)
+	d.StartWithBusybox(t, "--iptables=false")
+	defer d.Stop(t)
+
+	client, err := d.NewClient()
+	assert.Check(t, err, "error creating client")
+
+	ctx := context.Background()
+
+	cID := container.Create(t, ctx, client)
+	defer client.ContainerRemove(ctx, cID, types.ContainerRemoveOptions{Force: true})
+
+	err = client.ContainerStart(ctx, cID, types.ContainerStartOptions{})
+	assert.Check(t, err, "error starting test container")
+
+	inspect, err := client.ContainerInspect(ctx, cID)
+	assert.Check(t, err, "error getting inspect data")
+
+	ppid := getContainerdShimPid(t, inspect)
+
+	err = d.Kill()
+	assert.Check(t, err, "failed to kill test daemon")
+
+	err = unix.Kill(inspect.State.Pid, unix.SIGKILL)
+	assert.Check(t, err, "failed to kill container process")
+
+	err = unix.Kill(ppid, unix.SIGKILL)
+	assert.Check(t, err, "failed to kill containerd-shim")
+
+	d.Start(t, "--iptables=false")
+
+	err = client.ContainerStart(ctx, cID, types.ContainerStartOptions{})
+	assert.Check(t, err, "failed to start test container")
+}
+
+func getContainerdShimPid(t *testing.T, c types.ContainerJSON) int {
+	statB, err := ioutil.ReadFile(fmt.Sprintf("/proc/%d/stat", c.State.Pid))
+	assert.Check(t, err, "error looking up containerd-shim pid")
+
+	// ppid is the 4th entry in `/proc/pid/stat`
+	ppid, err := strconv.Atoi(strings.Fields(string(statB))[3])
+	assert.Check(t, err, "error converting ppid field to int")
+
+	assert.Check(t, ppid != 1, "got unexpected ppid")
+	return ppid
+}
diff --git a/engine/integration/container/diff_test.go b/engine/integration/container/diff_test.go
new file mode 100644
index 00000000..b4219c36
--- /dev/null
+++ b/engine/integration/container/diff_test.go
@@ -0,0 +1,42 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/archive"
+	"gotest.tools/assert"
+	"gotest.tools/poll"
+)
+
+func TestDiff(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client, container.WithCmd("sh", "-c", `mkdir /foo; echo xyzzy > /foo/bar`))
+
+	// Wait for it to exit as cannot diff a running container on Windows, and
+	// it will take a few seconds to exit. Also there's no way in Windows to
+	// differentiate between an Add or a Modify, and all files are under
+	// a "Files/" prefix.
+	expected := []containertypes.ContainerChangeResponseItem{
+		{Kind: archive.ChangeAdd, Path: "/foo"},
+		{Kind: archive.ChangeAdd, Path: "/foo/bar"},
+	}
+	if testEnv.OSType == "windows" {
+		poll.WaitOn(t, container.IsInState(ctx, client, cID, "exited"), poll.WithDelay(100*time.Millisecond), poll.WithTimeout(60*time.Second))
+		expected = []containertypes.ContainerChangeResponseItem{
+			{Kind: archive.ChangeModify, Path: "Files/foo"},
+			{Kind: archive.ChangeModify, Path: "Files/foo/bar"},
+		}
+	}
+
+	items, err := client.ContainerDiff(ctx, cID)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, expected, items)
+}
diff --git a/engine/integration/container/exec_test.go b/engine/integration/container/exec_test.go
new file mode 100644
index 00000000..85f9e059
--- /dev/null
+++ b/engine/integration/container/exec_test.go
@@ -0,0 +1,50 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestExec(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.35"), "broken in earlier versions")
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	cID := container.Run(t, ctx, client, container.WithTty(true), container.WithWorkingDir("/root"))
+
+	id, err := client.ContainerExecCreate(ctx, cID,
+		types.ExecConfig{
+			WorkingDir:   "/tmp",
+			Env:          strslice.StrSlice([]string{"FOO=BAR"}),
+			AttachStdout: true,
+			Cmd:          strslice.StrSlice([]string{"sh", "-c", "env"}),
+		},
+	)
+	assert.NilError(t, err)
+
+	resp, err := client.ContainerExecAttach(ctx, id.ID,
+		types.ExecStartCheck{
+			Detach: false,
+			Tty:    false,
+		},
+	)
+	assert.NilError(t, err)
+	defer resp.Close()
+	r, err := ioutil.ReadAll(resp.Reader)
+	assert.NilError(t, err)
+	out := string(r)
+	assert.NilError(t, err)
+	assert.Assert(t, is.Contains(out, "PWD=/tmp"), "exec command not running in expected /tmp working directory")
+	assert.Assert(t, is.Contains(out, "FOO=BAR"), "exec command not running with expected environment variable FOO")
+}
diff --git a/engine/integration/container/export_test.go b/engine/integration/container/export_test.go
new file mode 100644
index 00000000..7a9ed0aa
--- /dev/null
+++ b/engine/integration/container/export_test.go
@@ -0,0 +1,78 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+// export an image and try to import it into a new one
+func TestExportContainerAndImportImage(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client, container.WithCmd("true"))
+	poll.WaitOn(t, container.IsStopped(ctx, client, cID), poll.WithDelay(100*time.Millisecond))
+
+	reference := "repo/testexp:v1"
+	exportResp, err := client.ContainerExport(ctx, cID)
+	assert.NilError(t, err)
+	importResp, err := client.ImageImport(ctx, types.ImageImportSource{
+		Source:     exportResp,
+		SourceName: "-",
+	}, reference, types.ImageImportOptions{})
+	assert.NilError(t, err)
+
+	// If the import is successfully, then the message output should contain
+	// the image ID and match with the output from `docker images`.
+
+	dec := json.NewDecoder(importResp)
+	var jm jsonmessage.JSONMessage
+	err = dec.Decode(&jm)
+	assert.NilError(t, err)
+
+	images, err := client.ImageList(ctx, types.ImageListOptions{
+		Filters: filters.NewArgs(filters.Arg("reference", reference)),
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(jm.Status, images[0].ID))
+}
+
+// TestExportContainerAfterDaemonRestart checks that a container
+// created before start of the currently running dockerd
+// can be exported (as reported in #36561). To satisfy this
+// condition, daemon restart is needed after container creation.
+func TestExportContainerAfterDaemonRestart(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+	skip.If(t, testEnv.IsRemoteDaemon())
+
+	d := daemon.New(t)
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	d.StartWithBusybox(t)
+	defer d.Stop(t)
+
+	ctx := context.Background()
+	ctrID := container.Create(t, ctx, client)
+
+	d.Restart(t)
+
+	_, err = client.ContainerExport(ctx, ctrID)
+	assert.NilError(t, err)
+}
diff --git a/engine/integration/container/health_test.go b/engine/integration/container/health_test.go
new file mode 100644
index 00000000..7cc196e4
--- /dev/null
+++ b/engine/integration/container/health_test.go
@@ -0,0 +1,47 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/poll"
+)
+
+// TestHealthCheckWorkdir verifies that health-checks inherit the containers'
+// working-dir.
+func TestHealthCheckWorkdir(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	cID := container.Run(t, ctx, client, container.WithTty(true), container.WithWorkingDir("/foo"), func(c *container.TestContainerConfig) {
+		c.Config.Healthcheck = &containertypes.HealthConfig{
+			Test:     []string{"CMD-SHELL", "if [ \"$PWD\" = \"/foo\" ]; then exit 0; else exit 1; fi;"},
+			Interval: 50 * time.Millisecond,
+			Retries:  3,
+		}
+	})
+
+	poll.WaitOn(t, pollForHealthStatus(ctx, client, cID, types.Healthy), poll.WithDelay(100*time.Millisecond))
+}
+
+func pollForHealthStatus(ctx context.Context, client client.APIClient, containerID string, healthStatus string) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		inspect, err := client.ContainerInspect(ctx, containerID)
+
+		switch {
+		case err != nil:
+			return poll.Error(err)
+		case inspect.State.Health.Status == healthStatus:
+			return poll.Success()
+		default:
+			return poll.Continue("waiting for container to become %s", healthStatus)
+		}
+	}
+}
diff --git a/engine/integration/container/inspect_test.go b/engine/integration/container/inspect_test.go
new file mode 100644
index 00000000..d034c536
--- /dev/null
+++ b/engine/integration/container/inspect_test.go
@@ -0,0 +1,48 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestInspectCpusetInConfigPre120(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux" || !testEnv.DaemonInfo.CPUSet)
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t, client.WithVersion("1.19"))
+	ctx := context.Background()
+
+	name := "cpusetinconfig-pre120-" + t.Name()
+	// Create container with up to-date-API
+	container.Run(t, ctx, request.NewAPIClient(t), container.WithName(name),
+		container.WithCmd("true"),
+		func(c *container.TestContainerConfig) {
+			c.HostConfig.Resources.CpusetCpus = "0"
+		},
+	)
+	poll.WaitOn(t, container.IsInState(ctx, client, name, "exited"), poll.WithDelay(100*time.Millisecond))
+
+	_, body, err := client.ContainerInspectWithRaw(ctx, name, false)
+	assert.NilError(t, err)
+
+	var inspectJSON map[string]interface{}
+	err = json.Unmarshal(body, &inspectJSON)
+	assert.NilError(t, err, "unable to unmarshal body for version 1.19: %s", err)
+
+	config, ok := inspectJSON["Config"]
+	assert.Check(t, is.Equal(true, ok), "Unable to find 'Config'")
+
+	cfg := config.(map[string]interface{})
+	_, ok = cfg["Cpuset"]
+	assert.Check(t, is.Equal(true, ok), "API version 1.19 expected to include Cpuset in 'Config'")
+}
diff --git a/engine/integration/container/kill_test.go b/engine/integration/container/kill_test.go
new file mode 100644
index 00000000..12a9083c
--- /dev/null
+++ b/engine/integration/container/kill_test.go
@@ -0,0 +1,183 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestKillContainerInvalidSignal(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+	id := container.Run(t, ctx, client)
+
+	err := client.ContainerKill(ctx, id, "0")
+	assert.Error(t, err, "Error response from daemon: Invalid signal: 0")
+	poll.WaitOn(t, container.IsInState(ctx, client, id, "running"), poll.WithDelay(100*time.Millisecond))
+
+	err = client.ContainerKill(ctx, id, "SIG42")
+	assert.Error(t, err, "Error response from daemon: Invalid signal: SIG42")
+	poll.WaitOn(t, container.IsInState(ctx, client, id, "running"), poll.WithDelay(100*time.Millisecond))
+}
+
+func TestKillContainer(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+
+	testCases := []struct {
+		doc    string
+		signal string
+		status string
+	}{
+		{
+			doc:    "no signal",
+			signal: "",
+			status: "exited",
+		},
+		{
+			doc:    "non killing signal",
+			signal: "SIGWINCH",
+			status: "running",
+		},
+		{
+			doc:    "killing signal",
+			signal: "SIGTERM",
+			status: "exited",
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.doc, func(t *testing.T) {
+			ctx := context.Background()
+			id := container.Run(t, ctx, client)
+			err := client.ContainerKill(ctx, id, tc.signal)
+			assert.NilError(t, err)
+
+			poll.WaitOn(t, container.IsInState(ctx, client, id, tc.status), poll.WithDelay(100*time.Millisecond))
+		})
+	}
+}
+
+func TestKillWithStopSignalAndRestartPolicies(t *testing.T) {
+	skip.If(t, testEnv.OSType != "linux", "Windows only supports 1.25 or later")
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+
+	testCases := []struct {
+		doc        string
+		stopsignal string
+		status     string
+	}{
+		{
+			doc:        "same-signal-disables-restart-policy",
+			stopsignal: "TERM",
+			status:     "exited",
+		},
+		{
+			doc:        "different-signal-keep-restart-policy",
+			stopsignal: "CONT",
+			status:     "running",
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.doc, func(t *testing.T) {
+			ctx := context.Background()
+			id := container.Run(t, ctx, client, func(c *container.TestContainerConfig) {
+				c.Config.StopSignal = tc.stopsignal
+				c.HostConfig.RestartPolicy = containertypes.RestartPolicy{
+					Name: "always",
+				}
+			})
+			err := client.ContainerKill(ctx, id, "TERM")
+			assert.NilError(t, err)
+
+			poll.WaitOn(t, container.IsInState(ctx, client, id, tc.status), poll.WithDelay(100*time.Millisecond))
+		})
+	}
+}
+
+func TestKillStoppedContainer(t *testing.T) {
+	skip.If(t, testEnv.OSType != "linux") // Windows only supports 1.25 or later
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+	id := container.Create(t, ctx, client)
+	err := client.ContainerKill(ctx, id, "SIGKILL")
+	assert.Assert(t, is.ErrorContains(err, ""))
+	assert.Assert(t, is.Contains(err.Error(), "is not running"))
+}
+
+func TestKillStoppedContainerAPIPre120(t *testing.T) {
+	skip.If(t, testEnv.OSType != "linux") // Windows only supports 1.25 or later
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t, client.WithVersion("1.19"))
+	id := container.Create(t, ctx, client)
+	err := client.ContainerKill(ctx, id, "SIGKILL")
+	assert.NilError(t, err)
+}
+
+func TestKillDifferentUserContainer(t *testing.T) {
+	// TODO Windows: Windows does not yet support -u (Feb 2016).
+	skip.If(t, testEnv.OSType != "linux", "User containers (container.Config.User) are not yet supported on %q platform", testEnv.OSType)
+
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t, client.WithVersion("1.19"))
+
+	id := container.Run(t, ctx, client, func(c *container.TestContainerConfig) {
+		c.Config.User = "daemon"
+	})
+	poll.WaitOn(t, container.IsInState(ctx, client, id, "running"), poll.WithDelay(100*time.Millisecond))
+
+	err := client.ContainerKill(ctx, id, "SIGKILL")
+	assert.NilError(t, err)
+	poll.WaitOn(t, container.IsInState(ctx, client, id, "exited"), poll.WithDelay(100*time.Millisecond))
+}
+
+func TestInspectOomKilledTrue(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux" || !testEnv.DaemonInfo.MemoryLimit || !testEnv.DaemonInfo.SwapLimit)
+
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	cID := container.Run(t, ctx, client, container.WithCmd("sh", "-c", "x=a; while true; do x=$x$x$x$x; done"), func(c *container.TestContainerConfig) {
+		c.HostConfig.Resources.Memory = 32 * 1024 * 1024
+	})
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "exited"), poll.WithDelay(100*time.Millisecond))
+
+	inspect, err := client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(true, inspect.State.OOMKilled))
+}
+
+func TestInspectOomKilledFalse(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux" || !testEnv.DaemonInfo.MemoryLimit || !testEnv.DaemonInfo.SwapLimit)
+
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	cID := container.Run(t, ctx, client, container.WithCmd("sh", "-c", "echo hello world"))
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "exited"), poll.WithDelay(100*time.Millisecond))
+
+	inspect, err := client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(false, inspect.State.OOMKilled))
+}
diff --git a/engine/integration/container/links_linux_test.go b/engine/integration/container/links_linux_test.go
new file mode 100644
index 00000000..f9f3cbe5
--- /dev/null
+++ b/engine/integration/container/links_linux_test.go
@@ -0,0 +1,57 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestLinksEtcHostsContentMatch(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+
+	hosts, err := ioutil.ReadFile("/etc/hosts")
+	skip.If(t, os.IsNotExist(err))
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client, container.WithNetworkMode("host"))
+	res, err := container.Exec(ctx, client, cID, []string{"cat", "/etc/hosts"})
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(res.Stderr(), 0))
+	assert.Equal(t, 0, res.ExitCode)
+
+	assert.Check(t, is.Equal(string(hosts), res.Stdout()))
+}
+
+func TestLinksContainerNames(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	containerA := "first_" + t.Name()
+	containerB := "second_" + t.Name()
+	container.Run(t, ctx, client, container.WithName(containerA))
+	container.Run(t, ctx, client, container.WithName(containerB), container.WithLinks(containerA+":"+containerA))
+
+	f := filters.NewArgs(filters.Arg("name", containerA))
+
+	containers, err := client.ContainerList(ctx, types.ContainerListOptions{
+		Filters: f,
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(1, len(containers)))
+	assert.Check(t, is.DeepEqual([]string{"/" + containerA, "/" + containerB + "/" + containerA}, containers[0].Names))
+}
diff --git a/engine/integration/container/logs_test.go b/engine/integration/container/logs_test.go
new file mode 100644
index 00000000..68fbe13a
--- /dev/null
+++ b/engine/integration/container/logs_test.go
@@ -0,0 +1,35 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/stdcopy"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+// Regression test for #35370
+// Makes sure that when following we don't get an EOF error when there are no logs
+func TestLogsFollowTailEmpty(t *testing.T) {
+	// FIXME(vdemeester) fails on a e2e run on linux...
+	skip.If(t, testEnv.IsRemoteDaemon())
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	id := container.Run(t, ctx, client, container.WithCmd("sleep", "100000"))
+
+	logs, err := client.ContainerLogs(ctx, id, types.ContainerLogsOptions{ShowStdout: true, Tail: "2"})
+	if logs != nil {
+		defer logs.Close()
+	}
+	assert.Check(t, err)
+
+	_, err = stdcopy.StdCopy(ioutil.Discard, ioutil.Discard, logs)
+	assert.Check(t, err)
+}
diff --git a/engine/integration/container/main_test.go b/engine/integration/container/main_test.go
new file mode 100644
index 00000000..fb87fddc
--- /dev/null
+++ b/engine/integration/container/main_test.go
@@ -0,0 +1,33 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/container/mounts_linux_test.go b/engine/integration/container/mounts_linux_test.go
new file mode 100644
index 00000000..a0a8836c
--- /dev/null
+++ b/engine/integration/container/mounts_linux_test.go
@@ -0,0 +1,208 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/system"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+	"gotest.tools/skip"
+)
+
+func TestContainerNetworkMountsNoChown(t *testing.T) {
+	// chown only applies to Linux bind mounted volumes; must be same host to verify
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux" || testEnv.IsRemoteDaemon())
+
+	defer setupTest(t)()
+
+	ctx := context.Background()
+
+	tmpDir := fs.NewDir(t, "network-file-mounts", fs.WithMode(0755), fs.WithFile("nwfile", "network file bind mount", fs.WithMode(0644)))
+	defer tmpDir.Remove()
+
+	tmpNWFileMount := tmpDir.Join("nwfile")
+
+	config := container.Config{
+		Image: "busybox",
+	}
+	hostConfig := container.HostConfig{
+		Mounts: []mount.Mount{
+			{
+				Type:   "bind",
+				Source: tmpNWFileMount,
+				Target: "/etc/resolv.conf",
+			},
+			{
+				Type:   "bind",
+				Source: tmpNWFileMount,
+				Target: "/etc/hostname",
+			},
+			{
+				Type:   "bind",
+				Source: tmpNWFileMount,
+				Target: "/etc/hosts",
+			},
+		},
+	}
+
+	cli, err := client.NewEnvClient()
+	assert.NilError(t, err)
+	defer cli.Close()
+
+	ctrCreate, err := cli.ContainerCreate(ctx, &config, &hostConfig, &network.NetworkingConfig{}, "")
+	assert.NilError(t, err)
+	// container will exit immediately because of no tty, but we only need the start sequence to test the condition
+	err = cli.ContainerStart(ctx, ctrCreate.ID, types.ContainerStartOptions{})
+	assert.NilError(t, err)
+
+	// Check that host-located bind mount network file did not change ownership when the container was started
+	// Note: If the user specifies a mountpath from the host, we should not be
+	// attempting to chown files outside the daemon's metadata directory
+	// (represented by `daemon.repository` at init time).
+	// This forces users who want to use user namespaces to handle the
+	// ownership needs of any external files mounted as network files
+	// (/etc/resolv.conf, /etc/hosts, /etc/hostname) separately from the
+	// daemon. In all other volume/bind mount situations we have taken this
+	// same line--we don't chown host file content.
+	// See GitHub PR 34224 for details.
+	statT, err := system.Stat(tmpNWFileMount)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(uint32(0), statT.UID()), "bind mounted network file should not change ownership from root")
+}
+
+func TestMountDaemonRoot(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux" || testEnv.IsRemoteDaemon())
+	t.Parallel()
+
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+	info, err := client.Info(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, test := range []struct {
+		desc        string
+		propagation mount.Propagation
+		expected    mount.Propagation
+	}{
+		{
+			desc:        "default",
+			propagation: "",
+			expected:    mount.PropagationRSlave,
+		},
+		{
+			desc:        "private",
+			propagation: mount.PropagationPrivate,
+		},
+		{
+			desc:        "rprivate",
+			propagation: mount.PropagationRPrivate,
+		},
+		{
+			desc:        "slave",
+			propagation: mount.PropagationSlave,
+		},
+		{
+			desc:        "rslave",
+			propagation: mount.PropagationRSlave,
+			expected:    mount.PropagationRSlave,
+		},
+		{
+			desc:        "shared",
+			propagation: mount.PropagationShared,
+		},
+		{
+			desc:        "rshared",
+			propagation: mount.PropagationRShared,
+			expected:    mount.PropagationRShared,
+		},
+	} {
+		t.Run(test.desc, func(t *testing.T) {
+			test := test
+			t.Parallel()
+
+			propagationSpec := fmt.Sprintf(":%s", test.propagation)
+			if test.propagation == "" {
+				propagationSpec = ""
+			}
+			bindSpecRoot := info.DockerRootDir + ":" + "/foo" + propagationSpec
+			bindSpecSub := filepath.Join(info.DockerRootDir, "containers") + ":/foo" + propagationSpec
+
+			for name, hc := range map[string]*container.HostConfig{
+				"bind root":    {Binds: []string{bindSpecRoot}},
+				"bind subpath": {Binds: []string{bindSpecSub}},
+				"mount root": {
+					Mounts: []mount.Mount{
+						{
+							Type:        mount.TypeBind,
+							Source:      info.DockerRootDir,
+							Target:      "/foo",
+							BindOptions: &mount.BindOptions{Propagation: test.propagation},
+						},
+					},
+				},
+				"mount subpath": {
+					Mounts: []mount.Mount{
+						{
+							Type:        mount.TypeBind,
+							Source:      filepath.Join(info.DockerRootDir, "containers"),
+							Target:      "/foo",
+							BindOptions: &mount.BindOptions{Propagation: test.propagation},
+						},
+					},
+				},
+			} {
+				t.Run(name, func(t *testing.T) {
+					hc := hc
+					t.Parallel()
+
+					c, err := client.ContainerCreate(ctx, &container.Config{
+						Image: "busybox",
+						Cmd:   []string{"true"},
+					}, hc, nil, "")
+
+					if err != nil {
+						if test.expected != "" {
+							t.Fatal(err)
+						}
+						// expected an error, so this is ok and should not continue
+						return
+					}
+					if test.expected == "" {
+						t.Fatal("expected create to fail")
+					}
+
+					defer func() {
+						if err := client.ContainerRemove(ctx, c.ID, types.ContainerRemoveOptions{Force: true}); err != nil {
+							panic(err)
+						}
+					}()
+
+					inspect, err := client.ContainerInspect(ctx, c.ID)
+					if err != nil {
+						t.Fatal(err)
+					}
+					if len(inspect.Mounts) != 1 {
+						t.Fatalf("unexpected number of mounts: %+v", inspect.Mounts)
+					}
+
+					m := inspect.Mounts[0]
+					if m.Propagation != test.expected {
+						t.Fatalf("got unexpected propagation mode, expected %q, got: %v", test.expected, m.Propagation)
+					}
+				})
+			}
+		})
+	}
+}
diff --git a/engine/integration/container/nat_test.go b/engine/integration/container/nat_test.go
new file mode 100644
index 00000000..0dbed897
--- /dev/null
+++ b/engine/integration/container/nat_test.go
@@ -0,0 +1,120 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/go-connections/nat"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestNetworkNat(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+
+	defer setupTest(t)()
+
+	msg := "it works"
+	startServerContainer(t, msg, 8080)
+
+	endpoint := getExternalAddress(t)
+	conn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", endpoint.String(), 8080))
+	assert.NilError(t, err)
+	defer conn.Close()
+
+	data, err := ioutil.ReadAll(conn)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(msg, strings.TrimSpace(string(data))))
+}
+
+func TestNetworkLocalhostTCPNat(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+
+	defer setupTest(t)()
+
+	msg := "hi yall"
+	startServerContainer(t, msg, 8081)
+
+	conn, err := net.Dial("tcp", "localhost:8081")
+	assert.NilError(t, err)
+	defer conn.Close()
+
+	data, err := ioutil.ReadAll(conn)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(msg, strings.TrimSpace(string(data))))
+}
+
+func TestNetworkLoopbackNat(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+
+	defer setupTest(t)()
+
+	msg := "it works"
+	serverContainerID := startServerContainer(t, msg, 8080)
+
+	endpoint := getExternalAddress(t)
+
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client, container.WithCmd("sh", "-c", fmt.Sprintf("stty raw && nc -w 5 %s 8080", endpoint.String())), container.WithTty(true), container.WithNetworkMode("container:"+serverContainerID))
+
+	poll.WaitOn(t, container.IsStopped(ctx, client, cID), poll.WithDelay(100*time.Millisecond))
+
+	body, err := client.ContainerLogs(ctx, cID, types.ContainerLogsOptions{
+		ShowStdout: true,
+	})
+	assert.NilError(t, err)
+	defer body.Close()
+
+	var b bytes.Buffer
+	_, err = io.Copy(&b, body)
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(msg, strings.TrimSpace(b.String())))
+}
+
+func startServerContainer(t *testing.T, msg string, port int) string {
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client, container.WithName("server-"+t.Name()), container.WithCmd("sh", "-c", fmt.Sprintf("echo %q | nc -lp %d", msg, port)), container.WithExposedPorts(fmt.Sprintf("%d/tcp", port)), func(c *container.TestContainerConfig) {
+		c.HostConfig.PortBindings = nat.PortMap{
+			nat.Port(fmt.Sprintf("%d/tcp", port)): []nat.PortBinding{
+				{
+					HostPort: fmt.Sprintf("%d", port),
+				},
+			},
+		}
+	})
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	return cID
+}
+
+func getExternalAddress(t *testing.T) net.IP {
+	iface, err := net.InterfaceByName("eth0")
+	skip.If(t, err != nil, "Test not running with `make test-integration`. Interface eth0 not found: %s", err)
+
+	ifaceAddrs, err := iface.Addrs()
+	assert.NilError(t, err)
+	assert.Check(t, 0 != len(ifaceAddrs))
+
+	ifaceIP, _, err := net.ParseCIDR(ifaceAddrs[0].String())
+	assert.NilError(t, err)
+
+	return ifaceIP
+}
diff --git a/engine/integration/container/pause_test.go b/engine/integration/container/pause_test.go
new file mode 100644
index 00000000..8dd2d784
--- /dev/null
+++ b/engine/integration/container/pause_test.go
@@ -0,0 +1,98 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"io"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestPause(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType == "windows" && testEnv.DaemonInfo.Isolation == "process")
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client)
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	since := request.DaemonUnixTime(ctx, t, client, testEnv)
+
+	err := client.ContainerPause(ctx, cID)
+	assert.NilError(t, err)
+
+	inspect, err := client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(true, inspect.State.Paused))
+
+	err = client.ContainerUnpause(ctx, cID)
+	assert.NilError(t, err)
+
+	until := request.DaemonUnixTime(ctx, t, client, testEnv)
+
+	messages, errs := client.Events(ctx, types.EventsOptions{
+		Since:   since,
+		Until:   until,
+		Filters: filters.NewArgs(filters.Arg("container", cID)),
+	})
+	assert.Check(t, is.DeepEqual([]string{"pause", "unpause"}, getEventActions(t, messages, errs)))
+}
+
+func TestPauseFailsOnWindowsServerContainers(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "windows" || testEnv.DaemonInfo.Isolation != "process")
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client)
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	err := client.ContainerPause(ctx, cID)
+	assert.Check(t, is.ErrorContains(err, "cannot pause Windows Server Containers"))
+}
+
+func TestPauseStopPausedContainer(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.31"), "broken in earlier versions")
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client)
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	err := client.ContainerPause(ctx, cID)
+	assert.NilError(t, err)
+
+	err = client.ContainerStop(ctx, cID, nil)
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, container.IsStopped(ctx, client, cID), poll.WithDelay(100*time.Millisecond))
+}
+
+func getEventActions(t *testing.T, messages <-chan events.Message, errs <-chan error) []string {
+	var actions []string
+	for {
+		select {
+		case err := <-errs:
+			assert.Check(t, err == nil || err == io.EOF)
+			return actions
+		case e := <-messages:
+			actions = append(actions, e.Status)
+		}
+	}
+}
diff --git a/engine/integration/container/ps_test.go b/engine/integration/container/ps_test.go
new file mode 100644
index 00000000..4ae07043
--- /dev/null
+++ b/engine/integration/container/ps_test.go
@@ -0,0 +1,49 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestPsFilter(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	prev := container.Create(t, ctx, client)
+	top := container.Create(t, ctx, client)
+	next := container.Create(t, ctx, client)
+
+	containerIDs := func(containers []types.Container) []string {
+		var entries []string
+		for _, container := range containers {
+			entries = append(entries, container.ID)
+		}
+		return entries
+	}
+
+	f1 := filters.NewArgs()
+	f1.Add("since", top)
+	q1, err := client.ContainerList(ctx, types.ContainerListOptions{
+		All:     true,
+		Filters: f1,
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(containerIDs(q1), next))
+
+	f2 := filters.NewArgs()
+	f2.Add("before", top)
+	q2, err := client.ContainerList(ctx, types.ContainerListOptions{
+		All:     true,
+		Filters: f2,
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(containerIDs(q2), prev))
+}
diff --git a/engine/integration/container/remove_test.go b/engine/integration/container/remove_test.go
new file mode 100644
index 00000000..5de13f22
--- /dev/null
+++ b/engine/integration/container/remove_test.go
@@ -0,0 +1,112 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/fs"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func getPrefixAndSlashFromDaemonPlatform() (prefix, slash string) {
+	if testEnv.OSType == "windows" {
+		return "c:", `\`
+	}
+	return "", "/"
+}
+
+// Test case for #5244: `docker rm` fails if bind dir doesn't exist anymore
+func TestRemoveContainerWithRemovedVolume(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+
+	tempDir := fs.NewDir(t, "test-rm-container-with-removed-volume", fs.WithMode(0755))
+	defer tempDir.Remove()
+
+	cID := container.Run(t, ctx, client, container.WithCmd("true"), container.WithBind(tempDir.Path(), prefix+slash+"test"))
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "exited"), poll.WithDelay(100*time.Millisecond))
+
+	err := os.RemoveAll(tempDir.Path())
+	assert.NilError(t, err)
+
+	err = client.ContainerRemove(ctx, cID, types.ContainerRemoveOptions{
+		RemoveVolumes: true,
+	})
+	assert.NilError(t, err)
+
+	_, _, err = client.ContainerInspectWithRaw(ctx, cID, true)
+	assert.Check(t, is.ErrorContains(err, "No such container"))
+}
+
+// Test case for #2099/#2125
+func TestRemoveContainerWithVolume(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+
+	cID := container.Run(t, ctx, client, container.WithCmd("true"), container.WithVolume(prefix+slash+"srv"))
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "exited"), poll.WithDelay(100*time.Millisecond))
+
+	insp, _, err := client.ContainerInspectWithRaw(ctx, cID, true)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(1, len(insp.Mounts)))
+	volName := insp.Mounts[0].Name
+
+	err = client.ContainerRemove(ctx, cID, types.ContainerRemoveOptions{
+		RemoveVolumes: true,
+	})
+	assert.NilError(t, err)
+
+	volumes, err := client.VolumeList(ctx, filters.NewArgs(filters.Arg("name", volName)))
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(0, len(volumes.Volumes)))
+}
+
+func TestRemoveContainerRunning(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	cID := container.Run(t, ctx, client)
+
+	err := client.ContainerRemove(ctx, cID, types.ContainerRemoveOptions{})
+	assert.Check(t, is.ErrorContains(err, "cannot remove a running container"))
+}
+
+func TestRemoveContainerForceRemoveRunning(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	cID := container.Run(t, ctx, client)
+
+	err := client.ContainerRemove(ctx, cID, types.ContainerRemoveOptions{
+		Force: true,
+	})
+	assert.NilError(t, err)
+}
+
+func TestRemoveInvalidContainer(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	err := client.ContainerRemove(ctx, "unknown", types.ContainerRemoveOptions{})
+	assert.Check(t, is.ErrorContains(err, "No such container"))
+}
diff --git a/engine/integration/container/rename_test.go b/engine/integration/container/rename_test.go
new file mode 100644
index 00000000..c3f46e10
--- /dev/null
+++ b/engine/integration/container/rename_test.go
@@ -0,0 +1,213 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/stringid"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+// This test simulates the scenario mentioned in #31392:
+// Having two linked container, renaming the target and bringing a replacement
+// and then deleting and recreating the source container linked to the new target.
+// This checks that "rename" updates source container correctly and doesn't set it to null.
+func TestRenameLinkedContainer(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.32"), "broken in earlier versions")
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	aName := "a0" + t.Name()
+	bName := "b0" + t.Name()
+	aID := container.Run(t, ctx, client, container.WithName(aName))
+	bID := container.Run(t, ctx, client, container.WithName(bName), container.WithLinks(aName))
+
+	err := client.ContainerRename(ctx, aID, "a1"+t.Name())
+	assert.NilError(t, err)
+
+	container.Run(t, ctx, client, container.WithName(aName))
+
+	err = client.ContainerRemove(ctx, bID, types.ContainerRemoveOptions{Force: true})
+	assert.NilError(t, err)
+
+	bID = container.Run(t, ctx, client, container.WithName(bName), container.WithLinks(aName))
+
+	inspect, err := client.ContainerInspect(ctx, bID)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]string{"/" + aName + ":/" + bName + "/" + aName}, inspect.HostConfig.Links))
+}
+
+func TestRenameStoppedContainer(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	oldName := "first_name" + t.Name()
+	cID := container.Run(t, ctx, client, container.WithName(oldName), container.WithCmd("sh"))
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "exited"), poll.WithDelay(100*time.Millisecond))
+
+	inspect, err := client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("/"+oldName, inspect.Name))
+
+	newName := "new_name" + stringid.GenerateNonCryptoID()
+	err = client.ContainerRename(ctx, oldName, newName)
+	assert.NilError(t, err)
+
+	inspect, err = client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("/"+newName, inspect.Name))
+}
+
+func TestRenameRunningContainerAndReuse(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	oldName := "first_name" + t.Name()
+	cID := container.Run(t, ctx, client, container.WithName(oldName))
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	newName := "new_name" + stringid.GenerateNonCryptoID()
+	err := client.ContainerRename(ctx, oldName, newName)
+	assert.NilError(t, err)
+
+	inspect, err := client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("/"+newName, inspect.Name))
+
+	_, err = client.ContainerInspect(ctx, oldName)
+	assert.Check(t, is.ErrorContains(err, "No such container: "+oldName))
+
+	cID = container.Run(t, ctx, client, container.WithName(oldName))
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	inspect, err = client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal("/"+oldName, inspect.Name))
+}
+
+func TestRenameInvalidName(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	oldName := "first_name" + t.Name()
+	cID := container.Run(t, ctx, client, container.WithName(oldName))
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	err := client.ContainerRename(ctx, oldName, "new:invalid")
+	assert.Check(t, is.ErrorContains(err, "Invalid container name"))
+
+	inspect, err := client.ContainerInspect(ctx, oldName)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(cID, inspect.ID))
+}
+
+// Test case for GitHub issue 22466
+// Docker's service discovery works for named containers so
+// ping to a named container should work, and an anonymous
+// container without a name does not work with service discovery.
+// However, an anonymous could be renamed to a named container.
+// This test is to make sure once the container has been renamed,
+// the service discovery for the (re)named container works.
+func TestRenameAnonymousContainer(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	networkName := "network1" + t.Name()
+	_, err := client.NetworkCreate(ctx, networkName, types.NetworkCreate{})
+
+	assert.NilError(t, err)
+	cID := container.Run(t, ctx, client, func(c *container.TestContainerConfig) {
+		c.NetworkingConfig.EndpointsConfig = map[string]*network.EndpointSettings{
+			networkName: {},
+		}
+		c.HostConfig.NetworkMode = containertypes.NetworkMode(networkName)
+	})
+
+	container1Name := "container1" + t.Name()
+	err = client.ContainerRename(ctx, cID, container1Name)
+	assert.NilError(t, err)
+	// Stop/Start the container to get registered
+	// FIXME(vdemeester) this is a really weird behavior as it fails otherwise
+	err = client.ContainerStop(ctx, container1Name, nil)
+	assert.NilError(t, err)
+	err = client.ContainerStart(ctx, container1Name, types.ContainerStartOptions{})
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	count := "-c"
+	if testEnv.OSType == "windows" {
+		count = "-n"
+	}
+	cID = container.Run(t, ctx, client, func(c *container.TestContainerConfig) {
+		c.NetworkingConfig.EndpointsConfig = map[string]*network.EndpointSettings{
+			networkName: {},
+		}
+		c.HostConfig.NetworkMode = containertypes.NetworkMode(networkName)
+	}, container.WithCmd("ping", count, "1", container1Name))
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "exited"), poll.WithDelay(100*time.Millisecond))
+
+	inspect, err := client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(0, inspect.State.ExitCode), "container %s exited with the wrong exitcode: %+v", cID, inspect)
+}
+
+// TODO: should be a unit test
+func TestRenameContainerWithSameName(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	oldName := "old" + t.Name()
+	cID := container.Run(t, ctx, client, container.WithName(oldName))
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+	err := client.ContainerRename(ctx, oldName, oldName)
+	assert.Check(t, is.ErrorContains(err, "Renaming a container with the same name"))
+	err = client.ContainerRename(ctx, cID, oldName)
+	assert.Check(t, is.ErrorContains(err, "Renaming a container with the same name"))
+}
+
+// Test case for GitHub issue 23973
+// When a container is being renamed, the container might
+// be linked to another container. In that case, the meta data
+// of the linked container should be updated so that the other
+// container could still reference to the container that is renamed.
+func TestRenameContainerWithLinkedContainer(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	db1Name := "db1" + t.Name()
+	db1ID := container.Run(t, ctx, client, container.WithName(db1Name))
+	poll.WaitOn(t, container.IsInState(ctx, client, db1ID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	app1Name := "app1" + t.Name()
+	app2Name := "app2" + t.Name()
+	app1ID := container.Run(t, ctx, client, container.WithName(app1Name), container.WithLinks(db1Name+":/mysql"))
+	poll.WaitOn(t, container.IsInState(ctx, client, app1ID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	err := client.ContainerRename(ctx, app1Name, app2Name)
+	assert.NilError(t, err)
+
+	inspect, err := client.ContainerInspect(ctx, app2Name+"/mysql")
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(db1ID, inspect.ID))
+}
diff --git a/engine/integration/container/resize_test.go b/engine/integration/container/resize_test.go
new file mode 100644
index 00000000..5961af0a
--- /dev/null
+++ b/engine/integration/container/resize_test.go
@@ -0,0 +1,66 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"net/http"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	req "github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestResize(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client)
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	err := client.ContainerResize(ctx, cID, types.ResizeOptions{
+		Height: 40,
+		Width:  40,
+	})
+	assert.NilError(t, err)
+}
+
+func TestResizeWithInvalidSize(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.32"), "broken in earlier versions")
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client)
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	endpoint := "/containers/" + cID + "/resize?h=foo&w=bar"
+	res, _, err := req.Post(endpoint)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(http.StatusBadRequest, res.StatusCode))
+}
+
+func TestResizeWhenContainerNotStarted(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client, container.WithCmd("echo"))
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "exited"), poll.WithDelay(100*time.Millisecond))
+
+	err := client.ContainerResize(ctx, cID, types.ResizeOptions{
+		Height: 40,
+		Width:  40,
+	})
+	assert.Check(t, is.ErrorContains(err, "is not running"))
+}
diff --git a/engine/integration/container/restart_test.go b/engine/integration/container/restart_test.go
new file mode 100644
index 00000000..69007218
--- /dev/null
+++ b/engine/integration/container/restart_test.go
@@ -0,0 +1,114 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/internal/test/daemon"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+func TestDaemonRestartKillContainers(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot start daemon on remote test run")
+	type testCase struct {
+		desc       string
+		config     *container.Config
+		hostConfig *container.HostConfig
+
+		xRunning            bool
+		xRunningLiveRestore bool
+		xStart              bool
+	}
+
+	for _, c := range []testCase{
+		{
+			desc:                "container without restart policy",
+			config:              &container.Config{Image: "busybox", Cmd: []string{"top"}},
+			xRunningLiveRestore: true,
+			xStart:              true,
+		},
+		{
+			desc:                "container with restart=always",
+			config:              &container.Config{Image: "busybox", Cmd: []string{"top"}},
+			hostConfig:          &container.HostConfig{RestartPolicy: container.RestartPolicy{Name: "always"}},
+			xRunning:            true,
+			xRunningLiveRestore: true,
+			xStart:              true,
+		},
+		{
+			desc:       "container created should not be restarted",
+			config:     &container.Config{Image: "busybox", Cmd: []string{"top"}},
+			hostConfig: &container.HostConfig{RestartPolicy: container.RestartPolicy{Name: "always"}},
+		},
+	} {
+		for _, liveRestoreEnabled := range []bool{false, true} {
+			for fnName, stopDaemon := range map[string]func(*testing.T, *daemon.Daemon){
+				"kill-daemon": func(t *testing.T, d *daemon.Daemon) {
+					err := d.Kill()
+					assert.NilError(t, err)
+				},
+				"stop-daemon": func(t *testing.T, d *daemon.Daemon) {
+					d.Stop(t)
+				},
+			} {
+				t.Run(fmt.Sprintf("live-restore=%v/%s/%s", liveRestoreEnabled, c.desc, fnName), func(t *testing.T) {
+					c := c
+					liveRestoreEnabled := liveRestoreEnabled
+					stopDaemon := stopDaemon
+
+					t.Parallel()
+
+					d := daemon.New(t)
+					client, err := d.NewClient()
+					assert.NilError(t, err)
+
+					args := []string{"--iptables=false"}
+					if liveRestoreEnabled {
+						args = append(args, "--live-restore")
+					}
+
+					d.StartWithBusybox(t, args...)
+					defer d.Stop(t)
+					ctx := context.Background()
+
+					resp, err := client.ContainerCreate(ctx, c.config, c.hostConfig, nil, "")
+					assert.NilError(t, err)
+					defer client.ContainerRemove(ctx, resp.ID, types.ContainerRemoveOptions{Force: true})
+
+					if c.xStart {
+						err = client.ContainerStart(ctx, resp.ID, types.ContainerStartOptions{})
+						assert.NilError(t, err)
+					}
+
+					stopDaemon(t, d)
+					d.Start(t, args...)
+
+					expected := c.xRunning
+					if liveRestoreEnabled {
+						expected = c.xRunningLiveRestore
+					}
+
+					var running bool
+					for i := 0; i < 30; i++ {
+						inspect, err := client.ContainerInspect(ctx, resp.ID)
+						assert.NilError(t, err)
+
+						running = inspect.State.Running
+						if running == expected {
+							break
+						}
+						time.Sleep(2 * time.Second)
+
+					}
+					assert.Equal(t, expected, running, "got unexpected running state, expected %v, got: %v", expected, running)
+					// TODO(cpuguy83): test pause states... this seems to be rather undefined currently
+				})
+			}
+		}
+	}
+}
diff --git a/engine/integration/container/stats_test.go b/engine/integration/container/stats_test.go
new file mode 100644
index 00000000..6493a305
--- /dev/null
+++ b/engine/integration/container/stats_test.go
@@ -0,0 +1,43 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestStats(t *testing.T) {
+	skip.If(t, !testEnv.DaemonInfo.MemoryLimit)
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	info, err := client.Info(ctx)
+	assert.NilError(t, err)
+
+	cID := container.Run(t, ctx, client)
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	resp, err := client.ContainerStats(ctx, cID, false)
+	assert.NilError(t, err)
+	defer resp.Body.Close()
+
+	var v *types.Stats
+	err = json.NewDecoder(resp.Body).Decode(&v)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(int64(v.MemoryStats.Limit), info.MemTotal))
+	err = json.NewDecoder(resp.Body).Decode(&v)
+	assert.Assert(t, is.ErrorContains(err, ""), io.EOF)
+}
diff --git a/engine/integration/container/stop_test.go b/engine/integration/container/stop_test.go
new file mode 100644
index 00000000..7a2fa201
--- /dev/null
+++ b/engine/integration/container/stop_test.go
@@ -0,0 +1,127 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	"gotest.tools/icmd"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestStopContainerWithRestartPolicyAlways(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	names := []string{"verifyRestart1-" + t.Name(), "verifyRestart2-" + t.Name()}
+	for _, name := range names {
+		container.Run(t, ctx, client, container.WithName(name), container.WithCmd("false"), func(c *container.TestContainerConfig) {
+			c.HostConfig.RestartPolicy.Name = "always"
+		})
+	}
+
+	for _, name := range names {
+		poll.WaitOn(t, container.IsInState(ctx, client, name, "running", "restarting"), poll.WithDelay(100*time.Millisecond))
+	}
+
+	for _, name := range names {
+		err := client.ContainerStop(ctx, name, nil)
+		assert.NilError(t, err)
+	}
+
+	for _, name := range names {
+		poll.WaitOn(t, container.IsStopped(ctx, client, name), poll.WithDelay(100*time.Millisecond))
+	}
+}
+
+// TestStopContainerWithTimeout checks that ContainerStop with
+// a timeout works as documented, i.e. in case of negative timeout
+// waiting is not limited (issue #35311).
+func TestStopContainerWithTimeout(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	testCmd := container.WithCmd("sh", "-c", "sleep 2 && exit 42")
+	testData := []struct {
+		doc              string
+		timeout          int
+		expectedExitCode int
+	}{
+		// In case container is forcefully killed, 137 is returned,
+		// otherwise the exit code from the above script
+		{
+			"zero timeout: expect forceful container kill",
+			0, 137,
+		},
+		{
+			"too small timeout: expect forceful container kill",
+			1, 137,
+		},
+		{
+			"big enough timeout: expect graceful container stop",
+			3, 42,
+		},
+		{
+			"unlimited timeout: expect graceful container stop",
+			-1, 42,
+		},
+	}
+
+	for _, d := range testData {
+		d := d
+		t.Run(strconv.Itoa(d.timeout), func(t *testing.T) {
+			t.Parallel()
+			id := container.Run(t, ctx, client, testCmd)
+
+			timeout := time.Duration(d.timeout) * time.Second
+			err := client.ContainerStop(ctx, id, &timeout)
+			assert.NilError(t, err)
+
+			poll.WaitOn(t, container.IsStopped(ctx, client, id),
+				poll.WithDelay(100*time.Millisecond))
+
+			inspect, err := client.ContainerInspect(ctx, id)
+			assert.NilError(t, err)
+			assert.Equal(t, inspect.State.ExitCode, d.expectedExitCode)
+		})
+	}
+}
+
+func TestDeleteDevicemapper(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.Driver != "devicemapper")
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot start daemon on remote test run")
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	id := container.Run(t, ctx, client, container.WithName("foo-"+t.Name()), container.WithCmd("echo"))
+
+	poll.WaitOn(t, container.IsStopped(ctx, client, id), poll.WithDelay(100*time.Millisecond))
+
+	inspect, err := client.ContainerInspect(ctx, id)
+	assert.NilError(t, err)
+
+	deviceID := inspect.GraphDriver.Data["DeviceId"]
+
+	// Find pool name from device name
+	deviceName := inspect.GraphDriver.Data["DeviceName"]
+	devicePrefix := deviceName[:strings.LastIndex(deviceName, "-")]
+	devicePool := fmt.Sprintf("/dev/mapper/%s-pool", devicePrefix)
+
+	result := icmd.RunCommand("dmsetup", "message", devicePool, "0", fmt.Sprintf("delete %s", deviceID))
+	result.Assert(t, icmd.Success)
+
+	err = client.ContainerRemove(ctx, id, types.ContainerRemoveOptions{})
+	assert.NilError(t, err)
+}
diff --git a/engine/integration/container/update_linux_test.go b/engine/integration/container/update_linux_test.go
new file mode 100644
index 00000000..0e410a14
--- /dev/null
+++ b/engine/integration/container/update_linux_test.go
@@ -0,0 +1,107 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestUpdateMemory(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+	skip.If(t, !testEnv.DaemonInfo.MemoryLimit)
+	skip.If(t, !testEnv.DaemonInfo.SwapLimit)
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client, func(c *container.TestContainerConfig) {
+		c.HostConfig.Resources = containertypes.Resources{
+			Memory: 200 * 1024 * 1024,
+		}
+	})
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "running"), poll.WithDelay(100*time.Millisecond))
+
+	const (
+		setMemory     int64 = 314572800
+		setMemorySwap int64 = 524288000
+	)
+
+	_, err := client.ContainerUpdate(ctx, cID, containertypes.UpdateConfig{
+		Resources: containertypes.Resources{
+			Memory:     setMemory,
+			MemorySwap: setMemorySwap,
+		},
+	})
+	assert.NilError(t, err)
+
+	inspect, err := client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(setMemory, inspect.HostConfig.Memory))
+	assert.Check(t, is.Equal(setMemorySwap, inspect.HostConfig.MemorySwap))
+
+	res, err := container.Exec(ctx, client, cID,
+		[]string{"cat", "/sys/fs/cgroup/memory/memory.limit_in_bytes"})
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(res.Stderr(), 0))
+	assert.Equal(t, 0, res.ExitCode)
+	assert.Check(t, is.Equal(strconv.FormatInt(setMemory, 10), strings.TrimSpace(res.Stdout())))
+
+	res, err = container.Exec(ctx, client, cID,
+		[]string{"cat", "/sys/fs/cgroup/memory/memory.memsw.limit_in_bytes"})
+	assert.NilError(t, err)
+	assert.Assert(t, is.Len(res.Stderr(), 0))
+	assert.Equal(t, 0, res.ExitCode)
+	assert.Check(t, is.Equal(strconv.FormatInt(setMemorySwap, 10), strings.TrimSpace(res.Stdout())))
+}
+
+func TestUpdateCPUQuota(t *testing.T) {
+	t.Parallel()
+
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client)
+
+	for _, test := range []struct {
+		desc   string
+		update int64
+	}{
+		{desc: "some random value", update: 15000},
+		{desc: "a higher value", update: 20000},
+		{desc: "a lower value", update: 10000},
+		{desc: "unset value", update: -1},
+	} {
+		if _, err := client.ContainerUpdate(ctx, cID, containertypes.UpdateConfig{
+			Resources: containertypes.Resources{
+				CPUQuota: test.update,
+			},
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		inspect, err := client.ContainerInspect(ctx, cID)
+		assert.NilError(t, err)
+		assert.Check(t, is.Equal(test.update, inspect.HostConfig.CPUQuota))
+
+		res, err := container.Exec(ctx, client, cID,
+			[]string{"/bin/cat", "/sys/fs/cgroup/cpu/cpu.cfs_quota_us"})
+		assert.NilError(t, err)
+		assert.Assert(t, is.Len(res.Stderr(), 0))
+		assert.Equal(t, 0, res.ExitCode)
+
+		assert.Check(t, is.Equal(strconv.FormatInt(test.update, 10), strings.TrimSpace(res.Stdout())))
+	}
+}
diff --git a/engine/integration/container/update_test.go b/engine/integration/container/update_test.go
new file mode 100644
index 00000000..0e32184d
--- /dev/null
+++ b/engine/integration/container/update_test.go
@@ -0,0 +1,64 @@
+package container // import "github.com/docker/docker/integration/container"
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+)
+
+func TestUpdateRestartPolicy(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client, container.WithCmd("sh", "-c", "sleep 1 && false"), func(c *container.TestContainerConfig) {
+		c.HostConfig.RestartPolicy = containertypes.RestartPolicy{
+			Name:              "on-failure",
+			MaximumRetryCount: 3,
+		}
+	})
+
+	_, err := client.ContainerUpdate(ctx, cID, containertypes.UpdateConfig{
+		RestartPolicy: containertypes.RestartPolicy{
+			Name:              "on-failure",
+			MaximumRetryCount: 5,
+		},
+	})
+	assert.NilError(t, err)
+
+	timeout := 60 * time.Second
+	if testEnv.OSType == "windows" {
+		timeout = 180 * time.Second
+	}
+
+	poll.WaitOn(t, container.IsInState(ctx, client, cID, "exited"), poll.WithDelay(100*time.Millisecond), poll.WithTimeout(timeout))
+
+	inspect, err := client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(inspect.RestartCount, 5))
+	assert.Check(t, is.Equal(inspect.HostConfig.RestartPolicy.MaximumRetryCount, 5))
+}
+
+func TestUpdateRestartWithAutoRemove(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID := container.Run(t, ctx, client, func(c *container.TestContainerConfig) {
+		c.HostConfig.AutoRemove = true
+	})
+
+	_, err := client.ContainerUpdate(ctx, cID, containertypes.UpdateConfig{
+		RestartPolicy: containertypes.RestartPolicy{
+			Name: "always",
+		},
+	})
+	assert.Check(t, is.ErrorContains(err, "Restart policy cannot be updated because AutoRemove is enabled for the container"))
+}
diff --git a/engine/integration/doc.go b/engine/integration/doc.go
new file mode 100644
index 00000000..ee4bf504
--- /dev/null
+++ b/engine/integration/doc.go
@@ -0,0 +1,3 @@
+// Package integration provides integrations tests for Moby (API).
+// These tests require a daemon (dockerd for now) to run.
+package integration // import "github.com/docker/docker/integration"
diff --git a/engine/integration/image/commit_test.go b/engine/integration/image/commit_test.go
new file mode 100644
index 00000000..45553912
--- /dev/null
+++ b/engine/integration/image/commit_test.go
@@ -0,0 +1,48 @@
+package image // import "github.com/docker/docker/integration/image"
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestCommitInheritsEnv(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.36"), "broken in earlier versions")
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	cID1 := container.Create(t, ctx, client)
+
+	commitResp1, err := client.ContainerCommit(ctx, cID1, types.ContainerCommitOptions{
+		Changes:   []string{"ENV PATH=/bin"},
+		Reference: "test-commit-image",
+	})
+	assert.NilError(t, err)
+
+	image1, _, err := client.ImageInspectWithRaw(ctx, commitResp1.ID)
+	assert.NilError(t, err)
+
+	expectedEnv1 := []string{"PATH=/bin"}
+	assert.Check(t, is.DeepEqual(expectedEnv1, image1.Config.Env))
+
+	cID2 := container.Create(t, ctx, client, container.WithImage(image1.ID))
+
+	commitResp2, err := client.ContainerCommit(ctx, cID2, types.ContainerCommitOptions{
+		Changes:   []string{"ENV PATH=/usr/bin:$PATH"},
+		Reference: "test-commit-image",
+	})
+	assert.NilError(t, err)
+
+	image2, _, err := client.ImageInspectWithRaw(ctx, commitResp2.ID)
+	assert.NilError(t, err)
+	expectedEnv2 := []string{"PATH=/usr/bin:/bin"}
+	assert.Check(t, is.DeepEqual(expectedEnv2, image2.Config.Env))
+}
diff --git a/engine/integration/image/import_test.go b/engine/integration/image/import_test.go
new file mode 100644
index 00000000..89dddf2c
--- /dev/null
+++ b/engine/integration/image/import_test.go
@@ -0,0 +1,42 @@
+package image // import "github.com/docker/docker/integration/image"
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"io"
+	"runtime"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/internal/testutil"
+)
+
+// Ensure we don't regress on CVE-2017-14992.
+func TestImportExtremelyLargeImageWorks(t *testing.T) {
+	if runtime.GOARCH == "arm64" {
+		t.Skip("effective test will be time out")
+	}
+
+	client := request.NewAPIClient(t)
+
+	// Construct an empty tar archive with about 8GB of junk padding at the
+	// end. This should not cause any crashes (the padding should be mostly
+	// ignored).
+	var tarBuffer bytes.Buffer
+
+	tw := tar.NewWriter(&tarBuffer)
+	if err := tw.Close(); err != nil {
+		t.Fatal(err)
+	}
+	imageRdr := io.MultiReader(&tarBuffer, io.LimitReader(testutil.DevZero, 8*1024*1024*1024))
+
+	_, err := client.ImageImport(context.Background(),
+		types.ImageImportSource{Source: imageRdr, SourceName: "-"},
+		"test1234:v42",
+		types.ImageImportOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/integration/image/main_test.go b/engine/integration/image/main_test.go
new file mode 100644
index 00000000..1b4270df
--- /dev/null
+++ b/engine/integration/image/main_test.go
@@ -0,0 +1,33 @@
+package image // import "github.com/docker/docker/integration/image"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/image/remove_test.go b/engine/integration/image/remove_test.go
new file mode 100644
index 00000000..4f9122a5
--- /dev/null
+++ b/engine/integration/image/remove_test.go
@@ -0,0 +1,59 @@
+package image // import "github.com/docker/docker/integration/image"
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestRemoveImageOrphaning(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	img := "test-container-orphaning"
+
+	// Create a container from busybox, and commit a small change so we have a new image
+	cID1 := container.Create(t, ctx, client, container.WithCmd(""))
+	commitResp1, err := client.ContainerCommit(ctx, cID1, types.ContainerCommitOptions{
+		Changes:   []string{`ENTRYPOINT ["true"]`},
+		Reference: img,
+	})
+	assert.NilError(t, err)
+
+	// verifies that reference now points to first image
+	resp, _, err := client.ImageInspectWithRaw(ctx, img)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(resp.ID, commitResp1.ID))
+
+	// Create a container from created image, and commit a small change with same reference name
+	cID2 := container.Create(t, ctx, client, container.WithImage(img), container.WithCmd(""))
+	commitResp2, err := client.ContainerCommit(ctx, cID2, types.ContainerCommitOptions{
+		Changes:   []string{`LABEL Maintainer="Integration Tests"`},
+		Reference: img,
+	})
+	assert.NilError(t, err)
+
+	// verifies that reference now points to second image
+	resp, _, err = client.ImageInspectWithRaw(ctx, img)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(resp.ID, commitResp2.ID))
+
+	// try to remove the image, should not error out.
+	_, err = client.ImageRemove(ctx, img, types.ImageRemoveOptions{})
+	assert.NilError(t, err)
+
+	// check if the first image is still there
+	resp, _, err = client.ImageInspectWithRaw(ctx, commitResp1.ID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(resp.ID, commitResp1.ID))
+
+	// check if the second image has been deleted
+	_, _, err = client.ImageInspectWithRaw(ctx, commitResp2.ID)
+	assert.Check(t, is.ErrorContains(err, "No such image:"))
+}
diff --git a/engine/integration/image/tag_test.go b/engine/integration/image/tag_test.go
new file mode 100644
index 00000000..55c3ff7b
--- /dev/null
+++ b/engine/integration/image/tag_test.go
@@ -0,0 +1,140 @@
+package image // import "github.com/docker/docker/integration/image"
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/internal/testutil"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+// tagging a named image in a new unprefixed repo should work
+func TestTagUnprefixedRepoByNameOrName(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	// By name
+	err := client.ImageTag(ctx, "busybox:latest", "testfoobarbaz")
+	assert.NilError(t, err)
+
+	// By ID
+	insp, _, err := client.ImageInspectWithRaw(ctx, "busybox")
+	assert.NilError(t, err)
+	err = client.ImageTag(ctx, insp.ID, "testfoobarbaz")
+	assert.NilError(t, err)
+}
+
+// ensure we don't allow the use of invalid repository names or tags; these tag operations should fail
+// TODO (yongtang): Migrate to unit tests
+func TestTagInvalidReference(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	invalidRepos := []string{"fo$z$", "Foo@3cc", "Foo$3", "Foo*3", "Fo^3", "Foo!3", "F)xcz(", "fo%asd", "FOO/bar"}
+
+	for _, repo := range invalidRepos {
+		err := client.ImageTag(ctx, "busybox", repo)
+		assert.Check(t, is.ErrorContains(err, "not a valid repository/tag"))
+	}
+
+	longTag := testutil.GenerateRandomAlphaOnlyString(121)
+
+	invalidTags := []string{"repo:fo$z$", "repo:Foo@3cc", "repo:Foo$3", "repo:Foo*3", "repo:Fo^3", "repo:Foo!3", "repo:%goodbye", "repo:#hashtagit", "repo:F)xcz(", "repo:-foo", "repo:..", longTag}
+
+	for _, repotag := range invalidTags {
+		err := client.ImageTag(ctx, "busybox", repotag)
+		assert.Check(t, is.ErrorContains(err, "not a valid repository/tag"))
+	}
+
+	// test repository name begin with '-'
+	err := client.ImageTag(ctx, "busybox:latest", "-busybox:test")
+	assert.Check(t, is.ErrorContains(err, "Error parsing reference"))
+
+	// test namespace name begin with '-'
+	err = client.ImageTag(ctx, "busybox:latest", "-test/busybox:test")
+	assert.Check(t, is.ErrorContains(err, "Error parsing reference"))
+
+	// test index name begin with '-'
+	err = client.ImageTag(ctx, "busybox:latest", "-index:5000/busybox:test")
+	assert.Check(t, is.ErrorContains(err, "Error parsing reference"))
+
+	// test setting tag fails
+	err = client.ImageTag(ctx, "busybox:latest", "sha256:sometag")
+	assert.Check(t, is.ErrorContains(err, "refusing to create an ambiguous tag using digest algorithm as name"))
+}
+
+// ensure we allow the use of valid tags
+func TestTagValidPrefixedRepo(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	validRepos := []string{"fooo/bar", "fooaa/test", "foooo:t", "HOSTNAME.DOMAIN.COM:443/foo/bar"}
+
+	for _, repo := range validRepos {
+		err := client.ImageTag(ctx, "busybox", repo)
+		assert.NilError(t, err)
+	}
+}
+
+// tag an image with an existed tag name without -f option should work
+func TestTagExistedNameWithoutForce(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	err := client.ImageTag(ctx, "busybox:latest", "busybox:test")
+	assert.NilError(t, err)
+}
+
+// ensure tagging using official names works
+// ensure all tags result in the same name
+func TestTagOfficialNames(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	names := []string{
+		"docker.io/busybox",
+		"index.docker.io/busybox",
+		"library/busybox",
+		"docker.io/library/busybox",
+		"index.docker.io/library/busybox",
+	}
+
+	for _, name := range names {
+		err := client.ImageTag(ctx, "busybox", name+":latest")
+		assert.NilError(t, err)
+
+		// ensure we don't have multiple tag names.
+		insp, _, err := client.ImageInspectWithRaw(ctx, "busybox")
+		assert.NilError(t, err)
+		assert.Assert(t, !is.Contains(insp.RepoTags, name)().Success())
+	}
+
+	for _, name := range names {
+		err := client.ImageTag(ctx, name+":latest", "fooo/bar:latest")
+		assert.NilError(t, err)
+	}
+}
+
+// ensure tags can not match digests
+func TestTagMatchesDigest(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	digest := "busybox@sha256:abcdef76720241213f5303bda7704ec4c2ef75613173910a56fb1b6e20251507"
+	// test setting tag fails
+	err := client.ImageTag(ctx, "busybox:latest", digest)
+	assert.Check(t, is.ErrorContains(err, "refusing to create a tag with a digest reference"))
+
+	// check that no new image matches the digest
+	_, _, err = client.ImageInspectWithRaw(ctx, digest)
+	assert.Check(t, is.ErrorContains(err, fmt.Sprintf("No such image: %s", digest)))
+}
diff --git a/engine/integration/internal/container/container.go b/engine/integration/internal/container/container.go
new file mode 100644
index 00000000..489e0715
--- /dev/null
+++ b/engine/integration/internal/container/container.go
@@ -0,0 +1,54 @@
+package container
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
+	"gotest.tools/assert"
+)
+
+// TestContainerConfig holds container configuration struct that
+// are used in api calls.
+type TestContainerConfig struct {
+	Name             string
+	Config           *container.Config
+	HostConfig       *container.HostConfig
+	NetworkingConfig *network.NetworkingConfig
+}
+
+// Create creates a container with the specified options
+func Create(t *testing.T, ctx context.Context, client client.APIClient, ops ...func(*TestContainerConfig)) string { // nolint: golint
+	t.Helper()
+	config := &TestContainerConfig{
+		Config: &container.Config{
+			Image: "busybox",
+			Cmd:   []string{"top"},
+		},
+		HostConfig:       &container.HostConfig{},
+		NetworkingConfig: &network.NetworkingConfig{},
+	}
+
+	for _, op := range ops {
+		op(config)
+	}
+
+	c, err := client.ContainerCreate(ctx, config.Config, config.HostConfig, config.NetworkingConfig, config.Name)
+	assert.NilError(t, err)
+
+	return c.ID
+}
+
+// Run creates and start a container with the specified options
+func Run(t *testing.T, ctx context.Context, client client.APIClient, ops ...func(*TestContainerConfig)) string { // nolint: golint
+	t.Helper()
+	id := Create(t, ctx, client, ops...)
+
+	err := client.ContainerStart(ctx, id, types.ContainerStartOptions{})
+	assert.NilError(t, err)
+
+	return id
+}
diff --git a/engine/integration/internal/container/exec.go b/engine/integration/internal/container/exec.go
new file mode 100644
index 00000000..55ad23ae
--- /dev/null
+++ b/engine/integration/internal/container/exec.go
@@ -0,0 +1,86 @@
+package container
+
+import (
+	"bytes"
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/stdcopy"
+)
+
+// ExecResult represents a result returned from Exec()
+type ExecResult struct {
+	ExitCode  int
+	outBuffer *bytes.Buffer
+	errBuffer *bytes.Buffer
+}
+
+// Stdout returns stdout output of a command run by Exec()
+func (res *ExecResult) Stdout() string {
+	return res.outBuffer.String()
+}
+
+// Stderr returns stderr output of a command run by Exec()
+func (res *ExecResult) Stderr() string {
+	return res.errBuffer.String()
+}
+
+// Combined returns combined stdout and stderr output of a command run by Exec()
+func (res *ExecResult) Combined() string {
+	return res.outBuffer.String() + res.errBuffer.String()
+}
+
+// Exec executes a command inside a container, returning the result
+// containing stdout, stderr, and exit code. Note:
+//  - this is a synchronous operation;
+//  - cmd stdin is closed.
+func Exec(ctx context.Context, cli client.APIClient, id string, cmd []string) (ExecResult, error) {
+	// prepare exec
+	execConfig := types.ExecConfig{
+		AttachStdout: true,
+		AttachStderr: true,
+		Cmd:          cmd,
+	}
+	cresp, err := cli.ContainerExecCreate(ctx, id, execConfig)
+	if err != nil {
+		return ExecResult{}, err
+	}
+	execID := cresp.ID
+
+	// run it, with stdout/stderr attached
+	aresp, err := cli.ContainerExecAttach(ctx, execID, types.ExecStartCheck{})
+	if err != nil {
+		return ExecResult{}, err
+	}
+	defer aresp.Close()
+
+	// read the output
+	var outBuf, errBuf bytes.Buffer
+	outputDone := make(chan error)
+
+	go func() {
+		// StdCopy demultiplexes the stream into two buffers
+		_, err = stdcopy.StdCopy(&outBuf, &errBuf, aresp.Reader)
+		outputDone <- err
+	}()
+
+	select {
+	case err := <-outputDone:
+		if err != nil {
+			return ExecResult{}, err
+		}
+		break
+
+	case <-ctx.Done():
+		return ExecResult{}, ctx.Err()
+	}
+
+	// get the exit code
+	iresp, err := cli.ContainerExecInspect(ctx, execID)
+	if err != nil {
+		return ExecResult{}, err
+	}
+
+	return ExecResult{ExitCode: iresp.ExitCode, outBuffer: &outBuf, errBuffer: &errBuf}, nil
+}
diff --git a/engine/integration/internal/container/ops.go b/engine/integration/internal/container/ops.go
new file mode 100644
index 00000000..df5598b6
--- /dev/null
+++ b/engine/integration/internal/container/ops.go
@@ -0,0 +1,136 @@
+package container
+
+import (
+	"fmt"
+
+	containertypes "github.com/docker/docker/api/types/container"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/go-connections/nat"
+)
+
+// WithName sets the name of the container
+func WithName(name string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.Name = name
+	}
+}
+
+// WithLinks sets the links of the container
+func WithLinks(links ...string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.HostConfig.Links = links
+	}
+}
+
+// WithImage sets the image of the container
+func WithImage(image string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.Config.Image = image
+	}
+}
+
+// WithCmd sets the comannds of the container
+func WithCmd(cmds ...string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.Config.Cmd = strslice.StrSlice(cmds)
+	}
+}
+
+// WithNetworkMode sets the network mode of the container
+func WithNetworkMode(mode string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.HostConfig.NetworkMode = containertypes.NetworkMode(mode)
+	}
+}
+
+// WithExposedPorts sets the exposed ports of the container
+func WithExposedPorts(ports ...string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.Config.ExposedPorts = map[nat.Port]struct{}{}
+		for _, port := range ports {
+			c.Config.ExposedPorts[nat.Port(port)] = struct{}{}
+		}
+	}
+}
+
+// WithTty sets the TTY mode of the container
+func WithTty(tty bool) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.Config.Tty = tty
+	}
+}
+
+// WithWorkingDir sets the working dir of the container
+func WithWorkingDir(dir string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.Config.WorkingDir = dir
+	}
+}
+
+// WithVolume sets the volume of the container
+func WithVolume(name string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		if c.Config.Volumes == nil {
+			c.Config.Volumes = map[string]struct{}{}
+		}
+		c.Config.Volumes[name] = struct{}{}
+	}
+}
+
+// WithBind sets the bind mount of the container
+func WithBind(src, target string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		c.HostConfig.Binds = append(c.HostConfig.Binds, fmt.Sprintf("%s:%s", src, target))
+	}
+}
+
+// WithIPv4 sets the specified ip for the specified network of the container
+func WithIPv4(network, ip string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		if c.NetworkingConfig.EndpointsConfig == nil {
+			c.NetworkingConfig.EndpointsConfig = map[string]*networktypes.EndpointSettings{}
+		}
+		if v, ok := c.NetworkingConfig.EndpointsConfig[network]; !ok || v == nil {
+			c.NetworkingConfig.EndpointsConfig[network] = &networktypes.EndpointSettings{}
+		}
+		if c.NetworkingConfig.EndpointsConfig[network].IPAMConfig == nil {
+			c.NetworkingConfig.EndpointsConfig[network].IPAMConfig = &networktypes.EndpointIPAMConfig{}
+		}
+		c.NetworkingConfig.EndpointsConfig[network].IPAMConfig.IPv4Address = ip
+	}
+}
+
+// WithIPv6 sets the specified ip6 for the specified network of the container
+func WithIPv6(network, ip string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		if c.NetworkingConfig.EndpointsConfig == nil {
+			c.NetworkingConfig.EndpointsConfig = map[string]*networktypes.EndpointSettings{}
+		}
+		if v, ok := c.NetworkingConfig.EndpointsConfig[network]; !ok || v == nil {
+			c.NetworkingConfig.EndpointsConfig[network] = &networktypes.EndpointSettings{}
+		}
+		if c.NetworkingConfig.EndpointsConfig[network].IPAMConfig == nil {
+			c.NetworkingConfig.EndpointsConfig[network].IPAMConfig = &networktypes.EndpointIPAMConfig{}
+		}
+		c.NetworkingConfig.EndpointsConfig[network].IPAMConfig.IPv6Address = ip
+	}
+}
+
+// WithLogDriver sets the log driver to use for the container
+func WithLogDriver(driver string) func(*TestContainerConfig) {
+	return func(c *TestContainerConfig) {
+		if c.HostConfig == nil {
+			c.HostConfig = &containertypes.HostConfig{}
+		}
+		c.HostConfig.LogConfig.Type = driver
+	}
+}
+
+// WithAutoRemove sets the container to be removed on exit
+func WithAutoRemove(c *TestContainerConfig) {
+	if c.HostConfig == nil {
+		c.HostConfig = &containertypes.HostConfig{}
+	}
+	c.HostConfig.AutoRemove = true
+}
diff --git a/engine/integration/internal/container/states.go b/engine/integration/internal/container/states.go
new file mode 100644
index 00000000..088407de
--- /dev/null
+++ b/engine/integration/internal/container/states.go
@@ -0,0 +1,41 @@
+package container
+
+import (
+	"context"
+	"strings"
+
+	"github.com/docker/docker/client"
+	"gotest.tools/poll"
+)
+
+// IsStopped verifies the container is in stopped state.
+func IsStopped(ctx context.Context, client client.APIClient, containerID string) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		inspect, err := client.ContainerInspect(ctx, containerID)
+
+		switch {
+		case err != nil:
+			return poll.Error(err)
+		case !inspect.State.Running:
+			return poll.Success()
+		default:
+			return poll.Continue("waiting for container to be stopped")
+		}
+	}
+}
+
+// IsInState verifies the container is in one of the specified state, e.g., "running", "exited", etc.
+func IsInState(ctx context.Context, client client.APIClient, containerID string, state ...string) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		inspect, err := client.ContainerInspect(ctx, containerID)
+		if err != nil {
+			return poll.Error(err)
+		}
+		for _, v := range state {
+			if inspect.State.Status == v {
+				return poll.Success()
+			}
+		}
+		return poll.Continue("waiting for container to be one of (%s), currently %s", strings.Join(state, ", "), inspect.State.Status)
+	}
+}
diff --git a/engine/integration/internal/network/network.go b/engine/integration/internal/network/network.go
new file mode 100644
index 00000000..9c13114f
--- /dev/null
+++ b/engine/integration/internal/network/network.go
@@ -0,0 +1,35 @@
+package network
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"gotest.tools/assert"
+)
+
+func createNetwork(ctx context.Context, client client.APIClient, name string, ops ...func(*types.NetworkCreate)) (string, error) {
+	config := types.NetworkCreate{}
+
+	for _, op := range ops {
+		op(&config)
+	}
+
+	n, err := client.NetworkCreate(ctx, name, config)
+	return n.ID, err
+}
+
+// Create creates a network with the specified options
+func Create(ctx context.Context, client client.APIClient, name string, ops ...func(*types.NetworkCreate)) (string, error) {
+	return createNetwork(ctx, client, name, ops...)
+}
+
+// CreateNoError creates a network with the specified options and verifies there were no errors
+func CreateNoError(t *testing.T, ctx context.Context, client client.APIClient, name string, ops ...func(*types.NetworkCreate)) string { // nolint: golint
+	t.Helper()
+
+	name, err := createNetwork(ctx, client, name, ops...)
+	assert.NilError(t, err)
+	return name
+}
diff --git a/engine/integration/internal/network/ops.go b/engine/integration/internal/network/ops.go
new file mode 100644
index 00000000..33bd3d05
--- /dev/null
+++ b/engine/integration/internal/network/ops.go
@@ -0,0 +1,94 @@
+package network
+
+import (
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+)
+
+// WithDriver sets the driver of the network
+func WithDriver(driver string) func(*types.NetworkCreate) {
+	return func(n *types.NetworkCreate) {
+		n.Driver = driver
+	}
+}
+
+// WithIPv6 Enables IPv6 on the network
+func WithIPv6() func(*types.NetworkCreate) {
+	return func(n *types.NetworkCreate) {
+		n.EnableIPv6 = true
+	}
+}
+
+// WithCheckDuplicate sets the CheckDuplicate field on create network request
+func WithCheckDuplicate() func(*types.NetworkCreate) {
+	return func(n *types.NetworkCreate) {
+		n.CheckDuplicate = true
+	}
+}
+
+// WithInternal enables Internal flag on the create network request
+func WithInternal() func(*types.NetworkCreate) {
+	return func(n *types.NetworkCreate) {
+		n.Internal = true
+	}
+}
+
+// WithAttachable sets Attachable flag on the create network request
+func WithAttachable() func(*types.NetworkCreate) {
+	return func(n *types.NetworkCreate) {
+		n.Attachable = true
+	}
+}
+
+// WithMacvlan sets the network as macvlan with the specified parent
+func WithMacvlan(parent string) func(*types.NetworkCreate) {
+	return func(n *types.NetworkCreate) {
+		n.Driver = "macvlan"
+		if parent != "" {
+			n.Options = map[string]string{
+				"parent": parent,
+			}
+		}
+	}
+}
+
+// WithIPvlan sets the network as ipvlan with the specified parent and mode
+func WithIPvlan(parent, mode string) func(*types.NetworkCreate) {
+	return func(n *types.NetworkCreate) {
+		n.Driver = "ipvlan"
+		if n.Options == nil {
+			n.Options = map[string]string{}
+		}
+		if parent != "" {
+			n.Options["parent"] = parent
+		}
+		if mode != "" {
+			n.Options["ipvlan_mode"] = mode
+		}
+	}
+}
+
+// WithOption adds the specified key/value pair to network's options
+func WithOption(key, value string) func(*types.NetworkCreate) {
+	return func(n *types.NetworkCreate) {
+		if n.Options == nil {
+			n.Options = map[string]string{}
+		}
+		n.Options[key] = value
+	}
+}
+
+// WithIPAM adds an IPAM with the specified Subnet and Gateway to the network
+func WithIPAM(subnet, gateway string) func(*types.NetworkCreate) {
+	return func(n *types.NetworkCreate) {
+		if n.IPAM == nil {
+			n.IPAM = &network.IPAM{}
+		}
+
+		n.IPAM.Config = append(n.IPAM.Config, network.IPAMConfig{
+			Subnet:     subnet,
+			Gateway:    gateway,
+			AuxAddress: map[string]string{},
+		})
+	}
+}
diff --git a/engine/integration/internal/requirement/requirement.go b/engine/integration/internal/requirement/requirement.go
new file mode 100644
index 00000000..004383bd
--- /dev/null
+++ b/engine/integration/internal/requirement/requirement.go
@@ -0,0 +1,53 @@
+package requirement // import "github.com/docker/docker/integration/internal/requirement"
+
+import (
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"gotest.tools/icmd"
+)
+
+// HasHubConnectivity checks to see if https://hub.docker.com is
+// accessible from the present environment
+func HasHubConnectivity(t *testing.T) bool {
+	t.Helper()
+	// Set a timeout on the GET at 15s
+	var timeout = 15 * time.Second
+	var url = "https://hub.docker.com"
+
+	client := http.Client{Timeout: timeout}
+	resp, err := client.Get(url)
+	if err != nil && strings.Contains(err.Error(), "use of closed network connection") {
+		t.Fatalf("Timeout for GET request on %s", url)
+	}
+	if resp != nil {
+		resp.Body.Close()
+	}
+	return err == nil
+}
+
+func overlayFSSupported() bool {
+	result := icmd.RunCommand("/bin/sh", "-c", "cat /proc/filesystems")
+	if result.Error != nil {
+		return false
+	}
+	return strings.Contains(result.Combined(), "overlay\n")
+}
+
+// Overlay2Supported returns true if the current system supports overlay2 as graphdriver
+func Overlay2Supported(kernelVersion string) bool {
+	if !overlayFSSupported() {
+		return false
+	}
+
+	daemonV, err := kernel.ParseRelease(kernelVersion)
+	if err != nil {
+		return false
+	}
+	requiredV := kernel.VersionInfo{Kernel: 4}
+	return kernel.CompareKernelVersion(*daemonV, requiredV) > -1
+
+}
diff --git a/engine/integration/internal/swarm/service.go b/engine/integration/internal/swarm/service.go
new file mode 100644
index 00000000..d8b16224
--- /dev/null
+++ b/engine/integration/internal/swarm/service.go
@@ -0,0 +1,200 @@
+package swarm
+
+import (
+	"context"
+	"runtime"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/internal/test/environment"
+	"gotest.tools/assert"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+// ServicePoll tweaks the pollSettings for `service`
+func ServicePoll(config *poll.Settings) {
+	// Override the default pollSettings for `service` resource here ...
+	config.Timeout = 30 * time.Second
+	config.Delay = 100 * time.Millisecond
+	if runtime.GOARCH == "arm64" || runtime.GOARCH == "arm" {
+		config.Timeout = 90 * time.Second
+	}
+}
+
+// NetworkPoll tweaks the pollSettings for `network`
+func NetworkPoll(config *poll.Settings) {
+	// Override the default pollSettings for `network` resource here ...
+	config.Timeout = 30 * time.Second
+	config.Delay = 100 * time.Millisecond
+
+	if runtime.GOARCH == "arm64" || runtime.GOARCH == "arm" {
+		config.Timeout = 50 * time.Second
+	}
+}
+
+// ContainerPoll tweaks the pollSettings for `container`
+func ContainerPoll(config *poll.Settings) {
+	// Override the default pollSettings for `container` resource here ...
+
+	if runtime.GOARCH == "arm64" || runtime.GOARCH == "arm" {
+		config.Timeout = 30 * time.Second
+		config.Delay = 100 * time.Millisecond
+	}
+}
+
+// NewSwarm creates a swarm daemon for testing
+func NewSwarm(t *testing.T, testEnv *environment.Execution, ops ...func(*daemon.Daemon)) *daemon.Daemon {
+	t.Helper()
+	skip.If(t, testEnv.IsRemoteDaemon)
+	if testEnv.DaemonInfo.ExperimentalBuild {
+		ops = append(ops, daemon.WithExperimental)
+	}
+	d := daemon.New(t, ops...)
+	d.StartAndSwarmInit(t)
+	return d
+}
+
+// ServiceSpecOpt is used with `CreateService` to pass in service spec modifiers
+type ServiceSpecOpt func(*swarmtypes.ServiceSpec)
+
+// CreateService creates a service on the passed in swarm daemon.
+func CreateService(t *testing.T, d *daemon.Daemon, opts ...ServiceSpecOpt) string {
+	t.Helper()
+	spec := defaultServiceSpec()
+	for _, o := range opts {
+		o(&spec)
+	}
+
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	resp, err := client.ServiceCreate(context.Background(), spec, types.ServiceCreateOptions{})
+	assert.NilError(t, err, "error creating service")
+	return resp.ID
+}
+
+func defaultServiceSpec() swarmtypes.ServiceSpec {
+	var spec swarmtypes.ServiceSpec
+	ServiceWithImage("busybox:latest")(&spec)
+	ServiceWithCommand([]string{"/bin/top"})(&spec)
+	ServiceWithReplicas(1)(&spec)
+	return spec
+}
+
+// ServiceWithInit sets whether the service should use init or not
+func ServiceWithInit(b *bool) func(*swarmtypes.ServiceSpec) {
+	return func(spec *swarmtypes.ServiceSpec) {
+		ensureContainerSpec(spec)
+		spec.TaskTemplate.ContainerSpec.Init = b
+	}
+}
+
+// ServiceWithImage sets the image to use for the service
+func ServiceWithImage(image string) func(*swarmtypes.ServiceSpec) {
+	return func(spec *swarmtypes.ServiceSpec) {
+		ensureContainerSpec(spec)
+		spec.TaskTemplate.ContainerSpec.Image = image
+	}
+}
+
+// ServiceWithCommand sets the command to use for the service
+func ServiceWithCommand(cmd []string) ServiceSpecOpt {
+	return func(spec *swarmtypes.ServiceSpec) {
+		ensureContainerSpec(spec)
+		spec.TaskTemplate.ContainerSpec.Command = cmd
+	}
+}
+
+// ServiceWithConfig adds the config reference to the service
+func ServiceWithConfig(configRef *swarmtypes.ConfigReference) ServiceSpecOpt {
+	return func(spec *swarmtypes.ServiceSpec) {
+		ensureContainerSpec(spec)
+		spec.TaskTemplate.ContainerSpec.Configs = append(spec.TaskTemplate.ContainerSpec.Configs, configRef)
+	}
+}
+
+// ServiceWithSecret adds the secret reference to the service
+func ServiceWithSecret(secretRef *swarmtypes.SecretReference) ServiceSpecOpt {
+	return func(spec *swarmtypes.ServiceSpec) {
+		ensureContainerSpec(spec)
+		spec.TaskTemplate.ContainerSpec.Secrets = append(spec.TaskTemplate.ContainerSpec.Secrets, secretRef)
+	}
+}
+
+// ServiceWithReplicas sets the replicas for the service
+func ServiceWithReplicas(n uint64) ServiceSpecOpt {
+	return func(spec *swarmtypes.ServiceSpec) {
+		spec.Mode = swarmtypes.ServiceMode{
+			Replicated: &swarmtypes.ReplicatedService{
+				Replicas: &n,
+			},
+		}
+	}
+}
+
+// ServiceWithName sets the name of the service
+func ServiceWithName(name string) ServiceSpecOpt {
+	return func(spec *swarmtypes.ServiceSpec) {
+		spec.Annotations.Name = name
+	}
+}
+
+// ServiceWithNetwork sets the network of the service
+func ServiceWithNetwork(network string) ServiceSpecOpt {
+	return func(spec *swarmtypes.ServiceSpec) {
+		spec.TaskTemplate.Networks = append(spec.TaskTemplate.Networks,
+			swarmtypes.NetworkAttachmentConfig{Target: network})
+	}
+}
+
+// ServiceWithEndpoint sets the Endpoint of the service
+func ServiceWithEndpoint(endpoint *swarmtypes.EndpointSpec) ServiceSpecOpt {
+	return func(spec *swarmtypes.ServiceSpec) {
+		spec.EndpointSpec = endpoint
+	}
+}
+
+// GetRunningTasks gets the list of running tasks for a service
+func GetRunningTasks(t *testing.T, d *daemon.Daemon, serviceID string) []swarmtypes.Task {
+	t.Helper()
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	filterArgs := filters.NewArgs()
+	filterArgs.Add("desired-state", "running")
+	filterArgs.Add("service", serviceID)
+
+	options := types.TaskListOptions{
+		Filters: filterArgs,
+	}
+	tasks, err := client.TaskList(context.Background(), options)
+	assert.NilError(t, err)
+	return tasks
+}
+
+// ExecTask runs the passed in exec config on the given task
+func ExecTask(t *testing.T, d *daemon.Daemon, task swarmtypes.Task, config types.ExecConfig) types.HijackedResponse {
+	t.Helper()
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	ctx := context.Background()
+	resp, err := client.ContainerExecCreate(ctx, task.Status.ContainerStatus.ContainerID, config)
+	assert.NilError(t, err, "error creating exec")
+
+	startCheck := types.ExecStartCheck{}
+	attach, err := client.ContainerExecAttach(ctx, resp.ID, startCheck)
+	assert.NilError(t, err, "error attaching to exec")
+	return attach
+}
+
+func ensureContainerSpec(spec *swarmtypes.ServiceSpec) {
+	if spec.TaskTemplate.ContainerSpec == nil {
+		spec.TaskTemplate.ContainerSpec = &swarmtypes.ContainerSpec{}
+	}
+}
diff --git a/engine/integration/network/delete_test.go b/engine/integration/network/delete_test.go
new file mode 100644
index 00000000..c9099f48
--- /dev/null
+++ b/engine/integration/network/delete_test.go
@@ -0,0 +1,91 @@
+package network // import "github.com/docker/docker/integration/network"
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration/internal/network"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func containsNetwork(nws []types.NetworkResource, networkID string) bool {
+	for _, n := range nws {
+		if n.ID == networkID {
+			return true
+		}
+	}
+	return false
+}
+
+// createAmbiguousNetworks creates three networks, of which the second network
+// uses a prefix of the first network's ID as name. The third network uses the
+// first network's ID as name.
+//
+// After successful creation, properties of all three networks is returned
+func createAmbiguousNetworks(t *testing.T) (string, string, string) {
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	testNet := network.CreateNoError(t, ctx, client, "testNet")
+	idPrefixNet := network.CreateNoError(t, ctx, client, testNet[:12])
+	fullIDNet := network.CreateNoError(t, ctx, client, testNet)
+
+	nws, err := client.NetworkList(ctx, types.NetworkListOptions{})
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(true, containsNetwork(nws, testNet)), "failed to create network testNet")
+	assert.Check(t, is.Equal(true, containsNetwork(nws, idPrefixNet)), "failed to create network idPrefixNet")
+	assert.Check(t, is.Equal(true, containsNetwork(nws, fullIDNet)), "failed to create network fullIDNet")
+	return testNet, idPrefixNet, fullIDNet
+}
+
+func TestNetworkCreateDelete(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	netName := "testnetwork_" + t.Name()
+	network.CreateNoError(t, ctx, client, netName,
+		network.WithCheckDuplicate(),
+	)
+	assert.Check(t, IsNetworkAvailable(client, netName))
+
+	// delete the network and make sure it is deleted
+	err := client.NetworkRemove(ctx, netName)
+	assert.NilError(t, err)
+	assert.Check(t, IsNetworkNotAvailable(client, netName))
+}
+
+// TestDockerNetworkDeletePreferID tests that if a network with a name
+// equal to another network's ID exists, the Network with the given
+// ID is removed, and not the network with the given name.
+func TestDockerNetworkDeletePreferID(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.34"), "broken in earlier versions")
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+	testNet, idPrefixNet, fullIDNet := createAmbiguousNetworks(t)
+
+	// Delete the network using a prefix of the first network's ID as name.
+	// This should the network name with the id-prefix, not the original network.
+	err := client.NetworkRemove(ctx, testNet[:12])
+	assert.NilError(t, err)
+
+	// Delete the network using networkID. This should remove the original
+	// network, not the network with the name equal to the networkID
+	err = client.NetworkRemove(ctx, testNet)
+	assert.NilError(t, err)
+
+	// networks "testNet" and "idPrefixNet" should be removed, but "fullIDNet" should still exist
+	nws, err := client.NetworkList(ctx, types.NetworkListOptions{})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(false, containsNetwork(nws, testNet)), "Network testNet not removed")
+	assert.Check(t, is.Equal(false, containsNetwork(nws, idPrefixNet)), "Network idPrefixNet not removed")
+	assert.Check(t, is.Equal(true, containsNetwork(nws, fullIDNet)), "Network fullIDNet not found")
+}
diff --git a/engine/integration/network/helpers.go b/engine/integration/network/helpers.go
new file mode 100644
index 00000000..c0d70a16
--- /dev/null
+++ b/engine/integration/network/helpers.go
@@ -0,0 +1,85 @@
+package network
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/parsers/kernel"
+	"gotest.tools/assert/cmp"
+	"gotest.tools/icmd"
+)
+
+// CreateMasterDummy creates a dummy network interface
+func CreateMasterDummy(t *testing.T, master string) {
+	// ip link add <dummy_name> type dummy
+	icmd.RunCommand("ip", "link", "add", master, "type", "dummy").Assert(t, icmd.Success)
+	icmd.RunCommand("ip", "link", "set", master, "up").Assert(t, icmd.Success)
+}
+
+// CreateVlanInterface creates a vlan network interface
+func CreateVlanInterface(t *testing.T, master, slave, id string) {
+	// ip link add link <master> name <master>.<VID> type vlan id <VID>
+	icmd.RunCommand("ip", "link", "add", "link", master, "name", slave, "type", "vlan", "id", id).Assert(t, icmd.Success)
+	// ip link set <sub_interface_name> up
+	icmd.RunCommand("ip", "link", "set", slave, "up").Assert(t, icmd.Success)
+}
+
+// DeleteInterface deletes a network interface
+func DeleteInterface(t *testing.T, ifName string) {
+	icmd.RunCommand("ip", "link", "delete", ifName).Assert(t, icmd.Success)
+	icmd.RunCommand("iptables", "-t", "nat", "--flush").Assert(t, icmd.Success)
+	icmd.RunCommand("iptables", "--flush").Assert(t, icmd.Success)
+}
+
+// LinkExists verifies that a link exists
+func LinkExists(t *testing.T, master string) {
+	// verify the specified link exists, ip link show <link_name>
+	icmd.RunCommand("ip", "link", "show", master).Assert(t, icmd.Success)
+}
+
+// IsNetworkAvailable provides a comparison to check if a docker network is available
+func IsNetworkAvailable(c client.NetworkAPIClient, name string) cmp.Comparison {
+	return func() cmp.Result {
+		networks, err := c.NetworkList(context.Background(), types.NetworkListOptions{})
+		if err != nil {
+			return cmp.ResultFromError(err)
+		}
+		for _, network := range networks {
+			if network.Name == name {
+				return cmp.ResultSuccess
+			}
+		}
+		return cmp.ResultFailure(fmt.Sprintf("could not find network %s", name))
+	}
+}
+
+// IsNetworkNotAvailable provides a comparison to check if a docker network is not available
+func IsNetworkNotAvailable(c client.NetworkAPIClient, name string) cmp.Comparison {
+	return func() cmp.Result {
+		networks, err := c.NetworkList(context.Background(), types.NetworkListOptions{})
+		if err != nil {
+			return cmp.ResultFromError(err)
+		}
+		for _, network := range networks {
+			if network.Name == name {
+				return cmp.ResultFailure(fmt.Sprintf("network %s is still present", name))
+			}
+		}
+		return cmp.ResultSuccess
+	}
+}
+
+// CheckKernelMajorVersionGreaterOrEqualThen returns whether the kernel version is greater or equal than the one provided
+func CheckKernelMajorVersionGreaterOrEqualThen(kernelVersion int, majorVersion int) bool {
+	kv, err := kernel.GetKernelVersion()
+	if err != nil {
+		return false
+	}
+	if kv.Kernel < kernelVersion || (kv.Kernel == kernelVersion && kv.Major < majorVersion) {
+		return false
+	}
+	return true
+}
diff --git a/engine/integration/network/inspect_test.go b/engine/integration/network/inspect_test.go
new file mode 100644
index 00000000..815ffb4c
--- /dev/null
+++ b/engine/integration/network/inspect_test.go
@@ -0,0 +1,177 @@
+package network // import "github.com/docker/docker/integration/network"
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/network"
+	"github.com/docker/docker/integration/internal/swarm"
+	"gotest.tools/assert"
+	"gotest.tools/poll"
+)
+
+const defaultSwarmPort = 2477
+
+func TestInspectNetwork(t *testing.T) {
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	overlayName := "overlay1"
+	overlayID := network.CreateNoError(t, context.Background(), client, overlayName,
+		network.WithDriver("overlay"),
+		network.WithCheckDuplicate(),
+	)
+
+	var instances uint64 = 4
+	serviceName := "TestService" + t.Name()
+
+	serviceID := swarm.CreateService(t, d,
+		swarm.ServiceWithReplicas(instances),
+		swarm.ServiceWithName(serviceName),
+		swarm.ServiceWithNetwork(overlayName),
+	)
+
+	poll.WaitOn(t, serviceRunningTasksCount(client, serviceID, instances), swarm.ServicePoll)
+
+	_, _, err := client.ServiceInspectWithRaw(context.Background(), serviceID, types.ServiceInspectOptions{})
+	assert.NilError(t, err)
+
+	// Test inspect verbose with full NetworkID
+	networkVerbose, err := client.NetworkInspect(context.Background(), overlayID, types.NetworkInspectOptions{
+		Verbose: true,
+	})
+	assert.NilError(t, err)
+	assert.Assert(t, validNetworkVerbose(networkVerbose, serviceName, instances))
+
+	// Test inspect verbose with partial NetworkID
+	networkVerbose, err = client.NetworkInspect(context.Background(), overlayID[0:11], types.NetworkInspectOptions{
+		Verbose: true,
+	})
+	assert.NilError(t, err)
+	assert.Assert(t, validNetworkVerbose(networkVerbose, serviceName, instances))
+
+	// Test inspect verbose with Network name and swarm scope
+	networkVerbose, err = client.NetworkInspect(context.Background(), overlayName, types.NetworkInspectOptions{
+		Verbose: true,
+		Scope:   "swarm",
+	})
+	assert.NilError(t, err)
+	assert.Assert(t, validNetworkVerbose(networkVerbose, serviceName, instances))
+
+	err = client.ServiceRemove(context.Background(), serviceID)
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, serviceIsRemoved(client, serviceID), swarm.ServicePoll)
+	poll.WaitOn(t, noTasks(client), swarm.ServicePoll)
+
+	serviceID2 := swarm.CreateService(t, d,
+		swarm.ServiceWithReplicas(instances),
+		swarm.ServiceWithName(serviceName),
+		swarm.ServiceWithNetwork(overlayName),
+	)
+
+	poll.WaitOn(t, serviceRunningTasksCount(client, serviceID2, instances), swarm.ServicePoll)
+
+	err = client.ServiceRemove(context.Background(), serviceID2)
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, serviceIsRemoved(client, serviceID2), swarm.ServicePoll)
+	poll.WaitOn(t, noTasks(client), swarm.ServicePoll)
+
+	err = client.NetworkRemove(context.Background(), overlayID)
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, networkIsRemoved(client, overlayID), poll.WithTimeout(1*time.Minute), poll.WithDelay(10*time.Second))
+}
+
+func serviceRunningTasksCount(client client.ServiceAPIClient, serviceID string, instances uint64) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		filter := filters.NewArgs()
+		filter.Add("service", serviceID)
+		tasks, err := client.TaskList(context.Background(), types.TaskListOptions{
+			Filters: filter,
+		})
+		switch {
+		case err != nil:
+			return poll.Error(err)
+		case len(tasks) == int(instances):
+			for _, task := range tasks {
+				if task.Status.State != swarmtypes.TaskStateRunning {
+					return poll.Continue("waiting for tasks to enter run state")
+				}
+			}
+			return poll.Success()
+		default:
+			return poll.Continue("task count at %d waiting for %d", len(tasks), instances)
+		}
+	}
+}
+
+func networkIsRemoved(client client.NetworkAPIClient, networkID string) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		_, err := client.NetworkInspect(context.Background(), networkID, types.NetworkInspectOptions{})
+		if err == nil {
+			return poll.Continue("waiting for network %s to be removed", networkID)
+		}
+		return poll.Success()
+	}
+}
+
+func serviceIsRemoved(client client.ServiceAPIClient, serviceID string) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		filter := filters.NewArgs()
+		filter.Add("service", serviceID)
+		_, err := client.TaskList(context.Background(), types.TaskListOptions{
+			Filters: filter,
+		})
+		if err == nil {
+			return poll.Continue("waiting for service %s to be deleted", serviceID)
+		}
+		return poll.Success()
+	}
+}
+
+func noTasks(client client.ServiceAPIClient) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		filter := filters.NewArgs()
+		tasks, err := client.TaskList(context.Background(), types.TaskListOptions{
+			Filters: filter,
+		})
+		switch {
+		case err != nil:
+			return poll.Error(err)
+		case len(tasks) == 0:
+			return poll.Success()
+		default:
+			return poll.Continue("task count at %d waiting for 0", len(tasks))
+		}
+	}
+}
+
+// Check to see if Service and Tasks info are part of the inspect verbose response
+func validNetworkVerbose(network types.NetworkResource, service string, instances uint64) bool {
+	if service, ok := network.Services[service]; ok {
+		if len(service.Tasks) != int(instances) {
+			return false
+		}
+	}
+
+	if network.IPAM.Config == nil {
+		return false
+	}
+
+	for _, cfg := range network.IPAM.Config {
+		if cfg.Gateway == "" || cfg.Subnet == "" {
+			return false
+		}
+	}
+	return true
+}
diff --git a/engine/integration/network/ipvlan/ipvlan_test.go b/engine/integration/network/ipvlan/ipvlan_test.go
new file mode 100644
index 00000000..3da255e7
--- /dev/null
+++ b/engine/integration/network/ipvlan/ipvlan_test.go
@@ -0,0 +1,432 @@
+package ipvlan
+
+import (
+	"context"
+	"strings"
+	"testing"
+	"time"
+
+	dclient "github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/container"
+	net "github.com/docker/docker/integration/internal/network"
+	n "github.com/docker/docker/integration/network"
+	"github.com/docker/docker/internal/test/daemon"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+func TestDockerNetworkIpvlanPersistance(t *testing.T) {
+	// verify the driver automatically provisions the 802.1q link (di-dummy0.70)
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+	skip.If(t, testEnv.IsRemoteDaemon())
+	skip.If(t, !ipvlanKernelSupport(), "Kernel doesn't support ipvlan")
+
+	d := daemon.New(t, daemon.WithExperimental)
+	d.StartWithBusybox(t)
+	defer d.Stop(t)
+
+	// master dummy interface 'di' notation represent 'docker ipvlan'
+	master := "di-dummy0"
+	n.CreateMasterDummy(t, master)
+	defer n.DeleteInterface(t, master)
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	// create a network specifying the desired sub-interface name
+	netName := "di-persist"
+	net.CreateNoError(t, context.Background(), client, netName,
+		net.WithIPvlan("di-dummy0.70", ""),
+	)
+
+	assert.Check(t, n.IsNetworkAvailable(client, netName))
+	// Restart docker daemon to test the config has persisted to disk
+	d.Restart(t)
+	assert.Check(t, n.IsNetworkAvailable(client, netName))
+}
+
+func TestDockerNetworkIpvlan(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+	skip.If(t, testEnv.IsRemoteDaemon())
+	skip.If(t, !ipvlanKernelSupport(), "Kernel doesn't support ipvlan")
+
+	for _, tc := range []struct {
+		name string
+		test func(dclient.APIClient) func(*testing.T)
+	}{
+		{
+			name: "Subinterface",
+			test: testIpvlanSubinterface,
+		}, {
+			name: "OverlapParent",
+			test: testIpvlanOverlapParent,
+		}, {
+			name: "L2NilParent",
+			test: testIpvlanL2NilParent,
+		}, {
+			name: "L2InternalMode",
+			test: testIpvlanL2InternalMode,
+		}, {
+			name: "L3NilParent",
+			test: testIpvlanL3NilParent,
+		}, {
+			name: "L3InternalMode",
+			test: testIpvlanL3InternalMode,
+		}, {
+			name: "L2MultiSubnet",
+			test: testIpvlanL2MultiSubnet,
+		}, {
+			name: "L3MultiSubnet",
+			test: testIpvlanL3MultiSubnet,
+		}, {
+			name: "Addressing",
+			test: testIpvlanAddressing,
+		},
+	} {
+		d := daemon.New(t, daemon.WithExperimental)
+		d.StartWithBusybox(t)
+
+		client, err := d.NewClient()
+		assert.NilError(t, err)
+
+		t.Run(tc.name, tc.test(client))
+
+		d.Stop(t)
+		// FIXME(vdemeester) clean network
+	}
+}
+
+func testIpvlanSubinterface(client dclient.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		master := "di-dummy0"
+		n.CreateMasterDummy(t, master)
+		defer n.DeleteInterface(t, master)
+
+		netName := "di-subinterface"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithIPvlan("di-dummy0.60", ""),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		// delete the network while preserving the parent link
+		err := client.NetworkRemove(context.Background(), netName)
+		assert.NilError(t, err)
+
+		assert.Check(t, n.IsNetworkNotAvailable(client, netName))
+		// verify the network delete did not delete the predefined link
+		n.LinkExists(t, "di-dummy0")
+	}
+}
+
+func testIpvlanOverlapParent(client dclient.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		// verify the same parent interface cannot be used if already in use by an existing network
+		master := "di-dummy0"
+		parent := master + ".30"
+		n.CreateMasterDummy(t, master)
+		defer n.DeleteInterface(t, master)
+		n.CreateVlanInterface(t, master, parent, "30")
+
+		netName := "di-subinterface"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithIPvlan(parent, ""),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		_, err := net.Create(context.Background(), client, netName,
+			net.WithIPvlan(parent, ""),
+		)
+		// verify that the overlap returns an error
+		assert.Check(t, err != nil)
+	}
+}
+
+func testIpvlanL2NilParent(client dclient.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		// ipvlan l2 mode - dummy parent interface is provisioned dynamically
+		netName := "di-nil-parent"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithIPvlan("", ""),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client, container.WithNetworkMode(netName))
+		id2 := container.Run(t, ctx, client, container.WithNetworkMode(netName))
+
+		_, err := container.Exec(ctx, client, id2, []string{"ping", "-c", "1", id1})
+		assert.NilError(t, err)
+	}
+}
+
+func testIpvlanL2InternalMode(client dclient.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		netName := "di-internal"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithIPvlan("", ""),
+			net.WithInternal(),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client, container.WithNetworkMode(netName))
+		id2 := container.Run(t, ctx, client, container.WithNetworkMode(netName))
+
+		timeoutCtx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+		defer cancel()
+		_, err := container.Exec(timeoutCtx, client, id1, []string{"ping", "-c", "1", "-w", "1", "8.8.8.8"})
+		// FIXME(vdemeester) check the time of error ?
+		assert.Check(t, err != nil)
+		assert.Check(t, timeoutCtx.Err() == context.DeadlineExceeded)
+
+		_, err = container.Exec(ctx, client, id2, []string{"ping", "-c", "1", id1})
+		assert.NilError(t, err)
+	}
+}
+
+func testIpvlanL3NilParent(client dclient.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		netName := "di-nil-parent-l3"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithIPvlan("", "l3"),
+			net.WithIPAM("172.28.230.0/24", ""),
+			net.WithIPAM("172.28.220.0/24", ""),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.220.10"),
+		)
+		id2 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.230.10"),
+		)
+
+		_, err := container.Exec(ctx, client, id2, []string{"ping", "-c", "1", id1})
+		assert.NilError(t, err)
+	}
+}
+
+func testIpvlanL3InternalMode(client dclient.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		netName := "di-internal-l3"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithIPvlan("", "l3"),
+			net.WithInternal(),
+			net.WithIPAM("172.28.230.0/24", ""),
+			net.WithIPAM("172.28.220.0/24", ""),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.220.10"),
+		)
+		id2 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.230.10"),
+		)
+
+		timeoutCtx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+		defer cancel()
+		_, err := container.Exec(timeoutCtx, client, id1, []string{"ping", "-c", "1", "-w", "1", "8.8.8.8"})
+		// FIXME(vdemeester) check the time of error ?
+		assert.Check(t, err != nil)
+		assert.Check(t, timeoutCtx.Err() == context.DeadlineExceeded)
+
+		_, err = container.Exec(ctx, client, id2, []string{"ping", "-c", "1", id1})
+		assert.NilError(t, err)
+	}
+}
+
+func testIpvlanL2MultiSubnet(client dclient.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		netName := "dualstackl2"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithIPvlan("", ""),
+			net.WithIPv6(),
+			net.WithIPAM("172.28.200.0/24", ""),
+			net.WithIPAM("172.28.202.0/24", "172.28.202.254"),
+			net.WithIPAM("2001:db8:abc8::/64", ""),
+			net.WithIPAM("2001:db8:abc6::/64", "2001:db8:abc6::254"),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		// start dual stack containers and verify the user specified --ip and --ip6 addresses on subnets 172.28.100.0/24 and 2001:db8:abc2::/64
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.200.20"),
+			container.WithIPv6(netName, "2001:db8:abc8::20"),
+		)
+		id2 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.200.21"),
+			container.WithIPv6(netName, "2001:db8:abc8::21"),
+		)
+		c1, err := client.ContainerInspect(ctx, id1)
+		assert.NilError(t, err)
+
+		// verify ipv4 connectivity to the explicit --ipv address second to first
+		_, err = container.Exec(ctx, client, id2, []string{"ping", "-c", "1", c1.NetworkSettings.Networks[netName].IPAddress})
+		assert.NilError(t, err)
+		// verify ipv6 connectivity to the explicit --ipv6 address second to first
+		_, err = container.Exec(ctx, client, id2, []string{"ping6", "-c", "1", c1.NetworkSettings.Networks[netName].GlobalIPv6Address})
+		assert.NilError(t, err)
+
+		// start dual stack containers and verify the user specified --ip and --ip6 addresses on subnets 172.28.102.0/24 and 2001:db8:abc4::/64
+		id3 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.202.20"),
+			container.WithIPv6(netName, "2001:db8:abc6::20"),
+		)
+		id4 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.202.21"),
+			container.WithIPv6(netName, "2001:db8:abc6::21"),
+		)
+		c3, err := client.ContainerInspect(ctx, id3)
+		assert.NilError(t, err)
+
+		// verify ipv4 connectivity to the explicit --ipv address from third to fourth
+		_, err = container.Exec(ctx, client, id4, []string{"ping", "-c", "1", c3.NetworkSettings.Networks[netName].IPAddress})
+		assert.NilError(t, err)
+		// verify ipv6 connectivity to the explicit --ipv6 address from third to fourth
+		_, err = container.Exec(ctx, client, id4, []string{"ping6", "-c", "1", c3.NetworkSettings.Networks[netName].GlobalIPv6Address})
+		assert.NilError(t, err)
+
+		// Inspect the v4 gateway to ensure the proper default GW was assigned
+		assert.Equal(t, c1.NetworkSettings.Networks[netName].Gateway, "172.28.200.1")
+		// Inspect the v6 gateway to ensure the proper default GW was assigned
+		assert.Equal(t, c1.NetworkSettings.Networks[netName].IPv6Gateway, "2001:db8:abc8::1")
+		// Inspect the v4 gateway to ensure the proper explicitly assigned default GW was assigned
+		assert.Equal(t, c3.NetworkSettings.Networks[netName].Gateway, "172.28.202.254")
+		// Inspect the v6 gateway to ensure the proper explicitly assigned default GW was assigned
+		assert.Equal(t, c3.NetworkSettings.Networks[netName].IPv6Gateway, "2001:db8:abc6::254")
+	}
+}
+
+func testIpvlanL3MultiSubnet(client dclient.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		netName := "dualstackl3"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithIPvlan("", "l3"),
+			net.WithIPv6(),
+			net.WithIPAM("172.28.10.0/24", ""),
+			net.WithIPAM("172.28.12.0/24", "172.28.12.254"),
+			net.WithIPAM("2001:db8:abc9::/64", ""),
+			net.WithIPAM("2001:db8:abc7::/64", "2001:db8:abc7::254"),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		// start dual stack containers and verify the user specified --ip and --ip6 addresses on subnets 172.28.100.0/24 and 2001:db8:abc2::/64
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.10.20"),
+			container.WithIPv6(netName, "2001:db8:abc9::20"),
+		)
+		id2 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.10.21"),
+			container.WithIPv6(netName, "2001:db8:abc9::21"),
+		)
+		c1, err := client.ContainerInspect(ctx, id1)
+		assert.NilError(t, err)
+
+		// verify ipv4 connectivity to the explicit --ipv address second to first
+		_, err = container.Exec(ctx, client, id2, []string{"ping", "-c", "1", c1.NetworkSettings.Networks[netName].IPAddress})
+		assert.NilError(t, err)
+		// verify ipv6 connectivity to the explicit --ipv6 address second to first
+		_, err = container.Exec(ctx, client, id2, []string{"ping6", "-c", "1", c1.NetworkSettings.Networks[netName].GlobalIPv6Address})
+		assert.NilError(t, err)
+
+		// start dual stack containers and verify the user specified --ip and --ip6 addresses on subnets 172.28.102.0/24 and 2001:db8:abc4::/64
+		id3 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.12.20"),
+			container.WithIPv6(netName, "2001:db8:abc7::20"),
+		)
+		id4 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netName),
+			container.WithIPv4(netName, "172.28.12.21"),
+			container.WithIPv6(netName, "2001:db8:abc7::21"),
+		)
+		c3, err := client.ContainerInspect(ctx, id3)
+		assert.NilError(t, err)
+
+		// verify ipv4 connectivity to the explicit --ipv address from third to fourth
+		_, err = container.Exec(ctx, client, id4, []string{"ping", "-c", "1", c3.NetworkSettings.Networks[netName].IPAddress})
+		assert.NilError(t, err)
+		// verify ipv6 connectivity to the explicit --ipv6 address from third to fourth
+		_, err = container.Exec(ctx, client, id4, []string{"ping6", "-c", "1", c3.NetworkSettings.Networks[netName].GlobalIPv6Address})
+		assert.NilError(t, err)
+
+		// Inspect the v4 gateway to ensure no next hop is assigned in L3 mode
+		assert.Equal(t, c1.NetworkSettings.Networks[netName].Gateway, "")
+		// Inspect the v6 gateway to ensure the explicitly specified default GW is ignored per L3 mode enabled
+		assert.Equal(t, c1.NetworkSettings.Networks[netName].IPv6Gateway, "")
+		// Inspect the v4 gateway to ensure no next hop is assigned in L3 mode
+		assert.Equal(t, c3.NetworkSettings.Networks[netName].Gateway, "")
+		// Inspect the v6 gateway to ensure the explicitly specified default GW is ignored per L3 mode enabled
+		assert.Equal(t, c3.NetworkSettings.Networks[netName].IPv6Gateway, "")
+	}
+}
+
+func testIpvlanAddressing(client dclient.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		// Verify ipvlan l2 mode sets the proper default gateway routes via netlink
+		// for either an explicitly set route by the user or inferred via default IPAM
+		netNameL2 := "dualstackl2"
+		net.CreateNoError(t, context.Background(), client, netNameL2,
+			net.WithIPvlan("", "l2"),
+			net.WithIPv6(),
+			net.WithIPAM("172.28.140.0/24", "172.28.140.254"),
+			net.WithIPAM("2001:db8:abcb::/64", ""),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netNameL2))
+
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netNameL2),
+		)
+		// Validate ipvlan l2 mode defaults gateway sets the default IPAM next-hop inferred from the subnet
+		result, err := container.Exec(ctx, client, id1, []string{"ip", "route"})
+		assert.NilError(t, err)
+		assert.Check(t, strings.Contains(result.Combined(), "default via 172.28.140.254 dev eth0"))
+		// Validate ipvlan l2 mode sets the v6 gateway to the user specified default gateway/next-hop
+		result, err = container.Exec(ctx, client, id1, []string{"ip", "-6", "route"})
+		assert.NilError(t, err)
+		assert.Check(t, strings.Contains(result.Combined(), "default via 2001:db8:abcb::1 dev eth0"))
+
+		// Validate ipvlan l3 mode sets the v4 gateway to dev eth0 and disregards any explicit or inferred next-hops
+		netNameL3 := "dualstackl3"
+		net.CreateNoError(t, context.Background(), client, netNameL3,
+			net.WithIPvlan("", "l3"),
+			net.WithIPv6(),
+			net.WithIPAM("172.28.160.0/24", "172.28.160.254"),
+			net.WithIPAM("2001:db8:abcd::/64", "2001:db8:abcd::254"),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netNameL3))
+
+		id2 := container.Run(t, ctx, client,
+			container.WithNetworkMode(netNameL3),
+		)
+		// Validate ipvlan l3 mode sets the v4 gateway to dev eth0 and disregards any explicit or inferred next-hops
+		result, err = container.Exec(ctx, client, id2, []string{"ip", "route"})
+		assert.NilError(t, err)
+		assert.Check(t, strings.Contains(result.Combined(), "default dev eth0"))
+		// Validate ipvlan l3 mode sets the v6 gateway to dev eth0 and disregards any explicit or inferred next-hops
+		result, err = container.Exec(ctx, client, id2, []string{"ip", "-6", "route"})
+		assert.NilError(t, err)
+		assert.Check(t, strings.Contains(result.Combined(), "default dev eth0"))
+	}
+}
+
+// ensure Kernel version is >= v4.2 for ipvlan support
+func ipvlanKernelSupport() bool {
+	return n.CheckKernelMajorVersionGreaterOrEqualThen(4, 2)
+}
diff --git a/engine/integration/network/ipvlan/main_test.go b/engine/integration/network/ipvlan/main_test.go
new file mode 100644
index 00000000..2d5f6245
--- /dev/null
+++ b/engine/integration/network/ipvlan/main_test.go
@@ -0,0 +1,33 @@
+package ipvlan // import "github.com/docker/docker/integration/network/ipvlan"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/network/macvlan/macvlan_test.go b/engine/integration/network/macvlan/macvlan_test.go
new file mode 100644
index 00000000..9c0fd407
--- /dev/null
+++ b/engine/integration/network/macvlan/macvlan_test.go
@@ -0,0 +1,281 @@
+package macvlan
+
+import (
+	"context"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/container"
+	net "github.com/docker/docker/integration/internal/network"
+	n "github.com/docker/docker/integration/network"
+	"github.com/docker/docker/internal/test/daemon"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+func TestDockerNetworkMacvlanPersistance(t *testing.T) {
+	// verify the driver automatically provisions the 802.1q link (dm-dummy0.60)
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+	skip.If(t, testEnv.IsRemoteDaemon())
+	skip.If(t, !macvlanKernelSupport(), "Kernel doesn't support macvlan")
+
+	d := daemon.New(t)
+	d.StartWithBusybox(t)
+	defer d.Stop(t)
+
+	master := "dm-dummy0"
+	n.CreateMasterDummy(t, master)
+	defer n.DeleteInterface(t, master)
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	netName := "dm-persist"
+	net.CreateNoError(t, context.Background(), client, netName,
+		net.WithMacvlan("dm-dummy0.60"),
+	)
+	assert.Check(t, n.IsNetworkAvailable(client, netName))
+	d.Restart(t)
+	assert.Check(t, n.IsNetworkAvailable(client, netName))
+}
+
+func TestDockerNetworkMacvlan(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+	skip.If(t, testEnv.IsRemoteDaemon())
+	skip.If(t, !macvlanKernelSupport(), "Kernel doesn't support macvlan")
+
+	for _, tc := range []struct {
+		name string
+		test func(client.APIClient) func(*testing.T)
+	}{
+		{
+			name: "Subinterface",
+			test: testMacvlanSubinterface,
+		}, {
+			name: "OverlapParent",
+			test: testMacvlanOverlapParent,
+		}, {
+			name: "NilParent",
+			test: testMacvlanNilParent,
+		}, {
+			name: "InternalMode",
+			test: testMacvlanInternalMode,
+		}, {
+			name: "Addressing",
+			test: testMacvlanAddressing,
+		},
+	} {
+		d := daemon.New(t)
+		d.StartWithBusybox(t)
+
+		client, err := d.NewClient()
+		assert.NilError(t, err)
+
+		t.Run(tc.name, tc.test(client))
+
+		d.Stop(t)
+		// FIXME(vdemeester) clean network
+	}
+}
+
+func testMacvlanOverlapParent(client client.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		// verify the same parent interface cannot be used if already in use by an existing network
+		master := "dm-dummy0"
+		n.CreateMasterDummy(t, master)
+		defer n.DeleteInterface(t, master)
+
+		netName := "dm-subinterface"
+		parentName := "dm-dummy0.40"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithMacvlan(parentName),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		_, err := net.Create(context.Background(), client, "dm-parent-net-overlap",
+			net.WithMacvlan(parentName),
+		)
+		assert.Check(t, err != nil)
+
+		// delete the network while preserving the parent link
+		err = client.NetworkRemove(context.Background(), netName)
+		assert.NilError(t, err)
+
+		assert.Check(t, n.IsNetworkNotAvailable(client, netName))
+		// verify the network delete did not delete the predefined link
+		n.LinkExists(t, master)
+	}
+}
+
+func testMacvlanSubinterface(client client.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		// verify the same parent interface cannot be used if already in use by an existing network
+		master := "dm-dummy0"
+		parentName := "dm-dummy0.20"
+		n.CreateMasterDummy(t, master)
+		defer n.DeleteInterface(t, master)
+		n.CreateVlanInterface(t, master, parentName, "20")
+
+		netName := "dm-subinterface"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithMacvlan(parentName),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		// delete the network while preserving the parent link
+		err := client.NetworkRemove(context.Background(), netName)
+		assert.NilError(t, err)
+
+		assert.Check(t, n.IsNetworkNotAvailable(client, netName))
+		// verify the network delete did not delete the predefined link
+		n.LinkExists(t, parentName)
+	}
+}
+
+func testMacvlanNilParent(client client.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		// macvlan bridge mode - dummy parent interface is provisioned dynamically
+		netName := "dm-nil-parent"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithMacvlan(""),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client, container.WithNetworkMode(netName))
+		id2 := container.Run(t, ctx, client, container.WithNetworkMode(netName))
+
+		_, err := container.Exec(ctx, client, id2, []string{"ping", "-c", "1", id1})
+		assert.Check(t, err == nil)
+	}
+}
+
+func testMacvlanInternalMode(client client.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		// macvlan bridge mode - dummy parent interface is provisioned dynamically
+		netName := "dm-internal"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithMacvlan(""),
+			net.WithInternal(),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client, container.WithNetworkMode(netName))
+		id2 := container.Run(t, ctx, client, container.WithNetworkMode(netName))
+
+		timeoutCtx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+		defer cancel()
+		_, err := container.Exec(timeoutCtx, client, id1, []string{"ping", "-c", "1", "-w", "1", "8.8.8.8"})
+		// FIXME(vdemeester) check the time of error ?
+		assert.Check(t, err != nil)
+		assert.Check(t, timeoutCtx.Err() == context.DeadlineExceeded)
+
+		_, err = container.Exec(ctx, client, id2, []string{"ping", "-c", "1", id1})
+		assert.Check(t, err == nil)
+	}
+}
+
+func testMacvlanMultiSubnet(client client.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		netName := "dualstackbridge"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithMacvlan(""),
+			net.WithIPv6(),
+			net.WithIPAM("172.28.100.0/24", ""),
+			net.WithIPAM("172.28.102.0/24", "172.28.102.254"),
+			net.WithIPAM("2001:db8:abc2::/64", ""),
+			net.WithIPAM("2001:db8:abc4::/64", "2001:db8:abc4::254"),
+		)
+
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		// start dual stack containers and verify the user specified --ip and --ip6 addresses on subnets 172.28.100.0/24 and 2001:db8:abc2::/64
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client,
+			container.WithNetworkMode("dualstackbridge"),
+			container.WithIPv4("dualstackbridge", "172.28.100.20"),
+			container.WithIPv6("dualstackbridge", "2001:db8:abc2::20"),
+		)
+		id2 := container.Run(t, ctx, client,
+			container.WithNetworkMode("dualstackbridge"),
+			container.WithIPv4("dualstackbridge", "172.28.100.21"),
+			container.WithIPv6("dualstackbridge", "2001:db8:abc2::21"),
+		)
+		c1, err := client.ContainerInspect(ctx, id1)
+		assert.NilError(t, err)
+
+		// verify ipv4 connectivity to the explicit --ipv address second to first
+		_, err = container.Exec(ctx, client, id2, []string{"ping", "-c", "1", c1.NetworkSettings.Networks["dualstackbridge"].IPAddress})
+		assert.NilError(t, err)
+		// verify ipv6 connectivity to the explicit --ipv6 address second to first
+		_, err = container.Exec(ctx, client, id2, []string{"ping6", "-c", "1", c1.NetworkSettings.Networks["dualstackbridge"].GlobalIPv6Address})
+		assert.NilError(t, err)
+
+		// start dual stack containers and verify the user specified --ip and --ip6 addresses on subnets 172.28.102.0/24 and 2001:db8:abc4::/64
+		id3 := container.Run(t, ctx, client,
+			container.WithNetworkMode("dualstackbridge"),
+			container.WithIPv4("dualstackbridge", "172.28.102.20"),
+			container.WithIPv6("dualstackbridge", "2001:db8:abc4::20"),
+		)
+		id4 := container.Run(t, ctx, client,
+			container.WithNetworkMode("dualstackbridge"),
+			container.WithIPv4("dualstackbridge", "172.28.102.21"),
+			container.WithIPv6("dualstackbridge", "2001:db8:abc4::21"),
+		)
+		c3, err := client.ContainerInspect(ctx, id3)
+		assert.NilError(t, err)
+
+		// verify ipv4 connectivity to the explicit --ipv address from third to fourth
+		_, err = container.Exec(ctx, client, id4, []string{"ping", "-c", "1", c3.NetworkSettings.Networks["dualstackbridge"].IPAddress})
+		assert.NilError(t, err)
+		// verify ipv6 connectivity to the explicit --ipv6 address from third to fourth
+		_, err = container.Exec(ctx, client, id4, []string{"ping6", "-c", "1", c3.NetworkSettings.Networks["dualstackbridge"].GlobalIPv6Address})
+		assert.NilError(t, err)
+
+		// Inspect the v4 gateway to ensure the proper default GW was assigned
+		assert.Equal(t, c1.NetworkSettings.Networks["dualstackbridge"].Gateway, "172.28.100.1")
+		// Inspect the v6 gateway to ensure the proper default GW was assigned
+		assert.Equal(t, c1.NetworkSettings.Networks["dualstackbridge"].IPv6Gateway, "2001:db8:abc2::1")
+		// Inspect the v4 gateway to ensure the proper explicitly assigned default GW was assigned
+		assert.Equal(t, c3.NetworkSettings.Networks["dualstackbridge"].Gateway, "172.28.102.254")
+		// Inspect the v6 gateway to ensure the proper explicitly assigned default GW was assigned
+		assert.Equal(t, c3.NetworkSettings.Networks["dualstackbridge"].IPv6Gateway, "2001:db8.abc4::254")
+	}
+}
+
+func testMacvlanAddressing(client client.APIClient) func(*testing.T) {
+	return func(t *testing.T) {
+		// Ensure the default gateways, next-hops and default dev devices are properly set
+		netName := "dualstackbridge"
+		net.CreateNoError(t, context.Background(), client, netName,
+			net.WithMacvlan(""),
+			net.WithIPv6(),
+			net.WithOption("macvlan_mode", "bridge"),
+			net.WithIPAM("172.28.130.0/24", ""),
+			net.WithIPAM("2001:db8:abca::/64", "2001:db8:abca::254"),
+		)
+		assert.Check(t, n.IsNetworkAvailable(client, netName))
+
+		ctx := context.Background()
+		id1 := container.Run(t, ctx, client,
+			container.WithNetworkMode("dualstackbridge"),
+		)
+
+		// Validate macvlan bridge mode defaults gateway sets the default IPAM next-hop inferred from the subnet
+		result, err := container.Exec(ctx, client, id1, []string{"ip", "route"})
+		assert.NilError(t, err)
+		assert.Check(t, strings.Contains(result.Combined(), "default via 172.28.130.1 dev eth0"))
+		// Validate macvlan bridge mode sets the v6 gateway to the user specified default gateway/next-hop
+		result, err = container.Exec(ctx, client, id1, []string{"ip", "-6", "route"})
+		assert.NilError(t, err)
+		assert.Check(t, strings.Contains(result.Combined(), "default via 2001:db8:abca::254 dev eth0"))
+	}
+}
+
+// ensure Kernel version is >= v3.9 for macvlan support
+func macvlanKernelSupport() bool {
+	return n.CheckKernelMajorVersionGreaterOrEqualThen(3, 9)
+}
diff --git a/engine/integration/network/macvlan/main_test.go b/engine/integration/network/macvlan/main_test.go
new file mode 100644
index 00000000..31cf111b
--- /dev/null
+++ b/engine/integration/network/macvlan/main_test.go
@@ -0,0 +1,33 @@
+package macvlan // import "github.com/docker/docker/integration/network/macvlan"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/network/main_test.go b/engine/integration/network/main_test.go
new file mode 100644
index 00000000..36ed19ca
--- /dev/null
+++ b/engine/integration/network/main_test.go
@@ -0,0 +1,33 @@
+package network // import "github.com/docker/docker/integration/network"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/network/service_test.go b/engine/integration/network/service_test.go
new file mode 100644
index 00000000..b276c510
--- /dev/null
+++ b/engine/integration/network/service_test.go
@@ -0,0 +1,315 @@
+package network // import "github.com/docker/docker/integration/network"
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/network"
+	"github.com/docker/docker/integration/internal/swarm"
+	"github.com/docker/docker/internal/test/daemon"
+	"gotest.tools/assert"
+	"gotest.tools/icmd"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+// delInterface removes given network interface
+func delInterface(t *testing.T, ifName string) {
+	icmd.RunCommand("ip", "link", "delete", ifName).Assert(t, icmd.Success)
+	icmd.RunCommand("iptables", "-t", "nat", "--flush").Assert(t, icmd.Success)
+	icmd.RunCommand("iptables", "--flush").Assert(t, icmd.Success)
+}
+
+func TestDaemonRestartWithLiveRestore(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.38"), "skip test from new feature")
+	d := daemon.New(t)
+	defer d.Stop(t)
+	d.Start(t)
+	d.Restart(t, "--live-restore=true",
+		"--default-address-pool", "base=175.30.0.0/16,size=16",
+		"--default-address-pool", "base=175.33.0.0/16,size=24")
+
+	// Verify bridge network's subnet
+	cli, err := d.NewClient()
+	assert.Assert(t, err)
+	defer cli.Close()
+	out, err := cli.NetworkInspect(context.Background(), "bridge", types.NetworkInspectOptions{})
+	assert.NilError(t, err)
+	// Make sure docker0 doesn't get override with new IP in live restore case
+	assert.Equal(t, out.IPAM.Config[0].Subnet, "172.18.0.0/16")
+}
+
+func TestDaemonDefaultNetworkPools(t *testing.T) {
+	// Remove docker0 bridge and the start daemon defining the predefined address pools
+	skip.If(t, testEnv.IsRemoteDaemon())
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.38"), "skip test from new feature")
+	defaultNetworkBridge := "docker0"
+	delInterface(t, defaultNetworkBridge)
+	d := daemon.New(t)
+	defer d.Stop(t)
+	d.Start(t,
+		"--default-address-pool", "base=175.30.0.0/16,size=16",
+		"--default-address-pool", "base=175.33.0.0/16,size=24")
+
+	// Verify bridge network's subnet
+	cli, err := d.NewClient()
+	assert.Assert(t, err)
+	defer cli.Close()
+	out, err := cli.NetworkInspect(context.Background(), "bridge", types.NetworkInspectOptions{})
+	assert.NilError(t, err)
+	assert.Equal(t, out.IPAM.Config[0].Subnet, "175.30.0.0/16")
+
+	// Create a bridge network and verify its subnet is the second default pool
+	name := "elango" + t.Name()
+	network.CreateNoError(t, context.Background(), cli, name,
+		network.WithDriver("bridge"),
+	)
+	out, err = cli.NetworkInspect(context.Background(), name, types.NetworkInspectOptions{})
+	assert.NilError(t, err)
+	assert.Equal(t, out.IPAM.Config[0].Subnet, "175.33.0.0/24")
+
+	// Create a bridge network and verify its subnet is the third default pool
+	name = "saanvi" + t.Name()
+	network.CreateNoError(t, context.Background(), cli, name,
+		network.WithDriver("bridge"),
+	)
+	out, err = cli.NetworkInspect(context.Background(), name, types.NetworkInspectOptions{})
+	assert.NilError(t, err)
+	assert.Equal(t, out.IPAM.Config[0].Subnet, "175.33.1.0/24")
+	delInterface(t, defaultNetworkBridge)
+
+}
+
+func TestDaemonRestartWithExistingNetwork(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.38"), "skip test from new feature")
+	defaultNetworkBridge := "docker0"
+	d := daemon.New(t)
+	d.Start(t)
+	defer d.Stop(t)
+	// Verify bridge network's subnet
+	cli, err := d.NewClient()
+	assert.Assert(t, err)
+	defer cli.Close()
+
+	// Create a bridge network
+	name := "elango" + t.Name()
+	network.CreateNoError(t, context.Background(), cli, name,
+		network.WithDriver("bridge"),
+	)
+	out, err := cli.NetworkInspect(context.Background(), name, types.NetworkInspectOptions{})
+	assert.NilError(t, err)
+	networkip := out.IPAM.Config[0].Subnet
+
+	// Restart daemon with default address pool option
+	d.Restart(t,
+		"--default-address-pool", "base=175.30.0.0/16,size=16",
+		"--default-address-pool", "base=175.33.0.0/16,size=24")
+
+	out1, err := cli.NetworkInspect(context.Background(), name, types.NetworkInspectOptions{})
+	assert.NilError(t, err)
+	assert.Equal(t, out1.IPAM.Config[0].Subnet, networkip)
+	delInterface(t, defaultNetworkBridge)
+}
+
+func TestDaemonRestartWithExistingNetworkWithDefaultPoolRange(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.38"), "skip test from new feature")
+	defaultNetworkBridge := "docker0"
+	d := daemon.New(t)
+	d.Start(t)
+	defer d.Stop(t)
+	// Verify bridge network's subnet
+	cli, err := d.NewClient()
+	assert.Assert(t, err)
+	defer cli.Close()
+
+	// Create a bridge network
+	name := "elango" + t.Name()
+	network.CreateNoError(t, context.Background(), cli, name,
+		network.WithDriver("bridge"),
+	)
+	out, err := cli.NetworkInspect(context.Background(), name, types.NetworkInspectOptions{})
+	assert.NilError(t, err)
+	networkip := out.IPAM.Config[0].Subnet
+
+	// Create a bridge network
+	name = "sthira" + t.Name()
+	network.CreateNoError(t, context.Background(), cli, name,
+		network.WithDriver("bridge"),
+	)
+	out, err = cli.NetworkInspect(context.Background(), name, types.NetworkInspectOptions{})
+	assert.NilError(t, err)
+	networkip2 := out.IPAM.Config[0].Subnet
+
+	// Restart daemon with default address pool option
+	d.Restart(t,
+		"--default-address-pool", "base=175.18.0.0/16,size=16",
+		"--default-address-pool", "base=175.19.0.0/16,size=24")
+
+	// Create a bridge network
+	name = "saanvi" + t.Name()
+	network.CreateNoError(t, context.Background(), cli, name,
+		network.WithDriver("bridge"),
+	)
+	out1, err := cli.NetworkInspect(context.Background(), name, types.NetworkInspectOptions{})
+	assert.NilError(t, err)
+
+	assert.Check(t, out1.IPAM.Config[0].Subnet != networkip)
+	assert.Check(t, out1.IPAM.Config[0].Subnet != networkip2)
+	delInterface(t, defaultNetworkBridge)
+}
+
+func TestDaemonWithBipAndDefaultNetworkPool(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.38"), "skip test from new feature")
+	defaultNetworkBridge := "docker0"
+	d := daemon.New(t)
+	defer d.Stop(t)
+	d.Start(t, "--bip=172.60.0.1/16",
+		"--default-address-pool", "base=175.30.0.0/16,size=16",
+		"--default-address-pool", "base=175.33.0.0/16,size=24")
+
+	// Verify bridge network's subnet
+	cli, err := d.NewClient()
+	assert.Assert(t, err)
+	defer cli.Close()
+	out, err := cli.NetworkInspect(context.Background(), "bridge", types.NetworkInspectOptions{})
+	assert.NilError(t, err)
+	// Make sure BIP IP doesn't get override with new default address pool .
+	assert.Equal(t, out.IPAM.Config[0].Subnet, "172.60.0.1/16")
+	delInterface(t, defaultNetworkBridge)
+}
+
+func TestServiceWithPredefinedNetwork(t *testing.T) {
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	hostName := "host"
+	var instances uint64 = 1
+	serviceName := "TestService" + t.Name()
+
+	serviceID := swarm.CreateService(t, d,
+		swarm.ServiceWithReplicas(instances),
+		swarm.ServiceWithName(serviceName),
+		swarm.ServiceWithNetwork(hostName),
+	)
+
+	poll.WaitOn(t, serviceRunningCount(client, serviceID, instances), swarm.ServicePoll)
+
+	_, _, err := client.ServiceInspectWithRaw(context.Background(), serviceID, types.ServiceInspectOptions{})
+	assert.NilError(t, err)
+
+	err = client.ServiceRemove(context.Background(), serviceID)
+	assert.NilError(t, err)
+}
+
+const ingressNet = "ingress"
+
+func TestServiceRemoveKeepsIngressNetwork(t *testing.T) {
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	poll.WaitOn(t, swarmIngressReady(client), swarm.NetworkPoll)
+
+	var instances uint64 = 1
+
+	serviceID := swarm.CreateService(t, d,
+		swarm.ServiceWithReplicas(instances),
+		swarm.ServiceWithName(t.Name()+"-service"),
+		swarm.ServiceWithEndpoint(&swarmtypes.EndpointSpec{
+			Ports: []swarmtypes.PortConfig{
+				{
+					Protocol:    swarmtypes.PortConfigProtocolTCP,
+					TargetPort:  80,
+					PublishMode: swarmtypes.PortConfigPublishModeIngress,
+				},
+			},
+		}),
+	)
+
+	poll.WaitOn(t, serviceRunningCount(client, serviceID, instances), swarm.ServicePoll)
+
+	_, _, err := client.ServiceInspectWithRaw(context.Background(), serviceID, types.ServiceInspectOptions{})
+	assert.NilError(t, err)
+
+	err = client.ServiceRemove(context.Background(), serviceID)
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, serviceIsRemoved(client, serviceID), swarm.ServicePoll)
+	poll.WaitOn(t, noServices(client), swarm.ServicePoll)
+
+	// Ensure that "ingress" is not removed or corrupted
+	time.Sleep(10 * time.Second)
+	netInfo, err := client.NetworkInspect(context.Background(), ingressNet, types.NetworkInspectOptions{
+		Verbose: true,
+		Scope:   "swarm",
+	})
+	assert.NilError(t, err, "Ingress network was removed after removing service!")
+	assert.Assert(t, len(netInfo.Containers) != 0, "No load balancing endpoints in ingress network")
+	assert.Assert(t, len(netInfo.Peers) != 0, "No peers (including self) in ingress network")
+	_, ok := netInfo.Containers["ingress-sbox"]
+	assert.Assert(t, ok, "ingress-sbox not present in ingress network")
+}
+
+func serviceRunningCount(client client.ServiceAPIClient, serviceID string, instances uint64) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		services, err := client.ServiceList(context.Background(), types.ServiceListOptions{})
+		if err != nil {
+			return poll.Error(err)
+		}
+
+		if len(services) != int(instances) {
+			return poll.Continue("Service count at %d waiting for %d", len(services), instances)
+		}
+		return poll.Success()
+	}
+}
+
+func swarmIngressReady(client client.NetworkAPIClient) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		netInfo, err := client.NetworkInspect(context.Background(), ingressNet, types.NetworkInspectOptions{
+			Verbose: true,
+			Scope:   "swarm",
+		})
+		if err != nil {
+			return poll.Error(err)
+		}
+		np := len(netInfo.Peers)
+		nc := len(netInfo.Containers)
+		if np == 0 || nc == 0 {
+			return poll.Continue("ingress not ready: %d peers and %d containers", nc, np)
+		}
+		_, ok := netInfo.Containers["ingress-sbox"]
+		if !ok {
+			return poll.Continue("ingress not ready: does not contain the ingress-sbox")
+		}
+		return poll.Success()
+	}
+}
+
+func noServices(client client.ServiceAPIClient) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		services, err := client.ServiceList(context.Background(), types.ServiceListOptions{})
+		switch {
+		case err != nil:
+			return poll.Error(err)
+		case len(services) == 0:
+			return poll.Success()
+		default:
+			return poll.Continue("Service count at %d waiting for 0", len(services))
+		}
+	}
+}
diff --git a/engine/integration/plugin/authz/authz_plugin_test.go b/engine/integration/plugin/authz/authz_plugin_test.go
new file mode 100644
index 00000000..105affc1
--- /dev/null
+++ b/engine/integration/plugin/authz/authz_plugin_test.go
@@ -0,0 +1,521 @@
+// +build !windows
+
+package authz // import "github.com/docker/docker/integration/plugin/authz"
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	eventtypes "github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/environment"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/authorization"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+const (
+	testAuthZPlugin     = "authzplugin"
+	unauthorizedMessage = "User unauthorized authz plugin"
+	errorMessage        = "something went wrong..."
+	serverVersionAPI    = "/version"
+)
+
+var (
+	alwaysAllowed = []string{"/_ping", "/info"}
+	ctrl          *authorizationController
+)
+
+type authorizationController struct {
+	reqRes          authorization.Response // reqRes holds the plugin response to the initial client request
+	resRes          authorization.Response // resRes holds the plugin response to the daemon response
+	versionReqCount int                    // versionReqCount counts the number of requests to the server version API endpoint
+	versionResCount int                    // versionResCount counts the number of responses from the server version API endpoint
+	requestsURIs    []string               // requestsURIs stores all request URIs that are sent to the authorization controller
+	reqUser         string
+	resUser         string
+}
+
+func setupTestV1(t *testing.T) func() {
+	ctrl = &authorizationController{}
+	teardown := setupTest(t)
+
+	err := os.MkdirAll("/etc/docker/plugins", 0755)
+	assert.NilError(t, err)
+
+	fileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", testAuthZPlugin)
+	err = ioutil.WriteFile(fileName, []byte(server.URL), 0644)
+	assert.NilError(t, err)
+
+	return func() {
+		err := os.RemoveAll("/etc/docker/plugins")
+		assert.NilError(t, err)
+
+		teardown()
+		ctrl = nil
+	}
+}
+
+// check for always allowed endpoints to not inhibit test framework functions
+func isAllowed(reqURI string) bool {
+	for _, endpoint := range alwaysAllowed {
+		if strings.HasSuffix(reqURI, endpoint) {
+			return true
+		}
+	}
+	return false
+}
+
+func TestAuthZPluginAllowRequest(t *testing.T) {
+	defer setupTestV1(t)()
+	ctrl.reqRes.Allow = true
+	ctrl.resRes.Allow = true
+	d.StartWithBusybox(t, "--authorization-plugin="+testAuthZPlugin)
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	ctx := context.Background()
+
+	// Ensure command successful
+	cID := container.Run(t, ctx, client)
+
+	assertURIRecorded(t, ctrl.requestsURIs, "/containers/create")
+	assertURIRecorded(t, ctrl.requestsURIs, fmt.Sprintf("/containers/%s/start", cID))
+
+	_, err = client.ServerVersion(ctx)
+	assert.NilError(t, err)
+	assert.Equal(t, 1, ctrl.versionReqCount)
+	assert.Equal(t, 1, ctrl.versionResCount)
+}
+
+func TestAuthZPluginTLS(t *testing.T) {
+	defer setupTestV1(t)()
+	const (
+		testDaemonHTTPSAddr = "tcp://localhost:4271"
+		cacertPath          = "../../testdata/https/ca.pem"
+		serverCertPath      = "../../testdata/https/server-cert.pem"
+		serverKeyPath       = "../../testdata/https/server-key.pem"
+		clientCertPath      = "../../testdata/https/client-cert.pem"
+		clientKeyPath       = "../../testdata/https/client-key.pem"
+	)
+
+	d.Start(t,
+		"--authorization-plugin="+testAuthZPlugin,
+		"--tlsverify",
+		"--tlscacert", cacertPath,
+		"--tlscert", serverCertPath,
+		"--tlskey", serverKeyPath,
+		"-H", testDaemonHTTPSAddr)
+
+	ctrl.reqRes.Allow = true
+	ctrl.resRes.Allow = true
+
+	client, err := newTLSAPIClient(testDaemonHTTPSAddr, cacertPath, clientCertPath, clientKeyPath)
+	assert.NilError(t, err)
+
+	_, err = client.ServerVersion(context.Background())
+	assert.NilError(t, err)
+
+	assert.Equal(t, "client", ctrl.reqUser)
+	assert.Equal(t, "client", ctrl.resUser)
+}
+
+func newTLSAPIClient(host, cacertPath, certPath, keyPath string) (client.APIClient, error) {
+	dialer := &net.Dialer{
+		KeepAlive: 30 * time.Second,
+		Timeout:   30 * time.Second,
+	}
+	return client.NewClientWithOpts(
+		client.WithTLSClientConfig(cacertPath, certPath, keyPath),
+		client.WithDialer(dialer),
+		client.WithHost(host))
+}
+
+func TestAuthZPluginDenyRequest(t *testing.T) {
+	defer setupTestV1(t)()
+	d.Start(t, "--authorization-plugin="+testAuthZPlugin)
+	ctrl.reqRes.Allow = false
+	ctrl.reqRes.Msg = unauthorizedMessage
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	// Ensure command is blocked
+	_, err = client.ServerVersion(context.Background())
+	assert.Assert(t, err != nil)
+	assert.Equal(t, 1, ctrl.versionReqCount)
+	assert.Equal(t, 0, ctrl.versionResCount)
+
+	// Ensure unauthorized message appears in response
+	assert.Equal(t, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s", testAuthZPlugin, unauthorizedMessage), err.Error())
+}
+
+// TestAuthZPluginAPIDenyResponse validates that when authorization
+// plugin deny the request, the status code is forbidden
+func TestAuthZPluginAPIDenyResponse(t *testing.T) {
+	defer setupTestV1(t)()
+	d.Start(t, "--authorization-plugin="+testAuthZPlugin)
+	ctrl.reqRes.Allow = false
+	ctrl.resRes.Msg = unauthorizedMessage
+
+	daemonURL, err := url.Parse(d.Sock())
+	assert.NilError(t, err)
+
+	conn, err := net.DialTimeout(daemonURL.Scheme, daemonURL.Path, time.Second*10)
+	assert.NilError(t, err)
+	client := httputil.NewClientConn(conn, nil)
+	req, err := http.NewRequest("GET", "/version", nil)
+	assert.NilError(t, err)
+	resp, err := client.Do(req)
+
+	assert.NilError(t, err)
+	assert.DeepEqual(t, http.StatusForbidden, resp.StatusCode)
+}
+
+func TestAuthZPluginDenyResponse(t *testing.T) {
+	defer setupTestV1(t)()
+	d.Start(t, "--authorization-plugin="+testAuthZPlugin)
+	ctrl.reqRes.Allow = true
+	ctrl.resRes.Allow = false
+	ctrl.resRes.Msg = unauthorizedMessage
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	// Ensure command is blocked
+	_, err = client.ServerVersion(context.Background())
+	assert.Assert(t, err != nil)
+	assert.Equal(t, 1, ctrl.versionReqCount)
+	assert.Equal(t, 1, ctrl.versionResCount)
+
+	// Ensure unauthorized message appears in response
+	assert.Equal(t, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s", testAuthZPlugin, unauthorizedMessage), err.Error())
+}
+
+// TestAuthZPluginAllowEventStream verifies event stream propagates
+// correctly after request pass through by the authorization plugin
+func TestAuthZPluginAllowEventStream(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTestV1(t)()
+	ctrl.reqRes.Allow = true
+	ctrl.resRes.Allow = true
+	d.StartWithBusybox(t, "--authorization-plugin="+testAuthZPlugin)
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	ctx := context.Background()
+
+	startTime := strconv.FormatInt(systemTime(t, client, testEnv).Unix(), 10)
+	events, errs, cancel := systemEventsSince(client, startTime)
+	defer cancel()
+
+	// Create a container and wait for the creation events
+	cID := container.Run(t, ctx, client)
+
+	for i := 0; i < 100; i++ {
+		c, err := client.ContainerInspect(ctx, cID)
+		assert.NilError(t, err)
+		if c.State.Running {
+			break
+		}
+		if i == 99 {
+			t.Fatal("Container didn't run within 10s")
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+
+	created := false
+	started := false
+	for !created && !started {
+		select {
+		case event := <-events:
+			if event.Type == eventtypes.ContainerEventType && event.Actor.ID == cID {
+				if event.Action == "create" {
+					created = true
+				}
+				if event.Action == "start" {
+					started = true
+				}
+			}
+		case err := <-errs:
+			if err == io.EOF {
+				t.Fatal("premature end of event stream")
+			}
+			assert.NilError(t, err)
+		case <-time.After(30 * time.Second):
+			// Fail the test
+			t.Fatal("event stream timeout")
+		}
+	}
+
+	// Ensure both events and container endpoints are passed to the
+	// authorization plugin
+	assertURIRecorded(t, ctrl.requestsURIs, "/events")
+	assertURIRecorded(t, ctrl.requestsURIs, "/containers/create")
+	assertURIRecorded(t, ctrl.requestsURIs, fmt.Sprintf("/containers/%s/start", cID))
+}
+
+func systemTime(t *testing.T, client client.APIClient, testEnv *environment.Execution) time.Time {
+	if testEnv.IsLocalDaemon() {
+		return time.Now()
+	}
+
+	ctx := context.Background()
+	info, err := client.Info(ctx)
+	assert.NilError(t, err)
+
+	dt, err := time.Parse(time.RFC3339Nano, info.SystemTime)
+	assert.NilError(t, err, "invalid time format in GET /info response")
+	return dt
+}
+
+func systemEventsSince(client client.APIClient, since string) (<-chan eventtypes.Message, <-chan error, func()) {
+	eventOptions := types.EventsOptions{
+		Since: since,
+	}
+	ctx, cancel := context.WithCancel(context.Background())
+	events, errs := client.Events(ctx, eventOptions)
+
+	return events, errs, cancel
+}
+
+func TestAuthZPluginErrorResponse(t *testing.T) {
+	defer setupTestV1(t)()
+	d.Start(t, "--authorization-plugin="+testAuthZPlugin)
+	ctrl.reqRes.Allow = true
+	ctrl.resRes.Err = errorMessage
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	// Ensure command is blocked
+	_, err = client.ServerVersion(context.Background())
+	assert.Assert(t, err != nil)
+	assert.Equal(t, fmt.Sprintf("Error response from daemon: plugin %s failed with error: %s: %s", testAuthZPlugin, authorization.AuthZApiResponse, errorMessage), err.Error())
+}
+
+func TestAuthZPluginErrorRequest(t *testing.T) {
+	defer setupTestV1(t)()
+	d.Start(t, "--authorization-plugin="+testAuthZPlugin)
+	ctrl.reqRes.Err = errorMessage
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	// Ensure command is blocked
+	_, err = client.ServerVersion(context.Background())
+	assert.Assert(t, err != nil)
+	assert.Equal(t, fmt.Sprintf("Error response from daemon: plugin %s failed with error: %s: %s", testAuthZPlugin, authorization.AuthZApiRequest, errorMessage), err.Error())
+}
+
+func TestAuthZPluginEnsureNoDuplicatePluginRegistration(t *testing.T) {
+	defer setupTestV1(t)()
+	d.Start(t, "--authorization-plugin="+testAuthZPlugin, "--authorization-plugin="+testAuthZPlugin)
+
+	ctrl.reqRes.Allow = true
+	ctrl.resRes.Allow = true
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	_, err = client.ServerVersion(context.Background())
+	assert.NilError(t, err)
+
+	// assert plugin is only called once..
+	assert.Equal(t, 1, ctrl.versionReqCount)
+	assert.Equal(t, 1, ctrl.versionResCount)
+}
+
+func TestAuthZPluginEnsureLoadImportWorking(t *testing.T) {
+	defer setupTestV1(t)()
+	ctrl.reqRes.Allow = true
+	ctrl.resRes.Allow = true
+	d.StartWithBusybox(t, "--authorization-plugin="+testAuthZPlugin, "--authorization-plugin="+testAuthZPlugin)
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	ctx := context.Background()
+
+	tmp, err := ioutil.TempDir("", "test-authz-load-import")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmp)
+
+	savedImagePath := filepath.Join(tmp, "save.tar")
+
+	err = imageSave(client, savedImagePath, "busybox")
+	assert.NilError(t, err)
+	err = imageLoad(client, savedImagePath)
+	assert.NilError(t, err)
+
+	exportedImagePath := filepath.Join(tmp, "export.tar")
+
+	cID := container.Run(t, ctx, client)
+
+	responseReader, err := client.ContainerExport(context.Background(), cID)
+	assert.NilError(t, err)
+	defer responseReader.Close()
+	file, err := os.Create(exportedImagePath)
+	assert.NilError(t, err)
+	defer file.Close()
+	_, err = io.Copy(file, responseReader)
+	assert.NilError(t, err)
+
+	err = imageImport(client, exportedImagePath)
+	assert.NilError(t, err)
+}
+
+func TestAuthzPluginEnsureContainerCopyToFrom(t *testing.T) {
+	defer setupTestV1(t)()
+	ctrl.reqRes.Allow = true
+	ctrl.resRes.Allow = true
+	d.StartWithBusybox(t, "--authorization-plugin="+testAuthZPlugin, "--authorization-plugin="+testAuthZPlugin)
+
+	dir, err := ioutil.TempDir("", t.Name())
+	assert.Assert(t, err)
+	defer os.RemoveAll(dir)
+
+	f, err := ioutil.TempFile(dir, "send")
+	assert.Assert(t, err)
+	defer f.Close()
+
+	buf := make([]byte, 1024)
+	fileSize := len(buf) * 1024 * 10
+	for written := 0; written < fileSize; {
+		n, err := f.Write(buf)
+		assert.Assert(t, err)
+		written += n
+	}
+
+	ctx := context.Background()
+	client, err := d.NewClient()
+	assert.Assert(t, err)
+
+	cID := container.Run(t, ctx, client)
+	defer client.ContainerRemove(ctx, cID, types.ContainerRemoveOptions{Force: true})
+
+	_, err = f.Seek(0, io.SeekStart)
+	assert.Assert(t, err)
+
+	srcInfo, err := archive.CopyInfoSourcePath(f.Name(), false)
+	assert.Assert(t, err)
+	srcArchive, err := archive.TarResource(srcInfo)
+	assert.Assert(t, err)
+	defer srcArchive.Close()
+
+	dstDir, preparedArchive, err := archive.PrepareArchiveCopy(srcArchive, srcInfo, archive.CopyInfo{Path: "/test"})
+	assert.Assert(t, err)
+
+	err = client.CopyToContainer(ctx, cID, dstDir, preparedArchive, types.CopyToContainerOptions{})
+	assert.Assert(t, err)
+
+	rdr, _, err := client.CopyFromContainer(ctx, cID, "/test")
+	assert.Assert(t, err)
+	_, err = io.Copy(ioutil.Discard, rdr)
+	assert.Assert(t, err)
+}
+
+func imageSave(client client.APIClient, path, image string) error {
+	ctx := context.Background()
+	responseReader, err := client.ImageSave(ctx, []string{image})
+	if err != nil {
+		return err
+	}
+	defer responseReader.Close()
+	file, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	_, err = io.Copy(file, responseReader)
+	return err
+}
+
+func imageLoad(client client.APIClient, path string) error {
+	file, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	quiet := true
+	ctx := context.Background()
+	response, err := client.ImageLoad(ctx, file, quiet)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+	return nil
+}
+
+func imageImport(client client.APIClient, path string) error {
+	file, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	options := types.ImageImportOptions{}
+	ref := ""
+	source := types.ImageImportSource{
+		Source:     file,
+		SourceName: "-",
+	}
+	ctx := context.Background()
+	responseReader, err := client.ImageImport(ctx, source, ref, options)
+	if err != nil {
+		return err
+	}
+	defer responseReader.Close()
+	return nil
+}
+
+func TestAuthZPluginHeader(t *testing.T) {
+	defer setupTestV1(t)()
+	ctrl.reqRes.Allow = true
+	ctrl.resRes.Allow = true
+	d.StartWithBusybox(t, "--debug", "--authorization-plugin="+testAuthZPlugin)
+
+	daemonURL, err := url.Parse(d.Sock())
+	assert.NilError(t, err)
+
+	conn, err := net.DialTimeout(daemonURL.Scheme, daemonURL.Path, time.Second*10)
+	assert.NilError(t, err)
+	client := httputil.NewClientConn(conn, nil)
+	req, err := http.NewRequest("GET", "/version", nil)
+	assert.NilError(t, err)
+	resp, err := client.Do(req)
+	assert.NilError(t, err)
+	assert.Equal(t, "application/json", resp.Header["Content-Type"][0])
+}
+
+// assertURIRecorded verifies that the given URI was sent and recorded
+// in the authz plugin
+func assertURIRecorded(t *testing.T, uris []string, uri string) {
+	var found bool
+	for _, u := range uris {
+		if strings.Contains(u, uri) {
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Fatalf("Expected to find URI '%s', recorded uris '%s'", uri, strings.Join(uris, ","))
+	}
+}
diff --git a/engine/integration/plugin/authz/authz_plugin_v2_test.go b/engine/integration/plugin/authz/authz_plugin_v2_test.go
new file mode 100644
index 00000000..5ebaca41
--- /dev/null
+++ b/engine/integration/plugin/authz/authz_plugin_v2_test.go
@@ -0,0 +1,175 @@
+// +build !windows
+
+package authz // import "github.com/docker/docker/integration/plugin/authz"
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	volumetypes "github.com/docker/docker/api/types/volume"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/integration/internal/requirement"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+var (
+	authzPluginName            = "riyaz/authz-no-volume-plugin"
+	authzPluginTag             = "latest"
+	authzPluginNameWithTag     = authzPluginName + ":" + authzPluginTag
+	authzPluginBadManifestName = "riyaz/authz-plugin-bad-manifest"
+	nonexistentAuthzPluginName = "riyaz/nonexistent-authz-plugin"
+)
+
+func setupTestV2(t *testing.T) func() {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+	skip.If(t, !requirement.HasHubConnectivity(t))
+
+	teardown := setupTest(t)
+
+	d.Start(t)
+
+	return teardown
+}
+
+func TestAuthZPluginV2AllowNonVolumeRequest(t *testing.T) {
+	skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
+	defer setupTestV2(t)()
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	ctx := context.Background()
+
+	// Install authz plugin
+	err = pluginInstallGrantAllPermissions(client, authzPluginNameWithTag)
+	assert.NilError(t, err)
+	// start the daemon with the plugin and load busybox, --net=none build fails otherwise
+	// because it needs to pull busybox
+	d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)
+	d.LoadBusybox(t)
+
+	// Ensure docker run command and accompanying docker ps are successful
+	cID := container.Run(t, ctx, client)
+
+	_, err = client.ContainerInspect(ctx, cID)
+	assert.NilError(t, err)
+}
+
+func TestAuthZPluginV2Disable(t *testing.T) {
+	skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
+	defer setupTestV2(t)()
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	// Install authz plugin
+	err = pluginInstallGrantAllPermissions(client, authzPluginNameWithTag)
+	assert.NilError(t, err)
+
+	d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)
+	d.LoadBusybox(t)
+
+	_, err = client.VolumeCreate(context.Background(), volumetypes.VolumeCreateBody{Driver: "local"})
+	assert.Assert(t, err != nil)
+	assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
+
+	// disable the plugin
+	err = client.PluginDisable(context.Background(), authzPluginNameWithTag, types.PluginDisableOptions{})
+	assert.NilError(t, err)
+
+	// now test to see if the docker api works.
+	_, err = client.VolumeCreate(context.Background(), volumetypes.VolumeCreateBody{Driver: "local"})
+	assert.NilError(t, err)
+}
+
+func TestAuthZPluginV2RejectVolumeRequests(t *testing.T) {
+	skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
+	defer setupTestV2(t)()
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	// Install authz plugin
+	err = pluginInstallGrantAllPermissions(client, authzPluginNameWithTag)
+	assert.NilError(t, err)
+
+	// restart the daemon with the plugin
+	d.Restart(t, "--authorization-plugin="+authzPluginNameWithTag)
+
+	_, err = client.VolumeCreate(context.Background(), volumetypes.VolumeCreateBody{Driver: "local"})
+	assert.Assert(t, err != nil)
+	assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
+
+	_, err = client.VolumeList(context.Background(), filters.Args{})
+	assert.Assert(t, err != nil)
+	assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
+
+	// The plugin will block the command before it can determine the volume does not exist
+	err = client.VolumeRemove(context.Background(), "test", false)
+	assert.Assert(t, err != nil)
+	assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
+
+	_, err = client.VolumeInspect(context.Background(), "test")
+	assert.Assert(t, err != nil)
+	assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
+
+	_, err = client.VolumesPrune(context.Background(), filters.Args{})
+	assert.Assert(t, err != nil)
+	assert.Assert(t, strings.Contains(err.Error(), fmt.Sprintf("Error response from daemon: plugin %s failed with error:", authzPluginNameWithTag)))
+}
+
+func TestAuthZPluginV2BadManifestFailsDaemonStart(t *testing.T) {
+	skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
+	defer setupTestV2(t)()
+
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+
+	// Install authz plugin with bad manifest
+	err = pluginInstallGrantAllPermissions(client, authzPluginBadManifestName)
+	assert.NilError(t, err)
+
+	// start the daemon with the plugin, it will error
+	err = d.RestartWithError("--authorization-plugin=" + authzPluginBadManifestName)
+	assert.Assert(t, err != nil)
+
+	// restarting the daemon without requiring the plugin will succeed
+	d.Start(t)
+}
+
+func TestAuthZPluginV2NonexistentFailsDaemonStart(t *testing.T) {
+	defer setupTestV2(t)()
+
+	// start the daemon with a non-existent authz plugin, it will error
+	err := d.RestartWithError("--authorization-plugin=" + nonexistentAuthzPluginName)
+	assert.Assert(t, err != nil)
+
+	// restarting the daemon without requiring the plugin will succeed
+	d.Start(t)
+}
+
+func pluginInstallGrantAllPermissions(client client.APIClient, name string) error {
+	ctx := context.Background()
+	options := types.PluginInstallOptions{
+		RemoteRef:            name,
+		AcceptAllPermissions: true,
+	}
+	responseReader, err := client.PluginInstall(ctx, "", options)
+	if err != nil {
+		return err
+	}
+	defer responseReader.Close()
+	// we have to read the response out here because the client API
+	// actually starts a goroutine which we can only be sure has
+	// completed when we get EOF from reading responseBody
+	_, err = ioutil.ReadAll(responseReader)
+	return err
+}
diff --git a/engine/integration/plugin/authz/main_test.go b/engine/integration/plugin/authz/main_test.go
new file mode 100644
index 00000000..75555dc9
--- /dev/null
+++ b/engine/integration/plugin/authz/main_test.go
@@ -0,0 +1,180 @@
+// +build !windows
+
+package authz // import "github.com/docker/docker/integration/plugin/authz"
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/internal/test/environment"
+	"github.com/docker/docker/pkg/authorization"
+	"github.com/docker/docker/pkg/plugins"
+	"gotest.tools/skip"
+)
+
+var (
+	testEnv *environment.Execution
+	d       *daemon.Daemon
+	server  *httptest.Server
+)
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	setupSuite()
+	exitCode := m.Run()
+	teardownSuite()
+
+	os.Exit(exitCode)
+}
+
+func setupTest(t *testing.T) func() {
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot run daemon when remote daemon")
+	environment.ProtectAll(t, testEnv)
+
+	d = daemon.New(t, daemon.WithExperimental)
+
+	return func() {
+		if d != nil {
+			d.Stop(t)
+		}
+		testEnv.Clean(t)
+	}
+}
+
+func setupSuite() {
+	mux := http.NewServeMux()
+	server = httptest.NewServer(mux)
+
+	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
+		b, err := json.Marshal(plugins.Manifest{Implements: []string{authorization.AuthZApiImplements}})
+		if err != nil {
+			panic("could not marshal json for /Plugin.Activate: " + err.Error())
+		}
+		w.Write(b)
+	})
+
+	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+		body, err := ioutil.ReadAll(r.Body)
+		if err != nil {
+			panic("could not read body for /AuthZPlugin.AuthZReq: " + err.Error())
+		}
+		authReq := authorization.Request{}
+		err = json.Unmarshal(body, &authReq)
+		if err != nil {
+			panic("could not unmarshal json for /AuthZPlugin.AuthZReq: " + err.Error())
+		}
+
+		assertBody(authReq.RequestURI, authReq.RequestHeaders, authReq.RequestBody)
+		assertAuthHeaders(authReq.RequestHeaders)
+
+		// Count only server version api
+		if strings.HasSuffix(authReq.RequestURI, serverVersionAPI) {
+			ctrl.versionReqCount++
+		}
+
+		ctrl.requestsURIs = append(ctrl.requestsURIs, authReq.RequestURI)
+
+		reqRes := ctrl.reqRes
+		if isAllowed(authReq.RequestURI) {
+			reqRes = authorization.Response{Allow: true}
+		}
+		if reqRes.Err != "" {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
+		b, err := json.Marshal(reqRes)
+		if err != nil {
+			panic("could not marshal json for /AuthZPlugin.AuthZReq: " + err.Error())
+		}
+
+		ctrl.reqUser = authReq.User
+		w.Write(b)
+	})
+
+	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
+		defer r.Body.Close()
+		body, err := ioutil.ReadAll(r.Body)
+		if err != nil {
+			panic("could not read body for /AuthZPlugin.AuthZRes: " + err.Error())
+		}
+		authReq := authorization.Request{}
+		err = json.Unmarshal(body, &authReq)
+		if err != nil {
+			panic("could not unmarshal json for /AuthZPlugin.AuthZRes: " + err.Error())
+		}
+
+		assertBody(authReq.RequestURI, authReq.ResponseHeaders, authReq.ResponseBody)
+		assertAuthHeaders(authReq.ResponseHeaders)
+
+		// Count only server version api
+		if strings.HasSuffix(authReq.RequestURI, serverVersionAPI) {
+			ctrl.versionResCount++
+		}
+		resRes := ctrl.resRes
+		if isAllowed(authReq.RequestURI) {
+			resRes = authorization.Response{Allow: true}
+		}
+		if resRes.Err != "" {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
+		b, err := json.Marshal(resRes)
+		if err != nil {
+			panic("could not marshal json for /AuthZPlugin.AuthZRes: " + err.Error())
+		}
+		ctrl.resUser = authReq.User
+		w.Write(b)
+	})
+}
+
+func teardownSuite() {
+	if server == nil {
+		return
+	}
+
+	server.Close()
+}
+
+// assertAuthHeaders validates authentication headers are removed
+func assertAuthHeaders(headers map[string]string) error {
+	for k := range headers {
+		if strings.Contains(strings.ToLower(k), "auth") || strings.Contains(strings.ToLower(k), "x-registry") {
+			panic(fmt.Sprintf("Found authentication headers in request '%v'", headers))
+		}
+	}
+	return nil
+}
+
+// assertBody asserts that body is removed for non text/json requests
+func assertBody(requestURI string, headers map[string]string, body []byte) {
+	if strings.Contains(strings.ToLower(requestURI), "auth") && len(body) > 0 {
+		panic("Body included for authentication endpoint " + string(body))
+	}
+
+	for k, v := range headers {
+		if strings.EqualFold(k, "Content-Type") && strings.HasPrefix(v, "text/") || v == "application/json" {
+			return
+		}
+	}
+	if len(body) > 0 {
+		panic(fmt.Sprintf("Body included while it should not (Headers: '%v')", headers))
+	}
+}
diff --git a/engine/integration/plugin/graphdriver/external_test.go b/engine/integration/plugin/graphdriver/external_test.go
new file mode 100644
index 00000000..e34e55ec
--- /dev/null
+++ b/engine/integration/plugin/graphdriver/external_test.go
@@ -0,0 +1,462 @@
+package graphdriver
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"runtime"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/daemon/graphdriver/vfs"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/integration/internal/requirement"
+	"github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/plugins"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+type graphEventsCounter struct {
+	activations int
+	creations   int
+	removals    int
+	gets        int
+	puts        int
+	stats       int
+	cleanups    int
+	exists      int
+	init        int
+	metadata    int
+	diff        int
+	applydiff   int
+	changes     int
+	diffsize    int
+}
+
+func TestExternalGraphDriver(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows")
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot run daemon when remote daemon")
+	skip.If(t, !requirement.HasHubConnectivity(t))
+
+	// Setup plugin(s)
+	ec := make(map[string]*graphEventsCounter)
+	sserver := setupPluginViaSpecFile(t, ec)
+	jserver := setupPluginViaJSONFile(t, ec)
+	// Create daemon
+	d := daemon.New(t, daemon.WithExperimental)
+	c := d.NewClientT(t)
+
+	for _, tc := range []struct {
+		name string
+		test func(client.APIClient, *daemon.Daemon) func(*testing.T)
+	}{
+		{
+			name: "json",
+			test: testExternalGraphDriver("json", ec),
+		},
+		{
+			name: "spec",
+			test: testExternalGraphDriver("spec", ec),
+		},
+		{
+			name: "pull",
+			test: testGraphDriverPull,
+		},
+	} {
+		t.Run(tc.name, tc.test(c, d))
+	}
+
+	sserver.Close()
+	jserver.Close()
+	err := os.RemoveAll("/etc/docker/plugins")
+	assert.NilError(t, err)
+}
+
+func setupPluginViaSpecFile(t *testing.T, ec map[string]*graphEventsCounter) *httptest.Server {
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+
+	setupPlugin(t, ec, "spec", mux, []byte(server.URL))
+
+	return server
+}
+
+func setupPluginViaJSONFile(t *testing.T, ec map[string]*graphEventsCounter) *httptest.Server {
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+
+	p := plugins.NewLocalPlugin("json-external-graph-driver", server.URL)
+	b, err := json.Marshal(p)
+	assert.NilError(t, err)
+
+	setupPlugin(t, ec, "json", mux, b)
+
+	return server
+}
+
+func setupPlugin(t *testing.T, ec map[string]*graphEventsCounter, ext string, mux *http.ServeMux, b []byte) {
+	name := fmt.Sprintf("%s-external-graph-driver", ext)
+	type graphDriverRequest struct {
+		ID         string `json:",omitempty"`
+		Parent     string `json:",omitempty"`
+		MountLabel string `json:",omitempty"`
+		ReadOnly   bool   `json:",omitempty"`
+	}
+
+	type graphDriverResponse struct {
+		Err      error             `json:",omitempty"`
+		Dir      string            `json:",omitempty"`
+		Exists   bool              `json:",omitempty"`
+		Status   [][2]string       `json:",omitempty"`
+		Metadata map[string]string `json:",omitempty"`
+		Changes  []archive.Change  `json:",omitempty"`
+		Size     int64             `json:",omitempty"`
+	}
+
+	respond := func(w http.ResponseWriter, data interface{}) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		switch t := data.(type) {
+		case error:
+			fmt.Fprintln(w, fmt.Sprintf(`{"Err": %q}`, t.Error()))
+		case string:
+			fmt.Fprintln(w, t)
+		default:
+			json.NewEncoder(w).Encode(&data)
+		}
+	}
+
+	decReq := func(b io.ReadCloser, out interface{}, w http.ResponseWriter) error {
+		defer b.Close()
+		if err := json.NewDecoder(b).Decode(&out); err != nil {
+			http.Error(w, fmt.Sprintf("error decoding json: %s", err.Error()), 500)
+		}
+		return nil
+	}
+
+	base, err := ioutil.TempDir("", name)
+	assert.NilError(t, err)
+	vfsProto, err := vfs.Init(base, []string{}, nil, nil)
+	assert.NilError(t, err, "error initializing graph driver")
+	driver := graphdriver.NewNaiveDiffDriver(vfsProto, nil, nil)
+
+	ec[ext] = &graphEventsCounter{}
+	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].activations++
+		respond(w, `{"Implements": ["GraphDriver"]}`)
+	})
+
+	mux.HandleFunc("/GraphDriver.Init", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].init++
+		respond(w, "{}")
+	})
+
+	mux.HandleFunc("/GraphDriver.CreateReadWrite", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].creations++
+
+		var req graphDriverRequest
+		if err := decReq(r.Body, &req, w); err != nil {
+			return
+		}
+		if err := driver.CreateReadWrite(req.ID, req.Parent, nil); err != nil {
+			respond(w, err)
+			return
+		}
+		respond(w, "{}")
+	})
+
+	mux.HandleFunc("/GraphDriver.Create", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].creations++
+
+		var req graphDriverRequest
+		if err := decReq(r.Body, &req, w); err != nil {
+			return
+		}
+		if err := driver.Create(req.ID, req.Parent, nil); err != nil {
+			respond(w, err)
+			return
+		}
+		respond(w, "{}")
+	})
+
+	mux.HandleFunc("/GraphDriver.Remove", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].removals++
+
+		var req graphDriverRequest
+		if err := decReq(r.Body, &req, w); err != nil {
+			return
+		}
+
+		if err := driver.Remove(req.ID); err != nil {
+			respond(w, err)
+			return
+		}
+		respond(w, "{}")
+	})
+
+	mux.HandleFunc("/GraphDriver.Get", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].gets++
+
+		var req graphDriverRequest
+		if err := decReq(r.Body, &req, w); err != nil {
+			return
+		}
+
+		// TODO @gupta-ak: Figure out what to do here.
+		dir, err := driver.Get(req.ID, req.MountLabel)
+		if err != nil {
+			respond(w, err)
+			return
+		}
+		respond(w, &graphDriverResponse{Dir: dir.Path()})
+	})
+
+	mux.HandleFunc("/GraphDriver.Put", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].puts++
+
+		var req graphDriverRequest
+		if err := decReq(r.Body, &req, w); err != nil {
+			return
+		}
+
+		if err := driver.Put(req.ID); err != nil {
+			respond(w, err)
+			return
+		}
+		respond(w, "{}")
+	})
+
+	mux.HandleFunc("/GraphDriver.Exists", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].exists++
+
+		var req graphDriverRequest
+		if err := decReq(r.Body, &req, w); err != nil {
+			return
+		}
+		respond(w, &graphDriverResponse{Exists: driver.Exists(req.ID)})
+	})
+
+	mux.HandleFunc("/GraphDriver.Status", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].stats++
+		respond(w, &graphDriverResponse{Status: driver.Status()})
+	})
+
+	mux.HandleFunc("/GraphDriver.Cleanup", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].cleanups++
+		err := driver.Cleanup()
+		if err != nil {
+			respond(w, err)
+			return
+		}
+		respond(w, `{}`)
+	})
+
+	mux.HandleFunc("/GraphDriver.GetMetadata", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].metadata++
+
+		var req graphDriverRequest
+		if err := decReq(r.Body, &req, w); err != nil {
+			return
+		}
+
+		data, err := driver.GetMetadata(req.ID)
+		if err != nil {
+			respond(w, err)
+			return
+		}
+		respond(w, &graphDriverResponse{Metadata: data})
+	})
+
+	mux.HandleFunc("/GraphDriver.Diff", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].diff++
+
+		var req graphDriverRequest
+		if err := decReq(r.Body, &req, w); err != nil {
+			return
+		}
+
+		diff, err := driver.Diff(req.ID, req.Parent)
+		if err != nil {
+			respond(w, err)
+			return
+		}
+		io.Copy(w, diff)
+	})
+
+	mux.HandleFunc("/GraphDriver.Changes", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].changes++
+		var req graphDriverRequest
+		if err := decReq(r.Body, &req, w); err != nil {
+			return
+		}
+
+		changes, err := driver.Changes(req.ID, req.Parent)
+		if err != nil {
+			respond(w, err)
+			return
+		}
+		respond(w, &graphDriverResponse{Changes: changes})
+	})
+
+	mux.HandleFunc("/GraphDriver.ApplyDiff", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].applydiff++
+		diff := r.Body
+		defer r.Body.Close()
+
+		id := r.URL.Query().Get("id")
+		parent := r.URL.Query().Get("parent")
+
+		if id == "" {
+			http.Error(w, fmt.Sprintf("missing id"), 409)
+		}
+
+		size, err := driver.ApplyDiff(id, parent, diff)
+		if err != nil {
+			respond(w, err)
+			return
+		}
+		respond(w, &graphDriverResponse{Size: size})
+	})
+
+	mux.HandleFunc("/GraphDriver.DiffSize", func(w http.ResponseWriter, r *http.Request) {
+		ec[ext].diffsize++
+
+		var req graphDriverRequest
+		if err := decReq(r.Body, &req, w); err != nil {
+			return
+		}
+
+		size, err := driver.DiffSize(req.ID, req.Parent)
+		if err != nil {
+			respond(w, err)
+			return
+		}
+		respond(w, &graphDriverResponse{Size: size})
+	})
+
+	err = os.MkdirAll("/etc/docker/plugins", 0755)
+	assert.NilError(t, err)
+
+	specFile := "/etc/docker/plugins/" + name + "." + ext
+	err = ioutil.WriteFile(specFile, b, 0644)
+	assert.NilError(t, err)
+}
+
+func testExternalGraphDriver(ext string, ec map[string]*graphEventsCounter) func(client.APIClient, *daemon.Daemon) func(*testing.T) {
+	return func(c client.APIClient, d *daemon.Daemon) func(*testing.T) {
+		return func(t *testing.T) {
+			driverName := fmt.Sprintf("%s-external-graph-driver", ext)
+			d.StartWithBusybox(t, "-s", driverName)
+
+			ctx := context.Background()
+
+			testGraphDriver(t, c, ctx, driverName, func(t *testing.T) {
+				d.Restart(t, "-s", driverName)
+			})
+
+			_, err := c.Info(ctx)
+			assert.NilError(t, err)
+
+			d.Stop(t)
+
+			// Don't check ec.exists, because the daemon no longer calls the
+			// Exists function.
+			assert.Check(t, is.Equal(ec[ext].activations, 2))
+			assert.Check(t, is.Equal(ec[ext].init, 2))
+			assert.Check(t, ec[ext].creations >= 1)
+			assert.Check(t, ec[ext].removals >= 1)
+			assert.Check(t, ec[ext].gets >= 1)
+			assert.Check(t, ec[ext].puts >= 1)
+			assert.Check(t, is.Equal(ec[ext].stats, 5))
+			assert.Check(t, is.Equal(ec[ext].cleanups, 2))
+			assert.Check(t, ec[ext].applydiff >= 1)
+			assert.Check(t, is.Equal(ec[ext].changes, 1))
+			assert.Check(t, is.Equal(ec[ext].diffsize, 0))
+			assert.Check(t, is.Equal(ec[ext].diff, 0))
+			assert.Check(t, is.Equal(ec[ext].metadata, 1))
+		}
+	}
+}
+
+func testGraphDriverPull(c client.APIClient, d *daemon.Daemon) func(*testing.T) {
+	return func(t *testing.T) {
+		d.Start(t)
+		defer d.Stop(t)
+		ctx := context.Background()
+
+		r, err := c.ImagePull(ctx, "busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0", types.ImagePullOptions{})
+		assert.NilError(t, err)
+		_, err = io.Copy(ioutil.Discard, r)
+		assert.NilError(t, err)
+
+		container.Run(t, ctx, c, container.WithImage("busybox:latest@sha256:bbc3a03235220b170ba48a157dd097dd1379299370e1ed99ce976df0355d24f0"))
+	}
+}
+
+func TestGraphdriverPluginV2(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows")
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot run daemon when remote daemon")
+	skip.If(t, !requirement.HasHubConnectivity(t))
+	skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
+	skip.If(t, !requirement.Overlay2Supported(testEnv.DaemonInfo.KernelVersion))
+
+	d := daemon.New(t, daemon.WithExperimental)
+	d.Start(t)
+	defer d.Stop(t)
+
+	client := d.NewClientT(t)
+	defer client.Close()
+	ctx := context.Background()
+
+	// install the plugin
+	plugin := "cpuguy83/docker-overlay2-graphdriver-plugin"
+	responseReader, err := client.PluginInstall(ctx, plugin, types.PluginInstallOptions{
+		RemoteRef:            plugin,
+		AcceptAllPermissions: true,
+	})
+	defer responseReader.Close()
+	assert.NilError(t, err)
+	// ensure it's done by waiting for EOF on the response
+	_, err = io.Copy(ioutil.Discard, responseReader)
+	assert.NilError(t, err)
+
+	// restart the daemon with the plugin set as the storage driver
+	d.Stop(t)
+	d.StartWithBusybox(t, "-s", plugin, "--storage-opt", "overlay2.override_kernel_check=1")
+
+	testGraphDriver(t, client, ctx, plugin, nil)
+}
+
+func testGraphDriver(t *testing.T, c client.APIClient, ctx context.Context, driverName string, afterContainerRunFn func(*testing.T)) { //nolint: golint
+	id := container.Run(t, ctx, c, container.WithCmd("sh", "-c", "echo hello > /hello"))
+
+	if afterContainerRunFn != nil {
+		afterContainerRunFn(t)
+	}
+
+	i, err := c.ContainerInspect(ctx, id)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(i.GraphDriver.Name, driverName))
+
+	diffs, err := c.ContainerDiff(ctx, id)
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(diffs, containertypes.ContainerChangeResponseItem{
+		Kind: archive.ChangeAdd,
+		Path: "/hello",
+	}), "diffs: %v", diffs)
+
+	err = c.ContainerRemove(ctx, id, types.ContainerRemoveOptions{
+		Force: true,
+	})
+	assert.NilError(t, err)
+}
diff --git a/engine/integration/plugin/graphdriver/main_test.go b/engine/integration/plugin/graphdriver/main_test.go
new file mode 100644
index 00000000..6b6c1a12
--- /dev/null
+++ b/engine/integration/plugin/graphdriver/main_test.go
@@ -0,0 +1,36 @@
+package graphdriver // import "github.com/docker/docker/integration/plugin/graphdriver"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+	"github.com/docker/docker/pkg/reexec"
+)
+
+var (
+	testEnv *environment.Execution
+)
+
+func init() {
+	reexec.Init() // This is required for external graphdriver tests
+}
+
+const dockerdBinary = "dockerd"
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	testEnv.Print()
+	os.Exit(m.Run())
+}
diff --git a/engine/integration/plugin/logging/cmd/close_on_start/main.go b/engine/integration/plugin/logging/cmd/close_on_start/main.go
new file mode 100644
index 00000000..6891d6a9
--- /dev/null
+++ b/engine/integration/plugin/logging/cmd/close_on_start/main.go
@@ -0,0 +1,48 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+)
+
+type start struct {
+	File string
+}
+
+func main() {
+	l, err := net.Listen("unix", "/run/docker/plugins/plugin.sock")
+	if err != nil {
+		panic(err)
+	}
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/LogDriver.StartLogging", func(w http.ResponseWriter, req *http.Request) {
+		startReq := &start{}
+		if err := json.NewDecoder(req.Body).Decode(startReq); err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		f, err := os.OpenFile(startReq.File, os.O_RDONLY, 0600)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		// Close the file immediately, this allows us to test what happens in the daemon when the plugin has closed the
+		// file or, for example, the plugin has crashed.
+		f.Close()
+
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintln(w, `{}`)
+	})
+	server := http.Server{
+		Addr:    l.Addr().String(),
+		Handler: mux,
+	}
+
+	server.Serve(l)
+}
diff --git a/engine/integration/plugin/logging/cmd/close_on_start/main_test.go b/engine/integration/plugin/logging/cmd/close_on_start/main_test.go
new file mode 100644
index 00000000..06ab7d0f
--- /dev/null
+++ b/engine/integration/plugin/logging/cmd/close_on_start/main_test.go
@@ -0,0 +1 @@
+package main
diff --git a/engine/integration/plugin/logging/cmd/cmd_test.go b/engine/integration/plugin/logging/cmd/cmd_test.go
new file mode 100644
index 00000000..1d619dd0
--- /dev/null
+++ b/engine/integration/plugin/logging/cmd/cmd_test.go
@@ -0,0 +1 @@
+package cmd
diff --git a/engine/integration/plugin/logging/cmd/dummy/main.go b/engine/integration/plugin/logging/cmd/dummy/main.go
new file mode 100644
index 00000000..f91b4f3b
--- /dev/null
+++ b/engine/integration/plugin/logging/cmd/dummy/main.go
@@ -0,0 +1,19 @@
+package main
+
+import (
+	"net"
+	"net/http"
+)
+
+func main() {
+	l, err := net.Listen("unix", "/run/docker/plugins/plugin.sock")
+	if err != nil {
+		panic(err)
+	}
+
+	server := http.Server{
+		Addr:    l.Addr().String(),
+		Handler: http.NewServeMux(),
+	}
+	server.Serve(l)
+}
diff --git a/engine/integration/plugin/logging/cmd/dummy/main_test.go b/engine/integration/plugin/logging/cmd/dummy/main_test.go
new file mode 100644
index 00000000..06ab7d0f
--- /dev/null
+++ b/engine/integration/plugin/logging/cmd/dummy/main_test.go
@@ -0,0 +1 @@
+package main
diff --git a/engine/integration/plugin/logging/helpers_test.go b/engine/integration/plugin/logging/helpers_test.go
new file mode 100644
index 00000000..dbdd36b9
--- /dev/null
+++ b/engine/integration/plugin/logging/helpers_test.go
@@ -0,0 +1,67 @@
+package logging
+
+import (
+	"context"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/internal/test/fixtures/plugin"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/pkg/errors"
+)
+
+var pluginBuildLock = locker.New()
+
+func ensurePlugin(t *testing.T, name string) string {
+	pluginBuildLock.Lock(name)
+	defer pluginBuildLock.Unlock(name)
+
+	installPath := filepath.Join(os.Getenv("GOPATH"), "bin", name)
+	if _, err := os.Stat(installPath); err == nil {
+		return installPath
+	}
+
+	goBin, err := exec.LookPath("go")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cmd := exec.Command(goBin, "build", "-o", installPath, "./"+filepath.Join("cmd", name))
+	cmd.Env = append(cmd.Env, "CGO_ENABLED=0")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		t.Fatal(errors.Wrapf(err, "error building basic plugin bin: %s", string(out)))
+	}
+
+	return installPath
+}
+
+func withSockPath(name string) func(*plugin.Config) {
+	return func(cfg *plugin.Config) {
+		cfg.Interface.Socket = name
+	}
+}
+
+func createPlugin(t *testing.T, client plugin.CreateClient, alias, bin string, opts ...plugin.CreateOpt) {
+	pluginBin := ensurePlugin(t, bin)
+
+	opts = append(opts, withSockPath("plugin.sock"))
+	opts = append(opts, plugin.WithBinary(pluginBin))
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	err := plugin.Create(ctx, client, alias, opts...)
+	cancel()
+
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func asLogDriver(cfg *plugin.Config) {
+	cfg.Interface.Types = []types.PluginInterfaceType{
+		{Capability: "logdriver", Prefix: "docker", Version: "1.0"},
+	}
+}
diff --git a/engine/integration/plugin/logging/logging_test.go b/engine/integration/plugin/logging/logging_test.go
new file mode 100644
index 00000000..3921fa6e
--- /dev/null
+++ b/engine/integration/plugin/logging/logging_test.go
@@ -0,0 +1,79 @@
+package logging
+
+import (
+	"bufio"
+	"context"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/daemon"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+func TestContinueAfterPluginCrash(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon(), "test requires daemon on the same host")
+	t.Parallel()
+
+	d := daemon.New(t)
+	d.StartWithBusybox(t, "--iptables=false", "--init")
+	defer d.Stop(t)
+
+	client := d.NewClientT(t)
+	createPlugin(t, client, "test", "close_on_start", asLogDriver)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	assert.Assert(t, client.PluginEnable(ctx, "test", types.PluginEnableOptions{Timeout: 30}))
+	cancel()
+	defer client.PluginRemove(context.Background(), "test", types.PluginRemoveOptions{Force: true})
+
+	ctx, cancel = context.WithTimeout(context.Background(), 60*time.Second)
+
+	id := container.Run(t, ctx, client,
+		container.WithAutoRemove,
+		container.WithLogDriver("test"),
+		container.WithCmd(
+			"/bin/sh", "-c", "while true; do sleep 1; echo hello; done",
+		),
+	)
+	cancel()
+	defer client.ContainerRemove(context.Background(), id, types.ContainerRemoveOptions{Force: true})
+
+	// Attach to the container to make sure it's written a few times to stdout
+	attach, err := client.ContainerAttach(context.Background(), id, types.ContainerAttachOptions{Stream: true, Stdout: true})
+	assert.Assert(t, err)
+
+	chErr := make(chan error)
+	go func() {
+		defer close(chErr)
+		rdr := bufio.NewReader(attach.Reader)
+		for i := 0; i < 5; i++ {
+			_, _, err := rdr.ReadLine()
+			if err != nil {
+				chErr <- err
+				return
+			}
+		}
+	}()
+
+	select {
+	case err := <-chErr:
+		assert.Assert(t, err)
+	case <-time.After(60 * time.Second):
+		t.Fatal("timeout waiting for container i/o")
+	}
+
+	// check daemon logs for "broken pipe"
+	// TODO(@cpuguy83): This is horribly hacky but is the only way to really test this case right now.
+	// It would be nice if there was a way to know that a broken pipe has occurred without looking through the logs.
+	log, err := os.Open(d.LogFileName())
+	assert.Assert(t, err)
+	scanner := bufio.NewScanner(log)
+	for scanner.Scan() {
+		assert.Assert(t, !strings.Contains(scanner.Text(), "broken pipe"))
+	}
+}
diff --git a/engine/integration/plugin/logging/main_test.go b/engine/integration/plugin/logging/main_test.go
new file mode 100644
index 00000000..e1292a57
--- /dev/null
+++ b/engine/integration/plugin/logging/main_test.go
@@ -0,0 +1,29 @@
+package logging // import "github.com/docker/docker/integration/plugin/logging"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var (
+	testEnv *environment.Execution
+)
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	testEnv.Print()
+	os.Exit(m.Run())
+}
diff --git a/engine/integration/plugin/logging/validation_test.go b/engine/integration/plugin/logging/validation_test.go
new file mode 100644
index 00000000..0d9b15ef
--- /dev/null
+++ b/engine/integration/plugin/logging/validation_test.go
@@ -0,0 +1,35 @@
+package logging
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/internal/test/daemon"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+// Regression test for #35553
+// Ensure that a daemon with a log plugin set as the default logger for containers
+// does not keep the daemon from starting.
+func TestDaemonStartWithLogOpt(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot run daemon when remote daemon")
+	t.Parallel()
+
+	d := daemon.New(t)
+	d.Start(t, "--iptables=false")
+	defer d.Stop(t)
+
+	client, err := d.NewClient()
+	assert.Check(t, err)
+	ctx := context.Background()
+
+	createPlugin(t, client, "test", "dummy", asLogDriver)
+	err = client.PluginEnable(ctx, "test", types.PluginEnableOptions{Timeout: 30})
+	assert.Check(t, err)
+	defer client.PluginRemove(ctx, "test", types.PluginRemoveOptions{Force: true})
+
+	d.Stop(t)
+	d.Start(t, "--iptables=false", "--log-driver=test", "--log-opt=foo=bar")
+}
diff --git a/engine/integration/plugin/pkg_test.go b/engine/integration/plugin/pkg_test.go
new file mode 100644
index 00000000..b56d3e2b
--- /dev/null
+++ b/engine/integration/plugin/pkg_test.go
@@ -0,0 +1 @@
+package plugin // import "github.com/docker/docker/integration/plugin"
diff --git a/engine/integration/plugin/volumes/cmd/cmd_test.go b/engine/integration/plugin/volumes/cmd/cmd_test.go
new file mode 100644
index 00000000..1d619dd0
--- /dev/null
+++ b/engine/integration/plugin/volumes/cmd/cmd_test.go
@@ -0,0 +1 @@
+package cmd
diff --git a/engine/integration/plugin/volumes/cmd/dummy/main.go b/engine/integration/plugin/volumes/cmd/dummy/main.go
new file mode 100644
index 00000000..f91b4f3b
--- /dev/null
+++ b/engine/integration/plugin/volumes/cmd/dummy/main.go
@@ -0,0 +1,19 @@
+package main
+
+import (
+	"net"
+	"net/http"
+)
+
+func main() {
+	l, err := net.Listen("unix", "/run/docker/plugins/plugin.sock")
+	if err != nil {
+		panic(err)
+	}
+
+	server := http.Server{
+		Addr:    l.Addr().String(),
+		Handler: http.NewServeMux(),
+	}
+	server.Serve(l)
+}
diff --git a/engine/integration/plugin/volumes/cmd/dummy/main_test.go b/engine/integration/plugin/volumes/cmd/dummy/main_test.go
new file mode 100644
index 00000000..06ab7d0f
--- /dev/null
+++ b/engine/integration/plugin/volumes/cmd/dummy/main_test.go
@@ -0,0 +1 @@
+package main
diff --git a/engine/integration/plugin/volumes/helpers_test.go b/engine/integration/plugin/volumes/helpers_test.go
new file mode 100644
index 00000000..36aafd59
--- /dev/null
+++ b/engine/integration/plugin/volumes/helpers_test.go
@@ -0,0 +1,73 @@
+package volumes
+
+import (
+	"context"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/internal/test/fixtures/plugin"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/pkg/errors"
+)
+
+var pluginBuildLock = locker.New()
+
+// ensurePlugin makes the that a plugin binary has been installed on the system.
+// Plugins that have not been installed are built from `cmd/<name>`.
+func ensurePlugin(t *testing.T, name string) string {
+	pluginBuildLock.Lock(name)
+	defer pluginBuildLock.Unlock(name)
+
+	goPath := os.Getenv("GOPATH")
+	if goPath == "" {
+		goPath = "/go"
+	}
+	installPath := filepath.Join(goPath, "bin", name)
+	if _, err := os.Stat(installPath); err == nil {
+		return installPath
+	}
+
+	goBin, err := exec.LookPath("go")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cmd := exec.Command(goBin, "build", "-o", installPath, "./"+filepath.Join("cmd", name))
+	cmd.Env = append(cmd.Env, "CGO_ENABLED=0")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		t.Fatal(errors.Wrapf(err, "error building basic plugin bin: %s", string(out)))
+	}
+
+	return installPath
+}
+
+func withSockPath(name string) func(*plugin.Config) {
+	return func(cfg *plugin.Config) {
+		cfg.Interface.Socket = name
+	}
+}
+
+func createPlugin(t *testing.T, client plugin.CreateClient, alias, bin string, opts ...plugin.CreateOpt) {
+	pluginBin := ensurePlugin(t, bin)
+
+	opts = append(opts, withSockPath("plugin.sock"))
+	opts = append(opts, plugin.WithBinary(pluginBin))
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	err := plugin.Create(ctx, client, alias, opts...)
+	cancel()
+
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func asVolumeDriver(cfg *plugin.Config) {
+	cfg.Interface.Types = []types.PluginInterfaceType{
+		{Capability: "volumedriver", Prefix: "docker", Version: "1.0"},
+	}
+}
diff --git a/engine/integration/plugin/volumes/main_test.go b/engine/integration/plugin/volumes/main_test.go
new file mode 100644
index 00000000..5a5678d9
--- /dev/null
+++ b/engine/integration/plugin/volumes/main_test.go
@@ -0,0 +1,32 @@
+package volumes // import "github.com/docker/docker/integration/plugin/volumes"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var (
+	testEnv *environment.Execution
+)
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	if testEnv.OSType != "linux" {
+		os.Exit(0)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	testEnv.Print()
+	os.Exit(m.Run())
+}
diff --git a/engine/integration/plugin/volumes/mounts_test.go b/engine/integration/plugin/volumes/mounts_test.go
new file mode 100644
index 00000000..4b422ee5
--- /dev/null
+++ b/engine/integration/plugin/volumes/mounts_test.go
@@ -0,0 +1,58 @@
+package volumes
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/internal/test/fixtures/plugin"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+// TestPluginWithDevMounts tests very specific regression caused by mounts ordering
+// (sorted in the daemon). See #36698
+func TestPluginWithDevMounts(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot run daemon when remote daemon")
+	t.Parallel()
+
+	d := daemon.New(t)
+	d.Start(t, "--iptables=false")
+	defer d.Stop(t)
+
+	client, err := d.NewClient()
+	assert.Assert(t, err)
+	ctx := context.Background()
+
+	testDir, err := ioutil.TempDir("", "test-dir")
+	assert.Assert(t, err)
+	defer os.RemoveAll(testDir)
+
+	createPlugin(t, client, "test", "dummy", asVolumeDriver, func(c *plugin.Config) {
+		root := "/"
+		dev := "/dev"
+		mounts := []types.PluginMount{
+			{Type: "bind", Source: &root, Destination: "/host", Options: []string{"rbind"}},
+			{Type: "bind", Source: &dev, Destination: "/dev", Options: []string{"rbind"}},
+			{Type: "bind", Source: &testDir, Destination: "/etc/foo", Options: []string{"rbind"}},
+		}
+		c.PluginConfig.Mounts = append(c.PluginConfig.Mounts, mounts...)
+		c.PropagatedMount = "/propagated"
+		c.Network = types.PluginConfigNetwork{Type: "host"}
+		c.IpcHost = true
+	})
+
+	err = client.PluginEnable(ctx, "test", types.PluginEnableOptions{Timeout: 30})
+	assert.Assert(t, err)
+	defer func() {
+		err := client.PluginRemove(ctx, "test", types.PluginRemoveOptions{Force: true})
+		assert.Check(t, err)
+	}()
+
+	p, _, err := client.PluginInspectWithRaw(ctx, "test")
+	assert.Assert(t, err)
+	assert.Assert(t, p.Enabled)
+}
diff --git a/engine/integration/secret/main_test.go b/engine/integration/secret/main_test.go
new file mode 100644
index 00000000..abd4eef9
--- /dev/null
+++ b/engine/integration/secret/main_test.go
@@ -0,0 +1,33 @@
+package secret // import "github.com/docker/docker/integration/secret"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/secret/secret_test.go b/engine/integration/secret/secret_test.go
new file mode 100644
index 00000000..ecc3108f
--- /dev/null
+++ b/engine/integration/secret/secret_test.go
@@ -0,0 +1,366 @@
+package secret // import "github.com/docker/docker/integration/secret"
+
+import (
+	"bytes"
+	"context"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/swarm"
+	"github.com/docker/docker/pkg/stdcopy"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestSecretInspect(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	ctx := context.Background()
+
+	testName := "test_secret_" + t.Name()
+	secretID := createSecret(ctx, t, client, testName, []byte("TESTINGDATA"), nil)
+
+	secret, _, err := client.SecretInspectWithRaw(context.Background(), secretID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(secret.Spec.Name, testName))
+
+	secret, _, err = client.SecretInspectWithRaw(context.Background(), testName)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(secretID, secretID))
+}
+
+func TestSecretList(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+	ctx := context.Background()
+
+	testName0 := "test0_" + t.Name()
+	testName1 := "test1_" + t.Name()
+	testNames := []string{testName0, testName1}
+	sort.Strings(testNames)
+
+	// create secret test0
+	createSecret(ctx, t, client, testName0, []byte("TESTINGDATA0"), map[string]string{"type": "test"})
+
+	// create secret test1
+	secret1ID := createSecret(ctx, t, client, testName1, []byte("TESTINGDATA1"), map[string]string{"type": "production"})
+
+	names := func(entries []swarmtypes.Secret) []string {
+		var values []string
+		for _, entry := range entries {
+			values = append(values, entry.Spec.Name)
+		}
+		sort.Strings(values)
+		return values
+	}
+
+	// test by `secret ls`
+	entries, err := client.SecretList(ctx, types.SecretListOptions{})
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(names(entries), testNames))
+
+	testCases := []struct {
+		filters  filters.Args
+		expected []string
+	}{
+		// test filter by name `secret ls --filter name=xxx`
+		{
+			filters:  filters.NewArgs(filters.Arg("name", testName0)),
+			expected: []string{testName0},
+		},
+		// test filter by id `secret ls --filter id=xxx`
+		{
+			filters:  filters.NewArgs(filters.Arg("id", secret1ID)),
+			expected: []string{testName1},
+		},
+		// test filter by label `secret ls --filter label=xxx`
+		{
+			filters:  filters.NewArgs(filters.Arg("label", "type")),
+			expected: testNames,
+		},
+		{
+			filters:  filters.NewArgs(filters.Arg("label", "type=test")),
+			expected: []string{testName0},
+		},
+		{
+			filters:  filters.NewArgs(filters.Arg("label", "type=production")),
+			expected: []string{testName1},
+		},
+	}
+	for _, tc := range testCases {
+		entries, err = client.SecretList(ctx, types.SecretListOptions{
+			Filters: tc.filters,
+		})
+		assert.NilError(t, err)
+		assert.Check(t, is.DeepEqual(names(entries), tc.expected))
+
+	}
+}
+
+func createSecret(ctx context.Context, t *testing.T, client client.APIClient, name string, data []byte, labels map[string]string) string {
+	secret, err := client.SecretCreate(ctx, swarmtypes.SecretSpec{
+		Annotations: swarmtypes.Annotations{
+			Name:   name,
+			Labels: labels,
+		},
+		Data: data,
+	})
+	assert.NilError(t, err)
+	assert.Check(t, secret.ID != "")
+	return secret.ID
+}
+
+func TestSecretsCreateAndDelete(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+	ctx := context.Background()
+
+	testName := "test_secret_" + t.Name()
+	secretID := createSecret(ctx, t, client, testName, []byte("TESTINGDATA"), nil)
+
+	// create an already existin secret, daemon should return a status code of 409
+	_, err := client.SecretCreate(ctx, swarmtypes.SecretSpec{
+		Annotations: swarmtypes.Annotations{
+			Name: testName,
+		},
+		Data: []byte("TESTINGDATA"),
+	})
+	assert.Check(t, is.ErrorContains(err, "already exists"))
+
+	// Ported from original TestSecretsDelete
+	err = client.SecretRemove(ctx, secretID)
+	assert.NilError(t, err)
+
+	_, _, err = client.SecretInspectWithRaw(ctx, secretID)
+	assert.Check(t, is.ErrorContains(err, "No such secret"))
+
+	err = client.SecretRemove(ctx, "non-existin")
+	assert.Check(t, is.ErrorContains(err, "No such secret: non-existin"))
+
+	// Ported from original TestSecretsCreteaWithLabels
+	testName = "test_secret_with_labels_" + t.Name()
+	secretID = createSecret(ctx, t, client, testName, []byte("TESTINGDATA"), map[string]string{
+		"key1": "value1",
+		"key2": "value2",
+	})
+
+	insp, _, err := client.SecretInspectWithRaw(ctx, secretID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.Spec.Name, testName))
+	assert.Check(t, is.Equal(len(insp.Spec.Labels), 2))
+	assert.Check(t, is.Equal(insp.Spec.Labels["key1"], "value1"))
+	assert.Check(t, is.Equal(insp.Spec.Labels["key2"], "value2"))
+}
+
+func TestSecretsUpdate(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "linux")
+
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+	ctx := context.Background()
+
+	testName := "test_secret_" + t.Name()
+	secretID := createSecret(ctx, t, client, testName, []byte("TESTINGDATA"), nil)
+
+	insp, _, err := client.SecretInspectWithRaw(ctx, secretID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.ID, secretID))
+
+	// test UpdateSecret with full ID
+	insp.Spec.Labels = map[string]string{"test": "test1"}
+	err = client.SecretUpdate(ctx, secretID, insp.Version, insp.Spec)
+	assert.NilError(t, err)
+
+	insp, _, err = client.SecretInspectWithRaw(ctx, secretID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.Spec.Labels["test"], "test1"))
+
+	// test UpdateSecret with full name
+	insp.Spec.Labels = map[string]string{"test": "test2"}
+	err = client.SecretUpdate(ctx, testName, insp.Version, insp.Spec)
+	assert.NilError(t, err)
+
+	insp, _, err = client.SecretInspectWithRaw(ctx, secretID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.Spec.Labels["test"], "test2"))
+
+	// test UpdateSecret with prefix ID
+	insp.Spec.Labels = map[string]string{"test": "test3"}
+	err = client.SecretUpdate(ctx, secretID[:1], insp.Version, insp.Spec)
+	assert.NilError(t, err)
+
+	insp, _, err = client.SecretInspectWithRaw(ctx, secretID)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(insp.Spec.Labels["test"], "test3"))
+
+	// test UpdateSecret in updating Data which is not supported in daemon
+	// this test will produce an error in func UpdateSecret
+	insp.Spec.Data = []byte("TESTINGDATA2")
+	err = client.SecretUpdate(ctx, secretID, insp.Version, insp.Spec)
+	assert.Check(t, is.ErrorContains(err, "only updates to Labels are allowed"))
+}
+
+func TestTemplatedSecret(t *testing.T) {
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+	ctx := context.Background()
+
+	referencedSecretName := "referencedsecret_" + t.Name()
+	referencedSecretSpec := swarmtypes.SecretSpec{
+		Annotations: swarmtypes.Annotations{
+			Name: referencedSecretName,
+		},
+		Data: []byte("this is a secret"),
+	}
+	referencedSecret, err := client.SecretCreate(ctx, referencedSecretSpec)
+	assert.Check(t, err)
+
+	referencedConfigName := "referencedconfig_" + t.Name()
+	referencedConfigSpec := swarmtypes.ConfigSpec{
+		Annotations: swarmtypes.Annotations{
+			Name: referencedConfigName,
+		},
+		Data: []byte("this is a config"),
+	}
+	referencedConfig, err := client.ConfigCreate(ctx, referencedConfigSpec)
+	assert.Check(t, err)
+
+	templatedSecretName := "templated_secret_" + t.Name()
+	secretSpec := swarmtypes.SecretSpec{
+		Annotations: swarmtypes.Annotations{
+			Name: templatedSecretName,
+		},
+		Templating: &swarmtypes.Driver{
+			Name: "golang",
+		},
+		Data: []byte("SERVICE_NAME={{.Service.Name}}\n" +
+			"{{secret \"referencedsecrettarget\"}}\n" +
+			"{{config \"referencedconfigtarget\"}}\n"),
+	}
+
+	templatedSecret, err := client.SecretCreate(ctx, secretSpec)
+	assert.Check(t, err)
+
+	serviceName := "svc_" + t.Name()
+	serviceID := swarm.CreateService(t, d,
+		swarm.ServiceWithSecret(
+			&swarmtypes.SecretReference{
+				File: &swarmtypes.SecretReferenceFileTarget{
+					Name: "templated_secret",
+					UID:  "0",
+					GID:  "0",
+					Mode: 0600,
+				},
+				SecretID:   templatedSecret.ID,
+				SecretName: templatedSecretName,
+			},
+		),
+		swarm.ServiceWithConfig(
+			&swarmtypes.ConfigReference{
+				File: &swarmtypes.ConfigReferenceFileTarget{
+					Name: "referencedconfigtarget",
+					UID:  "0",
+					GID:  "0",
+					Mode: 0600,
+				},
+				ConfigID:   referencedConfig.ID,
+				ConfigName: referencedConfigName,
+			},
+		),
+		swarm.ServiceWithSecret(
+			&swarmtypes.SecretReference{
+				File: &swarmtypes.SecretReferenceFileTarget{
+					Name: "referencedsecrettarget",
+					UID:  "0",
+					GID:  "0",
+					Mode: 0600,
+				},
+				SecretID:   referencedSecret.ID,
+				SecretName: referencedSecretName,
+			},
+		),
+		swarm.ServiceWithName(serviceName),
+	)
+
+	var tasks []swarmtypes.Task
+	waitAndAssert(t, 60*time.Second, func(t *testing.T) bool {
+		tasks = swarm.GetRunningTasks(t, d, serviceID)
+		return len(tasks) > 0
+	})
+
+	task := tasks[0]
+	waitAndAssert(t, 60*time.Second, func(t *testing.T) bool {
+		if task.NodeID == "" || (task.Status.ContainerStatus == nil || task.Status.ContainerStatus.ContainerID == "") {
+			task, _, _ = client.TaskInspectWithRaw(context.Background(), task.ID)
+		}
+		return task.NodeID != "" && task.Status.ContainerStatus != nil && task.Status.ContainerStatus.ContainerID != ""
+	})
+
+	attach := swarm.ExecTask(t, d, task, types.ExecConfig{
+		Cmd:          []string{"/bin/cat", "/run/secrets/templated_secret"},
+		AttachStdout: true,
+		AttachStderr: true,
+	})
+
+	expect := "SERVICE_NAME=" + serviceName + "\n" +
+		"this is a secret\n" +
+		"this is a config\n"
+	assertAttachedStream(t, attach, expect)
+
+	attach = swarm.ExecTask(t, d, task, types.ExecConfig{
+		Cmd:          []string{"mount"},
+		AttachStdout: true,
+		AttachStderr: true,
+	})
+	assertAttachedStream(t, attach, "tmpfs on /run/secrets/templated_secret type tmpfs")
+}
+
+func assertAttachedStream(t *testing.T, attach types.HijackedResponse, expect string) {
+	buf := bytes.NewBuffer(nil)
+	_, err := stdcopy.StdCopy(buf, buf, attach.Reader)
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(buf.String(), expect))
+}
+
+func waitAndAssert(t *testing.T, timeout time.Duration, f func(*testing.T) bool) {
+	t.Helper()
+	after := time.After(timeout)
+	for {
+		select {
+		case <-after:
+			t.Fatalf("timed out waiting for condition")
+		default:
+		}
+		if f(t) {
+			return
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+}
diff --git a/engine/integration/service/create_test.go b/engine/integration/service/create_test.go
new file mode 100644
index 00000000..a89ae0a1
--- /dev/null
+++ b/engine/integration/service/create_test.go
@@ -0,0 +1,374 @@
+package service // import "github.com/docker/docker/integration/service"
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/network"
+	"github.com/docker/docker/integration/internal/swarm"
+	"github.com/docker/docker/internal/test/daemon"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+)
+
+func TestServiceCreateInit(t *testing.T) {
+	defer setupTest(t)()
+	t.Run("daemonInitDisabled", testServiceCreateInit(false))
+	t.Run("daemonInitEnabled", testServiceCreateInit(true))
+}
+
+func testServiceCreateInit(daemonEnabled bool) func(t *testing.T) {
+	return func(t *testing.T) {
+		var ops = []func(*daemon.Daemon){}
+
+		if daemonEnabled {
+			ops = append(ops, daemon.WithInit)
+		}
+		d := swarm.NewSwarm(t, testEnv, ops...)
+		defer d.Stop(t)
+		client := d.NewClientT(t)
+		defer client.Close()
+
+		booleanTrue := true
+		booleanFalse := false
+
+		serviceID := swarm.CreateService(t, d)
+		poll.WaitOn(t, serviceRunningTasksCount(client, serviceID, 1), swarm.ServicePoll)
+		i := inspectServiceContainer(t, client, serviceID)
+		// HostConfig.Init == nil means that it delegates to daemon configuration
+		assert.Check(t, i.HostConfig.Init == nil)
+
+		serviceID = swarm.CreateService(t, d, swarm.ServiceWithInit(&booleanTrue))
+		poll.WaitOn(t, serviceRunningTasksCount(client, serviceID, 1), swarm.ServicePoll)
+		i = inspectServiceContainer(t, client, serviceID)
+		assert.Check(t, is.Equal(true, *i.HostConfig.Init))
+
+		serviceID = swarm.CreateService(t, d, swarm.ServiceWithInit(&booleanFalse))
+		poll.WaitOn(t, serviceRunningTasksCount(client, serviceID, 1), swarm.ServicePoll)
+		i = inspectServiceContainer(t, client, serviceID)
+		assert.Check(t, is.Equal(false, *i.HostConfig.Init))
+	}
+}
+
+func inspectServiceContainer(t *testing.T, client client.APIClient, serviceID string) types.ContainerJSON {
+	t.Helper()
+	filter := filters.NewArgs()
+	filter.Add("label", fmt.Sprintf("com.docker.swarm.service.id=%s", serviceID))
+	containers, err := client.ContainerList(context.Background(), types.ContainerListOptions{Filters: filter})
+	assert.NilError(t, err)
+	assert.Check(t, is.Len(containers, 1))
+
+	i, err := client.ContainerInspect(context.Background(), containers[0].ID)
+	assert.NilError(t, err)
+	return i
+}
+
+func TestCreateServiceMultipleTimes(t *testing.T) {
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	overlayName := "overlay1_" + t.Name()
+	overlayID := network.CreateNoError(t, context.Background(), client, overlayName,
+		network.WithCheckDuplicate(),
+		network.WithDriver("overlay"),
+	)
+
+	var instances uint64 = 4
+
+	serviceName := "TestService_" + t.Name()
+	serviceSpec := []swarm.ServiceSpecOpt{
+		swarm.ServiceWithReplicas(instances),
+		swarm.ServiceWithName(serviceName),
+		swarm.ServiceWithNetwork(overlayName),
+	}
+
+	serviceID := swarm.CreateService(t, d, serviceSpec...)
+	poll.WaitOn(t, serviceRunningTasksCount(client, serviceID, instances), swarm.ServicePoll)
+
+	_, _, err := client.ServiceInspectWithRaw(context.Background(), serviceID, types.ServiceInspectOptions{})
+	assert.NilError(t, err)
+
+	err = client.ServiceRemove(context.Background(), serviceID)
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, serviceIsRemoved(client, serviceID), swarm.ServicePoll)
+	poll.WaitOn(t, noTasks(client), swarm.ServicePoll)
+
+	serviceID2 := swarm.CreateService(t, d, serviceSpec...)
+	poll.WaitOn(t, serviceRunningTasksCount(client, serviceID2, instances), swarm.ServicePoll)
+
+	err = client.ServiceRemove(context.Background(), serviceID2)
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, serviceIsRemoved(client, serviceID2), swarm.ServicePoll)
+	poll.WaitOn(t, noTasks(client), swarm.ServicePoll)
+
+	err = client.NetworkRemove(context.Background(), overlayID)
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, networkIsRemoved(client, overlayID), poll.WithTimeout(1*time.Minute), poll.WithDelay(10*time.Second))
+}
+
+func TestCreateWithDuplicateNetworkNames(t *testing.T) {
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	name := "foo_" + t.Name()
+	n1 := network.CreateNoError(t, context.Background(), client, name,
+		network.WithDriver("bridge"),
+	)
+	n2 := network.CreateNoError(t, context.Background(), client, name,
+		network.WithDriver("bridge"),
+	)
+
+	// Dupliates with name but with different driver
+	n3 := network.CreateNoError(t, context.Background(), client, name,
+		network.WithDriver("overlay"),
+	)
+
+	// Create Service with the same name
+	var instances uint64 = 1
+
+	serviceName := "top_" + t.Name()
+	serviceID := swarm.CreateService(t, d,
+		swarm.ServiceWithReplicas(instances),
+		swarm.ServiceWithName(serviceName),
+		swarm.ServiceWithNetwork(name),
+	)
+
+	poll.WaitOn(t, serviceRunningTasksCount(client, serviceID, instances), swarm.ServicePoll)
+
+	resp, _, err := client.ServiceInspectWithRaw(context.Background(), serviceID, types.ServiceInspectOptions{})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(n3, resp.Spec.TaskTemplate.Networks[0].Target))
+
+	// Remove Service
+	err = client.ServiceRemove(context.Background(), serviceID)
+	assert.NilError(t, err)
+
+	// Make sure task has been destroyed.
+	poll.WaitOn(t, serviceIsRemoved(client, serviceID), swarm.ServicePoll)
+
+	// Remove networks
+	err = client.NetworkRemove(context.Background(), n3)
+	assert.NilError(t, err)
+
+	err = client.NetworkRemove(context.Background(), n2)
+	assert.NilError(t, err)
+
+	err = client.NetworkRemove(context.Background(), n1)
+	assert.NilError(t, err)
+
+	// Make sure networks have been destroyed.
+	poll.WaitOn(t, networkIsRemoved(client, n3), poll.WithTimeout(1*time.Minute), poll.WithDelay(10*time.Second))
+	poll.WaitOn(t, networkIsRemoved(client, n2), poll.WithTimeout(1*time.Minute), poll.WithDelay(10*time.Second))
+	poll.WaitOn(t, networkIsRemoved(client, n1), poll.WithTimeout(1*time.Minute), poll.WithDelay(10*time.Second))
+}
+
+func TestCreateServiceSecretFileMode(t *testing.T) {
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	ctx := context.Background()
+	secretName := "TestSecret_" + t.Name()
+	secretResp, err := client.SecretCreate(ctx, swarmtypes.SecretSpec{
+		Annotations: swarmtypes.Annotations{
+			Name: secretName,
+		},
+		Data: []byte("TESTSECRET"),
+	})
+	assert.NilError(t, err)
+
+	var instances uint64 = 1
+	serviceName := "TestService_" + t.Name()
+	serviceID := swarm.CreateService(t, d,
+		swarm.ServiceWithReplicas(instances),
+		swarm.ServiceWithName(serviceName),
+		swarm.ServiceWithCommand([]string{"/bin/sh", "-c", "ls -l /etc/secret || /bin/top"}),
+		swarm.ServiceWithSecret(&swarmtypes.SecretReference{
+			File: &swarmtypes.SecretReferenceFileTarget{
+				Name: "/etc/secret",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0777,
+			},
+			SecretID:   secretResp.ID,
+			SecretName: secretName,
+		}),
+	)
+
+	poll.WaitOn(t, serviceRunningTasksCount(client, serviceID, instances), swarm.ServicePoll)
+
+	filter := filters.NewArgs()
+	filter.Add("service", serviceID)
+	tasks, err := client.TaskList(ctx, types.TaskListOptions{
+		Filters: filter,
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(len(tasks), 1))
+
+	body, err := client.ContainerLogs(ctx, tasks[0].Status.ContainerStatus.ContainerID, types.ContainerLogsOptions{
+		ShowStdout: true,
+	})
+	assert.NilError(t, err)
+	defer body.Close()
+
+	content, err := ioutil.ReadAll(body)
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(string(content), "-rwxrwxrwx"))
+
+	err = client.ServiceRemove(ctx, serviceID)
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, serviceIsRemoved(client, serviceID), swarm.ServicePoll)
+	poll.WaitOn(t, noTasks(client), swarm.ServicePoll)
+
+	err = client.SecretRemove(ctx, secretName)
+	assert.NilError(t, err)
+}
+
+func TestCreateServiceConfigFileMode(t *testing.T) {
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	ctx := context.Background()
+	configName := "TestConfig_" + t.Name()
+	configResp, err := client.ConfigCreate(ctx, swarmtypes.ConfigSpec{
+		Annotations: swarmtypes.Annotations{
+			Name: configName,
+		},
+		Data: []byte("TESTCONFIG"),
+	})
+	assert.NilError(t, err)
+
+	var instances uint64 = 1
+	serviceName := "TestService_" + t.Name()
+	serviceID := swarm.CreateService(t, d,
+		swarm.ServiceWithName(serviceName),
+		swarm.ServiceWithCommand([]string{"/bin/sh", "-c", "ls -l /etc/config || /bin/top"}),
+		swarm.ServiceWithReplicas(instances),
+		swarm.ServiceWithConfig(&swarmtypes.ConfigReference{
+			File: &swarmtypes.ConfigReferenceFileTarget{
+				Name: "/etc/config",
+				UID:  "0",
+				GID:  "0",
+				Mode: 0777,
+			},
+			ConfigID:   configResp.ID,
+			ConfigName: configName,
+		}),
+	)
+
+	poll.WaitOn(t, serviceRunningTasksCount(client, serviceID, instances))
+
+	filter := filters.NewArgs()
+	filter.Add("service", serviceID)
+	tasks, err := client.TaskList(ctx, types.TaskListOptions{
+		Filters: filter,
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(len(tasks), 1))
+
+	body, err := client.ContainerLogs(ctx, tasks[0].Status.ContainerStatus.ContainerID, types.ContainerLogsOptions{
+		ShowStdout: true,
+	})
+	assert.NilError(t, err)
+	defer body.Close()
+
+	content, err := ioutil.ReadAll(body)
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(string(content), "-rwxrwxrwx"))
+
+	err = client.ServiceRemove(ctx, serviceID)
+	assert.NilError(t, err)
+
+	poll.WaitOn(t, serviceIsRemoved(client, serviceID))
+	poll.WaitOn(t, noTasks(client))
+
+	err = client.ConfigRemove(ctx, configName)
+	assert.NilError(t, err)
+}
+
+func serviceRunningTasksCount(client client.ServiceAPIClient, serviceID string, instances uint64) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		filter := filters.NewArgs()
+		filter.Add("service", serviceID)
+		tasks, err := client.TaskList(context.Background(), types.TaskListOptions{
+			Filters: filter,
+		})
+		switch {
+		case err != nil:
+			return poll.Error(err)
+		case len(tasks) == int(instances):
+			for _, task := range tasks {
+				if task.Status.State != swarmtypes.TaskStateRunning {
+					return poll.Continue("waiting for tasks to enter run state")
+				}
+			}
+			return poll.Success()
+		default:
+			return poll.Continue("task count at %d waiting for %d", len(tasks), instances)
+		}
+	}
+}
+
+func noTasks(client client.ServiceAPIClient) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		filter := filters.NewArgs()
+		tasks, err := client.TaskList(context.Background(), types.TaskListOptions{
+			Filters: filter,
+		})
+		switch {
+		case err != nil:
+			return poll.Error(err)
+		case len(tasks) == 0:
+			return poll.Success()
+		default:
+			return poll.Continue("task count at %d waiting for 0", len(tasks))
+		}
+	}
+}
+
+func serviceIsRemoved(client client.ServiceAPIClient, serviceID string) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		filter := filters.NewArgs()
+		filter.Add("service", serviceID)
+		_, err := client.TaskList(context.Background(), types.TaskListOptions{
+			Filters: filter,
+		})
+		if err == nil {
+			return poll.Continue("waiting for service %s to be deleted", serviceID)
+		}
+		return poll.Success()
+	}
+}
+
+func networkIsRemoved(client client.NetworkAPIClient, networkID string) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		_, err := client.NetworkInspect(context.Background(), networkID, types.NetworkInspectOptions{})
+		if err == nil {
+			return poll.Continue("waiting for network %s to be removed", networkID)
+		}
+		return poll.Success()
+	}
+}
diff --git a/engine/integration/service/inspect_test.go b/engine/integration/service/inspect_test.go
new file mode 100644
index 00000000..daeabcfe
--- /dev/null
+++ b/engine/integration/service/inspect_test.go
@@ -0,0 +1,153 @@
+package service // import "github.com/docker/docker/integration/service"
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/filters"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/integration/internal/swarm"
+	"github.com/google/go-cmp/cmp"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestInspect(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon())
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+
+	var now = time.Now()
+	var instances uint64 = 2
+	serviceSpec := fullSwarmServiceSpec("test-service-inspect", instances)
+
+	ctx := context.Background()
+	resp, err := client.ServiceCreate(ctx, serviceSpec, types.ServiceCreateOptions{
+		QueryRegistry: false,
+	})
+	assert.NilError(t, err)
+
+	id := resp.ID
+	poll.WaitOn(t, serviceContainerCount(client, id, instances))
+
+	service, _, err := client.ServiceInspectWithRaw(ctx, id, types.ServiceInspectOptions{})
+	assert.NilError(t, err)
+
+	expected := swarmtypes.Service{
+		ID:   id,
+		Spec: serviceSpec,
+		Meta: swarmtypes.Meta{
+			Version:   swarmtypes.Version{Index: uint64(11)},
+			CreatedAt: now,
+			UpdatedAt: now,
+		},
+	}
+	assert.Check(t, is.DeepEqual(service, expected, cmpServiceOpts()))
+}
+
+// TODO: use helpers from gotest.tools/assert/opt when available
+func cmpServiceOpts() cmp.Option {
+	const threshold = 20 * time.Second
+
+	metaTimeFields := func(path cmp.Path) bool {
+		switch path.String() {
+		case "Meta.CreatedAt", "Meta.UpdatedAt":
+			return true
+		}
+		return false
+	}
+	withinThreshold := cmp.Comparer(func(x, y time.Time) bool {
+		delta := x.Sub(y)
+		return delta < threshold && delta > -threshold
+	})
+
+	return cmp.FilterPath(metaTimeFields, withinThreshold)
+}
+
+func fullSwarmServiceSpec(name string, replicas uint64) swarmtypes.ServiceSpec {
+	restartDelay := 100 * time.Millisecond
+	maxAttempts := uint64(4)
+
+	return swarmtypes.ServiceSpec{
+		Annotations: swarmtypes.Annotations{
+			Name: name,
+			Labels: map[string]string{
+				"service-label": "service-label-value",
+			},
+		},
+		TaskTemplate: swarmtypes.TaskSpec{
+			ContainerSpec: &swarmtypes.ContainerSpec{
+				Image:           "busybox:latest",
+				Labels:          map[string]string{"container-label": "container-value"},
+				Command:         []string{"/bin/top"},
+				Args:            []string{"-u", "root"},
+				Hostname:        "hostname",
+				Env:             []string{"envvar=envvalue"},
+				Dir:             "/work",
+				User:            "root",
+				StopSignal:      "SIGINT",
+				StopGracePeriod: &restartDelay,
+				Hosts:           []string{"8.8.8.8  google"},
+				DNSConfig: &swarmtypes.DNSConfig{
+					Nameservers: []string{"8.8.8.8"},
+					Search:      []string{"somedomain"},
+				},
+				Isolation: container.IsolationDefault,
+			},
+			RestartPolicy: &swarmtypes.RestartPolicy{
+				Delay:       &restartDelay,
+				Condition:   swarmtypes.RestartPolicyConditionOnFailure,
+				MaxAttempts: &maxAttempts,
+			},
+			Runtime: swarmtypes.RuntimeContainer,
+		},
+		Mode: swarmtypes.ServiceMode{
+			Replicated: &swarmtypes.ReplicatedService{
+				Replicas: &replicas,
+			},
+		},
+		UpdateConfig: &swarmtypes.UpdateConfig{
+			Parallelism:     2,
+			Delay:           200 * time.Second,
+			FailureAction:   swarmtypes.UpdateFailureActionContinue,
+			Monitor:         2 * time.Second,
+			MaxFailureRatio: 0.2,
+			Order:           swarmtypes.UpdateOrderStopFirst,
+		},
+		RollbackConfig: &swarmtypes.UpdateConfig{
+			Parallelism:     3,
+			Delay:           300 * time.Second,
+			FailureAction:   swarmtypes.UpdateFailureActionPause,
+			Monitor:         3 * time.Second,
+			MaxFailureRatio: 0.3,
+			Order:           swarmtypes.UpdateOrderStartFirst,
+		},
+	}
+}
+
+func serviceContainerCount(client client.ServiceAPIClient, id string, count uint64) func(log poll.LogT) poll.Result {
+	return func(log poll.LogT) poll.Result {
+		filter := filters.NewArgs()
+		filter.Add("service", id)
+		tasks, err := client.TaskList(context.Background(), types.TaskListOptions{
+			Filters: filter,
+		})
+		switch {
+		case err != nil:
+			return poll.Error(err)
+		case len(tasks) == int(count):
+			return poll.Success()
+		default:
+			return poll.Continue("task count at %d waiting for %d", len(tasks), count)
+		}
+	}
+}
diff --git a/engine/integration/service/main_test.go b/engine/integration/service/main_test.go
new file mode 100644
index 00000000..28fd19df
--- /dev/null
+++ b/engine/integration/service/main_test.go
@@ -0,0 +1,33 @@
+package service // import "github.com/docker/docker/integration/service"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/service/network_test.go b/engine/integration/service/network_test.go
new file mode 100644
index 00000000..ba170fce
--- /dev/null
+++ b/engine/integration/service/network_test.go
@@ -0,0 +1,75 @@
+package service // import "github.com/docker/docker/integration/service"
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/integration/internal/container"
+	net "github.com/docker/docker/integration/internal/network"
+	"github.com/docker/docker/integration/internal/swarm"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestDockerNetworkConnectAlias(t *testing.T) {
+	defer setupTest(t)()
+	d := swarm.NewSwarm(t, testEnv)
+	defer d.Stop(t)
+	client := d.NewClientT(t)
+	defer client.Close()
+	ctx := context.Background()
+
+	name := t.Name() + "test-alias"
+	net.CreateNoError(t, ctx, client, name,
+		net.WithDriver("overlay"),
+		net.WithAttachable(),
+	)
+
+	cID1 := container.Create(t, ctx, client, func(c *container.TestContainerConfig) {
+		c.NetworkingConfig = &network.NetworkingConfig{
+			EndpointsConfig: map[string]*network.EndpointSettings{
+				name: {},
+			},
+		}
+	})
+
+	err := client.NetworkConnect(ctx, name, cID1, &network.EndpointSettings{
+		Aliases: []string{
+			"aaa",
+		},
+	})
+	assert.NilError(t, err)
+
+	err = client.ContainerStart(ctx, cID1, types.ContainerStartOptions{})
+	assert.NilError(t, err)
+
+	ng1, err := client.ContainerInspect(ctx, cID1)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(len(ng1.NetworkSettings.Networks[name].Aliases), 2))
+	assert.Check(t, is.Equal(ng1.NetworkSettings.Networks[name].Aliases[0], "aaa"))
+
+	cID2 := container.Create(t, ctx, client, func(c *container.TestContainerConfig) {
+		c.NetworkingConfig = &network.NetworkingConfig{
+			EndpointsConfig: map[string]*network.EndpointSettings{
+				name: {},
+			},
+		}
+	})
+
+	err = client.NetworkConnect(ctx, name, cID2, &network.EndpointSettings{
+		Aliases: []string{
+			"bbb",
+		},
+	})
+	assert.NilError(t, err)
+
+	err = client.ContainerStart(ctx, cID2, types.ContainerStartOptions{})
+	assert.NilError(t, err)
+
+	ng2, err := client.ContainerInspect(ctx, cID2)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(len(ng2.NetworkSettings.Networks[name].Aliases), 2))
+	assert.Check(t, is.Equal(ng2.NetworkSettings.Networks[name].Aliases[0], "bbb"))
+}
diff --git a/engine/integration/service/plugin_test.go b/engine/integration/service/plugin_test.go
new file mode 100644
index 00000000..6c618252
--- /dev/null
+++ b/engine/integration/service/plugin_test.go
@@ -0,0 +1,121 @@
+package service
+
+import (
+	"context"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/swarm/runtime"
+	"github.com/docker/docker/integration/internal/swarm"
+	"github.com/docker/docker/internal/test/daemon"
+	"github.com/docker/docker/internal/test/fixtures/plugin"
+	"github.com/docker/docker/internal/test/registry"
+	"gotest.tools/assert"
+	"gotest.tools/poll"
+	"gotest.tools/skip"
+)
+
+func TestServicePlugin(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot run daemon when remote daemon")
+	skip.If(t, testEnv.DaemonInfo.OSType == "windows")
+	skip.If(t, os.Getenv("DOCKER_ENGINE_GOARCH") != "amd64")
+	defer setupTest(t)()
+
+	reg := registry.NewV2(t)
+	defer reg.Close()
+
+	repo := path.Join(registry.DefaultURL, "swarm", "test:v1")
+	repo2 := path.Join(registry.DefaultURL, "swarm", "test:v2")
+	name := "test"
+
+	d := daemon.New(t)
+	d.StartWithBusybox(t)
+	apiclient := d.NewClientT(t)
+	err := plugin.Create(context.Background(), apiclient, repo)
+	assert.NilError(t, err)
+	r, err := apiclient.PluginPush(context.Background(), repo, "")
+	assert.NilError(t, err)
+	_, err = io.Copy(ioutil.Discard, r)
+	assert.NilError(t, err)
+	err = apiclient.PluginRemove(context.Background(), repo, types.PluginRemoveOptions{})
+	assert.NilError(t, err)
+	err = plugin.Create(context.Background(), apiclient, repo2)
+	assert.NilError(t, err)
+	r, err = apiclient.PluginPush(context.Background(), repo2, "")
+	assert.NilError(t, err)
+	_, err = io.Copy(ioutil.Discard, r)
+	assert.NilError(t, err)
+	err = apiclient.PluginRemove(context.Background(), repo2, types.PluginRemoveOptions{})
+	assert.NilError(t, err)
+	d.Stop(t)
+
+	d1 := swarm.NewSwarm(t, testEnv, daemon.WithExperimental)
+	defer d1.Stop(t)
+	d2 := daemon.New(t, daemon.WithExperimental, daemon.WithSwarmPort(daemon.DefaultSwarmPort+1))
+	d2.StartAndSwarmJoin(t, d1, true)
+	defer d2.Stop(t)
+	d3 := daemon.New(t, daemon.WithExperimental, daemon.WithSwarmPort(daemon.DefaultSwarmPort+2))
+	d3.StartAndSwarmJoin(t, d1, false)
+	defer d3.Stop(t)
+
+	id := d1.CreateService(t, makePlugin(repo, name, nil))
+	poll.WaitOn(t, d1.PluginIsRunning(name), swarm.ServicePoll)
+	poll.WaitOn(t, d2.PluginIsRunning(name), swarm.ServicePoll)
+	poll.WaitOn(t, d3.PluginIsRunning(name), swarm.ServicePoll)
+
+	service := d1.GetService(t, id)
+	d1.UpdateService(t, service, makePlugin(repo2, name, nil))
+	poll.WaitOn(t, d1.PluginReferenceIs(name, repo2), swarm.ServicePoll)
+	poll.WaitOn(t, d2.PluginReferenceIs(name, repo2), swarm.ServicePoll)
+	poll.WaitOn(t, d3.PluginReferenceIs(name, repo2), swarm.ServicePoll)
+	poll.WaitOn(t, d1.PluginIsRunning(name), swarm.ServicePoll)
+	poll.WaitOn(t, d2.PluginIsRunning(name), swarm.ServicePoll)
+	poll.WaitOn(t, d3.PluginIsRunning(name), swarm.ServicePoll)
+
+	d1.RemoveService(t, id)
+	poll.WaitOn(t, d1.PluginIsNotPresent(name), swarm.ServicePoll)
+	poll.WaitOn(t, d2.PluginIsNotPresent(name), swarm.ServicePoll)
+	poll.WaitOn(t, d3.PluginIsNotPresent(name), swarm.ServicePoll)
+
+	// constrain to managers only
+	id = d1.CreateService(t, makePlugin(repo, name, []string{"node.role==manager"}))
+	poll.WaitOn(t, d1.PluginIsRunning(name), swarm.ServicePoll)
+	poll.WaitOn(t, d2.PluginIsRunning(name), swarm.ServicePoll)
+	poll.WaitOn(t, d3.PluginIsNotPresent(name), swarm.ServicePoll)
+
+	d1.RemoveService(t, id)
+	poll.WaitOn(t, d1.PluginIsNotPresent(name), swarm.ServicePoll)
+	poll.WaitOn(t, d2.PluginIsNotPresent(name), swarm.ServicePoll)
+	poll.WaitOn(t, d3.PluginIsNotPresent(name), swarm.ServicePoll)
+
+	// with no name
+	id = d1.CreateService(t, makePlugin(repo, "", nil))
+	poll.WaitOn(t, d1.PluginIsRunning(repo), swarm.ServicePoll)
+	poll.WaitOn(t, d2.PluginIsRunning(repo), swarm.ServicePoll)
+	poll.WaitOn(t, d3.PluginIsRunning(repo), swarm.ServicePoll)
+
+	d1.RemoveService(t, id)
+	poll.WaitOn(t, d1.PluginIsNotPresent(repo), swarm.ServicePoll)
+	poll.WaitOn(t, d2.PluginIsNotPresent(repo), swarm.ServicePoll)
+	poll.WaitOn(t, d3.PluginIsNotPresent(repo), swarm.ServicePoll)
+}
+
+func makePlugin(repo, name string, constraints []string) func(*swarmtypes.Service) {
+	return func(s *swarmtypes.Service) {
+		s.Spec.TaskTemplate.Runtime = "plugin"
+		s.Spec.TaskTemplate.PluginSpec = &runtime.PluginSpec{
+			Name:   name,
+			Remote: repo,
+		}
+		if constraints != nil {
+			s.Spec.TaskTemplate.Placement = &swarmtypes.Placement{
+				Constraints: constraints,
+			}
+		}
+	}
+}
diff --git a/engine/integration/session/main_test.go b/engine/integration/session/main_test.go
new file mode 100644
index 00000000..fc33025e
--- /dev/null
+++ b/engine/integration/session/main_test.go
@@ -0,0 +1,33 @@
+package session // import "github.com/docker/docker/integration/session"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/session/session_test.go b/engine/integration/session/session_test.go
new file mode 100644
index 00000000..67a3773a
--- /dev/null
+++ b/engine/integration/session/session_test.go
@@ -0,0 +1,48 @@
+package session // import "github.com/docker/docker/integration/session"
+
+import (
+	"net/http"
+	"testing"
+
+	req "github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestSessionCreate(t *testing.T) {
+	skip.If(t, !testEnv.DaemonInfo.ExperimentalBuild)
+
+	defer setupTest(t)()
+
+	res, body, err := req.Post("/session", req.With(func(r *http.Request) error {
+		r.Header.Set("X-Docker-Expose-Session-Uuid", "testsessioncreate") // so we don't block default name if something else is using it
+		r.Header.Set("Upgrade", "h2c")
+		return nil
+	}))
+	assert.NilError(t, err)
+	assert.NilError(t, body.Close())
+	assert.Check(t, is.DeepEqual(res.StatusCode, http.StatusSwitchingProtocols))
+	assert.Check(t, is.Equal(res.Header.Get("Upgrade"), "h2c"))
+}
+
+func TestSessionCreateWithBadUpgrade(t *testing.T) {
+	skip.If(t, !testEnv.DaemonInfo.ExperimentalBuild)
+
+	res, body, err := req.Post("/session")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(res.StatusCode, http.StatusBadRequest))
+	buf, err := req.ReadBody(body)
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(string(buf), "no upgrade"))
+
+	res, body, err = req.Post("/session", req.With(func(r *http.Request) error {
+		r.Header.Set("Upgrade", "foo")
+		return nil
+	}))
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(res.StatusCode, http.StatusBadRequest))
+	buf, err = req.ReadBody(body)
+	assert.NilError(t, err)
+	assert.Check(t, is.Contains(string(buf), "not supported"))
+}
diff --git a/engine/integration/system/cgroupdriver_systemd_test.go b/engine/integration/system/cgroupdriver_systemd_test.go
new file mode 100644
index 00000000..449c83fd
--- /dev/null
+++ b/engine/integration/system/cgroupdriver_systemd_test.go
@@ -0,0 +1,56 @@
+package system
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/daemon"
+
+	"gotest.tools/assert"
+)
+
+// hasSystemd checks whether the host was booted with systemd as its init
+// system. Stolen from
+// https://github.com/coreos/go-systemd/blob/176f85496f4e/util/util.go#L68
+func hasSystemd() bool {
+	fi, err := os.Lstat("/run/systemd/system")
+	if err != nil {
+		return false
+	}
+	return fi.IsDir()
+}
+
+// TestCgroupDriverSystemdMemoryLimit checks that container
+// memory limit can be set when using systemd cgroupdriver.
+//  https://github.com/moby/moby/issues/35123
+func TestCgroupDriverSystemdMemoryLimit(t *testing.T) {
+	t.Parallel()
+
+	if !hasSystemd() {
+		t.Skip("systemd not available")
+	}
+
+	d := daemon.New(t)
+	client, err := d.NewClient()
+	assert.NilError(t, err)
+	d.StartWithBusybox(t, "--exec-opt", "native.cgroupdriver=systemd", "--iptables=false")
+	defer d.Stop(t)
+
+	const mem = 64 * 1024 * 1024 // 64 MB
+
+	ctx := context.Background()
+	ctrID := container.Create(t, ctx, client, func(c *container.TestContainerConfig) {
+		c.HostConfig.Resources.Memory = mem
+	})
+	defer client.ContainerRemove(ctx, ctrID, types.ContainerRemoveOptions{Force: true})
+
+	err = client.ContainerStart(ctx, ctrID, types.ContainerStartOptions{})
+	assert.NilError(t, err)
+
+	s, err := client.ContainerInspect(ctx, ctrID)
+	assert.NilError(t, err)
+	assert.Equal(t, s.HostConfig.Memory, mem)
+}
diff --git a/engine/integration/system/event_test.go b/engine/integration/system/event_test.go
new file mode 100644
index 00000000..6e86f4ad
--- /dev/null
+++ b/engine/integration/system/event_test.go
@@ -0,0 +1,122 @@
+package system // import "github.com/docker/docker/integration/system"
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/url"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	req "github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestEventsExecDie(t *testing.T) {
+	skip.If(t, versions.LessThan(testEnv.DaemonAPIVersion(), "1.36"), "broken in earlier versions")
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	cID := container.Run(t, ctx, client)
+
+	id, err := client.ContainerExecCreate(ctx, cID,
+		types.ExecConfig{
+			Cmd: strslice.StrSlice([]string{"echo", "hello"}),
+		},
+	)
+	assert.NilError(t, err)
+
+	filters := filters.NewArgs(
+		filters.Arg("container", cID),
+		filters.Arg("event", "exec_die"),
+	)
+	msg, errors := client.Events(ctx, types.EventsOptions{
+		Filters: filters,
+	})
+
+	err = client.ContainerExecStart(ctx, id.ID,
+		types.ExecStartCheck{
+			Detach: true,
+			Tty:    false,
+		},
+	)
+	assert.NilError(t, err)
+
+	select {
+	case m := <-msg:
+		assert.Equal(t, m.Type, "container")
+		assert.Equal(t, m.Actor.ID, cID)
+		assert.Equal(t, m.Action, "exec_die")
+		assert.Equal(t, m.Actor.Attributes["execID"], id.ID)
+		assert.Equal(t, m.Actor.Attributes["exitCode"], "0")
+	case err = <-errors:
+		t.Fatal(err)
+	case <-time.After(time.Second * 3):
+		t.Fatal("timeout hit")
+	}
+
+}
+
+// Test case for #18888: Events messages have been switched from generic
+// `JSONMessage` to `events.Message` types. The switch does not break the
+// backward compatibility so old `JSONMessage` could still be used.
+// This test verifies that backward compatibility maintains.
+func TestEventsBackwardsCompatible(t *testing.T) {
+	defer setupTest(t)()
+	ctx := context.Background()
+	client := request.NewAPIClient(t)
+
+	since := request.DaemonTime(ctx, t, client, testEnv)
+	ts := strconv.FormatInt(since.Unix(), 10)
+
+	cID := container.Create(t, ctx, client)
+
+	// In case there is no events, the API should have responded immediately (not blocking),
+	// The test here makes sure the response time is less than 3 sec.
+	expectedTime := time.Now().Add(3 * time.Second)
+	emptyResp, emptyBody, err := req.Get("/events")
+	assert.NilError(t, err)
+	defer emptyBody.Close()
+	assert.Check(t, is.DeepEqual(http.StatusOK, emptyResp.StatusCode))
+	assert.Check(t, time.Now().Before(expectedTime), "timeout waiting for events api to respond, should have responded immediately")
+
+	// We also test to make sure the `events.Message` is compatible with `JSONMessage`
+	q := url.Values{}
+	q.Set("since", ts)
+	_, body, err := req.Get("/events?" + q.Encode())
+	assert.NilError(t, err)
+	defer body.Close()
+
+	dec := json.NewDecoder(body)
+	var containerCreateEvent *jsonmessage.JSONMessage
+	for {
+		var event jsonmessage.JSONMessage
+		if err := dec.Decode(&event); err != nil {
+			if err == io.EOF {
+				break
+			}
+			t.Fatal(err)
+		}
+		if event.Status == "create" && event.ID == cID {
+			containerCreateEvent = &event
+			break
+		}
+	}
+
+	assert.Check(t, containerCreateEvent != nil)
+	assert.Check(t, is.Equal("create", containerCreateEvent.Status))
+	assert.Check(t, is.Equal(cID, containerCreateEvent.ID))
+	assert.Check(t, is.Equal("busybox", containerCreateEvent.From))
+}
diff --git a/engine/integration/system/info_linux_test.go b/engine/integration/system/info_linux_test.go
new file mode 100644
index 00000000..50fa9874
--- /dev/null
+++ b/engine/integration/system/info_linux_test.go
@@ -0,0 +1,48 @@
+// +build !windows
+
+package system // import "github.com/docker/docker/integration/system"
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/docker/docker/internal/test/request"
+	req "github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestInfoBinaryCommits(t *testing.T) {
+	client := request.NewAPIClient(t)
+
+	info, err := client.Info(context.Background())
+	assert.NilError(t, err)
+
+	assert.Check(t, "N/A" != info.ContainerdCommit.ID)
+	assert.Check(t, is.Equal(testEnv.DaemonInfo.ContainerdCommit.Expected, info.ContainerdCommit.Expected))
+	assert.Check(t, is.Equal(info.ContainerdCommit.Expected, info.ContainerdCommit.ID))
+
+	assert.Check(t, "N/A" != info.InitCommit.ID)
+	assert.Check(t, is.Equal(testEnv.DaemonInfo.InitCommit.Expected, info.InitCommit.Expected))
+	assert.Check(t, is.Equal(info.InitCommit.Expected, info.InitCommit.ID))
+
+	assert.Check(t, "N/A" != info.RuncCommit.ID)
+	assert.Check(t, is.Equal(testEnv.DaemonInfo.RuncCommit.Expected, info.RuncCommit.Expected))
+	assert.Check(t, is.Equal(info.RuncCommit.Expected, info.RuncCommit.ID))
+}
+
+func TestInfoAPIVersioned(t *testing.T) {
+	// Windows only supports 1.25 or later
+
+	res, body, err := req.Get("/v1.20/info")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(res.StatusCode, http.StatusOK))
+
+	b, err := req.ReadBody(body)
+	assert.NilError(t, err)
+
+	out := string(b)
+	assert.Check(t, is.Contains(out, "ExecutionDriver"))
+	assert.Check(t, is.Contains(out, "not supported"))
+}
diff --git a/engine/integration/system/info_test.go b/engine/integration/system/info_test.go
new file mode 100644
index 00000000..2a05dfbb
--- /dev/null
+++ b/engine/integration/system/info_test.go
@@ -0,0 +1,42 @@
+package system // import "github.com/docker/docker/integration/system"
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestInfoAPI(t *testing.T) {
+	client := request.NewAPIClient(t)
+
+	info, err := client.Info(context.Background())
+	assert.NilError(t, err)
+
+	// always shown fields
+	stringsToCheck := []string{
+		"ID",
+		"Containers",
+		"ContainersRunning",
+		"ContainersPaused",
+		"ContainersStopped",
+		"Images",
+		"LoggingDriver",
+		"OperatingSystem",
+		"NCPU",
+		"OSType",
+		"Architecture",
+		"MemTotal",
+		"KernelVersion",
+		"Driver",
+		"ServerVersion",
+		"SecurityOptions"}
+
+	out := fmt.Sprintf("%+v", info)
+	for _, linePrefix := range stringsToCheck {
+		assert.Check(t, is.Contains(out, linePrefix))
+	}
+}
diff --git a/engine/integration/system/login_test.go b/engine/integration/system/login_test.go
new file mode 100644
index 00000000..ad1a8756
--- /dev/null
+++ b/engine/integration/system/login_test.go
@@ -0,0 +1,28 @@
+package system // import "github.com/docker/docker/integration/system"
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/internal/requirement"
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+// Test case for GitHub 22244
+func TestLoginFailsWithBadCredentials(t *testing.T) {
+	skip.If(t, !requirement.HasHubConnectivity(t))
+
+	client := request.NewAPIClient(t)
+
+	config := types.AuthConfig{
+		Username: "no-user",
+		Password: "no-password",
+	}
+	_, err := client.RegistryLogin(context.Background(), config)
+	expected := "Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password"
+	assert.Check(t, is.Error(err, expected))
+}
diff --git a/engine/integration/system/main_test.go b/engine/integration/system/main_test.go
new file mode 100644
index 00000000..f19a3157
--- /dev/null
+++ b/engine/integration/system/main_test.go
@@ -0,0 +1,33 @@
+package system // import "github.com/docker/docker/integration/system"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/system/version_test.go b/engine/integration/system/version_test.go
new file mode 100644
index 00000000..8904c09b
--- /dev/null
+++ b/engine/integration/system/version_test.go
@@ -0,0 +1,23 @@
+package system // import "github.com/docker/docker/integration/system"
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/docker/internal/test/request"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestVersion(t *testing.T) {
+	client := request.NewAPIClient(t)
+
+	version, err := client.ServerVersion(context.Background())
+	assert.NilError(t, err)
+
+	assert.Check(t, version.APIVersion != "")
+	assert.Check(t, version.Version != "")
+	assert.Check(t, version.MinAPIVersion != "")
+	assert.Check(t, is.Equal(testEnv.DaemonInfo.ExperimentalBuild, version.Experimental))
+	assert.Check(t, is.Equal(testEnv.OSType, version.Os))
+}
diff --git a/engine/integration/testdata/https/ca.pem b/engine/integration/testdata/https/ca.pem
new file mode 100644
index 00000000..6825d6d1
--- /dev/null
+++ b/engine/integration/testdata/https/ca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0TCCAzqgAwIBAgIJAP2r7GqEJwSnMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
+A1UEChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTERMA8GA1UEAxMI
+Y2hhbmdlbWUxETAPBgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWls
+QGhvc3QuZG9tYWluMB4XDTEzMTIwMzE2NTYzMFoXDTIzMTIwMTE2NTYzMFowgaIx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2Nv
+MRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMREwDwYD
+VQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEW
+EG1haWxAaG9zdC5kb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALAn
+0xDw+5y7ZptQacq66pUhRu82JP2WU6IDgo5QUtNU6/CX5PwQATe/OnYTZQFbksxp
+AU9boG0FCkgxfsgPYXEuZxVEGKI2fxfKHOZZI8mrkWmj6eWU/0cvCjGVc9rTITP5
+sNQvg+hORyVDdNp2IdsbMJayiB3AQYMFx3vSDOMTAgMBAAGjggELMIIBBzAdBgNV
+HQ4EFgQUZu7DFz09q0QBa2+ymRm9qgK1NPswgdcGA1UdIwSBzzCBzIAUZu7DFz09
+q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD
+QTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24x
+ETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMI
+Y2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW6CCQD9q+xq
+hCcEpzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAF8fJKKM+/oOdnNi
+zEd0M1+PmZOyqvjYQn/2ZR8UHH6Imgc/OPQKZXf0bVE1Txc/DaUNn9Isd1SuCuaE
+ic3vAIYYU7PmgeNN6vwec48V96T7jr+GAi6AVMhQEc2hHCfVtx11Xx+x6aHDZzJt
+Zxtf5lL6KSO9Y+EFwM+rju6hm5hW
+-----END CERTIFICATE-----
diff --git a/engine/integration/testdata/https/client-cert.pem b/engine/integration/testdata/https/client-cert.pem
new file mode 100644
index 00000000..c05ed47c
--- /dev/null
+++ b/engine/integration/testdata/https/client-cert.pem
@@ -0,0 +1,73 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain
+        Validity
+            Not Before: Dec  4 14:17:54 2013 GMT
+            Not After : Dec  2 14:17:54 2023 GMT
+        Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client/name=changeme/emailAddress=mail@host.domain
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:ca:c9:05:d0:09:4e:3e:a4:fc:d5:14:f4:a5:e8:
+                    34:d3:6b:51:e3:f3:62:ea:a1:f0:e8:ed:c4:2a:bc:
+                    f0:4f:ca:07:df:e3:88:fa:f4:21:99:35:0e:3d:ea:
+                    b0:86:e7:c4:d2:8a:83:2b:42:b8:ec:a3:99:62:70:
+                    81:46:cc:fc:a5:1d:d2:63:e8:eb:07:25:9a:e2:25:
+                    6d:11:56:f2:1a:51:a1:b6:3e:1c:57:32:e9:7b:2c:
+                    aa:1b:cc:97:2d:89:2d:b1:c9:5e:35:28:4d:7c:fa:
+                    65:31:3e:f7:70:dd:6e:0b:3c:58:af:a8:2e:24:c0:
+                    7e:4e:78:7d:0a:9e:8f:42:43
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                Easy-RSA Generated Certificate
+            X509v3 Subject Key Identifier: 
+                DE:42:EF:2D:98:A3:6C:A8:AA:E0:8C:71:2C:9D:64:23:A9:E2:7E:81
+            X509v3 Authority Key Identifier: 
+                keyid:66:EE:C3:17:3D:3D:AB:44:01:6B:6F:B2:99:19:BD:AA:02:B5:34:FB
+                DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
+                serial:FD:AB:EC:6A:84:27:04:A7
+
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Key Usage: 
+                Digital Signature
+    Signature Algorithm: sha1WithRSAEncryption
+         1c:44:26:ea:e1:66:25:cb:e4:8e:57:1c:f6:b9:17:22:62:40:
+         12:90:8f:3b:b2:61:7a:54:94:8f:b1:20:0b:bf:a3:51:e3:fa:
+         1c:a1:be:92:3a:d0:76:44:c0:57:83:ab:6a:e4:1a:45:49:a4:
+         af:39:0d:60:32:fc:3a:be:d7:fb:5d:99:7a:1f:87:e7:d5:ab:
+         84:a2:5e:90:d8:bf:fa:89:6d:32:26:02:5e:31:35:68:7f:31:
+         f5:6b:51:46:bc:af:70:ed:5a:09:7d:ec:b2:48:4f:fe:c5:2f:
+         56:04:ad:f6:c1:d2:2a:e4:6a:c4:87:fe:08:35:c5:38:cb:5e:
+         4a:c4
+-----BEGIN CERTIFICATE-----
+MIIEFTCCA36gAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv
+cnQtRnVuc3RvbjERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1l
+MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0LmRv
+bWFpbjAeFw0xMzEyMDQxNDE3NTRaFw0yMzEyMDIxNDE3NTRaMIGgMQswCQYDVQQG
+EwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UE
+ChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTEPMA0GA1UEAxMGY2xp
+ZW50MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0
+LmRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyskF0AlOPqT81RT0
+peg002tR4/Ni6qHw6O3EKrzwT8oH3+OI+vQhmTUOPeqwhufE0oqDK0K47KOZYnCB
+Rsz8pR3SY+jrByWa4iVtEVbyGlGhtj4cVzLpeyyqG8yXLYktscleNShNfPplMT73
+cN1uCzxYr6guJMB+Tnh9Cp6PQkMCAwEAAaOCAVkwggFVMAkGA1UdEwQCMAAwLQYJ
+YIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
+HQ4EFgQU3kLvLZijbKiq4IxxLJ1kI6nifoEwgdcGA1UdIwSBzzCBzIAUZu7DFz09
+q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD
+QTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24x
+ETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMI
+Y2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW6CCQD9q+xq
+hCcEpzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcN
+AQEFBQADgYEAHEQm6uFmJcvkjlcc9rkXImJAEpCPO7JhelSUj7EgC7+jUeP6HKG+
+kjrQdkTAV4OrauQaRUmkrzkNYDL8Or7X+12Zeh+H59WrhKJekNi/+oltMiYCXjE1
+aH8x9WtRRryvcO1aCX3sskhP/sUvVgSt9sHSKuRqxIf+CDXFOMteSsQ=
+-----END CERTIFICATE-----
diff --git a/engine/integration/testdata/https/client-key.pem b/engine/integration/testdata/https/client-key.pem
new file mode 100644
index 00000000..b5c15f8d
--- /dev/null
+++ b/engine/integration/testdata/https/client-key.pem
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMrJBdAJTj6k/NUU
+9KXoNNNrUePzYuqh8OjtxCq88E/KB9/jiPr0IZk1Dj3qsIbnxNKKgytCuOyjmWJw
+gUbM/KUd0mPo6wclmuIlbRFW8hpRobY+HFcy6XssqhvMly2JLbHJXjUoTXz6ZTE+
+93Ddbgs8WK+oLiTAfk54fQqej0JDAgMBAAECgYBOFEzKp2qbMEexe9ofL2N3rDDh
+xkrl8OijpzkLA6i78BxMFn4dsnZlWUpciMrjhsYAExkiRRSS+QMMJimAq1jzQqc3
+FAQV2XGYwkd0cUn7iZGvfNnEPysjsfyYQM+m+sT0ATj4BZjVShC6kkSjTdm1leLN
+OSvcHdcu3Xxg9ufF0QJBAPYdnNt5sIndt2WECePuRVi+uF4mlxTobFY0fjn26yhC
+4RsnhhD3Vldygo9gvnkwrAZYaALGSPBewes2InxvjA8CQQDS7erKiNXpwoqz5XiU
+SVEsIIVTdWzBjGbIqMOu/hUwM5FK4j6JTBks0aTGMyh0YV9L1EzM0X79J29JahCe
+iQKNAkBKNMOGqTpBV0hko1sYDk96YobUXG5RL4L6uvkUIQ7mJMQam+AgXXL7Ctuy
+v0iu4a38e8tgisiTMP7nHHtpaXihAkAOiN54/lzfMsykANgCP9scE1GcoqbP34Dl
+qttxH4kOPT9xzY1JoLjLYdbc4YGUI3GRpBt2sajygNkmUey7P+2xAkBBsVCZFvTw
+qHvOpPS2kX5ml5xoc/QAHK9N7kR+X7XFYx82RTVSqJEK4lPb+aEWn+CjiIewO4Q5
+ksDFuNxAzbhl
+-----END PRIVATE KEY-----
diff --git a/engine/integration/testdata/https/server-cert.pem b/engine/integration/testdata/https/server-cert.pem
new file mode 100644
index 00000000..08abfd1a
--- /dev/null
+++ b/engine/integration/testdata/https/server-cert.pem
@@ -0,0 +1,76 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+    Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain
+        Validity
+            Not Before: Dec  4 15:01:20 2013 GMT
+            Not After : Dec  2 15:01:20 2023 GMT
+        Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=*/name=changeme/emailAddress=mail@host.domain
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (1024 bit)
+                Modulus:
+                    00:c1:ff:7d:30:6f:64:4a:b1:92:b1:71:d1:c1:74:
+                    e2:1d:db:2d:11:24:e1:00:d4:00:ae:6f:c8:9e:ae:
+                    67:b3:4a:bd:f7:e6:9e:57:6d:19:4c:3c:23:94:2d:
+                    3d:d6:63:84:d8:fa:76:2b:38:12:c1:ed:20:9d:32:
+                    e0:e8:c2:bf:9a:77:70:04:3f:7f:ca:8c:2c:82:d6:
+                    3d:25:5c:02:1a:4f:64:93:03:dd:9c:42:97:5e:09:
+                    49:af:f0:c2:e1:30:08:0e:21:46:95:d1:13:59:c0:
+                    c8:76:be:94:0d:8b:43:67:21:33:b2:08:60:9d:76:
+                    a8:05:32:1e:f9:95:09:14:75
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            Netscape Comment: 
+                Easy-RSA Generated Server Certificate
+            X509v3 Subject Key Identifier: 
+                14:02:FD:FD:DD:13:38:E0:71:EA:D1:BE:C0:0E:89:1A:2D:B6:19:06
+            X509v3 Authority Key Identifier: 
+                keyid:66:EE:C3:17:3D:3D:AB:44:01:6B:6F:B2:99:19:BD:AA:02:B5:34:FB
+                DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
+                serial:FD:AB:EC:6A:84:27:04:A7
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+    Signature Algorithm: sha1WithRSAEncryption
+         40:0f:10:39:c4:b7:0f:0d:2f:bf:d2:16:cc:8e:d3:9a:fb:8b:
+         ce:4b:7b:0d:48:77:ce:f1:fe:d5:8f:ea:b1:71:ed:49:1d:9f:
+         23:3a:16:d4:70:7c:c5:29:bf:e4:90:34:d0:f0:00:24:f4:e4:
+         df:2c:c3:83:01:66:61:c9:a8:ab:29:e7:98:6d:27:89:4a:76:
+         c9:2e:19:8e:fe:6e:d5:f8:99:11:0e:97:67:4b:34:e3:1e:e3:
+         9f:35:00:a5:32:f9:b5:2c:f2:e0:c5:2e:cc:81:bd:18:dd:5c:
+         12:c8:6b:fa:0c:17:74:30:55:f6:6e:20:9a:6c:1e:09:b4:0c:
+         15:42
+-----BEGIN CERTIFICATE-----
+MIIEKjCCA5OgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv
+cnQtRnVuc3RvbjERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1l
+MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0LmRv
+bWFpbjAeFw0xMzEyMDQxNTAxMjBaFw0yMzEyMDIxNTAxMjBaMIGbMQswCQYDVQQG
+EwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UE
+ChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTEKMAgGA1UEAxQBKjER
+MA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21h
+aW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMH/fTBvZEqxkrFx0cF04h3b
+LREk4QDUAK5vyJ6uZ7NKvffmnldtGUw8I5QtPdZjhNj6dis4EsHtIJ0y4OjCv5p3
+cAQ/f8qMLILWPSVcAhpPZJMD3ZxCl14JSa/wwuEwCA4hRpXRE1nAyHa+lA2LQ2ch
+M7IIYJ12qAUyHvmVCRR1AgMBAAGjggFzMIIBbzAJBgNVHRMEAjAAMBEGCWCGSAGG
++EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVkIFNl
+cnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUFAL9/d0TOOBx6tG+wA6JGi22GQYw
+gdcGA1UdIwSBzzCBzIAUZu7DFz09q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJ
+BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUw
+EwYDVQQKEwxGb3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQD
+EwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1h
+aWxAaG9zdC5kb21haW6CCQD9q+xqhCcEpzATBgNVHSUEDDAKBggrBgEFBQcDATAL
+BgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQEFBQADgYEAQA8QOcS3Dw0vv9IWzI7TmvuL
+zkt7DUh3zvH+1Y/qsXHtSR2fIzoW1HB8xSm/5JA00PAAJPTk3yzDgwFmYcmoqynn
+mG0niUp2yS4Zjv5u1fiZEQ6XZ0s04x7jnzUApTL5tSzy4MUuzIG9GN1cEshr+gwX
+dDBV9m4gmmweCbQMFUI=
+-----END CERTIFICATE-----
diff --git a/engine/integration/testdata/https/server-key.pem b/engine/integration/testdata/https/server-key.pem
new file mode 100644
index 00000000..c269320e
--- /dev/null
+++ b/engine/integration/testdata/https/server-key.pem
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMH/fTBvZEqxkrFx
+0cF04h3bLREk4QDUAK5vyJ6uZ7NKvffmnldtGUw8I5QtPdZjhNj6dis4EsHtIJ0y
+4OjCv5p3cAQ/f8qMLILWPSVcAhpPZJMD3ZxCl14JSa/wwuEwCA4hRpXRE1nAyHa+
+lA2LQ2chM7IIYJ12qAUyHvmVCRR1AgMBAAECgYAmwckb9RUfSwyYgLm8IYLPHiuJ
+wkllZfVg5Bo7gXJcQnFjZmJ56uTj8xvUjZlODIHM63TSO5ibv6kFXtXKCqZGd2M+
+wGbhZ0f+2GvKcwMmJERnIQjuoNaYSQLT0tM0VB9Iz0rJlZC+tzPZ+5pPqEumRdsS
+IzWNXfF42AhcbwAQYQJBAPVXtMYIJc9EZsz86ZcQiMPWUpCX5vnRmtwL8kKyR8D5
+4KfYeiowyFffSRMMcclwNHq7TgSXN+nIXM9WyzyzwikCQQDKbNA28AgZp9aT54HP
+WnbeE2pmt+uk/zl/BtxJSoK6H+69Jec+lf7EgL7HgOWYRSNot4uQWu8IhsHLTiUq
++0FtAkEAqwlRxRy4/x24bP+D+QRV0/D97j93joFJbE4Hved7jlSlAV4xDGilwlyv
+HNB4Iu5OJ6Gcaibhm+FKkmD3noHSwQJBAIpu3fokLzX0bS+bDFBU6qO3HXX/47xj
++tsfQvkwZrSI8AkU6c8IX0HdVhsz0FBRQAT2ORDQz1XCarfxykNZrwUCQQCGCBIc
+BBCWzhHlswlGidWJg3HqqO6hPPClEr3B5G87oCsdeYwiO23XT6rUnoJXfJHp6oCW
+5nCwDu5ZTP+khltg
+-----END PRIVATE KEY-----
diff --git a/engine/integration/volume/main_test.go b/engine/integration/volume/main_test.go
new file mode 100644
index 00000000..206f7377
--- /dev/null
+++ b/engine/integration/volume/main_test.go
@@ -0,0 +1,33 @@
+package volume // import "github.com/docker/docker/integration/volume"
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/internal/test/environment"
+)
+
+var testEnv *environment.Execution
+
+func TestMain(m *testing.M) {
+	var err error
+	testEnv, err = environment.New()
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	err = environment.EnsureFrozenImagesLinux(testEnv)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	testEnv.Print()
+	os.Exit(m.Run())
+}
+
+func setupTest(t *testing.T) func() {
+	environment.ProtectAll(t, testEnv)
+	return func() { testEnv.Clean(t) }
+}
diff --git a/engine/integration/volume/volume_test.go b/engine/integration/volume/volume_test.go
new file mode 100644
index 00000000..ce42bb30
--- /dev/null
+++ b/engine/integration/volume/volume_test.go
@@ -0,0 +1,116 @@
+package volume
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	volumetypes "github.com/docker/docker/api/types/volume"
+	"github.com/docker/docker/integration/internal/container"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestVolumesCreateAndList(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot run daemon when remote daemon")
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	name := t.Name()
+	vol, err := client.VolumeCreate(ctx, volumetypes.VolumeCreateBody{
+		Name: name,
+	})
+	assert.NilError(t, err)
+
+	expected := types.Volume{
+		// Ignore timestamp of CreatedAt
+		CreatedAt:  vol.CreatedAt,
+		Driver:     "local",
+		Scope:      "local",
+		Name:       name,
+		Mountpoint: fmt.Sprintf("%s/volumes/%s/_data", testEnv.DaemonInfo.DockerRootDir, name),
+	}
+	assert.Check(t, is.DeepEqual(vol, expected, cmpopts.EquateEmpty()))
+
+	volumes, err := client.VolumeList(ctx, filters.Args{})
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(len(volumes.Volumes), 1))
+	assert.Check(t, volumes.Volumes[0] != nil)
+	assert.Check(t, is.DeepEqual(*volumes.Volumes[0], expected, cmpopts.EquateEmpty()))
+}
+
+func TestVolumesRemove(t *testing.T) {
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	prefix, slash := getPrefixAndSlashFromDaemonPlatform()
+
+	id := container.Create(t, ctx, client, container.WithVolume(prefix+slash+"foo"))
+
+	c, err := client.ContainerInspect(ctx, id)
+	assert.NilError(t, err)
+	vname := c.Mounts[0].Name
+
+	err = client.VolumeRemove(ctx, vname, false)
+	assert.Check(t, is.ErrorContains(err, "volume is in use"))
+
+	err = client.ContainerRemove(ctx, id, types.ContainerRemoveOptions{
+		Force: true,
+	})
+	assert.NilError(t, err)
+
+	err = client.VolumeRemove(ctx, vname, false)
+	assert.NilError(t, err)
+}
+
+func TestVolumesInspect(t *testing.T) {
+	skip.If(t, testEnv.IsRemoteDaemon, "cannot run daemon when remote daemon")
+	defer setupTest(t)()
+	client := request.NewAPIClient(t)
+	ctx := context.Background()
+
+	// sampling current time minus a minute so to now have false positive in case of delays
+	now := time.Now().Truncate(time.Minute)
+
+	name := t.Name()
+	_, err := client.VolumeCreate(ctx, volumetypes.VolumeCreateBody{
+		Name: name,
+	})
+	assert.NilError(t, err)
+
+	vol, err := client.VolumeInspect(ctx, name)
+	assert.NilError(t, err)
+
+	expected := types.Volume{
+		// Ignore timestamp of CreatedAt
+		CreatedAt:  vol.CreatedAt,
+		Driver:     "local",
+		Scope:      "local",
+		Name:       name,
+		Mountpoint: fmt.Sprintf("%s/volumes/%s/_data", testEnv.DaemonInfo.DockerRootDir, name),
+	}
+	assert.Check(t, is.DeepEqual(vol, expected, cmpopts.EquateEmpty()))
+
+	// comparing CreatedAt field time for the new volume to now. Removing a minute from both to avoid false positive
+	testCreatedAt, err := time.Parse(time.RFC3339, strings.TrimSpace(vol.CreatedAt))
+	assert.NilError(t, err)
+	testCreatedAt = testCreatedAt.Truncate(time.Minute)
+	assert.Check(t, is.Equal(testCreatedAt.Equal(now), true), "Time Volume is CreatedAt not equal to current time")
+}
+
+func getPrefixAndSlashFromDaemonPlatform() (prefix, slash string) {
+	if testEnv.OSType == "windows" {
+		return "c:", `\`
+	}
+	return "", "/"
+}
diff --git a/engine/internal/test/daemon/config.go b/engine/internal/test/daemon/config.go
new file mode 100644
index 00000000..ce99222b
--- /dev/null
+++ b/engine/internal/test/daemon/config.go
@@ -0,0 +1,82 @@
+package daemon
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/internal/test"
+	"gotest.tools/assert"
+)
+
+// ConfigConstructor defines a swarm config constructor
+type ConfigConstructor func(*swarm.Config)
+
+// CreateConfig creates a config given the specified spec
+func (d *Daemon) CreateConfig(t assert.TestingT, configSpec swarm.ConfigSpec) string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	scr, err := cli.ConfigCreate(context.Background(), configSpec)
+	assert.NilError(t, err)
+	return scr.ID
+}
+
+// ListConfigs returns the list of the current swarm configs
+func (d *Daemon) ListConfigs(t assert.TestingT) []swarm.Config {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	configs, err := cli.ConfigList(context.Background(), types.ConfigListOptions{})
+	assert.NilError(t, err)
+	return configs
+}
+
+// GetConfig returns a swarm config identified by the specified id
+func (d *Daemon) GetConfig(t assert.TestingT, id string) *swarm.Config {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	config, _, err := cli.ConfigInspectWithRaw(context.Background(), id)
+	assert.NilError(t, err)
+	return &config
+}
+
+// DeleteConfig removes the swarm config identified by the specified id
+func (d *Daemon) DeleteConfig(t assert.TestingT, id string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	err := cli.ConfigRemove(context.Background(), id)
+	assert.NilError(t, err)
+}
+
+// UpdateConfig updates the swarm config identified by the specified id
+// Currently, only label update is supported.
+func (d *Daemon) UpdateConfig(t assert.TestingT, id string, f ...ConfigConstructor) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	config := d.GetConfig(t, id)
+	for _, fn := range f {
+		fn(config)
+	}
+
+	err := cli.ConfigUpdate(context.Background(), config.ID, config.Version, config.Spec)
+	assert.NilError(t, err)
+}
diff --git a/engine/internal/test/daemon/container.go b/engine/internal/test/daemon/container.go
new file mode 100644
index 00000000..3aa69e19
--- /dev/null
+++ b/engine/internal/test/daemon/container.go
@@ -0,0 +1,40 @@
+package daemon
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/internal/test"
+	"gotest.tools/assert"
+)
+
+// ActiveContainers returns the list of ids of the currently running containers
+func (d *Daemon) ActiveContainers(t assert.TestingT) []string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{})
+	assert.NilError(t, err)
+
+	ids := make([]string, len(containers))
+	for i, c := range containers {
+		ids[i] = c.ID
+	}
+	return ids
+}
+
+// FindContainerIP returns the ip of the specified container
+func (d *Daemon) FindContainerIP(t assert.TestingT, id string) string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	i, err := cli.ContainerInspect(context.Background(), id)
+	assert.NilError(t, err)
+	return i.NetworkSettings.IPAddress
+}
diff --git a/engine/internal/test/daemon/daemon.go b/engine/internal/test/daemon/daemon.go
new file mode 100644
index 00000000..98f1ee1b
--- /dev/null
+++ b/engine/internal/test/daemon/daemon.go
@@ -0,0 +1,681 @@
+package daemon // import "github.com/docker/docker/internal/test/daemon"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/internal/test"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/go-connections/sockets"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+type testingT interface {
+	assert.TestingT
+	logT
+	Fatalf(string, ...interface{})
+}
+
+type logT interface {
+	Logf(string, ...interface{})
+}
+
+const defaultDockerdBinary = "dockerd"
+
+var errDaemonNotStarted = errors.New("daemon not started")
+
+// SockRoot holds the path of the default docker integration daemon socket
+var SockRoot = filepath.Join(os.TempDir(), "docker-integration")
+
+type clientConfig struct {
+	transport *http.Transport
+	scheme    string
+	addr      string
+}
+
+// Daemon represents a Docker daemon for the testing framework
+type Daemon struct {
+	GlobalFlags       []string
+	Root              string
+	Folder            string
+	Wait              chan error
+	UseDefaultHost    bool
+	UseDefaultTLSHost bool
+
+	id            string
+	logFile       *os.File
+	cmd           *exec.Cmd
+	storageDriver string
+	userlandProxy bool
+	execRoot      string
+	experimental  bool
+	init          bool
+	dockerdBinary string
+	log           logT
+
+	// swarm related field
+	swarmListenAddr string
+	SwarmPort       int // FIXME(vdemeester) should probably not be exported
+
+	// cached information
+	CachedInfo types.Info
+}
+
+// New returns a Daemon instance to be used for testing.
+// This will create a directory such as d123456789 in the folder specified by $DOCKER_INTEGRATION_DAEMON_DEST or $DEST.
+// The daemon will not automatically start.
+func New(t testingT, ops ...func(*Daemon)) *Daemon {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	dest := os.Getenv("DOCKER_INTEGRATION_DAEMON_DEST")
+	if dest == "" {
+		dest = os.Getenv("DEST")
+	}
+	assert.Check(t, dest != "", "Please set the DOCKER_INTEGRATION_DAEMON_DEST or the DEST environment variable")
+
+	storageDriver := os.Getenv("DOCKER_GRAPHDRIVER")
+
+	assert.NilError(t, os.MkdirAll(SockRoot, 0700), "could not create daemon socket root")
+
+	id := fmt.Sprintf("d%s", stringid.TruncateID(stringid.GenerateRandomID()))
+	dir := filepath.Join(dest, id)
+	daemonFolder, err := filepath.Abs(dir)
+	assert.NilError(t, err, "Could not make %q an absolute path", dir)
+	daemonRoot := filepath.Join(daemonFolder, "root")
+
+	assert.NilError(t, os.MkdirAll(daemonRoot, 0755), "Could not create daemon root %q", dir)
+
+	userlandProxy := true
+	if env := os.Getenv("DOCKER_USERLANDPROXY"); env != "" {
+		if val, err := strconv.ParseBool(env); err != nil {
+			userlandProxy = val
+		}
+	}
+	d := &Daemon{
+		id:              id,
+		Folder:          daemonFolder,
+		Root:            daemonRoot,
+		storageDriver:   storageDriver,
+		userlandProxy:   userlandProxy,
+		execRoot:        filepath.Join(os.TempDir(), "docker-execroot", id),
+		dockerdBinary:   defaultDockerdBinary,
+		swarmListenAddr: defaultSwarmListenAddr,
+		SwarmPort:       DefaultSwarmPort,
+		log:             t,
+	}
+
+	for _, op := range ops {
+		op(d)
+	}
+
+	return d
+}
+
+// RootDir returns the root directory of the daemon.
+func (d *Daemon) RootDir() string {
+	return d.Root
+}
+
+// ID returns the generated id of the daemon
+func (d *Daemon) ID() string {
+	return d.id
+}
+
+// StorageDriver returns the configured storage driver of the daemon
+func (d *Daemon) StorageDriver() string {
+	return d.storageDriver
+}
+
+// Sock returns the socket path of the daemon
+func (d *Daemon) Sock() string {
+	return fmt.Sprintf("unix://" + d.sockPath())
+}
+
+func (d *Daemon) sockPath() string {
+	return filepath.Join(SockRoot, d.id+".sock")
+}
+
+// LogFileName returns the path the daemon's log file
+func (d *Daemon) LogFileName() string {
+	return d.logFile.Name()
+}
+
+// ReadLogFile returns the content of the daemon log file
+func (d *Daemon) ReadLogFile() ([]byte, error) {
+	return ioutil.ReadFile(d.logFile.Name())
+}
+
+// NewClient creates new client based on daemon's socket path
+// FIXME(vdemeester): replace NewClient with NewClientT
+func (d *Daemon) NewClient() (*client.Client, error) {
+	return client.NewClientWithOpts(
+		client.FromEnv,
+		client.WithHost(d.Sock()))
+}
+
+// NewClientT creates new client based on daemon's socket path
+// FIXME(vdemeester): replace NewClient with NewClientT
+func (d *Daemon) NewClientT(t assert.TestingT) *client.Client {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	c, err := client.NewClientWithOpts(
+		client.FromEnv,
+		client.WithHost(d.Sock()))
+	assert.NilError(t, err, "cannot create daemon client")
+	return c
+}
+
+// Cleanup cleans the daemon files : exec root (network namespaces, ...), swarmkit files
+func (d *Daemon) Cleanup(t testingT) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	// Cleanup swarmkit wal files if present
+	cleanupRaftDir(t, d.Root)
+	cleanupNetworkNamespace(t, d.execRoot)
+}
+
+// Start starts the daemon and return once it is ready to receive requests.
+func (d *Daemon) Start(t testingT, args ...string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	if err := d.StartWithError(args...); err != nil {
+		t.Fatalf("Error starting daemon with arguments: %v", args)
+	}
+}
+
+// StartWithError starts the daemon and return once it is ready to receive requests.
+// It returns an error in case it couldn't start.
+func (d *Daemon) StartWithError(args ...string) error {
+	logFile, err := os.OpenFile(filepath.Join(d.Folder, "docker.log"), os.O_RDWR|os.O_CREATE|os.O_APPEND, 0600)
+	if err != nil {
+		return errors.Wrapf(err, "[%s] Could not create %s/docker.log", d.id, d.Folder)
+	}
+
+	return d.StartWithLogFile(logFile, args...)
+}
+
+// StartWithLogFile will start the daemon and attach its streams to a given file.
+func (d *Daemon) StartWithLogFile(out *os.File, providedArgs ...string) error {
+	d.handleUserns()
+	dockerdBinary, err := exec.LookPath(d.dockerdBinary)
+	if err != nil {
+		return errors.Wrapf(err, "[%s] could not find docker binary in $PATH", d.id)
+	}
+	args := append(d.GlobalFlags,
+		"--containerd", "/var/run/docker/containerd/docker-containerd.sock",
+		"--data-root", d.Root,
+		"--exec-root", d.execRoot,
+		"--pidfile", fmt.Sprintf("%s/docker.pid", d.Folder),
+		fmt.Sprintf("--userland-proxy=%t", d.userlandProxy),
+	)
+	if d.experimental {
+		args = append(args, "--experimental")
+	}
+	if d.init {
+		args = append(args, "--init")
+	}
+	if !(d.UseDefaultHost || d.UseDefaultTLSHost) {
+		args = append(args, []string{"--host", d.Sock()}...)
+	}
+	if root := os.Getenv("DOCKER_REMAP_ROOT"); root != "" {
+		args = append(args, []string{"--userns-remap", root}...)
+	}
+
+	// If we don't explicitly set the log-level or debug flag(-D) then
+	// turn on debug mode
+	foundLog := false
+	foundSd := false
+	for _, a := range providedArgs {
+		if strings.Contains(a, "--log-level") || strings.Contains(a, "-D") || strings.Contains(a, "--debug") {
+			foundLog = true
+		}
+		if strings.Contains(a, "--storage-driver") {
+			foundSd = true
+		}
+	}
+	if !foundLog {
+		args = append(args, "--debug")
+	}
+	if d.storageDriver != "" && !foundSd {
+		args = append(args, "--storage-driver", d.storageDriver)
+	}
+
+	args = append(args, providedArgs...)
+	d.cmd = exec.Command(dockerdBinary, args...)
+	d.cmd.Env = append(os.Environ(), "DOCKER_SERVICE_PREFER_OFFLINE_IMAGE=1")
+	d.cmd.Stdout = out
+	d.cmd.Stderr = out
+	d.logFile = out
+
+	if err := d.cmd.Start(); err != nil {
+		return errors.Errorf("[%s] could not start daemon container: %v", d.id, err)
+	}
+
+	wait := make(chan error)
+
+	go func() {
+		wait <- d.cmd.Wait()
+		d.log.Logf("[%s] exiting daemon", d.id)
+		close(wait)
+	}()
+
+	d.Wait = wait
+
+	tick := time.Tick(500 * time.Millisecond)
+	// make sure daemon is ready to receive requests
+	startTime := time.Now().Unix()
+	for {
+		d.log.Logf("[%s] waiting for daemon to start", d.id)
+		if time.Now().Unix()-startTime > 5 {
+			// After 5 seconds, give up
+			return errors.Errorf("[%s] Daemon exited and never started", d.id)
+		}
+		select {
+		case <-time.After(2 * time.Second):
+			return errors.Errorf("[%s] timeout: daemon does not respond", d.id)
+		case <-tick:
+			clientConfig, err := d.getClientConfig()
+			if err != nil {
+				return err
+			}
+
+			client := &http.Client{
+				Transport: clientConfig.transport,
+			}
+
+			req, err := http.NewRequest("GET", "/_ping", nil)
+			if err != nil {
+				return errors.Wrapf(err, "[%s] could not create new request", d.id)
+			}
+			req.URL.Host = clientConfig.addr
+			req.URL.Scheme = clientConfig.scheme
+			resp, err := client.Do(req)
+			if err != nil {
+				continue
+			}
+			resp.Body.Close()
+			if resp.StatusCode != http.StatusOK {
+				d.log.Logf("[%s] received status != 200 OK: %s\n", d.id, resp.Status)
+			}
+			d.log.Logf("[%s] daemon started\n", d.id)
+			d.Root, err = d.queryRootDir()
+			if err != nil {
+				return errors.Errorf("[%s] error querying daemon for root directory: %v", d.id, err)
+			}
+			return nil
+		case <-d.Wait:
+			return errors.Errorf("[%s] Daemon exited during startup", d.id)
+		}
+	}
+}
+
+// StartWithBusybox will first start the daemon with Daemon.Start()
+// then save the busybox image from the main daemon and load it into this Daemon instance.
+func (d *Daemon) StartWithBusybox(t testingT, arg ...string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	d.Start(t, arg...)
+	d.LoadBusybox(t)
+}
+
+// Kill will send a SIGKILL to the daemon
+func (d *Daemon) Kill() error {
+	if d.cmd == nil || d.Wait == nil {
+		return errDaemonNotStarted
+	}
+
+	defer func() {
+		d.logFile.Close()
+		d.cmd = nil
+	}()
+
+	if err := d.cmd.Process.Kill(); err != nil {
+		return err
+	}
+
+	return os.Remove(fmt.Sprintf("%s/docker.pid", d.Folder))
+}
+
+// Pid returns the pid of the daemon
+func (d *Daemon) Pid() int {
+	return d.cmd.Process.Pid
+}
+
+// Interrupt stops the daemon by sending it an Interrupt signal
+func (d *Daemon) Interrupt() error {
+	return d.Signal(os.Interrupt)
+}
+
+// Signal sends the specified signal to the daemon if running
+func (d *Daemon) Signal(signal os.Signal) error {
+	if d.cmd == nil || d.Wait == nil {
+		return errDaemonNotStarted
+	}
+	return d.cmd.Process.Signal(signal)
+}
+
+// DumpStackAndQuit sends SIGQUIT to the daemon, which triggers it to dump its
+// stack to its log file and exit
+// This is used primarily for gathering debug information on test timeout
+func (d *Daemon) DumpStackAndQuit() {
+	if d.cmd == nil || d.cmd.Process == nil {
+		return
+	}
+	SignalDaemonDump(d.cmd.Process.Pid)
+}
+
+// Stop will send a SIGINT every second and wait for the daemon to stop.
+// If it times out, a SIGKILL is sent.
+// Stop will not delete the daemon directory. If a purged daemon is needed,
+// instantiate a new one with NewDaemon.
+// If an error occurs while starting the daemon, the test will fail.
+func (d *Daemon) Stop(t testingT) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	err := d.StopWithError()
+	if err != nil {
+		if err != errDaemonNotStarted {
+			t.Fatalf("Error while stopping the daemon %s : %v", d.id, err)
+		} else {
+			t.Logf("Daemon %s is not started", d.id)
+		}
+	}
+}
+
+// StopWithError will send a SIGINT every second and wait for the daemon to stop.
+// If it timeouts, a SIGKILL is sent.
+// Stop will not delete the daemon directory. If a purged daemon is needed,
+// instantiate a new one with NewDaemon.
+func (d *Daemon) StopWithError() error {
+	if d.cmd == nil || d.Wait == nil {
+		return errDaemonNotStarted
+	}
+
+	defer func() {
+		d.logFile.Close()
+		d.cmd = nil
+	}()
+
+	i := 1
+	tick := time.Tick(time.Second)
+
+	if err := d.cmd.Process.Signal(os.Interrupt); err != nil {
+		if strings.Contains(err.Error(), "os: process already finished") {
+			return errDaemonNotStarted
+		}
+		return errors.Errorf("could not send signal: %v", err)
+	}
+out1:
+	for {
+		select {
+		case err := <-d.Wait:
+			return err
+		case <-time.After(20 * time.Second):
+			// time for stopping jobs and run onShutdown hooks
+			d.log.Logf("[%s] daemon started", d.id)
+			break out1
+		}
+	}
+
+out2:
+	for {
+		select {
+		case err := <-d.Wait:
+			return err
+		case <-tick:
+			i++
+			if i > 5 {
+				d.log.Logf("tried to interrupt daemon for %d times, now try to kill it", i)
+				break out2
+			}
+			d.log.Logf("Attempt #%d: daemon is still running with pid %d", i, d.cmd.Process.Pid)
+			if err := d.cmd.Process.Signal(os.Interrupt); err != nil {
+				return errors.Errorf("could not send signal: %v", err)
+			}
+		}
+	}
+
+	if err := d.cmd.Process.Kill(); err != nil {
+		d.log.Logf("Could not kill daemon: %v", err)
+		return err
+	}
+
+	d.cmd.Wait()
+
+	return os.Remove(fmt.Sprintf("%s/docker.pid", d.Folder))
+}
+
+// Restart will restart the daemon by first stopping it and the starting it.
+// If an error occurs while starting the daemon, the test will fail.
+func (d *Daemon) Restart(t testingT, args ...string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	d.Stop(t)
+	d.Start(t, args...)
+}
+
+// RestartWithError will restart the daemon by first stopping it and then starting it.
+func (d *Daemon) RestartWithError(arg ...string) error {
+	if err := d.StopWithError(); err != nil {
+		return err
+	}
+	return d.StartWithError(arg...)
+}
+
+func (d *Daemon) handleUserns() {
+	// in the case of tests running a user namespace-enabled daemon, we have resolved
+	// d.Root to be the actual final path of the graph dir after the "uid.gid" of
+	// remapped root is added--we need to subtract it from the path before calling
+	// start or else we will continue making subdirectories rather than truly restarting
+	// with the same location/root:
+	if root := os.Getenv("DOCKER_REMAP_ROOT"); root != "" {
+		d.Root = filepath.Dir(d.Root)
+	}
+}
+
+// ReloadConfig asks the daemon to reload its configuration
+func (d *Daemon) ReloadConfig() error {
+	if d.cmd == nil || d.cmd.Process == nil {
+		return errors.New("daemon is not running")
+	}
+
+	errCh := make(chan error)
+	started := make(chan struct{})
+	go func() {
+		_, body, err := request.Get("/events", request.Host(d.Sock()))
+		close(started)
+		if err != nil {
+			errCh <- err
+		}
+		defer body.Close()
+		dec := json.NewDecoder(body)
+		for {
+			var e events.Message
+			if err := dec.Decode(&e); err != nil {
+				errCh <- err
+				return
+			}
+			if e.Type != events.DaemonEventType {
+				continue
+			}
+			if e.Action != "reload" {
+				continue
+			}
+			close(errCh) // notify that we are done
+			return
+		}
+	}()
+
+	<-started
+	if err := signalDaemonReload(d.cmd.Process.Pid); err != nil {
+		return errors.Errorf("error signaling daemon reload: %v", err)
+	}
+	select {
+	case err := <-errCh:
+		if err != nil {
+			return errors.Errorf("error waiting for daemon reload event: %v", err)
+		}
+	case <-time.After(30 * time.Second):
+		return errors.New("timeout waiting for daemon reload event")
+	}
+	return nil
+}
+
+// LoadBusybox image into the daemon
+func (d *Daemon) LoadBusybox(t assert.TestingT) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	clientHost, err := client.NewEnvClient()
+	assert.NilError(t, err, "failed to create client")
+	defer clientHost.Close()
+
+	ctx := context.Background()
+	reader, err := clientHost.ImageSave(ctx, []string{"busybox:latest"})
+	assert.NilError(t, err, "failed to download busybox")
+	defer reader.Close()
+
+	client, err := d.NewClient()
+	assert.NilError(t, err, "failed to create client")
+	defer client.Close()
+
+	resp, err := client.ImageLoad(ctx, reader, true)
+	assert.NilError(t, err, "failed to load busybox")
+	defer resp.Body.Close()
+}
+
+func (d *Daemon) getClientConfig() (*clientConfig, error) {
+	var (
+		transport *http.Transport
+		scheme    string
+		addr      string
+		proto     string
+	)
+	if d.UseDefaultTLSHost {
+		option := &tlsconfig.Options{
+			CAFile:   "fixtures/https/ca.pem",
+			CertFile: "fixtures/https/client-cert.pem",
+			KeyFile:  "fixtures/https/client-key.pem",
+		}
+		tlsConfig, err := tlsconfig.Client(*option)
+		if err != nil {
+			return nil, err
+		}
+		transport = &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+		addr = fmt.Sprintf("%s:%d", opts.DefaultHTTPHost, opts.DefaultTLSHTTPPort)
+		scheme = "https"
+		proto = "tcp"
+	} else if d.UseDefaultHost {
+		addr = opts.DefaultUnixSocket
+		proto = "unix"
+		scheme = "http"
+		transport = &http.Transport{}
+	} else {
+		addr = d.sockPath()
+		proto = "unix"
+		scheme = "http"
+		transport = &http.Transport{}
+	}
+
+	if err := sockets.ConfigureTransport(transport, proto, addr); err != nil {
+		return nil, err
+	}
+	transport.DisableKeepAlives = true
+
+	return &clientConfig{
+		transport: transport,
+		scheme:    scheme,
+		addr:      addr,
+	}, nil
+}
+
+func (d *Daemon) queryRootDir() (string, error) {
+	// update daemon root by asking /info endpoint (to support user
+	// namespaced daemon with root remapped uid.gid directory)
+	clientConfig, err := d.getClientConfig()
+	if err != nil {
+		return "", err
+	}
+
+	client := &http.Client{
+		Transport: clientConfig.transport,
+	}
+
+	req, err := http.NewRequest("GET", "/info", nil)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.URL.Host = clientConfig.addr
+	req.URL.Scheme = clientConfig.scheme
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	body := ioutils.NewReadCloserWrapper(resp.Body, func() error {
+		return resp.Body.Close()
+	})
+
+	type Info struct {
+		DockerRootDir string
+	}
+	var b []byte
+	var i Info
+	b, err = request.ReadBody(body)
+	if err == nil && resp.StatusCode == http.StatusOK {
+		// read the docker root dir
+		if err = json.Unmarshal(b, &i); err == nil {
+			return i.DockerRootDir, nil
+		}
+	}
+	return "", err
+}
+
+// Info returns the info struct for this daemon
+func (d *Daemon) Info(t assert.TestingT) types.Info {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	apiclient, err := d.NewClient()
+	assert.NilError(t, err)
+	info, err := apiclient.Info(context.Background())
+	assert.NilError(t, err)
+	return info
+}
+
+func cleanupRaftDir(t testingT, rootPath string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	walDir := filepath.Join(rootPath, "swarm/raft/wal")
+	if err := os.RemoveAll(walDir); err != nil {
+		t.Logf("error removing %v: %v", walDir, err)
+	}
+}
diff --git a/engine/internal/test/daemon/daemon_unix.go b/engine/internal/test/daemon/daemon_unix.go
new file mode 100644
index 00000000..9dd9e36f
--- /dev/null
+++ b/engine/internal/test/daemon/daemon_unix.go
@@ -0,0 +1,39 @@
+// +build !windows
+
+package daemon // import "github.com/docker/docker/internal/test/daemon"
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/internal/test"
+	"golang.org/x/sys/unix"
+)
+
+func cleanupNetworkNamespace(t testingT, execRoot string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	// Cleanup network namespaces in the exec root of this
+	// daemon because this exec root is specific to this
+	// daemon instance and has no chance of getting
+	// cleaned up when a new daemon is instantiated with a
+	// new exec root.
+	netnsPath := filepath.Join(execRoot, "netns")
+	filepath.Walk(netnsPath, func(path string, info os.FileInfo, err error) error {
+		if err := unix.Unmount(path, unix.MNT_FORCE); err != nil {
+			t.Logf("unmount of %s failed: %v", path, err)
+		}
+		os.Remove(path)
+		return nil
+	})
+}
+
+// SignalDaemonDump sends a signal to the daemon to write a dump file
+func SignalDaemonDump(pid int) {
+	unix.Kill(pid, unix.SIGQUIT)
+}
+
+func signalDaemonReload(pid int) error {
+	return unix.Kill(pid, unix.SIGHUP)
+}
diff --git a/engine/internal/test/daemon/daemon_windows.go b/engine/internal/test/daemon/daemon_windows.go
new file mode 100644
index 00000000..cb6bb6a4
--- /dev/null
+++ b/engine/internal/test/daemon/daemon_windows.go
@@ -0,0 +1,25 @@
+package daemon // import "github.com/docker/docker/internal/test/daemon"
+
+import (
+	"fmt"
+	"strconv"
+
+	"golang.org/x/sys/windows"
+)
+
+// SignalDaemonDump sends a signal to the daemon to write a dump file
+func SignalDaemonDump(pid int) {
+	ev, _ := windows.UTF16PtrFromString("Global\\docker-daemon-" + strconv.Itoa(pid))
+	h2, err := windows.OpenEvent(0x0002, false, ev)
+	if h2 == 0 || err != nil {
+		return
+	}
+	windows.PulseEvent(h2)
+}
+
+func signalDaemonReload(pid int) error {
+	return fmt.Errorf("daemon reload not supported")
+}
+
+func cleanupNetworkNamespace(t testingT, execRoot string) {
+}
diff --git a/engine/internal/test/daemon/node.go b/engine/internal/test/daemon/node.go
new file mode 100644
index 00000000..d9263a7f
--- /dev/null
+++ b/engine/internal/test/daemon/node.go
@@ -0,0 +1,82 @@
+package daemon
+
+import (
+	"context"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/internal/test"
+	"gotest.tools/assert"
+)
+
+// NodeConstructor defines a swarm node constructor
+type NodeConstructor func(*swarm.Node)
+
+// GetNode returns a swarm node identified by the specified id
+func (d *Daemon) GetNode(t assert.TestingT, id string) *swarm.Node {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	node, _, err := cli.NodeInspectWithRaw(context.Background(), id)
+	assert.NilError(t, err)
+	assert.Check(t, node.ID == id)
+	return &node
+}
+
+// RemoveNode removes the specified node
+func (d *Daemon) RemoveNode(t assert.TestingT, id string, force bool) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	options := types.NodeRemoveOptions{
+		Force: force,
+	}
+	err := cli.NodeRemove(context.Background(), id, options)
+	assert.NilError(t, err)
+}
+
+// UpdateNode updates a swarm node with the specified node constructor
+func (d *Daemon) UpdateNode(t assert.TestingT, id string, f ...NodeConstructor) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	for i := 0; ; i++ {
+		node := d.GetNode(t, id)
+		for _, fn := range f {
+			fn(node)
+		}
+
+		err := cli.NodeUpdate(context.Background(), node.ID, node.Version, node.Spec)
+		if i < 10 && err != nil && strings.Contains(err.Error(), "update out of sequence") {
+			time.Sleep(100 * time.Millisecond)
+			continue
+		}
+		assert.NilError(t, err)
+		return
+	}
+}
+
+// ListNodes returns the list of the current swarm nodes
+func (d *Daemon) ListNodes(t assert.TestingT) []swarm.Node {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	nodes, err := cli.NodeList(context.Background(), types.NodeListOptions{})
+	assert.NilError(t, err)
+
+	return nodes
+}
diff --git a/engine/internal/test/daemon/ops.go b/engine/internal/test/daemon/ops.go
new file mode 100644
index 00000000..34db073b
--- /dev/null
+++ b/engine/internal/test/daemon/ops.go
@@ -0,0 +1,44 @@
+package daemon
+
+import "github.com/docker/docker/internal/test/environment"
+
+// WithExperimental sets the daemon in experimental mode
+func WithExperimental(d *Daemon) {
+	d.experimental = true
+	d.init = true
+}
+
+// WithInit sets the daemon init
+func WithInit(d *Daemon) {
+	d.init = true
+}
+
+// WithDockerdBinary sets the dockerd binary to the specified one
+func WithDockerdBinary(dockerdBinary string) func(*Daemon) {
+	return func(d *Daemon) {
+		d.dockerdBinary = dockerdBinary
+	}
+}
+
+// WithSwarmPort sets the swarm port to use for swarm mode
+func WithSwarmPort(port int) func(*Daemon) {
+	return func(d *Daemon) {
+		d.SwarmPort = port
+	}
+}
+
+// WithSwarmListenAddr sets the swarm listen addr to use for swarm mode
+func WithSwarmListenAddr(listenAddr string) func(*Daemon) {
+	return func(d *Daemon) {
+		d.swarmListenAddr = listenAddr
+	}
+}
+
+// WithEnvironment sets options from internal/test/environment.Execution struct
+func WithEnvironment(e environment.Execution) func(*Daemon) {
+	return func(d *Daemon) {
+		if e.DaemonInfo.ExperimentalBuild {
+			d.experimental = true
+		}
+	}
+}
diff --git a/engine/internal/test/daemon/plugin.go b/engine/internal/test/daemon/plugin.go
new file mode 100644
index 00000000..63bbeed2
--- /dev/null
+++ b/engine/internal/test/daemon/plugin.go
@@ -0,0 +1,77 @@
+package daemon
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"gotest.tools/poll"
+)
+
+// PluginIsRunning provides a poller to check if the specified plugin is running
+func (d *Daemon) PluginIsRunning(name string) func(poll.LogT) poll.Result {
+	return withClient(d, withPluginInspect(name, func(plugin *types.Plugin, t poll.LogT) poll.Result {
+		if plugin.Enabled {
+			return poll.Success()
+		}
+		return poll.Continue("plugin %q is not enabled", name)
+	}))
+}
+
+// PluginIsNotRunning provides a poller to check if the specified plugin is not running
+func (d *Daemon) PluginIsNotRunning(name string) func(poll.LogT) poll.Result {
+	return withClient(d, withPluginInspect(name, func(plugin *types.Plugin, t poll.LogT) poll.Result {
+		if !plugin.Enabled {
+			return poll.Success()
+		}
+		return poll.Continue("plugin %q is enabled", name)
+	}))
+}
+
+// PluginIsNotPresent provides a poller to check if the specified plugin is not present
+func (d *Daemon) PluginIsNotPresent(name string) func(poll.LogT) poll.Result {
+	return withClient(d, func(c client.APIClient, t poll.LogT) poll.Result {
+		_, _, err := c.PluginInspectWithRaw(context.Background(), name)
+		if client.IsErrNotFound(err) {
+			return poll.Success()
+		}
+		if err != nil {
+			return poll.Error(err)
+		}
+		return poll.Continue("plugin %q exists", name)
+	})
+}
+
+// PluginReferenceIs provides a poller to check if the specified plugin has the specified reference
+func (d *Daemon) PluginReferenceIs(name, expectedRef string) func(poll.LogT) poll.Result {
+	return withClient(d, withPluginInspect(name, func(plugin *types.Plugin, t poll.LogT) poll.Result {
+		if plugin.PluginReference == expectedRef {
+			return poll.Success()
+		}
+		return poll.Continue("plugin %q reference is not %q", name, expectedRef)
+	}))
+}
+
+func withPluginInspect(name string, f func(*types.Plugin, poll.LogT) poll.Result) func(client.APIClient, poll.LogT) poll.Result {
+	return func(c client.APIClient, t poll.LogT) poll.Result {
+		plugin, _, err := c.PluginInspectWithRaw(context.Background(), name)
+		if client.IsErrNotFound(err) {
+			return poll.Continue("plugin %q not found", name)
+		}
+		if err != nil {
+			return poll.Error(err)
+		}
+		return f(plugin, t)
+	}
+
+}
+
+func withClient(d *Daemon, f func(client.APIClient, poll.LogT) poll.Result) func(poll.LogT) poll.Result {
+	return func(t poll.LogT) poll.Result {
+		c, err := d.NewClient()
+		if err != nil {
+			poll.Error(err)
+		}
+		return f(c, t)
+	}
+}
diff --git a/engine/internal/test/daemon/secret.go b/engine/internal/test/daemon/secret.go
new file mode 100644
index 00000000..f3db7a42
--- /dev/null
+++ b/engine/internal/test/daemon/secret.go
@@ -0,0 +1,84 @@
+package daemon
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/internal/test"
+	"gotest.tools/assert"
+)
+
+// SecretConstructor defines a swarm secret constructor
+type SecretConstructor func(*swarm.Secret)
+
+// CreateSecret creates a secret given the specified spec
+func (d *Daemon) CreateSecret(t assert.TestingT, secretSpec swarm.SecretSpec) string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	scr, err := cli.SecretCreate(context.Background(), secretSpec)
+	assert.NilError(t, err)
+
+	return scr.ID
+}
+
+// ListSecrets returns the list of the current swarm secrets
+func (d *Daemon) ListSecrets(t assert.TestingT) []swarm.Secret {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	secrets, err := cli.SecretList(context.Background(), types.SecretListOptions{})
+	assert.NilError(t, err)
+	return secrets
+}
+
+// GetSecret returns a swarm secret identified by the specified id
+func (d *Daemon) GetSecret(t assert.TestingT, id string) *swarm.Secret {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	secret, _, err := cli.SecretInspectWithRaw(context.Background(), id)
+	assert.NilError(t, err)
+	return &secret
+}
+
+// DeleteSecret removes the swarm secret identified by the specified id
+func (d *Daemon) DeleteSecret(t assert.TestingT, id string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	err := cli.SecretRemove(context.Background(), id)
+	assert.NilError(t, err)
+}
+
+// UpdateSecret updates the swarm secret identified by the specified id
+// Currently, only label update is supported.
+func (d *Daemon) UpdateSecret(t assert.TestingT, id string, f ...SecretConstructor) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	secret := d.GetSecret(t, id)
+	for _, fn := range f {
+		fn(secret)
+	}
+
+	err := cli.SecretUpdate(context.Background(), secret.ID, secret.Version, secret.Spec)
+
+	assert.NilError(t, err)
+}
diff --git a/engine/internal/test/daemon/service.go b/engine/internal/test/daemon/service.go
new file mode 100644
index 00000000..0f88ca78
--- /dev/null
+++ b/engine/internal/test/daemon/service.go
@@ -0,0 +1,131 @@
+package daemon
+
+import (
+	"context"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/internal/test"
+	"gotest.tools/assert"
+)
+
+// ServiceConstructor defines a swarm service constructor function
+type ServiceConstructor func(*swarm.Service)
+
+func (d *Daemon) createServiceWithOptions(t assert.TestingT, opts types.ServiceCreateOptions, f ...ServiceConstructor) string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	var service swarm.Service
+	for _, fn := range f {
+		fn(&service)
+	}
+
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	res, err := cli.ServiceCreate(ctx, service.Spec, opts)
+	assert.NilError(t, err)
+	return res.ID
+}
+
+// CreateService creates a swarm service given the specified service constructor
+func (d *Daemon) CreateService(t assert.TestingT, f ...ServiceConstructor) string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	return d.createServiceWithOptions(t, types.ServiceCreateOptions{}, f...)
+}
+
+// GetService returns the swarm service corresponding to the specified id
+func (d *Daemon) GetService(t assert.TestingT, id string) *swarm.Service {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	service, _, err := cli.ServiceInspectWithRaw(context.Background(), id, types.ServiceInspectOptions{})
+	assert.NilError(t, err)
+	return &service
+}
+
+// GetServiceTasks returns the swarm tasks for the specified service
+func (d *Daemon) GetServiceTasks(t assert.TestingT, service string) []swarm.Task {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	filterArgs := filters.NewArgs()
+	filterArgs.Add("desired-state", "running")
+	filterArgs.Add("service", service)
+
+	options := types.TaskListOptions{
+		Filters: filterArgs,
+	}
+
+	tasks, err := cli.TaskList(context.Background(), options)
+	assert.NilError(t, err)
+	return tasks
+}
+
+// UpdateService updates a swarm service with the specified service constructor
+func (d *Daemon) UpdateService(t assert.TestingT, service *swarm.Service, f ...ServiceConstructor) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	for _, fn := range f {
+		fn(service)
+	}
+
+	_, err := cli.ServiceUpdate(context.Background(), service.ID, service.Version, service.Spec, types.ServiceUpdateOptions{})
+	assert.NilError(t, err)
+}
+
+// RemoveService removes the specified service
+func (d *Daemon) RemoveService(t assert.TestingT, id string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	err := cli.ServiceRemove(context.Background(), id)
+	assert.NilError(t, err)
+}
+
+// ListServices returns the list of the current swarm services
+func (d *Daemon) ListServices(t assert.TestingT) []swarm.Service {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	services, err := cli.ServiceList(context.Background(), types.ServiceListOptions{})
+	assert.NilError(t, err)
+	return services
+}
+
+// GetTask returns the swarm task identified by the specified id
+func (d *Daemon) GetTask(t assert.TestingT, id string) swarm.Task {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	task, _, err := cli.TaskInspectWithRaw(context.Background(), id)
+	assert.NilError(t, err)
+	return task
+}
diff --git a/engine/internal/test/daemon/swarm.go b/engine/internal/test/daemon/swarm.go
new file mode 100644
index 00000000..e8e8b945
--- /dev/null
+++ b/engine/internal/test/daemon/swarm.go
@@ -0,0 +1,194 @@
+package daemon
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/internal/test"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+const (
+	// DefaultSwarmPort is the default port use for swarm in the tests
+	DefaultSwarmPort       = 2477
+	defaultSwarmListenAddr = "0.0.0.0"
+)
+
+// StartAndSwarmInit starts the daemon (with busybox) and init the swarm
+func (d *Daemon) StartAndSwarmInit(t testingT) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	// avoid networking conflicts
+	args := []string{"--iptables=false", "--swarm-default-advertise-addr=lo"}
+	d.StartWithBusybox(t, args...)
+
+	d.SwarmInit(t, swarm.InitRequest{})
+}
+
+// StartAndSwarmJoin starts the daemon (with busybox) and join the specified swarm as worker or manager
+func (d *Daemon) StartAndSwarmJoin(t testingT, leader *Daemon, manager bool) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	// avoid networking conflicts
+	args := []string{"--iptables=false", "--swarm-default-advertise-addr=lo"}
+	d.StartWithBusybox(t, args...)
+
+	tokens := leader.JoinTokens(t)
+	token := tokens.Worker
+	if manager {
+		token = tokens.Manager
+	}
+	d.SwarmJoin(t, swarm.JoinRequest{
+		RemoteAddrs: []string{leader.SwarmListenAddr()},
+		JoinToken:   token,
+	})
+}
+
+// SpecConstructor defines a swarm spec constructor
+type SpecConstructor func(*swarm.Spec)
+
+// SwarmListenAddr returns the listen-addr used for the daemon
+func (d *Daemon) SwarmListenAddr() string {
+	return fmt.Sprintf("%s:%d", d.swarmListenAddr, d.SwarmPort)
+}
+
+// NodeID returns the swarm mode node ID
+func (d *Daemon) NodeID() string {
+	return d.CachedInfo.Swarm.NodeID
+}
+
+// SwarmInit initializes a new swarm cluster.
+func (d *Daemon) SwarmInit(t assert.TestingT, req swarm.InitRequest) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	if req.ListenAddr == "" {
+		req.ListenAddr = fmt.Sprintf("%s:%d", d.swarmListenAddr, d.SwarmPort)
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+	_, err := cli.SwarmInit(context.Background(), req)
+	assert.NilError(t, err, "initializing swarm")
+	d.CachedInfo = d.Info(t)
+}
+
+// SwarmJoin joins a daemon to an existing cluster.
+func (d *Daemon) SwarmJoin(t assert.TestingT, req swarm.JoinRequest) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	if req.ListenAddr == "" {
+		req.ListenAddr = fmt.Sprintf("%s:%d", d.swarmListenAddr, d.SwarmPort)
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+	err := cli.SwarmJoin(context.Background(), req)
+	assert.NilError(t, err, "initializing swarm")
+	d.CachedInfo = d.Info(t)
+}
+
+// SwarmLeave forces daemon to leave current cluster.
+func (d *Daemon) SwarmLeave(force bool) error {
+	cli, err := d.NewClient()
+	if err != nil {
+		return fmt.Errorf("leaving swarm: failed to create client %v", err)
+	}
+	defer cli.Close()
+	err = cli.SwarmLeave(context.Background(), force)
+	if err != nil {
+		err = fmt.Errorf("leaving swarm: %v", err)
+	}
+	return err
+}
+
+// SwarmInfo returns the swarm information of the daemon
+func (d *Daemon) SwarmInfo(t assert.TestingT) swarm.Info {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	info, err := cli.Info(context.Background())
+	assert.NilError(t, err, "get swarm info")
+	return info.Swarm
+}
+
+// SwarmUnlock tries to unlock a locked swarm
+func (d *Daemon) SwarmUnlock(req swarm.UnlockRequest) error {
+	cli, err := d.NewClient()
+	if err != nil {
+		return fmt.Errorf("unlocking swarm: failed to create client %v", err)
+	}
+	defer cli.Close()
+	err = cli.SwarmUnlock(context.Background(), req)
+	if err != nil {
+		err = errors.Wrap(err, "unlocking swarm")
+	}
+	return err
+}
+
+// GetSwarm returns the current swarm object
+func (d *Daemon) GetSwarm(t assert.TestingT) swarm.Swarm {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	sw, err := cli.SwarmInspect(context.Background())
+	assert.NilError(t, err)
+	return sw
+}
+
+// UpdateSwarm updates the current swarm object with the specified spec constructors
+func (d *Daemon) UpdateSwarm(t assert.TestingT, f ...SpecConstructor) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	sw := d.GetSwarm(t)
+	for _, fn := range f {
+		fn(&sw.Spec)
+	}
+
+	err := cli.SwarmUpdate(context.Background(), sw.Version, sw.Spec, swarm.UpdateFlags{})
+	assert.NilError(t, err)
+}
+
+// RotateTokens update the swarm to rotate tokens
+func (d *Daemon) RotateTokens(t assert.TestingT) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	sw, err := cli.SwarmInspect(context.Background())
+	assert.NilError(t, err)
+
+	flags := swarm.UpdateFlags{
+		RotateManagerToken: true,
+		RotateWorkerToken:  true,
+	}
+
+	err = cli.SwarmUpdate(context.Background(), sw.Version, sw.Spec, flags)
+	assert.NilError(t, err)
+}
+
+// JoinTokens returns the current swarm join tokens
+func (d *Daemon) JoinTokens(t assert.TestingT) swarm.JoinTokens {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	cli := d.NewClientT(t)
+	defer cli.Close()
+
+	sw, err := cli.SwarmInspect(context.Background())
+	assert.NilError(t, err)
+	return sw.JoinTokens
+}
diff --git a/engine/internal/test/environment/clean.go b/engine/internal/test/environment/clean.go
new file mode 100644
index 00000000..93dee593
--- /dev/null
+++ b/engine/internal/test/environment/clean.go
@@ -0,0 +1,217 @@
+package environment // import "github.com/docker/docker/internal/test/environment"
+
+import (
+	"context"
+	"regexp"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/internal/test"
+	"gotest.tools/assert"
+)
+
+type testingT interface {
+	assert.TestingT
+	logT
+	Fatalf(string, ...interface{})
+}
+
+type logT interface {
+	Logf(string, ...interface{})
+}
+
+// Clean the environment, preserving protected objects (images, containers, ...)
+// and removing everything else. It's meant to run after any tests so that they don't
+// depend on each others.
+func (e *Execution) Clean(t assert.TestingT) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	client := e.APIClient()
+
+	platform := e.OSType
+	if (platform != "windows") || (platform == "windows" && e.DaemonInfo.Isolation == "hyperv") {
+		unpauseAllContainers(t, client)
+	}
+	deleteAllContainers(t, client, e.protectedElements.containers)
+	deleteAllImages(t, client, e.protectedElements.images)
+	deleteAllVolumes(t, client, e.protectedElements.volumes)
+	deleteAllNetworks(t, client, platform, e.protectedElements.networks)
+	if platform == "linux" {
+		deleteAllPlugins(t, client, e.protectedElements.plugins)
+	}
+}
+
+func unpauseAllContainers(t assert.TestingT, client client.ContainerAPIClient) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	ctx := context.Background()
+	containers := getPausedContainers(ctx, t, client)
+	if len(containers) > 0 {
+		for _, container := range containers {
+			err := client.ContainerUnpause(ctx, container.ID)
+			assert.Check(t, err, "failed to unpause container %s", container.ID)
+		}
+	}
+}
+
+func getPausedContainers(ctx context.Context, t assert.TestingT, client client.ContainerAPIClient) []types.Container {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	filter := filters.NewArgs()
+	filter.Add("status", "paused")
+	containers, err := client.ContainerList(ctx, types.ContainerListOptions{
+		Filters: filter,
+		Quiet:   true,
+		All:     true,
+	})
+	assert.Check(t, err, "failed to list containers")
+	return containers
+}
+
+var alreadyExists = regexp.MustCompile(`Error response from daemon: removal of container (\w+) is already in progress`)
+
+func deleteAllContainers(t assert.TestingT, apiclient client.ContainerAPIClient, protectedContainers map[string]struct{}) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	ctx := context.Background()
+	containers := getAllContainers(ctx, t, apiclient)
+	if len(containers) == 0 {
+		return
+	}
+
+	for _, container := range containers {
+		if _, ok := protectedContainers[container.ID]; ok {
+			continue
+		}
+		err := apiclient.ContainerRemove(ctx, container.ID, types.ContainerRemoveOptions{
+			Force:         true,
+			RemoveVolumes: true,
+		})
+		if err == nil || client.IsErrNotFound(err) || alreadyExists.MatchString(err.Error()) || isErrNotFoundSwarmClassic(err) {
+			continue
+		}
+		assert.Check(t, err, "failed to remove %s", container.ID)
+	}
+}
+
+func getAllContainers(ctx context.Context, t assert.TestingT, client client.ContainerAPIClient) []types.Container {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	containers, err := client.ContainerList(ctx, types.ContainerListOptions{
+		Quiet: true,
+		All:   true,
+	})
+	assert.Check(t, err, "failed to list containers")
+	return containers
+}
+
+func deleteAllImages(t assert.TestingT, apiclient client.ImageAPIClient, protectedImages map[string]struct{}) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	images, err := apiclient.ImageList(context.Background(), types.ImageListOptions{})
+	assert.Check(t, err, "failed to list images")
+
+	ctx := context.Background()
+	for _, image := range images {
+		tags := tagsFromImageSummary(image)
+		if len(tags) == 0 {
+			removeImage(ctx, t, apiclient, image.ID)
+			continue
+		}
+		for _, tag := range tags {
+			if _, ok := protectedImages[tag]; !ok {
+				removeImage(ctx, t, apiclient, tag)
+			}
+		}
+	}
+}
+
+func removeImage(ctx context.Context, t assert.TestingT, apiclient client.ImageAPIClient, ref string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	_, err := apiclient.ImageRemove(ctx, ref, types.ImageRemoveOptions{
+		Force: true,
+	})
+	if client.IsErrNotFound(err) {
+		return
+	}
+	assert.Check(t, err, "failed to remove image %s", ref)
+}
+
+func deleteAllVolumes(t assert.TestingT, c client.VolumeAPIClient, protectedVolumes map[string]struct{}) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	volumes, err := c.VolumeList(context.Background(), filters.Args{})
+	assert.Check(t, err, "failed to list volumes")
+
+	for _, v := range volumes.Volumes {
+		if _, ok := protectedVolumes[v.Name]; ok {
+			continue
+		}
+		err := c.VolumeRemove(context.Background(), v.Name, true)
+		// Docker EE may list volumes that no longer exist.
+		if isErrNotFoundSwarmClassic(err) {
+			continue
+		}
+		assert.Check(t, err, "failed to remove volume %s", v.Name)
+	}
+}
+
+func deleteAllNetworks(t assert.TestingT, c client.NetworkAPIClient, daemonPlatform string, protectedNetworks map[string]struct{}) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	networks, err := c.NetworkList(context.Background(), types.NetworkListOptions{})
+	assert.Check(t, err, "failed to list networks")
+
+	for _, n := range networks {
+		if n.Name == "bridge" || n.Name == "none" || n.Name == "host" {
+			continue
+		}
+		if _, ok := protectedNetworks[n.ID]; ok {
+			continue
+		}
+		if daemonPlatform == "windows" && strings.ToLower(n.Name) == "nat" {
+			// nat is a pre-defined network on Windows and cannot be removed
+			continue
+		}
+		err := c.NetworkRemove(context.Background(), n.ID)
+		assert.Check(t, err, "failed to remove network %s", n.ID)
+	}
+}
+
+func deleteAllPlugins(t assert.TestingT, c client.PluginAPIClient, protectedPlugins map[string]struct{}) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	plugins, err := c.PluginList(context.Background(), filters.Args{})
+	// Docker EE does not allow cluster-wide plugin management.
+	if client.IsErrNotImplemented(err) {
+		return
+	}
+	assert.Check(t, err, "failed to list plugins")
+
+	for _, p := range plugins {
+		if _, ok := protectedPlugins[p.Name]; ok {
+			continue
+		}
+		err := c.PluginRemove(context.Background(), p.Name, types.PluginRemoveOptions{Force: true})
+		assert.Check(t, err, "failed to remove plugin %s", p.ID)
+	}
+}
+
+// Swarm classic aggregates node errors and returns a 500 so we need to check
+// the error string instead of just IsErrNotFound().
+func isErrNotFoundSwarmClassic(err error) bool {
+	return err != nil && strings.Contains(strings.ToLower(err.Error()), "no such")
+}
diff --git a/engine/internal/test/environment/environment.go b/engine/internal/test/environment/environment.go
new file mode 100644
index 00000000..74c8e2ce
--- /dev/null
+++ b/engine/internal/test/environment/environment.go
@@ -0,0 +1,158 @@
+package environment // import "github.com/docker/docker/internal/test/environment"
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/internal/test/fixtures/load"
+	"github.com/pkg/errors"
+)
+
+// Execution contains information about the current test execution and daemon
+// under test
+type Execution struct {
+	client            client.APIClient
+	DaemonInfo        types.Info
+	OSType            string
+	PlatformDefaults  PlatformDefaults
+	protectedElements protectedElements
+}
+
+// PlatformDefaults are defaults values for the platform of the daemon under test
+type PlatformDefaults struct {
+	BaseImage            string
+	VolumesConfigPath    string
+	ContainerStoragePath string
+}
+
+// New creates a new Execution struct
+func New() (*Execution, error) {
+	client, err := client.NewClientWithOpts(client.FromEnv)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to create client")
+	}
+
+	info, err := client.Info(context.Background())
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to get info from daemon")
+	}
+
+	osType := getOSType(info)
+
+	return &Execution{
+		client:            client,
+		DaemonInfo:        info,
+		OSType:            osType,
+		PlatformDefaults:  getPlatformDefaults(info, osType),
+		protectedElements: newProtectedElements(),
+	}, nil
+}
+
+func getOSType(info types.Info) string {
+	// Docker EE does not set the OSType so allow the user to override this value.
+	userOsType := os.Getenv("TEST_OSTYPE")
+	if userOsType != "" {
+		return userOsType
+	}
+	return info.OSType
+}
+
+func getPlatformDefaults(info types.Info, osType string) PlatformDefaults {
+	volumesPath := filepath.Join(info.DockerRootDir, "volumes")
+	containersPath := filepath.Join(info.DockerRootDir, "containers")
+
+	switch osType {
+	case "linux":
+		return PlatformDefaults{
+			BaseImage:            "scratch",
+			VolumesConfigPath:    toSlash(volumesPath),
+			ContainerStoragePath: toSlash(containersPath),
+		}
+	case "windows":
+		baseImage := "microsoft/windowsservercore"
+		if override := os.Getenv("WINDOWS_BASE_IMAGE"); override != "" {
+			baseImage = override
+			fmt.Println("INFO: Windows Base image is ", baseImage)
+		}
+		return PlatformDefaults{
+			BaseImage:            baseImage,
+			VolumesConfigPath:    filepath.FromSlash(volumesPath),
+			ContainerStoragePath: filepath.FromSlash(containersPath),
+		}
+	default:
+		panic(fmt.Sprintf("unknown OSType for daemon: %s", osType))
+	}
+}
+
+// Make sure in context of daemon, not the local platform. Note we can't
+// use filepath.FromSlash or ToSlash here as they are a no-op on Unix.
+func toSlash(path string) string {
+	return strings.Replace(path, `\`, `/`, -1)
+}
+
+// IsLocalDaemon is true if the daemon under test is on the same
+// host as the test process.
+//
+// Deterministically working out the environment in which CI is running
+// to evaluate whether the daemon is local or remote is not possible through
+// a build tag.
+//
+// For example Windows to Linux CI under Jenkins tests the 64-bit
+// Windows binary build with the daemon build tag, but calls a remote
+// Linux daemon.
+//
+// We can't just say if Windows then assume the daemon is local as at
+// some point, we will be testing the Windows CLI against a Windows daemon.
+//
+// Similarly, it will be perfectly valid to also run CLI tests from
+// a Linux CLI (built with the daemon tag) against a Windows daemon.
+func (e *Execution) IsLocalDaemon() bool {
+	return os.Getenv("DOCKER_REMOTE_DAEMON") == ""
+}
+
+// IsRemoteDaemon is true if the daemon under test is on different host
+// as the test process.
+func (e *Execution) IsRemoteDaemon() bool {
+	return !e.IsLocalDaemon()
+}
+
+// DaemonAPIVersion returns the negotiated daemon api version
+func (e *Execution) DaemonAPIVersion() string {
+	version, err := e.APIClient().ServerVersion(context.TODO())
+	if err != nil {
+		return ""
+	}
+	return version.APIVersion
+}
+
+// Print the execution details to stdout
+// TODO: print everything
+func (e *Execution) Print() {
+	if e.IsLocalDaemon() {
+		fmt.Println("INFO: Testing against a local daemon")
+	} else {
+		fmt.Println("INFO: Testing against a remote daemon")
+	}
+}
+
+// APIClient returns an APIClient connected to the daemon under test
+func (e *Execution) APIClient() client.APIClient {
+	return e.client
+}
+
+// EnsureFrozenImagesLinux loads frozen test images into the daemon
+// if they aren't already loaded
+func EnsureFrozenImagesLinux(testEnv *Execution) error {
+	if testEnv.OSType == "linux" {
+		err := load.FrozenImagesLinux(testEnv.APIClient(), frozenImages...)
+		if err != nil {
+			return errors.Wrap(err, "error loading frozen images")
+		}
+	}
+	return nil
+}
diff --git a/engine/internal/test/environment/protect.go b/engine/internal/test/environment/protect.go
new file mode 100644
index 00000000..b5b27d2d
--- /dev/null
+++ b/engine/internal/test/environment/protect.go
@@ -0,0 +1,254 @@
+package environment // import "github.com/docker/docker/internal/test/environment"
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	dclient "github.com/docker/docker/client"
+	"github.com/docker/docker/internal/test"
+	"gotest.tools/assert"
+)
+
+var frozenImages = []string{"busybox:latest", "busybox:glibc", "hello-world:frozen", "debian:jessie"}
+
+type protectedElements struct {
+	containers map[string]struct{}
+	images     map[string]struct{}
+	networks   map[string]struct{}
+	plugins    map[string]struct{}
+	volumes    map[string]struct{}
+}
+
+func newProtectedElements() protectedElements {
+	return protectedElements{
+		containers: map[string]struct{}{},
+		images:     map[string]struct{}{},
+		networks:   map[string]struct{}{},
+		plugins:    map[string]struct{}{},
+		volumes:    map[string]struct{}{},
+	}
+}
+
+// ProtectAll protects the existing environment (containers, images, networks,
+// volumes, and, on Linux, plugins) from being cleaned up at the end of test
+// runs
+func ProtectAll(t testingT, testEnv *Execution) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	ProtectContainers(t, testEnv)
+	ProtectImages(t, testEnv)
+	ProtectNetworks(t, testEnv)
+	ProtectVolumes(t, testEnv)
+	if testEnv.OSType == "linux" {
+		ProtectPlugins(t, testEnv)
+	}
+}
+
+// ProtectContainer adds the specified container(s) to be protected in case of
+// clean
+func (e *Execution) ProtectContainer(t testingT, containers ...string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	for _, container := range containers {
+		e.protectedElements.containers[container] = struct{}{}
+	}
+}
+
+// ProtectContainers protects existing containers from being cleaned up at the
+// end of test runs
+func ProtectContainers(t testingT, testEnv *Execution) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	containers := getExistingContainers(t, testEnv)
+	testEnv.ProtectContainer(t, containers...)
+}
+
+func getExistingContainers(t assert.TestingT, testEnv *Execution) []string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	client := testEnv.APIClient()
+	containerList, err := client.ContainerList(context.Background(), types.ContainerListOptions{
+		All: true,
+	})
+	assert.NilError(t, err, "failed to list containers")
+
+	var containers []string
+	for _, container := range containerList {
+		containers = append(containers, container.ID)
+	}
+	return containers
+}
+
+// ProtectImage adds the specified image(s) to be protected in case of clean
+func (e *Execution) ProtectImage(t testingT, images ...string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	for _, image := range images {
+		e.protectedElements.images[image] = struct{}{}
+	}
+}
+
+// ProtectImages protects existing images and on linux frozen images from being
+// cleaned up at the end of test runs
+func ProtectImages(t testingT, testEnv *Execution) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	images := getExistingImages(t, testEnv)
+
+	if testEnv.OSType == "linux" {
+		images = append(images, frozenImages...)
+	}
+	testEnv.ProtectImage(t, images...)
+}
+
+func getExistingImages(t assert.TestingT, testEnv *Execution) []string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	client := testEnv.APIClient()
+	filter := filters.NewArgs()
+	filter.Add("dangling", "false")
+	imageList, err := client.ImageList(context.Background(), types.ImageListOptions{
+		All:     true,
+		Filters: filter,
+	})
+	assert.NilError(t, err, "failed to list images")
+
+	var images []string
+	for _, image := range imageList {
+		images = append(images, tagsFromImageSummary(image)...)
+	}
+	return images
+}
+
+func tagsFromImageSummary(image types.ImageSummary) []string {
+	var result []string
+	for _, tag := range image.RepoTags {
+		if tag != "<none>:<none>" {
+			result = append(result, tag)
+		}
+	}
+	for _, digest := range image.RepoDigests {
+		if digest != "<none>@<none>" {
+			result = append(result, digest)
+		}
+	}
+	return result
+}
+
+// ProtectNetwork adds the specified network(s) to be protected in case of
+// clean
+func (e *Execution) ProtectNetwork(t testingT, networks ...string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	for _, network := range networks {
+		e.protectedElements.networks[network] = struct{}{}
+	}
+}
+
+// ProtectNetworks protects existing networks from being cleaned up at the end
+// of test runs
+func ProtectNetworks(t testingT, testEnv *Execution) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	networks := getExistingNetworks(t, testEnv)
+	testEnv.ProtectNetwork(t, networks...)
+}
+
+func getExistingNetworks(t assert.TestingT, testEnv *Execution) []string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	client := testEnv.APIClient()
+	networkList, err := client.NetworkList(context.Background(), types.NetworkListOptions{})
+	assert.NilError(t, err, "failed to list networks")
+
+	var networks []string
+	for _, network := range networkList {
+		networks = append(networks, network.ID)
+	}
+	return networks
+}
+
+// ProtectPlugin adds the specified plugin(s) to be protected in case of clean
+func (e *Execution) ProtectPlugin(t testingT, plugins ...string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	for _, plugin := range plugins {
+		e.protectedElements.plugins[plugin] = struct{}{}
+	}
+}
+
+// ProtectPlugins protects existing plugins from being cleaned up at the end of
+// test runs
+func ProtectPlugins(t testingT, testEnv *Execution) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	plugins := getExistingPlugins(t, testEnv)
+	testEnv.ProtectPlugin(t, plugins...)
+}
+
+func getExistingPlugins(t assert.TestingT, testEnv *Execution) []string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	client := testEnv.APIClient()
+	pluginList, err := client.PluginList(context.Background(), filters.Args{})
+	// Docker EE does not allow cluster-wide plugin management.
+	if dclient.IsErrNotImplemented(err) {
+		return []string{}
+	}
+	assert.NilError(t, err, "failed to list plugins")
+
+	var plugins []string
+	for _, plugin := range pluginList {
+		plugins = append(plugins, plugin.Name)
+	}
+	return plugins
+}
+
+// ProtectVolume adds the specified volume(s) to be protected in case of clean
+func (e *Execution) ProtectVolume(t testingT, volumes ...string) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	for _, volume := range volumes {
+		e.protectedElements.volumes[volume] = struct{}{}
+	}
+}
+
+// ProtectVolumes protects existing volumes from being cleaned up at the end of
+// test runs
+func ProtectVolumes(t testingT, testEnv *Execution) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	volumes := getExistingVolumes(t, testEnv)
+	testEnv.ProtectVolume(t, volumes...)
+}
+
+func getExistingVolumes(t assert.TestingT, testEnv *Execution) []string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	client := testEnv.APIClient()
+	volumeList, err := client.VolumeList(context.Background(), filters.Args{})
+	assert.NilError(t, err, "failed to list volumes")
+
+	var volumes []string
+	for _, volume := range volumeList.Volumes {
+		volumes = append(volumes, volume.Name)
+	}
+	return volumes
+}
diff --git a/engine/internal/test/fakecontext/context.go b/engine/internal/test/fakecontext/context.go
new file mode 100644
index 00000000..8b11da20
--- /dev/null
+++ b/engine/internal/test/fakecontext/context.go
@@ -0,0 +1,131 @@
+package fakecontext // import "github.com/docker/docker/internal/test/fakecontext"
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/internal/test"
+	"github.com/docker/docker/pkg/archive"
+)
+
+type testingT interface {
+	Fatal(args ...interface{})
+	Fatalf(string, ...interface{})
+}
+
+// New creates a fake build context
+func New(t testingT, dir string, modifiers ...func(*Fake) error) *Fake {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	fakeContext := &Fake{Dir: dir}
+	if dir == "" {
+		if err := newDir(fakeContext); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	for _, modifier := range modifiers {
+		if err := modifier(fakeContext); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	return fakeContext
+}
+
+func newDir(fake *Fake) error {
+	tmp, err := ioutil.TempDir("", "fake-context")
+	if err != nil {
+		return err
+	}
+	if err := os.Chmod(tmp, 0755); err != nil {
+		return err
+	}
+	fake.Dir = tmp
+	return nil
+}
+
+// WithFile adds the specified file (with content) in the build context
+func WithFile(name, content string) func(*Fake) error {
+	return func(ctx *Fake) error {
+		return ctx.Add(name, content)
+	}
+}
+
+// WithDockerfile adds the specified content as Dockerfile in the build context
+func WithDockerfile(content string) func(*Fake) error {
+	return WithFile("Dockerfile", content)
+}
+
+// WithFiles adds the specified files in the build context, content is a string
+func WithFiles(files map[string]string) func(*Fake) error {
+	return func(fakeContext *Fake) error {
+		for file, content := range files {
+			if err := fakeContext.Add(file, content); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+// WithBinaryFiles adds the specified files in the build context, content is binary
+func WithBinaryFiles(files map[string]*bytes.Buffer) func(*Fake) error {
+	return func(fakeContext *Fake) error {
+		for file, content := range files {
+			if err := fakeContext.Add(file, content.String()); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+// Fake creates directories that can be used as a build context
+type Fake struct {
+	Dir string
+}
+
+// Add a file at a path, creating directories where necessary
+func (f *Fake) Add(file, content string) error {
+	return f.addFile(file, []byte(content))
+}
+
+func (f *Fake) addFile(file string, content []byte) error {
+	fp := filepath.Join(f.Dir, filepath.FromSlash(file))
+	dirpath := filepath.Dir(fp)
+	if dirpath != "." {
+		if err := os.MkdirAll(dirpath, 0755); err != nil {
+			return err
+		}
+	}
+	return ioutil.WriteFile(fp, content, 0644)
+
+}
+
+// Delete a file at a path
+func (f *Fake) Delete(file string) error {
+	fp := filepath.Join(f.Dir, filepath.FromSlash(file))
+	return os.RemoveAll(fp)
+}
+
+// Close deletes the context
+func (f *Fake) Close() error {
+	return os.RemoveAll(f.Dir)
+}
+
+// AsTarReader returns a ReadCloser with the contents of Dir as a tar archive.
+func (f *Fake) AsTarReader(t testingT) io.ReadCloser {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	reader, err := archive.TarWithOptions(f.Dir, &archive.TarOptions{})
+	if err != nil {
+		t.Fatalf("Failed to create tar from %s: %s", f.Dir, err)
+	}
+	return reader
+}
diff --git a/engine/internal/test/fakegit/fakegit.go b/engine/internal/test/fakegit/fakegit.go
new file mode 100644
index 00000000..605d1baa
--- /dev/null
+++ b/engine/internal/test/fakegit/fakegit.go
@@ -0,0 +1,136 @@
+package fakegit // import "github.com/docker/docker/internal/test/fakegit"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/docker/docker/internal/test"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/docker/internal/test/fakestorage"
+	"gotest.tools/assert"
+)
+
+type testingT interface {
+	assert.TestingT
+	logT
+	skipT
+	Fatal(args ...interface{})
+	Fatalf(string, ...interface{})
+}
+
+type logT interface {
+	Logf(string, ...interface{})
+}
+
+type skipT interface {
+	Skip(reason string)
+}
+
+type gitServer interface {
+	URL() string
+	Close() error
+}
+
+type localGitServer struct {
+	*httptest.Server
+}
+
+func (r *localGitServer) Close() error {
+	r.Server.Close()
+	return nil
+}
+
+func (r *localGitServer) URL() string {
+	return r.Server.URL
+}
+
+// FakeGit is a fake git server
+type FakeGit struct {
+	root    string
+	server  gitServer
+	RepoURL string
+}
+
+// Close closes the server, implements Closer interface
+func (g *FakeGit) Close() {
+	g.server.Close()
+	os.RemoveAll(g.root)
+}
+
+// New create a fake git server that can be used for git related tests
+func New(c testingT, name string, files map[string]string, enforceLocalServer bool) *FakeGit {
+	if ht, ok := c.(test.HelperT); ok {
+		ht.Helper()
+	}
+	ctx := fakecontext.New(c, "", fakecontext.WithFiles(files))
+	defer ctx.Close()
+	curdir, err := os.Getwd()
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.Chdir(curdir)
+
+	if output, err := exec.Command("git", "init", ctx.Dir).CombinedOutput(); err != nil {
+		c.Fatalf("error trying to init repo: %s (%s)", err, output)
+	}
+	err = os.Chdir(ctx.Dir)
+	if err != nil {
+		c.Fatal(err)
+	}
+	if output, err := exec.Command("git", "config", "user.name", "Fake User").CombinedOutput(); err != nil {
+		c.Fatalf("error trying to set 'user.name': %s (%s)", err, output)
+	}
+	if output, err := exec.Command("git", "config", "user.email", "fake.user@example.com").CombinedOutput(); err != nil {
+		c.Fatalf("error trying to set 'user.email': %s (%s)", err, output)
+	}
+	if output, err := exec.Command("git", "add", "*").CombinedOutput(); err != nil {
+		c.Fatalf("error trying to add files to repo: %s (%s)", err, output)
+	}
+	if output, err := exec.Command("git", "commit", "-a", "-m", "Initial commit").CombinedOutput(); err != nil {
+		c.Fatalf("error trying to commit to repo: %s (%s)", err, output)
+	}
+
+	root, err := ioutil.TempDir("", "docker-test-git-repo")
+	if err != nil {
+		c.Fatal(err)
+	}
+	repoPath := filepath.Join(root, name+".git")
+	if output, err := exec.Command("git", "clone", "--bare", ctx.Dir, repoPath).CombinedOutput(); err != nil {
+		os.RemoveAll(root)
+		c.Fatalf("error trying to clone --bare: %s (%s)", err, output)
+	}
+	err = os.Chdir(repoPath)
+	if err != nil {
+		os.RemoveAll(root)
+		c.Fatal(err)
+	}
+	if output, err := exec.Command("git", "update-server-info").CombinedOutput(); err != nil {
+		os.RemoveAll(root)
+		c.Fatalf("error trying to git update-server-info: %s (%s)", err, output)
+	}
+	err = os.Chdir(curdir)
+	if err != nil {
+		os.RemoveAll(root)
+		c.Fatal(err)
+	}
+
+	var server gitServer
+	if !enforceLocalServer {
+		// use fakeStorage server, which might be local or remote (at test daemon)
+		server = fakestorage.New(c, root)
+	} else {
+		// always start a local http server on CLI test machine
+		httpServer := httptest.NewServer(http.FileServer(http.Dir(root)))
+		server = &localGitServer{httpServer}
+	}
+	return &FakeGit{
+		root:    root,
+		server:  server,
+		RepoURL: fmt.Sprintf("%s/%s.git", server.URL(), name),
+	}
+}
diff --git a/engine/internal/test/fakestorage/fixtures.go b/engine/internal/test/fakestorage/fixtures.go
new file mode 100644
index 00000000..ad8f7631
--- /dev/null
+++ b/engine/internal/test/fakestorage/fixtures.go
@@ -0,0 +1,92 @@
+package fakestorage // import "github.com/docker/docker/internal/test/fakestorage"
+
+import (
+	"context"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sync"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/internal/test"
+	"github.com/docker/docker/pkg/archive"
+	"gotest.tools/assert"
+)
+
+var ensureHTTPServerOnce sync.Once
+
+func ensureHTTPServerImage(t testingT) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	var doIt bool
+	ensureHTTPServerOnce.Do(func() {
+		doIt = true
+	})
+
+	if !doIt {
+		return
+	}
+
+	defer testEnv.ProtectImage(t, "httpserver:latest")
+
+	tmp, err := ioutil.TempDir("", "docker-http-server-test")
+	if err != nil {
+		t.Fatalf("could not build http server: %v", err)
+	}
+	defer os.RemoveAll(tmp)
+
+	goos := testEnv.OSType
+	if goos == "" {
+		goos = "linux"
+	}
+	goarch := os.Getenv("DOCKER_ENGINE_GOARCH")
+	if goarch == "" {
+		goarch = "amd64"
+	}
+
+	cpCmd, lookErr := exec.LookPath("cp")
+	if lookErr != nil {
+		t.Fatalf("could not build http server: %v", lookErr)
+	}
+
+	if _, err = os.Stat("../contrib/httpserver/httpserver"); os.IsNotExist(err) {
+		goCmd, lookErr := exec.LookPath("go")
+		if lookErr != nil {
+			t.Fatalf("could not build http server: %v", lookErr)
+		}
+
+		cmd := exec.Command(goCmd, "build", "-o", filepath.Join(tmp, "httpserver"), "github.com/docker/docker/contrib/httpserver")
+		cmd.Env = append(os.Environ(), []string{
+			"CGO_ENABLED=0",
+			"GOOS=" + goos,
+			"GOARCH=" + goarch,
+		}...)
+		var out []byte
+		if out, err = cmd.CombinedOutput(); err != nil {
+			t.Fatalf("could not build http server: %s", string(out))
+		}
+	} else {
+		if out, err := exec.Command(cpCmd, "../contrib/httpserver/httpserver", filepath.Join(tmp, "httpserver")).CombinedOutput(); err != nil {
+			t.Fatalf("could not copy http server: %v", string(out))
+		}
+	}
+
+	if out, err := exec.Command(cpCmd, "../contrib/httpserver/Dockerfile", filepath.Join(tmp, "Dockerfile")).CombinedOutput(); err != nil {
+		t.Fatalf("could not build http server: %v", string(out))
+	}
+
+	c := testEnv.APIClient()
+	reader, err := archive.TarWithOptions(tmp, &archive.TarOptions{})
+	assert.NilError(t, err)
+	resp, err := c.ImageBuild(context.Background(), reader, types.ImageBuildOptions{
+		Remove:      true,
+		ForceRemove: true,
+		Tags:        []string{"httpserver"},
+	})
+	assert.NilError(t, err)
+	_, err = io.Copy(ioutil.Discard, resp.Body)
+	assert.NilError(t, err)
+}
diff --git a/engine/internal/test/fakestorage/storage.go b/engine/internal/test/fakestorage/storage.go
new file mode 100644
index 00000000..b091cbc3
--- /dev/null
+++ b/engine/internal/test/fakestorage/storage.go
@@ -0,0 +1,200 @@
+package fakestorage // import "github.com/docker/docker/internal/test/fakestorage"
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/internal/test"
+	"github.com/docker/docker/internal/test/environment"
+	"github.com/docker/docker/internal/test/fakecontext"
+	"github.com/docker/docker/internal/test/request"
+	"github.com/docker/docker/internal/testutil"
+	"github.com/docker/go-connections/nat"
+	"gotest.tools/assert"
+)
+
+var testEnv *environment.Execution
+
+type testingT interface {
+	assert.TestingT
+	logT
+	skipT
+	Fatal(args ...interface{})
+	Fatalf(string, ...interface{})
+}
+
+type logT interface {
+	Logf(string, ...interface{})
+}
+
+type skipT interface {
+	Skip(reason string)
+}
+
+// Fake is a static file server. It might be running locally or remotely
+// on test host.
+type Fake interface {
+	Close() error
+	URL() string
+	CtxDir() string
+}
+
+// SetTestEnvironment sets a static test environment
+// TODO: decouple this package from environment
+func SetTestEnvironment(env *environment.Execution) {
+	testEnv = env
+}
+
+// New returns a static file server that will be use as build context.
+func New(t testingT, dir string, modifiers ...func(*fakecontext.Fake) error) Fake {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	if testEnv == nil {
+		t.Fatal("fakstorage package requires SetTestEnvironment() to be called before use.")
+	}
+	ctx := fakecontext.New(t, dir, modifiers...)
+	switch {
+	case testEnv.IsRemoteDaemon() && strings.HasPrefix(request.DaemonHost(), "unix:///"):
+		t.Skip(fmt.Sprintf("e2e run : daemon is remote but docker host points to a unix socket"))
+	case testEnv.IsLocalDaemon():
+		return newLocalFakeStorage(ctx)
+	default:
+		return newRemoteFileServer(t, ctx, testEnv.APIClient())
+	}
+	return nil
+}
+
+// localFileStorage is a file storage on the running machine
+type localFileStorage struct {
+	*fakecontext.Fake
+	*httptest.Server
+}
+
+func (s *localFileStorage) URL() string {
+	return s.Server.URL
+}
+
+func (s *localFileStorage) CtxDir() string {
+	return s.Fake.Dir
+}
+
+func (s *localFileStorage) Close() error {
+	defer s.Server.Close()
+	return s.Fake.Close()
+}
+
+func newLocalFakeStorage(ctx *fakecontext.Fake) *localFileStorage {
+	handler := http.FileServer(http.Dir(ctx.Dir))
+	server := httptest.NewServer(handler)
+	return &localFileStorage{
+		Fake:   ctx,
+		Server: server,
+	}
+}
+
+// remoteFileServer is a containerized static file server started on the remote
+// testing machine to be used in URL-accepting docker build functionality.
+type remoteFileServer struct {
+	host      string // hostname/port web server is listening to on docker host e.g. 0.0.0.0:43712
+	container string
+	image     string
+	client    client.APIClient
+	ctx       *fakecontext.Fake
+}
+
+func (f *remoteFileServer) URL() string {
+	u := url.URL{
+		Scheme: "http",
+		Host:   f.host}
+	return u.String()
+}
+
+func (f *remoteFileServer) CtxDir() string {
+	return f.ctx.Dir
+}
+
+func (f *remoteFileServer) Close() error {
+	defer func() {
+		if f.ctx != nil {
+			f.ctx.Close()
+		}
+		if f.image != "" {
+			if _, err := f.client.ImageRemove(context.Background(), f.image, types.ImageRemoveOptions{
+				Force: true,
+			}); err != nil {
+				fmt.Fprintf(os.Stderr, "Error closing remote file server : %v\n", err)
+			}
+		}
+		if err := f.client.Close(); err != nil {
+			fmt.Fprintf(os.Stderr, "Error closing remote file server : %v\n", err)
+		}
+	}()
+	if f.container == "" {
+		return nil
+	}
+	return f.client.ContainerRemove(context.Background(), f.container, types.ContainerRemoveOptions{
+		Force:         true,
+		RemoveVolumes: true,
+	})
+}
+
+func newRemoteFileServer(t testingT, ctx *fakecontext.Fake, c client.APIClient) *remoteFileServer {
+	var (
+		image     = fmt.Sprintf("fileserver-img-%s", strings.ToLower(testutil.GenerateRandomAlphaOnlyString(10)))
+		container = fmt.Sprintf("fileserver-cnt-%s", strings.ToLower(testutil.GenerateRandomAlphaOnlyString(10)))
+	)
+
+	ensureHTTPServerImage(t)
+
+	// Build the image
+	if err := ctx.Add("Dockerfile", `FROM httpserver
+COPY . /static`); err != nil {
+		t.Fatal(err)
+	}
+	resp, err := c.ImageBuild(context.Background(), ctx.AsTarReader(t), types.ImageBuildOptions{
+		NoCache: true,
+		Tags:    []string{image},
+	})
+	assert.NilError(t, err)
+	_, err = io.Copy(ioutil.Discard, resp.Body)
+	assert.NilError(t, err)
+
+	// Start the container
+	b, err := c.ContainerCreate(context.Background(), &containertypes.Config{
+		Image: image,
+	}, &containertypes.HostConfig{}, nil, container)
+	assert.NilError(t, err)
+	err = c.ContainerStart(context.Background(), b.ID, types.ContainerStartOptions{})
+	assert.NilError(t, err)
+
+	// Find out the system assigned port
+	i, err := c.ContainerInspect(context.Background(), b.ID)
+	assert.NilError(t, err)
+	newP, err := nat.NewPort("tcp", "80")
+	assert.NilError(t, err)
+	ports, exists := i.NetworkSettings.Ports[newP]
+	if !exists || len(ports) != 1 {
+		t.Fatalf("unable to find port 80/tcp for %s", container)
+	}
+	host := ports[0].HostIP
+	port := ports[0].HostPort
+
+	return &remoteFileServer{
+		container: container,
+		image:     image,
+		host:      fmt.Sprintf("%s:%s", host, port),
+		ctx:       ctx,
+		client:    c,
+	}
+}
diff --git a/engine/internal/test/fixtures/load/frozen.go b/engine/internal/test/fixtures/load/frozen.go
new file mode 100644
index 00000000..94f3680f
--- /dev/null
+++ b/engine/internal/test/fixtures/load/frozen.go
@@ -0,0 +1,196 @@
+package load // import "github.com/docker/docker/internal/test/fixtures/load"
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/pkg/term"
+	"github.com/pkg/errors"
+)
+
+const frozenImgDir = "/docker-frozen-images"
+
+// FrozenImagesLinux loads the frozen image set for the integration suite
+// If the images are not available locally it will download them
+// TODO: This loads whatever is in the frozen image dir, regardless of what
+// images were passed in. If the images need to be downloaded, then it will respect
+// the passed in images
+func FrozenImagesLinux(client client.APIClient, images ...string) error {
+	var loadImages []struct{ srcName, destName string }
+	for _, img := range images {
+		if !imageExists(client, img) {
+			srcName := img
+			// hello-world:latest gets re-tagged as hello-world:frozen
+			// there are some tests that use hello-world:latest specifically so it pulls
+			// the image and hello-world:frozen is used for when we just want a super
+			// small image
+			if img == "hello-world:frozen" {
+				srcName = "hello-world:latest"
+			}
+			loadImages = append(loadImages, struct{ srcName, destName string }{
+				srcName:  srcName,
+				destName: img,
+			})
+		}
+	}
+	if len(loadImages) == 0 {
+		// everything is loaded, we're done
+		return nil
+	}
+
+	ctx := context.Background()
+	fi, err := os.Stat(frozenImgDir)
+	if err != nil || !fi.IsDir() {
+		srcImages := make([]string, 0, len(loadImages))
+		for _, img := range loadImages {
+			srcImages = append(srcImages, img.srcName)
+		}
+		if err := pullImages(ctx, client, srcImages); err != nil {
+			return errors.Wrap(err, "error pulling image list")
+		}
+	} else {
+		if err := loadFrozenImages(ctx, client); err != nil {
+			return err
+		}
+	}
+
+	for _, img := range loadImages {
+		if img.srcName != img.destName {
+			if err := client.ImageTag(ctx, img.srcName, img.destName); err != nil {
+				return errors.Wrapf(err, "failed to tag %s as %s", img.srcName, img.destName)
+			}
+			if _, err := client.ImageRemove(ctx, img.srcName, types.ImageRemoveOptions{}); err != nil {
+				return errors.Wrapf(err, "failed to remove %s", img.srcName)
+			}
+		}
+	}
+	return nil
+}
+
+func imageExists(client client.APIClient, name string) bool {
+	_, _, err := client.ImageInspectWithRaw(context.Background(), name)
+	return err == nil
+}
+
+func loadFrozenImages(ctx context.Context, client client.APIClient) error {
+	tar, err := exec.LookPath("tar")
+	if err != nil {
+		return errors.Wrap(err, "could not find tar binary")
+	}
+	tarCmd := exec.Command(tar, "-cC", frozenImgDir, ".")
+	out, err := tarCmd.StdoutPipe()
+	if err != nil {
+		return errors.Wrap(err, "error getting stdout pipe for tar command")
+	}
+
+	errBuf := bytes.NewBuffer(nil)
+	tarCmd.Stderr = errBuf
+	tarCmd.Start()
+	defer tarCmd.Wait()
+
+	resp, err := client.ImageLoad(ctx, out, true)
+	if err != nil {
+		return errors.Wrap(err, "failed to load frozen images")
+	}
+	defer resp.Body.Close()
+	fd, isTerminal := term.GetFdInfo(os.Stdout)
+	return jsonmessage.DisplayJSONMessagesStream(resp.Body, os.Stdout, fd, isTerminal, nil)
+}
+
+func pullImages(ctx context.Context, client client.APIClient, images []string) error {
+	cwd, err := os.Getwd()
+	if err != nil {
+		return errors.Wrap(err, "error getting path to dockerfile")
+	}
+	dockerfile := os.Getenv("DOCKERFILE")
+	if dockerfile == "" {
+		dockerfile = "Dockerfile"
+	}
+	dockerfilePath := filepath.Join(filepath.Dir(filepath.Clean(cwd)), dockerfile)
+	pullRefs, err := readFrozenImageList(dockerfilePath, images)
+	if err != nil {
+		return errors.Wrap(err, "error reading frozen image list")
+	}
+
+	var wg sync.WaitGroup
+	chErr := make(chan error, len(images))
+	for tag, ref := range pullRefs {
+		wg.Add(1)
+		go func(tag, ref string) {
+			defer wg.Done()
+			if err := pullTagAndRemove(ctx, client, ref, tag); err != nil {
+				chErr <- err
+				return
+			}
+		}(tag, ref)
+	}
+	wg.Wait()
+	close(chErr)
+	return <-chErr
+}
+
+func pullTagAndRemove(ctx context.Context, client client.APIClient, ref string, tag string) error {
+	resp, err := client.ImagePull(ctx, ref, types.ImagePullOptions{})
+	if err != nil {
+		return errors.Wrapf(err, "failed to pull %s", ref)
+	}
+	defer resp.Close()
+	fd, isTerminal := term.GetFdInfo(os.Stdout)
+	if err := jsonmessage.DisplayJSONMessagesStream(resp, os.Stdout, fd, isTerminal, nil); err != nil {
+		return err
+	}
+
+	if err := client.ImageTag(ctx, ref, tag); err != nil {
+		return errors.Wrapf(err, "failed to tag %s as %s", ref, tag)
+	}
+	_, err = client.ImageRemove(ctx, ref, types.ImageRemoveOptions{})
+	return errors.Wrapf(err, "failed to remove %s", ref)
+
+}
+
+func readFrozenImageList(dockerfilePath string, images []string) (map[string]string, error) {
+	f, err := os.Open(dockerfilePath)
+	if err != nil {
+		return nil, errors.Wrap(err, "error reading dockerfile")
+	}
+	defer f.Close()
+	ls := make(map[string]string)
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := strings.Fields(scanner.Text())
+		if len(line) < 3 {
+			continue
+		}
+		if !(line[0] == "RUN" && line[1] == "./contrib/download-frozen-image-v2.sh") {
+			continue
+		}
+
+		for scanner.Scan() {
+			img := strings.TrimSpace(scanner.Text())
+			img = strings.TrimSuffix(img, "\\")
+			img = strings.TrimSpace(img)
+			split := strings.Split(img, "@")
+			if len(split) < 2 {
+				break
+			}
+
+			for _, i := range images {
+				if split[0] == i {
+					ls[i] = img
+					break
+				}
+			}
+		}
+	}
+	return ls, nil
+}
diff --git a/engine/internal/test/fixtures/plugin/basic/basic.go b/engine/internal/test/fixtures/plugin/basic/basic.go
new file mode 100644
index 00000000..89227282
--- /dev/null
+++ b/engine/internal/test/fixtures/plugin/basic/basic.go
@@ -0,0 +1,34 @@
+package main
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+)
+
+func main() {
+	p, err := filepath.Abs(filepath.Join("run", "docker", "plugins"))
+	if err != nil {
+		panic(err)
+	}
+	if err := os.MkdirAll(p, 0755); err != nil {
+		panic(err)
+	}
+	l, err := net.Listen("unix", filepath.Join(p, "basic.sock"))
+	if err != nil {
+		panic(err)
+	}
+
+	mux := http.NewServeMux()
+	server := http.Server{
+		Addr:    l.Addr().String(),
+		Handler: http.NewServeMux(),
+	}
+	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1.1+json")
+		fmt.Println(w, `{"Implements": ["dummy"]}`)
+	})
+	server.Serve(l)
+}
diff --git a/engine/internal/test/fixtures/plugin/plugin.go b/engine/internal/test/fixtures/plugin/plugin.go
new file mode 100644
index 00000000..523a261a
--- /dev/null
+++ b/engine/internal/test/fixtures/plugin/plugin.go
@@ -0,0 +1,216 @@
+package plugin // import "github.com/docker/docker/internal/test/fixtures/plugin"
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/plugin"
+	"github.com/docker/docker/registry"
+	"github.com/pkg/errors"
+)
+
+// CreateOpt is is passed used to change the default plugin config before
+// creating it
+type CreateOpt func(*Config)
+
+// Config wraps types.PluginConfig to provide some extra state for options
+// extra customizations on the plugin details, such as using a custom binary to
+// create the plugin with.
+type Config struct {
+	*types.PluginConfig
+	binPath string
+}
+
+// WithBinary is a CreateOpt to set an custom binary to create the plugin with.
+// This binary must be statically compiled.
+func WithBinary(bin string) CreateOpt {
+	return func(cfg *Config) {
+		cfg.binPath = bin
+	}
+}
+
+// CreateClient is the interface used for `BuildPlugin` to interact with the
+// daemon.
+type CreateClient interface {
+	PluginCreate(context.Context, io.Reader, types.PluginCreateOptions) error
+}
+
+// Create creates a new plugin with the specified name
+func Create(ctx context.Context, c CreateClient, name string, opts ...CreateOpt) error {
+	tmpDir, err := ioutil.TempDir("", "create-test-plugin")
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tmpDir)
+
+	tar, err := makePluginBundle(tmpDir, opts...)
+	if err != nil {
+		return err
+	}
+	defer tar.Close()
+
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	return c.PluginCreate(ctx, tar, types.PluginCreateOptions{RepoName: name})
+}
+
+// CreateInRegistry makes a plugin (locally) and pushes it to a registry.
+// This does not use a dockerd instance to create or push the plugin.
+// If you just want to create a plugin in some daemon, use `Create`.
+//
+// This can be useful when testing plugins on swarm where you don't really want
+// the plugin to exist on any of the daemons (immediately) and there needs to be
+// some way to distribute the plugin.
+func CreateInRegistry(ctx context.Context, repo string, auth *types.AuthConfig, opts ...CreateOpt) error {
+	tmpDir, err := ioutil.TempDir("", "create-test-plugin-local")
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tmpDir)
+
+	inPath := filepath.Join(tmpDir, "plugin")
+	if err := os.MkdirAll(inPath, 0755); err != nil {
+		return errors.Wrap(err, "error creating plugin root")
+	}
+
+	tar, err := makePluginBundle(inPath, opts...)
+	if err != nil {
+		return err
+	}
+	defer tar.Close()
+
+	dummyExec := func(m *plugin.Manager) (plugin.Executor, error) {
+		return nil, nil
+	}
+
+	regService, err := registry.NewService(registry.ServiceOptions{V2Only: true})
+	if err != nil {
+		return err
+	}
+
+	managerConfig := plugin.ManagerConfig{
+		Store:           plugin.NewStore(),
+		RegistryService: regService,
+		Root:            filepath.Join(tmpDir, "root"),
+		ExecRoot:        "/run/docker", // manager init fails if not set
+		CreateExecutor:  dummyExec,
+		LogPluginEvent:  func(id, name, action string) {}, // panics when not set
+	}
+	manager, err := plugin.NewManager(managerConfig)
+	if err != nil {
+		return errors.Wrap(err, "error creating plugin manager")
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+	if err := manager.CreateFromContext(ctx, tar, &types.PluginCreateOptions{RepoName: repo}); err != nil {
+		return err
+	}
+
+	if auth == nil {
+		auth = &types.AuthConfig{}
+	}
+	err = manager.Push(ctx, repo, nil, auth, ioutil.Discard)
+	return errors.Wrap(err, "error pushing plugin")
+}
+
+func makePluginBundle(inPath string, opts ...CreateOpt) (io.ReadCloser, error) {
+	p := &types.PluginConfig{
+		Interface: types.PluginConfigInterface{
+			Socket: "basic.sock",
+			Types:  []types.PluginInterfaceType{{Capability: "docker.dummy/1.0"}},
+		},
+		Entrypoint: []string{"/basic"},
+	}
+	cfg := &Config{
+		PluginConfig: p,
+	}
+	for _, o := range opts {
+		o(cfg)
+	}
+	if cfg.binPath == "" {
+		binPath, err := ensureBasicPluginBin()
+		if err != nil {
+			return nil, err
+		}
+		cfg.binPath = binPath
+	}
+
+	configJSON, err := json.Marshal(p)
+	if err != nil {
+		return nil, err
+	}
+	if err := ioutil.WriteFile(filepath.Join(inPath, "config.json"), configJSON, 0644); err != nil {
+		return nil, err
+	}
+	if err := os.MkdirAll(filepath.Join(inPath, "rootfs", filepath.Dir(p.Entrypoint[0])), 0755); err != nil {
+		return nil, errors.Wrap(err, "error creating plugin rootfs dir")
+	}
+
+	// Ensure the mount target paths exist
+	for _, m := range p.Mounts {
+		var stat os.FileInfo
+		if m.Source != nil {
+			stat, err = os.Stat(*m.Source)
+			if err != nil && !os.IsNotExist(err) {
+				return nil, err
+			}
+		}
+
+		if stat == nil || stat.IsDir() {
+			var mode os.FileMode = 0755
+			if stat != nil {
+				mode = stat.Mode()
+			}
+			if err := os.MkdirAll(filepath.Join(inPath, "rootfs", m.Destination), mode); err != nil {
+				return nil, errors.Wrap(err, "error preparing plugin mount destination path")
+			}
+		} else {
+			if err := os.MkdirAll(filepath.Join(inPath, "rootfs", filepath.Dir(m.Destination)), 0755); err != nil {
+				return nil, errors.Wrap(err, "error preparing plugin mount destination dir")
+			}
+			f, err := os.Create(filepath.Join(inPath, "rootfs", m.Destination))
+			if err != nil && !os.IsExist(err) {
+				return nil, errors.Wrap(err, "error preparing plugin mount destination file")
+			}
+			if f != nil {
+				f.Close()
+			}
+		}
+	}
+	if err := archive.NewDefaultArchiver().CopyFileWithTar(cfg.binPath, filepath.Join(inPath, "rootfs", p.Entrypoint[0])); err != nil {
+		return nil, errors.Wrap(err, "error copying plugin binary to rootfs path")
+	}
+	tar, err := archive.Tar(inPath, archive.Uncompressed)
+	return tar, errors.Wrap(err, "error making plugin archive")
+}
+
+func ensureBasicPluginBin() (string, error) {
+	name := "docker-basic-plugin"
+	p, err := exec.LookPath(name)
+	if err == nil {
+		return p, nil
+	}
+
+	goBin, err := exec.LookPath("go")
+	if err != nil {
+		return "", err
+	}
+	installPath := filepath.Join(os.Getenv("GOPATH"), "bin", name)
+	sourcePath := filepath.Join("github.com", "docker", "docker", "internal", "test", "fixtures", "plugin", "basic")
+	cmd := exec.Command(goBin, "build", "-o", installPath, sourcePath)
+	cmd.Env = append(cmd.Env, "GOPATH="+os.Getenv("GOPATH"), "CGO_ENABLED=0")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return "", errors.Wrapf(err, "error building basic plugin bin: %s", string(out))
+	}
+	return installPath, nil
+}
diff --git a/engine/internal/test/helper.go b/engine/internal/test/helper.go
new file mode 100644
index 00000000..1b9fd750
--- /dev/null
+++ b/engine/internal/test/helper.go
@@ -0,0 +1,6 @@
+package test
+
+// HelperT is a subset of testing.T that implements the Helper function
+type HelperT interface {
+	Helper()
+}
diff --git a/engine/internal/test/registry/ops.go b/engine/internal/test/registry/ops.go
new file mode 100644
index 00000000..c004f374
--- /dev/null
+++ b/engine/internal/test/registry/ops.go
@@ -0,0 +1,26 @@
+package registry
+
+// Schema1 sets the registry to serve v1 api
+func Schema1(c *Config) {
+	c.schema1 = true
+}
+
+// Htpasswd sets the auth method with htpasswd
+func Htpasswd(c *Config) {
+	c.auth = "htpasswd"
+}
+
+// Token sets the auth method to token, with the specified token url
+func Token(tokenURL string) func(*Config) {
+	return func(c *Config) {
+		c.auth = "token"
+		c.tokenURL = tokenURL
+	}
+}
+
+// URL sets the registry url
+func URL(registryURL string) func(*Config) {
+	return func(c *Config) {
+		c.registryURL = registryURL
+	}
+}
diff --git a/engine/internal/test/registry/registry.go b/engine/internal/test/registry/registry.go
new file mode 100644
index 00000000..b6128d3b
--- /dev/null
+++ b/engine/internal/test/registry/registry.go
@@ -0,0 +1,255 @@
+package registry // import "github.com/docker/docker/internal/test/registry"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+
+	"github.com/docker/docker/internal/test"
+	"github.com/opencontainers/go-digest"
+	"gotest.tools/assert"
+)
+
+const (
+	// V2binary is the name of the registry v2 binary
+	V2binary = "registry-v2"
+	// V2binarySchema1 is the name of the registry that serve schema1
+	V2binarySchema1 = "registry-v2-schema1"
+	// DefaultURL is the default url that will be used by the registry (if not specified otherwise)
+	DefaultURL = "127.0.0.1:5000"
+)
+
+type testingT interface {
+	assert.TestingT
+	logT
+	Fatal(...interface{})
+	Fatalf(string, ...interface{})
+}
+
+type logT interface {
+	Logf(string, ...interface{})
+}
+
+// V2 represent a registry version 2
+type V2 struct {
+	cmd         *exec.Cmd
+	registryURL string
+	dir         string
+	auth        string
+	username    string
+	password    string
+	email       string
+}
+
+// Config contains the test registry configuration
+type Config struct {
+	schema1     bool
+	auth        string
+	tokenURL    string
+	registryURL string
+}
+
+// NewV2 creates a v2 registry server
+func NewV2(t testingT, ops ...func(*Config)) *V2 {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	c := &Config{
+		registryURL: DefaultURL,
+	}
+	for _, op := range ops {
+		op(c)
+	}
+	tmp, err := ioutil.TempDir("", "registry-test-")
+	assert.NilError(t, err)
+	template := `version: 0.1
+loglevel: debug
+storage:
+    filesystem:
+        rootdirectory: %s
+http:
+    addr: %s
+%s`
+	var (
+		authTemplate string
+		username     string
+		password     string
+		email        string
+	)
+	switch c.auth {
+	case "htpasswd":
+		htpasswdPath := filepath.Join(tmp, "htpasswd")
+		// generated with: htpasswd -Bbn testuser testpassword
+		userpasswd := "testuser:$2y$05$sBsSqk0OpSD1uTZkHXc4FeJ0Z70wLQdAX/82UiHuQOKbNbBrzs63m"
+		username = "testuser"
+		password = "testpassword"
+		email = "test@test.org"
+		err := ioutil.WriteFile(htpasswdPath, []byte(userpasswd), os.FileMode(0644))
+		assert.NilError(t, err)
+		authTemplate = fmt.Sprintf(`auth:
+    htpasswd:
+        realm: basic-realm
+        path: %s
+`, htpasswdPath)
+	case "token":
+		authTemplate = fmt.Sprintf(`auth:
+    token:
+        realm: %s
+        service: "registry"
+        issuer: "auth-registry"
+        rootcertbundle: "fixtures/registry/cert.pem"
+`, c.tokenURL)
+	}
+
+	confPath := filepath.Join(tmp, "config.yaml")
+	config, err := os.Create(confPath)
+	assert.NilError(t, err)
+	defer config.Close()
+
+	if _, err := fmt.Fprintf(config, template, tmp, c.registryURL, authTemplate); err != nil {
+		// FIXME(vdemeester) use a defer/clean func
+		os.RemoveAll(tmp)
+		t.Fatal(err)
+	}
+
+	binary := V2binary
+	if c.schema1 {
+		binary = V2binarySchema1
+	}
+	cmd := exec.Command(binary, confPath)
+	if err := cmd.Start(); err != nil {
+		// FIXME(vdemeester) use a defer/clean func
+		os.RemoveAll(tmp)
+		t.Fatal(err)
+	}
+	return &V2{
+		cmd:         cmd,
+		dir:         tmp,
+		auth:        c.auth,
+		username:    username,
+		password:    password,
+		email:       email,
+		registryURL: c.registryURL,
+	}
+}
+
+// WaitReady waits for the registry to be ready to serve requests (or fail after a while)
+func (r *V2) WaitReady(t testingT) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	var err error
+	for i := 0; i != 50; i++ {
+		if err = r.Ping(); err == nil {
+			return
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+	t.Fatalf("timeout waiting for test registry to become available: %v", err)
+}
+
+// Ping sends an http request to the current registry, and fail if it doesn't respond correctly
+func (r *V2) Ping() error {
+	// We always ping through HTTP for our test registry.
+	resp, err := http.Get(fmt.Sprintf("http://%s/v2/", r.registryURL))
+	if err != nil {
+		return err
+	}
+	resp.Body.Close()
+
+	fail := resp.StatusCode != http.StatusOK
+	if r.auth != "" {
+		// unauthorized is a _good_ status when pinging v2/ and it needs auth
+		fail = fail && resp.StatusCode != http.StatusUnauthorized
+	}
+	if fail {
+		return fmt.Errorf("registry ping replied with an unexpected status code %d", resp.StatusCode)
+	}
+	return nil
+}
+
+// Close kills the registry server
+func (r *V2) Close() {
+	r.cmd.Process.Kill()
+	r.cmd.Process.Wait()
+	os.RemoveAll(r.dir)
+}
+
+func (r *V2) getBlobFilename(blobDigest digest.Digest) string {
+	// Split the digest into its algorithm and hex components.
+	dgstAlg, dgstHex := blobDigest.Algorithm(), blobDigest.Hex()
+
+	// The path to the target blob data looks something like:
+	//   baseDir + "docker/registry/v2/blobs/sha256/a3/a3ed...46d4/data"
+	return fmt.Sprintf("%s/docker/registry/v2/blobs/%s/%s/%s/data", r.dir, dgstAlg, dgstHex[:2], dgstHex)
+}
+
+// ReadBlobContents read the file corresponding to the specified digest
+func (r *V2) ReadBlobContents(t assert.TestingT, blobDigest digest.Digest) []byte {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	// Load the target manifest blob.
+	manifestBlob, err := ioutil.ReadFile(r.getBlobFilename(blobDigest))
+	assert.NilError(t, err, "unable to read blob")
+	return manifestBlob
+}
+
+// WriteBlobContents write the file corresponding to the specified digest with the given content
+func (r *V2) WriteBlobContents(t assert.TestingT, blobDigest digest.Digest, data []byte) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	err := ioutil.WriteFile(r.getBlobFilename(blobDigest), data, os.FileMode(0644))
+	assert.NilError(t, err, "unable to write malicious data blob")
+}
+
+// TempMoveBlobData moves the existing data file aside, so that we can replace it with a
+// malicious blob of data for example.
+func (r *V2) TempMoveBlobData(t testingT, blobDigest digest.Digest) (undo func()) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	tempFile, err := ioutil.TempFile("", "registry-temp-blob-")
+	assert.NilError(t, err, "unable to get temporary blob file")
+	tempFile.Close()
+
+	blobFilename := r.getBlobFilename(blobDigest)
+
+	// Move the existing data file aside, so that we can replace it with a
+	// another blob of data.
+	if err := os.Rename(blobFilename, tempFile.Name()); err != nil {
+		// FIXME(vdemeester) use a defer/clean func
+		os.Remove(tempFile.Name())
+		t.Fatalf("unable to move data blob: %s", err)
+	}
+
+	return func() {
+		os.Rename(tempFile.Name(), blobFilename)
+		os.Remove(tempFile.Name())
+	}
+}
+
+// Username returns the configured user name of the server
+func (r *V2) Username() string {
+	return r.username
+}
+
+// Password returns the configured password of the server
+func (r *V2) Password() string {
+	return r.password
+}
+
+// Email returns the configured email of the server
+func (r *V2) Email() string {
+	return r.email
+}
+
+// Path returns the path where the registry write data
+func (r *V2) Path() string {
+	return filepath.Join(r.dir, "docker", "registry", "v2")
+}
diff --git a/engine/internal/test/registry/registry_mock.go b/engine/internal/test/registry/registry_mock.go
new file mode 100644
index 00000000..d139401a
--- /dev/null
+++ b/engine/internal/test/registry/registry_mock.go
@@ -0,0 +1,71 @@
+package registry // import "github.com/docker/docker/internal/test/registry"
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"regexp"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker/internal/test"
+)
+
+type handlerFunc func(w http.ResponseWriter, r *http.Request)
+
+// Mock represent a registry mock
+type Mock struct {
+	server   *httptest.Server
+	hostport string
+	handlers map[string]handlerFunc
+	mu       sync.Mutex
+}
+
+// RegisterHandler register the specified handler for the registry mock
+func (tr *Mock) RegisterHandler(path string, h handlerFunc) {
+	tr.mu.Lock()
+	defer tr.mu.Unlock()
+	tr.handlers[path] = h
+}
+
+// NewMock creates a registry mock
+func NewMock(t testingT) (*Mock, error) {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	testReg := &Mock{handlers: make(map[string]handlerFunc)}
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		url := r.URL.String()
+
+		var matched bool
+		var err error
+		for re, function := range testReg.handlers {
+			matched, err = regexp.MatchString(re, url)
+			if err != nil {
+				t.Fatal("Error with handler regexp")
+			}
+			if matched {
+				function(w, r)
+				break
+			}
+		}
+
+		if !matched {
+			t.Fatalf("Unable to match %s with regexp", url)
+		}
+	}))
+
+	testReg.server = ts
+	testReg.hostport = strings.Replace(ts.URL, "http://", "", 1)
+	return testReg, nil
+}
+
+// URL returns the url of the registry
+func (tr *Mock) URL() string {
+	return tr.hostport
+}
+
+// Close closes mock and releases resources
+func (tr *Mock) Close() {
+	tr.server.Close()
+}
diff --git a/engine/internal/test/request/npipe.go b/engine/internal/test/request/npipe.go
new file mode 100644
index 00000000..e6ab0394
--- /dev/null
+++ b/engine/internal/test/request/npipe.go
@@ -0,0 +1,12 @@
+// +build !windows
+
+package request
+
+import (
+	"net"
+	"time"
+)
+
+func npipeDial(path string, timeout time.Duration) (net.Conn, error) {
+	panic("npipe protocol only supported on Windows")
+}
diff --git a/engine/internal/test/request/npipe_windows.go b/engine/internal/test/request/npipe_windows.go
new file mode 100644
index 00000000..a268aac9
--- /dev/null
+++ b/engine/internal/test/request/npipe_windows.go
@@ -0,0 +1,12 @@
+package request
+
+import (
+	"net"
+	"time"
+
+	"github.com/Microsoft/go-winio"
+)
+
+func npipeDial(path string, timeout time.Duration) (net.Conn, error) {
+	return winio.DialPipe(path, &timeout)
+}
diff --git a/engine/internal/test/request/ops.go b/engine/internal/test/request/ops.go
new file mode 100644
index 00000000..c85308c4
--- /dev/null
+++ b/engine/internal/test/request/ops.go
@@ -0,0 +1,78 @@
+package request
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strings"
+)
+
+// Options defines request options, like request modifiers and which host to target
+type Options struct {
+	host             string
+	requestModifiers []func(*http.Request) error
+}
+
+// Host creates a modifier that sets the specified host as the request URL host
+func Host(host string) func(*Options) {
+	return func(o *Options) {
+		o.host = host
+	}
+}
+
+// With adds a request modifier to the options
+func With(f func(*http.Request) error) func(*Options) {
+	return func(o *Options) {
+		o.requestModifiers = append(o.requestModifiers, f)
+	}
+}
+
+// Method creates a modifier that sets the specified string as the request method
+func Method(method string) func(*Options) {
+	return With(func(req *http.Request) error {
+		req.Method = method
+		return nil
+	})
+}
+
+// RawString sets the specified string as body for the request
+func RawString(content string) func(*Options) {
+	return RawContent(ioutil.NopCloser(strings.NewReader(content)))
+}
+
+// RawContent sets the specified reader as body for the request
+func RawContent(reader io.ReadCloser) func(*Options) {
+	return With(func(req *http.Request) error {
+		req.Body = reader
+		return nil
+	})
+}
+
+// ContentType sets the specified Content-Type request header
+func ContentType(contentType string) func(*Options) {
+	return With(func(req *http.Request) error {
+		req.Header.Set("Content-Type", contentType)
+		return nil
+	})
+}
+
+// JSON sets the Content-Type request header to json
+func JSON(o *Options) {
+	ContentType("application/json")(o)
+}
+
+// JSONBody creates a modifier that encodes the specified data to a JSON string and set it as request body. It also sets
+// the Content-Type header of the request.
+func JSONBody(data interface{}) func(*Options) {
+	return With(func(req *http.Request) error {
+		jsonData := bytes.NewBuffer(nil)
+		if err := json.NewEncoder(jsonData).Encode(data); err != nil {
+			return err
+		}
+		req.Body = ioutil.NopCloser(jsonData)
+		req.Header.Set("Content-Type", "application/json")
+		return nil
+	})
+}
diff --git a/engine/internal/test/request/request.go b/engine/internal/test/request/request.go
new file mode 100644
index 00000000..1986d370
--- /dev/null
+++ b/engine/internal/test/request/request.go
@@ -0,0 +1,218 @@
+package request // import "github.com/docker/docker/internal/test/request"
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/internal/test"
+	"github.com/docker/docker/internal/test/environment"
+	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/go-connections/sockets"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+// NewAPIClient returns a docker API client configured from environment variables
+func NewAPIClient(t assert.TestingT, ops ...func(*client.Client) error) client.APIClient {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	ops = append([]func(*client.Client) error{client.FromEnv}, ops...)
+	clt, err := client.NewClientWithOpts(ops...)
+	assert.NilError(t, err)
+	return clt
+}
+
+// DaemonTime provides the current time on the daemon host
+func DaemonTime(ctx context.Context, t assert.TestingT, client client.APIClient, testEnv *environment.Execution) time.Time {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	if testEnv.IsLocalDaemon() {
+		return time.Now()
+	}
+
+	info, err := client.Info(ctx)
+	assert.NilError(t, err)
+
+	dt, err := time.Parse(time.RFC3339Nano, info.SystemTime)
+	assert.NilError(t, err, "invalid time format in GET /info response")
+	return dt
+}
+
+// DaemonUnixTime returns the current time on the daemon host with nanoseconds precision.
+// It return the time formatted how the client sends timestamps to the server.
+func DaemonUnixTime(ctx context.Context, t assert.TestingT, client client.APIClient, testEnv *environment.Execution) string {
+	if ht, ok := t.(test.HelperT); ok {
+		ht.Helper()
+	}
+	dt := DaemonTime(ctx, t, client, testEnv)
+	return fmt.Sprintf("%d.%09d", dt.Unix(), int64(dt.Nanosecond()))
+}
+
+// Post creates and execute a POST request on the specified host and endpoint, with the specified request modifiers
+func Post(endpoint string, modifiers ...func(*Options)) (*http.Response, io.ReadCloser, error) {
+	return Do(endpoint, append(modifiers, Method(http.MethodPost))...)
+}
+
+// Delete creates and execute a DELETE request on the specified host and endpoint, with the specified request modifiers
+func Delete(endpoint string, modifiers ...func(*Options)) (*http.Response, io.ReadCloser, error) {
+	return Do(endpoint, append(modifiers, Method(http.MethodDelete))...)
+}
+
+// Get creates and execute a GET request on the specified host and endpoint, with the specified request modifiers
+func Get(endpoint string, modifiers ...func(*Options)) (*http.Response, io.ReadCloser, error) {
+	return Do(endpoint, modifiers...)
+}
+
+// Do creates and execute a request on the specified endpoint, with the specified request modifiers
+func Do(endpoint string, modifiers ...func(*Options)) (*http.Response, io.ReadCloser, error) {
+	opts := &Options{
+		host: DaemonHost(),
+	}
+	for _, mod := range modifiers {
+		mod(opts)
+	}
+	req, err := newRequest(endpoint, opts)
+	if err != nil {
+		return nil, nil, err
+	}
+	client, err := newHTTPClient(opts.host)
+	if err != nil {
+		return nil, nil, err
+	}
+	resp, err := client.Do(req)
+	var body io.ReadCloser
+	if resp != nil {
+		body = ioutils.NewReadCloserWrapper(resp.Body, func() error {
+			defer resp.Body.Close()
+			return nil
+		})
+	}
+	return resp, body, err
+}
+
+// ReadBody read the specified ReadCloser content and returns it
+func ReadBody(b io.ReadCloser) ([]byte, error) {
+	defer b.Close()
+	return ioutil.ReadAll(b)
+}
+
+// newRequest creates a new http Request to the specified host and endpoint, with the specified request modifiers
+func newRequest(endpoint string, opts *Options) (*http.Request, error) {
+	hostURL, err := client.ParseHostURL(opts.host)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed parsing url %q", opts.host)
+	}
+	req, err := http.NewRequest("GET", endpoint, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create request")
+	}
+
+	if os.Getenv("DOCKER_TLS_VERIFY") != "" {
+		req.URL.Scheme = "https"
+	} else {
+		req.URL.Scheme = "http"
+	}
+	req.URL.Host = hostURL.Host
+
+	for _, config := range opts.requestModifiers {
+		if err := config(req); err != nil {
+			return nil, err
+		}
+	}
+
+	return req, nil
+}
+
+// newHTTPClient creates an http client for the specific host
+// TODO: Share more code with client.defaultHTTPClient
+func newHTTPClient(host string) (*http.Client, error) {
+	// FIXME(vdemeester) 10*time.Second timeout of SockRequest… ?
+	hostURL, err := client.ParseHostURL(host)
+	if err != nil {
+		return nil, err
+	}
+	transport := new(http.Transport)
+	if hostURL.Scheme == "tcp" && os.Getenv("DOCKER_TLS_VERIFY") != "" {
+		// Setup the socket TLS configuration.
+		tlsConfig, err := getTLSConfig()
+		if err != nil {
+			return nil, err
+		}
+		transport = &http.Transport{TLSClientConfig: tlsConfig}
+	}
+	transport.DisableKeepAlives = true
+	err = sockets.ConfigureTransport(transport, hostURL.Scheme, hostURL.Host)
+	return &http.Client{Transport: transport}, err
+}
+
+func getTLSConfig() (*tls.Config, error) {
+	dockerCertPath := os.Getenv("DOCKER_CERT_PATH")
+
+	if dockerCertPath == "" {
+		return nil, errors.New("DOCKER_TLS_VERIFY specified, but no DOCKER_CERT_PATH environment variable")
+	}
+
+	option := &tlsconfig.Options{
+		CAFile:   filepath.Join(dockerCertPath, "ca.pem"),
+		CertFile: filepath.Join(dockerCertPath, "cert.pem"),
+		KeyFile:  filepath.Join(dockerCertPath, "key.pem"),
+	}
+	tlsConfig, err := tlsconfig.Client(*option)
+	if err != nil {
+		return nil, err
+	}
+
+	return tlsConfig, nil
+}
+
+// DaemonHost return the daemon host string for this test execution
+func DaemonHost() string {
+	daemonURLStr := "unix://" + opts.DefaultUnixSocket
+	if daemonHostVar := os.Getenv("DOCKER_HOST"); daemonHostVar != "" {
+		daemonURLStr = daemonHostVar
+	}
+	return daemonURLStr
+}
+
+// SockConn opens a connection on the specified socket
+func SockConn(timeout time.Duration, daemon string) (net.Conn, error) {
+	daemonURL, err := url.Parse(daemon)
+	if err != nil {
+		return nil, errors.Wrapf(err, "could not parse url %q", daemon)
+	}
+
+	var c net.Conn
+	switch daemonURL.Scheme {
+	case "npipe":
+		return npipeDial(daemonURL.Path, timeout)
+	case "unix":
+		return net.DialTimeout(daemonURL.Scheme, daemonURL.Path, timeout)
+	case "tcp":
+		if os.Getenv("DOCKER_TLS_VERIFY") != "" {
+			// Setup the socket TLS configuration.
+			tlsConfig, err := getTLSConfig()
+			if err != nil {
+				return nil, err
+			}
+			dialer := &net.Dialer{Timeout: timeout}
+			return tls.DialWithDialer(dialer, daemonURL.Scheme, daemonURL.Host, tlsConfig)
+		}
+		return net.DialTimeout(daemonURL.Scheme, daemonURL.Host, timeout)
+	default:
+		return c, errors.Errorf("unknown scheme %v (%s)", daemonURL.Scheme, daemon)
+	}
+}
diff --git a/engine/internal/testutil/helpers.go b/engine/internal/testutil/helpers.go
new file mode 100644
index 00000000..38cd1693
--- /dev/null
+++ b/engine/internal/testutil/helpers.go
@@ -0,0 +1,17 @@
+package testutil // import "github.com/docker/docker/internal/testutil"
+
+import (
+	"io"
+)
+
+// DevZero acts like /dev/zero but in an OS-independent fashion.
+var DevZero io.Reader = devZero{}
+
+type devZero struct{}
+
+func (d devZero) Read(p []byte) (n int, err error) {
+	for i := range p {
+		p[i] = 0
+	}
+	return len(p), nil
+}
diff --git a/engine/internal/testutil/stringutils.go b/engine/internal/testutil/stringutils.go
new file mode 100644
index 00000000..574aeb51
--- /dev/null
+++ b/engine/internal/testutil/stringutils.go
@@ -0,0 +1,14 @@
+package testutil // import "github.com/docker/docker/internal/testutil"
+
+import "math/rand"
+
+// GenerateRandomAlphaOnlyString generates an alphabetical random string with length n.
+func GenerateRandomAlphaOnlyString(n int) string {
+	// make a really long string
+	letters := []byte("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
+	b := make([]byte, n)
+	for i := range b {
+		b[i] = letters[rand.Intn(len(letters))]
+	}
+	return string(b)
+}
diff --git a/engine/internal/testutil/stringutils_test.go b/engine/internal/testutil/stringutils_test.go
new file mode 100644
index 00000000..753aac96
--- /dev/null
+++ b/engine/internal/testutil/stringutils_test.go
@@ -0,0 +1,34 @@
+package testutil // import "github.com/docker/docker/internal/testutil"
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func testLengthHelper(generator func(int) string, t *testing.T) {
+	expectedLength := 20
+	s := generator(expectedLength)
+	assert.Check(t, is.Equal(expectedLength, len(s)))
+}
+
+func testUniquenessHelper(generator func(int) string, t *testing.T) {
+	repeats := 25
+	set := make(map[string]struct{}, repeats)
+	for i := 0; i < repeats; i = i + 1 {
+		str := generator(64)
+		assert.Check(t, is.Equal(64, len(str)))
+		_, ok := set[str]
+		assert.Check(t, !ok, "Random number is repeated")
+		set[str] = struct{}{}
+	}
+}
+
+func TestGenerateRandomAlphaOnlyStringLength(t *testing.T) {
+	testLengthHelper(GenerateRandomAlphaOnlyString, t)
+}
+
+func TestGenerateRandomAlphaOnlyStringUniqueness(t *testing.T) {
+	testUniquenessHelper(GenerateRandomAlphaOnlyString, t)
+}
diff --git a/engine/layer/empty.go b/engine/layer/empty.go
new file mode 100644
index 00000000..c81c7021
--- /dev/null
+++ b/engine/layer/empty.go
@@ -0,0 +1,61 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"archive/tar"
+	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+)
+
+// DigestSHA256EmptyTar is the canonical sha256 digest of empty tar file -
+// (1024 NULL bytes)
+const DigestSHA256EmptyTar = DiffID("sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef")
+
+type emptyLayer struct{}
+
+// EmptyLayer is a layer that corresponds to empty tar.
+var EmptyLayer = &emptyLayer{}
+
+func (el *emptyLayer) TarStream() (io.ReadCloser, error) {
+	buf := new(bytes.Buffer)
+	tarWriter := tar.NewWriter(buf)
+	tarWriter.Close()
+	return ioutil.NopCloser(buf), nil
+}
+
+func (el *emptyLayer) TarStreamFrom(p ChainID) (io.ReadCloser, error) {
+	if p == "" {
+		return el.TarStream()
+	}
+	return nil, fmt.Errorf("can't get parent tar stream of an empty layer")
+}
+
+func (el *emptyLayer) ChainID() ChainID {
+	return ChainID(DigestSHA256EmptyTar)
+}
+
+func (el *emptyLayer) DiffID() DiffID {
+	return DigestSHA256EmptyTar
+}
+
+func (el *emptyLayer) Parent() Layer {
+	return nil
+}
+
+func (el *emptyLayer) Size() (size int64, err error) {
+	return 0, nil
+}
+
+func (el *emptyLayer) DiffSize() (size int64, err error) {
+	return 0, nil
+}
+
+func (el *emptyLayer) Metadata() (map[string]string, error) {
+	return make(map[string]string), nil
+}
+
+// IsEmpty returns true if the layer is an EmptyLayer
+func IsEmpty(diffID DiffID) bool {
+	return diffID == DigestSHA256EmptyTar
+}
diff --git a/engine/layer/empty_test.go b/engine/layer/empty_test.go
new file mode 100644
index 00000000..ec9fbc1a
--- /dev/null
+++ b/engine/layer/empty_test.go
@@ -0,0 +1,52 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"io"
+	"testing"
+
+	"github.com/opencontainers/go-digest"
+)
+
+func TestEmptyLayer(t *testing.T) {
+	if EmptyLayer.ChainID() != ChainID(DigestSHA256EmptyTar) {
+		t.Fatal("wrong ChainID for empty layer")
+	}
+
+	if EmptyLayer.DiffID() != DigestSHA256EmptyTar {
+		t.Fatal("wrong DiffID for empty layer")
+	}
+
+	if EmptyLayer.Parent() != nil {
+		t.Fatal("expected no parent for empty layer")
+	}
+
+	if size, err := EmptyLayer.Size(); err != nil || size != 0 {
+		t.Fatal("expected zero size for empty layer")
+	}
+
+	if diffSize, err := EmptyLayer.DiffSize(); err != nil || diffSize != 0 {
+		t.Fatal("expected zero diffsize for empty layer")
+	}
+
+	meta, err := EmptyLayer.Metadata()
+
+	if len(meta) != 0 || err != nil {
+		t.Fatal("expected zero length metadata for empty layer")
+	}
+
+	tarStream, err := EmptyLayer.TarStream()
+	if err != nil {
+		t.Fatalf("error streaming tar for empty layer: %v", err)
+	}
+
+	digester := digest.Canonical.Digester()
+	_, err = io.Copy(digester.Hash(), tarStream)
+
+	if err != nil {
+		t.Fatalf("error hashing empty tar layer: %v", err)
+	}
+
+	if digester.Digest() != digest.Digest(DigestSHA256EmptyTar) {
+		t.Fatal("empty layer tar stream hashes to wrong value")
+	}
+}
diff --git a/engine/layer/filestore.go b/engine/layer/filestore.go
new file mode 100644
index 00000000..208a0c3a
--- /dev/null
+++ b/engine/layer/filestore.go
@@ -0,0 +1,355 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"compress/gzip"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/docker/distribution"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	stringIDRegexp      = regexp.MustCompile(`^[a-f0-9]{64}(-init)?$`)
+	supportedAlgorithms = []digest.Algorithm{
+		digest.SHA256,
+		// digest.SHA384, // Currently not used
+		// digest.SHA512, // Currently not used
+	}
+)
+
+type fileMetadataStore struct {
+	root string
+}
+
+type fileMetadataTransaction struct {
+	store *fileMetadataStore
+	ws    *ioutils.AtomicWriteSet
+}
+
+// newFSMetadataStore returns an instance of a metadata store
+// which is backed by files on disk using the provided root
+// as the root of metadata files.
+func newFSMetadataStore(root string) (*fileMetadataStore, error) {
+	if err := os.MkdirAll(root, 0700); err != nil {
+		return nil, err
+	}
+	return &fileMetadataStore{
+		root: root,
+	}, nil
+}
+
+func (fms *fileMetadataStore) getLayerDirectory(layer ChainID) string {
+	dgst := digest.Digest(layer)
+	return filepath.Join(fms.root, string(dgst.Algorithm()), dgst.Hex())
+}
+
+func (fms *fileMetadataStore) getLayerFilename(layer ChainID, filename string) string {
+	return filepath.Join(fms.getLayerDirectory(layer), filename)
+}
+
+func (fms *fileMetadataStore) getMountDirectory(mount string) string {
+	return filepath.Join(fms.root, "mounts", mount)
+}
+
+func (fms *fileMetadataStore) getMountFilename(mount, filename string) string {
+	return filepath.Join(fms.getMountDirectory(mount), filename)
+}
+
+func (fms *fileMetadataStore) StartTransaction() (*fileMetadataTransaction, error) {
+	tmpDir := filepath.Join(fms.root, "tmp")
+	if err := os.MkdirAll(tmpDir, 0755); err != nil {
+		return nil, err
+	}
+	ws, err := ioutils.NewAtomicWriteSet(tmpDir)
+	if err != nil {
+		return nil, err
+	}
+
+	return &fileMetadataTransaction{
+		store: fms,
+		ws:    ws,
+	}, nil
+}
+
+func (fm *fileMetadataTransaction) SetSize(size int64) error {
+	content := fmt.Sprintf("%d", size)
+	return fm.ws.WriteFile("size", []byte(content), 0644)
+}
+
+func (fm *fileMetadataTransaction) SetParent(parent ChainID) error {
+	return fm.ws.WriteFile("parent", []byte(digest.Digest(parent).String()), 0644)
+}
+
+func (fm *fileMetadataTransaction) SetDiffID(diff DiffID) error {
+	return fm.ws.WriteFile("diff", []byte(digest.Digest(diff).String()), 0644)
+}
+
+func (fm *fileMetadataTransaction) SetCacheID(cacheID string) error {
+	return fm.ws.WriteFile("cache-id", []byte(cacheID), 0644)
+}
+
+func (fm *fileMetadataTransaction) SetDescriptor(ref distribution.Descriptor) error {
+	jsonRef, err := json.Marshal(ref)
+	if err != nil {
+		return err
+	}
+	return fm.ws.WriteFile("descriptor.json", jsonRef, 0644)
+}
+
+func (fm *fileMetadataTransaction) TarSplitWriter(compressInput bool) (io.WriteCloser, error) {
+	f, err := fm.ws.FileWriter("tar-split.json.gz", os.O_TRUNC|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return nil, err
+	}
+	var wc io.WriteCloser
+	if compressInput {
+		wc = gzip.NewWriter(f)
+	} else {
+		wc = f
+	}
+
+	return ioutils.NewWriteCloserWrapper(wc, func() error {
+		wc.Close()
+		return f.Close()
+	}), nil
+}
+
+func (fm *fileMetadataTransaction) Commit(layer ChainID) error {
+	finalDir := fm.store.getLayerDirectory(layer)
+	if err := os.MkdirAll(filepath.Dir(finalDir), 0755); err != nil {
+		return err
+	}
+
+	return fm.ws.Commit(finalDir)
+}
+
+func (fm *fileMetadataTransaction) Cancel() error {
+	return fm.ws.Cancel()
+}
+
+func (fm *fileMetadataTransaction) String() string {
+	return fm.ws.String()
+}
+
+func (fms *fileMetadataStore) GetSize(layer ChainID) (int64, error) {
+	content, err := ioutil.ReadFile(fms.getLayerFilename(layer, "size"))
+	if err != nil {
+		return 0, err
+	}
+
+	size, err := strconv.ParseInt(string(content), 10, 64)
+	if err != nil {
+		return 0, err
+	}
+
+	return size, nil
+}
+
+func (fms *fileMetadataStore) GetParent(layer ChainID) (ChainID, error) {
+	content, err := ioutil.ReadFile(fms.getLayerFilename(layer, "parent"))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return "", nil
+		}
+		return "", err
+	}
+
+	dgst, err := digest.Parse(strings.TrimSpace(string(content)))
+	if err != nil {
+		return "", err
+	}
+
+	return ChainID(dgst), nil
+}
+
+func (fms *fileMetadataStore) GetDiffID(layer ChainID) (DiffID, error) {
+	content, err := ioutil.ReadFile(fms.getLayerFilename(layer, "diff"))
+	if err != nil {
+		return "", err
+	}
+
+	dgst, err := digest.Parse(strings.TrimSpace(string(content)))
+	if err != nil {
+		return "", err
+	}
+
+	return DiffID(dgst), nil
+}
+
+func (fms *fileMetadataStore) GetCacheID(layer ChainID) (string, error) {
+	contentBytes, err := ioutil.ReadFile(fms.getLayerFilename(layer, "cache-id"))
+	if err != nil {
+		return "", err
+	}
+	content := strings.TrimSpace(string(contentBytes))
+
+	if content == "" {
+		return "", errors.Errorf("invalid cache id value")
+	}
+
+	return content, nil
+}
+
+func (fms *fileMetadataStore) GetDescriptor(layer ChainID) (distribution.Descriptor, error) {
+	content, err := ioutil.ReadFile(fms.getLayerFilename(layer, "descriptor.json"))
+	if err != nil {
+		if os.IsNotExist(err) {
+			// only return empty descriptor to represent what is stored
+			return distribution.Descriptor{}, nil
+		}
+		return distribution.Descriptor{}, err
+	}
+
+	var ref distribution.Descriptor
+	err = json.Unmarshal(content, &ref)
+	if err != nil {
+		return distribution.Descriptor{}, err
+	}
+	return ref, err
+}
+
+func (fms *fileMetadataStore) TarSplitReader(layer ChainID) (io.ReadCloser, error) {
+	fz, err := os.Open(fms.getLayerFilename(layer, "tar-split.json.gz"))
+	if err != nil {
+		return nil, err
+	}
+	f, err := gzip.NewReader(fz)
+	if err != nil {
+		fz.Close()
+		return nil, err
+	}
+
+	return ioutils.NewReadCloserWrapper(f, func() error {
+		f.Close()
+		return fz.Close()
+	}), nil
+}
+
+func (fms *fileMetadataStore) SetMountID(mount string, mountID string) error {
+	if err := os.MkdirAll(fms.getMountDirectory(mount), 0755); err != nil {
+		return err
+	}
+	return ioutil.WriteFile(fms.getMountFilename(mount, "mount-id"), []byte(mountID), 0644)
+}
+
+func (fms *fileMetadataStore) SetInitID(mount string, init string) error {
+	if err := os.MkdirAll(fms.getMountDirectory(mount), 0755); err != nil {
+		return err
+	}
+	return ioutil.WriteFile(fms.getMountFilename(mount, "init-id"), []byte(init), 0644)
+}
+
+func (fms *fileMetadataStore) SetMountParent(mount string, parent ChainID) error {
+	if err := os.MkdirAll(fms.getMountDirectory(mount), 0755); err != nil {
+		return err
+	}
+	return ioutil.WriteFile(fms.getMountFilename(mount, "parent"), []byte(digest.Digest(parent).String()), 0644)
+}
+
+func (fms *fileMetadataStore) GetMountID(mount string) (string, error) {
+	contentBytes, err := ioutil.ReadFile(fms.getMountFilename(mount, "mount-id"))
+	if err != nil {
+		return "", err
+	}
+	content := strings.TrimSpace(string(contentBytes))
+
+	if !stringIDRegexp.MatchString(content) {
+		return "", errors.New("invalid mount id value")
+	}
+
+	return content, nil
+}
+
+func (fms *fileMetadataStore) GetInitID(mount string) (string, error) {
+	contentBytes, err := ioutil.ReadFile(fms.getMountFilename(mount, "init-id"))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return "", nil
+		}
+		return "", err
+	}
+	content := strings.TrimSpace(string(contentBytes))
+
+	if !stringIDRegexp.MatchString(content) {
+		return "", errors.New("invalid init id value")
+	}
+
+	return content, nil
+}
+
+func (fms *fileMetadataStore) GetMountParent(mount string) (ChainID, error) {
+	content, err := ioutil.ReadFile(fms.getMountFilename(mount, "parent"))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return "", nil
+		}
+		return "", err
+	}
+
+	dgst, err := digest.Parse(strings.TrimSpace(string(content)))
+	if err != nil {
+		return "", err
+	}
+
+	return ChainID(dgst), nil
+}
+
+func (fms *fileMetadataStore) List() ([]ChainID, []string, error) {
+	var ids []ChainID
+	for _, algorithm := range supportedAlgorithms {
+		fileInfos, err := ioutil.ReadDir(filepath.Join(fms.root, string(algorithm)))
+		if err != nil {
+			if os.IsNotExist(err) {
+				continue
+			}
+			return nil, nil, err
+		}
+
+		for _, fi := range fileInfos {
+			if fi.IsDir() && fi.Name() != "mounts" {
+				dgst := digest.NewDigestFromHex(string(algorithm), fi.Name())
+				if err := dgst.Validate(); err != nil {
+					logrus.Debugf("Ignoring invalid digest %s:%s", algorithm, fi.Name())
+				} else {
+					ids = append(ids, ChainID(dgst))
+				}
+			}
+		}
+	}
+
+	fileInfos, err := ioutil.ReadDir(filepath.Join(fms.root, "mounts"))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return ids, []string{}, nil
+		}
+		return nil, nil, err
+	}
+
+	var mounts []string
+	for _, fi := range fileInfos {
+		if fi.IsDir() {
+			mounts = append(mounts, fi.Name())
+		}
+	}
+
+	return ids, mounts, nil
+}
+
+func (fms *fileMetadataStore) Remove(layer ChainID) error {
+	return os.RemoveAll(fms.getLayerDirectory(layer))
+}
+
+func (fms *fileMetadataStore) RemoveMount(mount string) error {
+	return os.RemoveAll(fms.getMountDirectory(mount))
+}
diff --git a/engine/layer/filestore_test.go b/engine/layer/filestore_test.go
new file mode 100644
index 00000000..498379e3
--- /dev/null
+++ b/engine/layer/filestore_test.go
@@ -0,0 +1,104 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"math/rand"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"testing"
+
+	"github.com/opencontainers/go-digest"
+)
+
+func randomLayerID(seed int64) ChainID {
+	r := rand.New(rand.NewSource(seed))
+
+	return ChainID(digest.FromBytes([]byte(fmt.Sprintf("%d", r.Int63()))))
+}
+
+func newFileMetadataStore(t *testing.T) (*fileMetadataStore, string, func()) {
+	td, err := ioutil.TempDir("", "layers-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	fms, err := newFSMetadataStore(td)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return fms, td, func() {
+		if err := os.RemoveAll(td); err != nil {
+			t.Logf("Failed to cleanup %q: %s", td, err)
+		}
+	}
+}
+
+func assertNotDirectoryError(t *testing.T, err error) {
+	perr, ok := err.(*os.PathError)
+	if !ok {
+		t.Fatalf("Unexpected error %#v, expected path error", err)
+	}
+
+	if perr.Err != syscall.ENOTDIR {
+		t.Fatalf("Unexpected error %s, expected %s", perr.Err, syscall.ENOTDIR)
+	}
+}
+
+func TestCommitFailure(t *testing.T) {
+	fms, td, cleanup := newFileMetadataStore(t)
+	defer cleanup()
+
+	if err := ioutil.WriteFile(filepath.Join(td, "sha256"), []byte("was here first!"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	tx, err := fms.StartTransaction()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := tx.SetSize(0); err != nil {
+		t.Fatal(err)
+	}
+
+	err = tx.Commit(randomLayerID(5))
+	if err == nil {
+		t.Fatalf("Expected error committing with invalid layer parent directory")
+	}
+	assertNotDirectoryError(t, err)
+}
+
+func TestStartTransactionFailure(t *testing.T) {
+	fms, td, cleanup := newFileMetadataStore(t)
+	defer cleanup()
+
+	if err := ioutil.WriteFile(filepath.Join(td, "tmp"), []byte("was here first!"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	_, err := fms.StartTransaction()
+	if err == nil {
+		t.Fatalf("Expected error starting transaction with invalid layer parent directory")
+	}
+	assertNotDirectoryError(t, err)
+
+	if err := os.Remove(filepath.Join(td, "tmp")); err != nil {
+		t.Fatal(err)
+	}
+
+	tx, err := fms.StartTransaction()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected := filepath.Join(td, "tmp"); strings.HasPrefix(expected, tx.String()) {
+		t.Fatalf("Unexpected transaction string %q, expected prefix %q", tx.String(), expected)
+	}
+
+	if err := tx.Cancel(); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/layer/filestore_unix.go b/engine/layer/filestore_unix.go
new file mode 100644
index 00000000..68e7f907
--- /dev/null
+++ b/engine/layer/filestore_unix.go
@@ -0,0 +1,15 @@
+// +build !windows
+
+package layer // import "github.com/docker/docker/layer"
+
+import "runtime"
+
+// setOS writes the "os" file to the layer filestore
+func (fm *fileMetadataTransaction) setOS(os string) error {
+	return nil
+}
+
+// getOS reads the "os" file from the layer filestore
+func (fms *fileMetadataStore) getOS(layer ChainID) (string, error) {
+	return runtime.GOOS, nil
+}
diff --git a/engine/layer/filestore_windows.go b/engine/layer/filestore_windows.go
new file mode 100644
index 00000000..cecad426
--- /dev/null
+++ b/engine/layer/filestore_windows.go
@@ -0,0 +1,35 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+)
+
+// setOS writes the "os" file to the layer filestore
+func (fm *fileMetadataTransaction) setOS(os string) error {
+	if os == "" {
+		return nil
+	}
+	return fm.ws.WriteFile("os", []byte(os), 0644)
+}
+
+// getOS reads the "os" file from the layer filestore
+func (fms *fileMetadataStore) getOS(layer ChainID) (string, error) {
+	contentBytes, err := ioutil.ReadFile(fms.getLayerFilename(layer, "os"))
+	if err != nil {
+		// For backwards compatibility, the os file may not exist. Default to "windows" if missing.
+		if os.IsNotExist(err) {
+			return "windows", nil
+		}
+		return "", err
+	}
+	content := strings.TrimSpace(string(contentBytes))
+
+	if content != "windows" && content != "linux" {
+		return "", fmt.Errorf("invalid operating system value: %s", content)
+	}
+
+	return content, nil
+}
diff --git a/engine/layer/layer.go b/engine/layer/layer.go
new file mode 100644
index 00000000..d0c7fa86
--- /dev/null
+++ b/engine/layer/layer.go
@@ -0,0 +1,237 @@
+// Package layer is package for managing read-only
+// and read-write mounts on the union file system
+// driver. Read-only mounts are referenced using a
+// content hash and are protected from mutation in
+// the exposed interface. The tar format is used
+// to create read-only layers and export both
+// read-only and writable layers. The exported
+// tar data for a read-only layer should match
+// the tar used to create the layer.
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"errors"
+	"io"
+
+	"github.com/docker/distribution"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// ErrLayerDoesNotExist is used when an operation is
+	// attempted on a layer which does not exist.
+	ErrLayerDoesNotExist = errors.New("layer does not exist")
+
+	// ErrLayerNotRetained is used when a release is
+	// attempted on a layer which is not retained.
+	ErrLayerNotRetained = errors.New("layer not retained")
+
+	// ErrMountDoesNotExist is used when an operation is
+	// attempted on a mount layer which does not exist.
+	ErrMountDoesNotExist = errors.New("mount does not exist")
+
+	// ErrMountNameConflict is used when a mount is attempted
+	// to be created but there is already a mount with the name
+	// used for creation.
+	ErrMountNameConflict = errors.New("mount already exists with name")
+
+	// ErrActiveMount is used when an operation on a
+	// mount is attempted but the layer is still
+	// mounted and the operation cannot be performed.
+	ErrActiveMount = errors.New("mount still active")
+
+	// ErrNotMounted is used when requesting an active
+	// mount but the layer is not mounted.
+	ErrNotMounted = errors.New("not mounted")
+
+	// ErrMaxDepthExceeded is used when a layer is attempted
+	// to be created which would result in a layer depth
+	// greater than the 125 max.
+	ErrMaxDepthExceeded = errors.New("max depth exceeded")
+
+	// ErrNotSupported is used when the action is not supported
+	// on the current host operating system.
+	ErrNotSupported = errors.New("not support on this host operating system")
+)
+
+// ChainID is the content-addressable ID of a layer.
+type ChainID digest.Digest
+
+// String returns a string rendition of a layer ID
+func (id ChainID) String() string {
+	return string(id)
+}
+
+// DiffID is the hash of an individual layer tar.
+type DiffID digest.Digest
+
+// String returns a string rendition of a layer DiffID
+func (diffID DiffID) String() string {
+	return string(diffID)
+}
+
+// TarStreamer represents an object which may
+// have its contents exported as a tar stream.
+type TarStreamer interface {
+	// TarStream returns a tar archive stream
+	// for the contents of a layer.
+	TarStream() (io.ReadCloser, error)
+}
+
+// Layer represents a read-only layer
+type Layer interface {
+	TarStreamer
+
+	// TarStreamFrom returns a tar archive stream for all the layer chain with
+	// arbitrary depth.
+	TarStreamFrom(ChainID) (io.ReadCloser, error)
+
+	// ChainID returns the content hash of the entire layer chain. The hash
+	// chain is made up of DiffID of top layer and all of its parents.
+	ChainID() ChainID
+
+	// DiffID returns the content hash of the layer
+	// tar stream used to create this layer.
+	DiffID() DiffID
+
+	// Parent returns the next layer in the layer chain.
+	Parent() Layer
+
+	// Size returns the size of the entire layer chain. The size
+	// is calculated from the total size of all files in the layers.
+	Size() (int64, error)
+
+	// DiffSize returns the size difference of the top layer
+	// from parent layer.
+	DiffSize() (int64, error)
+
+	// Metadata returns the low level storage metadata associated
+	// with layer.
+	Metadata() (map[string]string, error)
+}
+
+// RWLayer represents a layer which is
+// read and writable
+type RWLayer interface {
+	TarStreamer
+
+	// Name of mounted layer
+	Name() string
+
+	// Parent returns the layer which the writable
+	// layer was created from.
+	Parent() Layer
+
+	// Mount mounts the RWLayer and returns the filesystem path
+	// the to the writable layer.
+	Mount(mountLabel string) (containerfs.ContainerFS, error)
+
+	// Unmount unmounts the RWLayer. This should be called
+	// for every mount. If there are multiple mount calls
+	// this operation will only decrement the internal mount counter.
+	Unmount() error
+
+	// Size represents the size of the writable layer
+	// as calculated by the total size of the files
+	// changed in the mutable layer.
+	Size() (int64, error)
+
+	// Changes returns the set of changes for the mutable layer
+	// from the base layer.
+	Changes() ([]archive.Change, error)
+
+	// Metadata returns the low level metadata for the mutable layer
+	Metadata() (map[string]string, error)
+}
+
+// Metadata holds information about a
+// read-only layer
+type Metadata struct {
+	// ChainID is the content hash of the layer
+	ChainID ChainID
+
+	// DiffID is the hash of the tar data used to
+	// create the layer
+	DiffID DiffID
+
+	// Size is the size of the layer and all parents
+	Size int64
+
+	// DiffSize is the size of the top layer
+	DiffSize int64
+}
+
+// MountInit is a function to initialize a
+// writable mount. Changes made here will
+// not be included in the Tar stream of the
+// RWLayer.
+type MountInit func(root containerfs.ContainerFS) error
+
+// CreateRWLayerOpts contains optional arguments to be passed to CreateRWLayer
+type CreateRWLayerOpts struct {
+	MountLabel string
+	InitFunc   MountInit
+	StorageOpt map[string]string
+}
+
+// Store represents a backend for managing both
+// read-only and read-write layers.
+type Store interface {
+	Register(io.Reader, ChainID) (Layer, error)
+	Get(ChainID) (Layer, error)
+	Map() map[ChainID]Layer
+	Release(Layer) ([]Metadata, error)
+
+	CreateRWLayer(id string, parent ChainID, opts *CreateRWLayerOpts) (RWLayer, error)
+	GetRWLayer(id string) (RWLayer, error)
+	GetMountID(id string) (string, error)
+	ReleaseRWLayer(RWLayer) ([]Metadata, error)
+
+	Cleanup() error
+	DriverStatus() [][2]string
+	DriverName() string
+}
+
+// DescribableStore represents a layer store capable of storing
+// descriptors for layers.
+type DescribableStore interface {
+	RegisterWithDescriptor(io.Reader, ChainID, distribution.Descriptor) (Layer, error)
+}
+
+// CreateChainID returns ID for a layerDigest slice
+func CreateChainID(dgsts []DiffID) ChainID {
+	return createChainIDFromParent("", dgsts...)
+}
+
+func createChainIDFromParent(parent ChainID, dgsts ...DiffID) ChainID {
+	if len(dgsts) == 0 {
+		return parent
+	}
+	if parent == "" {
+		return createChainIDFromParent(ChainID(dgsts[0]), dgsts[1:]...)
+	}
+	// H = "H(n-1) SHA256(n)"
+	dgst := digest.FromBytes([]byte(string(parent) + " " + string(dgsts[0])))
+	return createChainIDFromParent(ChainID(dgst), dgsts[1:]...)
+}
+
+// ReleaseAndLog releases the provided layer from the given layer
+// store, logging any error and release metadata
+func ReleaseAndLog(ls Store, l Layer) {
+	metadata, err := ls.Release(l)
+	if err != nil {
+		logrus.Errorf("Error releasing layer %s: %v", l.ChainID(), err)
+	}
+	LogReleaseMetadata(metadata)
+}
+
+// LogReleaseMetadata logs a metadata array, uses this to
+// ensure consistent logging for release metadata
+func LogReleaseMetadata(metadatas []Metadata) {
+	for _, metadata := range metadatas {
+		logrus.Infof("Layer %s cleaned up", metadata.ChainID)
+	}
+}
diff --git a/engine/layer/layer_store.go b/engine/layer/layer_store.go
new file mode 100644
index 00000000..c1fbf850
--- /dev/null
+++ b/engine/layer/layer_store.go
@@ -0,0 +1,754 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"sync"
+
+	"github.com/docker/distribution"
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/system"
+	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+	"github.com/vbatts/tar-split/tar/asm"
+	"github.com/vbatts/tar-split/tar/storage"
+)
+
+// maxLayerDepth represents the maximum number of
+// layers which can be chained together. 125 was
+// chosen to account for the 127 max in some
+// graphdrivers plus the 2 additional layers
+// used to create a rwlayer.
+const maxLayerDepth = 125
+
+type layerStore struct {
+	store       *fileMetadataStore
+	driver      graphdriver.Driver
+	useTarSplit bool
+
+	layerMap map[ChainID]*roLayer
+	layerL   sync.Mutex
+
+	mounts map[string]*mountedLayer
+	mountL sync.Mutex
+	os     string
+}
+
+// StoreOptions are the options used to create a new Store instance
+type StoreOptions struct {
+	Root                      string
+	MetadataStorePathTemplate string
+	GraphDriver               string
+	GraphDriverOptions        []string
+	IDMappings                *idtools.IDMappings
+	PluginGetter              plugingetter.PluginGetter
+	ExperimentalEnabled       bool
+	OS                        string
+}
+
+// NewStoreFromOptions creates a new Store instance
+func NewStoreFromOptions(options StoreOptions) (Store, error) {
+	driver, err := graphdriver.New(options.GraphDriver, options.PluginGetter, graphdriver.Options{
+		Root:                options.Root,
+		DriverOptions:       options.GraphDriverOptions,
+		UIDMaps:             options.IDMappings.UIDs(),
+		GIDMaps:             options.IDMappings.GIDs(),
+		ExperimentalEnabled: options.ExperimentalEnabled,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("error initializing graphdriver: %v", err)
+	}
+	logrus.Debugf("Initialized graph driver %s", driver)
+
+	root := fmt.Sprintf(options.MetadataStorePathTemplate, driver)
+
+	return newStoreFromGraphDriver(root, driver, options.OS)
+}
+
+// newStoreFromGraphDriver creates a new Store instance using the provided
+// metadata store and graph driver. The metadata store will be used to restore
+// the Store.
+func newStoreFromGraphDriver(root string, driver graphdriver.Driver, os string) (Store, error) {
+	if !system.IsOSSupported(os) {
+		return nil, fmt.Errorf("failed to initialize layer store as operating system '%s' is not supported", os)
+	}
+	caps := graphdriver.Capabilities{}
+	if capDriver, ok := driver.(graphdriver.CapabilityDriver); ok {
+		caps = capDriver.Capabilities()
+	}
+
+	ms, err := newFSMetadataStore(root)
+	if err != nil {
+		return nil, err
+	}
+
+	ls := &layerStore{
+		store:       ms,
+		driver:      driver,
+		layerMap:    map[ChainID]*roLayer{},
+		mounts:      map[string]*mountedLayer{},
+		useTarSplit: !caps.ReproducesExactDiffs,
+		os:          os,
+	}
+
+	ids, mounts, err := ms.List()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, id := range ids {
+		l, err := ls.loadLayer(id)
+		if err != nil {
+			logrus.Debugf("Failed to load layer %s: %s", id, err)
+			continue
+		}
+		if l.parent != nil {
+			l.parent.referenceCount++
+		}
+	}
+
+	for _, mount := range mounts {
+		if err := ls.loadMount(mount); err != nil {
+			logrus.Debugf("Failed to load mount %s: %s", mount, err)
+		}
+	}
+
+	return ls, nil
+}
+
+func (ls *layerStore) Driver() graphdriver.Driver {
+	return ls.driver
+}
+
+func (ls *layerStore) loadLayer(layer ChainID) (*roLayer, error) {
+	cl, ok := ls.layerMap[layer]
+	if ok {
+		return cl, nil
+	}
+
+	diff, err := ls.store.GetDiffID(layer)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get diff id for %s: %s", layer, err)
+	}
+
+	size, err := ls.store.GetSize(layer)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get size for %s: %s", layer, err)
+	}
+
+	cacheID, err := ls.store.GetCacheID(layer)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get cache id for %s: %s", layer, err)
+	}
+
+	parent, err := ls.store.GetParent(layer)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get parent for %s: %s", layer, err)
+	}
+
+	descriptor, err := ls.store.GetDescriptor(layer)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get descriptor for %s: %s", layer, err)
+	}
+
+	os, err := ls.store.getOS(layer)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get operating system for %s: %s", layer, err)
+	}
+
+	if os != ls.os {
+		return nil, fmt.Errorf("failed to load layer with os %s into layerstore for %s", os, ls.os)
+	}
+
+	cl = &roLayer{
+		chainID:    layer,
+		diffID:     diff,
+		size:       size,
+		cacheID:    cacheID,
+		layerStore: ls,
+		references: map[Layer]struct{}{},
+		descriptor: descriptor,
+	}
+
+	if parent != "" {
+		p, err := ls.loadLayer(parent)
+		if err != nil {
+			return nil, err
+		}
+		cl.parent = p
+	}
+
+	ls.layerMap[cl.chainID] = cl
+
+	return cl, nil
+}
+
+func (ls *layerStore) loadMount(mount string) error {
+	if _, ok := ls.mounts[mount]; ok {
+		return nil
+	}
+
+	mountID, err := ls.store.GetMountID(mount)
+	if err != nil {
+		return err
+	}
+
+	initID, err := ls.store.GetInitID(mount)
+	if err != nil {
+		return err
+	}
+
+	parent, err := ls.store.GetMountParent(mount)
+	if err != nil {
+		return err
+	}
+
+	ml := &mountedLayer{
+		name:       mount,
+		mountID:    mountID,
+		initID:     initID,
+		layerStore: ls,
+		references: map[RWLayer]*referencedRWLayer{},
+	}
+
+	if parent != "" {
+		p, err := ls.loadLayer(parent)
+		if err != nil {
+			return err
+		}
+		ml.parent = p
+
+		p.referenceCount++
+	}
+
+	ls.mounts[ml.name] = ml
+
+	return nil
+}
+
+func (ls *layerStore) applyTar(tx *fileMetadataTransaction, ts io.Reader, parent string, layer *roLayer) error {
+	digester := digest.Canonical.Digester()
+	tr := io.TeeReader(ts, digester.Hash())
+
+	rdr := tr
+	if ls.useTarSplit {
+		tsw, err := tx.TarSplitWriter(true)
+		if err != nil {
+			return err
+		}
+		metaPacker := storage.NewJSONPacker(tsw)
+		defer tsw.Close()
+
+		// we're passing nil here for the file putter, because the ApplyDiff will
+		// handle the extraction of the archive
+		rdr, err = asm.NewInputTarStream(tr, metaPacker, nil)
+		if err != nil {
+			return err
+		}
+	}
+
+	applySize, err := ls.driver.ApplyDiff(layer.cacheID, parent, rdr)
+	if err != nil {
+		return err
+	}
+
+	// Discard trailing data but ensure metadata is picked up to reconstruct stream
+	io.Copy(ioutil.Discard, rdr) // ignore error as reader may be closed
+
+	layer.size = applySize
+	layer.diffID = DiffID(digester.Digest())
+
+	logrus.Debugf("Applied tar %s to %s, size: %d", layer.diffID, layer.cacheID, applySize)
+
+	return nil
+}
+
+func (ls *layerStore) Register(ts io.Reader, parent ChainID) (Layer, error) {
+	return ls.registerWithDescriptor(ts, parent, distribution.Descriptor{})
+}
+
+func (ls *layerStore) registerWithDescriptor(ts io.Reader, parent ChainID, descriptor distribution.Descriptor) (Layer, error) {
+	// err is used to hold the error which will always trigger
+	// cleanup of creates sources but may not be an error returned
+	// to the caller (already exists).
+	var err error
+	var pid string
+	var p *roLayer
+
+	if string(parent) != "" {
+		p = ls.get(parent)
+		if p == nil {
+			return nil, ErrLayerDoesNotExist
+		}
+		pid = p.cacheID
+		// Release parent chain if error
+		defer func() {
+			if err != nil {
+				ls.layerL.Lock()
+				ls.releaseLayer(p)
+				ls.layerL.Unlock()
+			}
+		}()
+		if p.depth() >= maxLayerDepth {
+			err = ErrMaxDepthExceeded
+			return nil, err
+		}
+	}
+
+	// Create new roLayer
+	layer := &roLayer{
+		parent:         p,
+		cacheID:        stringid.GenerateRandomID(),
+		referenceCount: 1,
+		layerStore:     ls,
+		references:     map[Layer]struct{}{},
+		descriptor:     descriptor,
+	}
+
+	if err = ls.driver.Create(layer.cacheID, pid, nil); err != nil {
+		return nil, err
+	}
+
+	tx, err := ls.store.StartTransaction()
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if err != nil {
+			logrus.Debugf("Cleaning up layer %s: %v", layer.cacheID, err)
+			if err := ls.driver.Remove(layer.cacheID); err != nil {
+				logrus.Errorf("Error cleaning up cache layer %s: %v", layer.cacheID, err)
+			}
+			if err := tx.Cancel(); err != nil {
+				logrus.Errorf("Error canceling metadata transaction %q: %s", tx.String(), err)
+			}
+		}
+	}()
+
+	if err = ls.applyTar(tx, ts, pid, layer); err != nil {
+		return nil, err
+	}
+
+	if layer.parent == nil {
+		layer.chainID = ChainID(layer.diffID)
+	} else {
+		layer.chainID = createChainIDFromParent(layer.parent.chainID, layer.diffID)
+	}
+
+	if err = storeLayer(tx, layer); err != nil {
+		return nil, err
+	}
+
+	ls.layerL.Lock()
+	defer ls.layerL.Unlock()
+
+	if existingLayer := ls.getWithoutLock(layer.chainID); existingLayer != nil {
+		// Set error for cleanup, but do not return the error
+		err = errors.New("layer already exists")
+		return existingLayer.getReference(), nil
+	}
+
+	if err = tx.Commit(layer.chainID); err != nil {
+		return nil, err
+	}
+
+	ls.layerMap[layer.chainID] = layer
+
+	return layer.getReference(), nil
+}
+
+func (ls *layerStore) getWithoutLock(layer ChainID) *roLayer {
+	l, ok := ls.layerMap[layer]
+	if !ok {
+		return nil
+	}
+
+	l.referenceCount++
+
+	return l
+}
+
+func (ls *layerStore) get(l ChainID) *roLayer {
+	ls.layerL.Lock()
+	defer ls.layerL.Unlock()
+	return ls.getWithoutLock(l)
+}
+
+func (ls *layerStore) Get(l ChainID) (Layer, error) {
+	ls.layerL.Lock()
+	defer ls.layerL.Unlock()
+
+	layer := ls.getWithoutLock(l)
+	if layer == nil {
+		return nil, ErrLayerDoesNotExist
+	}
+
+	return layer.getReference(), nil
+}
+
+func (ls *layerStore) Map() map[ChainID]Layer {
+	ls.layerL.Lock()
+	defer ls.layerL.Unlock()
+
+	layers := map[ChainID]Layer{}
+
+	for k, v := range ls.layerMap {
+		layers[k] = v
+	}
+
+	return layers
+}
+
+func (ls *layerStore) deleteLayer(layer *roLayer, metadata *Metadata) error {
+	err := ls.driver.Remove(layer.cacheID)
+	if err != nil {
+		return err
+	}
+	err = ls.store.Remove(layer.chainID)
+	if err != nil {
+		return err
+	}
+	metadata.DiffID = layer.diffID
+	metadata.ChainID = layer.chainID
+	metadata.Size, err = layer.Size()
+	if err != nil {
+		return err
+	}
+	metadata.DiffSize = layer.size
+
+	return nil
+}
+
+func (ls *layerStore) releaseLayer(l *roLayer) ([]Metadata, error) {
+	depth := 0
+	removed := []Metadata{}
+	for {
+		if l.referenceCount == 0 {
+			panic("layer not retained")
+		}
+		l.referenceCount--
+		if l.referenceCount != 0 {
+			return removed, nil
+		}
+
+		if len(removed) == 0 && depth > 0 {
+			panic("cannot remove layer with child")
+		}
+		if l.hasReferences() {
+			panic("cannot delete referenced layer")
+		}
+		var metadata Metadata
+		if err := ls.deleteLayer(l, &metadata); err != nil {
+			return nil, err
+		}
+
+		delete(ls.layerMap, l.chainID)
+		removed = append(removed, metadata)
+
+		if l.parent == nil {
+			return removed, nil
+		}
+
+		depth++
+		l = l.parent
+	}
+}
+
+func (ls *layerStore) Release(l Layer) ([]Metadata, error) {
+	ls.layerL.Lock()
+	defer ls.layerL.Unlock()
+	layer, ok := ls.layerMap[l.ChainID()]
+	if !ok {
+		return []Metadata{}, nil
+	}
+	if !layer.hasReference(l) {
+		return nil, ErrLayerNotRetained
+	}
+
+	layer.deleteReference(l)
+
+	return ls.releaseLayer(layer)
+}
+
+func (ls *layerStore) CreateRWLayer(name string, parent ChainID, opts *CreateRWLayerOpts) (RWLayer, error) {
+	var (
+		storageOpt map[string]string
+		initFunc   MountInit
+		mountLabel string
+	)
+
+	if opts != nil {
+		mountLabel = opts.MountLabel
+		storageOpt = opts.StorageOpt
+		initFunc = opts.InitFunc
+	}
+
+	ls.mountL.Lock()
+	defer ls.mountL.Unlock()
+	m, ok := ls.mounts[name]
+	if ok {
+		return nil, ErrMountNameConflict
+	}
+
+	var err error
+	var pid string
+	var p *roLayer
+	if string(parent) != "" {
+		p = ls.get(parent)
+		if p == nil {
+			return nil, ErrLayerDoesNotExist
+		}
+		pid = p.cacheID
+
+		// Release parent chain if error
+		defer func() {
+			if err != nil {
+				ls.layerL.Lock()
+				ls.releaseLayer(p)
+				ls.layerL.Unlock()
+			}
+		}()
+	}
+
+	m = &mountedLayer{
+		name:       name,
+		parent:     p,
+		mountID:    ls.mountID(name),
+		layerStore: ls,
+		references: map[RWLayer]*referencedRWLayer{},
+	}
+
+	if initFunc != nil {
+		pid, err = ls.initMount(m.mountID, pid, mountLabel, initFunc, storageOpt)
+		if err != nil {
+			return nil, err
+		}
+		m.initID = pid
+	}
+
+	createOpts := &graphdriver.CreateOpts{
+		StorageOpt: storageOpt,
+	}
+
+	if err = ls.driver.CreateReadWrite(m.mountID, pid, createOpts); err != nil {
+		return nil, err
+	}
+	if err = ls.saveMount(m); err != nil {
+		return nil, err
+	}
+
+	return m.getReference(), nil
+}
+
+func (ls *layerStore) GetRWLayer(id string) (RWLayer, error) {
+	ls.mountL.Lock()
+	defer ls.mountL.Unlock()
+	mount, ok := ls.mounts[id]
+	if !ok {
+		return nil, ErrMountDoesNotExist
+	}
+
+	return mount.getReference(), nil
+}
+
+func (ls *layerStore) GetMountID(id string) (string, error) {
+	ls.mountL.Lock()
+	defer ls.mountL.Unlock()
+	mount, ok := ls.mounts[id]
+	if !ok {
+		return "", ErrMountDoesNotExist
+	}
+	logrus.Debugf("GetMountID id: %s -> mountID: %s", id, mount.mountID)
+
+	return mount.mountID, nil
+}
+
+func (ls *layerStore) ReleaseRWLayer(l RWLayer) ([]Metadata, error) {
+	ls.mountL.Lock()
+	defer ls.mountL.Unlock()
+	m, ok := ls.mounts[l.Name()]
+	if !ok {
+		return []Metadata{}, nil
+	}
+
+	if err := m.deleteReference(l); err != nil {
+		return nil, err
+	}
+
+	if m.hasReferences() {
+		return []Metadata{}, nil
+	}
+
+	if err := ls.driver.Remove(m.mountID); err != nil {
+		logrus.Errorf("Error removing mounted layer %s: %s", m.name, err)
+		m.retakeReference(l)
+		return nil, err
+	}
+
+	if m.initID != "" {
+		if err := ls.driver.Remove(m.initID); err != nil {
+			logrus.Errorf("Error removing init layer %s: %s", m.name, err)
+			m.retakeReference(l)
+			return nil, err
+		}
+	}
+
+	if err := ls.store.RemoveMount(m.name); err != nil {
+		logrus.Errorf("Error removing mount metadata: %s: %s", m.name, err)
+		m.retakeReference(l)
+		return nil, err
+	}
+
+	delete(ls.mounts, m.Name())
+
+	ls.layerL.Lock()
+	defer ls.layerL.Unlock()
+	if m.parent != nil {
+		return ls.releaseLayer(m.parent)
+	}
+
+	return []Metadata{}, nil
+}
+
+func (ls *layerStore) saveMount(mount *mountedLayer) error {
+	if err := ls.store.SetMountID(mount.name, mount.mountID); err != nil {
+		return err
+	}
+
+	if mount.initID != "" {
+		if err := ls.store.SetInitID(mount.name, mount.initID); err != nil {
+			return err
+		}
+	}
+
+	if mount.parent != nil {
+		if err := ls.store.SetMountParent(mount.name, mount.parent.chainID); err != nil {
+			return err
+		}
+	}
+
+	ls.mounts[mount.name] = mount
+
+	return nil
+}
+
+func (ls *layerStore) initMount(graphID, parent, mountLabel string, initFunc MountInit, storageOpt map[string]string) (string, error) {
+	// Use "<graph-id>-init" to maintain compatibility with graph drivers
+	// which are expecting this layer with this special name. If all
+	// graph drivers can be updated to not rely on knowing about this layer
+	// then the initID should be randomly generated.
+	initID := fmt.Sprintf("%s-init", graphID)
+
+	createOpts := &graphdriver.CreateOpts{
+		MountLabel: mountLabel,
+		StorageOpt: storageOpt,
+	}
+
+	if err := ls.driver.CreateReadWrite(initID, parent, createOpts); err != nil {
+		return "", err
+	}
+	p, err := ls.driver.Get(initID, "")
+	if err != nil {
+		return "", err
+	}
+
+	if err := initFunc(p); err != nil {
+		ls.driver.Put(initID)
+		return "", err
+	}
+
+	if err := ls.driver.Put(initID); err != nil {
+		return "", err
+	}
+
+	return initID, nil
+}
+
+func (ls *layerStore) getTarStream(rl *roLayer) (io.ReadCloser, error) {
+	if !ls.useTarSplit {
+		var parentCacheID string
+		if rl.parent != nil {
+			parentCacheID = rl.parent.cacheID
+		}
+
+		return ls.driver.Diff(rl.cacheID, parentCacheID)
+	}
+
+	r, err := ls.store.TarSplitReader(rl.chainID)
+	if err != nil {
+		return nil, err
+	}
+
+	pr, pw := io.Pipe()
+	go func() {
+		err := ls.assembleTarTo(rl.cacheID, r, nil, pw)
+		if err != nil {
+			pw.CloseWithError(err)
+		} else {
+			pw.Close()
+		}
+	}()
+
+	return pr, nil
+}
+
+func (ls *layerStore) assembleTarTo(graphID string, metadata io.ReadCloser, size *int64, w io.Writer) error {
+	diffDriver, ok := ls.driver.(graphdriver.DiffGetterDriver)
+	if !ok {
+		diffDriver = &naiveDiffPathDriver{ls.driver}
+	}
+
+	defer metadata.Close()
+
+	// get our relative path to the container
+	fileGetCloser, err := diffDriver.DiffGetter(graphID)
+	if err != nil {
+		return err
+	}
+	defer fileGetCloser.Close()
+
+	metaUnpacker := storage.NewJSONUnpacker(metadata)
+	upackerCounter := &unpackSizeCounter{metaUnpacker, size}
+	logrus.Debugf("Assembling tar data for %s", graphID)
+	return asm.WriteOutputTarStream(fileGetCloser, upackerCounter, w)
+}
+
+func (ls *layerStore) Cleanup() error {
+	return ls.driver.Cleanup()
+}
+
+func (ls *layerStore) DriverStatus() [][2]string {
+	return ls.driver.Status()
+}
+
+func (ls *layerStore) DriverName() string {
+	return ls.driver.String()
+}
+
+type naiveDiffPathDriver struct {
+	graphdriver.Driver
+}
+
+type fileGetPutter struct {
+	storage.FileGetter
+	driver graphdriver.Driver
+	id     string
+}
+
+func (w *fileGetPutter) Close() error {
+	return w.driver.Put(w.id)
+}
+
+func (n *naiveDiffPathDriver) DiffGetter(id string) (graphdriver.FileGetCloser, error) {
+	p, err := n.Driver.Get(id, "")
+	if err != nil {
+		return nil, err
+	}
+	return &fileGetPutter{storage.NewPathFileGetter(p.Path()), n.Driver, id}, nil
+}
diff --git a/engine/layer/layer_store_windows.go b/engine/layer/layer_store_windows.go
new file mode 100644
index 00000000..eca1f6a8
--- /dev/null
+++ b/engine/layer/layer_store_windows.go
@@ -0,0 +1,11 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"io"
+
+	"github.com/docker/distribution"
+)
+
+func (ls *layerStore) RegisterWithDescriptor(ts io.Reader, parent ChainID, descriptor distribution.Descriptor) (Layer, error) {
+	return ls.registerWithDescriptor(ts, parent, descriptor)
+}
diff --git a/engine/layer/layer_test.go b/engine/layer/layer_test.go
new file mode 100644
index 00000000..5c4e8fab
--- /dev/null
+++ b/engine/layer/layer_test.go
@@ -0,0 +1,768 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/containerd/continuity/driver"
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/daemon/graphdriver/vfs"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/opencontainers/go-digest"
+)
+
+func init() {
+	graphdriver.ApplyUncompressedLayer = archive.UnpackLayer
+	defaultArchiver := archive.NewDefaultArchiver()
+	vfs.CopyDir = defaultArchiver.CopyWithTar
+}
+
+func newVFSGraphDriver(td string) (graphdriver.Driver, error) {
+	uidMap := []idtools.IDMap{
+		{
+			ContainerID: 0,
+			HostID:      os.Getuid(),
+			Size:        1,
+		},
+	}
+	gidMap := []idtools.IDMap{
+		{
+			ContainerID: 0,
+			HostID:      os.Getgid(),
+			Size:        1,
+		},
+	}
+
+	options := graphdriver.Options{Root: td, UIDMaps: uidMap, GIDMaps: gidMap}
+	return graphdriver.GetDriver("vfs", nil, options)
+}
+
+func newTestGraphDriver(t *testing.T) (graphdriver.Driver, func()) {
+	td, err := ioutil.TempDir("", "graph-")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	driver, err := newVFSGraphDriver(td)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return driver, func() {
+		os.RemoveAll(td)
+	}
+}
+
+func newTestStore(t *testing.T) (Store, string, func()) {
+	td, err := ioutil.TempDir("", "layerstore-")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	graph, graphcleanup := newTestGraphDriver(t)
+
+	ls, err := newStoreFromGraphDriver(td, graph, runtime.GOOS)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return ls, td, func() {
+		graphcleanup()
+		os.RemoveAll(td)
+	}
+}
+
+type layerInit func(root containerfs.ContainerFS) error
+
+func createLayer(ls Store, parent ChainID, layerFunc layerInit) (Layer, error) {
+	containerID := stringid.GenerateRandomID()
+	mount, err := ls.CreateRWLayer(containerID, parent, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	pathFS, err := mount.Mount("")
+	if err != nil {
+		return nil, err
+	}
+
+	if err := layerFunc(pathFS); err != nil {
+		return nil, err
+	}
+
+	ts, err := mount.TarStream()
+	if err != nil {
+		return nil, err
+	}
+	defer ts.Close()
+
+	layer, err := ls.Register(ts, parent)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := mount.Unmount(); err != nil {
+		return nil, err
+	}
+
+	if _, err := ls.ReleaseRWLayer(mount); err != nil {
+		return nil, err
+	}
+
+	return layer, nil
+}
+
+type FileApplier interface {
+	ApplyFile(root containerfs.ContainerFS) error
+}
+
+type testFile struct {
+	name       string
+	content    []byte
+	permission os.FileMode
+}
+
+func newTestFile(name string, content []byte, perm os.FileMode) FileApplier {
+	return &testFile{
+		name:       name,
+		content:    content,
+		permission: perm,
+	}
+}
+
+func (tf *testFile) ApplyFile(root containerfs.ContainerFS) error {
+	fullPath := root.Join(root.Path(), tf.name)
+	if err := root.MkdirAll(root.Dir(fullPath), 0755); err != nil {
+		return err
+	}
+	// Check if already exists
+	if stat, err := root.Stat(fullPath); err == nil && stat.Mode().Perm() != tf.permission {
+		if err := root.Lchmod(fullPath, tf.permission); err != nil {
+			return err
+		}
+	}
+	return driver.WriteFile(root, fullPath, tf.content, tf.permission)
+}
+
+func initWithFiles(files ...FileApplier) layerInit {
+	return func(root containerfs.ContainerFS) error {
+		for _, f := range files {
+			if err := f.ApplyFile(root); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+func getCachedLayer(l Layer) *roLayer {
+	if rl, ok := l.(*referencedCacheLayer); ok {
+		return rl.roLayer
+	}
+	return l.(*roLayer)
+}
+
+func getMountLayer(l RWLayer) *mountedLayer {
+	return l.(*referencedRWLayer).mountedLayer
+}
+
+func createMetadata(layers ...Layer) []Metadata {
+	metadata := make([]Metadata, len(layers))
+	for i := range layers {
+		size, err := layers[i].Size()
+		if err != nil {
+			panic(err)
+		}
+
+		metadata[i].ChainID = layers[i].ChainID()
+		metadata[i].DiffID = layers[i].DiffID()
+		metadata[i].Size = size
+		metadata[i].DiffSize = getCachedLayer(layers[i]).size
+	}
+
+	return metadata
+}
+
+func assertMetadata(t *testing.T, metadata, expectedMetadata []Metadata) {
+	if len(metadata) != len(expectedMetadata) {
+		t.Fatalf("Unexpected number of deletes %d, expected %d", len(metadata), len(expectedMetadata))
+	}
+
+	for i := range metadata {
+		if metadata[i] != expectedMetadata[i] {
+			t.Errorf("Unexpected metadata\n\tExpected: %#v\n\tActual: %#v", expectedMetadata[i], metadata[i])
+		}
+	}
+	if t.Failed() {
+		t.FailNow()
+	}
+}
+
+func releaseAndCheckDeleted(t *testing.T, ls Store, layer Layer, removed ...Layer) {
+	layerCount := len(ls.(*layerStore).layerMap)
+	expectedMetadata := createMetadata(removed...)
+	metadata, err := ls.Release(layer)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertMetadata(t, metadata, expectedMetadata)
+
+	if expected := layerCount - len(removed); len(ls.(*layerStore).layerMap) != expected {
+		t.Fatalf("Unexpected number of layers %d, expected %d", len(ls.(*layerStore).layerMap), expected)
+	}
+}
+
+func cacheID(l Layer) string {
+	return getCachedLayer(l).cacheID
+}
+
+func assertLayerEqual(t *testing.T, l1, l2 Layer) {
+	if l1.ChainID() != l2.ChainID() {
+		t.Fatalf("Mismatched ChainID: %s vs %s", l1.ChainID(), l2.ChainID())
+	}
+	if l1.DiffID() != l2.DiffID() {
+		t.Fatalf("Mismatched DiffID: %s vs %s", l1.DiffID(), l2.DiffID())
+	}
+
+	size1, err := l1.Size()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	size2, err := l2.Size()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if size1 != size2 {
+		t.Fatalf("Mismatched size: %d vs %d", size1, size2)
+	}
+
+	if cacheID(l1) != cacheID(l2) {
+		t.Fatalf("Mismatched cache id: %s vs %s", cacheID(l1), cacheID(l2))
+	}
+
+	p1 := l1.Parent()
+	p2 := l2.Parent()
+	if p1 != nil && p2 != nil {
+		assertLayerEqual(t, p1, p2)
+	} else if p1 != nil || p2 != nil {
+		t.Fatalf("Mismatched parents: %v vs %v", p1, p2)
+	}
+}
+
+func TestMountAndRegister(t *testing.T) {
+	ls, _, cleanup := newTestStore(t)
+	defer cleanup()
+
+	li := initWithFiles(newTestFile("testfile.txt", []byte("some test data"), 0644))
+	layer, err := createLayer(ls, "", li)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	size, _ := layer.Size()
+	t.Logf("Layer size: %d", size)
+
+	mount2, err := ls.CreateRWLayer("new-test-mount", layer.ChainID(), nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	path2, err := mount2.Mount("")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	b, err := driver.ReadFile(path2, path2.Join(path2.Path(), "testfile.txt"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected := "some test data"; string(b) != expected {
+		t.Fatalf("Wrong file data, expected %q, got %q", expected, string(b))
+	}
+
+	if err := mount2.Unmount(); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := ls.ReleaseRWLayer(mount2); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestLayerRelease(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	ls, _, cleanup := newTestStore(t)
+	defer cleanup()
+
+	layer1, err := createLayer(ls, "", initWithFiles(newTestFile("layer1.txt", []byte("layer 1 file"), 0644)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer2, err := createLayer(ls, layer1.ChainID(), initWithFiles(newTestFile("layer2.txt", []byte("layer 2 file"), 0644)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := ls.Release(layer1); err != nil {
+		t.Fatal(err)
+	}
+
+	layer3a, err := createLayer(ls, layer2.ChainID(), initWithFiles(newTestFile("layer3.txt", []byte("layer 3a file"), 0644)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer3b, err := createLayer(ls, layer2.ChainID(), initWithFiles(newTestFile("layer3.txt", []byte("layer 3b file"), 0644)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := ls.Release(layer2); err != nil {
+		t.Fatal(err)
+	}
+
+	t.Logf("Layer1:  %s", layer1.ChainID())
+	t.Logf("Layer2:  %s", layer2.ChainID())
+	t.Logf("Layer3a: %s", layer3a.ChainID())
+	t.Logf("Layer3b: %s", layer3b.ChainID())
+
+	if expected := 4; len(ls.(*layerStore).layerMap) != expected {
+		t.Fatalf("Unexpected number of layers %d, expected %d", len(ls.(*layerStore).layerMap), expected)
+	}
+
+	releaseAndCheckDeleted(t, ls, layer3b, layer3b)
+	releaseAndCheckDeleted(t, ls, layer3a, layer3a, layer2, layer1)
+}
+
+func TestStoreRestore(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	ls, _, cleanup := newTestStore(t)
+	defer cleanup()
+
+	layer1, err := createLayer(ls, "", initWithFiles(newTestFile("layer1.txt", []byte("layer 1 file"), 0644)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer2, err := createLayer(ls, layer1.ChainID(), initWithFiles(newTestFile("layer2.txt", []byte("layer 2 file"), 0644)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := ls.Release(layer1); err != nil {
+		t.Fatal(err)
+	}
+
+	layer3, err := createLayer(ls, layer2.ChainID(), initWithFiles(newTestFile("layer3.txt", []byte("layer 3 file"), 0644)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := ls.Release(layer2); err != nil {
+		t.Fatal(err)
+	}
+
+	m, err := ls.CreateRWLayer("some-mount_name", layer3.ChainID(), nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pathFS, err := m.Mount("")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := driver.WriteFile(pathFS, pathFS.Join(pathFS.Path(), "testfile.txt"), []byte("nothing here"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := m.Unmount(); err != nil {
+		t.Fatal(err)
+	}
+
+	ls2, err := newStoreFromGraphDriver(ls.(*layerStore).store.root, ls.(*layerStore).driver, runtime.GOOS)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer3b, err := ls2.Get(layer3.ChainID())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertLayerEqual(t, layer3b, layer3)
+
+	// Create again with same name, should return error
+	if _, err := ls2.CreateRWLayer("some-mount_name", layer3b.ChainID(), nil); err == nil {
+		t.Fatal("Expected error creating mount with same name")
+	} else if err != ErrMountNameConflict {
+		t.Fatal(err)
+	}
+
+	m2, err := ls2.GetRWLayer("some-mount_name")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if mountPath, err := m2.Mount(""); err != nil {
+		t.Fatal(err)
+	} else if pathFS.Path() != mountPath.Path() {
+		t.Fatalf("Unexpected path %s, expected %s", mountPath.Path(), pathFS.Path())
+	}
+
+	if mountPath, err := m2.Mount(""); err != nil {
+		t.Fatal(err)
+	} else if pathFS.Path() != mountPath.Path() {
+		t.Fatalf("Unexpected path %s, expected %s", mountPath.Path(), pathFS.Path())
+	}
+	if err := m2.Unmount(); err != nil {
+		t.Fatal(err)
+	}
+
+	b, err := driver.ReadFile(pathFS, pathFS.Join(pathFS.Path(), "testfile.txt"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if expected := "nothing here"; string(b) != expected {
+		t.Fatalf("Unexpected content %q, expected %q", string(b), expected)
+	}
+
+	if err := m2.Unmount(); err != nil {
+		t.Fatal(err)
+	}
+
+	if metadata, err := ls2.ReleaseRWLayer(m2); err != nil {
+		t.Fatal(err)
+	} else if len(metadata) != 0 {
+		t.Fatalf("Unexpectedly deleted layers: %#v", metadata)
+	}
+
+	if metadata, err := ls2.ReleaseRWLayer(m2); err != nil {
+		t.Fatal(err)
+	} else if len(metadata) != 0 {
+		t.Fatalf("Unexpectedly deleted layers: %#v", metadata)
+	}
+
+	releaseAndCheckDeleted(t, ls2, layer3b, layer3, layer2, layer1)
+}
+
+func TestTarStreamStability(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	ls, _, cleanup := newTestStore(t)
+	defer cleanup()
+
+	files1 := []FileApplier{
+		newTestFile("/etc/hosts", []byte("mydomain 10.0.0.1"), 0644),
+		newTestFile("/etc/profile", []byte("PATH=/usr/bin"), 0644),
+	}
+	addedFile := newTestFile("/etc/shadow", []byte("root:::::::"), 0644)
+	files2 := []FileApplier{
+		newTestFile("/etc/hosts", []byte("mydomain 10.0.0.2"), 0644),
+		newTestFile("/etc/profile", []byte("PATH=/usr/bin"), 0664),
+		newTestFile("/root/.bashrc", []byte("PATH=/usr/sbin:/usr/bin"), 0644),
+	}
+
+	tar1, err := tarFromFiles(files1...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tar2, err := tarFromFiles(files2...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer1, err := ls.Register(bytes.NewReader(tar1), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// hack layer to add file
+	p, err := ls.(*layerStore).driver.Get(layer1.(*referencedCacheLayer).cacheID, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := addedFile.ApplyFile(p); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := ls.(*layerStore).driver.Put(layer1.(*referencedCacheLayer).cacheID); err != nil {
+		t.Fatal(err)
+	}
+
+	layer2, err := ls.Register(bytes.NewReader(tar2), layer1.ChainID())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	id1 := layer1.ChainID()
+	t.Logf("Layer 1: %s", layer1.ChainID())
+	t.Logf("Layer 2: %s", layer2.ChainID())
+
+	if _, err := ls.Release(layer1); err != nil {
+		t.Fatal(err)
+	}
+
+	assertLayerDiff(t, tar2, layer2)
+
+	layer1b, err := ls.Get(id1)
+	if err != nil {
+		t.Logf("Content of layer map: %#v", ls.(*layerStore).layerMap)
+		t.Fatal(err)
+	}
+
+	if _, err := ls.Release(layer2); err != nil {
+		t.Fatal(err)
+	}
+
+	assertLayerDiff(t, tar1, layer1b)
+
+	if _, err := ls.Release(layer1b); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func assertLayerDiff(t *testing.T, expected []byte, layer Layer) {
+	expectedDigest := digest.FromBytes(expected)
+
+	if digest.Digest(layer.DiffID()) != expectedDigest {
+		t.Fatalf("Mismatched diff id for %s, got %s, expected %s", layer.ChainID(), layer.DiffID(), expected)
+	}
+
+	ts, err := layer.TarStream()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer ts.Close()
+
+	actual, err := ioutil.ReadAll(ts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(actual) != len(expected) {
+		logByteDiff(t, actual, expected)
+		t.Fatalf("Mismatched tar stream size for %s, got %d, expected %d", layer.ChainID(), len(actual), len(expected))
+	}
+
+	actualDigest := digest.FromBytes(actual)
+
+	if actualDigest != expectedDigest {
+		logByteDiff(t, actual, expected)
+		t.Fatalf("Wrong digest of tar stream, got %s, expected %s", actualDigest, expectedDigest)
+	}
+}
+
+const maxByteLog = 4 * 1024
+
+func logByteDiff(t *testing.T, actual, expected []byte) {
+	d1, d2 := byteDiff(actual, expected)
+	if len(d1) == 0 && len(d2) == 0 {
+		return
+	}
+
+	prefix := len(actual) - len(d1)
+	if len(d1) > maxByteLog || len(d2) > maxByteLog {
+		t.Logf("Byte diff after %d matching bytes", prefix)
+	} else {
+		t.Logf("Byte diff after %d matching bytes\nActual bytes after prefix:\n%x\nExpected bytes after prefix:\n%x", prefix, d1, d2)
+	}
+}
+
+// byteDiff returns the differing bytes after the matching prefix
+func byteDiff(b1, b2 []byte) ([]byte, []byte) {
+	i := 0
+	for i < len(b1) && i < len(b2) {
+		if b1[i] != b2[i] {
+			break
+		}
+		i++
+	}
+
+	return b1[i:], b2[i:]
+}
+
+func tarFromFiles(files ...FileApplier) ([]byte, error) {
+	td, err := ioutil.TempDir("", "tar-")
+	if err != nil {
+		return nil, err
+	}
+	defer os.RemoveAll(td)
+
+	for _, f := range files {
+		if err := f.ApplyFile(containerfs.NewLocalContainerFS(td)); err != nil {
+			return nil, err
+		}
+	}
+
+	r, err := archive.Tar(td, archive.Uncompressed)
+	if err != nil {
+		return nil, err
+	}
+
+	buf := bytes.NewBuffer(nil)
+	if _, err := io.Copy(buf, r); err != nil {
+		return nil, err
+	}
+
+	return buf.Bytes(), nil
+}
+
+// assertReferences asserts that all the references are to the same
+// image and represent the full set of references to that image.
+func assertReferences(t *testing.T, references ...Layer) {
+	if len(references) == 0 {
+		return
+	}
+	base := references[0].(*referencedCacheLayer).roLayer
+	seenReferences := map[Layer]struct{}{
+		references[0]: {},
+	}
+	for i := 1; i < len(references); i++ {
+		other := references[i].(*referencedCacheLayer).roLayer
+		if base != other {
+			t.Fatalf("Unexpected referenced cache layer %s, expecting %s", other.ChainID(), base.ChainID())
+		}
+		if _, ok := base.references[references[i]]; !ok {
+			t.Fatalf("Reference not part of reference list: %v", references[i])
+		}
+		if _, ok := seenReferences[references[i]]; ok {
+			t.Fatalf("Duplicated reference %v", references[i])
+		}
+	}
+	if rc := len(base.references); rc != len(references) {
+		t.Fatalf("Unexpected number of references %d, expecting %d", rc, len(references))
+	}
+}
+
+func TestRegisterExistingLayer(t *testing.T) {
+	ls, _, cleanup := newTestStore(t)
+	defer cleanup()
+
+	baseFiles := []FileApplier{
+		newTestFile("/etc/profile", []byte("# Base configuration"), 0644),
+	}
+
+	layerFiles := []FileApplier{
+		newTestFile("/root/.bashrc", []byte("# Root configuration"), 0644),
+	}
+
+	li := initWithFiles(baseFiles...)
+	layer1, err := createLayer(ls, "", li)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tar1, err := tarFromFiles(layerFiles...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer2a, err := ls.Register(bytes.NewReader(tar1), layer1.ChainID())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer2b, err := ls.Register(bytes.NewReader(tar1), layer1.ChainID())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertReferences(t, layer2a, layer2b)
+}
+
+func TestTarStreamVerification(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	ls, tmpdir, cleanup := newTestStore(t)
+	defer cleanup()
+
+	files1 := []FileApplier{
+		newTestFile("/foo", []byte("abc"), 0644),
+		newTestFile("/bar", []byte("def"), 0644),
+	}
+	files2 := []FileApplier{
+		newTestFile("/foo", []byte("abc"), 0644),
+		newTestFile("/bar", []byte("def"), 0600), // different perm
+	}
+
+	tar1, err := tarFromFiles(files1...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tar2, err := tarFromFiles(files2...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer1, err := ls.Register(bytes.NewReader(tar1), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer2, err := ls.Register(bytes.NewReader(tar2), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	id1 := digest.Digest(layer1.ChainID())
+	id2 := digest.Digest(layer2.ChainID())
+
+	// Replace tar data files
+	src, err := os.Open(filepath.Join(tmpdir, id1.Algorithm().String(), id1.Hex(), "tar-split.json.gz"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer src.Close()
+
+	dst, err := os.Create(filepath.Join(tmpdir, id2.Algorithm().String(), id2.Hex(), "tar-split.json.gz"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer dst.Close()
+
+	if _, err := io.Copy(dst, src); err != nil {
+		t.Fatal(err)
+	}
+
+	src.Sync()
+	dst.Sync()
+
+	ts, err := layer2.TarStream()
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = io.Copy(ioutil.Discard, ts)
+	if err == nil {
+		t.Fatal("expected data verification to fail")
+	}
+	if !strings.Contains(err.Error(), "could not verify layer data") {
+		t.Fatalf("wrong error returned from tarstream: %q", err)
+	}
+}
diff --git a/engine/layer/layer_unix.go b/engine/layer/layer_unix.go
new file mode 100644
index 00000000..002c7ff8
--- /dev/null
+++ b/engine/layer/layer_unix.go
@@ -0,0 +1,9 @@
+// +build linux freebsd darwin openbsd
+
+package layer // import "github.com/docker/docker/layer"
+
+import "github.com/docker/docker/pkg/stringid"
+
+func (ls *layerStore) mountID(name string) string {
+	return stringid.GenerateRandomID()
+}
diff --git a/engine/layer/layer_unix_test.go b/engine/layer/layer_unix_test.go
new file mode 100644
index 00000000..68301581
--- /dev/null
+++ b/engine/layer/layer_unix_test.go
@@ -0,0 +1,73 @@
+// +build !windows
+
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"testing"
+)
+
+func graphDiffSize(ls Store, l Layer) (int64, error) {
+	cl := getCachedLayer(l)
+	var parent string
+	if cl.parent != nil {
+		parent = cl.parent.cacheID
+	}
+	return ls.(*layerStore).driver.DiffSize(cl.cacheID, parent)
+}
+
+// Unix as Windows graph driver does not support Changes which is indirectly
+// invoked by calling DiffSize on the driver
+func TestLayerSize(t *testing.T) {
+	ls, _, cleanup := newTestStore(t)
+	defer cleanup()
+
+	content1 := []byte("Base contents")
+	content2 := []byte("Added contents")
+
+	layer1, err := createLayer(ls, "", initWithFiles(newTestFile("file1", content1, 0644)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer2, err := createLayer(ls, layer1.ChainID(), initWithFiles(newTestFile("file2", content2, 0644)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer1DiffSize, err := graphDiffSize(ls, layer1)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if int(layer1DiffSize) != len(content1) {
+		t.Fatalf("Unexpected diff size %d, expected %d", layer1DiffSize, len(content1))
+	}
+
+	layer1Size, err := layer1.Size()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected := len(content1); int(layer1Size) != expected {
+		t.Fatalf("Unexpected size %d, expected %d", layer1Size, expected)
+	}
+
+	layer2DiffSize, err := graphDiffSize(ls, layer2)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if int(layer2DiffSize) != len(content2) {
+		t.Fatalf("Unexpected diff size %d, expected %d", layer2DiffSize, len(content2))
+	}
+
+	layer2Size, err := layer2.Size()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected := len(content1) + len(content2); int(layer2Size) != expected {
+		t.Fatalf("Unexpected size %d, expected %d", layer2Size, expected)
+	}
+
+}
diff --git a/engine/layer/layer_windows.go b/engine/layer/layer_windows.go
new file mode 100644
index 00000000..25ef26af
--- /dev/null
+++ b/engine/layer/layer_windows.go
@@ -0,0 +1,46 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"errors"
+)
+
+// Getter is an interface to get the path to a layer on the host.
+type Getter interface {
+	// GetLayerPath gets the path for the layer. This is different from Get()
+	// since that returns an interface to account for umountable layers.
+	GetLayerPath(id string) (string, error)
+}
+
+// GetLayerPath returns the path to a layer
+func GetLayerPath(s Store, layer ChainID) (string, error) {
+	ls, ok := s.(*layerStore)
+	if !ok {
+		return "", errors.New("unsupported layer store")
+	}
+	ls.layerL.Lock()
+	defer ls.layerL.Unlock()
+
+	rl, ok := ls.layerMap[layer]
+	if !ok {
+		return "", ErrLayerDoesNotExist
+	}
+
+	if layerGetter, ok := ls.driver.(Getter); ok {
+		return layerGetter.GetLayerPath(rl.cacheID)
+	}
+	path, err := ls.driver.Get(rl.cacheID, "")
+	if err != nil {
+		return "", err
+	}
+
+	if err := ls.driver.Put(rl.cacheID); err != nil {
+		return "", err
+	}
+
+	return path.Path(), nil
+}
+
+func (ls *layerStore) mountID(name string) string {
+	// windows has issues if container ID doesn't match mount ID
+	return name
+}
diff --git a/engine/layer/migration.go b/engine/layer/migration.go
new file mode 100644
index 00000000..2668ea96
--- /dev/null
+++ b/engine/layer/migration.go
@@ -0,0 +1,252 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"compress/gzip"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+	"github.com/vbatts/tar-split/tar/asm"
+	"github.com/vbatts/tar-split/tar/storage"
+)
+
+// CreateRWLayerByGraphID creates a RWLayer in the layer store using
+// the provided name with the given graphID. To get the RWLayer
+// after migration the layer may be retrieved by the given name.
+func (ls *layerStore) CreateRWLayerByGraphID(name, graphID string, parent ChainID) (err error) {
+	ls.mountL.Lock()
+	defer ls.mountL.Unlock()
+	m, ok := ls.mounts[name]
+	if ok {
+		if m.parent.chainID != parent {
+			return errors.New("name conflict, mismatched parent")
+		}
+		if m.mountID != graphID {
+			return errors.New("mount already exists")
+		}
+
+		return nil
+	}
+
+	if !ls.driver.Exists(graphID) {
+		return fmt.Errorf("graph ID does not exist: %q", graphID)
+	}
+
+	var p *roLayer
+	if string(parent) != "" {
+		p = ls.get(parent)
+		if p == nil {
+			return ErrLayerDoesNotExist
+		}
+
+		// Release parent chain if error
+		defer func() {
+			if err != nil {
+				ls.layerL.Lock()
+				ls.releaseLayer(p)
+				ls.layerL.Unlock()
+			}
+		}()
+	}
+
+	// TODO: Ensure graphID has correct parent
+
+	m = &mountedLayer{
+		name:       name,
+		parent:     p,
+		mountID:    graphID,
+		layerStore: ls,
+		references: map[RWLayer]*referencedRWLayer{},
+	}
+
+	// Check for existing init layer
+	initID := fmt.Sprintf("%s-init", graphID)
+	if ls.driver.Exists(initID) {
+		m.initID = initID
+	}
+
+	return ls.saveMount(m)
+}
+
+func (ls *layerStore) ChecksumForGraphID(id, parent, oldTarDataPath, newTarDataPath string) (diffID DiffID, size int64, err error) {
+	defer func() {
+		if err != nil {
+			logrus.Debugf("could not get checksum for %q with tar-split: %q", id, err)
+			diffID, size, err = ls.checksumForGraphIDNoTarsplit(id, parent, newTarDataPath)
+		}
+	}()
+
+	if oldTarDataPath == "" {
+		err = errors.New("no tar-split file")
+		return
+	}
+
+	tarDataFile, err := os.Open(oldTarDataPath)
+	if err != nil {
+		return
+	}
+	defer tarDataFile.Close()
+	uncompressed, err := gzip.NewReader(tarDataFile)
+	if err != nil {
+		return
+	}
+
+	dgst := digest.Canonical.Digester()
+	err = ls.assembleTarTo(id, uncompressed, &size, dgst.Hash())
+	if err != nil {
+		return
+	}
+
+	diffID = DiffID(dgst.Digest())
+	err = os.RemoveAll(newTarDataPath)
+	if err != nil {
+		return
+	}
+	err = os.Link(oldTarDataPath, newTarDataPath)
+
+	return
+}
+
+func (ls *layerStore) checksumForGraphIDNoTarsplit(id, parent, newTarDataPath string) (diffID DiffID, size int64, err error) {
+	rawarchive, err := ls.driver.Diff(id, parent)
+	if err != nil {
+		return
+	}
+	defer rawarchive.Close()
+
+	f, err := os.Create(newTarDataPath)
+	if err != nil {
+		return
+	}
+	defer f.Close()
+	mfz := gzip.NewWriter(f)
+	defer mfz.Close()
+	metaPacker := storage.NewJSONPacker(mfz)
+
+	packerCounter := &packSizeCounter{metaPacker, &size}
+
+	archive, err := asm.NewInputTarStream(rawarchive, packerCounter, nil)
+	if err != nil {
+		return
+	}
+	dgst, err := digest.FromReader(archive)
+	if err != nil {
+		return
+	}
+	diffID = DiffID(dgst)
+	return
+}
+
+func (ls *layerStore) RegisterByGraphID(graphID string, parent ChainID, diffID DiffID, tarDataFile string, size int64) (Layer, error) {
+	// err is used to hold the error which will always trigger
+	// cleanup of creates sources but may not be an error returned
+	// to the caller (already exists).
+	var err error
+	var p *roLayer
+	if string(parent) != "" {
+		p = ls.get(parent)
+		if p == nil {
+			return nil, ErrLayerDoesNotExist
+		}
+
+		// Release parent chain if error
+		defer func() {
+			if err != nil {
+				ls.layerL.Lock()
+				ls.releaseLayer(p)
+				ls.layerL.Unlock()
+			}
+		}()
+	}
+
+	// Create new roLayer
+	layer := &roLayer{
+		parent:         p,
+		cacheID:        graphID,
+		referenceCount: 1,
+		layerStore:     ls,
+		references:     map[Layer]struct{}{},
+		diffID:         diffID,
+		size:           size,
+		chainID:        createChainIDFromParent(parent, diffID),
+	}
+
+	ls.layerL.Lock()
+	defer ls.layerL.Unlock()
+
+	if existingLayer := ls.getWithoutLock(layer.chainID); existingLayer != nil {
+		// Set error for cleanup, but do not return
+		err = errors.New("layer already exists")
+		return existingLayer.getReference(), nil
+	}
+
+	tx, err := ls.store.StartTransaction()
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if err != nil {
+			logrus.Debugf("Cleaning up transaction after failed migration for %s: %v", graphID, err)
+			if err := tx.Cancel(); err != nil {
+				logrus.Errorf("Error canceling metadata transaction %q: %s", tx.String(), err)
+			}
+		}
+	}()
+
+	tsw, err := tx.TarSplitWriter(false)
+	if err != nil {
+		return nil, err
+	}
+	defer tsw.Close()
+	tdf, err := os.Open(tarDataFile)
+	if err != nil {
+		return nil, err
+	}
+	defer tdf.Close()
+	_, err = io.Copy(tsw, tdf)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = storeLayer(tx, layer); err != nil {
+		return nil, err
+	}
+
+	if err = tx.Commit(layer.chainID); err != nil {
+		return nil, err
+	}
+
+	ls.layerMap[layer.chainID] = layer
+
+	return layer.getReference(), nil
+}
+
+type unpackSizeCounter struct {
+	unpacker storage.Unpacker
+	size     *int64
+}
+
+func (u *unpackSizeCounter) Next() (*storage.Entry, error) {
+	e, err := u.unpacker.Next()
+	if err == nil && u.size != nil {
+		*u.size += e.Size
+	}
+	return e, err
+}
+
+type packSizeCounter struct {
+	packer storage.Packer
+	size   *int64
+}
+
+func (p *packSizeCounter) AddEntry(e storage.Entry) (int, error) {
+	n, err := p.packer.AddEntry(e)
+	if err == nil && p.size != nil {
+		*p.size += e.Size
+	}
+	return n, err
+}
diff --git a/engine/layer/migration_test.go b/engine/layer/migration_test.go
new file mode 100644
index 00000000..92316637
--- /dev/null
+++ b/engine/layer/migration_test.go
@@ -0,0 +1,429 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/docker/docker/daemon/graphdriver"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/vbatts/tar-split/tar/asm"
+	"github.com/vbatts/tar-split/tar/storage"
+)
+
+func writeTarSplitFile(name string, tarContent []byte) error {
+	f, err := os.OpenFile(name, os.O_TRUNC|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	fz := gzip.NewWriter(f)
+
+	metaPacker := storage.NewJSONPacker(fz)
+	defer fz.Close()
+
+	rdr, err := asm.NewInputTarStream(bytes.NewReader(tarContent), metaPacker, nil)
+	if err != nil {
+		return err
+	}
+
+	if _, err := io.Copy(ioutil.Discard, rdr); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func TestLayerMigration(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	td, err := ioutil.TempDir("", "migration-test-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(td)
+
+	layer1Files := []FileApplier{
+		newTestFile("/root/.bashrc", []byte("# Boring configuration"), 0644),
+		newTestFile("/etc/profile", []byte("# Base configuration"), 0644),
+	}
+
+	layer2Files := []FileApplier{
+		newTestFile("/root/.bashrc", []byte("# Updated configuration"), 0644),
+	}
+
+	tar1, err := tarFromFiles(layer1Files...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tar2, err := tarFromFiles(layer2Files...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	graph, err := newVFSGraphDriver(filepath.Join(td, "graphdriver-"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	graphID1 := stringid.GenerateRandomID()
+	if err := graph.Create(graphID1, "", nil); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := graph.ApplyDiff(graphID1, "", bytes.NewReader(tar1)); err != nil {
+		t.Fatal(err)
+	}
+
+	tf1 := filepath.Join(td, "tar1.json.gz")
+	if err := writeTarSplitFile(tf1, tar1); err != nil {
+		t.Fatal(err)
+	}
+
+	root := filepath.Join(td, "layers")
+	ls, err := newStoreFromGraphDriver(root, graph, runtime.GOOS)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	newTarDataPath := filepath.Join(td, ".migration-tardata")
+	diffID, size, err := ls.(*layerStore).ChecksumForGraphID(graphID1, "", tf1, newTarDataPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer1a, err := ls.(*layerStore).RegisterByGraphID(graphID1, "", diffID, newTarDataPath, size)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer1b, err := ls.Register(bytes.NewReader(tar1), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertReferences(t, layer1a, layer1b)
+	// Attempt register, should be same
+	layer2a, err := ls.Register(bytes.NewReader(tar2), layer1a.ChainID())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	graphID2 := stringid.GenerateRandomID()
+	if err := graph.Create(graphID2, graphID1, nil); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := graph.ApplyDiff(graphID2, graphID1, bytes.NewReader(tar2)); err != nil {
+		t.Fatal(err)
+	}
+
+	tf2 := filepath.Join(td, "tar2.json.gz")
+	if err := writeTarSplitFile(tf2, tar2); err != nil {
+		t.Fatal(err)
+	}
+	diffID, size, err = ls.(*layerStore).ChecksumForGraphID(graphID2, graphID1, tf2, newTarDataPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer2b, err := ls.(*layerStore).RegisterByGraphID(graphID2, layer1a.ChainID(), diffID, tf2, size)
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertReferences(t, layer2a, layer2b)
+
+	if metadata, err := ls.Release(layer2a); err != nil {
+		t.Fatal(err)
+	} else if len(metadata) > 0 {
+		t.Fatalf("Unexpected layer removal after first release: %#v", metadata)
+	}
+
+	metadata, err := ls.Release(layer2b)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertMetadata(t, metadata, createMetadata(layer2a))
+}
+
+func tarFromFilesInGraph(graph graphdriver.Driver, graphID, parentID string, files ...FileApplier) ([]byte, error) {
+	t, err := tarFromFiles(files...)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := graph.Create(graphID, parentID, nil); err != nil {
+		return nil, err
+	}
+	if _, err := graph.ApplyDiff(graphID, parentID, bytes.NewReader(t)); err != nil {
+		return nil, err
+	}
+
+	ar, err := graph.Diff(graphID, parentID)
+	if err != nil {
+		return nil, err
+	}
+	defer ar.Close()
+
+	return ioutil.ReadAll(ar)
+}
+
+func TestLayerMigrationNoTarsplit(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	td, err := ioutil.TempDir("", "migration-test-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(td)
+
+	layer1Files := []FileApplier{
+		newTestFile("/root/.bashrc", []byte("# Boring configuration"), 0644),
+		newTestFile("/etc/profile", []byte("# Base configuration"), 0644),
+	}
+
+	layer2Files := []FileApplier{
+		newTestFile("/root/.bashrc", []byte("# Updated configuration"), 0644),
+	}
+
+	graph, err := newVFSGraphDriver(filepath.Join(td, "graphdriver-"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	graphID1 := stringid.GenerateRandomID()
+	graphID2 := stringid.GenerateRandomID()
+
+	tar1, err := tarFromFilesInGraph(graph, graphID1, "", layer1Files...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tar2, err := tarFromFilesInGraph(graph, graphID2, graphID1, layer2Files...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	root := filepath.Join(td, "layers")
+	ls, err := newStoreFromGraphDriver(root, graph, runtime.GOOS)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	newTarDataPath := filepath.Join(td, ".migration-tardata")
+	diffID, size, err := ls.(*layerStore).ChecksumForGraphID(graphID1, "", "", newTarDataPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer1a, err := ls.(*layerStore).RegisterByGraphID(graphID1, "", diffID, newTarDataPath, size)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer1b, err := ls.Register(bytes.NewReader(tar1), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertReferences(t, layer1a, layer1b)
+
+	// Attempt register, should be same
+	layer2a, err := ls.Register(bytes.NewReader(tar2), layer1a.ChainID())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	diffID, size, err = ls.(*layerStore).ChecksumForGraphID(graphID2, graphID1, "", newTarDataPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	layer2b, err := ls.(*layerStore).RegisterByGraphID(graphID2, layer1a.ChainID(), diffID, newTarDataPath, size)
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertReferences(t, layer2a, layer2b)
+
+	if metadata, err := ls.Release(layer2a); err != nil {
+		t.Fatal(err)
+	} else if len(metadata) > 0 {
+		t.Fatalf("Unexpected layer removal after first release: %#v", metadata)
+	}
+
+	metadata, err := ls.Release(layer2b)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertMetadata(t, metadata, createMetadata(layer2a))
+}
+
+func TestMountMigration(t *testing.T) {
+	// TODO Windows: Figure out why this is failing (obvious - paths... needs porting)
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	ls, _, cleanup := newTestStore(t)
+	defer cleanup()
+
+	baseFiles := []FileApplier{
+		newTestFile("/root/.bashrc", []byte("# Boring configuration"), 0644),
+		newTestFile("/etc/profile", []byte("# Base configuration"), 0644),
+	}
+	initFiles := []FileApplier{
+		newTestFile("/etc/hosts", []byte{}, 0644),
+		newTestFile("/etc/resolv.conf", []byte{}, 0644),
+	}
+	mountFiles := []FileApplier{
+		newTestFile("/etc/hosts", []byte("localhost 127.0.0.1"), 0644),
+		newTestFile("/root/.bashrc", []byte("# Updated configuration"), 0644),
+		newTestFile("/root/testfile1.txt", []byte("nothing valuable"), 0644),
+	}
+
+	initTar, err := tarFromFiles(initFiles...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mountTar, err := tarFromFiles(mountFiles...)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	graph := ls.(*layerStore).driver
+
+	layer1, err := createLayer(ls, "", initWithFiles(baseFiles...))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	graphID1 := layer1.(*referencedCacheLayer).cacheID
+
+	containerID := stringid.GenerateRandomID()
+	containerInit := fmt.Sprintf("%s-init", containerID)
+
+	if err := graph.Create(containerInit, graphID1, nil); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := graph.ApplyDiff(containerInit, graphID1, bytes.NewReader(initTar)); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := graph.Create(containerID, containerInit, nil); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := graph.ApplyDiff(containerID, containerInit, bytes.NewReader(mountTar)); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := ls.(*layerStore).CreateRWLayerByGraphID("migration-mount", containerID, layer1.ChainID()); err != nil {
+		t.Fatal(err)
+	}
+
+	rwLayer1, err := ls.GetRWLayer("migration-mount")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := rwLayer1.Mount(""); err != nil {
+		t.Fatal(err)
+	}
+
+	changes, err := rwLayer1.Changes()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected := 5; len(changes) != expected {
+		t.Logf("Changes %#v", changes)
+		t.Fatalf("Wrong number of changes %d, expected %d", len(changes), expected)
+	}
+
+	sortChanges(changes)
+
+	assertChange(t, changes[0], archive.Change{
+		Path: "/etc",
+		Kind: archive.ChangeModify,
+	})
+	assertChange(t, changes[1], archive.Change{
+		Path: "/etc/hosts",
+		Kind: archive.ChangeModify,
+	})
+	assertChange(t, changes[2], archive.Change{
+		Path: "/root",
+		Kind: archive.ChangeModify,
+	})
+	assertChange(t, changes[3], archive.Change{
+		Path: "/root/.bashrc",
+		Kind: archive.ChangeModify,
+	})
+	assertChange(t, changes[4], archive.Change{
+		Path: "/root/testfile1.txt",
+		Kind: archive.ChangeAdd,
+	})
+
+	if _, err := ls.CreateRWLayer("migration-mount", layer1.ChainID(), nil); err == nil {
+		t.Fatal("Expected error creating mount with same name")
+	} else if err != ErrMountNameConflict {
+		t.Fatal(err)
+	}
+
+	rwLayer2, err := ls.GetRWLayer("migration-mount")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if getMountLayer(rwLayer1) != getMountLayer(rwLayer2) {
+		t.Fatal("Expected same layer from get with same name as from migrate")
+	}
+
+	if _, err := rwLayer2.Mount(""); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := rwLayer2.Mount(""); err != nil {
+		t.Fatal(err)
+	}
+
+	if metadata, err := ls.Release(layer1); err != nil {
+		t.Fatal(err)
+	} else if len(metadata) > 0 {
+		t.Fatalf("Expected no layers to be deleted, deleted %#v", metadata)
+	}
+
+	if err := rwLayer1.Unmount(); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := ls.ReleaseRWLayer(rwLayer1); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := rwLayer2.Unmount(); err != nil {
+		t.Fatal(err)
+	}
+	if err := rwLayer2.Unmount(); err != nil {
+		t.Fatal(err)
+	}
+	metadata, err := ls.ReleaseRWLayer(rwLayer2)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(metadata) == 0 {
+		t.Fatal("Expected base layer to be deleted when deleting mount")
+	}
+
+	assertMetadata(t, metadata, createMetadata(layer1))
+}
diff --git a/engine/layer/mount_test.go b/engine/layer/mount_test.go
new file mode 100644
index 00000000..1cfc370e
--- /dev/null
+++ b/engine/layer/mount_test.go
@@ -0,0 +1,239 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"io/ioutil"
+	"runtime"
+	"sort"
+	"testing"
+
+	"github.com/containerd/continuity/driver"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+)
+
+func TestMountInit(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	ls, _, cleanup := newTestStore(t)
+	defer cleanup()
+
+	basefile := newTestFile("testfile.txt", []byte("base data!"), 0644)
+	initfile := newTestFile("testfile.txt", []byte("init data!"), 0777)
+
+	li := initWithFiles(basefile)
+	layer, err := createLayer(ls, "", li)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mountInit := func(root containerfs.ContainerFS) error {
+		return initfile.ApplyFile(root)
+	}
+
+	rwLayerOpts := &CreateRWLayerOpts{
+		InitFunc: mountInit,
+	}
+	m, err := ls.CreateRWLayer("fun-mount", layer.ChainID(), rwLayerOpts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pathFS, err := m.Mount("")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	fi, err := pathFS.Stat(pathFS.Join(pathFS.Path(), "testfile.txt"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	f, err := pathFS.Open(pathFS.Join(pathFS.Path(), "testfile.txt"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+
+	b, err := ioutil.ReadAll(f)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected := "init data!"; string(b) != expected {
+		t.Fatalf("Unexpected test file contents %q, expected %q", string(b), expected)
+	}
+
+	if fi.Mode().Perm() != 0777 {
+		t.Fatalf("Unexpected filemode %o, expecting %o", fi.Mode().Perm(), 0777)
+	}
+}
+
+func TestMountSize(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	ls, _, cleanup := newTestStore(t)
+	defer cleanup()
+
+	content1 := []byte("Base contents")
+	content2 := []byte("Mutable contents")
+	contentInit := []byte("why am I excluded from the size ☹")
+
+	li := initWithFiles(newTestFile("file1", content1, 0644))
+	layer, err := createLayer(ls, "", li)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mountInit := func(root containerfs.ContainerFS) error {
+		return newTestFile("file-init", contentInit, 0777).ApplyFile(root)
+	}
+	rwLayerOpts := &CreateRWLayerOpts{
+		InitFunc: mountInit,
+	}
+
+	m, err := ls.CreateRWLayer("mount-size", layer.ChainID(), rwLayerOpts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pathFS, err := m.Mount("")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := driver.WriteFile(pathFS, pathFS.Join(pathFS.Path(), "file2"), content2, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	mountSize, err := m.Size()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected := len(content2); int(mountSize) != expected {
+		t.Fatalf("Unexpected mount size %d, expected %d", int(mountSize), expected)
+	}
+}
+
+func TestMountChanges(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	ls, _, cleanup := newTestStore(t)
+	defer cleanup()
+
+	basefiles := []FileApplier{
+		newTestFile("testfile1.txt", []byte("base data!"), 0644),
+		newTestFile("testfile2.txt", []byte("base data!"), 0644),
+		newTestFile("testfile3.txt", []byte("base data!"), 0644),
+	}
+	initfile := newTestFile("testfile1.txt", []byte("init data!"), 0777)
+
+	li := initWithFiles(basefiles...)
+	layer, err := createLayer(ls, "", li)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mountInit := func(root containerfs.ContainerFS) error {
+		return initfile.ApplyFile(root)
+	}
+	rwLayerOpts := &CreateRWLayerOpts{
+		InitFunc: mountInit,
+	}
+
+	m, err := ls.CreateRWLayer("mount-changes", layer.ChainID(), rwLayerOpts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pathFS, err := m.Mount("")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := pathFS.Lchmod(pathFS.Join(pathFS.Path(), "testfile1.txt"), 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := driver.WriteFile(pathFS, pathFS.Join(pathFS.Path(), "testfile1.txt"), []byte("mount data!"), 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := pathFS.Remove(pathFS.Join(pathFS.Path(), "testfile2.txt")); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := pathFS.Lchmod(pathFS.Join(pathFS.Path(), "testfile3.txt"), 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := driver.WriteFile(pathFS, pathFS.Join(pathFS.Path(), "testfile4.txt"), []byte("mount data!"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	changes, err := m.Changes()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected := 4; len(changes) != expected {
+		t.Fatalf("Wrong number of changes %d, expected %d", len(changes), expected)
+	}
+
+	sortChanges(changes)
+
+	assertChange(t, changes[0], archive.Change{
+		Path: "/testfile1.txt",
+		Kind: archive.ChangeModify,
+	})
+	assertChange(t, changes[1], archive.Change{
+		Path: "/testfile2.txt",
+		Kind: archive.ChangeDelete,
+	})
+	assertChange(t, changes[2], archive.Change{
+		Path: "/testfile3.txt",
+		Kind: archive.ChangeModify,
+	})
+	assertChange(t, changes[3], archive.Change{
+		Path: "/testfile4.txt",
+		Kind: archive.ChangeAdd,
+	})
+}
+
+func assertChange(t *testing.T, actual, expected archive.Change) {
+	if actual.Path != expected.Path {
+		t.Fatalf("Unexpected change path %s, expected %s", actual.Path, expected.Path)
+	}
+	if actual.Kind != expected.Kind {
+		t.Fatalf("Unexpected change type %s, expected %s", actual.Kind, expected.Kind)
+	}
+}
+
+func sortChanges(changes []archive.Change) {
+	cs := &changeSorter{
+		changes: changes,
+	}
+	sort.Sort(cs)
+}
+
+type changeSorter struct {
+	changes []archive.Change
+}
+
+func (cs *changeSorter) Len() int {
+	return len(cs.changes)
+}
+
+func (cs *changeSorter) Swap(i, j int) {
+	cs.changes[i], cs.changes[j] = cs.changes[j], cs.changes[i]
+}
+
+func (cs *changeSorter) Less(i, j int) bool {
+	return cs.changes[i].Path < cs.changes[j].Path
+}
diff --git a/engine/layer/mounted_layer.go b/engine/layer/mounted_layer.go
new file mode 100644
index 00000000..d6858c66
--- /dev/null
+++ b/engine/layer/mounted_layer.go
@@ -0,0 +1,100 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"io"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/containerfs"
+)
+
+type mountedLayer struct {
+	name       string
+	mountID    string
+	initID     string
+	parent     *roLayer
+	path       string
+	layerStore *layerStore
+
+	references map[RWLayer]*referencedRWLayer
+}
+
+func (ml *mountedLayer) cacheParent() string {
+	if ml.initID != "" {
+		return ml.initID
+	}
+	if ml.parent != nil {
+		return ml.parent.cacheID
+	}
+	return ""
+}
+
+func (ml *mountedLayer) TarStream() (io.ReadCloser, error) {
+	return ml.layerStore.driver.Diff(ml.mountID, ml.cacheParent())
+}
+
+func (ml *mountedLayer) Name() string {
+	return ml.name
+}
+
+func (ml *mountedLayer) Parent() Layer {
+	if ml.parent != nil {
+		return ml.parent
+	}
+
+	// Return a nil interface instead of an interface wrapping a nil
+	// pointer.
+	return nil
+}
+
+func (ml *mountedLayer) Size() (int64, error) {
+	return ml.layerStore.driver.DiffSize(ml.mountID, ml.cacheParent())
+}
+
+func (ml *mountedLayer) Changes() ([]archive.Change, error) {
+	return ml.layerStore.driver.Changes(ml.mountID, ml.cacheParent())
+}
+
+func (ml *mountedLayer) Metadata() (map[string]string, error) {
+	return ml.layerStore.driver.GetMetadata(ml.mountID)
+}
+
+func (ml *mountedLayer) getReference() RWLayer {
+	ref := &referencedRWLayer{
+		mountedLayer: ml,
+	}
+	ml.references[ref] = ref
+
+	return ref
+}
+
+func (ml *mountedLayer) hasReferences() bool {
+	return len(ml.references) > 0
+}
+
+func (ml *mountedLayer) deleteReference(ref RWLayer) error {
+	if _, ok := ml.references[ref]; !ok {
+		return ErrLayerNotRetained
+	}
+	delete(ml.references, ref)
+	return nil
+}
+
+func (ml *mountedLayer) retakeReference(r RWLayer) {
+	if ref, ok := r.(*referencedRWLayer); ok {
+		ml.references[ref] = ref
+	}
+}
+
+type referencedRWLayer struct {
+	*mountedLayer
+}
+
+func (rl *referencedRWLayer) Mount(mountLabel string) (containerfs.ContainerFS, error) {
+	return rl.layerStore.driver.Get(rl.mountedLayer.mountID, mountLabel)
+}
+
+// Unmount decrements the activity count and unmounts the underlying layer
+// Callers should only call `Unmount` once per call to `Mount`, even on error.
+func (rl *referencedRWLayer) Unmount() error {
+	return rl.layerStore.driver.Put(rl.mountedLayer.mountID)
+}
diff --git a/engine/layer/ro_layer.go b/engine/layer/ro_layer.go
new file mode 100644
index 00000000..3555e8b0
--- /dev/null
+++ b/engine/layer/ro_layer.go
@@ -0,0 +1,182 @@
+package layer // import "github.com/docker/docker/layer"
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/docker/distribution"
+	"github.com/opencontainers/go-digest"
+)
+
+type roLayer struct {
+	chainID    ChainID
+	diffID     DiffID
+	parent     *roLayer
+	cacheID    string
+	size       int64
+	layerStore *layerStore
+	descriptor distribution.Descriptor
+
+	referenceCount int
+	references     map[Layer]struct{}
+}
+
+// TarStream for roLayer guarantees that the data that is produced is the exact
+// data that the layer was registered with.
+func (rl *roLayer) TarStream() (io.ReadCloser, error) {
+	rc, err := rl.layerStore.getTarStream(rl)
+	if err != nil {
+		return nil, err
+	}
+
+	vrc, err := newVerifiedReadCloser(rc, digest.Digest(rl.diffID))
+	if err != nil {
+		return nil, err
+	}
+	return vrc, nil
+}
+
+// TarStreamFrom does not make any guarantees to the correctness of the produced
+// data. As such it should not be used when the layer content must be verified
+// to be an exact match to the registered layer.
+func (rl *roLayer) TarStreamFrom(parent ChainID) (io.ReadCloser, error) {
+	var parentCacheID string
+	for pl := rl.parent; pl != nil; pl = pl.parent {
+		if pl.chainID == parent {
+			parentCacheID = pl.cacheID
+			break
+		}
+	}
+
+	if parent != ChainID("") && parentCacheID == "" {
+		return nil, fmt.Errorf("layer ID '%s' is not a parent of the specified layer: cannot provide diff to non-parent", parent)
+	}
+	return rl.layerStore.driver.Diff(rl.cacheID, parentCacheID)
+}
+
+func (rl *roLayer) CacheID() string {
+	return rl.cacheID
+}
+
+func (rl *roLayer) ChainID() ChainID {
+	return rl.chainID
+}
+
+func (rl *roLayer) DiffID() DiffID {
+	return rl.diffID
+}
+
+func (rl *roLayer) Parent() Layer {
+	if rl.parent == nil {
+		return nil
+	}
+	return rl.parent
+}
+
+func (rl *roLayer) Size() (size int64, err error) {
+	if rl.parent != nil {
+		size, err = rl.parent.Size()
+		if err != nil {
+			return
+		}
+	}
+
+	return size + rl.size, nil
+}
+
+func (rl *roLayer) DiffSize() (size int64, err error) {
+	return rl.size, nil
+}
+
+func (rl *roLayer) Metadata() (map[string]string, error) {
+	return rl.layerStore.driver.GetMetadata(rl.cacheID)
+}
+
+type referencedCacheLayer struct {
+	*roLayer
+}
+
+func (rl *roLayer) getReference() Layer {
+	ref := &referencedCacheLayer{
+		roLayer: rl,
+	}
+	rl.references[ref] = struct{}{}
+
+	return ref
+}
+
+func (rl *roLayer) hasReference(ref Layer) bool {
+	_, ok := rl.references[ref]
+	return ok
+}
+
+func (rl *roLayer) hasReferences() bool {
+	return len(rl.references) > 0
+}
+
+func (rl *roLayer) deleteReference(ref Layer) {
+	delete(rl.references, ref)
+}
+
+func (rl *roLayer) depth() int {
+	if rl.parent == nil {
+		return 1
+	}
+	return rl.parent.depth() + 1
+}
+
+func storeLayer(tx *fileMetadataTransaction, layer *roLayer) error {
+	if err := tx.SetDiffID(layer.diffID); err != nil {
+		return err
+	}
+	if err := tx.SetSize(layer.size); err != nil {
+		return err
+	}
+	if err := tx.SetCacheID(layer.cacheID); err != nil {
+		return err
+	}
+	// Do not store empty descriptors
+	if layer.descriptor.Digest != "" {
+		if err := tx.SetDescriptor(layer.descriptor); err != nil {
+			return err
+		}
+	}
+	if layer.parent != nil {
+		if err := tx.SetParent(layer.parent.chainID); err != nil {
+			return err
+		}
+	}
+	return tx.setOS(layer.layerStore.os)
+}
+
+func newVerifiedReadCloser(rc io.ReadCloser, dgst digest.Digest) (io.ReadCloser, error) {
+	return &verifiedReadCloser{
+		rc:       rc,
+		dgst:     dgst,
+		verifier: dgst.Verifier(),
+	}, nil
+}
+
+type verifiedReadCloser struct {
+	rc       io.ReadCloser
+	dgst     digest.Digest
+	verifier digest.Verifier
+}
+
+func (vrc *verifiedReadCloser) Read(p []byte) (n int, err error) {
+	n, err = vrc.rc.Read(p)
+	if n > 0 {
+		if n, err := vrc.verifier.Write(p[:n]); err != nil {
+			return n, err
+		}
+	}
+	if err == io.EOF {
+		if !vrc.verifier.Verified() {
+			err = fmt.Errorf("could not verify layer data for: %s. This may be because internal files in the layer store were modified. Re-pulling or rebuilding this image may resolve the issue", vrc.dgst)
+		}
+	}
+	return
+}
+func (vrc *verifiedReadCloser) Close() error {
+	return vrc.rc.Close()
+}
diff --git a/engine/layer/ro_layer_windows.go b/engine/layer/ro_layer_windows.go
new file mode 100644
index 00000000..a4f0c808
--- /dev/null
+++ b/engine/layer/ro_layer_windows.go
@@ -0,0 +1,9 @@
+package layer // import "github.com/docker/docker/layer"
+
+import "github.com/docker/distribution"
+
+var _ distribution.Describable = &roLayer{}
+
+func (rl *roLayer) Descriptor() distribution.Descriptor {
+	return rl.descriptor
+}
diff --git a/engine/libcontainerd/client_daemon.go b/engine/libcontainerd/client_daemon.go
new file mode 100644
index 00000000..0706fa4d
--- /dev/null
+++ b/engine/libcontainerd/client_daemon.go
@@ -0,0 +1,894 @@
+// +build !windows
+
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"reflect"
+	"runtime"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/containerd/containerd"
+	apievents "github.com/containerd/containerd/api/events"
+	"github.com/containerd/containerd/api/types"
+	"github.com/containerd/containerd/archive"
+	"github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/content"
+	containerderrors "github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/events"
+	"github.com/containerd/containerd/images"
+	"github.com/containerd/containerd/runtime/linux/runctypes"
+	"github.com/containerd/typeurl"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/opencontainers/image-spec/specs-go/v1"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// InitProcessName is the name given to the first process of a
+// container
+const InitProcessName = "init"
+
+type container struct {
+	mu sync.Mutex
+
+	bundleDir string
+	ctr       containerd.Container
+	task      containerd.Task
+	execs     map[string]containerd.Process
+	oomKilled bool
+}
+
+func (c *container) setTask(t containerd.Task) {
+	c.mu.Lock()
+	c.task = t
+	c.mu.Unlock()
+}
+
+func (c *container) getTask() containerd.Task {
+	c.mu.Lock()
+	t := c.task
+	c.mu.Unlock()
+	return t
+}
+
+func (c *container) addProcess(id string, p containerd.Process) {
+	c.mu.Lock()
+	if c.execs == nil {
+		c.execs = make(map[string]containerd.Process)
+	}
+	c.execs[id] = p
+	c.mu.Unlock()
+}
+
+func (c *container) deleteProcess(id string) {
+	c.mu.Lock()
+	delete(c.execs, id)
+	c.mu.Unlock()
+}
+
+func (c *container) getProcess(id string) containerd.Process {
+	c.mu.Lock()
+	p := c.execs[id]
+	c.mu.Unlock()
+	return p
+}
+
+func (c *container) setOOMKilled(killed bool) {
+	c.mu.Lock()
+	c.oomKilled = killed
+	c.mu.Unlock()
+}
+
+func (c *container) getOOMKilled() bool {
+	c.mu.Lock()
+	killed := c.oomKilled
+	c.mu.Unlock()
+	return killed
+}
+
+type client struct {
+	sync.RWMutex // protects containers map
+
+	remote   *containerd.Client
+	stateDir string
+	logger   *logrus.Entry
+
+	namespace  string
+	backend    Backend
+	eventQ     queue
+	containers map[string]*container
+}
+
+func (c *client) reconnect() error {
+	c.Lock()
+	err := c.remote.Reconnect()
+	c.Unlock()
+	return err
+}
+
+func (c *client) setRemote(remote *containerd.Client) {
+	c.Lock()
+	c.remote = remote
+	c.Unlock()
+}
+
+func (c *client) getRemote() *containerd.Client {
+	c.RLock()
+	remote := c.remote
+	c.RUnlock()
+	return remote
+}
+
+func (c *client) Version(ctx context.Context) (containerd.Version, error) {
+	return c.getRemote().Version(ctx)
+}
+
+// Restore loads the containerd container.
+// It should not be called concurrently with any other operation for the given ID.
+func (c *client) Restore(ctx context.Context, id string, attachStdio StdioCallback) (alive bool, pid int, err error) {
+	c.Lock()
+	_, ok := c.containers[id]
+	if ok {
+		c.Unlock()
+		return false, 0, errors.WithStack(newConflictError("id already in use"))
+	}
+
+	cntr := &container{}
+	c.containers[id] = cntr
+	cntr.mu.Lock()
+	defer cntr.mu.Unlock()
+
+	c.Unlock()
+
+	defer func() {
+		if err != nil {
+			c.Lock()
+			delete(c.containers, id)
+			c.Unlock()
+		}
+	}()
+
+	var dio *cio.DirectIO
+	defer func() {
+		if err != nil && dio != nil {
+			dio.Cancel()
+			dio.Close()
+		}
+		err = wrapError(err)
+	}()
+
+	ctr, err := c.getRemote().LoadContainer(ctx, id)
+	if err != nil {
+		return false, -1, errors.WithStack(wrapError(err))
+	}
+
+	attachIO := func(fifos *cio.FIFOSet) (cio.IO, error) {
+		// dio must be assigned to the previously defined dio for the defer above
+		// to handle cleanup
+		dio, err = cio.NewDirectIO(ctx, fifos)
+		if err != nil {
+			return nil, err
+		}
+		return attachStdio(dio)
+	}
+	t, err := ctr.Task(ctx, attachIO)
+	if err != nil && !containerderrors.IsNotFound(err) {
+		return false, -1, errors.Wrap(wrapError(err), "error getting containerd task for container")
+	}
+
+	if t != nil {
+		s, err := t.Status(ctx)
+		if err != nil {
+			return false, -1, errors.Wrap(wrapError(err), "error getting task status")
+		}
+
+		alive = s.Status != containerd.Stopped
+		pid = int(t.Pid())
+	}
+
+	cntr.bundleDir = filepath.Join(c.stateDir, id)
+	cntr.ctr = ctr
+	cntr.task = t
+	// TODO(mlaventure): load execs
+
+	c.logger.WithFields(logrus.Fields{
+		"container": id,
+		"alive":     alive,
+		"pid":       pid,
+	}).Debug("restored container")
+
+	return alive, pid, nil
+}
+
+func (c *client) Create(ctx context.Context, id string, ociSpec *specs.Spec, runtimeOptions interface{}) error {
+	if ctr := c.getContainer(id); ctr != nil {
+		return errors.WithStack(newConflictError("id already in use"))
+	}
+
+	bdir, err := prepareBundleDir(filepath.Join(c.stateDir, id), ociSpec)
+	if err != nil {
+		return errdefs.System(errors.Wrap(err, "prepare bundle dir failed"))
+	}
+
+	c.logger.WithField("bundle", bdir).WithField("root", ociSpec.Root.Path).Debug("bundle dir created")
+
+	cdCtr, err := c.getRemote().NewContainer(ctx, id,
+		containerd.WithSpec(ociSpec),
+		// TODO(mlaventure): when containerd support lcow, revisit runtime value
+		containerd.WithRuntime(fmt.Sprintf("io.containerd.runtime.v1.%s", runtime.GOOS), runtimeOptions))
+	if err != nil {
+		return wrapError(err)
+	}
+
+	c.Lock()
+	c.containers[id] = &container{
+		bundleDir: bdir,
+		ctr:       cdCtr,
+	}
+	c.Unlock()
+
+	return nil
+}
+
+// Start create and start a task for the specified containerd id
+func (c *client) Start(ctx context.Context, id, checkpointDir string, withStdin bool, attachStdio StdioCallback) (int, error) {
+	ctr := c.getContainer(id)
+	if ctr == nil {
+		return -1, errors.WithStack(newNotFoundError("no such container"))
+	}
+	if t := ctr.getTask(); t != nil {
+		return -1, errors.WithStack(newConflictError("container already started"))
+	}
+
+	var (
+		cp             *types.Descriptor
+		t              containerd.Task
+		rio            cio.IO
+		err            error
+		stdinCloseSync = make(chan struct{})
+	)
+
+	if checkpointDir != "" {
+		// write checkpoint to the content store
+		tar := archive.Diff(ctx, "", checkpointDir)
+		cp, err = c.writeContent(ctx, images.MediaTypeContainerd1Checkpoint, checkpointDir, tar)
+		// remove the checkpoint when we're done
+		defer func() {
+			if cp != nil {
+				err := c.getRemote().ContentStore().Delete(context.Background(), cp.Digest)
+				if err != nil {
+					c.logger.WithError(err).WithFields(logrus.Fields{
+						"ref":    checkpointDir,
+						"digest": cp.Digest,
+					}).Warnf("failed to delete temporary checkpoint entry")
+				}
+			}
+		}()
+		if err := tar.Close(); err != nil {
+			return -1, errors.Wrap(err, "failed to close checkpoint tar stream")
+		}
+		if err != nil {
+			return -1, errors.Wrapf(err, "failed to upload checkpoint to containerd")
+		}
+	}
+
+	spec, err := ctr.ctr.Spec(ctx)
+	if err != nil {
+		return -1, errors.Wrap(err, "failed to retrieve spec")
+	}
+	uid, gid := getSpecUser(spec)
+	t, err = ctr.ctr.NewTask(ctx,
+		func(id string) (cio.IO, error) {
+			fifos := newFIFOSet(ctr.bundleDir, InitProcessName, withStdin, spec.Process.Terminal)
+
+			rio, err = c.createIO(fifos, id, InitProcessName, stdinCloseSync, attachStdio)
+			return rio, err
+		},
+		func(_ context.Context, _ *containerd.Client, info *containerd.TaskInfo) error {
+			info.Checkpoint = cp
+			info.Options = &runctypes.CreateOptions{
+				IoUid:       uint32(uid),
+				IoGid:       uint32(gid),
+				NoPivotRoot: os.Getenv("DOCKER_RAMDISK") != "",
+			}
+			return nil
+		})
+	if err != nil {
+		close(stdinCloseSync)
+		if rio != nil {
+			rio.Cancel()
+			rio.Close()
+		}
+		return -1, wrapError(err)
+	}
+
+	ctr.setTask(t)
+
+	// Signal c.createIO that it can call CloseIO
+	close(stdinCloseSync)
+
+	if err := t.Start(ctx); err != nil {
+		if _, err := t.Delete(ctx); err != nil {
+			c.logger.WithError(err).WithField("container", id).
+				Error("failed to delete task after fail start")
+		}
+		ctr.setTask(nil)
+		return -1, wrapError(err)
+	}
+
+	return int(t.Pid()), nil
+}
+
+func (c *client) Exec(ctx context.Context, containerID, processID string, spec *specs.Process, withStdin bool, attachStdio StdioCallback) (int, error) {
+	ctr := c.getContainer(containerID)
+	if ctr == nil {
+		return -1, errors.WithStack(newNotFoundError("no such container"))
+	}
+	t := ctr.getTask()
+	if t == nil {
+		return -1, errors.WithStack(newInvalidParameterError("container is not running"))
+	}
+
+	if p := ctr.getProcess(processID); p != nil {
+		return -1, errors.WithStack(newConflictError("id already in use"))
+	}
+
+	var (
+		p              containerd.Process
+		rio            cio.IO
+		err            error
+		stdinCloseSync = make(chan struct{})
+	)
+
+	fifos := newFIFOSet(ctr.bundleDir, processID, withStdin, spec.Terminal)
+
+	defer func() {
+		if err != nil {
+			if rio != nil {
+				rio.Cancel()
+				rio.Close()
+			}
+		}
+	}()
+
+	p, err = t.Exec(ctx, processID, spec, func(id string) (cio.IO, error) {
+		rio, err = c.createIO(fifos, containerID, processID, stdinCloseSync, attachStdio)
+		return rio, err
+	})
+	if err != nil {
+		close(stdinCloseSync)
+		return -1, wrapError(err)
+	}
+
+	ctr.addProcess(processID, p)
+
+	// Signal c.createIO that it can call CloseIO
+	close(stdinCloseSync)
+
+	if err = p.Start(ctx); err != nil {
+		p.Delete(context.Background())
+		ctr.deleteProcess(processID)
+		return -1, wrapError(err)
+	}
+
+	return int(p.Pid()), nil
+}
+
+func (c *client) SignalProcess(ctx context.Context, containerID, processID string, signal int) error {
+	p, err := c.getProcess(containerID, processID)
+	if err != nil {
+		return err
+	}
+	return wrapError(p.Kill(ctx, syscall.Signal(signal)))
+}
+
+func (c *client) ResizeTerminal(ctx context.Context, containerID, processID string, width, height int) error {
+	p, err := c.getProcess(containerID, processID)
+	if err != nil {
+		return err
+	}
+
+	return p.Resize(ctx, uint32(width), uint32(height))
+}
+
+func (c *client) CloseStdin(ctx context.Context, containerID, processID string) error {
+	p, err := c.getProcess(containerID, processID)
+	if err != nil {
+		return err
+	}
+
+	return p.CloseIO(ctx, containerd.WithStdinCloser)
+}
+
+func (c *client) Pause(ctx context.Context, containerID string) error {
+	p, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return err
+	}
+
+	return wrapError(p.(containerd.Task).Pause(ctx))
+}
+
+func (c *client) Resume(ctx context.Context, containerID string) error {
+	p, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return err
+	}
+
+	return p.(containerd.Task).Resume(ctx)
+}
+
+func (c *client) Stats(ctx context.Context, containerID string) (*Stats, error) {
+	p, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return nil, err
+	}
+
+	m, err := p.(containerd.Task).Metrics(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	v, err := typeurl.UnmarshalAny(m.Data)
+	if err != nil {
+		return nil, err
+	}
+	return interfaceToStats(m.Timestamp, v), nil
+}
+
+func (c *client) ListPids(ctx context.Context, containerID string) ([]uint32, error) {
+	p, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return nil, err
+	}
+
+	pis, err := p.(containerd.Task).Pids(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	var pids []uint32
+	for _, i := range pis {
+		pids = append(pids, i.Pid)
+	}
+
+	return pids, nil
+}
+
+func (c *client) Summary(ctx context.Context, containerID string) ([]Summary, error) {
+	p, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return nil, err
+	}
+
+	pis, err := p.(containerd.Task).Pids(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	var infos []Summary
+	for _, pi := range pis {
+		i, err := typeurl.UnmarshalAny(pi.Info)
+		if err != nil {
+			return nil, errors.Wrap(err, "unable to decode process details")
+		}
+		s, err := summaryFromInterface(i)
+		if err != nil {
+			return nil, err
+		}
+		infos = append(infos, *s)
+	}
+
+	return infos, nil
+}
+
+func (c *client) DeleteTask(ctx context.Context, containerID string) (uint32, time.Time, error) {
+	p, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return 255, time.Now(), nil
+	}
+
+	status, err := p.(containerd.Task).Delete(ctx)
+	if err != nil {
+		return 255, time.Now(), nil
+	}
+
+	if ctr := c.getContainer(containerID); ctr != nil {
+		ctr.setTask(nil)
+	}
+	return status.ExitCode(), status.ExitTime(), nil
+}
+
+func (c *client) Delete(ctx context.Context, containerID string) error {
+	ctr := c.getContainer(containerID)
+	if ctr == nil {
+		return errors.WithStack(newNotFoundError("no such container"))
+	}
+
+	if err := ctr.ctr.Delete(ctx); err != nil {
+		return wrapError(err)
+	}
+
+	if os.Getenv("LIBCONTAINERD_NOCLEAN") != "1" {
+		if err := os.RemoveAll(ctr.bundleDir); err != nil {
+			c.logger.WithError(err).WithFields(logrus.Fields{
+				"container": containerID,
+				"bundle":    ctr.bundleDir,
+			}).Error("failed to remove state dir")
+		}
+	}
+
+	c.removeContainer(containerID)
+
+	return nil
+}
+
+func (c *client) Status(ctx context.Context, containerID string) (Status, error) {
+	ctr := c.getContainer(containerID)
+	if ctr == nil {
+		return StatusUnknown, errors.WithStack(newNotFoundError("no such container"))
+	}
+
+	t := ctr.getTask()
+	if t == nil {
+		return StatusUnknown, errors.WithStack(newNotFoundError("no such task"))
+	}
+
+	s, err := t.Status(ctx)
+	if err != nil {
+		return StatusUnknown, wrapError(err)
+	}
+
+	return Status(s.Status), nil
+}
+
+func (c *client) CreateCheckpoint(ctx context.Context, containerID, checkpointDir string, exit bool) error {
+	p, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return err
+	}
+
+	img, err := p.(containerd.Task).Checkpoint(ctx)
+	if err != nil {
+		return wrapError(err)
+	}
+	// Whatever happens, delete the checkpoint from containerd
+	defer func() {
+		err := c.getRemote().ImageService().Delete(context.Background(), img.Name())
+		if err != nil {
+			c.logger.WithError(err).WithField("digest", img.Target().Digest).
+				Warnf("failed to delete checkpoint image")
+		}
+	}()
+
+	b, err := content.ReadBlob(ctx, c.getRemote().ContentStore(), img.Target())
+	if err != nil {
+		return errdefs.System(errors.Wrapf(err, "failed to retrieve checkpoint data"))
+	}
+	var index v1.Index
+	if err := json.Unmarshal(b, &index); err != nil {
+		return errdefs.System(errors.Wrapf(err, "failed to decode checkpoint data"))
+	}
+
+	var cpDesc *v1.Descriptor
+	for _, m := range index.Manifests {
+		if m.MediaType == images.MediaTypeContainerd1Checkpoint {
+			cpDesc = &m
+			break
+		}
+	}
+	if cpDesc == nil {
+		return errdefs.System(errors.Wrapf(err, "invalid checkpoint"))
+	}
+
+	rat, err := c.getRemote().ContentStore().ReaderAt(ctx, *cpDesc)
+	if err != nil {
+		return errdefs.System(errors.Wrapf(err, "failed to get checkpoint reader"))
+	}
+	defer rat.Close()
+	_, err = archive.Apply(ctx, checkpointDir, content.NewReader(rat))
+	if err != nil {
+		return errdefs.System(errors.Wrapf(err, "failed to read checkpoint reader"))
+	}
+
+	return err
+}
+
+func (c *client) getContainer(id string) *container {
+	c.RLock()
+	ctr := c.containers[id]
+	c.RUnlock()
+
+	return ctr
+}
+
+func (c *client) removeContainer(id string) {
+	c.Lock()
+	delete(c.containers, id)
+	c.Unlock()
+}
+
+func (c *client) getProcess(containerID, processID string) (containerd.Process, error) {
+	ctr := c.getContainer(containerID)
+	if ctr == nil {
+		return nil, errors.WithStack(newNotFoundError("no such container"))
+	}
+
+	t := ctr.getTask()
+	if t == nil {
+		return nil, errors.WithStack(newNotFoundError("container is not running"))
+	}
+	if processID == InitProcessName {
+		return t, nil
+	}
+
+	p := ctr.getProcess(processID)
+	if p == nil {
+		return nil, errors.WithStack(newNotFoundError("no such exec"))
+	}
+	return p, nil
+}
+
+// createIO creates the io to be used by a process
+// This needs to get a pointer to interface as upon closure the process may not have yet been registered
+func (c *client) createIO(fifos *cio.FIFOSet, containerID, processID string, stdinCloseSync chan struct{}, attachStdio StdioCallback) (cio.IO, error) {
+	var (
+		io  *cio.DirectIO
+		err error
+	)
+
+	io, err = cio.NewDirectIO(context.Background(), fifos)
+	if err != nil {
+		return nil, err
+	}
+
+	if io.Stdin != nil {
+		var (
+			err       error
+			stdinOnce sync.Once
+		)
+		pipe := io.Stdin
+		io.Stdin = ioutils.NewWriteCloserWrapper(pipe, func() error {
+			stdinOnce.Do(func() {
+				err = pipe.Close()
+				// Do the rest in a new routine to avoid a deadlock if the
+				// Exec/Start call failed.
+				go func() {
+					<-stdinCloseSync
+					p, err := c.getProcess(containerID, processID)
+					if err == nil {
+						err = p.CloseIO(context.Background(), containerd.WithStdinCloser)
+						if err != nil && strings.Contains(err.Error(), "transport is closing") {
+							err = nil
+						}
+					}
+				}()
+			})
+			return err
+		})
+	}
+
+	rio, err := attachStdio(io)
+	if err != nil {
+		io.Cancel()
+		io.Close()
+	}
+	return rio, err
+}
+
+func (c *client) processEvent(ctr *container, et EventType, ei EventInfo) {
+	c.eventQ.append(ei.ContainerID, func() {
+		err := c.backend.ProcessEvent(ei.ContainerID, et, ei)
+		if err != nil {
+			c.logger.WithError(err).WithFields(logrus.Fields{
+				"container":  ei.ContainerID,
+				"event":      et,
+				"event-info": ei,
+			}).Error("failed to process event")
+		}
+
+		if et == EventExit && ei.ProcessID != ei.ContainerID {
+			p := ctr.getProcess(ei.ProcessID)
+			if p == nil {
+				c.logger.WithError(errors.New("no such process")).
+					WithFields(logrus.Fields{
+						"container": ei.ContainerID,
+						"process":   ei.ProcessID,
+					}).Error("exit event")
+				return
+			}
+			_, err = p.Delete(context.Background())
+			if err != nil {
+				c.logger.WithError(err).WithFields(logrus.Fields{
+					"container": ei.ContainerID,
+					"process":   ei.ProcessID,
+				}).Warn("failed to delete process")
+			}
+			ctr.deleteProcess(ei.ProcessID)
+
+			ctr := c.getContainer(ei.ContainerID)
+			if ctr == nil {
+				c.logger.WithFields(logrus.Fields{
+					"container": ei.ContainerID,
+				}).Error("failed to find container")
+			} else {
+				newFIFOSet(ctr.bundleDir, ei.ProcessID, true, false).Close()
+			}
+		}
+	})
+}
+
+func (c *client) processEventStream(ctx context.Context) {
+	var (
+		err error
+		ev  *events.Envelope
+		et  EventType
+		ei  EventInfo
+		ctr *container
+	)
+
+	// Filter on both namespace *and* topic. To create an "and" filter,
+	// this must be a single, comma-separated string
+	eventStream, errC := c.getRemote().EventService().Subscribe(ctx, "namespace=="+c.namespace+",topic~=|^/tasks/|")
+
+	c.logger.WithField("namespace", c.namespace).Debug("processing event stream")
+
+	var oomKilled bool
+	for {
+		select {
+		case err = <-errC:
+			if err != nil {
+				errStatus, ok := status.FromError(err)
+				if !ok || errStatus.Code() != codes.Canceled {
+					c.logger.WithError(err).Error("failed to get event")
+					go c.processEventStream(ctx)
+				} else {
+					c.logger.WithError(ctx.Err()).Info("stopping event stream following graceful shutdown")
+				}
+			}
+			return
+		case ev = <-eventStream:
+			if ev.Event == nil {
+				c.logger.WithField("event", ev).Warn("invalid event")
+				continue
+			}
+
+			v, err := typeurl.UnmarshalAny(ev.Event)
+			if err != nil {
+				c.logger.WithError(err).WithField("event", ev).Warn("failed to unmarshal event")
+				continue
+			}
+
+			c.logger.WithField("topic", ev.Topic).Debug("event")
+
+			switch t := v.(type) {
+			case *apievents.TaskCreate:
+				et = EventCreate
+				ei = EventInfo{
+					ContainerID: t.ContainerID,
+					ProcessID:   t.ContainerID,
+					Pid:         t.Pid,
+				}
+			case *apievents.TaskStart:
+				et = EventStart
+				ei = EventInfo{
+					ContainerID: t.ContainerID,
+					ProcessID:   t.ContainerID,
+					Pid:         t.Pid,
+				}
+			case *apievents.TaskExit:
+				et = EventExit
+				ei = EventInfo{
+					ContainerID: t.ContainerID,
+					ProcessID:   t.ID,
+					Pid:         t.Pid,
+					ExitCode:    t.ExitStatus,
+					ExitedAt:    t.ExitedAt,
+				}
+			case *apievents.TaskOOM:
+				et = EventOOM
+				ei = EventInfo{
+					ContainerID: t.ContainerID,
+					OOMKilled:   true,
+				}
+				oomKilled = true
+			case *apievents.TaskExecAdded:
+				et = EventExecAdded
+				ei = EventInfo{
+					ContainerID: t.ContainerID,
+					ProcessID:   t.ExecID,
+				}
+			case *apievents.TaskExecStarted:
+				et = EventExecStarted
+				ei = EventInfo{
+					ContainerID: t.ContainerID,
+					ProcessID:   t.ExecID,
+					Pid:         t.Pid,
+				}
+			case *apievents.TaskPaused:
+				et = EventPaused
+				ei = EventInfo{
+					ContainerID: t.ContainerID,
+				}
+			case *apievents.TaskResumed:
+				et = EventResumed
+				ei = EventInfo{
+					ContainerID: t.ContainerID,
+				}
+			default:
+				c.logger.WithFields(logrus.Fields{
+					"topic": ev.Topic,
+					"type":  reflect.TypeOf(t)},
+				).Info("ignoring event")
+				continue
+			}
+
+			ctr = c.getContainer(ei.ContainerID)
+			if ctr == nil {
+				c.logger.WithField("container", ei.ContainerID).Warn("unknown container")
+				continue
+			}
+
+			if oomKilled {
+				ctr.setOOMKilled(true)
+				oomKilled = false
+			}
+			ei.OOMKilled = ctr.getOOMKilled()
+
+			c.processEvent(ctr, et, ei)
+		}
+	}
+}
+
+func (c *client) writeContent(ctx context.Context, mediaType, ref string, r io.Reader) (*types.Descriptor, error) {
+	writer, err := c.getRemote().ContentStore().Writer(ctx, content.WithRef(ref))
+	if err != nil {
+		return nil, err
+	}
+	defer writer.Close()
+	size, err := io.Copy(writer, r)
+	if err != nil {
+		return nil, err
+	}
+	labels := map[string]string{
+		"containerd.io/gc.root": time.Now().UTC().Format(time.RFC3339),
+	}
+	if err := writer.Commit(ctx, 0, "", content.WithLabels(labels)); err != nil {
+		return nil, err
+	}
+	return &types.Descriptor{
+		MediaType: mediaType,
+		Digest:    writer.Digest(),
+		Size_:     size,
+	}, nil
+}
+
+func wrapError(err error) error {
+	switch {
+	case err == nil:
+		return nil
+	case containerderrors.IsNotFound(err):
+		return errdefs.NotFound(err)
+	}
+
+	msg := err.Error()
+	for _, s := range []string{"container does not exist", "not found", "no such container"} {
+		if strings.Contains(msg, s) {
+			return errdefs.NotFound(err)
+		}
+	}
+	return err
+}
diff --git a/engine/libcontainerd/client_daemon_linux.go b/engine/libcontainerd/client_daemon_linux.go
new file mode 100644
index 00000000..b57c4d3c
--- /dev/null
+++ b/engine/libcontainerd/client_daemon_linux.go
@@ -0,0 +1,108 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/containerd/containerd"
+	"github.com/containerd/containerd/cio"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/sirupsen/logrus"
+)
+
+func summaryFromInterface(i interface{}) (*Summary, error) {
+	return &Summary{}, nil
+}
+
+func (c *client) UpdateResources(ctx context.Context, containerID string, resources *Resources) error {
+	p, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return err
+	}
+
+	// go doesn't like the alias in 1.8, this means this need to be
+	// platform specific
+	return p.(containerd.Task).Update(ctx, containerd.WithResources((*specs.LinuxResources)(resources)))
+}
+
+func hostIDFromMap(id uint32, mp []specs.LinuxIDMapping) int {
+	for _, m := range mp {
+		if id >= m.ContainerID && id <= m.ContainerID+m.Size-1 {
+			return int(m.HostID + id - m.ContainerID)
+		}
+	}
+	return 0
+}
+
+func getSpecUser(ociSpec *specs.Spec) (int, int) {
+	var (
+		uid int
+		gid int
+	)
+
+	for _, ns := range ociSpec.Linux.Namespaces {
+		if ns.Type == specs.UserNamespace {
+			uid = hostIDFromMap(0, ociSpec.Linux.UIDMappings)
+			gid = hostIDFromMap(0, ociSpec.Linux.GIDMappings)
+			break
+		}
+	}
+
+	return uid, gid
+}
+
+func prepareBundleDir(bundleDir string, ociSpec *specs.Spec) (string, error) {
+	uid, gid := getSpecUser(ociSpec)
+	if uid == 0 && gid == 0 {
+		return bundleDir, idtools.MkdirAllAndChownNew(bundleDir, 0755, idtools.IDPair{UID: 0, GID: 0})
+	}
+
+	p := string(filepath.Separator)
+	components := strings.Split(bundleDir, string(filepath.Separator))
+	for _, d := range components[1:] {
+		p = filepath.Join(p, d)
+		fi, err := os.Stat(p)
+		if err != nil && !os.IsNotExist(err) {
+			return "", err
+		}
+		if os.IsNotExist(err) || fi.Mode()&1 == 0 {
+			p = fmt.Sprintf("%s.%d.%d", p, uid, gid)
+			if err := idtools.MkdirAndChown(p, 0700, idtools.IDPair{UID: uid, GID: gid}); err != nil && !os.IsExist(err) {
+				return "", err
+			}
+		}
+	}
+
+	return p, nil
+}
+
+func newFIFOSet(bundleDir, processID string, withStdin, withTerminal bool) *cio.FIFOSet {
+	config := cio.Config{
+		Terminal: withTerminal,
+		Stdout:   filepath.Join(bundleDir, processID+"-stdout"),
+	}
+	paths := []string{config.Stdout}
+
+	if withStdin {
+		config.Stdin = filepath.Join(bundleDir, processID+"-stdin")
+		paths = append(paths, config.Stdin)
+	}
+	if !withTerminal {
+		config.Stderr = filepath.Join(bundleDir, processID+"-stderr")
+		paths = append(paths, config.Stderr)
+	}
+	closer := func() error {
+		for _, path := range paths {
+			if err := os.RemoveAll(path); err != nil {
+				logrus.Warnf("libcontainerd: failed to remove fifo %v: %v", path, err)
+			}
+		}
+		return nil
+	}
+
+	return cio.NewFIFOSet(config, closer)
+}
diff --git a/engine/libcontainerd/client_daemon_windows.go b/engine/libcontainerd/client_daemon_windows.go
new file mode 100644
index 00000000..4aba33e1
--- /dev/null
+++ b/engine/libcontainerd/client_daemon_windows.go
@@ -0,0 +1,55 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/windows/hcsshimtypes"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+)
+
+func summaryFromInterface(i interface{}) (*Summary, error) {
+	switch pd := i.(type) {
+	case *hcsshimtypes.ProcessDetails:
+		return &Summary{
+			CreateTimestamp:              pd.CreatedAt,
+			ImageName:                    pd.ImageName,
+			KernelTime100ns:              pd.KernelTime_100Ns,
+			MemoryCommitBytes:            pd.MemoryCommitBytes,
+			MemoryWorkingSetPrivateBytes: pd.MemoryWorkingSetPrivateBytes,
+			MemoryWorkingSetSharedBytes:  pd.MemoryWorkingSetSharedBytes,
+			ProcessId:                    pd.ProcessID,
+			UserTime100ns:                pd.UserTime_100Ns,
+		}, nil
+	default:
+		return nil, errors.Errorf("Unknown process details type %T", pd)
+	}
+}
+
+func prepareBundleDir(bundleDir string, ociSpec *specs.Spec) (string, error) {
+	return bundleDir, nil
+}
+
+func pipeName(containerID, processID, name string) string {
+	return fmt.Sprintf(`\\.\pipe\containerd-%s-%s-%s`, containerID, processID, name)
+}
+
+func newFIFOSet(bundleDir, processID string, withStdin, withTerminal bool) *cio.FIFOSet {
+	containerID := filepath.Base(bundleDir)
+	config := cio.Config{
+		Terminal: withTerminal,
+		Stdout:   pipeName(containerID, processID, "stdout"),
+	}
+
+	if withStdin {
+		config.Stdin = pipeName(containerID, processID, "stdin")
+	}
+
+	if !config.Terminal {
+		config.Stderr = pipeName(containerID, processID, "stderr")
+	}
+
+	return cio.NewFIFOSet(config, nil)
+}
diff --git a/engine/libcontainerd/client_local_windows.go b/engine/libcontainerd/client_local_windows.go
new file mode 100644
index 00000000..01435f37
--- /dev/null
+++ b/engine/libcontainerd/client_local_windows.go
@@ -0,0 +1,1328 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/Microsoft/hcsshim"
+	opengcs "github.com/Microsoft/opengcs/client"
+	"github.com/containerd/containerd"
+	"github.com/containerd/containerd/cio"
+	"github.com/docker/docker/pkg/sysinfo"
+	"github.com/docker/docker/pkg/system"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+const InitProcessName = "init"
+
+type process struct {
+	id         string
+	pid        int
+	hcsProcess hcsshim.Process
+}
+
+type container struct {
+	sync.Mutex
+
+	// The ociSpec is required, as client.Create() needs a spec, but can
+	// be called from the RestartManager context which does not otherwise
+	// have access to the Spec
+	ociSpec *specs.Spec
+
+	isWindows    bool
+	hcsContainer hcsshim.Container
+
+	id               string
+	status           Status
+	exitedAt         time.Time
+	exitCode         uint32
+	waitCh           chan struct{}
+	init             *process
+	execs            map[string]*process
+	terminateInvoked bool
+}
+
+// Win32 error codes that are used for various workarounds
+// These really should be ALL_CAPS to match golangs syscall library and standard
+// Win32 error conventions, but golint insists on CamelCase.
+const (
+	CoEClassstring     = syscall.Errno(0x800401F3) // Invalid class string
+	ErrorNoNetwork     = syscall.Errno(1222)       // The network is not present or not started
+	ErrorBadPathname   = syscall.Errno(161)        // The specified path is invalid
+	ErrorInvalidObject = syscall.Errno(0x800710D8) // The object identifier does not represent a valid object
+)
+
+// defaultOwner is a tag passed to HCS to allow it to differentiate between
+// container creator management stacks. We hard code "docker" in the case
+// of docker.
+const defaultOwner = "docker"
+
+func (c *client) Version(ctx context.Context) (containerd.Version, error) {
+	return containerd.Version{}, errors.New("not implemented on Windows")
+}
+
+// Create is the entrypoint to create a container from a spec.
+// Table below shows the fields required for HCS JSON calling parameters,
+// where if not populated, is omitted.
+// +-----------------+--------------------------------------------+---------------------------------------------------+
+// |                 | Isolation=Process                          | Isolation=Hyper-V                                 |
+// +-----------------+--------------------------------------------+---------------------------------------------------+
+// | VolumePath      | \\?\\Volume{GUIDa}                         |                                                   |
+// | LayerFolderPath | %root%\windowsfilter\containerID           |                                                   |
+// | Layers[]        | ID=GUIDb;Path=%root%\windowsfilter\layerID | ID=GUIDb;Path=%root%\windowsfilter\layerID        |
+// | HvRuntime       |                                            | ImagePath=%root%\BaseLayerID\UtilityVM            |
+// +-----------------+--------------------------------------------+---------------------------------------------------+
+//
+// Isolation=Process example:
+//
+// {
+//	"SystemType": "Container",
+//	"Name": "5e0055c814a6005b8e57ac59f9a522066e0af12b48b3c26a9416e23907698776",
+//	"Owner": "docker",
+//	"VolumePath": "\\\\\\\\?\\\\Volume{66d1ef4c-7a00-11e6-8948-00155ddbef9d}",
+//	"IgnoreFlushesDuringBoot": true,
+//	"LayerFolderPath": "C:\\\\control\\\\windowsfilter\\\\5e0055c814a6005b8e57ac59f9a522066e0af12b48b3c26a9416e23907698776",
+//	"Layers": [{
+//		"ID": "18955d65-d45a-557b-bf1c-49d6dfefc526",
+//		"Path": "C:\\\\control\\\\windowsfilter\\\\65bf96e5760a09edf1790cb229e2dfb2dbd0fcdc0bf7451bae099106bfbfea0c"
+//	}],
+//	"HostName": "5e0055c814a6",
+//	"MappedDirectories": [],
+//	"HvPartition": false,
+//	"EndpointList": ["eef2649d-bb17-4d53-9937-295a8efe6f2c"],
+//}
+//
+// Isolation=Hyper-V example:
+//
+//{
+//	"SystemType": "Container",
+//	"Name": "475c2c58933b72687a88a441e7e0ca4bd72d76413c5f9d5031fee83b98f6045d",
+//	"Owner": "docker",
+//	"IgnoreFlushesDuringBoot": true,
+//	"Layers": [{
+//		"ID": "18955d65-d45a-557b-bf1c-49d6dfefc526",
+//		"Path": "C:\\\\control\\\\windowsfilter\\\\65bf96e5760a09edf1790cb229e2dfb2dbd0fcdc0bf7451bae099106bfbfea0c"
+//	}],
+//	"HostName": "475c2c58933b",
+//	"MappedDirectories": [],
+//	"HvPartition": true,
+//	"EndpointList": ["e1bb1e61-d56f-405e-b75d-fd520cefa0cb"],
+//	"DNSSearchList": "a.com,b.com,c.com",
+//	"HvRuntime": {
+//		"ImagePath": "C:\\\\control\\\\windowsfilter\\\\65bf96e5760a09edf1790cb229e2dfb2dbd0fcdc0bf7451bae099106bfbfea0c\\\\UtilityVM"
+//	},
+//}
+func (c *client) Create(_ context.Context, id string, spec *specs.Spec, runtimeOptions interface{}) error {
+	if ctr := c.getContainer(id); ctr != nil {
+		return errors.WithStack(newConflictError("id already in use"))
+	}
+
+	// spec.Linux must be nil for Windows containers, but spec.Windows
+	// will be filled in regardless of container platform.  This is a
+	// temporary workaround due to LCOW requiring layer folder paths,
+	// which are stored under spec.Windows.
+	//
+	// TODO: @darrenstahlmsft fix this once the OCI spec is updated to
+	// support layer folder paths for LCOW
+	if spec.Linux == nil {
+		return c.createWindows(id, spec, runtimeOptions)
+	}
+	return c.createLinux(id, spec, runtimeOptions)
+}
+
+func (c *client) createWindows(id string, spec *specs.Spec, runtimeOptions interface{}) error {
+	logger := c.logger.WithField("container", id)
+	configuration := &hcsshim.ContainerConfig{
+		SystemType: "Container",
+		Name:       id,
+		Owner:      defaultOwner,
+		IgnoreFlushesDuringBoot: spec.Windows.IgnoreFlushesDuringBoot,
+		HostName:                spec.Hostname,
+		HvPartition:             false,
+	}
+
+	if spec.Windows.Resources != nil {
+		if spec.Windows.Resources.CPU != nil {
+			if spec.Windows.Resources.CPU.Count != nil {
+				// This check is being done here rather than in adaptContainerSettings
+				// because we don't want to update the HostConfig in case this container
+				// is moved to a host with more CPUs than this one.
+				cpuCount := *spec.Windows.Resources.CPU.Count
+				hostCPUCount := uint64(sysinfo.NumCPU())
+				if cpuCount > hostCPUCount {
+					c.logger.Warnf("Changing requested CPUCount of %d to current number of processors, %d", cpuCount, hostCPUCount)
+					cpuCount = hostCPUCount
+				}
+				configuration.ProcessorCount = uint32(cpuCount)
+			}
+			if spec.Windows.Resources.CPU.Shares != nil {
+				configuration.ProcessorWeight = uint64(*spec.Windows.Resources.CPU.Shares)
+			}
+			if spec.Windows.Resources.CPU.Maximum != nil {
+				configuration.ProcessorMaximum = int64(*spec.Windows.Resources.CPU.Maximum)
+			}
+		}
+		if spec.Windows.Resources.Memory != nil {
+			if spec.Windows.Resources.Memory.Limit != nil {
+				configuration.MemoryMaximumInMB = int64(*spec.Windows.Resources.Memory.Limit) / 1024 / 1024
+			}
+		}
+		if spec.Windows.Resources.Storage != nil {
+			if spec.Windows.Resources.Storage.Bps != nil {
+				configuration.StorageBandwidthMaximum = *spec.Windows.Resources.Storage.Bps
+			}
+			if spec.Windows.Resources.Storage.Iops != nil {
+				configuration.StorageIOPSMaximum = *spec.Windows.Resources.Storage.Iops
+			}
+		}
+	}
+
+	if spec.Windows.HyperV != nil {
+		configuration.HvPartition = true
+	}
+
+	if spec.Windows.Network != nil {
+		configuration.EndpointList = spec.Windows.Network.EndpointList
+		configuration.AllowUnqualifiedDNSQuery = spec.Windows.Network.AllowUnqualifiedDNSQuery
+		if spec.Windows.Network.DNSSearchList != nil {
+			configuration.DNSSearchList = strings.Join(spec.Windows.Network.DNSSearchList, ",")
+		}
+		configuration.NetworkSharedContainerName = spec.Windows.Network.NetworkSharedContainerName
+	}
+
+	if cs, ok := spec.Windows.CredentialSpec.(string); ok {
+		configuration.Credentials = cs
+	}
+
+	// We must have least two layers in the spec, the bottom one being a
+	// base image, the top one being the RW layer.
+	if spec.Windows.LayerFolders == nil || len(spec.Windows.LayerFolders) < 2 {
+		return fmt.Errorf("OCI spec is invalid - at least two LayerFolders must be supplied to the runtime")
+	}
+
+	// Strip off the top-most layer as that's passed in separately to HCS
+	configuration.LayerFolderPath = spec.Windows.LayerFolders[len(spec.Windows.LayerFolders)-1]
+	layerFolders := spec.Windows.LayerFolders[:len(spec.Windows.LayerFolders)-1]
+
+	if configuration.HvPartition {
+		// We don't currently support setting the utility VM image explicitly.
+		// TODO @swernli/jhowardmsft circa RS5, this may be re-locatable.
+		if spec.Windows.HyperV.UtilityVMPath != "" {
+			return errors.New("runtime does not support an explicit utility VM path for Hyper-V containers")
+		}
+
+		// Find the upper-most utility VM image.
+		var uvmImagePath string
+		for _, path := range layerFolders {
+			fullPath := filepath.Join(path, "UtilityVM")
+			_, err := os.Stat(fullPath)
+			if err == nil {
+				uvmImagePath = fullPath
+				break
+			}
+			if !os.IsNotExist(err) {
+				return err
+			}
+		}
+		if uvmImagePath == "" {
+			return errors.New("utility VM image could not be found")
+		}
+		configuration.HvRuntime = &hcsshim.HvRuntime{ImagePath: uvmImagePath}
+
+		if spec.Root.Path != "" {
+			return errors.New("OCI spec is invalid - Root.Path must be omitted for a Hyper-V container")
+		}
+	} else {
+		const volumeGUIDRegex = `^\\\\\?\\(Volume)\{{0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}\}\\$`
+		if _, err := regexp.MatchString(volumeGUIDRegex, spec.Root.Path); err != nil {
+			return fmt.Errorf(`OCI spec is invalid - Root.Path '%s' must be a volume GUID path in the format '\\?\Volume{GUID}\'`, spec.Root.Path)
+		}
+		// HCS API requires the trailing backslash to be removed
+		configuration.VolumePath = spec.Root.Path[:len(spec.Root.Path)-1]
+	}
+
+	if spec.Root.Readonly {
+		return errors.New(`OCI spec is invalid - Root.Readonly must not be set on Windows`)
+	}
+
+	for _, layerPath := range layerFolders {
+		_, filename := filepath.Split(layerPath)
+		g, err := hcsshim.NameToGuid(filename)
+		if err != nil {
+			return err
+		}
+		configuration.Layers = append(configuration.Layers, hcsshim.Layer{
+			ID:   g.ToString(),
+			Path: layerPath,
+		})
+	}
+
+	// Add the mounts (volumes, bind mounts etc) to the structure
+	var mds []hcsshim.MappedDir
+	var mps []hcsshim.MappedPipe
+	for _, mount := range spec.Mounts {
+		const pipePrefix = `\\.\pipe\`
+		if mount.Type != "" {
+			return fmt.Errorf("OCI spec is invalid - Mount.Type '%s' must not be set", mount.Type)
+		}
+		if strings.HasPrefix(mount.Destination, pipePrefix) {
+			mp := hcsshim.MappedPipe{
+				HostPath:          mount.Source,
+				ContainerPipeName: mount.Destination[len(pipePrefix):],
+			}
+			mps = append(mps, mp)
+		} else {
+			md := hcsshim.MappedDir{
+				HostPath:      mount.Source,
+				ContainerPath: mount.Destination,
+				ReadOnly:      false,
+			}
+			for _, o := range mount.Options {
+				if strings.ToLower(o) == "ro" {
+					md.ReadOnly = true
+				}
+			}
+			mds = append(mds, md)
+		}
+	}
+	configuration.MappedDirectories = mds
+	if len(mps) > 0 && system.GetOSVersion().Build < 16299 { // RS3
+		return errors.New("named pipe mounts are not supported on this version of Windows")
+	}
+	configuration.MappedPipes = mps
+
+	hcsContainer, err := hcsshim.CreateContainer(id, configuration)
+	if err != nil {
+		return err
+	}
+
+	// Construct a container object for calling start on it.
+	ctr := &container{
+		id:           id,
+		execs:        make(map[string]*process),
+		isWindows:    true,
+		ociSpec:      spec,
+		hcsContainer: hcsContainer,
+		status:       StatusCreated,
+		waitCh:       make(chan struct{}),
+	}
+
+	logger.Debug("starting container")
+	if err = hcsContainer.Start(); err != nil {
+		c.logger.WithError(err).Error("failed to start container")
+		ctr.Lock()
+		if err := c.terminateContainer(ctr); err != nil {
+			c.logger.WithError(err).Error("failed to cleanup after a failed Start")
+		} else {
+			c.logger.Debug("cleaned up after failed Start by calling Terminate")
+		}
+		ctr.Unlock()
+		return err
+	}
+
+	c.Lock()
+	c.containers[id] = ctr
+	c.Unlock()
+
+	logger.Debug("createWindows() completed successfully")
+	return nil
+
+}
+
+func (c *client) createLinux(id string, spec *specs.Spec, runtimeOptions interface{}) error {
+	logrus.Debugf("libcontainerd: createLinux(): containerId %s ", id)
+	logger := c.logger.WithField("container", id)
+
+	if runtimeOptions == nil {
+		return fmt.Errorf("lcow option must be supplied to the runtime")
+	}
+	lcowConfig, ok := runtimeOptions.(*opengcs.Config)
+	if !ok {
+		return fmt.Errorf("lcow option must be supplied to the runtime")
+	}
+
+	configuration := &hcsshim.ContainerConfig{
+		HvPartition:   true,
+		Name:          id,
+		SystemType:    "container",
+		ContainerType: "linux",
+		Owner:         defaultOwner,
+		TerminateOnLastHandleClosed: true,
+	}
+
+	if lcowConfig.ActualMode == opengcs.ModeActualVhdx {
+		configuration.HvRuntime = &hcsshim.HvRuntime{
+			ImagePath:          lcowConfig.Vhdx,
+			BootSource:         "Vhd",
+			WritableBootSource: false,
+		}
+	} else {
+		configuration.HvRuntime = &hcsshim.HvRuntime{
+			ImagePath:           lcowConfig.KirdPath,
+			LinuxKernelFile:     lcowConfig.KernelFile,
+			LinuxInitrdFile:     lcowConfig.InitrdFile,
+			LinuxBootParameters: lcowConfig.BootParameters,
+		}
+	}
+
+	if spec.Windows == nil {
+		return fmt.Errorf("spec.Windows must not be nil for LCOW containers")
+	}
+
+	// We must have least one layer in the spec
+	if spec.Windows.LayerFolders == nil || len(spec.Windows.LayerFolders) == 0 {
+		return fmt.Errorf("OCI spec is invalid - at least one LayerFolders must be supplied to the runtime")
+	}
+
+	// Strip off the top-most layer as that's passed in separately to HCS
+	configuration.LayerFolderPath = spec.Windows.LayerFolders[len(spec.Windows.LayerFolders)-1]
+	layerFolders := spec.Windows.LayerFolders[:len(spec.Windows.LayerFolders)-1]
+
+	for _, layerPath := range layerFolders {
+		_, filename := filepath.Split(layerPath)
+		g, err := hcsshim.NameToGuid(filename)
+		if err != nil {
+			return err
+		}
+		configuration.Layers = append(configuration.Layers, hcsshim.Layer{
+			ID:   g.ToString(),
+			Path: filepath.Join(layerPath, "layer.vhd"),
+		})
+	}
+
+	if spec.Windows.Network != nil {
+		configuration.EndpointList = spec.Windows.Network.EndpointList
+		configuration.AllowUnqualifiedDNSQuery = spec.Windows.Network.AllowUnqualifiedDNSQuery
+		if spec.Windows.Network.DNSSearchList != nil {
+			configuration.DNSSearchList = strings.Join(spec.Windows.Network.DNSSearchList, ",")
+		}
+		configuration.NetworkSharedContainerName = spec.Windows.Network.NetworkSharedContainerName
+	}
+
+	// Add the mounts (volumes, bind mounts etc) to the structure. We have to do
+	// some translation for both the mapped directories passed into HCS and in
+	// the spec.
+	//
+	// For HCS, we only pass in the mounts from the spec which are type "bind".
+	// Further, the "ContainerPath" field (which is a little mis-leadingly
+	// named when it applies to the utility VM rather than the container in the
+	// utility VM) is moved to under /tmp/gcs/<ID>/binds, where this is passed
+	// by the caller through a 'uvmpath' option.
+	//
+	// We do similar translation for the mounts in the spec by stripping out
+	// the uvmpath option, and translating the Source path to the location in the
+	// utility VM calculated above.
+	//
+	// From inside the utility VM, you would see a 9p mount such as in the following
+	// where a host folder has been mapped to /target. The line with /tmp/gcs/<ID>/binds
+	// specifically:
+	//
+	//	/ # mount
+	//	rootfs on / type rootfs (rw,size=463736k,nr_inodes=115934)
+	//	proc on /proc type proc (rw,relatime)
+	//	sysfs on /sys type sysfs (rw,relatime)
+	//	udev on /dev type devtmpfs (rw,relatime,size=498100k,nr_inodes=124525,mode=755)
+	//	tmpfs on /run type tmpfs (rw,relatime)
+	//	cgroup on /sys/fs/cgroup type cgroup (rw,relatime,cpuset,cpu,cpuacct,blkio,memory,devices,freezer,net_cls,perf_event,net_prio,hugetlb,pids,rdma)
+	//	mqueue on /dev/mqueue type mqueue (rw,relatime)
+	//	devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
+	//	/binds/b3ea9126d67702173647ece2744f7c11181c0150e9890fc9a431849838033edc/target on /binds/b3ea9126d67702173647ece2744f7c11181c0150e9890fc9a431849838033edc/target type 9p (rw,sync,dirsync,relatime,trans=fd,rfdno=6,wfdno=6)
+	//	/dev/pmem0 on /tmp/gcs/b3ea9126d67702173647ece2744f7c11181c0150e9890fc9a431849838033edc/layer0 type ext4 (ro,relatime,block_validity,delalloc,norecovery,barrier,dax,user_xattr,acl)
+	//	/dev/sda on /tmp/gcs/b3ea9126d67702173647ece2744f7c11181c0150e9890fc9a431849838033edc/scratch type ext4 (rw,relatime,block_validity,delalloc,barrier,user_xattr,acl)
+	//	overlay on /tmp/gcs/b3ea9126d67702173647ece2744f7c11181c0150e9890fc9a431849838033edc/rootfs type overlay (rw,relatime,lowerdir=/tmp/base/:/tmp/gcs/b3ea9126d67702173647ece2744f7c11181c0150e9890fc9a431849838033edc/layer0,upperdir=/tmp/gcs/b3ea9126d67702173647ece2744f7c11181c0150e9890fc9a431849838033edc/scratch/upper,workdir=/tmp/gcs/b3ea9126d67702173647ece2744f7c11181c0150e9890fc9a431849838033edc/scratch/work)
+	//
+	//  /tmp/gcs/b3ea9126d67702173647ece2744f7c11181c0150e9890fc9a431849838033edc # ls -l
+	//	total 16
+	//	drwx------    3 0        0               60 Sep  7 18:54 binds
+	//	-rw-r--r--    1 0        0             3345 Sep  7 18:54 config.json
+	//	drwxr-xr-x   10 0        0             4096 Sep  6 17:26 layer0
+	//	drwxr-xr-x    1 0        0             4096 Sep  7 18:54 rootfs
+	//	drwxr-xr-x    5 0        0             4096 Sep  7 18:54 scratch
+	//
+	//	/tmp/gcs/b3ea9126d67702173647ece2744f7c11181c0150e9890fc9a431849838033edc # ls -l binds
+	//	total 0
+	//	drwxrwxrwt    2 0        0             4096 Sep  7 16:51 target
+
+	mds := []hcsshim.MappedDir{}
+	specMounts := []specs.Mount{}
+	for _, mount := range spec.Mounts {
+		specMount := mount
+		if mount.Type == "bind" {
+			// Strip out the uvmpath from the options
+			updatedOptions := []string{}
+			uvmPath := ""
+			readonly := false
+			for _, opt := range mount.Options {
+				dropOption := false
+				elements := strings.SplitN(opt, "=", 2)
+				switch elements[0] {
+				case "uvmpath":
+					uvmPath = elements[1]
+					dropOption = true
+				case "rw":
+				case "ro":
+					readonly = true
+				case "rbind":
+				default:
+					return fmt.Errorf("unsupported option %q", opt)
+				}
+				if !dropOption {
+					updatedOptions = append(updatedOptions, opt)
+				}
+			}
+			mount.Options = updatedOptions
+			if uvmPath == "" {
+				return fmt.Errorf("no uvmpath for bind mount %+v", mount)
+			}
+			md := hcsshim.MappedDir{
+				HostPath:          mount.Source,
+				ContainerPath:     path.Join(uvmPath, mount.Destination),
+				CreateInUtilityVM: true,
+				ReadOnly:          readonly,
+			}
+			mds = append(mds, md)
+			specMount.Source = path.Join(uvmPath, mount.Destination)
+		}
+		specMounts = append(specMounts, specMount)
+	}
+	configuration.MappedDirectories = mds
+
+	hcsContainer, err := hcsshim.CreateContainer(id, configuration)
+	if err != nil {
+		return err
+	}
+
+	spec.Mounts = specMounts
+
+	// Construct a container object for calling start on it.
+	ctr := &container{
+		id:           id,
+		execs:        make(map[string]*process),
+		isWindows:    false,
+		ociSpec:      spec,
+		hcsContainer: hcsContainer,
+		status:       StatusCreated,
+		waitCh:       make(chan struct{}),
+	}
+
+	// Start the container.
+	logger.Debug("starting container")
+	if err = hcsContainer.Start(); err != nil {
+		c.logger.WithError(err).Error("failed to start container")
+		ctr.debugGCS()
+		ctr.Lock()
+		if err := c.terminateContainer(ctr); err != nil {
+			c.logger.WithError(err).Error("failed to cleanup after a failed Start")
+		} else {
+			c.logger.Debug("cleaned up after failed Start by calling Terminate")
+		}
+		ctr.Unlock()
+		return err
+	}
+	ctr.debugGCS()
+
+	c.Lock()
+	c.containers[id] = ctr
+	c.Unlock()
+
+	c.eventQ.append(id, func() {
+		ei := EventInfo{
+			ContainerID: id,
+		}
+		c.logger.WithFields(logrus.Fields{
+			"container": ctr.id,
+			"event":     EventCreate,
+		}).Info("sending event")
+		err := c.backend.ProcessEvent(id, EventCreate, ei)
+		if err != nil {
+			c.logger.WithError(err).WithFields(logrus.Fields{
+				"container": id,
+				"event":     EventCreate,
+			}).Error("failed to process event")
+		}
+	})
+
+	logger.Debug("createLinux() completed successfully")
+	return nil
+}
+
+func (c *client) Start(_ context.Context, id, _ string, withStdin bool, attachStdio StdioCallback) (int, error) {
+	ctr := c.getContainer(id)
+	switch {
+	case ctr == nil:
+		return -1, errors.WithStack(newNotFoundError("no such container"))
+	case ctr.init != nil:
+		return -1, errors.WithStack(newConflictError("container already started"))
+	}
+
+	logger := c.logger.WithField("container", id)
+
+	// Note we always tell HCS to create stdout as it's required
+	// regardless of '-i' or '-t' options, so that docker can always grab
+	// the output through logs. We also tell HCS to always create stdin,
+	// even if it's not used - it will be closed shortly. Stderr is only
+	// created if it we're not -t.
+	var (
+		emulateConsole   bool
+		createStdErrPipe bool
+	)
+	if ctr.ociSpec.Process != nil {
+		emulateConsole = ctr.ociSpec.Process.Terminal
+		createStdErrPipe = !ctr.ociSpec.Process.Terminal
+	}
+
+	createProcessParms := &hcsshim.ProcessConfig{
+		EmulateConsole:   emulateConsole,
+		WorkingDirectory: ctr.ociSpec.Process.Cwd,
+		CreateStdInPipe:  true,
+		CreateStdOutPipe: true,
+		CreateStdErrPipe: createStdErrPipe,
+	}
+
+	if ctr.ociSpec.Process != nil && ctr.ociSpec.Process.ConsoleSize != nil {
+		createProcessParms.ConsoleSize[0] = uint(ctr.ociSpec.Process.ConsoleSize.Height)
+		createProcessParms.ConsoleSize[1] = uint(ctr.ociSpec.Process.ConsoleSize.Width)
+	}
+
+	// Configure the environment for the process
+	createProcessParms.Environment = setupEnvironmentVariables(ctr.ociSpec.Process.Env)
+	if ctr.isWindows {
+		createProcessParms.CommandLine = strings.Join(ctr.ociSpec.Process.Args, " ")
+	} else {
+		createProcessParms.CommandArgs = ctr.ociSpec.Process.Args
+	}
+	createProcessParms.User = ctr.ociSpec.Process.User.Username
+
+	// LCOW requires the raw OCI spec passed through HCS and onwards to
+	// GCS for the utility VM.
+	if !ctr.isWindows {
+		ociBuf, err := json.Marshal(ctr.ociSpec)
+		if err != nil {
+			return -1, err
+		}
+		ociRaw := json.RawMessage(ociBuf)
+		createProcessParms.OCISpecification = &ociRaw
+	}
+
+	ctr.Lock()
+	defer ctr.Unlock()
+
+	// Start the command running in the container.
+	newProcess, err := ctr.hcsContainer.CreateProcess(createProcessParms)
+	if err != nil {
+		logger.WithError(err).Error("CreateProcess() failed")
+		return -1, err
+	}
+	defer func() {
+		if err != nil {
+			if err := newProcess.Kill(); err != nil {
+				logger.WithError(err).Error("failed to kill process")
+			}
+			go func() {
+				if err := newProcess.Wait(); err != nil {
+					logger.WithError(err).Error("failed to wait for process")
+				}
+				if err := newProcess.Close(); err != nil {
+					logger.WithError(err).Error("failed to clean process resources")
+				}
+			}()
+		}
+	}()
+	p := &process{
+		hcsProcess: newProcess,
+		id:         InitProcessName,
+		pid:        newProcess.Pid(),
+	}
+	logger.WithField("pid", p.pid).Debug("init process started")
+
+	dio, err := newIOFromProcess(newProcess, ctr.ociSpec.Process.Terminal)
+	if err != nil {
+		logger.WithError(err).Error("failed to get stdio pipes")
+		return -1, err
+	}
+	_, err = attachStdio(dio)
+	if err != nil {
+		logger.WithError(err).Error("failed to attache stdio")
+		return -1, err
+	}
+	ctr.status = StatusRunning
+	ctr.init = p
+
+	// Spin up a go routine waiting for exit to handle cleanup
+	go c.reapProcess(ctr, p)
+
+	// Generate the associated event
+	c.eventQ.append(id, func() {
+		ei := EventInfo{
+			ContainerID: id,
+			ProcessID:   InitProcessName,
+			Pid:         uint32(p.pid),
+		}
+		c.logger.WithFields(logrus.Fields{
+			"container":  ctr.id,
+			"event":      EventStart,
+			"event-info": ei,
+		}).Info("sending event")
+		err := c.backend.ProcessEvent(ei.ContainerID, EventStart, ei)
+		if err != nil {
+			c.logger.WithError(err).WithFields(logrus.Fields{
+				"container":  id,
+				"event":      EventStart,
+				"event-info": ei,
+			}).Error("failed to process event")
+		}
+	})
+	logger.Debug("start() completed")
+	return p.pid, nil
+}
+
+func newIOFromProcess(newProcess hcsshim.Process, terminal bool) (*cio.DirectIO, error) {
+	stdin, stdout, stderr, err := newProcess.Stdio()
+	if err != nil {
+		return nil, err
+	}
+
+	dio := cio.NewDirectIO(createStdInCloser(stdin, newProcess), nil, nil, terminal)
+
+	// Convert io.ReadClosers to io.Readers
+	if stdout != nil {
+		dio.Stdout = ioutil.NopCloser(&autoClosingReader{ReadCloser: stdout})
+	}
+	if stderr != nil {
+		dio.Stderr = ioutil.NopCloser(&autoClosingReader{ReadCloser: stderr})
+	}
+	return dio, nil
+}
+
+// Exec adds a process in an running container
+func (c *client) Exec(ctx context.Context, containerID, processID string, spec *specs.Process, withStdin bool, attachStdio StdioCallback) (int, error) {
+	ctr := c.getContainer(containerID)
+	switch {
+	case ctr == nil:
+		return -1, errors.WithStack(newNotFoundError("no such container"))
+	case ctr.hcsContainer == nil:
+		return -1, errors.WithStack(newInvalidParameterError("container is not running"))
+	case ctr.execs != nil && ctr.execs[processID] != nil:
+		return -1, errors.WithStack(newConflictError("id already in use"))
+	}
+	logger := c.logger.WithFields(logrus.Fields{
+		"container": containerID,
+		"exec":      processID,
+	})
+
+	// Note we always tell HCS to
+	// create stdout as it's required regardless of '-i' or '-t' options, so that
+	// docker can always grab the output through logs. We also tell HCS to always
+	// create stdin, even if it's not used - it will be closed shortly. Stderr
+	// is only created if it we're not -t.
+	createProcessParms := hcsshim.ProcessConfig{
+		CreateStdInPipe:  true,
+		CreateStdOutPipe: true,
+		CreateStdErrPipe: !spec.Terminal,
+	}
+	if spec.Terminal {
+		createProcessParms.EmulateConsole = true
+		if spec.ConsoleSize != nil {
+			createProcessParms.ConsoleSize[0] = uint(spec.ConsoleSize.Height)
+			createProcessParms.ConsoleSize[1] = uint(spec.ConsoleSize.Width)
+		}
+	}
+
+	// Take working directory from the process to add if it is defined,
+	// otherwise take from the first process.
+	if spec.Cwd != "" {
+		createProcessParms.WorkingDirectory = spec.Cwd
+	} else {
+		createProcessParms.WorkingDirectory = ctr.ociSpec.Process.Cwd
+	}
+
+	// Configure the environment for the process
+	createProcessParms.Environment = setupEnvironmentVariables(spec.Env)
+	if ctr.isWindows {
+		createProcessParms.CommandLine = strings.Join(spec.Args, " ")
+	} else {
+		createProcessParms.CommandArgs = spec.Args
+	}
+	createProcessParms.User = spec.User.Username
+
+	logger.Debugf("exec commandLine: %s", createProcessParms.CommandLine)
+
+	// Start the command running in the container.
+	newProcess, err := ctr.hcsContainer.CreateProcess(&createProcessParms)
+	if err != nil {
+		logger.WithError(err).Errorf("exec's CreateProcess() failed")
+		return -1, err
+	}
+	pid := newProcess.Pid()
+	defer func() {
+		if err != nil {
+			if err := newProcess.Kill(); err != nil {
+				logger.WithError(err).Error("failed to kill process")
+			}
+			go func() {
+				if err := newProcess.Wait(); err != nil {
+					logger.WithError(err).Error("failed to wait for process")
+				}
+				if err := newProcess.Close(); err != nil {
+					logger.WithError(err).Error("failed to clean process resources")
+				}
+			}()
+		}
+	}()
+
+	dio, err := newIOFromProcess(newProcess, spec.Terminal)
+	if err != nil {
+		logger.WithError(err).Error("failed to get stdio pipes")
+		return -1, err
+	}
+	// Tell the engine to attach streams back to the client
+	_, err = attachStdio(dio)
+	if err != nil {
+		return -1, err
+	}
+
+	p := &process{
+		id:         processID,
+		pid:        pid,
+		hcsProcess: newProcess,
+	}
+
+	// Add the process to the container's list of processes
+	ctr.Lock()
+	ctr.execs[processID] = p
+	ctr.Unlock()
+
+	// Spin up a go routine waiting for exit to handle cleanup
+	go c.reapProcess(ctr, p)
+
+	c.eventQ.append(ctr.id, func() {
+		ei := EventInfo{
+			ContainerID: ctr.id,
+			ProcessID:   p.id,
+			Pid:         uint32(p.pid),
+		}
+		c.logger.WithFields(logrus.Fields{
+			"container":  ctr.id,
+			"event":      EventExecAdded,
+			"event-info": ei,
+		}).Info("sending event")
+		err := c.backend.ProcessEvent(ctr.id, EventExecAdded, ei)
+		if err != nil {
+			c.logger.WithError(err).WithFields(logrus.Fields{
+				"container":  ctr.id,
+				"event":      EventExecAdded,
+				"event-info": ei,
+			}).Error("failed to process event")
+		}
+		err = c.backend.ProcessEvent(ctr.id, EventExecStarted, ei)
+		if err != nil {
+			c.logger.WithError(err).WithFields(logrus.Fields{
+				"container":  ctr.id,
+				"event":      EventExecStarted,
+				"event-info": ei,
+			}).Error("failed to process event")
+		}
+	})
+
+	return pid, nil
+}
+
+// Signal handles `docker stop` on Windows. While Linux has support for
+// the full range of signals, signals aren't really implemented on Windows.
+// We fake supporting regular stop and -9 to force kill.
+func (c *client) SignalProcess(_ context.Context, containerID, processID string, signal int) error {
+	ctr, p, err := c.getProcess(containerID, processID)
+	if err != nil {
+		return err
+	}
+
+	logger := c.logger.WithFields(logrus.Fields{
+		"container": containerID,
+		"process":   processID,
+		"pid":       p.pid,
+		"signal":    signal,
+	})
+	logger.Debug("Signal()")
+
+	if processID == InitProcessName {
+		if syscall.Signal(signal) == syscall.SIGKILL {
+			// Terminate the compute system
+			ctr.Lock()
+			ctr.terminateInvoked = true
+			if err := ctr.hcsContainer.Terminate(); err != nil {
+				if !hcsshim.IsPending(err) {
+					logger.WithError(err).Error("failed to terminate hccshim container")
+				}
+			}
+			ctr.Unlock()
+		} else {
+			// Shut down the container
+			if err := ctr.hcsContainer.Shutdown(); err != nil {
+				if !hcsshim.IsPending(err) && !hcsshim.IsAlreadyStopped(err) {
+					// ignore errors
+					logger.WithError(err).Error("failed to shutdown hccshim container")
+				}
+			}
+		}
+	} else {
+		return p.hcsProcess.Kill()
+	}
+
+	return nil
+}
+
+// Resize handles a CLI event to resize an interactive docker run or docker
+// exec window.
+func (c *client) ResizeTerminal(_ context.Context, containerID, processID string, width, height int) error {
+	_, p, err := c.getProcess(containerID, processID)
+	if err != nil {
+		return err
+	}
+
+	c.logger.WithFields(logrus.Fields{
+		"container": containerID,
+		"process":   processID,
+		"height":    height,
+		"width":     width,
+		"pid":       p.pid,
+	}).Debug("resizing")
+	return p.hcsProcess.ResizeConsole(uint16(width), uint16(height))
+}
+
+func (c *client) CloseStdin(_ context.Context, containerID, processID string) error {
+	_, p, err := c.getProcess(containerID, processID)
+	if err != nil {
+		return err
+	}
+
+	return p.hcsProcess.CloseStdin()
+}
+
+// Pause handles pause requests for containers
+func (c *client) Pause(_ context.Context, containerID string) error {
+	ctr, _, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return err
+	}
+
+	if ctr.ociSpec.Windows.HyperV == nil {
+		return errors.New("cannot pause Windows Server Containers")
+	}
+
+	ctr.Lock()
+	defer ctr.Unlock()
+
+	if err = ctr.hcsContainer.Pause(); err != nil {
+		return err
+	}
+
+	ctr.status = StatusPaused
+
+	c.eventQ.append(containerID, func() {
+		err := c.backend.ProcessEvent(containerID, EventPaused, EventInfo{
+			ContainerID: containerID,
+			ProcessID:   InitProcessName,
+		})
+		c.logger.WithFields(logrus.Fields{
+			"container": ctr.id,
+			"event":     EventPaused,
+		}).Info("sending event")
+		if err != nil {
+			c.logger.WithError(err).WithFields(logrus.Fields{
+				"container": containerID,
+				"event":     EventPaused,
+			}).Error("failed to process event")
+		}
+	})
+
+	return nil
+}
+
+// Resume handles resume requests for containers
+func (c *client) Resume(_ context.Context, containerID string) error {
+	ctr, _, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return err
+	}
+
+	if ctr.ociSpec.Windows.HyperV == nil {
+		return errors.New("cannot resume Windows Server Containers")
+	}
+
+	ctr.Lock()
+	defer ctr.Unlock()
+
+	if err = ctr.hcsContainer.Resume(); err != nil {
+		return err
+	}
+
+	ctr.status = StatusRunning
+
+	c.eventQ.append(containerID, func() {
+		err := c.backend.ProcessEvent(containerID, EventResumed, EventInfo{
+			ContainerID: containerID,
+			ProcessID:   InitProcessName,
+		})
+		c.logger.WithFields(logrus.Fields{
+			"container": ctr.id,
+			"event":     EventResumed,
+		}).Info("sending event")
+		if err != nil {
+			c.logger.WithError(err).WithFields(logrus.Fields{
+				"container": containerID,
+				"event":     EventResumed,
+			}).Error("failed to process event")
+		}
+	})
+
+	return nil
+}
+
+// Stats handles stats requests for containers
+func (c *client) Stats(_ context.Context, containerID string) (*Stats, error) {
+	ctr, _, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return nil, err
+	}
+
+	readAt := time.Now()
+	s, err := ctr.hcsContainer.Statistics()
+	if err != nil {
+		return nil, err
+	}
+	return &Stats{
+		Read:     readAt,
+		HCSStats: &s,
+	}, nil
+}
+
+// Restore is the handler for restoring a container
+func (c *client) Restore(ctx context.Context, id string, attachStdio StdioCallback) (bool, int, error) {
+	c.logger.WithField("container", id).Debug("restore()")
+
+	// TODO Windows: On RS1, a re-attach isn't possible.
+	// However, there is a scenario in which there is an issue.
+	// Consider a background container. The daemon dies unexpectedly.
+	// HCS will still have the compute service alive and running.
+	// For consistence, we call in to shoot it regardless if HCS knows about it
+	// We explicitly just log a warning if the terminate fails.
+	// Then we tell the backend the container exited.
+	if hc, err := hcsshim.OpenContainer(id); err == nil {
+		const terminateTimeout = time.Minute * 2
+		err := hc.Terminate()
+
+		if hcsshim.IsPending(err) {
+			err = hc.WaitTimeout(terminateTimeout)
+		} else if hcsshim.IsAlreadyStopped(err) {
+			err = nil
+		}
+
+		if err != nil {
+			c.logger.WithField("container", id).WithError(err).Debug("terminate failed on restore")
+			return false, -1, err
+		}
+	}
+	return false, -1, nil
+}
+
+// GetPidsForContainer returns a list of process IDs running in a container.
+// Not used on Windows.
+func (c *client) ListPids(_ context.Context, _ string) ([]uint32, error) {
+	return nil, errors.New("not implemented on Windows")
+}
+
+// Summary returns a summary of the processes running in a container.
+// This is present in Windows to support docker top. In linux, the
+// engine shells out to ps to get process information. On Windows, as
+// the containers could be Hyper-V containers, they would not be
+// visible on the container host. However, libcontainerd does have
+// that information.
+func (c *client) Summary(_ context.Context, containerID string) ([]Summary, error) {
+	ctr, _, err := c.getProcess(containerID, InitProcessName)
+	if err != nil {
+		return nil, err
+	}
+
+	p, err := ctr.hcsContainer.ProcessList()
+	if err != nil {
+		return nil, err
+	}
+
+	pl := make([]Summary, len(p))
+	for i := range p {
+		pl[i] = Summary(p[i])
+	}
+	return pl, nil
+}
+
+func (c *client) DeleteTask(ctx context.Context, containerID string) (uint32, time.Time, error) {
+	ec := -1
+	ctr := c.getContainer(containerID)
+	if ctr == nil {
+		return uint32(ec), time.Now(), errors.WithStack(newNotFoundError("no such container"))
+	}
+
+	select {
+	case <-ctx.Done():
+		return uint32(ec), time.Now(), errors.WithStack(ctx.Err())
+	case <-ctr.waitCh:
+	default:
+		return uint32(ec), time.Now(), errors.New("container is not stopped")
+	}
+
+	ctr.Lock()
+	defer ctr.Unlock()
+	return ctr.exitCode, ctr.exitedAt, nil
+}
+
+func (c *client) Delete(_ context.Context, containerID string) error {
+	c.Lock()
+	defer c.Unlock()
+	ctr := c.containers[containerID]
+	if ctr == nil {
+		return errors.WithStack(newNotFoundError("no such container"))
+	}
+
+	ctr.Lock()
+	defer ctr.Unlock()
+
+	switch ctr.status {
+	case StatusCreated:
+		if err := c.shutdownContainer(ctr); err != nil {
+			return err
+		}
+		fallthrough
+	case StatusStopped:
+		delete(c.containers, containerID)
+		return nil
+	}
+
+	return errors.WithStack(newInvalidParameterError("container is not stopped"))
+}
+
+func (c *client) Status(ctx context.Context, containerID string) (Status, error) {
+	c.Lock()
+	defer c.Unlock()
+	ctr := c.containers[containerID]
+	if ctr == nil {
+		return StatusUnknown, errors.WithStack(newNotFoundError("no such container"))
+	}
+
+	ctr.Lock()
+	defer ctr.Unlock()
+	return ctr.status, nil
+}
+
+func (c *client) UpdateResources(ctx context.Context, containerID string, resources *Resources) error {
+	// Updating resource isn't supported on Windows
+	// but we should return nil for enabling updating container
+	return nil
+}
+
+func (c *client) CreateCheckpoint(ctx context.Context, containerID, checkpointDir string, exit bool) error {
+	return errors.New("Windows: Containers do not support checkpoints")
+}
+
+func (c *client) getContainer(id string) *container {
+	c.Lock()
+	ctr := c.containers[id]
+	c.Unlock()
+
+	return ctr
+}
+
+func (c *client) getProcess(containerID, processID string) (*container, *process, error) {
+	ctr := c.getContainer(containerID)
+	switch {
+	case ctr == nil:
+		return nil, nil, errors.WithStack(newNotFoundError("no such container"))
+	case ctr.init == nil:
+		return nil, nil, errors.WithStack(newNotFoundError("container is not running"))
+	case processID == InitProcessName:
+		return ctr, ctr.init, nil
+	default:
+		ctr.Lock()
+		defer ctr.Unlock()
+		if ctr.execs == nil {
+			return nil, nil, errors.WithStack(newNotFoundError("no execs"))
+		}
+	}
+
+	p := ctr.execs[processID]
+	if p == nil {
+		return nil, nil, errors.WithStack(newNotFoundError("no such exec"))
+	}
+
+	return ctr, p, nil
+}
+
+// ctr mutex must be held when calling this function.
+func (c *client) shutdownContainer(ctr *container) error {
+	var err error
+	const waitTimeout = time.Minute * 5
+
+	if !ctr.terminateInvoked {
+		err = ctr.hcsContainer.Shutdown()
+	}
+
+	if hcsshim.IsPending(err) || ctr.terminateInvoked {
+		err = ctr.hcsContainer.WaitTimeout(waitTimeout)
+	} else if hcsshim.IsAlreadyStopped(err) {
+		err = nil
+	}
+
+	if err != nil {
+		c.logger.WithError(err).WithField("container", ctr.id).
+			Debug("failed to shutdown container, terminating it")
+		terminateErr := c.terminateContainer(ctr)
+		if terminateErr != nil {
+			c.logger.WithError(terminateErr).WithField("container", ctr.id).
+				Error("failed to shutdown container, and subsequent terminate also failed")
+			return fmt.Errorf("%s: subsequent terminate failed %s", err, terminateErr)
+		}
+		return err
+	}
+
+	return nil
+}
+
+// ctr mutex must be held when calling this function.
+func (c *client) terminateContainer(ctr *container) error {
+	const terminateTimeout = time.Minute * 5
+	ctr.terminateInvoked = true
+	err := ctr.hcsContainer.Terminate()
+
+	if hcsshim.IsPending(err) {
+		err = ctr.hcsContainer.WaitTimeout(terminateTimeout)
+	} else if hcsshim.IsAlreadyStopped(err) {
+		err = nil
+	}
+
+	if err != nil {
+		c.logger.WithError(err).WithField("container", ctr.id).
+			Debug("failed to terminate container")
+		return err
+	}
+
+	return nil
+}
+
+func (c *client) reapProcess(ctr *container, p *process) int {
+	logger := c.logger.WithFields(logrus.Fields{
+		"container": ctr.id,
+		"process":   p.id,
+	})
+
+	var eventErr error
+
+	// Block indefinitely for the process to exit.
+	if err := p.hcsProcess.Wait(); err != nil {
+		if herr, ok := err.(*hcsshim.ProcessError); ok && herr.Err != windows.ERROR_BROKEN_PIPE {
+			logger.WithError(err).Warnf("Wait() failed (container may have been killed)")
+		}
+		// Fall through here, do not return. This ensures we attempt to
+		// continue the shutdown in HCS and tell the docker engine that the
+		// process/container has exited to avoid a container being dropped on
+		// the floor.
+	}
+	exitedAt := time.Now()
+
+	exitCode, err := p.hcsProcess.ExitCode()
+	if err != nil {
+		if herr, ok := err.(*hcsshim.ProcessError); ok && herr.Err != windows.ERROR_BROKEN_PIPE {
+			logger.WithError(err).Warnf("unable to get exit code for process")
+		}
+		// Since we got an error retrieving the exit code, make sure that the
+		// code we return doesn't incorrectly indicate success.
+		exitCode = -1
+
+		// Fall through here, do not return. This ensures we attempt to
+		// continue the shutdown in HCS and tell the docker engine that the
+		// process/container has exited to avoid a container being dropped on
+		// the floor.
+	}
+
+	if err := p.hcsProcess.Close(); err != nil {
+		logger.WithError(err).Warnf("failed to cleanup hcs process resources")
+		exitCode = -1
+		eventErr = fmt.Errorf("hcsProcess.Close() failed %s", err)
+	}
+
+	if p.id == InitProcessName {
+		// Update container status
+		ctr.Lock()
+		ctr.status = StatusStopped
+		ctr.exitedAt = exitedAt
+		ctr.exitCode = uint32(exitCode)
+		close(ctr.waitCh)
+
+		if err := c.shutdownContainer(ctr); err != nil {
+			exitCode = -1
+			logger.WithError(err).Warn("failed to shutdown container")
+			thisErr := fmt.Errorf("failed to shutdown container: %s", err)
+			if eventErr != nil {
+				eventErr = fmt.Errorf("%s: %s", eventErr, thisErr)
+			} else {
+				eventErr = thisErr
+			}
+		} else {
+			logger.Debug("completed container shutdown")
+		}
+		ctr.Unlock()
+
+		if err := ctr.hcsContainer.Close(); err != nil {
+			exitCode = -1
+			logger.WithError(err).Error("failed to clean hcs container resources")
+			thisErr := fmt.Errorf("failed to terminate container: %s", err)
+			if eventErr != nil {
+				eventErr = fmt.Errorf("%s: %s", eventErr, thisErr)
+			} else {
+				eventErr = thisErr
+			}
+		}
+	}
+
+	c.eventQ.append(ctr.id, func() {
+		ei := EventInfo{
+			ContainerID: ctr.id,
+			ProcessID:   p.id,
+			Pid:         uint32(p.pid),
+			ExitCode:    uint32(exitCode),
+			ExitedAt:    exitedAt,
+			Error:       eventErr,
+		}
+		c.logger.WithFields(logrus.Fields{
+			"container":  ctr.id,
+			"event":      EventExit,
+			"event-info": ei,
+		}).Info("sending event")
+		err := c.backend.ProcessEvent(ctr.id, EventExit, ei)
+		if err != nil {
+			c.logger.WithError(err).WithFields(logrus.Fields{
+				"container":  ctr.id,
+				"event":      EventExit,
+				"event-info": ei,
+			}).Error("failed to process event")
+		}
+		if p.id != InitProcessName {
+			ctr.Lock()
+			delete(ctr.execs, p.id)
+			ctr.Unlock()
+		}
+	})
+
+	return exitCode
+}
diff --git a/engine/libcontainerd/errors.go b/engine/libcontainerd/errors.go
new file mode 100644
index 00000000..bdc26715
--- /dev/null
+++ b/engine/libcontainerd/errors.go
@@ -0,0 +1,13 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"errors"
+
+	"github.com/docker/docker/errdefs"
+)
+
+func newNotFoundError(err string) error { return errdefs.NotFound(errors.New(err)) }
+
+func newInvalidParameterError(err string) error { return errdefs.InvalidParameter(errors.New(err)) }
+
+func newConflictError(err string) error { return errdefs.Conflict(errors.New(err)) }
diff --git a/engine/libcontainerd/process_windows.go b/engine/libcontainerd/process_windows.go
new file mode 100644
index 00000000..8cdf1dac
--- /dev/null
+++ b/engine/libcontainerd/process_windows.go
@@ -0,0 +1,44 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"io"
+	"sync"
+
+	"github.com/Microsoft/hcsshim"
+	"github.com/docker/docker/pkg/ioutils"
+)
+
+type autoClosingReader struct {
+	io.ReadCloser
+	sync.Once
+}
+
+func (r *autoClosingReader) Read(b []byte) (n int, err error) {
+	n, err = r.ReadCloser.Read(b)
+	if err != nil {
+		r.Once.Do(func() { r.ReadCloser.Close() })
+	}
+	return
+}
+
+func createStdInCloser(pipe io.WriteCloser, process hcsshim.Process) io.WriteCloser {
+	return ioutils.NewWriteCloserWrapper(pipe, func() error {
+		if err := pipe.Close(); err != nil {
+			return err
+		}
+
+		err := process.CloseStdin()
+		if err != nil && !hcsshim.IsNotExist(err) && !hcsshim.IsAlreadyClosed(err) {
+			// This error will occur if the compute system is currently shutting down
+			if perr, ok := err.(*hcsshim.ProcessError); ok && perr.Err != hcsshim.ErrVmcomputeOperationInvalidState {
+				return err
+			}
+		}
+
+		return nil
+	})
+}
+
+func (p *process) Cleanup() error {
+	return nil
+}
diff --git a/engine/libcontainerd/queue.go b/engine/libcontainerd/queue.go
new file mode 100644
index 00000000..207722c4
--- /dev/null
+++ b/engine/libcontainerd/queue.go
@@ -0,0 +1,35 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import "sync"
+
+type queue struct {
+	sync.Mutex
+	fns map[string]chan struct{}
+}
+
+func (q *queue) append(id string, f func()) {
+	q.Lock()
+	defer q.Unlock()
+
+	if q.fns == nil {
+		q.fns = make(map[string]chan struct{})
+	}
+
+	done := make(chan struct{})
+
+	fn, ok := q.fns[id]
+	q.fns[id] = done
+	go func() {
+		if ok {
+			<-fn
+		}
+		f()
+		close(done)
+
+		q.Lock()
+		if q.fns[id] == done {
+			delete(q.fns, id)
+		}
+		q.Unlock()
+	}()
+}
diff --git a/engine/libcontainerd/queue_test.go b/engine/libcontainerd/queue_test.go
new file mode 100644
index 00000000..e13afca8
--- /dev/null
+++ b/engine/libcontainerd/queue_test.go
@@ -0,0 +1,31 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"testing"
+	"time"
+
+	"gotest.tools/assert"
+)
+
+func TestSerialization(t *testing.T) {
+	var (
+		q             queue
+		serialization = 1
+	)
+
+	q.append("aaa", func() {
+		//simulate a long time task
+		time.Sleep(10 * time.Millisecond)
+		assert.Equal(t, serialization, 1)
+		serialization = 2
+	})
+	q.append("aaa", func() {
+		assert.Equal(t, serialization, 2)
+		serialization = 3
+	})
+	q.append("aaa", func() {
+		assert.Equal(t, serialization, 3)
+		serialization = 4
+	})
+	time.Sleep(20 * time.Millisecond)
+}
diff --git a/engine/libcontainerd/remote_daemon.go b/engine/libcontainerd/remote_daemon.go
new file mode 100644
index 00000000..cd2ac1ce
--- /dev/null
+++ b/engine/libcontainerd/remote_daemon.go
@@ -0,0 +1,344 @@
+// +build !windows
+
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/BurntSushi/toml"
+	"github.com/containerd/containerd"
+	"github.com/containerd/containerd/services/server"
+	"github.com/docker/docker/pkg/system"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	maxConnectionRetryCount = 3
+	healthCheckTimeout      = 3 * time.Second
+	shutdownTimeout         = 15 * time.Second
+	configFile              = "containerd.toml"
+	binaryName              = "docker-containerd"
+	pidFile                 = "docker-containerd.pid"
+)
+
+type pluginConfigs struct {
+	Plugins map[string]interface{} `toml:"plugins"`
+}
+
+type remote struct {
+	sync.RWMutex
+	server.Config
+
+	daemonPid int
+	logger    *logrus.Entry
+
+	daemonWaitCh    chan struct{}
+	clients         []*client
+	shutdownContext context.Context
+	shutdownCancel  context.CancelFunc
+	shutdown        bool
+
+	// Options
+	startDaemon bool
+	rootDir     string
+	stateDir    string
+	snapshotter string
+	pluginConfs pluginConfigs
+}
+
+// New creates a fresh instance of libcontainerd remote.
+func New(rootDir, stateDir string, options ...RemoteOption) (rem Remote, err error) {
+	defer func() {
+		if err != nil {
+			err = errors.Wrap(err, "Failed to connect to containerd")
+		}
+	}()
+
+	r := &remote{
+		rootDir:  rootDir,
+		stateDir: stateDir,
+		Config: server.Config{
+			Root:  filepath.Join(rootDir, "daemon"),
+			State: filepath.Join(stateDir, "daemon"),
+		},
+		pluginConfs: pluginConfigs{make(map[string]interface{})},
+		daemonPid:   -1,
+		logger:      logrus.WithField("module", "libcontainerd"),
+	}
+	r.shutdownContext, r.shutdownCancel = context.WithCancel(context.Background())
+
+	rem = r
+	for _, option := range options {
+		if err = option.Apply(r); err != nil {
+			return
+		}
+	}
+	r.setDefaults()
+
+	if err = system.MkdirAll(stateDir, 0700, ""); err != nil {
+		return
+	}
+
+	if r.startDaemon {
+		os.Remove(r.GRPC.Address)
+		if err = r.startContainerd(); err != nil {
+			return
+		}
+		defer func() {
+			if err != nil {
+				r.Cleanup()
+			}
+		}()
+	}
+
+	// This connection is just used to monitor the connection
+	client, err := containerd.New(r.GRPC.Address)
+	if err != nil {
+		return
+	}
+	if _, err := client.Version(context.Background()); err != nil {
+		system.KillProcess(r.daemonPid)
+		return nil, errors.Wrapf(err, "unable to get containerd version")
+	}
+
+	go r.monitorConnection(client)
+
+	return r, nil
+}
+
+func (r *remote) NewClient(ns string, b Backend) (Client, error) {
+	c := &client{
+		stateDir:   r.stateDir,
+		logger:     r.logger.WithField("namespace", ns),
+		namespace:  ns,
+		backend:    b,
+		containers: make(map[string]*container),
+	}
+
+	rclient, err := containerd.New(r.GRPC.Address, containerd.WithDefaultNamespace(ns))
+	if err != nil {
+		return nil, err
+	}
+	c.remote = rclient
+
+	go c.processEventStream(r.shutdownContext)
+
+	r.Lock()
+	r.clients = append(r.clients, c)
+	r.Unlock()
+	return c, nil
+}
+
+func (r *remote) Cleanup() {
+	if r.daemonPid != -1 {
+		r.shutdownCancel()
+		r.stopDaemon()
+	}
+
+	// cleanup some files
+	os.Remove(filepath.Join(r.stateDir, pidFile))
+
+	r.platformCleanup()
+}
+
+func (r *remote) getContainerdPid() (int, error) {
+	pidFile := filepath.Join(r.stateDir, pidFile)
+	f, err := os.OpenFile(pidFile, os.O_RDWR, 0600)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return -1, nil
+		}
+		return -1, err
+	}
+	defer f.Close()
+
+	b := make([]byte, 8)
+	n, err := f.Read(b)
+	if err != nil && err != io.EOF {
+		return -1, err
+	}
+
+	if n > 0 {
+		pid, err := strconv.ParseUint(string(b[:n]), 10, 64)
+		if err != nil {
+			return -1, err
+		}
+		if system.IsProcessAlive(int(pid)) {
+			return int(pid), nil
+		}
+	}
+
+	return -1, nil
+}
+
+func (r *remote) getContainerdConfig() (string, error) {
+	path := filepath.Join(r.stateDir, configFile)
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to open containerd config file at %s", path)
+	}
+	defer f.Close()
+
+	enc := toml.NewEncoder(f)
+	if err = enc.Encode(r.Config); err != nil {
+		return "", errors.Wrapf(err, "failed to encode general config")
+	}
+	if err = enc.Encode(r.pluginConfs); err != nil {
+		return "", errors.Wrapf(err, "failed to encode plugin configs")
+	}
+
+	return path, nil
+}
+
+func (r *remote) startContainerd() error {
+	pid, err := r.getContainerdPid()
+	if err != nil {
+		return err
+	}
+
+	if pid != -1 {
+		r.daemonPid = pid
+		logrus.WithField("pid", pid).
+			Infof("libcontainerd: %s is still running", binaryName)
+		return nil
+	}
+
+	configFile, err := r.getContainerdConfig()
+	if err != nil {
+		return err
+	}
+
+	args := []string{"--config", configFile}
+	cmd := exec.Command(binaryName, args...)
+	// redirect containerd logs to docker logs
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.SysProcAttr = containerdSysProcAttr()
+	// clear the NOTIFY_SOCKET from the env when starting containerd
+	cmd.Env = nil
+	for _, e := range os.Environ() {
+		if !strings.HasPrefix(e, "NOTIFY_SOCKET") {
+			cmd.Env = append(cmd.Env, e)
+		}
+	}
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+
+	r.daemonWaitCh = make(chan struct{})
+	go func() {
+		// Reap our child when needed
+		if err := cmd.Wait(); err != nil {
+			r.logger.WithError(err).Errorf("containerd did not exit successfully")
+		}
+		close(r.daemonWaitCh)
+	}()
+
+	r.daemonPid = cmd.Process.Pid
+
+	err = ioutil.WriteFile(filepath.Join(r.stateDir, pidFile), []byte(fmt.Sprintf("%d", r.daemonPid)), 0660)
+	if err != nil {
+		system.KillProcess(r.daemonPid)
+		return errors.Wrap(err, "libcontainerd: failed to save daemon pid to disk")
+	}
+
+	logrus.WithField("pid", r.daemonPid).
+		Infof("libcontainerd: started new %s process", binaryName)
+
+	return nil
+}
+
+func (r *remote) monitorConnection(monitor *containerd.Client) {
+	var transientFailureCount = 0
+
+	for {
+		select {
+		case <-r.shutdownContext.Done():
+			r.logger.Info("stopping healthcheck following graceful shutdown")
+			monitor.Close()
+			return
+		case <-time.After(500 * time.Millisecond):
+		}
+
+		ctx, cancel := context.WithTimeout(r.shutdownContext, healthCheckTimeout)
+		_, err := monitor.IsServing(ctx)
+		cancel()
+		if err == nil {
+			transientFailureCount = 0
+			continue
+		}
+
+		select {
+		case <-r.shutdownContext.Done():
+			r.logger.Info("stopping healthcheck following graceful shutdown")
+			monitor.Close()
+			return
+		default:
+		}
+
+		r.logger.WithError(err).WithField("binary", binaryName).Debug("daemon is not responding")
+
+		if r.daemonPid == -1 {
+			continue
+		}
+
+		transientFailureCount++
+		if transientFailureCount < maxConnectionRetryCount || system.IsProcessAlive(r.daemonPid) {
+			continue
+		}
+
+		transientFailureCount = 0
+		if system.IsProcessAlive(r.daemonPid) {
+			r.logger.WithField("pid", r.daemonPid).Info("killing and restarting containerd")
+			// Try to get a stack trace
+			syscall.Kill(r.daemonPid, syscall.SIGUSR1)
+			<-time.After(100 * time.Millisecond)
+			system.KillProcess(r.daemonPid)
+		}
+		if r.daemonWaitCh != nil {
+			<-r.daemonWaitCh
+		}
+
+		os.Remove(r.GRPC.Address)
+		if err := r.startContainerd(); err != nil {
+			r.logger.WithError(err).Error("failed restarting containerd")
+			continue
+		}
+
+		if err := monitor.Reconnect(); err != nil {
+			r.logger.WithError(err).Error("failed connect to containerd")
+			continue
+		}
+
+		var wg sync.WaitGroup
+
+		for _, c := range r.clients {
+			wg.Add(1)
+
+			go func(c *client) {
+				defer wg.Done()
+				c.logger.WithField("namespace", c.namespace).Debug("creating new containerd remote client")
+				if err := c.reconnect(); err != nil {
+					r.logger.WithError(err).Error("failed to connect to containerd")
+					// TODO: Better way to handle this?
+					// This *shouldn't* happen, but this could wind up where the daemon
+					// is not able to communicate with an eventually up containerd
+				}
+			}(c)
+
+			wg.Wait()
+		}
+	}
+}
diff --git a/engine/libcontainerd/remote_daemon_linux.go b/engine/libcontainerd/remote_daemon_linux.go
new file mode 100644
index 00000000..34b04e29
--- /dev/null
+++ b/engine/libcontainerd/remote_daemon_linux.go
@@ -0,0 +1,65 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"os"
+	"path/filepath"
+	"syscall"
+	"time"
+
+	"github.com/containerd/containerd/defaults"
+	"github.com/docker/docker/pkg/system"
+)
+
+const (
+	sockFile      = "docker-containerd.sock"
+	debugSockFile = "docker-containerd-debug.sock"
+)
+
+func (r *remote) setDefaults() {
+	if r.GRPC.Address == "" {
+		r.GRPC.Address = filepath.Join(r.stateDir, sockFile)
+	}
+	if r.GRPC.MaxRecvMsgSize == 0 {
+		r.GRPC.MaxRecvMsgSize = defaults.DefaultMaxRecvMsgSize
+	}
+	if r.GRPC.MaxSendMsgSize == 0 {
+		r.GRPC.MaxSendMsgSize = defaults.DefaultMaxSendMsgSize
+	}
+	if r.Debug.Address == "" {
+		r.Debug.Address = filepath.Join(r.stateDir, debugSockFile)
+	}
+	if r.Debug.Level == "" {
+		r.Debug.Level = "info"
+	}
+	if r.OOMScore == 0 {
+		r.OOMScore = -999
+	}
+	if r.snapshotter == "" {
+		r.snapshotter = "overlay"
+	}
+	// Disable CRI plugin by default if containerd is managed as child-process
+	// of dockerd. See https://github.com/moby/moby/issues/37507
+	r.DisabledPlugins = append(r.DisabledPlugins, "cri")
+	delete(r.pluginConfs.Plugins, "cri")
+}
+
+func (r *remote) stopDaemon() {
+	// Ask the daemon to quit
+	syscall.Kill(r.daemonPid, syscall.SIGTERM)
+	// Wait up to 15secs for it to stop
+	for i := time.Duration(0); i < shutdownTimeout; i += time.Second {
+		if !system.IsProcessAlive(r.daemonPid) {
+			break
+		}
+		time.Sleep(time.Second)
+	}
+
+	if system.IsProcessAlive(r.daemonPid) {
+		r.logger.WithField("pid", r.daemonPid).Warn("daemon didn't stop within 15 secs, killing it")
+		syscall.Kill(r.daemonPid, syscall.SIGKILL)
+	}
+}
+
+func (r *remote) platformCleanup() {
+	os.Remove(filepath.Join(r.stateDir, sockFile))
+}
diff --git a/engine/libcontainerd/remote_daemon_options.go b/engine/libcontainerd/remote_daemon_options.go
new file mode 100644
index 00000000..d40e4c0c
--- /dev/null
+++ b/engine/libcontainerd/remote_daemon_options.go
@@ -0,0 +1,141 @@
+// +build !windows
+
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import "fmt"
+
+// WithRemoteAddr sets the external containerd socket to connect to.
+func WithRemoteAddr(addr string) RemoteOption {
+	return rpcAddr(addr)
+}
+
+type rpcAddr string
+
+func (a rpcAddr) Apply(r Remote) error {
+	if remote, ok := r.(*remote); ok {
+		remote.GRPC.Address = string(a)
+		return nil
+	}
+	return fmt.Errorf("WithRemoteAddr option not supported for this remote")
+}
+
+// WithRemoteAddrUser sets the uid and gid to create the RPC address with
+func WithRemoteAddrUser(uid, gid int) RemoteOption {
+	return rpcUser{uid, gid}
+}
+
+type rpcUser struct {
+	uid int
+	gid int
+}
+
+func (u rpcUser) Apply(r Remote) error {
+	if remote, ok := r.(*remote); ok {
+		remote.GRPC.UID = u.uid
+		remote.GRPC.GID = u.gid
+		return nil
+	}
+	return fmt.Errorf("WithRemoteAddr option not supported for this remote")
+}
+
+// WithStartDaemon defines if libcontainerd should also run containerd daemon.
+func WithStartDaemon(start bool) RemoteOption {
+	return startDaemon(start)
+}
+
+type startDaemon bool
+
+func (s startDaemon) Apply(r Remote) error {
+	if remote, ok := r.(*remote); ok {
+		remote.startDaemon = bool(s)
+		return nil
+	}
+	return fmt.Errorf("WithStartDaemon option not supported for this remote")
+}
+
+// WithLogLevel defines which log level to starts containerd with.
+// This only makes sense if WithStartDaemon() was set to true.
+func WithLogLevel(lvl string) RemoteOption {
+	return logLevel(lvl)
+}
+
+type logLevel string
+
+func (l logLevel) Apply(r Remote) error {
+	if remote, ok := r.(*remote); ok {
+		remote.Debug.Level = string(l)
+		return nil
+	}
+	return fmt.Errorf("WithDebugLog option not supported for this remote")
+}
+
+// WithDebugAddress defines at which location the debug GRPC connection
+// should be made
+func WithDebugAddress(addr string) RemoteOption {
+	return debugAddress(addr)
+}
+
+type debugAddress string
+
+func (d debugAddress) Apply(r Remote) error {
+	if remote, ok := r.(*remote); ok {
+		remote.Debug.Address = string(d)
+		return nil
+	}
+	return fmt.Errorf("WithDebugAddress option not supported for this remote")
+}
+
+// WithMetricsAddress defines at which location the debug GRPC connection
+// should be made
+func WithMetricsAddress(addr string) RemoteOption {
+	return metricsAddress(addr)
+}
+
+type metricsAddress string
+
+func (m metricsAddress) Apply(r Remote) error {
+	if remote, ok := r.(*remote); ok {
+		remote.Metrics.Address = string(m)
+		return nil
+	}
+	return fmt.Errorf("WithMetricsAddress option not supported for this remote")
+}
+
+// WithSnapshotter defines snapshotter driver should be used
+func WithSnapshotter(name string) RemoteOption {
+	return snapshotter(name)
+}
+
+type snapshotter string
+
+func (s snapshotter) Apply(r Remote) error {
+	if remote, ok := r.(*remote); ok {
+		remote.snapshotter = string(s)
+		return nil
+	}
+	return fmt.Errorf("WithSnapshotter option not supported for this remote")
+}
+
+// WithPlugin allow configuring a containerd plugin
+// configuration values passed needs to be quoted if quotes are needed in
+// the toml format.
+func WithPlugin(name string, conf interface{}) RemoteOption {
+	return pluginConf{
+		name: name,
+		conf: conf,
+	}
+}
+
+type pluginConf struct {
+	// Name is the name of the plugin
+	name string
+	conf interface{}
+}
+
+func (p pluginConf) Apply(r Remote) error {
+	if remote, ok := r.(*remote); ok {
+		remote.pluginConfs.Plugins[p.name] = p.conf
+		return nil
+	}
+	return fmt.Errorf("WithPlugin option not supported for this remote")
+}
diff --git a/engine/libcontainerd/remote_daemon_options_linux.go b/engine/libcontainerd/remote_daemon_options_linux.go
new file mode 100644
index 00000000..a820fb38
--- /dev/null
+++ b/engine/libcontainerd/remote_daemon_options_linux.go
@@ -0,0 +1,18 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import "fmt"
+
+// WithOOMScore defines the oom_score_adj to set for the containerd process.
+func WithOOMScore(score int) RemoteOption {
+	return oomScore(score)
+}
+
+type oomScore int
+
+func (o oomScore) Apply(r Remote) error {
+	if remote, ok := r.(*remote); ok {
+		remote.OOMScore = int(o)
+		return nil
+	}
+	return fmt.Errorf("WithOOMScore option not supported for this remote")
+}
diff --git a/engine/libcontainerd/remote_daemon_windows.go b/engine/libcontainerd/remote_daemon_windows.go
new file mode 100644
index 00000000..89342d73
--- /dev/null
+++ b/engine/libcontainerd/remote_daemon_windows.go
@@ -0,0 +1,50 @@
+// +build remote_daemon
+
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"os"
+)
+
+const (
+	grpcPipeName  = `\\.\pipe\docker-containerd-containerd`
+	debugPipeName = `\\.\pipe\docker-containerd-debug`
+)
+
+func (r *remote) setDefaults() {
+	if r.GRPC.Address == "" {
+		r.GRPC.Address = grpcPipeName
+	}
+	if r.Debug.Address == "" {
+		r.Debug.Address = debugPipeName
+	}
+	if r.Debug.Level == "" {
+		r.Debug.Level = "info"
+	}
+	if r.snapshotter == "" {
+		r.snapshotter = "naive" // TODO(mlaventure): switch to "windows" once implemented
+	}
+}
+
+func (r *remote) stopDaemon() {
+	p, err := os.FindProcess(r.daemonPid)
+	if err != nil {
+		r.logger.WithField("pid", r.daemonPid).Warn("could not find daemon process")
+		return
+	}
+
+	if err = p.Kill(); err != nil {
+		r.logger.WithError(err).WithField("pid", r.daemonPid).Warn("could not kill daemon process")
+		return
+	}
+
+	_, err = p.Wait()
+	if err != nil {
+		r.logger.WithError(err).WithField("pid", r.daemonPid).Warn("wait for daemon process")
+		return
+	}
+}
+
+func (r *remote) platformCleanup() {
+	// Nothing to do
+}
diff --git a/engine/libcontainerd/remote_local.go b/engine/libcontainerd/remote_local.go
new file mode 100644
index 00000000..8ea5198b
--- /dev/null
+++ b/engine/libcontainerd/remote_local.go
@@ -0,0 +1,59 @@
+// +build windows
+
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"sync"
+
+	"github.com/sirupsen/logrus"
+)
+
+type remote struct {
+	sync.RWMutex
+
+	logger  *logrus.Entry
+	clients []*client
+
+	// Options
+	rootDir  string
+	stateDir string
+}
+
+// New creates a fresh instance of libcontainerd remote.
+func New(rootDir, stateDir string, options ...RemoteOption) (Remote, error) {
+	return &remote{
+		logger:   logrus.WithField("module", "libcontainerd"),
+		rootDir:  rootDir,
+		stateDir: stateDir,
+	}, nil
+}
+
+type client struct {
+	sync.Mutex
+
+	rootDir    string
+	stateDir   string
+	backend    Backend
+	logger     *logrus.Entry
+	eventQ     queue
+	containers map[string]*container
+}
+
+func (r *remote) NewClient(ns string, b Backend) (Client, error) {
+	c := &client{
+		rootDir:    r.rootDir,
+		stateDir:   r.stateDir,
+		backend:    b,
+		logger:     r.logger.WithField("namespace", ns),
+		containers: make(map[string]*container),
+	}
+	r.Lock()
+	r.clients = append(r.clients, c)
+	r.Unlock()
+
+	return c, nil
+}
+
+func (r *remote) Cleanup() {
+	// Nothing to do
+}
diff --git a/engine/libcontainerd/types.go b/engine/libcontainerd/types.go
new file mode 100644
index 00000000..96ffbe26
--- /dev/null
+++ b/engine/libcontainerd/types.go
@@ -0,0 +1,108 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"context"
+	"time"
+
+	"github.com/containerd/containerd"
+	"github.com/containerd/containerd/cio"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// EventType represents a possible event from libcontainerd
+type EventType string
+
+// Event constants used when reporting events
+const (
+	EventUnknown     EventType = "unknown"
+	EventExit        EventType = "exit"
+	EventOOM         EventType = "oom"
+	EventCreate      EventType = "create"
+	EventStart       EventType = "start"
+	EventExecAdded   EventType = "exec-added"
+	EventExecStarted EventType = "exec-started"
+	EventPaused      EventType = "paused"
+	EventResumed     EventType = "resumed"
+)
+
+// Status represents the current status of a container
+type Status string
+
+// Possible container statuses
+const (
+	// Running indicates the process is currently executing
+	StatusRunning Status = "running"
+	// Created indicates the process has been created within containerd but the
+	// user's defined process has not started
+	StatusCreated Status = "created"
+	// Stopped indicates that the process has ran and exited
+	StatusStopped Status = "stopped"
+	// Paused indicates that the process is currently paused
+	StatusPaused Status = "paused"
+	// Pausing indicates that the process is currently switching from a
+	// running state into a paused state
+	StatusPausing Status = "pausing"
+	// Unknown indicates that we could not determine the status from the runtime
+	StatusUnknown Status = "unknown"
+)
+
+// Remote on Linux defines the accesspoint to the containerd grpc API.
+// Remote on Windows is largely an unimplemented interface as there is
+// no remote containerd.
+type Remote interface {
+	// Client returns a new Client instance connected with given Backend.
+	NewClient(namespace string, backend Backend) (Client, error)
+	// Cleanup stops containerd if it was started by libcontainerd.
+	// Note this is not used on Windows as there is no remote containerd.
+	Cleanup()
+}
+
+// RemoteOption allows to configure parameters of remotes.
+// This is unused on Windows.
+type RemoteOption interface {
+	Apply(Remote) error
+}
+
+// EventInfo contains the event info
+type EventInfo struct {
+	ContainerID string
+	ProcessID   string
+	Pid         uint32
+	ExitCode    uint32
+	ExitedAt    time.Time
+	OOMKilled   bool
+	Error       error
+}
+
+// Backend defines callbacks that the client of the library needs to implement.
+type Backend interface {
+	ProcessEvent(containerID string, event EventType, ei EventInfo) error
+}
+
+// Client provides access to containerd features.
+type Client interface {
+	Version(ctx context.Context) (containerd.Version, error)
+
+	Restore(ctx context.Context, containerID string, attachStdio StdioCallback) (alive bool, pid int, err error)
+
+	Create(ctx context.Context, containerID string, spec *specs.Spec, runtimeOptions interface{}) error
+	Start(ctx context.Context, containerID, checkpointDir string, withStdin bool, attachStdio StdioCallback) (pid int, err error)
+	SignalProcess(ctx context.Context, containerID, processID string, signal int) error
+	Exec(ctx context.Context, containerID, processID string, spec *specs.Process, withStdin bool, attachStdio StdioCallback) (int, error)
+	ResizeTerminal(ctx context.Context, containerID, processID string, width, height int) error
+	CloseStdin(ctx context.Context, containerID, processID string) error
+	Pause(ctx context.Context, containerID string) error
+	Resume(ctx context.Context, containerID string) error
+	Stats(ctx context.Context, containerID string) (*Stats, error)
+	ListPids(ctx context.Context, containerID string) ([]uint32, error)
+	Summary(ctx context.Context, containerID string) ([]Summary, error)
+	DeleteTask(ctx context.Context, containerID string) (uint32, time.Time, error)
+	Delete(ctx context.Context, containerID string) error
+	Status(ctx context.Context, containerID string) (Status, error)
+
+	UpdateResources(ctx context.Context, containerID string, resources *Resources) error
+	CreateCheckpoint(ctx context.Context, containerID, checkpointDir string, exit bool) error
+}
+
+// StdioCallback is called to connect a container or process stdio.
+type StdioCallback func(io *cio.DirectIO) (cio.IO, error)
diff --git a/engine/libcontainerd/types_linux.go b/engine/libcontainerd/types_linux.go
new file mode 100644
index 00000000..943382b9
--- /dev/null
+++ b/engine/libcontainerd/types_linux.go
@@ -0,0 +1,30 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"time"
+
+	"github.com/containerd/cgroups"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// Summary is not used on linux
+type Summary struct{}
+
+// Stats holds metrics properties as returned by containerd
+type Stats struct {
+	Read    time.Time
+	Metrics *cgroups.Metrics
+}
+
+func interfaceToStats(read time.Time, v interface{}) *Stats {
+	return &Stats{
+		Metrics: v.(*cgroups.Metrics),
+		Read:    read,
+	}
+}
+
+// Resources defines updatable container resource values. TODO: it must match containerd upcoming API
+type Resources specs.LinuxResources
+
+// Checkpoints contains the details of a checkpoint
+type Checkpoints struct{}
diff --git a/engine/libcontainerd/types_windows.go b/engine/libcontainerd/types_windows.go
new file mode 100644
index 00000000..9041a2e8
--- /dev/null
+++ b/engine/libcontainerd/types_windows.go
@@ -0,0 +1,42 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"time"
+
+	"github.com/Microsoft/hcsshim"
+	opengcs "github.com/Microsoft/opengcs/client"
+)
+
+// Summary contains a ProcessList item from HCS to support `top`
+type Summary hcsshim.ProcessListItem
+
+// Stats contains statistics from HCS
+type Stats struct {
+	Read     time.Time
+	HCSStats *hcsshim.Statistics
+}
+
+func interfaceToStats(read time.Time, v interface{}) *Stats {
+	return &Stats{
+		HCSStats: v.(*hcsshim.Statistics),
+		Read:     read,
+	}
+}
+
+// Resources defines updatable container resource values.
+type Resources struct{}
+
+// LCOWOption is a CreateOption required for LCOW configuration
+type LCOWOption struct {
+	Config *opengcs.Config
+}
+
+// Checkpoint holds the details of a checkpoint (not supported in windows)
+type Checkpoint struct {
+	Name string
+}
+
+// Checkpoints contains the details of a checkpoint
+type Checkpoints struct {
+	Checkpoints []*Checkpoint
+}
diff --git a/engine/libcontainerd/utils_linux.go b/engine/libcontainerd/utils_linux.go
new file mode 100644
index 00000000..ce17d196
--- /dev/null
+++ b/engine/libcontainerd/utils_linux.go
@@ -0,0 +1,12 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import "syscall"
+
+// containerdSysProcAttr returns the SysProcAttr to use when exec'ing
+// containerd
+func containerdSysProcAttr() *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
+		Setsid:    true,
+		Pdeathsig: syscall.SIGKILL,
+	}
+}
diff --git a/engine/libcontainerd/utils_windows.go b/engine/libcontainerd/utils_windows.go
new file mode 100644
index 00000000..fbf243d4
--- /dev/null
+++ b/engine/libcontainerd/utils_windows.go
@@ -0,0 +1,46 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"strings"
+
+	"syscall"
+
+	opengcs "github.com/Microsoft/opengcs/client"
+)
+
+// setupEnvironmentVariables converts a string array of environment variables
+// into a map as required by the HCS. Source array is in format [v1=k1] [v2=k2] etc.
+func setupEnvironmentVariables(a []string) map[string]string {
+	r := make(map[string]string)
+	for _, s := range a {
+		arr := strings.SplitN(s, "=", 2)
+		if len(arr) == 2 {
+			r[arr[0]] = arr[1]
+		}
+	}
+	return r
+}
+
+// Apply for the LCOW option is a no-op.
+func (s *LCOWOption) Apply(interface{}) error {
+	return nil
+}
+
+// debugGCS is a dirty hack for debugging for Linux Utility VMs. It simply
+// runs a bunch of commands inside the UVM, but seriously aides in advanced debugging.
+func (c *container) debugGCS() {
+	if c == nil || c.isWindows || c.hcsContainer == nil {
+		return
+	}
+	cfg := opengcs.Config{
+		Uvm:               c.hcsContainer,
+		UvmTimeoutSeconds: 600,
+	}
+	cfg.DebugGCS()
+}
+
+// containerdSysProcAttr returns the SysProcAttr to use when exec'ing
+// containerd
+func containerdSysProcAttr() *syscall.SysProcAttr {
+	return nil
+}
diff --git a/engine/libcontainerd/utils_windows_test.go b/engine/libcontainerd/utils_windows_test.go
new file mode 100644
index 00000000..2e0c260e
--- /dev/null
+++ b/engine/libcontainerd/utils_windows_test.go
@@ -0,0 +1,13 @@
+package libcontainerd // import "github.com/docker/docker/libcontainerd"
+
+import (
+	"testing"
+)
+
+func TestEnvironmentParsing(t *testing.T) {
+	env := []string{"foo=bar", "car=hat", "a=b=c"}
+	result := setupEnvironmentVariables(env)
+	if len(result) != 3 || result["foo"] != "bar" || result["car"] != "hat" || result["a"] != "b=c" {
+		t.Fatalf("Expected map[foo:bar car:hat a:b=c], got %v", result)
+	}
+}
diff --git a/engine/migrate/v1/migratev1.go b/engine/migrate/v1/migratev1.go
new file mode 100644
index 00000000..9cd759a3
--- /dev/null
+++ b/engine/migrate/v1/migratev1.go
@@ -0,0 +1,501 @@
+package v1 // import "github.com/docker/docker/migrate/v1"
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/image"
+	imagev1 "github.com/docker/docker/image/v1"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/ioutils"
+	refstore "github.com/docker/docker/reference"
+	"github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+type graphIDRegistrar interface {
+	RegisterByGraphID(string, layer.ChainID, layer.DiffID, string, int64) (layer.Layer, error)
+	Release(layer.Layer) ([]layer.Metadata, error)
+}
+
+type graphIDMounter interface {
+	CreateRWLayerByGraphID(string, string, layer.ChainID) error
+}
+
+type checksumCalculator interface {
+	ChecksumForGraphID(id, parent, oldTarDataPath, newTarDataPath string) (diffID layer.DiffID, size int64, err error)
+}
+
+const (
+	graphDirName                 = "graph"
+	tarDataFileName              = "tar-data.json.gz"
+	migrationFileName            = ".migration-v1-images.json"
+	migrationTagsFileName        = ".migration-v1-tags"
+	migrationDiffIDFileName      = ".migration-diffid"
+	migrationSizeFileName        = ".migration-size"
+	migrationTarDataFileName     = ".migration-tardata"
+	containersDirName            = "containers"
+	configFileNameLegacy         = "config.json"
+	configFileName               = "config.v2.json"
+	repositoriesFilePrefixLegacy = "repositories-"
+)
+
+var (
+	errUnsupported = errors.New("migration is not supported")
+)
+
+// Migrate takes an old graph directory and transforms the metadata into the
+// new format.
+func Migrate(root, driverName string, ls layer.Store, is image.Store, rs refstore.Store, ms metadata.Store) error {
+	graphDir := filepath.Join(root, graphDirName)
+	if _, err := os.Lstat(graphDir); os.IsNotExist(err) {
+		return nil
+	}
+
+	mappings, err := restoreMappings(root)
+	if err != nil {
+		return err
+	}
+
+	if cc, ok := ls.(checksumCalculator); ok {
+		CalculateLayerChecksums(root, cc, mappings)
+	}
+
+	if registrar, ok := ls.(graphIDRegistrar); !ok {
+		return errUnsupported
+	} else if err := migrateImages(root, registrar, is, ms, mappings); err != nil {
+		return err
+	}
+
+	err = saveMappings(root, mappings)
+	if err != nil {
+		return err
+	}
+
+	if mounter, ok := ls.(graphIDMounter); !ok {
+		return errUnsupported
+	} else if err := migrateContainers(root, mounter, is, mappings); err != nil {
+		return err
+	}
+
+	return migrateRefs(root, driverName, rs, mappings)
+}
+
+// CalculateLayerChecksums walks an old graph directory and calculates checksums
+// for each layer. These checksums are later used for migration.
+func CalculateLayerChecksums(root string, ls checksumCalculator, mappings map[string]image.ID) {
+	graphDir := filepath.Join(root, graphDirName)
+	// spawn some extra workers also for maximum performance because the process is bounded by both cpu and io
+	workers := runtime.NumCPU() * 3
+	workQueue := make(chan string, workers)
+
+	wg := sync.WaitGroup{}
+
+	for i := 0; i < workers; i++ {
+		wg.Add(1)
+		go func() {
+			for id := range workQueue {
+				start := time.Now()
+				if err := calculateLayerChecksum(graphDir, id, ls); err != nil {
+					logrus.Errorf("could not calculate checksum for %q, %q", id, err)
+				}
+				elapsed := time.Since(start)
+				logrus.Debugf("layer %s took %.2f seconds", id, elapsed.Seconds())
+			}
+			wg.Done()
+		}()
+	}
+
+	dir, err := ioutil.ReadDir(graphDir)
+	if err != nil {
+		logrus.Errorf("could not read directory %q", graphDir)
+		return
+	}
+	for _, v := range dir {
+		v1ID := v.Name()
+		if err := imagev1.ValidateID(v1ID); err != nil {
+			continue
+		}
+		if _, ok := mappings[v1ID]; ok { // support old migrations without helper files
+			continue
+		}
+		workQueue <- v1ID
+	}
+	close(workQueue)
+	wg.Wait()
+}
+
+func calculateLayerChecksum(graphDir, id string, ls checksumCalculator) error {
+	diffIDFile := filepath.Join(graphDir, id, migrationDiffIDFileName)
+	if _, err := os.Lstat(diffIDFile); err == nil {
+		return nil
+	} else if !os.IsNotExist(err) {
+		return err
+	}
+
+	parent, err := getParent(filepath.Join(graphDir, id))
+	if err != nil {
+		return err
+	}
+
+	diffID, size, err := ls.ChecksumForGraphID(id, parent, filepath.Join(graphDir, id, tarDataFileName), filepath.Join(graphDir, id, migrationTarDataFileName))
+	if err != nil {
+		return err
+	}
+
+	if err := ioutil.WriteFile(filepath.Join(graphDir, id, migrationSizeFileName), []byte(strconv.Itoa(int(size))), 0600); err != nil {
+		return err
+	}
+
+	if err := ioutils.AtomicWriteFile(filepath.Join(graphDir, id, migrationDiffIDFileName), []byte(diffID), 0600); err != nil {
+		return err
+	}
+
+	logrus.Infof("calculated checksum for layer %s: %s", id, diffID)
+	return nil
+}
+
+func restoreMappings(root string) (map[string]image.ID, error) {
+	mappings := make(map[string]image.ID)
+
+	mfile := filepath.Join(root, migrationFileName)
+	f, err := os.Open(mfile)
+	if err != nil && !os.IsNotExist(err) {
+		return nil, err
+	} else if err == nil {
+		err := json.NewDecoder(f).Decode(&mappings)
+		if err != nil {
+			f.Close()
+			return nil, err
+		}
+		f.Close()
+	}
+
+	return mappings, nil
+}
+
+func saveMappings(root string, mappings map[string]image.ID) error {
+	mfile := filepath.Join(root, migrationFileName)
+	f, err := os.OpenFile(mfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	return json.NewEncoder(f).Encode(mappings)
+}
+
+func migrateImages(root string, ls graphIDRegistrar, is image.Store, ms metadata.Store, mappings map[string]image.ID) error {
+	graphDir := filepath.Join(root, graphDirName)
+
+	dir, err := ioutil.ReadDir(graphDir)
+	if err != nil {
+		return err
+	}
+	for _, v := range dir {
+		v1ID := v.Name()
+		if err := imagev1.ValidateID(v1ID); err != nil {
+			continue
+		}
+		if _, exists := mappings[v1ID]; exists {
+			continue
+		}
+		if err := migrateImage(v1ID, root, ls, is, ms, mappings); err != nil {
+			continue
+		}
+	}
+
+	return nil
+}
+
+func migrateContainers(root string, ls graphIDMounter, is image.Store, imageMappings map[string]image.ID) error {
+	containersDir := filepath.Join(root, containersDirName)
+	dir, err := ioutil.ReadDir(containersDir)
+	if err != nil {
+		return err
+	}
+	for _, v := range dir {
+		id := v.Name()
+
+		if _, err := os.Stat(filepath.Join(containersDir, id, configFileName)); err == nil {
+			continue
+		}
+
+		containerJSON, err := ioutil.ReadFile(filepath.Join(containersDir, id, configFileNameLegacy))
+		if err != nil {
+			logrus.Errorf("migrate container error: %v", err)
+			continue
+		}
+
+		var c map[string]*json.RawMessage
+		if err := json.Unmarshal(containerJSON, &c); err != nil {
+			logrus.Errorf("migrate container error: %v", err)
+			continue
+		}
+
+		imageStrJSON, ok := c["Image"]
+		if !ok {
+			return fmt.Errorf("invalid container configuration for %v", id)
+		}
+
+		var image string
+		if err := json.Unmarshal([]byte(*imageStrJSON), &image); err != nil {
+			logrus.Errorf("migrate container error: %v", err)
+			continue
+		}
+
+		imageID, ok := imageMappings[image]
+		if !ok {
+			logrus.Errorf("image not migrated %v", imageID) // non-fatal error
+			continue
+		}
+
+		c["Image"] = rawJSON(imageID)
+
+		containerJSON, err = json.Marshal(c)
+		if err != nil {
+			return err
+		}
+
+		if err := ioutil.WriteFile(filepath.Join(containersDir, id, configFileName), containerJSON, 0600); err != nil {
+			return err
+		}
+
+		img, err := is.Get(imageID)
+		if err != nil {
+			return err
+		}
+
+		if err := ls.CreateRWLayerByGraphID(id, id, img.RootFS.ChainID()); err != nil {
+			logrus.Errorf("migrate container error: %v", err)
+			continue
+		}
+
+		logrus.Infof("migrated container %s to point to %s", id, imageID)
+
+	}
+	return nil
+}
+
+type refAdder interface {
+	AddTag(ref reference.Named, id digest.Digest, force bool) error
+	AddDigest(ref reference.Canonical, id digest.Digest, force bool) error
+}
+
+func migrateRefs(root, driverName string, rs refAdder, mappings map[string]image.ID) error {
+	migrationFile := filepath.Join(root, migrationTagsFileName)
+	if _, err := os.Lstat(migrationFile); !os.IsNotExist(err) {
+		return err
+	}
+
+	type repositories struct {
+		Repositories map[string]map[string]string
+	}
+
+	var repos repositories
+
+	f, err := os.Open(filepath.Join(root, repositoriesFilePrefixLegacy+driverName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+	defer f.Close()
+	if err := json.NewDecoder(f).Decode(&repos); err != nil {
+		return err
+	}
+
+	for name, repo := range repos.Repositories {
+		for tag, id := range repo {
+			if strongID, exists := mappings[id]; exists {
+				ref, err := reference.ParseNormalizedNamed(name)
+				if err != nil {
+					logrus.Errorf("migrate tags: invalid name %q, %q", name, err)
+					continue
+				}
+				if !reference.IsNameOnly(ref) {
+					logrus.Errorf("migrate tags: invalid name %q, unexpected tag or digest", name)
+					continue
+				}
+				if dgst, err := digest.Parse(tag); err == nil {
+					canonical, err := reference.WithDigest(reference.TrimNamed(ref), dgst)
+					if err != nil {
+						logrus.Errorf("migrate tags: invalid digest %q, %q", dgst, err)
+						continue
+					}
+					if err := rs.AddDigest(canonical, strongID.Digest(), false); err != nil {
+						logrus.Errorf("can't migrate digest %q for %q, err: %q", reference.FamiliarString(ref), strongID, err)
+					}
+				} else {
+					tagRef, err := reference.WithTag(ref, tag)
+					if err != nil {
+						logrus.Errorf("migrate tags: invalid tag %q, %q", tag, err)
+						continue
+					}
+					if err := rs.AddTag(tagRef, strongID.Digest(), false); err != nil {
+						logrus.Errorf("can't migrate tag %q for %q, err: %q", reference.FamiliarString(ref), strongID, err)
+					}
+				}
+				logrus.Infof("migrated tag %s:%s to point to %s", name, tag, strongID)
+			}
+		}
+	}
+
+	mf, err := os.Create(migrationFile)
+	if err != nil {
+		return err
+	}
+	mf.Close()
+
+	return nil
+}
+
+func getParent(confDir string) (string, error) {
+	jsonFile := filepath.Join(confDir, "json")
+	imageJSON, err := ioutil.ReadFile(jsonFile)
+	if err != nil {
+		return "", err
+	}
+	var parent struct {
+		Parent   string
+		ParentID digest.Digest `json:"parent_id"`
+	}
+	if err := json.Unmarshal(imageJSON, &parent); err != nil {
+		return "", err
+	}
+	if parent.Parent == "" && parent.ParentID != "" { // v1.9
+		parent.Parent = parent.ParentID.Hex()
+	}
+	// compatibilityID for parent
+	parentCompatibilityID, err := ioutil.ReadFile(filepath.Join(confDir, "parent"))
+	if err == nil && len(parentCompatibilityID) > 0 {
+		parent.Parent = string(parentCompatibilityID)
+	}
+	return parent.Parent, nil
+}
+
+func migrateImage(id, root string, ls graphIDRegistrar, is image.Store, ms metadata.Store, mappings map[string]image.ID) (err error) {
+	defer func() {
+		if err != nil {
+			logrus.Errorf("migration failed for %v, err: %v", id, err)
+		}
+	}()
+
+	parent, err := getParent(filepath.Join(root, graphDirName, id))
+	if err != nil {
+		return err
+	}
+
+	var parentID image.ID
+	if parent != "" {
+		var exists bool
+		if parentID, exists = mappings[parent]; !exists {
+			if err := migrateImage(parent, root, ls, is, ms, mappings); err != nil {
+				// todo: fail or allow broken chains?
+				return err
+			}
+			parentID = mappings[parent]
+		}
+	}
+
+	rootFS := image.NewRootFS()
+	var history []image.History
+
+	if parentID != "" {
+		parentImg, err := is.Get(parentID)
+		if err != nil {
+			return err
+		}
+
+		rootFS = parentImg.RootFS
+		history = parentImg.History
+	}
+
+	diffIDData, err := ioutil.ReadFile(filepath.Join(root, graphDirName, id, migrationDiffIDFileName))
+	if err != nil {
+		return err
+	}
+	diffID, err := digest.Parse(string(diffIDData))
+	if err != nil {
+		return err
+	}
+
+	sizeStr, err := ioutil.ReadFile(filepath.Join(root, graphDirName, id, migrationSizeFileName))
+	if err != nil {
+		return err
+	}
+	size, err := strconv.ParseInt(string(sizeStr), 10, 64)
+	if err != nil {
+		return err
+	}
+
+	layer, err := ls.RegisterByGraphID(id, rootFS.ChainID(), layer.DiffID(diffID), filepath.Join(root, graphDirName, id, migrationTarDataFileName), size)
+	if err != nil {
+		return err
+	}
+	logrus.Infof("migrated layer %s to %s", id, layer.DiffID())
+
+	jsonFile := filepath.Join(root, graphDirName, id, "json")
+	imageJSON, err := ioutil.ReadFile(jsonFile)
+	if err != nil {
+		return err
+	}
+
+	h, err := imagev1.HistoryFromConfig(imageJSON, false)
+	if err != nil {
+		return err
+	}
+	history = append(history, h)
+
+	rootFS.Append(layer.DiffID())
+
+	config, err := imagev1.MakeConfigFromV1Config(imageJSON, rootFS, history)
+	if err != nil {
+		return err
+	}
+	strongID, err := is.Create(config)
+	if err != nil {
+		return err
+	}
+	logrus.Infof("migrated image %s to %s", id, strongID)
+
+	if parentID != "" {
+		if err := is.SetParent(strongID, parentID); err != nil {
+			return err
+		}
+	}
+
+	checksum, err := ioutil.ReadFile(filepath.Join(root, graphDirName, id, "checksum"))
+	if err == nil { // best effort
+		dgst, err := digest.Parse(string(checksum))
+		if err == nil {
+			V2MetadataService := metadata.NewV2MetadataService(ms)
+			V2MetadataService.Add(layer.DiffID(), metadata.V2Metadata{Digest: dgst})
+		}
+	}
+	_, err = ls.Release(layer)
+	if err != nil {
+		return err
+	}
+
+	mappings[id] = strongID
+	return
+}
+
+func rawJSON(value interface{}) *json.RawMessage {
+	jsonval, err := json.Marshal(value)
+	if err != nil {
+		return nil
+	}
+	return (*json.RawMessage)(&jsonval)
+}
diff --git a/engine/migrate/v1/migratev1_test.go b/engine/migrate/v1/migratev1_test.go
new file mode 100644
index 00000000..09cdac82
--- /dev/null
+++ b/engine/migrate/v1/migratev1_test.go
@@ -0,0 +1,437 @@
+package v1 // import "github.com/docker/docker/migrate/v1"
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"runtime"
+	"testing"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/distribution/metadata"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/opencontainers/go-digest"
+)
+
+func TestMigrateRefs(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "migrate-tags")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	ioutil.WriteFile(filepath.Join(tmpdir, "repositories-generic"), []byte(`{"Repositories":{"busybox":{"latest":"b3ca410aa2c115c05969a7b2c8cf8a9fcf62c1340ed6a601c9ee50df337ec108","sha256:16a2a52884c2a9481ed267c2d46483eac7693b813a63132368ab098a71303f8a":"b3ca410aa2c115c05969a7b2c8cf8a9fcf62c1340ed6a601c9ee50df337ec108"},"registry":{"2":"5d165b8e4b203685301c815e95663231691d383fd5e3d3185d1ce3f8dddead3d","latest":"8d5547a9f329b1d3f93198cd661fb5117e5a96b721c5cf9a2c389e7dd4877128"}}}`), 0600)
+
+	ta := &mockTagAdder{}
+	err = migrateRefs(tmpdir, "generic", ta, map[string]image.ID{
+		"5d165b8e4b203685301c815e95663231691d383fd5e3d3185d1ce3f8dddead3d": image.ID("sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"),
+		"b3ca410aa2c115c05969a7b2c8cf8a9fcf62c1340ed6a601c9ee50df337ec108": image.ID("sha256:fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9"),
+		"abcdef3434c115c05969a7b2c8cf8a9fcf62c1340ed6a601c9ee50df337ec108": image.ID("sha256:56434342345ae68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"),
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := map[string]string{
+		"docker.io/library/busybox:latest":                                                                  "sha256:fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9",
+		"docker.io/library/busybox@sha256:16a2a52884c2a9481ed267c2d46483eac7693b813a63132368ab098a71303f8a": "sha256:fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9",
+		"docker.io/library/registry:2":                                                                      "sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",
+	}
+
+	if !reflect.DeepEqual(expected, ta.refs) {
+		t.Fatalf("Invalid migrated tags: expected %q, got %q", expected, ta.refs)
+	}
+
+	// second migration is no-op
+	ioutil.WriteFile(filepath.Join(tmpdir, "repositories-generic"), []byte(`{"Repositories":{"busybox":{"latest":"b3ca410aa2c115c05969a7b2c8cf8a9fcf62c1340ed6a601c9ee50df337ec108"`), 0600)
+	err = migrateRefs(tmpdir, "generic", ta, map[string]image.ID{
+		"b3ca410aa2c115c05969a7b2c8cf8a9fcf62c1340ed6a601c9ee50df337ec108": image.ID("sha256:fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9"),
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !reflect.DeepEqual(expected, ta.refs) {
+		t.Fatalf("Invalid migrated tags: expected %q, got %q", expected, ta.refs)
+	}
+}
+
+func TestMigrateContainers(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	if runtime.GOARCH != "amd64" {
+		t.Skip("Test tailored to amd64 architecture")
+	}
+	tmpdir, err := ioutil.TempDir("", "migrate-containers")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	err = addContainer(tmpdir, `{"State":{"Running":false,"Paused":false,"Restarting":false,"OOMKilled":false,"Dead":false,"Pid":0,"ExitCode":0,"Error":"","StartedAt":"2015-11-10T21:42:40.604267436Z","FinishedAt":"2015-11-10T21:42:41.869265487Z"},"ID":"f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c","Created":"2015-11-10T21:42:40.433831551Z","Path":"sh","Args":[],"Config":{"Hostname":"f780ee3f80e6","Domainname":"","User":"","AttachStdin":true,"AttachStdout":true,"AttachStderr":true,"Tty":true,"OpenStdin":true,"StdinOnce":true,"Env":null,"Cmd":["sh"],"Image":"busybox","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":{}},"Image":"2c5ac3f849df8627fcf2822727f87c57f38b7129d3604fbc11d861fe856ff093","NetworkSettings":{"Bridge":"","EndpointID":"","Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"HairpinMode":false,"IPAddress":"","IPPrefixLen":0,"IPv6Gateway":"","LinkLocalIPv6Address":"","LinkLocalIPv6PrefixLen":0,"MacAddress":"","NetworkID":"","PortMapping":null,"Ports":null,"SandboxKey":"","SecondaryIPAddresses":null,"SecondaryIPv6Addresses":null},"ResolvConfPath":"/var/lib/docker/containers/f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c/resolv.conf","HostnamePath":"/var/lib/docker/containers/f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c/hostname","HostsPath":"/var/lib/docker/containers/f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c/hosts","LogPath":"/var/lib/docker/containers/f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c/f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c-json.log","Name":"/determined_euclid","Driver":"overlay","ExecDriver":"native-0.2","MountLabel":"","ProcessLabel":"","RestartCount":0,"UpdateDns":false,"HasBeenStartedBefore":false,"MountPoints":{},"Volumes":{},"VolumesRW":{},"AppArmorProfile":""}`)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// container with invalid image
+	err = addContainer(tmpdir, `{"State":{"Running":false,"Paused":false,"Restarting":false,"OOMKilled":false,"Dead":false,"Pid":0,"ExitCode":0,"Error":"","StartedAt":"2015-11-10T21:42:40.604267436Z","FinishedAt":"2015-11-10T21:42:41.869265487Z"},"ID":"e780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c","Created":"2015-11-10T21:42:40.433831551Z","Path":"sh","Args":[],"Config":{"Hostname":"f780ee3f80e6","Domainname":"","User":"","AttachStdin":true,"AttachStdout":true,"AttachStderr":true,"Tty":true,"OpenStdin":true,"StdinOnce":true,"Env":null,"Cmd":["sh"],"Image":"busybox","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":{}},"Image":"4c5ac3f849df8627fcf2822727f87c57f38b7129d3604fbc11d861fe856ff093","NetworkSettings":{"Bridge":"","EndpointID":"","Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"HairpinMode":false,"IPAddress":"","IPPrefixLen":0,"IPv6Gateway":"","LinkLocalIPv6Address":"","LinkLocalIPv6PrefixLen":0,"MacAddress":"","NetworkID":"","PortMapping":null,"Ports":null,"SandboxKey":"","SecondaryIPAddresses":null,"SecondaryIPv6Addresses":null},"ResolvConfPath":"/var/lib/docker/containers/f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c/resolv.conf","HostnamePath":"/var/lib/docker/containers/f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c/hostname","HostsPath":"/var/lib/docker/containers/f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c/hosts","LogPath":"/var/lib/docker/containers/f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c/f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c-json.log","Name":"/determined_euclid","Driver":"overlay","ExecDriver":"native-0.2","MountLabel":"","ProcessLabel":"","RestartCount":0,"UpdateDns":false,"HasBeenStartedBefore":false,"MountPoints":{},"Volumes":{},"VolumesRW":{},"AppArmorProfile":""}`)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ifs, err := image.NewFSStoreBackend(filepath.Join(tmpdir, "imagedb"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ls := &mockMounter{}
+	mmMap := make(map[string]image.LayerGetReleaser)
+	mmMap[runtime.GOOS] = ls
+	is, err := image.NewImageStore(ifs, mmMap)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	imgID, err := is.Create([]byte(`{"architecture":"amd64","config":{"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Cmd":["sh"],"Entrypoint":null,"Env":null,"Hostname":"23304fc829f9","Image":"d1592a710ac323612bd786fa8ac20727c58d8a67847e5a65177c594f43919498","Labels":null,"OnBuild":null,"OpenStdin":false,"StdinOnce":false,"Tty":false,"Volumes":null,"WorkingDir":"","Domainname":"","User":""},"container":"349b014153779e30093d94f6df2a43c7a0a164e05aa207389917b540add39b51","container_config":{"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Entrypoint":null,"Env":null,"Hostname":"23304fc829f9","Image":"d1592a710ac323612bd786fa8ac20727c58d8a67847e5a65177c594f43919498","Labels":null,"OnBuild":null,"OpenStdin":false,"StdinOnce":false,"Tty":false,"Volumes":null,"WorkingDir":"","Domainname":"","User":""},"created":"2015-10-31T22:22:55.613815829Z","docker_version":"1.8.2","history":[{"created":"2015-10-31T22:22:54.690851953Z","created_by":"/bin/sh -c #(nop) ADD file:a3bc1e842b69636f9df5256c49c5374fb4eef1e281fe3f282c65fb853ee171c5 in /"},{"created":"2015-10-31T22:22:55.613815829Z","created_by":"/bin/sh -c #(nop) CMD [\"sh\"]"}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:c6f988f4874bb0add23a778f753c65efe992244e148a1d2ec2a8b664fb66bbd1","sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"]}}`))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = migrateContainers(tmpdir, ls, is, map[string]image.ID{
+		"2c5ac3f849df8627fcf2822727f87c57f38b7129d3604fbc11d861fe856ff093": imgID,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := []mountInfo{{
+		"f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c",
+		"f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c",
+		"sha256:c3191d32a37d7159b2e30830937d2e30268ad6c375a773a8994911a3aba9b93f",
+	}}
+	if !reflect.DeepEqual(expected, ls.mounts) {
+		t.Fatalf("invalid mounts: expected %q, got %q", expected, ls.mounts)
+	}
+
+	if actual, expected := ls.count, 0; actual != expected {
+		t.Fatalf("invalid active mounts: expected %d, got %d", expected, actual)
+	}
+
+	config2, err := ioutil.ReadFile(filepath.Join(tmpdir, "containers", "f780ee3f80e66e9b432a57049597118a66aab8932be88e5628d4c824edbee37c", "config.v2.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	var config struct{ Image string }
+	err = json.Unmarshal(config2, &config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if actual, expected := config.Image, string(imgID); actual != expected {
+		t.Fatalf("invalid image pointer in migrated config: expected %q, got %q", expected, actual)
+	}
+
+}
+
+func TestMigrateImages(t *testing.T) {
+	// TODO Windows: Figure out why this is failing
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	if runtime.GOARCH != "amd64" {
+		t.Skip("Test tailored to amd64 architecture")
+	}
+	tmpdir, err := ioutil.TempDir("", "migrate-images")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	// busybox from 1.9
+	id1, err := addImage(tmpdir, `{"architecture":"amd64","config":{"Hostname":"23304fc829f9","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"23304fc829f9b9349416f6eb1afec162907eba3a328f51d53a17f8986f865d65","container_config":{"Hostname":"23304fc829f9","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) ADD file:a3bc1e842b69636f9df5256c49c5374fb4eef1e281fe3f282c65fb853ee171c5 in /"],"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"created":"2015-10-31T22:22:54.690851953Z","docker_version":"1.8.2","layer_id":"sha256:55dc925c23d1ed82551fd018c27ac3ee731377b6bad3963a2a4e76e753d70e57","os":"linux"}`, "", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	id2, err := addImage(tmpdir, `{"architecture":"amd64","config":{"Hostname":"23304fc829f9","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"d1592a710ac323612bd786fa8ac20727c58d8a67847e5a65177c594f43919498","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"349b014153779e30093d94f6df2a43c7a0a164e05aa207389917b540add39b51","container_config":{"Hostname":"23304fc829f9","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"d1592a710ac323612bd786fa8ac20727c58d8a67847e5a65177c594f43919498","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"created":"2015-10-31T22:22:55.613815829Z","docker_version":"1.8.2","layer_id":"sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4","os":"linux","parent_id":"sha256:039b63dd2cbaa10d6015ea574392530571ed8d7b174090f032211285a71881d0"}`, id1, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ifs, err := image.NewFSStoreBackend(filepath.Join(tmpdir, "imagedb"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ls := &mockRegistrar{}
+	mrMap := make(map[string]image.LayerGetReleaser)
+	mrMap[runtime.GOOS] = ls
+	is, err := image.NewImageStore(ifs, mrMap)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ms, err := metadata.NewFSMetadataStore(filepath.Join(tmpdir, "distribution"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	mappings := make(map[string]image.ID)
+
+	err = migrateImages(tmpdir, ls, is, ms, mappings)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := map[string]image.ID{
+		id1: image.ID("sha256:ca406eaf9c26898414ff5b7b3a023c33310759d6203be0663dbf1b3a712f432d"),
+		id2: image.ID("sha256:a488bec94bb96b26a968f913d25ef7d8d204d727ca328b52b4b059c7d03260b6"),
+	}
+
+	if !reflect.DeepEqual(mappings, expected) {
+		t.Fatalf("invalid image mappings: expected %q, got %q", expected, mappings)
+	}
+
+	if actual, expected := ls.count, 2; actual != expected {
+		t.Fatalf("invalid register count: expected %q, got %q", expected, actual)
+	}
+	ls.count = 0
+
+	// next images are busybox from 1.8.2
+	_, err = addImage(tmpdir, `{"id":"17583c7dd0dae6244203b8029733bdb7d17fccbb2b5d93e2b24cf48b8bfd06e2","parent":"d1592a710ac323612bd786fa8ac20727c58d8a67847e5a65177c594f43919498","created":"2015-10-31T22:22:55.613815829Z","container":"349b014153779e30093d94f6df2a43c7a0a164e05aa207389917b540add39b51","container_config":{"Hostname":"23304fc829f9","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":null,"PublishService":"","Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"d1592a710ac323612bd786fa8ac20727c58d8a67847e5a65177c594f43919498","Volumes":null,"VolumeDriver":"","WorkingDir":"","Entrypoint":null,"NetworkDisabled":false,"MacAddress":"","OnBuild":null,"Labels":null},"docker_version":"1.8.2","config":{"Hostname":"23304fc829f9","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":null,"PublishService":"","Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"d1592a710ac323612bd786fa8ac20727c58d8a67847e5a65177c594f43919498","Volumes":null,"VolumeDriver":"","WorkingDir":"","Entrypoint":null,"NetworkDisabled":false,"MacAddress":"","OnBuild":null,"Labels":null},"architecture":"amd64","os":"linux","Size":0}`, "", "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = addImage(tmpdir, `{"id":"d1592a710ac323612bd786fa8ac20727c58d8a67847e5a65177c594f43919498","created":"2015-10-31T22:22:54.690851953Z","container":"23304fc829f9b9349416f6eb1afec162907eba3a328f51d53a17f8986f865d65","container_config":{"Hostname":"23304fc829f9","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":null,"PublishService":"","Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) ADD file:a3bc1e842b69636f9df5256c49c5374fb4eef1e281fe3f282c65fb853ee171c5 in /"],"Image":"","Volumes":null,"VolumeDriver":"","WorkingDir":"","Entrypoint":null,"NetworkDisabled":false,"MacAddress":"","OnBuild":null,"Labels":null},"docker_version":"1.8.2","config":{"Hostname":"23304fc829f9","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":null,"PublishService":"","Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"","Volumes":null,"VolumeDriver":"","WorkingDir":"","Entrypoint":null,"NetworkDisabled":false,"MacAddress":"","OnBuild":null,"Labels":null},"architecture":"amd64","os":"linux","Size":1108935}`, "", "sha256:55dc925c23d1ed82551fd018c27ac3ee731377b6bad3963a2a4e76e753d70e57")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = migrateImages(tmpdir, ls, is, ms, mappings)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected["d1592a710ac323612bd786fa8ac20727c58d8a67847e5a65177c594f43919498"] = image.ID("sha256:c091bb33854e57e6902b74c08719856d30b5593c7db6143b2b48376b8a588395")
+	expected["17583c7dd0dae6244203b8029733bdb7d17fccbb2b5d93e2b24cf48b8bfd06e2"] = image.ID("sha256:d963020e755ff2715b936065949472c1f8a6300144b922992a1a421999e71f07")
+
+	if actual, expected := ls.count, 2; actual != expected {
+		t.Fatalf("invalid register count: expected %q, got %q", expected, actual)
+	}
+
+	v2MetadataService := metadata.NewV2MetadataService(ms)
+	receivedMetadata, err := v2MetadataService.GetMetadata(layer.EmptyLayer.DiffID())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedMetadata := []metadata.V2Metadata{
+		{Digest: digest.Digest("sha256:55dc925c23d1ed82551fd018c27ac3ee731377b6bad3963a2a4e76e753d70e57")},
+		{Digest: digest.Digest("sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4")},
+	}
+
+	if !reflect.DeepEqual(expectedMetadata, receivedMetadata) {
+		t.Fatalf("invalid metadata: expected %q, got %q", expectedMetadata, receivedMetadata)
+	}
+
+}
+
+func TestMigrateUnsupported(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "migrate-empty")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	err = os.MkdirAll(filepath.Join(tmpdir, "graph"), 0700)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = Migrate(tmpdir, "generic", nil, nil, nil, nil)
+	if err != errUnsupported {
+		t.Fatalf("expected unsupported error, got %q", err)
+	}
+}
+
+func TestMigrateEmptyDir(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "migrate-empty")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	err = Migrate(tmpdir, "generic", nil, nil, nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func addImage(dest, jsonConfig, parent, checksum string) (string, error) {
+	var config struct{ ID string }
+	if err := json.Unmarshal([]byte(jsonConfig), &config); err != nil {
+		return "", err
+	}
+	if config.ID == "" {
+		b := make([]byte, 32)
+		rand.Read(b)
+		config.ID = hex.EncodeToString(b)
+	}
+	contDir := filepath.Join(dest, "graph", config.ID)
+	if err := os.MkdirAll(contDir, 0700); err != nil {
+		return "", err
+	}
+	if err := ioutil.WriteFile(filepath.Join(contDir, "json"), []byte(jsonConfig), 0600); err != nil {
+		return "", err
+	}
+	if checksum != "" {
+		if err := ioutil.WriteFile(filepath.Join(contDir, "checksum"), []byte(checksum), 0600); err != nil {
+			return "", err
+		}
+	}
+	if err := ioutil.WriteFile(filepath.Join(contDir, ".migration-diffid"), []byte(layer.EmptyLayer.DiffID()), 0600); err != nil {
+		return "", err
+	}
+	if err := ioutil.WriteFile(filepath.Join(contDir, ".migration-size"), []byte("0"), 0600); err != nil {
+		return "", err
+	}
+	if parent != "" {
+		if err := ioutil.WriteFile(filepath.Join(contDir, "parent"), []byte(parent), 0600); err != nil {
+			return "", err
+		}
+	}
+	if checksum != "" {
+		if err := ioutil.WriteFile(filepath.Join(contDir, "checksum"), []byte(checksum), 0600); err != nil {
+			return "", err
+		}
+	}
+	return config.ID, nil
+}
+
+func addContainer(dest, jsonConfig string) error {
+	var config struct{ ID string }
+	if err := json.Unmarshal([]byte(jsonConfig), &config); err != nil {
+		return err
+	}
+	contDir := filepath.Join(dest, "containers", config.ID)
+	if err := os.MkdirAll(contDir, 0700); err != nil {
+		return err
+	}
+	return ioutil.WriteFile(filepath.Join(contDir, "config.json"), []byte(jsonConfig), 0600)
+}
+
+type mockTagAdder struct {
+	refs map[string]string
+}
+
+func (t *mockTagAdder) AddTag(ref reference.Named, id digest.Digest, force bool) error {
+	if t.refs == nil {
+		t.refs = make(map[string]string)
+	}
+	t.refs[ref.String()] = id.String()
+	return nil
+}
+func (t *mockTagAdder) AddDigest(ref reference.Canonical, id digest.Digest, force bool) error {
+	return t.AddTag(ref, id, force)
+}
+
+type mockRegistrar struct {
+	layers map[layer.ChainID]*mockLayer
+	count  int
+}
+
+func (r *mockRegistrar) RegisterByGraphID(graphID string, parent layer.ChainID, diffID layer.DiffID, tarDataFile string, size int64) (layer.Layer, error) {
+	r.count++
+	l := &mockLayer{}
+	if parent != "" {
+		p, exists := r.layers[parent]
+		if !exists {
+			return nil, fmt.Errorf("invalid parent %q", parent)
+		}
+		l.parent = p
+		l.diffIDs = append(l.diffIDs, p.diffIDs...)
+	}
+	l.diffIDs = append(l.diffIDs, diffID)
+	if r.layers == nil {
+		r.layers = make(map[layer.ChainID]*mockLayer)
+	}
+	r.layers[l.ChainID()] = l
+	return l, nil
+}
+func (r *mockRegistrar) Release(l layer.Layer) ([]layer.Metadata, error) {
+	return nil, nil
+}
+func (r *mockRegistrar) Get(layer.ChainID) (layer.Layer, error) {
+	return nil, nil
+}
+
+type mountInfo struct {
+	name, graphID, parent string
+}
+type mockMounter struct {
+	mounts []mountInfo
+	count  int
+}
+
+func (r *mockMounter) CreateRWLayerByGraphID(name string, graphID string, parent layer.ChainID) error {
+	r.mounts = append(r.mounts, mountInfo{name, graphID, string(parent)})
+	return nil
+}
+func (r *mockMounter) Unmount(string) error {
+	r.count--
+	return nil
+}
+func (r *mockMounter) Get(layer.ChainID) (layer.Layer, error) {
+	return nil, nil
+}
+
+func (r *mockMounter) Release(layer.Layer) ([]layer.Metadata, error) {
+	return nil, nil
+}
+
+type mockLayer struct {
+	diffIDs []layer.DiffID
+	parent  *mockLayer
+}
+
+func (l *mockLayer) TarStream() (io.ReadCloser, error) {
+	return nil, nil
+}
+func (l *mockLayer) TarStreamFrom(layer.ChainID) (io.ReadCloser, error) {
+	return nil, nil
+}
+
+func (l *mockLayer) ChainID() layer.ChainID {
+	return layer.CreateChainID(l.diffIDs)
+}
+
+func (l *mockLayer) DiffID() layer.DiffID {
+	return l.diffIDs[len(l.diffIDs)-1]
+}
+
+func (l *mockLayer) Parent() layer.Layer {
+	if l.parent == nil {
+		return nil
+	}
+	return l.parent
+}
+
+func (l *mockLayer) Size() (int64, error) {
+	return 0, nil
+}
+
+func (l *mockLayer) DiffSize() (int64, error) {
+	return 0, nil
+}
+
+func (l *mockLayer) Metadata() (map[string]string, error) {
+	return nil, nil
+}
diff --git a/engine/oci/defaults.go b/engine/oci/defaults.go
new file mode 100644
index 00000000..992157b0
--- /dev/null
+++ b/engine/oci/defaults.go
@@ -0,0 +1,212 @@
+package oci // import "github.com/docker/docker/oci"
+
+import (
+	"os"
+	"runtime"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func iPtr(i int64) *int64        { return &i }
+func u32Ptr(i int64) *uint32     { u := uint32(i); return &u }
+func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }
+
+func defaultCapabilities() []string {
+	return []string{
+		"CAP_CHOWN",
+		"CAP_DAC_OVERRIDE",
+		"CAP_FSETID",
+		"CAP_FOWNER",
+		"CAP_MKNOD",
+		"CAP_NET_RAW",
+		"CAP_SETGID",
+		"CAP_SETUID",
+		"CAP_SETFCAP",
+		"CAP_SETPCAP",
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_CHROOT",
+		"CAP_KILL",
+		"CAP_AUDIT_WRITE",
+	}
+}
+
+// DefaultSpec returns the default spec used by docker for the current Platform
+func DefaultSpec() specs.Spec {
+	return DefaultOSSpec(runtime.GOOS)
+}
+
+// DefaultOSSpec returns the spec for a given OS
+func DefaultOSSpec(osName string) specs.Spec {
+	if osName == "windows" {
+		return DefaultWindowsSpec()
+	}
+	return DefaultLinuxSpec()
+}
+
+// DefaultWindowsSpec create a default spec for running Windows containers
+func DefaultWindowsSpec() specs.Spec {
+	return specs.Spec{
+		Version: specs.Version,
+		Windows: &specs.Windows{},
+		Process: &specs.Process{},
+		Root:    &specs.Root{},
+	}
+}
+
+// DefaultLinuxSpec create a default spec for running Linux containers
+func DefaultLinuxSpec() specs.Spec {
+	s := specs.Spec{
+		Version: specs.Version,
+		Process: &specs.Process{
+			Capabilities: &specs.LinuxCapabilities{
+				Bounding:    defaultCapabilities(),
+				Permitted:   defaultCapabilities(),
+				Inheritable: defaultCapabilities(),
+				Effective:   defaultCapabilities(),
+			},
+		},
+		Root: &specs.Root{},
+	}
+	s.Mounts = []specs.Mount{
+		{
+			Destination: "/proc",
+			Type:        "proc",
+			Source:      "proc",
+			Options:     []string{"nosuid", "noexec", "nodev"},
+		},
+		{
+			Destination: "/dev",
+			Type:        "tmpfs",
+			Source:      "tmpfs",
+			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+		},
+		{
+			Destination: "/dev/pts",
+			Type:        "devpts",
+			Source:      "devpts",
+			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
+		},
+		{
+			Destination: "/sys",
+			Type:        "sysfs",
+			Source:      "sysfs",
+			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
+		},
+		{
+			Destination: "/sys/fs/cgroup",
+			Type:        "cgroup",
+			Source:      "cgroup",
+			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
+		},
+		{
+			Destination: "/dev/mqueue",
+			Type:        "mqueue",
+			Source:      "mqueue",
+			Options:     []string{"nosuid", "noexec", "nodev"},
+		},
+		{
+			Destination: "/dev/shm",
+			Type:        "tmpfs",
+			Source:      "shm",
+			Options:     []string{"nosuid", "noexec", "nodev", "mode=1777"},
+		},
+	}
+
+	s.Linux = &specs.Linux{
+		MaskedPaths: []string{
+			"/proc/acpi",
+			"/proc/kcore",
+			"/proc/keys",
+			"/proc/latency_stats",
+			"/proc/timer_list",
+			"/proc/timer_stats",
+			"/proc/sched_debug",
+			"/proc/scsi",
+			"/sys/firmware",
+		},
+		ReadonlyPaths: []string{
+			"/proc/asound",
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger",
+		},
+		Namespaces: []specs.LinuxNamespace{
+			{Type: "mount"},
+			{Type: "network"},
+			{Type: "uts"},
+			{Type: "pid"},
+			{Type: "ipc"},
+		},
+		// Devices implicitly contains the following devices:
+		// null, zero, full, random, urandom, tty, console, and ptmx.
+		// ptmx is a bind mount or symlink of the container's ptmx.
+		// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
+		Devices: []specs.LinuxDevice{},
+		Resources: &specs.LinuxResources{
+			Devices: []specs.LinuxDeviceCgroup{
+				{
+					Allow:  false,
+					Access: "rwm",
+				},
+				{
+					Allow:  true,
+					Type:   "c",
+					Major:  iPtr(1),
+					Minor:  iPtr(5),
+					Access: "rwm",
+				},
+				{
+					Allow:  true,
+					Type:   "c",
+					Major:  iPtr(1),
+					Minor:  iPtr(3),
+					Access: "rwm",
+				},
+				{
+					Allow:  true,
+					Type:   "c",
+					Major:  iPtr(1),
+					Minor:  iPtr(9),
+					Access: "rwm",
+				},
+				{
+					Allow:  true,
+					Type:   "c",
+					Major:  iPtr(1),
+					Minor:  iPtr(8),
+					Access: "rwm",
+				},
+				{
+					Allow:  true,
+					Type:   "c",
+					Major:  iPtr(5),
+					Minor:  iPtr(0),
+					Access: "rwm",
+				},
+				{
+					Allow:  true,
+					Type:   "c",
+					Major:  iPtr(5),
+					Minor:  iPtr(1),
+					Access: "rwm",
+				},
+				{
+					Allow:  false,
+					Type:   "c",
+					Major:  iPtr(10),
+					Minor:  iPtr(229),
+					Access: "rwm",
+				},
+			},
+		},
+	}
+
+	// For LCOW support, populate a blank Windows spec
+	if runtime.GOOS == "windows" {
+		s.Windows = &specs.Windows{}
+	}
+
+	return s
+}
diff --git a/engine/oci/devices_linux.go b/engine/oci/devices_linux.go
new file mode 100644
index 00000000..46d4e1d3
--- /dev/null
+++ b/engine/oci/devices_linux.go
@@ -0,0 +1,86 @@
+package oci // import "github.com/docker/docker/oci"
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/devices"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// Device transforms a libcontainer configs.Device to a specs.LinuxDevice object.
+func Device(d *configs.Device) specs.LinuxDevice {
+	return specs.LinuxDevice{
+		Type:     string(d.Type),
+		Path:     d.Path,
+		Major:    d.Major,
+		Minor:    d.Minor,
+		FileMode: fmPtr(int64(d.FileMode)),
+		UID:      u32Ptr(int64(d.Uid)),
+		GID:      u32Ptr(int64(d.Gid)),
+	}
+}
+
+func deviceCgroup(d *configs.Device) specs.LinuxDeviceCgroup {
+	t := string(d.Type)
+	return specs.LinuxDeviceCgroup{
+		Allow:  true,
+		Type:   t,
+		Major:  &d.Major,
+		Minor:  &d.Minor,
+		Access: d.Permissions,
+	}
+}
+
+// DevicesFromPath computes a list of devices and device permissions from paths (pathOnHost and pathInContainer) and cgroup permissions.
+func DevicesFromPath(pathOnHost, pathInContainer, cgroupPermissions string) (devs []specs.LinuxDevice, devPermissions []specs.LinuxDeviceCgroup, err error) {
+	resolvedPathOnHost := pathOnHost
+
+	// check if it is a symbolic link
+	if src, e := os.Lstat(pathOnHost); e == nil && src.Mode()&os.ModeSymlink == os.ModeSymlink {
+		if linkedPathOnHost, e := filepath.EvalSymlinks(pathOnHost); e == nil {
+			resolvedPathOnHost = linkedPathOnHost
+		}
+	}
+
+	device, err := devices.DeviceFromPath(resolvedPathOnHost, cgroupPermissions)
+	// if there was no error, return the device
+	if err == nil {
+		device.Path = pathInContainer
+		return append(devs, Device(device)), append(devPermissions, deviceCgroup(device)), nil
+	}
+
+	// if the device is not a device node
+	// try to see if it's a directory holding many devices
+	if err == devices.ErrNotADevice {
+
+		// check if it is a directory
+		if src, e := os.Stat(resolvedPathOnHost); e == nil && src.IsDir() {
+
+			// mount the internal devices recursively
+			filepath.Walk(resolvedPathOnHost, func(dpath string, f os.FileInfo, e error) error {
+				childDevice, e := devices.DeviceFromPath(dpath, cgroupPermissions)
+				if e != nil {
+					// ignore the device
+					return nil
+				}
+
+				// add the device to userSpecified devices
+				childDevice.Path = strings.Replace(dpath, resolvedPathOnHost, pathInContainer, 1)
+				devs = append(devs, Device(childDevice))
+				devPermissions = append(devPermissions, deviceCgroup(childDevice))
+
+				return nil
+			})
+		}
+	}
+
+	if len(devs) > 0 {
+		return devs, devPermissions, nil
+	}
+
+	return devs, devPermissions, fmt.Errorf("error gathering device information while adding custom device %q: %s", pathOnHost, err)
+}
diff --git a/engine/oci/devices_unsupported.go b/engine/oci/devices_unsupported.go
new file mode 100644
index 00000000..af6dd3bd
--- /dev/null
+++ b/engine/oci/devices_unsupported.go
@@ -0,0 +1,20 @@
+// +build !linux
+
+package oci // import "github.com/docker/docker/oci"
+
+import (
+	"errors"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// Device transforms a libcontainer configs.Device to a specs.Device object.
+// Not implemented
+func Device(d *configs.Device) specs.LinuxDevice { return specs.LinuxDevice{} }
+
+// DevicesFromPath computes a list of devices and device permissions from paths (pathOnHost and pathInContainer) and cgroup permissions.
+// Not implemented
+func DevicesFromPath(pathOnHost, pathInContainer, cgroupPermissions string) (devs []specs.LinuxDevice, devPermissions []specs.LinuxDeviceCgroup, err error) {
+	return nil, nil, errors.New("oci/devices: unsupported platform")
+}
diff --git a/engine/oci/namespaces.go b/engine/oci/namespaces.go
new file mode 100644
index 00000000..5a2d8f20
--- /dev/null
+++ b/engine/oci/namespaces.go
@@ -0,0 +1,13 @@
+package oci // import "github.com/docker/docker/oci"
+
+import "github.com/opencontainers/runtime-spec/specs-go"
+
+// RemoveNamespace removes the `nsType` namespace from OCI spec `s`
+func RemoveNamespace(s *specs.Spec, nsType specs.LinuxNamespaceType) {
+	for i, n := range s.Linux.Namespaces {
+		if n.Type == nsType {
+			s.Linux.Namespaces = append(s.Linux.Namespaces[:i], s.Linux.Namespaces[i+1:]...)
+			return
+		}
+	}
+}
diff --git a/engine/opts/address_pools.go b/engine/opts/address_pools.go
new file mode 100644
index 00000000..9b27a628
--- /dev/null
+++ b/engine/opts/address_pools.go
@@ -0,0 +1,84 @@
+package opts
+
+import (
+	"encoding/csv"
+	"encoding/json"
+	"fmt"
+	"strconv"
+	"strings"
+
+	types "github.com/docker/libnetwork/ipamutils"
+)
+
+// PoolsOpt is a Value type for parsing the default address pools definitions
+type PoolsOpt struct {
+	values []*types.NetworkToSplit
+}
+
+// UnmarshalJSON fills values structure  info from JSON input
+func (p *PoolsOpt) UnmarshalJSON(raw []byte) error {
+	return json.Unmarshal(raw, &(p.values))
+}
+
+// Set predefined pools
+func (p *PoolsOpt) Set(value string) error {
+	csvReader := csv.NewReader(strings.NewReader(value))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return err
+	}
+
+	poolsDef := types.NetworkToSplit{}
+
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+		if len(parts) != 2 {
+			return fmt.Errorf("invalid field '%s' must be a key=value pair", field)
+		}
+
+		key := strings.ToLower(parts[0])
+		value := strings.ToLower(parts[1])
+
+		switch key {
+		case "base":
+			poolsDef.Base = value
+		case "size":
+			size, err := strconv.Atoi(value)
+			if err != nil {
+				return fmt.Errorf("invalid size value: %q (must be integer): %v", value, err)
+			}
+			poolsDef.Size = size
+		default:
+			return fmt.Errorf("unexpected key '%s' in '%s'", key, field)
+		}
+	}
+
+	p.values = append(p.values, &poolsDef)
+
+	return nil
+}
+
+// Type returns the type of this option
+func (p *PoolsOpt) Type() string {
+	return "pool-options"
+}
+
+// String returns a string repr of this option
+func (p *PoolsOpt) String() string {
+	var pools []string
+	for _, pool := range p.values {
+		repr := fmt.Sprintf("%s %d", pool.Base, pool.Size)
+		pools = append(pools, repr)
+	}
+	return strings.Join(pools, ", ")
+}
+
+// Value returns the mounts
+func (p *PoolsOpt) Value() []*types.NetworkToSplit {
+	return p.values
+}
+
+// Name returns the flag name of this option
+func (p *PoolsOpt) Name() string {
+	return "default-address-pools"
+}
diff --git a/engine/opts/address_pools_test.go b/engine/opts/address_pools_test.go
new file mode 100644
index 00000000..7f9c7099
--- /dev/null
+++ b/engine/opts/address_pools_test.go
@@ -0,0 +1,20 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"testing"
+)
+
+func TestAddressPoolOpt(t *testing.T) {
+	poolopt := &PoolsOpt{}
+	var addresspool = "base=175.30.0.0/16,size=16"
+	var invalidAddresspoolString = "base=175.30.0.0/16,size=16, base=175.33.0.0/16,size=24"
+
+	if err := poolopt.Set(addresspool); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := poolopt.Set(invalidAddresspoolString); err == nil {
+		t.Fatal(err)
+	}
+
+}
diff --git a/engine/opts/env.go b/engine/opts/env.go
new file mode 100644
index 00000000..f6e5e907
--- /dev/null
+++ b/engine/opts/env.go
@@ -0,0 +1,48 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+// ValidateEnv validates an environment variable and returns it.
+// If no value is specified, it returns the current value using os.Getenv.
+//
+// As on ParseEnvFile and related to #16585, environment variable names
+// are not validate what so ever, it's up to application inside docker
+// to validate them or not.
+//
+// The only validation here is to check if name is empty, per #25099
+func ValidateEnv(val string) (string, error) {
+	arr := strings.Split(val, "=")
+	if arr[0] == "" {
+		return "", errors.Errorf("invalid environment variable: %s", val)
+	}
+	if len(arr) > 1 {
+		return val, nil
+	}
+	if !doesEnvExist(val) {
+		return val, nil
+	}
+	return fmt.Sprintf("%s=%s", val, os.Getenv(val)), nil
+}
+
+func doesEnvExist(name string) bool {
+	for _, entry := range os.Environ() {
+		parts := strings.SplitN(entry, "=", 2)
+		if runtime.GOOS == "windows" {
+			// Environment variable are case-insensitive on Windows. PaTh, path and PATH are equivalent.
+			if strings.EqualFold(parts[0], name) {
+				return true
+			}
+		}
+		if parts[0] == name {
+			return true
+		}
+	}
+	return false
+}
diff --git a/engine/opts/env_test.go b/engine/opts/env_test.go
new file mode 100644
index 00000000..1ecf1e2b
--- /dev/null
+++ b/engine/opts/env_test.go
@@ -0,0 +1,124 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"testing"
+)
+
+func TestValidateEnv(t *testing.T) {
+	testcase := []struct {
+		value    string
+		expected string
+		err      error
+	}{
+		{
+			value:    "a",
+			expected: "a",
+		},
+		{
+			value:    "something",
+			expected: "something",
+		},
+		{
+			value:    "_=a",
+			expected: "_=a",
+		},
+		{
+			value:    "env1=value1",
+			expected: "env1=value1",
+		},
+		{
+			value:    "_env1=value1",
+			expected: "_env1=value1",
+		},
+		{
+			value:    "env2=value2=value3",
+			expected: "env2=value2=value3",
+		},
+		{
+			value:    "env3=abc!qwe",
+			expected: "env3=abc!qwe",
+		},
+		{
+			value:    "env_4=value 4",
+			expected: "env_4=value 4",
+		},
+		{
+			value:    "PATH",
+			expected: fmt.Sprintf("PATH=%v", os.Getenv("PATH")),
+		},
+		{
+			value: "=a",
+			err:   fmt.Errorf(fmt.Sprintf("invalid environment variable: %s", "=a")),
+		},
+		{
+			value:    "PATH=something",
+			expected: "PATH=something",
+		},
+		{
+			value:    "asd!qwe",
+			expected: "asd!qwe",
+		},
+		{
+			value:    "1asd",
+			expected: "1asd",
+		},
+		{
+			value:    "123",
+			expected: "123",
+		},
+		{
+			value:    "some space",
+			expected: "some space",
+		},
+		{
+			value:    "  some space before",
+			expected: "  some space before",
+		},
+		{
+			value:    "some space after  ",
+			expected: "some space after  ",
+		},
+		{
+			value: "=",
+			err:   fmt.Errorf(fmt.Sprintf("invalid environment variable: %s", "=")),
+		},
+	}
+
+	// Environment variables are case in-sensitive on Windows
+	if runtime.GOOS == "windows" {
+		tmp := struct {
+			value    string
+			expected string
+			err      error
+		}{
+			value:    "PaTh",
+			expected: fmt.Sprintf("PaTh=%v", os.Getenv("PATH")),
+		}
+		testcase = append(testcase, tmp)
+
+	}
+
+	for _, r := range testcase {
+		actual, err := ValidateEnv(r.value)
+
+		if err != nil {
+			if r.err == nil {
+				t.Fatalf("Expected err is nil, got err[%v]", err)
+			}
+			if err.Error() != r.err.Error() {
+				t.Fatalf("Expected err[%v], got err[%v]", r.err, err)
+			}
+		}
+
+		if err == nil && r.err != nil {
+			t.Fatalf("Expected err[%v], but err is nil", r.err)
+		}
+
+		if actual != r.expected {
+			t.Fatalf("Expected [%v], got [%v]", r.expected, actual)
+		}
+	}
+}
diff --git a/engine/opts/hosts.go b/engine/opts/hosts.go
new file mode 100644
index 00000000..2adf4211
--- /dev/null
+++ b/engine/opts/hosts.go
@@ -0,0 +1,165 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+var (
+	// DefaultHTTPPort Default HTTP Port used if only the protocol is provided to -H flag e.g. dockerd -H tcp://
+	// These are the IANA registered port numbers for use with Docker
+	// see http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=docker
+	DefaultHTTPPort = 2375 // Default HTTP Port
+	// DefaultTLSHTTPPort Default HTTP Port used when TLS enabled
+	DefaultTLSHTTPPort = 2376 // Default TLS encrypted HTTP Port
+	// DefaultUnixSocket Path for the unix socket.
+	// Docker daemon by default always listens on the default unix socket
+	DefaultUnixSocket = "/var/run/docker.sock"
+	// DefaultTCPHost constant defines the default host string used by docker on Windows
+	DefaultTCPHost = fmt.Sprintf("tcp://%s:%d", DefaultHTTPHost, DefaultHTTPPort)
+	// DefaultTLSHost constant defines the default host string used by docker for TLS sockets
+	DefaultTLSHost = fmt.Sprintf("tcp://%s:%d", DefaultHTTPHost, DefaultTLSHTTPPort)
+	// DefaultNamedPipe defines the default named pipe used by docker on Windows
+	DefaultNamedPipe = `//./pipe/docker_engine`
+)
+
+// ValidateHost validates that the specified string is a valid host and returns it.
+func ValidateHost(val string) (string, error) {
+	host := strings.TrimSpace(val)
+	// The empty string means default and is not handled by parseDaemonHost
+	if host != "" {
+		_, err := parseDaemonHost(host)
+		if err != nil {
+			return val, err
+		}
+	}
+	// Note: unlike most flag validators, we don't return the mutated value here
+	//       we need to know what the user entered later (using ParseHost) to adjust for TLS
+	return val, nil
+}
+
+// ParseHost and set defaults for a Daemon host string
+func ParseHost(defaultToTLS bool, val string) (string, error) {
+	host := strings.TrimSpace(val)
+	if host == "" {
+		if defaultToTLS {
+			host = DefaultTLSHost
+		} else {
+			host = DefaultHost
+		}
+	} else {
+		var err error
+		host, err = parseDaemonHost(host)
+		if err != nil {
+			return val, err
+		}
+	}
+	return host, nil
+}
+
+// parseDaemonHost parses the specified address and returns an address that will be used as the host.
+// Depending of the address specified, this may return one of the global Default* strings defined in hosts.go.
+func parseDaemonHost(addr string) (string, error) {
+	addrParts := strings.SplitN(addr, "://", 2)
+	if len(addrParts) == 1 && addrParts[0] != "" {
+		addrParts = []string{"tcp", addrParts[0]}
+	}
+
+	switch addrParts[0] {
+	case "tcp":
+		return ParseTCPAddr(addrParts[1], DefaultTCPHost)
+	case "unix":
+		return parseSimpleProtoAddr("unix", addrParts[1], DefaultUnixSocket)
+	case "npipe":
+		return parseSimpleProtoAddr("npipe", addrParts[1], DefaultNamedPipe)
+	case "fd":
+		return addr, nil
+	default:
+		return "", fmt.Errorf("Invalid bind address format: %s", addr)
+	}
+}
+
+// parseSimpleProtoAddr parses and validates that the specified address is a valid
+// socket address for simple protocols like unix and npipe. It returns a formatted
+// socket address, either using the address parsed from addr, or the contents of
+// defaultAddr if addr is a blank string.
+func parseSimpleProtoAddr(proto, addr, defaultAddr string) (string, error) {
+	addr = strings.TrimPrefix(addr, proto+"://")
+	if strings.Contains(addr, "://") {
+		return "", fmt.Errorf("Invalid proto, expected %s: %s", proto, addr)
+	}
+	if addr == "" {
+		addr = defaultAddr
+	}
+	return fmt.Sprintf("%s://%s", proto, addr), nil
+}
+
+// ParseTCPAddr parses and validates that the specified address is a valid TCP
+// address. It returns a formatted TCP address, either using the address parsed
+// from tryAddr, or the contents of defaultAddr if tryAddr is a blank string.
+// tryAddr is expected to have already been Trim()'d
+// defaultAddr must be in the full `tcp://host:port` form
+func ParseTCPAddr(tryAddr string, defaultAddr string) (string, error) {
+	if tryAddr == "" || tryAddr == "tcp://" {
+		return defaultAddr, nil
+	}
+	addr := strings.TrimPrefix(tryAddr, "tcp://")
+	if strings.Contains(addr, "://") || addr == "" {
+		return "", fmt.Errorf("Invalid proto, expected tcp: %s", tryAddr)
+	}
+
+	defaultAddr = strings.TrimPrefix(defaultAddr, "tcp://")
+	defaultHost, defaultPort, err := net.SplitHostPort(defaultAddr)
+	if err != nil {
+		return "", err
+	}
+	// url.Parse fails for trailing colon on IPv6 brackets on Go 1.5, but
+	// not 1.4. See https://github.com/golang/go/issues/12200 and
+	// https://github.com/golang/go/issues/6530.
+	if strings.HasSuffix(addr, "]:") {
+		addr += defaultPort
+	}
+
+	u, err := url.Parse("tcp://" + addr)
+	if err != nil {
+		return "", err
+	}
+	host, port, err := net.SplitHostPort(u.Host)
+	if err != nil {
+		// try port addition once
+		host, port, err = net.SplitHostPort(net.JoinHostPort(u.Host, defaultPort))
+	}
+	if err != nil {
+		return "", fmt.Errorf("Invalid bind address format: %s", tryAddr)
+	}
+
+	if host == "" {
+		host = defaultHost
+	}
+	if port == "" {
+		port = defaultPort
+	}
+	p, err := strconv.Atoi(port)
+	if err != nil && p == 0 {
+		return "", fmt.Errorf("Invalid bind address format: %s", tryAddr)
+	}
+
+	return fmt.Sprintf("tcp://%s%s", net.JoinHostPort(host, port), u.Path), nil
+}
+
+// ValidateExtraHost validates that the specified string is a valid extrahost and returns it.
+// ExtraHost is in the form of name:ip where the ip has to be a valid ip (IPv4 or IPv6).
+func ValidateExtraHost(val string) (string, error) {
+	// allow for IPv6 addresses in extra hosts by only splitting on first ":"
+	arr := strings.SplitN(val, ":", 2)
+	if len(arr) != 2 || len(arr[0]) == 0 {
+		return "", fmt.Errorf("bad format for add-host: %q", val)
+	}
+	if _, err := ValidateIPAddress(arr[1]); err != nil {
+		return "", fmt.Errorf("invalid IP address in add-host: %q", arr[1])
+	}
+	return val, nil
+}
diff --git a/engine/opts/hosts_test.go b/engine/opts/hosts_test.go
new file mode 100644
index 00000000..cd8c3f91
--- /dev/null
+++ b/engine/opts/hosts_test.go
@@ -0,0 +1,181 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+)
+
+func TestParseHost(t *testing.T) {
+	invalid := []string{
+		"something with spaces",
+		"://",
+		"unknown://",
+		"tcp://:port",
+		"tcp://invalid:port",
+	}
+
+	valid := map[string]string{
+		"":                         DefaultHost,
+		" ":                        DefaultHost,
+		"  ":                       DefaultHost,
+		"fd://":                    "fd://",
+		"fd://something":           "fd://something",
+		"tcp://host:":              fmt.Sprintf("tcp://host:%d", DefaultHTTPPort),
+		"tcp://":                   DefaultTCPHost,
+		"tcp://:2375":              fmt.Sprintf("tcp://%s:2375", DefaultHTTPHost),
+		"tcp://:2376":              fmt.Sprintf("tcp://%s:2376", DefaultHTTPHost),
+		"tcp://0.0.0.0:8080":       "tcp://0.0.0.0:8080",
+		"tcp://192.168.0.0:12000":  "tcp://192.168.0.0:12000",
+		"tcp://192.168:8080":       "tcp://192.168:8080",
+		"tcp://0.0.0.0:1234567890": "tcp://0.0.0.0:1234567890", // yeah it's valid :P
+		" tcp://:7777/path ":       fmt.Sprintf("tcp://%s:7777/path", DefaultHTTPHost),
+		"tcp://docker.com:2375":    "tcp://docker.com:2375",
+		"unix://":                  "unix://" + DefaultUnixSocket,
+		"unix://path/to/socket":    "unix://path/to/socket",
+		"npipe://":                 "npipe://" + DefaultNamedPipe,
+		"npipe:////./pipe/foo":     "npipe:////./pipe/foo",
+	}
+
+	for _, value := range invalid {
+		if _, err := ParseHost(false, value); err == nil {
+			t.Errorf("Expected an error for %v, got [nil]", value)
+		}
+	}
+
+	for value, expected := range valid {
+		if actual, err := ParseHost(false, value); err != nil || actual != expected {
+			t.Errorf("Expected for %v [%v], got [%v, %v]", value, expected, actual, err)
+		}
+	}
+}
+
+func TestParseDockerDaemonHost(t *testing.T) {
+	invalids := map[string]string{
+
+		"tcp:a.b.c.d":                   "Invalid bind address format: tcp:a.b.c.d",
+		"tcp:a.b.c.d/path":              "Invalid bind address format: tcp:a.b.c.d/path",
+		"udp://127.0.0.1":               "Invalid bind address format: udp://127.0.0.1",
+		"udp://127.0.0.1:2375":          "Invalid bind address format: udp://127.0.0.1:2375",
+		"tcp://unix:///run/docker.sock": "Invalid proto, expected tcp: unix:///run/docker.sock",
+		" tcp://:7777/path ":            "Invalid bind address format:  tcp://:7777/path ",
+		"":                              "Invalid bind address format: ",
+	}
+	valids := map[string]string{
+		"0.0.0.1:":                    "tcp://0.0.0.1:2375",
+		"0.0.0.1:5555":                "tcp://0.0.0.1:5555",
+		"0.0.0.1:5555/path":           "tcp://0.0.0.1:5555/path",
+		"[::1]:":                      "tcp://[::1]:2375",
+		"[::1]:5555/path":             "tcp://[::1]:5555/path",
+		"[0:0:0:0:0:0:0:1]:":          "tcp://[0:0:0:0:0:0:0:1]:2375",
+		"[0:0:0:0:0:0:0:1]:5555/path": "tcp://[0:0:0:0:0:0:0:1]:5555/path",
+		":6666":                   fmt.Sprintf("tcp://%s:6666", DefaultHTTPHost),
+		":6666/path":              fmt.Sprintf("tcp://%s:6666/path", DefaultHTTPHost),
+		"tcp://":                  DefaultTCPHost,
+		"tcp://:7777":             fmt.Sprintf("tcp://%s:7777", DefaultHTTPHost),
+		"tcp://:7777/path":        fmt.Sprintf("tcp://%s:7777/path", DefaultHTTPHost),
+		"unix:///run/docker.sock": "unix:///run/docker.sock",
+		"unix://":                 "unix://" + DefaultUnixSocket,
+		"fd://":                   "fd://",
+		"fd://something":          "fd://something",
+		"localhost:":              "tcp://localhost:2375",
+		"localhost:5555":          "tcp://localhost:5555",
+		"localhost:5555/path":     "tcp://localhost:5555/path",
+	}
+	for invalidAddr, expectedError := range invalids {
+		if addr, err := parseDaemonHost(invalidAddr); err == nil || err.Error() != expectedError {
+			t.Errorf("tcp %v address expected error %q return, got %q and addr %v", invalidAddr, expectedError, err, addr)
+		}
+	}
+	for validAddr, expectedAddr := range valids {
+		if addr, err := parseDaemonHost(validAddr); err != nil || addr != expectedAddr {
+			t.Errorf("%v -> expected %v, got (%v) addr (%v)", validAddr, expectedAddr, err, addr)
+		}
+	}
+}
+
+func TestParseTCP(t *testing.T) {
+	var (
+		defaultHTTPHost = "tcp://127.0.0.1:2376"
+	)
+	invalids := map[string]string{
+		"tcp:a.b.c.d":          "Invalid bind address format: tcp:a.b.c.d",
+		"tcp:a.b.c.d/path":     "Invalid bind address format: tcp:a.b.c.d/path",
+		"udp://127.0.0.1":      "Invalid proto, expected tcp: udp://127.0.0.1",
+		"udp://127.0.0.1:2375": "Invalid proto, expected tcp: udp://127.0.0.1:2375",
+	}
+	valids := map[string]string{
+		"":                            defaultHTTPHost,
+		"tcp://":                      defaultHTTPHost,
+		"0.0.0.1:":                    "tcp://0.0.0.1:2376",
+		"0.0.0.1:5555":                "tcp://0.0.0.1:5555",
+		"0.0.0.1:5555/path":           "tcp://0.0.0.1:5555/path",
+		":6666":                       "tcp://127.0.0.1:6666",
+		":6666/path":                  "tcp://127.0.0.1:6666/path",
+		"tcp://:7777":                 "tcp://127.0.0.1:7777",
+		"tcp://:7777/path":            "tcp://127.0.0.1:7777/path",
+		"[::1]:":                      "tcp://[::1]:2376",
+		"[::1]:5555":                  "tcp://[::1]:5555",
+		"[::1]:5555/path":             "tcp://[::1]:5555/path",
+		"[0:0:0:0:0:0:0:1]:":          "tcp://[0:0:0:0:0:0:0:1]:2376",
+		"[0:0:0:0:0:0:0:1]:5555":      "tcp://[0:0:0:0:0:0:0:1]:5555",
+		"[0:0:0:0:0:0:0:1]:5555/path": "tcp://[0:0:0:0:0:0:0:1]:5555/path",
+		"localhost:":                  "tcp://localhost:2376",
+		"localhost:5555":              "tcp://localhost:5555",
+		"localhost:5555/path":         "tcp://localhost:5555/path",
+	}
+	for invalidAddr, expectedError := range invalids {
+		if addr, err := ParseTCPAddr(invalidAddr, defaultHTTPHost); err == nil || err.Error() != expectedError {
+			t.Errorf("tcp %v address expected error %v return, got %s and addr %v", invalidAddr, expectedError, err, addr)
+		}
+	}
+	for validAddr, expectedAddr := range valids {
+		if addr, err := ParseTCPAddr(validAddr, defaultHTTPHost); err != nil || addr != expectedAddr {
+			t.Errorf("%v -> expected %v, got %v and addr %v", validAddr, expectedAddr, err, addr)
+		}
+	}
+}
+
+func TestParseInvalidUnixAddrInvalid(t *testing.T) {
+	if _, err := parseSimpleProtoAddr("unix", "tcp://127.0.0.1", "unix:///var/run/docker.sock"); err == nil || err.Error() != "Invalid proto, expected unix: tcp://127.0.0.1" {
+		t.Fatalf("Expected an error, got %v", err)
+	}
+	if _, err := parseSimpleProtoAddr("unix", "unix://tcp://127.0.0.1", "/var/run/docker.sock"); err == nil || err.Error() != "Invalid proto, expected unix: tcp://127.0.0.1" {
+		t.Fatalf("Expected an error, got %v", err)
+	}
+	if v, err := parseSimpleProtoAddr("unix", "", "/var/run/docker.sock"); err != nil || v != "unix:///var/run/docker.sock" {
+		t.Fatalf("Expected an %v, got %v", v, "unix:///var/run/docker.sock")
+	}
+}
+
+func TestValidateExtraHosts(t *testing.T) {
+	valid := []string{
+		`myhost:192.168.0.1`,
+		`thathost:10.0.2.1`,
+		`anipv6host:2003:ab34:e::1`,
+		`ipv6local:::1`,
+	}
+
+	invalid := map[string]string{
+		`myhost:192.notanipaddress.1`:  `invalid IP`,
+		`thathost-nosemicolon10.0.0.1`: `bad format`,
+		`anipv6host:::::1`:             `invalid IP`,
+		`ipv6local:::0::`:              `invalid IP`,
+	}
+
+	for _, extrahost := range valid {
+		if _, err := ValidateExtraHost(extrahost); err != nil {
+			t.Fatalf("ValidateExtraHost(`"+extrahost+"`) should succeed: error %v", err)
+		}
+	}
+
+	for extraHost, expectedError := range invalid {
+		if _, err := ValidateExtraHost(extraHost); err == nil {
+			t.Fatalf("ValidateExtraHost(`%q`) should have failed validation", extraHost)
+		} else {
+			if !strings.Contains(err.Error(), expectedError) {
+				t.Fatalf("ValidateExtraHost(`%q`) error should contain %q", extraHost, expectedError)
+			}
+		}
+	}
+}
diff --git a/engine/opts/hosts_unix.go b/engine/opts/hosts_unix.go
new file mode 100644
index 00000000..9d5bb645
--- /dev/null
+++ b/engine/opts/hosts_unix.go
@@ -0,0 +1,8 @@
+// +build !windows
+
+package opts // import "github.com/docker/docker/opts"
+
+import "fmt"
+
+// DefaultHost constant defines the default host string used by docker on other hosts than Windows
+var DefaultHost = fmt.Sprintf("unix://%s", DefaultUnixSocket)
diff --git a/engine/opts/hosts_windows.go b/engine/opts/hosts_windows.go
new file mode 100644
index 00000000..906eba53
--- /dev/null
+++ b/engine/opts/hosts_windows.go
@@ -0,0 +1,4 @@
+package opts // import "github.com/docker/docker/opts"
+
+// DefaultHost constant defines the default host string used by docker on Windows
+var DefaultHost = "npipe://" + DefaultNamedPipe
diff --git a/engine/opts/ip.go b/engine/opts/ip.go
new file mode 100644
index 00000000..cfbff3a9
--- /dev/null
+++ b/engine/opts/ip.go
@@ -0,0 +1,47 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"fmt"
+	"net"
+)
+
+// IPOpt holds an IP. It is used to store values from CLI flags.
+type IPOpt struct {
+	*net.IP
+}
+
+// NewIPOpt creates a new IPOpt from a reference net.IP and a
+// string representation of an IP. If the string is not a valid
+// IP it will fallback to the specified reference.
+func NewIPOpt(ref *net.IP, defaultVal string) *IPOpt {
+	o := &IPOpt{
+		IP: ref,
+	}
+	o.Set(defaultVal)
+	return o
+}
+
+// Set sets an IPv4 or IPv6 address from a given string. If the given
+// string is not parsable as an IP address it returns an error.
+func (o *IPOpt) Set(val string) error {
+	ip := net.ParseIP(val)
+	if ip == nil {
+		return fmt.Errorf("%s is not an ip address", val)
+	}
+	*o.IP = ip
+	return nil
+}
+
+// String returns the IP address stored in the IPOpt. If stored IP is a
+// nil pointer, it returns an empty string.
+func (o *IPOpt) String() string {
+	if *o.IP == nil {
+		return ""
+	}
+	return o.IP.String()
+}
+
+// Type returns the type of the option
+func (o *IPOpt) Type() string {
+	return "ip"
+}
diff --git a/engine/opts/ip_test.go b/engine/opts/ip_test.go
new file mode 100644
index 00000000..966d7f21
--- /dev/null
+++ b/engine/opts/ip_test.go
@@ -0,0 +1,54 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"net"
+	"testing"
+)
+
+func TestIpOptString(t *testing.T) {
+	addresses := []string{"", "0.0.0.0"}
+	var ip net.IP
+
+	for _, address := range addresses {
+		stringAddress := NewIPOpt(&ip, address).String()
+		if stringAddress != address {
+			t.Fatalf("IpOpt string should be `%s`, not `%s`", address, stringAddress)
+		}
+	}
+}
+
+func TestNewIpOptInvalidDefaultVal(t *testing.T) {
+	ip := net.IPv4(127, 0, 0, 1)
+	defaultVal := "Not an ip"
+
+	ipOpt := NewIPOpt(&ip, defaultVal)
+
+	expected := "127.0.0.1"
+	if ipOpt.String() != expected {
+		t.Fatalf("Expected [%v], got [%v]", expected, ipOpt.String())
+	}
+}
+
+func TestNewIpOptValidDefaultVal(t *testing.T) {
+	ip := net.IPv4(127, 0, 0, 1)
+	defaultVal := "192.168.1.1"
+
+	ipOpt := NewIPOpt(&ip, defaultVal)
+
+	expected := "192.168.1.1"
+	if ipOpt.String() != expected {
+		t.Fatalf("Expected [%v], got [%v]", expected, ipOpt.String())
+	}
+}
+
+func TestIpOptSetInvalidVal(t *testing.T) {
+	ip := net.IPv4(127, 0, 0, 1)
+	ipOpt := &IPOpt{IP: &ip}
+
+	invalidIP := "invalid ip"
+	expectedError := "invalid ip is not an ip address"
+	err := ipOpt.Set(invalidIP)
+	if err == nil || err.Error() != expectedError {
+		t.Fatalf("Expected an Error with [%v], got [%v]", expectedError, err.Error())
+	}
+}
diff --git a/engine/opts/opts.go b/engine/opts/opts.go
new file mode 100644
index 00000000..de8aacb8
--- /dev/null
+++ b/engine/opts/opts.go
@@ -0,0 +1,337 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"fmt"
+	"net"
+	"path"
+	"regexp"
+	"strings"
+
+	"github.com/docker/go-units"
+)
+
+var (
+	alphaRegexp  = regexp.MustCompile(`[a-zA-Z]`)
+	domainRegexp = regexp.MustCompile(`^(:?(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]))(:?\.(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])))*)\.?\s*$`)
+)
+
+// ListOpts holds a list of values and a validation function.
+type ListOpts struct {
+	values    *[]string
+	validator ValidatorFctType
+}
+
+// NewListOpts creates a new ListOpts with the specified validator.
+func NewListOpts(validator ValidatorFctType) ListOpts {
+	var values []string
+	return *NewListOptsRef(&values, validator)
+}
+
+// NewListOptsRef creates a new ListOpts with the specified values and validator.
+func NewListOptsRef(values *[]string, validator ValidatorFctType) *ListOpts {
+	return &ListOpts{
+		values:    values,
+		validator: validator,
+	}
+}
+
+func (opts *ListOpts) String() string {
+	if len(*opts.values) == 0 {
+		return ""
+	}
+	return fmt.Sprintf("%v", *opts.values)
+}
+
+// Set validates if needed the input value and adds it to the
+// internal slice.
+func (opts *ListOpts) Set(value string) error {
+	if opts.validator != nil {
+		v, err := opts.validator(value)
+		if err != nil {
+			return err
+		}
+		value = v
+	}
+	*opts.values = append(*opts.values, value)
+	return nil
+}
+
+// Delete removes the specified element from the slice.
+func (opts *ListOpts) Delete(key string) {
+	for i, k := range *opts.values {
+		if k == key {
+			*opts.values = append((*opts.values)[:i], (*opts.values)[i+1:]...)
+			return
+		}
+	}
+}
+
+// GetMap returns the content of values in a map in order to avoid
+// duplicates.
+func (opts *ListOpts) GetMap() map[string]struct{} {
+	ret := make(map[string]struct{})
+	for _, k := range *opts.values {
+		ret[k] = struct{}{}
+	}
+	return ret
+}
+
+// GetAll returns the values of slice.
+func (opts *ListOpts) GetAll() []string {
+	return *opts.values
+}
+
+// GetAllOrEmpty returns the values of the slice
+// or an empty slice when there are no values.
+func (opts *ListOpts) GetAllOrEmpty() []string {
+	v := *opts.values
+	if v == nil {
+		return make([]string, 0)
+	}
+	return v
+}
+
+// Get checks the existence of the specified key.
+func (opts *ListOpts) Get(key string) bool {
+	for _, k := range *opts.values {
+		if k == key {
+			return true
+		}
+	}
+	return false
+}
+
+// Len returns the amount of element in the slice.
+func (opts *ListOpts) Len() int {
+	return len(*opts.values)
+}
+
+// Type returns a string name for this Option type
+func (opts *ListOpts) Type() string {
+	return "list"
+}
+
+// WithValidator returns the ListOpts with validator set.
+func (opts *ListOpts) WithValidator(validator ValidatorFctType) *ListOpts {
+	opts.validator = validator
+	return opts
+}
+
+// NamedOption is an interface that list and map options
+// with names implement.
+type NamedOption interface {
+	Name() string
+}
+
+// NamedListOpts is a ListOpts with a configuration name.
+// This struct is useful to keep reference to the assigned
+// field name in the internal configuration struct.
+type NamedListOpts struct {
+	name string
+	ListOpts
+}
+
+var _ NamedOption = &NamedListOpts{}
+
+// NewNamedListOptsRef creates a reference to a new NamedListOpts struct.
+func NewNamedListOptsRef(name string, values *[]string, validator ValidatorFctType) *NamedListOpts {
+	return &NamedListOpts{
+		name:     name,
+		ListOpts: *NewListOptsRef(values, validator),
+	}
+}
+
+// Name returns the name of the NamedListOpts in the configuration.
+func (o *NamedListOpts) Name() string {
+	return o.name
+}
+
+// MapOpts holds a map of values and a validation function.
+type MapOpts struct {
+	values    map[string]string
+	validator ValidatorFctType
+}
+
+// Set validates if needed the input value and add it to the
+// internal map, by splitting on '='.
+func (opts *MapOpts) Set(value string) error {
+	if opts.validator != nil {
+		v, err := opts.validator(value)
+		if err != nil {
+			return err
+		}
+		value = v
+	}
+	vals := strings.SplitN(value, "=", 2)
+	if len(vals) == 1 {
+		(opts.values)[vals[0]] = ""
+	} else {
+		(opts.values)[vals[0]] = vals[1]
+	}
+	return nil
+}
+
+// GetAll returns the values of MapOpts as a map.
+func (opts *MapOpts) GetAll() map[string]string {
+	return opts.values
+}
+
+func (opts *MapOpts) String() string {
+	return fmt.Sprintf("%v", opts.values)
+}
+
+// Type returns a string name for this Option type
+func (opts *MapOpts) Type() string {
+	return "map"
+}
+
+// NewMapOpts creates a new MapOpts with the specified map of values and a validator.
+func NewMapOpts(values map[string]string, validator ValidatorFctType) *MapOpts {
+	if values == nil {
+		values = make(map[string]string)
+	}
+	return &MapOpts{
+		values:    values,
+		validator: validator,
+	}
+}
+
+// NamedMapOpts is a MapOpts struct with a configuration name.
+// This struct is useful to keep reference to the assigned
+// field name in the internal configuration struct.
+type NamedMapOpts struct {
+	name string
+	MapOpts
+}
+
+var _ NamedOption = &NamedMapOpts{}
+
+// NewNamedMapOpts creates a reference to a new NamedMapOpts struct.
+func NewNamedMapOpts(name string, values map[string]string, validator ValidatorFctType) *NamedMapOpts {
+	return &NamedMapOpts{
+		name:    name,
+		MapOpts: *NewMapOpts(values, validator),
+	}
+}
+
+// Name returns the name of the NamedMapOpts in the configuration.
+func (o *NamedMapOpts) Name() string {
+	return o.name
+}
+
+// ValidatorFctType defines a validator function that returns a validated string and/or an error.
+type ValidatorFctType func(val string) (string, error)
+
+// ValidatorFctListType defines a validator function that returns a validated list of string and/or an error
+type ValidatorFctListType func(val string) ([]string, error)
+
+// ValidateIPAddress validates an Ip address.
+func ValidateIPAddress(val string) (string, error) {
+	var ip = net.ParseIP(strings.TrimSpace(val))
+	if ip != nil {
+		return ip.String(), nil
+	}
+	return "", fmt.Errorf("%s is not an ip address", val)
+}
+
+// ValidateDNSSearch validates domain for resolvconf search configuration.
+// A zero length domain is represented by a dot (.).
+func ValidateDNSSearch(val string) (string, error) {
+	if val = strings.Trim(val, " "); val == "." {
+		return val, nil
+	}
+	return validateDomain(val)
+}
+
+func validateDomain(val string) (string, error) {
+	if alphaRegexp.FindString(val) == "" {
+		return "", fmt.Errorf("%s is not a valid domain", val)
+	}
+	ns := domainRegexp.FindSubmatch([]byte(val))
+	if len(ns) > 0 && len(ns[1]) < 255 {
+		return string(ns[1]), nil
+	}
+	return "", fmt.Errorf("%s is not a valid domain", val)
+}
+
+// ValidateLabel validates that the specified string is a valid label, and returns it.
+// Labels are in the form on key=value.
+func ValidateLabel(val string) (string, error) {
+	if strings.Count(val, "=") < 1 {
+		return "", fmt.Errorf("bad attribute format: %s", val)
+	}
+	return val, nil
+}
+
+// ValidateSingleGenericResource validates that a single entry in the
+// generic resource list is valid.
+// i.e 'GPU=UID1' is valid however 'GPU:UID1' or 'UID1' isn't
+func ValidateSingleGenericResource(val string) (string, error) {
+	if strings.Count(val, "=") < 1 {
+		return "", fmt.Errorf("invalid node-generic-resource format `%s` expected `name=value`", val)
+	}
+	return val, nil
+}
+
+// ParseLink parses and validates the specified string as a link format (name:alias)
+func ParseLink(val string) (string, string, error) {
+	if val == "" {
+		return "", "", fmt.Errorf("empty string specified for links")
+	}
+	arr := strings.Split(val, ":")
+	if len(arr) > 2 {
+		return "", "", fmt.Errorf("bad format for links: %s", val)
+	}
+	if len(arr) == 1 {
+		return val, val, nil
+	}
+	// This is kept because we can actually get a HostConfig with links
+	// from an already created container and the format is not `foo:bar`
+	// but `/foo:/c1/bar`
+	if strings.HasPrefix(arr[0], "/") {
+		_, alias := path.Split(arr[1])
+		return arr[0][1:], alias, nil
+	}
+	return arr[0], arr[1], nil
+}
+
+// MemBytes is a type for human readable memory bytes (like 128M, 2g, etc)
+type MemBytes int64
+
+// String returns the string format of the human readable memory bytes
+func (m *MemBytes) String() string {
+	// NOTE: In spf13/pflag/flag.go, "0" is considered as "zero value" while "0 B" is not.
+	// We return "0" in case value is 0 here so that the default value is hidden.
+	// (Sometimes "default 0 B" is actually misleading)
+	if m.Value() != 0 {
+		return units.BytesSize(float64(m.Value()))
+	}
+	return "0"
+}
+
+// Set sets the value of the MemBytes by passing a string
+func (m *MemBytes) Set(value string) error {
+	val, err := units.RAMInBytes(value)
+	*m = MemBytes(val)
+	return err
+}
+
+// Type returns the type
+func (m *MemBytes) Type() string {
+	return "bytes"
+}
+
+// Value returns the value in int64
+func (m *MemBytes) Value() int64 {
+	return int64(*m)
+}
+
+// UnmarshalJSON is the customized unmarshaler for MemBytes
+func (m *MemBytes) UnmarshalJSON(s []byte) error {
+	if len(s) <= 2 || s[0] != '"' || s[len(s)-1] != '"' {
+		return fmt.Errorf("invalid size: %q", s)
+	}
+	val, err := units.RAMInBytes(string(s[1 : len(s)-1]))
+	*m = MemBytes(val)
+	return err
+}
diff --git a/engine/opts/opts_test.go b/engine/opts/opts_test.go
new file mode 100644
index 00000000..577395ed
--- /dev/null
+++ b/engine/opts/opts_test.go
@@ -0,0 +1,264 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+)
+
+func TestValidateIPAddress(t *testing.T) {
+	if ret, err := ValidateIPAddress(`1.2.3.4`); err != nil || ret == "" {
+		t.Fatalf("ValidateIPAddress(`1.2.3.4`) got %s %s", ret, err)
+	}
+
+	if ret, err := ValidateIPAddress(`127.0.0.1`); err != nil || ret == "" {
+		t.Fatalf("ValidateIPAddress(`127.0.0.1`) got %s %s", ret, err)
+	}
+
+	if ret, err := ValidateIPAddress(`::1`); err != nil || ret == "" {
+		t.Fatalf("ValidateIPAddress(`::1`) got %s %s", ret, err)
+	}
+
+	if ret, err := ValidateIPAddress(`127`); err == nil || ret != "" {
+		t.Fatalf("ValidateIPAddress(`127`) got %s %s", ret, err)
+	}
+
+	if ret, err := ValidateIPAddress(`random invalid string`); err == nil || ret != "" {
+		t.Fatalf("ValidateIPAddress(`random invalid string`) got %s %s", ret, err)
+	}
+
+}
+
+func TestMapOpts(t *testing.T) {
+	tmpMap := make(map[string]string)
+	o := NewMapOpts(tmpMap, logOptsValidator)
+	o.Set("max-size=1")
+	if o.String() != "map[max-size:1]" {
+		t.Errorf("%s != [map[max-size:1]", o.String())
+	}
+
+	o.Set("max-file=2")
+	if len(tmpMap) != 2 {
+		t.Errorf("map length %d != 2", len(tmpMap))
+	}
+
+	if tmpMap["max-file"] != "2" {
+		t.Errorf("max-file = %s != 2", tmpMap["max-file"])
+	}
+
+	if tmpMap["max-size"] != "1" {
+		t.Errorf("max-size = %s != 1", tmpMap["max-size"])
+	}
+	if o.Set("dummy-val=3") == nil {
+		t.Error("validator is not being called")
+	}
+}
+
+func TestListOptsWithoutValidator(t *testing.T) {
+	o := NewListOpts(nil)
+	o.Set("foo")
+	if o.String() != "[foo]" {
+		t.Errorf("%s != [foo]", o.String())
+	}
+	o.Set("bar")
+	if o.Len() != 2 {
+		t.Errorf("%d != 2", o.Len())
+	}
+	o.Set("bar")
+	if o.Len() != 3 {
+		t.Errorf("%d != 3", o.Len())
+	}
+	if !o.Get("bar") {
+		t.Error("o.Get(\"bar\") == false")
+	}
+	if o.Get("baz") {
+		t.Error("o.Get(\"baz\") == true")
+	}
+	o.Delete("foo")
+	if o.String() != "[bar bar]" {
+		t.Errorf("%s != [bar bar]", o.String())
+	}
+	listOpts := o.GetAll()
+	if len(listOpts) != 2 || listOpts[0] != "bar" || listOpts[1] != "bar" {
+		t.Errorf("Expected [[bar bar]], got [%v]", listOpts)
+	}
+	mapListOpts := o.GetMap()
+	if len(mapListOpts) != 1 {
+		t.Errorf("Expected [map[bar:{}]], got [%v]", mapListOpts)
+	}
+
+}
+
+func TestListOptsWithValidator(t *testing.T) {
+	// Re-using logOptsvalidator (used by MapOpts)
+	o := NewListOpts(logOptsValidator)
+	o.Set("foo")
+	if o.String() != "" {
+		t.Errorf(`%s != ""`, o.String())
+	}
+	o.Set("foo=bar")
+	if o.String() != "" {
+		t.Errorf(`%s != ""`, o.String())
+	}
+	o.Set("max-file=2")
+	if o.Len() != 1 {
+		t.Errorf("%d != 1", o.Len())
+	}
+	if !o.Get("max-file=2") {
+		t.Error("o.Get(\"max-file=2\") == false")
+	}
+	if o.Get("baz") {
+		t.Error("o.Get(\"baz\") == true")
+	}
+	o.Delete("max-file=2")
+	if o.String() != "" {
+		t.Errorf(`%s != ""`, o.String())
+	}
+}
+
+func TestValidateDNSSearch(t *testing.T) {
+	valid := []string{
+		`.`,
+		`a`,
+		`a.`,
+		`1.foo`,
+		`17.foo`,
+		`foo.bar`,
+		`foo.bar.baz`,
+		`foo.bar.`,
+		`foo.bar.baz`,
+		`foo1.bar2`,
+		`foo1.bar2.baz`,
+		`1foo.2bar.`,
+		`1foo.2bar.baz`,
+		`foo-1.bar-2`,
+		`foo-1.bar-2.baz`,
+		`foo-1.bar-2.`,
+		`foo-1.bar-2.baz`,
+		`1-foo.2-bar`,
+		`1-foo.2-bar.baz`,
+		`1-foo.2-bar.`,
+		`1-foo.2-bar.baz`,
+	}
+
+	invalid := []string{
+		``,
+		` `,
+		`  `,
+		`17`,
+		`17.`,
+		`.17`,
+		`17-.`,
+		`17-.foo`,
+		`.foo`,
+		`foo-.bar`,
+		`-foo.bar`,
+		`foo.bar-`,
+		`foo.bar-.baz`,
+		`foo.-bar`,
+		`foo.-bar.baz`,
+		`foo.bar.baz.this.should.fail.on.long.name.because.it.is.longer.thanitshouldbethis.should.fail.on.long.name.because.it.is.longer.thanitshouldbethis.should.fail.on.long.name.because.it.is.longer.thanitshouldbethis.should.fail.on.long.name.because.it.is.longer.thanitshouldbe`,
+	}
+
+	for _, domain := range valid {
+		if ret, err := ValidateDNSSearch(domain); err != nil || ret == "" {
+			t.Fatalf("ValidateDNSSearch(`"+domain+"`) got %s %s", ret, err)
+		}
+	}
+
+	for _, domain := range invalid {
+		if ret, err := ValidateDNSSearch(domain); err == nil || ret != "" {
+			t.Fatalf("ValidateDNSSearch(`"+domain+"`) got %s %s", ret, err)
+		}
+	}
+}
+
+func TestValidateLabel(t *testing.T) {
+	if _, err := ValidateLabel("label"); err == nil || err.Error() != "bad attribute format: label" {
+		t.Fatalf("Expected an error [bad attribute format: label], go %v", err)
+	}
+	if actual, err := ValidateLabel("key1=value1"); err != nil || actual != "key1=value1" {
+		t.Fatalf("Expected [key1=value1], got [%v,%v]", actual, err)
+	}
+	// Validate it's working with more than one =
+	if actual, err := ValidateLabel("key1=value1=value2"); err != nil {
+		t.Fatalf("Expected [key1=value1=value2], got [%v,%v]", actual, err)
+	}
+	// Validate it's working with one more
+	if actual, err := ValidateLabel("key1=value1=value2=value3"); err != nil {
+		t.Fatalf("Expected [key1=value1=value2=value2], got [%v,%v]", actual, err)
+	}
+}
+
+func logOptsValidator(val string) (string, error) {
+	allowedKeys := map[string]string{"max-size": "1", "max-file": "2"}
+	vals := strings.Split(val, "=")
+	if allowedKeys[vals[0]] != "" {
+		return val, nil
+	}
+	return "", fmt.Errorf("invalid key %s", vals[0])
+}
+
+func TestNamedListOpts(t *testing.T) {
+	var v []string
+	o := NewNamedListOptsRef("foo-name", &v, nil)
+
+	o.Set("foo")
+	if o.String() != "[foo]" {
+		t.Errorf("%s != [foo]", o.String())
+	}
+	if o.Name() != "foo-name" {
+		t.Errorf("%s != foo-name", o.Name())
+	}
+	if len(v) != 1 {
+		t.Errorf("expected foo to be in the values, got %v", v)
+	}
+}
+
+func TestNamedMapOpts(t *testing.T) {
+	tmpMap := make(map[string]string)
+	o := NewNamedMapOpts("max-name", tmpMap, nil)
+
+	o.Set("max-size=1")
+	if o.String() != "map[max-size:1]" {
+		t.Errorf("%s != [map[max-size:1]", o.String())
+	}
+	if o.Name() != "max-name" {
+		t.Errorf("%s != max-name", o.Name())
+	}
+	if _, exist := tmpMap["max-size"]; !exist {
+		t.Errorf("expected map-size to be in the values, got %v", tmpMap)
+	}
+}
+
+func TestParseLink(t *testing.T) {
+	name, alias, err := ParseLink("name:alias")
+	if err != nil {
+		t.Fatalf("Expected not to error out on a valid name:alias format but got: %v", err)
+	}
+	if name != "name" {
+		t.Fatalf("Link name should have been name, got %s instead", name)
+	}
+	if alias != "alias" {
+		t.Fatalf("Link alias should have been alias, got %s instead", alias)
+	}
+	// short format definition
+	name, alias, err = ParseLink("name")
+	if err != nil {
+		t.Fatalf("Expected not to error out on a valid name only format but got: %v", err)
+	}
+	if name != "name" {
+		t.Fatalf("Link name should have been name, got %s instead", name)
+	}
+	if alias != "name" {
+		t.Fatalf("Link alias should have been name, got %s instead", alias)
+	}
+	// empty string link definition is not allowed
+	if _, _, err := ParseLink(""); err == nil || !strings.Contains(err.Error(), "empty string specified for links") {
+		t.Fatalf("Expected error 'empty string specified for links' but got: %v", err)
+	}
+	// more than two colons are not allowed
+	if _, _, err := ParseLink("link:alias:wrong"); err == nil || !strings.Contains(err.Error(), "bad format for links: link:alias:wrong") {
+		t.Fatalf("Expected error 'bad format for links: link:alias:wrong' but got: %v", err)
+	}
+}
diff --git a/engine/opts/opts_unix.go b/engine/opts/opts_unix.go
new file mode 100644
index 00000000..0c32367c
--- /dev/null
+++ b/engine/opts/opts_unix.go
@@ -0,0 +1,6 @@
+// +build !windows
+
+package opts // import "github.com/docker/docker/opts"
+
+// DefaultHTTPHost Default HTTP Host used if only port is provided to -H flag e.g. dockerd -H tcp://:8080
+const DefaultHTTPHost = "localhost"
diff --git a/engine/opts/opts_windows.go b/engine/opts/opts_windows.go
new file mode 100644
index 00000000..0e1b6c6d
--- /dev/null
+++ b/engine/opts/opts_windows.go
@@ -0,0 +1,56 @@
+package opts // import "github.com/docker/docker/opts"
+
+// TODO Windows. Identify bug in GOLang 1.5.1+ and/or Windows Server 2016 TP5.
+// @jhowardmsft, @swernli.
+//
+// On Windows, this mitigates a problem with the default options of running
+// a docker client against a local docker daemon on TP5.
+//
+// What was found that if the default host is "localhost", even if the client
+// (and daemon as this is local) is not physically on a network, and the DNS
+// cache is flushed (ipconfig /flushdns), then the client will pause for
+// exactly one second when connecting to the daemon for calls. For example
+// using docker run windowsservercore cmd, the CLI will send a create followed
+// by an attach. You see the delay between the attach finishing and the attach
+// being seen by the daemon.
+//
+// Here's some daemon debug logs with additional debug spew put in. The
+// AfterWriteJSON log is the very last thing the daemon does as part of the
+// create call. The POST /attach is the second CLI call. Notice the second
+// time gap.
+//
+// time="2015-11-06T13:38:37.259627400-08:00" level=debug msg="After createRootfs"
+// time="2015-11-06T13:38:37.263626300-08:00" level=debug msg="After setHostConfig"
+// time="2015-11-06T13:38:37.267631200-08:00" level=debug msg="before createContainerPl...."
+// time="2015-11-06T13:38:37.271629500-08:00" level=debug msg=ToDiskLocking....
+// time="2015-11-06T13:38:37.275643200-08:00" level=debug msg="loggin event...."
+// time="2015-11-06T13:38:37.277627600-08:00" level=debug msg="logged event...."
+// time="2015-11-06T13:38:37.279631800-08:00" level=debug msg="In defer func"
+// time="2015-11-06T13:38:37.282628100-08:00" level=debug msg="After daemon.create"
+// time="2015-11-06T13:38:37.286651700-08:00" level=debug msg="return 2"
+// time="2015-11-06T13:38:37.289629500-08:00" level=debug msg="Returned from daemon.ContainerCreate"
+// time="2015-11-06T13:38:37.311629100-08:00" level=debug msg="After WriteJSON"
+// ... 1 second gap here....
+// time="2015-11-06T13:38:38.317866200-08:00" level=debug msg="Calling POST /v1.22/containers/984758282b842f779e805664b2c95d563adc9a979c8a3973e68c807843ee4757/attach"
+// time="2015-11-06T13:38:38.326882500-08:00" level=info msg="POST /v1.22/containers/984758282b842f779e805664b2c95d563adc9a979c8a3973e68c807843ee4757/attach?stderr=1&stdin=1&stdout=1&stream=1"
+//
+// We suspect this is either a bug introduced in GOLang 1.5.1, or that a change
+// in GOLang 1.5.1 (from 1.4.3) is exposing a bug in Windows. In theory,
+// the Windows networking stack is supposed to resolve "localhost" internally,
+// without hitting DNS, or even reading the hosts file (which is why localhost
+// is commented out in the hosts file on Windows).
+//
+// We have validated that working around this using the actual IPv4 localhost
+// address does not cause the delay.
+//
+// This does not occur with the docker client built with 1.4.3 on the same
+// Windows build, regardless of whether the daemon is built using 1.5.1
+// or 1.4.3. It does not occur on Linux. We also verified we see the same thing
+// on a cross-compiled Windows binary (from Linux).
+//
+// Final note: This is a mitigation, not a 'real' fix. It is still susceptible
+// to the delay if a user were to do 'docker run -H=tcp://localhost:2375...'
+// explicitly.
+
+// DefaultHTTPHost Default HTTP Host used if only port is provided to -H flag e.g. dockerd -H tcp://:8080
+const DefaultHTTPHost = "127.0.0.1"
diff --git a/engine/opts/quotedstring.go b/engine/opts/quotedstring.go
new file mode 100644
index 00000000..6c889070
--- /dev/null
+++ b/engine/opts/quotedstring.go
@@ -0,0 +1,37 @@
+package opts // import "github.com/docker/docker/opts"
+
+// QuotedString is a string that may have extra quotes around the value. The
+// quotes are stripped from the value.
+type QuotedString struct {
+	value *string
+}
+
+// Set sets a new value
+func (s *QuotedString) Set(val string) error {
+	*s.value = trimQuotes(val)
+	return nil
+}
+
+// Type returns the type of the value
+func (s *QuotedString) Type() string {
+	return "string"
+}
+
+func (s *QuotedString) String() string {
+	return *s.value
+}
+
+func trimQuotes(value string) string {
+	lastIndex := len(value) - 1
+	for _, char := range []byte{'\'', '"'} {
+		if value[0] == char && value[lastIndex] == char {
+			return value[1:lastIndex]
+		}
+	}
+	return value
+}
+
+// NewQuotedString returns a new quoted string option
+func NewQuotedString(value *string) *QuotedString {
+	return &QuotedString{value: value}
+}
diff --git a/engine/opts/quotedstring_test.go b/engine/opts/quotedstring_test.go
new file mode 100644
index 00000000..89fed6cf
--- /dev/null
+++ b/engine/opts/quotedstring_test.go
@@ -0,0 +1,30 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestQuotedStringSetWithQuotes(t *testing.T) {
+	value := ""
+	qs := NewQuotedString(&value)
+	assert.Check(t, qs.Set(`"something"`))
+	assert.Check(t, is.Equal("something", qs.String()))
+	assert.Check(t, is.Equal("something", value))
+}
+
+func TestQuotedStringSetWithMismatchedQuotes(t *testing.T) {
+	value := ""
+	qs := NewQuotedString(&value)
+	assert.Check(t, qs.Set(`"something'`))
+	assert.Check(t, is.Equal(`"something'`, qs.String()))
+}
+
+func TestQuotedStringSetWithNoQuotes(t *testing.T) {
+	value := ""
+	qs := NewQuotedString(&value)
+	assert.Check(t, qs.Set("something"))
+	assert.Check(t, is.Equal("something", qs.String()))
+}
diff --git a/engine/opts/runtime.go b/engine/opts/runtime.go
new file mode 100644
index 00000000..4b9babf0
--- /dev/null
+++ b/engine/opts/runtime.go
@@ -0,0 +1,79 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+)
+
+// RuntimeOpt defines a map of Runtimes
+type RuntimeOpt struct {
+	name             string
+	stockRuntimeName string
+	values           *map[string]types.Runtime
+}
+
+// NewNamedRuntimeOpt creates a new RuntimeOpt
+func NewNamedRuntimeOpt(name string, ref *map[string]types.Runtime, stockRuntime string) *RuntimeOpt {
+	if ref == nil {
+		ref = &map[string]types.Runtime{}
+	}
+	return &RuntimeOpt{name: name, values: ref, stockRuntimeName: stockRuntime}
+}
+
+// Name returns the name of the NamedListOpts in the configuration.
+func (o *RuntimeOpt) Name() string {
+	return o.name
+}
+
+// Set validates and updates the list of Runtimes
+func (o *RuntimeOpt) Set(val string) error {
+	parts := strings.SplitN(val, "=", 2)
+	if len(parts) != 2 {
+		return fmt.Errorf("invalid runtime argument: %s", val)
+	}
+
+	parts[0] = strings.TrimSpace(parts[0])
+	parts[1] = strings.TrimSpace(parts[1])
+	if parts[0] == "" || parts[1] == "" {
+		return fmt.Errorf("invalid runtime argument: %s", val)
+	}
+
+	parts[0] = strings.ToLower(parts[0])
+	if parts[0] == o.stockRuntimeName {
+		return fmt.Errorf("runtime name '%s' is reserved", o.stockRuntimeName)
+	}
+
+	if _, ok := (*o.values)[parts[0]]; ok {
+		return fmt.Errorf("runtime '%s' was already defined", parts[0])
+	}
+
+	(*o.values)[parts[0]] = types.Runtime{Path: parts[1]}
+
+	return nil
+}
+
+// String returns Runtime values as a string.
+func (o *RuntimeOpt) String() string {
+	var out []string
+	for k := range *o.values {
+		out = append(out, k)
+	}
+
+	return fmt.Sprintf("%v", out)
+}
+
+// GetMap returns a map of Runtimes (name: path)
+func (o *RuntimeOpt) GetMap() map[string]types.Runtime {
+	if o.values != nil {
+		return *o.values
+	}
+
+	return map[string]types.Runtime{}
+}
+
+// Type returns the type of the option
+func (o *RuntimeOpt) Type() string {
+	return "runtime"
+}
diff --git a/engine/opts/ulimit.go b/engine/opts/ulimit.go
new file mode 100644
index 00000000..0e2a3623
--- /dev/null
+++ b/engine/opts/ulimit.go
@@ -0,0 +1,81 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"fmt"
+
+	"github.com/docker/go-units"
+)
+
+// UlimitOpt defines a map of Ulimits
+type UlimitOpt struct {
+	values *map[string]*units.Ulimit
+}
+
+// NewUlimitOpt creates a new UlimitOpt
+func NewUlimitOpt(ref *map[string]*units.Ulimit) *UlimitOpt {
+	if ref == nil {
+		ref = &map[string]*units.Ulimit{}
+	}
+	return &UlimitOpt{ref}
+}
+
+// Set validates a Ulimit and sets its name as a key in UlimitOpt
+func (o *UlimitOpt) Set(val string) error {
+	l, err := units.ParseUlimit(val)
+	if err != nil {
+		return err
+	}
+
+	(*o.values)[l.Name] = l
+
+	return nil
+}
+
+// String returns Ulimit values as a string.
+func (o *UlimitOpt) String() string {
+	var out []string
+	for _, v := range *o.values {
+		out = append(out, v.String())
+	}
+
+	return fmt.Sprintf("%v", out)
+}
+
+// GetList returns a slice of pointers to Ulimits.
+func (o *UlimitOpt) GetList() []*units.Ulimit {
+	var ulimits []*units.Ulimit
+	for _, v := range *o.values {
+		ulimits = append(ulimits, v)
+	}
+
+	return ulimits
+}
+
+// Type returns the option type
+func (o *UlimitOpt) Type() string {
+	return "ulimit"
+}
+
+// NamedUlimitOpt defines a named map of Ulimits
+type NamedUlimitOpt struct {
+	name string
+	UlimitOpt
+}
+
+var _ NamedOption = &NamedUlimitOpt{}
+
+// NewNamedUlimitOpt creates a new NamedUlimitOpt
+func NewNamedUlimitOpt(name string, ref *map[string]*units.Ulimit) *NamedUlimitOpt {
+	if ref == nil {
+		ref = &map[string]*units.Ulimit{}
+	}
+	return &NamedUlimitOpt{
+		name:      name,
+		UlimitOpt: *NewUlimitOpt(ref),
+	}
+}
+
+// Name returns the option name
+func (o *NamedUlimitOpt) Name() string {
+	return o.name
+}
diff --git a/engine/opts/ulimit_test.go b/engine/opts/ulimit_test.go
new file mode 100644
index 00000000..41e12627
--- /dev/null
+++ b/engine/opts/ulimit_test.go
@@ -0,0 +1,42 @@
+package opts // import "github.com/docker/docker/opts"
+
+import (
+	"testing"
+
+	"github.com/docker/go-units"
+)
+
+func TestUlimitOpt(t *testing.T) {
+	ulimitMap := map[string]*units.Ulimit{
+		"nofile": {"nofile", 1024, 512},
+	}
+
+	ulimitOpt := NewUlimitOpt(&ulimitMap)
+
+	expected := "[nofile=512:1024]"
+	if ulimitOpt.String() != expected {
+		t.Fatalf("Expected %v, got %v", expected, ulimitOpt)
+	}
+
+	// Valid ulimit append to opts
+	if err := ulimitOpt.Set("core=1024:1024"); err != nil {
+		t.Fatal(err)
+	}
+
+	// Invalid ulimit type returns an error and do not append to opts
+	if err := ulimitOpt.Set("notavalidtype=1024:1024"); err == nil {
+		t.Fatalf("Expected error on invalid ulimit type")
+	}
+	expected = "[nofile=512:1024 core=1024:1024]"
+	expected2 := "[core=1024:1024 nofile=512:1024]"
+	result := ulimitOpt.String()
+	if result != expected && result != expected2 {
+		t.Fatalf("Expected %v or %v, got %v", expected, expected2, ulimitOpt)
+	}
+
+	// And test GetList
+	ulimits := ulimitOpt.GetList()
+	if len(ulimits) != 2 {
+		t.Fatalf("Expected a ulimit list of 2, got %v", ulimits)
+	}
+}
diff --git a/engine/pkg/README.md b/engine/pkg/README.md
new file mode 100644
index 00000000..755cd968
--- /dev/null
+++ b/engine/pkg/README.md
@@ -0,0 +1,11 @@
+pkg/ is a collection of utility packages used by the Moby project without being specific to its internals.
+
+Utility packages are kept separate from the moby core codebase to keep it as small and concise as possible.
+If some utilities grow larger and their APIs stabilize, they may be moved to their own repository under the
+Moby organization, to facilitate re-use by other projects. However that is not the priority.
+
+The directory `pkg` is named after the same directory in the camlistore project. Since Brad is a core
+Go maintainer, we thought it made sense to copy his methods for organizing Go code :) Thanks Brad!
+
+Because utility packages are small and neatly separated from the rest of the codebase, they are a good
+place to start for aspiring maintainers and contributors. Get in touch if you want to help maintain them!
diff --git a/engine/pkg/aaparser/aaparser.go b/engine/pkg/aaparser/aaparser.go
new file mode 100644
index 00000000..9c12e8db
--- /dev/null
+++ b/engine/pkg/aaparser/aaparser.go
@@ -0,0 +1,89 @@
+// Package aaparser is a convenience package interacting with `apparmor_parser`.
+package aaparser // import "github.com/docker/docker/pkg/aaparser"
+
+import (
+	"fmt"
+	"os/exec"
+	"strconv"
+	"strings"
+)
+
+const (
+	binary = "apparmor_parser"
+)
+
+// GetVersion returns the major and minor version of apparmor_parser.
+func GetVersion() (int, error) {
+	output, err := cmd("", "--version")
+	if err != nil {
+		return -1, err
+	}
+
+	return parseVersion(output)
+}
+
+// LoadProfile runs `apparmor_parser -Kr` on a specified apparmor profile to
+// replace the profile. The `-K` is necessary to make sure that apparmor_parser
+// doesn't try to write to a read-only filesystem.
+func LoadProfile(profilePath string) error {
+	_, err := cmd("", "-Kr", profilePath)
+	return err
+}
+
+// cmd runs `apparmor_parser` with the passed arguments.
+func cmd(dir string, arg ...string) (string, error) {
+	c := exec.Command(binary, arg...)
+	c.Dir = dir
+
+	output, err := c.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
+	}
+
+	return string(output), nil
+}
+
+// parseVersion takes the output from `apparmor_parser --version` and returns
+// a representation of the {major, minor, patch} version as a single number of
+// the form MMmmPPP {major, minor, patch}.
+func parseVersion(output string) (int, error) {
+	// output is in the form of the following:
+	// AppArmor parser version 2.9.1
+	// Copyright (C) 1999-2008 Novell Inc.
+	// Copyright 2009-2012 Canonical Ltd.
+
+	lines := strings.SplitN(output, "\n", 2)
+	words := strings.Split(lines[0], " ")
+	version := words[len(words)-1]
+
+	// split by major minor version
+	v := strings.Split(version, ".")
+	if len(v) == 0 || len(v) > 3 {
+		return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
+	}
+
+	// Default the versions to 0.
+	var majorVersion, minorVersion, patchLevel int
+
+	majorVersion, err := strconv.Atoi(v[0])
+	if err != nil {
+		return -1, err
+	}
+
+	if len(v) > 1 {
+		minorVersion, err = strconv.Atoi(v[1])
+		if err != nil {
+			return -1, err
+		}
+	}
+	if len(v) > 2 {
+		patchLevel, err = strconv.Atoi(v[2])
+		if err != nil {
+			return -1, err
+		}
+	}
+
+	// major*10^5 + minor*10^3 + patch*10^0
+	numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
+	return numericVersion, nil
+}
diff --git a/engine/pkg/aaparser/aaparser_test.go b/engine/pkg/aaparser/aaparser_test.go
new file mode 100644
index 00000000..6d1f7377
--- /dev/null
+++ b/engine/pkg/aaparser/aaparser_test.go
@@ -0,0 +1,73 @@
+package aaparser // import "github.com/docker/docker/pkg/aaparser"
+
+import (
+	"testing"
+)
+
+type versionExpected struct {
+	output  string
+	version int
+}
+
+func TestParseVersion(t *testing.T) {
+	versions := []versionExpected{
+		{
+			output: `AppArmor parser version 2.10
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 210000,
+		},
+		{
+			output: `AppArmor parser version 2.8
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 208000,
+		},
+		{
+			output: `AppArmor parser version 2.20
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 220000,
+		},
+		{
+			output: `AppArmor parser version 2.05
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 205000,
+		},
+		{
+			output: `AppArmor parser version 2.9.95
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 209095,
+		},
+		{
+			output: `AppArmor parser version 3.14.159
+Copyright (C) 1999-2008 Novell Inc.
+Copyright 2009-2012 Canonical Ltd.
+
+`,
+			version: 314159,
+		},
+	}
+
+	for _, v := range versions {
+		version, err := parseVersion(v.output)
+		if err != nil {
+			t.Fatalf("expected error to be nil for %#v, got: %v", v, err)
+		}
+		if version != v.version {
+			t.Fatalf("expected version to be %d, was %d, for: %#v\n", v.version, version, v)
+		}
+	}
+}
diff --git a/engine/pkg/archive/README.md b/engine/pkg/archive/README.md
new file mode 100644
index 00000000..7307d969
--- /dev/null
+++ b/engine/pkg/archive/README.md
@@ -0,0 +1 @@
+This code provides helper functions for dealing with archive files.
diff --git a/engine/pkg/archive/archive.go b/engine/pkg/archive/archive.go
new file mode 100644
index 00000000..daddebde
--- /dev/null
+++ b/engine/pkg/archive/archive.go
@@ -0,0 +1,1291 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"bufio"
+	"bytes"
+	"compress/bzip2"
+	"compress/gzip"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/docker/docker/pkg/fileutils"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/pools"
+	"github.com/docker/docker/pkg/system"
+	"github.com/sirupsen/logrus"
+)
+
+var unpigzPath string
+
+func init() {
+	if path, err := exec.LookPath("unpigz"); err != nil {
+		logrus.Debug("unpigz binary not found in PATH, falling back to go gzip library")
+	} else {
+		logrus.Debugf("Using unpigz binary found at path %s", path)
+		unpigzPath = path
+	}
+}
+
+type (
+	// Compression is the state represents if compressed or not.
+	Compression int
+	// WhiteoutFormat is the format of whiteouts unpacked
+	WhiteoutFormat int
+
+	// TarOptions wraps the tar options.
+	TarOptions struct {
+		IncludeFiles     []string
+		ExcludePatterns  []string
+		Compression      Compression
+		NoLchown         bool
+		UIDMaps          []idtools.IDMap
+		GIDMaps          []idtools.IDMap
+		ChownOpts        *idtools.IDPair
+		IncludeSourceDir bool
+		// WhiteoutFormat is the expected on disk format for whiteout files.
+		// This format will be converted to the standard format on pack
+		// and from the standard format on unpack.
+		WhiteoutFormat WhiteoutFormat
+		// When unpacking, specifies whether overwriting a directory with a
+		// non-directory is allowed and vice versa.
+		NoOverwriteDirNonDir bool
+		// For each include when creating an archive, the included name will be
+		// replaced with the matching name from this map.
+		RebaseNames map[string]string
+		InUserNS    bool
+	}
+)
+
+// Archiver implements the Archiver interface and allows the reuse of most utility functions of
+// this package with a pluggable Untar function. Also, to facilitate the passing of specific id
+// mappings for untar, an Archiver can be created with maps which will then be passed to Untar operations.
+type Archiver struct {
+	Untar         func(io.Reader, string, *TarOptions) error
+	IDMappingsVar *idtools.IDMappings
+}
+
+// NewDefaultArchiver returns a new Archiver without any IDMappings
+func NewDefaultArchiver() *Archiver {
+	return &Archiver{Untar: Untar, IDMappingsVar: &idtools.IDMappings{}}
+}
+
+// breakoutError is used to differentiate errors related to breaking out
+// When testing archive breakout in the unit tests, this error is expected
+// in order for the test to pass.
+type breakoutError error
+
+const (
+	// Uncompressed represents the uncompressed.
+	Uncompressed Compression = iota
+	// Bzip2 is bzip2 compression algorithm.
+	Bzip2
+	// Gzip is gzip compression algorithm.
+	Gzip
+	// Xz is xz compression algorithm.
+	Xz
+)
+
+const (
+	// AUFSWhiteoutFormat is the default format for whiteouts
+	AUFSWhiteoutFormat WhiteoutFormat = iota
+	// OverlayWhiteoutFormat formats whiteout according to the overlay
+	// standard.
+	OverlayWhiteoutFormat
+)
+
+const (
+	modeISDIR  = 040000  // Directory
+	modeISFIFO = 010000  // FIFO
+	modeISREG  = 0100000 // Regular file
+	modeISLNK  = 0120000 // Symbolic link
+	modeISBLK  = 060000  // Block special file
+	modeISCHR  = 020000  // Character special file
+	modeISSOCK = 0140000 // Socket
+)
+
+// IsArchivePath checks if the (possibly compressed) file at the given path
+// starts with a tar file header.
+func IsArchivePath(path string) bool {
+	file, err := os.Open(path)
+	if err != nil {
+		return false
+	}
+	defer file.Close()
+	rdr, err := DecompressStream(file)
+	if err != nil {
+		return false
+	}
+	defer rdr.Close()
+	r := tar.NewReader(rdr)
+	_, err = r.Next()
+	return err == nil
+}
+
+// DetectCompression detects the compression algorithm of the source.
+func DetectCompression(source []byte) Compression {
+	for compression, m := range map[Compression][]byte{
+		Bzip2: {0x42, 0x5A, 0x68},
+		Gzip:  {0x1F, 0x8B, 0x08},
+		Xz:    {0xFD, 0x37, 0x7A, 0x58, 0x5A, 0x00},
+	} {
+		if len(source) < len(m) {
+			logrus.Debug("Len too short")
+			continue
+		}
+		if bytes.Equal(m, source[:len(m)]) {
+			return compression
+		}
+	}
+	return Uncompressed
+}
+
+func xzDecompress(ctx context.Context, archive io.Reader) (io.ReadCloser, error) {
+	args := []string{"xz", "-d", "-c", "-q"}
+
+	return cmdStream(exec.CommandContext(ctx, args[0], args[1:]...), archive)
+}
+
+func gzDecompress(ctx context.Context, buf io.Reader) (io.ReadCloser, error) {
+	if unpigzPath == "" {
+		return gzip.NewReader(buf)
+	}
+
+	disablePigzEnv := os.Getenv("MOBY_DISABLE_PIGZ")
+	if disablePigzEnv != "" {
+		if disablePigz, err := strconv.ParseBool(disablePigzEnv); err != nil {
+			return nil, err
+		} else if disablePigz {
+			return gzip.NewReader(buf)
+		}
+	}
+
+	return cmdStream(exec.CommandContext(ctx, unpigzPath, "-d", "-c"), buf)
+}
+
+func wrapReadCloser(readBuf io.ReadCloser, cancel context.CancelFunc) io.ReadCloser {
+	return ioutils.NewReadCloserWrapper(readBuf, func() error {
+		cancel()
+		return readBuf.Close()
+	})
+}
+
+// DecompressStream decompresses the archive and returns a ReaderCloser with the decompressed archive.
+func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
+	p := pools.BufioReader32KPool
+	buf := p.Get(archive)
+	bs, err := buf.Peek(10)
+	if err != nil && err != io.EOF {
+		// Note: we'll ignore any io.EOF error because there are some odd
+		// cases where the layer.tar file will be empty (zero bytes) and
+		// that results in an io.EOF from the Peek() call. So, in those
+		// cases we'll just treat it as a non-compressed stream and
+		// that means just create an empty layer.
+		// See Issue 18170
+		return nil, err
+	}
+
+	compression := DetectCompression(bs)
+	switch compression {
+	case Uncompressed:
+		readBufWrapper := p.NewReadCloserWrapper(buf, buf)
+		return readBufWrapper, nil
+	case Gzip:
+		ctx, cancel := context.WithCancel(context.Background())
+
+		gzReader, err := gzDecompress(ctx, buf)
+		if err != nil {
+			cancel()
+			return nil, err
+		}
+		readBufWrapper := p.NewReadCloserWrapper(buf, gzReader)
+		return wrapReadCloser(readBufWrapper, cancel), nil
+	case Bzip2:
+		bz2Reader := bzip2.NewReader(buf)
+		readBufWrapper := p.NewReadCloserWrapper(buf, bz2Reader)
+		return readBufWrapper, nil
+	case Xz:
+		ctx, cancel := context.WithCancel(context.Background())
+
+		xzReader, err := xzDecompress(ctx, buf)
+		if err != nil {
+			cancel()
+			return nil, err
+		}
+		readBufWrapper := p.NewReadCloserWrapper(buf, xzReader)
+		return wrapReadCloser(readBufWrapper, cancel), nil
+	default:
+		return nil, fmt.Errorf("Unsupported compression format %s", (&compression).Extension())
+	}
+}
+
+// CompressStream compresses the dest with specified compression algorithm.
+func CompressStream(dest io.Writer, compression Compression) (io.WriteCloser, error) {
+	p := pools.BufioWriter32KPool
+	buf := p.Get(dest)
+	switch compression {
+	case Uncompressed:
+		writeBufWrapper := p.NewWriteCloserWrapper(buf, buf)
+		return writeBufWrapper, nil
+	case Gzip:
+		gzWriter := gzip.NewWriter(dest)
+		writeBufWrapper := p.NewWriteCloserWrapper(buf, gzWriter)
+		return writeBufWrapper, nil
+	case Bzip2, Xz:
+		// archive/bzip2 does not support writing, and there is no xz support at all
+		// However, this is not a problem as docker only currently generates gzipped tars
+		return nil, fmt.Errorf("Unsupported compression format %s", (&compression).Extension())
+	default:
+		return nil, fmt.Errorf("Unsupported compression format %s", (&compression).Extension())
+	}
+}
+
+// TarModifierFunc is a function that can be passed to ReplaceFileTarWrapper to
+// modify the contents or header of an entry in the archive. If the file already
+// exists in the archive the TarModifierFunc will be called with the Header and
+// a reader which will return the files content. If the file does not exist both
+// header and content will be nil.
+type TarModifierFunc func(path string, header *tar.Header, content io.Reader) (*tar.Header, []byte, error)
+
+// ReplaceFileTarWrapper converts inputTarStream to a new tar stream. Files in the
+// tar stream are modified if they match any of the keys in mods.
+func ReplaceFileTarWrapper(inputTarStream io.ReadCloser, mods map[string]TarModifierFunc) io.ReadCloser {
+	pipeReader, pipeWriter := io.Pipe()
+
+	go func() {
+		tarReader := tar.NewReader(inputTarStream)
+		tarWriter := tar.NewWriter(pipeWriter)
+		defer inputTarStream.Close()
+		defer tarWriter.Close()
+
+		modify := func(name string, original *tar.Header, modifier TarModifierFunc, tarReader io.Reader) error {
+			header, data, err := modifier(name, original, tarReader)
+			switch {
+			case err != nil:
+				return err
+			case header == nil:
+				return nil
+			}
+
+			header.Name = name
+			header.Size = int64(len(data))
+			if err := tarWriter.WriteHeader(header); err != nil {
+				return err
+			}
+			if len(data) != 0 {
+				if _, err := tarWriter.Write(data); err != nil {
+					return err
+				}
+			}
+			return nil
+		}
+
+		var err error
+		var originalHeader *tar.Header
+		for {
+			originalHeader, err = tarReader.Next()
+			if err == io.EOF {
+				break
+			}
+			if err != nil {
+				pipeWriter.CloseWithError(err)
+				return
+			}
+
+			modifier, ok := mods[originalHeader.Name]
+			if !ok {
+				// No modifiers for this file, copy the header and data
+				if err := tarWriter.WriteHeader(originalHeader); err != nil {
+					pipeWriter.CloseWithError(err)
+					return
+				}
+				if _, err := pools.Copy(tarWriter, tarReader); err != nil {
+					pipeWriter.CloseWithError(err)
+					return
+				}
+				continue
+			}
+			delete(mods, originalHeader.Name)
+
+			if err := modify(originalHeader.Name, originalHeader, modifier, tarReader); err != nil {
+				pipeWriter.CloseWithError(err)
+				return
+			}
+		}
+
+		// Apply the modifiers that haven't matched any files in the archive
+		for name, modifier := range mods {
+			if err := modify(name, nil, modifier, nil); err != nil {
+				pipeWriter.CloseWithError(err)
+				return
+			}
+		}
+
+		pipeWriter.Close()
+
+	}()
+	return pipeReader
+}
+
+// Extension returns the extension of a file that uses the specified compression algorithm.
+func (compression *Compression) Extension() string {
+	switch *compression {
+	case Uncompressed:
+		return "tar"
+	case Bzip2:
+		return "tar.bz2"
+	case Gzip:
+		return "tar.gz"
+	case Xz:
+		return "tar.xz"
+	}
+	return ""
+}
+
+// FileInfoHeader creates a populated Header from fi.
+// Compared to archive pkg this function fills in more information.
+// Also, regardless of Go version, this function fills file type bits (e.g. hdr.Mode |= modeISDIR),
+// which have been deleted since Go 1.9 archive/tar.
+func FileInfoHeader(name string, fi os.FileInfo, link string) (*tar.Header, error) {
+	hdr, err := tar.FileInfoHeader(fi, link)
+	if err != nil {
+		return nil, err
+	}
+	hdr.Format = tar.FormatPAX
+	hdr.ModTime = hdr.ModTime.Truncate(time.Second)
+	hdr.AccessTime = time.Time{}
+	hdr.ChangeTime = time.Time{}
+	hdr.Mode = fillGo18FileTypeBits(int64(chmodTarEntry(os.FileMode(hdr.Mode))), fi)
+	name, err = canonicalTarName(name, fi.IsDir())
+	if err != nil {
+		return nil, fmt.Errorf("tar: cannot canonicalize path: %v", err)
+	}
+	hdr.Name = name
+	if err := setHeaderForSpecialDevice(hdr, name, fi.Sys()); err != nil {
+		return nil, err
+	}
+	return hdr, nil
+}
+
+// fillGo18FileTypeBits fills type bits which have been removed on Go 1.9 archive/tar
+// https://github.com/golang/go/commit/66b5a2f
+func fillGo18FileTypeBits(mode int64, fi os.FileInfo) int64 {
+	fm := fi.Mode()
+	switch {
+	case fm.IsRegular():
+		mode |= modeISREG
+	case fi.IsDir():
+		mode |= modeISDIR
+	case fm&os.ModeSymlink != 0:
+		mode |= modeISLNK
+	case fm&os.ModeDevice != 0:
+		if fm&os.ModeCharDevice != 0 {
+			mode |= modeISCHR
+		} else {
+			mode |= modeISBLK
+		}
+	case fm&os.ModeNamedPipe != 0:
+		mode |= modeISFIFO
+	case fm&os.ModeSocket != 0:
+		mode |= modeISSOCK
+	}
+	return mode
+}
+
+// ReadSecurityXattrToTarHeader reads security.capability xattr from filesystem
+// to a tar header
+func ReadSecurityXattrToTarHeader(path string, hdr *tar.Header) error {
+	capability, _ := system.Lgetxattr(path, "security.capability")
+	if capability != nil {
+		hdr.Xattrs = make(map[string]string)
+		hdr.Xattrs["security.capability"] = string(capability)
+	}
+	return nil
+}
+
+type tarWhiteoutConverter interface {
+	ConvertWrite(*tar.Header, string, os.FileInfo) (*tar.Header, error)
+	ConvertRead(*tar.Header, string) (bool, error)
+}
+
+type tarAppender struct {
+	TarWriter *tar.Writer
+	Buffer    *bufio.Writer
+
+	// for hardlink mapping
+	SeenFiles  map[uint64]string
+	IDMappings *idtools.IDMappings
+	ChownOpts  *idtools.IDPair
+
+	// For packing and unpacking whiteout files in the
+	// non standard format. The whiteout files defined
+	// by the AUFS standard are used as the tar whiteout
+	// standard.
+	WhiteoutConverter tarWhiteoutConverter
+}
+
+func newTarAppender(idMapping *idtools.IDMappings, writer io.Writer, chownOpts *idtools.IDPair) *tarAppender {
+	return &tarAppender{
+		SeenFiles:  make(map[uint64]string),
+		TarWriter:  tar.NewWriter(writer),
+		Buffer:     pools.BufioWriter32KPool.Get(nil),
+		IDMappings: idMapping,
+		ChownOpts:  chownOpts,
+	}
+}
+
+// canonicalTarName provides a platform-independent and consistent posix-style
+//path for files and directories to be archived regardless of the platform.
+func canonicalTarName(name string, isDir bool) (string, error) {
+	name, err := CanonicalTarNameForPath(name)
+	if err != nil {
+		return "", err
+	}
+
+	// suffix with '/' for directories
+	if isDir && !strings.HasSuffix(name, "/") {
+		name += "/"
+	}
+	return name, nil
+}
+
+// addTarFile adds to the tar archive a file from `path` as `name`
+func (ta *tarAppender) addTarFile(path, name string) error {
+	fi, err := os.Lstat(path)
+	if err != nil {
+		return err
+	}
+
+	var link string
+	if fi.Mode()&os.ModeSymlink != 0 {
+		var err error
+		link, err = os.Readlink(path)
+		if err != nil {
+			return err
+		}
+	}
+
+	hdr, err := FileInfoHeader(name, fi, link)
+	if err != nil {
+		return err
+	}
+	if err := ReadSecurityXattrToTarHeader(path, hdr); err != nil {
+		return err
+	}
+
+	// if it's not a directory and has more than 1 link,
+	// it's hard linked, so set the type flag accordingly
+	if !fi.IsDir() && hasHardlinks(fi) {
+		inode, err := getInodeFromStat(fi.Sys())
+		if err != nil {
+			return err
+		}
+		// a link should have a name that it links too
+		// and that linked name should be first in the tar archive
+		if oldpath, ok := ta.SeenFiles[inode]; ok {
+			hdr.Typeflag = tar.TypeLink
+			hdr.Linkname = oldpath
+			hdr.Size = 0 // This Must be here for the writer math to add up!
+		} else {
+			ta.SeenFiles[inode] = name
+		}
+	}
+
+	//check whether the file is overlayfs whiteout
+	//if yes, skip re-mapping container ID mappings.
+	isOverlayWhiteout := fi.Mode()&os.ModeCharDevice != 0 && hdr.Devmajor == 0 && hdr.Devminor == 0
+
+	//handle re-mapping container ID mappings back to host ID mappings before
+	//writing tar headers/files. We skip whiteout files because they were written
+	//by the kernel and already have proper ownership relative to the host
+	if !isOverlayWhiteout &&
+		!strings.HasPrefix(filepath.Base(hdr.Name), WhiteoutPrefix) &&
+		!ta.IDMappings.Empty() {
+		fileIDPair, err := getFileUIDGID(fi.Sys())
+		if err != nil {
+			return err
+		}
+		hdr.Uid, hdr.Gid, err = ta.IDMappings.ToContainer(fileIDPair)
+		if err != nil {
+			return err
+		}
+	}
+
+	// explicitly override with ChownOpts
+	if ta.ChownOpts != nil {
+		hdr.Uid = ta.ChownOpts.UID
+		hdr.Gid = ta.ChownOpts.GID
+	}
+
+	if ta.WhiteoutConverter != nil {
+		wo, err := ta.WhiteoutConverter.ConvertWrite(hdr, path, fi)
+		if err != nil {
+			return err
+		}
+
+		// If a new whiteout file exists, write original hdr, then
+		// replace hdr with wo to be written after. Whiteouts should
+		// always be written after the original. Note the original
+		// hdr may have been updated to be a whiteout with returning
+		// a whiteout header
+		if wo != nil {
+			if err := ta.TarWriter.WriteHeader(hdr); err != nil {
+				return err
+			}
+			if hdr.Typeflag == tar.TypeReg && hdr.Size > 0 {
+				return fmt.Errorf("tar: cannot use whiteout for non-empty file")
+			}
+			hdr = wo
+		}
+	}
+
+	if err := ta.TarWriter.WriteHeader(hdr); err != nil {
+		return err
+	}
+
+	if hdr.Typeflag == tar.TypeReg && hdr.Size > 0 {
+		// We use system.OpenSequential to ensure we use sequential file
+		// access on Windows to avoid depleting the standby list.
+		// On Linux, this equates to a regular os.Open.
+		file, err := system.OpenSequential(path)
+		if err != nil {
+			return err
+		}
+
+		ta.Buffer.Reset(ta.TarWriter)
+		defer ta.Buffer.Reset(nil)
+		_, err = io.Copy(ta.Buffer, file)
+		file.Close()
+		if err != nil {
+			return err
+		}
+		err = ta.Buffer.Flush()
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, Lchown bool, chownOpts *idtools.IDPair, inUserns bool) error {
+	// hdr.Mode is in linux format, which we can use for sycalls,
+	// but for os.Foo() calls we need the mode converted to os.FileMode,
+	// so use hdrInfo.Mode() (they differ for e.g. setuid bits)
+	hdrInfo := hdr.FileInfo()
+
+	switch hdr.Typeflag {
+	case tar.TypeDir:
+		// Create directory unless it exists as a directory already.
+		// In that case we just want to merge the two
+		if fi, err := os.Lstat(path); !(err == nil && fi.IsDir()) {
+			if err := os.Mkdir(path, hdrInfo.Mode()); err != nil {
+				return err
+			}
+		}
+
+	case tar.TypeReg, tar.TypeRegA:
+		// Source is regular file. We use system.OpenFileSequential to use sequential
+		// file access to avoid depleting the standby list on Windows.
+		// On Linux, this equates to a regular os.OpenFile
+		file, err := system.OpenFileSequential(path, os.O_CREATE|os.O_WRONLY, hdrInfo.Mode())
+		if err != nil {
+			return err
+		}
+		if _, err := io.Copy(file, reader); err != nil {
+			file.Close()
+			return err
+		}
+		file.Close()
+
+	case tar.TypeBlock, tar.TypeChar:
+		if inUserns { // cannot create devices in a userns
+			return nil
+		}
+		// Handle this is an OS-specific way
+		if err := handleTarTypeBlockCharFifo(hdr, path); err != nil {
+			return err
+		}
+
+	case tar.TypeFifo:
+		// Handle this is an OS-specific way
+		if err := handleTarTypeBlockCharFifo(hdr, path); err != nil {
+			return err
+		}
+
+	case tar.TypeLink:
+		targetPath := filepath.Join(extractDir, hdr.Linkname)
+		// check for hardlink breakout
+		if !strings.HasPrefix(targetPath, extractDir) {
+			return breakoutError(fmt.Errorf("invalid hardlink %q -> %q", targetPath, hdr.Linkname))
+		}
+		if err := os.Link(targetPath, path); err != nil {
+			return err
+		}
+
+	case tar.TypeSymlink:
+		// 	path 				-> hdr.Linkname = targetPath
+		// e.g. /extractDir/path/to/symlink 	-> ../2/file	= /extractDir/path/2/file
+		targetPath := filepath.Join(filepath.Dir(path), hdr.Linkname)
+
+		// the reason we don't need to check symlinks in the path (with FollowSymlinkInScope) is because
+		// that symlink would first have to be created, which would be caught earlier, at this very check:
+		if !strings.HasPrefix(targetPath, extractDir) {
+			return breakoutError(fmt.Errorf("invalid symlink %q -> %q", path, hdr.Linkname))
+		}
+		if err := os.Symlink(hdr.Linkname, path); err != nil {
+			return err
+		}
+
+	case tar.TypeXGlobalHeader:
+		logrus.Debug("PAX Global Extended Headers found and ignored")
+		return nil
+
+	default:
+		return fmt.Errorf("unhandled tar header type %d", hdr.Typeflag)
+	}
+
+	// Lchown is not supported on Windows.
+	if Lchown && runtime.GOOS != "windows" {
+		if chownOpts == nil {
+			chownOpts = &idtools.IDPair{UID: hdr.Uid, GID: hdr.Gid}
+		}
+		if err := os.Lchown(path, chownOpts.UID, chownOpts.GID); err != nil {
+			return err
+		}
+	}
+
+	var errors []string
+	for key, value := range hdr.Xattrs {
+		if err := system.Lsetxattr(path, key, []byte(value), 0); err != nil {
+			if err == syscall.ENOTSUP {
+				// We ignore errors here because not all graphdrivers support
+				// xattrs *cough* old versions of AUFS *cough*. However only
+				// ENOTSUP should be emitted in that case, otherwise we still
+				// bail.
+				errors = append(errors, err.Error())
+				continue
+			}
+			return err
+		}
+
+	}
+
+	if len(errors) > 0 {
+		logrus.WithFields(logrus.Fields{
+			"errors": errors,
+		}).Warn("ignored xattrs in archive: underlying filesystem doesn't support them")
+	}
+
+	// There is no LChmod, so ignore mode for symlink. Also, this
+	// must happen after chown, as that can modify the file mode
+	if err := handleLChmod(hdr, path, hdrInfo); err != nil {
+		return err
+	}
+
+	aTime := hdr.AccessTime
+	if aTime.Before(hdr.ModTime) {
+		// Last access time should never be before last modified time.
+		aTime = hdr.ModTime
+	}
+
+	// system.Chtimes doesn't support a NOFOLLOW flag atm
+	if hdr.Typeflag == tar.TypeLink {
+		if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
+			if err := system.Chtimes(path, aTime, hdr.ModTime); err != nil {
+				return err
+			}
+		}
+	} else if hdr.Typeflag != tar.TypeSymlink {
+		if err := system.Chtimes(path, aTime, hdr.ModTime); err != nil {
+			return err
+		}
+	} else {
+		ts := []syscall.Timespec{timeToTimespec(aTime), timeToTimespec(hdr.ModTime)}
+		if err := system.LUtimesNano(path, ts); err != nil && err != system.ErrNotSupportedPlatform {
+			return err
+		}
+	}
+	return nil
+}
+
+// Tar creates an archive from the directory at `path`, and returns it as a
+// stream of bytes.
+func Tar(path string, compression Compression) (io.ReadCloser, error) {
+	return TarWithOptions(path, &TarOptions{Compression: compression})
+}
+
+// TarWithOptions creates an archive from the directory at `path`, only including files whose relative
+// paths are included in `options.IncludeFiles` (if non-nil) or not in `options.ExcludePatterns`.
+func TarWithOptions(srcPath string, options *TarOptions) (io.ReadCloser, error) {
+
+	// Fix the source path to work with long path names. This is a no-op
+	// on platforms other than Windows.
+	srcPath = fixVolumePathPrefix(srcPath)
+
+	pm, err := fileutils.NewPatternMatcher(options.ExcludePatterns)
+	if err != nil {
+		return nil, err
+	}
+
+	pipeReader, pipeWriter := io.Pipe()
+
+	compressWriter, err := CompressStream(pipeWriter, options.Compression)
+	if err != nil {
+		return nil, err
+	}
+
+	go func() {
+		ta := newTarAppender(
+			idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps),
+			compressWriter,
+			options.ChownOpts,
+		)
+		ta.WhiteoutConverter = getWhiteoutConverter(options.WhiteoutFormat)
+
+		defer func() {
+			// Make sure to check the error on Close.
+			if err := ta.TarWriter.Close(); err != nil {
+				logrus.Errorf("Can't close tar writer: %s", err)
+			}
+			if err := compressWriter.Close(); err != nil {
+				logrus.Errorf("Can't close compress writer: %s", err)
+			}
+			if err := pipeWriter.Close(); err != nil {
+				logrus.Errorf("Can't close pipe writer: %s", err)
+			}
+		}()
+
+		// this buffer is needed for the duration of this piped stream
+		defer pools.BufioWriter32KPool.Put(ta.Buffer)
+
+		// In general we log errors here but ignore them because
+		// during e.g. a diff operation the container can continue
+		// mutating the filesystem and we can see transient errors
+		// from this
+
+		stat, err := os.Lstat(srcPath)
+		if err != nil {
+			return
+		}
+
+		if !stat.IsDir() {
+			// We can't later join a non-dir with any includes because the
+			// 'walk' will error if "file/." is stat-ed and "file" is not a
+			// directory. So, we must split the source path and use the
+			// basename as the include.
+			if len(options.IncludeFiles) > 0 {
+				logrus.Warn("Tar: Can't archive a file with includes")
+			}
+
+			dir, base := SplitPathDirEntry(srcPath)
+			srcPath = dir
+			options.IncludeFiles = []string{base}
+		}
+
+		if len(options.IncludeFiles) == 0 {
+			options.IncludeFiles = []string{"."}
+		}
+
+		seen := make(map[string]bool)
+
+		for _, include := range options.IncludeFiles {
+			rebaseName := options.RebaseNames[include]
+
+			walkRoot := getWalkRoot(srcPath, include)
+			filepath.Walk(walkRoot, func(filePath string, f os.FileInfo, err error) error {
+				if err != nil {
+					logrus.Errorf("Tar: Can't stat file %s to tar: %s", srcPath, err)
+					return nil
+				}
+
+				relFilePath, err := filepath.Rel(srcPath, filePath)
+				if err != nil || (!options.IncludeSourceDir && relFilePath == "." && f.IsDir()) {
+					// Error getting relative path OR we are looking
+					// at the source directory path. Skip in both situations.
+					return nil
+				}
+
+				if options.IncludeSourceDir && include == "." && relFilePath != "." {
+					relFilePath = strings.Join([]string{".", relFilePath}, string(filepath.Separator))
+				}
+
+				skip := false
+
+				// If "include" is an exact match for the current file
+				// then even if there's an "excludePatterns" pattern that
+				// matches it, don't skip it. IOW, assume an explicit 'include'
+				// is asking for that file no matter what - which is true
+				// for some files, like .dockerignore and Dockerfile (sometimes)
+				if include != relFilePath {
+					skip, err = pm.Matches(relFilePath)
+					if err != nil {
+						logrus.Errorf("Error matching %s: %v", relFilePath, err)
+						return err
+					}
+				}
+
+				if skip {
+					// If we want to skip this file and its a directory
+					// then we should first check to see if there's an
+					// excludes pattern (e.g. !dir/file) that starts with this
+					// dir. If so then we can't skip this dir.
+
+					// Its not a dir then so we can just return/skip.
+					if !f.IsDir() {
+						return nil
+					}
+
+					// No exceptions (!...) in patterns so just skip dir
+					if !pm.Exclusions() {
+						return filepath.SkipDir
+					}
+
+					dirSlash := relFilePath + string(filepath.Separator)
+
+					for _, pat := range pm.Patterns() {
+						if !pat.Exclusion() {
+							continue
+						}
+						if strings.HasPrefix(pat.String()+string(filepath.Separator), dirSlash) {
+							// found a match - so can't skip this dir
+							return nil
+						}
+					}
+
+					// No matching exclusion dir so just skip dir
+					return filepath.SkipDir
+				}
+
+				if seen[relFilePath] {
+					return nil
+				}
+				seen[relFilePath] = true
+
+				// Rename the base resource.
+				if rebaseName != "" {
+					var replacement string
+					if rebaseName != string(filepath.Separator) {
+						// Special case the root directory to replace with an
+						// empty string instead so that we don't end up with
+						// double slashes in the paths.
+						replacement = rebaseName
+					}
+
+					relFilePath = strings.Replace(relFilePath, include, replacement, 1)
+				}
+
+				if err := ta.addTarFile(filePath, relFilePath); err != nil {
+					logrus.Errorf("Can't add file %s to tar: %s", filePath, err)
+					// if pipe is broken, stop writing tar stream to it
+					if err == io.ErrClosedPipe {
+						return err
+					}
+				}
+				return nil
+			})
+		}
+	}()
+
+	return pipeReader, nil
+}
+
+// Unpack unpacks the decompressedArchive to dest with options.
+func Unpack(decompressedArchive io.Reader, dest string, options *TarOptions) error {
+	tr := tar.NewReader(decompressedArchive)
+	trBuf := pools.BufioReader32KPool.Get(nil)
+	defer pools.BufioReader32KPool.Put(trBuf)
+
+	var dirs []*tar.Header
+	idMappings := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
+	rootIDs := idMappings.RootPair()
+	whiteoutConverter := getWhiteoutConverter(options.WhiteoutFormat)
+
+	// Iterate through the files in the archive.
+loop:
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			// end of tar archive
+			break
+		}
+		if err != nil {
+			return err
+		}
+
+		// Normalize name, for safety and for a simple is-root check
+		// This keeps "../" as-is, but normalizes "/../" to "/". Or Windows:
+		// This keeps "..\" as-is, but normalizes "\..\" to "\".
+		hdr.Name = filepath.Clean(hdr.Name)
+
+		for _, exclude := range options.ExcludePatterns {
+			if strings.HasPrefix(hdr.Name, exclude) {
+				continue loop
+			}
+		}
+
+		// After calling filepath.Clean(hdr.Name) above, hdr.Name will now be in
+		// the filepath format for the OS on which the daemon is running. Hence
+		// the check for a slash-suffix MUST be done in an OS-agnostic way.
+		if !strings.HasSuffix(hdr.Name, string(os.PathSeparator)) {
+			// Not the root directory, ensure that the parent directory exists
+			parent := filepath.Dir(hdr.Name)
+			parentPath := filepath.Join(dest, parent)
+			if _, err := os.Lstat(parentPath); err != nil && os.IsNotExist(err) {
+				err = idtools.MkdirAllAndChownNew(parentPath, 0777, rootIDs)
+				if err != nil {
+					return err
+				}
+			}
+		}
+
+		path := filepath.Join(dest, hdr.Name)
+		rel, err := filepath.Rel(dest, path)
+		if err != nil {
+			return err
+		}
+		if strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
+			return breakoutError(fmt.Errorf("%q is outside of %q", hdr.Name, dest))
+		}
+
+		// If path exits we almost always just want to remove and replace it
+		// The only exception is when it is a directory *and* the file from
+		// the layer is also a directory. Then we want to merge them (i.e.
+		// just apply the metadata from the layer).
+		if fi, err := os.Lstat(path); err == nil {
+			if options.NoOverwriteDirNonDir && fi.IsDir() && hdr.Typeflag != tar.TypeDir {
+				// If NoOverwriteDirNonDir is true then we cannot replace
+				// an existing directory with a non-directory from the archive.
+				return fmt.Errorf("cannot overwrite directory %q with non-directory %q", path, dest)
+			}
+
+			if options.NoOverwriteDirNonDir && !fi.IsDir() && hdr.Typeflag == tar.TypeDir {
+				// If NoOverwriteDirNonDir is true then we cannot replace
+				// an existing non-directory with a directory from the archive.
+				return fmt.Errorf("cannot overwrite non-directory %q with directory %q", path, dest)
+			}
+
+			if fi.IsDir() && hdr.Name == "." {
+				continue
+			}
+
+			if !(fi.IsDir() && hdr.Typeflag == tar.TypeDir) {
+				if err := os.RemoveAll(path); err != nil {
+					return err
+				}
+			}
+		}
+		trBuf.Reset(tr)
+
+		if err := remapIDs(idMappings, hdr); err != nil {
+			return err
+		}
+
+		if whiteoutConverter != nil {
+			writeFile, err := whiteoutConverter.ConvertRead(hdr, path)
+			if err != nil {
+				return err
+			}
+			if !writeFile {
+				continue
+			}
+		}
+
+		if err := createTarFile(path, dest, hdr, trBuf, !options.NoLchown, options.ChownOpts, options.InUserNS); err != nil {
+			return err
+		}
+
+		// Directory mtimes must be handled at the end to avoid further
+		// file creation in them to modify the directory mtime
+		if hdr.Typeflag == tar.TypeDir {
+			dirs = append(dirs, hdr)
+		}
+	}
+
+	for _, hdr := range dirs {
+		path := filepath.Join(dest, hdr.Name)
+
+		if err := system.Chtimes(path, hdr.AccessTime, hdr.ModTime); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Untar reads a stream of bytes from `archive`, parses it as a tar archive,
+// and unpacks it into the directory at `dest`.
+// The archive may be compressed with one of the following algorithms:
+//  identity (uncompressed), gzip, bzip2, xz.
+// FIXME: specify behavior when target path exists vs. doesn't exist.
+func Untar(tarArchive io.Reader, dest string, options *TarOptions) error {
+	return untarHandler(tarArchive, dest, options, true)
+}
+
+// UntarUncompressed reads a stream of bytes from `archive`, parses it as a tar archive,
+// and unpacks it into the directory at `dest`.
+// The archive must be an uncompressed stream.
+func UntarUncompressed(tarArchive io.Reader, dest string, options *TarOptions) error {
+	return untarHandler(tarArchive, dest, options, false)
+}
+
+// Handler for teasing out the automatic decompression
+func untarHandler(tarArchive io.Reader, dest string, options *TarOptions, decompress bool) error {
+	if tarArchive == nil {
+		return fmt.Errorf("Empty archive")
+	}
+	dest = filepath.Clean(dest)
+	if options == nil {
+		options = &TarOptions{}
+	}
+	if options.ExcludePatterns == nil {
+		options.ExcludePatterns = []string{}
+	}
+
+	r := tarArchive
+	if decompress {
+		decompressedArchive, err := DecompressStream(tarArchive)
+		if err != nil {
+			return err
+		}
+		defer decompressedArchive.Close()
+		r = decompressedArchive
+	}
+
+	return Unpack(r, dest, options)
+}
+
+// TarUntar is a convenience function which calls Tar and Untar, with the output of one piped into the other.
+// If either Tar or Untar fails, TarUntar aborts and returns the error.
+func (archiver *Archiver) TarUntar(src, dst string) error {
+	logrus.Debugf("TarUntar(%s %s)", src, dst)
+	archive, err := TarWithOptions(src, &TarOptions{Compression: Uncompressed})
+	if err != nil {
+		return err
+	}
+	defer archive.Close()
+	options := &TarOptions{
+		UIDMaps: archiver.IDMappingsVar.UIDs(),
+		GIDMaps: archiver.IDMappingsVar.GIDs(),
+	}
+	return archiver.Untar(archive, dst, options)
+}
+
+// UntarPath untar a file from path to a destination, src is the source tar file path.
+func (archiver *Archiver) UntarPath(src, dst string) error {
+	archive, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer archive.Close()
+	options := &TarOptions{
+		UIDMaps: archiver.IDMappingsVar.UIDs(),
+		GIDMaps: archiver.IDMappingsVar.GIDs(),
+	}
+	return archiver.Untar(archive, dst, options)
+}
+
+// CopyWithTar creates a tar archive of filesystem path `src`, and
+// unpacks it at filesystem path `dst`.
+// The archive is streamed directly with fixed buffering and no
+// intermediary disk IO.
+func (archiver *Archiver) CopyWithTar(src, dst string) error {
+	srcSt, err := os.Stat(src)
+	if err != nil {
+		return err
+	}
+	if !srcSt.IsDir() {
+		return archiver.CopyFileWithTar(src, dst)
+	}
+
+	// if this Archiver is set up with ID mapping we need to create
+	// the new destination directory with the remapped root UID/GID pair
+	// as owner
+	rootIDs := archiver.IDMappingsVar.RootPair()
+	// Create dst, copy src's content into it
+	logrus.Debugf("Creating dest directory: %s", dst)
+	if err := idtools.MkdirAllAndChownNew(dst, 0755, rootIDs); err != nil {
+		return err
+	}
+	logrus.Debugf("Calling TarUntar(%s, %s)", src, dst)
+	return archiver.TarUntar(src, dst)
+}
+
+// CopyFileWithTar emulates the behavior of the 'cp' command-line
+// for a single file. It copies a regular file from path `src` to
+// path `dst`, and preserves all its metadata.
+func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
+	logrus.Debugf("CopyFileWithTar(%s, %s)", src, dst)
+	srcSt, err := os.Stat(src)
+	if err != nil {
+		return err
+	}
+
+	if srcSt.IsDir() {
+		return fmt.Errorf("Can't copy a directory")
+	}
+
+	// Clean up the trailing slash. This must be done in an operating
+	// system specific manner.
+	if dst[len(dst)-1] == os.PathSeparator {
+		dst = filepath.Join(dst, filepath.Base(src))
+	}
+	// Create the holding directory if necessary
+	if err := system.MkdirAll(filepath.Dir(dst), 0700, ""); err != nil {
+		return err
+	}
+
+	r, w := io.Pipe()
+	errC := make(chan error, 1)
+
+	go func() {
+		defer close(errC)
+
+		errC <- func() error {
+			defer w.Close()
+
+			srcF, err := os.Open(src)
+			if err != nil {
+				return err
+			}
+			defer srcF.Close()
+
+			hdr, err := tar.FileInfoHeader(srcSt, "")
+			if err != nil {
+				return err
+			}
+			hdr.Format = tar.FormatPAX
+			hdr.ModTime = hdr.ModTime.Truncate(time.Second)
+			hdr.AccessTime = time.Time{}
+			hdr.ChangeTime = time.Time{}
+			hdr.Name = filepath.Base(dst)
+			hdr.Mode = int64(chmodTarEntry(os.FileMode(hdr.Mode)))
+
+			if err := remapIDs(archiver.IDMappingsVar, hdr); err != nil {
+				return err
+			}
+
+			tw := tar.NewWriter(w)
+			defer tw.Close()
+			if err := tw.WriteHeader(hdr); err != nil {
+				return err
+			}
+			if _, err := io.Copy(tw, srcF); err != nil {
+				return err
+			}
+			return nil
+		}()
+	}()
+	defer func() {
+		if er := <-errC; err == nil && er != nil {
+			err = er
+		}
+	}()
+
+	err = archiver.Untar(r, filepath.Dir(dst), nil)
+	if err != nil {
+		r.CloseWithError(err)
+	}
+	return err
+}
+
+// IDMappings returns the IDMappings of the archiver.
+func (archiver *Archiver) IDMappings() *idtools.IDMappings {
+	return archiver.IDMappingsVar
+}
+
+func remapIDs(idMappings *idtools.IDMappings, hdr *tar.Header) error {
+	ids, err := idMappings.ToHost(idtools.IDPair{UID: hdr.Uid, GID: hdr.Gid})
+	hdr.Uid, hdr.Gid = ids.UID, ids.GID
+	return err
+}
+
+// cmdStream executes a command, and returns its stdout as a stream.
+// If the command fails to run or doesn't complete successfully, an error
+// will be returned, including anything written on stderr.
+func cmdStream(cmd *exec.Cmd, input io.Reader) (io.ReadCloser, error) {
+	cmd.Stdin = input
+	pipeR, pipeW := io.Pipe()
+	cmd.Stdout = pipeW
+	var errBuf bytes.Buffer
+	cmd.Stderr = &errBuf
+
+	// Run the command and return the pipe
+	if err := cmd.Start(); err != nil {
+		return nil, err
+	}
+
+	// Copy stdout to the returned pipe
+	go func() {
+		if err := cmd.Wait(); err != nil {
+			pipeW.CloseWithError(fmt.Errorf("%s: %s", err, errBuf.String()))
+		} else {
+			pipeW.Close()
+		}
+	}()
+
+	return pipeR, nil
+}
+
+// NewTempArchive reads the content of src into a temporary file, and returns the contents
+// of that file as an archive. The archive can only be read once - as soon as reading completes,
+// the file will be deleted.
+func NewTempArchive(src io.Reader, dir string) (*TempArchive, error) {
+	f, err := ioutil.TempFile(dir, "")
+	if err != nil {
+		return nil, err
+	}
+	if _, err := io.Copy(f, src); err != nil {
+		return nil, err
+	}
+	if _, err := f.Seek(0, 0); err != nil {
+		return nil, err
+	}
+	st, err := f.Stat()
+	if err != nil {
+		return nil, err
+	}
+	size := st.Size()
+	return &TempArchive{File: f, Size: size}, nil
+}
+
+// TempArchive is a temporary archive. The archive can only be read once - as soon as reading completes,
+// the file will be deleted.
+type TempArchive struct {
+	*os.File
+	Size   int64 // Pre-computed from Stat().Size() as a convenience
+	read   int64
+	closed bool
+}
+
+// Close closes the underlying file if it's still open, or does a no-op
+// to allow callers to try to close the TempArchive multiple times safely.
+func (archive *TempArchive) Close() error {
+	if archive.closed {
+		return nil
+	}
+
+	archive.closed = true
+
+	return archive.File.Close()
+}
+
+func (archive *TempArchive) Read(data []byte) (int, error) {
+	n, err := archive.File.Read(data)
+	archive.read += int64(n)
+	if err != nil || archive.read == archive.Size {
+		archive.Close()
+		os.Remove(archive.File.Name())
+	}
+	return n, err
+}
diff --git a/engine/pkg/archive/archive_linux.go b/engine/pkg/archive/archive_linux.go
new file mode 100644
index 00000000..970d4d06
--- /dev/null
+++ b/engine/pkg/archive/archive_linux.go
@@ -0,0 +1,92 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/system"
+	"golang.org/x/sys/unix"
+)
+
+func getWhiteoutConverter(format WhiteoutFormat) tarWhiteoutConverter {
+	if format == OverlayWhiteoutFormat {
+		return overlayWhiteoutConverter{}
+	}
+	return nil
+}
+
+type overlayWhiteoutConverter struct{}
+
+func (overlayWhiteoutConverter) ConvertWrite(hdr *tar.Header, path string, fi os.FileInfo) (wo *tar.Header, err error) {
+	// convert whiteouts to AUFS format
+	if fi.Mode()&os.ModeCharDevice != 0 && hdr.Devmajor == 0 && hdr.Devminor == 0 {
+		// we just rename the file and make it normal
+		dir, filename := filepath.Split(hdr.Name)
+		hdr.Name = filepath.Join(dir, WhiteoutPrefix+filename)
+		hdr.Mode = 0600
+		hdr.Typeflag = tar.TypeReg
+		hdr.Size = 0
+	}
+
+	if fi.Mode()&os.ModeDir != 0 {
+		// convert opaque dirs to AUFS format by writing an empty file with the prefix
+		opaque, err := system.Lgetxattr(path, "trusted.overlay.opaque")
+		if err != nil {
+			return nil, err
+		}
+		if len(opaque) == 1 && opaque[0] == 'y' {
+			if hdr.Xattrs != nil {
+				delete(hdr.Xattrs, "trusted.overlay.opaque")
+			}
+
+			// create a header for the whiteout file
+			// it should inherit some properties from the parent, but be a regular file
+			wo = &tar.Header{
+				Typeflag:   tar.TypeReg,
+				Mode:       hdr.Mode & int64(os.ModePerm),
+				Name:       filepath.Join(hdr.Name, WhiteoutOpaqueDir),
+				Size:       0,
+				Uid:        hdr.Uid,
+				Uname:      hdr.Uname,
+				Gid:        hdr.Gid,
+				Gname:      hdr.Gname,
+				AccessTime: hdr.AccessTime,
+				ChangeTime: hdr.ChangeTime,
+			}
+		}
+	}
+
+	return
+}
+
+func (overlayWhiteoutConverter) ConvertRead(hdr *tar.Header, path string) (bool, error) {
+	base := filepath.Base(path)
+	dir := filepath.Dir(path)
+
+	// if a directory is marked as opaque by the AUFS special file, we need to translate that to overlay
+	if base == WhiteoutOpaqueDir {
+		err := unix.Setxattr(dir, "trusted.overlay.opaque", []byte{'y'}, 0)
+		// don't write the file itself
+		return false, err
+	}
+
+	// if a file was deleted and we are using overlay, we need to create a character device
+	if strings.HasPrefix(base, WhiteoutPrefix) {
+		originalBase := base[len(WhiteoutPrefix):]
+		originalPath := filepath.Join(dir, originalBase)
+
+		if err := unix.Mknod(originalPath, unix.S_IFCHR, 0); err != nil {
+			return false, err
+		}
+		if err := os.Chown(originalPath, hdr.Uid, hdr.Gid); err != nil {
+			return false, err
+		}
+
+		// don't write the file itself
+		return false, nil
+	}
+
+	return true, nil
+}
diff --git a/engine/pkg/archive/archive_linux_test.go b/engine/pkg/archive/archive_linux_test.go
new file mode 100644
index 00000000..9422269d
--- /dev/null
+++ b/engine/pkg/archive/archive_linux_test.go
@@ -0,0 +1,162 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"syscall"
+	"testing"
+
+	"github.com/docker/docker/pkg/system"
+	"golang.org/x/sys/unix"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+// setupOverlayTestDir creates files in a directory with overlay whiteouts
+// Tree layout
+// .
+// ├── d1     # opaque, 0700
+// │   └── f1 # empty file, 0600
+// ├── d2     # opaque, 0750
+// │   └── f1 # empty file, 0660
+// └── d3     # 0700
+//     └── f1 # whiteout, 0644
+func setupOverlayTestDir(t *testing.T, src string) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	// Create opaque directory containing single file and permission 0700
+	err := os.Mkdir(filepath.Join(src, "d1"), 0700)
+	assert.NilError(t, err)
+
+	err = system.Lsetxattr(filepath.Join(src, "d1"), "trusted.overlay.opaque", []byte("y"), 0)
+	assert.NilError(t, err)
+
+	err = ioutil.WriteFile(filepath.Join(src, "d1", "f1"), []byte{}, 0600)
+	assert.NilError(t, err)
+
+	// Create another opaque directory containing single file but with permission 0750
+	err = os.Mkdir(filepath.Join(src, "d2"), 0750)
+	assert.NilError(t, err)
+
+	err = system.Lsetxattr(filepath.Join(src, "d2"), "trusted.overlay.opaque", []byte("y"), 0)
+	assert.NilError(t, err)
+
+	err = ioutil.WriteFile(filepath.Join(src, "d2", "f1"), []byte{}, 0660)
+	assert.NilError(t, err)
+
+	// Create regular directory with deleted file
+	err = os.Mkdir(filepath.Join(src, "d3"), 0700)
+	assert.NilError(t, err)
+
+	err = system.Mknod(filepath.Join(src, "d3", "f1"), unix.S_IFCHR, 0)
+	assert.NilError(t, err)
+}
+
+func checkOpaqueness(t *testing.T, path string, opaque string) {
+	xattrOpaque, err := system.Lgetxattr(path, "trusted.overlay.opaque")
+	assert.NilError(t, err)
+
+	if string(xattrOpaque) != opaque {
+		t.Fatalf("Unexpected opaque value: %q, expected %q", string(xattrOpaque), opaque)
+	}
+
+}
+
+func checkOverlayWhiteout(t *testing.T, path string) {
+	stat, err := os.Stat(path)
+	assert.NilError(t, err)
+
+	statT, ok := stat.Sys().(*syscall.Stat_t)
+	if !ok {
+		t.Fatalf("Unexpected type: %t, expected *syscall.Stat_t", stat.Sys())
+	}
+	if statT.Rdev != 0 {
+		t.Fatalf("Non-zero device number for whiteout")
+	}
+}
+
+func checkFileMode(t *testing.T, path string, perm os.FileMode) {
+	stat, err := os.Stat(path)
+	assert.NilError(t, err)
+
+	if stat.Mode() != perm {
+		t.Fatalf("Unexpected file mode for %s: %o, expected %o", path, stat.Mode(), perm)
+	}
+}
+
+func TestOverlayTarUntar(t *testing.T) {
+	oldmask, err := system.Umask(0)
+	assert.NilError(t, err)
+	defer system.Umask(oldmask)
+
+	src, err := ioutil.TempDir("", "docker-test-overlay-tar-src")
+	assert.NilError(t, err)
+	defer os.RemoveAll(src)
+
+	setupOverlayTestDir(t, src)
+
+	dst, err := ioutil.TempDir("", "docker-test-overlay-tar-dst")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dst)
+
+	options := &TarOptions{
+		Compression:    Uncompressed,
+		WhiteoutFormat: OverlayWhiteoutFormat,
+	}
+	archive, err := TarWithOptions(src, options)
+	assert.NilError(t, err)
+	defer archive.Close()
+
+	err = Untar(archive, dst, options)
+	assert.NilError(t, err)
+
+	checkFileMode(t, filepath.Join(dst, "d1"), 0700|os.ModeDir)
+	checkFileMode(t, filepath.Join(dst, "d2"), 0750|os.ModeDir)
+	checkFileMode(t, filepath.Join(dst, "d3"), 0700|os.ModeDir)
+	checkFileMode(t, filepath.Join(dst, "d1", "f1"), 0600)
+	checkFileMode(t, filepath.Join(dst, "d2", "f1"), 0660)
+	checkFileMode(t, filepath.Join(dst, "d3", "f1"), os.ModeCharDevice|os.ModeDevice)
+
+	checkOpaqueness(t, filepath.Join(dst, "d1"), "y")
+	checkOpaqueness(t, filepath.Join(dst, "d2"), "y")
+	checkOpaqueness(t, filepath.Join(dst, "d3"), "")
+	checkOverlayWhiteout(t, filepath.Join(dst, "d3", "f1"))
+}
+
+func TestOverlayTarAUFSUntar(t *testing.T) {
+	oldmask, err := system.Umask(0)
+	assert.NilError(t, err)
+	defer system.Umask(oldmask)
+
+	src, err := ioutil.TempDir("", "docker-test-overlay-tar-src")
+	assert.NilError(t, err)
+	defer os.RemoveAll(src)
+
+	setupOverlayTestDir(t, src)
+
+	dst, err := ioutil.TempDir("", "docker-test-overlay-tar-dst")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dst)
+
+	archive, err := TarWithOptions(src, &TarOptions{
+		Compression:    Uncompressed,
+		WhiteoutFormat: OverlayWhiteoutFormat,
+	})
+	assert.NilError(t, err)
+	defer archive.Close()
+
+	err = Untar(archive, dst, &TarOptions{
+		Compression:    Uncompressed,
+		WhiteoutFormat: AUFSWhiteoutFormat,
+	})
+	assert.NilError(t, err)
+
+	checkFileMode(t, filepath.Join(dst, "d1"), 0700|os.ModeDir)
+	checkFileMode(t, filepath.Join(dst, "d1", WhiteoutOpaqueDir), 0700)
+	checkFileMode(t, filepath.Join(dst, "d2"), 0750|os.ModeDir)
+	checkFileMode(t, filepath.Join(dst, "d2", WhiteoutOpaqueDir), 0750)
+	checkFileMode(t, filepath.Join(dst, "d3"), 0700|os.ModeDir)
+	checkFileMode(t, filepath.Join(dst, "d1", "f1"), 0600)
+	checkFileMode(t, filepath.Join(dst, "d2", "f1"), 0660)
+	checkFileMode(t, filepath.Join(dst, "d3", WhiteoutPrefix+"f1"), 0600)
+}
diff --git a/engine/pkg/archive/archive_other.go b/engine/pkg/archive/archive_other.go
new file mode 100644
index 00000000..462dfc63
--- /dev/null
+++ b/engine/pkg/archive/archive_other.go
@@ -0,0 +1,7 @@
+// +build !linux
+
+package archive // import "github.com/docker/docker/pkg/archive"
+
+func getWhiteoutConverter(format WhiteoutFormat) tarWhiteoutConverter {
+	return nil
+}
diff --git a/engine/pkg/archive/archive_test.go b/engine/pkg/archive/archive_test.go
new file mode 100644
index 00000000..9f06af99
--- /dev/null
+++ b/engine/pkg/archive/archive_test.go
@@ -0,0 +1,1364 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"reflect"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/ioutils"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+var tmp string
+
+func init() {
+	tmp = "/tmp/"
+	if runtime.GOOS == "windows" {
+		tmp = os.Getenv("TEMP") + `\`
+	}
+}
+
+var defaultArchiver = NewDefaultArchiver()
+
+func defaultTarUntar(src, dst string) error {
+	return defaultArchiver.TarUntar(src, dst)
+}
+
+func defaultUntarPath(src, dst string) error {
+	return defaultArchiver.UntarPath(src, dst)
+}
+
+func defaultCopyFileWithTar(src, dst string) (err error) {
+	return defaultArchiver.CopyFileWithTar(src, dst)
+}
+
+func defaultCopyWithTar(src, dst string) error {
+	return defaultArchiver.CopyWithTar(src, dst)
+}
+
+func TestIsArchivePathDir(t *testing.T) {
+	cmd := exec.Command("sh", "-c", "mkdir -p /tmp/archivedir")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("Fail to create an archive file for test : %s.", output)
+	}
+	if IsArchivePath(tmp + "archivedir") {
+		t.Fatalf("Incorrectly recognised directory as an archive")
+	}
+}
+
+func TestIsArchivePathInvalidFile(t *testing.T) {
+	cmd := exec.Command("sh", "-c", "dd if=/dev/zero bs=1024 count=1 of=/tmp/archive && gzip --stdout /tmp/archive > /tmp/archive.gz")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("Fail to create an archive file for test : %s.", output)
+	}
+	if IsArchivePath(tmp + "archive") {
+		t.Fatalf("Incorrectly recognised invalid tar path as archive")
+	}
+	if IsArchivePath(tmp + "archive.gz") {
+		t.Fatalf("Incorrectly recognised invalid compressed tar path as archive")
+	}
+}
+
+func TestIsArchivePathTar(t *testing.T) {
+	whichTar := "tar"
+	cmdStr := fmt.Sprintf("touch /tmp/archivedata && %s -cf /tmp/archive /tmp/archivedata && gzip --stdout /tmp/archive > /tmp/archive.gz", whichTar)
+	cmd := exec.Command("sh", "-c", cmdStr)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("Fail to create an archive file for test : %s.", output)
+	}
+	if !IsArchivePath(tmp + "/archive") {
+		t.Fatalf("Did not recognise valid tar path as archive")
+	}
+	if !IsArchivePath(tmp + "archive.gz") {
+		t.Fatalf("Did not recognise valid compressed tar path as archive")
+	}
+}
+
+func testDecompressStream(t *testing.T, ext, compressCommand string) io.Reader {
+	cmd := exec.Command("sh", "-c",
+		fmt.Sprintf("touch /tmp/archive && %s /tmp/archive", compressCommand))
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		t.Fatalf("Failed to create an archive file for test : %s.", output)
+	}
+	filename := "archive." + ext
+	archive, err := os.Open(tmp + filename)
+	if err != nil {
+		t.Fatalf("Failed to open file %s: %v", filename, err)
+	}
+	defer archive.Close()
+
+	r, err := DecompressStream(archive)
+	if err != nil {
+		t.Fatalf("Failed to decompress %s: %v", filename, err)
+	}
+	if _, err = ioutil.ReadAll(r); err != nil {
+		t.Fatalf("Failed to read the decompressed stream: %v ", err)
+	}
+	if err = r.Close(); err != nil {
+		t.Fatalf("Failed to close the decompressed stream: %v ", err)
+	}
+
+	return r
+}
+
+func TestDecompressStreamGzip(t *testing.T) {
+	testDecompressStream(t, "gz", "gzip -f")
+}
+
+func TestDecompressStreamBzip2(t *testing.T) {
+	testDecompressStream(t, "bz2", "bzip2 -f")
+}
+
+func TestDecompressStreamXz(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("Xz not present in msys2")
+	}
+	testDecompressStream(t, "xz", "xz -f")
+}
+
+func TestCompressStreamXzUnsupported(t *testing.T) {
+	dest, err := os.Create(tmp + "dest")
+	if err != nil {
+		t.Fatalf("Fail to create the destination file")
+	}
+	defer dest.Close()
+
+	_, err = CompressStream(dest, Xz)
+	if err == nil {
+		t.Fatalf("Should fail as xz is unsupported for compression format.")
+	}
+}
+
+func TestCompressStreamBzip2Unsupported(t *testing.T) {
+	dest, err := os.Create(tmp + "dest")
+	if err != nil {
+		t.Fatalf("Fail to create the destination file")
+	}
+	defer dest.Close()
+
+	_, err = CompressStream(dest, Bzip2)
+	if err == nil {
+		t.Fatalf("Should fail as bzip2 is unsupported for compression format.")
+	}
+}
+
+func TestCompressStreamInvalid(t *testing.T) {
+	dest, err := os.Create(tmp + "dest")
+	if err != nil {
+		t.Fatalf("Fail to create the destination file")
+	}
+	defer dest.Close()
+
+	_, err = CompressStream(dest, -1)
+	if err == nil {
+		t.Fatalf("Should fail as xz is unsupported for compression format.")
+	}
+}
+
+func TestExtensionInvalid(t *testing.T) {
+	compression := Compression(-1)
+	output := compression.Extension()
+	if output != "" {
+		t.Fatalf("The extension of an invalid compression should be an empty string.")
+	}
+}
+
+func TestExtensionUncompressed(t *testing.T) {
+	compression := Uncompressed
+	output := compression.Extension()
+	if output != "tar" {
+		t.Fatalf("The extension of an uncompressed archive should be 'tar'.")
+	}
+}
+func TestExtensionBzip2(t *testing.T) {
+	compression := Bzip2
+	output := compression.Extension()
+	if output != "tar.bz2" {
+		t.Fatalf("The extension of a bzip2 archive should be 'tar.bz2'")
+	}
+}
+func TestExtensionGzip(t *testing.T) {
+	compression := Gzip
+	output := compression.Extension()
+	if output != "tar.gz" {
+		t.Fatalf("The extension of a gzip archive should be 'tar.gz'")
+	}
+}
+func TestExtensionXz(t *testing.T) {
+	compression := Xz
+	output := compression.Extension()
+	if output != "tar.xz" {
+		t.Fatalf("The extension of a xz archive should be 'tar.xz'")
+	}
+}
+
+func TestCmdStreamLargeStderr(t *testing.T) {
+	cmd := exec.Command("sh", "-c", "dd if=/dev/zero bs=1k count=1000 of=/dev/stderr; echo hello")
+	out, err := cmdStream(cmd, nil)
+	if err != nil {
+		t.Fatalf("Failed to start command: %s", err)
+	}
+	errCh := make(chan error)
+	go func() {
+		_, err := io.Copy(ioutil.Discard, out)
+		errCh <- err
+	}()
+	select {
+	case err := <-errCh:
+		if err != nil {
+			t.Fatalf("Command should not have failed (err=%.100s...)", err)
+		}
+	case <-time.After(5 * time.Second):
+		t.Fatalf("Command did not complete in 5 seconds; probable deadlock")
+	}
+}
+
+func TestCmdStreamBad(t *testing.T) {
+	// TODO Windows: Figure out why this is failing in CI but not locally
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows CI machines")
+	}
+	badCmd := exec.Command("sh", "-c", "echo hello; echo >&2 error couldn\\'t reverse the phase pulser; exit 1")
+	out, err := cmdStream(badCmd, nil)
+	if err != nil {
+		t.Fatalf("Failed to start command: %s", err)
+	}
+	if output, err := ioutil.ReadAll(out); err == nil {
+		t.Fatalf("Command should have failed")
+	} else if err.Error() != "exit status 1: error couldn't reverse the phase pulser\n" {
+		t.Fatalf("Wrong error value (%s)", err)
+	} else if s := string(output); s != "hello\n" {
+		t.Fatalf("Command output should be '%s', not '%s'", "hello\\n", output)
+	}
+}
+
+func TestCmdStreamGood(t *testing.T) {
+	cmd := exec.Command("sh", "-c", "echo hello; exit 0")
+	out, err := cmdStream(cmd, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if output, err := ioutil.ReadAll(out); err != nil {
+		t.Fatalf("Command should not have failed (err=%s)", err)
+	} else if s := string(output); s != "hello\n" {
+		t.Fatalf("Command output should be '%s', not '%s'", "hello\\n", output)
+	}
+}
+
+func TestUntarPathWithInvalidDest(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-archive-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tempFolder)
+	invalidDestFolder := filepath.Join(tempFolder, "invalidDest")
+	// Create a src file
+	srcFile := filepath.Join(tempFolder, "src")
+	tarFile := filepath.Join(tempFolder, "src.tar")
+	os.Create(srcFile)
+	os.Create(invalidDestFolder) // being a file (not dir) should cause an error
+
+	// Translate back to Unix semantics as next exec.Command is run under sh
+	srcFileU := srcFile
+	tarFileU := tarFile
+	if runtime.GOOS == "windows" {
+		tarFileU = "/tmp/" + filepath.Base(filepath.Dir(tarFile)) + "/src.tar"
+		srcFileU = "/tmp/" + filepath.Base(filepath.Dir(srcFile)) + "/src"
+	}
+
+	cmd := exec.Command("sh", "-c", "tar cf "+tarFileU+" "+srcFileU)
+	_, err = cmd.CombinedOutput()
+	assert.NilError(t, err)
+
+	err = defaultUntarPath(tarFile, invalidDestFolder)
+	if err == nil {
+		t.Fatalf("UntarPath with invalid destination path should throw an error.")
+	}
+}
+
+func TestUntarPathWithInvalidSrc(t *testing.T) {
+	dest, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatalf("Fail to create the destination file")
+	}
+	defer os.RemoveAll(dest)
+	err = defaultUntarPath("/invalid/path", dest)
+	if err == nil {
+		t.Fatalf("UntarPath with invalid src path should throw an error.")
+	}
+}
+
+func TestUntarPath(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tmpFolder, err := ioutil.TempDir("", "docker-archive-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpFolder)
+	srcFile := filepath.Join(tmpFolder, "src")
+	tarFile := filepath.Join(tmpFolder, "src.tar")
+	os.Create(filepath.Join(tmpFolder, "src"))
+
+	destFolder := filepath.Join(tmpFolder, "dest")
+	err = os.MkdirAll(destFolder, 0740)
+	if err != nil {
+		t.Fatalf("Fail to create the destination file")
+	}
+
+	// Translate back to Unix semantics as next exec.Command is run under sh
+	srcFileU := srcFile
+	tarFileU := tarFile
+	if runtime.GOOS == "windows" {
+		tarFileU = "/tmp/" + filepath.Base(filepath.Dir(tarFile)) + "/src.tar"
+		srcFileU = "/tmp/" + filepath.Base(filepath.Dir(srcFile)) + "/src"
+	}
+	cmd := exec.Command("sh", "-c", "tar cf "+tarFileU+" "+srcFileU)
+	_, err = cmd.CombinedOutput()
+	assert.NilError(t, err)
+
+	err = defaultUntarPath(tarFile, destFolder)
+	if err != nil {
+		t.Fatalf("UntarPath shouldn't throw an error, %s.", err)
+	}
+	expectedFile := filepath.Join(destFolder, srcFileU)
+	_, err = os.Stat(expectedFile)
+	if err != nil {
+		t.Fatalf("Destination folder should contain the source file but did not.")
+	}
+}
+
+// Do the same test as above but with the destination as file, it should fail
+func TestUntarPathWithDestinationFile(t *testing.T) {
+	tmpFolder, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpFolder)
+	srcFile := filepath.Join(tmpFolder, "src")
+	tarFile := filepath.Join(tmpFolder, "src.tar")
+	os.Create(filepath.Join(tmpFolder, "src"))
+
+	// Translate back to Unix semantics as next exec.Command is run under sh
+	srcFileU := srcFile
+	tarFileU := tarFile
+	if runtime.GOOS == "windows" {
+		tarFileU = "/tmp/" + filepath.Base(filepath.Dir(tarFile)) + "/src.tar"
+		srcFileU = "/tmp/" + filepath.Base(filepath.Dir(srcFile)) + "/src"
+	}
+	cmd := exec.Command("sh", "-c", "tar cf "+tarFileU+" "+srcFileU)
+	_, err = cmd.CombinedOutput()
+	if err != nil {
+		t.Fatal(err)
+	}
+	destFile := filepath.Join(tmpFolder, "dest")
+	_, err = os.Create(destFile)
+	if err != nil {
+		t.Fatalf("Fail to create the destination file")
+	}
+	err = defaultUntarPath(tarFile, destFile)
+	if err == nil {
+		t.Fatalf("UntarPath should throw an error if the destination if a file")
+	}
+}
+
+// Do the same test as above but with the destination folder already exists
+// and the destination file is a directory
+// It's working, see https://github.com/docker/docker/issues/10040
+func TestUntarPathWithDestinationSrcFileAsFolder(t *testing.T) {
+	tmpFolder, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpFolder)
+	srcFile := filepath.Join(tmpFolder, "src")
+	tarFile := filepath.Join(tmpFolder, "src.tar")
+	os.Create(srcFile)
+
+	// Translate back to Unix semantics as next exec.Command is run under sh
+	srcFileU := srcFile
+	tarFileU := tarFile
+	if runtime.GOOS == "windows" {
+		tarFileU = "/tmp/" + filepath.Base(filepath.Dir(tarFile)) + "/src.tar"
+		srcFileU = "/tmp/" + filepath.Base(filepath.Dir(srcFile)) + "/src"
+	}
+
+	cmd := exec.Command("sh", "-c", "tar cf "+tarFileU+" "+srcFileU)
+	_, err = cmd.CombinedOutput()
+	if err != nil {
+		t.Fatal(err)
+	}
+	destFolder := filepath.Join(tmpFolder, "dest")
+	err = os.MkdirAll(destFolder, 0740)
+	if err != nil {
+		t.Fatalf("Fail to create the destination folder")
+	}
+	// Let's create a folder that will has the same path as the extracted file (from tar)
+	destSrcFileAsFolder := filepath.Join(destFolder, srcFileU)
+	err = os.MkdirAll(destSrcFileAsFolder, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = defaultUntarPath(tarFile, destFolder)
+	if err != nil {
+		t.Fatalf("UntarPath should throw not throw an error if the extracted file already exists and is a folder")
+	}
+}
+
+func TestCopyWithTarInvalidSrc(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatal(nil)
+	}
+	destFolder := filepath.Join(tempFolder, "dest")
+	invalidSrc := filepath.Join(tempFolder, "doesnotexists")
+	err = os.MkdirAll(destFolder, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = defaultCopyWithTar(invalidSrc, destFolder)
+	if err == nil {
+		t.Fatalf("archiver.CopyWithTar with invalid src path should throw an error.")
+	}
+}
+
+func TestCopyWithTarInexistentDestWillCreateIt(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tempFolder, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatal(nil)
+	}
+	srcFolder := filepath.Join(tempFolder, "src")
+	inexistentDestFolder := filepath.Join(tempFolder, "doesnotexists")
+	err = os.MkdirAll(srcFolder, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = defaultCopyWithTar(srcFolder, inexistentDestFolder)
+	if err != nil {
+		t.Fatalf("CopyWithTar with an inexistent folder shouldn't fail.")
+	}
+	_, err = os.Stat(inexistentDestFolder)
+	if err != nil {
+		t.Fatalf("CopyWithTar with an inexistent folder should create it.")
+	}
+}
+
+// Test CopyWithTar with a file as src
+func TestCopyWithTarSrcFile(t *testing.T) {
+	folder, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(folder)
+	dest := filepath.Join(folder, "dest")
+	srcFolder := filepath.Join(folder, "src")
+	src := filepath.Join(folder, filepath.Join("src", "src"))
+	err = os.MkdirAll(srcFolder, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = os.MkdirAll(dest, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ioutil.WriteFile(src, []byte("content"), 0777)
+	err = defaultCopyWithTar(src, dest)
+	if err != nil {
+		t.Fatalf("archiver.CopyWithTar shouldn't throw an error, %s.", err)
+	}
+	_, err = os.Stat(dest)
+	// FIXME Check the content
+	if err != nil {
+		t.Fatalf("Destination file should be the same as the source.")
+	}
+}
+
+// Test CopyWithTar with a folder as src
+func TestCopyWithTarSrcFolder(t *testing.T) {
+	folder, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(folder)
+	dest := filepath.Join(folder, "dest")
+	src := filepath.Join(folder, filepath.Join("src", "folder"))
+	err = os.MkdirAll(src, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = os.MkdirAll(dest, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ioutil.WriteFile(filepath.Join(src, "file"), []byte("content"), 0777)
+	err = defaultCopyWithTar(src, dest)
+	if err != nil {
+		t.Fatalf("archiver.CopyWithTar shouldn't throw an error, %s.", err)
+	}
+	_, err = os.Stat(dest)
+	// FIXME Check the content (the file inside)
+	if err != nil {
+		t.Fatalf("Destination folder should contain the source file but did not.")
+	}
+}
+
+func TestCopyFileWithTarInvalidSrc(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tempFolder)
+	destFolder := filepath.Join(tempFolder, "dest")
+	err = os.MkdirAll(destFolder, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	invalidFile := filepath.Join(tempFolder, "doesnotexists")
+	err = defaultCopyFileWithTar(invalidFile, destFolder)
+	if err == nil {
+		t.Fatalf("archiver.CopyWithTar with invalid src path should throw an error.")
+	}
+}
+
+func TestCopyFileWithTarInexistentDestWillCreateIt(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatal(nil)
+	}
+	defer os.RemoveAll(tempFolder)
+	srcFile := filepath.Join(tempFolder, "src")
+	inexistentDestFolder := filepath.Join(tempFolder, "doesnotexists")
+	_, err = os.Create(srcFile)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = defaultCopyFileWithTar(srcFile, inexistentDestFolder)
+	if err != nil {
+		t.Fatalf("CopyWithTar with an inexistent folder shouldn't fail.")
+	}
+	_, err = os.Stat(inexistentDestFolder)
+	if err != nil {
+		t.Fatalf("CopyWithTar with an inexistent folder should create it.")
+	}
+	// FIXME Test the src file and content
+}
+
+func TestCopyFileWithTarSrcFolder(t *testing.T) {
+	folder, err := ioutil.TempDir("", "docker-archive-copyfilewithtar-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(folder)
+	dest := filepath.Join(folder, "dest")
+	src := filepath.Join(folder, "srcfolder")
+	err = os.MkdirAll(src, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = os.MkdirAll(dest, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = defaultCopyFileWithTar(src, dest)
+	if err == nil {
+		t.Fatalf("CopyFileWithTar should throw an error with a folder.")
+	}
+}
+
+func TestCopyFileWithTarSrcFile(t *testing.T) {
+	folder, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(folder)
+	dest := filepath.Join(folder, "dest")
+	srcFolder := filepath.Join(folder, "src")
+	src := filepath.Join(folder, filepath.Join("src", "src"))
+	err = os.MkdirAll(srcFolder, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = os.MkdirAll(dest, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ioutil.WriteFile(src, []byte("content"), 0777)
+	err = defaultCopyWithTar(src, dest+"/")
+	if err != nil {
+		t.Fatalf("archiver.CopyFileWithTar shouldn't throw an error, %s.", err)
+	}
+	_, err = os.Stat(dest)
+	if err != nil {
+		t.Fatalf("Destination folder should contain the source file but did not.")
+	}
+}
+
+func TestTarFiles(t *testing.T) {
+	// TODO Windows: Figure out how to port this test.
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	// try without hardlinks
+	if err := checkNoChanges(1000, false); err != nil {
+		t.Fatal(err)
+	}
+	// try with hardlinks
+	if err := checkNoChanges(1000, true); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func checkNoChanges(fileNum int, hardlinks bool) error {
+	srcDir, err := ioutil.TempDir("", "docker-test-srcDir")
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(srcDir)
+
+	destDir, err := ioutil.TempDir("", "docker-test-destDir")
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(destDir)
+
+	_, err = prepareUntarSourceDirectory(fileNum, srcDir, hardlinks)
+	if err != nil {
+		return err
+	}
+
+	err = defaultTarUntar(srcDir, destDir)
+	if err != nil {
+		return err
+	}
+
+	changes, err := ChangesDirs(destDir, srcDir)
+	if err != nil {
+		return err
+	}
+	if len(changes) > 0 {
+		return fmt.Errorf("with %d files and %v hardlinks: expected 0 changes, got %d", fileNum, hardlinks, len(changes))
+	}
+	return nil
+}
+
+func tarUntar(t *testing.T, origin string, options *TarOptions) ([]Change, error) {
+	archive, err := TarWithOptions(origin, options)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer archive.Close()
+
+	buf := make([]byte, 10)
+	if _, err := archive.Read(buf); err != nil {
+		return nil, err
+	}
+	wrap := io.MultiReader(bytes.NewReader(buf), archive)
+
+	detectedCompression := DetectCompression(buf)
+	compression := options.Compression
+	if detectedCompression.Extension() != compression.Extension() {
+		return nil, fmt.Errorf("Wrong compression detected. Actual compression: %s, found %s", compression.Extension(), detectedCompression.Extension())
+	}
+
+	tmp, err := ioutil.TempDir("", "docker-test-untar")
+	if err != nil {
+		return nil, err
+	}
+	defer os.RemoveAll(tmp)
+	if err := Untar(wrap, tmp, nil); err != nil {
+		return nil, err
+	}
+	if _, err := os.Stat(tmp); err != nil {
+		return nil, err
+	}
+
+	return ChangesDirs(origin, tmp)
+}
+
+func TestTarUntar(t *testing.T) {
+	// TODO Windows: Figure out how to fix this test.
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	origin, err := ioutil.TempDir("", "docker-test-untar-origin")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(origin)
+	if err := ioutil.WriteFile(filepath.Join(origin, "1"), []byte("hello world"), 0700); err != nil {
+		t.Fatal(err)
+	}
+	if err := ioutil.WriteFile(filepath.Join(origin, "2"), []byte("welcome!"), 0700); err != nil {
+		t.Fatal(err)
+	}
+	if err := ioutil.WriteFile(filepath.Join(origin, "3"), []byte("will be ignored"), 0700); err != nil {
+		t.Fatal(err)
+	}
+
+	for _, c := range []Compression{
+		Uncompressed,
+		Gzip,
+	} {
+		changes, err := tarUntar(t, origin, &TarOptions{
+			Compression:     c,
+			ExcludePatterns: []string{"3"},
+		})
+
+		if err != nil {
+			t.Fatalf("Error tar/untar for compression %s: %s", c.Extension(), err)
+		}
+
+		if len(changes) != 1 || changes[0].Path != "/3" {
+			t.Fatalf("Unexpected differences after tarUntar: %v", changes)
+		}
+	}
+}
+
+func TestTarWithOptionsChownOptsAlwaysOverridesIdPair(t *testing.T) {
+	origin, err := ioutil.TempDir("", "docker-test-tar-chown-opt")
+	assert.NilError(t, err)
+
+	defer os.RemoveAll(origin)
+	filePath := filepath.Join(origin, "1")
+	err = ioutil.WriteFile(filePath, []byte("hello world"), 0700)
+	assert.NilError(t, err)
+
+	idMaps := []idtools.IDMap{
+		0: {
+			ContainerID: 0,
+			HostID:      0,
+			Size:        65536,
+		},
+		1: {
+			ContainerID: 0,
+			HostID:      100000,
+			Size:        65536,
+		},
+	}
+
+	cases := []struct {
+		opts        *TarOptions
+		expectedUID int
+		expectedGID int
+	}{
+		{&TarOptions{ChownOpts: &idtools.IDPair{UID: 1337, GID: 42}}, 1337, 42},
+		{&TarOptions{ChownOpts: &idtools.IDPair{UID: 100001, GID: 100001}, UIDMaps: idMaps, GIDMaps: idMaps}, 100001, 100001},
+		{&TarOptions{ChownOpts: &idtools.IDPair{UID: 0, GID: 0}, NoLchown: false}, 0, 0},
+		{&TarOptions{ChownOpts: &idtools.IDPair{UID: 1, GID: 1}, NoLchown: true}, 1, 1},
+		{&TarOptions{ChownOpts: &idtools.IDPair{UID: 1000, GID: 1000}, NoLchown: true}, 1000, 1000},
+	}
+	for _, testCase := range cases {
+		reader, err := TarWithOptions(filePath, testCase.opts)
+		assert.NilError(t, err)
+		tr := tar.NewReader(reader)
+		defer reader.Close()
+		for {
+			hdr, err := tr.Next()
+			if err == io.EOF {
+				// end of tar archive
+				break
+			}
+			assert.NilError(t, err)
+			assert.Check(t, is.Equal(hdr.Uid, testCase.expectedUID), "Uid equals expected value")
+			assert.Check(t, is.Equal(hdr.Gid, testCase.expectedGID), "Gid equals expected value")
+		}
+	}
+}
+
+func TestTarWithOptions(t *testing.T) {
+	// TODO Windows: Figure out how to fix this test.
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+	origin, err := ioutil.TempDir("", "docker-test-untar-origin")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if _, err := ioutil.TempDir(origin, "folder"); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(origin)
+	if err := ioutil.WriteFile(filepath.Join(origin, "1"), []byte("hello world"), 0700); err != nil {
+		t.Fatal(err)
+	}
+	if err := ioutil.WriteFile(filepath.Join(origin, "2"), []byte("welcome!"), 0700); err != nil {
+		t.Fatal(err)
+	}
+
+	cases := []struct {
+		opts       *TarOptions
+		numChanges int
+	}{
+		{&TarOptions{IncludeFiles: []string{"1"}}, 2},
+		{&TarOptions{ExcludePatterns: []string{"2"}}, 1},
+		{&TarOptions{ExcludePatterns: []string{"1", "folder*"}}, 2},
+		{&TarOptions{IncludeFiles: []string{"1", "1"}}, 2},
+		{&TarOptions{IncludeFiles: []string{"1"}, RebaseNames: map[string]string{"1": "test"}}, 4},
+	}
+	for _, testCase := range cases {
+		changes, err := tarUntar(t, origin, testCase.opts)
+		if err != nil {
+			t.Fatalf("Error tar/untar when testing inclusion/exclusion: %s", err)
+		}
+		if len(changes) != testCase.numChanges {
+			t.Errorf("Expected %d changes, got %d for %+v:",
+				testCase.numChanges, len(changes), testCase.opts)
+		}
+	}
+}
+
+// Some tar archives such as http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev21.tar.gz
+// use PAX Global Extended Headers.
+// Failing prevents the archives from being uncompressed during ADD
+func TestTypeXGlobalHeaderDoesNotFail(t *testing.T) {
+	hdr := tar.Header{Typeflag: tar.TypeXGlobalHeader}
+	tmpDir, err := ioutil.TempDir("", "docker-test-archive-pax-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+	err = createTarFile(filepath.Join(tmpDir, "pax_global_header"), tmpDir, &hdr, nil, true, nil, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+// Some tar have both GNU specific (huge uid) and Ustar specific (long name) things.
+// Not supposed to happen (should use PAX instead of Ustar for long name) but it does and it should still work.
+func TestUntarUstarGnuConflict(t *testing.T) {
+	f, err := os.Open("testdata/broken.tar")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+
+	found := false
+	tr := tar.NewReader(f)
+	// Iterate through the files in the archive.
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			// end of tar archive
+			break
+		}
+		if err != nil {
+			t.Fatal(err)
+		}
+		if hdr.Name == "root/.cpanm/work/1395823785.24209/Plack-1.0030/blib/man3/Plack::Middleware::LighttpdScriptNameFix.3pm" {
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Fatalf("%s not found in the archive", "root/.cpanm/work/1395823785.24209/Plack-1.0030/blib/man3/Plack::Middleware::LighttpdScriptNameFix.3pm")
+	}
+}
+
+func prepareUntarSourceDirectory(numberOfFiles int, targetPath string, makeLinks bool) (int, error) {
+	fileData := []byte("fooo")
+	for n := 0; n < numberOfFiles; n++ {
+		fileName := fmt.Sprintf("file-%d", n)
+		if err := ioutil.WriteFile(filepath.Join(targetPath, fileName), fileData, 0700); err != nil {
+			return 0, err
+		}
+		if makeLinks {
+			if err := os.Link(filepath.Join(targetPath, fileName), filepath.Join(targetPath, fileName+"-link")); err != nil {
+				return 0, err
+			}
+		}
+	}
+	totalSize := numberOfFiles * len(fileData)
+	return totalSize, nil
+}
+
+func BenchmarkTarUntar(b *testing.B) {
+	origin, err := ioutil.TempDir("", "docker-test-untar-origin")
+	if err != nil {
+		b.Fatal(err)
+	}
+	tempDir, err := ioutil.TempDir("", "docker-test-untar-destination")
+	if err != nil {
+		b.Fatal(err)
+	}
+	target := filepath.Join(tempDir, "dest")
+	n, err := prepareUntarSourceDirectory(100, origin, false)
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer os.RemoveAll(origin)
+	defer os.RemoveAll(tempDir)
+
+	b.ResetTimer()
+	b.SetBytes(int64(n))
+	for n := 0; n < b.N; n++ {
+		err := defaultTarUntar(origin, target)
+		if err != nil {
+			b.Fatal(err)
+		}
+		os.RemoveAll(target)
+	}
+}
+
+func BenchmarkTarUntarWithLinks(b *testing.B) {
+	origin, err := ioutil.TempDir("", "docker-test-untar-origin")
+	if err != nil {
+		b.Fatal(err)
+	}
+	tempDir, err := ioutil.TempDir("", "docker-test-untar-destination")
+	if err != nil {
+		b.Fatal(err)
+	}
+	target := filepath.Join(tempDir, "dest")
+	n, err := prepareUntarSourceDirectory(100, origin, true)
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer os.RemoveAll(origin)
+	defer os.RemoveAll(tempDir)
+
+	b.ResetTimer()
+	b.SetBytes(int64(n))
+	for n := 0; n < b.N; n++ {
+		err := defaultTarUntar(origin, target)
+		if err != nil {
+			b.Fatal(err)
+		}
+		os.RemoveAll(target)
+	}
+}
+
+func TestUntarInvalidFilenames(t *testing.T) {
+	// TODO Windows: Figure out how to fix this test.
+	if runtime.GOOS == "windows" {
+		t.Skip("Passes but hits breakoutError: platform and architecture is not supported")
+	}
+	for i, headers := range [][]*tar.Header{
+		{
+			{
+				Name:     "../victim/dotdot",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+		{
+			{
+				// Note the leading slash
+				Name:     "/../victim/slash-dotdot",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+	} {
+		if err := testBreakout("untar", "docker-TestUntarInvalidFilenames", headers); err != nil {
+			t.Fatalf("i=%d. %v", i, err)
+		}
+	}
+}
+
+func TestUntarHardlinkToSymlink(t *testing.T) {
+	// TODO Windows. There may be a way of running this, but turning off for now
+	skip.If(t, runtime.GOOS == "windows", "hardlinks on Windows")
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	for i, headers := range [][]*tar.Header{
+		{
+			{
+				Name:     "symlink1",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "regfile",
+				Mode:     0644,
+			},
+			{
+				Name:     "symlink2",
+				Typeflag: tar.TypeLink,
+				Linkname: "symlink1",
+				Mode:     0644,
+			},
+			{
+				Name:     "regfile",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+	} {
+		if err := testBreakout("untar", "docker-TestUntarHardlinkToSymlink", headers); err != nil {
+			t.Fatalf("i=%d. %v", i, err)
+		}
+	}
+}
+
+func TestUntarInvalidHardlink(t *testing.T) {
+	// TODO Windows. There may be a way of running this, but turning off for now
+	if runtime.GOOS == "windows" {
+		t.Skip("hardlinks on Windows")
+	}
+	for i, headers := range [][]*tar.Header{
+		{ // try reading victim/hello (../)
+			{
+				Name:     "dotdot",
+				Typeflag: tar.TypeLink,
+				Linkname: "../victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try reading victim/hello (/../)
+			{
+				Name:     "slash-dotdot",
+				Typeflag: tar.TypeLink,
+				// Note the leading slash
+				Linkname: "/../victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try writing victim/file
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeLink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "loophole-victim/file",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+		{ // try reading victim/hello (hardlink, symlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeLink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "symlink",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "loophole-victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // Try reading victim/hello (hardlink, hardlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeLink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "hardlink",
+				Typeflag: tar.TypeLink,
+				Linkname: "loophole-victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // Try removing victim directory (hardlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeLink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+	} {
+		if err := testBreakout("untar", "docker-TestUntarInvalidHardlink", headers); err != nil {
+			t.Fatalf("i=%d. %v", i, err)
+		}
+	}
+}
+
+func TestUntarInvalidSymlink(t *testing.T) {
+	// TODO Windows. There may be a way of running this, but turning off for now
+	if runtime.GOOS == "windows" {
+		t.Skip("hardlinks on Windows")
+	}
+	for i, headers := range [][]*tar.Header{
+		{ // try reading victim/hello (../)
+			{
+				Name:     "dotdot",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try reading victim/hello (/../)
+			{
+				Name:     "slash-dotdot",
+				Typeflag: tar.TypeSymlink,
+				// Note the leading slash
+				Linkname: "/../victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try writing victim/file
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "loophole-victim/file",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+		{ // try reading victim/hello (symlink, symlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "symlink",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "loophole-victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try reading victim/hello (symlink, hardlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "hardlink",
+				Typeflag: tar.TypeLink,
+				Linkname: "loophole-victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try removing victim directory (symlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+		{ // try writing to victim/newdir/newfile with a symlink in the path
+			{
+				// this header needs to be before the next one, or else there is an error
+				Name:     "dir/loophole",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "dir/loophole/newdir/newfile",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+	} {
+		if err := testBreakout("untar", "docker-TestUntarInvalidSymlink", headers); err != nil {
+			t.Fatalf("i=%d. %v", i, err)
+		}
+	}
+}
+
+func TestTempArchiveCloseMultipleTimes(t *testing.T) {
+	reader := ioutil.NopCloser(strings.NewReader("hello"))
+	tempArchive, err := NewTempArchive(reader, "")
+	assert.NilError(t, err)
+	buf := make([]byte, 10)
+	n, err := tempArchive.Read(buf)
+	assert.NilError(t, err)
+	if n != 5 {
+		t.Fatalf("Expected to read 5 bytes. Read %d instead", n)
+	}
+	for i := 0; i < 3; i++ {
+		if err = tempArchive.Close(); err != nil {
+			t.Fatalf("i=%d. Unexpected error closing temp archive: %v", i, err)
+		}
+	}
+}
+
+func TestReplaceFileTarWrapper(t *testing.T) {
+	filesInArchive := 20
+	testcases := []struct {
+		doc       string
+		filename  string
+		modifier  TarModifierFunc
+		expected  string
+		fileCount int
+	}{
+		{
+			doc:       "Modifier creates a new file",
+			filename:  "newfile",
+			modifier:  createModifier(t),
+			expected:  "the new content",
+			fileCount: filesInArchive + 1,
+		},
+		{
+			doc:       "Modifier replaces a file",
+			filename:  "file-2",
+			modifier:  createOrReplaceModifier,
+			expected:  "the new content",
+			fileCount: filesInArchive,
+		},
+		{
+			doc:       "Modifier replaces the last file",
+			filename:  fmt.Sprintf("file-%d", filesInArchive-1),
+			modifier:  createOrReplaceModifier,
+			expected:  "the new content",
+			fileCount: filesInArchive,
+		},
+		{
+			doc:       "Modifier appends to a file",
+			filename:  "file-3",
+			modifier:  appendModifier,
+			expected:  "fooo\nnext line",
+			fileCount: filesInArchive,
+		},
+	}
+
+	for _, testcase := range testcases {
+		sourceArchive, cleanup := buildSourceArchive(t, filesInArchive)
+		defer cleanup()
+
+		resultArchive := ReplaceFileTarWrapper(
+			sourceArchive,
+			map[string]TarModifierFunc{testcase.filename: testcase.modifier})
+
+		actual := readFileFromArchive(t, resultArchive, testcase.filename, testcase.fileCount, testcase.doc)
+		assert.Check(t, is.Equal(testcase.expected, actual), testcase.doc)
+	}
+}
+
+// TestPrefixHeaderReadable tests that files that could be created with the
+// version of this package that was built with <=go17 are still readable.
+func TestPrefixHeaderReadable(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	// https://gist.github.com/stevvooe/e2a790ad4e97425896206c0816e1a882#file-out-go
+	var testFile = []byte("\x1f\x8b\x08\x08\x44\x21\x68\x59\x00\x03\x74\x2e\x74\x61\x72\x00\x4b\xcb\xcf\x67\xa0\x35\x30\x80\x00\x86\x06\x10\x47\x01\xc1\x37\x40\x00\x54\xb6\xb1\xa1\xa9\x99\x09\x48\x25\x1d\x40\x69\x71\x49\x62\x91\x02\xe5\x76\xa1\x79\x84\x21\x91\xd6\x80\x72\xaf\x8f\x82\x51\x30\x0a\x46\x36\x00\x00\xf0\x1c\x1e\x95\x00\x06\x00\x00")
+
+	tmpDir, err := ioutil.TempDir("", "prefix-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+	err = Untar(bytes.NewReader(testFile), tmpDir, nil)
+	assert.NilError(t, err)
+
+	baseName := "foo"
+	pth := strings.Repeat("a", 100-len(baseName)) + "/" + baseName
+
+	_, err = os.Lstat(filepath.Join(tmpDir, pth))
+	assert.NilError(t, err)
+}
+
+func buildSourceArchive(t *testing.T, numberOfFiles int) (io.ReadCloser, func()) {
+	srcDir, err := ioutil.TempDir("", "docker-test-srcDir")
+	assert.NilError(t, err)
+
+	_, err = prepareUntarSourceDirectory(numberOfFiles, srcDir, false)
+	assert.NilError(t, err)
+
+	sourceArchive, err := TarWithOptions(srcDir, &TarOptions{})
+	assert.NilError(t, err)
+	return sourceArchive, func() {
+		os.RemoveAll(srcDir)
+		sourceArchive.Close()
+	}
+}
+
+func createOrReplaceModifier(path string, header *tar.Header, content io.Reader) (*tar.Header, []byte, error) {
+	return &tar.Header{
+		Mode:     0600,
+		Typeflag: tar.TypeReg,
+	}, []byte("the new content"), nil
+}
+
+func createModifier(t *testing.T) TarModifierFunc {
+	return func(path string, header *tar.Header, content io.Reader) (*tar.Header, []byte, error) {
+		assert.Check(t, is.Nil(content))
+		return createOrReplaceModifier(path, header, content)
+	}
+}
+
+func appendModifier(path string, header *tar.Header, content io.Reader) (*tar.Header, []byte, error) {
+	buffer := bytes.Buffer{}
+	if content != nil {
+		if _, err := buffer.ReadFrom(content); err != nil {
+			return nil, nil, err
+		}
+	}
+	buffer.WriteString("\nnext line")
+	return &tar.Header{Mode: 0600, Typeflag: tar.TypeReg}, buffer.Bytes(), nil
+}
+
+func readFileFromArchive(t *testing.T, archive io.ReadCloser, name string, expectedCount int, doc string) string {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	destDir, err := ioutil.TempDir("", "docker-test-destDir")
+	assert.NilError(t, err)
+	defer os.RemoveAll(destDir)
+
+	err = Untar(archive, destDir, nil)
+	assert.NilError(t, err)
+
+	files, _ := ioutil.ReadDir(destDir)
+	assert.Check(t, is.Len(files, expectedCount), doc)
+
+	content, err := ioutil.ReadFile(filepath.Join(destDir, name))
+	assert.Check(t, err)
+	return string(content)
+}
+
+func TestDisablePigz(t *testing.T) {
+	_, err := exec.LookPath("unpigz")
+	if err != nil {
+		t.Log("Test will not check full path when Pigz not installed")
+	}
+
+	os.Setenv("MOBY_DISABLE_PIGZ", "true")
+	defer os.Unsetenv("MOBY_DISABLE_PIGZ")
+
+	r := testDecompressStream(t, "gz", "gzip -f")
+	// For the bufio pool
+	outsideReaderCloserWrapper := r.(*ioutils.ReadCloserWrapper)
+	// For the context canceller
+	contextReaderCloserWrapper := outsideReaderCloserWrapper.Reader.(*ioutils.ReadCloserWrapper)
+
+	assert.Equal(t, reflect.TypeOf(contextReaderCloserWrapper.Reader), reflect.TypeOf(&gzip.Reader{}))
+}
+
+func TestPigz(t *testing.T) {
+	r := testDecompressStream(t, "gz", "gzip -f")
+	// For the bufio pool
+	outsideReaderCloserWrapper := r.(*ioutils.ReadCloserWrapper)
+	// For the context canceller
+	contextReaderCloserWrapper := outsideReaderCloserWrapper.Reader.(*ioutils.ReadCloserWrapper)
+
+	_, err := exec.LookPath("unpigz")
+	if err == nil {
+		t.Log("Tested whether Pigz is used, as it installed")
+		assert.Equal(t, reflect.TypeOf(contextReaderCloserWrapper.Reader), reflect.TypeOf(&io.PipeReader{}))
+	} else {
+		t.Log("Tested whether Pigz is not used, as it not installed")
+		assert.Equal(t, reflect.TypeOf(contextReaderCloserWrapper.Reader), reflect.TypeOf(&gzip.Reader{}))
+	}
+}
diff --git a/engine/pkg/archive/archive_unix.go b/engine/pkg/archive/archive_unix.go
new file mode 100644
index 00000000..e81076c1
--- /dev/null
+++ b/engine/pkg/archive/archive_unix.go
@@ -0,0 +1,114 @@
+// +build !windows
+
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"errors"
+	"os"
+	"path/filepath"
+	"syscall"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/system"
+	rsystem "github.com/opencontainers/runc/libcontainer/system"
+	"golang.org/x/sys/unix"
+)
+
+// fixVolumePathPrefix does platform specific processing to ensure that if
+// the path being passed in is not in a volume path format, convert it to one.
+func fixVolumePathPrefix(srcPath string) string {
+	return srcPath
+}
+
+// getWalkRoot calculates the root path when performing a TarWithOptions.
+// We use a separate function as this is platform specific. On Linux, we
+// can't use filepath.Join(srcPath,include) because this will clean away
+// a trailing "." or "/" which may be important.
+func getWalkRoot(srcPath string, include string) string {
+	return srcPath + string(filepath.Separator) + include
+}
+
+// CanonicalTarNameForPath returns platform-specific filepath
+// to canonical posix-style path for tar archival. p is relative
+// path.
+func CanonicalTarNameForPath(p string) (string, error) {
+	return p, nil // already unix-style
+}
+
+// chmodTarEntry is used to adjust the file permissions used in tar header based
+// on the platform the archival is done.
+
+func chmodTarEntry(perm os.FileMode) os.FileMode {
+	return perm // noop for unix as golang APIs provide perm bits correctly
+}
+
+func setHeaderForSpecialDevice(hdr *tar.Header, name string, stat interface{}) (err error) {
+	s, ok := stat.(*syscall.Stat_t)
+
+	if ok {
+		// Currently go does not fill in the major/minors
+		if s.Mode&unix.S_IFBLK != 0 ||
+			s.Mode&unix.S_IFCHR != 0 {
+			hdr.Devmajor = int64(unix.Major(uint64(s.Rdev))) // nolint: unconvert
+			hdr.Devminor = int64(unix.Minor(uint64(s.Rdev))) // nolint: unconvert
+		}
+	}
+
+	return
+}
+
+func getInodeFromStat(stat interface{}) (inode uint64, err error) {
+	s, ok := stat.(*syscall.Stat_t)
+
+	if ok {
+		inode = s.Ino
+	}
+
+	return
+}
+
+func getFileUIDGID(stat interface{}) (idtools.IDPair, error) {
+	s, ok := stat.(*syscall.Stat_t)
+
+	if !ok {
+		return idtools.IDPair{}, errors.New("cannot convert stat value to syscall.Stat_t")
+	}
+	return idtools.IDPair{UID: int(s.Uid), GID: int(s.Gid)}, nil
+}
+
+// handleTarTypeBlockCharFifo is an OS-specific helper function used by
+// createTarFile to handle the following types of header: Block; Char; Fifo
+func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
+	if rsystem.RunningInUserNS() {
+		// cannot create a device if running in user namespace
+		return nil
+	}
+
+	mode := uint32(hdr.Mode & 07777)
+	switch hdr.Typeflag {
+	case tar.TypeBlock:
+		mode |= unix.S_IFBLK
+	case tar.TypeChar:
+		mode |= unix.S_IFCHR
+	case tar.TypeFifo:
+		mode |= unix.S_IFIFO
+	}
+
+	return system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor)))
+}
+
+func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
+	if hdr.Typeflag == tar.TypeLink {
+		if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
+			if err := os.Chmod(path, hdrInfo.Mode()); err != nil {
+				return err
+			}
+		}
+	} else if hdr.Typeflag != tar.TypeSymlink {
+		if err := os.Chmod(path, hdrInfo.Mode()); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/engine/pkg/archive/archive_unix_test.go b/engine/pkg/archive/archive_unix_test.go
new file mode 100644
index 00000000..808878d0
--- /dev/null
+++ b/engine/pkg/archive/archive_unix_test.go
@@ -0,0 +1,318 @@
+// +build !windows
+
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"testing"
+
+	"github.com/docker/docker/pkg/system"
+	"golang.org/x/sys/unix"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+func TestCanonicalTarNameForPath(t *testing.T) {
+	cases := []struct{ in, expected string }{
+		{"foo", "foo"},
+		{"foo/bar", "foo/bar"},
+		{"foo/dir/", "foo/dir/"},
+	}
+	for _, v := range cases {
+		if out, err := CanonicalTarNameForPath(v.in); err != nil {
+			t.Fatalf("cannot get canonical name for path: %s: %v", v.in, err)
+		} else if out != v.expected {
+			t.Fatalf("wrong canonical tar name. expected:%s got:%s", v.expected, out)
+		}
+	}
+}
+
+func TestCanonicalTarName(t *testing.T) {
+	cases := []struct {
+		in       string
+		isDir    bool
+		expected string
+	}{
+		{"foo", false, "foo"},
+		{"foo", true, "foo/"},
+		{"foo/bar", false, "foo/bar"},
+		{"foo/bar", true, "foo/bar/"},
+	}
+	for _, v := range cases {
+		if out, err := canonicalTarName(v.in, v.isDir); err != nil {
+			t.Fatalf("cannot get canonical name for path: %s: %v", v.in, err)
+		} else if out != v.expected {
+			t.Fatalf("wrong canonical tar name. expected:%s got:%s", v.expected, out)
+		}
+	}
+}
+
+func TestChmodTarEntry(t *testing.T) {
+	cases := []struct {
+		in, expected os.FileMode
+	}{
+		{0000, 0000},
+		{0777, 0777},
+		{0644, 0644},
+		{0755, 0755},
+		{0444, 0444},
+	}
+	for _, v := range cases {
+		if out := chmodTarEntry(v.in); out != v.expected {
+			t.Fatalf("wrong chmod. expected:%v got:%v", v.expected, out)
+		}
+	}
+}
+
+func TestTarWithHardLink(t *testing.T) {
+	origin, err := ioutil.TempDir("", "docker-test-tar-hardlink")
+	assert.NilError(t, err)
+	defer os.RemoveAll(origin)
+
+	err = ioutil.WriteFile(filepath.Join(origin, "1"), []byte("hello world"), 0700)
+	assert.NilError(t, err)
+
+	err = os.Link(filepath.Join(origin, "1"), filepath.Join(origin, "2"))
+	assert.NilError(t, err)
+
+	var i1, i2 uint64
+	i1, err = getNlink(filepath.Join(origin, "1"))
+	assert.NilError(t, err)
+
+	// sanity check that we can hardlink
+	if i1 != 2 {
+		t.Skipf("skipping since hardlinks don't work here; expected 2 links, got %d", i1)
+	}
+
+	dest, err := ioutil.TempDir("", "docker-test-tar-hardlink-dest")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dest)
+
+	// we'll do this in two steps to separate failure
+	fh, err := Tar(origin, Uncompressed)
+	assert.NilError(t, err)
+
+	// ensure we can read the whole thing with no error, before writing back out
+	buf, err := ioutil.ReadAll(fh)
+	assert.NilError(t, err)
+
+	bRdr := bytes.NewReader(buf)
+	err = Untar(bRdr, dest, &TarOptions{Compression: Uncompressed})
+	assert.NilError(t, err)
+
+	i1, err = getInode(filepath.Join(dest, "1"))
+	assert.NilError(t, err)
+
+	i2, err = getInode(filepath.Join(dest, "2"))
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(i1, i2))
+}
+
+func TestTarWithHardLinkAndRebase(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "docker-test-tar-hardlink-rebase")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	origin := filepath.Join(tmpDir, "origin")
+	err = os.Mkdir(origin, 0700)
+	assert.NilError(t, err)
+
+	err = ioutil.WriteFile(filepath.Join(origin, "1"), []byte("hello world"), 0700)
+	assert.NilError(t, err)
+
+	err = os.Link(filepath.Join(origin, "1"), filepath.Join(origin, "2"))
+	assert.NilError(t, err)
+
+	var i1, i2 uint64
+	i1, err = getNlink(filepath.Join(origin, "1"))
+	assert.NilError(t, err)
+
+	// sanity check that we can hardlink
+	if i1 != 2 {
+		t.Skipf("skipping since hardlinks don't work here; expected 2 links, got %d", i1)
+	}
+
+	dest := filepath.Join(tmpDir, "dest")
+	bRdr, err := TarResourceRebase(origin, "origin")
+	assert.NilError(t, err)
+
+	dstDir, srcBase := SplitPathDirEntry(origin)
+	_, dstBase := SplitPathDirEntry(dest)
+	content := RebaseArchiveEntries(bRdr, srcBase, dstBase)
+	err = Untar(content, dstDir, &TarOptions{Compression: Uncompressed, NoLchown: true, NoOverwriteDirNonDir: true})
+	assert.NilError(t, err)
+
+	i1, err = getInode(filepath.Join(dest, "1"))
+	assert.NilError(t, err)
+	i2, err = getInode(filepath.Join(dest, "2"))
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(i1, i2))
+}
+
+func getNlink(path string) (uint64, error) {
+	stat, err := os.Stat(path)
+	if err != nil {
+		return 0, err
+	}
+	statT, ok := stat.Sys().(*syscall.Stat_t)
+	if !ok {
+		return 0, fmt.Errorf("expected type *syscall.Stat_t, got %t", stat.Sys())
+	}
+	// We need this conversion on ARM64
+	return uint64(statT.Nlink), nil
+}
+
+func getInode(path string) (uint64, error) {
+	stat, err := os.Stat(path)
+	if err != nil {
+		return 0, err
+	}
+	statT, ok := stat.Sys().(*syscall.Stat_t)
+	if !ok {
+		return 0, fmt.Errorf("expected type *syscall.Stat_t, got %t", stat.Sys())
+	}
+	return statT.Ino, nil
+}
+
+func TestTarWithBlockCharFifo(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	origin, err := ioutil.TempDir("", "docker-test-tar-hardlink")
+	assert.NilError(t, err)
+
+	defer os.RemoveAll(origin)
+	err = ioutil.WriteFile(filepath.Join(origin, "1"), []byte("hello world"), 0700)
+	assert.NilError(t, err)
+
+	err = system.Mknod(filepath.Join(origin, "2"), unix.S_IFBLK, int(system.Mkdev(int64(12), int64(5))))
+	assert.NilError(t, err)
+	err = system.Mknod(filepath.Join(origin, "3"), unix.S_IFCHR, int(system.Mkdev(int64(12), int64(5))))
+	assert.NilError(t, err)
+	err = system.Mknod(filepath.Join(origin, "4"), unix.S_IFIFO, int(system.Mkdev(int64(12), int64(5))))
+	assert.NilError(t, err)
+
+	dest, err := ioutil.TempDir("", "docker-test-tar-hardlink-dest")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dest)
+
+	// we'll do this in two steps to separate failure
+	fh, err := Tar(origin, Uncompressed)
+	assert.NilError(t, err)
+
+	// ensure we can read the whole thing with no error, before writing back out
+	buf, err := ioutil.ReadAll(fh)
+	assert.NilError(t, err)
+
+	bRdr := bytes.NewReader(buf)
+	err = Untar(bRdr, dest, &TarOptions{Compression: Uncompressed})
+	assert.NilError(t, err)
+
+	changes, err := ChangesDirs(origin, dest)
+	assert.NilError(t, err)
+
+	if len(changes) > 0 {
+		t.Fatalf("Tar with special device (block, char, fifo) should keep them (recreate them when untar) : %v", changes)
+	}
+}
+
+// TestTarUntarWithXattr is Unix as Lsetxattr is not supported on Windows
+func TestTarUntarWithXattr(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	origin, err := ioutil.TempDir("", "docker-test-untar-origin")
+	assert.NilError(t, err)
+	defer os.RemoveAll(origin)
+	err = ioutil.WriteFile(filepath.Join(origin, "1"), []byte("hello world"), 0700)
+	assert.NilError(t, err)
+
+	err = ioutil.WriteFile(filepath.Join(origin, "2"), []byte("welcome!"), 0700)
+	assert.NilError(t, err)
+	err = ioutil.WriteFile(filepath.Join(origin, "3"), []byte("will be ignored"), 0700)
+	assert.NilError(t, err)
+	err = system.Lsetxattr(filepath.Join(origin, "2"), "security.capability", []byte{0x00}, 0)
+	assert.NilError(t, err)
+
+	for _, c := range []Compression{
+		Uncompressed,
+		Gzip,
+	} {
+		changes, err := tarUntar(t, origin, &TarOptions{
+			Compression:     c,
+			ExcludePatterns: []string{"3"},
+		})
+
+		if err != nil {
+			t.Fatalf("Error tar/untar for compression %s: %s", c.Extension(), err)
+		}
+
+		if len(changes) != 1 || changes[0].Path != "/3" {
+			t.Fatalf("Unexpected differences after tarUntar: %v", changes)
+		}
+		capability, _ := system.Lgetxattr(filepath.Join(origin, "2"), "security.capability")
+		if capability == nil && capability[0] != 0x00 {
+			t.Fatalf("Untar should have kept the 'security.capability' xattr.")
+		}
+	}
+}
+
+func TestCopyInfoDestinationPathSymlink(t *testing.T) {
+	tmpDir, _ := getTestTempDirs(t)
+	defer removeAllPaths(tmpDir)
+
+	root := strings.TrimRight(tmpDir, "/") + "/"
+
+	type FileTestData struct {
+		resource FileData
+		file     string
+		expected CopyInfo
+	}
+
+	testData := []FileTestData{
+		//Create a directory: /tmp/archive-copy-test*/dir1
+		//Test will "copy" file1 to dir1
+		{resource: FileData{filetype: Dir, path: "dir1", permissions: 0740}, file: "file1", expected: CopyInfo{Path: root + "dir1/file1", Exists: false, IsDir: false}},
+
+		//Create a symlink directory to dir1: /tmp/archive-copy-test*/dirSymlink -> dir1
+		//Test will "copy" file2 to dirSymlink
+		{resource: FileData{filetype: Symlink, path: "dirSymlink", contents: root + "dir1", permissions: 0600}, file: "file2", expected: CopyInfo{Path: root + "dirSymlink/file2", Exists: false, IsDir: false}},
+
+		//Create a file in tmp directory: /tmp/archive-copy-test*/file1
+		//Test to cover when the full file path already exists.
+		{resource: FileData{filetype: Regular, path: "file1", permissions: 0600}, file: "", expected: CopyInfo{Path: root + "file1", Exists: true}},
+
+		//Create a directory: /tmp/archive-copy*/dir2
+		//Test to cover when the full directory path already exists
+		{resource: FileData{filetype: Dir, path: "dir2", permissions: 0740}, file: "", expected: CopyInfo{Path: root + "dir2", Exists: true, IsDir: true}},
+
+		//Create a symlink to a non-existent target: /tmp/archive-copy*/symlink1 -> noSuchTarget
+		//Negative test to cover symlinking to a target that does not exit
+		{resource: FileData{filetype: Symlink, path: "symlink1", contents: "noSuchTarget", permissions: 0600}, file: "", expected: CopyInfo{Path: root + "noSuchTarget", Exists: false}},
+
+		//Create a file in tmp directory for next test: /tmp/existingfile
+		{resource: FileData{filetype: Regular, path: "existingfile", permissions: 0600}, file: "", expected: CopyInfo{Path: root + "existingfile", Exists: true}},
+
+		//Create a symlink to an existing file: /tmp/archive-copy*/symlink2 -> /tmp/existingfile
+		//Test to cover when the parent directory of a new file is a symlink
+		{resource: FileData{filetype: Symlink, path: "symlink2", contents: "existingfile", permissions: 0600}, file: "", expected: CopyInfo{Path: root + "existingfile", Exists: true}},
+	}
+
+	var dirs []FileData
+	for _, data := range testData {
+		dirs = append(dirs, data.resource)
+	}
+	provisionSampleDir(t, tmpDir, dirs)
+
+	for _, info := range testData {
+		p := filepath.Join(tmpDir, info.resource.path, info.file)
+		ci, err := CopyInfoDestinationPath(p)
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(info.expected, ci))
+	}
+}
diff --git a/engine/pkg/archive/archive_windows.go b/engine/pkg/archive/archive_windows.go
new file mode 100644
index 00000000..69aadd82
--- /dev/null
+++ b/engine/pkg/archive/archive_windows.go
@@ -0,0 +1,77 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/longpath"
+)
+
+// fixVolumePathPrefix does platform specific processing to ensure that if
+// the path being passed in is not in a volume path format, convert it to one.
+func fixVolumePathPrefix(srcPath string) string {
+	return longpath.AddPrefix(srcPath)
+}
+
+// getWalkRoot calculates the root path when performing a TarWithOptions.
+// We use a separate function as this is platform specific.
+func getWalkRoot(srcPath string, include string) string {
+	return filepath.Join(srcPath, include)
+}
+
+// CanonicalTarNameForPath returns platform-specific filepath
+// to canonical posix-style path for tar archival. p is relative
+// path.
+func CanonicalTarNameForPath(p string) (string, error) {
+	// windows: convert windows style relative path with backslashes
+	// into forward slashes. Since windows does not allow '/' or '\'
+	// in file names, it is mostly safe to replace however we must
+	// check just in case
+	if strings.Contains(p, "/") {
+		return "", fmt.Errorf("Windows path contains forward slash: %s", p)
+	}
+	return strings.Replace(p, string(os.PathSeparator), "/", -1), nil
+
+}
+
+// chmodTarEntry is used to adjust the file permissions used in tar header based
+// on the platform the archival is done.
+func chmodTarEntry(perm os.FileMode) os.FileMode {
+	//perm &= 0755 // this 0-ed out tar flags (like link, regular file, directory marker etc.)
+	permPart := perm & os.ModePerm
+	noPermPart := perm &^ os.ModePerm
+	// Add the x bit: make everything +x from windows
+	permPart |= 0111
+	permPart &= 0755
+
+	return noPermPart | permPart
+}
+
+func setHeaderForSpecialDevice(hdr *tar.Header, name string, stat interface{}) (err error) {
+	// do nothing. no notion of Rdev, Nlink in stat on Windows
+	return
+}
+
+func getInodeFromStat(stat interface{}) (inode uint64, err error) {
+	// do nothing. no notion of Inode in stat on Windows
+	return
+}
+
+// handleTarTypeBlockCharFifo is an OS-specific helper function used by
+// createTarFile to handle the following types of header: Block; Char; Fifo
+func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
+	return nil
+}
+
+func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
+	return nil
+}
+
+func getFileUIDGID(stat interface{}) (idtools.IDPair, error) {
+	// no notion of file ownership mapping yet on Windows
+	return idtools.IDPair{UID: 0, GID: 0}, nil
+}
diff --git a/engine/pkg/archive/archive_windows_test.go b/engine/pkg/archive/archive_windows_test.go
new file mode 100644
index 00000000..b3dbb327
--- /dev/null
+++ b/engine/pkg/archive/archive_windows_test.go
@@ -0,0 +1,93 @@
+// +build windows
+
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestCopyFileWithInvalidDest(t *testing.T) {
+	// TODO Windows: This is currently failing. Not sure what has
+	// recently changed in CopyWithTar as used to pass. Further investigation
+	// is required.
+	t.Skip("Currently fails")
+	folder, err := ioutil.TempDir("", "docker-archive-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(folder)
+	dest := "c:dest"
+	srcFolder := filepath.Join(folder, "src")
+	src := filepath.Join(folder, "src", "src")
+	err = os.MkdirAll(srcFolder, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ioutil.WriteFile(src, []byte("content"), 0777)
+	err = defaultCopyWithTar(src, dest)
+	if err == nil {
+		t.Fatalf("archiver.CopyWithTar should throw an error on invalid dest.")
+	}
+}
+
+func TestCanonicalTarNameForPath(t *testing.T) {
+	cases := []struct {
+		in, expected string
+		shouldFail   bool
+	}{
+		{"foo", "foo", false},
+		{"foo/bar", "___", true}, // unix-styled windows path must fail
+		{`foo\bar`, "foo/bar", false},
+	}
+	for _, v := range cases {
+		if out, err := CanonicalTarNameForPath(v.in); err != nil && !v.shouldFail {
+			t.Fatalf("cannot get canonical name for path: %s: %v", v.in, err)
+		} else if v.shouldFail && err == nil {
+			t.Fatalf("canonical path call should have failed with error. in=%s out=%s", v.in, out)
+		} else if !v.shouldFail && out != v.expected {
+			t.Fatalf("wrong canonical tar name. expected:%s got:%s", v.expected, out)
+		}
+	}
+}
+
+func TestCanonicalTarName(t *testing.T) {
+	cases := []struct {
+		in       string
+		isDir    bool
+		expected string
+	}{
+		{"foo", false, "foo"},
+		{"foo", true, "foo/"},
+		{`foo\bar`, false, "foo/bar"},
+		{`foo\bar`, true, "foo/bar/"},
+	}
+	for _, v := range cases {
+		if out, err := canonicalTarName(v.in, v.isDir); err != nil {
+			t.Fatalf("cannot get canonical name for path: %s: %v", v.in, err)
+		} else if out != v.expected {
+			t.Fatalf("wrong canonical tar name. expected:%s got:%s", v.expected, out)
+		}
+	}
+}
+
+func TestChmodTarEntry(t *testing.T) {
+	cases := []struct {
+		in, expected os.FileMode
+	}{
+		{0000, 0111},
+		{0777, 0755},
+		{0644, 0755},
+		{0755, 0755},
+		{0444, 0555},
+		{0755 | os.ModeDir, 0755 | os.ModeDir},
+		{0755 | os.ModeSymlink, 0755 | os.ModeSymlink},
+	}
+	for _, v := range cases {
+		if out := chmodTarEntry(v.in); out != v.expected {
+			t.Fatalf("wrong chmod. expected:%v got:%v", v.expected, out)
+		}
+	}
+}
diff --git a/engine/pkg/archive/changes.go b/engine/pkg/archive/changes.go
new file mode 100644
index 00000000..43734db5
--- /dev/null
+++ b/engine/pkg/archive/changes.go
@@ -0,0 +1,441 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/pools"
+	"github.com/docker/docker/pkg/system"
+	"github.com/sirupsen/logrus"
+)
+
+// ChangeType represents the change type.
+type ChangeType int
+
+const (
+	// ChangeModify represents the modify operation.
+	ChangeModify = iota
+	// ChangeAdd represents the add operation.
+	ChangeAdd
+	// ChangeDelete represents the delete operation.
+	ChangeDelete
+)
+
+func (c ChangeType) String() string {
+	switch c {
+	case ChangeModify:
+		return "C"
+	case ChangeAdd:
+		return "A"
+	case ChangeDelete:
+		return "D"
+	}
+	return ""
+}
+
+// Change represents a change, it wraps the change type and path.
+// It describes changes of the files in the path respect to the
+// parent layers. The change could be modify, add, delete.
+// This is used for layer diff.
+type Change struct {
+	Path string
+	Kind ChangeType
+}
+
+func (change *Change) String() string {
+	return fmt.Sprintf("%s %s", change.Kind, change.Path)
+}
+
+// for sort.Sort
+type changesByPath []Change
+
+func (c changesByPath) Less(i, j int) bool { return c[i].Path < c[j].Path }
+func (c changesByPath) Len() int           { return len(c) }
+func (c changesByPath) Swap(i, j int)      { c[j], c[i] = c[i], c[j] }
+
+// Gnu tar and the go tar writer don't have sub-second mtime
+// precision, which is problematic when we apply changes via tar
+// files, we handle this by comparing for exact times, *or* same
+// second count and either a or b having exactly 0 nanoseconds
+func sameFsTime(a, b time.Time) bool {
+	return a == b ||
+		(a.Unix() == b.Unix() &&
+			(a.Nanosecond() == 0 || b.Nanosecond() == 0))
+}
+
+func sameFsTimeSpec(a, b syscall.Timespec) bool {
+	return a.Sec == b.Sec &&
+		(a.Nsec == b.Nsec || a.Nsec == 0 || b.Nsec == 0)
+}
+
+// Changes walks the path rw and determines changes for the files in the path,
+// with respect to the parent layers
+func Changes(layers []string, rw string) ([]Change, error) {
+	return changes(layers, rw, aufsDeletedFile, aufsMetadataSkip)
+}
+
+func aufsMetadataSkip(path string) (skip bool, err error) {
+	skip, err = filepath.Match(string(os.PathSeparator)+WhiteoutMetaPrefix+"*", path)
+	if err != nil {
+		skip = true
+	}
+	return
+}
+
+func aufsDeletedFile(root, path string, fi os.FileInfo) (string, error) {
+	f := filepath.Base(path)
+
+	// If there is a whiteout, then the file was removed
+	if strings.HasPrefix(f, WhiteoutPrefix) {
+		originalFile := f[len(WhiteoutPrefix):]
+		return filepath.Join(filepath.Dir(path), originalFile), nil
+	}
+
+	return "", nil
+}
+
+type skipChange func(string) (bool, error)
+type deleteChange func(string, string, os.FileInfo) (string, error)
+
+func changes(layers []string, rw string, dc deleteChange, sc skipChange) ([]Change, error) {
+	var (
+		changes     []Change
+		changedDirs = make(map[string]struct{})
+	)
+
+	err := filepath.Walk(rw, func(path string, f os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Rebase path
+		path, err = filepath.Rel(rw, path)
+		if err != nil {
+			return err
+		}
+
+		// As this runs on the daemon side, file paths are OS specific.
+		path = filepath.Join(string(os.PathSeparator), path)
+
+		// Skip root
+		if path == string(os.PathSeparator) {
+			return nil
+		}
+
+		if sc != nil {
+			if skip, err := sc(path); skip {
+				return err
+			}
+		}
+
+		change := Change{
+			Path: path,
+		}
+
+		deletedFile, err := dc(rw, path, f)
+		if err != nil {
+			return err
+		}
+
+		// Find out what kind of modification happened
+		if deletedFile != "" {
+			change.Path = deletedFile
+			change.Kind = ChangeDelete
+		} else {
+			// Otherwise, the file was added
+			change.Kind = ChangeAdd
+
+			// ...Unless it already existed in a top layer, in which case, it's a modification
+			for _, layer := range layers {
+				stat, err := os.Stat(filepath.Join(layer, path))
+				if err != nil && !os.IsNotExist(err) {
+					return err
+				}
+				if err == nil {
+					// The file existed in the top layer, so that's a modification
+
+					// However, if it's a directory, maybe it wasn't actually modified.
+					// If you modify /foo/bar/baz, then /foo will be part of the changed files only because it's the parent of bar
+					if stat.IsDir() && f.IsDir() {
+						if f.Size() == stat.Size() && f.Mode() == stat.Mode() && sameFsTime(f.ModTime(), stat.ModTime()) {
+							// Both directories are the same, don't record the change
+							return nil
+						}
+					}
+					change.Kind = ChangeModify
+					break
+				}
+			}
+		}
+
+		// If /foo/bar/file.txt is modified, then /foo/bar must be part of the changed files.
+		// This block is here to ensure the change is recorded even if the
+		// modify time, mode and size of the parent directory in the rw and ro layers are all equal.
+		// Check https://github.com/docker/docker/pull/13590 for details.
+		if f.IsDir() {
+			changedDirs[path] = struct{}{}
+		}
+		if change.Kind == ChangeAdd || change.Kind == ChangeDelete {
+			parent := filepath.Dir(path)
+			if _, ok := changedDirs[parent]; !ok && parent != "/" {
+				changes = append(changes, Change{Path: parent, Kind: ChangeModify})
+				changedDirs[parent] = struct{}{}
+			}
+		}
+
+		// Record change
+		changes = append(changes, change)
+		return nil
+	})
+	if err != nil && !os.IsNotExist(err) {
+		return nil, err
+	}
+	return changes, nil
+}
+
+// FileInfo describes the information of a file.
+type FileInfo struct {
+	parent     *FileInfo
+	name       string
+	stat       *system.StatT
+	children   map[string]*FileInfo
+	capability []byte
+	added      bool
+}
+
+// LookUp looks up the file information of a file.
+func (info *FileInfo) LookUp(path string) *FileInfo {
+	// As this runs on the daemon side, file paths are OS specific.
+	parent := info
+	if path == string(os.PathSeparator) {
+		return info
+	}
+
+	pathElements := strings.Split(path, string(os.PathSeparator))
+	for _, elem := range pathElements {
+		if elem != "" {
+			child := parent.children[elem]
+			if child == nil {
+				return nil
+			}
+			parent = child
+		}
+	}
+	return parent
+}
+
+func (info *FileInfo) path() string {
+	if info.parent == nil {
+		// As this runs on the daemon side, file paths are OS specific.
+		return string(os.PathSeparator)
+	}
+	return filepath.Join(info.parent.path(), info.name)
+}
+
+func (info *FileInfo) addChanges(oldInfo *FileInfo, changes *[]Change) {
+
+	sizeAtEntry := len(*changes)
+
+	if oldInfo == nil {
+		// add
+		change := Change{
+			Path: info.path(),
+			Kind: ChangeAdd,
+		}
+		*changes = append(*changes, change)
+		info.added = true
+	}
+
+	// We make a copy so we can modify it to detect additions
+	// also, we only recurse on the old dir if the new info is a directory
+	// otherwise any previous delete/change is considered recursive
+	oldChildren := make(map[string]*FileInfo)
+	if oldInfo != nil && info.isDir() {
+		for k, v := range oldInfo.children {
+			oldChildren[k] = v
+		}
+	}
+
+	for name, newChild := range info.children {
+		oldChild := oldChildren[name]
+		if oldChild != nil {
+			// change?
+			oldStat := oldChild.stat
+			newStat := newChild.stat
+			// Note: We can't compare inode or ctime or blocksize here, because these change
+			// when copying a file into a container. However, that is not generally a problem
+			// because any content change will change mtime, and any status change should
+			// be visible when actually comparing the stat fields. The only time this
+			// breaks down is if some code intentionally hides a change by setting
+			// back mtime
+			if statDifferent(oldStat, newStat) ||
+				!bytes.Equal(oldChild.capability, newChild.capability) {
+				change := Change{
+					Path: newChild.path(),
+					Kind: ChangeModify,
+				}
+				*changes = append(*changes, change)
+				newChild.added = true
+			}
+
+			// Remove from copy so we can detect deletions
+			delete(oldChildren, name)
+		}
+
+		newChild.addChanges(oldChild, changes)
+	}
+	for _, oldChild := range oldChildren {
+		// delete
+		change := Change{
+			Path: oldChild.path(),
+			Kind: ChangeDelete,
+		}
+		*changes = append(*changes, change)
+	}
+
+	// If there were changes inside this directory, we need to add it, even if the directory
+	// itself wasn't changed. This is needed to properly save and restore filesystem permissions.
+	// As this runs on the daemon side, file paths are OS specific.
+	if len(*changes) > sizeAtEntry && info.isDir() && !info.added && info.path() != string(os.PathSeparator) {
+		change := Change{
+			Path: info.path(),
+			Kind: ChangeModify,
+		}
+		// Let's insert the directory entry before the recently added entries located inside this dir
+		*changes = append(*changes, change) // just to resize the slice, will be overwritten
+		copy((*changes)[sizeAtEntry+1:], (*changes)[sizeAtEntry:])
+		(*changes)[sizeAtEntry] = change
+	}
+
+}
+
+// Changes add changes to file information.
+func (info *FileInfo) Changes(oldInfo *FileInfo) []Change {
+	var changes []Change
+
+	info.addChanges(oldInfo, &changes)
+
+	return changes
+}
+
+func newRootFileInfo() *FileInfo {
+	// As this runs on the daemon side, file paths are OS specific.
+	root := &FileInfo{
+		name:     string(os.PathSeparator),
+		children: make(map[string]*FileInfo),
+	}
+	return root
+}
+
+// ChangesDirs compares two directories and generates an array of Change objects describing the changes.
+// If oldDir is "", then all files in newDir will be Add-Changes.
+func ChangesDirs(newDir, oldDir string) ([]Change, error) {
+	var (
+		oldRoot, newRoot *FileInfo
+	)
+	if oldDir == "" {
+		emptyDir, err := ioutil.TempDir("", "empty")
+		if err != nil {
+			return nil, err
+		}
+		defer os.Remove(emptyDir)
+		oldDir = emptyDir
+	}
+	oldRoot, newRoot, err := collectFileInfoForChanges(oldDir, newDir)
+	if err != nil {
+		return nil, err
+	}
+
+	return newRoot.Changes(oldRoot), nil
+}
+
+// ChangesSize calculates the size in bytes of the provided changes, based on newDir.
+func ChangesSize(newDir string, changes []Change) int64 {
+	var (
+		size int64
+		sf   = make(map[uint64]struct{})
+	)
+	for _, change := range changes {
+		if change.Kind == ChangeModify || change.Kind == ChangeAdd {
+			file := filepath.Join(newDir, change.Path)
+			fileInfo, err := os.Lstat(file)
+			if err != nil {
+				logrus.Errorf("Can not stat %q: %s", file, err)
+				continue
+			}
+
+			if fileInfo != nil && !fileInfo.IsDir() {
+				if hasHardlinks(fileInfo) {
+					inode := getIno(fileInfo)
+					if _, ok := sf[inode]; !ok {
+						size += fileInfo.Size()
+						sf[inode] = struct{}{}
+					}
+				} else {
+					size += fileInfo.Size()
+				}
+			}
+		}
+	}
+	return size
+}
+
+// ExportChanges produces an Archive from the provided changes, relative to dir.
+func ExportChanges(dir string, changes []Change, uidMaps, gidMaps []idtools.IDMap) (io.ReadCloser, error) {
+	reader, writer := io.Pipe()
+	go func() {
+		ta := newTarAppender(idtools.NewIDMappingsFromMaps(uidMaps, gidMaps), writer, nil)
+
+		// this buffer is needed for the duration of this piped stream
+		defer pools.BufioWriter32KPool.Put(ta.Buffer)
+
+		sort.Sort(changesByPath(changes))
+
+		// In general we log errors here but ignore them because
+		// during e.g. a diff operation the container can continue
+		// mutating the filesystem and we can see transient errors
+		// from this
+		for _, change := range changes {
+			if change.Kind == ChangeDelete {
+				whiteOutDir := filepath.Dir(change.Path)
+				whiteOutBase := filepath.Base(change.Path)
+				whiteOut := filepath.Join(whiteOutDir, WhiteoutPrefix+whiteOutBase)
+				timestamp := time.Now()
+				hdr := &tar.Header{
+					Name:       whiteOut[1:],
+					Size:       0,
+					ModTime:    timestamp,
+					AccessTime: timestamp,
+					ChangeTime: timestamp,
+				}
+				if err := ta.TarWriter.WriteHeader(hdr); err != nil {
+					logrus.Debugf("Can't write whiteout header: %s", err)
+				}
+			} else {
+				path := filepath.Join(dir, change.Path)
+				if err := ta.addTarFile(path, change.Path[1:]); err != nil {
+					logrus.Debugf("Can't add file %s to tar: %s", path, err)
+				}
+			}
+		}
+
+		// Make sure to check the error on Close.
+		if err := ta.TarWriter.Close(); err != nil {
+			logrus.Debugf("Can't close layer: %s", err)
+		}
+		if err := writer.Close(); err != nil {
+			logrus.Debugf("failed close Changes writer: %s", err)
+		}
+	}()
+	return reader, nil
+}
diff --git a/engine/pkg/archive/changes_linux.go b/engine/pkg/archive/changes_linux.go
new file mode 100644
index 00000000..f8792b3d
--- /dev/null
+++ b/engine/pkg/archive/changes_linux.go
@@ -0,0 +1,286 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"syscall"
+	"unsafe"
+
+	"github.com/docker/docker/pkg/system"
+	"golang.org/x/sys/unix"
+)
+
+// walker is used to implement collectFileInfoForChanges on linux. Where this
+// method in general returns the entire contents of two directory trees, we
+// optimize some FS calls out on linux. In particular, we take advantage of the
+// fact that getdents(2) returns the inode of each file in the directory being
+// walked, which, when walking two trees in parallel to generate a list of
+// changes, can be used to prune subtrees without ever having to lstat(2) them
+// directly. Eliminating stat calls in this way can save up to seconds on large
+// images.
+type walker struct {
+	dir1  string
+	dir2  string
+	root1 *FileInfo
+	root2 *FileInfo
+}
+
+// collectFileInfoForChanges returns a complete representation of the trees
+// rooted at dir1 and dir2, with one important exception: any subtree or
+// leaf where the inode and device numbers are an exact match between dir1
+// and dir2 will be pruned from the results. This method is *only* to be used
+// to generating a list of changes between the two directories, as it does not
+// reflect the full contents.
+func collectFileInfoForChanges(dir1, dir2 string) (*FileInfo, *FileInfo, error) {
+	w := &walker{
+		dir1:  dir1,
+		dir2:  dir2,
+		root1: newRootFileInfo(),
+		root2: newRootFileInfo(),
+	}
+
+	i1, err := os.Lstat(w.dir1)
+	if err != nil {
+		return nil, nil, err
+	}
+	i2, err := os.Lstat(w.dir2)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if err := w.walk("/", i1, i2); err != nil {
+		return nil, nil, err
+	}
+
+	return w.root1, w.root2, nil
+}
+
+// Given a FileInfo, its path info, and a reference to the root of the tree
+// being constructed, register this file with the tree.
+func walkchunk(path string, fi os.FileInfo, dir string, root *FileInfo) error {
+	if fi == nil {
+		return nil
+	}
+	parent := root.LookUp(filepath.Dir(path))
+	if parent == nil {
+		return fmt.Errorf("walkchunk: Unexpectedly no parent for %s", path)
+	}
+	info := &FileInfo{
+		name:     filepath.Base(path),
+		children: make(map[string]*FileInfo),
+		parent:   parent,
+	}
+	cpath := filepath.Join(dir, path)
+	stat, err := system.FromStatT(fi.Sys().(*syscall.Stat_t))
+	if err != nil {
+		return err
+	}
+	info.stat = stat
+	info.capability, _ = system.Lgetxattr(cpath, "security.capability") // lgetxattr(2): fs access
+	parent.children[info.name] = info
+	return nil
+}
+
+// Walk a subtree rooted at the same path in both trees being iterated. For
+// example, /docker/overlay/1234/a/b/c/d and /docker/overlay/8888/a/b/c/d
+func (w *walker) walk(path string, i1, i2 os.FileInfo) (err error) {
+	// Register these nodes with the return trees, unless we're still at the
+	// (already-created) roots:
+	if path != "/" {
+		if err := walkchunk(path, i1, w.dir1, w.root1); err != nil {
+			return err
+		}
+		if err := walkchunk(path, i2, w.dir2, w.root2); err != nil {
+			return err
+		}
+	}
+
+	is1Dir := i1 != nil && i1.IsDir()
+	is2Dir := i2 != nil && i2.IsDir()
+
+	sameDevice := false
+	if i1 != nil && i2 != nil {
+		si1 := i1.Sys().(*syscall.Stat_t)
+		si2 := i2.Sys().(*syscall.Stat_t)
+		if si1.Dev == si2.Dev {
+			sameDevice = true
+		}
+	}
+
+	// If these files are both non-existent, or leaves (non-dirs), we are done.
+	if !is1Dir && !is2Dir {
+		return nil
+	}
+
+	// Fetch the names of all the files contained in both directories being walked:
+	var names1, names2 []nameIno
+	if is1Dir {
+		names1, err = readdirnames(filepath.Join(w.dir1, path)) // getdents(2): fs access
+		if err != nil {
+			return err
+		}
+	}
+	if is2Dir {
+		names2, err = readdirnames(filepath.Join(w.dir2, path)) // getdents(2): fs access
+		if err != nil {
+			return err
+		}
+	}
+
+	// We have lists of the files contained in both parallel directories, sorted
+	// in the same order. Walk them in parallel, generating a unique merged list
+	// of all items present in either or both directories.
+	var names []string
+	ix1 := 0
+	ix2 := 0
+
+	for {
+		if ix1 >= len(names1) {
+			break
+		}
+		if ix2 >= len(names2) {
+			break
+		}
+
+		ni1 := names1[ix1]
+		ni2 := names2[ix2]
+
+		switch bytes.Compare([]byte(ni1.name), []byte(ni2.name)) {
+		case -1: // ni1 < ni2 -- advance ni1
+			// we will not encounter ni1 in names2
+			names = append(names, ni1.name)
+			ix1++
+		case 0: // ni1 == ni2
+			if ni1.ino != ni2.ino || !sameDevice {
+				names = append(names, ni1.name)
+			}
+			ix1++
+			ix2++
+		case 1: // ni1 > ni2 -- advance ni2
+			// we will not encounter ni2 in names1
+			names = append(names, ni2.name)
+			ix2++
+		}
+	}
+	for ix1 < len(names1) {
+		names = append(names, names1[ix1].name)
+		ix1++
+	}
+	for ix2 < len(names2) {
+		names = append(names, names2[ix2].name)
+		ix2++
+	}
+
+	// For each of the names present in either or both of the directories being
+	// iterated, stat the name under each root, and recurse the pair of them:
+	for _, name := range names {
+		fname := filepath.Join(path, name)
+		var cInfo1, cInfo2 os.FileInfo
+		if is1Dir {
+			cInfo1, err = os.Lstat(filepath.Join(w.dir1, fname)) // lstat(2): fs access
+			if err != nil && !os.IsNotExist(err) {
+				return err
+			}
+		}
+		if is2Dir {
+			cInfo2, err = os.Lstat(filepath.Join(w.dir2, fname)) // lstat(2): fs access
+			if err != nil && !os.IsNotExist(err) {
+				return err
+			}
+		}
+		if err = w.walk(fname, cInfo1, cInfo2); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// {name,inode} pairs used to support the early-pruning logic of the walker type
+type nameIno struct {
+	name string
+	ino  uint64
+}
+
+type nameInoSlice []nameIno
+
+func (s nameInoSlice) Len() int           { return len(s) }
+func (s nameInoSlice) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+func (s nameInoSlice) Less(i, j int) bool { return s[i].name < s[j].name }
+
+// readdirnames is a hacked-apart version of the Go stdlib code, exposing inode
+// numbers further up the stack when reading directory contents. Unlike
+// os.Readdirnames, which returns a list of filenames, this function returns a
+// list of {filename,inode} pairs.
+func readdirnames(dirname string) (names []nameIno, err error) {
+	var (
+		size = 100
+		buf  = make([]byte, 4096)
+		nbuf int
+		bufp int
+		nb   int
+	)
+
+	f, err := os.Open(dirname)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	names = make([]nameIno, 0, size) // Empty with room to grow.
+	for {
+		// Refill the buffer if necessary
+		if bufp >= nbuf {
+			bufp = 0
+			nbuf, err = unix.ReadDirent(int(f.Fd()), buf) // getdents on linux
+			if nbuf < 0 {
+				nbuf = 0
+			}
+			if err != nil {
+				return nil, os.NewSyscallError("readdirent", err)
+			}
+			if nbuf <= 0 {
+				break // EOF
+			}
+		}
+
+		// Drain the buffer
+		nb, names = parseDirent(buf[bufp:nbuf], names)
+		bufp += nb
+	}
+
+	sl := nameInoSlice(names)
+	sort.Sort(sl)
+	return sl, nil
+}
+
+// parseDirent is a minor modification of unix.ParseDirent (linux version)
+// which returns {name,inode} pairs instead of just names.
+func parseDirent(buf []byte, names []nameIno) (consumed int, newnames []nameIno) {
+	origlen := len(buf)
+	for len(buf) > 0 {
+		dirent := (*unix.Dirent)(unsafe.Pointer(&buf[0]))
+		buf = buf[dirent.Reclen:]
+		if dirent.Ino == 0 { // File absent in directory.
+			continue
+		}
+		bytes := (*[10000]byte)(unsafe.Pointer(&dirent.Name[0]))
+		var name = string(bytes[0:clen(bytes[:])])
+		if name == "." || name == ".." { // Useless names
+			continue
+		}
+		names = append(names, nameIno{name, dirent.Ino})
+	}
+	return origlen - len(buf), names
+}
+
+func clen(n []byte) int {
+	for i := 0; i < len(n); i++ {
+		if n[i] == 0 {
+			return i
+		}
+	}
+	return len(n)
+}
diff --git a/engine/pkg/archive/changes_other.go b/engine/pkg/archive/changes_other.go
new file mode 100644
index 00000000..ba744741
--- /dev/null
+++ b/engine/pkg/archive/changes_other.go
@@ -0,0 +1,97 @@
+// +build !linux
+
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/docker/docker/pkg/system"
+)
+
+func collectFileInfoForChanges(oldDir, newDir string) (*FileInfo, *FileInfo, error) {
+	var (
+		oldRoot, newRoot *FileInfo
+		err1, err2       error
+		errs             = make(chan error, 2)
+	)
+	go func() {
+		oldRoot, err1 = collectFileInfo(oldDir)
+		errs <- err1
+	}()
+	go func() {
+		newRoot, err2 = collectFileInfo(newDir)
+		errs <- err2
+	}()
+
+	// block until both routines have returned
+	for i := 0; i < 2; i++ {
+		if err := <-errs; err != nil {
+			return nil, nil, err
+		}
+	}
+
+	return oldRoot, newRoot, nil
+}
+
+func collectFileInfo(sourceDir string) (*FileInfo, error) {
+	root := newRootFileInfo()
+
+	err := filepath.Walk(sourceDir, func(path string, f os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Rebase path
+		relPath, err := filepath.Rel(sourceDir, path)
+		if err != nil {
+			return err
+		}
+
+		// As this runs on the daemon side, file paths are OS specific.
+		relPath = filepath.Join(string(os.PathSeparator), relPath)
+
+		// See https://github.com/golang/go/issues/9168 - bug in filepath.Join.
+		// Temporary workaround. If the returned path starts with two backslashes,
+		// trim it down to a single backslash. Only relevant on Windows.
+		if runtime.GOOS == "windows" {
+			if strings.HasPrefix(relPath, `\\`) {
+				relPath = relPath[1:]
+			}
+		}
+
+		if relPath == string(os.PathSeparator) {
+			return nil
+		}
+
+		parent := root.LookUp(filepath.Dir(relPath))
+		if parent == nil {
+			return fmt.Errorf("collectFileInfo: Unexpectedly no parent for %s", relPath)
+		}
+
+		info := &FileInfo{
+			name:     filepath.Base(relPath),
+			children: make(map[string]*FileInfo),
+			parent:   parent,
+		}
+
+		s, err := system.Lstat(path)
+		if err != nil {
+			return err
+		}
+		info.stat = s
+
+		info.capability, _ = system.Lgetxattr(path, "security.capability")
+
+		parent.children[info.name] = info
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return root, nil
+}
diff --git a/engine/pkg/archive/changes_posix_test.go b/engine/pkg/archive/changes_posix_test.go
new file mode 100644
index 00000000..019a0250
--- /dev/null
+++ b/engine/pkg/archive/changes_posix_test.go
@@ -0,0 +1,127 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"sort"
+	"testing"
+)
+
+func TestHardLinkOrder(t *testing.T) {
+	names := []string{"file1.txt", "file2.txt", "file3.txt"}
+	msg := []byte("Hey y'all")
+
+	// Create dir
+	src, err := ioutil.TempDir("", "docker-hardlink-test-src-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(src)
+	for _, name := range names {
+		func() {
+			fh, err := os.Create(path.Join(src, name))
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer fh.Close()
+			if _, err = fh.Write(msg); err != nil {
+				t.Fatal(err)
+			}
+		}()
+	}
+	// Create dest, with changes that includes hardlinks
+	dest, err := ioutil.TempDir("", "docker-hardlink-test-dest-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	os.RemoveAll(dest) // we just want the name, at first
+	if err := copyDir(src, dest); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dest)
+	for _, name := range names {
+		for i := 0; i < 5; i++ {
+			if err := os.Link(path.Join(dest, name), path.Join(dest, fmt.Sprintf("%s.link%d", name, i))); err != nil {
+				t.Fatal(err)
+			}
+		}
+	}
+
+	// get changes
+	changes, err := ChangesDirs(dest, src)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// sort
+	sort.Sort(changesByPath(changes))
+
+	// ExportChanges
+	ar, err := ExportChanges(dest, changes, nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	hdrs, err := walkHeaders(ar)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// reverse sort
+	sort.Sort(sort.Reverse(changesByPath(changes)))
+	// ExportChanges
+	arRev, err := ExportChanges(dest, changes, nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	hdrsRev, err := walkHeaders(arRev)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// line up the two sets
+	sort.Sort(tarHeaders(hdrs))
+	sort.Sort(tarHeaders(hdrsRev))
+
+	// compare Size and LinkName
+	for i := range hdrs {
+		if hdrs[i].Name != hdrsRev[i].Name {
+			t.Errorf("headers - expected name %q; but got %q", hdrs[i].Name, hdrsRev[i].Name)
+		}
+		if hdrs[i].Size != hdrsRev[i].Size {
+			t.Errorf("headers - %q expected size %d; but got %d", hdrs[i].Name, hdrs[i].Size, hdrsRev[i].Size)
+		}
+		if hdrs[i].Typeflag != hdrsRev[i].Typeflag {
+			t.Errorf("headers - %q expected type %d; but got %d", hdrs[i].Name, hdrs[i].Typeflag, hdrsRev[i].Typeflag)
+		}
+		if hdrs[i].Linkname != hdrsRev[i].Linkname {
+			t.Errorf("headers - %q expected linkname %q; but got %q", hdrs[i].Name, hdrs[i].Linkname, hdrsRev[i].Linkname)
+		}
+	}
+
+}
+
+type tarHeaders []tar.Header
+
+func (th tarHeaders) Len() int           { return len(th) }
+func (th tarHeaders) Swap(i, j int)      { th[j], th[i] = th[i], th[j] }
+func (th tarHeaders) Less(i, j int) bool { return th[i].Name < th[j].Name }
+
+func walkHeaders(r io.Reader) ([]tar.Header, error) {
+	t := tar.NewReader(r)
+	var headers []tar.Header
+	for {
+		hdr, err := t.Next()
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return headers, err
+		}
+		headers = append(headers, *hdr)
+	}
+	return headers, nil
+}
diff --git a/engine/pkg/archive/changes_test.go b/engine/pkg/archive/changes_test.go
new file mode 100644
index 00000000..f2527cd9
--- /dev/null
+++ b/engine/pkg/archive/changes_test.go
@@ -0,0 +1,504 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path"
+	"runtime"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/system"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+func max(x, y int) int {
+	if x >= y {
+		return x
+	}
+	return y
+}
+
+func copyDir(src, dst string) error {
+	return exec.Command("cp", "-a", src, dst).Run()
+}
+
+type FileType uint32
+
+const (
+	Regular FileType = iota
+	Dir
+	Symlink
+)
+
+type FileData struct {
+	filetype    FileType
+	path        string
+	contents    string
+	permissions os.FileMode
+}
+
+func createSampleDir(t *testing.T, root string) {
+	files := []FileData{
+		{filetype: Regular, path: "file1", contents: "file1\n", permissions: 0600},
+		{filetype: Regular, path: "file2", contents: "file2\n", permissions: 0666},
+		{filetype: Regular, path: "file3", contents: "file3\n", permissions: 0404},
+		{filetype: Regular, path: "file4", contents: "file4\n", permissions: 0600},
+		{filetype: Regular, path: "file5", contents: "file5\n", permissions: 0600},
+		{filetype: Regular, path: "file6", contents: "file6\n", permissions: 0600},
+		{filetype: Regular, path: "file7", contents: "file7\n", permissions: 0600},
+		{filetype: Dir, path: "dir1", contents: "", permissions: 0740},
+		{filetype: Regular, path: "dir1/file1-1", contents: "file1-1\n", permissions: 01444},
+		{filetype: Regular, path: "dir1/file1-2", contents: "file1-2\n", permissions: 0666},
+		{filetype: Dir, path: "dir2", contents: "", permissions: 0700},
+		{filetype: Regular, path: "dir2/file2-1", contents: "file2-1\n", permissions: 0666},
+		{filetype: Regular, path: "dir2/file2-2", contents: "file2-2\n", permissions: 0666},
+		{filetype: Dir, path: "dir3", contents: "", permissions: 0700},
+		{filetype: Regular, path: "dir3/file3-1", contents: "file3-1\n", permissions: 0666},
+		{filetype: Regular, path: "dir3/file3-2", contents: "file3-2\n", permissions: 0666},
+		{filetype: Dir, path: "dir4", contents: "", permissions: 0700},
+		{filetype: Regular, path: "dir4/file3-1", contents: "file4-1\n", permissions: 0666},
+		{filetype: Regular, path: "dir4/file3-2", contents: "file4-2\n", permissions: 0666},
+		{filetype: Symlink, path: "symlink1", contents: "target1", permissions: 0666},
+		{filetype: Symlink, path: "symlink2", contents: "target2", permissions: 0666},
+		{filetype: Symlink, path: "symlink3", contents: root + "/file1", permissions: 0666},
+		{filetype: Symlink, path: "symlink4", contents: root + "/symlink3", permissions: 0666},
+		{filetype: Symlink, path: "dirSymlink", contents: root + "/dir1", permissions: 0740},
+	}
+	provisionSampleDir(t, root, files)
+}
+
+func provisionSampleDir(t *testing.T, root string, files []FileData) {
+	now := time.Now()
+	for _, info := range files {
+		p := path.Join(root, info.path)
+		if info.filetype == Dir {
+			err := os.MkdirAll(p, info.permissions)
+			assert.NilError(t, err)
+		} else if info.filetype == Regular {
+			err := ioutil.WriteFile(p, []byte(info.contents), info.permissions)
+			assert.NilError(t, err)
+		} else if info.filetype == Symlink {
+			err := os.Symlink(info.contents, p)
+			assert.NilError(t, err)
+		}
+
+		if info.filetype != Symlink {
+			// Set a consistent ctime, atime for all files and dirs
+			err := system.Chtimes(p, now, now)
+			assert.NilError(t, err)
+		}
+	}
+}
+
+func TestChangeString(t *testing.T) {
+	modifyChange := Change{"change", ChangeModify}
+	toString := modifyChange.String()
+	if toString != "C change" {
+		t.Fatalf("String() of a change with ChangeModify Kind should have been %s but was %s", "C change", toString)
+	}
+	addChange := Change{"change", ChangeAdd}
+	toString = addChange.String()
+	if toString != "A change" {
+		t.Fatalf("String() of a change with ChangeAdd Kind should have been %s but was %s", "A change", toString)
+	}
+	deleteChange := Change{"change", ChangeDelete}
+	toString = deleteChange.String()
+	if toString != "D change" {
+		t.Fatalf("String() of a change with ChangeDelete Kind should have been %s but was %s", "D change", toString)
+	}
+}
+
+func TestChangesWithNoChanges(t *testing.T) {
+	// TODO Windows. There may be a way of running this, but turning off for now
+	// as createSampleDir uses symlinks.
+	if runtime.GOOS == "windows" {
+		t.Skip("symlinks on Windows")
+	}
+	rwLayer, err := ioutil.TempDir("", "docker-changes-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(rwLayer)
+	layer, err := ioutil.TempDir("", "docker-changes-test-layer")
+	assert.NilError(t, err)
+	defer os.RemoveAll(layer)
+	createSampleDir(t, layer)
+	changes, err := Changes([]string{layer}, rwLayer)
+	assert.NilError(t, err)
+	if len(changes) != 0 {
+		t.Fatalf("Changes with no difference should have detect no changes, but detected %d", len(changes))
+	}
+}
+
+func TestChangesWithChanges(t *testing.T) {
+	// TODO Windows. There may be a way of running this, but turning off for now
+	// as createSampleDir uses symlinks.
+	if runtime.GOOS == "windows" {
+		t.Skip("symlinks on Windows")
+	}
+	// Mock the readonly layer
+	layer, err := ioutil.TempDir("", "docker-changes-test-layer")
+	assert.NilError(t, err)
+	defer os.RemoveAll(layer)
+	createSampleDir(t, layer)
+	os.MkdirAll(path.Join(layer, "dir1/subfolder"), 0740)
+
+	// Mock the RW layer
+	rwLayer, err := ioutil.TempDir("", "docker-changes-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(rwLayer)
+
+	// Create a folder in RW layer
+	dir1 := path.Join(rwLayer, "dir1")
+	os.MkdirAll(dir1, 0740)
+	deletedFile := path.Join(dir1, ".wh.file1-2")
+	ioutil.WriteFile(deletedFile, []byte{}, 0600)
+	modifiedFile := path.Join(dir1, "file1-1")
+	ioutil.WriteFile(modifiedFile, []byte{0x00}, 01444)
+	// Let's add a subfolder for a newFile
+	subfolder := path.Join(dir1, "subfolder")
+	os.MkdirAll(subfolder, 0740)
+	newFile := path.Join(subfolder, "newFile")
+	ioutil.WriteFile(newFile, []byte{}, 0740)
+
+	changes, err := Changes([]string{layer}, rwLayer)
+	assert.NilError(t, err)
+
+	expectedChanges := []Change{
+		{"/dir1", ChangeModify},
+		{"/dir1/file1-1", ChangeModify},
+		{"/dir1/file1-2", ChangeDelete},
+		{"/dir1/subfolder", ChangeModify},
+		{"/dir1/subfolder/newFile", ChangeAdd},
+	}
+	checkChanges(expectedChanges, changes, t)
+}
+
+// See https://github.com/docker/docker/pull/13590
+func TestChangesWithChangesGH13590(t *testing.T) {
+	// TODO Windows. There may be a way of running this, but turning off for now
+	// as createSampleDir uses symlinks.
+	if runtime.GOOS == "windows" {
+		t.Skip("symlinks on Windows")
+	}
+	baseLayer, err := ioutil.TempDir("", "docker-changes-test.")
+	assert.NilError(t, err)
+	defer os.RemoveAll(baseLayer)
+
+	dir3 := path.Join(baseLayer, "dir1/dir2/dir3")
+	os.MkdirAll(dir3, 07400)
+
+	file := path.Join(dir3, "file.txt")
+	ioutil.WriteFile(file, []byte("hello"), 0666)
+
+	layer, err := ioutil.TempDir("", "docker-changes-test2.")
+	assert.NilError(t, err)
+	defer os.RemoveAll(layer)
+
+	// Test creating a new file
+	if err := copyDir(baseLayer+"/dir1", layer+"/"); err != nil {
+		t.Fatalf("Cmd failed: %q", err)
+	}
+
+	os.Remove(path.Join(layer, "dir1/dir2/dir3/file.txt"))
+	file = path.Join(layer, "dir1/dir2/dir3/file1.txt")
+	ioutil.WriteFile(file, []byte("bye"), 0666)
+
+	changes, err := Changes([]string{baseLayer}, layer)
+	assert.NilError(t, err)
+
+	expectedChanges := []Change{
+		{"/dir1/dir2/dir3", ChangeModify},
+		{"/dir1/dir2/dir3/file1.txt", ChangeAdd},
+	}
+	checkChanges(expectedChanges, changes, t)
+
+	// Now test changing a file
+	layer, err = ioutil.TempDir("", "docker-changes-test3.")
+	assert.NilError(t, err)
+	defer os.RemoveAll(layer)
+
+	if err := copyDir(baseLayer+"/dir1", layer+"/"); err != nil {
+		t.Fatalf("Cmd failed: %q", err)
+	}
+
+	file = path.Join(layer, "dir1/dir2/dir3/file.txt")
+	ioutil.WriteFile(file, []byte("bye"), 0666)
+
+	changes, err = Changes([]string{baseLayer}, layer)
+	assert.NilError(t, err)
+
+	expectedChanges = []Change{
+		{"/dir1/dir2/dir3/file.txt", ChangeModify},
+	}
+	checkChanges(expectedChanges, changes, t)
+}
+
+// Create a directory, copy it, make sure we report no changes between the two
+func TestChangesDirsEmpty(t *testing.T) {
+	// TODO Windows. There may be a way of running this, but turning off for now
+	// as createSampleDir uses symlinks.
+	if runtime.GOOS == "windows" {
+		t.Skip("symlinks on Windows")
+	}
+	src, err := ioutil.TempDir("", "docker-changes-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(src)
+	createSampleDir(t, src)
+	dst := src + "-copy"
+	err = copyDir(src, dst)
+	assert.NilError(t, err)
+	defer os.RemoveAll(dst)
+	changes, err := ChangesDirs(dst, src)
+	assert.NilError(t, err)
+
+	if len(changes) != 0 {
+		t.Fatalf("Reported changes for identical dirs: %v", changes)
+	}
+	os.RemoveAll(src)
+	os.RemoveAll(dst)
+}
+
+func mutateSampleDir(t *testing.T, root string) {
+	// Remove a regular file
+	err := os.RemoveAll(path.Join(root, "file1"))
+	assert.NilError(t, err)
+
+	// Remove a directory
+	err = os.RemoveAll(path.Join(root, "dir1"))
+	assert.NilError(t, err)
+
+	// Remove a symlink
+	err = os.RemoveAll(path.Join(root, "symlink1"))
+	assert.NilError(t, err)
+
+	// Rewrite a file
+	err = ioutil.WriteFile(path.Join(root, "file2"), []byte("fileNN\n"), 0777)
+	assert.NilError(t, err)
+
+	// Replace a file
+	err = os.RemoveAll(path.Join(root, "file3"))
+	assert.NilError(t, err)
+	err = ioutil.WriteFile(path.Join(root, "file3"), []byte("fileMM\n"), 0404)
+	assert.NilError(t, err)
+
+	// Touch file
+	err = system.Chtimes(path.Join(root, "file4"), time.Now().Add(time.Second), time.Now().Add(time.Second))
+	assert.NilError(t, err)
+
+	// Replace file with dir
+	err = os.RemoveAll(path.Join(root, "file5"))
+	assert.NilError(t, err)
+	err = os.MkdirAll(path.Join(root, "file5"), 0666)
+	assert.NilError(t, err)
+
+	// Create new file
+	err = ioutil.WriteFile(path.Join(root, "filenew"), []byte("filenew\n"), 0777)
+	assert.NilError(t, err)
+
+	// Create new dir
+	err = os.MkdirAll(path.Join(root, "dirnew"), 0766)
+	assert.NilError(t, err)
+
+	// Create a new symlink
+	err = os.Symlink("targetnew", path.Join(root, "symlinknew"))
+	assert.NilError(t, err)
+
+	// Change a symlink
+	err = os.RemoveAll(path.Join(root, "symlink2"))
+	assert.NilError(t, err)
+
+	err = os.Symlink("target2change", path.Join(root, "symlink2"))
+	assert.NilError(t, err)
+
+	// Replace dir with file
+	err = os.RemoveAll(path.Join(root, "dir2"))
+	assert.NilError(t, err)
+	err = ioutil.WriteFile(path.Join(root, "dir2"), []byte("dir2\n"), 0777)
+	assert.NilError(t, err)
+
+	// Touch dir
+	err = system.Chtimes(path.Join(root, "dir3"), time.Now().Add(time.Second), time.Now().Add(time.Second))
+	assert.NilError(t, err)
+}
+
+func TestChangesDirsMutated(t *testing.T) {
+	// TODO Windows. There may be a way of running this, but turning off for now
+	// as createSampleDir uses symlinks.
+	if runtime.GOOS == "windows" {
+		t.Skip("symlinks on Windows")
+	}
+	src, err := ioutil.TempDir("", "docker-changes-test")
+	assert.NilError(t, err)
+	createSampleDir(t, src)
+	dst := src + "-copy"
+	err = copyDir(src, dst)
+	assert.NilError(t, err)
+	defer os.RemoveAll(src)
+	defer os.RemoveAll(dst)
+
+	mutateSampleDir(t, dst)
+
+	changes, err := ChangesDirs(dst, src)
+	assert.NilError(t, err)
+
+	sort.Sort(changesByPath(changes))
+
+	expectedChanges := []Change{
+		{"/dir1", ChangeDelete},
+		{"/dir2", ChangeModify},
+		{"/dirnew", ChangeAdd},
+		{"/file1", ChangeDelete},
+		{"/file2", ChangeModify},
+		{"/file3", ChangeModify},
+		{"/file4", ChangeModify},
+		{"/file5", ChangeModify},
+		{"/filenew", ChangeAdd},
+		{"/symlink1", ChangeDelete},
+		{"/symlink2", ChangeModify},
+		{"/symlinknew", ChangeAdd},
+	}
+
+	for i := 0; i < max(len(changes), len(expectedChanges)); i++ {
+		if i >= len(expectedChanges) {
+			t.Fatalf("unexpected change %s\n", changes[i].String())
+		}
+		if i >= len(changes) {
+			t.Fatalf("no change for expected change %s\n", expectedChanges[i].String())
+		}
+		if changes[i].Path == expectedChanges[i].Path {
+			if changes[i] != expectedChanges[i] {
+				t.Fatalf("Wrong change for %s, expected %s, got %s\n", changes[i].Path, changes[i].String(), expectedChanges[i].String())
+			}
+		} else if changes[i].Path < expectedChanges[i].Path {
+			t.Fatalf("unexpected change %s\n", changes[i].String())
+		} else {
+			t.Fatalf("no change for expected change %s != %s\n", expectedChanges[i].String(), changes[i].String())
+		}
+	}
+}
+
+func TestApplyLayer(t *testing.T) {
+	// TODO Windows. There may be a way of running this, but turning off for now
+	// as createSampleDir uses symlinks.
+	if runtime.GOOS == "windows" {
+		t.Skip("symlinks on Windows")
+	}
+	src, err := ioutil.TempDir("", "docker-changes-test")
+	assert.NilError(t, err)
+	createSampleDir(t, src)
+	defer os.RemoveAll(src)
+	dst := src + "-copy"
+	err = copyDir(src, dst)
+	assert.NilError(t, err)
+	mutateSampleDir(t, dst)
+	defer os.RemoveAll(dst)
+
+	changes, err := ChangesDirs(dst, src)
+	assert.NilError(t, err)
+
+	layer, err := ExportChanges(dst, changes, nil, nil)
+	assert.NilError(t, err)
+
+	layerCopy, err := NewTempArchive(layer, "")
+	assert.NilError(t, err)
+
+	_, err = ApplyLayer(src, layerCopy)
+	assert.NilError(t, err)
+
+	changes2, err := ChangesDirs(src, dst)
+	assert.NilError(t, err)
+
+	if len(changes2) != 0 {
+		t.Fatalf("Unexpected differences after reapplying mutation: %v", changes2)
+	}
+}
+
+func TestChangesSizeWithHardlinks(t *testing.T) {
+	// TODO Windows. There may be a way of running this, but turning off for now
+	// as createSampleDir uses symlinks.
+	if runtime.GOOS == "windows" {
+		t.Skip("hardlinks on Windows")
+	}
+	srcDir, err := ioutil.TempDir("", "docker-test-srcDir")
+	assert.NilError(t, err)
+	defer os.RemoveAll(srcDir)
+
+	destDir, err := ioutil.TempDir("", "docker-test-destDir")
+	assert.NilError(t, err)
+	defer os.RemoveAll(destDir)
+
+	creationSize, err := prepareUntarSourceDirectory(100, destDir, true)
+	assert.NilError(t, err)
+
+	changes, err := ChangesDirs(destDir, srcDir)
+	assert.NilError(t, err)
+
+	got := ChangesSize(destDir, changes)
+	if got != int64(creationSize) {
+		t.Errorf("Expected %d bytes of changes, got %d", creationSize, got)
+	}
+}
+
+func TestChangesSizeWithNoChanges(t *testing.T) {
+	size := ChangesSize("/tmp", nil)
+	if size != 0 {
+		t.Fatalf("ChangesSizes with no changes should be 0, was %d", size)
+	}
+}
+
+func TestChangesSizeWithOnlyDeleteChanges(t *testing.T) {
+	changes := []Change{
+		{Path: "deletedPath", Kind: ChangeDelete},
+	}
+	size := ChangesSize("/tmp", changes)
+	if size != 0 {
+		t.Fatalf("ChangesSizes with only delete changes should be 0, was %d", size)
+	}
+}
+
+func TestChangesSize(t *testing.T) {
+	parentPath, err := ioutil.TempDir("", "docker-changes-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(parentPath)
+	addition := path.Join(parentPath, "addition")
+	err = ioutil.WriteFile(addition, []byte{0x01, 0x01, 0x01}, 0744)
+	assert.NilError(t, err)
+	modification := path.Join(parentPath, "modification")
+	err = ioutil.WriteFile(modification, []byte{0x01, 0x01, 0x01}, 0744)
+	assert.NilError(t, err)
+
+	changes := []Change{
+		{Path: "addition", Kind: ChangeAdd},
+		{Path: "modification", Kind: ChangeModify},
+	}
+	size := ChangesSize(parentPath, changes)
+	if size != 6 {
+		t.Fatalf("Expected 6 bytes of changes, got %d", size)
+	}
+}
+
+func checkChanges(expectedChanges, changes []Change, t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	sort.Sort(changesByPath(expectedChanges))
+	sort.Sort(changesByPath(changes))
+	for i := 0; i < max(len(changes), len(expectedChanges)); i++ {
+		if i >= len(expectedChanges) {
+			t.Fatalf("unexpected change %s\n", changes[i].String())
+		}
+		if i >= len(changes) {
+			t.Fatalf("no change for expected change %s\n", expectedChanges[i].String())
+		}
+		if changes[i].Path == expectedChanges[i].Path {
+			if changes[i] != expectedChanges[i] {
+				t.Fatalf("Wrong change for %s, expected %s, got %s\n", changes[i].Path, changes[i].String(), expectedChanges[i].String())
+			}
+		} else if changes[i].Path < expectedChanges[i].Path {
+			t.Fatalf("unexpected change %s\n", changes[i].String())
+		} else {
+			t.Fatalf("no change for expected change %s != %s\n", expectedChanges[i].String(), changes[i].String())
+		}
+	}
+}
diff --git a/engine/pkg/archive/changes_unix.go b/engine/pkg/archive/changes_unix.go
new file mode 100644
index 00000000..c06a209d
--- /dev/null
+++ b/engine/pkg/archive/changes_unix.go
@@ -0,0 +1,37 @@
+// +build !windows
+
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/docker/docker/pkg/system"
+	"golang.org/x/sys/unix"
+)
+
+func statDifferent(oldStat *system.StatT, newStat *system.StatT) bool {
+	// Don't look at size for dirs, its not a good measure of change
+	if oldStat.Mode() != newStat.Mode() ||
+		oldStat.UID() != newStat.UID() ||
+		oldStat.GID() != newStat.GID() ||
+		oldStat.Rdev() != newStat.Rdev() ||
+		// Don't look at size for dirs, its not a good measure of change
+		(oldStat.Mode()&unix.S_IFDIR != unix.S_IFDIR &&
+			(!sameFsTimeSpec(oldStat.Mtim(), newStat.Mtim()) || (oldStat.Size() != newStat.Size()))) {
+		return true
+	}
+	return false
+}
+
+func (info *FileInfo) isDir() bool {
+	return info.parent == nil || info.stat.Mode()&unix.S_IFDIR != 0
+}
+
+func getIno(fi os.FileInfo) uint64 {
+	return fi.Sys().(*syscall.Stat_t).Ino
+}
+
+func hasHardlinks(fi os.FileInfo) bool {
+	return fi.Sys().(*syscall.Stat_t).Nlink > 1
+}
diff --git a/engine/pkg/archive/changes_windows.go b/engine/pkg/archive/changes_windows.go
new file mode 100644
index 00000000..6555c013
--- /dev/null
+++ b/engine/pkg/archive/changes_windows.go
@@ -0,0 +1,30 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"os"
+
+	"github.com/docker/docker/pkg/system"
+)
+
+func statDifferent(oldStat *system.StatT, newStat *system.StatT) bool {
+
+	// Don't look at size for dirs, its not a good measure of change
+	if oldStat.Mtim() != newStat.Mtim() ||
+		oldStat.Mode() != newStat.Mode() ||
+		oldStat.Size() != newStat.Size() && !oldStat.Mode().IsDir() {
+		return true
+	}
+	return false
+}
+
+func (info *FileInfo) isDir() bool {
+	return info.parent == nil || info.stat.Mode().IsDir()
+}
+
+func getIno(fi os.FileInfo) (inode uint64) {
+	return
+}
+
+func hasHardlinks(fi os.FileInfo) bool {
+	return false
+}
diff --git a/engine/pkg/archive/copy.go b/engine/pkg/archive/copy.go
new file mode 100644
index 00000000..d0f13ca7
--- /dev/null
+++ b/engine/pkg/archive/copy.go
@@ -0,0 +1,472 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"errors"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/system"
+	"github.com/sirupsen/logrus"
+)
+
+// Errors used or returned by this file.
+var (
+	ErrNotDirectory      = errors.New("not a directory")
+	ErrDirNotExists      = errors.New("no such directory")
+	ErrCannotCopyDir     = errors.New("cannot copy directory")
+	ErrInvalidCopySource = errors.New("invalid copy source content")
+)
+
+// PreserveTrailingDotOrSeparator returns the given cleaned path (after
+// processing using any utility functions from the path or filepath stdlib
+// packages) and appends a trailing `/.` or `/` if its corresponding  original
+// path (from before being processed by utility functions from the path or
+// filepath stdlib packages) ends with a trailing `/.` or `/`. If the cleaned
+// path already ends in a `.` path segment, then another is not added. If the
+// clean path already ends in the separator, then another is not added.
+func PreserveTrailingDotOrSeparator(cleanedPath string, originalPath string, sep byte) string {
+	// Ensure paths are in platform semantics
+	cleanedPath = strings.Replace(cleanedPath, "/", string(sep), -1)
+	originalPath = strings.Replace(originalPath, "/", string(sep), -1)
+
+	if !specifiesCurrentDir(cleanedPath) && specifiesCurrentDir(originalPath) {
+		if !hasTrailingPathSeparator(cleanedPath, sep) {
+			// Add a separator if it doesn't already end with one (a cleaned
+			// path would only end in a separator if it is the root).
+			cleanedPath += string(sep)
+		}
+		cleanedPath += "."
+	}
+
+	if !hasTrailingPathSeparator(cleanedPath, sep) && hasTrailingPathSeparator(originalPath, sep) {
+		cleanedPath += string(sep)
+	}
+
+	return cleanedPath
+}
+
+// assertsDirectory returns whether the given path is
+// asserted to be a directory, i.e., the path ends with
+// a trailing '/' or `/.`, assuming a path separator of `/`.
+func assertsDirectory(path string, sep byte) bool {
+	return hasTrailingPathSeparator(path, sep) || specifiesCurrentDir(path)
+}
+
+// hasTrailingPathSeparator returns whether the given
+// path ends with the system's path separator character.
+func hasTrailingPathSeparator(path string, sep byte) bool {
+	return len(path) > 0 && path[len(path)-1] == sep
+}
+
+// specifiesCurrentDir returns whether the given path specifies
+// a "current directory", i.e., the last path segment is `.`.
+func specifiesCurrentDir(path string) bool {
+	return filepath.Base(path) == "."
+}
+
+// SplitPathDirEntry splits the given path between its directory name and its
+// basename by first cleaning the path but preserves a trailing "." if the
+// original path specified the current directory.
+func SplitPathDirEntry(path string) (dir, base string) {
+	cleanedPath := filepath.Clean(filepath.FromSlash(path))
+
+	if specifiesCurrentDir(path) {
+		cleanedPath += string(os.PathSeparator) + "."
+	}
+
+	return filepath.Dir(cleanedPath), filepath.Base(cleanedPath)
+}
+
+// TarResource archives the resource described by the given CopyInfo to a Tar
+// archive. A non-nil error is returned if sourcePath does not exist or is
+// asserted to be a directory but exists as another type of file.
+//
+// This function acts as a convenient wrapper around TarWithOptions, which
+// requires a directory as the source path. TarResource accepts either a
+// directory or a file path and correctly sets the Tar options.
+func TarResource(sourceInfo CopyInfo) (content io.ReadCloser, err error) {
+	return TarResourceRebase(sourceInfo.Path, sourceInfo.RebaseName)
+}
+
+// TarResourceRebase is like TarResource but renames the first path element of
+// items in the resulting tar archive to match the given rebaseName if not "".
+func TarResourceRebase(sourcePath, rebaseName string) (content io.ReadCloser, err error) {
+	sourcePath = normalizePath(sourcePath)
+	if _, err = os.Lstat(sourcePath); err != nil {
+		// Catches the case where the source does not exist or is not a
+		// directory if asserted to be a directory, as this also causes an
+		// error.
+		return
+	}
+
+	// Separate the source path between its directory and
+	// the entry in that directory which we are archiving.
+	sourceDir, sourceBase := SplitPathDirEntry(sourcePath)
+	opts := TarResourceRebaseOpts(sourceBase, rebaseName)
+
+	logrus.Debugf("copying %q from %q", sourceBase, sourceDir)
+	return TarWithOptions(sourceDir, opts)
+}
+
+// TarResourceRebaseOpts does not preform the Tar, but instead just creates the rebase
+// parameters to be sent to TarWithOptions (the TarOptions struct)
+func TarResourceRebaseOpts(sourceBase string, rebaseName string) *TarOptions {
+	filter := []string{sourceBase}
+	return &TarOptions{
+		Compression:      Uncompressed,
+		IncludeFiles:     filter,
+		IncludeSourceDir: true,
+		RebaseNames: map[string]string{
+			sourceBase: rebaseName,
+		},
+	}
+}
+
+// CopyInfo holds basic info about the source
+// or destination path of a copy operation.
+type CopyInfo struct {
+	Path       string
+	Exists     bool
+	IsDir      bool
+	RebaseName string
+}
+
+// CopyInfoSourcePath stats the given path to create a CopyInfo
+// struct representing that resource for the source of an archive copy
+// operation. The given path should be an absolute local path. A source path
+// has all symlinks evaluated that appear before the last path separator ("/"
+// on Unix). As it is to be a copy source, the path must exist.
+func CopyInfoSourcePath(path string, followLink bool) (CopyInfo, error) {
+	// normalize the file path and then evaluate the symbol link
+	// we will use the target file instead of the symbol link if
+	// followLink is set
+	path = normalizePath(path)
+
+	resolvedPath, rebaseName, err := ResolveHostSourcePath(path, followLink)
+	if err != nil {
+		return CopyInfo{}, err
+	}
+
+	stat, err := os.Lstat(resolvedPath)
+	if err != nil {
+		return CopyInfo{}, err
+	}
+
+	return CopyInfo{
+		Path:       resolvedPath,
+		Exists:     true,
+		IsDir:      stat.IsDir(),
+		RebaseName: rebaseName,
+	}, nil
+}
+
+// CopyInfoDestinationPath stats the given path to create a CopyInfo
+// struct representing that resource for the destination of an archive copy
+// operation. The given path should be an absolute local path.
+func CopyInfoDestinationPath(path string) (info CopyInfo, err error) {
+	maxSymlinkIter := 10 // filepath.EvalSymlinks uses 255, but 10 already seems like a lot.
+	path = normalizePath(path)
+	originalPath := path
+
+	stat, err := os.Lstat(path)
+
+	if err == nil && stat.Mode()&os.ModeSymlink == 0 {
+		// The path exists and is not a symlink.
+		return CopyInfo{
+			Path:   path,
+			Exists: true,
+			IsDir:  stat.IsDir(),
+		}, nil
+	}
+
+	// While the path is a symlink.
+	for n := 0; err == nil && stat.Mode()&os.ModeSymlink != 0; n++ {
+		if n > maxSymlinkIter {
+			// Don't follow symlinks more than this arbitrary number of times.
+			return CopyInfo{}, errors.New("too many symlinks in " + originalPath)
+		}
+
+		// The path is a symbolic link. We need to evaluate it so that the
+		// destination of the copy operation is the link target and not the
+		// link itself. This is notably different than CopyInfoSourcePath which
+		// only evaluates symlinks before the last appearing path separator.
+		// Also note that it is okay if the last path element is a broken
+		// symlink as the copy operation should create the target.
+		var linkTarget string
+
+		linkTarget, err = os.Readlink(path)
+		if err != nil {
+			return CopyInfo{}, err
+		}
+
+		if !system.IsAbs(linkTarget) {
+			// Join with the parent directory.
+			dstParent, _ := SplitPathDirEntry(path)
+			linkTarget = filepath.Join(dstParent, linkTarget)
+		}
+
+		path = linkTarget
+		stat, err = os.Lstat(path)
+	}
+
+	if err != nil {
+		// It's okay if the destination path doesn't exist. We can still
+		// continue the copy operation if the parent directory exists.
+		if !os.IsNotExist(err) {
+			return CopyInfo{}, err
+		}
+
+		// Ensure destination parent dir exists.
+		dstParent, _ := SplitPathDirEntry(path)
+
+		parentDirStat, err := os.Stat(dstParent)
+		if err != nil {
+			return CopyInfo{}, err
+		}
+		if !parentDirStat.IsDir() {
+			return CopyInfo{}, ErrNotDirectory
+		}
+
+		return CopyInfo{Path: path}, nil
+	}
+
+	// The path exists after resolving symlinks.
+	return CopyInfo{
+		Path:   path,
+		Exists: true,
+		IsDir:  stat.IsDir(),
+	}, nil
+}
+
+// PrepareArchiveCopy prepares the given srcContent archive, which should
+// contain the archived resource described by srcInfo, to the destination
+// described by dstInfo. Returns the possibly modified content archive along
+// with the path to the destination directory which it should be extracted to.
+func PrepareArchiveCopy(srcContent io.Reader, srcInfo, dstInfo CopyInfo) (dstDir string, content io.ReadCloser, err error) {
+	// Ensure in platform semantics
+	srcInfo.Path = normalizePath(srcInfo.Path)
+	dstInfo.Path = normalizePath(dstInfo.Path)
+
+	// Separate the destination path between its directory and base
+	// components in case the source archive contents need to be rebased.
+	dstDir, dstBase := SplitPathDirEntry(dstInfo.Path)
+	_, srcBase := SplitPathDirEntry(srcInfo.Path)
+
+	switch {
+	case dstInfo.Exists && dstInfo.IsDir:
+		// The destination exists as a directory. No alteration
+		// to srcContent is needed as its contents can be
+		// simply extracted to the destination directory.
+		return dstInfo.Path, ioutil.NopCloser(srcContent), nil
+	case dstInfo.Exists && srcInfo.IsDir:
+		// The destination exists as some type of file and the source
+		// content is a directory. This is an error condition since
+		// you cannot copy a directory to an existing file location.
+		return "", nil, ErrCannotCopyDir
+	case dstInfo.Exists:
+		// The destination exists as some type of file and the source content
+		// is also a file. The source content entry will have to be renamed to
+		// have a basename which matches the destination path's basename.
+		if len(srcInfo.RebaseName) != 0 {
+			srcBase = srcInfo.RebaseName
+		}
+		return dstDir, RebaseArchiveEntries(srcContent, srcBase, dstBase), nil
+	case srcInfo.IsDir:
+		// The destination does not exist and the source content is an archive
+		// of a directory. The archive should be extracted to the parent of
+		// the destination path instead, and when it is, the directory that is
+		// created as a result should take the name of the destination path.
+		// The source content entries will have to be renamed to have a
+		// basename which matches the destination path's basename.
+		if len(srcInfo.RebaseName) != 0 {
+			srcBase = srcInfo.RebaseName
+		}
+		return dstDir, RebaseArchiveEntries(srcContent, srcBase, dstBase), nil
+	case assertsDirectory(dstInfo.Path, os.PathSeparator):
+		// The destination does not exist and is asserted to be created as a
+		// directory, but the source content is not a directory. This is an
+		// error condition since you cannot create a directory from a file
+		// source.
+		return "", nil, ErrDirNotExists
+	default:
+		// The last remaining case is when the destination does not exist, is
+		// not asserted to be a directory, and the source content is not an
+		// archive of a directory. It this case, the destination file will need
+		// to be created when the archive is extracted and the source content
+		// entry will have to be renamed to have a basename which matches the
+		// destination path's basename.
+		if len(srcInfo.RebaseName) != 0 {
+			srcBase = srcInfo.RebaseName
+		}
+		return dstDir, RebaseArchiveEntries(srcContent, srcBase, dstBase), nil
+	}
+
+}
+
+// RebaseArchiveEntries rewrites the given srcContent archive replacing
+// an occurrence of oldBase with newBase at the beginning of entry names.
+func RebaseArchiveEntries(srcContent io.Reader, oldBase, newBase string) io.ReadCloser {
+	if oldBase == string(os.PathSeparator) {
+		// If oldBase specifies the root directory, use an empty string as
+		// oldBase instead so that newBase doesn't replace the path separator
+		// that all paths will start with.
+		oldBase = ""
+	}
+
+	rebased, w := io.Pipe()
+
+	go func() {
+		srcTar := tar.NewReader(srcContent)
+		rebasedTar := tar.NewWriter(w)
+
+		for {
+			hdr, err := srcTar.Next()
+			if err == io.EOF {
+				// Signals end of archive.
+				rebasedTar.Close()
+				w.Close()
+				return
+			}
+			if err != nil {
+				w.CloseWithError(err)
+				return
+			}
+
+			hdr.Name = strings.Replace(hdr.Name, oldBase, newBase, 1)
+			if hdr.Typeflag == tar.TypeLink {
+				hdr.Linkname = strings.Replace(hdr.Linkname, oldBase, newBase, 1)
+			}
+
+			if err = rebasedTar.WriteHeader(hdr); err != nil {
+				w.CloseWithError(err)
+				return
+			}
+
+			if _, err = io.Copy(rebasedTar, srcTar); err != nil {
+				w.CloseWithError(err)
+				return
+			}
+		}
+	}()
+
+	return rebased
+}
+
+// TODO @gupta-ak. These might have to be changed in the future to be
+// continuity driver aware as well to support LCOW.
+
+// CopyResource performs an archive copy from the given source path to the
+// given destination path. The source path MUST exist and the destination
+// path's parent directory must exist.
+func CopyResource(srcPath, dstPath string, followLink bool) error {
+	var (
+		srcInfo CopyInfo
+		err     error
+	)
+
+	// Ensure in platform semantics
+	srcPath = normalizePath(srcPath)
+	dstPath = normalizePath(dstPath)
+
+	// Clean the source and destination paths.
+	srcPath = PreserveTrailingDotOrSeparator(filepath.Clean(srcPath), srcPath, os.PathSeparator)
+	dstPath = PreserveTrailingDotOrSeparator(filepath.Clean(dstPath), dstPath, os.PathSeparator)
+
+	if srcInfo, err = CopyInfoSourcePath(srcPath, followLink); err != nil {
+		return err
+	}
+
+	content, err := TarResource(srcInfo)
+	if err != nil {
+		return err
+	}
+	defer content.Close()
+
+	return CopyTo(content, srcInfo, dstPath)
+}
+
+// CopyTo handles extracting the given content whose
+// entries should be sourced from srcInfo to dstPath.
+func CopyTo(content io.Reader, srcInfo CopyInfo, dstPath string) error {
+	// The destination path need not exist, but CopyInfoDestinationPath will
+	// ensure that at least the parent directory exists.
+	dstInfo, err := CopyInfoDestinationPath(normalizePath(dstPath))
+	if err != nil {
+		return err
+	}
+
+	dstDir, copyArchive, err := PrepareArchiveCopy(content, srcInfo, dstInfo)
+	if err != nil {
+		return err
+	}
+	defer copyArchive.Close()
+
+	options := &TarOptions{
+		NoLchown:             true,
+		NoOverwriteDirNonDir: true,
+	}
+
+	return Untar(copyArchive, dstDir, options)
+}
+
+// ResolveHostSourcePath decides real path need to be copied with parameters such as
+// whether to follow symbol link or not, if followLink is true, resolvedPath will return
+// link target of any symbol link file, else it will only resolve symlink of directory
+// but return symbol link file itself without resolving.
+func ResolveHostSourcePath(path string, followLink bool) (resolvedPath, rebaseName string, err error) {
+	if followLink {
+		resolvedPath, err = filepath.EvalSymlinks(path)
+		if err != nil {
+			return
+		}
+
+		resolvedPath, rebaseName = GetRebaseName(path, resolvedPath)
+	} else {
+		dirPath, basePath := filepath.Split(path)
+
+		// if not follow symbol link, then resolve symbol link of parent dir
+		var resolvedDirPath string
+		resolvedDirPath, err = filepath.EvalSymlinks(dirPath)
+		if err != nil {
+			return
+		}
+		// resolvedDirPath will have been cleaned (no trailing path separators) so
+		// we can manually join it with the base path element.
+		resolvedPath = resolvedDirPath + string(filepath.Separator) + basePath
+		if hasTrailingPathSeparator(path, os.PathSeparator) &&
+			filepath.Base(path) != filepath.Base(resolvedPath) {
+			rebaseName = filepath.Base(path)
+		}
+	}
+	return resolvedPath, rebaseName, nil
+}
+
+// GetRebaseName normalizes and compares path and resolvedPath,
+// return completed resolved path and rebased file name
+func GetRebaseName(path, resolvedPath string) (string, string) {
+	// linkTarget will have been cleaned (no trailing path separators and dot) so
+	// we can manually join it with them
+	var rebaseName string
+	if specifiesCurrentDir(path) &&
+		!specifiesCurrentDir(resolvedPath) {
+		resolvedPath += string(filepath.Separator) + "."
+	}
+
+	if hasTrailingPathSeparator(path, os.PathSeparator) &&
+		!hasTrailingPathSeparator(resolvedPath, os.PathSeparator) {
+		resolvedPath += string(filepath.Separator)
+	}
+
+	if filepath.Base(path) != filepath.Base(resolvedPath) {
+		// In the case where the path had a trailing separator and a symlink
+		// evaluation has changed the last path component, we will need to
+		// rebase the name in the archive that is being copied to match the
+		// originally requested name.
+		rebaseName = filepath.Base(path)
+	}
+	return resolvedPath, rebaseName
+}
diff --git a/engine/pkg/archive/copy_unix.go b/engine/pkg/archive/copy_unix.go
new file mode 100644
index 00000000..3958364f
--- /dev/null
+++ b/engine/pkg/archive/copy_unix.go
@@ -0,0 +1,11 @@
+// +build !windows
+
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"path/filepath"
+)
+
+func normalizePath(path string) string {
+	return filepath.ToSlash(path)
+}
diff --git a/engine/pkg/archive/copy_unix_test.go b/engine/pkg/archive/copy_unix_test.go
new file mode 100644
index 00000000..739ad0e3
--- /dev/null
+++ b/engine/pkg/archive/copy_unix_test.go
@@ -0,0 +1,958 @@
+// +build !windows
+
+// TODO Windows: Some of these tests may be salvageable and portable to Windows.
+
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+func removeAllPaths(paths ...string) {
+	for _, path := range paths {
+		os.RemoveAll(path)
+	}
+}
+
+func getTestTempDirs(t *testing.T) (tmpDirA, tmpDirB string) {
+	var err error
+
+	tmpDirA, err = ioutil.TempDir("", "archive-copy-test")
+	assert.NilError(t, err)
+
+	tmpDirB, err = ioutil.TempDir("", "archive-copy-test")
+	assert.NilError(t, err)
+
+	return
+}
+
+func isNotDir(err error) bool {
+	return strings.Contains(err.Error(), "not a directory")
+}
+
+func joinTrailingSep(pathElements ...string) string {
+	joined := filepath.Join(pathElements...)
+
+	return fmt.Sprintf("%s%c", joined, filepath.Separator)
+}
+
+func fileContentsEqual(t *testing.T, filenameA, filenameB string) (err error) {
+	t.Logf("checking for equal file contents: %q and %q\n", filenameA, filenameB)
+
+	fileA, err := os.Open(filenameA)
+	if err != nil {
+		return
+	}
+	defer fileA.Close()
+
+	fileB, err := os.Open(filenameB)
+	if err != nil {
+		return
+	}
+	defer fileB.Close()
+
+	hasher := sha256.New()
+
+	if _, err = io.Copy(hasher, fileA); err != nil {
+		return
+	}
+
+	hashA := hasher.Sum(nil)
+	hasher.Reset()
+
+	if _, err = io.Copy(hasher, fileB); err != nil {
+		return
+	}
+
+	hashB := hasher.Sum(nil)
+
+	if !bytes.Equal(hashA, hashB) {
+		err = fmt.Errorf("file content hashes not equal - expected %s, got %s", hex.EncodeToString(hashA), hex.EncodeToString(hashB))
+	}
+
+	return
+}
+
+func dirContentsEqual(t *testing.T, newDir, oldDir string) (err error) {
+	t.Logf("checking for equal directory contents: %q and %q\n", newDir, oldDir)
+
+	var changes []Change
+
+	if changes, err = ChangesDirs(newDir, oldDir); err != nil {
+		return
+	}
+
+	if len(changes) != 0 {
+		err = fmt.Errorf("expected no changes between directories, but got: %v", changes)
+	}
+
+	return
+}
+
+func logDirContents(t *testing.T, dirPath string) {
+	logWalkedPaths := filepath.WalkFunc(func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			t.Errorf("stat error for path %q: %s", path, err)
+			return nil
+		}
+
+		if info.IsDir() {
+			path = joinTrailingSep(path)
+		}
+
+		t.Logf("\t%s", path)
+
+		return nil
+	})
+
+	t.Logf("logging directory contents: %q", dirPath)
+
+	err := filepath.Walk(dirPath, logWalkedPaths)
+	assert.NilError(t, err)
+}
+
+func testCopyHelper(t *testing.T, srcPath, dstPath string) (err error) {
+	t.Logf("copying from %q to %q (not follow symbol link)", srcPath, dstPath)
+
+	return CopyResource(srcPath, dstPath, false)
+}
+
+func testCopyHelperFSym(t *testing.T, srcPath, dstPath string) (err error) {
+	t.Logf("copying from %q to %q (follow symbol link)", srcPath, dstPath)
+
+	return CopyResource(srcPath, dstPath, true)
+}
+
+// Basic assumptions about SRC and DST:
+// 1. SRC must exist.
+// 2. If SRC ends with a trailing separator, it must be a directory.
+// 3. DST parent directory must exist.
+// 4. If DST exists as a file, it must not end with a trailing separator.
+
+// First get these easy error cases out of the way.
+
+// Test for error when SRC does not exist.
+func TestCopyErrSrcNotExists(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	if _, err := CopyInfoSourcePath(filepath.Join(tmpDirA, "file1"), false); !os.IsNotExist(err) {
+		t.Fatalf("expected IsNotExist error, but got %T: %s", err, err)
+	}
+}
+
+// Test for error when SRC ends in a trailing
+// path separator but it exists as a file.
+func TestCopyErrSrcNotDir(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+
+	if _, err := CopyInfoSourcePath(joinTrailingSep(tmpDirA, "file1"), false); !isNotDir(err) {
+		t.Fatalf("expected IsNotDir error, but got %T: %s", err, err)
+	}
+}
+
+// Test for error when SRC is a valid file or directory,
+// but the DST parent directory does not exist.
+func TestCopyErrDstParentNotExists(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+
+	srcInfo := CopyInfo{Path: filepath.Join(tmpDirA, "file1"), Exists: true, IsDir: false}
+
+	// Try with a file source.
+	content, err := TarResource(srcInfo)
+	if err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+	defer content.Close()
+
+	// Copy to a file whose parent does not exist.
+	if err = CopyTo(content, srcInfo, filepath.Join(tmpDirB, "fakeParentDir", "file1")); err == nil {
+		t.Fatal("expected IsNotExist error, but got nil instead")
+	}
+
+	if !os.IsNotExist(err) {
+		t.Fatalf("expected IsNotExist error, but got %T: %s", err, err)
+	}
+
+	// Try with a directory source.
+	srcInfo = CopyInfo{Path: filepath.Join(tmpDirA, "dir1"), Exists: true, IsDir: true}
+
+	content, err = TarResource(srcInfo)
+	if err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+	defer content.Close()
+
+	// Copy to a directory whose parent does not exist.
+	if err = CopyTo(content, srcInfo, joinTrailingSep(tmpDirB, "fakeParentDir", "fakeDstDir")); err == nil {
+		t.Fatal("expected IsNotExist error, but got nil instead")
+	}
+
+	if !os.IsNotExist(err) {
+		t.Fatalf("expected IsNotExist error, but got %T: %s", err, err)
+	}
+}
+
+// Test for error when DST ends in a trailing
+// path separator but exists as a file.
+func TestCopyErrDstNotDir(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	// Try with a file source.
+	srcInfo := CopyInfo{Path: filepath.Join(tmpDirA, "file1"), Exists: true, IsDir: false}
+
+	content, err := TarResource(srcInfo)
+	if err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+	defer content.Close()
+
+	if err = CopyTo(content, srcInfo, joinTrailingSep(tmpDirB, "file1")); err == nil {
+		t.Fatal("expected IsNotDir error, but got nil instead")
+	}
+
+	if !isNotDir(err) {
+		t.Fatalf("expected IsNotDir error, but got %T: %s", err, err)
+	}
+
+	// Try with a directory source.
+	srcInfo = CopyInfo{Path: filepath.Join(tmpDirA, "dir1"), Exists: true, IsDir: true}
+
+	content, err = TarResource(srcInfo)
+	if err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+	defer content.Close()
+
+	if err = CopyTo(content, srcInfo, joinTrailingSep(tmpDirB, "file1")); err == nil {
+		t.Fatal("expected IsNotDir error, but got nil instead")
+	}
+
+	if !isNotDir(err) {
+		t.Fatalf("expected IsNotDir error, but got %T: %s", err, err)
+	}
+}
+
+// Possibilities are reduced to the remaining 10 cases:
+//
+//  case | srcIsDir | onlyDirContents | dstExists | dstIsDir | dstTrSep | action
+// ===================================================================================================
+//   A   |  no      |  -              |  no       |  -       |  no      |  create file
+//   B   |  no      |  -              |  no       |  -       |  yes     |  error
+//   C   |  no      |  -              |  yes      |  no      |  -       |  overwrite file
+//   D   |  no      |  -              |  yes      |  yes     |  -       |  create file in dst dir
+//   E   |  yes     |  no             |  no       |  -       |  -       |  create dir, copy contents
+//   F   |  yes     |  no             |  yes      |  no      |  -       |  error
+//   G   |  yes     |  no             |  yes      |  yes     |  -       |  copy dir and contents
+//   H   |  yes     |  yes            |  no       |  -       |  -       |  create dir, copy contents
+//   I   |  yes     |  yes            |  yes      |  no      |  -       |  error
+//   J   |  yes     |  yes            |  yes      |  yes     |  -       |  copy dir contents
+//
+
+// A. SRC specifies a file and DST (no trailing path separator) doesn't
+//    exist. This should create a file with the name DST and copy the
+//    contents of the source file into it.
+func TestCopyCaseA(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+
+	srcPath := filepath.Join(tmpDirA, "file1")
+	dstPath := filepath.Join(tmpDirB, "itWorks.txt")
+
+	var err error
+
+	if err = testCopyHelper(t, srcPath, dstPath); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = fileContentsEqual(t, srcPath, dstPath)
+	assert.NilError(t, err)
+	os.Remove(dstPath)
+
+	symlinkPath := filepath.Join(tmpDirA, "symlink3")
+	symlinkPath1 := filepath.Join(tmpDirA, "symlink4")
+	linkTarget := filepath.Join(tmpDirA, "file1")
+
+	if err = testCopyHelperFSym(t, symlinkPath, dstPath); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = fileContentsEqual(t, linkTarget, dstPath)
+	assert.NilError(t, err)
+	os.Remove(dstPath)
+	if err = testCopyHelperFSym(t, symlinkPath1, dstPath); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = fileContentsEqual(t, linkTarget, dstPath)
+	assert.NilError(t, err)
+}
+
+// B. SRC specifies a file and DST (with trailing path separator) doesn't
+//    exist. This should cause an error because the copy operation cannot
+//    create a directory when copying a single file.
+func TestCopyCaseB(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+
+	srcPath := filepath.Join(tmpDirA, "file1")
+	dstDir := joinTrailingSep(tmpDirB, "testDir")
+
+	var err error
+
+	if err = testCopyHelper(t, srcPath, dstDir); err == nil {
+		t.Fatal("expected ErrDirNotExists error, but got nil instead")
+	}
+
+	if err != ErrDirNotExists {
+		t.Fatalf("expected ErrDirNotExists error, but got %T: %s", err, err)
+	}
+
+	symlinkPath := filepath.Join(tmpDirA, "symlink3")
+
+	if err = testCopyHelperFSym(t, symlinkPath, dstDir); err == nil {
+		t.Fatal("expected ErrDirNotExists error, but got nil instead")
+	}
+	if err != ErrDirNotExists {
+		t.Fatalf("expected ErrDirNotExists error, but got %T: %s", err, err)
+	}
+
+}
+
+// C. SRC specifies a file and DST exists as a file. This should overwrite
+//    the file at DST with the contents of the source file.
+func TestCopyCaseC(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	srcPath := filepath.Join(tmpDirA, "file1")
+	dstPath := filepath.Join(tmpDirB, "file2")
+
+	var err error
+
+	// Ensure they start out different.
+	if err = fileContentsEqual(t, srcPath, dstPath); err == nil {
+		t.Fatal("expected different file contents")
+	}
+
+	if err = testCopyHelper(t, srcPath, dstPath); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = fileContentsEqual(t, srcPath, dstPath)
+	assert.NilError(t, err)
+}
+
+// C. Symbol link following version:
+//    SRC specifies a file and DST exists as a file. This should overwrite
+//    the file at DST with the contents of the source file.
+func TestCopyCaseCFSym(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	symlinkPathBad := filepath.Join(tmpDirA, "symlink1")
+	symlinkPath := filepath.Join(tmpDirA, "symlink3")
+	linkTarget := filepath.Join(tmpDirA, "file1")
+	dstPath := filepath.Join(tmpDirB, "file2")
+
+	var err error
+
+	// first to test broken link
+	if err = testCopyHelperFSym(t, symlinkPathBad, dstPath); err == nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	// test symbol link -> symbol link -> target
+	// Ensure they start out different.
+	if err = fileContentsEqual(t, linkTarget, dstPath); err == nil {
+		t.Fatal("expected different file contents")
+	}
+
+	if err = testCopyHelperFSym(t, symlinkPath, dstPath); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = fileContentsEqual(t, linkTarget, dstPath)
+	assert.NilError(t, err)
+}
+
+// D. SRC specifies a file and DST exists as a directory. This should place
+//    a copy of the source file inside it using the basename from SRC. Ensure
+//    this works whether DST has a trailing path separator or not.
+func TestCopyCaseD(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	srcPath := filepath.Join(tmpDirA, "file1")
+	dstDir := filepath.Join(tmpDirB, "dir1")
+	dstPath := filepath.Join(dstDir, "file1")
+
+	var err error
+
+	// Ensure that dstPath doesn't exist.
+	if _, err = os.Stat(dstPath); !os.IsNotExist(err) {
+		t.Fatalf("did not expect dstPath %q to exist", dstPath)
+	}
+
+	if err = testCopyHelper(t, srcPath, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = fileContentsEqual(t, srcPath, dstPath)
+	assert.NilError(t, err)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	if err = os.RemoveAll(dstDir); err != nil {
+		t.Fatalf("unable to remove dstDir: %s", err)
+	}
+
+	if err = os.MkdirAll(dstDir, os.FileMode(0755)); err != nil {
+		t.Fatalf("unable to make dstDir: %s", err)
+	}
+
+	dstDir = joinTrailingSep(tmpDirB, "dir1")
+
+	if err = testCopyHelper(t, srcPath, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = fileContentsEqual(t, srcPath, dstPath)
+	assert.NilError(t, err)
+}
+
+// D. Symbol link following version:
+//    SRC specifies a file and DST exists as a directory. This should place
+//    a copy of the source file inside it using the basename from SRC. Ensure
+//    this works whether DST has a trailing path separator or not.
+func TestCopyCaseDFSym(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	srcPath := filepath.Join(tmpDirA, "symlink4")
+	linkTarget := filepath.Join(tmpDirA, "file1")
+	dstDir := filepath.Join(tmpDirB, "dir1")
+	dstPath := filepath.Join(dstDir, "symlink4")
+
+	var err error
+
+	// Ensure that dstPath doesn't exist.
+	if _, err = os.Stat(dstPath); !os.IsNotExist(err) {
+		t.Fatalf("did not expect dstPath %q to exist", dstPath)
+	}
+
+	if err = testCopyHelperFSym(t, srcPath, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = fileContentsEqual(t, linkTarget, dstPath)
+	assert.NilError(t, err)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	if err = os.RemoveAll(dstDir); err != nil {
+		t.Fatalf("unable to remove dstDir: %s", err)
+	}
+
+	if err = os.MkdirAll(dstDir, os.FileMode(0755)); err != nil {
+		t.Fatalf("unable to make dstDir: %s", err)
+	}
+
+	dstDir = joinTrailingSep(tmpDirB, "dir1")
+
+	if err = testCopyHelperFSym(t, srcPath, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = fileContentsEqual(t, linkTarget, dstPath)
+	assert.NilError(t, err)
+}
+
+// E. SRC specifies a directory and DST does not exist. This should create a
+//    directory at DST and copy the contents of the SRC directory into the DST
+//    directory. Ensure this works whether DST has a trailing path separator or
+//    not.
+func TestCopyCaseE(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+
+	srcDir := filepath.Join(tmpDirA, "dir1")
+	dstDir := filepath.Join(tmpDirB, "testDir")
+
+	var err error
+
+	if err = testCopyHelper(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	if err = dirContentsEqual(t, dstDir, srcDir); err != nil {
+		t.Log("dir contents not equal")
+		logDirContents(t, tmpDirA)
+		logDirContents(t, tmpDirB)
+		t.Fatal(err)
+	}
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	if err = os.RemoveAll(dstDir); err != nil {
+		t.Fatalf("unable to remove dstDir: %s", err)
+	}
+
+	dstDir = joinTrailingSep(tmpDirB, "testDir")
+
+	if err = testCopyHelper(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = dirContentsEqual(t, dstDir, srcDir)
+	assert.NilError(t, err)
+}
+
+// E. Symbol link following version:
+//    SRC specifies a directory and DST does not exist. This should create a
+//    directory at DST and copy the contents of the SRC directory into the DST
+//    directory. Ensure this works whether DST has a trailing path separator or
+//    not.
+func TestCopyCaseEFSym(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+
+	srcDir := filepath.Join(tmpDirA, "dirSymlink")
+	linkTarget := filepath.Join(tmpDirA, "dir1")
+	dstDir := filepath.Join(tmpDirB, "testDir")
+
+	var err error
+
+	if err = testCopyHelperFSym(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	if err = dirContentsEqual(t, dstDir, linkTarget); err != nil {
+		t.Log("dir contents not equal")
+		logDirContents(t, tmpDirA)
+		logDirContents(t, tmpDirB)
+		t.Fatal(err)
+	}
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	if err = os.RemoveAll(dstDir); err != nil {
+		t.Fatalf("unable to remove dstDir: %s", err)
+	}
+
+	dstDir = joinTrailingSep(tmpDirB, "testDir")
+
+	if err = testCopyHelperFSym(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = dirContentsEqual(t, dstDir, linkTarget)
+	assert.NilError(t, err)
+}
+
+// F. SRC specifies a directory and DST exists as a file. This should cause an
+//    error as it is not possible to overwrite a file with a directory.
+func TestCopyCaseF(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	srcDir := filepath.Join(tmpDirA, "dir1")
+	symSrcDir := filepath.Join(tmpDirA, "dirSymlink")
+	dstFile := filepath.Join(tmpDirB, "file1")
+
+	var err error
+
+	if err = testCopyHelper(t, srcDir, dstFile); err == nil {
+		t.Fatal("expected ErrCannotCopyDir error, but got nil instead")
+	}
+
+	if err != ErrCannotCopyDir {
+		t.Fatalf("expected ErrCannotCopyDir error, but got %T: %s", err, err)
+	}
+
+	// now test with symbol link
+	if err = testCopyHelperFSym(t, symSrcDir, dstFile); err == nil {
+		t.Fatal("expected ErrCannotCopyDir error, but got nil instead")
+	}
+
+	if err != ErrCannotCopyDir {
+		t.Fatalf("expected ErrCannotCopyDir error, but got %T: %s", err, err)
+	}
+}
+
+// G. SRC specifies a directory and DST exists as a directory. This should copy
+//    the SRC directory and all its contents to the DST directory. Ensure this
+//    works whether DST has a trailing path separator or not.
+func TestCopyCaseG(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	srcDir := filepath.Join(tmpDirA, "dir1")
+	dstDir := filepath.Join(tmpDirB, "dir2")
+	resultDir := filepath.Join(dstDir, "dir1")
+
+	var err error
+
+	if err = testCopyHelper(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = dirContentsEqual(t, resultDir, srcDir)
+	assert.NilError(t, err)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	if err = os.RemoveAll(dstDir); err != nil {
+		t.Fatalf("unable to remove dstDir: %s", err)
+	}
+
+	if err = os.MkdirAll(dstDir, os.FileMode(0755)); err != nil {
+		t.Fatalf("unable to make dstDir: %s", err)
+	}
+
+	dstDir = joinTrailingSep(tmpDirB, "dir2")
+
+	if err = testCopyHelper(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = dirContentsEqual(t, resultDir, srcDir)
+	assert.NilError(t, err)
+}
+
+// G. Symbol link version:
+//    SRC specifies a directory and DST exists as a directory. This should copy
+//    the SRC directory and all its contents to the DST directory. Ensure this
+//    works whether DST has a trailing path separator or not.
+func TestCopyCaseGFSym(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	srcDir := filepath.Join(tmpDirA, "dirSymlink")
+	linkTarget := filepath.Join(tmpDirA, "dir1")
+	dstDir := filepath.Join(tmpDirB, "dir2")
+	resultDir := filepath.Join(dstDir, "dirSymlink")
+
+	var err error
+
+	if err = testCopyHelperFSym(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = dirContentsEqual(t, resultDir, linkTarget)
+	assert.NilError(t, err)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	if err = os.RemoveAll(dstDir); err != nil {
+		t.Fatalf("unable to remove dstDir: %s", err)
+	}
+
+	if err = os.MkdirAll(dstDir, os.FileMode(0755)); err != nil {
+		t.Fatalf("unable to make dstDir: %s", err)
+	}
+
+	dstDir = joinTrailingSep(tmpDirB, "dir2")
+
+	if err = testCopyHelperFSym(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = dirContentsEqual(t, resultDir, linkTarget)
+	assert.NilError(t, err)
+}
+
+// H. SRC specifies a directory's contents only and DST does not exist. This
+//    should create a directory at DST and copy the contents of the SRC
+//    directory (but not the directory itself) into the DST directory. Ensure
+//    this works whether DST has a trailing path separator or not.
+func TestCopyCaseH(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+
+	srcDir := joinTrailingSep(tmpDirA, "dir1") + "."
+	dstDir := filepath.Join(tmpDirB, "testDir")
+
+	var err error
+
+	if err = testCopyHelper(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	if err = dirContentsEqual(t, dstDir, srcDir); err != nil {
+		t.Log("dir contents not equal")
+		logDirContents(t, tmpDirA)
+		logDirContents(t, tmpDirB)
+		t.Fatal(err)
+	}
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	if err = os.RemoveAll(dstDir); err != nil {
+		t.Fatalf("unable to remove dstDir: %s", err)
+	}
+
+	dstDir = joinTrailingSep(tmpDirB, "testDir")
+
+	if err = testCopyHelper(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	if err = dirContentsEqual(t, dstDir, srcDir); err != nil {
+		t.Log("dir contents not equal")
+		logDirContents(t, tmpDirA)
+		logDirContents(t, tmpDirB)
+		t.Fatal(err)
+	}
+}
+
+// H. Symbol link following version:
+//    SRC specifies a directory's contents only and DST does not exist. This
+//    should create a directory at DST and copy the contents of the SRC
+//    directory (but not the directory itself) into the DST directory. Ensure
+//    this works whether DST has a trailing path separator or not.
+func TestCopyCaseHFSym(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+
+	srcDir := joinTrailingSep(tmpDirA, "dirSymlink") + "."
+	linkTarget := filepath.Join(tmpDirA, "dir1")
+	dstDir := filepath.Join(tmpDirB, "testDir")
+
+	var err error
+
+	if err = testCopyHelperFSym(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	if err = dirContentsEqual(t, dstDir, linkTarget); err != nil {
+		t.Log("dir contents not equal")
+		logDirContents(t, tmpDirA)
+		logDirContents(t, tmpDirB)
+		t.Fatal(err)
+	}
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	if err = os.RemoveAll(dstDir); err != nil {
+		t.Fatalf("unable to remove dstDir: %s", err)
+	}
+
+	dstDir = joinTrailingSep(tmpDirB, "testDir")
+
+	if err = testCopyHelperFSym(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	if err = dirContentsEqual(t, dstDir, linkTarget); err != nil {
+		t.Log("dir contents not equal")
+		logDirContents(t, tmpDirA)
+		logDirContents(t, tmpDirB)
+		t.Fatal(err)
+	}
+}
+
+// I. SRC specifies a directory's contents only and DST exists as a file. This
+//    should cause an error as it is not possible to overwrite a file with a
+//    directory.
+func TestCopyCaseI(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	srcDir := joinTrailingSep(tmpDirA, "dir1") + "."
+	symSrcDir := filepath.Join(tmpDirB, "dirSymlink")
+	dstFile := filepath.Join(tmpDirB, "file1")
+
+	var err error
+
+	if err = testCopyHelper(t, srcDir, dstFile); err == nil {
+		t.Fatal("expected ErrCannotCopyDir error, but got nil instead")
+	}
+
+	if err != ErrCannotCopyDir {
+		t.Fatalf("expected ErrCannotCopyDir error, but got %T: %s", err, err)
+	}
+
+	// now try with symbol link of dir
+	if err = testCopyHelperFSym(t, symSrcDir, dstFile); err == nil {
+		t.Fatal("expected ErrCannotCopyDir error, but got nil instead")
+	}
+
+	if err != ErrCannotCopyDir {
+		t.Fatalf("expected ErrCannotCopyDir error, but got %T: %s", err, err)
+	}
+}
+
+// J. SRC specifies a directory's contents only and DST exists as a directory.
+//    This should copy the contents of the SRC directory (but not the directory
+//    itself) into the DST directory. Ensure this works whether DST has a
+//    trailing path separator or not.
+func TestCopyCaseJ(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	srcDir := joinTrailingSep(tmpDirA, "dir1") + "."
+	dstDir := filepath.Join(tmpDirB, "dir5")
+
+	var err error
+
+	// first to create an empty dir
+	if err = os.MkdirAll(dstDir, os.FileMode(0755)); err != nil {
+		t.Fatalf("unable to make dstDir: %s", err)
+	}
+
+	if err = testCopyHelper(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = dirContentsEqual(t, dstDir, srcDir)
+	assert.NilError(t, err)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	if err = os.RemoveAll(dstDir); err != nil {
+		t.Fatalf("unable to remove dstDir: %s", err)
+	}
+
+	if err = os.MkdirAll(dstDir, os.FileMode(0755)); err != nil {
+		t.Fatalf("unable to make dstDir: %s", err)
+	}
+
+	dstDir = joinTrailingSep(tmpDirB, "dir5")
+
+	if err = testCopyHelper(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = dirContentsEqual(t, dstDir, srcDir)
+	assert.NilError(t, err)
+}
+
+// J. Symbol link following version:
+//    SRC specifies a directory's contents only and DST exists as a directory.
+//    This should copy the contents of the SRC directory (but not the directory
+//    itself) into the DST directory. Ensure this works whether DST has a
+//    trailing path separator or not.
+func TestCopyCaseJFSym(t *testing.T) {
+	tmpDirA, tmpDirB := getTestTempDirs(t)
+	defer removeAllPaths(tmpDirA, tmpDirB)
+
+	// Load A and B with some sample files and directories.
+	createSampleDir(t, tmpDirA)
+	createSampleDir(t, tmpDirB)
+
+	srcDir := joinTrailingSep(tmpDirA, "dirSymlink") + "."
+	linkTarget := filepath.Join(tmpDirA, "dir1")
+	dstDir := filepath.Join(tmpDirB, "dir5")
+
+	var err error
+
+	// first to create an empty dir
+	if err = os.MkdirAll(dstDir, os.FileMode(0755)); err != nil {
+		t.Fatalf("unable to make dstDir: %s", err)
+	}
+
+	if err = testCopyHelperFSym(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = dirContentsEqual(t, dstDir, linkTarget)
+	assert.NilError(t, err)
+
+	// Now try again but using a trailing path separator for dstDir.
+
+	if err = os.RemoveAll(dstDir); err != nil {
+		t.Fatalf("unable to remove dstDir: %s", err)
+	}
+
+	if err = os.MkdirAll(dstDir, os.FileMode(0755)); err != nil {
+		t.Fatalf("unable to make dstDir: %s", err)
+	}
+
+	dstDir = joinTrailingSep(tmpDirB, "dir5")
+
+	if err = testCopyHelperFSym(t, srcDir, dstDir); err != nil {
+		t.Fatalf("unexpected error %T: %s", err, err)
+	}
+
+	err = dirContentsEqual(t, dstDir, linkTarget)
+	assert.NilError(t, err)
+}
diff --git a/engine/pkg/archive/copy_windows.go b/engine/pkg/archive/copy_windows.go
new file mode 100644
index 00000000..a878d1ba
--- /dev/null
+++ b/engine/pkg/archive/copy_windows.go
@@ -0,0 +1,9 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"path/filepath"
+)
+
+func normalizePath(path string) string {
+	return filepath.FromSlash(path)
+}
diff --git a/engine/pkg/archive/diff.go b/engine/pkg/archive/diff.go
new file mode 100644
index 00000000..fae4b9de
--- /dev/null
+++ b/engine/pkg/archive/diff.go
@@ -0,0 +1,258 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/pools"
+	"github.com/docker/docker/pkg/system"
+	"github.com/sirupsen/logrus"
+)
+
+// UnpackLayer unpack `layer` to a `dest`. The stream `layer` can be
+// compressed or uncompressed.
+// Returns the size in bytes of the contents of the layer.
+func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64, err error) {
+	tr := tar.NewReader(layer)
+	trBuf := pools.BufioReader32KPool.Get(tr)
+	defer pools.BufioReader32KPool.Put(trBuf)
+
+	var dirs []*tar.Header
+	unpackedPaths := make(map[string]struct{})
+
+	if options == nil {
+		options = &TarOptions{}
+	}
+	if options.ExcludePatterns == nil {
+		options.ExcludePatterns = []string{}
+	}
+	idMappings := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
+
+	aufsTempdir := ""
+	aufsHardlinks := make(map[string]*tar.Header)
+
+	// Iterate through the files in the archive.
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			// end of tar archive
+			break
+		}
+		if err != nil {
+			return 0, err
+		}
+
+		size += hdr.Size
+
+		// Normalize name, for safety and for a simple is-root check
+		hdr.Name = filepath.Clean(hdr.Name)
+
+		// Windows does not support filenames with colons in them. Ignore
+		// these files. This is not a problem though (although it might
+		// appear that it is). Let's suppose a client is running docker pull.
+		// The daemon it points to is Windows. Would it make sense for the
+		// client to be doing a docker pull Ubuntu for example (which has files
+		// with colons in the name under /usr/share/man/man3)? No, absolutely
+		// not as it would really only make sense that they were pulling a
+		// Windows image. However, for development, it is necessary to be able
+		// to pull Linux images which are in the repository.
+		//
+		// TODO Windows. Once the registry is aware of what images are Windows-
+		// specific or Linux-specific, this warning should be changed to an error
+		// to cater for the situation where someone does manage to upload a Linux
+		// image but have it tagged as Windows inadvertently.
+		if runtime.GOOS == "windows" {
+			if strings.Contains(hdr.Name, ":") {
+				logrus.Warnf("Windows: Ignoring %s (is this a Linux image?)", hdr.Name)
+				continue
+			}
+		}
+
+		// Note as these operations are platform specific, so must the slash be.
+		if !strings.HasSuffix(hdr.Name, string(os.PathSeparator)) {
+			// Not the root directory, ensure that the parent directory exists.
+			// This happened in some tests where an image had a tarfile without any
+			// parent directories.
+			parent := filepath.Dir(hdr.Name)
+			parentPath := filepath.Join(dest, parent)
+
+			if _, err := os.Lstat(parentPath); err != nil && os.IsNotExist(err) {
+				err = system.MkdirAll(parentPath, 0600, "")
+				if err != nil {
+					return 0, err
+				}
+			}
+		}
+
+		// Skip AUFS metadata dirs
+		if strings.HasPrefix(hdr.Name, WhiteoutMetaPrefix) {
+			// Regular files inside /.wh..wh.plnk can be used as hardlink targets
+			// We don't want this directory, but we need the files in them so that
+			// such hardlinks can be resolved.
+			if strings.HasPrefix(hdr.Name, WhiteoutLinkDir) && hdr.Typeflag == tar.TypeReg {
+				basename := filepath.Base(hdr.Name)
+				aufsHardlinks[basename] = hdr
+				if aufsTempdir == "" {
+					if aufsTempdir, err = ioutil.TempDir("", "dockerplnk"); err != nil {
+						return 0, err
+					}
+					defer os.RemoveAll(aufsTempdir)
+				}
+				if err := createTarFile(filepath.Join(aufsTempdir, basename), dest, hdr, tr, true, nil, options.InUserNS); err != nil {
+					return 0, err
+				}
+			}
+
+			if hdr.Name != WhiteoutOpaqueDir {
+				continue
+			}
+		}
+		path := filepath.Join(dest, hdr.Name)
+		rel, err := filepath.Rel(dest, path)
+		if err != nil {
+			return 0, err
+		}
+
+		// Note as these operations are platform specific, so must the slash be.
+		if strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
+			return 0, breakoutError(fmt.Errorf("%q is outside of %q", hdr.Name, dest))
+		}
+		base := filepath.Base(path)
+
+		if strings.HasPrefix(base, WhiteoutPrefix) {
+			dir := filepath.Dir(path)
+			if base == WhiteoutOpaqueDir {
+				_, err := os.Lstat(dir)
+				if err != nil {
+					return 0, err
+				}
+				err = filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+					if err != nil {
+						if os.IsNotExist(err) {
+							err = nil // parent was deleted
+						}
+						return err
+					}
+					if path == dir {
+						return nil
+					}
+					if _, exists := unpackedPaths[path]; !exists {
+						err := os.RemoveAll(path)
+						return err
+					}
+					return nil
+				})
+				if err != nil {
+					return 0, err
+				}
+			} else {
+				originalBase := base[len(WhiteoutPrefix):]
+				originalPath := filepath.Join(dir, originalBase)
+				if err := os.RemoveAll(originalPath); err != nil {
+					return 0, err
+				}
+			}
+		} else {
+			// If path exits we almost always just want to remove and replace it.
+			// The only exception is when it is a directory *and* the file from
+			// the layer is also a directory. Then we want to merge them (i.e.
+			// just apply the metadata from the layer).
+			if fi, err := os.Lstat(path); err == nil {
+				if !(fi.IsDir() && hdr.Typeflag == tar.TypeDir) {
+					if err := os.RemoveAll(path); err != nil {
+						return 0, err
+					}
+				}
+			}
+
+			trBuf.Reset(tr)
+			srcData := io.Reader(trBuf)
+			srcHdr := hdr
+
+			// Hard links into /.wh..wh.plnk don't work, as we don't extract that directory, so
+			// we manually retarget these into the temporary files we extracted them into
+			if hdr.Typeflag == tar.TypeLink && strings.HasPrefix(filepath.Clean(hdr.Linkname), WhiteoutLinkDir) {
+				linkBasename := filepath.Base(hdr.Linkname)
+				srcHdr = aufsHardlinks[linkBasename]
+				if srcHdr == nil {
+					return 0, fmt.Errorf("Invalid aufs hardlink")
+				}
+				tmpFile, err := os.Open(filepath.Join(aufsTempdir, linkBasename))
+				if err != nil {
+					return 0, err
+				}
+				defer tmpFile.Close()
+				srcData = tmpFile
+			}
+
+			if err := remapIDs(idMappings, srcHdr); err != nil {
+				return 0, err
+			}
+
+			if err := createTarFile(path, dest, srcHdr, srcData, true, nil, options.InUserNS); err != nil {
+				return 0, err
+			}
+
+			// Directory mtimes must be handled at the end to avoid further
+			// file creation in them to modify the directory mtime
+			if hdr.Typeflag == tar.TypeDir {
+				dirs = append(dirs, hdr)
+			}
+			unpackedPaths[path] = struct{}{}
+		}
+	}
+
+	for _, hdr := range dirs {
+		path := filepath.Join(dest, hdr.Name)
+		if err := system.Chtimes(path, hdr.AccessTime, hdr.ModTime); err != nil {
+			return 0, err
+		}
+	}
+
+	return size, nil
+}
+
+// ApplyLayer parses a diff in the standard layer format from `layer`,
+// and applies it to the directory `dest`. The stream `layer` can be
+// compressed or uncompressed.
+// Returns the size in bytes of the contents of the layer.
+func ApplyLayer(dest string, layer io.Reader) (int64, error) {
+	return applyLayerHandler(dest, layer, &TarOptions{}, true)
+}
+
+// ApplyUncompressedLayer parses a diff in the standard layer format from
+// `layer`, and applies it to the directory `dest`. The stream `layer`
+// can only be uncompressed.
+// Returns the size in bytes of the contents of the layer.
+func ApplyUncompressedLayer(dest string, layer io.Reader, options *TarOptions) (int64, error) {
+	return applyLayerHandler(dest, layer, options, false)
+}
+
+// do the bulk load of ApplyLayer, but allow for not calling DecompressStream
+func applyLayerHandler(dest string, layer io.Reader, options *TarOptions, decompress bool) (int64, error) {
+	dest = filepath.Clean(dest)
+
+	// We need to be able to set any perms
+	oldmask, err := system.Umask(0)
+	if err != nil {
+		return 0, err
+	}
+	defer system.Umask(oldmask) // ignore err, ErrNotSupportedPlatform
+
+	if decompress {
+		decompLayer, err := DecompressStream(layer)
+		if err != nil {
+			return 0, err
+		}
+		defer decompLayer.Close()
+		layer = decompLayer
+	}
+	return UnpackLayer(dest, layer, options)
+}
diff --git a/engine/pkg/archive/diff_test.go b/engine/pkg/archive/diff_test.go
new file mode 100644
index 00000000..19f2555e
--- /dev/null
+++ b/engine/pkg/archive/diff_test.go
@@ -0,0 +1,386 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"runtime"
+	"testing"
+
+	"github.com/docker/docker/pkg/ioutils"
+)
+
+func TestApplyLayerInvalidFilenames(t *testing.T) {
+	// TODO Windows: Figure out how to fix this test.
+	if runtime.GOOS == "windows" {
+		t.Skip("Passes but hits breakoutError: platform and architecture is not supported")
+	}
+	for i, headers := range [][]*tar.Header{
+		{
+			{
+				Name:     "../victim/dotdot",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+		{
+			{
+				// Note the leading slash
+				Name:     "/../victim/slash-dotdot",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+	} {
+		if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidFilenames", headers); err != nil {
+			t.Fatalf("i=%d. %v", i, err)
+		}
+	}
+}
+
+func TestApplyLayerInvalidHardlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("TypeLink support on Windows")
+	}
+	for i, headers := range [][]*tar.Header{
+		{ // try reading victim/hello (../)
+			{
+				Name:     "dotdot",
+				Typeflag: tar.TypeLink,
+				Linkname: "../victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try reading victim/hello (/../)
+			{
+				Name:     "slash-dotdot",
+				Typeflag: tar.TypeLink,
+				// Note the leading slash
+				Linkname: "/../victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try writing victim/file
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeLink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "loophole-victim/file",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+		{ // try reading victim/hello (hardlink, symlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeLink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "symlink",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "loophole-victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // Try reading victim/hello (hardlink, hardlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeLink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "hardlink",
+				Typeflag: tar.TypeLink,
+				Linkname: "loophole-victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // Try removing victim directory (hardlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeLink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+	} {
+		if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidHardlink", headers); err != nil {
+			t.Fatalf("i=%d. %v", i, err)
+		}
+	}
+}
+
+func TestApplyLayerInvalidSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("TypeSymLink support on Windows")
+	}
+	for i, headers := range [][]*tar.Header{
+		{ // try reading victim/hello (../)
+			{
+				Name:     "dotdot",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try reading victim/hello (/../)
+			{
+				Name:     "slash-dotdot",
+				Typeflag: tar.TypeSymlink,
+				// Note the leading slash
+				Linkname: "/../victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try writing victim/file
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "loophole-victim/file",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+		{ // try reading victim/hello (symlink, symlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "symlink",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "loophole-victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try reading victim/hello (symlink, hardlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "hardlink",
+				Typeflag: tar.TypeLink,
+				Linkname: "loophole-victim/hello",
+				Mode:     0644,
+			},
+		},
+		{ // try removing victim directory (symlink)
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeSymlink,
+				Linkname: "../victim",
+				Mode:     0755,
+			},
+			{
+				Name:     "loophole-victim",
+				Typeflag: tar.TypeReg,
+				Mode:     0644,
+			},
+		},
+	} {
+		if err := testBreakout("applylayer", "docker-TestApplyLayerInvalidSymlink", headers); err != nil {
+			t.Fatalf("i=%d. %v", i, err)
+		}
+	}
+}
+
+func TestApplyLayerWhiteouts(t *testing.T) {
+	// TODO Windows: Figure out why this test fails
+	if runtime.GOOS == "windows" {
+		t.Skip("Failing on Windows")
+	}
+
+	wd, err := ioutil.TempDir("", "graphdriver-test-whiteouts")
+	if err != nil {
+		return
+	}
+	defer os.RemoveAll(wd)
+
+	base := []string{
+		".baz",
+		"bar/",
+		"bar/bax",
+		"bar/bay/",
+		"baz",
+		"foo/",
+		"foo/.abc",
+		"foo/.bcd/",
+		"foo/.bcd/a",
+		"foo/cde/",
+		"foo/cde/def",
+		"foo/cde/efg",
+		"foo/fgh",
+		"foobar",
+	}
+
+	type tcase struct {
+		change, expected []string
+	}
+
+	tcases := []tcase{
+		{
+			base,
+			base,
+		},
+		{
+			[]string{
+				".bay",
+				".wh.baz",
+				"foo/",
+				"foo/.bce",
+				"foo/.wh..wh..opq",
+				"foo/cde/",
+				"foo/cde/efg",
+			},
+			[]string{
+				".bay",
+				".baz",
+				"bar/",
+				"bar/bax",
+				"bar/bay/",
+				"foo/",
+				"foo/.bce",
+				"foo/cde/",
+				"foo/cde/efg",
+				"foobar",
+			},
+		},
+		{
+			[]string{
+				".bay",
+				".wh..baz",
+				".wh.foobar",
+				"foo/",
+				"foo/.abc",
+				"foo/.wh.cde",
+				"bar/",
+			},
+			[]string{
+				".bay",
+				"bar/",
+				"bar/bax",
+				"bar/bay/",
+				"foo/",
+				"foo/.abc",
+				"foo/.bce",
+			},
+		},
+		{
+			[]string{
+				".abc",
+				".wh..wh..opq",
+				"foobar",
+			},
+			[]string{
+				".abc",
+				"foobar",
+			},
+		},
+	}
+
+	for i, tc := range tcases {
+		l, err := makeTestLayer(tc.change)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		_, err = UnpackLayer(wd, l, nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		err = l.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		paths, err := readDirContents(wd)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if !reflect.DeepEqual(tc.expected, paths) {
+			t.Fatalf("invalid files for layer %d: expected %q, got %q", i, tc.expected, paths)
+		}
+	}
+
+}
+
+func makeTestLayer(paths []string) (rc io.ReadCloser, err error) {
+	tmpDir, err := ioutil.TempDir("", "graphdriver-test-mklayer")
+	if err != nil {
+		return
+	}
+	defer func() {
+		if err != nil {
+			os.RemoveAll(tmpDir)
+		}
+	}()
+	for _, p := range paths {
+		if p[len(p)-1] == filepath.Separator {
+			if err = os.MkdirAll(filepath.Join(tmpDir, p), 0700); err != nil {
+				return
+			}
+		} else {
+			if err = ioutil.WriteFile(filepath.Join(tmpDir, p), nil, 0600); err != nil {
+				return
+			}
+		}
+	}
+	archive, err := Tar(tmpDir, Uncompressed)
+	if err != nil {
+		return
+	}
+	return ioutils.NewReadCloserWrapper(archive, func() error {
+		err := archive.Close()
+		os.RemoveAll(tmpDir)
+		return err
+	}), nil
+}
+
+func readDirContents(root string) ([]string, error) {
+	var files []string
+	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if path == root {
+			return nil
+		}
+		rel, err := filepath.Rel(root, path)
+		if err != nil {
+			return err
+		}
+		if info.IsDir() {
+			rel = rel + "/"
+		}
+		files = append(files, rel)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return files, nil
+}
diff --git a/engine/pkg/archive/example_changes.go b/engine/pkg/archive/example_changes.go
new file mode 100644
index 00000000..495db809
--- /dev/null
+++ b/engine/pkg/archive/example_changes.go
@@ -0,0 +1,97 @@
+// +build ignore
+
+// Simple tool to create an archive stream from an old and new directory
+//
+// By default it will stream the comparison of two temporary directories with junk files
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	flDebug  = flag.Bool("D", false, "debugging output")
+	flNewDir = flag.String("newdir", "", "")
+	flOldDir = flag.String("olddir", "", "")
+	log      = logrus.New()
+)
+
+func main() {
+	flag.Usage = func() {
+		fmt.Println("Produce a tar from comparing two directory paths. By default a demo tar is created of around 200 files (including hardlinks)")
+		fmt.Printf("%s [OPTIONS]\n", os.Args[0])
+		flag.PrintDefaults()
+	}
+	flag.Parse()
+	log.Out = os.Stderr
+	if (len(os.Getenv("DEBUG")) > 0) || *flDebug {
+		logrus.SetLevel(logrus.DebugLevel)
+	}
+	var newDir, oldDir string
+
+	if len(*flNewDir) == 0 {
+		var err error
+		newDir, err = ioutil.TempDir("", "docker-test-newDir")
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer os.RemoveAll(newDir)
+		if _, err := prepareUntarSourceDirectory(100, newDir, true); err != nil {
+			log.Fatal(err)
+		}
+	} else {
+		newDir = *flNewDir
+	}
+
+	if len(*flOldDir) == 0 {
+		oldDir, err := ioutil.TempDir("", "docker-test-oldDir")
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer os.RemoveAll(oldDir)
+	} else {
+		oldDir = *flOldDir
+	}
+
+	changes, err := archive.ChangesDirs(newDir, oldDir)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	a, err := archive.ExportChanges(newDir, changes)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer a.Close()
+
+	i, err := io.Copy(os.Stdout, a)
+	if err != nil && err != io.EOF {
+		log.Fatal(err)
+	}
+	fmt.Fprintf(os.Stderr, "wrote archive of %d bytes", i)
+}
+
+func prepareUntarSourceDirectory(numberOfFiles int, targetPath string, makeLinks bool) (int, error) {
+	fileData := []byte("fooo")
+	for n := 0; n < numberOfFiles; n++ {
+		fileName := fmt.Sprintf("file-%d", n)
+		if err := ioutil.WriteFile(path.Join(targetPath, fileName), fileData, 0700); err != nil {
+			return 0, err
+		}
+		if makeLinks {
+			if err := os.Link(path.Join(targetPath, fileName), path.Join(targetPath, fileName+"-link")); err != nil {
+				return 0, err
+			}
+		}
+	}
+	totalSize := numberOfFiles * len(fileData)
+	return totalSize, nil
+}
diff --git a/engine/pkg/archive/testdata/broken.tar b/engine/pkg/archive/testdata/broken.tar
new file mode 100644
index 0000000000000000000000000000000000000000..8f10ea6b87d3eb4fed572349dfe87695603b10a5
GIT binary patch
literal 13824
zcmeHN>rxv>7UtLfn5Q@^l8gXrG&7O_li)0oQBai)6v9rjo&-ixOPXbFo(r;aaqT1Q
zi|o_vJM6y3ey8Um2^?(fm~vH66==Hq^tqqYr_U$~f~3CkaX-4=)VFkfMbAE0zj=1W
zFdGeXOK)!KtrgwSO|!8=t&huAhCPiFI|54|O6#g{AByje_D5`gZ4lbN_tD%y+P?+6
zW}mCyJbT6dM$<6v?SB_8uxS5j5M6u>C%C=+&BoS!{NIK7SFYLLXgq9fL;u??&1{<b
z!#}_wZg2ml(Q4ku|6Mr1+wI?RTv6*d{;+nE;z`#Uja&M}?d`v1Y;E1!|I@Yq)BV#u
zZRWY}#v$rCeY4qI`6s}QfBo-2{9XIYzyF)p1BPLmD~7SzXl<ICn<)Hr)7Wg8EA+uN
z8R)$ABkMn+x5B**AQz@AZr%p}iLBRZHCp{)@9C2rL(>)C_QVb?f0pB4xfD_C1pX2f
z=LE&>$4O)llEszRik&8tAi~^>9~IXb2tQsXkop&XF!hz8gWXO)O@R9>nS~7H1w&*U
zWf1ryXPidjED|qMClc|F!YuB;N}eT-8}IBqwJ!w!F&$m$r;a;(N7!YIEb7h<=ej}&
zT~f;Cd!ZOC&mX2<A4GTBffw2lvz)=7iZ}sRft-@sEaqQf{#!Tbmv}UNOYws<kQA>n
zv4)UvkOa{z8}jxVC6bTq+3^R;Sok8c6EQsN&k9^`&<Ew#qD`%}b*8rzPb79NW<eyv
zG;;IZlOzdu>h(<JHK{@^4$^2KMnN<dnlF+%N4?x!yEL?>Hc32JVwt-Hrj<{`vG3V<
zCk?#){6BW>!9@+(L2u}{Jos}CZh!u_HaA;$dH(--^ZzaF-*=t<t)1ZZ_TOx6-P`}2
z;`c*=-pBr)?ceGOaC`f2H5+$&|NryGzs&BaRh;3_6;m!^cAhw6t_Fs^LF9zVAxgrI
z^Ga)k-uwDmQU6~pk+ZSU)Y0=r|JP`?471rlpV-_&ANVfo{}p;)*~)!ag?rz?DiPkz
zgJxA|FHHi^PMm@5x-%+EOX|<)I2dwy?USjQTU3?9p5ukCpoV5{uPNBif7DBCe`rTT
z3L{~Aebmu%diM|dDB4g^FC<WUE+WY)#i2bARGm(QPg6ky+gB4xV?o;SF&J}3l#mvO
zq_r;P$mfxwX%g4-KI8gEj2)kg<UYjrC=ss`MH?m5{!Y>S5&i^O)@Me!3BwBQ`@=VE
zIl)Fp0<ty)I0-2ZJn%KK`C23*!u80HT~G@An4m7!)liHaUkr(FKmIt@h^+N0?qpNP
zb)^Q!&ZPh_rG6ipy|AHL8rt#X0RtX)B_K(l(2;XbDhqQqxncyFz|$~DdGE_KNW=q4
z9tcjBfg=w6CCH4S_Qq9)$j4<aqV~oHAli25B(_TscWjdrvlWJv1i*BSZy`mO93>MG
z@%2K`G+^8HA?T&;xGZB%_q<@Vt&(_!w-gfXxk@mb9|fb)1BuBGk_ptuvx%G~pq0Kb
zb&?6Szj_3#ClOiI_3vu1e+<T{ZC$E0&A3#piCQy4)rxE8M*h5E#X6Q3R^dW|e6oJA
z6!1m_957RkFrR=qLihlW;C)rguWARo&2;UHs^RULcpxU7Z<CbFRAm&!bB*ofK>mOX
z9k`Og<ag2OH>2B5RmN7LGZ)c;3%E%Ip__9KKUf&G&zD9jkJNr-{ibNby{ds<t*Y>>
zUrSU_0z^Wf<)}gE{Jb22kgArW_I#nO79{eFvL6rZP*4oJ7H%7}fn5i&1ZT@5hDK4~
z(U`5S#`Fws86Z{2P=gP6usiI=mKaOr@4W<f_DdFo`NM}zf>|(?6Ye5$Oayf(LUxEb
zaN*HO8gZBg{sZJ1)pg4>36^kmC*dQ2;oE@^#)cw_*aI^!cM=y1Rqga(?Ey`Mja44@
zco?Vs7`J_y5ir%m6vXp*y&Gb{4lfBvR0R>wjxNBA^zHAzdc;~eK6(s=AB|{$OM8p}
zp9LwiIkAyG5Q$+F3`7h$CPJbL(j-h1h61!ZViYo4dBXOg@lop12w4V<L4&zs_AUbl
zRPBf%7W7VbALtP2MKUWDr*_mV-FCm1snL%p>Yz!&$vL+Po-n0lE6B8Y;6$Ar89(FQ
zU43m0VVC)g+}A0GY(H3=vGXH;5|6sFnZk+NN-WF&+)64KnDBNmlR?P<{j247c6ZGs
zY`hF!K4&Hi(0r~#=6sH0f#>;~|6uT_GuPArovwt~PT&t2-pNh;x9aMe7i;!lK!(<$
z?d`g5*7a@bJ?(y(Y4ln98)|Cinp8V=gdKs-N$TT&k8N344C6y&*H}a~{9Pg&%cB8(
zs3gwCMEH-=;aI?u+)#>TQj}R!`jyO-QsK*KZS|lK9+9#7oV0B(la+@sRbyfJf~*mY
z#+u;OA2B@66aq^nOW6`=t5qYdRV{oFkE8T+GhJI-*NldT<GMfrdYcObq_-4np!UTa
z62ven4N*a=kcA193+2D7wCW<x^TokWivt|3bJDNrb;(Bkcf<u=>tcr!I|PQf({z2i
zZs;`}x~m6ks)bXh@+($$(s>pJ`5X6~16{Ufo<hOp)jft@H;jVNPjA=*VXp3B-qzFy
zZvcLM4LC!MqtjbcU%z2T{o0OY(SNq8vAei$!G_W)rF&L~wiC~4DDQ;3mL2w#n^vCS
zJ2z3;0CO9x>JC(mW1b(MtJcpN$ZBT3r1B`&Cx9{-iF=!{A}z(ob033DW~d!*9$cfm
zVNC%z6l$8Qz0L<amlq9R;(1{~=%L_}f@kJr!Pk!x=@7-loMt$bG^groHAiH&Jk=VR
zR&_E%j4>iPv&`A!8a*yd3zi-in+*e-!2$MiQNyE>1xX!65{vsnGKkf9!|0+OGBAb=
z5*&U!Rl91sZq^%6Di#9<<87G)rv;99!{p6oE&}gq)LXeeJT)kYlsjz{ehkbMY(O`q
zGvc6vviAh-6>EFt+I|*)$Z&%o;(ob2LAmI=<VrwhwM%)lUw7a2hl_E@e5S9hA!K2O
z%kV<}$`HIQz@&<rp86Auh3`cqoVYj(gD*FjqM(QaSH9xFslX{4=lmc_q`SLelwDdl
zSsXkv8&n*U&mS2N$x;^Ut{sAM@~pT`aa;}pvdd?9l=LD4t~s7hOCN!<d3rJ{q1gih
zwI9wi3)?eLpB&F;*iLi8Y#G==o_-#!zTotaB##pVr$ieI75am2f4huK(YoK$DHl^z
zdDpH5p=*JSrw4SK9aJ%OqftW+H5;glLlL=j+0u+{&BX8-j$3L6T<_s^70R$<UVj`6
zQV++DyxoB$gzv!W*&Rhzj|9J@f8ceaGr~=q9TpbcbEoz!t1jjGWESE&D_6fnC5Q^*
zLcqGf1~}Al0cQLed8kWyh0C@?3?`_0Q4tSw9{Bu+`{KT94+*zOAD4*U0aXt7p6*wa
zch-beqmlCpM5a-Idau_$=^me+F%s#p$9ty-XWhfj5o$_1L0O)4jVKlgIA(gi9}bU>
zd);1Ux&vAHF3sW+ZYtInM5`<aS2kpap%%ttM^5u)K4<qEeyJy-FEKBd<Qpm&;ukq0
z)ZeoFsl2gyRpD(ME}sE?_WWCkX_byptn(#;tNuaYLBmiRZsl@Q$ge+em$zy$b=u$J
za#O>7V!gWe@@A3}gzBN4OzKHcFXhsnBZ62vkM}c;c8?C16|}T)I>F_`E4y<`7O_Uv
z_IIGuK3}j6k8x0(NE^)|N^6ztuoF5wcqyCPP4-b>1H5)kQM(q_kYzo37tjs2w1@@5
z)pou5q*BNKlggS#-4TOxF*--bZwQgZIP>8>Wh4R6qJg1trGj7P+M9C-U$bgV0-Bbc
zM}8SyaI1`5o3Hn=gK~dij~yq2v7>PXETRIqq!En36W>+P9az*N;)5;FK054lzkPPH
zcY4hR*Orc{l5us$Y*nZ!(@__9wdDn6|B~BL+;v!B^Cr<A%tOZ-b&(!im(9mvgsY|#
z4dI4!RPSSH<bvyV#mjh^W(ct>(N`)UtH54-56s#rGO&e@Q}~KNY<cNr8n?O<R`Hz0
z1w9pD6oj1ckgHrbR@j#oTzZ0&5jRwv;^>PdQ94MZxA|gP9PSIqe@Ff$9bNNvws)xH
zUYfZ#^MIJly?f4ly_CL`QQoB~o&>3jKAlL=*#tHX$;*%#;^sVnJHGU0={L0dh$?du
z$V*u|2o=sbG6HQV;$?~-5Xh?Gjf~m#{@1wY+1@T!Us<#xZ;2Rn{Y@!B=|jZ;TY#GL
zQet9G=4h_z5?#7$NWf6BJyZ3f$1aFp02S_lpyVtB;|niLX54VbZP`xU1YMSiGnf#!
zBhWBJBLfCg3eCtIG~av^x3Yo4twnBx#0a&E><Z1@4Ne^joS+N^P7<8_aH#Xax|s6v
zl(F~h^x){^%86D^{*Xp9`a61<=;bQtLMx|s5~maABA}<v%pTiQlwtB@+~23YC%vQP
z#NR7t^F!|d+`Ie(6Fzv9ukzn$jFDW@z6LAQ<>6G9&~+z{;Wn%CtG>DYD1(pjqYiYL
oJsf9Rk?Q4-IWqA2mih3}{ZBUT=3UD@m3s}`Yv5i3pOOat4?XSI`2YX_

literal 0
HcmV?d00001

diff --git a/engine/pkg/archive/time_linux.go b/engine/pkg/archive/time_linux.go
new file mode 100644
index 00000000..797143ee
--- /dev/null
+++ b/engine/pkg/archive/time_linux.go
@@ -0,0 +1,16 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"syscall"
+	"time"
+)
+
+func timeToTimespec(time time.Time) (ts syscall.Timespec) {
+	if time.IsZero() {
+		// Return UTIME_OMIT special value
+		ts.Sec = 0
+		ts.Nsec = (1 << 30) - 2
+		return
+	}
+	return syscall.NsecToTimespec(time.UnixNano())
+}
diff --git a/engine/pkg/archive/time_unsupported.go b/engine/pkg/archive/time_unsupported.go
new file mode 100644
index 00000000..f58bf227
--- /dev/null
+++ b/engine/pkg/archive/time_unsupported.go
@@ -0,0 +1,16 @@
+// +build !linux
+
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"syscall"
+	"time"
+)
+
+func timeToTimespec(time time.Time) (ts syscall.Timespec) {
+	nsec := int64(0)
+	if !time.IsZero() {
+		nsec = time.UnixNano()
+	}
+	return syscall.NsecToTimespec(nsec)
+}
diff --git a/engine/pkg/archive/utils_test.go b/engine/pkg/archive/utils_test.go
new file mode 100644
index 00000000..a20f58dd
--- /dev/null
+++ b/engine/pkg/archive/utils_test.go
@@ -0,0 +1,166 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+var testUntarFns = map[string]func(string, io.Reader) error{
+	"untar": func(dest string, r io.Reader) error {
+		return Untar(r, dest, nil)
+	},
+	"applylayer": func(dest string, r io.Reader) error {
+		_, err := ApplyLayer(dest, r)
+		return err
+	},
+}
+
+// testBreakout is a helper function that, within the provided `tmpdir` directory,
+// creates a `victim` folder with a generated `hello` file in it.
+// `untar` extracts to a directory named `dest`, the tar file created from `headers`.
+//
+// Here are the tested scenarios:
+// - removed `victim` folder				(write)
+// - removed files from `victim` folder			(write)
+// - new files in `victim` folder			(write)
+// - modified files in `victim` folder			(write)
+// - file in `dest` with same content as `victim/hello` (read)
+//
+// When using testBreakout make sure you cover one of the scenarios listed above.
+func testBreakout(untarFn string, tmpdir string, headers []*tar.Header) error {
+	tmpdir, err := ioutil.TempDir("", tmpdir)
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(tmpdir)
+
+	dest := filepath.Join(tmpdir, "dest")
+	if err := os.Mkdir(dest, 0755); err != nil {
+		return err
+	}
+
+	victim := filepath.Join(tmpdir, "victim")
+	if err := os.Mkdir(victim, 0755); err != nil {
+		return err
+	}
+	hello := filepath.Join(victim, "hello")
+	helloData, err := time.Now().MarshalText()
+	if err != nil {
+		return err
+	}
+	if err := ioutil.WriteFile(hello, helloData, 0644); err != nil {
+		return err
+	}
+	helloStat, err := os.Stat(hello)
+	if err != nil {
+		return err
+	}
+
+	reader, writer := io.Pipe()
+	go func() {
+		t := tar.NewWriter(writer)
+		for _, hdr := range headers {
+			t.WriteHeader(hdr)
+		}
+		t.Close()
+	}()
+
+	untar := testUntarFns[untarFn]
+	if untar == nil {
+		return fmt.Errorf("could not find untar function %q in testUntarFns", untarFn)
+	}
+	if err := untar(dest, reader); err != nil {
+		if _, ok := err.(breakoutError); !ok {
+			// If untar returns an error unrelated to an archive breakout,
+			// then consider this an unexpected error and abort.
+			return err
+		}
+		// Here, untar detected the breakout.
+		// Let's move on verifying that indeed there was no breakout.
+		fmt.Printf("breakoutError: %v\n", err)
+	}
+
+	// Check victim folder
+	f, err := os.Open(victim)
+	if err != nil {
+		// codepath taken if victim folder was removed
+		return fmt.Errorf("archive breakout: error reading %q: %v", victim, err)
+	}
+	defer f.Close()
+
+	// Check contents of victim folder
+	//
+	// We are only interested in getting 2 files from the victim folder, because if all is well
+	// we expect only one result, the `hello` file. If there is a second result, it cannot
+	// hold the same name `hello` and we assume that a new file got created in the victim folder.
+	// That is enough to detect an archive breakout.
+	names, err := f.Readdirnames(2)
+	if err != nil {
+		// codepath taken if victim is not a folder
+		return fmt.Errorf("archive breakout: error reading directory content of %q: %v", victim, err)
+	}
+	for _, name := range names {
+		if name != "hello" {
+			// codepath taken if new file was created in victim folder
+			return fmt.Errorf("archive breakout: new file %q", name)
+		}
+	}
+
+	// Check victim/hello
+	f, err = os.Open(hello)
+	if err != nil {
+		// codepath taken if read permissions were removed
+		return fmt.Errorf("archive breakout: could not lstat %q: %v", hello, err)
+	}
+	defer f.Close()
+	b, err := ioutil.ReadAll(f)
+	if err != nil {
+		return err
+	}
+	fi, err := f.Stat()
+	if err != nil {
+		return err
+	}
+	if helloStat.IsDir() != fi.IsDir() ||
+		// TODO: cannot check for fi.ModTime() change
+		helloStat.Mode() != fi.Mode() ||
+		helloStat.Size() != fi.Size() ||
+		!bytes.Equal(helloData, b) {
+		// codepath taken if hello has been modified
+		return fmt.Errorf("archive breakout: file %q has been modified. Contents: expected=%q, got=%q. FileInfo: expected=%#v, got=%#v", hello, helloData, b, helloStat, fi)
+	}
+
+	// Check that nothing in dest/ has the same content as victim/hello.
+	// Since victim/hello was generated with time.Now(), it is safe to assume
+	// that any file whose content matches exactly victim/hello, managed somehow
+	// to access victim/hello.
+	return filepath.Walk(dest, func(path string, info os.FileInfo, err error) error {
+		if info.IsDir() {
+			if err != nil {
+				// skip directory if error
+				return filepath.SkipDir
+			}
+			// enter directory
+			return nil
+		}
+		if err != nil {
+			// skip file if error
+			return nil
+		}
+		b, err := ioutil.ReadFile(path)
+		if err != nil {
+			// Houston, we have a problem. Aborting (space)walk.
+			return err
+		}
+		if bytes.Equal(helloData, b) {
+			return fmt.Errorf("archive breakout: file %q has been accessed via %q", hello, path)
+		}
+		return nil
+	})
+}
diff --git a/engine/pkg/archive/whiteouts.go b/engine/pkg/archive/whiteouts.go
new file mode 100644
index 00000000..4c072a87
--- /dev/null
+++ b/engine/pkg/archive/whiteouts.go
@@ -0,0 +1,23 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+// Whiteouts are files with a special meaning for the layered filesystem.
+// Docker uses AUFS whiteout files inside exported archives. In other
+// filesystems these files are generated/handled on tar creation/extraction.
+
+// WhiteoutPrefix prefix means file is a whiteout. If this is followed by a
+// filename this means that file has been removed from the base layer.
+const WhiteoutPrefix = ".wh."
+
+// WhiteoutMetaPrefix prefix means whiteout has a special meaning and is not
+// for removing an actual file. Normally these files are excluded from exported
+// archives.
+const WhiteoutMetaPrefix = WhiteoutPrefix + WhiteoutPrefix
+
+// WhiteoutLinkDir is a directory AUFS uses for storing hardlink links to other
+// layers. Normally these should not go into exported archives and all changed
+// hardlinks should be copied to the top layer.
+const WhiteoutLinkDir = WhiteoutMetaPrefix + "plnk"
+
+// WhiteoutOpaqueDir file means directory has been made opaque - meaning
+// readdir calls to this directory do not follow to lower layers.
+const WhiteoutOpaqueDir = WhiteoutMetaPrefix + ".opq"
diff --git a/engine/pkg/archive/wrap.go b/engine/pkg/archive/wrap.go
new file mode 100644
index 00000000..85435694
--- /dev/null
+++ b/engine/pkg/archive/wrap.go
@@ -0,0 +1,59 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"bytes"
+	"io"
+)
+
+// Generate generates a new archive from the content provided
+// as input.
+//
+// `files` is a sequence of path/content pairs. A new file is
+// added to the archive for each pair.
+// If the last pair is incomplete, the file is created with an
+// empty content. For example:
+//
+// Generate("foo.txt", "hello world", "emptyfile")
+//
+// The above call will return an archive with 2 files:
+//  * ./foo.txt with content "hello world"
+//  * ./empty with empty content
+//
+// FIXME: stream content instead of buffering
+// FIXME: specify permissions and other archive metadata
+func Generate(input ...string) (io.Reader, error) {
+	files := parseStringPairs(input...)
+	buf := new(bytes.Buffer)
+	tw := tar.NewWriter(buf)
+	for _, file := range files {
+		name, content := file[0], file[1]
+		hdr := &tar.Header{
+			Name: name,
+			Size: int64(len(content)),
+		}
+		if err := tw.WriteHeader(hdr); err != nil {
+			return nil, err
+		}
+		if _, err := tw.Write([]byte(content)); err != nil {
+			return nil, err
+		}
+	}
+	if err := tw.Close(); err != nil {
+		return nil, err
+	}
+	return buf, nil
+}
+
+func parseStringPairs(input ...string) (output [][2]string) {
+	output = make([][2]string, 0, len(input)/2+1)
+	for i := 0; i < len(input); i += 2 {
+		var pair [2]string
+		pair[0] = input[i]
+		if i+1 < len(input) {
+			pair[1] = input[i+1]
+		}
+		output = append(output, pair)
+	}
+	return
+}
diff --git a/engine/pkg/archive/wrap_test.go b/engine/pkg/archive/wrap_test.go
new file mode 100644
index 00000000..1faa7aed
--- /dev/null
+++ b/engine/pkg/archive/wrap_test.go
@@ -0,0 +1,92 @@
+package archive // import "github.com/docker/docker/pkg/archive"
+
+import (
+	"archive/tar"
+	"bytes"
+	"io"
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+func TestGenerateEmptyFile(t *testing.T) {
+	archive, err := Generate("emptyFile")
+	assert.NilError(t, err)
+	if archive == nil {
+		t.Fatal("The generated archive should not be nil.")
+	}
+
+	expectedFiles := [][]string{
+		{"emptyFile", ""},
+	}
+
+	tr := tar.NewReader(archive)
+	actualFiles := make([][]string, 0, 10)
+	i := 0
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		assert.NilError(t, err)
+		buf := new(bytes.Buffer)
+		buf.ReadFrom(tr)
+		content := buf.String()
+		actualFiles = append(actualFiles, []string{hdr.Name, content})
+		i++
+	}
+	if len(actualFiles) != len(expectedFiles) {
+		t.Fatalf("Number of expected file %d, got %d.", len(expectedFiles), len(actualFiles))
+	}
+	for i := 0; i < len(expectedFiles); i++ {
+		actual := actualFiles[i]
+		expected := expectedFiles[i]
+		if actual[0] != expected[0] {
+			t.Fatalf("Expected name '%s', Actual name '%s'", expected[0], actual[0])
+		}
+		if actual[1] != expected[1] {
+			t.Fatalf("Expected content '%s', Actual content '%s'", expected[1], actual[1])
+		}
+	}
+}
+
+func TestGenerateWithContent(t *testing.T) {
+	archive, err := Generate("file", "content")
+	assert.NilError(t, err)
+	if archive == nil {
+		t.Fatal("The generated archive should not be nil.")
+	}
+
+	expectedFiles := [][]string{
+		{"file", "content"},
+	}
+
+	tr := tar.NewReader(archive)
+	actualFiles := make([][]string, 0, 10)
+	i := 0
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		assert.NilError(t, err)
+		buf := new(bytes.Buffer)
+		buf.ReadFrom(tr)
+		content := buf.String()
+		actualFiles = append(actualFiles, []string{hdr.Name, content})
+		i++
+	}
+	if len(actualFiles) != len(expectedFiles) {
+		t.Fatalf("Number of expected file %d, got %d.", len(expectedFiles), len(actualFiles))
+	}
+	for i := 0; i < len(expectedFiles); i++ {
+		actual := actualFiles[i]
+		expected := expectedFiles[i]
+		if actual[0] != expected[0] {
+			t.Fatalf("Expected name '%s', Actual name '%s'", expected[0], actual[0])
+		}
+		if actual[1] != expected[1] {
+			t.Fatalf("Expected content '%s', Actual content '%s'", expected[1], actual[1])
+		}
+	}
+}
diff --git a/engine/pkg/authorization/api.go b/engine/pkg/authorization/api.go
new file mode 100644
index 00000000..cc0c12d5
--- /dev/null
+++ b/engine/pkg/authorization/api.go
@@ -0,0 +1,88 @@
+package authorization // import "github.com/docker/docker/pkg/authorization"
+
+import (
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+)
+
+const (
+	// AuthZApiRequest is the url for daemon request authorization
+	AuthZApiRequest = "AuthZPlugin.AuthZReq"
+
+	// AuthZApiResponse is the url for daemon response authorization
+	AuthZApiResponse = "AuthZPlugin.AuthZRes"
+
+	// AuthZApiImplements is the name of the interface all AuthZ plugins implement
+	AuthZApiImplements = "authz"
+)
+
+// PeerCertificate is a wrapper around x509.Certificate which provides a sane
+// encoding/decoding to/from PEM format and JSON.
+type PeerCertificate x509.Certificate
+
+// MarshalJSON returns the JSON encoded pem bytes of a PeerCertificate.
+func (pc *PeerCertificate) MarshalJSON() ([]byte, error) {
+	b := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: pc.Raw})
+	return json.Marshal(b)
+}
+
+// UnmarshalJSON populates a new PeerCertificate struct from JSON data.
+func (pc *PeerCertificate) UnmarshalJSON(b []byte) error {
+	var buf []byte
+	if err := json.Unmarshal(b, &buf); err != nil {
+		return err
+	}
+	derBytes, _ := pem.Decode(buf)
+	c, err := x509.ParseCertificate(derBytes.Bytes)
+	if err != nil {
+		return err
+	}
+	*pc = PeerCertificate(*c)
+	return nil
+}
+
+// Request holds data required for authZ plugins
+type Request struct {
+	// User holds the user extracted by AuthN mechanism
+	User string `json:"User,omitempty"`
+
+	// UserAuthNMethod holds the mechanism used to extract user details (e.g., krb)
+	UserAuthNMethod string `json:"UserAuthNMethod,omitempty"`
+
+	// RequestMethod holds the HTTP method (GET/POST/PUT)
+	RequestMethod string `json:"RequestMethod,omitempty"`
+
+	// RequestUri holds the full HTTP uri (e.g., /v1.21/version)
+	RequestURI string `json:"RequestUri,omitempty"`
+
+	// RequestBody stores the raw request body sent to the docker daemon
+	RequestBody []byte `json:"RequestBody,omitempty"`
+
+	// RequestHeaders stores the raw request headers sent to the docker daemon
+	RequestHeaders map[string]string `json:"RequestHeaders,omitempty"`
+
+	// RequestPeerCertificates stores the request's TLS peer certificates in PEM format
+	RequestPeerCertificates []*PeerCertificate `json:"RequestPeerCertificates,omitempty"`
+
+	// ResponseStatusCode stores the status code returned from docker daemon
+	ResponseStatusCode int `json:"ResponseStatusCode,omitempty"`
+
+	// ResponseBody stores the raw response body sent from docker daemon
+	ResponseBody []byte `json:"ResponseBody,omitempty"`
+
+	// ResponseHeaders stores the response headers sent to the docker daemon
+	ResponseHeaders map[string]string `json:"ResponseHeaders,omitempty"`
+}
+
+// Response represents authZ plugin response
+type Response struct {
+	// Allow indicating whether the user is allowed or not
+	Allow bool `json:"Allow"`
+
+	// Msg stores the authorization message
+	Msg string `json:"Msg,omitempty"`
+
+	// Err stores a message in case there's an error
+	Err string `json:"Err,omitempty"`
+}
diff --git a/engine/pkg/authorization/api_test.go b/engine/pkg/authorization/api_test.go
new file mode 100644
index 00000000..ff364fd0
--- /dev/null
+++ b/engine/pkg/authorization/api_test.go
@@ -0,0 +1,76 @@
+package authorization // import "github.com/docker/docker/pkg/authorization"
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"math/big"
+	"net/http"
+	"testing"
+	"time"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestPeerCertificateMarshalJSON(t *testing.T) {
+	template := &x509.Certificate{
+		IsCA: true,
+		BasicConstraintsValid: true,
+		SubjectKeyId:          []byte{1, 2, 3},
+		SerialNumber:          big.NewInt(1234),
+		Subject: pkix.Name{
+			Country:      []string{"Earth"},
+			Organization: []string{"Mother Nature"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().AddDate(5, 5, 5),
+
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+	}
+	// generate private key
+	privatekey, err := rsa.GenerateKey(rand.Reader, 2048)
+	assert.NilError(t, err)
+	publickey := &privatekey.PublicKey
+
+	// create a self-signed certificate. template = parent
+	var parent = template
+	raw, err := x509.CreateCertificate(rand.Reader, template, parent, publickey, privatekey)
+	assert.NilError(t, err)
+
+	cert, err := x509.ParseCertificate(raw)
+	assert.NilError(t, err)
+
+	var certs = []*x509.Certificate{cert}
+	addr := "www.authz.com/auth"
+	req, err := http.NewRequest("GET", addr, nil)
+	assert.NilError(t, err)
+
+	req.RequestURI = addr
+	req.TLS = &tls.ConnectionState{}
+	req.TLS.PeerCertificates = certs
+	req.Header.Add("header", "value")
+
+	for _, c := range req.TLS.PeerCertificates {
+		pcObj := PeerCertificate(*c)
+
+		t.Run("Marshalling :", func(t *testing.T) {
+			raw, err = pcObj.MarshalJSON()
+			assert.Assert(t, raw != nil)
+			assert.NilError(t, err)
+		})
+
+		t.Run("UnMarshalling :", func(t *testing.T) {
+			err := pcObj.UnmarshalJSON(raw)
+			assert.Assert(t, is.Nil(err))
+			assert.Equal(t, "Earth", pcObj.Subject.Country[0])
+			assert.Equal(t, true, pcObj.IsCA)
+
+		})
+
+	}
+
+}
diff --git a/engine/pkg/authorization/authz.go b/engine/pkg/authorization/authz.go
new file mode 100644
index 00000000..a1edbcd8
--- /dev/null
+++ b/engine/pkg/authorization/authz.go
@@ -0,0 +1,189 @@
+package authorization // import "github.com/docker/docker/pkg/authorization"
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"mime"
+	"net/http"
+	"strings"
+
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/sirupsen/logrus"
+)
+
+const maxBodySize = 1048576 // 1MB
+
+// NewCtx creates new authZ context, it is used to store authorization information related to a specific docker
+// REST http session
+// A context provides two method:
+// Authenticate Request:
+// Call authZ plugins with current REST request and AuthN response
+// Request contains full HTTP packet sent to the docker daemon
+// https://docs.docker.com/engine/reference/api/
+//
+// Authenticate Response:
+// Call authZ plugins with full info about current REST request, REST response and AuthN response
+// The response from this method may contains content that overrides the daemon response
+// This allows authZ plugins to filter privileged content
+//
+// If multiple authZ plugins are specified, the block/allow decision is based on ANDing all plugin results
+// For response manipulation, the response from each plugin is piped between plugins. Plugin execution order
+// is determined according to daemon parameters
+func NewCtx(authZPlugins []Plugin, user, userAuthNMethod, requestMethod, requestURI string) *Ctx {
+	return &Ctx{
+		plugins:         authZPlugins,
+		user:            user,
+		userAuthNMethod: userAuthNMethod,
+		requestMethod:   requestMethod,
+		requestURI:      requestURI,
+	}
+}
+
+// Ctx stores a single request-response interaction context
+type Ctx struct {
+	user            string
+	userAuthNMethod string
+	requestMethod   string
+	requestURI      string
+	plugins         []Plugin
+	// authReq stores the cached request object for the current transaction
+	authReq *Request
+}
+
+// AuthZRequest authorized the request to the docker daemon using authZ plugins
+func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
+	var body []byte
+	if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
+		var err error
+		body, r.Body, err = drainBody(r.Body)
+		if err != nil {
+			return err
+		}
+	}
+
+	var h bytes.Buffer
+	if err := r.Header.Write(&h); err != nil {
+		return err
+	}
+
+	ctx.authReq = &Request{
+		User:            ctx.user,
+		UserAuthNMethod: ctx.userAuthNMethod,
+		RequestMethod:   ctx.requestMethod,
+		RequestURI:      ctx.requestURI,
+		RequestBody:     body,
+		RequestHeaders:  headers(r.Header),
+	}
+
+	if r.TLS != nil {
+		for _, c := range r.TLS.PeerCertificates {
+			pc := PeerCertificate(*c)
+			ctx.authReq.RequestPeerCertificates = append(ctx.authReq.RequestPeerCertificates, &pc)
+		}
+	}
+
+	for _, plugin := range ctx.plugins {
+		logrus.Debugf("AuthZ request using plugin %s", plugin.Name())
+
+		authRes, err := plugin.AuthZRequest(ctx.authReq)
+		if err != nil {
+			return fmt.Errorf("plugin %s failed with error: %s", plugin.Name(), err)
+		}
+
+		if !authRes.Allow {
+			return newAuthorizationError(plugin.Name(), authRes.Msg)
+		}
+	}
+
+	return nil
+}
+
+// AuthZResponse authorized and manipulates the response from docker daemon using authZ plugins
+func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
+	ctx.authReq.ResponseStatusCode = rm.StatusCode()
+	ctx.authReq.ResponseHeaders = headers(rm.Header())
+
+	if sendBody(ctx.requestURI, rm.Header()) {
+		ctx.authReq.ResponseBody = rm.RawBody()
+	}
+
+	for _, plugin := range ctx.plugins {
+		logrus.Debugf("AuthZ response using plugin %s", plugin.Name())
+
+		authRes, err := plugin.AuthZResponse(ctx.authReq)
+		if err != nil {
+			return fmt.Errorf("plugin %s failed with error: %s", plugin.Name(), err)
+		}
+
+		if !authRes.Allow {
+			return newAuthorizationError(plugin.Name(), authRes.Msg)
+		}
+	}
+
+	rm.FlushAll()
+
+	return nil
+}
+
+// drainBody dump the body (if its length is less than 1MB) without modifying the request state
+func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
+	bufReader := bufio.NewReaderSize(body, maxBodySize)
+	newBody := ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() })
+
+	data, err := bufReader.Peek(maxBodySize)
+	// Body size exceeds max body size
+	if err == nil {
+		logrus.Warnf("Request body is larger than: '%d' skipping body", maxBodySize)
+		return nil, newBody, nil
+	}
+	// Body size is less than maximum size
+	if err == io.EOF {
+		return data, newBody, nil
+	}
+	// Unknown error
+	return nil, newBody, err
+}
+
+// sendBody returns true when request/response body should be sent to AuthZPlugin
+func sendBody(url string, header http.Header) bool {
+	// Skip body for auth endpoint
+	if strings.HasSuffix(url, "/auth") {
+		return false
+	}
+
+	// body is sent only for text or json messages
+	contentType, _, err := mime.ParseMediaType(header.Get("Content-Type"))
+	if err != nil {
+		return false
+	}
+
+	return contentType == "application/json"
+}
+
+// headers returns flatten version of the http headers excluding authorization
+func headers(header http.Header) map[string]string {
+	v := make(map[string]string)
+	for k, values := range header {
+		// Skip authorization headers
+		if strings.EqualFold(k, "Authorization") || strings.EqualFold(k, "X-Registry-Config") || strings.EqualFold(k, "X-Registry-Auth") {
+			continue
+		}
+		for _, val := range values {
+			v[k] = val
+		}
+	}
+	return v
+}
+
+// authorizationError represents an authorization deny error
+type authorizationError struct {
+	error
+}
+
+func (authorizationError) Forbidden() {}
+
+func newAuthorizationError(plugin, msg string) authorizationError {
+	return authorizationError{error: fmt.Errorf("authorization denied by plugin %s: %s", plugin, msg)}
+}
diff --git a/engine/pkg/authorization/authz_unix_test.go b/engine/pkg/authorization/authz_unix_test.go
new file mode 100644
index 00000000..cfdb9a00
--- /dev/null
+++ b/engine/pkg/authorization/authz_unix_test.go
@@ -0,0 +1,342 @@
+// +build !windows
+
+// TODO Windows: This uses a Unix socket for testing. This might be possible
+// to port to Windows using a named pipe instead.
+
+package authorization // import "github.com/docker/docker/pkg/authorization"
+
+import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/gorilla/mux"
+)
+
+const (
+	pluginAddress = "authz-test-plugin.sock"
+)
+
+func TestAuthZRequestPluginError(t *testing.T) {
+	server := authZPluginTestServer{t: t}
+	server.start()
+	defer server.stop()
+
+	authZPlugin := createTestPlugin(t)
+
+	request := Request{
+		User:           "user",
+		RequestBody:    []byte("sample body"),
+		RequestURI:     "www.authz.com/auth",
+		RequestMethod:  "GET",
+		RequestHeaders: map[string]string{"header": "value"},
+	}
+	server.replayResponse = Response{
+		Err: "an error",
+	}
+
+	actualResponse, err := authZPlugin.AuthZRequest(&request)
+	if err != nil {
+		t.Fatalf("Failed to authorize request %v", err)
+	}
+
+	if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
+		t.Fatal("Response must be equal")
+	}
+	if !reflect.DeepEqual(request, server.recordedRequest) {
+		t.Fatal("Requests must be equal")
+	}
+}
+
+func TestAuthZRequestPlugin(t *testing.T) {
+	server := authZPluginTestServer{t: t}
+	server.start()
+	defer server.stop()
+
+	authZPlugin := createTestPlugin(t)
+
+	request := Request{
+		User:           "user",
+		RequestBody:    []byte("sample body"),
+		RequestURI:     "www.authz.com/auth",
+		RequestMethod:  "GET",
+		RequestHeaders: map[string]string{"header": "value"},
+	}
+	server.replayResponse = Response{
+		Allow: true,
+		Msg:   "Sample message",
+	}
+
+	actualResponse, err := authZPlugin.AuthZRequest(&request)
+	if err != nil {
+		t.Fatalf("Failed to authorize request %v", err)
+	}
+
+	if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
+		t.Fatal("Response must be equal")
+	}
+	if !reflect.DeepEqual(request, server.recordedRequest) {
+		t.Fatal("Requests must be equal")
+	}
+}
+
+func TestAuthZResponsePlugin(t *testing.T) {
+	server := authZPluginTestServer{t: t}
+	server.start()
+	defer server.stop()
+
+	authZPlugin := createTestPlugin(t)
+
+	request := Request{
+		User:        "user",
+		RequestURI:  "something.com/auth",
+		RequestBody: []byte("sample body"),
+	}
+	server.replayResponse = Response{
+		Allow: true,
+		Msg:   "Sample message",
+	}
+
+	actualResponse, err := authZPlugin.AuthZResponse(&request)
+	if err != nil {
+		t.Fatalf("Failed to authorize request %v", err)
+	}
+
+	if !reflect.DeepEqual(server.replayResponse, *actualResponse) {
+		t.Fatal("Response must be equal")
+	}
+	if !reflect.DeepEqual(request, server.recordedRequest) {
+		t.Fatal("Requests must be equal")
+	}
+}
+
+func TestResponseModifier(t *testing.T) {
+	r := httptest.NewRecorder()
+	m := NewResponseModifier(r)
+	m.Header().Set("h1", "v1")
+	m.Write([]byte("body"))
+	m.WriteHeader(http.StatusInternalServerError)
+
+	m.FlushAll()
+	if r.Header().Get("h1") != "v1" {
+		t.Fatalf("Header value must exists %s", r.Header().Get("h1"))
+	}
+	if !reflect.DeepEqual(r.Body.Bytes(), []byte("body")) {
+		t.Fatalf("Body value must exists %s", r.Body.Bytes())
+	}
+	if r.Code != http.StatusInternalServerError {
+		t.Fatalf("Status code must be correct %d", r.Code)
+	}
+}
+
+func TestDrainBody(t *testing.T) {
+	tests := []struct {
+		length             int // length is the message length send to drainBody
+		expectedBodyLength int // expectedBodyLength is the expected body length after drainBody is called
+	}{
+		{10, 10}, // Small message size
+		{maxBodySize - 1, maxBodySize - 1}, // Max message size
+		{maxBodySize * 2, 0},               // Large message size (skip copying body)
+
+	}
+
+	for _, test := range tests {
+		msg := strings.Repeat("a", test.length)
+		body, closer, err := drainBody(ioutil.NopCloser(bytes.NewReader([]byte(msg))))
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(body) != test.expectedBodyLength {
+			t.Fatalf("Body must be copied, actual length: '%d'", len(body))
+		}
+		if closer == nil {
+			t.Fatal("Closer must not be nil")
+		}
+		modified, err := ioutil.ReadAll(closer)
+		if err != nil {
+			t.Fatalf("Error must not be nil: '%v'", err)
+		}
+		if len(modified) != len(msg) {
+			t.Fatalf("Result should not be truncated. Original length: '%d', new length: '%d'", len(msg), len(modified))
+		}
+	}
+}
+
+func TestSendBody(t *testing.T) {
+	var (
+		url       = "nothing.com"
+		testcases = []struct {
+			contentType string
+			expected    bool
+		}{
+			{
+				contentType: "application/json",
+				expected:    true,
+			},
+			{
+				contentType: "Application/json",
+				expected:    true,
+			},
+			{
+				contentType: "application/JSON",
+				expected:    true,
+			},
+			{
+				contentType: "APPLICATION/JSON",
+				expected:    true,
+			},
+			{
+				contentType: "application/json; charset=utf-8",
+				expected:    true,
+			},
+			{
+				contentType: "application/json;charset=utf-8",
+				expected:    true,
+			},
+			{
+				contentType: "application/json; charset=UTF8",
+				expected:    true,
+			},
+			{
+				contentType: "application/json;charset=UTF8",
+				expected:    true,
+			},
+			{
+				contentType: "text/html",
+				expected:    false,
+			},
+			{
+				contentType: "",
+				expected:    false,
+			},
+		}
+	)
+
+	for _, testcase := range testcases {
+		header := http.Header{}
+		header.Set("Content-Type", testcase.contentType)
+
+		if b := sendBody(url, header); b != testcase.expected {
+			t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
+		}
+	}
+}
+
+func TestResponseModifierOverride(t *testing.T) {
+	r := httptest.NewRecorder()
+	m := NewResponseModifier(r)
+	m.Header().Set("h1", "v1")
+	m.Write([]byte("body"))
+	m.WriteHeader(http.StatusInternalServerError)
+
+	overrideHeader := make(http.Header)
+	overrideHeader.Add("h1", "v2")
+	overrideHeaderBytes, err := json.Marshal(overrideHeader)
+	if err != nil {
+		t.Fatalf("override header failed %v", err)
+	}
+
+	m.OverrideHeader(overrideHeaderBytes)
+	m.OverrideBody([]byte("override body"))
+	m.OverrideStatusCode(http.StatusNotFound)
+	m.FlushAll()
+	if r.Header().Get("h1") != "v2" {
+		t.Fatalf("Header value must exists %s", r.Header().Get("h1"))
+	}
+	if !reflect.DeepEqual(r.Body.Bytes(), []byte("override body")) {
+		t.Fatalf("Body value must exists %s", r.Body.Bytes())
+	}
+	if r.Code != http.StatusNotFound {
+		t.Fatalf("Status code must be correct %d", r.Code)
+	}
+}
+
+// createTestPlugin creates a new sample authorization plugin
+func createTestPlugin(t *testing.T) *authorizationPlugin {
+	pwd, err := os.Getwd()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	client, err := plugins.NewClient("unix:///"+path.Join(pwd, pluginAddress), &tlsconfig.Options{InsecureSkipVerify: true})
+	if err != nil {
+		t.Fatalf("Failed to create client %v", err)
+	}
+
+	return &authorizationPlugin{name: "plugin", plugin: client}
+}
+
+// AuthZPluginTestServer is a simple server that implements the authZ plugin interface
+type authZPluginTestServer struct {
+	listener net.Listener
+	t        *testing.T
+	// request stores the request sent from the daemon to the plugin
+	recordedRequest Request
+	// response stores the response sent from the plugin to the daemon
+	replayResponse Response
+	server         *httptest.Server
+}
+
+// start starts the test server that implements the plugin
+func (t *authZPluginTestServer) start() {
+	r := mux.NewRouter()
+	l, err := net.Listen("unix", pluginAddress)
+	if err != nil {
+		t.t.Fatal(err)
+	}
+	t.listener = l
+	r.HandleFunc("/Plugin.Activate", t.activate)
+	r.HandleFunc("/"+AuthZApiRequest, t.auth)
+	r.HandleFunc("/"+AuthZApiResponse, t.auth)
+	t.server = &httptest.Server{
+		Listener: l,
+		Config: &http.Server{
+			Handler: r,
+			Addr:    pluginAddress,
+		},
+	}
+	t.server.Start()
+}
+
+// stop stops the test server that implements the plugin
+func (t *authZPluginTestServer) stop() {
+	t.server.Close()
+	os.Remove(pluginAddress)
+	if t.listener != nil {
+		t.listener.Close()
+	}
+}
+
+// auth is a used to record/replay the authentication api messages
+func (t *authZPluginTestServer) auth(w http.ResponseWriter, r *http.Request) {
+	t.recordedRequest = Request{}
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		t.t.Fatal(err)
+	}
+	r.Body.Close()
+	json.Unmarshal(body, &t.recordedRequest)
+	b, err := json.Marshal(t.replayResponse)
+	if err != nil {
+		t.t.Fatal(err)
+	}
+	w.Write(b)
+}
+
+func (t *authZPluginTestServer) activate(w http.ResponseWriter, r *http.Request) {
+	b, err := json.Marshal(plugins.Manifest{Implements: []string{AuthZApiImplements}})
+	if err != nil {
+		t.t.Fatal(err)
+	}
+	w.Write(b)
+}
diff --git a/engine/pkg/authorization/middleware.go b/engine/pkg/authorization/middleware.go
new file mode 100644
index 00000000..39c2dce8
--- /dev/null
+++ b/engine/pkg/authorization/middleware.go
@@ -0,0 +1,110 @@
+package authorization // import "github.com/docker/docker/pkg/authorization"
+
+import (
+	"context"
+	"net/http"
+	"sync"
+
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/sirupsen/logrus"
+)
+
+// Middleware uses a list of plugins to
+// handle authorization in the API requests.
+type Middleware struct {
+	mu      sync.Mutex
+	plugins []Plugin
+}
+
+// NewMiddleware creates a new Middleware
+// with a slice of plugins names.
+func NewMiddleware(names []string, pg plugingetter.PluginGetter) *Middleware {
+	SetPluginGetter(pg)
+	return &Middleware{
+		plugins: newPlugins(names),
+	}
+}
+
+func (m *Middleware) getAuthzPlugins() []Plugin {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.plugins
+}
+
+// SetPlugins sets the plugin used for authorization
+func (m *Middleware) SetPlugins(names []string) {
+	m.mu.Lock()
+	m.plugins = newPlugins(names)
+	m.mu.Unlock()
+}
+
+// RemovePlugin removes a single plugin from this authz middleware chain
+func (m *Middleware) RemovePlugin(name string) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	plugins := m.plugins[:0]
+	for _, authPlugin := range m.plugins {
+		if authPlugin.Name() != name {
+			plugins = append(plugins, authPlugin)
+		}
+	}
+	m.plugins = plugins
+}
+
+// WrapHandler returns a new handler function wrapping the previous one in the request chain.
+func (m *Middleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		plugins := m.getAuthzPlugins()
+		if len(plugins) == 0 {
+			return handler(ctx, w, r, vars)
+		}
+
+		user := ""
+		userAuthNMethod := ""
+
+		// Default authorization using existing TLS connection credentials
+		// FIXME: Non trivial authorization mechanisms (such as advanced certificate validations, kerberos support
+		// and ldap) will be extracted using AuthN feature, which is tracked under:
+		// https://github.com/docker/docker/pull/20883
+		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+			user = r.TLS.PeerCertificates[0].Subject.CommonName
+			userAuthNMethod = "TLS"
+		}
+
+		authCtx := NewCtx(plugins, user, userAuthNMethod, r.Method, r.RequestURI)
+
+		if err := authCtx.AuthZRequest(w, r); err != nil {
+			logrus.Errorf("AuthZRequest for %s %s returned error: %s", r.Method, r.RequestURI, err)
+			return err
+		}
+
+		rw := NewResponseModifier(w)
+
+		var errD error
+
+		if errD = handler(ctx, rw, r, vars); errD != nil {
+			logrus.Errorf("Handler for %s %s returned error: %s", r.Method, r.RequestURI, errD)
+		}
+
+		// There's a chance that the authCtx.plugins was updated. One of the reasons
+		// this can happen is when an authzplugin is disabled.
+		plugins = m.getAuthzPlugins()
+		if len(plugins) == 0 {
+			logrus.Debug("There are no authz plugins in the chain")
+			return nil
+		}
+
+		authCtx.plugins = plugins
+
+		if err := authCtx.AuthZResponse(rw, r); errD == nil && err != nil {
+			logrus.Errorf("AuthZResponse for %s %s returned error: %s", r.Method, r.RequestURI, err)
+			return err
+		}
+
+		if errD != nil {
+			return errD
+		}
+
+		return nil
+	}
+}
diff --git a/engine/pkg/authorization/middleware_test.go b/engine/pkg/authorization/middleware_test.go
new file mode 100644
index 00000000..6afafe08
--- /dev/null
+++ b/engine/pkg/authorization/middleware_test.go
@@ -0,0 +1,53 @@
+package authorization // import "github.com/docker/docker/pkg/authorization"
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/pkg/plugingetter"
+	"gotest.tools/assert"
+)
+
+func TestMiddleware(t *testing.T) {
+	pluginNames := []string{"testPlugin1", "testPlugin2"}
+	var pluginGetter plugingetter.PluginGetter
+	m := NewMiddleware(pluginNames, pluginGetter)
+	authPlugins := m.getAuthzPlugins()
+	assert.Equal(t, 2, len(authPlugins))
+	assert.Equal(t, pluginNames[0], authPlugins[0].Name())
+	assert.Equal(t, pluginNames[1], authPlugins[1].Name())
+}
+
+func TestNewResponseModifier(t *testing.T) {
+	recorder := httptest.NewRecorder()
+	modifier := NewResponseModifier(recorder)
+	modifier.Header().Set("H1", "V1")
+	modifier.Write([]byte("body"))
+	assert.Assert(t, !modifier.Hijacked())
+	modifier.WriteHeader(http.StatusInternalServerError)
+	assert.Assert(t, modifier.RawBody() != nil)
+
+	raw, err := modifier.RawHeaders()
+	assert.Assert(t, raw != nil)
+	assert.NilError(t, err)
+
+	headerData := strings.Split(strings.TrimSpace(string(raw)), ":")
+	assert.Equal(t, "H1", strings.TrimSpace(headerData[0]))
+	assert.Equal(t, "V1", strings.TrimSpace(headerData[1]))
+
+	modifier.Flush()
+	modifier.FlushAll()
+
+	if recorder.Header().Get("H1") != "V1" {
+		t.Fatalf("Header value must exists %s", recorder.Header().Get("H1"))
+	}
+
+}
+
+func setAuthzPlugins(m *Middleware, plugins []Plugin) {
+	m.mu.Lock()
+	m.plugins = plugins
+	m.mu.Unlock()
+}
diff --git a/engine/pkg/authorization/middleware_unix_test.go b/engine/pkg/authorization/middleware_unix_test.go
new file mode 100644
index 00000000..450e7fbb
--- /dev/null
+++ b/engine/pkg/authorization/middleware_unix_test.go
@@ -0,0 +1,66 @@
+// +build !windows
+
+package authorization // import "github.com/docker/docker/pkg/authorization"
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/docker/docker/pkg/plugingetter"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestMiddlewareWrapHandler(t *testing.T) {
+	server := authZPluginTestServer{t: t}
+	server.start()
+	defer server.stop()
+
+	authZPlugin := createTestPlugin(t)
+	pluginNames := []string{authZPlugin.name}
+
+	var pluginGetter plugingetter.PluginGetter
+	middleWare := NewMiddleware(pluginNames, pluginGetter)
+	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+		return nil
+	}
+
+	authList := []Plugin{authZPlugin}
+	middleWare.SetPlugins([]string{"My Test Plugin"})
+	setAuthzPlugins(middleWare, authList)
+	mdHandler := middleWare.WrapHandler(handler)
+	assert.Assert(t, mdHandler != nil)
+
+	addr := "www.example.com/auth"
+	req, _ := http.NewRequest("GET", addr, nil)
+	req.RequestURI = addr
+	req.Header.Add("header", "value")
+
+	resp := httptest.NewRecorder()
+	ctx := context.Background()
+
+	t.Run("Error Test Case :", func(t *testing.T) {
+		server.replayResponse = Response{
+			Allow: false,
+			Msg:   "Server Auth Not Allowed",
+		}
+		if err := mdHandler(ctx, resp, req, map[string]string{}); err == nil {
+			assert.Assert(t, is.ErrorContains(err, ""))
+		}
+
+	})
+
+	t.Run("Positive Test Case :", func(t *testing.T) {
+		server.replayResponse = Response{
+			Allow: true,
+			Msg:   "Server Auth Allowed",
+		}
+		if err := mdHandler(ctx, resp, req, map[string]string{}); err != nil {
+			assert.NilError(t, err)
+		}
+
+	})
+
+}
diff --git a/engine/pkg/authorization/plugin.go b/engine/pkg/authorization/plugin.go
new file mode 100644
index 00000000..3316fd87
--- /dev/null
+++ b/engine/pkg/authorization/plugin.go
@@ -0,0 +1,118 @@
+package authorization // import "github.com/docker/docker/pkg/authorization"
+
+import (
+	"sync"
+
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/plugins"
+)
+
+// Plugin allows third party plugins to authorize requests and responses
+// in the context of docker API
+type Plugin interface {
+	// Name returns the registered plugin name
+	Name() string
+
+	// AuthZRequest authorizes the request from the client to the daemon
+	AuthZRequest(*Request) (*Response, error)
+
+	// AuthZResponse authorizes the response from the daemon to the client
+	AuthZResponse(*Request) (*Response, error)
+}
+
+// newPlugins constructs and initializes the authorization plugins based on plugin names
+func newPlugins(names []string) []Plugin {
+	plugins := []Plugin{}
+	pluginsMap := make(map[string]struct{})
+	for _, name := range names {
+		if _, ok := pluginsMap[name]; ok {
+			continue
+		}
+		pluginsMap[name] = struct{}{}
+		plugins = append(plugins, newAuthorizationPlugin(name))
+	}
+	return plugins
+}
+
+var getter plugingetter.PluginGetter
+
+// SetPluginGetter sets the plugingetter
+func SetPluginGetter(pg plugingetter.PluginGetter) {
+	getter = pg
+}
+
+// GetPluginGetter gets the plugingetter
+func GetPluginGetter() plugingetter.PluginGetter {
+	return getter
+}
+
+// authorizationPlugin is an internal adapter to docker plugin system
+type authorizationPlugin struct {
+	initErr error
+	plugin  *plugins.Client
+	name    string
+	once    sync.Once
+}
+
+func newAuthorizationPlugin(name string) Plugin {
+	return &authorizationPlugin{name: name}
+}
+
+func (a *authorizationPlugin) Name() string {
+	return a.name
+}
+
+// Set the remote for an authz pluginv2
+func (a *authorizationPlugin) SetName(remote string) {
+	a.name = remote
+}
+
+func (a *authorizationPlugin) AuthZRequest(authReq *Request) (*Response, error) {
+	if err := a.initPlugin(); err != nil {
+		return nil, err
+	}
+
+	authRes := &Response{}
+	if err := a.plugin.Call(AuthZApiRequest, authReq, authRes); err != nil {
+		return nil, err
+	}
+
+	return authRes, nil
+}
+
+func (a *authorizationPlugin) AuthZResponse(authReq *Request) (*Response, error) {
+	if err := a.initPlugin(); err != nil {
+		return nil, err
+	}
+
+	authRes := &Response{}
+	if err := a.plugin.Call(AuthZApiResponse, authReq, authRes); err != nil {
+		return nil, err
+	}
+
+	return authRes, nil
+}
+
+// initPlugin initializes the authorization plugin if needed
+func (a *authorizationPlugin) initPlugin() error {
+	// Lazy loading of plugins
+	a.once.Do(func() {
+		if a.plugin == nil {
+			var plugin plugingetter.CompatPlugin
+			var e error
+
+			if pg := GetPluginGetter(); pg != nil {
+				plugin, e = pg.Get(a.name, AuthZApiImplements, plugingetter.Lookup)
+				a.SetName(plugin.Name())
+			} else {
+				plugin, e = plugins.Get(a.name, AuthZApiImplements)
+			}
+			if e != nil {
+				a.initErr = e
+				return
+			}
+			a.plugin = plugin.Client()
+		}
+	})
+	return a.initErr
+}
diff --git a/engine/pkg/authorization/response.go b/engine/pkg/authorization/response.go
new file mode 100644
index 00000000..6b674bc2
--- /dev/null
+++ b/engine/pkg/authorization/response.go
@@ -0,0 +1,210 @@
+package authorization // import "github.com/docker/docker/pkg/authorization"
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+
+	"github.com/sirupsen/logrus"
+)
+
+// ResponseModifier allows authorization plugins to read and modify the content of the http.response
+type ResponseModifier interface {
+	http.ResponseWriter
+	http.Flusher
+	http.CloseNotifier
+
+	// RawBody returns the current http content
+	RawBody() []byte
+
+	// RawHeaders returns the current content of the http headers
+	RawHeaders() ([]byte, error)
+
+	// StatusCode returns the current status code
+	StatusCode() int
+
+	// OverrideBody replaces the body of the HTTP reply
+	OverrideBody(b []byte)
+
+	// OverrideHeader replaces the headers of the HTTP reply
+	OverrideHeader(b []byte) error
+
+	// OverrideStatusCode replaces the status code of the HTTP reply
+	OverrideStatusCode(statusCode int)
+
+	// FlushAll flushes all data to the HTTP response
+	FlushAll() error
+
+	// Hijacked indicates the response has been hijacked by the Docker daemon
+	Hijacked() bool
+}
+
+// NewResponseModifier creates a wrapper to an http.ResponseWriter to allow inspecting and modifying the content
+func NewResponseModifier(rw http.ResponseWriter) ResponseModifier {
+	return &responseModifier{rw: rw, header: make(http.Header)}
+}
+
+const maxBufferSize = 64 * 1024
+
+// responseModifier is used as an adapter to http.ResponseWriter in order to manipulate and explore
+// the http request/response from docker daemon
+type responseModifier struct {
+	// The original response writer
+	rw http.ResponseWriter
+	// body holds the response body
+	body []byte
+	// header holds the response header
+	header http.Header
+	// statusCode holds the response status code
+	statusCode int
+	// hijacked indicates the request has been hijacked
+	hijacked bool
+}
+
+func (rm *responseModifier) Hijacked() bool {
+	return rm.hijacked
+}
+
+// WriterHeader stores the http status code
+func (rm *responseModifier) WriteHeader(s int) {
+
+	// Use original request if hijacked
+	if rm.hijacked {
+		rm.rw.WriteHeader(s)
+		return
+	}
+
+	rm.statusCode = s
+}
+
+// Header returns the internal http header
+func (rm *responseModifier) Header() http.Header {
+
+	// Use original header if hijacked
+	if rm.hijacked {
+		return rm.rw.Header()
+	}
+
+	return rm.header
+}
+
+// StatusCode returns the http status code
+func (rm *responseModifier) StatusCode() int {
+	return rm.statusCode
+}
+
+// OverrideBody replaces the body of the HTTP response
+func (rm *responseModifier) OverrideBody(b []byte) {
+	rm.body = b
+}
+
+// OverrideStatusCode replaces the status code of the HTTP response
+func (rm *responseModifier) OverrideStatusCode(statusCode int) {
+	rm.statusCode = statusCode
+}
+
+// OverrideHeader replaces the headers of the HTTP response
+func (rm *responseModifier) OverrideHeader(b []byte) error {
+	header := http.Header{}
+	if err := json.Unmarshal(b, &header); err != nil {
+		return err
+	}
+	rm.header = header
+	return nil
+}
+
+// Write stores the byte array inside content
+func (rm *responseModifier) Write(b []byte) (int, error) {
+	if rm.hijacked {
+		return rm.rw.Write(b)
+	}
+
+	if len(rm.body)+len(b) > maxBufferSize {
+		rm.Flush()
+	}
+	rm.body = append(rm.body, b...)
+	return len(b), nil
+}
+
+// Body returns the response body
+func (rm *responseModifier) RawBody() []byte {
+	return rm.body
+}
+
+func (rm *responseModifier) RawHeaders() ([]byte, error) {
+	var b bytes.Buffer
+	if err := rm.header.Write(&b); err != nil {
+		return nil, err
+	}
+	return b.Bytes(), nil
+}
+
+// Hijack returns the internal connection of the wrapped http.ResponseWriter
+func (rm *responseModifier) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+
+	rm.hijacked = true
+	rm.FlushAll()
+
+	hijacker, ok := rm.rw.(http.Hijacker)
+	if !ok {
+		return nil, nil, fmt.Errorf("Internal response writer doesn't support the Hijacker interface")
+	}
+	return hijacker.Hijack()
+}
+
+// CloseNotify uses the internal close notify API of the wrapped http.ResponseWriter
+func (rm *responseModifier) CloseNotify() <-chan bool {
+	closeNotifier, ok := rm.rw.(http.CloseNotifier)
+	if !ok {
+		logrus.Error("Internal response writer doesn't support the CloseNotifier interface")
+		return nil
+	}
+	return closeNotifier.CloseNotify()
+}
+
+// Flush uses the internal flush API of the wrapped http.ResponseWriter
+func (rm *responseModifier) Flush() {
+	flusher, ok := rm.rw.(http.Flusher)
+	if !ok {
+		logrus.Error("Internal response writer doesn't support the Flusher interface")
+		return
+	}
+
+	rm.FlushAll()
+	flusher.Flush()
+}
+
+// FlushAll flushes all data to the HTTP response
+func (rm *responseModifier) FlushAll() error {
+	// Copy the header
+	for k, vv := range rm.header {
+		for _, v := range vv {
+			rm.rw.Header().Add(k, v)
+		}
+	}
+
+	// Copy the status code
+	// Also WriteHeader needs to be done after all the headers
+	// have been copied (above).
+	if rm.statusCode > 0 {
+		rm.rw.WriteHeader(rm.statusCode)
+	}
+
+	var err error
+	if len(rm.body) > 0 {
+		// Write body
+		var n int
+		n, err = rm.rw.Write(rm.body)
+		// TODO(@cpuguy83): there is now a relatively small buffer limit, instead of discarding our buffer here and
+		// allocating again later this should just keep using the same buffer and track the buffer position (like a bytes.Buffer with a fixed size)
+		rm.body = rm.body[n:]
+	}
+
+	// Clean previous data
+	rm.statusCode = 0
+	rm.header = http.Header{}
+	return err
+}
diff --git a/engine/pkg/broadcaster/unbuffered.go b/engine/pkg/broadcaster/unbuffered.go
new file mode 100644
index 00000000..6bb28512
--- /dev/null
+++ b/engine/pkg/broadcaster/unbuffered.go
@@ -0,0 +1,49 @@
+package broadcaster // import "github.com/docker/docker/pkg/broadcaster"
+
+import (
+	"io"
+	"sync"
+)
+
+// Unbuffered accumulates multiple io.WriteCloser by stream.
+type Unbuffered struct {
+	mu      sync.Mutex
+	writers []io.WriteCloser
+}
+
+// Add adds new io.WriteCloser.
+func (w *Unbuffered) Add(writer io.WriteCloser) {
+	w.mu.Lock()
+	w.writers = append(w.writers, writer)
+	w.mu.Unlock()
+}
+
+// Write writes bytes to all writers. Failed writers will be evicted during
+// this call.
+func (w *Unbuffered) Write(p []byte) (n int, err error) {
+	w.mu.Lock()
+	var evict []int
+	for i, sw := range w.writers {
+		if n, err := sw.Write(p); err != nil || n != len(p) {
+			// On error, evict the writer
+			evict = append(evict, i)
+		}
+	}
+	for n, i := range evict {
+		w.writers = append(w.writers[:i-n], w.writers[i-n+1:]...)
+	}
+	w.mu.Unlock()
+	return len(p), nil
+}
+
+// Clean closes and removes all writers. Last non-eol-terminated part of data
+// will be saved.
+func (w *Unbuffered) Clean() error {
+	w.mu.Lock()
+	for _, sw := range w.writers {
+		sw.Close()
+	}
+	w.writers = nil
+	w.mu.Unlock()
+	return nil
+}
diff --git a/engine/pkg/broadcaster/unbuffered_test.go b/engine/pkg/broadcaster/unbuffered_test.go
new file mode 100644
index 00000000..c510584a
--- /dev/null
+++ b/engine/pkg/broadcaster/unbuffered_test.go
@@ -0,0 +1,161 @@
+package broadcaster // import "github.com/docker/docker/pkg/broadcaster"
+
+import (
+	"bytes"
+	"errors"
+	"strings"
+	"testing"
+)
+
+type dummyWriter struct {
+	buffer      bytes.Buffer
+	failOnWrite bool
+}
+
+func (dw *dummyWriter) Write(p []byte) (n int, err error) {
+	if dw.failOnWrite {
+		return 0, errors.New("Fake fail")
+	}
+	return dw.buffer.Write(p)
+}
+
+func (dw *dummyWriter) String() string {
+	return dw.buffer.String()
+}
+
+func (dw *dummyWriter) Close() error {
+	return nil
+}
+
+func TestUnbuffered(t *testing.T) {
+	writer := new(Unbuffered)
+
+	// Test 1: Both bufferA and bufferB should contain "foo"
+	bufferA := &dummyWriter{}
+	writer.Add(bufferA)
+	bufferB := &dummyWriter{}
+	writer.Add(bufferB)
+	writer.Write([]byte("foo"))
+
+	if bufferA.String() != "foo" {
+		t.Errorf("Buffer contains %v", bufferA.String())
+	}
+
+	if bufferB.String() != "foo" {
+		t.Errorf("Buffer contains %v", bufferB.String())
+	}
+
+	// Test2: bufferA and bufferB should contain "foobar",
+	// while bufferC should only contain "bar"
+	bufferC := &dummyWriter{}
+	writer.Add(bufferC)
+	writer.Write([]byte("bar"))
+
+	if bufferA.String() != "foobar" {
+		t.Errorf("Buffer contains %v", bufferA.String())
+	}
+
+	if bufferB.String() != "foobar" {
+		t.Errorf("Buffer contains %v", bufferB.String())
+	}
+
+	if bufferC.String() != "bar" {
+		t.Errorf("Buffer contains %v", bufferC.String())
+	}
+
+	// Test3: Test eviction on failure
+	bufferA.failOnWrite = true
+	writer.Write([]byte("fail"))
+	if bufferA.String() != "foobar" {
+		t.Errorf("Buffer contains %v", bufferA.String())
+	}
+	if bufferC.String() != "barfail" {
+		t.Errorf("Buffer contains %v", bufferC.String())
+	}
+	// Even though we reset the flag, no more writes should go in there
+	bufferA.failOnWrite = false
+	writer.Write([]byte("test"))
+	if bufferA.String() != "foobar" {
+		t.Errorf("Buffer contains %v", bufferA.String())
+	}
+	if bufferC.String() != "barfailtest" {
+		t.Errorf("Buffer contains %v", bufferC.String())
+	}
+
+	// Test4: Test eviction on multiple simultaneous failures
+	bufferB.failOnWrite = true
+	bufferC.failOnWrite = true
+	bufferD := &dummyWriter{}
+	writer.Add(bufferD)
+	writer.Write([]byte("yo"))
+	writer.Write([]byte("ink"))
+	if strings.Contains(bufferB.String(), "yoink") {
+		t.Errorf("bufferB received write. contents: %q", bufferB)
+	}
+	if strings.Contains(bufferC.String(), "yoink") {
+		t.Errorf("bufferC received write. contents: %q", bufferC)
+	}
+	if g, w := bufferD.String(), "yoink"; g != w {
+		t.Errorf("bufferD = %q, want %q", g, w)
+	}
+
+	writer.Clean()
+}
+
+type devNullCloser int
+
+func (d devNullCloser) Close() error {
+	return nil
+}
+
+func (d devNullCloser) Write(buf []byte) (int, error) {
+	return len(buf), nil
+}
+
+// This test checks for races. It is only useful when run with the race detector.
+func TestRaceUnbuffered(t *testing.T) {
+	writer := new(Unbuffered)
+	c := make(chan bool)
+	go func() {
+		writer.Add(devNullCloser(0))
+		c <- true
+	}()
+	writer.Write([]byte("hello"))
+	<-c
+}
+
+func BenchmarkUnbuffered(b *testing.B) {
+	writer := new(Unbuffered)
+	setUpWriter := func() {
+		for i := 0; i < 100; i++ {
+			writer.Add(devNullCloser(0))
+			writer.Add(devNullCloser(0))
+			writer.Add(devNullCloser(0))
+		}
+	}
+	testLine := "Line that thinks that it is log line from docker"
+	var buf bytes.Buffer
+	for i := 0; i < 100; i++ {
+		buf.Write([]byte(testLine + "\n"))
+	}
+	// line without eol
+	buf.Write([]byte(testLine))
+	testText := buf.Bytes()
+	b.SetBytes(int64(5 * len(testText)))
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		b.StopTimer()
+		setUpWriter()
+		b.StartTimer()
+
+		for j := 0; j < 5; j++ {
+			if _, err := writer.Write(testText); err != nil {
+				b.Fatal(err)
+			}
+		}
+
+		b.StopTimer()
+		writer.Clean()
+		b.StartTimer()
+	}
+}
diff --git a/engine/pkg/chrootarchive/archive.go b/engine/pkg/chrootarchive/archive.go
new file mode 100644
index 00000000..47c9a2b9
--- /dev/null
+++ b/engine/pkg/chrootarchive/archive.go
@@ -0,0 +1,73 @@
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/idtools"
+)
+
+// NewArchiver returns a new Archiver which uses chrootarchive.Untar
+func NewArchiver(idMappings *idtools.IDMappings) *archive.Archiver {
+	if idMappings == nil {
+		idMappings = &idtools.IDMappings{}
+	}
+	return &archive.Archiver{
+		Untar:         Untar,
+		IDMappingsVar: idMappings,
+	}
+}
+
+// Untar reads a stream of bytes from `archive`, parses it as a tar archive,
+// and unpacks it into the directory at `dest`.
+// The archive may be compressed with one of the following algorithms:
+//  identity (uncompressed), gzip, bzip2, xz.
+func Untar(tarArchive io.Reader, dest string, options *archive.TarOptions) error {
+	return untarHandler(tarArchive, dest, options, true)
+}
+
+// UntarUncompressed reads a stream of bytes from `archive`, parses it as a tar archive,
+// and unpacks it into the directory at `dest`.
+// The archive must be an uncompressed stream.
+func UntarUncompressed(tarArchive io.Reader, dest string, options *archive.TarOptions) error {
+	return untarHandler(tarArchive, dest, options, false)
+}
+
+// Handler for teasing out the automatic decompression
+func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions, decompress bool) error {
+	if tarArchive == nil {
+		return fmt.Errorf("Empty archive")
+	}
+	if options == nil {
+		options = &archive.TarOptions{}
+	}
+	if options.ExcludePatterns == nil {
+		options.ExcludePatterns = []string{}
+	}
+
+	idMappings := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
+	rootIDs := idMappings.RootPair()
+
+	dest = filepath.Clean(dest)
+	if _, err := os.Stat(dest); os.IsNotExist(err) {
+		if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {
+			return err
+		}
+	}
+
+	r := ioutil.NopCloser(tarArchive)
+	if decompress {
+		decompressedArchive, err := archive.DecompressStream(tarArchive)
+		if err != nil {
+			return err
+		}
+		defer decompressedArchive.Close()
+		r = decompressedArchive
+	}
+
+	return invokeUnpack(r, dest, options)
+}
diff --git a/engine/pkg/chrootarchive/archive_test.go b/engine/pkg/chrootarchive/archive_test.go
new file mode 100644
index 00000000..5911a361
--- /dev/null
+++ b/engine/pkg/chrootarchive/archive_test.go
@@ -0,0 +1,413 @@
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+import (
+	"bytes"
+	"fmt"
+	"hash/crc32"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/reexec"
+	"github.com/docker/docker/pkg/system"
+	"gotest.tools/skip"
+)
+
+func init() {
+	reexec.Init()
+}
+
+var chrootArchiver = NewArchiver(nil)
+
+func TarUntar(src, dst string) error {
+	return chrootArchiver.TarUntar(src, dst)
+}
+
+func CopyFileWithTar(src, dst string) (err error) {
+	return chrootArchiver.CopyFileWithTar(src, dst)
+}
+
+func UntarPath(src, dst string) error {
+	return chrootArchiver.UntarPath(src, dst)
+}
+
+func CopyWithTar(src, dst string) error {
+	return chrootArchiver.CopyWithTar(src, dst)
+}
+
+func TestChrootTarUntar(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tmpdir, err := ioutil.TempDir("", "docker-TestChrootTarUntar")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	src := filepath.Join(tmpdir, "src")
+	if err := system.MkdirAll(src, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	if err := ioutil.WriteFile(filepath.Join(src, "toto"), []byte("hello toto"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := ioutil.WriteFile(filepath.Join(src, "lolo"), []byte("hello lolo"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	stream, err := archive.Tar(src, archive.Uncompressed)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dest := filepath.Join(tmpdir, "src")
+	if err := system.MkdirAll(dest, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	if err := Untar(stream, dest, &archive.TarOptions{ExcludePatterns: []string{"lolo"}}); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// gh#10426: Verify the fix for having a huge excludes list (like on `docker load` with large # of
+// local images)
+func TestChrootUntarWithHugeExcludesList(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tmpdir, err := ioutil.TempDir("", "docker-TestChrootUntarHugeExcludes")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	src := filepath.Join(tmpdir, "src")
+	if err := system.MkdirAll(src, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	if err := ioutil.WriteFile(filepath.Join(src, "toto"), []byte("hello toto"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	stream, err := archive.Tar(src, archive.Uncompressed)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dest := filepath.Join(tmpdir, "dest")
+	if err := system.MkdirAll(dest, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	options := &archive.TarOptions{}
+	//65534 entries of 64-byte strings ~= 4MB of environment space which should overflow
+	//on most systems when passed via environment or command line arguments
+	excludes := make([]string, 65534)
+	for i := 0; i < 65534; i++ {
+		excludes[i] = strings.Repeat(string(i), 64)
+	}
+	options.ExcludePatterns = excludes
+	if err := Untar(stream, dest, options); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestChrootUntarEmptyArchive(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "docker-TestChrootUntarEmptyArchive")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	if err := Untar(nil, tmpdir, nil); err == nil {
+		t.Fatal("expected error on empty archive")
+	}
+}
+
+func prepareSourceDirectory(numberOfFiles int, targetPath string, makeSymLinks bool) (int, error) {
+	fileData := []byte("fooo")
+	for n := 0; n < numberOfFiles; n++ {
+		fileName := fmt.Sprintf("file-%d", n)
+		if err := ioutil.WriteFile(filepath.Join(targetPath, fileName), fileData, 0700); err != nil {
+			return 0, err
+		}
+		if makeSymLinks {
+			if err := os.Symlink(filepath.Join(targetPath, fileName), filepath.Join(targetPath, fileName+"-link")); err != nil {
+				return 0, err
+			}
+		}
+	}
+	totalSize := numberOfFiles * len(fileData)
+	return totalSize, nil
+}
+
+func getHash(filename string) (uint32, error) {
+	stream, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return 0, err
+	}
+	hash := crc32.NewIEEE()
+	hash.Write(stream)
+	return hash.Sum32(), nil
+}
+
+func compareDirectories(src string, dest string) error {
+	changes, err := archive.ChangesDirs(dest, src)
+	if err != nil {
+		return err
+	}
+	if len(changes) > 0 {
+		return fmt.Errorf("Unexpected differences after untar: %v", changes)
+	}
+	return nil
+}
+
+func compareFiles(src string, dest string) error {
+	srcHash, err := getHash(src)
+	if err != nil {
+		return err
+	}
+	destHash, err := getHash(dest)
+	if err != nil {
+		return err
+	}
+	if srcHash != destHash {
+		return fmt.Errorf("%s is different from %s", src, dest)
+	}
+	return nil
+}
+
+func TestChrootTarUntarWithSymlink(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows", "FIXME: figure out why this is failing")
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tmpdir, err := ioutil.TempDir("", "docker-TestChrootTarUntarWithSymlink")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	src := filepath.Join(tmpdir, "src")
+	if err := system.MkdirAll(src, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := prepareSourceDirectory(10, src, false); err != nil {
+		t.Fatal(err)
+	}
+	dest := filepath.Join(tmpdir, "dest")
+	if err := TarUntar(src, dest); err != nil {
+		t.Fatal(err)
+	}
+	if err := compareDirectories(src, dest); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestChrootCopyWithTar(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows", "FIXME: figure out why this is failing")
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tmpdir, err := ioutil.TempDir("", "docker-TestChrootCopyWithTar")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	src := filepath.Join(tmpdir, "src")
+	if err := system.MkdirAll(src, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := prepareSourceDirectory(10, src, true); err != nil {
+		t.Fatal(err)
+	}
+
+	// Copy directory
+	dest := filepath.Join(tmpdir, "dest")
+	if err := CopyWithTar(src, dest); err != nil {
+		t.Fatal(err)
+	}
+	if err := compareDirectories(src, dest); err != nil {
+		t.Fatal(err)
+	}
+
+	// Copy file
+	srcfile := filepath.Join(src, "file-1")
+	dest = filepath.Join(tmpdir, "destFile")
+	destfile := filepath.Join(dest, "file-1")
+	if err := CopyWithTar(srcfile, destfile); err != nil {
+		t.Fatal(err)
+	}
+	if err := compareFiles(srcfile, destfile); err != nil {
+		t.Fatal(err)
+	}
+
+	// Copy symbolic link
+	srcLinkfile := filepath.Join(src, "file-1-link")
+	dest = filepath.Join(tmpdir, "destSymlink")
+	destLinkfile := filepath.Join(dest, "file-1-link")
+	if err := CopyWithTar(srcLinkfile, destLinkfile); err != nil {
+		t.Fatal(err)
+	}
+	if err := compareFiles(srcLinkfile, destLinkfile); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestChrootCopyFileWithTar(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tmpdir, err := ioutil.TempDir("", "docker-TestChrootCopyFileWithTar")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	src := filepath.Join(tmpdir, "src")
+	if err := system.MkdirAll(src, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := prepareSourceDirectory(10, src, true); err != nil {
+		t.Fatal(err)
+	}
+
+	// Copy directory
+	dest := filepath.Join(tmpdir, "dest")
+	if err := CopyFileWithTar(src, dest); err == nil {
+		t.Fatal("Expected error on copying directory")
+	}
+
+	// Copy file
+	srcfile := filepath.Join(src, "file-1")
+	dest = filepath.Join(tmpdir, "destFile")
+	destfile := filepath.Join(dest, "file-1")
+	if err := CopyFileWithTar(srcfile, destfile); err != nil {
+		t.Fatal(err)
+	}
+	if err := compareFiles(srcfile, destfile); err != nil {
+		t.Fatal(err)
+	}
+
+	// Copy symbolic link
+	srcLinkfile := filepath.Join(src, "file-1-link")
+	dest = filepath.Join(tmpdir, "destSymlink")
+	destLinkfile := filepath.Join(dest, "file-1-link")
+	if err := CopyFileWithTar(srcLinkfile, destLinkfile); err != nil {
+		t.Fatal(err)
+	}
+	if err := compareFiles(srcLinkfile, destLinkfile); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestChrootUntarPath(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows", "FIXME: figure out why this is failing")
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tmpdir, err := ioutil.TempDir("", "docker-TestChrootUntarPath")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	src := filepath.Join(tmpdir, "src")
+	if err := system.MkdirAll(src, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := prepareSourceDirectory(10, src, false); err != nil {
+		t.Fatal(err)
+	}
+	dest := filepath.Join(tmpdir, "dest")
+	// Untar a directory
+	if err := UntarPath(src, dest); err == nil {
+		t.Fatal("Expected error on untaring a directory")
+	}
+
+	// Untar a tar file
+	stream, err := archive.Tar(src, archive.Uncompressed)
+	if err != nil {
+		t.Fatal(err)
+	}
+	buf := new(bytes.Buffer)
+	buf.ReadFrom(stream)
+	tarfile := filepath.Join(tmpdir, "src.tar")
+	if err := ioutil.WriteFile(tarfile, buf.Bytes(), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := UntarPath(tarfile, dest); err != nil {
+		t.Fatal(err)
+	}
+	if err := compareDirectories(src, dest); err != nil {
+		t.Fatal(err)
+	}
+}
+
+type slowEmptyTarReader struct {
+	size      int
+	offset    int
+	chunkSize int
+}
+
+// Read is a slow reader of an empty tar (like the output of "tar c --files-from /dev/null")
+func (s *slowEmptyTarReader) Read(p []byte) (int, error) {
+	time.Sleep(100 * time.Millisecond)
+	count := s.chunkSize
+	if len(p) < s.chunkSize {
+		count = len(p)
+	}
+	for i := 0; i < count; i++ {
+		p[i] = 0
+	}
+	s.offset += count
+	if s.offset > s.size {
+		return count, io.EOF
+	}
+	return count, nil
+}
+
+func TestChrootUntarEmptyArchiveFromSlowReader(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tmpdir, err := ioutil.TempDir("", "docker-TestChrootUntarEmptyArchiveFromSlowReader")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	dest := filepath.Join(tmpdir, "dest")
+	if err := system.MkdirAll(dest, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	stream := &slowEmptyTarReader{size: 10240, chunkSize: 1024}
+	if err := Untar(stream, dest, nil); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestChrootApplyEmptyArchiveFromSlowReader(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tmpdir, err := ioutil.TempDir("", "docker-TestChrootApplyEmptyArchiveFromSlowReader")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	dest := filepath.Join(tmpdir, "dest")
+	if err := system.MkdirAll(dest, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	stream := &slowEmptyTarReader{size: 10240, chunkSize: 1024}
+	if _, err := ApplyLayer(dest, stream); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestChrootApplyDotDotFile(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	tmpdir, err := ioutil.TempDir("", "docker-TestChrootApplyDotDotFile")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	src := filepath.Join(tmpdir, "src")
+	if err := system.MkdirAll(src, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	if err := ioutil.WriteFile(filepath.Join(src, "..gitme"), []byte(""), 0644); err != nil {
+		t.Fatal(err)
+	}
+	stream, err := archive.Tar(src, archive.Uncompressed)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dest := filepath.Join(tmpdir, "dest")
+	if err := system.MkdirAll(dest, 0700, ""); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := ApplyLayer(dest, stream); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/pkg/chrootarchive/archive_unix.go b/engine/pkg/chrootarchive/archive_unix.go
new file mode 100644
index 00000000..5df8afd6
--- /dev/null
+++ b/engine/pkg/chrootarchive/archive_unix.go
@@ -0,0 +1,88 @@
+// +build !windows
+
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+import (
+	"bytes"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"runtime"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/reexec"
+)
+
+// untar is the entry-point for docker-untar on re-exec. This is not used on
+// Windows as it does not support chroot, hence no point sandboxing through
+// chroot and rexec.
+func untar() {
+	runtime.LockOSThread()
+	flag.Parse()
+
+	var options *archive.TarOptions
+
+	//read the options from the pipe "ExtraFiles"
+	if err := json.NewDecoder(os.NewFile(3, "options")).Decode(&options); err != nil {
+		fatal(err)
+	}
+
+	if err := chroot(flag.Arg(0)); err != nil {
+		fatal(err)
+	}
+
+	if err := archive.Unpack(os.Stdin, "/", options); err != nil {
+		fatal(err)
+	}
+	// fully consume stdin in case it is zero padded
+	if _, err := flush(os.Stdin); err != nil {
+		fatal(err)
+	}
+
+	os.Exit(0)
+}
+
+func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions) error {
+
+	// We can't pass a potentially large exclude list directly via cmd line
+	// because we easily overrun the kernel's max argument/environment size
+	// when the full image list is passed (e.g. when this is used by
+	// `docker load`). We will marshall the options via a pipe to the
+	// child
+	r, w, err := os.Pipe()
+	if err != nil {
+		return fmt.Errorf("Untar pipe failure: %v", err)
+	}
+
+	cmd := reexec.Command("docker-untar", dest)
+	cmd.Stdin = decompressedArchive
+
+	cmd.ExtraFiles = append(cmd.ExtraFiles, r)
+	output := bytes.NewBuffer(nil)
+	cmd.Stdout = output
+	cmd.Stderr = output
+
+	if err := cmd.Start(); err != nil {
+		w.Close()
+		return fmt.Errorf("Untar error on re-exec cmd: %v", err)
+	}
+	//write the options to the pipe for the untar exec to read
+	if err := json.NewEncoder(w).Encode(options); err != nil {
+		w.Close()
+		return fmt.Errorf("Untar json encode to pipe failed: %v", err)
+	}
+	w.Close()
+
+	if err := cmd.Wait(); err != nil {
+		// when `xz -d -c -q | docker-untar ...` failed on docker-untar side,
+		// we need to exhaust `xz`'s output, otherwise the `xz` side will be
+		// pending on write pipe forever
+		io.Copy(ioutil.Discard, decompressedArchive)
+
+		return fmt.Errorf("Error processing tar file(%v): %s", err, output)
+	}
+	return nil
+}
diff --git a/engine/pkg/chrootarchive/archive_windows.go b/engine/pkg/chrootarchive/archive_windows.go
new file mode 100644
index 00000000..f2973132
--- /dev/null
+++ b/engine/pkg/chrootarchive/archive_windows.go
@@ -0,0 +1,22 @@
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+import (
+	"io"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/longpath"
+)
+
+// chroot is not supported by Windows
+func chroot(path string) error {
+	return nil
+}
+
+func invokeUnpack(decompressedArchive io.ReadCloser,
+	dest string,
+	options *archive.TarOptions) error {
+	// Windows is different to Linux here because Windows does not support
+	// chroot. Hence there is no point sandboxing a chrooted process to
+	// do the unpack. We call inline instead within the daemon process.
+	return archive.Unpack(decompressedArchive, longpath.AddPrefix(dest), options)
+}
diff --git a/engine/pkg/chrootarchive/chroot_linux.go b/engine/pkg/chrootarchive/chroot_linux.go
new file mode 100644
index 00000000..9802fad5
--- /dev/null
+++ b/engine/pkg/chrootarchive/chroot_linux.go
@@ -0,0 +1,113 @@
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/pkg/mount"
+	rsystem "github.com/opencontainers/runc/libcontainer/system"
+	"golang.org/x/sys/unix"
+)
+
+// chroot on linux uses pivot_root instead of chroot
+// pivot_root takes a new root and an old root.
+// Old root must be a sub-dir of new root, it is where the current rootfs will reside after the call to pivot_root.
+// New root is where the new rootfs is set to.
+// Old root is removed after the call to pivot_root so it is no longer available under the new root.
+// This is similar to how libcontainer sets up a container's rootfs
+func chroot(path string) (err error) {
+	// if the engine is running in a user namespace we need to use actual chroot
+	if rsystem.RunningInUserNS() {
+		return realChroot(path)
+	}
+	if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
+		return fmt.Errorf("Error creating mount namespace before pivot: %v", err)
+	}
+
+	// Make everything in new ns slave.
+	// Don't use `private` here as this could race where the mountns gets a
+	//   reference to a mount and an unmount from the host does not propagate,
+	//   which could potentially cause transient errors for other operations,
+	//   even though this should be relatively small window here `slave` should
+	//   not cause any problems.
+	if err := mount.MakeRSlave("/"); err != nil {
+		return err
+	}
+
+	if mounted, _ := mount.Mounted(path); !mounted {
+		if err := mount.Mount(path, path, "bind", "rbind,rw"); err != nil {
+			return realChroot(path)
+		}
+	}
+
+	// setup oldRoot for pivot_root
+	pivotDir, err := ioutil.TempDir(path, ".pivot_root")
+	if err != nil {
+		return fmt.Errorf("Error setting up pivot dir: %v", err)
+	}
+
+	var mounted bool
+	defer func() {
+		if mounted {
+			// make sure pivotDir is not mounted before we try to remove it
+			if errCleanup := unix.Unmount(pivotDir, unix.MNT_DETACH); errCleanup != nil {
+				if err == nil {
+					err = errCleanup
+				}
+				return
+			}
+		}
+
+		errCleanup := os.Remove(pivotDir)
+		// pivotDir doesn't exist if pivot_root failed and chroot+chdir was successful
+		// because we already cleaned it up on failed pivot_root
+		if errCleanup != nil && !os.IsNotExist(errCleanup) {
+			errCleanup = fmt.Errorf("Error cleaning up after pivot: %v", errCleanup)
+			if err == nil {
+				err = errCleanup
+			}
+		}
+	}()
+
+	if err := unix.PivotRoot(path, pivotDir); err != nil {
+		// If pivot fails, fall back to the normal chroot after cleaning up temp dir
+		if err := os.Remove(pivotDir); err != nil {
+			return fmt.Errorf("Error cleaning up after failed pivot: %v", err)
+		}
+		return realChroot(path)
+	}
+	mounted = true
+
+	// This is the new path for where the old root (prior to the pivot) has been moved to
+	// This dir contains the rootfs of the caller, which we need to remove so it is not visible during extraction
+	pivotDir = filepath.Join("/", filepath.Base(pivotDir))
+
+	if err := unix.Chdir("/"); err != nil {
+		return fmt.Errorf("Error changing to new root: %v", err)
+	}
+
+	// Make the pivotDir (where the old root lives) private so it can be unmounted without propagating to the host
+	if err := unix.Mount("", pivotDir, "", unix.MS_PRIVATE|unix.MS_REC, ""); err != nil {
+		return fmt.Errorf("Error making old root private after pivot: %v", err)
+	}
+
+	// Now unmount the old root so it's no longer visible from the new root
+	if err := unix.Unmount(pivotDir, unix.MNT_DETACH); err != nil {
+		return fmt.Errorf("Error while unmounting old root after pivot: %v", err)
+	}
+	mounted = false
+
+	return nil
+}
+
+func realChroot(path string) error {
+	if err := unix.Chroot(path); err != nil {
+		return fmt.Errorf("Error after fallback to chroot: %v", err)
+	}
+	if err := unix.Chdir("/"); err != nil {
+		return fmt.Errorf("Error changing to new root after chroot: %v", err)
+	}
+	return nil
+}
diff --git a/engine/pkg/chrootarchive/chroot_unix.go b/engine/pkg/chrootarchive/chroot_unix.go
new file mode 100644
index 00000000..9a1ee587
--- /dev/null
+++ b/engine/pkg/chrootarchive/chroot_unix.go
@@ -0,0 +1,12 @@
+// +build !windows,!linux
+
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+import "golang.org/x/sys/unix"
+
+func chroot(path string) error {
+	if err := unix.Chroot(path); err != nil {
+		return err
+	}
+	return unix.Chdir("/")
+}
diff --git a/engine/pkg/chrootarchive/diff.go b/engine/pkg/chrootarchive/diff.go
new file mode 100644
index 00000000..7712cc17
--- /dev/null
+++ b/engine/pkg/chrootarchive/diff.go
@@ -0,0 +1,23 @@
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+import (
+	"io"
+
+	"github.com/docker/docker/pkg/archive"
+)
+
+// ApplyLayer parses a diff in the standard layer format from `layer`,
+// and applies it to the directory `dest`. The stream `layer` can only be
+// uncompressed.
+// Returns the size in bytes of the contents of the layer.
+func ApplyLayer(dest string, layer io.Reader) (size int64, err error) {
+	return applyLayerHandler(dest, layer, &archive.TarOptions{}, true)
+}
+
+// ApplyUncompressedLayer parses a diff in the standard layer format from
+// `layer`, and applies it to the directory `dest`. The stream `layer`
+// can only be uncompressed.
+// Returns the size in bytes of the contents of the layer.
+func ApplyUncompressedLayer(dest string, layer io.Reader, options *archive.TarOptions) (int64, error) {
+	return applyLayerHandler(dest, layer, options, false)
+}
diff --git a/engine/pkg/chrootarchive/diff_unix.go b/engine/pkg/chrootarchive/diff_unix.go
new file mode 100644
index 00000000..d96a09f8
--- /dev/null
+++ b/engine/pkg/chrootarchive/diff_unix.go
@@ -0,0 +1,130 @@
+//+build !windows
+
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+import (
+	"bytes"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/reexec"
+	"github.com/docker/docker/pkg/system"
+	rsystem "github.com/opencontainers/runc/libcontainer/system"
+)
+
+type applyLayerResponse struct {
+	LayerSize int64 `json:"layerSize"`
+}
+
+// applyLayer is the entry-point for docker-applylayer on re-exec. This is not
+// used on Windows as it does not support chroot, hence no point sandboxing
+// through chroot and rexec.
+func applyLayer() {
+
+	var (
+		tmpDir  string
+		err     error
+		options *archive.TarOptions
+	)
+	runtime.LockOSThread()
+	flag.Parse()
+
+	inUserns := rsystem.RunningInUserNS()
+	if err := chroot(flag.Arg(0)); err != nil {
+		fatal(err)
+	}
+
+	// We need to be able to set any perms
+	oldmask, err := system.Umask(0)
+	defer system.Umask(oldmask)
+	if err != nil {
+		fatal(err)
+	}
+
+	if err := json.Unmarshal([]byte(os.Getenv("OPT")), &options); err != nil {
+		fatal(err)
+	}
+
+	if inUserns {
+		options.InUserNS = true
+	}
+
+	if tmpDir, err = ioutil.TempDir("/", "temp-docker-extract"); err != nil {
+		fatal(err)
+	}
+
+	os.Setenv("TMPDIR", tmpDir)
+	size, err := archive.UnpackLayer("/", os.Stdin, options)
+	os.RemoveAll(tmpDir)
+	if err != nil {
+		fatal(err)
+	}
+
+	encoder := json.NewEncoder(os.Stdout)
+	if err := encoder.Encode(applyLayerResponse{size}); err != nil {
+		fatal(fmt.Errorf("unable to encode layerSize JSON: %s", err))
+	}
+
+	if _, err := flush(os.Stdin); err != nil {
+		fatal(err)
+	}
+
+	os.Exit(0)
+}
+
+// applyLayerHandler parses a diff in the standard layer format from `layer`, and
+// applies it to the directory `dest`. Returns the size in bytes of the
+// contents of the layer.
+func applyLayerHandler(dest string, layer io.Reader, options *archive.TarOptions, decompress bool) (size int64, err error) {
+	dest = filepath.Clean(dest)
+	if decompress {
+		decompressed, err := archive.DecompressStream(layer)
+		if err != nil {
+			return 0, err
+		}
+		defer decompressed.Close()
+
+		layer = decompressed
+	}
+	if options == nil {
+		options = &archive.TarOptions{}
+		if rsystem.RunningInUserNS() {
+			options.InUserNS = true
+		}
+	}
+	if options.ExcludePatterns == nil {
+		options.ExcludePatterns = []string{}
+	}
+
+	data, err := json.Marshal(options)
+	if err != nil {
+		return 0, fmt.Errorf("ApplyLayer json encode: %v", err)
+	}
+
+	cmd := reexec.Command("docker-applyLayer", dest)
+	cmd.Stdin = layer
+	cmd.Env = append(cmd.Env, fmt.Sprintf("OPT=%s", data))
+
+	outBuf, errBuf := new(bytes.Buffer), new(bytes.Buffer)
+	cmd.Stdout, cmd.Stderr = outBuf, errBuf
+
+	if err = cmd.Run(); err != nil {
+		return 0, fmt.Errorf("ApplyLayer %s stdout: %s stderr: %s", err, outBuf, errBuf)
+	}
+
+	// Stdout should be a valid JSON struct representing an applyLayerResponse.
+	response := applyLayerResponse{}
+	decoder := json.NewDecoder(outBuf)
+	if err = decoder.Decode(&response); err != nil {
+		return 0, fmt.Errorf("unable to decode ApplyLayer JSON response: %s", err)
+	}
+
+	return response.LayerSize, nil
+}
diff --git a/engine/pkg/chrootarchive/diff_windows.go b/engine/pkg/chrootarchive/diff_windows.go
new file mode 100644
index 00000000..8f3f3a4a
--- /dev/null
+++ b/engine/pkg/chrootarchive/diff_windows.go
@@ -0,0 +1,45 @@
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/longpath"
+)
+
+// applyLayerHandler parses a diff in the standard layer format from `layer`, and
+// applies it to the directory `dest`. Returns the size in bytes of the
+// contents of the layer.
+func applyLayerHandler(dest string, layer io.Reader, options *archive.TarOptions, decompress bool) (size int64, err error) {
+	dest = filepath.Clean(dest)
+
+	// Ensure it is a Windows-style volume path
+	dest = longpath.AddPrefix(dest)
+
+	if decompress {
+		decompressed, err := archive.DecompressStream(layer)
+		if err != nil {
+			return 0, err
+		}
+		defer decompressed.Close()
+
+		layer = decompressed
+	}
+
+	tmpDir, err := ioutil.TempDir(os.Getenv("temp"), "temp-docker-extract")
+	if err != nil {
+		return 0, fmt.Errorf("ApplyLayer failed to create temp-docker-extract under %s. %s", dest, err)
+	}
+
+	s, err := archive.UnpackLayer(dest, layer, nil)
+	os.RemoveAll(tmpDir)
+	if err != nil {
+		return 0, fmt.Errorf("ApplyLayer %s failed UnpackLayer to %s: %s", layer, dest, err)
+	}
+
+	return s, nil
+}
diff --git a/engine/pkg/chrootarchive/init_unix.go b/engine/pkg/chrootarchive/init_unix.go
new file mode 100644
index 00000000..a15e4bb8
--- /dev/null
+++ b/engine/pkg/chrootarchive/init_unix.go
@@ -0,0 +1,28 @@
+// +build !windows
+
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/docker/docker/pkg/reexec"
+)
+
+func init() {
+	reexec.Register("docker-applyLayer", applyLayer)
+	reexec.Register("docker-untar", untar)
+}
+
+func fatal(err error) {
+	fmt.Fprint(os.Stderr, err)
+	os.Exit(1)
+}
+
+// flush consumes all the bytes from the reader discarding
+// any errors
+func flush(r io.Reader) (bytes int64, err error) {
+	return io.Copy(ioutil.Discard, r)
+}
diff --git a/engine/pkg/chrootarchive/init_windows.go b/engine/pkg/chrootarchive/init_windows.go
new file mode 100644
index 00000000..15ed874e
--- /dev/null
+++ b/engine/pkg/chrootarchive/init_windows.go
@@ -0,0 +1,4 @@
+package chrootarchive // import "github.com/docker/docker/pkg/chrootarchive"
+
+func init() {
+}
diff --git a/engine/pkg/containerfs/archiver.go b/engine/pkg/containerfs/archiver.go
new file mode 100644
index 00000000..1fb7ff7b
--- /dev/null
+++ b/engine/pkg/containerfs/archiver.go
@@ -0,0 +1,203 @@
+package containerfs // import "github.com/docker/docker/pkg/containerfs"
+
+import (
+	"archive/tar"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/system"
+	"github.com/sirupsen/logrus"
+)
+
+// TarFunc provides a function definition for a custom Tar function
+type TarFunc func(string, *archive.TarOptions) (io.ReadCloser, error)
+
+// UntarFunc provides a function definition for a custom Untar function
+type UntarFunc func(io.Reader, string, *archive.TarOptions) error
+
+// Archiver provides a similar implementation of the archive.Archiver package with the rootfs abstraction
+type Archiver struct {
+	SrcDriver     Driver
+	DstDriver     Driver
+	Tar           TarFunc
+	Untar         UntarFunc
+	IDMappingsVar *idtools.IDMappings
+}
+
+// TarUntar is a convenience function which calls Tar and Untar, with the output of one piped into the other.
+// If either Tar or Untar fails, TarUntar aborts and returns the error.
+func (archiver *Archiver) TarUntar(src, dst string) error {
+	logrus.Debugf("TarUntar(%s %s)", src, dst)
+	tarArchive, err := archiver.Tar(src, &archive.TarOptions{Compression: archive.Uncompressed})
+	if err != nil {
+		return err
+	}
+	defer tarArchive.Close()
+	options := &archive.TarOptions{
+		UIDMaps: archiver.IDMappingsVar.UIDs(),
+		GIDMaps: archiver.IDMappingsVar.GIDs(),
+	}
+	return archiver.Untar(tarArchive, dst, options)
+}
+
+// UntarPath untar a file from path to a destination, src is the source tar file path.
+func (archiver *Archiver) UntarPath(src, dst string) error {
+	tarArchive, err := archiver.SrcDriver.Open(src)
+	if err != nil {
+		return err
+	}
+	defer tarArchive.Close()
+	options := &archive.TarOptions{
+		UIDMaps: archiver.IDMappingsVar.UIDs(),
+		GIDMaps: archiver.IDMappingsVar.GIDs(),
+	}
+	return archiver.Untar(tarArchive, dst, options)
+}
+
+// CopyWithTar creates a tar archive of filesystem path `src`, and
+// unpacks it at filesystem path `dst`.
+// The archive is streamed directly with fixed buffering and no
+// intermediary disk IO.
+func (archiver *Archiver) CopyWithTar(src, dst string) error {
+	srcSt, err := archiver.SrcDriver.Stat(src)
+	if err != nil {
+		return err
+	}
+	if !srcSt.IsDir() {
+		return archiver.CopyFileWithTar(src, dst)
+	}
+
+	// if this archiver is set up with ID mapping we need to create
+	// the new destination directory with the remapped root UID/GID pair
+	// as owner
+	rootIDs := archiver.IDMappingsVar.RootPair()
+	// Create dst, copy src's content into it
+	if err := idtools.MkdirAllAndChownNew(dst, 0755, rootIDs); err != nil {
+		return err
+	}
+	logrus.Debugf("Calling TarUntar(%s, %s)", src, dst)
+	return archiver.TarUntar(src, dst)
+}
+
+// CopyFileWithTar emulates the behavior of the 'cp' command-line
+// for a single file. It copies a regular file from path `src` to
+// path `dst`, and preserves all its metadata.
+func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
+	logrus.Debugf("CopyFileWithTar(%s, %s)", src, dst)
+	srcDriver := archiver.SrcDriver
+	dstDriver := archiver.DstDriver
+
+	srcSt, err := srcDriver.Stat(src)
+	if err != nil {
+		return err
+	}
+
+	if srcSt.IsDir() {
+		return fmt.Errorf("Can't copy a directory")
+	}
+
+	// Clean up the trailing slash. This must be done in an operating
+	// system specific manner.
+	if dst[len(dst)-1] == dstDriver.Separator() {
+		dst = dstDriver.Join(dst, srcDriver.Base(src))
+	}
+
+	// The original call was system.MkdirAll, which is just
+	// os.MkdirAll on not-Windows and changed for Windows.
+	if dstDriver.OS() == "windows" {
+		// Now we are WCOW
+		if err := system.MkdirAll(filepath.Dir(dst), 0700, ""); err != nil {
+			return err
+		}
+	} else {
+		// We can just use the driver.MkdirAll function
+		if err := dstDriver.MkdirAll(dstDriver.Dir(dst), 0700); err != nil {
+			return err
+		}
+	}
+
+	r, w := io.Pipe()
+	errC := make(chan error, 1)
+
+	go func() {
+		defer close(errC)
+		errC <- func() error {
+			defer w.Close()
+
+			srcF, err := srcDriver.Open(src)
+			if err != nil {
+				return err
+			}
+			defer srcF.Close()
+
+			hdr, err := tar.FileInfoHeader(srcSt, "")
+			if err != nil {
+				return err
+			}
+			hdr.Format = tar.FormatPAX
+			hdr.ModTime = hdr.ModTime.Truncate(time.Second)
+			hdr.AccessTime = time.Time{}
+			hdr.ChangeTime = time.Time{}
+			hdr.Name = dstDriver.Base(dst)
+			if dstDriver.OS() == "windows" {
+				hdr.Mode = int64(chmodTarEntry(os.FileMode(hdr.Mode)))
+			} else {
+				hdr.Mode = int64(os.FileMode(hdr.Mode))
+			}
+
+			if err := remapIDs(archiver.IDMappingsVar, hdr); err != nil {
+				return err
+			}
+
+			tw := tar.NewWriter(w)
+			defer tw.Close()
+			if err := tw.WriteHeader(hdr); err != nil {
+				return err
+			}
+			if _, err := io.Copy(tw, srcF); err != nil {
+				return err
+			}
+			return nil
+		}()
+	}()
+	defer func() {
+		if er := <-errC; err == nil && er != nil {
+			err = er
+		}
+	}()
+
+	err = archiver.Untar(r, dstDriver.Dir(dst), nil)
+	if err != nil {
+		r.CloseWithError(err)
+	}
+	return err
+}
+
+// IDMappings returns the IDMappings of the archiver.
+func (archiver *Archiver) IDMappings() *idtools.IDMappings {
+	return archiver.IDMappingsVar
+}
+
+func remapIDs(idMappings *idtools.IDMappings, hdr *tar.Header) error {
+	ids, err := idMappings.ToHost(idtools.IDPair{UID: hdr.Uid, GID: hdr.Gid})
+	hdr.Uid, hdr.Gid = ids.UID, ids.GID
+	return err
+}
+
+// chmodTarEntry is used to adjust the file permissions used in tar header based
+// on the platform the archival is done.
+func chmodTarEntry(perm os.FileMode) os.FileMode {
+	//perm &= 0755 // this 0-ed out tar flags (like link, regular file, directory marker etc.)
+	permPart := perm & os.ModePerm
+	noPermPart := perm &^ os.ModePerm
+	// Add the x bit: make everything +x from windows
+	permPart |= 0111
+	permPart &= 0755
+
+	return noPermPart | permPart
+}
diff --git a/engine/pkg/containerfs/containerfs.go b/engine/pkg/containerfs/containerfs.go
new file mode 100644
index 00000000..7bb1d8c3
--- /dev/null
+++ b/engine/pkg/containerfs/containerfs.go
@@ -0,0 +1,87 @@
+package containerfs // import "github.com/docker/docker/pkg/containerfs"
+
+import (
+	"path/filepath"
+	"runtime"
+
+	"github.com/containerd/continuity/driver"
+	"github.com/containerd/continuity/pathdriver"
+	"github.com/docker/docker/pkg/symlink"
+)
+
+// ContainerFS is that represents a root file system
+type ContainerFS interface {
+	// Path returns the path to the root. Note that this may not exist
+	// on the local system, so the continuity operations must be used
+	Path() string
+
+	// ResolveScopedPath evaluates the given path scoped to the root.
+	// For example, if root=/a, and path=/b/c, then this function would return /a/b/c.
+	// If rawPath is true, then the function will not preform any modifications
+	// before path resolution. Otherwise, the function will clean the given path
+	// by making it an absolute path.
+	ResolveScopedPath(path string, rawPath bool) (string, error)
+
+	Driver
+}
+
+// Driver combines both continuity's Driver and PathDriver interfaces with a Platform
+// field to determine the OS.
+type Driver interface {
+	// OS returns the OS where the rootfs is located. Essentially,
+	// runtime.GOOS for everything aside from LCOW, which is "linux"
+	OS() string
+
+	// Architecture returns the hardware architecture where the
+	// container is located.
+	Architecture() string
+
+	// Driver & PathDriver provide methods to manipulate files & paths
+	driver.Driver
+	pathdriver.PathDriver
+}
+
+// NewLocalContainerFS is a helper function to implement daemon's Mount interface
+// when the graphdriver mount point is a local path on the machine.
+func NewLocalContainerFS(path string) ContainerFS {
+	return &local{
+		path:       path,
+		Driver:     driver.LocalDriver,
+		PathDriver: pathdriver.LocalPathDriver,
+	}
+}
+
+// NewLocalDriver provides file and path drivers for a local file system. They are
+// essentially a wrapper around the `os` and `filepath` functions.
+func NewLocalDriver() Driver {
+	return &local{
+		Driver:     driver.LocalDriver,
+		PathDriver: pathdriver.LocalPathDriver,
+	}
+}
+
+type local struct {
+	path string
+	driver.Driver
+	pathdriver.PathDriver
+}
+
+func (l *local) Path() string {
+	return l.path
+}
+
+func (l *local) ResolveScopedPath(path string, rawPath bool) (string, error) {
+	cleanedPath := path
+	if !rawPath {
+		cleanedPath = cleanScopedPath(path)
+	}
+	return symlink.FollowSymlinkInScope(filepath.Join(l.path, cleanedPath), l.path)
+}
+
+func (l *local) OS() string {
+	return runtime.GOOS
+}
+
+func (l *local) Architecture() string {
+	return runtime.GOARCH
+}
diff --git a/engine/pkg/containerfs/containerfs_unix.go b/engine/pkg/containerfs/containerfs_unix.go
new file mode 100644
index 00000000..6a994595
--- /dev/null
+++ b/engine/pkg/containerfs/containerfs_unix.go
@@ -0,0 +1,10 @@
+// +build !windows
+
+package containerfs // import "github.com/docker/docker/pkg/containerfs"
+
+import "path/filepath"
+
+// cleanScopedPath preappends a to combine with a mnt path.
+func cleanScopedPath(path string) string {
+	return filepath.Join(string(filepath.Separator), path)
+}
diff --git a/engine/pkg/containerfs/containerfs_windows.go b/engine/pkg/containerfs/containerfs_windows.go
new file mode 100644
index 00000000..9fb70846
--- /dev/null
+++ b/engine/pkg/containerfs/containerfs_windows.go
@@ -0,0 +1,15 @@
+package containerfs // import "github.com/docker/docker/pkg/containerfs"
+
+import "path/filepath"
+
+// cleanScopedPath removes the C:\ syntax, and prepares to combine
+// with a volume path
+func cleanScopedPath(path string) string {
+	if len(path) >= 2 {
+		c := path[0]
+		if path[1] == ':' && ('a' <= c && c <= 'z' || 'A' <= c && c <= 'Z') {
+			path = path[2:]
+		}
+	}
+	return filepath.Join(string(filepath.Separator), path)
+}
diff --git a/engine/pkg/devicemapper/devmapper.go b/engine/pkg/devicemapper/devmapper.go
new file mode 100644
index 00000000..63243637
--- /dev/null
+++ b/engine/pkg/devicemapper/devmapper.go
@@ -0,0 +1,826 @@
+// +build linux,cgo
+
+package devicemapper // import "github.com/docker/docker/pkg/devicemapper"
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"runtime"
+	"unsafe"
+
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// Same as DM_DEVICE_* enum values from libdevmapper.h
+// nolint: deadcode
+const (
+	deviceCreate TaskType = iota
+	deviceReload
+	deviceRemove
+	deviceRemoveAll
+	deviceSuspend
+	deviceResume
+	deviceInfo
+	deviceDeps
+	deviceRename
+	deviceVersion
+	deviceStatus
+	deviceTable
+	deviceWaitevent
+	deviceList
+	deviceClear
+	deviceMknodes
+	deviceListVersions
+	deviceTargetMsg
+	deviceSetGeometry
+)
+
+const (
+	addNodeOnResume AddNodeType = iota
+	addNodeOnCreate
+)
+
+// List of errors returned when using devicemapper.
+var (
+	ErrTaskRun              = errors.New("dm_task_run failed")
+	ErrTaskSetName          = errors.New("dm_task_set_name failed")
+	ErrTaskSetMessage       = errors.New("dm_task_set_message failed")
+	ErrTaskSetAddNode       = errors.New("dm_task_set_add_node failed")
+	ErrTaskSetRo            = errors.New("dm_task_set_ro failed")
+	ErrTaskAddTarget        = errors.New("dm_task_add_target failed")
+	ErrTaskSetSector        = errors.New("dm_task_set_sector failed")
+	ErrTaskGetDeps          = errors.New("dm_task_get_deps failed")
+	ErrTaskGetInfo          = errors.New("dm_task_get_info failed")
+	ErrTaskGetDriverVersion = errors.New("dm_task_get_driver_version failed")
+	ErrTaskDeferredRemove   = errors.New("dm_task_deferred_remove failed")
+	ErrTaskSetCookie        = errors.New("dm_task_set_cookie failed")
+	ErrNilCookie            = errors.New("cookie ptr can't be nil")
+	ErrGetBlockSize         = errors.New("Can't get block size")
+	ErrUdevWait             = errors.New("wait on udev cookie failed")
+	ErrSetDevDir            = errors.New("dm_set_dev_dir failed")
+	ErrGetLibraryVersion    = errors.New("dm_get_library_version failed")
+	ErrCreateRemoveTask     = errors.New("Can't create task of type deviceRemove")
+	ErrRunRemoveDevice      = errors.New("running RemoveDevice failed")
+	ErrInvalidAddNode       = errors.New("Invalid AddNode type")
+	ErrBusy                 = errors.New("Device is Busy")
+	ErrDeviceIDExists       = errors.New("Device Id Exists")
+	ErrEnxio                = errors.New("No such device or address")
+	ErrEnoData              = errors.New("No data available")
+)
+
+var (
+	dmSawBusy    bool
+	dmSawExist   bool
+	dmSawEnxio   bool // No Such Device or Address
+	dmSawEnoData bool // No data available
+)
+
+type (
+	// Task represents a devicemapper task (like lvcreate, etc.) ; a task is needed for each ioctl
+	// command to execute.
+	Task struct {
+		unmanaged *cdmTask
+	}
+	// Deps represents dependents (layer) of a device.
+	Deps struct {
+		Count  uint32
+		Filler uint32
+		Device []uint64
+	}
+	// Info represents information about a device.
+	Info struct {
+		Exists         int
+		Suspended      int
+		LiveTable      int
+		InactiveTable  int
+		OpenCount      int32
+		EventNr        uint32
+		Major          uint32
+		Minor          uint32
+		ReadOnly       int
+		TargetCount    int32
+		DeferredRemove int
+	}
+	// TaskType represents a type of task
+	TaskType int
+	// AddNodeType represents a type of node to be added
+	AddNodeType int
+)
+
+// DeviceIDExists returns whether error conveys the information about device Id already
+// exist or not. This will be true if device creation or snap creation
+// operation fails if device or snap device already exists in pool.
+// Current implementation is little crude as it scans the error string
+// for exact pattern match. Replacing it with more robust implementation
+// is desirable.
+func DeviceIDExists(err error) bool {
+	return fmt.Sprint(err) == fmt.Sprint(ErrDeviceIDExists)
+}
+
+func (t *Task) destroy() {
+	if t != nil {
+		DmTaskDestroy(t.unmanaged)
+		runtime.SetFinalizer(t, nil)
+	}
+}
+
+// TaskCreateNamed is a convenience function for TaskCreate when a name
+// will be set on the task as well
+func TaskCreateNamed(t TaskType, name string) (*Task, error) {
+	task := TaskCreate(t)
+	if task == nil {
+		return nil, fmt.Errorf("devicemapper: Can't create task of type %d", int(t))
+	}
+	if err := task.setName(name); err != nil {
+		return nil, fmt.Errorf("devicemapper: Can't set task name %s", name)
+	}
+	return task, nil
+}
+
+// TaskCreate initializes a devicemapper task of tasktype
+func TaskCreate(tasktype TaskType) *Task {
+	Ctask := DmTaskCreate(int(tasktype))
+	if Ctask == nil {
+		return nil
+	}
+	task := &Task{unmanaged: Ctask}
+	runtime.SetFinalizer(task, (*Task).destroy)
+	return task
+}
+
+func (t *Task) run() error {
+	if res := DmTaskRun(t.unmanaged); res != 1 {
+		return ErrTaskRun
+	}
+	runtime.KeepAlive(t)
+	return nil
+}
+
+func (t *Task) setName(name string) error {
+	if res := DmTaskSetName(t.unmanaged, name); res != 1 {
+		return ErrTaskSetName
+	}
+	return nil
+}
+
+func (t *Task) setMessage(message string) error {
+	if res := DmTaskSetMessage(t.unmanaged, message); res != 1 {
+		return ErrTaskSetMessage
+	}
+	return nil
+}
+
+func (t *Task) setSector(sector uint64) error {
+	if res := DmTaskSetSector(t.unmanaged, sector); res != 1 {
+		return ErrTaskSetSector
+	}
+	return nil
+}
+
+func (t *Task) setCookie(cookie *uint, flags uint16) error {
+	if cookie == nil {
+		return ErrNilCookie
+	}
+	if res := DmTaskSetCookie(t.unmanaged, cookie, flags); res != 1 {
+		return ErrTaskSetCookie
+	}
+	return nil
+}
+
+func (t *Task) setAddNode(addNode AddNodeType) error {
+	if addNode != addNodeOnResume && addNode != addNodeOnCreate {
+		return ErrInvalidAddNode
+	}
+	if res := DmTaskSetAddNode(t.unmanaged, addNode); res != 1 {
+		return ErrTaskSetAddNode
+	}
+	return nil
+}
+
+func (t *Task) setRo() error {
+	if res := DmTaskSetRo(t.unmanaged); res != 1 {
+		return ErrTaskSetRo
+	}
+	return nil
+}
+
+func (t *Task) addTarget(start, size uint64, ttype, params string) error {
+	if res := DmTaskAddTarget(t.unmanaged, start, size,
+		ttype, params); res != 1 {
+		return ErrTaskAddTarget
+	}
+	return nil
+}
+
+func (t *Task) getDeps() (*Deps, error) {
+	var deps *Deps
+	if deps = DmTaskGetDeps(t.unmanaged); deps == nil {
+		return nil, ErrTaskGetDeps
+	}
+	return deps, nil
+}
+
+func (t *Task) getInfo() (*Info, error) {
+	info := &Info{}
+	if res := DmTaskGetInfo(t.unmanaged, info); res != 1 {
+		return nil, ErrTaskGetInfo
+	}
+	return info, nil
+}
+
+func (t *Task) getInfoWithDeferred() (*Info, error) {
+	info := &Info{}
+	if res := DmTaskGetInfoWithDeferred(t.unmanaged, info); res != 1 {
+		return nil, ErrTaskGetInfo
+	}
+	return info, nil
+}
+
+func (t *Task) getDriverVersion() (string, error) {
+	res := DmTaskGetDriverVersion(t.unmanaged)
+	if res == "" {
+		return "", ErrTaskGetDriverVersion
+	}
+	return res, nil
+}
+
+func (t *Task) getNextTarget(next unsafe.Pointer) (nextPtr unsafe.Pointer, start uint64,
+	length uint64, targetType string, params string) {
+
+	return DmGetNextTarget(t.unmanaged, next, &start, &length,
+			&targetType, &params),
+		start, length, targetType, params
+}
+
+// UdevWait waits for any processes that are waiting for udev to complete the specified cookie.
+func UdevWait(cookie *uint) error {
+	if res := DmUdevWait(*cookie); res != 1 {
+		logrus.Debugf("devicemapper: Failed to wait on udev cookie %d, %d", *cookie, res)
+		return ErrUdevWait
+	}
+	return nil
+}
+
+// SetDevDir sets the dev folder for the device mapper library (usually /dev).
+func SetDevDir(dir string) error {
+	if res := DmSetDevDir(dir); res != 1 {
+		logrus.Debug("devicemapper: Error dm_set_dev_dir")
+		return ErrSetDevDir
+	}
+	return nil
+}
+
+// GetLibraryVersion returns the device mapper library version.
+func GetLibraryVersion() (string, error) {
+	var version string
+	if res := DmGetLibraryVersion(&version); res != 1 {
+		return "", ErrGetLibraryVersion
+	}
+	return version, nil
+}
+
+// UdevSyncSupported returns whether device-mapper is able to sync with udev
+//
+// This is essential otherwise race conditions can arise where both udev and
+// device-mapper attempt to create and destroy devices.
+func UdevSyncSupported() bool {
+	return DmUdevGetSyncSupport() != 0
+}
+
+// UdevSetSyncSupport allows setting whether the udev sync should be enabled.
+// The return bool indicates the state of whether the sync is enabled.
+func UdevSetSyncSupport(enable bool) bool {
+	if enable {
+		DmUdevSetSyncSupport(1)
+	} else {
+		DmUdevSetSyncSupport(0)
+	}
+
+	return UdevSyncSupported()
+}
+
+// CookieSupported returns whether the version of device-mapper supports the
+// use of cookie's in the tasks.
+// This is largely a lower level call that other functions use.
+func CookieSupported() bool {
+	return DmCookieSupported() != 0
+}
+
+// RemoveDevice is a useful helper for cleaning up a device.
+func RemoveDevice(name string) error {
+	task, err := TaskCreateNamed(deviceRemove, name)
+	if task == nil {
+		return err
+	}
+
+	cookie := new(uint)
+	if err := task.setCookie(cookie, 0); err != nil {
+		return fmt.Errorf("devicemapper: Can not set cookie: %s", err)
+	}
+	defer UdevWait(cookie)
+
+	dmSawBusy = false // reset before the task is run
+	dmSawEnxio = false
+	if err = task.run(); err != nil {
+		if dmSawBusy {
+			return ErrBusy
+		}
+		if dmSawEnxio {
+			return ErrEnxio
+		}
+		return fmt.Errorf("devicemapper: Error running RemoveDevice %s", err)
+	}
+
+	return nil
+}
+
+// RemoveDeviceDeferred is a useful helper for cleaning up a device, but deferred.
+func RemoveDeviceDeferred(name string) error {
+	logrus.Debugf("devicemapper: RemoveDeviceDeferred START(%s)", name)
+	defer logrus.Debugf("devicemapper: RemoveDeviceDeferred END(%s)", name)
+	task, err := TaskCreateNamed(deviceRemove, name)
+	if task == nil {
+		return err
+	}
+
+	if err := DmTaskDeferredRemove(task.unmanaged); err != 1 {
+		return ErrTaskDeferredRemove
+	}
+
+	// set a task cookie and disable library fallback, or else libdevmapper will
+	// disable udev dm rules and delete the symlink under /dev/mapper by itself,
+	// even if the removal is deferred by the kernel.
+	cookie := new(uint)
+	flags := uint16(DmUdevDisableLibraryFallback)
+	if err := task.setCookie(cookie, flags); err != nil {
+		return fmt.Errorf("devicemapper: Can not set cookie: %s", err)
+	}
+
+	// libdevmapper and udev relies on System V semaphore for synchronization,
+	// semaphores created in `task.setCookie` will be cleaned up in `UdevWait`.
+	// So these two function call must come in pairs, otherwise semaphores will
+	// be leaked, and the  limit of number of semaphores defined in `/proc/sys/kernel/sem`
+	// will be reached, which will eventually make all following calls to 'task.SetCookie'
+	// fail.
+	// this call will not wait for the deferred removal's final executing, since no
+	// udev event will be generated, and the semaphore's value will not be incremented
+	// by udev, what UdevWait is just cleaning up the semaphore.
+	defer UdevWait(cookie)
+
+	dmSawEnxio = false
+	if err = task.run(); err != nil {
+		if dmSawEnxio {
+			return ErrEnxio
+		}
+		return fmt.Errorf("devicemapper: Error running RemoveDeviceDeferred %s", err)
+	}
+
+	return nil
+}
+
+// CancelDeferredRemove cancels a deferred remove for a device.
+func CancelDeferredRemove(deviceName string) error {
+	task, err := TaskCreateNamed(deviceTargetMsg, deviceName)
+	if task == nil {
+		return err
+	}
+
+	if err := task.setSector(0); err != nil {
+		return fmt.Errorf("devicemapper: Can't set sector %s", err)
+	}
+
+	if err := task.setMessage(fmt.Sprintf("@cancel_deferred_remove")); err != nil {
+		return fmt.Errorf("devicemapper: Can't set message %s", err)
+	}
+
+	dmSawBusy = false
+	dmSawEnxio = false
+	if err := task.run(); err != nil {
+		// A device might be being deleted already
+		if dmSawBusy {
+			return ErrBusy
+		} else if dmSawEnxio {
+			return ErrEnxio
+		}
+		return fmt.Errorf("devicemapper: Error running CancelDeferredRemove %s", err)
+
+	}
+	return nil
+}
+
+// GetBlockDeviceSize returns the size of a block device identified by the specified file.
+func GetBlockDeviceSize(file *os.File) (uint64, error) {
+	size, err := ioctlBlkGetSize64(file.Fd())
+	if err != nil {
+		logrus.Errorf("devicemapper: Error getblockdevicesize: %s", err)
+		return 0, ErrGetBlockSize
+	}
+	return uint64(size), nil
+}
+
+// BlockDeviceDiscard runs discard for the given path.
+// This is used as a workaround for the kernel not discarding block so
+// on the thin pool when we remove a thinp device, so we do it
+// manually
+func BlockDeviceDiscard(path string) error {
+	file, err := os.OpenFile(path, os.O_RDWR, 0)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	size, err := GetBlockDeviceSize(file)
+	if err != nil {
+		return err
+	}
+
+	if err := ioctlBlkDiscard(file.Fd(), 0, size); err != nil {
+		return err
+	}
+
+	// Without this sometimes the remove of the device that happens after
+	// discard fails with EBUSY.
+	unix.Sync()
+
+	return nil
+}
+
+// CreatePool is the programmatic example of "dmsetup create".
+// It creates a device with the specified poolName, data and metadata file and block size.
+func CreatePool(poolName string, dataFile, metadataFile *os.File, poolBlockSize uint32) error {
+	task, err := TaskCreateNamed(deviceCreate, poolName)
+	if task == nil {
+		return err
+	}
+
+	size, err := GetBlockDeviceSize(dataFile)
+	if err != nil {
+		return fmt.Errorf("devicemapper: Can't get data size %s", err)
+	}
+
+	params := fmt.Sprintf("%s %s %d 32768 1 skip_block_zeroing", metadataFile.Name(), dataFile.Name(), poolBlockSize)
+	if err := task.addTarget(0, size/512, "thin-pool", params); err != nil {
+		return fmt.Errorf("devicemapper: Can't add target %s", err)
+	}
+
+	cookie := new(uint)
+	flags := uint16(DmUdevDisableSubsystemRulesFlag | DmUdevDisableDiskRulesFlag | DmUdevDisableOtherRulesFlag)
+	if err := task.setCookie(cookie, flags); err != nil {
+		return fmt.Errorf("devicemapper: Can't set cookie %s", err)
+	}
+	defer UdevWait(cookie)
+
+	if err := task.run(); err != nil {
+		return fmt.Errorf("devicemapper: Error running deviceCreate (CreatePool) %s", err)
+	}
+
+	return nil
+}
+
+// ReloadPool is the programmatic example of "dmsetup reload".
+// It reloads the table with the specified poolName, data and metadata file and block size.
+func ReloadPool(poolName string, dataFile, metadataFile *os.File, poolBlockSize uint32) error {
+	task, err := TaskCreateNamed(deviceReload, poolName)
+	if task == nil {
+		return err
+	}
+
+	size, err := GetBlockDeviceSize(dataFile)
+	if err != nil {
+		return fmt.Errorf("devicemapper: Can't get data size %s", err)
+	}
+
+	params := fmt.Sprintf("%s %s %d 32768 1 skip_block_zeroing", metadataFile.Name(), dataFile.Name(), poolBlockSize)
+	if err := task.addTarget(0, size/512, "thin-pool", params); err != nil {
+		return fmt.Errorf("devicemapper: Can't add target %s", err)
+	}
+
+	if err := task.run(); err != nil {
+		return fmt.Errorf("devicemapper: Error running ReloadPool %s", err)
+	}
+
+	return nil
+}
+
+// GetDeps is the programmatic example of "dmsetup deps".
+// It outputs a list of devices referenced by the live table for the specified device.
+func GetDeps(name string) (*Deps, error) {
+	task, err := TaskCreateNamed(deviceDeps, name)
+	if task == nil {
+		return nil, err
+	}
+	if err := task.run(); err != nil {
+		return nil, err
+	}
+	return task.getDeps()
+}
+
+// GetInfo is the programmatic example of "dmsetup info".
+// It outputs some brief information about the device.
+func GetInfo(name string) (*Info, error) {
+	task, err := TaskCreateNamed(deviceInfo, name)
+	if task == nil {
+		return nil, err
+	}
+	if err := task.run(); err != nil {
+		return nil, err
+	}
+	return task.getInfo()
+}
+
+// GetInfoWithDeferred is the programmatic example of "dmsetup info", but deferred.
+// It outputs some brief information about the device.
+func GetInfoWithDeferred(name string) (*Info, error) {
+	task, err := TaskCreateNamed(deviceInfo, name)
+	if task == nil {
+		return nil, err
+	}
+	if err := task.run(); err != nil {
+		return nil, err
+	}
+	return task.getInfoWithDeferred()
+}
+
+// GetDriverVersion is the programmatic example of "dmsetup version".
+// It outputs version information of the driver.
+func GetDriverVersion() (string, error) {
+	task := TaskCreate(deviceVersion)
+	if task == nil {
+		return "", fmt.Errorf("devicemapper: Can't create deviceVersion task")
+	}
+	if err := task.run(); err != nil {
+		return "", err
+	}
+	return task.getDriverVersion()
+}
+
+// GetStatus is the programmatic example of "dmsetup status".
+// It outputs status information for the specified device name.
+func GetStatus(name string) (uint64, uint64, string, string, error) {
+	task, err := TaskCreateNamed(deviceStatus, name)
+	if task == nil {
+		logrus.Debugf("devicemapper: GetStatus() Error TaskCreateNamed: %s", err)
+		return 0, 0, "", "", err
+	}
+	if err := task.run(); err != nil {
+		logrus.Debugf("devicemapper: GetStatus() Error Run: %s", err)
+		return 0, 0, "", "", err
+	}
+
+	devinfo, err := task.getInfo()
+	if err != nil {
+		logrus.Debugf("devicemapper: GetStatus() Error GetInfo: %s", err)
+		return 0, 0, "", "", err
+	}
+	if devinfo.Exists == 0 {
+		logrus.Debugf("devicemapper: GetStatus() Non existing device %s", name)
+		return 0, 0, "", "", fmt.Errorf("devicemapper: Non existing device %s", name)
+	}
+
+	_, start, length, targetType, params := task.getNextTarget(unsafe.Pointer(nil))
+	return start, length, targetType, params, nil
+}
+
+// GetTable is the programmatic example for "dmsetup table".
+// It outputs the current table for the specified device name.
+func GetTable(name string) (uint64, uint64, string, string, error) {
+	task, err := TaskCreateNamed(deviceTable, name)
+	if task == nil {
+		logrus.Debugf("devicemapper: GetTable() Error TaskCreateNamed: %s", err)
+		return 0, 0, "", "", err
+	}
+	if err := task.run(); err != nil {
+		logrus.Debugf("devicemapper: GetTable() Error Run: %s", err)
+		return 0, 0, "", "", err
+	}
+
+	devinfo, err := task.getInfo()
+	if err != nil {
+		logrus.Debugf("devicemapper: GetTable() Error GetInfo: %s", err)
+		return 0, 0, "", "", err
+	}
+	if devinfo.Exists == 0 {
+		logrus.Debugf("devicemapper: GetTable() Non existing device %s", name)
+		return 0, 0, "", "", fmt.Errorf("devicemapper: Non existing device %s", name)
+	}
+
+	_, start, length, targetType, params := task.getNextTarget(unsafe.Pointer(nil))
+	return start, length, targetType, params, nil
+}
+
+// SetTransactionID sets a transaction id for the specified device name.
+func SetTransactionID(poolName string, oldID uint64, newID uint64) error {
+	task, err := TaskCreateNamed(deviceTargetMsg, poolName)
+	if task == nil {
+		return err
+	}
+
+	if err := task.setSector(0); err != nil {
+		return fmt.Errorf("devicemapper: Can't set sector %s", err)
+	}
+
+	if err := task.setMessage(fmt.Sprintf("set_transaction_id %d %d", oldID, newID)); err != nil {
+		return fmt.Errorf("devicemapper: Can't set message %s", err)
+	}
+
+	if err := task.run(); err != nil {
+		return fmt.Errorf("devicemapper: Error running SetTransactionID %s", err)
+	}
+	return nil
+}
+
+// SuspendDevice is the programmatic example of "dmsetup suspend".
+// It suspends the specified device.
+func SuspendDevice(name string) error {
+	task, err := TaskCreateNamed(deviceSuspend, name)
+	if task == nil {
+		return err
+	}
+	if err := task.run(); err != nil {
+		return fmt.Errorf("devicemapper: Error running deviceSuspend %s", err)
+	}
+	return nil
+}
+
+// ResumeDevice is the programmatic example of "dmsetup resume".
+// It un-suspends the specified device.
+func ResumeDevice(name string) error {
+	task, err := TaskCreateNamed(deviceResume, name)
+	if task == nil {
+		return err
+	}
+
+	cookie := new(uint)
+	if err := task.setCookie(cookie, 0); err != nil {
+		return fmt.Errorf("devicemapper: Can't set cookie %s", err)
+	}
+	defer UdevWait(cookie)
+
+	if err := task.run(); err != nil {
+		return fmt.Errorf("devicemapper: Error running deviceResume %s", err)
+	}
+
+	return nil
+}
+
+// CreateDevice creates a device with the specified poolName with the specified device id.
+func CreateDevice(poolName string, deviceID int) error {
+	logrus.Debugf("devicemapper: CreateDevice(poolName=%v, deviceID=%v)", poolName, deviceID)
+	task, err := TaskCreateNamed(deviceTargetMsg, poolName)
+	if task == nil {
+		return err
+	}
+
+	if err := task.setSector(0); err != nil {
+		return fmt.Errorf("devicemapper: Can't set sector %s", err)
+	}
+
+	if err := task.setMessage(fmt.Sprintf("create_thin %d", deviceID)); err != nil {
+		return fmt.Errorf("devicemapper: Can't set message %s", err)
+	}
+
+	dmSawExist = false // reset before the task is run
+	if err := task.run(); err != nil {
+		// Caller wants to know about ErrDeviceIDExists so that it can try with a different device id.
+		if dmSawExist {
+			return ErrDeviceIDExists
+		}
+
+		return fmt.Errorf("devicemapper: Error running CreateDevice %s", err)
+
+	}
+	return nil
+}
+
+// DeleteDevice deletes a device with the specified poolName with the specified device id.
+func DeleteDevice(poolName string, deviceID int) error {
+	task, err := TaskCreateNamed(deviceTargetMsg, poolName)
+	if task == nil {
+		return err
+	}
+
+	if err := task.setSector(0); err != nil {
+		return fmt.Errorf("devicemapper: Can't set sector %s", err)
+	}
+
+	if err := task.setMessage(fmt.Sprintf("delete %d", deviceID)); err != nil {
+		return fmt.Errorf("devicemapper: Can't set message %s", err)
+	}
+
+	dmSawBusy = false
+	dmSawEnoData = false
+	if err := task.run(); err != nil {
+		if dmSawBusy {
+			return ErrBusy
+		}
+		if dmSawEnoData {
+			logrus.Debugf("devicemapper: Device(id: %d) from pool(%s) does not exist", deviceID, poolName)
+			return nil
+		}
+		return fmt.Errorf("devicemapper: Error running DeleteDevice %s", err)
+	}
+	return nil
+}
+
+// ActivateDevice activates the device identified by the specified
+// poolName, name and deviceID with the specified size.
+func ActivateDevice(poolName string, name string, deviceID int, size uint64) error {
+	return activateDevice(poolName, name, deviceID, size, "")
+}
+
+// ActivateDeviceWithExternal activates the device identified by the specified
+// poolName, name and deviceID with the specified size.
+func ActivateDeviceWithExternal(poolName string, name string, deviceID int, size uint64, external string) error {
+	return activateDevice(poolName, name, deviceID, size, external)
+}
+
+func activateDevice(poolName string, name string, deviceID int, size uint64, external string) error {
+	task, err := TaskCreateNamed(deviceCreate, name)
+	if task == nil {
+		return err
+	}
+
+	var params string
+	if len(external) > 0 {
+		params = fmt.Sprintf("%s %d %s", poolName, deviceID, external)
+	} else {
+		params = fmt.Sprintf("%s %d", poolName, deviceID)
+	}
+	if err := task.addTarget(0, size/512, "thin", params); err != nil {
+		return fmt.Errorf("devicemapper: Can't add target %s", err)
+	}
+	if err := task.setAddNode(addNodeOnCreate); err != nil {
+		return fmt.Errorf("devicemapper: Can't add node %s", err)
+	}
+
+	cookie := new(uint)
+	if err := task.setCookie(cookie, 0); err != nil {
+		return fmt.Errorf("devicemapper: Can't set cookie %s", err)
+	}
+
+	defer UdevWait(cookie)
+
+	if err := task.run(); err != nil {
+		return fmt.Errorf("devicemapper: Error running deviceCreate (ActivateDevice) %s", err)
+	}
+
+	return nil
+}
+
+// CreateSnapDeviceRaw creates a snapshot device. Caller needs to suspend and resume the origin device if it is active.
+func CreateSnapDeviceRaw(poolName string, deviceID int, baseDeviceID int) error {
+	task, err := TaskCreateNamed(deviceTargetMsg, poolName)
+	if task == nil {
+		return err
+	}
+
+	if err := task.setSector(0); err != nil {
+		return fmt.Errorf("devicemapper: Can't set sector %s", err)
+	}
+
+	if err := task.setMessage(fmt.Sprintf("create_snap %d %d", deviceID, baseDeviceID)); err != nil {
+		return fmt.Errorf("devicemapper: Can't set message %s", err)
+	}
+
+	dmSawExist = false // reset before the task is run
+	if err := task.run(); err != nil {
+		// Caller wants to know about ErrDeviceIDExists so that it can try with a different device id.
+		if dmSawExist {
+			return ErrDeviceIDExists
+		}
+		return fmt.Errorf("devicemapper: Error running deviceCreate (CreateSnapDeviceRaw) %s", err)
+	}
+
+	return nil
+}
+
+// CreateSnapDevice creates a snapshot based on the device identified by the baseName and baseDeviceId,
+func CreateSnapDevice(poolName string, deviceID int, baseName string, baseDeviceID int) error {
+	devinfo, _ := GetInfo(baseName)
+	doSuspend := devinfo != nil && devinfo.Exists != 0
+
+	if doSuspend {
+		if err := SuspendDevice(baseName); err != nil {
+			return err
+		}
+	}
+
+	if err := CreateSnapDeviceRaw(poolName, deviceID, baseDeviceID); err != nil {
+		if doSuspend {
+			if err2 := ResumeDevice(baseName); err2 != nil {
+				return fmt.Errorf("CreateSnapDeviceRaw Error: (%v): ResumeDevice Error: (%v)", err, err2)
+			}
+		}
+		return err
+	}
+
+	if doSuspend {
+		if err := ResumeDevice(baseName); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/engine/pkg/devicemapper/devmapper_log.go b/engine/pkg/devicemapper/devmapper_log.go
new file mode 100644
index 00000000..5a5773d4
--- /dev/null
+++ b/engine/pkg/devicemapper/devmapper_log.go
@@ -0,0 +1,124 @@
+// +build linux,cgo
+
+package devicemapper // import "github.com/docker/docker/pkg/devicemapper"
+
+import "C"
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+)
+
+// DevmapperLogger defines methods required to register as a callback for
+// logging events received from devicemapper. Note that devicemapper will send
+// *all* logs regardless to callbacks (including debug logs) so it's
+// recommended to not spam the console with the outputs.
+type DevmapperLogger interface {
+	// DMLog is the logging callback containing all of the information from
+	// devicemapper. The interface is identical to the C libdm counterpart.
+	DMLog(level int, file string, line int, dmError int, message string)
+}
+
+// dmLogger is the current logger in use that is being forwarded our messages.
+var dmLogger DevmapperLogger
+
+// LogInit changes the logging callback called after processing libdm logs for
+// error message information. The default logger simply forwards all logs to
+// logrus. Calling LogInit(nil) disables the calling of callbacks.
+func LogInit(logger DevmapperLogger) {
+	dmLogger = logger
+}
+
+// Due to the way cgo works this has to be in a separate file, as devmapper.go has
+// definitions in the cgo block, which is incompatible with using "//export"
+
+// DevmapperLogCallback exports the devmapper log callback for cgo. Note that
+// because we are using callbacks, this function will be called for *every* log
+// in libdm (even debug ones because there's no way of setting the verbosity
+// level for an external logging callback).
+//export DevmapperLogCallback
+func DevmapperLogCallback(level C.int, file *C.char, line, dmErrnoOrClass C.int, message *C.char) {
+	msg := C.GoString(message)
+
+	// Track what errno libdm saw, because the library only gives us 0 or 1.
+	if level < LogLevelDebug {
+		if strings.Contains(msg, "busy") {
+			dmSawBusy = true
+		}
+
+		if strings.Contains(msg, "File exists") {
+			dmSawExist = true
+		}
+
+		if strings.Contains(msg, "No such device or address") {
+			dmSawEnxio = true
+		}
+		if strings.Contains(msg, "No data available") {
+			dmSawEnoData = true
+		}
+	}
+
+	if dmLogger != nil {
+		dmLogger.DMLog(int(level), C.GoString(file), int(line), int(dmErrnoOrClass), msg)
+	}
+}
+
+// DefaultLogger is the default logger used by pkg/devicemapper. It forwards
+// all logs that are of higher or equal priority to the given level to the
+// corresponding logrus level.
+type DefaultLogger struct {
+	// Level corresponds to the highest libdm level that will be forwarded to
+	// logrus. In order to change this, register a new DefaultLogger.
+	Level int
+}
+
+// DMLog is the logging callback containing all of the information from
+// devicemapper. The interface is identical to the C libdm counterpart.
+func (l DefaultLogger) DMLog(level int, file string, line, dmError int, message string) {
+	if level <= l.Level {
+		// Forward the log to the correct logrus level, if allowed by dmLogLevel.
+		logMsg := fmt.Sprintf("libdevmapper(%d): %s:%d (%d) %s", level, file, line, dmError, message)
+		switch level {
+		case LogLevelFatal, LogLevelErr:
+			logrus.Error(logMsg)
+		case LogLevelWarn:
+			logrus.Warn(logMsg)
+		case LogLevelNotice, LogLevelInfo:
+			logrus.Info(logMsg)
+		case LogLevelDebug:
+			logrus.Debug(logMsg)
+		default:
+			// Don't drop any "unknown" levels.
+			logrus.Info(logMsg)
+		}
+	}
+}
+
+// registerLogCallback registers our own logging callback function for libdm
+// (which is DevmapperLogCallback).
+//
+// Because libdm only gives us {0,1} error codes we need to parse the logs
+// produced by libdm (to set dmSawBusy and so on). Note that by registering a
+// callback using DevmapperLogCallback, libdm will no longer output logs to
+// stderr so we have to log everything ourselves. None of this handling is
+// optional because we depend on log callbacks to parse the logs, and if we
+// don't forward the log information we'll be in a lot of trouble when
+// debugging things.
+func registerLogCallback() {
+	LogWithErrnoInit()
+}
+
+func init() {
+	// Use the default logger by default. We only allow LogLevelFatal by
+	// default, because internally we mask a lot of libdm errors by retrying
+	// and similar tricks. Also, libdm is very chatty and we don't want to
+	// worry users for no reason.
+	dmLogger = DefaultLogger{
+		Level: LogLevelFatal,
+	}
+
+	// Register as early as possible so we don't miss anything.
+	registerLogCallback()
+}
diff --git a/engine/pkg/devicemapper/devmapper_wrapper.go b/engine/pkg/devicemapper/devmapper_wrapper.go
new file mode 100644
index 00000000..0b88f496
--- /dev/null
+++ b/engine/pkg/devicemapper/devmapper_wrapper.go
@@ -0,0 +1,252 @@
+// +build linux,cgo
+
+package devicemapper // import "github.com/docker/docker/pkg/devicemapper"
+
+/*
+#define _GNU_SOURCE
+#include <libdevmapper.h>
+#include <linux/fs.h>   // FIXME: present only for BLKGETSIZE64, maybe we can remove it?
+
+// FIXME: Can't we find a way to do the logging in pure Go?
+extern void DevmapperLogCallback(int level, char *file, int line, int dm_errno_or_class, char *str);
+
+static void	log_cb(int level, const char *file, int line, int dm_errno_or_class, const char *f, ...)
+{
+	char *buffer = NULL;
+	va_list ap;
+	int ret;
+
+	va_start(ap, f);
+	ret = vasprintf(&buffer, f, ap);
+	va_end(ap);
+	if (ret < 0) {
+		// memory allocation failed -- should never happen?
+		return;
+	}
+
+	DevmapperLogCallback(level, (char *)file, line, dm_errno_or_class, buffer);
+	free(buffer);
+}
+
+static void	log_with_errno_init()
+{
+	dm_log_with_errno_init(log_cb);
+}
+*/
+import "C"
+
+import (
+	"reflect"
+	"unsafe"
+)
+
+type (
+	cdmTask C.struct_dm_task
+)
+
+// IOCTL consts
+const (
+	BlkGetSize64 = C.BLKGETSIZE64
+	BlkDiscard   = C.BLKDISCARD
+)
+
+// Devicemapper cookie flags.
+const (
+	DmUdevDisableSubsystemRulesFlag = C.DM_UDEV_DISABLE_SUBSYSTEM_RULES_FLAG
+	DmUdevDisableDiskRulesFlag      = C.DM_UDEV_DISABLE_DISK_RULES_FLAG
+	DmUdevDisableOtherRulesFlag     = C.DM_UDEV_DISABLE_OTHER_RULES_FLAG
+	DmUdevDisableLibraryFallback    = C.DM_UDEV_DISABLE_LIBRARY_FALLBACK
+)
+
+// DeviceMapper mapped functions.
+var (
+	DmGetLibraryVersion       = dmGetLibraryVersionFct
+	DmGetNextTarget           = dmGetNextTargetFct
+	DmSetDevDir               = dmSetDevDirFct
+	DmTaskAddTarget           = dmTaskAddTargetFct
+	DmTaskCreate              = dmTaskCreateFct
+	DmTaskDestroy             = dmTaskDestroyFct
+	DmTaskGetDeps             = dmTaskGetDepsFct
+	DmTaskGetInfo             = dmTaskGetInfoFct
+	DmTaskGetDriverVersion    = dmTaskGetDriverVersionFct
+	DmTaskRun                 = dmTaskRunFct
+	DmTaskSetAddNode          = dmTaskSetAddNodeFct
+	DmTaskSetCookie           = dmTaskSetCookieFct
+	DmTaskSetMessage          = dmTaskSetMessageFct
+	DmTaskSetName             = dmTaskSetNameFct
+	DmTaskSetRo               = dmTaskSetRoFct
+	DmTaskSetSector           = dmTaskSetSectorFct
+	DmUdevWait                = dmUdevWaitFct
+	DmUdevSetSyncSupport      = dmUdevSetSyncSupportFct
+	DmUdevGetSyncSupport      = dmUdevGetSyncSupportFct
+	DmCookieSupported         = dmCookieSupportedFct
+	LogWithErrnoInit          = logWithErrnoInitFct
+	DmTaskDeferredRemove      = dmTaskDeferredRemoveFct
+	DmTaskGetInfoWithDeferred = dmTaskGetInfoWithDeferredFct
+)
+
+func free(p *C.char) {
+	C.free(unsafe.Pointer(p))
+}
+
+func dmTaskDestroyFct(task *cdmTask) {
+	C.dm_task_destroy((*C.struct_dm_task)(task))
+}
+
+func dmTaskCreateFct(taskType int) *cdmTask {
+	return (*cdmTask)(C.dm_task_create(C.int(taskType)))
+}
+
+func dmTaskRunFct(task *cdmTask) int {
+	ret, _ := C.dm_task_run((*C.struct_dm_task)(task))
+	return int(ret)
+}
+
+func dmTaskSetNameFct(task *cdmTask, name string) int {
+	Cname := C.CString(name)
+	defer free(Cname)
+
+	return int(C.dm_task_set_name((*C.struct_dm_task)(task), Cname))
+}
+
+func dmTaskSetMessageFct(task *cdmTask, message string) int {
+	Cmessage := C.CString(message)
+	defer free(Cmessage)
+
+	return int(C.dm_task_set_message((*C.struct_dm_task)(task), Cmessage))
+}
+
+func dmTaskSetSectorFct(task *cdmTask, sector uint64) int {
+	return int(C.dm_task_set_sector((*C.struct_dm_task)(task), C.uint64_t(sector)))
+}
+
+func dmTaskSetCookieFct(task *cdmTask, cookie *uint, flags uint16) int {
+	cCookie := C.uint32_t(*cookie)
+	defer func() {
+		*cookie = uint(cCookie)
+	}()
+	return int(C.dm_task_set_cookie((*C.struct_dm_task)(task), &cCookie, C.uint16_t(flags)))
+}
+
+func dmTaskSetAddNodeFct(task *cdmTask, addNode AddNodeType) int {
+	return int(C.dm_task_set_add_node((*C.struct_dm_task)(task), C.dm_add_node_t(addNode)))
+}
+
+func dmTaskSetRoFct(task *cdmTask) int {
+	return int(C.dm_task_set_ro((*C.struct_dm_task)(task)))
+}
+
+func dmTaskAddTargetFct(task *cdmTask,
+	start, size uint64, ttype, params string) int {
+
+	Cttype := C.CString(ttype)
+	defer free(Cttype)
+
+	Cparams := C.CString(params)
+	defer free(Cparams)
+
+	return int(C.dm_task_add_target((*C.struct_dm_task)(task), C.uint64_t(start), C.uint64_t(size), Cttype, Cparams))
+}
+
+func dmTaskGetDepsFct(task *cdmTask) *Deps {
+	Cdeps := C.dm_task_get_deps((*C.struct_dm_task)(task))
+	if Cdeps == nil {
+		return nil
+	}
+
+	// golang issue: https://github.com/golang/go/issues/11925
+	hdr := reflect.SliceHeader{
+		Data: uintptr(unsafe.Pointer(uintptr(unsafe.Pointer(Cdeps)) + unsafe.Sizeof(*Cdeps))),
+		Len:  int(Cdeps.count),
+		Cap:  int(Cdeps.count),
+	}
+	devices := *(*[]C.uint64_t)(unsafe.Pointer(&hdr))
+
+	deps := &Deps{
+		Count:  uint32(Cdeps.count),
+		Filler: uint32(Cdeps.filler),
+	}
+	for _, device := range devices {
+		deps.Device = append(deps.Device, uint64(device))
+	}
+	return deps
+}
+
+func dmTaskGetInfoFct(task *cdmTask, info *Info) int {
+	Cinfo := C.struct_dm_info{}
+	defer func() {
+		info.Exists = int(Cinfo.exists)
+		info.Suspended = int(Cinfo.suspended)
+		info.LiveTable = int(Cinfo.live_table)
+		info.InactiveTable = int(Cinfo.inactive_table)
+		info.OpenCount = int32(Cinfo.open_count)
+		info.EventNr = uint32(Cinfo.event_nr)
+		info.Major = uint32(Cinfo.major)
+		info.Minor = uint32(Cinfo.minor)
+		info.ReadOnly = int(Cinfo.read_only)
+		info.TargetCount = int32(Cinfo.target_count)
+	}()
+	return int(C.dm_task_get_info((*C.struct_dm_task)(task), &Cinfo))
+}
+
+func dmTaskGetDriverVersionFct(task *cdmTask) string {
+	buffer := C.malloc(128)
+	defer C.free(buffer)
+	res := C.dm_task_get_driver_version((*C.struct_dm_task)(task), (*C.char)(buffer), 128)
+	if res == 0 {
+		return ""
+	}
+	return C.GoString((*C.char)(buffer))
+}
+
+func dmGetNextTargetFct(task *cdmTask, next unsafe.Pointer, start, length *uint64, target, params *string) unsafe.Pointer {
+	var (
+		Cstart, Clength      C.uint64_t
+		CtargetType, Cparams *C.char
+	)
+	defer func() {
+		*start = uint64(Cstart)
+		*length = uint64(Clength)
+		*target = C.GoString(CtargetType)
+		*params = C.GoString(Cparams)
+	}()
+
+	nextp := C.dm_get_next_target((*C.struct_dm_task)(task), next, &Cstart, &Clength, &CtargetType, &Cparams)
+	return nextp
+}
+
+func dmUdevSetSyncSupportFct(syncWithUdev int) {
+	C.dm_udev_set_sync_support(C.int(syncWithUdev))
+}
+
+func dmUdevGetSyncSupportFct() int {
+	return int(C.dm_udev_get_sync_support())
+}
+
+func dmUdevWaitFct(cookie uint) int {
+	return int(C.dm_udev_wait(C.uint32_t(cookie)))
+}
+
+func dmCookieSupportedFct() int {
+	return int(C.dm_cookie_supported())
+}
+
+func logWithErrnoInitFct() {
+	C.log_with_errno_init()
+}
+
+func dmSetDevDirFct(dir string) int {
+	Cdir := C.CString(dir)
+	defer free(Cdir)
+
+	return int(C.dm_set_dev_dir(Cdir))
+}
+
+func dmGetLibraryVersionFct(version *string) int {
+	buffer := C.CString(string(make([]byte, 128)))
+	defer free(buffer)
+	defer func() {
+		*version = C.GoString(buffer)
+	}()
+	return int(C.dm_get_library_version(buffer, 128))
+}
diff --git a/engine/pkg/devicemapper/devmapper_wrapper_dynamic.go b/engine/pkg/devicemapper/devmapper_wrapper_dynamic.go
new file mode 100644
index 00000000..8a1098f7
--- /dev/null
+++ b/engine/pkg/devicemapper/devmapper_wrapper_dynamic.go
@@ -0,0 +1,6 @@
+// +build linux,cgo,!static_build
+
+package devicemapper // import "github.com/docker/docker/pkg/devicemapper"
+
+// #cgo pkg-config: devmapper
+import "C"
diff --git a/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go b/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
new file mode 100644
index 00000000..3d3021c4
--- /dev/null
+++ b/engine/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
@@ -0,0 +1,35 @@
+// +build linux,cgo,!static_build
+// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
+
+package devicemapper // import "github.com/docker/docker/pkg/devicemapper"
+
+/*
+#include <libdevmapper.h>
+*/
+import "C"
+
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation.
+const LibraryDeferredRemovalSupport = true
+
+func dmTaskDeferredRemoveFct(task *cdmTask) int {
+	return int(C.dm_task_deferred_remove((*C.struct_dm_task)(task)))
+}
+
+func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int {
+	Cinfo := C.struct_dm_info{}
+	defer func() {
+		info.Exists = int(Cinfo.exists)
+		info.Suspended = int(Cinfo.suspended)
+		info.LiveTable = int(Cinfo.live_table)
+		info.InactiveTable = int(Cinfo.inactive_table)
+		info.OpenCount = int32(Cinfo.open_count)
+		info.EventNr = uint32(Cinfo.event_nr)
+		info.Major = uint32(Cinfo.major)
+		info.Minor = uint32(Cinfo.minor)
+		info.ReadOnly = int(Cinfo.read_only)
+		info.TargetCount = int32(Cinfo.target_count)
+		info.DeferredRemove = int(Cinfo.deferred_remove)
+	}()
+	return int(C.dm_task_get_info((*C.struct_dm_task)(task), &Cinfo))
+}
diff --git a/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go b/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
new file mode 100644
index 00000000..5dfb369f
--- /dev/null
+++ b/engine/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
@@ -0,0 +1,128 @@
+// +build linux,cgo,!static_build
+// +build libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
+
+package devicemapper
+
+/*
+#cgo LDFLAGS: -ldl
+#include <stdlib.h>
+#include <dlfcn.h>
+#include <libdevmapper.h>
+
+// Yes, I know this looks scary. In order to be able to fill our own internal
+// dm_info with deferred_remove we need to have a struct definition that is
+// correct (regardless of the version of libdm that was used to compile it). To
+// this end, we define struct_backport_dm_info. This code comes from lvm2, and
+// I have verified that the structure has only ever had elements *appended* to
+// it (since 2001).
+//
+// It is also important that this structure be _larger_ than the dm_info that
+// libdevmapper expected. Otherwise libdm might try to write to memory it
+// shouldn't (they don't have a "known size" API).
+struct backport_dm_info {
+	int exists;
+	int suspended;
+	int live_table;
+	int inactive_table;
+	int32_t open_count;
+	uint32_t event_nr;
+	uint32_t major;
+	uint32_t minor;
+	int read_only;
+
+	int32_t target_count;
+
+	int deferred_remove;
+	int internal_suspend;
+
+	// Padding, purely for our own safety. This is to avoid cases where libdm
+	// was updated underneath us and we call into dm_task_get_info() with too
+	// small of a buffer.
+	char _[512];
+};
+
+// We have to wrap this in CGo, because Go really doesn't like function pointers.
+int call_dm_task_deferred_remove(void *fn, struct dm_task *task)
+{
+	int (*_dm_task_deferred_remove)(struct dm_task *task) = fn;
+	return _dm_task_deferred_remove(task);
+}
+*/
+import "C"
+
+import (
+	"unsafe"
+
+	"github.com/sirupsen/logrus"
+)
+
+// dm_task_deferred_remove is not supported by all distributions, due to
+// out-dated versions of devicemapper. However, in the case where the
+// devicemapper library was updated without rebuilding Docker (which can happen
+// in some distributions) then we should attempt to dynamically load the
+// relevant object rather than try to link to it.
+
+// dmTaskDeferredRemoveFct is a "bound" version of dm_task_deferred_remove.
+// It is nil if dm_task_deferred_remove was not found in the libdevmapper that
+// is currently loaded.
+var dmTaskDeferredRemovePtr unsafe.Pointer
+
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation. This value is fixed during init.
+var LibraryDeferredRemovalSupport bool
+
+func init() {
+	// Clear any errors.
+	var err *C.char
+	C.dlerror()
+
+	// The symbol we want to fetch.
+	symName := C.CString("dm_task_deferred_remove")
+	defer C.free(unsafe.Pointer(symName))
+
+	// See if we can find dm_task_deferred_remove. Since we already are linked
+	// to libdevmapper, we can search our own address space (rather than trying
+	// to guess what libdevmapper is called). We use NULL here, as RTLD_DEFAULT
+	// is not available in CGO (even if you set _GNU_SOURCE for some reason).
+	// The semantics are identical on glibc.
+	sym := C.dlsym(nil, symName)
+	err = C.dlerror()
+	if err != nil {
+		logrus.Debugf("devmapper: could not load dm_task_deferred_remove: %s", C.GoString(err))
+		return
+	}
+
+	logrus.Debugf("devmapper: found dm_task_deferred_remove at %x", uintptr(sym))
+	dmTaskDeferredRemovePtr = sym
+	LibraryDeferredRemovalSupport = true
+}
+
+func dmTaskDeferredRemoveFct(task *cdmTask) int {
+	sym := dmTaskDeferredRemovePtr
+	if sym == nil || !LibraryDeferredRemovalSupport {
+		return -1
+	}
+	return int(C.call_dm_task_deferred_remove(sym, (*C.struct_dm_task)(task)))
+}
+
+func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int {
+	if !LibraryDeferredRemovalSupport {
+		return -1
+	}
+
+	Cinfo := C.struct_backport_dm_info{}
+	defer func() {
+		info.Exists = int(Cinfo.exists)
+		info.Suspended = int(Cinfo.suspended)
+		info.LiveTable = int(Cinfo.live_table)
+		info.InactiveTable = int(Cinfo.inactive_table)
+		info.OpenCount = int32(Cinfo.open_count)
+		info.EventNr = uint32(Cinfo.event_nr)
+		info.Major = uint32(Cinfo.major)
+		info.Minor = uint32(Cinfo.minor)
+		info.ReadOnly = int(Cinfo.read_only)
+		info.TargetCount = int32(Cinfo.target_count)
+		info.DeferredRemove = int(Cinfo.deferred_remove)
+	}()
+	return int(C.dm_task_get_info((*C.struct_dm_task)(task), (*C.struct_dm_info)(unsafe.Pointer(&Cinfo))))
+}
diff --git a/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go b/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
new file mode 100644
index 00000000..8889f0f4
--- /dev/null
+++ b/engine/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
@@ -0,0 +1,17 @@
+// +build linux,cgo
+// +build !libdm_dlsym_deferred_remove,libdm_no_deferred_remove
+
+package devicemapper // import "github.com/docker/docker/pkg/devicemapper"
+
+// LibraryDeferredRemovalSupport tells if the feature is supported by the
+// current Docker invocation.
+const LibraryDeferredRemovalSupport = false
+
+func dmTaskDeferredRemoveFct(task *cdmTask) int {
+	// Error. Nobody should be calling it.
+	return -1
+}
+
+func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int {
+	return -1
+}
diff --git a/engine/pkg/devicemapper/ioctl.go b/engine/pkg/devicemapper/ioctl.go
new file mode 100644
index 00000000..ec5a0b33
--- /dev/null
+++ b/engine/pkg/devicemapper/ioctl.go
@@ -0,0 +1,28 @@
+// +build linux,cgo
+
+package devicemapper // import "github.com/docker/docker/pkg/devicemapper"
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+func ioctlBlkGetSize64(fd uintptr) (int64, error) {
+	var size int64
+	if _, _, err := unix.Syscall(unix.SYS_IOCTL, fd, BlkGetSize64, uintptr(unsafe.Pointer(&size))); err != 0 {
+		return 0, err
+	}
+	return size, nil
+}
+
+func ioctlBlkDiscard(fd uintptr, offset, length uint64) error {
+	var r [2]uint64
+	r[0] = offset
+	r[1] = length
+
+	if _, _, err := unix.Syscall(unix.SYS_IOCTL, fd, BlkDiscard, uintptr(unsafe.Pointer(&r[0]))); err != 0 {
+		return err
+	}
+	return nil
+}
diff --git a/engine/pkg/devicemapper/log.go b/engine/pkg/devicemapper/log.go
new file mode 100644
index 00000000..dd330ba4
--- /dev/null
+++ b/engine/pkg/devicemapper/log.go
@@ -0,0 +1,11 @@
+package devicemapper // import "github.com/docker/docker/pkg/devicemapper"
+
+// definitions from lvm2 lib/log/log.h
+const (
+	LogLevelFatal  = 2 + iota // _LOG_FATAL
+	LogLevelErr               // _LOG_ERR
+	LogLevelWarn              // _LOG_WARN
+	LogLevelNotice            // _LOG_NOTICE
+	LogLevelInfo              // _LOG_INFO
+	LogLevelDebug             // _LOG_DEBUG
+)
diff --git a/engine/pkg/directory/directory.go b/engine/pkg/directory/directory.go
new file mode 100644
index 00000000..51d4a6ea
--- /dev/null
+++ b/engine/pkg/directory/directory.go
@@ -0,0 +1,26 @@
+package directory // import "github.com/docker/docker/pkg/directory"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+// MoveToSubdir moves all contents of a directory to a subdirectory underneath the original path
+func MoveToSubdir(oldpath, subdir string) error {
+
+	infos, err := ioutil.ReadDir(oldpath)
+	if err != nil {
+		return err
+	}
+	for _, info := range infos {
+		if info.Name() != subdir {
+			oldName := filepath.Join(oldpath, info.Name())
+			newName := filepath.Join(oldpath, subdir, info.Name())
+			if err := os.Rename(oldName, newName); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
diff --git a/engine/pkg/directory/directory_test.go b/engine/pkg/directory/directory_test.go
new file mode 100644
index 00000000..ea62bdf2
--- /dev/null
+++ b/engine/pkg/directory/directory_test.go
@@ -0,0 +1,193 @@
+package directory // import "github.com/docker/docker/pkg/directory"
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"sort"
+	"testing"
+)
+
+// Size of an empty directory should be 0
+func TestSizeEmpty(t *testing.T) {
+	var dir string
+	var err error
+	if dir, err = ioutil.TempDir(os.TempDir(), "testSizeEmptyDirectory"); err != nil {
+		t.Fatalf("failed to create directory: %s", err)
+	}
+
+	var size int64
+	if size, _ = Size(context.Background(), dir); size != 0 {
+		t.Fatalf("empty directory has size: %d", size)
+	}
+}
+
+// Size of a directory with one empty file should be 0
+func TestSizeEmptyFile(t *testing.T) {
+	var dir string
+	var err error
+	if dir, err = ioutil.TempDir(os.TempDir(), "testSizeEmptyFile"); err != nil {
+		t.Fatalf("failed to create directory: %s", err)
+	}
+
+	var file *os.File
+	if file, err = ioutil.TempFile(dir, "file"); err != nil {
+		t.Fatalf("failed to create file: %s", err)
+	}
+
+	var size int64
+	if size, _ = Size(context.Background(), file.Name()); size != 0 {
+		t.Fatalf("directory with one file has size: %d", size)
+	}
+}
+
+// Size of a directory with one 5-byte file should be 5
+func TestSizeNonemptyFile(t *testing.T) {
+	var dir string
+	var err error
+	if dir, err = ioutil.TempDir(os.TempDir(), "testSizeNonemptyFile"); err != nil {
+		t.Fatalf("failed to create directory: %s", err)
+	}
+
+	var file *os.File
+	if file, err = ioutil.TempFile(dir, "file"); err != nil {
+		t.Fatalf("failed to create file: %s", err)
+	}
+
+	d := []byte{97, 98, 99, 100, 101}
+	file.Write(d)
+
+	var size int64
+	if size, _ = Size(context.Background(), file.Name()); size != 5 {
+		t.Fatalf("directory with one 5-byte file has size: %d", size)
+	}
+}
+
+// Size of a directory with one empty directory should be 0
+func TestSizeNestedDirectoryEmpty(t *testing.T) {
+	var dir string
+	var err error
+	if dir, err = ioutil.TempDir(os.TempDir(), "testSizeNestedDirectoryEmpty"); err != nil {
+		t.Fatalf("failed to create directory: %s", err)
+	}
+	if dir, err = ioutil.TempDir(dir, "nested"); err != nil {
+		t.Fatalf("failed to create nested directory: %s", err)
+	}
+
+	var size int64
+	if size, _ = Size(context.Background(), dir); size != 0 {
+		t.Fatalf("directory with one empty directory has size: %d", size)
+	}
+}
+
+// Test directory with 1 file and 1 empty directory
+func TestSizeFileAndNestedDirectoryEmpty(t *testing.T) {
+	var dir string
+	var err error
+	if dir, err = ioutil.TempDir(os.TempDir(), "testSizeFileAndNestedDirectoryEmpty"); err != nil {
+		t.Fatalf("failed to create directory: %s", err)
+	}
+	if dir, err = ioutil.TempDir(dir, "nested"); err != nil {
+		t.Fatalf("failed to create nested directory: %s", err)
+	}
+
+	var file *os.File
+	if file, err = ioutil.TempFile(dir, "file"); err != nil {
+		t.Fatalf("failed to create file: %s", err)
+	}
+
+	d := []byte{100, 111, 99, 107, 101, 114}
+	file.Write(d)
+
+	var size int64
+	if size, _ = Size(context.Background(), dir); size != 6 {
+		t.Fatalf("directory with 6-byte file and empty directory has size: %d", size)
+	}
+}
+
+// Test directory with 1 file and 1 non-empty directory
+func TestSizeFileAndNestedDirectoryNonempty(t *testing.T) {
+	var dir, dirNested string
+	var err error
+	if dir, err = ioutil.TempDir(os.TempDir(), "TestSizeFileAndNestedDirectoryNonempty"); err != nil {
+		t.Fatalf("failed to create directory: %s", err)
+	}
+	if dirNested, err = ioutil.TempDir(dir, "nested"); err != nil {
+		t.Fatalf("failed to create nested directory: %s", err)
+	}
+
+	var file *os.File
+	if file, err = ioutil.TempFile(dir, "file"); err != nil {
+		t.Fatalf("failed to create file: %s", err)
+	}
+
+	data := []byte{100, 111, 99, 107, 101, 114}
+	file.Write(data)
+
+	var nestedFile *os.File
+	if nestedFile, err = ioutil.TempFile(dirNested, "file"); err != nil {
+		t.Fatalf("failed to create file in nested directory: %s", err)
+	}
+
+	nestedData := []byte{100, 111, 99, 107, 101, 114}
+	nestedFile.Write(nestedData)
+
+	var size int64
+	if size, _ = Size(context.Background(), dir); size != 12 {
+		t.Fatalf("directory with 6-byte file and nested directory with 6-byte file has size: %d", size)
+	}
+}
+
+// Test migration of directory to a subdir underneath itself
+func TestMoveToSubdir(t *testing.T) {
+	var outerDir, subDir string
+	var err error
+
+	if outerDir, err = ioutil.TempDir(os.TempDir(), "TestMoveToSubdir"); err != nil {
+		t.Fatalf("failed to create directory: %v", err)
+	}
+
+	if subDir, err = ioutil.TempDir(outerDir, "testSub"); err != nil {
+		t.Fatalf("failed to create subdirectory: %v", err)
+	}
+
+	// write 4 temp files in the outer dir to get moved
+	filesList := []string{"a", "b", "c", "d"}
+	for _, fName := range filesList {
+		if file, err := os.Create(filepath.Join(outerDir, fName)); err != nil {
+			t.Fatalf("couldn't create temp file %q: %v", fName, err)
+		} else {
+			file.WriteString(fName)
+			file.Close()
+		}
+	}
+
+	if err = MoveToSubdir(outerDir, filepath.Base(subDir)); err != nil {
+		t.Fatalf("Error during migration of content to subdirectory: %v", err)
+	}
+	// validate that the files were moved to the subdirectory
+	infos, err := ioutil.ReadDir(subDir)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(infos) != 4 {
+		t.Fatalf("Should be four files in the subdir after the migration: actual length: %d", len(infos))
+	}
+	var results []string
+	for _, info := range infos {
+		results = append(results, info.Name())
+	}
+	sort.Sort(sort.StringSlice(results))
+	if !reflect.DeepEqual(filesList, results) {
+		t.Fatalf("Results after migration do not equal list of files: expected: %v, got: %v", filesList, results)
+	}
+}
+
+// Test a non-existing directory
+func TestSizeNonExistingDirectory(t *testing.T) {
+	if _, err := Size(context.Background(), "/thisdirectoryshouldnotexist/TestSizeNonExistingDirectory"); err == nil {
+		t.Fatalf("error is expected")
+	}
+}
diff --git a/engine/pkg/directory/directory_unix.go b/engine/pkg/directory/directory_unix.go
new file mode 100644
index 00000000..f56dd7a8
--- /dev/null
+++ b/engine/pkg/directory/directory_unix.go
@@ -0,0 +1,54 @@
+// +build linux freebsd darwin
+
+package directory // import "github.com/docker/docker/pkg/directory"
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"syscall"
+)
+
+// Size walks a directory tree and returns its total size in bytes.
+func Size(ctx context.Context, dir string) (size int64, err error) {
+	data := make(map[uint64]struct{})
+	err = filepath.Walk(dir, func(d string, fileInfo os.FileInfo, err error) error {
+		if err != nil {
+			// if dir does not exist, Size() returns the error.
+			// if dir/x disappeared while walking, Size() ignores dir/x.
+			if os.IsNotExist(err) && d != dir {
+				return nil
+			}
+			return err
+		}
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+
+		// Ignore directory sizes
+		if fileInfo == nil {
+			return nil
+		}
+
+		s := fileInfo.Size()
+		if fileInfo.IsDir() || s == 0 {
+			return nil
+		}
+
+		// Check inode to handle hard links correctly
+		inode := fileInfo.Sys().(*syscall.Stat_t).Ino
+		// inode is not a uint64 on all platforms. Cast it to avoid issues.
+		if _, exists := data[inode]; exists {
+			return nil
+		}
+		// inode is not a uint64 on all platforms. Cast it to avoid issues.
+		data[inode] = struct{}{}
+
+		size += s
+
+		return nil
+	})
+	return
+}
diff --git a/engine/pkg/directory/directory_windows.go b/engine/pkg/directory/directory_windows.go
new file mode 100644
index 00000000..f07f2418
--- /dev/null
+++ b/engine/pkg/directory/directory_windows.go
@@ -0,0 +1,42 @@
+package directory // import "github.com/docker/docker/pkg/directory"
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+)
+
+// Size walks a directory tree and returns its total size in bytes.
+func Size(ctx context.Context, dir string) (size int64, err error) {
+	err = filepath.Walk(dir, func(d string, fileInfo os.FileInfo, err error) error {
+		if err != nil {
+			// if dir does not exist, Size() returns the error.
+			// if dir/x disappeared while walking, Size() ignores dir/x.
+			if os.IsNotExist(err) && d != dir {
+				return nil
+			}
+			return err
+		}
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+
+		// Ignore directory sizes
+		if fileInfo == nil {
+			return nil
+		}
+
+		s := fileInfo.Size()
+		if fileInfo.IsDir() || s == 0 {
+			return nil
+		}
+
+		size += s
+
+		return nil
+	})
+	return
+}
diff --git a/engine/pkg/discovery/README.md b/engine/pkg/discovery/README.md
new file mode 100644
index 00000000..d8ed9ce7
--- /dev/null
+++ b/engine/pkg/discovery/README.md
@@ -0,0 +1,41 @@
+---
+page_title: Docker discovery
+page_description: discovery
+page_keywords: docker, clustering, discovery
+---
+
+# Discovery
+
+Docker comes with multiple Discovery backends.
+
+## Backends
+
+### Using etcd
+
+Point your Docker Engine instances to a common etcd instance. You can specify
+the address Docker uses to advertise the node using the `--cluster-advertise`
+flag.
+
+```bash
+$ dockerd -H=<node_ip:2376> --cluster-advertise=<node_ip:2376> --cluster-store etcd://<etcd_ip1>,<etcd_ip2>/<path>
+```
+
+### Using consul
+
+Point your Docker Engine instances to a common Consul instance. You can specify
+the address Docker uses to advertise the node using the `--cluster-advertise`
+flag.
+
+```bash
+$ dockerd -H=<node_ip:2376> --cluster-advertise=<node_ip:2376> --cluster-store consul://<consul_ip>/<path>
+```
+
+### Using zookeeper
+
+Point your Docker Engine instances to a common Zookeeper instance. You can specify
+the address Docker uses to advertise the node using the `--cluster-advertise`
+flag.
+
+```bash
+$ dockerd -H=<node_ip:2376> --cluster-advertise=<node_ip:2376> --cluster-store zk://<zk_addr1>,<zk_addr2>/<path>
+```
diff --git a/engine/pkg/discovery/backends.go b/engine/pkg/discovery/backends.go
new file mode 100644
index 00000000..1d038285
--- /dev/null
+++ b/engine/pkg/discovery/backends.go
@@ -0,0 +1,107 @@
+package discovery // import "github.com/docker/docker/pkg/discovery"
+
+import (
+	"fmt"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// Backends is a global map of discovery backends indexed by their
+	// associated scheme.
+	backends = make(map[string]Backend)
+)
+
+// Register makes a discovery backend available by the provided scheme.
+// If Register is called twice with the same scheme an error is returned.
+func Register(scheme string, d Backend) error {
+	if _, exists := backends[scheme]; exists {
+		return fmt.Errorf("scheme already registered %s", scheme)
+	}
+	logrus.WithField("name", scheme).Debugf("Registering discovery service")
+	backends[scheme] = d
+	return nil
+}
+
+func parse(rawurl string) (string, string) {
+	parts := strings.SplitN(rawurl, "://", 2)
+
+	// nodes:port,node2:port => nodes://node1:port,node2:port
+	if len(parts) == 1 {
+		return "nodes", parts[0]
+	}
+	return parts[0], parts[1]
+}
+
+// ParseAdvertise parses the --cluster-advertise daemon config which accepts
+// <ip-address>:<port> or <interface-name>:<port>
+func ParseAdvertise(advertise string) (string, error) {
+	var (
+		iface *net.Interface
+		addrs []net.Addr
+		err   error
+	)
+
+	addr, port, err := net.SplitHostPort(advertise)
+
+	if err != nil {
+		return "", fmt.Errorf("invalid --cluster-advertise configuration: %s: %v", advertise, err)
+	}
+
+	ip := net.ParseIP(addr)
+	// If it is a valid ip-address, use it as is
+	if ip != nil {
+		return advertise, nil
+	}
+
+	// If advertise is a valid interface name, get the valid IPv4 address and use it to advertise
+	ifaceName := addr
+	iface, err = net.InterfaceByName(ifaceName)
+	if err != nil {
+		return "", fmt.Errorf("invalid cluster advertise IP address or interface name (%s) : %v", advertise, err)
+	}
+
+	addrs, err = iface.Addrs()
+	if err != nil {
+		return "", fmt.Errorf("unable to get advertise IP address from interface (%s) : %v", advertise, err)
+	}
+
+	if len(addrs) == 0 {
+		return "", fmt.Errorf("no available advertise IP address in interface (%s)", advertise)
+	}
+
+	addr = ""
+	for _, a := range addrs {
+		ip, _, err := net.ParseCIDR(a.String())
+		if err != nil {
+			return "", fmt.Errorf("error deriving advertise ip-address in interface (%s) : %v", advertise, err)
+		}
+		if ip.To4() == nil || ip.IsLoopback() {
+			continue
+		}
+		addr = ip.String()
+		break
+	}
+	if addr == "" {
+		return "", fmt.Errorf("could not find a valid ip-address in interface %s", advertise)
+	}
+
+	addr = net.JoinHostPort(addr, port)
+	return addr, nil
+}
+
+// New returns a new Discovery given a URL, heartbeat and ttl settings.
+// Returns an error if the URL scheme is not supported.
+func New(rawurl string, heartbeat time.Duration, ttl time.Duration, clusterOpts map[string]string) (Backend, error) {
+	scheme, uri := parse(rawurl)
+	if backend, exists := backends[scheme]; exists {
+		logrus.WithFields(logrus.Fields{"name": scheme, "uri": uri}).Debugf("Initializing discovery service")
+		err := backend.Initialize(uri, heartbeat, ttl, clusterOpts)
+		return backend, err
+	}
+
+	return nil, ErrNotSupported
+}
diff --git a/engine/pkg/discovery/discovery.go b/engine/pkg/discovery/discovery.go
new file mode 100644
index 00000000..828c5ca4
--- /dev/null
+++ b/engine/pkg/discovery/discovery.go
@@ -0,0 +1,35 @@
+package discovery // import "github.com/docker/docker/pkg/discovery"
+
+import (
+	"errors"
+	"time"
+)
+
+var (
+	// ErrNotSupported is returned when a discovery service is not supported.
+	ErrNotSupported = errors.New("discovery service not supported")
+
+	// ErrNotImplemented is returned when discovery feature is not implemented
+	// by discovery backend.
+	ErrNotImplemented = errors.New("not implemented in this discovery service")
+)
+
+// Watcher provides watching over a cluster for nodes joining and leaving.
+type Watcher interface {
+	// Watch the discovery for entry changes.
+	// Returns a channel that will receive changes or an error.
+	// Providing a non-nil stopCh can be used to stop watching.
+	Watch(stopCh <-chan struct{}) (<-chan Entries, <-chan error)
+}
+
+// Backend is implemented by discovery backends which manage cluster entries.
+type Backend interface {
+	// Watcher must be provided by every backend.
+	Watcher
+
+	// Initialize the discovery with URIs, a heartbeat, a ttl and optional settings.
+	Initialize(string, time.Duration, time.Duration, map[string]string) error
+
+	// Register to the discovery.
+	Register(string) error
+}
diff --git a/engine/pkg/discovery/discovery_test.go b/engine/pkg/discovery/discovery_test.go
new file mode 100644
index 00000000..ffe8cb91
--- /dev/null
+++ b/engine/pkg/discovery/discovery_test.go
@@ -0,0 +1,137 @@
+package discovery // import "github.com/docker/docker/pkg/discovery"
+
+import (
+	"testing"
+
+	"github.com/go-check/check"
+)
+
+// Hook up gocheck into the "go test" runner.
+func Test(t *testing.T) { check.TestingT(t) }
+
+type DiscoverySuite struct{}
+
+var _ = check.Suite(&DiscoverySuite{})
+
+func (s *DiscoverySuite) TestNewEntry(c *check.C) {
+	entry, err := NewEntry("127.0.0.1:2375")
+	c.Assert(err, check.IsNil)
+	c.Assert(entry.Equals(&Entry{Host: "127.0.0.1", Port: "2375"}), check.Equals, true)
+	c.Assert(entry.String(), check.Equals, "127.0.0.1:2375")
+
+	entry, err = NewEntry("[2001:db8:0:f101::2]:2375")
+	c.Assert(err, check.IsNil)
+	c.Assert(entry.Equals(&Entry{Host: "2001:db8:0:f101::2", Port: "2375"}), check.Equals, true)
+	c.Assert(entry.String(), check.Equals, "[2001:db8:0:f101::2]:2375")
+
+	_, err = NewEntry("127.0.0.1")
+	c.Assert(err, check.NotNil)
+}
+
+func (s *DiscoverySuite) TestParse(c *check.C) {
+	scheme, uri := parse("127.0.0.1:2375")
+	c.Assert(scheme, check.Equals, "nodes")
+	c.Assert(uri, check.Equals, "127.0.0.1:2375")
+
+	scheme, uri = parse("localhost:2375")
+	c.Assert(scheme, check.Equals, "nodes")
+	c.Assert(uri, check.Equals, "localhost:2375")
+
+	scheme, uri = parse("scheme://127.0.0.1:2375")
+	c.Assert(scheme, check.Equals, "scheme")
+	c.Assert(uri, check.Equals, "127.0.0.1:2375")
+
+	scheme, uri = parse("scheme://localhost:2375")
+	c.Assert(scheme, check.Equals, "scheme")
+	c.Assert(uri, check.Equals, "localhost:2375")
+
+	scheme, uri = parse("")
+	c.Assert(scheme, check.Equals, "nodes")
+	c.Assert(uri, check.Equals, "")
+}
+
+func (s *DiscoverySuite) TestCreateEntries(c *check.C) {
+	entries, err := CreateEntries(nil)
+	c.Assert(entries, check.DeepEquals, Entries{})
+	c.Assert(err, check.IsNil)
+
+	entries, err = CreateEntries([]string{"127.0.0.1:2375", "127.0.0.2:2375", "[2001:db8:0:f101::2]:2375", ""})
+	c.Assert(err, check.IsNil)
+	expected := Entries{
+		&Entry{Host: "127.0.0.1", Port: "2375"},
+		&Entry{Host: "127.0.0.2", Port: "2375"},
+		&Entry{Host: "2001:db8:0:f101::2", Port: "2375"},
+	}
+	c.Assert(entries.Equals(expected), check.Equals, true)
+
+	_, err = CreateEntries([]string{"127.0.0.1", "127.0.0.2"})
+	c.Assert(err, check.NotNil)
+}
+
+func (s *DiscoverySuite) TestContainsEntry(c *check.C) {
+	entries, err := CreateEntries([]string{"127.0.0.1:2375", "127.0.0.2:2375", ""})
+	c.Assert(err, check.IsNil)
+	c.Assert(entries.Contains(&Entry{Host: "127.0.0.1", Port: "2375"}), check.Equals, true)
+	c.Assert(entries.Contains(&Entry{Host: "127.0.0.3", Port: "2375"}), check.Equals, false)
+}
+
+func (s *DiscoverySuite) TestEntriesEquality(c *check.C) {
+	entries := Entries{
+		&Entry{Host: "127.0.0.1", Port: "2375"},
+		&Entry{Host: "127.0.0.2", Port: "2375"},
+	}
+
+	// Same
+	c.Assert(entries.Equals(Entries{
+		&Entry{Host: "127.0.0.1", Port: "2375"},
+		&Entry{Host: "127.0.0.2", Port: "2375"},
+	}), check.
+		Equals, true)
+
+	// Different size
+	c.Assert(entries.Equals(Entries{
+		&Entry{Host: "127.0.0.1", Port: "2375"},
+		&Entry{Host: "127.0.0.2", Port: "2375"},
+		&Entry{Host: "127.0.0.3", Port: "2375"},
+	}), check.
+		Equals, false)
+
+	// Different content
+	c.Assert(entries.Equals(Entries{
+		&Entry{Host: "127.0.0.1", Port: "2375"},
+		&Entry{Host: "127.0.0.42", Port: "2375"},
+	}), check.
+		Equals, false)
+
+}
+
+func (s *DiscoverySuite) TestEntriesDiff(c *check.C) {
+	entry1 := &Entry{Host: "1.1.1.1", Port: "1111"}
+	entry2 := &Entry{Host: "2.2.2.2", Port: "2222"}
+	entry3 := &Entry{Host: "3.3.3.3", Port: "3333"}
+	entries := Entries{entry1, entry2}
+
+	// No diff
+	added, removed := entries.Diff(Entries{entry2, entry1})
+	c.Assert(added, check.HasLen, 0)
+	c.Assert(removed, check.HasLen, 0)
+
+	// Add
+	added, removed = entries.Diff(Entries{entry2, entry3, entry1})
+	c.Assert(added, check.HasLen, 1)
+	c.Assert(added.Contains(entry3), check.Equals, true)
+	c.Assert(removed, check.HasLen, 0)
+
+	// Remove
+	added, removed = entries.Diff(Entries{entry2})
+	c.Assert(added, check.HasLen, 0)
+	c.Assert(removed, check.HasLen, 1)
+	c.Assert(removed.Contains(entry1), check.Equals, true)
+
+	// Add and remove
+	added, removed = entries.Diff(Entries{entry1, entry3})
+	c.Assert(added, check.HasLen, 1)
+	c.Assert(added.Contains(entry3), check.Equals, true)
+	c.Assert(removed, check.HasLen, 1)
+	c.Assert(removed.Contains(entry2), check.Equals, true)
+}
diff --git a/engine/pkg/discovery/entry.go b/engine/pkg/discovery/entry.go
new file mode 100644
index 00000000..be06c757
--- /dev/null
+++ b/engine/pkg/discovery/entry.go
@@ -0,0 +1,94 @@
+package discovery // import "github.com/docker/docker/pkg/discovery"
+
+import "net"
+
+// NewEntry creates a new entry.
+func NewEntry(url string) (*Entry, error) {
+	host, port, err := net.SplitHostPort(url)
+	if err != nil {
+		return nil, err
+	}
+	return &Entry{host, port}, nil
+}
+
+// An Entry represents a host.
+type Entry struct {
+	Host string
+	Port string
+}
+
+// Equals returns true if cmp contains the same data.
+func (e *Entry) Equals(cmp *Entry) bool {
+	return e.Host == cmp.Host && e.Port == cmp.Port
+}
+
+// String returns the string form of an entry.
+func (e *Entry) String() string {
+	return net.JoinHostPort(e.Host, e.Port)
+}
+
+// Entries is a list of *Entry with some helpers.
+type Entries []*Entry
+
+// Equals returns true if cmp contains the same data.
+func (e Entries) Equals(cmp Entries) bool {
+	// Check if the file has really changed.
+	if len(e) != len(cmp) {
+		return false
+	}
+	for i := range e {
+		if !e[i].Equals(cmp[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+// Contains returns true if the Entries contain a given Entry.
+func (e Entries) Contains(entry *Entry) bool {
+	for _, curr := range e {
+		if curr.Equals(entry) {
+			return true
+		}
+	}
+	return false
+}
+
+// Diff compares two entries and returns the added and removed entries.
+func (e Entries) Diff(cmp Entries) (Entries, Entries) {
+	added := Entries{}
+	for _, entry := range cmp {
+		if !e.Contains(entry) {
+			added = append(added, entry)
+		}
+	}
+
+	removed := Entries{}
+	for _, entry := range e {
+		if !cmp.Contains(entry) {
+			removed = append(removed, entry)
+		}
+	}
+
+	return added, removed
+}
+
+// CreateEntries returns an array of entries based on the given addresses.
+func CreateEntries(addrs []string) (Entries, error) {
+	entries := Entries{}
+	if addrs == nil {
+		return entries, nil
+	}
+
+	for _, addr := range addrs {
+		if len(addr) == 0 {
+			continue
+		}
+		entry, err := NewEntry(addr)
+		if err != nil {
+			return nil, err
+		}
+		entries = append(entries, entry)
+	}
+	return entries, nil
+}
diff --git a/engine/pkg/discovery/file/file.go b/engine/pkg/discovery/file/file.go
new file mode 100644
index 00000000..1494af48
--- /dev/null
+++ b/engine/pkg/discovery/file/file.go
@@ -0,0 +1,107 @@
+package file // import "github.com/docker/docker/pkg/discovery/file"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/pkg/discovery"
+)
+
+// Discovery is exported
+type Discovery struct {
+	heartbeat time.Duration
+	path      string
+}
+
+func init() {
+	Init()
+}
+
+// Init is exported
+func Init() {
+	discovery.Register("file", &Discovery{})
+}
+
+// Initialize is exported
+func (s *Discovery) Initialize(path string, heartbeat time.Duration, ttl time.Duration, _ map[string]string) error {
+	s.path = path
+	s.heartbeat = heartbeat
+	return nil
+}
+
+func parseFileContent(content []byte) []string {
+	var result []string
+	for _, line := range strings.Split(strings.TrimSpace(string(content)), "\n") {
+		line = strings.TrimSpace(line)
+		// Ignoring line starts with #
+		if strings.HasPrefix(line, "#") {
+			continue
+		}
+		// Inlined # comment also ignored.
+		if strings.Contains(line, "#") {
+			line = line[0:strings.Index(line, "#")]
+			// Trim additional spaces caused by above stripping.
+			line = strings.TrimSpace(line)
+		}
+		result = append(result, discovery.Generate(line)...)
+	}
+	return result
+}
+
+func (s *Discovery) fetch() (discovery.Entries, error) {
+	fileContent, err := ioutil.ReadFile(s.path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read '%s': %v", s.path, err)
+	}
+	return discovery.CreateEntries(parseFileContent(fileContent))
+}
+
+// Watch is exported
+func (s *Discovery) Watch(stopCh <-chan struct{}) (<-chan discovery.Entries, <-chan error) {
+	ch := make(chan discovery.Entries)
+	errCh := make(chan error)
+	ticker := time.NewTicker(s.heartbeat)
+
+	go func() {
+		defer close(errCh)
+		defer close(ch)
+
+		// Send the initial entries if available.
+		currentEntries, err := s.fetch()
+		if err != nil {
+			errCh <- err
+		} else {
+			ch <- currentEntries
+		}
+
+		// Periodically send updates.
+		for {
+			select {
+			case <-ticker.C:
+				newEntries, err := s.fetch()
+				if err != nil {
+					errCh <- err
+					continue
+				}
+
+				// Check if the file has really changed.
+				if !newEntries.Equals(currentEntries) {
+					ch <- newEntries
+				}
+				currentEntries = newEntries
+			case <-stopCh:
+				ticker.Stop()
+				return
+			}
+		}
+	}()
+
+	return ch, errCh
+}
+
+// Register is exported
+func (s *Discovery) Register(addr string) error {
+	return discovery.ErrNotImplemented
+}
diff --git a/engine/pkg/discovery/file/file_test.go b/engine/pkg/discovery/file/file_test.go
new file mode 100644
index 00000000..010e941c
--- /dev/null
+++ b/engine/pkg/discovery/file/file_test.go
@@ -0,0 +1,114 @@
+package file // import "github.com/docker/docker/pkg/discovery/file"
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/pkg/discovery"
+
+	"github.com/go-check/check"
+)
+
+// Hook up gocheck into the "go test" runner.
+func Test(t *testing.T) { check.TestingT(t) }
+
+type DiscoverySuite struct{}
+
+var _ = check.Suite(&DiscoverySuite{})
+
+func (s *DiscoverySuite) TestInitialize(c *check.C) {
+	d := &Discovery{}
+	d.Initialize("/path/to/file", 1000, 0, nil)
+	c.Assert(d.path, check.Equals, "/path/to/file")
+}
+
+func (s *DiscoverySuite) TestNew(c *check.C) {
+	d, err := discovery.New("file:///path/to/file", 0, 0, nil)
+	c.Assert(err, check.IsNil)
+	c.Assert(d.(*Discovery).path, check.Equals, "/path/to/file")
+}
+
+func (s *DiscoverySuite) TestContent(c *check.C) {
+	data := `
+1.1.1.[1:2]:1111
+2.2.2.[2:4]:2222
+`
+	ips := parseFileContent([]byte(data))
+	c.Assert(ips, check.HasLen, 5)
+	c.Assert(ips[0], check.Equals, "1.1.1.1:1111")
+	c.Assert(ips[1], check.Equals, "1.1.1.2:1111")
+	c.Assert(ips[2], check.Equals, "2.2.2.2:2222")
+	c.Assert(ips[3], check.Equals, "2.2.2.3:2222")
+	c.Assert(ips[4], check.Equals, "2.2.2.4:2222")
+}
+
+func (s *DiscoverySuite) TestRegister(c *check.C) {
+	discovery := &Discovery{path: "/path/to/file"}
+	c.Assert(discovery.Register("0.0.0.0"), check.NotNil)
+}
+
+func (s *DiscoverySuite) TestParsingContentsWithComments(c *check.C) {
+	data := `
+### test ###
+1.1.1.1:1111 # inline comment
+# 2.2.2.2:2222
+      ### empty line with comment
+    3.3.3.3:3333
+### test ###
+`
+	ips := parseFileContent([]byte(data))
+	c.Assert(ips, check.HasLen, 2)
+	c.Assert("1.1.1.1:1111", check.Equals, ips[0])
+	c.Assert("3.3.3.3:3333", check.Equals, ips[1])
+}
+
+func (s *DiscoverySuite) TestWatch(c *check.C) {
+	data := `
+1.1.1.1:1111
+2.2.2.2:2222
+`
+	expected := discovery.Entries{
+		&discovery.Entry{Host: "1.1.1.1", Port: "1111"},
+		&discovery.Entry{Host: "2.2.2.2", Port: "2222"},
+	}
+
+	// Create a temporary file and remove it.
+	tmp, err := ioutil.TempFile(os.TempDir(), "discovery-file-test")
+	c.Assert(err, check.IsNil)
+	c.Assert(tmp.Close(), check.IsNil)
+	c.Assert(os.Remove(tmp.Name()), check.IsNil)
+
+	// Set up file discovery.
+	d := &Discovery{}
+	d.Initialize(tmp.Name(), 1000, 0, nil)
+	stopCh := make(chan struct{})
+	ch, errCh := d.Watch(stopCh)
+
+	// Make sure it fires errors since the file doesn't exist.
+	c.Assert(<-errCh, check.NotNil)
+	// We have to drain the error channel otherwise Watch will get stuck.
+	go func() {
+		for range errCh {
+		}
+	}()
+
+	// Write the file and make sure we get the expected value back.
+	c.Assert(ioutil.WriteFile(tmp.Name(), []byte(data), 0600), check.IsNil)
+	c.Assert(<-ch, check.DeepEquals, expected)
+
+	// Add a new entry and look it up.
+	expected = append(expected, &discovery.Entry{Host: "3.3.3.3", Port: "3333"})
+	f, err := os.OpenFile(tmp.Name(), os.O_APPEND|os.O_WRONLY, 0600)
+	c.Assert(err, check.IsNil)
+	c.Assert(f, check.NotNil)
+	_, err = f.WriteString("\n3.3.3.3:3333\n")
+	c.Assert(err, check.IsNil)
+	f.Close()
+	c.Assert(<-ch, check.DeepEquals, expected)
+
+	// Stop and make sure it closes all channels.
+	close(stopCh)
+	c.Assert(<-ch, check.IsNil)
+	c.Assert(<-errCh, check.IsNil)
+}
diff --git a/engine/pkg/discovery/generator.go b/engine/pkg/discovery/generator.go
new file mode 100644
index 00000000..788015fe
--- /dev/null
+++ b/engine/pkg/discovery/generator.go
@@ -0,0 +1,35 @@
+package discovery // import "github.com/docker/docker/pkg/discovery"
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+)
+
+// Generate takes care of IP generation
+func Generate(pattern string) []string {
+	re, _ := regexp.Compile(`\[(.+):(.+)\]`)
+	submatch := re.FindStringSubmatch(pattern)
+	if submatch == nil {
+		return []string{pattern}
+	}
+
+	from, err := strconv.Atoi(submatch[1])
+	if err != nil {
+		return []string{pattern}
+	}
+	to, err := strconv.Atoi(submatch[2])
+	if err != nil {
+		return []string{pattern}
+	}
+
+	template := re.ReplaceAllString(pattern, "%d")
+
+	var result []string
+	for val := from; val <= to; val++ {
+		entry := fmt.Sprintf(template, val)
+		result = append(result, entry)
+	}
+
+	return result
+}
diff --git a/engine/pkg/discovery/generator_test.go b/engine/pkg/discovery/generator_test.go
new file mode 100644
index 00000000..5126df57
--- /dev/null
+++ b/engine/pkg/discovery/generator_test.go
@@ -0,0 +1,53 @@
+package discovery // import "github.com/docker/docker/pkg/discovery"
+
+import (
+	"github.com/go-check/check"
+)
+
+func (s *DiscoverySuite) TestGeneratorNotGenerate(c *check.C) {
+	ips := Generate("127.0.0.1")
+	c.Assert(len(ips), check.Equals, 1)
+	c.Assert(ips[0], check.Equals, "127.0.0.1")
+}
+
+func (s *DiscoverySuite) TestGeneratorWithPortNotGenerate(c *check.C) {
+	ips := Generate("127.0.0.1:8080")
+	c.Assert(len(ips), check.Equals, 1)
+	c.Assert(ips[0], check.Equals, "127.0.0.1:8080")
+}
+
+func (s *DiscoverySuite) TestGeneratorMatchFailedNotGenerate(c *check.C) {
+	ips := Generate("127.0.0.[1]")
+	c.Assert(len(ips), check.Equals, 1)
+	c.Assert(ips[0], check.Equals, "127.0.0.[1]")
+}
+
+func (s *DiscoverySuite) TestGeneratorWithPort(c *check.C) {
+	ips := Generate("127.0.0.[1:11]:2375")
+	c.Assert(len(ips), check.Equals, 11)
+	c.Assert(ips[0], check.Equals, "127.0.0.1:2375")
+	c.Assert(ips[1], check.Equals, "127.0.0.2:2375")
+	c.Assert(ips[2], check.Equals, "127.0.0.3:2375")
+	c.Assert(ips[3], check.Equals, "127.0.0.4:2375")
+	c.Assert(ips[4], check.Equals, "127.0.0.5:2375")
+	c.Assert(ips[5], check.Equals, "127.0.0.6:2375")
+	c.Assert(ips[6], check.Equals, "127.0.0.7:2375")
+	c.Assert(ips[7], check.Equals, "127.0.0.8:2375")
+	c.Assert(ips[8], check.Equals, "127.0.0.9:2375")
+	c.Assert(ips[9], check.Equals, "127.0.0.10:2375")
+	c.Assert(ips[10], check.Equals, "127.0.0.11:2375")
+}
+
+func (s *DiscoverySuite) TestGenerateWithMalformedInputAtRangeStart(c *check.C) {
+	malformedInput := "127.0.0.[x:11]:2375"
+	ips := Generate(malformedInput)
+	c.Assert(len(ips), check.Equals, 1)
+	c.Assert(ips[0], check.Equals, malformedInput)
+}
+
+func (s *DiscoverySuite) TestGenerateWithMalformedInputAtRangeEnd(c *check.C) {
+	malformedInput := "127.0.0.[1:x]:2375"
+	ips := Generate(malformedInput)
+	c.Assert(len(ips), check.Equals, 1)
+	c.Assert(ips[0], check.Equals, malformedInput)
+}
diff --git a/engine/pkg/discovery/kv/kv.go b/engine/pkg/discovery/kv/kv.go
new file mode 100644
index 00000000..30fe6714
--- /dev/null
+++ b/engine/pkg/discovery/kv/kv.go
@@ -0,0 +1,192 @@
+package kv // import "github.com/docker/docker/pkg/discovery/kv"
+
+import (
+	"fmt"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/pkg/discovery"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/docker/libkv"
+	"github.com/docker/libkv/store"
+	"github.com/docker/libkv/store/consul"
+	"github.com/docker/libkv/store/etcd"
+	"github.com/docker/libkv/store/zookeeper"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	defaultDiscoveryPath = "docker/nodes"
+)
+
+// Discovery is exported
+type Discovery struct {
+	backend   store.Backend
+	store     store.Store
+	heartbeat time.Duration
+	ttl       time.Duration
+	prefix    string
+	path      string
+}
+
+func init() {
+	Init()
+}
+
+// Init is exported
+func Init() {
+	// Register to libkv
+	zookeeper.Register()
+	consul.Register()
+	etcd.Register()
+
+	// Register to internal discovery service
+	discovery.Register("zk", &Discovery{backend: store.ZK})
+	discovery.Register("consul", &Discovery{backend: store.CONSUL})
+	discovery.Register("etcd", &Discovery{backend: store.ETCD})
+}
+
+// Initialize is exported
+func (s *Discovery) Initialize(uris string, heartbeat time.Duration, ttl time.Duration, clusterOpts map[string]string) error {
+	var (
+		parts = strings.SplitN(uris, "/", 2)
+		addrs = strings.Split(parts[0], ",")
+		err   error
+	)
+
+	// A custom prefix to the path can be optionally used.
+	if len(parts) == 2 {
+		s.prefix = parts[1]
+	}
+
+	s.heartbeat = heartbeat
+	s.ttl = ttl
+
+	// Use a custom path if specified in discovery options
+	dpath := defaultDiscoveryPath
+	if clusterOpts["kv.path"] != "" {
+		dpath = clusterOpts["kv.path"]
+	}
+
+	s.path = path.Join(s.prefix, dpath)
+
+	var config *store.Config
+	if clusterOpts["kv.cacertfile"] != "" && clusterOpts["kv.certfile"] != "" && clusterOpts["kv.keyfile"] != "" {
+		logrus.Info("Initializing discovery with TLS")
+		tlsConfig, err := tlsconfig.Client(tlsconfig.Options{
+			CAFile:   clusterOpts["kv.cacertfile"],
+			CertFile: clusterOpts["kv.certfile"],
+			KeyFile:  clusterOpts["kv.keyfile"],
+		})
+		if err != nil {
+			return err
+		}
+		config = &store.Config{
+			// Set ClientTLS to trigger https (bug in libkv/etcd)
+			ClientTLS: &store.ClientTLSConfig{
+				CACertFile: clusterOpts["kv.cacertfile"],
+				CertFile:   clusterOpts["kv.certfile"],
+				KeyFile:    clusterOpts["kv.keyfile"],
+			},
+			// The actual TLS config that will be used
+			TLS: tlsConfig,
+		}
+	} else {
+		logrus.Info("Initializing discovery without TLS")
+	}
+
+	// Creates a new store, will ignore options given
+	// if not supported by the chosen store
+	s.store, err = libkv.NewStore(s.backend, addrs, config)
+	return err
+}
+
+// Watch the store until either there's a store error or we receive a stop request.
+// Returns false if we shouldn't attempt watching the store anymore (stop request received).
+func (s *Discovery) watchOnce(stopCh <-chan struct{}, watchCh <-chan []*store.KVPair, discoveryCh chan discovery.Entries, errCh chan error) bool {
+	for {
+		select {
+		case pairs := <-watchCh:
+			if pairs == nil {
+				return true
+			}
+
+			logrus.WithField("discovery", s.backend).Debugf("Watch triggered with %d nodes", len(pairs))
+
+			// Convert `KVPair` into `discovery.Entry`.
+			addrs := make([]string, len(pairs))
+			for _, pair := range pairs {
+				addrs = append(addrs, string(pair.Value))
+			}
+
+			entries, err := discovery.CreateEntries(addrs)
+			if err != nil {
+				errCh <- err
+			} else {
+				discoveryCh <- entries
+			}
+		case <-stopCh:
+			// We were requested to stop watching.
+			return false
+		}
+	}
+}
+
+// Watch is exported
+func (s *Discovery) Watch(stopCh <-chan struct{}) (<-chan discovery.Entries, <-chan error) {
+	ch := make(chan discovery.Entries)
+	errCh := make(chan error)
+
+	go func() {
+		defer close(ch)
+		defer close(errCh)
+
+		// Forever: Create a store watch, watch until we get an error and then try again.
+		// Will only stop if we receive a stopCh request.
+		for {
+			// Create the path to watch if it does not exist yet
+			exists, err := s.store.Exists(s.path)
+			if err != nil {
+				errCh <- err
+			}
+			if !exists {
+				if err := s.store.Put(s.path, []byte(""), &store.WriteOptions{IsDir: true}); err != nil {
+					errCh <- err
+				}
+			}
+
+			// Set up a watch.
+			watchCh, err := s.store.WatchTree(s.path, stopCh)
+			if err != nil {
+				errCh <- err
+			} else {
+				if !s.watchOnce(stopCh, watchCh, ch, errCh) {
+					return
+				}
+			}
+
+			// If we get here it means the store watch channel was closed. This
+			// is unexpected so let's retry later.
+			errCh <- fmt.Errorf("Unexpected watch error")
+			time.Sleep(s.heartbeat)
+		}
+	}()
+	return ch, errCh
+}
+
+// Register is exported
+func (s *Discovery) Register(addr string) error {
+	opts := &store.WriteOptions{TTL: s.ttl}
+	return s.store.Put(path.Join(s.path, addr), []byte(addr), opts)
+}
+
+// Store returns the underlying store used by KV discovery.
+func (s *Discovery) Store() store.Store {
+	return s.store
+}
+
+// Prefix returns the store prefix
+func (s *Discovery) Prefix() string {
+	return s.prefix
+}
diff --git a/engine/pkg/discovery/kv/kv_test.go b/engine/pkg/discovery/kv/kv_test.go
new file mode 100644
index 00000000..79fd91c6
--- /dev/null
+++ b/engine/pkg/discovery/kv/kv_test.go
@@ -0,0 +1,322 @@
+package kv // import "github.com/docker/docker/pkg/discovery/kv"
+
+import (
+	"errors"
+	"io/ioutil"
+	"os"
+	"path"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/discovery"
+	"github.com/docker/libkv"
+	"github.com/docker/libkv/store"
+	"github.com/go-check/check"
+)
+
+// Hook up gocheck into the "go test" runner.
+func Test(t *testing.T) { check.TestingT(t) }
+
+type DiscoverySuite struct{}
+
+var _ = check.Suite(&DiscoverySuite{})
+
+func (ds *DiscoverySuite) TestInitialize(c *check.C) {
+	storeMock := &FakeStore{
+		Endpoints: []string{"127.0.0.1"},
+	}
+	d := &Discovery{backend: store.CONSUL}
+	d.Initialize("127.0.0.1", 0, 0, nil)
+	d.store = storeMock
+
+	s := d.store.(*FakeStore)
+	c.Assert(s.Endpoints, check.HasLen, 1)
+	c.Assert(s.Endpoints[0], check.Equals, "127.0.0.1")
+	c.Assert(d.path, check.Equals, defaultDiscoveryPath)
+
+	storeMock = &FakeStore{
+		Endpoints: []string{"127.0.0.1:1234"},
+	}
+	d = &Discovery{backend: store.CONSUL}
+	d.Initialize("127.0.0.1:1234/path", 0, 0, nil)
+	d.store = storeMock
+
+	s = d.store.(*FakeStore)
+	c.Assert(s.Endpoints, check.HasLen, 1)
+	c.Assert(s.Endpoints[0], check.Equals, "127.0.0.1:1234")
+	c.Assert(d.path, check.Equals, "path/"+defaultDiscoveryPath)
+
+	storeMock = &FakeStore{
+		Endpoints: []string{"127.0.0.1:1234", "127.0.0.2:1234", "127.0.0.3:1234"},
+	}
+	d = &Discovery{backend: store.CONSUL}
+	d.Initialize("127.0.0.1:1234,127.0.0.2:1234,127.0.0.3:1234/path", 0, 0, nil)
+	d.store = storeMock
+
+	s = d.store.(*FakeStore)
+	c.Assert(s.Endpoints, check.HasLen, 3)
+	c.Assert(s.Endpoints[0], check.Equals, "127.0.0.1:1234")
+	c.Assert(s.Endpoints[1], check.Equals, "127.0.0.2:1234")
+	c.Assert(s.Endpoints[2], check.Equals, "127.0.0.3:1234")
+
+	c.Assert(d.path, check.Equals, "path/"+defaultDiscoveryPath)
+}
+
+// Extremely limited mock store so we can test initialization
+type Mock struct {
+	// Endpoints passed to InitializeMock
+	Endpoints []string
+
+	// Options passed to InitializeMock
+	Options *store.Config
+}
+
+func NewMock(endpoints []string, options *store.Config) (store.Store, error) {
+	s := &Mock{}
+	s.Endpoints = endpoints
+	s.Options = options
+	return s, nil
+}
+func (s *Mock) Put(key string, value []byte, opts *store.WriteOptions) error {
+	return errors.New("Put not supported")
+}
+func (s *Mock) Get(key string) (*store.KVPair, error) {
+	return nil, errors.New("Get not supported")
+}
+func (s *Mock) Delete(key string) error {
+	return errors.New("Delete not supported")
+}
+
+// Exists mock
+func (s *Mock) Exists(key string) (bool, error) {
+	return false, errors.New("Exists not supported")
+}
+
+// Watch mock
+func (s *Mock) Watch(key string, stopCh <-chan struct{}) (<-chan *store.KVPair, error) {
+	return nil, errors.New("Watch not supported")
+}
+
+// WatchTree mock
+func (s *Mock) WatchTree(prefix string, stopCh <-chan struct{}) (<-chan []*store.KVPair, error) {
+	return nil, errors.New("WatchTree not supported")
+}
+
+// NewLock mock
+func (s *Mock) NewLock(key string, options *store.LockOptions) (store.Locker, error) {
+	return nil, errors.New("NewLock not supported")
+}
+
+// List mock
+func (s *Mock) List(prefix string) ([]*store.KVPair, error) {
+	return nil, errors.New("List not supported")
+}
+
+// DeleteTree mock
+func (s *Mock) DeleteTree(prefix string) error {
+	return errors.New("DeleteTree not supported")
+}
+
+// AtomicPut mock
+func (s *Mock) AtomicPut(key string, value []byte, previous *store.KVPair, opts *store.WriteOptions) (bool, *store.KVPair, error) {
+	return false, nil, errors.New("AtomicPut not supported")
+}
+
+// AtomicDelete mock
+func (s *Mock) AtomicDelete(key string, previous *store.KVPair) (bool, error) {
+	return false, errors.New("AtomicDelete not supported")
+}
+
+// Close mock
+func (s *Mock) Close() {
+}
+
+func (ds *DiscoverySuite) TestInitializeWithCerts(c *check.C) {
+	cert := `-----BEGIN CERTIFICATE-----
+MIIDCDCCAfKgAwIBAgIICifG7YeiQOEwCwYJKoZIhvcNAQELMBIxEDAOBgNVBAMT
+B1Rlc3QgQ0EwHhcNMTUxMDAxMjMwMDAwWhcNMjAwOTI5MjMwMDAwWjASMRAwDgYD
+VQQDEwdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1wRC
+O+flnLTK5ImjTurNRHwSejuqGbc4CAvpB0hS+z0QlSs4+zE9h80aC4hz+6caRpds
++J908Q+RvAittMHbpc7VjbZP72G6fiXk7yPPl6C10HhRSoSi3nY+B7F2E8cuz14q
+V2e+ejhWhSrBb/keyXpcyjoW1BOAAJ2TIclRRkICSCZrpXUyXxAvzXfpFXo1RhSb
+UywN11pfiCQzDUN7sPww9UzFHuAHZHoyfTr27XnJYVUerVYrCPq8vqfn//01qz55
+Xs0hvzGdlTFXhuabFtQnKFH5SNwo/fcznhB7rePOwHojxOpXTBepUCIJLbtNnWFT
+V44t9gh5IqIWtoBReQIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAAYwEgYDVR0TAQH/
+BAgwBgEB/wIBAjAdBgNVHQ4EFgQUZKUI8IIjIww7X/6hvwggQK4bD24wHwYDVR0j
+BBgwFoAUZKUI8IIjIww7X/6hvwggQK4bD24wCwYJKoZIhvcNAQELA4IBAQDES2cz
+7sCQfDCxCIWH7X8kpi/JWExzUyQEJ0rBzN1m3/x8ySRxtXyGekimBqQwQdFqlwMI
+xzAQKkh3ue8tNSzRbwqMSyH14N1KrSxYS9e9szJHfUasoTpQGPmDmGIoRJuq1h6M
+ej5x1SCJ7GWCR6xEXKUIE9OftXm9TdFzWa7Ja3OHz/mXteii8VXDuZ5ACq6EE5bY
+8sP4gcICfJ5fTrpTlk9FIqEWWQrCGa5wk95PGEj+GJpNogjXQ97wVoo/Y3p1brEn
+t5zjN9PAq4H1fuCMdNNA+p1DHNwd+ELTxcMAnb2ajwHvV6lKPXutrTFc4umJToBX
+FpTxDmJHEV4bzUzh
+-----END CERTIFICATE-----
+`
+	key := `-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA1wRCO+flnLTK5ImjTurNRHwSejuqGbc4CAvpB0hS+z0QlSs4
++zE9h80aC4hz+6caRpds+J908Q+RvAittMHbpc7VjbZP72G6fiXk7yPPl6C10HhR
+SoSi3nY+B7F2E8cuz14qV2e+ejhWhSrBb/keyXpcyjoW1BOAAJ2TIclRRkICSCZr
+pXUyXxAvzXfpFXo1RhSbUywN11pfiCQzDUN7sPww9UzFHuAHZHoyfTr27XnJYVUe
+rVYrCPq8vqfn//01qz55Xs0hvzGdlTFXhuabFtQnKFH5SNwo/fcznhB7rePOwHoj
+xOpXTBepUCIJLbtNnWFTV44t9gh5IqIWtoBReQIDAQABAoIBAHSWipORGp/uKFXj
+i/mut776x8ofsAxhnLBARQr93ID+i49W8H7EJGkOfaDjTICYC1dbpGrri61qk8sx
+qX7p3v/5NzKwOIfEpirgwVIqSNYe/ncbxnhxkx6tXtUtFKmEx40JskvSpSYAhmmO
+1XSx0E/PWaEN/nLgX/f1eWJIlxlQkk3QeqL+FGbCXI48DEtlJ9+MzMu4pAwZTpj5
+5qtXo5JJ0jRGfJVPAOznRsYqv864AhMdMIWguzk6EGnbaCWwPcfcn+h9a5LMdony
+MDHfBS7bb5tkF3+AfnVY3IBMVx7YlsD9eAyajlgiKu4zLbwTRHjXgShy+4Oussz0
+ugNGnkECgYEA/hi+McrZC8C4gg6XqK8+9joD8tnyDZDz88BQB7CZqABUSwvjDqlP
+L8hcwo/lzvjBNYGkqaFPUICGWKjeCtd8pPS2DCVXxDQX4aHF1vUur0uYNncJiV3N
+XQz4Iemsa6wnKf6M67b5vMXICw7dw0HZCdIHD1hnhdtDz0uVpeevLZ8CgYEA2KCT
+Y43lorjrbCgMqtlefkr3GJA9dey+hTzCiWEOOqn9RqGoEGUday0sKhiLofOgmN2B
+LEukpKIey8s+Q/cb6lReajDVPDsMweX8i7hz3Wa4Ugp4Xa5BpHqu8qIAE2JUZ7bU
+t88aQAYE58pUF+/Lq1QzAQdrjjzQBx6SrBxieecCgYEAvukoPZEC8mmiN1VvbTX+
+QFHmlZha3QaDxChB+QUe7bMRojEUL/fVnzkTOLuVFqSfxevaI/km9n0ac5KtAchV
+xjp2bTnBb5EUQFqjopYktWA+xO07JRJtMfSEmjZPbbay1kKC7rdTfBm961EIHaRj
+xZUf6M+rOE8964oGrdgdLlECgYEA046GQmx6fh7/82FtdZDRQp9tj3SWQUtSiQZc
+qhO59Lq8mjUXz+MgBuJXxkiwXRpzlbaFB0Bca1fUoYw8o915SrDYf/Zu2OKGQ/qa
+V81sgiVmDuEgycR7YOlbX6OsVUHrUlpwhY3hgfMe6UtkMvhBvHF/WhroBEIJm1pV
+PXZ/CbMCgYEApNWVktFBjOaYfY6SNn4iSts1jgsQbbpglg3kT7PLKjCAhI6lNsbk
+dyT7ut01PL6RaW4SeQWtrJIVQaM6vF3pprMKqlc5XihOGAmVqH7rQx9rtQB5TicL
+BFrwkQE4HQtQBV60hYQUzzlSk44VFDz+jxIEtacRHaomDRh2FtOTz+I=
+-----END RSA PRIVATE KEY-----
+`
+	certFile, err := ioutil.TempFile("", "cert")
+	c.Assert(err, check.IsNil)
+	defer os.Remove(certFile.Name())
+	certFile.Write([]byte(cert))
+	certFile.Close()
+	keyFile, err := ioutil.TempFile("", "key")
+	c.Assert(err, check.IsNil)
+	defer os.Remove(keyFile.Name())
+	keyFile.Write([]byte(key))
+	keyFile.Close()
+
+	libkv.AddStore("mock", NewMock)
+	d := &Discovery{backend: "mock"}
+	err = d.Initialize("127.0.0.3:1234", 0, 0, map[string]string{
+		"kv.cacertfile": certFile.Name(),
+		"kv.certfile":   certFile.Name(),
+		"kv.keyfile":    keyFile.Name(),
+	})
+	c.Assert(err, check.IsNil)
+	s := d.store.(*Mock)
+	c.Assert(s.Options.TLS, check.NotNil)
+	c.Assert(s.Options.TLS.RootCAs, check.NotNil)
+	c.Assert(s.Options.TLS.Certificates, check.HasLen, 1)
+}
+
+func (ds *DiscoverySuite) TestWatch(c *check.C) {
+	mockCh := make(chan []*store.KVPair)
+
+	storeMock := &FakeStore{
+		Endpoints:  []string{"127.0.0.1:1234"},
+		mockKVChan: mockCh,
+	}
+
+	d := &Discovery{backend: store.CONSUL}
+	d.Initialize("127.0.0.1:1234/path", 0, 0, nil)
+	d.store = storeMock
+
+	expected := discovery.Entries{
+		&discovery.Entry{Host: "1.1.1.1", Port: "1111"},
+		&discovery.Entry{Host: "2.2.2.2", Port: "2222"},
+	}
+	kvs := []*store.KVPair{
+		{Key: path.Join("path", defaultDiscoveryPath, "1.1.1.1"), Value: []byte("1.1.1.1:1111")},
+		{Key: path.Join("path", defaultDiscoveryPath, "2.2.2.2"), Value: []byte("2.2.2.2:2222")},
+	}
+
+	stopCh := make(chan struct{})
+	ch, errCh := d.Watch(stopCh)
+
+	// It should fire an error since the first WatchTree call failed.
+	c.Assert(<-errCh, check.ErrorMatches, "test error")
+	// We have to drain the error channel otherwise Watch will get stuck.
+	go func() {
+		for range errCh {
+		}
+	}()
+
+	// Push the entries into the store channel and make sure discovery emits.
+	mockCh <- kvs
+	c.Assert(<-ch, check.DeepEquals, expected)
+
+	// Add a new entry.
+	expected = append(expected, &discovery.Entry{Host: "3.3.3.3", Port: "3333"})
+	kvs = append(kvs, &store.KVPair{Key: path.Join("path", defaultDiscoveryPath, "3.3.3.3"), Value: []byte("3.3.3.3:3333")})
+	mockCh <- kvs
+	c.Assert(<-ch, check.DeepEquals, expected)
+
+	close(mockCh)
+	// Give it enough time to call WatchTree.
+	time.Sleep(3 * time.Second)
+
+	// Stop and make sure it closes all channels.
+	close(stopCh)
+	c.Assert(<-ch, check.IsNil)
+	c.Assert(<-errCh, check.IsNil)
+}
+
+// FakeStore implements store.Store methods. It mocks all store
+// function in a simple, naive way.
+type FakeStore struct {
+	Endpoints  []string
+	Options    *store.Config
+	mockKVChan <-chan []*store.KVPair
+
+	watchTreeCallCount int
+}
+
+func (s *FakeStore) Put(key string, value []byte, options *store.WriteOptions) error {
+	return nil
+}
+
+func (s *FakeStore) Get(key string) (*store.KVPair, error) {
+	return nil, nil
+}
+
+func (s *FakeStore) Delete(key string) error {
+	return nil
+}
+
+func (s *FakeStore) Exists(key string) (bool, error) {
+	return true, nil
+}
+
+func (s *FakeStore) Watch(key string, stopCh <-chan struct{}) (<-chan *store.KVPair, error) {
+	return nil, nil
+}
+
+// WatchTree will fail the first time, and return the mockKVchan afterwards.
+// This is the behavior we need for testing.. If we need 'moar', should update this.
+func (s *FakeStore) WatchTree(directory string, stopCh <-chan struct{}) (<-chan []*store.KVPair, error) {
+	if s.watchTreeCallCount == 0 {
+		s.watchTreeCallCount = 1
+		return nil, errors.New("test error")
+	}
+	// First calls error
+	return s.mockKVChan, nil
+}
+
+func (s *FakeStore) NewLock(key string, options *store.LockOptions) (store.Locker, error) {
+	return nil, nil
+}
+
+func (s *FakeStore) List(directory string) ([]*store.KVPair, error) {
+	return []*store.KVPair{}, nil
+}
+
+func (s *FakeStore) DeleteTree(directory string) error {
+	return nil
+}
+
+func (s *FakeStore) AtomicPut(key string, value []byte, previous *store.KVPair, options *store.WriteOptions) (bool, *store.KVPair, error) {
+	return true, nil, nil
+}
+
+func (s *FakeStore) AtomicDelete(key string, previous *store.KVPair) (bool, error) {
+	return true, nil
+}
+
+func (s *FakeStore) Close() {
+}
diff --git a/engine/pkg/discovery/memory/memory.go b/engine/pkg/discovery/memory/memory.go
new file mode 100644
index 00000000..81f973e2
--- /dev/null
+++ b/engine/pkg/discovery/memory/memory.go
@@ -0,0 +1,93 @@
+package memory // import "github.com/docker/docker/pkg/discovery/memory"
+
+import (
+	"sync"
+	"time"
+
+	"github.com/docker/docker/pkg/discovery"
+)
+
+// Discovery implements a discovery backend that keeps
+// data in memory.
+type Discovery struct {
+	heartbeat time.Duration
+	values    []string
+	mu        sync.Mutex
+}
+
+func init() {
+	Init()
+}
+
+// Init registers the memory backend on demand.
+func Init() {
+	discovery.Register("memory", &Discovery{})
+}
+
+// Initialize sets the heartbeat for the memory backend.
+func (s *Discovery) Initialize(_ string, heartbeat time.Duration, _ time.Duration, _ map[string]string) error {
+	s.heartbeat = heartbeat
+	s.values = make([]string, 0)
+	return nil
+}
+
+// Watch sends periodic discovery updates to a channel.
+func (s *Discovery) Watch(stopCh <-chan struct{}) (<-chan discovery.Entries, <-chan error) {
+	ch := make(chan discovery.Entries)
+	errCh := make(chan error)
+	ticker := time.NewTicker(s.heartbeat)
+
+	go func() {
+		defer close(errCh)
+		defer close(ch)
+
+		// Send the initial entries if available.
+		var currentEntries discovery.Entries
+		var err error
+
+		s.mu.Lock()
+		if len(s.values) > 0 {
+			currentEntries, err = discovery.CreateEntries(s.values)
+		}
+		s.mu.Unlock()
+
+		if err != nil {
+			errCh <- err
+		} else if currentEntries != nil {
+			ch <- currentEntries
+		}
+
+		// Periodically send updates.
+		for {
+			select {
+			case <-ticker.C:
+				s.mu.Lock()
+				newEntries, err := discovery.CreateEntries(s.values)
+				s.mu.Unlock()
+				if err != nil {
+					errCh <- err
+					continue
+				}
+
+				// Check if the file has really changed.
+				if !newEntries.Equals(currentEntries) {
+					ch <- newEntries
+				}
+				currentEntries = newEntries
+			case <-stopCh:
+				ticker.Stop()
+				return
+			}
+		}
+	}()
+
+	return ch, errCh
+}
+
+// Register adds a new address to the discovery.
+func (s *Discovery) Register(addr string) error {
+	s.mu.Lock()
+	s.values = append(s.values, addr)
+	s.mu.Unlock()
+	return nil
+}
diff --git a/engine/pkg/discovery/memory/memory_test.go b/engine/pkg/discovery/memory/memory_test.go
new file mode 100644
index 00000000..1d937f01
--- /dev/null
+++ b/engine/pkg/discovery/memory/memory_test.go
@@ -0,0 +1,48 @@
+package memory // import "github.com/docker/docker/pkg/discovery/memory"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/pkg/discovery"
+	"github.com/go-check/check"
+)
+
+// Hook up gocheck into the "go test" runner.
+func Test(t *testing.T) { check.TestingT(t) }
+
+type discoverySuite struct{}
+
+var _ = check.Suite(&discoverySuite{})
+
+func (s *discoverySuite) TestWatch(c *check.C) {
+	d := &Discovery{}
+	d.Initialize("foo", 1000, 0, nil)
+	stopCh := make(chan struct{})
+	ch, errCh := d.Watch(stopCh)
+
+	// We have to drain the error channel otherwise Watch will get stuck.
+	go func() {
+		for range errCh {
+		}
+	}()
+
+	expected := discovery.Entries{
+		&discovery.Entry{Host: "1.1.1.1", Port: "1111"},
+	}
+
+	c.Assert(d.Register("1.1.1.1:1111"), check.IsNil)
+	c.Assert(<-ch, check.DeepEquals, expected)
+
+	expected = discovery.Entries{
+		&discovery.Entry{Host: "1.1.1.1", Port: "1111"},
+		&discovery.Entry{Host: "2.2.2.2", Port: "2222"},
+	}
+
+	c.Assert(d.Register("2.2.2.2:2222"), check.IsNil)
+	c.Assert(<-ch, check.DeepEquals, expected)
+
+	// Stop and make sure it closes all channels.
+	close(stopCh)
+	c.Assert(<-ch, check.IsNil)
+	c.Assert(<-errCh, check.IsNil)
+}
diff --git a/engine/pkg/discovery/nodes/nodes.go b/engine/pkg/discovery/nodes/nodes.go
new file mode 100644
index 00000000..b1d45aa2
--- /dev/null
+++ b/engine/pkg/discovery/nodes/nodes.go
@@ -0,0 +1,54 @@
+package nodes // import "github.com/docker/docker/pkg/discovery/nodes"
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/pkg/discovery"
+)
+
+// Discovery is exported
+type Discovery struct {
+	entries discovery.Entries
+}
+
+func init() {
+	Init()
+}
+
+// Init is exported
+func Init() {
+	discovery.Register("nodes", &Discovery{})
+}
+
+// Initialize is exported
+func (s *Discovery) Initialize(uris string, _ time.Duration, _ time.Duration, _ map[string]string) error {
+	for _, input := range strings.Split(uris, ",") {
+		for _, ip := range discovery.Generate(input) {
+			entry, err := discovery.NewEntry(ip)
+			if err != nil {
+				return fmt.Errorf("%s, please check you are using the correct discovery (missing token:// ?)", err.Error())
+			}
+			s.entries = append(s.entries, entry)
+		}
+	}
+
+	return nil
+}
+
+// Watch is exported
+func (s *Discovery) Watch(stopCh <-chan struct{}) (<-chan discovery.Entries, <-chan error) {
+	ch := make(chan discovery.Entries)
+	go func() {
+		defer close(ch)
+		ch <- s.entries
+		<-stopCh
+	}()
+	return ch, nil
+}
+
+// Register is exported
+func (s *Discovery) Register(addr string) error {
+	return discovery.ErrNotImplemented
+}
diff --git a/engine/pkg/discovery/nodes/nodes_test.go b/engine/pkg/discovery/nodes/nodes_test.go
new file mode 100644
index 00000000..f9b43ab0
--- /dev/null
+++ b/engine/pkg/discovery/nodes/nodes_test.go
@@ -0,0 +1,51 @@
+package nodes // import "github.com/docker/docker/pkg/discovery/nodes"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/pkg/discovery"
+
+	"github.com/go-check/check"
+)
+
+// Hook up gocheck into the "go test" runner.
+func Test(t *testing.T) { check.TestingT(t) }
+
+type DiscoverySuite struct{}
+
+var _ = check.Suite(&DiscoverySuite{})
+
+func (s *DiscoverySuite) TestInitialize(c *check.C) {
+	d := &Discovery{}
+	d.Initialize("1.1.1.1:1111,2.2.2.2:2222", 0, 0, nil)
+	c.Assert(len(d.entries), check.Equals, 2)
+	c.Assert(d.entries[0].String(), check.Equals, "1.1.1.1:1111")
+	c.Assert(d.entries[1].String(), check.Equals, "2.2.2.2:2222")
+}
+
+func (s *DiscoverySuite) TestInitializeWithPattern(c *check.C) {
+	d := &Discovery{}
+	d.Initialize("1.1.1.[1:2]:1111,2.2.2.[2:4]:2222", 0, 0, nil)
+	c.Assert(len(d.entries), check.Equals, 5)
+	c.Assert(d.entries[0].String(), check.Equals, "1.1.1.1:1111")
+	c.Assert(d.entries[1].String(), check.Equals, "1.1.1.2:1111")
+	c.Assert(d.entries[2].String(), check.Equals, "2.2.2.2:2222")
+	c.Assert(d.entries[3].String(), check.Equals, "2.2.2.3:2222")
+	c.Assert(d.entries[4].String(), check.Equals, "2.2.2.4:2222")
+}
+
+func (s *DiscoverySuite) TestWatch(c *check.C) {
+	d := &Discovery{}
+	d.Initialize("1.1.1.1:1111,2.2.2.2:2222", 0, 0, nil)
+	expected := discovery.Entries{
+		&discovery.Entry{Host: "1.1.1.1", Port: "1111"},
+		&discovery.Entry{Host: "2.2.2.2", Port: "2222"},
+	}
+	ch, _ := d.Watch(nil)
+	c.Assert(expected.Equals(<-ch), check.Equals, true)
+}
+
+func (s *DiscoverySuite) TestRegister(c *check.C) {
+	d := &Discovery{}
+	c.Assert(d.Register("0.0.0.0"), check.NotNil)
+}
diff --git a/engine/pkg/dmesg/dmesg_linux.go b/engine/pkg/dmesg/dmesg_linux.go
new file mode 100644
index 00000000..bc71b5b3
--- /dev/null
+++ b/engine/pkg/dmesg/dmesg_linux.go
@@ -0,0 +1,18 @@
+package dmesg // import "github.com/docker/docker/pkg/dmesg"
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+// Dmesg returns last messages from the kernel log, up to size bytes
+func Dmesg(size int) []byte {
+	t := uintptr(3) // SYSLOG_ACTION_READ_ALL
+	b := make([]byte, size)
+	amt, _, err := unix.Syscall(unix.SYS_SYSLOG, t, uintptr(unsafe.Pointer(&b[0])), uintptr(len(b)))
+	if err != 0 {
+		return []byte{}
+	}
+	return b[:amt]
+}
diff --git a/engine/pkg/dmesg/dmesg_linux_test.go b/engine/pkg/dmesg/dmesg_linux_test.go
new file mode 100644
index 00000000..cc20ff91
--- /dev/null
+++ b/engine/pkg/dmesg/dmesg_linux_test.go
@@ -0,0 +1,9 @@
+package dmesg // import "github.com/docker/docker/pkg/dmesg"
+
+import (
+	"testing"
+)
+
+func TestDmesg(t *testing.T) {
+	t.Logf("dmesg output follows:\n%v", string(Dmesg(512)))
+}
diff --git a/engine/pkg/filenotify/filenotify.go b/engine/pkg/filenotify/filenotify.go
new file mode 100644
index 00000000..8b6cb56f
--- /dev/null
+++ b/engine/pkg/filenotify/filenotify.go
@@ -0,0 +1,40 @@
+// Package filenotify provides a mechanism for watching file(s) for changes.
+// Generally leans on fsnotify, but provides a poll-based notifier which fsnotify does not support.
+// These are wrapped up in a common interface so that either can be used interchangeably in your code.
+package filenotify // import "github.com/docker/docker/pkg/filenotify"
+
+import "github.com/fsnotify/fsnotify"
+
+// FileWatcher is an interface for implementing file notification watchers
+type FileWatcher interface {
+	Events() <-chan fsnotify.Event
+	Errors() <-chan error
+	Add(name string) error
+	Remove(name string) error
+	Close() error
+}
+
+// New tries to use an fs-event watcher, and falls back to the poller if there is an error
+func New() (FileWatcher, error) {
+	if watcher, err := NewEventWatcher(); err == nil {
+		return watcher, nil
+	}
+	return NewPollingWatcher(), nil
+}
+
+// NewPollingWatcher returns a poll-based file watcher
+func NewPollingWatcher() FileWatcher {
+	return &filePoller{
+		events: make(chan fsnotify.Event),
+		errors: make(chan error),
+	}
+}
+
+// NewEventWatcher returns an fs-event based file watcher
+func NewEventWatcher() (FileWatcher, error) {
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return nil, err
+	}
+	return &fsNotifyWatcher{watcher}, nil
+}
diff --git a/engine/pkg/filenotify/fsnotify.go b/engine/pkg/filenotify/fsnotify.go
new file mode 100644
index 00000000..5a737d65
--- /dev/null
+++ b/engine/pkg/filenotify/fsnotify.go
@@ -0,0 +1,18 @@
+package filenotify // import "github.com/docker/docker/pkg/filenotify"
+
+import "github.com/fsnotify/fsnotify"
+
+// fsNotifyWatcher wraps the fsnotify package to satisfy the FileNotifier interface
+type fsNotifyWatcher struct {
+	*fsnotify.Watcher
+}
+
+// Events returns the fsnotify event channel receiver
+func (w *fsNotifyWatcher) Events() <-chan fsnotify.Event {
+	return w.Watcher.Events
+}
+
+// Errors returns the fsnotify error channel receiver
+func (w *fsNotifyWatcher) Errors() <-chan error {
+	return w.Watcher.Errors
+}
diff --git a/engine/pkg/filenotify/poller.go b/engine/pkg/filenotify/poller.go
new file mode 100644
index 00000000..22f18970
--- /dev/null
+++ b/engine/pkg/filenotify/poller.go
@@ -0,0 +1,204 @@
+package filenotify // import "github.com/docker/docker/pkg/filenotify"
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"sync"
+	"time"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/fsnotify/fsnotify"
+)
+
+var (
+	// errPollerClosed is returned when the poller is closed
+	errPollerClosed = errors.New("poller is closed")
+	// errNoSuchWatch is returned when trying to remove a watch that doesn't exist
+	errNoSuchWatch = errors.New("watch does not exist")
+)
+
+// watchWaitTime is the time to wait between file poll loops
+const watchWaitTime = 200 * time.Millisecond
+
+// filePoller is used to poll files for changes, especially in cases where fsnotify
+// can't be run (e.g. when inotify handles are exhausted)
+// filePoller satisfies the FileWatcher interface
+type filePoller struct {
+	// watches is the list of files currently being polled, close the associated channel to stop the watch
+	watches map[string]chan struct{}
+	// events is the channel to listen to for watch events
+	events chan fsnotify.Event
+	// errors is the channel to listen to for watch errors
+	errors chan error
+	// mu locks the poller for modification
+	mu sync.Mutex
+	// closed is used to specify when the poller has already closed
+	closed bool
+}
+
+// Add adds a filename to the list of watches
+// once added the file is polled for changes in a separate goroutine
+func (w *filePoller) Add(name string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	if w.closed {
+		return errPollerClosed
+	}
+
+	f, err := os.Open(name)
+	if err != nil {
+		return err
+	}
+	fi, err := os.Stat(name)
+	if err != nil {
+		return err
+	}
+
+	if w.watches == nil {
+		w.watches = make(map[string]chan struct{})
+	}
+	if _, exists := w.watches[name]; exists {
+		return fmt.Errorf("watch exists")
+	}
+	chClose := make(chan struct{})
+	w.watches[name] = chClose
+
+	go w.watch(f, fi, chClose)
+	return nil
+}
+
+// Remove stops and removes watch with the specified name
+func (w *filePoller) Remove(name string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	return w.remove(name)
+}
+
+func (w *filePoller) remove(name string) error {
+	if w.closed {
+		return errPollerClosed
+	}
+
+	chClose, exists := w.watches[name]
+	if !exists {
+		return errNoSuchWatch
+	}
+	close(chClose)
+	delete(w.watches, name)
+	return nil
+}
+
+// Events returns the event channel
+// This is used for notifications on events about watched files
+func (w *filePoller) Events() <-chan fsnotify.Event {
+	return w.events
+}
+
+// Errors returns the errors channel
+// This is used for notifications about errors on watched files
+func (w *filePoller) Errors() <-chan error {
+	return w.errors
+}
+
+// Close closes the poller
+// All watches are stopped, removed, and the poller cannot be added to
+func (w *filePoller) Close() error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	if w.closed {
+		return nil
+	}
+
+	w.closed = true
+	for name := range w.watches {
+		w.remove(name)
+		delete(w.watches, name)
+	}
+	return nil
+}
+
+// sendEvent publishes the specified event to the events channel
+func (w *filePoller) sendEvent(e fsnotify.Event, chClose <-chan struct{}) error {
+	select {
+	case w.events <- e:
+	case <-chClose:
+		return fmt.Errorf("closed")
+	}
+	return nil
+}
+
+// sendErr publishes the specified error to the errors channel
+func (w *filePoller) sendErr(e error, chClose <-chan struct{}) error {
+	select {
+	case w.errors <- e:
+	case <-chClose:
+		return fmt.Errorf("closed")
+	}
+	return nil
+}
+
+// watch is responsible for polling the specified file for changes
+// upon finding changes to a file or errors, sendEvent/sendErr is called
+func (w *filePoller) watch(f *os.File, lastFi os.FileInfo, chClose chan struct{}) {
+	defer f.Close()
+	for {
+		time.Sleep(watchWaitTime)
+		select {
+		case <-chClose:
+			logrus.Debugf("watch for %s closed", f.Name())
+			return
+		default:
+		}
+
+		fi, err := os.Stat(f.Name())
+		if err != nil {
+			// if we got an error here and lastFi is not set, we can presume that nothing has changed
+			// This should be safe since before `watch()` is called, a stat is performed, there is any error `watch` is not called
+			if lastFi == nil {
+				continue
+			}
+			// If it doesn't exist at this point, it must have been removed
+			// no need to send the error here since this is a valid operation
+			if os.IsNotExist(err) {
+				if err := w.sendEvent(fsnotify.Event{Op: fsnotify.Remove, Name: f.Name()}, chClose); err != nil {
+					return
+				}
+				lastFi = nil
+				continue
+			}
+			// at this point, send the error
+			if err := w.sendErr(err, chClose); err != nil {
+				return
+			}
+			continue
+		}
+
+		if lastFi == nil {
+			if err := w.sendEvent(fsnotify.Event{Op: fsnotify.Create, Name: fi.Name()}, chClose); err != nil {
+				return
+			}
+			lastFi = fi
+			continue
+		}
+
+		if fi.Mode() != lastFi.Mode() {
+			if err := w.sendEvent(fsnotify.Event{Op: fsnotify.Chmod, Name: fi.Name()}, chClose); err != nil {
+				return
+			}
+			lastFi = fi
+			continue
+		}
+
+		if fi.ModTime() != lastFi.ModTime() || fi.Size() != lastFi.Size() {
+			if err := w.sendEvent(fsnotify.Event{Op: fsnotify.Write, Name: fi.Name()}, chClose); err != nil {
+				return
+			}
+			lastFi = fi
+			continue
+		}
+	}
+}
diff --git a/engine/pkg/filenotify/poller_test.go b/engine/pkg/filenotify/poller_test.go
new file mode 100644
index 00000000..a46b60d9
--- /dev/null
+++ b/engine/pkg/filenotify/poller_test.go
@@ -0,0 +1,119 @@
+package filenotify // import "github.com/docker/docker/pkg/filenotify"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"runtime"
+	"testing"
+	"time"
+
+	"github.com/fsnotify/fsnotify"
+)
+
+func TestPollerAddRemove(t *testing.T) {
+	w := NewPollingWatcher()
+
+	if err := w.Add("no-such-file"); err == nil {
+		t.Fatal("should have gotten error when adding a non-existent file")
+	}
+	if err := w.Remove("no-such-file"); err == nil {
+		t.Fatal("should have gotten error when removing non-existent watch")
+	}
+
+	f, err := ioutil.TempFile("", "asdf")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(f.Name())
+
+	if err := w.Add(f.Name()); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := w.Remove(f.Name()); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestPollerEvent(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("No chmod on Windows")
+	}
+	w := NewPollingWatcher()
+
+	f, err := ioutil.TempFile("", "test-poller")
+	if err != nil {
+		t.Fatal("error creating temp file")
+	}
+	defer os.RemoveAll(f.Name())
+	f.Close()
+
+	if err := w.Add(f.Name()); err != nil {
+		t.Fatal(err)
+	}
+
+	select {
+	case <-w.Events():
+		t.Fatal("got event before anything happened")
+	case <-w.Errors():
+		t.Fatal("got error before anything happened")
+	default:
+	}
+
+	if err := ioutil.WriteFile(f.Name(), []byte("hello"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := assertEvent(w, fsnotify.Write); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Chmod(f.Name(), 600); err != nil {
+		t.Fatal(err)
+	}
+	if err := assertEvent(w, fsnotify.Chmod); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := os.Remove(f.Name()); err != nil {
+		t.Fatal(err)
+	}
+	if err := assertEvent(w, fsnotify.Remove); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestPollerClose(t *testing.T) {
+	w := NewPollingWatcher()
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+	// test double-close
+	if err := w.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	f, err := ioutil.TempFile("", "asdf")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(f.Name())
+	if err := w.Add(f.Name()); err == nil {
+		t.Fatal("should have gotten error adding watch for closed watcher")
+	}
+}
+
+func assertEvent(w FileWatcher, eType fsnotify.Op) error {
+	var err error
+	select {
+	case e := <-w.Events():
+		if e.Op != eType {
+			err = fmt.Errorf("got wrong event type, expected %q: %v", eType, e.Op)
+		}
+	case e := <-w.Errors():
+		err = fmt.Errorf("got unexpected error waiting for events %v: %v", eType, e)
+	case <-time.After(watchWaitTime * 3):
+		err = fmt.Errorf("timeout waiting for event %v", eType)
+	}
+	return err
+}
diff --git a/engine/pkg/fileutils/fileutils.go b/engine/pkg/fileutils/fileutils.go
new file mode 100644
index 00000000..28cad499
--- /dev/null
+++ b/engine/pkg/fileutils/fileutils.go
@@ -0,0 +1,298 @@
+package fileutils // import "github.com/docker/docker/pkg/fileutils"
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"text/scanner"
+
+	"github.com/sirupsen/logrus"
+)
+
+// PatternMatcher allows checking paths against a list of patterns
+type PatternMatcher struct {
+	patterns   []*Pattern
+	exclusions bool
+}
+
+// NewPatternMatcher creates a new matcher object for specific patterns that can
+// be used later to match against patterns against paths
+func NewPatternMatcher(patterns []string) (*PatternMatcher, error) {
+	pm := &PatternMatcher{
+		patterns: make([]*Pattern, 0, len(patterns)),
+	}
+	for _, p := range patterns {
+		// Eliminate leading and trailing whitespace.
+		p = strings.TrimSpace(p)
+		if p == "" {
+			continue
+		}
+		p = filepath.Clean(p)
+		newp := &Pattern{}
+		if p[0] == '!' {
+			if len(p) == 1 {
+				return nil, errors.New("illegal exclusion pattern: \"!\"")
+			}
+			newp.exclusion = true
+			p = p[1:]
+			pm.exclusions = true
+		}
+		// Do some syntax checking on the pattern.
+		// filepath's Match() has some really weird rules that are inconsistent
+		// so instead of trying to dup their logic, just call Match() for its
+		// error state and if there is an error in the pattern return it.
+		// If this becomes an issue we can remove this since its really only
+		// needed in the error (syntax) case - which isn't really critical.
+		if _, err := filepath.Match(p, "."); err != nil {
+			return nil, err
+		}
+		newp.cleanedPattern = p
+		newp.dirs = strings.Split(p, string(os.PathSeparator))
+		pm.patterns = append(pm.patterns, newp)
+	}
+	return pm, nil
+}
+
+// Matches matches path against all the patterns. Matches is not safe to be
+// called concurrently
+func (pm *PatternMatcher) Matches(file string) (bool, error) {
+	matched := false
+	file = filepath.FromSlash(file)
+	parentPath := filepath.Dir(file)
+	parentPathDirs := strings.Split(parentPath, string(os.PathSeparator))
+
+	for _, pattern := range pm.patterns {
+		negative := false
+
+		if pattern.exclusion {
+			negative = true
+		}
+
+		match, err := pattern.match(file)
+		if err != nil {
+			return false, err
+		}
+
+		if !match && parentPath != "." {
+			// Check to see if the pattern matches one of our parent dirs.
+			if len(pattern.dirs) <= len(parentPathDirs) {
+				match, _ = pattern.match(strings.Join(parentPathDirs[:len(pattern.dirs)], string(os.PathSeparator)))
+			}
+		}
+
+		if match {
+			matched = !negative
+		}
+	}
+
+	if matched {
+		logrus.Debugf("Skipping excluded path: %s", file)
+	}
+
+	return matched, nil
+}
+
+// Exclusions returns true if any of the patterns define exclusions
+func (pm *PatternMatcher) Exclusions() bool {
+	return pm.exclusions
+}
+
+// Patterns returns array of active patterns
+func (pm *PatternMatcher) Patterns() []*Pattern {
+	return pm.patterns
+}
+
+// Pattern defines a single regexp used used to filter file paths.
+type Pattern struct {
+	cleanedPattern string
+	dirs           []string
+	regexp         *regexp.Regexp
+	exclusion      bool
+}
+
+func (p *Pattern) String() string {
+	return p.cleanedPattern
+}
+
+// Exclusion returns true if this pattern defines exclusion
+func (p *Pattern) Exclusion() bool {
+	return p.exclusion
+}
+
+func (p *Pattern) match(path string) (bool, error) {
+
+	if p.regexp == nil {
+		if err := p.compile(); err != nil {
+			return false, filepath.ErrBadPattern
+		}
+	}
+
+	b := p.regexp.MatchString(path)
+
+	return b, nil
+}
+
+func (p *Pattern) compile() error {
+	regStr := "^"
+	pattern := p.cleanedPattern
+	// Go through the pattern and convert it to a regexp.
+	// We use a scanner so we can support utf-8 chars.
+	var scan scanner.Scanner
+	scan.Init(strings.NewReader(pattern))
+
+	sl := string(os.PathSeparator)
+	escSL := sl
+	if sl == `\` {
+		escSL += `\`
+	}
+
+	for scan.Peek() != scanner.EOF {
+		ch := scan.Next()
+
+		if ch == '*' {
+			if scan.Peek() == '*' {
+				// is some flavor of "**"
+				scan.Next()
+
+				// Treat **/ as ** so eat the "/"
+				if string(scan.Peek()) == sl {
+					scan.Next()
+				}
+
+				if scan.Peek() == scanner.EOF {
+					// is "**EOF" - to align with .gitignore just accept all
+					regStr += ".*"
+				} else {
+					// is "**"
+					// Note that this allows for any # of /'s (even 0) because
+					// the .* will eat everything, even /'s
+					regStr += "(.*" + escSL + ")?"
+				}
+			} else {
+				// is "*" so map it to anything but "/"
+				regStr += "[^" + escSL + "]*"
+			}
+		} else if ch == '?' {
+			// "?" is any char except "/"
+			regStr += "[^" + escSL + "]"
+		} else if ch == '.' || ch == '$' {
+			// Escape some regexp special chars that have no meaning
+			// in golang's filepath.Match
+			regStr += `\` + string(ch)
+		} else if ch == '\\' {
+			// escape next char. Note that a trailing \ in the pattern
+			// will be left alone (but need to escape it)
+			if sl == `\` {
+				// On windows map "\" to "\\", meaning an escaped backslash,
+				// and then just continue because filepath.Match on
+				// Windows doesn't allow escaping at all
+				regStr += escSL
+				continue
+			}
+			if scan.Peek() != scanner.EOF {
+				regStr += `\` + string(scan.Next())
+			} else {
+				regStr += `\`
+			}
+		} else {
+			regStr += string(ch)
+		}
+	}
+
+	regStr += "$"
+
+	re, err := regexp.Compile(regStr)
+	if err != nil {
+		return err
+	}
+
+	p.regexp = re
+	return nil
+}
+
+// Matches returns true if file matches any of the patterns
+// and isn't excluded by any of the subsequent patterns.
+func Matches(file string, patterns []string) (bool, error) {
+	pm, err := NewPatternMatcher(patterns)
+	if err != nil {
+		return false, err
+	}
+	file = filepath.Clean(file)
+
+	if file == "." {
+		// Don't let them exclude everything, kind of silly.
+		return false, nil
+	}
+
+	return pm.Matches(file)
+}
+
+// CopyFile copies from src to dst until either EOF is reached
+// on src or an error occurs. It verifies src exists and removes
+// the dst if it exists.
+func CopyFile(src, dst string) (int64, error) {
+	cleanSrc := filepath.Clean(src)
+	cleanDst := filepath.Clean(dst)
+	if cleanSrc == cleanDst {
+		return 0, nil
+	}
+	sf, err := os.Open(cleanSrc)
+	if err != nil {
+		return 0, err
+	}
+	defer sf.Close()
+	if err := os.Remove(cleanDst); err != nil && !os.IsNotExist(err) {
+		return 0, err
+	}
+	df, err := os.Create(cleanDst)
+	if err != nil {
+		return 0, err
+	}
+	defer df.Close()
+	return io.Copy(df, sf)
+}
+
+// ReadSymlinkedDirectory returns the target directory of a symlink.
+// The target of the symbolic link may not be a file.
+func ReadSymlinkedDirectory(path string) (string, error) {
+	var realPath string
+	var err error
+	if realPath, err = filepath.Abs(path); err != nil {
+		return "", fmt.Errorf("unable to get absolute path for %s: %s", path, err)
+	}
+	if realPath, err = filepath.EvalSymlinks(realPath); err != nil {
+		return "", fmt.Errorf("failed to canonicalise path for %s: %s", path, err)
+	}
+	realPathInfo, err := os.Stat(realPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to stat target '%s' of '%s': %s", realPath, path, err)
+	}
+	if !realPathInfo.Mode().IsDir() {
+		return "", fmt.Errorf("canonical path points to a file '%s'", realPath)
+	}
+	return realPath, nil
+}
+
+// CreateIfNotExists creates a file or a directory only if it does not already exist.
+func CreateIfNotExists(path string, isDir bool) error {
+	if _, err := os.Stat(path); err != nil {
+		if os.IsNotExist(err) {
+			if isDir {
+				return os.MkdirAll(path, 0755)
+			}
+			if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+				return err
+			}
+			f, err := os.OpenFile(path, os.O_CREATE, 0755)
+			if err != nil {
+				return err
+			}
+			f.Close()
+		}
+	}
+	return nil
+}
diff --git a/engine/pkg/fileutils/fileutils_darwin.go b/engine/pkg/fileutils/fileutils_darwin.go
new file mode 100644
index 00000000..e40cc271
--- /dev/null
+++ b/engine/pkg/fileutils/fileutils_darwin.go
@@ -0,0 +1,27 @@
+package fileutils // import "github.com/docker/docker/pkg/fileutils"
+
+import (
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+)
+
+// GetTotalUsedFds returns the number of used File Descriptors by
+// executing `lsof -p PID`
+func GetTotalUsedFds() int {
+	pid := os.Getpid()
+
+	cmd := exec.Command("lsof", "-p", strconv.Itoa(pid))
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return -1
+	}
+
+	outputStr := strings.TrimSpace(string(output))
+
+	fds := strings.Split(outputStr, "\n")
+
+	return len(fds) - 1
+}
diff --git a/engine/pkg/fileutils/fileutils_test.go b/engine/pkg/fileutils/fileutils_test.go
new file mode 100644
index 00000000..4b5f129a
--- /dev/null
+++ b/engine/pkg/fileutils/fileutils_test.go
@@ -0,0 +1,591 @@
+package fileutils // import "github.com/docker/docker/pkg/fileutils"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+// CopyFile with invalid src
+func TestCopyFileWithInvalidSrc(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-fileutils-test")
+	defer os.RemoveAll(tempFolder)
+	if err != nil {
+		t.Fatal(err)
+	}
+	bytes, err := CopyFile("/invalid/file/path", path.Join(tempFolder, "dest"))
+	if err == nil {
+		t.Fatal("Should have fail to copy an invalid src file")
+	}
+	if bytes != 0 {
+		t.Fatal("Should have written 0 bytes")
+	}
+
+}
+
+// CopyFile with invalid dest
+func TestCopyFileWithInvalidDest(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-fileutils-test")
+	defer os.RemoveAll(tempFolder)
+	if err != nil {
+		t.Fatal(err)
+	}
+	src := path.Join(tempFolder, "file")
+	err = ioutil.WriteFile(src, []byte("content"), 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	bytes, err := CopyFile(src, path.Join(tempFolder, "/invalid/dest/path"))
+	if err == nil {
+		t.Fatal("Should have fail to copy an invalid src file")
+	}
+	if bytes != 0 {
+		t.Fatal("Should have written 0 bytes")
+	}
+
+}
+
+// CopyFile with same src and dest
+func TestCopyFileWithSameSrcAndDest(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-fileutils-test")
+	defer os.RemoveAll(tempFolder)
+	if err != nil {
+		t.Fatal(err)
+	}
+	file := path.Join(tempFolder, "file")
+	err = ioutil.WriteFile(file, []byte("content"), 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	bytes, err := CopyFile(file, file)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if bytes != 0 {
+		t.Fatal("Should have written 0 bytes as it is the same file.")
+	}
+}
+
+// CopyFile with same src and dest but path is different and not clean
+func TestCopyFileWithSameSrcAndDestWithPathNameDifferent(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-fileutils-test")
+	defer os.RemoveAll(tempFolder)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testFolder := path.Join(tempFolder, "test")
+	err = os.MkdirAll(testFolder, 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	file := path.Join(testFolder, "file")
+	sameFile := testFolder + "/../test/file"
+	err = ioutil.WriteFile(file, []byte("content"), 0740)
+	if err != nil {
+		t.Fatal(err)
+	}
+	bytes, err := CopyFile(file, sameFile)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if bytes != 0 {
+		t.Fatal("Should have written 0 bytes as it is the same file.")
+	}
+}
+
+func TestCopyFile(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-fileutils-test")
+	defer os.RemoveAll(tempFolder)
+	if err != nil {
+		t.Fatal(err)
+	}
+	src := path.Join(tempFolder, "src")
+	dest := path.Join(tempFolder, "dest")
+	ioutil.WriteFile(src, []byte("content"), 0777)
+	ioutil.WriteFile(dest, []byte("destContent"), 0777)
+	bytes, err := CopyFile(src, dest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if bytes != 7 {
+		t.Fatalf("Should have written %d bytes but wrote %d", 7, bytes)
+	}
+	actual, err := ioutil.ReadFile(dest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if string(actual) != "content" {
+		t.Fatalf("Dest content was '%s', expected '%s'", string(actual), "content")
+	}
+}
+
+// Reading a symlink to a directory must return the directory
+func TestReadSymlinkedDirectoryExistingDirectory(t *testing.T) {
+	// TODO Windows: Port this test
+	if runtime.GOOS == "windows" {
+		t.Skip("Needs porting to Windows")
+	}
+	var err error
+	if err = os.Mkdir("/tmp/testReadSymlinkToExistingDirectory", 0777); err != nil {
+		t.Errorf("failed to create directory: %s", err)
+	}
+
+	if err = os.Symlink("/tmp/testReadSymlinkToExistingDirectory", "/tmp/dirLinkTest"); err != nil {
+		t.Errorf("failed to create symlink: %s", err)
+	}
+
+	var path string
+	if path, err = ReadSymlinkedDirectory("/tmp/dirLinkTest"); err != nil {
+		t.Fatalf("failed to read symlink to directory: %s", err)
+	}
+
+	if path != "/tmp/testReadSymlinkToExistingDirectory" {
+		t.Fatalf("symlink returned unexpected directory: %s", path)
+	}
+
+	if err = os.Remove("/tmp/testReadSymlinkToExistingDirectory"); err != nil {
+		t.Errorf("failed to remove temporary directory: %s", err)
+	}
+
+	if err = os.Remove("/tmp/dirLinkTest"); err != nil {
+		t.Errorf("failed to remove symlink: %s", err)
+	}
+}
+
+// Reading a non-existing symlink must fail
+func TestReadSymlinkedDirectoryNonExistingSymlink(t *testing.T) {
+	var path string
+	var err error
+	if path, err = ReadSymlinkedDirectory("/tmp/test/foo/Non/ExistingPath"); err == nil {
+		t.Fatalf("error expected for non-existing symlink")
+	}
+
+	if path != "" {
+		t.Fatalf("expected empty path, but '%s' was returned", path)
+	}
+}
+
+// Reading a symlink to a file must fail
+func TestReadSymlinkedDirectoryToFile(t *testing.T) {
+	// TODO Windows: Port this test
+	if runtime.GOOS == "windows" {
+		t.Skip("Needs porting to Windows")
+	}
+	var err error
+	var file *os.File
+
+	if file, err = os.Create("/tmp/testReadSymlinkToFile"); err != nil {
+		t.Fatalf("failed to create file: %s", err)
+	}
+
+	file.Close()
+
+	if err = os.Symlink("/tmp/testReadSymlinkToFile", "/tmp/fileLinkTest"); err != nil {
+		t.Errorf("failed to create symlink: %s", err)
+	}
+
+	var path string
+	if path, err = ReadSymlinkedDirectory("/tmp/fileLinkTest"); err == nil {
+		t.Fatalf("ReadSymlinkedDirectory on a symlink to a file should've failed")
+	}
+
+	if path != "" {
+		t.Fatalf("path should've been empty: %s", path)
+	}
+
+	if err = os.Remove("/tmp/testReadSymlinkToFile"); err != nil {
+		t.Errorf("failed to remove file: %s", err)
+	}
+
+	if err = os.Remove("/tmp/fileLinkTest"); err != nil {
+		t.Errorf("failed to remove symlink: %s", err)
+	}
+}
+
+func TestWildcardMatches(t *testing.T) {
+	match, _ := Matches("fileutils.go", []string{"*"})
+	if !match {
+		t.Errorf("failed to get a wildcard match, got %v", match)
+	}
+}
+
+// A simple pattern match should return true.
+func TestPatternMatches(t *testing.T) {
+	match, _ := Matches("fileutils.go", []string{"*.go"})
+	if !match {
+		t.Errorf("failed to get a match, got %v", match)
+	}
+}
+
+// An exclusion followed by an inclusion should return true.
+func TestExclusionPatternMatchesPatternBefore(t *testing.T) {
+	match, _ := Matches("fileutils.go", []string{"!fileutils.go", "*.go"})
+	if !match {
+		t.Errorf("failed to get true match on exclusion pattern, got %v", match)
+	}
+}
+
+// A folder pattern followed by an exception should return false.
+func TestPatternMatchesFolderExclusions(t *testing.T) {
+	match, _ := Matches("docs/README.md", []string{"docs", "!docs/README.md"})
+	if match {
+		t.Errorf("failed to get a false match on exclusion pattern, got %v", match)
+	}
+}
+
+// A folder pattern followed by an exception should return false.
+func TestPatternMatchesFolderWithSlashExclusions(t *testing.T) {
+	match, _ := Matches("docs/README.md", []string{"docs/", "!docs/README.md"})
+	if match {
+		t.Errorf("failed to get a false match on exclusion pattern, got %v", match)
+	}
+}
+
+// A folder pattern followed by an exception should return false.
+func TestPatternMatchesFolderWildcardExclusions(t *testing.T) {
+	match, _ := Matches("docs/README.md", []string{"docs/*", "!docs/README.md"})
+	if match {
+		t.Errorf("failed to get a false match on exclusion pattern, got %v", match)
+	}
+}
+
+// A pattern followed by an exclusion should return false.
+func TestExclusionPatternMatchesPatternAfter(t *testing.T) {
+	match, _ := Matches("fileutils.go", []string{"*.go", "!fileutils.go"})
+	if match {
+		t.Errorf("failed to get false match on exclusion pattern, got %v", match)
+	}
+}
+
+// A filename evaluating to . should return false.
+func TestExclusionPatternMatchesWholeDirectory(t *testing.T) {
+	match, _ := Matches(".", []string{"*.go"})
+	if match {
+		t.Errorf("failed to get false match on ., got %v", match)
+	}
+}
+
+// A single ! pattern should return an error.
+func TestSingleExclamationError(t *testing.T) {
+	_, err := Matches("fileutils.go", []string{"!"})
+	if err == nil {
+		t.Errorf("failed to get an error for a single exclamation point, got %v", err)
+	}
+}
+
+// Matches with no patterns
+func TestMatchesWithNoPatterns(t *testing.T) {
+	matches, err := Matches("/any/path/there", []string{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if matches {
+		t.Fatalf("Should not have match anything")
+	}
+}
+
+// Matches with malformed patterns
+func TestMatchesWithMalformedPatterns(t *testing.T) {
+	matches, err := Matches("/any/path/there", []string{"["})
+	if err == nil {
+		t.Fatal("Should have failed because of a malformed syntax in the pattern")
+	}
+	if matches {
+		t.Fatalf("Should not have match anything")
+	}
+}
+
+type matchesTestCase struct {
+	pattern string
+	text    string
+	pass    bool
+}
+
+func TestMatches(t *testing.T) {
+	tests := []matchesTestCase{
+		{"**", "file", true},
+		{"**", "file/", true},
+		{"**/", "file", true}, // weird one
+		{"**/", "file/", true},
+		{"**", "/", true},
+		{"**/", "/", true},
+		{"**", "dir/file", true},
+		{"**/", "dir/file", true},
+		{"**", "dir/file/", true},
+		{"**/", "dir/file/", true},
+		{"**/**", "dir/file", true},
+		{"**/**", "dir/file/", true},
+		{"dir/**", "dir/file", true},
+		{"dir/**", "dir/file/", true},
+		{"dir/**", "dir/dir2/file", true},
+		{"dir/**", "dir/dir2/file/", true},
+		{"**/dir2/*", "dir/dir2/file", true},
+		{"**/dir2/*", "dir/dir2/file/", true},
+		{"**/dir2/**", "dir/dir2/dir3/file", true},
+		{"**/dir2/**", "dir/dir2/dir3/file/", true},
+		{"**file", "file", true},
+		{"**file", "dir/file", true},
+		{"**/file", "dir/file", true},
+		{"**file", "dir/dir/file", true},
+		{"**/file", "dir/dir/file", true},
+		{"**/file*", "dir/dir/file", true},
+		{"**/file*", "dir/dir/file.txt", true},
+		{"**/file*txt", "dir/dir/file.txt", true},
+		{"**/file*.txt", "dir/dir/file.txt", true},
+		{"**/file*.txt*", "dir/dir/file.txt", true},
+		{"**/**/*.txt", "dir/dir/file.txt", true},
+		{"**/**/*.txt2", "dir/dir/file.txt", false},
+		{"**/*.txt", "file.txt", true},
+		{"**/**/*.txt", "file.txt", true},
+		{"a**/*.txt", "a/file.txt", true},
+		{"a**/*.txt", "a/dir/file.txt", true},
+		{"a**/*.txt", "a/dir/dir/file.txt", true},
+		{"a/*.txt", "a/dir/file.txt", false},
+		{"a/*.txt", "a/file.txt", true},
+		{"a/*.txt**", "a/file.txt", true},
+		{"a[b-d]e", "ae", false},
+		{"a[b-d]e", "ace", true},
+		{"a[b-d]e", "aae", false},
+		{"a[^b-d]e", "aze", true},
+		{".*", ".foo", true},
+		{".*", "foo", false},
+		{"abc.def", "abcdef", false},
+		{"abc.def", "abc.def", true},
+		{"abc.def", "abcZdef", false},
+		{"abc?def", "abcZdef", true},
+		{"abc?def", "abcdef", false},
+		{"a\\\\", "a\\", true},
+		{"**/foo/bar", "foo/bar", true},
+		{"**/foo/bar", "dir/foo/bar", true},
+		{"**/foo/bar", "dir/dir2/foo/bar", true},
+		{"abc/**", "abc", false},
+		{"abc/**", "abc/def", true},
+		{"abc/**", "abc/def/ghi", true},
+		{"**/.foo", ".foo", true},
+		{"**/.foo", "bar.foo", false},
+	}
+
+	if runtime.GOOS != "windows" {
+		tests = append(tests, []matchesTestCase{
+			{"a\\*b", "a*b", true},
+			{"a\\", "a", false},
+			{"a\\", "a\\", false},
+		}...)
+	}
+
+	for _, test := range tests {
+		desc := fmt.Sprintf("pattern=%q text=%q", test.pattern, test.text)
+		pm, err := NewPatternMatcher([]string{test.pattern})
+		assert.NilError(t, err, desc)
+		res, _ := pm.Matches(test.text)
+		assert.Check(t, is.Equal(test.pass, res), desc)
+	}
+}
+
+func TestCleanPatterns(t *testing.T) {
+	patterns := []string{"docs", "config"}
+	pm, err := NewPatternMatcher(patterns)
+	if err != nil {
+		t.Fatalf("invalid pattern %v", patterns)
+	}
+	cleaned := pm.Patterns()
+	if len(cleaned) != 2 {
+		t.Errorf("expected 2 element slice, got %v", len(cleaned))
+	}
+}
+
+func TestCleanPatternsStripEmptyPatterns(t *testing.T) {
+	patterns := []string{"docs", "config", ""}
+	pm, err := NewPatternMatcher(patterns)
+	if err != nil {
+		t.Fatalf("invalid pattern %v", patterns)
+	}
+	cleaned := pm.Patterns()
+	if len(cleaned) != 2 {
+		t.Errorf("expected 2 element slice, got %v", len(cleaned))
+	}
+}
+
+func TestCleanPatternsExceptionFlag(t *testing.T) {
+	patterns := []string{"docs", "!docs/README.md"}
+	pm, err := NewPatternMatcher(patterns)
+	if err != nil {
+		t.Fatalf("invalid pattern %v", patterns)
+	}
+	if !pm.Exclusions() {
+		t.Errorf("expected exceptions to be true, got %v", pm.Exclusions())
+	}
+}
+
+func TestCleanPatternsLeadingSpaceTrimmed(t *testing.T) {
+	patterns := []string{"docs", "  !docs/README.md"}
+	pm, err := NewPatternMatcher(patterns)
+	if err != nil {
+		t.Fatalf("invalid pattern %v", patterns)
+	}
+	if !pm.Exclusions() {
+		t.Errorf("expected exceptions to be true, got %v", pm.Exclusions())
+	}
+}
+
+func TestCleanPatternsTrailingSpaceTrimmed(t *testing.T) {
+	patterns := []string{"docs", "!docs/README.md  "}
+	pm, err := NewPatternMatcher(patterns)
+	if err != nil {
+		t.Fatalf("invalid pattern %v", patterns)
+	}
+	if !pm.Exclusions() {
+		t.Errorf("expected exceptions to be true, got %v", pm.Exclusions())
+	}
+}
+
+func TestCleanPatternsErrorSingleException(t *testing.T) {
+	patterns := []string{"!"}
+	_, err := NewPatternMatcher(patterns)
+	if err == nil {
+		t.Errorf("expected error on single exclamation point, got %v", err)
+	}
+}
+
+func TestCreateIfNotExistsDir(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-fileutils-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tempFolder)
+
+	folderToCreate := filepath.Join(tempFolder, "tocreate")
+
+	if err := CreateIfNotExists(folderToCreate, true); err != nil {
+		t.Fatal(err)
+	}
+	fileinfo, err := os.Stat(folderToCreate)
+	if err != nil {
+		t.Fatalf("Should have create a folder, got %v", err)
+	}
+
+	if !fileinfo.IsDir() {
+		t.Fatalf("Should have been a dir, seems it's not")
+	}
+}
+
+func TestCreateIfNotExistsFile(t *testing.T) {
+	tempFolder, err := ioutil.TempDir("", "docker-fileutils-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tempFolder)
+
+	fileToCreate := filepath.Join(tempFolder, "file/to/create")
+
+	if err := CreateIfNotExists(fileToCreate, false); err != nil {
+		t.Fatal(err)
+	}
+	fileinfo, err := os.Stat(fileToCreate)
+	if err != nil {
+		t.Fatalf("Should have create a file, got %v", err)
+	}
+
+	if fileinfo.IsDir() {
+		t.Fatalf("Should have been a file, seems it's not")
+	}
+}
+
+// These matchTests are stolen from go's filepath Match tests.
+type matchTest struct {
+	pattern, s string
+	match      bool
+	err        error
+}
+
+var matchTests = []matchTest{
+	{"abc", "abc", true, nil},
+	{"*", "abc", true, nil},
+	{"*c", "abc", true, nil},
+	{"a*", "a", true, nil},
+	{"a*", "abc", true, nil},
+	{"a*", "ab/c", true, nil},
+	{"a*/b", "abc/b", true, nil},
+	{"a*/b", "a/c/b", false, nil},
+	{"a*b*c*d*e*/f", "axbxcxdxe/f", true, nil},
+	{"a*b*c*d*e*/f", "axbxcxdxexxx/f", true, nil},
+	{"a*b*c*d*e*/f", "axbxcxdxe/xxx/f", false, nil},
+	{"a*b*c*d*e*/f", "axbxcxdxexxx/fff", false, nil},
+	{"a*b?c*x", "abxbbxdbxebxczzx", true, nil},
+	{"a*b?c*x", "abxbbxdbxebxczzy", false, nil},
+	{"ab[c]", "abc", true, nil},
+	{"ab[b-d]", "abc", true, nil},
+	{"ab[e-g]", "abc", false, nil},
+	{"ab[^c]", "abc", false, nil},
+	{"ab[^b-d]", "abc", false, nil},
+	{"ab[^e-g]", "abc", true, nil},
+	{"a\\*b", "a*b", true, nil},
+	{"a\\*b", "ab", false, nil},
+	{"a?b", "a☺b", true, nil},
+	{"a[^a]b", "a☺b", true, nil},
+	{"a???b", "a☺b", false, nil},
+	{"a[^a][^a][^a]b", "a☺b", false, nil},
+	{"[a-ζ]*", "α", true, nil},
+	{"*[a-ζ]", "A", false, nil},
+	{"a?b", "a/b", false, nil},
+	{"a*b", "a/b", false, nil},
+	{"[\\]a]", "]", true, nil},
+	{"[\\-]", "-", true, nil},
+	{"[x\\-]", "x", true, nil},
+	{"[x\\-]", "-", true, nil},
+	{"[x\\-]", "z", false, nil},
+	{"[\\-x]", "x", true, nil},
+	{"[\\-x]", "-", true, nil},
+	{"[\\-x]", "a", false, nil},
+	{"[]a]", "]", false, filepath.ErrBadPattern},
+	{"[-]", "-", false, filepath.ErrBadPattern},
+	{"[x-]", "x", false, filepath.ErrBadPattern},
+	{"[x-]", "-", false, filepath.ErrBadPattern},
+	{"[x-]", "z", false, filepath.ErrBadPattern},
+	{"[-x]", "x", false, filepath.ErrBadPattern},
+	{"[-x]", "-", false, filepath.ErrBadPattern},
+	{"[-x]", "a", false, filepath.ErrBadPattern},
+	{"\\", "a", false, filepath.ErrBadPattern},
+	{"[a-b-c]", "a", false, filepath.ErrBadPattern},
+	{"[", "a", false, filepath.ErrBadPattern},
+	{"[^", "a", false, filepath.ErrBadPattern},
+	{"[^bc", "a", false, filepath.ErrBadPattern},
+	{"a[", "a", false, filepath.ErrBadPattern}, // was nil but IMO its wrong
+	{"a[", "ab", false, filepath.ErrBadPattern},
+	{"*x", "xxx", true, nil},
+}
+
+func errp(e error) string {
+	if e == nil {
+		return "<nil>"
+	}
+	return e.Error()
+}
+
+// TestMatch test's our version of filepath.Match, called regexpMatch.
+func TestMatch(t *testing.T) {
+	for _, tt := range matchTests {
+		pattern := tt.pattern
+		s := tt.s
+		if runtime.GOOS == "windows" {
+			if strings.Contains(pattern, "\\") {
+				// no escape allowed on windows.
+				continue
+			}
+			pattern = filepath.Clean(pattern)
+			s = filepath.Clean(s)
+		}
+		ok, err := Matches(s, []string{pattern})
+		if ok != tt.match || err != tt.err {
+			t.Fatalf("Match(%#q, %#q) = %v, %q want %v, %q", pattern, s, ok, errp(err), tt.match, errp(tt.err))
+		}
+	}
+}
diff --git a/engine/pkg/fileutils/fileutils_unix.go b/engine/pkg/fileutils/fileutils_unix.go
new file mode 100644
index 00000000..565396f1
--- /dev/null
+++ b/engine/pkg/fileutils/fileutils_unix.go
@@ -0,0 +1,22 @@
+// +build linux freebsd
+
+package fileutils // import "github.com/docker/docker/pkg/fileutils"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/sirupsen/logrus"
+)
+
+// GetTotalUsedFds Returns the number of used File Descriptors by
+// reading it via /proc filesystem.
+func GetTotalUsedFds() int {
+	if fds, err := ioutil.ReadDir(fmt.Sprintf("/proc/%d/fd", os.Getpid())); err != nil {
+		logrus.Errorf("Error opening /proc/%d/fd: %s", os.Getpid(), err)
+	} else {
+		return len(fds)
+	}
+	return -1
+}
diff --git a/engine/pkg/fileutils/fileutils_windows.go b/engine/pkg/fileutils/fileutils_windows.go
new file mode 100644
index 00000000..3f1ebb65
--- /dev/null
+++ b/engine/pkg/fileutils/fileutils_windows.go
@@ -0,0 +1,7 @@
+package fileutils // import "github.com/docker/docker/pkg/fileutils"
+
+// GetTotalUsedFds Returns the number of used File Descriptors. Not supported
+// on Windows.
+func GetTotalUsedFds() int {
+	return -1
+}
diff --git a/engine/pkg/fsutils/fsutils_linux.go b/engine/pkg/fsutils/fsutils_linux.go
new file mode 100644
index 00000000..104211ad
--- /dev/null
+++ b/engine/pkg/fsutils/fsutils_linux.go
@@ -0,0 +1,86 @@
+package fsutils // import "github.com/docker/docker/pkg/fsutils"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+func locateDummyIfEmpty(path string) (string, error) {
+	children, err := ioutil.ReadDir(path)
+	if err != nil {
+		return "", err
+	}
+	if len(children) != 0 {
+		return "", nil
+	}
+	dummyFile, err := ioutil.TempFile(path, "fsutils-dummy")
+	if err != nil {
+		return "", err
+	}
+	name := dummyFile.Name()
+	err = dummyFile.Close()
+	return name, err
+}
+
+// SupportsDType returns whether the filesystem mounted on path supports d_type
+func SupportsDType(path string) (bool, error) {
+	// locate dummy so that we have at least one dirent
+	dummy, err := locateDummyIfEmpty(path)
+	if err != nil {
+		return false, err
+	}
+	if dummy != "" {
+		defer os.Remove(dummy)
+	}
+
+	visited := 0
+	supportsDType := true
+	fn := func(ent *unix.Dirent) bool {
+		visited++
+		if ent.Type == unix.DT_UNKNOWN {
+			supportsDType = false
+			// stop iteration
+			return true
+		}
+		// continue iteration
+		return false
+	}
+	if err = iterateReadDir(path, fn); err != nil {
+		return false, err
+	}
+	if visited == 0 {
+		return false, fmt.Errorf("did not hit any dirent during iteration %s", path)
+	}
+	return supportsDType, nil
+}
+
+func iterateReadDir(path string, fn func(*unix.Dirent) bool) error {
+	d, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer d.Close()
+	fd := int(d.Fd())
+	buf := make([]byte, 4096)
+	for {
+		nbytes, err := unix.ReadDirent(fd, buf)
+		if err != nil {
+			return err
+		}
+		if nbytes == 0 {
+			break
+		}
+		for off := 0; off < nbytes; {
+			ent := (*unix.Dirent)(unsafe.Pointer(&buf[off]))
+			if stop := fn(ent); stop {
+				return nil
+			}
+			off += int(ent.Reclen)
+		}
+	}
+	return nil
+}
diff --git a/engine/pkg/fsutils/fsutils_linux_test.go b/engine/pkg/fsutils/fsutils_linux_test.go
new file mode 100644
index 00000000..4e5a78b5
--- /dev/null
+++ b/engine/pkg/fsutils/fsutils_linux_test.go
@@ -0,0 +1,92 @@
+// +build linux
+
+package fsutils // import "github.com/docker/docker/pkg/fsutils"
+
+import (
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"testing"
+
+	"golang.org/x/sys/unix"
+)
+
+func testSupportsDType(t *testing.T, expected bool, mkfsCommand string, mkfsArg ...string) {
+	// check whether mkfs is installed
+	if _, err := exec.LookPath(mkfsCommand); err != nil {
+		t.Skipf("%s not installed: %v", mkfsCommand, err)
+	}
+
+	// create a sparse image
+	imageSize := int64(32 * 1024 * 1024)
+	imageFile, err := ioutil.TempFile("", "fsutils-image")
+	if err != nil {
+		t.Fatal(err)
+	}
+	imageFileName := imageFile.Name()
+	defer os.Remove(imageFileName)
+	if _, err = imageFile.Seek(imageSize-1, 0); err != nil {
+		t.Fatal(err)
+	}
+	if _, err = imageFile.Write([]byte{0}); err != nil {
+		t.Fatal(err)
+	}
+	if err = imageFile.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	// create a mountpoint
+	mountpoint, err := ioutil.TempDir("", "fsutils-mountpoint")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(mountpoint)
+
+	// format the image
+	args := append(mkfsArg, imageFileName)
+	t.Logf("Executing `%s %v`", mkfsCommand, args)
+	out, err := exec.Command(mkfsCommand, args...).CombinedOutput()
+	if len(out) > 0 {
+		t.Log(string(out))
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// loopback-mount the image.
+	// for ease of setting up loopback device, we use os/exec rather than unix.Mount
+	out, err = exec.Command("mount", "-o", "loop", imageFileName, mountpoint).CombinedOutput()
+	if len(out) > 0 {
+		t.Log(string(out))
+	}
+	if err != nil {
+		t.Skip("skipping the test because mount failed")
+	}
+	defer func() {
+		if err := unix.Unmount(mountpoint, 0); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// check whether it supports d_type
+	result, err := SupportsDType(mountpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("Supports d_type: %v", result)
+	if result != expected {
+		t.Fatalf("expected %v, got %v", expected, result)
+	}
+}
+
+func TestSupportsDTypeWithFType0XFS(t *testing.T) {
+	testSupportsDType(t, false, "mkfs.xfs", "-m", "crc=0", "-n", "ftype=0")
+}
+
+func TestSupportsDTypeWithFType1XFS(t *testing.T) {
+	testSupportsDType(t, true, "mkfs.xfs", "-m", "crc=0", "-n", "ftype=1")
+}
+
+func TestSupportsDTypeWithExt4(t *testing.T) {
+	testSupportsDType(t, true, "mkfs.ext4")
+}
diff --git a/engine/pkg/homedir/homedir_linux.go b/engine/pkg/homedir/homedir_linux.go
new file mode 100644
index 00000000..ee15ed52
--- /dev/null
+++ b/engine/pkg/homedir/homedir_linux.go
@@ -0,0 +1,21 @@
+package homedir // import "github.com/docker/docker/pkg/homedir"
+
+import (
+	"os"
+
+	"github.com/docker/docker/pkg/idtools"
+)
+
+// GetStatic returns the home directory for the current user without calling
+// os/user.Current(). This is useful for static-linked binary on glibc-based
+// system, because a call to os/user.Current() in a static binary leads to
+// segfault due to a glibc issue that won't be fixed in a short term.
+// (#29344, golang/go#13470, https://sourceware.org/bugzilla/show_bug.cgi?id=19341)
+func GetStatic() (string, error) {
+	uid := os.Getuid()
+	usr, err := idtools.LookupUID(uid)
+	if err != nil {
+		return "", err
+	}
+	return usr.Home, nil
+}
diff --git a/engine/pkg/homedir/homedir_others.go b/engine/pkg/homedir/homedir_others.go
new file mode 100644
index 00000000..75ada2fe
--- /dev/null
+++ b/engine/pkg/homedir/homedir_others.go
@@ -0,0 +1,13 @@
+// +build !linux
+
+package homedir // import "github.com/docker/docker/pkg/homedir"
+
+import (
+	"errors"
+)
+
+// GetStatic is not needed for non-linux systems.
+// (Precisely, it is needed only for glibc-based linux systems.)
+func GetStatic() (string, error) {
+	return "", errors.New("homedir.GetStatic() is not supported on this system")
+}
diff --git a/engine/pkg/homedir/homedir_test.go b/engine/pkg/homedir/homedir_test.go
new file mode 100644
index 00000000..49c42224
--- /dev/null
+++ b/engine/pkg/homedir/homedir_test.go
@@ -0,0 +1,24 @@
+package homedir // import "github.com/docker/docker/pkg/homedir"
+
+import (
+	"path/filepath"
+	"testing"
+)
+
+func TestGet(t *testing.T) {
+	home := Get()
+	if home == "" {
+		t.Fatal("returned home directory is empty")
+	}
+
+	if !filepath.IsAbs(home) {
+		t.Fatalf("returned path is not absolute: %s", home)
+	}
+}
+
+func TestGetShortcutString(t *testing.T) {
+	shortcut := GetShortcutString()
+	if shortcut == "" {
+		t.Fatal("returned shortcut string is empty")
+	}
+}
diff --git a/engine/pkg/homedir/homedir_unix.go b/engine/pkg/homedir/homedir_unix.go
new file mode 100644
index 00000000..d85e1244
--- /dev/null
+++ b/engine/pkg/homedir/homedir_unix.go
@@ -0,0 +1,34 @@
+// +build !windows
+
+package homedir // import "github.com/docker/docker/pkg/homedir"
+
+import (
+	"os"
+
+	"github.com/opencontainers/runc/libcontainer/user"
+)
+
+// Key returns the env var name for the user's home dir based on
+// the platform being run on
+func Key() string {
+	return "HOME"
+}
+
+// Get returns the home directory of the current user with the help of
+// environment variables depending on the target operating system.
+// Returned path should be used with "path/filepath" to form new paths.
+func Get() string {
+	home := os.Getenv(Key())
+	if home == "" {
+		if u, err := user.CurrentUser(); err == nil {
+			return u.Home
+		}
+	}
+	return home
+}
+
+// GetShortcutString returns the string that is shortcut to user's home directory
+// in the native shell of the platform running on.
+func GetShortcutString() string {
+	return "~"
+}
diff --git a/engine/pkg/homedir/homedir_windows.go b/engine/pkg/homedir/homedir_windows.go
new file mode 100644
index 00000000..2f81813b
--- /dev/null
+++ b/engine/pkg/homedir/homedir_windows.go
@@ -0,0 +1,24 @@
+package homedir // import "github.com/docker/docker/pkg/homedir"
+
+import (
+	"os"
+)
+
+// Key returns the env var name for the user's home dir based on
+// the platform being run on
+func Key() string {
+	return "USERPROFILE"
+}
+
+// Get returns the home directory of the current user with the help of
+// environment variables depending on the target operating system.
+// Returned path should be used with "path/filepath" to form new paths.
+func Get() string {
+	return os.Getenv(Key())
+}
+
+// GetShortcutString returns the string that is shortcut to user's home directory
+// in the native shell of the platform running on.
+func GetShortcutString() string {
+	return "%USERPROFILE%" // be careful while using in format functions
+}
diff --git a/engine/pkg/idtools/idtools.go b/engine/pkg/idtools/idtools.go
new file mode 100644
index 00000000..d1f173a3
--- /dev/null
+++ b/engine/pkg/idtools/idtools.go
@@ -0,0 +1,266 @@
+package idtools // import "github.com/docker/docker/pkg/idtools"
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"sort"
+	"strconv"
+	"strings"
+)
+
+// IDMap contains a single entry for user namespace range remapping. An array
+// of IDMap entries represents the structure that will be provided to the Linux
+// kernel for creating a user namespace.
+type IDMap struct {
+	ContainerID int `json:"container_id"`
+	HostID      int `json:"host_id"`
+	Size        int `json:"size"`
+}
+
+type subIDRange struct {
+	Start  int
+	Length int
+}
+
+type ranges []subIDRange
+
+func (e ranges) Len() int           { return len(e) }
+func (e ranges) Swap(i, j int)      { e[i], e[j] = e[j], e[i] }
+func (e ranges) Less(i, j int) bool { return e[i].Start < e[j].Start }
+
+const (
+	subuidFileName = "/etc/subuid"
+	subgidFileName = "/etc/subgid"
+)
+
+// MkdirAllAndChown creates a directory (include any along the path) and then modifies
+// ownership to the requested uid/gid.  If the directory already exists, this
+// function will still change ownership to the requested uid/gid pair.
+func MkdirAllAndChown(path string, mode os.FileMode, owner IDPair) error {
+	return mkdirAs(path, mode, owner.UID, owner.GID, true, true)
+}
+
+// MkdirAndChown creates a directory and then modifies ownership to the requested uid/gid.
+// If the directory already exists, this function still changes ownership.
+// Note that unlike os.Mkdir(), this function does not return IsExist error
+// in case path already exists.
+func MkdirAndChown(path string, mode os.FileMode, owner IDPair) error {
+	return mkdirAs(path, mode, owner.UID, owner.GID, false, true)
+}
+
+// MkdirAllAndChownNew creates a directory (include any along the path) and then modifies
+// ownership ONLY of newly created directories to the requested uid/gid. If the
+// directories along the path exist, no change of ownership will be performed
+func MkdirAllAndChownNew(path string, mode os.FileMode, owner IDPair) error {
+	return mkdirAs(path, mode, owner.UID, owner.GID, true, false)
+}
+
+// GetRootUIDGID retrieves the remapped root uid/gid pair from the set of maps.
+// If the maps are empty, then the root uid/gid will default to "real" 0/0
+func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
+	uid, err := toHost(0, uidMap)
+	if err != nil {
+		return -1, -1, err
+	}
+	gid, err := toHost(0, gidMap)
+	if err != nil {
+		return -1, -1, err
+	}
+	return uid, gid, nil
+}
+
+// toContainer takes an id mapping, and uses it to translate a
+// host ID to the remapped ID. If no map is provided, then the translation
+// assumes a 1-to-1 mapping and returns the passed in id
+func toContainer(hostID int, idMap []IDMap) (int, error) {
+	if idMap == nil {
+		return hostID, nil
+	}
+	for _, m := range idMap {
+		if (hostID >= m.HostID) && (hostID <= (m.HostID + m.Size - 1)) {
+			contID := m.ContainerID + (hostID - m.HostID)
+			return contID, nil
+		}
+	}
+	return -1, fmt.Errorf("Host ID %d cannot be mapped to a container ID", hostID)
+}
+
+// toHost takes an id mapping and a remapped ID, and translates the
+// ID to the mapped host ID. If no map is provided, then the translation
+// assumes a 1-to-1 mapping and returns the passed in id #
+func toHost(contID int, idMap []IDMap) (int, error) {
+	if idMap == nil {
+		return contID, nil
+	}
+	for _, m := range idMap {
+		if (contID >= m.ContainerID) && (contID <= (m.ContainerID + m.Size - 1)) {
+			hostID := m.HostID + (contID - m.ContainerID)
+			return hostID, nil
+		}
+	}
+	return -1, fmt.Errorf("Container ID %d cannot be mapped to a host ID", contID)
+}
+
+// IDPair is a UID and GID pair
+type IDPair struct {
+	UID int
+	GID int
+}
+
+// IDMappings contains a mappings of UIDs and GIDs
+type IDMappings struct {
+	uids []IDMap
+	gids []IDMap
+}
+
+// NewIDMappings takes a requested user and group name and
+// using the data from /etc/sub{uid,gid} ranges, creates the
+// proper uid and gid remapping ranges for that user/group pair
+func NewIDMappings(username, groupname string) (*IDMappings, error) {
+	subuidRanges, err := parseSubuid(username)
+	if err != nil {
+		return nil, err
+	}
+	subgidRanges, err := parseSubgid(groupname)
+	if err != nil {
+		return nil, err
+	}
+	if len(subuidRanges) == 0 {
+		return nil, fmt.Errorf("No subuid ranges found for user %q", username)
+	}
+	if len(subgidRanges) == 0 {
+		return nil, fmt.Errorf("No subgid ranges found for group %q", groupname)
+	}
+
+	return &IDMappings{
+		uids: createIDMap(subuidRanges),
+		gids: createIDMap(subgidRanges),
+	}, nil
+}
+
+// NewIDMappingsFromMaps creates a new mapping from two slices
+// Deprecated: this is a temporary shim while transitioning to IDMapping
+func NewIDMappingsFromMaps(uids []IDMap, gids []IDMap) *IDMappings {
+	return &IDMappings{uids: uids, gids: gids}
+}
+
+// RootPair returns a uid and gid pair for the root user. The error is ignored
+// because a root user always exists, and the defaults are correct when the uid
+// and gid maps are empty.
+func (i *IDMappings) RootPair() IDPair {
+	uid, gid, _ := GetRootUIDGID(i.uids, i.gids)
+	return IDPair{UID: uid, GID: gid}
+}
+
+// ToHost returns the host UID and GID for the container uid, gid.
+// Remapping is only performed if the ids aren't already the remapped root ids
+func (i *IDMappings) ToHost(pair IDPair) (IDPair, error) {
+	var err error
+	target := i.RootPair()
+
+	if pair.UID != target.UID {
+		target.UID, err = toHost(pair.UID, i.uids)
+		if err != nil {
+			return target, err
+		}
+	}
+
+	if pair.GID != target.GID {
+		target.GID, err = toHost(pair.GID, i.gids)
+	}
+	return target, err
+}
+
+// ToContainer returns the container UID and GID for the host uid and gid
+func (i *IDMappings) ToContainer(pair IDPair) (int, int, error) {
+	uid, err := toContainer(pair.UID, i.uids)
+	if err != nil {
+		return -1, -1, err
+	}
+	gid, err := toContainer(pair.GID, i.gids)
+	return uid, gid, err
+}
+
+// Empty returns true if there are no id mappings
+func (i *IDMappings) Empty() bool {
+	return len(i.uids) == 0 && len(i.gids) == 0
+}
+
+// UIDs return the UID mapping
+// TODO: remove this once everything has been refactored to use pairs
+func (i *IDMappings) UIDs() []IDMap {
+	return i.uids
+}
+
+// GIDs return the UID mapping
+// TODO: remove this once everything has been refactored to use pairs
+func (i *IDMappings) GIDs() []IDMap {
+	return i.gids
+}
+
+func createIDMap(subidRanges ranges) []IDMap {
+	idMap := []IDMap{}
+
+	// sort the ranges by lowest ID first
+	sort.Sort(subidRanges)
+	containerID := 0
+	for _, idrange := range subidRanges {
+		idMap = append(idMap, IDMap{
+			ContainerID: containerID,
+			HostID:      idrange.Start,
+			Size:        idrange.Length,
+		})
+		containerID = containerID + idrange.Length
+	}
+	return idMap
+}
+
+func parseSubuid(username string) (ranges, error) {
+	return parseSubidFile(subuidFileName, username)
+}
+
+func parseSubgid(username string) (ranges, error) {
+	return parseSubidFile(subgidFileName, username)
+}
+
+// parseSubidFile will read the appropriate file (/etc/subuid or /etc/subgid)
+// and return all found ranges for a specified username. If the special value
+// "ALL" is supplied for username, then all ranges in the file will be returned
+func parseSubidFile(path, username string) (ranges, error) {
+	var rangeList ranges
+
+	subidFile, err := os.Open(path)
+	if err != nil {
+		return rangeList, err
+	}
+	defer subidFile.Close()
+
+	s := bufio.NewScanner(subidFile)
+	for s.Scan() {
+		if err := s.Err(); err != nil {
+			return rangeList, err
+		}
+
+		text := strings.TrimSpace(s.Text())
+		if text == "" || strings.HasPrefix(text, "#") {
+			continue
+		}
+		parts := strings.Split(text, ":")
+		if len(parts) != 3 {
+			return rangeList, fmt.Errorf("Cannot parse subuid/gid information: Format not correct for %s file", path)
+		}
+		if parts[0] == username || username == "ALL" {
+			startid, err := strconv.Atoi(parts[1])
+			if err != nil {
+				return rangeList, fmt.Errorf("String to int conversion failed during subuid/gid parsing of %s: %v", path, err)
+			}
+			length, err := strconv.Atoi(parts[2])
+			if err != nil {
+				return rangeList, fmt.Errorf("String to int conversion failed during subuid/gid parsing of %s: %v", path, err)
+			}
+			rangeList = append(rangeList, subIDRange{startid, length})
+		}
+	}
+	return rangeList, nil
+}
diff --git a/engine/pkg/idtools/idtools_unix.go b/engine/pkg/idtools/idtools_unix.go
new file mode 100644
index 00000000..1d87ea3b
--- /dev/null
+++ b/engine/pkg/idtools/idtools_unix.go
@@ -0,0 +1,230 @@
+// +build !windows
+
+package idtools // import "github.com/docker/docker/pkg/idtools"
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"syscall"
+
+	"github.com/docker/docker/pkg/system"
+	"github.com/opencontainers/runc/libcontainer/user"
+)
+
+var (
+	entOnce   sync.Once
+	getentCmd string
+)
+
+func mkdirAs(path string, mode os.FileMode, ownerUID, ownerGID int, mkAll, chownExisting bool) error {
+	// make an array containing the original path asked for, plus (for mkAll == true)
+	// all path components leading up to the complete path that don't exist before we MkdirAll
+	// so that we can chown all of them properly at the end.  If chownExisting is false, we won't
+	// chown the full directory path if it exists
+	var paths []string
+
+	stat, err := system.Stat(path)
+	if err == nil {
+		if !stat.IsDir() {
+			return &os.PathError{Op: "mkdir", Path: path, Err: syscall.ENOTDIR}
+		}
+		if !chownExisting {
+			return nil
+		}
+
+		// short-circuit--we were called with an existing directory and chown was requested
+		return lazyChown(path, ownerUID, ownerGID, stat)
+	}
+
+	if os.IsNotExist(err) {
+		paths = []string{path}
+	}
+
+	if mkAll {
+		// walk back to "/" looking for directories which do not exist
+		// and add them to the paths array for chown after creation
+		dirPath := path
+		for {
+			dirPath = filepath.Dir(dirPath)
+			if dirPath == "/" {
+				break
+			}
+			if _, err := os.Stat(dirPath); err != nil && os.IsNotExist(err) {
+				paths = append(paths, dirPath)
+			}
+		}
+		if err := system.MkdirAll(path, mode, ""); err != nil {
+			return err
+		}
+	} else {
+		if err := os.Mkdir(path, mode); err != nil && !os.IsExist(err) {
+			return err
+		}
+	}
+	// even if it existed, we will chown the requested path + any subpaths that
+	// didn't exist when we called MkdirAll
+	for _, pathComponent := range paths {
+		if err := lazyChown(pathComponent, ownerUID, ownerGID, nil); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// CanAccess takes a valid (existing) directory and a uid, gid pair and determines
+// if that uid, gid pair has access (execute bit) to the directory
+func CanAccess(path string, pair IDPair) bool {
+	statInfo, err := system.Stat(path)
+	if err != nil {
+		return false
+	}
+	fileMode := os.FileMode(statInfo.Mode())
+	permBits := fileMode.Perm()
+	return accessible(statInfo.UID() == uint32(pair.UID),
+		statInfo.GID() == uint32(pair.GID), permBits)
+}
+
+func accessible(isOwner, isGroup bool, perms os.FileMode) bool {
+	if isOwner && (perms&0100 == 0100) {
+		return true
+	}
+	if isGroup && (perms&0010 == 0010) {
+		return true
+	}
+	if perms&0001 == 0001 {
+		return true
+	}
+	return false
+}
+
+// LookupUser uses traditional local system files lookup (from libcontainer/user) on a username,
+// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+func LookupUser(username string) (user.User, error) {
+	// first try a local system files lookup using existing capabilities
+	usr, err := user.LookupUser(username)
+	if err == nil {
+		return usr, nil
+	}
+	// local files lookup failed; attempt to call `getent` to query configured passwd dbs
+	usr, err = getentUser(fmt.Sprintf("%s %s", "passwd", username))
+	if err != nil {
+		return user.User{}, err
+	}
+	return usr, nil
+}
+
+// LookupUID uses traditional local system files lookup (from libcontainer/user) on a uid,
+// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+func LookupUID(uid int) (user.User, error) {
+	// first try a local system files lookup using existing capabilities
+	usr, err := user.LookupUid(uid)
+	if err == nil {
+		return usr, nil
+	}
+	// local files lookup failed; attempt to call `getent` to query configured passwd dbs
+	return getentUser(fmt.Sprintf("%s %d", "passwd", uid))
+}
+
+func getentUser(args string) (user.User, error) {
+	reader, err := callGetent(args)
+	if err != nil {
+		return user.User{}, err
+	}
+	users, err := user.ParsePasswd(reader)
+	if err != nil {
+		return user.User{}, err
+	}
+	if len(users) == 0 {
+		return user.User{}, fmt.Errorf("getent failed to find passwd entry for %q", strings.Split(args, " ")[1])
+	}
+	return users[0], nil
+}
+
+// LookupGroup uses traditional local system files lookup (from libcontainer/user) on a group name,
+// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+func LookupGroup(groupname string) (user.Group, error) {
+	// first try a local system files lookup using existing capabilities
+	group, err := user.LookupGroup(groupname)
+	if err == nil {
+		return group, nil
+	}
+	// local files lookup failed; attempt to call `getent` to query configured group dbs
+	return getentGroup(fmt.Sprintf("%s %s", "group", groupname))
+}
+
+// LookupGID uses traditional local system files lookup (from libcontainer/user) on a group ID,
+// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+func LookupGID(gid int) (user.Group, error) {
+	// first try a local system files lookup using existing capabilities
+	group, err := user.LookupGid(gid)
+	if err == nil {
+		return group, nil
+	}
+	// local files lookup failed; attempt to call `getent` to query configured group dbs
+	return getentGroup(fmt.Sprintf("%s %d", "group", gid))
+}
+
+func getentGroup(args string) (user.Group, error) {
+	reader, err := callGetent(args)
+	if err != nil {
+		return user.Group{}, err
+	}
+	groups, err := user.ParseGroup(reader)
+	if err != nil {
+		return user.Group{}, err
+	}
+	if len(groups) == 0 {
+		return user.Group{}, fmt.Errorf("getent failed to find groups entry for %q", strings.Split(args, " ")[1])
+	}
+	return groups[0], nil
+}
+
+func callGetent(args string) (io.Reader, error) {
+	entOnce.Do(func() { getentCmd, _ = resolveBinary("getent") })
+	// if no `getent` command on host, can't do anything else
+	if getentCmd == "" {
+		return nil, fmt.Errorf("")
+	}
+	out, err := execCmd(getentCmd, args)
+	if err != nil {
+		exitCode, errC := system.GetExitCode(err)
+		if errC != nil {
+			return nil, err
+		}
+		switch exitCode {
+		case 1:
+			return nil, fmt.Errorf("getent reported invalid parameters/database unknown")
+		case 2:
+			terms := strings.Split(args, " ")
+			return nil, fmt.Errorf("getent unable to find entry %q in %s database", terms[1], terms[0])
+		case 3:
+			return nil, fmt.Errorf("getent database doesn't support enumeration")
+		default:
+			return nil, err
+		}
+
+	}
+	return bytes.NewReader(out), nil
+}
+
+// lazyChown performs a chown only if the uid/gid don't match what's requested
+// Normally a Chown is a no-op if uid/gid match, but in some cases this can still cause an error, e.g. if the
+// dir is on an NFS share, so don't call chown unless we absolutely must.
+func lazyChown(p string, uid, gid int, stat *system.StatT) error {
+	if stat == nil {
+		var err error
+		stat, err = system.Stat(p)
+		if err != nil {
+			return err
+		}
+	}
+	if stat.UID() == uint32(uid) && stat.GID() == uint32(gid) {
+		return nil
+	}
+	return os.Chown(p, uid, gid)
+}
diff --git a/engine/pkg/idtools/idtools_unix_test.go b/engine/pkg/idtools/idtools_unix_test.go
new file mode 100644
index 00000000..608000a6
--- /dev/null
+++ b/engine/pkg/idtools/idtools_unix_test.go
@@ -0,0 +1,397 @@
+// +build !windows
+
+package idtools // import "github.com/docker/docker/pkg/idtools"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/user"
+	"path/filepath"
+	"testing"
+
+	"golang.org/x/sys/unix"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+	"gotest.tools/skip"
+)
+
+const (
+	tempUser = "tempuser"
+)
+
+type node struct {
+	uid int
+	gid int
+}
+
+func TestMkdirAllAndChown(t *testing.T) {
+	RequiresRoot(t)
+	dirName, err := ioutil.TempDir("", "mkdirall")
+	if err != nil {
+		t.Fatalf("Couldn't create temp dir: %v", err)
+	}
+	defer os.RemoveAll(dirName)
+
+	testTree := map[string]node{
+		"usr":              {0, 0},
+		"usr/bin":          {0, 0},
+		"lib":              {33, 33},
+		"lib/x86_64":       {45, 45},
+		"lib/x86_64/share": {1, 1},
+	}
+
+	if err := buildTree(dirName, testTree); err != nil {
+		t.Fatal(err)
+	}
+
+	// test adding a directory to a pre-existing dir; only the new dir is owned by the uid/gid
+	if err := MkdirAllAndChown(filepath.Join(dirName, "usr", "share"), 0755, IDPair{UID: 99, GID: 99}); err != nil {
+		t.Fatal(err)
+	}
+	testTree["usr/share"] = node{99, 99}
+	verifyTree, err := readTree(dirName, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := compareTrees(testTree, verifyTree); err != nil {
+		t.Fatal(err)
+	}
+
+	// test 2-deep new directories--both should be owned by the uid/gid pair
+	if err := MkdirAllAndChown(filepath.Join(dirName, "lib", "some", "other"), 0755, IDPair{UID: 101, GID: 101}); err != nil {
+		t.Fatal(err)
+	}
+	testTree["lib/some"] = node{101, 101}
+	testTree["lib/some/other"] = node{101, 101}
+	verifyTree, err = readTree(dirName, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := compareTrees(testTree, verifyTree); err != nil {
+		t.Fatal(err)
+	}
+
+	// test a directory that already exists; should be chowned, but nothing else
+	if err := MkdirAllAndChown(filepath.Join(dirName, "usr"), 0755, IDPair{UID: 102, GID: 102}); err != nil {
+		t.Fatal(err)
+	}
+	testTree["usr"] = node{102, 102}
+	verifyTree, err = readTree(dirName, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := compareTrees(testTree, verifyTree); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestMkdirAllAndChownNew(t *testing.T) {
+	RequiresRoot(t)
+	dirName, err := ioutil.TempDir("", "mkdirnew")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dirName)
+
+	testTree := map[string]node{
+		"usr":              {0, 0},
+		"usr/bin":          {0, 0},
+		"lib":              {33, 33},
+		"lib/x86_64":       {45, 45},
+		"lib/x86_64/share": {1, 1},
+	}
+	assert.NilError(t, buildTree(dirName, testTree))
+
+	// test adding a directory to a pre-existing dir; only the new dir is owned by the uid/gid
+	err = MkdirAllAndChownNew(filepath.Join(dirName, "usr", "share"), 0755, IDPair{UID: 99, GID: 99})
+	assert.NilError(t, err)
+
+	testTree["usr/share"] = node{99, 99}
+	verifyTree, err := readTree(dirName, "")
+	assert.NilError(t, err)
+	assert.NilError(t, compareTrees(testTree, verifyTree))
+
+	// test 2-deep new directories--both should be owned by the uid/gid pair
+	err = MkdirAllAndChownNew(filepath.Join(dirName, "lib", "some", "other"), 0755, IDPair{UID: 101, GID: 101})
+	assert.NilError(t, err)
+	testTree["lib/some"] = node{101, 101}
+	testTree["lib/some/other"] = node{101, 101}
+	verifyTree, err = readTree(dirName, "")
+	assert.NilError(t, err)
+	assert.NilError(t, compareTrees(testTree, verifyTree))
+
+	// test a directory that already exists; should NOT be chowned
+	err = MkdirAllAndChownNew(filepath.Join(dirName, "usr"), 0755, IDPair{UID: 102, GID: 102})
+	assert.NilError(t, err)
+	verifyTree, err = readTree(dirName, "")
+	assert.NilError(t, err)
+	assert.NilError(t, compareTrees(testTree, verifyTree))
+}
+
+func TestMkdirAndChown(t *testing.T) {
+	RequiresRoot(t)
+	dirName, err := ioutil.TempDir("", "mkdir")
+	if err != nil {
+		t.Fatalf("Couldn't create temp dir: %v", err)
+	}
+	defer os.RemoveAll(dirName)
+
+	testTree := map[string]node{
+		"usr": {0, 0},
+	}
+	if err := buildTree(dirName, testTree); err != nil {
+		t.Fatal(err)
+	}
+
+	// test a directory that already exists; should just chown to the requested uid/gid
+	if err := MkdirAndChown(filepath.Join(dirName, "usr"), 0755, IDPair{UID: 99, GID: 99}); err != nil {
+		t.Fatal(err)
+	}
+	testTree["usr"] = node{99, 99}
+	verifyTree, err := readTree(dirName, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := compareTrees(testTree, verifyTree); err != nil {
+		t.Fatal(err)
+	}
+
+	// create a subdir under a dir which doesn't exist--should fail
+	if err := MkdirAndChown(filepath.Join(dirName, "usr", "bin", "subdir"), 0755, IDPair{UID: 102, GID: 102}); err == nil {
+		t.Fatalf("Trying to create a directory with Mkdir where the parent doesn't exist should have failed")
+	}
+
+	// create a subdir under an existing dir; should only change the ownership of the new subdir
+	if err := MkdirAndChown(filepath.Join(dirName, "usr", "bin"), 0755, IDPair{UID: 102, GID: 102}); err != nil {
+		t.Fatal(err)
+	}
+	testTree["usr/bin"] = node{102, 102}
+	verifyTree, err = readTree(dirName, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := compareTrees(testTree, verifyTree); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func buildTree(base string, tree map[string]node) error {
+	for path, node := range tree {
+		fullPath := filepath.Join(base, path)
+		if err := os.MkdirAll(fullPath, 0755); err != nil {
+			return fmt.Errorf("Couldn't create path: %s; error: %v", fullPath, err)
+		}
+		if err := os.Chown(fullPath, node.uid, node.gid); err != nil {
+			return fmt.Errorf("Couldn't chown path: %s; error: %v", fullPath, err)
+		}
+	}
+	return nil
+}
+
+func readTree(base, root string) (map[string]node, error) {
+	tree := make(map[string]node)
+
+	dirInfos, err := ioutil.ReadDir(base)
+	if err != nil {
+		return nil, fmt.Errorf("Couldn't read directory entries for %q: %v", base, err)
+	}
+
+	for _, info := range dirInfos {
+		s := &unix.Stat_t{}
+		if err := unix.Stat(filepath.Join(base, info.Name()), s); err != nil {
+			return nil, fmt.Errorf("Can't stat file %q: %v", filepath.Join(base, info.Name()), err)
+		}
+		tree[filepath.Join(root, info.Name())] = node{int(s.Uid), int(s.Gid)}
+		if info.IsDir() {
+			// read the subdirectory
+			subtree, err := readTree(filepath.Join(base, info.Name()), filepath.Join(root, info.Name()))
+			if err != nil {
+				return nil, err
+			}
+			for path, nodeinfo := range subtree {
+				tree[path] = nodeinfo
+			}
+		}
+	}
+	return tree, nil
+}
+
+func compareTrees(left, right map[string]node) error {
+	if len(left) != len(right) {
+		return fmt.Errorf("Trees aren't the same size")
+	}
+	for path, nodeLeft := range left {
+		if nodeRight, ok := right[path]; ok {
+			if nodeRight.uid != nodeLeft.uid || nodeRight.gid != nodeLeft.gid {
+				// mismatch
+				return fmt.Errorf("mismatched ownership for %q: expected: %d:%d, got: %d:%d", path,
+					nodeLeft.uid, nodeLeft.gid, nodeRight.uid, nodeRight.gid)
+			}
+			continue
+		}
+		return fmt.Errorf("right tree didn't contain path %q", path)
+	}
+	return nil
+}
+
+func delUser(t *testing.T, name string) {
+	_, err := execCmd("userdel", name)
+	assert.Check(t, err)
+}
+
+func TestParseSubidFileWithNewlinesAndComments(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "parsesubid")
+	if err != nil {
+		t.Fatal(err)
+	}
+	fnamePath := filepath.Join(tmpDir, "testsubuid")
+	fcontent := `tss:100000:65536
+# empty default subuid/subgid file
+
+dockremap:231072:65536`
+	if err := ioutil.WriteFile(fnamePath, []byte(fcontent), 0644); err != nil {
+		t.Fatal(err)
+	}
+	ranges, err := parseSubidFile(fnamePath, "dockremap")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(ranges) != 1 {
+		t.Fatalf("wanted 1 element in ranges, got %d instead", len(ranges))
+	}
+	if ranges[0].Start != 231072 {
+		t.Fatalf("wanted 231072, got %d instead", ranges[0].Start)
+	}
+	if ranges[0].Length != 65536 {
+		t.Fatalf("wanted 65536, got %d instead", ranges[0].Length)
+	}
+}
+
+func TestGetRootUIDGID(t *testing.T) {
+	uidMap := []IDMap{
+		{
+			ContainerID: 0,
+			HostID:      os.Getuid(),
+			Size:        1,
+		},
+	}
+	gidMap := []IDMap{
+		{
+			ContainerID: 0,
+			HostID:      os.Getgid(),
+			Size:        1,
+		},
+	}
+
+	uid, gid, err := GetRootUIDGID(uidMap, gidMap)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(os.Geteuid(), uid))
+	assert.Check(t, is.Equal(os.Getegid(), gid))
+
+	uidMapError := []IDMap{
+		{
+			ContainerID: 1,
+			HostID:      os.Getuid(),
+			Size:        1,
+		},
+	}
+	_, _, err = GetRootUIDGID(uidMapError, gidMap)
+	assert.Check(t, is.Error(err, "Container ID 0 cannot be mapped to a host ID"))
+}
+
+func TestToContainer(t *testing.T) {
+	uidMap := []IDMap{
+		{
+			ContainerID: 2,
+			HostID:      2,
+			Size:        1,
+		},
+	}
+
+	containerID, err := toContainer(2, uidMap)
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(uidMap[0].ContainerID, containerID))
+}
+
+func TestNewIDMappings(t *testing.T) {
+	RequiresRoot(t)
+	_, _, err := AddNamespaceRangesUser(tempUser)
+	assert.Check(t, err)
+	defer delUser(t, tempUser)
+
+	tempUser, err := user.Lookup(tempUser)
+	assert.Check(t, err)
+
+	gids, err := tempUser.GroupIds()
+	assert.Check(t, err)
+	group, err := user.LookupGroupId(string(gids[0]))
+	assert.Check(t, err)
+
+	idMappings, err := NewIDMappings(tempUser.Username, group.Name)
+	assert.Check(t, err)
+
+	rootUID, rootGID, err := GetRootUIDGID(idMappings.UIDs(), idMappings.GIDs())
+	assert.Check(t, err)
+
+	dirName, err := ioutil.TempDir("", "mkdirall")
+	assert.Check(t, err, "Couldn't create temp directory")
+	defer os.RemoveAll(dirName)
+
+	err = MkdirAllAndChown(dirName, 0700, IDPair{UID: rootUID, GID: rootGID})
+	assert.Check(t, err, "Couldn't change ownership of file path. Got error")
+	assert.Check(t, CanAccess(dirName, idMappings.RootPair()), fmt.Sprintf("Unable to access %s directory with user UID:%d and GID:%d", dirName, rootUID, rootGID))
+}
+
+func TestLookupUserAndGroup(t *testing.T) {
+	RequiresRoot(t)
+	uid, gid, err := AddNamespaceRangesUser(tempUser)
+	assert.Check(t, err)
+	defer delUser(t, tempUser)
+
+	fetchedUser, err := LookupUser(tempUser)
+	assert.Check(t, err)
+
+	fetchedUserByID, err := LookupUID(uid)
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual(fetchedUserByID, fetchedUser))
+
+	fetchedGroup, err := LookupGroup(tempUser)
+	assert.Check(t, err)
+
+	fetchedGroupByID, err := LookupGID(gid)
+	assert.Check(t, err)
+	assert.Check(t, is.DeepEqual(fetchedGroupByID, fetchedGroup))
+}
+
+func TestLookupUserAndGroupThatDoesNotExist(t *testing.T) {
+	fakeUser := "fakeuser"
+	_, err := LookupUser(fakeUser)
+	assert.Check(t, is.Error(err, "getent unable to find entry \""+fakeUser+"\" in passwd database"))
+
+	_, err = LookupUID(-1)
+	assert.Check(t, is.ErrorContains(err, ""))
+
+	fakeGroup := "fakegroup"
+	_, err = LookupGroup(fakeGroup)
+	assert.Check(t, is.Error(err, "getent unable to find entry \""+fakeGroup+"\" in group database"))
+
+	_, err = LookupGID(-1)
+	assert.Check(t, is.ErrorContains(err, ""))
+}
+
+// TestMkdirIsNotDir checks that mkdirAs() function (used by MkdirAll...)
+// returns a correct error in case a directory which it is about to create
+// already exists but is a file (rather than a directory).
+func TestMkdirIsNotDir(t *testing.T) {
+	file, err := ioutil.TempFile("", t.Name())
+	if err != nil {
+		t.Fatalf("Couldn't create temp dir: %v", err)
+	}
+	defer os.Remove(file.Name())
+
+	err = mkdirAs(file.Name(), 0755, 0, 0, false, false)
+	assert.Check(t, is.Error(err, "mkdir "+file.Name()+": not a directory"))
+}
+
+func RequiresRoot(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+}
diff --git a/engine/pkg/idtools/idtools_windows.go b/engine/pkg/idtools/idtools_windows.go
new file mode 100644
index 00000000..d72cc289
--- /dev/null
+++ b/engine/pkg/idtools/idtools_windows.go
@@ -0,0 +1,23 @@
+package idtools // import "github.com/docker/docker/pkg/idtools"
+
+import (
+	"os"
+
+	"github.com/docker/docker/pkg/system"
+)
+
+// Platforms such as Windows do not support the UID/GID concept. So make this
+// just a wrapper around system.MkdirAll.
+func mkdirAs(path string, mode os.FileMode, ownerUID, ownerGID int, mkAll, chownExisting bool) error {
+	if err := system.MkdirAll(path, mode, ""); err != nil {
+		return err
+	}
+	return nil
+}
+
+// CanAccess takes a valid (existing) directory and a uid, gid pair and determines
+// if that uid, gid pair has access (execute bit) to the directory
+// Windows does not require/support this function, so always return true
+func CanAccess(path string, pair IDPair) bool {
+	return true
+}
diff --git a/engine/pkg/idtools/usergroupadd_linux.go b/engine/pkg/idtools/usergroupadd_linux.go
new file mode 100644
index 00000000..6272c5a4
--- /dev/null
+++ b/engine/pkg/idtools/usergroupadd_linux.go
@@ -0,0 +1,164 @@
+package idtools // import "github.com/docker/docker/pkg/idtools"
+
+import (
+	"fmt"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+)
+
+// add a user and/or group to Linux /etc/passwd, /etc/group using standard
+// Linux distribution commands:
+// adduser --system --shell /bin/false --disabled-login --disabled-password --no-create-home --group <username>
+// useradd -r -s /bin/false <username>
+
+var (
+	once        sync.Once
+	userCommand string
+
+	cmdTemplates = map[string]string{
+		"adduser": "--system --shell /bin/false --no-create-home --disabled-login --disabled-password --group %s",
+		"useradd": "-r -s /bin/false %s",
+		"usermod": "-%s %d-%d %s",
+	}
+
+	idOutRegexp = regexp.MustCompile(`uid=([0-9]+).*gid=([0-9]+)`)
+	// default length for a UID/GID subordinate range
+	defaultRangeLen   = 65536
+	defaultRangeStart = 100000
+	userMod           = "usermod"
+)
+
+// AddNamespaceRangesUser takes a username and uses the standard system
+// utility to create a system user/group pair used to hold the
+// /etc/sub{uid,gid} ranges which will be used for user namespace
+// mapping ranges in containers.
+func AddNamespaceRangesUser(name string) (int, int, error) {
+	if err := addUser(name); err != nil {
+		return -1, -1, fmt.Errorf("Error adding user %q: %v", name, err)
+	}
+
+	// Query the system for the created uid and gid pair
+	out, err := execCmd("id", name)
+	if err != nil {
+		return -1, -1, fmt.Errorf("Error trying to find uid/gid for new user %q: %v", name, err)
+	}
+	matches := idOutRegexp.FindStringSubmatch(strings.TrimSpace(string(out)))
+	if len(matches) != 3 {
+		return -1, -1, fmt.Errorf("Can't find uid, gid from `id` output: %q", string(out))
+	}
+	uid, err := strconv.Atoi(matches[1])
+	if err != nil {
+		return -1, -1, fmt.Errorf("Can't convert found uid (%s) to int: %v", matches[1], err)
+	}
+	gid, err := strconv.Atoi(matches[2])
+	if err != nil {
+		return -1, -1, fmt.Errorf("Can't convert found gid (%s) to int: %v", matches[2], err)
+	}
+
+	// Now we need to create the subuid/subgid ranges for our new user/group (system users
+	// do not get auto-created ranges in subuid/subgid)
+
+	if err := createSubordinateRanges(name); err != nil {
+		return -1, -1, fmt.Errorf("Couldn't create subordinate ID ranges: %v", err)
+	}
+	return uid, gid, nil
+}
+
+func addUser(userName string) error {
+	once.Do(func() {
+		// set up which commands are used for adding users/groups dependent on distro
+		if _, err := resolveBinary("adduser"); err == nil {
+			userCommand = "adduser"
+		} else if _, err := resolveBinary("useradd"); err == nil {
+			userCommand = "useradd"
+		}
+	})
+	if userCommand == "" {
+		return fmt.Errorf("Cannot add user; no useradd/adduser binary found")
+	}
+	args := fmt.Sprintf(cmdTemplates[userCommand], userName)
+	out, err := execCmd(userCommand, args)
+	if err != nil {
+		return fmt.Errorf("Failed to add user with error: %v; output: %q", err, string(out))
+	}
+	return nil
+}
+
+func createSubordinateRanges(name string) error {
+
+	// first, we should verify that ranges weren't automatically created
+	// by the distro tooling
+	ranges, err := parseSubuid(name)
+	if err != nil {
+		return fmt.Errorf("Error while looking for subuid ranges for user %q: %v", name, err)
+	}
+	if len(ranges) == 0 {
+		// no UID ranges; let's create one
+		startID, err := findNextUIDRange()
+		if err != nil {
+			return fmt.Errorf("Can't find available subuid range: %v", err)
+		}
+		out, err := execCmd(userMod, fmt.Sprintf(cmdTemplates[userMod], "v", startID, startID+defaultRangeLen-1, name))
+		if err != nil {
+			return fmt.Errorf("Unable to add subuid range to user: %q; output: %s, err: %v", name, out, err)
+		}
+	}
+
+	ranges, err = parseSubgid(name)
+	if err != nil {
+		return fmt.Errorf("Error while looking for subgid ranges for user %q: %v", name, err)
+	}
+	if len(ranges) == 0 {
+		// no GID ranges; let's create one
+		startID, err := findNextGIDRange()
+		if err != nil {
+			return fmt.Errorf("Can't find available subgid range: %v", err)
+		}
+		out, err := execCmd(userMod, fmt.Sprintf(cmdTemplates[userMod], "w", startID, startID+defaultRangeLen-1, name))
+		if err != nil {
+			return fmt.Errorf("Unable to add subgid range to user: %q; output: %s, err: %v", name, out, err)
+		}
+	}
+	return nil
+}
+
+func findNextUIDRange() (int, error) {
+	ranges, err := parseSubuid("ALL")
+	if err != nil {
+		return -1, fmt.Errorf("Couldn't parse all ranges in /etc/subuid file: %v", err)
+	}
+	sort.Sort(ranges)
+	return findNextRangeStart(ranges)
+}
+
+func findNextGIDRange() (int, error) {
+	ranges, err := parseSubgid("ALL")
+	if err != nil {
+		return -1, fmt.Errorf("Couldn't parse all ranges in /etc/subgid file: %v", err)
+	}
+	sort.Sort(ranges)
+	return findNextRangeStart(ranges)
+}
+
+func findNextRangeStart(rangeList ranges) (int, error) {
+	startID := defaultRangeStart
+	for _, arange := range rangeList {
+		if wouldOverlap(arange, startID) {
+			startID = arange.Start + arange.Length
+		}
+	}
+	return startID, nil
+}
+
+func wouldOverlap(arange subIDRange, ID int) bool {
+	low := ID
+	high := ID + defaultRangeLen
+	if (low >= arange.Start && low <= arange.Start+arange.Length) ||
+		(high <= arange.Start+arange.Length && high >= arange.Start) {
+		return true
+	}
+	return false
+}
diff --git a/engine/pkg/idtools/usergroupadd_unsupported.go b/engine/pkg/idtools/usergroupadd_unsupported.go
new file mode 100644
index 00000000..e7c4d631
--- /dev/null
+++ b/engine/pkg/idtools/usergroupadd_unsupported.go
@@ -0,0 +1,12 @@
+// +build !linux
+
+package idtools // import "github.com/docker/docker/pkg/idtools"
+
+import "fmt"
+
+// AddNamespaceRangesUser takes a name and finds an unused uid, gid pair
+// and calls the appropriate helper function to add the group and then
+// the user to the group in /etc/group and /etc/passwd respectively.
+func AddNamespaceRangesUser(name string) (int, int, error) {
+	return -1, -1, fmt.Errorf("No support for adding users or groups on this OS")
+}
diff --git a/engine/pkg/idtools/utils_unix.go b/engine/pkg/idtools/utils_unix.go
new file mode 100644
index 00000000..903ac450
--- /dev/null
+++ b/engine/pkg/idtools/utils_unix.go
@@ -0,0 +1,32 @@
+// +build !windows
+
+package idtools // import "github.com/docker/docker/pkg/idtools"
+
+import (
+	"fmt"
+	"os/exec"
+	"path/filepath"
+	"strings"
+)
+
+func resolveBinary(binname string) (string, error) {
+	binaryPath, err := exec.LookPath(binname)
+	if err != nil {
+		return "", err
+	}
+	resolvedPath, err := filepath.EvalSymlinks(binaryPath)
+	if err != nil {
+		return "", err
+	}
+	//only return no error if the final resolved binary basename
+	//matches what was searched for
+	if filepath.Base(resolvedPath) == binname {
+		return resolvedPath, nil
+	}
+	return "", fmt.Errorf("Binary %q does not resolve to a binary of that name in $PATH (%q)", binname, resolvedPath)
+}
+
+func execCmd(cmd, args string) ([]byte, error) {
+	execCmd := exec.Command(cmd, strings.Split(args, " ")...)
+	return execCmd.CombinedOutput()
+}
diff --git a/engine/pkg/ioutils/buffer.go b/engine/pkg/ioutils/buffer.go
new file mode 100644
index 00000000..466f7929
--- /dev/null
+++ b/engine/pkg/ioutils/buffer.go
@@ -0,0 +1,51 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"errors"
+	"io"
+)
+
+var errBufferFull = errors.New("buffer is full")
+
+type fixedBuffer struct {
+	buf      []byte
+	pos      int
+	lastRead int
+}
+
+func (b *fixedBuffer) Write(p []byte) (int, error) {
+	n := copy(b.buf[b.pos:cap(b.buf)], p)
+	b.pos += n
+
+	if n < len(p) {
+		if b.pos == cap(b.buf) {
+			return n, errBufferFull
+		}
+		return n, io.ErrShortWrite
+	}
+	return n, nil
+}
+
+func (b *fixedBuffer) Read(p []byte) (int, error) {
+	n := copy(p, b.buf[b.lastRead:b.pos])
+	b.lastRead += n
+	return n, nil
+}
+
+func (b *fixedBuffer) Len() int {
+	return b.pos - b.lastRead
+}
+
+func (b *fixedBuffer) Cap() int {
+	return cap(b.buf)
+}
+
+func (b *fixedBuffer) Reset() {
+	b.pos = 0
+	b.lastRead = 0
+	b.buf = b.buf[:0]
+}
+
+func (b *fixedBuffer) String() string {
+	return string(b.buf[b.lastRead:b.pos])
+}
diff --git a/engine/pkg/ioutils/buffer_test.go b/engine/pkg/ioutils/buffer_test.go
new file mode 100644
index 00000000..b8887bfd
--- /dev/null
+++ b/engine/pkg/ioutils/buffer_test.go
@@ -0,0 +1,153 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"bytes"
+	"testing"
+)
+
+func TestFixedBufferCap(t *testing.T) {
+	buf := &fixedBuffer{buf: make([]byte, 0, 5)}
+
+	n := buf.Cap()
+	if n != 5 {
+		t.Fatalf("expected buffer capacity to be 5 bytes, got %d", n)
+	}
+}
+
+func TestFixedBufferLen(t *testing.T) {
+	buf := &fixedBuffer{buf: make([]byte, 0, 10)}
+
+	buf.Write([]byte("hello"))
+	l := buf.Len()
+	if l != 5 {
+		t.Fatalf("expected buffer length to be 5 bytes, got %d", l)
+	}
+
+	buf.Write([]byte("world"))
+	l = buf.Len()
+	if l != 10 {
+		t.Fatalf("expected buffer length to be 10 bytes, got %d", l)
+	}
+
+	// read 5 bytes
+	b := make([]byte, 5)
+	buf.Read(b)
+
+	l = buf.Len()
+	if l != 5 {
+		t.Fatalf("expected buffer length to be 5 bytes, got %d", l)
+	}
+
+	n, err := buf.Write([]byte("i-wont-fit"))
+	if n != 0 {
+		t.Fatalf("expected no bytes to be written to buffer, got %d", n)
+	}
+	if err != errBufferFull {
+		t.Fatalf("expected errBufferFull, got %v", err)
+	}
+
+	l = buf.Len()
+	if l != 5 {
+		t.Fatalf("expected buffer length to still be 5 bytes, got %d", l)
+	}
+
+	buf.Reset()
+	l = buf.Len()
+	if l != 0 {
+		t.Fatalf("expected buffer length to still be 0 bytes, got %d", l)
+	}
+}
+
+func TestFixedBufferString(t *testing.T) {
+	buf := &fixedBuffer{buf: make([]byte, 0, 10)}
+
+	buf.Write([]byte("hello"))
+	buf.Write([]byte("world"))
+
+	out := buf.String()
+	if out != "helloworld" {
+		t.Fatalf("expected output to be \"helloworld\", got %q", out)
+	}
+
+	// read 5 bytes
+	b := make([]byte, 5)
+	buf.Read(b)
+
+	// test that fixedBuffer.String() only returns the part that hasn't been read
+	out = buf.String()
+	if out != "world" {
+		t.Fatalf("expected output to be \"world\", got %q", out)
+	}
+}
+
+func TestFixedBufferWrite(t *testing.T) {
+	buf := &fixedBuffer{buf: make([]byte, 0, 64)}
+	n, err := buf.Write([]byte("hello"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if n != 5 {
+		t.Fatalf("expected 5 bytes written, got %d", n)
+	}
+
+	if string(buf.buf[:5]) != "hello" {
+		t.Fatalf("expected \"hello\", got %q", string(buf.buf[:5]))
+	}
+
+	n, err = buf.Write(bytes.Repeat([]byte{1}, 64))
+	if n != 59 {
+		t.Fatalf("expected 59 bytes written before buffer is full, got %d", n)
+	}
+	if err != errBufferFull {
+		t.Fatalf("expected errBufferFull, got %v - %v", err, buf.buf[:64])
+	}
+}
+
+func TestFixedBufferRead(t *testing.T) {
+	buf := &fixedBuffer{buf: make([]byte, 0, 64)}
+	if _, err := buf.Write([]byte("hello world")); err != nil {
+		t.Fatal(err)
+	}
+
+	b := make([]byte, 5)
+	n, err := buf.Read(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if n != 5 {
+		t.Fatalf("expected 5 bytes read, got %d - %s", n, buf.String())
+	}
+
+	if string(b) != "hello" {
+		t.Fatalf("expected \"hello\", got %q", string(b))
+	}
+
+	n, err = buf.Read(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if n != 5 {
+		t.Fatalf("expected 5 bytes read, got %d", n)
+	}
+
+	if string(b) != " worl" {
+		t.Fatalf("expected \" worl\", got %s", string(b))
+	}
+
+	b = b[:1]
+	n, err = buf.Read(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if n != 1 {
+		t.Fatalf("expected 1 byte read, got %d - %s", n, buf.String())
+	}
+
+	if string(b) != "d" {
+		t.Fatalf("expected \"d\", got %s", string(b))
+	}
+}
diff --git a/engine/pkg/ioutils/bytespipe.go b/engine/pkg/ioutils/bytespipe.go
new file mode 100644
index 00000000..d4bbf3c9
--- /dev/null
+++ b/engine/pkg/ioutils/bytespipe.go
@@ -0,0 +1,186 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"errors"
+	"io"
+	"sync"
+)
+
+// maxCap is the highest capacity to use in byte slices that buffer data.
+const maxCap = 1e6
+
+// minCap is the lowest capacity to use in byte slices that buffer data
+const minCap = 64
+
+// blockThreshold is the minimum number of bytes in the buffer which will cause
+// a write to BytesPipe to block when allocating a new slice.
+const blockThreshold = 1e6
+
+var (
+	// ErrClosed is returned when Write is called on a closed BytesPipe.
+	ErrClosed = errors.New("write to closed BytesPipe")
+
+	bufPools     = make(map[int]*sync.Pool)
+	bufPoolsLock sync.Mutex
+)
+
+// BytesPipe is io.ReadWriteCloser which works similarly to pipe(queue).
+// All written data may be read at most once. Also, BytesPipe allocates
+// and releases new byte slices to adjust to current needs, so the buffer
+// won't be overgrown after peak loads.
+type BytesPipe struct {
+	mu       sync.Mutex
+	wait     *sync.Cond
+	buf      []*fixedBuffer
+	bufLen   int
+	closeErr error // error to return from next Read. set to nil if not closed.
+}
+
+// NewBytesPipe creates new BytesPipe, initialized by specified slice.
+// If buf is nil, then it will be initialized with slice which cap is 64.
+// buf will be adjusted in a way that len(buf) == 0, cap(buf) == cap(buf).
+func NewBytesPipe() *BytesPipe {
+	bp := &BytesPipe{}
+	bp.buf = append(bp.buf, getBuffer(minCap))
+	bp.wait = sync.NewCond(&bp.mu)
+	return bp
+}
+
+// Write writes p to BytesPipe.
+// It can allocate new []byte slices in a process of writing.
+func (bp *BytesPipe) Write(p []byte) (int, error) {
+	bp.mu.Lock()
+
+	written := 0
+loop0:
+	for {
+		if bp.closeErr != nil {
+			bp.mu.Unlock()
+			return written, ErrClosed
+		}
+
+		if len(bp.buf) == 0 {
+			bp.buf = append(bp.buf, getBuffer(64))
+		}
+		// get the last buffer
+		b := bp.buf[len(bp.buf)-1]
+
+		n, err := b.Write(p)
+		written += n
+		bp.bufLen += n
+
+		// errBufferFull is an error we expect to get if the buffer is full
+		if err != nil && err != errBufferFull {
+			bp.wait.Broadcast()
+			bp.mu.Unlock()
+			return written, err
+		}
+
+		// if there was enough room to write all then break
+		if len(p) == n {
+			break
+		}
+
+		// more data: write to the next slice
+		p = p[n:]
+
+		// make sure the buffer doesn't grow too big from this write
+		for bp.bufLen >= blockThreshold {
+			bp.wait.Wait()
+			if bp.closeErr != nil {
+				continue loop0
+			}
+		}
+
+		// add new byte slice to the buffers slice and continue writing
+		nextCap := b.Cap() * 2
+		if nextCap > maxCap {
+			nextCap = maxCap
+		}
+		bp.buf = append(bp.buf, getBuffer(nextCap))
+	}
+	bp.wait.Broadcast()
+	bp.mu.Unlock()
+	return written, nil
+}
+
+// CloseWithError causes further reads from a BytesPipe to return immediately.
+func (bp *BytesPipe) CloseWithError(err error) error {
+	bp.mu.Lock()
+	if err != nil {
+		bp.closeErr = err
+	} else {
+		bp.closeErr = io.EOF
+	}
+	bp.wait.Broadcast()
+	bp.mu.Unlock()
+	return nil
+}
+
+// Close causes further reads from a BytesPipe to return immediately.
+func (bp *BytesPipe) Close() error {
+	return bp.CloseWithError(nil)
+}
+
+// Read reads bytes from BytesPipe.
+// Data could be read only once.
+func (bp *BytesPipe) Read(p []byte) (n int, err error) {
+	bp.mu.Lock()
+	if bp.bufLen == 0 {
+		if bp.closeErr != nil {
+			bp.mu.Unlock()
+			return 0, bp.closeErr
+		}
+		bp.wait.Wait()
+		if bp.bufLen == 0 && bp.closeErr != nil {
+			err := bp.closeErr
+			bp.mu.Unlock()
+			return 0, err
+		}
+	}
+
+	for bp.bufLen > 0 {
+		b := bp.buf[0]
+		read, _ := b.Read(p) // ignore error since fixedBuffer doesn't really return an error
+		n += read
+		bp.bufLen -= read
+
+		if b.Len() == 0 {
+			// it's empty so return it to the pool and move to the next one
+			returnBuffer(b)
+			bp.buf[0] = nil
+			bp.buf = bp.buf[1:]
+		}
+
+		if len(p) == read {
+			break
+		}
+
+		p = p[read:]
+	}
+
+	bp.wait.Broadcast()
+	bp.mu.Unlock()
+	return
+}
+
+func returnBuffer(b *fixedBuffer) {
+	b.Reset()
+	bufPoolsLock.Lock()
+	pool := bufPools[b.Cap()]
+	bufPoolsLock.Unlock()
+	if pool != nil {
+		pool.Put(b)
+	}
+}
+
+func getBuffer(size int) *fixedBuffer {
+	bufPoolsLock.Lock()
+	pool, ok := bufPools[size]
+	if !ok {
+		pool = &sync.Pool{New: func() interface{} { return &fixedBuffer{buf: make([]byte, 0, size)} }}
+		bufPools[size] = pool
+	}
+	bufPoolsLock.Unlock()
+	return pool.Get().(*fixedBuffer)
+}
diff --git a/engine/pkg/ioutils/bytespipe_test.go b/engine/pkg/ioutils/bytespipe_test.go
new file mode 100644
index 00000000..9101f20a
--- /dev/null
+++ b/engine/pkg/ioutils/bytespipe_test.go
@@ -0,0 +1,159 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"crypto/sha1"
+	"encoding/hex"
+	"math/rand"
+	"testing"
+	"time"
+)
+
+func TestBytesPipeRead(t *testing.T) {
+	buf := NewBytesPipe()
+	buf.Write([]byte("12"))
+	buf.Write([]byte("34"))
+	buf.Write([]byte("56"))
+	buf.Write([]byte("78"))
+	buf.Write([]byte("90"))
+	rd := make([]byte, 4)
+	n, err := buf.Read(rd)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if n != 4 {
+		t.Fatalf("Wrong number of bytes read: %d, should be %d", n, 4)
+	}
+	if string(rd) != "1234" {
+		t.Fatalf("Read %s, but must be %s", rd, "1234")
+	}
+	n, err = buf.Read(rd)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if n != 4 {
+		t.Fatalf("Wrong number of bytes read: %d, should be %d", n, 4)
+	}
+	if string(rd) != "5678" {
+		t.Fatalf("Read %s, but must be %s", rd, "5679")
+	}
+	n, err = buf.Read(rd)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if n != 2 {
+		t.Fatalf("Wrong number of bytes read: %d, should be %d", n, 2)
+	}
+	if string(rd[:n]) != "90" {
+		t.Fatalf("Read %s, but must be %s", rd, "90")
+	}
+}
+
+func TestBytesPipeWrite(t *testing.T) {
+	buf := NewBytesPipe()
+	buf.Write([]byte("12"))
+	buf.Write([]byte("34"))
+	buf.Write([]byte("56"))
+	buf.Write([]byte("78"))
+	buf.Write([]byte("90"))
+	if buf.buf[0].String() != "1234567890" {
+		t.Fatalf("Buffer %q, must be %q", buf.buf[0].String(), "1234567890")
+	}
+}
+
+// Write and read in different speeds/chunk sizes and check valid data is read.
+func TestBytesPipeWriteRandomChunks(t *testing.T) {
+	cases := []struct{ iterations, writesPerLoop, readsPerLoop int }{
+		{100, 10, 1},
+		{1000, 10, 5},
+		{1000, 100, 0},
+		{1000, 5, 6},
+		{10000, 50, 25},
+	}
+
+	testMessage := []byte("this is a random string for testing")
+	// random slice sizes to read and write
+	writeChunks := []int{25, 35, 15, 20}
+	readChunks := []int{5, 45, 20, 25}
+
+	for _, c := range cases {
+		// first pass: write directly to hash
+		hash := sha1.New()
+		for i := 0; i < c.iterations*c.writesPerLoop; i++ {
+			if _, err := hash.Write(testMessage[:writeChunks[i%len(writeChunks)]]); err != nil {
+				t.Fatal(err)
+			}
+		}
+		expected := hex.EncodeToString(hash.Sum(nil))
+
+		// write/read through buffer
+		buf := NewBytesPipe()
+		hash.Reset()
+
+		done := make(chan struct{})
+
+		go func() {
+			// random delay before read starts
+			<-time.After(time.Duration(rand.Intn(10)) * time.Millisecond)
+			for i := 0; ; i++ {
+				p := make([]byte, readChunks[(c.iterations*c.readsPerLoop+i)%len(readChunks)])
+				n, _ := buf.Read(p)
+				if n == 0 {
+					break
+				}
+				hash.Write(p[:n])
+			}
+
+			close(done)
+		}()
+
+		for i := 0; i < c.iterations; i++ {
+			for w := 0; w < c.writesPerLoop; w++ {
+				buf.Write(testMessage[:writeChunks[(i*c.writesPerLoop+w)%len(writeChunks)]])
+			}
+		}
+		buf.Close()
+		<-done
+
+		actual := hex.EncodeToString(hash.Sum(nil))
+
+		if expected != actual {
+			t.Fatalf("BytesPipe returned invalid data. Expected checksum %v, got %v", expected, actual)
+		}
+
+	}
+}
+
+func BenchmarkBytesPipeWrite(b *testing.B) {
+	testData := []byte("pretty short line, because why not?")
+	for i := 0; i < b.N; i++ {
+		readBuf := make([]byte, 1024)
+		buf := NewBytesPipe()
+		go func() {
+			var err error
+			for err == nil {
+				_, err = buf.Read(readBuf)
+			}
+		}()
+		for j := 0; j < 1000; j++ {
+			buf.Write(testData)
+		}
+		buf.Close()
+	}
+}
+
+func BenchmarkBytesPipeRead(b *testing.B) {
+	rd := make([]byte, 512)
+	for i := 0; i < b.N; i++ {
+		b.StopTimer()
+		buf := NewBytesPipe()
+		for j := 0; j < 500; j++ {
+			buf.Write(make([]byte, 1024))
+		}
+		b.StartTimer()
+		for j := 0; j < 1000; j++ {
+			if n, _ := buf.Read(rd); n != 512 {
+				b.Fatalf("Wrong number of bytes: %d", n)
+			}
+		}
+	}
+}
diff --git a/engine/pkg/ioutils/fswriters.go b/engine/pkg/ioutils/fswriters.go
new file mode 100644
index 00000000..534d66ac
--- /dev/null
+++ b/engine/pkg/ioutils/fswriters.go
@@ -0,0 +1,162 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+// NewAtomicFileWriter returns WriteCloser so that writing to it writes to a
+// temporary file and closing it atomically changes the temporary file to
+// destination path. Writing and closing concurrently is not allowed.
+func NewAtomicFileWriter(filename string, perm os.FileMode) (io.WriteCloser, error) {
+	f, err := ioutil.TempFile(filepath.Dir(filename), ".tmp-"+filepath.Base(filename))
+	if err != nil {
+		return nil, err
+	}
+
+	abspath, err := filepath.Abs(filename)
+	if err != nil {
+		return nil, err
+	}
+	return &atomicFileWriter{
+		f:    f,
+		fn:   abspath,
+		perm: perm,
+	}, nil
+}
+
+// AtomicWriteFile atomically writes data to a file named by filename.
+func AtomicWriteFile(filename string, data []byte, perm os.FileMode) error {
+	f, err := NewAtomicFileWriter(filename, perm)
+	if err != nil {
+		return err
+	}
+	n, err := f.Write(data)
+	if err == nil && n < len(data) {
+		err = io.ErrShortWrite
+		f.(*atomicFileWriter).writeErr = err
+	}
+	if err1 := f.Close(); err == nil {
+		err = err1
+	}
+	return err
+}
+
+type atomicFileWriter struct {
+	f        *os.File
+	fn       string
+	writeErr error
+	perm     os.FileMode
+}
+
+func (w *atomicFileWriter) Write(dt []byte) (int, error) {
+	n, err := w.f.Write(dt)
+	if err != nil {
+		w.writeErr = err
+	}
+	return n, err
+}
+
+func (w *atomicFileWriter) Close() (retErr error) {
+	defer func() {
+		if retErr != nil || w.writeErr != nil {
+			os.Remove(w.f.Name())
+		}
+	}()
+	if err := w.f.Sync(); err != nil {
+		w.f.Close()
+		return err
+	}
+	if err := w.f.Close(); err != nil {
+		return err
+	}
+	if err := os.Chmod(w.f.Name(), w.perm); err != nil {
+		return err
+	}
+	if w.writeErr == nil {
+		return os.Rename(w.f.Name(), w.fn)
+	}
+	return nil
+}
+
+// AtomicWriteSet is used to atomically write a set
+// of files and ensure they are visible at the same time.
+// Must be committed to a new directory.
+type AtomicWriteSet struct {
+	root string
+}
+
+// NewAtomicWriteSet creates a new atomic write set to
+// atomically create a set of files. The given directory
+// is used as the base directory for storing files before
+// commit. If no temporary directory is given the system
+// default is used.
+func NewAtomicWriteSet(tmpDir string) (*AtomicWriteSet, error) {
+	td, err := ioutil.TempDir(tmpDir, "write-set-")
+	if err != nil {
+		return nil, err
+	}
+
+	return &AtomicWriteSet{
+		root: td,
+	}, nil
+}
+
+// WriteFile writes a file to the set, guaranteeing the file
+// has been synced.
+func (ws *AtomicWriteSet) WriteFile(filename string, data []byte, perm os.FileMode) error {
+	f, err := ws.FileWriter(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
+	if err != nil {
+		return err
+	}
+	n, err := f.Write(data)
+	if err == nil && n < len(data) {
+		err = io.ErrShortWrite
+	}
+	if err1 := f.Close(); err == nil {
+		err = err1
+	}
+	return err
+}
+
+type syncFileCloser struct {
+	*os.File
+}
+
+func (w syncFileCloser) Close() error {
+	err := w.File.Sync()
+	if err1 := w.File.Close(); err == nil {
+		err = err1
+	}
+	return err
+}
+
+// FileWriter opens a file writer inside the set. The file
+// should be synced and closed before calling commit.
+func (ws *AtomicWriteSet) FileWriter(name string, flag int, perm os.FileMode) (io.WriteCloser, error) {
+	f, err := os.OpenFile(filepath.Join(ws.root, name), flag, perm)
+	if err != nil {
+		return nil, err
+	}
+	return syncFileCloser{f}, nil
+}
+
+// Cancel cancels the set and removes all temporary data
+// created in the set.
+func (ws *AtomicWriteSet) Cancel() error {
+	return os.RemoveAll(ws.root)
+}
+
+// Commit moves all created files to the target directory. The
+// target directory must not exist and the parent of the target
+// directory must exist.
+func (ws *AtomicWriteSet) Commit(target string) error {
+	return os.Rename(ws.root, target)
+}
+
+// String returns the location the set is writing to.
+func (ws *AtomicWriteSet) String() string {
+	return ws.root
+}
diff --git a/engine/pkg/ioutils/fswriters_test.go b/engine/pkg/ioutils/fswriters_test.go
new file mode 100644
index 00000000..b283045d
--- /dev/null
+++ b/engine/pkg/ioutils/fswriters_test.go
@@ -0,0 +1,132 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+)
+
+var (
+	testMode os.FileMode = 0640
+)
+
+func init() {
+	// Windows does not support full Linux file mode
+	if runtime.GOOS == "windows" {
+		testMode = 0666
+	}
+}
+
+func TestAtomicWriteToFile(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "atomic-writers-test")
+	if err != nil {
+		t.Fatalf("Error when creating temporary directory: %s", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	expected := []byte("barbaz")
+	if err := AtomicWriteFile(filepath.Join(tmpDir, "foo"), expected, testMode); err != nil {
+		t.Fatalf("Error writing to file: %v", err)
+	}
+
+	actual, err := ioutil.ReadFile(filepath.Join(tmpDir, "foo"))
+	if err != nil {
+		t.Fatalf("Error reading from file: %v", err)
+	}
+
+	if !bytes.Equal(actual, expected) {
+		t.Fatalf("Data mismatch, expected %q, got %q", expected, actual)
+	}
+
+	st, err := os.Stat(filepath.Join(tmpDir, "foo"))
+	if err != nil {
+		t.Fatalf("Error statting file: %v", err)
+	}
+	if expected := os.FileMode(testMode); st.Mode() != expected {
+		t.Fatalf("Mode mismatched, expected %o, got %o", expected, st.Mode())
+	}
+}
+
+func TestAtomicWriteSetCommit(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "atomic-writerset-test")
+	if err != nil {
+		t.Fatalf("Error when creating temporary directory: %s", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	if err := os.Mkdir(filepath.Join(tmpDir, "tmp"), 0700); err != nil {
+		t.Fatalf("Error creating tmp directory: %s", err)
+	}
+
+	targetDir := filepath.Join(tmpDir, "target")
+	ws, err := NewAtomicWriteSet(filepath.Join(tmpDir, "tmp"))
+	if err != nil {
+		t.Fatalf("Error creating atomic write set: %s", err)
+	}
+
+	expected := []byte("barbaz")
+	if err := ws.WriteFile("foo", expected, testMode); err != nil {
+		t.Fatalf("Error writing to file: %v", err)
+	}
+
+	if _, err := ioutil.ReadFile(filepath.Join(targetDir, "foo")); err == nil {
+		t.Fatalf("Expected error reading file where should not exist")
+	}
+
+	if err := ws.Commit(targetDir); err != nil {
+		t.Fatalf("Error committing file: %s", err)
+	}
+
+	actual, err := ioutil.ReadFile(filepath.Join(targetDir, "foo"))
+	if err != nil {
+		t.Fatalf("Error reading from file: %v", err)
+	}
+
+	if !bytes.Equal(actual, expected) {
+		t.Fatalf("Data mismatch, expected %q, got %q", expected, actual)
+	}
+
+	st, err := os.Stat(filepath.Join(targetDir, "foo"))
+	if err != nil {
+		t.Fatalf("Error statting file: %v", err)
+	}
+	if expected := os.FileMode(testMode); st.Mode() != expected {
+		t.Fatalf("Mode mismatched, expected %o, got %o", expected, st.Mode())
+	}
+
+}
+
+func TestAtomicWriteSetCancel(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "atomic-writerset-test")
+	if err != nil {
+		t.Fatalf("Error when creating temporary directory: %s", err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	if err := os.Mkdir(filepath.Join(tmpDir, "tmp"), 0700); err != nil {
+		t.Fatalf("Error creating tmp directory: %s", err)
+	}
+
+	ws, err := NewAtomicWriteSet(filepath.Join(tmpDir, "tmp"))
+	if err != nil {
+		t.Fatalf("Error creating atomic write set: %s", err)
+	}
+
+	expected := []byte("barbaz")
+	if err := ws.WriteFile("foo", expected, testMode); err != nil {
+		t.Fatalf("Error writing to file: %v", err)
+	}
+
+	if err := ws.Cancel(); err != nil {
+		t.Fatalf("Error committing file: %s", err)
+	}
+
+	if _, err := ioutil.ReadFile(filepath.Join(tmpDir, "target", "foo")); err == nil {
+		t.Fatalf("Expected error reading file where should not exist")
+	} else if !os.IsNotExist(err) {
+		t.Fatalf("Unexpected error reading file: %s", err)
+	}
+}
diff --git a/engine/pkg/ioutils/readers.go b/engine/pkg/ioutils/readers.go
new file mode 100644
index 00000000..1f657bd3
--- /dev/null
+++ b/engine/pkg/ioutils/readers.go
@@ -0,0 +1,157 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"io"
+)
+
+// ReadCloserWrapper wraps an io.Reader, and implements an io.ReadCloser
+// It calls the given callback function when closed. It should be constructed
+// with NewReadCloserWrapper
+type ReadCloserWrapper struct {
+	io.Reader
+	closer func() error
+}
+
+// Close calls back the passed closer function
+func (r *ReadCloserWrapper) Close() error {
+	return r.closer()
+}
+
+// NewReadCloserWrapper returns a new io.ReadCloser.
+func NewReadCloserWrapper(r io.Reader, closer func() error) io.ReadCloser {
+	return &ReadCloserWrapper{
+		Reader: r,
+		closer: closer,
+	}
+}
+
+type readerErrWrapper struct {
+	reader io.Reader
+	closer func()
+}
+
+func (r *readerErrWrapper) Read(p []byte) (int, error) {
+	n, err := r.reader.Read(p)
+	if err != nil {
+		r.closer()
+	}
+	return n, err
+}
+
+// NewReaderErrWrapper returns a new io.Reader.
+func NewReaderErrWrapper(r io.Reader, closer func()) io.Reader {
+	return &readerErrWrapper{
+		reader: r,
+		closer: closer,
+	}
+}
+
+// HashData returns the sha256 sum of src.
+func HashData(src io.Reader) (string, error) {
+	h := sha256.New()
+	if _, err := io.Copy(h, src); err != nil {
+		return "", err
+	}
+	return "sha256:" + hex.EncodeToString(h.Sum(nil)), nil
+}
+
+// OnEOFReader wraps an io.ReadCloser and a function
+// the function will run at the end of file or close the file.
+type OnEOFReader struct {
+	Rc io.ReadCloser
+	Fn func()
+}
+
+func (r *OnEOFReader) Read(p []byte) (n int, err error) {
+	n, err = r.Rc.Read(p)
+	if err == io.EOF {
+		r.runFunc()
+	}
+	return
+}
+
+// Close closes the file and run the function.
+func (r *OnEOFReader) Close() error {
+	err := r.Rc.Close()
+	r.runFunc()
+	return err
+}
+
+func (r *OnEOFReader) runFunc() {
+	if fn := r.Fn; fn != nil {
+		fn()
+		r.Fn = nil
+	}
+}
+
+// cancelReadCloser wraps an io.ReadCloser with a context for cancelling read
+// operations.
+type cancelReadCloser struct {
+	cancel func()
+	pR     *io.PipeReader // Stream to read from
+	pW     *io.PipeWriter
+}
+
+// NewCancelReadCloser creates a wrapper that closes the ReadCloser when the
+// context is cancelled. The returned io.ReadCloser must be closed when it is
+// no longer needed.
+func NewCancelReadCloser(ctx context.Context, in io.ReadCloser) io.ReadCloser {
+	pR, pW := io.Pipe()
+
+	// Create a context used to signal when the pipe is closed
+	doneCtx, cancel := context.WithCancel(context.Background())
+
+	p := &cancelReadCloser{
+		cancel: cancel,
+		pR:     pR,
+		pW:     pW,
+	}
+
+	go func() {
+		_, err := io.Copy(pW, in)
+		select {
+		case <-ctx.Done():
+			// If the context was closed, p.closeWithError
+			// was already called. Calling it again would
+			// change the error that Read returns.
+		default:
+			p.closeWithError(err)
+		}
+		in.Close()
+	}()
+	go func() {
+		for {
+			select {
+			case <-ctx.Done():
+				p.closeWithError(ctx.Err())
+			case <-doneCtx.Done():
+				return
+			}
+		}
+	}()
+
+	return p
+}
+
+// Read wraps the Read method of the pipe that provides data from the wrapped
+// ReadCloser.
+func (p *cancelReadCloser) Read(buf []byte) (n int, err error) {
+	return p.pR.Read(buf)
+}
+
+// closeWithError closes the wrapper and its underlying reader. It will
+// cause future calls to Read to return err.
+func (p *cancelReadCloser) closeWithError(err error) {
+	p.pW.CloseWithError(err)
+	p.cancel()
+}
+
+// Close closes the wrapper its underlying reader. It will cause
+// future calls to Read to return io.EOF.
+func (p *cancelReadCloser) Close() error {
+	p.closeWithError(io.EOF)
+	return nil
+}
diff --git a/engine/pkg/ioutils/readers_test.go b/engine/pkg/ioutils/readers_test.go
new file mode 100644
index 00000000..e645c78d
--- /dev/null
+++ b/engine/pkg/ioutils/readers_test.go
@@ -0,0 +1,95 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"strings"
+	"testing"
+	"time"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+// Implement io.Reader
+type errorReader struct{}
+
+func (r *errorReader) Read(p []byte) (int, error) {
+	return 0, fmt.Errorf("error reader always fail")
+}
+
+func TestReadCloserWrapperClose(t *testing.T) {
+	reader := strings.NewReader("A string reader")
+	wrapper := NewReadCloserWrapper(reader, func() error {
+		return fmt.Errorf("This will be called when closing")
+	})
+	err := wrapper.Close()
+	if err == nil || !strings.Contains(err.Error(), "This will be called when closing") {
+		t.Fatalf("readCloserWrapper should have call the anonymous func and thus, fail.")
+	}
+}
+
+func TestReaderErrWrapperReadOnError(t *testing.T) {
+	called := false
+	reader := &errorReader{}
+	wrapper := NewReaderErrWrapper(reader, func() {
+		called = true
+	})
+	_, err := wrapper.Read([]byte{})
+	assert.Check(t, is.Error(err, "error reader always fail"))
+	if !called {
+		t.Fatalf("readErrWrapper should have call the anonymous function on failure")
+	}
+}
+
+func TestReaderErrWrapperRead(t *testing.T) {
+	reader := strings.NewReader("a string reader.")
+	wrapper := NewReaderErrWrapper(reader, func() {
+		t.Fatalf("readErrWrapper should not have called the anonymous function")
+	})
+	// Read 20 byte (should be ok with the string above)
+	num, err := wrapper.Read(make([]byte, 20))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if num != 16 {
+		t.Fatalf("readerErrWrapper should have read 16 byte, but read %d", num)
+	}
+}
+
+func TestHashData(t *testing.T) {
+	reader := strings.NewReader("hash-me")
+	actual, err := HashData(reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expected := "sha256:4d11186aed035cc624d553e10db358492c84a7cd6b9670d92123c144930450aa"
+	if actual != expected {
+		t.Fatalf("Expecting %s, got %s", expected, actual)
+	}
+}
+
+type perpetualReader struct{}
+
+func (p *perpetualReader) Read(buf []byte) (n int, err error) {
+	for i := 0; i != len(buf); i++ {
+		buf[i] = 'a'
+	}
+	return len(buf), nil
+}
+
+func TestCancelReadCloser(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+	defer cancel()
+	cancelReadCloser := NewCancelReadCloser(ctx, ioutil.NopCloser(&perpetualReader{}))
+	for {
+		var buf [128]byte
+		_, err := cancelReadCloser.Read(buf[:])
+		if err == context.DeadlineExceeded {
+			break
+		} else if err != nil {
+			t.Fatalf("got unexpected error: %v", err)
+		}
+	}
+}
diff --git a/engine/pkg/ioutils/temp_unix.go b/engine/pkg/ioutils/temp_unix.go
new file mode 100644
index 00000000..dc894f91
--- /dev/null
+++ b/engine/pkg/ioutils/temp_unix.go
@@ -0,0 +1,10 @@
+// +build !windows
+
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import "io/ioutil"
+
+// TempDir on Unix systems is equivalent to ioutil.TempDir.
+func TempDir(dir, prefix string) (string, error) {
+	return ioutil.TempDir(dir, prefix)
+}
diff --git a/engine/pkg/ioutils/temp_windows.go b/engine/pkg/ioutils/temp_windows.go
new file mode 100644
index 00000000..ecaba2e3
--- /dev/null
+++ b/engine/pkg/ioutils/temp_windows.go
@@ -0,0 +1,16 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"io/ioutil"
+
+	"github.com/docker/docker/pkg/longpath"
+)
+
+// TempDir is the equivalent of ioutil.TempDir, except that the result is in Windows longpath format.
+func TempDir(dir, prefix string) (string, error) {
+	tempDir, err := ioutil.TempDir(dir, prefix)
+	if err != nil {
+		return "", err
+	}
+	return longpath.AddPrefix(tempDir), nil
+}
diff --git a/engine/pkg/ioutils/writeflusher.go b/engine/pkg/ioutils/writeflusher.go
new file mode 100644
index 00000000..91b8d182
--- /dev/null
+++ b/engine/pkg/ioutils/writeflusher.go
@@ -0,0 +1,92 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"io"
+	"sync"
+)
+
+// WriteFlusher wraps the Write and Flush operation ensuring that every write
+// is a flush. In addition, the Close method can be called to intercept
+// Read/Write calls if the targets lifecycle has already ended.
+type WriteFlusher struct {
+	w           io.Writer
+	flusher     flusher
+	flushed     chan struct{}
+	flushedOnce sync.Once
+	closed      chan struct{}
+	closeLock   sync.Mutex
+}
+
+type flusher interface {
+	Flush()
+}
+
+var errWriteFlusherClosed = io.EOF
+
+func (wf *WriteFlusher) Write(b []byte) (n int, err error) {
+	select {
+	case <-wf.closed:
+		return 0, errWriteFlusherClosed
+	default:
+	}
+
+	n, err = wf.w.Write(b)
+	wf.Flush() // every write is a flush.
+	return n, err
+}
+
+// Flush the stream immediately.
+func (wf *WriteFlusher) Flush() {
+	select {
+	case <-wf.closed:
+		return
+	default:
+	}
+
+	wf.flushedOnce.Do(func() {
+		close(wf.flushed)
+	})
+	wf.flusher.Flush()
+}
+
+// Flushed returns the state of flushed.
+// If it's flushed, return true, or else it return false.
+func (wf *WriteFlusher) Flushed() bool {
+	// BUG(stevvooe): Remove this method. Its use is inherently racy. Seems to
+	// be used to detect whether or a response code has been issued or not.
+	// Another hook should be used instead.
+	var flushed bool
+	select {
+	case <-wf.flushed:
+		flushed = true
+	default:
+	}
+	return flushed
+}
+
+// Close closes the write flusher, disallowing any further writes to the
+// target. After the flusher is closed, all calls to write or flush will
+// result in an error.
+func (wf *WriteFlusher) Close() error {
+	wf.closeLock.Lock()
+	defer wf.closeLock.Unlock()
+
+	select {
+	case <-wf.closed:
+		return errWriteFlusherClosed
+	default:
+		close(wf.closed)
+	}
+	return nil
+}
+
+// NewWriteFlusher returns a new WriteFlusher.
+func NewWriteFlusher(w io.Writer) *WriteFlusher {
+	var fl flusher
+	if f, ok := w.(flusher); ok {
+		fl = f
+	} else {
+		fl = &NopFlusher{}
+	}
+	return &WriteFlusher{w: w, flusher: fl, closed: make(chan struct{}), flushed: make(chan struct{})}
+}
diff --git a/engine/pkg/ioutils/writers.go b/engine/pkg/ioutils/writers.go
new file mode 100644
index 00000000..61c67949
--- /dev/null
+++ b/engine/pkg/ioutils/writers.go
@@ -0,0 +1,66 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import "io"
+
+// NopWriter represents a type which write operation is nop.
+type NopWriter struct{}
+
+func (*NopWriter) Write(buf []byte) (int, error) {
+	return len(buf), nil
+}
+
+type nopWriteCloser struct {
+	io.Writer
+}
+
+func (w *nopWriteCloser) Close() error { return nil }
+
+// NopWriteCloser returns a nopWriteCloser.
+func NopWriteCloser(w io.Writer) io.WriteCloser {
+	return &nopWriteCloser{w}
+}
+
+// NopFlusher represents a type which flush operation is nop.
+type NopFlusher struct{}
+
+// Flush is a nop operation.
+func (f *NopFlusher) Flush() {}
+
+type writeCloserWrapper struct {
+	io.Writer
+	closer func() error
+}
+
+func (r *writeCloserWrapper) Close() error {
+	return r.closer()
+}
+
+// NewWriteCloserWrapper returns a new io.WriteCloser.
+func NewWriteCloserWrapper(r io.Writer, closer func() error) io.WriteCloser {
+	return &writeCloserWrapper{
+		Writer: r,
+		closer: closer,
+	}
+}
+
+// WriteCounter wraps a concrete io.Writer and hold a count of the number
+// of bytes written to the writer during a "session".
+// This can be convenient when write return is masked
+// (e.g., json.Encoder.Encode())
+type WriteCounter struct {
+	Count  int64
+	Writer io.Writer
+}
+
+// NewWriteCounter returns a new WriteCounter.
+func NewWriteCounter(w io.Writer) *WriteCounter {
+	return &WriteCounter{
+		Writer: w,
+	}
+}
+
+func (wc *WriteCounter) Write(p []byte) (count int, err error) {
+	count, err = wc.Writer.Write(p)
+	wc.Count += int64(count)
+	return
+}
diff --git a/engine/pkg/ioutils/writers_test.go b/engine/pkg/ioutils/writers_test.go
new file mode 100644
index 00000000..94d446f9
--- /dev/null
+++ b/engine/pkg/ioutils/writers_test.go
@@ -0,0 +1,65 @@
+package ioutils // import "github.com/docker/docker/pkg/ioutils"
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+)
+
+func TestWriteCloserWrapperClose(t *testing.T) {
+	called := false
+	writer := bytes.NewBuffer([]byte{})
+	wrapper := NewWriteCloserWrapper(writer, func() error {
+		called = true
+		return nil
+	})
+	if err := wrapper.Close(); err != nil {
+		t.Fatal(err)
+	}
+	if !called {
+		t.Fatalf("writeCloserWrapper should have call the anonymous function.")
+	}
+}
+
+func TestNopWriteCloser(t *testing.T) {
+	writer := bytes.NewBuffer([]byte{})
+	wrapper := NopWriteCloser(writer)
+	if err := wrapper.Close(); err != nil {
+		t.Fatal("NopWriteCloser always return nil on Close.")
+	}
+
+}
+
+func TestNopWriter(t *testing.T) {
+	nw := &NopWriter{}
+	l, err := nw.Write([]byte{'c'})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if l != 1 {
+		t.Fatalf("Expected 1 got %d", l)
+	}
+}
+
+func TestWriteCounter(t *testing.T) {
+	dummy1 := "This is a dummy string."
+	dummy2 := "This is another dummy string."
+	totalLength := int64(len(dummy1) + len(dummy2))
+
+	reader1 := strings.NewReader(dummy1)
+	reader2 := strings.NewReader(dummy2)
+
+	var buffer bytes.Buffer
+	wc := NewWriteCounter(&buffer)
+
+	reader1.WriteTo(wc)
+	reader2.WriteTo(wc)
+
+	if wc.Count != totalLength {
+		t.Errorf("Wrong count: %d vs. %d", wc.Count, totalLength)
+	}
+
+	if buffer.String() != dummy1+dummy2 {
+		t.Error("Wrong message written")
+	}
+}
diff --git a/engine/pkg/jsonmessage/jsonmessage.go b/engine/pkg/jsonmessage/jsonmessage.go
new file mode 100644
index 00000000..dd95f367
--- /dev/null
+++ b/engine/pkg/jsonmessage/jsonmessage.go
@@ -0,0 +1,335 @@
+package jsonmessage // import "github.com/docker/docker/pkg/jsonmessage"
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/Nvveen/Gotty"
+	"github.com/docker/docker/pkg/term"
+	"github.com/docker/go-units"
+)
+
+// RFC3339NanoFixed is time.RFC3339Nano with nanoseconds padded using zeros to
+// ensure the formatted time isalways the same number of characters.
+const RFC3339NanoFixed = "2006-01-02T15:04:05.000000000Z07:00"
+
+// JSONError wraps a concrete Code and Message, `Code` is
+// is an integer error code, `Message` is the error message.
+type JSONError struct {
+	Code    int    `json:"code,omitempty"`
+	Message string `json:"message,omitempty"`
+}
+
+func (e *JSONError) Error() string {
+	return e.Message
+}
+
+// JSONProgress describes a Progress. terminalFd is the fd of the current terminal,
+// Start is the initial value for the operation. Current is the current status and
+// value of the progress made towards Total. Total is the end value describing when
+// we made 100% progress for an operation.
+type JSONProgress struct {
+	terminalFd uintptr
+	Current    int64 `json:"current,omitempty"`
+	Total      int64 `json:"total,omitempty"`
+	Start      int64 `json:"start,omitempty"`
+	// If true, don't show xB/yB
+	HideCounts bool   `json:"hidecounts,omitempty"`
+	Units      string `json:"units,omitempty"`
+	nowFunc    func() time.Time
+	winSize    int
+}
+
+func (p *JSONProgress) String() string {
+	var (
+		width       = p.width()
+		pbBox       string
+		numbersBox  string
+		timeLeftBox string
+	)
+	if p.Current <= 0 && p.Total <= 0 {
+		return ""
+	}
+	if p.Total <= 0 {
+		switch p.Units {
+		case "":
+			current := units.HumanSize(float64(p.Current))
+			return fmt.Sprintf("%8v", current)
+		default:
+			return fmt.Sprintf("%d %s", p.Current, p.Units)
+		}
+	}
+
+	percentage := int(float64(p.Current)/float64(p.Total)*100) / 2
+	if percentage > 50 {
+		percentage = 50
+	}
+	if width > 110 {
+		// this number can't be negative gh#7136
+		numSpaces := 0
+		if 50-percentage > 0 {
+			numSpaces = 50 - percentage
+		}
+		pbBox = fmt.Sprintf("[%s>%s] ", strings.Repeat("=", percentage), strings.Repeat(" ", numSpaces))
+	}
+
+	switch {
+	case p.HideCounts:
+	case p.Units == "": // no units, use bytes
+		current := units.HumanSize(float64(p.Current))
+		total := units.HumanSize(float64(p.Total))
+
+		numbersBox = fmt.Sprintf("%8v/%v", current, total)
+
+		if p.Current > p.Total {
+			// remove total display if the reported current is wonky.
+			numbersBox = fmt.Sprintf("%8v", current)
+		}
+	default:
+		numbersBox = fmt.Sprintf("%d/%d %s", p.Current, p.Total, p.Units)
+
+		if p.Current > p.Total {
+			// remove total display if the reported current is wonky.
+			numbersBox = fmt.Sprintf("%d %s", p.Current, p.Units)
+		}
+	}
+
+	if p.Current > 0 && p.Start > 0 && percentage < 50 {
+		fromStart := p.now().Sub(time.Unix(p.Start, 0))
+		perEntry := fromStart / time.Duration(p.Current)
+		left := time.Duration(p.Total-p.Current) * perEntry
+		left = (left / time.Second) * time.Second
+
+		if width > 50 {
+			timeLeftBox = " " + left.String()
+		}
+	}
+	return pbBox + numbersBox + timeLeftBox
+}
+
+// shim for testing
+func (p *JSONProgress) now() time.Time {
+	if p.nowFunc == nil {
+		p.nowFunc = func() time.Time {
+			return time.Now().UTC()
+		}
+	}
+	return p.nowFunc()
+}
+
+// shim for testing
+func (p *JSONProgress) width() int {
+	if p.winSize != 0 {
+		return p.winSize
+	}
+	ws, err := term.GetWinsize(p.terminalFd)
+	if err == nil {
+		return int(ws.Width)
+	}
+	return 200
+}
+
+// JSONMessage defines a message struct. It describes
+// the created time, where it from, status, ID of the
+// message. It's used for docker events.
+type JSONMessage struct {
+	Stream          string        `json:"stream,omitempty"`
+	Status          string        `json:"status,omitempty"`
+	Progress        *JSONProgress `json:"progressDetail,omitempty"`
+	ProgressMessage string        `json:"progress,omitempty"` //deprecated
+	ID              string        `json:"id,omitempty"`
+	From            string        `json:"from,omitempty"`
+	Time            int64         `json:"time,omitempty"`
+	TimeNano        int64         `json:"timeNano,omitempty"`
+	Error           *JSONError    `json:"errorDetail,omitempty"`
+	ErrorMessage    string        `json:"error,omitempty"` //deprecated
+	// Aux contains out-of-band data, such as digests for push signing and image id after building.
+	Aux *json.RawMessage `json:"aux,omitempty"`
+}
+
+/* Satisfied by gotty.TermInfo as well as noTermInfo from below */
+type termInfo interface {
+	Parse(attr string, params ...interface{}) (string, error)
+}
+
+type noTermInfo struct{} // canary used when no terminfo.
+
+func (ti *noTermInfo) Parse(attr string, params ...interface{}) (string, error) {
+	return "", fmt.Errorf("noTermInfo")
+}
+
+func clearLine(out io.Writer, ti termInfo) {
+	// el2 (clear whole line) is not exposed by terminfo.
+
+	// First clear line from beginning to cursor
+	if attr, err := ti.Parse("el1"); err == nil {
+		fmt.Fprintf(out, "%s", attr)
+	} else {
+		fmt.Fprintf(out, "\x1b[1K")
+	}
+	// Then clear line from cursor to end
+	if attr, err := ti.Parse("el"); err == nil {
+		fmt.Fprintf(out, "%s", attr)
+	} else {
+		fmt.Fprintf(out, "\x1b[K")
+	}
+}
+
+func cursorUp(out io.Writer, ti termInfo, l int) {
+	if l == 0 { // Should never be the case, but be tolerant
+		return
+	}
+	if attr, err := ti.Parse("cuu", l); err == nil {
+		fmt.Fprintf(out, "%s", attr)
+	} else {
+		fmt.Fprintf(out, "\x1b[%dA", l)
+	}
+}
+
+func cursorDown(out io.Writer, ti termInfo, l int) {
+	if l == 0 { // Should never be the case, but be tolerant
+		return
+	}
+	if attr, err := ti.Parse("cud", l); err == nil {
+		fmt.Fprintf(out, "%s", attr)
+	} else {
+		fmt.Fprintf(out, "\x1b[%dB", l)
+	}
+}
+
+// Display displays the JSONMessage to `out`. `termInfo` is non-nil if `out`
+// is a terminal. If this is the case, it will erase the entire current line
+// when displaying the progressbar.
+func (jm *JSONMessage) Display(out io.Writer, termInfo termInfo) error {
+	if jm.Error != nil {
+		if jm.Error.Code == 401 {
+			return fmt.Errorf("authentication is required")
+		}
+		return jm.Error
+	}
+	var endl string
+	if termInfo != nil && jm.Stream == "" && jm.Progress != nil {
+		clearLine(out, termInfo)
+		endl = "\r"
+		fmt.Fprintf(out, endl)
+	} else if jm.Progress != nil && jm.Progress.String() != "" { //disable progressbar in non-terminal
+		return nil
+	}
+	if jm.TimeNano != 0 {
+		fmt.Fprintf(out, "%s ", time.Unix(0, jm.TimeNano).Format(RFC3339NanoFixed))
+	} else if jm.Time != 0 {
+		fmt.Fprintf(out, "%s ", time.Unix(jm.Time, 0).Format(RFC3339NanoFixed))
+	}
+	if jm.ID != "" {
+		fmt.Fprintf(out, "%s: ", jm.ID)
+	}
+	if jm.From != "" {
+		fmt.Fprintf(out, "(from %s) ", jm.From)
+	}
+	if jm.Progress != nil && termInfo != nil {
+		fmt.Fprintf(out, "%s %s%s", jm.Status, jm.Progress.String(), endl)
+	} else if jm.ProgressMessage != "" { //deprecated
+		fmt.Fprintf(out, "%s %s%s", jm.Status, jm.ProgressMessage, endl)
+	} else if jm.Stream != "" {
+		fmt.Fprintf(out, "%s%s", jm.Stream, endl)
+	} else {
+		fmt.Fprintf(out, "%s%s\n", jm.Status, endl)
+	}
+	return nil
+}
+
+// DisplayJSONMessagesStream displays a json message stream from `in` to `out`, `isTerminal`
+// describes if `out` is a terminal. If this is the case, it will print `\n` at the end of
+// each line and move the cursor while displaying.
+func DisplayJSONMessagesStream(in io.Reader, out io.Writer, terminalFd uintptr, isTerminal bool, auxCallback func(JSONMessage)) error {
+	var (
+		dec = json.NewDecoder(in)
+		ids = make(map[string]int)
+	)
+
+	var termInfo termInfo
+
+	if isTerminal {
+		term := os.Getenv("TERM")
+		if term == "" {
+			term = "vt102"
+		}
+
+		var err error
+		if termInfo, err = gotty.OpenTermInfo(term); err != nil {
+			termInfo = &noTermInfo{}
+		}
+	}
+
+	for {
+		diff := 0
+		var jm JSONMessage
+		if err := dec.Decode(&jm); err != nil {
+			if err == io.EOF {
+				break
+			}
+			return err
+		}
+
+		if jm.Aux != nil {
+			if auxCallback != nil {
+				auxCallback(jm)
+			}
+			continue
+		}
+
+		if jm.Progress != nil {
+			jm.Progress.terminalFd = terminalFd
+		}
+		if jm.ID != "" && (jm.Progress != nil || jm.ProgressMessage != "") {
+			line, ok := ids[jm.ID]
+			if !ok {
+				// NOTE: This approach of using len(id) to
+				// figure out the number of lines of history
+				// only works as long as we clear the history
+				// when we output something that's not
+				// accounted for in the map, such as a line
+				// with no ID.
+				line = len(ids)
+				ids[jm.ID] = line
+				if termInfo != nil {
+					fmt.Fprintf(out, "\n")
+				}
+			}
+			diff = len(ids) - line
+			if termInfo != nil {
+				cursorUp(out, termInfo, diff)
+			}
+		} else {
+			// When outputting something that isn't progress
+			// output, clear the history of previous lines. We
+			// don't want progress entries from some previous
+			// operation to be updated (for example, pull -a
+			// with multiple tags).
+			ids = make(map[string]int)
+		}
+		err := jm.Display(out, termInfo)
+		if jm.ID != "" && termInfo != nil {
+			cursorDown(out, termInfo, diff)
+		}
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+type stream interface {
+	io.Writer
+	FD() uintptr
+	IsTerminal() bool
+}
+
+// DisplayJSONMessagesToStream prints json messages to the output stream
+func DisplayJSONMessagesToStream(in io.Reader, stream stream, auxCallback func(JSONMessage)) error {
+	return DisplayJSONMessagesStream(in, stream, stream.FD(), stream.IsTerminal(), auxCallback)
+}
diff --git a/engine/pkg/jsonmessage/jsonmessage_test.go b/engine/pkg/jsonmessage/jsonmessage_test.go
new file mode 100644
index 00000000..223d9c7f
--- /dev/null
+++ b/engine/pkg/jsonmessage/jsonmessage_test.go
@@ -0,0 +1,298 @@
+package jsonmessage // import "github.com/docker/docker/pkg/jsonmessage"
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/term"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestError(t *testing.T) {
+	je := JSONError{404, "Not found"}
+	assert.Assert(t, is.Error(&je, "Not found"))
+}
+
+func TestProgressString(t *testing.T) {
+	type expected struct {
+		short string
+		long  string
+	}
+
+	shortAndLong := func(short, long string) expected {
+		return expected{short: short, long: long}
+	}
+
+	start := time.Date(2017, 12, 3, 15, 10, 1, 0, time.UTC)
+	timeAfter := func(delta time.Duration) func() time.Time {
+		return func() time.Time {
+			return start.Add(delta)
+		}
+	}
+
+	var testcases = []struct {
+		name     string
+		progress JSONProgress
+		expected expected
+	}{
+		{
+			name: "no progress",
+		},
+		{
+			name:     "progress 1",
+			progress: JSONProgress{Current: 1},
+			expected: shortAndLong("      1B", "      1B"),
+		},
+		{
+			name: "some progress with a start time",
+			progress: JSONProgress{
+				Current: 20,
+				Total:   100,
+				Start:   start.Unix(),
+				nowFunc: timeAfter(time.Second),
+			},
+			expected: shortAndLong(
+				"     20B/100B 4s",
+				"[==========>                                        ]      20B/100B 4s",
+			),
+		},
+		{
+			name:     "some progress without a start time",
+			progress: JSONProgress{Current: 50, Total: 100},
+			expected: shortAndLong(
+				"     50B/100B",
+				"[=========================>                         ]      50B/100B",
+			),
+		},
+		{
+			name:     "current more than total is not negative gh#7136",
+			progress: JSONProgress{Current: 50, Total: 40},
+			expected: shortAndLong(
+				"     50B",
+				"[==================================================>]      50B",
+			),
+		},
+		{
+			name:     "with units",
+			progress: JSONProgress{Current: 50, Total: 100, Units: "units"},
+			expected: shortAndLong(
+				"50/100 units",
+				"[=========================>                         ] 50/100 units",
+			),
+		},
+		{
+			name:     "current more than total with units is not negative ",
+			progress: JSONProgress{Current: 50, Total: 40, Units: "units"},
+			expected: shortAndLong(
+				"50 units",
+				"[==================================================>] 50 units",
+			),
+		},
+		{
+			name:     "hide counts",
+			progress: JSONProgress{Current: 50, Total: 100, HideCounts: true},
+			expected: shortAndLong(
+				"",
+				"[=========================>                         ] ",
+			),
+		},
+	}
+
+	for _, testcase := range testcases {
+		t.Run(testcase.name, func(t *testing.T) {
+			testcase.progress.winSize = 100
+			assert.Equal(t, testcase.progress.String(), testcase.expected.short)
+
+			testcase.progress.winSize = 200
+			assert.Equal(t, testcase.progress.String(), testcase.expected.long)
+		})
+	}
+}
+
+func TestJSONMessageDisplay(t *testing.T) {
+	now := time.Now()
+	messages := map[JSONMessage][]string{
+		// Empty
+		{}: {"\n", "\n"},
+		// Status
+		{
+			Status: "status",
+		}: {
+			"status\n",
+			"status\n",
+		},
+		// General
+		{
+			Time:   now.Unix(),
+			ID:     "ID",
+			From:   "From",
+			Status: "status",
+		}: {
+			fmt.Sprintf("%v ID: (from From) status\n", time.Unix(now.Unix(), 0).Format(RFC3339NanoFixed)),
+			fmt.Sprintf("%v ID: (from From) status\n", time.Unix(now.Unix(), 0).Format(RFC3339NanoFixed)),
+		},
+		// General, with nano precision time
+		{
+			TimeNano: now.UnixNano(),
+			ID:       "ID",
+			From:     "From",
+			Status:   "status",
+		}: {
+			fmt.Sprintf("%v ID: (from From) status\n", time.Unix(0, now.UnixNano()).Format(RFC3339NanoFixed)),
+			fmt.Sprintf("%v ID: (from From) status\n", time.Unix(0, now.UnixNano()).Format(RFC3339NanoFixed)),
+		},
+		// General, with both times Nano is preferred
+		{
+			Time:     now.Unix(),
+			TimeNano: now.UnixNano(),
+			ID:       "ID",
+			From:     "From",
+			Status:   "status",
+		}: {
+			fmt.Sprintf("%v ID: (from From) status\n", time.Unix(0, now.UnixNano()).Format(RFC3339NanoFixed)),
+			fmt.Sprintf("%v ID: (from From) status\n", time.Unix(0, now.UnixNano()).Format(RFC3339NanoFixed)),
+		},
+		// Stream over status
+		{
+			Status: "status",
+			Stream: "stream",
+		}: {
+			"stream",
+			"stream",
+		},
+		// With progress message
+		{
+			Status:          "status",
+			ProgressMessage: "progressMessage",
+		}: {
+			"status progressMessage",
+			"status progressMessage",
+		},
+		// With progress, stream empty
+		{
+			Status:   "status",
+			Stream:   "",
+			Progress: &JSONProgress{Current: 1},
+		}: {
+			"",
+			fmt.Sprintf("%c[1K%c[K\rstatus       1B\r", 27, 27),
+		},
+	}
+
+	// The tests :)
+	for jsonMessage, expectedMessages := range messages {
+		// Without terminal
+		data := bytes.NewBuffer([]byte{})
+		if err := jsonMessage.Display(data, nil); err != nil {
+			t.Fatal(err)
+		}
+		if data.String() != expectedMessages[0] {
+			t.Fatalf("Expected %q,got %q", expectedMessages[0], data.String())
+		}
+		// With terminal
+		data = bytes.NewBuffer([]byte{})
+		if err := jsonMessage.Display(data, &noTermInfo{}); err != nil {
+			t.Fatal(err)
+		}
+		if data.String() != expectedMessages[1] {
+			t.Fatalf("\nExpected %q\n     got %q", expectedMessages[1], data.String())
+		}
+	}
+}
+
+// Test JSONMessage with an Error. It will return an error with the text as error, not the meaning of the HTTP code.
+func TestJSONMessageDisplayWithJSONError(t *testing.T) {
+	data := bytes.NewBuffer([]byte{})
+	jsonMessage := JSONMessage{Error: &JSONError{404, "Can't find it"}}
+
+	err := jsonMessage.Display(data, &noTermInfo{})
+	if err == nil || err.Error() != "Can't find it" {
+		t.Fatalf("Expected a JSONError 404, got %q", err)
+	}
+
+	jsonMessage = JSONMessage{Error: &JSONError{401, "Anything"}}
+	err = jsonMessage.Display(data, &noTermInfo{})
+	assert.Check(t, is.Error(err, "authentication is required"))
+}
+
+func TestDisplayJSONMessagesStreamInvalidJSON(t *testing.T) {
+	var (
+		inFd uintptr
+	)
+	data := bytes.NewBuffer([]byte{})
+	reader := strings.NewReader("This is not a 'valid' JSON []")
+	inFd, _ = term.GetFdInfo(reader)
+
+	if err := DisplayJSONMessagesStream(reader, data, inFd, false, nil); err == nil && err.Error()[:17] != "invalid character" {
+		t.Fatalf("Should have thrown an error (invalid character in ..), got %q", err)
+	}
+}
+
+func TestDisplayJSONMessagesStream(t *testing.T) {
+	var (
+		inFd uintptr
+	)
+
+	messages := map[string][]string{
+		// empty string
+		"": {
+			"",
+			""},
+		// Without progress & ID
+		"{ \"status\": \"status\" }": {
+			"status\n",
+			"status\n",
+		},
+		// Without progress, with ID
+		"{ \"id\": \"ID\",\"status\": \"status\" }": {
+			"ID: status\n",
+			fmt.Sprintf("ID: status\n"),
+		},
+		// With progress
+		"{ \"id\": \"ID\", \"status\": \"status\", \"progress\": \"ProgressMessage\" }": {
+			"ID: status ProgressMessage",
+			fmt.Sprintf("\n%c[%dAID: status ProgressMessage%c[%dB", 27, 1, 27, 1),
+		},
+		// With progressDetail
+		"{ \"id\": \"ID\", \"status\": \"status\", \"progressDetail\": { \"Current\": 1} }": {
+			"", // progressbar is disabled in non-terminal
+			fmt.Sprintf("\n%c[%dA%c[1K%c[K\rID: status       1B\r%c[%dB", 27, 1, 27, 27, 27, 1),
+		},
+	}
+
+	// Use $TERM which is unlikely to exist, forcing DisplayJSONMessageStream to
+	// (hopefully) use &noTermInfo.
+	origTerm := os.Getenv("TERM")
+	os.Setenv("TERM", "xyzzy-non-existent-terminfo")
+
+	for jsonMessage, expectedMessages := range messages {
+		data := bytes.NewBuffer([]byte{})
+		reader := strings.NewReader(jsonMessage)
+		inFd, _ = term.GetFdInfo(reader)
+
+		// Without terminal
+		if err := DisplayJSONMessagesStream(reader, data, inFd, false, nil); err != nil {
+			t.Fatal(err)
+		}
+		if data.String() != expectedMessages[0] {
+			t.Fatalf("Expected an %q, got %q", expectedMessages[0], data.String())
+		}
+
+		// With terminal
+		data = bytes.NewBuffer([]byte{})
+		reader = strings.NewReader(jsonMessage)
+		if err := DisplayJSONMessagesStream(reader, data, inFd, true, nil); err != nil {
+			t.Fatal(err)
+		}
+		if data.String() != expectedMessages[1] {
+			t.Fatalf("\nExpected %q\n     got %q", expectedMessages[1], data.String())
+		}
+	}
+	os.Setenv("TERM", origTerm)
+
+}
diff --git a/engine/pkg/locker/README.md b/engine/pkg/locker/README.md
new file mode 100644
index 00000000..ce787aef
--- /dev/null
+++ b/engine/pkg/locker/README.md
@@ -0,0 +1,65 @@
+Locker
+=====
+
+locker provides a mechanism for creating finer-grained locking to help
+free up more global locks to handle other tasks.
+
+The implementation looks close to a sync.Mutex, however, the user must provide a
+reference to use to refer to the underlying lock when locking and unlocking,
+and unlock may generate an error.
+
+If a lock with a given name does not exist when `Lock` is called, one is
+created.
+Lock references are automatically cleaned up on `Unlock` if nothing else is
+waiting for the lock.
+
+
+## Usage
+
+```go
+package important
+
+import (
+	"sync"
+	"time"
+
+	"github.com/docker/docker/pkg/locker"
+)
+
+type important struct {
+	locks *locker.Locker
+	data  map[string]interface{}
+	mu    sync.Mutex
+}
+
+func (i *important) Get(name string) interface{} {
+	i.locks.Lock(name)
+	defer i.locks.Unlock(name)
+	return i.data[name]
+}
+
+func (i *important) Create(name string, data interface{}) {
+	i.locks.Lock(name)
+	defer i.locks.Unlock(name)
+
+	i.createImportant(data)
+
+	i.mu.Lock()
+	i.data[name] = data
+	i.mu.Unlock()
+}
+
+func (i *important) createImportant(data interface{}) {
+	time.Sleep(10 * time.Second)
+}
+```
+
+For functions dealing with a given name, always lock at the beginning of the
+function (or before doing anything with the underlying state), this ensures any
+other function that is dealing with the same name will block.
+
+When needing to modify the underlying data, use the global lock to ensure nothing
+else is modifying it at the same time.
+Since name lock is already in place, no reads will occur while the modification
+is being performed.
+
diff --git a/engine/pkg/locker/locker.go b/engine/pkg/locker/locker.go
new file mode 100644
index 00000000..dbd47fc4
--- /dev/null
+++ b/engine/pkg/locker/locker.go
@@ -0,0 +1,112 @@
+/*
+Package locker provides a mechanism for creating finer-grained locking to help
+free up more global locks to handle other tasks.
+
+The implementation looks close to a sync.Mutex, however the user must provide a
+reference to use to refer to the underlying lock when locking and unlocking,
+and unlock may generate an error.
+
+If a lock with a given name does not exist when `Lock` is called, one is
+created.
+Lock references are automatically cleaned up on `Unlock` if nothing else is
+waiting for the lock.
+*/
+package locker // import "github.com/docker/docker/pkg/locker"
+
+import (
+	"errors"
+	"sync"
+	"sync/atomic"
+)
+
+// ErrNoSuchLock is returned when the requested lock does not exist
+var ErrNoSuchLock = errors.New("no such lock")
+
+// Locker provides a locking mechanism based on the passed in reference name
+type Locker struct {
+	mu    sync.Mutex
+	locks map[string]*lockCtr
+}
+
+// lockCtr is used by Locker to represent a lock with a given name.
+type lockCtr struct {
+	mu sync.Mutex
+	// waiters is the number of waiters waiting to acquire the lock
+	// this is int32 instead of uint32 so we can add `-1` in `dec()`
+	waiters int32
+}
+
+// inc increments the number of waiters waiting for the lock
+func (l *lockCtr) inc() {
+	atomic.AddInt32(&l.waiters, 1)
+}
+
+// dec decrements the number of waiters waiting on the lock
+func (l *lockCtr) dec() {
+	atomic.AddInt32(&l.waiters, -1)
+}
+
+// count gets the current number of waiters
+func (l *lockCtr) count() int32 {
+	return atomic.LoadInt32(&l.waiters)
+}
+
+// Lock locks the mutex
+func (l *lockCtr) Lock() {
+	l.mu.Lock()
+}
+
+// Unlock unlocks the mutex
+func (l *lockCtr) Unlock() {
+	l.mu.Unlock()
+}
+
+// New creates a new Locker
+func New() *Locker {
+	return &Locker{
+		locks: make(map[string]*lockCtr),
+	}
+}
+
+// Lock locks a mutex with the given name. If it doesn't exist, one is created
+func (l *Locker) Lock(name string) {
+	l.mu.Lock()
+	if l.locks == nil {
+		l.locks = make(map[string]*lockCtr)
+	}
+
+	nameLock, exists := l.locks[name]
+	if !exists {
+		nameLock = &lockCtr{}
+		l.locks[name] = nameLock
+	}
+
+	// increment the nameLock waiters while inside the main mutex
+	// this makes sure that the lock isn't deleted if `Lock` and `Unlock` are called concurrently
+	nameLock.inc()
+	l.mu.Unlock()
+
+	// Lock the nameLock outside the main mutex so we don't block other operations
+	// once locked then we can decrement the number of waiters for this lock
+	nameLock.Lock()
+	nameLock.dec()
+}
+
+// Unlock unlocks the mutex with the given name
+// If the given lock is not being waited on by any other callers, it is deleted
+func (l *Locker) Unlock(name string) error {
+	l.mu.Lock()
+	nameLock, exists := l.locks[name]
+	if !exists {
+		l.mu.Unlock()
+		return ErrNoSuchLock
+	}
+
+	if nameLock.count() == 0 {
+		delete(l.locks, name)
+	}
+	nameLock.Unlock()
+
+	l.mu.Unlock()
+	return nil
+}
diff --git a/engine/pkg/locker/locker_test.go b/engine/pkg/locker/locker_test.go
new file mode 100644
index 00000000..2b0a8a55
--- /dev/null
+++ b/engine/pkg/locker/locker_test.go
@@ -0,0 +1,161 @@
+package locker // import "github.com/docker/docker/pkg/locker"
+
+import (
+	"math/rand"
+	"strconv"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestLockCounter(t *testing.T) {
+	l := &lockCtr{}
+	l.inc()
+
+	if l.waiters != 1 {
+		t.Fatal("counter inc failed")
+	}
+
+	l.dec()
+	if l.waiters != 0 {
+		t.Fatal("counter dec failed")
+	}
+}
+
+func TestLockerLock(t *testing.T) {
+	l := New()
+	l.Lock("test")
+	ctr := l.locks["test"]
+
+	if ctr.count() != 0 {
+		t.Fatalf("expected waiters to be 0, got :%d", ctr.waiters)
+	}
+
+	chDone := make(chan struct{})
+	go func() {
+		l.Lock("test")
+		close(chDone)
+	}()
+
+	chWaiting := make(chan struct{})
+	go func() {
+		for range time.Tick(1 * time.Millisecond) {
+			if ctr.count() == 1 {
+				close(chWaiting)
+				break
+			}
+		}
+	}()
+
+	select {
+	case <-chWaiting:
+	case <-time.After(3 * time.Second):
+		t.Fatal("timed out waiting for lock waiters to be incremented")
+	}
+
+	select {
+	case <-chDone:
+		t.Fatal("lock should not have returned while it was still held")
+	default:
+	}
+
+	if err := l.Unlock("test"); err != nil {
+		t.Fatal(err)
+	}
+
+	select {
+	case <-chDone:
+	case <-time.After(3 * time.Second):
+		t.Fatalf("lock should have completed")
+	}
+
+	if ctr.count() != 0 {
+		t.Fatalf("expected waiters to be 0, got: %d", ctr.count())
+	}
+}
+
+func TestLockerUnlock(t *testing.T) {
+	l := New()
+
+	l.Lock("test")
+	l.Unlock("test")
+
+	chDone := make(chan struct{})
+	go func() {
+		l.Lock("test")
+		close(chDone)
+	}()
+
+	select {
+	case <-chDone:
+	case <-time.After(3 * time.Second):
+		t.Fatalf("lock should not be blocked")
+	}
+}
+
+func TestLockerConcurrency(t *testing.T) {
+	l := New()
+
+	var wg sync.WaitGroup
+	for i := 0; i <= 10000; i++ {
+		wg.Add(1)
+		go func() {
+			l.Lock("test")
+			// if there is a concurrency issue, will very likely panic here
+			l.Unlock("test")
+			wg.Done()
+		}()
+	}
+
+	chDone := make(chan struct{})
+	go func() {
+		wg.Wait()
+		close(chDone)
+	}()
+
+	select {
+	case <-chDone:
+	case <-time.After(10 * time.Second):
+		t.Fatal("timeout waiting for locks to complete")
+	}
+
+	// Since everything has unlocked this should not exist anymore
+	if ctr, exists := l.locks["test"]; exists {
+		t.Fatalf("lock should not exist: %v", ctr)
+	}
+}
+
+func BenchmarkLocker(b *testing.B) {
+	l := New()
+	for i := 0; i < b.N; i++ {
+		l.Lock("test")
+		l.Unlock("test")
+	}
+}
+
+func BenchmarkLockerParallel(b *testing.B) {
+	l := New()
+	b.SetParallelism(128)
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			l.Lock("test")
+			l.Unlock("test")
+		}
+	})
+}
+
+func BenchmarkLockerMoreKeys(b *testing.B) {
+	l := New()
+	var keys []string
+	for i := 0; i < 64; i++ {
+		keys = append(keys, strconv.Itoa(i))
+	}
+	b.SetParallelism(128)
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			k := keys[rand.Intn(len(keys))]
+			l.Lock(k)
+			l.Unlock(k)
+		}
+	})
+}
diff --git a/engine/pkg/longpath/longpath.go b/engine/pkg/longpath/longpath.go
new file mode 100644
index 00000000..4177affb
--- /dev/null
+++ b/engine/pkg/longpath/longpath.go
@@ -0,0 +1,26 @@
+// longpath introduces some constants and helper functions for handling long paths
+// in Windows, which are expected to be prepended with `\\?\` and followed by either
+// a drive letter, a UNC server\share, or a volume identifier.
+
+package longpath // import "github.com/docker/docker/pkg/longpath"
+
+import (
+	"strings"
+)
+
+// Prefix is the longpath prefix for Windows file paths.
+const Prefix = `\\?\`
+
+// AddPrefix will add the Windows long path prefix to the path provided if
+// it does not already have it.
+func AddPrefix(path string) string {
+	if !strings.HasPrefix(path, Prefix) {
+		if strings.HasPrefix(path, `\\`) {
+			// This is a UNC path, so we need to add 'UNC' to the path as well.
+			path = Prefix + `UNC` + path[1:]
+		} else {
+			path = Prefix + path
+		}
+	}
+	return path
+}
diff --git a/engine/pkg/longpath/longpath_test.go b/engine/pkg/longpath/longpath_test.go
new file mode 100644
index 00000000..2bcd008e
--- /dev/null
+++ b/engine/pkg/longpath/longpath_test.go
@@ -0,0 +1,22 @@
+package longpath // import "github.com/docker/docker/pkg/longpath"
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestStandardLongPath(t *testing.T) {
+	c := `C:\simple\path`
+	longC := AddPrefix(c)
+	if !strings.EqualFold(longC, `\\?\C:\simple\path`) {
+		t.Errorf("Wrong long path returned. Original = %s ; Long = %s", c, longC)
+	}
+}
+
+func TestUNCLongPath(t *testing.T) {
+	c := `\\server\share\path`
+	longC := AddPrefix(c)
+	if !strings.EqualFold(longC, `\\?\UNC\server\share\path`) {
+		t.Errorf("Wrong UNC long path returned. Original = %s ; Long = %s", c, longC)
+	}
+}
diff --git a/engine/pkg/loopback/attach_loopback.go b/engine/pkg/loopback/attach_loopback.go
new file mode 100644
index 00000000..94feb8fc
--- /dev/null
+++ b/engine/pkg/loopback/attach_loopback.go
@@ -0,0 +1,137 @@
+// +build linux,cgo
+
+package loopback // import "github.com/docker/docker/pkg/loopback"
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// Loopback related errors
+var (
+	ErrAttachLoopbackDevice   = errors.New("loopback attach failed")
+	ErrGetLoopbackBackingFile = errors.New("Unable to get loopback backing file")
+	ErrSetCapacity            = errors.New("Unable set loopback capacity")
+)
+
+func stringToLoopName(src string) [LoNameSize]uint8 {
+	var dst [LoNameSize]uint8
+	copy(dst[:], src[:])
+	return dst
+}
+
+func getNextFreeLoopbackIndex() (int, error) {
+	f, err := os.OpenFile("/dev/loop-control", os.O_RDONLY, 0644)
+	if err != nil {
+		return 0, err
+	}
+	defer f.Close()
+
+	index, err := ioctlLoopCtlGetFree(f.Fd())
+	if index < 0 {
+		index = 0
+	}
+	return index, err
+}
+
+func openNextAvailableLoopback(index int, sparseFile *os.File) (loopFile *os.File, err error) {
+	// Start looking for a free /dev/loop
+	for {
+		target := fmt.Sprintf("/dev/loop%d", index)
+		index++
+
+		fi, err := os.Stat(target)
+		if err != nil {
+			if os.IsNotExist(err) {
+				logrus.Error("There are no more loopback devices available.")
+			}
+			return nil, ErrAttachLoopbackDevice
+		}
+
+		if fi.Mode()&os.ModeDevice != os.ModeDevice {
+			logrus.Errorf("Loopback device %s is not a block device.", target)
+			continue
+		}
+
+		// OpenFile adds O_CLOEXEC
+		loopFile, err = os.OpenFile(target, os.O_RDWR, 0644)
+		if err != nil {
+			logrus.Errorf("Error opening loopback device: %s", err)
+			return nil, ErrAttachLoopbackDevice
+		}
+
+		// Try to attach to the loop file
+		if err := ioctlLoopSetFd(loopFile.Fd(), sparseFile.Fd()); err != nil {
+			loopFile.Close()
+
+			// If the error is EBUSY, then try the next loopback
+			if err != unix.EBUSY {
+				logrus.Errorf("Cannot set up loopback device %s: %s", target, err)
+				return nil, ErrAttachLoopbackDevice
+			}
+
+			// Otherwise, we keep going with the loop
+			continue
+		}
+		// In case of success, we finished. Break the loop.
+		break
+	}
+
+	// This can't happen, but let's be sure
+	if loopFile == nil {
+		logrus.Errorf("Unreachable code reached! Error attaching %s to a loopback device.", sparseFile.Name())
+		return nil, ErrAttachLoopbackDevice
+	}
+
+	return loopFile, nil
+}
+
+// AttachLoopDevice attaches the given sparse file to the next
+// available loopback device. It returns an opened *os.File.
+func AttachLoopDevice(sparseName string) (loop *os.File, err error) {
+
+	// Try to retrieve the next available loopback device via syscall.
+	// If it fails, we discard error and start looping for a
+	// loopback from index 0.
+	startIndex, err := getNextFreeLoopbackIndex()
+	if err != nil {
+		logrus.Debugf("Error retrieving the next available loopback: %s", err)
+	}
+
+	// OpenFile adds O_CLOEXEC
+	sparseFile, err := os.OpenFile(sparseName, os.O_RDWR, 0644)
+	if err != nil {
+		logrus.Errorf("Error opening sparse file %s: %s", sparseName, err)
+		return nil, ErrAttachLoopbackDevice
+	}
+	defer sparseFile.Close()
+
+	loopFile, err := openNextAvailableLoopback(startIndex, sparseFile)
+	if err != nil {
+		return nil, err
+	}
+
+	// Set the status of the loopback device
+	loopInfo := &loopInfo64{
+		loFileName: stringToLoopName(loopFile.Name()),
+		loOffset:   0,
+		loFlags:    LoFlagsAutoClear,
+	}
+
+	if err := ioctlLoopSetStatus64(loopFile.Fd(), loopInfo); err != nil {
+		logrus.Errorf("Cannot set up loopback device info: %s", err)
+
+		// If the call failed, then free the loopback device
+		if err := ioctlLoopClrFd(loopFile.Fd()); err != nil {
+			logrus.Error("Error while cleaning up the loopback device")
+		}
+		loopFile.Close()
+		return nil, ErrAttachLoopbackDevice
+	}
+
+	return loopFile, nil
+}
diff --git a/engine/pkg/loopback/ioctl.go b/engine/pkg/loopback/ioctl.go
new file mode 100644
index 00000000..612fd00a
--- /dev/null
+++ b/engine/pkg/loopback/ioctl.go
@@ -0,0 +1,48 @@
+// +build linux,cgo
+
+package loopback // import "github.com/docker/docker/pkg/loopback"
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+func ioctlLoopCtlGetFree(fd uintptr) (int, error) {
+	index, err := unix.IoctlGetInt(int(fd), LoopCtlGetFree)
+	if err != nil {
+		return 0, err
+	}
+	return index, nil
+}
+
+func ioctlLoopSetFd(loopFd, sparseFd uintptr) error {
+	return unix.IoctlSetInt(int(loopFd), LoopSetFd, int(sparseFd))
+}
+
+func ioctlLoopSetStatus64(loopFd uintptr, loopInfo *loopInfo64) error {
+	if _, _, err := unix.Syscall(unix.SYS_IOCTL, loopFd, LoopSetStatus64, uintptr(unsafe.Pointer(loopInfo))); err != 0 {
+		return err
+	}
+	return nil
+}
+
+func ioctlLoopClrFd(loopFd uintptr) error {
+	if _, _, err := unix.Syscall(unix.SYS_IOCTL, loopFd, LoopClrFd, 0); err != 0 {
+		return err
+	}
+	return nil
+}
+
+func ioctlLoopGetStatus64(loopFd uintptr) (*loopInfo64, error) {
+	loopInfo := &loopInfo64{}
+
+	if _, _, err := unix.Syscall(unix.SYS_IOCTL, loopFd, LoopGetStatus64, uintptr(unsafe.Pointer(loopInfo))); err != 0 {
+		return nil, err
+	}
+	return loopInfo, nil
+}
+
+func ioctlLoopSetCapacity(loopFd uintptr, value int) error {
+	return unix.IoctlSetInt(int(loopFd), LoopSetCapacity, value)
+}
diff --git a/engine/pkg/loopback/loop_wrapper.go b/engine/pkg/loopback/loop_wrapper.go
new file mode 100644
index 00000000..7206bfb9
--- /dev/null
+++ b/engine/pkg/loopback/loop_wrapper.go
@@ -0,0 +1,52 @@
+// +build linux,cgo
+
+package loopback // import "github.com/docker/docker/pkg/loopback"
+
+/*
+#include <linux/loop.h> // FIXME: present only for defines, maybe we can remove it?
+
+#ifndef LOOP_CTL_GET_FREE
+  #define LOOP_CTL_GET_FREE 0x4C82
+#endif
+
+#ifndef LO_FLAGS_PARTSCAN
+  #define LO_FLAGS_PARTSCAN 8
+#endif
+
+*/
+import "C"
+
+type loopInfo64 struct {
+	loDevice         uint64 /* ioctl r/o */
+	loInode          uint64 /* ioctl r/o */
+	loRdevice        uint64 /* ioctl r/o */
+	loOffset         uint64
+	loSizelimit      uint64 /* bytes, 0 == max available */
+	loNumber         uint32 /* ioctl r/o */
+	loEncryptType    uint32
+	loEncryptKeySize uint32 /* ioctl w/o */
+	loFlags          uint32 /* ioctl r/o */
+	loFileName       [LoNameSize]uint8
+	loCryptName      [LoNameSize]uint8
+	loEncryptKey     [LoKeySize]uint8 /* ioctl w/o */
+	loInit           [2]uint64
+}
+
+// IOCTL consts
+const (
+	LoopSetFd       = C.LOOP_SET_FD
+	LoopCtlGetFree  = C.LOOP_CTL_GET_FREE
+	LoopGetStatus64 = C.LOOP_GET_STATUS64
+	LoopSetStatus64 = C.LOOP_SET_STATUS64
+	LoopClrFd       = C.LOOP_CLR_FD
+	LoopSetCapacity = C.LOOP_SET_CAPACITY
+)
+
+// LOOP consts.
+const (
+	LoFlagsAutoClear = C.LO_FLAGS_AUTOCLEAR
+	LoFlagsReadOnly  = C.LO_FLAGS_READ_ONLY
+	LoFlagsPartScan  = C.LO_FLAGS_PARTSCAN
+	LoKeySize        = C.LO_KEY_SIZE
+	LoNameSize       = C.LO_NAME_SIZE
+)
diff --git a/engine/pkg/loopback/loopback.go b/engine/pkg/loopback/loopback.go
new file mode 100644
index 00000000..086655bc
--- /dev/null
+++ b/engine/pkg/loopback/loopback.go
@@ -0,0 +1,64 @@
+// +build linux,cgo
+
+package loopback // import "github.com/docker/docker/pkg/loopback"
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func getLoopbackBackingFile(file *os.File) (uint64, uint64, error) {
+	loopInfo, err := ioctlLoopGetStatus64(file.Fd())
+	if err != nil {
+		logrus.Errorf("Error get loopback backing file: %s", err)
+		return 0, 0, ErrGetLoopbackBackingFile
+	}
+	return loopInfo.loDevice, loopInfo.loInode, nil
+}
+
+// SetCapacity reloads the size for the loopback device.
+func SetCapacity(file *os.File) error {
+	if err := ioctlLoopSetCapacity(file.Fd(), 0); err != nil {
+		logrus.Errorf("Error loopbackSetCapacity: %s", err)
+		return ErrSetCapacity
+	}
+	return nil
+}
+
+// FindLoopDeviceFor returns a loopback device file for the specified file which
+// is backing file of a loop back device.
+func FindLoopDeviceFor(file *os.File) *os.File {
+	var stat unix.Stat_t
+	err := unix.Stat(file.Name(), &stat)
+	if err != nil {
+		return nil
+	}
+	targetInode := stat.Ino
+	targetDevice := stat.Dev
+
+	for i := 0; true; i++ {
+		path := fmt.Sprintf("/dev/loop%d", i)
+
+		file, err := os.OpenFile(path, os.O_RDWR, 0)
+		if err != nil {
+			if os.IsNotExist(err) {
+				return nil
+			}
+
+			// Ignore all errors until the first not-exist
+			// we want to continue looking for the file
+			continue
+		}
+
+		dev, inode, err := getLoopbackBackingFile(file)
+		if err == nil && dev == targetDevice && inode == targetInode {
+			return file
+		}
+		file.Close()
+	}
+
+	return nil
+}
diff --git a/engine/pkg/mount/flags.go b/engine/pkg/mount/flags.go
new file mode 100644
index 00000000..272363b6
--- /dev/null
+++ b/engine/pkg/mount/flags.go
@@ -0,0 +1,149 @@
+package mount // import "github.com/docker/docker/pkg/mount"
+
+import (
+	"fmt"
+	"strings"
+)
+
+var flags = map[string]struct {
+	clear bool
+	flag  int
+}{
+	"defaults":      {false, 0},
+	"ro":            {false, RDONLY},
+	"rw":            {true, RDONLY},
+	"suid":          {true, NOSUID},
+	"nosuid":        {false, NOSUID},
+	"dev":           {true, NODEV},
+	"nodev":         {false, NODEV},
+	"exec":          {true, NOEXEC},
+	"noexec":        {false, NOEXEC},
+	"sync":          {false, SYNCHRONOUS},
+	"async":         {true, SYNCHRONOUS},
+	"dirsync":       {false, DIRSYNC},
+	"remount":       {false, REMOUNT},
+	"mand":          {false, MANDLOCK},
+	"nomand":        {true, MANDLOCK},
+	"atime":         {true, NOATIME},
+	"noatime":       {false, NOATIME},
+	"diratime":      {true, NODIRATIME},
+	"nodiratime":    {false, NODIRATIME},
+	"bind":          {false, BIND},
+	"rbind":         {false, RBIND},
+	"unbindable":    {false, UNBINDABLE},
+	"runbindable":   {false, RUNBINDABLE},
+	"private":       {false, PRIVATE},
+	"rprivate":      {false, RPRIVATE},
+	"shared":        {false, SHARED},
+	"rshared":       {false, RSHARED},
+	"slave":         {false, SLAVE},
+	"rslave":        {false, RSLAVE},
+	"relatime":      {false, RELATIME},
+	"norelatime":    {true, RELATIME},
+	"strictatime":   {false, STRICTATIME},
+	"nostrictatime": {true, STRICTATIME},
+}
+
+var validFlags = map[string]bool{
+	"":          true,
+	"size":      true,
+	"mode":      true,
+	"uid":       true,
+	"gid":       true,
+	"nr_inodes": true,
+	"nr_blocks": true,
+	"mpol":      true,
+}
+
+var propagationFlags = map[string]bool{
+	"bind":        true,
+	"rbind":       true,
+	"unbindable":  true,
+	"runbindable": true,
+	"private":     true,
+	"rprivate":    true,
+	"shared":      true,
+	"rshared":     true,
+	"slave":       true,
+	"rslave":      true,
+}
+
+// MergeTmpfsOptions merge mount options to make sure there is no duplicate.
+func MergeTmpfsOptions(options []string) ([]string, error) {
+	// We use collisions maps to remove duplicates.
+	// For flag, the key is the flag value (the key for propagation flag is -1)
+	// For data=value, the key is the data
+	flagCollisions := map[int]bool{}
+	dataCollisions := map[string]bool{}
+
+	var newOptions []string
+	// We process in reverse order
+	for i := len(options) - 1; i >= 0; i-- {
+		option := options[i]
+		if option == "defaults" {
+			continue
+		}
+		if f, ok := flags[option]; ok && f.flag != 0 {
+			// There is only one propagation mode
+			key := f.flag
+			if propagationFlags[option] {
+				key = -1
+			}
+			// Check to see if there is collision for flag
+			if !flagCollisions[key] {
+				// We prepend the option and add to collision map
+				newOptions = append([]string{option}, newOptions...)
+				flagCollisions[key] = true
+			}
+			continue
+		}
+		opt := strings.SplitN(option, "=", 2)
+		if len(opt) != 2 || !validFlags[opt[0]] {
+			return nil, fmt.Errorf("Invalid tmpfs option %q", opt)
+		}
+		if !dataCollisions[opt[0]] {
+			// We prepend the option and add to collision map
+			newOptions = append([]string{option}, newOptions...)
+			dataCollisions[opt[0]] = true
+		}
+	}
+
+	return newOptions, nil
+}
+
+// Parse fstab type mount options into mount() flags
+// and device specific data
+func parseOptions(options string) (int, string) {
+	var (
+		flag int
+		data []string
+	)
+
+	for _, o := range strings.Split(options, ",") {
+		// If the option does not exist in the flags table or the flag
+		// is not supported on the platform,
+		// then it is a data value for a specific fs type
+		if f, exists := flags[o]; exists && f.flag != 0 {
+			if f.clear {
+				flag &= ^f.flag
+			} else {
+				flag |= f.flag
+			}
+		} else {
+			data = append(data, o)
+		}
+	}
+	return flag, strings.Join(data, ",")
+}
+
+// ParseTmpfsOptions parse fstab type mount options into flags and data
+func ParseTmpfsOptions(options string) (int, string, error) {
+	flags, data := parseOptions(options)
+	for _, o := range strings.Split(data, ",") {
+		opt := strings.SplitN(o, "=", 2)
+		if !validFlags[opt[0]] {
+			return 0, "", fmt.Errorf("Invalid tmpfs option %q", opt)
+		}
+	}
+	return flags, data, nil
+}
diff --git a/engine/pkg/mount/flags_freebsd.go b/engine/pkg/mount/flags_freebsd.go
new file mode 100644
index 00000000..ef35ef90
--- /dev/null
+++ b/engine/pkg/mount/flags_freebsd.go
@@ -0,0 +1,49 @@
+// +build freebsd,cgo
+
+package mount // import "github.com/docker/docker/pkg/mount"
+
+/*
+#include <sys/mount.h>
+*/
+import "C"
+
+const (
+	// RDONLY will mount the filesystem as read-only.
+	RDONLY = C.MNT_RDONLY
+
+	// NOSUID will not allow set-user-identifier or set-group-identifier bits to
+	// take effect.
+	NOSUID = C.MNT_NOSUID
+
+	// NOEXEC will not allow execution of any binaries on the mounted file system.
+	NOEXEC = C.MNT_NOEXEC
+
+	// SYNCHRONOUS will allow any I/O to the file system to be done synchronously.
+	SYNCHRONOUS = C.MNT_SYNCHRONOUS
+
+	// NOATIME will not update the file access time when reading from a file.
+	NOATIME = C.MNT_NOATIME
+)
+
+// These flags are unsupported.
+const (
+	BIND        = 0
+	DIRSYNC     = 0
+	MANDLOCK    = 0
+	NODEV       = 0
+	NODIRATIME  = 0
+	UNBINDABLE  = 0
+	RUNBINDABLE = 0
+	PRIVATE     = 0
+	RPRIVATE    = 0
+	SHARED      = 0
+	RSHARED     = 0
+	SLAVE       = 0
+	RSLAVE      = 0
+	RBIND       = 0
+	RELATIVE    = 0
+	RELATIME    = 0
+	REMOUNT     = 0
+	STRICTATIME = 0
+	mntDetach   = 0
+)
diff --git a/engine/pkg/mount/flags_linux.go b/engine/pkg/mount/flags_linux.go
new file mode 100644
index 00000000..a1b199a3
--- /dev/null
+++ b/engine/pkg/mount/flags_linux.go
@@ -0,0 +1,87 @@
+package mount // import "github.com/docker/docker/pkg/mount"
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+const (
+	// RDONLY will mount the file system read-only.
+	RDONLY = unix.MS_RDONLY
+
+	// NOSUID will not allow set-user-identifier or set-group-identifier bits to
+	// take effect.
+	NOSUID = unix.MS_NOSUID
+
+	// NODEV will not interpret character or block special devices on the file
+	// system.
+	NODEV = unix.MS_NODEV
+
+	// NOEXEC will not allow execution of any binaries on the mounted file system.
+	NOEXEC = unix.MS_NOEXEC
+
+	// SYNCHRONOUS will allow I/O to the file system to be done synchronously.
+	SYNCHRONOUS = unix.MS_SYNCHRONOUS
+
+	// DIRSYNC will force all directory updates within the file system to be done
+	// synchronously. This affects the following system calls: create, link,
+	// unlink, symlink, mkdir, rmdir, mknod and rename.
+	DIRSYNC = unix.MS_DIRSYNC
+
+	// REMOUNT will attempt to remount an already-mounted file system. This is
+	// commonly used to change the mount flags for a file system, especially to
+	// make a readonly file system writeable. It does not change device or mount
+	// point.
+	REMOUNT = unix.MS_REMOUNT
+
+	// MANDLOCK will force mandatory locks on a filesystem.
+	MANDLOCK = unix.MS_MANDLOCK
+
+	// NOATIME will not update the file access time when reading from a file.
+	NOATIME = unix.MS_NOATIME
+
+	// NODIRATIME will not update the directory access time.
+	NODIRATIME = unix.MS_NODIRATIME
+
+	// BIND remounts a subtree somewhere else.
+	BIND = unix.MS_BIND
+
+	// RBIND remounts a subtree and all possible submounts somewhere else.
+	RBIND = unix.MS_BIND | unix.MS_REC
+
+	// UNBINDABLE creates a mount which cannot be cloned through a bind operation.
+	UNBINDABLE = unix.MS_UNBINDABLE
+
+	// RUNBINDABLE marks the entire mount tree as UNBINDABLE.
+	RUNBINDABLE = unix.MS_UNBINDABLE | unix.MS_REC
+
+	// PRIVATE creates a mount which carries no propagation abilities.
+	PRIVATE = unix.MS_PRIVATE
+
+	// RPRIVATE marks the entire mount tree as PRIVATE.
+	RPRIVATE = unix.MS_PRIVATE | unix.MS_REC
+
+	// SLAVE creates a mount which receives propagation from its master, but not
+	// vice versa.
+	SLAVE = unix.MS_SLAVE
+
+	// RSLAVE marks the entire mount tree as SLAVE.
+	RSLAVE = unix.MS_SLAVE | unix.MS_REC
+
+	// SHARED creates a mount which provides the ability to create mirrors of
+	// that mount such that mounts and unmounts within any of the mirrors
+	// propagate to the other mirrors.
+	SHARED = unix.MS_SHARED
+
+	// RSHARED marks the entire mount tree as SHARED.
+	RSHARED = unix.MS_SHARED | unix.MS_REC
+
+	// RELATIME updates inode access times relative to modify or change time.
+	RELATIME = unix.MS_RELATIME
+
+	// STRICTATIME allows to explicitly request full atime updates.  This makes
+	// it possible for the kernel to default to relatime or noatime but still
+	// allow userspace to override it.
+	STRICTATIME = unix.MS_STRICTATIME
+
+	mntDetach = unix.MNT_DETACH
+)
diff --git a/engine/pkg/mount/flags_unsupported.go b/engine/pkg/mount/flags_unsupported.go
new file mode 100644
index 00000000..cc6c4759
--- /dev/null
+++ b/engine/pkg/mount/flags_unsupported.go
@@ -0,0 +1,31 @@
+// +build !linux,!freebsd freebsd,!cgo
+
+package mount // import "github.com/docker/docker/pkg/mount"
+
+// These flags are unsupported.
+const (
+	BIND        = 0
+	DIRSYNC     = 0
+	MANDLOCK    = 0
+	NOATIME     = 0
+	NODEV       = 0
+	NODIRATIME  = 0
+	NOEXEC      = 0
+	NOSUID      = 0
+	UNBINDABLE  = 0
+	RUNBINDABLE = 0
+	PRIVATE     = 0
+	RPRIVATE    = 0
+	SHARED      = 0
+	RSHARED     = 0
+	SLAVE       = 0
+	RSLAVE      = 0
+	RBIND       = 0
+	RELATIME    = 0
+	RELATIVE    = 0
+	REMOUNT     = 0
+	STRICTATIME = 0
+	SYNCHRONOUS = 0
+	RDONLY      = 0
+	mntDetach   = 0
+)
diff --git a/engine/pkg/mount/mount.go b/engine/pkg/mount/mount.go
new file mode 100644
index 00000000..874aff65
--- /dev/null
+++ b/engine/pkg/mount/mount.go
@@ -0,0 +1,141 @@
+package mount // import "github.com/docker/docker/pkg/mount"
+
+import (
+	"sort"
+	"strings"
+	"syscall"
+
+	"github.com/sirupsen/logrus"
+)
+
+// FilterFunc is a type defining a callback function
+// to filter out unwanted entries. It takes a pointer
+// to an Info struct (not fully populated, currently
+// only Mountpoint is filled in), and returns two booleans:
+//  - skip: true if the entry should be skipped
+//  - stop: true if parsing should be stopped after the entry
+type FilterFunc func(*Info) (skip, stop bool)
+
+// PrefixFilter discards all entries whose mount points
+// do not start with a prefix specified
+func PrefixFilter(prefix string) FilterFunc {
+	return func(m *Info) (bool, bool) {
+		skip := !strings.HasPrefix(m.Mountpoint, prefix)
+		return skip, false
+	}
+}
+
+// SingleEntryFilter looks for a specific entry
+func SingleEntryFilter(mp string) FilterFunc {
+	return func(m *Info) (bool, bool) {
+		if m.Mountpoint == mp {
+			return false, true // don't skip, stop now
+		}
+		return true, false // skip, keep going
+	}
+}
+
+// ParentsFilter returns all entries whose mount points
+// can be parents of a path specified, discarding others.
+// For example, given `/var/lib/docker/something`, entries
+// like `/var/lib/docker`, `/var` and `/` are returned.
+func ParentsFilter(path string) FilterFunc {
+	return func(m *Info) (bool, bool) {
+		skip := !strings.HasPrefix(path, m.Mountpoint)
+		return skip, false
+	}
+}
+
+// GetMounts retrieves a list of mounts for the current running process,
+// with an optional filter applied (use nil for no filter).
+func GetMounts(f FilterFunc) ([]*Info, error) {
+	return parseMountTable(f)
+}
+
+// Mounted determines if a specified mountpoint has been mounted.
+// On Linux it looks at /proc/self/mountinfo.
+func Mounted(mountpoint string) (bool, error) {
+	entries, err := GetMounts(SingleEntryFilter(mountpoint))
+	if err != nil {
+		return false, err
+	}
+
+	return len(entries) > 0, nil
+}
+
+// Mount will mount filesystem according to the specified configuration, on the
+// condition that the target path is *not* already mounted. Options must be
+// specified like the mount or fstab unix commands: "opt1=val1,opt2=val2". See
+// flags.go for supported option flags.
+func Mount(device, target, mType, options string) error {
+	flag, _ := parseOptions(options)
+	if flag&REMOUNT != REMOUNT {
+		if mounted, err := Mounted(target); err != nil || mounted {
+			return err
+		}
+	}
+	return ForceMount(device, target, mType, options)
+}
+
+// ForceMount will mount a filesystem according to the specified configuration,
+// *regardless* if the target path is not already mounted. Options must be
+// specified like the mount or fstab unix commands: "opt1=val1,opt2=val2". See
+// flags.go for supported option flags.
+func ForceMount(device, target, mType, options string) error {
+	flag, data := parseOptions(options)
+	return mount(device, target, mType, uintptr(flag), data)
+}
+
+// Unmount lazily unmounts a filesystem on supported platforms, otherwise
+// does a normal unmount.
+func Unmount(target string) error {
+	err := unmount(target, mntDetach)
+	if err == syscall.EINVAL {
+		// ignore "not mounted" error
+		err = nil
+	}
+	return err
+}
+
+// RecursiveUnmount unmounts the target and all mounts underneath, starting with
+// the deepsest mount first.
+func RecursiveUnmount(target string) error {
+	mounts, err := parseMountTable(PrefixFilter(target))
+	if err != nil {
+		return err
+	}
+
+	// Make the deepest mount be first
+	sort.Slice(mounts, func(i, j int) bool {
+		return len(mounts[i].Mountpoint) > len(mounts[j].Mountpoint)
+	})
+
+	for i, m := range mounts {
+		logrus.Debugf("Trying to unmount %s", m.Mountpoint)
+		err = unmount(m.Mountpoint, mntDetach)
+		if err != nil {
+			// If the error is EINVAL either this whole package is wrong (invalid flags passed to unmount(2)) or this is
+			// not a mountpoint (which is ok in this case).
+			// Meanwhile calling `Mounted()` is very expensive.
+			//
+			// We've purposefully used `syscall.EINVAL` here instead of `unix.EINVAL` to avoid platform branching
+			// Since `EINVAL` is defined for both Windows and Linux in the `syscall` package (and other platforms),
+			//   this is nicer than defining a custom value that we can refer to in each platform file.
+			if err == syscall.EINVAL {
+				continue
+			}
+			if i == len(mounts)-1 {
+				if mounted, e := Mounted(m.Mountpoint); e != nil || mounted {
+					return err
+				}
+				continue
+			}
+			// This is some submount, we can ignore this error for now, the final unmount will fail if this is a real problem
+			logrus.WithError(err).Warnf("Failed to unmount submount %s", m.Mountpoint)
+			continue
+		}
+
+		logrus.Debugf("Unmounted %s", m.Mountpoint)
+	}
+	return nil
+}
diff --git a/engine/pkg/mount/mount_unix_test.go b/engine/pkg/mount/mount_unix_test.go
new file mode 100644
index 00000000..befff9d5
--- /dev/null
+++ b/engine/pkg/mount/mount_unix_test.go
@@ -0,0 +1,170 @@
+// +build !windows
+
+package mount // import "github.com/docker/docker/pkg/mount"
+
+import (
+	"os"
+	"path"
+	"testing"
+)
+
+func TestMountOptionsParsing(t *testing.T) {
+	options := "noatime,ro,size=10k"
+
+	flag, data := parseOptions(options)
+
+	if data != "size=10k" {
+		t.Fatalf("Expected size=10 got %s", data)
+	}
+
+	expectedFlag := NOATIME | RDONLY
+
+	if flag != expectedFlag {
+		t.Fatalf("Expected %d got %d", expectedFlag, flag)
+	}
+}
+
+func TestMounted(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("root required")
+	}
+
+	tmp := path.Join(os.TempDir(), "mount-tests")
+	if err := os.MkdirAll(tmp, 0777); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+
+	var (
+		sourceDir  = path.Join(tmp, "source")
+		targetDir  = path.Join(tmp, "target")
+		sourcePath = path.Join(sourceDir, "file.txt")
+		targetPath = path.Join(targetDir, "file.txt")
+	)
+
+	os.Mkdir(sourceDir, 0777)
+	os.Mkdir(targetDir, 0777)
+
+	f, err := os.Create(sourcePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	f.WriteString("hello")
+	f.Close()
+
+	f, err = os.Create(targetPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	f.Close()
+
+	if err := Mount(sourceDir, targetDir, "none", "bind,rw"); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(targetDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	mounted, err := Mounted(targetDir)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !mounted {
+		t.Fatalf("Expected %s to be mounted", targetDir)
+	}
+	if _, err := os.Stat(targetDir); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestMountReadonly(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("root required")
+	}
+
+	tmp := path.Join(os.TempDir(), "mount-tests")
+	if err := os.MkdirAll(tmp, 0777); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+
+	var (
+		sourceDir  = path.Join(tmp, "source")
+		targetDir  = path.Join(tmp, "target")
+		sourcePath = path.Join(sourceDir, "file.txt")
+		targetPath = path.Join(targetDir, "file.txt")
+	)
+
+	os.Mkdir(sourceDir, 0777)
+	os.Mkdir(targetDir, 0777)
+
+	f, err := os.Create(sourcePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	f.WriteString("hello")
+	f.Close()
+
+	f, err = os.Create(targetPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	f.Close()
+
+	if err := Mount(sourceDir, targetDir, "none", "bind,ro"); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(targetDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	f, err = os.OpenFile(targetPath, os.O_RDWR, 0777)
+	if err == nil {
+		t.Fatal("Should not be able to open a ro file as rw")
+	}
+}
+
+func TestGetMounts(t *testing.T) {
+	mounts, err := GetMounts(nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	root := false
+	for _, entry := range mounts {
+		if entry.Mountpoint == "/" {
+			root = true
+		}
+	}
+
+	if !root {
+		t.Fatal("/ should be mounted at least")
+	}
+}
+
+func TestMergeTmpfsOptions(t *testing.T) {
+	options := []string{"noatime", "ro", "size=10k", "defaults", "atime", "defaults", "rw", "rprivate", "size=1024k", "slave"}
+	expected := []string{"atime", "rw", "size=1024k", "slave"}
+	merged, err := MergeTmpfsOptions(options)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(expected) != len(merged) {
+		t.Fatalf("Expected %s got %s", expected, merged)
+	}
+	for index := range merged {
+		if merged[index] != expected[index] {
+			t.Fatalf("Expected %s for the %dth option, got %s", expected, index, merged)
+		}
+	}
+
+	options = []string{"noatime", "ro", "size=10k", "atime", "rw", "rprivate", "size=1024k", "slave", "size"}
+	_, err = MergeTmpfsOptions(options)
+	if err == nil {
+		t.Fatal("Expected error got nil")
+	}
+}
diff --git a/engine/pkg/mount/mounter_freebsd.go b/engine/pkg/mount/mounter_freebsd.go
new file mode 100644
index 00000000..b6ab83a2
--- /dev/null
+++ b/engine/pkg/mount/mounter_freebsd.go
@@ -0,0 +1,60 @@
+package mount // import "github.com/docker/docker/pkg/mount"
+
+/*
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/_iovec.h>
+#include <sys/mount.h>
+#include <sys/param.h>
+*/
+import "C"
+
+import (
+	"fmt"
+	"strings"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+func allocateIOVecs(options []string) []C.struct_iovec {
+	out := make([]C.struct_iovec, len(options))
+	for i, option := range options {
+		out[i].iov_base = unsafe.Pointer(C.CString(option))
+		out[i].iov_len = C.size_t(len(option) + 1)
+	}
+	return out
+}
+
+func mount(device, target, mType string, flag uintptr, data string) error {
+	isNullFS := false
+
+	xs := strings.Split(data, ",")
+	for _, x := range xs {
+		if x == "bind" {
+			isNullFS = true
+		}
+	}
+
+	options := []string{"fspath", target}
+	if isNullFS {
+		options = append(options, "fstype", "nullfs", "target", device)
+	} else {
+		options = append(options, "fstype", mType, "from", device)
+	}
+	rawOptions := allocateIOVecs(options)
+	for _, rawOption := range rawOptions {
+		defer C.free(rawOption.iov_base)
+	}
+
+	if errno := C.nmount(&rawOptions[0], C.uint(len(options)), C.int(flag)); errno != 0 {
+		reason := C.GoString(C.strerror(*C.__error()))
+		return fmt.Errorf("Failed to call nmount: %s", reason)
+	}
+	return nil
+}
+
+func unmount(target string, flag int) error {
+	return unix.Unmount(target, flag)
+}
diff --git a/engine/pkg/mount/mounter_linux.go b/engine/pkg/mount/mounter_linux.go
new file mode 100644
index 00000000..631daf10
--- /dev/null
+++ b/engine/pkg/mount/mounter_linux.go
@@ -0,0 +1,57 @@
+package mount // import "github.com/docker/docker/pkg/mount"
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+const (
+	// ptypes is the set propagation types.
+	ptypes = unix.MS_SHARED | unix.MS_PRIVATE | unix.MS_SLAVE | unix.MS_UNBINDABLE
+
+	// pflags is the full set valid flags for a change propagation call.
+	pflags = ptypes | unix.MS_REC | unix.MS_SILENT
+
+	// broflags is the combination of bind and read only
+	broflags = unix.MS_BIND | unix.MS_RDONLY
+)
+
+// isremount returns true if either device name or flags identify a remount request, false otherwise.
+func isremount(device string, flags uintptr) bool {
+	switch {
+	// We treat device "" and "none" as a remount request to provide compatibility with
+	// requests that don't explicitly set MS_REMOUNT such as those manipulating bind mounts.
+	case flags&unix.MS_REMOUNT != 0, device == "", device == "none":
+		return true
+	default:
+		return false
+	}
+}
+
+func mount(device, target, mType string, flags uintptr, data string) error {
+	oflags := flags &^ ptypes
+	if !isremount(device, flags) || data != "" {
+		// Initial call applying all non-propagation flags for mount
+		// or remount with changed data
+		if err := unix.Mount(device, target, mType, oflags, data); err != nil {
+			return err
+		}
+	}
+
+	if flags&ptypes != 0 {
+		// Change the propagation type.
+		if err := unix.Mount("", target, "", flags&pflags, ""); err != nil {
+			return err
+		}
+	}
+
+	if oflags&broflags == broflags {
+		// Remount the bind to apply read only.
+		return unix.Mount("", target, "", oflags|unix.MS_REMOUNT, "")
+	}
+
+	return nil
+}
+
+func unmount(target string, flag int) error {
+	return unix.Unmount(target, flag)
+}
diff --git a/engine/pkg/mount/mounter_linux_test.go b/engine/pkg/mount/mounter_linux_test.go
new file mode 100644
index 00000000..336f3d5c
--- /dev/null
+++ b/engine/pkg/mount/mounter_linux_test.go
@@ -0,0 +1,228 @@
+// +build linux
+
+package mount // import "github.com/docker/docker/pkg/mount"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+)
+
+func TestMount(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("root required")
+	}
+
+	source, err := ioutil.TempDir("", "mount-test-source-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(source)
+
+	// Ensure we have a known start point by mounting tmpfs with given options
+	if err := Mount("tmpfs", source, "tmpfs", "private"); err != nil {
+		t.Fatal(err)
+	}
+	defer ensureUnmount(t, source)
+	validateMount(t, source, "", "", "")
+	if t.Failed() {
+		t.FailNow()
+	}
+
+	target, err := ioutil.TempDir("", "mount-test-target-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(target)
+
+	tests := []struct {
+		source           string
+		ftype            string
+		options          string
+		expectedOpts     string
+		expectedOptional string
+		expectedVFS      string
+	}{
+		// No options
+		{"tmpfs", "tmpfs", "", "", "", ""},
+		// Default rw / ro test
+		{source, "", "bind", "", "", ""},
+		{source, "", "bind,private", "", "", ""},
+		{source, "", "bind,shared", "", "shared", ""},
+		{source, "", "bind,slave", "", "master", ""},
+		{source, "", "bind,unbindable", "", "unbindable", ""},
+		// Read Write tests
+		{source, "", "bind,rw", "rw", "", ""},
+		{source, "", "bind,rw,private", "rw", "", ""},
+		{source, "", "bind,rw,shared", "rw", "shared", ""},
+		{source, "", "bind,rw,slave", "rw", "master", ""},
+		{source, "", "bind,rw,unbindable", "rw", "unbindable", ""},
+		// Read Only tests
+		{source, "", "bind,ro", "ro", "", ""},
+		{source, "", "bind,ro,private", "ro", "", ""},
+		{source, "", "bind,ro,shared", "ro", "shared", ""},
+		{source, "", "bind,ro,slave", "ro", "master", ""},
+		{source, "", "bind,ro,unbindable", "ro", "unbindable", ""},
+		// Remount tests to change per filesystem options
+		{"", "", "remount,size=128k", "rw", "", "rw,size=128k"},
+		{"", "", "remount,ro,size=128k", "ro", "", "ro,size=128k"},
+	}
+
+	for _, tc := range tests {
+		ftype, options := tc.ftype, tc.options
+		if tc.ftype == "" {
+			ftype = "none"
+		}
+		if tc.options == "" {
+			options = "none"
+		}
+
+		t.Run(fmt.Sprintf("%v-%v", ftype, options), func(t *testing.T) {
+			if strings.Contains(tc.options, "slave") {
+				// Slave requires a shared source
+				if err := MakeShared(source); err != nil {
+					t.Fatal(err)
+				}
+				defer func() {
+					if err := MakePrivate(source); err != nil {
+						t.Fatal(err)
+					}
+				}()
+			}
+			if strings.Contains(tc.options, "remount") {
+				// create a new mount to remount first
+				if err := Mount("tmpfs", target, "tmpfs", ""); err != nil {
+					t.Fatal(err)
+				}
+			}
+			if err := Mount(tc.source, target, tc.ftype, tc.options); err != nil {
+				t.Fatal(err)
+			}
+			defer ensureUnmount(t, target)
+			validateMount(t, target, tc.expectedOpts, tc.expectedOptional, tc.expectedVFS)
+		})
+	}
+}
+
+// ensureUnmount umounts mnt checking for errors
+func ensureUnmount(t *testing.T, mnt string) {
+	if err := Unmount(mnt); err != nil {
+		t.Error(err)
+	}
+}
+
+// validateMount checks that mnt has the given options
+func validateMount(t *testing.T, mnt string, opts, optional, vfs string) {
+	info, err := GetMounts(nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	wantedOpts := make(map[string]struct{})
+	if opts != "" {
+		for _, opt := range strings.Split(opts, ",") {
+			wantedOpts[opt] = struct{}{}
+		}
+	}
+
+	wantedOptional := make(map[string]struct{})
+	if optional != "" {
+		for _, opt := range strings.Split(optional, ",") {
+			wantedOptional[opt] = struct{}{}
+		}
+	}
+
+	wantedVFS := make(map[string]struct{})
+	if vfs != "" {
+		for _, opt := range strings.Split(vfs, ",") {
+			wantedVFS[opt] = struct{}{}
+		}
+	}
+
+	mnts := make(map[int]*Info, len(info))
+	for _, mi := range info {
+		mnts[mi.ID] = mi
+	}
+
+	for _, mi := range info {
+		if mi.Mountpoint != mnt {
+			continue
+		}
+
+		// Use parent info as the defaults
+		p := mnts[mi.Parent]
+		pOpts := make(map[string]struct{})
+		if p.Opts != "" {
+			for _, opt := range strings.Split(p.Opts, ",") {
+				pOpts[clean(opt)] = struct{}{}
+			}
+		}
+		pOptional := make(map[string]struct{})
+		if p.Optional != "" {
+			for _, field := range strings.Split(p.Optional, ",") {
+				pOptional[clean(field)] = struct{}{}
+			}
+		}
+
+		// Validate Opts
+		if mi.Opts != "" {
+			for _, opt := range strings.Split(mi.Opts, ",") {
+				opt = clean(opt)
+				if !has(wantedOpts, opt) && !has(pOpts, opt) {
+					t.Errorf("unexpected mount option %q, expected %q", opt, opts)
+				}
+				delete(wantedOpts, opt)
+			}
+		}
+		for opt := range wantedOpts {
+			t.Errorf("missing mount option %q, found %q", opt, mi.Opts)
+		}
+
+		// Validate Optional
+		if mi.Optional != "" {
+			for _, field := range strings.Split(mi.Optional, ",") {
+				field = clean(field)
+				if !has(wantedOptional, field) && !has(pOptional, field) {
+					t.Errorf("unexpected optional field %q, expected %q", field, optional)
+				}
+				delete(wantedOptional, field)
+			}
+		}
+		for field := range wantedOptional {
+			t.Errorf("missing optional field %q, found %q", field, mi.Optional)
+		}
+
+		// Validate VFS if set
+		if vfs != "" {
+			if mi.VfsOpts != "" {
+				for _, opt := range strings.Split(mi.VfsOpts, ",") {
+					opt = clean(opt)
+					if !has(wantedVFS, opt) && opt != "seclabel" { // can be added by selinux
+						t.Errorf("unexpected vfs option %q, expected %q", opt, vfs)
+					}
+					delete(wantedVFS, opt)
+				}
+			}
+			for opt := range wantedVFS {
+				t.Errorf("missing vfs option %q, found %q", opt, mi.VfsOpts)
+			}
+		}
+
+		return
+	}
+
+	t.Errorf("failed to find mount %q", mnt)
+}
+
+// clean strips off any value param after the colon
+func clean(v string) string {
+	return strings.SplitN(v, ":", 2)[0]
+}
+
+// has returns true if key is a member of m
+func has(m map[string]struct{}, key string) bool {
+	_, ok := m[key]
+	return ok
+}
diff --git a/engine/pkg/mount/mounter_unsupported.go b/engine/pkg/mount/mounter_unsupported.go
new file mode 100644
index 00000000..1428dffa
--- /dev/null
+++ b/engine/pkg/mount/mounter_unsupported.go
@@ -0,0 +1,11 @@
+// +build !linux,!freebsd freebsd,!cgo
+
+package mount // import "github.com/docker/docker/pkg/mount"
+
+func mount(device, target, mType string, flag uintptr, data string) error {
+	panic("Not implemented")
+}
+
+func unmount(target string, flag int) error {
+	panic("Not implemented")
+}
diff --git a/engine/pkg/mount/mountinfo.go b/engine/pkg/mount/mountinfo.go
new file mode 100644
index 00000000..ecd03fc0
--- /dev/null
+++ b/engine/pkg/mount/mountinfo.go
@@ -0,0 +1,40 @@
+package mount // import "github.com/docker/docker/pkg/mount"
+
+// Info reveals information about a particular mounted filesystem. This
+// struct is populated from the content in the /proc/<pid>/mountinfo file.
+type Info struct {
+	// ID is a unique identifier of the mount (may be reused after umount).
+	ID int
+
+	// Parent indicates the ID of the mount parent (or of self for the top of the
+	// mount tree).
+	Parent int
+
+	// Major indicates one half of the device ID which identifies the device class.
+	Major int
+
+	// Minor indicates one half of the device ID which identifies a specific
+	// instance of device.
+	Minor int
+
+	// Root of the mount within the filesystem.
+	Root string
+
+	// Mountpoint indicates the mount point relative to the process's root.
+	Mountpoint string
+
+	// Opts represents mount-specific options.
+	Opts string
+
+	// Optional represents optional fields.
+	Optional string
+
+	// Fstype indicates the type of filesystem, such as EXT3.
+	Fstype string
+
+	// Source indicates filesystem specific information or "none".
+	Source string
+
+	// VfsOpts represents per super block options.
+	VfsOpts string
+}
diff --git a/engine/pkg/mount/mountinfo_freebsd.go b/engine/pkg/mount/mountinfo_freebsd.go
new file mode 100644
index 00000000..36c89dc1
--- /dev/null
+++ b/engine/pkg/mount/mountinfo_freebsd.go
@@ -0,0 +1,55 @@
+package mount // import "github.com/docker/docker/pkg/mount"
+
+/*
+#include <sys/param.h>
+#include <sys/ucred.h>
+#include <sys/mount.h>
+*/
+import "C"
+
+import (
+	"fmt"
+	"reflect"
+	"unsafe"
+)
+
+// Parse /proc/self/mountinfo because comparing Dev and ino does not work from
+// bind mounts.
+func parseMountTable(filter FilterFunc) ([]*Info, error) {
+	var rawEntries *C.struct_statfs
+
+	count := int(C.getmntinfo(&rawEntries, C.MNT_WAIT))
+	if count == 0 {
+		return nil, fmt.Errorf("Failed to call getmntinfo")
+	}
+
+	var entries []C.struct_statfs
+	header := (*reflect.SliceHeader)(unsafe.Pointer(&entries))
+	header.Cap = count
+	header.Len = count
+	header.Data = uintptr(unsafe.Pointer(rawEntries))
+
+	var out []*Info
+	for _, entry := range entries {
+		var mountinfo Info
+		var skip, stop bool
+		mountinfo.Mountpoint = C.GoString(&entry.f_mntonname[0])
+
+		if filter != nil {
+			// filter out entries we're not interested in
+			skip, stop = filter(p)
+			if skip {
+				continue
+			}
+		}
+
+		mountinfo.Source = C.GoString(&entry.f_mntfromname[0])
+		mountinfo.Fstype = C.GoString(&entry.f_fstypename[0])
+
+		out = append(out, &mountinfo)
+		if stop {
+			break
+		}
+	}
+	return out, nil
+}
diff --git a/engine/pkg/mount/mountinfo_linux.go b/engine/pkg/mount/mountinfo_linux.go
new file mode 100644
index 00000000..c1dba01f
--- /dev/null
+++ b/engine/pkg/mount/mountinfo_linux.go
@@ -0,0 +1,132 @@
+package mount // import "github.com/docker/docker/pkg/mount"
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os"
+	"strconv"
+	"strings"
+)
+
+func parseInfoFile(r io.Reader, filter FilterFunc) ([]*Info, error) {
+	s := bufio.NewScanner(r)
+	out := []*Info{}
+	for s.Scan() {
+		if err := s.Err(); err != nil {
+			return nil, err
+		}
+		/*
+		   36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue
+		   (1)(2)(3)   (4)   (5)      (6)      (7)   (8) (9)   (10)         (11)
+
+		   (1) mount ID:  unique identifier of the mount (may be reused after umount)
+		   (2) parent ID:  ID of parent (or of self for the top of the mount tree)
+		   (3) major:minor:  value of st_dev for files on filesystem
+		   (4) root:  root of the mount within the filesystem
+		   (5) mount point:  mount point relative to the process's root
+		   (6) mount options:  per mount options
+		   (7) optional fields:  zero or more fields of the form "tag[:value]"
+		   (8) separator:  marks the end of the optional fields
+		   (9) filesystem type:  name of filesystem of the form "type[.subtype]"
+		   (10) mount source:  filesystem specific information or "none"
+		   (11) super options:  per super block options
+		*/
+
+		text := s.Text()
+		fields := strings.Split(text, " ")
+		numFields := len(fields)
+		if numFields < 10 {
+			// should be at least 10 fields
+			return nil, fmt.Errorf("Parsing '%s' failed: not enough fields (%d)", text, numFields)
+		}
+
+		p := &Info{}
+		// ignore any numbers parsing errors, as there should not be any
+		p.ID, _ = strconv.Atoi(fields[0])
+		p.Parent, _ = strconv.Atoi(fields[1])
+		mm := strings.Split(fields[2], ":")
+		if len(mm) != 2 {
+			return nil, fmt.Errorf("Parsing '%s' failed: unexpected minor:major pair %s", text, mm)
+		}
+		p.Major, _ = strconv.Atoi(mm[0])
+		p.Minor, _ = strconv.Atoi(mm[1])
+
+		p.Root = fields[3]
+		p.Mountpoint = fields[4]
+		p.Opts = fields[5]
+
+		var skip, stop bool
+		if filter != nil {
+			// filter out entries we're not interested in
+			skip, stop = filter(p)
+			if skip {
+				continue
+			}
+		}
+
+		// one or more optional fields, when a separator (-)
+		i := 6
+		for ; i < numFields && fields[i] != "-"; i++ {
+			switch i {
+			case 6:
+				p.Optional = fields[6]
+			default:
+				/* NOTE there might be more optional fields before the such as
+				   fields[7]...fields[N] (where N < sepIndex), although
+				   as of Linux kernel 4.15 the only known ones are
+				   mount propagation flags in fields[6]. The correct
+				   behavior is to ignore any unknown optional fields.
+				*/
+				break
+			}
+		}
+		if i == numFields {
+			return nil, fmt.Errorf("Parsing '%s' failed: missing separator ('-')", text)
+		}
+
+		// There should be 3 fields after the separator...
+		if i+4 > numFields {
+			return nil, fmt.Errorf("Parsing '%s' failed: not enough fields after a separator", text)
+		}
+		// ... but in Linux <= 3.9 mounting a cifs with spaces in a share name
+		// (like "//serv/My Documents") _may_ end up having a space in the last field
+		// of mountinfo (like "unc=//serv/My Documents"). Since kernel 3.10-rc1, cifs
+		// option unc= is ignored,  so a space should not appear. In here we ignore
+		// those "extra" fields caused by extra spaces.
+		p.Fstype = fields[i+1]
+		p.Source = fields[i+2]
+		p.VfsOpts = fields[i+3]
+
+		out = append(out, p)
+		if stop {
+			break
+		}
+	}
+	return out, nil
+}
+
+// Parse /proc/self/mountinfo because comparing Dev and ino does not work from
+// bind mounts
+func parseMountTable(filter FilterFunc) ([]*Info, error) {
+	f, err := os.Open("/proc/self/mountinfo")
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	return parseInfoFile(f, filter)
+}
+
+// PidMountInfo collects the mounts for a specific process ID. If the process
+// ID is unknown, it is better to use `GetMounts` which will inspect
+// "/proc/self/mountinfo" instead.
+func PidMountInfo(pid int) ([]*Info, error) {
+	f, err := os.Open(fmt.Sprintf("/proc/%d/mountinfo", pid))
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	return parseInfoFile(f, nil)
+}
diff --git a/engine/pkg/mount/mountinfo_linux_test.go b/engine/pkg/mount/mountinfo_linux_test.go
new file mode 100644
index 00000000..64411cca
--- /dev/null
+++ b/engine/pkg/mount/mountinfo_linux_test.go
@@ -0,0 +1,508 @@
+// +build linux
+
+package mount // import "github.com/docker/docker/pkg/mount"
+
+import (
+	"bytes"
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+const (
+	fedoraMountinfo = `15 35 0:3 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
+16 35 0:14 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
+17 35 0:5 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=8056484k,nr_inodes=2014121,mode=755
+18 16 0:15 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
+19 16 0:13 / /sys/fs/selinux rw,relatime shared:8 - selinuxfs selinuxfs rw
+20 17 0:16 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,seclabel
+21 17 0:10 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
+22 35 0:17 / /run rw,nosuid,nodev shared:21 - tmpfs tmpfs rw,seclabel,mode=755
+23 16 0:18 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:9 - tmpfs tmpfs rw,seclabel,mode=755
+24 23 0:19 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
+25 16 0:20 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:20 - pstore pstore rw
+26 23 0:21 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,cpuset,clone_children
+27 23 0:22 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,cpuacct,cpu,clone_children
+28 23 0:23 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory,clone_children
+29 23 0:24 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,devices,clone_children
+30 23 0:25 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,freezer,clone_children
+31 23 0:26 / /sys/fs/cgroup/net_cls rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,net_cls,clone_children
+32 23 0:27 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,blkio,clone_children
+33 23 0:28 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,perf_event,clone_children
+34 23 0:29 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:19 - cgroup cgroup rw,hugetlb,clone_children
+35 1 253:2 / / rw,relatime shared:1 - ext4 /dev/mapper/ssd-root--f20 rw,seclabel,data=ordered
+36 15 0:30 / /proc/sys/fs/binfmt_misc rw,relatime shared:22 - autofs systemd-1 rw,fd=38,pgrp=1,timeout=300,minproto=5,maxproto=5,direct
+37 17 0:12 / /dev/mqueue rw,relatime shared:23 - mqueue mqueue rw,seclabel
+38 35 0:31 / /tmp rw shared:24 - tmpfs tmpfs rw,seclabel
+39 17 0:32 / /dev/hugepages rw,relatime shared:25 - hugetlbfs hugetlbfs rw,seclabel
+40 16 0:7 / /sys/kernel/debug rw,relatime shared:26 - debugfs debugfs rw
+41 16 0:33 / /sys/kernel/config rw,relatime shared:27 - configfs configfs rw
+42 35 0:34 / /var/lib/nfs/rpc_pipefs rw,relatime shared:28 - rpc_pipefs sunrpc rw
+43 15 0:35 / /proc/fs/nfsd rw,relatime shared:29 - nfsd sunrpc rw
+45 35 8:17 / /boot rw,relatime shared:30 - ext4 /dev/sdb1 rw,seclabel,data=ordered
+46 35 253:4 / /home rw,relatime shared:31 - ext4 /dev/mapper/ssd-home rw,seclabel,data=ordered
+47 35 253:5 / /var/lib/libvirt/images rw,noatime,nodiratime shared:32 - ext4 /dev/mapper/ssd-virt rw,seclabel,discard,data=ordered
+48 35 253:12 / /mnt/old rw,relatime shared:33 - ext4 /dev/mapper/HelpDeskRHEL6-FedoraRoot rw,seclabel,data=ordered
+121 22 0:36 / /run/user/1000/gvfs rw,nosuid,nodev,relatime shared:104 - fuse.gvfsd-fuse gvfsd-fuse rw,user_id=1000,group_id=1000
+124 16 0:37 / /sys/fs/fuse/connections rw,relatime shared:107 - fusectl fusectl rw
+165 38 253:3 / /tmp/mnt rw,relatime shared:147 - ext4 /dev/mapper/ssd-root rw,seclabel,data=ordered
+167 35 253:15 / /var/lib/docker/devicemapper/mnt/aae4076022f0e2b80a2afbf8fc6df450c52080191fcef7fb679a73e6f073e5c2 rw,relatime shared:149 - ext4 /dev/mapper/docker-253:2-425882-aae4076022f0e2b80a2afbf8fc6df450c52080191fcef7fb679a73e6f073e5c2 rw,seclabel,discard,stripe=16,data=ordered
+171 35 253:16 / /var/lib/docker/devicemapper/mnt/c71be651f114db95180e472f7871b74fa597ee70a58ccc35cb87139ddea15373 rw,relatime shared:153 - ext4 /dev/mapper/docker-253:2-425882-c71be651f114db95180e472f7871b74fa597ee70a58ccc35cb87139ddea15373 rw,seclabel,discard,stripe=16,data=ordered
+175 35 253:17 / /var/lib/docker/devicemapper/mnt/1bac6ab72862d2d5626560df6197cf12036b82e258c53d981fa29adce6f06c3c rw,relatime shared:157 - ext4 /dev/mapper/docker-253:2-425882-1bac6ab72862d2d5626560df6197cf12036b82e258c53d981fa29adce6f06c3c rw,seclabel,discard,stripe=16,data=ordered
+179 35 253:18 / /var/lib/docker/devicemapper/mnt/d710a357d77158e80d5b2c55710ae07c94e76d34d21ee7bae65ce5418f739b09 rw,relatime shared:161 - ext4 /dev/mapper/docker-253:2-425882-d710a357d77158e80d5b2c55710ae07c94e76d34d21ee7bae65ce5418f739b09 rw,seclabel,discard,stripe=16,data=ordered
+183 35 253:19 / /var/lib/docker/devicemapper/mnt/6479f52366114d5f518db6837254baab48fab39f2ac38d5099250e9a6ceae6c7 rw,relatime shared:165 - ext4 /dev/mapper/docker-253:2-425882-6479f52366114d5f518db6837254baab48fab39f2ac38d5099250e9a6ceae6c7 rw,seclabel,discard,stripe=16,data=ordered
+187 35 253:20 / /var/lib/docker/devicemapper/mnt/8d9df91c4cca5aef49eeb2725292aab324646f723a7feab56be34c2ad08268e1 rw,relatime shared:169 - ext4 /dev/mapper/docker-253:2-425882-8d9df91c4cca5aef49eeb2725292aab324646f723a7feab56be34c2ad08268e1 rw,seclabel,discard,stripe=16,data=ordered
+191 35 253:21 / /var/lib/docker/devicemapper/mnt/c8240b768603d32e920d365dc9d1dc2a6af46cd23e7ae819947f969e1b4ec661 rw,relatime shared:173 - ext4 /dev/mapper/docker-253:2-425882-c8240b768603d32e920d365dc9d1dc2a6af46cd23e7ae819947f969e1b4ec661 rw,seclabel,discard,stripe=16,data=ordered
+195 35 253:22 / /var/lib/docker/devicemapper/mnt/2eb3a01278380bbf3ed12d86ac629eaa70a4351301ee307a5cabe7b5f3b1615f rw,relatime shared:177 - ext4 /dev/mapper/docker-253:2-425882-2eb3a01278380bbf3ed12d86ac629eaa70a4351301ee307a5cabe7b5f3b1615f rw,seclabel,discard,stripe=16,data=ordered
+199 35 253:23 / /var/lib/docker/devicemapper/mnt/37a17fb7c9d9b80821235d5f2662879bd3483915f245f9b49cdaa0e38779b70b rw,relatime shared:181 - ext4 /dev/mapper/docker-253:2-425882-37a17fb7c9d9b80821235d5f2662879bd3483915f245f9b49cdaa0e38779b70b rw,seclabel,discard,stripe=16,data=ordered
+203 35 253:24 / /var/lib/docker/devicemapper/mnt/aea459ae930bf1de913e2f29428fd80ee678a1e962d4080019d9f9774331ee2b rw,relatime shared:185 - ext4 /dev/mapper/docker-253:2-425882-aea459ae930bf1de913e2f29428fd80ee678a1e962d4080019d9f9774331ee2b rw,seclabel,discard,stripe=16,data=ordered
+207 35 253:25 / /var/lib/docker/devicemapper/mnt/928ead0bc06c454bd9f269e8585aeae0a6bd697f46dc8754c2a91309bc810882 rw,relatime shared:189 - ext4 /dev/mapper/docker-253:2-425882-928ead0bc06c454bd9f269e8585aeae0a6bd697f46dc8754c2a91309bc810882 rw,seclabel,discard,stripe=16,data=ordered
+211 35 253:26 / /var/lib/docker/devicemapper/mnt/0f284d18481d671644706e7a7244cbcf63d590d634cc882cb8721821929d0420 rw,relatime shared:193 - ext4 /dev/mapper/docker-253:2-425882-0f284d18481d671644706e7a7244cbcf63d590d634cc882cb8721821929d0420 rw,seclabel,discard,stripe=16,data=ordered
+215 35 253:27 / /var/lib/docker/devicemapper/mnt/d9dd16722ab34c38db2733e23f69e8f4803ce59658250dd63e98adff95d04919 rw,relatime shared:197 - ext4 /dev/mapper/docker-253:2-425882-d9dd16722ab34c38db2733e23f69e8f4803ce59658250dd63e98adff95d04919 rw,seclabel,discard,stripe=16,data=ordered
+219 35 253:28 / /var/lib/docker/devicemapper/mnt/bc4500479f18c2c08c21ad5282e5f826a016a386177d9874c2764751c031d634 rw,relatime shared:201 - ext4 /dev/mapper/docker-253:2-425882-bc4500479f18c2c08c21ad5282e5f826a016a386177d9874c2764751c031d634 rw,seclabel,discard,stripe=16,data=ordered
+223 35 253:29 / /var/lib/docker/devicemapper/mnt/7770c8b24eb3d5cc159a065910076938910d307ab2f5d94e1dc3b24c06ee2c8a rw,relatime shared:205 - ext4 /dev/mapper/docker-253:2-425882-7770c8b24eb3d5cc159a065910076938910d307ab2f5d94e1dc3b24c06ee2c8a rw,seclabel,discard,stripe=16,data=ordered
+227 35 253:30 / /var/lib/docker/devicemapper/mnt/c280cd3d0bf0aa36b478b292279671624cceafc1a67eaa920fa1082601297adf rw,relatime shared:209 - ext4 /dev/mapper/docker-253:2-425882-c280cd3d0bf0aa36b478b292279671624cceafc1a67eaa920fa1082601297adf rw,seclabel,discard,stripe=16,data=ordered
+231 35 253:31 / /var/lib/docker/devicemapper/mnt/8b59a7d9340279f09fea67fd6ad89ddef711e9e7050eb647984f8b5ef006335f rw,relatime shared:213 - ext4 /dev/mapper/docker-253:2-425882-8b59a7d9340279f09fea67fd6ad89ddef711e9e7050eb647984f8b5ef006335f rw,seclabel,discard,stripe=16,data=ordered
+235 35 253:32 / /var/lib/docker/devicemapper/mnt/1a28059f29eda821578b1bb27a60cc71f76f846a551abefabce6efd0146dce9f rw,relatime shared:217 - ext4 /dev/mapper/docker-253:2-425882-1a28059f29eda821578b1bb27a60cc71f76f846a551abefabce6efd0146dce9f rw,seclabel,discard,stripe=16,data=ordered
+239 35 253:33 / /var/lib/docker/devicemapper/mnt/e9aa60c60128cad1 rw,relatime shared:221 - ext4 /dev/mapper/docker-253:2-425882-e9aa60c60128cad1 rw,seclabel,discard,stripe=16,data=ordered
+243 35 253:34 / /var/lib/docker/devicemapper/mnt/5fec11304b6f4713fea7b6ccdcc1adc0a1966187f590fe25a8227428a8df275d-init rw,relatime shared:225 - ext4 /dev/mapper/docker-253:2-425882-5fec11304b6f4713fea7b6ccdcc1adc0a1966187f590fe25a8227428a8df275d-init rw,seclabel,discard,stripe=16,data=ordered
+247 35 253:35 / /var/lib/docker/devicemapper/mnt/5fec11304b6f4713fea7b6ccdcc1adc0a1966187f590fe25a8227428a8df275d rw,relatime shared:229 - ext4 /dev/mapper/docker-253:2-425882-5fec11304b6f4713fea7b6ccdcc1adc0a1966187f590fe25a8227428a8df275d rw,seclabel,discard,stripe=16,data=ordered
+31 21 0:23 / /DATA/foo_bla_bla rw,relatime - cifs //foo/BLA\040BLA\040BLA/ rw,sec=ntlm,cache=loose,unc=\\foo\BLA BLA BLA,username=my_login,domain=mydomain.com,uid=12345678,forceuid,gid=12345678,forcegid,addr=10.1.30.10,file_mode=0755,dir_mode=0755,nounix,rsize=61440,wsize=65536,actimeo=1`
+
+	ubuntuMountInfo = `15 20 0:14 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
+16 20 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
+17 20 0:5 / /dev rw,relatime - devtmpfs udev rw,size=1015140k,nr_inodes=253785,mode=755
+18 17 0:11 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
+19 20 0:15 / /run rw,nosuid,noexec,relatime - tmpfs tmpfs rw,size=205044k,mode=755
+20 1 253:0 / / rw,relatime - ext4 /dev/disk/by-label/DOROOT rw,errors=remount-ro,data=ordered
+21 15 0:16 / /sys/fs/cgroup rw,relatime - tmpfs none rw,size=4k,mode=755
+22 15 0:17 / /sys/fs/fuse/connections rw,relatime - fusectl none rw
+23 15 0:6 / /sys/kernel/debug rw,relatime - debugfs none rw
+24 15 0:10 / /sys/kernel/security rw,relatime - securityfs none rw
+25 19 0:18 / /run/lock rw,nosuid,nodev,noexec,relatime - tmpfs none rw,size=5120k
+26 21 0:19 / /sys/fs/cgroup/cpuset rw,relatime - cgroup cgroup rw,cpuset,clone_children
+27 19 0:20 / /run/shm rw,nosuid,nodev,relatime - tmpfs none rw
+28 21 0:21 / /sys/fs/cgroup/cpu rw,relatime - cgroup cgroup rw,cpu
+29 19 0:22 / /run/user rw,nosuid,nodev,noexec,relatime - tmpfs none rw,size=102400k,mode=755
+30 15 0:23 / /sys/fs/pstore rw,relatime - pstore none rw
+31 21 0:24 / /sys/fs/cgroup/cpuacct rw,relatime - cgroup cgroup rw,cpuacct
+32 21 0:25 / /sys/fs/cgroup/memory rw,relatime - cgroup cgroup rw,memory
+33 21 0:26 / /sys/fs/cgroup/devices rw,relatime - cgroup cgroup rw,devices
+34 21 0:27 / /sys/fs/cgroup/freezer rw,relatime - cgroup cgroup rw,freezer
+35 21 0:28 / /sys/fs/cgroup/blkio rw,relatime - cgroup cgroup rw,blkio
+36 21 0:29 / /sys/fs/cgroup/perf_event rw,relatime - cgroup cgroup rw,perf_event
+37 21 0:30 / /sys/fs/cgroup/hugetlb rw,relatime - cgroup cgroup rw,hugetlb
+38 21 0:31 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime - cgroup systemd rw,name=systemd
+39 20 0:32 / /var/lib/docker/aufs/mnt/b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc rw,relatime - aufs none rw,si=caafa54fdc06525
+40 20 0:33 / /var/lib/docker/aufs/mnt/2eed44ac7ce7c75af04f088ed6cb4ce9d164801e91d78c6db65d7ef6d572bba8-init rw,relatime - aufs none rw,si=caafa54f882b525
+41 20 0:34 / /var/lib/docker/aufs/mnt/2eed44ac7ce7c75af04f088ed6cb4ce9d164801e91d78c6db65d7ef6d572bba8 rw,relatime - aufs none rw,si=caafa54f8829525
+42 20 0:35 / /var/lib/docker/aufs/mnt/16f4d7e96dd612903f425bfe856762f291ff2e36a8ecd55a2209b7d7cd81c30b rw,relatime - aufs none rw,si=caafa54f882d525
+43 20 0:36 / /var/lib/docker/aufs/mnt/63ca08b75d7438a9469a5954e003f48ffede73541f6286ce1cb4d7dd4811da7e-init rw,relatime - aufs none rw,si=caafa54f882f525
+44 20 0:37 / /var/lib/docker/aufs/mnt/63ca08b75d7438a9469a5954e003f48ffede73541f6286ce1cb4d7dd4811da7e rw,relatime - aufs none rw,si=caafa54f88ba525
+45 20 0:38 / /var/lib/docker/aufs/mnt/283f35a910233c756409313be71ecd8fcfef0df57108b8d740b61b3e88860452 rw,relatime - aufs none rw,si=caafa54f88b8525
+46 20 0:39 / /var/lib/docker/aufs/mnt/2c6c7253d4090faa3886871fb21bd660609daeb0206588c0602007f7d0f254b1-init rw,relatime - aufs none rw,si=caafa54f88be525
+47 20 0:40 / /var/lib/docker/aufs/mnt/2c6c7253d4090faa3886871fb21bd660609daeb0206588c0602007f7d0f254b1 rw,relatime - aufs none rw,si=caafa54f882c525
+48 20 0:41 / /var/lib/docker/aufs/mnt/de2b538c97d6366cc80e8658547c923ea1d042f85580df379846f36a4df7049d rw,relatime - aufs none rw,si=caafa54f85bb525
+49 20 0:42 / /var/lib/docker/aufs/mnt/94a3d8ed7c27e5b0aa71eba46c736bfb2742afda038e74f2dd6035fb28415b49-init rw,relatime - aufs none rw,si=caafa54fdc00525
+50 20 0:43 / /var/lib/docker/aufs/mnt/94a3d8ed7c27e5b0aa71eba46c736bfb2742afda038e74f2dd6035fb28415b49 rw,relatime - aufs none rw,si=caafa54fbaec525
+51 20 0:44 / /var/lib/docker/aufs/mnt/6ac1cace985c9fc9bea32234de8b36dba49bdd5e29a2972b327ff939d78a6274 rw,relatime - aufs none rw,si=caafa54f8e1a525
+52 20 0:45 / /var/lib/docker/aufs/mnt/dff147033e3a0ef061e1de1ad34256b523d4a8c1fa6bba71a0ab538e8628ff0b-init rw,relatime - aufs none rw,si=caafa54f8e1d525
+53 20 0:46 / /var/lib/docker/aufs/mnt/dff147033e3a0ef061e1de1ad34256b523d4a8c1fa6bba71a0ab538e8628ff0b rw,relatime - aufs none rw,si=caafa54f8e1b525
+54 20 0:47 / /var/lib/docker/aufs/mnt/cabb117d997f0f93519185aea58389a9762770b7496ed0b74a3e4a083fa45902 rw,relatime - aufs none rw,si=caafa54f810a525
+55 20 0:48 / /var/lib/docker/aufs/mnt/e1c8a94ffaa9d532bbbdc6ef771ce8a6c2c06757806ecaf8b68e9108fec65f33-init rw,relatime - aufs none rw,si=caafa54f8529525
+56 20 0:49 / /var/lib/docker/aufs/mnt/e1c8a94ffaa9d532bbbdc6ef771ce8a6c2c06757806ecaf8b68e9108fec65f33 rw,relatime - aufs none rw,si=caafa54f852f525
+57 20 0:50 / /var/lib/docker/aufs/mnt/16a1526fa445b84ce84f89506d219e87fa488a814063baf045d88b02f21166b3 rw,relatime - aufs none rw,si=caafa54f9e1d525
+58 20 0:51 / /var/lib/docker/aufs/mnt/57b9c92e1e368fa7dbe5079f7462e917777829caae732828b003c355fe49da9f-init rw,relatime - aufs none rw,si=caafa54f854d525
+59 20 0:52 / /var/lib/docker/aufs/mnt/57b9c92e1e368fa7dbe5079f7462e917777829caae732828b003c355fe49da9f rw,relatime - aufs none rw,si=caafa54f854e525
+60 20 0:53 / /var/lib/docker/aufs/mnt/e370c3e286bea027917baa0e4d251262681a472a87056e880dfd0513516dffd9 rw,relatime - aufs none rw,si=caafa54f840a525
+61 20 0:54 / /var/lib/docker/aufs/mnt/6b00d3b4f32b41997ec07412b5e18204f82fbe643e7122251cdeb3582abd424e-init rw,relatime - aufs none rw,si=caafa54f8408525
+62 20 0:55 / /var/lib/docker/aufs/mnt/6b00d3b4f32b41997ec07412b5e18204f82fbe643e7122251cdeb3582abd424e rw,relatime - aufs none rw,si=caafa54f8409525
+63 20 0:56 / /var/lib/docker/aufs/mnt/abd0b5ea5d355a67f911475e271924a5388ee60c27185fcd60d095afc4a09dc7 rw,relatime - aufs none rw,si=caafa54f9eb1525
+64 20 0:57 / /var/lib/docker/aufs/mnt/336222effc3f7b89867bb39ff7792ae5412c35c749f127c29159d046b6feedd2-init rw,relatime - aufs none rw,si=caafa54f85bf525
+65 20 0:58 / /var/lib/docker/aufs/mnt/336222effc3f7b89867bb39ff7792ae5412c35c749f127c29159d046b6feedd2 rw,relatime - aufs none rw,si=caafa54f85b8525
+66 20 0:59 / /var/lib/docker/aufs/mnt/912e1bf28b80a09644503924a8a1a4fb8ed10b808ca847bda27a369919aa52fa rw,relatime - aufs none rw,si=caafa54fbaea525
+67 20 0:60 / /var/lib/docker/aufs/mnt/386f722875013b4a875118367abc783fc6617a3cb7cf08b2b4dcf550b4b9c576-init rw,relatime - aufs none rw,si=caafa54f8472525
+68 20 0:61 / /var/lib/docker/aufs/mnt/386f722875013b4a875118367abc783fc6617a3cb7cf08b2b4dcf550b4b9c576 rw,relatime - aufs none rw,si=caafa54f8474525
+69 20 0:62 / /var/lib/docker/aufs/mnt/5aaebb79ef3097dfca377889aeb61a0c9d5e3795117d2b08d0751473c671dfb2 rw,relatime - aufs none rw,si=caafa54f8c5e525
+70 20 0:63 / /var/lib/docker/aufs/mnt/5ba3e493279d01277d583600b81c7c079e691b73c3a2bdea8e4b12a35a418be2-init rw,relatime - aufs none rw,si=caafa54f8c3b525
+71 20 0:64 / /var/lib/docker/aufs/mnt/5ba3e493279d01277d583600b81c7c079e691b73c3a2bdea8e4b12a35a418be2 rw,relatime - aufs none rw,si=caafa54f8c3d525
+72 20 0:65 / /var/lib/docker/aufs/mnt/2777f0763da4de93f8bebbe1595cc77f739806a158657b033eca06f827b6028a rw,relatime - aufs none rw,si=caafa54f8c3e525
+73 20 0:66 / /var/lib/docker/aufs/mnt/5d7445562acf73c6f0ae34c3dd0921d7457de1ba92a587d9e06a44fa209eeb3e-init rw,relatime - aufs none rw,si=caafa54f8c39525
+74 20 0:67 / /var/lib/docker/aufs/mnt/5d7445562acf73c6f0ae34c3dd0921d7457de1ba92a587d9e06a44fa209eeb3e rw,relatime - aufs none rw,si=caafa54f854f525
+75 20 0:68 / /var/lib/docker/aufs/mnt/06400b526ec18b66639c96efc41a84f4ae0b117cb28dafd56be420651b4084a0 rw,relatime - aufs none rw,si=caafa54f840b525
+76 20 0:69 / /var/lib/docker/aufs/mnt/e051d45ec42d8e3e1cc57bb39871a40de486dc123522e9c067fbf2ca6a357785-init rw,relatime - aufs none rw,si=caafa54fdddf525
+77 20 0:70 / /var/lib/docker/aufs/mnt/e051d45ec42d8e3e1cc57bb39871a40de486dc123522e9c067fbf2ca6a357785 rw,relatime - aufs none rw,si=caafa54f854b525
+78 20 0:71 / /var/lib/docker/aufs/mnt/1ff414fa93fd61ec81b0ab7b365a841ff6545accae03cceac702833aaeaf718f rw,relatime - aufs none rw,si=caafa54f8d85525
+79 20 0:72 / /var/lib/docker/aufs/mnt/c661b2f871dd5360e46a2aebf8f970f6d39a2ff64e06979aa0361227c88128b8-init rw,relatime - aufs none rw,si=caafa54f8da3525
+80 20 0:73 / /var/lib/docker/aufs/mnt/c661b2f871dd5360e46a2aebf8f970f6d39a2ff64e06979aa0361227c88128b8 rw,relatime - aufs none rw,si=caafa54f8da2525
+81 20 0:74 / /var/lib/docker/aufs/mnt/b68b1d4fe4d30016c552398e78b379a39f651661d8e1fa5f2460c24a5e723420 rw,relatime - aufs none rw,si=caafa54f8d81525
+82 20 0:75 / /var/lib/docker/aufs/mnt/c5c5979c936cd0153a4c626fa9d69ce4fce7d924cc74fa68b025d2f585031739-init rw,relatime - aufs none rw,si=caafa54f8da1525
+83 20 0:76 / /var/lib/docker/aufs/mnt/c5c5979c936cd0153a4c626fa9d69ce4fce7d924cc74fa68b025d2f585031739 rw,relatime - aufs none rw,si=caafa54f8da0525
+84 20 0:77 / /var/lib/docker/aufs/mnt/53e10b0329afc0e0d3322d31efaed4064139dc7027fe6ae445cffd7104bcc94f rw,relatime - aufs none rw,si=caafa54f8c35525
+85 20 0:78 / /var/lib/docker/aufs/mnt/3bfafd09ff2603e2165efacc2215c1f51afabba6c42d04a68cc2df0e8cc31494-init rw,relatime - aufs none rw,si=caafa54f8db8525
+86 20 0:79 / /var/lib/docker/aufs/mnt/3bfafd09ff2603e2165efacc2215c1f51afabba6c42d04a68cc2df0e8cc31494 rw,relatime - aufs none rw,si=caafa54f8dba525
+87 20 0:80 / /var/lib/docker/aufs/mnt/90fdd2c03eeaf65311f88f4200e18aef6d2772482712d9aea01cd793c64781b5 rw,relatime - aufs none rw,si=caafa54f8315525
+88 20 0:81 / /var/lib/docker/aufs/mnt/7bdf2591c06c154ceb23f5e74b1d03b18fbf6fe96e35fbf539b82d446922442f-init rw,relatime - aufs none rw,si=caafa54f8fc6525
+89 20 0:82 / /var/lib/docker/aufs/mnt/7bdf2591c06c154ceb23f5e74b1d03b18fbf6fe96e35fbf539b82d446922442f rw,relatime - aufs none rw,si=caafa54f8468525
+90 20 0:83 / /var/lib/docker/aufs/mnt/8cf9a993f50f3305abad3da268c0fc44ff78a1e7bba595ef9de963497496c3f9 rw,relatime - aufs none rw,si=caafa54f8c59525
+91 20 0:84 / /var/lib/docker/aufs/mnt/ecc896fd74b21840a8d35e8316b92a08b1b9c83d722a12acff847e9f0ff17173-init rw,relatime - aufs none rw,si=caafa54f846a525
+92 20 0:85 / /var/lib/docker/aufs/mnt/ecc896fd74b21840a8d35e8316b92a08b1b9c83d722a12acff847e9f0ff17173 rw,relatime - aufs none rw,si=caafa54f846b525
+93 20 0:86 / /var/lib/docker/aufs/mnt/d8c8288ec920439a48b5796bab5883ee47a019240da65e8d8f33400c31bac5df rw,relatime - aufs none rw,si=caafa54f8dbf525
+94 20 0:87 / /var/lib/docker/aufs/mnt/ecba66710bcd03199b9398e46c005cd6b68d0266ec81dc8b722a29cc417997c6-init rw,relatime - aufs none rw,si=caafa54f810f525
+95 20 0:88 / /var/lib/docker/aufs/mnt/ecba66710bcd03199b9398e46c005cd6b68d0266ec81dc8b722a29cc417997c6 rw,relatime - aufs none rw,si=caafa54fbae9525
+96 20 0:89 / /var/lib/docker/aufs/mnt/befc1c67600df449dddbe796c0d06da7caff1d2bbff64cde1f0ba82d224996b5 rw,relatime - aufs none rw,si=caafa54f8dab525
+97 20 0:90 / /var/lib/docker/aufs/mnt/c9f470e73d2742629cdc4084a1b2c1a8302914f2aa0d0ec4542371df9a050562-init rw,relatime - aufs none rw,si=caafa54fdc02525
+98 20 0:91 / /var/lib/docker/aufs/mnt/c9f470e73d2742629cdc4084a1b2c1a8302914f2aa0d0ec4542371df9a050562 rw,relatime - aufs none rw,si=caafa54f9eb0525
+99 20 0:92 / /var/lib/docker/aufs/mnt/2a31f10029f04ff9d4381167a9b739609853d7220d55a56cb654779a700ee246 rw,relatime - aufs none rw,si=caafa54f8c37525
+100 20 0:93 / /var/lib/docker/aufs/mnt/8c4261b8e3e4b21ebba60389bd64b6261217e7e6b9fd09e201d5a7f6760f6927-init rw,relatime - aufs none rw,si=caafa54fd173525
+101 20 0:94 / /var/lib/docker/aufs/mnt/8c4261b8e3e4b21ebba60389bd64b6261217e7e6b9fd09e201d5a7f6760f6927 rw,relatime - aufs none rw,si=caafa54f8108525
+102 20 0:95 / /var/lib/docker/aufs/mnt/eaa0f57403a3dc685268f91df3fbcd7a8423cee50e1a9ee5c3e1688d9d676bb4 rw,relatime - aufs none rw,si=caafa54f852d525
+103 20 0:96 / /var/lib/docker/aufs/mnt/9cfe69a2cbffd9bfc7f396d4754f6fe5cc457ef417b277797be3762dfe955a6b-init rw,relatime - aufs none rw,si=caafa54f8d80525
+104 20 0:97 / /var/lib/docker/aufs/mnt/9cfe69a2cbffd9bfc7f396d4754f6fe5cc457ef417b277797be3762dfe955a6b rw,relatime - aufs none rw,si=caafa54f8fc3525
+105 20 0:98 / /var/lib/docker/aufs/mnt/d1b322ae17613c6adee84e709641a9244ac56675244a89a64dc0075075fcbb83 rw,relatime - aufs none rw,si=caafa54f8c58525
+106 20 0:99 / /var/lib/docker/aufs/mnt/d46c2a8e9da7e91ab34fd9c192851c246a4e770a46720bda09e55c7554b9dbbd-init rw,relatime - aufs none rw,si=caafa54f8c63525
+107 20 0:100 / /var/lib/docker/aufs/mnt/d46c2a8e9da7e91ab34fd9c192851c246a4e770a46720bda09e55c7554b9dbbd rw,relatime - aufs none rw,si=caafa54f8c67525
+108 20 0:101 / /var/lib/docker/aufs/mnt/bc9d2a264158f83a617a069bf17cbbf2a2ba453db7d3951d9dc63cc1558b1c2b rw,relatime - aufs none rw,si=caafa54f8dbe525
+109 20 0:102 / /var/lib/docker/aufs/mnt/9e6abb8d72bbeb4d5cf24b96018528015ba830ce42b4859965bd482cbd034e99-init rw,relatime - aufs none rw,si=caafa54f9e0d525
+110 20 0:103 / /var/lib/docker/aufs/mnt/9e6abb8d72bbeb4d5cf24b96018528015ba830ce42b4859965bd482cbd034e99 rw,relatime - aufs none rw,si=caafa54f9e1b525
+111 20 0:104 / /var/lib/docker/aufs/mnt/d4dca7b02569c732e740071e1c654d4ad282de5c41edb619af1f0aafa618be26 rw,relatime - aufs none rw,si=caafa54f8dae525
+112 20 0:105 / /var/lib/docker/aufs/mnt/fea63da40fa1c5ffbad430dde0bc64a8fc2edab09a051fff55b673c40a08f6b7-init rw,relatime - aufs none rw,si=caafa54f8c5c525
+113 20 0:106 / /var/lib/docker/aufs/mnt/fea63da40fa1c5ffbad430dde0bc64a8fc2edab09a051fff55b673c40a08f6b7 rw,relatime - aufs none rw,si=caafa54fd172525
+114 20 0:107 / /var/lib/docker/aufs/mnt/e60c57499c0b198a6734f77f660cdbbd950a5b78aa23f470ca4f0cfcc376abef rw,relatime - aufs none rw,si=caafa54909c4525
+115 20 0:108 / /var/lib/docker/aufs/mnt/099c78e7ccd9c8717471bb1bbfff838c0a9913321ba2f214fbeaf92c678e5b35-init rw,relatime - aufs none rw,si=caafa54909c3525
+116 20 0:109 / /var/lib/docker/aufs/mnt/099c78e7ccd9c8717471bb1bbfff838c0a9913321ba2f214fbeaf92c678e5b35 rw,relatime - aufs none rw,si=caafa54909c7525
+117 20 0:110 / /var/lib/docker/aufs/mnt/2997be666d58b9e71469759bcb8bd9608dad0e533a1a7570a896919ba3388825 rw,relatime - aufs none rw,si=caafa54f8557525
+118 20 0:111 / /var/lib/docker/aufs/mnt/730694eff438ef20569df38dfb38a920969d7ff2170cc9aa7cb32a7ed8147a93-init rw,relatime - aufs none rw,si=caafa54c6e88525
+119 20 0:112 / /var/lib/docker/aufs/mnt/730694eff438ef20569df38dfb38a920969d7ff2170cc9aa7cb32a7ed8147a93 rw,relatime - aufs none rw,si=caafa54c6e8e525
+120 20 0:113 / /var/lib/docker/aufs/mnt/a672a1e2f2f051f6e19ed1dfbe80860a2d774174c49f7c476695f5dd1d5b2f67 rw,relatime - aufs none rw,si=caafa54c6e15525
+121 20 0:114 / /var/lib/docker/aufs/mnt/aba3570e17859f76cf29d282d0d150659c6bd80780fdc52a465ba05245c2a420-init rw,relatime - aufs none rw,si=caafa54f8dad525
+122 20 0:115 / /var/lib/docker/aufs/mnt/aba3570e17859f76cf29d282d0d150659c6bd80780fdc52a465ba05245c2a420 rw,relatime - aufs none rw,si=caafa54f8d84525
+123 20 0:116 / /var/lib/docker/aufs/mnt/2abc86007aca46fb4a817a033e2a05ccacae40b78ea4b03f8ea616b9ada40e2e rw,relatime - aufs none rw,si=caafa54c6e8b525
+124 20 0:117 / /var/lib/docker/aufs/mnt/36352f27f7878e648367a135bd1ec3ed497adcb8ac13577ee892a0bd921d2374-init rw,relatime - aufs none rw,si=caafa54c6e8d525
+125 20 0:118 / /var/lib/docker/aufs/mnt/36352f27f7878e648367a135bd1ec3ed497adcb8ac13577ee892a0bd921d2374 rw,relatime - aufs none rw,si=caafa54f8c34525
+126 20 0:119 / /var/lib/docker/aufs/mnt/2f95ca1a629cea8363b829faa727dd52896d5561f2c96ddee4f697ea2fc872c2 rw,relatime - aufs none rw,si=caafa54c6e8a525
+127 20 0:120 / /var/lib/docker/aufs/mnt/f108c8291654f179ef143a3e07de2b5a34adbc0b28194a0ab17742b6db9a7fb2-init rw,relatime - aufs none rw,si=caafa54f8e19525
+128 20 0:121 / /var/lib/docker/aufs/mnt/f108c8291654f179ef143a3e07de2b5a34adbc0b28194a0ab17742b6db9a7fb2 rw,relatime - aufs none rw,si=caafa54fa8c6525
+129 20 0:122 / /var/lib/docker/aufs/mnt/c1d04dfdf8cccb3676d5a91e84e9b0781ce40623d127d038bcfbe4c761b27401 rw,relatime - aufs none rw,si=caafa54f8c30525
+130 20 0:123 / /var/lib/docker/aufs/mnt/3f4898ffd0e1239aeebf1d1412590cdb7254207fa3883663e2c40cf772e5f05a-init rw,relatime - aufs none rw,si=caafa54c6e1a525
+131 20 0:124 / /var/lib/docker/aufs/mnt/3f4898ffd0e1239aeebf1d1412590cdb7254207fa3883663e2c40cf772e5f05a rw,relatime - aufs none rw,si=caafa54c6e1c525
+132 20 0:125 / /var/lib/docker/aufs/mnt/5ae3b6fccb1539fc02d420e86f3e9637bef5b711fed2ca31a2f426c8f5deddbf rw,relatime - aufs none rw,si=caafa54c4fea525
+133 20 0:126 / /var/lib/docker/aufs/mnt/310bfaf80d57020f2e73b06aeffb0b9b0ca2f54895f88bf5e4d1529ccac58fe0-init rw,relatime - aufs none rw,si=caafa54c6e1e525
+134 20 0:127 / /var/lib/docker/aufs/mnt/310bfaf80d57020f2e73b06aeffb0b9b0ca2f54895f88bf5e4d1529ccac58fe0 rw,relatime - aufs none rw,si=caafa54fa8c0525
+135 20 0:128 / /var/lib/docker/aufs/mnt/f382bd5aaccaf2d04a59089ac7cb12ec87efd769fd0c14d623358fbfd2a3f896 rw,relatime - aufs none rw,si=caafa54c4fec525
+136 20 0:129 / /var/lib/docker/aufs/mnt/50d45e9bb2d779bc6362824085564c7578c231af5ae3b3da116acf7e17d00735-init rw,relatime - aufs none rw,si=caafa54c4fef525
+137 20 0:130 / /var/lib/docker/aufs/mnt/50d45e9bb2d779bc6362824085564c7578c231af5ae3b3da116acf7e17d00735 rw,relatime - aufs none rw,si=caafa54c4feb525
+138 20 0:131 / /var/lib/docker/aufs/mnt/a9c5ee0854dc083b6bf62b7eb1e5291aefbb10702289a446471ce73aba0d5d7d rw,relatime - aufs none rw,si=caafa54909c6525
+139 20 0:134 / /var/lib/docker/aufs/mnt/03a613e7bd5078819d1fd92df4e671c0127559a5e0b5a885cc8d5616875162f0-init rw,relatime - aufs none rw,si=caafa54804fe525
+140 20 0:135 / /var/lib/docker/aufs/mnt/03a613e7bd5078819d1fd92df4e671c0127559a5e0b5a885cc8d5616875162f0 rw,relatime - aufs none rw,si=caafa54804fa525
+141 20 0:136 / /var/lib/docker/aufs/mnt/7ec3277e5c04c907051caf9c9c35889f5fcd6463e5485971b25404566830bb70 rw,relatime - aufs none rw,si=caafa54804f9525
+142 20 0:139 / /var/lib/docker/aufs/mnt/26b5b5d71d79a5b2bfcf8bc4b2280ee829f261eb886745dd90997ed410f7e8b8-init rw,relatime - aufs none rw,si=caafa54c6ef6525
+143 20 0:140 / /var/lib/docker/aufs/mnt/26b5b5d71d79a5b2bfcf8bc4b2280ee829f261eb886745dd90997ed410f7e8b8 rw,relatime - aufs none rw,si=caafa54c6ef5525
+144 20 0:356 / /var/lib/docker/aufs/mnt/e6ecde9e2c18cd3c75f424c67b6d89685cfee0fc67abf2cb6bdc0867eb998026 rw,relatime - aufs none rw,si=caafa548068e525`
+
+	gentooMountinfo = `15 1 8:6 / / rw,noatime,nodiratime - ext4 /dev/sda6 rw,data=ordered
+16 15 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
+17 15 0:14 / /run rw,nosuid,nodev,relatime - tmpfs tmpfs rw,size=3292172k,mode=755
+18 15 0:5 / /dev rw,nosuid,relatime - devtmpfs udev rw,size=10240k,nr_inodes=4106451,mode=755
+19 18 0:12 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
+20 18 0:10 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
+21 18 0:15 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw
+22 15 0:16 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
+23 22 0:7 / /sys/kernel/debug rw,nosuid,nodev,noexec,relatime - debugfs debugfs rw
+24 22 0:17 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs cgroup_root rw,size=10240k,mode=755
+25 24 0:18 / /sys/fs/cgroup/openrc rw,nosuid,nodev,noexec,relatime - cgroup openrc rw,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc
+26 24 0:19 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime - cgroup cpuset rw,cpuset,clone_children
+27 24 0:20 / /sys/fs/cgroup/cpu rw,nosuid,nodev,noexec,relatime - cgroup cpu rw,cpu,clone_children
+28 24 0:21 / /sys/fs/cgroup/cpuacct rw,nosuid,nodev,noexec,relatime - cgroup cpuacct rw,cpuacct,clone_children
+29 24 0:22 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime - cgroup memory rw,memory,clone_children
+30 24 0:23 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime - cgroup devices rw,devices,clone_children
+31 24 0:24 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime - cgroup freezer rw,freezer,clone_children
+32 24 0:25 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime - cgroup blkio rw,blkio,clone_children
+33 15 8:1 / /boot rw,noatime,nodiratime - vfat /dev/sda1 rw,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro
+34 15 8:18 / /mnt/xfs rw,noatime,nodiratime - xfs /dev/sdb2 rw,attr2,inode64,noquota
+35 15 0:26 / /tmp rw,relatime - tmpfs tmpfs rw
+36 16 0:27 / /proc/sys/fs/binfmt_misc rw,nosuid,nodev,noexec,relatime - binfmt_misc binfmt_misc rw
+42 15 0:33 / /var/lib/nfs/rpc_pipefs rw,relatime - rpc_pipefs rpc_pipefs rw
+43 16 0:34 / /proc/fs/nfsd rw,nosuid,nodev,noexec,relatime - nfsd nfsd rw
+44 15 0:35 / /home/tianon/.gvfs rw,nosuid,nodev,relatime - fuse.gvfs-fuse-daemon gvfs-fuse-daemon rw,user_id=1000,group_id=1000
+68 15 0:3336 / /var/lib/docker/aufs/mnt/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd rw,relatime - aufs none rw,si=9b4a7640128db39c
+86 68 8:6 /var/lib/docker/containers/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/config.env /var/lib/docker/aufs/mnt/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/.dockerenv rw,noatime,nodiratime - ext4 /dev/sda6 rw,data=ordered
+87 68 8:6 /etc/resolv.conf /var/lib/docker/aufs/mnt/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/etc/resolv.conf rw,noatime,nodiratime - ext4 /dev/sda6 rw,data=ordered
+88 68 8:6 /var/lib/docker/containers/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/hostname /var/lib/docker/aufs/mnt/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/etc/hostname rw,noatime,nodiratime - ext4 /dev/sda6 rw,data=ordered
+89 68 8:6 /var/lib/docker/containers/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/hosts /var/lib/docker/aufs/mnt/3597a1a6d6298c1decc339ebb90aad6f7d6ba2e15af3131b1f85e7ee4787a0cd/etc/hosts rw,noatime,nodiratime - ext4 /dev/sda6 rw,data=ordered
+38 15 0:3384 / /var/lib/docker/aufs/mnt/0292005a9292401bb5197657f2b682d97d8edcb3b72b5e390d2a680139985b55 rw,relatime - aufs none rw,si=9b4a7642b584939c
+39 15 0:3385 / /var/lib/docker/aufs/mnt/59db98c889de5f71b70cfb82c40cbe47b64332f0f56042a2987a9e5df6e5e3aa rw,relatime - aufs none rw,si=9b4a7642b584e39c
+40 15 0:3386 / /var/lib/docker/aufs/mnt/0545f0f2b6548eb9601d08f35a08f5a0a385407d36027a28f58e06e9f61e0278 rw,relatime - aufs none rw,si=9b4a7642b584b39c
+41 15 0:3387 / /var/lib/docker/aufs/mnt/d882cfa16d1aa8fe0331a36e79be3d80b151e49f24fc39a39c3fed1735d5feb5 rw,relatime - aufs none rw,si=9b4a76453040039c
+45 15 0:3388 / /var/lib/docker/aufs/mnt/055ca3befcb1626e74f5344b3398724ff05c0de0e20021683d04305c9e70a3f6 rw,relatime - aufs none rw,si=9b4a76453040739c
+46 15 0:3389 / /var/lib/docker/aufs/mnt/b899e4567a351745d4285e7f1c18fdece75d877deb3041981cd290be348b7aa6 rw,relatime - aufs none rw,si=9b4a7647def4039c
+47 15 0:3390 / /var/lib/docker/aufs/mnt/067ca040292c58954c5129f953219accfae0d40faca26b4d05e76ca76a998f16 rw,relatime - aufs none rw,si=9b4a7647def4239c
+48 15 0:3391 / /var/lib/docker/aufs/mnt/8c995e7cb6e5082742daeea720e340b021d288d25d92e0412c03d200df308a11 rw,relatime - aufs none rw,si=9b4a764479c1639c
+49 15 0:3392 / /var/lib/docker/aufs/mnt/07cc54dfae5b45300efdacdd53cc72c01b9044956a86ce7bff42d087e426096d rw,relatime - aufs none rw,si=9b4a764479c1739c
+50 15 0:3393 / /var/lib/docker/aufs/mnt/0a9c95cf4c589c05b06baa79150b0cc1d8e7102759fe3ce4afaabb8247ca4f85 rw,relatime - aufs none rw,si=9b4a7644059c839c
+51 15 0:3394 / /var/lib/docker/aufs/mnt/468fa98cececcf4e226e8370f18f4f848d63faf287fb8321a07f73086441a3a0 rw,relatime - aufs none rw,si=9b4a7644059ca39c
+52 15 0:3395 / /var/lib/docker/aufs/mnt/0b826192231c5ce066fffb5beff4397337b5fc19a377aa7c6282c7c0ce7f111f rw,relatime - aufs none rw,si=9b4a764479c1339c
+53 15 0:3396 / /var/lib/docker/aufs/mnt/93b8ba1b772fbe79709b909c43ea4b2c30d712e53548f467db1ffdc7a384f196 rw,relatime - aufs none rw,si=9b4a7640798a739c
+54 15 0:3397 / /var/lib/docker/aufs/mnt/0c0d0acfb506859b12ef18cdfef9ebed0b43a611482403564224bde9149d373c rw,relatime - aufs none rw,si=9b4a7640798a039c
+55 15 0:3398 / /var/lib/docker/aufs/mnt/33648c39ab6c7c74af0243d6d6a81b052e9e25ad1e04b19892eb2dde013e358b rw,relatime - aufs none rw,si=9b4a7644b439b39c
+56 15 0:3399 / /var/lib/docker/aufs/mnt/0c12bea97a1c958a3c739fb148536c1c89351d48e885ecda8f0499b5cc44407e rw,relatime - aufs none rw,si=9b4a7640798a239c
+57 15 0:3400 / /var/lib/docker/aufs/mnt/ed443988ce125f172d7512e84a4de2627405990fd767a16adefa8ce700c19ce8 rw,relatime - aufs none rw,si=9b4a7644c8ed339c
+59 15 0:3402 / /var/lib/docker/aufs/mnt/f61612c324ff3c924d3f7a82fb00a0f8d8f73c248c41897061949e9f5ab7e3b1 rw,relatime - aufs none rw,si=9b4a76442810c39c
+60 15 0:3403 / /var/lib/docker/aufs/mnt/0f1ee55c6c4e25027b80de8e64b8b6fb542b3b41aa0caab9261da75752e22bfd rw,relatime - aufs none rw,si=9b4a76442810e39c
+61 15 0:3404 / /var/lib/docker/aufs/mnt/956f6cc4af5785cb3ee6963dcbca668219437d9b28f513290b1453ac64a34f97 rw,relatime - aufs none rw,si=9b4a7644303ec39c
+62 15 0:3405 / /var/lib/docker/aufs/mnt/1099769158c4b4773e2569e38024e8717e400f87a002c41d8cf47cb81b051ba6 rw,relatime - aufs none rw,si=9b4a7644303ee39c
+63 15 0:3406 / /var/lib/docker/aufs/mnt/11890ceb98d4442595b676085cd7b21550ab85c5df841e0fba997ff54e3d522d rw,relatime - aufs none rw,si=9b4a7644303ed39c
+64 15 0:3407 / /var/lib/docker/aufs/mnt/acdb90dc378e8ed2420b43a6d291f1c789a081cd1904018780cc038fcd7aae53 rw,relatime - aufs none rw,si=9b4a76434be2139c
+65 15 0:3408 / /var/lib/docker/aufs/mnt/120e716f19d4714fbe63cc1ed246204f2c1106eefebc6537ba2587d7e7711959 rw,relatime - aufs none rw,si=9b4a76434be2339c
+66 15 0:3409 / /var/lib/docker/aufs/mnt/b197b7fffb61d89e0ba1c40de9a9fc0d912e778b3c1bd828cf981ff37c1963bc rw,relatime - aufs none rw,si=9b4a76434be2039c
+70 15 0:3412 / /var/lib/docker/aufs/mnt/1434b69d2e1bb18a9f0b96b9cdac30132b2688f5d1379f68a39a5e120c2f93eb rw,relatime - aufs none rw,si=9b4a76434be2639c
+71 15 0:3413 / /var/lib/docker/aufs/mnt/16006e83caf33ab5eb0cd6afc92ea2ee8edeff897496b0bb3ec3a75b767374b3 rw,relatime - aufs none rw,si=9b4a7644d790439c
+72 15 0:3414 / /var/lib/docker/aufs/mnt/55bfa5f44e94d27f91f79ba901b118b15098449165c87abf1b53ffff147ff164 rw,relatime - aufs none rw,si=9b4a7644d790239c
+73 15 0:3415 / /var/lib/docker/aufs/mnt/1912b97a07ab21ccd98a2a27bc779bf3cf364a3138afa3c3e6f7f169a3c3eab5 rw,relatime - aufs none rw,si=9b4a76441822739c
+76 15 0:3418 / /var/lib/docker/aufs/mnt/1a7c3292e8879bd91ffd9282e954f643b1db5683093574c248ff14a9609f2f56 rw,relatime - aufs none rw,si=9b4a76438cb7239c
+77 15 0:3419 / /var/lib/docker/aufs/mnt/bb1faaf0d076ddba82c2318305a85f490dafa4e8a8640a8db8ed657c439120cc rw,relatime - aufs none rw,si=9b4a76438cb7339c
+78 15 0:3420 / /var/lib/docker/aufs/mnt/1ab869f21d2241a73ac840c7f988490313f909ac642eba71d092204fec66dd7c rw,relatime - aufs none rw,si=9b4a76438cb7639c
+79 15 0:3421 / /var/lib/docker/aufs/mnt/fd7245b2cfe3890fa5f5b452260e4edf9e7fb7746532ed9d83f7a0d7dbaa610e rw,relatime - aufs none rw,si=9b4a7644bdc0139c
+80 15 0:3422 / /var/lib/docker/aufs/mnt/1e5686c5301f26b9b3cd24e322c608913465cc6c5d0dcd7c5e498d1314747d61 rw,relatime - aufs none rw,si=9b4a7644bdc0639c
+81 15 0:3423 / /var/lib/docker/aufs/mnt/52edf6ee6e40bfec1e9301a4d4a92ab83d144e2ae4ce5099e99df6138cb844bf rw,relatime - aufs none rw,si=9b4a7644bdc0239c
+82 15 0:3424 / /var/lib/docker/aufs/mnt/1ea10fb7085d28cda4904657dff0454e52598d28e1d77e4f2965bbc3666e808f rw,relatime - aufs none rw,si=9b4a76438cb7139c
+83 15 0:3425 / /var/lib/docker/aufs/mnt/9c03e98c3593946dbd4087f8d83f9ca262f4a2efdc952ce60690838b9ba6c526 rw,relatime - aufs none rw,si=9b4a76443020639c
+84 15 0:3426 / /var/lib/docker/aufs/mnt/220a2344d67437602c6d2cee9a98c46be13f82c2a8063919dd2fad52bf2fb7dd rw,relatime - aufs none rw,si=9b4a76434bff339c
+94 15 0:3427 / /var/lib/docker/aufs/mnt/3b32876c5b200312c50baa476ff342248e88c8ea96e6a1032cd53a88738a1cf2 rw,relatime - aufs none rw,si=9b4a76434bff139c
+95 15 0:3428 / /var/lib/docker/aufs/mnt/23ee2b8b0d4ae8db6f6d1e168e2c6f79f8a18f953b09f65e0d22cc1e67a3a6fa rw,relatime - aufs none rw,si=9b4a7646c305c39c
+96 15 0:3429 / /var/lib/docker/aufs/mnt/e86e6daa70b61b57945fa178222615f3c3d6bcef12c9f28e9f8623d44dc2d429 rw,relatime - aufs none rw,si=9b4a7646c305f39c
+97 15 0:3430 / /var/lib/docker/aufs/mnt/2413d07623e80860bb2e9e306fbdee699afd07525785c025c591231e864aa162 rw,relatime - aufs none rw,si=9b4a76434bff039c
+98 15 0:3431 / /var/lib/docker/aufs/mnt/adfd622eb22340fc80b429e5564b125668e260bf9068096c46dd59f1386a4b7d rw,relatime - aufs none rw,si=9b4a7646a7a1039c
+102 15 0:3435 / /var/lib/docker/aufs/mnt/27cd92e7a91d02e2d6b44d16679a00fb6d169b19b88822891084e7fd1a84882d rw,relatime - aufs none rw,si=9b4a7646f25ec39c
+103 15 0:3436 / /var/lib/docker/aufs/mnt/27dfdaf94cfbf45055c748293c37dd68d9140240bff4c646cb09216015914a88 rw,relatime - aufs none rw,si=9b4a7646732f939c
+104 15 0:3437 / /var/lib/docker/aufs/mnt/5ed7524aff68dfbf0fc601cbaeac01bab14391850a973dabf3653282a627920f rw,relatime - aufs none rw,si=9b4a7646732f839c
+105 15 0:3438 / /var/lib/docker/aufs/mnt/2a0d4767e536beb5785b60e071e3ac8e5e812613ab143a9627bee77d0c9ab062 rw,relatime - aufs none rw,si=9b4a7646732fe39c
+106 15 0:3439 / /var/lib/docker/aufs/mnt/dea3fc045d9f4ae51ba952450b948a822cf85c39411489ca5224f6d9a8d02bad rw,relatime - aufs none rw,si=9b4a764012ad839c
+107 15 0:3440 / /var/lib/docker/aufs/mnt/2d140a787160798da60cb67c21b1210054ad4dafecdcf832f015995b9aa99cfd rw,relatime - aufs none rw,si=9b4a764012add39c
+108 15 0:3441 / /var/lib/docker/aufs/mnt/cb190b2a8e984475914430fbad2382e0d20b9b659f8ef83ae8d170cc672e519c rw,relatime - aufs none rw,si=9b4a76454d9c239c
+109 15 0:3442 / /var/lib/docker/aufs/mnt/2f4a012d5a7ffd90256a6e9aa479054b3dddbc3c6a343f26dafbf3196890223b rw,relatime - aufs none rw,si=9b4a76454d9c439c
+110 15 0:3443 / /var/lib/docker/aufs/mnt/63cc77904b80c4ffbf49cb974c5d8733dc52ad7640d3ae87554b325d7312d87f rw,relatime - aufs none rw,si=9b4a76454d9c339c
+111 15 0:3444 / /var/lib/docker/aufs/mnt/30333e872c451482ea2d235ff2192e875bd234006b238ae2bdde3b91a86d7522 rw,relatime - aufs none rw,si=9b4a76422cebf39c
+112 15 0:3445 / /var/lib/docker/aufs/mnt/6c54fc1125da3925cae65b5c9a98f3be55b0a2c2666082e5094a4ba71beb5bff rw,relatime - aufs none rw,si=9b4a7646dd5a439c
+113 15 0:3446 / /var/lib/docker/aufs/mnt/3087d48cb01cda9d0a83a9ca301e6ea40e8593d18c4921be4794c91a420ab9a3 rw,relatime - aufs none rw,si=9b4a7646dd5a739c
+114 15 0:3447 / /var/lib/docker/aufs/mnt/cc2607462a8f55b179a749b144c3fdbb50678e1a4f3065ea04e283e9b1f1d8e2 rw,relatime - aufs none rw,si=9b4a7646dd5a239c
+117 15 0:3450 / /var/lib/docker/aufs/mnt/310c5e8392b29e8658a22e08d96d63936633b7e2c38e8d220047928b00a03d24 rw,relatime - aufs none rw,si=9b4a7647932d739c
+118 15 0:3451 / /var/lib/docker/aufs/mnt/38a1f0029406ba9c3b6058f2f406d8a1d23c855046cf355c91d87d446fcc1460 rw,relatime - aufs none rw,si=9b4a76445abc939c
+119 15 0:3452 / /var/lib/docker/aufs/mnt/42e109ab7914ae997a11ccd860fd18e4d488c50c044c3240423ce15774b8b62e rw,relatime - aufs none rw,si=9b4a76445abca39c
+120 15 0:3453 / /var/lib/docker/aufs/mnt/365d832af0402d052b389c1e9c0d353b48487533d20cd4351df8e24ec4e4f9d8 rw,relatime - aufs none rw,si=9b4a7644066aa39c
+121 15 0:3454 / /var/lib/docker/aufs/mnt/d3fa8a24d695b6cda9b64f96188f701963d28bef0473343f8b212df1a2cf1d2b rw,relatime - aufs none rw,si=9b4a7644066af39c
+122 15 0:3455 / /var/lib/docker/aufs/mnt/37d4f491919abc49a15d0c7a7cc8383f087573525d7d288accd14f0b4af9eae0 rw,relatime - aufs none rw,si=9b4a7644066ad39c
+123 15 0:3456 / /var/lib/docker/aufs/mnt/93902707fe12cbdd0068ce73f2baad4b3a299189b1b19cb5f8a2025e106ae3f5 rw,relatime - aufs none rw,si=9b4a76444445f39c
+126 15 0:3459 / /var/lib/docker/aufs/mnt/3b49291670a625b9bbb329ffba99bf7fa7abff80cefef040f8b89e2b3aad4f9f rw,relatime - aufs none rw,si=9b4a7640798a339c
+127 15 0:3460 / /var/lib/docker/aufs/mnt/8d9c7b943cc8f854f4d0d4ec19f7c16c13b0cc4f67a41472a072648610cecb59 rw,relatime - aufs none rw,si=9b4a76427383039c
+128 15 0:3461 / /var/lib/docker/aufs/mnt/3b6c90036526c376307df71d49c9f5fce334c01b926faa6a78186842de74beac rw,relatime - aufs none rw,si=9b4a7644badd439c
+130 15 0:3463 / /var/lib/docker/aufs/mnt/7b24158eeddfb5d31b7e932e406ea4899fd728344335ff8e0765e89ddeb351dd rw,relatime - aufs none rw,si=9b4a7644badd539c
+131 15 0:3464 / /var/lib/docker/aufs/mnt/3ead6dd5773765c74850cf6c769f21fe65c29d622ffa712664f9f5b80364ce27 rw,relatime - aufs none rw,si=9b4a7642f469939c
+132 15 0:3465 / /var/lib/docker/aufs/mnt/3f825573b29547744a37b65597a9d6d15a8350be4429b7038d126a4c9a8e178f rw,relatime - aufs none rw,si=9b4a7642f469c39c
+133 15 0:3466 / /var/lib/docker/aufs/mnt/f67aaaeb3681e5dcb99a41f847087370bd1c206680cb8c7b6a9819fd6c97a331 rw,relatime - aufs none rw,si=9b4a7647cc25939c
+134 15 0:3467 / /var/lib/docker/aufs/mnt/41afe6cfb3c1fc2280b869db07699da88552786e28793f0bc048a265c01bd942 rw,relatime - aufs none rw,si=9b4a7647cc25c39c
+135 15 0:3468 / /var/lib/docker/aufs/mnt/b8092ea59da34a40b120e8718c3ae9fa8436996edc4fc50e4b99c72dfd81e1af rw,relatime - aufs none rw,si=9b4a76445abc439c
+136 15 0:3469 / /var/lib/docker/aufs/mnt/42c69d2cc179e2684458bb8596a9da6dad182c08eae9b74d5f0e615b399f75a5 rw,relatime - aufs none rw,si=9b4a76455ddbe39c
+137 15 0:3470 / /var/lib/docker/aufs/mnt/ea0871954acd2d62a211ac60e05969622044d4c74597870c4f818fbb0c56b09b rw,relatime - aufs none rw,si=9b4a76455ddbf39c
+138 15 0:3471 / /var/lib/docker/aufs/mnt/4307906b275ab3fc971786b3841ae3217ac85b6756ddeb7ad4ba09cd044c2597 rw,relatime - aufs none rw,si=9b4a76455ddb839c
+139 15 0:3472 / /var/lib/docker/aufs/mnt/4390b872928c53500a5035634f3421622ed6299dc1472b631fc45de9f56dc180 rw,relatime - aufs none rw,si=9b4a76402f2fd39c
+140 15 0:3473 / /var/lib/docker/aufs/mnt/6bb41e78863b85e4aa7da89455314855c8c3bda64e52a583bab15dc1fa2e80c2 rw,relatime - aufs none rw,si=9b4a76402f2fa39c
+141 15 0:3474 / /var/lib/docker/aufs/mnt/4444f583c2a79c66608f4673a32c9c812154f027045fbd558c2d69920c53f835 rw,relatime - aufs none rw,si=9b4a764479dbd39c
+142 15 0:3475 / /var/lib/docker/aufs/mnt/6f11883af4a05ea362e0c54df89058da4859f977efd07b6f539e1f55c1d2a668 rw,relatime - aufs none rw,si=9b4a76402f30b39c
+143 15 0:3476 / /var/lib/docker/aufs/mnt/453490dd32e7c2e9ef906f995d8fb3c2753923d1a5e0ba3fd3296e2e4dc238e7 rw,relatime - aufs none rw,si=9b4a76402f30c39c
+144 15 0:3477 / /var/lib/docker/aufs/mnt/45e5945735ee102b5e891c91650c57ec4b52bb53017d68f02d50ea8a6e230610 rw,relatime - aufs none rw,si=9b4a76423260739c
+147 15 0:3480 / /var/lib/docker/aufs/mnt/4727a64a5553a1125f315b96bed10d3073d6988225a292cce732617c925b56ab rw,relatime - aufs none rw,si=9b4a76443030339c
+150 15 0:3483 / /var/lib/docker/aufs/mnt/4e348b5187b9a567059306afc72d42e0ec5c893b0d4abd547526d5f9b6fb4590 rw,relatime - aufs none rw,si=9b4a7644f5d8c39c
+151 15 0:3484 / /var/lib/docker/aufs/mnt/4efc616bfbc3f906718b052da22e4335f8e9f91ee9b15866ed3a8029645189ef rw,relatime - aufs none rw,si=9b4a7644f5d8939c
+152 15 0:3485 / /var/lib/docker/aufs/mnt/83e730ae9754d5adb853b64735472d98dfa17136b8812ac9cfcd1eba7f4e7d2d rw,relatime - aufs none rw,si=9b4a76469aa7139c
+153 15 0:3486 / /var/lib/docker/aufs/mnt/4fc5ba8a5b333be2b7eefacccb626772eeec0ae8a6975112b56c9fb36c0d342f rw,relatime - aufs none rw,si=9b4a7640128dc39c
+154 15 0:3487 / /var/lib/docker/aufs/mnt/50200d5edff5dfe8d1ef3c78b0bbd709793ac6e936aa16d74ff66f7ea577b6f9 rw,relatime - aufs none rw,si=9b4a7640128da39c
+155 15 0:3488 / /var/lib/docker/aufs/mnt/51e5e51604361448f0b9777f38329f414bc5ba9cf238f26d465ff479bd574b61 rw,relatime - aufs none rw,si=9b4a76444f68939c
+156 15 0:3489 / /var/lib/docker/aufs/mnt/52a142149aa98bba83df8766bbb1c629a97b9799944ead90dd206c4bdf0b8385 rw,relatime - aufs none rw,si=9b4a76444f68b39c
+157 15 0:3490 / /var/lib/docker/aufs/mnt/52dd21a94a00f58a1ed489312fcfffb91578089c76c5650364476f1d5de031bc rw,relatime - aufs none rw,si=9b4a76444f68f39c
+158 15 0:3491 / /var/lib/docker/aufs/mnt/ee562415ddaad353ed22c88d0ca768a0c74bfba6333b6e25c46849ee22d990da rw,relatime - aufs none rw,si=9b4a7640128d839c
+159 15 0:3492 / /var/lib/docker/aufs/mnt/db47a9e87173f7554f550c8a01891de79cf12acdd32e01f95c1a527a08bdfb2c rw,relatime - aufs none rw,si=9b4a764405a1d39c
+160 15 0:3493 / /var/lib/docker/aufs/mnt/55e827bf6d44d930ec0b827c98356eb8b68c3301e2d60d1429aa72e05b4c17df rw,relatime - aufs none rw,si=9b4a764405a1a39c
+162 15 0:3495 / /var/lib/docker/aufs/mnt/578dc4e0a87fc37ec081ca098430499a59639c09f6f12a8f48de29828a091aa6 rw,relatime - aufs none rw,si=9b4a76406d7d439c
+163 15 0:3496 / /var/lib/docker/aufs/mnt/728cc1cb04fa4bc6f7bf7a90980beda6d8fc0beb71630874c0747b994efb0798 rw,relatime - aufs none rw,si=9b4a76444f20e39c
+164 15 0:3497 / /var/lib/docker/aufs/mnt/5850cc4bd9b55aea46c7ad598f1785117607974084ea643580f58ce3222e683a rw,relatime - aufs none rw,si=9b4a7644a824239c
+165 15 0:3498 / /var/lib/docker/aufs/mnt/89443b3f766d5a37bc8b84e29da8b84e6a3ea8486d3cf154e2aae1816516e4a8 rw,relatime - aufs none rw,si=9b4a7644a824139c
+166 15 0:3499 / /var/lib/docker/aufs/mnt/f5ae8fd5a41a337907d16515bc3162525154b59c32314c695ecd092c3b47943d rw,relatime - aufs none rw,si=9b4a7644a824439c
+167 15 0:3500 / /var/lib/docker/aufs/mnt/5a430854f2a03a9e5f7cbc9f3fb46a8ebca526a5b3f435236d8295e5998798f5 rw,relatime - aufs none rw,si=9b4a7647fc82439c
+168 15 0:3501 / /var/lib/docker/aufs/mnt/eda16901ae4cead35070c39845cbf1e10bd6b8cb0ffa7879ae2d8a186e460f91 rw,relatime - aufs none rw,si=9b4a76441e0df39c
+169 15 0:3502 / /var/lib/docker/aufs/mnt/5a593721430c2a51b119ff86a7e06ea2b37e3b4131f8f1344d402b61b0c8d868 rw,relatime - aufs none rw,si=9b4a764248bad39c
+170 15 0:3503 / /var/lib/docker/aufs/mnt/d662ad0a30fbfa902e0962108685b9330597e1ee2abb16dc9462eb5a67fdd23f rw,relatime - aufs none rw,si=9b4a764248bae39c
+171 15 0:3504 / /var/lib/docker/aufs/mnt/5bc9de5c79812843fb36eee96bef1ddba812407861f572e33242f4ee10da2c15 rw,relatime - aufs none rw,si=9b4a764248ba839c
+172 15 0:3505 / /var/lib/docker/aufs/mnt/5e763de8e9b0f7d58d2e12a341e029ab4efb3b99788b175090d8209e971156c1 rw,relatime - aufs none rw,si=9b4a764248baa39c
+173 15 0:3506 / /var/lib/docker/aufs/mnt/b4431dc2739936f1df6387e337f5a0c99cf051900c896bd7fd46a870ce61c873 rw,relatime - aufs none rw,si=9b4a76401263539c
+174 15 0:3507 / /var/lib/docker/aufs/mnt/5f37830e5a02561ab8c67ea3113137ba69f67a60e41c05cb0e7a0edaa1925b24 rw,relatime - aufs none rw,si=9b4a76401263639c
+184 15 0:3508 / /var/lib/docker/aufs/mnt/62ea10b957e6533538a4633a1e1d678502f50ddcdd354b2ca275c54dd7a7793a rw,relatime - aufs none rw,si=9b4a76401263039c
+187 15 0:3509 / /var/lib/docker/aufs/mnt/d56ee9d44195fe390e042fda75ec15af5132adb6d5c69468fa8792f4e54a6953 rw,relatime - aufs none rw,si=9b4a76401263239c
+188 15 0:3510 / /var/lib/docker/aufs/mnt/6a300930673174549c2b62f36c933f0332a20735978c007c805a301f897146c5 rw,relatime - aufs none rw,si=9b4a76455d4c539c
+189 15 0:3511 / /var/lib/docker/aufs/mnt/64496c45c84d348c24d410015456d101601c30cab4d1998c395591caf7e57a70 rw,relatime - aufs none rw,si=9b4a76455d4c639c
+190 15 0:3512 / /var/lib/docker/aufs/mnt/65a6a645883fe97a7422cd5e71ebe0bc17c8e6302a5361edf52e89747387e908 rw,relatime - aufs none rw,si=9b4a76455d4c039c
+191 15 0:3513 / /var/lib/docker/aufs/mnt/672be40695f7b6e13b0a3ed9fc996c73727dede3481f58155950fcfad57ed616 rw,relatime - aufs none rw,si=9b4a76455d4c239c
+192 15 0:3514 / /var/lib/docker/aufs/mnt/d42438acb2bfb2169e1c0d8e917fc824f7c85d336dadb0b0af36dfe0f001b3ba rw,relatime - aufs none rw,si=9b4a7642bfded39c
+193 15 0:3515 / /var/lib/docker/aufs/mnt/b48a54abf26d01cb2ddd908b1ed6034d17397c1341bf0eb2b251a3e5b79be854 rw,relatime - aufs none rw,si=9b4a7642bfdee39c
+194 15 0:3516 / /var/lib/docker/aufs/mnt/76f27134491f052bfb87f59092126e53ef875d6851990e59195a9da16a9412f8 rw,relatime - aufs none rw,si=9b4a7642bfde839c
+195 15 0:3517 / /var/lib/docker/aufs/mnt/6bd626a5462b4f8a8e1cc7d10351326dca97a59b2758e5ea549a4f6350ce8a90 rw,relatime - aufs none rw,si=9b4a7642bfdea39c
+196 15 0:3518 / /var/lib/docker/aufs/mnt/f1fe3549dbd6f5ca615e9139d9b53f0c83a3b825565df37628eacc13e70cbd6d rw,relatime - aufs none rw,si=9b4a7642bfdf539c
+197 15 0:3519 / /var/lib/docker/aufs/mnt/6d0458c8426a9e93d58d0625737e6122e725c9408488ed9e3e649a9984e15c34 rw,relatime - aufs none rw,si=9b4a7642bfdf639c
+198 15 0:3520 / /var/lib/docker/aufs/mnt/6e4c97db83aa82145c9cf2bafc20d500c0b5389643b689e3ae84188c270a48c5 rw,relatime - aufs none rw,si=9b4a7642bfdf039c
+199 15 0:3521 / /var/lib/docker/aufs/mnt/eb94d6498f2c5969eaa9fa11ac2934f1ab90ef88e2d002258dca08e5ba74ea27 rw,relatime - aufs none rw,si=9b4a7642bfdf239c
+200 15 0:3522 / /var/lib/docker/aufs/mnt/fe3f88f0c511608a2eec5f13a98703aa16e55dbf930309723d8a37101f539fe1 rw,relatime - aufs none rw,si=9b4a7642bfc3539c
+201 15 0:3523 / /var/lib/docker/aufs/mnt/6f40c229fb9cad85fabf4b64a2640a5403ec03fe5ac1a57d0609fb8b606b9c83 rw,relatime - aufs none rw,si=9b4a7642bfc3639c
+202 15 0:3524 / /var/lib/docker/aufs/mnt/7513e9131f7a8acf58ff15248237feb767c78732ca46e159f4d791e6ef031dbc rw,relatime - aufs none rw,si=9b4a7642bfc3039c
+203 15 0:3525 / /var/lib/docker/aufs/mnt/79f48b00aa713cdf809c6bb7c7cb911b66e9a8076c81d6c9d2504139984ea2da rw,relatime - aufs none rw,si=9b4a7642bfc3239c
+204 15 0:3526 / /var/lib/docker/aufs/mnt/c3680418350d11358f0a96c676bc5aa74fa00a7c89e629ef5909d3557b060300 rw,relatime - aufs none rw,si=9b4a7642f47cd39c
+205 15 0:3527 / /var/lib/docker/aufs/mnt/7a1744dd350d7fcc0cccb6f1757ca4cbe5453f203a5888b0f1014d96ad5a5ef9 rw,relatime - aufs none rw,si=9b4a7642f47ce39c
+206 15 0:3528 / /var/lib/docker/aufs/mnt/7fa99662db046be9f03c33c35251afda9ccdc0085636bbba1d90592cec3ff68d rw,relatime - aufs none rw,si=9b4a7642f47c839c
+207 15 0:3529 / /var/lib/docker/aufs/mnt/f815021ef20da9c9b056bd1d52d8aaf6e2c0c19f11122fc793eb2b04eb995e35 rw,relatime - aufs none rw,si=9b4a7642f47ca39c
+208 15 0:3530 / /var/lib/docker/aufs/mnt/801086ae3110192d601dfcebdba2db92e86ce6b6a9dba6678ea04488e4513669 rw,relatime - aufs none rw,si=9b4a7642dc6dd39c
+209 15 0:3531 / /var/lib/docker/aufs/mnt/822ba7db69f21daddda87c01cfbfbf73013fc03a879daf96d16cdde6f9b1fbd6 rw,relatime - aufs none rw,si=9b4a7642dc6de39c
+210 15 0:3532 / /var/lib/docker/aufs/mnt/834227c1a950fef8cae3827489129d0dd220541e60c6b731caaa765bf2e6a199 rw,relatime - aufs none rw,si=9b4a7642dc6d839c
+211 15 0:3533 / /var/lib/docker/aufs/mnt/83dccbc385299bd1c7cf19326e791b33a544eea7b4cdfb6db70ea94eed4389fb rw,relatime - aufs none rw,si=9b4a7642dc6da39c
+212 15 0:3534 / /var/lib/docker/aufs/mnt/f1b8e6f0e7c8928b5dcdab944db89306ebcae3e0b32f9ff40d2daa8329f21600 rw,relatime - aufs none rw,si=9b4a7645a126039c
+213 15 0:3535 / /var/lib/docker/aufs/mnt/970efb262c7a020c2404cbcc5b3259efba0d110a786079faeef05bc2952abf3a rw,relatime - aufs none rw,si=9b4a7644c8ed139c
+214 15 0:3536 / /var/lib/docker/aufs/mnt/84b6d73af7450f3117a77e15a5ca1255871fea6182cd8e8a7be6bc744be18c2c rw,relatime - aufs none rw,si=9b4a76406559139c
+215 15 0:3537 / /var/lib/docker/aufs/mnt/88be2716e026bc681b5e63fe7942068773efbd0b6e901ca7ba441412006a96b6 rw,relatime - aufs none rw,si=9b4a76406559339c
+216 15 0:3538 / /var/lib/docker/aufs/mnt/c81939aa166ce50cd8bca5cfbbcc420a78e0318dd5cd7c755209b9166a00a752 rw,relatime - aufs none rw,si=9b4a76406559239c
+217 15 0:3539 / /var/lib/docker/aufs/mnt/e0f241645d64b7dc5ff6a8414087cca226be08fb54ce987d1d1f6350c57083aa rw,relatime - aufs none rw,si=9b4a7647cfc0f39c
+218 15 0:3540 / /var/lib/docker/aufs/mnt/e10e2bf75234ed51d8a6a4bb39e465404fecbe318e54400d3879cdb2b0679c78 rw,relatime - aufs none rw,si=9b4a7647cfc0939c
+219 15 0:3541 / /var/lib/docker/aufs/mnt/8f71d74c8cfc3228b82564aa9f09b2e576cff0083ddfb6aa5cb350346063f080 rw,relatime - aufs none rw,si=9b4a7647cfc0a39c
+220 15 0:3542 / /var/lib/docker/aufs/mnt/9159f1eba2aef7f5205cc18d015cda7f5933cd29bba3b1b8aed5ccb5824c69ee rw,relatime - aufs none rw,si=9b4a76468cedd39c
+221 15 0:3543 / /var/lib/docker/aufs/mnt/932cad71e652e048e500d9fbb5b8ea4fc9a269d42a3134ce527ceef42a2be56b rw,relatime - aufs none rw,si=9b4a76468cede39c
+222 15 0:3544 / /var/lib/docker/aufs/mnt/bf1e1b5f529e8943cc0144ee86dbaaa37885c1ddffcef29537e0078ee7dd316a rw,relatime - aufs none rw,si=9b4a76468ced839c
+223 15 0:3545 / /var/lib/docker/aufs/mnt/949d93ecf3322e09f858ce81d5f4b434068ec44ff84c375de03104f7b45ee955 rw,relatime - aufs none rw,si=9b4a76468ceda39c
+224 15 0:3546 / /var/lib/docker/aufs/mnt/d65c6087f92dc2a3841b5251d2fe9ca07d4c6e5b021597692479740816e4e2a1 rw,relatime - aufs none rw,si=9b4a7645a126239c
+225 15 0:3547 / /var/lib/docker/aufs/mnt/98a0153119d0651c193d053d254f6e16a68345a141baa80c87ae487e9d33f290 rw,relatime - aufs none rw,si=9b4a7640787cf39c
+226 15 0:3548 / /var/lib/docker/aufs/mnt/99daf7fe5847c017392f6e59aa9706b3dfdd9e6d1ba11dae0f7fffde0a60b5e5 rw,relatime - aufs none rw,si=9b4a7640787c839c
+227 15 0:3549 / /var/lib/docker/aufs/mnt/9ad1f2fe8a5599d4e10c5a6effa7f03d932d4e92ee13149031a372087a359079 rw,relatime - aufs none rw,si=9b4a7640787ca39c
+228 15 0:3550 / /var/lib/docker/aufs/mnt/c26d64494da782ddac26f8370d86ac93e7c1666d88a7b99110fc86b35ea6a85d rw,relatime - aufs none rw,si=9b4a7642fc6b539c
+229 15 0:3551 / /var/lib/docker/aufs/mnt/a49e4a8275133c230ec640997f35f172312eb0ea5bd2bbe10abf34aae98f30eb rw,relatime - aufs none rw,si=9b4a7642fc6b639c
+230 15 0:3552 / /var/lib/docker/aufs/mnt/b5e2740c867ed843025f49d84e8d769de9e8e6039b3c8cb0735b5bf358994bc7 rw,relatime - aufs none rw,si=9b4a7642fc6b039c
+231 15 0:3553 / /var/lib/docker/aufs/mnt/a826fdcf3a7039b30570054579b65763db605a314275d7aef31b872c13311b4b rw,relatime - aufs none rw,si=9b4a7642fc6b239c
+232 15 0:3554 / /var/lib/docker/aufs/mnt/addf3025babf5e43b5a3f4a0da7ad863dda3c01fb8365c58fd8d28bb61dc11bc rw,relatime - aufs none rw,si=9b4a76407871d39c
+233 15 0:3555 / /var/lib/docker/aufs/mnt/c5b6c6813ab3e5ebdc6d22cb2a3d3106a62095f2c298be52b07a3b0fa20ff690 rw,relatime - aufs none rw,si=9b4a76407871e39c
+234 15 0:3556 / /var/lib/docker/aufs/mnt/af0609eaaf64e2392060cb46f5a9f3d681a219bb4c651d4f015bf573fbe6c4cf rw,relatime - aufs none rw,si=9b4a76407871839c
+235 15 0:3557 / /var/lib/docker/aufs/mnt/e7f20e3c37ecad39cd90a97cd3549466d0d106ce4f0a930b8495442634fa4a1f rw,relatime - aufs none rw,si=9b4a76407871a39c
+237 15 0:3559 / /var/lib/docker/aufs/mnt/b57a53d440ffd0c1295804fa68cdde35d2fed5409484627e71b9c37e4249fd5c rw,relatime - aufs none rw,si=9b4a76444445a39c
+238 15 0:3560 / /var/lib/docker/aufs/mnt/b5e7d7b8f35e47efbba3d80c5d722f5e7bd43e54c824e54b4a4b351714d36d42 rw,relatime - aufs none rw,si=9b4a7647932d439c
+239 15 0:3561 / /var/lib/docker/aufs/mnt/f1b136def157e9465640658f277f3347de593c6ae76412a2e79f7002f091cae2 rw,relatime - aufs none rw,si=9b4a76445abcd39c
+240 15 0:3562 / /var/lib/docker/aufs/mnt/b750fe79269d2ec9a3c593ef05b4332b1d1a02a62b4accb2c21d589ff2f5f2dc rw,relatime - aufs none rw,si=9b4a7644403b339c
+241 15 0:3563 / /var/lib/docker/aufs/mnt/b89b140cdbc95063761864e0a23346207fa27ee4c5c63a1ae85c9069a9d9cf1d rw,relatime - aufs none rw,si=9b4a7644aa19739c
+242 15 0:3564 / /var/lib/docker/aufs/mnt/bc6a69ed51c07f5228f6b4f161c892e6a949c0e7e86a9c3432049d4c0e5cd298 rw,relatime - aufs none rw,si=9b4a7644aa19139c
+243 15 0:3565 / /var/lib/docker/aufs/mnt/be4e2ba3f136933e239f7cf3d136f484fb9004f1fbdfee24a62a2c7b0ab30670 rw,relatime - aufs none rw,si=9b4a7644aa19339c
+244 15 0:3566 / /var/lib/docker/aufs/mnt/e04ca1a4a5171e30d20f0c92f90a50b8b6f8600af5459c4b4fb25e42e864dfe1 rw,relatime - aufs none rw,si=9b4a7647932d139c
+245 15 0:3567 / /var/lib/docker/aufs/mnt/be61576b31db893129aaffcd3dcb5ce35e49c4b71b30c392a78609a45c7323d8 rw,relatime - aufs none rw,si=9b4a7642d85f739c
+246 15 0:3568 / /var/lib/docker/aufs/mnt/dda42c191e56becf672327658ab84fcb563322db3764b91c2fefe4aaef04c624 rw,relatime - aufs none rw,si=9b4a7642d85f139c
+247 15 0:3569 / /var/lib/docker/aufs/mnt/c0a7995053330f3d88969247a2e72b07e2dd692133f5668a4a35ea3905561072 rw,relatime - aufs none rw,si=9b4a7642d85f339c
+249 15 0:3571 / /var/lib/docker/aufs/mnt/c3594b2e5f08c59ff5ed338a1ba1eceeeb1f7fc5d180068338110c00b1eb8502 rw,relatime - aufs none rw,si=9b4a7642738c739c
+250 15 0:3572 / /var/lib/docker/aufs/mnt/c58dce03a0ab0a7588393880379dc3bce9f96ec08ed3f99cf1555260ff0031e8 rw,relatime - aufs none rw,si=9b4a7642738c139c
+251 15 0:3573 / /var/lib/docker/aufs/mnt/c73e9f1d109c9d14cb36e1c7489df85649be3911116d76c2fd3648ec8fd94e23 rw,relatime - aufs none rw,si=9b4a7642738c339c
+252 15 0:3574 / /var/lib/docker/aufs/mnt/c9eef28c344877cd68aa09e543c0710ab2b305a0ff96dbb859bfa7808c3e8d01 rw,relatime - aufs none rw,si=9b4a7642d85f439c
+253 15 0:3575 / /var/lib/docker/aufs/mnt/feb67148f548d70cb7484f2aaad2a86051cd6867a561741a2f13b552457d666e rw,relatime - aufs none rw,si=9b4a76468c55739c
+254 15 0:3576 / /var/lib/docker/aufs/mnt/cdf1f96c36d35a96041a896bf398ec0f7dc3b0fb0643612a0f4b6ff96e04e1bb rw,relatime - aufs none rw,si=9b4a76468c55139c
+255 15 0:3577 / /var/lib/docker/aufs/mnt/ec6e505872353268451ac4bc034c1df00f3bae4a3ea2261c6e48f7bd5417c1b3 rw,relatime - aufs none rw,si=9b4a76468c55339c
+256 15 0:3578 / /var/lib/docker/aufs/mnt/d6dc8aca64efd90e0bc10274001882d0efb310d42ccbf5712b99b169053b8b1a rw,relatime - aufs none rw,si=9b4a7642738c439c
+257 15 0:3579 / /var/lib/docker/aufs/mnt/d712594e2ff6eaeb895bfd150d694bd1305fb927e7a186b2dab7df2ea95f8f81 rw,relatime - aufs none rw,si=9b4a76401268f39c
+259 15 0:3581 / /var/lib/docker/aufs/mnt/dbfa1174cd78cde2d7410eae442af0b416c4a0e6f87ed4ff1e9f169a0029abc0 rw,relatime - aufs none rw,si=9b4a76401268b39c
+260 15 0:3582 / /var/lib/docker/aufs/mnt/e883f5a82316d7856fbe93ee8c0af5a920b7079619dd95c4ffd88bbd309d28dd rw,relatime - aufs none rw,si=9b4a76468c55439c
+261 15 0:3583 / /var/lib/docker/aufs/mnt/fdec3eff581c4fc2b09f87befa2fa021f3f2d373bea636a87f1fb5b367d6347a rw,relatime - aufs none rw,si=9b4a7644aa1af39c
+262 15 0:3584 / /var/lib/docker/aufs/mnt/ef764e26712184653067ecf7afea18a80854c41331ca0f0ef03e1bacf90a6ffc rw,relatime - aufs none rw,si=9b4a7644aa1a939c
+263 15 0:3585 / /var/lib/docker/aufs/mnt/f3176b40c41fce8ce6942936359a2001a6f1b5c1bb40ee224186db0789ec2f76 rw,relatime - aufs none rw,si=9b4a7644aa1ab39c
+264 15 0:3586 / /var/lib/docker/aufs/mnt/f5daf06785d3565c6dd18ea7d953d9a8b9606107781e63270fe0514508736e6a rw,relatime - aufs none rw,si=9b4a76401268c39c
+58 15 0:3587 / /var/lib/docker/aufs/mnt/cde8c40f6524b7361af4f5ad05bb857dc9ee247c20852ba666195c0739e3a2b8-init rw,relatime - aufs none rw,si=9b4a76444445839c
+67 15 0:3588 / /var/lib/docker/aufs/mnt/cde8c40f6524b7361af4f5ad05bb857dc9ee247c20852ba666195c0739e3a2b8 rw,relatime - aufs none rw,si=9b4a7644badd339c
+265 15 0:3610 / /var/lib/docker/aufs/mnt/e812472cd2c8c4748d1ef71fac4e77e50d661b9349abe66ce3e23511ed44f414 rw,relatime - aufs none rw,si=9b4a76427937d39c
+270 15 0:3615 / /var/lib/docker/aufs/mnt/997636e7c5c9d0d1376a217e295c14c205350b62bc12052804fb5f90abe6f183 rw,relatime - aufs none rw,si=9b4a76406540739c
+273 15 0:3618 / /var/lib/docker/aufs/mnt/d5794d080417b6e52e69227c3873e0e4c1ff0d5a845ebe3860ec2f89a47a2a1e rw,relatime - aufs none rw,si=9b4a76454814039c
+278 15 0:3623 / /var/lib/docker/aufs/mnt/586bdd48baced671bb19bc4d294ec325f26c55545ae267db426424f157d59c48 rw,relatime - aufs none rw,si=9b4a7644b439f39c
+281 15 0:3626 / /var/lib/docker/aufs/mnt/69739d022f89f8586908bbd5edbbdd95ea5256356f177f9ffcc6ef9c0ea752d2 rw,relatime - aufs none rw,si=9b4a7644a0f1b39c
+286 15 0:3631 / /var/lib/docker/aufs/mnt/ff28c27d5f894363993622de26d5dd352dba072f219e4691d6498c19bbbc15a9 rw,relatime - aufs none rw,si=9b4a7642265b339c
+289 15 0:3634 / /var/lib/docker/aufs/mnt/aa128fe0e64fdede333aa48fd9de39530c91a9244a0f0649a3c411c61e372daa rw,relatime - aufs none rw,si=9b4a764012ada39c
+99 15 8:33 / /media/REMOVE\040ME rw,nosuid,nodev,relatime - fuseblk /dev/sdc1 rw,user_id=0,group_id=0,allow_other,blksize=4096`
+)
+
+func TestParseFedoraMountinfo(t *testing.T) {
+	r := bytes.NewBuffer([]byte(fedoraMountinfo))
+	_, err := parseInfoFile(r, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestParseUbuntuMountinfo(t *testing.T) {
+	r := bytes.NewBuffer([]byte(ubuntuMountInfo))
+	_, err := parseInfoFile(r, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestParseGentooMountinfo(t *testing.T) {
+	r := bytes.NewBuffer([]byte(gentooMountinfo))
+	_, err := parseInfoFile(r, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestParseFedoraMountinfoFields(t *testing.T) {
+	r := bytes.NewBuffer([]byte(fedoraMountinfo))
+	infos, err := parseInfoFile(r, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedLength := 58
+	if len(infos) != expectedLength {
+		t.Fatalf("Expected %d entries, got %d", expectedLength, len(infos))
+	}
+	mi := Info{
+		ID:         15,
+		Parent:     35,
+		Major:      0,
+		Minor:      3,
+		Root:       "/",
+		Mountpoint: "/proc",
+		Opts:       "rw,nosuid,nodev,noexec,relatime",
+		Optional:   "shared:5",
+		Fstype:     "proc",
+		Source:     "proc",
+		VfsOpts:    "rw",
+	}
+
+	if *infos[0] != mi {
+		t.Fatalf("expected %#v, got %#v", mi, infos[0])
+	}
+}
+
+func TestParseMountinfoFilters(t *testing.T) {
+	r := bytes.NewReader([]byte(fedoraMountinfo))
+
+	infos, err := parseInfoFile(r, SingleEntryFilter("/sys/fs/cgroup"))
+	assert.NilError(t, err)
+	assert.Equal(t, 1, len(infos))
+
+	r.Reset([]byte(fedoraMountinfo))
+	infos, err = parseInfoFile(r, SingleEntryFilter("nonexistent"))
+	assert.NilError(t, err)
+	assert.Equal(t, 0, len(infos))
+
+	r.Reset([]byte(fedoraMountinfo))
+	infos, err = parseInfoFile(r, PrefixFilter("/sys"))
+	assert.NilError(t, err)
+	// there are 18 entries starting with /sys in fedoraMountinfo
+	assert.Equal(t, 18, len(infos))
+
+	r.Reset([]byte(fedoraMountinfo))
+	infos, err = parseInfoFile(r, PrefixFilter("nonexistent"))
+	assert.NilError(t, err)
+	assert.Equal(t, 0, len(infos))
+
+	r.Reset([]byte(fedoraMountinfo))
+	infos, err = parseInfoFile(r, ParentsFilter("/sys/fs/cgroup/cpu,cpuacct"))
+	assert.NilError(t, err)
+	// there should be 4 results returned: /sys/fs/cgroup/cpu,cpuacct /sys/fs/cgroup /sys /
+	assert.Equal(t, 4, len(infos))
+}
diff --git a/engine/pkg/mount/mountinfo_unsupported.go b/engine/pkg/mount/mountinfo_unsupported.go
new file mode 100644
index 00000000..fd16d3ed
--- /dev/null
+++ b/engine/pkg/mount/mountinfo_unsupported.go
@@ -0,0 +1,12 @@
+// +build !windows,!linux,!freebsd freebsd,!cgo
+
+package mount // import "github.com/docker/docker/pkg/mount"
+
+import (
+	"fmt"
+	"runtime"
+)
+
+func parseMountTable(f FilterFunc) ([]*Info, error) {
+	return nil, fmt.Errorf("mount.parseMountTable is not implemented on %s/%s", runtime.GOOS, runtime.GOARCH)
+}
diff --git a/engine/pkg/mount/mountinfo_windows.go b/engine/pkg/mount/mountinfo_windows.go
new file mode 100644
index 00000000..27e0f697
--- /dev/null
+++ b/engine/pkg/mount/mountinfo_windows.go
@@ -0,0 +1,6 @@
+package mount // import "github.com/docker/docker/pkg/mount"
+
+func parseMountTable(f FilterFunc) ([]*Info, error) {
+	// Do NOT return an error!
+	return nil, nil
+}
diff --git a/engine/pkg/mount/sharedsubtree_linux.go b/engine/pkg/mount/sharedsubtree_linux.go
new file mode 100644
index 00000000..538f6637
--- /dev/null
+++ b/engine/pkg/mount/sharedsubtree_linux.go
@@ -0,0 +1,67 @@
+package mount // import "github.com/docker/docker/pkg/mount"
+
+// MakeShared ensures a mounted filesystem has the SHARED mount option enabled.
+// See the supported options in flags.go for further reference.
+func MakeShared(mountPoint string) error {
+	return ensureMountedAs(mountPoint, "shared")
+}
+
+// MakeRShared ensures a mounted filesystem has the RSHARED mount option enabled.
+// See the supported options in flags.go for further reference.
+func MakeRShared(mountPoint string) error {
+	return ensureMountedAs(mountPoint, "rshared")
+}
+
+// MakePrivate ensures a mounted filesystem has the PRIVATE mount option enabled.
+// See the supported options in flags.go for further reference.
+func MakePrivate(mountPoint string) error {
+	return ensureMountedAs(mountPoint, "private")
+}
+
+// MakeRPrivate ensures a mounted filesystem has the RPRIVATE mount option
+// enabled. See the supported options in flags.go for further reference.
+func MakeRPrivate(mountPoint string) error {
+	return ensureMountedAs(mountPoint, "rprivate")
+}
+
+// MakeSlave ensures a mounted filesystem has the SLAVE mount option enabled.
+// See the supported options in flags.go for further reference.
+func MakeSlave(mountPoint string) error {
+	return ensureMountedAs(mountPoint, "slave")
+}
+
+// MakeRSlave ensures a mounted filesystem has the RSLAVE mount option enabled.
+// See the supported options in flags.go for further reference.
+func MakeRSlave(mountPoint string) error {
+	return ensureMountedAs(mountPoint, "rslave")
+}
+
+// MakeUnbindable ensures a mounted filesystem has the UNBINDABLE mount option
+// enabled. See the supported options in flags.go for further reference.
+func MakeUnbindable(mountPoint string) error {
+	return ensureMountedAs(mountPoint, "unbindable")
+}
+
+// MakeRUnbindable ensures a mounted filesystem has the RUNBINDABLE mount
+// option enabled. See the supported options in flags.go for further reference.
+func MakeRUnbindable(mountPoint string) error {
+	return ensureMountedAs(mountPoint, "runbindable")
+}
+
+func ensureMountedAs(mountPoint, options string) error {
+	mounted, err := Mounted(mountPoint)
+	if err != nil {
+		return err
+	}
+
+	if !mounted {
+		if err := Mount(mountPoint, mountPoint, "none", "bind,rw"); err != nil {
+			return err
+		}
+	}
+	if _, err = Mounted(mountPoint); err != nil {
+		return err
+	}
+
+	return ForceMount("", mountPoint, "none", options)
+}
diff --git a/engine/pkg/mount/sharedsubtree_linux_test.go b/engine/pkg/mount/sharedsubtree_linux_test.go
new file mode 100644
index 00000000..01951449
--- /dev/null
+++ b/engine/pkg/mount/sharedsubtree_linux_test.go
@@ -0,0 +1,348 @@
+// +build linux
+
+package mount // import "github.com/docker/docker/pkg/mount"
+
+import (
+	"os"
+	"path"
+	"testing"
+
+	"golang.org/x/sys/unix"
+)
+
+// nothing is propagated in or out
+func TestSubtreePrivate(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("root required")
+	}
+
+	tmp := path.Join(os.TempDir(), "mount-tests")
+	if err := os.MkdirAll(tmp, 0777); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+
+	var (
+		sourceDir   = path.Join(tmp, "source")
+		targetDir   = path.Join(tmp, "target")
+		outside1Dir = path.Join(tmp, "outside1")
+		outside2Dir = path.Join(tmp, "outside2")
+
+		outside1Path      = path.Join(outside1Dir, "file.txt")
+		outside2Path      = path.Join(outside2Dir, "file.txt")
+		outside1CheckPath = path.Join(targetDir, "a", "file.txt")
+		outside2CheckPath = path.Join(sourceDir, "b", "file.txt")
+	)
+	if err := os.MkdirAll(path.Join(sourceDir, "a"), 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.MkdirAll(path.Join(sourceDir, "b"), 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Mkdir(targetDir, 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Mkdir(outside1Dir, 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Mkdir(outside2Dir, 0777); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := createFile(outside1Path); err != nil {
+		t.Fatal(err)
+	}
+	if err := createFile(outside2Path); err != nil {
+		t.Fatal(err)
+	}
+
+	// mount the shared directory to a target
+	if err := Mount(sourceDir, targetDir, "none", "bind,rw"); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(targetDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// next, make the target private
+	if err := MakePrivate(targetDir); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(targetDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// mount in an outside path to a mounted path inside the _source_
+	if err := Mount(outside1Dir, path.Join(sourceDir, "a"), "none", "bind,rw"); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(path.Join(sourceDir, "a")); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// check that this file _does_not_ show in the _target_
+	if _, err := os.Stat(outside1CheckPath); err != nil && !os.IsNotExist(err) {
+		t.Fatal(err)
+	} else if err == nil {
+		t.Fatalf("%q should not be visible, but is", outside1CheckPath)
+	}
+
+	// next mount outside2Dir into the _target_
+	if err := Mount(outside2Dir, path.Join(targetDir, "b"), "none", "bind,rw"); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(path.Join(targetDir, "b")); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// check that this file _does_not_ show in the _source_
+	if _, err := os.Stat(outside2CheckPath); err != nil && !os.IsNotExist(err) {
+		t.Fatal(err)
+	} else if err == nil {
+		t.Fatalf("%q should not be visible, but is", outside2CheckPath)
+	}
+}
+
+// Testing that when a target is a shared mount,
+// then child mounts propagate to the source
+func TestSubtreeShared(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("root required")
+	}
+
+	tmp := path.Join(os.TempDir(), "mount-tests")
+	if err := os.MkdirAll(tmp, 0777); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+
+	var (
+		sourceDir  = path.Join(tmp, "source")
+		targetDir  = path.Join(tmp, "target")
+		outsideDir = path.Join(tmp, "outside")
+
+		outsidePath     = path.Join(outsideDir, "file.txt")
+		sourceCheckPath = path.Join(sourceDir, "a", "file.txt")
+	)
+
+	if err := os.MkdirAll(path.Join(sourceDir, "a"), 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Mkdir(targetDir, 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Mkdir(outsideDir, 0777); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := createFile(outsidePath); err != nil {
+		t.Fatal(err)
+	}
+
+	// mount the source as shared
+	if err := MakeShared(sourceDir); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(sourceDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// mount the shared directory to a target
+	if err := Mount(sourceDir, targetDir, "none", "bind,rw"); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(targetDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// mount in an outside path to a mounted path inside the target
+	if err := Mount(outsideDir, path.Join(targetDir, "a"), "none", "bind,rw"); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(path.Join(targetDir, "a")); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// NOW, check that the file from the outside directory is available in the source directory
+	if _, err := os.Stat(sourceCheckPath); err != nil {
+		t.Fatal(err)
+	}
+}
+
+// testing that mounts to a shared source show up in the slave target,
+// and that mounts into a slave target do _not_ show up in the shared source
+func TestSubtreeSharedSlave(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("root required")
+	}
+
+	tmp := path.Join(os.TempDir(), "mount-tests")
+	if err := os.MkdirAll(tmp, 0777); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+
+	var (
+		sourceDir   = path.Join(tmp, "source")
+		targetDir   = path.Join(tmp, "target")
+		outside1Dir = path.Join(tmp, "outside1")
+		outside2Dir = path.Join(tmp, "outside2")
+
+		outside1Path      = path.Join(outside1Dir, "file.txt")
+		outside2Path      = path.Join(outside2Dir, "file.txt")
+		outside1CheckPath = path.Join(targetDir, "a", "file.txt")
+		outside2CheckPath = path.Join(sourceDir, "b", "file.txt")
+	)
+	if err := os.MkdirAll(path.Join(sourceDir, "a"), 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.MkdirAll(path.Join(sourceDir, "b"), 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Mkdir(targetDir, 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Mkdir(outside1Dir, 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Mkdir(outside2Dir, 0777); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := createFile(outside1Path); err != nil {
+		t.Fatal(err)
+	}
+	if err := createFile(outside2Path); err != nil {
+		t.Fatal(err)
+	}
+
+	// mount the source as shared
+	if err := MakeShared(sourceDir); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(sourceDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// mount the shared directory to a target
+	if err := Mount(sourceDir, targetDir, "none", "bind,rw"); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(targetDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// next, make the target slave
+	if err := MakeSlave(targetDir); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(targetDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// mount in an outside path to a mounted path inside the _source_
+	if err := Mount(outside1Dir, path.Join(sourceDir, "a"), "none", "bind,rw"); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(path.Join(sourceDir, "a")); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// check that this file _does_ show in the _target_
+	if _, err := os.Stat(outside1CheckPath); err != nil {
+		t.Fatal(err)
+	}
+
+	// next mount outside2Dir into the _target_
+	if err := Mount(outside2Dir, path.Join(targetDir, "b"), "none", "bind,rw"); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(path.Join(targetDir, "b")); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// check that this file _does_not_ show in the _source_
+	if _, err := os.Stat(outside2CheckPath); err != nil && !os.IsNotExist(err) {
+		t.Fatal(err)
+	} else if err == nil {
+		t.Fatalf("%q should not be visible, but is", outside2CheckPath)
+	}
+}
+
+func TestSubtreeUnbindable(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("root required")
+	}
+
+	tmp := path.Join(os.TempDir(), "mount-tests")
+	if err := os.MkdirAll(tmp, 0777); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmp)
+
+	var (
+		sourceDir = path.Join(tmp, "source")
+		targetDir = path.Join(tmp, "target")
+	)
+	if err := os.MkdirAll(sourceDir, 0777); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.MkdirAll(targetDir, 0777); err != nil {
+		t.Fatal(err)
+	}
+
+	// next, make the source unbindable
+	if err := MakeUnbindable(sourceDir); err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := Unmount(sourceDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// then attempt to mount it to target. It should fail
+	if err := Mount(sourceDir, targetDir, "none", "bind,rw"); err != nil && err != unix.EINVAL {
+		t.Fatal(err)
+	} else if err == nil {
+		t.Fatalf("%q should not have been bindable", sourceDir)
+	}
+	defer func() {
+		if err := Unmount(targetDir); err != nil {
+			t.Fatal(err)
+		}
+	}()
+}
+
+func createFile(path string) error {
+	f, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	f.WriteString("hello world!")
+	return f.Close()
+}
diff --git a/engine/pkg/namesgenerator/cmd/names-generator/main.go b/engine/pkg/namesgenerator/cmd/names-generator/main.go
new file mode 100644
index 00000000..7fd5955b
--- /dev/null
+++ b/engine/pkg/namesgenerator/cmd/names-generator/main.go
@@ -0,0 +1,14 @@
+package main
+
+import (
+	"fmt"
+	"math/rand"
+	"time"
+
+	"github.com/docker/docker/pkg/namesgenerator"
+)
+
+func main() {
+	rand.Seed(time.Now().UnixNano())
+	fmt.Println(namesgenerator.GetRandomName(0))
+}
diff --git a/engine/pkg/namesgenerator/names-generator.go b/engine/pkg/namesgenerator/names-generator.go
new file mode 100644
index 00000000..c995b438
--- /dev/null
+++ b/engine/pkg/namesgenerator/names-generator.go
@@ -0,0 +1,645 @@
+package namesgenerator // import "github.com/docker/docker/pkg/namesgenerator"
+
+import (
+	"fmt"
+	"math/rand"
+)
+
+var (
+	left = [...]string{
+		"admiring",
+		"adoring",
+		"affectionate",
+		"agitated",
+		"amazing",
+		"angry",
+		"awesome",
+		"blissful",
+		"boring",
+		"brave",
+		"clever",
+		"cocky",
+		"compassionate",
+		"competent",
+		"condescending",
+		"confident",
+		"cranky",
+		"dazzling",
+		"determined",
+		"distracted",
+		"dreamy",
+		"eager",
+		"ecstatic",
+		"elastic",
+		"elated",
+		"elegant",
+		"eloquent",
+		"epic",
+		"fervent",
+		"festive",
+		"flamboyant",
+		"focused",
+		"friendly",
+		"frosty",
+		"gallant",
+		"gifted",
+		"goofy",
+		"gracious",
+		"happy",
+		"hardcore",
+		"heuristic",
+		"hopeful",
+		"hungry",
+		"infallible",
+		"inspiring",
+		"jolly",
+		"jovial",
+		"keen",
+		"kind",
+		"laughing",
+		"loving",
+		"lucid",
+		"mystifying",
+		"modest",
+		"musing",
+		"naughty",
+		"nervous",
+		"nifty",
+		"nostalgic",
+		"objective",
+		"optimistic",
+		"peaceful",
+		"pedantic",
+		"pensive",
+		"practical",
+		"priceless",
+		"quirky",
+		"quizzical",
+		"relaxed",
+		"reverent",
+		"romantic",
+		"sad",
+		"serene",
+		"sharp",
+		"silly",
+		"sleepy",
+		"stoic",
+		"stupefied",
+		"suspicious",
+		"tender",
+		"thirsty",
+		"trusting",
+		"unruffled",
+		"upbeat",
+		"vibrant",
+		"vigilant",
+		"vigorous",
+		"wizardly",
+		"wonderful",
+		"xenodochial",
+		"youthful",
+		"zealous",
+		"zen",
+	}
+
+	// Docker, starting from 0.7.x, generates names from notable scientists and hackers.
+	// Please, for any amazing man that you add to the list, consider adding an equally amazing woman to it, and vice versa.
+	right = [...]string{
+		// Muhammad ibn Jābir al-Ḥarrānī al-Battānī was a founding father of astronomy. https://en.wikipedia.org/wiki/Mu%E1%B8%A5ammad_ibn_J%C4%81bir_al-%E1%B8%A4arr%C4%81n%C4%AB_al-Batt%C4%81n%C4%AB
+		"albattani",
+
+		// Frances E. Allen, became the first female IBM Fellow in 1989. In 2006, she became the first female recipient of the ACM's Turing Award. https://en.wikipedia.org/wiki/Frances_E._Allen
+		"allen",
+
+		// June Almeida - Scottish virologist who took the first pictures of the rubella virus - https://en.wikipedia.org/wiki/June_Almeida
+		"almeida",
+
+		// Maria Gaetana Agnesi - Italian mathematician, philosopher, theologian and humanitarian. She was the first woman to write a mathematics handbook and the first woman appointed as a Mathematics Professor at a University. https://en.wikipedia.org/wiki/Maria_Gaetana_Agnesi
+		"agnesi",
+
+		// Archimedes was a physicist, engineer and mathematician who invented too many things to list them here. https://en.wikipedia.org/wiki/Archimedes
+		"archimedes",
+
+		// Maria Ardinghelli - Italian translator, mathematician and physicist - https://en.wikipedia.org/wiki/Maria_Ardinghelli
+		"ardinghelli",
+
+		// Aryabhata - Ancient Indian mathematician-astronomer during 476-550 CE https://en.wikipedia.org/wiki/Aryabhata
+		"aryabhata",
+
+		// Wanda Austin - Wanda Austin is the President and CEO of The Aerospace Corporation, a leading architect for the US security space programs. https://en.wikipedia.org/wiki/Wanda_Austin
+		"austin",
+
+		// Charles Babbage invented the concept of a programmable computer. https://en.wikipedia.org/wiki/Charles_Babbage.
+		"babbage",
+
+		// Stefan Banach - Polish mathematician, was one of the founders of modern functional analysis. https://en.wikipedia.org/wiki/Stefan_Banach
+		"banach",
+
+		// John Bardeen co-invented the transistor - https://en.wikipedia.org/wiki/John_Bardeen
+		"bardeen",
+
+		// Jean Bartik, born Betty Jean Jennings, was one of the original programmers for the ENIAC computer. https://en.wikipedia.org/wiki/Jean_Bartik
+		"bartik",
+
+		// Laura Bassi, the world's first female professor https://en.wikipedia.org/wiki/Laura_Bassi
+		"bassi",
+
+		// Hugh Beaver, British engineer, founder of the Guinness Book of World Records https://en.wikipedia.org/wiki/Hugh_Beaver
+		"beaver",
+
+		// Alexander Graham Bell - an eminent Scottish-born scientist, inventor, engineer and innovator who is credited with inventing the first practical telephone - https://en.wikipedia.org/wiki/Alexander_Graham_Bell
+		"bell",
+
+		// Karl Friedrich Benz - a German automobile engineer. Inventor of the first practical motorcar. https://en.wikipedia.org/wiki/Karl_Benz
+		"benz",
+
+		// Homi J Bhabha - was an Indian nuclear physicist, founding director, and professor of physics at the Tata Institute of Fundamental Research. Colloquially known as "father of Indian nuclear programme"- https://en.wikipedia.org/wiki/Homi_J._Bhabha
+		"bhabha",
+
+		// Bhaskara II - Ancient Indian mathematician-astronomer whose work on calculus predates Newton and Leibniz by over half a millennium - https://en.wikipedia.org/wiki/Bh%C4%81skara_II#Calculus
+		"bhaskara",
+
+		// Elizabeth Blackwell - American doctor and first American woman to receive a medical degree - https://en.wikipedia.org/wiki/Elizabeth_Blackwell
+		"blackwell",
+
+		// Niels Bohr is the father of quantum theory. https://en.wikipedia.org/wiki/Niels_Bohr.
+		"bohr",
+
+		// Kathleen Booth, she's credited with writing the first assembly language. https://en.wikipedia.org/wiki/Kathleen_Booth
+		"booth",
+
+		// Anita Borg - Anita Borg was the founding director of the Institute for Women and Technology (IWT). https://en.wikipedia.org/wiki/Anita_Borg
+		"borg",
+
+		// Satyendra Nath Bose - He provided the foundation for Bose–Einstein statistics and the theory of the Bose–Einstein condensate. - https://en.wikipedia.org/wiki/Satyendra_Nath_Bose
+		"bose",
+
+		// Evelyn Boyd Granville - She was one of the first African-American woman to receive a Ph.D. in mathematics; she earned it in 1949 from Yale University. https://en.wikipedia.org/wiki/Evelyn_Boyd_Granville
+		"boyd",
+
+		// Brahmagupta - Ancient Indian mathematician during 598-670 CE who gave rules to compute with zero - https://en.wikipedia.org/wiki/Brahmagupta#Zero
+		"brahmagupta",
+
+		// Walter Houser Brattain co-invented the transistor - https://en.wikipedia.org/wiki/Walter_Houser_Brattain
+		"brattain",
+
+		// Emmett Brown invented time travel. https://en.wikipedia.org/wiki/Emmett_Brown (thanks Brian Goff)
+		"brown",
+
+		// Rachel Carson - American marine biologist and conservationist, her book Silent Spring and other writings are credited with advancing the global environmental movement. https://en.wikipedia.org/wiki/Rachel_Carson
+		"carson",
+
+		// Subrahmanyan Chandrasekhar - Astrophysicist known for his mathematical theory on different stages and evolution in structures of the stars. He has won nobel prize for physics - https://en.wikipedia.org/wiki/Subrahmanyan_Chandrasekhar
+		"chandrasekhar",
+
+		// Sergey Alexeyevich Chaplygin (Russian: Серге́й Алексе́евич Чаплы́гин; April 5, 1869 – October 8, 1942) was a Russian and Soviet physicist, mathematician, and mechanical engineer. He is known for mathematical formulas such as Chaplygin's equation and for a hypothetical substance in cosmology called Chaplygin gas, named after him. https://en.wikipedia.org/wiki/Sergey_Chaplygin
+		"chaplygin",
+
+		// Asima Chatterjee was an indian organic chemist noted for her research on vinca alkaloids, development of drugs for treatment of epilepsy and malaria - https://en.wikipedia.org/wiki/Asima_Chatterjee
+		"chatterjee",
+
+		// Pafnuty Chebyshev - Russian mathematician. He is known fo his works on probability, statistics, mechanics, analytical geometry and number theory https://en.wikipedia.org/wiki/Pafnuty_Chebyshev
+		"chebyshev",
+
+		// Claude Shannon - The father of information theory and founder of digital circuit design theory. (https://en.wikipedia.org/wiki/Claude_Shannon)
+		"shannon",
+
+		// Joan Clarke - Bletchley Park code breaker during the Second World War who pioneered techniques that remained top secret for decades. Also an accomplished numismatist https://en.wikipedia.org/wiki/Joan_Clarke
+		"clarke",
+
+		// Jane Colden - American botanist widely considered the first female American botanist - https://en.wikipedia.org/wiki/Jane_Colden
+		"colden",
+
+		// Gerty Theresa Cori - American biochemist who became the third woman—and first American woman—to win a Nobel Prize in science, and the first woman to be awarded the Nobel Prize in Physiology or Medicine. Cori was born in Prague. https://en.wikipedia.org/wiki/Gerty_Cori
+		"cori",
+
+		// Seymour Roger Cray was an American electrical engineer and supercomputer architect who designed a series of computers that were the fastest in the world for decades. https://en.wikipedia.org/wiki/Seymour_Cray
+		"cray",
+
+		// This entry reflects a husband and wife team who worked together:
+		// Joan Curran was a Welsh scientist who developed radar and invented chaff, a radar countermeasure. https://en.wikipedia.org/wiki/Joan_Curran
+		// Samuel Curran was an Irish physicist who worked alongside his wife during WWII and invented the proximity fuse. https://en.wikipedia.org/wiki/Samuel_Curran
+		"curran",
+
+		// Marie Curie discovered radioactivity. https://en.wikipedia.org/wiki/Marie_Curie.
+		"curie",
+
+		// Charles Darwin established the principles of natural evolution. https://en.wikipedia.org/wiki/Charles_Darwin.
+		"darwin",
+
+		// Leonardo Da Vinci invented too many things to list here. https://en.wikipedia.org/wiki/Leonardo_da_Vinci.
+		"davinci",
+
+		// Edsger Wybe Dijkstra was a Dutch computer scientist and mathematical scientist. https://en.wikipedia.org/wiki/Edsger_W._Dijkstra.
+		"dijkstra",
+
+		// Donna Dubinsky - played an integral role in the development of personal digital assistants (PDAs) serving as CEO of Palm, Inc. and co-founding Handspring. https://en.wikipedia.org/wiki/Donna_Dubinsky
+		"dubinsky",
+
+		// Annie Easley - She was a leading member of the team which developed software for the Centaur rocket stage and one of the first African-Americans in her field. https://en.wikipedia.org/wiki/Annie_Easley
+		"easley",
+
+		// Thomas Alva Edison, prolific inventor https://en.wikipedia.org/wiki/Thomas_Edison
+		"edison",
+
+		// Albert Einstein invented the general theory of relativity. https://en.wikipedia.org/wiki/Albert_Einstein
+		"einstein",
+
+		// Gertrude Elion - American biochemist, pharmacologist and the 1988 recipient of the Nobel Prize in Medicine - https://en.wikipedia.org/wiki/Gertrude_Elion
+		"elion",
+
+		// Alexandra Asanovna Elbakyan (Russian: Алекса́ндра Аса́новна Элбакя́н) is a Kazakhstani graduate student, computer programmer, internet pirate in hiding, and the creator of the site Sci-Hub. Nature has listed her in 2016 in the top ten people that mattered in science, and Ars Technica has compared her to Aaron Swartz. - https://en.wikipedia.org/wiki/Alexandra_Elbakyan
+		"elbakyan",
+
+		// Douglas Engelbart gave the mother of all demos: https://en.wikipedia.org/wiki/Douglas_Engelbart
+		"engelbart",
+
+		// Euclid invented geometry. https://en.wikipedia.org/wiki/Euclid
+		"euclid",
+
+		// Leonhard Euler invented large parts of modern mathematics. https://de.wikipedia.org/wiki/Leonhard_Euler
+		"euler",
+
+		// Pierre de Fermat pioneered several aspects of modern mathematics. https://en.wikipedia.org/wiki/Pierre_de_Fermat
+		"fermat",
+
+		// Enrico Fermi invented the first nuclear reactor. https://en.wikipedia.org/wiki/Enrico_Fermi.
+		"fermi",
+
+		// Richard Feynman was a key contributor to quantum mechanics and particle physics. https://en.wikipedia.org/wiki/Richard_Feynman
+		"feynman",
+
+		// Benjamin Franklin is famous for his experiments in electricity and the invention of the lightning rod.
+		"franklin",
+
+		// Galileo was a founding father of modern astronomy, and faced politics and obscurantism to establish scientific truth.  https://en.wikipedia.org/wiki/Galileo_Galilei
+		"galileo",
+
+		// William Henry "Bill" Gates III is an American business magnate, philanthropist, investor, computer programmer, and inventor. https://en.wikipedia.org/wiki/Bill_Gates
+		"gates",
+
+		// Adele Goldberg, was one of the designers and developers of the Smalltalk language. https://en.wikipedia.org/wiki/Adele_Goldberg_(computer_scientist)
+		"goldberg",
+
+		// Adele Goldstine, born Adele Katz, wrote the complete technical description for the first electronic digital computer, ENIAC. https://en.wikipedia.org/wiki/Adele_Goldstine
+		"goldstine",
+
+		// Shafi Goldwasser is a computer scientist known for creating theoretical foundations of modern cryptography. Winner of 2012 ACM Turing Award. https://en.wikipedia.org/wiki/Shafi_Goldwasser
+		"goldwasser",
+
+		// James Golick, all around gangster.
+		"golick",
+
+		// Jane Goodall - British primatologist, ethologist, and anthropologist who is considered to be the world's foremost expert on chimpanzees - https://en.wikipedia.org/wiki/Jane_Goodall
+		"goodall",
+
+		// Lois Haibt - American computer scientist, part of the team at IBM that developed FORTRAN - https://en.wikipedia.org/wiki/Lois_Haibt
+		"haibt",
+
+		// Margaret Hamilton - Director of the Software Engineering Division of the MIT Instrumentation Laboratory, which developed on-board flight software for the Apollo space program. https://en.wikipedia.org/wiki/Margaret_Hamilton_(scientist)
+		"hamilton",
+
+		// Stephen Hawking pioneered the field of cosmology by combining general relativity and quantum mechanics. https://en.wikipedia.org/wiki/Stephen_Hawking
+		"hawking",
+
+		// Werner Heisenberg was a founding father of quantum mechanics. https://en.wikipedia.org/wiki/Werner_Heisenberg
+		"heisenberg",
+
+		// Grete Hermann was a German philosopher noted for her philosophical work on the foundations of quantum mechanics. https://en.wikipedia.org/wiki/Grete_Hermann
+		"hermann",
+
+		// Jaroslav Heyrovský was the inventor of the polarographic method, father of the electroanalytical method, and recipient of the Nobel Prize in 1959. His main field of work was polarography. https://en.wikipedia.org/wiki/Jaroslav_Heyrovsk%C3%BD
+		"heyrovsky",
+
+		// Dorothy Hodgkin was a British biochemist, credited with the development of protein crystallography. She was awarded the Nobel Prize in Chemistry in 1964. https://en.wikipedia.org/wiki/Dorothy_Hodgkin
+		"hodgkin",
+
+		// Erna Schneider Hoover revolutionized modern communication by inventing a computerized telephone switching method. https://en.wikipedia.org/wiki/Erna_Schneider_Hoover
+		"hoover",
+
+		// Grace Hopper developed the first compiler for a computer programming language and  is credited with popularizing the term "debugging" for fixing computer glitches. https://en.wikipedia.org/wiki/Grace_Hopper
+		"hopper",
+
+		// Frances Hugle, she was an American scientist, engineer, and inventor who contributed to the understanding of semiconductors, integrated circuitry, and the unique electrical principles of microscopic materials. https://en.wikipedia.org/wiki/Frances_Hugle
+		"hugle",
+
+		// Hypatia - Greek Alexandrine Neoplatonist philosopher in Egypt who was one of the earliest mothers of mathematics - https://en.wikipedia.org/wiki/Hypatia
+		"hypatia",
+
+		// Mary Jackson, American mathematician and aerospace engineer who earned the highest title within NASA's engineering department - https://en.wikipedia.org/wiki/Mary_Jackson_(engineer)
+		"jackson",
+
+		// Yeong-Sil Jang was a Korean scientist and astronomer during the Joseon Dynasty; he invented the first metal printing press and water gauge. https://en.wikipedia.org/wiki/Jang_Yeong-sil
+		"jang",
+
+		// Betty Jennings - one of the original programmers of the ENIAC. https://en.wikipedia.org/wiki/ENIAC - https://en.wikipedia.org/wiki/Jean_Bartik
+		"jennings",
+
+		// Mary Lou Jepsen, was the founder and chief technology officer of One Laptop Per Child (OLPC), and the founder of Pixel Qi. https://en.wikipedia.org/wiki/Mary_Lou_Jepsen
+		"jepsen",
+
+		// Katherine Coleman Goble Johnson - American physicist and mathematician contributed to the NASA. https://en.wikipedia.org/wiki/Katherine_Johnson
+		"johnson",
+
+		// Irène Joliot-Curie - French scientist who was awarded the Nobel Prize for Chemistry in 1935. Daughter of Marie and Pierre Curie. https://en.wikipedia.org/wiki/Ir%C3%A8ne_Joliot-Curie
+		"joliot",
+
+		// Karen Spärck Jones came up with the concept of inverse document frequency, which is used in most search engines today. https://en.wikipedia.org/wiki/Karen_Sp%C3%A4rck_Jones
+		"jones",
+
+		// A. P. J. Abdul Kalam - is an Indian scientist aka Missile Man of India for his work on the development of ballistic missile and launch vehicle technology - https://en.wikipedia.org/wiki/A._P._J._Abdul_Kalam
+		"kalam",
+
+		// Sergey Petrovich Kapitsa (Russian: Серге́й Петро́вич Капи́ца; 14 February 1928 – 14 August 2012) was a Russian physicist and demographer. He was best known as host of the popular and long-running Russian scientific TV show, Evident, but Incredible. His father was the Nobel laureate Soviet-era physicist Pyotr Kapitsa, and his brother was the geographer and Antarctic explorer Andrey Kapitsa. - https://en.wikipedia.org/wiki/Sergey_Kapitsa
+		"kapitsa",
+
+		// Susan Kare, created the icons and many of the interface elements for the original Apple Macintosh in the 1980s, and was an original employee of NeXT, working as the Creative Director. https://en.wikipedia.org/wiki/Susan_Kare
+		"kare",
+
+		// Mstislav Keldysh - a Soviet scientist in the field of mathematics and mechanics, academician of the USSR Academy of Sciences (1946), President of the USSR Academy of Sciences (1961–1975), three times Hero of Socialist Labor (1956, 1961, 1971), fellow of the Royal Society of Edinburgh (1968). https://en.wikipedia.org/wiki/Mstislav_Keldysh
+		"keldysh",
+
+		// Mary Kenneth Keller, Sister Mary Kenneth Keller became the first American woman to earn a PhD in Computer Science in 1965. https://en.wikipedia.org/wiki/Mary_Kenneth_Keller
+		"keller",
+
+		// Johannes Kepler, German astronomer known for his three laws of planetary motion - https://en.wikipedia.org/wiki/Johannes_Kepler
+		"kepler",
+
+		// Har Gobind Khorana - Indian-American biochemist who shared the 1968 Nobel Prize for Physiology - https://en.wikipedia.org/wiki/Har_Gobind_Khorana
+		"khorana",
+
+		// Jack Kilby invented silicone integrated circuits and gave Silicon Valley its name. - https://en.wikipedia.org/wiki/Jack_Kilby
+		"kilby",
+
+		// Maria Kirch - German astronomer and first woman to discover a comet - https://en.wikipedia.org/wiki/Maria_Margarethe_Kirch
+		"kirch",
+
+		// Donald Knuth - American computer scientist, author of "The Art of Computer Programming" and creator of the TeX typesetting system. https://en.wikipedia.org/wiki/Donald_Knuth
+		"knuth",
+
+		// Sophie Kowalevski - Russian mathematician responsible for important original contributions to analysis, differential equations and mechanics - https://en.wikipedia.org/wiki/Sofia_Kovalevskaya
+		"kowalevski",
+
+		// Marie-Jeanne de Lalande - French astronomer, mathematician and cataloguer of stars - https://en.wikipedia.org/wiki/Marie-Jeanne_de_Lalande
+		"lalande",
+
+		// Hedy Lamarr - Actress and inventor. The principles of her work are now incorporated into modern Wi-Fi, CDMA and Bluetooth technology. https://en.wikipedia.org/wiki/Hedy_Lamarr
+		"lamarr",
+
+		// Leslie B. Lamport - American computer scientist. Lamport is best known for his seminal work in distributed systems and was the winner of the 2013 Turing Award. https://en.wikipedia.org/wiki/Leslie_Lamport
+		"lamport",
+
+		// Mary Leakey - British paleoanthropologist who discovered the first fossilized Proconsul skull - https://en.wikipedia.org/wiki/Mary_Leakey
+		"leakey",
+
+		// Henrietta Swan Leavitt - she was an American astronomer who discovered the relation between the luminosity and the period of Cepheid variable stars. https://en.wikipedia.org/wiki/Henrietta_Swan_Leavitt
+		"leavitt",
+
+		// Daniel Lewin - Mathematician, Akamai co-founder, soldier, 9/11 victim-- Developed optimization techniques for routing traffic on the internet. Died attempting to stop the 9-11 hijackers. https://en.wikipedia.org/wiki/Daniel_Lewin
+		"lewin",
+
+		// Ruth Lichterman - one of the original programmers of the ENIAC. https://en.wikipedia.org/wiki/ENIAC - https://en.wikipedia.org/wiki/Ruth_Teitelbaum
+		"lichterman",
+
+		// Barbara Liskov - co-developed the Liskov substitution principle. Liskov was also the winner of the Turing Prize in 2008. - https://en.wikipedia.org/wiki/Barbara_Liskov
+		"liskov",
+
+		// Ada Lovelace invented the first algorithm. https://en.wikipedia.org/wiki/Ada_Lovelace (thanks James Turnbull)
+		"lovelace",
+
+		// Auguste and Louis Lumière - the first filmmakers in history - https://en.wikipedia.org/wiki/Auguste_and_Louis_Lumi%C3%A8re
+		"lumiere",
+
+		// Mahavira - Ancient Indian mathematician during 9th century AD who discovered basic algebraic identities - https://en.wikipedia.org/wiki/Mah%C4%81v%C4%ABra_(mathematician)
+		"mahavira",
+
+		// Maria Mayer - American theoretical physicist and Nobel laureate in Physics for proposing the nuclear shell model of the atomic nucleus - https://en.wikipedia.org/wiki/Maria_Mayer
+		"mayer",
+
+		// John McCarthy invented LISP: https://en.wikipedia.org/wiki/John_McCarthy_(computer_scientist)
+		"mccarthy",
+
+		// Barbara McClintock - a distinguished American cytogeneticist, 1983 Nobel Laureate in Physiology or Medicine for discovering transposons. https://en.wikipedia.org/wiki/Barbara_McClintock
+		"mcclintock",
+
+		// Malcolm McLean invented the modern shipping container: https://en.wikipedia.org/wiki/Malcom_McLean
+		"mclean",
+
+		// Kay McNulty - one of the original programmers of the ENIAC. https://en.wikipedia.org/wiki/ENIAC - https://en.wikipedia.org/wiki/Kathleen_Antonelli
+		"mcnulty",
+
+		// Dmitri Mendeleev - a chemist and inventor. He formulated the Periodic Law, created a farsighted version of the periodic table of elements, and used it to correct the properties of some already discovered elements and also to predict the properties of eight elements yet to be discovered. https://en.wikipedia.org/wiki/Dmitri_Mendeleev
+		"mendeleev",
+
+		// Lise Meitner - Austrian/Swedish physicist who was involved in the discovery of nuclear fission. The element meitnerium is named after her - https://en.wikipedia.org/wiki/Lise_Meitner
+		"meitner",
+
+		// Carla Meninsky, was the game designer and programmer for Atari 2600 games Dodge 'Em and Warlords. https://en.wikipedia.org/wiki/Carla_Meninsky
+		"meninsky",
+
+		// Johanna Mestorf - German prehistoric archaeologist and first female museum director in Germany - https://en.wikipedia.org/wiki/Johanna_Mestorf
+		"mestorf",
+
+		// Marvin Minsky - Pioneer in Artificial Intelligence, co-founder of the MIT's AI Lab, won the Turing Award in 1969. https://en.wikipedia.org/wiki/Marvin_Minsky
+		"minsky",
+
+		// Maryam Mirzakhani - an Iranian mathematician and the first woman to win the Fields Medal. https://en.wikipedia.org/wiki/Maryam_Mirzakhani
+		"mirzakhani",
+
+		// Samuel Morse - contributed to the invention of a single-wire telegraph system based on European telegraphs and was a co-developer of the Morse code - https://en.wikipedia.org/wiki/Samuel_Morse
+		"morse",
+
+		// Ian Murdock - founder of the Debian project - https://en.wikipedia.org/wiki/Ian_Murdock
+		"murdock",
+
+		// John von Neumann - todays computer architectures are based on the von Neumann architecture. https://en.wikipedia.org/wiki/Von_Neumann_architecture
+		"neumann",
+
+		// Isaac Newton invented classic mechanics and modern optics. https://en.wikipedia.org/wiki/Isaac_Newton
+		"newton",
+
+		// Florence Nightingale, more prominently known as a nurse, was also the first female member of the Royal Statistical Society and a pioneer in statistical graphics https://en.wikipedia.org/wiki/Florence_Nightingale#Statistics_and_sanitary_reform
+		"nightingale",
+
+		// Alfred Nobel - a Swedish chemist, engineer, innovator, and armaments manufacturer (inventor of dynamite) - https://en.wikipedia.org/wiki/Alfred_Nobel
+		"nobel",
+
+		// Emmy Noether, German mathematician. Noether's Theorem is named after her. https://en.wikipedia.org/wiki/Emmy_Noether
+		"noether",
+
+		// Poppy Northcutt. Poppy Northcutt was the first woman to work as part of NASA’s Mission Control. http://www.businessinsider.com/poppy-northcutt-helped-apollo-astronauts-2014-12?op=1
+		"northcutt",
+
+		// Robert Noyce invented silicone integrated circuits and gave Silicon Valley its name. - https://en.wikipedia.org/wiki/Robert_Noyce
+		"noyce",
+
+		// Panini - Ancient Indian linguist and grammarian from 4th century CE who worked on the world's first formal system - https://en.wikipedia.org/wiki/P%C4%81%E1%B9%87ini#Comparison_with_modern_formal_systems
+		"panini",
+
+		// Ambroise Pare invented modern surgery. https://en.wikipedia.org/wiki/Ambroise_Par%C3%A9
+		"pare",
+
+		// Louis Pasteur discovered vaccination, fermentation and pasteurization. https://en.wikipedia.org/wiki/Louis_Pasteur.
+		"pasteur",
+
+		// Cecilia Payne-Gaposchkin was an astronomer and astrophysicist who, in 1925, proposed in her Ph.D. thesis an explanation for the composition of stars in terms of the relative abundances of hydrogen and helium. https://en.wikipedia.org/wiki/Cecilia_Payne-Gaposchkin
+		"payne",
+
+		// Radia Perlman is a software designer and network engineer and most famous for her invention of the spanning-tree protocol (STP). https://en.wikipedia.org/wiki/Radia_Perlman
+		"perlman",
+
+		// Rob Pike was a key contributor to Unix, Plan 9, the X graphic system, utf-8, and the Go programming language. https://en.wikipedia.org/wiki/Rob_Pike
+		"pike",
+
+		// Henri Poincaré made fundamental contributions in several fields of mathematics. https://en.wikipedia.org/wiki/Henri_Poincar%C3%A9
+		"poincare",
+
+		// Laura Poitras is a director and producer whose work, made possible by open source crypto tools, advances the causes of truth and freedom of information by reporting disclosures by whistleblowers such as Edward Snowden. https://en.wikipedia.org/wiki/Laura_Poitras
+		"poitras",
+
+		// Tat’yana Avenirovna Proskuriakova (Russian: Татья́на Авени́ровна Проскуряко́ва) (January 23 [O.S. January 10] 1909 – August 30, 1985) was a Russian-American Mayanist scholar and archaeologist who contributed significantly to the deciphering of Maya hieroglyphs, the writing system of the pre-Columbian Maya civilization of Mesoamerica. https://en.wikipedia.org/wiki/Tatiana_Proskouriakoff
+		"proskuriakova",
+
+		// Claudius Ptolemy - a Greco-Egyptian writer of Alexandria, known as a mathematician, astronomer, geographer, astrologer, and poet of a single epigram in the Greek Anthology - https://en.wikipedia.org/wiki/Ptolemy
+		"ptolemy",
+
+		// C. V. Raman - Indian physicist who won the Nobel Prize in 1930 for proposing the Raman effect. - https://en.wikipedia.org/wiki/C._V._Raman
+		"raman",
+
+		// Srinivasa Ramanujan - Indian mathematician and autodidact who made extraordinary contributions to mathematical analysis, number theory, infinite series, and continued fractions. - https://en.wikipedia.org/wiki/Srinivasa_Ramanujan
+		"ramanujan",
+
+		// Sally Kristen Ride was an American physicist and astronaut. She was the first American woman in space, and the youngest American astronaut. https://en.wikipedia.org/wiki/Sally_Ride
+		"ride",
+
+		// Rita Levi-Montalcini - Won Nobel Prize in Physiology or Medicine jointly with colleague Stanley Cohen for the discovery of nerve growth factor (https://en.wikipedia.org/wiki/Rita_Levi-Montalcini)
+		"montalcini",
+
+		// Dennis Ritchie - co-creator of UNIX and the C programming language. - https://en.wikipedia.org/wiki/Dennis_Ritchie
+		"ritchie",
+
+		// Wilhelm Conrad Röntgen - German physicist who was awarded the first Nobel Prize in Physics in 1901 for the discovery of X-rays (Röntgen rays). https://en.wikipedia.org/wiki/Wilhelm_R%C3%B6ntgen
+		"roentgen",
+
+		// Rosalind Franklin - British biophysicist and X-ray crystallographer whose research was critical to the understanding of DNA - https://en.wikipedia.org/wiki/Rosalind_Franklin
+		"rosalind",
+
+		// Meghnad Saha - Indian astrophysicist best known for his development of the Saha equation, used to describe chemical and physical conditions in stars - https://en.wikipedia.org/wiki/Meghnad_Saha
+		"saha",
+
+		// Jean E. Sammet developed FORMAC, the first widely used computer language for symbolic manipulation of mathematical formulas. https://en.wikipedia.org/wiki/Jean_E._Sammet
+		"sammet",
+
+		// Carol Shaw - Originally an Atari employee, Carol Shaw is said to be the first female video game designer. https://en.wikipedia.org/wiki/Carol_Shaw_(video_game_designer)
+		"shaw",
+
+		// Dame Stephanie "Steve" Shirley - Founded a software company in 1962 employing women working from home. https://en.wikipedia.org/wiki/Steve_Shirley
+		"shirley",
+
+		// William Shockley co-invented the transistor - https://en.wikipedia.org/wiki/William_Shockley
+		"shockley",
+
+		// Françoise Barré-Sinoussi - French virologist and Nobel Prize Laureate in Physiology or Medicine; her work was fundamental in identifying HIV as the cause of AIDS. https://en.wikipedia.org/wiki/Fran%C3%A7oise_Barr%C3%A9-Sinoussi
+		"sinoussi",
+
+		// Betty Snyder - one of the original programmers of the ENIAC. https://en.wikipedia.org/wiki/ENIAC - https://en.wikipedia.org/wiki/Betty_Holberton
+		"snyder",
+
+		// Frances Spence - one of the original programmers of the ENIAC. https://en.wikipedia.org/wiki/ENIAC - https://en.wikipedia.org/wiki/Frances_Spence
+		"spence",
+
+		// Richard Matthew Stallman - the founder of the Free Software movement, the GNU project, the Free Software Foundation, and the League for Programming Freedom. He also invented the concept of copyleft to protect the ideals of this movement, and enshrined this concept in the widely-used GPL (General Public License) for software. https://en.wikiquote.org/wiki/Richard_Stallman
+		"stallman",
+
+		// Lina Solomonovna Stern (or Shtern; Russian: Лина Соломоновна Штерн; 26 August 1878 – 7 March 1968) was a Soviet biochemist, physiologist and humanist whose medical discoveries saved thousands of lives at the fronts of World War II. She is best known for her pioneering work on blood–brain barrier, which she described as hemato-encephalic barrier in 1921. https://en.wikipedia.org/wiki/Lina_Stern
+		"shtern",
+
+		// Michael Stonebraker is a database research pioneer and architect of Ingres, Postgres, VoltDB and SciDB. Winner of 2014 ACM Turing Award. https://en.wikipedia.org/wiki/Michael_Stonebraker
+		"stonebraker",
+
+		// Janese Swanson (with others) developed the first of the Carmen Sandiego games. She went on to found Girl Tech. https://en.wikipedia.org/wiki/Janese_Swanson
+		"swanson",
+
+		// Aaron Swartz was influential in creating RSS, Markdown, Creative Commons, Reddit, and much of the internet as we know it today. He was devoted to freedom of information on the web. https://en.wikiquote.org/wiki/Aaron_Swartz
+		"swartz",
+
+		// Bertha Swirles was a theoretical physicist who made a number of contributions to early quantum theory. https://en.wikipedia.org/wiki/Bertha_Swirles
+		"swirles",
+
+		// Valentina Tereshkova is a russian engineer, cosmonaut and politician. She was the first woman flying to space in 1963. In 2013, at the age of 76, she offered to go on a one-way mission to mars. https://en.wikipedia.org/wiki/Valentina_Tereshkova
+		"tereshkova",
+
+		// Nikola Tesla invented the AC electric system and every gadget ever used by a James Bond villain. https://en.wikipedia.org/wiki/Nikola_Tesla
+		"tesla",
+
+		// Ken Thompson - co-creator of UNIX and the C programming language - https://en.wikipedia.org/wiki/Ken_Thompson
+		"thompson",
+
+		// Linus Torvalds invented Linux and Git. https://en.wikipedia.org/wiki/Linus_Torvalds
+		"torvalds",
+
+		// Alan Turing was a founding father of computer science. https://en.wikipedia.org/wiki/Alan_Turing.
+		"turing",
+
+		// Varahamihira - Ancient Indian mathematician who discovered trigonometric formulae during 505-587 CE - https://en.wikipedia.org/wiki/Var%C4%81hamihira#Contributions
+		"varahamihira",
+
+		// Dorothy Vaughan was a NASA mathematician and computer programmer on the SCOUT launch vehicle program that put America's first satellites into space - https://en.wikipedia.org/wiki/Dorothy_Vaughan
+		"vaughan",
+
+		// Sir Mokshagundam Visvesvaraya - is a notable Indian engineer.  He is a recipient of the Indian Republic's highest honour, the Bharat Ratna, in 1955. On his birthday, 15 September is celebrated as Engineer's Day in India in his memory - https://en.wikipedia.org/wiki/Visvesvaraya
+		"visvesvaraya",
+
+		// Christiane Nüsslein-Volhard - German biologist, won Nobel Prize in Physiology or Medicine in 1995 for research on the genetic control of embryonic development. https://en.wikipedia.org/wiki/Christiane_N%C3%BCsslein-Volhard
+		"volhard",
+
+		// Cédric Villani - French mathematician, won Fields Medal, Fermat Prize and Poincaré Price for his work in differential geometry and statistical mechanics. https://en.wikipedia.org/wiki/C%C3%A9dric_Villani
+		"villani",
+
+		// Marlyn Wescoff - one of the original programmers of the ENIAC. https://en.wikipedia.org/wiki/ENIAC - https://en.wikipedia.org/wiki/Marlyn_Meltzer
+		"wescoff",
+
+		// Andrew Wiles - Notable British mathematician who proved the enigmatic Fermat's Last Theorem - https://en.wikipedia.org/wiki/Andrew_Wiles
+		"wiles",
+
+		// Roberta Williams, did pioneering work in graphical adventure games for personal computers, particularly the King's Quest series. https://en.wikipedia.org/wiki/Roberta_Williams
+		"williams",
+
+		// Sophie Wilson designed the first Acorn Micro-Computer and the instruction set for ARM processors. https://en.wikipedia.org/wiki/Sophie_Wilson
+		"wilson",
+
+		// Jeannette Wing - co-developed the Liskov substitution principle. - https://en.wikipedia.org/wiki/Jeannette_Wing
+		"wing",
+
+		// Steve Wozniak invented the Apple I and Apple II. https://en.wikipedia.org/wiki/Steve_Wozniak
+		"wozniak",
+
+		// The Wright brothers, Orville and Wilbur - credited with inventing and building the world's first successful airplane and making the first controlled, powered and sustained heavier-than-air human flight - https://en.wikipedia.org/wiki/Wright_brothers
+		"wright",
+
+		// Rosalyn Sussman Yalow - Rosalyn Sussman Yalow was an American medical physicist, and a co-winner of the 1977 Nobel Prize in Physiology or Medicine for development of the radioimmunoassay technique. https://en.wikipedia.org/wiki/Rosalyn_Sussman_Yalow
+		"yalow",
+
+		// Ada Yonath - an Israeli crystallographer, the first woman from the Middle East to win a Nobel prize in the sciences. https://en.wikipedia.org/wiki/Ada_Yonath
+		"yonath",
+
+		// Nikolay Yegorovich Zhukovsky (Russian: Никола́й Его́рович Жуко́вский, January 17 1847 – March 17, 1921) was a Russian scientist, mathematician and engineer, and a founding father of modern aero- and hydrodynamics. Whereas contemporary scientists scoffed at the idea of human flight, Zhukovsky was the first to undertake the study of airflow. He is often called the Father of Russian Aviation. https://en.wikipedia.org/wiki/Nikolay_Yegorovich_Zhukovsky
+		"zhukovsky",
+	}
+)
+
+// GetRandomName generates a random name from the list of adjectives and surnames in this package
+// formatted as "adjective_surname". For example 'focused_turing'. If retry is non-zero, a random
+// integer between 0 and 10 will be added to the end of the name, e.g `focused_turing3`
+func GetRandomName(retry int) string {
+begin:
+	name := fmt.Sprintf("%s_%s", left[rand.Intn(len(left))], right[rand.Intn(len(right))])
+	if name == "boring_wozniak" /* Steve Wozniak is not boring */ {
+		goto begin
+	}
+
+	if retry > 0 {
+		name = fmt.Sprintf("%s%d", name, rand.Intn(10))
+	}
+	return name
+}
diff --git a/engine/pkg/namesgenerator/names-generator_test.go b/engine/pkg/namesgenerator/names-generator_test.go
new file mode 100644
index 00000000..6ee31e9c
--- /dev/null
+++ b/engine/pkg/namesgenerator/names-generator_test.go
@@ -0,0 +1,27 @@
+package namesgenerator // import "github.com/docker/docker/pkg/namesgenerator"
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestNameFormat(t *testing.T) {
+	name := GetRandomName(0)
+	if !strings.Contains(name, "_") {
+		t.Fatalf("Generated name does not contain an underscore")
+	}
+	if strings.ContainsAny(name, "0123456789") {
+		t.Fatalf("Generated name contains numbers!")
+	}
+}
+
+func TestNameRetries(t *testing.T) {
+	name := GetRandomName(1)
+	if !strings.Contains(name, "_") {
+		t.Fatalf("Generated name does not contain an underscore")
+	}
+	if !strings.ContainsAny(name, "0123456789") {
+		t.Fatalf("Generated name doesn't contain a number")
+	}
+
+}
diff --git a/engine/pkg/parsers/kernel/kernel.go b/engine/pkg/parsers/kernel/kernel.go
new file mode 100644
index 00000000..94780ef6
--- /dev/null
+++ b/engine/pkg/parsers/kernel/kernel.go
@@ -0,0 +1,74 @@
+// +build !windows
+
+// Package kernel provides helper function to get, parse and compare kernel
+// versions for different platforms.
+package kernel // import "github.com/docker/docker/pkg/parsers/kernel"
+
+import (
+	"errors"
+	"fmt"
+)
+
+// VersionInfo holds information about the kernel.
+type VersionInfo struct {
+	Kernel int    // Version of the kernel (e.g. 4.1.2-generic -> 4)
+	Major  int    // Major part of the kernel version (e.g. 4.1.2-generic -> 1)
+	Minor  int    // Minor part of the kernel version (e.g. 4.1.2-generic -> 2)
+	Flavor string // Flavor of the kernel version (e.g. 4.1.2-generic -> generic)
+}
+
+func (k *VersionInfo) String() string {
+	return fmt.Sprintf("%d.%d.%d%s", k.Kernel, k.Major, k.Minor, k.Flavor)
+}
+
+// CompareKernelVersion compares two kernel.VersionInfo structs.
+// Returns -1 if a < b, 0 if a == b, 1 it a > b
+func CompareKernelVersion(a, b VersionInfo) int {
+	if a.Kernel < b.Kernel {
+		return -1
+	} else if a.Kernel > b.Kernel {
+		return 1
+	}
+
+	if a.Major < b.Major {
+		return -1
+	} else if a.Major > b.Major {
+		return 1
+	}
+
+	if a.Minor < b.Minor {
+		return -1
+	} else if a.Minor > b.Minor {
+		return 1
+	}
+
+	return 0
+}
+
+// ParseRelease parses a string and creates a VersionInfo based on it.
+func ParseRelease(release string) (*VersionInfo, error) {
+	var (
+		kernel, major, minor, parsed int
+		flavor, partial              string
+	)
+
+	// Ignore error from Sscanf to allow an empty flavor.  Instead, just
+	// make sure we got all the version numbers.
+	parsed, _ = fmt.Sscanf(release, "%d.%d%s", &kernel, &major, &partial)
+	if parsed < 2 {
+		return nil, errors.New("Can't parse kernel version " + release)
+	}
+
+	// sometimes we have 3.12.25-gentoo, but sometimes we just have 3.12-1-amd64
+	parsed, _ = fmt.Sscanf(partial, ".%d%s", &minor, &flavor)
+	if parsed < 1 {
+		flavor = partial
+	}
+
+	return &VersionInfo{
+		Kernel: kernel,
+		Major:  major,
+		Minor:  minor,
+		Flavor: flavor,
+	}, nil
+}
diff --git a/engine/pkg/parsers/kernel/kernel_darwin.go b/engine/pkg/parsers/kernel/kernel_darwin.go
new file mode 100644
index 00000000..6e599eeb
--- /dev/null
+++ b/engine/pkg/parsers/kernel/kernel_darwin.go
@@ -0,0 +1,56 @@
+// +build darwin
+
+// Package kernel provides helper function to get, parse and compare kernel
+// versions for different platforms.
+package kernel // import "github.com/docker/docker/pkg/parsers/kernel"
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+
+	"github.com/mattn/go-shellwords"
+)
+
+// GetKernelVersion gets the current kernel version.
+func GetKernelVersion() (*VersionInfo, error) {
+	release, err := getRelease()
+	if err != nil {
+		return nil, err
+	}
+
+	return ParseRelease(release)
+}
+
+// getRelease uses `system_profiler SPSoftwareDataType` to get OSX kernel version
+func getRelease() (string, error) {
+	cmd := exec.Command("system_profiler", "SPSoftwareDataType")
+	osName, err := cmd.Output()
+	if err != nil {
+		return "", err
+	}
+
+	var release string
+	data := strings.Split(string(osName), "\n")
+	for _, line := range data {
+		if strings.Contains(line, "Kernel Version") {
+			// It has the format like '      Kernel Version: Darwin 14.5.0'
+			content := strings.SplitN(line, ":", 2)
+			if len(content) != 2 {
+				return "", fmt.Errorf("Kernel Version is invalid")
+			}
+
+			prettyNames, err := shellwords.Parse(content[1])
+			if err != nil {
+				return "", fmt.Errorf("Kernel Version is invalid: %s", err.Error())
+			}
+
+			if len(prettyNames) != 2 {
+				return "", fmt.Errorf("Kernel Version needs to be 'Darwin x.x.x' ")
+			}
+			release = prettyNames[1]
+		}
+	}
+
+	return release, nil
+}
diff --git a/engine/pkg/parsers/kernel/kernel_unix.go b/engine/pkg/parsers/kernel/kernel_unix.go
new file mode 100644
index 00000000..8a9aa312
--- /dev/null
+++ b/engine/pkg/parsers/kernel/kernel_unix.go
@@ -0,0 +1,35 @@
+// +build linux freebsd openbsd
+
+// Package kernel provides helper function to get, parse and compare kernel
+// versions for different platforms.
+package kernel // import "github.com/docker/docker/pkg/parsers/kernel"
+
+import (
+	"bytes"
+
+	"github.com/sirupsen/logrus"
+)
+
+// GetKernelVersion gets the current kernel version.
+func GetKernelVersion() (*VersionInfo, error) {
+	uts, err := uname()
+	if err != nil {
+		return nil, err
+	}
+
+	// Remove the \x00 from the release for Atoi to parse correctly
+	return ParseRelease(string(uts.Release[:bytes.IndexByte(uts.Release[:], 0)]))
+}
+
+// CheckKernelVersion checks if current kernel is newer than (or equal to)
+// the given version.
+func CheckKernelVersion(k, major, minor int) bool {
+	if v, err := GetKernelVersion(); err != nil {
+		logrus.Warnf("error getting kernel version: %s", err)
+	} else {
+		if CompareKernelVersion(*v, VersionInfo{Kernel: k, Major: major, Minor: minor}) < 0 {
+			return false
+		}
+	}
+	return true
+}
diff --git a/engine/pkg/parsers/kernel/kernel_unix_test.go b/engine/pkg/parsers/kernel/kernel_unix_test.go
new file mode 100644
index 00000000..2f36490c
--- /dev/null
+++ b/engine/pkg/parsers/kernel/kernel_unix_test.go
@@ -0,0 +1,96 @@
+// +build !windows
+
+package kernel // import "github.com/docker/docker/pkg/parsers/kernel"
+
+import (
+	"fmt"
+	"testing"
+)
+
+func assertParseRelease(t *testing.T, release string, b *VersionInfo, result int) {
+	var (
+		a *VersionInfo
+	)
+	a, _ = ParseRelease(release)
+
+	if r := CompareKernelVersion(*a, *b); r != result {
+		t.Fatalf("Unexpected kernel version comparison result for (%v,%v). Found %d, expected %d", release, b, r, result)
+	}
+	if a.Flavor != b.Flavor {
+		t.Fatalf("Unexpected parsed kernel flavor.  Found %s, expected %s", a.Flavor, b.Flavor)
+	}
+}
+
+// TestParseRelease tests the ParseRelease() function
+func TestParseRelease(t *testing.T) {
+	assertParseRelease(t, "3.8.0", &VersionInfo{Kernel: 3, Major: 8, Minor: 0}, 0)
+	assertParseRelease(t, "3.4.54.longterm-1", &VersionInfo{Kernel: 3, Major: 4, Minor: 54, Flavor: ".longterm-1"}, 0)
+	assertParseRelease(t, "3.4.54.longterm-1", &VersionInfo{Kernel: 3, Major: 4, Minor: 54, Flavor: ".longterm-1"}, 0)
+	assertParseRelease(t, "3.8.0-19-generic", &VersionInfo{Kernel: 3, Major: 8, Minor: 0, Flavor: "-19-generic"}, 0)
+	assertParseRelease(t, "3.12.8tag", &VersionInfo{Kernel: 3, Major: 12, Minor: 8, Flavor: "tag"}, 0)
+	assertParseRelease(t, "3.12-1-amd64", &VersionInfo{Kernel: 3, Major: 12, Minor: 0, Flavor: "-1-amd64"}, 0)
+	assertParseRelease(t, "3.8.0", &VersionInfo{Kernel: 4, Major: 8, Minor: 0}, -1)
+	// Errors
+	invalids := []string{
+		"3",
+		"a",
+		"a.a",
+		"a.a.a-a",
+	}
+	for _, invalid := range invalids {
+		expectedMessage := fmt.Sprintf("Can't parse kernel version %v", invalid)
+		if _, err := ParseRelease(invalid); err == nil || err.Error() != expectedMessage {
+
+		}
+	}
+}
+
+func assertKernelVersion(t *testing.T, a, b VersionInfo, result int) {
+	if r := CompareKernelVersion(a, b); r != result {
+		t.Fatalf("Unexpected kernel version comparison result. Found %d, expected %d", r, result)
+	}
+}
+
+// TestCompareKernelVersion tests the CompareKernelVersion() function
+func TestCompareKernelVersion(t *testing.T) {
+	assertKernelVersion(t,
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		0)
+	assertKernelVersion(t,
+		VersionInfo{Kernel: 2, Major: 6, Minor: 0},
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		-1)
+	assertKernelVersion(t,
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		VersionInfo{Kernel: 2, Major: 6, Minor: 0},
+		1)
+	assertKernelVersion(t,
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		0)
+	assertKernelVersion(t,
+		VersionInfo{Kernel: 3, Major: 8, Minor: 5},
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		1)
+	assertKernelVersion(t,
+		VersionInfo{Kernel: 3, Major: 0, Minor: 20},
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		-1)
+	assertKernelVersion(t,
+		VersionInfo{Kernel: 3, Major: 7, Minor: 20},
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		-1)
+	assertKernelVersion(t,
+		VersionInfo{Kernel: 3, Major: 8, Minor: 20},
+		VersionInfo{Kernel: 3, Major: 7, Minor: 0},
+		1)
+	assertKernelVersion(t,
+		VersionInfo{Kernel: 3, Major: 8, Minor: 20},
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		1)
+	assertKernelVersion(t,
+		VersionInfo{Kernel: 3, Major: 8, Minor: 0},
+		VersionInfo{Kernel: 3, Major: 8, Minor: 20},
+		-1)
+}
diff --git a/engine/pkg/parsers/kernel/kernel_windows.go b/engine/pkg/parsers/kernel/kernel_windows.go
new file mode 100644
index 00000000..b7b15a1f
--- /dev/null
+++ b/engine/pkg/parsers/kernel/kernel_windows.go
@@ -0,0 +1,51 @@
+package kernel // import "github.com/docker/docker/pkg/parsers/kernel"
+
+import (
+	"fmt"
+
+	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/registry"
+)
+
+// VersionInfo holds information about the kernel.
+type VersionInfo struct {
+	kvi   string // Version of the kernel (e.g. 6.1.7601.17592 -> 6)
+	major int    // Major part of the kernel version (e.g. 6.1.7601.17592 -> 1)
+	minor int    // Minor part of the kernel version (e.g. 6.1.7601.17592 -> 7601)
+	build int    // Build number of the kernel version (e.g. 6.1.7601.17592 -> 17592)
+}
+
+func (k *VersionInfo) String() string {
+	return fmt.Sprintf("%d.%d %d (%s)", k.major, k.minor, k.build, k.kvi)
+}
+
+// GetKernelVersion gets the current kernel version.
+func GetKernelVersion() (*VersionInfo, error) {
+
+	KVI := &VersionInfo{"Unknown", 0, 0, 0}
+
+	k, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion`, registry.QUERY_VALUE)
+	if err != nil {
+		return KVI, err
+	}
+	defer k.Close()
+
+	blex, _, err := k.GetStringValue("BuildLabEx")
+	if err != nil {
+		return KVI, err
+	}
+	KVI.kvi = blex
+
+	// Important - docker.exe MUST be manifested for this API to return
+	// the correct information.
+	dwVersion, err := windows.GetVersion()
+	if err != nil {
+		return KVI, err
+	}
+
+	KVI.major = int(dwVersion & 0xFF)
+	KVI.minor = int((dwVersion & 0XFF00) >> 8)
+	KVI.build = int((dwVersion & 0xFFFF0000) >> 16)
+
+	return KVI, nil
+}
diff --git a/engine/pkg/parsers/kernel/uname_linux.go b/engine/pkg/parsers/kernel/uname_linux.go
new file mode 100644
index 00000000..212ff450
--- /dev/null
+++ b/engine/pkg/parsers/kernel/uname_linux.go
@@ -0,0 +1,17 @@
+package kernel // import "github.com/docker/docker/pkg/parsers/kernel"
+
+import "golang.org/x/sys/unix"
+
+// Utsname represents the system name structure.
+// It is passthrough for unix.Utsname in order to make it portable with
+// other platforms where it is not available.
+type Utsname unix.Utsname
+
+func uname() (*unix.Utsname, error) {
+	uts := &unix.Utsname{}
+
+	if err := unix.Uname(uts); err != nil {
+		return nil, err
+	}
+	return uts, nil
+}
diff --git a/engine/pkg/parsers/kernel/uname_solaris.go b/engine/pkg/parsers/kernel/uname_solaris.go
new file mode 100644
index 00000000..b2139b60
--- /dev/null
+++ b/engine/pkg/parsers/kernel/uname_solaris.go
@@ -0,0 +1,14 @@
+package kernel // import "github.com/docker/docker/pkg/parsers/kernel"
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+func uname() (*unix.Utsname, error) {
+	uts := &unix.Utsname{}
+
+	if err := unix.Uname(uts); err != nil {
+		return nil, err
+	}
+	return uts, nil
+}
diff --git a/engine/pkg/parsers/kernel/uname_unsupported.go b/engine/pkg/parsers/kernel/uname_unsupported.go
new file mode 100644
index 00000000..97906e4c
--- /dev/null
+++ b/engine/pkg/parsers/kernel/uname_unsupported.go
@@ -0,0 +1,18 @@
+// +build !linux
+
+package kernel // import "github.com/docker/docker/pkg/parsers/kernel"
+
+import (
+	"errors"
+)
+
+// Utsname represents the system name structure.
+// It is defined here to make it portable as it is available on linux but not
+// on windows.
+type Utsname struct {
+	Release [65]byte
+}
+
+func uname() (*Utsname, error) {
+	return nil, errors.New("Kernel version detection is available only on linux")
+}
diff --git a/engine/pkg/parsers/operatingsystem/operatingsystem_linux.go b/engine/pkg/parsers/operatingsystem/operatingsystem_linux.go
new file mode 100644
index 00000000..b251d6ae
--- /dev/null
+++ b/engine/pkg/parsers/operatingsystem/operatingsystem_linux.go
@@ -0,0 +1,77 @@
+// Package operatingsystem provides helper function to get the operating system
+// name for different platforms.
+package operatingsystem // import "github.com/docker/docker/pkg/parsers/operatingsystem"
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/mattn/go-shellwords"
+)
+
+var (
+	// file to use to detect if the daemon is running in a container
+	proc1Cgroup = "/proc/1/cgroup"
+
+	// file to check to determine Operating System
+	etcOsRelease = "/etc/os-release"
+
+	// used by stateless systems like Clear Linux
+	altOsRelease = "/usr/lib/os-release"
+)
+
+// GetOperatingSystem gets the name of the current operating system.
+func GetOperatingSystem() (string, error) {
+	osReleaseFile, err := os.Open(etcOsRelease)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return "", fmt.Errorf("Error opening %s: %v", etcOsRelease, err)
+		}
+		osReleaseFile, err = os.Open(altOsRelease)
+		if err != nil {
+			return "", fmt.Errorf("Error opening %s: %v", altOsRelease, err)
+		}
+	}
+	defer osReleaseFile.Close()
+
+	var prettyName string
+	scanner := bufio.NewScanner(osReleaseFile)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.HasPrefix(line, "PRETTY_NAME=") {
+			data := strings.SplitN(line, "=", 2)
+			prettyNames, err := shellwords.Parse(data[1])
+			if err != nil {
+				return "", fmt.Errorf("PRETTY_NAME is invalid: %s", err.Error())
+			}
+			if len(prettyNames) != 1 {
+				return "", fmt.Errorf("PRETTY_NAME needs to be enclosed by quotes if they have spaces: %s", data[1])
+			}
+			prettyName = prettyNames[0]
+		}
+	}
+	if prettyName != "" {
+		return prettyName, nil
+	}
+	// If not set, defaults to PRETTY_NAME="Linux"
+	// c.f. http://www.freedesktop.org/software/systemd/man/os-release.html
+	return "Linux", nil
+}
+
+// IsContainerized returns true if we are running inside a container.
+func IsContainerized() (bool, error) {
+	b, err := ioutil.ReadFile(proc1Cgroup)
+	if err != nil {
+		return false, err
+	}
+	for _, line := range bytes.Split(b, []byte{'\n'}) {
+		if len(line) > 0 && !bytes.HasSuffix(line, []byte{'/'}) && !bytes.HasSuffix(line, []byte("init.scope")) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
diff --git a/engine/pkg/parsers/operatingsystem/operatingsystem_unix.go b/engine/pkg/parsers/operatingsystem/operatingsystem_unix.go
new file mode 100644
index 00000000..f4792d37
--- /dev/null
+++ b/engine/pkg/parsers/operatingsystem/operatingsystem_unix.go
@@ -0,0 +1,25 @@
+// +build freebsd darwin
+
+package operatingsystem // import "github.com/docker/docker/pkg/parsers/operatingsystem"
+
+import (
+	"errors"
+	"os/exec"
+)
+
+// GetOperatingSystem gets the name of the current operating system.
+func GetOperatingSystem() (string, error) {
+	cmd := exec.Command("uname", "-s")
+	osName, err := cmd.Output()
+	if err != nil {
+		return "", err
+	}
+	return string(osName), nil
+}
+
+// IsContainerized returns true if we are running inside a container.
+// No-op on FreeBSD and Darwin, always returns false.
+func IsContainerized() (bool, error) {
+	// TODO: Implement jail detection for freeBSD
+	return false, errors.New("Cannot detect if we are in container")
+}
diff --git a/engine/pkg/parsers/operatingsystem/operatingsystem_unix_test.go b/engine/pkg/parsers/operatingsystem/operatingsystem_unix_test.go
new file mode 100644
index 00000000..d10ed4cd
--- /dev/null
+++ b/engine/pkg/parsers/operatingsystem/operatingsystem_unix_test.go
@@ -0,0 +1,247 @@
+// +build linux freebsd
+
+package operatingsystem // import "github.com/docker/docker/pkg/parsers/operatingsystem"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestGetOperatingSystem(t *testing.T) {
+	var backup = etcOsRelease
+
+	invalids := []struct {
+		content       string
+		errorExpected string
+	}{
+		{
+			`PRETTY_NAME=Source Mage GNU/Linux
+PRETTY_NAME=Ubuntu 14.04.LTS`,
+			"PRETTY_NAME needs to be enclosed by quotes if they have spaces: Source Mage GNU/Linux",
+		},
+		{
+			`PRETTY_NAME="Ubuntu Linux
+PRETTY_NAME=Ubuntu 14.04.LTS`,
+			"PRETTY_NAME is invalid: invalid command line string",
+		},
+		{
+			`PRETTY_NAME=Ubuntu'
+PRETTY_NAME=Ubuntu 14.04.LTS`,
+			"PRETTY_NAME is invalid: invalid command line string",
+		},
+		{
+			`PRETTY_NAME'
+PRETTY_NAME=Ubuntu 14.04.LTS`,
+			"PRETTY_NAME needs to be enclosed by quotes if they have spaces: Ubuntu 14.04.LTS",
+		},
+	}
+
+	valids := []struct {
+		content  string
+		expected string
+	}{
+		{
+			`NAME="Ubuntu"
+PRETTY_NAME_AGAIN="Ubuntu 14.04.LTS"
+VERSION="14.04, Trusty Tahr"
+ID=ubuntu
+ID_LIKE=debian
+VERSION_ID="14.04"
+HOME_URL="http://www.ubuntu.com/"
+SUPPORT_URL="http://help.ubuntu.com/"
+BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"`,
+			"Linux",
+		},
+		{
+			`NAME="Ubuntu"
+VERSION="14.04, Trusty Tahr"
+ID=ubuntu
+ID_LIKE=debian
+VERSION_ID="14.04"
+HOME_URL="http://www.ubuntu.com/"
+SUPPORT_URL="http://help.ubuntu.com/"
+BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"`,
+			"Linux",
+		},
+		{
+			`NAME=Gentoo
+ID=gentoo
+PRETTY_NAME="Gentoo/Linux"
+ANSI_COLOR="1;32"
+HOME_URL="http://www.gentoo.org/"
+SUPPORT_URL="http://www.gentoo.org/main/en/support.xml"
+BUG_REPORT_URL="https://bugs.gentoo.org/"
+`,
+			"Gentoo/Linux",
+		},
+		{
+			`NAME="Ubuntu"
+VERSION="14.04, Trusty Tahr"
+ID=ubuntu
+ID_LIKE=debian
+PRETTY_NAME="Ubuntu 14.04 LTS"
+VERSION_ID="14.04"
+HOME_URL="http://www.ubuntu.com/"
+SUPPORT_URL="http://help.ubuntu.com/"
+BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"`,
+			"Ubuntu 14.04 LTS",
+		},
+		{
+			`NAME="Ubuntu"
+VERSION="14.04, Trusty Tahr"
+ID=ubuntu
+ID_LIKE=debian
+PRETTY_NAME='Ubuntu 14.04 LTS'`,
+			"Ubuntu 14.04 LTS",
+		},
+		{
+			`PRETTY_NAME=Source
+NAME="Source Mage"`,
+			"Source",
+		},
+		{
+			`PRETTY_NAME=Source
+PRETTY_NAME="Source Mage"`,
+			"Source Mage",
+		},
+	}
+
+	dir := os.TempDir()
+	etcOsRelease = filepath.Join(dir, "etcOsRelease")
+
+	defer func() {
+		os.Remove(etcOsRelease)
+		etcOsRelease = backup
+	}()
+
+	for _, elt := range invalids {
+		if err := ioutil.WriteFile(etcOsRelease, []byte(elt.content), 0600); err != nil {
+			t.Fatalf("failed to write to %s: %v", etcOsRelease, err)
+		}
+		s, err := GetOperatingSystem()
+		if err == nil || err.Error() != elt.errorExpected {
+			t.Fatalf("Expected an error %q, got %q (err: %v)", elt.errorExpected, s, err)
+		}
+	}
+
+	for _, elt := range valids {
+		if err := ioutil.WriteFile(etcOsRelease, []byte(elt.content), 0600); err != nil {
+			t.Fatalf("failed to write to %s: %v", etcOsRelease, err)
+		}
+		s, err := GetOperatingSystem()
+		if err != nil || s != elt.expected {
+			t.Fatalf("Expected %q, got %q (err: %v)", elt.expected, s, err)
+		}
+	}
+}
+
+func TestIsContainerized(t *testing.T) {
+	var (
+		backup                                = proc1Cgroup
+		nonContainerizedProc1Cgroupsystemd226 = []byte(`9:memory:/init.scope
+8:net_cls,net_prio:/
+7:cpuset:/
+6:freezer:/
+5:devices:/init.scope
+4:blkio:/init.scope
+3:cpu,cpuacct:/init.scope
+2:perf_event:/
+1:name=systemd:/init.scope
+`)
+		nonContainerizedProc1Cgroup = []byte(`14:name=systemd:/
+13:hugetlb:/
+12:net_prio:/
+11:perf_event:/
+10:bfqio:/
+9:blkio:/
+8:net_cls:/
+7:freezer:/
+6:devices:/
+5:memory:/
+4:cpuacct:/
+3:cpu:/
+2:cpuset:/
+`)
+		containerizedProc1Cgroup = []byte(`9:perf_event:/docker/3cef1b53c50b0fa357d994f8a1a8cd783c76bbf4f5dd08b226e38a8bd331338d
+8:blkio:/docker/3cef1b53c50b0fa357d994f8a1a8cd783c76bbf4f5dd08b226e38a8bd331338d
+7:net_cls:/
+6:freezer:/docker/3cef1b53c50b0fa357d994f8a1a8cd783c76bbf4f5dd08b226e38a8bd331338d
+5:devices:/docker/3cef1b53c50b0fa357d994f8a1a8cd783c76bbf4f5dd08b226e38a8bd331338d
+4:memory:/docker/3cef1b53c50b0fa357d994f8a1a8cd783c76bbf4f5dd08b226e38a8bd331338d
+3:cpuacct:/docker/3cef1b53c50b0fa357d994f8a1a8cd783c76bbf4f5dd08b226e38a8bd331338d
+2:cpu:/docker/3cef1b53c50b0fa357d994f8a1a8cd783c76bbf4f5dd08b226e38a8bd331338d
+1:cpuset:/`)
+	)
+
+	dir := os.TempDir()
+	proc1Cgroup = filepath.Join(dir, "proc1Cgroup")
+
+	defer func() {
+		os.Remove(proc1Cgroup)
+		proc1Cgroup = backup
+	}()
+
+	if err := ioutil.WriteFile(proc1Cgroup, nonContainerizedProc1Cgroup, 0600); err != nil {
+		t.Fatalf("failed to write to %s: %v", proc1Cgroup, err)
+	}
+	inContainer, err := IsContainerized()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if inContainer {
+		t.Fatal("Wrongly assuming containerized")
+	}
+
+	if err := ioutil.WriteFile(proc1Cgroup, nonContainerizedProc1Cgroupsystemd226, 0600); err != nil {
+		t.Fatalf("failed to write to %s: %v", proc1Cgroup, err)
+	}
+	inContainer, err = IsContainerized()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if inContainer {
+		t.Fatal("Wrongly assuming containerized for systemd /init.scope cgroup layout")
+	}
+
+	if err := ioutil.WriteFile(proc1Cgroup, containerizedProc1Cgroup, 0600); err != nil {
+		t.Fatalf("failed to write to %s: %v", proc1Cgroup, err)
+	}
+	inContainer, err = IsContainerized()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !inContainer {
+		t.Fatal("Wrongly assuming non-containerized")
+	}
+}
+
+func TestOsReleaseFallback(t *testing.T) {
+	var backup = etcOsRelease
+	var altBackup = altOsRelease
+	dir := os.TempDir()
+	etcOsRelease = filepath.Join(dir, "etcOsRelease")
+	altOsRelease = filepath.Join(dir, "altOsRelease")
+
+	defer func() {
+		os.Remove(dir)
+		etcOsRelease = backup
+		altOsRelease = altBackup
+	}()
+	content := `NAME=Gentoo
+ID=gentoo
+PRETTY_NAME="Gentoo/Linux"
+ANSI_COLOR="1;32"
+HOME_URL="http://www.gentoo.org/"
+SUPPORT_URL="http://www.gentoo.org/main/en/support.xml"
+BUG_REPORT_URL="https://bugs.gentoo.org/"
+`
+	if err := ioutil.WriteFile(altOsRelease, []byte(content), 0600); err != nil {
+		t.Fatalf("failed to write to %s: %v", etcOsRelease, err)
+	}
+	s, err := GetOperatingSystem()
+	if err != nil || s != "Gentoo/Linux" {
+		t.Fatalf("Expected %q, got %q (err: %v)", "Gentoo/Linux", s, err)
+	}
+}
diff --git a/engine/pkg/parsers/operatingsystem/operatingsystem_windows.go b/engine/pkg/parsers/operatingsystem/operatingsystem_windows.go
new file mode 100644
index 00000000..372de514
--- /dev/null
+++ b/engine/pkg/parsers/operatingsystem/operatingsystem_windows.go
@@ -0,0 +1,51 @@
+package operatingsystem // import "github.com/docker/docker/pkg/parsers/operatingsystem"
+
+import (
+	"fmt"
+
+	"golang.org/x/sys/windows/registry"
+)
+
+// GetOperatingSystem gets the name of the current operating system.
+func GetOperatingSystem() (string, error) {
+
+	// Default return value
+	ret := "Unknown Operating System"
+
+	k, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion`, registry.QUERY_VALUE)
+	if err != nil {
+		return ret, err
+	}
+	defer k.Close()
+
+	pn, _, err := k.GetStringValue("ProductName")
+	if err != nil {
+		return ret, err
+	}
+	ret = pn
+
+	ri, _, err := k.GetStringValue("ReleaseId")
+	if err != nil {
+		return ret, err
+	}
+	ret = fmt.Sprintf("%s Version %s", ret, ri)
+
+	cbn, _, err := k.GetStringValue("CurrentBuildNumber")
+	if err != nil {
+		return ret, err
+	}
+
+	ubr, _, err := k.GetIntegerValue("UBR")
+	if err != nil {
+		return ret, err
+	}
+	ret = fmt.Sprintf("%s (OS Build %s.%d)", ret, cbn, ubr)
+
+	return ret, nil
+}
+
+// IsContainerized returns true if we are running inside a container.
+// No-op on Windows, always returns false.
+func IsContainerized() (bool, error) {
+	return false, nil
+}
diff --git a/engine/pkg/parsers/parsers.go b/engine/pkg/parsers/parsers.go
new file mode 100644
index 00000000..c4186a4c
--- /dev/null
+++ b/engine/pkg/parsers/parsers.go
@@ -0,0 +1,69 @@
+// Package parsers provides helper functions to parse and validate different type
+// of string. It can be hosts, unix addresses, tcp addresses, filters, kernel
+// operating system versions.
+package parsers // import "github.com/docker/docker/pkg/parsers"
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+// ParseKeyValueOpt parses and validates the specified string as a key/value pair (key=value)
+func ParseKeyValueOpt(opt string) (string, string, error) {
+	parts := strings.SplitN(opt, "=", 2)
+	if len(parts) != 2 {
+		return "", "", fmt.Errorf("Unable to parse key/value option: %s", opt)
+	}
+	return strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1]), nil
+}
+
+// ParseUintList parses and validates the specified string as the value
+// found in some cgroup file (e.g. `cpuset.cpus`, `cpuset.mems`), which could be
+// one of the formats below. Note that duplicates are actually allowed in the
+// input string. It returns a `map[int]bool` with available elements from `val`
+// set to `true`.
+// Supported formats:
+//     7
+//     1-6
+//     0,3-4,7,8-10
+//     0-0,0,1-7
+//     03,1-3      <- this is gonna get parsed as [1,2,3]
+//     3,2,1
+//     0-2,3,1
+func ParseUintList(val string) (map[int]bool, error) {
+	if val == "" {
+		return map[int]bool{}, nil
+	}
+
+	availableInts := make(map[int]bool)
+	split := strings.Split(val, ",")
+	errInvalidFormat := fmt.Errorf("invalid format: %s", val)
+
+	for _, r := range split {
+		if !strings.Contains(r, "-") {
+			v, err := strconv.Atoi(r)
+			if err != nil {
+				return nil, errInvalidFormat
+			}
+			availableInts[v] = true
+		} else {
+			split := strings.SplitN(r, "-", 2)
+			min, err := strconv.Atoi(split[0])
+			if err != nil {
+				return nil, errInvalidFormat
+			}
+			max, err := strconv.Atoi(split[1])
+			if err != nil {
+				return nil, errInvalidFormat
+			}
+			if max < min {
+				return nil, errInvalidFormat
+			}
+			for i := min; i <= max; i++ {
+				availableInts[i] = true
+			}
+		}
+	}
+	return availableInts, nil
+}
diff --git a/engine/pkg/parsers/parsers_test.go b/engine/pkg/parsers/parsers_test.go
new file mode 100644
index 00000000..a70093f1
--- /dev/null
+++ b/engine/pkg/parsers/parsers_test.go
@@ -0,0 +1,70 @@
+package parsers // import "github.com/docker/docker/pkg/parsers"
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestParseKeyValueOpt(t *testing.T) {
+	invalids := map[string]string{
+		"":    "Unable to parse key/value option: ",
+		"key": "Unable to parse key/value option: key",
+	}
+	for invalid, expectedError := range invalids {
+		if _, _, err := ParseKeyValueOpt(invalid); err == nil || err.Error() != expectedError {
+			t.Fatalf("Expected error %v for %v, got %v", expectedError, invalid, err)
+		}
+	}
+	valids := map[string][]string{
+		"key=value":               {"key", "value"},
+		" key = value ":           {"key", "value"},
+		"key=value1=value2":       {"key", "value1=value2"},
+		" key = value1 = value2 ": {"key", "value1 = value2"},
+	}
+	for valid, expectedKeyValue := range valids {
+		key, value, err := ParseKeyValueOpt(valid)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if key != expectedKeyValue[0] || value != expectedKeyValue[1] {
+			t.Fatalf("Expected {%v: %v} got {%v: %v}", expectedKeyValue[0], expectedKeyValue[1], key, value)
+		}
+	}
+}
+
+func TestParseUintList(t *testing.T) {
+	valids := map[string]map[int]bool{
+		"":             {},
+		"7":            {7: true},
+		"1-6":          {1: true, 2: true, 3: true, 4: true, 5: true, 6: true},
+		"0-7":          {0: true, 1: true, 2: true, 3: true, 4: true, 5: true, 6: true, 7: true},
+		"0,3-4,7,8-10": {0: true, 3: true, 4: true, 7: true, 8: true, 9: true, 10: true},
+		"0-0,0,1-4":    {0: true, 1: true, 2: true, 3: true, 4: true},
+		"03,1-3":       {1: true, 2: true, 3: true},
+		"3,2,1":        {1: true, 2: true, 3: true},
+		"0-2,3,1":      {0: true, 1: true, 2: true, 3: true},
+	}
+	for k, v := range valids {
+		out, err := ParseUintList(k)
+		if err != nil {
+			t.Fatalf("Expected not to fail, got %v", err)
+		}
+		if !reflect.DeepEqual(out, v) {
+			t.Fatalf("Expected %v, got %v", v, out)
+		}
+	}
+
+	invalids := []string{
+		"this",
+		"1--",
+		"1-10,,10",
+		"10-1",
+		"-1",
+		"-1,0",
+	}
+	for _, v := range invalids {
+		if out, err := ParseUintList(v); err == nil {
+			t.Fatalf("Expected failure with %s but got %v", v, out)
+		}
+	}
+}
diff --git a/engine/pkg/pidfile/pidfile.go b/engine/pkg/pidfile/pidfile.go
new file mode 100644
index 00000000..0617a89e
--- /dev/null
+++ b/engine/pkg/pidfile/pidfile.go
@@ -0,0 +1,53 @@
+// Package pidfile provides structure and helper functions to create and remove
+// PID file. A PID file is usually a file used to store the process ID of a
+// running process.
+package pidfile // import "github.com/docker/docker/pkg/pidfile"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/docker/docker/pkg/system"
+)
+
+// PIDFile is a file used to store the process ID of a running process.
+type PIDFile struct {
+	path string
+}
+
+func checkPIDFileAlreadyExists(path string) error {
+	if pidByte, err := ioutil.ReadFile(path); err == nil {
+		pidString := strings.TrimSpace(string(pidByte))
+		if pid, err := strconv.Atoi(pidString); err == nil {
+			if processExists(pid) {
+				return fmt.Errorf("pid file found, ensure docker is not running or delete %s", path)
+			}
+		}
+	}
+	return nil
+}
+
+// New creates a PIDfile using the specified path.
+func New(path string) (*PIDFile, error) {
+	if err := checkPIDFileAlreadyExists(path); err != nil {
+		return nil, err
+	}
+	// Note MkdirAll returns nil if a directory already exists
+	if err := system.MkdirAll(filepath.Dir(path), os.FileMode(0755), ""); err != nil {
+		return nil, err
+	}
+	if err := ioutil.WriteFile(path, []byte(fmt.Sprintf("%d", os.Getpid())), 0644); err != nil {
+		return nil, err
+	}
+
+	return &PIDFile{path: path}, nil
+}
+
+// Remove removes the PIDFile.
+func (file PIDFile) Remove() error {
+	return os.Remove(file.path)
+}
diff --git a/engine/pkg/pidfile/pidfile_darwin.go b/engine/pkg/pidfile/pidfile_darwin.go
new file mode 100644
index 00000000..92746aa7
--- /dev/null
+++ b/engine/pkg/pidfile/pidfile_darwin.go
@@ -0,0 +1,14 @@
+// +build darwin
+
+package pidfile // import "github.com/docker/docker/pkg/pidfile"
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+func processExists(pid int) bool {
+	// OS X does not have a proc filesystem.
+	// Use kill -0 pid to judge if the process exists.
+	err := unix.Kill(pid, 0)
+	return err == nil
+}
diff --git a/engine/pkg/pidfile/pidfile_test.go b/engine/pkg/pidfile/pidfile_test.go
new file mode 100644
index 00000000..cd9878e1
--- /dev/null
+++ b/engine/pkg/pidfile/pidfile_test.go
@@ -0,0 +1,38 @@
+package pidfile // import "github.com/docker/docker/pkg/pidfile"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestNewAndRemove(t *testing.T) {
+	dir, err := ioutil.TempDir(os.TempDir(), "test-pidfile")
+	if err != nil {
+		t.Fatal("Could not create test directory")
+	}
+
+	path := filepath.Join(dir, "testfile")
+	file, err := New(path)
+	if err != nil {
+		t.Fatal("Could not create test file", err)
+	}
+
+	_, err = New(path)
+	if err == nil {
+		t.Fatal("Test file creation not blocked")
+	}
+
+	if err := file.Remove(); err != nil {
+		t.Fatal("Could not delete created test file")
+	}
+}
+
+func TestRemoveInvalidPath(t *testing.T) {
+	file := PIDFile{path: filepath.Join("foo", "bar")}
+
+	if err := file.Remove(); err == nil {
+		t.Fatal("Non-existing file doesn't give an error on delete")
+	}
+}
diff --git a/engine/pkg/pidfile/pidfile_unix.go b/engine/pkg/pidfile/pidfile_unix.go
new file mode 100644
index 00000000..cc6696d2
--- /dev/null
+++ b/engine/pkg/pidfile/pidfile_unix.go
@@ -0,0 +1,16 @@
+// +build !windows,!darwin
+
+package pidfile // import "github.com/docker/docker/pkg/pidfile"
+
+import (
+	"os"
+	"path/filepath"
+	"strconv"
+)
+
+func processExists(pid int) bool {
+	if _, err := os.Stat(filepath.Join("/proc", strconv.Itoa(pid))); err == nil {
+		return true
+	}
+	return false
+}
diff --git a/engine/pkg/pidfile/pidfile_windows.go b/engine/pkg/pidfile/pidfile_windows.go
new file mode 100644
index 00000000..1c5e6cb6
--- /dev/null
+++ b/engine/pkg/pidfile/pidfile_windows.go
@@ -0,0 +1,25 @@
+package pidfile // import "github.com/docker/docker/pkg/pidfile"
+
+import (
+	"golang.org/x/sys/windows"
+)
+
+const (
+	processQueryLimitedInformation = 0x1000
+
+	stillActive = 259
+)
+
+func processExists(pid int) bool {
+	h, err := windows.OpenProcess(processQueryLimitedInformation, false, uint32(pid))
+	if err != nil {
+		return false
+	}
+	var c uint32
+	err = windows.GetExitCodeProcess(h, &c)
+	windows.Close(h)
+	if err != nil {
+		return c == stillActive
+	}
+	return true
+}
diff --git a/engine/pkg/platform/architecture_linux.go b/engine/pkg/platform/architecture_linux.go
new file mode 100644
index 00000000..a260a23f
--- /dev/null
+++ b/engine/pkg/platform/architecture_linux.go
@@ -0,0 +1,18 @@
+// Package platform provides helper function to get the runtime architecture
+// for different platforms.
+package platform // import "github.com/docker/docker/pkg/platform"
+
+import (
+	"bytes"
+
+	"golang.org/x/sys/unix"
+)
+
+// runtimeArchitecture gets the name of the current architecture (x86, x86_64, …)
+func runtimeArchitecture() (string, error) {
+	utsname := &unix.Utsname{}
+	if err := unix.Uname(utsname); err != nil {
+		return "", err
+	}
+	return string(utsname.Machine[:bytes.IndexByte(utsname.Machine[:], 0)]), nil
+}
diff --git a/engine/pkg/platform/architecture_unix.go b/engine/pkg/platform/architecture_unix.go
new file mode 100644
index 00000000..d51f6869
--- /dev/null
+++ b/engine/pkg/platform/architecture_unix.go
@@ -0,0 +1,20 @@
+// +build freebsd darwin
+
+// Package platform provides helper function to get the runtime architecture
+// for different platforms.
+package platform // import "github.com/docker/docker/pkg/platform"
+
+import (
+	"os/exec"
+	"strings"
+)
+
+// runtimeArchitecture gets the name of the current architecture (x86, x86_64, i86pc, sun4v, ...)
+func runtimeArchitecture() (string, error) {
+	cmd := exec.Command("/usr/bin/uname", "-m")
+	machine, err := cmd.Output()
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(machine)), nil
+}
diff --git a/engine/pkg/platform/architecture_windows.go b/engine/pkg/platform/architecture_windows.go
new file mode 100644
index 00000000..a25f1bc5
--- /dev/null
+++ b/engine/pkg/platform/architecture_windows.go
@@ -0,0 +1,60 @@
+package platform // import "github.com/docker/docker/pkg/platform"
+
+import (
+	"fmt"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var (
+	modkernel32       = windows.NewLazySystemDLL("kernel32.dll")
+	procGetSystemInfo = modkernel32.NewProc("GetSystemInfo")
+)
+
+// see http://msdn.microsoft.com/en-us/library/windows/desktop/ms724958(v=vs.85).aspx
+type systeminfo struct {
+	wProcessorArchitecture      uint16
+	wReserved                   uint16
+	dwPageSize                  uint32
+	lpMinimumApplicationAddress uintptr
+	lpMaximumApplicationAddress uintptr
+	dwActiveProcessorMask       uintptr
+	dwNumberOfProcessors        uint32
+	dwProcessorType             uint32
+	dwAllocationGranularity     uint32
+	wProcessorLevel             uint16
+	wProcessorRevision          uint16
+}
+
+// Constants
+const (
+	ProcessorArchitecture64   = 9 // PROCESSOR_ARCHITECTURE_AMD64
+	ProcessorArchitectureIA64 = 6 // PROCESSOR_ARCHITECTURE_IA64
+	ProcessorArchitecture32   = 0 // PROCESSOR_ARCHITECTURE_INTEL
+	ProcessorArchitectureArm  = 5 // PROCESSOR_ARCHITECTURE_ARM
+)
+
+// runtimeArchitecture gets the name of the current architecture (x86, x86_64, …)
+func runtimeArchitecture() (string, error) {
+	var sysinfo systeminfo
+	syscall.Syscall(procGetSystemInfo.Addr(), 1, uintptr(unsafe.Pointer(&sysinfo)), 0, 0)
+	switch sysinfo.wProcessorArchitecture {
+	case ProcessorArchitecture64, ProcessorArchitectureIA64:
+		return "x86_64", nil
+	case ProcessorArchitecture32:
+		return "i686", nil
+	case ProcessorArchitectureArm:
+		return "arm", nil
+	default:
+		return "", fmt.Errorf("Unknown processor architecture")
+	}
+}
+
+// NumProcs returns the number of processors on the system
+func NumProcs() uint32 {
+	var sysinfo systeminfo
+	syscall.Syscall(procGetSystemInfo.Addr(), 1, uintptr(unsafe.Pointer(&sysinfo)), 0, 0)
+	return sysinfo.dwNumberOfProcessors
+}
diff --git a/engine/pkg/platform/platform.go b/engine/pkg/platform/platform.go
new file mode 100644
index 00000000..f6b02b73
--- /dev/null
+++ b/engine/pkg/platform/platform.go
@@ -0,0 +1,23 @@
+package platform // import "github.com/docker/docker/pkg/platform"
+
+import (
+	"runtime"
+
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// Architecture holds the runtime architecture of the process.
+	Architecture string
+	// OSType holds the runtime operating system type (Linux, …) of the process.
+	OSType string
+)
+
+func init() {
+	var err error
+	Architecture, err = runtimeArchitecture()
+	if err != nil {
+		logrus.Errorf("Could not read system architecture info: %v", err)
+	}
+	OSType = runtime.GOOS
+}
diff --git a/engine/pkg/plugingetter/getter.go b/engine/pkg/plugingetter/getter.go
new file mode 100644
index 00000000..370e0d5b
--- /dev/null
+++ b/engine/pkg/plugingetter/getter.go
@@ -0,0 +1,52 @@
+package plugingetter // import "github.com/docker/docker/pkg/plugingetter"
+
+import (
+	"net"
+	"time"
+
+	"github.com/docker/docker/pkg/plugins"
+)
+
+const (
+	// Lookup doesn't update RefCount
+	Lookup = 0
+	// Acquire increments RefCount
+	Acquire = 1
+	// Release decrements RefCount
+	Release = -1
+)
+
+// CompatPlugin is an abstraction to handle both v2(new) and v1(legacy) plugins.
+type CompatPlugin interface {
+	Name() string
+	ScopedPath(string) string
+	IsV1() bool
+	PluginWithV1Client
+}
+
+// PluginWithV1Client is a plugin that directly utilizes the v1/http plugin client
+type PluginWithV1Client interface {
+	Client() *plugins.Client
+}
+
+// PluginAddr is a plugin that exposes the socket address for creating custom clients rather than the built-in `*plugins.Client`
+type PluginAddr interface {
+	Addr() net.Addr
+	Timeout() time.Duration
+	Protocol() string
+}
+
+// CountedPlugin is a plugin which is reference counted.
+type CountedPlugin interface {
+	Acquire()
+	Release()
+	CompatPlugin
+}
+
+// PluginGetter is the interface implemented by Store
+type PluginGetter interface {
+	Get(name, capability string, mode int) (CompatPlugin, error)
+	GetAllByCap(capability string) ([]CompatPlugin, error)
+	GetAllManagedPluginsByCap(capability string) []CompatPlugin
+	Handle(capability string, callback func(string, *plugins.Client))
+}
diff --git a/engine/pkg/plugins/client.go b/engine/pkg/plugins/client.go
new file mode 100644
index 00000000..03533053
--- /dev/null
+++ b/engine/pkg/plugins/client.go
@@ -0,0 +1,242 @@
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/plugins/transport"
+	"github.com/docker/go-connections/sockets"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	defaultTimeOut = 30
+)
+
+func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) {
+	tr := &http.Transport{}
+
+	if tlsConfig != nil {
+		c, err := tlsconfig.Client(*tlsConfig)
+		if err != nil {
+			return nil, err
+		}
+		tr.TLSClientConfig = c
+	}
+
+	u, err := url.Parse(addr)
+	if err != nil {
+		return nil, err
+	}
+	socket := u.Host
+	if socket == "" {
+		// valid local socket addresses have the host empty.
+		socket = u.Path
+	}
+	if err := sockets.ConfigureTransport(tr, u.Scheme, socket); err != nil {
+		return nil, err
+	}
+	scheme := httpScheme(u)
+
+	return transport.NewHTTPTransport(tr, scheme, socket), nil
+}
+
+// NewClient creates a new plugin client (http).
+func NewClient(addr string, tlsConfig *tlsconfig.Options) (*Client, error) {
+	clientTransport, err := newTransport(addr, tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+	return newClientWithTransport(clientTransport, 0), nil
+}
+
+// NewClientWithTimeout creates a new plugin client (http).
+func NewClientWithTimeout(addr string, tlsConfig *tlsconfig.Options, timeout time.Duration) (*Client, error) {
+	clientTransport, err := newTransport(addr, tlsConfig)
+	if err != nil {
+		return nil, err
+	}
+	return newClientWithTransport(clientTransport, timeout), nil
+}
+
+// newClientWithTransport creates a new plugin client with a given transport.
+func newClientWithTransport(tr transport.Transport, timeout time.Duration) *Client {
+	return &Client{
+		http: &http.Client{
+			Transport: tr,
+			Timeout:   timeout,
+		},
+		requestFactory: tr,
+	}
+}
+
+// Client represents a plugin client.
+type Client struct {
+	http           *http.Client // http client to use
+	requestFactory transport.RequestFactory
+}
+
+// RequestOpts is the set of options that can be passed into a request
+type RequestOpts struct {
+	Timeout time.Duration
+}
+
+// WithRequestTimeout sets a timeout duration for plugin requests
+func WithRequestTimeout(t time.Duration) func(*RequestOpts) {
+	return func(o *RequestOpts) {
+		o.Timeout = t
+	}
+}
+
+// Call calls the specified method with the specified arguments for the plugin.
+// It will retry for 30 seconds if a failure occurs when calling.
+func (c *Client) Call(serviceMethod string, args, ret interface{}) error {
+	return c.CallWithOptions(serviceMethod, args, ret)
+}
+
+// CallWithOptions is just like call except it takes options
+func (c *Client) CallWithOptions(serviceMethod string, args interface{}, ret interface{}, opts ...func(*RequestOpts)) error {
+	var buf bytes.Buffer
+	if args != nil {
+		if err := json.NewEncoder(&buf).Encode(args); err != nil {
+			return err
+		}
+	}
+	body, err := c.callWithRetry(serviceMethod, &buf, true, opts...)
+	if err != nil {
+		return err
+	}
+	defer body.Close()
+	if ret != nil {
+		if err := json.NewDecoder(body).Decode(&ret); err != nil {
+			logrus.Errorf("%s: error reading plugin resp: %v", serviceMethod, err)
+			return err
+		}
+	}
+	return nil
+}
+
+// Stream calls the specified method with the specified arguments for the plugin and returns the response body
+func (c *Client) Stream(serviceMethod string, args interface{}) (io.ReadCloser, error) {
+	var buf bytes.Buffer
+	if err := json.NewEncoder(&buf).Encode(args); err != nil {
+		return nil, err
+	}
+	return c.callWithRetry(serviceMethod, &buf, true)
+}
+
+// SendFile calls the specified method, and passes through the IO stream
+func (c *Client) SendFile(serviceMethod string, data io.Reader, ret interface{}) error {
+	body, err := c.callWithRetry(serviceMethod, data, true)
+	if err != nil {
+		return err
+	}
+	defer body.Close()
+	if err := json.NewDecoder(body).Decode(&ret); err != nil {
+		logrus.Errorf("%s: error reading plugin resp: %v", serviceMethod, err)
+		return err
+	}
+	return nil
+}
+
+func (c *Client) callWithRetry(serviceMethod string, data io.Reader, retry bool, reqOpts ...func(*RequestOpts)) (io.ReadCloser, error) {
+	var retries int
+	start := time.Now()
+
+	var opts RequestOpts
+	for _, o := range reqOpts {
+		o(&opts)
+	}
+
+	for {
+		req, err := c.requestFactory.NewRequest(serviceMethod, data)
+		if err != nil {
+			return nil, err
+		}
+
+		cancelRequest := func() {}
+		if opts.Timeout > 0 {
+			var ctx context.Context
+			ctx, cancelRequest = context.WithTimeout(req.Context(), opts.Timeout)
+			req = req.WithContext(ctx)
+		}
+
+		resp, err := c.http.Do(req)
+		if err != nil {
+			cancelRequest()
+			if !retry {
+				return nil, err
+			}
+
+			timeOff := backoff(retries)
+			if abort(start, timeOff) {
+				return nil, err
+			}
+			retries++
+			logrus.Warnf("Unable to connect to plugin: %s%s: %v, retrying in %v", req.URL.Host, req.URL.Path, err, timeOff)
+			time.Sleep(timeOff)
+			continue
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			b, err := ioutil.ReadAll(resp.Body)
+			resp.Body.Close()
+			cancelRequest()
+			if err != nil {
+				return nil, &statusError{resp.StatusCode, serviceMethod, err.Error()}
+			}
+
+			// Plugins' Response(s) should have an Err field indicating what went
+			// wrong. Try to unmarshal into ResponseErr. Otherwise fallback to just
+			// return the string(body)
+			type responseErr struct {
+				Err string
+			}
+			remoteErr := responseErr{}
+			if err := json.Unmarshal(b, &remoteErr); err == nil {
+				if remoteErr.Err != "" {
+					return nil, &statusError{resp.StatusCode, serviceMethod, remoteErr.Err}
+				}
+			}
+			// old way...
+			return nil, &statusError{resp.StatusCode, serviceMethod, string(b)}
+		}
+		return ioutils.NewReadCloserWrapper(resp.Body, func() error {
+			err := resp.Body.Close()
+			cancelRequest()
+			return err
+		}), nil
+	}
+}
+
+func backoff(retries int) time.Duration {
+	b, max := 1, defaultTimeOut
+	for b < max && retries > 0 {
+		b *= 2
+		retries--
+	}
+	if b > max {
+		b = max
+	}
+	return time.Duration(b) * time.Second
+}
+
+func abort(start time.Time, timeOff time.Duration) bool {
+	return timeOff+time.Since(start) >= time.Duration(defaultTimeOut)*time.Second
+}
+
+func httpScheme(u *url.URL) string {
+	scheme := u.Scheme
+	if scheme != "https" {
+		scheme = "http"
+	}
+	return scheme
+}
diff --git a/engine/pkg/plugins/client_test.go b/engine/pkg/plugins/client_test.go
new file mode 100644
index 00000000..c3a48922
--- /dev/null
+++ b/engine/pkg/plugins/client_test.go
@@ -0,0 +1,277 @@
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/plugins/transport"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+var (
+	mux    *http.ServeMux
+	server *httptest.Server
+)
+
+func setupRemotePluginServer() string {
+	mux = http.NewServeMux()
+	server = httptest.NewServer(mux)
+	return server.URL
+}
+
+func teardownRemotePluginServer() {
+	if server != nil {
+		server.Close()
+	}
+}
+
+func TestFailedConnection(t *testing.T) {
+	c, _ := NewClient("tcp://127.0.0.1:1", &tlsconfig.Options{InsecureSkipVerify: true})
+	_, err := c.callWithRetry("Service.Method", nil, false)
+	if err == nil {
+		t.Fatal("Unexpected successful connection")
+	}
+}
+
+func TestFailOnce(t *testing.T) {
+	addr := setupRemotePluginServer()
+	defer teardownRemotePluginServer()
+
+	failed := false
+	mux.HandleFunc("/Test.FailOnce", func(w http.ResponseWriter, r *http.Request) {
+		if !failed {
+			failed = true
+			panic("Plugin not ready")
+		}
+	})
+
+	c, _ := NewClient(addr, &tlsconfig.Options{InsecureSkipVerify: true})
+	b := strings.NewReader("body")
+	_, err := c.callWithRetry("Test.FailOnce", b, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestEchoInputOutput(t *testing.T) {
+	addr := setupRemotePluginServer()
+	defer teardownRemotePluginServer()
+
+	m := Manifest{[]string{"VolumeDriver", "NetworkDriver"}}
+
+	mux.HandleFunc("/Test.Echo", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "POST" {
+			t.Fatalf("Expected POST, got %s\n", r.Method)
+		}
+
+		header := w.Header()
+		header.Set("Content-Type", transport.VersionMimetype)
+
+		io.Copy(w, r.Body)
+	})
+
+	c, _ := NewClient(addr, &tlsconfig.Options{InsecureSkipVerify: true})
+	var output Manifest
+	err := c.Call("Test.Echo", m, &output)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assert.Check(t, is.DeepEqual(m, output))
+	err = c.Call("Test.Echo", nil, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestBackoff(t *testing.T) {
+	cases := []struct {
+		retries    int
+		expTimeOff time.Duration
+	}{
+		{0, time.Duration(1)},
+		{1, time.Duration(2)},
+		{2, time.Duration(4)},
+		{4, time.Duration(16)},
+		{6, time.Duration(30)},
+		{10, time.Duration(30)},
+	}
+
+	for _, c := range cases {
+		s := c.expTimeOff * time.Second
+		if d := backoff(c.retries); d != s {
+			t.Fatalf("Retry %v, expected %v, was %v\n", c.retries, s, d)
+		}
+	}
+}
+
+func TestAbortRetry(t *testing.T) {
+	cases := []struct {
+		timeOff  time.Duration
+		expAbort bool
+	}{
+		{time.Duration(1), false},
+		{time.Duration(2), false},
+		{time.Duration(10), false},
+		{time.Duration(30), true},
+		{time.Duration(40), true},
+	}
+
+	for _, c := range cases {
+		s := c.timeOff * time.Second
+		if a := abort(time.Now(), s); a != c.expAbort {
+			t.Fatalf("Duration %v, expected %v, was %v\n", c.timeOff, s, a)
+		}
+	}
+}
+
+func TestClientScheme(t *testing.T) {
+	cases := map[string]string{
+		"tcp://127.0.0.1:8080":          "http",
+		"unix:///usr/local/plugins/foo": "http",
+		"http://127.0.0.1:8080":         "http",
+		"https://127.0.0.1:8080":        "https",
+	}
+
+	for addr, scheme := range cases {
+		u, err := url.Parse(addr)
+		if err != nil {
+			t.Fatal(err)
+		}
+		s := httpScheme(u)
+
+		if s != scheme {
+			t.Fatalf("URL scheme mismatch, expected %s, got %s", scheme, s)
+		}
+	}
+}
+
+func TestNewClientWithTimeout(t *testing.T) {
+	addr := setupRemotePluginServer()
+	defer teardownRemotePluginServer()
+
+	m := Manifest{[]string{"VolumeDriver", "NetworkDriver"}}
+
+	mux.HandleFunc("/Test.Echo", func(w http.ResponseWriter, r *http.Request) {
+		time.Sleep(time.Duration(600) * time.Millisecond)
+		io.Copy(w, r.Body)
+	})
+
+	// setting timeout of 500ms
+	timeout := time.Duration(500) * time.Millisecond
+	c, _ := NewClientWithTimeout(addr, &tlsconfig.Options{InsecureSkipVerify: true}, timeout)
+	var output Manifest
+	err := c.Call("Test.Echo", m, &output)
+	if err == nil {
+		t.Fatal("Expected timeout error")
+	}
+}
+
+func TestClientStream(t *testing.T) {
+	addr := setupRemotePluginServer()
+	defer teardownRemotePluginServer()
+
+	m := Manifest{[]string{"VolumeDriver", "NetworkDriver"}}
+	var output Manifest
+
+	mux.HandleFunc("/Test.Echo", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "POST" {
+			t.Fatalf("Expected POST, got %s", r.Method)
+		}
+
+		header := w.Header()
+		header.Set("Content-Type", transport.VersionMimetype)
+
+		io.Copy(w, r.Body)
+	})
+
+	c, _ := NewClient(addr, &tlsconfig.Options{InsecureSkipVerify: true})
+	body, err := c.Stream("Test.Echo", m)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer body.Close()
+	if err := json.NewDecoder(body).Decode(&output); err != nil {
+		t.Fatalf("Test.Echo: error reading plugin resp: %v", err)
+	}
+	assert.Check(t, is.DeepEqual(m, output))
+}
+
+func TestClientSendFile(t *testing.T) {
+	addr := setupRemotePluginServer()
+	defer teardownRemotePluginServer()
+
+	m := Manifest{[]string{"VolumeDriver", "NetworkDriver"}}
+	var output Manifest
+	var buf bytes.Buffer
+	if err := json.NewEncoder(&buf).Encode(m); err != nil {
+		t.Fatal(err)
+	}
+	mux.HandleFunc("/Test.Echo", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "POST" {
+			t.Fatalf("Expected POST, got %s\n", r.Method)
+		}
+
+		header := w.Header()
+		header.Set("Content-Type", transport.VersionMimetype)
+
+		io.Copy(w, r.Body)
+	})
+
+	c, _ := NewClient(addr, &tlsconfig.Options{InsecureSkipVerify: true})
+	if err := c.SendFile("Test.Echo", &buf, &output); err != nil {
+		t.Fatal(err)
+	}
+	assert.Check(t, is.DeepEqual(m, output))
+}
+
+func TestClientWithRequestTimeout(t *testing.T) {
+	timeout := 1 * time.Millisecond
+	testHandler := func(w http.ResponseWriter, r *http.Request) {
+		time.Sleep(timeout + 1*time.Millisecond)
+		w.WriteHeader(http.StatusOK)
+	}
+
+	srv := httptest.NewServer(http.HandlerFunc(testHandler))
+	defer srv.Close()
+
+	client := &Client{http: srv.Client(), requestFactory: &testRequestWrapper{srv}}
+	_, err := client.callWithRetry("/Plugin.Hello", nil, false, WithRequestTimeout(timeout))
+	assert.Assert(t, is.ErrorContains(err, ""), "expected error")
+
+	err = errors.Cause(err)
+
+	switch e := err.(type) {
+	case *url.Error:
+		err = e.Err
+	}
+	assert.DeepEqual(t, context.DeadlineExceeded, err)
+}
+
+type testRequestWrapper struct {
+	*httptest.Server
+}
+
+func (w *testRequestWrapper) NewRequest(path string, data io.Reader) (*http.Request, error) {
+	req, err := http.NewRequest("POST", path, data)
+	if err != nil {
+		return nil, err
+	}
+	u, err := url.Parse(w.Server.URL)
+	if err != nil {
+		return nil, err
+	}
+	req.URL = u
+	return req, nil
+}
diff --git a/engine/pkg/plugins/discovery.go b/engine/pkg/plugins/discovery.go
new file mode 100644
index 00000000..4b79bd29
--- /dev/null
+++ b/engine/pkg/plugins/discovery.go
@@ -0,0 +1,154 @@
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"github.com/pkg/errors"
+)
+
+var (
+	// ErrNotFound plugin not found
+	ErrNotFound = errors.New("plugin not found")
+	socketsPath = "/run/docker/plugins"
+)
+
+// localRegistry defines a registry that is local (using unix socket).
+type localRegistry struct{}
+
+func newLocalRegistry() localRegistry {
+	return localRegistry{}
+}
+
+// Scan scans all the plugin paths and returns all the names it found
+func Scan() ([]string, error) {
+	var names []string
+	dirEntries, err := ioutil.ReadDir(socketsPath)
+	if err != nil && !os.IsNotExist(err) {
+		return nil, errors.Wrap(err, "error reading dir entries")
+	}
+
+	for _, fi := range dirEntries {
+		if fi.IsDir() {
+			fi, err = os.Stat(filepath.Join(socketsPath, fi.Name(), fi.Name()+".sock"))
+			if err != nil {
+				continue
+			}
+		}
+
+		if fi.Mode()&os.ModeSocket != 0 {
+			names = append(names, strings.TrimSuffix(filepath.Base(fi.Name()), filepath.Ext(fi.Name())))
+		}
+	}
+
+	for _, p := range specsPaths {
+		dirEntries, err := ioutil.ReadDir(p)
+		if err != nil && !os.IsNotExist(err) {
+			return nil, errors.Wrap(err, "error reading dir entries")
+		}
+
+		for _, fi := range dirEntries {
+			if fi.IsDir() {
+				infos, err := ioutil.ReadDir(filepath.Join(p, fi.Name()))
+				if err != nil {
+					continue
+				}
+
+				for _, info := range infos {
+					if strings.TrimSuffix(info.Name(), filepath.Ext(info.Name())) == fi.Name() {
+						fi = info
+						break
+					}
+				}
+			}
+
+			ext := filepath.Ext(fi.Name())
+			switch ext {
+			case ".spec", ".json":
+				plugin := strings.TrimSuffix(fi.Name(), ext)
+				names = append(names, plugin)
+			default:
+			}
+		}
+	}
+	return names, nil
+}
+
+// Plugin returns the plugin registered with the given name (or returns an error).
+func (l *localRegistry) Plugin(name string) (*Plugin, error) {
+	socketpaths := pluginPaths(socketsPath, name, ".sock")
+
+	for _, p := range socketpaths {
+		if fi, err := os.Stat(p); err == nil && fi.Mode()&os.ModeSocket != 0 {
+			return NewLocalPlugin(name, "unix://"+p), nil
+		}
+	}
+
+	var txtspecpaths []string
+	for _, p := range specsPaths {
+		txtspecpaths = append(txtspecpaths, pluginPaths(p, name, ".spec")...)
+		txtspecpaths = append(txtspecpaths, pluginPaths(p, name, ".json")...)
+	}
+
+	for _, p := range txtspecpaths {
+		if _, err := os.Stat(p); err == nil {
+			if strings.HasSuffix(p, ".json") {
+				return readPluginJSONInfo(name, p)
+			}
+			return readPluginInfo(name, p)
+		}
+	}
+	return nil, errors.Wrapf(ErrNotFound, "could not find plugin %s in v1 plugin registry", name)
+}
+
+func readPluginInfo(name, path string) (*Plugin, error) {
+	content, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	addr := strings.TrimSpace(string(content))
+
+	u, err := url.Parse(addr)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(u.Scheme) == 0 {
+		return nil, fmt.Errorf("Unknown protocol")
+	}
+
+	return NewLocalPlugin(name, addr), nil
+}
+
+func readPluginJSONInfo(name, path string) (*Plugin, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	var p Plugin
+	if err := json.NewDecoder(f).Decode(&p); err != nil {
+		return nil, err
+	}
+	p.name = name
+	if p.TLSConfig != nil && len(p.TLSConfig.CAFile) == 0 {
+		p.TLSConfig.InsecureSkipVerify = true
+	}
+	p.activateWait = sync.NewCond(&sync.Mutex{})
+
+	return &p, nil
+}
+
+func pluginPaths(base, name, ext string) []string {
+	return []string{
+		filepath.Join(base, name+ext),
+		filepath.Join(base, name, name+ext),
+	}
+}
diff --git a/engine/pkg/plugins/discovery_test.go b/engine/pkg/plugins/discovery_test.go
new file mode 100644
index 00000000..28fda41b
--- /dev/null
+++ b/engine/pkg/plugins/discovery_test.go
@@ -0,0 +1,152 @@
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func Setup(t *testing.T) (string, func()) {
+	tmpdir, err := ioutil.TempDir("", "docker-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	backup := socketsPath
+	socketsPath = tmpdir
+	specsPaths = []string{tmpdir}
+
+	return tmpdir, func() {
+		socketsPath = backup
+		os.RemoveAll(tmpdir)
+	}
+}
+
+func TestFileSpecPlugin(t *testing.T) {
+	tmpdir, unregister := Setup(t)
+	defer unregister()
+
+	cases := []struct {
+		path string
+		name string
+		addr string
+		fail bool
+	}{
+		// TODO Windows: Factor out the unix:// variants.
+		{filepath.Join(tmpdir, "echo.spec"), "echo", "unix://var/lib/docker/plugins/echo.sock", false},
+		{filepath.Join(tmpdir, "echo", "echo.spec"), "echo", "unix://var/lib/docker/plugins/echo.sock", false},
+		{filepath.Join(tmpdir, "foo.spec"), "foo", "tcp://localhost:8080", false},
+		{filepath.Join(tmpdir, "foo", "foo.spec"), "foo", "tcp://localhost:8080", false},
+		{filepath.Join(tmpdir, "bar.spec"), "bar", "localhost:8080", true}, // unknown transport
+	}
+
+	for _, c := range cases {
+		if err := os.MkdirAll(filepath.Dir(c.path), 0755); err != nil {
+			t.Fatal(err)
+		}
+		if err := ioutil.WriteFile(c.path, []byte(c.addr), 0644); err != nil {
+			t.Fatal(err)
+		}
+
+		r := newLocalRegistry()
+		p, err := r.Plugin(c.name)
+		if c.fail && err == nil {
+			continue
+		}
+
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if p.name != c.name {
+			t.Fatalf("Expected plugin `%s`, got %s\n", c.name, p.name)
+		}
+
+		if p.Addr != c.addr {
+			t.Fatalf("Expected plugin addr `%s`, got %s\n", c.addr, p.Addr)
+		}
+
+		if !p.TLSConfig.InsecureSkipVerify {
+			t.Fatalf("Expected TLS verification to be skipped")
+		}
+	}
+}
+
+func TestFileJSONSpecPlugin(t *testing.T) {
+	tmpdir, unregister := Setup(t)
+	defer unregister()
+
+	p := filepath.Join(tmpdir, "example.json")
+	spec := `{
+  "Name": "plugin-example",
+  "Addr": "https://example.com/docker/plugin",
+  "TLSConfig": {
+    "CAFile": "/usr/shared/docker/certs/example-ca.pem",
+    "CertFile": "/usr/shared/docker/certs/example-cert.pem",
+    "KeyFile": "/usr/shared/docker/certs/example-key.pem"
+	}
+}`
+
+	if err := ioutil.WriteFile(p, []byte(spec), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	r := newLocalRegistry()
+	plugin, err := r.Plugin("example")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected, actual := "example", plugin.name; expected != actual {
+		t.Fatalf("Expected plugin %q, got %s\n", expected, actual)
+	}
+
+	if plugin.Addr != "https://example.com/docker/plugin" {
+		t.Fatalf("Expected plugin addr `https://example.com/docker/plugin`, got %s\n", plugin.Addr)
+	}
+
+	if plugin.TLSConfig.CAFile != "/usr/shared/docker/certs/example-ca.pem" {
+		t.Fatalf("Expected plugin CA `/usr/shared/docker/certs/example-ca.pem`, got %s\n", plugin.TLSConfig.CAFile)
+	}
+
+	if plugin.TLSConfig.CertFile != "/usr/shared/docker/certs/example-cert.pem" {
+		t.Fatalf("Expected plugin Certificate `/usr/shared/docker/certs/example-cert.pem`, got %s\n", plugin.TLSConfig.CertFile)
+	}
+
+	if plugin.TLSConfig.KeyFile != "/usr/shared/docker/certs/example-key.pem" {
+		t.Fatalf("Expected plugin Key `/usr/shared/docker/certs/example-key.pem`, got %s\n", plugin.TLSConfig.KeyFile)
+	}
+}
+
+func TestFileJSONSpecPluginWithoutTLSConfig(t *testing.T) {
+	tmpdir, unregister := Setup(t)
+	defer unregister()
+
+	p := filepath.Join(tmpdir, "example.json")
+	spec := `{
+  "Name": "plugin-example",
+  "Addr": "https://example.com/docker/plugin"
+}`
+
+	if err := ioutil.WriteFile(p, []byte(spec), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	r := newLocalRegistry()
+	plugin, err := r.Plugin("example")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if expected, actual := "example", plugin.name; expected != actual {
+		t.Fatalf("Expected plugin %q, got %s\n", expected, actual)
+	}
+
+	if plugin.Addr != "https://example.com/docker/plugin" {
+		t.Fatalf("Expected plugin addr `https://example.com/docker/plugin`, got %s\n", plugin.Addr)
+	}
+
+	if plugin.TLSConfig != nil {
+		t.Fatalf("Expected plugin TLSConfig nil, got %v\n", plugin.TLSConfig)
+	}
+}
diff --git a/engine/pkg/plugins/discovery_unix.go b/engine/pkg/plugins/discovery_unix.go
new file mode 100644
index 00000000..58058f28
--- /dev/null
+++ b/engine/pkg/plugins/discovery_unix.go
@@ -0,0 +1,5 @@
+// +build !windows
+
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+var specsPaths = []string{"/etc/docker/plugins", "/usr/lib/docker/plugins"}
diff --git a/engine/pkg/plugins/discovery_unix_test.go b/engine/pkg/plugins/discovery_unix_test.go
new file mode 100644
index 00000000..b4aefc83
--- /dev/null
+++ b/engine/pkg/plugins/discovery_unix_test.go
@@ -0,0 +1,159 @@
+// +build !windows
+
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net"
+	"os"
+	"path/filepath"
+	"reflect"
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+func TestLocalSocket(t *testing.T) {
+	// TODO Windows: Enable a similar version for Windows named pipes
+	tmpdir, unregister := Setup(t)
+	defer unregister()
+
+	cases := []string{
+		filepath.Join(tmpdir, "echo.sock"),
+		filepath.Join(tmpdir, "echo", "echo.sock"),
+	}
+
+	for _, c := range cases {
+		if err := os.MkdirAll(filepath.Dir(c), 0755); err != nil {
+			t.Fatal(err)
+		}
+
+		l, err := net.Listen("unix", c)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		r := newLocalRegistry()
+		p, err := r.Plugin("echo")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		pp, err := r.Plugin("echo")
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !reflect.DeepEqual(p, pp) {
+			t.Fatalf("Expected %v, was %v\n", p, pp)
+		}
+
+		if p.name != "echo" {
+			t.Fatalf("Expected plugin `echo`, got %s\n", p.name)
+		}
+
+		addr := fmt.Sprintf("unix://%s", c)
+		if p.Addr != addr {
+			t.Fatalf("Expected plugin addr `%s`, got %s\n", addr, p.Addr)
+		}
+		if !p.TLSConfig.InsecureSkipVerify {
+			t.Fatalf("Expected TLS verification to be skipped")
+		}
+		l.Close()
+	}
+}
+
+func TestScan(t *testing.T) {
+	tmpdir, unregister := Setup(t)
+	defer unregister()
+
+	pluginNames, err := Scan()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if pluginNames != nil {
+		t.Fatal("Plugin names should be empty.")
+	}
+
+	path := filepath.Join(tmpdir, "echo.spec")
+	addr := "unix://var/lib/docker/plugins/echo.sock"
+	name := "echo"
+
+	err = os.MkdirAll(filepath.Dir(path), 0755)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = ioutil.WriteFile(path, []byte(addr), 0644)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	r := newLocalRegistry()
+	p, err := r.Plugin(name)
+	assert.NilError(t, err)
+
+	pluginNamesNotEmpty, err := Scan()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(pluginNamesNotEmpty) != 1 {
+		t.Fatalf("expected 1 plugin entry: %v", pluginNamesNotEmpty)
+	}
+	if p.Name() != pluginNamesNotEmpty[0] {
+		t.Fatalf("Unable to scan plugin with name %s", p.name)
+	}
+}
+
+func TestScanNotPlugins(t *testing.T) {
+	tmpdir, unregister := Setup(t)
+	defer unregister()
+
+	// not that `Setup()` above sets the sockets path and spec path dirs, which
+	// `Scan()` uses to find plugins to the returned `tmpdir`
+
+	notPlugin := filepath.Join(tmpdir, "not-a-plugin")
+	if err := os.MkdirAll(notPlugin, 0700); err != nil {
+		t.Fatal(err)
+	}
+
+	// this is named differently than the dir it's in, so the scanner should ignore it
+	l, err := net.Listen("unix", filepath.Join(notPlugin, "foo.sock"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer l.Close()
+
+	// same let's test a spec path
+	f, err := os.Create(filepath.Join(notPlugin, "foo.spec"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+
+	names, err := Scan()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(names) != 0 {
+		t.Fatalf("expected no plugins, got %v", names)
+	}
+
+	// Just as a sanity check, let's make an entry that the scanner should read
+	f, err = os.Create(filepath.Join(notPlugin, "not-a-plugin.spec"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+
+	names, err = Scan()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(names) != 1 {
+		t.Fatalf("expected 1 entry in result: %v", names)
+	}
+	if names[0] != "not-a-plugin" {
+		t.Fatalf("expected plugin named `not-a-plugin`, got: %s", names[0])
+	}
+}
diff --git a/engine/pkg/plugins/discovery_windows.go b/engine/pkg/plugins/discovery_windows.go
new file mode 100644
index 00000000..f0af3477
--- /dev/null
+++ b/engine/pkg/plugins/discovery_windows.go
@@ -0,0 +1,8 @@
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+import (
+	"os"
+	"path/filepath"
+)
+
+var specsPaths = []string{filepath.Join(os.Getenv("programdata"), "docker", "plugins")}
diff --git a/engine/pkg/plugins/errors.go b/engine/pkg/plugins/errors.go
new file mode 100644
index 00000000..6735c304
--- /dev/null
+++ b/engine/pkg/plugins/errors.go
@@ -0,0 +1,33 @@
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+import (
+	"fmt"
+	"net/http"
+)
+
+type statusError struct {
+	status int
+	method string
+	err    string
+}
+
+// Error returns a formatted string for this error type
+func (e *statusError) Error() string {
+	return fmt.Sprintf("%s: %v", e.method, e.err)
+}
+
+// IsNotFound indicates if the passed in error is from an http.StatusNotFound from the plugin
+func IsNotFound(err error) bool {
+	return isStatusError(err, http.StatusNotFound)
+}
+
+func isStatusError(err error, status int) bool {
+	if err == nil {
+		return false
+	}
+	e, ok := err.(*statusError)
+	if !ok {
+		return false
+	}
+	return e.status == status
+}
diff --git a/engine/pkg/plugins/plugin_test.go b/engine/pkg/plugins/plugin_test.go
new file mode 100644
index 00000000..ce98078f
--- /dev/null
+++ b/engine/pkg/plugins/plugin_test.go
@@ -0,0 +1,154 @@
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"path/filepath"
+	"runtime"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/plugins/transport"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+const (
+	fruitPlugin     = "fruit"
+	fruitImplements = "apple"
+)
+
+// regression test for deadlock in handlers
+func TestPluginAddHandler(t *testing.T) {
+	// make a plugin which is pre-activated
+	p := &Plugin{activateWait: sync.NewCond(&sync.Mutex{})}
+	p.Manifest = &Manifest{Implements: []string{"bananas"}}
+	storage.plugins["qwerty"] = p
+
+	testActive(t, p)
+	Handle("bananas", func(_ string, _ *Client) {})
+	testActive(t, p)
+}
+
+func TestPluginWaitBadPlugin(t *testing.T) {
+	p := &Plugin{activateWait: sync.NewCond(&sync.Mutex{})}
+	p.activateErr = errors.New("some junk happened")
+	testActive(t, p)
+}
+
+func testActive(t *testing.T, p *Plugin) {
+	done := make(chan struct{})
+	go func() {
+		p.waitActive()
+		close(done)
+	}()
+
+	select {
+	case <-time.After(100 * time.Millisecond):
+		_, f, l, _ := runtime.Caller(1)
+		t.Fatalf("%s:%d: deadlock in waitActive", filepath.Base(f), l)
+	case <-done:
+	}
+}
+
+func TestGet(t *testing.T) {
+	p := &Plugin{name: fruitPlugin, activateWait: sync.NewCond(&sync.Mutex{})}
+	p.Manifest = &Manifest{Implements: []string{fruitImplements}}
+	storage.plugins[fruitPlugin] = p
+
+	plugin, err := Get(fruitPlugin, fruitImplements)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if p.Name() != plugin.Name() {
+		t.Fatalf("No matching plugin with name %s found", plugin.Name())
+	}
+	if plugin.Client() != nil {
+		t.Fatal("expected nil Client but found one")
+	}
+	if !plugin.IsV1() {
+		t.Fatal("Expected true for V1 plugin")
+	}
+
+	// check negative case where plugin fruit doesn't implement banana
+	_, err = Get("fruit", "banana")
+	assert.Equal(t, errors.Cause(err), ErrNotImplements)
+
+	// check negative case where plugin vegetable doesn't exist
+	_, err = Get("vegetable", "potato")
+	assert.Equal(t, errors.Cause(err), ErrNotFound)
+}
+
+func TestPluginWithNoManifest(t *testing.T) {
+	addr := setupRemotePluginServer()
+	defer teardownRemotePluginServer()
+
+	m := Manifest{[]string{fruitImplements}}
+	var buf bytes.Buffer
+	if err := json.NewEncoder(&buf).Encode(m); err != nil {
+		t.Fatal(err)
+	}
+
+	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "POST" {
+			t.Fatalf("Expected POST, got %s\n", r.Method)
+		}
+
+		header := w.Header()
+		header.Set("Content-Type", transport.VersionMimetype)
+
+		io.Copy(w, &buf)
+	})
+
+	p := &Plugin{
+		name:         fruitPlugin,
+		activateWait: sync.NewCond(&sync.Mutex{}),
+		Addr:         addr,
+		TLSConfig:    &tlsconfig.Options{InsecureSkipVerify: true},
+	}
+	storage.plugins[fruitPlugin] = p
+
+	plugin, err := Get(fruitPlugin, fruitImplements)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if p.Name() != plugin.Name() {
+		t.Fatalf("No matching plugin with name %s found", plugin.Name())
+	}
+}
+
+func TestGetAll(t *testing.T) {
+	tmpdir, unregister := Setup(t)
+	defer unregister()
+
+	p := filepath.Join(tmpdir, "example.json")
+	spec := `{
+	"Name": "example",
+	"Addr": "https://example.com/docker/plugin"
+}`
+
+	if err := ioutil.WriteFile(p, []byte(spec), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	r := newLocalRegistry()
+	plugin, err := r.Plugin("example")
+	if err != nil {
+		t.Fatal(err)
+	}
+	plugin.Manifest = &Manifest{Implements: []string{"apple"}}
+	storage.plugins["example"] = plugin
+
+	fetchedPlugins, err := GetAll("apple")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if fetchedPlugins[0].Name() != plugin.Name() {
+		t.Fatalf("Expected to get plugin with name %s", plugin.Name())
+	}
+}
diff --git a/engine/pkg/plugins/pluginrpc-gen/README.md b/engine/pkg/plugins/pluginrpc-gen/README.md
new file mode 100644
index 00000000..5f6a421f
--- /dev/null
+++ b/engine/pkg/plugins/pluginrpc-gen/README.md
@@ -0,0 +1,58 @@
+Plugin RPC Generator
+====================
+
+Generates go code from a Go interface definition for proxying between the plugin
+API and the subsystem being extended.
+
+## Usage
+
+Given an interface definition:
+
+```go
+type volumeDriver interface {
+	Create(name string, opts opts) (err error)
+	Remove(name string) (err error)
+	Path(name string) (mountpoint string, err error)
+	Mount(name string) (mountpoint string, err error)
+	Unmount(name string) (err error)
+}
+```
+
+**Note**: All function options and return values must be named in the definition.
+
+Run the generator:
+
+```bash
+$ pluginrpc-gen --type volumeDriver --name VolumeDriver -i volumes/drivers/extpoint.go -o volumes/drivers/proxy.go
+```
+
+Where:
+- `--type` is the name of the interface to use
+- `--name` is the subsystem that the plugin "Implements"
+- `-i` is the input file containing the interface definition
+- `-o` is the output file where the generated code should go
+
+**Note**: The generated code will use the same package name as the one defined in the input file
+
+Optionally, you can skip functions on the interface that should not be
+implemented in the generated proxy code by passing in the function name to `--skip`.
+This flag can be specified multiple times.
+
+You can also add build tags that should be prepended to the generated code by
+supplying `--tag`. This flag can be specified multiple times.
+
+## Known issues
+
+## go-generate
+
+You can also use this with go-generate, which is pretty awesome.  
+To do so, place the code at the top of the file which contains the interface
+definition (i.e., the input file):
+
+```go
+//go:generate pluginrpc-gen -i $GOFILE -o proxy.go -type volumeDriver -name VolumeDriver
+```
+
+Then cd to the package dir and run `go generate`
+
+**Note**: the `pluginrpc-gen` binary must be within your `$PATH`
diff --git a/engine/pkg/plugins/pluginrpc-gen/fixtures/foo.go b/engine/pkg/plugins/pluginrpc-gen/fixtures/foo.go
new file mode 100644
index 00000000..d27e28eb
--- /dev/null
+++ b/engine/pkg/plugins/pluginrpc-gen/fixtures/foo.go
@@ -0,0 +1,83 @@
+package foo // import "github.com/docker/docker/pkg/plugins/pluginrpc-gen/fixtures"
+
+import (
+	aliasedio "io"
+
+	"github.com/docker/docker/pkg/plugins/pluginrpc-gen/fixtures/otherfixture"
+)
+
+type wobble struct {
+	Some      string
+	Val       string
+	Inception *wobble
+}
+
+// Fooer is an empty interface used for tests.
+type Fooer interface{}
+
+// Fooer2 is an interface used for tests.
+type Fooer2 interface {
+	Foo()
+}
+
+// Fooer3 is an interface used for tests.
+type Fooer3 interface {
+	Foo()
+	Bar(a string)
+	Baz(a string) (err error)
+	Qux(a, b string) (val string, err error)
+	Wobble() (w *wobble)
+	Wiggle() (w wobble)
+	WiggleWobble(a []*wobble, b []wobble, c map[string]*wobble, d map[*wobble]wobble, e map[string][]wobble, f []*otherfixture.Spaceship) (g map[*wobble]wobble, h [][]*wobble, i otherfixture.Spaceship, j *otherfixture.Spaceship, k map[*otherfixture.Spaceship]otherfixture.Spaceship, l []otherfixture.Spaceship)
+}
+
+// Fooer4 is an interface used for tests.
+type Fooer4 interface {
+	Foo() error
+}
+
+// Bar is an interface used for tests.
+type Bar interface {
+	Boo(a string, b string) (s string, err error)
+}
+
+// Fooer5 is an interface used for tests.
+type Fooer5 interface {
+	Foo()
+	Bar
+}
+
+// Fooer6 is an interface used for tests.
+type Fooer6 interface {
+	Foo(a otherfixture.Spaceship)
+}
+
+// Fooer7 is an interface used for tests.
+type Fooer7 interface {
+	Foo(a *otherfixture.Spaceship)
+}
+
+// Fooer8 is an interface used for tests.
+type Fooer8 interface {
+	Foo(a map[string]otherfixture.Spaceship)
+}
+
+// Fooer9 is an interface used for tests.
+type Fooer9 interface {
+	Foo(a map[string]*otherfixture.Spaceship)
+}
+
+// Fooer10 is an interface used for tests.
+type Fooer10 interface {
+	Foo(a []otherfixture.Spaceship)
+}
+
+// Fooer11 is an interface used for tests.
+type Fooer11 interface {
+	Foo(a []*otherfixture.Spaceship)
+}
+
+// Fooer12 is an interface used for tests.
+type Fooer12 interface {
+	Foo(a aliasedio.Reader)
+}
diff --git a/engine/pkg/plugins/pluginrpc-gen/fixtures/otherfixture/spaceship.go b/engine/pkg/plugins/pluginrpc-gen/fixtures/otherfixture/spaceship.go
new file mode 100644
index 00000000..c603f677
--- /dev/null
+++ b/engine/pkg/plugins/pluginrpc-gen/fixtures/otherfixture/spaceship.go
@@ -0,0 +1,4 @@
+package otherfixture // import "github.com/docker/docker/pkg/plugins/pluginrpc-gen/fixtures/otherfixture"
+
+// Spaceship is a fixture for tests
+type Spaceship struct{}
diff --git a/engine/pkg/plugins/pluginrpc-gen/main.go b/engine/pkg/plugins/pluginrpc-gen/main.go
new file mode 100644
index 00000000..e77a7d45
--- /dev/null
+++ b/engine/pkg/plugins/pluginrpc-gen/main.go
@@ -0,0 +1,91 @@
+package main
+
+import (
+	"bytes"
+	"flag"
+	"fmt"
+	"go/format"
+	"io/ioutil"
+	"os"
+	"unicode"
+	"unicode/utf8"
+)
+
+type stringSet struct {
+	values map[string]struct{}
+}
+
+func (s stringSet) String() string {
+	return ""
+}
+
+func (s stringSet) Set(value string) error {
+	s.values[value] = struct{}{}
+	return nil
+}
+func (s stringSet) GetValues() map[string]struct{} {
+	return s.values
+}
+
+var (
+	typeName   = flag.String("type", "", "interface type to generate plugin rpc proxy for")
+	rpcName    = flag.String("name", *typeName, "RPC name, set if different from type")
+	inputFile  = flag.String("i", "", "input file path")
+	outputFile = flag.String("o", *inputFile+"_proxy.go", "output file path")
+
+	skipFuncs   map[string]struct{}
+	flSkipFuncs = stringSet{make(map[string]struct{})}
+
+	flBuildTags = stringSet{make(map[string]struct{})}
+)
+
+func errorOut(msg string, err error) {
+	if err == nil {
+		return
+	}
+	fmt.Fprintf(os.Stderr, "%s: %v\n", msg, err)
+	os.Exit(1)
+}
+
+func checkFlags() error {
+	if *outputFile == "" {
+		return fmt.Errorf("missing required flag `-o`")
+	}
+	if *inputFile == "" {
+		return fmt.Errorf("missing required flag `-i`")
+	}
+	return nil
+}
+
+func main() {
+	flag.Var(flSkipFuncs, "skip", "skip parsing for function")
+	flag.Var(flBuildTags, "tag", "build tags to add to generated files")
+	flag.Parse()
+	skipFuncs = flSkipFuncs.GetValues()
+
+	errorOut("error", checkFlags())
+
+	pkg, err := Parse(*inputFile, *typeName)
+	errorOut(fmt.Sprintf("error parsing requested type %s", *typeName), err)
+
+	var analysis = struct {
+		InterfaceType string
+		RPCName       string
+		BuildTags     map[string]struct{}
+		*ParsedPkg
+	}{toLower(*typeName), *rpcName, flBuildTags.GetValues(), pkg}
+	var buf bytes.Buffer
+
+	errorOut("parser error", generatedTempl.Execute(&buf, analysis))
+	src, err := format.Source(buf.Bytes())
+	errorOut("error formatting generated source:\n"+buf.String(), err)
+	errorOut("error writing file", ioutil.WriteFile(*outputFile, src, 0644))
+}
+
+func toLower(s string) string {
+	if s == "" {
+		return ""
+	}
+	r, n := utf8.DecodeRuneInString(s)
+	return string(unicode.ToLower(r)) + s[n:]
+}
diff --git a/engine/pkg/plugins/pluginrpc-gen/parser.go b/engine/pkg/plugins/pluginrpc-gen/parser.go
new file mode 100644
index 00000000..6c547e18
--- /dev/null
+++ b/engine/pkg/plugins/pluginrpc-gen/parser.go
@@ -0,0 +1,263 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"path"
+	"reflect"
+	"strings"
+)
+
+var errBadReturn = errors.New("found return arg with no name: all args must be named")
+
+type errUnexpectedType struct {
+	expected string
+	actual   interface{}
+}
+
+func (e errUnexpectedType) Error() string {
+	return fmt.Sprintf("got wrong type expecting %s, got: %v", e.expected, reflect.TypeOf(e.actual))
+}
+
+// ParsedPkg holds information about a package that has been parsed,
+// its name and the list of functions.
+type ParsedPkg struct {
+	Name      string
+	Functions []function
+	Imports   []importSpec
+}
+
+type function struct {
+	Name    string
+	Args    []arg
+	Returns []arg
+	Doc     string
+}
+
+type arg struct {
+	Name            string
+	ArgType         string
+	PackageSelector string
+}
+
+func (a *arg) String() string {
+	return a.Name + " " + a.ArgType
+}
+
+type importSpec struct {
+	Name string
+	Path string
+}
+
+func (s *importSpec) String() string {
+	var ss string
+	if len(s.Name) != 0 {
+		ss += s.Name
+	}
+	ss += s.Path
+	return ss
+}
+
+// Parse parses the given file for an interface definition with the given name.
+func Parse(filePath string, objName string) (*ParsedPkg, error) {
+	fs := token.NewFileSet()
+	pkg, err := parser.ParseFile(fs, filePath, nil, parser.AllErrors)
+	if err != nil {
+		return nil, err
+	}
+	p := &ParsedPkg{}
+	p.Name = pkg.Name.Name
+	obj, exists := pkg.Scope.Objects[objName]
+	if !exists {
+		return nil, fmt.Errorf("could not find object %s in %s", objName, filePath)
+	}
+	if obj.Kind != ast.Typ {
+		return nil, fmt.Errorf("exected type, got %s", obj.Kind)
+	}
+	spec, ok := obj.Decl.(*ast.TypeSpec)
+	if !ok {
+		return nil, errUnexpectedType{"*ast.TypeSpec", obj.Decl}
+	}
+	iface, ok := spec.Type.(*ast.InterfaceType)
+	if !ok {
+		return nil, errUnexpectedType{"*ast.InterfaceType", spec.Type}
+	}
+
+	p.Functions, err = parseInterface(iface)
+	if err != nil {
+		return nil, err
+	}
+
+	// figure out what imports will be needed
+	imports := make(map[string]importSpec)
+	for _, f := range p.Functions {
+		args := append(f.Args, f.Returns...)
+		for _, arg := range args {
+			if len(arg.PackageSelector) == 0 {
+				continue
+			}
+
+			for _, i := range pkg.Imports {
+				if i.Name != nil {
+					if i.Name.Name != arg.PackageSelector {
+						continue
+					}
+					imports[i.Path.Value] = importSpec{Name: arg.PackageSelector, Path: i.Path.Value}
+					break
+				}
+
+				_, name := path.Split(i.Path.Value)
+				splitName := strings.Split(name, "-")
+				if len(splitName) > 1 {
+					name = splitName[len(splitName)-1]
+				}
+				// import paths have quotes already added in, so need to remove them for name comparison
+				name = strings.TrimPrefix(name, `"`)
+				name = strings.TrimSuffix(name, `"`)
+				if name == arg.PackageSelector {
+					imports[i.Path.Value] = importSpec{Path: i.Path.Value}
+					break
+				}
+			}
+		}
+	}
+
+	for _, spec := range imports {
+		p.Imports = append(p.Imports, spec)
+	}
+
+	return p, nil
+}
+
+func parseInterface(iface *ast.InterfaceType) ([]function, error) {
+	var functions []function
+	for _, field := range iface.Methods.List {
+		switch f := field.Type.(type) {
+		case *ast.FuncType:
+			method, err := parseFunc(field)
+			if err != nil {
+				return nil, err
+			}
+			if method == nil {
+				continue
+			}
+			functions = append(functions, *method)
+		case *ast.Ident:
+			spec, ok := f.Obj.Decl.(*ast.TypeSpec)
+			if !ok {
+				return nil, errUnexpectedType{"*ast.TypeSpec", f.Obj.Decl}
+			}
+			iface, ok := spec.Type.(*ast.InterfaceType)
+			if !ok {
+				return nil, errUnexpectedType{"*ast.TypeSpec", spec.Type}
+			}
+			funcs, err := parseInterface(iface)
+			if err != nil {
+				fmt.Println(err)
+				continue
+			}
+			functions = append(functions, funcs...)
+		default:
+			return nil, errUnexpectedType{"*astFuncType or *ast.Ident", f}
+		}
+	}
+	return functions, nil
+}
+
+func parseFunc(field *ast.Field) (*function, error) {
+	f := field.Type.(*ast.FuncType)
+	method := &function{Name: field.Names[0].Name}
+	if _, exists := skipFuncs[method.Name]; exists {
+		fmt.Println("skipping:", method.Name)
+		return nil, nil
+	}
+	if f.Params != nil {
+		args, err := parseArgs(f.Params.List)
+		if err != nil {
+			return nil, err
+		}
+		method.Args = args
+	}
+	if f.Results != nil {
+		returns, err := parseArgs(f.Results.List)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing function returns for %q: %v", method.Name, err)
+		}
+		method.Returns = returns
+	}
+	return method, nil
+}
+
+func parseArgs(fields []*ast.Field) ([]arg, error) {
+	var args []arg
+	for _, f := range fields {
+		if len(f.Names) == 0 {
+			return nil, errBadReturn
+		}
+		for _, name := range f.Names {
+			p, err := parseExpr(f.Type)
+			if err != nil {
+				return nil, err
+			}
+			args = append(args, arg{name.Name, p.value, p.pkg})
+		}
+	}
+	return args, nil
+}
+
+type parsedExpr struct {
+	value string
+	pkg   string
+}
+
+func parseExpr(e ast.Expr) (parsedExpr, error) {
+	var parsed parsedExpr
+	switch i := e.(type) {
+	case *ast.Ident:
+		parsed.value += i.Name
+	case *ast.StarExpr:
+		p, err := parseExpr(i.X)
+		if err != nil {
+			return parsed, err
+		}
+		parsed.value += "*"
+		parsed.value += p.value
+		parsed.pkg = p.pkg
+	case *ast.SelectorExpr:
+		p, err := parseExpr(i.X)
+		if err != nil {
+			return parsed, err
+		}
+		parsed.pkg = p.value
+		parsed.value += p.value + "."
+		parsed.value += i.Sel.Name
+	case *ast.MapType:
+		parsed.value += "map["
+		p, err := parseExpr(i.Key)
+		if err != nil {
+			return parsed, err
+		}
+		parsed.value += p.value
+		parsed.value += "]"
+		p, err = parseExpr(i.Value)
+		if err != nil {
+			return parsed, err
+		}
+		parsed.value += p.value
+		parsed.pkg = p.pkg
+	case *ast.ArrayType:
+		parsed.value += "[]"
+		p, err := parseExpr(i.Elt)
+		if err != nil {
+			return parsed, err
+		}
+		parsed.value += p.value
+		parsed.pkg = p.pkg
+	default:
+		return parsed, errUnexpectedType{"*ast.Ident or *ast.StarExpr", i}
+	}
+	return parsed, nil
+}
diff --git a/engine/pkg/plugins/pluginrpc-gen/parser_test.go b/engine/pkg/plugins/pluginrpc-gen/parser_test.go
new file mode 100644
index 00000000..fe7fa5ad
--- /dev/null
+++ b/engine/pkg/plugins/pluginrpc-gen/parser_test.go
@@ -0,0 +1,222 @@
+package main
+
+import (
+	"fmt"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+)
+
+const testFixture = "fixtures/foo.go"
+
+func TestParseEmptyInterface(t *testing.T) {
+	pkg, err := Parse(testFixture, "Fooer")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertName(t, "foo", pkg.Name)
+	assertNum(t, 0, len(pkg.Functions))
+}
+
+func TestParseNonInterfaceType(t *testing.T) {
+	_, err := Parse(testFixture, "wobble")
+	if _, ok := err.(errUnexpectedType); !ok {
+		t.Fatal("expected type error when parsing non-interface type")
+	}
+}
+
+func TestParseWithOneFunction(t *testing.T) {
+	pkg, err := Parse(testFixture, "Fooer2")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertName(t, "foo", pkg.Name)
+	assertNum(t, 1, len(pkg.Functions))
+	assertName(t, "Foo", pkg.Functions[0].Name)
+	assertNum(t, 0, len(pkg.Functions[0].Args))
+	assertNum(t, 0, len(pkg.Functions[0].Returns))
+}
+
+func TestParseWithMultipleFuncs(t *testing.T) {
+	pkg, err := Parse(testFixture, "Fooer3")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertName(t, "foo", pkg.Name)
+	assertNum(t, 7, len(pkg.Functions))
+
+	f := pkg.Functions[0]
+	assertName(t, "Foo", f.Name)
+	assertNum(t, 0, len(f.Args))
+	assertNum(t, 0, len(f.Returns))
+
+	f = pkg.Functions[1]
+	assertName(t, "Bar", f.Name)
+	assertNum(t, 1, len(f.Args))
+	assertNum(t, 0, len(f.Returns))
+	arg := f.Args[0]
+	assertName(t, "a", arg.Name)
+	assertName(t, "string", arg.ArgType)
+
+	f = pkg.Functions[2]
+	assertName(t, "Baz", f.Name)
+	assertNum(t, 1, len(f.Args))
+	assertNum(t, 1, len(f.Returns))
+	arg = f.Args[0]
+	assertName(t, "a", arg.Name)
+	assertName(t, "string", arg.ArgType)
+	arg = f.Returns[0]
+	assertName(t, "err", arg.Name)
+	assertName(t, "error", arg.ArgType)
+
+	f = pkg.Functions[3]
+	assertName(t, "Qux", f.Name)
+	assertNum(t, 2, len(f.Args))
+	assertNum(t, 2, len(f.Returns))
+	arg = f.Args[0]
+	assertName(t, "a", f.Args[0].Name)
+	assertName(t, "string", f.Args[0].ArgType)
+	arg = f.Args[1]
+	assertName(t, "b", arg.Name)
+	assertName(t, "string", arg.ArgType)
+	arg = f.Returns[0]
+	assertName(t, "val", arg.Name)
+	assertName(t, "string", arg.ArgType)
+	arg = f.Returns[1]
+	assertName(t, "err", arg.Name)
+	assertName(t, "error", arg.ArgType)
+
+	f = pkg.Functions[4]
+	assertName(t, "Wobble", f.Name)
+	assertNum(t, 0, len(f.Args))
+	assertNum(t, 1, len(f.Returns))
+	arg = f.Returns[0]
+	assertName(t, "w", arg.Name)
+	assertName(t, "*wobble", arg.ArgType)
+
+	f = pkg.Functions[5]
+	assertName(t, "Wiggle", f.Name)
+	assertNum(t, 0, len(f.Args))
+	assertNum(t, 1, len(f.Returns))
+	arg = f.Returns[0]
+	assertName(t, "w", arg.Name)
+	assertName(t, "wobble", arg.ArgType)
+
+	f = pkg.Functions[6]
+	assertName(t, "WiggleWobble", f.Name)
+	assertNum(t, 6, len(f.Args))
+	assertNum(t, 6, len(f.Returns))
+	expectedArgs := [][]string{
+		{"a", "[]*wobble"},
+		{"b", "[]wobble"},
+		{"c", "map[string]*wobble"},
+		{"d", "map[*wobble]wobble"},
+		{"e", "map[string][]wobble"},
+		{"f", "[]*otherfixture.Spaceship"},
+	}
+	for i, arg := range f.Args {
+		assertName(t, expectedArgs[i][0], arg.Name)
+		assertName(t, expectedArgs[i][1], arg.ArgType)
+	}
+	expectedReturns := [][]string{
+		{"g", "map[*wobble]wobble"},
+		{"h", "[][]*wobble"},
+		{"i", "otherfixture.Spaceship"},
+		{"j", "*otherfixture.Spaceship"},
+		{"k", "map[*otherfixture.Spaceship]otherfixture.Spaceship"},
+		{"l", "[]otherfixture.Spaceship"},
+	}
+	for i, ret := range f.Returns {
+		assertName(t, expectedReturns[i][0], ret.Name)
+		assertName(t, expectedReturns[i][1], ret.ArgType)
+	}
+}
+
+func TestParseWithUnnamedReturn(t *testing.T) {
+	_, err := Parse(testFixture, "Fooer4")
+	if !strings.HasSuffix(err.Error(), errBadReturn.Error()) {
+		t.Fatalf("expected ErrBadReturn, got %v", err)
+	}
+}
+
+func TestEmbeddedInterface(t *testing.T) {
+	pkg, err := Parse(testFixture, "Fooer5")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertName(t, "foo", pkg.Name)
+	assertNum(t, 2, len(pkg.Functions))
+
+	f := pkg.Functions[0]
+	assertName(t, "Foo", f.Name)
+	assertNum(t, 0, len(f.Args))
+	assertNum(t, 0, len(f.Returns))
+
+	f = pkg.Functions[1]
+	assertName(t, "Boo", f.Name)
+	assertNum(t, 2, len(f.Args))
+	assertNum(t, 2, len(f.Returns))
+
+	arg := f.Args[0]
+	assertName(t, "a", arg.Name)
+	assertName(t, "string", arg.ArgType)
+
+	arg = f.Args[1]
+	assertName(t, "b", arg.Name)
+	assertName(t, "string", arg.ArgType)
+
+	arg = f.Returns[0]
+	assertName(t, "s", arg.Name)
+	assertName(t, "string", arg.ArgType)
+
+	arg = f.Returns[1]
+	assertName(t, "err", arg.Name)
+	assertName(t, "error", arg.ArgType)
+}
+
+func TestParsedImports(t *testing.T) {
+	cases := []string{"Fooer6", "Fooer7", "Fooer8", "Fooer9", "Fooer10", "Fooer11"}
+	for _, testCase := range cases {
+		pkg, err := Parse(testFixture, testCase)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		assertNum(t, 1, len(pkg.Imports))
+		importPath := strings.Split(pkg.Imports[0].Path, "/")
+		assertName(t, "otherfixture\"", importPath[len(importPath)-1])
+		assertName(t, "", pkg.Imports[0].Name)
+	}
+}
+
+func TestAliasedImports(t *testing.T) {
+	pkg, err := Parse(testFixture, "Fooer12")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertNum(t, 1, len(pkg.Imports))
+	assertName(t, "aliasedio", pkg.Imports[0].Name)
+}
+
+func assertName(t *testing.T, expected, actual string) {
+	if expected != actual {
+		fatalOut(t, fmt.Sprintf("expected name to be `%s`, got: %s", expected, actual))
+	}
+}
+
+func assertNum(t *testing.T, expected, actual int) {
+	if expected != actual {
+		fatalOut(t, fmt.Sprintf("expected number to be %d, got: %d", expected, actual))
+	}
+}
+
+func fatalOut(t *testing.T, msg string) {
+	_, file, ln, _ := runtime.Caller(2)
+	t.Fatalf("%s:%d: %s", filepath.Base(file), ln, msg)
+}
diff --git a/engine/pkg/plugins/pluginrpc-gen/template.go b/engine/pkg/plugins/pluginrpc-gen/template.go
new file mode 100644
index 00000000..50ed9293
--- /dev/null
+++ b/engine/pkg/plugins/pluginrpc-gen/template.go
@@ -0,0 +1,118 @@
+package main
+
+import (
+	"strings"
+	"text/template"
+)
+
+func printArgs(args []arg) string {
+	var argStr []string
+	for _, arg := range args {
+		argStr = append(argStr, arg.String())
+	}
+	return strings.Join(argStr, ", ")
+}
+
+func buildImports(specs []importSpec) string {
+	if len(specs) == 0 {
+		return `import "errors"`
+	}
+	imports := "import(\n"
+	imports += "\t\"errors\"\n"
+	for _, i := range specs {
+		imports += "\t" + i.String() + "\n"
+	}
+	imports += ")"
+	return imports
+}
+
+func marshalType(t string) string {
+	switch t {
+	case "error":
+		// convert error types to plain strings to ensure the values are encoded/decoded properly
+		return "string"
+	default:
+		return t
+	}
+}
+
+func isErr(t string) bool {
+	switch t {
+	case "error":
+		return true
+	default:
+		return false
+	}
+}
+
+// Need to use this helper due to issues with go-vet
+func buildTag(s string) string {
+	return "+build " + s
+}
+
+var templFuncs = template.FuncMap{
+	"printArgs":   printArgs,
+	"marshalType": marshalType,
+	"isErr":       isErr,
+	"lower":       strings.ToLower,
+	"title":       title,
+	"tag":         buildTag,
+	"imports":     buildImports,
+}
+
+func title(s string) string {
+	if strings.ToLower(s) == "id" {
+		return "ID"
+	}
+	return strings.Title(s)
+}
+
+var generatedTempl = template.Must(template.New("rpc_cient").Funcs(templFuncs).Parse(`
+// generated code - DO NOT EDIT
+{{ range $k, $v := .BuildTags }}
+	// {{ tag $k }} {{ end }}
+
+package {{ .Name }}
+
+{{ imports .Imports }}
+
+type client interface{
+	Call(string, interface{}, interface{}) error
+}
+
+type {{ .InterfaceType }}Proxy struct {
+	client
+}
+
+{{ range .Functions }}
+	type {{ $.InterfaceType }}Proxy{{ .Name }}Request struct{
+		{{ range .Args }}
+			{{ title .Name }} {{ .ArgType }} {{ end }}
+	}
+
+	type {{ $.InterfaceType }}Proxy{{ .Name }}Response struct{
+		{{ range .Returns }}
+			{{ title .Name }} {{ marshalType .ArgType }} {{ end }}
+	}
+
+	func (pp *{{ $.InterfaceType }}Proxy) {{ .Name }}({{ printArgs .Args }}) ({{ printArgs .Returns }}) {
+		var(
+			req {{ $.InterfaceType }}Proxy{{ .Name }}Request
+			ret {{ $.InterfaceType }}Proxy{{ .Name }}Response
+		)
+		{{ range .Args }}
+			req.{{ title .Name }} = {{ lower .Name }} {{ end }}
+		if err = pp.Call("{{ $.RPCName }}.{{ .Name }}", req, &ret); err != nil {
+			return
+		}
+		{{ range $r := .Returns }}
+			{{ if isErr .ArgType }}
+				if ret.{{ title .Name }} != "" {
+					{{ lower .Name }} = errors.New(ret.{{ title .Name }})
+				} {{ end }}
+			{{ if isErr .ArgType | not }} {{ lower .Name }} = ret.{{ title .Name }} {{ end }} {{ end }}
+
+		return
+	}
+{{ end }}
+`))
diff --git a/engine/pkg/plugins/plugins.go b/engine/pkg/plugins/plugins.go
new file mode 100644
index 00000000..6962079d
--- /dev/null
+++ b/engine/pkg/plugins/plugins.go
@@ -0,0 +1,337 @@
+// Package plugins provides structures and helper functions to manage Docker
+// plugins.
+//
+// Docker discovers plugins by looking for them in the plugin directory whenever
+// a user or container tries to use one by name. UNIX domain socket files must
+// be located under /run/docker/plugins, whereas spec files can be located
+// either under /etc/docker/plugins or /usr/lib/docker/plugins. This is handled
+// by the Registry interface, which lets you list all plugins or get a plugin by
+// its name if it exists.
+//
+// The plugins need to implement an HTTP server and bind this to the UNIX socket
+// or the address specified in the spec files.
+// A handshake is send at /Plugin.Activate, and plugins are expected to return
+// a Manifest with a list of of Docker subsystems which this plugin implements.
+//
+// In order to use a plugins, you can use the ``Get`` with the name of the
+// plugin and the subsystem it implements.
+//
+//	plugin, err := plugins.Get("example", "VolumeDriver")
+//	if err != nil {
+//		return fmt.Errorf("Error looking up volume plugin example: %v", err)
+//	}
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+import (
+	"errors"
+	"sync"
+	"time"
+
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/sirupsen/logrus"
+)
+
+// ProtocolSchemeHTTPV1 is the name of the protocol used for interacting with plugins using this package.
+const ProtocolSchemeHTTPV1 = "moby.plugins.http/v1"
+
+var (
+	// ErrNotImplements is returned if the plugin does not implement the requested driver.
+	ErrNotImplements = errors.New("Plugin does not implement the requested driver")
+)
+
+type plugins struct {
+	sync.Mutex
+	plugins map[string]*Plugin
+}
+
+type extpointHandlers struct {
+	sync.RWMutex
+	extpointHandlers map[string][]func(string, *Client)
+}
+
+var (
+	storage  = plugins{plugins: make(map[string]*Plugin)}
+	handlers = extpointHandlers{extpointHandlers: make(map[string][]func(string, *Client))}
+)
+
+// Manifest lists what a plugin implements.
+type Manifest struct {
+	// List of subsystem the plugin implements.
+	Implements []string
+}
+
+// Plugin is the definition of a docker plugin.
+type Plugin struct {
+	// Name of the plugin
+	name string
+	// Address of the plugin
+	Addr string
+	// TLS configuration of the plugin
+	TLSConfig *tlsconfig.Options
+	// Client attached to the plugin
+	client *Client
+	// Manifest of the plugin (see above)
+	Manifest *Manifest `json:"-"`
+
+	// wait for activation to finish
+	activateWait *sync.Cond
+	// error produced by activation
+	activateErr error
+	// keeps track of callback handlers run against this plugin
+	handlersRun bool
+}
+
+// Name returns the name of the plugin.
+func (p *Plugin) Name() string {
+	return p.name
+}
+
+// Client returns a ready-to-use plugin client that can be used to communicate with the plugin.
+func (p *Plugin) Client() *Client {
+	return p.client
+}
+
+// Protocol returns the protocol name/version used for plugins in this package.
+func (p *Plugin) Protocol() string {
+	return ProtocolSchemeHTTPV1
+}
+
+// IsV1 returns true for V1 plugins and false otherwise.
+func (p *Plugin) IsV1() bool {
+	return true
+}
+
+// NewLocalPlugin creates a new local plugin.
+func NewLocalPlugin(name, addr string) *Plugin {
+	return &Plugin{
+		name: name,
+		Addr: addr,
+		// TODO: change to nil
+		TLSConfig:    &tlsconfig.Options{InsecureSkipVerify: true},
+		activateWait: sync.NewCond(&sync.Mutex{}),
+	}
+}
+
+func (p *Plugin) activate() error {
+	p.activateWait.L.Lock()
+
+	if p.activated() {
+		p.runHandlers()
+		p.activateWait.L.Unlock()
+		return p.activateErr
+	}
+
+	p.activateErr = p.activateWithLock()
+
+	p.runHandlers()
+	p.activateWait.L.Unlock()
+	p.activateWait.Broadcast()
+	return p.activateErr
+}
+
+// runHandlers runs the registered handlers for the implemented plugin types
+// This should only be run after activation, and while the activation lock is held.
+func (p *Plugin) runHandlers() {
+	if !p.activated() {
+		return
+	}
+
+	handlers.RLock()
+	if !p.handlersRun {
+		for _, iface := range p.Manifest.Implements {
+			hdlrs, handled := handlers.extpointHandlers[iface]
+			if !handled {
+				continue
+			}
+			for _, handler := range hdlrs {
+				handler(p.name, p.client)
+			}
+		}
+		p.handlersRun = true
+	}
+	handlers.RUnlock()
+
+}
+
+// activated returns if the plugin has already been activated.
+// This should only be called with the activation lock held
+func (p *Plugin) activated() bool {
+	return p.Manifest != nil
+}
+
+func (p *Plugin) activateWithLock() error {
+	c, err := NewClient(p.Addr, p.TLSConfig)
+	if err != nil {
+		return err
+	}
+	p.client = c
+
+	m := new(Manifest)
+	if err = p.client.Call("Plugin.Activate", nil, m); err != nil {
+		return err
+	}
+
+	p.Manifest = m
+	return nil
+}
+
+func (p *Plugin) waitActive() error {
+	p.activateWait.L.Lock()
+	for !p.activated() && p.activateErr == nil {
+		p.activateWait.Wait()
+	}
+	p.activateWait.L.Unlock()
+	return p.activateErr
+}
+
+func (p *Plugin) implements(kind string) bool {
+	if p.Manifest == nil {
+		return false
+	}
+	for _, driver := range p.Manifest.Implements {
+		if driver == kind {
+			return true
+		}
+	}
+	return false
+}
+
+func load(name string) (*Plugin, error) {
+	return loadWithRetry(name, true)
+}
+
+func loadWithRetry(name string, retry bool) (*Plugin, error) {
+	registry := newLocalRegistry()
+	start := time.Now()
+
+	var retries int
+	for {
+		pl, err := registry.Plugin(name)
+		if err != nil {
+			if !retry {
+				return nil, err
+			}
+
+			timeOff := backoff(retries)
+			if abort(start, timeOff) {
+				return nil, err
+			}
+			retries++
+			logrus.Warnf("Unable to locate plugin: %s, retrying in %v", name, timeOff)
+			time.Sleep(timeOff)
+			continue
+		}
+
+		storage.Lock()
+		if pl, exists := storage.plugins[name]; exists {
+			storage.Unlock()
+			return pl, pl.activate()
+		}
+		storage.plugins[name] = pl
+		storage.Unlock()
+
+		err = pl.activate()
+
+		if err != nil {
+			storage.Lock()
+			delete(storage.plugins, name)
+			storage.Unlock()
+		}
+
+		return pl, err
+	}
+}
+
+func get(name string) (*Plugin, error) {
+	storage.Lock()
+	pl, ok := storage.plugins[name]
+	storage.Unlock()
+	if ok {
+		return pl, pl.activate()
+	}
+	return load(name)
+}
+
+// Get returns the plugin given the specified name and requested implementation.
+func Get(name, imp string) (*Plugin, error) {
+	pl, err := get(name)
+	if err != nil {
+		return nil, err
+	}
+	if err := pl.waitActive(); err == nil && pl.implements(imp) {
+		logrus.Debugf("%s implements: %s", name, imp)
+		return pl, nil
+	}
+	return nil, ErrNotImplements
+}
+
+// Handle adds the specified function to the extpointHandlers.
+func Handle(iface string, fn func(string, *Client)) {
+	handlers.Lock()
+	hdlrs, ok := handlers.extpointHandlers[iface]
+	if !ok {
+		hdlrs = []func(string, *Client){}
+	}
+
+	hdlrs = append(hdlrs, fn)
+	handlers.extpointHandlers[iface] = hdlrs
+
+	storage.Lock()
+	for _, p := range storage.plugins {
+		p.activateWait.L.Lock()
+		if p.activated() && p.implements(iface) {
+			p.handlersRun = false
+		}
+		p.activateWait.L.Unlock()
+	}
+	storage.Unlock()
+
+	handlers.Unlock()
+}
+
+// GetAll returns all the plugins for the specified implementation
+func GetAll(imp string) ([]*Plugin, error) {
+	pluginNames, err := Scan()
+	if err != nil {
+		return nil, err
+	}
+
+	type plLoad struct {
+		pl  *Plugin
+		err error
+	}
+
+	chPl := make(chan *plLoad, len(pluginNames))
+	var wg sync.WaitGroup
+	for _, name := range pluginNames {
+		storage.Lock()
+		pl, ok := storage.plugins[name]
+		storage.Unlock()
+		if ok {
+			chPl <- &plLoad{pl, nil}
+			continue
+		}
+
+		wg.Add(1)
+		go func(name string) {
+			defer wg.Done()
+			pl, err := loadWithRetry(name, false)
+			chPl <- &plLoad{pl, err}
+		}(name)
+	}
+
+	wg.Wait()
+	close(chPl)
+
+	var out []*Plugin
+	for pl := range chPl {
+		if pl.err != nil {
+			logrus.Error(pl.err)
+			continue
+		}
+		if err := pl.pl.waitActive(); err == nil && pl.pl.implements(imp) {
+			out = append(out, pl.pl)
+		}
+	}
+	return out, nil
+}
diff --git a/engine/pkg/plugins/plugins_unix.go b/engine/pkg/plugins/plugins_unix.go
new file mode 100644
index 00000000..cdfbe934
--- /dev/null
+++ b/engine/pkg/plugins/plugins_unix.go
@@ -0,0 +1,9 @@
+// +build !windows
+
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+// ScopedPath returns the path scoped to the plugin's rootfs.
+// For v1 plugins, this always returns the path unchanged as v1 plugins run directly on the host.
+func (p *Plugin) ScopedPath(s string) string {
+	return s
+}
diff --git a/engine/pkg/plugins/plugins_windows.go b/engine/pkg/plugins/plugins_windows.go
new file mode 100644
index 00000000..ddf1d786
--- /dev/null
+++ b/engine/pkg/plugins/plugins_windows.go
@@ -0,0 +1,7 @@
+package plugins // import "github.com/docker/docker/pkg/plugins"
+
+// ScopedPath returns the path scoped to the plugin's rootfs.
+// For v1 plugins, this always returns the path unchanged as v1 plugins run directly on the host.
+func (p *Plugin) ScopedPath(s string) string {
+	return s
+}
diff --git a/engine/pkg/plugins/transport/http.go b/engine/pkg/plugins/transport/http.go
new file mode 100644
index 00000000..76d3bdb7
--- /dev/null
+++ b/engine/pkg/plugins/transport/http.go
@@ -0,0 +1,36 @@
+package transport // import "github.com/docker/docker/pkg/plugins/transport"
+
+import (
+	"io"
+	"net/http"
+)
+
+// httpTransport holds an http.RoundTripper
+// and information about the scheme and address the transport
+// sends request to.
+type httpTransport struct {
+	http.RoundTripper
+	scheme string
+	addr   string
+}
+
+// NewHTTPTransport creates a new httpTransport.
+func NewHTTPTransport(r http.RoundTripper, scheme, addr string) Transport {
+	return httpTransport{
+		RoundTripper: r,
+		scheme:       scheme,
+		addr:         addr,
+	}
+}
+
+// NewRequest creates a new http.Request and sets the URL
+// scheme and address with the transport's fields.
+func (t httpTransport) NewRequest(path string, data io.Reader) (*http.Request, error) {
+	req, err := newHTTPRequest(path, data)
+	if err != nil {
+		return nil, err
+	}
+	req.URL.Scheme = t.scheme
+	req.URL.Host = t.addr
+	return req, nil
+}
diff --git a/engine/pkg/plugins/transport/http_test.go b/engine/pkg/plugins/transport/http_test.go
new file mode 100644
index 00000000..78ab2372
--- /dev/null
+++ b/engine/pkg/plugins/transport/http_test.go
@@ -0,0 +1,21 @@
+package transport // import "github.com/docker/docker/pkg/plugins/transport"
+
+import (
+	"io"
+	"net/http"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestHTTPTransport(t *testing.T) {
+	var r io.Reader
+	roundTripper := &http.Transport{}
+	newTransport := NewHTTPTransport(roundTripper, "http", "0.0.0.0")
+	request, err := newTransport.NewRequest("", r)
+	if err != nil {
+		t.Fatal(err)
+	}
+	assert.Check(t, is.Equal("POST", request.Method))
+}
diff --git a/engine/pkg/plugins/transport/transport.go b/engine/pkg/plugins/transport/transport.go
new file mode 100644
index 00000000..9cb13335
--- /dev/null
+++ b/engine/pkg/plugins/transport/transport.go
@@ -0,0 +1,36 @@
+package transport // import "github.com/docker/docker/pkg/plugins/transport"
+
+import (
+	"io"
+	"net/http"
+	"strings"
+)
+
+// VersionMimetype is the Content-Type the engine sends to plugins.
+const VersionMimetype = "application/vnd.docker.plugins.v1.2+json"
+
+// RequestFactory defines an interface that
+// transports can implement to create new requests.
+type RequestFactory interface {
+	NewRequest(path string, data io.Reader) (*http.Request, error)
+}
+
+// Transport defines an interface that plugin transports
+// must implement.
+type Transport interface {
+	http.RoundTripper
+	RequestFactory
+}
+
+// newHTTPRequest creates a new request with a path and a body.
+func newHTTPRequest(path string, data io.Reader) (*http.Request, error) {
+	if !strings.HasPrefix(path, "/") {
+		path = "/" + path
+	}
+	req, err := http.NewRequest("POST", path, data)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Add("Accept", VersionMimetype)
+	return req, nil
+}
diff --git a/engine/pkg/pools/pools.go b/engine/pkg/pools/pools.go
new file mode 100644
index 00000000..46339c28
--- /dev/null
+++ b/engine/pkg/pools/pools.go
@@ -0,0 +1,137 @@
+// Package pools provides a collection of pools which provide various
+// data types with buffers. These can be used to lower the number of
+// memory allocations and reuse buffers.
+//
+// New pools should be added to this package to allow them to be
+// shared across packages.
+//
+// Utility functions which operate on pools should be added to this
+// package to allow them to be reused.
+package pools // import "github.com/docker/docker/pkg/pools"
+
+import (
+	"bufio"
+	"io"
+	"sync"
+
+	"github.com/docker/docker/pkg/ioutils"
+)
+
+const buffer32K = 32 * 1024
+
+var (
+	// BufioReader32KPool is a pool which returns bufio.Reader with a 32K buffer.
+	BufioReader32KPool = newBufioReaderPoolWithSize(buffer32K)
+	// BufioWriter32KPool is a pool which returns bufio.Writer with a 32K buffer.
+	BufioWriter32KPool = newBufioWriterPoolWithSize(buffer32K)
+	buffer32KPool      = newBufferPoolWithSize(buffer32K)
+)
+
+// BufioReaderPool is a bufio reader that uses sync.Pool.
+type BufioReaderPool struct {
+	pool sync.Pool
+}
+
+// newBufioReaderPoolWithSize is unexported because new pools should be
+// added here to be shared where required.
+func newBufioReaderPoolWithSize(size int) *BufioReaderPool {
+	return &BufioReaderPool{
+		pool: sync.Pool{
+			New: func() interface{} { return bufio.NewReaderSize(nil, size) },
+		},
+	}
+}
+
+// Get returns a bufio.Reader which reads from r. The buffer size is that of the pool.
+func (bufPool *BufioReaderPool) Get(r io.Reader) *bufio.Reader {
+	buf := bufPool.pool.Get().(*bufio.Reader)
+	buf.Reset(r)
+	return buf
+}
+
+// Put puts the bufio.Reader back into the pool.
+func (bufPool *BufioReaderPool) Put(b *bufio.Reader) {
+	b.Reset(nil)
+	bufPool.pool.Put(b)
+}
+
+type bufferPool struct {
+	pool sync.Pool
+}
+
+func newBufferPoolWithSize(size int) *bufferPool {
+	return &bufferPool{
+		pool: sync.Pool{
+			New: func() interface{} { return make([]byte, size) },
+		},
+	}
+}
+
+func (bp *bufferPool) Get() []byte {
+	return bp.pool.Get().([]byte)
+}
+
+func (bp *bufferPool) Put(b []byte) {
+	bp.pool.Put(b)
+}
+
+// Copy is a convenience wrapper which uses a buffer to avoid allocation in io.Copy.
+func Copy(dst io.Writer, src io.Reader) (written int64, err error) {
+	buf := buffer32KPool.Get()
+	written, err = io.CopyBuffer(dst, src, buf)
+	buffer32KPool.Put(buf)
+	return
+}
+
+// NewReadCloserWrapper returns a wrapper which puts the bufio.Reader back
+// into the pool and closes the reader if it's an io.ReadCloser.
+func (bufPool *BufioReaderPool) NewReadCloserWrapper(buf *bufio.Reader, r io.Reader) io.ReadCloser {
+	return ioutils.NewReadCloserWrapper(r, func() error {
+		if readCloser, ok := r.(io.ReadCloser); ok {
+			readCloser.Close()
+		}
+		bufPool.Put(buf)
+		return nil
+	})
+}
+
+// BufioWriterPool is a bufio writer that uses sync.Pool.
+type BufioWriterPool struct {
+	pool sync.Pool
+}
+
+// newBufioWriterPoolWithSize is unexported because new pools should be
+// added here to be shared where required.
+func newBufioWriterPoolWithSize(size int) *BufioWriterPool {
+	return &BufioWriterPool{
+		pool: sync.Pool{
+			New: func() interface{} { return bufio.NewWriterSize(nil, size) },
+		},
+	}
+}
+
+// Get returns a bufio.Writer which writes to w. The buffer size is that of the pool.
+func (bufPool *BufioWriterPool) Get(w io.Writer) *bufio.Writer {
+	buf := bufPool.pool.Get().(*bufio.Writer)
+	buf.Reset(w)
+	return buf
+}
+
+// Put puts the bufio.Writer back into the pool.
+func (bufPool *BufioWriterPool) Put(b *bufio.Writer) {
+	b.Reset(nil)
+	bufPool.pool.Put(b)
+}
+
+// NewWriteCloserWrapper returns a wrapper which puts the bufio.Writer back
+// into the pool and closes the writer if it's an io.Writecloser.
+func (bufPool *BufioWriterPool) NewWriteCloserWrapper(buf *bufio.Writer, w io.Writer) io.WriteCloser {
+	return ioutils.NewWriteCloserWrapper(w, func() error {
+		buf.Flush()
+		if writeCloser, ok := w.(io.WriteCloser); ok {
+			writeCloser.Close()
+		}
+		bufPool.Put(buf)
+		return nil
+	})
+}
diff --git a/engine/pkg/pools/pools_test.go b/engine/pkg/pools/pools_test.go
new file mode 100644
index 00000000..7ff01ce3
--- /dev/null
+++ b/engine/pkg/pools/pools_test.go
@@ -0,0 +1,163 @@
+package pools // import "github.com/docker/docker/pkg/pools"
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestBufioReaderPoolGetWithNoReaderShouldCreateOne(t *testing.T) {
+	reader := BufioReader32KPool.Get(nil)
+	if reader == nil {
+		t.Fatalf("BufioReaderPool should have create a bufio.Reader but did not.")
+	}
+}
+
+func TestBufioReaderPoolPutAndGet(t *testing.T) {
+	sr := bufio.NewReader(strings.NewReader("foobar"))
+	reader := BufioReader32KPool.Get(sr)
+	if reader == nil {
+		t.Fatalf("BufioReaderPool should not return a nil reader.")
+	}
+	// verify the first 3 byte
+	buf1 := make([]byte, 3)
+	_, err := reader.Read(buf1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if actual := string(buf1); actual != "foo" {
+		t.Fatalf("The first letter should have been 'foo' but was %v", actual)
+	}
+	BufioReader32KPool.Put(reader)
+	// Try to read the next 3 bytes
+	_, err = sr.Read(make([]byte, 3))
+	if err == nil || err != io.EOF {
+		t.Fatalf("The buffer should have been empty, issue an EOF error.")
+	}
+}
+
+type simpleReaderCloser struct {
+	io.Reader
+	closed bool
+}
+
+func (r *simpleReaderCloser) Close() error {
+	r.closed = true
+	return nil
+}
+
+func TestNewReadCloserWrapperWithAReadCloser(t *testing.T) {
+	br := bufio.NewReader(strings.NewReader(""))
+	sr := &simpleReaderCloser{
+		Reader: strings.NewReader("foobar"),
+		closed: false,
+	}
+	reader := BufioReader32KPool.NewReadCloserWrapper(br, sr)
+	if reader == nil {
+		t.Fatalf("NewReadCloserWrapper should not return a nil reader.")
+	}
+	// Verify the content of reader
+	buf := make([]byte, 3)
+	_, err := reader.Read(buf)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if actual := string(buf); actual != "foo" {
+		t.Fatalf("The first 3 letter should have been 'foo' but were %v", actual)
+	}
+	reader.Close()
+	// Read 3 more bytes "bar"
+	_, err = reader.Read(buf)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if actual := string(buf); actual != "bar" {
+		t.Fatalf("The first 3 letter should have been 'bar' but were %v", actual)
+	}
+	if !sr.closed {
+		t.Fatalf("The ReaderCloser should have been closed, it is not.")
+	}
+}
+
+func TestBufioWriterPoolGetWithNoReaderShouldCreateOne(t *testing.T) {
+	writer := BufioWriter32KPool.Get(nil)
+	if writer == nil {
+		t.Fatalf("BufioWriterPool should have create a bufio.Writer but did not.")
+	}
+}
+
+func TestBufioWriterPoolPutAndGet(t *testing.T) {
+	buf := new(bytes.Buffer)
+	bw := bufio.NewWriter(buf)
+	writer := BufioWriter32KPool.Get(bw)
+	assert.Assert(t, writer != nil)
+
+	written, err := writer.Write([]byte("foobar"))
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(6, written))
+
+	// Make sure we Flush all the way ?
+	writer.Flush()
+	bw.Flush()
+	assert.Check(t, is.Len(buf.Bytes(), 6))
+	// Reset the buffer
+	buf.Reset()
+	BufioWriter32KPool.Put(writer)
+	// Try to write something
+	if _, err = writer.Write([]byte("barfoo")); err != nil {
+		t.Fatal(err)
+	}
+	// If we now try to flush it, it should panic (the writer is nil)
+	// recover it
+	defer func() {
+		if r := recover(); r == nil {
+			t.Fatal("Trying to flush the writter should have 'paniced', did not.")
+		}
+	}()
+	writer.Flush()
+}
+
+type simpleWriterCloser struct {
+	io.Writer
+	closed bool
+}
+
+func (r *simpleWriterCloser) Close() error {
+	r.closed = true
+	return nil
+}
+
+func TestNewWriteCloserWrapperWithAWriteCloser(t *testing.T) {
+	buf := new(bytes.Buffer)
+	bw := bufio.NewWriter(buf)
+	sw := &simpleWriterCloser{
+		Writer: new(bytes.Buffer),
+		closed: false,
+	}
+	bw.Flush()
+	writer := BufioWriter32KPool.NewWriteCloserWrapper(bw, sw)
+	if writer == nil {
+		t.Fatalf("BufioReaderPool should not return a nil writer.")
+	}
+	written, err := writer.Write([]byte("foobar"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if written != 6 {
+		t.Fatalf("Should have written 6 bytes, but wrote %v bytes", written)
+	}
+	writer.Close()
+	if !sw.closed {
+		t.Fatalf("The ReaderCloser should have been closed, it is not.")
+	}
+}
+
+func TestBufferPoolPutAndGet(t *testing.T) {
+	buf := buffer32KPool.Get()
+	buffer32KPool.Put(buf)
+}
diff --git a/engine/pkg/progress/progress.go b/engine/pkg/progress/progress.go
new file mode 100644
index 00000000..9aea5919
--- /dev/null
+++ b/engine/pkg/progress/progress.go
@@ -0,0 +1,89 @@
+package progress // import "github.com/docker/docker/pkg/progress"
+
+import (
+	"fmt"
+)
+
+// Progress represents the progress of a transfer.
+type Progress struct {
+	ID string
+
+	// Progress contains a Message or...
+	Message string
+
+	// ...progress of an action
+	Action  string
+	Current int64
+	Total   int64
+
+	// If true, don't show xB/yB
+	HideCounts bool
+	// If not empty, use units instead of bytes for counts
+	Units string
+
+	// Aux contains extra information not presented to the user, such as
+	// digests for push signing.
+	Aux interface{}
+
+	LastUpdate bool
+}
+
+// Output is an interface for writing progress information. It's
+// like a writer for progress, but we don't call it Writer because
+// that would be confusing next to ProgressReader (also, because it
+// doesn't implement the io.Writer interface).
+type Output interface {
+	WriteProgress(Progress) error
+}
+
+type chanOutput chan<- Progress
+
+func (out chanOutput) WriteProgress(p Progress) error {
+	out <- p
+	return nil
+}
+
+// ChanOutput returns an Output that writes progress updates to the
+// supplied channel.
+func ChanOutput(progressChan chan<- Progress) Output {
+	return chanOutput(progressChan)
+}
+
+type discardOutput struct{}
+
+func (discardOutput) WriteProgress(Progress) error {
+	return nil
+}
+
+// DiscardOutput returns an Output that discards progress
+func DiscardOutput() Output {
+	return discardOutput{}
+}
+
+// Update is a convenience function to write a progress update to the channel.
+func Update(out Output, id, action string) {
+	out.WriteProgress(Progress{ID: id, Action: action})
+}
+
+// Updatef is a convenience function to write a printf-formatted progress update
+// to the channel.
+func Updatef(out Output, id, format string, a ...interface{}) {
+	Update(out, id, fmt.Sprintf(format, a...))
+}
+
+// Message is a convenience function to write a progress message to the channel.
+func Message(out Output, id, message string) {
+	out.WriteProgress(Progress{ID: id, Message: message})
+}
+
+// Messagef is a convenience function to write a printf-formatted progress
+// message to the channel.
+func Messagef(out Output, id, format string, a ...interface{}) {
+	Message(out, id, fmt.Sprintf(format, a...))
+}
+
+// Aux sends auxiliary information over a progress interface, which will not be
+// formatted for the UI. This is used for things such as push signing.
+func Aux(out Output, a interface{}) {
+	out.WriteProgress(Progress{Aux: a})
+}
diff --git a/engine/pkg/progress/progressreader.go b/engine/pkg/progress/progressreader.go
new file mode 100644
index 00000000..7ca07dc6
--- /dev/null
+++ b/engine/pkg/progress/progressreader.go
@@ -0,0 +1,66 @@
+package progress // import "github.com/docker/docker/pkg/progress"
+
+import (
+	"io"
+	"time"
+
+	"golang.org/x/time/rate"
+)
+
+// Reader is a Reader with progress bar.
+type Reader struct {
+	in          io.ReadCloser // Stream to read from
+	out         Output        // Where to send progress bar to
+	size        int64
+	current     int64
+	lastUpdate  int64
+	id          string
+	action      string
+	rateLimiter *rate.Limiter
+}
+
+// NewProgressReader creates a new ProgressReader.
+func NewProgressReader(in io.ReadCloser, out Output, size int64, id, action string) *Reader {
+	return &Reader{
+		in:          in,
+		out:         out,
+		size:        size,
+		id:          id,
+		action:      action,
+		rateLimiter: rate.NewLimiter(rate.Every(100*time.Millisecond), 1),
+	}
+}
+
+func (p *Reader) Read(buf []byte) (n int, err error) {
+	read, err := p.in.Read(buf)
+	p.current += int64(read)
+	updateEvery := int64(1024 * 512) //512kB
+	if p.size > 0 {
+		// Update progress for every 1% read if 1% < 512kB
+		if increment := int64(0.01 * float64(p.size)); increment < updateEvery {
+			updateEvery = increment
+		}
+	}
+	if p.current-p.lastUpdate > updateEvery || err != nil {
+		p.updateProgress(err != nil && read == 0)
+		p.lastUpdate = p.current
+	}
+
+	return read, err
+}
+
+// Close closes the progress reader and its underlying reader.
+func (p *Reader) Close() error {
+	if p.current < p.size {
+		// print a full progress bar when closing prematurely
+		p.current = p.size
+		p.updateProgress(false)
+	}
+	return p.in.Close()
+}
+
+func (p *Reader) updateProgress(last bool) {
+	if last || p.current == p.size || p.rateLimiter.Allow() {
+		p.out.WriteProgress(Progress{ID: p.id, Action: p.action, Current: p.current, Total: p.size, LastUpdate: last})
+	}
+}
diff --git a/engine/pkg/progress/progressreader_test.go b/engine/pkg/progress/progressreader_test.go
new file mode 100644
index 00000000..e7081cc1
--- /dev/null
+++ b/engine/pkg/progress/progressreader_test.go
@@ -0,0 +1,75 @@
+package progress // import "github.com/docker/docker/pkg/progress"
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+	"testing"
+)
+
+func TestOutputOnPrematureClose(t *testing.T) {
+	content := []byte("TESTING")
+	reader := ioutil.NopCloser(bytes.NewReader(content))
+	progressChan := make(chan Progress, 10)
+
+	pr := NewProgressReader(reader, ChanOutput(progressChan), int64(len(content)), "Test", "Read")
+
+	part := make([]byte, 4)
+	_, err := io.ReadFull(pr, part)
+	if err != nil {
+		pr.Close()
+		t.Fatal(err)
+	}
+
+drainLoop:
+	for {
+		select {
+		case <-progressChan:
+		default:
+			break drainLoop
+		}
+	}
+
+	pr.Close()
+
+	select {
+	case <-progressChan:
+	default:
+		t.Fatalf("Expected some output when closing prematurely")
+	}
+}
+
+func TestCompleteSilently(t *testing.T) {
+	content := []byte("TESTING")
+	reader := ioutil.NopCloser(bytes.NewReader(content))
+	progressChan := make(chan Progress, 10)
+
+	pr := NewProgressReader(reader, ChanOutput(progressChan), int64(len(content)), "Test", "Read")
+
+	out, err := ioutil.ReadAll(pr)
+	if err != nil {
+		pr.Close()
+		t.Fatal(err)
+	}
+	if string(out) != "TESTING" {
+		pr.Close()
+		t.Fatalf("Unexpected output %q from reader", string(out))
+	}
+
+drainLoop:
+	for {
+		select {
+		case <-progressChan:
+		default:
+			break drainLoop
+		}
+	}
+
+	pr.Close()
+
+	select {
+	case <-progressChan:
+		t.Fatalf("Should have closed silently when read is complete")
+	default:
+	}
+}
diff --git a/engine/pkg/pubsub/publisher.go b/engine/pkg/pubsub/publisher.go
new file mode 100644
index 00000000..76033ed9
--- /dev/null
+++ b/engine/pkg/pubsub/publisher.go
@@ -0,0 +1,121 @@
+package pubsub // import "github.com/docker/docker/pkg/pubsub"
+
+import (
+	"sync"
+	"time"
+)
+
+var wgPool = sync.Pool{New: func() interface{} { return new(sync.WaitGroup) }}
+
+// NewPublisher creates a new pub/sub publisher to broadcast messages.
+// The duration is used as the send timeout as to not block the publisher publishing
+// messages to other clients if one client is slow or unresponsive.
+// The buffer is used when creating new channels for subscribers.
+func NewPublisher(publishTimeout time.Duration, buffer int) *Publisher {
+	return &Publisher{
+		buffer:      buffer,
+		timeout:     publishTimeout,
+		subscribers: make(map[subscriber]topicFunc),
+	}
+}
+
+type subscriber chan interface{}
+type topicFunc func(v interface{}) bool
+
+// Publisher is basic pub/sub structure. Allows to send events and subscribe
+// to them. Can be safely used from multiple goroutines.
+type Publisher struct {
+	m           sync.RWMutex
+	buffer      int
+	timeout     time.Duration
+	subscribers map[subscriber]topicFunc
+}
+
+// Len returns the number of subscribers for the publisher
+func (p *Publisher) Len() int {
+	p.m.RLock()
+	i := len(p.subscribers)
+	p.m.RUnlock()
+	return i
+}
+
+// Subscribe adds a new subscriber to the publisher returning the channel.
+func (p *Publisher) Subscribe() chan interface{} {
+	return p.SubscribeTopic(nil)
+}
+
+// SubscribeTopic adds a new subscriber that filters messages sent by a topic.
+func (p *Publisher) SubscribeTopic(topic topicFunc) chan interface{} {
+	ch := make(chan interface{}, p.buffer)
+	p.m.Lock()
+	p.subscribers[ch] = topic
+	p.m.Unlock()
+	return ch
+}
+
+// SubscribeTopicWithBuffer adds a new subscriber that filters messages sent by a topic.
+// The returned channel has a buffer of the specified size.
+func (p *Publisher) SubscribeTopicWithBuffer(topic topicFunc, buffer int) chan interface{} {
+	ch := make(chan interface{}, buffer)
+	p.m.Lock()
+	p.subscribers[ch] = topic
+	p.m.Unlock()
+	return ch
+}
+
+// Evict removes the specified subscriber from receiving any more messages.
+func (p *Publisher) Evict(sub chan interface{}) {
+	p.m.Lock()
+	delete(p.subscribers, sub)
+	close(sub)
+	p.m.Unlock()
+}
+
+// Publish sends the data in v to all subscribers currently registered with the publisher.
+func (p *Publisher) Publish(v interface{}) {
+	p.m.RLock()
+	if len(p.subscribers) == 0 {
+		p.m.RUnlock()
+		return
+	}
+
+	wg := wgPool.Get().(*sync.WaitGroup)
+	for sub, topic := range p.subscribers {
+		wg.Add(1)
+		go p.sendTopic(sub, topic, v, wg)
+	}
+	wg.Wait()
+	wgPool.Put(wg)
+	p.m.RUnlock()
+}
+
+// Close closes the channels to all subscribers registered with the publisher.
+func (p *Publisher) Close() {
+	p.m.Lock()
+	for sub := range p.subscribers {
+		delete(p.subscribers, sub)
+		close(sub)
+	}
+	p.m.Unlock()
+}
+
+func (p *Publisher) sendTopic(sub subscriber, topic topicFunc, v interface{}, wg *sync.WaitGroup) {
+	defer wg.Done()
+	if topic != nil && !topic(v) {
+		return
+	}
+
+	// send under a select as to not block if the receiver is unavailable
+	if p.timeout > 0 {
+		select {
+		case sub <- v:
+		case <-time.After(p.timeout):
+		}
+		return
+	}
+
+	select {
+	case sub <- v:
+	default:
+	}
+}
diff --git a/engine/pkg/pubsub/publisher_test.go b/engine/pkg/pubsub/publisher_test.go
new file mode 100644
index 00000000..98e15824
--- /dev/null
+++ b/engine/pkg/pubsub/publisher_test.go
@@ -0,0 +1,142 @@
+package pubsub // import "github.com/docker/docker/pkg/pubsub"
+
+import (
+	"fmt"
+	"testing"
+	"time"
+)
+
+func TestSendToOneSub(t *testing.T) {
+	p := NewPublisher(100*time.Millisecond, 10)
+	c := p.Subscribe()
+
+	p.Publish("hi")
+
+	msg := <-c
+	if msg.(string) != "hi" {
+		t.Fatalf("expected message hi but received %v", msg)
+	}
+}
+
+func TestSendToMultipleSubs(t *testing.T) {
+	p := NewPublisher(100*time.Millisecond, 10)
+	var subs []chan interface{}
+	subs = append(subs, p.Subscribe(), p.Subscribe(), p.Subscribe())
+
+	p.Publish("hi")
+
+	for _, c := range subs {
+		msg := <-c
+		if msg.(string) != "hi" {
+			t.Fatalf("expected message hi but received %v", msg)
+		}
+	}
+}
+
+func TestEvictOneSub(t *testing.T) {
+	p := NewPublisher(100*time.Millisecond, 10)
+	s1 := p.Subscribe()
+	s2 := p.Subscribe()
+
+	p.Evict(s1)
+	p.Publish("hi")
+	if _, ok := <-s1; ok {
+		t.Fatal("expected s1 to not receive the published message")
+	}
+
+	msg := <-s2
+	if msg.(string) != "hi" {
+		t.Fatalf("expected message hi but received %v", msg)
+	}
+}
+
+func TestClosePublisher(t *testing.T) {
+	p := NewPublisher(100*time.Millisecond, 10)
+	var subs []chan interface{}
+	subs = append(subs, p.Subscribe(), p.Subscribe(), p.Subscribe())
+	p.Close()
+
+	for _, c := range subs {
+		if _, ok := <-c; ok {
+			t.Fatal("expected all subscriber channels to be closed")
+		}
+	}
+}
+
+const sampleText = "test"
+
+type testSubscriber struct {
+	dataCh chan interface{}
+	ch     chan error
+}
+
+func (s *testSubscriber) Wait() error {
+	return <-s.ch
+}
+
+func newTestSubscriber(p *Publisher) *testSubscriber {
+	ts := &testSubscriber{
+		dataCh: p.Subscribe(),
+		ch:     make(chan error),
+	}
+	go func() {
+		for data := range ts.dataCh {
+			s, ok := data.(string)
+			if !ok {
+				ts.ch <- fmt.Errorf("Unexpected type %T", data)
+				break
+			}
+			if s != sampleText {
+				ts.ch <- fmt.Errorf("Unexpected text %s", s)
+				break
+			}
+		}
+		close(ts.ch)
+	}()
+	return ts
+}
+
+// for testing with -race
+func TestPubSubRace(t *testing.T) {
+	p := NewPublisher(0, 1024)
+	var subs []*testSubscriber
+	for j := 0; j < 50; j++ {
+		subs = append(subs, newTestSubscriber(p))
+	}
+	for j := 0; j < 1000; j++ {
+		p.Publish(sampleText)
+	}
+	time.AfterFunc(1*time.Second, func() {
+		for _, s := range subs {
+			p.Evict(s.dataCh)
+		}
+	})
+	for _, s := range subs {
+		s.Wait()
+	}
+}
+
+func BenchmarkPubSub(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		b.StopTimer()
+		p := NewPublisher(0, 1024)
+		var subs []*testSubscriber
+		for j := 0; j < 50; j++ {
+			subs = append(subs, newTestSubscriber(p))
+		}
+		b.StartTimer()
+		for j := 0; j < 1000; j++ {
+			p.Publish(sampleText)
+		}
+		time.AfterFunc(1*time.Second, func() {
+			for _, s := range subs {
+				p.Evict(s.dataCh)
+			}
+		})
+		for _, s := range subs {
+			if err := s.Wait(); err != nil {
+				b.Fatal(err)
+			}
+		}
+	}
+}
diff --git a/engine/pkg/reexec/README.md b/engine/pkg/reexec/README.md
new file mode 100644
index 00000000..6658f69b
--- /dev/null
+++ b/engine/pkg/reexec/README.md
@@ -0,0 +1,5 @@
+# reexec
+
+The `reexec` package facilitates the busybox style reexec of the docker binary that we require because 
+of the forking limitations of using Go.  Handlers can be registered with a name and the argv 0 of 
+the exec of the binary will be used to find and execute custom init paths.
diff --git a/engine/pkg/reexec/command_linux.go b/engine/pkg/reexec/command_linux.go
new file mode 100644
index 00000000..efea7179
--- /dev/null
+++ b/engine/pkg/reexec/command_linux.go
@@ -0,0 +1,28 @@
+package reexec // import "github.com/docker/docker/pkg/reexec"
+
+import (
+	"os/exec"
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+// Self returns the path to the current process's binary.
+// Returns "/proc/self/exe".
+func Self() string {
+	return "/proc/self/exe"
+}
+
+// Command returns *exec.Cmd which has Path as current binary. Also it setting
+// SysProcAttr.Pdeathsig to SIGTERM.
+// This will use the in-memory version (/proc/self/exe) of the current binary,
+// it is thus safe to delete or replace the on-disk binary (os.Args[0]).
+func Command(args ...string) *exec.Cmd {
+	return &exec.Cmd{
+		Path: Self(),
+		Args: args,
+		SysProcAttr: &syscall.SysProcAttr{
+			Pdeathsig: unix.SIGTERM,
+		},
+	}
+}
diff --git a/engine/pkg/reexec/command_unix.go b/engine/pkg/reexec/command_unix.go
new file mode 100644
index 00000000..ceaabbde
--- /dev/null
+++ b/engine/pkg/reexec/command_unix.go
@@ -0,0 +1,23 @@
+// +build freebsd darwin
+
+package reexec // import "github.com/docker/docker/pkg/reexec"
+
+import (
+	"os/exec"
+)
+
+// Self returns the path to the current process's binary.
+// Uses os.Args[0].
+func Self() string {
+	return naiveSelf()
+}
+
+// Command returns *exec.Cmd which has Path as current binary.
+// For example if current binary is "docker" at "/usr/bin/", then cmd.Path will
+// be set to "/usr/bin/docker".
+func Command(args ...string) *exec.Cmd {
+	return &exec.Cmd{
+		Path: Self(),
+		Args: args,
+	}
+}
diff --git a/engine/pkg/reexec/command_unsupported.go b/engine/pkg/reexec/command_unsupported.go
new file mode 100644
index 00000000..e7eed242
--- /dev/null
+++ b/engine/pkg/reexec/command_unsupported.go
@@ -0,0 +1,16 @@
+// +build !linux,!windows,!freebsd,!darwin
+
+package reexec // import "github.com/docker/docker/pkg/reexec"
+
+import (
+	"os/exec"
+)
+
+func Self() string {
+	return ""
+}
+
+// Command is unsupported on operating systems apart from Linux, Windows, and Darwin.
+func Command(args ...string) *exec.Cmd {
+	return nil
+}
diff --git a/engine/pkg/reexec/command_windows.go b/engine/pkg/reexec/command_windows.go
new file mode 100644
index 00000000..43822689
--- /dev/null
+++ b/engine/pkg/reexec/command_windows.go
@@ -0,0 +1,21 @@
+package reexec // import "github.com/docker/docker/pkg/reexec"
+
+import (
+	"os/exec"
+)
+
+// Self returns the path to the current process's binary.
+// Uses os.Args[0].
+func Self() string {
+	return naiveSelf()
+}
+
+// Command returns *exec.Cmd which has Path as current binary.
+// For example if current binary is "docker.exe" at "C:\", then cmd.Path will
+// be set to "C:\docker.exe".
+func Command(args ...string) *exec.Cmd {
+	return &exec.Cmd{
+		Path: Self(),
+		Args: args,
+	}
+}
diff --git a/engine/pkg/reexec/reexec.go b/engine/pkg/reexec/reexec.go
new file mode 100644
index 00000000..f8ccddd5
--- /dev/null
+++ b/engine/pkg/reexec/reexec.go
@@ -0,0 +1,47 @@
+package reexec // import "github.com/docker/docker/pkg/reexec"
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+)
+
+var registeredInitializers = make(map[string]func())
+
+// Register adds an initialization func under the specified name
+func Register(name string, initializer func()) {
+	if _, exists := registeredInitializers[name]; exists {
+		panic(fmt.Sprintf("reexec func already registered under name %q", name))
+	}
+
+	registeredInitializers[name] = initializer
+}
+
+// Init is called as the first part of the exec process and returns true if an
+// initialization function was called.
+func Init() bool {
+	initializer, exists := registeredInitializers[os.Args[0]]
+	if exists {
+		initializer()
+
+		return true
+	}
+	return false
+}
+
+func naiveSelf() string {
+	name := os.Args[0]
+	if filepath.Base(name) == name {
+		if lp, err := exec.LookPath(name); err == nil {
+			return lp
+		}
+	}
+	// handle conversion of relative paths to absolute
+	if absName, err := filepath.Abs(name); err == nil {
+		return absName
+	}
+	// if we couldn't get absolute name, return original
+	// (NOTE: Go only errors on Abs() if os.Getwd fails)
+	return name
+}
diff --git a/engine/pkg/reexec/reexec_test.go b/engine/pkg/reexec/reexec_test.go
new file mode 100644
index 00000000..44675e7b
--- /dev/null
+++ b/engine/pkg/reexec/reexec_test.go
@@ -0,0 +1,52 @@
+package reexec // import "github.com/docker/docker/pkg/reexec"
+
+import (
+	"os"
+	"os/exec"
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+func init() {
+	Register("reexec", func() {
+		panic("Return Error")
+	})
+	Init()
+}
+
+func TestRegister(t *testing.T) {
+	defer func() {
+		if r := recover(); r != nil {
+			assert.Equal(t, `reexec func already registered under name "reexec"`, r)
+		}
+	}()
+	Register("reexec", func() {})
+}
+
+func TestCommand(t *testing.T) {
+	cmd := Command("reexec")
+	w, err := cmd.StdinPipe()
+	assert.NilError(t, err, "Error on pipe creation: %v", err)
+	defer w.Close()
+
+	err = cmd.Start()
+	assert.NilError(t, err, "Error on re-exec cmd: %v", err)
+	err = cmd.Wait()
+	assert.Error(t, err, "exit status 2")
+}
+
+func TestNaiveSelf(t *testing.T) {
+	if os.Getenv("TEST_CHECK") == "1" {
+		os.Exit(2)
+	}
+	cmd := exec.Command(naiveSelf(), "-test.run=TestNaiveSelf")
+	cmd.Env = append(os.Environ(), "TEST_CHECK=1")
+	err := cmd.Start()
+	assert.NilError(t, err, "Unable to start command")
+	err = cmd.Wait()
+	assert.Error(t, err, "exit status 2")
+
+	os.Args[0] = "mkdir"
+	assert.Check(t, naiveSelf() != os.Args[0])
+}
diff --git a/engine/pkg/signal/README.md b/engine/pkg/signal/README.md
new file mode 100644
index 00000000..2b237a59
--- /dev/null
+++ b/engine/pkg/signal/README.md
@@ -0,0 +1 @@
+This package provides helper functions for dealing with signals across various operating systems
\ No newline at end of file
diff --git a/engine/pkg/signal/signal.go b/engine/pkg/signal/signal.go
new file mode 100644
index 00000000..88ef7b5e
--- /dev/null
+++ b/engine/pkg/signal/signal.go
@@ -0,0 +1,54 @@
+// Package signal provides helper functions for dealing with signals across
+// various operating systems.
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"fmt"
+	"os"
+	"os/signal"
+	"strconv"
+	"strings"
+	"syscall"
+)
+
+// CatchAll catches all signals and relays them to the specified channel.
+func CatchAll(sigc chan os.Signal) {
+	var handledSigs []os.Signal
+	for _, s := range SignalMap {
+		handledSigs = append(handledSigs, s)
+	}
+	signal.Notify(sigc, handledSigs...)
+}
+
+// StopCatch stops catching the signals and closes the specified channel.
+func StopCatch(sigc chan os.Signal) {
+	signal.Stop(sigc)
+	close(sigc)
+}
+
+// ParseSignal translates a string to a valid syscall signal.
+// It returns an error if the signal map doesn't include the given signal.
+func ParseSignal(rawSignal string) (syscall.Signal, error) {
+	s, err := strconv.Atoi(rawSignal)
+	if err == nil {
+		if s == 0 {
+			return -1, fmt.Errorf("Invalid signal: %s", rawSignal)
+		}
+		return syscall.Signal(s), nil
+	}
+	signal, ok := SignalMap[strings.TrimPrefix(strings.ToUpper(rawSignal), "SIG")]
+	if !ok {
+		return -1, fmt.Errorf("Invalid signal: %s", rawSignal)
+	}
+	return signal, nil
+}
+
+// ValidSignalForPlatform returns true if a signal is valid on the platform
+func ValidSignalForPlatform(sig syscall.Signal) bool {
+	for _, v := range SignalMap {
+		if v == sig {
+			return true
+		}
+	}
+	return false
+}
diff --git a/engine/pkg/signal/signal_darwin.go b/engine/pkg/signal/signal_darwin.go
new file mode 100644
index 00000000..ee5501e3
--- /dev/null
+++ b/engine/pkg/signal/signal_darwin.go
@@ -0,0 +1,41 @@
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"syscall"
+)
+
+// SignalMap is a map of Darwin signals.
+var SignalMap = map[string]syscall.Signal{
+	"ABRT":   syscall.SIGABRT,
+	"ALRM":   syscall.SIGALRM,
+	"BUG":    syscall.SIGBUS,
+	"CHLD":   syscall.SIGCHLD,
+	"CONT":   syscall.SIGCONT,
+	"EMT":    syscall.SIGEMT,
+	"FPE":    syscall.SIGFPE,
+	"HUP":    syscall.SIGHUP,
+	"ILL":    syscall.SIGILL,
+	"INFO":   syscall.SIGINFO,
+	"INT":    syscall.SIGINT,
+	"IO":     syscall.SIGIO,
+	"IOT":    syscall.SIGIOT,
+	"KILL":   syscall.SIGKILL,
+	"PIPE":   syscall.SIGPIPE,
+	"PROF":   syscall.SIGPROF,
+	"QUIT":   syscall.SIGQUIT,
+	"SEGV":   syscall.SIGSEGV,
+	"STOP":   syscall.SIGSTOP,
+	"SYS":    syscall.SIGSYS,
+	"TERM":   syscall.SIGTERM,
+	"TRAP":   syscall.SIGTRAP,
+	"TSTP":   syscall.SIGTSTP,
+	"TTIN":   syscall.SIGTTIN,
+	"TTOU":   syscall.SIGTTOU,
+	"URG":    syscall.SIGURG,
+	"USR1":   syscall.SIGUSR1,
+	"USR2":   syscall.SIGUSR2,
+	"VTALRM": syscall.SIGVTALRM,
+	"WINCH":  syscall.SIGWINCH,
+	"XCPU":   syscall.SIGXCPU,
+	"XFSZ":   syscall.SIGXFSZ,
+}
diff --git a/engine/pkg/signal/signal_freebsd.go b/engine/pkg/signal/signal_freebsd.go
new file mode 100644
index 00000000..764f90e2
--- /dev/null
+++ b/engine/pkg/signal/signal_freebsd.go
@@ -0,0 +1,43 @@
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"syscall"
+)
+
+// SignalMap is a map of FreeBSD signals.
+var SignalMap = map[string]syscall.Signal{
+	"ABRT":   syscall.SIGABRT,
+	"ALRM":   syscall.SIGALRM,
+	"BUF":    syscall.SIGBUS,
+	"CHLD":   syscall.SIGCHLD,
+	"CONT":   syscall.SIGCONT,
+	"EMT":    syscall.SIGEMT,
+	"FPE":    syscall.SIGFPE,
+	"HUP":    syscall.SIGHUP,
+	"ILL":    syscall.SIGILL,
+	"INFO":   syscall.SIGINFO,
+	"INT":    syscall.SIGINT,
+	"IO":     syscall.SIGIO,
+	"IOT":    syscall.SIGIOT,
+	"KILL":   syscall.SIGKILL,
+	"LWP":    syscall.SIGLWP,
+	"PIPE":   syscall.SIGPIPE,
+	"PROF":   syscall.SIGPROF,
+	"QUIT":   syscall.SIGQUIT,
+	"SEGV":   syscall.SIGSEGV,
+	"STOP":   syscall.SIGSTOP,
+	"SYS":    syscall.SIGSYS,
+	"TERM":   syscall.SIGTERM,
+	"THR":    syscall.SIGTHR,
+	"TRAP":   syscall.SIGTRAP,
+	"TSTP":   syscall.SIGTSTP,
+	"TTIN":   syscall.SIGTTIN,
+	"TTOU":   syscall.SIGTTOU,
+	"URG":    syscall.SIGURG,
+	"USR1":   syscall.SIGUSR1,
+	"USR2":   syscall.SIGUSR2,
+	"VTALRM": syscall.SIGVTALRM,
+	"WINCH":  syscall.SIGWINCH,
+	"XCPU":   syscall.SIGXCPU,
+	"XFSZ":   syscall.SIGXFSZ,
+}
diff --git a/engine/pkg/signal/signal_linux.go b/engine/pkg/signal/signal_linux.go
new file mode 100644
index 00000000..caed97c9
--- /dev/null
+++ b/engine/pkg/signal/signal_linux.go
@@ -0,0 +1,81 @@
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+const (
+	sigrtmin = 34
+	sigrtmax = 64
+)
+
+// SignalMap is a map of Linux signals.
+var SignalMap = map[string]syscall.Signal{
+	"ABRT":     unix.SIGABRT,
+	"ALRM":     unix.SIGALRM,
+	"BUS":      unix.SIGBUS,
+	"CHLD":     unix.SIGCHLD,
+	"CLD":      unix.SIGCLD,
+	"CONT":     unix.SIGCONT,
+	"FPE":      unix.SIGFPE,
+	"HUP":      unix.SIGHUP,
+	"ILL":      unix.SIGILL,
+	"INT":      unix.SIGINT,
+	"IO":       unix.SIGIO,
+	"IOT":      unix.SIGIOT,
+	"KILL":     unix.SIGKILL,
+	"PIPE":     unix.SIGPIPE,
+	"POLL":     unix.SIGPOLL,
+	"PROF":     unix.SIGPROF,
+	"PWR":      unix.SIGPWR,
+	"QUIT":     unix.SIGQUIT,
+	"SEGV":     unix.SIGSEGV,
+	"STKFLT":   unix.SIGSTKFLT,
+	"STOP":     unix.SIGSTOP,
+	"SYS":      unix.SIGSYS,
+	"TERM":     unix.SIGTERM,
+	"TRAP":     unix.SIGTRAP,
+	"TSTP":     unix.SIGTSTP,
+	"TTIN":     unix.SIGTTIN,
+	"TTOU":     unix.SIGTTOU,
+	"URG":      unix.SIGURG,
+	"USR1":     unix.SIGUSR1,
+	"USR2":     unix.SIGUSR2,
+	"VTALRM":   unix.SIGVTALRM,
+	"WINCH":    unix.SIGWINCH,
+	"XCPU":     unix.SIGXCPU,
+	"XFSZ":     unix.SIGXFSZ,
+	"RTMIN":    sigrtmin,
+	"RTMIN+1":  sigrtmin + 1,
+	"RTMIN+2":  sigrtmin + 2,
+	"RTMIN+3":  sigrtmin + 3,
+	"RTMIN+4":  sigrtmin + 4,
+	"RTMIN+5":  sigrtmin + 5,
+	"RTMIN+6":  sigrtmin + 6,
+	"RTMIN+7":  sigrtmin + 7,
+	"RTMIN+8":  sigrtmin + 8,
+	"RTMIN+9":  sigrtmin + 9,
+	"RTMIN+10": sigrtmin + 10,
+	"RTMIN+11": sigrtmin + 11,
+	"RTMIN+12": sigrtmin + 12,
+	"RTMIN+13": sigrtmin + 13,
+	"RTMIN+14": sigrtmin + 14,
+	"RTMIN+15": sigrtmin + 15,
+	"RTMAX-14": sigrtmax - 14,
+	"RTMAX-13": sigrtmax - 13,
+	"RTMAX-12": sigrtmax - 12,
+	"RTMAX-11": sigrtmax - 11,
+	"RTMAX-10": sigrtmax - 10,
+	"RTMAX-9":  sigrtmax - 9,
+	"RTMAX-8":  sigrtmax - 8,
+	"RTMAX-7":  sigrtmax - 7,
+	"RTMAX-6":  sigrtmax - 6,
+	"RTMAX-5":  sigrtmax - 5,
+	"RTMAX-4":  sigrtmax - 4,
+	"RTMAX-3":  sigrtmax - 3,
+	"RTMAX-2":  sigrtmax - 2,
+	"RTMAX-1":  sigrtmax - 1,
+	"RTMAX":    sigrtmax,
+}
diff --git a/engine/pkg/signal/signal_linux_test.go b/engine/pkg/signal/signal_linux_test.go
new file mode 100644
index 00000000..9a021e21
--- /dev/null
+++ b/engine/pkg/signal/signal_linux_test.go
@@ -0,0 +1,59 @@
+// +build darwin linux
+
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"os"
+	"syscall"
+	"testing"
+	"time"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestCatchAll(t *testing.T) {
+	sigs := make(chan os.Signal, 1)
+	CatchAll(sigs)
+	defer StopCatch(sigs)
+
+	listOfSignals := map[string]string{
+		"CONT": syscall.SIGCONT.String(),
+		"HUP":  syscall.SIGHUP.String(),
+		"CHLD": syscall.SIGCHLD.String(),
+		"ILL":  syscall.SIGILL.String(),
+		"FPE":  syscall.SIGFPE.String(),
+		"CLD":  syscall.SIGCLD.String(),
+	}
+
+	for sigStr := range listOfSignals {
+		signal, ok := SignalMap[sigStr]
+		if ok {
+			go func() {
+				time.Sleep(1 * time.Millisecond)
+				syscall.Kill(syscall.Getpid(), signal)
+			}()
+
+			s := <-sigs
+			assert.Check(t, is.Equal(s.String(), signal.String()))
+		}
+
+	}
+}
+
+func TestStopCatch(t *testing.T) {
+	signal := SignalMap["HUP"]
+	channel := make(chan os.Signal, 1)
+	CatchAll(channel)
+	go func() {
+
+		time.Sleep(1 * time.Millisecond)
+		syscall.Kill(syscall.Getpid(), signal)
+	}()
+	signalString := <-channel
+	assert.Check(t, is.Equal(signalString.String(), signal.String()))
+
+	StopCatch(channel)
+	_, ok := <-channel
+	assert.Check(t, is.Equal(ok, false))
+}
diff --git a/engine/pkg/signal/signal_test.go b/engine/pkg/signal/signal_test.go
new file mode 100644
index 00000000..0bfcf6ce
--- /dev/null
+++ b/engine/pkg/signal/signal_test.go
@@ -0,0 +1,34 @@
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"syscall"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestParseSignal(t *testing.T) {
+	_, checkAtoiError := ParseSignal("0")
+	assert.Check(t, is.Error(checkAtoiError, "Invalid signal: 0"))
+
+	_, error := ParseSignal("SIG")
+	assert.Check(t, is.Error(error, "Invalid signal: SIG"))
+
+	for sigStr := range SignalMap {
+		responseSignal, error := ParseSignal(sigStr)
+		assert.Check(t, error)
+		signal := SignalMap[sigStr]
+		assert.Check(t, is.DeepEqual(signal, responseSignal))
+	}
+}
+
+func TestValidSignalForPlatform(t *testing.T) {
+	isValidSignal := ValidSignalForPlatform(syscall.Signal(0))
+	assert.Check(t, is.Equal(false, isValidSignal))
+
+	for _, sigN := range SignalMap {
+		isValidSignal = ValidSignalForPlatform(syscall.Signal(sigN))
+		assert.Check(t, is.Equal(true, isValidSignal))
+	}
+}
diff --git a/engine/pkg/signal/signal_unix.go b/engine/pkg/signal/signal_unix.go
new file mode 100644
index 00000000..a2aa4248
--- /dev/null
+++ b/engine/pkg/signal/signal_unix.go
@@ -0,0 +1,21 @@
+// +build !windows
+
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"syscall"
+)
+
+// Signals used in cli/command (no windows equivalent, use
+// invalid signals so they don't get handled)
+
+const (
+	// SIGCHLD is a signal sent to a process when a child process terminates, is interrupted, or resumes after being interrupted.
+	SIGCHLD = syscall.SIGCHLD
+	// SIGWINCH is a signal sent to a process when its controlling terminal changes its size
+	SIGWINCH = syscall.SIGWINCH
+	// SIGPIPE is a signal sent to a process when a pipe is written to before the other end is open for reading
+	SIGPIPE = syscall.SIGPIPE
+	// DefaultStopSignal is the syscall signal used to stop a container in unix systems.
+	DefaultStopSignal = "SIGTERM"
+)
diff --git a/engine/pkg/signal/signal_unsupported.go b/engine/pkg/signal/signal_unsupported.go
new file mode 100644
index 00000000..1fd25a83
--- /dev/null
+++ b/engine/pkg/signal/signal_unsupported.go
@@ -0,0 +1,10 @@
+// +build !linux,!darwin,!freebsd,!windows
+
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"syscall"
+)
+
+// SignalMap is an empty map of signals for unsupported platform.
+var SignalMap = map[string]syscall.Signal{}
diff --git a/engine/pkg/signal/signal_windows.go b/engine/pkg/signal/signal_windows.go
new file mode 100644
index 00000000..65752f24
--- /dev/null
+++ b/engine/pkg/signal/signal_windows.go
@@ -0,0 +1,26 @@
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"syscall"
+)
+
+// Signals used in cli/command (no windows equivalent, use
+// invalid signals so they don't get handled)
+const (
+	SIGCHLD  = syscall.Signal(0xff)
+	SIGWINCH = syscall.Signal(0xff)
+	SIGPIPE  = syscall.Signal(0xff)
+	// DefaultStopSignal is the syscall signal used to stop a container in windows systems.
+	DefaultStopSignal = "15"
+)
+
+// SignalMap is a map of "supported" signals. As per the comment in GOLang's
+// ztypes_windows.go: "More invented values for signals". Windows doesn't
+// really support signals in any way, shape or form that Unix does.
+//
+// We have these so that docker kill can be used to gracefully (TERM) and
+// forcibly (KILL) terminate a container on Windows.
+var SignalMap = map[string]syscall.Signal{
+	"KILL": syscall.SIGKILL,
+	"TERM": syscall.SIGTERM,
+}
diff --git a/engine/pkg/signal/testfiles/main.go b/engine/pkg/signal/testfiles/main.go
new file mode 100644
index 00000000..e56854c7
--- /dev/null
+++ b/engine/pkg/signal/testfiles/main.go
@@ -0,0 +1,43 @@
+package main
+
+import (
+	"os"
+	"syscall"
+	"time"
+
+	"github.com/docker/docker/pkg/signal"
+	"github.com/sirupsen/logrus"
+)
+
+func main() {
+	sigmap := map[string]os.Signal{
+		"TERM": syscall.SIGTERM,
+		"QUIT": syscall.SIGQUIT,
+		"INT":  os.Interrupt,
+	}
+	signal.Trap(func() {
+		time.Sleep(time.Second)
+		os.Exit(99)
+	}, logrus.StandardLogger())
+	go func() {
+		p, err := os.FindProcess(os.Getpid())
+		if err != nil {
+			panic(err)
+		}
+		s := os.Getenv("SIGNAL_TYPE")
+		multiple := os.Getenv("IF_MULTIPLE")
+		switch s {
+		case "TERM", "INT":
+			if multiple == "1" {
+				for {
+					p.Signal(sigmap[s])
+				}
+			} else {
+				p.Signal(sigmap[s])
+			}
+		case "QUIT":
+			p.Signal(sigmap[s])
+		}
+	}()
+	time.Sleep(2 * time.Second)
+}
diff --git a/engine/pkg/signal/trap.go b/engine/pkg/signal/trap.go
new file mode 100644
index 00000000..2a6e69fb
--- /dev/null
+++ b/engine/pkg/signal/trap.go
@@ -0,0 +1,104 @@
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"fmt"
+	"os"
+	gosignal "os/signal"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync/atomic"
+	"syscall"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+// Trap sets up a simplified signal "trap", appropriate for common
+// behavior expected from a vanilla unix command-line tool in general
+// (and the Docker engine in particular).
+//
+// * If SIGINT or SIGTERM are received, `cleanup` is called, then the process is terminated.
+// * If SIGINT or SIGTERM are received 3 times before cleanup is complete, then cleanup is
+//   skipped and the process is terminated immediately (allows force quit of stuck daemon)
+// * A SIGQUIT always causes an exit without cleanup, with a goroutine dump preceding exit.
+// * Ignore SIGPIPE events. These are generated by systemd when journald is restarted while
+//   the docker daemon is not restarted and also running under systemd.
+//   Fixes https://github.com/docker/docker/issues/19728
+//
+func Trap(cleanup func(), logger interface {
+	Info(args ...interface{})
+}) {
+	c := make(chan os.Signal, 1)
+	// we will handle INT, TERM, QUIT, SIGPIPE here
+	signals := []os.Signal{os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGPIPE}
+	gosignal.Notify(c, signals...)
+	go func() {
+		interruptCount := uint32(0)
+		for sig := range c {
+			if sig == syscall.SIGPIPE {
+				continue
+			}
+
+			go func(sig os.Signal) {
+				logger.Info(fmt.Sprintf("Processing signal '%v'", sig))
+				switch sig {
+				case os.Interrupt, syscall.SIGTERM:
+					if atomic.LoadUint32(&interruptCount) < 3 {
+						// Initiate the cleanup only once
+						if atomic.AddUint32(&interruptCount, 1) == 1 {
+							// Call the provided cleanup handler
+							cleanup()
+							os.Exit(0)
+						} else {
+							return
+						}
+					} else {
+						// 3 SIGTERM/INT signals received; force exit without cleanup
+						logger.Info("Forcing docker daemon shutdown without cleanup; 3 interrupts received")
+					}
+				case syscall.SIGQUIT:
+					DumpStacks("")
+					logger.Info("Forcing docker daemon shutdown without cleanup on SIGQUIT")
+				}
+				//for the SIGINT/TERM, and SIGQUIT non-clean shutdown case, exit with 128 + signal #
+				os.Exit(128 + int(sig.(syscall.Signal)))
+			}(sig)
+		}
+	}()
+}
+
+const stacksLogNameTemplate = "goroutine-stacks-%s.log"
+
+// DumpStacks appends the runtime stack into file in dir and returns full path
+// to that file.
+func DumpStacks(dir string) (string, error) {
+	var (
+		buf       []byte
+		stackSize int
+	)
+	bufferLen := 16384
+	for stackSize == len(buf) {
+		buf = make([]byte, bufferLen)
+		stackSize = runtime.Stack(buf, true)
+		bufferLen *= 2
+	}
+	buf = buf[:stackSize]
+	var f *os.File
+	if dir != "" {
+		path := filepath.Join(dir, fmt.Sprintf(stacksLogNameTemplate, strings.Replace(time.Now().Format(time.RFC3339), ":", "", -1)))
+		var err error
+		f, err = os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0666)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to open file to write the goroutine stacks")
+		}
+		defer f.Close()
+		defer f.Sync()
+	} else {
+		f = os.Stderr
+	}
+	if _, err := f.Write(buf); err != nil {
+		return "", errors.Wrap(err, "failed to write goroutine stacks")
+	}
+	return f.Name(), nil
+}
diff --git a/engine/pkg/signal/trap_linux_test.go b/engine/pkg/signal/trap_linux_test.go
new file mode 100644
index 00000000..14d15431
--- /dev/null
+++ b/engine/pkg/signal/trap_linux_test.go
@@ -0,0 +1,82 @@
+// +build linux
+
+package signal // import "github.com/docker/docker/pkg/signal"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"syscall"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func buildTestBinary(t *testing.T, tmpdir string, prefix string) (string, string) {
+	tmpDir, err := ioutil.TempDir(tmpdir, prefix)
+	assert.NilError(t, err)
+	exePath := tmpDir + "/" + prefix
+	wd, _ := os.Getwd()
+	testHelperCode := wd + "/testfiles/main.go"
+	cmd := exec.Command("go", "build", "-o", exePath, testHelperCode)
+	err = cmd.Run()
+	assert.NilError(t, err)
+	return exePath, tmpDir
+}
+
+func TestTrap(t *testing.T) {
+	var sigmap = []struct {
+		name     string
+		signal   os.Signal
+		multiple bool
+	}{
+		{"TERM", syscall.SIGTERM, false},
+		{"QUIT", syscall.SIGQUIT, true},
+		{"INT", os.Interrupt, false},
+		{"TERM", syscall.SIGTERM, true},
+		{"INT", os.Interrupt, true},
+	}
+	exePath, tmpDir := buildTestBinary(t, "", "main")
+	defer os.RemoveAll(tmpDir)
+
+	for _, v := range sigmap {
+		cmd := exec.Command(exePath)
+		cmd.Env = append(os.Environ(), fmt.Sprintf("SIGNAL_TYPE=%s", v.name))
+		if v.multiple {
+			cmd.Env = append(cmd.Env, "IF_MULTIPLE=1")
+		}
+		err := cmd.Start()
+		assert.NilError(t, err)
+		err = cmd.Wait()
+		if e, ok := err.(*exec.ExitError); ok {
+			code := e.Sys().(syscall.WaitStatus).ExitStatus()
+			if v.multiple {
+				assert.Check(t, is.DeepEqual(128+int(v.signal.(syscall.Signal)), code))
+			} else {
+				assert.Check(t, is.Equal(99, code))
+			}
+			continue
+		}
+		t.Fatal("process didn't end with any error")
+	}
+
+}
+
+func TestDumpStacks(t *testing.T) {
+	directory, err := ioutil.TempDir("", "test-dump-tasks")
+	assert.Check(t, err)
+	defer os.RemoveAll(directory)
+	dumpPath, err := DumpStacks(directory)
+	assert.Check(t, err)
+	readFile, _ := ioutil.ReadFile(dumpPath)
+	fileData := string(readFile)
+	assert.Check(t, is.Contains(fileData, "goroutine"))
+}
+
+func TestDumpStacksWithEmptyInput(t *testing.T) {
+	path, err := DumpStacks("")
+	assert.Check(t, err)
+	assert.Check(t, is.Equal(os.Stderr.Name(), path))
+}
diff --git a/engine/pkg/stdcopy/stdcopy.go b/engine/pkg/stdcopy/stdcopy.go
new file mode 100644
index 00000000..8f6e0a73
--- /dev/null
+++ b/engine/pkg/stdcopy/stdcopy.go
@@ -0,0 +1,190 @@
+package stdcopy // import "github.com/docker/docker/pkg/stdcopy"
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"sync"
+)
+
+// StdType is the type of standard stream
+// a writer can multiplex to.
+type StdType byte
+
+const (
+	// Stdin represents standard input stream type.
+	Stdin StdType = iota
+	// Stdout represents standard output stream type.
+	Stdout
+	// Stderr represents standard error steam type.
+	Stderr
+	// Systemerr represents errors originating from the system that make it
+	// into the multiplexed stream.
+	Systemerr
+
+	stdWriterPrefixLen = 8
+	stdWriterFdIndex   = 0
+	stdWriterSizeIndex = 4
+
+	startingBufLen = 32*1024 + stdWriterPrefixLen + 1
+)
+
+var bufPool = &sync.Pool{New: func() interface{} { return bytes.NewBuffer(nil) }}
+
+// stdWriter is wrapper of io.Writer with extra customized info.
+type stdWriter struct {
+	io.Writer
+	prefix byte
+}
+
+// Write sends the buffer to the underneath writer.
+// It inserts the prefix header before the buffer,
+// so stdcopy.StdCopy knows where to multiplex the output.
+// It makes stdWriter to implement io.Writer.
+func (w *stdWriter) Write(p []byte) (n int, err error) {
+	if w == nil || w.Writer == nil {
+		return 0, errors.New("Writer not instantiated")
+	}
+	if p == nil {
+		return 0, nil
+	}
+
+	header := [stdWriterPrefixLen]byte{stdWriterFdIndex: w.prefix}
+	binary.BigEndian.PutUint32(header[stdWriterSizeIndex:], uint32(len(p)))
+	buf := bufPool.Get().(*bytes.Buffer)
+	buf.Write(header[:])
+	buf.Write(p)
+
+	n, err = w.Writer.Write(buf.Bytes())
+	n -= stdWriterPrefixLen
+	if n < 0 {
+		n = 0
+	}
+
+	buf.Reset()
+	bufPool.Put(buf)
+	return
+}
+
+// NewStdWriter instantiates a new Writer.
+// Everything written to it will be encapsulated using a custom format,
+// and written to the underlying `w` stream.
+// This allows multiple write streams (e.g. stdout and stderr) to be muxed into a single connection.
+// `t` indicates the id of the stream to encapsulate.
+// It can be stdcopy.Stdin, stdcopy.Stdout, stdcopy.Stderr.
+func NewStdWriter(w io.Writer, t StdType) io.Writer {
+	return &stdWriter{
+		Writer: w,
+		prefix: byte(t),
+	}
+}
+
+// StdCopy is a modified version of io.Copy.
+//
+// StdCopy will demultiplex `src`, assuming that it contains two streams,
+// previously multiplexed together using a StdWriter instance.
+// As it reads from `src`, StdCopy will write to `dstout` and `dsterr`.
+//
+// StdCopy will read until it hits EOF on `src`. It will then return a nil error.
+// In other words: if `err` is non nil, it indicates a real underlying error.
+//
+// `written` will hold the total number of bytes written to `dstout` and `dsterr`.
+func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, err error) {
+	var (
+		buf       = make([]byte, startingBufLen)
+		bufLen    = len(buf)
+		nr, nw    int
+		er, ew    error
+		out       io.Writer
+		frameSize int
+	)
+
+	for {
+		// Make sure we have at least a full header
+		for nr < stdWriterPrefixLen {
+			var nr2 int
+			nr2, er = src.Read(buf[nr:])
+			nr += nr2
+			if er == io.EOF {
+				if nr < stdWriterPrefixLen {
+					return written, nil
+				}
+				break
+			}
+			if er != nil {
+				return 0, er
+			}
+		}
+
+		stream := StdType(buf[stdWriterFdIndex])
+		// Check the first byte to know where to write
+		switch stream {
+		case Stdin:
+			fallthrough
+		case Stdout:
+			// Write on stdout
+			out = dstout
+		case Stderr:
+			// Write on stderr
+			out = dsterr
+		case Systemerr:
+			// If we're on Systemerr, we won't write anywhere.
+			// NB: if this code changes later, make sure you don't try to write
+			// to outstream if Systemerr is the stream
+			out = nil
+		default:
+			return 0, fmt.Errorf("Unrecognized input header: %d", buf[stdWriterFdIndex])
+		}
+
+		// Retrieve the size of the frame
+		frameSize = int(binary.BigEndian.Uint32(buf[stdWriterSizeIndex : stdWriterSizeIndex+4]))
+
+		// Check if the buffer is big enough to read the frame.
+		// Extend it if necessary.
+		if frameSize+stdWriterPrefixLen > bufLen {
+			buf = append(buf, make([]byte, frameSize+stdWriterPrefixLen-bufLen+1)...)
+			bufLen = len(buf)
+		}
+
+		// While the amount of bytes read is less than the size of the frame + header, we keep reading
+		for nr < frameSize+stdWriterPrefixLen {
+			var nr2 int
+			nr2, er = src.Read(buf[nr:])
+			nr += nr2
+			if er == io.EOF {
+				if nr < frameSize+stdWriterPrefixLen {
+					return written, nil
+				}
+				break
+			}
+			if er != nil {
+				return 0, er
+			}
+		}
+
+		// we might have an error from the source mixed up in our multiplexed
+		// stream. if we do, return it.
+		if stream == Systemerr {
+			return written, fmt.Errorf("error from daemon in stream: %s", string(buf[stdWriterPrefixLen:frameSize+stdWriterPrefixLen]))
+		}
+
+		// Write the retrieved frame (without header)
+		nw, ew = out.Write(buf[stdWriterPrefixLen : frameSize+stdWriterPrefixLen])
+		if ew != nil {
+			return 0, ew
+		}
+
+		// If the frame has not been fully written: error
+		if nw != frameSize {
+			return 0, io.ErrShortWrite
+		}
+		written += int64(nw)
+
+		// Move the rest of the buffer to the beginning
+		copy(buf, buf[frameSize+stdWriterPrefixLen:])
+		// Move the index
+		nr -= frameSize + stdWriterPrefixLen
+	}
+}
diff --git a/engine/pkg/stdcopy/stdcopy_test.go b/engine/pkg/stdcopy/stdcopy_test.go
new file mode 100644
index 00000000..63edb855
--- /dev/null
+++ b/engine/pkg/stdcopy/stdcopy_test.go
@@ -0,0 +1,289 @@
+package stdcopy // import "github.com/docker/docker/pkg/stdcopy"
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+)
+
+func TestNewStdWriter(t *testing.T) {
+	writer := NewStdWriter(ioutil.Discard, Stdout)
+	if writer == nil {
+		t.Fatalf("NewStdWriter with an invalid StdType should not return nil.")
+	}
+}
+
+func TestWriteWithUninitializedStdWriter(t *testing.T) {
+	writer := stdWriter{
+		Writer: nil,
+		prefix: byte(Stdout),
+	}
+	n, err := writer.Write([]byte("Something here"))
+	if n != 0 || err == nil {
+		t.Fatalf("Should fail when given an incomplete or uninitialized StdWriter")
+	}
+}
+
+func TestWriteWithNilBytes(t *testing.T) {
+	writer := NewStdWriter(ioutil.Discard, Stdout)
+	n, err := writer.Write(nil)
+	if err != nil {
+		t.Fatalf("Shouldn't have fail when given no data")
+	}
+	if n > 0 {
+		t.Fatalf("Write should have written 0 byte, but has written %d", n)
+	}
+}
+
+func TestWrite(t *testing.T) {
+	writer := NewStdWriter(ioutil.Discard, Stdout)
+	data := []byte("Test StdWrite.Write")
+	n, err := writer.Write(data)
+	if err != nil {
+		t.Fatalf("Error while writing with StdWrite")
+	}
+	if n != len(data) {
+		t.Fatalf("Write should have written %d byte but wrote %d.", len(data), n)
+	}
+}
+
+type errWriter struct {
+	n   int
+	err error
+}
+
+func (f *errWriter) Write(buf []byte) (int, error) {
+	return f.n, f.err
+}
+
+func TestWriteWithWriterError(t *testing.T) {
+	expectedError := errors.New("expected")
+	expectedReturnedBytes := 10
+	writer := NewStdWriter(&errWriter{
+		n:   stdWriterPrefixLen + expectedReturnedBytes,
+		err: expectedError}, Stdout)
+	data := []byte("This won't get written, sigh")
+	n, err := writer.Write(data)
+	if err != expectedError {
+		t.Fatalf("Didn't get expected error.")
+	}
+	if n != expectedReturnedBytes {
+		t.Fatalf("Didn't get expected written bytes %d, got %d.",
+			expectedReturnedBytes, n)
+	}
+}
+
+func TestWriteDoesNotReturnNegativeWrittenBytes(t *testing.T) {
+	writer := NewStdWriter(&errWriter{n: -1}, Stdout)
+	data := []byte("This won't get written, sigh")
+	actual, _ := writer.Write(data)
+	if actual != 0 {
+		t.Fatalf("Expected returned written bytes equal to 0, got %d", actual)
+	}
+}
+
+func getSrcBuffer(stdOutBytes, stdErrBytes []byte) (buffer *bytes.Buffer, err error) {
+	buffer = new(bytes.Buffer)
+	dstOut := NewStdWriter(buffer, Stdout)
+	_, err = dstOut.Write(stdOutBytes)
+	if err != nil {
+		return
+	}
+	dstErr := NewStdWriter(buffer, Stderr)
+	_, err = dstErr.Write(stdErrBytes)
+	return
+}
+
+func TestStdCopyWriteAndRead(t *testing.T) {
+	stdOutBytes := []byte(strings.Repeat("o", startingBufLen))
+	stdErrBytes := []byte(strings.Repeat("e", startingBufLen))
+	buffer, err := getSrcBuffer(stdOutBytes, stdErrBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	written, err := StdCopy(ioutil.Discard, ioutil.Discard, buffer)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedTotalWritten := len(stdOutBytes) + len(stdErrBytes)
+	if written != int64(expectedTotalWritten) {
+		t.Fatalf("Expected to have total of %d bytes written, got %d", expectedTotalWritten, written)
+	}
+}
+
+type customReader struct {
+	n            int
+	err          error
+	totalCalls   int
+	correctCalls int
+	src          *bytes.Buffer
+}
+
+func (f *customReader) Read(buf []byte) (int, error) {
+	f.totalCalls++
+	if f.totalCalls <= f.correctCalls {
+		return f.src.Read(buf)
+	}
+	return f.n, f.err
+}
+
+func TestStdCopyReturnsErrorReadingHeader(t *testing.T) {
+	expectedError := errors.New("error")
+	reader := &customReader{
+		err: expectedError}
+	written, err := StdCopy(ioutil.Discard, ioutil.Discard, reader)
+	if written != 0 {
+		t.Fatalf("Expected 0 bytes read, got %d", written)
+	}
+	if err != expectedError {
+		t.Fatalf("Didn't get expected error")
+	}
+}
+
+func TestStdCopyReturnsErrorReadingFrame(t *testing.T) {
+	expectedError := errors.New("error")
+	stdOutBytes := []byte(strings.Repeat("o", startingBufLen))
+	stdErrBytes := []byte(strings.Repeat("e", startingBufLen))
+	buffer, err := getSrcBuffer(stdOutBytes, stdErrBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	reader := &customReader{
+		correctCalls: 1,
+		n:            stdWriterPrefixLen + 1,
+		err:          expectedError,
+		src:          buffer}
+	written, err := StdCopy(ioutil.Discard, ioutil.Discard, reader)
+	if written != 0 {
+		t.Fatalf("Expected 0 bytes read, got %d", written)
+	}
+	if err != expectedError {
+		t.Fatalf("Didn't get expected error")
+	}
+}
+
+func TestStdCopyDetectsCorruptedFrame(t *testing.T) {
+	stdOutBytes := []byte(strings.Repeat("o", startingBufLen))
+	stdErrBytes := []byte(strings.Repeat("e", startingBufLen))
+	buffer, err := getSrcBuffer(stdOutBytes, stdErrBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	reader := &customReader{
+		correctCalls: 1,
+		n:            stdWriterPrefixLen + 1,
+		err:          io.EOF,
+		src:          buffer}
+	written, err := StdCopy(ioutil.Discard, ioutil.Discard, reader)
+	if written != startingBufLen {
+		t.Fatalf("Expected %d bytes read, got %d", startingBufLen, written)
+	}
+	if err != nil {
+		t.Fatal("Didn't get nil error")
+	}
+}
+
+func TestStdCopyWithInvalidInputHeader(t *testing.T) {
+	dstOut := NewStdWriter(ioutil.Discard, Stdout)
+	dstErr := NewStdWriter(ioutil.Discard, Stderr)
+	src := strings.NewReader("Invalid input")
+	_, err := StdCopy(dstOut, dstErr, src)
+	if err == nil {
+		t.Fatal("StdCopy with invalid input header should fail.")
+	}
+}
+
+func TestStdCopyWithCorruptedPrefix(t *testing.T) {
+	data := []byte{0x01, 0x02, 0x03}
+	src := bytes.NewReader(data)
+	written, err := StdCopy(nil, nil, src)
+	if err != nil {
+		t.Fatalf("StdCopy should not return an error with corrupted prefix.")
+	}
+	if written != 0 {
+		t.Fatalf("StdCopy should have written 0, but has written %d", written)
+	}
+}
+
+func TestStdCopyReturnsWriteErrors(t *testing.T) {
+	stdOutBytes := []byte(strings.Repeat("o", startingBufLen))
+	stdErrBytes := []byte(strings.Repeat("e", startingBufLen))
+	buffer, err := getSrcBuffer(stdOutBytes, stdErrBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedError := errors.New("expected")
+
+	dstOut := &errWriter{err: expectedError}
+
+	written, err := StdCopy(dstOut, ioutil.Discard, buffer)
+	if written != 0 {
+		t.Fatalf("StdCopy should have written 0, but has written %d", written)
+	}
+	if err != expectedError {
+		t.Fatalf("Didn't get expected error, got %v", err)
+	}
+}
+
+func TestStdCopyDetectsNotFullyWrittenFrames(t *testing.T) {
+	stdOutBytes := []byte(strings.Repeat("o", startingBufLen))
+	stdErrBytes := []byte(strings.Repeat("e", startingBufLen))
+	buffer, err := getSrcBuffer(stdOutBytes, stdErrBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	dstOut := &errWriter{n: startingBufLen - 10}
+
+	written, err := StdCopy(dstOut, ioutil.Discard, buffer)
+	if written != 0 {
+		t.Fatalf("StdCopy should have return 0 written bytes, but returned %d", written)
+	}
+	if err != io.ErrShortWrite {
+		t.Fatalf("Didn't get expected io.ErrShortWrite error")
+	}
+}
+
+// TestStdCopyReturnsErrorFromSystem tests that StdCopy correctly returns an
+// error, when that error is muxed into the Systemerr stream.
+func TestStdCopyReturnsErrorFromSystem(t *testing.T) {
+	// write in the basic messages, just so there's some fluff in there
+	stdOutBytes := []byte(strings.Repeat("o", startingBufLen))
+	stdErrBytes := []byte(strings.Repeat("e", startingBufLen))
+	buffer, err := getSrcBuffer(stdOutBytes, stdErrBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// add in an error message on the Systemerr stream
+	systemErrBytes := []byte(strings.Repeat("S", startingBufLen))
+	systemWriter := NewStdWriter(buffer, Systemerr)
+	_, err = systemWriter.Write(systemErrBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// now copy and demux. we should expect an error containing the string we
+	// wrote out
+	_, err = StdCopy(ioutil.Discard, ioutil.Discard, buffer)
+	if err == nil {
+		t.Fatal("expected error, got none")
+	}
+	if !strings.Contains(err.Error(), string(systemErrBytes)) {
+		t.Fatal("expected error to contain message")
+	}
+}
+
+func BenchmarkWrite(b *testing.B) {
+	w := NewStdWriter(ioutil.Discard, Stdout)
+	data := []byte("Test line for testing stdwriter performance\n")
+	data = bytes.Repeat(data, 100)
+	b.SetBytes(int64(len(data)))
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		if _, err := w.Write(data); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
diff --git a/engine/pkg/streamformatter/streamformatter.go b/engine/pkg/streamformatter/streamformatter.go
new file mode 100644
index 00000000..04917d49
--- /dev/null
+++ b/engine/pkg/streamformatter/streamformatter.go
@@ -0,0 +1,159 @@
+// Package streamformatter provides helper functions to format a stream.
+package streamformatter // import "github.com/docker/docker/pkg/streamformatter"
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/pkg/progress"
+)
+
+const streamNewline = "\r\n"
+
+type jsonProgressFormatter struct{}
+
+func appendNewline(source []byte) []byte {
+	return append(source, []byte(streamNewline)...)
+}
+
+// FormatStatus formats the specified objects according to the specified format (and id).
+func FormatStatus(id, format string, a ...interface{}) []byte {
+	str := fmt.Sprintf(format, a...)
+	b, err := json.Marshal(&jsonmessage.JSONMessage{ID: id, Status: str})
+	if err != nil {
+		return FormatError(err)
+	}
+	return appendNewline(b)
+}
+
+// FormatError formats the error as a JSON object
+func FormatError(err error) []byte {
+	jsonError, ok := err.(*jsonmessage.JSONError)
+	if !ok {
+		jsonError = &jsonmessage.JSONError{Message: err.Error()}
+	}
+	if b, err := json.Marshal(&jsonmessage.JSONMessage{Error: jsonError, ErrorMessage: err.Error()}); err == nil {
+		return appendNewline(b)
+	}
+	return []byte(`{"error":"format error"}` + streamNewline)
+}
+
+func (sf *jsonProgressFormatter) formatStatus(id, format string, a ...interface{}) []byte {
+	return FormatStatus(id, format, a...)
+}
+
+// formatProgress formats the progress information for a specified action.
+func (sf *jsonProgressFormatter) formatProgress(id, action string, progress *jsonmessage.JSONProgress, aux interface{}) []byte {
+	if progress == nil {
+		progress = &jsonmessage.JSONProgress{}
+	}
+	var auxJSON *json.RawMessage
+	if aux != nil {
+		auxJSONBytes, err := json.Marshal(aux)
+		if err != nil {
+			return nil
+		}
+		auxJSON = new(json.RawMessage)
+		*auxJSON = auxJSONBytes
+	}
+	b, err := json.Marshal(&jsonmessage.JSONMessage{
+		Status:          action,
+		ProgressMessage: progress.String(),
+		Progress:        progress,
+		ID:              id,
+		Aux:             auxJSON,
+	})
+	if err != nil {
+		return nil
+	}
+	return appendNewline(b)
+}
+
+type rawProgressFormatter struct{}
+
+func (sf *rawProgressFormatter) formatStatus(id, format string, a ...interface{}) []byte {
+	return []byte(fmt.Sprintf(format, a...) + streamNewline)
+}
+
+func (sf *rawProgressFormatter) formatProgress(id, action string, progress *jsonmessage.JSONProgress, aux interface{}) []byte {
+	if progress == nil {
+		progress = &jsonmessage.JSONProgress{}
+	}
+	endl := "\r"
+	if progress.String() == "" {
+		endl += "\n"
+	}
+	return []byte(action + " " + progress.String() + endl)
+}
+
+// NewProgressOutput returns a progress.Output object that can be passed to
+// progress.NewProgressReader.
+func NewProgressOutput(out io.Writer) progress.Output {
+	return &progressOutput{sf: &rawProgressFormatter{}, out: out, newLines: true}
+}
+
+// NewJSONProgressOutput returns a progress.Output that that formats output
+// using JSON objects
+func NewJSONProgressOutput(out io.Writer, newLines bool) progress.Output {
+	return &progressOutput{sf: &jsonProgressFormatter{}, out: out, newLines: newLines}
+}
+
+type formatProgress interface {
+	formatStatus(id, format string, a ...interface{}) []byte
+	formatProgress(id, action string, progress *jsonmessage.JSONProgress, aux interface{}) []byte
+}
+
+type progressOutput struct {
+	sf       formatProgress
+	out      io.Writer
+	newLines bool
+}
+
+// WriteProgress formats progress information from a ProgressReader.
+func (out *progressOutput) WriteProgress(prog progress.Progress) error {
+	var formatted []byte
+	if prog.Message != "" {
+		formatted = out.sf.formatStatus(prog.ID, prog.Message)
+	} else {
+		jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
+		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
+	}
+	_, err := out.out.Write(formatted)
+	if err != nil {
+		return err
+	}
+
+	if out.newLines && prog.LastUpdate {
+		_, err = out.out.Write(out.sf.formatStatus("", ""))
+		return err
+	}
+
+	return nil
+}
+
+// AuxFormatter is a streamFormatter that writes aux progress messages
+type AuxFormatter struct {
+	io.Writer
+}
+
+// Emit emits the given interface as an aux progress message
+func (sf *AuxFormatter) Emit(id string, aux interface{}) error {
+	auxJSONBytes, err := json.Marshal(aux)
+	if err != nil {
+		return err
+	}
+	auxJSON := new(json.RawMessage)
+	*auxJSON = auxJSONBytes
+	msgJSON, err := json.Marshal(&jsonmessage.JSONMessage{ID: id, Aux: auxJSON})
+	if err != nil {
+		return err
+	}
+	msgJSON = appendNewline(msgJSON)
+	n, err := sf.Writer.Write(msgJSON)
+	if n != len(msgJSON) {
+		return io.ErrShortWrite
+	}
+	return err
+}
diff --git a/engine/pkg/streamformatter/streamformatter_test.go b/engine/pkg/streamformatter/streamformatter_test.go
new file mode 100644
index 00000000..f630699d
--- /dev/null
+++ b/engine/pkg/streamformatter/streamformatter_test.go
@@ -0,0 +1,112 @@
+package streamformatter // import "github.com/docker/docker/pkg/streamformatter"
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestRawProgressFormatterFormatStatus(t *testing.T) {
+	sf := rawProgressFormatter{}
+	res := sf.formatStatus("ID", "%s%d", "a", 1)
+	assert.Check(t, is.Equal("a1\r\n", string(res)))
+}
+
+func TestRawProgressFormatterFormatProgress(t *testing.T) {
+	sf := rawProgressFormatter{}
+	jsonProgress := &jsonmessage.JSONProgress{
+		Current: 15,
+		Total:   30,
+		Start:   1,
+	}
+	res := sf.formatProgress("id", "action", jsonProgress, nil)
+	out := string(res)
+	assert.Check(t, strings.HasPrefix(out, "action [===="))
+	assert.Check(t, is.Contains(out, "15B/30B"))
+	assert.Check(t, strings.HasSuffix(out, "\r"))
+}
+
+func TestFormatStatus(t *testing.T) {
+	res := FormatStatus("ID", "%s%d", "a", 1)
+	expected := `{"status":"a1","id":"ID"}` + streamNewline
+	assert.Check(t, is.Equal(expected, string(res)))
+}
+
+func TestFormatError(t *testing.T) {
+	res := FormatError(errors.New("Error for formatter"))
+	expected := `{"errorDetail":{"message":"Error for formatter"},"error":"Error for formatter"}` + "\r\n"
+	assert.Check(t, is.Equal(expected, string(res)))
+}
+
+func TestFormatJSONError(t *testing.T) {
+	err := &jsonmessage.JSONError{Code: 50, Message: "Json error"}
+	res := FormatError(err)
+	expected := `{"errorDetail":{"code":50,"message":"Json error"},"error":"Json error"}` + streamNewline
+	assert.Check(t, is.Equal(expected, string(res)))
+}
+
+func TestJsonProgressFormatterFormatProgress(t *testing.T) {
+	sf := &jsonProgressFormatter{}
+	jsonProgress := &jsonmessage.JSONProgress{
+		Current: 15,
+		Total:   30,
+		Start:   1,
+	}
+	aux := "aux message"
+	res := sf.formatProgress("id", "action", jsonProgress, aux)
+	msg := &jsonmessage.JSONMessage{}
+
+	assert.NilError(t, json.Unmarshal(res, msg))
+
+	rawAux := json.RawMessage(`"` + aux + `"`)
+	expected := &jsonmessage.JSONMessage{
+		ID:       "id",
+		Status:   "action",
+		Aux:      &rawAux,
+		Progress: jsonProgress,
+	}
+	assert.DeepEqual(t, msg, expected, cmpJSONMessageOpt())
+}
+
+func cmpJSONMessageOpt() cmp.Option {
+	progressMessagePath := func(path cmp.Path) bool {
+		return path.String() == "ProgressMessage"
+	}
+	return cmp.Options{
+		cmpopts.IgnoreUnexported(jsonmessage.JSONProgress{}),
+		// Ignore deprecated property that is a derivative of Progress
+		cmp.FilterPath(progressMessagePath, cmp.Ignore()),
+	}
+}
+
+func TestJsonProgressFormatterFormatStatus(t *testing.T) {
+	sf := jsonProgressFormatter{}
+	res := sf.formatStatus("ID", "%s%d", "a", 1)
+	assert.Check(t, is.Equal(`{"status":"a1","id":"ID"}`+streamNewline, string(res)))
+}
+
+func TestNewJSONProgressOutput(t *testing.T) {
+	b := bytes.Buffer{}
+	b.Write(FormatStatus("id", "Downloading"))
+	_ = NewJSONProgressOutput(&b, false)
+	assert.Check(t, is.Equal(`{"status":"Downloading","id":"id"}`+streamNewline, b.String()))
+}
+
+func TestAuxFormatterEmit(t *testing.T) {
+	b := bytes.Buffer{}
+	aux := &AuxFormatter{Writer: &b}
+	sampleAux := &struct {
+		Data string
+	}{"Additional data"}
+	err := aux.Emit("", sampleAux)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(`{"aux":{"Data":"Additional data"}}`+streamNewline, b.String()))
+}
diff --git a/engine/pkg/streamformatter/streamwriter.go b/engine/pkg/streamformatter/streamwriter.go
new file mode 100644
index 00000000..1473ed97
--- /dev/null
+++ b/engine/pkg/streamformatter/streamwriter.go
@@ -0,0 +1,47 @@
+package streamformatter // import "github.com/docker/docker/pkg/streamformatter"
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/docker/docker/pkg/jsonmessage"
+)
+
+type streamWriter struct {
+	io.Writer
+	lineFormat func([]byte) string
+}
+
+func (sw *streamWriter) Write(buf []byte) (int, error) {
+	formattedBuf := sw.format(buf)
+	n, err := sw.Writer.Write(formattedBuf)
+	if n != len(formattedBuf) {
+		return n, io.ErrShortWrite
+	}
+	return len(buf), err
+}
+
+func (sw *streamWriter) format(buf []byte) []byte {
+	msg := &jsonmessage.JSONMessage{Stream: sw.lineFormat(buf)}
+	b, err := json.Marshal(msg)
+	if err != nil {
+		return FormatError(err)
+	}
+	return appendNewline(b)
+}
+
+// NewStdoutWriter returns a writer which formats the output as json message
+// representing stdout lines
+func NewStdoutWriter(out io.Writer) io.Writer {
+	return &streamWriter{Writer: out, lineFormat: func(buf []byte) string {
+		return string(buf)
+	}}
+}
+
+// NewStderrWriter returns a writer which formats the output as json message
+// representing stderr lines
+func NewStderrWriter(out io.Writer) io.Writer {
+	return &streamWriter{Writer: out, lineFormat: func(buf []byte) string {
+		return "\033[91m" + string(buf) + "\033[0m"
+	}}
+}
diff --git a/engine/pkg/streamformatter/streamwriter_test.go b/engine/pkg/streamformatter/streamwriter_test.go
new file mode 100644
index 00000000..5b679f2c
--- /dev/null
+++ b/engine/pkg/streamformatter/streamwriter_test.go
@@ -0,0 +1,35 @@
+package streamformatter // import "github.com/docker/docker/pkg/streamformatter"
+
+import (
+	"bytes"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestStreamWriterStdout(t *testing.T) {
+	buffer := &bytes.Buffer{}
+	content := "content"
+	sw := NewStdoutWriter(buffer)
+	size, err := sw.Write([]byte(content))
+
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(len(content), size))
+
+	expected := `{"stream":"content"}` + streamNewline
+	assert.Check(t, is.Equal(expected, buffer.String()))
+}
+
+func TestStreamWriterStderr(t *testing.T) {
+	buffer := &bytes.Buffer{}
+	content := "content"
+	sw := NewStderrWriter(buffer)
+	size, err := sw.Write([]byte(content))
+
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(len(content), size))
+
+	expected := `{"stream":"\u001b[91mcontent\u001b[0m"}` + streamNewline
+	assert.Check(t, is.Equal(expected, buffer.String()))
+}
diff --git a/engine/pkg/stringid/README.md b/engine/pkg/stringid/README.md
new file mode 100644
index 00000000..37a5098f
--- /dev/null
+++ b/engine/pkg/stringid/README.md
@@ -0,0 +1 @@
+This package provides helper functions for dealing with string identifiers
diff --git a/engine/pkg/stringid/stringid.go b/engine/pkg/stringid/stringid.go
new file mode 100644
index 00000000..fa7d9166
--- /dev/null
+++ b/engine/pkg/stringid/stringid.go
@@ -0,0 +1,99 @@
+// Package stringid provides helper functions for dealing with string identifiers
+package stringid // import "github.com/docker/docker/pkg/stringid"
+
+import (
+	cryptorand "crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"math"
+	"math/big"
+	"math/rand"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+)
+
+const shortLen = 12
+
+var (
+	validShortID = regexp.MustCompile("^[a-f0-9]{12}$")
+	validHex     = regexp.MustCompile(`^[a-f0-9]{64}$`)
+)
+
+// IsShortID determines if an arbitrary string *looks like* a short ID.
+func IsShortID(id string) bool {
+	return validShortID.MatchString(id)
+}
+
+// TruncateID returns a shorthand version of a string identifier for convenience.
+// A collision with other shorthands is very unlikely, but possible.
+// In case of a collision a lookup with TruncIndex.Get() will fail, and the caller
+// will need to use a longer prefix, or the full-length Id.
+func TruncateID(id string) string {
+	if i := strings.IndexRune(id, ':'); i >= 0 {
+		id = id[i+1:]
+	}
+	if len(id) > shortLen {
+		id = id[:shortLen]
+	}
+	return id
+}
+
+func generateID(r io.Reader) string {
+	b := make([]byte, 32)
+	for {
+		if _, err := io.ReadFull(r, b); err != nil {
+			panic(err) // This shouldn't happen
+		}
+		id := hex.EncodeToString(b)
+		// if we try to parse the truncated for as an int and we don't have
+		// an error then the value is all numeric and causes issues when
+		// used as a hostname. ref #3869
+		if _, err := strconv.ParseInt(TruncateID(id), 10, 64); err == nil {
+			continue
+		}
+		return id
+	}
+}
+
+// GenerateRandomID returns a unique id.
+func GenerateRandomID() string {
+	return generateID(cryptorand.Reader)
+}
+
+// GenerateNonCryptoID generates unique id without using cryptographically
+// secure sources of random.
+// It helps you to save entropy.
+func GenerateNonCryptoID() string {
+	return generateID(readerFunc(rand.Read))
+}
+
+// ValidateID checks whether an ID string is a valid image ID.
+func ValidateID(id string) error {
+	if ok := validHex.MatchString(id); !ok {
+		return fmt.Errorf("image ID %q is invalid", id)
+	}
+	return nil
+}
+
+func init() {
+	// safely set the seed globally so we generate random ids. Tries to use a
+	// crypto seed before falling back to time.
+	var seed int64
+	if cryptoseed, err := cryptorand.Int(cryptorand.Reader, big.NewInt(math.MaxInt64)); err != nil {
+		// This should not happen, but worst-case fallback to time-based seed.
+		seed = time.Now().UnixNano()
+	} else {
+		seed = cryptoseed.Int64()
+	}
+
+	rand.Seed(seed)
+}
+
+type readerFunc func(p []byte) (int, error)
+
+func (fn readerFunc) Read(p []byte) (int, error) {
+	return fn(p)
+}
diff --git a/engine/pkg/stringid/stringid_test.go b/engine/pkg/stringid/stringid_test.go
new file mode 100644
index 00000000..a7ccd5fa
--- /dev/null
+++ b/engine/pkg/stringid/stringid_test.go
@@ -0,0 +1,72 @@
+package stringid // import "github.com/docker/docker/pkg/stringid"
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestGenerateRandomID(t *testing.T) {
+	id := GenerateRandomID()
+
+	if len(id) != 64 {
+		t.Fatalf("Id returned is incorrect: %s", id)
+	}
+}
+
+func TestGenerateNonCryptoID(t *testing.T) {
+	id := GenerateNonCryptoID()
+
+	if len(id) != 64 {
+		t.Fatalf("Id returned is incorrect: %s", id)
+	}
+}
+
+func TestShortenId(t *testing.T) {
+	id := "90435eec5c4e124e741ef731e118be2fc799a68aba0466ec17717f24ce2ae6a2"
+	truncID := TruncateID(id)
+	if truncID != "90435eec5c4e" {
+		t.Fatalf("Id returned is incorrect: truncate on %s returned %s", id, truncID)
+	}
+}
+
+func TestShortenSha256Id(t *testing.T) {
+	id := "sha256:4e38e38c8ce0b8d9041a9c4fefe786631d1416225e13b0bfe8cfa2321aec4bba"
+	truncID := TruncateID(id)
+	if truncID != "4e38e38c8ce0" {
+		t.Fatalf("Id returned is incorrect: truncate on %s returned %s", id, truncID)
+	}
+}
+
+func TestShortenIdEmpty(t *testing.T) {
+	id := ""
+	truncID := TruncateID(id)
+	if len(truncID) > len(id) {
+		t.Fatalf("Id returned is incorrect: truncate on %s returned %s", id, truncID)
+	}
+}
+
+func TestShortenIdInvalid(t *testing.T) {
+	id := "1234"
+	truncID := TruncateID(id)
+	if len(truncID) != len(id) {
+		t.Fatalf("Id returned is incorrect: truncate on %s returned %s", id, truncID)
+	}
+}
+
+func TestIsShortIDNonHex(t *testing.T) {
+	id := "some non-hex value"
+	if IsShortID(id) {
+		t.Fatalf("%s is not a short ID", id)
+	}
+}
+
+func TestIsShortIDNotCorrectSize(t *testing.T) {
+	id := strings.Repeat("a", shortLen+1)
+	if IsShortID(id) {
+		t.Fatalf("%s is not a short ID", id)
+	}
+	id = strings.Repeat("a", shortLen-1)
+	if IsShortID(id) {
+		t.Fatalf("%s is not a short ID", id)
+	}
+}
diff --git a/engine/pkg/symlink/LICENSE.APACHE b/engine/pkg/symlink/LICENSE.APACHE
new file mode 100644
index 00000000..b9fbf3c9
--- /dev/null
+++ b/engine/pkg/symlink/LICENSE.APACHE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2014-2017 Docker, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/engine/pkg/symlink/LICENSE.BSD b/engine/pkg/symlink/LICENSE.BSD
new file mode 100644
index 00000000..4c056c5e
--- /dev/null
+++ b/engine/pkg/symlink/LICENSE.BSD
@@ -0,0 +1,27 @@
+Copyright (c) 2014-2017 The Docker & Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/engine/pkg/symlink/README.md b/engine/pkg/symlink/README.md
new file mode 100644
index 00000000..8dba54fd
--- /dev/null
+++ b/engine/pkg/symlink/README.md
@@ -0,0 +1,6 @@
+Package symlink implements EvalSymlinksInScope which is an extension of filepath.EvalSymlinks,
+as well as a Windows long-path aware version of filepath.EvalSymlinks
+from the [Go standard library](https://golang.org/pkg/path/filepath).
+
+The code from filepath.EvalSymlinks has been adapted in fs.go.
+Please read the LICENSE.BSD file that governs fs.go and LICENSE.APACHE for fs_test.go.
diff --git a/engine/pkg/symlink/fs.go b/engine/pkg/symlink/fs.go
new file mode 100644
index 00000000..7b894cde
--- /dev/null
+++ b/engine/pkg/symlink/fs.go
@@ -0,0 +1,144 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE.BSD file.
+
+// This code is a modified version of path/filepath/symlink.go from the Go standard library.
+
+package symlink // import "github.com/docker/docker/pkg/symlink"
+
+import (
+	"bytes"
+	"errors"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/system"
+)
+
+// FollowSymlinkInScope is a wrapper around evalSymlinksInScope that returns an
+// absolute path. This function handles paths in a platform-agnostic manner.
+func FollowSymlinkInScope(path, root string) (string, error) {
+	path, err := filepath.Abs(filepath.FromSlash(path))
+	if err != nil {
+		return "", err
+	}
+	root, err = filepath.Abs(filepath.FromSlash(root))
+	if err != nil {
+		return "", err
+	}
+	return evalSymlinksInScope(path, root)
+}
+
+// evalSymlinksInScope will evaluate symlinks in `path` within a scope `root` and return
+// a result guaranteed to be contained within the scope `root`, at the time of the call.
+// Symlinks in `root` are not evaluated and left as-is.
+// Errors encountered while attempting to evaluate symlinks in path will be returned.
+// Non-existing paths are valid and do not constitute an error.
+// `path` has to contain `root` as a prefix, or else an error will be returned.
+// Trying to break out from `root` does not constitute an error.
+//
+// Example:
+//   If /foo/bar -> /outside,
+//   FollowSymlinkInScope("/foo/bar", "/foo") == "/foo/outside" instead of "/outside"
+//
+// IMPORTANT: it is the caller's responsibility to call evalSymlinksInScope *after* relevant symlinks
+// are created and not to create subsequently, additional symlinks that could potentially make a
+// previously-safe path, unsafe. Example: if /foo/bar does not exist, evalSymlinksInScope("/foo/bar", "/foo")
+// would return "/foo/bar". If one makes /foo/bar a symlink to /baz subsequently, then "/foo/bar" should
+// no longer be considered safely contained in "/foo".
+func evalSymlinksInScope(path, root string) (string, error) {
+	root = filepath.Clean(root)
+	if path == root {
+		return path, nil
+	}
+	if !strings.HasPrefix(path, root) {
+		return "", errors.New("evalSymlinksInScope: " + path + " is not in " + root)
+	}
+	const maxIter = 255
+	originalPath := path
+	// given root of "/a" and path of "/a/b/../../c" we want path to be "/b/../../c"
+	path = path[len(root):]
+	if root == string(filepath.Separator) {
+		path = string(filepath.Separator) + path
+	}
+	if !strings.HasPrefix(path, string(filepath.Separator)) {
+		return "", errors.New("evalSymlinksInScope: " + path + " is not in " + root)
+	}
+	path = filepath.Clean(path)
+	// consume path by taking each frontmost path element,
+	// expanding it if it's a symlink, and appending it to b
+	var b bytes.Buffer
+	// b here will always be considered to be the "current absolute path inside
+	// root" when we append paths to it, we also append a slash and use
+	// filepath.Clean after the loop to trim the trailing slash
+	for n := 0; path != ""; n++ {
+		if n > maxIter {
+			return "", errors.New("evalSymlinksInScope: too many links in " + originalPath)
+		}
+
+		// find next path component, p
+		i := strings.IndexRune(path, filepath.Separator)
+		var p string
+		if i == -1 {
+			p, path = path, ""
+		} else {
+			p, path = path[:i], path[i+1:]
+		}
+
+		if p == "" {
+			continue
+		}
+
+		// this takes a b.String() like "b/../" and a p like "c" and turns it
+		// into "/b/../c" which then gets filepath.Cleaned into "/c" and then
+		// root gets prepended and we Clean again (to remove any trailing slash
+		// if the first Clean gave us just "/")
+		cleanP := filepath.Clean(string(filepath.Separator) + b.String() + p)
+		if isDriveOrRoot(cleanP) {
+			// never Lstat "/" itself, or drive letters on Windows
+			b.Reset()
+			continue
+		}
+		fullP := filepath.Clean(root + cleanP)
+
+		fi, err := os.Lstat(fullP)
+		if os.IsNotExist(err) {
+			// if p does not exist, accept it
+			b.WriteString(p)
+			b.WriteRune(filepath.Separator)
+			continue
+		}
+		if err != nil {
+			return "", err
+		}
+		if fi.Mode()&os.ModeSymlink == 0 {
+			b.WriteString(p)
+			b.WriteRune(filepath.Separator)
+			continue
+		}
+
+		// it's a symlink, put it at the front of path
+		dest, err := os.Readlink(fullP)
+		if err != nil {
+			return "", err
+		}
+		if system.IsAbs(dest) {
+			b.Reset()
+		}
+		path = dest + string(filepath.Separator) + path
+	}
+
+	// see note above on "fullP := ..." for why this is double-cleaned and
+	// what's happening here
+	return filepath.Clean(root + filepath.Clean(string(filepath.Separator)+b.String())), nil
+}
+
+// EvalSymlinks returns the path name after the evaluation of any symbolic
+// links.
+// If path is relative the result will be relative to the current directory,
+// unless one of the components is an absolute symbolic link.
+// This version has been updated to support long paths prepended with `\\?\`.
+func EvalSymlinks(path string) (string, error) {
+	return evalSymlinks(path)
+}
diff --git a/engine/pkg/symlink/fs_unix.go b/engine/pkg/symlink/fs_unix.go
new file mode 100644
index 00000000..c6dafcb0
--- /dev/null
+++ b/engine/pkg/symlink/fs_unix.go
@@ -0,0 +1,15 @@
+// +build !windows
+
+package symlink // import "github.com/docker/docker/pkg/symlink"
+
+import (
+	"path/filepath"
+)
+
+func evalSymlinks(path string) (string, error) {
+	return filepath.EvalSymlinks(path)
+}
+
+func isDriveOrRoot(p string) bool {
+	return p == string(filepath.Separator)
+}
diff --git a/engine/pkg/symlink/fs_unix_test.go b/engine/pkg/symlink/fs_unix_test.go
new file mode 100644
index 00000000..9ed1dd70
--- /dev/null
+++ b/engine/pkg/symlink/fs_unix_test.go
@@ -0,0 +1,407 @@
+// +build !windows
+
+// Licensed under the Apache License, Version 2.0; See LICENSE.APACHE
+
+package symlink // import "github.com/docker/docker/pkg/symlink"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+// TODO Windows: This needs some serious work to port to Windows. For now,
+// turning off testing in this package.
+
+type dirOrLink struct {
+	path   string
+	target string
+}
+
+func makeFs(tmpdir string, fs []dirOrLink) error {
+	for _, s := range fs {
+		s.path = filepath.Join(tmpdir, s.path)
+		if s.target == "" {
+			os.MkdirAll(s.path, 0755)
+			continue
+		}
+		if err := os.MkdirAll(filepath.Dir(s.path), 0755); err != nil {
+			return err
+		}
+		if err := os.Symlink(s.target, s.path); err != nil && !os.IsExist(err) {
+			return err
+		}
+	}
+	return nil
+}
+
+func testSymlink(tmpdir, path, expected, scope string) error {
+	rewrite, err := FollowSymlinkInScope(filepath.Join(tmpdir, path), filepath.Join(tmpdir, scope))
+	if err != nil {
+		return err
+	}
+	expected, err = filepath.Abs(filepath.Join(tmpdir, expected))
+	if err != nil {
+		return err
+	}
+	if expected != rewrite {
+		return fmt.Errorf("Expected %q got %q", expected, rewrite)
+	}
+	return nil
+}
+
+func TestFollowSymlinkAbsolute(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkAbsolute")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	if err := makeFs(tmpdir, []dirOrLink{{path: "testdata/fs/a/d", target: "/b"}}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "testdata/fs/a/d/c/data", "testdata/b/c/data", "testdata"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkRelativePath(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkRelativePath")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	if err := makeFs(tmpdir, []dirOrLink{{path: "testdata/fs/i", target: "a"}}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "testdata/fs/i", "testdata/fs/a", "testdata"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkSkipSymlinksOutsideScope(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkSkipSymlinksOutsideScope")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	if err := makeFs(tmpdir, []dirOrLink{
+		{path: "linkdir", target: "realdir"},
+		{path: "linkdir/foo/bar"},
+	}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "linkdir/foo/bar", "linkdir/foo/bar", "linkdir/foo"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkInvalidScopePathPair(t *testing.T) {
+	if _, err := FollowSymlinkInScope("toto", "testdata"); err == nil {
+		t.Fatal("expected an error")
+	}
+}
+
+func TestFollowSymlinkLastLink(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkLastLink")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	if err := makeFs(tmpdir, []dirOrLink{{path: "testdata/fs/a/d", target: "/b"}}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "testdata/fs/a/d", "testdata/b", "testdata"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkRelativeLinkChangeScope(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkRelativeLinkChangeScope")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	if err := makeFs(tmpdir, []dirOrLink{{path: "testdata/fs/a/e", target: "../b"}}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "testdata/fs/a/e/c/data", "testdata/fs/b/c/data", "testdata"); err != nil {
+		t.Fatal(err)
+	}
+	// avoid letting allowing symlink e lead us to ../b
+	// normalize to the "testdata/fs/a"
+	if err := testSymlink(tmpdir, "testdata/fs/a/e", "testdata/fs/a/b", "testdata/fs/a"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkDeepRelativeLinkChangeScope(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkDeepRelativeLinkChangeScope")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	if err := makeFs(tmpdir, []dirOrLink{{path: "testdata/fs/a/f", target: "../../../../test"}}); err != nil {
+		t.Fatal(err)
+	}
+	// avoid letting symlink f lead us out of the "testdata" scope
+	// we don't normalize because symlink f is in scope and there is no
+	// information leak
+	if err := testSymlink(tmpdir, "testdata/fs/a/f", "testdata/test", "testdata"); err != nil {
+		t.Fatal(err)
+	}
+	// avoid letting symlink f lead us out of the "testdata/fs" scope
+	// we don't normalize because symlink f is in scope and there is no
+	// information leak
+	if err := testSymlink(tmpdir, "testdata/fs/a/f", "testdata/fs/test", "testdata/fs"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkRelativeLinkChain(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkRelativeLinkChain")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	// avoid letting symlink g (pointed at by symlink h) take out of scope
+	// TODO: we should probably normalize to scope here because ../[....]/root
+	// is out of scope and we leak information
+	if err := makeFs(tmpdir, []dirOrLink{
+		{path: "testdata/fs/b/h", target: "../g"},
+		{path: "testdata/fs/g", target: "../../../../../../../../../../../../root"},
+	}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "testdata/fs/b/h", "testdata/root", "testdata"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkBreakoutPath(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkBreakoutPath")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	// avoid letting symlink -> ../directory/file escape from scope
+	// normalize to "testdata/fs/j"
+	if err := makeFs(tmpdir, []dirOrLink{{path: "testdata/fs/j/k", target: "../i/a"}}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "testdata/fs/j/k", "testdata/fs/j/i/a", "testdata/fs/j"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkToRoot(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkToRoot")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	// make sure we don't allow escaping to /
+	// normalize to dir
+	if err := makeFs(tmpdir, []dirOrLink{{path: "foo", target: "/"}}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "foo", "", ""); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkSlashDotdot(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkSlashDotdot")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	tmpdir = filepath.Join(tmpdir, "dir", "subdir")
+
+	// make sure we don't allow escaping to /
+	// normalize to dir
+	if err := makeFs(tmpdir, []dirOrLink{{path: "foo", target: "/../../"}}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "foo", "", ""); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkDotdot(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkDotdot")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+	tmpdir = filepath.Join(tmpdir, "dir", "subdir")
+
+	// make sure we stay in scope without leaking information
+	// this also checks for escaping to /
+	// normalize to dir
+	if err := makeFs(tmpdir, []dirOrLink{{path: "foo", target: "../../"}}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "foo", "", ""); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkRelativePath2(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkRelativePath2")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	if err := makeFs(tmpdir, []dirOrLink{{path: "bar/foo", target: "baz/target"}}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "bar/foo", "bar/baz/target", ""); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkScopeLink(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkScopeLink")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	if err := makeFs(tmpdir, []dirOrLink{
+		{path: "root2"},
+		{path: "root", target: "root2"},
+		{path: "root2/foo", target: "../bar"},
+	}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "root/foo", "root/bar", "root"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkRootScope(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkRootScope")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	expected, err := filepath.EvalSymlinks(tmpdir)
+	if err != nil {
+		t.Fatal(err)
+	}
+	rewrite, err := FollowSymlinkInScope(tmpdir, "/")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if rewrite != expected {
+		t.Fatalf("expected %q got %q", expected, rewrite)
+	}
+}
+
+func TestFollowSymlinkEmpty(t *testing.T) {
+	res, err := FollowSymlinkInScope("", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	wd, err := os.Getwd()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if res != wd {
+		t.Fatalf("expected %q got %q", wd, res)
+	}
+}
+
+func TestFollowSymlinkCircular(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkCircular")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	if err := makeFs(tmpdir, []dirOrLink{{path: "root/foo", target: "foo"}}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "root/foo", "", "root"); err == nil {
+		t.Fatal("expected an error for foo -> foo")
+	}
+
+	if err := makeFs(tmpdir, []dirOrLink{
+		{path: "root/bar", target: "baz"},
+		{path: "root/baz", target: "../bak"},
+		{path: "root/bak", target: "/bar"},
+	}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "root/foo", "", "root"); err == nil {
+		t.Fatal("expected an error for bar -> baz -> bak -> bar")
+	}
+}
+
+func TestFollowSymlinkComplexChainWithTargetPathsContainingLinks(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkComplexChainWithTargetPathsContainingLinks")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	if err := makeFs(tmpdir, []dirOrLink{
+		{path: "root2"},
+		{path: "root", target: "root2"},
+		{path: "root/a", target: "r/s"},
+		{path: "root/r", target: "../root/t"},
+		{path: "root/root/t/s/b", target: "/../u"},
+		{path: "root/u/c", target: "."},
+		{path: "root/u/x/y", target: "../v"},
+		{path: "root/u/v", target: "/../w"},
+	}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "root/a/b/c/x/y/z", "root/w/z", "root"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkBreakoutNonExistent(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkBreakoutNonExistent")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	if err := makeFs(tmpdir, []dirOrLink{
+		{path: "root/slash", target: "/"},
+		{path: "root/sym", target: "/idontexist/../slash"},
+	}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "root/sym/file", "root/file", "root"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFollowSymlinkNoLexicalCleaning(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "TestFollowSymlinkNoLexicalCleaning")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	if err := makeFs(tmpdir, []dirOrLink{
+		{path: "root/sym", target: "/foo/bar"},
+		{path: "root/hello", target: "/sym/../baz"},
+	}); err != nil {
+		t.Fatal(err)
+	}
+	if err := testSymlink(tmpdir, "root/hello", "root/foo/baz", "root"); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/pkg/symlink/fs_windows.go b/engine/pkg/symlink/fs_windows.go
new file mode 100644
index 00000000..75476171
--- /dev/null
+++ b/engine/pkg/symlink/fs_windows.go
@@ -0,0 +1,169 @@
+package symlink // import "github.com/docker/docker/pkg/symlink"
+
+import (
+	"bytes"
+	"errors"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/pkg/longpath"
+	"golang.org/x/sys/windows"
+)
+
+func toShort(path string) (string, error) {
+	p, err := windows.UTF16FromString(path)
+	if err != nil {
+		return "", err
+	}
+	b := p // GetShortPathName says we can reuse buffer
+	n, err := windows.GetShortPathName(&p[0], &b[0], uint32(len(b)))
+	if err != nil {
+		return "", err
+	}
+	if n > uint32(len(b)) {
+		b = make([]uint16, n)
+		if _, err = windows.GetShortPathName(&p[0], &b[0], uint32(len(b))); err != nil {
+			return "", err
+		}
+	}
+	return windows.UTF16ToString(b), nil
+}
+
+func toLong(path string) (string, error) {
+	p, err := windows.UTF16FromString(path)
+	if err != nil {
+		return "", err
+	}
+	b := p // GetLongPathName says we can reuse buffer
+	n, err := windows.GetLongPathName(&p[0], &b[0], uint32(len(b)))
+	if err != nil {
+		return "", err
+	}
+	if n > uint32(len(b)) {
+		b = make([]uint16, n)
+		n, err = windows.GetLongPathName(&p[0], &b[0], uint32(len(b)))
+		if err != nil {
+			return "", err
+		}
+	}
+	b = b[:n]
+	return windows.UTF16ToString(b), nil
+}
+
+func evalSymlinks(path string) (string, error) {
+	path, err := walkSymlinks(path)
+	if err != nil {
+		return "", err
+	}
+
+	p, err := toShort(path)
+	if err != nil {
+		return "", err
+	}
+	p, err = toLong(p)
+	if err != nil {
+		return "", err
+	}
+	// windows.GetLongPathName does not change the case of the drive letter,
+	// but the result of EvalSymlinks must be unique, so we have
+	// EvalSymlinks(`c:\a`) == EvalSymlinks(`C:\a`).
+	// Make drive letter upper case.
+	if len(p) >= 2 && p[1] == ':' && 'a' <= p[0] && p[0] <= 'z' {
+		p = string(p[0]+'A'-'a') + p[1:]
+	} else if len(p) >= 6 && p[5] == ':' && 'a' <= p[4] && p[4] <= 'z' {
+		p = p[:3] + string(p[4]+'A'-'a') + p[5:]
+	}
+	return filepath.Clean(p), nil
+}
+
+const utf8RuneSelf = 0x80
+
+func walkSymlinks(path string) (string, error) {
+	const maxIter = 255
+	originalPath := path
+	// consume path by taking each frontmost path element,
+	// expanding it if it's a symlink, and appending it to b
+	var b bytes.Buffer
+	for n := 0; path != ""; n++ {
+		if n > maxIter {
+			return "", errors.New("EvalSymlinks: too many links in " + originalPath)
+		}
+
+		// A path beginning with `\\?\` represents the root, so automatically
+		// skip that part and begin processing the next segment.
+		if strings.HasPrefix(path, longpath.Prefix) {
+			b.WriteString(longpath.Prefix)
+			path = path[4:]
+			continue
+		}
+
+		// find next path component, p
+		var i = -1
+		for j, c := range path {
+			if c < utf8RuneSelf && os.IsPathSeparator(uint8(c)) {
+				i = j
+				break
+			}
+		}
+		var p string
+		if i == -1 {
+			p, path = path, ""
+		} else {
+			p, path = path[:i], path[i+1:]
+		}
+
+		if p == "" {
+			if b.Len() == 0 {
+				// must be absolute path
+				b.WriteRune(filepath.Separator)
+			}
+			continue
+		}
+
+		// If this is the first segment after the long path prefix, accept the
+		// current segment as a volume root or UNC share and move on to the next.
+		if b.String() == longpath.Prefix {
+			b.WriteString(p)
+			b.WriteRune(filepath.Separator)
+			continue
+		}
+
+		fi, err := os.Lstat(b.String() + p)
+		if err != nil {
+			return "", err
+		}
+		if fi.Mode()&os.ModeSymlink == 0 {
+			b.WriteString(p)
+			if path != "" || (b.Len() == 2 && len(p) == 2 && p[1] == ':') {
+				b.WriteRune(filepath.Separator)
+			}
+			continue
+		}
+
+		// it's a symlink, put it at the front of path
+		dest, err := os.Readlink(b.String() + p)
+		if err != nil {
+			return "", err
+		}
+		if filepath.IsAbs(dest) || os.IsPathSeparator(dest[0]) {
+			b.Reset()
+		}
+		path = dest + string(filepath.Separator) + path
+	}
+	return filepath.Clean(b.String()), nil
+}
+
+func isDriveOrRoot(p string) bool {
+	if p == string(filepath.Separator) {
+		return true
+	}
+
+	length := len(p)
+	if length >= 2 {
+		if p[length-1] == ':' && (('a' <= p[length-2] && p[length-2] <= 'z') || ('A' <= p[length-2] && p[length-2] <= 'Z')) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/engine/pkg/sysinfo/README.md b/engine/pkg/sysinfo/README.md
new file mode 100644
index 00000000..c1530cef
--- /dev/null
+++ b/engine/pkg/sysinfo/README.md
@@ -0,0 +1 @@
+SysInfo stores information about which features a kernel supports.
diff --git a/engine/pkg/sysinfo/numcpu.go b/engine/pkg/sysinfo/numcpu.go
new file mode 100644
index 00000000..eea2d25b
--- /dev/null
+++ b/engine/pkg/sysinfo/numcpu.go
@@ -0,0 +1,12 @@
+// +build !linux,!windows
+
+package sysinfo // import "github.com/docker/docker/pkg/sysinfo"
+
+import (
+	"runtime"
+)
+
+// NumCPU returns the number of CPUs
+func NumCPU() int {
+	return runtime.NumCPU()
+}
diff --git a/engine/pkg/sysinfo/numcpu_linux.go b/engine/pkg/sysinfo/numcpu_linux.go
new file mode 100644
index 00000000..5f6c6df8
--- /dev/null
+++ b/engine/pkg/sysinfo/numcpu_linux.go
@@ -0,0 +1,42 @@
+package sysinfo // import "github.com/docker/docker/pkg/sysinfo"
+
+import (
+	"runtime"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+// numCPU queries the system for the count of threads available
+// for use to this process.
+//
+// Issues two syscalls.
+// Returns 0 on errors. Use |runtime.NumCPU| in that case.
+func numCPU() int {
+	// Gets the affinity mask for a process: The very one invoking this function.
+	pid, _, _ := unix.RawSyscall(unix.SYS_GETPID, 0, 0, 0)
+
+	var mask [1024 / 64]uintptr
+	_, _, err := unix.RawSyscall(unix.SYS_SCHED_GETAFFINITY, pid, uintptr(len(mask)*8), uintptr(unsafe.Pointer(&mask[0])))
+	if err != 0 {
+		return 0
+	}
+
+	// For every available thread a bit is set in the mask.
+	ncpu := 0
+	for _, e := range mask {
+		if e == 0 {
+			continue
+		}
+		ncpu += int(popcnt(uint64(e)))
+	}
+	return ncpu
+}
+
+// NumCPU returns the number of CPUs which are currently online
+func NumCPU() int {
+	if ncpu := numCPU(); ncpu > 0 {
+		return ncpu
+	}
+	return runtime.NumCPU()
+}
diff --git a/engine/pkg/sysinfo/numcpu_windows.go b/engine/pkg/sysinfo/numcpu_windows.go
new file mode 100644
index 00000000..13523f67
--- /dev/null
+++ b/engine/pkg/sysinfo/numcpu_windows.go
@@ -0,0 +1,35 @@
+package sysinfo // import "github.com/docker/docker/pkg/sysinfo"
+
+import (
+	"runtime"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var (
+	kernel32               = windows.NewLazySystemDLL("kernel32.dll")
+	getCurrentProcess      = kernel32.NewProc("GetCurrentProcess")
+	getProcessAffinityMask = kernel32.NewProc("GetProcessAffinityMask")
+)
+
+func numCPU() int {
+	// Gets the affinity mask for a process
+	var mask, sysmask uintptr
+	currentProcess, _, _ := getCurrentProcess.Call()
+	ret, _, _ := getProcessAffinityMask.Call(currentProcess, uintptr(unsafe.Pointer(&mask)), uintptr(unsafe.Pointer(&sysmask)))
+	if ret == 0 {
+		return 0
+	}
+	// For every available thread a bit is set in the mask.
+	ncpu := int(popcnt(uint64(mask)))
+	return ncpu
+}
+
+// NumCPU returns the number of CPUs which are currently online
+func NumCPU() int {
+	if ncpu := numCPU(); ncpu > 0 {
+		return ncpu
+	}
+	return runtime.NumCPU()
+}
diff --git a/engine/pkg/sysinfo/sysinfo.go b/engine/pkg/sysinfo/sysinfo.go
new file mode 100644
index 00000000..8fc0ecc2
--- /dev/null
+++ b/engine/pkg/sysinfo/sysinfo.go
@@ -0,0 +1,144 @@
+package sysinfo // import "github.com/docker/docker/pkg/sysinfo"
+
+import "github.com/docker/docker/pkg/parsers"
+
+// SysInfo stores information about which features a kernel supports.
+// TODO Windows: Factor out platform specific capabilities.
+type SysInfo struct {
+	// Whether the kernel supports AppArmor or not
+	AppArmor bool
+	// Whether the kernel supports Seccomp or not
+	Seccomp bool
+
+	cgroupMemInfo
+	cgroupCPUInfo
+	cgroupBlkioInfo
+	cgroupCpusetInfo
+	cgroupPids
+
+	// Whether IPv4 forwarding is supported or not, if this was disabled, networking will not work
+	IPv4ForwardingDisabled bool
+
+	// Whether bridge-nf-call-iptables is supported or not
+	BridgeNFCallIPTablesDisabled bool
+
+	// Whether bridge-nf-call-ip6tables is supported or not
+	BridgeNFCallIP6TablesDisabled bool
+
+	// Whether the cgroup has the mountpoint of "devices" or not
+	CgroupDevicesEnabled bool
+}
+
+type cgroupMemInfo struct {
+	// Whether memory limit is supported or not
+	MemoryLimit bool
+
+	// Whether swap limit is supported or not
+	SwapLimit bool
+
+	// Whether soft limit is supported or not
+	MemoryReservation bool
+
+	// Whether OOM killer disable is supported or not
+	OomKillDisable bool
+
+	// Whether memory swappiness is supported or not
+	MemorySwappiness bool
+
+	// Whether kernel memory limit is supported or not
+	KernelMemory bool
+}
+
+type cgroupCPUInfo struct {
+	// Whether CPU shares is supported or not
+	CPUShares bool
+
+	// Whether CPU CFS(Completely Fair Scheduler) period is supported or not
+	CPUCfsPeriod bool
+
+	// Whether CPU CFS(Completely Fair Scheduler) quota is supported or not
+	CPUCfsQuota bool
+
+	// Whether CPU real-time period is supported or not
+	CPURealtimePeriod bool
+
+	// Whether CPU real-time runtime is supported or not
+	CPURealtimeRuntime bool
+}
+
+type cgroupBlkioInfo struct {
+	// Whether Block IO weight is supported or not
+	BlkioWeight bool
+
+	// Whether Block IO weight_device is supported or not
+	BlkioWeightDevice bool
+
+	// Whether Block IO read limit in bytes per second is supported or not
+	BlkioReadBpsDevice bool
+
+	// Whether Block IO write limit in bytes per second is supported or not
+	BlkioWriteBpsDevice bool
+
+	// Whether Block IO read limit in IO per second is supported or not
+	BlkioReadIOpsDevice bool
+
+	// Whether Block IO write limit in IO per second is supported or not
+	BlkioWriteIOpsDevice bool
+}
+
+type cgroupCpusetInfo struct {
+	// Whether Cpuset is supported or not
+	Cpuset bool
+
+	// Available Cpuset's cpus
+	Cpus string
+
+	// Available Cpuset's memory nodes
+	Mems string
+}
+
+type cgroupPids struct {
+	// Whether Pids Limit is supported or not
+	PidsLimit bool
+}
+
+// IsCpusetCpusAvailable returns `true` if the provided string set is contained
+// in cgroup's cpuset.cpus set, `false` otherwise.
+// If error is not nil a parsing error occurred.
+func (c cgroupCpusetInfo) IsCpusetCpusAvailable(provided string) (bool, error) {
+	return isCpusetListAvailable(provided, c.Cpus)
+}
+
+// IsCpusetMemsAvailable returns `true` if the provided string set is contained
+// in cgroup's cpuset.mems set, `false` otherwise.
+// If error is not nil a parsing error occurred.
+func (c cgroupCpusetInfo) IsCpusetMemsAvailable(provided string) (bool, error) {
+	return isCpusetListAvailable(provided, c.Mems)
+}
+
+func isCpusetListAvailable(provided, available string) (bool, error) {
+	parsedProvided, err := parsers.ParseUintList(provided)
+	if err != nil {
+		return false, err
+	}
+	parsedAvailable, err := parsers.ParseUintList(available)
+	if err != nil {
+		return false, err
+	}
+	for k := range parsedProvided {
+		if !parsedAvailable[k] {
+			return false, nil
+		}
+	}
+	return true, nil
+}
+
+// Returns bit count of 1, used by NumCPU
+func popcnt(x uint64) (n byte) {
+	x -= (x >> 1) & 0x5555555555555555
+	x = (x>>2)&0x3333333333333333 + x&0x3333333333333333
+	x += x >> 4
+	x &= 0x0f0f0f0f0f0f0f0f
+	x *= 0x0101010101010101
+	return byte(x >> 56)
+}
diff --git a/engine/pkg/sysinfo/sysinfo_linux.go b/engine/pkg/sysinfo/sysinfo_linux.go
new file mode 100644
index 00000000..dde5be19
--- /dev/null
+++ b/engine/pkg/sysinfo/sysinfo_linux.go
@@ -0,0 +1,254 @@
+package sysinfo // import "github.com/docker/docker/pkg/sysinfo"
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"strings"
+
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func findCgroupMountpoints() (map[string]string, error) {
+	cgMounts, err := cgroups.GetCgroupMounts(false)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to parse cgroup information: %v", err)
+	}
+	mps := make(map[string]string)
+	for _, m := range cgMounts {
+		for _, ss := range m.Subsystems {
+			mps[ss] = m.Mountpoint
+		}
+	}
+	return mps, nil
+}
+
+// New returns a new SysInfo, using the filesystem to detect which features
+// the kernel supports. If `quiet` is `false` warnings are printed in logs
+// whenever an error occurs or misconfigurations are present.
+func New(quiet bool) *SysInfo {
+	sysInfo := &SysInfo{}
+	cgMounts, err := findCgroupMountpoints()
+	if err != nil {
+		logrus.Warnf("Failed to parse cgroup information: %v", err)
+	} else {
+		sysInfo.cgroupMemInfo = checkCgroupMem(cgMounts, quiet)
+		sysInfo.cgroupCPUInfo = checkCgroupCPU(cgMounts, quiet)
+		sysInfo.cgroupBlkioInfo = checkCgroupBlkioInfo(cgMounts, quiet)
+		sysInfo.cgroupCpusetInfo = checkCgroupCpusetInfo(cgMounts, quiet)
+		sysInfo.cgroupPids = checkCgroupPids(quiet)
+	}
+
+	_, ok := cgMounts["devices"]
+	sysInfo.CgroupDevicesEnabled = ok
+
+	sysInfo.IPv4ForwardingDisabled = !readProcBool("/proc/sys/net/ipv4/ip_forward")
+	sysInfo.BridgeNFCallIPTablesDisabled = !readProcBool("/proc/sys/net/bridge/bridge-nf-call-iptables")
+	sysInfo.BridgeNFCallIP6TablesDisabled = !readProcBool("/proc/sys/net/bridge/bridge-nf-call-ip6tables")
+
+	// Check if AppArmor is supported.
+	if _, err := os.Stat("/sys/kernel/security/apparmor"); !os.IsNotExist(err) {
+		sysInfo.AppArmor = true
+	}
+
+	// Check if Seccomp is supported, via CONFIG_SECCOMP.
+	if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+			sysInfo.Seccomp = true
+		}
+	}
+
+	return sysInfo
+}
+
+// checkCgroupMem reads the memory information from the memory cgroup mount point.
+func checkCgroupMem(cgMounts map[string]string, quiet bool) cgroupMemInfo {
+	mountPoint, ok := cgMounts["memory"]
+	if !ok {
+		if !quiet {
+			logrus.Warn("Your kernel does not support cgroup memory limit")
+		}
+		return cgroupMemInfo{}
+	}
+
+	swapLimit := cgroupEnabled(mountPoint, "memory.memsw.limit_in_bytes")
+	if !quiet && !swapLimit {
+		logrus.Warn("Your kernel does not support swap memory limit")
+	}
+	memoryReservation := cgroupEnabled(mountPoint, "memory.soft_limit_in_bytes")
+	if !quiet && !memoryReservation {
+		logrus.Warn("Your kernel does not support memory reservation")
+	}
+	oomKillDisable := cgroupEnabled(mountPoint, "memory.oom_control")
+	if !quiet && !oomKillDisable {
+		logrus.Warn("Your kernel does not support oom control")
+	}
+	memorySwappiness := cgroupEnabled(mountPoint, "memory.swappiness")
+	if !quiet && !memorySwappiness {
+		logrus.Warn("Your kernel does not support memory swappiness")
+	}
+	kernelMemory := cgroupEnabled(mountPoint, "memory.kmem.limit_in_bytes")
+	if !quiet && !kernelMemory {
+		logrus.Warn("Your kernel does not support kernel memory limit")
+	}
+
+	return cgroupMemInfo{
+		MemoryLimit:       true,
+		SwapLimit:         swapLimit,
+		MemoryReservation: memoryReservation,
+		OomKillDisable:    oomKillDisable,
+		MemorySwappiness:  memorySwappiness,
+		KernelMemory:      kernelMemory,
+	}
+}
+
+// checkCgroupCPU reads the cpu information from the cpu cgroup mount point.
+func checkCgroupCPU(cgMounts map[string]string, quiet bool) cgroupCPUInfo {
+	mountPoint, ok := cgMounts["cpu"]
+	if !ok {
+		if !quiet {
+			logrus.Warn("Unable to find cpu cgroup in mounts")
+		}
+		return cgroupCPUInfo{}
+	}
+
+	cpuShares := cgroupEnabled(mountPoint, "cpu.shares")
+	if !quiet && !cpuShares {
+		logrus.Warn("Your kernel does not support cgroup cpu shares")
+	}
+
+	cpuCfsPeriod := cgroupEnabled(mountPoint, "cpu.cfs_period_us")
+	if !quiet && !cpuCfsPeriod {
+		logrus.Warn("Your kernel does not support cgroup cfs period")
+	}
+
+	cpuCfsQuota := cgroupEnabled(mountPoint, "cpu.cfs_quota_us")
+	if !quiet && !cpuCfsQuota {
+		logrus.Warn("Your kernel does not support cgroup cfs quotas")
+	}
+
+	cpuRealtimePeriod := cgroupEnabled(mountPoint, "cpu.rt_period_us")
+	if !quiet && !cpuRealtimePeriod {
+		logrus.Warn("Your kernel does not support cgroup rt period")
+	}
+
+	cpuRealtimeRuntime := cgroupEnabled(mountPoint, "cpu.rt_runtime_us")
+	if !quiet && !cpuRealtimeRuntime {
+		logrus.Warn("Your kernel does not support cgroup rt runtime")
+	}
+
+	return cgroupCPUInfo{
+		CPUShares:          cpuShares,
+		CPUCfsPeriod:       cpuCfsPeriod,
+		CPUCfsQuota:        cpuCfsQuota,
+		CPURealtimePeriod:  cpuRealtimePeriod,
+		CPURealtimeRuntime: cpuRealtimeRuntime,
+	}
+}
+
+// checkCgroupBlkioInfo reads the blkio information from the blkio cgroup mount point.
+func checkCgroupBlkioInfo(cgMounts map[string]string, quiet bool) cgroupBlkioInfo {
+	mountPoint, ok := cgMounts["blkio"]
+	if !ok {
+		if !quiet {
+			logrus.Warn("Unable to find blkio cgroup in mounts")
+		}
+		return cgroupBlkioInfo{}
+	}
+
+	weight := cgroupEnabled(mountPoint, "blkio.weight")
+	if !quiet && !weight {
+		logrus.Warn("Your kernel does not support cgroup blkio weight")
+	}
+
+	weightDevice := cgroupEnabled(mountPoint, "blkio.weight_device")
+	if !quiet && !weightDevice {
+		logrus.Warn("Your kernel does not support cgroup blkio weight_device")
+	}
+
+	readBpsDevice := cgroupEnabled(mountPoint, "blkio.throttle.read_bps_device")
+	if !quiet && !readBpsDevice {
+		logrus.Warn("Your kernel does not support cgroup blkio throttle.read_bps_device")
+	}
+
+	writeBpsDevice := cgroupEnabled(mountPoint, "blkio.throttle.write_bps_device")
+	if !quiet && !writeBpsDevice {
+		logrus.Warn("Your kernel does not support cgroup blkio throttle.write_bps_device")
+	}
+	readIOpsDevice := cgroupEnabled(mountPoint, "blkio.throttle.read_iops_device")
+	if !quiet && !readIOpsDevice {
+		logrus.Warn("Your kernel does not support cgroup blkio throttle.read_iops_device")
+	}
+
+	writeIOpsDevice := cgroupEnabled(mountPoint, "blkio.throttle.write_iops_device")
+	if !quiet && !writeIOpsDevice {
+		logrus.Warn("Your kernel does not support cgroup blkio throttle.write_iops_device")
+	}
+	return cgroupBlkioInfo{
+		BlkioWeight:          weight,
+		BlkioWeightDevice:    weightDevice,
+		BlkioReadBpsDevice:   readBpsDevice,
+		BlkioWriteBpsDevice:  writeBpsDevice,
+		BlkioReadIOpsDevice:  readIOpsDevice,
+		BlkioWriteIOpsDevice: writeIOpsDevice,
+	}
+}
+
+// checkCgroupCpusetInfo reads the cpuset information from the cpuset cgroup mount point.
+func checkCgroupCpusetInfo(cgMounts map[string]string, quiet bool) cgroupCpusetInfo {
+	mountPoint, ok := cgMounts["cpuset"]
+	if !ok {
+		if !quiet {
+			logrus.Warn("Unable to find cpuset cgroup in mounts")
+		}
+		return cgroupCpusetInfo{}
+	}
+
+	cpus, err := ioutil.ReadFile(path.Join(mountPoint, "cpuset.cpus"))
+	if err != nil {
+		return cgroupCpusetInfo{}
+	}
+
+	mems, err := ioutil.ReadFile(path.Join(mountPoint, "cpuset.mems"))
+	if err != nil {
+		return cgroupCpusetInfo{}
+	}
+
+	return cgroupCpusetInfo{
+		Cpuset: true,
+		Cpus:   strings.TrimSpace(string(cpus)),
+		Mems:   strings.TrimSpace(string(mems)),
+	}
+}
+
+// checkCgroupPids reads the pids information from the pids cgroup mount point.
+func checkCgroupPids(quiet bool) cgroupPids {
+	_, err := cgroups.FindCgroupMountpoint("pids")
+	if err != nil {
+		if !quiet {
+			logrus.Warn(err)
+		}
+		return cgroupPids{}
+	}
+
+	return cgroupPids{
+		PidsLimit: true,
+	}
+}
+
+func cgroupEnabled(mountPoint, name string) bool {
+	_, err := os.Stat(path.Join(mountPoint, name))
+	return err == nil
+}
+
+func readProcBool(path string) bool {
+	val, err := ioutil.ReadFile(path)
+	if err != nil {
+		return false
+	}
+	return strings.TrimSpace(string(val)) == "1"
+}
diff --git a/engine/pkg/sysinfo/sysinfo_linux_test.go b/engine/pkg/sysinfo/sysinfo_linux_test.go
new file mode 100644
index 00000000..13a07fbc
--- /dev/null
+++ b/engine/pkg/sysinfo/sysinfo_linux_test.go
@@ -0,0 +1,104 @@
+package sysinfo // import "github.com/docker/docker/pkg/sysinfo"
+
+import (
+	"io/ioutil"
+	"os"
+	"path"
+	"path/filepath"
+	"testing"
+
+	"golang.org/x/sys/unix"
+	"gotest.tools/assert"
+)
+
+func TestReadProcBool(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "test-sysinfo-proc")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	procFile := filepath.Join(tmpDir, "read-proc-bool")
+	err = ioutil.WriteFile(procFile, []byte("1"), 0644)
+	assert.NilError(t, err)
+
+	if !readProcBool(procFile) {
+		t.Fatal("expected proc bool to be true, got false")
+	}
+
+	if err := ioutil.WriteFile(procFile, []byte("0"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if readProcBool(procFile) {
+		t.Fatal("expected proc bool to be false, got true")
+	}
+
+	if readProcBool(path.Join(tmpDir, "no-exist")) {
+		t.Fatal("should be false for non-existent entry")
+	}
+
+}
+
+func TestCgroupEnabled(t *testing.T) {
+	cgroupDir, err := ioutil.TempDir("", "cgroup-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(cgroupDir)
+
+	if cgroupEnabled(cgroupDir, "test") {
+		t.Fatal("cgroupEnabled should be false")
+	}
+
+	err = ioutil.WriteFile(path.Join(cgroupDir, "test"), []byte{}, 0644)
+	assert.NilError(t, err)
+
+	if !cgroupEnabled(cgroupDir, "test") {
+		t.Fatal("cgroupEnabled should be true")
+	}
+}
+
+func TestNew(t *testing.T) {
+	sysInfo := New(false)
+	assert.Assert(t, sysInfo != nil)
+	checkSysInfo(t, sysInfo)
+
+	sysInfo = New(true)
+	assert.Assert(t, sysInfo != nil)
+	checkSysInfo(t, sysInfo)
+}
+
+func checkSysInfo(t *testing.T, sysInfo *SysInfo) {
+	// Check if Seccomp is supported, via CONFIG_SECCOMP.then sysInfo.Seccomp must be TRUE , else FALSE
+	if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+			assert.Assert(t, sysInfo.Seccomp)
+		}
+	} else {
+		assert.Assert(t, !sysInfo.Seccomp)
+	}
+}
+
+func TestNewAppArmorEnabled(t *testing.T) {
+	// Check if AppArmor is supported. then it must be TRUE , else FALSE
+	if _, err := os.Stat("/sys/kernel/security/apparmor"); err != nil {
+		t.Skip("App Armor Must be Enabled")
+	}
+
+	sysInfo := New(true)
+	assert.Assert(t, sysInfo.AppArmor)
+}
+
+func TestNewAppArmorDisabled(t *testing.T) {
+	// Check if AppArmor is supported. then it must be TRUE , else FALSE
+	if _, err := os.Stat("/sys/kernel/security/apparmor"); !os.IsNotExist(err) {
+		t.Skip("App Armor Must be Disabled")
+	}
+
+	sysInfo := New(true)
+	assert.Assert(t, !sysInfo.AppArmor)
+}
+
+func TestNumCPU(t *testing.T) {
+	cpuNumbers := NumCPU()
+	if cpuNumbers <= 0 {
+		t.Fatal("CPU returned must be greater than zero")
+	}
+}
diff --git a/engine/pkg/sysinfo/sysinfo_test.go b/engine/pkg/sysinfo/sysinfo_test.go
new file mode 100644
index 00000000..6a118b63
--- /dev/null
+++ b/engine/pkg/sysinfo/sysinfo_test.go
@@ -0,0 +1,26 @@
+package sysinfo // import "github.com/docker/docker/pkg/sysinfo"
+
+import "testing"
+
+func TestIsCpusetListAvailable(t *testing.T) {
+	cases := []struct {
+		provided  string
+		available string
+		res       bool
+		err       bool
+	}{
+		{"1", "0-4", true, false},
+		{"01,3", "0-4", true, false},
+		{"", "0-7", true, false},
+		{"1--42", "0-7", false, true},
+		{"1-42", "00-1,8,,9", false, true},
+		{"1,41-42", "43,45", false, false},
+		{"0-3", "", false, false},
+	}
+	for _, c := range cases {
+		r, err := isCpusetListAvailable(c.provided, c.available)
+		if (c.err && err == nil) && r != c.res {
+			t.Fatalf("Expected pair: %v, %v for %s, %s. Got %v, %v instead", c.res, c.err, c.provided, c.available, (c.err && err == nil), r)
+		}
+	}
+}
diff --git a/engine/pkg/sysinfo/sysinfo_unix.go b/engine/pkg/sysinfo/sysinfo_unix.go
new file mode 100644
index 00000000..23cc695f
--- /dev/null
+++ b/engine/pkg/sysinfo/sysinfo_unix.go
@@ -0,0 +1,9 @@
+// +build !linux,!windows
+
+package sysinfo // import "github.com/docker/docker/pkg/sysinfo"
+
+// New returns an empty SysInfo for non linux for now.
+func New(quiet bool) *SysInfo {
+	sysInfo := &SysInfo{}
+	return sysInfo
+}
diff --git a/engine/pkg/sysinfo/sysinfo_windows.go b/engine/pkg/sysinfo/sysinfo_windows.go
new file mode 100644
index 00000000..5f68524e
--- /dev/null
+++ b/engine/pkg/sysinfo/sysinfo_windows.go
@@ -0,0 +1,7 @@
+package sysinfo // import "github.com/docker/docker/pkg/sysinfo"
+
+// New returns an empty SysInfo for windows for now.
+func New(quiet bool) *SysInfo {
+	sysInfo := &SysInfo{}
+	return sysInfo
+}
diff --git a/engine/pkg/system/chtimes.go b/engine/pkg/system/chtimes.go
new file mode 100644
index 00000000..c26a4e24
--- /dev/null
+++ b/engine/pkg/system/chtimes.go
@@ -0,0 +1,31 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"os"
+	"time"
+)
+
+// Chtimes changes the access time and modified time of a file at the given path
+func Chtimes(name string, atime time.Time, mtime time.Time) error {
+	unixMinTime := time.Unix(0, 0)
+	unixMaxTime := maxTime
+
+	// If the modified time is prior to the Unix Epoch, or after the
+	// end of Unix Time, os.Chtimes has undefined behavior
+	// default to Unix Epoch in this case, just in case
+
+	if atime.Before(unixMinTime) || atime.After(unixMaxTime) {
+		atime = unixMinTime
+	}
+
+	if mtime.Before(unixMinTime) || mtime.After(unixMaxTime) {
+		mtime = unixMinTime
+	}
+
+	if err := os.Chtimes(name, atime, mtime); err != nil {
+		return err
+	}
+
+	// Take platform specific action for setting create time.
+	return setCTime(name, mtime)
+}
diff --git a/engine/pkg/system/chtimes_test.go b/engine/pkg/system/chtimes_test.go
new file mode 100644
index 00000000..5a3f98e1
--- /dev/null
+++ b/engine/pkg/system/chtimes_test.go
@@ -0,0 +1,94 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+// prepareTempFile creates a temporary file in a temporary directory.
+func prepareTempFile(t *testing.T) (string, string) {
+	dir, err := ioutil.TempDir("", "docker-system-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	file := filepath.Join(dir, "exist")
+	if err := ioutil.WriteFile(file, []byte("hello"), 0644); err != nil {
+		t.Fatal(err)
+	}
+	return file, dir
+}
+
+// TestChtimes tests Chtimes on a tempfile. Test only mTime, because aTime is OS dependent
+func TestChtimes(t *testing.T) {
+	file, dir := prepareTempFile(t)
+	defer os.RemoveAll(dir)
+
+	beforeUnixEpochTime := time.Unix(0, 0).Add(-100 * time.Second)
+	unixEpochTime := time.Unix(0, 0)
+	afterUnixEpochTime := time.Unix(100, 0)
+	unixMaxTime := maxTime
+
+	// Test both aTime and mTime set to Unix Epoch
+	Chtimes(file, unixEpochTime, unixEpochTime)
+
+	f, err := os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if f.ModTime() != unixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", unixEpochTime, f.ModTime())
+	}
+
+	// Test aTime before Unix Epoch and mTime set to Unix Epoch
+	Chtimes(file, beforeUnixEpochTime, unixEpochTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if f.ModTime() != unixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", unixEpochTime, f.ModTime())
+	}
+
+	// Test aTime set to Unix Epoch and mTime before Unix Epoch
+	Chtimes(file, unixEpochTime, beforeUnixEpochTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if f.ModTime() != unixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", unixEpochTime, f.ModTime())
+	}
+
+	// Test both aTime and mTime set to after Unix Epoch (valid time)
+	Chtimes(file, afterUnixEpochTime, afterUnixEpochTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if f.ModTime() != afterUnixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", afterUnixEpochTime, f.ModTime())
+	}
+
+	// Test both aTime and mTime set to Unix max time
+	Chtimes(file, unixMaxTime, unixMaxTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if f.ModTime().Truncate(time.Second) != unixMaxTime.Truncate(time.Second) {
+		t.Fatalf("Expected: %s, got: %s", unixMaxTime.Truncate(time.Second), f.ModTime().Truncate(time.Second))
+	}
+}
diff --git a/engine/pkg/system/chtimes_unix.go b/engine/pkg/system/chtimes_unix.go
new file mode 100644
index 00000000..259138a4
--- /dev/null
+++ b/engine/pkg/system/chtimes_unix.go
@@ -0,0 +1,14 @@
+// +build !windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"time"
+)
+
+//setCTime will set the create time on a file. On Unix, the create
+//time is updated as a side effect of setting the modified time, so
+//no action is required.
+func setCTime(path string, ctime time.Time) error {
+	return nil
+}
diff --git a/engine/pkg/system/chtimes_unix_test.go b/engine/pkg/system/chtimes_unix_test.go
new file mode 100644
index 00000000..e25232c7
--- /dev/null
+++ b/engine/pkg/system/chtimes_unix_test.go
@@ -0,0 +1,91 @@
+// +build !windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"os"
+	"syscall"
+	"testing"
+	"time"
+)
+
+// TestChtimesLinux tests Chtimes access time on a tempfile on Linux
+func TestChtimesLinux(t *testing.T) {
+	file, dir := prepareTempFile(t)
+	defer os.RemoveAll(dir)
+
+	beforeUnixEpochTime := time.Unix(0, 0).Add(-100 * time.Second)
+	unixEpochTime := time.Unix(0, 0)
+	afterUnixEpochTime := time.Unix(100, 0)
+	unixMaxTime := maxTime
+
+	// Test both aTime and mTime set to Unix Epoch
+	Chtimes(file, unixEpochTime, unixEpochTime)
+
+	f, err := os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	stat := f.Sys().(*syscall.Stat_t)
+	aTime := time.Unix(int64(stat.Atim.Sec), int64(stat.Atim.Nsec))
+	if aTime != unixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", unixEpochTime, aTime)
+	}
+
+	// Test aTime before Unix Epoch and mTime set to Unix Epoch
+	Chtimes(file, beforeUnixEpochTime, unixEpochTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	stat = f.Sys().(*syscall.Stat_t)
+	aTime = time.Unix(int64(stat.Atim.Sec), int64(stat.Atim.Nsec))
+	if aTime != unixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", unixEpochTime, aTime)
+	}
+
+	// Test aTime set to Unix Epoch and mTime before Unix Epoch
+	Chtimes(file, unixEpochTime, beforeUnixEpochTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	stat = f.Sys().(*syscall.Stat_t)
+	aTime = time.Unix(int64(stat.Atim.Sec), int64(stat.Atim.Nsec))
+	if aTime != unixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", unixEpochTime, aTime)
+	}
+
+	// Test both aTime and mTime set to after Unix Epoch (valid time)
+	Chtimes(file, afterUnixEpochTime, afterUnixEpochTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	stat = f.Sys().(*syscall.Stat_t)
+	aTime = time.Unix(int64(stat.Atim.Sec), int64(stat.Atim.Nsec))
+	if aTime != afterUnixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", afterUnixEpochTime, aTime)
+	}
+
+	// Test both aTime and mTime set to Unix max time
+	Chtimes(file, unixMaxTime, unixMaxTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	stat = f.Sys().(*syscall.Stat_t)
+	aTime = time.Unix(int64(stat.Atim.Sec), int64(stat.Atim.Nsec))
+	if aTime.Truncate(time.Second) != unixMaxTime.Truncate(time.Second) {
+		t.Fatalf("Expected: %s, got: %s", unixMaxTime.Truncate(time.Second), aTime.Truncate(time.Second))
+	}
+}
diff --git a/engine/pkg/system/chtimes_windows.go b/engine/pkg/system/chtimes_windows.go
new file mode 100644
index 00000000..d3a115ff
--- /dev/null
+++ b/engine/pkg/system/chtimes_windows.go
@@ -0,0 +1,26 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"time"
+
+	"golang.org/x/sys/windows"
+)
+
+//setCTime will set the create time on a file. On Windows, this requires
+//calling SetFileTime and explicitly including the create time.
+func setCTime(path string, ctime time.Time) error {
+	ctimespec := windows.NsecToTimespec(ctime.UnixNano())
+	pathp, e := windows.UTF16PtrFromString(path)
+	if e != nil {
+		return e
+	}
+	h, e := windows.CreateFile(pathp,
+		windows.FILE_WRITE_ATTRIBUTES, windows.FILE_SHARE_WRITE, nil,
+		windows.OPEN_EXISTING, windows.FILE_FLAG_BACKUP_SEMANTICS, 0)
+	if e != nil {
+		return e
+	}
+	defer windows.Close(h)
+	c := windows.NsecToFiletime(windows.TimespecToNsec(ctimespec))
+	return windows.SetFileTime(h, &c, nil, nil)
+}
diff --git a/engine/pkg/system/chtimes_windows_test.go b/engine/pkg/system/chtimes_windows_test.go
new file mode 100644
index 00000000..d91e4bc6
--- /dev/null
+++ b/engine/pkg/system/chtimes_windows_test.go
@@ -0,0 +1,86 @@
+// +build windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"os"
+	"syscall"
+	"testing"
+	"time"
+)
+
+// TestChtimesWindows tests Chtimes access time on a tempfile on Windows
+func TestChtimesWindows(t *testing.T) {
+	file, dir := prepareTempFile(t)
+	defer os.RemoveAll(dir)
+
+	beforeUnixEpochTime := time.Unix(0, 0).Add(-100 * time.Second)
+	unixEpochTime := time.Unix(0, 0)
+	afterUnixEpochTime := time.Unix(100, 0)
+	unixMaxTime := maxTime
+
+	// Test both aTime and mTime set to Unix Epoch
+	Chtimes(file, unixEpochTime, unixEpochTime)
+
+	f, err := os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	aTime := time.Unix(0, f.Sys().(*syscall.Win32FileAttributeData).LastAccessTime.Nanoseconds())
+	if aTime != unixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", unixEpochTime, aTime)
+	}
+
+	// Test aTime before Unix Epoch and mTime set to Unix Epoch
+	Chtimes(file, beforeUnixEpochTime, unixEpochTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	aTime = time.Unix(0, f.Sys().(*syscall.Win32FileAttributeData).LastAccessTime.Nanoseconds())
+	if aTime != unixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", unixEpochTime, aTime)
+	}
+
+	// Test aTime set to Unix Epoch and mTime before Unix Epoch
+	Chtimes(file, unixEpochTime, beforeUnixEpochTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	aTime = time.Unix(0, f.Sys().(*syscall.Win32FileAttributeData).LastAccessTime.Nanoseconds())
+	if aTime != unixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", unixEpochTime, aTime)
+	}
+
+	// Test both aTime and mTime set to after Unix Epoch (valid time)
+	Chtimes(file, afterUnixEpochTime, afterUnixEpochTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	aTime = time.Unix(0, f.Sys().(*syscall.Win32FileAttributeData).LastAccessTime.Nanoseconds())
+	if aTime != afterUnixEpochTime {
+		t.Fatalf("Expected: %s, got: %s", afterUnixEpochTime, aTime)
+	}
+
+	// Test both aTime and mTime set to Unix max time
+	Chtimes(file, unixMaxTime, unixMaxTime)
+
+	f, err = os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	aTime = time.Unix(0, f.Sys().(*syscall.Win32FileAttributeData).LastAccessTime.Nanoseconds())
+	if aTime.Truncate(time.Second) != unixMaxTime.Truncate(time.Second) {
+		t.Fatalf("Expected: %s, got: %s", unixMaxTime.Truncate(time.Second), aTime.Truncate(time.Second))
+	}
+}
diff --git a/engine/pkg/system/errors.go b/engine/pkg/system/errors.go
new file mode 100644
index 00000000..2573d716
--- /dev/null
+++ b/engine/pkg/system/errors.go
@@ -0,0 +1,13 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"errors"
+)
+
+var (
+	// ErrNotSupportedPlatform means the platform is not supported.
+	ErrNotSupportedPlatform = errors.New("platform and architecture is not supported")
+
+	// ErrNotSupportedOperatingSystem means the operating system is not supported.
+	ErrNotSupportedOperatingSystem = errors.New("operating system is not supported")
+)
diff --git a/engine/pkg/system/exitcode.go b/engine/pkg/system/exitcode.go
new file mode 100644
index 00000000..4ba8fe35
--- /dev/null
+++ b/engine/pkg/system/exitcode.go
@@ -0,0 +1,19 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"fmt"
+	"os/exec"
+	"syscall"
+)
+
+// GetExitCode returns the ExitStatus of the specified error if its type is
+// exec.ExitError, returns 0 and an error otherwise.
+func GetExitCode(err error) (int, error) {
+	exitCode := 0
+	if exiterr, ok := err.(*exec.ExitError); ok {
+		if procExit, ok := exiterr.Sys().(syscall.WaitStatus); ok {
+			return procExit.ExitStatus(), nil
+		}
+	}
+	return exitCode, fmt.Errorf("failed to get exit code")
+}
diff --git a/engine/pkg/system/filesys.go b/engine/pkg/system/filesys.go
new file mode 100644
index 00000000..adeb1630
--- /dev/null
+++ b/engine/pkg/system/filesys.go
@@ -0,0 +1,67 @@
+// +build !windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+// MkdirAllWithACL is a wrapper for MkdirAll on unix systems.
+func MkdirAllWithACL(path string, perm os.FileMode, sddl string) error {
+	return MkdirAll(path, perm, sddl)
+}
+
+// MkdirAll creates a directory named path along with any necessary parents,
+// with permission specified by attribute perm for all dir created.
+func MkdirAll(path string, perm os.FileMode, sddl string) error {
+	return os.MkdirAll(path, perm)
+}
+
+// IsAbs is a platform-specific wrapper for filepath.IsAbs.
+func IsAbs(path string) bool {
+	return filepath.IsAbs(path)
+}
+
+// The functions below here are wrappers for the equivalents in the os and ioutils packages.
+// They are passthrough on Unix platforms, and only relevant on Windows.
+
+// CreateSequential creates the named file with mode 0666 (before umask), truncating
+// it if it already exists. If successful, methods on the returned
+// File can be used for I/O; the associated file descriptor has mode
+// O_RDWR.
+// If there is an error, it will be of type *PathError.
+func CreateSequential(name string) (*os.File, error) {
+	return os.Create(name)
+}
+
+// OpenSequential opens the named file for reading. If successful, methods on
+// the returned file can be used for reading; the associated file
+// descriptor has mode O_RDONLY.
+// If there is an error, it will be of type *PathError.
+func OpenSequential(name string) (*os.File, error) {
+	return os.Open(name)
+}
+
+// OpenFileSequential is the generalized open call; most users will use Open
+// or Create instead. It opens the named file with specified flag
+// (O_RDONLY etc.) and perm, (0666 etc.) if applicable. If successful,
+// methods on the returned File can be used for I/O.
+// If there is an error, it will be of type *PathError.
+func OpenFileSequential(name string, flag int, perm os.FileMode) (*os.File, error) {
+	return os.OpenFile(name, flag, perm)
+}
+
+// TempFileSequential creates a new temporary file in the directory dir
+// with a name beginning with prefix, opens the file for reading
+// and writing, and returns the resulting *os.File.
+// If dir is the empty string, TempFile uses the default directory
+// for temporary files (see os.TempDir).
+// Multiple programs calling TempFile simultaneously
+// will not choose the same file. The caller can use f.Name()
+// to find the pathname of the file. It is the caller's responsibility
+// to remove the file when no longer needed.
+func TempFileSequential(dir, prefix string) (f *os.File, err error) {
+	return ioutil.TempFile(dir, prefix)
+}
diff --git a/engine/pkg/system/filesys_windows.go b/engine/pkg/system/filesys_windows.go
new file mode 100644
index 00000000..a1f6013f
--- /dev/null
+++ b/engine/pkg/system/filesys_windows.go
@@ -0,0 +1,296 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+	"unsafe"
+
+	winio "github.com/Microsoft/go-winio"
+	"golang.org/x/sys/windows"
+)
+
+const (
+	// SddlAdministratorsLocalSystem is local administrators plus NT AUTHORITY\System
+	SddlAdministratorsLocalSystem = "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
+	// SddlNtvmAdministratorsLocalSystem is NT VIRTUAL MACHINE\Virtual Machines plus local administrators plus NT AUTHORITY\System
+	SddlNtvmAdministratorsLocalSystem = "D:P(A;OICI;GA;;;S-1-5-83-0)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
+)
+
+// MkdirAllWithACL is a wrapper for MkdirAll that creates a directory
+// with an appropriate SDDL defined ACL.
+func MkdirAllWithACL(path string, perm os.FileMode, sddl string) error {
+	return mkdirall(path, true, sddl)
+}
+
+// MkdirAll implementation that is volume path aware for Windows.
+func MkdirAll(path string, _ os.FileMode, sddl string) error {
+	return mkdirall(path, false, sddl)
+}
+
+// mkdirall is a custom version of os.MkdirAll modified for use on Windows
+// so that it is both volume path aware, and can create a directory with
+// a DACL.
+func mkdirall(path string, applyACL bool, sddl string) error {
+	if re := regexp.MustCompile(`^\\\\\?\\Volume{[a-z0-9-]+}$`); re.MatchString(path) {
+		return nil
+	}
+
+	// The rest of this method is largely copied from os.MkdirAll and should be kept
+	// as-is to ensure compatibility.
+
+	// Fast path: if we can tell whether path is a directory or file, stop with success or error.
+	dir, err := os.Stat(path)
+	if err == nil {
+		if dir.IsDir() {
+			return nil
+		}
+		return &os.PathError{
+			Op:   "mkdir",
+			Path: path,
+			Err:  syscall.ENOTDIR,
+		}
+	}
+
+	// Slow path: make sure parent exists and then call Mkdir for path.
+	i := len(path)
+	for i > 0 && os.IsPathSeparator(path[i-1]) { // Skip trailing path separator.
+		i--
+	}
+
+	j := i
+	for j > 0 && !os.IsPathSeparator(path[j-1]) { // Scan backward over element.
+		j--
+	}
+
+	if j > 1 {
+		// Create parent
+		err = mkdirall(path[0:j-1], false, sddl)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Parent now exists; invoke os.Mkdir or mkdirWithACL and use its result.
+	if applyACL {
+		err = mkdirWithACL(path, sddl)
+	} else {
+		err = os.Mkdir(path, 0)
+	}
+
+	if err != nil {
+		// Handle arguments like "foo/." by
+		// double-checking that directory doesn't exist.
+		dir, err1 := os.Lstat(path)
+		if err1 == nil && dir.IsDir() {
+			return nil
+		}
+		return err
+	}
+	return nil
+}
+
+// mkdirWithACL creates a new directory. If there is an error, it will be of
+// type *PathError. .
+//
+// This is a modified and combined version of os.Mkdir and windows.Mkdir
+// in golang to cater for creating a directory am ACL permitting full
+// access, with inheritance, to any subfolder/file for Built-in Administrators
+// and Local System.
+func mkdirWithACL(name string, sddl string) error {
+	sa := windows.SecurityAttributes{Length: 0}
+	sd, err := winio.SddlToSecurityDescriptor(sddl)
+	if err != nil {
+		return &os.PathError{Op: "mkdir", Path: name, Err: err}
+	}
+	sa.Length = uint32(unsafe.Sizeof(sa))
+	sa.InheritHandle = 1
+	sa.SecurityDescriptor = uintptr(unsafe.Pointer(&sd[0]))
+
+	namep, err := windows.UTF16PtrFromString(name)
+	if err != nil {
+		return &os.PathError{Op: "mkdir", Path: name, Err: err}
+	}
+
+	e := windows.CreateDirectory(namep, &sa)
+	if e != nil {
+		return &os.PathError{Op: "mkdir", Path: name, Err: e}
+	}
+	return nil
+}
+
+// IsAbs is a platform-specific wrapper for filepath.IsAbs. On Windows,
+// golang filepath.IsAbs does not consider a path \windows\system32 as absolute
+// as it doesn't start with a drive-letter/colon combination. However, in
+// docker we need to verify things such as WORKDIR /windows/system32 in
+// a Dockerfile (which gets translated to \windows\system32 when being processed
+// by the daemon. This SHOULD be treated as absolute from a docker processing
+// perspective.
+func IsAbs(path string) bool {
+	if !filepath.IsAbs(path) {
+		if !strings.HasPrefix(path, string(os.PathSeparator)) {
+			return false
+		}
+	}
+	return true
+}
+
+// The origin of the functions below here are the golang OS and windows packages,
+// slightly modified to only cope with files, not directories due to the
+// specific use case.
+//
+// The alteration is to allow a file on Windows to be opened with
+// FILE_FLAG_SEQUENTIAL_SCAN (particular for docker load), to avoid eating
+// the standby list, particularly when accessing large files such as layer.tar.
+
+// CreateSequential creates the named file with mode 0666 (before umask), truncating
+// it if it already exists. If successful, methods on the returned
+// File can be used for I/O; the associated file descriptor has mode
+// O_RDWR.
+// If there is an error, it will be of type *PathError.
+func CreateSequential(name string) (*os.File, error) {
+	return OpenFileSequential(name, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0)
+}
+
+// OpenSequential opens the named file for reading. If successful, methods on
+// the returned file can be used for reading; the associated file
+// descriptor has mode O_RDONLY.
+// If there is an error, it will be of type *PathError.
+func OpenSequential(name string) (*os.File, error) {
+	return OpenFileSequential(name, os.O_RDONLY, 0)
+}
+
+// OpenFileSequential is the generalized open call; most users will use Open
+// or Create instead.
+// If there is an error, it will be of type *PathError.
+func OpenFileSequential(name string, flag int, _ os.FileMode) (*os.File, error) {
+	if name == "" {
+		return nil, &os.PathError{Op: "open", Path: name, Err: syscall.ENOENT}
+	}
+	r, errf := windowsOpenFileSequential(name, flag, 0)
+	if errf == nil {
+		return r, nil
+	}
+	return nil, &os.PathError{Op: "open", Path: name, Err: errf}
+}
+
+func windowsOpenFileSequential(name string, flag int, _ os.FileMode) (file *os.File, err error) {
+	r, e := windowsOpenSequential(name, flag|windows.O_CLOEXEC, 0)
+	if e != nil {
+		return nil, e
+	}
+	return os.NewFile(uintptr(r), name), nil
+}
+
+func makeInheritSa() *windows.SecurityAttributes {
+	var sa windows.SecurityAttributes
+	sa.Length = uint32(unsafe.Sizeof(sa))
+	sa.InheritHandle = 1
+	return &sa
+}
+
+func windowsOpenSequential(path string, mode int, _ uint32) (fd windows.Handle, err error) {
+	if len(path) == 0 {
+		return windows.InvalidHandle, windows.ERROR_FILE_NOT_FOUND
+	}
+	pathp, err := windows.UTF16PtrFromString(path)
+	if err != nil {
+		return windows.InvalidHandle, err
+	}
+	var access uint32
+	switch mode & (windows.O_RDONLY | windows.O_WRONLY | windows.O_RDWR) {
+	case windows.O_RDONLY:
+		access = windows.GENERIC_READ
+	case windows.O_WRONLY:
+		access = windows.GENERIC_WRITE
+	case windows.O_RDWR:
+		access = windows.GENERIC_READ | windows.GENERIC_WRITE
+	}
+	if mode&windows.O_CREAT != 0 {
+		access |= windows.GENERIC_WRITE
+	}
+	if mode&windows.O_APPEND != 0 {
+		access &^= windows.GENERIC_WRITE
+		access |= windows.FILE_APPEND_DATA
+	}
+	sharemode := uint32(windows.FILE_SHARE_READ | windows.FILE_SHARE_WRITE)
+	var sa *windows.SecurityAttributes
+	if mode&windows.O_CLOEXEC == 0 {
+		sa = makeInheritSa()
+	}
+	var createmode uint32
+	switch {
+	case mode&(windows.O_CREAT|windows.O_EXCL) == (windows.O_CREAT | windows.O_EXCL):
+		createmode = windows.CREATE_NEW
+	case mode&(windows.O_CREAT|windows.O_TRUNC) == (windows.O_CREAT | windows.O_TRUNC):
+		createmode = windows.CREATE_ALWAYS
+	case mode&windows.O_CREAT == windows.O_CREAT:
+		createmode = windows.OPEN_ALWAYS
+	case mode&windows.O_TRUNC == windows.O_TRUNC:
+		createmode = windows.TRUNCATE_EXISTING
+	default:
+		createmode = windows.OPEN_EXISTING
+	}
+	// Use FILE_FLAG_SEQUENTIAL_SCAN rather than FILE_ATTRIBUTE_NORMAL as implemented in golang.
+	//https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx
+	const fileFlagSequentialScan = 0x08000000 // FILE_FLAG_SEQUENTIAL_SCAN
+	h, e := windows.CreateFile(pathp, access, sharemode, sa, createmode, fileFlagSequentialScan, 0)
+	return h, e
+}
+
+// Helpers for TempFileSequential
+var rand uint32
+var randmu sync.Mutex
+
+func reseed() uint32 {
+	return uint32(time.Now().UnixNano() + int64(os.Getpid()))
+}
+func nextSuffix() string {
+	randmu.Lock()
+	r := rand
+	if r == 0 {
+		r = reseed()
+	}
+	r = r*1664525 + 1013904223 // constants from Numerical Recipes
+	rand = r
+	randmu.Unlock()
+	return strconv.Itoa(int(1e9 + r%1e9))[1:]
+}
+
+// TempFileSequential is a copy of ioutil.TempFile, modified to use sequential
+// file access. Below is the original comment from golang:
+// TempFile creates a new temporary file in the directory dir
+// with a name beginning with prefix, opens the file for reading
+// and writing, and returns the resulting *os.File.
+// If dir is the empty string, TempFile uses the default directory
+// for temporary files (see os.TempDir).
+// Multiple programs calling TempFile simultaneously
+// will not choose the same file. The caller can use f.Name()
+// to find the pathname of the file. It is the caller's responsibility
+// to remove the file when no longer needed.
+func TempFileSequential(dir, prefix string) (f *os.File, err error) {
+	if dir == "" {
+		dir = os.TempDir()
+	}
+
+	nconflict := 0
+	for i := 0; i < 10000; i++ {
+		name := filepath.Join(dir, prefix+nextSuffix())
+		f, err = OpenFileSequential(name, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)
+		if os.IsExist(err) {
+			if nconflict++; nconflict > 10 {
+				randmu.Lock()
+				rand = reseed()
+				randmu.Unlock()
+			}
+			continue
+		}
+		break
+	}
+	return
+}
diff --git a/engine/pkg/system/init.go b/engine/pkg/system/init.go
new file mode 100644
index 00000000..a17597aa
--- /dev/null
+++ b/engine/pkg/system/init.go
@@ -0,0 +1,22 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"syscall"
+	"time"
+	"unsafe"
+)
+
+// Used by chtimes
+var maxTime time.Time
+
+func init() {
+	// chtimes initialization
+	if unsafe.Sizeof(syscall.Timespec{}.Nsec) == 8 {
+		// This is a 64 bit timespec
+		// os.Chtimes limits time to the following
+		maxTime = time.Unix(0, 1<<63-1)
+	} else {
+		// This is a 32 bit timespec
+		maxTime = time.Unix(1<<31-1, 0)
+	}
+}
diff --git a/engine/pkg/system/init_unix.go b/engine/pkg/system/init_unix.go
new file mode 100644
index 00000000..4996a67c
--- /dev/null
+++ b/engine/pkg/system/init_unix.go
@@ -0,0 +1,7 @@
+// +build !windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+// InitLCOW does nothing since LCOW is a windows only feature
+func InitLCOW(experimental bool) {
+}
diff --git a/engine/pkg/system/init_windows.go b/engine/pkg/system/init_windows.go
new file mode 100644
index 00000000..4910ff69
--- /dev/null
+++ b/engine/pkg/system/init_windows.go
@@ -0,0 +1,12 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+// lcowSupported determines if Linux Containers on Windows are supported.
+var lcowSupported = false
+
+// InitLCOW sets whether LCOW is supported or not
+func InitLCOW(experimental bool) {
+	v := GetOSVersion()
+	if experimental && v.Build >= 16299 {
+		lcowSupported = true
+	}
+}
diff --git a/engine/pkg/system/lcow.go b/engine/pkg/system/lcow.go
new file mode 100644
index 00000000..5be3e218
--- /dev/null
+++ b/engine/pkg/system/lcow.go
@@ -0,0 +1,32 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"runtime"
+	"strings"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// IsOSSupported determines if an operating system is supported by the host
+func IsOSSupported(os string) bool {
+	if strings.EqualFold(runtime.GOOS, os) {
+		return true
+	}
+	if LCOWSupported() && strings.EqualFold(os, "linux") {
+		return true
+	}
+	return false
+}
+
+// ValidatePlatform determines if a platform structure is valid.
+// TODO This is a temporary windows-only function, should be replaced by
+// comparison of worker capabilities
+func ValidatePlatform(platform specs.Platform) error {
+	if runtime.GOOS == "windows" {
+		if !(platform.OS == runtime.GOOS || (LCOWSupported() && platform.OS == "linux")) {
+			return errors.Errorf("unsupported os %s", platform.OS)
+		}
+	}
+	return nil
+}
diff --git a/engine/pkg/system/lcow_unix.go b/engine/pkg/system/lcow_unix.go
new file mode 100644
index 00000000..26397fb8
--- /dev/null
+++ b/engine/pkg/system/lcow_unix.go
@@ -0,0 +1,8 @@
+// +build !windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+// LCOWSupported returns true if Linux containers on Windows are supported.
+func LCOWSupported() bool {
+	return false
+}
diff --git a/engine/pkg/system/lcow_windows.go b/engine/pkg/system/lcow_windows.go
new file mode 100644
index 00000000..f0139df8
--- /dev/null
+++ b/engine/pkg/system/lcow_windows.go
@@ -0,0 +1,6 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+// LCOWSupported returns true if Linux containers on Windows are supported.
+func LCOWSupported() bool {
+	return lcowSupported
+}
diff --git a/engine/pkg/system/lstat_unix.go b/engine/pkg/system/lstat_unix.go
new file mode 100644
index 00000000..7477995f
--- /dev/null
+++ b/engine/pkg/system/lstat_unix.go
@@ -0,0 +1,19 @@
+// +build !windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"syscall"
+)
+
+// Lstat takes a path to a file and returns
+// a system.StatT type pertaining to that file.
+//
+// Throws an error if the file does not exist
+func Lstat(path string) (*StatT, error) {
+	s := &syscall.Stat_t{}
+	if err := syscall.Lstat(path, s); err != nil {
+		return nil, err
+	}
+	return fromStatT(s)
+}
diff --git a/engine/pkg/system/lstat_unix_test.go b/engine/pkg/system/lstat_unix_test.go
new file mode 100644
index 00000000..9fb4a191
--- /dev/null
+++ b/engine/pkg/system/lstat_unix_test.go
@@ -0,0 +1,30 @@
+// +build linux freebsd
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"os"
+	"testing"
+)
+
+// TestLstat tests Lstat for existing and non existing files
+func TestLstat(t *testing.T) {
+	file, invalid, _, dir := prepareFiles(t)
+	defer os.RemoveAll(dir)
+
+	statFile, err := Lstat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if statFile == nil {
+		t.Fatal("returned empty stat for existing file")
+	}
+
+	statInvalid, err := Lstat(invalid)
+	if err == nil {
+		t.Fatal("did not return error for non-existing file")
+	}
+	if statInvalid != nil {
+		t.Fatal("returned non-nil stat for non-existing file")
+	}
+}
diff --git a/engine/pkg/system/lstat_windows.go b/engine/pkg/system/lstat_windows.go
new file mode 100644
index 00000000..359c791d
--- /dev/null
+++ b/engine/pkg/system/lstat_windows.go
@@ -0,0 +1,14 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "os"
+
+// Lstat calls os.Lstat to get a fileinfo interface back.
+// This is then copied into our own locally defined structure.
+func Lstat(path string) (*StatT, error) {
+	fi, err := os.Lstat(path)
+	if err != nil {
+		return nil, err
+	}
+
+	return fromStatT(&fi)
+}
diff --git a/engine/pkg/system/meminfo.go b/engine/pkg/system/meminfo.go
new file mode 100644
index 00000000..6667eb84
--- /dev/null
+++ b/engine/pkg/system/meminfo.go
@@ -0,0 +1,17 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+// MemInfo contains memory statistics of the host system.
+type MemInfo struct {
+	// Total usable RAM (i.e. physical RAM minus a few reserved bits and the
+	// kernel binary code).
+	MemTotal int64
+
+	// Amount of free memory.
+	MemFree int64
+
+	// Total amount of swap space available.
+	SwapTotal int64
+
+	// Amount of swap space that is currently unused.
+	SwapFree int64
+}
diff --git a/engine/pkg/system/meminfo_linux.go b/engine/pkg/system/meminfo_linux.go
new file mode 100644
index 00000000..d79e8b07
--- /dev/null
+++ b/engine/pkg/system/meminfo_linux.go
@@ -0,0 +1,65 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"bufio"
+	"io"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/docker/go-units"
+)
+
+// ReadMemInfo retrieves memory statistics of the host system and returns a
+// MemInfo type.
+func ReadMemInfo() (*MemInfo, error) {
+	file, err := os.Open("/proc/meminfo")
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+	return parseMemInfo(file)
+}
+
+// parseMemInfo parses the /proc/meminfo file into
+// a MemInfo object given an io.Reader to the file.
+// Throws error if there are problems reading from the file
+func parseMemInfo(reader io.Reader) (*MemInfo, error) {
+	meminfo := &MemInfo{}
+	scanner := bufio.NewScanner(reader)
+	for scanner.Scan() {
+		// Expected format: ["MemTotal:", "1234", "kB"]
+		parts := strings.Fields(scanner.Text())
+
+		// Sanity checks: Skip malformed entries.
+		if len(parts) < 3 || parts[2] != "kB" {
+			continue
+		}
+
+		// Convert to bytes.
+		size, err := strconv.Atoi(parts[1])
+		if err != nil {
+			continue
+		}
+		bytes := int64(size) * units.KiB
+
+		switch parts[0] {
+		case "MemTotal:":
+			meminfo.MemTotal = bytes
+		case "MemFree:":
+			meminfo.MemFree = bytes
+		case "SwapTotal:":
+			meminfo.SwapTotal = bytes
+		case "SwapFree:":
+			meminfo.SwapFree = bytes
+		}
+
+	}
+
+	// Handle errors that may have occurred during the reading of the file.
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+
+	return meminfo, nil
+}
diff --git a/engine/pkg/system/meminfo_unix_test.go b/engine/pkg/system/meminfo_unix_test.go
new file mode 100644
index 00000000..c3690d63
--- /dev/null
+++ b/engine/pkg/system/meminfo_unix_test.go
@@ -0,0 +1,40 @@
+// +build linux freebsd
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/docker/go-units"
+)
+
+// TestMemInfo tests parseMemInfo with a static meminfo string
+func TestMemInfo(t *testing.T) {
+	const input = `
+	MemTotal:      1 kB
+	MemFree:       2 kB
+	SwapTotal:     3 kB
+	SwapFree:      4 kB
+	Malformed1:
+	Malformed2:    1
+	Malformed3:    2 MB
+	Malformed4:    X kB
+	`
+	meminfo, err := parseMemInfo(strings.NewReader(input))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if meminfo.MemTotal != 1*units.KiB {
+		t.Fatalf("Unexpected MemTotal: %d", meminfo.MemTotal)
+	}
+	if meminfo.MemFree != 2*units.KiB {
+		t.Fatalf("Unexpected MemFree: %d", meminfo.MemFree)
+	}
+	if meminfo.SwapTotal != 3*units.KiB {
+		t.Fatalf("Unexpected SwapTotal: %d", meminfo.SwapTotal)
+	}
+	if meminfo.SwapFree != 4*units.KiB {
+		t.Fatalf("Unexpected SwapFree: %d", meminfo.SwapFree)
+	}
+}
diff --git a/engine/pkg/system/meminfo_unsupported.go b/engine/pkg/system/meminfo_unsupported.go
new file mode 100644
index 00000000..56f44942
--- /dev/null
+++ b/engine/pkg/system/meminfo_unsupported.go
@@ -0,0 +1,8 @@
+// +build !linux,!windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+// ReadMemInfo is not supported on platforms other than linux and windows.
+func ReadMemInfo() (*MemInfo, error) {
+	return nil, ErrNotSupportedPlatform
+}
diff --git a/engine/pkg/system/meminfo_windows.go b/engine/pkg/system/meminfo_windows.go
new file mode 100644
index 00000000..6ed93f2f
--- /dev/null
+++ b/engine/pkg/system/meminfo_windows.go
@@ -0,0 +1,45 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+var (
+	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
+
+	procGlobalMemoryStatusEx = modkernel32.NewProc("GlobalMemoryStatusEx")
+)
+
+// https://msdn.microsoft.com/en-us/library/windows/desktop/aa366589(v=vs.85).aspx
+// https://msdn.microsoft.com/en-us/library/windows/desktop/aa366770(v=vs.85).aspx
+type memorystatusex struct {
+	dwLength                uint32
+	dwMemoryLoad            uint32
+	ullTotalPhys            uint64
+	ullAvailPhys            uint64
+	ullTotalPageFile        uint64
+	ullAvailPageFile        uint64
+	ullTotalVirtual         uint64
+	ullAvailVirtual         uint64
+	ullAvailExtendedVirtual uint64
+}
+
+// ReadMemInfo retrieves memory statistics of the host system and returns a
+//  MemInfo type.
+func ReadMemInfo() (*MemInfo, error) {
+	msi := &memorystatusex{
+		dwLength: 64,
+	}
+	r1, _, _ := procGlobalMemoryStatusEx.Call(uintptr(unsafe.Pointer(msi)))
+	if r1 == 0 {
+		return &MemInfo{}, nil
+	}
+	return &MemInfo{
+		MemTotal:  int64(msi.ullTotalPhys),
+		MemFree:   int64(msi.ullAvailPhys),
+		SwapTotal: int64(msi.ullTotalPageFile),
+		SwapFree:  int64(msi.ullAvailPageFile),
+	}, nil
+}
diff --git a/engine/pkg/system/mknod.go b/engine/pkg/system/mknod.go
new file mode 100644
index 00000000..b132482e
--- /dev/null
+++ b/engine/pkg/system/mknod.go
@@ -0,0 +1,22 @@
+// +build !windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// Mknod creates a filesystem node (file, device special file or named pipe) named path
+// with attributes specified by mode and dev.
+func Mknod(path string, mode uint32, dev int) error {
+	return unix.Mknod(path, mode, dev)
+}
+
+// Mkdev is used to build the value of linux devices (in /dev/) which specifies major
+// and minor number of the newly created device special file.
+// Linux device nodes are a bit weird due to backwards compat with 16 bit device nodes.
+// They are, from low to high: the lower 8 bits of the minor, then 12 bits of the major,
+// then the top 12 bits of the minor.
+func Mkdev(major int64, minor int64) uint32 {
+	return uint32(unix.Mkdev(uint32(major), uint32(minor)))
+}
diff --git a/engine/pkg/system/mknod_windows.go b/engine/pkg/system/mknod_windows.go
new file mode 100644
index 00000000..ec89d7a1
--- /dev/null
+++ b/engine/pkg/system/mknod_windows.go
@@ -0,0 +1,11 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+// Mknod is not implemented on Windows.
+func Mknod(path string, mode uint32, dev int) error {
+	return ErrNotSupportedPlatform
+}
+
+// Mkdev is not implemented on Windows.
+func Mkdev(major int64, minor int64) uint32 {
+	panic("Mkdev not implemented on Windows.")
+}
diff --git a/engine/pkg/system/path.go b/engine/pkg/system/path.go
new file mode 100644
index 00000000..a3d957af
--- /dev/null
+++ b/engine/pkg/system/path.go
@@ -0,0 +1,60 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"fmt"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/containerd/continuity/pathdriver"
+)
+
+const defaultUnixPathEnv = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+// DefaultPathEnv is unix style list of directories to search for
+// executables. Each directory is separated from the next by a colon
+// ':' character .
+func DefaultPathEnv(os string) string {
+	if runtime.GOOS == "windows" {
+		if os != runtime.GOOS {
+			return defaultUnixPathEnv
+		}
+		// Deliberately empty on Windows containers on Windows as the default path will be set by
+		// the container. Docker has no context of what the default path should be.
+		return ""
+	}
+	return defaultUnixPathEnv
+
+}
+
+// CheckSystemDriveAndRemoveDriveLetter verifies that a path, if it includes a drive letter,
+// is the system drive.
+// On Linux: this is a no-op.
+// On Windows: this does the following>
+// CheckSystemDriveAndRemoveDriveLetter verifies and manipulates a Windows path.
+// This is used, for example, when validating a user provided path in docker cp.
+// If a drive letter is supplied, it must be the system drive. The drive letter
+// is always removed. Also, it translates it to OS semantics (IOW / to \). We
+// need the path in this syntax so that it can ultimately be concatenated with
+// a Windows long-path which doesn't support drive-letters. Examples:
+// C:			--> Fail
+// C:\			--> \
+// a			--> a
+// /a			--> \a
+// d:\			--> Fail
+func CheckSystemDriveAndRemoveDriveLetter(path string, driver pathdriver.PathDriver) (string, error) {
+	if runtime.GOOS != "windows" || LCOWSupported() {
+		return path, nil
+	}
+
+	if len(path) == 2 && string(path[1]) == ":" {
+		return "", fmt.Errorf("No relative path specified in %q", path)
+	}
+	if !driver.IsAbs(path) || len(path) < 2 {
+		return filepath.FromSlash(path), nil
+	}
+	if string(path[1]) == ":" && !strings.EqualFold(string(path[0]), "c") {
+		return "", fmt.Errorf("The specified path is not on the system drive (C:)")
+	}
+	return filepath.FromSlash(path[2:]), nil
+}
diff --git a/engine/pkg/system/path_windows_test.go b/engine/pkg/system/path_windows_test.go
new file mode 100644
index 00000000..974707eb
--- /dev/null
+++ b/engine/pkg/system/path_windows_test.go
@@ -0,0 +1,83 @@
+// +build windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"testing"
+
+	"github.com/containerd/continuity/pathdriver"
+)
+
+// TestCheckSystemDriveAndRemoveDriveLetter tests CheckSystemDriveAndRemoveDriveLetter
+func TestCheckSystemDriveAndRemoveDriveLetter(t *testing.T) {
+	// Fails if not C drive.
+	_, err := CheckSystemDriveAndRemoveDriveLetter(`d:\`, pathdriver.LocalPathDriver)
+	if err == nil || (err != nil && err.Error() != "The specified path is not on the system drive (C:)") {
+		t.Fatalf("Expected error for d:")
+	}
+
+	// Single character is unchanged
+	var path string
+	if path, err = CheckSystemDriveAndRemoveDriveLetter("z", pathdriver.LocalPathDriver); err != nil {
+		t.Fatalf("Single character should pass")
+	}
+	if path != "z" {
+		t.Fatalf("Single character should be unchanged")
+	}
+
+	// Two characters without colon is unchanged
+	if path, err = CheckSystemDriveAndRemoveDriveLetter("AB", pathdriver.LocalPathDriver); err != nil {
+		t.Fatalf("2 characters without colon should pass")
+	}
+	if path != "AB" {
+		t.Fatalf("2 characters without colon should be unchanged")
+	}
+
+	// Abs path without drive letter
+	if path, err = CheckSystemDriveAndRemoveDriveLetter(`\l`, pathdriver.LocalPathDriver); err != nil {
+		t.Fatalf("abs path no drive letter should pass")
+	}
+	if path != `\l` {
+		t.Fatalf("abs path without drive letter should be unchanged")
+	}
+
+	// Abs path without drive letter, linux style
+	if path, err = CheckSystemDriveAndRemoveDriveLetter(`/l`, pathdriver.LocalPathDriver); err != nil {
+		t.Fatalf("abs path no drive letter linux style should pass")
+	}
+	if path != `\l` {
+		t.Fatalf("abs path without drive letter linux failed %s", path)
+	}
+
+	// Drive-colon should be stripped
+	if path, err = CheckSystemDriveAndRemoveDriveLetter(`c:\`, pathdriver.LocalPathDriver); err != nil {
+		t.Fatalf("An absolute path should pass")
+	}
+	if path != `\` {
+		t.Fatalf(`An absolute path should have been shortened to \ %s`, path)
+	}
+
+	// Verify with a linux-style path
+	if path, err = CheckSystemDriveAndRemoveDriveLetter(`c:/`, pathdriver.LocalPathDriver); err != nil {
+		t.Fatalf("An absolute path should pass")
+	}
+	if path != `\` {
+		t.Fatalf(`A linux style absolute path should have been shortened to \ %s`, path)
+	}
+
+	// Failure on c:
+	if path, err = CheckSystemDriveAndRemoveDriveLetter(`c:`, pathdriver.LocalPathDriver); err == nil {
+		t.Fatalf("c: should fail")
+	}
+	if err.Error() != `No relative path specified in "c:"` {
+		t.Fatalf(path, err)
+	}
+
+	// Failure on d:
+	if path, err = CheckSystemDriveAndRemoveDriveLetter(`d:`, pathdriver.LocalPathDriver); err == nil {
+		t.Fatalf("c: should fail")
+	}
+	if err.Error() != `No relative path specified in "d:"` {
+		t.Fatalf(path, err)
+	}
+}
diff --git a/engine/pkg/system/process_unix.go b/engine/pkg/system/process_unix.go
new file mode 100644
index 00000000..0195a891
--- /dev/null
+++ b/engine/pkg/system/process_unix.go
@@ -0,0 +1,24 @@
+// +build linux freebsd darwin
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+// IsProcessAlive returns true if process with a given pid is running.
+func IsProcessAlive(pid int) bool {
+	err := unix.Kill(pid, syscall.Signal(0))
+	if err == nil || err == unix.EPERM {
+		return true
+	}
+
+	return false
+}
+
+// KillProcess force-stops a process.
+func KillProcess(pid int) {
+	unix.Kill(pid, unix.SIGKILL)
+}
diff --git a/engine/pkg/system/process_windows.go b/engine/pkg/system/process_windows.go
new file mode 100644
index 00000000..4e70c97b
--- /dev/null
+++ b/engine/pkg/system/process_windows.go
@@ -0,0 +1,18 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "os"
+
+// IsProcessAlive returns true if process with a given pid is running.
+func IsProcessAlive(pid int) bool {
+	_, err := os.FindProcess(pid)
+
+	return err == nil
+}
+
+// KillProcess force-stops a process.
+func KillProcess(pid int) {
+	p, err := os.FindProcess(pid)
+	if err == nil {
+		p.Kill()
+	}
+}
diff --git a/engine/pkg/system/rm.go b/engine/pkg/system/rm.go
new file mode 100644
index 00000000..02e4d262
--- /dev/null
+++ b/engine/pkg/system/rm.go
@@ -0,0 +1,80 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"os"
+	"syscall"
+	"time"
+
+	"github.com/docker/docker/pkg/mount"
+	"github.com/pkg/errors"
+)
+
+// EnsureRemoveAll wraps `os.RemoveAll` to check for specific errors that can
+// often be remedied.
+// Only use `EnsureRemoveAll` if you really want to make every effort to remove
+// a directory.
+//
+// Because of the way `os.Remove` (and by extension `os.RemoveAll`) works, there
+// can be a race between reading directory entries and then actually attempting
+// to remove everything in the directory.
+// These types of errors do not need to be returned since it's ok for the dir to
+// be gone we can just retry the remove operation.
+//
+// This should not return a `os.ErrNotExist` kind of error under any circumstances
+func EnsureRemoveAll(dir string) error {
+	notExistErr := make(map[string]bool)
+
+	// track retries
+	exitOnErr := make(map[string]int)
+	maxRetry := 50
+
+	// Attempt to unmount anything beneath this dir first
+	mount.RecursiveUnmount(dir)
+
+	for {
+		err := os.RemoveAll(dir)
+		if err == nil {
+			return err
+		}
+
+		pe, ok := err.(*os.PathError)
+		if !ok {
+			return err
+		}
+
+		if os.IsNotExist(err) {
+			if notExistErr[pe.Path] {
+				return err
+			}
+			notExistErr[pe.Path] = true
+
+			// There is a race where some subdir can be removed but after the parent
+			//   dir entries have been read.
+			// So the path could be from `os.Remove(subdir)`
+			// If the reported non-existent path is not the passed in `dir` we
+			// should just retry, but otherwise return with no error.
+			if pe.Path == dir {
+				return nil
+			}
+			continue
+		}
+
+		if pe.Err != syscall.EBUSY {
+			return err
+		}
+
+		if mounted, _ := mount.Mounted(pe.Path); mounted {
+			if e := mount.Unmount(pe.Path); e != nil {
+				if mounted, _ := mount.Mounted(pe.Path); mounted {
+					return errors.Wrapf(e, "error while removing %s", dir)
+				}
+			}
+		}
+
+		if exitOnErr[pe.Path] == maxRetry {
+			return err
+		}
+		exitOnErr[pe.Path]++
+		time.Sleep(100 * time.Millisecond)
+	}
+}
diff --git a/engine/pkg/system/rm_test.go b/engine/pkg/system/rm_test.go
new file mode 100644
index 00000000..0448aac6
--- /dev/null
+++ b/engine/pkg/system/rm_test.go
@@ -0,0 +1,84 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/mount"
+	"gotest.tools/skip"
+)
+
+func TestEnsureRemoveAllNotExist(t *testing.T) {
+	// should never return an error for a non-existent path
+	if err := EnsureRemoveAll("/non/existent/path"); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestEnsureRemoveAllWithDir(t *testing.T) {
+	dir, err := ioutil.TempDir("", "test-ensure-removeall-with-dir")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := EnsureRemoveAll(dir); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestEnsureRemoveAllWithFile(t *testing.T) {
+	tmp, err := ioutil.TempFile("", "test-ensure-removeall-with-dir")
+	if err != nil {
+		t.Fatal(err)
+	}
+	tmp.Close()
+	if err := EnsureRemoveAll(tmp.Name()); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestEnsureRemoveAllWithMount(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows", "mount not supported on Windows")
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+
+	dir1, err := ioutil.TempDir("", "test-ensure-removeall-with-dir1")
+	if err != nil {
+		t.Fatal(err)
+	}
+	dir2, err := ioutil.TempDir("", "test-ensure-removeall-with-dir2")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir2)
+
+	bindDir := filepath.Join(dir1, "bind")
+	if err := os.MkdirAll(bindDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := mount.Mount(dir2, bindDir, "none", "bind"); err != nil {
+		t.Fatal(err)
+	}
+
+	done := make(chan struct{})
+	go func() {
+		err = EnsureRemoveAll(dir1)
+		close(done)
+	}()
+
+	select {
+	case <-done:
+		if err != nil {
+			t.Fatal(err)
+		}
+	case <-time.After(5 * time.Second):
+		t.Fatal("timeout waiting for EnsureRemoveAll to finish")
+	}
+
+	if _, err := os.Stat(dir1); !os.IsNotExist(err) {
+		t.Fatalf("expected %q to not exist", dir1)
+	}
+}
diff --git a/engine/pkg/system/stat_darwin.go b/engine/pkg/system/stat_darwin.go
new file mode 100644
index 00000000..c1c0ee9f
--- /dev/null
+++ b/engine/pkg/system/stat_darwin.go
@@ -0,0 +1,13 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "syscall"
+
+// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
+func fromStatT(s *syscall.Stat_t) (*StatT, error) {
+	return &StatT{size: s.Size,
+		mode: uint32(s.Mode),
+		uid:  s.Uid,
+		gid:  s.Gid,
+		rdev: uint64(s.Rdev),
+		mtim: s.Mtimespec}, nil
+}
diff --git a/engine/pkg/system/stat_freebsd.go b/engine/pkg/system/stat_freebsd.go
new file mode 100644
index 00000000..c1c0ee9f
--- /dev/null
+++ b/engine/pkg/system/stat_freebsd.go
@@ -0,0 +1,13 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "syscall"
+
+// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
+func fromStatT(s *syscall.Stat_t) (*StatT, error) {
+	return &StatT{size: s.Size,
+		mode: uint32(s.Mode),
+		uid:  s.Uid,
+		gid:  s.Gid,
+		rdev: uint64(s.Rdev),
+		mtim: s.Mtimespec}, nil
+}
diff --git a/engine/pkg/system/stat_linux.go b/engine/pkg/system/stat_linux.go
new file mode 100644
index 00000000..98c9eb18
--- /dev/null
+++ b/engine/pkg/system/stat_linux.go
@@ -0,0 +1,19 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "syscall"
+
+// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
+func fromStatT(s *syscall.Stat_t) (*StatT, error) {
+	return &StatT{size: s.Size,
+		mode: s.Mode,
+		uid:  s.Uid,
+		gid:  s.Gid,
+		rdev: s.Rdev,
+		mtim: s.Mtim}, nil
+}
+
+// FromStatT converts a syscall.Stat_t type to a system.Stat_t type
+// This is exposed on Linux as pkg/archive/changes uses it.
+func FromStatT(s *syscall.Stat_t) (*StatT, error) {
+	return fromStatT(s)
+}
diff --git a/engine/pkg/system/stat_openbsd.go b/engine/pkg/system/stat_openbsd.go
new file mode 100644
index 00000000..756b92d1
--- /dev/null
+++ b/engine/pkg/system/stat_openbsd.go
@@ -0,0 +1,13 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "syscall"
+
+// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
+func fromStatT(s *syscall.Stat_t) (*StatT, error) {
+	return &StatT{size: s.Size,
+		mode: uint32(s.Mode),
+		uid:  s.Uid,
+		gid:  s.Gid,
+		rdev: uint64(s.Rdev),
+		mtim: s.Mtim}, nil
+}
diff --git a/engine/pkg/system/stat_solaris.go b/engine/pkg/system/stat_solaris.go
new file mode 100644
index 00000000..756b92d1
--- /dev/null
+++ b/engine/pkg/system/stat_solaris.go
@@ -0,0 +1,13 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "syscall"
+
+// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
+func fromStatT(s *syscall.Stat_t) (*StatT, error) {
+	return &StatT{size: s.Size,
+		mode: uint32(s.Mode),
+		uid:  s.Uid,
+		gid:  s.Gid,
+		rdev: uint64(s.Rdev),
+		mtim: s.Mtim}, nil
+}
diff --git a/engine/pkg/system/stat_unix.go b/engine/pkg/system/stat_unix.go
new file mode 100644
index 00000000..3d7e2ebb
--- /dev/null
+++ b/engine/pkg/system/stat_unix.go
@@ -0,0 +1,65 @@
+// +build !windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"syscall"
+)
+
+// StatT type contains status of a file. It contains metadata
+// like permission, owner, group, size, etc about a file.
+type StatT struct {
+	mode uint32
+	uid  uint32
+	gid  uint32
+	rdev uint64
+	size int64
+	mtim syscall.Timespec
+}
+
+// Mode returns file's permission mode.
+func (s StatT) Mode() uint32 {
+	return s.mode
+}
+
+// UID returns file's user id of owner.
+func (s StatT) UID() uint32 {
+	return s.uid
+}
+
+// GID returns file's group id of owner.
+func (s StatT) GID() uint32 {
+	return s.gid
+}
+
+// Rdev returns file's device ID (if it's special file).
+func (s StatT) Rdev() uint64 {
+	return s.rdev
+}
+
+// Size returns file's size.
+func (s StatT) Size() int64 {
+	return s.size
+}
+
+// Mtim returns file's last modification time.
+func (s StatT) Mtim() syscall.Timespec {
+	return s.mtim
+}
+
+// IsDir reports whether s describes a directory.
+func (s StatT) IsDir() bool {
+	return s.mode&syscall.S_IFDIR != 0
+}
+
+// Stat takes a path to a file and returns
+// a system.StatT type pertaining to that file.
+//
+// Throws an error if the file does not exist
+func Stat(path string) (*StatT, error) {
+	s := &syscall.Stat_t{}
+	if err := syscall.Stat(path, s); err != nil {
+		return nil, err
+	}
+	return fromStatT(s)
+}
diff --git a/engine/pkg/system/stat_unix_test.go b/engine/pkg/system/stat_unix_test.go
new file mode 100644
index 00000000..44e048f2
--- /dev/null
+++ b/engine/pkg/system/stat_unix_test.go
@@ -0,0 +1,40 @@
+// +build linux freebsd
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"os"
+	"syscall"
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+// TestFromStatT tests fromStatT for a tempfile
+func TestFromStatT(t *testing.T) {
+	file, _, _, dir := prepareFiles(t)
+	defer os.RemoveAll(dir)
+
+	stat := &syscall.Stat_t{}
+	err := syscall.Lstat(file, stat)
+	assert.NilError(t, err)
+
+	s, err := fromStatT(stat)
+	assert.NilError(t, err)
+
+	if stat.Mode != s.Mode() {
+		t.Fatal("got invalid mode")
+	}
+	if stat.Uid != s.UID() {
+		t.Fatal("got invalid uid")
+	}
+	if stat.Gid != s.GID() {
+		t.Fatal("got invalid gid")
+	}
+	if stat.Rdev != s.Rdev() {
+		t.Fatal("got invalid rdev")
+	}
+	if stat.Mtim != s.Mtim() {
+		t.Fatal("got invalid mtim")
+	}
+}
diff --git a/engine/pkg/system/stat_windows.go b/engine/pkg/system/stat_windows.go
new file mode 100644
index 00000000..b2456cb8
--- /dev/null
+++ b/engine/pkg/system/stat_windows.go
@@ -0,0 +1,49 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"os"
+	"time"
+)
+
+// StatT type contains status of a file. It contains metadata
+// like permission, size, etc about a file.
+type StatT struct {
+	mode os.FileMode
+	size int64
+	mtim time.Time
+}
+
+// Size returns file's size.
+func (s StatT) Size() int64 {
+	return s.size
+}
+
+// Mode returns file's permission mode.
+func (s StatT) Mode() os.FileMode {
+	return os.FileMode(s.mode)
+}
+
+// Mtim returns file's last modification time.
+func (s StatT) Mtim() time.Time {
+	return time.Time(s.mtim)
+}
+
+// Stat takes a path to a file and returns
+// a system.StatT type pertaining to that file.
+//
+// Throws an error if the file does not exist
+func Stat(path string) (*StatT, error) {
+	fi, err := os.Stat(path)
+	if err != nil {
+		return nil, err
+	}
+	return fromStatT(&fi)
+}
+
+// fromStatT converts a os.FileInfo type to a system.StatT type
+func fromStatT(fi *os.FileInfo) (*StatT, error) {
+	return &StatT{
+		size: (*fi).Size(),
+		mode: (*fi).Mode(),
+		mtim: (*fi).ModTime()}, nil
+}
diff --git a/engine/pkg/system/syscall_unix.go b/engine/pkg/system/syscall_unix.go
new file mode 100644
index 00000000..919a412a
--- /dev/null
+++ b/engine/pkg/system/syscall_unix.go
@@ -0,0 +1,17 @@
+// +build linux freebsd
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import "golang.org/x/sys/unix"
+
+// Unmount is a platform-specific helper function to call
+// the unmount syscall.
+func Unmount(dest string) error {
+	return unix.Unmount(dest, 0)
+}
+
+// CommandLineToArgv should not be used on Unix.
+// It simply returns commandLine in the only element in the returned array.
+func CommandLineToArgv(commandLine string) ([]string, error) {
+	return []string{commandLine}, nil
+}
diff --git a/engine/pkg/system/syscall_windows.go b/engine/pkg/system/syscall_windows.go
new file mode 100644
index 00000000..ee7e0256
--- /dev/null
+++ b/engine/pkg/system/syscall_windows.go
@@ -0,0 +1,127 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"fmt"
+	"unsafe"
+
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+var (
+	ntuserApiset       = windows.NewLazyDLL("ext-ms-win-ntuser-window-l1-1-0")
+	procGetVersionExW  = modkernel32.NewProc("GetVersionExW")
+	procGetProductInfo = modkernel32.NewProc("GetProductInfo")
+)
+
+// OSVersion is a wrapper for Windows version information
+// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
+type OSVersion struct {
+	Version      uint32
+	MajorVersion uint8
+	MinorVersion uint8
+	Build        uint16
+}
+
+// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx
+type osVersionInfoEx struct {
+	OSVersionInfoSize uint32
+	MajorVersion      uint32
+	MinorVersion      uint32
+	BuildNumber       uint32
+	PlatformID        uint32
+	CSDVersion        [128]uint16
+	ServicePackMajor  uint16
+	ServicePackMinor  uint16
+	SuiteMask         uint16
+	ProductType       byte
+	Reserve           byte
+}
+
+// GetOSVersion gets the operating system version on Windows. Note that
+// docker.exe must be manifested to get the correct version information.
+func GetOSVersion() OSVersion {
+	var err error
+	osv := OSVersion{}
+	osv.Version, err = windows.GetVersion()
+	if err != nil {
+		// GetVersion never fails.
+		panic(err)
+	}
+	osv.MajorVersion = uint8(osv.Version & 0xFF)
+	osv.MinorVersion = uint8(osv.Version >> 8 & 0xFF)
+	osv.Build = uint16(osv.Version >> 16)
+	return osv
+}
+
+func (osv OSVersion) ToString() string {
+	return fmt.Sprintf("%d.%d.%d", osv.MajorVersion, osv.MinorVersion, osv.Build)
+}
+
+// IsWindowsClient returns true if the SKU is client
+// @engine maintainers - this function should not be removed or modified as it
+// is used to enforce licensing restrictions on Windows.
+func IsWindowsClient() bool {
+	osviex := &osVersionInfoEx{OSVersionInfoSize: 284}
+	r1, _, err := procGetVersionExW.Call(uintptr(unsafe.Pointer(osviex)))
+	if r1 == 0 {
+		logrus.Warnf("GetVersionExW failed - assuming server SKU: %v", err)
+		return false
+	}
+	const verNTWorkstation = 0x00000001
+	return osviex.ProductType == verNTWorkstation
+}
+
+// IsIoTCore returns true if the currently running image is based off of
+// Windows 10 IoT Core.
+// @engine maintainers - this function should not be removed or modified as it
+// is used to enforce licensing restrictions on Windows.
+func IsIoTCore() bool {
+	var returnedProductType uint32
+	r1, _, err := procGetProductInfo.Call(6, 1, 0, 0, uintptr(unsafe.Pointer(&returnedProductType)))
+	if r1 == 0 {
+		logrus.Warnf("GetProductInfo failed - assuming this is not IoT: %v", err)
+		return false
+	}
+	const productIoTUAP = 0x0000007B
+	const productIoTUAPCommercial = 0x00000083
+	return returnedProductType == productIoTUAP || returnedProductType == productIoTUAPCommercial
+}
+
+// Unmount is a platform-specific helper function to call
+// the unmount syscall. Not supported on Windows
+func Unmount(dest string) error {
+	return nil
+}
+
+// CommandLineToArgv wraps the Windows syscall to turn a commandline into an argument array.
+func CommandLineToArgv(commandLine string) ([]string, error) {
+	var argc int32
+
+	argsPtr, err := windows.UTF16PtrFromString(commandLine)
+	if err != nil {
+		return nil, err
+	}
+
+	argv, err := windows.CommandLineToArgv(argsPtr, &argc)
+	if err != nil {
+		return nil, err
+	}
+	defer windows.LocalFree(windows.Handle(uintptr(unsafe.Pointer(argv))))
+
+	newArgs := make([]string, argc)
+	for i, v := range (*argv)[:argc] {
+		newArgs[i] = string(windows.UTF16ToString((*v)[:]))
+	}
+
+	return newArgs, nil
+}
+
+// HasWin32KSupport determines whether containers that depend on win32k can
+// run on this machine. Win32k is the driver used to implement windowing.
+func HasWin32KSupport() bool {
+	// For now, check for ntuser API support on the host. In the future, a host
+	// may support win32k in containers even if the host does not support ntuser
+	// APIs.
+	return ntuserApiset.Load() == nil
+}
diff --git a/engine/pkg/system/syscall_windows_test.go b/engine/pkg/system/syscall_windows_test.go
new file mode 100644
index 00000000..8e78ba62
--- /dev/null
+++ b/engine/pkg/system/syscall_windows_test.go
@@ -0,0 +1,9 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "testing"
+
+func TestHasWin32KSupport(t *testing.T) {
+	s := HasWin32KSupport() // make sure this doesn't panic
+
+	t.Logf("win32k: %v", s) // will be different on different platforms -- informative only
+}
diff --git a/engine/pkg/system/umask.go b/engine/pkg/system/umask.go
new file mode 100644
index 00000000..9912a2ba
--- /dev/null
+++ b/engine/pkg/system/umask.go
@@ -0,0 +1,13 @@
+// +build !windows
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// Umask sets current process's file mode creation mask to newmask
+// and returns oldmask.
+func Umask(newmask int) (oldmask int, err error) {
+	return unix.Umask(newmask), nil
+}
diff --git a/engine/pkg/system/umask_windows.go b/engine/pkg/system/umask_windows.go
new file mode 100644
index 00000000..fc62388c
--- /dev/null
+++ b/engine/pkg/system/umask_windows.go
@@ -0,0 +1,7 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+// Umask is not supported on the windows platform.
+func Umask(newmask int) (oldmask int, err error) {
+	// should not be called on cli code path
+	return 0, ErrNotSupportedPlatform
+}
diff --git a/engine/pkg/system/utimes_freebsd.go b/engine/pkg/system/utimes_freebsd.go
new file mode 100644
index 00000000..ed1b9fad
--- /dev/null
+++ b/engine/pkg/system/utimes_freebsd.go
@@ -0,0 +1,24 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+// LUtimesNano is used to change access and modification time of the specified path.
+// It's used for symbol link file because unix.UtimesNano doesn't support a NOFOLLOW flag atm.
+func LUtimesNano(path string, ts []syscall.Timespec) error {
+	var _path *byte
+	_path, err := unix.BytePtrFromString(path)
+	if err != nil {
+		return err
+	}
+
+	if _, _, err := unix.Syscall(unix.SYS_LUTIMES, uintptr(unsafe.Pointer(_path)), uintptr(unsafe.Pointer(&ts[0])), 0); err != 0 && err != unix.ENOSYS {
+		return err
+	}
+
+	return nil
+}
diff --git a/engine/pkg/system/utimes_linux.go b/engine/pkg/system/utimes_linux.go
new file mode 100644
index 00000000..0afe8545
--- /dev/null
+++ b/engine/pkg/system/utimes_linux.go
@@ -0,0 +1,25 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+// LUtimesNano is used to change access and modification time of the specified path.
+// It's used for symbol link file because unix.UtimesNano doesn't support a NOFOLLOW flag atm.
+func LUtimesNano(path string, ts []syscall.Timespec) error {
+	atFdCwd := unix.AT_FDCWD
+
+	var _path *byte
+	_path, err := unix.BytePtrFromString(path)
+	if err != nil {
+		return err
+	}
+	if _, _, err := unix.Syscall6(unix.SYS_UTIMENSAT, uintptr(atFdCwd), uintptr(unsafe.Pointer(_path)), uintptr(unsafe.Pointer(&ts[0])), unix.AT_SYMLINK_NOFOLLOW, 0, 0); err != 0 && err != unix.ENOSYS {
+		return err
+	}
+
+	return nil
+}
diff --git a/engine/pkg/system/utimes_unix_test.go b/engine/pkg/system/utimes_unix_test.go
new file mode 100644
index 00000000..cc0e7cbf
--- /dev/null
+++ b/engine/pkg/system/utimes_unix_test.go
@@ -0,0 +1,68 @@
+// +build linux freebsd
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"syscall"
+	"testing"
+)
+
+// prepareFiles creates files for testing in the temp directory
+func prepareFiles(t *testing.T) (string, string, string, string) {
+	dir, err := ioutil.TempDir("", "docker-system-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	file := filepath.Join(dir, "exist")
+	if err := ioutil.WriteFile(file, []byte("hello"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	invalid := filepath.Join(dir, "doesnt-exist")
+
+	symlink := filepath.Join(dir, "symlink")
+	if err := os.Symlink(file, symlink); err != nil {
+		t.Fatal(err)
+	}
+
+	return file, invalid, symlink, dir
+}
+
+func TestLUtimesNano(t *testing.T) {
+	file, invalid, symlink, dir := prepareFiles(t)
+	defer os.RemoveAll(dir)
+
+	before, err := os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ts := []syscall.Timespec{{Sec: 0, Nsec: 0}, {Sec: 0, Nsec: 0}}
+	if err := LUtimesNano(symlink, ts); err != nil {
+		t.Fatal(err)
+	}
+
+	symlinkInfo, err := os.Lstat(symlink)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if before.ModTime().Unix() == symlinkInfo.ModTime().Unix() {
+		t.Fatal("The modification time of the symlink should be different")
+	}
+
+	fileInfo, err := os.Stat(file)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if before.ModTime().Unix() != fileInfo.ModTime().Unix() {
+		t.Fatal("The modification time of the file should be same")
+	}
+
+	if err := LUtimesNano(invalid, ts); err == nil {
+		t.Fatal("Doesn't return an error on a non-existing file")
+	}
+}
diff --git a/engine/pkg/system/utimes_unsupported.go b/engine/pkg/system/utimes_unsupported.go
new file mode 100644
index 00000000..095e072e
--- /dev/null
+++ b/engine/pkg/system/utimes_unsupported.go
@@ -0,0 +1,10 @@
+// +build !linux,!freebsd
+
+package system // import "github.com/docker/docker/pkg/system"
+
+import "syscall"
+
+// LUtimesNano is only supported on linux and freebsd.
+func LUtimesNano(path string, ts []syscall.Timespec) error {
+	return ErrNotSupportedPlatform
+}
diff --git a/engine/pkg/system/xattrs_linux.go b/engine/pkg/system/xattrs_linux.go
new file mode 100644
index 00000000..66d4895b
--- /dev/null
+++ b/engine/pkg/system/xattrs_linux.go
@@ -0,0 +1,29 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "golang.org/x/sys/unix"
+
+// Lgetxattr retrieves the value of the extended attribute identified by attr
+// and associated with the given path in the file system.
+// It will returns a nil slice and nil error if the xattr is not set.
+func Lgetxattr(path string, attr string) ([]byte, error) {
+	dest := make([]byte, 128)
+	sz, errno := unix.Lgetxattr(path, attr, dest)
+	if errno == unix.ENODATA {
+		return nil, nil
+	}
+	if errno == unix.ERANGE {
+		dest = make([]byte, sz)
+		sz, errno = unix.Lgetxattr(path, attr, dest)
+	}
+	if errno != nil {
+		return nil, errno
+	}
+
+	return dest[:sz], nil
+}
+
+// Lsetxattr sets the value of the extended attribute identified by attr
+// and associated with the given path in the file system.
+func Lsetxattr(path string, attr string, data []byte, flags int) error {
+	return unix.Lsetxattr(path, attr, data, flags)
+}
diff --git a/engine/pkg/system/xattrs_unsupported.go b/engine/pkg/system/xattrs_unsupported.go
new file mode 100644
index 00000000..d780a90c
--- /dev/null
+++ b/engine/pkg/system/xattrs_unsupported.go
@@ -0,0 +1,13 @@
+// +build !linux
+
+package system // import "github.com/docker/docker/pkg/system"
+
+// Lgetxattr is not supported on platforms other than linux.
+func Lgetxattr(path string, attr string) ([]byte, error) {
+	return nil, ErrNotSupportedPlatform
+}
+
+// Lsetxattr is not supported on platforms other than linux.
+func Lsetxattr(path string, attr string, data []byte, flags int) error {
+	return ErrNotSupportedPlatform
+}
diff --git a/engine/pkg/tailfile/tailfile.go b/engine/pkg/tailfile/tailfile.go
new file mode 100644
index 00000000..e8358937
--- /dev/null
+++ b/engine/pkg/tailfile/tailfile.go
@@ -0,0 +1,66 @@
+// Package tailfile provides helper functions to read the nth lines of any
+// ReadSeeker.
+package tailfile // import "github.com/docker/docker/pkg/tailfile"
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"os"
+)
+
+const blockSize = 1024
+
+var eol = []byte("\n")
+
+// ErrNonPositiveLinesNumber is an error returned if the lines number was negative.
+var ErrNonPositiveLinesNumber = errors.New("The number of lines to extract from the file must be positive")
+
+//TailFile returns last n lines of reader f (could be a nil).
+func TailFile(f io.ReadSeeker, n int) ([][]byte, error) {
+	if n <= 0 {
+		return nil, ErrNonPositiveLinesNumber
+	}
+	size, err := f.Seek(0, os.SEEK_END)
+	if err != nil {
+		return nil, err
+	}
+	block := -1
+	var data []byte
+	var cnt int
+	for {
+		var b []byte
+		step := int64(block * blockSize)
+		left := size + step // how many bytes to beginning
+		if left < 0 {
+			if _, err := f.Seek(0, os.SEEK_SET); err != nil {
+				return nil, err
+			}
+			b = make([]byte, blockSize+left)
+			if _, err := f.Read(b); err != nil {
+				return nil, err
+			}
+			data = append(b, data...)
+			break
+		} else {
+			b = make([]byte, blockSize)
+			if _, err := f.Seek(left, os.SEEK_SET); err != nil {
+				return nil, err
+			}
+			if _, err := f.Read(b); err != nil {
+				return nil, err
+			}
+			data = append(b, data...)
+		}
+		cnt += bytes.Count(b, eol)
+		if cnt > n {
+			break
+		}
+		block--
+	}
+	lines := bytes.Split(data, eol)
+	if n < len(lines) {
+		return lines[len(lines)-n-1 : len(lines)-1], nil
+	}
+	return lines[:len(lines)-1], nil
+}
diff --git a/engine/pkg/tailfile/tailfile_test.go b/engine/pkg/tailfile/tailfile_test.go
new file mode 100644
index 00000000..c74bb02e
--- /dev/null
+++ b/engine/pkg/tailfile/tailfile_test.go
@@ -0,0 +1,148 @@
+package tailfile // import "github.com/docker/docker/pkg/tailfile"
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+)
+
+func TestTailFile(t *testing.T) {
+	f, err := ioutil.TempFile("", "tail-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+	defer os.RemoveAll(f.Name())
+	testFile := []byte(`first line
+second line
+third line
+fourth line
+fifth line
+next first line
+next second line
+next third line
+next fourth line
+next fifth line
+last first line
+next first line
+next second line
+next third line
+next fourth line
+next fifth line
+next first line
+next second line
+next third line
+next fourth line
+next fifth line
+last second line
+last third line
+last fourth line
+last fifth line
+truncated line`)
+	if _, err := f.Write(testFile); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := f.Seek(0, os.SEEK_SET); err != nil {
+		t.Fatal(err)
+	}
+	expected := []string{"last fourth line", "last fifth line"}
+	res, err := TailFile(f, 2)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, l := range res {
+		t.Logf("%s", l)
+		if expected[i] != string(l) {
+			t.Fatalf("Expected line %s, got %s", expected[i], l)
+		}
+	}
+}
+
+func TestTailFileManyLines(t *testing.T) {
+	f, err := ioutil.TempFile("", "tail-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+	defer os.RemoveAll(f.Name())
+	testFile := []byte(`first line
+second line
+truncated line`)
+	if _, err := f.Write(testFile); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := f.Seek(0, os.SEEK_SET); err != nil {
+		t.Fatal(err)
+	}
+	expected := []string{"first line", "second line"}
+	res, err := TailFile(f, 10000)
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, l := range res {
+		t.Logf("%s", l)
+		if expected[i] != string(l) {
+			t.Fatalf("Expected line %s, got %s", expected[i], l)
+		}
+	}
+}
+
+func TestTailEmptyFile(t *testing.T) {
+	f, err := ioutil.TempFile("", "tail-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+	defer os.RemoveAll(f.Name())
+	res, err := TailFile(f, 10000)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(res) != 0 {
+		t.Fatal("Must be empty slice from empty file")
+	}
+}
+
+func TestTailNegativeN(t *testing.T) {
+	f, err := ioutil.TempFile("", "tail-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+	defer os.RemoveAll(f.Name())
+	testFile := []byte(`first line
+second line
+truncated line`)
+	if _, err := f.Write(testFile); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := f.Seek(0, os.SEEK_SET); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := TailFile(f, -1); err != ErrNonPositiveLinesNumber {
+		t.Fatalf("Expected ErrNonPositiveLinesNumber, got %s", err)
+	}
+	if _, err := TailFile(f, 0); err != ErrNonPositiveLinesNumber {
+		t.Fatalf("Expected ErrNonPositiveLinesNumber, got %s", err)
+	}
+}
+
+func BenchmarkTail(b *testing.B) {
+	f, err := ioutil.TempFile("", "tail-test")
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer f.Close()
+	defer os.RemoveAll(f.Name())
+	for i := 0; i < 10000; i++ {
+		if _, err := f.Write([]byte("tailfile pretty interesting line\n")); err != nil {
+			b.Fatal(err)
+		}
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		if _, err := TailFile(f, 1000); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
diff --git a/engine/pkg/tarsum/builder_context.go b/engine/pkg/tarsum/builder_context.go
new file mode 100644
index 00000000..bc7d84df
--- /dev/null
+++ b/engine/pkg/tarsum/builder_context.go
@@ -0,0 +1,21 @@
+package tarsum // import "github.com/docker/docker/pkg/tarsum"
+
+// BuilderContext is an interface extending TarSum by adding the Remove method.
+// In general there was concern about adding this method to TarSum itself
+// so instead it is being added just to "BuilderContext" which will then
+// only be used during the .dockerignore file processing
+// - see builder/evaluator.go
+type BuilderContext interface {
+	TarSum
+	Remove(string)
+}
+
+func (bc *tarSum) Remove(filename string) {
+	for i, fis := range bc.sums {
+		if fis.Name() == filename {
+			bc.sums = append(bc.sums[:i], bc.sums[i+1:]...)
+			// Note, we don't just return because there could be
+			// more than one with this name
+		}
+	}
+}
diff --git a/engine/pkg/tarsum/builder_context_test.go b/engine/pkg/tarsum/builder_context_test.go
new file mode 100644
index 00000000..86adb442
--- /dev/null
+++ b/engine/pkg/tarsum/builder_context_test.go
@@ -0,0 +1,67 @@
+package tarsum // import "github.com/docker/docker/pkg/tarsum"
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+	"testing"
+)
+
+// Try to remove tarsum (in the BuilderContext) that do not exists, won't change a thing
+func TestTarSumRemoveNonExistent(t *testing.T) {
+	filename := "testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/layer.tar"
+	reader, err := os.Open(filename)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer reader.Close()
+
+	ts, err := NewTarSum(reader, false, Version0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Read and discard bytes so that it populates sums
+	_, err = io.Copy(ioutil.Discard, ts)
+	if err != nil {
+		t.Errorf("failed to read from %s: %s", filename, err)
+	}
+
+	expected := len(ts.GetSums())
+
+	ts.(BuilderContext).Remove("")
+	ts.(BuilderContext).Remove("Anything")
+
+	if len(ts.GetSums()) != expected {
+		t.Fatalf("Expected %v sums, go %v.", expected, ts.GetSums())
+	}
+}
+
+// Remove a tarsum (in the BuilderContext)
+func TestTarSumRemove(t *testing.T) {
+	filename := "testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/layer.tar"
+	reader, err := os.Open(filename)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer reader.Close()
+
+	ts, err := NewTarSum(reader, false, Version0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Read and discard bytes so that it populates sums
+	_, err = io.Copy(ioutil.Discard, ts)
+	if err != nil {
+		t.Errorf("failed to read from %s: %s", filename, err)
+	}
+
+	expected := len(ts.GetSums()) - 1
+
+	ts.(BuilderContext).Remove("etc/sudoers")
+
+	if len(ts.GetSums()) != expected {
+		t.Fatalf("Expected %v sums, go %v.", expected, len(ts.GetSums()))
+	}
+}
diff --git a/engine/pkg/tarsum/fileinfosums.go b/engine/pkg/tarsum/fileinfosums.go
new file mode 100644
index 00000000..01d4ed59
--- /dev/null
+++ b/engine/pkg/tarsum/fileinfosums.go
@@ -0,0 +1,133 @@
+package tarsum // import "github.com/docker/docker/pkg/tarsum"
+
+import (
+	"runtime"
+	"sort"
+	"strings"
+)
+
+// FileInfoSumInterface provides an interface for accessing file checksum
+// information within a tar file. This info is accessed through interface
+// so the actual name and sum cannot be melded with.
+type FileInfoSumInterface interface {
+	// File name
+	Name() string
+	// Checksum of this particular file and its headers
+	Sum() string
+	// Position of file in the tar
+	Pos() int64
+}
+
+type fileInfoSum struct {
+	name string
+	sum  string
+	pos  int64
+}
+
+func (fis fileInfoSum) Name() string {
+	return fis.name
+}
+func (fis fileInfoSum) Sum() string {
+	return fis.sum
+}
+func (fis fileInfoSum) Pos() int64 {
+	return fis.pos
+}
+
+// FileInfoSums provides a list of FileInfoSumInterfaces.
+type FileInfoSums []FileInfoSumInterface
+
+// GetFile returns the first FileInfoSumInterface with a matching name.
+func (fis FileInfoSums) GetFile(name string) FileInfoSumInterface {
+	// We do case insensitive matching on Windows as c:\APP and c:\app are
+	// the same. See issue #33107.
+	for i := range fis {
+		if (runtime.GOOS == "windows" && strings.EqualFold(fis[i].Name(), name)) ||
+			(runtime.GOOS != "windows" && fis[i].Name() == name) {
+			return fis[i]
+		}
+	}
+	return nil
+}
+
+// GetAllFile returns a FileInfoSums with all matching names.
+func (fis FileInfoSums) GetAllFile(name string) FileInfoSums {
+	f := FileInfoSums{}
+	for i := range fis {
+		if fis[i].Name() == name {
+			f = append(f, fis[i])
+		}
+	}
+	return f
+}
+
+// GetDuplicatePaths returns a FileInfoSums with all duplicated paths.
+func (fis FileInfoSums) GetDuplicatePaths() (dups FileInfoSums) {
+	seen := make(map[string]int, len(fis)) // allocate earl. no need to grow this map.
+	for i := range fis {
+		f := fis[i]
+		if _, ok := seen[f.Name()]; ok {
+			dups = append(dups, f)
+		} else {
+			seen[f.Name()] = 0
+		}
+	}
+	return dups
+}
+
+// Len returns the size of the FileInfoSums.
+func (fis FileInfoSums) Len() int { return len(fis) }
+
+// Swap swaps two FileInfoSum values if a FileInfoSums list.
+func (fis FileInfoSums) Swap(i, j int) { fis[i], fis[j] = fis[j], fis[i] }
+
+// SortByPos sorts FileInfoSums content by position.
+func (fis FileInfoSums) SortByPos() {
+	sort.Sort(byPos{fis})
+}
+
+// SortByNames sorts FileInfoSums content by name.
+func (fis FileInfoSums) SortByNames() {
+	sort.Sort(byName{fis})
+}
+
+// SortBySums sorts FileInfoSums content by sums.
+func (fis FileInfoSums) SortBySums() {
+	dups := fis.GetDuplicatePaths()
+	if len(dups) > 0 {
+		sort.Sort(bySum{fis, dups})
+	} else {
+		sort.Sort(bySum{fis, nil})
+	}
+}
+
+// byName is a sort.Sort helper for sorting by file names.
+// If names are the same, order them by their appearance in the tar archive
+type byName struct{ FileInfoSums }
+
+func (bn byName) Less(i, j int) bool {
+	if bn.FileInfoSums[i].Name() == bn.FileInfoSums[j].Name() {
+		return bn.FileInfoSums[i].Pos() < bn.FileInfoSums[j].Pos()
+	}
+	return bn.FileInfoSums[i].Name() < bn.FileInfoSums[j].Name()
+}
+
+// bySum is a sort.Sort helper for sorting by the sums of all the fileinfos in the tar archive
+type bySum struct {
+	FileInfoSums
+	dups FileInfoSums
+}
+
+func (bs bySum) Less(i, j int) bool {
+	if bs.dups != nil && bs.FileInfoSums[i].Name() == bs.FileInfoSums[j].Name() {
+		return bs.FileInfoSums[i].Pos() < bs.FileInfoSums[j].Pos()
+	}
+	return bs.FileInfoSums[i].Sum() < bs.FileInfoSums[j].Sum()
+}
+
+// byPos is a sort.Sort helper for sorting by the sums of all the fileinfos by their original order
+type byPos struct{ FileInfoSums }
+
+func (bp byPos) Less(i, j int) bool {
+	return bp.FileInfoSums[i].Pos() < bp.FileInfoSums[j].Pos()
+}
diff --git a/engine/pkg/tarsum/fileinfosums_test.go b/engine/pkg/tarsum/fileinfosums_test.go
new file mode 100644
index 00000000..e6ebd9cc
--- /dev/null
+++ b/engine/pkg/tarsum/fileinfosums_test.go
@@ -0,0 +1,62 @@
+package tarsum // import "github.com/docker/docker/pkg/tarsum"
+
+import "testing"
+
+func newFileInfoSums() FileInfoSums {
+	return FileInfoSums{
+		fileInfoSum{name: "file3", sum: "2abcdef1234567890", pos: 2},
+		fileInfoSum{name: "dup1", sum: "deadbeef1", pos: 5},
+		fileInfoSum{name: "file1", sum: "0abcdef1234567890", pos: 0},
+		fileInfoSum{name: "file4", sum: "3abcdef1234567890", pos: 3},
+		fileInfoSum{name: "dup1", sum: "deadbeef0", pos: 4},
+		fileInfoSum{name: "file2", sum: "1abcdef1234567890", pos: 1},
+	}
+}
+
+func TestSortFileInfoSums(t *testing.T) {
+	dups := newFileInfoSums().GetAllFile("dup1")
+	if len(dups) != 2 {
+		t.Errorf("expected length 2, got %d", len(dups))
+	}
+	dups.SortByNames()
+	if dups[0].Pos() != 4 {
+		t.Errorf("sorted dups should be ordered by position. Expected 4, got %d", dups[0].Pos())
+	}
+
+	fis := newFileInfoSums()
+	expected := "0abcdef1234567890"
+	fis.SortBySums()
+	got := fis[0].Sum()
+	if got != expected {
+		t.Errorf("Expected %q, got %q", expected, got)
+	}
+
+	fis = newFileInfoSums()
+	expected = "dup1"
+	fis.SortByNames()
+	gotFis := fis[0]
+	if gotFis.Name() != expected {
+		t.Errorf("Expected %q, got %q", expected, gotFis.Name())
+	}
+	// since a duplicate is first, ensure it is ordered first by position too
+	if gotFis.Pos() != 4 {
+		t.Errorf("Expected %d, got %d", 4, gotFis.Pos())
+	}
+
+	fis = newFileInfoSums()
+	fis.SortByPos()
+	if fis[0].Pos() != 0 {
+		t.Error("sorted fileInfoSums by Pos should order them by position.")
+	}
+
+	fis = newFileInfoSums()
+	expected = "deadbeef1"
+	gotFileInfoSum := fis.GetFile("dup1")
+	if gotFileInfoSum.Sum() != expected {
+		t.Errorf("Expected %q, got %q", expected, gotFileInfoSum)
+	}
+	if fis.GetFile("noPresent") != nil {
+		t.Error("Should have return nil if name not found.")
+	}
+
+}
diff --git a/engine/pkg/tarsum/tarsum.go b/engine/pkg/tarsum/tarsum.go
new file mode 100644
index 00000000..5542e1b2
--- /dev/null
+++ b/engine/pkg/tarsum/tarsum.go
@@ -0,0 +1,301 @@
+// Package tarsum provides algorithms to perform checksum calculation on
+// filesystem layers.
+//
+// The transportation of filesystems, regarding Docker, is done with tar(1)
+// archives. There are a variety of tar serialization formats [2], and a key
+// concern here is ensuring a repeatable checksum given a set of inputs from a
+// generic tar archive. Types of transportation include distribution to and from a
+// registry endpoint, saving and loading through commands or Docker daemon APIs,
+// transferring the build context from client to Docker daemon, and committing the
+// filesystem of a container to become an image.
+//
+// As tar archives are used for transit, but not preserved in many situations, the
+// focus of the algorithm is to ensure the integrity of the preserved filesystem,
+// while maintaining a deterministic accountability. This includes neither
+// constraining the ordering or manipulation of the files during the creation or
+// unpacking of the archive, nor include additional metadata state about the file
+// system attributes.
+package tarsum // import "github.com/docker/docker/pkg/tarsum"
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+	"crypto"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"hash"
+	"io"
+	"path"
+	"strings"
+)
+
+const (
+	buf8K  = 8 * 1024
+	buf16K = 16 * 1024
+	buf32K = 32 * 1024
+)
+
+// NewTarSum creates a new interface for calculating a fixed time checksum of a
+// tar archive.
+//
+// This is used for calculating checksums of layers of an image, in some cases
+// including the byte payload of the image's json metadata as well, and for
+// calculating the checksums for buildcache.
+func NewTarSum(r io.Reader, dc bool, v Version) (TarSum, error) {
+	return NewTarSumHash(r, dc, v, DefaultTHash)
+}
+
+// NewTarSumHash creates a new TarSum, providing a THash to use rather than
+// the DefaultTHash.
+func NewTarSumHash(r io.Reader, dc bool, v Version, tHash THash) (TarSum, error) {
+	headerSelector, err := getTarHeaderSelector(v)
+	if err != nil {
+		return nil, err
+	}
+	ts := &tarSum{Reader: r, DisableCompression: dc, tarSumVersion: v, headerSelector: headerSelector, tHash: tHash}
+	err = ts.initTarSum()
+	return ts, err
+}
+
+// NewTarSumForLabel creates a new TarSum using the provided TarSum version+hash label.
+func NewTarSumForLabel(r io.Reader, disableCompression bool, label string) (TarSum, error) {
+	parts := strings.SplitN(label, "+", 2)
+	if len(parts) != 2 {
+		return nil, errors.New("tarsum label string should be of the form: {tarsum_version}+{hash_name}")
+	}
+
+	versionName, hashName := parts[0], parts[1]
+
+	version, ok := tarSumVersionsByName[versionName]
+	if !ok {
+		return nil, fmt.Errorf("unknown TarSum version name: %q", versionName)
+	}
+
+	hashConfig, ok := standardHashConfigs[hashName]
+	if !ok {
+		return nil, fmt.Errorf("unknown TarSum hash name: %q", hashName)
+	}
+
+	tHash := NewTHash(hashConfig.name, hashConfig.hash.New)
+
+	return NewTarSumHash(r, disableCompression, version, tHash)
+}
+
+// TarSum is the generic interface for calculating fixed time
+// checksums of a tar archive.
+type TarSum interface {
+	io.Reader
+	GetSums() FileInfoSums
+	Sum([]byte) string
+	Version() Version
+	Hash() THash
+}
+
+// tarSum struct is the structure for a Version0 checksum calculation.
+type tarSum struct {
+	io.Reader
+	tarR               *tar.Reader
+	tarW               *tar.Writer
+	writer             writeCloseFlusher
+	bufTar             *bytes.Buffer
+	bufWriter          *bytes.Buffer
+	bufData            []byte
+	h                  hash.Hash
+	tHash              THash
+	sums               FileInfoSums
+	fileCounter        int64
+	currentFile        string
+	finished           bool
+	first              bool
+	DisableCompression bool              // false by default. When false, the output gzip compressed.
+	tarSumVersion      Version           // this field is not exported so it can not be mutated during use
+	headerSelector     tarHeaderSelector // handles selecting and ordering headers for files in the archive
+}
+
+func (ts tarSum) Hash() THash {
+	return ts.tHash
+}
+
+func (ts tarSum) Version() Version {
+	return ts.tarSumVersion
+}
+
+// THash provides a hash.Hash type generator and its name.
+type THash interface {
+	Hash() hash.Hash
+	Name() string
+}
+
+// NewTHash is a convenience method for creating a THash.
+func NewTHash(name string, h func() hash.Hash) THash {
+	return simpleTHash{n: name, h: h}
+}
+
+type tHashConfig struct {
+	name string
+	hash crypto.Hash
+}
+
+var (
+	// NOTE: DO NOT include MD5 or SHA1, which are considered insecure.
+	standardHashConfigs = map[string]tHashConfig{
+		"sha256": {name: "sha256", hash: crypto.SHA256},
+		"sha512": {name: "sha512", hash: crypto.SHA512},
+	}
+)
+
+// DefaultTHash is default TarSum hashing algorithm - "sha256".
+var DefaultTHash = NewTHash("sha256", sha256.New)
+
+type simpleTHash struct {
+	n string
+	h func() hash.Hash
+}
+
+func (sth simpleTHash) Name() string    { return sth.n }
+func (sth simpleTHash) Hash() hash.Hash { return sth.h() }
+
+func (ts *tarSum) encodeHeader(h *tar.Header) error {
+	for _, elem := range ts.headerSelector.selectHeaders(h) {
+		// Ignore these headers to be compatible with versions
+		// before go 1.10
+		if elem[0] == "gname" || elem[0] == "uname" {
+			elem[1] = ""
+		}
+		if _, err := ts.h.Write([]byte(elem[0] + elem[1])); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (ts *tarSum) initTarSum() error {
+	ts.bufTar = bytes.NewBuffer([]byte{})
+	ts.bufWriter = bytes.NewBuffer([]byte{})
+	ts.tarR = tar.NewReader(ts.Reader)
+	ts.tarW = tar.NewWriter(ts.bufTar)
+	if !ts.DisableCompression {
+		ts.writer = gzip.NewWriter(ts.bufWriter)
+	} else {
+		ts.writer = &nopCloseFlusher{Writer: ts.bufWriter}
+	}
+	if ts.tHash == nil {
+		ts.tHash = DefaultTHash
+	}
+	ts.h = ts.tHash.Hash()
+	ts.h.Reset()
+	ts.first = true
+	ts.sums = FileInfoSums{}
+	return nil
+}
+
+func (ts *tarSum) Read(buf []byte) (int, error) {
+	if ts.finished {
+		return ts.bufWriter.Read(buf)
+	}
+	if len(ts.bufData) < len(buf) {
+		switch {
+		case len(buf) <= buf8K:
+			ts.bufData = make([]byte, buf8K)
+		case len(buf) <= buf16K:
+			ts.bufData = make([]byte, buf16K)
+		case len(buf) <= buf32K:
+			ts.bufData = make([]byte, buf32K)
+		default:
+			ts.bufData = make([]byte, len(buf))
+		}
+	}
+	buf2 := ts.bufData[:len(buf)]
+
+	n, err := ts.tarR.Read(buf2)
+	if err != nil {
+		if err == io.EOF {
+			if _, err := ts.h.Write(buf2[:n]); err != nil {
+				return 0, err
+			}
+			if !ts.first {
+				ts.sums = append(ts.sums, fileInfoSum{name: ts.currentFile, sum: hex.EncodeToString(ts.h.Sum(nil)), pos: ts.fileCounter})
+				ts.fileCounter++
+				ts.h.Reset()
+			} else {
+				ts.first = false
+			}
+
+			if _, err := ts.tarW.Write(buf2[:n]); err != nil {
+				return 0, err
+			}
+
+			currentHeader, err := ts.tarR.Next()
+			if err != nil {
+				if err == io.EOF {
+					if err := ts.tarW.Close(); err != nil {
+						return 0, err
+					}
+					if _, err := io.Copy(ts.writer, ts.bufTar); err != nil {
+						return 0, err
+					}
+					if err := ts.writer.Close(); err != nil {
+						return 0, err
+					}
+					ts.finished = true
+					return ts.bufWriter.Read(buf)
+				}
+				return 0, err
+			}
+
+			ts.currentFile = path.Join(".", path.Join("/", currentHeader.Name))
+			if err := ts.encodeHeader(currentHeader); err != nil {
+				return 0, err
+			}
+			if err := ts.tarW.WriteHeader(currentHeader); err != nil {
+				return 0, err
+			}
+
+			if _, err := io.Copy(ts.writer, ts.bufTar); err != nil {
+				return 0, err
+			}
+			ts.writer.Flush()
+
+			return ts.bufWriter.Read(buf)
+		}
+		return 0, err
+	}
+
+	// Filling the hash buffer
+	if _, err = ts.h.Write(buf2[:n]); err != nil {
+		return 0, err
+	}
+
+	// Filling the tar writer
+	if _, err = ts.tarW.Write(buf2[:n]); err != nil {
+		return 0, err
+	}
+
+	// Filling the output writer
+	if _, err = io.Copy(ts.writer, ts.bufTar); err != nil {
+		return 0, err
+	}
+	ts.writer.Flush()
+
+	return ts.bufWriter.Read(buf)
+}
+
+func (ts *tarSum) Sum(extra []byte) string {
+	ts.sums.SortBySums()
+	h := ts.tHash.Hash()
+	if extra != nil {
+		h.Write(extra)
+	}
+	for _, fis := range ts.sums {
+		h.Write([]byte(fis.Sum()))
+	}
+	checksum := ts.Version().String() + "+" + ts.tHash.Name() + ":" + hex.EncodeToString(h.Sum(nil))
+	return checksum
+}
+
+func (ts *tarSum) GetSums() FileInfoSums {
+	return ts.sums
+}
diff --git a/engine/pkg/tarsum/tarsum_spec.md b/engine/pkg/tarsum/tarsum_spec.md
new file mode 100644
index 00000000..89b2e49f
--- /dev/null
+++ b/engine/pkg/tarsum/tarsum_spec.md
@@ -0,0 +1,230 @@
+page_title: TarSum checksum specification
+page_description: Documentation for algorithms used in the TarSum checksum calculation
+page_keywords: docker, checksum, validation, tarsum
+
+# TarSum Checksum Specification
+
+## Abstract
+
+This document describes the algorithms used in performing the TarSum checksum
+calculation on filesystem layers, the need for this method over existing
+methods, and the versioning of this calculation.
+
+## Warning
+
+This checksum algorithm is for best-effort comparison of file trees with fuzzy logic.
+
+This is _not_ a cryptographic attestation, and should not be considered secure.
+
+## Introduction
+
+The transportation of filesystems, regarding Docker, is done with tar(1)
+archives. There are a variety of tar serialization formats [2], and a key
+concern here is ensuring a repeatable checksum given a set of inputs from a
+generic tar archive. Types of transportation include distribution to and from a
+registry endpoint, saving and loading through commands or Docker daemon APIs,
+transferring the build context from client to Docker daemon, and committing the
+filesystem of a container to become an image.
+
+As tar archives are used for transit, but not preserved in many situations, the
+focus of the algorithm is to ensure the integrity of the preserved filesystem,
+while maintaining a deterministic accountability. This includes neither
+constraining the ordering or manipulation of the files during the creation or
+unpacking of the archive, nor include additional metadata state about the file
+system attributes.
+
+## Intended Audience
+
+This document is outlining the methods used for consistent checksum calculation
+for filesystems transported via tar archives.
+
+Auditing these methodologies is an open and iterative process. This document
+should accommodate the review of source code. Ultimately, this document should
+be the starting point of further refinements to the algorithm and its future
+versions.
+
+## Concept
+
+The checksum mechanism must ensure the integrity and assurance of the
+filesystem payload.
+
+## Checksum Algorithm Profile
+
+A checksum mechanism must define the following operations and attributes:
+
+* Associated hashing cipher - used to checksum each file payload and attribute
+  information.
+* Checksum list - each file of the filesystem archive has its checksum
+  calculated from the payload and attributes of the file. The final checksum is
+  calculated from this list, with specific ordering.
+* Version - as the algorithm adapts to requirements, there are behaviors of the
+  algorithm to manage by versioning.
+* Archive being calculated - the tar archive having its checksum calculated
+
+## Elements of TarSum checksum
+
+The calculated sum output is a text string. The elements included in the output
+of the calculated sum comprise the information needed for validation of the sum
+(TarSum version and hashing cipher used) and the expected checksum in hexadecimal
+form.
+
+There are two delimiters used:
+* '+' separates TarSum version from hashing cipher
+* ':' separates calculation mechanics from expected hash
+
+Example:
+
+```
+	"tarsum.v1+sha256:220a60ecd4a3c32c282622a625a54db9ba0ff55b5ba9c29c7064a2bc358b6a3e"
+	|         |       \                                                               |
+	|         |        \                                                              |
+	|_version_|_cipher__|__                                                           |
+	|                      \                                                          |
+	|_calculation_mechanics_|______________________expected_sum_______________________|
+```
+
+## Versioning
+
+Versioning was introduced [0] to accommodate differences in calculation needed,
+and ability to maintain reverse compatibility.
+
+The general algorithm will be describe further in the 'Calculation'.
+
+### Version0
+
+This is the initial version of TarSum.
+
+Its element in the TarSum checksum string is `tarsum`.
+
+### Version1
+
+Its element in the TarSum checksum is `tarsum.v1`.
+
+The notable changes in this version:
+* Exclusion of file `mtime` from the file information headers, in each file
+  checksum calculation
+* Inclusion of extended attributes (`xattrs`. Also seen as `SCHILY.xattr.` prefixed Pax
+  tar file info headers) keys and values in each file checksum calculation
+
+### VersionDev
+
+*Do not use unless validating refinements to the checksum algorithm*
+
+Its element in the TarSum checksum is `tarsum.dev`.
+
+This is a floating place holder for a next version and grounds for testing
+changes. The methods used for calculation are subject to change without notice,
+and this version is for testing and not for production use.
+
+## Ciphers
+
+The official default and standard hashing cipher used in the calculation mechanic
+is `sha256`. This refers to SHA256 hash algorithm as defined in FIPS 180-4.
+
+Though the TarSum algorithm itself is not exclusively bound to the single
+hashing cipher `sha256`, support for alternate hashing ciphers was later added
+[1]. Use cases for alternate cipher could include future-proofing TarSum
+checksum format and using faster cipher hashes for tar filesystem checksums.
+
+## Calculation
+
+### Requirement
+
+As mentioned earlier, the calculation is such that it takes into consideration
+the lifecycle of the tar archive. In that the tar archive is not an immutable,
+permanent artifact. Otherwise options like relying on a known hashing cipher
+checksum of the archive itself would be reliable enough. The tar archive of the
+filesystem is used as a transportation medium for Docker images, and the
+archive is discarded once its contents are extracted. Therefore, for consistent
+validation items such as order of files in the tar archive and time stamps are
+subject to change once an image is received.
+
+### Process
+
+The method is typically iterative due to reading tar info headers from the
+archive stream, though this is not a strict requirement.
+
+#### Files
+
+Each file in the tar archive have their contents (headers and body) checksummed
+individually using the designated associated hashing cipher. The ordered
+headers of the file are written to the checksum calculation first, and then the
+payload of the file body.
+
+The resulting checksum of the file is appended to the list of file sums. The
+sum is encoded as a string of the hexadecimal digest. Additionally, the file
+name and position in the archive is kept as reference for special ordering.
+
+#### Headers
+
+The following headers are read, in this
+order ( and the corresponding representation of its value):
+* 'name' - string
+* 'mode' - string of the base10 integer
+* 'uid' - string of the integer
+* 'gid' - string of the integer
+* 'size' - string of the integer
+* 'mtime' (_Version0 only_) - string of integer of the seconds since 1970-01-01 00:00:00 UTC
+* 'typeflag' - string of the char
+* 'linkname' - string
+* 'uname' - string
+* 'gname' - string
+* 'devmajor' - string of the integer
+* 'devminor' - string of the integer
+
+For >= Version1, the extended attribute headers ("SCHILY.xattr." prefixed pax
+headers) included after the above list. These xattrs key/values are first
+sorted by the keys.
+
+#### Header Format
+
+The ordered headers are written to the hash in the format of
+
+	"{.key}{.value}"
+
+with no newline.
+
+#### Body
+
+After the order headers of the file have been added to the checksum for the
+file, the body of the file is written to the hash.
+
+#### List of file sums
+
+The list of file sums is sorted by the string of the hexadecimal digest.
+
+If there are two files in the tar with matching paths, the order of occurrence
+for that path is reflected for the sums of the corresponding file header and
+body.
+
+#### Final Checksum
+
+Begin with a fresh or initial state of the associated hash cipher. If there is
+additional payload to include in the TarSum calculation for the archive, it is
+written first. Then each checksum from the ordered list of file sums is written
+to the hash.
+
+The resulting digest is formatted per the Elements of TarSum checksum,
+including the TarSum version, the associated hash cipher and the hexadecimal
+encoded checksum digest.
+
+## Security Considerations
+
+The initial version of TarSum has undergone one update that could invalidate
+handcrafted tar archives. The tar archive format supports appending of files
+with same names as prior files in the archive. The latter file will clobber the
+prior file of the same path. Due to this the algorithm now accounts for files
+with matching paths, and orders the list of file sums accordingly [3].
+
+## Footnotes
+
+* [0] Versioning https://github.com/docker/docker/commit/747f89cd327db9d50251b17797c4d825162226d0
+* [1] Alternate ciphers https://github.com/docker/docker/commit/4e9925d780665149b8bc940d5ba242ada1973c4e
+* [2] Tar http://en.wikipedia.org/wiki/Tar_%28computing%29
+* [3] Name collision https://github.com/docker/docker/commit/c5e6362c53cbbc09ddbabd5a7323e04438b57d31
+
+## Acknowledgments
+
+Joffrey F (shin-) and Guillaume J. Charmes (creack) on the initial work of the
+TarSum calculation.
+
diff --git a/engine/pkg/tarsum/tarsum_test.go b/engine/pkg/tarsum/tarsum_test.go
new file mode 100644
index 00000000..435b91c7
--- /dev/null
+++ b/engine/pkg/tarsum/tarsum_test.go
@@ -0,0 +1,657 @@
+package tarsum // import "github.com/docker/docker/pkg/tarsum"
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+	"crypto/md5"
+	"crypto/rand"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+type testLayer struct {
+	filename string
+	options  *sizedOptions
+	jsonfile string
+	gzip     bool
+	tarsum   string
+	version  Version
+	hash     THash
+}
+
+var testLayers = []testLayer{
+	{
+		filename: "testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/layer.tar",
+		jsonfile: "testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/json",
+		version:  Version0,
+		tarsum:   "tarsum+sha256:4095cc12fa5fdb1ab2760377e1cd0c4ecdd3e61b4f9b82319d96fcea6c9a41c6"},
+	{
+		filename: "testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/layer.tar",
+		jsonfile: "testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/json",
+		version:  VersionDev,
+		tarsum:   "tarsum.dev+sha256:db56e35eec6ce65ba1588c20ba6b1ea23743b59e81fb6b7f358ccbde5580345c"},
+	{
+		filename: "testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/layer.tar",
+		jsonfile: "testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/json",
+		gzip:     true,
+		tarsum:   "tarsum+sha256:4095cc12fa5fdb1ab2760377e1cd0c4ecdd3e61b4f9b82319d96fcea6c9a41c6"},
+	{
+		// Tests existing version of TarSum when xattrs are present
+		filename: "testdata/xattr/layer.tar",
+		jsonfile: "testdata/xattr/json",
+		version:  Version0,
+		tarsum:   "tarsum+sha256:07e304a8dbcb215b37649fde1a699f8aeea47e60815707f1cdf4d55d25ff6ab4"},
+	{
+		// Tests next version of TarSum when xattrs are present
+		filename: "testdata/xattr/layer.tar",
+		jsonfile: "testdata/xattr/json",
+		version:  VersionDev,
+		tarsum:   "tarsum.dev+sha256:6c58917892d77b3b357b0f9ad1e28e1f4ae4de3a8006bd3beb8beda214d8fd16"},
+	{
+		filename: "testdata/511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158/layer.tar",
+		jsonfile: "testdata/511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158/json",
+		tarsum:   "tarsum+sha256:c66bd5ec9f87b8f4c6135ca37684618f486a3dd1d113b138d0a177bfa39c2571"},
+	{
+		options: &sizedOptions{1, 1024 * 1024, false, false}, // a 1mb file (in memory)
+		tarsum:  "tarsum+sha256:8bf12d7e67c51ee2e8306cba569398b1b9f419969521a12ffb9d8875e8836738"},
+	{
+		// this tar has two files with the same path
+		filename: "testdata/collision/collision-0.tar",
+		tarsum:   "tarsum+sha256:7cabb5e9128bb4a93ff867b9464d7c66a644ae51ea2e90e6ef313f3bef93f077"},
+	{
+		// this tar has the same two files (with the same path), but reversed order. ensuring is has different hash than above
+		filename: "testdata/collision/collision-1.tar",
+		tarsum:   "tarsum+sha256:805fd393cfd58900b10c5636cf9bab48b2406d9b66523122f2352620c85dc7f9"},
+	{
+		// this tar has newer of collider-0.tar, ensuring is has different hash
+		filename: "testdata/collision/collision-2.tar",
+		tarsum:   "tarsum+sha256:85d2b8389f077659d78aca898f9e632ed9161f553f144aef100648eac540147b"},
+	{
+		// this tar has newer of collider-1.tar, ensuring is has different hash
+		filename: "testdata/collision/collision-3.tar",
+		tarsum:   "tarsum+sha256:cbe4dee79fe979d69c16c2bccd032e3205716a562f4a3c1ca1cbeed7b256eb19"},
+	{
+		options: &sizedOptions{1, 1024 * 1024, false, false}, // a 1mb file (in memory)
+		tarsum:  "tarsum+md5:0d7529ec7a8360155b48134b8e599f53",
+		hash:    md5THash,
+	},
+	{
+		options: &sizedOptions{1, 1024 * 1024, false, false}, // a 1mb file (in memory)
+		tarsum:  "tarsum+sha1:f1fee39c5925807ff75ef1925e7a23be444ba4df",
+		hash:    sha1Hash,
+	},
+	{
+		options: &sizedOptions{1, 1024 * 1024, false, false}, // a 1mb file (in memory)
+		tarsum:  "tarsum+sha224:6319390c0b061d639085d8748b14cd55f697cf9313805218b21cf61c",
+		hash:    sha224Hash,
+	},
+	{
+		options: &sizedOptions{1, 1024 * 1024, false, false}, // a 1mb file (in memory)
+		tarsum:  "tarsum+sha384:a578ce3ce29a2ae03b8ed7c26f47d0f75b4fc849557c62454be4b5ffd66ba021e713b48ce71e947b43aab57afd5a7636",
+		hash:    sha384Hash,
+	},
+	{
+		options: &sizedOptions{1, 1024 * 1024, false, false}, // a 1mb file (in memory)
+		tarsum:  "tarsum+sha512:e9bfb90ca5a4dfc93c46ee061a5cf9837de6d2fdf82544d6460d3147290aecfabf7b5e415b9b6e72db9b8941f149d5d69fb17a394cbfaf2eac523bd9eae21855",
+		hash:    sha512Hash,
+	},
+}
+
+type sizedOptions struct {
+	num      int64
+	size     int64
+	isRand   bool
+	realFile bool
+}
+
+// make a tar:
+// * num is the number of files the tar should have
+// * size is the bytes per file
+// * isRand is whether the contents of the files should be a random chunk (otherwise it's all zeros)
+// * realFile will write to a TempFile, instead of an in memory buffer
+func sizedTar(opts sizedOptions) io.Reader {
+	var (
+		fh  io.ReadWriter
+		err error
+	)
+	if opts.realFile {
+		fh, err = ioutil.TempFile("", "tarsum")
+		if err != nil {
+			return nil
+		}
+	} else {
+		fh = bytes.NewBuffer([]byte{})
+	}
+	tarW := tar.NewWriter(fh)
+	defer tarW.Close()
+	for i := int64(0); i < opts.num; i++ {
+		err := tarW.WriteHeader(&tar.Header{
+			Name: fmt.Sprintf("/testdata%d", i),
+			Mode: 0755,
+			Uid:  0,
+			Gid:  0,
+			Size: opts.size,
+		})
+		if err != nil {
+			return nil
+		}
+		var rBuf []byte
+		if opts.isRand {
+			rBuf = make([]byte, 8)
+			_, err = rand.Read(rBuf)
+			if err != nil {
+				return nil
+			}
+		} else {
+			rBuf = []byte{0, 0, 0, 0, 0, 0, 0, 0}
+		}
+
+		for i := int64(0); i < opts.size/int64(8); i++ {
+			tarW.Write(rBuf)
+		}
+	}
+	return fh
+}
+
+func emptyTarSum(gzip bool) (TarSum, error) {
+	reader, writer := io.Pipe()
+	tarWriter := tar.NewWriter(writer)
+
+	// Immediately close tarWriter and write-end of the
+	// Pipe in a separate goroutine so we don't block.
+	go func() {
+		tarWriter.Close()
+		writer.Close()
+	}()
+
+	return NewTarSum(reader, !gzip, Version0)
+}
+
+// Test errors on NewTarsumForLabel
+func TestNewTarSumForLabelInvalid(t *testing.T) {
+	reader := strings.NewReader("")
+
+	if _, err := NewTarSumForLabel(reader, true, "invalidlabel"); err == nil {
+		t.Fatalf("Expected an error, got nothing.")
+	}
+
+	if _, err := NewTarSumForLabel(reader, true, "invalid+sha256"); err == nil {
+		t.Fatalf("Expected an error, got nothing.")
+	}
+	if _, err := NewTarSumForLabel(reader, true, "tarsum.v1+invalid"); err == nil {
+		t.Fatalf("Expected an error, got nothing.")
+	}
+}
+
+func TestNewTarSumForLabel(t *testing.T) {
+
+	layer := testLayers[0]
+
+	reader, err := os.Open(layer.filename)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer reader.Close()
+
+	label := strings.Split(layer.tarsum, ":")[0]
+	ts, err := NewTarSumForLabel(reader, false, label)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Make sure it actually worked by reading a little bit of it
+	nbByteToRead := 8 * 1024
+	dBuf := make([]byte, nbByteToRead)
+	_, err = ts.Read(dBuf)
+	if err != nil {
+		t.Errorf("failed to read %vKB from %s: %s", nbByteToRead, layer.filename, err)
+	}
+}
+
+// TestEmptyTar tests that tarsum does not fail to read an empty tar
+// and correctly returns the hex digest of an empty hash.
+func TestEmptyTar(t *testing.T) {
+	// Test without gzip.
+	ts, err := emptyTarSum(false)
+	assert.NilError(t, err)
+
+	zeroBlock := make([]byte, 1024)
+	buf := new(bytes.Buffer)
+
+	n, err := io.Copy(buf, ts)
+	assert.NilError(t, err)
+
+	if n != int64(len(zeroBlock)) || !bytes.Equal(buf.Bytes(), zeroBlock) {
+		t.Fatalf("tarSum did not write the correct number of zeroed bytes: %d", n)
+	}
+
+	expectedSum := ts.Version().String() + "+sha256:" + hex.EncodeToString(sha256.New().Sum(nil))
+	resultSum := ts.Sum(nil)
+
+	if resultSum != expectedSum {
+		t.Fatalf("expected [%s] but got [%s]", expectedSum, resultSum)
+	}
+
+	// Test with gzip.
+	ts, err = emptyTarSum(true)
+	assert.NilError(t, err)
+	buf.Reset()
+
+	_, err = io.Copy(buf, ts)
+	assert.NilError(t, err)
+
+	bufgz := new(bytes.Buffer)
+	gz := gzip.NewWriter(bufgz)
+	n, err = io.Copy(gz, bytes.NewBuffer(zeroBlock))
+	assert.NilError(t, err)
+	gz.Close()
+	gzBytes := bufgz.Bytes()
+
+	if n != int64(len(zeroBlock)) || !bytes.Equal(buf.Bytes(), gzBytes) {
+		t.Fatalf("tarSum did not write the correct number of gzipped-zeroed bytes: %d", n)
+	}
+
+	resultSum = ts.Sum(nil)
+
+	if resultSum != expectedSum {
+		t.Fatalf("expected [%s] but got [%s]", expectedSum, resultSum)
+	}
+
+	// Test without ever actually writing anything.
+	if ts, err = NewTarSum(bytes.NewReader([]byte{}), true, Version0); err != nil {
+		t.Fatal(err)
+	}
+
+	resultSum = ts.Sum(nil)
+	assert.Check(t, is.Equal(expectedSum, resultSum))
+}
+
+var (
+	md5THash   = NewTHash("md5", md5.New)
+	sha1Hash   = NewTHash("sha1", sha1.New)
+	sha224Hash = NewTHash("sha224", sha256.New224)
+	sha384Hash = NewTHash("sha384", sha512.New384)
+	sha512Hash = NewTHash("sha512", sha512.New)
+)
+
+// Test all the build-in read size : buf8K, buf16K, buf32K and more
+func TestTarSumsReadSize(t *testing.T) {
+	// Test always on the same layer (that is big enough)
+	layer := testLayers[0]
+
+	for i := 0; i < 5; i++ {
+
+		reader, err := os.Open(layer.filename)
+		if err != nil {
+			t.Fatal(err)
+		}
+		defer reader.Close()
+
+		ts, err := NewTarSum(reader, false, layer.version)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Read and discard bytes so that it populates sums
+		nbByteToRead := (i + 1) * 8 * 1024
+		dBuf := make([]byte, nbByteToRead)
+		_, err = ts.Read(dBuf)
+		if err != nil {
+			t.Errorf("failed to read %vKB from %s: %s", nbByteToRead, layer.filename, err)
+			continue
+		}
+	}
+}
+
+func TestTarSums(t *testing.T) {
+	for _, layer := range testLayers {
+		var (
+			fh  io.Reader
+			err error
+		)
+		if len(layer.filename) > 0 {
+			fh, err = os.Open(layer.filename)
+			if err != nil {
+				t.Errorf("failed to open %s: %s", layer.filename, err)
+				continue
+			}
+		} else if layer.options != nil {
+			fh = sizedTar(*layer.options)
+		} else {
+			// What else is there to test?
+			t.Errorf("what to do with %#v", layer)
+			continue
+		}
+		if file, ok := fh.(*os.File); ok {
+			defer file.Close()
+		}
+
+		var ts TarSum
+		if layer.hash == nil {
+			//                           double negatives!
+			ts, err = NewTarSum(fh, !layer.gzip, layer.version)
+		} else {
+			ts, err = NewTarSumHash(fh, !layer.gzip, layer.version, layer.hash)
+		}
+		if err != nil {
+			t.Errorf("%q :: %q", err, layer.filename)
+			continue
+		}
+
+		// Read variable number of bytes to test dynamic buffer
+		dBuf := make([]byte, 1)
+		_, err = ts.Read(dBuf)
+		if err != nil {
+			t.Errorf("failed to read 1B from %s: %s", layer.filename, err)
+			continue
+		}
+		dBuf = make([]byte, 16*1024)
+		_, err = ts.Read(dBuf)
+		if err != nil {
+			t.Errorf("failed to read 16KB from %s: %s", layer.filename, err)
+			continue
+		}
+
+		// Read and discard remaining bytes
+		_, err = io.Copy(ioutil.Discard, ts)
+		if err != nil {
+			t.Errorf("failed to copy from %s: %s", layer.filename, err)
+			continue
+		}
+		var gotSum string
+		if len(layer.jsonfile) > 0 {
+			jfh, err := os.Open(layer.jsonfile)
+			if err != nil {
+				t.Errorf("failed to open %s: %s", layer.jsonfile, err)
+				continue
+			}
+			defer jfh.Close()
+
+			buf, err := ioutil.ReadAll(jfh)
+			if err != nil {
+				t.Errorf("failed to readAll %s: %s", layer.jsonfile, err)
+				continue
+			}
+			gotSum = ts.Sum(buf)
+		} else {
+			gotSum = ts.Sum(nil)
+		}
+
+		if layer.tarsum != gotSum {
+			t.Errorf("expecting [%s], but got [%s]", layer.tarsum, gotSum)
+		}
+		var expectedHashName string
+		if layer.hash != nil {
+			expectedHashName = layer.hash.Name()
+		} else {
+			expectedHashName = DefaultTHash.Name()
+		}
+		if expectedHashName != ts.Hash().Name() {
+			t.Errorf("expecting hash [%v], but got [%s]", expectedHashName, ts.Hash().Name())
+		}
+	}
+}
+
+func TestIteration(t *testing.T) {
+	headerTests := []struct {
+		expectedSum string // TODO(vbatts) it would be nice to get individual sums of each
+		version     Version
+		hdr         *tar.Header
+		data        []byte
+	}{
+		{
+			"tarsum+sha256:626c4a2e9a467d65c33ae81f7f3dedd4de8ccaee72af73223c4bc4718cbc7bbd",
+			Version0,
+			&tar.Header{
+				Name:     "file.txt",
+				Size:     0,
+				Typeflag: tar.TypeReg,
+				Devminor: 0,
+				Devmajor: 0,
+			},
+			[]byte(""),
+		},
+		{
+			"tarsum.dev+sha256:6ffd43a1573a9913325b4918e124ee982a99c0f3cba90fc032a65f5e20bdd465",
+			VersionDev,
+			&tar.Header{
+				Name:     "file.txt",
+				Size:     0,
+				Typeflag: tar.TypeReg,
+				Devminor: 0,
+				Devmajor: 0,
+			},
+			[]byte(""),
+		},
+		{
+			"tarsum.dev+sha256:862964db95e0fa7e42836ae4caab3576ab1df8d275720a45bdd01a5a3730cc63",
+			VersionDev,
+			&tar.Header{
+				Name:     "another.txt",
+				Uid:      1000,
+				Gid:      1000,
+				Uname:    "slartibartfast",
+				Gname:    "users",
+				Size:     4,
+				Typeflag: tar.TypeReg,
+				Devminor: 0,
+				Devmajor: 0,
+			},
+			[]byte("test"),
+		},
+		{
+			"tarsum.dev+sha256:4b1ba03544b49d96a32bacc77f8113220bd2f6a77e7e6d1e7b33cd87117d88e7",
+			VersionDev,
+			&tar.Header{
+				Name:     "xattrs.txt",
+				Uid:      1000,
+				Gid:      1000,
+				Uname:    "slartibartfast",
+				Gname:    "users",
+				Size:     4,
+				Typeflag: tar.TypeReg,
+				Xattrs: map[string]string{
+					"user.key1": "value1",
+					"user.key2": "value2",
+				},
+			},
+			[]byte("test"),
+		},
+		{
+			"tarsum.dev+sha256:410b602c898bd4e82e800050f89848fc2cf20fd52aa59c1ce29df76b878b84a6",
+			VersionDev,
+			&tar.Header{
+				Name:     "xattrs.txt",
+				Uid:      1000,
+				Gid:      1000,
+				Uname:    "slartibartfast",
+				Gname:    "users",
+				Size:     4,
+				Typeflag: tar.TypeReg,
+				Xattrs: map[string]string{
+					"user.KEY1": "value1", // adding different case to ensure different sum
+					"user.key2": "value2",
+				},
+			},
+			[]byte("test"),
+		},
+		{
+			"tarsum+sha256:b1f97eab73abd7593c245e51070f9fbdb1824c6b00a0b7a3d7f0015cd05e9e86",
+			Version0,
+			&tar.Header{
+				Name:     "xattrs.txt",
+				Uid:      1000,
+				Gid:      1000,
+				Uname:    "slartibartfast",
+				Gname:    "users",
+				Size:     4,
+				Typeflag: tar.TypeReg,
+				Xattrs: map[string]string{
+					"user.NOT": "CALCULATED",
+				},
+			},
+			[]byte("test"),
+		},
+	}
+	for _, htest := range headerTests {
+		s, err := renderSumForHeader(htest.version, htest.hdr, htest.data)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if s != htest.expectedSum {
+			t.Errorf("expected sum: %q, got: %q", htest.expectedSum, s)
+		}
+	}
+
+}
+
+func renderSumForHeader(v Version, h *tar.Header, data []byte) (string, error) {
+	buf := bytes.NewBuffer(nil)
+	// first build our test tar
+	tw := tar.NewWriter(buf)
+	if err := tw.WriteHeader(h); err != nil {
+		return "", err
+	}
+	if _, err := tw.Write(data); err != nil {
+		return "", err
+	}
+	tw.Close()
+
+	ts, err := NewTarSum(buf, true, v)
+	if err != nil {
+		return "", err
+	}
+	tr := tar.NewReader(ts)
+	for {
+		hdr, err := tr.Next()
+		if hdr == nil || err == io.EOF {
+			// Signals the end of the archive.
+			break
+		}
+		if err != nil {
+			return "", err
+		}
+		if _, err = io.Copy(ioutil.Discard, tr); err != nil {
+			return "", err
+		}
+	}
+	return ts.Sum(nil), nil
+}
+
+func Benchmark9kTar(b *testing.B) {
+	buf := bytes.NewBuffer([]byte{})
+	fh, err := os.Open("testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/layer.tar")
+	if err != nil {
+		b.Error(err)
+		return
+	}
+	defer fh.Close()
+
+	n, err := io.Copy(buf, fh)
+	if err != nil {
+		b.Error(err)
+		return
+	}
+
+	reader := bytes.NewReader(buf.Bytes())
+
+	b.SetBytes(n)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		reader.Seek(0, 0)
+		ts, err := NewTarSum(reader, true, Version0)
+		if err != nil {
+			b.Error(err)
+			return
+		}
+		io.Copy(ioutil.Discard, ts)
+		ts.Sum(nil)
+	}
+}
+
+func Benchmark9kTarGzip(b *testing.B) {
+	buf := bytes.NewBuffer([]byte{})
+	fh, err := os.Open("testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/layer.tar")
+	if err != nil {
+		b.Error(err)
+		return
+	}
+	defer fh.Close()
+
+	n, err := io.Copy(buf, fh)
+	if err != nil {
+		b.Error(err)
+		return
+	}
+
+	reader := bytes.NewReader(buf.Bytes())
+
+	b.SetBytes(n)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		reader.Seek(0, 0)
+		ts, err := NewTarSum(reader, false, Version0)
+		if err != nil {
+			b.Error(err)
+			return
+		}
+		io.Copy(ioutil.Discard, ts)
+		ts.Sum(nil)
+	}
+}
+
+// this is a single big file in the tar archive
+func Benchmark1mbSingleFileTar(b *testing.B) {
+	benchmarkTar(b, sizedOptions{1, 1024 * 1024, true, true}, false)
+}
+
+// this is a single big file in the tar archive
+func Benchmark1mbSingleFileTarGzip(b *testing.B) {
+	benchmarkTar(b, sizedOptions{1, 1024 * 1024, true, true}, true)
+}
+
+// this is 1024 1k files in the tar archive
+func Benchmark1kFilesTar(b *testing.B) {
+	benchmarkTar(b, sizedOptions{1024, 1024, true, true}, false)
+}
+
+// this is 1024 1k files in the tar archive
+func Benchmark1kFilesTarGzip(b *testing.B) {
+	benchmarkTar(b, sizedOptions{1024, 1024, true, true}, true)
+}
+
+func benchmarkTar(b *testing.B, opts sizedOptions, isGzip bool) {
+	var fh *os.File
+	tarReader := sizedTar(opts)
+	if br, ok := tarReader.(*os.File); ok {
+		fh = br
+	}
+	defer os.Remove(fh.Name())
+	defer fh.Close()
+
+	b.SetBytes(opts.size * opts.num)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		ts, err := NewTarSum(fh, !isGzip, Version0)
+		if err != nil {
+			b.Error(err)
+			return
+		}
+		io.Copy(ioutil.Discard, ts)
+		ts.Sum(nil)
+		fh.Seek(0, 0)
+	}
+}
diff --git a/engine/pkg/tarsum/testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/json b/engine/pkg/tarsum/testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/json
new file mode 100644
index 00000000..48e2af34
--- /dev/null
+++ b/engine/pkg/tarsum/testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/json
@@ -0,0 +1 @@
+{"id":"46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457","parent":"def3f9165934325dfd027c86530b2ea49bb57a0963eb1336b3a0415ff6fd56de","created":"2014-04-07T02:45:52.610504484Z","container":"e0f07f8d72cae171a3dcc35859960e7e956e0628bce6fedc4122bf55b2c287c7","container_config":{"Hostname":"88807319f25e","Domainname":"","User":"","Memory":0,"MemorySwap":0,"CpuShares":0,"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":null,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["HOME=/","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","sed -ri 's/^(%wheel.*)(ALL)$/\\1NOPASSWD: \\2/' /etc/sudoers"],"Image":"def3f9165934325dfd027c86530b2ea49bb57a0963eb1336b3a0415ff6fd56de","Volumes":null,"WorkingDir":"","Entrypoint":null,"NetworkDisabled":false,"OnBuild":[]},"docker_version":"0.9.1-dev","config":{"Hostname":"88807319f25e","Domainname":"","User":"","Memory":0,"MemorySwap":0,"CpuShares":0,"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":null,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["HOME=/","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":null,"Image":"def3f9165934325dfd027c86530b2ea49bb57a0963eb1336b3a0415ff6fd56de","Volumes":null,"WorkingDir":"","Entrypoint":null,"NetworkDisabled":false,"OnBuild":[]},"architecture":"amd64","os":"linux","Size":3425}
\ No newline at end of file
diff --git a/engine/pkg/tarsum/testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/layer.tar b/engine/pkg/tarsum/testdata/46af0962ab5afeb5ce6740d4d91652e69206fc991fd5328c1a94d364ad00e457/layer.tar
new file mode 100644
index 0000000000000000000000000000000000000000..dfd5c204aea77673f13fdd2f81cb4af1c155c00c
GIT binary patch
literal 9216
zcmeHMYfsx)8s=;H6|bl&iYAZ?p-5<1$(y*vYHk~c?XX{vu}|<Bd>fzRr1|&zyvK1!
zQq)nWWVPA}63Myvy*}^F5Qtg*V8=g=M!Ru&adFTnf40B*^q|=~Z#CM@#>M%EgGRH_
zXtfULV#j(J_Jz`34wZgZ*0ym!%kRHL9{_(p&BZRoHJYu)<>loz?$!PU{9Bjp<^i?p
zS)Tg!r=9Az$G@(0Ao6^75%A;qpMSV)ukcqQn%1X5y|oh!_xLmZX`y%GUBmQG;D6af
z{a@yPg@1D=8t(B&ZtcXgE2ck=f9pf*x&ANlU$J}L#UB59rsJ=#>(otde**vZ1?PXJ
z)y|dM<InY9CYzAG>h8z!Kfh=;zN!B|J)*y8)L$Hbq5c2K_rK=l{{8R8czxwV#$Odd
zDsuJ8oS)h8`+U3IsNVOszdy8F?XCC!X1jHMK)Xr!XT8koFP{Hz-;!IxPhJ$Ib48h#
zYv~t}ms6n-7Nk?ki-cxgF4IDhpT@D51d2R$2x=V)%F|Svhif#KI>gHaB|@O7JU(A%
zo>KEP56(cuboN&-&LROexgfmf&txD1^0c9NNVQI5N~dNwm64!nnnQFH317=JF`{vu
zi^$WUtCWHQq4Y!Yy@W{<dJq(dNIaUSSTR`hY#}RB8VT-?d0J$O^&|eBgi?_a9V14V
z5iDX^Y@*TYcqTb@jw|VBhfH^q;%O_Ao)SjOPlheq5_^6q6QR!NE-kQIz-}=WIqL*1
zC<JBV#qi1dOyr@LDIBvCneALgf$!z;J9|PTTEcHZ8hbKPCxjzsL|zc&LP0L!Pz#Tp
zZS=V}`Vjwobb7XHkN;(lUAm^JYS!@4`u4fL<@BDPQ?br!#Gfr=<Sim&-N;EOU;v;@
zjx|ix@O&bC=;Gyz8X|=ju$Vz%J9F`9!mD&R8~0ucsF4G5cDSlhuWOBJG;rJ+p+cR&
z9(cUM<CK15M3~h(!-Jh>oRoV29sUd<=@!~sJ;!ok8>_qYfz|Ch12+9P6$8i`#qvqS
zhsLT-8QL!zwhRx(aXaYF&PwD5LL<VTfEYw};v`s#9N3dD!|`Wl@Cjn;>Om%T#Ds>)
z<wj2ZG?~gr?D;MOgX$^>{YV0A><g8f>qPL*aFLnz9*n<Mw>fyl@!I3_Ss=Y=MKNEA
zG8|$lPj#9`#(W1sgCgK@f)P?2A)0uPB8Gf6TLITOAl@|29e$jAvBox=W-QCrr59N%
zK<cgOvnb$fK<<isCJ`Z9+z^>g$7Xy=69F7QR_X7D_-i2hs*J)6%&RIBr9LDPPP_-?
z-X`DPuwzY(j+Gk=rWL_Msf<o@Sh`8$PKIOalOZy`ng&umRf?#M9aj_)RCl~XMSEba
z*(GsW7zBA;n2izIE$b5Nk93cvQe|OV51p>vvp-prW$3W(MwPPgEZO^EI!{*XIAuLp
zlpj9k85vO{{2kR4hD{4c;~{+QmhNVfq;xeepJc>QQ@QJfEkdQVBbPJuiA~nsv9l~O
zrN&UpxC9i`6;rQ>v?7%WUrr@(gXOs4JE=IN=}4(?RS=2GEd9-ogTEiuP>Fqyb6;vM
ziV-Q;Z|ZT?Vz^rPk?`^}6a`cC_=9V1=*>jc&y0jq{h|=m&BK+Jpv}ea1?sKVi^Gj`
zk<9K<afSZo^ht;eK}<)TVQ+|1+jZPg&$^?Vp*tB^eVc9^cj7w#w#gZcZYSdoeeT*_
zXG}f!z9cz%nddLpbi}opMs5?oE&At#$++4XzC8<Nrq{W*y4^9b<z;7bH?qIOjvpEJ
zdYm9wI$e7(aXvao7-u-(lfG@aw`04H^K$FD$P4%T9Q#9*J!^c&6s2PLzU|v%r^81h
zYh=UN&iw=tKDxof-)A>*;4?gK^?Jl6-g0L4kQcX>OZUHi{>Odi#u~f!gnqSdCpW{f
zGr2q31WO6O$i;nz9#NH-D^8Rv6Xcv%<q8WE*8}lYb8AOC<spYVtr;DzmNN!o5YrJi
zH6D-VA!e7VL=p<9Y1(EOsro*>XFkhmyBsZ;8k2<zQC9=3^jx5I#>ftd;fPtN1v+`G
zPRv~5E)wm1y}~(Py<rXB^sUZ~GqA5a!+zfybkXk2B|0)yM+DPNQRkV%<UnfrWSW^-
zisuGM#}pzpi(%dt4};}kx19gHWKj(|7}}D>9Gw<jmuJ5>K;`;9K2C_2#(Rc=qFBTa
z>?ZUNHvSmq9G9)M%0u+CW!J=jv1~Cl<Gp3=UvEQRhM~x`Cj8Her<-?RNE{T`^xS4^
zRCOh+mK_DFvYyxIxv17?RRS?{m>z-avUIImk%<&=a9uI;2EY~~stiCKTsh|Oow<5;
z$eY1%WV!B_?iFikc)C2TV46YQucl=WfmM#jY|<aIc-gsSK$aQ;G}CE}vx=l#GXe~*
zAMmJ!sf@v6i6td#cwLoiv@EK}iLRT6(FsiBDcjfD#k!Zau-;Nfg$4f4FkcRGWmvDt
z=Jp-&1iaK>_4sK>Njf)j#u#Y{x@V_A!c2<g&{$u4i#-d<G<!=XKJjL&K(7&qNHxy@
kg?Z-W@U2Yzs6gDyoHpqXx84x<+r0<&9@u-}|I!2h0b4xwV*mgE

literal 0
HcmV?d00001

diff --git a/engine/pkg/tarsum/testdata/511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158/json b/engine/pkg/tarsum/testdata/511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158/json
new file mode 100644
index 00000000..af57be01
--- /dev/null
+++ b/engine/pkg/tarsum/testdata/511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158/json
@@ -0,0 +1 @@
+{"id":"511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158","comment":"Imported from -","created":"2013-06-13T14:03:50.821769-07:00","container_config":{"Hostname":"","Domainname":"","User":"","Memory":0,"MemorySwap":0,"CpuShares":0,"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":null,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"","Volumes":null,"WorkingDir":"","Entrypoint":null,"NetworkDisabled":false,"OnBuild":null},"docker_version":"0.4.0","architecture":"x86_64","Size":0}
\ No newline at end of file
diff --git a/engine/pkg/tarsum/testdata/511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158/layer.tar b/engine/pkg/tarsum/testdata/511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158/layer.tar
new file mode 100644
index 0000000000000000000000000000000000000000..880b3f2c56a3e5e42a7db3b7cc020f95c15104a6
GIT binary patch
literal 1536
zcmdPXXP`MSFfcJNH#KE2fB<wFB+6iDWN2z;Vr*z;3{q!qVra~uU`lhB0WBykE=eo`
aT1ly0=$@n0yixt5Aut*Oqai@!5C8x-dJkIw

literal 0
HcmV?d00001

diff --git a/engine/pkg/tarsum/testdata/collision/collision-0.tar b/engine/pkg/tarsum/testdata/collision/collision-0.tar
new file mode 100644
index 0000000000000000000000000000000000000000..1c636b3bc7647b67e25e8258a8b08f577ee7ffd4
GIT binary patch
literal 10240
zcmeIxF$zL441nRxo}x!c``UT|2RBD?tYATKdaa({s_<}mI29`VSyBj1!&j28w~KTR
zZ4tefmh3j@cYc*xM6u4Rv)=pYM6I245~H2xdbhuqnr36<aZa_C^%sBD*KZD8$!V@-
zGxUfI*HIu3w*Mj6&;C31zvH(rt@nrH?!^8t9vl!r009ILKmY**5I_I{1Q0*~0R#|0
Y009ILKmY**5I_I{1Q0*~fqxTt0#kD-)Bpeg

literal 0
HcmV?d00001

diff --git a/engine/pkg/tarsum/testdata/collision/collision-1.tar b/engine/pkg/tarsum/testdata/collision/collision-1.tar
new file mode 100644
index 0000000000000000000000000000000000000000..b411be9785765b4dd9a4131e409bbfa6c1830ee4
GIT binary patch
literal 10240
zcmeIxF$zL441nRxo}x!c``UT|2RBD?tYATKdaa({s_<}mI29`VSyBj1!&j28w~KTR
zZ4tefmh3j@cYc*xM6u4Rv)+ebMXjCGiP6q;z1!bQO|vobIHy|6`isBn>o<q4><`D?
zX*2YQ4A)U054Qh4y3hVk?0?5^Us~rh*TViU9vl!r009ILKmY**5I_I{1Q0*~0R#|0
Y009ILKmY**5I_I{1Q0*~fqxTt0{2EK)Bpeg

literal 0
HcmV?d00001

diff --git a/engine/pkg/tarsum/testdata/collision/collision-2.tar b/engine/pkg/tarsum/testdata/collision/collision-2.tar
new file mode 100644
index 0000000000000000000000000000000000000000..7b5c04a9644808851fcccab5c3c240bf342abd93
GIT binary patch
literal 10240
zcmeIuF%E+;425COJw=XS2L~?Dp<74P5hRe1I+e8NZ(w35>V(Abzr};)<mnry=O711
zOKNv1!<wYqxvWZRvFIAjJtY%0t29c`gL|#dzvtY&LXc12<vj2I_;0^|dFsvW-d-P<
zQ&*%M0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0tg_0zz=~h
D#i|sa

literal 0
HcmV?d00001

diff --git a/engine/pkg/tarsum/testdata/collision/collision-3.tar b/engine/pkg/tarsum/testdata/collision/collision-3.tar
new file mode 100644
index 0000000000000000000000000000000000000000..f8c64586d2dcc4d38a87df60e86658d38ff39c92
GIT binary patch
literal 10240
zcmeIuF%E+;425COJw=XS2NTW{q#_|Pk-+&$J9PkcLSp#e;=ywA^iA{fmYbt3$z9s8
zq1WH}S+yjw=o-!4QxrApw3DDW_xe7+m73QOWFK>_<@(2e`|Ha`Z>GG~@_KYd${~ON
w0tg_000IagfB*srAb<b@2q1s}0tg_000IagfB*srAb<b@2q1s}0tlQ495R;`HUIzs

literal 0
HcmV?d00001

diff --git a/engine/pkg/tarsum/testdata/xattr/json b/engine/pkg/tarsum/testdata/xattr/json
new file mode 100644
index 00000000..288441a9
--- /dev/null
+++ b/engine/pkg/tarsum/testdata/xattr/json
@@ -0,0 +1 @@
+{"id":"4439c3c7f847954100b42b267e7e5529cac1d6934db082f65795c5ca2e594d93","parent":"73b164f4437db87e96e90083c73a6592f549646ae2ec00ed33c6b9b49a5c4470","created":"2014-05-16T17:19:44.091534414Z","container":"5f92fb06cc58f357f0cde41394e2bbbb664e663974b2ac1693ab07b7a306749b","container_config":{"Hostname":"9565c6517a0e","Domainname":"","User":"","Memory":0,"MemorySwap":0,"CpuShares":0,"Cpuset":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":null,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["HOME=/","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","setcap 'cap_setgid,cap_setuid+ep' ./file \u0026\u0026 getcap ./file"],"Image":"73b164f4437db87e96e90083c73a6592f549646ae2ec00ed33c6b9b49a5c4470","Volumes":null,"WorkingDir":"","Entrypoint":null,"NetworkDisabled":false,"OnBuild":[]},"docker_version":"0.11.1-dev","config":{"Hostname":"9565c6517a0e","Domainname":"","User":"","Memory":0,"MemorySwap":0,"CpuShares":0,"Cpuset":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":null,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["HOME=/","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":null,"Image":"73b164f4437db87e96e90083c73a6592f549646ae2ec00ed33c6b9b49a5c4470","Volumes":null,"WorkingDir":"","Entrypoint":null,"NetworkDisabled":false,"OnBuild":[]},"architecture":"amd64","os":"linux","Size":0}
\ No newline at end of file
diff --git a/engine/pkg/tarsum/testdata/xattr/layer.tar b/engine/pkg/tarsum/testdata/xattr/layer.tar
new file mode 100644
index 0000000000000000000000000000000000000000..819351d42f41430bf402b3c672b571e3eaf8b095
GIT binary patch
literal 2560
zcmWGYtnf%pOi3*&)-yCRu(Z@q%gjk-pe`_g00tbifq}UpgQ1bJv8joPiJ_SpgMp!u
zxuGe8LIri5f!(yy;*!K7pwqC+5-*DGIpTE=s7h0Fg<xk7PoGG=io}wVBE90&<kF(d
zl1jbg#Dc`6%p4%omXU#h=>VE5xzPBd+@To)G|2840byWhU|?oqf;;~Mb02E{2kHRk
de~R-YhD)#rjPU%AB}7JrMnhmU1V%^*0091(G-Ch&

literal 0
HcmV?d00001

diff --git a/engine/pkg/tarsum/versioning.go b/engine/pkg/tarsum/versioning.go
new file mode 100644
index 00000000..aa1f1718
--- /dev/null
+++ b/engine/pkg/tarsum/versioning.go
@@ -0,0 +1,158 @@
+package tarsum // import "github.com/docker/docker/pkg/tarsum"
+
+import (
+	"archive/tar"
+	"errors"
+	"io"
+	"sort"
+	"strconv"
+	"strings"
+)
+
+// Version is used for versioning of the TarSum algorithm
+// based on the prefix of the hash used
+// i.e. "tarsum+sha256:e58fcf7418d4390dec8e8fb69d88c06ec07039d651fedd3aa72af9972e7d046b"
+type Version int
+
+// Prefix of "tarsum"
+const (
+	Version0 Version = iota
+	Version1
+	// VersionDev this constant will be either the latest or an unsettled next-version of the TarSum calculation
+	VersionDev
+)
+
+// WriteV1Header writes a tar header to a writer in V1 tarsum format.
+func WriteV1Header(h *tar.Header, w io.Writer) {
+	for _, elem := range v1TarHeaderSelect(h) {
+		w.Write([]byte(elem[0] + elem[1]))
+	}
+}
+
+// VersionLabelForChecksum returns the label for the given tarsum
+// checksum, i.e., everything before the first `+` character in
+// the string or an empty string if no label separator is found.
+func VersionLabelForChecksum(checksum string) string {
+	// Checksums are in the form: {versionLabel}+{hashID}:{hex}
+	sepIndex := strings.Index(checksum, "+")
+	if sepIndex < 0 {
+		return ""
+	}
+	return checksum[:sepIndex]
+}
+
+// GetVersions gets a list of all known tarsum versions.
+func GetVersions() []Version {
+	v := []Version{}
+	for k := range tarSumVersions {
+		v = append(v, k)
+	}
+	return v
+}
+
+var (
+	tarSumVersions = map[Version]string{
+		Version0:   "tarsum",
+		Version1:   "tarsum.v1",
+		VersionDev: "tarsum.dev",
+	}
+	tarSumVersionsByName = map[string]Version{
+		"tarsum":     Version0,
+		"tarsum.v1":  Version1,
+		"tarsum.dev": VersionDev,
+	}
+)
+
+func (tsv Version) String() string {
+	return tarSumVersions[tsv]
+}
+
+// GetVersionFromTarsum returns the Version from the provided string.
+func GetVersionFromTarsum(tarsum string) (Version, error) {
+	tsv := tarsum
+	if strings.Contains(tarsum, "+") {
+		tsv = strings.SplitN(tarsum, "+", 2)[0]
+	}
+	for v, s := range tarSumVersions {
+		if s == tsv {
+			return v, nil
+		}
+	}
+	return -1, ErrNotVersion
+}
+
+// Errors that may be returned by functions in this package
+var (
+	ErrNotVersion            = errors.New("string does not include a TarSum Version")
+	ErrVersionNotImplemented = errors.New("TarSum Version is not yet implemented")
+)
+
+// tarHeaderSelector is the interface which different versions
+// of tarsum should use for selecting and ordering tar headers
+// for each item in the archive.
+type tarHeaderSelector interface {
+	selectHeaders(h *tar.Header) (orderedHeaders [][2]string)
+}
+
+type tarHeaderSelectFunc func(h *tar.Header) (orderedHeaders [][2]string)
+
+func (f tarHeaderSelectFunc) selectHeaders(h *tar.Header) (orderedHeaders [][2]string) {
+	return f(h)
+}
+
+func v0TarHeaderSelect(h *tar.Header) (orderedHeaders [][2]string) {
+	return [][2]string{
+		{"name", h.Name},
+		{"mode", strconv.FormatInt(h.Mode, 10)},
+		{"uid", strconv.Itoa(h.Uid)},
+		{"gid", strconv.Itoa(h.Gid)},
+		{"size", strconv.FormatInt(h.Size, 10)},
+		{"mtime", strconv.FormatInt(h.ModTime.UTC().Unix(), 10)},
+		{"typeflag", string([]byte{h.Typeflag})},
+		{"linkname", h.Linkname},
+		{"uname", h.Uname},
+		{"gname", h.Gname},
+		{"devmajor", strconv.FormatInt(h.Devmajor, 10)},
+		{"devminor", strconv.FormatInt(h.Devminor, 10)},
+	}
+}
+
+func v1TarHeaderSelect(h *tar.Header) (orderedHeaders [][2]string) {
+	// Get extended attributes.
+	xAttrKeys := make([]string, len(h.Xattrs))
+	for k := range h.Xattrs {
+		xAttrKeys = append(xAttrKeys, k)
+	}
+	sort.Strings(xAttrKeys)
+
+	// Make the slice with enough capacity to hold the 11 basic headers
+	// we want from the v0 selector plus however many xattrs we have.
+	orderedHeaders = make([][2]string, 0, 11+len(xAttrKeys))
+
+	// Copy all headers from v0 excluding the 'mtime' header (the 5th element).
+	v0headers := v0TarHeaderSelect(h)
+	orderedHeaders = append(orderedHeaders, v0headers[0:5]...)
+	orderedHeaders = append(orderedHeaders, v0headers[6:]...)
+
+	// Finally, append the sorted xattrs.
+	for _, k := range xAttrKeys {
+		orderedHeaders = append(orderedHeaders, [2]string{k, h.Xattrs[k]})
+	}
+
+	return
+}
+
+var registeredHeaderSelectors = map[Version]tarHeaderSelectFunc{
+	Version0:   v0TarHeaderSelect,
+	Version1:   v1TarHeaderSelect,
+	VersionDev: v1TarHeaderSelect,
+}
+
+func getTarHeaderSelector(v Version) (tarHeaderSelector, error) {
+	headerSelector, ok := registeredHeaderSelectors[v]
+	if !ok {
+		return nil, ErrVersionNotImplemented
+	}
+
+	return headerSelector, nil
+}
diff --git a/engine/pkg/tarsum/versioning_test.go b/engine/pkg/tarsum/versioning_test.go
new file mode 100644
index 00000000..79b9cc91
--- /dev/null
+++ b/engine/pkg/tarsum/versioning_test.go
@@ -0,0 +1,98 @@
+package tarsum // import "github.com/docker/docker/pkg/tarsum"
+
+import (
+	"testing"
+)
+
+func TestVersionLabelForChecksum(t *testing.T) {
+	version := VersionLabelForChecksum("tarsum+sha256:deadbeef")
+	if version != "tarsum" {
+		t.Fatalf("Version should have been 'tarsum', was %v", version)
+	}
+	version = VersionLabelForChecksum("tarsum.v1+sha256:deadbeef")
+	if version != "tarsum.v1" {
+		t.Fatalf("Version should have been 'tarsum.v1', was %v", version)
+	}
+	version = VersionLabelForChecksum("something+somethingelse")
+	if version != "something" {
+		t.Fatalf("Version should have been 'something', was %v", version)
+	}
+	version = VersionLabelForChecksum("invalidChecksum")
+	if version != "" {
+		t.Fatalf("Version should have been empty, was %v", version)
+	}
+}
+
+func TestVersion(t *testing.T) {
+	expected := "tarsum"
+	var v Version
+	if v.String() != expected {
+		t.Errorf("expected %q, got %q", expected, v.String())
+	}
+
+	expected = "tarsum.v1"
+	v = 1
+	if v.String() != expected {
+		t.Errorf("expected %q, got %q", expected, v.String())
+	}
+
+	expected = "tarsum.dev"
+	v = 2
+	if v.String() != expected {
+		t.Errorf("expected %q, got %q", expected, v.String())
+	}
+}
+
+func TestGetVersion(t *testing.T) {
+	testSet := []struct {
+		Str      string
+		Expected Version
+	}{
+		{"tarsum+sha256:e58fcf7418d4390dec8e8fb69d88c06ec07039d651fedd3aa72af9972e7d046b", Version0},
+		{"tarsum+sha256", Version0},
+		{"tarsum", Version0},
+		{"tarsum.dev", VersionDev},
+		{"tarsum.dev+sha256:deadbeef", VersionDev},
+	}
+
+	for _, ts := range testSet {
+		v, err := GetVersionFromTarsum(ts.Str)
+		if err != nil {
+			t.Fatalf("%q : %s", err, ts.Str)
+		}
+		if v != ts.Expected {
+			t.Errorf("expected %d (%q), got %d (%q)", ts.Expected, ts.Expected, v, v)
+		}
+	}
+
+	// test one that does not exist, to ensure it errors
+	str := "weak+md5:abcdeabcde"
+	_, err := GetVersionFromTarsum(str)
+	if err != ErrNotVersion {
+		t.Fatalf("%q : %s", err, str)
+	}
+}
+
+func TestGetVersions(t *testing.T) {
+	expected := []Version{
+		Version0,
+		Version1,
+		VersionDev,
+	}
+	versions := GetVersions()
+	if len(versions) != len(expected) {
+		t.Fatalf("Expected %v versions, got %v", len(expected), len(versions))
+	}
+	if !containsVersion(versions, expected[0]) || !containsVersion(versions, expected[1]) || !containsVersion(versions, expected[2]) {
+		t.Fatalf("Expected [%v], got [%v]", expected, versions)
+	}
+}
+
+func containsVersion(versions []Version, version Version) bool {
+	for _, v := range versions {
+		if v == version {
+			return true
+		}
+	}
+	return false
+}
diff --git a/engine/pkg/tarsum/writercloser.go b/engine/pkg/tarsum/writercloser.go
new file mode 100644
index 00000000..c4c45a35
--- /dev/null
+++ b/engine/pkg/tarsum/writercloser.go
@@ -0,0 +1,22 @@
+package tarsum // import "github.com/docker/docker/pkg/tarsum"
+
+import (
+	"io"
+)
+
+type writeCloseFlusher interface {
+	io.WriteCloser
+	Flush() error
+}
+
+type nopCloseFlusher struct {
+	io.Writer
+}
+
+func (n *nopCloseFlusher) Close() error {
+	return nil
+}
+
+func (n *nopCloseFlusher) Flush() error {
+	return nil
+}
diff --git a/engine/pkg/term/ascii.go b/engine/pkg/term/ascii.go
new file mode 100644
index 00000000..87bca8d4
--- /dev/null
+++ b/engine/pkg/term/ascii.go
@@ -0,0 +1,66 @@
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"fmt"
+	"strings"
+)
+
+// ASCII list the possible supported ASCII key sequence
+var ASCII = []string{
+	"ctrl-@",
+	"ctrl-a",
+	"ctrl-b",
+	"ctrl-c",
+	"ctrl-d",
+	"ctrl-e",
+	"ctrl-f",
+	"ctrl-g",
+	"ctrl-h",
+	"ctrl-i",
+	"ctrl-j",
+	"ctrl-k",
+	"ctrl-l",
+	"ctrl-m",
+	"ctrl-n",
+	"ctrl-o",
+	"ctrl-p",
+	"ctrl-q",
+	"ctrl-r",
+	"ctrl-s",
+	"ctrl-t",
+	"ctrl-u",
+	"ctrl-v",
+	"ctrl-w",
+	"ctrl-x",
+	"ctrl-y",
+	"ctrl-z",
+	"ctrl-[",
+	"ctrl-\\",
+	"ctrl-]",
+	"ctrl-^",
+	"ctrl-_",
+}
+
+// ToBytes converts a string representing a suite of key-sequence to the corresponding ASCII code.
+func ToBytes(keys string) ([]byte, error) {
+	codes := []byte{}
+next:
+	for _, key := range strings.Split(keys, ",") {
+		if len(key) != 1 {
+			for code, ctrl := range ASCII {
+				if ctrl == key {
+					codes = append(codes, byte(code))
+					continue next
+				}
+			}
+			if key == "DEL" {
+				codes = append(codes, 127)
+			} else {
+				return nil, fmt.Errorf("Unknown character: '%s'", key)
+			}
+		} else {
+			codes = append(codes, key[0])
+		}
+	}
+	return codes, nil
+}
diff --git a/engine/pkg/term/ascii_test.go b/engine/pkg/term/ascii_test.go
new file mode 100644
index 00000000..665ab155
--- /dev/null
+++ b/engine/pkg/term/ascii_test.go
@@ -0,0 +1,25 @@
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestToBytes(t *testing.T) {
+	codes, err := ToBytes("ctrl-a,a")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]byte{1, 97}, codes))
+
+	_, err = ToBytes("shift-z")
+	assert.Check(t, is.ErrorContains(err, ""))
+
+	codes, err = ToBytes("ctrl-@,ctrl-[,~,ctrl-o")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]byte{0, 27, 126, 15}, codes))
+
+	codes, err = ToBytes("DEL,+")
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual([]byte{127, 43}, codes))
+}
diff --git a/engine/pkg/term/proxy.go b/engine/pkg/term/proxy.go
new file mode 100644
index 00000000..da733e58
--- /dev/null
+++ b/engine/pkg/term/proxy.go
@@ -0,0 +1,78 @@
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"io"
+)
+
+// EscapeError is special error which returned by a TTY proxy reader's Read()
+// method in case its detach escape sequence is read.
+type EscapeError struct{}
+
+func (EscapeError) Error() string {
+	return "read escape sequence"
+}
+
+// escapeProxy is used only for attaches with a TTY. It is used to proxy
+// stdin keypresses from the underlying reader and look for the passed in
+// escape key sequence to signal a detach.
+type escapeProxy struct {
+	escapeKeys   []byte
+	escapeKeyPos int
+	r            io.Reader
+}
+
+// NewEscapeProxy returns a new TTY proxy reader which wraps the given reader
+// and detects when the specified escape keys are read, in which case the Read
+// method will return an error of type EscapeError.
+func NewEscapeProxy(r io.Reader, escapeKeys []byte) io.Reader {
+	return &escapeProxy{
+		escapeKeys: escapeKeys,
+		r:          r,
+	}
+}
+
+func (r *escapeProxy) Read(buf []byte) (int, error) {
+	nr, err := r.r.Read(buf)
+
+	if len(r.escapeKeys) == 0 {
+		return nr, err
+	}
+
+	preserve := func() {
+		// this preserves the original key presses in the passed in buffer
+		nr += r.escapeKeyPos
+		preserve := make([]byte, 0, r.escapeKeyPos+len(buf))
+		preserve = append(preserve, r.escapeKeys[:r.escapeKeyPos]...)
+		preserve = append(preserve, buf...)
+		r.escapeKeyPos = 0
+		copy(buf[0:nr], preserve)
+	}
+
+	if nr != 1 || err != nil {
+		if r.escapeKeyPos > 0 {
+			preserve()
+		}
+		return nr, err
+	}
+
+	if buf[0] != r.escapeKeys[r.escapeKeyPos] {
+		if r.escapeKeyPos > 0 {
+			preserve()
+		}
+		return nr, nil
+	}
+
+	if r.escapeKeyPos == len(r.escapeKeys)-1 {
+		return 0, EscapeError{}
+	}
+
+	// Looks like we've got an escape key, but we need to match again on the next
+	// read.
+	// Store the current escape key we found so we can look for the next one on
+	// the next read.
+	// Since this is an escape key, make sure we don't let the caller read it
+	// If later on we find that this is not the escape sequence, we'll add the
+	// keys back
+	r.escapeKeyPos++
+	return nr - r.escapeKeyPos, nil
+}
diff --git a/engine/pkg/term/proxy_test.go b/engine/pkg/term/proxy_test.go
new file mode 100644
index 00000000..df588fe1
--- /dev/null
+++ b/engine/pkg/term/proxy_test.go
@@ -0,0 +1,115 @@
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"bytes"
+	"fmt"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestEscapeProxyRead(t *testing.T) {
+	escapeKeys, _ := ToBytes("")
+	keys, _ := ToBytes("a")
+	reader := NewEscapeProxy(bytes.NewReader(keys), escapeKeys)
+	buf := make([]byte, len(keys))
+	nr, err := reader.Read(buf)
+	assert.NilError(t, err)
+	assert.Equal(t, nr, len(keys), fmt.Sprintf("nr %d should be equal to the number of %d", nr, len(keys)))
+	assert.DeepEqual(t, keys, buf)
+
+	keys, _ = ToBytes("a,b,c")
+	reader = NewEscapeProxy(bytes.NewReader(keys), escapeKeys)
+	buf = make([]byte, len(keys))
+	nr, err = reader.Read(buf)
+	assert.NilError(t, err)
+	assert.Equal(t, nr, len(keys), fmt.Sprintf("nr %d should be equal to the number of %d", nr, len(keys)))
+	assert.DeepEqual(t, keys, buf)
+
+	keys, _ = ToBytes("")
+	reader = NewEscapeProxy(bytes.NewReader(keys), escapeKeys)
+	buf = make([]byte, len(keys))
+	nr, err = reader.Read(buf)
+	assert.Assert(t, is.ErrorContains(err, ""), "Should throw error when no keys are to read")
+	assert.Equal(t, nr, 0, "nr should be zero")
+	assert.Check(t, is.Len(keys, 0))
+	assert.Check(t, is.Len(buf, 0))
+
+	escapeKeys, _ = ToBytes("DEL")
+	keys, _ = ToBytes("a,b,c,+")
+	reader = NewEscapeProxy(bytes.NewReader(keys), escapeKeys)
+	buf = make([]byte, len(keys))
+	nr, err = reader.Read(buf)
+	assert.NilError(t, err)
+	assert.Equal(t, nr, len(keys), fmt.Sprintf("nr %d should be equal to the number of %d", nr, len(keys)))
+	assert.DeepEqual(t, keys, buf)
+
+	keys, _ = ToBytes("")
+	reader = NewEscapeProxy(bytes.NewReader(keys), escapeKeys)
+	buf = make([]byte, len(keys))
+	nr, err = reader.Read(buf)
+	assert.Assert(t, is.ErrorContains(err, ""), "Should throw error when no keys are to read")
+	assert.Equal(t, nr, 0, "nr should be zero")
+	assert.Check(t, is.Len(keys, 0))
+	assert.Check(t, is.Len(buf, 0))
+
+	escapeKeys, _ = ToBytes("ctrl-x,ctrl-@")
+	keys, _ = ToBytes("DEL")
+	reader = NewEscapeProxy(bytes.NewReader(keys), escapeKeys)
+	buf = make([]byte, len(keys))
+	nr, err = reader.Read(buf)
+	assert.NilError(t, err)
+	assert.Equal(t, nr, 1, fmt.Sprintf("nr %d should be equal to the number of 1", nr))
+	assert.DeepEqual(t, keys, buf)
+
+	escapeKeys, _ = ToBytes("ctrl-c")
+	keys, _ = ToBytes("ctrl-c")
+	reader = NewEscapeProxy(bytes.NewReader(keys), escapeKeys)
+	buf = make([]byte, len(keys))
+	nr, err = reader.Read(buf)
+	assert.Error(t, err, "read escape sequence")
+	assert.Equal(t, nr, 0, "nr should be equal to 0")
+	assert.DeepEqual(t, keys, buf)
+
+	escapeKeys, _ = ToBytes("ctrl-c,ctrl-z")
+	keys, _ = ToBytes("ctrl-c,ctrl-z")
+	reader = NewEscapeProxy(bytes.NewReader(keys), escapeKeys)
+	buf = make([]byte, 1)
+	nr, err = reader.Read(buf)
+	assert.NilError(t, err)
+	assert.Equal(t, nr, 0, "nr should be equal to 0")
+	assert.DeepEqual(t, keys[0:1], buf)
+	nr, err = reader.Read(buf)
+	assert.Error(t, err, "read escape sequence")
+	assert.Equal(t, nr, 0, "nr should be equal to 0")
+	assert.DeepEqual(t, keys[1:], buf)
+
+	escapeKeys, _ = ToBytes("ctrl-c,ctrl-z")
+	keys, _ = ToBytes("ctrl-c,DEL,+")
+	reader = NewEscapeProxy(bytes.NewReader(keys), escapeKeys)
+	buf = make([]byte, 1)
+	nr, err = reader.Read(buf)
+	assert.NilError(t, err)
+	assert.Equal(t, nr, 0, "nr should be equal to 0")
+	assert.DeepEqual(t, keys[0:1], buf)
+	buf = make([]byte, len(keys))
+	nr, err = reader.Read(buf)
+	assert.NilError(t, err)
+	assert.Equal(t, nr, len(keys), fmt.Sprintf("nr should be equal to %d", len(keys)))
+	assert.DeepEqual(t, keys, buf)
+
+	escapeKeys, _ = ToBytes("ctrl-c,ctrl-z")
+	keys, _ = ToBytes("ctrl-c,DEL")
+	reader = NewEscapeProxy(bytes.NewReader(keys), escapeKeys)
+	buf = make([]byte, 1)
+	nr, err = reader.Read(buf)
+	assert.NilError(t, err)
+	assert.Equal(t, nr, 0, "nr should be equal to 0")
+	assert.DeepEqual(t, keys[0:1], buf)
+	buf = make([]byte, len(keys))
+	nr, err = reader.Read(buf)
+	assert.NilError(t, err)
+	assert.Equal(t, nr, len(keys), fmt.Sprintf("nr should be equal to %d", len(keys)))
+	assert.DeepEqual(t, keys, buf)
+}
diff --git a/engine/pkg/term/tc.go b/engine/pkg/term/tc.go
new file mode 100644
index 00000000..01bcaa8a
--- /dev/null
+++ b/engine/pkg/term/tc.go
@@ -0,0 +1,20 @@
+// +build !windows
+
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+func tcget(fd uintptr, p *Termios) syscall.Errno {
+	_, _, err := unix.Syscall(unix.SYS_IOCTL, fd, uintptr(getTermios), uintptr(unsafe.Pointer(p)))
+	return err
+}
+
+func tcset(fd uintptr, p *Termios) syscall.Errno {
+	_, _, err := unix.Syscall(unix.SYS_IOCTL, fd, setTermios, uintptr(unsafe.Pointer(p)))
+	return err
+}
diff --git a/engine/pkg/term/term.go b/engine/pkg/term/term.go
new file mode 100644
index 00000000..0589a955
--- /dev/null
+++ b/engine/pkg/term/term.go
@@ -0,0 +1,124 @@
+// +build !windows
+
+// Package term provides structures and helper functions to work with
+// terminal (state, sizes).
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/signal"
+
+	"golang.org/x/sys/unix"
+)
+
+var (
+	// ErrInvalidState is returned if the state of the terminal is invalid.
+	ErrInvalidState = errors.New("Invalid terminal state")
+)
+
+// State represents the state of the terminal.
+type State struct {
+	termios Termios
+}
+
+// Winsize represents the size of the terminal window.
+type Winsize struct {
+	Height uint16
+	Width  uint16
+	x      uint16
+	y      uint16
+}
+
+// StdStreams returns the standard streams (stdin, stdout, stderr).
+func StdStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) {
+	return os.Stdin, os.Stdout, os.Stderr
+}
+
+// GetFdInfo returns the file descriptor for an os.File and indicates whether the file represents a terminal.
+func GetFdInfo(in interface{}) (uintptr, bool) {
+	var inFd uintptr
+	var isTerminalIn bool
+	if file, ok := in.(*os.File); ok {
+		inFd = file.Fd()
+		isTerminalIn = IsTerminal(inFd)
+	}
+	return inFd, isTerminalIn
+}
+
+// IsTerminal returns true if the given file descriptor is a terminal.
+func IsTerminal(fd uintptr) bool {
+	var termios Termios
+	return tcget(fd, &termios) == 0
+}
+
+// RestoreTerminal restores the terminal connected to the given file descriptor
+// to a previous state.
+func RestoreTerminal(fd uintptr, state *State) error {
+	if state == nil {
+		return ErrInvalidState
+	}
+	if err := tcset(fd, &state.termios); err != 0 {
+		return err
+	}
+	return nil
+}
+
+// SaveState saves the state of the terminal connected to the given file descriptor.
+func SaveState(fd uintptr) (*State, error) {
+	var oldState State
+	if err := tcget(fd, &oldState.termios); err != 0 {
+		return nil, err
+	}
+
+	return &oldState, nil
+}
+
+// DisableEcho applies the specified state to the terminal connected to the file
+// descriptor, with echo disabled.
+func DisableEcho(fd uintptr, state *State) error {
+	newState := state.termios
+	newState.Lflag &^= unix.ECHO
+
+	if err := tcset(fd, &newState); err != 0 {
+		return err
+	}
+	handleInterrupt(fd, state)
+	return nil
+}
+
+// SetRawTerminal puts the terminal connected to the given file descriptor into
+// raw mode and returns the previous state. On UNIX, this puts both the input
+// and output into raw mode. On Windows, it only puts the input into raw mode.
+func SetRawTerminal(fd uintptr) (*State, error) {
+	oldState, err := MakeRaw(fd)
+	if err != nil {
+		return nil, err
+	}
+	handleInterrupt(fd, oldState)
+	return oldState, err
+}
+
+// SetRawTerminalOutput puts the output of terminal connected to the given file
+// descriptor into raw mode. On UNIX, this does nothing and returns nil for the
+// state. On Windows, it disables LF -> CRLF translation.
+func SetRawTerminalOutput(fd uintptr) (*State, error) {
+	return nil, nil
+}
+
+func handleInterrupt(fd uintptr, state *State) {
+	sigchan := make(chan os.Signal, 1)
+	signal.Notify(sigchan, os.Interrupt)
+	go func() {
+		for range sigchan {
+			// quit cleanly and the new terminal item is on a new line
+			fmt.Println()
+			signal.Stop(sigchan)
+			close(sigchan)
+			RestoreTerminal(fd, state)
+			os.Exit(1)
+		}
+	}()
+}
diff --git a/engine/pkg/term/term_linux_test.go b/engine/pkg/term/term_linux_test.go
new file mode 100644
index 00000000..272395a1
--- /dev/null
+++ b/engine/pkg/term/term_linux_test.go
@@ -0,0 +1,117 @@
+//+build linux
+
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"gotest.tools/assert"
+)
+
+// RequiresRoot skips tests that require root, unless the test.root flag has
+// been set
+func RequiresRoot(t *testing.T) {
+	if os.Getuid() != 0 {
+		t.Skip("skipping test that requires root")
+		return
+	}
+}
+
+func newTtyForTest(t *testing.T) (*os.File, error) {
+	RequiresRoot(t)
+	return os.OpenFile("/dev/tty", os.O_RDWR, os.ModeDevice)
+}
+
+func newTempFile() (*os.File, error) {
+	return ioutil.TempFile(os.TempDir(), "temp")
+}
+
+func TestGetWinsize(t *testing.T) {
+	tty, err := newTtyForTest(t)
+	defer tty.Close()
+	assert.NilError(t, err)
+	winSize, err := GetWinsize(tty.Fd())
+	assert.NilError(t, err)
+	assert.Assert(t, winSize != nil)
+
+	newSize := Winsize{Width: 200, Height: 200, x: winSize.x, y: winSize.y}
+	err = SetWinsize(tty.Fd(), &newSize)
+	assert.NilError(t, err)
+	winSize, err = GetWinsize(tty.Fd())
+	assert.NilError(t, err)
+	assert.DeepEqual(t, *winSize, newSize, cmpWinsize)
+}
+
+var cmpWinsize = cmp.AllowUnexported(Winsize{})
+
+func TestSetWinsize(t *testing.T) {
+	tty, err := newTtyForTest(t)
+	defer tty.Close()
+	assert.NilError(t, err)
+	winSize, err := GetWinsize(tty.Fd())
+	assert.NilError(t, err)
+	assert.Assert(t, winSize != nil)
+	newSize := Winsize{Width: 200, Height: 200, x: winSize.x, y: winSize.y}
+	err = SetWinsize(tty.Fd(), &newSize)
+	assert.NilError(t, err)
+	winSize, err = GetWinsize(tty.Fd())
+	assert.NilError(t, err)
+	assert.DeepEqual(t, *winSize, newSize, cmpWinsize)
+}
+
+func TestGetFdInfo(t *testing.T) {
+	tty, err := newTtyForTest(t)
+	defer tty.Close()
+	assert.NilError(t, err)
+	inFd, isTerminal := GetFdInfo(tty)
+	assert.Equal(t, inFd, tty.Fd())
+	assert.Equal(t, isTerminal, true)
+	tmpFile, err := newTempFile()
+	assert.NilError(t, err)
+	defer tmpFile.Close()
+	inFd, isTerminal = GetFdInfo(tmpFile)
+	assert.Equal(t, inFd, tmpFile.Fd())
+	assert.Equal(t, isTerminal, false)
+}
+
+func TestIsTerminal(t *testing.T) {
+	tty, err := newTtyForTest(t)
+	defer tty.Close()
+	assert.NilError(t, err)
+	isTerminal := IsTerminal(tty.Fd())
+	assert.Equal(t, isTerminal, true)
+	tmpFile, err := newTempFile()
+	assert.NilError(t, err)
+	defer tmpFile.Close()
+	isTerminal = IsTerminal(tmpFile.Fd())
+	assert.Equal(t, isTerminal, false)
+}
+
+func TestSaveState(t *testing.T) {
+	tty, err := newTtyForTest(t)
+	defer tty.Close()
+	assert.NilError(t, err)
+	state, err := SaveState(tty.Fd())
+	assert.NilError(t, err)
+	assert.Assert(t, state != nil)
+	tty, err = newTtyForTest(t)
+	assert.NilError(t, err)
+	defer tty.Close()
+	err = RestoreTerminal(tty.Fd(), state)
+	assert.NilError(t, err)
+}
+
+func TestDisableEcho(t *testing.T) {
+	tty, err := newTtyForTest(t)
+	defer tty.Close()
+	assert.NilError(t, err)
+	state, err := SetRawTerminal(tty.Fd())
+	defer RestoreTerminal(tty.Fd(), state)
+	assert.NilError(t, err)
+	assert.Assert(t, state != nil)
+	err = DisableEcho(tty.Fd(), state)
+	assert.NilError(t, err)
+}
diff --git a/engine/pkg/term/term_windows.go b/engine/pkg/term/term_windows.go
new file mode 100644
index 00000000..64ead3c5
--- /dev/null
+++ b/engine/pkg/term/term_windows.go
@@ -0,0 +1,228 @@
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"io"
+	"os"
+	"os/signal"
+	"syscall" // used for STD_INPUT_HANDLE, STD_OUTPUT_HANDLE and STD_ERROR_HANDLE
+
+	"github.com/Azure/go-ansiterm/winterm"
+	"github.com/docker/docker/pkg/term/windows"
+)
+
+// State holds the console mode for the terminal.
+type State struct {
+	mode uint32
+}
+
+// Winsize is used for window size.
+type Winsize struct {
+	Height uint16
+	Width  uint16
+}
+
+// vtInputSupported is true if winterm.ENABLE_VIRTUAL_TERMINAL_INPUT is supported by the console
+var vtInputSupported bool
+
+// StdStreams returns the standard streams (stdin, stdout, stderr).
+func StdStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) {
+	// Turn on VT handling on all std handles, if possible. This might
+	// fail, in which case we will fall back to terminal emulation.
+	var emulateStdin, emulateStdout, emulateStderr bool
+	fd := os.Stdin.Fd()
+	if mode, err := winterm.GetConsoleMode(fd); err == nil {
+		// Validate that winterm.ENABLE_VIRTUAL_TERMINAL_INPUT is supported, but do not set it.
+		if err = winterm.SetConsoleMode(fd, mode|winterm.ENABLE_VIRTUAL_TERMINAL_INPUT); err != nil {
+			emulateStdin = true
+		} else {
+			vtInputSupported = true
+		}
+		// Unconditionally set the console mode back even on failure because SetConsoleMode
+		// remembers invalid bits on input handles.
+		winterm.SetConsoleMode(fd, mode)
+	}
+
+	fd = os.Stdout.Fd()
+	if mode, err := winterm.GetConsoleMode(fd); err == nil {
+		// Validate winterm.DISABLE_NEWLINE_AUTO_RETURN is supported, but do not set it.
+		if err = winterm.SetConsoleMode(fd, mode|winterm.ENABLE_VIRTUAL_TERMINAL_PROCESSING|winterm.DISABLE_NEWLINE_AUTO_RETURN); err != nil {
+			emulateStdout = true
+		} else {
+			winterm.SetConsoleMode(fd, mode|winterm.ENABLE_VIRTUAL_TERMINAL_PROCESSING)
+		}
+	}
+
+	fd = os.Stderr.Fd()
+	if mode, err := winterm.GetConsoleMode(fd); err == nil {
+		// Validate winterm.DISABLE_NEWLINE_AUTO_RETURN is supported, but do not set it.
+		if err = winterm.SetConsoleMode(fd, mode|winterm.ENABLE_VIRTUAL_TERMINAL_PROCESSING|winterm.DISABLE_NEWLINE_AUTO_RETURN); err != nil {
+			emulateStderr = true
+		} else {
+			winterm.SetConsoleMode(fd, mode|winterm.ENABLE_VIRTUAL_TERMINAL_PROCESSING)
+		}
+	}
+
+	if os.Getenv("ConEmuANSI") == "ON" || os.Getenv("ConsoleZVersion") != "" {
+		// The ConEmu and ConsoleZ terminals emulate ANSI on output streams well.
+		emulateStdin = true
+		emulateStdout = false
+		emulateStderr = false
+	}
+
+	// Temporarily use STD_INPUT_HANDLE, STD_OUTPUT_HANDLE and
+	// STD_ERROR_HANDLE from syscall rather than x/sys/windows as long as
+	// go-ansiterm hasn't switch to x/sys/windows.
+	// TODO: switch back to x/sys/windows once go-ansiterm has switched
+	if emulateStdin {
+		stdIn = windowsconsole.NewAnsiReader(syscall.STD_INPUT_HANDLE)
+	} else {
+		stdIn = os.Stdin
+	}
+
+	if emulateStdout {
+		stdOut = windowsconsole.NewAnsiWriter(syscall.STD_OUTPUT_HANDLE)
+	} else {
+		stdOut = os.Stdout
+	}
+
+	if emulateStderr {
+		stdErr = windowsconsole.NewAnsiWriter(syscall.STD_ERROR_HANDLE)
+	} else {
+		stdErr = os.Stderr
+	}
+
+	return
+}
+
+// GetFdInfo returns the file descriptor for an os.File and indicates whether the file represents a terminal.
+func GetFdInfo(in interface{}) (uintptr, bool) {
+	return windowsconsole.GetHandleInfo(in)
+}
+
+// GetWinsize returns the window size based on the specified file descriptor.
+func GetWinsize(fd uintptr) (*Winsize, error) {
+	info, err := winterm.GetConsoleScreenBufferInfo(fd)
+	if err != nil {
+		return nil, err
+	}
+
+	winsize := &Winsize{
+		Width:  uint16(info.Window.Right - info.Window.Left + 1),
+		Height: uint16(info.Window.Bottom - info.Window.Top + 1),
+	}
+
+	return winsize, nil
+}
+
+// IsTerminal returns true if the given file descriptor is a terminal.
+func IsTerminal(fd uintptr) bool {
+	return windowsconsole.IsConsole(fd)
+}
+
+// RestoreTerminal restores the terminal connected to the given file descriptor
+// to a previous state.
+func RestoreTerminal(fd uintptr, state *State) error {
+	return winterm.SetConsoleMode(fd, state.mode)
+}
+
+// SaveState saves the state of the terminal connected to the given file descriptor.
+func SaveState(fd uintptr) (*State, error) {
+	mode, e := winterm.GetConsoleMode(fd)
+	if e != nil {
+		return nil, e
+	}
+
+	return &State{mode: mode}, nil
+}
+
+// DisableEcho disables echo for the terminal connected to the given file descriptor.
+// -- See https://msdn.microsoft.com/en-us/library/windows/desktop/ms683462(v=vs.85).aspx
+func DisableEcho(fd uintptr, state *State) error {
+	mode := state.mode
+	mode &^= winterm.ENABLE_ECHO_INPUT
+	mode |= winterm.ENABLE_PROCESSED_INPUT | winterm.ENABLE_LINE_INPUT
+	err := winterm.SetConsoleMode(fd, mode)
+	if err != nil {
+		return err
+	}
+
+	// Register an interrupt handler to catch and restore prior state
+	restoreAtInterrupt(fd, state)
+	return nil
+}
+
+// SetRawTerminal puts the terminal connected to the given file descriptor into
+// raw mode and returns the previous state. On UNIX, this puts both the input
+// and output into raw mode. On Windows, it only puts the input into raw mode.
+func SetRawTerminal(fd uintptr) (*State, error) {
+	state, err := MakeRaw(fd)
+	if err != nil {
+		return nil, err
+	}
+
+	// Register an interrupt handler to catch and restore prior state
+	restoreAtInterrupt(fd, state)
+	return state, err
+}
+
+// SetRawTerminalOutput puts the output of terminal connected to the given file
+// descriptor into raw mode. On UNIX, this does nothing and returns nil for the
+// state. On Windows, it disables LF -> CRLF translation.
+func SetRawTerminalOutput(fd uintptr) (*State, error) {
+	state, err := SaveState(fd)
+	if err != nil {
+		return nil, err
+	}
+
+	// Ignore failures, since winterm.DISABLE_NEWLINE_AUTO_RETURN might not be supported on this
+	// version of Windows.
+	winterm.SetConsoleMode(fd, state.mode|winterm.DISABLE_NEWLINE_AUTO_RETURN)
+	return state, err
+}
+
+// MakeRaw puts the terminal (Windows Console) connected to the given file descriptor into raw
+// mode and returns the previous state of the terminal so that it can be restored.
+func MakeRaw(fd uintptr) (*State, error) {
+	state, err := SaveState(fd)
+	if err != nil {
+		return nil, err
+	}
+
+	mode := state.mode
+
+	// See
+	// -- https://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx
+	// -- https://msdn.microsoft.com/en-us/library/windows/desktop/ms683462(v=vs.85).aspx
+
+	// Disable these modes
+	mode &^= winterm.ENABLE_ECHO_INPUT
+	mode &^= winterm.ENABLE_LINE_INPUT
+	mode &^= winterm.ENABLE_MOUSE_INPUT
+	mode &^= winterm.ENABLE_WINDOW_INPUT
+	mode &^= winterm.ENABLE_PROCESSED_INPUT
+
+	// Enable these modes
+	mode |= winterm.ENABLE_EXTENDED_FLAGS
+	mode |= winterm.ENABLE_INSERT_MODE
+	mode |= winterm.ENABLE_QUICK_EDIT_MODE
+	if vtInputSupported {
+		mode |= winterm.ENABLE_VIRTUAL_TERMINAL_INPUT
+	}
+
+	err = winterm.SetConsoleMode(fd, mode)
+	if err != nil {
+		return nil, err
+	}
+	return state, nil
+}
+
+func restoreAtInterrupt(fd uintptr, state *State) {
+	sigchan := make(chan os.Signal, 1)
+	signal.Notify(sigchan, os.Interrupt)
+
+	go func() {
+		_ = <-sigchan
+		RestoreTerminal(fd, state)
+		os.Exit(0)
+	}()
+}
diff --git a/engine/pkg/term/termios_bsd.go b/engine/pkg/term/termios_bsd.go
new file mode 100644
index 00000000..48b16f52
--- /dev/null
+++ b/engine/pkg/term/termios_bsd.go
@@ -0,0 +1,42 @@
+// +build darwin freebsd openbsd netbsd
+
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+const (
+	getTermios = unix.TIOCGETA
+	setTermios = unix.TIOCSETA
+)
+
+// Termios is the Unix API for terminal I/O.
+type Termios unix.Termios
+
+// MakeRaw put the terminal connected to the given file descriptor into raw
+// mode and returns the previous state of the terminal so that it can be
+// restored.
+func MakeRaw(fd uintptr) (*State, error) {
+	var oldState State
+	if _, _, err := unix.Syscall(unix.SYS_IOCTL, fd, getTermios, uintptr(unsafe.Pointer(&oldState.termios))); err != 0 {
+		return nil, err
+	}
+
+	newState := oldState.termios
+	newState.Iflag &^= (unix.IGNBRK | unix.BRKINT | unix.PARMRK | unix.ISTRIP | unix.INLCR | unix.IGNCR | unix.ICRNL | unix.IXON)
+	newState.Oflag &^= unix.OPOST
+	newState.Lflag &^= (unix.ECHO | unix.ECHONL | unix.ICANON | unix.ISIG | unix.IEXTEN)
+	newState.Cflag &^= (unix.CSIZE | unix.PARENB)
+	newState.Cflag |= unix.CS8
+	newState.Cc[unix.VMIN] = 1
+	newState.Cc[unix.VTIME] = 0
+
+	if _, _, err := unix.Syscall(unix.SYS_IOCTL, fd, setTermios, uintptr(unsafe.Pointer(&newState))); err != 0 {
+		return nil, err
+	}
+
+	return &oldState, nil
+}
diff --git a/engine/pkg/term/termios_linux.go b/engine/pkg/term/termios_linux.go
new file mode 100644
index 00000000..6d4c63fd
--- /dev/null
+++ b/engine/pkg/term/termios_linux.go
@@ -0,0 +1,39 @@
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+const (
+	getTermios = unix.TCGETS
+	setTermios = unix.TCSETS
+)
+
+// Termios is the Unix API for terminal I/O.
+type Termios unix.Termios
+
+// MakeRaw put the terminal connected to the given file descriptor into raw
+// mode and returns the previous state of the terminal so that it can be
+// restored.
+func MakeRaw(fd uintptr) (*State, error) {
+	termios, err := unix.IoctlGetTermios(int(fd), getTermios)
+	if err != nil {
+		return nil, err
+	}
+
+	var oldState State
+	oldState.termios = Termios(*termios)
+
+	termios.Iflag &^= (unix.IGNBRK | unix.BRKINT | unix.PARMRK | unix.ISTRIP | unix.INLCR | unix.IGNCR | unix.ICRNL | unix.IXON)
+	termios.Oflag &^= unix.OPOST
+	termios.Lflag &^= (unix.ECHO | unix.ECHONL | unix.ICANON | unix.ISIG | unix.IEXTEN)
+	termios.Cflag &^= (unix.CSIZE | unix.PARENB)
+	termios.Cflag |= unix.CS8
+	termios.Cc[unix.VMIN] = 1
+	termios.Cc[unix.VTIME] = 0
+
+	if err := unix.IoctlSetTermios(int(fd), setTermios, termios); err != nil {
+		return nil, err
+	}
+	return &oldState, nil
+}
diff --git a/engine/pkg/term/windows/ansi_reader.go b/engine/pkg/term/windows/ansi_reader.go
new file mode 100644
index 00000000..1d7c452c
--- /dev/null
+++ b/engine/pkg/term/windows/ansi_reader.go
@@ -0,0 +1,263 @@
+// +build windows
+
+package windowsconsole // import "github.com/docker/docker/pkg/term/windows"
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"unsafe"
+
+	ansiterm "github.com/Azure/go-ansiterm"
+	"github.com/Azure/go-ansiterm/winterm"
+)
+
+const (
+	escapeSequence = ansiterm.KEY_ESC_CSI
+)
+
+// ansiReader wraps a standard input file (e.g., os.Stdin) providing ANSI sequence translation.
+type ansiReader struct {
+	file     *os.File
+	fd       uintptr
+	buffer   []byte
+	cbBuffer int
+	command  []byte
+}
+
+// NewAnsiReader returns an io.ReadCloser that provides VT100 terminal emulation on top of a
+// Windows console input handle.
+func NewAnsiReader(nFile int) io.ReadCloser {
+	initLogger()
+	file, fd := winterm.GetStdFile(nFile)
+	return &ansiReader{
+		file:    file,
+		fd:      fd,
+		command: make([]byte, 0, ansiterm.ANSI_MAX_CMD_LENGTH),
+		buffer:  make([]byte, 0),
+	}
+}
+
+// Close closes the wrapped file.
+func (ar *ansiReader) Close() (err error) {
+	return ar.file.Close()
+}
+
+// Fd returns the file descriptor of the wrapped file.
+func (ar *ansiReader) Fd() uintptr {
+	return ar.fd
+}
+
+// Read reads up to len(p) bytes of translated input events into p.
+func (ar *ansiReader) Read(p []byte) (int, error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+
+	// Previously read bytes exist, read as much as we can and return
+	if len(ar.buffer) > 0 {
+		logger.Debugf("Reading previously cached bytes")
+
+		originalLength := len(ar.buffer)
+		copiedLength := copy(p, ar.buffer)
+
+		if copiedLength == originalLength {
+			ar.buffer = make([]byte, 0, len(p))
+		} else {
+			ar.buffer = ar.buffer[copiedLength:]
+		}
+
+		logger.Debugf("Read from cache p[%d]: % x", copiedLength, p)
+		return copiedLength, nil
+	}
+
+	// Read and translate key events
+	events, err := readInputEvents(ar.fd, len(p))
+	if err != nil {
+		return 0, err
+	} else if len(events) == 0 {
+		logger.Debug("No input events detected")
+		return 0, nil
+	}
+
+	keyBytes := translateKeyEvents(events, []byte(escapeSequence))
+
+	// Save excess bytes and right-size keyBytes
+	if len(keyBytes) > len(p) {
+		logger.Debugf("Received %d keyBytes, only room for %d bytes", len(keyBytes), len(p))
+		ar.buffer = keyBytes[len(p):]
+		keyBytes = keyBytes[:len(p)]
+	} else if len(keyBytes) == 0 {
+		logger.Debug("No key bytes returned from the translator")
+		return 0, nil
+	}
+
+	copiedLength := copy(p, keyBytes)
+	if copiedLength != len(keyBytes) {
+		return 0, errors.New("unexpected copy length encountered")
+	}
+
+	logger.Debugf("Read        p[%d]: % x", copiedLength, p)
+	logger.Debugf("Read keyBytes[%d]: % x", copiedLength, keyBytes)
+	return copiedLength, nil
+}
+
+// readInputEvents polls until at least one event is available.
+func readInputEvents(fd uintptr, maxBytes int) ([]winterm.INPUT_RECORD, error) {
+	// Determine the maximum number of records to retrieve
+	// -- Cast around the type system to obtain the size of a single INPUT_RECORD.
+	//    unsafe.Sizeof requires an expression vs. a type-reference; the casting
+	//    tricks the type system into believing it has such an expression.
+	recordSize := int(unsafe.Sizeof(*((*winterm.INPUT_RECORD)(unsafe.Pointer(&maxBytes)))))
+	countRecords := maxBytes / recordSize
+	if countRecords > ansiterm.MAX_INPUT_EVENTS {
+		countRecords = ansiterm.MAX_INPUT_EVENTS
+	} else if countRecords == 0 {
+		countRecords = 1
+	}
+	logger.Debugf("[windows] readInputEvents: Reading %v records (buffer size %v, record size %v)", countRecords, maxBytes, recordSize)
+
+	// Wait for and read input events
+	events := make([]winterm.INPUT_RECORD, countRecords)
+	nEvents := uint32(0)
+	eventsExist, err := winterm.WaitForSingleObject(fd, winterm.WAIT_INFINITE)
+	if err != nil {
+		return nil, err
+	}
+
+	if eventsExist {
+		err = winterm.ReadConsoleInput(fd, events, &nEvents)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Return a slice restricted to the number of returned records
+	logger.Debugf("[windows] readInputEvents: Read %v events", nEvents)
+	return events[:nEvents], nil
+}
+
+// KeyEvent Translation Helpers
+
+var arrowKeyMapPrefix = map[uint16]string{
+	winterm.VK_UP:    "%s%sA",
+	winterm.VK_DOWN:  "%s%sB",
+	winterm.VK_RIGHT: "%s%sC",
+	winterm.VK_LEFT:  "%s%sD",
+}
+
+var keyMapPrefix = map[uint16]string{
+	winterm.VK_UP:     "\x1B[%sA",
+	winterm.VK_DOWN:   "\x1B[%sB",
+	winterm.VK_RIGHT:  "\x1B[%sC",
+	winterm.VK_LEFT:   "\x1B[%sD",
+	winterm.VK_HOME:   "\x1B[1%s~", // showkey shows ^[[1
+	winterm.VK_END:    "\x1B[4%s~", // showkey shows ^[[4
+	winterm.VK_INSERT: "\x1B[2%s~",
+	winterm.VK_DELETE: "\x1B[3%s~",
+	winterm.VK_PRIOR:  "\x1B[5%s~",
+	winterm.VK_NEXT:   "\x1B[6%s~",
+	winterm.VK_F1:     "",
+	winterm.VK_F2:     "",
+	winterm.VK_F3:     "\x1B[13%s~",
+	winterm.VK_F4:     "\x1B[14%s~",
+	winterm.VK_F5:     "\x1B[15%s~",
+	winterm.VK_F6:     "\x1B[17%s~",
+	winterm.VK_F7:     "\x1B[18%s~",
+	winterm.VK_F8:     "\x1B[19%s~",
+	winterm.VK_F9:     "\x1B[20%s~",
+	winterm.VK_F10:    "\x1B[21%s~",
+	winterm.VK_F11:    "\x1B[23%s~",
+	winterm.VK_F12:    "\x1B[24%s~",
+}
+
+// translateKeyEvents converts the input events into the appropriate ANSI string.
+func translateKeyEvents(events []winterm.INPUT_RECORD, escapeSequence []byte) []byte {
+	var buffer bytes.Buffer
+	for _, event := range events {
+		if event.EventType == winterm.KEY_EVENT && event.KeyEvent.KeyDown != 0 {
+			buffer.WriteString(keyToString(&event.KeyEvent, escapeSequence))
+		}
+	}
+
+	return buffer.Bytes()
+}
+
+// keyToString maps the given input event record to the corresponding string.
+func keyToString(keyEvent *winterm.KEY_EVENT_RECORD, escapeSequence []byte) string {
+	if keyEvent.UnicodeChar == 0 {
+		return formatVirtualKey(keyEvent.VirtualKeyCode, keyEvent.ControlKeyState, escapeSequence)
+	}
+
+	_, alt, control := getControlKeys(keyEvent.ControlKeyState)
+	if control {
+		// TODO(azlinux): Implement following control sequences
+		// <Ctrl>-D  Signals the end of input from the keyboard; also exits current shell.
+		// <Ctrl>-H  Deletes the first character to the left of the cursor. Also called the ERASE key.
+		// <Ctrl>-Q  Restarts printing after it has been stopped with <Ctrl>-s.
+		// <Ctrl>-S  Suspends printing on the screen (does not stop the program).
+		// <Ctrl>-U  Deletes all characters on the current line. Also called the KILL key.
+		// <Ctrl>-E  Quits current command and creates a core
+
+	}
+
+	// <Alt>+Key generates ESC N Key
+	if !control && alt {
+		return ansiterm.KEY_ESC_N + strings.ToLower(string(keyEvent.UnicodeChar))
+	}
+
+	return string(keyEvent.UnicodeChar)
+}
+
+// formatVirtualKey converts a virtual key (e.g., up arrow) into the appropriate ANSI string.
+func formatVirtualKey(key uint16, controlState uint32, escapeSequence []byte) string {
+	shift, alt, control := getControlKeys(controlState)
+	modifier := getControlKeysModifier(shift, alt, control)
+
+	if format, ok := arrowKeyMapPrefix[key]; ok {
+		return fmt.Sprintf(format, escapeSequence, modifier)
+	}
+
+	if format, ok := keyMapPrefix[key]; ok {
+		return fmt.Sprintf(format, modifier)
+	}
+
+	return ""
+}
+
+// getControlKeys extracts the shift, alt, and ctrl key states.
+func getControlKeys(controlState uint32) (shift, alt, control bool) {
+	shift = 0 != (controlState & winterm.SHIFT_PRESSED)
+	alt = 0 != (controlState & (winterm.LEFT_ALT_PRESSED | winterm.RIGHT_ALT_PRESSED))
+	control = 0 != (controlState & (winterm.LEFT_CTRL_PRESSED | winterm.RIGHT_CTRL_PRESSED))
+	return shift, alt, control
+}
+
+// getControlKeysModifier returns the ANSI modifier for the given combination of control keys.
+func getControlKeysModifier(shift, alt, control bool) string {
+	if shift && alt && control {
+		return ansiterm.KEY_CONTROL_PARAM_8
+	}
+	if alt && control {
+		return ansiterm.KEY_CONTROL_PARAM_7
+	}
+	if shift && control {
+		return ansiterm.KEY_CONTROL_PARAM_6
+	}
+	if control {
+		return ansiterm.KEY_CONTROL_PARAM_5
+	}
+	if shift && alt {
+		return ansiterm.KEY_CONTROL_PARAM_4
+	}
+	if alt {
+		return ansiterm.KEY_CONTROL_PARAM_3
+	}
+	if shift {
+		return ansiterm.KEY_CONTROL_PARAM_2
+	}
+	return ""
+}
diff --git a/engine/pkg/term/windows/ansi_writer.go b/engine/pkg/term/windows/ansi_writer.go
new file mode 100644
index 00000000..7799a03f
--- /dev/null
+++ b/engine/pkg/term/windows/ansi_writer.go
@@ -0,0 +1,64 @@
+// +build windows
+
+package windowsconsole // import "github.com/docker/docker/pkg/term/windows"
+
+import (
+	"io"
+	"os"
+
+	ansiterm "github.com/Azure/go-ansiterm"
+	"github.com/Azure/go-ansiterm/winterm"
+)
+
+// ansiWriter wraps a standard output file (e.g., os.Stdout) providing ANSI sequence translation.
+type ansiWriter struct {
+	file           *os.File
+	fd             uintptr
+	infoReset      *winterm.CONSOLE_SCREEN_BUFFER_INFO
+	command        []byte
+	escapeSequence []byte
+	inAnsiSequence bool
+	parser         *ansiterm.AnsiParser
+}
+
+// NewAnsiWriter returns an io.Writer that provides VT100 terminal emulation on top of a
+// Windows console output handle.
+func NewAnsiWriter(nFile int) io.Writer {
+	initLogger()
+	file, fd := winterm.GetStdFile(nFile)
+	info, err := winterm.GetConsoleScreenBufferInfo(fd)
+	if err != nil {
+		return nil
+	}
+
+	parser := ansiterm.CreateParser("Ground", winterm.CreateWinEventHandler(fd, file))
+	logger.Infof("newAnsiWriter: parser %p", parser)
+
+	aw := &ansiWriter{
+		file:           file,
+		fd:             fd,
+		infoReset:      info,
+		command:        make([]byte, 0, ansiterm.ANSI_MAX_CMD_LENGTH),
+		escapeSequence: []byte(ansiterm.KEY_ESC_CSI),
+		parser:         parser,
+	}
+
+	logger.Infof("newAnsiWriter: aw.parser %p", aw.parser)
+	logger.Infof("newAnsiWriter: %v", aw)
+	return aw
+}
+
+func (aw *ansiWriter) Fd() uintptr {
+	return aw.fd
+}
+
+// Write writes len(p) bytes from p to the underlying data stream.
+func (aw *ansiWriter) Write(p []byte) (total int, err error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+
+	logger.Infof("Write: % x", p)
+	logger.Infof("Write: %s", string(p))
+	return aw.parser.Parse(p)
+}
diff --git a/engine/pkg/term/windows/console.go b/engine/pkg/term/windows/console.go
new file mode 100644
index 00000000..52740197
--- /dev/null
+++ b/engine/pkg/term/windows/console.go
@@ -0,0 +1,35 @@
+// +build windows
+
+package windowsconsole // import "github.com/docker/docker/pkg/term/windows"
+
+import (
+	"os"
+
+	"github.com/Azure/go-ansiterm/winterm"
+)
+
+// GetHandleInfo returns file descriptor and bool indicating whether the file is a console.
+func GetHandleInfo(in interface{}) (uintptr, bool) {
+	switch t := in.(type) {
+	case *ansiReader:
+		return t.Fd(), true
+	case *ansiWriter:
+		return t.Fd(), true
+	}
+
+	var inFd uintptr
+	var isTerminal bool
+
+	if file, ok := in.(*os.File); ok {
+		inFd = file.Fd()
+		isTerminal = IsConsole(inFd)
+	}
+	return inFd, isTerminal
+}
+
+// IsConsole returns true if the given file descriptor is a Windows Console.
+// The code assumes that GetConsoleMode will return an error for file descriptors that are not a console.
+func IsConsole(fd uintptr) bool {
+	_, e := winterm.GetConsoleMode(fd)
+	return e == nil
+}
diff --git a/engine/pkg/term/windows/windows.go b/engine/pkg/term/windows/windows.go
new file mode 100644
index 00000000..3e5593ca
--- /dev/null
+++ b/engine/pkg/term/windows/windows.go
@@ -0,0 +1,33 @@
+// These files implement ANSI-aware input and output streams for use by the Docker Windows client.
+// When asked for the set of standard streams (e.g., stdin, stdout, stderr), the code will create
+// and return pseudo-streams that convert ANSI sequences to / from Windows Console API calls.
+
+package windowsconsole // import "github.com/docker/docker/pkg/term/windows"
+
+import (
+	"io/ioutil"
+	"os"
+	"sync"
+
+	"github.com/Azure/go-ansiterm"
+	"github.com/sirupsen/logrus"
+)
+
+var logger *logrus.Logger
+var initOnce sync.Once
+
+func initLogger() {
+	initOnce.Do(func() {
+		logFile := ioutil.Discard
+
+		if isDebugEnv := os.Getenv(ansiterm.LogEnv); isDebugEnv == "1" {
+			logFile, _ = os.Create("ansiReaderWriter.log")
+		}
+
+		logger = &logrus.Logger{
+			Out:       logFile,
+			Formatter: new(logrus.TextFormatter),
+			Level:     logrus.DebugLevel,
+		}
+	})
+}
diff --git a/engine/pkg/term/windows/windows_test.go b/engine/pkg/term/windows/windows_test.go
new file mode 100644
index 00000000..80cda601
--- /dev/null
+++ b/engine/pkg/term/windows/windows_test.go
@@ -0,0 +1,3 @@
+// This file is necessary to pass the Docker tests.
+
+package windowsconsole // import "github.com/docker/docker/pkg/term/windows"
diff --git a/engine/pkg/term/winsize.go b/engine/pkg/term/winsize.go
new file mode 100644
index 00000000..a19663ad
--- /dev/null
+++ b/engine/pkg/term/winsize.go
@@ -0,0 +1,20 @@
+// +build !windows
+
+package term // import "github.com/docker/docker/pkg/term"
+
+import (
+	"golang.org/x/sys/unix"
+)
+
+// GetWinsize returns the window size based on the specified file descriptor.
+func GetWinsize(fd uintptr) (*Winsize, error) {
+	uws, err := unix.IoctlGetWinsize(int(fd), unix.TIOCGWINSZ)
+	ws := &Winsize{Height: uws.Row, Width: uws.Col, x: uws.Xpixel, y: uws.Ypixel}
+	return ws, err
+}
+
+// SetWinsize tries to set the specified window size for the specified file descriptor.
+func SetWinsize(fd uintptr, ws *Winsize) error {
+	uws := &unix.Winsize{Row: ws.Height, Col: ws.Width, Xpixel: ws.x, Ypixel: ws.y}
+	return unix.IoctlSetWinsize(int(fd), unix.TIOCSWINSZ, uws)
+}
diff --git a/engine/pkg/truncindex/truncindex.go b/engine/pkg/truncindex/truncindex.go
new file mode 100644
index 00000000..d5c840cf
--- /dev/null
+++ b/engine/pkg/truncindex/truncindex.go
@@ -0,0 +1,139 @@
+// Package truncindex provides a general 'index tree', used by Docker
+// in order to be able to reference containers by only a few unambiguous
+// characters of their id.
+package truncindex // import "github.com/docker/docker/pkg/truncindex"
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+	"sync"
+
+	"github.com/tchap/go-patricia/patricia"
+)
+
+var (
+	// ErrEmptyPrefix is an error returned if the prefix was empty.
+	ErrEmptyPrefix = errors.New("Prefix can't be empty")
+
+	// ErrIllegalChar is returned when a space is in the ID
+	ErrIllegalChar = errors.New("illegal character: ' '")
+
+	// ErrNotExist is returned when ID or its prefix not found in index.
+	ErrNotExist = errors.New("ID does not exist")
+)
+
+// ErrAmbiguousPrefix is returned if the prefix was ambiguous
+// (multiple ids for the prefix).
+type ErrAmbiguousPrefix struct {
+	prefix string
+}
+
+func (e ErrAmbiguousPrefix) Error() string {
+	return fmt.Sprintf("Multiple IDs found with provided prefix: %s", e.prefix)
+}
+
+// TruncIndex allows the retrieval of string identifiers by any of their unique prefixes.
+// This is used to retrieve image and container IDs by more convenient shorthand prefixes.
+type TruncIndex struct {
+	sync.RWMutex
+	trie *patricia.Trie
+	ids  map[string]struct{}
+}
+
+// NewTruncIndex creates a new TruncIndex and initializes with a list of IDs.
+func NewTruncIndex(ids []string) (idx *TruncIndex) {
+	idx = &TruncIndex{
+		ids: make(map[string]struct{}),
+
+		// Change patricia max prefix per node length,
+		// because our len(ID) always 64
+		trie: patricia.NewTrie(patricia.MaxPrefixPerNode(64)),
+	}
+	for _, id := range ids {
+		idx.addID(id)
+	}
+	return
+}
+
+func (idx *TruncIndex) addID(id string) error {
+	if strings.Contains(id, " ") {
+		return ErrIllegalChar
+	}
+	if id == "" {
+		return ErrEmptyPrefix
+	}
+	if _, exists := idx.ids[id]; exists {
+		return fmt.Errorf("id already exists: '%s'", id)
+	}
+	idx.ids[id] = struct{}{}
+	if inserted := idx.trie.Insert(patricia.Prefix(id), struct{}{}); !inserted {
+		return fmt.Errorf("failed to insert id: %s", id)
+	}
+	return nil
+}
+
+// Add adds a new ID to the TruncIndex.
+func (idx *TruncIndex) Add(id string) error {
+	idx.Lock()
+	defer idx.Unlock()
+	return idx.addID(id)
+}
+
+// Delete removes an ID from the TruncIndex. If there are multiple IDs
+// with the given prefix, an error is thrown.
+func (idx *TruncIndex) Delete(id string) error {
+	idx.Lock()
+	defer idx.Unlock()
+	if _, exists := idx.ids[id]; !exists || id == "" {
+		return fmt.Errorf("no such id: '%s'", id)
+	}
+	delete(idx.ids, id)
+	if deleted := idx.trie.Delete(patricia.Prefix(id)); !deleted {
+		return fmt.Errorf("no such id: '%s'", id)
+	}
+	return nil
+}
+
+// Get retrieves an ID from the TruncIndex. If there are multiple IDs
+// with the given prefix, an error is thrown.
+func (idx *TruncIndex) Get(s string) (string, error) {
+	if s == "" {
+		return "", ErrEmptyPrefix
+	}
+	var (
+		id string
+	)
+	subTreeVisitFunc := func(prefix patricia.Prefix, item patricia.Item) error {
+		if id != "" {
+			// we haven't found the ID if there are two or more IDs
+			id = ""
+			return ErrAmbiguousPrefix{prefix: string(prefix)}
+		}
+		id = string(prefix)
+		return nil
+	}
+
+	idx.RLock()
+	defer idx.RUnlock()
+	if err := idx.trie.VisitSubtree(patricia.Prefix(s), subTreeVisitFunc); err != nil {
+		return "", err
+	}
+	if id != "" {
+		return id, nil
+	}
+	return "", ErrNotExist
+}
+
+// Iterate iterates over all stored IDs and passes each of them to the given
+// handler. Take care that the handler method does not call any public
+// method on truncindex as the internal locking is not reentrant/recursive
+// and will result in deadlock.
+func (idx *TruncIndex) Iterate(handler func(id string)) {
+	idx.Lock()
+	defer idx.Unlock()
+	idx.trie.Visit(func(prefix patricia.Prefix, item patricia.Item) error {
+		handler(string(prefix))
+		return nil
+	})
+}
diff --git a/engine/pkg/truncindex/truncindex_test.go b/engine/pkg/truncindex/truncindex_test.go
new file mode 100644
index 00000000..e2590179
--- /dev/null
+++ b/engine/pkg/truncindex/truncindex_test.go
@@ -0,0 +1,453 @@
+package truncindex // import "github.com/docker/docker/pkg/truncindex"
+
+import (
+	"math/rand"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/stringid"
+)
+
+// Test the behavior of TruncIndex, an index for querying IDs from a non-conflicting prefix.
+func TestTruncIndex(t *testing.T) {
+	var ids []string
+	index := NewTruncIndex(ids)
+	// Get on an empty index
+	if _, err := index.Get("foobar"); err == nil {
+		t.Fatal("Get on an empty index should return an error")
+	}
+
+	// Spaces should be illegal in an id
+	if err := index.Add("I have a space"); err == nil {
+		t.Fatalf("Adding an id with ' ' should return an error")
+	}
+
+	id := "99b36c2c326ccc11e726eee6ee78a0baf166ef96"
+	// Add an id
+	if err := index.Add(id); err != nil {
+		t.Fatal(err)
+	}
+
+	// Add an empty id (should fail)
+	if err := index.Add(""); err == nil {
+		t.Fatalf("Adding an empty id should return an error")
+	}
+
+	// Get a non-existing id
+	assertIndexGet(t, index, "abracadabra", "", true)
+	// Get an empty id
+	assertIndexGet(t, index, "", "", true)
+	// Get the exact id
+	assertIndexGet(t, index, id, id, false)
+	// The first letter should match
+	assertIndexGet(t, index, id[:1], id, false)
+	// The first half should match
+	assertIndexGet(t, index, id[:len(id)/2], id, false)
+	// The second half should NOT match
+	assertIndexGet(t, index, id[len(id)/2:], "", true)
+
+	id2 := id[:6] + "blabla"
+	// Add an id
+	if err := index.Add(id2); err != nil {
+		t.Fatal(err)
+	}
+	// Both exact IDs should work
+	assertIndexGet(t, index, id, id, false)
+	assertIndexGet(t, index, id2, id2, false)
+
+	// 6 characters or less should conflict
+	assertIndexGet(t, index, id[:6], "", true)
+	assertIndexGet(t, index, id[:4], "", true)
+	assertIndexGet(t, index, id[:1], "", true)
+
+	// An ambiguous id prefix should return an error
+	if _, err := index.Get(id[:4]); err == nil {
+		t.Fatal("An ambiguous id prefix should return an error")
+	}
+
+	// 7 characters should NOT conflict
+	assertIndexGet(t, index, id[:7], id, false)
+	assertIndexGet(t, index, id2[:7], id2, false)
+
+	// Deleting a non-existing id should return an error
+	if err := index.Delete("non-existing"); err == nil {
+		t.Fatalf("Deleting a non-existing id should return an error")
+	}
+
+	// Deleting an empty id should return an error
+	if err := index.Delete(""); err == nil {
+		t.Fatal("Deleting an empty id should return an error")
+	}
+
+	// Deleting id2 should remove conflicts
+	if err := index.Delete(id2); err != nil {
+		t.Fatal(err)
+	}
+	// id2 should no longer work
+	assertIndexGet(t, index, id2, "", true)
+	assertIndexGet(t, index, id2[:7], "", true)
+	assertIndexGet(t, index, id2[:11], "", true)
+
+	// conflicts between id and id2 should be gone
+	assertIndexGet(t, index, id[:6], id, false)
+	assertIndexGet(t, index, id[:4], id, false)
+	assertIndexGet(t, index, id[:1], id, false)
+
+	// non-conflicting substrings should still not conflict
+	assertIndexGet(t, index, id[:7], id, false)
+	assertIndexGet(t, index, id[:15], id, false)
+	assertIndexGet(t, index, id, id, false)
+
+	assertIndexIterate(t)
+	assertIndexIterateDoNotPanic(t)
+}
+
+func assertIndexIterate(t *testing.T) {
+	ids := []string{
+		"19b36c2c326ccc11e726eee6ee78a0baf166ef96",
+		"28b36c2c326ccc11e726eee6ee78a0baf166ef96",
+		"37b36c2c326ccc11e726eee6ee78a0baf166ef96",
+		"46b36c2c326ccc11e726eee6ee78a0baf166ef96",
+	}
+
+	index := NewTruncIndex(ids)
+
+	index.Iterate(func(targetId string) {
+		for _, id := range ids {
+			if targetId == id {
+				return
+			}
+		}
+
+		t.Fatalf("An unknown ID '%s'", targetId)
+	})
+}
+
+func assertIndexIterateDoNotPanic(t *testing.T) {
+	ids := []string{
+		"19b36c2c326ccc11e726eee6ee78a0baf166ef96",
+		"28b36c2c326ccc11e726eee6ee78a0baf166ef96",
+	}
+
+	index := NewTruncIndex(ids)
+	iterationStarted := make(chan bool, 1)
+
+	go func() {
+		<-iterationStarted
+		index.Delete("19b36c2c326ccc11e726eee6ee78a0baf166ef96")
+	}()
+
+	index.Iterate(func(targetId string) {
+		if targetId == "19b36c2c326ccc11e726eee6ee78a0baf166ef96" {
+			iterationStarted <- true
+			time.Sleep(100 * time.Millisecond)
+		}
+	})
+}
+
+func assertIndexGet(t *testing.T, index *TruncIndex, input, expectedResult string, expectError bool) {
+	if result, err := index.Get(input); err != nil && !expectError {
+		t.Fatalf("Unexpected error getting '%s': %s", input, err)
+	} else if err == nil && expectError {
+		t.Fatalf("Getting '%s' should return an error, not '%s'", input, result)
+	} else if result != expectedResult {
+		t.Fatalf("Getting '%s' returned '%s' instead of '%s'", input, result, expectedResult)
+	}
+}
+
+func BenchmarkTruncIndexAdd100(b *testing.B) {
+	var testSet []string
+	for i := 0; i < 100; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		index := NewTruncIndex([]string{})
+		for _, id := range testSet {
+			if err := index.Add(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexAdd250(b *testing.B) {
+	var testSet []string
+	for i := 0; i < 250; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		index := NewTruncIndex([]string{})
+		for _, id := range testSet {
+			if err := index.Add(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexAdd500(b *testing.B) {
+	var testSet []string
+	for i := 0; i < 500; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		index := NewTruncIndex([]string{})
+		for _, id := range testSet {
+			if err := index.Add(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexGet100(b *testing.B) {
+	var testSet []string
+	var testKeys []string
+	for i := 0; i < 100; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	index := NewTruncIndex([]string{})
+	for _, id := range testSet {
+		if err := index.Add(id); err != nil {
+			b.Fatal(err)
+		}
+		l := rand.Intn(12) + 12
+		testKeys = append(testKeys, id[:l])
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		for _, id := range testKeys {
+			if res, err := index.Get(id); err != nil {
+				b.Fatal(res, err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexGet250(b *testing.B) {
+	var testSet []string
+	var testKeys []string
+	for i := 0; i < 250; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	index := NewTruncIndex([]string{})
+	for _, id := range testSet {
+		if err := index.Add(id); err != nil {
+			b.Fatal(err)
+		}
+		l := rand.Intn(12) + 12
+		testKeys = append(testKeys, id[:l])
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		for _, id := range testKeys {
+			if res, err := index.Get(id); err != nil {
+				b.Fatal(res, err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexGet500(b *testing.B) {
+	var testSet []string
+	var testKeys []string
+	for i := 0; i < 500; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	index := NewTruncIndex([]string{})
+	for _, id := range testSet {
+		if err := index.Add(id); err != nil {
+			b.Fatal(err)
+		}
+		l := rand.Intn(12) + 12
+		testKeys = append(testKeys, id[:l])
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		for _, id := range testKeys {
+			if res, err := index.Get(id); err != nil {
+				b.Fatal(res, err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexDelete100(b *testing.B) {
+	var testSet []string
+	for i := 0; i < 100; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		b.StopTimer()
+		index := NewTruncIndex([]string{})
+		for _, id := range testSet {
+			if err := index.Add(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+		b.StartTimer()
+		for _, id := range testSet {
+			if err := index.Delete(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexDelete250(b *testing.B) {
+	var testSet []string
+	for i := 0; i < 250; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		b.StopTimer()
+		index := NewTruncIndex([]string{})
+		for _, id := range testSet {
+			if err := index.Add(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+		b.StartTimer()
+		for _, id := range testSet {
+			if err := index.Delete(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexDelete500(b *testing.B) {
+	var testSet []string
+	for i := 0; i < 500; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		b.StopTimer()
+		index := NewTruncIndex([]string{})
+		for _, id := range testSet {
+			if err := index.Add(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+		b.StartTimer()
+		for _, id := range testSet {
+			if err := index.Delete(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexNew100(b *testing.B) {
+	var testSet []string
+	for i := 0; i < 100; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		NewTruncIndex(testSet)
+	}
+}
+
+func BenchmarkTruncIndexNew250(b *testing.B) {
+	var testSet []string
+	for i := 0; i < 250; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		NewTruncIndex(testSet)
+	}
+}
+
+func BenchmarkTruncIndexNew500(b *testing.B) {
+	var testSet []string
+	for i := 0; i < 500; i++ {
+		testSet = append(testSet, stringid.GenerateNonCryptoID())
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		NewTruncIndex(testSet)
+	}
+}
+
+func BenchmarkTruncIndexAddGet100(b *testing.B) {
+	var testSet []string
+	var testKeys []string
+	for i := 0; i < 500; i++ {
+		id := stringid.GenerateNonCryptoID()
+		testSet = append(testSet, id)
+		l := rand.Intn(12) + 12
+		testKeys = append(testKeys, id[:l])
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		index := NewTruncIndex([]string{})
+		for _, id := range testSet {
+			if err := index.Add(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+		for _, id := range testKeys {
+			if res, err := index.Get(id); err != nil {
+				b.Fatal(res, err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexAddGet250(b *testing.B) {
+	var testSet []string
+	var testKeys []string
+	for i := 0; i < 500; i++ {
+		id := stringid.GenerateNonCryptoID()
+		testSet = append(testSet, id)
+		l := rand.Intn(12) + 12
+		testKeys = append(testKeys, id[:l])
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		index := NewTruncIndex([]string{})
+		for _, id := range testSet {
+			if err := index.Add(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+		for _, id := range testKeys {
+			if res, err := index.Get(id); err != nil {
+				b.Fatal(res, err)
+			}
+		}
+	}
+}
+
+func BenchmarkTruncIndexAddGet500(b *testing.B) {
+	var testSet []string
+	var testKeys []string
+	for i := 0; i < 500; i++ {
+		id := stringid.GenerateNonCryptoID()
+		testSet = append(testSet, id)
+		l := rand.Intn(12) + 12
+		testKeys = append(testKeys, id[:l])
+	}
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		index := NewTruncIndex([]string{})
+		for _, id := range testSet {
+			if err := index.Add(id); err != nil {
+				b.Fatal(err)
+			}
+		}
+		for _, id := range testKeys {
+			if res, err := index.Get(id); err != nil {
+				b.Fatal(res, err)
+			}
+		}
+	}
+}
diff --git a/engine/pkg/urlutil/urlutil.go b/engine/pkg/urlutil/urlutil.go
new file mode 100644
index 00000000..9cf348c7
--- /dev/null
+++ b/engine/pkg/urlutil/urlutil.go
@@ -0,0 +1,52 @@
+// Package urlutil provides helper function to check urls kind.
+// It supports http urls, git urls and transport url (tcp://, …)
+package urlutil // import "github.com/docker/docker/pkg/urlutil"
+
+import (
+	"regexp"
+	"strings"
+)
+
+var (
+	validPrefixes = map[string][]string{
+		"url": {"http://", "https://"},
+
+		// The github.com/ prefix is a special case used to treat context-paths
+		// starting with `github.com` as a git URL if the given path does not
+		// exist locally. The "github.com/" prefix is kept for backward compatibility,
+		// and is a legacy feature.
+		//
+		// Going forward, no additional prefixes should be added, and users should
+		// be encouraged to use explicit URLs (https://github.com/user/repo.git) instead.
+		"git":       {"git://", "github.com/", "git@"},
+		"transport": {"tcp://", "tcp+tls://", "udp://", "unix://", "unixgram://"},
+	}
+	urlPathWithFragmentSuffix = regexp.MustCompile(".git(?:#.+)?$")
+)
+
+// IsURL returns true if the provided str is an HTTP(S) URL.
+func IsURL(str string) bool {
+	return checkURL(str, "url")
+}
+
+// IsGitURL returns true if the provided str is a git repository URL.
+func IsGitURL(str string) bool {
+	if IsURL(str) && urlPathWithFragmentSuffix.MatchString(str) {
+		return true
+	}
+	return checkURL(str, "git")
+}
+
+// IsTransportURL returns true if the provided str is a transport (tcp, tcp+tls, udp, unix) URL.
+func IsTransportURL(str string) bool {
+	return checkURL(str, "transport")
+}
+
+func checkURL(str, kind string) bool {
+	for _, prefix := range validPrefixes[kind] {
+		if strings.HasPrefix(str, prefix) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/engine/pkg/urlutil/urlutil_test.go b/engine/pkg/urlutil/urlutil_test.go
new file mode 100644
index 00000000..66603683
--- /dev/null
+++ b/engine/pkg/urlutil/urlutil_test.go
@@ -0,0 +1,56 @@
+package urlutil // import "github.com/docker/docker/pkg/urlutil"
+
+import "testing"
+
+var (
+	gitUrls = []string{
+		"git://github.com/docker/docker",
+		"git@github.com:docker/docker.git",
+		"git@bitbucket.org:atlassianlabs/atlassian-docker.git",
+		"https://github.com/docker/docker.git",
+		"http://github.com/docker/docker.git",
+		"http://github.com/docker/docker.git#branch",
+		"http://github.com/docker/docker.git#:dir",
+	}
+	incompleteGitUrls = []string{
+		"github.com/docker/docker",
+	}
+	invalidGitUrls = []string{
+		"http://github.com/docker/docker.git:#branch",
+	}
+	transportUrls = []string{
+		"tcp://example.com",
+		"tcp+tls://example.com",
+		"udp://example.com",
+		"unix:///example",
+		"unixgram:///example",
+	}
+)
+
+func TestIsGIT(t *testing.T) {
+	for _, url := range gitUrls {
+		if !IsGitURL(url) {
+			t.Fatalf("%q should be detected as valid Git url", url)
+		}
+	}
+
+	for _, url := range incompleteGitUrls {
+		if !IsGitURL(url) {
+			t.Fatalf("%q should be detected as valid Git url", url)
+		}
+	}
+
+	for _, url := range invalidGitUrls {
+		if IsGitURL(url) {
+			t.Fatalf("%q should not be detected as valid Git prefix", url)
+		}
+	}
+}
+
+func TestIsTransport(t *testing.T) {
+	for _, url := range transportUrls {
+		if !IsTransportURL(url) {
+			t.Fatalf("%q should be detected as valid Transport url", url)
+		}
+	}
+}
diff --git a/engine/pkg/useragent/README.md b/engine/pkg/useragent/README.md
new file mode 100644
index 00000000..d9cb367d
--- /dev/null
+++ b/engine/pkg/useragent/README.md
@@ -0,0 +1 @@
+This package provides helper functions to pack version information into a single User-Agent header.
diff --git a/engine/pkg/useragent/useragent.go b/engine/pkg/useragent/useragent.go
new file mode 100644
index 00000000..22db8212
--- /dev/null
+++ b/engine/pkg/useragent/useragent.go
@@ -0,0 +1,55 @@
+// Package useragent provides helper functions to pack
+// version information into a single User-Agent header.
+package useragent // import "github.com/docker/docker/pkg/useragent"
+
+import (
+	"strings"
+)
+
+// VersionInfo is used to model UserAgent versions.
+type VersionInfo struct {
+	Name    string
+	Version string
+}
+
+func (vi *VersionInfo) isValid() bool {
+	const stopChars = " \t\r\n/"
+	name := vi.Name
+	vers := vi.Version
+	if len(name) == 0 || strings.ContainsAny(name, stopChars) {
+		return false
+	}
+	if len(vers) == 0 || strings.ContainsAny(vers, stopChars) {
+		return false
+	}
+	return true
+}
+
+// AppendVersions converts versions to a string and appends the string to the string base.
+//
+// Each VersionInfo will be converted to a string in the format of
+// "product/version", where the "product" is get from the name field, while
+// version is get from the version field. Several pieces of version information
+// will be concatenated and separated by space.
+//
+// Example:
+// AppendVersions("base", VersionInfo{"foo", "1.0"}, VersionInfo{"bar", "2.0"})
+// results in "base foo/1.0 bar/2.0".
+func AppendVersions(base string, versions ...VersionInfo) string {
+	if len(versions) == 0 {
+		return base
+	}
+
+	verstrs := make([]string, 0, 1+len(versions))
+	if len(base) > 0 {
+		verstrs = append(verstrs, base)
+	}
+
+	for _, v := range versions {
+		if !v.isValid() {
+			continue
+		}
+		verstrs = append(verstrs, v.Name+"/"+v.Version)
+	}
+	return strings.Join(verstrs, " ")
+}
diff --git a/engine/pkg/useragent/useragent_test.go b/engine/pkg/useragent/useragent_test.go
new file mode 100644
index 00000000..76868dc8
--- /dev/null
+++ b/engine/pkg/useragent/useragent_test.go
@@ -0,0 +1,31 @@
+package useragent // import "github.com/docker/docker/pkg/useragent"
+
+import "testing"
+
+func TestVersionInfo(t *testing.T) {
+	vi := VersionInfo{"foo", "bar"}
+	if !vi.isValid() {
+		t.Fatalf("VersionInfo should be valid")
+	}
+	vi = VersionInfo{"", "bar"}
+	if vi.isValid() {
+		t.Fatalf("Expected VersionInfo to be invalid")
+	}
+	vi = VersionInfo{"foo", ""}
+	if vi.isValid() {
+		t.Fatalf("Expected VersionInfo to be invalid")
+	}
+}
+
+func TestAppendVersions(t *testing.T) {
+	vis := []VersionInfo{
+		{"foo", "1.0"},
+		{"bar", "0.1"},
+		{"pi", "3.1.4"},
+	}
+	v := AppendVersions("base", vis...)
+	expect := "base foo/1.0 bar/0.1 pi/3.1.4"
+	if v != expect {
+		t.Fatalf("expected %q, got %q", expect, v)
+	}
+}
diff --git a/engine/plugin/backend_linux.go b/engine/plugin/backend_linux.go
new file mode 100644
index 00000000..044e14b0
--- /dev/null
+++ b/engine/plugin/backend_linux.go
@@ -0,0 +1,876 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/docker/distribution/manifest/schema2"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/distribution"
+	progressutils "github.com/docker/docker/distribution/utils"
+	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/dockerversion"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/authorization"
+	"github.com/docker/docker/pkg/chrootarchive"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/pools"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/plugin/v2"
+	refstore "github.com/docker/docker/reference"
+	"github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var acceptedPluginFilterTags = map[string]bool{
+	"enabled":    true,
+	"capability": true,
+}
+
+// Disable deactivates a plugin. This means resources (volumes, networks) cant use them.
+func (pm *Manager) Disable(refOrID string, config *types.PluginDisableConfig) error {
+	p, err := pm.config.Store.GetV2Plugin(refOrID)
+	if err != nil {
+		return err
+	}
+	pm.mu.RLock()
+	c := pm.cMap[p]
+	pm.mu.RUnlock()
+
+	if !config.ForceDisable && p.GetRefCount() > 0 {
+		return errors.WithStack(inUseError(p.Name()))
+	}
+
+	for _, typ := range p.GetTypes() {
+		if typ.Capability == authorization.AuthZApiImplements {
+			pm.config.AuthzMiddleware.RemovePlugin(p.Name())
+		}
+	}
+
+	if err := pm.disable(p, c); err != nil {
+		return err
+	}
+	pm.publisher.Publish(EventDisable{Plugin: p.PluginObj})
+	pm.config.LogPluginEvent(p.GetID(), refOrID, "disable")
+	return nil
+}
+
+// Enable activates a plugin, which implies that they are ready to be used by containers.
+func (pm *Manager) Enable(refOrID string, config *types.PluginEnableConfig) error {
+	p, err := pm.config.Store.GetV2Plugin(refOrID)
+	if err != nil {
+		return err
+	}
+
+	c := &controller{timeoutInSecs: config.Timeout}
+	if err := pm.enable(p, c, false); err != nil {
+		return err
+	}
+	pm.publisher.Publish(EventEnable{Plugin: p.PluginObj})
+	pm.config.LogPluginEvent(p.GetID(), refOrID, "enable")
+	return nil
+}
+
+// Inspect examines a plugin config
+func (pm *Manager) Inspect(refOrID string) (tp *types.Plugin, err error) {
+	p, err := pm.config.Store.GetV2Plugin(refOrID)
+	if err != nil {
+		return nil, err
+	}
+
+	return &p.PluginObj, nil
+}
+
+func (pm *Manager) pull(ctx context.Context, ref reference.Named, config *distribution.ImagePullConfig, outStream io.Writer) error {
+	if outStream != nil {
+		// Include a buffer so that slow client connections don't affect
+		// transfer performance.
+		progressChan := make(chan progress.Progress, 100)
+
+		writesDone := make(chan struct{})
+
+		defer func() {
+			close(progressChan)
+			<-writesDone
+		}()
+
+		var cancelFunc context.CancelFunc
+		ctx, cancelFunc = context.WithCancel(ctx)
+
+		go func() {
+			progressutils.WriteDistributionProgress(cancelFunc, outStream, progressChan)
+			close(writesDone)
+		}()
+
+		config.ProgressOutput = progress.ChanOutput(progressChan)
+	} else {
+		config.ProgressOutput = progress.DiscardOutput()
+	}
+	return distribution.Pull(ctx, ref, config)
+}
+
+type tempConfigStore struct {
+	config       []byte
+	configDigest digest.Digest
+}
+
+func (s *tempConfigStore) Put(c []byte) (digest.Digest, error) {
+	dgst := digest.FromBytes(c)
+
+	s.config = c
+	s.configDigest = dgst
+
+	return dgst, nil
+}
+
+func (s *tempConfigStore) Get(d digest.Digest) ([]byte, error) {
+	if d != s.configDigest {
+		return nil, errNotFound("digest not found")
+	}
+	return s.config, nil
+}
+
+func (s *tempConfigStore) RootFSFromConfig(c []byte) (*image.RootFS, error) {
+	return configToRootFS(c)
+}
+
+func (s *tempConfigStore) PlatformFromConfig(c []byte) (*specs.Platform, error) {
+	// TODO: LCOW/Plugins. This will need revisiting. For now use the runtime OS
+	return &specs.Platform{OS: runtime.GOOS}, nil
+}
+
+func computePrivileges(c types.PluginConfig) types.PluginPrivileges {
+	var privileges types.PluginPrivileges
+	if c.Network.Type != "null" && c.Network.Type != "bridge" && c.Network.Type != "" {
+		privileges = append(privileges, types.PluginPrivilege{
+			Name:        "network",
+			Description: "permissions to access a network",
+			Value:       []string{c.Network.Type},
+		})
+	}
+	if c.IpcHost {
+		privileges = append(privileges, types.PluginPrivilege{
+			Name:        "host ipc namespace",
+			Description: "allow access to host ipc namespace",
+			Value:       []string{"true"},
+		})
+	}
+	if c.PidHost {
+		privileges = append(privileges, types.PluginPrivilege{
+			Name:        "host pid namespace",
+			Description: "allow access to host pid namespace",
+			Value:       []string{"true"},
+		})
+	}
+	for _, mount := range c.Mounts {
+		if mount.Source != nil {
+			privileges = append(privileges, types.PluginPrivilege{
+				Name:        "mount",
+				Description: "host path to mount",
+				Value:       []string{*mount.Source},
+			})
+		}
+	}
+	for _, device := range c.Linux.Devices {
+		if device.Path != nil {
+			privileges = append(privileges, types.PluginPrivilege{
+				Name:        "device",
+				Description: "host device to access",
+				Value:       []string{*device.Path},
+			})
+		}
+	}
+	if c.Linux.AllowAllDevices {
+		privileges = append(privileges, types.PluginPrivilege{
+			Name:        "allow-all-devices",
+			Description: "allow 'rwm' access to all devices",
+			Value:       []string{"true"},
+		})
+	}
+	if len(c.Linux.Capabilities) > 0 {
+		privileges = append(privileges, types.PluginPrivilege{
+			Name:        "capabilities",
+			Description: "list of additional capabilities required",
+			Value:       c.Linux.Capabilities,
+		})
+	}
+
+	return privileges
+}
+
+// Privileges pulls a plugin config and computes the privileges required to install it.
+func (pm *Manager) Privileges(ctx context.Context, ref reference.Named, metaHeader http.Header, authConfig *types.AuthConfig) (types.PluginPrivileges, error) {
+	// create image store instance
+	cs := &tempConfigStore{}
+
+	// DownloadManager not defined because only pulling configuration.
+	pluginPullConfig := &distribution.ImagePullConfig{
+		Config: distribution.Config{
+			MetaHeaders:      metaHeader,
+			AuthConfig:       authConfig,
+			RegistryService:  pm.config.RegistryService,
+			ImageEventLogger: func(string, string, string) {},
+			ImageStore:       cs,
+		},
+		Schema2Types: distribution.PluginTypes,
+	}
+
+	if err := pm.pull(ctx, ref, pluginPullConfig, nil); err != nil {
+		return nil, err
+	}
+
+	if cs.config == nil {
+		return nil, errors.New("no configuration pulled")
+	}
+	var config types.PluginConfig
+	if err := json.Unmarshal(cs.config, &config); err != nil {
+		return nil, errdefs.System(err)
+	}
+
+	return computePrivileges(config), nil
+}
+
+// Upgrade upgrades a plugin
+func (pm *Manager) Upgrade(ctx context.Context, ref reference.Named, name string, metaHeader http.Header, authConfig *types.AuthConfig, privileges types.PluginPrivileges, outStream io.Writer) (err error) {
+	p, err := pm.config.Store.GetV2Plugin(name)
+	if err != nil {
+		return err
+	}
+
+	if p.IsEnabled() {
+		return errors.Wrap(enabledError(p.Name()), "plugin must be disabled before upgrading")
+	}
+
+	pm.muGC.RLock()
+	defer pm.muGC.RUnlock()
+
+	// revalidate because Pull is public
+	if _, err := reference.ParseNormalizedNamed(name); err != nil {
+		return errors.Wrapf(errdefs.InvalidParameter(err), "failed to parse %q", name)
+	}
+
+	tmpRootFSDir, err := ioutil.TempDir(pm.tmpDir(), ".rootfs")
+	if err != nil {
+		return errors.Wrap(errdefs.System(err), "error preparing upgrade")
+	}
+	defer os.RemoveAll(tmpRootFSDir)
+
+	dm := &downloadManager{
+		tmpDir:    tmpRootFSDir,
+		blobStore: pm.blobStore,
+	}
+
+	pluginPullConfig := &distribution.ImagePullConfig{
+		Config: distribution.Config{
+			MetaHeaders:      metaHeader,
+			AuthConfig:       authConfig,
+			RegistryService:  pm.config.RegistryService,
+			ImageEventLogger: pm.config.LogPluginEvent,
+			ImageStore:       dm,
+		},
+		DownloadManager: dm, // todo: reevaluate if possible to substitute distribution/xfer dependencies instead
+		Schema2Types:    distribution.PluginTypes,
+	}
+
+	err = pm.pull(ctx, ref, pluginPullConfig, outStream)
+	if err != nil {
+		go pm.GC()
+		return err
+	}
+
+	if err := pm.upgradePlugin(p, dm.configDigest, dm.blobs, tmpRootFSDir, &privileges); err != nil {
+		return err
+	}
+	p.PluginObj.PluginReference = ref.String()
+	return nil
+}
+
+// Pull pulls a plugin, check if the correct privileges are provided and install the plugin.
+func (pm *Manager) Pull(ctx context.Context, ref reference.Named, name string, metaHeader http.Header, authConfig *types.AuthConfig, privileges types.PluginPrivileges, outStream io.Writer, opts ...CreateOpt) (err error) {
+	pm.muGC.RLock()
+	defer pm.muGC.RUnlock()
+
+	// revalidate because Pull is public
+	nameref, err := reference.ParseNormalizedNamed(name)
+	if err != nil {
+		return errors.Wrapf(errdefs.InvalidParameter(err), "failed to parse %q", name)
+	}
+	name = reference.FamiliarString(reference.TagNameOnly(nameref))
+
+	if err := pm.config.Store.validateName(name); err != nil {
+		return errdefs.InvalidParameter(err)
+	}
+
+	tmpRootFSDir, err := ioutil.TempDir(pm.tmpDir(), ".rootfs")
+	if err != nil {
+		return errors.Wrap(errdefs.System(err), "error preparing pull")
+	}
+	defer os.RemoveAll(tmpRootFSDir)
+
+	dm := &downloadManager{
+		tmpDir:    tmpRootFSDir,
+		blobStore: pm.blobStore,
+	}
+
+	pluginPullConfig := &distribution.ImagePullConfig{
+		Config: distribution.Config{
+			MetaHeaders:      metaHeader,
+			AuthConfig:       authConfig,
+			RegistryService:  pm.config.RegistryService,
+			ImageEventLogger: pm.config.LogPluginEvent,
+			ImageStore:       dm,
+		},
+		DownloadManager: dm, // todo: reevaluate if possible to substitute distribution/xfer dependencies instead
+		Schema2Types:    distribution.PluginTypes,
+	}
+
+	err = pm.pull(ctx, ref, pluginPullConfig, outStream)
+	if err != nil {
+		go pm.GC()
+		return err
+	}
+
+	refOpt := func(p *v2.Plugin) {
+		p.PluginObj.PluginReference = ref.String()
+	}
+	optsList := make([]CreateOpt, 0, len(opts)+1)
+	optsList = append(optsList, opts...)
+	optsList = append(optsList, refOpt)
+
+	p, err := pm.createPlugin(name, dm.configDigest, dm.blobs, tmpRootFSDir, &privileges, optsList...)
+	if err != nil {
+		return err
+	}
+
+	pm.publisher.Publish(EventCreate{Plugin: p.PluginObj})
+	return nil
+}
+
+// List displays the list of plugins and associated metadata.
+func (pm *Manager) List(pluginFilters filters.Args) ([]types.Plugin, error) {
+	if err := pluginFilters.Validate(acceptedPluginFilterTags); err != nil {
+		return nil, err
+	}
+
+	enabledOnly := false
+	disabledOnly := false
+	if pluginFilters.Contains("enabled") {
+		if pluginFilters.ExactMatch("enabled", "true") {
+			enabledOnly = true
+		} else if pluginFilters.ExactMatch("enabled", "false") {
+			disabledOnly = true
+		} else {
+			return nil, invalidFilter{"enabled", pluginFilters.Get("enabled")}
+		}
+	}
+
+	plugins := pm.config.Store.GetAll()
+	out := make([]types.Plugin, 0, len(plugins))
+
+next:
+	for _, p := range plugins {
+		if enabledOnly && !p.PluginObj.Enabled {
+			continue
+		}
+		if disabledOnly && p.PluginObj.Enabled {
+			continue
+		}
+		if pluginFilters.Contains("capability") {
+			for _, f := range p.GetTypes() {
+				if !pluginFilters.Match("capability", f.Capability) {
+					continue next
+				}
+			}
+		}
+		out = append(out, p.PluginObj)
+	}
+	return out, nil
+}
+
+// Push pushes a plugin to the store.
+func (pm *Manager) Push(ctx context.Context, name string, metaHeader http.Header, authConfig *types.AuthConfig, outStream io.Writer) error {
+	p, err := pm.config.Store.GetV2Plugin(name)
+	if err != nil {
+		return err
+	}
+
+	ref, err := reference.ParseNormalizedNamed(p.Name())
+	if err != nil {
+		return errors.Wrapf(err, "plugin has invalid name %v for push", p.Name())
+	}
+
+	var po progress.Output
+	if outStream != nil {
+		// Include a buffer so that slow client connections don't affect
+		// transfer performance.
+		progressChan := make(chan progress.Progress, 100)
+
+		writesDone := make(chan struct{})
+
+		defer func() {
+			close(progressChan)
+			<-writesDone
+		}()
+
+		var cancelFunc context.CancelFunc
+		ctx, cancelFunc = context.WithCancel(ctx)
+
+		go func() {
+			progressutils.WriteDistributionProgress(cancelFunc, outStream, progressChan)
+			close(writesDone)
+		}()
+
+		po = progress.ChanOutput(progressChan)
+	} else {
+		po = progress.DiscardOutput()
+	}
+
+	// TODO: replace these with manager
+	is := &pluginConfigStore{
+		pm:     pm,
+		plugin: p,
+	}
+	lss := make(map[string]distribution.PushLayerProvider)
+	lss[runtime.GOOS] = &pluginLayerProvider{
+		pm:     pm,
+		plugin: p,
+	}
+	rs := &pluginReference{
+		name:     ref,
+		pluginID: p.Config,
+	}
+
+	uploadManager := xfer.NewLayerUploadManager(3)
+
+	imagePushConfig := &distribution.ImagePushConfig{
+		Config: distribution.Config{
+			MetaHeaders:      metaHeader,
+			AuthConfig:       authConfig,
+			ProgressOutput:   po,
+			RegistryService:  pm.config.RegistryService,
+			ReferenceStore:   rs,
+			ImageEventLogger: pm.config.LogPluginEvent,
+			ImageStore:       is,
+			RequireSchema2:   true,
+		},
+		ConfigMediaType: schema2.MediaTypePluginConfig,
+		LayerStores:     lss,
+		UploadManager:   uploadManager,
+	}
+
+	return distribution.Push(ctx, ref, imagePushConfig)
+}
+
+type pluginReference struct {
+	name     reference.Named
+	pluginID digest.Digest
+}
+
+func (r *pluginReference) References(id digest.Digest) []reference.Named {
+	if r.pluginID != id {
+		return nil
+	}
+	return []reference.Named{r.name}
+}
+
+func (r *pluginReference) ReferencesByName(ref reference.Named) []refstore.Association {
+	return []refstore.Association{
+		{
+			Ref: r.name,
+			ID:  r.pluginID,
+		},
+	}
+}
+
+func (r *pluginReference) Get(ref reference.Named) (digest.Digest, error) {
+	if r.name.String() != ref.String() {
+		return digest.Digest(""), refstore.ErrDoesNotExist
+	}
+	return r.pluginID, nil
+}
+
+func (r *pluginReference) AddTag(ref reference.Named, id digest.Digest, force bool) error {
+	// Read only, ignore
+	return nil
+}
+func (r *pluginReference) AddDigest(ref reference.Canonical, id digest.Digest, force bool) error {
+	// Read only, ignore
+	return nil
+}
+func (r *pluginReference) Delete(ref reference.Named) (bool, error) {
+	// Read only, ignore
+	return false, nil
+}
+
+type pluginConfigStore struct {
+	pm     *Manager
+	plugin *v2.Plugin
+}
+
+func (s *pluginConfigStore) Put([]byte) (digest.Digest, error) {
+	return digest.Digest(""), errors.New("cannot store config on push")
+}
+
+func (s *pluginConfigStore) Get(d digest.Digest) ([]byte, error) {
+	if s.plugin.Config != d {
+		return nil, errors.New("plugin not found")
+	}
+	rwc, err := s.pm.blobStore.Get(d)
+	if err != nil {
+		return nil, err
+	}
+	defer rwc.Close()
+	return ioutil.ReadAll(rwc)
+}
+
+func (s *pluginConfigStore) RootFSFromConfig(c []byte) (*image.RootFS, error) {
+	return configToRootFS(c)
+}
+
+func (s *pluginConfigStore) PlatformFromConfig(c []byte) (*specs.Platform, error) {
+	// TODO: LCOW/Plugins. This will need revisiting. For now use the runtime OS
+	return &specs.Platform{OS: runtime.GOOS}, nil
+}
+
+type pluginLayerProvider struct {
+	pm     *Manager
+	plugin *v2.Plugin
+}
+
+func (p *pluginLayerProvider) Get(id layer.ChainID) (distribution.PushLayer, error) {
+	rootFS := rootFSFromPlugin(p.plugin.PluginObj.Config.Rootfs)
+	var i int
+	for i = 1; i <= len(rootFS.DiffIDs); i++ {
+		if layer.CreateChainID(rootFS.DiffIDs[:i]) == id {
+			break
+		}
+	}
+	if i > len(rootFS.DiffIDs) {
+		return nil, errors.New("layer not found")
+	}
+	return &pluginLayer{
+		pm:      p.pm,
+		diffIDs: rootFS.DiffIDs[:i],
+		blobs:   p.plugin.Blobsums[:i],
+	}, nil
+}
+
+type pluginLayer struct {
+	pm      *Manager
+	diffIDs []layer.DiffID
+	blobs   []digest.Digest
+}
+
+func (l *pluginLayer) ChainID() layer.ChainID {
+	return layer.CreateChainID(l.diffIDs)
+}
+
+func (l *pluginLayer) DiffID() layer.DiffID {
+	return l.diffIDs[len(l.diffIDs)-1]
+}
+
+func (l *pluginLayer) Parent() distribution.PushLayer {
+	if len(l.diffIDs) == 1 {
+		return nil
+	}
+	return &pluginLayer{
+		pm:      l.pm,
+		diffIDs: l.diffIDs[:len(l.diffIDs)-1],
+		blobs:   l.blobs[:len(l.diffIDs)-1],
+	}
+}
+
+func (l *pluginLayer) Open() (io.ReadCloser, error) {
+	return l.pm.blobStore.Get(l.blobs[len(l.diffIDs)-1])
+}
+
+func (l *pluginLayer) Size() (int64, error) {
+	return l.pm.blobStore.Size(l.blobs[len(l.diffIDs)-1])
+}
+
+func (l *pluginLayer) MediaType() string {
+	return schema2.MediaTypeLayer
+}
+
+func (l *pluginLayer) Release() {
+	// Nothing needs to be release, no references held
+}
+
+// Remove deletes plugin's root directory.
+func (pm *Manager) Remove(name string, config *types.PluginRmConfig) error {
+	p, err := pm.config.Store.GetV2Plugin(name)
+	pm.mu.RLock()
+	c := pm.cMap[p]
+	pm.mu.RUnlock()
+
+	if err != nil {
+		return err
+	}
+
+	if !config.ForceRemove {
+		if p.GetRefCount() > 0 {
+			return inUseError(p.Name())
+		}
+		if p.IsEnabled() {
+			return enabledError(p.Name())
+		}
+	}
+
+	if p.IsEnabled() {
+		if err := pm.disable(p, c); err != nil {
+			logrus.Errorf("failed to disable plugin '%s': %s", p.Name(), err)
+		}
+	}
+
+	defer func() {
+		go pm.GC()
+	}()
+
+	id := p.GetID()
+	pluginDir := filepath.Join(pm.config.Root, id)
+
+	if err := mount.RecursiveUnmount(pluginDir); err != nil {
+		return errors.Wrap(err, "error unmounting plugin data")
+	}
+
+	if err := atomicRemoveAll(pluginDir); err != nil {
+		return err
+	}
+
+	pm.config.Store.Remove(p)
+	pm.config.LogPluginEvent(id, name, "remove")
+	pm.publisher.Publish(EventRemove{Plugin: p.PluginObj})
+	return nil
+}
+
+// Set sets plugin args
+func (pm *Manager) Set(name string, args []string) error {
+	p, err := pm.config.Store.GetV2Plugin(name)
+	if err != nil {
+		return err
+	}
+	if err := p.Set(args); err != nil {
+		return err
+	}
+	return pm.save(p)
+}
+
+// CreateFromContext creates a plugin from the given pluginDir which contains
+// both the rootfs and the config.json and a repoName with optional tag.
+func (pm *Manager) CreateFromContext(ctx context.Context, tarCtx io.ReadCloser, options *types.PluginCreateOptions) (err error) {
+	pm.muGC.RLock()
+	defer pm.muGC.RUnlock()
+
+	ref, err := reference.ParseNormalizedNamed(options.RepoName)
+	if err != nil {
+		return errors.Wrapf(err, "failed to parse reference %v", options.RepoName)
+	}
+	if _, ok := ref.(reference.Canonical); ok {
+		return errors.Errorf("canonical references are not permitted")
+	}
+	name := reference.FamiliarString(reference.TagNameOnly(ref))
+
+	if err := pm.config.Store.validateName(name); err != nil { // fast check, real check is in createPlugin()
+		return err
+	}
+
+	tmpRootFSDir, err := ioutil.TempDir(pm.tmpDir(), ".rootfs")
+	if err != nil {
+		return errors.Wrap(err, "failed to create temp directory")
+	}
+	defer os.RemoveAll(tmpRootFSDir)
+
+	var configJSON []byte
+	rootFS := splitConfigRootFSFromTar(tarCtx, &configJSON)
+
+	rootFSBlob, err := pm.blobStore.New()
+	if err != nil {
+		return err
+	}
+	defer rootFSBlob.Close()
+	gzw := gzip.NewWriter(rootFSBlob)
+	layerDigester := digest.Canonical.Digester()
+	rootFSReader := io.TeeReader(rootFS, io.MultiWriter(gzw, layerDigester.Hash()))
+
+	if err := chrootarchive.Untar(rootFSReader, tmpRootFSDir, nil); err != nil {
+		return err
+	}
+	if err := rootFS.Close(); err != nil {
+		return err
+	}
+
+	if configJSON == nil {
+		return errors.New("config not found")
+	}
+
+	if err := gzw.Close(); err != nil {
+		return errors.Wrap(err, "error closing gzip writer")
+	}
+
+	var config types.PluginConfig
+	if err := json.Unmarshal(configJSON, &config); err != nil {
+		return errors.Wrap(err, "failed to parse config")
+	}
+
+	if err := pm.validateConfig(config); err != nil {
+		return err
+	}
+
+	pm.mu.Lock()
+	defer pm.mu.Unlock()
+
+	rootFSBlobsum, err := rootFSBlob.Commit()
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err != nil {
+			go pm.GC()
+		}
+	}()
+
+	config.Rootfs = &types.PluginConfigRootfs{
+		Type:    "layers",
+		DiffIds: []string{layerDigester.Digest().String()},
+	}
+
+	config.DockerVersion = dockerversion.Version
+
+	configBlob, err := pm.blobStore.New()
+	if err != nil {
+		return err
+	}
+	defer configBlob.Close()
+	if err := json.NewEncoder(configBlob).Encode(config); err != nil {
+		return errors.Wrap(err, "error encoding json config")
+	}
+	configBlobsum, err := configBlob.Commit()
+	if err != nil {
+		return err
+	}
+
+	p, err := pm.createPlugin(name, configBlobsum, []digest.Digest{rootFSBlobsum}, tmpRootFSDir, nil)
+	if err != nil {
+		return err
+	}
+	p.PluginObj.PluginReference = name
+
+	pm.publisher.Publish(EventCreate{Plugin: p.PluginObj})
+	pm.config.LogPluginEvent(p.PluginObj.ID, name, "create")
+
+	return nil
+}
+
+func (pm *Manager) validateConfig(config types.PluginConfig) error {
+	return nil // TODO:
+}
+
+func splitConfigRootFSFromTar(in io.ReadCloser, config *[]byte) io.ReadCloser {
+	pr, pw := io.Pipe()
+	go func() {
+		tarReader := tar.NewReader(in)
+		tarWriter := tar.NewWriter(pw)
+		defer in.Close()
+
+		hasRootFS := false
+
+		for {
+			hdr, err := tarReader.Next()
+			if err == io.EOF {
+				if !hasRootFS {
+					pw.CloseWithError(errors.Wrap(err, "no rootfs found"))
+					return
+				}
+				// Signals end of archive.
+				tarWriter.Close()
+				pw.Close()
+				return
+			}
+			if err != nil {
+				pw.CloseWithError(errors.Wrap(err, "failed to read from tar"))
+				return
+			}
+
+			content := io.Reader(tarReader)
+			name := path.Clean(hdr.Name)
+			if path.IsAbs(name) {
+				name = name[1:]
+			}
+			if name == configFileName {
+				dt, err := ioutil.ReadAll(content)
+				if err != nil {
+					pw.CloseWithError(errors.Wrapf(err, "failed to read %s", configFileName))
+					return
+				}
+				*config = dt
+			}
+			if parts := strings.Split(name, "/"); len(parts) != 0 && parts[0] == rootFSFileName {
+				hdr.Name = path.Clean(path.Join(parts[1:]...))
+				if hdr.Typeflag == tar.TypeLink && strings.HasPrefix(strings.ToLower(hdr.Linkname), rootFSFileName+"/") {
+					hdr.Linkname = hdr.Linkname[len(rootFSFileName)+1:]
+				}
+				if err := tarWriter.WriteHeader(hdr); err != nil {
+					pw.CloseWithError(errors.Wrap(err, "error writing tar header"))
+					return
+				}
+				if _, err := pools.Copy(tarWriter, content); err != nil {
+					pw.CloseWithError(errors.Wrap(err, "error copying tar data"))
+					return
+				}
+				hasRootFS = true
+			} else {
+				io.Copy(ioutil.Discard, content)
+			}
+		}
+	}()
+	return pr
+}
+
+func atomicRemoveAll(dir string) error {
+	renamed := dir + "-removing"
+
+	err := os.Rename(dir, renamed)
+	switch {
+	case os.IsNotExist(err), err == nil:
+		// even if `dir` doesn't exist, we can still try and remove `renamed`
+	case os.IsExist(err):
+		// Some previous remove failed, check if the origin dir exists
+		if e := system.EnsureRemoveAll(renamed); e != nil {
+			return errors.Wrap(err, "rename target already exists and could not be removed")
+		}
+		if _, err := os.Stat(dir); os.IsNotExist(err) {
+			// origin doesn't exist, nothing left to do
+			return nil
+		}
+
+		// attempt to rename again
+		if err := os.Rename(dir, renamed); err != nil {
+			return errors.Wrap(err, "failed to rename dir for atomic removal")
+		}
+	default:
+		return errors.Wrap(err, "failed to rename dir for atomic removal")
+	}
+
+	if err := system.EnsureRemoveAll(renamed); err != nil {
+		os.Rename(renamed, dir)
+		return err
+	}
+	return nil
+}
diff --git a/engine/plugin/backend_linux_test.go b/engine/plugin/backend_linux_test.go
new file mode 100644
index 00000000..81cf2ebb
--- /dev/null
+++ b/engine/plugin/backend_linux_test.go
@@ -0,0 +1,81 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestAtomicRemoveAllNormal(t *testing.T) {
+	dir, err := ioutil.TempDir("", "atomic-remove-with-normal")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir) // just try to make sure this gets cleaned up
+
+	if err := atomicRemoveAll(dir); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := os.Stat(dir); !os.IsNotExist(err) {
+		t.Fatalf("dir should be gone: %v", err)
+	}
+	if _, err := os.Stat(dir + "-removing"); !os.IsNotExist(err) {
+		t.Fatalf("dir should be gone: %v", err)
+	}
+}
+
+func TestAtomicRemoveAllAlreadyExists(t *testing.T) {
+	dir, err := ioutil.TempDir("", "atomic-remove-already-exists")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir) // just try to make sure this gets cleaned up
+
+	if err := os.MkdirAll(dir+"-removing", 0755); err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir + "-removing")
+
+	if err := atomicRemoveAll(dir); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := os.Stat(dir); !os.IsNotExist(err) {
+		t.Fatalf("dir should be gone: %v", err)
+	}
+	if _, err := os.Stat(dir + "-removing"); !os.IsNotExist(err) {
+		t.Fatalf("dir should be gone: %v", err)
+	}
+}
+
+func TestAtomicRemoveAllNotExist(t *testing.T) {
+	if err := atomicRemoveAll("/not-exist"); err != nil {
+		t.Fatal(err)
+	}
+
+	dir, err := ioutil.TempDir("", "atomic-remove-already-exists")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir) // just try to make sure this gets cleaned up
+
+	// create the removing dir, but not the "real" one
+	foo := filepath.Join(dir, "foo")
+	removing := dir + "-removing"
+	if err := os.MkdirAll(removing, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := atomicRemoveAll(dir); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := os.Stat(foo); !os.IsNotExist(err) {
+		t.Fatalf("dir should be gone: %v", err)
+	}
+	if _, err := os.Stat(removing); !os.IsNotExist(err) {
+		t.Fatalf("dir should be gone: %v", err)
+	}
+}
diff --git a/engine/plugin/backend_unsupported.go b/engine/plugin/backend_unsupported.go
new file mode 100644
index 00000000..c0666e85
--- /dev/null
+++ b/engine/plugin/backend_unsupported.go
@@ -0,0 +1,72 @@
+// +build !linux
+
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"context"
+	"errors"
+	"io"
+	"net/http"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+)
+
+var errNotSupported = errors.New("plugins are not supported on this platform")
+
+// Disable deactivates a plugin, which implies that they cannot be used by containers.
+func (pm *Manager) Disable(name string, config *types.PluginDisableConfig) error {
+	return errNotSupported
+}
+
+// Enable activates a plugin, which implies that they are ready to be used by containers.
+func (pm *Manager) Enable(name string, config *types.PluginEnableConfig) error {
+	return errNotSupported
+}
+
+// Inspect examines a plugin config
+func (pm *Manager) Inspect(refOrID string) (tp *types.Plugin, err error) {
+	return nil, errNotSupported
+}
+
+// Privileges pulls a plugin config and computes the privileges required to install it.
+func (pm *Manager) Privileges(ctx context.Context, ref reference.Named, metaHeader http.Header, authConfig *types.AuthConfig) (types.PluginPrivileges, error) {
+	return nil, errNotSupported
+}
+
+// Pull pulls a plugin, check if the correct privileges are provided and install the plugin.
+func (pm *Manager) Pull(ctx context.Context, ref reference.Named, name string, metaHeader http.Header, authConfig *types.AuthConfig, privileges types.PluginPrivileges, out io.Writer, opts ...CreateOpt) error {
+	return errNotSupported
+}
+
+// Upgrade pulls a plugin, check if the correct privileges are provided and install the plugin.
+func (pm *Manager) Upgrade(ctx context.Context, ref reference.Named, name string, metaHeader http.Header, authConfig *types.AuthConfig, privileges types.PluginPrivileges, outStream io.Writer) error {
+	return errNotSupported
+}
+
+// List displays the list of plugins and associated metadata.
+func (pm *Manager) List(pluginFilters filters.Args) ([]types.Plugin, error) {
+	return nil, errNotSupported
+}
+
+// Push pushes a plugin to the store.
+func (pm *Manager) Push(ctx context.Context, name string, metaHeader http.Header, authConfig *types.AuthConfig, out io.Writer) error {
+	return errNotSupported
+}
+
+// Remove deletes plugin's root directory.
+func (pm *Manager) Remove(name string, config *types.PluginRmConfig) error {
+	return errNotSupported
+}
+
+// Set sets plugin args
+func (pm *Manager) Set(name string, args []string) error {
+	return errNotSupported
+}
+
+// CreateFromContext creates a plugin from the given pluginDir which contains
+// both the rootfs and the config.json and a repoName with optional tag.
+func (pm *Manager) CreateFromContext(ctx context.Context, tarCtx io.ReadCloser, options *types.PluginCreateOptions) error {
+	return errNotSupported
+}
diff --git a/engine/plugin/blobstore.go b/engine/plugin/blobstore.go
new file mode 100644
index 00000000..a24e7bdf
--- /dev/null
+++ b/engine/plugin/blobstore.go
@@ -0,0 +1,190 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+
+	"github.com/docker/docker/distribution/xfer"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/docker/docker/pkg/chrootarchive"
+	"github.com/docker/docker/pkg/progress"
+	"github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type blobstore interface {
+	New() (WriteCommitCloser, error)
+	Get(dgst digest.Digest) (io.ReadCloser, error)
+	Size(dgst digest.Digest) (int64, error)
+}
+
+type basicBlobStore struct {
+	path string
+}
+
+func newBasicBlobStore(p string) (*basicBlobStore, error) {
+	tmpdir := filepath.Join(p, "tmp")
+	if err := os.MkdirAll(tmpdir, 0700); err != nil {
+		return nil, errors.Wrapf(err, "failed to mkdir %v", p)
+	}
+	return &basicBlobStore{path: p}, nil
+}
+
+func (b *basicBlobStore) New() (WriteCommitCloser, error) {
+	f, err := ioutil.TempFile(filepath.Join(b.path, "tmp"), ".insertion")
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create temp file")
+	}
+	return newInsertion(f), nil
+}
+
+func (b *basicBlobStore) Get(dgst digest.Digest) (io.ReadCloser, error) {
+	return os.Open(filepath.Join(b.path, string(dgst.Algorithm()), dgst.Hex()))
+}
+
+func (b *basicBlobStore) Size(dgst digest.Digest) (int64, error) {
+	stat, err := os.Stat(filepath.Join(b.path, string(dgst.Algorithm()), dgst.Hex()))
+	if err != nil {
+		return 0, err
+	}
+	return stat.Size(), nil
+}
+
+func (b *basicBlobStore) gc(whitelist map[digest.Digest]struct{}) {
+	for _, alg := range []string{string(digest.Canonical)} {
+		items, err := ioutil.ReadDir(filepath.Join(b.path, alg))
+		if err != nil {
+			continue
+		}
+		for _, fi := range items {
+			if _, exists := whitelist[digest.Digest(alg+":"+fi.Name())]; !exists {
+				p := filepath.Join(b.path, alg, fi.Name())
+				err := os.RemoveAll(p)
+				logrus.Debugf("cleaned up blob %v: %v", p, err)
+			}
+		}
+	}
+
+}
+
+// WriteCommitCloser defines object that can be committed to blobstore.
+type WriteCommitCloser interface {
+	io.WriteCloser
+	Commit() (digest.Digest, error)
+}
+
+type insertion struct {
+	io.Writer
+	f        *os.File
+	digester digest.Digester
+	closed   bool
+}
+
+func newInsertion(tempFile *os.File) *insertion {
+	digester := digest.Canonical.Digester()
+	return &insertion{f: tempFile, digester: digester, Writer: io.MultiWriter(tempFile, digester.Hash())}
+}
+
+func (i *insertion) Commit() (digest.Digest, error) {
+	p := i.f.Name()
+	d := filepath.Join(filepath.Join(p, "../../"))
+	i.f.Sync()
+	defer os.RemoveAll(p)
+	if err := i.f.Close(); err != nil {
+		return "", err
+	}
+	i.closed = true
+	dgst := i.digester.Digest()
+	if err := os.MkdirAll(filepath.Join(d, string(dgst.Algorithm())), 0700); err != nil {
+		return "", errors.Wrapf(err, "failed to mkdir %v", d)
+	}
+	if err := os.Rename(p, filepath.Join(d, string(dgst.Algorithm()), dgst.Hex())); err != nil {
+		return "", errors.Wrapf(err, "failed to rename %v", p)
+	}
+	return dgst, nil
+}
+
+func (i *insertion) Close() error {
+	if i.closed {
+		return nil
+	}
+	defer os.RemoveAll(i.f.Name())
+	return i.f.Close()
+}
+
+type downloadManager struct {
+	blobStore    blobstore
+	tmpDir       string
+	blobs        []digest.Digest
+	configDigest digest.Digest
+}
+
+func (dm *downloadManager) Download(ctx context.Context, initialRootFS image.RootFS, os string, layers []xfer.DownloadDescriptor, progressOutput progress.Output) (image.RootFS, func(), error) {
+	for _, l := range layers {
+		b, err := dm.blobStore.New()
+		if err != nil {
+			return initialRootFS, nil, err
+		}
+		defer b.Close()
+		rc, _, err := l.Download(ctx, progressOutput)
+		if err != nil {
+			return initialRootFS, nil, errors.Wrap(err, "failed to download")
+		}
+		defer rc.Close()
+		r := io.TeeReader(rc, b)
+		inflatedLayerData, err := archive.DecompressStream(r)
+		if err != nil {
+			return initialRootFS, nil, err
+		}
+		defer inflatedLayerData.Close()
+		digester := digest.Canonical.Digester()
+		if _, err := chrootarchive.ApplyLayer(dm.tmpDir, io.TeeReader(inflatedLayerData, digester.Hash())); err != nil {
+			return initialRootFS, nil, err
+		}
+		initialRootFS.Append(layer.DiffID(digester.Digest()))
+		d, err := b.Commit()
+		if err != nil {
+			return initialRootFS, nil, err
+		}
+		dm.blobs = append(dm.blobs, d)
+	}
+	return initialRootFS, nil, nil
+}
+
+func (dm *downloadManager) Put(dt []byte) (digest.Digest, error) {
+	b, err := dm.blobStore.New()
+	if err != nil {
+		return "", err
+	}
+	defer b.Close()
+	n, err := b.Write(dt)
+	if err != nil {
+		return "", err
+	}
+	if n != len(dt) {
+		return "", io.ErrShortWrite
+	}
+	d, err := b.Commit()
+	dm.configDigest = d
+	return d, err
+}
+
+func (dm *downloadManager) Get(d digest.Digest) ([]byte, error) {
+	return nil, fmt.Errorf("digest not found")
+}
+func (dm *downloadManager) RootFSFromConfig(c []byte) (*image.RootFS, error) {
+	return configToRootFS(c)
+}
+func (dm *downloadManager) PlatformFromConfig(c []byte) (*specs.Platform, error) {
+	// TODO: LCOW/Plugins. This will need revisiting. For now use the runtime OS
+	return &specs.Platform{OS: runtime.GOOS}, nil
+}
diff --git a/engine/plugin/defs.go b/engine/plugin/defs.go
new file mode 100644
index 00000000..31f7c6bc
--- /dev/null
+++ b/engine/plugin/defs.go
@@ -0,0 +1,50 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"sync"
+
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/docker/plugin/v2"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// Store manages the plugin inventory in memory and on-disk
+type Store struct {
+	sync.RWMutex
+	plugins  map[string]*v2.Plugin
+	specOpts map[string][]SpecOpt
+	/* handlers are necessary for transition path of legacy plugins
+	 * to the new model. Legacy plugins use Handle() for registering an
+	 * activation callback.*/
+	handlers map[string][]func(string, *plugins.Client)
+}
+
+// NewStore creates a Store.
+func NewStore() *Store {
+	return &Store{
+		plugins:  make(map[string]*v2.Plugin),
+		specOpts: make(map[string][]SpecOpt),
+		handlers: make(map[string][]func(string, *plugins.Client)),
+	}
+}
+
+// SpecOpt is used for subsystems that need to modify the runtime spec of a plugin
+type SpecOpt func(*specs.Spec)
+
+// CreateOpt is used to configure specific plugin details when created
+type CreateOpt func(p *v2.Plugin)
+
+// WithSwarmService is a CreateOpt that flags the passed in a plugin as a plugin
+// managed by swarm
+func WithSwarmService(id string) CreateOpt {
+	return func(p *v2.Plugin) {
+		p.SwarmServiceID = id
+	}
+}
+
+// WithSpecMounts is a SpecOpt which appends the provided mounts to the runtime spec
+func WithSpecMounts(mounts []specs.Mount) SpecOpt {
+	return func(s *specs.Spec) {
+		s.Mounts = append(s.Mounts, mounts...)
+	}
+}
diff --git a/engine/plugin/errors.go b/engine/plugin/errors.go
new file mode 100644
index 00000000..44d99b39
--- /dev/null
+++ b/engine/plugin/errors.go
@@ -0,0 +1,66 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import "fmt"
+
+type errNotFound string
+
+func (name errNotFound) Error() string {
+	return fmt.Sprintf("plugin %q not found", string(name))
+}
+
+func (errNotFound) NotFound() {}
+
+type errAmbiguous string
+
+func (name errAmbiguous) Error() string {
+	return fmt.Sprintf("multiple plugins found for %q", string(name))
+}
+
+func (name errAmbiguous) InvalidParameter() {}
+
+type errDisabled string
+
+func (name errDisabled) Error() string {
+	return fmt.Sprintf("plugin %s found but disabled", string(name))
+}
+
+func (name errDisabled) Conflict() {}
+
+type invalidFilter struct {
+	filter string
+	value  []string
+}
+
+func (e invalidFilter) Error() string {
+	msg := "Invalid filter '" + e.filter
+	if len(e.value) > 0 {
+		msg += fmt.Sprintf("=%s", e.value)
+	}
+	return msg + "'"
+}
+
+func (invalidFilter) InvalidParameter() {}
+
+type inUseError string
+
+func (e inUseError) Error() string {
+	return "plugin " + string(e) + " is in use"
+}
+
+func (inUseError) Conflict() {}
+
+type enabledError string
+
+func (e enabledError) Error() string {
+	return "plugin " + string(e) + " is enabled"
+}
+
+func (enabledError) Conflict() {}
+
+type alreadyExistsError string
+
+func (e alreadyExistsError) Error() string {
+	return "plugin " + string(e) + " already exists"
+}
+
+func (alreadyExistsError) Conflict() {}
diff --git a/engine/plugin/events.go b/engine/plugin/events.go
new file mode 100644
index 00000000..d204340a
--- /dev/null
+++ b/engine/plugin/events.go
@@ -0,0 +1,111 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"fmt"
+	"reflect"
+
+	"github.com/docker/docker/api/types"
+)
+
+// Event is emitted for actions performed on the plugin manager
+type Event interface {
+	matches(Event) bool
+}
+
+// EventCreate is an event which is emitted when a plugin is created
+// This is either by pull or create from context.
+//
+// Use the `Interfaces` field to match only plugins that implement a specific
+// interface.
+// These are matched against using "or" logic.
+// If no interfaces are listed, all are matched.
+type EventCreate struct {
+	Interfaces map[string]bool
+	Plugin     types.Plugin
+}
+
+func (e EventCreate) matches(observed Event) bool {
+	oe, ok := observed.(EventCreate)
+	if !ok {
+		return false
+	}
+	if len(e.Interfaces) == 0 {
+		return true
+	}
+
+	var ifaceMatch bool
+	for _, in := range oe.Plugin.Config.Interface.Types {
+		if e.Interfaces[in.Capability] {
+			ifaceMatch = true
+			break
+		}
+	}
+	return ifaceMatch
+}
+
+// EventRemove is an event which is emitted when a plugin is removed
+// It maches on the passed in plugin's ID only.
+type EventRemove struct {
+	Plugin types.Plugin
+}
+
+func (e EventRemove) matches(observed Event) bool {
+	oe, ok := observed.(EventRemove)
+	if !ok {
+		return false
+	}
+	return e.Plugin.ID == oe.Plugin.ID
+}
+
+// EventDisable is an event that is emitted when a plugin is disabled
+// It maches on the passed in plugin's ID only.
+type EventDisable struct {
+	Plugin types.Plugin
+}
+
+func (e EventDisable) matches(observed Event) bool {
+	oe, ok := observed.(EventDisable)
+	if !ok {
+		return false
+	}
+	return e.Plugin.ID == oe.Plugin.ID
+}
+
+// EventEnable is an event that is emitted when a plugin is disabled
+// It maches on the passed in plugin's ID only.
+type EventEnable struct {
+	Plugin types.Plugin
+}
+
+func (e EventEnable) matches(observed Event) bool {
+	oe, ok := observed.(EventEnable)
+	if !ok {
+		return false
+	}
+	return e.Plugin.ID == oe.Plugin.ID
+}
+
+// SubscribeEvents provides an event channel to listen for structured events from
+// the plugin manager actions, CRUD operations.
+// The caller must call the returned `cancel()` function once done with the channel
+// or this will leak resources.
+func (pm *Manager) SubscribeEvents(buffer int, watchEvents ...Event) (eventCh <-chan interface{}, cancel func()) {
+	topic := func(i interface{}) bool {
+		observed, ok := i.(Event)
+		if !ok {
+			panic(fmt.Sprintf("unexpected type passed to event channel: %v", reflect.TypeOf(i)))
+		}
+		for _, e := range watchEvents {
+			if e.matches(observed) {
+				return true
+			}
+		}
+		// If no specific events are specified always assume a matched event
+		// If some events were specified and none matched above, then the event
+		// doesn't match
+		return watchEvents == nil
+	}
+	ch := pm.publisher.SubscribeTopicWithBuffer(topic, buffer)
+	cancelFunc := func() { pm.publisher.Evict(ch) }
+	return ch, cancelFunc
+}
diff --git a/engine/plugin/executor/containerd/containerd.go b/engine/plugin/executor/containerd/containerd.go
new file mode 100644
index 00000000..8f1c8a4a
--- /dev/null
+++ b/engine/plugin/executor/containerd/containerd.go
@@ -0,0 +1,175 @@
+package containerd // import "github.com/docker/docker/plugin/executor/containerd"
+
+import (
+	"context"
+	"io"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/cio"
+	"github.com/containerd/containerd/runtime/linux/runctypes"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/libcontainerd"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// pluginNamespace is the name used for the plugins namespace
+const pluginNamespace = "plugins.moby"
+
+// ExitHandler represents an object that is called when the exit event is received from containerd
+type ExitHandler interface {
+	HandleExitEvent(id string) error
+}
+
+// Client is used by the exector to perform operations.
+// TODO(@cpuguy83): This should really just be based off the containerd client interface.
+// However right now this whole package is tied to github.com/docker/docker/libcontainerd
+type Client interface {
+	Create(ctx context.Context, containerID string, spec *specs.Spec, runtimeOptions interface{}) error
+	Restore(ctx context.Context, containerID string, attachStdio libcontainerd.StdioCallback) (alive bool, pid int, err error)
+	Status(ctx context.Context, containerID string) (libcontainerd.Status, error)
+	Delete(ctx context.Context, containerID string) error
+	DeleteTask(ctx context.Context, containerID string) (uint32, time.Time, error)
+	Start(ctx context.Context, containerID, checkpointDir string, withStdin bool, attachStdio libcontainerd.StdioCallback) (pid int, err error)
+	SignalProcess(ctx context.Context, containerID, processID string, signal int) error
+}
+
+// New creates a new containerd plugin executor
+func New(rootDir string, remote libcontainerd.Remote, exitHandler ExitHandler) (*Executor, error) {
+	e := &Executor{
+		rootDir:     rootDir,
+		exitHandler: exitHandler,
+	}
+	client, err := remote.NewClient(pluginNamespace, e)
+	if err != nil {
+		return nil, errors.Wrap(err, "error creating containerd exec client")
+	}
+	e.client = client
+	return e, nil
+}
+
+// Executor is the containerd client implementation of a plugin executor
+type Executor struct {
+	rootDir     string
+	client      Client
+	exitHandler ExitHandler
+}
+
+// deleteTaskAndContainer deletes plugin task and then plugin container from containerd
+func deleteTaskAndContainer(ctx context.Context, cli Client, id string) {
+	_, _, err := cli.DeleteTask(ctx, id)
+	if err != nil && !errdefs.IsNotFound(err) {
+		logrus.WithError(err).WithField("id", id).Error("failed to delete plugin task from containerd")
+	}
+
+	err = cli.Delete(ctx, id)
+	if err != nil && !errdefs.IsNotFound(err) {
+		logrus.WithError(err).WithField("id", id).Error("failed to delete plugin container from containerd")
+	}
+}
+
+// Create creates a new container
+func (e *Executor) Create(id string, spec specs.Spec, stdout, stderr io.WriteCloser) error {
+	opts := runctypes.RuncOptions{
+		RuntimeRoot: filepath.Join(e.rootDir, "runtime-root"),
+	}
+	ctx := context.Background()
+	err := e.client.Create(ctx, id, &spec, &opts)
+	if err != nil {
+		status, err2 := e.client.Status(ctx, id)
+		if err2 != nil {
+			if !errdefs.IsNotFound(err2) {
+				logrus.WithError(err2).WithField("id", id).Warn("Received an error while attempting to read plugin status")
+			}
+		} else {
+			if status != libcontainerd.StatusRunning && status != libcontainerd.StatusUnknown {
+				if err2 := e.client.Delete(ctx, id); err2 != nil && !errdefs.IsNotFound(err2) {
+					logrus.WithError(err2).WithField("plugin", id).Error("Error cleaning up containerd container")
+				}
+				err = e.client.Create(ctx, id, &spec, &opts)
+			}
+		}
+
+		if err != nil {
+			return errors.Wrap(err, "error creating containerd container")
+		}
+	}
+
+	_, err = e.client.Start(ctx, id, "", false, attachStreamsFunc(stdout, stderr))
+	if err != nil {
+		deleteTaskAndContainer(ctx, e.client, id)
+	}
+	return err
+}
+
+// Restore restores a container
+func (e *Executor) Restore(id string, stdout, stderr io.WriteCloser) (bool, error) {
+	alive, _, err := e.client.Restore(context.Background(), id, attachStreamsFunc(stdout, stderr))
+	if err != nil && !errdefs.IsNotFound(err) {
+		return false, err
+	}
+	if !alive {
+		deleteTaskAndContainer(context.Background(), e.client, id)
+	}
+	return alive, nil
+}
+
+// IsRunning returns if the container with the given id is running
+func (e *Executor) IsRunning(id string) (bool, error) {
+	status, err := e.client.Status(context.Background(), id)
+	return status == libcontainerd.StatusRunning, err
+}
+
+// Signal sends the specified signal to the container
+func (e *Executor) Signal(id string, signal int) error {
+	return e.client.SignalProcess(context.Background(), id, libcontainerd.InitProcessName, signal)
+}
+
+// ProcessEvent handles events from containerd
+// All events are ignored except the exit event, which is sent of to the stored handler
+func (e *Executor) ProcessEvent(id string, et libcontainerd.EventType, ei libcontainerd.EventInfo) error {
+	switch et {
+	case libcontainerd.EventExit:
+		deleteTaskAndContainer(context.Background(), e.client, id)
+		return e.exitHandler.HandleExitEvent(ei.ContainerID)
+	}
+	return nil
+}
+
+type rio struct {
+	cio.IO
+
+	wg sync.WaitGroup
+}
+
+func (c *rio) Wait() {
+	c.wg.Wait()
+	c.IO.Wait()
+}
+
+func attachStreamsFunc(stdout, stderr io.WriteCloser) libcontainerd.StdioCallback {
+	return func(iop *cio.DirectIO) (cio.IO, error) {
+		if iop.Stdin != nil {
+			iop.Stdin.Close()
+			// closing stdin shouldn't be needed here, it should never be open
+			panic("plugin stdin shouldn't have been created!")
+		}
+
+		rio := &rio{IO: iop}
+		rio.wg.Add(2)
+		go func() {
+			io.Copy(stdout, iop.Stdout)
+			stdout.Close()
+			rio.wg.Done()
+		}()
+		go func() {
+			io.Copy(stderr, iop.Stderr)
+			stderr.Close()
+			rio.wg.Done()
+		}()
+		return rio, nil
+	}
+}
diff --git a/engine/plugin/executor/containerd/containerd_test.go b/engine/plugin/executor/containerd/containerd_test.go
new file mode 100644
index 00000000..e27063b1
--- /dev/null
+++ b/engine/plugin/executor/containerd/containerd_test.go
@@ -0,0 +1,148 @@
+package containerd
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/libcontainerd"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+)
+
+func TestLifeCycle(t *testing.T) {
+	t.Parallel()
+
+	mock := newMockClient()
+	exec, cleanup := setupTest(t, mock, mock)
+	defer cleanup()
+
+	id := "test-create"
+	mock.simulateStartError(true, id)
+	err := exec.Create(id, specs.Spec{}, nil, nil)
+	assert.Assert(t, err != nil)
+	mock.simulateStartError(false, id)
+
+	err = exec.Create(id, specs.Spec{}, nil, nil)
+	assert.Assert(t, err)
+	running, _ := exec.IsRunning(id)
+	assert.Assert(t, running)
+
+	// create with the same ID
+	err = exec.Create(id, specs.Spec{}, nil, nil)
+	assert.Assert(t, err != nil)
+
+	mock.HandleExitEvent(id) // simulate a plugin that exits
+
+	err = exec.Create(id, specs.Spec{}, nil, nil)
+	assert.Assert(t, err)
+}
+
+func setupTest(t *testing.T, client Client, eh ExitHandler) (*Executor, func()) {
+	rootDir, err := ioutil.TempDir("", "test-daemon")
+	assert.Assert(t, err)
+	assert.Assert(t, client != nil)
+	assert.Assert(t, eh != nil)
+
+	return &Executor{
+			rootDir:     rootDir,
+			client:      client,
+			exitHandler: eh,
+		}, func() {
+			assert.Assert(t, os.RemoveAll(rootDir))
+		}
+}
+
+type mockClient struct {
+	mu           sync.Mutex
+	containers   map[string]bool
+	errorOnStart map[string]bool
+}
+
+func newMockClient() *mockClient {
+	return &mockClient{
+		containers:   make(map[string]bool),
+		errorOnStart: make(map[string]bool),
+	}
+}
+
+func (c *mockClient) Create(ctx context.Context, id string, _ *specs.Spec, _ interface{}) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if _, ok := c.containers[id]; ok {
+		return errors.New("exists")
+	}
+
+	c.containers[id] = false
+	return nil
+}
+
+func (c *mockClient) Restore(ctx context.Context, id string, attachStdio libcontainerd.StdioCallback) (alive bool, pid int, err error) {
+	return false, 0, nil
+}
+
+func (c *mockClient) Status(ctx context.Context, id string) (libcontainerd.Status, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	running, ok := c.containers[id]
+	if !ok {
+		return libcontainerd.StatusUnknown, errors.New("not found")
+	}
+	if running {
+		return libcontainerd.StatusRunning, nil
+	}
+	return libcontainerd.StatusStopped, nil
+}
+
+func (c *mockClient) Delete(ctx context.Context, id string) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	delete(c.containers, id)
+	return nil
+}
+
+func (c *mockClient) DeleteTask(ctx context.Context, id string) (uint32, time.Time, error) {
+	return 0, time.Time{}, nil
+}
+
+func (c *mockClient) Start(ctx context.Context, id, checkpointDir string, withStdin bool, attachStdio libcontainerd.StdioCallback) (pid int, err error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if _, ok := c.containers[id]; !ok {
+		return 0, errors.New("not found")
+	}
+
+	if c.errorOnStart[id] {
+		return 0, errors.New("some startup error")
+	}
+	c.containers[id] = true
+	return 1, nil
+}
+
+func (c *mockClient) SignalProcess(ctx context.Context, containerID, processID string, signal int) error {
+	return nil
+}
+
+func (c *mockClient) simulateStartError(sim bool, id string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if sim {
+		c.errorOnStart[id] = sim
+		return
+	}
+	delete(c.errorOnStart, id)
+}
+
+func (c *mockClient) HandleExitEvent(id string) error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	delete(c.containers, id)
+	return nil
+}
diff --git a/engine/plugin/manager.go b/engine/plugin/manager.go
new file mode 100644
index 00000000..c6f89612
--- /dev/null
+++ b/engine/plugin/manager.go
@@ -0,0 +1,384 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"regexp"
+	"sort"
+	"strings"
+	"sync"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/image"
+	"github.com/docker/docker/layer"
+	"github.com/docker/docker/pkg/authorization"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/pubsub"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/plugin/v2"
+	"github.com/docker/docker/registry"
+	"github.com/opencontainers/go-digest"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const configFileName = "config.json"
+const rootFSFileName = "rootfs"
+
+var validFullID = regexp.MustCompile(`^([a-f0-9]{64})$`)
+
+// Executor is the interface that the plugin manager uses to interact with for starting/stopping plugins
+type Executor interface {
+	Create(id string, spec specs.Spec, stdout, stderr io.WriteCloser) error
+	IsRunning(id string) (bool, error)
+	Restore(id string, stdout, stderr io.WriteCloser) (alive bool, err error)
+	Signal(id string, signal int) error
+}
+
+func (pm *Manager) restorePlugin(p *v2.Plugin, c *controller) error {
+	if p.IsEnabled() {
+		return pm.restore(p, c)
+	}
+	return nil
+}
+
+type eventLogger func(id, name, action string)
+
+// ManagerConfig defines configuration needed to start new manager.
+type ManagerConfig struct {
+	Store              *Store // remove
+	RegistryService    registry.Service
+	LiveRestoreEnabled bool // TODO: remove
+	LogPluginEvent     eventLogger
+	Root               string
+	ExecRoot           string
+	CreateExecutor     ExecutorCreator
+	AuthzMiddleware    *authorization.Middleware
+}
+
+// ExecutorCreator is used in the manager config to pass in an `Executor`
+type ExecutorCreator func(*Manager) (Executor, error)
+
+// Manager controls the plugin subsystem.
+type Manager struct {
+	config    ManagerConfig
+	mu        sync.RWMutex // protects cMap
+	muGC      sync.RWMutex // protects blobstore deletions
+	cMap      map[*v2.Plugin]*controller
+	blobStore *basicBlobStore
+	publisher *pubsub.Publisher
+	executor  Executor
+}
+
+// controller represents the manager's control on a plugin.
+type controller struct {
+	restart       bool
+	exitChan      chan bool
+	timeoutInSecs int
+}
+
+// pluginRegistryService ensures that all resolved repositories
+// are of the plugin class.
+type pluginRegistryService struct {
+	registry.Service
+}
+
+func (s pluginRegistryService) ResolveRepository(name reference.Named) (repoInfo *registry.RepositoryInfo, err error) {
+	repoInfo, err = s.Service.ResolveRepository(name)
+	if repoInfo != nil {
+		repoInfo.Class = "plugin"
+	}
+	return
+}
+
+// NewManager returns a new plugin manager.
+func NewManager(config ManagerConfig) (*Manager, error) {
+	if config.RegistryService != nil {
+		config.RegistryService = pluginRegistryService{config.RegistryService}
+	}
+	manager := &Manager{
+		config: config,
+	}
+	for _, dirName := range []string{manager.config.Root, manager.config.ExecRoot, manager.tmpDir()} {
+		if err := os.MkdirAll(dirName, 0700); err != nil {
+			return nil, errors.Wrapf(err, "failed to mkdir %v", dirName)
+		}
+	}
+	var err error
+	manager.executor, err = config.CreateExecutor(manager)
+	if err != nil {
+		return nil, err
+	}
+
+	manager.blobStore, err = newBasicBlobStore(filepath.Join(manager.config.Root, "storage/blobs"))
+	if err != nil {
+		return nil, err
+	}
+
+	manager.cMap = make(map[*v2.Plugin]*controller)
+	if err := manager.reload(); err != nil {
+		return nil, errors.Wrap(err, "failed to restore plugins")
+	}
+
+	manager.publisher = pubsub.NewPublisher(0, 0)
+	return manager, nil
+}
+
+func (pm *Manager) tmpDir() string {
+	return filepath.Join(pm.config.Root, "tmp")
+}
+
+// HandleExitEvent is called when the executor receives the exit event
+// In the future we may change this, but for now all we care about is the exit event.
+func (pm *Manager) HandleExitEvent(id string) error {
+	p, err := pm.config.Store.GetV2Plugin(id)
+	if err != nil {
+		return err
+	}
+
+	if err := os.RemoveAll(filepath.Join(pm.config.ExecRoot, id)); err != nil && !os.IsNotExist(err) {
+		logrus.WithError(err).WithField("id", id).Error("Could not remove plugin bundle dir")
+	}
+
+	pm.mu.RLock()
+	c := pm.cMap[p]
+	if c.exitChan != nil {
+		close(c.exitChan)
+		c.exitChan = nil // ignore duplicate events (containerd issue #2299)
+	}
+	restart := c.restart
+	pm.mu.RUnlock()
+
+	if restart {
+		pm.enable(p, c, true)
+	} else {
+		if err := mount.RecursiveUnmount(filepath.Join(pm.config.Root, id)); err != nil {
+			return errors.Wrap(err, "error cleaning up plugin mounts")
+		}
+	}
+	return nil
+}
+
+func handleLoadError(err error, id string) {
+	if err == nil {
+		return
+	}
+	logger := logrus.WithError(err).WithField("id", id)
+	if os.IsNotExist(errors.Cause(err)) {
+		// Likely some error while removing on an older version of docker
+		logger.Warn("missing plugin config, skipping: this may be caused due to a failed remove and requires manual cleanup.")
+		return
+	}
+	logger.Error("error loading plugin, skipping")
+}
+
+func (pm *Manager) reload() error { // todo: restore
+	dir, err := ioutil.ReadDir(pm.config.Root)
+	if err != nil {
+		return errors.Wrapf(err, "failed to read %v", pm.config.Root)
+	}
+	plugins := make(map[string]*v2.Plugin)
+	for _, v := range dir {
+		if validFullID.MatchString(v.Name()) {
+			p, err := pm.loadPlugin(v.Name())
+			if err != nil {
+				handleLoadError(err, v.Name())
+				continue
+			}
+			plugins[p.GetID()] = p
+		} else {
+			if validFullID.MatchString(strings.TrimSuffix(v.Name(), "-removing")) {
+				// There was likely some error while removing this plugin, let's try to remove again here
+				if err := system.EnsureRemoveAll(v.Name()); err != nil {
+					logrus.WithError(err).WithField("id", v.Name()).Warn("error while attempting to clean up previously removed plugin")
+				}
+			}
+		}
+	}
+
+	pm.config.Store.SetAll(plugins)
+
+	var wg sync.WaitGroup
+	wg.Add(len(plugins))
+	for _, p := range plugins {
+		c := &controller{exitChan: make(chan bool)}
+		pm.mu.Lock()
+		pm.cMap[p] = c
+		pm.mu.Unlock()
+
+		go func(p *v2.Plugin) {
+			defer wg.Done()
+			if err := pm.restorePlugin(p, c); err != nil {
+				logrus.WithError(err).WithField("id", p.GetID()).Error("Failed to restore plugin")
+				return
+			}
+
+			if p.Rootfs != "" {
+				p.Rootfs = filepath.Join(pm.config.Root, p.PluginObj.ID, "rootfs")
+			}
+
+			// We should only enable rootfs propagation for certain plugin types that need it.
+			for _, typ := range p.PluginObj.Config.Interface.Types {
+				if (typ.Capability == "volumedriver" || typ.Capability == "graphdriver") && typ.Prefix == "docker" && strings.HasPrefix(typ.Version, "1.") {
+					if p.PluginObj.Config.PropagatedMount != "" {
+						propRoot := filepath.Join(filepath.Dir(p.Rootfs), "propagated-mount")
+
+						// check if we need to migrate an older propagated mount from before
+						// these mounts were stored outside the plugin rootfs
+						if _, err := os.Stat(propRoot); os.IsNotExist(err) {
+							rootfsProp := filepath.Join(p.Rootfs, p.PluginObj.Config.PropagatedMount)
+							if _, err := os.Stat(rootfsProp); err == nil {
+								if err := os.Rename(rootfsProp, propRoot); err != nil {
+									logrus.WithError(err).WithField("dir", propRoot).Error("error migrating propagated mount storage")
+								}
+							}
+						}
+
+						if err := os.MkdirAll(propRoot, 0755); err != nil {
+							logrus.Errorf("failed to create PropagatedMount directory at %s: %v", propRoot, err)
+						}
+					}
+				}
+			}
+
+			pm.save(p)
+			requiresManualRestore := !pm.config.LiveRestoreEnabled && p.IsEnabled()
+
+			if requiresManualRestore {
+				// if liveRestore is not enabled, the plugin will be stopped now so we should enable it
+				if err := pm.enable(p, c, true); err != nil {
+					logrus.WithError(err).WithField("id", p.GetID()).Error("failed to enable plugin")
+				}
+			}
+		}(p)
+	}
+	wg.Wait()
+	return nil
+}
+
+// Get looks up the requested plugin in the store.
+func (pm *Manager) Get(idOrName string) (*v2.Plugin, error) {
+	return pm.config.Store.GetV2Plugin(idOrName)
+}
+
+func (pm *Manager) loadPlugin(id string) (*v2.Plugin, error) {
+	p := filepath.Join(pm.config.Root, id, configFileName)
+	dt, err := ioutil.ReadFile(p)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error reading %v", p)
+	}
+	var plugin v2.Plugin
+	if err := json.Unmarshal(dt, &plugin); err != nil {
+		return nil, errors.Wrapf(err, "error decoding %v", p)
+	}
+	return &plugin, nil
+}
+
+func (pm *Manager) save(p *v2.Plugin) error {
+	pluginJSON, err := json.Marshal(p)
+	if err != nil {
+		return errors.Wrap(err, "failed to marshal plugin json")
+	}
+	if err := ioutils.AtomicWriteFile(filepath.Join(pm.config.Root, p.GetID(), configFileName), pluginJSON, 0600); err != nil {
+		return errors.Wrap(err, "failed to write atomically plugin json")
+	}
+	return nil
+}
+
+// GC cleans up unreferenced blobs. This is recommended to run in a goroutine
+func (pm *Manager) GC() {
+	pm.muGC.Lock()
+	defer pm.muGC.Unlock()
+
+	whitelist := make(map[digest.Digest]struct{})
+	for _, p := range pm.config.Store.GetAll() {
+		whitelist[p.Config] = struct{}{}
+		for _, b := range p.Blobsums {
+			whitelist[b] = struct{}{}
+		}
+	}
+
+	pm.blobStore.gc(whitelist)
+}
+
+type logHook struct{ id string }
+
+func (logHook) Levels() []logrus.Level {
+	return logrus.AllLevels
+}
+
+func (l logHook) Fire(entry *logrus.Entry) error {
+	entry.Data = logrus.Fields{"plugin": l.id}
+	return nil
+}
+
+func makeLoggerStreams(id string) (stdout, stderr io.WriteCloser) {
+	logger := logrus.New()
+	logger.Hooks.Add(logHook{id})
+	return logger.WriterLevel(logrus.InfoLevel), logger.WriterLevel(logrus.ErrorLevel)
+}
+
+func validatePrivileges(requiredPrivileges, privileges types.PluginPrivileges) error {
+	if !isEqual(requiredPrivileges, privileges, isEqualPrivilege) {
+		return errors.New("incorrect privileges")
+	}
+
+	return nil
+}
+
+func isEqual(arrOne, arrOther types.PluginPrivileges, compare func(x, y types.PluginPrivilege) bool) bool {
+	if len(arrOne) != len(arrOther) {
+		return false
+	}
+
+	sort.Sort(arrOne)
+	sort.Sort(arrOther)
+
+	for i := 1; i < arrOne.Len(); i++ {
+		if !compare(arrOne[i], arrOther[i]) {
+			return false
+		}
+	}
+
+	return true
+}
+
+func isEqualPrivilege(a, b types.PluginPrivilege) bool {
+	if a.Name != b.Name {
+		return false
+	}
+
+	return reflect.DeepEqual(a.Value, b.Value)
+}
+
+func configToRootFS(c []byte) (*image.RootFS, error) {
+	var pluginConfig types.PluginConfig
+	if err := json.Unmarshal(c, &pluginConfig); err != nil {
+		return nil, err
+	}
+	// validation for empty rootfs is in distribution code
+	if pluginConfig.Rootfs == nil {
+		return nil, nil
+	}
+
+	return rootFSFromPlugin(pluginConfig.Rootfs), nil
+}
+
+func rootFSFromPlugin(pluginfs *types.PluginConfigRootfs) *image.RootFS {
+	rootFS := image.RootFS{
+		Type:    pluginfs.Type,
+		DiffIDs: make([]layer.DiffID, len(pluginfs.DiffIds)),
+	}
+	for i := range pluginfs.DiffIds {
+		rootFS.DiffIDs[i] = layer.DiffID(pluginfs.DiffIds[i])
+	}
+
+	return &rootFS
+}
diff --git a/engine/plugin/manager_linux.go b/engine/plugin/manager_linux.go
new file mode 100644
index 00000000..3c6f9c55
--- /dev/null
+++ b/engine/plugin/manager_linux.go
@@ -0,0 +1,335 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"encoding/json"
+	"net"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/daemon/initlayer"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/containerfs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/plugin/v2"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+func (pm *Manager) enable(p *v2.Plugin, c *controller, force bool) error {
+	p.Rootfs = filepath.Join(pm.config.Root, p.PluginObj.ID, "rootfs")
+	if p.IsEnabled() && !force {
+		return errors.Wrap(enabledError(p.Name()), "plugin already enabled")
+	}
+	spec, err := p.InitSpec(pm.config.ExecRoot)
+	if err != nil {
+		return err
+	}
+
+	c.restart = true
+	c.exitChan = make(chan bool)
+
+	pm.mu.Lock()
+	pm.cMap[p] = c
+	pm.mu.Unlock()
+
+	var propRoot string
+	if p.PluginObj.Config.PropagatedMount != "" {
+		propRoot = filepath.Join(filepath.Dir(p.Rootfs), "propagated-mount")
+
+		if err := os.MkdirAll(propRoot, 0755); err != nil {
+			logrus.Errorf("failed to create PropagatedMount directory at %s: %v", propRoot, err)
+		}
+
+		if err := mount.MakeRShared(propRoot); err != nil {
+			return errors.Wrap(err, "error setting up propagated mount dir")
+		}
+	}
+
+	rootFS := containerfs.NewLocalContainerFS(filepath.Join(pm.config.Root, p.PluginObj.ID, rootFSFileName))
+	if err := initlayer.Setup(rootFS, idtools.IDPair{UID: 0, GID: 0}); err != nil {
+		return errors.WithStack(err)
+	}
+
+	stdout, stderr := makeLoggerStreams(p.GetID())
+	if err := pm.executor.Create(p.GetID(), *spec, stdout, stderr); err != nil {
+		if p.PluginObj.Config.PropagatedMount != "" {
+			if err := mount.Unmount(propRoot); err != nil {
+				logrus.Warnf("Could not unmount %s: %v", propRoot, err)
+			}
+		}
+		return errors.WithStack(err)
+	}
+	return pm.pluginPostStart(p, c)
+}
+
+func (pm *Manager) pluginPostStart(p *v2.Plugin, c *controller) error {
+	sockAddr := filepath.Join(pm.config.ExecRoot, p.GetID(), p.GetSocket())
+	p.SetTimeout(time.Duration(c.timeoutInSecs) * time.Second)
+	addr := &net.UnixAddr{Net: "unix", Name: sockAddr}
+	p.SetAddr(addr)
+
+	if p.Protocol() == plugins.ProtocolSchemeHTTPV1 {
+		client, err := plugins.NewClientWithTimeout(addr.Network()+"://"+addr.String(), nil, p.Timeout())
+		if err != nil {
+			c.restart = false
+			shutdownPlugin(p, c.exitChan, pm.executor)
+			return errors.WithStack(err)
+		}
+
+		p.SetPClient(client)
+	}
+
+	// Initial sleep before net Dial to allow plugin to listen on socket.
+	time.Sleep(500 * time.Millisecond)
+	maxRetries := 3
+	var retries int
+	for {
+		// net dial into the unix socket to see if someone's listening.
+		conn, err := net.Dial("unix", sockAddr)
+		if err == nil {
+			conn.Close()
+			break
+		}
+
+		time.Sleep(3 * time.Second)
+		retries++
+
+		if retries > maxRetries {
+			logrus.Debugf("error net dialing plugin: %v", err)
+			c.restart = false
+			// While restoring plugins, we need to explicitly set the state to disabled
+			pm.config.Store.SetState(p, false)
+			shutdownPlugin(p, c.exitChan, pm.executor)
+			return err
+		}
+
+	}
+	pm.config.Store.SetState(p, true)
+	pm.config.Store.CallHandler(p)
+
+	return pm.save(p)
+}
+
+func (pm *Manager) restore(p *v2.Plugin, c *controller) error {
+	stdout, stderr := makeLoggerStreams(p.GetID())
+	alive, err := pm.executor.Restore(p.GetID(), stdout, stderr)
+	if err != nil {
+		return err
+	}
+
+	if pm.config.LiveRestoreEnabled {
+		if !alive {
+			return pm.enable(p, c, true)
+		}
+
+		c.exitChan = make(chan bool)
+		c.restart = true
+		pm.mu.Lock()
+		pm.cMap[p] = c
+		pm.mu.Unlock()
+		return pm.pluginPostStart(p, c)
+	}
+
+	if alive {
+		// TODO(@cpuguy83): Should we always just re-attach to the running plugin instead of doing this?
+		c.restart = false
+		shutdownPlugin(p, c.exitChan, pm.executor)
+	}
+
+	return nil
+}
+
+func shutdownPlugin(p *v2.Plugin, ec chan bool, executor Executor) {
+	pluginID := p.GetID()
+
+	err := executor.Signal(pluginID, int(unix.SIGTERM))
+	if err != nil {
+		logrus.Errorf("Sending SIGTERM to plugin failed with error: %v", err)
+	} else {
+		select {
+		case <-ec:
+			logrus.Debug("Clean shutdown of plugin")
+		case <-time.After(time.Second * 10):
+			logrus.Debug("Force shutdown plugin")
+			if err := executor.Signal(pluginID, int(unix.SIGKILL)); err != nil {
+				logrus.Errorf("Sending SIGKILL to plugin failed with error: %v", err)
+			}
+			select {
+			case <-ec:
+				logrus.Debug("SIGKILL plugin shutdown")
+			case <-time.After(time.Second * 10):
+				logrus.Debug("Force shutdown plugin FAILED")
+			}
+		}
+	}
+}
+
+func (pm *Manager) disable(p *v2.Plugin, c *controller) error {
+	if !p.IsEnabled() {
+		return errors.Wrap(errDisabled(p.Name()), "plugin is already disabled")
+	}
+
+	c.restart = false
+	shutdownPlugin(p, c.exitChan, pm.executor)
+	pm.config.Store.SetState(p, false)
+	return pm.save(p)
+}
+
+// Shutdown stops all plugins and called during daemon shutdown.
+func (pm *Manager) Shutdown() {
+	plugins := pm.config.Store.GetAll()
+	for _, p := range plugins {
+		pm.mu.RLock()
+		c := pm.cMap[p]
+		pm.mu.RUnlock()
+
+		if pm.config.LiveRestoreEnabled && p.IsEnabled() {
+			logrus.Debug("Plugin active when liveRestore is set, skipping shutdown")
+			continue
+		}
+		if pm.executor != nil && p.IsEnabled() {
+			c.restart = false
+			shutdownPlugin(p, c.exitChan, pm.executor)
+		}
+	}
+	if err := mount.RecursiveUnmount(pm.config.Root); err != nil {
+		logrus.WithError(err).Warn("error cleaning up plugin mounts")
+	}
+}
+
+func (pm *Manager) upgradePlugin(p *v2.Plugin, configDigest digest.Digest, blobsums []digest.Digest, tmpRootFSDir string, privileges *types.PluginPrivileges) (err error) {
+	config, err := pm.setupNewPlugin(configDigest, blobsums, privileges)
+	if err != nil {
+		return err
+	}
+
+	pdir := filepath.Join(pm.config.Root, p.PluginObj.ID)
+	orig := filepath.Join(pdir, "rootfs")
+
+	// Make sure nothing is mounted
+	// This could happen if the plugin was disabled with `-f` with active mounts.
+	// If there is anything in `orig` is still mounted, this should error out.
+	if err := mount.RecursiveUnmount(orig); err != nil {
+		return errdefs.System(err)
+	}
+
+	backup := orig + "-old"
+	if err := os.Rename(orig, backup); err != nil {
+		return errors.Wrap(errdefs.System(err), "error backing up plugin data before upgrade")
+	}
+
+	defer func() {
+		if err != nil {
+			if rmErr := os.RemoveAll(orig); rmErr != nil && !os.IsNotExist(rmErr) {
+				logrus.WithError(rmErr).WithField("dir", backup).Error("error cleaning up after failed upgrade")
+				return
+			}
+			if mvErr := os.Rename(backup, orig); mvErr != nil {
+				err = errors.Wrap(mvErr, "error restoring old plugin root on upgrade failure")
+			}
+			if rmErr := os.RemoveAll(tmpRootFSDir); rmErr != nil && !os.IsNotExist(rmErr) {
+				logrus.WithError(rmErr).WithField("plugin", p.Name()).Errorf("error cleaning up plugin upgrade dir: %s", tmpRootFSDir)
+			}
+		} else {
+			if rmErr := os.RemoveAll(backup); rmErr != nil && !os.IsNotExist(rmErr) {
+				logrus.WithError(rmErr).WithField("dir", backup).Error("error cleaning up old plugin root after successful upgrade")
+			}
+
+			p.Config = configDigest
+			p.Blobsums = blobsums
+		}
+	}()
+
+	if err := os.Rename(tmpRootFSDir, orig); err != nil {
+		return errors.Wrap(errdefs.System(err), "error upgrading")
+	}
+
+	p.PluginObj.Config = config
+	err = pm.save(p)
+	return errors.Wrap(err, "error saving upgraded plugin config")
+}
+
+func (pm *Manager) setupNewPlugin(configDigest digest.Digest, blobsums []digest.Digest, privileges *types.PluginPrivileges) (types.PluginConfig, error) {
+	configRC, err := pm.blobStore.Get(configDigest)
+	if err != nil {
+		return types.PluginConfig{}, err
+	}
+	defer configRC.Close()
+
+	var config types.PluginConfig
+	dec := json.NewDecoder(configRC)
+	if err := dec.Decode(&config); err != nil {
+		return types.PluginConfig{}, errors.Wrapf(err, "failed to parse config")
+	}
+	if dec.More() {
+		return types.PluginConfig{}, errors.New("invalid config json")
+	}
+
+	requiredPrivileges := computePrivileges(config)
+	if err != nil {
+		return types.PluginConfig{}, err
+	}
+	if privileges != nil {
+		if err := validatePrivileges(requiredPrivileges, *privileges); err != nil {
+			return types.PluginConfig{}, err
+		}
+	}
+
+	return config, nil
+}
+
+// createPlugin creates a new plugin. take lock before calling.
+func (pm *Manager) createPlugin(name string, configDigest digest.Digest, blobsums []digest.Digest, rootFSDir string, privileges *types.PluginPrivileges, opts ...CreateOpt) (p *v2.Plugin, err error) {
+	if err := pm.config.Store.validateName(name); err != nil { // todo: this check is wrong. remove store
+		return nil, errdefs.InvalidParameter(err)
+	}
+
+	config, err := pm.setupNewPlugin(configDigest, blobsums, privileges)
+	if err != nil {
+		return nil, err
+	}
+
+	p = &v2.Plugin{
+		PluginObj: types.Plugin{
+			Name:   name,
+			ID:     stringid.GenerateRandomID(),
+			Config: config,
+		},
+		Config:   configDigest,
+		Blobsums: blobsums,
+	}
+	p.InitEmptySettings()
+	for _, o := range opts {
+		o(p)
+	}
+
+	pdir := filepath.Join(pm.config.Root, p.PluginObj.ID)
+	if err := os.MkdirAll(pdir, 0700); err != nil {
+		return nil, errors.Wrapf(err, "failed to mkdir %v", pdir)
+	}
+
+	defer func() {
+		if err != nil {
+			os.RemoveAll(pdir)
+		}
+	}()
+
+	if err := os.Rename(rootFSDir, filepath.Join(pdir, rootFSFileName)); err != nil {
+		return nil, errors.Wrap(err, "failed to rename rootfs")
+	}
+
+	if err := pm.save(p); err != nil {
+		return nil, err
+	}
+
+	pm.config.Store.Add(p) // todo: remove
+
+	return p, nil
+}
diff --git a/engine/plugin/manager_linux_test.go b/engine/plugin/manager_linux_test.go
new file mode 100644
index 00000000..fd8fa852
--- /dev/null
+++ b/engine/plugin/manager_linux_test.go
@@ -0,0 +1,279 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"io"
+	"io/ioutil"
+	"net"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/system"
+	"github.com/docker/docker/plugin/v2"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"gotest.tools/skip"
+)
+
+func TestManagerWithPluginMounts(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	root, err := ioutil.TempDir("", "test-store-with-plugin-mounts")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer system.EnsureRemoveAll(root)
+
+	s := NewStore()
+	managerRoot := filepath.Join(root, "manager")
+	p1 := newTestPlugin(t, "test1", "testcap", managerRoot)
+
+	p2 := newTestPlugin(t, "test2", "testcap", managerRoot)
+	p2.PluginObj.Enabled = true
+
+	m, err := NewManager(
+		ManagerConfig{
+			Store:          s,
+			Root:           managerRoot,
+			ExecRoot:       filepath.Join(root, "exec"),
+			CreateExecutor: func(*Manager) (Executor, error) { return nil, nil },
+			LogPluginEvent: func(_, _, _ string) {},
+		})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := s.Add(p1); err != nil {
+		t.Fatal(err)
+	}
+	if err := s.Add(p2); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a mount to simulate a plugin that has created it's own mounts
+	p2Mount := filepath.Join(p2.Rootfs, "testmount")
+	if err := os.MkdirAll(p2Mount, 0755); err != nil {
+		t.Fatal(err)
+	}
+	if err := mount.Mount("tmpfs", p2Mount, "tmpfs", ""); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := m.Remove(p1.GetID(), &types.PluginRmConfig{ForceRemove: true}); err != nil {
+		t.Fatal(err)
+	}
+	if mounted, err := mount.Mounted(p2Mount); !mounted || err != nil {
+		t.Fatalf("expected %s to be mounted, err: %v", p2Mount, err)
+	}
+}
+
+func newTestPlugin(t *testing.T, name, cap, root string) *v2.Plugin {
+	id := stringid.GenerateNonCryptoID()
+	rootfs := filepath.Join(root, id)
+	if err := os.MkdirAll(rootfs, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	p := v2.Plugin{PluginObj: types.Plugin{ID: id, Name: name}}
+	p.Rootfs = rootfs
+	iType := types.PluginInterfaceType{Capability: cap, Prefix: "docker", Version: "1.0"}
+	i := types.PluginConfigInterface{Socket: "plugin.sock", Types: []types.PluginInterfaceType{iType}}
+	p.PluginObj.Config.Interface = i
+	p.PluginObj.ID = id
+
+	return &p
+}
+
+type simpleExecutor struct {
+}
+
+func (e *simpleExecutor) Create(id string, spec specs.Spec, stdout, stderr io.WriteCloser) error {
+	return errors.New("Create failed")
+}
+
+func (e *simpleExecutor) Restore(id string, stdout, stderr io.WriteCloser) (bool, error) {
+	return false, nil
+}
+
+func (e *simpleExecutor) IsRunning(id string) (bool, error) {
+	return false, nil
+}
+
+func (e *simpleExecutor) Signal(id string, signal int) error {
+	return nil
+}
+
+func TestCreateFailed(t *testing.T) {
+	root, err := ioutil.TempDir("", "test-create-failed")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer system.EnsureRemoveAll(root)
+
+	s := NewStore()
+	managerRoot := filepath.Join(root, "manager")
+	p := newTestPlugin(t, "create", "testcreate", managerRoot)
+
+	m, err := NewManager(
+		ManagerConfig{
+			Store:          s,
+			Root:           managerRoot,
+			ExecRoot:       filepath.Join(root, "exec"),
+			CreateExecutor: func(*Manager) (Executor, error) { return &simpleExecutor{}, nil },
+			LogPluginEvent: func(_, _, _ string) {},
+		})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := s.Add(p); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := m.enable(p, &controller{}, false); err == nil {
+		t.Fatalf("expected Create failed error, got %v", err)
+	}
+
+	if err := m.Remove(p.GetID(), &types.PluginRmConfig{ForceRemove: true}); err != nil {
+		t.Fatal(err)
+	}
+}
+
+type executorWithRunning struct {
+	m         *Manager
+	root      string
+	exitChans map[string]chan struct{}
+}
+
+func (e *executorWithRunning) Create(id string, spec specs.Spec, stdout, stderr io.WriteCloser) error {
+	sockAddr := filepath.Join(e.root, id, "plugin.sock")
+	ch := make(chan struct{})
+	if e.exitChans == nil {
+		e.exitChans = make(map[string]chan struct{})
+	}
+	e.exitChans[id] = ch
+	listenTestPlugin(sockAddr, ch)
+	return nil
+}
+
+func (e *executorWithRunning) IsRunning(id string) (bool, error) {
+	return true, nil
+}
+func (e *executorWithRunning) Restore(id string, stdout, stderr io.WriteCloser) (bool, error) {
+	return true, nil
+}
+
+func (e *executorWithRunning) Signal(id string, signal int) error {
+	ch := e.exitChans[id]
+	ch <- struct{}{}
+	<-ch
+	e.m.HandleExitEvent(id)
+	return nil
+}
+
+func TestPluginAlreadyRunningOnStartup(t *testing.T) {
+	t.Parallel()
+
+	root, err := ioutil.TempDir("", t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer system.EnsureRemoveAll(root)
+
+	for _, test := range []struct {
+		desc   string
+		config ManagerConfig
+	}{
+		{
+			desc: "live-restore-disabled",
+			config: ManagerConfig{
+				LogPluginEvent: func(_, _, _ string) {},
+			},
+		},
+		{
+			desc: "live-restore-enabled",
+			config: ManagerConfig{
+				LogPluginEvent:     func(_, _, _ string) {},
+				LiveRestoreEnabled: true,
+			},
+		},
+	} {
+		t.Run(test.desc, func(t *testing.T) {
+			config := test.config
+			desc := test.desc
+			t.Parallel()
+
+			p := newTestPlugin(t, desc, desc, config.Root)
+			p.PluginObj.Enabled = true
+
+			// Need a short-ish path here so we don't run into unix socket path length issues.
+			config.ExecRoot, err = ioutil.TempDir("", "plugintest")
+
+			executor := &executorWithRunning{root: config.ExecRoot}
+			config.CreateExecutor = func(m *Manager) (Executor, error) { executor.m = m; return executor, nil }
+
+			if err := executor.Create(p.GetID(), specs.Spec{}, nil, nil); err != nil {
+				t.Fatal(err)
+			}
+
+			root := filepath.Join(root, desc)
+			config.Root = filepath.Join(root, "manager")
+			if err := os.MkdirAll(filepath.Join(config.Root, p.GetID()), 0755); err != nil {
+				t.Fatal(err)
+			}
+
+			if !p.IsEnabled() {
+				t.Fatal("plugin should be enabled")
+			}
+			if err := (&Manager{config: config}).save(p); err != nil {
+				t.Fatal(err)
+			}
+
+			s := NewStore()
+			config.Store = s
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer system.EnsureRemoveAll(config.ExecRoot)
+
+			m, err := NewManager(config)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer m.Shutdown()
+
+			p = s.GetAll()[p.GetID()] // refresh `p` with what the manager knows
+			if p.Client() == nil {
+				t.Fatal("plugin client should not be nil")
+			}
+		})
+	}
+}
+
+func listenTestPlugin(sockAddr string, exit chan struct{}) (net.Listener, error) {
+	if err := os.MkdirAll(filepath.Dir(sockAddr), 0755); err != nil {
+		return nil, err
+	}
+	l, err := net.Listen("unix", sockAddr)
+	if err != nil {
+		return nil, err
+	}
+	go func() {
+		for {
+			conn, err := l.Accept()
+			if err != nil {
+				return
+			}
+			conn.Close()
+		}
+	}()
+	go func() {
+		<-exit
+		l.Close()
+		os.Remove(sockAddr)
+		exit <- struct{}{}
+	}()
+	return l, nil
+}
diff --git a/engine/plugin/manager_test.go b/engine/plugin/manager_test.go
new file mode 100644
index 00000000..62ccf214
--- /dev/null
+++ b/engine/plugin/manager_test.go
@@ -0,0 +1,55 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types"
+)
+
+func TestValidatePrivileges(t *testing.T) {
+	testData := map[string]struct {
+		requiredPrivileges types.PluginPrivileges
+		privileges         types.PluginPrivileges
+		result             bool
+	}{
+		"diff-len": {
+			requiredPrivileges: []types.PluginPrivilege{
+				{Name: "Privilege1", Description: "Description", Value: []string{"abc", "def", "ghi"}},
+			},
+			privileges: []types.PluginPrivilege{
+				{Name: "Privilege1", Description: "Description", Value: []string{"abc", "def", "ghi"}},
+				{Name: "Privilege2", Description: "Description", Value: []string{"123", "456", "789"}},
+			},
+			result: false,
+		},
+		"diff-value": {
+			requiredPrivileges: []types.PluginPrivilege{
+				{Name: "Privilege1", Description: "Description", Value: []string{"abc", "def", "GHI"}},
+				{Name: "Privilege2", Description: "Description", Value: []string{"123", "456", "***"}},
+			},
+			privileges: []types.PluginPrivilege{
+				{Name: "Privilege1", Description: "Description", Value: []string{"abc", "def", "ghi"}},
+				{Name: "Privilege2", Description: "Description", Value: []string{"123", "456", "789"}},
+			},
+			result: false,
+		},
+		"diff-order-but-same-value": {
+			requiredPrivileges: []types.PluginPrivilege{
+				{Name: "Privilege1", Description: "Description", Value: []string{"abc", "def", "GHI"}},
+				{Name: "Privilege2", Description: "Description", Value: []string{"123", "456", "789"}},
+			},
+			privileges: []types.PluginPrivilege{
+				{Name: "Privilege2", Description: "Description", Value: []string{"123", "456", "789"}},
+				{Name: "Privilege1", Description: "Description", Value: []string{"GHI", "abc", "def"}},
+			},
+			result: true,
+		},
+	}
+
+	for key, data := range testData {
+		err := validatePrivileges(data.requiredPrivileges, data.privileges)
+		if (err == nil) != data.result {
+			t.Fatalf("Test item %s expected result to be %t, got %t", key, data.result, (err == nil))
+		}
+	}
+}
diff --git a/engine/plugin/manager_windows.go b/engine/plugin/manager_windows.go
new file mode 100644
index 00000000..90cc52c9
--- /dev/null
+++ b/engine/plugin/manager_windows.go
@@ -0,0 +1,28 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"fmt"
+
+	"github.com/docker/docker/plugin/v2"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func (pm *Manager) enable(p *v2.Plugin, c *controller, force bool) error {
+	return fmt.Errorf("Not implemented")
+}
+
+func (pm *Manager) initSpec(p *v2.Plugin) (*specs.Spec, error) {
+	return nil, fmt.Errorf("Not implemented")
+}
+
+func (pm *Manager) disable(p *v2.Plugin, c *controller) error {
+	return fmt.Errorf("Not implemented")
+}
+
+func (pm *Manager) restore(p *v2.Plugin, c *controller) error {
+	return fmt.Errorf("Not implemented")
+}
+
+// Shutdown plugins
+func (pm *Manager) Shutdown() {
+}
diff --git a/engine/plugin/store.go b/engine/plugin/store.go
new file mode 100644
index 00000000..8e96c11d
--- /dev/null
+++ b/engine/plugin/store.go
@@ -0,0 +1,291 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/docker/plugin/v2"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+/* allowV1PluginsFallback determines daemon's support for V1 plugins.
+ * When the time comes to remove support for V1 plugins, flipping
+ * this bool is all that will be needed.
+ */
+const allowV1PluginsFallback = true
+
+/* defaultAPIVersion is the version of the plugin API for volume, network,
+   IPAM and authz. This is a very stable API. When we update this API, then
+   pluginType should include a version. e.g. "networkdriver/2.0".
+*/
+const defaultAPIVersion = "1.0"
+
+// GetV2Plugin retrieves a plugin by name, id or partial ID.
+func (ps *Store) GetV2Plugin(refOrID string) (*v2.Plugin, error) {
+	ps.RLock()
+	defer ps.RUnlock()
+
+	id, err := ps.resolvePluginID(refOrID)
+	if err != nil {
+		return nil, err
+	}
+
+	p, idOk := ps.plugins[id]
+	if !idOk {
+		return nil, errors.WithStack(errNotFound(id))
+	}
+
+	return p, nil
+}
+
+// validateName returns error if name is already reserved. always call with lock and full name
+func (ps *Store) validateName(name string) error {
+	for _, p := range ps.plugins {
+		if p.Name() == name {
+			return alreadyExistsError(name)
+		}
+	}
+	return nil
+}
+
+// GetAll retrieves all plugins.
+func (ps *Store) GetAll() map[string]*v2.Plugin {
+	ps.RLock()
+	defer ps.RUnlock()
+	return ps.plugins
+}
+
+// SetAll initialized plugins during daemon restore.
+func (ps *Store) SetAll(plugins map[string]*v2.Plugin) {
+	ps.Lock()
+	defer ps.Unlock()
+
+	for _, p := range plugins {
+		ps.setSpecOpts(p)
+	}
+	ps.plugins = plugins
+}
+
+func (ps *Store) getAllByCap(capability string) []plugingetter.CompatPlugin {
+	ps.RLock()
+	defer ps.RUnlock()
+
+	result := make([]plugingetter.CompatPlugin, 0, 1)
+	for _, p := range ps.plugins {
+		if p.IsEnabled() {
+			if _, err := p.FilterByCap(capability); err == nil {
+				result = append(result, p)
+			}
+		}
+	}
+	return result
+}
+
+// SetState sets the active state of the plugin and updates plugindb.
+func (ps *Store) SetState(p *v2.Plugin, state bool) {
+	ps.Lock()
+	defer ps.Unlock()
+
+	p.PluginObj.Enabled = state
+}
+
+func (ps *Store) setSpecOpts(p *v2.Plugin) {
+	var specOpts []SpecOpt
+	for _, typ := range p.GetTypes() {
+		opts, ok := ps.specOpts[typ.String()]
+		if ok {
+			specOpts = append(specOpts, opts...)
+		}
+	}
+
+	p.SetSpecOptModifier(func(s *specs.Spec) {
+		for _, o := range specOpts {
+			o(s)
+		}
+	})
+}
+
+// Add adds a plugin to memory and plugindb.
+// An error will be returned if there is a collision.
+func (ps *Store) Add(p *v2.Plugin) error {
+	ps.Lock()
+	defer ps.Unlock()
+
+	if v, exist := ps.plugins[p.GetID()]; exist {
+		return fmt.Errorf("plugin %q has the same ID %s as %q", p.Name(), p.GetID(), v.Name())
+	}
+
+	ps.setSpecOpts(p)
+
+	ps.plugins[p.GetID()] = p
+	return nil
+}
+
+// Remove removes a plugin from memory and plugindb.
+func (ps *Store) Remove(p *v2.Plugin) {
+	ps.Lock()
+	delete(ps.plugins, p.GetID())
+	ps.Unlock()
+}
+
+// Get returns an enabled plugin matching the given name and capability.
+func (ps *Store) Get(name, capability string, mode int) (plugingetter.CompatPlugin, error) {
+	// Lookup using new model.
+	if ps != nil {
+		p, err := ps.GetV2Plugin(name)
+		if err == nil {
+			if p.IsEnabled() {
+				fp, err := p.FilterByCap(capability)
+				if err != nil {
+					return nil, err
+				}
+				p.AddRefCount(mode)
+				return fp, nil
+			}
+
+			// Plugin was found but it is disabled, so we should not fall back to legacy plugins
+			// but we should error out right away
+			return nil, errDisabled(name)
+		}
+		if _, ok := errors.Cause(err).(errNotFound); !ok {
+			return nil, err
+		}
+	}
+
+	if !allowV1PluginsFallback {
+		return nil, errNotFound(name)
+	}
+
+	p, err := plugins.Get(name, capability)
+	if err == nil {
+		return p, nil
+	}
+	if errors.Cause(err) == plugins.ErrNotFound {
+		return nil, errNotFound(name)
+	}
+	return nil, errors.Wrap(errdefs.System(err), "legacy plugin")
+}
+
+// GetAllManagedPluginsByCap returns a list of managed plugins matching the given capability.
+func (ps *Store) GetAllManagedPluginsByCap(capability string) []plugingetter.CompatPlugin {
+	return ps.getAllByCap(capability)
+}
+
+// GetAllByCap returns a list of enabled plugins matching the given capability.
+func (ps *Store) GetAllByCap(capability string) ([]plugingetter.CompatPlugin, error) {
+	result := make([]plugingetter.CompatPlugin, 0, 1)
+
+	/* Daemon start always calls plugin.Init thereby initializing a store.
+	 * So store on experimental builds can never be nil, even while
+	 * handling legacy plugins. However, there are legacy plugin unit
+	 * tests where the volume subsystem directly talks with the plugin,
+	 * bypassing the daemon. For such tests, this check is necessary.
+	 */
+	if ps != nil {
+		ps.RLock()
+		result = ps.getAllByCap(capability)
+		ps.RUnlock()
+	}
+
+	// Lookup with legacy model
+	if allowV1PluginsFallback {
+		pl, err := plugins.GetAll(capability)
+		if err != nil {
+			return nil, errors.Wrap(errdefs.System(err), "legacy plugin")
+		}
+		for _, p := range pl {
+			result = append(result, p)
+		}
+	}
+	return result, nil
+}
+
+func pluginType(cap string) string {
+	return fmt.Sprintf("docker.%s/%s", strings.ToLower(cap), defaultAPIVersion)
+}
+
+// Handle sets a callback for a given capability. It is only used by network
+// and ipam drivers during plugin registration. The callback registers the
+// driver with the subsystem (network, ipam).
+func (ps *Store) Handle(capability string, callback func(string, *plugins.Client)) {
+	typ := pluginType(capability)
+
+	// Register callback with new plugin model.
+	ps.Lock()
+	handlers, ok := ps.handlers[typ]
+	if !ok {
+		handlers = []func(string, *plugins.Client){}
+	}
+	handlers = append(handlers, callback)
+	ps.handlers[typ] = handlers
+	ps.Unlock()
+
+	// Register callback with legacy plugin model.
+	if allowV1PluginsFallback {
+		plugins.Handle(capability, callback)
+	}
+}
+
+// RegisterRuntimeOpt stores a list of SpecOpts for the provided capability.
+// These options are applied to the runtime spec before a plugin is started for the specified capability.
+func (ps *Store) RegisterRuntimeOpt(cap string, opts ...SpecOpt) {
+	ps.Lock()
+	defer ps.Unlock()
+	typ := pluginType(cap)
+	ps.specOpts[typ] = append(ps.specOpts[typ], opts...)
+}
+
+// CallHandler calls the registered callback. It is invoked during plugin enable.
+func (ps *Store) CallHandler(p *v2.Plugin) {
+	for _, typ := range p.GetTypes() {
+		for _, handler := range ps.handlers[typ.String()] {
+			handler(p.Name(), p.Client())
+		}
+	}
+}
+
+func (ps *Store) resolvePluginID(idOrName string) (string, error) {
+	ps.RLock() // todo: fix
+	defer ps.RUnlock()
+
+	if validFullID.MatchString(idOrName) {
+		return idOrName, nil
+	}
+
+	ref, err := reference.ParseNormalizedNamed(idOrName)
+	if err != nil {
+		return "", errors.WithStack(errNotFound(idOrName))
+	}
+	if _, ok := ref.(reference.Canonical); ok {
+		logrus.Warnf("canonical references cannot be resolved: %v", reference.FamiliarString(ref))
+		return "", errors.WithStack(errNotFound(idOrName))
+	}
+
+	ref = reference.TagNameOnly(ref)
+
+	for _, p := range ps.plugins {
+		if p.PluginObj.Name == reference.FamiliarString(ref) {
+			return p.PluginObj.ID, nil
+		}
+	}
+
+	var found *v2.Plugin
+	for id, p := range ps.plugins { // this can be optimized
+		if strings.HasPrefix(id, idOrName) {
+			if found != nil {
+				return "", errors.WithStack(errAmbiguous(idOrName))
+			}
+			found = p
+		}
+	}
+	if found == nil {
+		return "", errors.WithStack(errNotFound(idOrName))
+	}
+	return found.PluginObj.ID, nil
+}
diff --git a/engine/plugin/store_test.go b/engine/plugin/store_test.go
new file mode 100644
index 00000000..14b484f7
--- /dev/null
+++ b/engine/plugin/store_test.go
@@ -0,0 +1,64 @@
+package plugin // import "github.com/docker/docker/plugin"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/plugin/v2"
+)
+
+func TestFilterByCapNeg(t *testing.T) {
+	p := v2.Plugin{PluginObj: types.Plugin{Name: "test:latest"}}
+	iType := types.PluginInterfaceType{Capability: "volumedriver", Prefix: "docker", Version: "1.0"}
+	i := types.PluginConfigInterface{Socket: "plugins.sock", Types: []types.PluginInterfaceType{iType}}
+	p.PluginObj.Config.Interface = i
+
+	_, err := p.FilterByCap("foobar")
+	if err == nil {
+		t.Fatalf("expected inadequate error, got %v", err)
+	}
+}
+
+func TestFilterByCapPos(t *testing.T) {
+	p := v2.Plugin{PluginObj: types.Plugin{Name: "test:latest"}}
+
+	iType := types.PluginInterfaceType{Capability: "volumedriver", Prefix: "docker", Version: "1.0"}
+	i := types.PluginConfigInterface{Socket: "plugins.sock", Types: []types.PluginInterfaceType{iType}}
+	p.PluginObj.Config.Interface = i
+
+	_, err := p.FilterByCap("volumedriver")
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+}
+
+func TestStoreGetPluginNotMatchCapRefs(t *testing.T) {
+	s := NewStore()
+	p := v2.Plugin{PluginObj: types.Plugin{Name: "test:latest"}}
+
+	iType := types.PluginInterfaceType{Capability: "whatever", Prefix: "docker", Version: "1.0"}
+	i := types.PluginConfigInterface{Socket: "plugins.sock", Types: []types.PluginInterfaceType{iType}}
+	p.PluginObj.Config.Interface = i
+
+	if err := s.Add(&p); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := s.Get("test", "volumedriver", plugingetter.Acquire); err == nil {
+		t.Fatal("exepcted error when getting plugin that doesn't match the passed in capability")
+	}
+
+	if refs := p.GetRefCount(); refs != 0 {
+		t.Fatalf("reference count should be 0, got: %d", refs)
+	}
+
+	p.PluginObj.Enabled = true
+	if _, err := s.Get("test", "volumedriver", plugingetter.Acquire); err == nil {
+		t.Fatal("exepcted error when getting plugin that doesn't match the passed in capability")
+	}
+
+	if refs := p.GetRefCount(); refs != 0 {
+		t.Fatalf("reference count should be 0, got: %d", refs)
+	}
+}
diff --git a/engine/plugin/v2/plugin.go b/engine/plugin/v2/plugin.go
new file mode 100644
index 00000000..6852511c
--- /dev/null
+++ b/engine/plugin/v2/plugin.go
@@ -0,0 +1,311 @@
+package v2 // import "github.com/docker/docker/plugin/v2"
+
+import (
+	"fmt"
+	"net"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/opencontainers/go-digest"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// Plugin represents an individual plugin.
+type Plugin struct {
+	mu        sync.RWMutex
+	PluginObj types.Plugin `json:"plugin"` // todo: embed struct
+	pClient   *plugins.Client
+	refCount  int
+	Rootfs    string // TODO: make private
+
+	Config   digest.Digest
+	Blobsums []digest.Digest
+
+	modifyRuntimeSpec func(*specs.Spec)
+
+	SwarmServiceID string
+	timeout        time.Duration
+	addr           net.Addr
+}
+
+const defaultPluginRuntimeDestination = "/run/docker/plugins"
+
+// ErrInadequateCapability indicates that the plugin did not have the requested capability.
+type ErrInadequateCapability struct {
+	cap string
+}
+
+func (e ErrInadequateCapability) Error() string {
+	return fmt.Sprintf("plugin does not provide %q capability", e.cap)
+}
+
+// ScopedPath returns the path scoped to the plugin rootfs
+func (p *Plugin) ScopedPath(s string) string {
+	if p.PluginObj.Config.PropagatedMount != "" && strings.HasPrefix(s, p.PluginObj.Config.PropagatedMount) {
+		// re-scope to the propagated mount path on the host
+		return filepath.Join(filepath.Dir(p.Rootfs), "propagated-mount", strings.TrimPrefix(s, p.PluginObj.Config.PropagatedMount))
+	}
+	return filepath.Join(p.Rootfs, s)
+}
+
+// Client returns the plugin client.
+// Deprecated: use p.Addr() and manually create the client
+func (p *Plugin) Client() *plugins.Client {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	return p.pClient
+}
+
+// SetPClient set the plugin client.
+// Deprecated: Hardcoded plugin client is deprecated
+func (p *Plugin) SetPClient(client *plugins.Client) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	p.pClient = client
+}
+
+// IsV1 returns true for V1 plugins and false otherwise.
+func (p *Plugin) IsV1() bool {
+	return false
+}
+
+// Name returns the plugin name.
+func (p *Plugin) Name() string {
+	return p.PluginObj.Name
+}
+
+// FilterByCap query the plugin for a given capability.
+func (p *Plugin) FilterByCap(capability string) (*Plugin, error) {
+	capability = strings.ToLower(capability)
+	for _, typ := range p.PluginObj.Config.Interface.Types {
+		if typ.Capability == capability && typ.Prefix == "docker" {
+			return p, nil
+		}
+	}
+	return nil, ErrInadequateCapability{capability}
+}
+
+// InitEmptySettings initializes empty settings for a plugin.
+func (p *Plugin) InitEmptySettings() {
+	p.PluginObj.Settings.Mounts = make([]types.PluginMount, len(p.PluginObj.Config.Mounts))
+	copy(p.PluginObj.Settings.Mounts, p.PluginObj.Config.Mounts)
+	p.PluginObj.Settings.Devices = make([]types.PluginDevice, len(p.PluginObj.Config.Linux.Devices))
+	copy(p.PluginObj.Settings.Devices, p.PluginObj.Config.Linux.Devices)
+	p.PluginObj.Settings.Env = make([]string, 0, len(p.PluginObj.Config.Env))
+	for _, env := range p.PluginObj.Config.Env {
+		if env.Value != nil {
+			p.PluginObj.Settings.Env = append(p.PluginObj.Settings.Env, fmt.Sprintf("%s=%s", env.Name, *env.Value))
+		}
+	}
+	p.PluginObj.Settings.Args = make([]string, len(p.PluginObj.Config.Args.Value))
+	copy(p.PluginObj.Settings.Args, p.PluginObj.Config.Args.Value)
+}
+
+// Set is used to pass arguments to the plugin.
+func (p *Plugin) Set(args []string) error {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if p.PluginObj.Enabled {
+		return fmt.Errorf("cannot set on an active plugin, disable plugin before setting")
+	}
+
+	sets, err := newSettables(args)
+	if err != nil {
+		return err
+	}
+
+	// TODO(vieux): lots of code duplication here, needs to be refactored.
+
+next:
+	for _, s := range sets {
+		// range over all the envs in the config
+		for _, env := range p.PluginObj.Config.Env {
+			// found the env in the config
+			if env.Name == s.name {
+				// is it settable ?
+				if ok, err := s.isSettable(allowedSettableFieldsEnv, env.Settable); err != nil {
+					return err
+				} else if !ok {
+					return fmt.Errorf("%q is not settable", s.prettyName())
+				}
+				// is it, so lets update the settings in memory
+				updateSettingsEnv(&p.PluginObj.Settings.Env, &s)
+				continue next
+			}
+		}
+
+		// range over all the mounts in the config
+		for _, mount := range p.PluginObj.Config.Mounts {
+			// found the mount in the config
+			if mount.Name == s.name {
+				// is it settable ?
+				if ok, err := s.isSettable(allowedSettableFieldsMounts, mount.Settable); err != nil {
+					return err
+				} else if !ok {
+					return fmt.Errorf("%q is not settable", s.prettyName())
+				}
+
+				// it is, so lets update the settings in memory
+				if mount.Source == nil {
+					return fmt.Errorf("Plugin config has no mount source")
+				}
+				*mount.Source = s.value
+				continue next
+			}
+		}
+
+		// range over all the devices in the config
+		for _, device := range p.PluginObj.Config.Linux.Devices {
+			// found the device in the config
+			if device.Name == s.name {
+				// is it settable ?
+				if ok, err := s.isSettable(allowedSettableFieldsDevices, device.Settable); err != nil {
+					return err
+				} else if !ok {
+					return fmt.Errorf("%q is not settable", s.prettyName())
+				}
+
+				// it is, so lets update the settings in memory
+				if device.Path == nil {
+					return fmt.Errorf("Plugin config has no device path")
+				}
+				*device.Path = s.value
+				continue next
+			}
+		}
+
+		// found the name in the config
+		if p.PluginObj.Config.Args.Name == s.name {
+			// is it settable ?
+			if ok, err := s.isSettable(allowedSettableFieldsArgs, p.PluginObj.Config.Args.Settable); err != nil {
+				return err
+			} else if !ok {
+				return fmt.Errorf("%q is not settable", s.prettyName())
+			}
+
+			// it is, so lets update the settings in memory
+			p.PluginObj.Settings.Args = strings.Split(s.value, " ")
+			continue next
+		}
+
+		return fmt.Errorf("setting %q not found in the plugin configuration", s.name)
+	}
+
+	return nil
+}
+
+// IsEnabled returns the active state of the plugin.
+func (p *Plugin) IsEnabled() bool {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	return p.PluginObj.Enabled
+}
+
+// GetID returns the plugin's ID.
+func (p *Plugin) GetID() string {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	return p.PluginObj.ID
+}
+
+// GetSocket returns the plugin socket.
+func (p *Plugin) GetSocket() string {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	return p.PluginObj.Config.Interface.Socket
+}
+
+// GetTypes returns the interface types of a plugin.
+func (p *Plugin) GetTypes() []types.PluginInterfaceType {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	return p.PluginObj.Config.Interface.Types
+}
+
+// GetRefCount returns the reference count.
+func (p *Plugin) GetRefCount() int {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	return p.refCount
+}
+
+// AddRefCount adds to reference count.
+func (p *Plugin) AddRefCount(count int) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	p.refCount += count
+}
+
+// Acquire increments the plugin's reference count
+// This should be followed up by `Release()` when the plugin is no longer in use.
+func (p *Plugin) Acquire() {
+	p.AddRefCount(plugingetter.Acquire)
+}
+
+// Release decrements the plugin's reference count
+// This should only be called when the plugin is no longer in use, e.g. with
+// via `Acquire()` or getter.Get("name", "type", plugingetter.Acquire)
+func (p *Plugin) Release() {
+	p.AddRefCount(plugingetter.Release)
+}
+
+// SetSpecOptModifier sets the function to use to modify the generated
+// runtime spec.
+func (p *Plugin) SetSpecOptModifier(f func(*specs.Spec)) {
+	p.mu.Lock()
+	p.modifyRuntimeSpec = f
+	p.mu.Unlock()
+}
+
+// Timeout gets the currently configured connection timeout.
+// This should be used when dialing the plugin.
+func (p *Plugin) Timeout() time.Duration {
+	p.mu.RLock()
+	t := p.timeout
+	p.mu.RUnlock()
+	return t
+}
+
+// SetTimeout sets the timeout to use for dialing.
+func (p *Plugin) SetTimeout(t time.Duration) {
+	p.mu.Lock()
+	p.timeout = t
+	p.mu.Unlock()
+}
+
+// Addr returns the net.Addr to use to connect to the plugin socket
+func (p *Plugin) Addr() net.Addr {
+	p.mu.RLock()
+	addr := p.addr
+	p.mu.RUnlock()
+	return addr
+}
+
+// SetAddr sets the plugin address which can be used for dialing the plugin.
+func (p *Plugin) SetAddr(addr net.Addr) {
+	p.mu.Lock()
+	p.addr = addr
+	p.mu.Unlock()
+}
+
+// Protocol is the protocol that should be used for interacting with the plugin.
+func (p *Plugin) Protocol() string {
+	if p.PluginObj.Config.Interface.ProtocolScheme != "" {
+		return p.PluginObj.Config.Interface.ProtocolScheme
+	}
+	return plugins.ProtocolSchemeHTTPV1
+}
diff --git a/engine/plugin/v2/plugin_linux.go b/engine/plugin/v2/plugin_linux.go
new file mode 100644
index 00000000..58c432fc
--- /dev/null
+++ b/engine/plugin/v2/plugin_linux.go
@@ -0,0 +1,141 @@
+package v2 // import "github.com/docker/docker/plugin/v2"
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/oci"
+	"github.com/docker/docker/pkg/system"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+)
+
+// InitSpec creates an OCI spec from the plugin's config.
+func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
+	s := oci.DefaultSpec()
+
+	s.Root = &specs.Root{
+		Path:     p.Rootfs,
+		Readonly: false, // TODO: all plugins should be readonly? settable in config?
+	}
+
+	userMounts := make(map[string]struct{}, len(p.PluginObj.Settings.Mounts))
+	for _, m := range p.PluginObj.Settings.Mounts {
+		userMounts[m.Destination] = struct{}{}
+	}
+
+	execRoot = filepath.Join(execRoot, p.PluginObj.ID)
+	if err := os.MkdirAll(execRoot, 0700); err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	if p.PluginObj.Config.PropagatedMount != "" {
+		pRoot := filepath.Join(filepath.Dir(p.Rootfs), "propagated-mount")
+		s.Mounts = append(s.Mounts, specs.Mount{
+			Source:      pRoot,
+			Destination: p.PluginObj.Config.PropagatedMount,
+			Type:        "bind",
+			Options:     []string{"rbind", "rw", "rshared"},
+		})
+		s.Linux.RootfsPropagation = "rshared"
+	}
+
+	mounts := append(p.PluginObj.Config.Mounts, types.PluginMount{
+		Source:      &execRoot,
+		Destination: defaultPluginRuntimeDestination,
+		Type:        "bind",
+		Options:     []string{"rbind", "rshared"},
+	})
+
+	if p.PluginObj.Config.Network.Type != "" {
+		// TODO: if net == bridge, use libnetwork controller to create a new plugin-specific bridge, bind mount /etc/hosts and /etc/resolv.conf look at the docker code (allocateNetwork, initialize)
+		if p.PluginObj.Config.Network.Type == "host" {
+			oci.RemoveNamespace(&s, specs.LinuxNamespaceType("network"))
+		}
+		etcHosts := "/etc/hosts"
+		resolvConf := "/etc/resolv.conf"
+		mounts = append(mounts,
+			types.PluginMount{
+				Source:      &etcHosts,
+				Destination: etcHosts,
+				Type:        "bind",
+				Options:     []string{"rbind", "ro"},
+			},
+			types.PluginMount{
+				Source:      &resolvConf,
+				Destination: resolvConf,
+				Type:        "bind",
+				Options:     []string{"rbind", "ro"},
+			})
+	}
+	if p.PluginObj.Config.PidHost {
+		oci.RemoveNamespace(&s, specs.LinuxNamespaceType("pid"))
+	}
+
+	if p.PluginObj.Config.IpcHost {
+		oci.RemoveNamespace(&s, specs.LinuxNamespaceType("ipc"))
+	}
+
+	for _, mnt := range mounts {
+		m := specs.Mount{
+			Destination: mnt.Destination,
+			Type:        mnt.Type,
+			Options:     mnt.Options,
+		}
+		if mnt.Source == nil {
+			return nil, errors.New("mount source is not specified")
+		}
+		m.Source = *mnt.Source
+		s.Mounts = append(s.Mounts, m)
+	}
+
+	for i, m := range s.Mounts {
+		if strings.HasPrefix(m.Destination, "/dev/") {
+			if _, ok := userMounts[m.Destination]; ok {
+				s.Mounts = append(s.Mounts[:i], s.Mounts[i+1:]...)
+			}
+		}
+	}
+
+	if p.PluginObj.Config.Linux.AllowAllDevices {
+		s.Linux.Resources.Devices = []specs.LinuxDeviceCgroup{{Allow: true, Access: "rwm"}}
+	}
+	for _, dev := range p.PluginObj.Settings.Devices {
+		path := *dev.Path
+		d, dPermissions, err := oci.DevicesFromPath(path, path, "rwm")
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+		s.Linux.Devices = append(s.Linux.Devices, d...)
+		s.Linux.Resources.Devices = append(s.Linux.Resources.Devices, dPermissions...)
+	}
+
+	envs := make([]string, 1, len(p.PluginObj.Settings.Env)+1)
+	envs[0] = "PATH=" + system.DefaultPathEnv(runtime.GOOS)
+	envs = append(envs, p.PluginObj.Settings.Env...)
+
+	args := append(p.PluginObj.Config.Entrypoint, p.PluginObj.Settings.Args...)
+	cwd := p.PluginObj.Config.WorkDir
+	if len(cwd) == 0 {
+		cwd = "/"
+	}
+	s.Process.Terminal = false
+	s.Process.Args = args
+	s.Process.Cwd = cwd
+	s.Process.Env = envs
+
+	caps := s.Process.Capabilities
+	caps.Bounding = append(caps.Bounding, p.PluginObj.Config.Linux.Capabilities...)
+	caps.Permitted = append(caps.Permitted, p.PluginObj.Config.Linux.Capabilities...)
+	caps.Inheritable = append(caps.Inheritable, p.PluginObj.Config.Linux.Capabilities...)
+	caps.Effective = append(caps.Effective, p.PluginObj.Config.Linux.Capabilities...)
+
+	if p.modifyRuntimeSpec != nil {
+		p.modifyRuntimeSpec(&s)
+	}
+
+	return &s, nil
+}
diff --git a/engine/plugin/v2/plugin_unsupported.go b/engine/plugin/v2/plugin_unsupported.go
new file mode 100644
index 00000000..5242fe12
--- /dev/null
+++ b/engine/plugin/v2/plugin_unsupported.go
@@ -0,0 +1,14 @@
+// +build !linux
+
+package v2 // import "github.com/docker/docker/plugin/v2"
+
+import (
+	"errors"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// InitSpec creates an OCI spec from the plugin's config.
+func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
+	return nil, errors.New("not supported")
+}
diff --git a/engine/plugin/v2/settable.go b/engine/plugin/v2/settable.go
new file mode 100644
index 00000000..efda5647
--- /dev/null
+++ b/engine/plugin/v2/settable.go
@@ -0,0 +1,102 @@
+package v2 // import "github.com/docker/docker/plugin/v2"
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+)
+
+type settable struct {
+	name  string
+	field string
+	value string
+}
+
+var (
+	allowedSettableFieldsEnv     = []string{"value"}
+	allowedSettableFieldsArgs    = []string{"value"}
+	allowedSettableFieldsDevices = []string{"path"}
+	allowedSettableFieldsMounts  = []string{"source"}
+
+	errMultipleFields = errors.New("multiple fields are settable, one must be specified")
+	errInvalidFormat  = errors.New("invalid format, must be <name>[.<field>][=<value>]")
+)
+
+func newSettables(args []string) ([]settable, error) {
+	sets := make([]settable, 0, len(args))
+	for _, arg := range args {
+		set, err := newSettable(arg)
+		if err != nil {
+			return nil, err
+		}
+		sets = append(sets, set)
+	}
+	return sets, nil
+}
+
+func newSettable(arg string) (settable, error) {
+	var set settable
+	if i := strings.Index(arg, "="); i == 0 {
+		return set, errInvalidFormat
+	} else if i < 0 {
+		set.name = arg
+	} else {
+		set.name = arg[:i]
+		set.value = arg[i+1:]
+	}
+
+	if i := strings.LastIndex(set.name, "."); i > 0 {
+		set.field = set.name[i+1:]
+		set.name = arg[:i]
+	}
+
+	return set, nil
+}
+
+// prettyName return name.field if there is a field, otherwise name.
+func (set *settable) prettyName() string {
+	if set.field != "" {
+		return fmt.Sprintf("%s.%s", set.name, set.field)
+	}
+	return set.name
+}
+
+func (set *settable) isSettable(allowedSettableFields []string, settable []string) (bool, error) {
+	if set.field == "" {
+		if len(settable) == 1 {
+			// if field is not specified and there only one settable, default to it.
+			set.field = settable[0]
+		} else if len(settable) > 1 {
+			return false, errMultipleFields
+		}
+	}
+
+	isAllowed := false
+	for _, allowedSettableField := range allowedSettableFields {
+		if set.field == allowedSettableField {
+			isAllowed = true
+			break
+		}
+	}
+
+	if isAllowed {
+		for _, settableField := range settable {
+			if set.field == settableField {
+				return true, nil
+			}
+		}
+	}
+
+	return false, nil
+}
+
+func updateSettingsEnv(env *[]string, set *settable) {
+	for i, e := range *env {
+		if parts := strings.SplitN(e, "=", 2); parts[0] == set.name {
+			(*env)[i] = fmt.Sprintf("%s=%s", set.name, set.value)
+			return
+		}
+	}
+
+	*env = append(*env, fmt.Sprintf("%s=%s", set.name, set.value))
+}
diff --git a/engine/plugin/v2/settable_test.go b/engine/plugin/v2/settable_test.go
new file mode 100644
index 00000000..f2bb0a48
--- /dev/null
+++ b/engine/plugin/v2/settable_test.go
@@ -0,0 +1,91 @@
+package v2 // import "github.com/docker/docker/plugin/v2"
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestNewSettable(t *testing.T) {
+	contexts := []struct {
+		arg   string
+		name  string
+		field string
+		value string
+		err   error
+	}{
+		{"name=value", "name", "", "value", nil},
+		{"name", "name", "", "", nil},
+		{"name.field=value", "name", "field", "value", nil},
+		{"name.field", "name", "field", "", nil},
+		{"=value", "", "", "", errInvalidFormat},
+		{"=", "", "", "", errInvalidFormat},
+	}
+
+	for _, c := range contexts {
+		s, err := newSettable(c.arg)
+		if err != c.err {
+			t.Fatalf("expected error to be %v, got %v", c.err, err)
+		}
+
+		if s.name != c.name {
+			t.Fatalf("expected name to be %q, got %q", c.name, s.name)
+		}
+
+		if s.field != c.field {
+			t.Fatalf("expected field to be %q, got %q", c.field, s.field)
+		}
+
+		if s.value != c.value {
+			t.Fatalf("expected value to be %q, got %q", c.value, s.value)
+		}
+
+	}
+}
+
+func TestIsSettable(t *testing.T) {
+	contexts := []struct {
+		allowedSettableFields []string
+		set                   settable
+		settable              []string
+		result                bool
+		err                   error
+	}{
+		{allowedSettableFieldsEnv, settable{}, []string{}, false, nil},
+		{allowedSettableFieldsEnv, settable{field: "value"}, []string{}, false, nil},
+		{allowedSettableFieldsEnv, settable{}, []string{"value"}, true, nil},
+		{allowedSettableFieldsEnv, settable{field: "value"}, []string{"value"}, true, nil},
+		{allowedSettableFieldsEnv, settable{field: "foo"}, []string{"value"}, false, nil},
+		{allowedSettableFieldsEnv, settable{field: "foo"}, []string{"foo"}, false, nil},
+		{allowedSettableFieldsEnv, settable{}, []string{"value1", "value2"}, false, errMultipleFields},
+	}
+
+	for _, c := range contexts {
+		if res, err := c.set.isSettable(c.allowedSettableFields, c.settable); res != c.result {
+			t.Fatalf("expected result to be %t, got %t", c.result, res)
+		} else if err != c.err {
+			t.Fatalf("expected error to be %v, got %v", c.err, err)
+		}
+	}
+}
+
+func TestUpdateSettingsEnv(t *testing.T) {
+	contexts := []struct {
+		env    []string
+		set    settable
+		newEnv []string
+	}{
+		{[]string{}, settable{name: "DEBUG", value: "1"}, []string{"DEBUG=1"}},
+		{[]string{"DEBUG=0"}, settable{name: "DEBUG", value: "1"}, []string{"DEBUG=1"}},
+		{[]string{"FOO=0"}, settable{name: "DEBUG", value: "1"}, []string{"FOO=0", "DEBUG=1"}},
+		{[]string{"FOO=0", "DEBUG=0"}, settable{name: "DEBUG", value: "1"}, []string{"FOO=0", "DEBUG=1"}},
+		{[]string{"FOO=0", "DEBUG=0", "BAR=1"}, settable{name: "DEBUG", value: "1"}, []string{"FOO=0", "DEBUG=1", "BAR=1"}},
+	}
+
+	for _, c := range contexts {
+		updateSettingsEnv(&c.env, &c.set)
+
+		if !reflect.DeepEqual(c.env, c.newEnv) {
+			t.Fatalf("expected env to be %q, got %q", c.newEnv, c.env)
+		}
+	}
+}
diff --git a/engine/poule.yml b/engine/poule.yml
new file mode 100644
index 00000000..fe1cb3d1
--- /dev/null
+++ b/engine/poule.yml
@@ -0,0 +1,129 @@
+# Add a "status/0-triage" to every newly opened pull request.
+- triggers:
+      pull_request: [ opened ]
+  operations:
+      - type:       label
+        filters: {
+            ~labels: [ "status/0-triage", "status/1-design-review", "status/2-code-review", "status/3-docs-review", "status/4-merge" ],
+        }
+        settings: {
+            patterns: {
+                status/0-triage:     [ ".*" ],
+            }
+        }
+
+# For every newly created or modified issue, assign label based on matching regexp using the `label`
+# operation, as well as an Engine-specific version label using `version-label`.
+- triggers:
+      issues:       [ edited, opened, reopened ]
+  operations:
+      - type:       label
+        settings: {
+            patterns: {
+                area/builder:        [ "dockerfile", "docker build" ],
+                area/distribution:   [ "docker login", "docker logout", "docker pull", "docker push", "docker search" ],
+                area/plugins:        [ "docker plugin" ],
+                area/networking:     [ "docker network", "ipvs", "vxlan" ],
+                area/runtime:        [ "oci runtime error" ],
+                area/security/trust: [ "docker_content_trust" ],
+                area/swarm:          [ "docker node", "docker swarm", "docker service create", "docker service inspect", "docker service logs", "docker service ls", "docker service ps", "docker service rm", "docker service scale", "docker service update" ],
+                platform/desktop:    [ "docker for mac", "docker for windows" ],
+                platform/freebsd:    [ "freebsd" ],
+                platform/windows:    [ "nanoserver", "windowsservercore", "windows server" ],
+                platform/arm:        [ "raspberry", "raspbian", "rpi", "beaglebone", "pine64" ],
+            }
+        }
+      - type:       version-label
+
+# Labeling a PR with `rebuild/<configuration>` triggers a rebuild job for the associated
+# configuration. The label is automatically removed after the rebuild is initiated. There's no such
+# thing as "templating" in this configuration, so we need one operation for each type of
+# configuration that can be triggered.
+- triggers:
+      pull_request: [ labeled ]
+  operations:
+      - type:       rebuild
+        settings: {
+            # When configurations are empty, the `rebuild` operation rebuilds all the currently
+            # known statuses for that pull request.
+            configurations: [],
+            label:          "rebuild/*",
+        }
+      - type:       rebuild
+        settings: {
+            configurations: [ arm ],
+            label:          "rebuild/arm",
+        }
+      - type:       rebuild
+        settings: {
+            configurations: [ experimental ],
+            label:          "rebuild/experimental",
+        }
+      - type:       rebuild
+        settings: {
+            configurations: [ janky ],
+            label:          "rebuild/janky",
+        }
+      - type:       rebuild
+        settings: {
+            configurations: [ powerpc ],
+            label:          "rebuild/powerpc",
+        }
+      - type:       rebuild
+        settings: {
+            configurations: [ userns ],
+            label:          "rebuild/userns",
+        }
+      - type:       rebuild
+        settings: {
+            configurations: [ vendor ],
+            label:          "rebuild/vendor",
+        }
+      - type:       rebuild
+        settings: {
+            configurations: [ win2lin ],
+            label:          "rebuild/win2lin",
+        }
+      - type:       rebuild
+        settings: {
+            configurations: [ windowsRS1 ],
+            label:          "rebuild/windowsRS1",
+        }
+      - type:       rebuild
+        settings: {
+            configurations: [ z ],
+            label:          "rebuild/z",
+        }
+
+# Once a day, randomly assign pull requests older than 2 weeks.
+- schedule:         "@daily"
+  operations:
+      - type:       random-assign
+        filters: {
+            age:    "2w",
+            is:     "pr",
+        }
+        settings: {
+            users: [
+                "aaronlehmann",
+                "akihirosuda",
+                "coolljt0725",
+                "cpuguy83",
+                "crosbymichael",
+                "dnephin",
+                "duglin",
+                "fntlnz",
+                "johnstep",
+                "justincormack",
+                "mhbauer",
+                "mlaventure",
+                "runcom",
+                "stevvooe",
+                "thajeztah",
+                "tiborvass",
+                "tonistiigi",
+                "vdemeester",
+                "vieux",
+                "yongtang",
+            ]
+        }
diff --git a/engine/profiles/apparmor/apparmor.go b/engine/profiles/apparmor/apparmor.go
new file mode 100644
index 00000000..b021668c
--- /dev/null
+++ b/engine/profiles/apparmor/apparmor.go
@@ -0,0 +1,114 @@
+// +build linux
+
+package apparmor // import "github.com/docker/docker/profiles/apparmor"
+
+import (
+	"bufio"
+	"io"
+	"io/ioutil"
+	"os"
+	"path"
+	"strings"
+	"text/template"
+
+	"github.com/docker/docker/pkg/aaparser"
+)
+
+var (
+	// profileDirectory is the file store for apparmor profiles and macros.
+	profileDirectory = "/etc/apparmor.d"
+)
+
+// profileData holds information about the given profile for generation.
+type profileData struct {
+	// Name is profile name.
+	Name string
+	// Imports defines the apparmor functions to import, before defining the profile.
+	Imports []string
+	// InnerImports defines the apparmor functions to import in the profile.
+	InnerImports []string
+	// Version is the {major, minor, patch} version of apparmor_parser as a single number.
+	Version int
+}
+
+// generateDefault creates an apparmor profile from ProfileData.
+func (p *profileData) generateDefault(out io.Writer) error {
+	compiled, err := template.New("apparmor_profile").Parse(baseTemplate)
+	if err != nil {
+		return err
+	}
+
+	if macroExists("tunables/global") {
+		p.Imports = append(p.Imports, "#include <tunables/global>")
+	} else {
+		p.Imports = append(p.Imports, "@{PROC}=/proc/")
+	}
+
+	if macroExists("abstractions/base") {
+		p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
+	}
+
+	ver, err := aaparser.GetVersion()
+	if err != nil {
+		return err
+	}
+	p.Version = ver
+
+	return compiled.Execute(out, p)
+}
+
+// macrosExists checks if the passed macro exists.
+func macroExists(m string) bool {
+	_, err := os.Stat(path.Join(profileDirectory, m))
+	return err == nil
+}
+
+// InstallDefault generates a default profile in a temp directory determined by
+// os.TempDir(), then loads the profile into the kernel using 'apparmor_parser'.
+func InstallDefault(name string) error {
+	p := profileData{
+		Name: name,
+	}
+
+	// Install to a temporary directory.
+	f, err := ioutil.TempFile("", name)
+	if err != nil {
+		return err
+	}
+	profilePath := f.Name()
+
+	defer f.Close()
+	defer os.Remove(profilePath)
+
+	if err := p.generateDefault(f); err != nil {
+		return err
+	}
+
+	return aaparser.LoadProfile(profilePath)
+}
+
+// IsLoaded checks if a profile with the given name has been loaded into the
+// kernel.
+func IsLoaded(name string) (bool, error) {
+	file, err := os.Open("/sys/kernel/security/apparmor/profiles")
+	if err != nil {
+		return false, err
+	}
+	defer file.Close()
+
+	r := bufio.NewReader(file)
+	for {
+		p, err := r.ReadString('\n')
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return false, err
+		}
+		if strings.HasPrefix(p, name+" ") {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
diff --git a/engine/profiles/apparmor/template.go b/engine/profiles/apparmor/template.go
new file mode 100644
index 00000000..c00a3f70
--- /dev/null
+++ b/engine/profiles/apparmor/template.go
@@ -0,0 +1,44 @@
+// +build linux
+
+package apparmor // import "github.com/docker/docker/profiles/apparmor"
+
+// baseTemplate defines the default apparmor profile for containers.
+const baseTemplate = `
+{{range $value := .Imports}}
+{{$value}}
+{{end}}
+
+profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
+{{range $value := .InnerImports}}
+  {{$value}}
+{{end}}
+
+  network,
+  capability,
+  file,
+  umount,
+
+  deny @{PROC}/* w,   # deny write for all files directly in /proc (not in a subdir)
+  # deny write to files not in /proc/<number>/** or /proc/sys/**
+  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+  deny @{PROC}/sys/[^k]** w,  # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+  deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,  # deny everything except shm* in /proc/sys/kernel/
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/kcore rwklx,
+
+  deny mount,
+
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+  deny /sys/firmware/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+
+{{if ge .Version 208095}}
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer={{.Name}},
+{{end}}
+}
+`
diff --git a/engine/profiles/seccomp/default.json b/engine/profiles/seccomp/default.json
new file mode 100755
index 00000000..5717c00c
--- /dev/null
+++ b/engine/profiles/seccomp/default.json
@@ -0,0 +1,751 @@
+{
+	"defaultAction": "SCMP_ACT_ERRNO",
+	"archMap": [
+		{
+			"architecture": "SCMP_ARCH_X86_64",
+			"subArchitectures": [
+				"SCMP_ARCH_X86",
+				"SCMP_ARCH_X32"
+			]
+		},
+		{
+			"architecture": "SCMP_ARCH_AARCH64",
+			"subArchitectures": [
+				"SCMP_ARCH_ARM"
+			]
+		},
+		{
+			"architecture": "SCMP_ARCH_MIPS64",
+			"subArchitectures": [
+				"SCMP_ARCH_MIPS",
+				"SCMP_ARCH_MIPS64N32"
+			]
+		},
+		{
+			"architecture": "SCMP_ARCH_MIPS64N32",
+			"subArchitectures": [
+				"SCMP_ARCH_MIPS",
+				"SCMP_ARCH_MIPS64"
+			]
+		},
+		{
+			"architecture": "SCMP_ARCH_MIPSEL64",
+			"subArchitectures": [
+				"SCMP_ARCH_MIPSEL",
+				"SCMP_ARCH_MIPSEL64N32"
+			]
+		},
+		{
+			"architecture": "SCMP_ARCH_MIPSEL64N32",
+			"subArchitectures": [
+				"SCMP_ARCH_MIPSEL",
+				"SCMP_ARCH_MIPSEL64"
+			]
+		},
+		{
+			"architecture": "SCMP_ARCH_S390X",
+			"subArchitectures": [
+				"SCMP_ARCH_S390"
+			]
+		}
+	],
+	"syscalls": [
+		{
+			"names": [
+				"accept",
+				"accept4",
+				"access",
+				"adjtimex",
+				"alarm",
+				"bind",
+				"brk",
+				"capget",
+				"capset",
+				"chdir",
+				"chmod",
+				"chown",
+				"chown32",
+				"clock_getres",
+				"clock_gettime",
+				"clock_nanosleep",
+				"close",
+				"connect",
+				"copy_file_range",
+				"creat",
+				"dup",
+				"dup2",
+				"dup3",
+				"epoll_create",
+				"epoll_create1",
+				"epoll_ctl",
+				"epoll_ctl_old",
+				"epoll_pwait",
+				"epoll_wait",
+				"epoll_wait_old",
+				"eventfd",
+				"eventfd2",
+				"execve",
+				"execveat",
+				"exit",
+				"exit_group",
+				"faccessat",
+				"fadvise64",
+				"fadvise64_64",
+				"fallocate",
+				"fanotify_mark",
+				"fchdir",
+				"fchmod",
+				"fchmodat",
+				"fchown",
+				"fchown32",
+				"fchownat",
+				"fcntl",
+				"fcntl64",
+				"fdatasync",
+				"fgetxattr",
+				"flistxattr",
+				"flock",
+				"fork",
+				"fremovexattr",
+				"fsetxattr",
+				"fstat",
+				"fstat64",
+				"fstatat64",
+				"fstatfs",
+				"fstatfs64",
+				"fsync",
+				"ftruncate",
+				"ftruncate64",
+				"futex",
+				"futimesat",
+				"getcpu",
+				"getcwd",
+				"getdents",
+				"getdents64",
+				"getegid",
+				"getegid32",
+				"geteuid",
+				"geteuid32",
+				"getgid",
+				"getgid32",
+				"getgroups",
+				"getgroups32",
+				"getitimer",
+				"getpeername",
+				"getpgid",
+				"getpgrp",
+				"getpid",
+				"getppid",
+				"getpriority",
+				"getrandom",
+				"getresgid",
+				"getresgid32",
+				"getresuid",
+				"getresuid32",
+				"getrlimit",
+				"get_robust_list",
+				"getrusage",
+				"getsid",
+				"getsockname",
+				"getsockopt",
+				"get_thread_area",
+				"gettid",
+				"gettimeofday",
+				"getuid",
+				"getuid32",
+				"getxattr",
+				"inotify_add_watch",
+				"inotify_init",
+				"inotify_init1",
+				"inotify_rm_watch",
+				"io_cancel",
+				"ioctl",
+				"io_destroy",
+				"io_getevents",
+				"ioprio_get",
+				"ioprio_set",
+				"io_setup",
+				"io_submit",
+				"ipc",
+				"kill",
+				"lchown",
+				"lchown32",
+				"lgetxattr",
+				"link",
+				"linkat",
+				"listen",
+				"listxattr",
+				"llistxattr",
+				"_llseek",
+				"lremovexattr",
+				"lseek",
+				"lsetxattr",
+				"lstat",
+				"lstat64",
+				"madvise",
+				"memfd_create",
+				"mincore",
+				"mkdir",
+				"mkdirat",
+				"mknod",
+				"mknodat",
+				"mlock",
+				"mlock2",
+				"mlockall",
+				"mmap",
+				"mmap2",
+				"mprotect",
+				"mq_getsetattr",
+				"mq_notify",
+				"mq_open",
+				"mq_timedreceive",
+				"mq_timedsend",
+				"mq_unlink",
+				"mremap",
+				"msgctl",
+				"msgget",
+				"msgrcv",
+				"msgsnd",
+				"msync",
+				"munlock",
+				"munlockall",
+				"munmap",
+				"nanosleep",
+				"newfstatat",
+				"_newselect",
+				"open",
+				"openat",
+				"pause",
+				"pipe",
+				"pipe2",
+				"poll",
+				"ppoll",
+				"prctl",
+				"pread64",
+				"preadv",
+				"preadv2",
+				"prlimit64",
+				"pselect6",
+				"pwrite64",
+				"pwritev",
+				"pwritev2",
+				"read",
+				"readahead",
+				"readlink",
+				"readlinkat",
+				"readv",
+				"recv",
+				"recvfrom",
+				"recvmmsg",
+				"recvmsg",
+				"remap_file_pages",
+				"removexattr",
+				"rename",
+				"renameat",
+				"renameat2",
+				"restart_syscall",
+				"rmdir",
+				"rt_sigaction",
+				"rt_sigpending",
+				"rt_sigprocmask",
+				"rt_sigqueueinfo",
+				"rt_sigreturn",
+				"rt_sigsuspend",
+				"rt_sigtimedwait",
+				"rt_tgsigqueueinfo",
+				"sched_getaffinity",
+				"sched_getattr",
+				"sched_getparam",
+				"sched_get_priority_max",
+				"sched_get_priority_min",
+				"sched_getscheduler",
+				"sched_rr_get_interval",
+				"sched_setaffinity",
+				"sched_setattr",
+				"sched_setparam",
+				"sched_setscheduler",
+				"sched_yield",
+				"seccomp",
+				"select",
+				"semctl",
+				"semget",
+				"semop",
+				"semtimedop",
+				"send",
+				"sendfile",
+				"sendfile64",
+				"sendmmsg",
+				"sendmsg",
+				"sendto",
+				"setfsgid",
+				"setfsgid32",
+				"setfsuid",
+				"setfsuid32",
+				"setgid",
+				"setgid32",
+				"setgroups",
+				"setgroups32",
+				"setitimer",
+				"setpgid",
+				"setpriority",
+				"setregid",
+				"setregid32",
+				"setresgid",
+				"setresgid32",
+				"setresuid",
+				"setresuid32",
+				"setreuid",
+				"setreuid32",
+				"setrlimit",
+				"set_robust_list",
+				"setsid",
+				"setsockopt",
+				"set_thread_area",
+				"set_tid_address",
+				"setuid",
+				"setuid32",
+				"setxattr",
+				"shmat",
+				"shmctl",
+				"shmdt",
+				"shmget",
+				"shutdown",
+				"sigaltstack",
+				"signalfd",
+				"signalfd4",
+				"sigreturn",
+				"socket",
+				"socketcall",
+				"socketpair",
+				"splice",
+				"stat",
+				"stat64",
+				"statfs",
+				"statfs64",
+				"statx",
+				"symlink",
+				"symlinkat",
+				"sync",
+				"sync_file_range",
+				"syncfs",
+				"sysinfo",
+				"syslog",
+				"tee",
+				"tgkill",
+				"time",
+				"timer_create",
+				"timer_delete",
+				"timerfd_create",
+				"timerfd_gettime",
+				"timerfd_settime",
+				"timer_getoverrun",
+				"timer_gettime",
+				"timer_settime",
+				"times",
+				"tkill",
+				"truncate",
+				"truncate64",
+				"ugetrlimit",
+				"umask",
+				"uname",
+				"unlink",
+				"unlinkat",
+				"utime",
+				"utimensat",
+				"utimes",
+				"vfork",
+				"vmsplice",
+				"wait4",
+				"waitid",
+				"waitpid",
+				"write",
+				"writev"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"personality"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [
+				{
+					"index": 0,
+					"value": 0,
+					"valueTwo": 0,
+					"op": "SCMP_CMP_EQ"
+				}
+			],
+			"comment": "",
+			"includes": {},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"personality"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [
+				{
+					"index": 0,
+					"value": 8,
+					"valueTwo": 0,
+					"op": "SCMP_CMP_EQ"
+				}
+			],
+			"comment": "",
+			"includes": {},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"personality"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [
+				{
+					"index": 0,
+					"value": 131072,
+					"valueTwo": 0,
+					"op": "SCMP_CMP_EQ"
+				}
+			],
+			"comment": "",
+			"includes": {},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"personality"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [
+				{
+					"index": 0,
+					"value": 131080,
+					"valueTwo": 0,
+					"op": "SCMP_CMP_EQ"
+				}
+			],
+			"comment": "",
+			"includes": {},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"personality"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [
+				{
+					"index": 0,
+					"value": 4294967295,
+					"valueTwo": 0,
+					"op": "SCMP_CMP_EQ"
+				}
+			],
+			"comment": "",
+			"includes": {},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"sync_file_range2"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"arches": [
+					"ppc64le"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"arm_fadvise64_64",
+				"arm_sync_file_range",
+				"sync_file_range2",
+				"breakpoint",
+				"cacheflush",
+				"set_tls"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"arches": [
+					"arm",
+					"arm64"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"arch_prctl"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"arches": [
+					"amd64",
+					"x32"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"modify_ldt"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"arches": [
+					"amd64",
+					"x32",
+					"x86"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"s390_pci_mmio_read",
+				"s390_pci_mmio_write",
+				"s390_runtime_instr"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"arches": [
+					"s390",
+					"s390x"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"open_by_handle_at"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_DAC_READ_SEARCH"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"bpf",
+				"clone",
+				"fanotify_init",
+				"lookup_dcookie",
+				"mount",
+				"name_to_handle_at",
+				"perf_event_open",
+				"quotactl",
+				"setdomainname",
+				"sethostname",
+				"setns",
+				"umount",
+				"umount2",
+				"unshare"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_ADMIN"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"clone"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [
+				{
+					"index": 0,
+					"value": 2080505856,
+					"valueTwo": 0,
+					"op": "SCMP_CMP_MASKED_EQ"
+				}
+			],
+			"comment": "",
+			"includes": {},
+			"excludes": {
+				"caps": [
+					"CAP_SYS_ADMIN"
+				],
+				"arches": [
+					"s390",
+					"s390x"
+				]
+			}
+		},
+		{
+			"names": [
+				"clone"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [
+				{
+					"index": 1,
+					"value": 2080505856,
+					"valueTwo": 0,
+					"op": "SCMP_CMP_MASKED_EQ"
+				}
+			],
+			"comment": "s390 parameter ordering for clone is different",
+			"includes": {
+				"arches": [
+					"s390",
+					"s390x"
+				]
+			},
+			"excludes": {
+				"caps": [
+					"CAP_SYS_ADMIN"
+				]
+			}
+		},
+		{
+			"names": [
+				"reboot"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_BOOT"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"chroot"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_CHROOT"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"delete_module",
+				"init_module",
+				"finit_module",
+				"query_module"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_MODULE"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"acct"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_PACCT"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"kcmp",
+				"process_vm_readv",
+				"process_vm_writev",
+				"ptrace"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_PTRACE"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"iopl",
+				"ioperm"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_RAWIO"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"settimeofday",
+				"stime",
+				"clock_settime"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_TIME"
+				]
+			},
+			"excludes": {}
+		},
+		{
+			"names": [
+				"vhangup"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"args": [],
+			"comment": "",
+			"includes": {
+				"caps": [
+					"CAP_SYS_TTY_CONFIG"
+				]
+			},
+			"excludes": {}
+		}
+	]
+}
\ No newline at end of file
diff --git a/engine/profiles/seccomp/fixtures/example.json b/engine/profiles/seccomp/fixtures/example.json
new file mode 100755
index 00000000..674ca50f
--- /dev/null
+++ b/engine/profiles/seccomp/fixtures/example.json
@@ -0,0 +1,27 @@
+{
+    "defaultAction": "SCMP_ACT_ERRNO",
+    "syscalls": [
+        {
+            "name": "clone",
+            "action": "SCMP_ACT_ALLOW",
+            "args": [
+                {
+                    "index": 0,
+                    "value": 2080505856,
+                    "valueTwo": 0,
+                    "op": "SCMP_CMP_MASKED_EQ"
+                }
+            ]
+        },
+        {
+            "name": "open",
+            "action": "SCMP_ACT_ALLOW",
+            "args": []
+        },
+        {
+            "name": "close",
+            "action": "SCMP_ACT_ALLOW",
+            "args": []
+        }
+    ]
+}
diff --git a/engine/profiles/seccomp/generate.go b/engine/profiles/seccomp/generate.go
new file mode 100644
index 00000000..32f22bb3
--- /dev/null
+++ b/engine/profiles/seccomp/generate.go
@@ -0,0 +1,32 @@
+// +build ignore
+
+package main
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/docker/profiles/seccomp"
+)
+
+// saves the default seccomp profile as a json file so people can use it as a
+// base for their own custom profiles
+func main() {
+	wd, err := os.Getwd()
+	if err != nil {
+		panic(err)
+	}
+	f := filepath.Join(wd, "default.json")
+
+	// write the default profile to the file
+	b, err := json.MarshalIndent(seccomp.DefaultProfile(), "", "\t")
+	if err != nil {
+		panic(err)
+	}
+
+	if err := ioutil.WriteFile(f, b, 0644); err != nil {
+		panic(err)
+	}
+}
diff --git a/engine/profiles/seccomp/seccomp.go b/engine/profiles/seccomp/seccomp.go
new file mode 100644
index 00000000..4438670a
--- /dev/null
+++ b/engine/profiles/seccomp/seccomp.go
@@ -0,0 +1,160 @@
+// +build linux
+
+package seccomp // import "github.com/docker/docker/profiles/seccomp"
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"github.com/docker/docker/api/types"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	libseccomp "github.com/seccomp/libseccomp-golang"
+)
+
+//go:generate go run -tags 'seccomp' generate.go
+
+// GetDefaultProfile returns the default seccomp profile.
+func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+	return setupSeccomp(DefaultProfile(), rs)
+}
+
+// LoadProfile takes a json string and decodes the seccomp profile.
+func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+	var config types.Seccomp
+	if err := json.Unmarshal([]byte(body), &config); err != nil {
+		return nil, fmt.Errorf("Decoding seccomp profile failed: %v", err)
+	}
+	return setupSeccomp(&config, rs)
+}
+
+var nativeToSeccomp = map[string]types.Arch{
+	"amd64":       types.ArchX86_64,
+	"arm64":       types.ArchAARCH64,
+	"mips64":      types.ArchMIPS64,
+	"mips64n32":   types.ArchMIPS64N32,
+	"mipsel64":    types.ArchMIPSEL64,
+	"mipsel64n32": types.ArchMIPSEL64N32,
+	"s390x":       types.ArchS390X,
+}
+
+// inSlice tests whether a string is contained in a slice of strings or not.
+// Comparison is case sensitive
+func inSlice(slice []string, s string) bool {
+	for _, ss := range slice {
+		if s == ss {
+			return true
+		}
+	}
+	return false
+}
+
+func setupSeccomp(config *types.Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error) {
+	if config == nil {
+		return nil, nil
+	}
+
+	// No default action specified, no syscalls listed, assume seccomp disabled
+	if config.DefaultAction == "" && len(config.Syscalls) == 0 {
+		return nil, nil
+	}
+
+	newConfig := &specs.LinuxSeccomp{}
+
+	var arch string
+	var native, err = libseccomp.GetNativeArch()
+	if err == nil {
+		arch = native.String()
+	}
+
+	if len(config.Architectures) != 0 && len(config.ArchMap) != 0 {
+		return nil, errors.New("'architectures' and 'archMap' were specified in the seccomp profile, use either 'architectures' or 'archMap'")
+	}
+
+	// if config.Architectures == 0 then libseccomp will figure out the architecture to use
+	if len(config.Architectures) != 0 {
+		for _, a := range config.Architectures {
+			newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a))
+		}
+	}
+
+	if len(config.ArchMap) != 0 {
+		for _, a := range config.ArchMap {
+			seccompArch, ok := nativeToSeccomp[arch]
+			if ok {
+				if a.Arch == seccompArch {
+					newConfig.Architectures = append(newConfig.Architectures, specs.Arch(a.Arch))
+					for _, sa := range a.SubArches {
+						newConfig.Architectures = append(newConfig.Architectures, specs.Arch(sa))
+					}
+					break
+				}
+			}
+		}
+	}
+
+	newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
+
+Loop:
+	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
+	for _, call := range config.Syscalls {
+		if len(call.Excludes.Arches) > 0 {
+			if inSlice(call.Excludes.Arches, arch) {
+				continue Loop
+			}
+		}
+		if len(call.Excludes.Caps) > 0 {
+			for _, c := range call.Excludes.Caps {
+				if inSlice(rs.Process.Capabilities.Bounding, c) {
+					continue Loop
+				}
+			}
+		}
+		if len(call.Includes.Arches) > 0 {
+			if !inSlice(call.Includes.Arches, arch) {
+				continue Loop
+			}
+		}
+		if len(call.Includes.Caps) > 0 {
+			for _, c := range call.Includes.Caps {
+				if !inSlice(rs.Process.Capabilities.Bounding, c) {
+					continue Loop
+				}
+			}
+		}
+
+		if call.Name != "" && len(call.Names) != 0 {
+			return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
+		}
+
+		if call.Name != "" {
+			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
+		}
+
+		for _, n := range call.Names {
+			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
+		}
+	}
+
+	return newConfig, nil
+}
+
+func createSpecsSyscall(name string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
+	newCall := specs.LinuxSyscall{
+		Names:  []string{name},
+		Action: specs.LinuxSeccompAction(action),
+	}
+
+	// Loop through all the arguments of the syscall and convert them
+	for _, arg := range args {
+		newArg := specs.LinuxSeccompArg{
+			Index:    arg.Index,
+			Value:    arg.Value,
+			ValueTwo: arg.ValueTwo,
+			Op:       specs.LinuxSeccompOperator(arg.Op),
+		}
+
+		newCall.Args = append(newCall.Args, newArg)
+	}
+	return newCall
+}
diff --git a/engine/profiles/seccomp/seccomp_default.go b/engine/profiles/seccomp/seccomp_default.go
new file mode 100644
index 00000000..be29aa4f
--- /dev/null
+++ b/engine/profiles/seccomp/seccomp_default.go
@@ -0,0 +1,640 @@
+// +build linux,seccomp
+
+package seccomp // import "github.com/docker/docker/profiles/seccomp"
+
+import (
+	"github.com/docker/docker/api/types"
+	"golang.org/x/sys/unix"
+)
+
+func arches() []types.Architecture {
+	return []types.Architecture{
+		{
+			Arch:      types.ArchX86_64,
+			SubArches: []types.Arch{types.ArchX86, types.ArchX32},
+		},
+		{
+			Arch:      types.ArchAARCH64,
+			SubArches: []types.Arch{types.ArchARM},
+		},
+		{
+			Arch:      types.ArchMIPS64,
+			SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64N32},
+		},
+		{
+			Arch:      types.ArchMIPS64N32,
+			SubArches: []types.Arch{types.ArchMIPS, types.ArchMIPS64},
+		},
+		{
+			Arch:      types.ArchMIPSEL64,
+			SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64N32},
+		},
+		{
+			Arch:      types.ArchMIPSEL64N32,
+			SubArches: []types.Arch{types.ArchMIPSEL, types.ArchMIPSEL64},
+		},
+		{
+			Arch:      types.ArchS390X,
+			SubArches: []types.Arch{types.ArchS390},
+		},
+	}
+}
+
+// DefaultProfile defines the whitelist for the default seccomp profile.
+func DefaultProfile() *types.Seccomp {
+	syscalls := []*types.Syscall{
+		{
+			Names: []string{
+				"accept",
+				"accept4",
+				"access",
+				"adjtimex",
+				"alarm",
+				"bind",
+				"brk",
+				"capget",
+				"capset",
+				"chdir",
+				"chmod",
+				"chown",
+				"chown32",
+				"clock_getres",
+				"clock_gettime",
+				"clock_nanosleep",
+				"close",
+				"connect",
+				"copy_file_range",
+				"creat",
+				"dup",
+				"dup2",
+				"dup3",
+				"epoll_create",
+				"epoll_create1",
+				"epoll_ctl",
+				"epoll_ctl_old",
+				"epoll_pwait",
+				"epoll_wait",
+				"epoll_wait_old",
+				"eventfd",
+				"eventfd2",
+				"execve",
+				"execveat",
+				"exit",
+				"exit_group",
+				"faccessat",
+				"fadvise64",
+				"fadvise64_64",
+				"fallocate",
+				"fanotify_mark",
+				"fchdir",
+				"fchmod",
+				"fchmodat",
+				"fchown",
+				"fchown32",
+				"fchownat",
+				"fcntl",
+				"fcntl64",
+				"fdatasync",
+				"fgetxattr",
+				"flistxattr",
+				"flock",
+				"fork",
+				"fremovexattr",
+				"fsetxattr",
+				"fstat",
+				"fstat64",
+				"fstatat64",
+				"fstatfs",
+				"fstatfs64",
+				"fsync",
+				"ftruncate",
+				"ftruncate64",
+				"futex",
+				"futimesat",
+				"getcpu",
+				"getcwd",
+				"getdents",
+				"getdents64",
+				"getegid",
+				"getegid32",
+				"geteuid",
+				"geteuid32",
+				"getgid",
+				"getgid32",
+				"getgroups",
+				"getgroups32",
+				"getitimer",
+				"getpeername",
+				"getpgid",
+				"getpgrp",
+				"getpid",
+				"getppid",
+				"getpriority",
+				"getrandom",
+				"getresgid",
+				"getresgid32",
+				"getresuid",
+				"getresuid32",
+				"getrlimit",
+				"get_robust_list",
+				"getrusage",
+				"getsid",
+				"getsockname",
+				"getsockopt",
+				"get_thread_area",
+				"gettid",
+				"gettimeofday",
+				"getuid",
+				"getuid32",
+				"getxattr",
+				"inotify_add_watch",
+				"inotify_init",
+				"inotify_init1",
+				"inotify_rm_watch",
+				"io_cancel",
+				"ioctl",
+				"io_destroy",
+				"io_getevents",
+				"ioprio_get",
+				"ioprio_set",
+				"io_setup",
+				"io_submit",
+				"ipc",
+				"kill",
+				"lchown",
+				"lchown32",
+				"lgetxattr",
+				"link",
+				"linkat",
+				"listen",
+				"listxattr",
+				"llistxattr",
+				"_llseek",
+				"lremovexattr",
+				"lseek",
+				"lsetxattr",
+				"lstat",
+				"lstat64",
+				"madvise",
+				"memfd_create",
+				"mincore",
+				"mkdir",
+				"mkdirat",
+				"mknod",
+				"mknodat",
+				"mlock",
+				"mlock2",
+				"mlockall",
+				"mmap",
+				"mmap2",
+				"mprotect",
+				"mq_getsetattr",
+				"mq_notify",
+				"mq_open",
+				"mq_timedreceive",
+				"mq_timedsend",
+				"mq_unlink",
+				"mremap",
+				"msgctl",
+				"msgget",
+				"msgrcv",
+				"msgsnd",
+				"msync",
+				"munlock",
+				"munlockall",
+				"munmap",
+				"nanosleep",
+				"newfstatat",
+				"_newselect",
+				"open",
+				"openat",
+				"pause",
+				"pipe",
+				"pipe2",
+				"poll",
+				"ppoll",
+				"prctl",
+				"pread64",
+				"preadv",
+				"preadv2",
+				"prlimit64",
+				"pselect6",
+				"pwrite64",
+				"pwritev",
+				"pwritev2",
+				"read",
+				"readahead",
+				"readlink",
+				"readlinkat",
+				"readv",
+				"recv",
+				"recvfrom",
+				"recvmmsg",
+				"recvmsg",
+				"remap_file_pages",
+				"removexattr",
+				"rename",
+				"renameat",
+				"renameat2",
+				"restart_syscall",
+				"rmdir",
+				"rt_sigaction",
+				"rt_sigpending",
+				"rt_sigprocmask",
+				"rt_sigqueueinfo",
+				"rt_sigreturn",
+				"rt_sigsuspend",
+				"rt_sigtimedwait",
+				"rt_tgsigqueueinfo",
+				"sched_getaffinity",
+				"sched_getattr",
+				"sched_getparam",
+				"sched_get_priority_max",
+				"sched_get_priority_min",
+				"sched_getscheduler",
+				"sched_rr_get_interval",
+				"sched_setaffinity",
+				"sched_setattr",
+				"sched_setparam",
+				"sched_setscheduler",
+				"sched_yield",
+				"seccomp",
+				"select",
+				"semctl",
+				"semget",
+				"semop",
+				"semtimedop",
+				"send",
+				"sendfile",
+				"sendfile64",
+				"sendmmsg",
+				"sendmsg",
+				"sendto",
+				"setfsgid",
+				"setfsgid32",
+				"setfsuid",
+				"setfsuid32",
+				"setgid",
+				"setgid32",
+				"setgroups",
+				"setgroups32",
+				"setitimer",
+				"setpgid",
+				"setpriority",
+				"setregid",
+				"setregid32",
+				"setresgid",
+				"setresgid32",
+				"setresuid",
+				"setresuid32",
+				"setreuid",
+				"setreuid32",
+				"setrlimit",
+				"set_robust_list",
+				"setsid",
+				"setsockopt",
+				"set_thread_area",
+				"set_tid_address",
+				"setuid",
+				"setuid32",
+				"setxattr",
+				"shmat",
+				"shmctl",
+				"shmdt",
+				"shmget",
+				"shutdown",
+				"sigaltstack",
+				"signalfd",
+				"signalfd4",
+				"sigreturn",
+				"socket",
+				"socketcall",
+				"socketpair",
+				"splice",
+				"stat",
+				"stat64",
+				"statfs",
+				"statfs64",
+				"statx",
+				"symlink",
+				"symlinkat",
+				"sync",
+				"sync_file_range",
+				"syncfs",
+				"sysinfo",
+				"syslog",
+				"tee",
+				"tgkill",
+				"time",
+				"timer_create",
+				"timer_delete",
+				"timerfd_create",
+				"timerfd_gettime",
+				"timerfd_settime",
+				"timer_getoverrun",
+				"timer_gettime",
+				"timer_settime",
+				"times",
+				"tkill",
+				"truncate",
+				"truncate64",
+				"ugetrlimit",
+				"umask",
+				"uname",
+				"unlink",
+				"unlinkat",
+				"utime",
+				"utimensat",
+				"utimes",
+				"vfork",
+				"vmsplice",
+				"wait4",
+				"waitid",
+				"waitpid",
+				"write",
+				"writev",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
+		{
+			Names:  []string{"personality"},
+			Action: types.ActAllow,
+			Args: []*types.Arg{
+				{
+					Index: 0,
+					Value: 0x0,
+					Op:    types.OpEqualTo,
+				},
+			},
+		},
+		{
+			Names:  []string{"personality"},
+			Action: types.ActAllow,
+			Args: []*types.Arg{
+				{
+					Index: 0,
+					Value: 0x0008,
+					Op:    types.OpEqualTo,
+				},
+			},
+		},
+		{
+			Names:  []string{"personality"},
+			Action: types.ActAllow,
+			Args: []*types.Arg{
+				{
+					Index: 0,
+					Value: 0x20000,
+					Op:    types.OpEqualTo,
+				},
+			},
+		},
+		{
+			Names:  []string{"personality"},
+			Action: types.ActAllow,
+			Args: []*types.Arg{
+				{
+					Index: 0,
+					Value: 0x20008,
+					Op:    types.OpEqualTo,
+				},
+			},
+		},
+		{
+			Names:  []string{"personality"},
+			Action: types.ActAllow,
+			Args: []*types.Arg{
+				{
+					Index: 0,
+					Value: 0xffffffff,
+					Op:    types.OpEqualTo,
+				},
+			},
+		},
+		{
+			Names: []string{
+				"sync_file_range2",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Arches: []string{"ppc64le"},
+			},
+		},
+		{
+			Names: []string{
+				"arm_fadvise64_64",
+				"arm_sync_file_range",
+				"sync_file_range2",
+				"breakpoint",
+				"cacheflush",
+				"set_tls",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Arches: []string{"arm", "arm64"},
+			},
+		},
+		{
+			Names: []string{
+				"arch_prctl",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Arches: []string{"amd64", "x32"},
+			},
+		},
+		{
+			Names: []string{
+				"modify_ldt",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Arches: []string{"amd64", "x32", "x86"},
+			},
+		},
+		{
+			Names: []string{
+				"s390_pci_mmio_read",
+				"s390_pci_mmio_write",
+				"s390_runtime_instr",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Arches: []string{"s390", "s390x"},
+			},
+		},
+		{
+			Names: []string{
+				"open_by_handle_at",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_DAC_READ_SEARCH"},
+			},
+		},
+		{
+			Names: []string{
+				"bpf",
+				"clone",
+				"fanotify_init",
+				"lookup_dcookie",
+				"mount",
+				"name_to_handle_at",
+				"perf_event_open",
+				"quotactl",
+				"setdomainname",
+				"sethostname",
+				"setns",
+				"umount",
+				"umount2",
+				"unshare",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_ADMIN"},
+			},
+		},
+		{
+			Names: []string{
+				"clone",
+			},
+			Action: types.ActAllow,
+			Args: []*types.Arg{
+				{
+					Index:    0,
+					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+					ValueTwo: 0,
+					Op:       types.OpMaskedEqual,
+				},
+			},
+			Excludes: types.Filter{
+				Caps:   []string{"CAP_SYS_ADMIN"},
+				Arches: []string{"s390", "s390x"},
+			},
+		},
+		{
+			Names: []string{
+				"clone",
+			},
+			Action: types.ActAllow,
+			Args: []*types.Arg{
+				{
+					Index:    1,
+					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET,
+					ValueTwo: 0,
+					Op:       types.OpMaskedEqual,
+				},
+			},
+			Comment: "s390 parameter ordering for clone is different",
+			Includes: types.Filter{
+				Arches: []string{"s390", "s390x"},
+			},
+			Excludes: types.Filter{
+				Caps: []string{"CAP_SYS_ADMIN"},
+			},
+		},
+		{
+			Names: []string{
+				"reboot",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_BOOT"},
+			},
+		},
+		{
+			Names: []string{
+				"chroot",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_CHROOT"},
+			},
+		},
+		{
+			Names: []string{
+				"delete_module",
+				"init_module",
+				"finit_module",
+				"query_module",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_MODULE"},
+			},
+		},
+		{
+			Names: []string{
+				"acct",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_PACCT"},
+			},
+		},
+		{
+			Names: []string{
+				"kcmp",
+				"process_vm_readv",
+				"process_vm_writev",
+				"ptrace",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_PTRACE"},
+			},
+		},
+		{
+			Names: []string{
+				"iopl",
+				"ioperm",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_RAWIO"},
+			},
+		},
+		{
+			Names: []string{
+				"settimeofday",
+				"stime",
+				"clock_settime",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_TIME"},
+			},
+		},
+		{
+			Names: []string{
+				"vhangup",
+			},
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+			Includes: types.Filter{
+				Caps: []string{"CAP_SYS_TTY_CONFIG"},
+			},
+		},
+	}
+
+	return &types.Seccomp{
+		DefaultAction: types.ActErrno,
+		ArchMap:       arches(),
+		Syscalls:      syscalls,
+	}
+}
diff --git a/engine/profiles/seccomp/seccomp_test.go b/engine/profiles/seccomp/seccomp_test.go
new file mode 100644
index 00000000..b0b63ea8
--- /dev/null
+++ b/engine/profiles/seccomp/seccomp_test.go
@@ -0,0 +1,32 @@
+// +build linux
+
+package seccomp // import "github.com/docker/docker/profiles/seccomp"
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/docker/oci"
+)
+
+func TestLoadProfile(t *testing.T) {
+	f, err := ioutil.ReadFile("fixtures/example.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	rs := oci.DefaultSpec()
+	if _, err := LoadProfile(string(f), &rs); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestLoadDefaultProfile(t *testing.T) {
+	f, err := ioutil.ReadFile("default.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	rs := oci.DefaultSpec()
+	if _, err := LoadProfile(string(f), &rs); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/profiles/seccomp/seccomp_unsupported.go b/engine/profiles/seccomp/seccomp_unsupported.go
new file mode 100644
index 00000000..67e06401
--- /dev/null
+++ b/engine/profiles/seccomp/seccomp_unsupported.go
@@ -0,0 +1,12 @@
+// +build linux,!seccomp
+
+package seccomp // import "github.com/docker/docker/profiles/seccomp"
+
+import (
+	"github.com/docker/docker/api/types"
+)
+
+// DefaultProfile returns a nil pointer on unsupported systems.
+func DefaultProfile() *types.Seccomp {
+	return nil
+}
diff --git a/engine/project/ARM.md b/engine/project/ARM.md
new file mode 100644
index 00000000..c876231d
--- /dev/null
+++ b/engine/project/ARM.md
@@ -0,0 +1,45 @@
+# ARM support
+
+The ARM support should be considered experimental. It will be extended step by step in the coming weeks.
+
+Building a Docker Development Image works in the same fashion as for Intel platform (x86-64).
+Currently we have initial support for 32bit ARMv7 devices.
+
+To work with the Docker Development Image you have to clone the Docker/Docker repo on a supported device.
+It needs to have a Docker Engine installed to build the Docker Development Image.
+
+From the root of the Docker/Docker repo one can use make to execute the following make targets:
+- make validate
+- make binary
+- make build
+- make deb
+- make bundles
+- make default
+- make shell
+- make test-unit
+- make test-integration
+- make
+
+The Makefile does include logic to determine on which OS and architecture the Docker Development Image is built.
+Based on OS and architecture it chooses the correct Dockerfile.
+For the ARM 32bit architecture it uses `Dockerfile.armhf`.
+
+So for example in order to build a Docker binary one has to:
+1. clone the Docker/Docker repository on an ARM device `git clone https://github.com/docker/docker.git`  
+2. change into the checked out repository with `cd docker`  
+3. execute `make binary` to create a Docker Engine binary for ARM  
+
+## Kernel modules
+A few libnetwork integration tests require that the kernel be
+configured with "dummy" network interface and has the module
+loaded. However, the dummy module may be not loaded automatically.
+
+To load the kernel module permanently, run these commands as `root`.
+
+    modprobe dummy
+    echo "dummy" >> /etc/modules
+
+On some systems you also have to sync your kernel modules.
+
+    oc-sync-kernel-modules
+    depmod
diff --git a/engine/project/BRANCHES-AND-TAGS.md b/engine/project/BRANCHES-AND-TAGS.md
new file mode 100644
index 00000000..1c6f2325
--- /dev/null
+++ b/engine/project/BRANCHES-AND-TAGS.md
@@ -0,0 +1,35 @@
+Branches and tags
+=================
+
+Note: details of the release process for the Engine are documented in the
+[RELEASE-CHECKLIST](https://github.com/docker/docker/blob/master/project/RELEASE-CHECKLIST.md).
+
+# Branches
+
+The docker/docker repository should normally have only three living branches at all time, including
+the regular `master` branch:
+
+## `docs` branch
+
+The `docs` branch supports documentation updates between product releases. This branch allow us to
+decouple documentation releases from product releases.
+
+## `release` branch
+
+The `release` branch contains the last _released_ version of the code for the project.
+
+The `release` branch is only updated at each public release of the project. The mechanism for this
+is that the release is materialized by a pull request against the `release` branch which lives for
+the duration of the code freeze period. When this pull request is merged, the `release` branch gets
+updated, and its new state is tagged accordingly.
+
+# Tags
+
+Any public release of a compiled binary, with the logical exception of nightly builds, should have
+a corresponding tag in the repository.
+
+The general format of a tag is `vX.Y.Z[-suffix[N]]`:
+
+- All of `X`, `Y`, `Z` must be specified (example: `v1.0.0`)
+- First release candidate for version `1.8.0` should be tagged `v1.8.0-rc1`
+- Second alpha release of a product should be tagged `v1.0.0-alpha1`
diff --git a/engine/project/CONTRIBUTING.md b/engine/project/CONTRIBUTING.md
new file mode 120000
index 00000000..44fcc634
--- /dev/null
+++ b/engine/project/CONTRIBUTING.md
@@ -0,0 +1 @@
+../CONTRIBUTING.md
\ No newline at end of file
diff --git a/engine/project/GOVERNANCE.md b/engine/project/GOVERNANCE.md
new file mode 100644
index 00000000..4b52989a
--- /dev/null
+++ b/engine/project/GOVERNANCE.md
@@ -0,0 +1,120 @@
+# Moby project governance
+
+Moby projects are governed by the [Moby Technical Steering Committee (TSC)](https://github.com/moby/tsc).
+See the Moby TSC [charter](https://github.com/moby/tsc/blob/master/README.md) for
+further information on the role of the TSC and procedures for escalation
+of technical issues or concerns.
+
+Contact [any Moby TSC member](https://github.com/moby/tsc/blob/master/MEMBERS.md) with your questions/concerns about the governance or a specific technical 
+issue that you feel requires escalation.
+
+## Project maintainers
+
+The current maintainers of the moby/moby repository are listed in the
+[MAINTAINERS](/MAINTAINERS) file.
+
+There are different types of maintainers, with different responsibilities, but
+all maintainers have 3 things in common:
+
+ 1. They share responsibility in the project's success.
+ 2. They have made a long-term, recurring time investment to improve the project.
+ 3. They spend that time doing whatever needs to be done, not necessarily what is the most interesting or fun.
+
+Maintainers are often under-appreciated, because their work is less visible.
+It's easy to recognize a really cool and technically advanced feature. It's harder
+to appreciate the absence of bugs, the slow but steady improvement in stability,
+or the reliability of a release process. But those things distinguish a good
+project from a great one.
+
+### Adding maintainers
+
+Maintainers are first and foremost contributors who have shown their
+commitment to the long term success of a project. Contributors who want to
+become maintainers first demonstrate commitment to the project by contributing
+code, reviewing others' work, and triaging issues on a regular basis for at
+least three months.
+
+The contributions alone don't make you a maintainer. You need to earn the
+trust of the current maintainers and other project contributors, that your
+decisions and actions are in the best interest of the project.
+
+Periodically, the existing maintainers curate a list of contributors who have
+shown regular activity on the project over the prior months. From this
+list, maintainer candidates are selected and proposed on the maintainers
+mailing list.
+
+After a candidate is announced on the maintainers mailing list, the
+existing maintainers discuss the candidate over the next 5 business days,
+provide feedback, and vote. At least 66% of the current maintainers must
+vote in the affirmative.
+
+If a candidate is approved, a maintainer contacts the candidate to
+invite them to open a pull request that adds the contributor to
+the MAINTAINERS file. The candidate becomes a maintainer once the pull
+request is merged.
+
+### Removing maintainers
+
+Maintainers can be removed from the project, either at their own request
+or due to [project inactivity](#inactive-maintainer-policy).
+
+#### How to step down
+
+Life priorities, interests, and passions can change. If you're a maintainer but
+feel you must remove yourself from the list, inform other maintainers that you
+intend to step down, and if possible, help find someone to pick up your work.
+At the very least, ensure your work can be continued where you left off.
+
+After you've informed other maintainers, create a pull request to remove
+yourself from the MAINTAINERS file.
+
+#### Inactive maintainer policy
+
+An existing maintainer can be removed if they do not show significant activity
+on the project. Periodically, the maintainers review the list of maintainers
+and their activity over the last three months.
+
+If a maintainer has shown insufficient activity over this period, a project
+representative will contact the maintainer to ask if they want to continue
+being a maintainer. If the maintainer decides to step down as a maintainer,
+they open a pull request to be removed from the MAINTAINERS file.
+
+If the maintainer wants to continue in this role, but is unable to perform the
+required duties, they can be removed with a vote by at least 66% of the current
+maintainers. The maintainer under discussion will not be allowed to vote. An
+e-mail is sent to the mailing list, inviting maintainers of the project to
+vote. The voting period is five business days. Issues related to a maintainer's
+performance should be discussed with them among the other maintainers so that
+they are not surprised by a pull request removing them. This discussion should
+be handled objectively with no ad hominem attacks.
+
+## Project decision making
+
+Short answer: **Everything is a pull request**.
+
+The Moby core engine project is an open-source project with an open design
+philosophy. This means that the repository is the source of truth for **every**
+aspect of the project, including its philosophy, design, road map, and APIs.
+*If it's part of the project, it's in the repo. If it's in the repo, it's part
+of the project.*
+
+As a result, each decision can be expressed as a change to the repository. An
+implementation change is expressed as a change to the source code. An API
+change is a change to the API specification. A philosophy change is a change
+to the philosophy manifesto, and so on.
+
+All decisions affecting the moby/moby repository, both big and small, follow
+the same steps:
+
+ * **Step 1**: Open a pull request. Anyone can do this.
+
+ * **Step 2**: Discuss the pull request. Anyone can do this.
+
+ * **Step 3**: Maintainers merge, close or reject the pull request.
+
+Pull requests are reviewed by the current maintainers of the moby/moby
+repository. Weekly meetings are organized to are organized to synchronously
+discuss tricky PRs, as well as design and architecture decisions.. When
+technical agreement cannot be reached among the maintainers of the project,
+escalation or concerns can be raised by opening an issue to be handled
+by the [Moby Technical Steering Committee](https://github.com/moby/tsc).
diff --git a/engine/project/IRC-ADMINISTRATION.md b/engine/project/IRC-ADMINISTRATION.md
new file mode 100644
index 00000000..824a14bd
--- /dev/null
+++ b/engine/project/IRC-ADMINISTRATION.md
@@ -0,0 +1,37 @@
+# Freenode IRC Administration Guidelines and Tips
+
+This is not meant to be a general "Here's how to IRC" document, so if you're
+looking for that, check Google instead. ♥
+
+If you've been charged with helping maintain one of Docker's now many IRC
+channels, this might turn out to be useful.  If there's information that you
+wish you'd known about how a particular channel is organized, you should add
+deets here! :)
+
+## `ChanServ`
+
+Most channel maintenance happens by talking to Freenode's `ChanServ` bot.  For
+example, `/msg ChanServ ACCESS <channel> LIST` will show you a list of everyone
+with "access" privileges for a particular channel.
+
+A similar command is used to give someone a particular access level.  For
+example, to add a new maintainer to the `#docker-maintainers` access list so
+that they can contribute to the discussions (after they've been merged
+appropriately in a `MAINTAINERS` file, of course), one would use `/msg ChanServ
+ACCESS #docker-maintainers ADD <nick> maintainer`.
+
+To setup a new channel with a similar `maintainer` access template, use a
+command like `/msg ChanServ TEMPLATE <channel> maintainer +AV` (`+A` for letting
+them view the `ACCESS LIST`, `+V` for auto-voice; see `/msg ChanServ HELP FLAGS`
+for more details).
+
+## Troubleshooting
+
+The most common cause of not-getting-auto-`+v` woes is people not being
+`IDENTIFY`ed with `NickServ` (or their current nickname not being `GROUP`ed with
+their main nickname) -- often manifested by `ChanServ` responding to an `ACCESS
+ADD` request with something like `xyz is not registered.`.
+
+This is easily fixed by doing `/msg NickServ IDENTIFY OldNick SecretPassword`
+followed by `/msg NickServ GROUP` to group the two nicknames together.  See
+`/msg NickServ HELP GROUP` for more information.
diff --git a/engine/project/ISSUE-TRIAGE.md b/engine/project/ISSUE-TRIAGE.md
new file mode 100644
index 00000000..5ef2d317
--- /dev/null
+++ b/engine/project/ISSUE-TRIAGE.md
@@ -0,0 +1,132 @@
+Triaging of issues
+------------------
+
+Triage provides an important way to contribute to an open source project.  Triage helps ensure issues resolve quickly by:
+
+- Describing the issue's intent and purpose is conveyed precisely. This is necessary because it can be difficult for an issue to explain how an end user experiences a problem and what actions they took.
+- Giving a contributor the information they need before they commit to resolving an issue.
+- Lowering the issue count by preventing duplicate issues.
+- Streamlining the development process by preventing duplicate discussions.
+
+If you don't have time to code, consider helping with triage. The community will thank you for saving them time by spending some of yours.
+
+### 1. Ensure the issue contains basic information
+
+Before triaging an issue very far, make sure that the issue's author provided the standard issue information. This will help you make an educated recommendation on how this to categorize the issue. Standard information that *must* be included in most issues are things such as:
+
+-   the output of `docker version`
+-   the output of `docker info`
+-   the output of `uname -a`
+-   a reproducible case if this is a bug, Dockerfiles FTW
+-   host distribution and version ( ubuntu 14.04, RHEL, fedora 23 )
+-   page URL if this is a docs issue or the name of a man page
+
+Depending on the issue, you might not feel all this information is needed. Use your best judgement.  If you cannot triage an issue using what its author provided, explain kindly to the author that they must provide the above information to clarify the problem.
+
+If the author provides the standard information but you are still unable to triage the issue, request additional information. Do this kindly and politely because you are asking for more of the author's time.
+
+If the author does not respond requested information within the timespan of a week, close the issue with a kind note stating that the author can request for the issue to be
+reopened when the necessary information is provided.
+
+### 2. Classify the Issue
+
+An issue can have multiple of the following labels. Typically, a properly classified issue should
+have:
+
+- One label identifying its kind (`kind/*`).
+- One or multiple labels identifying the functional areas of interest (`area/*`).
+- Where applicable, one label categorizing its difficulty (`exp/*`).
+
+#### Issue kind
+
+| Kind             | Description                                                                                                                     |
+|------------------|---------------------------------------------------------------------------------------------------------------------------------|
+| kind/bug         | Bugs are bugs. The cause may or may not be known at triage time so debugging should be taken account into the time estimate.    |
+| kind/enhancement | Enhancements are not bugs or new features but can drastically improve usability or performance of a project component.           |
+| kind/feature     | Functionality or other elements that the project does not currently support.  Features are new and shiny.                       |
+| kind/question    | Contains a user or contributor question requiring a response.                                                                   |
+
+#### Functional area
+
+| Area                      |
+|---------------------------|
+| area/api                  |
+| area/builder              |
+| area/bundles              |
+| area/cli                  |
+| area/daemon               |
+| area/distribution         |
+| area/docs                 |
+| area/kernel               |
+| area/logging              |
+| area/networking           |
+| area/plugins              |
+| area/project              |
+| area/runtime              |
+| area/security             |
+| area/security/apparmor    |
+| area/security/seccomp     |
+| area/security/selinux     |
+| area/security/trust       |
+| area/storage              |
+| area/storage/aufs         |
+| area/storage/btrfs        |
+| area/storage/devicemapper |
+| area/storage/overlay      |
+| area/storage/zfs          |
+| area/swarm                |
+| area/testing              |
+| area/volumes              |
+
+#### Platform
+
+| Platform                  |
+|---------------------------|
+| platform/arm              |
+| platform/darwin           |
+| platform/ibm-power        |
+| platform/ibm-z            |
+| platform/windows          |
+
+#### Experience level
+
+Experience level is a way for a contributor to find an issue based on their
+skill set.  Experience types are applied to the issue or pull request using
+labels.
+
+| Level            | Experience level guideline                                                                                                                                                  |
+|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| exp/beginner     | New to Docker, and possibly Golang, and is looking to help while learning the basics.                                                                                       |
+| exp/intermediate | Comfortable with golang and understands the core concepts of Docker and looking to dive deeper into the project.                                                            |
+| exp/expert       | Proficient with Docker and Golang and has been following, and active in, the community to understand the rationale behind design decisions and where the project is headed. |
+
+As the table states, these labels are meant as guidelines. You might have
+written a whole plugin for Docker in a personal project and never contributed to
+Docker. With that kind of experience, you could take on an <strong
+class="gh-label expert">exp/expert</strong> level task.
+
+#### Triage status
+
+To communicate the triage status with other collaborators, you can apply status
+labels to issues. These labels prevent duplicating effort.
+
+| Status                        | Description                                                                                                                                                                 |
+|-------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| status/confirmed              | You triaged the issue, and were able to reproduce the issue. Always leave a comment how you reproduced, so that the person working on resolving the issue has a way to set up a test-case.
+| status/accepted               | Apply to enhancements / feature requests that we think are good to have. Adding this label helps contributors find things to work on.
+| status/more-info-needed       | Apply this to issues that are missing information (e.g. no `docker version` or `docker info` output, or no steps to reproduce), or require feedback from the reporter. If the issue is not updated after a week, it can generally be closed.
+| status/needs-attention        | Apply this label if an issue (or PR) needs more eyes.
+
+### 3. Prioritizing issue
+
+When, and only when, an issue is attached to a specific milestone, the issue can be labeled with the
+following labels to indicate their degree of priority (from more urgent to less urgent).
+
+| Priority    | Description                                                                                                                       |
+|-------------|-----------------------------------------------------------------------------------------------------------------------------------|
+| priority/P0 | Urgent: Security, critical bugs, blocking issues. P0 basically means drop everything you are doing until this issue is addressed. |
+| priority/P1 | Important: P1 issues are a top priority and a must-have for the next release.                                                     |
+| priority/P2 | Normal priority: default priority applied.                                                                                        |
+| priority/P3 | Best effort: those are nice to have / minor issues.                                                                               |
+
+And that's it. That should be all the information required for a new or existing contributor to come in a resolve an issue.
diff --git a/engine/project/PACKAGE-REPO-MAINTENANCE.md b/engine/project/PACKAGE-REPO-MAINTENANCE.md
new file mode 100644
index 00000000..458384a3
--- /dev/null
+++ b/engine/project/PACKAGE-REPO-MAINTENANCE.md
@@ -0,0 +1,74 @@
+# Apt & Yum Repository Maintenance
+## A maintainer's guide to managing Docker's package repos
+
+### How to clean up old experimental debs and rpms
+
+We release debs and rpms for experimental nightly, so these can build up.
+To remove old experimental debs and rpms, and _ONLY_ keep the latest, follow the
+steps below.
+
+1. Checkout docker master
+
+2. Run clean scripts
+
+```bash
+docker build --rm --force-rm -t docker-dev:master .
+docker run --rm -it --privileged \
+    -v /path/to/your/repos/dir:/volumes/repos \
+    -v $HOME/.gnupg:/root/.gnupg \
+    -e GPG_PASSPHRASE \
+    -e DOCKER_RELEASE_DIR=/volumes/repos \
+    docker-dev:master hack/make.sh clean-apt-repo clean-yum-repo generate-index-listing sign-repos
+```
+
+3. Upload the changed repos to `s3` (if you host on s3)
+
+4. Purge the cache, PURGE the cache, PURGE THE CACHE!
+
+### How to get out of a sticky situation
+
+Sh\*t happens. We know. Below are steps to get out of any "hash-sum mismatch" or
+"gpg sig error" or the likes error that might happen to the apt repo.
+
+**NOTE:** These are apt repo specific, have had no experience with anything similar
+happening to the yum repo in the past so you can rest easy.
+
+For each step listed below, move on to the next if the previous didn't work.
+Otherwise CELEBRATE!
+
+1. Purge the cache.
+
+2. Did you remember to sign the debs after releasing?
+
+Re-sign the repo with your gpg key:
+
+```bash
+docker build --rm --force-rm -t docker-dev:master .
+docker run --rm -it --privileged \
+    -v /path/to/your/repos/dir:/volumes/repos \
+    -v $HOME/.gnupg:/root/.gnupg \
+    -e GPG_PASSPHRASE \
+    -e DOCKER_RELEASE_DIR=/volumes/repos \
+    docker-dev:master hack/make.sh sign-repos
+```
+
+Upload the changed repo to `s3` (if that is where you host)
+
+PURGE THE CACHE.
+
+3. Run Jess' magical, save all, only in case of extreme emergencies, "you are
+going to have to break this glass to get it" script.
+
+```bash
+docker build --rm --force-rm -t docker-dev:master .
+docker run --rm -it --privileged \
+    -v /path/to/your/repos/dir:/volumes/repos \
+    -v $HOME/.gnupg:/root/.gnupg \
+    -e GPG_PASSPHRASE \
+    -e DOCKER_RELEASE_DIR=/volumes/repos \
+    docker-dev:master hack/make.sh update-apt-repo generate-index-listing sign-repos
+```
+
+4. Upload the changed repo to `s3` (if that is where you host)
+
+PURGE THE CACHE.
diff --git a/engine/project/PACKAGERS.md b/engine/project/PACKAGERS.md
new file mode 100644
index 00000000..a5b0018b
--- /dev/null
+++ b/engine/project/PACKAGERS.md
@@ -0,0 +1,307 @@
+# Dear Packager,
+
+If you are looking to make Docker available on your favorite software
+distribution, this document is for you. It summarizes the requirements for
+building and running the Docker client and the Docker daemon.
+
+## Getting Started
+
+We want to help you package Docker successfully. Before doing any packaging, a
+good first step is to introduce yourself on the [docker-dev mailing
+list](https://groups.google.com/d/forum/docker-dev), explain what you're trying
+to achieve, and tell us how we can help. Don't worry, we don't bite! There might
+even be someone already working on packaging for the same distro!
+
+You can also join the IRC channel - #docker and #docker-dev on Freenode are both
+active and friendly.
+
+We like to refer to Tianon ("@tianon" on GitHub and "tianon" on IRC) as our
+"Packagers Relations", since he's always working to make sure our packagers have
+a good, healthy upstream to work with (both in our communication and in our
+build scripts). If you're having any kind of trouble, feel free to ping him
+directly. He also likes to keep track of what distributions we have packagers
+for, so feel free to reach out to him even just to say "Hi!"
+
+## Package Name
+
+If possible, your package should be called "docker". If that name is already
+taken, a second choice is "docker-engine". Another possible choice is "docker.io".
+
+## Official Build vs Distro Build
+
+The Docker project maintains its own build and release toolchain. It is pretty
+neat and entirely based on Docker (surprise!). This toolchain is the canonical
+way to build Docker. We encourage you to give it a try, and if the circumstances
+allow you to use it, we recommend that you do.
+
+You might not be able to use the official build toolchain - usually because your
+distribution has a toolchain and packaging policy of its own. We get it! Your
+house, your rules. The rest of this document should give you the information you
+need to package Docker your way, without denaturing it in the process.
+
+## Build Dependencies
+
+To build Docker, you will need the following:
+
+* A recent version of Git and Mercurial
+* Go version 1.6 or later
+* A clean checkout of the source added to a valid [Go
+  workspace](https://golang.org/doc/code.html#Workspaces) under the path
+  *src/github.com/docker/docker* (unless you plan to use `AUTO_GOPATH`,
+  explained in more detail below)
+
+To build the Docker daemon, you will additionally need:
+
+* An amd64/x86_64 machine running Linux
+* SQLite version 3.7.9 or later
+* libdevmapper version 1.02.68-cvs (2012-01-26) or later from lvm2 version
+  2.02.89 or later
+* btrfs-progs version 3.16.1 or later (unless using an older version is
+  absolutely necessary, in which case 3.8 is the minimum)
+* libseccomp version 2.2.1 or later (for build tag seccomp)
+
+Be sure to also check out Docker's Dockerfile for the most up-to-date list of
+these build-time dependencies.
+
+### Go Dependencies
+
+All Go dependencies are vendored under "./vendor". They are used by the official
+build, so the source of truth for the current version of each dependency is
+whatever is in "./vendor".
+
+To use the vendored dependencies, simply make sure the path to "./vendor" is
+included in `GOPATH` (or use `AUTO_GOPATH`, as explained below).
+
+If you would rather (or must, due to distro policy) package these dependencies
+yourself, take a look at "vendor.conf" for an easy-to-parse list of the
+exact version for each.
+
+NOTE: if you're not able to package the exact version (to the exact commit) of a
+given dependency, please get in touch so we can remediate! Who knows what
+discrepancies can be caused by even the slightest deviation. We promise to do
+our best to make everybody happy.
+
+## Stripping Binaries
+
+Please, please, please do not strip any compiled binaries. This is really
+important.
+
+In our own testing, stripping the resulting binaries sometimes results in a
+binary that appears to work, but more often causes random panics, segfaults, and
+other issues. Even if the binary appears to work, please don't strip.
+
+See the following quotes from Dave Cheney, which explain this position better
+from the upstream Golang perspective.
+
+### [go issue #5855, comment #3](https://code.google.com/p/go/issues/detail?id=5855#c3)
+
+> Super super important: Do not strip go binaries or archives. It isn't tested,
+> often breaks, and doesn't work.
+
+### [launchpad golang issue #1200255, comment #8](https://bugs.launchpad.net/ubuntu/+source/golang/+bug/1200255/comments/8)
+
+> To quote myself: "Please do not strip Go binaries, it is not supported, not
+> tested, is often broken, and doesn't do what you want"
+>
+> To unpack that a bit
+>
+> * not supported, as in, we don't support it, and recommend against it when
+>   asked
+> * not tested, we don't test stripped binaries as part of the build CI process
+> * is often broken, stripping a go binary will produce anywhere from no, to
+>   subtle, to outright execution failure, see above
+
+### [launchpad golang issue #1200255, comment #13](https://bugs.launchpad.net/ubuntu/+source/golang/+bug/1200255/comments/13)
+
+> To clarify my previous statements.
+>
+> * I do not disagree with the debian policy, it is there for a good reason
+> * Having said that, it stripping Go binaries doesn't work, and nobody is
+>   looking at making it work, so there is that.
+>
+> Thanks for patching the build formula.
+
+## Building Docker
+
+Please use our build script ("./hack/make.sh") for all your compilation of
+Docker. If there's something you need that it isn't doing, or something it could
+be doing to make your life as a packager easier, please get in touch with Tianon
+and help us rectify the situation. Chances are good that other packagers have
+probably run into the same problems and a fix might already be in the works, but
+none of us will know for sure unless you harass Tianon about it. :)
+
+All the commands listed within this section should be run with the Docker source
+checkout as the current working directory.
+
+### `AUTO_GOPATH`
+
+If you'd rather not be bothered with the hassles that setting up `GOPATH`
+appropriately can be, and prefer to just get a "build that works", you should
+add something similar to this to whatever script or process you're using to
+build Docker:
+
+```bash
+export AUTO_GOPATH=1
+```
+
+This will cause the build scripts to set up a reasonable `GOPATH` that
+automatically and properly includes both docker/docker from the local
+directory, and the local "./vendor" directory as necessary.
+
+### `DOCKER_BUILDTAGS`
+
+If you're building a binary that may need to be used on platforms that include
+AppArmor, you will need to set `DOCKER_BUILDTAGS` as follows:
+```bash
+export DOCKER_BUILDTAGS='apparmor'
+```
+
+If you're building a binary that may need to be used on platforms that include
+SELinux, you will need to use the `selinux` build tag:
+```bash
+export DOCKER_BUILDTAGS='selinux'
+```
+
+If you're building a binary that may need to be used on platforms that include
+seccomp, you will need to use the `seccomp` build tag:
+```bash
+export DOCKER_BUILDTAGS='seccomp'
+```
+
+There are build tags for disabling graphdrivers as well. By default, support
+for all graphdrivers are built in.
+
+To disable btrfs:
+```bash
+export DOCKER_BUILDTAGS='exclude_graphdriver_btrfs'
+```
+
+To disable devicemapper:
+```bash
+export DOCKER_BUILDTAGS='exclude_graphdriver_devicemapper'
+```
+
+To disable aufs:
+```bash
+export DOCKER_BUILDTAGS='exclude_graphdriver_aufs'
+```
+
+NOTE: if you need to set more than one build tag, space separate them:
+```bash
+export DOCKER_BUILDTAGS='apparmor selinux exclude_graphdriver_aufs'
+```
+
+### Static Daemon
+
+If it is feasible within the constraints of your distribution, you should
+seriously consider packaging Docker as a single static binary. A good comparison
+is Busybox, which is often packaged statically as a feature to enable mass
+portability. Because of the unique way Docker operates, being similarly static
+is a "feature".
+
+To build a static Docker daemon binary, run the following command (first
+ensuring that all the necessary libraries are available in static form for
+linking - see the "Build Dependencies" section above, and the relevant lines
+within Docker's own Dockerfile that set up our official build environment):
+
+```bash
+./hack/make.sh binary
+```
+
+This will create a static binary under
+"./bundles/$VERSION/binary/docker-$VERSION", where "$VERSION" is the contents of
+the file "./VERSION". This binary is usually installed somewhere like
+"/usr/bin/docker".
+
+### Dynamic Daemon / Client-only Binary
+
+If you are only interested in a Docker client binary, you can build using:
+
+```bash
+./hack/make.sh binary-client
+```
+
+If you need to (due to distro policy, distro library availability, or for other
+reasons) create a dynamically compiled daemon binary, or if you are only
+interested in creating a client binary for Docker, use something similar to the
+following:
+
+```bash
+./hack/make.sh dynbinary-client
+```
+
+This will create "./bundles/$VERSION/dynbinary-client/docker-$VERSION", which for
+client-only builds is the important file to grab and install as appropriate.
+
+## System Dependencies
+
+### Runtime Dependencies
+
+To function properly, the Docker daemon needs the following software to be
+installed and available at runtime:
+
+* iptables version 1.4 or later
+* procps (or similar provider of a "ps" executable)
+* e2fsprogs version 1.4.12 or later (in use: mkfs.ext4, tune2fs)
+* xfsprogs (in use: mkfs.xfs)
+* XZ Utils version 4.9 or later
+* a [properly
+  mounted](https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount)
+  cgroupfs hierarchy (having a single, all-encompassing "cgroup" mount point
+  [is](https://github.com/docker/docker/issues/2683)
+  [not](https://github.com/docker/docker/issues/3485)
+  [sufficient](https://github.com/docker/docker/issues/4568))
+
+Additionally, the Docker client needs the following software to be installed and
+available at runtime:
+
+* Git version 1.7 or later
+
+### Kernel Requirements
+
+The Docker daemon has very specific kernel requirements. Most pre-packaged
+kernels already include the necessary options enabled. If you are building your
+own kernel, you will either need to discover the options necessary via trial and
+error, or check out the [Gentoo
+ebuild](https://github.com/tianon/docker-overlay/blob/master/app-emulation/docker/docker-9999.ebuild),
+in which a list is maintained (and if there are any issues or discrepancies in
+that list, please contact Tianon so they can be rectified).
+
+Note that in client mode, there are no specific kernel requirements, and that
+the client will even run on alternative platforms such as Mac OS X / Darwin.
+
+### Optional Dependencies
+
+Some of Docker's features are activated by using optional command-line flags or
+by having support for them in the kernel or userspace. A few examples include:
+
+* AUFS graph driver (requires AUFS patches/support enabled in the kernel, and at
+  least the "auplink" utility from aufs-tools)
+* BTRFS graph driver (requires BTRFS support enabled in the kernel)
+* ZFS graph driver (requires userspace zfs-utils and a corresponding kernel module)
+* Libseccomp to allow running seccomp profiles with containers
+
+## Daemon Init Script
+
+Docker expects to run as a daemon at machine startup. Your package will need to
+include a script for your distro's process supervisor of choice. Be sure to
+check out the "contrib/init" folder in case a suitable init script already
+exists (and if one does not, contact Tianon about whether it might be
+appropriate for your distro's init script to live there too!).
+
+In general, Docker should be run as root, similar to the following:
+
+```bash
+dockerd
+```
+
+Generally, a `DOCKER_OPTS` variable of some kind is available for adding more
+flags (such as changing the graph driver to use BTRFS, switching the location of
+"/var/lib/docker", etc).
+
+## Communicate
+
+As a final note, please do feel free to reach out to Tianon at any time for
+pretty much anything. He really does love hearing from our packagers and wants
+to make sure we're not being a "hostile upstream". As should be a given, we
+appreciate the work our packagers do to make sure we have broad distribution!
diff --git a/engine/project/PATCH-RELEASES.md b/engine/project/PATCH-RELEASES.md
new file mode 100644
index 00000000..548db9ab
--- /dev/null
+++ b/engine/project/PATCH-RELEASES.md
@@ -0,0 +1,68 @@
+# Docker patch (bugfix) release process
+
+Patch releases (the 'Z' in vX.Y.Z) are intended to fix major issues in a
+release. Docker open source projects follow these procedures when creating a
+patch release;
+
+After each release (both "major" (vX.Y.0) and "patch" releases (vX.Y.Z)), a
+patch release milestone (vX.Y.Z + 1) is created.
+
+The creation of a patch release milestone is no obligation to actually
+*create* a patch release. The purpose of these milestones is to collect
+issues and pull requests that can *justify* a patch release;
+
+- Any maintainer is allowed to add issues and PR's to the milestone, when
+  doing so, preferably leave a comment on the issue or PR explaining *why*
+  you think it should be considered for inclusion in a patch release.
+- Issues introduced in version vX.Y.0 get added to milestone X.Y.Z+1
+- Only *regressions* should be added. Issues *discovered* in version vX.Y.0,
+  but already present in version vX.Y-1.Z should not be added, unless
+  critical.
+- Patch releases can *only* contain bug-fixes. New features should
+  *never* be added to a patch release.
+
+The release captain of the "major" (X.Y.0) release, is also responsible for
+patch releases. The release captain, together with another maintainer, will
+review issues and PRs on the milestone, and assigns `priority/`labels. These
+review sessions take place on a weekly basis, more frequent if needed:
+
+- A P0 priority is assigned to critical issues. A maintainer *must* be
+  assigned to these issues. Maintainers should strive to fix a P0 within a week.
+- A P1 priority is assigned to major issues, but not critical. A maintainer
+  *must* be assigned to these issues.
+- P2 and P3 priorities are assigned to other issues. A maintainer can be
+  assigned.
+- Non-critical issues and PR's can be removed from the milestone. Minor
+  changes, such as typo-fixes or omissions in the documentation can be
+  considered for inclusion in a patch release.
+
+## Deciding if a patch release should be done
+
+- Only a P0 can justify to proceed with the patch release.
+- P1, P2, and P3 issues/PR's should not influence the decision, and
+  should be moved to the X.Y.Z+1 milestone, or removed from the
+  milestone.
+
+> **Note**: If the next "major" release is imminent, the release captain
+> can decide to cancel a patch release, and include the patches in the
+> upcoming major release.
+
+> **Note**: Security releases are also "patch releases", but follow
+> a different procedure. Security releases are developed in a private
+> repository, released and tested under embargo before they become
+> publicly available.
+
+## Deciding on the content of a patch release
+
+When the criteria for moving forward with a patch release are met, the release
+manager will decide on the exact content of the release.
+
+- Fixes to all P0 issues *must* be included in the release.
+- Fixes to *some* P1, P2, and P3 issues *may* be included as part of the patch
+  release depending on the severity of the issue and the risk associated with
+  the patch.
+
+Any code delivered as part of a patch release should make life easier for a
+significant amount of users with zero chance of degrading anybody's experience.
+A good rule of thumb for that is to limit cherry-picking to small patches, which
+fix well-understood issues, and which come with verifiable tests.
diff --git a/engine/project/PRINCIPLES.md b/engine/project/PRINCIPLES.md
new file mode 100644
index 00000000..53f03018
--- /dev/null
+++ b/engine/project/PRINCIPLES.md
@@ -0,0 +1,19 @@
+# Docker principles
+
+In the design and development of Docker we try to follow these principles:
+
+(Work in progress)
+
+* Don't try to replace every tool. Instead, be an ingredient to improve them.
+* Less code is better.
+* Fewer components are better. Do you really need to add one more class?
+* 50 lines of straightforward, readable code is better than 10 lines of magic that nobody can understand.
+* Don't do later what you can do now. "//FIXME: refactor" is not acceptable in new code.
+* When hesitating between 2 options, choose the one that is easier to reverse.
+* No is temporary, Yes is forever. If you're not sure about a new feature, say no. You can change your mind later.
+* Containers must be portable to the greatest possible number of machines. Be suspicious of any change which makes machines less interchangeable.
+* The less moving parts in a container, the better.
+* Don't merge it unless you document it.
+* Don't document it unless you can keep it up-to-date.
+* Don't merge it unless you test it!
+* Everyone's problem is slightly different. Focus on the part that is the same for everyone, and solve that.
diff --git a/engine/project/README.md b/engine/project/README.md
new file mode 100644
index 00000000..0eb5e589
--- /dev/null
+++ b/engine/project/README.md
@@ -0,0 +1,24 @@
+# Hacking on Docker
+
+The `project/` directory holds information and tools for everyone involved in the process of creating and
+distributing Docker, specifically:
+
+## Guides
+
+If you're a *contributor* or aspiring contributor, you should read [CONTRIBUTING.md](../CONTRIBUTING.md).
+
+If you're a *maintainer* or aspiring maintainer, you should read [MAINTAINERS](../MAINTAINERS).
+
+If you're a *packager* or aspiring packager, you should read [PACKAGERS.md](./PACKAGERS.md).
+
+If you're a maintainer in charge of a *release*, you should read [RELEASE-CHECKLIST.md](./RELEASE-CHECKLIST.md).
+
+## Roadmap
+
+A high-level roadmap is available at [ROADMAP.md](../ROADMAP.md).
+
+
+## Build tools
+
+[hack/make.sh](../hack/make.sh) is the primary build tool for docker. It is used for compiling the official binary,
+running the test suite, and pushing releases.
diff --git a/engine/project/RELEASE-PROCESS.md b/engine/project/RELEASE-PROCESS.md
new file mode 100644
index 00000000..8270a6ef
--- /dev/null
+++ b/engine/project/RELEASE-PROCESS.md
@@ -0,0 +1,78 @@
+# Docker Release Process
+
+This document describes how the Docker project is released. The Docker project
+release process targets the Engine, Compose, Kitematic, Machine, Swarm,
+Distribution, Notary and their underlying dependencies (libnetwork, libkv,
+etc...).
+
+Step-by-step technical details of the process are described in 
+[RELEASE-CHECKLIST.md](https://github.com/docker/docker/blob/master/project/RELEASE-CHECKLIST.md).
+
+## Release cycle
+
+The Docker project follows a **time-based release cycle** and ships every nine
+weeks. A release cycle starts the same day the previous release cycle ends.
+
+The first six weeks of the cycle are dedicated to development and review. During
+this phase, new features and bugfixes submitted to any of the projects are
+**eligible** to be shipped as part of the next release. No changeset submitted
+during this period is however guaranteed to be merged for the current release
+cycle.
+
+## The freeze period
+
+Six weeks after the beginning of the cycle, the codebase is officially frozen
+and the codebase reaches a state close to the final release. A Release Candidate
+(RC) gets created at the same time. The freeze period is used to find bugs and
+get feedback on the state of the RC before the release.
+
+During this freeze period, while the `master` branch will continue its normal
+development cycle, no new features are accepted into the RC. As bugs are fixed
+in `master` the release owner will selectively 'cherry-pick' critical ones to
+be included into the RC. As the RC changes, new ones are made available for the
+community to test and review.
+
+This period lasts for three weeks.
+
+## How to maximize chances of being merged before the freeze date?
+
+First of all, there is never a guarantee that a specific changeset is going to
+be merged. However there are different actions to follow to maximize the chances
+for a changeset to be merged:
+
+- The team gives priority to review the PRs aligned with the Roadmap (usually
+defined by a ROADMAP.md file at the root of the repository).
+- The earlier a PR is opened, the more time the maintainers have to review. For
+example, if a PR is opened the day before the freeze date, it’s very unlikely
+that it will be merged for the release.
+- Constant communication with the maintainers (mailing-list, IRC, GitHub issues,
+etc.) allows to get early feedback on the design before getting into the
+implementation, which usually reduces the time needed to discuss a changeset.
+- If the code is commented, fully tested and by extension follows every single
+rules defined by the [CONTRIBUTING guide](
+https://github.com/docker/docker/blob/master/CONTRIBUTING.md), this will help
+the maintainers by speeding up the review.
+
+## The release
+
+At the end of the freeze (nine weeks after the start of the cycle), all the
+projects are released together.
+
+```
+                                        Codebase              Release
+Start of                                is frozen             (end of the
+the Cycle                               (7th week)            9th week)
++---------------------------------------+---------------------+
+|                                       |                     |
+|           Development phase           |    Freeze phase     |
+|                                       |                     |
++---------------------------------------+---------------------+
+                   6 weeks                      3 weeks
+<---------------------------------------><-------------------->
+```
+
+## Exceptions
+
+If a critical issue is found at the end of the freeze period and more time is
+needed to address it, the release will be pushed back. When a release gets
+pushed back, the next release cycle gets delayed as well.
diff --git a/engine/project/REVIEWING.md b/engine/project/REVIEWING.md
new file mode 100644
index 00000000..cac3f5d7
--- /dev/null
+++ b/engine/project/REVIEWING.md
@@ -0,0 +1,246 @@
+# Pull request reviewing process
+
+## Labels
+
+Labels are carefully picked to optimize for:
+
+ - Readability: maintainers must immediately know the state of a PR
+ - Filtering simplicity: different labels represent many different aspects of
+   the reviewing work, and can even be targeted at different maintainers groups.
+
+A pull request should only be attributed labels documented in this section: other labels that may
+exist on the repository should apply to issues.
+
+### DCO labels
+
+ * `dco/no`: automatically set by a bot when one of the commits lacks proper signature
+
+### Status labels
+
+ * `status/0-triage`
+ * `status/1-design-review`
+ * `status/2-code-review`
+ * `status/3-docs-review`
+ * `status/4-ready-to-merge`
+
+Special status labels:
+
+ * `status/failing-ci`: indicates that the PR in its current state fails the test suite
+ * `status/needs-attention`: calls for a collective discussion during a review session
+
+### Impact labels (apply to merged pull requests)
+
+ * `impact/api`
+ * `impact/changelog`
+ * `impact/cli`
+ * `impact/deprecation`
+ * `impact/distribution`
+ * `impact/dockerfile`
+
+### Process labels (apply to merged pull requests)
+
+Process labels are to assist in preparing (patch) releases. These labels should only be used for pull requests.
+
+Label                           | Use for
+------------------------------- | -------------------------------------------------------------------------
+`process/cherry-pick`           | PRs that should be cherry-picked in the bump/release branch. These pull-requests must also be assigned to a milestone.
+`process/cherry-picked`         | PRs that have been cherry-picked. This label is helpful to find PR's that have been added to release-candidates, and to update the change log
+`process/docs-cherry-pick`      | PRs that should be cherry-picked in the docs branch. Only apply this label for changes that apply to the *current* release, and generic documentation fixes, such as Markdown and spelling fixes.
+`process/docs-cherry-picked`    | PRs that have been cherry-picked in the docs branch
+`process/merge-to-master`       | PRs that are opened directly on the bump/release branch, but also need to be merged back to "master"
+`process/merged-to-master`      | PRs that have been merged back to "master"
+
+
+## Workflow
+
+An opened pull request can be in 1 of 5 distinct states, for each of which there is a corresponding
+label that needs to be applied.
+
+### Triage - `status/0-triage`
+
+Maintainers are expected to triage new incoming pull requests by removing the `status/0-triage`
+label and adding the correct labels (e.g. `status/1-design-review`) before any other interaction
+with the PR. The starting label may potentially skip some steps depending on the kind of pull
+request: use your best judgement.
+
+Maintainers should perform an initial, high-level, overview of the pull request before moving it to
+the next appropriate stage:
+
+ - Has DCO
+ - Contains sufficient justification (e.g., usecases) for the proposed change
+ - References the GitHub issue it fixes (if any) in the commit or the first GitHub comment
+
+Possible transitions from this state:
+
+ * Close: e.g., unresponsive contributor without DCO
+ * `status/1-design-review`: general case
+ * `status/2-code-review`: e.g. trivial bugfix
+ * `status/3-docs-review`: non-proposal documentation-only change
+
+### Design review - `status/1-design-review`
+
+Maintainers are expected to comment on the design of the pull request.  Review of documentation is
+expected only in the context of design validation, not for stylistic changes.
+
+Ideally, documentation should reflect the expected behavior of the code.  No code review should
+take place in this step.
+
+There are no strict rules on the way a design is validated: we usually aim for a consensus,
+although a single maintainer approval is often sufficient for obviously reasonable changes. In
+general, strong disagreement expressed by any of the maintainers should not be taken lightly.
+
+Once design is approved, a maintainer should make sure to remove this label and add the next one.
+
+Possible transitions from this state:
+
+ * Close: design rejected
+ * `status/2-code-review`: general case
+ * `status/3-docs-review`: proposals with only documentation changes
+
+### Code review - `status/2-code-review`
+
+Maintainers are expected to review the code and ensure that it is good quality and in accordance
+with the documentation in the PR.
+
+New testcases are expected to be added. Ideally, those testcases should fail when the new code is
+absent, and pass when present. The testcases should strive to test as many variants, code paths, as
+possible to ensure maximum coverage.
+
+Changes to code must be reviewed and approved (LGTM'd) by a minimum of two code maintainers. When
+the author of a PR is a maintainer, he still needs the approval of two other maintainers.
+
+Once code is approved according to the rules of the subsystem, a maintainer should make sure to
+remove this label and add the next one. If documentation is absent but expected, maintainers should
+ask for documentation and move to status `status/3-docs-review` for docs maintainer to follow.
+
+Possible transitions from this state:
+
+ * Close
+ * `status/1-design-review`: new design concerns are raised
+ * `status/3-docs-review`: general case
+ * `status/4-ready-to-merge`: change not impacting documentation
+
+### Docs review - `status/3-docs-review`
+
+Maintainers are expected to review the documentation in its bigger context, ensuring consistency,
+completeness, validity, and breadth of coverage across all existing and new documentation.
+
+They should ask for any editorial change that makes the documentation more consistent and easier to
+understand.
+
+The docker/docker repository only contains _reference documentation_, all
+"narrative" documentation is kept in a [unified documentation
+repository](https://github.com/docker/docker.github.io). Reviewers must
+therefore verify which parts of the documentation need to be updated. Any
+contribution that may require changing the narrative should get the
+`impact/documentation` label: this is the signal for documentation maintainers
+that a change will likely need to happen on the unified documentation
+repository. When in doubt, it’s better to add the label and leave it to
+documentation maintainers to decide whether it’s ok to skip. In all cases,
+leave a comment to explain what documentation changes you think might be needed.
+
+- If the pull request does not impact the documentation at all, the docs review
+  step is skipped, and the pull request is ready to merge.
+- If the changes in
+  the pull request require changes to the reference documentation (either
+  command-line reference, or API reference), those changes must be included as
+  part of the pull request and will be reviewed now. Keep in mind that the
+  narrative documentation may contain output examples of commands, so may need
+  to be updated as well, in which case the `impact/documentation` label must
+  be applied.
+- If the PR has the `impact/documentation` label, merging is delayed until a
+  documentation maintainer acknowledges that a corresponding documentation PR
+  (or issue) is opened on the documentation repository. Once a documentation
+  maintainer acknowledges the change, she/he will move the PR to `status/4-merge`
+  for a code maintainer to push the green button.
+
+Changes and additions to docs must be reviewed and approved (LGTM'd) by a minimum of two docs
+sub-project maintainers. If the docs change originates with a docs maintainer, only one additional
+LGTM is required (since we assume a docs maintainer approves of their own PR).
+
+Once documentation is approved, a maintainer should make sure to remove this label and
+add the next one.
+
+Possible transitions from this state:
+
+ * Close
+ * `status/1-design-review`: new design concerns are raised
+ * `status/2-code-review`: requires more code changes
+ * `status/4-ready-to-merge`: general case
+
+### Merge - `status/4-ready-to-merge`
+
+Maintainers are expected to merge this pull request as soon as possible. They can ask for a rebase
+or carry the pull request themselves.
+
+Possible transitions from this state:
+
+ * Merge: general case
+ * Close: carry PR
+
+After merging a pull request, the maintainer should consider applying one or multiple impact labels
+to ease future classification:
+
+ * `impact/api` signifies the patch impacted the Engine API
+ * `impact/changelog` signifies the change is significant enough to make it in the changelog
+ * `impact/cli` signifies the patch impacted a CLI command
+ * `impact/dockerfile` signifies the patch impacted the Dockerfile syntax
+ * `impact/deprecation` signifies the patch participates in deprecating an existing feature
+
+### Close
+
+If a pull request is closed it is expected that sufficient justification will be provided. In
+particular, if there are alternative ways of achieving the same net result then those needs to be
+spelled out. If the pull request is trying to solve a use case that is not one that we (as a
+community) want to support then a justification for why should be provided.
+
+The number of maintainers it takes to decide and close a PR is deliberately left unspecified. We
+assume that the group of maintainers is bound by mutual trust and respect, and that opposition from
+any single maintainer should be taken into consideration. Similarly, we expect maintainers to
+justify their reasoning and to accept debating.
+
+## Escalation process
+
+Despite the previously described reviewing process, some PR might not show any progress for various
+reasons:
+
+ - No strong opinion for or against the proposed patch
+ - Debates about the proper way to solve the problem at hand
+ - Lack of consensus
+ - ...
+
+All these will eventually lead to stalled PR, where no apparent progress is made across several
+weeks, or even months.
+
+Maintainers should use their best judgement and apply the `status/needs-attention` label. It must
+be used sparingly, as each PR with such label will be discussed by a group of maintainers during a
+review session. The goal of that session is to agree on one of the following outcomes for the PR:
+
+ * Close, explaining the rationale for not pursuing further
+ * Continue, either by pushing the PR further in the workflow, or by deciding to carry the patch
+   (ideally, a maintainer should be immediately assigned to make sure that the PR keeps continued
+   attention)
+ * Escalate to Solomon by formulating a few specific questions on which his answers will allow
+   maintainers to decide.
+
+## Milestones
+
+Typically, every merged pull request get shipped naturally with the next release cut from the
+`master` branch (either the next minor or major version, as indicated by the
+[`VERSION`](https://github.com/docker/docker/blob/master/VERSION) file at the root of the
+repository). However, the time-based nature of the release process provides no guarantee that a
+given pull request will get merged in time. In other words, all open pull requests are implicitly
+considered part of the next minor or major release milestone, and this won't be materialized on
+GitHub.
+
+A merged pull request must be attached to the milestone corresponding to the release in which it
+will be shipped: this is both useful for tracking, and to help the release manager with the
+changelog generation.
+
+An open pull request may exceptionally get attached to a milestone to express a particular intent to
+get it merged in time for that release. This may for example be the case for an important feature to
+be included in a minor release, or a critical bugfix to be included in a patch release.
+
+Finally, and as documented by the [`PATCH-RELEASES.md`](PATCH-RELEASES.md) process, the existence of
+a milestone is not a guarantee that a release will happen, as some milestones will be created purely
+for the purpose of bookkeeping
diff --git a/engine/project/TOOLS.md b/engine/project/TOOLS.md
new file mode 100644
index 00000000..dda0fc03
--- /dev/null
+++ b/engine/project/TOOLS.md
@@ -0,0 +1,63 @@
+# Tools
+
+This page describes the tools we use and infrastructure that is in place for
+the Docker project.
+
+### CI
+
+The Docker project uses [Jenkins](https://jenkins.dockerproject.org/) as our
+continuous integration server. Each Pull Request to Docker is tested by running the 
+equivalent of `make all`. We chose Jenkins because we can host it ourselves and
+we run Docker in Docker to test.
+
+#### Leeroy
+
+Leeroy is a Go application which integrates Jenkins with 
+GitHub pull requests. Leeroy uses 
+[GitHub hooks](https://developer.github.com/v3/repos/hooks/) 
+to listen for pull request notifications and starts jobs on your Jenkins 
+server.  Using the Jenkins
+[notification plugin](https://wiki.jenkins-ci.org/display/JENKINS/Notification+Plugin),
+Leeroy updates the pull request using GitHub's 
+[status API](https://developer.github.com/v3/repos/statuses/)
+with pending, success, failure, or error statuses.
+
+The leeroy repository is maintained at
+[github.com/docker/leeroy](https://github.com/docker/leeroy).
+
+#### GordonTheTurtle IRC Bot
+
+The GordonTheTurtle IRC Bot lives in the
+[#docker-maintainers](https://botbot.me/freenode/docker-maintainers/) channel
+on Freenode. He is built in Go and is based off the project at
+[github.com/fabioxgn/go-bot](https://github.com/fabioxgn/go-bot). 
+
+His main command is `!rebuild`, which rebuilds a given Pull Request for a repository.
+This command works by integrating with Leroy. He has a few other commands too, such 
+as `!gif` or `!godoc`, but we are always looking for more fun commands to add.
+
+The gordon-bot repository is maintained at
+[github.com/docker/gordon-bot](https://github.com/docker/gordon-bot)
+
+### NSQ
+
+We use [NSQ](https://github.com/bitly/nsq) for various aspects of the project
+infrastructure.
+
+#### Hooks
+
+The hooks project,
+[github.com/crosbymichael/hooks](https://github.com/crosbymichael/hooks),
+is a small Go application that manages web hooks from github, hub.docker.com, or
+other third party services.
+
+It can be used for listening to github webhooks & pushing them to a queue,
+archiving hooks to rethinkdb for processing, and broadcasting hooks to various
+jobs.
+
+#### Docker Master Binaries
+
+One of the things queued from the Hooks are the building of the Master
+Binaries. This happens on every push to the master branch of Docker. The
+repository for this is maintained at
+[github.com/docker/docker-bb](https://github.com/docker/docker-bb).
diff --git a/engine/reference/errors.go b/engine/reference/errors.go
new file mode 100644
index 00000000..2d294c67
--- /dev/null
+++ b/engine/reference/errors.go
@@ -0,0 +1,25 @@
+package reference // import "github.com/docker/docker/reference"
+
+type notFoundError string
+
+func (e notFoundError) Error() string {
+	return string(e)
+}
+
+func (notFoundError) NotFound() {}
+
+type invalidTagError string
+
+func (e invalidTagError) Error() string {
+	return string(e)
+}
+
+func (invalidTagError) InvalidParameter() {}
+
+type conflictingTagError string
+
+func (e conflictingTagError) Error() string {
+	return string(e)
+}
+
+func (conflictingTagError) Conflict() {}
diff --git a/engine/reference/store.go b/engine/reference/store.go
new file mode 100644
index 00000000..b01051bf
--- /dev/null
+++ b/engine/reference/store.go
@@ -0,0 +1,343 @@
+package reference // import "github.com/docker/docker/reference"
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"sync"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+var (
+	// ErrDoesNotExist is returned if a reference is not found in the
+	// store.
+	ErrDoesNotExist notFoundError = "reference does not exist"
+)
+
+// An Association is a tuple associating a reference with an image ID.
+type Association struct {
+	Ref reference.Named
+	ID  digest.Digest
+}
+
+// Store provides the set of methods which can operate on a reference store.
+type Store interface {
+	References(id digest.Digest) []reference.Named
+	ReferencesByName(ref reference.Named) []Association
+	AddTag(ref reference.Named, id digest.Digest, force bool) error
+	AddDigest(ref reference.Canonical, id digest.Digest, force bool) error
+	Delete(ref reference.Named) (bool, error)
+	Get(ref reference.Named) (digest.Digest, error)
+}
+
+type store struct {
+	mu sync.RWMutex
+	// jsonPath is the path to the file where the serialized tag data is
+	// stored.
+	jsonPath string
+	// Repositories is a map of repositories, indexed by name.
+	Repositories map[string]repository
+	// referencesByIDCache is a cache of references indexed by ID, to speed
+	// up References.
+	referencesByIDCache map[digest.Digest]map[string]reference.Named
+}
+
+// Repository maps tags to digests. The key is a stringified Reference,
+// including the repository name.
+type repository map[string]digest.Digest
+
+type lexicalRefs []reference.Named
+
+func (a lexicalRefs) Len() int      { return len(a) }
+func (a lexicalRefs) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+func (a lexicalRefs) Less(i, j int) bool {
+	return a[i].String() < a[j].String()
+}
+
+type lexicalAssociations []Association
+
+func (a lexicalAssociations) Len() int      { return len(a) }
+func (a lexicalAssociations) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+func (a lexicalAssociations) Less(i, j int) bool {
+	return a[i].Ref.String() < a[j].Ref.String()
+}
+
+// NewReferenceStore creates a new reference store, tied to a file path where
+// the set of references are serialized in JSON format.
+func NewReferenceStore(jsonPath string) (Store, error) {
+	abspath, err := filepath.Abs(jsonPath)
+	if err != nil {
+		return nil, err
+	}
+
+	store := &store{
+		jsonPath:            abspath,
+		Repositories:        make(map[string]repository),
+		referencesByIDCache: make(map[digest.Digest]map[string]reference.Named),
+	}
+	// Load the json file if it exists, otherwise create it.
+	if err := store.reload(); os.IsNotExist(err) {
+		if err := store.save(); err != nil {
+			return nil, err
+		}
+	} else if err != nil {
+		return nil, err
+	}
+	return store, nil
+}
+
+// AddTag adds a tag reference to the store. If force is set to true, existing
+// references can be overwritten. This only works for tags, not digests.
+func (store *store) AddTag(ref reference.Named, id digest.Digest, force bool) error {
+	if _, isCanonical := ref.(reference.Canonical); isCanonical {
+		return errors.WithStack(invalidTagError("refusing to create a tag with a digest reference"))
+	}
+	return store.addReference(reference.TagNameOnly(ref), id, force)
+}
+
+// AddDigest adds a digest reference to the store.
+func (store *store) AddDigest(ref reference.Canonical, id digest.Digest, force bool) error {
+	return store.addReference(ref, id, force)
+}
+
+func favorDigest(originalRef reference.Named) (reference.Named, error) {
+	ref := originalRef
+	// If the reference includes a digest and a tag, we must store only the
+	// digest.
+	canonical, isCanonical := originalRef.(reference.Canonical)
+	_, isNamedTagged := originalRef.(reference.NamedTagged)
+
+	if isCanonical && isNamedTagged {
+		trimmed, err := reference.WithDigest(reference.TrimNamed(canonical), canonical.Digest())
+		if err != nil {
+			// should never happen
+			return originalRef, err
+		}
+		ref = trimmed
+	}
+	return ref, nil
+}
+
+func (store *store) addReference(ref reference.Named, id digest.Digest, force bool) error {
+	ref, err := favorDigest(ref)
+	if err != nil {
+		return err
+	}
+
+	refName := reference.FamiliarName(ref)
+	refStr := reference.FamiliarString(ref)
+
+	if refName == string(digest.Canonical) {
+		return errors.WithStack(invalidTagError("refusing to create an ambiguous tag using digest algorithm as name"))
+	}
+
+	store.mu.Lock()
+	defer store.mu.Unlock()
+
+	repository, exists := store.Repositories[refName]
+	if !exists || repository == nil {
+		repository = make(map[string]digest.Digest)
+		store.Repositories[refName] = repository
+	}
+
+	oldID, exists := repository[refStr]
+
+	if exists {
+		// force only works for tags
+		if digested, isDigest := ref.(reference.Canonical); isDigest {
+			return errors.WithStack(conflictingTagError("Cannot overwrite digest " + digested.Digest().String()))
+		}
+
+		if !force {
+			return errors.WithStack(
+				conflictingTagError(
+					fmt.Sprintf("Conflict: Tag %s is already set to image %s, if you want to replace it, please use the force option", refStr, oldID.String()),
+				),
+			)
+		}
+
+		if store.referencesByIDCache[oldID] != nil {
+			delete(store.referencesByIDCache[oldID], refStr)
+			if len(store.referencesByIDCache[oldID]) == 0 {
+				delete(store.referencesByIDCache, oldID)
+			}
+		}
+	}
+
+	repository[refStr] = id
+	if store.referencesByIDCache[id] == nil {
+		store.referencesByIDCache[id] = make(map[string]reference.Named)
+	}
+	store.referencesByIDCache[id][refStr] = ref
+
+	return store.save()
+}
+
+// Delete deletes a reference from the store. It returns true if a deletion
+// happened, or false otherwise.
+func (store *store) Delete(ref reference.Named) (bool, error) {
+	ref, err := favorDigest(ref)
+	if err != nil {
+		return false, err
+	}
+
+	ref = reference.TagNameOnly(ref)
+
+	refName := reference.FamiliarName(ref)
+	refStr := reference.FamiliarString(ref)
+
+	store.mu.Lock()
+	defer store.mu.Unlock()
+
+	repository, exists := store.Repositories[refName]
+	if !exists {
+		return false, ErrDoesNotExist
+	}
+
+	if id, exists := repository[refStr]; exists {
+		delete(repository, refStr)
+		if len(repository) == 0 {
+			delete(store.Repositories, refName)
+		}
+		if store.referencesByIDCache[id] != nil {
+			delete(store.referencesByIDCache[id], refStr)
+			if len(store.referencesByIDCache[id]) == 0 {
+				delete(store.referencesByIDCache, id)
+			}
+		}
+		return true, store.save()
+	}
+
+	return false, ErrDoesNotExist
+}
+
+// Get retrieves an item from the store by reference
+func (store *store) Get(ref reference.Named) (digest.Digest, error) {
+	if canonical, ok := ref.(reference.Canonical); ok {
+		// If reference contains both tag and digest, only
+		// lookup by digest as it takes precedence over
+		// tag, until tag/digest combos are stored.
+		if _, ok := ref.(reference.Tagged); ok {
+			var err error
+			ref, err = reference.WithDigest(reference.TrimNamed(canonical), canonical.Digest())
+			if err != nil {
+				return "", err
+			}
+		}
+	} else {
+		ref = reference.TagNameOnly(ref)
+	}
+
+	refName := reference.FamiliarName(ref)
+	refStr := reference.FamiliarString(ref)
+
+	store.mu.RLock()
+	defer store.mu.RUnlock()
+
+	repository, exists := store.Repositories[refName]
+	if !exists || repository == nil {
+		return "", ErrDoesNotExist
+	}
+
+	id, exists := repository[refStr]
+	if !exists {
+		return "", ErrDoesNotExist
+	}
+
+	return id, nil
+}
+
+// References returns a slice of references to the given ID. The slice
+// will be nil if there are no references to this ID.
+func (store *store) References(id digest.Digest) []reference.Named {
+	store.mu.RLock()
+	defer store.mu.RUnlock()
+
+	// Convert the internal map to an array for two reasons:
+	// 1) We must not return a mutable
+	// 2) It would be ugly to expose the extraneous map keys to callers.
+
+	var references []reference.Named
+	for _, ref := range store.referencesByIDCache[id] {
+		references = append(references, ref)
+	}
+
+	sort.Sort(lexicalRefs(references))
+
+	return references
+}
+
+// ReferencesByName returns the references for a given repository name.
+// If there are no references known for this repository name,
+// ReferencesByName returns nil.
+func (store *store) ReferencesByName(ref reference.Named) []Association {
+	refName := reference.FamiliarName(ref)
+
+	store.mu.RLock()
+	defer store.mu.RUnlock()
+
+	repository, exists := store.Repositories[refName]
+	if !exists {
+		return nil
+	}
+
+	var associations []Association
+	for refStr, refID := range repository {
+		ref, err := reference.ParseNormalizedNamed(refStr)
+		if err != nil {
+			// Should never happen
+			return nil
+		}
+		associations = append(associations,
+			Association{
+				Ref: ref,
+				ID:  refID,
+			})
+	}
+
+	sort.Sort(lexicalAssociations(associations))
+
+	return associations
+}
+
+func (store *store) save() error {
+	// Store the json
+	jsonData, err := json.Marshal(store)
+	if err != nil {
+		return err
+	}
+	return ioutils.AtomicWriteFile(store.jsonPath, jsonData, 0600)
+}
+
+func (store *store) reload() error {
+	f, err := os.Open(store.jsonPath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	if err := json.NewDecoder(f).Decode(&store); err != nil {
+		return err
+	}
+
+	for _, repository := range store.Repositories {
+		for refStr, refID := range repository {
+			ref, err := reference.ParseNormalizedNamed(refStr)
+			if err != nil {
+				// Should never happen
+				continue
+			}
+			if store.referencesByIDCache[refID] == nil {
+				store.referencesByIDCache[refID] = make(map[string]reference.Named)
+			}
+			store.referencesByIDCache[refID][refStr] = ref
+		}
+	}
+
+	return nil
+}
diff --git a/engine/reference/store_test.go b/engine/reference/store_test.go
new file mode 100644
index 00000000..1ce674cb
--- /dev/null
+++ b/engine/reference/store_test.go
@@ -0,0 +1,350 @@
+package reference // import "github.com/docker/docker/reference"
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/docker/distribution/reference"
+	"github.com/opencontainers/go-digest"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+var (
+	saveLoadTestCases = map[string]digest.Digest{
+		"registry:5000/foobar:HEAD":                                                        "sha256:470022b8af682154f57a2163d030eb369549549cba00edc69e1b99b46bb924d6",
+		"registry:5000/foobar:alternate":                                                   "sha256:ae300ebc4a4f00693702cfb0a5e0b7bc527b353828dc86ad09fb95c8a681b793",
+		"registry:5000/foobar:latest":                                                      "sha256:6153498b9ac00968d71b66cca4eac37e990b5f9eb50c26877eb8799c8847451b",
+		"registry:5000/foobar:master":                                                      "sha256:6c9917af4c4e05001b346421959d7ea81b6dc9d25718466a37a6add865dfd7fc",
+		"jess/hollywood:latest":                                                            "sha256:ae7a5519a0a55a2d4ef20ddcbd5d0ca0888a1f7ab806acc8e2a27baf46f529fe",
+		"registry@sha256:367eb40fd0330a7e464777121e39d2f5b3e8e23a1e159342e53ab05c9e4d94e6": "sha256:24126a56805beb9711be5f4590cc2eb55ab8d4a85ebd618eed72bb19fc50631c",
+		"busybox:latest": "sha256:91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c",
+	}
+
+	marshalledSaveLoadTestCases = []byte(`{"Repositories":{"busybox":{"busybox:latest":"sha256:91e54dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c"},"jess/hollywood":{"jess/hollywood:latest":"sha256:ae7a5519a0a55a2d4ef20ddcbd5d0ca0888a1f7ab806acc8e2a27baf46f529fe"},"registry":{"registry@sha256:367eb40fd0330a7e464777121e39d2f5b3e8e23a1e159342e53ab05c9e4d94e6":"sha256:24126a56805beb9711be5f4590cc2eb55ab8d4a85ebd618eed72bb19fc50631c"},"registry:5000/foobar":{"registry:5000/foobar:HEAD":"sha256:470022b8af682154f57a2163d030eb369549549cba00edc69e1b99b46bb924d6","registry:5000/foobar:alternate":"sha256:ae300ebc4a4f00693702cfb0a5e0b7bc527b353828dc86ad09fb95c8a681b793","registry:5000/foobar:latest":"sha256:6153498b9ac00968d71b66cca4eac37e990b5f9eb50c26877eb8799c8847451b","registry:5000/foobar:master":"sha256:6c9917af4c4e05001b346421959d7ea81b6dc9d25718466a37a6add865dfd7fc"}}}`)
+)
+
+func TestLoad(t *testing.T) {
+	jsonFile, err := ioutil.TempFile("", "tag-store-test")
+	if err != nil {
+		t.Fatalf("error creating temp file: %v", err)
+	}
+	defer os.RemoveAll(jsonFile.Name())
+
+	// Write canned json to the temp file
+	_, err = jsonFile.Write(marshalledSaveLoadTestCases)
+	if err != nil {
+		t.Fatalf("error writing to temp file: %v", err)
+	}
+	jsonFile.Close()
+
+	store, err := NewReferenceStore(jsonFile.Name())
+	if err != nil {
+		t.Fatalf("error creating tag store: %v", err)
+	}
+
+	for refStr, expectedID := range saveLoadTestCases {
+		ref, err := reference.ParseNormalizedNamed(refStr)
+		if err != nil {
+			t.Fatalf("failed to parse reference: %v", err)
+		}
+		id, err := store.Get(ref)
+		if err != nil {
+			t.Fatalf("could not find reference %s: %v", refStr, err)
+		}
+		if id != expectedID {
+			t.Fatalf("expected %s - got %s", expectedID, id)
+		}
+	}
+}
+
+func TestSave(t *testing.T) {
+	jsonFile, err := ioutil.TempFile("", "tag-store-test")
+	assert.NilError(t, err)
+
+	_, err = jsonFile.Write([]byte(`{}`))
+	assert.NilError(t, err)
+	jsonFile.Close()
+	defer os.RemoveAll(jsonFile.Name())
+
+	store, err := NewReferenceStore(jsonFile.Name())
+	if err != nil {
+		t.Fatalf("error creating tag store: %v", err)
+	}
+
+	for refStr, id := range saveLoadTestCases {
+		ref, err := reference.ParseNormalizedNamed(refStr)
+		if err != nil {
+			t.Fatalf("failed to parse reference: %v", err)
+		}
+		if canonical, ok := ref.(reference.Canonical); ok {
+			err = store.AddDigest(canonical, id, false)
+			if err != nil {
+				t.Fatalf("could not add digest reference %s: %v", refStr, err)
+			}
+		} else {
+			err = store.AddTag(ref, id, false)
+			if err != nil {
+				t.Fatalf("could not add reference %s: %v", refStr, err)
+			}
+		}
+	}
+
+	jsonBytes, err := ioutil.ReadFile(jsonFile.Name())
+	if err != nil {
+		t.Fatalf("could not read json file: %v", err)
+	}
+
+	if !bytes.Equal(jsonBytes, marshalledSaveLoadTestCases) {
+		t.Fatalf("save output did not match expectations\nexpected:\n%s\ngot:\n%s", marshalledSaveLoadTestCases, jsonBytes)
+	}
+}
+
+func TestAddDeleteGet(t *testing.T) {
+	jsonFile, err := ioutil.TempFile("", "tag-store-test")
+	if err != nil {
+		t.Fatalf("error creating temp file: %v", err)
+	}
+	_, err = jsonFile.Write([]byte(`{}`))
+	jsonFile.Close()
+	defer os.RemoveAll(jsonFile.Name())
+
+	store, err := NewReferenceStore(jsonFile.Name())
+	if err != nil {
+		t.Fatalf("error creating tag store: %v", err)
+	}
+
+	testImageID1 := digest.Digest("sha256:9655aef5fd742a1b4e1b7b163aa9f1c76c186304bf39102283d80927c916ca9c")
+	testImageID2 := digest.Digest("sha256:9655aef5fd742a1b4e1b7b163aa9f1c76c186304bf39102283d80927c916ca9d")
+	testImageID3 := digest.Digest("sha256:9655aef5fd742a1b4e1b7b163aa9f1c76c186304bf39102283d80927c916ca9e")
+
+	// Try adding a reference with no tag or digest
+	nameOnly, err := reference.ParseNormalizedNamed("username/repo")
+	if err != nil {
+		t.Fatalf("could not parse reference: %v", err)
+	}
+	if err = store.AddTag(nameOnly, testImageID1, false); err != nil {
+		t.Fatalf("error adding to store: %v", err)
+	}
+
+	// Add a few references
+	ref1, err := reference.ParseNormalizedNamed("username/repo1:latest")
+	if err != nil {
+		t.Fatalf("could not parse reference: %v", err)
+	}
+	if err = store.AddTag(ref1, testImageID1, false); err != nil {
+		t.Fatalf("error adding to store: %v", err)
+	}
+
+	ref2, err := reference.ParseNormalizedNamed("username/repo1:old")
+	if err != nil {
+		t.Fatalf("could not parse reference: %v", err)
+	}
+	if err = store.AddTag(ref2, testImageID2, false); err != nil {
+		t.Fatalf("error adding to store: %v", err)
+	}
+
+	ref3, err := reference.ParseNormalizedNamed("username/repo1:alias")
+	if err != nil {
+		t.Fatalf("could not parse reference: %v", err)
+	}
+	if err = store.AddTag(ref3, testImageID1, false); err != nil {
+		t.Fatalf("error adding to store: %v", err)
+	}
+
+	ref4, err := reference.ParseNormalizedNamed("username/repo2:latest")
+	if err != nil {
+		t.Fatalf("could not parse reference: %v", err)
+	}
+	if err = store.AddTag(ref4, testImageID2, false); err != nil {
+		t.Fatalf("error adding to store: %v", err)
+	}
+
+	ref5, err := reference.ParseNormalizedNamed("username/repo3@sha256:58153dfb11794fad694460162bf0cb0a4fa710cfa3f60979c177d920813e267c")
+	if err != nil {
+		t.Fatalf("could not parse reference: %v", err)
+	}
+	if err = store.AddDigest(ref5.(reference.Canonical), testImageID2, false); err != nil {
+		t.Fatalf("error adding to store: %v", err)
+	}
+
+	// Attempt to overwrite with force == false
+	if err = store.AddTag(ref4, testImageID3, false); err == nil || !strings.HasPrefix(err.Error(), "Conflict:") {
+		t.Fatalf("did not get expected error on overwrite attempt - got %v", err)
+	}
+	// Repeat to overwrite with force == true
+	if err = store.AddTag(ref4, testImageID3, true); err != nil {
+		t.Fatalf("failed to force tag overwrite: %v", err)
+	}
+
+	// Check references so far
+	id, err := store.Get(nameOnly)
+	if err != nil {
+		t.Fatalf("Get returned error: %v", err)
+	}
+	if id != testImageID1 {
+		t.Fatalf("id mismatch: got %s instead of %s", id.String(), testImageID1.String())
+	}
+
+	id, err = store.Get(ref1)
+	if err != nil {
+		t.Fatalf("Get returned error: %v", err)
+	}
+	if id != testImageID1 {
+		t.Fatalf("id mismatch: got %s instead of %s", id.String(), testImageID1.String())
+	}
+
+	id, err = store.Get(ref2)
+	if err != nil {
+		t.Fatalf("Get returned error: %v", err)
+	}
+	if id != testImageID2 {
+		t.Fatalf("id mismatch: got %s instead of %s", id.String(), testImageID2.String())
+	}
+
+	id, err = store.Get(ref3)
+	if err != nil {
+		t.Fatalf("Get returned error: %v", err)
+	}
+	if id != testImageID1 {
+		t.Fatalf("id mismatch: got %s instead of %s", id.String(), testImageID1.String())
+	}
+
+	id, err = store.Get(ref4)
+	if err != nil {
+		t.Fatalf("Get returned error: %v", err)
+	}
+	if id != testImageID3 {
+		t.Fatalf("id mismatch: got %s instead of %s", id.String(), testImageID3.String())
+	}
+
+	id, err = store.Get(ref5)
+	if err != nil {
+		t.Fatalf("Get returned error: %v", err)
+	}
+	if id != testImageID2 {
+		t.Fatalf("id mismatch: got %s instead of %s", id.String(), testImageID3.String())
+	}
+
+	// Get should return ErrDoesNotExist for a nonexistent repo
+	nonExistRepo, err := reference.ParseNormalizedNamed("username/nonexistrepo:latest")
+	if err != nil {
+		t.Fatalf("could not parse reference: %v", err)
+	}
+	if _, err = store.Get(nonExistRepo); err != ErrDoesNotExist {
+		t.Fatal("Expected ErrDoesNotExist from Get")
+	}
+
+	// Get should return ErrDoesNotExist for a nonexistent tag
+	nonExistTag, err := reference.ParseNormalizedNamed("username/repo1:nonexist")
+	if err != nil {
+		t.Fatalf("could not parse reference: %v", err)
+	}
+	if _, err = store.Get(nonExistTag); err != ErrDoesNotExist {
+		t.Fatal("Expected ErrDoesNotExist from Get")
+	}
+
+	// Check References
+	refs := store.References(testImageID1)
+	if len(refs) != 3 {
+		t.Fatal("unexpected number of references")
+	}
+	// Looking for the references in this order verifies that they are
+	// returned lexically sorted.
+	if refs[0].String() != ref3.String() {
+		t.Fatalf("unexpected reference: %v", refs[0].String())
+	}
+	if refs[1].String() != ref1.String() {
+		t.Fatalf("unexpected reference: %v", refs[1].String())
+	}
+	if refs[2].String() != nameOnly.String()+":latest" {
+		t.Fatalf("unexpected reference: %v", refs[2].String())
+	}
+
+	// Check ReferencesByName
+	repoName, err := reference.ParseNormalizedNamed("username/repo1")
+	if err != nil {
+		t.Fatalf("could not parse reference: %v", err)
+	}
+	associations := store.ReferencesByName(repoName)
+	if len(associations) != 3 {
+		t.Fatal("unexpected number of associations")
+	}
+	// Looking for the associations in this order verifies that they are
+	// returned lexically sorted.
+	if associations[0].Ref.String() != ref3.String() {
+		t.Fatalf("unexpected reference: %v", associations[0].Ref.String())
+	}
+	if associations[0].ID != testImageID1 {
+		t.Fatalf("unexpected reference: %v", associations[0].Ref.String())
+	}
+	if associations[1].Ref.String() != ref1.String() {
+		t.Fatalf("unexpected reference: %v", associations[1].Ref.String())
+	}
+	if associations[1].ID != testImageID1 {
+		t.Fatalf("unexpected reference: %v", associations[1].Ref.String())
+	}
+	if associations[2].Ref.String() != ref2.String() {
+		t.Fatalf("unexpected reference: %v", associations[2].Ref.String())
+	}
+	if associations[2].ID != testImageID2 {
+		t.Fatalf("unexpected reference: %v", associations[2].Ref.String())
+	}
+
+	// Delete should return ErrDoesNotExist for a nonexistent repo
+	if _, err = store.Delete(nonExistRepo); err != ErrDoesNotExist {
+		t.Fatal("Expected ErrDoesNotExist from Delete")
+	}
+
+	// Delete should return ErrDoesNotExist for a nonexistent tag
+	if _, err = store.Delete(nonExistTag); err != ErrDoesNotExist {
+		t.Fatal("Expected ErrDoesNotExist from Delete")
+	}
+
+	// Delete a few references
+	if deleted, err := store.Delete(ref1); err != nil || !deleted {
+		t.Fatal("Delete failed")
+	}
+	if _, err := store.Get(ref1); err != ErrDoesNotExist {
+		t.Fatal("Expected ErrDoesNotExist from Get")
+	}
+	if deleted, err := store.Delete(ref5); err != nil || !deleted {
+		t.Fatal("Delete failed")
+	}
+	if _, err := store.Get(ref5); err != ErrDoesNotExist {
+		t.Fatal("Expected ErrDoesNotExist from Get")
+	}
+	if deleted, err := store.Delete(nameOnly); err != nil || !deleted {
+		t.Fatal("Delete failed")
+	}
+	if _, err := store.Get(nameOnly); err != ErrDoesNotExist {
+		t.Fatal("Expected ErrDoesNotExist from Get")
+	}
+}
+
+func TestInvalidTags(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("", "tag-store-test")
+	assert.NilError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	store, err := NewReferenceStore(filepath.Join(tmpDir, "repositories.json"))
+	assert.NilError(t, err)
+	id := digest.Digest("sha256:470022b8af682154f57a2163d030eb369549549cba00edc69e1b99b46bb924d6")
+
+	// sha256 as repo name
+	ref, err := reference.ParseNormalizedNamed("sha256:abc")
+	assert.NilError(t, err)
+	err = store.AddTag(ref, id, true)
+	assert.Check(t, is.ErrorContains(err, ""))
+
+	// setting digest as a tag
+	ref, err = reference.ParseNormalizedNamed("registry@sha256:367eb40fd0330a7e464777121e39d2f5b3e8e23a1e159342e53ab05c9e4d94e6")
+	assert.NilError(t, err)
+
+	err = store.AddTag(ref, id, true)
+	assert.Check(t, is.ErrorContains(err, ""))
+}
diff --git a/engine/registry/auth.go b/engine/registry/auth.go
new file mode 100644
index 00000000..1f2043a0
--- /dev/null
+++ b/engine/registry/auth.go
@@ -0,0 +1,296 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/distribution/registry/client/auth/challenge"
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	// AuthClientID is used the ClientID used for the token server
+	AuthClientID = "docker"
+)
+
+// loginV1 tries to register/login to the v1 registry server.
+func loginV1(authConfig *types.AuthConfig, apiEndpoint APIEndpoint, userAgent string) (string, string, error) {
+	registryEndpoint := apiEndpoint.ToV1Endpoint(userAgent, nil)
+	serverAddress := registryEndpoint.String()
+
+	logrus.Debugf("attempting v1 login to registry endpoint %s", serverAddress)
+
+	if serverAddress == "" {
+		return "", "", errdefs.System(errors.New("server Error: Server Address not set"))
+	}
+
+	req, err := http.NewRequest("GET", serverAddress+"users/", nil)
+	if err != nil {
+		return "", "", err
+	}
+	req.SetBasicAuth(authConfig.Username, authConfig.Password)
+	resp, err := registryEndpoint.client.Do(req)
+	if err != nil {
+		// fallback when request could not be completed
+		return "", "", fallbackError{
+			err: err,
+		}
+	}
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", "", errdefs.System(err)
+	}
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		return "Login Succeeded", "", nil
+	case http.StatusUnauthorized:
+		return "", "", errdefs.Unauthorized(errors.New("Wrong login/password, please try again"))
+	case http.StatusForbidden:
+		// *TODO: Use registry configuration to determine what this says, if anything?
+		return "", "", errdefs.Forbidden(errors.Errorf("Login: Account is not active. Please see the documentation of the registry %s for instructions how to activate it.", serverAddress))
+	case http.StatusInternalServerError:
+		logrus.Errorf("%s returned status code %d. Response Body :\n%s", req.URL.String(), resp.StatusCode, body)
+		return "", "", errdefs.System(errors.New("Internal Server Error"))
+	}
+	return "", "", errdefs.System(errors.Errorf("Login: %s (Code: %d; Headers: %s)", body,
+		resp.StatusCode, resp.Header))
+}
+
+type loginCredentialStore struct {
+	authConfig *types.AuthConfig
+}
+
+func (lcs loginCredentialStore) Basic(*url.URL) (string, string) {
+	return lcs.authConfig.Username, lcs.authConfig.Password
+}
+
+func (lcs loginCredentialStore) RefreshToken(*url.URL, string) string {
+	return lcs.authConfig.IdentityToken
+}
+
+func (lcs loginCredentialStore) SetRefreshToken(u *url.URL, service, token string) {
+	lcs.authConfig.IdentityToken = token
+}
+
+type staticCredentialStore struct {
+	auth *types.AuthConfig
+}
+
+// NewStaticCredentialStore returns a credential store
+// which always returns the same credential values.
+func NewStaticCredentialStore(auth *types.AuthConfig) auth.CredentialStore {
+	return staticCredentialStore{
+		auth: auth,
+	}
+}
+
+func (scs staticCredentialStore) Basic(*url.URL) (string, string) {
+	if scs.auth == nil {
+		return "", ""
+	}
+	return scs.auth.Username, scs.auth.Password
+}
+
+func (scs staticCredentialStore) RefreshToken(*url.URL, string) string {
+	if scs.auth == nil {
+		return ""
+	}
+	return scs.auth.IdentityToken
+}
+
+func (scs staticCredentialStore) SetRefreshToken(*url.URL, string, string) {
+}
+
+type fallbackError struct {
+	err error
+}
+
+func (err fallbackError) Error() string {
+	return err.err.Error()
+}
+
+// loginV2 tries to login to the v2 registry server. The given registry
+// endpoint will be pinged to get authorization challenges. These challenges
+// will be used to authenticate against the registry to validate credentials.
+func loginV2(authConfig *types.AuthConfig, endpoint APIEndpoint, userAgent string) (string, string, error) {
+	logrus.Debugf("attempting v2 login to registry endpoint %s", strings.TrimRight(endpoint.URL.String(), "/")+"/v2/")
+
+	modifiers := Headers(userAgent, nil)
+	authTransport := transport.NewTransport(NewTransport(endpoint.TLSConfig), modifiers...)
+
+	credentialAuthConfig := *authConfig
+	creds := loginCredentialStore{
+		authConfig: &credentialAuthConfig,
+	}
+
+	loginClient, foundV2, err := v2AuthHTTPClient(endpoint.URL, authTransport, modifiers, creds, nil)
+	if err != nil {
+		return "", "", err
+	}
+
+	endpointStr := strings.TrimRight(endpoint.URL.String(), "/") + "/v2/"
+	req, err := http.NewRequest("GET", endpointStr, nil)
+	if err != nil {
+		if !foundV2 {
+			err = fallbackError{err: err}
+		}
+		return "", "", err
+	}
+
+	resp, err := loginClient.Do(req)
+	if err != nil {
+		err = translateV2AuthError(err)
+		if !foundV2 {
+			err = fallbackError{err: err}
+		}
+
+		return "", "", err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		return "Login Succeeded", credentialAuthConfig.IdentityToken, nil
+	}
+
+	// TODO(dmcgowan): Attempt to further interpret result, status code and error code string
+	err = errors.Errorf("login attempt to %s failed with status: %d %s", endpointStr, resp.StatusCode, http.StatusText(resp.StatusCode))
+	if !foundV2 {
+		err = fallbackError{err: err}
+	}
+	return "", "", err
+}
+
+func v2AuthHTTPClient(endpoint *url.URL, authTransport http.RoundTripper, modifiers []transport.RequestModifier, creds auth.CredentialStore, scopes []auth.Scope) (*http.Client, bool, error) {
+	challengeManager, foundV2, err := PingV2Registry(endpoint, authTransport)
+	if err != nil {
+		if !foundV2 {
+			err = fallbackError{err: err}
+		}
+		return nil, foundV2, err
+	}
+
+	tokenHandlerOptions := auth.TokenHandlerOptions{
+		Transport:     authTransport,
+		Credentials:   creds,
+		OfflineAccess: true,
+		ClientID:      AuthClientID,
+		Scopes:        scopes,
+	}
+	tokenHandler := auth.NewTokenHandlerWithOptions(tokenHandlerOptions)
+	basicHandler := auth.NewBasicHandler(creds)
+	modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
+	tr := transport.NewTransport(authTransport, modifiers...)
+
+	return &http.Client{
+		Transport: tr,
+		Timeout:   15 * time.Second,
+	}, foundV2, nil
+
+}
+
+// ConvertToHostname converts a registry url which has http|https prepended
+// to just an hostname.
+func ConvertToHostname(url string) string {
+	stripped := url
+	if strings.HasPrefix(url, "http://") {
+		stripped = strings.TrimPrefix(url, "http://")
+	} else if strings.HasPrefix(url, "https://") {
+		stripped = strings.TrimPrefix(url, "https://")
+	}
+
+	nameParts := strings.SplitN(stripped, "/", 2)
+
+	return nameParts[0]
+}
+
+// ResolveAuthConfig matches an auth configuration to a server address or a URL
+func ResolveAuthConfig(authConfigs map[string]types.AuthConfig, index *registrytypes.IndexInfo) types.AuthConfig {
+	configKey := GetAuthConfigKey(index)
+	// First try the happy case
+	if c, found := authConfigs[configKey]; found || index.Official {
+		return c
+	}
+
+	// Maybe they have a legacy config file, we will iterate the keys converting
+	// them to the new format and testing
+	for registry, ac := range authConfigs {
+		if configKey == ConvertToHostname(registry) {
+			return ac
+		}
+	}
+
+	// When all else fails, return an empty auth config
+	return types.AuthConfig{}
+}
+
+// PingResponseError is used when the response from a ping
+// was received but invalid.
+type PingResponseError struct {
+	Err error
+}
+
+func (err PingResponseError) Error() string {
+	return err.Err.Error()
+}
+
+// PingV2Registry attempts to ping a v2 registry and on success return a
+// challenge manager for the supported authentication types and
+// whether v2 was confirmed by the response. If a response is received but
+// cannot be interpreted a PingResponseError will be returned.
+// nolint: interfacer
+func PingV2Registry(endpoint *url.URL, transport http.RoundTripper) (challenge.Manager, bool, error) {
+	var (
+		foundV2   = false
+		v2Version = auth.APIVersion{
+			Type:    "registry",
+			Version: "2.0",
+		}
+	)
+
+	pingClient := &http.Client{
+		Transport: transport,
+		Timeout:   15 * time.Second,
+	}
+	endpointStr := strings.TrimRight(endpoint.String(), "/") + "/v2/"
+	req, err := http.NewRequest("GET", endpointStr, nil)
+	if err != nil {
+		return nil, false, err
+	}
+	resp, err := pingClient.Do(req)
+	if err != nil {
+		return nil, false, err
+	}
+	defer resp.Body.Close()
+
+	versions := auth.APIVersions(resp, DefaultRegistryVersionHeader)
+	for _, pingVersion := range versions {
+		if pingVersion == v2Version {
+			// The version header indicates we're definitely
+			// talking to a v2 registry. So don't allow future
+			// fallbacks to the v1 protocol.
+
+			foundV2 = true
+			break
+		}
+	}
+
+	challengeManager := challenge.NewSimpleManager()
+	if err := challengeManager.AddResponse(resp); err != nil {
+		return nil, foundV2, PingResponseError{
+			Err: err,
+		}
+	}
+
+	return challengeManager, foundV2, nil
+}
diff --git a/engine/registry/auth_test.go b/engine/registry/auth_test.go
new file mode 100644
index 00000000..f8f3e199
--- /dev/null
+++ b/engine/registry/auth_test.go
@@ -0,0 +1,120 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+)
+
+func buildAuthConfigs() map[string]types.AuthConfig {
+	authConfigs := map[string]types.AuthConfig{}
+
+	for _, registry := range []string{"testIndex", IndexServer} {
+		authConfigs[registry] = types.AuthConfig{
+			Username: "docker-user",
+			Password: "docker-pass",
+		}
+	}
+
+	return authConfigs
+}
+
+func TestSameAuthDataPostSave(t *testing.T) {
+	authConfigs := buildAuthConfigs()
+	authConfig := authConfigs["testIndex"]
+	if authConfig.Username != "docker-user" {
+		t.Fail()
+	}
+	if authConfig.Password != "docker-pass" {
+		t.Fail()
+	}
+	if authConfig.Auth != "" {
+		t.Fail()
+	}
+}
+
+func TestResolveAuthConfigIndexServer(t *testing.T) {
+	authConfigs := buildAuthConfigs()
+	indexConfig := authConfigs[IndexServer]
+
+	officialIndex := &registrytypes.IndexInfo{
+		Official: true,
+	}
+	privateIndex := &registrytypes.IndexInfo{
+		Official: false,
+	}
+
+	resolved := ResolveAuthConfig(authConfigs, officialIndex)
+	assertEqual(t, resolved, indexConfig, "Expected ResolveAuthConfig to return IndexServer")
+
+	resolved = ResolveAuthConfig(authConfigs, privateIndex)
+	assertNotEqual(t, resolved, indexConfig, "Expected ResolveAuthConfig to not return IndexServer")
+}
+
+func TestResolveAuthConfigFullURL(t *testing.T) {
+	authConfigs := buildAuthConfigs()
+
+	registryAuth := types.AuthConfig{
+		Username: "foo-user",
+		Password: "foo-pass",
+	}
+	localAuth := types.AuthConfig{
+		Username: "bar-user",
+		Password: "bar-pass",
+	}
+	officialAuth := types.AuthConfig{
+		Username: "baz-user",
+		Password: "baz-pass",
+	}
+	authConfigs[IndexServer] = officialAuth
+
+	expectedAuths := map[string]types.AuthConfig{
+		"registry.example.com": registryAuth,
+		"localhost:8000":       localAuth,
+		"registry.com":         localAuth,
+	}
+
+	validRegistries := map[string][]string{
+		"registry.example.com": {
+			"https://registry.example.com/v1/",
+			"http://registry.example.com/v1/",
+			"registry.example.com",
+			"registry.example.com/v1/",
+		},
+		"localhost:8000": {
+			"https://localhost:8000/v1/",
+			"http://localhost:8000/v1/",
+			"localhost:8000",
+			"localhost:8000/v1/",
+		},
+		"registry.com": {
+			"https://registry.com/v1/",
+			"http://registry.com/v1/",
+			"registry.com",
+			"registry.com/v1/",
+		},
+	}
+
+	for configKey, registries := range validRegistries {
+		configured, ok := expectedAuths[configKey]
+		if !ok {
+			t.Fail()
+		}
+		index := &registrytypes.IndexInfo{
+			Name: configKey,
+		}
+		for _, registry := range registries {
+			authConfigs[registry] = configured
+			resolved := ResolveAuthConfig(authConfigs, index)
+			if resolved.Username != configured.Username || resolved.Password != configured.Password {
+				t.Errorf("%s -> %v != %v\n", registry, resolved, configured)
+			}
+			delete(authConfigs, registry)
+			resolved = ResolveAuthConfig(authConfigs, index)
+			if resolved.Username == configured.Username || resolved.Password == configured.Password {
+				t.Errorf("%s -> %v == %v\n", registry, resolved, configured)
+			}
+		}
+	}
+}
diff --git a/engine/registry/config.go b/engine/registry/config.go
new file mode 100644
index 00000000..de5a526b
--- /dev/null
+++ b/engine/registry/config.go
@@ -0,0 +1,442 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/docker/distribution/reference"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// ServiceOptions holds command line options.
+type ServiceOptions struct {
+	AllowNondistributableArtifacts []string `json:"allow-nondistributable-artifacts,omitempty"`
+	Mirrors                        []string `json:"registry-mirrors,omitempty"`
+	InsecureRegistries             []string `json:"insecure-registries,omitempty"`
+
+	// V2Only controls access to legacy registries.  If it is set to true via the
+	// command line flag the daemon will not attempt to contact v1 legacy registries
+	V2Only bool `json:"disable-legacy-registry,omitempty"`
+}
+
+// serviceConfig holds daemon configuration for the registry service.
+type serviceConfig struct {
+	registrytypes.ServiceConfig
+	V2Only bool
+}
+
+var (
+	// DefaultNamespace is the default namespace
+	DefaultNamespace = "docker.io"
+	// DefaultRegistryVersionHeader is the name of the default HTTP header
+	// that carries Registry version info
+	DefaultRegistryVersionHeader = "Docker-Distribution-Api-Version"
+
+	// IndexHostname is the index hostname
+	IndexHostname = "index.docker.io"
+	// IndexServer is used for user auth and image search
+	IndexServer = "https://" + IndexHostname + "/v1/"
+	// IndexName is the name of the index
+	IndexName = "docker.io"
+
+	// DefaultV2Registry is the URI of the default v2 registry
+	DefaultV2Registry = &url.URL{
+		Scheme: "https",
+		Host:   "registry-1.docker.io",
+	}
+)
+
+var (
+	// ErrInvalidRepositoryName is an error returned if the repository name did
+	// not have the correct form
+	ErrInvalidRepositoryName = errors.New("Invalid repository name (ex: \"registry.domain.tld/myrepos\")")
+
+	emptyServiceConfig, _ = newServiceConfig(ServiceOptions{})
+)
+
+var (
+	validHostPortRegex = regexp.MustCompile(`^` + reference.DomainRegexp.String() + `$`)
+)
+
+// for mocking in unit tests
+var lookupIP = net.LookupIP
+
+// newServiceConfig returns a new instance of ServiceConfig
+func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
+	config := &serviceConfig{
+		ServiceConfig: registrytypes.ServiceConfig{
+			InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0),
+			IndexConfigs:          make(map[string]*registrytypes.IndexInfo),
+			// Hack: Bypass setting the mirrors to IndexConfigs since they are going away
+			// and Mirrors are only for the official registry anyways.
+		},
+		V2Only: options.V2Only,
+	}
+	if err := config.LoadAllowNondistributableArtifacts(options.AllowNondistributableArtifacts); err != nil {
+		return nil, err
+	}
+	if err := config.LoadMirrors(options.Mirrors); err != nil {
+		return nil, err
+	}
+	if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil {
+		return nil, err
+	}
+
+	return config, nil
+}
+
+// LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config.
+func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error {
+	cidrs := map[string]*registrytypes.NetIPNet{}
+	hostnames := map[string]bool{}
+
+	for _, r := range registries {
+		if _, err := ValidateIndexName(r); err != nil {
+			return err
+		}
+		if validateNoScheme(r) != nil {
+			return fmt.Errorf("allow-nondistributable-artifacts registry %s should not contain '://'", r)
+		}
+
+		if _, ipnet, err := net.ParseCIDR(r); err == nil {
+			// Valid CIDR.
+			cidrs[ipnet.String()] = (*registrytypes.NetIPNet)(ipnet)
+		} else if err := validateHostPort(r); err == nil {
+			// Must be `host:port` if not CIDR.
+			hostnames[r] = true
+		} else {
+			return fmt.Errorf("allow-nondistributable-artifacts registry %s is not valid: %v", r, err)
+		}
+	}
+
+	config.AllowNondistributableArtifactsCIDRs = make([]*(registrytypes.NetIPNet), 0)
+	for _, c := range cidrs {
+		config.AllowNondistributableArtifactsCIDRs = append(config.AllowNondistributableArtifactsCIDRs, c)
+	}
+
+	config.AllowNondistributableArtifactsHostnames = make([]string, 0)
+	for h := range hostnames {
+		config.AllowNondistributableArtifactsHostnames = append(config.AllowNondistributableArtifactsHostnames, h)
+	}
+
+	return nil
+}
+
+// LoadMirrors loads mirrors to config, after removing duplicates.
+// Returns an error if mirrors contains an invalid mirror.
+func (config *serviceConfig) LoadMirrors(mirrors []string) error {
+	mMap := map[string]struct{}{}
+	unique := []string{}
+
+	for _, mirror := range mirrors {
+		m, err := ValidateMirror(mirror)
+		if err != nil {
+			return err
+		}
+		if _, exist := mMap[m]; !exist {
+			mMap[m] = struct{}{}
+			unique = append(unique, m)
+		}
+	}
+
+	config.Mirrors = unique
+
+	// Configure public registry since mirrors may have changed.
+	config.IndexConfigs[IndexName] = &registrytypes.IndexInfo{
+		Name:     IndexName,
+		Mirrors:  config.Mirrors,
+		Secure:   true,
+		Official: true,
+	}
+
+	return nil
+}
+
+// LoadInsecureRegistries loads insecure registries to config
+func (config *serviceConfig) LoadInsecureRegistries(registries []string) error {
+	// Localhost is by default considered as an insecure registry
+	// This is a stop-gap for people who are running a private registry on localhost (especially on Boot2docker).
+	//
+	// TODO: should we deprecate this once it is easier for people to set up a TLS registry or change
+	// daemon flags on boot2docker?
+	registries = append(registries, "127.0.0.0/8")
+
+	// Store original InsecureRegistryCIDRs and IndexConfigs
+	// Clean InsecureRegistryCIDRs and IndexConfigs in config, as passed registries has all insecure registry info.
+	originalCIDRs := config.ServiceConfig.InsecureRegistryCIDRs
+	originalIndexInfos := config.ServiceConfig.IndexConfigs
+
+	config.ServiceConfig.InsecureRegistryCIDRs = make([]*registrytypes.NetIPNet, 0)
+	config.ServiceConfig.IndexConfigs = make(map[string]*registrytypes.IndexInfo)
+
+skip:
+	for _, r := range registries {
+		// validate insecure registry
+		if _, err := ValidateIndexName(r); err != nil {
+			// before returning err, roll back to original data
+			config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs
+			config.ServiceConfig.IndexConfigs = originalIndexInfos
+			return err
+		}
+		if strings.HasPrefix(strings.ToLower(r), "http://") {
+			logrus.Warnf("insecure registry %s should not contain 'http://' and 'http://' has been removed from the insecure registry config", r)
+			r = r[7:]
+		} else if strings.HasPrefix(strings.ToLower(r), "https://") {
+			logrus.Warnf("insecure registry %s should not contain 'https://' and 'https://' has been removed from the insecure registry config", r)
+			r = r[8:]
+		} else if validateNoScheme(r) != nil {
+			// Insecure registry should not contain '://'
+			// before returning err, roll back to original data
+			config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs
+			config.ServiceConfig.IndexConfigs = originalIndexInfos
+			return fmt.Errorf("insecure registry %s should not contain '://'", r)
+		}
+		// Check if CIDR was passed to --insecure-registry
+		_, ipnet, err := net.ParseCIDR(r)
+		if err == nil {
+			// Valid CIDR. If ipnet is already in config.InsecureRegistryCIDRs, skip.
+			data := (*registrytypes.NetIPNet)(ipnet)
+			for _, value := range config.InsecureRegistryCIDRs {
+				if value.IP.String() == data.IP.String() && value.Mask.String() == data.Mask.String() {
+					continue skip
+				}
+			}
+			// ipnet is not found, add it in config.InsecureRegistryCIDRs
+			config.InsecureRegistryCIDRs = append(config.InsecureRegistryCIDRs, data)
+
+		} else {
+			if err := validateHostPort(r); err != nil {
+				config.ServiceConfig.InsecureRegistryCIDRs = originalCIDRs
+				config.ServiceConfig.IndexConfigs = originalIndexInfos
+				return fmt.Errorf("insecure registry %s is not valid: %v", r, err)
+
+			}
+			// Assume `host:port` if not CIDR.
+			config.IndexConfigs[r] = &registrytypes.IndexInfo{
+				Name:     r,
+				Mirrors:  make([]string, 0),
+				Secure:   false,
+				Official: false,
+			}
+		}
+	}
+
+	// Configure public registry.
+	config.IndexConfigs[IndexName] = &registrytypes.IndexInfo{
+		Name:     IndexName,
+		Mirrors:  config.Mirrors,
+		Secure:   true,
+		Official: true,
+	}
+
+	return nil
+}
+
+// allowNondistributableArtifacts returns true if the provided hostname is part of the list of registries
+// that allow push of nondistributable artifacts.
+//
+// The list can contain elements with CIDR notation to specify a whole subnet. If the subnet contains an IP
+// of the registry specified by hostname, true is returned.
+//
+// hostname should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
+// or an IP address. If it is a domain name, then it will be resolved to IP addresses for matching. If
+// resolution fails, CIDR matching is not performed.
+func allowNondistributableArtifacts(config *serviceConfig, hostname string) bool {
+	for _, h := range config.AllowNondistributableArtifactsHostnames {
+		if h == hostname {
+			return true
+		}
+	}
+
+	return isCIDRMatch(config.AllowNondistributableArtifactsCIDRs, hostname)
+}
+
+// isSecureIndex returns false if the provided indexName is part of the list of insecure registries
+// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
+//
+// The list of insecure registries can contain an element with CIDR notation to specify a whole subnet.
+// If the subnet contains one of the IPs of the registry specified by indexName, the latter is considered
+// insecure.
+//
+// indexName should be a URL.Host (`host:port` or `host`) where the `host` part can be either a domain name
+// or an IP address. If it is a domain name, then it will be resolved in order to check if the IP is contained
+// in a subnet. If the resolving is not successful, isSecureIndex will only try to match hostname to any element
+// of insecureRegistries.
+func isSecureIndex(config *serviceConfig, indexName string) bool {
+	// Check for configured index, first.  This is needed in case isSecureIndex
+	// is called from anything besides newIndexInfo, in order to honor per-index configurations.
+	if index, ok := config.IndexConfigs[indexName]; ok {
+		return index.Secure
+	}
+
+	return !isCIDRMatch(config.InsecureRegistryCIDRs, indexName)
+}
+
+// isCIDRMatch returns true if URLHost matches an element of cidrs. URLHost is a URL.Host (`host:port` or `host`)
+// where the `host` part can be either a domain name or an IP address. If it is a domain name, then it will be
+// resolved to IP addresses for matching. If resolution fails, false is returned.
+func isCIDRMatch(cidrs []*registrytypes.NetIPNet, URLHost string) bool {
+	host, _, err := net.SplitHostPort(URLHost)
+	if err != nil {
+		// Assume URLHost is of the form `host` without the port and go on.
+		host = URLHost
+	}
+
+	addrs, err := lookupIP(host)
+	if err != nil {
+		ip := net.ParseIP(host)
+		if ip != nil {
+			addrs = []net.IP{ip}
+		}
+
+		// if ip == nil, then `host` is neither an IP nor it could be looked up,
+		// either because the index is unreachable, or because the index is behind an HTTP proxy.
+		// So, len(addrs) == 0 and we're not aborting.
+	}
+
+	// Try CIDR notation only if addrs has any elements, i.e. if `host`'s IP could be determined.
+	for _, addr := range addrs {
+		for _, ipnet := range cidrs {
+			// check if the addr falls in the subnet
+			if (*net.IPNet)(ipnet).Contains(addr) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+// ValidateMirror validates an HTTP(S) registry mirror
+func ValidateMirror(val string) (string, error) {
+	uri, err := url.Parse(val)
+	if err != nil {
+		return "", fmt.Errorf("invalid mirror: %q is not a valid URI", val)
+	}
+	if uri.Scheme != "http" && uri.Scheme != "https" {
+		return "", fmt.Errorf("invalid mirror: unsupported scheme %q in %q", uri.Scheme, uri)
+	}
+	if (uri.Path != "" && uri.Path != "/") || uri.RawQuery != "" || uri.Fragment != "" {
+		return "", fmt.Errorf("invalid mirror: path, query, or fragment at end of the URI %q", uri)
+	}
+	if uri.User != nil {
+		// strip password from output
+		uri.User = url.UserPassword(uri.User.Username(), "xxxxx")
+		return "", fmt.Errorf("invalid mirror: username/password not allowed in URI %q", uri)
+	}
+	return strings.TrimSuffix(val, "/") + "/", nil
+}
+
+// ValidateIndexName validates an index name.
+func ValidateIndexName(val string) (string, error) {
+	// TODO: upstream this to check to reference package
+	if val == "index.docker.io" {
+		val = "docker.io"
+	}
+	if strings.HasPrefix(val, "-") || strings.HasSuffix(val, "-") {
+		return "", fmt.Errorf("invalid index name (%s). Cannot begin or end with a hyphen", val)
+	}
+	return val, nil
+}
+
+func validateNoScheme(reposName string) error {
+	if strings.Contains(reposName, "://") {
+		// It cannot contain a scheme!
+		return ErrInvalidRepositoryName
+	}
+	return nil
+}
+
+func validateHostPort(s string) error {
+	// Split host and port, and in case s can not be splitted, assume host only
+	host, port, err := net.SplitHostPort(s)
+	if err != nil {
+		host = s
+		port = ""
+	}
+	// If match against the `host:port` pattern fails,
+	// it might be `IPv6:port`, which will be captured by net.ParseIP(host)
+	if !validHostPortRegex.MatchString(s) && net.ParseIP(host) == nil {
+		return fmt.Errorf("invalid host %q", host)
+	}
+	if port != "" {
+		v, err := strconv.Atoi(port)
+		if err != nil {
+			return err
+		}
+		if v < 0 || v > 65535 {
+			return fmt.Errorf("invalid port %q", port)
+		}
+	}
+	return nil
+}
+
+// newIndexInfo returns IndexInfo configuration from indexName
+func newIndexInfo(config *serviceConfig, indexName string) (*registrytypes.IndexInfo, error) {
+	var err error
+	indexName, err = ValidateIndexName(indexName)
+	if err != nil {
+		return nil, err
+	}
+
+	// Return any configured index info, first.
+	if index, ok := config.IndexConfigs[indexName]; ok {
+		return index, nil
+	}
+
+	// Construct a non-configured index info.
+	index := &registrytypes.IndexInfo{
+		Name:     indexName,
+		Mirrors:  make([]string, 0),
+		Official: false,
+	}
+	index.Secure = isSecureIndex(config, indexName)
+	return index, nil
+}
+
+// GetAuthConfigKey special-cases using the full index address of the official
+// index as the AuthConfig key, and uses the (host)name[:port] for private indexes.
+func GetAuthConfigKey(index *registrytypes.IndexInfo) string {
+	if index.Official {
+		return IndexServer
+	}
+	return index.Name
+}
+
+// newRepositoryInfo validates and breaks down a repository name into a RepositoryInfo
+func newRepositoryInfo(config *serviceConfig, name reference.Named) (*RepositoryInfo, error) {
+	index, err := newIndexInfo(config, reference.Domain(name))
+	if err != nil {
+		return nil, err
+	}
+	official := !strings.ContainsRune(reference.FamiliarName(name), '/')
+
+	return &RepositoryInfo{
+		Name:     reference.TrimNamed(name),
+		Index:    index,
+		Official: official,
+	}, nil
+}
+
+// ParseRepositoryInfo performs the breakdown of a repository name into a RepositoryInfo, but
+// lacks registry configuration.
+func ParseRepositoryInfo(reposName reference.Named) (*RepositoryInfo, error) {
+	return newRepositoryInfo(emptyServiceConfig, reposName)
+}
+
+// ParseSearchIndexInfo will use repository name to get back an indexInfo.
+func ParseSearchIndexInfo(reposName string) (*registrytypes.IndexInfo, error) {
+	indexName, _ := splitReposSearchTerm(reposName)
+
+	indexInfo, err := newIndexInfo(emptyServiceConfig, indexName)
+	if err != nil {
+		return nil, err
+	}
+	return indexInfo, nil
+}
diff --git a/engine/registry/config_test.go b/engine/registry/config_test.go
new file mode 100644
index 00000000..30a257e3
--- /dev/null
+++ b/engine/registry/config_test.go
@@ -0,0 +1,381 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"reflect"
+	"sort"
+	"strings"
+	"testing"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestLoadAllowNondistributableArtifacts(t *testing.T) {
+	testCases := []struct {
+		registries []string
+		cidrStrs   []string
+		hostnames  []string
+		err        string
+	}{
+		{
+			registries: []string{"1.2.3.0/24"},
+			cidrStrs:   []string{"1.2.3.0/24"},
+		},
+		{
+			registries: []string{"2001:db8::/120"},
+			cidrStrs:   []string{"2001:db8::/120"},
+		},
+		{
+			registries: []string{"127.0.0.1"},
+			hostnames:  []string{"127.0.0.1"},
+		},
+		{
+			registries: []string{"127.0.0.1:8080"},
+			hostnames:  []string{"127.0.0.1:8080"},
+		},
+		{
+			registries: []string{"2001:db8::1"},
+			hostnames:  []string{"2001:db8::1"},
+		},
+		{
+			registries: []string{"[2001:db8::1]:80"},
+			hostnames:  []string{"[2001:db8::1]:80"},
+		},
+		{
+			registries: []string{"[2001:db8::1]:80"},
+			hostnames:  []string{"[2001:db8::1]:80"},
+		},
+		{
+			registries: []string{"1.2.3.0/24", "2001:db8::/120", "127.0.0.1", "127.0.0.1:8080"},
+			cidrStrs:   []string{"1.2.3.0/24", "2001:db8::/120"},
+			hostnames:  []string{"127.0.0.1", "127.0.0.1:8080"},
+		},
+
+		{
+			registries: []string{"http://mytest.com"},
+			err:        "allow-nondistributable-artifacts registry http://mytest.com should not contain '://'",
+		},
+		{
+			registries: []string{"https://mytest.com"},
+			err:        "allow-nondistributable-artifacts registry https://mytest.com should not contain '://'",
+		},
+		{
+			registries: []string{"HTTP://mytest.com"},
+			err:        "allow-nondistributable-artifacts registry HTTP://mytest.com should not contain '://'",
+		},
+		{
+			registries: []string{"svn://mytest.com"},
+			err:        "allow-nondistributable-artifacts registry svn://mytest.com should not contain '://'",
+		},
+		{
+			registries: []string{"-invalid-registry"},
+			err:        "Cannot begin or end with a hyphen",
+		},
+		{
+			registries: []string{`mytest-.com`},
+			err:        `allow-nondistributable-artifacts registry mytest-.com is not valid: invalid host "mytest-.com"`,
+		},
+		{
+			registries: []string{`1200:0000:AB00:1234:0000:2552:7777:1313:8080`},
+			err:        `allow-nondistributable-artifacts registry 1200:0000:AB00:1234:0000:2552:7777:1313:8080 is not valid: invalid host "1200:0000:AB00:1234:0000:2552:7777:1313:8080"`,
+		},
+		{
+			registries: []string{`mytest.com:500000`},
+			err:        `allow-nondistributable-artifacts registry mytest.com:500000 is not valid: invalid port "500000"`,
+		},
+		{
+			registries: []string{`"mytest.com"`},
+			err:        `allow-nondistributable-artifacts registry "mytest.com" is not valid: invalid host "\"mytest.com\""`,
+		},
+		{
+			registries: []string{`"mytest.com:5000"`},
+			err:        `allow-nondistributable-artifacts registry "mytest.com:5000" is not valid: invalid host "\"mytest.com"`,
+		},
+	}
+	for _, testCase := range testCases {
+		config := emptyServiceConfig
+		err := config.LoadAllowNondistributableArtifacts(testCase.registries)
+		if testCase.err == "" {
+			if err != nil {
+				t.Fatalf("expect no error, got '%s'", err)
+			}
+
+			var cidrStrs []string
+			for _, c := range config.AllowNondistributableArtifactsCIDRs {
+				cidrStrs = append(cidrStrs, c.String())
+			}
+
+			sort.Strings(testCase.cidrStrs)
+			sort.Strings(cidrStrs)
+			if (len(testCase.cidrStrs) > 0 || len(cidrStrs) > 0) && !reflect.DeepEqual(testCase.cidrStrs, cidrStrs) {
+				t.Fatalf("expect AllowNondistributableArtifactsCIDRs to be '%+v', got '%+v'", testCase.cidrStrs, cidrStrs)
+			}
+
+			sort.Strings(testCase.hostnames)
+			sort.Strings(config.AllowNondistributableArtifactsHostnames)
+			if (len(testCase.hostnames) > 0 || len(config.AllowNondistributableArtifactsHostnames) > 0) && !reflect.DeepEqual(testCase.hostnames, config.AllowNondistributableArtifactsHostnames) {
+				t.Fatalf("expect AllowNondistributableArtifactsHostnames to be '%+v', got '%+v'", testCase.hostnames, config.AllowNondistributableArtifactsHostnames)
+			}
+		} else {
+			if err == nil {
+				t.Fatalf("expect error '%s', got no error", testCase.err)
+			}
+			if !strings.Contains(err.Error(), testCase.err) {
+				t.Fatalf("expect error '%s', got '%s'", testCase.err, err)
+			}
+		}
+	}
+}
+
+func TestValidateMirror(t *testing.T) {
+	valid := []string{
+		"http://mirror-1.com",
+		"http://mirror-1.com/",
+		"https://mirror-1.com",
+		"https://mirror-1.com/",
+		"http://localhost",
+		"https://localhost",
+		"http://localhost:5000",
+		"https://localhost:5000",
+		"http://127.0.0.1",
+		"https://127.0.0.1",
+		"http://127.0.0.1:5000",
+		"https://127.0.0.1:5000",
+	}
+
+	invalid := []string{
+		"!invalid!://%as%",
+		"ftp://mirror-1.com",
+		"http://mirror-1.com/?q=foo",
+		"http://mirror-1.com/v1/",
+		"http://mirror-1.com/v1/?q=foo",
+		"http://mirror-1.com/v1/?q=foo#frag",
+		"http://mirror-1.com?q=foo",
+		"https://mirror-1.com#frag",
+		"https://mirror-1.com/#frag",
+		"http://foo:bar@mirror-1.com/",
+		"https://mirror-1.com/v1/",
+		"https://mirror-1.com/v1/#",
+		"https://mirror-1.com?q",
+	}
+
+	for _, address := range valid {
+		if ret, err := ValidateMirror(address); err != nil || ret == "" {
+			t.Errorf("ValidateMirror(`"+address+"`) got %s %s", ret, err)
+		}
+	}
+
+	for _, address := range invalid {
+		if ret, err := ValidateMirror(address); err == nil || ret != "" {
+			t.Errorf("ValidateMirror(`"+address+"`) got %s %s", ret, err)
+		}
+	}
+}
+
+func TestLoadInsecureRegistries(t *testing.T) {
+	testCases := []struct {
+		registries []string
+		index      string
+		err        string
+	}{
+		{
+			registries: []string{"127.0.0.1"},
+			index:      "127.0.0.1",
+		},
+		{
+			registries: []string{"127.0.0.1:8080"},
+			index:      "127.0.0.1:8080",
+		},
+		{
+			registries: []string{"2001:db8::1"},
+			index:      "2001:db8::1",
+		},
+		{
+			registries: []string{"[2001:db8::1]:80"},
+			index:      "[2001:db8::1]:80",
+		},
+		{
+			registries: []string{"http://mytest.com"},
+			index:      "mytest.com",
+		},
+		{
+			registries: []string{"https://mytest.com"},
+			index:      "mytest.com",
+		},
+		{
+			registries: []string{"HTTP://mytest.com"},
+			index:      "mytest.com",
+		},
+		{
+			registries: []string{"svn://mytest.com"},
+			err:        "insecure registry svn://mytest.com should not contain '://'",
+		},
+		{
+			registries: []string{"-invalid-registry"},
+			err:        "Cannot begin or end with a hyphen",
+		},
+		{
+			registries: []string{`mytest-.com`},
+			err:        `insecure registry mytest-.com is not valid: invalid host "mytest-.com"`,
+		},
+		{
+			registries: []string{`1200:0000:AB00:1234:0000:2552:7777:1313:8080`},
+			err:        `insecure registry 1200:0000:AB00:1234:0000:2552:7777:1313:8080 is not valid: invalid host "1200:0000:AB00:1234:0000:2552:7777:1313:8080"`,
+		},
+		{
+			registries: []string{`mytest.com:500000`},
+			err:        `insecure registry mytest.com:500000 is not valid: invalid port "500000"`,
+		},
+		{
+			registries: []string{`"mytest.com"`},
+			err:        `insecure registry "mytest.com" is not valid: invalid host "\"mytest.com\""`,
+		},
+		{
+			registries: []string{`"mytest.com:5000"`},
+			err:        `insecure registry "mytest.com:5000" is not valid: invalid host "\"mytest.com"`,
+		},
+	}
+	for _, testCase := range testCases {
+		config := emptyServiceConfig
+		err := config.LoadInsecureRegistries(testCase.registries)
+		if testCase.err == "" {
+			if err != nil {
+				t.Fatalf("expect no error, got '%s'", err)
+			}
+			match := false
+			for index := range config.IndexConfigs {
+				if index == testCase.index {
+					match = true
+				}
+			}
+			if !match {
+				t.Fatalf("expect index configs to contain '%s', got %+v", testCase.index, config.IndexConfigs)
+			}
+		} else {
+			if err == nil {
+				t.Fatalf("expect error '%s', got no error", testCase.err)
+			}
+			if !strings.Contains(err.Error(), testCase.err) {
+				t.Fatalf("expect error '%s', got '%s'", testCase.err, err)
+			}
+		}
+	}
+}
+
+func TestNewServiceConfig(t *testing.T) {
+	testCases := []struct {
+		opts   ServiceOptions
+		errStr string
+	}{
+		{
+			ServiceOptions{},
+			"",
+		},
+		{
+			ServiceOptions{
+				Mirrors: []string{"example.com:5000"},
+			},
+			`invalid mirror: unsupported scheme "example.com" in "example.com:5000"`,
+		},
+		{
+			ServiceOptions{
+				Mirrors: []string{"http://example.com:5000"},
+			},
+			"",
+		},
+		{
+			ServiceOptions{
+				InsecureRegistries: []string{"[fe80::]/64"},
+			},
+			`insecure registry [fe80::]/64 is not valid: invalid host "[fe80::]/64"`,
+		},
+		{
+			ServiceOptions{
+				InsecureRegistries: []string{"102.10.8.1/24"},
+			},
+			"",
+		},
+		{
+			ServiceOptions{
+				AllowNondistributableArtifacts: []string{"[fe80::]/64"},
+			},
+			`allow-nondistributable-artifacts registry [fe80::]/64 is not valid: invalid host "[fe80::]/64"`,
+		},
+		{
+			ServiceOptions{
+				AllowNondistributableArtifacts: []string{"102.10.8.1/24"},
+			},
+			"",
+		},
+	}
+
+	for _, testCase := range testCases {
+		_, err := newServiceConfig(testCase.opts)
+		if testCase.errStr != "" {
+			assert.Check(t, is.Error(err, testCase.errStr))
+		} else {
+			assert.Check(t, err)
+		}
+	}
+}
+
+func TestValidateIndexName(t *testing.T) {
+	valid := []struct {
+		index  string
+		expect string
+	}{
+		{
+			index:  "index.docker.io",
+			expect: "docker.io",
+		},
+		{
+			index:  "example.com",
+			expect: "example.com",
+		},
+		{
+			index:  "127.0.0.1:8080",
+			expect: "127.0.0.1:8080",
+		},
+		{
+			index:  "mytest-1.com",
+			expect: "mytest-1.com",
+		},
+		{
+			index:  "mirror-1.com/v1/?q=foo",
+			expect: "mirror-1.com/v1/?q=foo",
+		},
+	}
+
+	for _, testCase := range valid {
+		result, err := ValidateIndexName(testCase.index)
+		if assert.Check(t, err) {
+			assert.Check(t, is.Equal(testCase.expect, result))
+		}
+
+	}
+
+}
+
+func TestValidateIndexNameWithError(t *testing.T) {
+	invalid := []struct {
+		index string
+		err   string
+	}{
+		{
+			index: "docker.io-",
+			err:   "invalid index name (docker.io-). Cannot begin or end with a hyphen",
+		},
+		{
+			index: "-example.com",
+			err:   "invalid index name (-example.com). Cannot begin or end with a hyphen",
+		},
+		{
+			index: "mirror-1.com/v1/?q=foo-",
+			err:   "invalid index name (mirror-1.com/v1/?q=foo-). Cannot begin or end with a hyphen",
+		},
+	}
+	for _, testCase := range invalid {
+		_, err := ValidateIndexName(testCase.index)
+		assert.Check(t, is.Error(err, testCase.err))
+	}
+}
diff --git a/engine/registry/config_unix.go b/engine/registry/config_unix.go
new file mode 100644
index 00000000..20fb47bc
--- /dev/null
+++ b/engine/registry/config_unix.go
@@ -0,0 +1,16 @@
+// +build !windows
+
+package registry // import "github.com/docker/docker/registry"
+
+var (
+	// CertsDir is the directory where certificates are stored
+	CertsDir = "/etc/docker/certs.d"
+)
+
+// cleanPath is used to ensure that a directory name is valid on the target
+// platform. It will be passed in something *similar* to a URL such as
+// https:/index.docker.io/v1. Not all platforms support directory names
+// which contain those characters (such as : on Windows)
+func cleanPath(s string) string {
+	return s
+}
diff --git a/engine/registry/config_windows.go b/engine/registry/config_windows.go
new file mode 100644
index 00000000..6de0508f
--- /dev/null
+++ b/engine/registry/config_windows.go
@@ -0,0 +1,18 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// CertsDir is the directory where certificates are stored
+var CertsDir = os.Getenv("programdata") + `\docker\certs.d`
+
+// cleanPath is used to ensure that a directory name is valid on the target
+// platform. It will be passed in something *similar* to a URL such as
+// https:\index.docker.io\v1. Not all platforms support directory names
+// which contain those characters (such as : on Windows)
+func cleanPath(s string) string {
+	return filepath.FromSlash(strings.Replace(s, ":", "", -1))
+}
diff --git a/engine/registry/endpoint_test.go b/engine/registry/endpoint_test.go
new file mode 100644
index 00000000..9268c3a4
--- /dev/null
+++ b/engine/registry/endpoint_test.go
@@ -0,0 +1,78 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+)
+
+func TestEndpointParse(t *testing.T) {
+	testData := []struct {
+		str      string
+		expected string
+	}{
+		{IndexServer, IndexServer},
+		{"http://0.0.0.0:5000/v1/", "http://0.0.0.0:5000/v1/"},
+		{"http://0.0.0.0:5000", "http://0.0.0.0:5000/v1/"},
+		{"0.0.0.0:5000", "https://0.0.0.0:5000/v1/"},
+		{"http://0.0.0.0:5000/nonversion/", "http://0.0.0.0:5000/nonversion/v1/"},
+		{"http://0.0.0.0:5000/v0/", "http://0.0.0.0:5000/v0/v1/"},
+	}
+	for _, td := range testData {
+		e, err := newV1EndpointFromStr(td.str, nil, "", nil)
+		if err != nil {
+			t.Errorf("%q: %s", td.str, err)
+		}
+		if e == nil {
+			t.Logf("something's fishy, endpoint for %q is nil", td.str)
+			continue
+		}
+		if e.String() != td.expected {
+			t.Errorf("expected %q, got %q", td.expected, e.String())
+		}
+	}
+}
+
+func TestEndpointParseInvalid(t *testing.T) {
+	testData := []string{
+		"http://0.0.0.0:5000/v2/",
+	}
+	for _, td := range testData {
+		e, err := newV1EndpointFromStr(td, nil, "", nil)
+		if err == nil {
+			t.Errorf("expected error parsing %q: parsed as %q", td, e)
+		}
+	}
+}
+
+// Ensure that a registry endpoint that responds with a 401 only is determined
+// to be a valid v1 registry endpoint
+func TestValidateEndpoint(t *testing.T) {
+	requireBasicAuthHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Add("WWW-Authenticate", `Basic realm="localhost"`)
+		w.WriteHeader(http.StatusUnauthorized)
+	})
+
+	// Make a test server which should validate as a v1 server.
+	testServer := httptest.NewServer(requireBasicAuthHandler)
+	defer testServer.Close()
+
+	testServerURL, err := url.Parse(testServer.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	testEndpoint := V1Endpoint{
+		URL:    testServerURL,
+		client: HTTPClient(NewTransport(nil)),
+	}
+
+	if err = validateEndpoint(&testEndpoint); err != nil {
+		t.Fatal(err)
+	}
+
+	if testEndpoint.URL.Scheme != "http" {
+		t.Fatalf("expecting to validate endpoint as http, got url %s", testEndpoint.String())
+	}
+}
diff --git a/engine/registry/endpoint_v1.go b/engine/registry/endpoint_v1.go
new file mode 100644
index 00000000..832fdb95
--- /dev/null
+++ b/engine/registry/endpoint_v1.go
@@ -0,0 +1,198 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/docker/distribution/registry/client/transport"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/sirupsen/logrus"
+)
+
+// V1Endpoint stores basic information about a V1 registry endpoint.
+type V1Endpoint struct {
+	client   *http.Client
+	URL      *url.URL
+	IsSecure bool
+}
+
+// NewV1Endpoint parses the given address to return a registry endpoint.
+func NewV1Endpoint(index *registrytypes.IndexInfo, userAgent string, metaHeaders http.Header) (*V1Endpoint, error) {
+	tlsConfig, err := newTLSConfig(index.Name, index.Secure)
+	if err != nil {
+		return nil, err
+	}
+
+	endpoint, err := newV1EndpointFromStr(GetAuthConfigKey(index), tlsConfig, userAgent, metaHeaders)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := validateEndpoint(endpoint); err != nil {
+		return nil, err
+	}
+
+	return endpoint, nil
+}
+
+func validateEndpoint(endpoint *V1Endpoint) error {
+	logrus.Debugf("pinging registry endpoint %s", endpoint)
+
+	// Try HTTPS ping to registry
+	endpoint.URL.Scheme = "https"
+	if _, err := endpoint.Ping(); err != nil {
+		if endpoint.IsSecure {
+			// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
+			// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
+			return fmt.Errorf("invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
+		}
+
+		// If registry is insecure and HTTPS failed, fallback to HTTP.
+		logrus.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
+		endpoint.URL.Scheme = "http"
+
+		var err2 error
+		if _, err2 = endpoint.Ping(); err2 == nil {
+			return nil
+		}
+
+		return fmt.Errorf("invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
+	}
+
+	return nil
+}
+
+func newV1Endpoint(address url.URL, tlsConfig *tls.Config, userAgent string, metaHeaders http.Header) *V1Endpoint {
+	endpoint := &V1Endpoint{
+		IsSecure: tlsConfig == nil || !tlsConfig.InsecureSkipVerify,
+		URL:      new(url.URL),
+	}
+
+	*endpoint.URL = address
+
+	// TODO(tiborvass): make sure a ConnectTimeout transport is used
+	tr := NewTransport(tlsConfig)
+	endpoint.client = HTTPClient(transport.NewTransport(tr, Headers(userAgent, metaHeaders)...))
+	return endpoint
+}
+
+// trimV1Address trims the version off the address and returns the
+// trimmed address or an error if there is a non-V1 version.
+func trimV1Address(address string) (string, error) {
+	var (
+		chunks        []string
+		apiVersionStr string
+	)
+
+	if strings.HasSuffix(address, "/") {
+		address = address[:len(address)-1]
+	}
+
+	chunks = strings.Split(address, "/")
+	apiVersionStr = chunks[len(chunks)-1]
+	if apiVersionStr == "v1" {
+		return strings.Join(chunks[:len(chunks)-1], "/"), nil
+	}
+
+	for k, v := range apiVersions {
+		if k != APIVersion1 && apiVersionStr == v {
+			return "", fmt.Errorf("unsupported V1 version path %s", apiVersionStr)
+		}
+	}
+
+	return address, nil
+}
+
+func newV1EndpointFromStr(address string, tlsConfig *tls.Config, userAgent string, metaHeaders http.Header) (*V1Endpoint, error) {
+	if !strings.HasPrefix(address, "http://") && !strings.HasPrefix(address, "https://") {
+		address = "https://" + address
+	}
+
+	address, err := trimV1Address(address)
+	if err != nil {
+		return nil, err
+	}
+
+	uri, err := url.Parse(address)
+	if err != nil {
+		return nil, err
+	}
+
+	endpoint := newV1Endpoint(*uri, tlsConfig, userAgent, metaHeaders)
+	if err != nil {
+		return nil, err
+	}
+
+	return endpoint, nil
+}
+
+// Get the formatted URL for the root of this registry Endpoint
+func (e *V1Endpoint) String() string {
+	return e.URL.String() + "/v1/"
+}
+
+// Path returns a formatted string for the URL
+// of this endpoint with the given path appended.
+func (e *V1Endpoint) Path(path string) string {
+	return e.URL.String() + "/v1/" + path
+}
+
+// Ping returns a PingResult which indicates whether the registry is standalone or not.
+func (e *V1Endpoint) Ping() (PingResult, error) {
+	logrus.Debugf("attempting v1 ping for registry endpoint %s", e)
+
+	if e.String() == IndexServer {
+		// Skip the check, we know this one is valid
+		// (and we never want to fallback to http in case of error)
+		return PingResult{Standalone: false}, nil
+	}
+
+	req, err := http.NewRequest("GET", e.Path("_ping"), nil)
+	if err != nil {
+		return PingResult{Standalone: false}, err
+	}
+
+	resp, err := e.client.Do(req)
+	if err != nil {
+		return PingResult{Standalone: false}, err
+	}
+
+	defer resp.Body.Close()
+
+	jsonString, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return PingResult{Standalone: false}, fmt.Errorf("error while reading the http response: %s", err)
+	}
+
+	// If the header is absent, we assume true for compatibility with earlier
+	// versions of the registry. default to true
+	info := PingResult{
+		Standalone: true,
+	}
+	if err := json.Unmarshal(jsonString, &info); err != nil {
+		logrus.Debugf("Error unmarshaling the _ping PingResult: %s", err)
+		// don't stop here. Just assume sane defaults
+	}
+	if hdr := resp.Header.Get("X-Docker-Registry-Version"); hdr != "" {
+		logrus.Debugf("Registry version header: '%s'", hdr)
+		info.Version = hdr
+	}
+	logrus.Debugf("PingResult.Version: %q", info.Version)
+
+	standalone := resp.Header.Get("X-Docker-Registry-Standalone")
+	logrus.Debugf("Registry standalone header: '%s'", standalone)
+	// Accepted values are "true" (case-insensitive) and "1".
+	if strings.EqualFold(standalone, "true") || standalone == "1" {
+		info.Standalone = true
+	} else if len(standalone) > 0 {
+		// there is a header set, and it is not "true" or "1", so assume fails
+		info.Standalone = false
+	}
+	logrus.Debugf("PingResult.Standalone: %t", info.Standalone)
+	return info, nil
+}
diff --git a/engine/registry/errors.go b/engine/registry/errors.go
new file mode 100644
index 00000000..5bab02e5
--- /dev/null
+++ b/engine/registry/errors.go
@@ -0,0 +1,31 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"net/url"
+
+	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/docker/errdefs"
+)
+
+type notFoundError string
+
+func (e notFoundError) Error() string {
+	return string(e)
+}
+
+func (notFoundError) NotFound() {}
+
+func translateV2AuthError(err error) error {
+	switch e := err.(type) {
+	case *url.Error:
+		switch e2 := e.Err.(type) {
+		case errcode.Error:
+			switch e2.Code {
+			case errcode.ErrorCodeUnauthorized:
+				return errdefs.Unauthorized(err)
+			}
+		}
+	}
+
+	return err
+}
diff --git a/engine/registry/registry.go b/engine/registry/registry.go
new file mode 100644
index 00000000..7a84bbfb
--- /dev/null
+++ b/engine/registry/registry.go
@@ -0,0 +1,191 @@
+// Package registry contains client primitives to interact with a remote Docker registry.
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/go-connections/sockets"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// ErrAlreadyExists is an error returned if an image being pushed
+	// already exists on the remote side
+	ErrAlreadyExists = errors.New("Image already exists")
+)
+
+func newTLSConfig(hostname string, isSecure bool) (*tls.Config, error) {
+	// PreferredServerCipherSuites should have no effect
+	tlsConfig := tlsconfig.ServerDefault()
+
+	tlsConfig.InsecureSkipVerify = !isSecure
+
+	if isSecure && CertsDir != "" {
+		hostDir := filepath.Join(CertsDir, cleanPath(hostname))
+		logrus.Debugf("hostDir: %s", hostDir)
+		if err := ReadCertsDirectory(tlsConfig, hostDir); err != nil {
+			return nil, err
+		}
+	}
+
+	return tlsConfig, nil
+}
+
+func hasFile(files []os.FileInfo, name string) bool {
+	for _, f := range files {
+		if f.Name() == name {
+			return true
+		}
+	}
+	return false
+}
+
+// ReadCertsDirectory reads the directory for TLS certificates
+// including roots and certificate pairs and updates the
+// provided TLS configuration.
+func ReadCertsDirectory(tlsConfig *tls.Config, directory string) error {
+	fs, err := ioutil.ReadDir(directory)
+	if err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
+	for _, f := range fs {
+		if strings.HasSuffix(f.Name(), ".crt") {
+			if tlsConfig.RootCAs == nil {
+				systemPool, err := tlsconfig.SystemCertPool()
+				if err != nil {
+					return fmt.Errorf("unable to get system cert pool: %v", err)
+				}
+				tlsConfig.RootCAs = systemPool
+			}
+			logrus.Debugf("crt: %s", filepath.Join(directory, f.Name()))
+			data, err := ioutil.ReadFile(filepath.Join(directory, f.Name()))
+			if err != nil {
+				return err
+			}
+			tlsConfig.RootCAs.AppendCertsFromPEM(data)
+		}
+		if strings.HasSuffix(f.Name(), ".cert") {
+			certName := f.Name()
+			keyName := certName[:len(certName)-5] + ".key"
+			logrus.Debugf("cert: %s", filepath.Join(directory, f.Name()))
+			if !hasFile(fs, keyName) {
+				return fmt.Errorf("missing key %s for client certificate %s. Note that CA certificates should use the extension .crt", keyName, certName)
+			}
+			cert, err := tls.LoadX509KeyPair(filepath.Join(directory, certName), filepath.Join(directory, keyName))
+			if err != nil {
+				return err
+			}
+			tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
+		}
+		if strings.HasSuffix(f.Name(), ".key") {
+			keyName := f.Name()
+			certName := keyName[:len(keyName)-4] + ".cert"
+			logrus.Debugf("key: %s", filepath.Join(directory, f.Name()))
+			if !hasFile(fs, certName) {
+				return fmt.Errorf("Missing client certificate %s for key %s", certName, keyName)
+			}
+		}
+	}
+
+	return nil
+}
+
+// Headers returns request modifiers with a User-Agent and metaHeaders
+func Headers(userAgent string, metaHeaders http.Header) []transport.RequestModifier {
+	modifiers := []transport.RequestModifier{}
+	if userAgent != "" {
+		modifiers = append(modifiers, transport.NewHeaderRequestModifier(http.Header{
+			"User-Agent": []string{userAgent},
+		}))
+	}
+	if metaHeaders != nil {
+		modifiers = append(modifiers, transport.NewHeaderRequestModifier(metaHeaders))
+	}
+	return modifiers
+}
+
+// HTTPClient returns an HTTP client structure which uses the given transport
+// and contains the necessary headers for redirected requests
+func HTTPClient(transport http.RoundTripper) *http.Client {
+	return &http.Client{
+		Transport:     transport,
+		CheckRedirect: addRequiredHeadersToRedirectedRequests,
+	}
+}
+
+func trustedLocation(req *http.Request) bool {
+	var (
+		trusteds = []string{"docker.com", "docker.io"}
+		hostname = strings.SplitN(req.Host, ":", 2)[0]
+	)
+	if req.URL.Scheme != "https" {
+		return false
+	}
+
+	for _, trusted := range trusteds {
+		if hostname == trusted || strings.HasSuffix(hostname, "."+trusted) {
+			return true
+		}
+	}
+	return false
+}
+
+// addRequiredHeadersToRedirectedRequests adds the necessary redirection headers
+// for redirected requests
+func addRequiredHeadersToRedirectedRequests(req *http.Request, via []*http.Request) error {
+	if via != nil && via[0] != nil {
+		if trustedLocation(req) && trustedLocation(via[0]) {
+			req.Header = via[0].Header
+			return nil
+		}
+		for k, v := range via[0].Header {
+			if k != "Authorization" {
+				for _, vv := range v {
+					req.Header.Add(k, vv)
+				}
+			}
+		}
+	}
+	return nil
+}
+
+// NewTransport returns a new HTTP transport. If tlsConfig is nil, it uses the
+// default TLS configuration.
+func NewTransport(tlsConfig *tls.Config) *http.Transport {
+	if tlsConfig == nil {
+		tlsConfig = tlsconfig.ServerDefault()
+	}
+
+	direct := &net.Dialer{
+		Timeout:   30 * time.Second,
+		KeepAlive: 30 * time.Second,
+		DualStack: true,
+	}
+
+	base := &http.Transport{
+		Proxy:               http.ProxyFromEnvironment,
+		Dial:                direct.Dial,
+		TLSHandshakeTimeout: 10 * time.Second,
+		TLSClientConfig:     tlsConfig,
+		// TODO(dmcgowan): Call close idle connections when complete and use keep alive
+		DisableKeepAlives: true,
+	}
+
+	proxyDialer, err := sockets.DialerFromEnvironment(direct)
+	if err == nil {
+		base.Dial = proxyDialer.Dial
+	}
+	return base
+}
diff --git a/engine/registry/registry_mock_test.go b/engine/registry/registry_mock_test.go
new file mode 100644
index 00000000..bf17eb9f
--- /dev/null
+++ b/engine/registry/registry_mock_test.go
@@ -0,0 +1,476 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/gorilla/mux"
+
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	testHTTPServer  *httptest.Server
+	testHTTPSServer *httptest.Server
+	testLayers      = map[string]map[string]string{
+		"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20": {
+			"json": `{"id":"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
+				"comment":"test base image","created":"2013-03-23T12:53:11.10432-07:00",
+				"container_config":{"Hostname":"","User":"","Memory":0,"MemorySwap":0,
+				"CpuShares":0,"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,
+				"Tty":false,"OpenStdin":false,"StdinOnce":false,
+				"Env":null,"Cmd":null,"Dns":null,"Image":"","Volumes":null,
+				"VolumesFrom":"","Entrypoint":null},"Size":424242}`,
+			"checksum_simple": "sha256:1ac330d56e05eef6d438586545ceff7550d3bdcb6b19961f12c5ba714ee1bb37",
+			"checksum_tarsum": "tarsum+sha256:4409a0685741ca86d38df878ed6f8cbba4c99de5dc73cd71aef04be3bb70be7c",
+			"ancestry":        `["77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20"]`,
+			"layer": string([]byte{
+				0x1f, 0x8b, 0x08, 0x08, 0x0e, 0xb0, 0xee, 0x51, 0x02, 0x03, 0x6c, 0x61, 0x79, 0x65,
+				0x72, 0x2e, 0x74, 0x61, 0x72, 0x00, 0xed, 0xd2, 0x31, 0x0e, 0xc2, 0x30, 0x0c, 0x05,
+				0x50, 0xcf, 0x9c, 0xc2, 0x27, 0x48, 0xed, 0x38, 0x4e, 0xce, 0x13, 0x44, 0x2b, 0x66,
+				0x62, 0x24, 0x8e, 0x4f, 0xa0, 0x15, 0x63, 0xb6, 0x20, 0x21, 0xfc, 0x96, 0xbf, 0x78,
+				0xb0, 0xf5, 0x1d, 0x16, 0x98, 0x8e, 0x88, 0x8a, 0x2a, 0xbe, 0x33, 0xef, 0x49, 0x31,
+				0xed, 0x79, 0x40, 0x8e, 0x5c, 0x44, 0x85, 0x88, 0x33, 0x12, 0x73, 0x2c, 0x02, 0xa8,
+				0xf0, 0x05, 0xf7, 0x66, 0xf5, 0xd6, 0x57, 0x69, 0xd7, 0x7a, 0x19, 0xcd, 0xf5, 0xb1,
+				0x6d, 0x1b, 0x1f, 0xf9, 0xba, 0xe3, 0x93, 0x3f, 0x22, 0x2c, 0xb6, 0x36, 0x0b, 0xf6,
+				0xb0, 0xa9, 0xfd, 0xe7, 0x94, 0x46, 0xfd, 0xeb, 0xd1, 0x7f, 0x2c, 0xc4, 0xd2, 0xfb,
+				0x97, 0xfe, 0x02, 0x80, 0xe4, 0xfd, 0x4f, 0x77, 0xae, 0x6d, 0x3d, 0x81, 0x73, 0xce,
+				0xb9, 0x7f, 0xf3, 0x04, 0x41, 0xc1, 0xab, 0xc6, 0x00, 0x0a, 0x00, 0x00,
+			}),
+		},
+		"42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d": {
+			"json": `{"id":"42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
+				"parent":"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
+				"comment":"test base image","created":"2013-03-23T12:55:11.10432-07:00",
+				"container_config":{"Hostname":"","User":"","Memory":0,"MemorySwap":0,
+				"CpuShares":0,"AttachStdin":false,"AttachStdout":false,"AttachStderr":false,
+				"Tty":false,"OpenStdin":false,"StdinOnce":false,
+				"Env":null,"Cmd":null,"Dns":null,"Image":"","Volumes":null,
+				"VolumesFrom":"","Entrypoint":null},"Size":424242}`,
+			"checksum_simple": "sha256:bea7bf2e4bacd479344b737328db47b18880d09096e6674165533aa994f5e9f2",
+			"checksum_tarsum": "tarsum+sha256:68fdb56fb364f074eec2c9b3f85ca175329c4dcabc4a6a452b7272aa613a07a2",
+			"ancestry": `["42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
+				"77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20"]`,
+			"layer": string([]byte{
+				0x1f, 0x8b, 0x08, 0x08, 0xbd, 0xb3, 0xee, 0x51, 0x02, 0x03, 0x6c, 0x61, 0x79, 0x65,
+				0x72, 0x2e, 0x74, 0x61, 0x72, 0x00, 0xed, 0xd1, 0x31, 0x0e, 0xc2, 0x30, 0x0c, 0x05,
+				0x50, 0xcf, 0x9c, 0xc2, 0x27, 0x48, 0x9d, 0x38, 0x8e, 0xcf, 0x53, 0x51, 0xaa, 0x56,
+				0xea, 0x44, 0x82, 0xc4, 0xf1, 0x09, 0xb4, 0xea, 0x98, 0x2d, 0x48, 0x08, 0xbf, 0xe5,
+				0x2f, 0x1e, 0xfc, 0xf5, 0xdd, 0x00, 0xdd, 0x11, 0x91, 0x8a, 0xe0, 0x27, 0xd3, 0x9e,
+				0x14, 0xe2, 0x9e, 0x07, 0xf4, 0xc1, 0x2b, 0x0b, 0xfb, 0xa4, 0x82, 0xe4, 0x3d, 0x93,
+				0x02, 0x0a, 0x7c, 0xc1, 0x23, 0x97, 0xf1, 0x5e, 0x5f, 0xc9, 0xcb, 0x38, 0xb5, 0xee,
+				0xea, 0xd9, 0x3c, 0xb7, 0x4b, 0xbe, 0x7b, 0x9c, 0xf9, 0x23, 0xdc, 0x50, 0x6e, 0xb9,
+				0xb8, 0xf2, 0x2c, 0x5d, 0xf7, 0x4f, 0x31, 0xb6, 0xf6, 0x4f, 0xc7, 0xfe, 0x41, 0x55,
+				0x63, 0xdd, 0x9f, 0x89, 0x09, 0x90, 0x6c, 0xff, 0xee, 0xae, 0xcb, 0xba, 0x4d, 0x17,
+				0x30, 0xc6, 0x18, 0xf3, 0x67, 0x5e, 0xc1, 0xed, 0x21, 0x5d, 0x00, 0x0a, 0x00, 0x00,
+			}),
+		},
+	}
+	testRepositories = map[string]map[string]string{
+		"foo42/bar": {
+			"latest": "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
+			"test":   "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
+		},
+	}
+	mockHosts = map[string][]net.IP{
+		"":            {net.ParseIP("0.0.0.0")},
+		"localhost":   {net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
+		"example.com": {net.ParseIP("42.42.42.42")},
+		"other.com":   {net.ParseIP("43.43.43.43")},
+	}
+)
+
+func init() {
+	r := mux.NewRouter()
+
+	// /v1/
+	r.HandleFunc("/v1/_ping", handlerGetPing).Methods("GET")
+	r.HandleFunc("/v1/images/{image_id:[^/]+}/{action:json|layer|ancestry}", handlerGetImage).Methods("GET")
+	r.HandleFunc("/v1/images/{image_id:[^/]+}/{action:json|layer|checksum}", handlerPutImage).Methods("PUT")
+	r.HandleFunc("/v1/repositories/{repository:.+}/tags", handlerGetDeleteTags).Methods("GET", "DELETE")
+	r.HandleFunc("/v1/repositories/{repository:.+}/tags/{tag:.+}", handlerGetTag).Methods("GET")
+	r.HandleFunc("/v1/repositories/{repository:.+}/tags/{tag:.+}", handlerPutTag).Methods("PUT")
+	r.HandleFunc("/v1/users{null:.*}", handlerUsers).Methods("GET", "POST", "PUT")
+	r.HandleFunc("/v1/repositories/{repository:.+}{action:/images|/}", handlerImages).Methods("GET", "PUT", "DELETE")
+	r.HandleFunc("/v1/repositories/{repository:.+}/auth", handlerAuth).Methods("PUT")
+	r.HandleFunc("/v1/search", handlerSearch).Methods("GET")
+
+	// /v2/
+	r.HandleFunc("/v2/version", handlerGetPing).Methods("GET")
+
+	testHTTPServer = httptest.NewServer(handlerAccessLog(r))
+	testHTTPSServer = httptest.NewTLSServer(handlerAccessLog(r))
+
+	// override net.LookupIP
+	lookupIP = func(host string) ([]net.IP, error) {
+		if host == "127.0.0.1" {
+			// I believe in future Go versions this will fail, so let's fix it later
+			return net.LookupIP(host)
+		}
+		for h, addrs := range mockHosts {
+			if host == h {
+				return addrs, nil
+			}
+			for _, addr := range addrs {
+				if addr.String() == host {
+					return []net.IP{addr}, nil
+				}
+			}
+		}
+		return nil, errors.New("lookup: no such host")
+	}
+}
+
+func handlerAccessLog(handler http.Handler) http.Handler {
+	logHandler := func(w http.ResponseWriter, r *http.Request) {
+		logrus.Debugf("%s \"%s %s\"", r.RemoteAddr, r.Method, r.URL)
+		handler.ServeHTTP(w, r)
+	}
+	return http.HandlerFunc(logHandler)
+}
+
+func makeURL(req string) string {
+	return testHTTPServer.URL + req
+}
+
+func makeHTTPSURL(req string) string {
+	return testHTTPSServer.URL + req
+}
+
+func makeIndex(req string) *registrytypes.IndexInfo {
+	index := &registrytypes.IndexInfo{
+		Name: makeURL(req),
+	}
+	return index
+}
+
+func makeHTTPSIndex(req string) *registrytypes.IndexInfo {
+	index := &registrytypes.IndexInfo{
+		Name: makeHTTPSURL(req),
+	}
+	return index
+}
+
+func makePublicIndex() *registrytypes.IndexInfo {
+	index := &registrytypes.IndexInfo{
+		Name:     IndexServer,
+		Secure:   true,
+		Official: true,
+	}
+	return index
+}
+
+func makeServiceConfig(mirrors []string, insecureRegistries []string) (*serviceConfig, error) {
+	options := ServiceOptions{
+		Mirrors:            mirrors,
+		InsecureRegistries: insecureRegistries,
+	}
+
+	return newServiceConfig(options)
+}
+
+func writeHeaders(w http.ResponseWriter) {
+	h := w.Header()
+	h.Add("Server", "docker-tests/mock")
+	h.Add("Expires", "-1")
+	h.Add("Content-Type", "application/json")
+	h.Add("Pragma", "no-cache")
+	h.Add("Cache-Control", "no-cache")
+	h.Add("X-Docker-Registry-Version", "0.0.0")
+	h.Add("X-Docker-Registry-Config", "mock")
+}
+
+func writeResponse(w http.ResponseWriter, message interface{}, code int) {
+	writeHeaders(w)
+	w.WriteHeader(code)
+	body, err := json.Marshal(message)
+	if err != nil {
+		io.WriteString(w, err.Error())
+		return
+	}
+	w.Write(body)
+}
+
+func readJSON(r *http.Request, dest interface{}) error {
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		return err
+	}
+	return json.Unmarshal(body, dest)
+}
+
+func apiError(w http.ResponseWriter, message string, code int) {
+	body := map[string]string{
+		"error": message,
+	}
+	writeResponse(w, body, code)
+}
+
+func assertEqual(t *testing.T, a interface{}, b interface{}, message string) {
+	if a == b {
+		return
+	}
+	if len(message) == 0 {
+		message = fmt.Sprintf("%v != %v", a, b)
+	}
+	t.Fatal(message)
+}
+
+func assertNotEqual(t *testing.T, a interface{}, b interface{}, message string) {
+	if a != b {
+		return
+	}
+	if len(message) == 0 {
+		message = fmt.Sprintf("%v == %v", a, b)
+	}
+	t.Fatal(message)
+}
+
+// Similar to assertEqual, but does not stop test
+func checkEqual(t *testing.T, a interface{}, b interface{}, messagePrefix string) {
+	if a == b {
+		return
+	}
+	message := fmt.Sprintf("%v != %v", a, b)
+	if len(messagePrefix) != 0 {
+		message = messagePrefix + ": " + message
+	}
+	t.Error(message)
+}
+
+// Similar to assertNotEqual, but does not stop test
+func checkNotEqual(t *testing.T, a interface{}, b interface{}, messagePrefix string) {
+	if a != b {
+		return
+	}
+	message := fmt.Sprintf("%v == %v", a, b)
+	if len(messagePrefix) != 0 {
+		message = messagePrefix + ": " + message
+	}
+	t.Error(message)
+}
+
+func requiresAuth(w http.ResponseWriter, r *http.Request) bool {
+	writeCookie := func() {
+		value := fmt.Sprintf("FAKE-SESSION-%d", time.Now().UnixNano())
+		cookie := &http.Cookie{Name: "session", Value: value, MaxAge: 3600}
+		http.SetCookie(w, cookie)
+		//FIXME(sam): this should be sent only on Index routes
+		value = fmt.Sprintf("FAKE-TOKEN-%d", time.Now().UnixNano())
+		w.Header().Add("X-Docker-Token", value)
+	}
+	if len(r.Cookies()) > 0 {
+		writeCookie()
+		return true
+	}
+	if len(r.Header.Get("Authorization")) > 0 {
+		writeCookie()
+		return true
+	}
+	w.Header().Add("WWW-Authenticate", "token")
+	apiError(w, "Wrong auth", 401)
+	return false
+}
+
+func handlerGetPing(w http.ResponseWriter, r *http.Request) {
+	writeResponse(w, true, 200)
+}
+
+func handlerGetImage(w http.ResponseWriter, r *http.Request) {
+	if !requiresAuth(w, r) {
+		return
+	}
+	vars := mux.Vars(r)
+	layer, exists := testLayers[vars["image_id"]]
+	if !exists {
+		http.NotFound(w, r)
+		return
+	}
+	writeHeaders(w)
+	layerSize := len(layer["layer"])
+	w.Header().Add("X-Docker-Size", strconv.Itoa(layerSize))
+	io.WriteString(w, layer[vars["action"]])
+}
+
+func handlerPutImage(w http.ResponseWriter, r *http.Request) {
+	if !requiresAuth(w, r) {
+		return
+	}
+	vars := mux.Vars(r)
+	imageID := vars["image_id"]
+	action := vars["action"]
+	layer, exists := testLayers[imageID]
+	if !exists {
+		if action != "json" {
+			http.NotFound(w, r)
+			return
+		}
+		layer = make(map[string]string)
+		testLayers[imageID] = layer
+	}
+	if checksum := r.Header.Get("X-Docker-Checksum"); checksum != "" {
+		if checksum != layer["checksum_simple"] && checksum != layer["checksum_tarsum"] {
+			apiError(w, "Wrong checksum", 400)
+			return
+		}
+	}
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		apiError(w, fmt.Sprintf("Error: %s", err), 500)
+		return
+	}
+	layer[action] = string(body)
+	writeResponse(w, true, 200)
+}
+
+func handlerGetDeleteTags(w http.ResponseWriter, r *http.Request) {
+	if !requiresAuth(w, r) {
+		return
+	}
+	repositoryName, err := reference.WithName(mux.Vars(r)["repository"])
+	if err != nil {
+		apiError(w, "Could not parse repository", 400)
+		return
+	}
+	tags, exists := testRepositories[repositoryName.String()]
+	if !exists {
+		apiError(w, "Repository not found", 404)
+		return
+	}
+	if r.Method == "DELETE" {
+		delete(testRepositories, repositoryName.String())
+		writeResponse(w, true, 200)
+		return
+	}
+	writeResponse(w, tags, 200)
+}
+
+func handlerGetTag(w http.ResponseWriter, r *http.Request) {
+	if !requiresAuth(w, r) {
+		return
+	}
+	vars := mux.Vars(r)
+	repositoryName, err := reference.WithName(vars["repository"])
+	if err != nil {
+		apiError(w, "Could not parse repository", 400)
+		return
+	}
+	tagName := vars["tag"]
+	tags, exists := testRepositories[repositoryName.String()]
+	if !exists {
+		apiError(w, "Repository not found", 404)
+		return
+	}
+	tag, exists := tags[tagName]
+	if !exists {
+		apiError(w, "Tag not found", 404)
+		return
+	}
+	writeResponse(w, tag, 200)
+}
+
+func handlerPutTag(w http.ResponseWriter, r *http.Request) {
+	if !requiresAuth(w, r) {
+		return
+	}
+	vars := mux.Vars(r)
+	repositoryName, err := reference.WithName(vars["repository"])
+	if err != nil {
+		apiError(w, "Could not parse repository", 400)
+		return
+	}
+	tagName := vars["tag"]
+	tags, exists := testRepositories[repositoryName.String()]
+	if !exists {
+		tags = make(map[string]string)
+		testRepositories[repositoryName.String()] = tags
+	}
+	tagValue := ""
+	readJSON(r, tagValue)
+	tags[tagName] = tagValue
+	writeResponse(w, true, 200)
+}
+
+func handlerUsers(w http.ResponseWriter, r *http.Request) {
+	code := 200
+	if r.Method == "POST" {
+		code = 201
+	} else if r.Method == "PUT" {
+		code = 204
+	}
+	writeResponse(w, "", code)
+}
+
+func handlerImages(w http.ResponseWriter, r *http.Request) {
+	u, _ := url.Parse(testHTTPServer.URL)
+	w.Header().Add("X-Docker-Endpoints", fmt.Sprintf("%s 	,  %s ", u.Host, "test.example.com"))
+	w.Header().Add("X-Docker-Token", fmt.Sprintf("FAKE-SESSION-%d", time.Now().UnixNano()))
+	if r.Method == "PUT" {
+		if strings.HasSuffix(r.URL.Path, "images") {
+			writeResponse(w, "", 204)
+			return
+		}
+		writeResponse(w, "", 200)
+		return
+	}
+	if r.Method == "DELETE" {
+		writeResponse(w, "", 204)
+		return
+	}
+	var images []map[string]string
+	for imageID, layer := range testLayers {
+		image := make(map[string]string)
+		image["id"] = imageID
+		image["checksum"] = layer["checksum_tarsum"]
+		image["Tag"] = "latest"
+		images = append(images, image)
+	}
+	writeResponse(w, images, 200)
+}
+
+func handlerAuth(w http.ResponseWriter, r *http.Request) {
+	writeResponse(w, "OK", 200)
+}
+
+func handlerSearch(w http.ResponseWriter, r *http.Request) {
+	result := &registrytypes.SearchResults{
+		Query:      "fakequery",
+		NumResults: 1,
+		Results:    []registrytypes.SearchResult{{Name: "fakeimage", StarCount: 42}},
+	}
+	writeResponse(w, result, 200)
+}
+
+func TestPing(t *testing.T) {
+	res, err := http.Get(makeURL("/v1/_ping"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, res.StatusCode, 200, "")
+	assertEqual(t, res.Header.Get("X-Docker-Registry-Config"), "mock",
+		"This is not a Mocked Registry")
+}
+
+/* Uncomment this to test Mocked Registry locally with curl
+ * WARNING: Don't push on the repos uncommented, it'll block the tests
+ *
+func TestWait(t *testing.T) {
+	logrus.Println("Test HTTP server ready and waiting:", testHTTPServer.URL)
+	c := make(chan int)
+	<-c
+}
+
+//*/
diff --git a/engine/registry/registry_test.go b/engine/registry/registry_test.go
new file mode 100644
index 00000000..b7459471
--- /dev/null
+++ b/engine/registry/registry_test.go
@@ -0,0 +1,934 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/client/transport"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"gotest.tools/assert"
+	"gotest.tools/skip"
+)
+
+var (
+	token = []string{"fake-token"}
+)
+
+const (
+	imageID = "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d"
+	REPO    = "foo42/bar"
+)
+
+func spawnTestRegistrySession(t *testing.T) *Session {
+	authConfig := &types.AuthConfig{}
+	endpoint, err := NewV1Endpoint(makeIndex("/v1/"), "", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	userAgent := "docker test client"
+	var tr http.RoundTripper = debugTransport{NewTransport(nil), t.Log}
+	tr = transport.NewTransport(AuthTransport(tr, authConfig, false), Headers(userAgent, nil)...)
+	client := HTTPClient(tr)
+	r, err := NewSession(client, authConfig, endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// In a normal scenario for the v1 registry, the client should send a `X-Docker-Token: true`
+	// header while authenticating, in order to retrieve a token that can be later used to
+	// perform authenticated actions.
+	//
+	// The mock v1 registry does not support that, (TODO(tiborvass): support it), instead,
+	// it will consider authenticated any request with the header `X-Docker-Token: fake-token`.
+	//
+	// Because we know that the client's transport is an `*authTransport` we simply cast it,
+	// in order to set the internal cached token to the fake token, and thus send that fake token
+	// upon every subsequent requests.
+	r.client.Transport.(*authTransport).token = token
+	return r
+}
+
+func TestPingRegistryEndpoint(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	testPing := func(index *registrytypes.IndexInfo, expectedStandalone bool, assertMessage string) {
+		ep, err := NewV1Endpoint(index, "", nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		regInfo, err := ep.Ping()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		assertEqual(t, regInfo.Standalone, expectedStandalone, assertMessage)
+	}
+
+	testPing(makeIndex("/v1/"), true, "Expected standalone to be true (default)")
+	testPing(makeHTTPSIndex("/v1/"), true, "Expected standalone to be true (default)")
+	testPing(makePublicIndex(), false, "Expected standalone to be false for public index")
+}
+
+func TestEndpoint(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	// Simple wrapper to fail test if err != nil
+	expandEndpoint := func(index *registrytypes.IndexInfo) *V1Endpoint {
+		endpoint, err := NewV1Endpoint(index, "", nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		return endpoint
+	}
+
+	assertInsecureIndex := func(index *registrytypes.IndexInfo) {
+		index.Secure = true
+		_, err := NewV1Endpoint(index, "", nil)
+		assertNotEqual(t, err, nil, index.Name+": Expected error for insecure index")
+		assertEqual(t, strings.Contains(err.Error(), "insecure-registry"), true, index.Name+": Expected insecure-registry  error for insecure index")
+		index.Secure = false
+	}
+
+	assertSecureIndex := func(index *registrytypes.IndexInfo) {
+		index.Secure = true
+		_, err := NewV1Endpoint(index, "", nil)
+		assertNotEqual(t, err, nil, index.Name+": Expected cert error for secure index")
+		assertEqual(t, strings.Contains(err.Error(), "certificate signed by unknown authority"), true, index.Name+": Expected cert error for secure index")
+		index.Secure = false
+	}
+
+	index := &registrytypes.IndexInfo{}
+	index.Name = makeURL("/v1/")
+	endpoint := expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name, "Expected endpoint to be "+index.Name)
+	assertInsecureIndex(index)
+
+	index.Name = makeURL("")
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name+"/v1/", index.Name+": Expected endpoint to be "+index.Name+"/v1/")
+	assertInsecureIndex(index)
+
+	httpURL := makeURL("")
+	index.Name = strings.SplitN(httpURL, "://", 2)[1]
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), httpURL+"/v1/", index.Name+": Expected endpoint to be "+httpURL+"/v1/")
+	assertInsecureIndex(index)
+
+	index.Name = makeHTTPSURL("/v1/")
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name, "Expected endpoint to be "+index.Name)
+	assertSecureIndex(index)
+
+	index.Name = makeHTTPSURL("")
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), index.Name+"/v1/", index.Name+": Expected endpoint to be "+index.Name+"/v1/")
+	assertSecureIndex(index)
+
+	httpsURL := makeHTTPSURL("")
+	index.Name = strings.SplitN(httpsURL, "://", 2)[1]
+	endpoint = expandEndpoint(index)
+	assertEqual(t, endpoint.String(), httpsURL+"/v1/", index.Name+": Expected endpoint to be "+httpsURL+"/v1/")
+	assertSecureIndex(index)
+
+	badEndpoints := []string{
+		"http://127.0.0.1/v1/",
+		"https://127.0.0.1/v1/",
+		"http://127.0.0.1",
+		"https://127.0.0.1",
+		"127.0.0.1",
+	}
+	for _, address := range badEndpoints {
+		index.Name = address
+		_, err := NewV1Endpoint(index, "", nil)
+		checkNotEqual(t, err, nil, "Expected error while expanding bad endpoint")
+	}
+}
+
+func TestGetRemoteHistory(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	hist, err := r.GetRemoteHistory(imageID, makeURL("/v1/"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, len(hist), 2, "Expected 2 images in history")
+	assertEqual(t, hist[0], imageID, "Expected "+imageID+"as first ancestry")
+	assertEqual(t, hist[1], "77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
+		"Unexpected second ancestry")
+}
+
+func TestLookupRemoteImage(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	err := r.LookupRemoteImage(imageID, makeURL("/v1/"))
+	assertEqual(t, err, nil, "Expected error of remote lookup to nil")
+	if err := r.LookupRemoteImage("abcdef", makeURL("/v1/")); err == nil {
+		t.Fatal("Expected error of remote lookup to not nil")
+	}
+}
+
+func TestGetRemoteImageJSON(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	json, size, err := r.GetRemoteImageJSON(imageID, makeURL("/v1/"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, size, int64(154), "Expected size 154")
+	if len(json) == 0 {
+		t.Fatal("Expected non-empty json")
+	}
+
+	_, _, err = r.GetRemoteImageJSON("abcdef", makeURL("/v1/"))
+	if err == nil {
+		t.Fatal("Expected image not found error")
+	}
+}
+
+func TestGetRemoteImageLayer(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	data, err := r.GetRemoteImageLayer(imageID, makeURL("/v1/"), 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if data == nil {
+		t.Fatal("Expected non-nil data result")
+	}
+
+	_, err = r.GetRemoteImageLayer("abcdef", makeURL("/v1/"), 0)
+	if err == nil {
+		t.Fatal("Expected image not found error")
+	}
+}
+
+func TestGetRemoteTag(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	repoRef, err := reference.ParseNormalizedNamed(REPO)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tag, err := r.GetRemoteTag([]string{makeURL("/v1/")}, repoRef, "test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, tag, imageID, "Expected tag test to map to "+imageID)
+
+	bazRef, err := reference.ParseNormalizedNamed("foo42/baz")
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = r.GetRemoteTag([]string{makeURL("/v1/")}, bazRef, "foo")
+	if err != ErrRepoNotFound {
+		t.Fatal("Expected ErrRepoNotFound error when fetching tag for bogus repo")
+	}
+}
+
+func TestGetRemoteTags(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	repoRef, err := reference.ParseNormalizedNamed(REPO)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tags, err := r.GetRemoteTags([]string{makeURL("/v1/")}, repoRef)
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, len(tags), 2, "Expected two tags")
+	assertEqual(t, tags["latest"], imageID, "Expected tag latest to map to "+imageID)
+	assertEqual(t, tags["test"], imageID, "Expected tag test to map to "+imageID)
+
+	bazRef, err := reference.ParseNormalizedNamed("foo42/baz")
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = r.GetRemoteTags([]string{makeURL("/v1/")}, bazRef)
+	if err != ErrRepoNotFound {
+		t.Fatal("Expected ErrRepoNotFound error when fetching tags for bogus repo")
+	}
+}
+
+func TestGetRepositoryData(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	parsedURL, err := url.Parse(makeURL("/v1/"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	host := "http://" + parsedURL.Host + "/v1/"
+	repoRef, err := reference.ParseNormalizedNamed(REPO)
+	if err != nil {
+		t.Fatal(err)
+	}
+	data, err := r.GetRepositoryData(repoRef)
+	if err != nil {
+		t.Fatal(err)
+	}
+	assertEqual(t, len(data.ImgList), 2, "Expected 2 images in ImgList")
+	assertEqual(t, len(data.Endpoints), 2,
+		fmt.Sprintf("Expected 2 endpoints in Endpoints, found %d instead", len(data.Endpoints)))
+	assertEqual(t, data.Endpoints[0], host,
+		fmt.Sprintf("Expected first endpoint to be %s but found %s instead", host, data.Endpoints[0]))
+	assertEqual(t, data.Endpoints[1], "http://test.example.com/v1/",
+		fmt.Sprintf("Expected first endpoint to be http://test.example.com/v1/ but found %s instead", data.Endpoints[1]))
+
+}
+
+func TestPushImageJSONRegistry(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	imgData := &ImgData{
+		ID:       "77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
+		Checksum: "sha256:1ac330d56e05eef6d438586545ceff7550d3bdcb6b19961f12c5ba714ee1bb37",
+	}
+
+	err := r.PushImageJSONRegistry(imgData, []byte{0x42, 0xdf, 0x0}, makeURL("/v1/"))
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestPushImageLayerRegistry(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	layer := strings.NewReader("")
+	_, _, err := r.PushImageLayerRegistry(imageID, layer, makeURL("/v1/"), []byte{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestParseRepositoryInfo(t *testing.T) {
+	type staticRepositoryInfo struct {
+		Index         *registrytypes.IndexInfo
+		RemoteName    string
+		CanonicalName string
+		LocalName     string
+		Official      bool
+	}
+
+	expectedRepoInfos := map[string]staticRepositoryInfo{
+		"fooo/bar": {
+			Index: &registrytypes.IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "fooo/bar",
+			LocalName:     "fooo/bar",
+			CanonicalName: "docker.io/fooo/bar",
+			Official:      false,
+		},
+		"library/ubuntu": {
+			Index: &registrytypes.IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu",
+			LocalName:     "ubuntu",
+			CanonicalName: "docker.io/library/ubuntu",
+			Official:      true,
+		},
+		"nonlibrary/ubuntu": {
+			Index: &registrytypes.IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "nonlibrary/ubuntu",
+			LocalName:     "nonlibrary/ubuntu",
+			CanonicalName: "docker.io/nonlibrary/ubuntu",
+			Official:      false,
+		},
+		"ubuntu": {
+			Index: &registrytypes.IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu",
+			LocalName:     "ubuntu",
+			CanonicalName: "docker.io/library/ubuntu",
+			Official:      true,
+		},
+		"other/library": {
+			Index: &registrytypes.IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "other/library",
+			LocalName:     "other/library",
+			CanonicalName: "docker.io/other/library",
+			Official:      false,
+		},
+		"127.0.0.1:8000/private/moonbase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     "127.0.0.1:8000",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "127.0.0.1:8000/private/moonbase",
+			CanonicalName: "127.0.0.1:8000/private/moonbase",
+			Official:      false,
+		},
+		"127.0.0.1:8000/privatebase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     "127.0.0.1:8000",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "127.0.0.1:8000/privatebase",
+			CanonicalName: "127.0.0.1:8000/privatebase",
+			Official:      false,
+		},
+		"localhost:8000/private/moonbase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     "localhost:8000",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "localhost:8000/private/moonbase",
+			CanonicalName: "localhost:8000/private/moonbase",
+			Official:      false,
+		},
+		"localhost:8000/privatebase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     "localhost:8000",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "localhost:8000/privatebase",
+			CanonicalName: "localhost:8000/privatebase",
+			Official:      false,
+		},
+		"example.com/private/moonbase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     "example.com",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "example.com/private/moonbase",
+			CanonicalName: "example.com/private/moonbase",
+			Official:      false,
+		},
+		"example.com/privatebase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     "example.com",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "example.com/privatebase",
+			CanonicalName: "example.com/privatebase",
+			Official:      false,
+		},
+		"example.com:8000/private/moonbase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     "example.com:8000",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "example.com:8000/private/moonbase",
+			CanonicalName: "example.com:8000/private/moonbase",
+			Official:      false,
+		},
+		"example.com:8000/privatebase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     "example.com:8000",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "example.com:8000/privatebase",
+			CanonicalName: "example.com:8000/privatebase",
+			Official:      false,
+		},
+		"localhost/private/moonbase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     "localhost",
+				Official: false,
+			},
+			RemoteName:    "private/moonbase",
+			LocalName:     "localhost/private/moonbase",
+			CanonicalName: "localhost/private/moonbase",
+			Official:      false,
+		},
+		"localhost/privatebase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     "localhost",
+				Official: false,
+			},
+			RemoteName:    "privatebase",
+			LocalName:     "localhost/privatebase",
+			CanonicalName: "localhost/privatebase",
+			Official:      false,
+		},
+		IndexName + "/public/moonbase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "public/moonbase",
+			LocalName:     "public/moonbase",
+			CanonicalName: "docker.io/public/moonbase",
+			Official:      false,
+		},
+		"index." + IndexName + "/public/moonbase": {
+			Index: &registrytypes.IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "public/moonbase",
+			LocalName:     "public/moonbase",
+			CanonicalName: "docker.io/public/moonbase",
+			Official:      false,
+		},
+		"ubuntu-12.04-base": {
+			Index: &registrytypes.IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu-12.04-base",
+			LocalName:     "ubuntu-12.04-base",
+			CanonicalName: "docker.io/library/ubuntu-12.04-base",
+			Official:      true,
+		},
+		IndexName + "/ubuntu-12.04-base": {
+			Index: &registrytypes.IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu-12.04-base",
+			LocalName:     "ubuntu-12.04-base",
+			CanonicalName: "docker.io/library/ubuntu-12.04-base",
+			Official:      true,
+		},
+		"index." + IndexName + "/ubuntu-12.04-base": {
+			Index: &registrytypes.IndexInfo{
+				Name:     IndexName,
+				Official: true,
+			},
+			RemoteName:    "library/ubuntu-12.04-base",
+			LocalName:     "ubuntu-12.04-base",
+			CanonicalName: "docker.io/library/ubuntu-12.04-base",
+			Official:      true,
+		},
+	}
+
+	for reposName, expectedRepoInfo := range expectedRepoInfos {
+		named, err := reference.ParseNormalizedNamed(reposName)
+		if err != nil {
+			t.Error(err)
+		}
+
+		repoInfo, err := ParseRepositoryInfo(named)
+		if err != nil {
+			t.Error(err)
+		} else {
+			checkEqual(t, repoInfo.Index.Name, expectedRepoInfo.Index.Name, reposName)
+			checkEqual(t, reference.Path(repoInfo.Name), expectedRepoInfo.RemoteName, reposName)
+			checkEqual(t, reference.FamiliarName(repoInfo.Name), expectedRepoInfo.LocalName, reposName)
+			checkEqual(t, repoInfo.Name.Name(), expectedRepoInfo.CanonicalName, reposName)
+			checkEqual(t, repoInfo.Index.Official, expectedRepoInfo.Index.Official, reposName)
+			checkEqual(t, repoInfo.Official, expectedRepoInfo.Official, reposName)
+		}
+	}
+}
+
+func TestNewIndexInfo(t *testing.T) {
+	testIndexInfo := func(config *serviceConfig, expectedIndexInfos map[string]*registrytypes.IndexInfo) {
+		for indexName, expectedIndexInfo := range expectedIndexInfos {
+			index, err := newIndexInfo(config, indexName)
+			if err != nil {
+				t.Fatal(err)
+			} else {
+				checkEqual(t, index.Name, expectedIndexInfo.Name, indexName+" name")
+				checkEqual(t, index.Official, expectedIndexInfo.Official, indexName+" is official")
+				checkEqual(t, index.Secure, expectedIndexInfo.Secure, indexName+" is secure")
+				checkEqual(t, len(index.Mirrors), len(expectedIndexInfo.Mirrors), indexName+" mirrors")
+			}
+		}
+	}
+
+	config := emptyServiceConfig
+	var noMirrors []string
+	expectedIndexInfos := map[string]*registrytypes.IndexInfo{
+		IndexName: {
+			Name:     IndexName,
+			Official: true,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"index." + IndexName: {
+			Name:     IndexName,
+			Official: true,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"example.com": {
+			Name:     "example.com",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1:5000": {
+			Name:     "127.0.0.1:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+	}
+	testIndexInfo(config, expectedIndexInfos)
+
+	publicMirrors := []string{"http://mirror1.local", "http://mirror2.local"}
+	var err error
+	config, err = makeServiceConfig(publicMirrors, []string{"example.com"})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedIndexInfos = map[string]*registrytypes.IndexInfo{
+		IndexName: {
+			Name:     IndexName,
+			Official: true,
+			Secure:   true,
+			Mirrors:  publicMirrors,
+		},
+		"index." + IndexName: {
+			Name:     IndexName,
+			Official: true,
+			Secure:   true,
+			Mirrors:  publicMirrors,
+		},
+		"example.com": {
+			Name:     "example.com",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"example.com:5000": {
+			Name:     "example.com:5000",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1": {
+			Name:     "127.0.0.1",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1:5000": {
+			Name:     "127.0.0.1:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"other.com": {
+			Name:     "other.com",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+	}
+	testIndexInfo(config, expectedIndexInfos)
+
+	config, err = makeServiceConfig(nil, []string{"42.42.0.0/16"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedIndexInfos = map[string]*registrytypes.IndexInfo{
+		"example.com": {
+			Name:     "example.com",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"example.com:5000": {
+			Name:     "example.com:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1": {
+			Name:     "127.0.0.1",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"127.0.0.1:5000": {
+			Name:     "127.0.0.1:5000",
+			Official: false,
+			Secure:   false,
+			Mirrors:  noMirrors,
+		},
+		"other.com": {
+			Name:     "other.com",
+			Official: false,
+			Secure:   true,
+			Mirrors:  noMirrors,
+		},
+	}
+	testIndexInfo(config, expectedIndexInfos)
+}
+
+func TestMirrorEndpointLookup(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	containsMirror := func(endpoints []APIEndpoint) bool {
+		for _, pe := range endpoints {
+			if pe.URL.Host == "my.mirror" {
+				return true
+			}
+		}
+		return false
+	}
+	cfg, err := makeServiceConfig([]string{"https://my.mirror"}, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := DefaultService{config: cfg}
+
+	imageName, err := reference.WithName(IndexName + "/test/image")
+	if err != nil {
+		t.Error(err)
+	}
+	pushAPIEndpoints, err := s.LookupPushEndpoints(reference.Domain(imageName))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if containsMirror(pushAPIEndpoints) {
+		t.Fatal("Push endpoint should not contain mirror")
+	}
+
+	pullAPIEndpoints, err := s.LookupPullEndpoints(reference.Domain(imageName))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !containsMirror(pullAPIEndpoints) {
+		t.Fatal("Pull endpoint should contain mirror")
+	}
+}
+
+func TestPushRegistryTag(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	repoRef, err := reference.ParseNormalizedNamed(REPO)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = r.PushRegistryTag(repoRef, imageID, "stable", makeURL("/v1/"))
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestPushImageJSONIndex(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	imgData := []*ImgData{
+		{
+			ID:       "77dbf71da1d00e3fbddc480176eac8994025630c6590d11cfc8fe1209c2a1d20",
+			Checksum: "sha256:1ac330d56e05eef6d438586545ceff7550d3bdcb6b19961f12c5ba714ee1bb37",
+		},
+		{
+			ID:       "42d718c941f5c532ac049bf0b0ab53f0062f09a03afd4aa4a02c098e46032b9d",
+			Checksum: "sha256:bea7bf2e4bacd479344b737328db47b18880d09096e6674165533aa994f5e9f2",
+		},
+	}
+	repoRef, err := reference.ParseNormalizedNamed(REPO)
+	if err != nil {
+		t.Fatal(err)
+	}
+	repoData, err := r.PushImageJSONIndex(repoRef, imgData, false, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if repoData == nil {
+		t.Fatal("Expected RepositoryData object")
+	}
+	repoData, err = r.PushImageJSONIndex(repoRef, imgData, true, []string{r.indexEndpoint.String()})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if repoData == nil {
+		t.Fatal("Expected RepositoryData object")
+	}
+}
+
+func TestSearchRepositories(t *testing.T) {
+	r := spawnTestRegistrySession(t)
+	results, err := r.SearchRepositories("fakequery", 25)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if results == nil {
+		t.Fatal("Expected non-nil SearchResults object")
+	}
+	assertEqual(t, results.NumResults, 1, "Expected 1 search results")
+	assertEqual(t, results.Query, "fakequery", "Expected 'fakequery' as query")
+	assertEqual(t, results.Results[0].StarCount, 42, "Expected 'fakeimage' to have 42 stars")
+}
+
+func TestTrustedLocation(t *testing.T) {
+	for _, url := range []string{"http://example.com", "https://example.com:7777", "http://docker.io", "http://test.docker.com", "https://fakedocker.com"} {
+		req, _ := http.NewRequest("GET", url, nil)
+		assert.Check(t, !trustedLocation(req))
+	}
+
+	for _, url := range []string{"https://docker.io", "https://test.docker.com:80"} {
+		req, _ := http.NewRequest("GET", url, nil)
+		assert.Check(t, trustedLocation(req))
+	}
+}
+
+func TestAddRequiredHeadersToRedirectedRequests(t *testing.T) {
+	for _, urls := range [][]string{
+		{"http://docker.io", "https://docker.com"},
+		{"https://foo.docker.io:7777", "http://bar.docker.com"},
+		{"https://foo.docker.io", "https://example.com"},
+	} {
+		reqFrom, _ := http.NewRequest("GET", urls[0], nil)
+		reqFrom.Header.Add("Content-Type", "application/json")
+		reqFrom.Header.Add("Authorization", "super_secret")
+		reqTo, _ := http.NewRequest("GET", urls[1], nil)
+
+		addRequiredHeadersToRedirectedRequests(reqTo, []*http.Request{reqFrom})
+
+		if len(reqTo.Header) != 1 {
+			t.Fatalf("Expected 1 headers, got %d", len(reqTo.Header))
+		}
+
+		if reqTo.Header.Get("Content-Type") != "application/json" {
+			t.Fatal("'Content-Type' should be 'application/json'")
+		}
+
+		if reqTo.Header.Get("Authorization") != "" {
+			t.Fatal("'Authorization' should be empty")
+		}
+	}
+
+	for _, urls := range [][]string{
+		{"https://docker.io", "https://docker.com"},
+		{"https://foo.docker.io:7777", "https://bar.docker.com"},
+	} {
+		reqFrom, _ := http.NewRequest("GET", urls[0], nil)
+		reqFrom.Header.Add("Content-Type", "application/json")
+		reqFrom.Header.Add("Authorization", "super_secret")
+		reqTo, _ := http.NewRequest("GET", urls[1], nil)
+
+		addRequiredHeadersToRedirectedRequests(reqTo, []*http.Request{reqFrom})
+
+		if len(reqTo.Header) != 2 {
+			t.Fatalf("Expected 2 headers, got %d", len(reqTo.Header))
+		}
+
+		if reqTo.Header.Get("Content-Type") != "application/json" {
+			t.Fatal("'Content-Type' should be 'application/json'")
+		}
+
+		if reqTo.Header.Get("Authorization") != "super_secret" {
+			t.Fatal("'Authorization' should be 'super_secret'")
+		}
+	}
+}
+
+func TestAllowNondistributableArtifacts(t *testing.T) {
+	tests := []struct {
+		addr       string
+		registries []string
+		expected   bool
+	}{
+		{IndexName, nil, false},
+		{"example.com", []string{}, false},
+		{"example.com", []string{"example.com"}, true},
+		{"localhost", []string{"localhost:5000"}, false},
+		{"localhost:5000", []string{"localhost:5000"}, true},
+		{"localhost", []string{"example.com"}, false},
+		{"127.0.0.1:5000", []string{"127.0.0.1:5000"}, true},
+		{"localhost", nil, false},
+		{"localhost:5000", nil, false},
+		{"127.0.0.1", nil, false},
+		{"localhost", []string{"example.com"}, false},
+		{"127.0.0.1", []string{"example.com"}, false},
+		{"example.com", nil, false},
+		{"example.com", []string{"example.com"}, true},
+		{"127.0.0.1", []string{"example.com"}, false},
+		{"127.0.0.1:5000", []string{"example.com"}, false},
+		{"example.com:5000", []string{"42.42.0.0/16"}, true},
+		{"example.com", []string{"42.42.0.0/16"}, true},
+		{"example.com:5000", []string{"42.42.42.42/8"}, true},
+		{"127.0.0.1:5000", []string{"127.0.0.0/8"}, true},
+		{"42.42.42.42:5000", []string{"42.1.1.1/8"}, true},
+		{"invalid.domain.com", []string{"42.42.0.0/16"}, false},
+		{"invalid.domain.com", []string{"invalid.domain.com"}, true},
+		{"invalid.domain.com:5000", []string{"invalid.domain.com"}, false},
+		{"invalid.domain.com:5000", []string{"invalid.domain.com:5000"}, true},
+	}
+	for _, tt := range tests {
+		config, err := newServiceConfig(ServiceOptions{
+			AllowNondistributableArtifacts: tt.registries,
+		})
+		if err != nil {
+			t.Error(err)
+		}
+		if v := allowNondistributableArtifacts(config, tt.addr); v != tt.expected {
+			t.Errorf("allowNondistributableArtifacts failed for %q %v, expected %v got %v", tt.addr, tt.registries, tt.expected, v)
+		}
+	}
+}
+
+func TestIsSecureIndex(t *testing.T) {
+	tests := []struct {
+		addr               string
+		insecureRegistries []string
+		expected           bool
+	}{
+		{IndexName, nil, true},
+		{"example.com", []string{}, true},
+		{"example.com", []string{"example.com"}, false},
+		{"localhost", []string{"localhost:5000"}, false},
+		{"localhost:5000", []string{"localhost:5000"}, false},
+		{"localhost", []string{"example.com"}, false},
+		{"127.0.0.1:5000", []string{"127.0.0.1:5000"}, false},
+		{"localhost", nil, false},
+		{"localhost:5000", nil, false},
+		{"127.0.0.1", nil, false},
+		{"localhost", []string{"example.com"}, false},
+		{"127.0.0.1", []string{"example.com"}, false},
+		{"example.com", nil, true},
+		{"example.com", []string{"example.com"}, false},
+		{"127.0.0.1", []string{"example.com"}, false},
+		{"127.0.0.1:5000", []string{"example.com"}, false},
+		{"example.com:5000", []string{"42.42.0.0/16"}, false},
+		{"example.com", []string{"42.42.0.0/16"}, false},
+		{"example.com:5000", []string{"42.42.42.42/8"}, false},
+		{"127.0.0.1:5000", []string{"127.0.0.0/8"}, false},
+		{"42.42.42.42:5000", []string{"42.1.1.1/8"}, false},
+		{"invalid.domain.com", []string{"42.42.0.0/16"}, true},
+		{"invalid.domain.com", []string{"invalid.domain.com"}, false},
+		{"invalid.domain.com:5000", []string{"invalid.domain.com"}, true},
+		{"invalid.domain.com:5000", []string{"invalid.domain.com:5000"}, false},
+	}
+	for _, tt := range tests {
+		config, err := makeServiceConfig(nil, tt.insecureRegistries)
+		if err != nil {
+			t.Error(err)
+		}
+		if sec := isSecureIndex(config, tt.addr); sec != tt.expected {
+			t.Errorf("isSecureIndex failed for %q %v, expected %v got %v", tt.addr, tt.insecureRegistries, tt.expected, sec)
+		}
+	}
+}
+
+type debugTransport struct {
+	http.RoundTripper
+	log func(...interface{})
+}
+
+func (tr debugTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	dump, err := httputil.DumpRequestOut(req, false)
+	if err != nil {
+		tr.log("could not dump request")
+	}
+	tr.log(string(dump))
+	resp, err := tr.RoundTripper.RoundTrip(req)
+	if err != nil {
+		return nil, err
+	}
+	dump, err = httputil.DumpResponse(resp, false)
+	if err != nil {
+		tr.log("could not dump response")
+	}
+	tr.log(string(dump))
+	return resp, err
+}
diff --git a/engine/registry/resumable/resumablerequestreader.go b/engine/registry/resumable/resumablerequestreader.go
new file mode 100644
index 00000000..8e97a1a4
--- /dev/null
+++ b/engine/registry/resumable/resumablerequestreader.go
@@ -0,0 +1,96 @@
+package resumable // import "github.com/docker/docker/registry/resumable"
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
+
+type requestReader struct {
+	client          *http.Client
+	request         *http.Request
+	lastRange       int64
+	totalSize       int64
+	currentResponse *http.Response
+	failures        uint32
+	maxFailures     uint32
+	waitDuration    time.Duration
+}
+
+// NewRequestReader makes it possible to resume reading a request's body transparently
+// maxfail is the number of times we retry to make requests again (not resumes)
+// totalsize is the total length of the body; auto detect if not provided
+func NewRequestReader(c *http.Client, r *http.Request, maxfail uint32, totalsize int64) io.ReadCloser {
+	return &requestReader{client: c, request: r, maxFailures: maxfail, totalSize: totalsize, waitDuration: 5 * time.Second}
+}
+
+// NewRequestReaderWithInitialResponse makes it possible to resume
+// reading the body of an already initiated request.
+func NewRequestReaderWithInitialResponse(c *http.Client, r *http.Request, maxfail uint32, totalsize int64, initialResponse *http.Response) io.ReadCloser {
+	return &requestReader{client: c, request: r, maxFailures: maxfail, totalSize: totalsize, currentResponse: initialResponse, waitDuration: 5 * time.Second}
+}
+
+func (r *requestReader) Read(p []byte) (n int, err error) {
+	if r.client == nil || r.request == nil {
+		return 0, fmt.Errorf("client and request can't be nil")
+	}
+	isFreshRequest := false
+	if r.lastRange != 0 && r.currentResponse == nil {
+		readRange := fmt.Sprintf("bytes=%d-%d", r.lastRange, r.totalSize)
+		r.request.Header.Set("Range", readRange)
+		time.Sleep(r.waitDuration)
+	}
+	if r.currentResponse == nil {
+		r.currentResponse, err = r.client.Do(r.request)
+		isFreshRequest = true
+	}
+	if err != nil && r.failures+1 != r.maxFailures {
+		r.cleanUpResponse()
+		r.failures++
+		time.Sleep(time.Duration(r.failures) * r.waitDuration)
+		return 0, nil
+	} else if err != nil {
+		r.cleanUpResponse()
+		return 0, err
+	}
+	if r.currentResponse.StatusCode == 416 && r.lastRange == r.totalSize && r.currentResponse.ContentLength == 0 {
+		r.cleanUpResponse()
+		return 0, io.EOF
+	} else if r.currentResponse.StatusCode != 206 && r.lastRange != 0 && isFreshRequest {
+		r.cleanUpResponse()
+		return 0, fmt.Errorf("the server doesn't support byte ranges")
+	}
+	if r.totalSize == 0 {
+		r.totalSize = r.currentResponse.ContentLength
+	} else if r.totalSize <= 0 {
+		r.cleanUpResponse()
+		return 0, fmt.Errorf("failed to auto detect content length")
+	}
+	n, err = r.currentResponse.Body.Read(p)
+	r.lastRange += int64(n)
+	if err != nil {
+		r.cleanUpResponse()
+	}
+	if err != nil && err != io.EOF {
+		logrus.Infof("encountered error during pull and clearing it before resume: %s", err)
+		err = nil
+	}
+	return n, err
+}
+
+func (r *requestReader) Close() error {
+	r.cleanUpResponse()
+	r.client = nil
+	r.request = nil
+	return nil
+}
+
+func (r *requestReader) cleanUpResponse() {
+	if r.currentResponse != nil {
+		r.currentResponse.Body.Close()
+		r.currentResponse = nil
+	}
+}
diff --git a/engine/registry/resumable/resumablerequestreader_test.go b/engine/registry/resumable/resumablerequestreader_test.go
new file mode 100644
index 00000000..c72c210e
--- /dev/null
+++ b/engine/registry/resumable/resumablerequestreader_test.go
@@ -0,0 +1,257 @@
+package resumable // import "github.com/docker/docker/registry/resumable"
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestResumableRequestHeaderSimpleErrors(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, "Hello, world !")
+	}))
+	defer ts.Close()
+
+	client := &http.Client{}
+
+	var req *http.Request
+	req, err := http.NewRequest("GET", ts.URL, nil)
+	assert.NilError(t, err)
+
+	resreq := &requestReader{}
+	_, err = resreq.Read([]byte{})
+	assert.Check(t, is.Error(err, "client and request can't be nil"))
+
+	resreq = &requestReader{
+		client:    client,
+		request:   req,
+		totalSize: -1,
+	}
+	_, err = resreq.Read([]byte{})
+	assert.Check(t, is.Error(err, "failed to auto detect content length"))
+}
+
+// Not too much failures, bails out after some wait
+func TestResumableRequestHeaderNotTooMuchFailures(t *testing.T) {
+	client := &http.Client{}
+
+	var badReq *http.Request
+	badReq, err := http.NewRequest("GET", "I'm not an url", nil)
+	assert.NilError(t, err)
+
+	resreq := &requestReader{
+		client:       client,
+		request:      badReq,
+		failures:     0,
+		maxFailures:  2,
+		waitDuration: 10 * time.Millisecond,
+	}
+	read, err := resreq.Read([]byte{})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(0, read))
+}
+
+// Too much failures, returns the error
+func TestResumableRequestHeaderTooMuchFailures(t *testing.T) {
+	client := &http.Client{}
+
+	var badReq *http.Request
+	badReq, err := http.NewRequest("GET", "I'm not an url", nil)
+	assert.NilError(t, err)
+
+	resreq := &requestReader{
+		client:      client,
+		request:     badReq,
+		failures:    0,
+		maxFailures: 1,
+	}
+	defer resreq.Close()
+
+	expectedError := `Get I%27m%20not%20an%20url: unsupported protocol scheme ""`
+	read, err := resreq.Read([]byte{})
+	assert.Check(t, is.Error(err, expectedError))
+	assert.Check(t, is.Equal(0, read))
+}
+
+type errorReaderCloser struct{}
+
+func (errorReaderCloser) Close() error { return nil }
+
+func (errorReaderCloser) Read(p []byte) (n int, err error) {
+	return 0, fmt.Errorf("An error occurred")
+}
+
+// If an unknown error is encountered, return 0, nil and log it
+func TestResumableRequestReaderWithReadError(t *testing.T) {
+	var req *http.Request
+	req, err := http.NewRequest("GET", "", nil)
+	assert.NilError(t, err)
+
+	client := &http.Client{}
+
+	response := &http.Response{
+		Status:        "500 Internal Server",
+		StatusCode:    500,
+		ContentLength: 0,
+		Close:         true,
+		Body:          errorReaderCloser{},
+	}
+
+	resreq := &requestReader{
+		client:          client,
+		request:         req,
+		currentResponse: response,
+		lastRange:       1,
+		totalSize:       1,
+	}
+	defer resreq.Close()
+
+	buf := make([]byte, 1)
+	read, err := resreq.Read(buf)
+	assert.NilError(t, err)
+
+	assert.Check(t, is.Equal(0, read))
+}
+
+func TestResumableRequestReaderWithEOFWith416Response(t *testing.T) {
+	var req *http.Request
+	req, err := http.NewRequest("GET", "", nil)
+	assert.NilError(t, err)
+
+	client := &http.Client{}
+
+	response := &http.Response{
+		Status:        "416 Requested Range Not Satisfiable",
+		StatusCode:    416,
+		ContentLength: 0,
+		Close:         true,
+		Body:          ioutil.NopCloser(strings.NewReader("")),
+	}
+
+	resreq := &requestReader{
+		client:          client,
+		request:         req,
+		currentResponse: response,
+		lastRange:       1,
+		totalSize:       1,
+	}
+	defer resreq.Close()
+
+	buf := make([]byte, 1)
+	_, err = resreq.Read(buf)
+	assert.Check(t, is.Error(err, io.EOF.Error()))
+}
+
+func TestResumableRequestReaderWithServerDoesntSupportByteRanges(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Header.Get("Range") == "" {
+			t.Fatalf("Expected a Range HTTP header, got nothing")
+		}
+	}))
+	defer ts.Close()
+
+	var req *http.Request
+	req, err := http.NewRequest("GET", ts.URL, nil)
+	assert.NilError(t, err)
+
+	client := &http.Client{}
+
+	resreq := &requestReader{
+		client:    client,
+		request:   req,
+		lastRange: 1,
+	}
+	defer resreq.Close()
+
+	buf := make([]byte, 2)
+	_, err = resreq.Read(buf)
+	assert.Check(t, is.Error(err, "the server doesn't support byte ranges"))
+}
+
+func TestResumableRequestReaderWithZeroTotalSize(t *testing.T) {
+	srvtxt := "some response text data"
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, srvtxt)
+	}))
+	defer ts.Close()
+
+	var req *http.Request
+	req, err := http.NewRequest("GET", ts.URL, nil)
+	assert.NilError(t, err)
+
+	client := &http.Client{}
+	retries := uint32(5)
+
+	resreq := NewRequestReader(client, req, retries, 0)
+	defer resreq.Close()
+
+	data, err := ioutil.ReadAll(resreq)
+	assert.NilError(t, err)
+
+	resstr := strings.TrimSuffix(string(data), "\n")
+	assert.Check(t, is.Equal(srvtxt, resstr))
+}
+
+func TestResumableRequestReader(t *testing.T) {
+	srvtxt := "some response text data"
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, srvtxt)
+	}))
+	defer ts.Close()
+
+	var req *http.Request
+	req, err := http.NewRequest("GET", ts.URL, nil)
+	assert.NilError(t, err)
+
+	client := &http.Client{}
+	retries := uint32(5)
+	imgSize := int64(len(srvtxt))
+
+	resreq := NewRequestReader(client, req, retries, imgSize)
+	defer resreq.Close()
+
+	data, err := ioutil.ReadAll(resreq)
+	assert.NilError(t, err)
+
+	resstr := strings.TrimSuffix(string(data), "\n")
+	assert.Check(t, is.Equal(srvtxt, resstr))
+}
+
+func TestResumableRequestReaderWithInitialResponse(t *testing.T) {
+	srvtxt := "some response text data"
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintln(w, srvtxt)
+	}))
+	defer ts.Close()
+
+	var req *http.Request
+	req, err := http.NewRequest("GET", ts.URL, nil)
+	assert.NilError(t, err)
+
+	client := &http.Client{}
+	retries := uint32(5)
+	imgSize := int64(len(srvtxt))
+
+	res, err := client.Do(req)
+	assert.NilError(t, err)
+
+	resreq := NewRequestReaderWithInitialResponse(client, req, retries, imgSize, res)
+	defer resreq.Close()
+
+	data, err := ioutil.ReadAll(resreq)
+	assert.NilError(t, err)
+
+	resstr := strings.TrimSuffix(string(data), "\n")
+	assert.Check(t, is.Equal(srvtxt, resstr))
+}
diff --git a/engine/registry/service.go b/engine/registry/service.go
new file mode 100644
index 00000000..b441970f
--- /dev/null
+++ b/engine/registry/service.go
@@ -0,0 +1,328 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"context"
+	"crypto/tls"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	// DefaultSearchLimit is the default value for maximum number of returned search results.
+	DefaultSearchLimit = 25
+)
+
+// Service is the interface defining what a registry service should implement.
+type Service interface {
+	Auth(ctx context.Context, authConfig *types.AuthConfig, userAgent string) (status, token string, err error)
+	LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error)
+	LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error)
+	ResolveRepository(name reference.Named) (*RepositoryInfo, error)
+	Search(ctx context.Context, term string, limit int, authConfig *types.AuthConfig, userAgent string, headers map[string][]string) (*registrytypes.SearchResults, error)
+	ServiceConfig() *registrytypes.ServiceConfig
+	TLSConfig(hostname string) (*tls.Config, error)
+	LoadAllowNondistributableArtifacts([]string) error
+	LoadMirrors([]string) error
+	LoadInsecureRegistries([]string) error
+}
+
+// DefaultService is a registry service. It tracks configuration data such as a list
+// of mirrors.
+type DefaultService struct {
+	config *serviceConfig
+	mu     sync.Mutex
+}
+
+// NewService returns a new instance of DefaultService ready to be
+// installed into an engine.
+func NewService(options ServiceOptions) (*DefaultService, error) {
+	config, err := newServiceConfig(options)
+
+	return &DefaultService{config: config}, err
+}
+
+// ServiceConfig returns the public registry service configuration.
+func (s *DefaultService) ServiceConfig() *registrytypes.ServiceConfig {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	servConfig := registrytypes.ServiceConfig{
+		AllowNondistributableArtifactsCIDRs:     make([]*(registrytypes.NetIPNet), 0),
+		AllowNondistributableArtifactsHostnames: make([]string, 0),
+		InsecureRegistryCIDRs:                   make([]*(registrytypes.NetIPNet), 0),
+		IndexConfigs:                            make(map[string]*(registrytypes.IndexInfo)),
+		Mirrors:                                 make([]string, 0),
+	}
+
+	// construct a new ServiceConfig which will not retrieve s.Config directly,
+	// and look up items in s.config with mu locked
+	servConfig.AllowNondistributableArtifactsCIDRs = append(servConfig.AllowNondistributableArtifactsCIDRs, s.config.ServiceConfig.AllowNondistributableArtifactsCIDRs...)
+	servConfig.AllowNondistributableArtifactsHostnames = append(servConfig.AllowNondistributableArtifactsHostnames, s.config.ServiceConfig.AllowNondistributableArtifactsHostnames...)
+	servConfig.InsecureRegistryCIDRs = append(servConfig.InsecureRegistryCIDRs, s.config.ServiceConfig.InsecureRegistryCIDRs...)
+
+	for key, value := range s.config.ServiceConfig.IndexConfigs {
+		servConfig.IndexConfigs[key] = value
+	}
+
+	servConfig.Mirrors = append(servConfig.Mirrors, s.config.ServiceConfig.Mirrors...)
+
+	return &servConfig
+}
+
+// LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries for Service.
+func (s *DefaultService) LoadAllowNondistributableArtifacts(registries []string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	return s.config.LoadAllowNondistributableArtifacts(registries)
+}
+
+// LoadMirrors loads registry mirrors for Service
+func (s *DefaultService) LoadMirrors(mirrors []string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	return s.config.LoadMirrors(mirrors)
+}
+
+// LoadInsecureRegistries loads insecure registries for Service
+func (s *DefaultService) LoadInsecureRegistries(registries []string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	return s.config.LoadInsecureRegistries(registries)
+}
+
+// Auth contacts the public registry with the provided credentials,
+// and returns OK if authentication was successful.
+// It can be used to verify the validity of a client's credentials.
+func (s *DefaultService) Auth(ctx context.Context, authConfig *types.AuthConfig, userAgent string) (status, token string, err error) {
+	// TODO Use ctx when searching for repositories
+	serverAddress := authConfig.ServerAddress
+	if serverAddress == "" {
+		serverAddress = IndexServer
+	}
+	if !strings.HasPrefix(serverAddress, "https://") && !strings.HasPrefix(serverAddress, "http://") {
+		serverAddress = "https://" + serverAddress
+	}
+	u, err := url.Parse(serverAddress)
+	if err != nil {
+		return "", "", errdefs.InvalidParameter(errors.Errorf("unable to parse server address: %v", err))
+	}
+
+	endpoints, err := s.LookupPushEndpoints(u.Host)
+	if err != nil {
+		return "", "", errdefs.InvalidParameter(err)
+	}
+
+	for _, endpoint := range endpoints {
+		login := loginV2
+		if endpoint.Version == APIVersion1 {
+			login = loginV1
+		}
+
+		status, token, err = login(authConfig, endpoint, userAgent)
+		if err == nil {
+			return
+		}
+		if fErr, ok := err.(fallbackError); ok {
+			err = fErr.err
+			logrus.Infof("Error logging in to %s endpoint, trying next endpoint: %v", endpoint.Version, err)
+			continue
+		}
+
+		return "", "", err
+	}
+
+	return "", "", err
+}
+
+// splitReposSearchTerm breaks a search term into an index name and remote name
+func splitReposSearchTerm(reposName string) (string, string) {
+	nameParts := strings.SplitN(reposName, "/", 2)
+	var indexName, remoteName string
+	if len(nameParts) == 1 || (!strings.Contains(nameParts[0], ".") &&
+		!strings.Contains(nameParts[0], ":") && nameParts[0] != "localhost") {
+		// This is a Docker Index repos (ex: samalba/hipache or ubuntu)
+		// 'docker.io'
+		indexName = IndexName
+		remoteName = reposName
+	} else {
+		indexName = nameParts[0]
+		remoteName = nameParts[1]
+	}
+	return indexName, remoteName
+}
+
+// Search queries the public registry for images matching the specified
+// search terms, and returns the results.
+func (s *DefaultService) Search(ctx context.Context, term string, limit int, authConfig *types.AuthConfig, userAgent string, headers map[string][]string) (*registrytypes.SearchResults, error) {
+	// TODO Use ctx when searching for repositories
+	if err := validateNoScheme(term); err != nil {
+		return nil, err
+	}
+
+	indexName, remoteName := splitReposSearchTerm(term)
+
+	// Search is a long-running operation, just lock s.config to avoid block others.
+	s.mu.Lock()
+	index, err := newIndexInfo(s.config, indexName)
+	s.mu.Unlock()
+
+	if err != nil {
+		return nil, err
+	}
+
+	// *TODO: Search multiple indexes.
+	endpoint, err := NewV1Endpoint(index, userAgent, http.Header(headers))
+	if err != nil {
+		return nil, err
+	}
+
+	var client *http.Client
+	if authConfig != nil && authConfig.IdentityToken != "" && authConfig.Username != "" {
+		creds := NewStaticCredentialStore(authConfig)
+		scopes := []auth.Scope{
+			auth.RegistryScope{
+				Name:    "catalog",
+				Actions: []string{"search"},
+			},
+		}
+
+		modifiers := Headers(userAgent, nil)
+		v2Client, foundV2, err := v2AuthHTTPClient(endpoint.URL, endpoint.client.Transport, modifiers, creds, scopes)
+		if err != nil {
+			if fErr, ok := err.(fallbackError); ok {
+				logrus.Errorf("Cannot use identity token for search, v2 auth not supported: %v", fErr.err)
+			} else {
+				return nil, err
+			}
+		} else if foundV2 {
+			// Copy non transport http client features
+			v2Client.Timeout = endpoint.client.Timeout
+			v2Client.CheckRedirect = endpoint.client.CheckRedirect
+			v2Client.Jar = endpoint.client.Jar
+
+			logrus.Debugf("using v2 client for search to %s", endpoint.URL)
+			client = v2Client
+		}
+	}
+
+	if client == nil {
+		client = endpoint.client
+		if err := authorizeClient(client, authConfig, endpoint); err != nil {
+			return nil, err
+		}
+	}
+
+	r := newSession(client, authConfig, endpoint)
+
+	if index.Official {
+		localName := remoteName
+		if strings.HasPrefix(localName, "library/") {
+			// If pull "library/foo", it's stored locally under "foo"
+			localName = strings.SplitN(localName, "/", 2)[1]
+		}
+
+		return r.SearchRepositories(localName, limit)
+	}
+	return r.SearchRepositories(remoteName, limit)
+}
+
+// ResolveRepository splits a repository name into its components
+// and configuration of the associated registry.
+func (s *DefaultService) ResolveRepository(name reference.Named) (*RepositoryInfo, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return newRepositoryInfo(s.config, name)
+}
+
+// APIEndpoint represents a remote API endpoint
+type APIEndpoint struct {
+	Mirror                         bool
+	URL                            *url.URL
+	Version                        APIVersion
+	AllowNondistributableArtifacts bool
+	Official                       bool
+	TrimHostname                   bool
+	TLSConfig                      *tls.Config
+}
+
+// ToV1Endpoint returns a V1 API endpoint based on the APIEndpoint
+func (e APIEndpoint) ToV1Endpoint(userAgent string, metaHeaders http.Header) *V1Endpoint {
+	return newV1Endpoint(*e.URL, e.TLSConfig, userAgent, metaHeaders)
+}
+
+// TLSConfig constructs a client TLS configuration based on server defaults
+func (s *DefaultService) TLSConfig(hostname string) (*tls.Config, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	return newTLSConfig(hostname, isSecureIndex(s.config, hostname))
+}
+
+// tlsConfig constructs a client TLS configuration based on server defaults
+func (s *DefaultService) tlsConfig(hostname string) (*tls.Config, error) {
+	return newTLSConfig(hostname, isSecureIndex(s.config, hostname))
+}
+
+func (s *DefaultService) tlsConfigForMirror(mirrorURL *url.URL) (*tls.Config, error) {
+	return s.tlsConfig(mirrorURL.Host)
+}
+
+// LookupPullEndpoints creates a list of endpoints to try to pull from, in order of preference.
+// It gives preference to v2 endpoints over v1, mirrors over the actual
+// registry, and HTTPS over plain HTTP.
+func (s *DefaultService) LookupPullEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	return s.lookupEndpoints(hostname)
+}
+
+// LookupPushEndpoints creates a list of endpoints to try to push to, in order of preference.
+// It gives preference to v2 endpoints over v1, and HTTPS over plain HTTP.
+// Mirrors are not included.
+func (s *DefaultService) LookupPushEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	allEndpoints, err := s.lookupEndpoints(hostname)
+	if err == nil {
+		for _, endpoint := range allEndpoints {
+			if !endpoint.Mirror {
+				endpoints = append(endpoints, endpoint)
+			}
+		}
+	}
+	return endpoints, err
+}
+
+func (s *DefaultService) lookupEndpoints(hostname string) (endpoints []APIEndpoint, err error) {
+	endpoints, err = s.lookupV2Endpoints(hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	if s.config.V2Only {
+		return endpoints, nil
+	}
+
+	legacyEndpoints, err := s.lookupV1Endpoints(hostname)
+	if err != nil {
+		return nil, err
+	}
+	endpoints = append(endpoints, legacyEndpoints...)
+
+	return endpoints, nil
+}
diff --git a/engine/registry/service_v1.go b/engine/registry/service_v1.go
new file mode 100644
index 00000000..d955ec51
--- /dev/null
+++ b/engine/registry/service_v1.go
@@ -0,0 +1,40 @@
+package registry // import "github.com/docker/docker/registry"
+
+import "net/url"
+
+func (s *DefaultService) lookupV1Endpoints(hostname string) (endpoints []APIEndpoint, err error) {
+	if hostname == DefaultNamespace || hostname == DefaultV2Registry.Host || hostname == IndexHostname {
+		return []APIEndpoint{}, nil
+	}
+
+	tlsConfig, err := s.tlsConfig(hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	endpoints = []APIEndpoint{
+		{
+			URL: &url.URL{
+				Scheme: "https",
+				Host:   hostname,
+			},
+			Version:      APIVersion1,
+			TrimHostname: true,
+			TLSConfig:    tlsConfig,
+		},
+	}
+
+	if tlsConfig.InsecureSkipVerify {
+		endpoints = append(endpoints, APIEndpoint{ // or this
+			URL: &url.URL{
+				Scheme: "http",
+				Host:   hostname,
+			},
+			Version:      APIVersion1,
+			TrimHostname: true,
+			// used to check if supposed to be secure via InsecureSkipVerify
+			TLSConfig: tlsConfig,
+		})
+	}
+	return endpoints, nil
+}
diff --git a/engine/registry/service_v1_test.go b/engine/registry/service_v1_test.go
new file mode 100644
index 00000000..11861f7c
--- /dev/null
+++ b/engine/registry/service_v1_test.go
@@ -0,0 +1,32 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"os"
+	"testing"
+
+	"gotest.tools/skip"
+)
+
+func TestLookupV1Endpoints(t *testing.T) {
+	skip.If(t, os.Getuid() != 0, "skipping test that requires root")
+	s, err := NewService(ServiceOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cases := []struct {
+		hostname    string
+		expectedLen int
+	}{
+		{"example.com", 1},
+		{DefaultNamespace, 0},
+		{DefaultV2Registry.Host, 0},
+		{IndexHostname, 0},
+	}
+
+	for _, c := range cases {
+		if ret, err := s.lookupV1Endpoints(c.hostname); err != nil || len(ret) != c.expectedLen {
+			t.Errorf("lookupV1Endpoints(`"+c.hostname+"`) returned %+v and %+v", ret, err)
+		}
+	}
+}
diff --git a/engine/registry/service_v2.go b/engine/registry/service_v2.go
new file mode 100644
index 00000000..3a56dc91
--- /dev/null
+++ b/engine/registry/service_v2.go
@@ -0,0 +1,82 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"net/url"
+	"strings"
+
+	"github.com/docker/go-connections/tlsconfig"
+)
+
+func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndpoint, err error) {
+	tlsConfig := tlsconfig.ServerDefault()
+	if hostname == DefaultNamespace || hostname == IndexHostname {
+		// v2 mirrors
+		for _, mirror := range s.config.Mirrors {
+			if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
+				mirror = "https://" + mirror
+			}
+			mirrorURL, err := url.Parse(mirror)
+			if err != nil {
+				return nil, err
+			}
+			mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL)
+			if err != nil {
+				return nil, err
+			}
+			endpoints = append(endpoints, APIEndpoint{
+				URL: mirrorURL,
+				// guess mirrors are v2
+				Version:      APIVersion2,
+				Mirror:       true,
+				TrimHostname: true,
+				TLSConfig:    mirrorTLSConfig,
+			})
+		}
+		// v2 registry
+		endpoints = append(endpoints, APIEndpoint{
+			URL:          DefaultV2Registry,
+			Version:      APIVersion2,
+			Official:     true,
+			TrimHostname: true,
+			TLSConfig:    tlsConfig,
+		})
+
+		return endpoints, nil
+	}
+
+	ana := allowNondistributableArtifacts(s.config, hostname)
+
+	tlsConfig, err = s.tlsConfig(hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	endpoints = []APIEndpoint{
+		{
+			URL: &url.URL{
+				Scheme: "https",
+				Host:   hostname,
+			},
+			Version: APIVersion2,
+			AllowNondistributableArtifacts: ana,
+			TrimHostname:                   true,
+			TLSConfig:                      tlsConfig,
+		},
+	}
+
+	if tlsConfig.InsecureSkipVerify {
+		endpoints = append(endpoints, APIEndpoint{
+			URL: &url.URL{
+				Scheme: "http",
+				Host:   hostname,
+			},
+			Version: APIVersion2,
+			AllowNondistributableArtifacts: ana,
+			TrimHostname:                   true,
+			// used to check if supposed to be secure via InsecureSkipVerify
+			TLSConfig: tlsConfig,
+		})
+	}
+
+	return endpoints, nil
+}
diff --git a/engine/registry/session.go b/engine/registry/session.go
new file mode 100644
index 00000000..ef142995
--- /dev/null
+++ b/engine/registry/session.go
@@ -0,0 +1,779 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"bytes"
+	"crypto/sha256"
+	// this is required for some certificates
+	_ "crypto/sha512"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/http/cookiejar"
+	"net/url"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/docker/distribution/reference"
+	"github.com/docker/distribution/registry/api/errcode"
+	"github.com/docker/docker/api/types"
+	registrytypes "github.com/docker/docker/api/types/registry"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/jsonmessage"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/pkg/tarsum"
+	"github.com/docker/docker/registry/resumable"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// ErrRepoNotFound is returned if the repository didn't exist on the
+	// remote side
+	ErrRepoNotFound notFoundError = "Repository not found"
+)
+
+// A Session is used to communicate with a V1 registry
+type Session struct {
+	indexEndpoint *V1Endpoint
+	client        *http.Client
+	// TODO(tiborvass): remove authConfig
+	authConfig *types.AuthConfig
+	id         string
+}
+
+type authTransport struct {
+	http.RoundTripper
+	*types.AuthConfig
+
+	alwaysSetBasicAuth bool
+	token              []string
+
+	mu     sync.Mutex                      // guards modReq
+	modReq map[*http.Request]*http.Request // original -> modified
+}
+
+// AuthTransport handles the auth layer when communicating with a v1 registry (private or official)
+//
+// For private v1 registries, set alwaysSetBasicAuth to true.
+//
+// For the official v1 registry, if there isn't already an Authorization header in the request,
+// but there is an X-Docker-Token header set to true, then Basic Auth will be used to set the Authorization header.
+// After sending the request with the provided base http.RoundTripper, if an X-Docker-Token header, representing
+// a token, is present in the response, then it gets cached and sent in the Authorization header of all subsequent
+// requests.
+//
+// If the server sends a token without the client having requested it, it is ignored.
+//
+// This RoundTripper also has a CancelRequest method important for correct timeout handling.
+func AuthTransport(base http.RoundTripper, authConfig *types.AuthConfig, alwaysSetBasicAuth bool) http.RoundTripper {
+	if base == nil {
+		base = http.DefaultTransport
+	}
+	return &authTransport{
+		RoundTripper:       base,
+		AuthConfig:         authConfig,
+		alwaysSetBasicAuth: alwaysSetBasicAuth,
+		modReq:             make(map[*http.Request]*http.Request),
+	}
+}
+
+// cloneRequest returns a clone of the provided *http.Request.
+// The clone is a shallow copy of the struct and its Header map.
+func cloneRequest(r *http.Request) *http.Request {
+	// shallow copy of the struct
+	r2 := new(http.Request)
+	*r2 = *r
+	// deep copy of the Header
+	r2.Header = make(http.Header, len(r.Header))
+	for k, s := range r.Header {
+		r2.Header[k] = append([]string(nil), s...)
+	}
+
+	return r2
+}
+
+// RoundTrip changes an HTTP request's headers to add the necessary
+// authentication-related headers
+func (tr *authTransport) RoundTrip(orig *http.Request) (*http.Response, error) {
+	// Authorization should not be set on 302 redirect for untrusted locations.
+	// This logic mirrors the behavior in addRequiredHeadersToRedirectedRequests.
+	// As the authorization logic is currently implemented in RoundTrip,
+	// a 302 redirect is detected by looking at the Referrer header as go http package adds said header.
+	// This is safe as Docker doesn't set Referrer in other scenarios.
+	if orig.Header.Get("Referer") != "" && !trustedLocation(orig) {
+		return tr.RoundTripper.RoundTrip(orig)
+	}
+
+	req := cloneRequest(orig)
+	tr.mu.Lock()
+	tr.modReq[orig] = req
+	tr.mu.Unlock()
+
+	if tr.alwaysSetBasicAuth {
+		if tr.AuthConfig == nil {
+			return nil, errors.New("unexpected error: empty auth config")
+		}
+		req.SetBasicAuth(tr.Username, tr.Password)
+		return tr.RoundTripper.RoundTrip(req)
+	}
+
+	// Don't override
+	if req.Header.Get("Authorization") == "" {
+		if req.Header.Get("X-Docker-Token") == "true" && tr.AuthConfig != nil && len(tr.Username) > 0 {
+			req.SetBasicAuth(tr.Username, tr.Password)
+		} else if len(tr.token) > 0 {
+			req.Header.Set("Authorization", "Token "+strings.Join(tr.token, ","))
+		}
+	}
+	resp, err := tr.RoundTripper.RoundTrip(req)
+	if err != nil {
+		delete(tr.modReq, orig)
+		return nil, err
+	}
+	if len(resp.Header["X-Docker-Token"]) > 0 {
+		tr.token = resp.Header["X-Docker-Token"]
+	}
+	resp.Body = &ioutils.OnEOFReader{
+		Rc: resp.Body,
+		Fn: func() {
+			tr.mu.Lock()
+			delete(tr.modReq, orig)
+			tr.mu.Unlock()
+		},
+	}
+	return resp, nil
+}
+
+// CancelRequest cancels an in-flight request by closing its connection.
+func (tr *authTransport) CancelRequest(req *http.Request) {
+	type canceler interface {
+		CancelRequest(*http.Request)
+	}
+	if cr, ok := tr.RoundTripper.(canceler); ok {
+		tr.mu.Lock()
+		modReq := tr.modReq[req]
+		delete(tr.modReq, req)
+		tr.mu.Unlock()
+		cr.CancelRequest(modReq)
+	}
+}
+
+func authorizeClient(client *http.Client, authConfig *types.AuthConfig, endpoint *V1Endpoint) error {
+	var alwaysSetBasicAuth bool
+
+	// If we're working with a standalone private registry over HTTPS, send Basic Auth headers
+	// alongside all our requests.
+	if endpoint.String() != IndexServer && endpoint.URL.Scheme == "https" {
+		info, err := endpoint.Ping()
+		if err != nil {
+			return err
+		}
+		if info.Standalone && authConfig != nil {
+			logrus.Debugf("Endpoint %s is eligible for private registry. Enabling decorator.", endpoint.String())
+			alwaysSetBasicAuth = true
+		}
+	}
+
+	// Annotate the transport unconditionally so that v2 can
+	// properly fallback on v1 when an image is not found.
+	client.Transport = AuthTransport(client.Transport, authConfig, alwaysSetBasicAuth)
+
+	jar, err := cookiejar.New(nil)
+	if err != nil {
+		return errors.New("cookiejar.New is not supposed to return an error")
+	}
+	client.Jar = jar
+
+	return nil
+}
+
+func newSession(client *http.Client, authConfig *types.AuthConfig, endpoint *V1Endpoint) *Session {
+	return &Session{
+		authConfig:    authConfig,
+		client:        client,
+		indexEndpoint: endpoint,
+		id:            stringid.GenerateRandomID(),
+	}
+}
+
+// NewSession creates a new session
+// TODO(tiborvass): remove authConfig param once registry client v2 is vendored
+func NewSession(client *http.Client, authConfig *types.AuthConfig, endpoint *V1Endpoint) (*Session, error) {
+	if err := authorizeClient(client, authConfig, endpoint); err != nil {
+		return nil, err
+	}
+
+	return newSession(client, authConfig, endpoint), nil
+}
+
+// ID returns this registry session's ID.
+func (r *Session) ID() string {
+	return r.id
+}
+
+// GetRemoteHistory retrieves the history of a given image from the registry.
+// It returns a list of the parent's JSON files (including the requested image).
+func (r *Session) GetRemoteHistory(imgID, registry string) ([]string, error) {
+	res, err := r.client.Get(registry + "images/" + imgID + "/ancestry")
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		if res.StatusCode == 401 {
+			return nil, errcode.ErrorCodeUnauthorized.WithArgs()
+		}
+		return nil, newJSONError(fmt.Sprintf("Server error: %d trying to fetch remote history for %s", res.StatusCode, imgID), res)
+	}
+
+	var history []string
+	if err := json.NewDecoder(res.Body).Decode(&history); err != nil {
+		return nil, fmt.Errorf("Error while reading the http response: %v", err)
+	}
+
+	logrus.Debugf("Ancestry: %v", history)
+	return history, nil
+}
+
+// LookupRemoteImage checks if an image exists in the registry
+func (r *Session) LookupRemoteImage(imgID, registry string) error {
+	res, err := r.client.Get(registry + "images/" + imgID + "/json")
+	if err != nil {
+		return err
+	}
+	res.Body.Close()
+	if res.StatusCode != 200 {
+		return newJSONError(fmt.Sprintf("HTTP code %d", res.StatusCode), res)
+	}
+	return nil
+}
+
+// GetRemoteImageJSON retrieves an image's JSON metadata from the registry.
+func (r *Session) GetRemoteImageJSON(imgID, registry string) ([]byte, int64, error) {
+	res, err := r.client.Get(registry + "images/" + imgID + "/json")
+	if err != nil {
+		return nil, -1, fmt.Errorf("Failed to download json: %s", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		return nil, -1, newJSONError(fmt.Sprintf("HTTP code %d", res.StatusCode), res)
+	}
+	// if the size header is not present, then set it to '-1'
+	imageSize := int64(-1)
+	if hdr := res.Header.Get("X-Docker-Size"); hdr != "" {
+		imageSize, err = strconv.ParseInt(hdr, 10, 64)
+		if err != nil {
+			return nil, -1, err
+		}
+	}
+
+	jsonString, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, -1, fmt.Errorf("Failed to parse downloaded json: %v (%s)", err, jsonString)
+	}
+	return jsonString, imageSize, nil
+}
+
+// GetRemoteImageLayer retrieves an image layer from the registry
+func (r *Session) GetRemoteImageLayer(imgID, registry string, imgSize int64) (io.ReadCloser, error) {
+	var (
+		statusCode = 0
+		res        *http.Response
+		err        error
+		imageURL   = fmt.Sprintf("%simages/%s/layer", registry, imgID)
+	)
+
+	req, err := http.NewRequest("GET", imageURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("Error while getting from the server: %v", err)
+	}
+
+	res, err = r.client.Do(req)
+	if err != nil {
+		logrus.Debugf("Error contacting registry %s: %v", registry, err)
+		// the only case err != nil && res != nil is https://golang.org/src/net/http/client.go#L515
+		if res != nil {
+			if res.Body != nil {
+				res.Body.Close()
+			}
+			statusCode = res.StatusCode
+		}
+		return nil, fmt.Errorf("Server error: Status %d while fetching image layer (%s)",
+			statusCode, imgID)
+	}
+
+	if res.StatusCode != 200 {
+		res.Body.Close()
+		return nil, fmt.Errorf("Server error: Status %d while fetching image layer (%s)",
+			res.StatusCode, imgID)
+	}
+
+	if res.Header.Get("Accept-Ranges") == "bytes" && imgSize > 0 {
+		logrus.Debug("server supports resume")
+		return resumable.NewRequestReaderWithInitialResponse(r.client, req, 5, imgSize, res), nil
+	}
+	logrus.Debug("server doesn't support resume")
+	return res.Body, nil
+}
+
+// GetRemoteTag retrieves the tag named in the askedTag argument from the given
+// repository. It queries each of the registries supplied in the registries
+// argument, and returns data from the first one that answers the query
+// successfully.
+func (r *Session) GetRemoteTag(registries []string, repositoryRef reference.Named, askedTag string) (string, error) {
+	repository := reference.Path(repositoryRef)
+
+	if strings.Count(repository, "/") == 0 {
+		// This will be removed once the registry supports auto-resolution on
+		// the "library" namespace
+		repository = "library/" + repository
+	}
+	for _, host := range registries {
+		endpoint := fmt.Sprintf("%srepositories/%s/tags/%s", host, repository, askedTag)
+		res, err := r.client.Get(endpoint)
+		if err != nil {
+			return "", err
+		}
+
+		logrus.Debugf("Got status code %d from %s", res.StatusCode, endpoint)
+		defer res.Body.Close()
+
+		if res.StatusCode == 404 {
+			return "", ErrRepoNotFound
+		}
+		if res.StatusCode != 200 {
+			continue
+		}
+
+		var tagID string
+		if err := json.NewDecoder(res.Body).Decode(&tagID); err != nil {
+			return "", err
+		}
+		return tagID, nil
+	}
+	return "", fmt.Errorf("Could not reach any registry endpoint")
+}
+
+// GetRemoteTags retrieves all tags from the given repository. It queries each
+// of the registries supplied in the registries argument, and returns data from
+// the first one that answers the query successfully. It returns a map with
+// tag names as the keys and image IDs as the values.
+func (r *Session) GetRemoteTags(registries []string, repositoryRef reference.Named) (map[string]string, error) {
+	repository := reference.Path(repositoryRef)
+
+	if strings.Count(repository, "/") == 0 {
+		// This will be removed once the registry supports auto-resolution on
+		// the "library" namespace
+		repository = "library/" + repository
+	}
+	for _, host := range registries {
+		endpoint := fmt.Sprintf("%srepositories/%s/tags", host, repository)
+		res, err := r.client.Get(endpoint)
+		if err != nil {
+			return nil, err
+		}
+
+		logrus.Debugf("Got status code %d from %s", res.StatusCode, endpoint)
+		defer res.Body.Close()
+
+		if res.StatusCode == 404 {
+			return nil, ErrRepoNotFound
+		}
+		if res.StatusCode != 200 {
+			continue
+		}
+
+		result := make(map[string]string)
+		if err := json.NewDecoder(res.Body).Decode(&result); err != nil {
+			return nil, err
+		}
+		return result, nil
+	}
+	return nil, fmt.Errorf("Could not reach any registry endpoint")
+}
+
+func buildEndpointsList(headers []string, indexEp string) ([]string, error) {
+	var endpoints []string
+	parsedURL, err := url.Parse(indexEp)
+	if err != nil {
+		return nil, err
+	}
+	var urlScheme = parsedURL.Scheme
+	// The registry's URL scheme has to match the Index'
+	for _, ep := range headers {
+		epList := strings.Split(ep, ",")
+		for _, epListElement := range epList {
+			endpoints = append(
+				endpoints,
+				fmt.Sprintf("%s://%s/v1/", urlScheme, strings.TrimSpace(epListElement)))
+		}
+	}
+	return endpoints, nil
+}
+
+// GetRepositoryData returns lists of images and endpoints for the repository
+func (r *Session) GetRepositoryData(name reference.Named) (*RepositoryData, error) {
+	repositoryTarget := fmt.Sprintf("%srepositories/%s/images", r.indexEndpoint.String(), reference.Path(name))
+
+	logrus.Debugf("[registry] Calling GET %s", repositoryTarget)
+
+	req, err := http.NewRequest("GET", repositoryTarget, nil)
+	if err != nil {
+		return nil, err
+	}
+	// this will set basic auth in r.client.Transport and send cached X-Docker-Token headers for all subsequent requests
+	req.Header.Set("X-Docker-Token", "true")
+	res, err := r.client.Do(req)
+	if err != nil {
+		// check if the error is because of i/o timeout
+		// and return a non-obtuse error message for users
+		// "Get https://index.docker.io/v1/repositories/library/busybox/images: i/o timeout"
+		// was a top search on the docker user forum
+		if isTimeout(err) {
+			return nil, fmt.Errorf("network timed out while trying to connect to %s. You may want to check your internet connection or if you are behind a proxy", repositoryTarget)
+		}
+		return nil, fmt.Errorf("Error while pulling image: %v", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode == 401 {
+		return nil, errcode.ErrorCodeUnauthorized.WithArgs()
+	}
+	// TODO: Right now we're ignoring checksums in the response body.
+	// In the future, we need to use them to check image validity.
+	if res.StatusCode == 404 {
+		return nil, newJSONError(fmt.Sprintf("HTTP code: %d", res.StatusCode), res)
+	} else if res.StatusCode != 200 {
+		errBody, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			logrus.Debugf("Error reading response body: %s", err)
+		}
+		return nil, newJSONError(fmt.Sprintf("Error: Status %d trying to pull repository %s: %q", res.StatusCode, reference.Path(name), errBody), res)
+	}
+
+	var endpoints []string
+	if res.Header.Get("X-Docker-Endpoints") != "" {
+		endpoints, err = buildEndpointsList(res.Header["X-Docker-Endpoints"], r.indexEndpoint.String())
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// Assume the endpoint is on the same host
+		endpoints = append(endpoints, fmt.Sprintf("%s://%s/v1/", r.indexEndpoint.URL.Scheme, req.URL.Host))
+	}
+
+	remoteChecksums := []*ImgData{}
+	if err := json.NewDecoder(res.Body).Decode(&remoteChecksums); err != nil {
+		return nil, err
+	}
+
+	// Forge a better object from the retrieved data
+	imgsData := make(map[string]*ImgData, len(remoteChecksums))
+	for _, elem := range remoteChecksums {
+		imgsData[elem.ID] = elem
+	}
+
+	return &RepositoryData{
+		ImgList:   imgsData,
+		Endpoints: endpoints,
+	}, nil
+}
+
+// PushImageChecksumRegistry uploads checksums for an image
+func (r *Session) PushImageChecksumRegistry(imgData *ImgData, registry string) error {
+	u := registry + "images/" + imgData.ID + "/checksum"
+
+	logrus.Debugf("[registry] Calling PUT %s", u)
+
+	req, err := http.NewRequest("PUT", u, nil)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("X-Docker-Checksum", imgData.Checksum)
+	req.Header.Set("X-Docker-Checksum-Payload", imgData.ChecksumPayload)
+
+	res, err := r.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("Failed to upload metadata: %v", err)
+	}
+	defer res.Body.Close()
+	if len(res.Cookies()) > 0 {
+		r.client.Jar.SetCookies(req.URL, res.Cookies())
+	}
+	if res.StatusCode != 200 {
+		errBody, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			return fmt.Errorf("HTTP code %d while uploading metadata and error when trying to parse response body: %s", res.StatusCode, err)
+		}
+		var jsonBody map[string]string
+		if err := json.Unmarshal(errBody, &jsonBody); err != nil {
+			errBody = []byte(err.Error())
+		} else if jsonBody["error"] == "Image already exists" {
+			return ErrAlreadyExists
+		}
+		return fmt.Errorf("HTTP code %d while uploading metadata: %q", res.StatusCode, errBody)
+	}
+	return nil
+}
+
+// PushImageJSONRegistry pushes JSON metadata for a local image to the registry
+func (r *Session) PushImageJSONRegistry(imgData *ImgData, jsonRaw []byte, registry string) error {
+
+	u := registry + "images/" + imgData.ID + "/json"
+
+	logrus.Debugf("[registry] Calling PUT %s", u)
+
+	req, err := http.NewRequest("PUT", u, bytes.NewReader(jsonRaw))
+	if err != nil {
+		return err
+	}
+	req.Header.Add("Content-type", "application/json")
+
+	res, err := r.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("Failed to upload metadata: %s", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode == 401 && strings.HasPrefix(registry, "http://") {
+		return newJSONError("HTTP code 401, Docker will not send auth headers over HTTP.", res)
+	}
+	if res.StatusCode != 200 {
+		errBody, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			return newJSONError(fmt.Sprintf("HTTP code %d while uploading metadata and error when trying to parse response body: %s", res.StatusCode, err), res)
+		}
+		var jsonBody map[string]string
+		if err := json.Unmarshal(errBody, &jsonBody); err != nil {
+			errBody = []byte(err.Error())
+		} else if jsonBody["error"] == "Image already exists" {
+			return ErrAlreadyExists
+		}
+		return newJSONError(fmt.Sprintf("HTTP code %d while uploading metadata: %q", res.StatusCode, errBody), res)
+	}
+	return nil
+}
+
+// PushImageLayerRegistry sends the checksum of an image layer to the registry
+func (r *Session) PushImageLayerRegistry(imgID string, layer io.Reader, registry string, jsonRaw []byte) (checksum string, checksumPayload string, err error) {
+	u := registry + "images/" + imgID + "/layer"
+
+	logrus.Debugf("[registry] Calling PUT %s", u)
+
+	tarsumLayer, err := tarsum.NewTarSum(layer, false, tarsum.Version0)
+	if err != nil {
+		return "", "", err
+	}
+	h := sha256.New()
+	h.Write(jsonRaw)
+	h.Write([]byte{'\n'})
+	checksumLayer := io.TeeReader(tarsumLayer, h)
+
+	req, err := http.NewRequest("PUT", u, checksumLayer)
+	if err != nil {
+		return "", "", err
+	}
+	req.Header.Add("Content-Type", "application/octet-stream")
+	req.ContentLength = -1
+	req.TransferEncoding = []string{"chunked"}
+	res, err := r.client.Do(req)
+	if err != nil {
+		return "", "", fmt.Errorf("Failed to upload layer: %v", err)
+	}
+	if rc, ok := layer.(io.Closer); ok {
+		if err := rc.Close(); err != nil {
+			return "", "", err
+		}
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != 200 {
+		errBody, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			return "", "", newJSONError(fmt.Sprintf("HTTP code %d while uploading metadata and error when trying to parse response body: %s", res.StatusCode, err), res)
+		}
+		return "", "", newJSONError(fmt.Sprintf("Received HTTP code %d while uploading layer: %q", res.StatusCode, errBody), res)
+	}
+
+	checksumPayload = "sha256:" + hex.EncodeToString(h.Sum(nil))
+	return tarsumLayer.Sum(jsonRaw), checksumPayload, nil
+}
+
+// PushRegistryTag pushes a tag on the registry.
+// Remote has the format '<user>/<repo>
+func (r *Session) PushRegistryTag(remote reference.Named, revision, tag, registry string) error {
+	// "jsonify" the string
+	revision = "\"" + revision + "\""
+	path := fmt.Sprintf("repositories/%s/tags/%s", reference.Path(remote), tag)
+
+	req, err := http.NewRequest("PUT", registry+path, strings.NewReader(revision))
+	if err != nil {
+		return err
+	}
+	req.Header.Add("Content-type", "application/json")
+	req.ContentLength = int64(len(revision))
+	res, err := r.client.Do(req)
+	if err != nil {
+		return err
+	}
+	res.Body.Close()
+	if res.StatusCode != 200 && res.StatusCode != 201 {
+		return newJSONError(fmt.Sprintf("Internal server error: %d trying to push tag %s on %s", res.StatusCode, tag, reference.Path(remote)), res)
+	}
+	return nil
+}
+
+// PushImageJSONIndex uploads an image list to the repository
+func (r *Session) PushImageJSONIndex(remote reference.Named, imgList []*ImgData, validate bool, regs []string) (*RepositoryData, error) {
+	cleanImgList := []*ImgData{}
+	if validate {
+		for _, elem := range imgList {
+			if elem.Checksum != "" {
+				cleanImgList = append(cleanImgList, elem)
+			}
+		}
+	} else {
+		cleanImgList = imgList
+	}
+
+	imgListJSON, err := json.Marshal(cleanImgList)
+	if err != nil {
+		return nil, err
+	}
+	var suffix string
+	if validate {
+		suffix = "images"
+	}
+	u := fmt.Sprintf("%srepositories/%s/%s", r.indexEndpoint.String(), reference.Path(remote), suffix)
+	logrus.Debugf("[registry] PUT %s", u)
+	logrus.Debugf("Image list pushed to index:\n%s", imgListJSON)
+	headers := map[string][]string{
+		"Content-type": {"application/json"},
+		// this will set basic auth in r.client.Transport and send cached X-Docker-Token headers for all subsequent requests
+		"X-Docker-Token": {"true"},
+	}
+	if validate {
+		headers["X-Docker-Endpoints"] = regs
+	}
+
+	// Redirect if necessary
+	var res *http.Response
+	for {
+		if res, err = r.putImageRequest(u, headers, imgListJSON); err != nil {
+			return nil, err
+		}
+		if !shouldRedirect(res) {
+			break
+		}
+		res.Body.Close()
+		u = res.Header.Get("Location")
+		logrus.Debugf("Redirected to %s", u)
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode == 401 {
+		return nil, errcode.ErrorCodeUnauthorized.WithArgs()
+	}
+
+	var tokens, endpoints []string
+	if !validate {
+		if res.StatusCode != 200 && res.StatusCode != 201 {
+			errBody, err := ioutil.ReadAll(res.Body)
+			if err != nil {
+				logrus.Debugf("Error reading response body: %s", err)
+			}
+			return nil, newJSONError(fmt.Sprintf("Error: Status %d trying to push repository %s: %q", res.StatusCode, reference.Path(remote), errBody), res)
+		}
+		tokens = res.Header["X-Docker-Token"]
+		logrus.Debugf("Auth token: %v", tokens)
+
+		if res.Header.Get("X-Docker-Endpoints") == "" {
+			return nil, fmt.Errorf("Index response didn't contain any endpoints")
+		}
+		endpoints, err = buildEndpointsList(res.Header["X-Docker-Endpoints"], r.indexEndpoint.String())
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		if res.StatusCode != 204 {
+			errBody, err := ioutil.ReadAll(res.Body)
+			if err != nil {
+				logrus.Debugf("Error reading response body: %s", err)
+			}
+			return nil, newJSONError(fmt.Sprintf("Error: Status %d trying to push checksums %s: %q", res.StatusCode, reference.Path(remote), errBody), res)
+		}
+	}
+
+	return &RepositoryData{
+		Endpoints: endpoints,
+	}, nil
+}
+
+func (r *Session) putImageRequest(u string, headers map[string][]string, body []byte) (*http.Response, error) {
+	req, err := http.NewRequest("PUT", u, bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	req.ContentLength = int64(len(body))
+	for k, v := range headers {
+		req.Header[k] = v
+	}
+	response, err := r.client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return response, nil
+}
+
+func shouldRedirect(response *http.Response) bool {
+	return response.StatusCode >= 300 && response.StatusCode < 400
+}
+
+// SearchRepositories performs a search against the remote repository
+func (r *Session) SearchRepositories(term string, limit int) (*registrytypes.SearchResults, error) {
+	if limit < 1 || limit > 100 {
+		return nil, errdefs.InvalidParameter(errors.Errorf("Limit %d is outside the range of [1, 100]", limit))
+	}
+	logrus.Debugf("Index server: %s", r.indexEndpoint)
+	u := r.indexEndpoint.String() + "search?q=" + url.QueryEscape(term) + "&n=" + url.QueryEscape(fmt.Sprintf("%d", limit))
+
+	req, err := http.NewRequest("GET", u, nil)
+	if err != nil {
+		return nil, errors.Wrap(errdefs.InvalidParameter(err), "Error building request")
+	}
+	// Have the AuthTransport send authentication, when logged in.
+	req.Header.Set("X-Docker-Token", "true")
+	res, err := r.client.Do(req)
+	if err != nil {
+		return nil, errdefs.System(err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		return nil, newJSONError(fmt.Sprintf("Unexpected status code %d", res.StatusCode), res)
+	}
+	result := new(registrytypes.SearchResults)
+	return result, errors.Wrap(json.NewDecoder(res.Body).Decode(result), "error decoding registry search results")
+}
+
+func isTimeout(err error) bool {
+	type timeout interface {
+		Timeout() bool
+	}
+	e := err
+	switch urlErr := err.(type) {
+	case *url.Error:
+		e = urlErr.Err
+	}
+	t, ok := e.(timeout)
+	return ok && t.Timeout()
+}
+
+func newJSONError(msg string, res *http.Response) error {
+	return &jsonmessage.JSONError{
+		Message: msg,
+		Code:    res.StatusCode,
+	}
+}
diff --git a/engine/registry/types.go b/engine/registry/types.go
new file mode 100644
index 00000000..28ed2bfa
--- /dev/null
+++ b/engine/registry/types.go
@@ -0,0 +1,70 @@
+package registry // import "github.com/docker/docker/registry"
+
+import (
+	"github.com/docker/distribution/reference"
+	registrytypes "github.com/docker/docker/api/types/registry"
+)
+
+// RepositoryData tracks the image list, list of endpoints for a repository
+type RepositoryData struct {
+	// ImgList is a list of images in the repository
+	ImgList map[string]*ImgData
+	// Endpoints is a list of endpoints returned in X-Docker-Endpoints
+	Endpoints []string
+}
+
+// ImgData is used to transfer image checksums to and from the registry
+type ImgData struct {
+	// ID is an opaque string that identifies the image
+	ID              string `json:"id"`
+	Checksum        string `json:"checksum,omitempty"`
+	ChecksumPayload string `json:"-"`
+	Tag             string `json:",omitempty"`
+}
+
+// PingResult contains the information returned when pinging a registry. It
+// indicates the registry's version and whether the registry claims to be a
+// standalone registry.
+type PingResult struct {
+	// Version is the registry version supplied by the registry in an HTTP
+	// header
+	Version string `json:"version"`
+	// Standalone is set to true if the registry indicates it is a
+	// standalone registry in the X-Docker-Registry-Standalone
+	// header
+	Standalone bool `json:"standalone"`
+}
+
+// APIVersion is an integral representation of an API version (presently
+// either 1 or 2)
+type APIVersion int
+
+func (av APIVersion) String() string {
+	return apiVersions[av]
+}
+
+// API Version identifiers.
+const (
+	_                      = iota
+	APIVersion1 APIVersion = iota
+	APIVersion2
+)
+
+var apiVersions = map[APIVersion]string{
+	APIVersion1: "v1",
+	APIVersion2: "v2",
+}
+
+// RepositoryInfo describes a repository
+type RepositoryInfo struct {
+	Name reference.Named
+	// Index points to registry information
+	Index *registrytypes.IndexInfo
+	// Official indicates whether the repository is considered official.
+	// If the registry is official, and the normalized name does not
+	// contain a '/' (e.g. "foo"), then it is considered an official repo.
+	Official bool
+	// Class represents the class of the repository, such as "plugin"
+	// or "image".
+	Class string
+}
diff --git a/engine/reports/2017-05-01.md b/engine/reports/2017-05-01.md
new file mode 100644
index 00000000..366f4fce
--- /dev/null
+++ b/engine/reports/2017-05-01.md
@@ -0,0 +1,35 @@
+# Development Report for May 01, 2017
+
+This is the 1st report, since the Moby project was announced at DockerCon. Thank you to everyone that stayed an extra day to attend the summit on Thursday.
+
+## Daily Meeting
+
+A daily meeting is hosted on [slack](https://dockercommunity.slack.com/) every business day at 9am PST on the channel `#moby-project`.
+During this meeting, we are talking about the [tasks](https://github.com/moby/moby/issues/32867) needed to be done for splitting moby and docker.
+
+## Topics discussed last week
+
+### The moby tool
+
+The moby tool currently lives at [https://github.com/moby/tool](https://github.com/moby/tool), it's only a temporary place and will soon be merged in [https://github.com/moby/moby](https://github.com/moby/moby).
+
+### The CLI split
+
+Ongoing work to split the Docker CLI into [https://github.com/docker/cli](https://github.com/docker/cli) is happening [here](https://github.com/moby/moby/pull/32694).
+We are almost done, it should be merged soon.
+
+### Mailing list
+
+Slack works great for synchronous communication, but we need to place for async discussion. A mailing list is currently being setup.
+
+### Find a good and non-confusing home for the remaining monolith
+
+Lots of discussion and progress made on this topic, see [here](https://github.com/moby/moby/issues/32871). The work will start this week.
+
+## Componentization
+
+So far only work on the builder happened regarding the componentization effort.
+
+### builder
+
+The builder dev report can be found [here](builder/2017-05-01.md)
diff --git a/engine/reports/2017-05-08.md b/engine/reports/2017-05-08.md
new file mode 100644
index 00000000..7f033354
--- /dev/null
+++ b/engine/reports/2017-05-08.md
@@ -0,0 +1,34 @@
+# Development Report for May 08, 2017
+
+## Daily Meeting
+
+A daily meeting is hosted on [slack](https://dockercommunity.slack.com) every business day at 9am PST on the channel `#moby-project`.
+During this meeting, we are talking about the [tasks](https://github.com/moby/moby/issues/32867) needed to be done for splitting moby and docker.
+
+## Topics discussed last week
+
+### The CLI split
+
+The Docker CLI was successfully moved to [https://github.com/docker/cli](https://github.com/docker/cli) last week thanks to @tiborvass
+The Docker CLI is now compiled from the [Dockerfile](https://github.com/moby/moby/blob/a762ceace4e8c1c7ce4fb582789af9d8074be3e1/Dockerfile#L248)
+
+### Mailing list
+
+Discourse is available at [forums.mobyproject.org](https://forums.mobyproject.org/) thanks to @thaJeztah. mailing-list mode is enabled, so once you register there, you will received every new threads / messages via email. So far, 3 categories were created: Architecture, Meta & Support. The last step missing is to setup an email address to be able to start a new thread via email.
+
+### Find a place for `/pkg`
+
+Lots of discussion and progress made on this [topic](https://github.com/moby/moby/issues/32989) thanks to @dnephin. [Here is the list](https://gist.github.com/dnephin/35dc10f6b6b7017f058a71908b301d38) proposed to split/reorganize the pkgs.
+
+### Find a good and non-confusing home for the remaining monolith
+
+@cpuguy83 is leading the effort [here](https://github.com/moby/moby/pull/33022). It's still WIP but the way we are experimenting with is to reorganise directories within the moby/moby.
+
+## Componentization
+
+So far only work on the builder, by @tonistiigi, happened regarding the componentization effort.
+
+### builder
+
+The builder dev report can be found [here](builder/2017-05-08.md)
+
diff --git a/engine/reports/2017-05-15.md b/engine/reports/2017-05-15.md
new file mode 100644
index 00000000..7556f9cc
--- /dev/null
+++ b/engine/reports/2017-05-15.md
@@ -0,0 +1,52 @@
+# Development Report for May 15, 2017
+
+## Daily Meeting
+
+A daily meeting is hosted on [slack](https://dockercommunity.slack.com) every business day at 9am PST on the channel `#moby-project`.
+During this meeting, we are talking about the [tasks](https://github.com/moby/moby/issues/32867) needed to be done for splitting moby and docker.
+
+## Topics discussed last week
+
+### The CLI split
+
+Work is in progress to move the "opts" package to the docker/cli repository. The package, was merged into the docker/cli
+repository through [docker/cli#82](https://github.com/docker/cli/pull/82), preserving Git history, and parts that are not
+used in Moby have been removed through [moby/moby#33198](https://github.com/moby/moby/pull/33198).
+
+### Find a good and non-confusing home for the remaining monolith
+
+Discussion on this topic is still ongoing, and possible approaches are looked into. The active discussion has moved
+from GitHub to [https://forums.mobyproject.org/](https://forums.mobyproject.org/t/topic-find-a-good-an-non-confusing-home-for-the-remaining-monolith/37)
+
+### Find a place for `/pkg`
+
+Concerns were raised about moving packages to separate repositories, and it was decided to put some extra effort into
+breaking up / removing existing packages that likely are not good candidates to become a standalone project.
+
+### Update integration-cli tests
+
+With the removal of the CLI from the moby repository, new pull requests will have to be tested using API tests instead
+of using the CLI. Discussion took place whether or not these tests should use the API `client` package, or be completely
+independent, and make raw HTTP calls.
+
+A topic was created on the forum to discuss options: [evolution of testing](https://forums.mobyproject.org/t/evolution-of-testing-moby/38)
+
+
+### Proposal: split &amp; containerize hack/validate 
+
+[@AkihiroSuda](https://github.com/AkihiroSuda) is proposing to split and containerize the `hack/validate` script and 
+[started a topic on the forum](https://forums.mobyproject.org/t/proposal-split-containerize-hack-validate/32). An initial
+proposal to add validation functionality to `vndr` (the vendoring tool in use) was rejected upstream, so alternative
+approaches were discussed.
+
+
+### Special Interest Groups
+
+A "SIG" category was created on the forums to provide a home for Special Interest Groups. The first SIG, [LinuxKit 
+Security](https://forums.mobyproject.org/t/about-the-linuxkit-security-category/44) was started (thanks 
+[@riyazdf](https://github.com/riyazdf)).
+
+
+### Builder
+
+The builder dev report can be found [here](builder/2017-05-15.md)
diff --git a/engine/reports/2017-06-05.md b/engine/reports/2017-06-05.md
new file mode 100644
index 00000000..63679ed0
--- /dev/null
+++ b/engine/reports/2017-06-05.md
@@ -0,0 +1,36 @@
+# Development Report for June 5, 2017
+
+## Daily Meeting
+
+A daily meeting is hosted on [slack](https://dockercommunity.slack.com) every business day at 9am PST on the channel `#moby-project`.
+Lots of discussion happened during this meeting to kickstart the project, but now that we have the forums, we see less activity there.
+We are discussing the future of this meeting [here](https://forums.mobyproject.org/t/of-standups-future), we will possibility move the meeting
+to weekly.
+
+## Topics discussed last week
+
+### The CLI split
+
+Thanks to @tiborvass, the man pages, docs and completion scripts were imported to `github.com/docker/cli` [last week](https://github.com/docker/cli/pull/147)
+Once everything is finalised, we will remove them from `github.com/moby/moby`
+
+### Find a good and non-confusing home for the remaining monolith
+
+Discussion on this topic is still ongoing, and possible approaches are looked into. The active discussion has moved
+from GitHub to [https://forums.mobyproject.org/](https://forums.mobyproject.org/t/topic-find-a-good-an-non-confusing-home-for-the-remaining-monolith)
+
+
+### Find a place for `/pkg`
+
+Thanks to @dnephin this topic in on-going, you can follow progress [here](https://github.com/moby/moby/issues/32989)
+Many pkgs were reorganised last week, and more to come this week.
+
+
+### Builder
+
+The builder dev report can be found [here](builder/2017-06-05.md)
+
+
+### LinuxKit
+
+The LinuxKit dev report can be found [here](https://github.com/linuxkit/linuxkit/blob/master/reports/2017-06-03.md)
diff --git a/engine/reports/2017-06-12.md b/engine/reports/2017-06-12.md
new file mode 100644
index 00000000..8aef38c6
--- /dev/null
+++ b/engine/reports/2017-06-12.md
@@ -0,0 +1,78 @@
+# Development Report for June 12, 2017
+
+## Moby Summit
+
+The next Moby Summit will be at Docker HQ on June 19th, register [here](https://www.eventbrite.com/e/moby-summit-tickets-34483396768)
+
+## Daily Meeting
+
+### The CLI split
+
+Manpages and docs yaml files can now be generated on [docker/cli](https://github.com/docker/cli).
+Man pages, docs and completion scripts will be removed next week thanks to @tiborvass 
+
+### Find a good and non-confusing home for the remaining monolith
+
+Lot's of dicussion happened on the [forums](https://forums.mobyproject.org/t/topic-find-a-good-an-non-confusing-home-for-the-remaining-monolith)
+We should expect to do those changes after the moby summit. We contacted github to work with them so we have a smooth move.
+
+### Moby tool
+
+`moby` tool docs were moved from [LinuxKit](https://github.com/linuxkit/linuxkit) to the [moby tool repo](https://github.com/moby/tool) thanks to @justincormack
+
+### Custom golang URLs
+
+More discussions on the [forums](https://forums.mobyproject.org/t/cutoms-golang-urls), no agreement for now.
+
+### Buildkit
+
+[Proposal](https://github.com/moby/moby/issues/32925)
+
+More updates to the [POC repo](https://github.com/tonistiigi/buildkit_poc). It now contains binaries for the daemon and client. Examples directory shows a way for invoking a build job by generating the internal low-level build graph definition with a helper binary(as there is not support for frontends yet). The grpc control server binary can be built in two versions, one that connects to containerD socket and other that doesn't have any external dependencies.
+
+If you have questions or want to help, stop by the issues section of that repo or the proposal in moby/moby.
+
+#### Typed Dockerfile parsing
+
+[PR](https://github.com/moby/moby/pull/33492)
+
+New PR that enables parsing Dockerfiles into typed structures so they can be preprocessed to eliminate unnecessary build stages and reused with different kinds of dispatchers.
+
+#### Long running session & incremental file sending
+
+[PR ](https://github.com/moby/moby/pull/32677) 
+
+Same status as last week. The PR went through one pass of review from @dnephin and has been rebased again. Maintainers are encouraged to give this one a review so it can be included in `v17.07` release.
+
+
+#### Quality: Dependency interface switch
+
+[Move file copying from the daemon to the builder](https://github.com/moby/moby/pull/33454) PR is waiting for a second review. 
+
+#### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+[Provide advanced .dockeringore use-cases](https://github.com/moby/moby/issues/12886) [2](https://github.com/moby/moby/issues/12886#issuecomment-306247989)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+#### Builder features currently in code-review:
+
+[Warn/deprecate continuing on empty lines in `Dockerfile`](https://github.com/moby/moby/pull/29161)
+
+[Fix behavior of absolute paths in .dockerignore](https://github.com/moby/moby/pull/32088)
+
+#### Backlog
+
+[Build secrets](https://github.com/moby/moby/issues/33343) has not got much traction. If you want this feature to become a reality, please make yourself heard.
diff --git a/engine/reports/2017-06-26.md b/engine/reports/2017-06-26.md
new file mode 100644
index 00000000..e12533ae
--- /dev/null
+++ b/engine/reports/2017-06-26.md
@@ -0,0 +1,120 @@
+# Development Report for June 26, 2017
+
+## Moby Summit
+
+The Moby Summit held in San Francisco was very active and well attended ([blog](http://mobyproject.org/blog/2017/06/26/moby-summit-recap/) / [linuxkit table notes](https://github.com/linuxkit/linuxkit/blob/master/reports/2017-06-19-summit.md) [#2090](https://github.com/linuxkit/linuxkit/pull/2090) [#2033](https://github.com/linuxkit/linuxkit/pull/2033) [@mgoelzer] [@justincormack]). 
+
+## Container Engine
+
+Thanks to @fabiokung there is no container locks anymore on `docker ps` [#31273](https://github.com/moby/moby/pull/31273)
+
+## BuildKit
+
+[Repo](https://github.com/moby/buildkit)
+[Proposal](https://github.com/moby/moby/issues/32925)
+
+New development repo is open at https://github.com/moby/buildkit
+
+The readme file provides examples how to get started. You can see an example of building BuildKit with BuildKit.
+
+There are lots of new issues opened as well to track the missing functionality. You are welcomed to help on any of them or discuss the design there.
+
+Last week most of the work was done on improving the `llb` client library for more complicated use cases and providing traces and interactive progress of executed build jobs.
+
+The `llb` client package is a go library that helps you to generate the build definition graph. It uses chained methods to make it easy to describe what steps need to be running. Mounts can be added to the execution steps for defining multiple inputs or outputs. To prepare the graph, you just have to call `Marshal()` on a leaf node that will generate the protobuf definition for everything required to build that node.
+
+### Typed Dockerfile parsing
+
+[PR](https://github.com/moby/moby/pull/33492)
+
+This PR that enables parsing Dockerfiles into typed structures so they can be preprocessed to eliminate unnecessary build stages and reused with different kinds of dispatchers(eg. BuildKit).
+
+The PR had some review and updates in last week. Should be ready to code review soon.
+
+### Merged: Long running session & incremental file sending
+
+[PR](https://github.com/moby/moby/pull/32677) 
+
+Incremental context sending PR was merged and is expected to land in `v17.07`.
+
+This feature experimental feature lets you skip sending the build context to the daemon on repeated builder invocations during development. Currently, this feature requires a CLI flag `--stream=true`. If this flag is used, one first builder invocation full build context is sent to the daemon. On a second attempt, only the changed files are transferred.
+
+Previous build context is saved in the build cache, and you can see how much space it takes form `docker system df`. Build cache will be automatically garbage collected and can also be manually cleared with `docker prune`.
+
+### Quality: Dependency interface switch
+
+[Move file copying from the daemon to the builder](https://github.com/moby/moby/pull/33454) PR was merged.
+
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+[Provide advanced .dockeringore use-cases](https://github.com/moby/moby/issues/12886) [2](https://github.com/moby/moby/issues/12886#issuecomment-306247989)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Other builder PRs merged last week
+
+[Warn/deprecate continuing on empty lines in `Dockerfile`](https://github.com/moby/moby/pull/29161)
+
+[Fix behavior of absolute paths in .dockerignore](https://github.com/moby/moby/pull/32088)
+
+[fix copy —from conflict with force pull](https://github.com/moby/moby/pull/33735)
+
+### Builder features currently in code-review:
+
+[Fix handling of remote "git@" notation](https://github.com/moby/moby/pull/33696)
+
+[builder: Emit a BuildResult after squashing.](https://github.com/moby/moby/pull/33824)
+
+[Fix shallow git clone in docker-build](https://github.com/moby/moby/pull/33704)
+
+### Backlog
+
+[Build secrets](https://github.com/moby/moby/issues/33343) has not got much traction. If you want this feature to become a reality, please make yourself heard.
+
+## LinuxKit
+
+* **Kernel GPG verification:** The kernel compilation containers now verify the GPG and SHA256
+  checksums before building the binaries. ([#2062](https://github.com/linuxkit/linuxkit/issues/2062) [#2083](https://github.com/linuxkit/linuxkit/issues/2083) [@mscribe] [@justincormack] [@rn] [@riyazdf]).
+  The base Alpine build image now includes `gnupg` to support this feature ([#2091](https://github.com/linuxkit/linuxkit/issues/2091) [@riyazdf] [@rn]).
+
+* **Security SIG on Landlock:** The third Moby Security SIG focussed on the [Landlock](https://github.com/landlock-lsm) security module that provides unprivileged fine-grained sandboxing to applications.  There are videos and forum links ([#2087](https://github.com/linuxkit/linuxkit/issues/2087) [#2089](https://github.com/linuxkit/linuxkit/issues/2089) [#2073](https://github.com/linuxkit/linuxkit/issues/2073) [@riyazdf]).
+
+* **Networking drivers now modules:** The kernels have been updated to 4.11.6/4.9.33/4.4.73, and many drivers are now loaded as modules to speed up boot-time ([#2095](https://github.com/linuxkit/linuxkit/issues/2095) [#2061](https://github.com/linuxkit/linuxkit/issues/2061) [@rn] [@justincormack] [@tych0])
+
+- **Whaley important update:** The ASCII logo was updated and we fondly wave goodbye to the waves. ([#2084](https://github.com/linuxkit/linuxkit/issues/2084) [@thaJeztah] [@rn])
+
+- **Containerised getty and sshd:** The login services now run in their own mount namespace, which was confusing people since they were expecting it to be on the host filesystem.  This is now being addressed via a reminder in the `motd` upon login ([#2078](https://github.com/linuxkit/linuxkit/issues/2078) [#2097](https://github.com/linuxkit/linuxkit/issues/2097) [@deitch] [@ijc] [@justincormack] [@riyazdf] [@rn])
+
+- **Hardened user copying:** The RFC on ensuring that we use a hardened kernel/userspace copying system was closed, as it is enabled by default on all our modern kernels and a regression test is included by default ([#2086](https://github.com/linuxkit/linuxkit/issues/2086) [@fntlnz] [@riyazdf]).
+
+- **Vultr provider:** There is an ongoing effort to add a metadata provider for [Vultr](http://vultr.com) ([#2101](https://github.com/linuxkit/linuxkit/issues/2101) [@furious-luke] [@justincormack]).
+
+### Packages and Projects
+
+- Simplified Makefiles for packages ([#2080](https://github.com/linuxkit/linuxkit/issues/2080) [@justincormack] [@rn])
+- The MirageOS SDK is integrating many upstream changes from dependent libraries, for the DHCP client ([#2070](https://github.com/linuxkit/linuxkit/issues/2070) [#2072](https://github.com/linuxkit/linuxkit/issues/2072) [@samoht] [@talex5] [@avsm]).
+
+### Documentation and Tests
+
+- A comprehensive test suite for containerd is now integrated into LinuxKit tests ([#2062](https://github.com/linuxkit/linuxkit/issues/2062) [@AkihiroSuda] [@justincormack] [@rn])
+- Fix documentation links ([#2074](https://github.com/linuxkit/linuxkit/issues/2074) [@ndauten] [@justincormack])
+- Update RTF version ([#2077](https://github.com/linuxkit/linuxkit/issues/2077) [@justincormack])
+- tests: add build test for Docker for Mac blueprint ([#2093](https://github.com/linuxkit/linuxkit/issues/2093) [@riyazdf] [@MagnusS])
+- Disable Qemu EFI ISO test for now ([#2100](https://github.com/linuxkit/linuxkit/issues/2100) [@justincormack])
+- The CI whitelists and ACLs were updated ([linuxkit-ci#11](https://github.com/linuxkit/linuxkit-ce/issues/11) [linuxkit-ci#15](https://github.com/linuxkit/linuxkit-ce/issues/15) [linuxkit/linuxkit-ci#10](https://github.com/linuxkit/linuxkit-ce/issues/10) [@rn] [@justincormack])
+- Fix spelling errors ([#2079](https://github.com/linuxkit/linuxkit/issues/2079) [@ndauten])
+- Fix typo in dev report ([#2094](https://github.com/linuxkit/linuxkit/issues/2094) [@justincormack])
+- Fix dead Link to VMWare File ([#2082](https://github.com/linuxkit/linuxkit/issues/2082) [@davefreitag])
\ No newline at end of file
diff --git a/engine/reports/builder/2017-05-01.md b/engine/reports/builder/2017-05-01.md
new file mode 100644
index 00000000..73d1c493
--- /dev/null
+++ b/engine/reports/builder/2017-05-01.md
@@ -0,0 +1,47 @@
+# Development Report for May 01, 2017
+
+### buildkit
+
+As part of the goals of [Moby](https://github.com/moby/moby#transitioning-to-moby) to split the current platform into reusable components and to provide a future vision for the builder component new [buildkit proposal](https://github.com/moby/moby/issues/32925) was opened with early design draft.
+
+Buildkit is a library providing the core essentials of running a build process using isolated sandboxed commands. It is designed for extensibility and customization. Buildkit supports multiple build declaration formats(frontends) and multiple ways for outputting build results(not just docker images). It doesn't make decisions for a specific worker, snapshot or exporter implementations.
+
+It is designed to help find the most efficient way to process build tasks and intelligently cache them for repeated invocations. 
+
+### Quality: Dependency interface switch
+
+To improve quality and performance, a new [proposal was made for switching the dependency interface](https://github.com/moby/moby/issues/32904) for current builder package. That should fix the current problems with data leakage and conflicts caused by daemon state cleanup scripts.
+
+@dnephin is in progress of refactoring current builder code to logical areas as a preparation work for updating this interface.
+
+Merged as part of this effort:
+
+- [Refactor Dockerfile.parser and directive](https://github.com/moby/moby/pull/32580)
+- [Refactor builder dispatch state](https://github.com/moby/moby/pull/32600)
+- [Use a bytes.Buffer for shell_words string concat](https://github.com/moby/moby/pull/32601)
+- [Refactor `Builder.commit()`](https://github.com/moby/moby/pull/32772)
+- [Remove b.escapeToken, create ShellLex](https://github.com/moby/moby/pull/32858)
+
+### New feature: Long running session
+
+PR for [adding long-running session between daemon and cli](https://github.com/moby/moby/pull/32677) that enabled advanced features like incremental context send, build credentials from the client, ssh forwarding etc. is looking for initial design review. It is currently open if features implemented on top of it would use a specific transport implementation on the wire or a generic interface(current implementation). @tonistiigi is working on adding persistent cache capabilities that are currently missing from that PR. It also needs to be figured out how the [cli split](https://github.com/moby/moby/pull/32694) will affect features like this. 
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+These proposals have gotten mostly positive feedback for now. We will leave them open for a couple of more weeks and then decide what actions to take in a maintainers meeting. Also, if you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Other new builder features currently in code-review:
+
+[`docker build --iidfile` to capture the ID of the build result](https://github.com/moby/moby/pull/32406) 
+
+[Allow builds from any git remote ref](https://github.com/moby/moby/pull/32502)
+
+### Backlog:
+
+[Build secrets](https://github.com/moby/moby/pull/30637) will be brought up again in next maintainer's meeting to evaluate how to move on with this, if any other proposals have changed the objective and if we should wait for swarm secrets to be available first.
diff --git a/engine/reports/builder/2017-05-08.md b/engine/reports/builder/2017-05-08.md
new file mode 100644
index 00000000..d9396ab7
--- /dev/null
+++ b/engine/reports/builder/2017-05-08.md
@@ -0,0 +1,57 @@
+# Development Report for May 08, 2017
+
+
+### Quality: Dependency interface switch
+
+Proposal for [switching the dependency interface](https://github.com/moby/moby/issues/32904) for current builder package. That should fix the current problems with data leakage and conflicts caused by daemon state cleanup scripts.
+
+Merged as part of this effort:
+
+- [Move dispatch state to a new struct](https://github.com/moby/moby/pull/32952)
+- [Cleanup unnecessary mutate then revert of b.runConfig](https://github.com/moby/moby/pull/32773)
+
+In review:
+- [Refactor builder probe cache and container backend](https://github.com/moby/moby/pull/33061)
+- [Expose GetImage interface for builder](https://github.com/moby/moby/pull/33054)
+
+### Merged: docker build --iidfile
+
+[`docker build --iidfile` to capture the ID of the build result](https://github.com/moby/moby/pull/32406). New option can be used by the CLI applications to get back the image ID of build result. API users can use the `Aux` messages in progress stream to also get the IDs for intermediate build stages, for example to share them for build cache.
+
+### New feature: Long running session
+
+PR for [adding long-running session between daemon and cli](https://github.com/moby/moby/pull/32677) that enables advanced features like incremental context send, build credentials from the client, ssh forwarding etc.
+
+@simonferquel proposed a [grpc-only version of that interface](https://github.com/moby/moby/pull/33047) that should simplify the setup needed for describing new features for the session. Looking for design reviews.
+
+The feature also needs to be reworked after CLI split.
+
+### buildkit
+
+Not much progress [apart from some design discussion](https://github.com/moby/moby/issues/32925). Next step would be to open up a repo.
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Other new builder features currently in code-review:
+
+[Allow builds from any git remote ref](https://github.com/moby/moby/pull/32502)
+
+[Fix a case where using FROM scratch as NAME would fail](https://github.com/moby/moby/pull/32997)
+
+### Backlog:
+
+[Build secrets](https://github.com/moby/moby/pull/30637) will be brought up again in next maintainer's meeting to evaluate how to move on with this, if any other proposals have changed the objective and if we should wait for swarm secrets to be available first.
diff --git a/engine/reports/builder/2017-05-15.md b/engine/reports/builder/2017-05-15.md
new file mode 100644
index 00000000..cfc742f3
--- /dev/null
+++ b/engine/reports/builder/2017-05-15.md
@@ -0,0 +1,64 @@
+# Development Report for May 15, 2017
+
+### Multi-stage builds fixes coming in 17.06-rc1
+
+Some bugs were discovered in new multi-stage build feature, release in 17.05. 
+
+When using an image name directly in `COPY --from` without defining a build stage, the data associated with that image was not properly cleaned up.
+
+If a second was based on `scratch` image, the metadata from the previous stage didn't get reset, forcing the user to clear it manually with extra commands.
+
+Fixes for these are merged for the next release, everyone is welcomed to test it once `17.06-rc1` is out.
+
+- [Fix resetting image metadata between stages for scratch case](https://github.com/moby/moby/pull/33179)
+- [Fix releasing implicit mounts](https://github.com/moby/moby/pull/33090)
+- [Fix a case where using FROM scratch as NAME would fail](https://github.com/moby/moby/pull/32997)
+
+
+### Quality: Dependency interface switch
+
+Work continues on making the builder dependency interface more stable. This week methods for getting access to source image were swapped out to a new version that keeps a reference to image data until build job has complete.
+
+Merged as part of this effort:
+
+- [Expose GetImage interface for builder](https://github.com/moby/moby/pull/33054)
+
+In review:
+- [Refactor builder probe cache and container backend](https://github.com/moby/moby/pull/33061)
+- [Refactor COPY/ADD dispatchers](https://github.com/moby/moby/pull/33116)
+
+
+### New feature: Long running session
+
+PR for [adding long-running session between daemon and cli](https://github.com/moby/moby/pull/32677) that enables advanced features like incremental context send, build credentials from the client, ssh forwarding etc.
+
+@simonferquel updated a [grpc-only version of that interface](https://github.com/moby/moby/pull/33047) and mostly seems that consensus was achieved for using only grpc transport. @tonistiigi finished up persistent cache layer and garbage collection for file transfers. The PR now needs to be split up because CLI has moved. Once that is done, the main PR should be ready for review early this week.
+
+### Merged: Specifying any remote ref in git checkout URLs
+
+Building from git sources now allows [specifying any remote ref](https://github.com/moby/moby/pull/32502). For example, to build a pull request from GitHub you can use: `docker build git://github.com/moby/moby#pull/32502/head`.
+
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Other new builder features currently in code-review:
+
+-
+
+### Backlog:
+
+[Build secrets](https://github.com/moby/moby/pull/30637) will be brought up again in next maintainer's meeting to evaluate how to move on with this, if any other proposals have changed the objective and if we should wait for swarm secrets to be available first.
diff --git a/engine/reports/builder/2017-05-22.md b/engine/reports/builder/2017-05-22.md
new file mode 100644
index 00000000..29ecc6bb
--- /dev/null
+++ b/engine/reports/builder/2017-05-22.md
@@ -0,0 +1,47 @@
+# Development Report for May 22, 2017
+
+### New feature: Long running session
+
+PR for [adding long-running session between daemon and cli](https://github.com/moby/moby/pull/32677) that enables advanced features like incremental context send, build credentials from the client, ssh forwarding etc. is ready for reviews. This is blocking many new features like token signing, not pulling unnecessary context files, exposing sources outside working directory etc.
+
+
+### Quality: Dependency interface switch
+
+Work continues on making the builder dependency interface more stable.
+
+Merged as part of this effort this week:
+
+- [Refactor COPY/ADD dispatchers](https://github.com/moby/moby/pull/33116)
+
+In review:
+- [Refactor builder probe cache and container backend](https://github.com/moby/moby/pull/33061)
+
+### Buildkit
+
+[Diff and snapshot services](https://github.com/containerd/containerd/pull/849) were added to containerd. This is a required dependency for [buildkit](https://github.com/moby/moby/issues/32925).
+
+### Proposals discussed in maintainers meeting
+
+New builder proposals were discussed in maintainers meeting. The decision was to give 2 more weeks for anyone to post feedback to [IMPORT/EXPORT commands](https://github.com/moby/moby/issues/32100) and [`RUN --mount`](https://github.com/moby/moby/issues/32507) and accept them for development if nothing significant comes up.
+
+Build secrets and its possible overlap with [--mount](https://github.com/moby/moby/issues/32507) was discussed as well. The decision was to create a [new issue](https://github.com/moby/moby/issues/33343)(as the [old PR](https://github.com/moby/moby/pull/30637) is closed) to track this and avoid it from blocking `--mount` implementation. 
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Other new builder features currently in code-review:
+
+-
diff --git a/engine/reports/builder/2017-05-29.md b/engine/reports/builder/2017-05-29.md
new file mode 100644
index 00000000..33043d9f
--- /dev/null
+++ b/engine/reports/builder/2017-05-29.md
@@ -0,0 +1,52 @@
+# Development Report for May 29, 2017
+
+### New feature: Long running session
+
+PR for [adding long-running session between daemon and cli](https://github.com/moby/moby/pull/32677) that enables advanced features like incremental context send, build credentials from the client, ssh forwarding, etc. is ready for reviews. It is blocking many new features like the token signing, not pulling unnecessary context files, exposing sources outside working directory, etc. Maintainers are encouraged to give this one a review!
+
+
+### Quality: Dependency interface switch
+
+Work continues on making the builder dependency interface more stable.
+
+Merged as part of this effort this week:
+
+- [Refactor builder probe cache and container backend](https://github.com/moby/moby/pull/33061)
+
+@dnephin continues working on the copy/export aspects of the interface.
+
+### Buildkit
+
+Some initial proof of concept code for [buildkit](https://github.com/moby/moby/issues/32925) has been pushed to https://github.com/tonistiigi/buildkit_poc . It's in a very early exploratory stage. Current development has been about providing concurrent references based access to the snapshot data that is backed by containerd. More info should follow in next weeks, including hopefully opening up an official repo. If you have questions or want to help, stop by the issues section of that repo or the proposal in moby/moby.
+
+### Proposals discussed in maintainers meeting
+
+Reminder from last week: New builder proposals were discussed in maintainers meeting. The decision was to give 2 more weeks for anyone to post feedback to [IMPORT/EXPORT commands](https://github.com/moby/moby/issues/32100) and [`RUN --mount`](https://github.com/moby/moby/issues/32507) and accept them for development if nothing significant comes up.
+
+New issue about [build secrets](https://github.com/moby/moby/issues/33343) has not got much traction. If you want this feature to become a reality please make yourself heard.
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Other new builder features currently in code-review:
+
+[Fix canceling builder on chunked requests](https://github.com/moby/moby/pull/33363)
+
+[Fix parser directive refactoring](https://github.com/moby/moby/pull/33436)
+
+[Warn/deprecate continuing on empty lines in `Dockerfile`](https://github.com/moby/moby/pull/29161)
+
+[Fix behavior of absolute paths in .dockerignore](https://github.com/moby/moby/pull/32088)
\ No newline at end of file
diff --git a/engine/reports/builder/2017-06-05.md b/engine/reports/builder/2017-06-05.md
new file mode 100644
index 00000000..3746c263
--- /dev/null
+++ b/engine/reports/builder/2017-06-05.md
@@ -0,0 +1,58 @@
+# Development Report for June 5, 2017
+
+### New feature: Long running session
+
+Similarly to last week, the PR for [adding long-running session between daemon and cli](https://github.com/moby/moby/pull/32677) is waiting for reviews.  It is blocking many new features like the token signing, not pulling unnecessary context files, exposing sources outside working directory, etc. Maintainers are encouraged to give this one a review so it can be included in `v17.07` release.
+
+
+### Quality: Dependency interface switch
+
+Work continues on making the builder dependency interface more stable.
+
+PRs currently in review as part of this effort:
+
+- [Move file copying from the daemon to the builder](https://github.com/moby/moby/pull/33454)
+
+This PR is the core of the update that removes the need to track active containers and instead of lets builder hold references to layers while it's running.
+
+Related to this, @simonferquel opened a [WIP PR](https://github.com/moby/moby/pull/33492) that introduces typed Dockerfile parsing. This enables making [decisions about dependencies](https://github.com/moby/moby/issues/32550#issuecomment-297867334) between build stages and reusing Dockerfile parsing as a buildkit frontend.
+
+### Buildkit
+
+Some initial proof of concept code for [buildkit](https://github.com/moby/moby/issues/32925) has been pushed to https://github.com/tonistiigi/buildkit_poc . It's in a very early exploratory stage. Current codebase includes libraries for getting concurrency safe references to containerd snapshots using a centralized cache management instance. There is a sample source implementation for pulling images to these snapshots and executing jobs with runc on top of them. There is also some utility code for concurrent execution and progress stream handling. More info should follow in next weeks, including hopefully opening up an official repo. If you have questions or want to help, stop by the issues section of that repo or the proposal in moby/moby.
+
+### Proposals discussed in maintainers meeting
+
+Reminder from last week: New builder proposals were discussed in maintainers meeting. The decision was to give two more weeks for anyone to post feedback to [IMPORT/EXPORT commands](https://github.com/moby/moby/issues/32100) and [`RUN --mount`](https://github.com/moby/moby/issues/32507) and accept them for development if nothing significant comes up. It is the last week to post your feedback on these proposals or the comments in them. You can also volunteer to implement them.
+
+A new issue about [build secrets](https://github.com/moby/moby/issues/33343) has not got much traction. If you want this feature to become a reality, please make yourself heard.
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+[Provide advanced .dockeringore use-cases](https://github.com/moby/moby/issues/12886) [2](https://github.com/moby/moby/issues/12886#issuecomment-306247989)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Other builder PRs merged last week
+
+[Fix canceling builder on chunked requests](https://github.com/moby/moby/pull/33363)
+
+[Fix parser directive refactoring](https://github.com/moby/moby/pull/33436)
+
+### Builder features currently in code-review:
+
+[Warn/deprecate continuing on empty lines in `Dockerfile`](https://github.com/moby/moby/pull/29161)
+
+[Fix behavior of absolute paths in .dockerignore](https://github.com/moby/moby/pull/32088)
\ No newline at end of file
diff --git a/engine/reports/builder/2017-06-12.md b/engine/reports/builder/2017-06-12.md
new file mode 100644
index 00000000..df5d801e
--- /dev/null
+++ b/engine/reports/builder/2017-06-12.md
@@ -0,0 +1,58 @@
+# Development Report for June 12, 2017
+
+
+### Buildkit
+
+[Proposal](https://github.com/moby/moby/issues/32925)
+
+More updates to the [POC repo](https://github.com/tonistiigi/buildkit_poc). It now contains binaries for the daemon and client. Examples directory shows a way for invoking a build job by generating the internal low-level build graph definition with a helper binary(as there is not support for frontends yet). The grpc control server binary can be built in two versions, one that connects to containerD socket and other that doesn't have any external dependencies.
+
+If you have questions or want to help, stop by the issues section of that repo or the proposal in moby/moby.
+
+### Typed Dockerfile parsing
+
+[PR](https://github.com/moby/moby/pull/33492)
+
+New PR that enables parsing Dockerfiles into typed structures so they can be preprocessed to eliminate unnecessary build stages and reused with different kinds of dispatchers.
+
+### Long running session & incremental file sending
+
+[PR ](https://github.com/moby/moby/pull/32677) 
+
+Same status as last week. The PR went through one pass of review from @dnephin and has been rebased again. Maintainers are encouraged to give this one a review so it can be included in `v17.07` release.
+
+
+### Quality: Dependency interface switch
+
+[Move file copying from the daemon to the builder](https://github.com/moby/moby/pull/33454) PR is waiting for a second review. 
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+[Provide advanced .dockeringore use-cases](https://github.com/moby/moby/issues/12886) [2](https://github.com/moby/moby/issues/12886#issuecomment-306247989)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Other builder PRs merged last week
+
+
+### Builder features currently in code-review:
+
+[Warn/deprecate continuing on empty lines in `Dockerfile`](https://github.com/moby/moby/pull/29161)
+
+[Fix behavior of absolute paths in .dockerignore](https://github.com/moby/moby/pull/32088)
+
+### Backlog
+
+[Build secrets](https://github.com/moby/moby/issues/33343) has not got much traction. If you want this feature to become a reality, please make yourself heard.
\ No newline at end of file
diff --git a/engine/reports/builder/2017-06-26.md b/engine/reports/builder/2017-06-26.md
new file mode 100644
index 00000000..e0ba95a7
--- /dev/null
+++ b/engine/reports/builder/2017-06-26.md
@@ -0,0 +1,78 @@
+# Development Report for June 26, 2017
+
+
+### BuildKit
+
+[Repo](https://github.com/moby/buildkit)
+[Proposal](https://github.com/moby/moby/issues/32925)
+
+New development repo is open at https://github.com/moby/buildkit
+
+The readme file provides examples how to get started. You can see an example of building BuildKit with BuildKit.
+
+There are lots of new issues opened as well to track the missing functionality. You are welcomed to help on any of them or discuss the design there.
+
+Last week most of the work was done on improving the `llb` client library for more complicated use cases and providing traces and interactive progress of executed build jobs.
+
+The `llb` client package is a go library that helps you to generate the build definition graph. It uses chained methods to make it easy to describe what steps need to be running. Mounts can be added to the execution steps for defining multiple inputs or outputs. To prepare the graph, you just have to call `Marshal()` on a leaf node that will generate the protobuf definition for everything required to build that node.
+
+### Typed Dockerfile parsing
+
+[PR](https://github.com/moby/moby/pull/33492)
+
+This PR that enables parsing Dockerfiles into typed structures so they can be preprocessed to eliminate unnecessary build stages and reused with different kinds of dispatchers(eg. BuildKit).
+
+The PR had some review and updates in last week. Should be ready to code review soon.
+
+### Merged: Long running session & incremental file sending
+
+[PR](https://github.com/moby/moby/pull/32677) 
+
+Incremental context sending PR was merged and is expected to land in `v17.07`.
+
+This feature experimental feature lets you skip sending the build context to the daemon on repeated builder invocations during development. Currently, this feature requires a CLI flag `--stream=true`. If this flag is used, one first builder invocation full build context is sent to the daemon. On a second attempt, only the changed files are transferred.
+
+Previous build context is saved in the build cache, and you can see how much space it takes form `docker system df`. Build cache will be automatically garbage collected and can also be manually cleared with `docker prune`.
+
+### Quality: Dependency interface switch
+
+[Move file copying from the daemon to the builder](https://github.com/moby/moby/pull/33454) PR was merged.
+
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+[Provide advanced .dockeringore use-cases](https://github.com/moby/moby/issues/12886) [2](https://github.com/moby/moby/issues/12886#issuecomment-306247989)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Other builder PRs merged last week
+
+[Warn/deprecate continuing on empty lines in `Dockerfile`](https://github.com/moby/moby/pull/29161)
+
+[Fix behavior of absolute paths in .dockerignore](https://github.com/moby/moby/pull/32088)
+
+[fix copy —from conflict with force pull](https://github.com/moby/moby/pull/33735)
+
+### Builder features currently in code-review:
+
+[Fix handling of remote "git@" notation](https://github.com/moby/moby/pull/33696)
+
+[builder: Emit a BuildResult after squashing.](https://github.com/moby/moby/pull/33824)
+
+[Fix shallow git clone in docker-build](https://github.com/moby/moby/pull/33704)
+
+### Backlog
+
+[Build secrets](https://github.com/moby/moby/issues/33343) has not got much traction. If you want this feature to become a reality, please make yourself heard.
\ No newline at end of file
diff --git a/engine/reports/builder/2017-07-10.md b/engine/reports/builder/2017-07-10.md
new file mode 100644
index 00000000..76aeee0f
--- /dev/null
+++ b/engine/reports/builder/2017-07-10.md
@@ -0,0 +1,65 @@
+# Development Report for July 10, 2017
+
+
+### BuildKit
+
+[Repo](https://github.com/moby/buildkit)
+[Proposal](https://github.com/moby/moby/issues/32925)
+
+Many new features have been added since the last report.
+
+The build definition solver was updated to detect the identical parts of the graph sent by different clients and synchronize their processing. This is important when multiple targets of the same project are built at the same time and removes any duplication of work.
+
+Running build jobs now has support for graceful canceling and clear error reporting in case some build steps fail or are canceled. Bugs that may have left state dir in an inconsistent state of server shutdown were fixed.
+
+`buildctl du` command now shows all the information about allocated and in-use snapshots. It also shows the total space used and total reclaimable space. All snapshots are now persistent, and state is not lost with server restarts.
+
+New metadata package was implemented that other packages can use to add persistent and searchable metadata to individual snapshots. First users of that feature are the content blobs mapping on pull, size cache for `du` and instruction cache. There is also a new debug command `buildctl debug dump-metadata` to inspect what data is being stored.
+
+The first version of instruction cache was implemented. This caching scheme has many benefits compared to the current `docker build` caching as it doesn't require all data to be locally available to determine the cache match. The interface for the cache implementation is much simpler and could be implemented remotely as it only needs to store the cache keys and doesn't need to understand or compare their values. Content-based caching will be implemented on top of this work later.
+
+Separate source implementation for git repositories is currently in review. Using this source for accessing source code in git repositories has many performance and caching advantages. All the build jobs using the same git remote will use a shared local repository where updates will be pulled. All the nodes based on a git source will be cached using the commit ID of the current checkout.
+
+Next areas to be worked on will be implementing first exporters for getting access to the build artifacts and porting over the client session/incremental-send feature from `17.07-ce`.
+
+### Typed Dockerfile parsing
+
+[PR](https://github.com/moby/moby/pull/33492)
+
+The PR is in code review and waiting for feedback. Hopefully ready to be merged this week.
+
+### Quality: Dependency interface switch
+
+No updates for this week. Metadata commands need to be updated but it is probably easier to do it after https://github.com/moby/moby/pull/33492 has been merged.
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+[Provide advanced .dockeringore use-cases](https://github.com/moby/moby/issues/12886) [2](https://github.com/moby/moby/issues/12886#issuecomment-306247989)
+
+New: [RFC: Distributed BuildKit](https://github.com/moby/buildkit/issues/62)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Other builder PRs merged last week
+
+[build: fix add from remote url](https://github.com/moby/moby/pull/33851)
+
+### Builder features currently in code-review:
+
+[Fix shallow git clone in docker-build](https://github.com/moby/moby/pull/33704)
+
+### Backlog
+
+[Build secrets](https://github.com/moby/moby/issues/33343) has not got much traction. If you want this feature to become a reality, please make yourself heard.
\ No newline at end of file
diff --git a/engine/reports/builder/2017-07-17.md b/engine/reports/builder/2017-07-17.md
new file mode 100644
index 00000000..96cc8d18
--- /dev/null
+++ b/engine/reports/builder/2017-07-17.md
@@ -0,0 +1,79 @@
+# Development Report for July 17, 2017
+
+
+### BuildKit
+
+[Repo](https://github.com/moby/buildkit)
+[Proposal](https://github.com/moby/moby/issues/32925)
+
+Following features were added last week:
+
+#### Git source
+
+Source code from git repositories can now be accessed directly, similarly for images can be accessed, without the need to execute `git clone`. This has many performance and caching advantages. It accesses the remote repository using shallow fetches to only pull the required data and a uses a shared bare repository for intermediate cache between build invocations. The instruction cache for the git source is based on a commit hash and not string arguments. This means that you can always be sure that you are building the correct source and that you never build the same source twice.
+
+#### Containerd exporter
+
+Exporters are used for getting build artifacts out of buildkit. The first exporter that was implemented allows exposing the image to containerd so it can be run and pushed with `ctr` tool. `buildctl` has `--exporter` flag for specifying the exporter and `--exporter-opt` for custom values passed to the exporter. In the case of image exporter an image name can be specified.
+
+For example:
+
+```
+go run ./examples/buildkit2/buildkit.go | buildctl build --exporter image --exporter-opt name=docker.io/moby/buildkit:dev
+```
+
+Accessing from ctr/dist:
+
+```
+ctr --namespace buildkit images ls
+ctr --namespace buildkit rootfs unpack <manifest-sha>
+ctr --namespace buildkit run -t docker.io/moby/buildkit:dev id ash
+```
+
+#### Local source
+
+Buildkit now supports building from local sources. Snapshot of the local source files is created similarly to `docker build` build context. The implementation is based on the [incremental context send](https://github.com/moby/moby/pull/32677) feature in `docker-v17.07`. To use in `buildctl` the source definition needs to define a name for local endpoint, and `buildctl build` command provides a mapping from this name to a local directory with a `--local` flag.
+
+```
+go run ./examples/buildkit3/buildkit.go --local  | buildctl build --local buildkit-src=.
+``` 
+
+### Typed Dockerfile parsing
+
+[PR](https://github.com/moby/moby/pull/33492)
+
+Didn't manage to merge this PR yet. Still in code-review.
+
+
+### Feedback for `RUN --mount` / `COPY --chown`
+
+There was some new discussion around [`RUN --mount`](https://github.com/moby/moby/issues/32507) or [`COPY --chown`](https://github.com/moby/moby/issues/30110) feature. Currently, it seems that it may be best to try the shared cache capabilities described in `RUN --mount` in https://github.com/moby/buildkit first(it already supports the generic mounting capabilities). So to unblock the people waiting only on the file owner change features it may make sense to implement `COPY --chown` first. Another related candidate for `v17.08` release is https://github.com/moby/moby/issues/32816. 
+
+
+### Proposals for new Dockerfile features that need design feedback:
+
+[Add IMPORT/EXPORT commands to Dockerfile](https://github.com/moby/moby/issues/32100)
+
+[Add `DOCKEROS/DOCKERARCH` default ARG to Dockerfile](https://github.com/moby/moby/issues/32487)
+
+[Add support for `RUN --mount`](https://github.com/moby/moby/issues/32507)
+
+[DAG image builder](https://github.com/moby/moby/issues/32550)
+
+[Option to export the hash of the build context](https://github.com/moby/moby/issues/32963) (new)
+
+[Allow --cache-from=*](https://github.com/moby/moby/issues/33002#issuecomment-299041162) (new)
+
+[Provide advanced .dockeringore use-cases](https://github.com/moby/moby/issues/12886) [2](https://github.com/moby/moby/issues/12886#issuecomment-306247989)
+
+New: [RFC: Distributed BuildKit](https://github.com/moby/buildkit/issues/62)
+
+If you are interested in implementing any of them, leave a comment on the specific issues.
+
+### Builder features currently in code-review:
+
+[Fix shallow git clone in docker-build](https://github.com/moby/moby/pull/33704)
+
+### Backlog
+
+[Build secrets](https://github.com/moby/moby/issues/33343) has not got much traction. If you want this feature to become a reality, please make yourself heard.
\ No newline at end of file
diff --git a/engine/restartmanager/restartmanager.go b/engine/restartmanager/restartmanager.go
new file mode 100644
index 00000000..6468ccf7
--- /dev/null
+++ b/engine/restartmanager/restartmanager.go
@@ -0,0 +1,133 @@
+package restartmanager // import "github.com/docker/docker/restartmanager"
+
+import (
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+const (
+	backoffMultiplier = 2
+	defaultTimeout    = 100 * time.Millisecond
+	maxRestartTimeout = 1 * time.Minute
+)
+
+// ErrRestartCanceled is returned when the restart manager has been
+// canceled and will no longer restart the container.
+var ErrRestartCanceled = errors.New("restart canceled")
+
+// RestartManager defines object that controls container restarting rules.
+type RestartManager interface {
+	Cancel() error
+	ShouldRestart(exitCode uint32, hasBeenManuallyStopped bool, executionDuration time.Duration) (bool, chan error, error)
+}
+
+type restartManager struct {
+	sync.Mutex
+	sync.Once
+	policy       container.RestartPolicy
+	restartCount int
+	timeout      time.Duration
+	active       bool
+	cancel       chan struct{}
+	canceled     bool
+}
+
+// New returns a new restartManager based on a policy.
+func New(policy container.RestartPolicy, restartCount int) RestartManager {
+	return &restartManager{policy: policy, restartCount: restartCount, cancel: make(chan struct{})}
+}
+
+func (rm *restartManager) SetPolicy(policy container.RestartPolicy) {
+	rm.Lock()
+	rm.policy = policy
+	rm.Unlock()
+}
+
+func (rm *restartManager) ShouldRestart(exitCode uint32, hasBeenManuallyStopped bool, executionDuration time.Duration) (bool, chan error, error) {
+	if rm.policy.IsNone() {
+		return false, nil, nil
+	}
+	rm.Lock()
+	unlockOnExit := true
+	defer func() {
+		if unlockOnExit {
+			rm.Unlock()
+		}
+	}()
+
+	if rm.canceled {
+		return false, nil, ErrRestartCanceled
+	}
+
+	if rm.active {
+		return false, nil, fmt.Errorf("invalid call on an active restart manager")
+	}
+	// if the container ran for more than 10s, regardless of status and policy reset the
+	// the timeout back to the default.
+	if executionDuration.Seconds() >= 10 {
+		rm.timeout = 0
+	}
+	switch {
+	case rm.timeout == 0:
+		rm.timeout = defaultTimeout
+	case rm.timeout < maxRestartTimeout:
+		rm.timeout *= backoffMultiplier
+	}
+	if rm.timeout > maxRestartTimeout {
+		rm.timeout = maxRestartTimeout
+	}
+
+	var restart bool
+	switch {
+	case rm.policy.IsAlways():
+		restart = true
+	case rm.policy.IsUnlessStopped() && !hasBeenManuallyStopped:
+		restart = true
+	case rm.policy.IsOnFailure():
+		// the default value of 0 for MaximumRetryCount means that we will not enforce a maximum count
+		if max := rm.policy.MaximumRetryCount; max == 0 || rm.restartCount < max {
+			restart = exitCode != 0
+		}
+	}
+
+	if !restart {
+		rm.active = false
+		return false, nil, nil
+	}
+
+	rm.restartCount++
+
+	unlockOnExit = false
+	rm.active = true
+	rm.Unlock()
+
+	ch := make(chan error)
+	go func() {
+		select {
+		case <-rm.cancel:
+			ch <- ErrRestartCanceled
+			close(ch)
+		case <-time.After(rm.timeout):
+			rm.Lock()
+			close(ch)
+			rm.active = false
+			rm.Unlock()
+		}
+	}()
+
+	return true, ch, nil
+}
+
+func (rm *restartManager) Cancel() error {
+	rm.Do(func() {
+		rm.Lock()
+		rm.canceled = true
+		close(rm.cancel)
+		rm.Unlock()
+	})
+	return nil
+}
diff --git a/engine/restartmanager/restartmanager_test.go b/engine/restartmanager/restartmanager_test.go
new file mode 100644
index 00000000..4b6f3024
--- /dev/null
+++ b/engine/restartmanager/restartmanager_test.go
@@ -0,0 +1,36 @@
+package restartmanager // import "github.com/docker/docker/restartmanager"
+
+import (
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+func TestRestartManagerTimeout(t *testing.T) {
+	rm := New(container.RestartPolicy{Name: "always"}, 0).(*restartManager)
+	var duration = time.Duration(1 * time.Second)
+	should, _, err := rm.ShouldRestart(0, false, duration)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !should {
+		t.Fatal("container should be restarted")
+	}
+	if rm.timeout != defaultTimeout {
+		t.Fatalf("restart manager should have a timeout of 100 ms but has %s", rm.timeout)
+	}
+}
+
+func TestRestartManagerTimeoutReset(t *testing.T) {
+	rm := New(container.RestartPolicy{Name: "always"}, 0).(*restartManager)
+	rm.timeout = 5 * time.Second
+	var duration = time.Duration(10 * time.Second)
+	_, _, err := rm.ShouldRestart(0, false, duration)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if rm.timeout != defaultTimeout {
+		t.Fatalf("restart manager should have a timeout of 100 ms but has %s", rm.timeout)
+	}
+}
diff --git a/engine/runconfig/config.go b/engine/runconfig/config.go
new file mode 100644
index 00000000..cbacf47d
--- /dev/null
+++ b/engine/runconfig/config.go
@@ -0,0 +1,81 @@
+package runconfig // import "github.com/docker/docker/runconfig"
+
+import (
+	"encoding/json"
+	"io"
+
+	"github.com/docker/docker/api/types/container"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/pkg/sysinfo"
+)
+
+// ContainerDecoder implements httputils.ContainerDecoder
+// calling DecodeContainerConfig.
+type ContainerDecoder struct{}
+
+// DecodeConfig makes ContainerDecoder to implement httputils.ContainerDecoder
+func (r ContainerDecoder) DecodeConfig(src io.Reader) (*container.Config, *container.HostConfig, *networktypes.NetworkingConfig, error) {
+	return decodeContainerConfig(src)
+}
+
+// DecodeHostConfig makes ContainerDecoder to implement httputils.ContainerDecoder
+func (r ContainerDecoder) DecodeHostConfig(src io.Reader) (*container.HostConfig, error) {
+	return decodeHostConfig(src)
+}
+
+// decodeContainerConfig decodes a json encoded config into a ContainerConfigWrapper
+// struct and returns both a Config and a HostConfig struct
+// Be aware this function is not checking whether the resulted structs are nil,
+// it's your business to do so
+func decodeContainerConfig(src io.Reader) (*container.Config, *container.HostConfig, *networktypes.NetworkingConfig, error) {
+	var w ContainerConfigWrapper
+
+	decoder := json.NewDecoder(src)
+	if err := decoder.Decode(&w); err != nil {
+		return nil, nil, nil, err
+	}
+
+	hc := w.getHostConfig()
+
+	// Perform platform-specific processing of Volumes and Binds.
+	if w.Config != nil && hc != nil {
+
+		// Initialize the volumes map if currently nil
+		if w.Config.Volumes == nil {
+			w.Config.Volumes = make(map[string]struct{})
+		}
+	}
+
+	// Certain parameters need daemon-side validation that cannot be done
+	// on the client, as only the daemon knows what is valid for the platform.
+	if err := validateNetMode(w.Config, hc); err != nil {
+		return nil, nil, nil, err
+	}
+
+	// Validate isolation
+	if err := validateIsolation(hc); err != nil {
+		return nil, nil, nil, err
+	}
+
+	// Validate QoS
+	if err := validateQoS(hc); err != nil {
+		return nil, nil, nil, err
+	}
+
+	// Validate Resources
+	if err := validateResources(hc, sysinfo.New(true)); err != nil {
+		return nil, nil, nil, err
+	}
+
+	// Validate Privileged
+	if err := validatePrivileged(hc); err != nil {
+		return nil, nil, nil, err
+	}
+
+	// Validate ReadonlyRootfs
+	if err := validateReadonlyRootfs(hc); err != nil {
+		return nil, nil, nil, err
+	}
+
+	return w.Config, hc, w.NetworkingConfig, nil
+}
diff --git a/engine/runconfig/config_test.go b/engine/runconfig/config_test.go
new file mode 100644
index 00000000..67d38696
--- /dev/null
+++ b/engine/runconfig/config_test.go
@@ -0,0 +1,190 @@
+package runconfig // import "github.com/docker/docker/runconfig"
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/strslice"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+type f struct {
+	file       string
+	entrypoint strslice.StrSlice
+}
+
+func TestDecodeContainerConfig(t *testing.T) {
+
+	var (
+		fixtures []f
+		image    string
+	)
+
+	if runtime.GOOS != "windows" {
+		image = "ubuntu"
+		fixtures = []f{
+			{"fixtures/unix/container_config_1_14.json", strslice.StrSlice{}},
+			{"fixtures/unix/container_config_1_17.json", strslice.StrSlice{"bash"}},
+			{"fixtures/unix/container_config_1_19.json", strslice.StrSlice{"bash"}},
+		}
+	} else {
+		image = "windows"
+		fixtures = []f{
+			{"fixtures/windows/container_config_1_19.json", strslice.StrSlice{"cmd"}},
+		}
+	}
+
+	for _, f := range fixtures {
+		b, err := ioutil.ReadFile(f.file)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		c, h, _, err := decodeContainerConfig(bytes.NewReader(b))
+		if err != nil {
+			t.Fatal(fmt.Errorf("Error parsing %s: %v", f, err))
+		}
+
+		if c.Image != image {
+			t.Fatalf("Expected %s image, found %s\n", image, c.Image)
+		}
+
+		if len(c.Entrypoint) != len(f.entrypoint) {
+			t.Fatalf("Expected %v, found %v\n", f.entrypoint, c.Entrypoint)
+		}
+
+		if h != nil && h.Memory != 1000 {
+			t.Fatalf("Expected memory to be 1000, found %d\n", h.Memory)
+		}
+	}
+}
+
+// TestDecodeContainerConfigIsolation validates isolation passed
+// to the daemon in the hostConfig structure. Note this is platform specific
+// as to what level of container isolation is supported.
+func TestDecodeContainerConfigIsolation(t *testing.T) {
+
+	// An Invalid isolation level
+	if _, _, _, err := callDecodeContainerConfigIsolation("invalid"); err != nil {
+		if !strings.Contains(err.Error(), `Invalid isolation: "invalid"`) {
+			t.Fatal(err)
+		}
+	}
+
+	// Blank isolation (== default)
+	if _, _, _, err := callDecodeContainerConfigIsolation(""); err != nil {
+		t.Fatal("Blank isolation should have succeeded")
+	}
+
+	// Default isolation
+	if _, _, _, err := callDecodeContainerConfigIsolation("default"); err != nil {
+		t.Fatal("default isolation should have succeeded")
+	}
+
+	// Process isolation (Valid on Windows only)
+	if runtime.GOOS == "windows" {
+		if _, _, _, err := callDecodeContainerConfigIsolation("process"); err != nil {
+			t.Fatal("process isolation should have succeeded")
+		}
+	} else {
+		if _, _, _, err := callDecodeContainerConfigIsolation("process"); err != nil {
+			if !strings.Contains(err.Error(), `Invalid isolation: "process"`) {
+				t.Fatal(err)
+			}
+		}
+	}
+
+	// Hyper-V Containers isolation (Valid on Windows only)
+	if runtime.GOOS == "windows" {
+		if _, _, _, err := callDecodeContainerConfigIsolation("hyperv"); err != nil {
+			t.Fatal("hyperv isolation should have succeeded")
+		}
+	} else {
+		if _, _, _, err := callDecodeContainerConfigIsolation("hyperv"); err != nil {
+			if !strings.Contains(err.Error(), `Invalid isolation: "hyperv"`) {
+				t.Fatal(err)
+			}
+		}
+	}
+}
+
+// callDecodeContainerConfigIsolation is a utility function to call
+// DecodeContainerConfig for validating isolation
+func callDecodeContainerConfigIsolation(isolation string) (*container.Config, *container.HostConfig, *networktypes.NetworkingConfig, error) {
+	var (
+		b   []byte
+		err error
+	)
+	w := ContainerConfigWrapper{
+		Config: &container.Config{},
+		HostConfig: &container.HostConfig{
+			NetworkMode: "none",
+			Isolation:   container.Isolation(isolation)},
+	}
+	if b, err = json.Marshal(w); err != nil {
+		return nil, nil, nil, fmt.Errorf("Error on marshal %s", err.Error())
+	}
+	return decodeContainerConfig(bytes.NewReader(b))
+}
+
+type decodeConfigTestcase struct {
+	doc                string
+	wrapper            ContainerConfigWrapper
+	expectedErr        string
+	expectedConfig     *container.Config
+	expectedHostConfig *container.HostConfig
+	goos               string
+}
+
+func runDecodeContainerConfigTestCase(testcase decodeConfigTestcase) func(t *testing.T) {
+	return func(t *testing.T) {
+		raw := marshal(t, testcase.wrapper, testcase.doc)
+		config, hostConfig, _, err := decodeContainerConfig(bytes.NewReader(raw))
+		if testcase.expectedErr != "" {
+			if !assert.Check(t, is.ErrorContains(err, "")) {
+				return
+			}
+			assert.Check(t, is.Contains(err.Error(), testcase.expectedErr))
+			return
+		}
+		assert.Check(t, err)
+		assert.Check(t, is.DeepEqual(testcase.expectedConfig, config))
+		assert.Check(t, is.DeepEqual(testcase.expectedHostConfig, hostConfig))
+	}
+}
+
+func marshal(t *testing.T, w ContainerConfigWrapper, doc string) []byte {
+	b, err := json.Marshal(w)
+	assert.NilError(t, err, "%s: failed to encode config wrapper", doc)
+	return b
+}
+
+func containerWrapperWithVolume(volume string) ContainerConfigWrapper {
+	return ContainerConfigWrapper{
+		Config: &container.Config{
+			Volumes: map[string]struct{}{
+				volume: {},
+			},
+		},
+		HostConfig: &container.HostConfig{},
+	}
+}
+
+func containerWrapperWithBind(bind string) ContainerConfigWrapper {
+	return ContainerConfigWrapper{
+		Config: &container.Config{
+			Volumes: map[string]struct{}{},
+		},
+		HostConfig: &container.HostConfig{
+			Binds: []string{bind},
+		},
+	}
+}
diff --git a/engine/runconfig/config_unix.go b/engine/runconfig/config_unix.go
new file mode 100644
index 00000000..65e8d6fc
--- /dev/null
+++ b/engine/runconfig/config_unix.go
@@ -0,0 +1,59 @@
+// +build !windows
+
+package runconfig // import "github.com/docker/docker/runconfig"
+
+import (
+	"github.com/docker/docker/api/types/container"
+	networktypes "github.com/docker/docker/api/types/network"
+)
+
+// ContainerConfigWrapper is a Config wrapper that holds the container Config (portable)
+// and the corresponding HostConfig (non-portable).
+type ContainerConfigWrapper struct {
+	*container.Config
+	InnerHostConfig       *container.HostConfig          `json:"HostConfig,omitempty"`
+	Cpuset                string                         `json:",omitempty"` // Deprecated. Exported for backwards compatibility.
+	NetworkingConfig      *networktypes.NetworkingConfig `json:"NetworkingConfig,omitempty"`
+	*container.HostConfig                                // Deprecated. Exported to read attributes from json that are not in the inner host config structure.
+}
+
+// getHostConfig gets the HostConfig of the Config.
+// It's mostly there to handle Deprecated fields of the ContainerConfigWrapper
+func (w *ContainerConfigWrapper) getHostConfig() *container.HostConfig {
+	hc := w.HostConfig
+
+	if hc == nil && w.InnerHostConfig != nil {
+		hc = w.InnerHostConfig
+	} else if w.InnerHostConfig != nil {
+		if hc.Memory != 0 && w.InnerHostConfig.Memory == 0 {
+			w.InnerHostConfig.Memory = hc.Memory
+		}
+		if hc.MemorySwap != 0 && w.InnerHostConfig.MemorySwap == 0 {
+			w.InnerHostConfig.MemorySwap = hc.MemorySwap
+		}
+		if hc.CPUShares != 0 && w.InnerHostConfig.CPUShares == 0 {
+			w.InnerHostConfig.CPUShares = hc.CPUShares
+		}
+		if hc.CpusetCpus != "" && w.InnerHostConfig.CpusetCpus == "" {
+			w.InnerHostConfig.CpusetCpus = hc.CpusetCpus
+		}
+
+		if hc.VolumeDriver != "" && w.InnerHostConfig.VolumeDriver == "" {
+			w.InnerHostConfig.VolumeDriver = hc.VolumeDriver
+		}
+
+		hc = w.InnerHostConfig
+	}
+
+	if hc != nil {
+		if w.Cpuset != "" && hc.CpusetCpus == "" {
+			hc.CpusetCpus = w.Cpuset
+		}
+	}
+
+	// Make sure NetworkMode has an acceptable value. We do this to ensure
+	// backwards compatible API behavior.
+	SetDefaultNetModeIfBlank(hc)
+
+	return hc
+}
diff --git a/engine/runconfig/config_windows.go b/engine/runconfig/config_windows.go
new file mode 100644
index 00000000..cced59d4
--- /dev/null
+++ b/engine/runconfig/config_windows.go
@@ -0,0 +1,19 @@
+package runconfig // import "github.com/docker/docker/runconfig"
+
+import (
+	"github.com/docker/docker/api/types/container"
+	networktypes "github.com/docker/docker/api/types/network"
+)
+
+// ContainerConfigWrapper is a Config wrapper that holds the container Config (portable)
+// and the corresponding HostConfig (non-portable).
+type ContainerConfigWrapper struct {
+	*container.Config
+	HostConfig       *container.HostConfig          `json:"HostConfig,omitempty"`
+	NetworkingConfig *networktypes.NetworkingConfig `json:"NetworkingConfig,omitempty"`
+}
+
+// getHostConfig gets the HostConfig of the Config.
+func (w *ContainerConfigWrapper) getHostConfig() *container.HostConfig {
+	return w.HostConfig
+}
diff --git a/engine/runconfig/errors.go b/engine/runconfig/errors.go
new file mode 100644
index 00000000..038fe396
--- /dev/null
+++ b/engine/runconfig/errors.go
@@ -0,0 +1,42 @@
+package runconfig // import "github.com/docker/docker/runconfig"
+
+const (
+	// ErrConflictContainerNetworkAndLinks conflict between --net=container and links
+	ErrConflictContainerNetworkAndLinks validationError = "conflicting options: container type network can't be used with links. This would result in undefined behavior"
+	// ErrConflictSharedNetwork conflict between private and other networks
+	ErrConflictSharedNetwork validationError = "container sharing network namespace with another container or host cannot be connected to any other network"
+	// ErrConflictHostNetwork conflict from being disconnected from host network or connected to host network.
+	ErrConflictHostNetwork validationError = "container cannot be disconnected from host network or connected to host network"
+	// ErrConflictNoNetwork conflict between private and other networks
+	ErrConflictNoNetwork validationError = "container cannot be connected to multiple networks with one of the networks in private (none) mode"
+	// ErrConflictNetworkAndDNS conflict between --dns and the network mode
+	ErrConflictNetworkAndDNS validationError = "conflicting options: dns and the network mode"
+	// ErrConflictNetworkHostname conflict between the hostname and the network mode
+	ErrConflictNetworkHostname validationError = "conflicting options: hostname and the network mode"
+	// ErrConflictHostNetworkAndLinks conflict between --net=host and links
+	ErrConflictHostNetworkAndLinks validationError = "conflicting options: host type networking can't be used with links. This would result in undefined behavior"
+	// ErrConflictContainerNetworkAndMac conflict between the mac address and the network mode
+	ErrConflictContainerNetworkAndMac validationError = "conflicting options: mac-address and the network mode"
+	// ErrConflictNetworkHosts conflict between add-host and the network mode
+	ErrConflictNetworkHosts validationError = "conflicting options: custom host-to-IP mapping and the network mode"
+	// ErrConflictNetworkPublishPorts conflict between the publish options and the network mode
+	ErrConflictNetworkPublishPorts validationError = "conflicting options: port publishing and the container type network mode"
+	// ErrConflictNetworkExposePorts conflict between the expose option and the network mode
+	ErrConflictNetworkExposePorts validationError = "conflicting options: port exposing and the container type network mode"
+	// ErrUnsupportedNetworkAndIP conflict between network mode and requested ip address
+	ErrUnsupportedNetworkAndIP validationError = "user specified IP address is supported on user defined networks only"
+	// ErrUnsupportedNetworkNoSubnetAndIP conflict between network with no configured subnet and requested ip address
+	ErrUnsupportedNetworkNoSubnetAndIP validationError = "user specified IP address is supported only when connecting to networks with user configured subnets"
+	// ErrUnsupportedNetworkAndAlias conflict between network mode and alias
+	ErrUnsupportedNetworkAndAlias validationError = "network-scoped alias is supported only for containers in user defined networks"
+	// ErrConflictUTSHostname conflict between the hostname and the UTS mode
+	ErrConflictUTSHostname validationError = "conflicting options: hostname and the UTS mode"
+)
+
+type validationError string
+
+func (e validationError) Error() string {
+	return string(e)
+}
+
+func (e validationError) InvalidParameter() {}
diff --git a/engine/runconfig/fixtures/unix/container_config_1_14.json b/engine/runconfig/fixtures/unix/container_config_1_14.json
new file mode 100644
index 00000000..b08334c0
--- /dev/null
+++ b/engine/runconfig/fixtures/unix/container_config_1_14.json
@@ -0,0 +1,30 @@
+{
+     "Hostname":"",
+     "Domainname": "",
+     "User":"",
+     "Memory": 1000,
+     "MemorySwap":0,
+     "CpuShares": 512,
+     "Cpuset": "0,1",
+     "AttachStdin":false,
+     "AttachStdout":true,
+     "AttachStderr":true,
+     "PortSpecs":null,
+     "Tty":false,
+     "OpenStdin":false,
+     "StdinOnce":false,
+     "Env":null,
+     "Cmd":[
+             "bash"
+     ],
+     "Image":"ubuntu",
+     "Volumes":{
+             "/tmp": {}
+     },
+     "WorkingDir":"",
+     "NetworkDisabled": false,
+     "ExposedPorts":{
+             "22/tcp": {}
+     },
+     "RestartPolicy": { "Name": "always" }
+}
diff --git a/engine/runconfig/fixtures/unix/container_config_1_17.json b/engine/runconfig/fixtures/unix/container_config_1_17.json
new file mode 100644
index 00000000..0d780877
--- /dev/null
+++ b/engine/runconfig/fixtures/unix/container_config_1_17.json
@@ -0,0 +1,50 @@
+{
+     "Hostname": "",
+     "Domainname": "",
+     "User": "",
+     "Memory": 1000,
+     "MemorySwap": 0,
+     "CpuShares": 512,
+     "Cpuset": "0,1",
+     "AttachStdin": false,
+     "AttachStdout": true,
+     "AttachStderr": true,
+     "Tty": false,
+     "OpenStdin": false,
+     "StdinOnce": false,
+     "Env": null,
+     "Cmd": [
+             "date"
+     ],
+     "Entrypoint": "bash",
+     "Image": "ubuntu",
+     "Volumes": {
+             "/tmp": {}
+     },
+     "WorkingDir": "",
+     "NetworkDisabled": false,
+     "MacAddress": "12:34:56:78:9a:bc",
+     "ExposedPorts": {
+             "22/tcp": {}
+     },
+     "SecurityOpt": [""],
+     "HostConfig": {
+       "Binds": ["/tmp:/tmp"],
+       "Links": ["redis3:redis"],
+       "LxcConf": {"lxc.utsname":"docker"},
+       "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+       "PublishAllPorts": false,
+       "Privileged": false,
+       "ReadonlyRootfs": false,
+       "Dns": ["8.8.8.8"],
+       "DnsSearch": [""],
+       "DnsOptions": [""],
+       "ExtraHosts": null,
+       "VolumesFrom": ["parent", "other:ro"],
+       "CapAdd": ["NET_ADMIN"],
+       "CapDrop": ["MKNOD"],
+       "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+       "NetworkMode": "bridge",
+       "Devices": []
+    }
+}
diff --git a/engine/runconfig/fixtures/unix/container_config_1_19.json b/engine/runconfig/fixtures/unix/container_config_1_19.json
new file mode 100644
index 00000000..de49cf32
--- /dev/null
+++ b/engine/runconfig/fixtures/unix/container_config_1_19.json
@@ -0,0 +1,58 @@
+{
+     "Hostname": "",
+     "Domainname": "",
+     "User": "",
+     "AttachStdin": false,
+     "AttachStdout": true,
+     "AttachStderr": true,
+     "Tty": false,
+     "OpenStdin": false,
+     "StdinOnce": false,
+     "Env": null,
+     "Cmd": [
+             "date"
+     ],
+     "Entrypoint": "bash",
+     "Image": "ubuntu",
+     "Labels": {
+             "com.example.vendor": "Acme",
+             "com.example.license": "GPL",
+             "com.example.version": "1.0"
+     },
+     "Volumes": {
+             "/tmp": {}
+     },
+     "WorkingDir": "",
+     "NetworkDisabled": false,
+     "MacAddress": "12:34:56:78:9a:bc",
+     "ExposedPorts": {
+             "22/tcp": {}
+     },
+     "HostConfig": {
+       "Binds": ["/tmp:/tmp"],
+       "Links": ["redis3:redis"],
+       "LxcConf": {"lxc.utsname":"docker"},
+       "Memory": 1000,
+       "MemorySwap": 0,
+       "CpuShares": 512,
+       "CpusetCpus": "0,1",
+       "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+       "PublishAllPorts": false,
+       "Privileged": false,
+       "ReadonlyRootfs": false,
+       "Dns": ["8.8.8.8"],
+       "DnsSearch": [""],
+       "DnsOptions": [""],
+       "ExtraHosts": null,
+       "VolumesFrom": ["parent", "other:ro"],
+       "CapAdd": ["NET_ADMIN"],
+       "CapDrop": ["MKNOD"],
+       "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+       "NetworkMode": "bridge",
+       "Devices": [],
+       "Ulimits": [{}],
+       "LogConfig": { "Type": "json-file", "Config": {} },
+       "SecurityOpt": [""],
+       "CgroupParent": ""
+    }
+}
diff --git a/engine/runconfig/fixtures/unix/container_hostconfig_1_14.json b/engine/runconfig/fixtures/unix/container_hostconfig_1_14.json
new file mode 100644
index 00000000..c72ac91c
--- /dev/null
+++ b/engine/runconfig/fixtures/unix/container_hostconfig_1_14.json
@@ -0,0 +1,18 @@
+{
+    "Binds": ["/tmp:/tmp"],
+    "ContainerIDFile": "",
+    "LxcConf": [],
+    "Privileged": false,
+    "PortBindings": {
+        "80/tcp": [
+            {
+                "HostIp": "0.0.0.0",
+                "HostPort": "49153"
+            }
+        ]
+    },
+    "Links": ["/name:alias"],
+    "PublishAllPorts": false,
+    "CapAdd": ["NET_ADMIN"],
+    "CapDrop": ["MKNOD"]
+}
diff --git a/engine/runconfig/fixtures/unix/container_hostconfig_1_19.json b/engine/runconfig/fixtures/unix/container_hostconfig_1_19.json
new file mode 100644
index 00000000..5ca8aa7e
--- /dev/null
+++ b/engine/runconfig/fixtures/unix/container_hostconfig_1_19.json
@@ -0,0 +1,30 @@
+{
+    "Binds": ["/tmp:/tmp"],
+    "Links": ["redis3:redis"],
+    "LxcConf": {"lxc.utsname":"docker"},
+    "Memory": 0,
+    "MemorySwap": 0,
+    "CpuShares": 512,
+    "CpuPeriod": 100000,
+    "CpusetCpus": "0,1",
+    "CpusetMems": "0,1",
+    "BlkioWeight": 300,
+    "OomKillDisable": false,
+    "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+    "PublishAllPorts": false,
+    "Privileged": false,
+    "ReadonlyRootfs": false,
+    "Dns": ["8.8.8.8"],
+    "DnsSearch": [""],
+    "ExtraHosts": null,
+    "VolumesFrom": ["parent", "other:ro"],
+    "CapAdd": ["NET_ADMIN"],
+    "CapDrop": ["MKNOD"],
+    "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+    "NetworkMode": "bridge",
+    "Devices": [],
+    "Ulimits": [{}],
+    "LogConfig": { "Type": "json-file", "Config": {} },
+    "SecurityOpt": [""],
+    "CgroupParent": ""
+}
diff --git a/engine/runconfig/fixtures/windows/container_config_1_19.json b/engine/runconfig/fixtures/windows/container_config_1_19.json
new file mode 100644
index 00000000..724320c7
--- /dev/null
+++ b/engine/runconfig/fixtures/windows/container_config_1_19.json
@@ -0,0 +1,58 @@
+{
+     "Hostname": "",
+     "Domainname": "",
+     "User": "",
+     "AttachStdin": false,
+     "AttachStdout": true,
+     "AttachStderr": true,
+     "Tty": false,
+     "OpenStdin": false,
+     "StdinOnce": false,
+     "Env": null,
+     "Cmd": [
+             "date"
+     ],
+     "Entrypoint": "cmd",
+     "Image": "windows",
+     "Labels": {
+             "com.example.vendor": "Acme",
+             "com.example.license": "GPL",
+             "com.example.version": "1.0"
+     },
+     "Volumes": {
+             "c:/windows": {}
+     },
+     "WorkingDir": "",
+     "NetworkDisabled": false,
+     "MacAddress": "12:34:56:78:9a:bc",
+     "ExposedPorts": {
+             "22/tcp": {}
+     },
+     "HostConfig": {
+       "Binds": ["c:/windows:d:/tmp"],
+       "Links": ["redis3:redis"],
+       "LxcConf": {"lxc.utsname":"docker"},
+       "Memory": 1000,
+       "MemorySwap": 0,
+       "CpuShares": 512,
+       "CpusetCpus": "0,1",
+       "PortBindings": { "22/tcp": [{ "HostPort": "11022" }] },
+       "PublishAllPorts": false,
+       "Privileged": false,
+       "ReadonlyRootfs": false,
+       "Dns": ["8.8.8.8"],
+       "DnsSearch": [""],
+       "DnsOptions": [""],
+       "ExtraHosts": null,
+       "VolumesFrom": ["parent", "other:ro"],
+       "CapAdd": ["NET_ADMIN"],
+       "CapDrop": ["MKNOD"],
+       "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 },
+       "NetworkMode": "default",
+       "Devices": [],
+       "Ulimits": [{}],
+       "LogConfig": { "Type": "json-file", "Config": {} },
+       "SecurityOpt": [""],
+       "CgroupParent": ""
+    }
+}
diff --git a/engine/runconfig/hostconfig.go b/engine/runconfig/hostconfig.go
new file mode 100644
index 00000000..7d99e5ac
--- /dev/null
+++ b/engine/runconfig/hostconfig.go
@@ -0,0 +1,79 @@
+package runconfig // import "github.com/docker/docker/runconfig"
+
+import (
+	"encoding/json"
+	"io"
+	"strings"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+// DecodeHostConfig creates a HostConfig based on the specified Reader.
+// It assumes the content of the reader will be JSON, and decodes it.
+func decodeHostConfig(src io.Reader) (*container.HostConfig, error) {
+	decoder := json.NewDecoder(src)
+
+	var w ContainerConfigWrapper
+	if err := decoder.Decode(&w); err != nil {
+		return nil, err
+	}
+
+	hc := w.getHostConfig()
+	return hc, nil
+}
+
+// SetDefaultNetModeIfBlank changes the NetworkMode in a HostConfig structure
+// to default if it is not populated. This ensures backwards compatibility after
+// the validation of the network mode was moved from the docker CLI to the
+// docker daemon.
+func SetDefaultNetModeIfBlank(hc *container.HostConfig) {
+	if hc != nil {
+		if hc.NetworkMode == container.NetworkMode("") {
+			hc.NetworkMode = container.NetworkMode("default")
+		}
+	}
+}
+
+// validateNetContainerMode ensures that the various combinations of requested
+// network settings wrt container mode are valid.
+func validateNetContainerMode(c *container.Config, hc *container.HostConfig) error {
+	// We may not be passed a host config, such as in the case of docker commit
+	if hc == nil {
+		return nil
+	}
+	parts := strings.Split(string(hc.NetworkMode), ":")
+	if parts[0] == "container" {
+		if len(parts) < 2 || parts[1] == "" {
+			return validationError("Invalid network mode: invalid container format container:<name|id>")
+		}
+	}
+
+	if hc.NetworkMode.IsContainer() && c.Hostname != "" {
+		return ErrConflictNetworkHostname
+	}
+
+	if hc.NetworkMode.IsContainer() && len(hc.Links) > 0 {
+		return ErrConflictContainerNetworkAndLinks
+	}
+
+	if hc.NetworkMode.IsContainer() && len(hc.DNS) > 0 {
+		return ErrConflictNetworkAndDNS
+	}
+
+	if hc.NetworkMode.IsContainer() && len(hc.ExtraHosts) > 0 {
+		return ErrConflictNetworkHosts
+	}
+
+	if (hc.NetworkMode.IsContainer() || hc.NetworkMode.IsHost()) && c.MacAddress != "" {
+		return ErrConflictContainerNetworkAndMac
+	}
+
+	if hc.NetworkMode.IsContainer() && (len(hc.PortBindings) > 0 || hc.PublishAllPorts) {
+		return ErrConflictNetworkPublishPorts
+	}
+
+	if hc.NetworkMode.IsContainer() && len(c.ExposedPorts) > 0 {
+		return ErrConflictNetworkExposePorts
+	}
+	return nil
+}
diff --git a/engine/runconfig/hostconfig_test.go b/engine/runconfig/hostconfig_test.go
new file mode 100644
index 00000000..b04cbc6b
--- /dev/null
+++ b/engine/runconfig/hostconfig_test.go
@@ -0,0 +1,273 @@
+// +build !windows
+
+package runconfig // import "github.com/docker/docker/runconfig"
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/sysinfo"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+// TODO Windows: This will need addressing for a Windows daemon.
+func TestNetworkModeTest(t *testing.T) {
+	networkModes := map[container.NetworkMode][]bool{
+		// private, bridge, host, container, none, default
+		"":                         {true, false, false, false, false, false},
+		"something:weird":          {true, false, false, false, false, false},
+		"bridge":                   {true, true, false, false, false, false},
+		DefaultDaemonNetworkMode(): {true, true, false, false, false, false},
+		"host":           {false, false, true, false, false, false},
+		"container:name": {false, false, false, true, false, false},
+		"none":           {true, false, false, false, true, false},
+		"default":        {true, false, false, false, false, true},
+	}
+	networkModeNames := map[container.NetworkMode]string{
+		"":                         "",
+		"something:weird":          "something:weird",
+		"bridge":                   "bridge",
+		DefaultDaemonNetworkMode(): "bridge",
+		"host":           "host",
+		"container:name": "container",
+		"none":           "none",
+		"default":        "default",
+	}
+	for networkMode, state := range networkModes {
+		if networkMode.IsPrivate() != state[0] {
+			t.Fatalf("NetworkMode.IsPrivate for %v should have been %v but was %v", networkMode, state[0], networkMode.IsPrivate())
+		}
+		if networkMode.IsBridge() != state[1] {
+			t.Fatalf("NetworkMode.IsBridge for %v should have been %v but was %v", networkMode, state[1], networkMode.IsBridge())
+		}
+		if networkMode.IsHost() != state[2] {
+			t.Fatalf("NetworkMode.IsHost for %v should have been %v but was %v", networkMode, state[2], networkMode.IsHost())
+		}
+		if networkMode.IsContainer() != state[3] {
+			t.Fatalf("NetworkMode.IsContainer for %v should have been %v but was %v", networkMode, state[3], networkMode.IsContainer())
+		}
+		if networkMode.IsNone() != state[4] {
+			t.Fatalf("NetworkMode.IsNone for %v should have been %v but was %v", networkMode, state[4], networkMode.IsNone())
+		}
+		if networkMode.IsDefault() != state[5] {
+			t.Fatalf("NetworkMode.IsDefault for %v should have been %v but was %v", networkMode, state[5], networkMode.IsDefault())
+		}
+		if networkMode.NetworkName() != networkModeNames[networkMode] {
+			t.Fatalf("Expected name %v, got %v", networkModeNames[networkMode], networkMode.NetworkName())
+		}
+	}
+}
+
+func TestIpcModeTest(t *testing.T) {
+	ipcModes := map[container.IpcMode]struct {
+		private   bool
+		host      bool
+		container bool
+		shareable bool
+		valid     bool
+		ctrName   string
+	}{
+		"":                      {valid: true},
+		"private":               {private: true, valid: true},
+		"something:weird":       {},
+		":weird":                {},
+		"host":                  {host: true, valid: true},
+		"container":             {},
+		"container:":            {container: true, valid: true, ctrName: ""},
+		"container:name":        {container: true, valid: true, ctrName: "name"},
+		"container:name1:name2": {container: true, valid: true, ctrName: "name1:name2"},
+		"shareable":             {shareable: true, valid: true},
+	}
+
+	for ipcMode, state := range ipcModes {
+		assert.Check(t, is.Equal(state.private, ipcMode.IsPrivate()), "IpcMode.IsPrivate() parsing failed for %q", ipcMode)
+		assert.Check(t, is.Equal(state.host, ipcMode.IsHost()), "IpcMode.IsHost()  parsing failed for %q", ipcMode)
+		assert.Check(t, is.Equal(state.container, ipcMode.IsContainer()), "IpcMode.IsContainer()  parsing failed for %q", ipcMode)
+		assert.Check(t, is.Equal(state.shareable, ipcMode.IsShareable()), "IpcMode.IsShareable()  parsing failed for %q", ipcMode)
+		assert.Check(t, is.Equal(state.valid, ipcMode.Valid()), "IpcMode.Valid()  parsing failed for %q", ipcMode)
+		assert.Check(t, is.Equal(state.ctrName, ipcMode.Container()), "IpcMode.Container() parsing failed for %q", ipcMode)
+	}
+}
+
+func TestUTSModeTest(t *testing.T) {
+	utsModes := map[container.UTSMode][]bool{
+		// private, host, valid
+		"":                {true, false, true},
+		"something:weird": {true, false, false},
+		"host":            {false, true, true},
+		"host:name":       {true, false, true},
+	}
+	for utsMode, state := range utsModes {
+		if utsMode.IsPrivate() != state[0] {
+			t.Fatalf("UtsMode.IsPrivate for %v should have been %v but was %v", utsMode, state[0], utsMode.IsPrivate())
+		}
+		if utsMode.IsHost() != state[1] {
+			t.Fatalf("UtsMode.IsHost for %v should have been %v but was %v", utsMode, state[1], utsMode.IsHost())
+		}
+		if utsMode.Valid() != state[2] {
+			t.Fatalf("UtsMode.Valid for %v should have been %v but was %v", utsMode, state[2], utsMode.Valid())
+		}
+	}
+}
+
+func TestUsernsModeTest(t *testing.T) {
+	usrensMode := map[container.UsernsMode][]bool{
+		// private, host, valid
+		"":                {true, false, true},
+		"something:weird": {true, false, false},
+		"host":            {false, true, true},
+		"host:name":       {true, false, true},
+	}
+	for usernsMode, state := range usrensMode {
+		if usernsMode.IsPrivate() != state[0] {
+			t.Fatalf("UsernsMode.IsPrivate for %v should have been %v but was %v", usernsMode, state[0], usernsMode.IsPrivate())
+		}
+		if usernsMode.IsHost() != state[1] {
+			t.Fatalf("UsernsMode.IsHost for %v should have been %v but was %v", usernsMode, state[1], usernsMode.IsHost())
+		}
+		if usernsMode.Valid() != state[2] {
+			t.Fatalf("UsernsMode.Valid for %v should have been %v but was %v", usernsMode, state[2], usernsMode.Valid())
+		}
+	}
+}
+
+func TestPidModeTest(t *testing.T) {
+	pidModes := map[container.PidMode][]bool{
+		// private, host, valid
+		"":                {true, false, true},
+		"something:weird": {true, false, false},
+		"host":            {false, true, true},
+		"host:name":       {true, false, true},
+	}
+	for pidMode, state := range pidModes {
+		if pidMode.IsPrivate() != state[0] {
+			t.Fatalf("PidMode.IsPrivate for %v should have been %v but was %v", pidMode, state[0], pidMode.IsPrivate())
+		}
+		if pidMode.IsHost() != state[1] {
+			t.Fatalf("PidMode.IsHost for %v should have been %v but was %v", pidMode, state[1], pidMode.IsHost())
+		}
+		if pidMode.Valid() != state[2] {
+			t.Fatalf("PidMode.Valid for %v should have been %v but was %v", pidMode, state[2], pidMode.Valid())
+		}
+	}
+}
+
+func TestRestartPolicy(t *testing.T) {
+	restartPolicies := map[container.RestartPolicy][]bool{
+		// none, always, failure
+		{}: {true, false, false},
+		{Name: "something", MaximumRetryCount: 0}:  {false, false, false},
+		{Name: "no", MaximumRetryCount: 0}:         {true, false, false},
+		{Name: "always", MaximumRetryCount: 0}:     {false, true, false},
+		{Name: "on-failure", MaximumRetryCount: 0}: {false, false, true},
+	}
+	for restartPolicy, state := range restartPolicies {
+		if restartPolicy.IsNone() != state[0] {
+			t.Fatalf("RestartPolicy.IsNone for %v should have been %v but was %v", restartPolicy, state[0], restartPolicy.IsNone())
+		}
+		if restartPolicy.IsAlways() != state[1] {
+			t.Fatalf("RestartPolicy.IsAlways for %v should have been %v but was %v", restartPolicy, state[1], restartPolicy.IsAlways())
+		}
+		if restartPolicy.IsOnFailure() != state[2] {
+			t.Fatalf("RestartPolicy.IsOnFailure for %v should have been %v but was %v", restartPolicy, state[2], restartPolicy.IsOnFailure())
+		}
+	}
+}
+func TestDecodeHostConfig(t *testing.T) {
+	fixtures := []struct {
+		file string
+	}{
+		{"fixtures/unix/container_hostconfig_1_14.json"},
+		{"fixtures/unix/container_hostconfig_1_19.json"},
+	}
+
+	for _, f := range fixtures {
+		b, err := ioutil.ReadFile(f.file)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		c, err := decodeHostConfig(bytes.NewReader(b))
+		if err != nil {
+			t.Fatal(fmt.Errorf("Error parsing %s: %v", f, err))
+		}
+
+		assert.Check(t, !c.Privileged)
+
+		if l := len(c.Binds); l != 1 {
+			t.Fatalf("Expected 1 bind, found %d\n", l)
+		}
+
+		if len(c.CapAdd) != 1 && c.CapAdd[0] != "NET_ADMIN" {
+			t.Fatalf("Expected CapAdd NET_ADMIN, got %v", c.CapAdd)
+		}
+
+		if len(c.CapDrop) != 1 && c.CapDrop[0] != "NET_ADMIN" {
+			t.Fatalf("Expected CapDrop NET_ADMIN, got %v", c.CapDrop)
+		}
+	}
+}
+
+func TestValidateResources(t *testing.T) {
+	type resourceTest struct {
+		ConfigCPURealtimePeriod   int64
+		ConfigCPURealtimeRuntime  int64
+		SysInfoCPURealtimePeriod  bool
+		SysInfoCPURealtimeRuntime bool
+		ErrorExpected             bool
+		FailureMsg                string
+	}
+
+	tests := []resourceTest{
+		{
+			ConfigCPURealtimePeriod:   1000,
+			ConfigCPURealtimeRuntime:  1000,
+			SysInfoCPURealtimePeriod:  true,
+			SysInfoCPURealtimeRuntime: true,
+			ErrorExpected:             false,
+			FailureMsg:                "Expected valid configuration",
+		},
+		{
+			ConfigCPURealtimePeriod:   5000,
+			ConfigCPURealtimeRuntime:  5000,
+			SysInfoCPURealtimePeriod:  false,
+			SysInfoCPURealtimeRuntime: true,
+			ErrorExpected:             true,
+			FailureMsg:                "Expected failure when cpu-rt-period is set but kernel doesn't support it",
+		},
+		{
+			ConfigCPURealtimePeriod:   5000,
+			ConfigCPURealtimeRuntime:  5000,
+			SysInfoCPURealtimePeriod:  true,
+			SysInfoCPURealtimeRuntime: false,
+			ErrorExpected:             true,
+			FailureMsg:                "Expected failure when cpu-rt-runtime is set but kernel doesn't support it",
+		},
+		{
+			ConfigCPURealtimePeriod:   5000,
+			ConfigCPURealtimeRuntime:  10000,
+			SysInfoCPURealtimePeriod:  true,
+			SysInfoCPURealtimeRuntime: false,
+			ErrorExpected:             true,
+			FailureMsg:                "Expected failure when cpu-rt-runtime is greater than cpu-rt-period",
+		},
+	}
+
+	for _, rt := range tests {
+		var hc container.HostConfig
+		hc.Resources.CPURealtimePeriod = rt.ConfigCPURealtimePeriod
+		hc.Resources.CPURealtimeRuntime = rt.ConfigCPURealtimeRuntime
+
+		var si sysinfo.SysInfo
+		si.CPURealtimePeriod = rt.SysInfoCPURealtimePeriod
+		si.CPURealtimeRuntime = rt.SysInfoCPURealtimeRuntime
+
+		if err := validateResources(&hc, &si); (err != nil) != rt.ErrorExpected {
+			t.Fatal(rt.FailureMsg, err)
+		}
+	}
+}
diff --git a/engine/runconfig/hostconfig_unix.go b/engine/runconfig/hostconfig_unix.go
new file mode 100644
index 00000000..e579b06d
--- /dev/null
+++ b/engine/runconfig/hostconfig_unix.go
@@ -0,0 +1,110 @@
+// +build !windows
+
+package runconfig // import "github.com/docker/docker/runconfig"
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/sysinfo"
+)
+
+// DefaultDaemonNetworkMode returns the default network stack the daemon should
+// use.
+func DefaultDaemonNetworkMode() container.NetworkMode {
+	return container.NetworkMode("bridge")
+}
+
+// IsPreDefinedNetwork indicates if a network is predefined by the daemon
+func IsPreDefinedNetwork(network string) bool {
+	n := container.NetworkMode(network)
+	return n.IsBridge() || n.IsHost() || n.IsNone() || n.IsDefault()
+}
+
+// validateNetMode ensures that the various combinations of requested
+// network settings are valid.
+func validateNetMode(c *container.Config, hc *container.HostConfig) error {
+	// We may not be passed a host config, such as in the case of docker commit
+	if hc == nil {
+		return nil
+	}
+
+	err := validateNetContainerMode(c, hc)
+	if err != nil {
+		return err
+	}
+
+	if hc.UTSMode.IsHost() && c.Hostname != "" {
+		return ErrConflictUTSHostname
+	}
+
+	if hc.NetworkMode.IsHost() && len(hc.Links) > 0 {
+		return ErrConflictHostNetworkAndLinks
+	}
+
+	return nil
+}
+
+// validateIsolation performs platform specific validation of
+// isolation in the hostconfig structure. Linux only supports "default"
+// which is LXC container isolation
+func validateIsolation(hc *container.HostConfig) error {
+	// We may not be passed a host config, such as in the case of docker commit
+	if hc == nil {
+		return nil
+	}
+	if !hc.Isolation.IsValid() {
+		return fmt.Errorf("Invalid isolation: %q - %s only supports 'default'", hc.Isolation, runtime.GOOS)
+	}
+	return nil
+}
+
+// validateQoS performs platform specific validation of the QoS settings
+func validateQoS(hc *container.HostConfig) error {
+	// We may not be passed a host config, such as in the case of docker commit
+	if hc == nil {
+		return nil
+	}
+
+	if hc.IOMaximumBandwidth != 0 {
+		return fmt.Errorf("Invalid QoS settings: %s does not support configuration of maximum bandwidth", runtime.GOOS)
+	}
+
+	if hc.IOMaximumIOps != 0 {
+		return fmt.Errorf("Invalid QoS settings: %s does not support configuration of maximum IOPs", runtime.GOOS)
+	}
+	return nil
+}
+
+// validateResources performs platform specific validation of the resource settings
+// cpu-rt-runtime and cpu-rt-period can not be greater than their parent, cpu-rt-runtime requires sys_nice
+func validateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
+	// We may not be passed a host config, such as in the case of docker commit
+	if hc == nil {
+		return nil
+	}
+
+	if hc.Resources.CPURealtimePeriod > 0 && !si.CPURealtimePeriod {
+		return fmt.Errorf("Your kernel does not support cgroup cpu real-time period")
+	}
+
+	if hc.Resources.CPURealtimeRuntime > 0 && !si.CPURealtimeRuntime {
+		return fmt.Errorf("Your kernel does not support cgroup cpu real-time runtime")
+	}
+
+	if hc.Resources.CPURealtimePeriod != 0 && hc.Resources.CPURealtimeRuntime != 0 && hc.Resources.CPURealtimeRuntime > hc.Resources.CPURealtimePeriod {
+		return fmt.Errorf("cpu real-time runtime cannot be higher than cpu real-time period")
+	}
+	return nil
+}
+
+// validatePrivileged performs platform specific validation of the Privileged setting
+func validatePrivileged(hc *container.HostConfig) error {
+	return nil
+}
+
+// validateReadonlyRootfs performs platform specific validation of the ReadonlyRootfs setting
+func validateReadonlyRootfs(hc *container.HostConfig) error {
+	return nil
+}
diff --git a/engine/runconfig/hostconfig_windows.go b/engine/runconfig/hostconfig_windows.go
new file mode 100644
index 00000000..33a4668a
--- /dev/null
+++ b/engine/runconfig/hostconfig_windows.go
@@ -0,0 +1,96 @@
+package runconfig // import "github.com/docker/docker/runconfig"
+
+import (
+	"fmt"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/pkg/sysinfo"
+)
+
+// DefaultDaemonNetworkMode returns the default network stack the daemon should
+// use.
+func DefaultDaemonNetworkMode() container.NetworkMode {
+	return container.NetworkMode("nat")
+}
+
+// IsPreDefinedNetwork indicates if a network is predefined by the daemon
+func IsPreDefinedNetwork(network string) bool {
+	return !container.NetworkMode(network).IsUserDefined()
+}
+
+// validateNetMode ensures that the various combinations of requested
+// network settings are valid.
+func validateNetMode(c *container.Config, hc *container.HostConfig) error {
+	if hc == nil {
+		return nil
+	}
+
+	err := validateNetContainerMode(c, hc)
+	if err != nil {
+		return err
+	}
+
+	if hc.NetworkMode.IsContainer() && hc.Isolation.IsHyperV() {
+		return fmt.Errorf("Using the network stack of another container is not supported while using Hyper-V Containers")
+	}
+
+	return nil
+}
+
+// validateIsolation performs platform specific validation of the
+// isolation in the hostconfig structure. Windows supports 'default' (or
+// blank), 'process', or 'hyperv'.
+func validateIsolation(hc *container.HostConfig) error {
+	// We may not be passed a host config, such as in the case of docker commit
+	if hc == nil {
+		return nil
+	}
+	if !hc.Isolation.IsValid() {
+		return fmt.Errorf("Invalid isolation: %q. Windows supports 'default', 'process', or 'hyperv'", hc.Isolation)
+	}
+	return nil
+}
+
+// validateQoS performs platform specific validation of the Qos settings
+func validateQoS(hc *container.HostConfig) error {
+	return nil
+}
+
+// validateResources performs platform specific validation of the resource settings
+func validateResources(hc *container.HostConfig, si *sysinfo.SysInfo) error {
+	// We may not be passed a host config, such as in the case of docker commit
+	if hc == nil {
+		return nil
+	}
+	if hc.Resources.CPURealtimePeriod != 0 {
+		return fmt.Errorf("Windows does not support CPU real-time period")
+	}
+	if hc.Resources.CPURealtimeRuntime != 0 {
+		return fmt.Errorf("Windows does not support CPU real-time runtime")
+	}
+	return nil
+}
+
+// validatePrivileged performs platform specific validation of the Privileged setting
+func validatePrivileged(hc *container.HostConfig) error {
+	// We may not be passed a host config, such as in the case of docker commit
+	if hc == nil {
+		return nil
+	}
+	if hc.Privileged {
+		return fmt.Errorf("Windows does not support privileged mode")
+	}
+	return nil
+}
+
+// validateReadonlyRootfs performs platform specific validation of the ReadonlyRootfs setting
+func validateReadonlyRootfs(hc *container.HostConfig) error {
+	// We may not be passed a host config, such as in the case of docker commit
+	if hc == nil {
+		return nil
+	}
+	if hc.ReadonlyRootfs {
+		return fmt.Errorf("Windows does not support root filesystem in read-only mode")
+	}
+	return nil
+}
diff --git a/engine/runconfig/hostconfig_windows_test.go b/engine/runconfig/hostconfig_windows_test.go
new file mode 100644
index 00000000..d7a480f3
--- /dev/null
+++ b/engine/runconfig/hostconfig_windows_test.go
@@ -0,0 +1,17 @@
+// +build windows
+
+package runconfig // import "github.com/docker/docker/runconfig"
+
+import (
+	"testing"
+
+	"github.com/docker/docker/api/types/container"
+)
+
+func TestValidatePrivileged(t *testing.T) {
+	expected := "Windows does not support privileged mode"
+	err := validatePrivileged(&container.HostConfig{Privileged: true})
+	if err == nil || err.Error() != expected {
+		t.Fatalf("Expected %s", expected)
+	}
+}
diff --git a/engine/runconfig/opts/parse.go b/engine/runconfig/opts/parse.go
new file mode 100644
index 00000000..8f7baeb6
--- /dev/null
+++ b/engine/runconfig/opts/parse.go
@@ -0,0 +1,20 @@
+package opts // import "github.com/docker/docker/runconfig/opts"
+
+import (
+	"strings"
+)
+
+// ConvertKVStringsToMap converts ["key=value"] to {"key":"value"}
+func ConvertKVStringsToMap(values []string) map[string]string {
+	result := make(map[string]string, len(values))
+	for _, value := range values {
+		kv := strings.SplitN(value, "=", 2)
+		if len(kv) == 1 {
+			result[kv[0]] = ""
+		} else {
+			result[kv[0]] = kv[1]
+		}
+	}
+
+	return result
+}
diff --git a/engine/vendor.conf b/engine/vendor.conf
new file mode 100644
index 00000000..dd026d14
--- /dev/null
+++ b/engine/vendor.conf
@@ -0,0 +1,164 @@
+# the following lines are in sorted order, FYI
+github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109
+github.com/Microsoft/hcsshim v0.6.11
+github.com/Microsoft/go-winio v0.4.8
+github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a
+github.com/go-check/check 4ed411733c5785b40214c70bce814c3a3a689609 https://github.com/cpuguy83/check.git
+github.com/golang/gddo 9b12a26f3fbd7397dee4e20939ddca719d840d2a
+github.com/gorilla/context v1.1
+github.com/gorilla/mux v1.1
+github.com/Microsoft/opengcs v0.3.6
+github.com/kr/pty 5cf931ef8f
+github.com/mattn/go-shellwords v1.0.3
+github.com/sirupsen/logrus v1.0.3
+github.com/tchap/go-patricia v2.2.6
+github.com/vdemeester/shakers 24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3
+golang.org/x/net 0ed95abb35c445290478a5348a7b38bb154135fd
+golang.org/x/sys 37707fdb30a5b38865cfb95e5aab41707daec7fd
+github.com/docker/go-units 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1
+github.com/docker/go-connections 7beb39f0b969b075d1325fecb092faf27fd357b6
+golang.org/x/text f72d8390a633d5dfb0cc84043294db9f6c935756
+gotest.tools v2.1.0
+github.com/google/go-cmp v0.2.0
+
+github.com/RackSec/srslog 456df3a81436d29ba874f3590eeeee25d666f8a5
+github.com/imdario/mergo v0.3.5
+golang.org/x/sync fd80eb99c8f653c847d294a001bdf2a3a6f768f5
+
+# buildkit
+github.com/moby/buildkit 98f1604134f945d48538ffca0e18662337b4a850
+github.com/tonistiigi/fsutil 8abad97ee3969cdf5e9c367f46adba2c212b3ddb
+github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
+github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
+github.com/google/shlex 6f45313302b9c56850fc17f99e40caebce98c716
+github.com/opentracing-contrib/go-stdlib  b1a47cfbdd7543e70e9ef3e73d0802ad306cc1cc
+github.com/mitchellh/hashstructure 2bca23e0e452137f789efbc8610126fd8b94f73b
+
+#get libnetwork packages
+
+# When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy accordingly
+github.com/docker/libnetwork d00ceed44cc447c77f25cdf5d59e83163bdcb4c9
+github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
+github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
+github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
+github.com/hashicorp/go-msgpack 71c2886f5a673a35f909803f38ece5810165097b
+github.com/hashicorp/memberlist 3d8438da9589e7b608a83ffac1ef8211486bcb7c
+github.com/sean-/seed e2103e2c35297fb7e17febb81e49b312087a2372
+github.com/hashicorp/go-sockaddr 6d291a969b86c4b633730bfc6b8b9d64c3aafed9
+github.com/hashicorp/go-multierror fcdddc395df1ddf4247c69bd436e84cfa0733f7e
+github.com/hashicorp/serf 598c54895cc5a7b1a24a398d635e8c0ea0959870
+github.com/docker/libkv 1d8431073ae03cdaedb198a89722f3aab6d418ef
+github.com/vishvananda/netns 604eaf189ee867d8c147fafc28def2394e878d25
+github.com/vishvananda/netlink b2de5d10e38ecce8607e6b438b6d174f389a004e
+
+# When updating, consider updating TOMLV_COMMIT in hack/dockerfile/install/tomlv accordingly
+github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895
+github.com/samuel/go-zookeeper d0e0d8e11f318e000a8cc434616d69e329edc374
+github.com/deckarep/golang-set ef32fa3046d9f249d399f98ebaf9be944430fd1d
+github.com/coreos/etcd v3.2.1
+github.com/coreos/go-semver v0.2.0
+github.com/ugorji/go f1f1a805ed361a0e078bb537e4ea78cd37dcf065
+github.com/hashicorp/consul v0.5.2
+github.com/boltdb/bolt fff57c100f4dea1905678da7e90d92429dff2904
+github.com/miekg/dns v1.0.7
+github.com/ishidawataru/sctp 07191f837fedd2f13d1ec7b5f885f0f3ec54b1cb
+
+# get graph and distribution packages
+github.com/docker/distribution 83389a148052d74ac602f5f1d62f86ff2f3c4aa5
+github.com/vbatts/tar-split v0.10.2
+github.com/opencontainers/go-digest v1.0.0-rc1
+
+# get go-zfs packages
+github.com/mistifyio/go-zfs 22c9b32c84eb0d0c6f4043b6e90fc94073de92fa
+github.com/pborman/uuid v1.0
+
+google.golang.org/grpc v1.12.0
+
+# This does not need to match RUNC_COMMIT as it is used for helper packages but should be newer or equal
+github.com/opencontainers/runc ad0f5255060d36872be04de22f8731f38ef2d7b1
+github.com/opencontainers/runtime-spec v1.0.1
+github.com/opencontainers/image-spec v1.0.1
+github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
+
+# libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
+github.com/coreos/go-systemd v17
+github.com/godbus/dbus v4.0.0
+github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852
+github.com/golang/protobuf v1.1.0
+
+# gelf logging driver deps
+github.com/Graylog2/go-gelf 4143646226541087117ff2f83334ea48b3201841
+
+github.com/fluent/fluent-logger-golang v1.3.0
+# fluent-logger-golang deps
+github.com/philhofer/fwd 98c11a7a6ec829d672b03833c3d69a7fae1ca972
+github.com/tinylib/msgp 3b556c64540842d4f82967be066a7f7fffc3adad
+
+# fsnotify
+github.com/fsnotify/fsnotify 4da3e2cfbabc9f751898f250b49f2439785783a1
+
+# awslogs deps
+github.com/aws/aws-sdk-go v1.12.66
+github.com/go-ini/ini v1.25.4
+github.com/jmespath/go-jmespath 0b12d6b521d83fc7f755e7cfc1b1fbdd35a01a74
+
+# logentries
+github.com/bsphere/le_go 7a984a84b5492ae539b79b62fb4a10afc63c7bcf
+
+# gcplogs deps
+golang.org/x/oauth2 ec22f46f877b4505e0117eeaab541714644fdd28
+google.golang.org/api de943baf05a022a8f921b544b7827bacaba1aed5
+go.opencensus.io v0.11.0
+cloud.google.com/go v0.23.0
+github.com/googleapis/gax-go v2.0.0
+google.golang.org/genproto 694d95ba50e67b2e363f3483057db5d4910c18f9
+
+# containerd
+github.com/containerd/containerd b41633746ed4833f52c3c071e8edcfa2713e5677
+github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
+github.com/containerd/continuity d3c23511c1bf5851696cba83143d9cbcd666869b
+github.com/containerd/cgroups fe281dd265766145e943a034aa41086474ea6130
+github.com/containerd/console 5d1b48d6114b8c9666f0c8b916f871af97b0a761
+github.com/containerd/go-runc f271fa2021de855d4d918dbef83c5fe19db1bdd
+github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
+github.com/containerd/ttrpc 94dde388801693c54f88a6596f713b51a8b30b2d
+github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
+
+# cluster
+github.com/docker/swarmkit 8852e8840e30d69db0b39a4a3d6447362e17c64f
+github.com/gogo/protobuf v1.0.0
+github.com/cloudflare/cfssl 7fb22c8cba7ecaf98e4082d22d65800cf45e042a
+github.com/fernet/fernet-go 1b2437bc582b3cfbb341ee5a29f8ef5b42912ff2
+github.com/google/certificate-transparency d90e65c3a07988180c5b1ece71791c0b6506826e
+golang.org/x/crypto 1a580b3eff7814fc9b40602fd35256c63b50f491
+golang.org/x/time a4bde12657593d5e90d0533a3e4fd95e635124cb
+github.com/hashicorp/go-memdb cb9a474f84cc5e41b273b20c6927680b2a8776ad
+github.com/hashicorp/go-immutable-radix 826af9ccf0feeee615d546d69b11f8e98da8c8f1 git://github.com/tonistiigi/go-immutable-radix.git
+github.com/hashicorp/golang-lru a0d98a5f288019575c6d1f4bb1573fef2d1fcdc4
+github.com/coreos/pkg fa29b1d70f0beaddd4c7021607cc3c3be8ce94b8
+github.com/pivotal-golang/clock 3fd3c1944c59d9742e1cd333672181cd1a6f9fa0
+github.com/prometheus/client_golang 52437c81da6b127a9925d17eb3a382a2e5fd395e
+github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
+github.com/prometheus/client_model fa8ad6fec33561be4280a8f0514318c79d7f6cb6
+github.com/prometheus/common ebdfc6da46522d58825777cf1f90490a5b1ef1d8
+github.com/prometheus/procfs abf152e5f3e97f2fafac028d2cc06c1feb87ffa5
+github.com/matttproud/golang_protobuf_extensions v1.0.0
+github.com/pkg/errors 839d9e913e063e28dfd0e6c7b7512793e0a48be9
+github.com/grpc-ecosystem/go-grpc-prometheus 6b7015e65d366bf3f19b2b2a000a831940f0f7e0
+
+# cli
+github.com/spf13/cobra v0.0.3
+github.com/spf13/pflag v1.0.1
+github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
+github.com/Nvveen/Gotty a8b993ba6abdb0e0c12b0125c603323a71c7790c https://github.com/ijc25/Gotty
+
+# metrics
+github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18
+
+github.com/opencontainers/selinux b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd
+
+
+# archive/tar (for Go 1.10, see https://github.com/golang/go/issues/24787)
+# mkdir -p ./vendor/archive
+# git clone -b go-1.10 --depth=1 git@github.com:kolyshkin/go-tar.git ./vendor/archive/tar
+# vndr # to clean up test files
diff --git a/engine/vendor/github.com/Graylog2/go-gelf/LICENSE b/engine/vendor/github.com/Graylog2/go-gelf/LICENSE
new file mode 100644
index 00000000..bc756ae3
--- /dev/null
+++ b/engine/vendor/github.com/Graylog2/go-gelf/LICENSE
@@ -0,0 +1,21 @@
+Copyright 2012 SocialCode
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
diff --git a/engine/vendor/github.com/Graylog2/go-gelf/README.md b/engine/vendor/github.com/Graylog2/go-gelf/README.md
new file mode 100644
index 00000000..81d56121
--- /dev/null
+++ b/engine/vendor/github.com/Graylog2/go-gelf/README.md
@@ -0,0 +1,117 @@
+go-gelf - GELF Library and Writer for Go
+========================================
+
+[GELF] (Graylog Extended Log Format) is an application-level logging
+protocol that avoids many of the shortcomings of [syslog]. While it
+can be run over any stream or datagram transport protocol, it has
+special support ([chunking]) to allow long messages to be split over
+multiple datagrams.
+
+Versions
+--------
+
+In order to enable versionning of this package with Go, this project
+is using GoPkg.in. The default branch of this project will be v1
+for some time to prevent breaking clients. We encourage all project
+to change their imports to the new GoPkg.in URIs as soon as possible.
+
+To see up to date code, make sure to switch to the master branch.
+
+v1.0.0
+------
+
+This implementation currently supports UDP and TCP as a transport
+protocol. TLS is unsupported.
+
+The library provides an API that applications can use to log messages
+directly to a Graylog server and an `io.Writer` that can be used to
+redirect the standard library's log messages (`os.Stdout`) to a
+Graylog server.
+
+[GELF]: http://docs.graylog.org/en/2.2/pages/gelf.html
+[syslog]: https://tools.ietf.org/html/rfc5424
+[chunking]: http://docs.graylog.org/en/2.2/pages/gelf.html#chunked-gelf
+
+
+Installing
+----------
+
+go-gelf is go get-able:
+
+    go get gopkg.in/Graylog2/go-gelf.v1/gelf
+
+    or
+
+    go get github.com/Graylog2/go-gelf/gelf
+
+This will get you version 1.0.0, with only UDP support and legacy API.
+Newer versions are available through GoPkg.in:
+
+    go get gopkg.in/Graylog2/go-gelf.v2/gelf
+
+Usage
+-----
+
+The easiest way to integrate graylog logging into your go app is by
+having your `main` function (or even `init`) call `log.SetOutput()`.
+By using an `io.MultiWriter`, we can log to both stdout and graylog -
+giving us both centralized and local logs.  (Redundancy is nice).
+
+```golang
+package main
+
+import (
+  "flag"
+  "gopkg.in/Graylog2/go-gelf.v2/gelf"
+  "io"
+  "log"
+  "os"
+)
+
+func main() {
+  var graylogAddr string
+
+  flag.StringVar(&graylogAddr, "graylog", "", "graylog server addr")
+  flag.Parse()
+
+  if graylogAddr != "" {
+          // If using UDP
+    gelfWriter, err := gelf.NewUDPWriter(graylogAddr)
+          // If using TCP
+          //gelfWriter, err := gelf.NewTCPWriter(graylogAddr)
+    if err != nil {
+      log.Fatalf("gelf.NewWriter: %s", err)
+    }
+    // log to both stderr and graylog2
+    log.SetOutput(io.MultiWriter(os.Stderr, gelfWriter))
+    log.Printf("logging to stderr & graylog2@'%s'", graylogAddr)
+  }
+
+  // From here on out, any calls to log.Print* functions
+  // will appear on stdout, and be sent over UDP or TCP to the
+  // specified Graylog2 server.
+
+  log.Printf("Hello gray World")
+
+  // ...
+}
+```
+The above program can be invoked as:
+
+    go run test.go -graylog=localhost:12201
+
+When using UDP messages may be dropped or re-ordered. However, Graylog
+server availability will not impact application performance; there is
+a small, fixed overhead per log call regardless of whether the target
+server is reachable or not.
+
+
+To Do
+-----
+
+- WriteMessage example
+
+License
+-------
+
+go-gelf is offered under the MIT license, see LICENSE for details.
diff --git a/engine/vendor/github.com/Graylog2/go-gelf/gelf/message.go b/engine/vendor/github.com/Graylog2/go-gelf/gelf/message.go
new file mode 100644
index 00000000..4e5a05ec
--- /dev/null
+++ b/engine/vendor/github.com/Graylog2/go-gelf/gelf/message.go
@@ -0,0 +1,147 @@
+package gelf
+
+import (
+	"bytes"
+	"encoding/json"
+	"time"
+)
+
+// Message represents the contents of the GELF message.  It is gzipped
+// before sending.
+type Message struct {
+	Version  string                 `json:"version"`
+	Host     string                 `json:"host"`
+	Short    string                 `json:"short_message"`
+	Full     string                 `json:"full_message,omitempty"`
+	TimeUnix float64                `json:"timestamp"`
+	Level    int32                  `json:"level,omitempty"`
+	Facility string                 `json:"facility,omitempty"`
+	Extra    map[string]interface{} `json:"-"`
+	RawExtra json.RawMessage        `json:"-"`
+}
+
+// Syslog severity levels
+const (
+	LOG_EMERG   = 0
+	LOG_ALERT   = 1
+	LOG_CRIT    = 2
+	LOG_ERR     = 3
+	LOG_WARNING = 4
+	LOG_NOTICE  = 5
+	LOG_INFO    = 6
+	LOG_DEBUG   = 7
+)
+
+func (m *Message) MarshalJSONBuf(buf *bytes.Buffer) error {
+	b, err := json.Marshal(m)
+	if err != nil {
+		return err
+	}
+	// write up until the final }
+	if _, err = buf.Write(b[:len(b)-1]); err != nil {
+		return err
+	}
+	if len(m.Extra) > 0 {
+		eb, err := json.Marshal(m.Extra)
+		if err != nil {
+			return err
+		}
+		// merge serialized message + serialized extra map
+		if err = buf.WriteByte(','); err != nil {
+			return err
+		}
+		// write serialized extra bytes, without enclosing quotes
+		if _, err = buf.Write(eb[1 : len(eb)-1]); err != nil {
+			return err
+		}
+	}
+
+	if len(m.RawExtra) > 0 {
+		if err := buf.WriteByte(','); err != nil {
+			return err
+		}
+
+		// write serialized extra bytes, without enclosing quotes
+		if _, err = buf.Write(m.RawExtra[1 : len(m.RawExtra)-1]); err != nil {
+			return err
+		}
+	}
+
+	// write final closing quotes
+	return buf.WriteByte('}')
+}
+
+func (m *Message) UnmarshalJSON(data []byte) error {
+	i := make(map[string]interface{}, 16)
+	if err := json.Unmarshal(data, &i); err != nil {
+		return err
+	}
+	for k, v := range i {
+		if k[0] == '_' {
+			if m.Extra == nil {
+				m.Extra = make(map[string]interface{}, 1)
+			}
+			m.Extra[k] = v
+			continue
+		}
+		switch k {
+		case "version":
+			m.Version = v.(string)
+		case "host":
+			m.Host = v.(string)
+		case "short_message":
+			m.Short = v.(string)
+		case "full_message":
+			m.Full = v.(string)
+		case "timestamp":
+			m.TimeUnix = v.(float64)
+		case "level":
+			m.Level = int32(v.(float64))
+		case "facility":
+			m.Facility = v.(string)
+		}
+	}
+	return nil
+}
+
+func (m *Message) toBytes() (messageBytes []byte, err error) {
+	buf := newBuffer()
+	defer bufPool.Put(buf)
+	if err = m.MarshalJSONBuf(buf); err != nil {
+		return nil, err
+	}
+	messageBytes = buf.Bytes()
+	return messageBytes, nil
+}
+
+func constructMessage(p []byte, hostname string, facility string, file string, line int) (m *Message) {
+	// remove trailing and leading whitespace
+	p = bytes.TrimSpace(p)
+
+	// If there are newlines in the message, use the first line
+	// for the short message and set the full message to the
+	// original input.  If the input has no newlines, stick the
+	// whole thing in Short.
+	short := p
+	full := []byte("")
+	if i := bytes.IndexRune(p, '\n'); i > 0 {
+		short = p[:i]
+		full = p
+	}
+
+	m = &Message{
+		Version:  "1.1",
+		Host:     hostname,
+		Short:    string(short),
+		Full:     string(full),
+		TimeUnix: float64(time.Now().Unix()),
+		Level:    6, // info
+		Facility: facility,
+		Extra: map[string]interface{}{
+			"_file": file,
+			"_line": line,
+		},
+	}
+
+	return m
+}
diff --git a/engine/vendor/github.com/Graylog2/go-gelf/gelf/reader.go b/engine/vendor/github.com/Graylog2/go-gelf/gelf/reader.go
new file mode 100644
index 00000000..ff719fc7
--- /dev/null
+++ b/engine/vendor/github.com/Graylog2/go-gelf/gelf/reader.go
@@ -0,0 +1,140 @@
+// Copyright 2012 SocialCode. All rights reserved.
+// Use of this source code is governed by the MIT
+// license that can be found in the LICENSE file.
+
+package gelf
+
+import (
+	"bytes"
+	"compress/gzip"
+	"compress/zlib"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"strings"
+	"sync"
+)
+
+type Reader struct {
+	mu   sync.Mutex
+	conn net.Conn
+}
+
+func NewReader(addr string) (*Reader, error) {
+	var err error
+	udpAddr, err := net.ResolveUDPAddr("udp", addr)
+	if err != nil {
+		return nil, fmt.Errorf("ResolveUDPAddr('%s'): %s", addr, err)
+	}
+
+	conn, err := net.ListenUDP("udp", udpAddr)
+	if err != nil {
+		return nil, fmt.Errorf("ListenUDP: %s", err)
+	}
+
+	r := new(Reader)
+	r.conn = conn
+	return r, nil
+}
+
+func (r *Reader) Addr() string {
+	return r.conn.LocalAddr().String()
+}
+
+// FIXME: this will discard data if p isn't big enough to hold the
+// full message.
+func (r *Reader) Read(p []byte) (int, error) {
+	msg, err := r.ReadMessage()
+	if err != nil {
+		return -1, err
+	}
+
+	var data string
+
+	if msg.Full == "" {
+		data = msg.Short
+	} else {
+		data = msg.Full
+	}
+
+	return strings.NewReader(data).Read(p)
+}
+
+func (r *Reader) ReadMessage() (*Message, error) {
+	cBuf := make([]byte, ChunkSize)
+	var (
+		err        error
+		n, length  int
+		cid, ocid  []byte
+		seq, total uint8
+		cHead      []byte
+		cReader    io.Reader
+		chunks     [][]byte
+	)
+
+	for got := 0; got < 128 && (total == 0 || got < int(total)); got++ {
+		if n, err = r.conn.Read(cBuf); err != nil {
+			return nil, fmt.Errorf("Read: %s", err)
+		}
+		cHead, cBuf = cBuf[:2], cBuf[:n]
+
+		if bytes.Equal(cHead, magicChunked) {
+			//fmt.Printf("chunked %v\n", cBuf[:14])
+			cid, seq, total = cBuf[2:2+8], cBuf[2+8], cBuf[2+8+1]
+			if ocid != nil && !bytes.Equal(cid, ocid) {
+				return nil, fmt.Errorf("out-of-band message %v (awaited %v)", cid, ocid)
+			} else if ocid == nil {
+				ocid = cid
+				chunks = make([][]byte, total)
+			}
+			n = len(cBuf) - chunkedHeaderLen
+			//fmt.Printf("setting chunks[%d]: %d\n", seq, n)
+			chunks[seq] = append(make([]byte, 0, n), cBuf[chunkedHeaderLen:]...)
+			length += n
+		} else { //not chunked
+			if total > 0 {
+				return nil, fmt.Errorf("out-of-band message (not chunked)")
+			}
+			break
+		}
+	}
+	//fmt.Printf("\nchunks: %v\n", chunks)
+
+	if length > 0 {
+		if cap(cBuf) < length {
+			cBuf = append(cBuf, make([]byte, 0, length-cap(cBuf))...)
+		}
+		cBuf = cBuf[:0]
+		for i := range chunks {
+			//fmt.Printf("appending %d %v\n", i, chunks[i])
+			cBuf = append(cBuf, chunks[i]...)
+		}
+		cHead = cBuf[:2]
+	}
+
+	// the data we get from the wire is compressed
+	if bytes.Equal(cHead, magicGzip) {
+		cReader, err = gzip.NewReader(bytes.NewReader(cBuf))
+	} else if cHead[0] == magicZlib[0] &&
+		(int(cHead[0])*256+int(cHead[1]))%31 == 0 {
+		// zlib is slightly more complicated, but correct
+		cReader, err = zlib.NewReader(bytes.NewReader(cBuf))
+	} else {
+		// compliance with https://github.com/Graylog2/graylog2-server
+		// treating all messages as uncompressed if  they are not gzip, zlib or
+		// chunked
+		cReader = bytes.NewReader(cBuf)
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf("NewReader: %s", err)
+	}
+
+	msg := new(Message)
+	if err := json.NewDecoder(cReader).Decode(&msg); err != nil {
+		return nil, fmt.Errorf("json.Unmarshal: %s", err)
+	}
+
+	return msg, nil
+}
diff --git a/engine/vendor/github.com/Graylog2/go-gelf/gelf/tcpreader.go b/engine/vendor/github.com/Graylog2/go-gelf/gelf/tcpreader.go
new file mode 100644
index 00000000..74255ec3
--- /dev/null
+++ b/engine/vendor/github.com/Graylog2/go-gelf/gelf/tcpreader.go
@@ -0,0 +1,156 @@
+package gelf
+
+import (
+	"bufio"
+	"encoding/json"
+	"fmt"
+	"net"
+	"time"
+)
+
+type TCPReader struct {
+	listener *net.TCPListener
+	conn     net.Conn
+	messages chan []byte
+}
+
+type connChannels struct {
+	drop    chan string
+	confirm chan string
+}
+
+func newTCPReader(addr string) (*TCPReader, chan string, chan string, error) {
+	var err error
+	tcpAddr, err := net.ResolveTCPAddr("tcp", addr)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("ResolveTCPAddr('%s'): %s", addr, err)
+	}
+
+	listener, err := net.ListenTCP("tcp", tcpAddr)
+	if err != nil {
+		return nil, nil, nil, fmt.Errorf("ListenTCP: %s", err)
+	}
+
+	r := &TCPReader{
+		listener: listener,
+		messages: make(chan []byte, 100), // Make a buffered channel with at most 100 messages
+	}
+
+	closeSignal := make(chan string, 1)
+	doneSignal := make(chan string, 1)
+
+	go r.listenUntilCloseSignal(closeSignal, doneSignal)
+
+	return r, closeSignal, doneSignal, nil
+}
+
+func (r *TCPReader) accepter(connections chan net.Conn) {
+	for {
+		conn, err := r.listener.Accept()
+		if err != nil {
+			break
+		}
+		connections <- conn
+	}
+}
+
+func (r *TCPReader) listenUntilCloseSignal(closeSignal chan string, doneSignal chan string) {
+	defer func() { doneSignal <- "done" }()
+	defer r.listener.Close()
+	var conns []connChannels
+	connectionsChannel := make(chan net.Conn, 1)
+	go r.accepter(connectionsChannel)
+	for {
+		select {
+		case conn := <-connectionsChannel:
+			dropSignal := make(chan string, 1)
+			dropConfirm := make(chan string, 1)
+			channels := connChannels{drop: dropSignal, confirm: dropConfirm}
+			go handleConnection(conn, r.messages, dropSignal, dropConfirm)
+			conns = append(conns, channels)
+		default:
+		}
+
+		select {
+		case sig := <-closeSignal:
+			if sig == "stop" || sig == "drop" {
+				if len(conns) >= 1 {
+					for _, s := range conns {
+						if s.drop != nil {
+							s.drop <- "drop"
+							<-s.confirm
+							conns = append(conns[:0], conns[1:]...)
+						}
+					}
+					if sig == "stop" {
+						return
+					}
+				} else if sig == "stop" {
+					closeSignal <- "stop"
+				}
+				if sig == "drop" {
+					doneSignal <- "done"
+				}
+			}
+		default:
+		}
+	}
+}
+
+func (r *TCPReader) addr() string {
+	return r.listener.Addr().String()
+}
+
+func handleConnection(conn net.Conn, messages chan<- []byte, dropSignal chan string, dropConfirm chan string) {
+	defer func() { dropConfirm <- "done" }()
+	defer conn.Close()
+	reader := bufio.NewReader(conn)
+
+	var b []byte
+	var err error
+	drop := false
+	canDrop := false
+
+	for {
+		conn.SetDeadline(time.Now().Add(2 * time.Second))
+		if b, err = reader.ReadBytes(0); err != nil {
+			if drop {
+				return
+			}
+		} else if len(b) > 0 {
+			messages <- b
+			canDrop = true
+			if drop {
+				return
+			}
+		} else if drop {
+			return
+		}
+		select {
+		case sig := <-dropSignal:
+			if sig == "drop" {
+				drop = true
+				time.Sleep(1 * time.Second)
+				if canDrop {
+					return
+				}
+			}
+		default:
+		}
+	}
+}
+
+func (r *TCPReader) readMessage() (*Message, error) {
+	b := <-r.messages
+
+	var msg Message
+	if err := json.Unmarshal(b[:len(b)-1], &msg); err != nil {
+		return nil, fmt.Errorf("json.Unmarshal: %s", err)
+	}
+
+	return &msg, nil
+}
+
+func (r *TCPReader) Close() {
+	r.listener.Close()
+}
diff --git a/engine/vendor/github.com/Graylog2/go-gelf/gelf/tcpwriter.go b/engine/vendor/github.com/Graylog2/go-gelf/gelf/tcpwriter.go
new file mode 100644
index 00000000..da1390d1
--- /dev/null
+++ b/engine/vendor/github.com/Graylog2/go-gelf/gelf/tcpwriter.go
@@ -0,0 +1,105 @@
+package gelf
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"sync"
+	"time"
+)
+
+const (
+	DefaultMaxReconnect   = 3
+	DefaultReconnectDelay = 1
+)
+
+type TCPWriter struct {
+	GelfWriter
+	mu             sync.Mutex
+	MaxReconnect   int
+	ReconnectDelay time.Duration
+}
+
+func NewTCPWriter(addr string) (*TCPWriter, error) {
+	var err error
+	w := new(TCPWriter)
+	w.MaxReconnect = DefaultMaxReconnect
+	w.ReconnectDelay = DefaultReconnectDelay
+	w.proto = "tcp"
+	w.addr = addr
+
+	if w.conn, err = net.Dial("tcp", addr); err != nil {
+		return nil, err
+	}
+	if w.hostname, err = os.Hostname(); err != nil {
+		return nil, err
+	}
+
+	return w, nil
+}
+
+// WriteMessage sends the specified message to the GELF server
+// specified in the call to New().  It assumes all the fields are
+// filled out appropriately.  In general, clients will want to use
+// Write, rather than WriteMessage.
+func (w *TCPWriter) WriteMessage(m *Message) (err error) {
+	messageBytes, err := m.toBytes()
+	if err != nil {
+		return err
+	}
+
+	messageBytes = append(messageBytes, 0)
+
+	n, err := w.writeToSocketWithReconnectAttempts(messageBytes)
+	if err != nil {
+		return err
+	}
+	if n != len(messageBytes) {
+		return fmt.Errorf("bad write (%d/%d)", n, len(messageBytes))
+	}
+
+	return nil
+}
+
+func (w *TCPWriter) Write(p []byte) (n int, err error) {
+	file, line := getCallerIgnoringLogMulti(1)
+
+	m := constructMessage(p, w.hostname, w.Facility, file, line)
+
+	if err = w.WriteMessage(m); err != nil {
+		return 0, err
+	}
+
+	return len(p), nil
+}
+
+func (w *TCPWriter) writeToSocketWithReconnectAttempts(zBytes []byte) (n int, err error) {
+	var errConn error
+	var i int
+
+	w.mu.Lock()
+	for i = 0; i <= w.MaxReconnect; i++ {
+		errConn = nil
+
+		if w.conn != nil {
+			n, err = w.conn.Write(zBytes)
+		} else {
+			err = fmt.Errorf("Connection was nil, will attempt reconnect")
+		}
+		if err != nil {
+			time.Sleep(w.ReconnectDelay * time.Second)
+			w.conn, errConn = net.Dial("tcp", w.addr)
+		} else {
+			break
+		}
+	}
+	w.mu.Unlock()
+
+	if i > w.MaxReconnect {
+		return 0, fmt.Errorf("Maximum reconnection attempts was reached; giving up")
+	}
+	if errConn != nil {
+		return 0, fmt.Errorf("Write Failed: %s\nReconnection failed: %s", err, errConn)
+	}
+	return n, nil
+}
diff --git a/engine/vendor/github.com/Graylog2/go-gelf/gelf/udpwriter.go b/engine/vendor/github.com/Graylog2/go-gelf/gelf/udpwriter.go
new file mode 100644
index 00000000..23bbd5e5
--- /dev/null
+++ b/engine/vendor/github.com/Graylog2/go-gelf/gelf/udpwriter.go
@@ -0,0 +1,231 @@
+// Copyright 2012 SocialCode. All rights reserved.
+// Use of this source code is governed by the MIT
+// license that can be found in the LICENSE file.
+
+package gelf
+
+import (
+	"bytes"
+	"compress/flate"
+	"compress/gzip"
+	"compress/zlib"
+	"crypto/rand"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"path"
+	"sync"
+)
+
+type UDPWriter struct {
+	GelfWriter
+	CompressionLevel int // one of the consts from compress/flate
+	CompressionType  CompressType
+}
+
+// What compression type the writer should use when sending messages
+// to the graylog2 server
+type CompressType int
+
+const (
+	CompressGzip CompressType = iota
+	CompressZlib
+	CompressNone
+)
+
+// Used to control GELF chunking.  Should be less than (MTU - len(UDP
+// header)).
+//
+// TODO: generate dynamically using Path MTU Discovery?
+const (
+	ChunkSize        = 1420
+	chunkedHeaderLen = 12
+	chunkedDataLen   = ChunkSize - chunkedHeaderLen
+)
+
+var (
+	magicChunked = []byte{0x1e, 0x0f}
+	magicZlib    = []byte{0x78}
+	magicGzip    = []byte{0x1f, 0x8b}
+)
+
+// numChunks returns the number of GELF chunks necessary to transmit
+// the given compressed buffer.
+func numChunks(b []byte) int {
+	lenB := len(b)
+	if lenB <= ChunkSize {
+		return 1
+	}
+	return len(b)/chunkedDataLen + 1
+}
+
+// New returns a new GELF Writer.  This writer can be used to send the
+// output of the standard Go log functions to a central GELF server by
+// passing it to log.SetOutput()
+func NewUDPWriter(addr string) (*UDPWriter, error) {
+	var err error
+	w := new(UDPWriter)
+	w.CompressionLevel = flate.BestSpeed
+
+	if w.conn, err = net.Dial("udp", addr); err != nil {
+		return nil, err
+	}
+	if w.hostname, err = os.Hostname(); err != nil {
+		return nil, err
+	}
+
+	w.Facility = path.Base(os.Args[0])
+
+	return w, nil
+}
+
+// writes the gzip compressed byte array to the connection as a series
+// of GELF chunked messages.  The format is documented at
+// http://docs.graylog.org/en/2.1/pages/gelf.html as:
+//
+//     2-byte magic (0x1e 0x0f), 8 byte id, 1 byte sequence id, 1 byte
+//     total, chunk-data
+func (w *GelfWriter) writeChunked(zBytes []byte) (err error) {
+	b := make([]byte, 0, ChunkSize)
+	buf := bytes.NewBuffer(b)
+	nChunksI := numChunks(zBytes)
+	if nChunksI > 128 {
+		return fmt.Errorf("msg too large, would need %d chunks", nChunksI)
+	}
+	nChunks := uint8(nChunksI)
+	// use urandom to get a unique message id
+	msgId := make([]byte, 8)
+	n, err := io.ReadFull(rand.Reader, msgId)
+	if err != nil || n != 8 {
+		return fmt.Errorf("rand.Reader: %d/%s", n, err)
+	}
+
+	bytesLeft := len(zBytes)
+	for i := uint8(0); i < nChunks; i++ {
+		buf.Reset()
+		// manually write header.  Don't care about
+		// host/network byte order, because the spec only
+		// deals in individual bytes.
+		buf.Write(magicChunked) //magic
+		buf.Write(msgId)
+		buf.WriteByte(i)
+		buf.WriteByte(nChunks)
+		// slice out our chunk from zBytes
+		chunkLen := chunkedDataLen
+		if chunkLen > bytesLeft {
+			chunkLen = bytesLeft
+		}
+		off := int(i) * chunkedDataLen
+		chunk := zBytes[off : off+chunkLen]
+		buf.Write(chunk)
+
+		// write this chunk, and make sure the write was good
+		n, err := w.conn.Write(buf.Bytes())
+		if err != nil {
+			return fmt.Errorf("Write (chunk %d/%d): %s", i,
+				nChunks, err)
+		}
+		if n != len(buf.Bytes()) {
+			return fmt.Errorf("Write len: (chunk %d/%d) (%d/%d)",
+				i, nChunks, n, len(buf.Bytes()))
+		}
+
+		bytesLeft -= chunkLen
+	}
+
+	if bytesLeft != 0 {
+		return fmt.Errorf("error: %d bytes left after sending", bytesLeft)
+	}
+	return nil
+}
+
+// 1k bytes buffer by default
+var bufPool = sync.Pool{
+	New: func() interface{} {
+		return bytes.NewBuffer(make([]byte, 0, 1024))
+	},
+}
+
+func newBuffer() *bytes.Buffer {
+	b := bufPool.Get().(*bytes.Buffer)
+	if b != nil {
+		b.Reset()
+		return b
+	}
+	return bytes.NewBuffer(nil)
+}
+
+// WriteMessage sends the specified message to the GELF server
+// specified in the call to New().  It assumes all the fields are
+// filled out appropriately.  In general, clients will want to use
+// Write, rather than WriteMessage.
+func (w *UDPWriter) WriteMessage(m *Message) (err error) {
+	mBuf := newBuffer()
+	defer bufPool.Put(mBuf)
+	if err = m.MarshalJSONBuf(mBuf); err != nil {
+		return err
+	}
+	mBytes := mBuf.Bytes()
+
+	var (
+		zBuf   *bytes.Buffer
+		zBytes []byte
+	)
+
+	var zw io.WriteCloser
+	switch w.CompressionType {
+	case CompressGzip:
+		zBuf = newBuffer()
+		defer bufPool.Put(zBuf)
+		zw, err = gzip.NewWriterLevel(zBuf, w.CompressionLevel)
+	case CompressZlib:
+		zBuf = newBuffer()
+		defer bufPool.Put(zBuf)
+		zw, err = zlib.NewWriterLevel(zBuf, w.CompressionLevel)
+	case CompressNone:
+		zBytes = mBytes
+	default:
+		panic(fmt.Sprintf("unknown compression type %d",
+			w.CompressionType))
+	}
+	if zw != nil {
+		if err != nil {
+			return
+		}
+		if _, err = zw.Write(mBytes); err != nil {
+			zw.Close()
+			return
+		}
+		zw.Close()
+		zBytes = zBuf.Bytes()
+	}
+
+	if numChunks(zBytes) > 1 {
+		return w.writeChunked(zBytes)
+	}
+	n, err := w.conn.Write(zBytes)
+	if err != nil {
+		return
+	}
+	if n != len(zBytes) {
+		return fmt.Errorf("bad write (%d/%d)", n, len(zBytes))
+	}
+
+	return nil
+}
+
+// Write encodes the given string in a GELF message and sends it to
+// the server specified in New().
+func (w *UDPWriter) Write(p []byte) (n int, err error) {
+	// 1 for the function that called us.
+	file, line := getCallerIgnoringLogMulti(1)
+
+	m := constructMessage(p, w.hostname, w.Facility, file, line)
+
+	if err = w.WriteMessage(m); err != nil {
+		return 0, err
+	}
+
+	return len(p), nil
+}
diff --git a/engine/vendor/github.com/Graylog2/go-gelf/gelf/utils.go b/engine/vendor/github.com/Graylog2/go-gelf/gelf/utils.go
new file mode 100644
index 00000000..6f1c9f7c
--- /dev/null
+++ b/engine/vendor/github.com/Graylog2/go-gelf/gelf/utils.go
@@ -0,0 +1,41 @@
+package gelf
+
+import (
+	"runtime"
+	"strings"
+)
+
+// getCaller returns the filename and the line info of a function
+// further down in the call stack.  Passing 0 in as callDepth would
+// return info on the function calling getCallerIgnoringLog, 1 the
+// parent function, and so on.  Any suffixes passed to getCaller are
+// path fragments like "/pkg/log/log.go", and functions in the call
+// stack from that file are ignored.
+func getCaller(callDepth int, suffixesToIgnore ...string) (file string, line int) {
+	// bump by 1 to ignore the getCaller (this) stackframe
+	callDepth++
+outer:
+	for {
+		var ok bool
+		_, file, line, ok = runtime.Caller(callDepth)
+		if !ok {
+			file = "???"
+			line = 0
+			break
+		}
+
+		for _, s := range suffixesToIgnore {
+			if strings.HasSuffix(file, s) {
+				callDepth++
+				continue outer
+			}
+		}
+		break
+	}
+	return
+}
+
+func getCallerIgnoringLogMulti(callDepth int) (string, int) {
+	// the +1 is to ignore this (getCallerIgnoringLogMulti) frame
+	return getCaller(callDepth+1, "/pkg/log/log.go", "/pkg/io/multi.go")
+}
diff --git a/engine/vendor/github.com/Graylog2/go-gelf/gelf/writer.go b/engine/vendor/github.com/Graylog2/go-gelf/gelf/writer.go
new file mode 100644
index 00000000..153be2c3
--- /dev/null
+++ b/engine/vendor/github.com/Graylog2/go-gelf/gelf/writer.go
@@ -0,0 +1,34 @@
+// Copyright 2012 SocialCode. All rights reserved.
+// Use of this source code is governed by the MIT
+// license that can be found in the LICENSE file.
+
+package gelf
+
+import (
+	"net"
+)
+
+type Writer interface {
+	Close() error
+	Write([]byte) (int, error)
+	WriteMessage(*Message) error
+}
+
+// Writer implements io.Writer and is used to send both discrete
+// messages to a graylog2 server, or data from a stream-oriented
+// interface (like the functions in log).
+type GelfWriter struct {
+	addr     string
+	conn     net.Conn
+	hostname string
+	Facility string // defaults to current process name
+	proto    string
+}
+
+// Close connection and interrupt blocked Read or Write operations
+func (w *GelfWriter) Close() error {
+	if w.conn == nil {
+		return nil
+	}
+	return w.conn.Close()
+}
diff --git a/engine/vendor/github.com/Nvveen/Gotty/LICENSE b/engine/vendor/github.com/Nvveen/Gotty/LICENSE
new file mode 100644
index 00000000..0b71c973
--- /dev/null
+++ b/engine/vendor/github.com/Nvveen/Gotty/LICENSE
@@ -0,0 +1,26 @@
+Copyright (c) 2012, Neal van Veen (nealvanveen@gmail.com)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met: 
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer. 
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution. 
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+The views and conclusions contained in the software and documentation are those
+of the authors and should not be interpreted as representing official policies, 
+either expressed or implied, of the FreeBSD Project.
diff --git a/engine/vendor/github.com/Nvveen/Gotty/README b/engine/vendor/github.com/Nvveen/Gotty/README
new file mode 100644
index 00000000..a6b0d9a8
--- /dev/null
+++ b/engine/vendor/github.com/Nvveen/Gotty/README
@@ -0,0 +1,5 @@
+Gotty is a library written in Go that determines and reads termcap database
+files to produce an interface for interacting with the capabilities of a
+terminal.
+See the godoc documentation or the source code for more information about
+function usage.
diff --git a/engine/vendor/github.com/Nvveen/Gotty/attributes.go b/engine/vendor/github.com/Nvveen/Gotty/attributes.go
new file mode 100644
index 00000000..a4c005fa
--- /dev/null
+++ b/engine/vendor/github.com/Nvveen/Gotty/attributes.go
@@ -0,0 +1,514 @@
+// Copyright 2012 Neal van Veen. All rights reserved.
+// Usage of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package gotty
+
+// Boolean capabilities
+var BoolAttr = [...]string{
+	"auto_left_margin", "bw",
+	"auto_right_margin", "am",
+	"no_esc_ctlc", "xsb",
+	"ceol_standout_glitch", "xhp",
+	"eat_newline_glitch", "xenl",
+	"erase_overstrike", "eo",
+	"generic_type", "gn",
+	"hard_copy", "hc",
+	"has_meta_key", "km",
+	"has_status_line", "hs",
+	"insert_null_glitch", "in",
+	"memory_above", "da",
+	"memory_below", "db",
+	"move_insert_mode", "mir",
+	"move_standout_mode", "msgr",
+	"over_strike", "os",
+	"status_line_esc_ok", "eslok",
+	"dest_tabs_magic_smso", "xt",
+	"tilde_glitch", "hz",
+	"transparent_underline", "ul",
+	"xon_xoff", "nxon",
+	"needs_xon_xoff", "nxon",
+	"prtr_silent", "mc5i",
+	"hard_cursor", "chts",
+	"non_rev_rmcup", "nrrmc",
+	"no_pad_char", "npc",
+	"non_dest_scroll_region", "ndscr",
+	"can_change", "ccc",
+	"back_color_erase", "bce",
+	"hue_lightness_saturation", "hls",
+	"col_addr_glitch", "xhpa",
+	"cr_cancels_micro_mode", "crxm",
+	"has_print_wheel", "daisy",
+	"row_addr_glitch", "xvpa",
+	"semi_auto_right_margin", "sam",
+	"cpi_changes_res", "cpix",
+	"lpi_changes_res", "lpix",
+	"backspaces_with_bs", "",
+	"crt_no_scrolling", "",
+	"no_correctly_working_cr", "",
+	"gnu_has_meta_key", "",
+	"linefeed_is_newline", "",
+	"has_hardware_tabs", "",
+	"return_does_clr_eol", "",
+}
+
+// Numerical capabilities
+var NumAttr = [...]string{
+	"columns", "cols",
+	"init_tabs", "it",
+	"lines", "lines",
+	"lines_of_memory", "lm",
+	"magic_cookie_glitch", "xmc",
+	"padding_baud_rate", "pb",
+	"virtual_terminal", "vt",
+	"width_status_line", "wsl",
+	"num_labels", "nlab",
+	"label_height", "lh",
+	"label_width", "lw",
+	"max_attributes", "ma",
+	"maximum_windows", "wnum",
+	"max_colors", "colors",
+	"max_pairs", "pairs",
+	"no_color_video", "ncv",
+	"buffer_capacity", "bufsz",
+	"dot_vert_spacing", "spinv",
+	"dot_horz_spacing", "spinh",
+	"max_micro_address", "maddr",
+	"max_micro_jump", "mjump",
+	"micro_col_size", "mcs",
+	"micro_line_size", "mls",
+	"number_of_pins", "npins",
+	"output_res_char", "orc",
+	"output_res_line", "orl",
+	"output_res_horz_inch", "orhi",
+	"output_res_vert_inch", "orvi",
+	"print_rate", "cps",
+	"wide_char_size", "widcs",
+	"buttons", "btns",
+	"bit_image_entwining", "bitwin",
+	"bit_image_type", "bitype",
+	"magic_cookie_glitch_ul", "",
+	"carriage_return_delay", "",
+	"new_line_delay", "",
+	"backspace_delay", "",
+	"horizontal_tab_delay", "",
+	"number_of_function_keys", "",
+}
+
+// String capabilities
+var StrAttr = [...]string{
+	"back_tab", "cbt",
+	"bell", "bel",
+	"carriage_return", "cr",
+	"change_scroll_region", "csr",
+	"clear_all_tabs", "tbc",
+	"clear_screen", "clear",
+	"clr_eol", "el",
+	"clr_eos", "ed",
+	"column_address", "hpa",
+	"command_character", "cmdch",
+	"cursor_address", "cup",
+	"cursor_down", "cud1",
+	"cursor_home", "home",
+	"cursor_invisible", "civis",
+	"cursor_left", "cub1",
+	"cursor_mem_address", "mrcup",
+	"cursor_normal", "cnorm",
+	"cursor_right", "cuf1",
+	"cursor_to_ll", "ll",
+	"cursor_up", "cuu1",
+	"cursor_visible", "cvvis",
+	"delete_character", "dch1",
+	"delete_line", "dl1",
+	"dis_status_line", "dsl",
+	"down_half_line", "hd",
+	"enter_alt_charset_mode", "smacs",
+	"enter_blink_mode", "blink",
+	"enter_bold_mode", "bold",
+	"enter_ca_mode", "smcup",
+	"enter_delete_mode", "smdc",
+	"enter_dim_mode", "dim",
+	"enter_insert_mode", "smir",
+	"enter_secure_mode", "invis",
+	"enter_protected_mode", "prot",
+	"enter_reverse_mode", "rev",
+	"enter_standout_mode", "smso",
+	"enter_underline_mode", "smul",
+	"erase_chars", "ech",
+	"exit_alt_charset_mode", "rmacs",
+	"exit_attribute_mode", "sgr0",
+	"exit_ca_mode", "rmcup",
+	"exit_delete_mode", "rmdc",
+	"exit_insert_mode", "rmir",
+	"exit_standout_mode", "rmso",
+	"exit_underline_mode", "rmul",
+	"flash_screen", "flash",
+	"form_feed", "ff",
+	"from_status_line", "fsl",
+	"init_1string", "is1",
+	"init_2string", "is2",
+	"init_3string", "is3",
+	"init_file", "if",
+	"insert_character", "ich1",
+	"insert_line", "il1",
+	"insert_padding", "ip",
+	"key_backspace", "kbs",
+	"key_catab", "ktbc",
+	"key_clear", "kclr",
+	"key_ctab", "kctab",
+	"key_dc", "kdch1",
+	"key_dl", "kdl1",
+	"key_down", "kcud1",
+	"key_eic", "krmir",
+	"key_eol", "kel",
+	"key_eos", "ked",
+	"key_f0", "kf0",
+	"key_f1", "kf1",
+	"key_f10", "kf10",
+	"key_f2", "kf2",
+	"key_f3", "kf3",
+	"key_f4", "kf4",
+	"key_f5", "kf5",
+	"key_f6", "kf6",
+	"key_f7", "kf7",
+	"key_f8", "kf8",
+	"key_f9", "kf9",
+	"key_home", "khome",
+	"key_ic", "kich1",
+	"key_il", "kil1",
+	"key_left", "kcub1",
+	"key_ll", "kll",
+	"key_npage", "knp",
+	"key_ppage", "kpp",
+	"key_right", "kcuf1",
+	"key_sf", "kind",
+	"key_sr", "kri",
+	"key_stab", "khts",
+	"key_up", "kcuu1",
+	"keypad_local", "rmkx",
+	"keypad_xmit", "smkx",
+	"lab_f0", "lf0",
+	"lab_f1", "lf1",
+	"lab_f10", "lf10",
+	"lab_f2", "lf2",
+	"lab_f3", "lf3",
+	"lab_f4", "lf4",
+	"lab_f5", "lf5",
+	"lab_f6", "lf6",
+	"lab_f7", "lf7",
+	"lab_f8", "lf8",
+	"lab_f9", "lf9",
+	"meta_off", "rmm",
+	"meta_on", "smm",
+	"newline", "_glitch",
+	"pad_char", "npc",
+	"parm_dch", "dch",
+	"parm_delete_line", "dl",
+	"parm_down_cursor", "cud",
+	"parm_ich", "ich",
+	"parm_index", "indn",
+	"parm_insert_line", "il",
+	"parm_left_cursor", "cub",
+	"parm_right_cursor", "cuf",
+	"parm_rindex", "rin",
+	"parm_up_cursor", "cuu",
+	"pkey_key", "pfkey",
+	"pkey_local", "pfloc",
+	"pkey_xmit", "pfx",
+	"print_screen", "mc0",
+	"prtr_off", "mc4",
+	"prtr_on", "mc5",
+	"repeat_char", "rep",
+	"reset_1string", "rs1",
+	"reset_2string", "rs2",
+	"reset_3string", "rs3",
+	"reset_file", "rf",
+	"restore_cursor", "rc",
+	"row_address", "mvpa",
+	"save_cursor", "row_address",
+	"scroll_forward", "ind",
+	"scroll_reverse", "ri",
+	"set_attributes", "sgr",
+	"set_tab", "hts",
+	"set_window", "wind",
+	"tab", "s_magic_smso",
+	"to_status_line", "tsl",
+	"underline_char", "uc",
+	"up_half_line", "hu",
+	"init_prog", "iprog",
+	"key_a1", "ka1",
+	"key_a3", "ka3",
+	"key_b2", "kb2",
+	"key_c1", "kc1",
+	"key_c3", "kc3",
+	"prtr_non", "mc5p",
+	"char_padding", "rmp",
+	"acs_chars", "acsc",
+	"plab_norm", "pln",
+	"key_btab", "kcbt",
+	"enter_xon_mode", "smxon",
+	"exit_xon_mode", "rmxon",
+	"enter_am_mode", "smam",
+	"exit_am_mode", "rmam",
+	"xon_character", "xonc",
+	"xoff_character", "xoffc",
+	"ena_acs", "enacs",
+	"label_on", "smln",
+	"label_off", "rmln",
+	"key_beg", "kbeg",
+	"key_cancel", "kcan",
+	"key_close", "kclo",
+	"key_command", "kcmd",
+	"key_copy", "kcpy",
+	"key_create", "kcrt",
+	"key_end", "kend",
+	"key_enter", "kent",
+	"key_exit", "kext",
+	"key_find", "kfnd",
+	"key_help", "khlp",
+	"key_mark", "kmrk",
+	"key_message", "kmsg",
+	"key_move", "kmov",
+	"key_next", "knxt",
+	"key_open", "kopn",
+	"key_options", "kopt",
+	"key_previous", "kprv",
+	"key_print", "kprt",
+	"key_redo", "krdo",
+	"key_reference", "kref",
+	"key_refresh", "krfr",
+	"key_replace", "krpl",
+	"key_restart", "krst",
+	"key_resume", "kres",
+	"key_save", "ksav",
+	"key_suspend", "kspd",
+	"key_undo", "kund",
+	"key_sbeg", "kBEG",
+	"key_scancel", "kCAN",
+	"key_scommand", "kCMD",
+	"key_scopy", "kCPY",
+	"key_screate", "kCRT",
+	"key_sdc", "kDC",
+	"key_sdl", "kDL",
+	"key_select", "kslt",
+	"key_send", "kEND",
+	"key_seol", "kEOL",
+	"key_sexit", "kEXT",
+	"key_sfind", "kFND",
+	"key_shelp", "kHLP",
+	"key_shome", "kHOM",
+	"key_sic", "kIC",
+	"key_sleft", "kLFT",
+	"key_smessage", "kMSG",
+	"key_smove", "kMOV",
+	"key_snext", "kNXT",
+	"key_soptions", "kOPT",
+	"key_sprevious", "kPRV",
+	"key_sprint", "kPRT",
+	"key_sredo", "kRDO",
+	"key_sreplace", "kRPL",
+	"key_sright", "kRIT",
+	"key_srsume", "kRES",
+	"key_ssave", "kSAV",
+	"key_ssuspend", "kSPD",
+	"key_sundo", "kUND",
+	"req_for_input", "rfi",
+	"key_f11", "kf11",
+	"key_f12", "kf12",
+	"key_f13", "kf13",
+	"key_f14", "kf14",
+	"key_f15", "kf15",
+	"key_f16", "kf16",
+	"key_f17", "kf17",
+	"key_f18", "kf18",
+	"key_f19", "kf19",
+	"key_f20", "kf20",
+	"key_f21", "kf21",
+	"key_f22", "kf22",
+	"key_f23", "kf23",
+	"key_f24", "kf24",
+	"key_f25", "kf25",
+	"key_f26", "kf26",
+	"key_f27", "kf27",
+	"key_f28", "kf28",
+	"key_f29", "kf29",
+	"key_f30", "kf30",
+	"key_f31", "kf31",
+	"key_f32", "kf32",
+	"key_f33", "kf33",
+	"key_f34", "kf34",
+	"key_f35", "kf35",
+	"key_f36", "kf36",
+	"key_f37", "kf37",
+	"key_f38", "kf38",
+	"key_f39", "kf39",
+	"key_f40", "kf40",
+	"key_f41", "kf41",
+	"key_f42", "kf42",
+	"key_f43", "kf43",
+	"key_f44", "kf44",
+	"key_f45", "kf45",
+	"key_f46", "kf46",
+	"key_f47", "kf47",
+	"key_f48", "kf48",
+	"key_f49", "kf49",
+	"key_f50", "kf50",
+	"key_f51", "kf51",
+	"key_f52", "kf52",
+	"key_f53", "kf53",
+	"key_f54", "kf54",
+	"key_f55", "kf55",
+	"key_f56", "kf56",
+	"key_f57", "kf57",
+	"key_f58", "kf58",
+	"key_f59", "kf59",
+	"key_f60", "kf60",
+	"key_f61", "kf61",
+	"key_f62", "kf62",
+	"key_f63", "kf63",
+	"clr_bol", "el1",
+	"clear_margins", "mgc",
+	"set_left_margin", "smgl",
+	"set_right_margin", "smgr",
+	"label_format", "fln",
+	"set_clock", "sclk",
+	"display_clock", "dclk",
+	"remove_clock", "rmclk",
+	"create_window", "cwin",
+	"goto_window", "wingo",
+	"hangup", "hup",
+	"dial_phone", "dial",
+	"quick_dial", "qdial",
+	"tone", "tone",
+	"pulse", "pulse",
+	"flash_hook", "hook",
+	"fixed_pause", "pause",
+	"wait_tone", "wait",
+	"user0", "u0",
+	"user1", "u1",
+	"user2", "u2",
+	"user3", "u3",
+	"user4", "u4",
+	"user5", "u5",
+	"user6", "u6",
+	"user7", "u7",
+	"user8", "u8",
+	"user9", "u9",
+	"orig_pair", "op",
+	"orig_colors", "oc",
+	"initialize_color", "initc",
+	"initialize_pair", "initp",
+	"set_color_pair", "scp",
+	"set_foreground", "setf",
+	"set_background", "setb",
+	"change_char_pitch", "cpi",
+	"change_line_pitch", "lpi",
+	"change_res_horz", "chr",
+	"change_res_vert", "cvr",
+	"define_char", "defc",
+	"enter_doublewide_mode", "swidm",
+	"enter_draft_quality", "sdrfq",
+	"enter_italics_mode", "sitm",
+	"enter_leftward_mode", "slm",
+	"enter_micro_mode", "smicm",
+	"enter_near_letter_quality", "snlq",
+	"enter_normal_quality", "snrmq",
+	"enter_shadow_mode", "sshm",
+	"enter_subscript_mode", "ssubm",
+	"enter_superscript_mode", "ssupm",
+	"enter_upward_mode", "sum",
+	"exit_doublewide_mode", "rwidm",
+	"exit_italics_mode", "ritm",
+	"exit_leftward_mode", "rlm",
+	"exit_micro_mode", "rmicm",
+	"exit_shadow_mode", "rshm",
+	"exit_subscript_mode", "rsubm",
+	"exit_superscript_mode", "rsupm",
+	"exit_upward_mode", "rum",
+	"micro_column_address", "mhpa",
+	"micro_down", "mcud1",
+	"micro_left", "mcub1",
+	"micro_right", "mcuf1",
+	"micro_row_address", "mvpa",
+	"micro_up", "mcuu1",
+	"order_of_pins", "porder",
+	"parm_down_micro", "mcud",
+	"parm_left_micro", "mcub",
+	"parm_right_micro", "mcuf",
+	"parm_up_micro", "mcuu",
+	"select_char_set", "scs",
+	"set_bottom_margin", "smgb",
+	"set_bottom_margin_parm", "smgbp",
+	"set_left_margin_parm", "smglp",
+	"set_right_margin_parm", "smgrp",
+	"set_top_margin", "smgt",
+	"set_top_margin_parm", "smgtp",
+	"start_bit_image", "sbim",
+	"start_char_set_def", "scsd",
+	"stop_bit_image", "rbim",
+	"stop_char_set_def", "rcsd",
+	"subscript_characters", "subcs",
+	"superscript_characters", "supcs",
+	"these_cause_cr", "docr",
+	"zero_motion", "zerom",
+	"char_set_names", "csnm",
+	"key_mouse", "kmous",
+	"mouse_info", "minfo",
+	"req_mouse_pos", "reqmp",
+	"get_mouse", "getm",
+	"set_a_foreground", "setaf",
+	"set_a_background", "setab",
+	"pkey_plab", "pfxl",
+	"device_type", "devt",
+	"code_set_init", "csin",
+	"set0_des_seq", "s0ds",
+	"set1_des_seq", "s1ds",
+	"set2_des_seq", "s2ds",
+	"set3_des_seq", "s3ds",
+	"set_lr_margin", "smglr",
+	"set_tb_margin", "smgtb",
+	"bit_image_repeat", "birep",
+	"bit_image_newline", "binel",
+	"bit_image_carriage_return", "bicr",
+	"color_names", "colornm",
+	"define_bit_image_region", "defbi",
+	"end_bit_image_region", "endbi",
+	"set_color_band", "setcolor",
+	"set_page_length", "slines",
+	"display_pc_char", "dispc",
+	"enter_pc_charset_mode", "smpch",
+	"exit_pc_charset_mode", "rmpch",
+	"enter_scancode_mode", "smsc",
+	"exit_scancode_mode", "rmsc",
+	"pc_term_options", "pctrm",
+	"scancode_escape", "scesc",
+	"alt_scancode_esc", "scesa",
+	"enter_horizontal_hl_mode", "ehhlm",
+	"enter_left_hl_mode", "elhlm",
+	"enter_low_hl_mode", "elohlm",
+	"enter_right_hl_mode", "erhlm",
+	"enter_top_hl_mode", "ethlm",
+	"enter_vertical_hl_mode", "evhlm",
+	"set_a_attributes", "sgr1",
+	"set_pglen_inch", "slength",
+	"termcap_init2", "",
+	"termcap_reset", "",
+	"linefeed_if_not_lf", "",
+	"backspace_if_not_bs", "",
+	"other_non_function_keys", "",
+	"arrow_key_map", "",
+	"acs_ulcorner", "",
+	"acs_llcorner", "",
+	"acs_urcorner", "",
+	"acs_lrcorner", "",
+	"acs_ltee", "",
+	"acs_rtee", "",
+	"acs_btee", "",
+	"acs_ttee", "",
+	"acs_hline", "",
+	"acs_vline", "",
+	"acs_plus", "",
+	"memory_lock", "",
+	"memory_unlock", "",
+	"box_chars_1", "",
+}
diff --git a/engine/vendor/github.com/Nvveen/Gotty/gotty.go b/engine/vendor/github.com/Nvveen/Gotty/gotty.go
new file mode 100644
index 00000000..c329778a
--- /dev/null
+++ b/engine/vendor/github.com/Nvveen/Gotty/gotty.go
@@ -0,0 +1,244 @@
+// Copyright 2012 Neal van Veen. All rights reserved.
+// Usage of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Gotty is a Go-package for reading and parsing the terminfo database
+package gotty
+
+// TODO add more concurrency to name lookup, look for more opportunities.
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"os"
+	"path"
+	"reflect"
+	"strings"
+	"sync"
+)
+
+// Open a terminfo file by the name given and construct a TermInfo object.
+// If something went wrong reading the terminfo database file, an error is
+// returned.
+func OpenTermInfo(termName string) (*TermInfo, error) {
+	if len(termName) == 0 {
+		return nil, errors.New("No termname given")
+	}
+	// Find the environment variables
+	if termloc := os.Getenv("TERMINFO"); len(termloc) > 0 {
+		return readTermInfo(path.Join(termloc, string(termName[0]), termName))
+	} else {
+		// Search like ncurses
+		locations := []string{}
+		if h := os.Getenv("HOME"); len(h) > 0 {
+			locations = append(locations, path.Join(h, ".terminfo"))
+		}
+		locations = append(locations,
+			"/etc/terminfo/",
+			"/lib/terminfo/",
+			"/usr/share/terminfo/")
+		for _, str := range locations {
+			term, err := readTermInfo(path.Join(str, string(termName[0]), termName))
+			if err == nil {
+				return term, nil
+			}
+		}
+		return nil, errors.New("No terminfo file(-location) found")
+	}
+}
+
+// Open a terminfo file from the environment variable containing the current
+// terminal name and construct a TermInfo object. If something went wrong
+// reading the terminfo database file, an error is returned.
+func OpenTermInfoEnv() (*TermInfo, error) {
+	termenv := os.Getenv("TERM")
+	return OpenTermInfo(termenv)
+}
+
+// Return an attribute by the name attr provided. If none can be found,
+// an error is returned.
+func (term *TermInfo) GetAttribute(attr string) (stacker, error) {
+	// Channel to store the main value in.
+	var value stacker
+	// Add a blocking WaitGroup
+	var block sync.WaitGroup
+	// Keep track of variable being written.
+	written := false
+	// Function to put into goroutine.
+	f := func(ats interface{}) {
+		var ok bool
+		var v stacker
+		// Switch on type of map to use and assign value to it.
+		switch reflect.TypeOf(ats).Elem().Kind() {
+		case reflect.Bool:
+			v, ok = ats.(map[string]bool)[attr]
+		case reflect.Int16:
+			v, ok = ats.(map[string]int16)[attr]
+		case reflect.String:
+			v, ok = ats.(map[string]string)[attr]
+		}
+		// If ok, a value is found, so we can write.
+		if ok {
+			value = v
+			written = true
+		}
+		// Goroutine is done
+		block.Done()
+	}
+	block.Add(3)
+	// Go for all 3 attribute lists.
+	go f(term.boolAttributes)
+	go f(term.numAttributes)
+	go f(term.strAttributes)
+	// Wait until every goroutine is done.
+	block.Wait()
+	// If a value has been written, return it.
+	if written {
+		return value, nil
+	}
+	// Otherwise, error.
+	return nil, fmt.Errorf("Erorr finding attribute")
+}
+
+// Return an attribute by the name attr provided. If none can be found,
+// an error is returned. A name is first converted to its termcap value.
+func (term *TermInfo) GetAttributeName(name string) (stacker, error) {
+	tc := GetTermcapName(name)
+	return term.GetAttribute(tc)
+}
+
+// A utility function that finds and returns the termcap equivalent of a
+// variable name.
+func GetTermcapName(name string) string {
+	// Termcap name
+	var tc string
+	// Blocking group
+	var wait sync.WaitGroup
+	// Function to put into a goroutine
+	f := func(attrs []string) {
+		// Find the string corresponding to the name
+		for i, s := range attrs {
+			if s == name {
+				tc = attrs[i+1]
+			}
+		}
+		// Goroutine is finished
+		wait.Done()
+	}
+	wait.Add(3)
+	// Go for all 3 attribute lists
+	go f(BoolAttr[:])
+	go f(NumAttr[:])
+	go f(StrAttr[:])
+	// Wait until every goroutine is done
+	wait.Wait()
+	// Return the termcap name
+	return tc
+}
+
+// This function takes a path to a terminfo file and reads it in binary
+// form to construct the actual TermInfo file.
+func readTermInfo(path string) (*TermInfo, error) {
+	// Open the terminfo file
+	file, err := os.Open(path)
+	defer file.Close()
+	if err != nil {
+		return nil, err
+	}
+
+	// magic, nameSize, boolSize, nrSNum, nrOffsetsStr, strSize
+	// Header is composed of the magic 0432 octal number, size of the name
+	// section, size of the boolean section, the amount of number values,
+	// the number of offsets of strings, and the size of the string section.
+	var header [6]int16
+	// Byte array is used to read in byte values
+	var byteArray []byte
+	// Short array is used to read in short values
+	var shArray []int16
+	// TermInfo object to store values
+	var term TermInfo
+
+	// Read in the header
+	err = binary.Read(file, binary.LittleEndian, &header)
+	if err != nil {
+		return nil, err
+	}
+	// If magic number isn't there or isn't correct, we have the wrong filetype
+	if header[0] != 0432 {
+		return nil, errors.New(fmt.Sprintf("Wrong filetype"))
+	}
+
+	// Read in the names
+	byteArray = make([]byte, header[1])
+	err = binary.Read(file, binary.LittleEndian, &byteArray)
+	if err != nil {
+		return nil, err
+	}
+	term.Names = strings.Split(string(byteArray), "|")
+
+	// Read in the booleans
+	byteArray = make([]byte, header[2])
+	err = binary.Read(file, binary.LittleEndian, &byteArray)
+	if err != nil {
+		return nil, err
+	}
+	term.boolAttributes = make(map[string]bool)
+	for i, b := range byteArray {
+		if b == 1 {
+			term.boolAttributes[BoolAttr[i*2+1]] = true
+		}
+	}
+	// If the number of bytes read is not even, a byte for alignment is added
+	// We know the header is an even number of bytes so only need to check the
+	// total of the names and booleans.
+	if (header[1]+header[2])%2 != 0 {
+		err = binary.Read(file, binary.LittleEndian, make([]byte, 1))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Read in shorts
+	shArray = make([]int16, header[3])
+	err = binary.Read(file, binary.LittleEndian, &shArray)
+	if err != nil {
+		return nil, err
+	}
+	term.numAttributes = make(map[string]int16)
+	for i, n := range shArray {
+		if n != 0377 && n > -1 {
+			term.numAttributes[NumAttr[i*2+1]] = n
+		}
+	}
+
+	// Read the offsets into the short array
+	shArray = make([]int16, header[4])
+	err = binary.Read(file, binary.LittleEndian, &shArray)
+	if err != nil {
+		return nil, err
+	}
+	// Read the actual strings in the byte array
+	byteArray = make([]byte, header[5])
+	err = binary.Read(file, binary.LittleEndian, &byteArray)
+	if err != nil {
+		return nil, err
+	}
+	term.strAttributes = make(map[string]string)
+	// We get an offset, and then iterate until the string is null-terminated
+	for i, offset := range shArray {
+		if offset > -1 {
+			if int(offset) >= len(byteArray) {
+				return nil, errors.New("array out of bounds reading string section")
+			}
+			r := bytes.IndexByte(byteArray[offset:], 0)
+			if r == -1 {
+				return nil, errors.New("missing nul byte reading string section")
+			}
+			r += int(offset)
+			term.strAttributes[StrAttr[i*2+1]] = string(byteArray[offset:r])
+		}
+	}
+	return &term, nil
+}
diff --git a/engine/vendor/github.com/Nvveen/Gotty/parser.go b/engine/vendor/github.com/Nvveen/Gotty/parser.go
new file mode 100644
index 00000000..a9d5d23c
--- /dev/null
+++ b/engine/vendor/github.com/Nvveen/Gotty/parser.go
@@ -0,0 +1,362 @@
+// Copyright 2012 Neal van Veen. All rights reserved.
+// Usage of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package gotty
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+)
+
+var exp = [...]string{
+	"%%",
+	"%c",
+	"%s",
+	"%p(\\d)",
+	"%P([A-z])",
+	"%g([A-z])",
+	"%'(.)'",
+	"%{([0-9]+)}",
+	"%l",
+	"%\\+|%-|%\\*|%/|%m",
+	"%&|%\\||%\\^",
+	"%=|%>|%<",
+	"%A|%O",
+	"%!|%~",
+	"%i",
+	"%(:[\\ #\\-\\+]{0,4})?(\\d+\\.\\d+|\\d+)?[doxXs]",
+	"%\\?(.*?);",
+}
+
+var regex *regexp.Regexp
+var staticVar map[byte]stacker
+
+// Parses the attribute that is received with name attr and parameters params.
+func (term *TermInfo) Parse(attr string, params ...interface{}) (string, error) {
+	// Get the attribute name first.
+	iface, err := term.GetAttribute(attr)
+	str, ok := iface.(string)
+	if err != nil {
+		return "", err
+	}
+	if !ok {
+		return str, errors.New("Only string capabilities can be parsed.")
+	}
+	// Construct the hidden parser struct so we can use a recursive stack based
+	// parser.
+	ps := &parser{}
+	// Dynamic variables only exist in this context.
+	ps.dynamicVar = make(map[byte]stacker, 26)
+	ps.parameters = make([]stacker, len(params))
+	// Convert the parameters to insert them into the parser struct.
+	for i, x := range params {
+		ps.parameters[i] = x
+	}
+	// Recursively walk and return.
+	result, err := ps.walk(str)
+	return result, err
+}
+
+// Parses the attribute that is received with name attr and parameters params.
+// Only works on full name of a capability that is given, which it uses to
+// search for the termcap name.
+func (term *TermInfo) ParseName(attr string, params ...interface{}) (string, error) {
+	tc := GetTermcapName(attr)
+	return term.Parse(tc, params)
+}
+
+// Identify each token in a stack based manner and do the actual parsing.
+func (ps *parser) walk(attr string) (string, error) {
+	// We use a buffer to get the modified string.
+	var buf bytes.Buffer
+	// Next, find and identify all tokens by their indices and strings.
+	tokens := regex.FindAllStringSubmatch(attr, -1)
+	if len(tokens) == 0 {
+		return attr, nil
+	}
+	indices := regex.FindAllStringIndex(attr, -1)
+	q := 0 // q counts the matches of one token
+	// Iterate through the string per character.
+	for i := 0; i < len(attr); i++ {
+		// If the current position is an identified token, execute the following
+		// steps.
+		if q < len(indices) && i >= indices[q][0] && i < indices[q][1] {
+			// Switch on token.
+			switch {
+			case tokens[q][0][:2] == "%%":
+				// Literal percentage character.
+				buf.WriteByte('%')
+			case tokens[q][0][:2] == "%c":
+				// Pop a character.
+				c, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				buf.WriteByte(c.(byte))
+			case tokens[q][0][:2] == "%s":
+				// Pop a string.
+				str, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				if _, ok := str.(string); !ok {
+					return buf.String(), errors.New("Stack head is not a string")
+				}
+				buf.WriteString(str.(string))
+			case tokens[q][0][:2] == "%p":
+				// Push a parameter on the stack.
+				index, err := strconv.ParseInt(tokens[q][1], 10, 8)
+				index--
+				if err != nil {
+					return buf.String(), err
+				}
+				if int(index) >= len(ps.parameters) {
+					return buf.String(), errors.New("Parameters index out of bound")
+				}
+				ps.st.push(ps.parameters[index])
+			case tokens[q][0][:2] == "%P":
+				// Pop a variable from the stack as a dynamic or static variable.
+				val, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				index := tokens[q][2]
+				if len(index) > 1 {
+					errorStr := fmt.Sprintf("%s is not a valid dynamic variables index",
+						index)
+					return buf.String(), errors.New(errorStr)
+				}
+				// Specify either dynamic or static.
+				if index[0] >= 'a' && index[0] <= 'z' {
+					ps.dynamicVar[index[0]] = val
+				} else if index[0] >= 'A' && index[0] <= 'Z' {
+					staticVar[index[0]] = val
+				}
+			case tokens[q][0][:2] == "%g":
+				// Push a variable from the stack as a dynamic or static variable.
+				index := tokens[q][3]
+				if len(index) > 1 {
+					errorStr := fmt.Sprintf("%s is not a valid static variables index",
+						index)
+					return buf.String(), errors.New(errorStr)
+				}
+				var val stacker
+				if index[0] >= 'a' && index[0] <= 'z' {
+					val = ps.dynamicVar[index[0]]
+				} else if index[0] >= 'A' && index[0] <= 'Z' {
+					val = staticVar[index[0]]
+				}
+				ps.st.push(val)
+			case tokens[q][0][:2] == "%'":
+				// Push a character constant.
+				con := tokens[q][4]
+				if len(con) > 1 {
+					errorStr := fmt.Sprintf("%s is not a valid character constant", con)
+					return buf.String(), errors.New(errorStr)
+				}
+				ps.st.push(con[0])
+			case tokens[q][0][:2] == "%{":
+				// Push an integer constant.
+				con, err := strconv.ParseInt(tokens[q][5], 10, 32)
+				if err != nil {
+					return buf.String(), err
+				}
+				ps.st.push(con)
+			case tokens[q][0][:2] == "%l":
+				// Push the length of the string that is popped from the stack.
+				popStr, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				if _, ok := popStr.(string); !ok {
+					errStr := fmt.Sprintf("Stack head is not a string")
+					return buf.String(), errors.New(errStr)
+				}
+				ps.st.push(len(popStr.(string)))
+			case tokens[q][0][:2] == "%?":
+				// If-then-else construct. First, the whole string is identified and
+				// then inside this substring, we can specify which parts to switch on.
+				ifReg, _ := regexp.Compile("%\\?(.*)%t(.*)%e(.*);|%\\?(.*)%t(.*);")
+				ifTokens := ifReg.FindStringSubmatch(tokens[q][0])
+				var (
+					ifStr string
+					err   error
+				)
+				// Parse the if-part to determine if-else.
+				if len(ifTokens[1]) > 0 {
+					ifStr, err = ps.walk(ifTokens[1])
+				} else { // else
+					ifStr, err = ps.walk(ifTokens[4])
+				}
+				// Return any errors
+				if err != nil {
+					return buf.String(), err
+				} else if len(ifStr) > 0 {
+					// Self-defined limitation, not sure if this is correct, but didn't
+					// seem like it.
+					return buf.String(), errors.New("If-clause cannot print statements")
+				}
+				var thenStr string
+				// Pop the first value that is set by parsing the if-clause.
+				choose, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				// Switch to if or else.
+				if choose.(int) == 0 && len(ifTokens[1]) > 0 {
+					thenStr, err = ps.walk(ifTokens[3])
+				} else if choose.(int) != 0 {
+					if len(ifTokens[1]) > 0 {
+						thenStr, err = ps.walk(ifTokens[2])
+					} else {
+						thenStr, err = ps.walk(ifTokens[5])
+					}
+				}
+				if err != nil {
+					return buf.String(), err
+				}
+				buf.WriteString(thenStr)
+			case tokens[q][0][len(tokens[q][0])-1] == 'd': // Fallthrough for printing
+				fallthrough
+			case tokens[q][0][len(tokens[q][0])-1] == 'o': // digits.
+				fallthrough
+			case tokens[q][0][len(tokens[q][0])-1] == 'x':
+				fallthrough
+			case tokens[q][0][len(tokens[q][0])-1] == 'X':
+				fallthrough
+			case tokens[q][0][len(tokens[q][0])-1] == 's':
+				token := tokens[q][0]
+				// Remove the : that comes before a flag.
+				if token[1] == ':' {
+					token = token[:1] + token[2:]
+				}
+				digit, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				// The rest is determined like the normal formatted prints.
+				digitStr := fmt.Sprintf(token, digit.(int))
+				buf.WriteString(digitStr)
+			case tokens[q][0][:2] == "%i":
+				// Increment the parameters by one.
+				if len(ps.parameters) < 2 {
+					return buf.String(), errors.New("Not enough parameters to increment.")
+				}
+				val1, val2 := ps.parameters[0].(int), ps.parameters[1].(int)
+				val1++
+				val2++
+				ps.parameters[0], ps.parameters[1] = val1, val2
+			default:
+				// The rest of the tokens is a special case, where two values are
+				// popped and then operated on by the token that comes after them.
+				op1, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				op2, err := ps.st.pop()
+				if err != nil {
+					return buf.String(), err
+				}
+				var result stacker
+				switch tokens[q][0][:2] {
+				case "%+":
+					// Addition
+					result = op2.(int) + op1.(int)
+				case "%-":
+					// Subtraction
+					result = op2.(int) - op1.(int)
+				case "%*":
+					// Multiplication
+					result = op2.(int) * op1.(int)
+				case "%/":
+					// Division
+					result = op2.(int) / op1.(int)
+				case "%m":
+					// Modulo
+					result = op2.(int) % op1.(int)
+				case "%&":
+					// Bitwise AND
+					result = op2.(int) & op1.(int)
+				case "%|":
+					// Bitwise OR
+					result = op2.(int) | op1.(int)
+				case "%^":
+					// Bitwise XOR
+					result = op2.(int) ^ op1.(int)
+				case "%=":
+					// Equals
+					result = op2 == op1
+				case "%>":
+					// Greater-than
+					result = op2.(int) > op1.(int)
+				case "%<":
+					// Lesser-than
+					result = op2.(int) < op1.(int)
+				case "%A":
+					// Logical AND
+					result = op2.(bool) && op1.(bool)
+				case "%O":
+					// Logical OR
+					result = op2.(bool) || op1.(bool)
+				case "%!":
+					// Logical complement
+					result = !op1.(bool)
+				case "%~":
+					// Bitwise complement
+					result = ^(op1.(int))
+				}
+				ps.st.push(result)
+			}
+
+			i = indices[q][1] - 1
+			q++
+		} else {
+			// We are not "inside" a token, so just skip until the end or the next
+			// token, and add all characters to the buffer.
+			j := i
+			if q != len(indices) {
+				for !(j >= indices[q][0] && j < indices[q][1]) {
+					j++
+				}
+			} else {
+				j = len(attr)
+			}
+			buf.WriteString(string(attr[i:j]))
+			i = j
+		}
+	}
+	// Return the buffer as a string.
+	return buf.String(), nil
+}
+
+// Push a stacker-value onto the stack.
+func (st *stack) push(s stacker) {
+	*st = append(*st, s)
+}
+
+// Pop a stacker-value from the stack.
+func (st *stack) pop() (stacker, error) {
+	if len(*st) == 0 {
+		return nil, errors.New("Stack is empty.")
+	}
+	newStack := make(stack, len(*st)-1)
+	val := (*st)[len(*st)-1]
+	copy(newStack, (*st)[:len(*st)-1])
+	*st = newStack
+	return val, nil
+}
+
+// Initialize regexes and the static vars (that don't get changed between
+// calls.
+func init() {
+	// Initialize the main regex.
+	expStr := strings.Join(exp[:], "|")
+	regex, _ = regexp.Compile(expStr)
+	// Initialize the static variables.
+	staticVar = make(map[byte]stacker, 26)
+}
diff --git a/engine/vendor/github.com/Nvveen/Gotty/types.go b/engine/vendor/github.com/Nvveen/Gotty/types.go
new file mode 100644
index 00000000..9bcc65e9
--- /dev/null
+++ b/engine/vendor/github.com/Nvveen/Gotty/types.go
@@ -0,0 +1,23 @@
+// Copyright 2012 Neal van Veen. All rights reserved.
+// Usage of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package gotty
+
+type TermInfo struct {
+	boolAttributes map[string]bool
+	numAttributes  map[string]int16
+	strAttributes  map[string]string
+	// The various names of the TermInfo file.
+	Names []string
+}
+
+type stacker interface {
+}
+type stack []stacker
+
+type parser struct {
+	st         stack
+	parameters []stacker
+	dynamicVar map[byte]stacker
+}
diff --git a/engine/vendor/github.com/containerd/continuity/LICENSE b/engine/vendor/github.com/containerd/continuity/LICENSE
new file mode 100644
index 00000000..8f71f43f
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/LICENSE
@@ -0,0 +1,202 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
diff --git a/engine/vendor/github.com/containerd/continuity/README.md b/engine/vendor/github.com/containerd/continuity/README.md
new file mode 100644
index 00000000..0e91ce07
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/README.md
@@ -0,0 +1,74 @@
+# continuity
+
+[![GoDoc](https://godoc.org/github.com/containerd/continuity?status.svg)](https://godoc.org/github.com/containerd/continuity)
+[![Build Status](https://travis-ci.org/containerd/continuity.svg?branch=master)](https://travis-ci.org/containerd/continuity)
+
+A transport-agnostic, filesystem metadata manifest system
+
+This project is a staging area for experiments in providing transport agnostic
+metadata storage.
+
+Please see https://github.com/opencontainers/specs/issues/11 for more details.
+
+## Manifest Format
+
+A continuity manifest encodes filesystem metadata in Protocol Buffers.
+Please refer to [proto/manifest.proto](proto/manifest.proto).
+
+## Usage
+
+Build:
+
+```console
+$ make
+```
+
+Create a manifest (of this repo itself):
+
+```console
+$ ./bin/continuity build . > /tmp/a.pb
+```
+
+Dump a manifest:
+
+```console
+$ ./bin/continuity ls /tmp/a.pb
+...
+-rw-rw-r--      270 B   /.gitignore
+-rw-rw-r--      88 B    /.mailmap
+-rw-rw-r--      187 B   /.travis.yml
+-rw-rw-r--      359 B   /AUTHORS
+-rw-rw-r--      11 kB   /LICENSE
+-rw-rw-r--      1.5 kB  /Makefile
+...
+-rw-rw-r--      986 B   /testutil_test.go
+drwxrwxr-x      0 B     /version
+-rw-rw-r--      478 B   /version/version.go
+```
+
+Verify a manifest:
+
+```console
+$ ./bin/continuity verify . /tmp/a.pb
+```
+
+Break the directory and restore using the manifest:
+```console
+$ chmod 777 Makefile
+$ ./bin/continuity verify . /tmp/a.pb
+2017/06/23 08:00:34 error verifying manifest: resource "/Makefile" has incorrect mode: -rwxrwxrwx != -rw-rw-r--
+$ ./bin/continuity apply . /tmp/a.pb
+$ stat -c %a Makefile
+664
+$ ./bin/continuity verify . /tmp/a.pb
+```
+
+
+## Contribution Guide
+### Building Proto Package
+
+If you change the proto file you will need to rebuild the generated Go with `go generate`.
+
+```console
+$ go generate ./proto
+```
diff --git a/engine/vendor/github.com/containerd/continuity/devices/devices.go b/engine/vendor/github.com/containerd/continuity/devices/devices.go
new file mode 100644
index 00000000..70864070
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/devices/devices.go
@@ -0,0 +1,5 @@
+package devices
+
+import "fmt"
+
+var ErrNotSupported = fmt.Errorf("not supported")
diff --git a/engine/vendor/github.com/containerd/continuity/devices/devices_unix.go b/engine/vendor/github.com/containerd/continuity/devices/devices_unix.go
new file mode 100644
index 00000000..97fe6b19
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/devices/devices_unix.go
@@ -0,0 +1,58 @@
+// +build linux darwin freebsd solaris
+
+package devices
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+func DeviceInfo(fi os.FileInfo) (uint64, uint64, error) {
+	sys, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		return 0, 0, fmt.Errorf("cannot extract device from os.FileInfo")
+	}
+
+	dev := uint64(sys.Rdev)
+	return uint64(unix.Major(dev)), uint64(unix.Minor(dev)), nil
+}
+
+// mknod provides a shortcut for syscall.Mknod
+func Mknod(p string, mode os.FileMode, maj, min int) error {
+	var (
+		m   = syscallMode(mode.Perm())
+		dev uint64
+	)
+
+	if mode&os.ModeDevice != 0 {
+		dev = unix.Mkdev(uint32(maj), uint32(min))
+
+		if mode&os.ModeCharDevice != 0 {
+			m |= unix.S_IFCHR
+		} else {
+			m |= unix.S_IFBLK
+		}
+	} else if mode&os.ModeNamedPipe != 0 {
+		m |= unix.S_IFIFO
+	}
+
+	return unix.Mknod(p, m, int(dev))
+}
+
+// syscallMode returns the syscall-specific mode bits from Go's portable mode bits.
+func syscallMode(i os.FileMode) (o uint32) {
+	o |= uint32(i.Perm())
+	if i&os.ModeSetuid != 0 {
+		o |= unix.S_ISUID
+	}
+	if i&os.ModeSetgid != 0 {
+		o |= unix.S_ISGID
+	}
+	if i&os.ModeSticky != 0 {
+		o |= unix.S_ISVTX
+	}
+	return
+}
diff --git a/engine/vendor/github.com/containerd/continuity/devices/devices_windows.go b/engine/vendor/github.com/containerd/continuity/devices/devices_windows.go
new file mode 100644
index 00000000..6099d1d7
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/devices/devices_windows.go
@@ -0,0 +1,11 @@
+package devices
+
+import (
+	"os"
+
+	"github.com/pkg/errors"
+)
+
+func DeviceInfo(fi os.FileInfo) (uint64, uint64, error) {
+	return 0, 0, errors.Wrap(ErrNotSupported, "cannot get device info on windows")
+}
diff --git a/engine/vendor/github.com/containerd/continuity/driver/driver.go b/engine/vendor/github.com/containerd/continuity/driver/driver.go
new file mode 100644
index 00000000..6a0f76db
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/driver/driver.go
@@ -0,0 +1,158 @@
+package driver
+
+import (
+	"fmt"
+	"io"
+	"os"
+)
+
+var ErrNotSupported = fmt.Errorf("not supported")
+
+// Driver provides all of the system-level functions in a common interface.
+// The context should call these with full paths and should never use the `os`
+// package or any other package to access resources on the filesystem. This
+// mechanism let's us carefully control access to the context and maintain
+// path and resource integrity. It also gives us an interface to reason about
+// direct resource access.
+//
+// Implementations don't need to do much other than meet the interface. For
+// example, it is not required to wrap os.FileInfo to return correct paths for
+// the call to Name().
+type Driver interface {
+	// Note that Open() returns a File interface instead of *os.File. This
+	// is because os.File is a struct, so if Open was to return *os.File,
+	// the only way to fulfill the interface would be to call os.Open()
+	Open(path string) (File, error)
+	OpenFile(path string, flag int, perm os.FileMode) (File, error)
+
+	Stat(path string) (os.FileInfo, error)
+	Lstat(path string) (os.FileInfo, error)
+	Readlink(p string) (string, error)
+	Mkdir(path string, mode os.FileMode) error
+	Remove(path string) error
+
+	Link(oldname, newname string) error
+	Lchmod(path string, mode os.FileMode) error
+	Lchown(path string, uid, gid int64) error
+	Symlink(oldname, newname string) error
+
+	MkdirAll(path string, perm os.FileMode) error
+	RemoveAll(path string) error
+
+	// TODO(aaronl): These methods might move outside the main Driver
+	// interface in the future as more platforms are added.
+	Mknod(path string, mode os.FileMode, major int, minor int) error
+	Mkfifo(path string, mode os.FileMode) error
+}
+
+// File is the interface for interacting with files returned by continuity's Open
+// This is needed since os.File is a struct, instead of an interface, so it can't
+// be used.
+type File interface {
+	io.ReadWriteCloser
+	io.Seeker
+	Readdir(n int) ([]os.FileInfo, error)
+}
+
+func NewSystemDriver() (Driver, error) {
+	// TODO(stevvooe): Consider having this take a "hint" path argument, which
+	// would be the context root. The hint could be used to resolve required
+	// filesystem support when assembling the driver to use.
+	return &driver{}, nil
+}
+
+// XAttrDriver should be implemented on operation systems and filesystems that
+// have xattr support for regular files and directories.
+type XAttrDriver interface {
+	// Getxattr returns all of the extended attributes for the file at path.
+	// Typically, this takes a syscall call to Listxattr and Getxattr.
+	Getxattr(path string) (map[string][]byte, error)
+
+	// Setxattr sets all of the extended attributes on file at path, following
+	// any symbolic links, if necessary. All attributes on the target are
+	// replaced by the values from attr. If the operation fails to set any
+	// attribute, those already applied will not be rolled back.
+	Setxattr(path string, attr map[string][]byte) error
+}
+
+// LXAttrDriver should be implemented by drivers on operating systems and
+// filesystems that support setting and getting extended attributes on
+// symbolic links. If this is not implemented, extended attributes will be
+// ignored on symbolic links.
+type LXAttrDriver interface {
+	// LGetxattr returns all of the extended attributes for the file at path
+	// and does not follow symlinks. Typically, this takes a syscall call to
+	// Llistxattr and Lgetxattr.
+	LGetxattr(path string) (map[string][]byte, error)
+
+	// LSetxattr sets all of the extended attributes on file at path, without
+	// following symbolic links. All attributes on the target are replaced by
+	// the values from attr. If the operation fails to set any attribute,
+	// those already applied will not be rolled back.
+	LSetxattr(path string, attr map[string][]byte) error
+}
+
+type DeviceInfoDriver interface {
+	DeviceInfo(fi os.FileInfo) (maj uint64, min uint64, err error)
+}
+
+// driver is a simple default implementation that sends calls out to the "os"
+// package. Extend the "driver" type in system-specific files to add support,
+// such as xattrs, which can add support at compile time.
+type driver struct{}
+
+var _ File = &os.File{}
+
+// LocalDriver is the exported Driver struct for convenience.
+var LocalDriver Driver = &driver{}
+
+func (d *driver) Open(p string) (File, error) {
+	return os.Open(p)
+}
+
+func (d *driver) OpenFile(path string, flag int, perm os.FileMode) (File, error) {
+	return os.OpenFile(path, flag, perm)
+}
+
+func (d *driver) Stat(p string) (os.FileInfo, error) {
+	return os.Stat(p)
+}
+
+func (d *driver) Lstat(p string) (os.FileInfo, error) {
+	return os.Lstat(p)
+}
+
+func (d *driver) Mkdir(p string, mode os.FileMode) error {
+	return os.Mkdir(p, mode)
+}
+
+// Remove is used to unlink files and remove directories.
+// This is following the golang os package api which
+// combines the operations into a higher level Remove
+// function. If explicit unlinking or directory removal
+// to mirror system call is required, they should be
+// split up at that time.
+func (d *driver) Remove(path string) error {
+	return os.Remove(path)
+}
+
+func (d *driver) Link(oldname, newname string) error {
+	return os.Link(oldname, newname)
+}
+
+func (d *driver) Lchown(name string, uid, gid int64) error {
+	// TODO: error out if uid excesses int bit width?
+	return os.Lchown(name, int(uid), int(gid))
+}
+
+func (d *driver) Symlink(oldname, newname string) error {
+	return os.Symlink(oldname, newname)
+}
+
+func (d *driver) MkdirAll(path string, perm os.FileMode) error {
+	return os.MkdirAll(path, perm)
+}
+
+func (d *driver) RemoveAll(path string) error {
+	return os.RemoveAll(path)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/driver/driver_unix.go b/engine/vendor/github.com/containerd/continuity/driver/driver_unix.go
new file mode 100644
index 00000000..67493ade
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/driver/driver_unix.go
@@ -0,0 +1,127 @@
+// +build linux darwin freebsd solaris
+
+package driver
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+
+	"github.com/containerd/continuity/devices"
+	"github.com/containerd/continuity/sysx"
+)
+
+func (d *driver) Mknod(path string, mode os.FileMode, major, minor int) error {
+	return devices.Mknod(path, mode, major, minor)
+}
+
+func (d *driver) Mkfifo(path string, mode os.FileMode) error {
+	if mode&os.ModeNamedPipe == 0 {
+		return errors.New("mode passed to Mkfifo does not have the named pipe bit set")
+	}
+	// mknod with a mode that has ModeNamedPipe set creates a fifo, not a
+	// device.
+	return devices.Mknod(path, mode, 0, 0)
+}
+
+// Lchmod changes the mode of an file not following symlinks.
+func (d *driver) Lchmod(path string, mode os.FileMode) (err error) {
+	if !filepath.IsAbs(path) {
+		path, err = filepath.Abs(path)
+		if err != nil {
+			return
+		}
+	}
+
+	return sysx.Fchmodat(0, path, uint32(mode), sysx.AtSymlinkNofollow)
+}
+
+// Getxattr returns all of the extended attributes for the file at path p.
+func (d *driver) Getxattr(p string) (map[string][]byte, error) {
+	xattrs, err := sysx.Listxattr(p)
+	if err != nil {
+		return nil, fmt.Errorf("listing %s xattrs: %v", p, err)
+	}
+
+	sort.Strings(xattrs)
+	m := make(map[string][]byte, len(xattrs))
+
+	for _, attr := range xattrs {
+		value, err := sysx.Getxattr(p, attr)
+		if err != nil {
+			return nil, fmt.Errorf("getting %q xattr on %s: %v", attr, p, err)
+		}
+
+		// NOTE(stevvooe): This append/copy tricky relies on unique
+		// xattrs. Break this out into an alloc/copy if xattrs are no
+		// longer unique.
+		m[attr] = append(m[attr], value...)
+	}
+
+	return m, nil
+}
+
+// Setxattr sets all of the extended attributes on file at path, following
+// any symbolic links, if necessary. All attributes on the target are
+// replaced by the values from attr. If the operation fails to set any
+// attribute, those already applied will not be rolled back.
+func (d *driver) Setxattr(path string, attrMap map[string][]byte) error {
+	for attr, value := range attrMap {
+		if err := sysx.Setxattr(path, attr, value, 0); err != nil {
+			return fmt.Errorf("error setting xattr %q on %s: %v", attr, path, err)
+		}
+	}
+
+	return nil
+}
+
+// LGetxattr returns all of the extended attributes for the file at path p
+// not following symbolic links.
+func (d *driver) LGetxattr(p string) (map[string][]byte, error) {
+	xattrs, err := sysx.LListxattr(p)
+	if err != nil {
+		return nil, fmt.Errorf("listing %s xattrs: %v", p, err)
+	}
+
+	sort.Strings(xattrs)
+	m := make(map[string][]byte, len(xattrs))
+
+	for _, attr := range xattrs {
+		value, err := sysx.LGetxattr(p, attr)
+		if err != nil {
+			return nil, fmt.Errorf("getting %q xattr on %s: %v", attr, p, err)
+		}
+
+		// NOTE(stevvooe): This append/copy tricky relies on unique
+		// xattrs. Break this out into an alloc/copy if xattrs are no
+		// longer unique.
+		m[attr] = append(m[attr], value...)
+	}
+
+	return m, nil
+}
+
+// LSetxattr sets all of the extended attributes on file at path, not
+// following any symbolic links. All attributes on the target are
+// replaced by the values from attr. If the operation fails to set any
+// attribute, those already applied will not be rolled back.
+func (d *driver) LSetxattr(path string, attrMap map[string][]byte) error {
+	for attr, value := range attrMap {
+		if err := sysx.LSetxattr(path, attr, value, 0); err != nil {
+			return fmt.Errorf("error setting xattr %q on %s: %v", attr, path, err)
+		}
+	}
+
+	return nil
+}
+
+func (d *driver) DeviceInfo(fi os.FileInfo) (maj uint64, min uint64, err error) {
+	return devices.DeviceInfo(fi)
+}
+
+// Readlink was forked on Windows to fix a Golang bug, use the "os" package here
+func (d *driver) Readlink(p string) (string, error) {
+	return os.Readlink(p)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/driver/driver_windows.go b/engine/vendor/github.com/containerd/continuity/driver/driver_windows.go
new file mode 100644
index 00000000..21c9cf96
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/driver/driver_windows.go
@@ -0,0 +1,28 @@
+package driver
+
+import (
+	"os"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/pkg/errors"
+)
+
+func (d *driver) Mknod(path string, mode os.FileMode, major, minor int) error {
+	return errors.Wrap(ErrNotSupported, "cannot create device node on Windows")
+}
+
+func (d *driver) Mkfifo(path string, mode os.FileMode) error {
+	return errors.Wrap(ErrNotSupported, "cannot create fifo on Windows")
+}
+
+// Lchmod changes the mode of an file not following symlinks.
+func (d *driver) Lchmod(path string, mode os.FileMode) (err error) {
+	// TODO: Use Window's equivalent
+	return os.Chmod(path, mode)
+}
+
+// Readlink is forked in order to support Volume paths which are used
+// in container layers.
+func (d *driver) Readlink(p string) (string, error) {
+	return sysx.Readlink(p)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/driver/utils.go b/engine/vendor/github.com/containerd/continuity/driver/utils.go
new file mode 100644
index 00000000..9e0edd7b
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/driver/utils.go
@@ -0,0 +1,74 @@
+package driver
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+	"sort"
+)
+
+// ReadFile works the same as ioutil.ReadFile with the Driver abstraction
+func ReadFile(r Driver, filename string) ([]byte, error) {
+	f, err := r.Open(filename)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	data, err := ioutil.ReadAll(f)
+	if err != nil {
+		return nil, err
+	}
+
+	return data, nil
+}
+
+// WriteFile works the same as ioutil.WriteFile with the Driver abstraction
+func WriteFile(r Driver, filename string, data []byte, perm os.FileMode) error {
+	f, err := r.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	n, err := f.Write(data)
+	if err != nil {
+		return err
+	} else if n != len(data) {
+		return io.ErrShortWrite
+	}
+
+	return nil
+}
+
+// ReadDir works the same as ioutil.ReadDir with the Driver abstraction
+func ReadDir(r Driver, dirname string) ([]os.FileInfo, error) {
+	f, err := r.Open(dirname)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	dirs, err := f.Readdir(-1)
+	if err != nil {
+		return nil, err
+	}
+
+	sort.Sort(fileInfos(dirs))
+	return dirs, nil
+}
+
+// Simple implementation of the sort.Interface for os.FileInfo
+type fileInfos []os.FileInfo
+
+func (fis fileInfos) Len() int {
+	return len(fis)
+}
+
+func (fis fileInfos) Less(i, j int) bool {
+	return fis[i].Name() < fis[j].Name()
+}
+
+func (fis fileInfos) Swap(i, j int) {
+	fis[i], fis[j] = fis[j], fis[i]
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/copy.go b/engine/vendor/github.com/containerd/continuity/fs/copy.go
new file mode 100644
index 00000000..2ac474b9
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/copy.go
@@ -0,0 +1,121 @@
+package fs
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/pkg/errors"
+)
+
+var bufferPool = &sync.Pool{
+	New: func() interface{} {
+		buffer := make([]byte, 32*1024)
+		return &buffer
+	},
+}
+
+// CopyDir copies the directory from src to dst.
+// Most efficient copy of files is attempted.
+func CopyDir(dst, src string) error {
+	inodes := map[uint64]string{}
+	return copyDirectory(dst, src, inodes)
+}
+
+func copyDirectory(dst, src string, inodes map[uint64]string) error {
+	stat, err := os.Stat(src)
+	if err != nil {
+		return errors.Wrapf(err, "failed to stat %s", src)
+	}
+	if !stat.IsDir() {
+		return errors.Errorf("source is not directory")
+	}
+
+	if st, err := os.Stat(dst); err != nil {
+		if err := os.Mkdir(dst, stat.Mode()); err != nil {
+			return errors.Wrapf(err, "failed to mkdir %s", dst)
+		}
+	} else if !st.IsDir() {
+		return errors.Errorf("cannot copy to non-directory: %s", dst)
+	} else {
+		if err := os.Chmod(dst, stat.Mode()); err != nil {
+			return errors.Wrapf(err, "failed to chmod on %s", dst)
+		}
+	}
+
+	fis, err := ioutil.ReadDir(src)
+	if err != nil {
+		return errors.Wrapf(err, "failed to read %s", src)
+	}
+
+	if err := copyFileInfo(stat, dst); err != nil {
+		return errors.Wrapf(err, "failed to copy file info for %s", dst)
+	}
+
+	for _, fi := range fis {
+		source := filepath.Join(src, fi.Name())
+		target := filepath.Join(dst, fi.Name())
+
+		switch {
+		case fi.IsDir():
+			if err := copyDirectory(target, source, inodes); err != nil {
+				return err
+			}
+			continue
+		case (fi.Mode() & os.ModeType) == 0:
+			link, err := getLinkSource(target, fi, inodes)
+			if err != nil {
+				return errors.Wrap(err, "failed to get hardlink")
+			}
+			if link != "" {
+				if err := os.Link(link, target); err != nil {
+					return errors.Wrap(err, "failed to create hard link")
+				}
+			} else if err := CopyFile(target, source); err != nil {
+				return errors.Wrap(err, "failed to copy files")
+			}
+		case (fi.Mode() & os.ModeSymlink) == os.ModeSymlink:
+			link, err := os.Readlink(source)
+			if err != nil {
+				return errors.Wrapf(err, "failed to read link: %s", source)
+			}
+			if err := os.Symlink(link, target); err != nil {
+				return errors.Wrapf(err, "failed to create symlink: %s", target)
+			}
+		case (fi.Mode() & os.ModeDevice) == os.ModeDevice:
+			if err := copyDevice(target, fi); err != nil {
+				return errors.Wrapf(err, "failed to create device")
+			}
+		default:
+			// TODO: Support pipes and sockets
+			return errors.Wrapf(err, "unsupported mode %s", fi.Mode())
+		}
+		if err := copyFileInfo(fi, target); err != nil {
+			return errors.Wrap(err, "failed to copy file info")
+		}
+
+		if err := copyXAttrs(target, source); err != nil {
+			return errors.Wrap(err, "failed to copy xattrs")
+		}
+	}
+
+	return nil
+}
+
+// CopyFile copies the source file to the target.
+// The most efficient means of copying is used for the platform.
+func CopyFile(target, source string) error {
+	src, err := os.Open(source)
+	if err != nil {
+		return errors.Wrapf(err, "failed to open source %s", source)
+	}
+	defer src.Close()
+	tgt, err := os.Create(target)
+	if err != nil {
+		return errors.Wrapf(err, "failed to open target %s", target)
+	}
+	defer tgt.Close()
+
+	return copyFileContent(tgt, src)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/copy_linux.go b/engine/vendor/github.com/containerd/continuity/fs/copy_linux.go
new file mode 100644
index 00000000..b244e318
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/copy_linux.go
@@ -0,0 +1,101 @@
+package fs
+
+import (
+	"io"
+	"os"
+	"syscall"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+func copyFileInfo(fi os.FileInfo, name string) error {
+	st := fi.Sys().(*syscall.Stat_t)
+	if err := os.Lchown(name, int(st.Uid), int(st.Gid)); err != nil {
+		if os.IsPermission(err) {
+			// Normally if uid/gid are the same this would be a no-op, but some
+			// filesystems may still return EPERM... for instance NFS does this.
+			// In such a case, this is not an error.
+			if dstStat, err2 := os.Lstat(name); err2 == nil {
+				st2 := dstStat.Sys().(*syscall.Stat_t)
+				if st.Uid == st2.Uid && st.Gid == st2.Gid {
+					err = nil
+				}
+			}
+		}
+		if err != nil {
+			return errors.Wrapf(err, "failed to chown %s", name)
+		}
+	}
+
+	if (fi.Mode() & os.ModeSymlink) != os.ModeSymlink {
+		if err := os.Chmod(name, fi.Mode()); err != nil {
+			return errors.Wrapf(err, "failed to chmod %s", name)
+		}
+	}
+
+	timespec := []unix.Timespec{unix.Timespec(StatAtime(st)), unix.Timespec(StatMtime(st))}
+	if err := unix.UtimesNanoAt(unix.AT_FDCWD, name, timespec, unix.AT_SYMLINK_NOFOLLOW); err != nil {
+		return errors.Wrapf(err, "failed to utime %s", name)
+	}
+
+	return nil
+}
+
+func copyFileContent(dst, src *os.File) error {
+	st, err := src.Stat()
+	if err != nil {
+		return errors.Wrap(err, "unable to stat source")
+	}
+
+	size := st.Size()
+	first := true
+	srcFd := int(src.Fd())
+	dstFd := int(dst.Fd())
+
+	for size > 0 {
+		n, err := unix.CopyFileRange(srcFd, nil, dstFd, nil, int(size), 0)
+		if err != nil {
+			if (err != unix.ENOSYS && err != unix.EXDEV) || !first {
+				return errors.Wrap(err, "copy file range failed")
+			}
+
+			buf := bufferPool.Get().(*[]byte)
+			_, err = io.CopyBuffer(dst, src, *buf)
+			bufferPool.Put(buf)
+			return errors.Wrap(err, "userspace copy failed")
+		}
+
+		first = false
+		size -= int64(n)
+	}
+
+	return nil
+}
+
+func copyXAttrs(dst, src string) error {
+	xattrKeys, err := sysx.LListxattr(src)
+	if err != nil {
+		return errors.Wrapf(err, "failed to list xattrs on %s", src)
+	}
+	for _, xattr := range xattrKeys {
+		data, err := sysx.LGetxattr(src, xattr)
+		if err != nil {
+			return errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
+		}
+		if err := sysx.LSetxattr(dst, xattr, data, 0); err != nil {
+			return errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
+		}
+	}
+
+	return nil
+}
+
+func copyDevice(dst string, fi os.FileInfo) error {
+	st, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		return errors.New("unsupported stat type")
+	}
+	return unix.Mknod(dst, uint32(fi.Mode()), int(st.Rdev))
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/copy_unix.go b/engine/vendor/github.com/containerd/continuity/fs/copy_unix.go
new file mode 100644
index 00000000..29cbb81e
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/copy_unix.go
@@ -0,0 +1,80 @@
+// +build solaris darwin freebsd
+
+package fs
+
+import (
+	"io"
+	"os"
+	"syscall"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+func copyFileInfo(fi os.FileInfo, name string) error {
+	st := fi.Sys().(*syscall.Stat_t)
+	if err := os.Lchown(name, int(st.Uid), int(st.Gid)); err != nil {
+		if os.IsPermission(err) {
+			// Normally if uid/gid are the same this would be a no-op, but some
+			// filesystems may still return EPERM... for instance NFS does this.
+			// In such a case, this is not an error.
+			if dstStat, err2 := os.Lstat(name); err2 == nil {
+				st2 := dstStat.Sys().(*syscall.Stat_t)
+				if st.Uid == st2.Uid && st.Gid == st2.Gid {
+					err = nil
+				}
+			}
+		}
+		if err != nil {
+			return errors.Wrapf(err, "failed to chown %s", name)
+		}
+	}
+
+	if (fi.Mode() & os.ModeSymlink) != os.ModeSymlink {
+		if err := os.Chmod(name, fi.Mode()); err != nil {
+			return errors.Wrapf(err, "failed to chmod %s", name)
+		}
+	}
+
+	timespec := []syscall.Timespec{StatAtime(st), StatMtime(st)}
+	if err := syscall.UtimesNano(name, timespec); err != nil {
+		return errors.Wrapf(err, "failed to utime %s", name)
+	}
+
+	return nil
+}
+
+func copyFileContent(dst, src *os.File) error {
+	buf := bufferPool.Get().(*[]byte)
+	_, err := io.CopyBuffer(dst, src, *buf)
+	bufferPool.Put(buf)
+
+	return err
+}
+
+func copyXAttrs(dst, src string) error {
+	xattrKeys, err := sysx.LListxattr(src)
+	if err != nil {
+		return errors.Wrapf(err, "failed to list xattrs on %s", src)
+	}
+	for _, xattr := range xattrKeys {
+		data, err := sysx.LGetxattr(src, xattr)
+		if err != nil {
+			return errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
+		}
+		if err := sysx.LSetxattr(dst, xattr, data, 0); err != nil {
+			return errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
+		}
+	}
+
+	return nil
+}
+
+func copyDevice(dst string, fi os.FileInfo) error {
+	st, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		return errors.New("unsupported stat type")
+	}
+	return unix.Mknod(dst, uint32(fi.Mode()), int(st.Rdev))
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/copy_windows.go b/engine/vendor/github.com/containerd/continuity/fs/copy_windows.go
new file mode 100644
index 00000000..6fb3de57
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/copy_windows.go
@@ -0,0 +1,33 @@
+package fs
+
+import (
+	"io"
+	"os"
+
+	"github.com/pkg/errors"
+)
+
+func copyFileInfo(fi os.FileInfo, name string) error {
+	if err := os.Chmod(name, fi.Mode()); err != nil {
+		return errors.Wrapf(err, "failed to chmod %s", name)
+	}
+
+	// TODO: copy windows specific metadata
+
+	return nil
+}
+
+func copyFileContent(dst, src *os.File) error {
+	buf := bufferPool.Get().(*[]byte)
+	_, err := io.CopyBuffer(dst, src, *buf)
+	bufferPool.Put(buf)
+	return err
+}
+
+func copyXAttrs(dst, src string) error {
+	return nil
+}
+
+func copyDevice(dst string, fi os.FileInfo) error {
+	return errors.New("device copy not supported")
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/diff.go b/engine/vendor/github.com/containerd/continuity/fs/diff.go
new file mode 100644
index 00000000..f2300e84
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/diff.go
@@ -0,0 +1,310 @@
+package fs
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sync/errgroup"
+
+	"github.com/sirupsen/logrus"
+)
+
+// ChangeKind is the type of modification that
+// a change is making.
+type ChangeKind int
+
+const (
+	// ChangeKindUnmodified represents an unmodified
+	// file
+	ChangeKindUnmodified = iota
+
+	// ChangeKindAdd represents an addition of
+	// a file
+	ChangeKindAdd
+
+	// ChangeKindModify represents a change to
+	// an existing file
+	ChangeKindModify
+
+	// ChangeKindDelete represents a delete of
+	// a file
+	ChangeKindDelete
+)
+
+func (k ChangeKind) String() string {
+	switch k {
+	case ChangeKindUnmodified:
+		return "unmodified"
+	case ChangeKindAdd:
+		return "add"
+	case ChangeKindModify:
+		return "modify"
+	case ChangeKindDelete:
+		return "delete"
+	default:
+		return ""
+	}
+}
+
+// Change represents single change between a diff and its parent.
+type Change struct {
+	Kind ChangeKind
+	Path string
+}
+
+// ChangeFunc is the type of function called for each change
+// computed during a directory changes calculation.
+type ChangeFunc func(ChangeKind, string, os.FileInfo, error) error
+
+// Changes computes changes between two directories calling the
+// given change function for each computed change. The first
+// directory is intended to the base directory and second
+// directory the changed directory.
+//
+// The change callback is called by the order of path names and
+// should be appliable in that order.
+//  Due to this apply ordering, the following is true
+//  - Removed directory trees only create a single change for the root
+//    directory removed. Remaining changes are implied.
+//  - A directory which is modified to become a file will not have
+//    delete entries for sub-path items, their removal is implied
+//    by the removal of the parent directory.
+//
+// Opaque directories will not be treated specially and each file
+// removed from the base directory will show up as a removal.
+//
+// File content comparisons will be done on files which have timestamps
+// which may have been truncated. If either of the files being compared
+// has a zero value nanosecond value, each byte will be compared for
+// differences. If 2 files have the same seconds value but different
+// nanosecond values where one of those values is zero, the files will
+// be considered unchanged if the content is the same. This behavior
+// is to account for timestamp truncation during archiving.
+func Changes(ctx context.Context, a, b string, changeFn ChangeFunc) error {
+	if a == "" {
+		logrus.Debugf("Using single walk diff for %s", b)
+		return addDirChanges(ctx, changeFn, b)
+	} else if diffOptions := detectDirDiff(b, a); diffOptions != nil {
+		logrus.Debugf("Using single walk diff for %s from %s", diffOptions.diffDir, a)
+		return diffDirChanges(ctx, changeFn, a, diffOptions)
+	}
+
+	logrus.Debugf("Using double walk diff for %s from %s", b, a)
+	return doubleWalkDiff(ctx, changeFn, a, b)
+}
+
+func addDirChanges(ctx context.Context, changeFn ChangeFunc, root string) error {
+	return filepath.Walk(root, func(path string, f os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Rebase path
+		path, err = filepath.Rel(root, path)
+		if err != nil {
+			return err
+		}
+
+		path = filepath.Join(string(os.PathSeparator), path)
+
+		// Skip root
+		if path == string(os.PathSeparator) {
+			return nil
+		}
+
+		return changeFn(ChangeKindAdd, path, f, nil)
+	})
+}
+
+// diffDirOptions is used when the diff can be directly calculated from
+// a diff directory to its base, without walking both trees.
+type diffDirOptions struct {
+	diffDir      string
+	skipChange   func(string) (bool, error)
+	deleteChange func(string, string, os.FileInfo) (string, error)
+}
+
+// diffDirChanges walks the diff directory and compares changes against the base.
+func diffDirChanges(ctx context.Context, changeFn ChangeFunc, base string, o *diffDirOptions) error {
+	changedDirs := make(map[string]struct{})
+	return filepath.Walk(o.diffDir, func(path string, f os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Rebase path
+		path, err = filepath.Rel(o.diffDir, path)
+		if err != nil {
+			return err
+		}
+
+		path = filepath.Join(string(os.PathSeparator), path)
+
+		// Skip root
+		if path == string(os.PathSeparator) {
+			return nil
+		}
+
+		// TODO: handle opaqueness, start new double walker at this
+		// location to get deletes, and skip tree in single walker
+
+		if o.skipChange != nil {
+			if skip, err := o.skipChange(path); skip {
+				return err
+			}
+		}
+
+		var kind ChangeKind
+
+		deletedFile, err := o.deleteChange(o.diffDir, path, f)
+		if err != nil {
+			return err
+		}
+
+		// Find out what kind of modification happened
+		if deletedFile != "" {
+			path = deletedFile
+			kind = ChangeKindDelete
+			f = nil
+		} else {
+			// Otherwise, the file was added
+			kind = ChangeKindAdd
+
+			// ...Unless it already existed in a base, in which case, it's a modification
+			stat, err := os.Stat(filepath.Join(base, path))
+			if err != nil && !os.IsNotExist(err) {
+				return err
+			}
+			if err == nil {
+				// The file existed in the base, so that's a modification
+
+				// However, if it's a directory, maybe it wasn't actually modified.
+				// If you modify /foo/bar/baz, then /foo will be part of the changed files only because it's the parent of bar
+				if stat.IsDir() && f.IsDir() {
+					if f.Size() == stat.Size() && f.Mode() == stat.Mode() && sameFsTime(f.ModTime(), stat.ModTime()) {
+						// Both directories are the same, don't record the change
+						return nil
+					}
+				}
+				kind = ChangeKindModify
+			}
+		}
+
+		// If /foo/bar/file.txt is modified, then /foo/bar must be part of the changed files.
+		// This block is here to ensure the change is recorded even if the
+		// modify time, mode and size of the parent directory in the rw and ro layers are all equal.
+		// Check https://github.com/docker/docker/pull/13590 for details.
+		if f.IsDir() {
+			changedDirs[path] = struct{}{}
+		}
+		if kind == ChangeKindAdd || kind == ChangeKindDelete {
+			parent := filepath.Dir(path)
+			if _, ok := changedDirs[parent]; !ok && parent != "/" {
+				pi, err := os.Stat(filepath.Join(o.diffDir, parent))
+				if err := changeFn(ChangeKindModify, parent, pi, err); err != nil {
+					return err
+				}
+				changedDirs[parent] = struct{}{}
+			}
+		}
+
+		return changeFn(kind, path, f, nil)
+	})
+}
+
+// doubleWalkDiff walks both directories to create a diff
+func doubleWalkDiff(ctx context.Context, changeFn ChangeFunc, a, b string) (err error) {
+	g, ctx := errgroup.WithContext(ctx)
+
+	var (
+		c1 = make(chan *currentPath)
+		c2 = make(chan *currentPath)
+
+		f1, f2 *currentPath
+		rmdir  string
+	)
+	g.Go(func() error {
+		defer close(c1)
+		return pathWalk(ctx, a, c1)
+	})
+	g.Go(func() error {
+		defer close(c2)
+		return pathWalk(ctx, b, c2)
+	})
+	g.Go(func() error {
+		for c1 != nil || c2 != nil {
+			if f1 == nil && c1 != nil {
+				f1, err = nextPath(ctx, c1)
+				if err != nil {
+					return err
+				}
+				if f1 == nil {
+					c1 = nil
+				}
+			}
+
+			if f2 == nil && c2 != nil {
+				f2, err = nextPath(ctx, c2)
+				if err != nil {
+					return err
+				}
+				if f2 == nil {
+					c2 = nil
+				}
+			}
+			if f1 == nil && f2 == nil {
+				continue
+			}
+
+			var f os.FileInfo
+			k, p := pathChange(f1, f2)
+			switch k {
+			case ChangeKindAdd:
+				if rmdir != "" {
+					rmdir = ""
+				}
+				f = f2.f
+				f2 = nil
+			case ChangeKindDelete:
+				// Check if this file is already removed by being
+				// under of a removed directory
+				if rmdir != "" && strings.HasPrefix(f1.path, rmdir) {
+					f1 = nil
+					continue
+				} else if f1.f.IsDir() {
+					rmdir = f1.path + string(os.PathSeparator)
+				} else if rmdir != "" {
+					rmdir = ""
+				}
+				f1 = nil
+			case ChangeKindModify:
+				same, err := sameFile(f1, f2)
+				if err != nil {
+					return err
+				}
+				if f1.f.IsDir() && !f2.f.IsDir() {
+					rmdir = f1.path + string(os.PathSeparator)
+				} else if rmdir != "" {
+					rmdir = ""
+				}
+				f = f2.f
+				f1 = nil
+				f2 = nil
+				if same {
+					if !isLinked(f) {
+						continue
+					}
+					k = ChangeKindUnmodified
+				}
+			}
+			if err := changeFn(k, p, f, nil); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+
+	return g.Wait()
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/diff_unix.go b/engine/vendor/github.com/containerd/continuity/fs/diff_unix.go
new file mode 100644
index 00000000..37518144
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/diff_unix.go
@@ -0,0 +1,58 @@
+// +build !windows
+
+package fs
+
+import (
+	"bytes"
+	"os"
+	"syscall"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/pkg/errors"
+)
+
+// detectDirDiff returns diff dir options if a directory could
+// be found in the mount info for upper which is the direct
+// diff with the provided lower directory
+func detectDirDiff(upper, lower string) *diffDirOptions {
+	// TODO: get mount options for upper
+	// TODO: detect AUFS
+	// TODO: detect overlay
+	return nil
+}
+
+// compareSysStat returns whether the stats are equivalent,
+// whether the files are considered the same file, and
+// an error
+func compareSysStat(s1, s2 interface{}) (bool, error) {
+	ls1, ok := s1.(*syscall.Stat_t)
+	if !ok {
+		return false, nil
+	}
+	ls2, ok := s2.(*syscall.Stat_t)
+	if !ok {
+		return false, nil
+	}
+
+	return ls1.Mode == ls2.Mode && ls1.Uid == ls2.Uid && ls1.Gid == ls2.Gid && ls1.Rdev == ls2.Rdev, nil
+}
+
+func compareCapabilities(p1, p2 string) (bool, error) {
+	c1, err := sysx.LGetxattr(p1, "security.capability")
+	if err != nil && err != sysx.ENODATA {
+		return false, errors.Wrapf(err, "failed to get xattr for %s", p1)
+	}
+	c2, err := sysx.LGetxattr(p2, "security.capability")
+	if err != nil && err != sysx.ENODATA {
+		return false, errors.Wrapf(err, "failed to get xattr for %s", p2)
+	}
+	return bytes.Equal(c1, c2), nil
+}
+
+func isLinked(f os.FileInfo) bool {
+	s, ok := f.Sys().(*syscall.Stat_t)
+	if !ok {
+		return false
+	}
+	return !f.IsDir() && s.Nlink > 1
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/diff_windows.go b/engine/vendor/github.com/containerd/continuity/fs/diff_windows.go
new file mode 100644
index 00000000..8eed3650
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/diff_windows.go
@@ -0,0 +1,32 @@
+package fs
+
+import (
+	"os"
+
+	"golang.org/x/sys/windows"
+)
+
+func detectDirDiff(upper, lower string) *diffDirOptions {
+	return nil
+}
+
+func compareSysStat(s1, s2 interface{}) (bool, error) {
+	f1, ok := s1.(windows.Win32FileAttributeData)
+	if !ok {
+		return false, nil
+	}
+	f2, ok := s2.(windows.Win32FileAttributeData)
+	if !ok {
+		return false, nil
+	}
+	return f1.FileAttributes == f2.FileAttributes, nil
+}
+
+func compareCapabilities(p1, p2 string) (bool, error) {
+	// TODO: Use windows equivalent
+	return true, nil
+}
+
+func isLinked(os.FileInfo) bool {
+	return false
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/dtype_linux.go b/engine/vendor/github.com/containerd/continuity/fs/dtype_linux.go
new file mode 100644
index 00000000..cc06573f
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/dtype_linux.go
@@ -0,0 +1,87 @@
+// +build linux
+
+package fs
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"syscall"
+	"unsafe"
+)
+
+func locateDummyIfEmpty(path string) (string, error) {
+	children, err := ioutil.ReadDir(path)
+	if err != nil {
+		return "", err
+	}
+	if len(children) != 0 {
+		return "", nil
+	}
+	dummyFile, err := ioutil.TempFile(path, "fsutils-dummy")
+	if err != nil {
+		return "", err
+	}
+	name := dummyFile.Name()
+	err = dummyFile.Close()
+	return name, err
+}
+
+// SupportsDType returns whether the filesystem mounted on path supports d_type
+func SupportsDType(path string) (bool, error) {
+	// locate dummy so that we have at least one dirent
+	dummy, err := locateDummyIfEmpty(path)
+	if err != nil {
+		return false, err
+	}
+	if dummy != "" {
+		defer os.Remove(dummy)
+	}
+
+	visited := 0
+	supportsDType := true
+	fn := func(ent *syscall.Dirent) bool {
+		visited++
+		if ent.Type == syscall.DT_UNKNOWN {
+			supportsDType = false
+			// stop iteration
+			return true
+		}
+		// continue iteration
+		return false
+	}
+	if err = iterateReadDir(path, fn); err != nil {
+		return false, err
+	}
+	if visited == 0 {
+		return false, fmt.Errorf("did not hit any dirent during iteration %s", path)
+	}
+	return supportsDType, nil
+}
+
+func iterateReadDir(path string, fn func(*syscall.Dirent) bool) error {
+	d, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer d.Close()
+	fd := int(d.Fd())
+	buf := make([]byte, 4096)
+	for {
+		nbytes, err := syscall.ReadDirent(fd, buf)
+		if err != nil {
+			return err
+		}
+		if nbytes == 0 {
+			break
+		}
+		for off := 0; off < nbytes; {
+			ent := (*syscall.Dirent)(unsafe.Pointer(&buf[off]))
+			if stop := fn(ent); stop {
+				return nil
+			}
+			off += int(ent.Reclen)
+		}
+	}
+	return nil
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/du.go b/engine/vendor/github.com/containerd/continuity/fs/du.go
new file mode 100644
index 00000000..26f53331
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/du.go
@@ -0,0 +1,22 @@
+package fs
+
+import "context"
+
+// Usage of disk information
+type Usage struct {
+	Inodes int64
+	Size   int64
+}
+
+// DiskUsage counts the number of inodes and disk usage for the resources under
+// path.
+func DiskUsage(roots ...string) (Usage, error) {
+	return diskUsage(roots...)
+}
+
+// DiffUsage counts the numbers of inodes and disk usage in the
+// diff between the 2 directories. The first path is intended
+// as the base directory and the second as the changed directory.
+func DiffUsage(ctx context.Context, a, b string) (Usage, error) {
+	return diffUsage(ctx, a, b)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/du_unix.go b/engine/vendor/github.com/containerd/continuity/fs/du_unix.go
new file mode 100644
index 00000000..fe3426d2
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/du_unix.go
@@ -0,0 +1,88 @@
+// +build !windows
+
+package fs
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"syscall"
+)
+
+type inode struct {
+	// TODO(stevvooe): Can probably reduce memory usage by not tracking
+	// device, but we can leave this right for now.
+	dev, ino uint64
+}
+
+func newInode(stat *syscall.Stat_t) inode {
+	return inode{
+		// Dev is uint32 on darwin/bsd, uint64 on linux/solaris
+		dev: uint64(stat.Dev), // nolint: unconvert
+		// Ino is uint32 on bsd, uint64 on darwin/linux/solaris
+		ino: uint64(stat.Ino), // nolint: unconvert
+	}
+}
+
+func diskUsage(roots ...string) (Usage, error) {
+
+	var (
+		size   int64
+		inodes = map[inode]struct{}{} // expensive!
+	)
+
+	for _, root := range roots {
+		if err := filepath.Walk(root, func(path string, fi os.FileInfo, err error) error {
+			if err != nil {
+				return err
+			}
+
+			inoKey := newInode(fi.Sys().(*syscall.Stat_t))
+			if _, ok := inodes[inoKey]; !ok {
+				inodes[inoKey] = struct{}{}
+				size += fi.Size()
+			}
+
+			return nil
+		}); err != nil {
+			return Usage{}, err
+		}
+	}
+
+	return Usage{
+		Inodes: int64(len(inodes)),
+		Size:   size,
+	}, nil
+}
+
+func diffUsage(ctx context.Context, a, b string) (Usage, error) {
+	var (
+		size   int64
+		inodes = map[inode]struct{}{} // expensive!
+	)
+
+	if err := Changes(ctx, a, b, func(kind ChangeKind, _ string, fi os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if kind == ChangeKindAdd || kind == ChangeKindModify {
+			inoKey := newInode(fi.Sys().(*syscall.Stat_t))
+			if _, ok := inodes[inoKey]; !ok {
+				inodes[inoKey] = struct{}{}
+				size += fi.Size()
+			}
+
+			return nil
+
+		}
+		return nil
+	}); err != nil {
+		return Usage{}, err
+	}
+
+	return Usage{
+		Inodes: int64(len(inodes)),
+		Size:   size,
+	}, nil
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/du_windows.go b/engine/vendor/github.com/containerd/continuity/fs/du_windows.go
new file mode 100644
index 00000000..3f852fc1
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/du_windows.go
@@ -0,0 +1,60 @@
+// +build windows
+
+package fs
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+)
+
+func diskUsage(roots ...string) (Usage, error) {
+	var (
+		size int64
+	)
+
+	// TODO(stevvooe): Support inodes (or equivalent) for windows.
+
+	for _, root := range roots {
+		if err := filepath.Walk(root, func(path string, fi os.FileInfo, err error) error {
+			if err != nil {
+				return err
+			}
+
+			size += fi.Size()
+			return nil
+		}); err != nil {
+			return Usage{}, err
+		}
+	}
+
+	return Usage{
+		Size: size,
+	}, nil
+}
+
+func diffUsage(ctx context.Context, a, b string) (Usage, error) {
+	var (
+		size int64
+	)
+
+	if err := Changes(ctx, a, b, func(kind ChangeKind, _ string, fi os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if kind == ChangeKindAdd || kind == ChangeKindModify {
+			size += fi.Size()
+
+			return nil
+
+		}
+		return nil
+	}); err != nil {
+		return Usage{}, err
+	}
+
+	return Usage{
+		Size: size,
+	}, nil
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/hardlink.go b/engine/vendor/github.com/containerd/continuity/fs/hardlink.go
new file mode 100644
index 00000000..38da9381
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/hardlink.go
@@ -0,0 +1,27 @@
+package fs
+
+import "os"
+
+// GetLinkInfo returns an identifier representing the node a hardlink is pointing
+// to. If the file is not hard linked then 0 will be returned.
+func GetLinkInfo(fi os.FileInfo) (uint64, bool) {
+	return getLinkInfo(fi)
+}
+
+// getLinkSource returns a path for the given name and
+// file info to its link source in the provided inode
+// map. If the given file name is not in the map and
+// has other links, it is added to the inode map
+// to be a source for other link locations.
+func getLinkSource(name string, fi os.FileInfo, inodes map[uint64]string) (string, error) {
+	inode, isHardlink := getLinkInfo(fi)
+	if !isHardlink {
+		return "", nil
+	}
+
+	path, ok := inodes[inode]
+	if !ok {
+		inodes[inode] = name
+	}
+	return path, nil
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/hardlink_unix.go b/engine/vendor/github.com/containerd/continuity/fs/hardlink_unix.go
new file mode 100644
index 00000000..a6f99778
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/hardlink_unix.go
@@ -0,0 +1,18 @@
+// +build !windows
+
+package fs
+
+import (
+	"os"
+	"syscall"
+)
+
+func getLinkInfo(fi os.FileInfo) (uint64, bool) {
+	s, ok := fi.Sys().(*syscall.Stat_t)
+	if !ok {
+		return 0, false
+	}
+
+	// Ino is uint32 on bsd, uint64 on darwin/linux/solaris
+	return uint64(s.Ino), !fi.IsDir() && s.Nlink > 1 // nolint: unconvert
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/hardlink_windows.go b/engine/vendor/github.com/containerd/continuity/fs/hardlink_windows.go
new file mode 100644
index 00000000..ad8845a7
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/hardlink_windows.go
@@ -0,0 +1,7 @@
+package fs
+
+import "os"
+
+func getLinkInfo(fi os.FileInfo) (uint64, bool) {
+	return 0, false
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/path.go b/engine/vendor/github.com/containerd/continuity/fs/path.go
new file mode 100644
index 00000000..13fb8263
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/path.go
@@ -0,0 +1,276 @@
+package fs
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+var (
+	errTooManyLinks = errors.New("too many links")
+)
+
+type currentPath struct {
+	path     string
+	f        os.FileInfo
+	fullPath string
+}
+
+func pathChange(lower, upper *currentPath) (ChangeKind, string) {
+	if lower == nil {
+		if upper == nil {
+			panic("cannot compare nil paths")
+		}
+		return ChangeKindAdd, upper.path
+	}
+	if upper == nil {
+		return ChangeKindDelete, lower.path
+	}
+	// TODO: compare by directory
+
+	switch i := strings.Compare(lower.path, upper.path); {
+	case i < 0:
+		// File in lower that is not in upper
+		return ChangeKindDelete, lower.path
+	case i > 0:
+		// File in upper that is not in lower
+		return ChangeKindAdd, upper.path
+	default:
+		return ChangeKindModify, upper.path
+	}
+}
+
+func sameFile(f1, f2 *currentPath) (bool, error) {
+	if os.SameFile(f1.f, f2.f) {
+		return true, nil
+	}
+
+	equalStat, err := compareSysStat(f1.f.Sys(), f2.f.Sys())
+	if err != nil || !equalStat {
+		return equalStat, err
+	}
+
+	if eq, err := compareCapabilities(f1.fullPath, f2.fullPath); err != nil || !eq {
+		return eq, err
+	}
+
+	// If not a directory also check size, modtime, and content
+	if !f1.f.IsDir() {
+		if f1.f.Size() != f2.f.Size() {
+			return false, nil
+		}
+		t1 := f1.f.ModTime()
+		t2 := f2.f.ModTime()
+
+		if t1.Unix() != t2.Unix() {
+			return false, nil
+		}
+
+		// If the timestamp may have been truncated in both of the
+		// files, check content of file to determine difference
+		if t1.Nanosecond() == 0 && t2.Nanosecond() == 0 {
+			var eq bool
+			if (f1.f.Mode() & os.ModeSymlink) == os.ModeSymlink {
+				eq, err = compareSymlinkTarget(f1.fullPath, f2.fullPath)
+			} else if f1.f.Size() > 0 {
+				eq, err = compareFileContent(f1.fullPath, f2.fullPath)
+			}
+			if err != nil || !eq {
+				return eq, err
+			}
+		} else if t1.Nanosecond() != t2.Nanosecond() {
+			return false, nil
+		}
+	}
+
+	return true, nil
+}
+
+func compareSymlinkTarget(p1, p2 string) (bool, error) {
+	t1, err := os.Readlink(p1)
+	if err != nil {
+		return false, err
+	}
+	t2, err := os.Readlink(p2)
+	if err != nil {
+		return false, err
+	}
+	return t1 == t2, nil
+}
+
+const compareChuckSize = 32 * 1024
+
+// compareFileContent compares the content of 2 same sized files
+// by comparing each byte.
+func compareFileContent(p1, p2 string) (bool, error) {
+	f1, err := os.Open(p1)
+	if err != nil {
+		return false, err
+	}
+	defer f1.Close()
+	f2, err := os.Open(p2)
+	if err != nil {
+		return false, err
+	}
+	defer f2.Close()
+
+	b1 := make([]byte, compareChuckSize)
+	b2 := make([]byte, compareChuckSize)
+	for {
+		n1, err1 := f1.Read(b1)
+		if err1 != nil && err1 != io.EOF {
+			return false, err1
+		}
+		n2, err2 := f2.Read(b2)
+		if err2 != nil && err2 != io.EOF {
+			return false, err2
+		}
+		if n1 != n2 || !bytes.Equal(b1[:n1], b2[:n2]) {
+			return false, nil
+		}
+		if err1 == io.EOF && err2 == io.EOF {
+			return true, nil
+		}
+	}
+}
+
+func pathWalk(ctx context.Context, root string, pathC chan<- *currentPath) error {
+	return filepath.Walk(root, func(path string, f os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Rebase path
+		path, err = filepath.Rel(root, path)
+		if err != nil {
+			return err
+		}
+
+		path = filepath.Join(string(os.PathSeparator), path)
+
+		// Skip root
+		if path == string(os.PathSeparator) {
+			return nil
+		}
+
+		p := &currentPath{
+			path:     path,
+			f:        f,
+			fullPath: filepath.Join(root, path),
+		}
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case pathC <- p:
+			return nil
+		}
+	})
+}
+
+func nextPath(ctx context.Context, pathC <-chan *currentPath) (*currentPath, error) {
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	case p := <-pathC:
+		return p, nil
+	}
+}
+
+// RootPath joins a path with a root, evaluating and bounding any
+// symlink to the root directory.
+func RootPath(root, path string) (string, error) {
+	if path == "" {
+		return root, nil
+	}
+	var linksWalked int // to protect against cycles
+	for {
+		i := linksWalked
+		newpath, err := walkLinks(root, path, &linksWalked)
+		if err != nil {
+			return "", err
+		}
+		path = newpath
+		if i == linksWalked {
+			newpath = filepath.Join("/", newpath)
+			if path == newpath {
+				return filepath.Join(root, newpath), nil
+			}
+			path = newpath
+		}
+	}
+}
+
+func walkLink(root, path string, linksWalked *int) (newpath string, islink bool, err error) {
+	if *linksWalked > 255 {
+		return "", false, errTooManyLinks
+	}
+
+	path = filepath.Join("/", path)
+	if path == "/" {
+		return path, false, nil
+	}
+	realPath := filepath.Join(root, path)
+
+	fi, err := os.Lstat(realPath)
+	if err != nil {
+		// If path does not yet exist, treat as non-symlink
+		if os.IsNotExist(err) {
+			return path, false, nil
+		}
+		return "", false, err
+	}
+	if fi.Mode()&os.ModeSymlink == 0 {
+		return path, false, nil
+	}
+	newpath, err = os.Readlink(realPath)
+	if err != nil {
+		return "", false, err
+	}
+	if filepath.IsAbs(newpath) && strings.HasPrefix(newpath, root) {
+		newpath = newpath[:len(root)]
+		if !strings.HasPrefix(newpath, "/") {
+			newpath = "/" + newpath
+		}
+	}
+	*linksWalked++
+	return newpath, true, nil
+}
+
+func walkLinks(root, path string, linksWalked *int) (string, error) {
+	switch dir, file := filepath.Split(path); {
+	case dir == "":
+		newpath, _, err := walkLink(root, file, linksWalked)
+		return newpath, err
+	case file == "":
+		if os.IsPathSeparator(dir[len(dir)-1]) {
+			if dir == "/" {
+				return dir, nil
+			}
+			return walkLinks(root, dir[:len(dir)-1], linksWalked)
+		}
+		newpath, _, err := walkLink(root, dir, linksWalked)
+		return newpath, err
+	default:
+		newdir, err := walkLinks(root, dir, linksWalked)
+		if err != nil {
+			return "", err
+		}
+		newpath, islink, err := walkLink(root, filepath.Join(newdir, file), linksWalked)
+		if err != nil {
+			return "", err
+		}
+		if !islink {
+			return newpath, nil
+		}
+		if filepath.IsAbs(newpath) {
+			return newpath, nil
+		}
+		return filepath.Join(newdir, newpath), nil
+	}
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/stat_bsd.go b/engine/vendor/github.com/containerd/continuity/fs/stat_bsd.go
new file mode 100644
index 00000000..a1b776fd
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/stat_bsd.go
@@ -0,0 +1,28 @@
+// +build darwin freebsd
+
+package fs
+
+import (
+	"syscall"
+	"time"
+)
+
+// StatAtime returns the access time from a stat struct
+func StatAtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Atimespec
+}
+
+// StatCtime returns the created time from a stat struct
+func StatCtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Ctimespec
+}
+
+// StatMtime returns the modified time from a stat struct
+func StatMtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Mtimespec
+}
+
+// StatATimeAsTime returns the access time as a time.Time
+func StatATimeAsTime(st *syscall.Stat_t) time.Time {
+	return time.Unix(int64(st.Atimespec.Sec), int64(st.Atimespec.Nsec)) // nolint: unconvert
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/stat_linux.go b/engine/vendor/github.com/containerd/continuity/fs/stat_linux.go
new file mode 100644
index 00000000..1dbb0212
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/stat_linux.go
@@ -0,0 +1,27 @@
+package fs
+
+import (
+	"syscall"
+	"time"
+)
+
+// StatAtime returns the Atim
+func StatAtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Atim
+}
+
+// StatCtime returns the Ctim
+func StatCtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Ctim
+}
+
+// StatMtime returns the Mtim
+func StatMtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Mtim
+}
+
+// StatATimeAsTime returns st.Atim as a time.Time
+func StatATimeAsTime(st *syscall.Stat_t) time.Time {
+	// The int64 conversions ensure the line compiles for 32-bit systems as well.
+	return time.Unix(int64(st.Atim.Sec), int64(st.Atim.Nsec)) // nolint: unconvert
+}
diff --git a/engine/vendor/github.com/containerd/continuity/fs/time.go b/engine/vendor/github.com/containerd/continuity/fs/time.go
new file mode 100644
index 00000000..c336f4d8
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/fs/time.go
@@ -0,0 +1,13 @@
+package fs
+
+import "time"
+
+// Gnu tar and the go tar writer don't have sub-second mtime
+// precision, which is problematic when we apply changes via tar
+// files, we handle this by comparing for exact times, *or* same
+// second count and either a or b having exactly 0 nanoseconds
+func sameFsTime(a, b time.Time) bool {
+	return a == b ||
+		(a.Unix() == b.Unix() &&
+			(a.Nanosecond() == 0 || b.Nanosecond() == 0))
+}
diff --git a/engine/vendor/github.com/containerd/continuity/pathdriver/path_driver.go b/engine/vendor/github.com/containerd/continuity/pathdriver/path_driver.go
new file mode 100644
index 00000000..b43d55fe
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/pathdriver/path_driver.go
@@ -0,0 +1,85 @@
+package pathdriver
+
+import (
+	"path/filepath"
+)
+
+// PathDriver provides all of the path manipulation functions in a common
+// interface. The context should call these and never use the `filepath`
+// package or any other package to manipulate paths.
+type PathDriver interface {
+	Join(paths ...string) string
+	IsAbs(path string) bool
+	Rel(base, target string) (string, error)
+	Base(path string) string
+	Dir(path string) string
+	Clean(path string) string
+	Split(path string) (dir, file string)
+	Separator() byte
+	Abs(path string) (string, error)
+	Walk(string, filepath.WalkFunc) error
+	FromSlash(path string) string
+	ToSlash(path string) string
+	Match(pattern, name string) (matched bool, err error)
+}
+
+// pathDriver is a simple default implementation calls the filepath package.
+type pathDriver struct{}
+
+// LocalPathDriver is the exported pathDriver struct for convenience.
+var LocalPathDriver PathDriver = &pathDriver{}
+
+func (*pathDriver) Join(paths ...string) string {
+	return filepath.Join(paths...)
+}
+
+func (*pathDriver) IsAbs(path string) bool {
+	return filepath.IsAbs(path)
+}
+
+func (*pathDriver) Rel(base, target string) (string, error) {
+	return filepath.Rel(base, target)
+}
+
+func (*pathDriver) Base(path string) string {
+	return filepath.Base(path)
+}
+
+func (*pathDriver) Dir(path string) string {
+	return filepath.Dir(path)
+}
+
+func (*pathDriver) Clean(path string) string {
+	return filepath.Clean(path)
+}
+
+func (*pathDriver) Split(path string) (dir, file string) {
+	return filepath.Split(path)
+}
+
+func (*pathDriver) Separator() byte {
+	return filepath.Separator
+}
+
+func (*pathDriver) Abs(path string) (string, error) {
+	return filepath.Abs(path)
+}
+
+// Note that filepath.Walk calls os.Stat, so if the context wants to
+// to call Driver.Stat() for Walk, they need to create a new struct that
+// overrides this method.
+func (*pathDriver) Walk(root string, walkFn filepath.WalkFunc) error {
+	return filepath.Walk(root, walkFn)
+}
+
+func (*pathDriver) FromSlash(path string) string {
+	return filepath.FromSlash(path)
+}
+
+func (*pathDriver) ToSlash(path string) string {
+	return filepath.ToSlash(path)
+}
+
+func (*pathDriver) Match(pattern, name string) (bool, error) {
+	return filepath.Match(pattern, name)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/syscallx/syscall_unix.go b/engine/vendor/github.com/containerd/continuity/syscallx/syscall_unix.go
new file mode 100644
index 00000000..4205d1e8
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/syscallx/syscall_unix.go
@@ -0,0 +1,10 @@
+// +build !windows
+
+package syscallx
+
+import "syscall"
+
+// Readlink returns the destination of the named symbolic link.
+func Readlink(path string, buf []byte) (n int, err error) {
+	return syscall.Readlink(path, buf)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/syscallx/syscall_windows.go b/engine/vendor/github.com/containerd/continuity/syscallx/syscall_windows.go
new file mode 100644
index 00000000..9637a287
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/syscallx/syscall_windows.go
@@ -0,0 +1,96 @@
+package syscallx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+type reparseDataBuffer struct {
+	ReparseTag        uint32
+	ReparseDataLength uint16
+	Reserved          uint16
+
+	// GenericReparseBuffer
+	reparseBuffer byte
+}
+
+type mountPointReparseBuffer struct {
+	SubstituteNameOffset uint16
+	SubstituteNameLength uint16
+	PrintNameOffset      uint16
+	PrintNameLength      uint16
+	PathBuffer           [1]uint16
+}
+
+type symbolicLinkReparseBuffer struct {
+	SubstituteNameOffset uint16
+	SubstituteNameLength uint16
+	PrintNameOffset      uint16
+	PrintNameLength      uint16
+	Flags                uint32
+	PathBuffer           [1]uint16
+}
+
+const (
+	_IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003
+	_SYMLINK_FLAG_RELATIVE      = 1
+)
+
+// Readlink returns the destination of the named symbolic link.
+func Readlink(path string, buf []byte) (n int, err error) {
+	fd, err := syscall.CreateFile(syscall.StringToUTF16Ptr(path), syscall.GENERIC_READ, 0, nil, syscall.OPEN_EXISTING,
+		syscall.FILE_FLAG_OPEN_REPARSE_POINT|syscall.FILE_FLAG_BACKUP_SEMANTICS, 0)
+	if err != nil {
+		return -1, err
+	}
+	defer syscall.CloseHandle(fd)
+
+	rdbbuf := make([]byte, syscall.MAXIMUM_REPARSE_DATA_BUFFER_SIZE)
+	var bytesReturned uint32
+	err = syscall.DeviceIoControl(fd, syscall.FSCTL_GET_REPARSE_POINT, nil, 0, &rdbbuf[0], uint32(len(rdbbuf)), &bytesReturned, nil)
+	if err != nil {
+		return -1, err
+	}
+
+	rdb := (*reparseDataBuffer)(unsafe.Pointer(&rdbbuf[0]))
+	var s string
+	switch rdb.ReparseTag {
+	case syscall.IO_REPARSE_TAG_SYMLINK:
+		data := (*symbolicLinkReparseBuffer)(unsafe.Pointer(&rdb.reparseBuffer))
+		p := (*[0xffff]uint16)(unsafe.Pointer(&data.PathBuffer[0]))
+		s = syscall.UTF16ToString(p[data.SubstituteNameOffset/2 : (data.SubstituteNameOffset+data.SubstituteNameLength)/2])
+		if data.Flags&_SYMLINK_FLAG_RELATIVE == 0 {
+			if len(s) >= 4 && s[:4] == `\??\` {
+				s = s[4:]
+				switch {
+				case len(s) >= 2 && s[1] == ':': // \??\C:\foo\bar
+					// do nothing
+				case len(s) >= 4 && s[:4] == `UNC\`: // \??\UNC\foo\bar
+					s = `\\` + s[4:]
+				default:
+					// unexpected; do nothing
+				}
+			} else {
+				// unexpected; do nothing
+			}
+		}
+	case _IO_REPARSE_TAG_MOUNT_POINT:
+		data := (*mountPointReparseBuffer)(unsafe.Pointer(&rdb.reparseBuffer))
+		p := (*[0xffff]uint16)(unsafe.Pointer(&data.PathBuffer[0]))
+		s = syscall.UTF16ToString(p[data.SubstituteNameOffset/2 : (data.SubstituteNameOffset+data.SubstituteNameLength)/2])
+		if len(s) >= 4 && s[:4] == `\??\` { // \??\C:\foo\bar
+			if len(s) < 48 || s[:11] != `\??\Volume{` {
+				s = s[4:]
+			}
+		} else {
+			// unexpected; do nothing
+		}
+	default:
+		// the path is not a symlink or junction but another type of reparse
+		// point
+		return -1, syscall.ENOENT
+	}
+	n = copy(buf, []byte(s))
+
+	return n, nil
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/asm.s b/engine/vendor/github.com/containerd/continuity/sysx/asm.s
new file mode 100644
index 00000000..8ed2fdb9
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/asm.s
@@ -0,0 +1,10 @@
+// Copyright 2014 The Go Authors.  All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !gccgo
+
+#include "textflag.h"
+
+TEXT ·use(SB),NOSPLIT,$0
+	RET
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin.go b/engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin.go
new file mode 100644
index 00000000..e3ae2b7b
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin.go
@@ -0,0 +1,18 @@
+package sysx
+
+const (
+	// AtSymlinkNoFollow defined from AT_SYMLINK_NOFOLLOW in <sys/fcntl.h>
+	AtSymlinkNofollow = 0x20
+)
+
+const (
+
+	// SYS_FCHMODAT defined from golang.org/sys/unix
+	SYS_FCHMODAT = 467
+)
+
+// These functions will be generated by generate.sh
+//    $ GOOS=darwin GOARCH=386 ./generate.sh chmod
+//    $ GOOS=darwin GOARCH=amd64 ./generate.sh chmod
+
+//sys  Fchmodat(dirfd int, path string, mode uint32, flags int) (err error)
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin_386.go b/engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin_386.go
new file mode 100644
index 00000000..5a8cf5b5
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin_386.go
@@ -0,0 +1,25 @@
+// mksyscall.pl -l32 chmod_darwin.go
+// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func Fchmodat(dirfd int, path string, mode uint32, flags int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall.Syscall6(SYS_FCHMODAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(flags), 0, 0)
+	use(unsafe.Pointer(_p0))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin_amd64.go b/engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin_amd64.go
new file mode 100644
index 00000000..3287d1d5
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/chmod_darwin_amd64.go
@@ -0,0 +1,25 @@
+// mksyscall.pl chmod_darwin.go
+// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func Fchmodat(dirfd int, path string, mode uint32, flags int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall.Syscall6(SYS_FCHMODAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(flags), 0, 0)
+	use(unsafe.Pointer(_p0))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/chmod_freebsd.go b/engine/vendor/github.com/containerd/continuity/sysx/chmod_freebsd.go
new file mode 100644
index 00000000..b64a708b
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/chmod_freebsd.go
@@ -0,0 +1,17 @@
+package sysx
+
+const (
+	// AtSymlinkNoFollow defined from AT_SYMLINK_NOFOLLOW in <sys/fcntl.h>
+	AtSymlinkNofollow = 0x200
+)
+
+const (
+
+	// SYS_FCHMODAT defined from golang.org/sys/unix
+	SYS_FCHMODAT = 490
+)
+
+// These functions will be generated by generate.sh
+//    $ GOOS=freebsd GOARCH=amd64 ./generate.sh chmod
+
+//sys  Fchmodat(dirfd int, path string, mode uint32, flags int) (err error)
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/chmod_freebsd_amd64.go b/engine/vendor/github.com/containerd/continuity/sysx/chmod_freebsd_amd64.go
new file mode 100644
index 00000000..5a271abb
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/chmod_freebsd_amd64.go
@@ -0,0 +1,25 @@
+// mksyscall.pl chmod_freebsd.go
+// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func Fchmodat(dirfd int, path string, mode uint32, flags int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall.Syscall6(SYS_FCHMODAT, uintptr(dirfd), uintptr(unsafe.Pointer(_p0)), uintptr(mode), uintptr(flags), 0, 0)
+	use(unsafe.Pointer(_p0))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/chmod_linux.go b/engine/vendor/github.com/containerd/continuity/sysx/chmod_linux.go
new file mode 100644
index 00000000..89df6d38
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/chmod_linux.go
@@ -0,0 +1,12 @@
+package sysx
+
+import "syscall"
+
+const (
+	// AtSymlinkNoFollow defined from AT_SYMLINK_NOFOLLOW in /usr/include/linux/fcntl.h
+	AtSymlinkNofollow = 0x100
+)
+
+func Fchmodat(dirfd int, path string, mode uint32, flags int) error {
+	return syscall.Fchmodat(dirfd, path, mode, flags)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/chmod_solaris.go b/engine/vendor/github.com/containerd/continuity/sysx/chmod_solaris.go
new file mode 100644
index 00000000..3ba6e5ed
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/chmod_solaris.go
@@ -0,0 +1,11 @@
+package sysx
+
+import "golang.org/x/sys/unix"
+
+const (
+	AtSymlinkNofollow = unix.AT_SYMLINK_NOFOLLOW
+)
+
+func Fchmodat(dirfd int, path string, mode uint32, flags int) error {
+	return unix.Fchmodat(dirfd, path, mode, flags)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/file_posix.go b/engine/vendor/github.com/containerd/continuity/sysx/file_posix.go
new file mode 100644
index 00000000..d0784f81
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/file_posix.go
@@ -0,0 +1,112 @@
+package sysx
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/containerd/continuity/syscallx"
+)
+
+// Readlink returns the destination of the named symbolic link.
+// If there is an error, it will be of type *PathError.
+func Readlink(name string) (string, error) {
+	for len := 128; ; len *= 2 {
+		b := make([]byte, len)
+		n, e := fixCount(syscallx.Readlink(fixLongPath(name), b))
+		if e != nil {
+			return "", &os.PathError{Op: "readlink", Path: name, Err: e}
+		}
+		if n < len {
+			return string(b[0:n]), nil
+		}
+	}
+}
+
+// Many functions in package syscall return a count of -1 instead of 0.
+// Using fixCount(call()) instead of call() corrects the count.
+func fixCount(n int, err error) (int, error) {
+	if n < 0 {
+		n = 0
+	}
+	return n, err
+}
+
+// fixLongPath returns the extended-length (\\?\-prefixed) form of
+// path when needed, in order to avoid the default 260 character file
+// path limit imposed by Windows. If path is not easily converted to
+// the extended-length form (for example, if path is a relative path
+// or contains .. elements), or is short enough, fixLongPath returns
+// path unmodified.
+//
+// See https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx#maxpath
+func fixLongPath(path string) string {
+	// Do nothing (and don't allocate) if the path is "short".
+	// Empirically (at least on the Windows Server 2013 builder),
+	// the kernel is arbitrarily okay with < 248 bytes. That
+	// matches what the docs above say:
+	// "When using an API to create a directory, the specified
+	// path cannot be so long that you cannot append an 8.3 file
+	// name (that is, the directory name cannot exceed MAX_PATH
+	// minus 12)." Since MAX_PATH is 260, 260 - 12 = 248.
+	//
+	// The MSDN docs appear to say that a normal path that is 248 bytes long
+	// will work; empirically the path must be less then 248 bytes long.
+	if len(path) < 248 {
+		// Don't fix. (This is how Go 1.7 and earlier worked,
+		// not automatically generating the \\?\ form)
+		return path
+	}
+
+	// The extended form begins with \\?\, as in
+	// \\?\c:\windows\foo.txt or \\?\UNC\server\share\foo.txt.
+	// The extended form disables evaluation of . and .. path
+	// elements and disables the interpretation of / as equivalent
+	// to \. The conversion here rewrites / to \ and elides
+	// . elements as well as trailing or duplicate separators. For
+	// simplicity it avoids the conversion entirely for relative
+	// paths or paths containing .. elements. For now,
+	// \\server\share paths are not converted to
+	// \\?\UNC\server\share paths because the rules for doing so
+	// are less well-specified.
+	if len(path) >= 2 && path[:2] == `\\` {
+		// Don't canonicalize UNC paths.
+		return path
+	}
+	if !filepath.IsAbs(path) {
+		// Relative path
+		return path
+	}
+
+	const prefix = `\\?`
+
+	pathbuf := make([]byte, len(prefix)+len(path)+len(`\`))
+	copy(pathbuf, prefix)
+	n := len(path)
+	r, w := 0, len(prefix)
+	for r < n {
+		switch {
+		case os.IsPathSeparator(path[r]):
+			// empty block
+			r++
+		case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])):
+			// /./
+			r++
+		case r+1 < n && path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])):
+			// /../ is currently unhandled
+			return path
+		default:
+			pathbuf[w] = '\\'
+			w++
+			for ; r < n && !os.IsPathSeparator(path[r]); r++ {
+				pathbuf[w] = path[r]
+				w++
+			}
+		}
+	}
+	// A drive's root directory needs a trailing \
+	if w == len(`\\?\c:`) {
+		pathbuf[w] = '\\'
+		w++
+	}
+	return string(pathbuf[:w])
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/nodata_linux.go b/engine/vendor/github.com/containerd/continuity/sysx/nodata_linux.go
new file mode 100644
index 00000000..fc47ddb8
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/nodata_linux.go
@@ -0,0 +1,7 @@
+package sysx
+
+import (
+	"syscall"
+)
+
+const ENODATA = syscall.ENODATA
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/nodata_solaris.go b/engine/vendor/github.com/containerd/continuity/sysx/nodata_solaris.go
new file mode 100644
index 00000000..53cc8e06
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/nodata_solaris.go
@@ -0,0 +1,8 @@
+package sysx
+
+import (
+	"syscall"
+)
+
+// This should actually be a set that contains ENOENT and EPERM
+const ENODATA = syscall.ENOENT
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/nodata_unix.go b/engine/vendor/github.com/containerd/continuity/sysx/nodata_unix.go
new file mode 100644
index 00000000..7e685120
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/nodata_unix.go
@@ -0,0 +1,9 @@
+// +build darwin freebsd
+
+package sysx
+
+import (
+	"syscall"
+)
+
+const ENODATA = syscall.ENOATTR
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/sys.go b/engine/vendor/github.com/containerd/continuity/sysx/sys.go
new file mode 100644
index 00000000..0bb16762
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/sys.go
@@ -0,0 +1,37 @@
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+var _zero uintptr
+
+// use is a no-op, but the compiler cannot see that it is.
+// Calling use(p) ensures that p is kept live until that point.
+//go:noescape
+func use(p unsafe.Pointer)
+
+// Do the interface allocations only once for common
+// Errno values.
+var (
+	errEAGAIN error = syscall.EAGAIN
+	errEINVAL error = syscall.EINVAL
+	errENOENT error = syscall.ENOENT
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return nil
+	case syscall.EAGAIN:
+		return errEAGAIN
+	case syscall.EINVAL:
+		return errEINVAL
+	case syscall.ENOENT:
+		return errENOENT
+	}
+	return e
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/xattr.go b/engine/vendor/github.com/containerd/continuity/sysx/xattr.go
new file mode 100644
index 00000000..20937c2d
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/xattr.go
@@ -0,0 +1,67 @@
+package sysx
+
+import (
+	"bytes"
+	"fmt"
+	"syscall"
+)
+
+const defaultXattrBufferSize = 5
+
+var ErrNotSupported = fmt.Errorf("not supported")
+
+type listxattrFunc func(path string, dest []byte) (int, error)
+
+func listxattrAll(path string, listFunc listxattrFunc) ([]string, error) {
+	var p []byte // nil on first execution
+
+	for {
+		n, err := listFunc(path, p) // first call gets buffer size.
+		if err != nil {
+			return nil, err
+		}
+
+		if n > len(p) {
+			p = make([]byte, n)
+			continue
+		}
+
+		p = p[:n]
+
+		ps := bytes.Split(bytes.TrimSuffix(p, []byte{0}), []byte{0})
+		var entries []string
+		for _, p := range ps {
+			s := string(p)
+			if s != "" {
+				entries = append(entries, s)
+			}
+		}
+
+		return entries, nil
+	}
+}
+
+type getxattrFunc func(string, string, []byte) (int, error)
+
+func getxattrAll(path, attr string, getFunc getxattrFunc) ([]byte, error) {
+	p := make([]byte, defaultXattrBufferSize)
+	for {
+		n, err := getFunc(path, attr, p)
+		if err != nil {
+			if errno, ok := err.(syscall.Errno); ok && errno == syscall.ERANGE {
+				p = make([]byte, len(p)*2) // this can't be ideal.
+				continue                   // try again!
+			}
+
+			return nil, err
+		}
+
+		// realloc to correct size and repeat
+		if n > len(p) {
+			p = make([]byte, n)
+			continue
+		}
+
+		return p[:n], nil
+	}
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin.go b/engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin.go
new file mode 100644
index 00000000..1164a7d1
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin.go
@@ -0,0 +1,71 @@
+package sysx
+
+// These functions will be generated by generate.sh
+//    $ GOOS=darwin GOARCH=386 ./generate.sh xattr
+//    $ GOOS=darwin GOARCH=amd64 ./generate.sh xattr
+
+//sys  getxattr(path string, attr string, dest []byte, pos int, options int) (sz int, err error)
+//sys  setxattr(path string, attr string, data []byte, flags int) (err error)
+//sys  removexattr(path string, attr string, options int) (err error)
+//sys  listxattr(path string, dest []byte, options int) (sz int, err error)
+//sys  Fchmodat(dirfd int, path string, mode uint32, flags int) (err error)
+
+const (
+	xattrNoFollow = 0x01
+)
+
+func listxattrFollow(path string, dest []byte) (sz int, err error) {
+	return listxattr(path, dest, 0)
+}
+
+// Listxattr calls syscall getxattr
+func Listxattr(path string) ([]string, error) {
+	return listxattrAll(path, listxattrFollow)
+}
+
+// Removexattr calls syscall getxattr
+func Removexattr(path string, attr string) (err error) {
+	return removexattr(path, attr, 0)
+}
+
+// Setxattr calls syscall setxattr
+func Setxattr(path string, attr string, data []byte, flags int) (err error) {
+	return setxattr(path, attr, data, flags)
+}
+
+func getxattrFollow(path, attr string, dest []byte) (sz int, err error) {
+	return getxattr(path, attr, dest, 0, 0)
+}
+
+// Getxattr calls syscall getxattr
+func Getxattr(path, attr string) ([]byte, error) {
+	return getxattrAll(path, attr, getxattrFollow)
+}
+
+func listxattrNoFollow(path string, dest []byte) (sz int, err error) {
+	return listxattr(path, dest, xattrNoFollow)
+}
+
+// LListxattr calls syscall listxattr with XATTR_NOFOLLOW
+func LListxattr(path string) ([]string, error) {
+	return listxattrAll(path, listxattrNoFollow)
+}
+
+// LRemovexattr calls syscall removexattr with XATTR_NOFOLLOW
+func LRemovexattr(path string, attr string) (err error) {
+	return removexattr(path, attr, xattrNoFollow)
+}
+
+// Setxattr calls syscall setxattr with XATTR_NOFOLLOW
+func LSetxattr(path string, attr string, data []byte, flags int) (err error) {
+	return setxattr(path, attr, data, flags|xattrNoFollow)
+}
+
+func getxattrNoFollow(path, attr string, dest []byte) (sz int, err error) {
+	return getxattr(path, attr, dest, 0, xattrNoFollow)
+}
+
+// LGetxattr calls syscall getxattr with XATTR_NOFOLLOW
+func LGetxattr(path, attr string) ([]byte, error) {
+	return getxattrAll(path, attr, getxattrNoFollow)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin_386.go b/engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin_386.go
new file mode 100644
index 00000000..aa896b57
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin_386.go
@@ -0,0 +1,111 @@
+// mksyscall.pl -l32 xattr_darwin.go
+// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func getxattr(path string, attr string, dest []byte, pos int, options int) (sz int, err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	var _p2 unsafe.Pointer
+	if len(dest) > 0 {
+		_p2 = unsafe.Pointer(&dest[0])
+	} else {
+		_p2 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall.Syscall6(syscall.SYS_GETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(_p2), uintptr(len(dest)), uintptr(pos), uintptr(options))
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	sz = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func setxattr(path string, attr string, data []byte, flags int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	var _p2 unsafe.Pointer
+	if len(data) > 0 {
+		_p2 = unsafe.Pointer(&data[0])
+	} else {
+		_p2 = unsafe.Pointer(&_zero)
+	}
+	_, _, e1 := syscall.Syscall6(syscall.SYS_SETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(_p2), uintptr(len(data)), uintptr(flags), 0)
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func removexattr(path string, attr string, options int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall.Syscall(syscall.SYS_REMOVEXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(options))
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func listxattr(path string, dest []byte, options int) (sz int, err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 unsafe.Pointer
+	if len(dest) > 0 {
+		_p1 = unsafe.Pointer(&dest[0])
+	} else {
+		_p1 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall.Syscall6(syscall.SYS_LISTXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(_p1), uintptr(len(dest)), uintptr(options), 0, 0)
+	use(unsafe.Pointer(_p0))
+	sz = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin_amd64.go b/engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin_amd64.go
new file mode 100644
index 00000000..6ff27e27
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/xattr_darwin_amd64.go
@@ -0,0 +1,111 @@
+// mksyscall.pl xattr_darwin.go
+// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+
+package sysx
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func getxattr(path string, attr string, dest []byte, pos int, options int) (sz int, err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	var _p2 unsafe.Pointer
+	if len(dest) > 0 {
+		_p2 = unsafe.Pointer(&dest[0])
+	} else {
+		_p2 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall.Syscall6(syscall.SYS_GETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(_p2), uintptr(len(dest)), uintptr(pos), uintptr(options))
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	sz = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func setxattr(path string, attr string, data []byte, flags int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	var _p2 unsafe.Pointer
+	if len(data) > 0 {
+		_p2 = unsafe.Pointer(&data[0])
+	} else {
+		_p2 = unsafe.Pointer(&_zero)
+	}
+	_, _, e1 := syscall.Syscall6(syscall.SYS_SETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(_p2), uintptr(len(data)), uintptr(flags), 0)
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func removexattr(path string, attr string, options int) (err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = syscall.BytePtrFromString(attr)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall.Syscall(syscall.SYS_REMOVEXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(options))
+	use(unsafe.Pointer(_p0))
+	use(unsafe.Pointer(_p1))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func listxattr(path string, dest []byte, options int) (sz int, err error) {
+	var _p0 *byte
+	_p0, err = syscall.BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	var _p1 unsafe.Pointer
+	if len(dest) > 0 {
+		_p1 = unsafe.Pointer(&dest[0])
+	} else {
+		_p1 = unsafe.Pointer(&_zero)
+	}
+	r0, _, e1 := syscall.Syscall6(syscall.SYS_LISTXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(_p1), uintptr(len(dest)), uintptr(options), 0, 0)
+	use(unsafe.Pointer(_p0))
+	sz = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/xattr_freebsd.go b/engine/vendor/github.com/containerd/continuity/sysx/xattr_freebsd.go
new file mode 100644
index 00000000..e8017d31
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/xattr_freebsd.go
@@ -0,0 +1,12 @@
+package sysx
+
+import (
+	"errors"
+)
+
+// Initial stub version for FreeBSD. FreeBSD has a different
+// syscall API from Darwin and Linux for extended attributes;
+// it is also not widely used. It is not exposed at all by the
+// Go syscall package, so we need to implement directly eventually.
+
+var unsupported = errors.New("extended attributes unsupported on FreeBSD")
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/xattr_linux.go b/engine/vendor/github.com/containerd/continuity/sysx/xattr_linux.go
new file mode 100644
index 00000000..311b896d
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/xattr_linux.go
@@ -0,0 +1,44 @@
+package sysx
+
+import "golang.org/x/sys/unix"
+
+// Listxattr calls syscall listxattr and reads all content
+// and returns a string array
+func Listxattr(path string) ([]string, error) {
+	return listxattrAll(path, unix.Listxattr)
+}
+
+// Removexattr calls syscall removexattr
+func Removexattr(path string, attr string) (err error) {
+	return unix.Removexattr(path, attr)
+}
+
+// Setxattr calls syscall setxattr
+func Setxattr(path string, attr string, data []byte, flags int) (err error) {
+	return unix.Setxattr(path, attr, data, flags)
+}
+
+// Getxattr calls syscall getxattr
+func Getxattr(path, attr string) ([]byte, error) {
+	return getxattrAll(path, attr, unix.Getxattr)
+}
+
+// LListxattr lists xattrs, not following symlinks
+func LListxattr(path string) ([]string, error) {
+	return listxattrAll(path, unix.Llistxattr)
+}
+
+// LRemovexattr removes an xattr, not following symlinks
+func LRemovexattr(path string, attr string) (err error) {
+	return unix.Lremovexattr(path, attr)
+}
+
+// LSetxattr sets an xattr, not following symlinks
+func LSetxattr(path string, attr string, data []byte, flags int) (err error) {
+	return unix.Lsetxattr(path, attr, data, flags)
+}
+
+// LGetxattr gets an xattr, not following symlinks
+func LGetxattr(path, attr string) ([]byte, error) {
+	return getxattrAll(path, attr, unix.Lgetxattr)
+}
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/xattr_openbsd.go b/engine/vendor/github.com/containerd/continuity/sysx/xattr_openbsd.go
new file mode 100644
index 00000000..72361997
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/xattr_openbsd.go
@@ -0,0 +1,7 @@
+package sysx
+
+import (
+	"errors"
+)
+
+var unsupported = errors.New("extended attributes unsupported on OpenBSD")
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/xattr_solaris.go b/engine/vendor/github.com/containerd/continuity/sysx/xattr_solaris.go
new file mode 100644
index 00000000..fc523fcb
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/xattr_solaris.go
@@ -0,0 +1,12 @@
+package sysx
+
+import (
+	"errors"
+)
+
+// Initial stub version for Solaris. Solaris has a different
+// syscall API from Darwin and Linux for extended attributes;
+// it is also not widely used. It is not exposed at all by the
+// Go syscall package, so we need to implement directly eventually.
+
+var unsupported = errors.New("extended attributes unsupported on Solaris")
diff --git a/engine/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go b/engine/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go
new file mode 100644
index 00000000..c8389bc1
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/sysx/xattr_unsupported.go
@@ -0,0 +1,44 @@
+// +build freebsd openbsd solaris
+
+package sysx
+
+// Listxattr calls syscall listxattr and reads all content
+// and returns a string array
+func Listxattr(path string) ([]string, error) {
+	return []string{}, nil
+}
+
+// Removexattr calls syscall removexattr
+func Removexattr(path string, attr string) (err error) {
+	return unsupported
+}
+
+// Setxattr calls syscall setxattr
+func Setxattr(path string, attr string, data []byte, flags int) (err error) {
+	return unsupported
+}
+
+// Getxattr calls syscall getxattr
+func Getxattr(path, attr string) ([]byte, error) {
+	return []byte{}, unsupported
+}
+
+// LListxattr lists xattrs, not following symlinks
+func LListxattr(path string) ([]string, error) {
+	return []string{}, nil
+}
+
+// LRemovexattr removes an xattr, not following symlinks
+func LRemovexattr(path string, attr string) (err error) {
+	return unsupported
+}
+
+// LSetxattr sets an xattr, not following symlinks
+func LSetxattr(path string, attr string, data []byte, flags int) (err error) {
+	return unsupported
+}
+
+// LGetxattr gets an xattr, not following symlinks
+func LGetxattr(path, attr string) ([]byte, error) {
+	return []byte{}, nil
+}
diff --git a/engine/vendor/github.com/containerd/continuity/vendor.conf b/engine/vendor/github.com/containerd/continuity/vendor.conf
new file mode 100644
index 00000000..7c80deec
--- /dev/null
+++ b/engine/vendor/github.com/containerd/continuity/vendor.conf
@@ -0,0 +1,13 @@
+bazil.org/fuse 371fbbdaa8987b715bdd21d6adc4c9b20155f748
+github.com/dustin/go-humanize bb3d318650d48840a39aa21a027c6630e198e626
+github.com/golang/protobuf 1e59b77b52bf8e4b449a57e6f79f21226d571845
+github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
+github.com/opencontainers/go-digest 279bed98673dd5bef374d3b6e4b09e2af76183bf
+github.com/pkg/errors f15c970de5b76fac0b59abb32d62c17cc7bed265
+github.com/sirupsen/logrus 89742aefa4b206dcf400792f3bd35b542998eb3b
+github.com/spf13/cobra 2da4a54c5ceefcee7ca5dd0eea1e18a3b6366489
+github.com/spf13/pflag 4c012f6dcd9546820e378d0bdda4d8fc772cdfea
+golang.org/x/crypto 9f005a07e0d31d45e6656d241bb5c0f2efd4bc94
+golang.org/x/net a337091b0525af65de94df2eb7e98bd9962dcbe2
+golang.org/x/sync 450f422ab23cf9881c94e2db30cac0eb1b7cf80c
+golang.org/x/sys 665f6529cca930e27b831a0d1dafffbe1c172924
diff --git a/engine/vendor/github.com/containerd/go-runc/LICENSE b/engine/vendor/github.com/containerd/go-runc/LICENSE
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/engine/vendor/github.com/containerd/go-runc/README.md b/engine/vendor/github.com/containerd/go-runc/README.md
new file mode 100644
index 00000000..239601f1
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/README.md
@@ -0,0 +1,14 @@
+# go-runc
+
+[![Build Status](https://travis-ci.org/containerd/go-runc.svg?branch=master)](https://travis-ci.org/containerd/go-runc)
+
+
+This is a package for consuming the [runc](https://github.com/opencontainers/runc) binary in your Go applications.
+It tries to expose all the settings and features of the runc CLI.  If there is something missing then add it, its opensource!
+
+This needs runc @ [a9610f2c0](https://github.com/opencontainers/runc/commit/a9610f2c0237d2636d05a031ec8659a70e75ffeb)
+or greater.
+
+## Docs
+
+Docs can be found at [godoc.org](https://godoc.org/github.com/containerd/go-runc).
diff --git a/engine/vendor/github.com/containerd/go-runc/command_linux.go b/engine/vendor/github.com/containerd/go-runc/command_linux.go
new file mode 100644
index 00000000..d97400d0
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/command_linux.go
@@ -0,0 +1,39 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+import (
+	"context"
+	"os/exec"
+	"syscall"
+)
+
+func (r *Runc) command(context context.Context, args ...string) *exec.Cmd {
+	command := r.Command
+	if command == "" {
+		command = DefaultCommand
+	}
+	cmd := exec.CommandContext(context, command, append(r.args(), args...)...)
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Setpgid: r.Setpgid,
+	}
+	if r.PdeathSignal != 0 {
+		cmd.SysProcAttr.Pdeathsig = r.PdeathSignal
+	}
+
+	return cmd
+}
diff --git a/engine/vendor/github.com/containerd/go-runc/command_other.go b/engine/vendor/github.com/containerd/go-runc/command_other.go
new file mode 100644
index 00000000..5209a14f
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/command_other.go
@@ -0,0 +1,32 @@
+// +build !linux
+
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+import (
+	"context"
+	"os/exec"
+)
+
+func (r *Runc) command(context context.Context, args ...string) *exec.Cmd {
+	command := r.Command
+	if command == "" {
+		command = DefaultCommand
+	}
+	return exec.CommandContext(context, command, append(r.args(), args...)...)
+}
diff --git a/engine/vendor/github.com/containerd/go-runc/console.go b/engine/vendor/github.com/containerd/go-runc/console.go
new file mode 100644
index 00000000..dc7b82ea
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/console.go
@@ -0,0 +1,157 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net"
+	"os"
+	"path/filepath"
+
+	"github.com/containerd/console"
+	"golang.org/x/sys/unix"
+)
+
+// NewConsoleSocket creates a new unix socket at the provided path to accept a
+// pty master created by runc for use by the container
+func NewConsoleSocket(path string) (*Socket, error) {
+	abs, err := filepath.Abs(path)
+	if err != nil {
+		return nil, err
+	}
+	addr, err := net.ResolveUnixAddr("unix", abs)
+	if err != nil {
+		return nil, err
+	}
+	l, err := net.ListenUnix("unix", addr)
+	if err != nil {
+		return nil, err
+	}
+	return &Socket{
+		l: l,
+	}, nil
+}
+
+// NewTempConsoleSocket returns a temp console socket for use with a container
+// On Close(), the socket is deleted
+func NewTempConsoleSocket() (*Socket, error) {
+	dir, err := ioutil.TempDir("", "pty")
+	if err != nil {
+		return nil, err
+	}
+	abs, err := filepath.Abs(filepath.Join(dir, "pty.sock"))
+	if err != nil {
+		return nil, err
+	}
+	addr, err := net.ResolveUnixAddr("unix", abs)
+	if err != nil {
+		return nil, err
+	}
+	l, err := net.ListenUnix("unix", addr)
+	if err != nil {
+		return nil, err
+	}
+	return &Socket{
+		l:     l,
+		rmdir: true,
+	}, nil
+}
+
+// Socket is a unix socket that accepts the pty master created by runc
+type Socket struct {
+	rmdir bool
+	l     *net.UnixListener
+}
+
+// Path returns the path to the unix socket on disk
+func (c *Socket) Path() string {
+	return c.l.Addr().String()
+}
+
+// recvFd waits for a file descriptor to be sent over the given AF_UNIX
+// socket. The file name of the remote file descriptor will be recreated
+// locally (it is sent as non-auxiliary data in the same payload).
+func recvFd(socket *net.UnixConn) (*os.File, error) {
+	const MaxNameLen = 4096
+	var oobSpace = unix.CmsgSpace(4)
+
+	name := make([]byte, MaxNameLen)
+	oob := make([]byte, oobSpace)
+
+	n, oobn, _, _, err := socket.ReadMsgUnix(name, oob)
+	if err != nil {
+		return nil, err
+	}
+
+	if n >= MaxNameLen || oobn != oobSpace {
+		return nil, fmt.Errorf("recvfd: incorrect number of bytes read (n=%d oobn=%d)", n, oobn)
+	}
+
+	// Truncate.
+	name = name[:n]
+	oob = oob[:oobn]
+
+	scms, err := unix.ParseSocketControlMessage(oob)
+	if err != nil {
+		return nil, err
+	}
+	if len(scms) != 1 {
+		return nil, fmt.Errorf("recvfd: number of SCMs is not 1: %d", len(scms))
+	}
+	scm := scms[0]
+
+	fds, err := unix.ParseUnixRights(&scm)
+	if err != nil {
+		return nil, err
+	}
+	if len(fds) != 1 {
+		return nil, fmt.Errorf("recvfd: number of fds is not 1: %d", len(fds))
+	}
+	fd := uintptr(fds[0])
+
+	return os.NewFile(fd, string(name)), nil
+}
+
+// ReceiveMaster blocks until the socket receives the pty master
+func (c *Socket) ReceiveMaster() (console.Console, error) {
+	conn, err := c.l.Accept()
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+	uc, ok := conn.(*net.UnixConn)
+	if !ok {
+		return nil, fmt.Errorf("received connection which was not a unix socket")
+	}
+	f, err := recvFd(uc)
+	if err != nil {
+		return nil, err
+	}
+	return console.ConsoleFromFile(f)
+}
+
+// Close closes the unix socket
+func (c *Socket) Close() error {
+	err := c.l.Close()
+	if c.rmdir {
+		if rerr := os.RemoveAll(filepath.Dir(c.Path())); err == nil {
+			err = rerr
+		}
+	}
+	return err
+}
diff --git a/engine/vendor/github.com/containerd/go-runc/container.go b/engine/vendor/github.com/containerd/go-runc/container.go
new file mode 100644
index 00000000..107381a5
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/container.go
@@ -0,0 +1,30 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+import "time"
+
+// Container hold information for a runc container
+type Container struct {
+	ID          string            `json:"id"`
+	Pid         int               `json:"pid"`
+	Status      string            `json:"status"`
+	Bundle      string            `json:"bundle"`
+	Rootfs      string            `json:"rootfs"`
+	Created     time.Time         `json:"created"`
+	Annotations map[string]string `json:"annotations"`
+}
diff --git a/engine/vendor/github.com/containerd/go-runc/events.go b/engine/vendor/github.com/containerd/go-runc/events.go
new file mode 100644
index 00000000..d610aeb3
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/events.go
@@ -0,0 +1,100 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+type Event struct {
+	// Type are the event type generated by runc
+	// If the type is "error" then check the Err field on the event for
+	// the actual error
+	Type  string `json:"type"`
+	ID    string `json:"id"`
+	Stats *Stats `json:"data,omitempty"`
+	// Err has a read error if we were unable to decode the event from runc
+	Err error `json:"-"`
+}
+
+type Stats struct {
+	Cpu     Cpu                `json:"cpu"`
+	Memory  Memory             `json:"memory"`
+	Pids    Pids               `json:"pids"`
+	Blkio   Blkio              `json:"blkio"`
+	Hugetlb map[string]Hugetlb `json:"hugetlb"`
+}
+
+type Hugetlb struct {
+	Usage   uint64 `json:"usage,omitempty"`
+	Max     uint64 `json:"max,omitempty"`
+	Failcnt uint64 `json:"failcnt"`
+}
+
+type BlkioEntry struct {
+	Major uint64 `json:"major,omitempty"`
+	Minor uint64 `json:"minor,omitempty"`
+	Op    string `json:"op,omitempty"`
+	Value uint64 `json:"value,omitempty"`
+}
+
+type Blkio struct {
+	IoServiceBytesRecursive []BlkioEntry `json:"ioServiceBytesRecursive,omitempty"`
+	IoServicedRecursive     []BlkioEntry `json:"ioServicedRecursive,omitempty"`
+	IoQueuedRecursive       []BlkioEntry `json:"ioQueueRecursive,omitempty"`
+	IoServiceTimeRecursive  []BlkioEntry `json:"ioServiceTimeRecursive,omitempty"`
+	IoWaitTimeRecursive     []BlkioEntry `json:"ioWaitTimeRecursive,omitempty"`
+	IoMergedRecursive       []BlkioEntry `json:"ioMergedRecursive,omitempty"`
+	IoTimeRecursive         []BlkioEntry `json:"ioTimeRecursive,omitempty"`
+	SectorsRecursive        []BlkioEntry `json:"sectorsRecursive,omitempty"`
+}
+
+type Pids struct {
+	Current uint64 `json:"current,omitempty"`
+	Limit   uint64 `json:"limit,omitempty"`
+}
+
+type Throttling struct {
+	Periods          uint64 `json:"periods,omitempty"`
+	ThrottledPeriods uint64 `json:"throttledPeriods,omitempty"`
+	ThrottledTime    uint64 `json:"throttledTime,omitempty"`
+}
+
+type CpuUsage struct {
+	// Units: nanoseconds.
+	Total  uint64   `json:"total,omitempty"`
+	Percpu []uint64 `json:"percpu,omitempty"`
+	Kernel uint64   `json:"kernel"`
+	User   uint64   `json:"user"`
+}
+
+type Cpu struct {
+	Usage      CpuUsage   `json:"usage,omitempty"`
+	Throttling Throttling `json:"throttling,omitempty"`
+}
+
+type MemoryEntry struct {
+	Limit   uint64 `json:"limit"`
+	Usage   uint64 `json:"usage,omitempty"`
+	Max     uint64 `json:"max,omitempty"`
+	Failcnt uint64 `json:"failcnt"`
+}
+
+type Memory struct {
+	Cache     uint64            `json:"cache,omitempty"`
+	Usage     MemoryEntry       `json:"usage,omitempty"`
+	Swap      MemoryEntry       `json:"swap,omitempty"`
+	Kernel    MemoryEntry       `json:"kernel,omitempty"`
+	KernelTCP MemoryEntry       `json:"kernelTCP,omitempty"`
+	Raw       map[string]uint64 `json:"raw,omitempty"`
+}
diff --git a/engine/vendor/github.com/containerd/go-runc/io.go b/engine/vendor/github.com/containerd/go-runc/io.go
new file mode 100644
index 00000000..1b59a7ef
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/io.go
@@ -0,0 +1,229 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+import (
+	"io"
+	"os"
+	"os/exec"
+
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+type IO interface {
+	io.Closer
+	Stdin() io.WriteCloser
+	Stdout() io.ReadCloser
+	Stderr() io.ReadCloser
+	Set(*exec.Cmd)
+}
+
+type StartCloser interface {
+	CloseAfterStart() error
+}
+
+// NewPipeIO creates pipe pairs to be used with runc
+func NewPipeIO(uid, gid int) (i IO, err error) {
+	var pipes []*pipe
+	// cleanup in case of an error
+	defer func() {
+		if err != nil {
+			for _, p := range pipes {
+				p.Close()
+			}
+		}
+	}()
+	stdin, err := newPipe()
+	if err != nil {
+		return nil, err
+	}
+	pipes = append(pipes, stdin)
+	if err = unix.Fchown(int(stdin.r.Fd()), uid, gid); err != nil {
+		return nil, errors.Wrap(err, "failed to chown stdin")
+	}
+
+	stdout, err := newPipe()
+	if err != nil {
+		return nil, err
+	}
+	pipes = append(pipes, stdout)
+	if err = unix.Fchown(int(stdout.w.Fd()), uid, gid); err != nil {
+		return nil, errors.Wrap(err, "failed to chown stdout")
+	}
+
+	stderr, err := newPipe()
+	if err != nil {
+		return nil, err
+	}
+	pipes = append(pipes, stderr)
+	if err = unix.Fchown(int(stderr.w.Fd()), uid, gid); err != nil {
+		return nil, errors.Wrap(err, "failed to chown stderr")
+	}
+
+	return &pipeIO{
+		in:  stdin,
+		out: stdout,
+		err: stderr,
+	}, nil
+}
+
+func newPipe() (*pipe, error) {
+	r, w, err := os.Pipe()
+	if err != nil {
+		return nil, err
+	}
+	return &pipe{
+		r: r,
+		w: w,
+	}, nil
+}
+
+type pipe struct {
+	r *os.File
+	w *os.File
+}
+
+func (p *pipe) Close() error {
+	err := p.r.Close()
+	if werr := p.w.Close(); err == nil {
+		err = werr
+	}
+	return err
+}
+
+type pipeIO struct {
+	in  *pipe
+	out *pipe
+	err *pipe
+}
+
+func (i *pipeIO) Stdin() io.WriteCloser {
+	return i.in.w
+}
+
+func (i *pipeIO) Stdout() io.ReadCloser {
+	return i.out.r
+}
+
+func (i *pipeIO) Stderr() io.ReadCloser {
+	return i.err.r
+}
+
+func (i *pipeIO) Close() error {
+	var err error
+	for _, v := range []*pipe{
+		i.in,
+		i.out,
+		i.err,
+	} {
+		if cerr := v.Close(); err == nil {
+			err = cerr
+		}
+	}
+	return err
+}
+
+func (i *pipeIO) CloseAfterStart() error {
+	for _, f := range []*os.File{
+		i.out.w,
+		i.err.w,
+	} {
+		f.Close()
+	}
+	return nil
+}
+
+// Set sets the io to the exec.Cmd
+func (i *pipeIO) Set(cmd *exec.Cmd) {
+	cmd.Stdin = i.in.r
+	cmd.Stdout = i.out.w
+	cmd.Stderr = i.err.w
+}
+
+func NewSTDIO() (IO, error) {
+	return &stdio{}, nil
+}
+
+type stdio struct {
+}
+
+func (s *stdio) Close() error {
+	return nil
+}
+
+func (s *stdio) Set(cmd *exec.Cmd) {
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+}
+
+func (s *stdio) Stdin() io.WriteCloser {
+	return os.Stdin
+}
+
+func (s *stdio) Stdout() io.ReadCloser {
+	return os.Stdout
+}
+
+func (s *stdio) Stderr() io.ReadCloser {
+	return os.Stderr
+}
+
+// NewNullIO returns IO setup for /dev/null use with runc
+func NewNullIO() (IO, error) {
+	f, err := os.Open(os.DevNull)
+	if err != nil {
+		return nil, err
+	}
+	return &nullIO{
+		devNull: f,
+	}, nil
+}
+
+type nullIO struct {
+	devNull *os.File
+}
+
+func (n *nullIO) Close() error {
+	// this should be closed after start but if not
+	// make sure we close the file but don't return the error
+	n.devNull.Close()
+	return nil
+}
+
+func (n *nullIO) Stdin() io.WriteCloser {
+	return nil
+}
+
+func (n *nullIO) Stdout() io.ReadCloser {
+	return nil
+}
+
+func (n *nullIO) Stderr() io.ReadCloser {
+	return nil
+}
+
+func (n *nullIO) Set(c *exec.Cmd) {
+	// don't set STDIN here
+	c.Stdout = n.devNull
+	c.Stderr = n.devNull
+}
+
+func (n *nullIO) CloseAfterStart() error {
+	return n.devNull.Close()
+}
diff --git a/engine/vendor/github.com/containerd/go-runc/monitor.go b/engine/vendor/github.com/containerd/go-runc/monitor.go
new file mode 100644
index 00000000..ff06a3fc
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/monitor.go
@@ -0,0 +1,76 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+import (
+	"os/exec"
+	"syscall"
+	"time"
+)
+
+var Monitor ProcessMonitor = &defaultMonitor{}
+
+type Exit struct {
+	Timestamp time.Time
+	Pid       int
+	Status    int
+}
+
+// ProcessMonitor is an interface for process monitoring
+//
+// It allows daemons using go-runc to have a SIGCHLD handler
+// to handle exits without introducing races between the handler
+// and go's exec.Cmd
+// These methods should match the methods exposed by exec.Cmd to provide
+// a consistent experience for the caller
+type ProcessMonitor interface {
+	Start(*exec.Cmd) (chan Exit, error)
+	Wait(*exec.Cmd, chan Exit) (int, error)
+}
+
+type defaultMonitor struct {
+}
+
+func (m *defaultMonitor) Start(c *exec.Cmd) (chan Exit, error) {
+	if err := c.Start(); err != nil {
+		return nil, err
+	}
+	ec := make(chan Exit, 1)
+	go func() {
+		var status int
+		if err := c.Wait(); err != nil {
+			status = 255
+			if exitErr, ok := err.(*exec.ExitError); ok {
+				if ws, ok := exitErr.Sys().(syscall.WaitStatus); ok {
+					status = ws.ExitStatus()
+				}
+			}
+		}
+		ec <- Exit{
+			Timestamp: time.Now(),
+			Pid:       c.Process.Pid,
+			Status:    status,
+		}
+		close(ec)
+	}()
+	return ec, nil
+}
+
+func (m *defaultMonitor) Wait(c *exec.Cmd, ec chan Exit) (int, error) {
+	e := <-ec
+	return e.Status, nil
+}
diff --git a/engine/vendor/github.com/containerd/go-runc/runc.go b/engine/vendor/github.com/containerd/go-runc/runc.go
new file mode 100644
index 00000000..e4cf98e8
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/runc.go
@@ -0,0 +1,703 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// Format is the type of log formatting options avaliable
+type Format string
+
+// TopBody represents the structured data of the full ps output
+type TopResults struct {
+	// Processes running in the container, where each is process is an array of values corresponding to the headers
+	Processes [][]string `json:"Processes"`
+
+	// Headers are the names of the columns
+	Headers []string `json:"Headers"`
+}
+
+const (
+	none Format = ""
+	JSON Format = "json"
+	Text Format = "text"
+	// DefaultCommand is the default command for Runc
+	DefaultCommand = "runc"
+)
+
+// Runc is the client to the runc cli
+type Runc struct {
+	//If command is empty, DefaultCommand is used
+	Command       string
+	Root          string
+	Debug         bool
+	Log           string
+	LogFormat     Format
+	PdeathSignal  syscall.Signal
+	Setpgid       bool
+	Criu          string
+	SystemdCgroup bool
+}
+
+// List returns all containers created inside the provided runc root directory
+func (r *Runc) List(context context.Context) ([]*Container, error) {
+	data, err := cmdOutput(r.command(context, "list", "--format=json"), false)
+	if err != nil {
+		return nil, err
+	}
+	var out []*Container
+	if err := json.Unmarshal(data, &out); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// State returns the state for the container provided by id
+func (r *Runc) State(context context.Context, id string) (*Container, error) {
+	data, err := cmdOutput(r.command(context, "state", id), true)
+	if err != nil {
+		return nil, fmt.Errorf("%s: %s", err, data)
+	}
+	var c Container
+	if err := json.Unmarshal(data, &c); err != nil {
+		return nil, err
+	}
+	return &c, nil
+}
+
+type ConsoleSocket interface {
+	Path() string
+}
+
+type CreateOpts struct {
+	IO
+	// PidFile is a path to where a pid file should be created
+	PidFile       string
+	ConsoleSocket ConsoleSocket
+	Detach        bool
+	NoPivot       bool
+	NoNewKeyring  bool
+	ExtraFiles    []*os.File
+}
+
+func (o *CreateOpts) args() (out []string, err error) {
+	if o.PidFile != "" {
+		abs, err := filepath.Abs(o.PidFile)
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, "--pid-file", abs)
+	}
+	if o.ConsoleSocket != nil {
+		out = append(out, "--console-socket", o.ConsoleSocket.Path())
+	}
+	if o.NoPivot {
+		out = append(out, "--no-pivot")
+	}
+	if o.NoNewKeyring {
+		out = append(out, "--no-new-keyring")
+	}
+	if o.Detach {
+		out = append(out, "--detach")
+	}
+	if o.ExtraFiles != nil {
+		out = append(out, "--preserve-fds", strconv.Itoa(len(o.ExtraFiles)))
+	}
+	return out, nil
+}
+
+// Create creates a new container and returns its pid if it was created successfully
+func (r *Runc) Create(context context.Context, id, bundle string, opts *CreateOpts) error {
+	args := []string{"create", "--bundle", bundle}
+	if opts != nil {
+		oargs, err := opts.args()
+		if err != nil {
+			return err
+		}
+		args = append(args, oargs...)
+	}
+	cmd := r.command(context, append(args, id)...)
+	if opts != nil && opts.IO != nil {
+		opts.Set(cmd)
+	}
+	cmd.ExtraFiles = opts.ExtraFiles
+
+	if cmd.Stdout == nil && cmd.Stderr == nil {
+		data, err := cmdOutput(cmd, true)
+		if err != nil {
+			return fmt.Errorf("%s: %s", err, data)
+		}
+		return nil
+	}
+	ec, err := Monitor.Start(cmd)
+	if err != nil {
+		return err
+	}
+	if opts != nil && opts.IO != nil {
+		if c, ok := opts.IO.(StartCloser); ok {
+			if err := c.CloseAfterStart(); err != nil {
+				return err
+			}
+		}
+	}
+	status, err := Monitor.Wait(cmd, ec)
+	if err == nil && status != 0 {
+		err = fmt.Errorf("%s did not terminate sucessfully", cmd.Args[0])
+	}
+	return err
+}
+
+// Start will start an already created container
+func (r *Runc) Start(context context.Context, id string) error {
+	return r.runOrError(r.command(context, "start", id))
+}
+
+type ExecOpts struct {
+	IO
+	PidFile       string
+	ConsoleSocket ConsoleSocket
+	Detach        bool
+}
+
+func (o *ExecOpts) args() (out []string, err error) {
+	if o.ConsoleSocket != nil {
+		out = append(out, "--console-socket", o.ConsoleSocket.Path())
+	}
+	if o.Detach {
+		out = append(out, "--detach")
+	}
+	if o.PidFile != "" {
+		abs, err := filepath.Abs(o.PidFile)
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, "--pid-file", abs)
+	}
+	return out, nil
+}
+
+// Exec executres and additional process inside the container based on a full
+// OCI Process specification
+func (r *Runc) Exec(context context.Context, id string, spec specs.Process, opts *ExecOpts) error {
+	f, err := ioutil.TempFile("", "runc-process")
+	if err != nil {
+		return err
+	}
+	defer os.Remove(f.Name())
+	err = json.NewEncoder(f).Encode(spec)
+	f.Close()
+	if err != nil {
+		return err
+	}
+	args := []string{"exec", "--process", f.Name()}
+	if opts != nil {
+		oargs, err := opts.args()
+		if err != nil {
+			return err
+		}
+		args = append(args, oargs...)
+	}
+	cmd := r.command(context, append(args, id)...)
+	if opts != nil && opts.IO != nil {
+		opts.Set(cmd)
+	}
+	if cmd.Stdout == nil && cmd.Stderr == nil {
+		data, err := cmdOutput(cmd, true)
+		if err != nil {
+			return fmt.Errorf("%s: %s", err, data)
+		}
+		return nil
+	}
+	ec, err := Monitor.Start(cmd)
+	if err != nil {
+		return err
+	}
+	if opts != nil && opts.IO != nil {
+		if c, ok := opts.IO.(StartCloser); ok {
+			if err := c.CloseAfterStart(); err != nil {
+				return err
+			}
+		}
+	}
+	status, err := Monitor.Wait(cmd, ec)
+	if err == nil && status != 0 {
+		err = fmt.Errorf("%s did not terminate sucessfully", cmd.Args[0])
+	}
+	return err
+}
+
+// Run runs the create, start, delete lifecycle of the container
+// and returns its exit status after it has exited
+func (r *Runc) Run(context context.Context, id, bundle string, opts *CreateOpts) (int, error) {
+	args := []string{"run", "--bundle", bundle}
+	if opts != nil {
+		oargs, err := opts.args()
+		if err != nil {
+			return -1, err
+		}
+		args = append(args, oargs...)
+	}
+	cmd := r.command(context, append(args, id)...)
+	if opts != nil && opts.IO != nil {
+		opts.Set(cmd)
+	}
+	ec, err := Monitor.Start(cmd)
+	if err != nil {
+		return -1, err
+	}
+	return Monitor.Wait(cmd, ec)
+}
+
+type DeleteOpts struct {
+	Force bool
+}
+
+func (o *DeleteOpts) args() (out []string) {
+	if o.Force {
+		out = append(out, "--force")
+	}
+	return out
+}
+
+// Delete deletes the container
+func (r *Runc) Delete(context context.Context, id string, opts *DeleteOpts) error {
+	args := []string{"delete"}
+	if opts != nil {
+		args = append(args, opts.args()...)
+	}
+	return r.runOrError(r.command(context, append(args, id)...))
+}
+
+// KillOpts specifies options for killing a container and its processes
+type KillOpts struct {
+	All bool
+}
+
+func (o *KillOpts) args() (out []string) {
+	if o.All {
+		out = append(out, "--all")
+	}
+	return out
+}
+
+// Kill sends the specified signal to the container
+func (r *Runc) Kill(context context.Context, id string, sig int, opts *KillOpts) error {
+	args := []string{
+		"kill",
+	}
+	if opts != nil {
+		args = append(args, opts.args()...)
+	}
+	return r.runOrError(r.command(context, append(args, id, strconv.Itoa(sig))...))
+}
+
+// Stats return the stats for a container like cpu, memory, and io
+func (r *Runc) Stats(context context.Context, id string) (*Stats, error) {
+	cmd := r.command(context, "events", "--stats", id)
+	rd, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, err
+	}
+	ec, err := Monitor.Start(cmd)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		rd.Close()
+		Monitor.Wait(cmd, ec)
+	}()
+	var e Event
+	if err := json.NewDecoder(rd).Decode(&e); err != nil {
+		return nil, err
+	}
+	return e.Stats, nil
+}
+
+// Events returns an event stream from runc for a container with stats and OOM notifications
+func (r *Runc) Events(context context.Context, id string, interval time.Duration) (chan *Event, error) {
+	cmd := r.command(context, "events", fmt.Sprintf("--interval=%ds", int(interval.Seconds())), id)
+	rd, err := cmd.StdoutPipe()
+	if err != nil {
+		return nil, err
+	}
+	ec, err := Monitor.Start(cmd)
+	if err != nil {
+		rd.Close()
+		return nil, err
+	}
+	var (
+		dec = json.NewDecoder(rd)
+		c   = make(chan *Event, 128)
+	)
+	go func() {
+		defer func() {
+			close(c)
+			rd.Close()
+			Monitor.Wait(cmd, ec)
+		}()
+		for {
+			var e Event
+			if err := dec.Decode(&e); err != nil {
+				if err == io.EOF {
+					return
+				}
+				e = Event{
+					Type: "error",
+					Err:  err,
+				}
+			}
+			c <- &e
+		}
+	}()
+	return c, nil
+}
+
+// Pause the container with the provided id
+func (r *Runc) Pause(context context.Context, id string) error {
+	return r.runOrError(r.command(context, "pause", id))
+}
+
+// Resume the container with the provided id
+func (r *Runc) Resume(context context.Context, id string) error {
+	return r.runOrError(r.command(context, "resume", id))
+}
+
+// Ps lists all the processes inside the container returning their pids
+func (r *Runc) Ps(context context.Context, id string) ([]int, error) {
+	data, err := cmdOutput(r.command(context, "ps", "--format", "json", id), true)
+	if err != nil {
+		return nil, fmt.Errorf("%s: %s", err, data)
+	}
+	var pids []int
+	if err := json.Unmarshal(data, &pids); err != nil {
+		return nil, err
+	}
+	return pids, nil
+}
+
+// Top lists all the processes inside the container returning the full ps data
+func (r *Runc) Top(context context.Context, id string, psOptions string) (*TopResults, error) {
+	data, err := cmdOutput(r.command(context, "ps", "--format", "table", id, psOptions), true)
+	if err != nil {
+		return nil, fmt.Errorf("%s: %s", err, data)
+	}
+
+	topResults, err := parsePSOutput(data)
+	if err != nil {
+		return nil, fmt.Errorf("%s: ", err)
+	}
+	return topResults, nil
+}
+
+type CheckpointOpts struct {
+	// ImagePath is the path for saving the criu image file
+	ImagePath string
+	// WorkDir is the working directory for criu
+	WorkDir string
+	// ParentPath is the path for previous image files from a pre-dump
+	ParentPath string
+	// AllowOpenTCP allows open tcp connections to be checkpointed
+	AllowOpenTCP bool
+	// AllowExternalUnixSockets allows external unix sockets to be checkpointed
+	AllowExternalUnixSockets bool
+	// AllowTerminal allows the terminal(pty) to be checkpointed with a container
+	AllowTerminal bool
+	// CriuPageServer is the address:port for the criu page server
+	CriuPageServer string
+	// FileLocks handle file locks held by the container
+	FileLocks bool
+	// Cgroups is the cgroup mode for how to handle the checkpoint of a container's cgroups
+	Cgroups CgroupMode
+	// EmptyNamespaces creates a namespace for the container but does not save its properties
+	// Provide the namespaces you wish to be checkpointed without their settings on restore
+	EmptyNamespaces []string
+}
+
+type CgroupMode string
+
+const (
+	Soft   CgroupMode = "soft"
+	Full   CgroupMode = "full"
+	Strict CgroupMode = "strict"
+)
+
+func (o *CheckpointOpts) args() (out []string) {
+	if o.ImagePath != "" {
+		out = append(out, "--image-path", o.ImagePath)
+	}
+	if o.WorkDir != "" {
+		out = append(out, "--work-path", o.WorkDir)
+	}
+	if o.ParentPath != "" {
+		out = append(out, "--parent-path", o.ParentPath)
+	}
+	if o.AllowOpenTCP {
+		out = append(out, "--tcp-established")
+	}
+	if o.AllowExternalUnixSockets {
+		out = append(out, "--ext-unix-sk")
+	}
+	if o.AllowTerminal {
+		out = append(out, "--shell-job")
+	}
+	if o.CriuPageServer != "" {
+		out = append(out, "--page-server", o.CriuPageServer)
+	}
+	if o.FileLocks {
+		out = append(out, "--file-locks")
+	}
+	if string(o.Cgroups) != "" {
+		out = append(out, "--manage-cgroups-mode", string(o.Cgroups))
+	}
+	for _, ns := range o.EmptyNamespaces {
+		out = append(out, "--empty-ns", ns)
+	}
+	return out
+}
+
+type CheckpointAction func([]string) []string
+
+// LeaveRunning keeps the container running after the checkpoint has been completed
+func LeaveRunning(args []string) []string {
+	return append(args, "--leave-running")
+}
+
+// PreDump allows a pre-dump of the checkpoint to be made and completed later
+func PreDump(args []string) []string {
+	return append(args, "--pre-dump")
+}
+
+// Checkpoint allows you to checkpoint a container using criu
+func (r *Runc) Checkpoint(context context.Context, id string, opts *CheckpointOpts, actions ...CheckpointAction) error {
+	args := []string{"checkpoint"}
+	if opts != nil {
+		args = append(args, opts.args()...)
+	}
+	for _, a := range actions {
+		args = a(args)
+	}
+	return r.runOrError(r.command(context, append(args, id)...))
+}
+
+type RestoreOpts struct {
+	CheckpointOpts
+	IO
+
+	Detach        bool
+	PidFile       string
+	NoSubreaper   bool
+	NoPivot       bool
+	ConsoleSocket ConsoleSocket
+}
+
+func (o *RestoreOpts) args() ([]string, error) {
+	out := o.CheckpointOpts.args()
+	if o.Detach {
+		out = append(out, "--detach")
+	}
+	if o.PidFile != "" {
+		abs, err := filepath.Abs(o.PidFile)
+		if err != nil {
+			return nil, err
+		}
+		out = append(out, "--pid-file", abs)
+	}
+	if o.ConsoleSocket != nil {
+		out = append(out, "--console-socket", o.ConsoleSocket.Path())
+	}
+	if o.NoPivot {
+		out = append(out, "--no-pivot")
+	}
+	if o.NoSubreaper {
+		out = append(out, "-no-subreaper")
+	}
+	return out, nil
+}
+
+// Restore restores a container with the provide id from an existing checkpoint
+func (r *Runc) Restore(context context.Context, id, bundle string, opts *RestoreOpts) (int, error) {
+	args := []string{"restore"}
+	if opts != nil {
+		oargs, err := opts.args()
+		if err != nil {
+			return -1, err
+		}
+		args = append(args, oargs...)
+	}
+	args = append(args, "--bundle", bundle)
+	cmd := r.command(context, append(args, id)...)
+	if opts != nil && opts.IO != nil {
+		opts.Set(cmd)
+	}
+	ec, err := Monitor.Start(cmd)
+	if err != nil {
+		return -1, err
+	}
+	if opts != nil && opts.IO != nil {
+		if c, ok := opts.IO.(StartCloser); ok {
+			if err := c.CloseAfterStart(); err != nil {
+				return -1, err
+			}
+		}
+	}
+	return Monitor.Wait(cmd, ec)
+}
+
+// Update updates the current container with the provided resource spec
+func (r *Runc) Update(context context.Context, id string, resources *specs.LinuxResources) error {
+	buf := getBuf()
+	defer putBuf(buf)
+
+	if err := json.NewEncoder(buf).Encode(resources); err != nil {
+		return err
+	}
+	args := []string{"update", "--resources", "-", id}
+	cmd := r.command(context, args...)
+	cmd.Stdin = buf
+	return r.runOrError(cmd)
+}
+
+var ErrParseRuncVersion = errors.New("unable to parse runc version")
+
+type Version struct {
+	Runc   string
+	Commit string
+	Spec   string
+}
+
+// Version returns the runc and runtime-spec versions
+func (r *Runc) Version(context context.Context) (Version, error) {
+	data, err := cmdOutput(r.command(context, "--version"), false)
+	if err != nil {
+		return Version{}, err
+	}
+	return parseVersion(data)
+}
+
+func parseVersion(data []byte) (Version, error) {
+	var v Version
+	parts := strings.Split(strings.TrimSpace(string(data)), "\n")
+	if len(parts) != 3 {
+		return v, ErrParseRuncVersion
+	}
+
+	for i, p := range []struct {
+		dest  *string
+		split string
+	}{
+		{
+			dest:  &v.Runc,
+			split: "version ",
+		},
+		{
+			dest:  &v.Commit,
+			split: ": ",
+		},
+		{
+			dest:  &v.Spec,
+			split: ": ",
+		},
+	} {
+		p2 := strings.Split(parts[i], p.split)
+		if len(p2) != 2 {
+			return v, fmt.Errorf("unable to parse version line %q", parts[i])
+		}
+		*p.dest = p2[1]
+	}
+	return v, nil
+}
+
+func (r *Runc) args() (out []string) {
+	if r.Root != "" {
+		out = append(out, "--root", r.Root)
+	}
+	if r.Debug {
+		out = append(out, "--debug")
+	}
+	if r.Log != "" {
+		out = append(out, "--log", r.Log)
+	}
+	if r.LogFormat != none {
+		out = append(out, "--log-format", string(r.LogFormat))
+	}
+	if r.Criu != "" {
+		out = append(out, "--criu", r.Criu)
+	}
+	if r.SystemdCgroup {
+		out = append(out, "--systemd-cgroup")
+	}
+	return out
+}
+
+// runOrError will run the provided command.  If an error is
+// encountered and neither Stdout or Stderr was set the error and the
+// stderr of the command will be returned in the format of <error>:
+// <stderr>
+func (r *Runc) runOrError(cmd *exec.Cmd) error {
+	if cmd.Stdout != nil || cmd.Stderr != nil {
+		ec, err := Monitor.Start(cmd)
+		if err != nil {
+			return err
+		}
+		status, err := Monitor.Wait(cmd, ec)
+		if err == nil && status != 0 {
+			err = fmt.Errorf("%s did not terminate sucessfully", cmd.Args[0])
+		}
+		return err
+	}
+	data, err := cmdOutput(cmd, true)
+	if err != nil {
+		return fmt.Errorf("%s: %s", err, data)
+	}
+	return nil
+}
+
+func cmdOutput(cmd *exec.Cmd, combined bool) ([]byte, error) {
+	b := getBuf()
+	defer putBuf(b)
+
+	cmd.Stdout = b
+	if combined {
+		cmd.Stderr = b
+	}
+	ec, err := Monitor.Start(cmd)
+	if err != nil {
+		return nil, err
+	}
+
+	status, err := Monitor.Wait(cmd, ec)
+	if err == nil && status != 0 {
+		err = fmt.Errorf("%s did not terminate sucessfully", cmd.Args[0])
+	}
+
+	return b.Bytes(), err
+}
diff --git a/engine/vendor/github.com/containerd/go-runc/utils.go b/engine/vendor/github.com/containerd/go-runc/utils.go
new file mode 100644
index 00000000..cc0af3fe
--- /dev/null
+++ b/engine/vendor/github.com/containerd/go-runc/utils.go
@@ -0,0 +1,107 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package runc
+
+import (
+	"bytes"
+	"io/ioutil"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+)
+
+// ReadPidFile reads the pid file at the provided path and returns
+// the pid or an error if the read and conversion is unsuccessful
+func ReadPidFile(path string) (int, error) {
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		return -1, err
+	}
+	return strconv.Atoi(string(data))
+}
+
+const exitSignalOffset = 128
+
+// exitStatus returns the correct exit status for a process based on if it
+// was signaled or exited cleanly
+func exitStatus(status syscall.WaitStatus) int {
+	if status.Signaled() {
+		return exitSignalOffset + int(status.Signal())
+	}
+	return status.ExitStatus()
+}
+
+var bytesBufferPool = sync.Pool{
+	New: func() interface{} {
+		return bytes.NewBuffer(nil)
+	},
+}
+
+func getBuf() *bytes.Buffer {
+	return bytesBufferPool.Get().(*bytes.Buffer)
+}
+
+func putBuf(b *bytes.Buffer) {
+	b.Reset()
+	bytesBufferPool.Put(b)
+}
+
+// fieldsASCII is similar to strings.Fields but only allows ASCII whitespaces
+func fieldsASCII(s string) []string {
+	fn := func(r rune) bool {
+		switch r {
+		case '\t', '\n', '\f', '\r', ' ':
+			return true
+		}
+		return false
+	}
+	return strings.FieldsFunc(s, fn)
+}
+
+// parsePSOutput parses the runtime's ps raw output and returns a TopResults
+func parsePSOutput(output []byte) (*TopResults, error) {
+	topResults := &TopResults{}
+
+	lines := strings.Split(string(output), "\n")
+	topResults.Headers = fieldsASCII(lines[0])
+
+	pidIndex := -1
+	for i, name := range topResults.Headers {
+		if name == "PID" {
+			pidIndex = i
+		}
+	}
+
+	for _, line := range lines[1:] {
+		if len(line) == 0 {
+			continue
+		}
+
+		fields := fieldsASCII(line)
+
+		if fields[pidIndex] == "-" {
+			continue
+		}
+
+		process := fields[:len(topResults.Headers)-1]
+		process = append(process, strings.Join(fields[len(topResults.Headers)-1:], " "))
+		topResults.Processes = append(topResults.Processes, process)
+
+	}
+	return topResults, nil
+}
diff --git a/engine/vendor/github.com/containerd/ttrpc/LICENSE b/engine/vendor/github.com/containerd/ttrpc/LICENSE
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/engine/vendor/github.com/containerd/ttrpc/README.md b/engine/vendor/github.com/containerd/ttrpc/README.md
new file mode 100644
index 00000000..d1eed6b1
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/README.md
@@ -0,0 +1,52 @@
+# ttrpc
+
+[![Build Status](https://travis-ci.org/containerd/ttrpc.svg?branch=master)](https://travis-ci.org/containerd/ttrpc)
+
+GRPC for low-memory environments.
+
+The existing grpc-go project requires a lot of memory overhead for importing
+packages and at runtime. While this is great for many services with low density
+requirements, this can be a problem when running a large number of services on
+a single machine or on a machine with a small amount of memory.
+
+Using the same GRPC definitions, this project reduces the binary size and
+protocol overhead required. We do this by eliding the `net/http`, `net/http2`
+and `grpc` package used by grpc replacing it with a lightweight framing
+protocol. The result are smaller binaries that use less resident memory with
+the same ease of use as GRPC.
+
+Please note that while this project supports generating either end of the
+protocol, the generated service definitions will be incompatible with regular
+GRPC services, as they do not speak the same protocol.
+
+# Usage
+
+Create a gogo vanity binary (see
+[`cmd/protoc-gen-gogottrpc/main.go`](cmd/protoc-gen-gogottrpc/main.go) for an
+example with the ttrpc plugin enabled.
+
+It's recommended to use [`protobuild`](https://github.com//stevvooe/protobuild)
+to build the protobufs for this project, but this will work with protoc
+directly, if required.
+
+# Differences from GRPC
+
+- The protocol stack has been replaced with a lighter protocol that doesn't
+  require http, http2 and tls.
+- The client and server interface are identical whereas in GRPC there is a
+  client and server interface that are different.
+- The Go stdlib context package is used instead.
+- No support for streams yet.
+
+# Status
+
+Very new. YMMV.
+
+TODO:
+
+- [X] Plumb error codes and GRPC status
+- [X] Remove use of any type and dependency on typeurl package
+- [X] Ensure that protocol can support streaming in the future
+- [ ] Document protocol layout
+- [ ] Add testing under concurrent load to ensure
+- [ ] Verify connection error handling
diff --git a/engine/vendor/github.com/containerd/ttrpc/channel.go b/engine/vendor/github.com/containerd/ttrpc/channel.go
new file mode 100644
index 00000000..22f5496b
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/channel.go
@@ -0,0 +1,154 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package ttrpc
+
+import (
+	"bufio"
+	"context"
+	"encoding/binary"
+	"io"
+	"net"
+	"sync"
+
+	"github.com/pkg/errors"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+const (
+	messageHeaderLength = 10
+	messageLengthMax    = 4 << 20
+)
+
+type messageType uint8
+
+const (
+	messageTypeRequest  messageType = 0x1
+	messageTypeResponse messageType = 0x2
+)
+
+// messageHeader represents the fixed-length message header of 10 bytes sent
+// with every request.
+type messageHeader struct {
+	Length   uint32      // length excluding this header. b[:4]
+	StreamID uint32      // identifies which request stream message is a part of. b[4:8]
+	Type     messageType // message type b[8]
+	Flags    uint8       // reserved          b[9]
+}
+
+func readMessageHeader(p []byte, r io.Reader) (messageHeader, error) {
+	_, err := io.ReadFull(r, p[:messageHeaderLength])
+	if err != nil {
+		return messageHeader{}, err
+	}
+
+	return messageHeader{
+		Length:   binary.BigEndian.Uint32(p[:4]),
+		StreamID: binary.BigEndian.Uint32(p[4:8]),
+		Type:     messageType(p[8]),
+		Flags:    p[9],
+	}, nil
+}
+
+func writeMessageHeader(w io.Writer, p []byte, mh messageHeader) error {
+	binary.BigEndian.PutUint32(p[:4], mh.Length)
+	binary.BigEndian.PutUint32(p[4:8], mh.StreamID)
+	p[8] = byte(mh.Type)
+	p[9] = mh.Flags
+
+	_, err := w.Write(p[:])
+	return err
+}
+
+var buffers sync.Pool
+
+type channel struct {
+	conn  net.Conn
+	bw    *bufio.Writer
+	br    *bufio.Reader
+	hrbuf [messageHeaderLength]byte // avoid alloc when reading header
+	hwbuf [messageHeaderLength]byte
+}
+
+func newChannel(conn net.Conn) *channel {
+	return &channel{
+		conn: conn,
+		bw:   bufio.NewWriter(conn),
+		br:   bufio.NewReader(conn),
+	}
+}
+
+// recv a message from the channel. The returned buffer contains the message.
+//
+// If a valid grpc status is returned, the message header
+// returned will be valid and caller should send that along to
+// the correct consumer. The bytes on the underlying channel
+// will be discarded.
+func (ch *channel) recv(ctx context.Context) (messageHeader, []byte, error) {
+	mh, err := readMessageHeader(ch.hrbuf[:], ch.br)
+	if err != nil {
+		return messageHeader{}, nil, err
+	}
+
+	if mh.Length > uint32(messageLengthMax) {
+		if _, err := ch.br.Discard(int(mh.Length)); err != nil {
+			return mh, nil, errors.Wrapf(err, "failed to discard after receiving oversized message")
+		}
+
+		return mh, nil, status.Errorf(codes.ResourceExhausted, "message length %v exceed maximum message size of %v", mh.Length, messageLengthMax)
+	}
+
+	p := ch.getmbuf(int(mh.Length))
+	if _, err := io.ReadFull(ch.br, p); err != nil {
+		return messageHeader{}, nil, errors.Wrapf(err, "failed reading message")
+	}
+
+	return mh, p, nil
+}
+
+func (ch *channel) send(ctx context.Context, streamID uint32, t messageType, p []byte) error {
+	if err := writeMessageHeader(ch.bw, ch.hwbuf[:], messageHeader{Length: uint32(len(p)), StreamID: streamID, Type: t}); err != nil {
+		return err
+	}
+
+	_, err := ch.bw.Write(p)
+	if err != nil {
+		return err
+	}
+
+	return ch.bw.Flush()
+}
+
+func (ch *channel) getmbuf(size int) []byte {
+	// we can't use the standard New method on pool because we want to allocate
+	// based on size.
+	b, ok := buffers.Get().(*[]byte)
+	if !ok || cap(*b) < size {
+		// TODO(stevvooe): It may be better to allocate these in fixed length
+		// buckets to reduce fragmentation but its not clear that would help
+		// with performance. An ilogb approach or similar would work well.
+		bb := make([]byte, size)
+		b = &bb
+	} else {
+		*b = (*b)[:size]
+	}
+	return *b
+}
+
+func (ch *channel) putmbuf(p []byte) {
+	buffers.Put(&p)
+}
diff --git a/engine/vendor/github.com/containerd/ttrpc/client.go b/engine/vendor/github.com/containerd/ttrpc/client.go
new file mode 100644
index 00000000..ede2e6b7
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/client.go
@@ -0,0 +1,280 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package ttrpc
+
+import (
+	"context"
+	"io"
+	"net"
+	"os"
+	"strings"
+	"sync"
+	"syscall"
+
+	"github.com/gogo/protobuf/proto"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"google.golang.org/grpc/status"
+)
+
+// ErrClosed is returned by client methods when the underlying connection is
+// closed.
+var ErrClosed = errors.New("ttrpc: closed")
+
+type Client struct {
+	codec   codec
+	conn    net.Conn
+	channel *channel
+	calls   chan *callRequest
+
+	closed    chan struct{}
+	closeOnce sync.Once
+	closeFunc func()
+	done      chan struct{}
+	err       error
+}
+
+func NewClient(conn net.Conn) *Client {
+	c := &Client{
+		codec:     codec{},
+		conn:      conn,
+		channel:   newChannel(conn),
+		calls:     make(chan *callRequest),
+		closed:    make(chan struct{}),
+		done:      make(chan struct{}),
+		closeFunc: func() {},
+	}
+
+	go c.run()
+	return c
+}
+
+type callRequest struct {
+	ctx  context.Context
+	req  *Request
+	resp *Response  // response will be written back here
+	errs chan error // error written here on completion
+}
+
+func (c *Client) Call(ctx context.Context, service, method string, req, resp interface{}) error {
+	payload, err := c.codec.Marshal(req)
+	if err != nil {
+		return err
+	}
+
+	var (
+		creq = &Request{
+			Service: service,
+			Method:  method,
+			Payload: payload,
+		}
+
+		cresp = &Response{}
+	)
+
+	if err := c.dispatch(ctx, creq, cresp); err != nil {
+		return err
+	}
+
+	if err := c.codec.Unmarshal(cresp.Payload, resp); err != nil {
+		return err
+	}
+
+	if cresp.Status == nil {
+		return errors.New("no status provided on response")
+	}
+
+	return status.ErrorProto(cresp.Status)
+}
+
+func (c *Client) dispatch(ctx context.Context, req *Request, resp *Response) error {
+	errs := make(chan error, 1)
+	call := &callRequest{
+		req:  req,
+		resp: resp,
+		errs: errs,
+	}
+
+	select {
+	case c.calls <- call:
+	case <-c.done:
+		return c.err
+	}
+
+	select {
+	case err := <-errs:
+		return filterCloseErr(err)
+	case <-c.done:
+		return c.err
+	}
+}
+
+func (c *Client) Close() error {
+	c.closeOnce.Do(func() {
+		close(c.closed)
+	})
+
+	return nil
+}
+
+// OnClose allows a close func to be called when the server is closed
+func (c *Client) OnClose(closer func()) {
+	c.closeFunc = closer
+}
+
+type message struct {
+	messageHeader
+	p   []byte
+	err error
+}
+
+func (c *Client) run() {
+	var (
+		streamID    uint32 = 1
+		waiters            = make(map[uint32]*callRequest)
+		calls              = c.calls
+		incoming           = make(chan *message)
+		shutdown           = make(chan struct{})
+		shutdownErr error
+	)
+
+	go func() {
+		defer close(shutdown)
+
+		// start one more goroutine to recv messages without blocking.
+		for {
+			mh, p, err := c.channel.recv(context.TODO())
+			if err != nil {
+				_, ok := status.FromError(err)
+				if !ok {
+					// treat all errors that are not an rpc status as terminal.
+					// all others poison the connection.
+					shutdownErr = err
+					return
+				}
+			}
+			select {
+			case incoming <- &message{
+				messageHeader: mh,
+				p:             p[:mh.Length],
+				err:           err,
+			}:
+			case <-c.done:
+				return
+			}
+		}
+	}()
+
+	defer c.conn.Close()
+	defer close(c.done)
+	defer c.closeFunc()
+
+	for {
+		select {
+		case call := <-calls:
+			if err := c.send(call.ctx, streamID, messageTypeRequest, call.req); err != nil {
+				call.errs <- err
+				continue
+			}
+
+			waiters[streamID] = call
+			streamID += 2 // enforce odd client initiated request ids
+		case msg := <-incoming:
+			call, ok := waiters[msg.StreamID]
+			if !ok {
+				logrus.Errorf("ttrpc: received message for unknown channel %v", msg.StreamID)
+				continue
+			}
+
+			call.errs <- c.recv(call.resp, msg)
+			delete(waiters, msg.StreamID)
+		case <-shutdown:
+			if shutdownErr != nil {
+				shutdownErr = filterCloseErr(shutdownErr)
+			} else {
+				shutdownErr = ErrClosed
+			}
+
+			shutdownErr = errors.Wrapf(shutdownErr, "ttrpc: client shutting down")
+
+			c.err = shutdownErr
+			for _, waiter := range waiters {
+				waiter.errs <- shutdownErr
+			}
+			c.Close()
+			return
+		case <-c.closed:
+			if c.err == nil {
+				c.err = ErrClosed
+			}
+			// broadcast the shutdown error to the remaining waiters.
+			for _, waiter := range waiters {
+				waiter.errs <- c.err
+			}
+			return
+		}
+	}
+}
+
+func (c *Client) send(ctx context.Context, streamID uint32, mtype messageType, msg interface{}) error {
+	p, err := c.codec.Marshal(msg)
+	if err != nil {
+		return err
+	}
+
+	return c.channel.send(ctx, streamID, mtype, p)
+}
+
+func (c *Client) recv(resp *Response, msg *message) error {
+	if msg.err != nil {
+		return msg.err
+	}
+
+	if msg.Type != messageTypeResponse {
+		return errors.New("unkown message type received")
+	}
+
+	defer c.channel.putmbuf(msg.p)
+	return proto.Unmarshal(msg.p, resp)
+}
+
+// filterCloseErr rewrites EOF and EPIPE errors to ErrClosed. Use when
+// returning from call or handling errors from main read loop.
+//
+// This purposely ignores errors with a wrapped cause.
+func filterCloseErr(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	if err == io.EOF {
+		return ErrClosed
+	}
+
+	if strings.Contains(err.Error(), "use of closed network connection") {
+		return ErrClosed
+	}
+
+	// if we have an epipe on a write, we cast to errclosed
+	if oerr, ok := err.(*net.OpError); ok && oerr.Op == "write" {
+		if serr, ok := oerr.Err.(*os.SyscallError); ok && serr.Err == syscall.EPIPE {
+			return ErrClosed
+		}
+	}
+
+	return err
+}
diff --git a/engine/vendor/github.com/containerd/ttrpc/codec.go b/engine/vendor/github.com/containerd/ttrpc/codec.go
new file mode 100644
index 00000000..b4aac2fa
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/codec.go
@@ -0,0 +1,42 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package ttrpc
+
+import (
+	"github.com/gogo/protobuf/proto"
+	"github.com/pkg/errors"
+)
+
+type codec struct{}
+
+func (c codec) Marshal(msg interface{}) ([]byte, error) {
+	switch v := msg.(type) {
+	case proto.Message:
+		return proto.Marshal(v)
+	default:
+		return nil, errors.Errorf("ttrpc: cannot marshal unknown type: %T", msg)
+	}
+}
+
+func (c codec) Unmarshal(p []byte, msg interface{}) error {
+	switch v := msg.(type) {
+	case proto.Message:
+		return proto.Unmarshal(p, v)
+	default:
+		return errors.Errorf("ttrpc: cannot unmarshal into unknown type: %T", msg)
+	}
+}
diff --git a/engine/vendor/github.com/containerd/ttrpc/config.go b/engine/vendor/github.com/containerd/ttrpc/config.go
new file mode 100644
index 00000000..019b7a09
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/config.go
@@ -0,0 +1,39 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package ttrpc
+
+import "github.com/pkg/errors"
+
+type serverConfig struct {
+	handshaker Handshaker
+}
+
+type ServerOpt func(*serverConfig) error
+
+// WithServerHandshaker can be passed to NewServer to ensure that the
+// handshaker is called before every connection attempt.
+//
+// Only one handshaker is allowed per server.
+func WithServerHandshaker(handshaker Handshaker) ServerOpt {
+	return func(c *serverConfig) error {
+		if c.handshaker != nil {
+			return errors.New("only one handshaker allowed per server")
+		}
+		c.handshaker = handshaker
+		return nil
+	}
+}
diff --git a/engine/vendor/github.com/containerd/ttrpc/handshake.go b/engine/vendor/github.com/containerd/ttrpc/handshake.go
new file mode 100644
index 00000000..a424b67a
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/handshake.go
@@ -0,0 +1,50 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package ttrpc
+
+import (
+	"context"
+	"net"
+)
+
+// Handshaker defines the interface for connection handshakes performed on the
+// server or client when first connecting.
+type Handshaker interface {
+	// Handshake should confirm or decorate a connection that may be incoming
+	// to a server or outgoing from a client.
+	//
+	// If this returns without an error, the caller should use the connection
+	// in place of the original connection.
+	//
+	// The second return value can contain credential specific data, such as
+	// unix socket credentials or TLS information.
+	//
+	// While we currently only have implementations on the server-side, this
+	// interface should be sufficient to implement similar handshakes on the
+	// client-side.
+	Handshake(ctx context.Context, conn net.Conn) (net.Conn, interface{}, error)
+}
+
+type handshakerFunc func(ctx context.Context, conn net.Conn) (net.Conn, interface{}, error)
+
+func (fn handshakerFunc) Handshake(ctx context.Context, conn net.Conn) (net.Conn, interface{}, error) {
+	return fn(ctx, conn)
+}
+
+func noopHandshake(ctx context.Context, conn net.Conn) (net.Conn, interface{}, error) {
+	return conn, nil, nil
+}
diff --git a/engine/vendor/github.com/containerd/ttrpc/server.go b/engine/vendor/github.com/containerd/ttrpc/server.go
new file mode 100644
index 00000000..1a518b1b
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/server.go
@@ -0,0 +1,456 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package ttrpc
+
+import (
+	"context"
+	"io"
+	"math/rand"
+	"net"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+var (
+	ErrServerClosed = errors.New("ttrpc: server closed")
+)
+
+type Server struct {
+	config   *serverConfig
+	services *serviceSet
+	codec    codec
+
+	mu          sync.Mutex
+	listeners   map[net.Listener]struct{}
+	connections map[*serverConn]struct{} // all connections to current state
+	done        chan struct{}            // marks point at which we stop serving requests
+}
+
+func NewServer(opts ...ServerOpt) (*Server, error) {
+	config := &serverConfig{}
+	for _, opt := range opts {
+		if err := opt(config); err != nil {
+			return nil, err
+		}
+	}
+
+	return &Server{
+		config:      config,
+		services:    newServiceSet(),
+		done:        make(chan struct{}),
+		listeners:   make(map[net.Listener]struct{}),
+		connections: make(map[*serverConn]struct{}),
+	}, nil
+}
+
+func (s *Server) Register(name string, methods map[string]Method) {
+	s.services.register(name, methods)
+}
+
+func (s *Server) Serve(ctx context.Context, l net.Listener) error {
+	s.addListener(l)
+	defer s.closeListener(l)
+
+	var (
+		backoff    time.Duration
+		handshaker = s.config.handshaker
+	)
+
+	if handshaker == nil {
+		handshaker = handshakerFunc(noopHandshake)
+	}
+
+	for {
+		conn, err := l.Accept()
+		if err != nil {
+			select {
+			case <-s.done:
+				return ErrServerClosed
+			default:
+			}
+
+			if terr, ok := err.(interface {
+				Temporary() bool
+			}); ok && terr.Temporary() {
+				if backoff == 0 {
+					backoff = time.Millisecond
+				} else {
+					backoff *= 2
+				}
+
+				if max := time.Second; backoff > max {
+					backoff = max
+				}
+
+				sleep := time.Duration(rand.Int63n(int64(backoff)))
+				logrus.WithError(err).Errorf("ttrpc: failed accept; backoff %v", sleep)
+				time.Sleep(sleep)
+				continue
+			}
+
+			return err
+		}
+
+		backoff = 0
+
+		approved, handshake, err := handshaker.Handshake(ctx, conn)
+		if err != nil {
+			logrus.WithError(err).Errorf("ttrpc: refusing connection after handshake")
+			conn.Close()
+			continue
+		}
+
+		sc := s.newConn(approved, handshake)
+		go sc.run(ctx)
+	}
+}
+
+func (s *Server) Shutdown(ctx context.Context) error {
+	s.mu.Lock()
+	lnerr := s.closeListeners()
+	select {
+	case <-s.done:
+	default:
+		// protected by mutex
+		close(s.done)
+	}
+	s.mu.Unlock()
+
+	ticker := time.NewTicker(200 * time.Millisecond)
+	defer ticker.Stop()
+	for {
+		if s.closeIdleConns() {
+			return lnerr
+		}
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		}
+	}
+}
+
+// Close the server without waiting for active connections.
+func (s *Server) Close() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	select {
+	case <-s.done:
+	default:
+		// protected by mutex
+		close(s.done)
+	}
+
+	err := s.closeListeners()
+	for c := range s.connections {
+		c.close()
+		delete(s.connections, c)
+	}
+
+	return err
+}
+
+func (s *Server) addListener(l net.Listener) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.listeners[l] = struct{}{}
+}
+
+func (s *Server) closeListener(l net.Listener) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	return s.closeListenerLocked(l)
+}
+
+func (s *Server) closeListenerLocked(l net.Listener) error {
+	defer delete(s.listeners, l)
+	return l.Close()
+}
+
+func (s *Server) closeListeners() error {
+	var err error
+	for l := range s.listeners {
+		if cerr := s.closeListenerLocked(l); cerr != nil && err == nil {
+			err = cerr
+		}
+	}
+	return err
+}
+
+func (s *Server) addConnection(c *serverConn) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.connections[c] = struct{}{}
+}
+
+func (s *Server) closeIdleConns() bool {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	quiescent := true
+	for c := range s.connections {
+		st, ok := c.getState()
+		if !ok || st != connStateIdle {
+			quiescent = false
+			continue
+		}
+		c.close()
+		delete(s.connections, c)
+	}
+	return quiescent
+}
+
+type connState int
+
+const (
+	connStateActive = iota + 1 // outstanding requests
+	connStateIdle              // no requests
+	connStateClosed            // closed connection
+)
+
+func (cs connState) String() string {
+	switch cs {
+	case connStateActive:
+		return "active"
+	case connStateIdle:
+		return "idle"
+	case connStateClosed:
+		return "closed"
+	default:
+		return "unknown"
+	}
+}
+
+func (s *Server) newConn(conn net.Conn, handshake interface{}) *serverConn {
+	c := &serverConn{
+		server:    s,
+		conn:      conn,
+		handshake: handshake,
+		shutdown:  make(chan struct{}),
+	}
+	c.setState(connStateIdle)
+	s.addConnection(c)
+	return c
+}
+
+type serverConn struct {
+	server    *Server
+	conn      net.Conn
+	handshake interface{} // data from handshake, not used for now
+	state     atomic.Value
+
+	shutdownOnce sync.Once
+	shutdown     chan struct{} // forced shutdown, used by close
+}
+
+func (c *serverConn) getState() (connState, bool) {
+	cs, ok := c.state.Load().(connState)
+	return cs, ok
+}
+
+func (c *serverConn) setState(newstate connState) {
+	c.state.Store(newstate)
+}
+
+func (c *serverConn) close() error {
+	c.shutdownOnce.Do(func() {
+		close(c.shutdown)
+	})
+
+	return nil
+}
+
+func (c *serverConn) run(sctx context.Context) {
+	type (
+		request struct {
+			id  uint32
+			req *Request
+		}
+
+		response struct {
+			id   uint32
+			resp *Response
+		}
+	)
+
+	var (
+		ch          = newChannel(c.conn)
+		ctx, cancel = context.WithCancel(sctx)
+		active      int
+		state       connState = connStateIdle
+		responses             = make(chan response)
+		requests              = make(chan request)
+		recvErr               = make(chan error, 1)
+		shutdown              = c.shutdown
+		done                  = make(chan struct{})
+	)
+
+	defer c.conn.Close()
+	defer cancel()
+	defer close(done)
+
+	go func(recvErr chan error) {
+		defer close(recvErr)
+		sendImmediate := func(id uint32, st *status.Status) bool {
+			select {
+			case responses <- response{
+				// even though we've had an invalid stream id, we send it
+				// back on the same stream id so the client knows which
+				// stream id was bad.
+				id: id,
+				resp: &Response{
+					Status: st.Proto(),
+				},
+			}:
+				return true
+			case <-c.shutdown:
+				return false
+			case <-done:
+				return false
+			}
+		}
+
+		for {
+			select {
+			case <-c.shutdown:
+				return
+			case <-done:
+				return
+			default: // proceed
+			}
+
+			mh, p, err := ch.recv(ctx)
+			if err != nil {
+				status, ok := status.FromError(err)
+				if !ok {
+					recvErr <- err
+					return
+				}
+
+				// in this case, we send an error for that particular message
+				// when the status is defined.
+				if !sendImmediate(mh.StreamID, status) {
+					return
+				}
+
+				continue
+			}
+
+			if mh.Type != messageTypeRequest {
+				// we must ignore this for future compat.
+				continue
+			}
+
+			var req Request
+			if err := c.server.codec.Unmarshal(p, &req); err != nil {
+				ch.putmbuf(p)
+				if !sendImmediate(mh.StreamID, status.Newf(codes.InvalidArgument, "unmarshal request error: %v", err)) {
+					return
+				}
+				continue
+			}
+			ch.putmbuf(p)
+
+			if mh.StreamID%2 != 1 {
+				// enforce odd client initiated identifiers.
+				if !sendImmediate(mh.StreamID, status.Newf(codes.InvalidArgument, "StreamID must be odd for client initiated streams")) {
+					return
+				}
+				continue
+			}
+
+			// Forward the request to the main loop. We don't wait on s.done
+			// because we have already accepted the client request.
+			select {
+			case requests <- request{
+				id:  mh.StreamID,
+				req: &req,
+			}:
+			case <-done:
+				return
+			}
+		}
+	}(recvErr)
+
+	for {
+		newstate := state
+		switch {
+		case active > 0:
+			newstate = connStateActive
+			shutdown = nil
+		case active == 0:
+			newstate = connStateIdle
+			shutdown = c.shutdown // only enable this branch in idle mode
+		}
+
+		if newstate != state {
+			c.setState(newstate)
+			state = newstate
+		}
+
+		select {
+		case request := <-requests:
+			active++
+			go func(id uint32) {
+				p, status := c.server.services.call(ctx, request.req.Service, request.req.Method, request.req.Payload)
+				resp := &Response{
+					Status:  status.Proto(),
+					Payload: p,
+				}
+
+				select {
+				case responses <- response{
+					id:   id,
+					resp: resp,
+				}:
+				case <-done:
+				}
+			}(request.id)
+		case response := <-responses:
+			p, err := c.server.codec.Marshal(response.resp)
+			if err != nil {
+				logrus.WithError(err).Error("failed marshaling response")
+				return
+			}
+
+			if err := ch.send(ctx, response.id, messageTypeResponse, p); err != nil {
+				logrus.WithError(err).Error("failed sending message on channel")
+				return
+			}
+
+			active--
+		case err := <-recvErr:
+			// TODO(stevvooe): Not wildly clear what we should do in this
+			// branch. Basically, it means that we are no longer receiving
+			// requests due to a terminal error.
+			recvErr = nil // connection is now "closing"
+			if err != nil && err != io.EOF {
+				logrus.WithError(err).Error("error receiving message")
+			}
+		case <-shutdown:
+			return
+		}
+	}
+}
diff --git a/engine/vendor/github.com/containerd/ttrpc/services.go b/engine/vendor/github.com/containerd/ttrpc/services.go
new file mode 100644
index 00000000..e9096382
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/services.go
@@ -0,0 +1,150 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package ttrpc
+
+import (
+	"context"
+	"io"
+	"os"
+	"path"
+
+	"github.com/gogo/protobuf/proto"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+type Method func(ctx context.Context, unmarshal func(interface{}) error) (interface{}, error)
+
+type ServiceDesc struct {
+	Methods map[string]Method
+
+	// TODO(stevvooe): Add stream support.
+}
+
+type serviceSet struct {
+	services map[string]ServiceDesc
+}
+
+func newServiceSet() *serviceSet {
+	return &serviceSet{
+		services: make(map[string]ServiceDesc),
+	}
+}
+
+func (s *serviceSet) register(name string, methods map[string]Method) {
+	if _, ok := s.services[name]; ok {
+		panic(errors.Errorf("duplicate service %v registered", name))
+	}
+
+	s.services[name] = ServiceDesc{
+		Methods: methods,
+	}
+}
+
+func (s *serviceSet) call(ctx context.Context, serviceName, methodName string, p []byte) ([]byte, *status.Status) {
+	p, err := s.dispatch(ctx, serviceName, methodName, p)
+	st, ok := status.FromError(err)
+	if !ok {
+		st = status.New(convertCode(err), err.Error())
+	}
+
+	return p, st
+}
+
+func (s *serviceSet) dispatch(ctx context.Context, serviceName, methodName string, p []byte) ([]byte, error) {
+	method, err := s.resolve(serviceName, methodName)
+	if err != nil {
+		return nil, err
+	}
+
+	unmarshal := func(obj interface{}) error {
+		switch v := obj.(type) {
+		case proto.Message:
+			if err := proto.Unmarshal(p, v); err != nil {
+				return status.Errorf(codes.Internal, "ttrpc: error unmarshaling payload: %v", err.Error())
+			}
+		default:
+			return status.Errorf(codes.Internal, "ttrpc: error unsupported request type: %T", v)
+		}
+		return nil
+	}
+
+	resp, err := method(ctx, unmarshal)
+	if err != nil {
+		return nil, err
+	}
+
+	switch v := resp.(type) {
+	case proto.Message:
+		r, err := proto.Marshal(v)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "ttrpc: error marshaling payload: %v", err.Error())
+		}
+
+		return r, nil
+	default:
+		return nil, status.Errorf(codes.Internal, "ttrpc: error unsupported response type: %T", v)
+	}
+}
+
+func (s *serviceSet) resolve(service, method string) (Method, error) {
+	srv, ok := s.services[service]
+	if !ok {
+		return nil, status.Errorf(codes.NotFound, "service %v", service)
+	}
+
+	mthd, ok := srv.Methods[method]
+	if !ok {
+		return nil, status.Errorf(codes.NotFound, "method %v", method)
+	}
+
+	return mthd, nil
+}
+
+// convertCode maps stdlib go errors into grpc space.
+//
+// This is ripped from the grpc-go code base.
+func convertCode(err error) codes.Code {
+	switch err {
+	case nil:
+		return codes.OK
+	case io.EOF:
+		return codes.OutOfRange
+	case io.ErrClosedPipe, io.ErrNoProgress, io.ErrShortBuffer, io.ErrShortWrite, io.ErrUnexpectedEOF:
+		return codes.FailedPrecondition
+	case os.ErrInvalid:
+		return codes.InvalidArgument
+	case context.Canceled:
+		return codes.Canceled
+	case context.DeadlineExceeded:
+		return codes.DeadlineExceeded
+	}
+	switch {
+	case os.IsExist(err):
+		return codes.AlreadyExists
+	case os.IsNotExist(err):
+		return codes.NotFound
+	case os.IsPermission(err):
+		return codes.PermissionDenied
+	}
+	return codes.Unknown
+}
+
+func fullPath(service, method string) string {
+	return "/" + path.Join("/", service, method)
+}
diff --git a/engine/vendor/github.com/containerd/ttrpc/types.go b/engine/vendor/github.com/containerd/ttrpc/types.go
new file mode 100644
index 00000000..1f7969e5
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/types.go
@@ -0,0 +1,42 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package ttrpc
+
+import (
+	"fmt"
+
+	spb "google.golang.org/genproto/googleapis/rpc/status"
+)
+
+type Request struct {
+	Service string `protobuf:"bytes,1,opt,name=service,proto3"`
+	Method  string `protobuf:"bytes,2,opt,name=method,proto3"`
+	Payload []byte `protobuf:"bytes,3,opt,name=payload,proto3"`
+}
+
+func (r *Request) Reset()         { *r = Request{} }
+func (r *Request) String() string { return fmt.Sprintf("%+#v", r) }
+func (r *Request) ProtoMessage()  {}
+
+type Response struct {
+	Status  *spb.Status `protobuf:"bytes,1,opt,name=status,proto3"`
+	Payload []byte      `protobuf:"bytes,2,opt,name=payload,proto3"`
+}
+
+func (r *Response) Reset()         { *r = Response{} }
+func (r *Response) String() string { return fmt.Sprintf("%+#v", r) }
+func (r *Response) ProtoMessage()  {}
diff --git a/engine/vendor/github.com/containerd/ttrpc/unixcreds_linux.go b/engine/vendor/github.com/containerd/ttrpc/unixcreds_linux.go
new file mode 100644
index 00000000..a471bd36
--- /dev/null
+++ b/engine/vendor/github.com/containerd/ttrpc/unixcreds_linux.go
@@ -0,0 +1,108 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package ttrpc
+
+import (
+	"context"
+	"net"
+	"os"
+	"syscall"
+
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+type UnixCredentialsFunc func(*unix.Ucred) error
+
+func (fn UnixCredentialsFunc) Handshake(ctx context.Context, conn net.Conn) (net.Conn, interface{}, error) {
+	uc, err := requireUnixSocket(conn)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "ttrpc.UnixCredentialsFunc: require unix socket")
+	}
+
+	rs, err := uc.SyscallConn()
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "ttrpc.UnixCredentialsFunc: (net.UnixConn).SyscallConn failed")
+	}
+	var (
+		ucred    *unix.Ucred
+		ucredErr error
+	)
+	if err := rs.Control(func(fd uintptr) {
+		ucred, ucredErr = unix.GetsockoptUcred(int(fd), unix.SOL_SOCKET, unix.SO_PEERCRED)
+	}); err != nil {
+		return nil, nil, errors.Wrapf(err, "ttrpc.UnixCredentialsFunc: (*syscall.RawConn).Control failed")
+	}
+
+	if ucredErr != nil {
+		return nil, nil, errors.Wrapf(err, "ttrpc.UnixCredentialsFunc: failed to retrieve socket peer credentials")
+	}
+
+	if err := fn(ucred); err != nil {
+		return nil, nil, errors.Wrapf(err, "ttrpc.UnixCredentialsFunc: credential check failed")
+	}
+
+	return uc, ucred, nil
+}
+
+// UnixSocketRequireUidGid requires specific *effective* UID/GID, rather than the real UID/GID.
+//
+// For example, if a daemon binary is owned by the root (UID 0) with SUID bit but running as an
+// unprivileged user (UID 1001), the effective UID becomes 0, and the real UID becomes 1001.
+// So calling this function with uid=0 allows a connection from effective UID 0 but rejects
+// a connection from effective UID 1001.
+//
+// See socket(7), SO_PEERCRED: "The returned credentials are those that were in effect at the time of the call to connect(2) or socketpair(2)."
+func UnixSocketRequireUidGid(uid, gid int) UnixCredentialsFunc {
+	return func(ucred *unix.Ucred) error {
+		return requireUidGid(ucred, uid, gid)
+	}
+}
+
+func UnixSocketRequireRoot() UnixCredentialsFunc {
+	return UnixSocketRequireUidGid(0, 0)
+}
+
+// UnixSocketRequireSameUser resolves the current effective unix user and returns a
+// UnixCredentialsFunc that will validate incoming unix connections against the
+// current credentials.
+//
+// This is useful when using abstract sockets that are accessible by all users.
+func UnixSocketRequireSameUser() UnixCredentialsFunc {
+	euid, egid := os.Geteuid(), os.Getegid()
+	return UnixSocketRequireUidGid(euid, egid)
+}
+
+func requireRoot(ucred *unix.Ucred) error {
+	return requireUidGid(ucred, 0, 0)
+}
+
+func requireUidGid(ucred *unix.Ucred, uid, gid int) error {
+	if (uid != -1 && uint32(uid) != ucred.Uid) || (gid != -1 && uint32(gid) != ucred.Gid) {
+		return errors.Wrap(syscall.EPERM, "ttrpc: invalid credentials")
+	}
+	return nil
+}
+
+func requireUnixSocket(conn net.Conn) (*net.UnixConn, error) {
+	uc, ok := conn.(*net.UnixConn)
+	if !ok {
+		return nil, errors.New("a unix socket connection is required")
+	}
+
+	return uc, nil
+}
diff --git a/engine/vendor/github.com/fernet/fernet-go/License b/engine/vendor/github.com/fernet/fernet-go/License
new file mode 100644
index 00000000..14214fbe
--- /dev/null
+++ b/engine/vendor/github.com/fernet/fernet-go/License
@@ -0,0 +1,20 @@
+Copyright © 2013 Keith Rarick
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/engine/vendor/github.com/fernet/fernet-go/Readme b/engine/vendor/github.com/fernet/fernet-go/Readme
new file mode 100644
index 00000000..50cc26cf
--- /dev/null
+++ b/engine/vendor/github.com/fernet/fernet-go/Readme
@@ -0,0 +1,22 @@
+Fernet takes a user-provided *message* (an arbitrary sequence of
+bytes), a *key* (256 bits), and the current time, and produces a
+*token*, which contains the message in a form that can't be read
+or altered without the key.
+
+This package is compatible with the other implementations at
+https://github.com/fernet. They can exchange tokens freely among
+each other.
+
+Documentation: http://godoc.org/github.com/fernet/fernet-go
+
+
+INSTALL
+
+	$ go get github.com/fernet/fernet-go
+
+
+For more information and background, see the Fernet spec at
+https://github.com/fernet/spec.
+
+Fernet is distributed under the terms of the MIT license.
+See the License file for details.
diff --git a/engine/vendor/github.com/fernet/fernet-go/fernet.go b/engine/vendor/github.com/fernet/fernet-go/fernet.go
new file mode 100644
index 00000000..8549e69c
--- /dev/null
+++ b/engine/vendor/github.com/fernet/fernet-go/fernet.go
@@ -0,0 +1,168 @@
+// Package fernet takes a user-provided message (an arbitrary
+// sequence of bytes), a key (256 bits), and the current time,
+// and produces a token, which contains the message in a form
+// that can't be read or altered without the key.
+//
+// For more information and background, see the Fernet spec
+// at https://github.com/fernet/spec.
+//
+// Subdirectories in this package provide command-line tools
+// for working with Fernet keys and tokens.
+package fernet
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/subtle"
+	"encoding/base64"
+	"encoding/binary"
+	"io"
+	"time"
+)
+
+const (
+	version      byte = 0x80
+	tsOffset          = 1
+	ivOffset          = tsOffset + 8
+	payOffset         = ivOffset + aes.BlockSize
+	overhead          = 1 + 8 + aes.BlockSize + sha256.Size // ver + ts + iv + hmac
+	maxClockSkew      = 60 * time.Second
+)
+
+var encoding = base64.URLEncoding
+
+// generates a token from msg, writes it into tok, and returns the
+// number of bytes generated, which is encodedLen(msg).
+// len(tok) must be >= encodedLen(len(msg))
+func gen(tok, msg, iv []byte, ts time.Time, k *Key) int {
+	tok[0] = version
+	binary.BigEndian.PutUint64(tok[tsOffset:], uint64(ts.Unix()))
+	copy(tok[ivOffset:], iv)
+	p := tok[payOffset:]
+	n := pad(p, msg, aes.BlockSize)
+	bc, _ := aes.NewCipher(k.cryptBytes())
+	cipher.NewCBCEncrypter(bc, iv).CryptBlocks(p[:n], p[:n])
+	genhmac(p[n:n], tok[:payOffset+n], k.signBytes())
+	return payOffset + n + sha256.Size
+}
+
+// token length for input msg of length n, not including base64
+func encodedLen(n int) int {
+	const k = aes.BlockSize
+	return n/k*k + k + overhead
+}
+
+// max msg length for tok of length n, for binary token (no base64)
+// upper bound; not exact
+func decodedLen(n int) int {
+	return n - overhead
+}
+
+// if msg is nil, decrypts in place and returns a slice of tok.
+func verify(msg, tok []byte, ttl time.Duration, now time.Time, k *Key) []byte {
+	if len(tok) < 1 || tok[0] != version {
+		return nil
+	}
+	ts := time.Unix(int64(binary.BigEndian.Uint64(tok[1:])), 0)
+	if ttl >= 0 && (now.After(ts.Add(ttl)) || ts.After(now.Add(maxClockSkew))) {
+		return nil
+	}
+	n := len(tok) - sha256.Size
+	var hmac [sha256.Size]byte
+	genhmac(hmac[:0], tok[:n], k.signBytes())
+	if subtle.ConstantTimeCompare(tok[n:], hmac[:]) != 1 {
+		return nil
+	}
+	pay := tok[payOffset : len(tok)-sha256.Size]
+	if len(pay)%aes.BlockSize != 0 {
+		return nil
+	}
+	if msg != nil {
+		copy(msg, pay)
+		pay = msg
+	}
+	bc, _ := aes.NewCipher(k.cryptBytes())
+	iv := tok[9:][:aes.BlockSize]
+	cipher.NewCBCDecrypter(bc, iv).CryptBlocks(pay, pay)
+	return unpad(pay)
+}
+
+// Pads p to a multiple of k using PKCS #7 standard block padding.
+// See http://tools.ietf.org/html/rfc5652#section-6.3.
+func pad(q, p []byte, k int) int {
+	n := len(p)/k*k + k
+	copy(q, p)
+	c := byte(n - len(p))
+	for i := len(p); i < n; i++ {
+		q[i] = c
+	}
+	return n
+}
+
+// Removes PKCS #7 standard block padding from p.
+// See http://tools.ietf.org/html/rfc5652#section-6.3.
+// This function is the inverse of pad.
+// If the padding is not well-formed, unpad returns nil.
+func unpad(p []byte) []byte {
+	c := p[len(p)-1]
+	for i := len(p) - int(c); i < len(p); i++ {
+		if i < 0 || p[i] != c {
+			return nil
+		}
+	}
+	return p[:len(p)-int(c)]
+}
+
+func b64enc(src []byte) []byte {
+	dst := make([]byte, encoding.EncodedLen(len(src)))
+	encoding.Encode(dst, src)
+	return dst
+}
+
+func b64dec(src []byte) []byte {
+	dst := make([]byte, encoding.DecodedLen(len(src)))
+	n, err := encoding.Decode(dst, src)
+	if err != nil {
+		return nil
+	}
+	return dst[:n]
+}
+
+func genhmac(q, p, k []byte) {
+	h := hmac.New(sha256.New, k)
+	h.Write(p)
+	h.Sum(q)
+}
+
+// EncryptAndSign encrypts and signs msg with key k and returns the resulting
+// fernet token. If msg contains text, the text should be encoded
+// with UTF-8 to follow fernet convention.
+func EncryptAndSign(msg []byte, k *Key) (tok []byte, err error) {
+	iv := make([]byte, aes.BlockSize)
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+	b := make([]byte, encodedLen(len(msg)))
+	n := gen(b, msg, iv, time.Now(), k)
+	tok = make([]byte, encoding.EncodedLen(n))
+	encoding.Encode(tok, b[:n])
+	return tok, nil
+}
+
+// VerifyAndDecrypt verifies that tok is a valid fernet token that was signed
+// with a key in k at most ttl time ago only if ttl is greater than zero.
+// Returns the message contained in tok if tok is valid, otherwise nil.
+func VerifyAndDecrypt(tok []byte, ttl time.Duration, k []*Key) (msg []byte) {
+	b := make([]byte, encoding.DecodedLen(len(tok)))
+	n, _ := encoding.Decode(b, tok)
+	for _, k1 := range k {
+		msg = verify(nil, b[:n], ttl, time.Now(), k1)
+		if msg != nil {
+			return msg
+		}
+	}
+	return nil
+}
diff --git a/engine/vendor/github.com/fernet/fernet-go/key.go b/engine/vendor/github.com/fernet/fernet-go/key.go
new file mode 100644
index 00000000..595217ed
--- /dev/null
+++ b/engine/vendor/github.com/fernet/fernet-go/key.go
@@ -0,0 +1,91 @@
+package fernet
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"io"
+)
+
+var (
+	errKeyLen = errors.New("fernet: key decodes to wrong size")
+	errNoKeys = errors.New("fernet: no keys provided")
+)
+
+// Key represents a key.
+type Key [32]byte
+
+func (k *Key) cryptBytes() []byte {
+	return k[len(k)/2:]
+}
+
+func (k *Key) signBytes() []byte {
+	return k[:len(k)/2]
+}
+
+// Generate initializes k with pseudorandom data from package crypto/rand.
+func (k *Key) Generate() error {
+	_, err := io.ReadFull(rand.Reader, k[:])
+	return err
+}
+
+// Encode returns the URL-safe base64 encoding of k.
+func (k *Key) Encode() string {
+	return encoding.EncodeToString(k[:])
+}
+
+// DecodeKey decodes a key from s and returns it. The key can be in
+// hexadecimal, standard base64, or URL-safe base64.
+func DecodeKey(s string) (*Key, error) {
+	var b []byte
+	var err error
+	if s == "" {
+		return nil, errors.New("empty key")
+	}
+	if len(s) == hex.EncodedLen(len(Key{})) {
+		b, err = hex.DecodeString(s)
+	} else {
+		b, err = base64.StdEncoding.DecodeString(s)
+		if err != nil {
+			b, err = base64.URLEncoding.DecodeString(s)
+		}
+	}
+	if err != nil {
+		return nil, err
+	}
+	if len(b) != len(Key{}) {
+		return nil, errKeyLen
+	}
+	k := new(Key)
+	copy(k[:], b)
+	return k, nil
+}
+
+// DecodeKeys decodes each element of a using DecodeKey and returns the
+// resulting keys. Requires at least one key.
+func DecodeKeys(a ...string) ([]*Key, error) {
+	if len(a) == 0 {
+		return nil, errNoKeys
+	}
+	var err error
+	ks := make([]*Key, len(a))
+	for i, s := range a {
+		ks[i], err = DecodeKey(s)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return ks, nil
+}
+
+// MustDecodeKeys is like DecodeKeys, but panics if an error occurs.
+// It simplifies safe initialization of global variables holding
+// keys.
+func MustDecodeKeys(a ...string) []*Key {
+	k, err := DecodeKeys(a...)
+	if err != nil {
+		panic(err)
+	}
+	return k
+}
diff --git a/engine/vendor/github.com/golang/gddo/LICENSE b/engine/vendor/github.com/golang/gddo/LICENSE
new file mode 100644
index 00000000..65d761bc
--- /dev/null
+++ b/engine/vendor/github.com/golang/gddo/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2013 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/engine/vendor/github.com/golang/gddo/README.markdown b/engine/vendor/github.com/golang/gddo/README.markdown
new file mode 100644
index 00000000..7194f4c0
--- /dev/null
+++ b/engine/vendor/github.com/golang/gddo/README.markdown
@@ -0,0 +1,44 @@
+This project is the source for http://godoc.org/
+
+[![GoDoc](https://godoc.org/github.com/golang/gddo?status.svg)](http://godoc.org/github.com/golang/gddo)
+[![Build
+Status](https://travis-ci.org/golang/gddo.svg?branch=master)](https://travis-ci.org/golang/gddo)
+
+The code in this project is designed to be used by godoc.org. Send mail to
+golang-dev@googlegroups.com if you want to discuss other uses of the code.
+
+## Feedback
+
+Send ideas and questions to golang-dev@googlegroups.com. Request features and
+report bugs using the [GitHub Issue
+Tracker](https://github.com/golang/gddo/issues/new).
+
+## Contributions
+
+Contributions to this project are welcome, though please [file an
+issue](https://github.com/golang/gddo/issues/new). before starting work on
+anything major.
+
+**We do not accept GitHub pull requests**
+
+Please refer to the [Contribution
+Guidelines](https://golang.org/doc/contribute.html) on how to submit changes.
+
+We use https://go-review.googlesource.com to review change submissions.
+
+## Getting the Source
+
+To get started contributing to this project, clone the repository from its
+canonical location
+
+```
+git clone https://go.googlesource.com/gddo $GOPATH/src/github.com/golang/gddo
+```
+
+Information on how to set up a local environment is available at
+https://github.com/golang/gddo/wiki/Development-Environment-Setup.
+
+## More Documentation
+
+More documentation about this project is available on the
+[wiki](https://github.com/golang/gddo/wiki).
diff --git a/engine/vendor/github.com/golang/gddo/httputil/buster.go b/engine/vendor/github.com/golang/gddo/httputil/buster.go
new file mode 100644
index 00000000..beab151a
--- /dev/null
+++ b/engine/vendor/github.com/golang/gddo/httputil/buster.go
@@ -0,0 +1,95 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file or at
+// https://developers.google.com/open-source/licenses/bsd.
+
+package httputil
+
+import (
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+)
+
+type busterWriter struct {
+	headerMap http.Header
+	status    int
+	io.Writer
+}
+
+func (bw *busterWriter) Header() http.Header {
+	return bw.headerMap
+}
+
+func (bw *busterWriter) WriteHeader(status int) {
+	bw.status = status
+}
+
+// CacheBusters maintains a cache of cache busting tokens for static resources served by Handler.
+type CacheBusters struct {
+	Handler http.Handler
+
+	mu     sync.Mutex
+	tokens map[string]string
+}
+
+func sanitizeTokenRune(r rune) rune {
+	if r <= ' ' || r >= 127 {
+		return -1
+	}
+	// Convert percent encoding reserved characters to '-'.
+	if strings.ContainsRune("!#$&'()*+,/:;=?@[]", r) {
+		return '-'
+	}
+	return r
+}
+
+// Get returns the cache busting token for path. If the token is not already
+// cached, Get issues a HEAD request on handler and uses the response ETag and
+// Last-Modified headers to compute a token.
+func (cb *CacheBusters) Get(path string) string {
+	cb.mu.Lock()
+	if cb.tokens == nil {
+		cb.tokens = make(map[string]string)
+	}
+	token, ok := cb.tokens[path]
+	cb.mu.Unlock()
+	if ok {
+		return token
+	}
+
+	w := busterWriter{
+		Writer:    ioutil.Discard,
+		headerMap: make(http.Header),
+	}
+	r := &http.Request{URL: &url.URL{Path: path}, Method: "HEAD"}
+	cb.Handler.ServeHTTP(&w, r)
+
+	if w.status == 200 {
+		token = w.headerMap.Get("Etag")
+		if token == "" {
+			token = w.headerMap.Get("Last-Modified")
+		}
+		token = strings.Trim(token, `" `)
+		token = strings.Map(sanitizeTokenRune, token)
+	}
+
+	cb.mu.Lock()
+	cb.tokens[path] = token
+	cb.mu.Unlock()
+
+	return token
+}
+
+// AppendQueryParam appends the token as a query parameter to path.
+func (cb *CacheBusters) AppendQueryParam(path string, name string) string {
+	token := cb.Get(path)
+	if token == "" {
+		return path
+	}
+	return path + "?" + name + "=" + token
+}
diff --git a/engine/vendor/github.com/golang/gddo/httputil/header/header.go b/engine/vendor/github.com/golang/gddo/httputil/header/header.go
new file mode 100644
index 00000000..0f1572e3
--- /dev/null
+++ b/engine/vendor/github.com/golang/gddo/httputil/header/header.go
@@ -0,0 +1,298 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file or at
+// https://developers.google.com/open-source/licenses/bsd.
+
+// Package header provides functions for parsing HTTP headers.
+package header
+
+import (
+	"net/http"
+	"strings"
+	"time"
+)
+
+// Octet types from RFC 2616.
+var octetTypes [256]octetType
+
+type octetType byte
+
+const (
+	isToken octetType = 1 << iota
+	isSpace
+)
+
+func init() {
+	// OCTET      = <any 8-bit sequence of data>
+	// CHAR       = <any US-ASCII character (octets 0 - 127)>
+	// CTL        = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
+	// CR         = <US-ASCII CR, carriage return (13)>
+	// LF         = <US-ASCII LF, linefeed (10)>
+	// SP         = <US-ASCII SP, space (32)>
+	// HT         = <US-ASCII HT, horizontal-tab (9)>
+	// <">        = <US-ASCII double-quote mark (34)>
+	// CRLF       = CR LF
+	// LWS        = [CRLF] 1*( SP | HT )
+	// TEXT       = <any OCTET except CTLs, but including LWS>
+	// separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">
+	//              | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
+	// token      = 1*<any CHAR except CTLs or separators>
+	// qdtext     = <any TEXT except <">>
+
+	for c := 0; c < 256; c++ {
+		var t octetType
+		isCtl := c <= 31 || c == 127
+		isChar := 0 <= c && c <= 127
+		isSeparator := strings.IndexRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) >= 0
+		if strings.IndexRune(" \t\r\n", rune(c)) >= 0 {
+			t |= isSpace
+		}
+		if isChar && !isCtl && !isSeparator {
+			t |= isToken
+		}
+		octetTypes[c] = t
+	}
+}
+
+// Copy returns a shallow copy of the header.
+func Copy(header http.Header) http.Header {
+	h := make(http.Header)
+	for k, vs := range header {
+		h[k] = vs
+	}
+	return h
+}
+
+var timeLayouts = []string{"Mon, 02 Jan 2006 15:04:05 GMT", time.RFC850, time.ANSIC}
+
+// ParseTime parses the header as time. The zero value is returned if the
+// header is not present or there is an error parsing the
+// header.
+func ParseTime(header http.Header, key string) time.Time {
+	if s := header.Get(key); s != "" {
+		for _, layout := range timeLayouts {
+			if t, err := time.Parse(layout, s); err == nil {
+				return t.UTC()
+			}
+		}
+	}
+	return time.Time{}
+}
+
+// ParseList parses a comma separated list of values. Commas are ignored in
+// quoted strings. Quoted values are not unescaped or unquoted. Whitespace is
+// trimmed.
+func ParseList(header http.Header, key string) []string {
+	var result []string
+	for _, s := range header[http.CanonicalHeaderKey(key)] {
+		begin := 0
+		end := 0
+		escape := false
+		quote := false
+		for i := 0; i < len(s); i++ {
+			b := s[i]
+			switch {
+			case escape:
+				escape = false
+				end = i + 1
+			case quote:
+				switch b {
+				case '\\':
+					escape = true
+				case '"':
+					quote = false
+				}
+				end = i + 1
+			case b == '"':
+				quote = true
+				end = i + 1
+			case octetTypes[b]&isSpace != 0:
+				if begin == end {
+					begin = i + 1
+					end = begin
+				}
+			case b == ',':
+				if begin < end {
+					result = append(result, s[begin:end])
+				}
+				begin = i + 1
+				end = begin
+			default:
+				end = i + 1
+			}
+		}
+		if begin < end {
+			result = append(result, s[begin:end])
+		}
+	}
+	return result
+}
+
+// ParseValueAndParams parses a comma separated list of values with optional
+// semicolon separated name-value pairs. Content-Type and Content-Disposition
+// headers are in this format.
+func ParseValueAndParams(header http.Header, key string) (value string, params map[string]string) {
+	params = make(map[string]string)
+	s := header.Get(key)
+	value, s = expectTokenSlash(s)
+	if value == "" {
+		return
+	}
+	value = strings.ToLower(value)
+	s = skipSpace(s)
+	for strings.HasPrefix(s, ";") {
+		var pkey string
+		pkey, s = expectToken(skipSpace(s[1:]))
+		if pkey == "" {
+			return
+		}
+		if !strings.HasPrefix(s, "=") {
+			return
+		}
+		var pvalue string
+		pvalue, s = expectTokenOrQuoted(s[1:])
+		if pvalue == "" {
+			return
+		}
+		pkey = strings.ToLower(pkey)
+		params[pkey] = pvalue
+		s = skipSpace(s)
+	}
+	return
+}
+
+// AcceptSpec describes an Accept* header.
+type AcceptSpec struct {
+	Value string
+	Q     float64
+}
+
+// ParseAccept parses Accept* headers.
+func ParseAccept(header http.Header, key string) (specs []AcceptSpec) {
+loop:
+	for _, s := range header[key] {
+		for {
+			var spec AcceptSpec
+			spec.Value, s = expectTokenSlash(s)
+			if spec.Value == "" {
+				continue loop
+			}
+			spec.Q = 1.0
+			s = skipSpace(s)
+			if strings.HasPrefix(s, ";") {
+				s = skipSpace(s[1:])
+				if !strings.HasPrefix(s, "q=") {
+					continue loop
+				}
+				spec.Q, s = expectQuality(s[2:])
+				if spec.Q < 0.0 {
+					continue loop
+				}
+			}
+			specs = append(specs, spec)
+			s = skipSpace(s)
+			if !strings.HasPrefix(s, ",") {
+				continue loop
+			}
+			s = skipSpace(s[1:])
+		}
+	}
+	return
+}
+
+func skipSpace(s string) (rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		if octetTypes[s[i]]&isSpace == 0 {
+			break
+		}
+	}
+	return s[i:]
+}
+
+func expectToken(s string) (token, rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		if octetTypes[s[i]]&isToken == 0 {
+			break
+		}
+	}
+	return s[:i], s[i:]
+}
+
+func expectTokenSlash(s string) (token, rest string) {
+	i := 0
+	for ; i < len(s); i++ {
+		b := s[i]
+		if (octetTypes[b]&isToken == 0) && b != '/' {
+			break
+		}
+	}
+	return s[:i], s[i:]
+}
+
+func expectQuality(s string) (q float64, rest string) {
+	switch {
+	case len(s) == 0:
+		return -1, ""
+	case s[0] == '0':
+		q = 0
+	case s[0] == '1':
+		q = 1
+	default:
+		return -1, ""
+	}
+	s = s[1:]
+	if !strings.HasPrefix(s, ".") {
+		return q, s
+	}
+	s = s[1:]
+	i := 0
+	n := 0
+	d := 1
+	for ; i < len(s); i++ {
+		b := s[i]
+		if b < '0' || b > '9' {
+			break
+		}
+		n = n*10 + int(b) - '0'
+		d *= 10
+	}
+	return q + float64(n)/float64(d), s[i:]
+}
+
+func expectTokenOrQuoted(s string) (value string, rest string) {
+	if !strings.HasPrefix(s, "\"") {
+		return expectToken(s)
+	}
+	s = s[1:]
+	for i := 0; i < len(s); i++ {
+		switch s[i] {
+		case '"':
+			return s[:i], s[i+1:]
+		case '\\':
+			p := make([]byte, len(s)-1)
+			j := copy(p, s[:i])
+			escape := true
+			for i = i + 1; i < len(s); i++ {
+				b := s[i]
+				switch {
+				case escape:
+					escape = false
+					p[j] = b
+					j++
+				case b == '\\':
+					escape = true
+				case b == '"':
+					return string(p[:j]), s[i+1:]
+				default:
+					p[j] = b
+					j++
+				}
+			}
+			return "", ""
+		}
+	}
+	return "", ""
+}
diff --git a/engine/vendor/github.com/golang/gddo/httputil/httputil.go b/engine/vendor/github.com/golang/gddo/httputil/httputil.go
new file mode 100644
index 00000000..a03717c0
--- /dev/null
+++ b/engine/vendor/github.com/golang/gddo/httputil/httputil.go
@@ -0,0 +1,25 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file or at
+// https://developers.google.com/open-source/licenses/bsd.
+
+// Package httputil is a toolkit for the Go net/http package.
+package httputil
+
+import (
+	"net"
+	"net/http"
+)
+
+// StripPort removes the port specification from an address.
+func StripPort(s string) string {
+	if h, _, err := net.SplitHostPort(s); err == nil {
+		s = h
+	}
+	return s
+}
+
+// Error defines a type for a function that accepts a ResponseWriter for
+// a Request with the HTTP status code and error.
+type Error func(w http.ResponseWriter, r *http.Request, status int, err error)
diff --git a/engine/vendor/github.com/golang/gddo/httputil/negotiate.go b/engine/vendor/github.com/golang/gddo/httputil/negotiate.go
new file mode 100644
index 00000000..6af3e4ca
--- /dev/null
+++ b/engine/vendor/github.com/golang/gddo/httputil/negotiate.go
@@ -0,0 +1,79 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file or at
+// https://developers.google.com/open-source/licenses/bsd.
+
+package httputil
+
+import (
+	"github.com/golang/gddo/httputil/header"
+	"net/http"
+	"strings"
+)
+
+// NegotiateContentEncoding returns the best offered content encoding for the
+// request's Accept-Encoding header. If two offers match with equal weight and
+// then the offer earlier in the list is preferred. If no offers are
+// acceptable, then "" is returned.
+func NegotiateContentEncoding(r *http.Request, offers []string) string {
+	bestOffer := "identity"
+	bestQ := -1.0
+	specs := header.ParseAccept(r.Header, "Accept-Encoding")
+	for _, offer := range offers {
+		for _, spec := range specs {
+			if spec.Q > bestQ &&
+				(spec.Value == "*" || spec.Value == offer) {
+				bestQ = spec.Q
+				bestOffer = offer
+			}
+		}
+	}
+	if bestQ == 0 {
+		bestOffer = ""
+	}
+	return bestOffer
+}
+
+// NegotiateContentType returns the best offered content type for the request's
+// Accept header. If two offers match with equal weight, then the more specific
+// offer is preferred.  For example, text/* trumps */*. If two offers match
+// with equal weight and specificity, then the offer earlier in the list is
+// preferred. If no offers match, then defaultOffer is returned.
+func NegotiateContentType(r *http.Request, offers []string, defaultOffer string) string {
+	bestOffer := defaultOffer
+	bestQ := -1.0
+	bestWild := 3
+	specs := header.ParseAccept(r.Header, "Accept")
+	for _, offer := range offers {
+		for _, spec := range specs {
+			switch {
+			case spec.Q == 0.0:
+				// ignore
+			case spec.Q < bestQ:
+				// better match found
+			case spec.Value == "*/*":
+				if spec.Q > bestQ || bestWild > 2 {
+					bestQ = spec.Q
+					bestWild = 2
+					bestOffer = offer
+				}
+			case strings.HasSuffix(spec.Value, "/*"):
+				if strings.HasPrefix(offer, spec.Value[:len(spec.Value)-1]) &&
+					(spec.Q > bestQ || bestWild > 1) {
+					bestQ = spec.Q
+					bestWild = 1
+					bestOffer = offer
+				}
+			default:
+				if spec.Value == offer &&
+					(spec.Q > bestQ || bestWild > 0) {
+					bestQ = spec.Q
+					bestWild = 0
+					bestOffer = offer
+				}
+			}
+		}
+	}
+	return bestOffer
+}
diff --git a/engine/vendor/github.com/golang/gddo/httputil/respbuf.go b/engine/vendor/github.com/golang/gddo/httputil/respbuf.go
new file mode 100644
index 00000000..051af211
--- /dev/null
+++ b/engine/vendor/github.com/golang/gddo/httputil/respbuf.go
@@ -0,0 +1,58 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file or at
+// https://developers.google.com/open-source/licenses/bsd.
+
+package httputil
+
+import (
+	"bytes"
+	"net/http"
+	"strconv"
+)
+
+// ResponseBuffer is the current response being composed by its owner.
+// It implements http.ResponseWriter and io.WriterTo.
+type ResponseBuffer struct {
+	buf    bytes.Buffer
+	status int
+	header http.Header
+}
+
+// Write implements the http.ResponseWriter interface.
+func (rb *ResponseBuffer) Write(p []byte) (int, error) {
+	return rb.buf.Write(p)
+}
+
+// WriteHeader implements the http.ResponseWriter interface.
+func (rb *ResponseBuffer) WriteHeader(status int) {
+	rb.status = status
+}
+
+// Header implements the http.ResponseWriter interface.
+func (rb *ResponseBuffer) Header() http.Header {
+	if rb.header == nil {
+		rb.header = make(http.Header)
+	}
+	return rb.header
+}
+
+// WriteTo implements the io.WriterTo interface.
+func (rb *ResponseBuffer) WriteTo(w http.ResponseWriter) error {
+	for k, v := range rb.header {
+		w.Header()[k] = v
+	}
+	if rb.buf.Len() > 0 {
+		w.Header().Set("Content-Length", strconv.Itoa(rb.buf.Len()))
+	}
+	if rb.status != 0 {
+		w.WriteHeader(rb.status)
+	}
+	if rb.buf.Len() > 0 {
+		if _, err := w.Write(rb.buf.Bytes()); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/engine/vendor/github.com/golang/gddo/httputil/static.go b/engine/vendor/github.com/golang/gddo/httputil/static.go
new file mode 100644
index 00000000..6610dde0
--- /dev/null
+++ b/engine/vendor/github.com/golang/gddo/httputil/static.go
@@ -0,0 +1,265 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file or at
+// https://developers.google.com/open-source/licenses/bsd.
+
+package httputil
+
+import (
+	"bytes"
+	"crypto/sha1"
+	"errors"
+	"fmt"
+	"github.com/golang/gddo/httputil/header"
+	"io"
+	"io/ioutil"
+	"mime"
+	"net/http"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+// StaticServer serves static files.
+type StaticServer struct {
+	// Dir specifies the location of the directory containing the files to serve.
+	Dir string
+
+	// MaxAge specifies the maximum age for the cache control and expiration
+	// headers.
+	MaxAge time.Duration
+
+	// Error specifies the function used to generate error responses. If Error
+	// is nil, then http.Error is used to generate error responses.
+	Error Error
+
+	// MIMETypes is a map from file extensions to MIME types.
+	MIMETypes map[string]string
+
+	mu    sync.Mutex
+	etags map[string]string
+}
+
+func (ss *StaticServer) resolve(fname string) string {
+	if path.IsAbs(fname) {
+		panic("Absolute path not allowed when creating a StaticServer handler")
+	}
+	dir := ss.Dir
+	if dir == "" {
+		dir = "."
+	}
+	fname = filepath.FromSlash(fname)
+	return filepath.Join(dir, fname)
+}
+
+func (ss *StaticServer) mimeType(fname string) string {
+	ext := path.Ext(fname)
+	var mimeType string
+	if ss.MIMETypes != nil {
+		mimeType = ss.MIMETypes[ext]
+	}
+	if mimeType == "" {
+		mimeType = mime.TypeByExtension(ext)
+	}
+	if mimeType == "" {
+		mimeType = "application/octet-stream"
+	}
+	return mimeType
+}
+
+func (ss *StaticServer) openFile(fname string) (io.ReadCloser, int64, string, error) {
+	f, err := os.Open(fname)
+	if err != nil {
+		return nil, 0, "", err
+	}
+	fi, err := f.Stat()
+	if err != nil {
+		f.Close()
+		return nil, 0, "", err
+	}
+	const modeType = os.ModeDir | os.ModeSymlink | os.ModeNamedPipe | os.ModeSocket | os.ModeDevice
+	if fi.Mode()&modeType != 0 {
+		f.Close()
+		return nil, 0, "", errors.New("not a regular file")
+	}
+	return f, fi.Size(), ss.mimeType(fname), nil
+}
+
+// FileHandler returns a handler that serves a single file. The file is
+// specified by a slash separated path relative to the static server's Dir
+// field.
+func (ss *StaticServer) FileHandler(fileName string) http.Handler {
+	id := fileName
+	fileName = ss.resolve(fileName)
+	return &staticHandler{
+		ss:   ss,
+		id:   func(_ string) string { return id },
+		open: func(_ string) (io.ReadCloser, int64, string, error) { return ss.openFile(fileName) },
+	}
+}
+
+// DirectoryHandler returns a handler that serves files from a directory tree.
+// The directory is specified by a slash separated path relative to the static
+// server's Dir field.
+func (ss *StaticServer) DirectoryHandler(prefix, dirName string) http.Handler {
+	if !strings.HasSuffix(prefix, "/") {
+		prefix += "/"
+	}
+	idBase := dirName
+	dirName = ss.resolve(dirName)
+	return &staticHandler{
+		ss: ss,
+		id: func(p string) string {
+			if !strings.HasPrefix(p, prefix) {
+				return "."
+			}
+			return path.Join(idBase, p[len(prefix):])
+		},
+		open: func(p string) (io.ReadCloser, int64, string, error) {
+			if !strings.HasPrefix(p, prefix) {
+				return nil, 0, "", errors.New("request url does not match directory prefix")
+			}
+			p = p[len(prefix):]
+			return ss.openFile(filepath.Join(dirName, filepath.FromSlash(p)))
+		},
+	}
+}
+
+// FilesHandler returns a handler that serves the concatentation of the
+// specified files. The files are specified by slash separated paths relative
+// to the static server's Dir field.
+func (ss *StaticServer) FilesHandler(fileNames ...string) http.Handler {
+
+	// todo: cache concatenated files on disk and serve from there.
+
+	mimeType := ss.mimeType(fileNames[0])
+	var buf []byte
+	var openErr error
+
+	for _, fileName := range fileNames {
+		p, err := ioutil.ReadFile(ss.resolve(fileName))
+		if err != nil {
+			openErr = err
+			buf = nil
+			break
+		}
+		buf = append(buf, p...)
+	}
+
+	id := strings.Join(fileNames, " ")
+
+	return &staticHandler{
+		ss: ss,
+		id: func(_ string) string { return id },
+		open: func(p string) (io.ReadCloser, int64, string, error) {
+			return ioutil.NopCloser(bytes.NewReader(buf)), int64(len(buf)), mimeType, openErr
+		},
+	}
+}
+
+type staticHandler struct {
+	id   func(fname string) string
+	open func(p string) (io.ReadCloser, int64, string, error)
+	ss   *StaticServer
+}
+
+func (h *staticHandler) error(w http.ResponseWriter, r *http.Request, status int, err error) {
+	http.Error(w, http.StatusText(status), status)
+}
+
+func (h *staticHandler) etag(p string) (string, error) {
+	id := h.id(p)
+
+	h.ss.mu.Lock()
+	if h.ss.etags == nil {
+		h.ss.etags = make(map[string]string)
+	}
+	etag := h.ss.etags[id]
+	h.ss.mu.Unlock()
+
+	if etag != "" {
+		return etag, nil
+	}
+
+	// todo: if a concurrent goroutine is calculating the hash, then wait for
+	// it instead of computing it again here.
+
+	rc, _, _, err := h.open(p)
+	if err != nil {
+		return "", err
+	}
+
+	defer rc.Close()
+
+	w := sha1.New()
+	_, err = io.Copy(w, rc)
+	if err != nil {
+		return "", err
+	}
+
+	etag = fmt.Sprintf(`"%x"`, w.Sum(nil))
+
+	h.ss.mu.Lock()
+	h.ss.etags[id] = etag
+	h.ss.mu.Unlock()
+
+	return etag, nil
+}
+
+func (h *staticHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	p := path.Clean(r.URL.Path)
+	if p != r.URL.Path {
+		http.Redirect(w, r, p, 301)
+		return
+	}
+
+	etag, err := h.etag(p)
+	if err != nil {
+		h.error(w, r, http.StatusNotFound, err)
+		return
+	}
+
+	maxAge := h.ss.MaxAge
+	if maxAge == 0 {
+		maxAge = 24 * time.Hour
+	}
+	if r.FormValue("v") != "" {
+		maxAge = 365 * 24 * time.Hour
+	}
+
+	cacheControl := fmt.Sprintf("public, max-age=%d", maxAge/time.Second)
+
+	for _, e := range header.ParseList(r.Header, "If-None-Match") {
+		if e == etag {
+			w.Header().Set("Cache-Control", cacheControl)
+			w.Header().Set("Etag", etag)
+			w.WriteHeader(http.StatusNotModified)
+			return
+		}
+	}
+
+	rc, cl, ct, err := h.open(p)
+	if err != nil {
+		h.error(w, r, http.StatusNotFound, err)
+		return
+	}
+	defer rc.Close()
+
+	w.Header().Set("Cache-Control", cacheControl)
+	w.Header().Set("Etag", etag)
+	if ct != "" {
+		w.Header().Set("Content-Type", ct)
+	}
+	if cl != 0 {
+		w.Header().Set("Content-Length", strconv.FormatInt(cl, 10))
+	}
+	w.WriteHeader(http.StatusOK)
+	if r.Method != "HEAD" {
+		io.Copy(w, rc)
+	}
+}
diff --git a/engine/vendor/github.com/golang/gddo/httputil/transport.go b/engine/vendor/github.com/golang/gddo/httputil/transport.go
new file mode 100644
index 00000000..fdad3b47
--- /dev/null
+++ b/engine/vendor/github.com/golang/gddo/httputil/transport.go
@@ -0,0 +1,87 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file or at
+// https://developers.google.com/open-source/licenses/bsd.
+
+// This file implements a http.RoundTripper that authenticates
+// requests issued against api.github.com endpoint.
+
+package httputil
+
+import (
+	"net/http"
+	"net/url"
+)
+
+// AuthTransport is an implementation of http.RoundTripper that authenticates
+// with the GitHub API.
+//
+// When both a token and client credentials are set, the latter is preferred.
+type AuthTransport struct {
+	UserAgent          string
+	GithubToken        string
+	GithubClientID     string
+	GithubClientSecret string
+	Base               http.RoundTripper
+}
+
+// RoundTrip implements the http.RoundTripper interface.
+func (t *AuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	var reqCopy *http.Request
+	if t.UserAgent != "" {
+		reqCopy = copyRequest(req)
+		reqCopy.Header.Set("User-Agent", t.UserAgent)
+	}
+	if req.URL.Host == "api.github.com" && req.URL.Scheme == "https" {
+		switch {
+		case t.GithubClientID != "" && t.GithubClientSecret != "":
+			if reqCopy == nil {
+				reqCopy = copyRequest(req)
+			}
+			if reqCopy.URL.RawQuery == "" {
+				reqCopy.URL.RawQuery = "client_id=" + t.GithubClientID + "&client_secret=" + t.GithubClientSecret
+			} else {
+				reqCopy.URL.RawQuery += "&client_id=" + t.GithubClientID + "&client_secret=" + t.GithubClientSecret
+			}
+		case t.GithubToken != "":
+			if reqCopy == nil {
+				reqCopy = copyRequest(req)
+			}
+			reqCopy.Header.Set("Authorization", "token "+t.GithubToken)
+		}
+	}
+	if reqCopy != nil {
+		return t.base().RoundTrip(reqCopy)
+	}
+	return t.base().RoundTrip(req)
+}
+
+// CancelRequest cancels an in-flight request by closing its connection.
+func (t *AuthTransport) CancelRequest(req *http.Request) {
+	type canceler interface {
+		CancelRequest(req *http.Request)
+	}
+	if cr, ok := t.base().(canceler); ok {
+		cr.CancelRequest(req)
+	}
+}
+
+func (t *AuthTransport) base() http.RoundTripper {
+	if t.Base != nil {
+		return t.Base
+	}
+	return http.DefaultTransport
+}
+
+func copyRequest(req *http.Request) *http.Request {
+	req2 := new(http.Request)
+	*req2 = *req
+	req2.URL = new(url.URL)
+	*req2.URL = *req.URL
+	req2.Header = make(http.Header, len(req.Header))
+	for k, s := range req.Header {
+		req2.Header[k] = append([]string(nil), s...)
+	}
+	return req2
+}
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/LICENSE b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/LICENSE
new file mode 100644
index 00000000..abe5fe17
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2016, gRPC Ecosystem
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of grpc-opentracing nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/PATENTS b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/PATENTS
new file mode 100644
index 00000000..5cfe0175
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/PATENTS
@@ -0,0 +1,23 @@
+Additional IP Rights Grant (Patents)
+
+"This implementation" means the copyrightable works distributed by
+Google as part of the GRPC project.
+
+Google hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section)
+patent license to make, have made, use, offer to sell, sell, import,
+transfer and otherwise run, modify and propagate the contents of this
+implementation of GRPC, where such license applies only to those patent
+claims, both currently owned or controlled by Google and acquired in
+the future, licensable by Google that are necessarily infringed by this
+implementation of GRPC.  This grant does not include claims that would be
+infringed only as a consequence of further modification of this
+implementation.  If you or your agent or exclusive licensee institute or
+order or agree to the institution of patent litigation against any
+entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that this implementation of GRPC or any code incorporated within this
+implementation of GRPC constitutes direct or contributory patent
+infringement, or inducement of patent infringement, then any patent
+rights granted to you under this License for this implementation of GRPC
+shall terminate as of the date such litigation is filed.
+Status API Training Shop Blog About
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/README.rst b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/README.rst
new file mode 100644
index 00000000..1d44e691
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/README.rst
@@ -0,0 +1,25 @@
+################
+GRPC-OpenTracing
+################
+
+This package enables distributed tracing in GRPC clients and servers via `The OpenTracing Project`_: a set of consistent, expressive, vendor-neutral APIs for distributed tracing and context propagation.
+
+Once a production system contends with real concurrency or splits into many services, crucial (and formerly easy) tasks become difficult: user-facing latency optimization, root-cause analysis of backend errors, communication about distinct pieces of a now-distributed system, etc. Distributed tracing follows a request on its journey from inception to completion from mobile/browser all the way to the microservices. 
+
+As core services and libraries adopt OpenTracing, the application builder is no longer burdened with the task of adding basic tracing instrumentation to their own code. In this way, developers can build their applications with the tools they prefer and benefit from built-in tracing instrumentation. OpenTracing implementations exist for major distributed tracing systems and can be bound or swapped with a one-line configuration change.
+
+*******************
+Further Information
+*******************
+
+If you’re interested in learning more about the OpenTracing standard, join the conversation on our `mailing list`_ or `Gitter`_.
+
+If you want to learn more about the underlying API for your platform, visit the `source code`_. 
+
+If you would like to implement OpenTracing in your project and need help, feel free to send us a note at `community@opentracing.io`_.
+
+.. _The OpenTracing Project: http://opentracing.io/
+.. _source code: https://github.com/opentracing/
+.. _mailing list: http://opentracing.us13.list-manage.com/subscribe?u=180afe03860541dae59e84153&id=19117aa6cd
+.. _Gitter: https://gitter.im/opentracing/public
+.. _community@opentracing.io: community@opentracing.io
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/README.md b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/README.md
new file mode 100644
index 00000000..78c49dbb
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/README.md
@@ -0,0 +1,57 @@
+# OpenTracing support for gRPC in Go
+
+The `otgrpc` package makes it easy to add OpenTracing support to gRPC-based
+systems in Go.
+
+## Installation
+
+```
+go get github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc
+```
+
+## Documentation
+
+See the basic usage examples below and the [package documentation on
+godoc.org](https://godoc.org/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc).
+
+## Client-side usage example
+
+Wherever you call `grpc.Dial`:
+
+```go
+// You must have some sort of OpenTracing Tracer instance on hand.
+var tracer opentracing.Tracer = ...
+...
+
+// Set up a connection to the server peer.
+conn, err := grpc.Dial(
+    address,
+    ... // other options
+    grpc.WithUnaryInterceptor(
+        otgrpc.OpenTracingClientInterceptor(tracer)),
+    grpc.WithStreamInterceptor(
+        otgrpc.OpenTracingStreamClientInterceptor(tracer)))
+
+// All future RPC activity involving `conn` will be automatically traced.
+```
+
+## Server-side usage example
+
+Wherever you call `grpc.NewServer`:
+
+```go
+// You must have some sort of OpenTracing Tracer instance on hand.
+var tracer opentracing.Tracer = ...
+...
+
+// Initialize the gRPC server.
+s := grpc.NewServer(
+    ... // other options
+    grpc.UnaryInterceptor(
+        otgrpc.OpenTracingServerInterceptor(tracer)),
+    grpc.StreamInterceptor(
+        otgrpc.OpenTracingStreamServerInterceptor(tracer)))
+
+// All future RPC activity involving `s` will be automatically traced.
+```
+
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/client.go b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/client.go
new file mode 100644
index 00000000..3414e55c
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/client.go
@@ -0,0 +1,239 @@
+package otgrpc
+
+import (
+	"github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/ext"
+	"github.com/opentracing/opentracing-go/log"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+	"io"
+	"runtime"
+	"sync/atomic"
+)
+
+// OpenTracingClientInterceptor returns a grpc.UnaryClientInterceptor suitable
+// for use in a grpc.Dial call.
+//
+// For example:
+//
+//     conn, err := grpc.Dial(
+//         address,
+//         ...,  // (existing DialOptions)
+//         grpc.WithUnaryInterceptor(otgrpc.OpenTracingClientInterceptor(tracer)))
+//
+// All gRPC client spans will inject the OpenTracing SpanContext into the gRPC
+// metadata; they will also look in the context.Context for an active
+// in-process parent Span and establish a ChildOf reference if such a parent
+// Span could be found.
+func OpenTracingClientInterceptor(tracer opentracing.Tracer, optFuncs ...Option) grpc.UnaryClientInterceptor {
+	otgrpcOpts := newOptions()
+	otgrpcOpts.apply(optFuncs...)
+	return func(
+		ctx context.Context,
+		method string,
+		req, resp interface{},
+		cc *grpc.ClientConn,
+		invoker grpc.UnaryInvoker,
+		opts ...grpc.CallOption,
+	) error {
+		var err error
+		var parentCtx opentracing.SpanContext
+		if parent := opentracing.SpanFromContext(ctx); parent != nil {
+			parentCtx = parent.Context()
+		}
+		if otgrpcOpts.inclusionFunc != nil &&
+			!otgrpcOpts.inclusionFunc(parentCtx, method, req, resp) {
+			return invoker(ctx, method, req, resp, cc, opts...)
+		}
+		clientSpan := tracer.StartSpan(
+			method,
+			opentracing.ChildOf(parentCtx),
+			ext.SpanKindRPCClient,
+			gRPCComponentTag,
+		)
+		defer clientSpan.Finish()
+		ctx = injectSpanContext(ctx, tracer, clientSpan)
+		if otgrpcOpts.logPayloads {
+			clientSpan.LogFields(log.Object("gRPC request", req))
+		}
+		err = invoker(ctx, method, req, resp, cc, opts...)
+		if err == nil {
+			if otgrpcOpts.logPayloads {
+				clientSpan.LogFields(log.Object("gRPC response", resp))
+			}
+		} else {
+			SetSpanTags(clientSpan, err, true)
+			clientSpan.LogFields(log.String("event", "error"), log.String("message", err.Error()))
+		}
+		if otgrpcOpts.decorator != nil {
+			otgrpcOpts.decorator(clientSpan, method, req, resp, err)
+		}
+		return err
+	}
+}
+
+// OpenTracingStreamClientInterceptor returns a grpc.StreamClientInterceptor suitable
+// for use in a grpc.Dial call. The interceptor instruments streaming RPCs by creating
+// a single span to correspond to the lifetime of the RPC's stream.
+//
+// For example:
+//
+//     conn, err := grpc.Dial(
+//         address,
+//         ...,  // (existing DialOptions)
+//         grpc.WithStreamInterceptor(otgrpc.OpenTracingStreamClientInterceptor(tracer)))
+//
+// All gRPC client spans will inject the OpenTracing SpanContext into the gRPC
+// metadata; they will also look in the context.Context for an active
+// in-process parent Span and establish a ChildOf reference if such a parent
+// Span could be found.
+func OpenTracingStreamClientInterceptor(tracer opentracing.Tracer, optFuncs ...Option) grpc.StreamClientInterceptor {
+	otgrpcOpts := newOptions()
+	otgrpcOpts.apply(optFuncs...)
+	return func(
+		ctx context.Context,
+		desc *grpc.StreamDesc,
+		cc *grpc.ClientConn,
+		method string,
+		streamer grpc.Streamer,
+		opts ...grpc.CallOption,
+	) (grpc.ClientStream, error) {
+		var err error
+		var parentCtx opentracing.SpanContext
+		if parent := opentracing.SpanFromContext(ctx); parent != nil {
+			parentCtx = parent.Context()
+		}
+		if otgrpcOpts.inclusionFunc != nil &&
+			!otgrpcOpts.inclusionFunc(parentCtx, method, nil, nil) {
+			return streamer(ctx, desc, cc, method, opts...)
+		}
+
+		clientSpan := tracer.StartSpan(
+			method,
+			opentracing.ChildOf(parentCtx),
+			ext.SpanKindRPCClient,
+			gRPCComponentTag,
+		)
+		ctx = injectSpanContext(ctx, tracer, clientSpan)
+		cs, err := streamer(ctx, desc, cc, method, opts...)
+		if err != nil {
+			clientSpan.LogFields(log.String("event", "error"), log.String("message", err.Error()))
+			SetSpanTags(clientSpan, err, true)
+			clientSpan.Finish()
+			return cs, err
+		}
+		return newOpenTracingClientStream(cs, method, desc, clientSpan, otgrpcOpts), nil
+	}
+}
+
+func newOpenTracingClientStream(cs grpc.ClientStream, method string, desc *grpc.StreamDesc, clientSpan opentracing.Span, otgrpcOpts *options) grpc.ClientStream {
+	finishChan := make(chan struct{})
+
+	isFinished := new(int32)
+	*isFinished = 0
+	finishFunc := func(err error) {
+		// The current OpenTracing specification forbids finishing a span more than
+		// once. Since we have multiple code paths that could concurrently call
+		// `finishFunc`, we need to add some sort of synchronization to guard against
+		// multiple finishing.
+		if !atomic.CompareAndSwapInt32(isFinished, 0, 1) {
+			return
+		}
+		close(finishChan)
+		defer clientSpan.Finish()
+		if err != nil {
+			clientSpan.LogFields(log.String("event", "error"), log.String("message", err.Error()))
+			SetSpanTags(clientSpan, err, true)
+		}
+		if otgrpcOpts.decorator != nil {
+			otgrpcOpts.decorator(clientSpan, method, nil, nil, err)
+		}
+	}
+	go func() {
+		select {
+		case <-finishChan:
+			// The client span is being finished by another code path; hence, no
+			// action is necessary.
+		case <-cs.Context().Done():
+			finishFunc(cs.Context().Err())
+		}
+	}()
+	otcs := &openTracingClientStream{
+		ClientStream: cs,
+		desc:         desc,
+		finishFunc:   finishFunc,
+	}
+
+	// The `ClientStream` interface allows one to omit calling `Recv` if it's
+	// known that the result will be `io.EOF`. See
+	// http://stackoverflow.com/q/42915337
+	// In such cases, there's nothing that triggers the span to finish. We,
+	// therefore, set a finalizer so that the span and the context goroutine will
+	// at least be cleaned up when the garbage collector is run.
+	runtime.SetFinalizer(otcs, func(otcs *openTracingClientStream) {
+		otcs.finishFunc(nil)
+	})
+	return otcs
+}
+
+type openTracingClientStream struct {
+	grpc.ClientStream
+	desc       *grpc.StreamDesc
+	finishFunc func(error)
+}
+
+func (cs *openTracingClientStream) Header() (metadata.MD, error) {
+	md, err := cs.ClientStream.Header()
+	if err != nil {
+		cs.finishFunc(err)
+	}
+	return md, err
+}
+
+func (cs *openTracingClientStream) SendMsg(m interface{}) error {
+	err := cs.ClientStream.SendMsg(m)
+	if err != nil {
+		cs.finishFunc(err)
+	}
+	return err
+}
+
+func (cs *openTracingClientStream) RecvMsg(m interface{}) error {
+	err := cs.ClientStream.RecvMsg(m)
+	if err == io.EOF {
+		cs.finishFunc(nil)
+		return err
+	} else if err != nil {
+		cs.finishFunc(err)
+		return err
+	}
+	if !cs.desc.ServerStreams {
+		cs.finishFunc(nil)
+	}
+	return err
+}
+
+func (cs *openTracingClientStream) CloseSend() error {
+	err := cs.ClientStream.CloseSend()
+	if err != nil {
+		cs.finishFunc(err)
+	}
+	return err
+}
+
+func injectSpanContext(ctx context.Context, tracer opentracing.Tracer, clientSpan opentracing.Span) context.Context {
+	md, ok := metadata.FromOutgoingContext(ctx)
+	if !ok {
+		md = metadata.New(nil)
+	} else {
+		md = md.Copy()
+	}
+	mdWriter := metadataReaderWriter{md}
+	err := tracer.Inject(clientSpan.Context(), opentracing.HTTPHeaders, mdWriter)
+	// We have no better place to record an error than the Span itself :-/
+	if err != nil {
+		clientSpan.LogFields(log.String("event", "Tracer.Inject() failed"), log.Error(err))
+	}
+	return metadata.NewOutgoingContext(ctx, md)
+}
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/errors.go b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/errors.go
new file mode 100644
index 00000000..41a6346f
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/errors.go
@@ -0,0 +1,69 @@
+package otgrpc
+
+import (
+	"github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/ext"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// A Class is a set of types of outcomes (including errors) that will often
+// be handled in the same way.
+type Class string
+
+const (
+	Unknown Class = "0xx"
+	// Success represents outcomes that achieved the desired results.
+	Success Class = "2xx"
+	// ClientError represents errors that were the client's fault.
+	ClientError Class = "4xx"
+	// ServerError represents errors that were the server's fault.
+	ServerError Class = "5xx"
+)
+
+// ErrorClass returns the class of the given error
+func ErrorClass(err error) Class {
+	if s, ok := status.FromError(err); ok {
+		switch s.Code() {
+		// Success or "success"
+		case codes.OK, codes.Canceled:
+			return Success
+
+		// Client errors
+		case codes.InvalidArgument, codes.NotFound, codes.AlreadyExists,
+			codes.PermissionDenied, codes.Unauthenticated, codes.FailedPrecondition,
+			codes.OutOfRange:
+			return ClientError
+
+		// Server errors
+		case codes.DeadlineExceeded, codes.ResourceExhausted, codes.Aborted,
+			codes.Unimplemented, codes.Internal, codes.Unavailable, codes.DataLoss:
+			return ServerError
+
+		// Not sure
+		case codes.Unknown:
+			fallthrough
+		default:
+			return Unknown
+		}
+	}
+	return Unknown
+}
+
+// SetSpanTags sets one or more tags on the given span according to the
+// error.
+func SetSpanTags(span opentracing.Span, err error, client bool) {
+	c := ErrorClass(err)
+	code := codes.Unknown
+	if s, ok := status.FromError(err); ok {
+		code = s.Code()
+	}
+	span.SetTag("response_code", code)
+	span.SetTag("response_class", c)
+	if err == nil {
+		return
+	}
+	if client || c == ServerError {
+		ext.Error.Set(span, true)
+	}
+}
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/options.go b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/options.go
new file mode 100644
index 00000000..903e8382
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/options.go
@@ -0,0 +1,76 @@
+package otgrpc
+
+import "github.com/opentracing/opentracing-go"
+
+// Option instances may be used in OpenTracing(Server|Client)Interceptor
+// initialization.
+//
+// See this post about the "functional options" pattern:
+// http://dave.cheney.net/2014/10/17/functional-options-for-friendly-apis
+type Option func(o *options)
+
+// LogPayloads returns an Option that tells the OpenTracing instrumentation to
+// try to log application payloads in both directions.
+func LogPayloads() Option {
+	return func(o *options) {
+		o.logPayloads = true
+	}
+}
+
+// SpanInclusionFunc provides an optional mechanism to decide whether or not
+// to trace a given gRPC call. Return true to create a Span and initiate
+// tracing, false to not create a Span and not trace.
+//
+// parentSpanCtx may be nil if no parent could be extraction from either the Go
+// context.Context (on the client) or the RPC (on the server).
+type SpanInclusionFunc func(
+	parentSpanCtx opentracing.SpanContext,
+	method string,
+	req, resp interface{}) bool
+
+// IncludingSpans binds a IncludeSpanFunc to the options
+func IncludingSpans(inclusionFunc SpanInclusionFunc) Option {
+	return func(o *options) {
+		o.inclusionFunc = inclusionFunc
+	}
+}
+
+// SpanDecoratorFunc provides an (optional) mechanism for otgrpc users to add
+// arbitrary tags/logs/etc to the opentracing.Span associated with client
+// and/or server RPCs.
+type SpanDecoratorFunc func(
+	span opentracing.Span,
+	method string,
+	req, resp interface{},
+	grpcError error)
+
+// SpanDecorator binds a function that decorates gRPC Spans.
+func SpanDecorator(decorator SpanDecoratorFunc) Option {
+	return func(o *options) {
+		o.decorator = decorator
+	}
+}
+
+// The internal-only options struct. Obviously overkill at the moment; but will
+// scale well as production use dictates other configuration and tuning
+// parameters.
+type options struct {
+	logPayloads bool
+	decorator   SpanDecoratorFunc
+	// May be nil.
+	inclusionFunc SpanInclusionFunc
+}
+
+// newOptions returns the default options.
+func newOptions() *options {
+	return &options{
+		logPayloads:   false,
+		inclusionFunc: nil,
+	}
+}
+
+func (o *options) apply(opts ...Option) {
+	for _, opt := range opts {
+		opt(o)
+	}
+}
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/package.go b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/package.go
new file mode 100644
index 00000000..4ff3d199
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/package.go
@@ -0,0 +1,5 @@
+// Package otgrpc provides OpenTracing support for any gRPC client or server.
+//
+// See the README for simple usage examples:
+// https://github.com/grpc-ecosystem/grpc-opentracing/blob/master/go/otgrpc/README.md
+package otgrpc
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/server.go b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/server.go
new file mode 100644
index 00000000..62cf54d2
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/server.go
@@ -0,0 +1,141 @@
+package otgrpc
+
+import (
+	"github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/ext"
+	"github.com/opentracing/opentracing-go/log"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+)
+
+// OpenTracingServerInterceptor returns a grpc.UnaryServerInterceptor suitable
+// for use in a grpc.NewServer call.
+//
+// For example:
+//
+//     s := grpc.NewServer(
+//         ...,  // (existing ServerOptions)
+//         grpc.UnaryInterceptor(otgrpc.OpenTracingServerInterceptor(tracer)))
+//
+// All gRPC server spans will look for an OpenTracing SpanContext in the gRPC
+// metadata; if found, the server span will act as the ChildOf that RPC
+// SpanContext.
+//
+// Root or not, the server Span will be embedded in the context.Context for the
+// application-specific gRPC handler(s) to access.
+func OpenTracingServerInterceptor(tracer opentracing.Tracer, optFuncs ...Option) grpc.UnaryServerInterceptor {
+	otgrpcOpts := newOptions()
+	otgrpcOpts.apply(optFuncs...)
+	return func(
+		ctx context.Context,
+		req interface{},
+		info *grpc.UnaryServerInfo,
+		handler grpc.UnaryHandler,
+	) (resp interface{}, err error) {
+		spanContext, err := extractSpanContext(ctx, tracer)
+		if err != nil && err != opentracing.ErrSpanContextNotFound {
+			// TODO: establish some sort of error reporting mechanism here. We
+			// don't know where to put such an error and must rely on Tracer
+			// implementations to do something appropriate for the time being.
+		}
+		if otgrpcOpts.inclusionFunc != nil &&
+			!otgrpcOpts.inclusionFunc(spanContext, info.FullMethod, req, nil) {
+			return handler(ctx, req)
+		}
+		serverSpan := tracer.StartSpan(
+			info.FullMethod,
+			ext.RPCServerOption(spanContext),
+			gRPCComponentTag,
+		)
+		defer serverSpan.Finish()
+
+		ctx = opentracing.ContextWithSpan(ctx, serverSpan)
+		if otgrpcOpts.logPayloads {
+			serverSpan.LogFields(log.Object("gRPC request", req))
+		}
+		resp, err = handler(ctx, req)
+		if err == nil {
+			if otgrpcOpts.logPayloads {
+				serverSpan.LogFields(log.Object("gRPC response", resp))
+			}
+		} else {
+			SetSpanTags(serverSpan, err, false)
+			serverSpan.LogFields(log.String("event", "error"), log.String("message", err.Error()))
+		}
+		if otgrpcOpts.decorator != nil {
+			otgrpcOpts.decorator(serverSpan, info.FullMethod, req, resp, err)
+		}
+		return resp, err
+	}
+}
+
+// OpenTracingStreamServerInterceptor returns a grpc.StreamServerInterceptor suitable
+// for use in a grpc.NewServer call. The interceptor instruments streaming RPCs by
+// creating a single span to correspond to the lifetime of the RPC's stream.
+//
+// For example:
+//
+//     s := grpc.NewServer(
+//         ...,  // (existing ServerOptions)
+//         grpc.StreamInterceptor(otgrpc.OpenTracingStreamServerInterceptor(tracer)))
+//
+// All gRPC server spans will look for an OpenTracing SpanContext in the gRPC
+// metadata; if found, the server span will act as the ChildOf that RPC
+// SpanContext.
+//
+// Root or not, the server Span will be embedded in the context.Context for the
+// application-specific gRPC handler(s) to access.
+func OpenTracingStreamServerInterceptor(tracer opentracing.Tracer, optFuncs ...Option) grpc.StreamServerInterceptor {
+	otgrpcOpts := newOptions()
+	otgrpcOpts.apply(optFuncs...)
+	return func(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+		spanContext, err := extractSpanContext(ss.Context(), tracer)
+		if err != nil && err != opentracing.ErrSpanContextNotFound {
+			// TODO: establish some sort of error reporting mechanism here. We
+			// don't know where to put such an error and must rely on Tracer
+			// implementations to do something appropriate for the time being.
+		}
+		if otgrpcOpts.inclusionFunc != nil &&
+			!otgrpcOpts.inclusionFunc(spanContext, info.FullMethod, nil, nil) {
+			return handler(srv, ss)
+		}
+
+		serverSpan := tracer.StartSpan(
+			info.FullMethod,
+			ext.RPCServerOption(spanContext),
+			gRPCComponentTag,
+		)
+		defer serverSpan.Finish()
+		ss = &openTracingServerStream{
+			ServerStream: ss,
+			ctx:          opentracing.ContextWithSpan(ss.Context(), serverSpan),
+		}
+		err = handler(srv, ss)
+		if err != nil {
+			SetSpanTags(serverSpan, err, false)
+			serverSpan.LogFields(log.String("event", "error"), log.String("message", err.Error()))
+		}
+		if otgrpcOpts.decorator != nil {
+			otgrpcOpts.decorator(serverSpan, info.FullMethod, nil, nil, err)
+		}
+		return err
+	}
+}
+
+type openTracingServerStream struct {
+	grpc.ServerStream
+	ctx context.Context
+}
+
+func (ss *openTracingServerStream) Context() context.Context {
+	return ss.ctx
+}
+
+func extractSpanContext(ctx context.Context, tracer opentracing.Tracer) (opentracing.SpanContext, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		md = metadata.New(nil)
+	}
+	return tracer.Extract(opentracing.HTTPHeaders, metadataReaderWriter{md})
+}
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/shared.go b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/shared.go
new file mode 100644
index 00000000..9abd5eaa
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc/shared.go
@@ -0,0 +1,42 @@
+package otgrpc
+
+import (
+	"strings"
+
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/ext"
+	"google.golang.org/grpc/metadata"
+)
+
+var (
+	// Morally a const:
+	gRPCComponentTag = opentracing.Tag{string(ext.Component), "gRPC"}
+)
+
+// metadataReaderWriter satisfies both the opentracing.TextMapReader and
+// opentracing.TextMapWriter interfaces.
+type metadataReaderWriter struct {
+	metadata.MD
+}
+
+func (w metadataReaderWriter) Set(key, val string) {
+	// The GRPC HPACK implementation rejects any uppercase keys here.
+	//
+	// As such, since the HTTP_HEADERS format is case-insensitive anyway, we
+	// blindly lowercase the key (which is guaranteed to work in the
+	// Inject/Extract sense per the OpenTracing spec).
+	key = strings.ToLower(key)
+	w.MD[key] = append(w.MD[key], val)
+}
+
+func (w metadataReaderWriter) ForeachKey(handler func(key, val string) error) error {
+	for k, vals := range w.MD {
+		for _, v := range vals {
+			if err := handler(k, v); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/README.md b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/README.md
new file mode 100644
index 00000000..843acd9a
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/README.md
@@ -0,0 +1,4 @@
+The repo has moved.
+-------------------
+
+https://github.com/opentracing-contrib/python-grpc
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/command_line.proto b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/command_line.proto
new file mode 100644
index 00000000..b2367a72
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/command_line.proto
@@ -0,0 +1,15 @@
+syntax = "proto3";
+
+package command_line;
+
+service CommandLine {
+  rpc Echo(CommandRequest) returns (CommandResponse) {}
+}
+
+message CommandRequest {
+  string text = 1;
+}
+
+message CommandResponse {
+  string text = 1;
+}
diff --git a/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/store.proto b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/store.proto
new file mode 100644
index 00000000..6822d985
--- /dev/null
+++ b/engine/vendor/github.com/grpc-ecosystem/grpc-opentracing/python/examples/protos/store.proto
@@ -0,0 +1,37 @@
+syntax = "proto3";
+
+package store;
+
+service Store {
+  rpc AddItem(AddItemRequest) returns (Empty) {}
+  rpc AddItems(stream AddItemRequest) returns (Empty) {}
+  rpc RemoveItem(RemoveItemRequest) returns (RemoveItemResponse) {}
+  rpc RemoveItems(stream RemoveItemRequest) returns (RemoveItemResponse) {}
+  rpc ListInventory(Empty) returns (stream QuantityResponse) {}
+  rpc QueryQuantity(QueryItemRequest) returns (QuantityResponse) {}
+  rpc QueryQuantities(stream QueryItemRequest) 
+                          returns (stream QuantityResponse) {}
+}
+
+message Empty {}
+
+message AddItemRequest {
+  string name = 1;
+}
+
+message RemoveItemRequest {
+  string name = 1;
+}
+
+message RemoveItemResponse {
+  bool was_successful = 1;
+}
+
+message QueryItemRequest {
+  string name = 1;
+}
+
+message QuantityResponse {
+  string name = 1;
+  int32 count = 2;
+}
diff --git a/engine/vendor/github.com/hashicorp/go-immutable-radix/LICENSE b/engine/vendor/github.com/hashicorp/go-immutable-radix/LICENSE
new file mode 100644
index 00000000..e87a115e
--- /dev/null
+++ b/engine/vendor/github.com/hashicorp/go-immutable-radix/LICENSE
@@ -0,0 +1,363 @@
+Mozilla Public License, version 2.0
+
+1. Definitions
+
+1.1. "Contributor"
+
+     means each individual or legal entity that creates, contributes to the
+     creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+
+     means the combination of the Contributions of others (if any) used by a
+     Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+
+     means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+
+     means Source Code Form to which the initial Contributor has attached the
+     notice in Exhibit A, the Executable Form of such Source Code Form, and
+     Modifications of such Source Code Form, in each case including portions
+     thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+     means
+
+     a. that the initial Contributor has attached the notice described in
+        Exhibit B to the Covered Software; or
+
+     b. that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the terms of
+        a Secondary License.
+
+1.6. "Executable Form"
+
+     means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+
+     means a work that combines Covered Software with other material, in a
+     separate file or files, that is not Covered Software.
+
+1.8. "License"
+
+     means this document.
+
+1.9. "Licensable"
+
+     means having the right to grant, to the maximum extent possible, whether
+     at the time of the initial grant or subsequently, any and all of the
+     rights conveyed by this License.
+
+1.10. "Modifications"
+
+     means any of the following:
+
+     a. any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered Software; or
+
+     b. any new file in Source Code Form that contains any Covered Software.
+
+1.11. "Patent Claims" of a Contributor
+
+      means any patent claim(s), including without limitation, method,
+      process, and apparatus claims, in any patent Licensable by such
+      Contributor that would be infringed, but for the grant of the License,
+      by the making, using, selling, offering for sale, having made, import,
+      or transfer of either its Contributions or its Contributor Version.
+
+1.12. "Secondary License"
+
+      means either the GNU General Public License, Version 2.0, the GNU Lesser
+      General Public License, Version 2.1, the GNU Affero General Public
+      License, Version 3.0, or any later versions of those licenses.
+
+1.13. "Source Code Form"
+
+      means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+
+      means an individual or a legal entity exercising rights under this
+      License. For legal entities, "You" includes any entity that controls, is
+      controlled by, or is under common control with You. For purposes of this
+      definition, "control" means (a) the power, direct or indirect, to cause
+      the direction or management of such entity, whether by contract or
+      otherwise, or (b) ownership of more than fifty percent (50%) of the
+      outstanding shares or beneficial ownership of such entity.
+
+
+2. License Grants and Conditions
+
+2.1. Grants
+
+     Each Contributor hereby grants You a world-wide, royalty-free,
+     non-exclusive license:
+
+     a. under intellectual property rights (other than patent or trademark)
+        Licensable by such Contributor to use, reproduce, make available,
+        modify, display, perform, distribute, and otherwise exploit its
+        Contributions, either on an unmodified basis, with Modifications, or
+        as part of a Larger Work; and
+
+     b. under Patent Claims of such Contributor to make, use, sell, offer for
+        sale, have made, import, and otherwise transfer either its
+        Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+     The licenses granted in Section 2.1 with respect to any Contribution
+     become effective for each Contribution on the date the Contributor first
+     distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+     The licenses granted in this Section 2 are the only rights granted under
+     this License. No additional rights or licenses will be implied from the
+     distribution or licensing of Covered Software under this License.
+     Notwithstanding Section 2.1(b) above, no patent license is granted by a
+     Contributor:
+
+     a. for any code that a Contributor has removed from Covered Software; or
+
+     b. for infringements caused by: (i) Your and any other third party's
+        modifications of Covered Software, or (ii) the combination of its
+        Contributions with other software (except as part of its Contributor
+        Version); or
+
+     c. under Patent Claims infringed by Covered Software in the absence of
+        its Contributions.
+
+     This License does not grant any rights in the trademarks, service marks,
+     or logos of any Contributor (except as may be necessary to comply with
+     the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+     No Contributor makes additional grants as a result of Your choice to
+     distribute the Covered Software under a subsequent version of this
+     License (see Section 10.2) or under the terms of a Secondary License (if
+     permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+     Each Contributor represents that the Contributor believes its
+     Contributions are its original creation(s) or it has sufficient rights to
+     grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+     This License is not intended to limit any rights You have under
+     applicable copyright doctrines of fair use, fair dealing, or other
+     equivalents.
+
+2.7. Conditions
+
+     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
+     Section 2.1.
+
+
+3. Responsibilities
+
+3.1. Distribution of Source Form
+
+     All distribution of Covered Software in Source Code Form, including any
+     Modifications that You create or to which You contribute, must be under
+     the terms of this License. You must inform recipients that the Source
+     Code Form of the Covered Software is governed by the terms of this
+     License, and how they can obtain a copy of this License. You may not
+     attempt to alter or restrict the recipients' rights in the Source Code
+     Form.
+
+3.2. Distribution of Executable Form
+
+     If You distribute Covered Software in Executable Form then:
+
+     a. such Covered Software must also be made available in Source Code Form,
+        as described in Section 3.1, and You must inform recipients of the
+        Executable Form how they can obtain a copy of such Source Code Form by
+        reasonable means in a timely manner, at a charge no more than the cost
+        of distribution to the recipient; and
+
+     b. You may distribute such Executable Form under the terms of this
+        License, or sublicense it under different terms, provided that the
+        license for the Executable Form does not attempt to limit or alter the
+        recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+     You may create and distribute a Larger Work under terms of Your choice,
+     provided that You also comply with the requirements of this License for
+     the Covered Software. If the Larger Work is a combination of Covered
+     Software with a work governed by one or more Secondary Licenses, and the
+     Covered Software is not Incompatible With Secondary Licenses, this
+     License permits You to additionally distribute such Covered Software
+     under the terms of such Secondary License(s), so that the recipient of
+     the Larger Work may, at their option, further distribute the Covered
+     Software under the terms of either this License or such Secondary
+     License(s).
+
+3.4. Notices
+
+     You may not remove or alter the substance of any license notices
+     (including copyright notices, patent notices, disclaimers of warranty, or
+     limitations of liability) contained within the Source Code Form of the
+     Covered Software, except that You may alter any license notices to the
+     extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+     You may choose to offer, and to charge a fee for, warranty, support,
+     indemnity or liability obligations to one or more recipients of Covered
+     Software. However, You may do so only on Your own behalf, and not on
+     behalf of any Contributor. You must make it absolutely clear that any
+     such warranty, support, indemnity, or liability obligation is offered by
+     You alone, and You hereby agree to indemnify every Contributor for any
+     liability incurred by such Contributor as a result of warranty, support,
+     indemnity or liability terms You offer. You may include additional
+     disclaimers of warranty and limitations of liability specific to any
+     jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+
+   If it is impossible for You to comply with any of the terms of this License
+   with respect to some or all of the Covered Software due to statute,
+   judicial order, or regulation then You must: (a) comply with the terms of
+   this License to the maximum extent possible; and (b) describe the
+   limitations and the code they affect. Such description must be placed in a
+   text file included with all distributions of the Covered Software under
+   this License. Except to the extent prohibited by statute or regulation,
+   such description must be sufficiently detailed for a recipient of ordinary
+   skill to be able to understand it.
+
+5. Termination
+
+5.1. The rights granted under this License will terminate automatically if You
+     fail to comply with any of its terms. However, if You become compliant,
+     then the rights granted under this License from a particular Contributor
+     are reinstated (a) provisionally, unless and until such Contributor
+     explicitly and finally terminates Your grants, and (b) on an ongoing
+     basis, if such Contributor fails to notify You of the non-compliance by
+     some reasonable means prior to 60 days after You have come back into
+     compliance. Moreover, Your grants from a particular Contributor are
+     reinstated on an ongoing basis if such Contributor notifies You of the
+     non-compliance by some reasonable means, this is the first time You have
+     received notice of non-compliance with this License from such
+     Contributor, and You become compliant prior to 30 days after Your receipt
+     of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+     infringement claim (excluding declaratory judgment actions,
+     counter-claims, and cross-claims) alleging that a Contributor Version
+     directly or indirectly infringes any patent, then the rights granted to
+     You by any and all Contributors for the Covered Software under Section
+     2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
+     license agreements (excluding distributors and resellers) which have been
+     validly granted by You or Your distributors under this License prior to
+     termination shall survive termination.
+
+6. Disclaimer of Warranty
+
+   Covered Software is provided under this License on an "as is" basis,
+   without warranty of any kind, either expressed, implied, or statutory,
+   including, without limitation, warranties that the Covered Software is free
+   of defects, merchantable, fit for a particular purpose or non-infringing.
+   The entire risk as to the quality and performance of the Covered Software
+   is with You. Should any Covered Software prove defective in any respect,
+   You (not any Contributor) assume the cost of any necessary servicing,
+   repair, or correction. This disclaimer of warranty constitutes an essential
+   part of this License. No use of  any Covered Software is authorized under
+   this License except under this disclaimer.
+
+7. Limitation of Liability
+
+   Under no circumstances and under no legal theory, whether tort (including
+   negligence), contract, or otherwise, shall any Contributor, or anyone who
+   distributes Covered Software as permitted above, be liable to You for any
+   direct, indirect, special, incidental, or consequential damages of any
+   character including, without limitation, damages for lost profits, loss of
+   goodwill, work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses, even if such party shall have been
+   informed of the possibility of such damages. This limitation of liability
+   shall not apply to liability for death or personal injury resulting from
+   such party's negligence to the extent applicable law prohibits such
+   limitation. Some jurisdictions do not allow the exclusion or limitation of
+   incidental or consequential damages, so this exclusion and limitation may
+   not apply to You.
+
+8. Litigation
+
+   Any litigation relating to this License may be brought only in the courts
+   of a jurisdiction where the defendant maintains its principal place of
+   business and such litigation shall be governed by laws of that
+   jurisdiction, without reference to its conflict-of-law provisions. Nothing
+   in this Section shall prevent a party's ability to bring cross-claims or
+   counter-claims.
+
+9. Miscellaneous
+
+   This License represents the complete agreement concerning the subject
+   matter hereof. If any provision of this License is held to be
+   unenforceable, such provision shall be reformed only to the extent
+   necessary to make it enforceable. Any law or regulation which provides that
+   the language of a contract shall be construed against the drafter shall not
+   be used to construe this License against a Contributor.
+
+
+10. Versions of the License
+
+10.1. New Versions
+
+      Mozilla Foundation is the license steward. Except as provided in Section
+      10.3, no one other than the license steward has the right to modify or
+      publish new versions of this License. Each version will be given a
+      distinguishing version number.
+
+10.2. Effect of New Versions
+
+      You may distribute the Covered Software under the terms of the version
+      of the License under which You originally received the Covered Software,
+      or under the terms of any subsequent version published by the license
+      steward.
+
+10.3. Modified Versions
+
+      If you create software not governed by this License, and you want to
+      create a new license for such software, you may create and use a
+      modified version of this License if you rename the license and remove
+      any references to the name of the license steward (except to note that
+      such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+      Licenses If You choose to distribute Source Code Form that is
+      Incompatible With Secondary Licenses under the terms of this version of
+      the License, the notice described in Exhibit B of this License must be
+      attached.
+
+Exhibit A - Source Code Form License Notice
+
+      This Source Code Form is subject to the
+      terms of the Mozilla Public License, v.
+      2.0. If a copy of the MPL was not
+      distributed with this file, You can
+      obtain one at
+      http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file,
+then You may include the notice in a location (such as a LICENSE file in a
+relevant directory) where a recipient would be likely to look for such a
+notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+
+      This Source Code Form is "Incompatible
+      With Secondary Licenses", as defined by
+      the Mozilla Public License, v. 2.0.
+
diff --git a/engine/vendor/github.com/hashicorp/go-immutable-radix/README.md b/engine/vendor/github.com/hashicorp/go-immutable-radix/README.md
new file mode 100644
index 00000000..8910fcc0
--- /dev/null
+++ b/engine/vendor/github.com/hashicorp/go-immutable-radix/README.md
@@ -0,0 +1,41 @@
+go-immutable-radix [![Build Status](https://travis-ci.org/hashicorp/go-immutable-radix.png)](https://travis-ci.org/hashicorp/go-immutable-radix)
+=========
+
+Provides the `iradix` package that implements an immutable [radix tree](http://en.wikipedia.org/wiki/Radix_tree).
+The package only provides a single `Tree` implementation, optimized for sparse nodes.
+
+As a radix tree, it provides the following:
+ * O(k) operations. In many cases, this can be faster than a hash table since
+   the hash function is an O(k) operation, and hash tables have very poor cache locality.
+ * Minimum / Maximum value lookups
+ * Ordered iteration
+
+A tree supports using a transaction to batch multiple updates (insert, delete)
+in a more efficient manner than performing each operation one at a time.
+
+For a mutable variant, see [go-radix](https://github.com/armon/go-radix).
+
+Documentation
+=============
+
+The full documentation is available on [Godoc](http://godoc.org/github.com/hashicorp/go-immutable-radix).
+
+Example
+=======
+
+Below is a simple example of usage
+
+```go
+// Create a tree
+r := iradix.New()
+r, _, _ = r.Insert([]byte("foo"), 1)
+r, _, _ = r.Insert([]byte("bar"), 2)
+r, _, _ = r.Insert([]byte("foobar"), 2)
+
+// Find the longest prefix match
+m, _, _ := r.Root().LongestPrefix([]byte("foozip"))
+if string(m) != "foo" {
+    panic("should be foo")
+}
+```
+
diff --git a/engine/vendor/github.com/hashicorp/go-immutable-radix/edges.go b/engine/vendor/github.com/hashicorp/go-immutable-radix/edges.go
new file mode 100644
index 00000000..a6367477
--- /dev/null
+++ b/engine/vendor/github.com/hashicorp/go-immutable-radix/edges.go
@@ -0,0 +1,21 @@
+package iradix
+
+import "sort"
+
+type edges []edge
+
+func (e edges) Len() int {
+	return len(e)
+}
+
+func (e edges) Less(i, j int) bool {
+	return e[i].label < e[j].label
+}
+
+func (e edges) Swap(i, j int) {
+	e[i], e[j] = e[j], e[i]
+}
+
+func (e edges) Sort() {
+	sort.Sort(e)
+}
diff --git a/engine/vendor/github.com/hashicorp/go-immutable-radix/iradix.go b/engine/vendor/github.com/hashicorp/go-immutable-radix/iradix.go
new file mode 100644
index 00000000..c7172c40
--- /dev/null
+++ b/engine/vendor/github.com/hashicorp/go-immutable-radix/iradix.go
@@ -0,0 +1,657 @@
+package iradix
+
+import (
+	"bytes"
+	"strings"
+
+	"github.com/hashicorp/golang-lru/simplelru"
+)
+
+const (
+	// defaultModifiedCache is the default size of the modified node
+	// cache used per transaction. This is used to cache the updates
+	// to the nodes near the root, while the leaves do not need to be
+	// cached. This is important for very large transactions to prevent
+	// the modified cache from growing to be enormous. This is also used
+	// to set the max size of the mutation notify maps since those should
+	// also be bounded in a similar way.
+	defaultModifiedCache = 8192
+)
+
+// Tree implements an immutable radix tree. This can be treated as a
+// Dictionary abstract data type. The main advantage over a standard
+// hash map is prefix-based lookups and ordered iteration. The immutability
+// means that it is safe to concurrently read from a Tree without any
+// coordination.
+type Tree struct {
+	root *Node
+	size int
+}
+
+// New returns an empty Tree
+func New() *Tree {
+	t := &Tree{
+		root: &Node{
+			mutateCh: make(chan struct{}),
+		},
+	}
+	return t
+}
+
+// Len is used to return the number of elements in the tree
+func (t *Tree) Len() int {
+	return t.size
+}
+
+// Txn is a transaction on the tree. This transaction is applied
+// atomically and returns a new tree when committed. A transaction
+// is not thread safe, and should only be used by a single goroutine.
+type Txn struct {
+	// root is the modified root for the transaction.
+	root *Node
+
+	// snap is a snapshot of the root node for use if we have to run the
+	// slow notify algorithm.
+	snap *Node
+
+	// size tracks the size of the tree as it is modified during the
+	// transaction.
+	size int
+
+	// writable is a cache of writable nodes that have been created during
+	// the course of the transaction. This allows us to re-use the same
+	// nodes for further writes and avoid unnecessary copies of nodes that
+	// have never been exposed outside the transaction. This will only hold
+	// up to defaultModifiedCache number of entries.
+	writable *simplelru.LRU
+
+	// trackChannels is used to hold channels that need to be notified to
+	// signal mutation of the tree. This will only hold up to
+	// defaultModifiedCache number of entries, after which we will set the
+	// trackOverflow flag, which will cause us to use a more expensive
+	// algorithm to perform the notifications. Mutation tracking is only
+	// performed if trackMutate is true.
+	trackChannels map[chan struct{}]struct{}
+	trackOverflow bool
+	trackMutate   bool
+}
+
+// Txn starts a new transaction that can be used to mutate the tree
+func (t *Tree) Txn() *Txn {
+	txn := &Txn{
+		root: t.root,
+		snap: t.root,
+		size: t.size,
+	}
+	return txn
+}
+
+// TrackMutate can be used to toggle if mutations are tracked. If this is enabled
+// then notifications will be issued for affected internal nodes and leaves when
+// the transaction is committed.
+func (t *Txn) TrackMutate(track bool) {
+	t.trackMutate = track
+}
+
+// trackChannel safely attempts to track the given mutation channel, setting the
+// overflow flag if we can no longer track any more. This limits the amount of
+// state that will accumulate during a transaction and we have a slower algorithm
+// to switch to if we overflow.
+func (t *Txn) trackChannel(ch chan struct{}) {
+	// In overflow, make sure we don't store any more objects.
+	if t.trackOverflow {
+		return
+	}
+
+	// If this would overflow the state we reject it and set the flag (since
+	// we aren't tracking everything that's required any longer).
+	if len(t.trackChannels) >= defaultModifiedCache {
+		// Mark that we are in the overflow state
+		t.trackOverflow = true
+
+		// Clear the map so that the channels can be garbage collected. It is
+		// safe to do this since we have already overflowed and will be using
+		// the slow notify algorithm.
+		t.trackChannels = nil
+		return
+	}
+
+	// Create the map on the fly when we need it.
+	if t.trackChannels == nil {
+		t.trackChannels = make(map[chan struct{}]struct{})
+	}
+
+	// Otherwise we are good to track it.
+	t.trackChannels[ch] = struct{}{}
+}
+
+// writeNode returns a node to be modified, if the current node has already been
+// modified during the course of the transaction, it is used in-place. Set
+// forLeafUpdate to true if you are getting a write node to update the leaf,
+// which will set leaf mutation tracking appropriately as well.
+func (t *Txn) writeNode(n *Node, forLeafUpdate bool) *Node {
+	// Ensure the writable set exists.
+	if t.writable == nil {
+		lru, err := simplelru.NewLRU(defaultModifiedCache, nil)
+		if err != nil {
+			panic(err)
+		}
+		t.writable = lru
+	}
+
+	// If this node has already been modified, we can continue to use it
+	// during this transaction. We know that we don't need to track it for
+	// a node update since the node is writable, but if this is for a leaf
+	// update we track it, in case the initial write to this node didn't
+	// update the leaf.
+	if _, ok := t.writable.Get(n); ok {
+		if t.trackMutate && forLeafUpdate && n.leaf != nil {
+			t.trackChannel(n.leaf.mutateCh)
+		}
+		return n
+	}
+
+	// Mark this node as being mutated.
+	if t.trackMutate {
+		t.trackChannel(n.mutateCh)
+	}
+
+	// Mark its leaf as being mutated, if appropriate.
+	if t.trackMutate && forLeafUpdate && n.leaf != nil {
+		t.trackChannel(n.leaf.mutateCh)
+	}
+
+	// Copy the existing node. If you have set forLeafUpdate it will be
+	// safe to replace this leaf with another after you get your node for
+	// writing. You MUST replace it, because the channel associated with
+	// this leaf will be closed when this transaction is committed.
+	nc := &Node{
+		mutateCh: make(chan struct{}),
+		leaf:     n.leaf,
+	}
+	if n.prefix != nil {
+		nc.prefix = make([]byte, len(n.prefix))
+		copy(nc.prefix, n.prefix)
+	}
+	if len(n.edges) != 0 {
+		nc.edges = make([]edge, len(n.edges))
+		copy(nc.edges, n.edges)
+	}
+
+	// Mark this node as writable.
+	t.writable.Add(nc, nil)
+	return nc
+}
+
+// Visit all the nodes in the tree under n, and add their mutateChannels to the transaction
+// Returns the size of the subtree visited
+func (t *Txn) trackChannelsAndCount(n *Node) int {
+	// Count only leaf nodes
+	leaves := 0
+	if n.leaf != nil {
+		leaves = 1
+	}
+	// Mark this node as being mutated.
+	if t.trackMutate {
+		t.trackChannel(n.mutateCh)
+	}
+
+	// Mark its leaf as being mutated, if appropriate.
+	if t.trackMutate && n.leaf != nil {
+		t.trackChannel(n.leaf.mutateCh)
+	}
+
+	// Recurse on the children
+	for _, e := range n.edges {
+		leaves += t.trackChannelsAndCount(e.node)
+	}
+	return leaves
+}
+
+// mergeChild is called to collapse the given node with its child. This is only
+// called when the given node is not a leaf and has a single edge.
+func (t *Txn) mergeChild(n *Node) {
+	// Mark the child node as being mutated since we are about to abandon
+	// it. We don't need to mark the leaf since we are retaining it if it
+	// is there.
+	e := n.edges[0]
+	child := e.node
+	if t.trackMutate {
+		t.trackChannel(child.mutateCh)
+	}
+
+	// Merge the nodes.
+	n.prefix = concat(n.prefix, child.prefix)
+	n.leaf = child.leaf
+	if len(child.edges) != 0 {
+		n.edges = make([]edge, len(child.edges))
+		copy(n.edges, child.edges)
+	} else {
+		n.edges = nil
+	}
+}
+
+// insert does a recursive insertion
+func (t *Txn) insert(n *Node, k, search []byte, v interface{}) (*Node, interface{}, bool) {
+	// Handle key exhaustion
+	if len(search) == 0 {
+		var oldVal interface{}
+		didUpdate := false
+		if n.isLeaf() {
+			oldVal = n.leaf.val
+			didUpdate = true
+		}
+
+		nc := t.writeNode(n, true)
+		nc.leaf = &leafNode{
+			mutateCh: make(chan struct{}),
+			key:      k,
+			val:      v,
+		}
+		return nc, oldVal, didUpdate
+	}
+
+	// Look for the edge
+	idx, child := n.getEdge(search[0])
+
+	// No edge, create one
+	if child == nil {
+		e := edge{
+			label: search[0],
+			node: &Node{
+				mutateCh: make(chan struct{}),
+				leaf: &leafNode{
+					mutateCh: make(chan struct{}),
+					key:      k,
+					val:      v,
+				},
+				prefix: search,
+			},
+		}
+		nc := t.writeNode(n, false)
+		nc.addEdge(e)
+		return nc, nil, false
+	}
+
+	// Determine longest prefix of the search key on match
+	commonPrefix := longestPrefix(search, child.prefix)
+	if commonPrefix == len(child.prefix) {
+		search = search[commonPrefix:]
+		newChild, oldVal, didUpdate := t.insert(child, k, search, v)
+		if newChild != nil {
+			nc := t.writeNode(n, false)
+			nc.edges[idx].node = newChild
+			return nc, oldVal, didUpdate
+		}
+		return nil, oldVal, didUpdate
+	}
+
+	// Split the node
+	nc := t.writeNode(n, false)
+	splitNode := &Node{
+		mutateCh: make(chan struct{}),
+		prefix:   search[:commonPrefix],
+	}
+	nc.replaceEdge(edge{
+		label: search[0],
+		node:  splitNode,
+	})
+
+	// Restore the existing child node
+	modChild := t.writeNode(child, false)
+	splitNode.addEdge(edge{
+		label: modChild.prefix[commonPrefix],
+		node:  modChild,
+	})
+	modChild.prefix = modChild.prefix[commonPrefix:]
+
+	// Create a new leaf node
+	leaf := &leafNode{
+		mutateCh: make(chan struct{}),
+		key:      k,
+		val:      v,
+	}
+
+	// If the new key is a subset, add to to this node
+	search = search[commonPrefix:]
+	if len(search) == 0 {
+		splitNode.leaf = leaf
+		return nc, nil, false
+	}
+
+	// Create a new edge for the node
+	splitNode.addEdge(edge{
+		label: search[0],
+		node: &Node{
+			mutateCh: make(chan struct{}),
+			leaf:     leaf,
+			prefix:   search,
+		},
+	})
+	return nc, nil, false
+}
+
+// delete does a recursive deletion
+func (t *Txn) delete(parent, n *Node, search []byte) (*Node, *leafNode) {
+	// Check for key exhaustion
+	if len(search) == 0 {
+		if !n.isLeaf() {
+			return nil, nil
+		}
+
+		// Remove the leaf node
+		nc := t.writeNode(n, true)
+		nc.leaf = nil
+
+		// Check if this node should be merged
+		if n != t.root && len(nc.edges) == 1 {
+			t.mergeChild(nc)
+		}
+		return nc, n.leaf
+	}
+
+	// Look for an edge
+	label := search[0]
+	idx, child := n.getEdge(label)
+	if child == nil || !bytes.HasPrefix(search, child.prefix) {
+		return nil, nil
+	}
+
+	// Consume the search prefix
+	search = search[len(child.prefix):]
+	newChild, leaf := t.delete(n, child, search)
+	if newChild == nil {
+		return nil, nil
+	}
+
+	// Copy this node. WATCH OUT - it's safe to pass "false" here because we
+	// will only ADD a leaf via nc.mergeChild() if there isn't one due to
+	// the !nc.isLeaf() check in the logic just below. This is pretty subtle,
+	// so be careful if you change any of the logic here.
+	nc := t.writeNode(n, false)
+
+	// Delete the edge if the node has no edges
+	if newChild.leaf == nil && len(newChild.edges) == 0 {
+		nc.delEdge(label)
+		if n != t.root && len(nc.edges) == 1 && !nc.isLeaf() {
+			t.mergeChild(nc)
+		}
+	} else {
+		nc.edges[idx].node = newChild
+	}
+	return nc, leaf
+}
+
+// delete does a recursive deletion
+func (t *Txn) deletePrefix(parent, n *Node, search []byte) (*Node, int) {
+	// Check for key exhaustion
+	if len(search) == 0 {
+		nc := t.writeNode(n, true)
+		if n.isLeaf() {
+			nc.leaf = nil
+		}
+		nc.edges = nil
+		return nc, t.trackChannelsAndCount(n)
+	}
+
+	// Look for an edge
+	label := search[0]
+	idx, child := n.getEdge(label)
+	// We make sure that either the child node's prefix starts with the search term, or the search term starts with the child node's prefix
+	// Need to do both so that we can delete prefixes that don't correspond to any node in the tree
+	if child == nil || (!bytes.HasPrefix(child.prefix, search) && !bytes.HasPrefix(search, child.prefix)) {
+		return nil, 0
+	}
+
+	// Consume the search prefix
+	if len(child.prefix) > len(search) {
+		search = []byte("")
+	} else {
+		search = search[len(child.prefix):]
+	}
+	newChild, numDeletions := t.deletePrefix(n, child, search)
+	if newChild == nil {
+		return nil, 0
+	}
+	// Copy this node. WATCH OUT - it's safe to pass "false" here because we
+	// will only ADD a leaf via nc.mergeChild() if there isn't one due to
+	// the !nc.isLeaf() check in the logic just below. This is pretty subtle,
+	// so be careful if you change any of the logic here.
+
+	nc := t.writeNode(n, false)
+
+	// Delete the edge if the node has no edges
+	if newChild.leaf == nil && len(newChild.edges) == 0 {
+		nc.delEdge(label)
+		if n != t.root && len(nc.edges) == 1 && !nc.isLeaf() {
+			t.mergeChild(nc)
+		}
+	} else {
+		nc.edges[idx].node = newChild
+	}
+	return nc, numDeletions
+}
+
+// Insert is used to add or update a given key. The return provides
+// the previous value and a bool indicating if any was set.
+func (t *Txn) Insert(k []byte, v interface{}) (interface{}, bool) {
+	newRoot, oldVal, didUpdate := t.insert(t.root, k, k, v)
+	if newRoot != nil {
+		t.root = newRoot
+	}
+	if !didUpdate {
+		t.size++
+	}
+	return oldVal, didUpdate
+}
+
+// Delete is used to delete a given key. Returns the old value if any,
+// and a bool indicating if the key was set.
+func (t *Txn) Delete(k []byte) (interface{}, bool) {
+	newRoot, leaf := t.delete(nil, t.root, k)
+	if newRoot != nil {
+		t.root = newRoot
+	}
+	if leaf != nil {
+		t.size--
+		return leaf.val, true
+	}
+	return nil, false
+}
+
+// DeletePrefix is used to delete an entire subtree that matches the prefix
+// This will delete all nodes under that prefix
+func (t *Txn) DeletePrefix(prefix []byte) bool {
+	newRoot, numDeletions := t.deletePrefix(nil, t.root, prefix)
+	if newRoot != nil {
+		t.root = newRoot
+		t.size = t.size - numDeletions
+		return true
+	}
+	return false
+
+}
+
+// Root returns the current root of the radix tree within this
+// transaction. The root is not safe across insert and delete operations,
+// but can be used to read the current state during a transaction.
+func (t *Txn) Root() *Node {
+	return t.root
+}
+
+// Get is used to lookup a specific key, returning
+// the value and if it was found
+func (t *Txn) Get(k []byte) (interface{}, bool) {
+	return t.root.Get(k)
+}
+
+// GetWatch is used to lookup a specific key, returning
+// the watch channel, value and if it was found
+func (t *Txn) GetWatch(k []byte) (<-chan struct{}, interface{}, bool) {
+	return t.root.GetWatch(k)
+}
+
+// Commit is used to finalize the transaction and return a new tree. If mutation
+// tracking is turned on then notifications will also be issued.
+func (t *Txn) Commit() *Tree {
+	nt := t.CommitOnly()
+	if t.trackMutate {
+		t.Notify()
+	}
+	return nt
+}
+
+// CommitOnly is used to finalize the transaction and return a new tree, but
+// does not issue any notifications until Notify is called.
+func (t *Txn) CommitOnly() *Tree {
+	nt := &Tree{t.root, t.size}
+	t.writable = nil
+	return nt
+}
+
+// slowNotify does a complete comparison of the before and after trees in order
+// to trigger notifications. This doesn't require any additional state but it
+// is very expensive to compute.
+func (t *Txn) slowNotify() {
+	snapIter := t.snap.rawIterator()
+	rootIter := t.root.rawIterator()
+	for snapIter.Front() != nil || rootIter.Front() != nil {
+		// If we've exhausted the nodes in the old snapshot, we know
+		// there's nothing remaining to notify.
+		if snapIter.Front() == nil {
+			return
+		}
+		snapElem := snapIter.Front()
+
+		// If we've exhausted the nodes in the new root, we know we need
+		// to invalidate everything that remains in the old snapshot. We
+		// know from the loop condition there's something in the old
+		// snapshot.
+		if rootIter.Front() == nil {
+			close(snapElem.mutateCh)
+			if snapElem.isLeaf() {
+				close(snapElem.leaf.mutateCh)
+			}
+			snapIter.Next()
+			continue
+		}
+
+		// Do one string compare so we can check the various conditions
+		// below without repeating the compare.
+		cmp := strings.Compare(snapIter.Path(), rootIter.Path())
+
+		// If the snapshot is behind the root, then we must have deleted
+		// this node during the transaction.
+		if cmp < 0 {
+			close(snapElem.mutateCh)
+			if snapElem.isLeaf() {
+				close(snapElem.leaf.mutateCh)
+			}
+			snapIter.Next()
+			continue
+		}
+
+		// If the snapshot is ahead of the root, then we must have added
+		// this node during the transaction.
+		if cmp > 0 {
+			rootIter.Next()
+			continue
+		}
+
+		// If we have the same path, then we need to see if we mutated a
+		// node and possibly the leaf.
+		rootElem := rootIter.Front()
+		if snapElem != rootElem {
+			close(snapElem.mutateCh)
+			if snapElem.leaf != nil && (snapElem.leaf != rootElem.leaf) {
+				close(snapElem.leaf.mutateCh)
+			}
+		}
+		snapIter.Next()
+		rootIter.Next()
+	}
+}
+
+// Notify is used along with TrackMutate to trigger notifications. This must
+// only be done once a transaction is committed via CommitOnly, and it is called
+// automatically by Commit.
+func (t *Txn) Notify() {
+	if !t.trackMutate {
+		return
+	}
+
+	// If we've overflowed the tracking state we can't use it in any way and
+	// need to do a full tree compare.
+	if t.trackOverflow {
+		t.slowNotify()
+	} else {
+		for ch := range t.trackChannels {
+			close(ch)
+		}
+	}
+
+	// Clean up the tracking state so that a re-notify is safe (will trigger
+	// the else clause above which will be a no-op).
+	t.trackChannels = nil
+	t.trackOverflow = false
+}
+
+// Insert is used to add or update a given key. The return provides
+// the new tree, previous value and a bool indicating if any was set.
+func (t *Tree) Insert(k []byte, v interface{}) (*Tree, interface{}, bool) {
+	txn := t.Txn()
+	old, ok := txn.Insert(k, v)
+	return txn.Commit(), old, ok
+}
+
+// Delete is used to delete a given key. Returns the new tree,
+// old value if any, and a bool indicating if the key was set.
+func (t *Tree) Delete(k []byte) (*Tree, interface{}, bool) {
+	txn := t.Txn()
+	old, ok := txn.Delete(k)
+	return txn.Commit(), old, ok
+}
+
+// DeletePrefix is used to delete all nodes starting with a given prefix. Returns the new tree,
+// and a bool indicating if the prefix matched any nodes
+func (t *Tree) DeletePrefix(k []byte) (*Tree, bool) {
+	txn := t.Txn()
+	ok := txn.DeletePrefix(k)
+	return txn.Commit(), ok
+}
+
+// Root returns the root node of the tree which can be used for richer
+// query operations.
+func (t *Tree) Root() *Node {
+	return t.root
+}
+
+// Get is used to lookup a specific key, returning
+// the value and if it was found
+func (t *Tree) Get(k []byte) (interface{}, bool) {
+	return t.root.Get(k)
+}
+
+// longestPrefix finds the length of the shared prefix
+// of two strings
+func longestPrefix(k1, k2 []byte) int {
+	max := len(k1)
+	if l := len(k2); l < max {
+		max = l
+	}
+	var i int
+	for i = 0; i < max; i++ {
+		if k1[i] != k2[i] {
+			break
+		}
+	}
+	return i
+}
+
+// concat two byte slices, returning a third new copy
+func concat(a, b []byte) []byte {
+	c := make([]byte, len(a)+len(b))
+	copy(c, a)
+	copy(c[len(a):], b)
+	return c
+}
diff --git a/engine/vendor/github.com/hashicorp/go-immutable-radix/iter.go b/engine/vendor/github.com/hashicorp/go-immutable-radix/iter.go
new file mode 100644
index 00000000..9815e025
--- /dev/null
+++ b/engine/vendor/github.com/hashicorp/go-immutable-radix/iter.go
@@ -0,0 +1,91 @@
+package iradix
+
+import "bytes"
+
+// Iterator is used to iterate over a set of nodes
+// in pre-order
+type Iterator struct {
+	node  *Node
+	stack []edges
+}
+
+// SeekPrefixWatch is used to seek the iterator to a given prefix
+// and returns the watch channel of the finest granularity
+func (i *Iterator) SeekPrefixWatch(prefix []byte) (watch <-chan struct{}) {
+	// Wipe the stack
+	i.stack = nil
+	n := i.node
+	watch = n.mutateCh
+	search := prefix
+	for {
+		// Check for key exhaution
+		if len(search) == 0 {
+			i.node = n
+			return
+		}
+
+		// Look for an edge
+		_, n = n.getEdge(search[0])
+		if n == nil {
+			i.node = nil
+			return
+		}
+
+		// Update to the finest granularity as the search makes progress
+		watch = n.mutateCh
+
+		// Consume the search prefix
+		if bytes.HasPrefix(search, n.prefix) {
+			search = search[len(n.prefix):]
+
+		} else if bytes.HasPrefix(n.prefix, search) {
+			i.node = n
+			return
+		} else {
+			i.node = nil
+			return
+		}
+	}
+}
+
+// SeekPrefix is used to seek the iterator to a given prefix
+func (i *Iterator) SeekPrefix(prefix []byte) {
+	i.SeekPrefixWatch(prefix)
+}
+
+// Next returns the next node in order
+func (i *Iterator) Next() ([]byte, interface{}, bool) {
+	// Initialize our stack if needed
+	if i.stack == nil && i.node != nil {
+		i.stack = []edges{
+			edges{
+				edge{node: i.node},
+			},
+		}
+	}
+
+	for len(i.stack) > 0 {
+		// Inspect the last element of the stack
+		n := len(i.stack)
+		last := i.stack[n-1]
+		elem := last[0].node
+
+		// Update the stack
+		if len(last) > 1 {
+			i.stack[n-1] = last[1:]
+		} else {
+			i.stack = i.stack[:n-1]
+		}
+
+		// Push the edges onto the frontier
+		if len(elem.edges) > 0 {
+			i.stack = append(i.stack, elem.edges)
+		}
+
+		// Return the leaf values if any
+		if elem.leaf != nil {
+			return elem.leaf.key, elem.leaf.val, true
+		}
+	}
+	return nil, nil, false
+}
diff --git a/engine/vendor/github.com/hashicorp/go-immutable-radix/node.go b/engine/vendor/github.com/hashicorp/go-immutable-radix/node.go
new file mode 100644
index 00000000..ef494fa7
--- /dev/null
+++ b/engine/vendor/github.com/hashicorp/go-immutable-radix/node.go
@@ -0,0 +1,352 @@
+package iradix
+
+import (
+	"bytes"
+	"sort"
+)
+
+// WalkFn is used when walking the tree. Takes a
+// key and value, returning if iteration should
+// be terminated.
+type WalkFn func(k []byte, v interface{}) bool
+
+// leafNode is used to represent a value
+type leafNode struct {
+	mutateCh chan struct{}
+	key      []byte
+	val      interface{}
+}
+
+// edge is used to represent an edge node
+type edge struct {
+	label byte
+	node  *Node
+}
+
+// Node is an immutable node in the radix tree
+type Node struct {
+	// mutateCh is closed if this node is modified
+	mutateCh chan struct{}
+
+	// leaf is used to store possible leaf
+	leaf *leafNode
+
+	// prefix is the common prefix we ignore
+	prefix []byte
+
+	// Edges should be stored in-order for iteration.
+	// We avoid a fully materialized slice to save memory,
+	// since in most cases we expect to be sparse
+	edges edges
+}
+
+func (n *Node) isLeaf() bool {
+	return n.leaf != nil
+}
+
+func (n *Node) addEdge(e edge) {
+	num := len(n.edges)
+	idx := sort.Search(num, func(i int) bool {
+		return n.edges[i].label >= e.label
+	})
+	n.edges = append(n.edges, e)
+	if idx != num {
+		copy(n.edges[idx+1:], n.edges[idx:num])
+		n.edges[idx] = e
+	}
+}
+
+func (n *Node) replaceEdge(e edge) {
+	num := len(n.edges)
+	idx := sort.Search(num, func(i int) bool {
+		return n.edges[i].label >= e.label
+	})
+	if idx < num && n.edges[idx].label == e.label {
+		n.edges[idx].node = e.node
+		return
+	}
+	panic("replacing missing edge")
+}
+
+func (n *Node) getEdge(label byte) (int, *Node) {
+	num := len(n.edges)
+	idx := sort.Search(num, func(i int) bool {
+		return n.edges[i].label >= label
+	})
+	if idx < num && n.edges[idx].label == label {
+		return idx, n.edges[idx].node
+	}
+	return -1, nil
+}
+
+func (n *Node) delEdge(label byte) {
+	num := len(n.edges)
+	idx := sort.Search(num, func(i int) bool {
+		return n.edges[i].label >= label
+	})
+	if idx < num && n.edges[idx].label == label {
+		copy(n.edges[idx:], n.edges[idx+1:])
+		n.edges[len(n.edges)-1] = edge{}
+		n.edges = n.edges[:len(n.edges)-1]
+	}
+}
+
+func (n *Node) GetWatch(k []byte) (<-chan struct{}, interface{}, bool) {
+	search := k
+	watch := n.mutateCh
+	for {
+		// Check for key exhaustion
+		if len(search) == 0 {
+			if n.isLeaf() {
+				return n.leaf.mutateCh, n.leaf.val, true
+			}
+			break
+		}
+
+		// Look for an edge
+		_, n = n.getEdge(search[0])
+		if n == nil {
+			break
+		}
+
+		// Update to the finest granularity as the search makes progress
+		watch = n.mutateCh
+
+		// Consume the search prefix
+		if bytes.HasPrefix(search, n.prefix) {
+			search = search[len(n.prefix):]
+		} else {
+			break
+		}
+	}
+	return watch, nil, false
+}
+
+func (n *Node) Get(k []byte) (interface{}, bool) {
+	_, val, ok := n.GetWatch(k)
+	return val, ok
+}
+
+// LongestPrefix is like Get, but instead of an
+// exact match, it will return the longest prefix match.
+func (n *Node) LongestPrefix(k []byte) ([]byte, interface{}, bool) {
+	var last *leafNode
+	search := k
+	for {
+		// Look for a leaf node
+		if n.isLeaf() {
+			last = n.leaf
+		}
+
+		// Check for key exhaution
+		if len(search) == 0 {
+			break
+		}
+
+		// Look for an edge
+		_, n = n.getEdge(search[0])
+		if n == nil {
+			break
+		}
+
+		// Consume the search prefix
+		if bytes.HasPrefix(search, n.prefix) {
+			search = search[len(n.prefix):]
+		} else {
+			break
+		}
+	}
+	if last != nil {
+		return last.key, last.val, true
+	}
+	return nil, nil, false
+}
+
+// Minimum is used to return the minimum value in the tree
+func (n *Node) Minimum() ([]byte, interface{}, bool) {
+	for {
+		if n.isLeaf() {
+			return n.leaf.key, n.leaf.val, true
+		}
+		if len(n.edges) > 0 {
+			n = n.edges[0].node
+		} else {
+			break
+		}
+	}
+	return nil, nil, false
+}
+
+// Maximum is used to return the maximum value in the tree
+func (n *Node) Maximum() ([]byte, interface{}, bool) {
+	for {
+		if num := len(n.edges); num > 0 {
+			n = n.edges[num-1].node
+			continue
+		}
+		if n.isLeaf() {
+			return n.leaf.key, n.leaf.val, true
+		} else {
+			break
+		}
+	}
+	return nil, nil, false
+}
+
+// Iterator is used to return an iterator at
+// the given node to walk the tree
+func (n *Node) Iterator() *Iterator {
+	return &Iterator{node: n}
+}
+
+// rawIterator is used to return a raw iterator at the given node to walk the
+// tree.
+func (n *Node) rawIterator() *rawIterator {
+	iter := &rawIterator{node: n}
+	iter.Next()
+	return iter
+}
+
+// Walk is used to walk the tree
+func (n *Node) Walk(fn WalkFn) {
+	recursiveWalk(n, fn)
+}
+
+// WalkPrefix is used to walk the tree under a prefix
+func (n *Node) WalkPrefix(prefix []byte, fn WalkFn) {
+	search := prefix
+	for {
+		// Check for key exhaution
+		if len(search) == 0 {
+			recursiveWalk(n, fn)
+			return
+		}
+
+		// Look for an edge
+		_, n = n.getEdge(search[0])
+		if n == nil {
+			break
+		}
+
+		// Consume the search prefix
+		if bytes.HasPrefix(search, n.prefix) {
+			search = search[len(n.prefix):]
+
+		} else if bytes.HasPrefix(n.prefix, search) {
+			// Child may be under our search prefix
+			recursiveWalk(n, fn)
+			return
+		} else {
+			break
+		}
+	}
+}
+
+// WalkPath is used to walk the tree, but only visiting nodes
+// from the root down to a given leaf. Where WalkPrefix walks
+// all the entries *under* the given prefix, this walks the
+// entries *above* the given prefix.
+func (n *Node) WalkPath(path []byte, fn WalkFn) {
+	search := path
+	for {
+		// Visit the leaf values if any
+		if n.leaf != nil && fn(n.leaf.key, n.leaf.val) {
+			return
+		}
+
+		// Check for key exhaution
+		if len(search) == 0 {
+			return
+		}
+
+		// Look for an edge
+		_, n = n.getEdge(search[0])
+		if n == nil {
+			return
+		}
+
+		// Consume the search prefix
+		if bytes.HasPrefix(search, n.prefix) {
+			search = search[len(n.prefix):]
+		} else {
+			break
+		}
+	}
+}
+
+func (n *Node) Seek(prefix []byte) *Seeker {
+	search := prefix
+	p := &pos{n: n}
+	for {
+		// Check for key exhaution
+		if len(search) == 0 {
+			return &Seeker{p}
+		}
+
+		num := len(n.edges)
+		idx := sort.Search(num, func(i int) bool {
+			return n.edges[i].label >= search[0]
+		})
+		p.current = idx
+		if idx < len(n.edges) {
+			n = n.edges[idx].node
+			if bytes.HasPrefix(search, n.prefix) && len(n.edges) > 0 {
+				search = search[len(n.prefix):]
+				p.current++
+				p = &pos{n: n, prev: p}
+				continue
+			}
+		}
+		p.current++
+		return &Seeker{p}
+	}
+}
+
+type Seeker struct {
+	*pos
+}
+
+type pos struct {
+	n       *Node
+	current int
+	prev    *pos
+	isLeaf  bool
+}
+
+func (s *Seeker) Next() (k []byte, v interface{}, ok bool) {
+	if s.current >= len(s.n.edges) {
+		if s.prev == nil {
+			return nil, nil, false
+		}
+		s.pos = s.prev
+		return s.Next()
+	}
+
+	edge := s.n.edges[s.current]
+	s.current++
+	if edge.node.leaf != nil && !s.isLeaf {
+		s.isLeaf = true
+		s.current--
+		return edge.node.leaf.key, edge.node.leaf.val, true
+	}
+	s.isLeaf = false
+	s.pos = &pos{n: edge.node, prev: s.pos}
+	return s.Next()
+}
+
+// recursiveWalk is used to do a pre-order walk of a node
+// recursively. Returns true if the walk should be aborted
+func recursiveWalk(n *Node, fn WalkFn) bool {
+	// Visit the leaf values if any
+	if n.leaf != nil && fn(n.leaf.key, n.leaf.val) {
+		return true
+	}
+
+	// Recurse on the children
+	for _, e := range n.edges {
+		if recursiveWalk(e.node, fn) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/engine/vendor/github.com/hashicorp/go-immutable-radix/raw_iter.go b/engine/vendor/github.com/hashicorp/go-immutable-radix/raw_iter.go
new file mode 100644
index 00000000..04814c13
--- /dev/null
+++ b/engine/vendor/github.com/hashicorp/go-immutable-radix/raw_iter.go
@@ -0,0 +1,78 @@
+package iradix
+
+// rawIterator visits each of the nodes in the tree, even the ones that are not
+// leaves. It keeps track of the effective path (what a leaf at a given node
+// would be called), which is useful for comparing trees.
+type rawIterator struct {
+	// node is the starting node in the tree for the iterator.
+	node *Node
+
+	// stack keeps track of edges in the frontier.
+	stack []rawStackEntry
+
+	// pos is the current position of the iterator.
+	pos *Node
+
+	// path is the effective path of the current iterator position,
+	// regardless of whether the current node is a leaf.
+	path string
+}
+
+// rawStackEntry is used to keep track of the cumulative common path as well as
+// its associated edges in the frontier.
+type rawStackEntry struct {
+	path  string
+	edges edges
+}
+
+// Front returns the current node that has been iterated to.
+func (i *rawIterator) Front() *Node {
+	return i.pos
+}
+
+// Path returns the effective path of the current node, even if it's not actually
+// a leaf.
+func (i *rawIterator) Path() string {
+	return i.path
+}
+
+// Next advances the iterator to the next node.
+func (i *rawIterator) Next() {
+	// Initialize our stack if needed.
+	if i.stack == nil && i.node != nil {
+		i.stack = []rawStackEntry{
+			rawStackEntry{
+				edges: edges{
+					edge{node: i.node},
+				},
+			},
+		}
+	}
+
+	for len(i.stack) > 0 {
+		// Inspect the last element of the stack.
+		n := len(i.stack)
+		last := i.stack[n-1]
+		elem := last.edges[0].node
+
+		// Update the stack.
+		if len(last.edges) > 1 {
+			i.stack[n-1].edges = last.edges[1:]
+		} else {
+			i.stack = i.stack[:n-1]
+		}
+
+		// Push the edges onto the frontier.
+		if len(elem.edges) > 0 {
+			path := last.path + string(elem.prefix)
+			i.stack = append(i.stack, rawStackEntry{path, elem.edges})
+		}
+
+		i.pos = elem
+		i.path = last.path + string(elem.prefix)
+		return
+	}
+
+	i.pos = nil
+	i.path = ""
+}
diff --git a/engine/vendor/github.com/ishidawataru/sctp/LICENSE b/engine/vendor/github.com/ishidawataru/sctp/LICENSE
new file mode 100644
index 00000000..8dada3ed
--- /dev/null
+++ b/engine/vendor/github.com/ishidawataru/sctp/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/engine/vendor/github.com/ishidawataru/sctp/README.md b/engine/vendor/github.com/ishidawataru/sctp/README.md
new file mode 100644
index 00000000..574ececa
--- /dev/null
+++ b/engine/vendor/github.com/ishidawataru/sctp/README.md
@@ -0,0 +1,18 @@
+Stream Control Transmission Protocol (SCTP)
+----
+
+[![Build Status](https://travis-ci.org/ishidawataru/sctp.svg?branch=master)](https://travis-ci.org/ishidawataru/sctp/builds)
+
+Examples
+----
+
+See `example/sctp.go`
+
+```go
+$ cd example
+$ go build
+$ # run example SCTP server
+$ ./example -server -port 1000 -ip 10.10.0.1,10.20.0.1
+$ # run example SCTP client
+$ ./example -port 1000 -ip 10.10.0.1,10.20.0.1
+```
diff --git a/engine/vendor/github.com/ishidawataru/sctp/sctp.go b/engine/vendor/github.com/ishidawataru/sctp/sctp.go
new file mode 100644
index 00000000..cac1a889
--- /dev/null
+++ b/engine/vendor/github.com/ishidawataru/sctp/sctp.go
@@ -0,0 +1,656 @@
+package sctp
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"syscall"
+	"time"
+	"unsafe"
+)
+
+const (
+	SOL_SCTP = 132
+
+	SCTP_BINDX_ADD_ADDR = 0x01
+	SCTP_BINDX_REM_ADDR = 0x02
+
+	MSG_NOTIFICATION = 0x8000
+)
+
+const (
+	SCTP_RTOINFO = iota
+	SCTP_ASSOCINFO
+	SCTP_INITMSG
+	SCTP_NODELAY
+	SCTP_AUTOCLOSE
+	SCTP_SET_PEER_PRIMARY_ADDR
+	SCTP_PRIMARY_ADDR
+	SCTP_ADAPTATION_LAYER
+	SCTP_DISABLE_FRAGMENTS
+	SCTP_PEER_ADDR_PARAMS
+	SCTP_DEFAULT_SENT_PARAM
+	SCTP_EVENTS
+	SCTP_I_WANT_MAPPED_V4_ADDR
+	SCTP_MAXSEG
+	SCTP_STATUS
+	SCTP_GET_PEER_ADDR_INFO
+	SCTP_DELAYED_ACK_TIME
+	SCTP_DELAYED_ACK  = SCTP_DELAYED_ACK_TIME
+	SCTP_DELAYED_SACK = SCTP_DELAYED_ACK_TIME
+
+	SCTP_SOCKOPT_BINDX_ADD = 100
+	SCTP_SOCKOPT_BINDX_REM = 101
+	SCTP_SOCKOPT_PEELOFF   = 102
+	SCTP_GET_PEER_ADDRS    = 108
+	SCTP_GET_LOCAL_ADDRS   = 109
+	SCTP_SOCKOPT_CONNECTX  = 110
+	SCTP_SOCKOPT_CONNECTX3 = 111
+)
+
+const (
+	SCTP_EVENT_DATA_IO = 1 << iota
+	SCTP_EVENT_ASSOCIATION
+	SCTP_EVENT_ADDRESS
+	SCTP_EVENT_SEND_FAILURE
+	SCTP_EVENT_PEER_ERROR
+	SCTP_EVENT_SHUTDOWN
+	SCTP_EVENT_PARTIAL_DELIVERY
+	SCTP_EVENT_ADAPTATION_LAYER
+	SCTP_EVENT_AUTHENTICATION
+	SCTP_EVENT_SENDER_DRY
+
+	SCTP_EVENT_ALL = SCTP_EVENT_DATA_IO | SCTP_EVENT_ASSOCIATION | SCTP_EVENT_ADDRESS | SCTP_EVENT_SEND_FAILURE | SCTP_EVENT_PEER_ERROR | SCTP_EVENT_SHUTDOWN | SCTP_EVENT_PARTIAL_DELIVERY | SCTP_EVENT_ADAPTATION_LAYER | SCTP_EVENT_AUTHENTICATION | SCTP_EVENT_SENDER_DRY
+)
+
+type SCTPNotificationType int
+
+const (
+	SCTP_SN_TYPE_BASE = SCTPNotificationType(iota + (1 << 15))
+	SCTP_ASSOC_CHANGE
+	SCTP_PEER_ADDR_CHANGE
+	SCTP_SEND_FAILED
+	SCTP_REMOTE_ERROR
+	SCTP_SHUTDOWN_EVENT
+	SCTP_PARTIAL_DELIVERY_EVENT
+	SCTP_ADAPTATION_INDICATION
+	SCTP_AUTHENTICATION_INDICATION
+	SCTP_SENDER_DRY_EVENT
+)
+
+type NotificationHandler func([]byte) error
+
+type EventSubscribe struct {
+	DataIO          uint8
+	Association     uint8
+	Address         uint8
+	SendFailure     uint8
+	PeerError       uint8
+	Shutdown        uint8
+	PartialDelivery uint8
+	AdaptationLayer uint8
+	Authentication  uint8
+	SenderDry       uint8
+}
+
+const (
+	SCTP_CMSG_INIT = iota
+	SCTP_CMSG_SNDRCV
+	SCTP_CMSG_SNDINFO
+	SCTP_CMSG_RCVINFO
+	SCTP_CMSG_NXTINFO
+)
+
+const (
+	SCTP_UNORDERED = 1 << iota
+	SCTP_ADDR_OVER
+	SCTP_ABORT
+	SCTP_SACK_IMMEDIATELY
+	SCTP_EOF
+)
+
+const (
+	SCTP_MAX_STREAM = 0xffff
+)
+
+type InitMsg struct {
+	NumOstreams    uint16
+	MaxInstreams   uint16
+	MaxAttempts    uint16
+	MaxInitTimeout uint16
+}
+
+type SndRcvInfo struct {
+	Stream  uint16
+	SSN     uint16
+	Flags   uint16
+	_       uint16
+	PPID    uint32
+	Context uint32
+	TTL     uint32
+	TSN     uint32
+	CumTSN  uint32
+	AssocID int32
+}
+
+type SndInfo struct {
+	SID     uint16
+	Flags   uint16
+	PPID    uint32
+	Context uint32
+	AssocID int32
+}
+
+type GetAddrsOld struct {
+	AssocID int32
+	AddrNum int32
+	Addrs   uintptr
+}
+
+type NotificationHeader struct {
+	Type   uint16
+	Flags  uint16
+	Length uint32
+}
+
+type SCTPState uint16
+
+const (
+	SCTP_COMM_UP = SCTPState(iota)
+	SCTP_COMM_LOST
+	SCTP_RESTART
+	SCTP_SHUTDOWN_COMP
+	SCTP_CANT_STR_ASSOC
+)
+
+var nativeEndian binary.ByteOrder
+var sndRcvInfoSize uintptr
+
+func init() {
+	i := uint16(1)
+	if *(*byte)(unsafe.Pointer(&i)) == 0 {
+		nativeEndian = binary.BigEndian
+	} else {
+		nativeEndian = binary.LittleEndian
+	}
+	info := SndRcvInfo{}
+	sndRcvInfoSize = unsafe.Sizeof(info)
+}
+
+func toBuf(v interface{}) []byte {
+	var buf bytes.Buffer
+	binary.Write(&buf, nativeEndian, v)
+	return buf.Bytes()
+}
+
+func htons(h uint16) uint16 {
+	if nativeEndian == binary.LittleEndian {
+		return (h << 8 & 0xff00) | (h >> 8 & 0xff)
+	}
+	return h
+}
+
+var ntohs = htons
+
+func setNumOstreams(fd, num int) error {
+	param := InitMsg{
+		NumOstreams: uint16(num),
+	}
+	optlen := unsafe.Sizeof(param)
+	_, _, err := setsockopt(fd, SCTP_INITMSG, uintptr(unsafe.Pointer(&param)), uintptr(optlen))
+	return err
+}
+
+type SCTPAddr struct {
+	IP   []net.IP
+	Port int
+}
+
+func (a *SCTPAddr) ToRawSockAddrBuf() []byte {
+	buf := []byte{}
+	p := htons(uint16(a.Port))
+	for _, ip := range a.IP {
+		if ip.To4() != nil {
+			s := syscall.RawSockaddrInet4{
+				Family: syscall.AF_INET,
+				Port:   p,
+			}
+			copy(s.Addr[:], ip.To4())
+			buf = append(buf, toBuf(s)...)
+		} else {
+			s := syscall.RawSockaddrInet6{
+				Family: syscall.AF_INET6,
+				Port:   p,
+			}
+			copy(s.Addr[:], ip)
+			buf = append(buf, toBuf(s)...)
+		}
+	}
+	return buf
+}
+
+func (a *SCTPAddr) String() string {
+	var b bytes.Buffer
+
+	for n, i := range a.IP {
+		if a.IP[n].To4() != nil {
+			b.WriteString(i.String())
+		} else if a.IP[n].To16() != nil {
+			b.WriteRune('[')
+			b.WriteString(i.String())
+			b.WriteRune(']')
+		}
+		if n < len(a.IP)-1 {
+			b.WriteRune('/')
+		}
+	}
+	b.WriteRune(':')
+	b.WriteString(strconv.Itoa(a.Port))
+	return b.String()
+}
+
+func (a *SCTPAddr) Network() string { return "sctp" }
+
+func ResolveSCTPAddr(network, addrs string) (*SCTPAddr, error) {
+	tcpnet := ""
+	switch network {
+	case "", "sctp":
+	case "sctp4":
+		tcpnet = "tcp4"
+	case "sctp6":
+		tcpnet = "tcp6"
+	default:
+		return nil, fmt.Errorf("invalid net: %s", network)
+	}
+	elems := strings.Split(addrs, "/")
+	if len(elems) == 0 {
+		return nil, fmt.Errorf("invalid input: %s", addrs)
+	}
+	ipaddrs := make([]net.IP, 0, len(elems))
+	for _, e := range elems[:len(elems)-1] {
+		tcpa, err := net.ResolveTCPAddr(tcpnet, e+":")
+		if err != nil {
+			return nil, err
+		}
+		ipaddrs = append(ipaddrs, tcpa.IP)
+	}
+	tcpa, err := net.ResolveTCPAddr(tcpnet, elems[len(elems)-1])
+	if err != nil {
+		return nil, err
+	}
+	if tcpa.IP != nil {
+		ipaddrs = append(ipaddrs, tcpa.IP)
+	} else {
+		ipaddrs = nil
+	}
+	return &SCTPAddr{
+		IP:   ipaddrs,
+		Port: tcpa.Port,
+	}, nil
+}
+
+func SCTPConnect(fd int, addr *SCTPAddr) (int, error) {
+	buf := addr.ToRawSockAddrBuf()
+	param := GetAddrsOld{
+		AddrNum: int32(len(buf)),
+		Addrs:   uintptr(uintptr(unsafe.Pointer(&buf[0]))),
+	}
+	optlen := unsafe.Sizeof(param)
+	_, _, err := getsockopt(fd, SCTP_SOCKOPT_CONNECTX3, uintptr(unsafe.Pointer(&param)), uintptr(unsafe.Pointer(&optlen)))
+	if err == nil {
+		return int(param.AssocID), nil
+	} else if err != syscall.ENOPROTOOPT {
+		return 0, err
+	}
+	r0, _, err := setsockopt(fd, SCTP_SOCKOPT_CONNECTX, uintptr(unsafe.Pointer(&buf[0])), uintptr(len(buf)))
+	return int(r0), err
+}
+
+func SCTPBind(fd int, addr *SCTPAddr, flags int) error {
+	var option uintptr
+	switch flags {
+	case SCTP_BINDX_ADD_ADDR:
+		option = SCTP_SOCKOPT_BINDX_ADD
+	case SCTP_BINDX_REM_ADDR:
+		option = SCTP_SOCKOPT_BINDX_REM
+	default:
+		return syscall.EINVAL
+	}
+
+	buf := addr.ToRawSockAddrBuf()
+	_, _, err := setsockopt(fd, option, uintptr(unsafe.Pointer(&buf[0])), uintptr(len(buf)))
+	return err
+}
+
+type SCTPConn struct {
+	_fd                 int32
+	notificationHandler NotificationHandler
+}
+
+func (c *SCTPConn) fd() int {
+	return int(atomic.LoadInt32(&c._fd))
+}
+
+func NewSCTPConn(fd int, handler NotificationHandler) *SCTPConn {
+	conn := &SCTPConn{
+		_fd:                 int32(fd),
+		notificationHandler: handler,
+	}
+	return conn
+}
+
+func (c *SCTPConn) Write(b []byte) (int, error) {
+	return c.SCTPWrite(b, nil)
+}
+
+func (c *SCTPConn) Read(b []byte) (int, error) {
+	n, _, err := c.SCTPRead(b)
+	if n < 0 {
+		n = 0
+	}
+	return n, err
+}
+
+func (c *SCTPConn) SetInitMsg(numOstreams, maxInstreams, maxAttempts, maxInitTimeout int) error {
+	param := InitMsg{
+		NumOstreams:    uint16(numOstreams),
+		MaxInstreams:   uint16(maxInstreams),
+		MaxAttempts:    uint16(maxAttempts),
+		MaxInitTimeout: uint16(maxInitTimeout),
+	}
+	optlen := unsafe.Sizeof(param)
+	_, _, err := setsockopt(c.fd(), SCTP_INITMSG, uintptr(unsafe.Pointer(&param)), uintptr(optlen))
+	return err
+}
+
+func (c *SCTPConn) SubscribeEvents(flags int) error {
+	var d, a, ad, sf, p, sh, pa, ada, au, se uint8
+	if flags&SCTP_EVENT_DATA_IO > 0 {
+		d = 1
+	}
+	if flags&SCTP_EVENT_ASSOCIATION > 0 {
+		a = 1
+	}
+	if flags&SCTP_EVENT_ADDRESS > 0 {
+		ad = 1
+	}
+	if flags&SCTP_EVENT_SEND_FAILURE > 0 {
+		sf = 1
+	}
+	if flags&SCTP_EVENT_PEER_ERROR > 0 {
+		p = 1
+	}
+	if flags&SCTP_EVENT_SHUTDOWN > 0 {
+		sh = 1
+	}
+	if flags&SCTP_EVENT_PARTIAL_DELIVERY > 0 {
+		pa = 1
+	}
+	if flags&SCTP_EVENT_ADAPTATION_LAYER > 0 {
+		ada = 1
+	}
+	if flags&SCTP_EVENT_AUTHENTICATION > 0 {
+		au = 1
+	}
+	if flags&SCTP_EVENT_SENDER_DRY > 0 {
+		se = 1
+	}
+	param := EventSubscribe{
+		DataIO:          d,
+		Association:     a,
+		Address:         ad,
+		SendFailure:     sf,
+		PeerError:       p,
+		Shutdown:        sh,
+		PartialDelivery: pa,
+		AdaptationLayer: ada,
+		Authentication:  au,
+		SenderDry:       se,
+	}
+	optlen := unsafe.Sizeof(param)
+	_, _, err := setsockopt(c.fd(), SCTP_EVENTS, uintptr(unsafe.Pointer(&param)), uintptr(optlen))
+	return err
+}
+
+func (c *SCTPConn) SubscribedEvents() (int, error) {
+	param := EventSubscribe{}
+	optlen := unsafe.Sizeof(param)
+	_, _, err := getsockopt(c.fd(), SCTP_EVENTS, uintptr(unsafe.Pointer(&param)), uintptr(unsafe.Pointer(&optlen)))
+	if err != nil {
+		return 0, err
+	}
+	var flags int
+	if param.DataIO > 0 {
+		flags |= SCTP_EVENT_DATA_IO
+	}
+	if param.Association > 0 {
+		flags |= SCTP_EVENT_ASSOCIATION
+	}
+	if param.Address > 0 {
+		flags |= SCTP_EVENT_ADDRESS
+	}
+	if param.SendFailure > 0 {
+		flags |= SCTP_EVENT_SEND_FAILURE
+	}
+	if param.PeerError > 0 {
+		flags |= SCTP_EVENT_PEER_ERROR
+	}
+	if param.Shutdown > 0 {
+		flags |= SCTP_EVENT_SHUTDOWN
+	}
+	if param.PartialDelivery > 0 {
+		flags |= SCTP_EVENT_PARTIAL_DELIVERY
+	}
+	if param.AdaptationLayer > 0 {
+		flags |= SCTP_EVENT_ADAPTATION_LAYER
+	}
+	if param.Authentication > 0 {
+		flags |= SCTP_EVENT_AUTHENTICATION
+	}
+	if param.SenderDry > 0 {
+		flags |= SCTP_EVENT_SENDER_DRY
+	}
+	return flags, nil
+}
+
+func (c *SCTPConn) SetDefaultSentParam(info *SndRcvInfo) error {
+	optlen := unsafe.Sizeof(*info)
+	_, _, err := setsockopt(c.fd(), SCTP_DEFAULT_SENT_PARAM, uintptr(unsafe.Pointer(info)), uintptr(optlen))
+	return err
+}
+
+func (c *SCTPConn) GetDefaultSentParam() (*SndRcvInfo, error) {
+	info := &SndRcvInfo{}
+	optlen := unsafe.Sizeof(*info)
+	_, _, err := getsockopt(c.fd(), SCTP_DEFAULT_SENT_PARAM, uintptr(unsafe.Pointer(info)), uintptr(unsafe.Pointer(&optlen)))
+	return info, err
+}
+
+func resolveFromRawAddr(ptr unsafe.Pointer, n int) (*SCTPAddr, error) {
+	addr := &SCTPAddr{
+		IP: make([]net.IP, n),
+	}
+
+	switch family := (*(*syscall.RawSockaddrAny)(ptr)).Addr.Family; family {
+	case syscall.AF_INET:
+		addr.Port = int(ntohs(uint16((*(*syscall.RawSockaddrInet4)(ptr)).Port)))
+		tmp := syscall.RawSockaddrInet4{}
+		size := unsafe.Sizeof(tmp)
+		for i := 0; i < n; i++ {
+			a := *(*syscall.RawSockaddrInet4)(unsafe.Pointer(
+				uintptr(ptr) + size*uintptr(i)))
+			addr.IP[i] = a.Addr[:]
+		}
+	case syscall.AF_INET6:
+		addr.Port = int(ntohs(uint16((*(*syscall.RawSockaddrInet4)(ptr)).Port)))
+		tmp := syscall.RawSockaddrInet6{}
+		size := unsafe.Sizeof(tmp)
+		for i := 0; i < n; i++ {
+			a := *(*syscall.RawSockaddrInet6)(unsafe.Pointer(
+				uintptr(ptr) + size*uintptr(i)))
+			addr.IP[i] = a.Addr[:]
+		}
+	default:
+		return nil, fmt.Errorf("unknown address family: %d", family)
+	}
+	return addr, nil
+}
+
+func sctpGetAddrs(fd, id, optname int) (*SCTPAddr, error) {
+
+	type getaddrs struct {
+		assocId int32
+		addrNum uint32
+		addrs   [4096]byte
+	}
+	param := getaddrs{
+		assocId: int32(id),
+	}
+	optlen := unsafe.Sizeof(param)
+	_, _, err := getsockopt(fd, uintptr(optname), uintptr(unsafe.Pointer(&param)), uintptr(unsafe.Pointer(&optlen)))
+	if err != nil {
+		return nil, err
+	}
+	return resolveFromRawAddr(unsafe.Pointer(&param.addrs), int(param.addrNum))
+}
+
+func (c *SCTPConn) SCTPGetPrimaryPeerAddr() (*SCTPAddr, error) {
+
+	type sctpGetSetPrim struct {
+		assocId int32
+		addrs   [128]byte
+	}
+	param := sctpGetSetPrim{
+		assocId: int32(0),
+	}
+	optlen := unsafe.Sizeof(param)
+	_, _, err := getsockopt(c.fd(), SCTP_PRIMARY_ADDR, uintptr(unsafe.Pointer(&param)), uintptr(unsafe.Pointer(&optlen)))
+	if err != nil {
+		return nil, err
+	}
+	return resolveFromRawAddr(unsafe.Pointer(&param.addrs), 1)
+}
+
+func (c *SCTPConn) SCTPLocalAddr(id int) (*SCTPAddr, error) {
+	return sctpGetAddrs(c.fd(), id, SCTP_GET_LOCAL_ADDRS)
+}
+
+func (c *SCTPConn) SCTPRemoteAddr(id int) (*SCTPAddr, error) {
+	return sctpGetAddrs(c.fd(), id, SCTP_GET_PEER_ADDRS)
+}
+
+func (c *SCTPConn) LocalAddr() net.Addr {
+	addr, err := sctpGetAddrs(c.fd(), 0, SCTP_GET_LOCAL_ADDRS)
+	if err != nil {
+		return nil
+	}
+	return addr
+}
+
+func (c *SCTPConn) RemoteAddr() net.Addr {
+	addr, err := sctpGetAddrs(c.fd(), 0, SCTP_GET_PEER_ADDRS)
+	if err != nil {
+		return nil
+	}
+	return addr
+}
+
+func (c *SCTPConn) PeelOff(id int) (*SCTPConn, error) {
+	type peeloffArg struct {
+		assocId int32
+		sd      int
+	}
+	param := peeloffArg{
+		assocId: int32(id),
+	}
+	optlen := unsafe.Sizeof(param)
+	_, _, err := getsockopt(c.fd(), SCTP_SOCKOPT_PEELOFF, uintptr(unsafe.Pointer(&param)), uintptr(unsafe.Pointer(&optlen)))
+	if err != nil {
+		return nil, err
+	}
+	return &SCTPConn{_fd: int32(param.sd)}, nil
+}
+
+func (c *SCTPConn) SetDeadline(t time.Time) error {
+	return syscall.EOPNOTSUPP
+}
+
+func (c *SCTPConn) SetReadDeadline(t time.Time) error {
+	return syscall.EOPNOTSUPP
+}
+
+func (c *SCTPConn) SetWriteDeadline(t time.Time) error {
+	return syscall.EOPNOTSUPP
+}
+
+type SCTPListener struct {
+	fd int
+	m  sync.Mutex
+}
+
+func (ln *SCTPListener) Addr() net.Addr {
+	laddr, err := sctpGetAddrs(ln.fd, 0, SCTP_GET_LOCAL_ADDRS)
+	if err != nil {
+		return nil
+	}
+	return laddr
+}
+
+type SCTPSndRcvInfoWrappedConn struct {
+	conn *SCTPConn
+}
+
+func NewSCTPSndRcvInfoWrappedConn(conn *SCTPConn) *SCTPSndRcvInfoWrappedConn {
+	conn.SubscribeEvents(SCTP_EVENT_DATA_IO)
+	return &SCTPSndRcvInfoWrappedConn{conn}
+}
+
+func (c *SCTPSndRcvInfoWrappedConn) Write(b []byte) (int, error) {
+	if len(b) < int(sndRcvInfoSize) {
+		return 0, syscall.EINVAL
+	}
+	info := (*SndRcvInfo)(unsafe.Pointer(&b[0]))
+	n, err := c.conn.SCTPWrite(b[sndRcvInfoSize:], info)
+	return n + int(sndRcvInfoSize), err
+}
+
+func (c *SCTPSndRcvInfoWrappedConn) Read(b []byte) (int, error) {
+	if len(b) < int(sndRcvInfoSize) {
+		return 0, syscall.EINVAL
+	}
+	n, info, err := c.conn.SCTPRead(b[sndRcvInfoSize:])
+	if err != nil {
+		return n, err
+	}
+	copy(b, toBuf(info))
+	return n + int(sndRcvInfoSize), err
+}
+
+func (c *SCTPSndRcvInfoWrappedConn) Close() error {
+	return c.conn.Close()
+}
+
+func (c *SCTPSndRcvInfoWrappedConn) LocalAddr() net.Addr {
+	return c.conn.LocalAddr()
+}
+
+func (c *SCTPSndRcvInfoWrappedConn) RemoteAddr() net.Addr {
+	return c.conn.RemoteAddr()
+}
+
+func (c *SCTPSndRcvInfoWrappedConn) SetDeadline(t time.Time) error {
+	return c.conn.SetDeadline(t)
+}
+
+func (c *SCTPSndRcvInfoWrappedConn) SetReadDeadline(t time.Time) error {
+	return c.conn.SetReadDeadline(t)
+}
+
+func (c *SCTPSndRcvInfoWrappedConn) SetWriteDeadline(t time.Time) error {
+	return c.conn.SetWriteDeadline(t)
+}
diff --git a/engine/vendor/github.com/ishidawataru/sctp/sctp_linux.go b/engine/vendor/github.com/ishidawataru/sctp/sctp_linux.go
new file mode 100644
index 00000000..f93ab862
--- /dev/null
+++ b/engine/vendor/github.com/ishidawataru/sctp/sctp_linux.go
@@ -0,0 +1,227 @@
+// +build linux,!386
+
+package sctp
+
+import (
+	"fmt"
+	"io"
+	"net"
+	"sync/atomic"
+	"syscall"
+	"unsafe"
+)
+
+func setsockopt(fd int, optname, optval, optlen uintptr) (uintptr, uintptr, error) {
+	// FIXME: syscall.SYS_SETSOCKOPT is undefined on 386
+	r0, r1, errno := syscall.Syscall6(syscall.SYS_SETSOCKOPT,
+		uintptr(fd),
+		SOL_SCTP,
+		optname,
+		optval,
+		optlen,
+		0)
+	if errno != 0 {
+		return r0, r1, errno
+	}
+	return r0, r1, nil
+}
+
+func getsockopt(fd int, optname, optval, optlen uintptr) (uintptr, uintptr, error) {
+	// FIXME: syscall.SYS_GETSOCKOPT is undefined on 386
+	r0, r1, errno := syscall.Syscall6(syscall.SYS_GETSOCKOPT,
+		uintptr(fd),
+		SOL_SCTP,
+		optname,
+		optval,
+		optlen,
+		0)
+	if errno != 0 {
+		return r0, r1, errno
+	}
+	return r0, r1, nil
+}
+
+func (c *SCTPConn) SCTPWrite(b []byte, info *SndRcvInfo) (int, error) {
+	var cbuf []byte
+	if info != nil {
+		cmsgBuf := toBuf(info)
+		hdr := &syscall.Cmsghdr{
+			Level: syscall.IPPROTO_SCTP,
+			Type:  SCTP_CMSG_SNDRCV,
+		}
+
+		// bitwidth of hdr.Len is platform-specific,
+		// so we use hdr.SetLen() rather than directly setting hdr.Len
+		hdr.SetLen(syscall.CmsgSpace(len(cmsgBuf)))
+		cbuf = append(toBuf(hdr), cmsgBuf...)
+	}
+	return syscall.SendmsgN(c.fd(), b, cbuf, nil, 0)
+}
+
+func parseSndRcvInfo(b []byte) (*SndRcvInfo, error) {
+	msgs, err := syscall.ParseSocketControlMessage(b)
+	if err != nil {
+		return nil, err
+	}
+	for _, m := range msgs {
+		if m.Header.Level == syscall.IPPROTO_SCTP {
+			switch m.Header.Type {
+			case SCTP_CMSG_SNDRCV:
+				return (*SndRcvInfo)(unsafe.Pointer(&m.Data[0])), nil
+			}
+		}
+	}
+	return nil, nil
+}
+
+func (c *SCTPConn) SCTPRead(b []byte) (int, *SndRcvInfo, error) {
+	oob := make([]byte, 254)
+	for {
+		n, oobn, recvflags, _, err := syscall.Recvmsg(c.fd(), b, oob, 0)
+		if err != nil {
+			return n, nil, err
+		}
+
+		if n == 0 && oobn == 0 {
+			return 0, nil, io.EOF
+		}
+
+		if recvflags&MSG_NOTIFICATION > 0 && c.notificationHandler != nil {
+			if err := c.notificationHandler(b[:n]); err != nil {
+				return 0, nil, err
+			}
+		} else {
+			var info *SndRcvInfo
+			if oobn > 0 {
+				info, err = parseSndRcvInfo(oob[:oobn])
+			}
+			return n, info, err
+		}
+	}
+}
+
+func (c *SCTPConn) Close() error {
+	if c != nil {
+		fd := atomic.SwapInt32(&c._fd, -1)
+		if fd > 0 {
+			info := &SndRcvInfo{
+				Flags: SCTP_EOF,
+			}
+			c.SCTPWrite(nil, info)
+			syscall.Shutdown(int(fd), syscall.SHUT_RDWR)
+			return syscall.Close(int(fd))
+		}
+	}
+	return syscall.EBADF
+}
+
+func ListenSCTP(net string, laddr *SCTPAddr) (*SCTPListener, error) {
+	af := syscall.AF_INET
+	switch net {
+	case "sctp":
+		hasv6 := func(addr *SCTPAddr) bool {
+			if addr == nil {
+				return false
+			}
+			for _, ip := range addr.IP {
+				if ip.To4() == nil {
+					return true
+				}
+			}
+			return false
+		}
+		if hasv6(laddr) {
+			af = syscall.AF_INET6
+		}
+	case "sctp4":
+	case "sctp6":
+		af = syscall.AF_INET6
+	default:
+		return nil, fmt.Errorf("invalid net: %s", net)
+	}
+
+	sock, err := syscall.Socket(
+		af,
+		syscall.SOCK_STREAM,
+		syscall.IPPROTO_SCTP,
+	)
+	if err != nil {
+		return nil, err
+	}
+	err = setNumOstreams(sock, SCTP_MAX_STREAM)
+	if err != nil {
+		return nil, err
+	}
+	if laddr != nil && len(laddr.IP) != 0 {
+		err := SCTPBind(sock, laddr, SCTP_BINDX_ADD_ADDR)
+		if err != nil {
+			return nil, err
+		}
+	}
+	err = syscall.Listen(sock, syscall.SOMAXCONN)
+	if err != nil {
+		return nil, err
+	}
+	return &SCTPListener{
+		fd: sock,
+	}, nil
+}
+
+func (ln *SCTPListener) Accept() (net.Conn, error) {
+	fd, _, err := syscall.Accept4(ln.fd, 0)
+	return NewSCTPConn(fd, nil), err
+}
+
+func (ln *SCTPListener) Close() error {
+	syscall.Shutdown(ln.fd, syscall.SHUT_RDWR)
+	return syscall.Close(ln.fd)
+}
+
+func DialSCTP(net string, laddr, raddr *SCTPAddr) (*SCTPConn, error) {
+	af := syscall.AF_INET
+	switch net {
+	case "sctp":
+		hasv6 := func(addr *SCTPAddr) bool {
+			if addr == nil {
+				return false
+			}
+			for _, ip := range addr.IP {
+				if ip.To4() == nil {
+					return true
+				}
+			}
+			return false
+		}
+		if hasv6(laddr) || hasv6(raddr) {
+			af = syscall.AF_INET6
+		}
+	case "sctp4":
+	case "sctp6":
+		af = syscall.AF_INET6
+	default:
+		return nil, fmt.Errorf("invalid net: %s", net)
+	}
+	sock, err := syscall.Socket(
+		af,
+		syscall.SOCK_STREAM,
+		syscall.IPPROTO_SCTP,
+	)
+	if err != nil {
+		return nil, err
+	}
+	err = setNumOstreams(sock, SCTP_MAX_STREAM)
+	if err != nil {
+		return nil, err
+	}
+	if laddr != nil {
+		err := SCTPBind(sock, laddr, SCTP_BINDX_ADD_ADDR)
+		if err != nil {
+			return nil, err
+		}
+	}
+	_, err = SCTPConnect(sock, raddr)
+	if err != nil {
+		return nil, err
+	}
+	return NewSCTPConn(sock, nil), nil
+}
diff --git a/engine/vendor/github.com/ishidawataru/sctp/sctp_unsupported.go b/engine/vendor/github.com/ishidawataru/sctp/sctp_unsupported.go
new file mode 100644
index 00000000..adcbf78b
--- /dev/null
+++ b/engine/vendor/github.com/ishidawataru/sctp/sctp_unsupported.go
@@ -0,0 +1,47 @@
+// +build !linux linux,386
+
+package sctp
+
+import (
+	"errors"
+	"net"
+	"runtime"
+)
+
+var ErrUnsupported = errors.New("SCTP is unsupported on " + runtime.GOOS + "/" + runtime.GOARCH)
+
+func setsockopt(fd int, optname, optval, optlen uintptr) (uintptr, uintptr, error) {
+	return 0, 0, ErrUnsupported
+}
+
+func getsockopt(fd int, optname, optval, optlen uintptr) (uintptr, uintptr, error) {
+	return 0, 0, ErrUnsupported
+}
+
+func (c *SCTPConn) SCTPWrite(b []byte, info *SndRcvInfo) (int, error) {
+	return 0, ErrUnsupported
+}
+
+func (c *SCTPConn) SCTPRead(b []byte) (int, *SndRcvInfo, error) {
+	return 0, nil, ErrUnsupported
+}
+
+func (c *SCTPConn) Close() error {
+	return ErrUnsupported
+}
+
+func ListenSCTP(net string, laddr *SCTPAddr) (*SCTPListener, error) {
+	return nil, ErrUnsupported
+}
+
+func (ln *SCTPListener) Accept() (net.Conn, error) {
+	return nil, ErrUnsupported
+}
+
+func (ln *SCTPListener) Close() error {
+	return ErrUnsupported
+}
+
+func DialSCTP(net string, laddr, raddr *SCTPAddr) (*SCTPConn, error) {
+	return nil, ErrUnsupported
+}
diff --git a/engine/vendor/github.com/moby/buildkit/LICENSE b/engine/vendor/github.com/moby/buildkit/LICENSE
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/engine/vendor/github.com/moby/buildkit/README.md b/engine/vendor/github.com/moby/buildkit/README.md
new file mode 100644
index 00000000..10b2b0e6
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/README.md
@@ -0,0 +1,274 @@
+[![asciicinema example](https://asciinema.org/a/gPEIEo1NzmDTUu2bEPsUboqmU.png)](https://asciinema.org/a/gPEIEo1NzmDTUu2bEPsUboqmU)
+
+
+## BuildKit
+
+[![GoDoc](https://godoc.org/github.com/moby/buildkit?status.svg)](https://godoc.org/github.com/moby/buildkit/client/llb)
+[![Build Status](https://travis-ci.org/moby/buildkit.svg?branch=master)](https://travis-ci.org/moby/buildkit)
+[![Go Report Card](https://goreportcard.com/badge/github.com/moby/buildkit)](https://goreportcard.com/report/github.com/moby/buildkit)
+
+
+BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.
+
+Key features:
+- Automatic garbage collection
+- Extendable frontend formats
+- Concurrent dependency resolution
+- Efficient instruction caching
+- Build cache import/export
+- Nested build job invocations
+- Distributable workers
+- Multiple output formats
+- Pluggable architecture
+- Execution without root privileges
+
+
+Read the proposal from https://github.com/moby/moby/issues/32925
+
+Introductory blog post https://blog.mobyproject.org/introducing-buildkit-17e056cc5317
+
+### Used by
+
+[Moby](https://github.com/moby/moby/pull/37151)
+
+[img](https://github.com/genuinetools/img)
+
+[OpenFaaS Cloud](https://github.com/openfaas/openfaas-cloud)
+
+[container build interface](https://github.com/containerbuilding/cbi)
+
+### Quick start
+
+Dependencies:
+- [runc](https://github.com/opencontainers/runc)
+- [containerd](https://github.com/containerd/containerd) (if you want to use containerd worker)
+
+
+The following command installs `buildkitd` and `buildctl` to `/usr/local/bin`:
+
+```bash
+$ make && sudo make install
+```
+
+You can also use `make binaries-all` to prepare `buildkitd.containerd_only` and `buildkitd.oci_only`.
+
+#### Starting the buildkitd daemon:
+
+```
+buildkitd --debug --root /var/lib/buildkit
+```
+
+The buildkitd daemon supports two worker backends: OCI (runc) and containerd.
+
+By default, the OCI (runc) worker is used.
+You can set `--oci-worker=false --containerd-worker=true` to use the containerd worker.
+
+We are open to adding more backends.
+
+#### Exploring LLB
+
+BuildKit builds are based on a binary intermediate format called LLB that is used for defining the dependency graph for processes running part of your build. tl;dr: LLB is to Dockerfile what LLVM IR is to C.
+
+- Marshaled as Protobuf messages
+- Concurrently executable
+- Efficiently cacheable
+- Vendor-neutral (i.e. non-Dockerfile languages can be easily implemented)
+
+See [`solver/pb/ops.proto`](./solver/pb/ops.proto) for the format definition.
+
+Currently, following high-level languages has been implemented for LLB:
+
+- Dockerfile (See [Exploring Dockerfiles](#exploring-dockerfiles))
+- (open a PR to add your own language)
+
+For understanding the basics of LLB, `examples/buildkit*` directory contains scripts that define how to build different configurations of BuildKit itself and its dependencies using the `client` package. Running one of these scripts generates a protobuf definition of a build graph. Note that the script itself does not execute any steps of the build.
+
+You can use `buildctl debug dump-llb` to see what data is in this definition. Add `--dot` to generate dot layout.
+
+```bash
+go run examples/buildkit0/buildkit.go | buildctl debug dump-llb | jq .
+```
+
+To start building use `buildctl build` command. The example script accepts `--with-containerd` flag to choose if containerd binaries and support should be included in the end result as well. 
+
+```bash
+go run examples/buildkit0/buildkit.go | buildctl build
+```
+
+`buildctl build` will show interactive progress bar by default while the build job is running. It will also show you the path to the trace file that contains all information about the timing of the individual steps and logs.
+
+Different versions of the example scripts show different ways of describing the build definition for this project to show the capabilities of the library. New versions have been added when new features have become available.
+
+- `./examples/buildkit0` - uses only exec operations, defines a full stage per component.
+- `./examples/buildkit1` - cloning git repositories has been separated for extra concurrency.
+- `./examples/buildkit2` - uses git sources directly instead of running `git clone`, allowing better performance and much safer caching.
+- `./examples/buildkit3` - allows using local source files for separate components eg. `./buildkit3 --runc=local | buildctl build --local runc-src=some/local/path`  
+- `./examples/dockerfile2llb` - can be used to convert a Dockerfile to LLB for debugging purposes
+- `./examples/gobuild` - shows how to use nested invocation to generate LLB for Go package internal dependencies
+
+
+#### Exploring Dockerfiles
+
+Frontends are components that run inside BuildKit and convert any build definition to LLB. There is a special frontend called gateway (gateway.v0) that allows using any image as a frontend.
+
+During development, Dockerfile frontend (dockerfile.v0) is also part of the BuildKit repo. In the future, this will be moved out, and Dockerfiles can be built using an external image.
+
+##### Building a Dockerfile with `buildctl`
+
+```
+buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=.
+buildctl build --frontend=dockerfile.v0 --local context=. --local dockerfile=. --frontend-opt target=foo --frontend-opt build-arg:foo=bar
+```
+
+`--local` exposes local source files from client to the builder. `context` and `dockerfile` are the names Dockerfile frontend looks for build context and Dockerfile location.
+
+##### build-using-dockerfile utility
+
+For people familiar with `docker build` command, there is an example wrapper utility in `./examples/build-using-dockerfile` that allows building Dockerfiles with BuildKit using a syntax similar to `docker build`.
+
+```
+go build ./examples/build-using-dockerfile && sudo install build-using-dockerfile /usr/local/bin
+
+build-using-dockerfile -t myimage .
+build-using-dockerfile -t mybuildkit -f ./hack/dockerfiles/test.Dockerfile .
+
+# build-using-dockerfile will automatically load the resulting image to Docker
+docker inspect myimage
+```
+
+##### Building a Dockerfile using [external frontend](https://hub.docker.com/r/tonistiigi/dockerfile/tags/):
+
+During development, an external version of the Dockerfile frontend is pushed to https://hub.docker.com/r/tonistiigi/dockerfile that can be used with the gateway frontend. The source for the external frontend is currently located in `./frontend/dockerfile/cmd/dockerfile-frontend` but will move out of this repository in the future ([#163](https://github.com/moby/buildkit/issues/163)). For automatic build from master branch of this repository `tonistiigi/dockerfile:master` image can be used.
+
+```
+buildctl build --frontend=gateway.v0 --frontend-opt=source=tonistiigi/dockerfile --local context=. --local dockerfile=.
+buildctl build --frontend gateway.v0 --frontend-opt=source=tonistiigi/dockerfile --frontend-opt=context=git://github.com/moby/moby --frontend-opt build-arg:APT_MIRROR=cdn-fastly.deb.debian.org
+````
+
+### Exporters
+
+By default, the build result and intermediate cache will only remain internally in BuildKit. Exporter needs to be specified to retrieve the result.
+
+##### Exporting resulting image to containerd
+
+The containerd worker needs to be used
+
+```
+buildctl build ... --exporter=image --exporter-opt name=docker.io/username/image
+ctr --namespace=buildkit images ls
+```
+
+##### Push resulting image to registry
+
+```
+buildctl build ... --exporter=image --exporter-opt name=docker.io/username/image --exporter-opt push=true
+```
+
+If credentials are required, `buildctl` will attempt to read Docker configuration file.
+
+
+##### Exporting build result back to client
+
+The local client will copy the files directly to the client. This is useful if BuildKit is being used for building something else than container images.
+
+```
+buildctl build ... --exporter=local --exporter-opt output=path/to/output-dir
+```
+
+##### Exporting built image to Docker
+
+```
+# exported tarball is also compatible with OCI spec
+buildctl build ... --exporter=docker --exporter-opt name=myimage | docker load
+```
+
+##### Exporting [OCI Image Format](https://github.com/opencontainers/image-spec) tarball to client
+
+```
+buildctl build ... --exporter=oci --exporter-opt output=path/to/output.tar
+buildctl build ... --exporter=oci > output.tar
+```
+
+### Other
+
+#### View build cache
+
+```
+buildctl du -v
+```
+
+#### Show enabled workers
+
+```
+buildctl debug workers -v
+```
+
+### Running containerized buildkit
+
+BuildKit can also be used by running the `buildkitd` daemon inside a Docker container and accessing it remotely. The client tool `buildctl` is also available for Mac and Windows.
+
+To run daemon in a container:
+
+```
+docker run -d --privileged -p 1234:1234 tonistiigi/buildkit --addr tcp://0.0.0.0:1234
+export BUILDKIT_HOST=tcp://0.0.0.0:1234
+buildctl build --help
+```
+
+The `tonistiigi/buildkit` image can be built locally using the Dockerfile in `./hack/dockerfiles/test.Dockerfile`.
+
+### Opentracing support
+
+BuildKit supports opentracing for buildkitd gRPC API and buildctl commands. To capture the trace to [Jaeger](https://github.com/jaegertracing/jaeger), set `JAEGER_TRACE` environment variable to the collection address.
+
+
+```
+docker run -d -p6831:6831/udp -p16686:16686 jaegertracing/all-in-one:latest
+export JAEGER_TRACE=0.0.0.0:6831
+# restart buildkitd and buildctl so they know JAEGER_TRACE
+# any buildctl command should be traced to http://127.0.0.1:16686/
+```
+
+
+### Supported runc version
+
+During development, BuildKit is tested with the version of runc that is being used by the containerd repository. Please refer to [runc.md](https://github.com/containerd/containerd/blob/v1.1.0/RUNC.md) for more information.
+
+### Running BuildKit without root privileges
+
+Please refer to [`docs/rootless.md`](docs/rootless.md).
+
+### Contributing
+
+Running tests:
+
+```bash
+make test
+```
+
+This runs all unit and integration tests in a containerized environment. Locally, every package can be tested separately with standard Go tools, but integration tests are skipped if local user doesn't have enough permissions or worker binaries are not installed.
+
+```
+# test a specific package only
+make test TESTPKGS=./client
+
+# run a specific test with all worker combinations
+make test TESTPKGS=./client TESTFLAGS="--run /TestCallDiskUsage -v" 
+
+# run all integration tests with a specific worker
+# supported workers: oci, oci-rootless, containerd, containerd-1.0
+make test TESTPKGS=./client TESTFLAGS="--run //worker=containerd -v" 
+```
+
+Updating vendored dependencies:
+
+```bash
+# update vendor.conf
+make vendor
+```
+
+Validating your updates before submission:
+
+```bash
+make validate-all
+```
diff --git a/engine/vendor/github.com/moby/buildkit/api/services/control/control.pb.go b/engine/vendor/github.com/moby/buildkit/api/services/control/control.pb.go
new file mode 100644
index 00000000..9df84f12
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/api/services/control/control.pb.go
@@ -0,0 +1,4589 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: control.proto
+
+/*
+	Package moby_buildkit_v1 is a generated protocol buffer package.
+
+	It is generated from these files:
+		control.proto
+
+	It has these top-level messages:
+		PruneRequest
+		DiskUsageRequest
+		DiskUsageResponse
+		UsageRecord
+		SolveRequest
+		CacheOptions
+		SolveResponse
+		StatusRequest
+		StatusResponse
+		Vertex
+		VertexStatus
+		VertexLog
+		BytesMessage
+		ListWorkersRequest
+		ListWorkersResponse
+*/
+package moby_buildkit_v1
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+import _ "github.com/gogo/protobuf/gogoproto"
+import _ "github.com/golang/protobuf/ptypes/timestamp"
+import pb "github.com/moby/buildkit/solver/pb"
+import moby_buildkit_v1_types "github.com/moby/buildkit/api/types"
+
+import time "time"
+import github_com_opencontainers_go_digest "github.com/opencontainers/go-digest"
+
+import context "golang.org/x/net/context"
+import grpc "google.golang.org/grpc"
+
+import types "github.com/gogo/protobuf/types"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+var _ = time.Kitchen
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type PruneRequest struct {
+}
+
+func (m *PruneRequest) Reset()                    { *m = PruneRequest{} }
+func (m *PruneRequest) String() string            { return proto.CompactTextString(m) }
+func (*PruneRequest) ProtoMessage()               {}
+func (*PruneRequest) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{0} }
+
+type DiskUsageRequest struct {
+	Filter string `protobuf:"bytes,1,opt,name=filter,proto3" json:"filter,omitempty"`
+}
+
+func (m *DiskUsageRequest) Reset()                    { *m = DiskUsageRequest{} }
+func (m *DiskUsageRequest) String() string            { return proto.CompactTextString(m) }
+func (*DiskUsageRequest) ProtoMessage()               {}
+func (*DiskUsageRequest) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{1} }
+
+func (m *DiskUsageRequest) GetFilter() string {
+	if m != nil {
+		return m.Filter
+	}
+	return ""
+}
+
+type DiskUsageResponse struct {
+	Record []*UsageRecord `protobuf:"bytes,1,rep,name=record" json:"record,omitempty"`
+}
+
+func (m *DiskUsageResponse) Reset()                    { *m = DiskUsageResponse{} }
+func (m *DiskUsageResponse) String() string            { return proto.CompactTextString(m) }
+func (*DiskUsageResponse) ProtoMessage()               {}
+func (*DiskUsageResponse) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{2} }
+
+func (m *DiskUsageResponse) GetRecord() []*UsageRecord {
+	if m != nil {
+		return m.Record
+	}
+	return nil
+}
+
+type UsageRecord struct {
+	ID          string     `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	Mutable     bool       `protobuf:"varint,2,opt,name=Mutable,proto3" json:"Mutable,omitempty"`
+	InUse       bool       `protobuf:"varint,3,opt,name=InUse,proto3" json:"InUse,omitempty"`
+	Size_       int64      `protobuf:"varint,4,opt,name=Size,proto3" json:"Size,omitempty"`
+	Parent      string     `protobuf:"bytes,5,opt,name=Parent,proto3" json:"Parent,omitempty"`
+	CreatedAt   time.Time  `protobuf:"bytes,6,opt,name=CreatedAt,stdtime" json:"CreatedAt"`
+	LastUsedAt  *time.Time `protobuf:"bytes,7,opt,name=LastUsedAt,stdtime" json:"LastUsedAt,omitempty"`
+	UsageCount  int64      `protobuf:"varint,8,opt,name=UsageCount,proto3" json:"UsageCount,omitempty"`
+	Description string     `protobuf:"bytes,9,opt,name=Description,proto3" json:"Description,omitempty"`
+}
+
+func (m *UsageRecord) Reset()                    { *m = UsageRecord{} }
+func (m *UsageRecord) String() string            { return proto.CompactTextString(m) }
+func (*UsageRecord) ProtoMessage()               {}
+func (*UsageRecord) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{3} }
+
+func (m *UsageRecord) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+func (m *UsageRecord) GetMutable() bool {
+	if m != nil {
+		return m.Mutable
+	}
+	return false
+}
+
+func (m *UsageRecord) GetInUse() bool {
+	if m != nil {
+		return m.InUse
+	}
+	return false
+}
+
+func (m *UsageRecord) GetSize_() int64 {
+	if m != nil {
+		return m.Size_
+	}
+	return 0
+}
+
+func (m *UsageRecord) GetParent() string {
+	if m != nil {
+		return m.Parent
+	}
+	return ""
+}
+
+func (m *UsageRecord) GetCreatedAt() time.Time {
+	if m != nil {
+		return m.CreatedAt
+	}
+	return time.Time{}
+}
+
+func (m *UsageRecord) GetLastUsedAt() *time.Time {
+	if m != nil {
+		return m.LastUsedAt
+	}
+	return nil
+}
+
+func (m *UsageRecord) GetUsageCount() int64 {
+	if m != nil {
+		return m.UsageCount
+	}
+	return 0
+}
+
+func (m *UsageRecord) GetDescription() string {
+	if m != nil {
+		return m.Description
+	}
+	return ""
+}
+
+type SolveRequest struct {
+	Ref           string            `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	Definition    *pb.Definition    `protobuf:"bytes,2,opt,name=Definition" json:"Definition,omitempty"`
+	Exporter      string            `protobuf:"bytes,3,opt,name=Exporter,proto3" json:"Exporter,omitempty"`
+	ExporterAttrs map[string]string `protobuf:"bytes,4,rep,name=ExporterAttrs" json:"ExporterAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Session       string            `protobuf:"bytes,5,opt,name=Session,proto3" json:"Session,omitempty"`
+	Frontend      string            `protobuf:"bytes,6,opt,name=Frontend,proto3" json:"Frontend,omitempty"`
+	FrontendAttrs map[string]string `protobuf:"bytes,7,rep,name=FrontendAttrs" json:"FrontendAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Cache         CacheOptions      `protobuf:"bytes,8,opt,name=Cache" json:"Cache"`
+}
+
+func (m *SolveRequest) Reset()                    { *m = SolveRequest{} }
+func (m *SolveRequest) String() string            { return proto.CompactTextString(m) }
+func (*SolveRequest) ProtoMessage()               {}
+func (*SolveRequest) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{4} }
+
+func (m *SolveRequest) GetRef() string {
+	if m != nil {
+		return m.Ref
+	}
+	return ""
+}
+
+func (m *SolveRequest) GetDefinition() *pb.Definition {
+	if m != nil {
+		return m.Definition
+	}
+	return nil
+}
+
+func (m *SolveRequest) GetExporter() string {
+	if m != nil {
+		return m.Exporter
+	}
+	return ""
+}
+
+func (m *SolveRequest) GetExporterAttrs() map[string]string {
+	if m != nil {
+		return m.ExporterAttrs
+	}
+	return nil
+}
+
+func (m *SolveRequest) GetSession() string {
+	if m != nil {
+		return m.Session
+	}
+	return ""
+}
+
+func (m *SolveRequest) GetFrontend() string {
+	if m != nil {
+		return m.Frontend
+	}
+	return ""
+}
+
+func (m *SolveRequest) GetFrontendAttrs() map[string]string {
+	if m != nil {
+		return m.FrontendAttrs
+	}
+	return nil
+}
+
+func (m *SolveRequest) GetCache() CacheOptions {
+	if m != nil {
+		return m.Cache
+	}
+	return CacheOptions{}
+}
+
+type CacheOptions struct {
+	ExportRef   string            `protobuf:"bytes,1,opt,name=ExportRef,proto3" json:"ExportRef,omitempty"`
+	ImportRefs  []string          `protobuf:"bytes,2,rep,name=ImportRefs" json:"ImportRefs,omitempty"`
+	ExportAttrs map[string]string `protobuf:"bytes,3,rep,name=ExportAttrs" json:"ExportAttrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *CacheOptions) Reset()                    { *m = CacheOptions{} }
+func (m *CacheOptions) String() string            { return proto.CompactTextString(m) }
+func (*CacheOptions) ProtoMessage()               {}
+func (*CacheOptions) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{5} }
+
+func (m *CacheOptions) GetExportRef() string {
+	if m != nil {
+		return m.ExportRef
+	}
+	return ""
+}
+
+func (m *CacheOptions) GetImportRefs() []string {
+	if m != nil {
+		return m.ImportRefs
+	}
+	return nil
+}
+
+func (m *CacheOptions) GetExportAttrs() map[string]string {
+	if m != nil {
+		return m.ExportAttrs
+	}
+	return nil
+}
+
+type SolveResponse struct {
+	ExporterResponse map[string]string `protobuf:"bytes,1,rep,name=ExporterResponse" json:"ExporterResponse,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *SolveResponse) Reset()                    { *m = SolveResponse{} }
+func (m *SolveResponse) String() string            { return proto.CompactTextString(m) }
+func (*SolveResponse) ProtoMessage()               {}
+func (*SolveResponse) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{6} }
+
+func (m *SolveResponse) GetExporterResponse() map[string]string {
+	if m != nil {
+		return m.ExporterResponse
+	}
+	return nil
+}
+
+type StatusRequest struct {
+	Ref string `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+}
+
+func (m *StatusRequest) Reset()                    { *m = StatusRequest{} }
+func (m *StatusRequest) String() string            { return proto.CompactTextString(m) }
+func (*StatusRequest) ProtoMessage()               {}
+func (*StatusRequest) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{7} }
+
+func (m *StatusRequest) GetRef() string {
+	if m != nil {
+		return m.Ref
+	}
+	return ""
+}
+
+type StatusResponse struct {
+	Vertexes []*Vertex       `protobuf:"bytes,1,rep,name=vertexes" json:"vertexes,omitempty"`
+	Statuses []*VertexStatus `protobuf:"bytes,2,rep,name=statuses" json:"statuses,omitempty"`
+	Logs     []*VertexLog    `protobuf:"bytes,3,rep,name=logs" json:"logs,omitempty"`
+}
+
+func (m *StatusResponse) Reset()                    { *m = StatusResponse{} }
+func (m *StatusResponse) String() string            { return proto.CompactTextString(m) }
+func (*StatusResponse) ProtoMessage()               {}
+func (*StatusResponse) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{8} }
+
+func (m *StatusResponse) GetVertexes() []*Vertex {
+	if m != nil {
+		return m.Vertexes
+	}
+	return nil
+}
+
+func (m *StatusResponse) GetStatuses() []*VertexStatus {
+	if m != nil {
+		return m.Statuses
+	}
+	return nil
+}
+
+func (m *StatusResponse) GetLogs() []*VertexLog {
+	if m != nil {
+		return m.Logs
+	}
+	return nil
+}
+
+type Vertex struct {
+	Digest    github_com_opencontainers_go_digest.Digest   `protobuf:"bytes,1,opt,name=digest,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"digest"`
+	Inputs    []github_com_opencontainers_go_digest.Digest `protobuf:"bytes,2,rep,name=inputs,customtype=github.com/opencontainers/go-digest.Digest" json:"inputs"`
+	Name      string                                       `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
+	Cached    bool                                         `protobuf:"varint,4,opt,name=cached,proto3" json:"cached,omitempty"`
+	Started   *time.Time                                   `protobuf:"bytes,5,opt,name=started,stdtime" json:"started,omitempty"`
+	Completed *time.Time                                   `protobuf:"bytes,6,opt,name=completed,stdtime" json:"completed,omitempty"`
+	Error     string                                       `protobuf:"bytes,7,opt,name=error,proto3" json:"error,omitempty"`
+}
+
+func (m *Vertex) Reset()                    { *m = Vertex{} }
+func (m *Vertex) String() string            { return proto.CompactTextString(m) }
+func (*Vertex) ProtoMessage()               {}
+func (*Vertex) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{9} }
+
+func (m *Vertex) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *Vertex) GetCached() bool {
+	if m != nil {
+		return m.Cached
+	}
+	return false
+}
+
+func (m *Vertex) GetStarted() *time.Time {
+	if m != nil {
+		return m.Started
+	}
+	return nil
+}
+
+func (m *Vertex) GetCompleted() *time.Time {
+	if m != nil {
+		return m.Completed
+	}
+	return nil
+}
+
+func (m *Vertex) GetError() string {
+	if m != nil {
+		return m.Error
+	}
+	return ""
+}
+
+type VertexStatus struct {
+	ID      string                                     `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	Vertex  github_com_opencontainers_go_digest.Digest `protobuf:"bytes,2,opt,name=vertex,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"vertex"`
+	Name    string                                     `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
+	Current int64                                      `protobuf:"varint,4,opt,name=current,proto3" json:"current,omitempty"`
+	Total   int64                                      `protobuf:"varint,5,opt,name=total,proto3" json:"total,omitempty"`
+	// TODO: add started, completed
+	Timestamp time.Time  `protobuf:"bytes,6,opt,name=timestamp,stdtime" json:"timestamp"`
+	Started   *time.Time `protobuf:"bytes,7,opt,name=started,stdtime" json:"started,omitempty"`
+	Completed *time.Time `protobuf:"bytes,8,opt,name=completed,stdtime" json:"completed,omitempty"`
+}
+
+func (m *VertexStatus) Reset()                    { *m = VertexStatus{} }
+func (m *VertexStatus) String() string            { return proto.CompactTextString(m) }
+func (*VertexStatus) ProtoMessage()               {}
+func (*VertexStatus) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{10} }
+
+func (m *VertexStatus) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+func (m *VertexStatus) GetName() string {
+	if m != nil {
+		return m.Name
+	}
+	return ""
+}
+
+func (m *VertexStatus) GetCurrent() int64 {
+	if m != nil {
+		return m.Current
+	}
+	return 0
+}
+
+func (m *VertexStatus) GetTotal() int64 {
+	if m != nil {
+		return m.Total
+	}
+	return 0
+}
+
+func (m *VertexStatus) GetTimestamp() time.Time {
+	if m != nil {
+		return m.Timestamp
+	}
+	return time.Time{}
+}
+
+func (m *VertexStatus) GetStarted() *time.Time {
+	if m != nil {
+		return m.Started
+	}
+	return nil
+}
+
+func (m *VertexStatus) GetCompleted() *time.Time {
+	if m != nil {
+		return m.Completed
+	}
+	return nil
+}
+
+type VertexLog struct {
+	Vertex    github_com_opencontainers_go_digest.Digest `protobuf:"bytes,1,opt,name=vertex,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"vertex"`
+	Timestamp time.Time                                  `protobuf:"bytes,2,opt,name=timestamp,stdtime" json:"timestamp"`
+	Stream    int64                                      `protobuf:"varint,3,opt,name=stream,proto3" json:"stream,omitempty"`
+	Msg       []byte                                     `protobuf:"bytes,4,opt,name=msg,proto3" json:"msg,omitempty"`
+}
+
+func (m *VertexLog) Reset()                    { *m = VertexLog{} }
+func (m *VertexLog) String() string            { return proto.CompactTextString(m) }
+func (*VertexLog) ProtoMessage()               {}
+func (*VertexLog) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{11} }
+
+func (m *VertexLog) GetTimestamp() time.Time {
+	if m != nil {
+		return m.Timestamp
+	}
+	return time.Time{}
+}
+
+func (m *VertexLog) GetStream() int64 {
+	if m != nil {
+		return m.Stream
+	}
+	return 0
+}
+
+func (m *VertexLog) GetMsg() []byte {
+	if m != nil {
+		return m.Msg
+	}
+	return nil
+}
+
+type BytesMessage struct {
+	Data []byte `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
+}
+
+func (m *BytesMessage) Reset()                    { *m = BytesMessage{} }
+func (m *BytesMessage) String() string            { return proto.CompactTextString(m) }
+func (*BytesMessage) ProtoMessage()               {}
+func (*BytesMessage) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{12} }
+
+func (m *BytesMessage) GetData() []byte {
+	if m != nil {
+		return m.Data
+	}
+	return nil
+}
+
+type ListWorkersRequest struct {
+	Filter []string `protobuf:"bytes,1,rep,name=filter" json:"filter,omitempty"`
+}
+
+func (m *ListWorkersRequest) Reset()                    { *m = ListWorkersRequest{} }
+func (m *ListWorkersRequest) String() string            { return proto.CompactTextString(m) }
+func (*ListWorkersRequest) ProtoMessage()               {}
+func (*ListWorkersRequest) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{13} }
+
+func (m *ListWorkersRequest) GetFilter() []string {
+	if m != nil {
+		return m.Filter
+	}
+	return nil
+}
+
+type ListWorkersResponse struct {
+	Record []*moby_buildkit_v1_types.WorkerRecord `protobuf:"bytes,1,rep,name=record" json:"record,omitempty"`
+}
+
+func (m *ListWorkersResponse) Reset()                    { *m = ListWorkersResponse{} }
+func (m *ListWorkersResponse) String() string            { return proto.CompactTextString(m) }
+func (*ListWorkersResponse) ProtoMessage()               {}
+func (*ListWorkersResponse) Descriptor() ([]byte, []int) { return fileDescriptorControl, []int{14} }
+
+func (m *ListWorkersResponse) GetRecord() []*moby_buildkit_v1_types.WorkerRecord {
+	if m != nil {
+		return m.Record
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*PruneRequest)(nil), "moby.buildkit.v1.PruneRequest")
+	proto.RegisterType((*DiskUsageRequest)(nil), "moby.buildkit.v1.DiskUsageRequest")
+	proto.RegisterType((*DiskUsageResponse)(nil), "moby.buildkit.v1.DiskUsageResponse")
+	proto.RegisterType((*UsageRecord)(nil), "moby.buildkit.v1.UsageRecord")
+	proto.RegisterType((*SolveRequest)(nil), "moby.buildkit.v1.SolveRequest")
+	proto.RegisterType((*CacheOptions)(nil), "moby.buildkit.v1.CacheOptions")
+	proto.RegisterType((*SolveResponse)(nil), "moby.buildkit.v1.SolveResponse")
+	proto.RegisterType((*StatusRequest)(nil), "moby.buildkit.v1.StatusRequest")
+	proto.RegisterType((*StatusResponse)(nil), "moby.buildkit.v1.StatusResponse")
+	proto.RegisterType((*Vertex)(nil), "moby.buildkit.v1.Vertex")
+	proto.RegisterType((*VertexStatus)(nil), "moby.buildkit.v1.VertexStatus")
+	proto.RegisterType((*VertexLog)(nil), "moby.buildkit.v1.VertexLog")
+	proto.RegisterType((*BytesMessage)(nil), "moby.buildkit.v1.BytesMessage")
+	proto.RegisterType((*ListWorkersRequest)(nil), "moby.buildkit.v1.ListWorkersRequest")
+	proto.RegisterType((*ListWorkersResponse)(nil), "moby.buildkit.v1.ListWorkersResponse")
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// Client API for Control service
+
+type ControlClient interface {
+	DiskUsage(ctx context.Context, in *DiskUsageRequest, opts ...grpc.CallOption) (*DiskUsageResponse, error)
+	Prune(ctx context.Context, in *PruneRequest, opts ...grpc.CallOption) (Control_PruneClient, error)
+	Solve(ctx context.Context, in *SolveRequest, opts ...grpc.CallOption) (*SolveResponse, error)
+	Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (Control_StatusClient, error)
+	Session(ctx context.Context, opts ...grpc.CallOption) (Control_SessionClient, error)
+	ListWorkers(ctx context.Context, in *ListWorkersRequest, opts ...grpc.CallOption) (*ListWorkersResponse, error)
+}
+
+type controlClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewControlClient(cc *grpc.ClientConn) ControlClient {
+	return &controlClient{cc}
+}
+
+func (c *controlClient) DiskUsage(ctx context.Context, in *DiskUsageRequest, opts ...grpc.CallOption) (*DiskUsageResponse, error) {
+	out := new(DiskUsageResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.Control/DiskUsage", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controlClient) Prune(ctx context.Context, in *PruneRequest, opts ...grpc.CallOption) (Control_PruneClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_Control_serviceDesc.Streams[0], c.cc, "/moby.buildkit.v1.Control/Prune", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &controlPruneClient{stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+type Control_PruneClient interface {
+	Recv() (*UsageRecord, error)
+	grpc.ClientStream
+}
+
+type controlPruneClient struct {
+	grpc.ClientStream
+}
+
+func (x *controlPruneClient) Recv() (*UsageRecord, error) {
+	m := new(UsageRecord)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func (c *controlClient) Solve(ctx context.Context, in *SolveRequest, opts ...grpc.CallOption) (*SolveResponse, error) {
+	out := new(SolveResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.Control/Solve", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *controlClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (Control_StatusClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_Control_serviceDesc.Streams[1], c.cc, "/moby.buildkit.v1.Control/Status", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &controlStatusClient{stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+type Control_StatusClient interface {
+	Recv() (*StatusResponse, error)
+	grpc.ClientStream
+}
+
+type controlStatusClient struct {
+	grpc.ClientStream
+}
+
+func (x *controlStatusClient) Recv() (*StatusResponse, error) {
+	m := new(StatusResponse)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func (c *controlClient) Session(ctx context.Context, opts ...grpc.CallOption) (Control_SessionClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_Control_serviceDesc.Streams[2], c.cc, "/moby.buildkit.v1.Control/Session", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &controlSessionClient{stream}
+	return x, nil
+}
+
+type Control_SessionClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type controlSessionClient struct {
+	grpc.ClientStream
+}
+
+func (x *controlSessionClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *controlSessionClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func (c *controlClient) ListWorkers(ctx context.Context, in *ListWorkersRequest, opts ...grpc.CallOption) (*ListWorkersResponse, error) {
+	out := new(ListWorkersResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.Control/ListWorkers", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// Server API for Control service
+
+type ControlServer interface {
+	DiskUsage(context.Context, *DiskUsageRequest) (*DiskUsageResponse, error)
+	Prune(*PruneRequest, Control_PruneServer) error
+	Solve(context.Context, *SolveRequest) (*SolveResponse, error)
+	Status(*StatusRequest, Control_StatusServer) error
+	Session(Control_SessionServer) error
+	ListWorkers(context.Context, *ListWorkersRequest) (*ListWorkersResponse, error)
+}
+
+func RegisterControlServer(s *grpc.Server, srv ControlServer) {
+	s.RegisterService(&_Control_serviceDesc, srv)
+}
+
+func _Control_DiskUsage_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DiskUsageRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServer).DiskUsage(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.Control/DiskUsage",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServer).DiskUsage(ctx, req.(*DiskUsageRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Control_Prune_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(PruneRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(ControlServer).Prune(m, &controlPruneServer{stream})
+}
+
+type Control_PruneServer interface {
+	Send(*UsageRecord) error
+	grpc.ServerStream
+}
+
+type controlPruneServer struct {
+	grpc.ServerStream
+}
+
+func (x *controlPruneServer) Send(m *UsageRecord) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func _Control_Solve_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SolveRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServer).Solve(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.Control/Solve",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServer).Solve(ctx, req.(*SolveRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _Control_Status_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(StatusRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(ControlServer).Status(m, &controlStatusServer{stream})
+}
+
+type Control_StatusServer interface {
+	Send(*StatusResponse) error
+	grpc.ServerStream
+}
+
+type controlStatusServer struct {
+	grpc.ServerStream
+}
+
+func (x *controlStatusServer) Send(m *StatusResponse) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func _Control_Session_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(ControlServer).Session(&controlSessionServer{stream})
+}
+
+type Control_SessionServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type controlSessionServer struct {
+	grpc.ServerStream
+}
+
+func (x *controlSessionServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *controlSessionServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func _Control_ListWorkers_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListWorkersRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ControlServer).ListWorkers(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.Control/ListWorkers",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ControlServer).ListWorkers(ctx, req.(*ListWorkersRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _Control_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.buildkit.v1.Control",
+	HandlerType: (*ControlServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "DiskUsage",
+			Handler:    _Control_DiskUsage_Handler,
+		},
+		{
+			MethodName: "Solve",
+			Handler:    _Control_Solve_Handler,
+		},
+		{
+			MethodName: "ListWorkers",
+			Handler:    _Control_ListWorkers_Handler,
+		},
+	},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "Prune",
+			Handler:       _Control_Prune_Handler,
+			ServerStreams: true,
+		},
+		{
+			StreamName:    "Status",
+			Handler:       _Control_Status_Handler,
+			ServerStreams: true,
+		},
+		{
+			StreamName:    "Session",
+			Handler:       _Control_Session_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "control.proto",
+}
+
+func (m *PruneRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PruneRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	return i, nil
+}
+
+func (m *DiskUsageRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DiskUsageRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Filter) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Filter)))
+		i += copy(dAtA[i:], m.Filter)
+	}
+	return i, nil
+}
+
+func (m *DiskUsageResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DiskUsageResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Record) > 0 {
+		for _, msg := range m.Record {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *UsageRecord) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *UsageRecord) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	if m.Mutable {
+		dAtA[i] = 0x10
+		i++
+		if m.Mutable {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.InUse {
+		dAtA[i] = 0x18
+		i++
+		if m.InUse {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.Size_ != 0 {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.Size_))
+	}
+	if len(m.Parent) > 0 {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Parent)))
+		i += copy(dAtA[i:], m.Parent)
+	}
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(m.CreatedAt)))
+	n1, err := types.StdTimeMarshalTo(m.CreatedAt, dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n1
+	if m.LastUsedAt != nil {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(*m.LastUsedAt)))
+		n2, err := types.StdTimeMarshalTo(*m.LastUsedAt, dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n2
+	}
+	if m.UsageCount != 0 {
+		dAtA[i] = 0x40
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.UsageCount))
+	}
+	if len(m.Description) > 0 {
+		dAtA[i] = 0x4a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Description)))
+		i += copy(dAtA[i:], m.Description)
+	}
+	return i, nil
+}
+
+func (m *SolveRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SolveRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ref) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Ref)))
+		i += copy(dAtA[i:], m.Ref)
+	}
+	if m.Definition != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.Definition.Size()))
+		n3, err := m.Definition.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n3
+	}
+	if len(m.Exporter) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Exporter)))
+		i += copy(dAtA[i:], m.Exporter)
+	}
+	if len(m.ExporterAttrs) > 0 {
+		for k, _ := range m.ExporterAttrs {
+			dAtA[i] = 0x22
+			i++
+			v := m.ExporterAttrs[k]
+			mapSize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			i = encodeVarintControl(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.Session) > 0 {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Session)))
+		i += copy(dAtA[i:], m.Session)
+	}
+	if len(m.Frontend) > 0 {
+		dAtA[i] = 0x32
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Frontend)))
+		i += copy(dAtA[i:], m.Frontend)
+	}
+	if len(m.FrontendAttrs) > 0 {
+		for k, _ := range m.FrontendAttrs {
+			dAtA[i] = 0x3a
+			i++
+			v := m.FrontendAttrs[k]
+			mapSize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			i = encodeVarintControl(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	dAtA[i] = 0x42
+	i++
+	i = encodeVarintControl(dAtA, i, uint64(m.Cache.Size()))
+	n4, err := m.Cache.MarshalTo(dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n4
+	return i, nil
+}
+
+func (m *CacheOptions) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CacheOptions) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ExportRef) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.ExportRef)))
+		i += copy(dAtA[i:], m.ExportRef)
+	}
+	if len(m.ImportRefs) > 0 {
+		for _, s := range m.ImportRefs {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.ExportAttrs) > 0 {
+		for k, _ := range m.ExportAttrs {
+			dAtA[i] = 0x1a
+			i++
+			v := m.ExportAttrs[k]
+			mapSize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			i = encodeVarintControl(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *SolveResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SolveResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ExporterResponse) > 0 {
+		for k, _ := range m.ExporterResponse {
+			dAtA[i] = 0xa
+			i++
+			v := m.ExporterResponse[k]
+			mapSize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			i = encodeVarintControl(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *StatusRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatusRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ref) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Ref)))
+		i += copy(dAtA[i:], m.Ref)
+	}
+	return i, nil
+}
+
+func (m *StatusResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *StatusResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Vertexes) > 0 {
+		for _, msg := range m.Vertexes {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Statuses) > 0 {
+		for _, msg := range m.Statuses {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Logs) > 0 {
+		for _, msg := range m.Logs {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *Vertex) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Vertex) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Digest) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Digest)))
+		i += copy(dAtA[i:], m.Digest)
+	}
+	if len(m.Inputs) > 0 {
+		for _, s := range m.Inputs {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Name) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Name)))
+		i += copy(dAtA[i:], m.Name)
+	}
+	if m.Cached {
+		dAtA[i] = 0x20
+		i++
+		if m.Cached {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.Started != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(*m.Started)))
+		n5, err := types.StdTimeMarshalTo(*m.Started, dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n5
+	}
+	if m.Completed != nil {
+		dAtA[i] = 0x32
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(*m.Completed)))
+		n6, err := types.StdTimeMarshalTo(*m.Completed, dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n6
+	}
+	if len(m.Error) > 0 {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Error)))
+		i += copy(dAtA[i:], m.Error)
+	}
+	return i, nil
+}
+
+func (m *VertexStatus) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *VertexStatus) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	if len(m.Vertex) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Vertex)))
+		i += copy(dAtA[i:], m.Vertex)
+	}
+	if len(m.Name) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Name)))
+		i += copy(dAtA[i:], m.Name)
+	}
+	if m.Current != 0 {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.Current))
+	}
+	if m.Total != 0 {
+		dAtA[i] = 0x28
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.Total))
+	}
+	dAtA[i] = 0x32
+	i++
+	i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(m.Timestamp)))
+	n7, err := types.StdTimeMarshalTo(m.Timestamp, dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n7
+	if m.Started != nil {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(*m.Started)))
+		n8, err := types.StdTimeMarshalTo(*m.Started, dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	if m.Completed != nil {
+		dAtA[i] = 0x42
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(*m.Completed)))
+		n9, err := types.StdTimeMarshalTo(*m.Completed, dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n9
+	}
+	return i, nil
+}
+
+func (m *VertexLog) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *VertexLog) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Vertex) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Vertex)))
+		i += copy(dAtA[i:], m.Vertex)
+	}
+	dAtA[i] = 0x12
+	i++
+	i = encodeVarintControl(dAtA, i, uint64(types.SizeOfStdTime(m.Timestamp)))
+	n10, err := types.StdTimeMarshalTo(m.Timestamp, dAtA[i:])
+	if err != nil {
+		return 0, err
+	}
+	i += n10
+	if m.Stream != 0 {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(m.Stream))
+	}
+	if len(m.Msg) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Msg)))
+		i += copy(dAtA[i:], m.Msg)
+	}
+	return i, nil
+}
+
+func (m *BytesMessage) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BytesMessage) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Data) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintControl(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func (m *ListWorkersRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ListWorkersRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Filter) > 0 {
+		for _, s := range m.Filter {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *ListWorkersResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ListWorkersResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Record) > 0 {
+		for _, msg := range m.Record {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintControl(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeVarintControl(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *PruneRequest) Size() (n int) {
+	var l int
+	_ = l
+	return n
+}
+
+func (m *DiskUsageRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Filter)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *DiskUsageResponse) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Record) > 0 {
+		for _, e := range m.Record {
+			l = e.Size()
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *UsageRecord) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Mutable {
+		n += 2
+	}
+	if m.InUse {
+		n += 2
+	}
+	if m.Size_ != 0 {
+		n += 1 + sovControl(uint64(m.Size_))
+	}
+	l = len(m.Parent)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = types.SizeOfStdTime(m.CreatedAt)
+	n += 1 + l + sovControl(uint64(l))
+	if m.LastUsedAt != nil {
+		l = types.SizeOfStdTime(*m.LastUsedAt)
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.UsageCount != 0 {
+		n += 1 + sovControl(uint64(m.UsageCount))
+	}
+	l = len(m.Description)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *SolveRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Ref)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Definition != nil {
+		l = m.Definition.Size()
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = len(m.Exporter)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if len(m.ExporterAttrs) > 0 {
+		for k, v := range m.ExporterAttrs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			n += mapEntrySize + 1 + sovControl(uint64(mapEntrySize))
+		}
+	}
+	l = len(m.Session)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = len(m.Frontend)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if len(m.FrontendAttrs) > 0 {
+		for k, v := range m.FrontendAttrs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			n += mapEntrySize + 1 + sovControl(uint64(mapEntrySize))
+		}
+	}
+	l = m.Cache.Size()
+	n += 1 + l + sovControl(uint64(l))
+	return n
+}
+
+func (m *CacheOptions) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ExportRef)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if len(m.ImportRefs) > 0 {
+		for _, s := range m.ImportRefs {
+			l = len(s)
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	if len(m.ExportAttrs) > 0 {
+		for k, v := range m.ExportAttrs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			n += mapEntrySize + 1 + sovControl(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *SolveResponse) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.ExporterResponse) > 0 {
+		for k, v := range m.ExporterResponse {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovControl(uint64(len(k))) + 1 + len(v) + sovControl(uint64(len(v)))
+			n += mapEntrySize + 1 + sovControl(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *StatusRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Ref)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *StatusResponse) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Vertexes) > 0 {
+		for _, e := range m.Vertexes {
+			l = e.Size()
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	if len(m.Statuses) > 0 {
+		for _, e := range m.Statuses {
+			l = e.Size()
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	if len(m.Logs) > 0 {
+		for _, e := range m.Logs {
+			l = e.Size()
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Vertex) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Digest)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if len(m.Inputs) > 0 {
+		for _, s := range m.Inputs {
+			l = len(s)
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	l = len(m.Name)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Cached {
+		n += 2
+	}
+	if m.Started != nil {
+		l = types.SizeOfStdTime(*m.Started)
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Completed != nil {
+		l = types.SizeOfStdTime(*m.Completed)
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = len(m.Error)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *VertexStatus) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = len(m.Vertex)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = len(m.Name)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Current != 0 {
+		n += 1 + sovControl(uint64(m.Current))
+	}
+	if m.Total != 0 {
+		n += 1 + sovControl(uint64(m.Total))
+	}
+	l = types.SizeOfStdTime(m.Timestamp)
+	n += 1 + l + sovControl(uint64(l))
+	if m.Started != nil {
+		l = types.SizeOfStdTime(*m.Started)
+		n += 1 + l + sovControl(uint64(l))
+	}
+	if m.Completed != nil {
+		l = types.SizeOfStdTime(*m.Completed)
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *VertexLog) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Vertex)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	l = types.SizeOfStdTime(m.Timestamp)
+	n += 1 + l + sovControl(uint64(l))
+	if m.Stream != 0 {
+		n += 1 + sovControl(uint64(m.Stream))
+	}
+	l = len(m.Msg)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *BytesMessage) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Data)
+	if l > 0 {
+		n += 1 + l + sovControl(uint64(l))
+	}
+	return n
+}
+
+func (m *ListWorkersRequest) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Filter) > 0 {
+		for _, s := range m.Filter {
+			l = len(s)
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *ListWorkersResponse) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Record) > 0 {
+		for _, e := range m.Record {
+			l = e.Size()
+			n += 1 + l + sovControl(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovControl(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozControl(x uint64) (n int) {
+	return sovControl(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *PruneRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PruneRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PruneRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DiskUsageRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DiskUsageRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DiskUsageRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Filter", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Filter = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DiskUsageResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DiskUsageResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DiskUsageResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Record", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Record = append(m.Record, &UsageRecord{})
+			if err := m.Record[len(m.Record)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *UsageRecord) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: UsageRecord: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: UsageRecord: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Mutable", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Mutable = bool(v != 0)
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field InUse", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.InUse = bool(v != 0)
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Size_", wireType)
+			}
+			m.Size_ = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Size_ |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Parent", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Parent = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CreatedAt", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := types.StdTimeUnmarshal(&m.CreatedAt, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LastUsedAt", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.LastUsedAt == nil {
+				m.LastUsedAt = new(time.Time)
+			}
+			if err := types.StdTimeUnmarshal(m.LastUsedAt, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field UsageCount", wireType)
+			}
+			m.UsageCount = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.UsageCount |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 9:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Description", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Description = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SolveRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SolveRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SolveRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ref", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ref = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Definition", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Definition == nil {
+				m.Definition = &pb.Definition{}
+			}
+			if err := m.Definition.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Exporter", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Exporter = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExporterAttrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ExporterAttrs == nil {
+				m.ExporterAttrs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowControl
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipControl(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthControl
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.ExporterAttrs[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Session", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Session = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Frontend", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Frontend = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FrontendAttrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.FrontendAttrs == nil {
+				m.FrontendAttrs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowControl
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipControl(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthControl
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.FrontendAttrs[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Cache", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Cache.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CacheOptions) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CacheOptions: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CacheOptions: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExportRef", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExportRef = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ImportRefs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ImportRefs = append(m.ImportRefs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExportAttrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ExportAttrs == nil {
+				m.ExportAttrs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowControl
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipControl(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthControl
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.ExportAttrs[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SolveResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SolveResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SolveResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExporterResponse", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ExporterResponse == nil {
+				m.ExporterResponse = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowControl
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowControl
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthControl
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipControl(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthControl
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.ExporterResponse[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatusRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatusRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatusRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ref", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ref = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *StatusResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: StatusResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: StatusResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Vertexes", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Vertexes = append(m.Vertexes, &Vertex{})
+			if err := m.Vertexes[len(m.Vertexes)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Statuses", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Statuses = append(m.Statuses, &VertexStatus{})
+			if err := m.Statuses[len(m.Statuses)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Logs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Logs = append(m.Logs, &VertexLog{})
+			if err := m.Logs[len(m.Logs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Vertex) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Vertex: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Vertex: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Digest", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Digest = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Inputs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Inputs = append(m.Inputs, github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Cached", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Cached = bool(v != 0)
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Started", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Started == nil {
+				m.Started = new(time.Time)
+			}
+			if err := types.StdTimeUnmarshal(m.Started, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Completed", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Completed == nil {
+				m.Completed = new(time.Time)
+			}
+			if err := types.StdTimeUnmarshal(m.Completed, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Error = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *VertexStatus) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: VertexStatus: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: VertexStatus: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Vertex", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Vertex = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Name = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Current", wireType)
+			}
+			m.Current = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Current |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Total", wireType)
+			}
+			m.Total = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Total |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Timestamp", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := types.StdTimeUnmarshal(&m.Timestamp, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Started", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Started == nil {
+				m.Started = new(time.Time)
+			}
+			if err := types.StdTimeUnmarshal(m.Started, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Completed", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Completed == nil {
+				m.Completed = new(time.Time)
+			}
+			if err := types.StdTimeUnmarshal(m.Completed, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *VertexLog) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: VertexLog: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: VertexLog: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Vertex", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Vertex = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Timestamp", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := types.StdTimeUnmarshal(&m.Timestamp, dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stream", wireType)
+			}
+			m.Stream = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Stream |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Msg", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Msg = append(m.Msg[:0], dAtA[iNdEx:postIndex]...)
+			if m.Msg == nil {
+				m.Msg = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *BytesMessage) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BytesMessage: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BytesMessage: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ListWorkersRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ListWorkersRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ListWorkersRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Filter", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Filter = append(m.Filter, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ListWorkersResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ListWorkersResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ListWorkersResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Record", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthControl
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Record = append(m.Record, &moby_buildkit_v1_types.WorkerRecord{})
+			if err := m.Record[len(m.Record)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipControl(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthControl
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipControl(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowControl
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowControl
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthControl
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowControl
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipControl(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthControl = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowControl   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("control.proto", fileDescriptorControl) }
+
+var fileDescriptorControl = []byte{
+	// 1176 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x56, 0x4d, 0x6f, 0x23, 0x45,
+	0x13, 0x7e, 0xc7, 0x76, 0xfc, 0x51, 0x76, 0xa2, 0xbc, 0x0d, 0xac, 0x46, 0x03, 0x24, 0x66, 0x00,
+	0xc9, 0x5a, 0xed, 0xce, 0x64, 0x03, 0x2b, 0xa1, 0x08, 0xad, 0x76, 0x1d, 0x2f, 0x22, 0x51, 0x22,
+	0x96, 0xce, 0x86, 0x95, 0xb8, 0x8d, 0xed, 0x8e, 0x77, 0x14, 0x7b, 0x7a, 0xe8, 0xee, 0x09, 0x6b,
+	0x7e, 0x05, 0x07, 0xfe, 0x09, 0x07, 0xce, 0x1c, 0x90, 0xf6, 0xc8, 0x99, 0x43, 0x16, 0xe5, 0x0e,
+	0xbf, 0x01, 0xf5, 0xc7, 0xd8, 0xed, 0xd8, 0xf9, 0xdc, 0x53, 0xba, 0x2a, 0x4f, 0x3d, 0x53, 0x5d,
+	0x4f, 0xb9, 0xab, 0x60, 0xb9, 0x47, 0x13, 0xc1, 0xe8, 0x30, 0x48, 0x19, 0x15, 0x14, 0xad, 0x8e,
+	0x68, 0x77, 0x1c, 0x74, 0xb3, 0x78, 0xd8, 0x3f, 0x8e, 0x45, 0x70, 0xf2, 0xc0, 0xbb, 0x3f, 0x88,
+	0xc5, 0xcb, 0xac, 0x1b, 0xf4, 0xe8, 0x28, 0x1c, 0xd0, 0x01, 0x0d, 0x15, 0xb0, 0x9b, 0x1d, 0x29,
+	0x4b, 0x19, 0xea, 0xa4, 0x09, 0xbc, 0xf5, 0x01, 0xa5, 0x83, 0x21, 0x99, 0xa2, 0x44, 0x3c, 0x22,
+	0x5c, 0x44, 0xa3, 0xd4, 0x00, 0xee, 0x59, 0x7c, 0xf2, 0x63, 0x61, 0xfe, 0xb1, 0x90, 0xd3, 0xe1,
+	0x09, 0x61, 0x61, 0xda, 0x0d, 0x69, 0xca, 0x0d, 0x3a, 0xbc, 0x10, 0x1d, 0xa5, 0x71, 0x28, 0xc6,
+	0x29, 0xe1, 0xe1, 0x8f, 0x94, 0x1d, 0x13, 0xa6, 0x03, 0xfc, 0x15, 0x68, 0x3c, 0x63, 0x59, 0x42,
+	0x30, 0xf9, 0x21, 0x23, 0x5c, 0xf8, 0x77, 0x61, 0xb5, 0x13, 0xf3, 0xe3, 0x43, 0x1e, 0x0d, 0x72,
+	0x1f, 0xba, 0x03, 0xe5, 0xa3, 0x78, 0x28, 0x08, 0x73, 0x9d, 0xa6, 0xd3, 0xaa, 0x61, 0x63, 0xf9,
+	0xbb, 0xf0, 0x7f, 0x0b, 0xcb, 0x53, 0x9a, 0x70, 0x82, 0x1e, 0x42, 0x99, 0x91, 0x1e, 0x65, 0x7d,
+	0xd7, 0x69, 0x16, 0x5b, 0xf5, 0xcd, 0x0f, 0x83, 0xf3, 0x25, 0x0a, 0x4c, 0x80, 0x04, 0x61, 0x03,
+	0xf6, 0x7f, 0x2f, 0x40, 0xdd, 0xf2, 0xa3, 0x15, 0x28, 0xec, 0x74, 0xcc, 0xf7, 0x0a, 0x3b, 0x1d,
+	0xe4, 0x42, 0x65, 0x3f, 0x13, 0x51, 0x77, 0x48, 0xdc, 0x42, 0xd3, 0x69, 0x55, 0x71, 0x6e, 0xa2,
+	0x77, 0x61, 0x69, 0x27, 0x39, 0xe4, 0xc4, 0x2d, 0x2a, 0xbf, 0x36, 0x10, 0x82, 0xd2, 0x41, 0xfc,
+	0x13, 0x71, 0x4b, 0x4d, 0xa7, 0x55, 0xc4, 0xea, 0x2c, 0xef, 0xf1, 0x2c, 0x62, 0x24, 0x11, 0xee,
+	0x92, 0xbe, 0x87, 0xb6, 0x50, 0x1b, 0x6a, 0xdb, 0x8c, 0x44, 0x82, 0xf4, 0x9f, 0x08, 0xb7, 0xdc,
+	0x74, 0x5a, 0xf5, 0x4d, 0x2f, 0xd0, 0xba, 0x04, 0xb9, 0x2e, 0xc1, 0xf3, 0x5c, 0x97, 0x76, 0xf5,
+	0xf5, 0xe9, 0xfa, 0xff, 0x7e, 0x7e, 0xb3, 0xee, 0xe0, 0x69, 0x18, 0x7a, 0x0c, 0xb0, 0x17, 0x71,
+	0x71, 0xc8, 0x15, 0x49, 0xe5, 0x4a, 0x92, 0x92, 0x22, 0xb0, 0x62, 0xd0, 0x1a, 0x80, 0x2a, 0xc0,
+	0x36, 0xcd, 0x12, 0xe1, 0x56, 0x55, 0xde, 0x96, 0x07, 0x35, 0xa1, 0xde, 0x21, 0xbc, 0xc7, 0xe2,
+	0x54, 0xc4, 0x34, 0x71, 0x6b, 0xea, 0x0a, 0xb6, 0xcb, 0xff, 0xa5, 0x04, 0x8d, 0x03, 0xd9, 0x14,
+	0xb9, 0x70, 0xab, 0x50, 0xc4, 0xe4, 0xc8, 0x54, 0x51, 0x1e, 0x51, 0x00, 0xd0, 0x21, 0x47, 0x71,
+	0x12, 0x2b, 0x8e, 0x82, 0x4a, 0x73, 0x25, 0x48, 0xbb, 0xc1, 0xd4, 0x8b, 0x2d, 0x04, 0xf2, 0xa0,
+	0xfa, 0xf4, 0x55, 0x4a, 0x99, 0x14, 0xbf, 0xa8, 0x68, 0x26, 0x36, 0x7a, 0x01, 0xcb, 0xf9, 0xf9,
+	0x89, 0x10, 0x8c, 0xbb, 0x25, 0x25, 0xf8, 0x83, 0x79, 0xc1, 0xed, 0xa4, 0x82, 0x99, 0x98, 0xa7,
+	0x89, 0x60, 0x63, 0x3c, 0xcb, 0x23, 0xb5, 0x3e, 0x20, 0x9c, 0xcb, 0x0c, 0xb5, 0x50, 0xb9, 0x29,
+	0xd3, 0xf9, 0x8a, 0xd1, 0x44, 0x90, 0xa4, 0xaf, 0x84, 0xaa, 0xe1, 0x89, 0x2d, 0xd3, 0xc9, 0xcf,
+	0x3a, 0x9d, 0xca, 0xb5, 0xd2, 0x99, 0x89, 0x31, 0xe9, 0xcc, 0xf8, 0xd0, 0x16, 0x2c, 0x6d, 0x47,
+	0xbd, 0x97, 0x44, 0x69, 0x52, 0xdf, 0x5c, 0x9b, 0x27, 0x54, 0xff, 0xfe, 0x46, 0x89, 0xc0, 0xdb,
+	0x25, 0xd9, 0x1e, 0x58, 0x87, 0x78, 0x8f, 0x01, 0xcd, 0xdf, 0x57, 0xea, 0x72, 0x4c, 0xc6, 0xb9,
+	0x2e, 0xc7, 0x64, 0x2c, 0x9b, 0xf8, 0x24, 0x1a, 0x66, 0xba, 0xb9, 0x6b, 0x58, 0x1b, 0x5b, 0x85,
+	0x2f, 0x1c, 0xc9, 0x30, 0x9f, 0xe2, 0x4d, 0x18, 0xfc, 0x37, 0x0e, 0x34, 0xec, 0x0c, 0xd1, 0x07,
+	0x50, 0xd3, 0x49, 0x4d, 0x9b, 0x63, 0xea, 0x90, 0x7d, 0xb8, 0x33, 0x32, 0x06, 0x77, 0x0b, 0xcd,
+	0x62, 0xab, 0x86, 0x2d, 0x0f, 0xfa, 0x16, 0xea, 0x1a, 0xac, 0xab, 0x5c, 0x54, 0x55, 0x0e, 0x2f,
+	0x2f, 0x4a, 0x60, 0x45, 0xe8, 0x1a, 0xdb, 0x1c, 0xde, 0x23, 0x58, 0x3d, 0x0f, 0xb8, 0xd1, 0x0d,
+	0x7f, 0x73, 0x60, 0xd9, 0x88, 0x6a, 0x5e, 0xa1, 0x28, 0x67, 0x24, 0x2c, 0xf7, 0x99, 0xf7, 0xe8,
+	0xe1, 0x85, 0xfd, 0xa0, 0x61, 0xc1, 0xf9, 0x38, 0x9d, 0xef, 0x1c, 0x9d, 0xb7, 0x0d, 0xef, 0x2d,
+	0x84, 0xde, 0x28, 0xf3, 0x8f, 0x60, 0xf9, 0x40, 0x44, 0x22, 0xe3, 0x17, 0xfe, 0x64, 0xfd, 0x5f,
+	0x1d, 0x58, 0xc9, 0x31, 0xe6, 0x76, 0x9f, 0x43, 0xf5, 0x84, 0x30, 0x41, 0x5e, 0x11, 0x6e, 0x6e,
+	0xe5, 0xce, 0xdf, 0xea, 0x3b, 0x85, 0xc0, 0x13, 0x24, 0xda, 0x82, 0x2a, 0x57, 0x3c, 0x44, 0xcb,
+	0xba, 0xb0, 0x95, 0x75, 0x94, 0xf9, 0xde, 0x04, 0x8f, 0x42, 0x28, 0x0d, 0xe9, 0x20, 0x57, 0xfb,
+	0xfd, 0x8b, 0xe2, 0xf6, 0xe8, 0x00, 0x2b, 0xa0, 0x7f, 0x5a, 0x80, 0xb2, 0xf6, 0xa1, 0x5d, 0x28,
+	0xf7, 0xe3, 0x01, 0xe1, 0x42, 0xdf, 0xaa, 0xbd, 0x29, 0x7f, 0x20, 0x7f, 0x9d, 0xae, 0xdf, 0xb5,
+	0x66, 0x15, 0x4d, 0x49, 0x22, 0x27, 0x6b, 0x14, 0x27, 0x84, 0xf1, 0x70, 0x40, 0xef, 0xeb, 0x90,
+	0xa0, 0xa3, 0xfe, 0x60, 0xc3, 0x20, 0xb9, 0xe2, 0x24, 0xcd, 0x84, 0x69, 0xcc, 0xdb, 0x71, 0x69,
+	0x06, 0x39, 0x22, 0x92, 0x68, 0x44, 0xcc, 0xbb, 0xa6, 0xce, 0x72, 0x44, 0xf4, 0x64, 0xdf, 0xf6,
+	0xd5, 0xe0, 0xa8, 0x62, 0x63, 0xa1, 0x2d, 0xa8, 0x70, 0x11, 0x31, 0x41, 0xfa, 0xea, 0x49, 0xba,
+	0xce, 0xdb, 0x9e, 0x07, 0xa0, 0x47, 0x50, 0xeb, 0xd1, 0x51, 0x3a, 0x24, 0x32, 0xba, 0x7c, 0xcd,
+	0xe8, 0x69, 0x88, 0xec, 0x1e, 0xc2, 0x18, 0x65, 0x6a, 0xaa, 0xd4, 0xb0, 0x36, 0xfc, 0x7f, 0x0b,
+	0xd0, 0xb0, 0xc5, 0x9a, 0x9b, 0x98, 0xbb, 0x50, 0xd6, 0xd2, 0xeb, 0xae, 0xbb, 0x5d, 0xa9, 0x34,
+	0xc3, 0xc2, 0x52, 0xb9, 0x50, 0xe9, 0x65, 0x4c, 0x8d, 0x53, 0x3d, 0x64, 0x73, 0x53, 0x26, 0x2c,
+	0xa8, 0x88, 0x86, 0xaa, 0x54, 0x45, 0xac, 0x0d, 0x39, 0x65, 0x27, 0xbb, 0xcd, 0xcd, 0xa6, 0xec,
+	0x24, 0xcc, 0x96, 0xa1, 0xf2, 0x56, 0x32, 0x54, 0x6f, 0x2c, 0x83, 0xff, 0x87, 0x03, 0xb5, 0x49,
+	0x97, 0x5b, 0xd5, 0x75, 0xde, 0xba, 0xba, 0x33, 0x95, 0x29, 0xdc, 0xae, 0x32, 0x77, 0xa0, 0xcc,
+	0x05, 0x23, 0xd1, 0x48, 0x69, 0x54, 0xc4, 0xc6, 0x92, 0xef, 0xc9, 0x88, 0x0f, 0x94, 0x42, 0x0d,
+	0x2c, 0x8f, 0xbe, 0x0f, 0x8d, 0xf6, 0x58, 0x10, 0xbe, 0x4f, 0xb8, 0x5c, 0x2e, 0xa4, 0xb6, 0xfd,
+	0x48, 0x44, 0xea, 0x1e, 0x0d, 0xac, 0xce, 0xfe, 0x3d, 0x40, 0x7b, 0x31, 0x17, 0x2f, 0xd4, 0xa6,
+	0xc8, 0x17, 0xed, 0x81, 0x45, 0x6b, 0x0f, 0x3c, 0x80, 0x77, 0x66, 0xd0, 0xe6, 0x95, 0xfa, 0xf2,
+	0xdc, 0x26, 0xf8, 0xc9, 0xfc, 0xab, 0xa1, 0x16, 0xd2, 0x40, 0x07, 0xce, 0x2e, 0x84, 0x9b, 0xff,
+	0x14, 0xa1, 0xb2, 0xad, 0x77, 0x6d, 0xf4, 0x1c, 0x6a, 0x93, 0x45, 0x13, 0xf9, 0xf3, 0x34, 0xe7,
+	0x37, 0x56, 0xef, 0xe3, 0x4b, 0x31, 0x26, 0xbf, 0xaf, 0x61, 0x49, 0xad, 0xbe, 0x68, 0xc1, 0x33,
+	0x68, 0xef, 0xc4, 0xde, 0xe5, 0x2b, 0xec, 0x86, 0x23, 0x99, 0xd4, 0x0c, 0x59, 0xc4, 0x64, 0x2f,
+	0x1b, 0xde, 0xfa, 0x15, 0xc3, 0x07, 0xed, 0x43, 0xd9, 0xfc, 0x9c, 0x17, 0x41, 0xed, 0x49, 0xe1,
+	0x35, 0x2f, 0x06, 0x68, 0xb2, 0x0d, 0x07, 0xed, 0x4f, 0x36, 0xa9, 0x45, 0xa9, 0xd9, 0x6d, 0xe0,
+	0x5d, 0xf1, 0xff, 0x96, 0xb3, 0xe1, 0xa0, 0xef, 0xa1, 0x6e, 0x09, 0x8d, 0x16, 0x08, 0x3a, 0xdf,
+	0x35, 0xde, 0xa7, 0x57, 0xa0, 0x74, 0xb2, 0xed, 0xc6, 0xeb, 0xb3, 0x35, 0xe7, 0xcf, 0xb3, 0x35,
+	0xe7, 0xef, 0xb3, 0x35, 0xa7, 0x5b, 0x56, 0x7d, 0xff, 0xd9, 0x7f, 0x01, 0x00, 0x00, 0xff, 0xff,
+	0xe1, 0xef, 0xcc, 0xf5, 0x6f, 0x0d, 0x00, 0x00,
+}
diff --git a/engine/vendor/github.com/moby/buildkit/api/services/control/control.proto b/engine/vendor/github.com/moby/buildkit/api/services/control/control.proto
new file mode 100644
index 00000000..8d61c7eb
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/api/services/control/control.proto
@@ -0,0 +1,121 @@
+syntax = "proto3";
+
+package moby.buildkit.v1;
+
+// The control API is currently considered experimental and may break in a backwards
+// incompatible way.
+
+import "github.com/gogo/protobuf/gogoproto/gogo.proto";
+import "google/protobuf/timestamp.proto";
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+import "github.com/moby/buildkit/api/types/worker.proto";
+
+option (gogoproto.sizer_all) = true;
+option (gogoproto.marshaler_all) = true;
+option (gogoproto.unmarshaler_all) = true;
+
+service Control {
+	rpc DiskUsage(DiskUsageRequest) returns (DiskUsageResponse);
+	rpc Prune(PruneRequest) returns (stream UsageRecord);
+	rpc Solve(SolveRequest) returns (SolveResponse);
+	rpc Status(StatusRequest) returns (stream StatusResponse);
+	rpc Session(stream BytesMessage) returns (stream BytesMessage);
+	rpc ListWorkers(ListWorkersRequest) returns (ListWorkersResponse);
+	// rpc Info(InfoRequest) returns (InfoResponse);
+}
+
+message PruneRequest {
+	// TODO: filter
+}
+
+message DiskUsageRequest {
+	string filter = 1; // FIXME: this should be containerd-compatible repeated string?
+}
+
+message DiskUsageResponse {
+	repeated UsageRecord record = 1;
+}
+
+message UsageRecord {
+	string ID = 1;
+	bool Mutable = 2;
+	bool InUse = 3;
+	int64 Size = 4;
+	string Parent = 5;
+	google.protobuf.Timestamp CreatedAt = 6 [(gogoproto.stdtime) = true, (gogoproto.nullable) = false];
+	google.protobuf.Timestamp LastUsedAt = 7 [(gogoproto.stdtime) = true];
+	int64 UsageCount = 8;
+	string Description = 9;
+}
+
+message SolveRequest {
+	string Ref = 1;
+	pb.Definition Definition = 2;
+	string Exporter = 3;
+	map<string, string> ExporterAttrs = 4;
+	string Session = 5;
+	string Frontend = 6;
+	map<string, string> FrontendAttrs = 7;
+	CacheOptions Cache = 8 [(gogoproto.nullable) = false];
+}
+
+message CacheOptions {
+	string ExportRef = 1;
+	repeated string ImportRefs = 2;
+	map<string, string> ExportAttrs = 3;
+}
+
+message SolveResponse {
+	map<string, string> ExporterResponse = 1;
+}
+
+message StatusRequest {
+	string Ref = 1;
+}
+
+message StatusResponse {
+	repeated Vertex vertexes = 1;
+	repeated VertexStatus statuses = 2;
+	repeated VertexLog logs = 3;
+}
+
+message Vertex {
+	string digest = 1 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	repeated string inputs = 2 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	string name = 3;
+	bool cached = 4;
+	google.protobuf.Timestamp started = 5 [(gogoproto.stdtime) = true ];
+	google.protobuf.Timestamp completed = 6 [(gogoproto.stdtime) = true ];
+	string error = 7; // typed errors?
+}
+
+message VertexStatus {
+	string ID = 1;
+	string vertex = 2 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	string name = 3;
+	int64 current = 4;
+	int64 total = 5;
+	// TODO: add started, completed
+	google.protobuf.Timestamp timestamp = 6 [(gogoproto.stdtime) = true, (gogoproto.nullable) = false];
+	google.protobuf.Timestamp started = 7 [(gogoproto.stdtime) = true ];
+	google.protobuf.Timestamp completed = 8 [(gogoproto.stdtime) = true ];
+}
+
+message VertexLog {
+	string vertex = 1 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	google.protobuf.Timestamp timestamp = 2 [(gogoproto.stdtime) = true, (gogoproto.nullable) = false];
+	int64 stream = 3;
+	bytes msg = 4;
+}
+
+message BytesMessage {
+	bytes data = 1;
+}
+
+message ListWorkersRequest {
+	repeated string filter = 1; // containerd style
+}
+
+message ListWorkersResponse {
+	repeated moby.buildkit.v1.types.WorkerRecord record = 1;
+}
\ No newline at end of file
diff --git a/engine/vendor/github.com/moby/buildkit/api/services/control/generate.go b/engine/vendor/github.com/moby/buildkit/api/services/control/generate.go
new file mode 100644
index 00000000..1c161155
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/api/services/control/generate.go
@@ -0,0 +1,3 @@
+package moby_buildkit_v1
+
+//go:generate protoc -I=. -I=../../../vendor/ -I=../../../../../../ --gogo_out=plugins=grpc:. control.proto
diff --git a/engine/vendor/github.com/moby/buildkit/api/types/generate.go b/engine/vendor/github.com/moby/buildkit/api/types/generate.go
new file mode 100644
index 00000000..84007df1
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/api/types/generate.go
@@ -0,0 +1,3 @@
+package moby_buildkit_v1_types
+
+//go:generate protoc -I=. -I=../../vendor/ -I=../../../../../ --gogo_out=plugins=grpc:. worker.proto
diff --git a/engine/vendor/github.com/moby/buildkit/api/types/worker.pb.go b/engine/vendor/github.com/moby/buildkit/api/types/worker.pb.go
new file mode 100644
index 00000000..46c8538f
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/api/types/worker.pb.go
@@ -0,0 +1,523 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: worker.proto
+
+/*
+	Package moby_buildkit_v1_types is a generated protocol buffer package.
+
+	It is generated from these files:
+		worker.proto
+
+	It has these top-level messages:
+		WorkerRecord
+*/
+package moby_buildkit_v1_types
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+import _ "github.com/gogo/protobuf/gogoproto"
+import pb "github.com/moby/buildkit/solver/pb"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type WorkerRecord struct {
+	ID        string            `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	Labels    map[string]string `protobuf:"bytes,2,rep,name=Labels" json:"Labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Platforms []pb.Platform     `protobuf:"bytes,3,rep,name=platforms" json:"platforms"`
+}
+
+func (m *WorkerRecord) Reset()                    { *m = WorkerRecord{} }
+func (m *WorkerRecord) String() string            { return proto.CompactTextString(m) }
+func (*WorkerRecord) ProtoMessage()               {}
+func (*WorkerRecord) Descriptor() ([]byte, []int) { return fileDescriptorWorker, []int{0} }
+
+func (m *WorkerRecord) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+func (m *WorkerRecord) GetLabels() map[string]string {
+	if m != nil {
+		return m.Labels
+	}
+	return nil
+}
+
+func (m *WorkerRecord) GetPlatforms() []pb.Platform {
+	if m != nil {
+		return m.Platforms
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*WorkerRecord)(nil), "moby.buildkit.v1.types.WorkerRecord")
+}
+func (m *WorkerRecord) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *WorkerRecord) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintWorker(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	if len(m.Labels) > 0 {
+		for k, _ := range m.Labels {
+			dAtA[i] = 0x12
+			i++
+			v := m.Labels[k]
+			mapSize := 1 + len(k) + sovWorker(uint64(len(k))) + 1 + len(v) + sovWorker(uint64(len(v)))
+			i = encodeVarintWorker(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintWorker(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintWorker(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.Platforms) > 0 {
+		for _, msg := range m.Platforms {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintWorker(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeVarintWorker(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *WorkerRecord) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovWorker(uint64(l))
+	}
+	if len(m.Labels) > 0 {
+		for k, v := range m.Labels {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovWorker(uint64(len(k))) + 1 + len(v) + sovWorker(uint64(len(v)))
+			n += mapEntrySize + 1 + sovWorker(uint64(mapEntrySize))
+		}
+	}
+	if len(m.Platforms) > 0 {
+		for _, e := range m.Platforms {
+			l = e.Size()
+			n += 1 + l + sovWorker(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovWorker(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozWorker(x uint64) (n int) {
+	return sovWorker(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *WorkerRecord) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowWorker
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: WorkerRecord: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: WorkerRecord: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWorker
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthWorker
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Labels", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWorker
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthWorker
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Labels == nil {
+				m.Labels = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowWorker
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowWorker
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthWorker
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowWorker
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthWorker
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipWorker(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthWorker
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Labels[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Platforms", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWorker
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthWorker
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Platforms = append(m.Platforms, pb.Platform{})
+			if err := m.Platforms[len(m.Platforms)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipWorker(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthWorker
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipWorker(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowWorker
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowWorker
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowWorker
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthWorker
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowWorker
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipWorker(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthWorker = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowWorker   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("worker.proto", fileDescriptorWorker) }
+
+var fileDescriptorWorker = []byte{
+	// 273 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x8f, 0x41, 0x4b, 0xf3, 0x40,
+	0x10, 0x86, 0xbf, 0x4d, 0x3e, 0x0b, 0xdd, 0x06, 0x91, 0x45, 0x24, 0xe4, 0x10, 0x8b, 0xa7, 0x1e,
+	0x74, 0xb6, 0xea, 0x45, 0x3d, 0x96, 0x0a, 0x16, 0x3c, 0x48, 0x2e, 0x9e, 0xb3, 0xed, 0x36, 0x86,
+	0x24, 0xce, 0xb2, 0xd9, 0x44, 0xf2, 0x0f, 0x7b, 0xf4, 0xe2, 0x55, 0x24, 0xbf, 0x44, 0xba, 0x89,
+	0x98, 0x83, 0xb7, 0x79, 0x87, 0x67, 0x1e, 0xde, 0xa1, 0xde, 0x1b, 0xea, 0x4c, 0x6a, 0x50, 0x1a,
+	0x0d, 0xb2, 0x93, 0x02, 0x45, 0x03, 0xa2, 0x4a, 0xf3, 0x4d, 0x96, 0x1a, 0xa8, 0x2f, 0xc1, 0x34,
+	0x4a, 0x96, 0xc1, 0x45, 0x92, 0x9a, 0x97, 0x4a, 0xc0, 0x1a, 0x0b, 0x9e, 0x60, 0x82, 0xdc, 0xe2,
+	0xa2, 0xda, 0xda, 0x64, 0x83, 0x9d, 0x3a, 0x4d, 0x70, 0x3e, 0xc0, 0xf7, 0x46, 0xfe, 0x63, 0xe4,
+	0x25, 0xe6, 0xb5, 0xd4, 0x5c, 0x09, 0x8e, 0xaa, 0xec, 0xe8, 0xb3, 0x0f, 0x42, 0xbd, 0x67, 0xdb,
+	0x22, 0x92, 0x6b, 0xd4, 0x1b, 0x76, 0x48, 0x9d, 0xd5, 0xd2, 0x27, 0x53, 0x32, 0x1b, 0x47, 0xce,
+	0x6a, 0xc9, 0x1e, 0xe8, 0xe8, 0x31, 0x16, 0x32, 0x2f, 0x7d, 0x67, 0xea, 0xce, 0x26, 0x57, 0x73,
+	0xf8, 0xbb, 0x26, 0x0c, 0x2d, 0xd0, 0x9d, 0xdc, 0xbf, 0x1a, 0xdd, 0x44, 0xfd, 0x3d, 0x9b, 0xd3,
+	0xb1, 0xca, 0x63, 0xb3, 0x45, 0x5d, 0x94, 0xbe, 0x6b, 0x65, 0x1e, 0x28, 0x01, 0x4f, 0xfd, 0x72,
+	0xf1, 0x7f, 0xf7, 0x79, 0xfa, 0x2f, 0xfa, 0x85, 0x82, 0x5b, 0x3a, 0x19, 0x88, 0xd8, 0x11, 0x75,
+	0x33, 0xd9, 0xf4, 0xdd, 0xf6, 0x23, 0x3b, 0xa6, 0x07, 0x75, 0x9c, 0x57, 0xd2, 0x77, 0xec, 0xae,
+	0x0b, 0x77, 0xce, 0x0d, 0x59, 0x78, 0xbb, 0x36, 0x24, 0xef, 0x6d, 0x48, 0xbe, 0xda, 0x90, 0x88,
+	0x91, 0x7d, 0xf6, 0xfa, 0x3b, 0x00, 0x00, 0xff, 0xff, 0xa9, 0x5c, 0x8f, 0x26, 0x71, 0x01, 0x00,
+	0x00,
+}
diff --git a/engine/vendor/github.com/moby/buildkit/api/types/worker.proto b/engine/vendor/github.com/moby/buildkit/api/types/worker.proto
new file mode 100644
index 00000000..b1376b74
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/api/types/worker.proto
@@ -0,0 +1,16 @@
+syntax = "proto3";
+
+package moby.buildkit.v1.types;
+
+import "github.com/gogo/protobuf/gogoproto/gogo.proto";
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+
+option (gogoproto.sizer_all) = true;
+option (gogoproto.marshaler_all) = true;
+option (gogoproto.unmarshaler_all) = true;
+
+message WorkerRecord {
+	string ID = 1;
+	map<string, string> Labels = 2;
+	repeated pb.Platform platforms = 3 [(gogoproto.nullable) = false];
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go b/engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go
new file mode 100644
index 00000000..cf89a5f2
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.go
@@ -0,0 +1,634 @@
+package contenthash
+
+import (
+	"bytes"
+	"context"
+	"crypto/sha256"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"sync"
+
+	"github.com/containerd/continuity/fs"
+	"github.com/docker/docker/pkg/locker"
+	iradix "github.com/hashicorp/go-immutable-radix"
+	"github.com/hashicorp/golang-lru/simplelru"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/cache/metadata"
+	"github.com/moby/buildkit/snapshot"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/tonistiigi/fsutil"
+)
+
+var errNotFound = errors.Errorf("not found")
+
+var defaultManager *cacheManager
+var defaultManagerOnce sync.Once
+
+const keyContentHash = "buildkit.contenthash.v0"
+
+func getDefaultManager() *cacheManager {
+	defaultManagerOnce.Do(func() {
+		lru, _ := simplelru.NewLRU(20, nil) // error is impossible on positive size
+		defaultManager = &cacheManager{lru: lru, locker: locker.New()}
+	})
+	return defaultManager
+}
+
+// Layout in the radix tree: Every path is saved by cleaned absolute unix path.
+// Directories have 2 records, one contains digest for directory header, other
+// the recursive digest for directory contents. "/dir/" is the record for
+// header, "/dir" is for contents. For the root node "" (empty string) is the
+// key for root, "/" for the root header
+
+func Checksum(ctx context.Context, ref cache.ImmutableRef, path string) (digest.Digest, error) {
+	return getDefaultManager().Checksum(ctx, ref, path)
+}
+
+func GetCacheContext(ctx context.Context, md *metadata.StorageItem) (CacheContext, error) {
+	return getDefaultManager().GetCacheContext(ctx, md)
+}
+
+func SetCacheContext(ctx context.Context, md *metadata.StorageItem, cc CacheContext) error {
+	return getDefaultManager().SetCacheContext(ctx, md, cc)
+}
+
+type CacheContext interface {
+	Checksum(ctx context.Context, ref cache.Mountable, p string) (digest.Digest, error)
+	HandleChange(kind fsutil.ChangeKind, p string, fi os.FileInfo, err error) error
+}
+
+type Hashed interface {
+	Digest() digest.Digest
+}
+
+type cacheManager struct {
+	locker *locker.Locker
+	lru    *simplelru.LRU
+	lruMu  sync.Mutex
+}
+
+func (cm *cacheManager) Checksum(ctx context.Context, ref cache.ImmutableRef, p string) (digest.Digest, error) {
+	cc, err := cm.GetCacheContext(ctx, ensureOriginMetadata(ref.Metadata()))
+	if err != nil {
+		return "", nil
+	}
+	return cc.Checksum(ctx, ref, p)
+}
+
+func (cm *cacheManager) GetCacheContext(ctx context.Context, md *metadata.StorageItem) (CacheContext, error) {
+	cm.locker.Lock(md.ID())
+	cm.lruMu.Lock()
+	v, ok := cm.lru.Get(md.ID())
+	cm.lruMu.Unlock()
+	if ok {
+		cm.locker.Unlock(md.ID())
+		return v.(*cacheContext), nil
+	}
+	cc, err := newCacheContext(md)
+	if err != nil {
+		cm.locker.Unlock(md.ID())
+		return nil, err
+	}
+	cm.lruMu.Lock()
+	cm.lru.Add(md.ID(), cc)
+	cm.lruMu.Unlock()
+	cm.locker.Unlock(md.ID())
+	return cc, nil
+}
+
+func (cm *cacheManager) SetCacheContext(ctx context.Context, md *metadata.StorageItem, cci CacheContext) error {
+	cc, ok := cci.(*cacheContext)
+	if !ok {
+		return errors.Errorf("invalid cachecontext: %T", cc)
+	}
+	if md.ID() != cc.md.ID() {
+		cc = &cacheContext{
+			md:       md,
+			tree:     cci.(*cacheContext).tree,
+			dirtyMap: map[string]struct{}{},
+		}
+	} else {
+		if err := cc.save(); err != nil {
+			return err
+		}
+	}
+	cm.lruMu.Lock()
+	cm.lru.Add(md.ID(), cc)
+	cm.lruMu.Unlock()
+	return nil
+}
+
+type cacheContext struct {
+	mu    sync.RWMutex
+	md    *metadata.StorageItem
+	tree  *iradix.Tree
+	dirty bool // needs to be persisted to disk
+
+	// used in HandleChange
+	txn      *iradix.Txn
+	node     *iradix.Node
+	dirtyMap map[string]struct{}
+}
+
+type mount struct {
+	mountable cache.Mountable
+	mountPath string
+	unmount   func() error
+}
+
+func (m *mount) mount(ctx context.Context) (string, error) {
+	if m.mountPath != "" {
+		return m.mountPath, nil
+	}
+	mounts, err := m.mountable.Mount(ctx, true)
+	if err != nil {
+		return "", err
+	}
+
+	lm := snapshot.LocalMounter(mounts)
+
+	mp, err := lm.Mount()
+	if err != nil {
+		return "", err
+	}
+
+	m.mountPath = mp
+	m.unmount = lm.Unmount
+	return mp, nil
+}
+
+func (m *mount) clean() error {
+	if m.mountPath != "" {
+		if err := m.unmount(); err != nil {
+			return err
+		}
+		m.mountPath = ""
+	}
+	return nil
+}
+
+func newCacheContext(md *metadata.StorageItem) (*cacheContext, error) {
+	cc := &cacheContext{
+		md:       md,
+		tree:     iradix.New(),
+		dirtyMap: map[string]struct{}{},
+	}
+	if err := cc.load(); err != nil {
+		return nil, err
+	}
+	return cc, nil
+}
+
+func (cc *cacheContext) load() error {
+	dt, err := cc.md.GetExternal(keyContentHash)
+	if err != nil {
+		return nil
+	}
+
+	var l CacheRecords
+	if err := l.Unmarshal(dt); err != nil {
+		return err
+	}
+
+	txn := cc.tree.Txn()
+	for _, p := range l.Paths {
+		txn.Insert([]byte(p.Path), p.Record)
+	}
+	cc.tree = txn.Commit()
+	return nil
+}
+
+func (cc *cacheContext) save() error {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+
+	if cc.txn != nil {
+		cc.commitActiveTransaction()
+	}
+
+	var l CacheRecords
+	node := cc.tree.Root()
+	node.Walk(func(k []byte, v interface{}) bool {
+		l.Paths = append(l.Paths, &CacheRecordWithPath{
+			Path:   string(k),
+			Record: v.(*CacheRecord),
+		})
+		return false
+	})
+
+	dt, err := l.Marshal()
+	if err != nil {
+		return err
+	}
+
+	return cc.md.SetExternal(keyContentHash, dt)
+}
+
+// HandleChange notifies the source about a modification operation
+func (cc *cacheContext) HandleChange(kind fsutil.ChangeKind, p string, fi os.FileInfo, err error) (retErr error) {
+	p = path.Join("/", filepath.ToSlash(p))
+	if p == "/" {
+		p = ""
+	}
+	k := convertPathToKey([]byte(p))
+
+	deleteDir := func(cr *CacheRecord) {
+		if cr.Type == CacheRecordTypeDir {
+			cc.node.WalkPrefix(append(k, 0), func(k []byte, v interface{}) bool {
+				cc.txn.Delete(k)
+				return false
+			})
+		}
+	}
+
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+	if cc.txn == nil {
+		cc.txn = cc.tree.Txn()
+		cc.node = cc.tree.Root()
+
+		// root is not called by HandleChange. need to fake it
+		if _, ok := cc.node.Get([]byte{0}); !ok {
+			cc.txn.Insert([]byte{0}, &CacheRecord{
+				Type:   CacheRecordTypeDirHeader,
+				Digest: digest.FromBytes(nil),
+			})
+			cc.txn.Insert([]byte(""), &CacheRecord{
+				Type: CacheRecordTypeDir,
+			})
+		}
+	}
+
+	if kind == fsutil.ChangeKindDelete {
+		v, ok := cc.txn.Delete(k)
+		if ok {
+			deleteDir(v.(*CacheRecord))
+		}
+		d := path.Dir(p)
+		if d == "/" {
+			d = ""
+		}
+		cc.dirtyMap[d] = struct{}{}
+		return
+	}
+
+	stat, ok := fi.Sys().(*fsutil.Stat)
+	if !ok {
+		return errors.Errorf("%s invalid change without stat information", p)
+	}
+
+	h, ok := fi.(Hashed)
+	if !ok {
+		return errors.Errorf("invalid fileinfo: %s", p)
+	}
+
+	v, ok := cc.node.Get(k)
+	if ok {
+		deleteDir(v.(*CacheRecord))
+	}
+
+	cr := &CacheRecord{
+		Type: CacheRecordTypeFile,
+	}
+	if fi.Mode()&os.ModeSymlink != 0 {
+		cr.Type = CacheRecordTypeSymlink
+		cr.Linkname = filepath.ToSlash(stat.Linkname)
+	}
+	if fi.IsDir() {
+		cr.Type = CacheRecordTypeDirHeader
+		cr2 := &CacheRecord{
+			Type: CacheRecordTypeDir,
+		}
+		cc.txn.Insert(k, cr2)
+		k = append(k, 0)
+		p += "/"
+	}
+	cr.Digest = h.Digest()
+	cc.txn.Insert(k, cr)
+	d := path.Dir(p)
+	if d == "/" {
+		d = ""
+	}
+	cc.dirtyMap[d] = struct{}{}
+
+	return nil
+}
+
+func (cc *cacheContext) Checksum(ctx context.Context, mountable cache.Mountable, p string) (digest.Digest, error) {
+	m := &mount{mountable: mountable}
+	defer m.clean()
+
+	const maxSymlinkLimit = 255
+	i := 0
+	for {
+		if i > maxSymlinkLimit {
+			return "", errors.Errorf("too many symlinks: %s", p)
+		}
+		cr, err := cc.checksumNoFollow(ctx, m, p)
+		if err != nil {
+			return "", err
+		}
+		if cr.Type == CacheRecordTypeSymlink {
+			link := cr.Linkname
+			if !path.IsAbs(cr.Linkname) {
+				link = path.Join(path.Dir(p), link)
+			}
+			i++
+			p = link
+		} else {
+			return cr.Digest, nil
+		}
+	}
+}
+
+func (cc *cacheContext) checksumNoFollow(ctx context.Context, m *mount, p string) (*CacheRecord, error) {
+	p = path.Join("/", filepath.ToSlash(p))
+	if p == "/" {
+		p = ""
+	}
+
+	cc.mu.RLock()
+	if cc.txn == nil {
+		root := cc.tree.Root()
+		cc.mu.RUnlock()
+		v, ok := root.Get(convertPathToKey([]byte(p)))
+		if ok {
+			cr := v.(*CacheRecord)
+			if cr.Digest != "" {
+				return cr, nil
+			}
+		}
+	} else {
+		cc.mu.RUnlock()
+	}
+
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+
+	if cc.txn != nil {
+		cc.commitActiveTransaction()
+	}
+
+	defer func() {
+		if cc.dirty {
+			go cc.save()
+			cc.dirty = false
+		}
+	}()
+
+	return cc.lazyChecksum(ctx, m, p)
+}
+
+func (cc *cacheContext) commitActiveTransaction() {
+	for d := range cc.dirtyMap {
+		addParentToMap(d, cc.dirtyMap)
+	}
+	for d := range cc.dirtyMap {
+		k := convertPathToKey([]byte(d))
+		if _, ok := cc.txn.Get(k); ok {
+			cc.txn.Insert(k, &CacheRecord{Type: CacheRecordTypeDir})
+		}
+	}
+	cc.tree = cc.txn.Commit()
+	cc.node = nil
+	cc.dirtyMap = map[string]struct{}{}
+	cc.txn = nil
+}
+
+func (cc *cacheContext) lazyChecksum(ctx context.Context, m *mount, p string) (*CacheRecord, error) {
+	root := cc.tree.Root()
+	if cc.needsScan(root, p) {
+		if err := cc.scanPath(ctx, m, p); err != nil {
+			return nil, err
+		}
+	}
+	k := convertPathToKey([]byte(p))
+	txn := cc.tree.Txn()
+	root = txn.Root()
+	cr, updated, err := cc.checksum(ctx, root, txn, m, k)
+	if err != nil {
+		return nil, err
+	}
+	cc.tree = txn.Commit()
+	cc.dirty = updated
+	return cr, err
+}
+
+func (cc *cacheContext) checksum(ctx context.Context, root *iradix.Node, txn *iradix.Txn, m *mount, k []byte) (*CacheRecord, bool, error) {
+	v, ok := root.Get(k)
+
+	if !ok {
+		return nil, false, errors.Wrapf(errNotFound, "%s not found", convertKeyToPath(k))
+	}
+	cr := v.(*CacheRecord)
+
+	if cr.Digest != "" {
+		return cr, false, nil
+	}
+	var dgst digest.Digest
+
+	switch cr.Type {
+	case CacheRecordTypeDir:
+		h := sha256.New()
+		next := append(k, 0)
+		iter := root.Seek(next)
+		subk := next
+		ok := true
+		for {
+			if !ok || !bytes.HasPrefix(subk, next) {
+				break
+			}
+			h.Write(bytes.TrimPrefix(subk, k))
+
+			subcr, _, err := cc.checksum(ctx, root, txn, m, subk)
+			if err != nil {
+				return nil, false, err
+			}
+
+			h.Write([]byte(subcr.Digest))
+
+			if subcr.Type == CacheRecordTypeDir { // skip subfiles
+				next := append(subk, 0, 0xff)
+				iter = root.Seek(next)
+			}
+			subk, _, ok = iter.Next()
+		}
+		dgst = digest.NewDigest(digest.SHA256, h)
+
+	default:
+		p := string(convertKeyToPath(bytes.TrimSuffix(k, []byte{0})))
+
+		target, err := m.mount(ctx)
+		if err != nil {
+			return nil, false, err
+		}
+
+		// no FollowSymlinkInScope because invalid paths should not be inserted
+		fp := filepath.Join(target, filepath.FromSlash(p))
+
+		fi, err := os.Lstat(fp)
+		if err != nil {
+			return nil, false, err
+		}
+
+		dgst, err = prepareDigest(fp, p, fi)
+		if err != nil {
+			return nil, false, err
+		}
+	}
+
+	cr2 := &CacheRecord{
+		Digest:   dgst,
+		Type:     cr.Type,
+		Linkname: cr.Linkname,
+	}
+
+	txn.Insert(k, cr2)
+
+	return cr2, true, nil
+}
+
+func (cc *cacheContext) needsScan(root *iradix.Node, p string) bool {
+	if p == "/" {
+		p = ""
+	}
+	if _, ok := root.Get(convertPathToKey([]byte(p))); !ok {
+		if p == "" {
+			return true
+		}
+		return cc.needsScan(root, path.Clean(path.Dir(p)))
+	}
+	return false
+}
+
+func (cc *cacheContext) scanPath(ctx context.Context, m *mount, p string) (retErr error) {
+	p = path.Join("/", p)
+	d, _ := path.Split(p)
+
+	mp, err := m.mount(ctx)
+	if err != nil {
+		return err
+	}
+
+	parentPath, err := fs.RootPath(mp, filepath.FromSlash(d))
+	if err != nil {
+		return err
+	}
+
+	n := cc.tree.Root()
+	txn := cc.tree.Txn()
+
+	err = filepath.Walk(parentPath, func(path string, fi os.FileInfo, err error) error {
+		if err != nil {
+			return errors.Wrapf(err, "failed to walk %s", path)
+		}
+		rel, err := filepath.Rel(mp, path)
+		if err != nil {
+			return err
+		}
+		k := []byte(filepath.Join("/", filepath.ToSlash(rel)))
+		if string(k) == "/" {
+			k = []byte{}
+		}
+		k = convertPathToKey(k)
+		if _, ok := n.Get(k); !ok {
+			cr := &CacheRecord{
+				Type: CacheRecordTypeFile,
+			}
+			if fi.Mode()&os.ModeSymlink != 0 {
+				cr.Type = CacheRecordTypeSymlink
+				link, err := os.Readlink(path)
+				if err != nil {
+					return err
+				}
+				cr.Linkname = filepath.ToSlash(link)
+			}
+			if fi.IsDir() {
+				cr.Type = CacheRecordTypeDirHeader
+				cr2 := &CacheRecord{
+					Type: CacheRecordTypeDir,
+				}
+				txn.Insert(k, cr2)
+				k = append(k, 0)
+			}
+			txn.Insert(k, cr)
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	cc.tree = txn.Commit()
+	return nil
+}
+
+func prepareDigest(fp, p string, fi os.FileInfo) (digest.Digest, error) {
+	h, err := NewFileHash(fp, fi)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to create hash for %s", p)
+	}
+	if fi.Mode().IsRegular() && fi.Size() > 0 {
+		// TODO: would be nice to put the contents to separate hash first
+		// so it can be cached for hardlinks
+		f, err := os.Open(fp)
+		if err != nil {
+			return "", errors.Wrapf(err, "failed to open %s", p)
+		}
+		defer f.Close()
+		if _, err := poolsCopy(h, f); err != nil {
+			return "", errors.Wrapf(err, "failed to copy file data for %s", p)
+		}
+	}
+	return digest.NewDigest(digest.SHA256, h), nil
+}
+
+func addParentToMap(d string, m map[string]struct{}) {
+	if d == "" {
+		return
+	}
+	d = path.Dir(d)
+	if d == "/" {
+		d = ""
+	}
+	m[d] = struct{}{}
+	addParentToMap(d, m)
+}
+
+func ensureOriginMetadata(md *metadata.StorageItem) *metadata.StorageItem {
+	v := md.Get("cache.equalMutable") // TODO: const
+	if v == nil {
+		return md
+	}
+	var mutable string
+	if err := v.Unmarshal(&mutable); err != nil {
+		return md
+	}
+	si, ok := md.Storage().Get(mutable)
+	if ok {
+		return si
+	}
+	return md
+}
+
+var pool32K = sync.Pool{
+	New: func() interface{} { return make([]byte, 32*1024) }, // 32K
+}
+
+func poolsCopy(dst io.Writer, src io.Reader) (written int64, err error) {
+	buf := pool32K.Get().([]byte)
+	written, err = io.CopyBuffer(dst, src, buf)
+	pool32K.Put(buf)
+	return
+}
+
+func convertPathToKey(p []byte) []byte {
+	return bytes.Replace([]byte(p), []byte("/"), []byte{0}, -1)
+}
+
+func convertKeyToPath(p []byte) []byte {
+	return bytes.Replace([]byte(p), []byte{0}, []byte("/"), -1)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.pb.go b/engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.pb.go
new file mode 100644
index 00000000..31dcce95
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.pb.go
@@ -0,0 +1,755 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: checksum.proto
+
+/*
+	Package contenthash is a generated protocol buffer package.
+
+	It is generated from these files:
+		checksum.proto
+
+	It has these top-level messages:
+		CacheRecord
+		CacheRecordWithPath
+		CacheRecords
+*/
+package contenthash
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+import _ "github.com/gogo/protobuf/gogoproto"
+
+import github_com_opencontainers_go_digest "github.com/opencontainers/go-digest"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type CacheRecordType int32
+
+const (
+	CacheRecordTypeFile      CacheRecordType = 0
+	CacheRecordTypeDir       CacheRecordType = 1
+	CacheRecordTypeDirHeader CacheRecordType = 2
+	CacheRecordTypeSymlink   CacheRecordType = 3
+)
+
+var CacheRecordType_name = map[int32]string{
+	0: "FILE",
+	1: "DIR",
+	2: "DIR_HEADER",
+	3: "SYMLINK",
+}
+var CacheRecordType_value = map[string]int32{
+	"FILE":       0,
+	"DIR":        1,
+	"DIR_HEADER": 2,
+	"SYMLINK":    3,
+}
+
+func (x CacheRecordType) String() string {
+	return proto.EnumName(CacheRecordType_name, int32(x))
+}
+func (CacheRecordType) EnumDescriptor() ([]byte, []int) { return fileDescriptorChecksum, []int{0} }
+
+type CacheRecord struct {
+	Digest   github_com_opencontainers_go_digest.Digest `protobuf:"bytes,1,opt,name=digest,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"digest"`
+	Type     CacheRecordType                            `protobuf:"varint,2,opt,name=type,proto3,enum=contenthash.CacheRecordType" json:"type,omitempty"`
+	Linkname string                                     `protobuf:"bytes,3,opt,name=linkname,proto3" json:"linkname,omitempty"`
+}
+
+func (m *CacheRecord) Reset()                    { *m = CacheRecord{} }
+func (m *CacheRecord) String() string            { return proto.CompactTextString(m) }
+func (*CacheRecord) ProtoMessage()               {}
+func (*CacheRecord) Descriptor() ([]byte, []int) { return fileDescriptorChecksum, []int{0} }
+
+func (m *CacheRecord) GetType() CacheRecordType {
+	if m != nil {
+		return m.Type
+	}
+	return CacheRecordTypeFile
+}
+
+func (m *CacheRecord) GetLinkname() string {
+	if m != nil {
+		return m.Linkname
+	}
+	return ""
+}
+
+type CacheRecordWithPath struct {
+	Path   string       `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
+	Record *CacheRecord `protobuf:"bytes,2,opt,name=record" json:"record,omitempty"`
+}
+
+func (m *CacheRecordWithPath) Reset()                    { *m = CacheRecordWithPath{} }
+func (m *CacheRecordWithPath) String() string            { return proto.CompactTextString(m) }
+func (*CacheRecordWithPath) ProtoMessage()               {}
+func (*CacheRecordWithPath) Descriptor() ([]byte, []int) { return fileDescriptorChecksum, []int{1} }
+
+func (m *CacheRecordWithPath) GetPath() string {
+	if m != nil {
+		return m.Path
+	}
+	return ""
+}
+
+func (m *CacheRecordWithPath) GetRecord() *CacheRecord {
+	if m != nil {
+		return m.Record
+	}
+	return nil
+}
+
+type CacheRecords struct {
+	Paths []*CacheRecordWithPath `protobuf:"bytes,1,rep,name=paths" json:"paths,omitempty"`
+}
+
+func (m *CacheRecords) Reset()                    { *m = CacheRecords{} }
+func (m *CacheRecords) String() string            { return proto.CompactTextString(m) }
+func (*CacheRecords) ProtoMessage()               {}
+func (*CacheRecords) Descriptor() ([]byte, []int) { return fileDescriptorChecksum, []int{2} }
+
+func (m *CacheRecords) GetPaths() []*CacheRecordWithPath {
+	if m != nil {
+		return m.Paths
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*CacheRecord)(nil), "contenthash.CacheRecord")
+	proto.RegisterType((*CacheRecordWithPath)(nil), "contenthash.CacheRecordWithPath")
+	proto.RegisterType((*CacheRecords)(nil), "contenthash.CacheRecords")
+	proto.RegisterEnum("contenthash.CacheRecordType", CacheRecordType_name, CacheRecordType_value)
+}
+func (m *CacheRecord) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CacheRecord) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Digest) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintChecksum(dAtA, i, uint64(len(m.Digest)))
+		i += copy(dAtA[i:], m.Digest)
+	}
+	if m.Type != 0 {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintChecksum(dAtA, i, uint64(m.Type))
+	}
+	if len(m.Linkname) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintChecksum(dAtA, i, uint64(len(m.Linkname)))
+		i += copy(dAtA[i:], m.Linkname)
+	}
+	return i, nil
+}
+
+func (m *CacheRecordWithPath) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CacheRecordWithPath) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Path) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintChecksum(dAtA, i, uint64(len(m.Path)))
+		i += copy(dAtA[i:], m.Path)
+	}
+	if m.Record != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintChecksum(dAtA, i, uint64(m.Record.Size()))
+		n1, err := m.Record.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n1
+	}
+	return i, nil
+}
+
+func (m *CacheRecords) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CacheRecords) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Paths) > 0 {
+		for _, msg := range m.Paths {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintChecksum(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeVarintChecksum(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *CacheRecord) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Digest)
+	if l > 0 {
+		n += 1 + l + sovChecksum(uint64(l))
+	}
+	if m.Type != 0 {
+		n += 1 + sovChecksum(uint64(m.Type))
+	}
+	l = len(m.Linkname)
+	if l > 0 {
+		n += 1 + l + sovChecksum(uint64(l))
+	}
+	return n
+}
+
+func (m *CacheRecordWithPath) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	if l > 0 {
+		n += 1 + l + sovChecksum(uint64(l))
+	}
+	if m.Record != nil {
+		l = m.Record.Size()
+		n += 1 + l + sovChecksum(uint64(l))
+	}
+	return n
+}
+
+func (m *CacheRecords) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Paths) > 0 {
+		for _, e := range m.Paths {
+			l = e.Size()
+			n += 1 + l + sovChecksum(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovChecksum(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozChecksum(x uint64) (n int) {
+	return sovChecksum(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *CacheRecord) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowChecksum
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CacheRecord: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CacheRecord: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Digest", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowChecksum
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthChecksum
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Digest = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			m.Type = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowChecksum
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Type |= (CacheRecordType(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Linkname", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowChecksum
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthChecksum
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Linkname = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipChecksum(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthChecksum
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CacheRecordWithPath) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowChecksum
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CacheRecordWithPath: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CacheRecordWithPath: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowChecksum
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthChecksum
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Record", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowChecksum
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthChecksum
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Record == nil {
+				m.Record = &CacheRecord{}
+			}
+			if err := m.Record.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipChecksum(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthChecksum
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CacheRecords) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowChecksum
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CacheRecords: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CacheRecords: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Paths", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowChecksum
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthChecksum
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Paths = append(m.Paths, &CacheRecordWithPath{})
+			if err := m.Paths[len(m.Paths)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipChecksum(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthChecksum
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipChecksum(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowChecksum
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowChecksum
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowChecksum
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthChecksum
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowChecksum
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipChecksum(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthChecksum = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowChecksum   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("checksum.proto", fileDescriptorChecksum) }
+
+var fileDescriptorChecksum = []byte{
+	// 418 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x92, 0xc1, 0x6a, 0xd4, 0x40,
+	0x18, 0xc7, 0x77, 0xba, 0xeb, 0xaa, 0xdf, 0x4a, 0x0d, 0x53, 0x68, 0xc3, 0x50, 0xb2, 0xe3, 0x5e,
+	0x5c, 0x8a, 0xcd, 0x96, 0x08, 0xde, 0xad, 0xd9, 0xa5, 0xd1, 0x2a, 0x32, 0x15, 0x44, 0x3c, 0x48,
+	0x36, 0x3b, 0x66, 0x42, 0x9b, 0x4c, 0x48, 0x66, 0x0f, 0xfb, 0x06, 0x92, 0x93, 0x2f, 0x90, 0x93,
+	0x82, 0xef, 0xe0, 0x5d, 0xe8, 0xd1, 0xb3, 0x87, 0x22, 0xeb, 0x8b, 0x48, 0x26, 0x55, 0x42, 0xca,
+	0x9e, 0xe6, 0xfb, 0x66, 0x7e, 0xdf, 0xff, 0xff, 0x9f, 0x61, 0x60, 0x3b, 0x10, 0x3c, 0x38, 0xcf,
+	0x97, 0xb1, 0x9d, 0x66, 0x52, 0x49, 0x3c, 0x08, 0x64, 0xa2, 0x78, 0xa2, 0x84, 0x9f, 0x0b, 0x72,
+	0x18, 0x46, 0x4a, 0x2c, 0xe7, 0x76, 0x20, 0xe3, 0x49, 0x28, 0x43, 0x39, 0xd1, 0xcc, 0x7c, 0xf9,
+	0x51, 0x77, 0xba, 0xd1, 0x55, 0x3d, 0x3b, 0xfa, 0x86, 0x60, 0xf0, 0xcc, 0x0f, 0x04, 0x67, 0x3c,
+	0x90, 0xd9, 0x02, 0x3f, 0x87, 0xfe, 0x22, 0x0a, 0x79, 0xae, 0x4c, 0x44, 0xd1, 0xf8, 0xee, 0xb1,
+	0x73, 0x79, 0x35, 0xec, 0xfc, 0xba, 0x1a, 0x1e, 0x34, 0x64, 0x65, 0xca, 0x93, 0xca, 0xd2, 0x8f,
+	0x12, 0x9e, 0xe5, 0x93, 0x50, 0x1e, 0xd6, 0x23, 0xb6, 0xab, 0x17, 0x76, 0xad, 0x80, 0x8f, 0xa0,
+	0xa7, 0x56, 0x29, 0x37, 0xb7, 0x28, 0x1a, 0x6f, 0x3b, 0xfb, 0x76, 0x23, 0xa6, 0xdd, 0xf0, 0x7c,
+	0xb3, 0x4a, 0x39, 0xd3, 0x24, 0x26, 0x70, 0xe7, 0x22, 0x4a, 0xce, 0x13, 0x3f, 0xe6, 0x66, 0xb7,
+	0xf2, 0x67, 0xff, 0xfb, 0xd1, 0x7b, 0xd8, 0x69, 0x0c, 0xbd, 0x8d, 0x94, 0x78, 0xed, 0x2b, 0x81,
+	0x31, 0xf4, 0x52, 0x5f, 0x89, 0x3a, 0x2e, 0xd3, 0x35, 0x3e, 0x82, 0x7e, 0xa6, 0x29, 0x6d, 0x3d,
+	0x70, 0xcc, 0x4d, 0xd6, 0xec, 0x9a, 0x1b, 0xcd, 0xe0, 0x5e, 0x63, 0x3b, 0xc7, 0x4f, 0xe0, 0x56,
+	0xa5, 0x94, 0x9b, 0x88, 0x76, 0xc7, 0x03, 0x87, 0x6e, 0x12, 0xf8, 0x17, 0x83, 0xd5, 0xf8, 0xc1,
+	0x0f, 0x04, 0xf7, 0x5b, 0x57, 0xc3, 0x0f, 0xa0, 0x37, 0xf3, 0x4e, 0xa7, 0x46, 0x87, 0xec, 0x15,
+	0x25, 0xdd, 0x69, 0x1d, 0xcf, 0xa2, 0x0b, 0x8e, 0x87, 0xd0, 0x75, 0x3d, 0x66, 0x20, 0xb2, 0x5b,
+	0x94, 0x14, 0xb7, 0x08, 0x37, 0xca, 0xf0, 0x23, 0x00, 0xd7, 0x63, 0x1f, 0x4e, 0xa6, 0x4f, 0xdd,
+	0x29, 0x33, 0xb6, 0xc8, 0x7e, 0x51, 0x52, 0xf3, 0x26, 0x77, 0xc2, 0xfd, 0x05, 0xcf, 0xf0, 0x43,
+	0xb8, 0x7d, 0xf6, 0xee, 0xe5, 0xa9, 0xf7, 0xea, 0x85, 0xd1, 0x25, 0xa4, 0x28, 0xe9, 0x6e, 0x0b,
+	0x3d, 0x5b, 0xc5, 0xd5, 0xbb, 0x92, 0xbd, 0x4f, 0x5f, 0xac, 0xce, 0xf7, 0xaf, 0x56, 0x3b, 0xf3,
+	0xb1, 0x71, 0xb9, 0xb6, 0xd0, 0xcf, 0xb5, 0x85, 0x7e, 0xaf, 0x2d, 0xf4, 0xf9, 0x8f, 0xd5, 0x99,
+	0xf7, 0xf5, 0x7f, 0x79, 0xfc, 0x37, 0x00, 0x00, 0xff, 0xff, 0x55, 0xf2, 0x2e, 0x06, 0x7d, 0x02,
+	0x00, 0x00,
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.proto b/engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.proto
new file mode 100644
index 00000000..d6e524ea
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/contenthash/checksum.proto
@@ -0,0 +1,30 @@
+syntax = "proto3";
+
+package contenthash;
+
+import "github.com/gogo/protobuf/gogoproto/gogo.proto";
+
+enum CacheRecordType {
+	option (gogoproto.goproto_enum_prefix) = false;
+	option (gogoproto.enum_customname) = "CacheRecordType";
+
+	FILE = 0 [(gogoproto.enumvalue_customname) = "CacheRecordTypeFile"];
+	DIR = 1 [(gogoproto.enumvalue_customname) = "CacheRecordTypeDir"];
+	DIR_HEADER = 2 [(gogoproto.enumvalue_customname) = "CacheRecordTypeDirHeader"];
+	SYMLINK = 3 [(gogoproto.enumvalue_customname) = "CacheRecordTypeSymlink"];
+}
+
+message CacheRecord {
+	string digest = 1 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	CacheRecordType type = 2;
+	string linkname = 3;
+}
+
+message CacheRecordWithPath {
+	string path = 1;
+	CacheRecord record = 2;
+}
+
+message CacheRecords {
+	repeated CacheRecordWithPath paths = 1;
+}
\ No newline at end of file
diff --git a/engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash.go b/engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash.go
new file mode 100644
index 00000000..46c15cc6
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash.go
@@ -0,0 +1,98 @@
+package contenthash
+
+import (
+	"archive/tar"
+	"crypto/sha256"
+	"hash"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/tonistiigi/fsutil"
+)
+
+// NewFileHash returns new hash that is used for the builder cache keys
+func NewFileHash(path string, fi os.FileInfo) (hash.Hash, error) {
+	var link string
+	if fi.Mode()&os.ModeSymlink != 0 {
+		var err error
+		link, err = os.Readlink(path)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	stat := &fsutil.Stat{
+		Mode:     uint32(fi.Mode()),
+		Size_:    fi.Size(),
+		ModTime:  fi.ModTime().UnixNano(),
+		Linkname: link,
+	}
+
+	if fi.Mode()&os.ModeSymlink != 0 {
+		stat.Mode = stat.Mode | 0777
+	}
+
+	if err := setUnixOpt(path, fi, stat); err != nil {
+		return nil, err
+	}
+	return NewFromStat(stat)
+}
+
+func NewFromStat(stat *fsutil.Stat) (hash.Hash, error) {
+	fi := &statInfo{stat}
+	hdr, err := tar.FileInfoHeader(fi, stat.Linkname)
+	if err != nil {
+		return nil, err
+	}
+	hdr.Name = "" // note: empty name is different from current has in docker build. Name is added on recursive directory scan instead
+	hdr.Mode = int64(chmodWindowsTarEntry(os.FileMode(hdr.Mode)))
+	hdr.Devmajor = stat.Devmajor
+	hdr.Devminor = stat.Devminor
+
+	if len(stat.Xattrs) > 0 {
+		hdr.Xattrs = make(map[string]string, len(stat.Xattrs))
+		for k, v := range stat.Xattrs {
+			hdr.Xattrs[k] = string(v)
+		}
+	}
+	// fmt.Printf("hdr: %#v\n", hdr)
+	tsh := &tarsumHash{hdr: hdr, Hash: sha256.New()}
+	tsh.Reset() // initialize header
+	return tsh, nil
+}
+
+type tarsumHash struct {
+	hash.Hash
+	hdr *tar.Header
+}
+
+// Reset resets the Hash to its initial state.
+func (tsh *tarsumHash) Reset() {
+	// comply with hash.Hash and reset to the state hash had before any writes
+	tsh.Hash.Reset()
+	WriteV1TarsumHeaders(tsh.hdr, tsh.Hash)
+}
+
+type statInfo struct {
+	*fsutil.Stat
+}
+
+func (s *statInfo) Name() string {
+	return filepath.Base(s.Stat.Path)
+}
+func (s *statInfo) Size() int64 {
+	return s.Stat.Size_
+}
+func (s *statInfo) Mode() os.FileMode {
+	return os.FileMode(s.Stat.Mode)
+}
+func (s *statInfo) ModTime() time.Time {
+	return time.Unix(s.Stat.ModTime/1e9, s.Stat.ModTime%1e9)
+}
+func (s *statInfo) IsDir() bool {
+	return s.Mode().IsDir()
+}
+func (s *statInfo) Sys() interface{} {
+	return s.Stat
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash_unix.go b/engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash_unix.go
new file mode 100644
index 00000000..0939112c
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash_unix.go
@@ -0,0 +1,47 @@
+// +build !windows
+
+package contenthash
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/tonistiigi/fsutil"
+
+	"golang.org/x/sys/unix"
+)
+
+func chmodWindowsTarEntry(perm os.FileMode) os.FileMode {
+	return perm
+}
+
+func setUnixOpt(path string, fi os.FileInfo, stat *fsutil.Stat) error {
+	s := fi.Sys().(*syscall.Stat_t)
+
+	stat.Uid = s.Uid
+	stat.Gid = s.Gid
+
+	if !fi.IsDir() {
+		if s.Mode&syscall.S_IFBLK != 0 ||
+			s.Mode&syscall.S_IFCHR != 0 {
+			stat.Devmajor = int64(unix.Major(uint64(s.Rdev)))
+			stat.Devminor = int64(unix.Minor(uint64(s.Rdev)))
+		}
+	}
+
+	attrs, err := sysx.LListxattr(path)
+	if err != nil {
+		return err
+	}
+	if len(attrs) > 0 {
+		stat.Xattrs = map[string][]byte{}
+		for _, attr := range attrs {
+			v, err := sysx.LGetxattr(path, attr)
+			if err == nil {
+				stat.Xattrs[attr] = v
+			}
+		}
+	}
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash_windows.go b/engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash_windows.go
new file mode 100644
index 00000000..340954aa
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/contenthash/filehash_windows.go
@@ -0,0 +1,23 @@
+// +build windows
+
+package contenthash
+
+import (
+	"os"
+
+	"github.com/tonistiigi/fsutil"
+)
+
+// chmodWindowsTarEntry is used to adjust the file permissions used in tar
+// header based on the platform the archival is done.
+func chmodWindowsTarEntry(perm os.FileMode) os.FileMode {
+	perm &= 0755
+	// Add the x bit: make everything +x from windows
+	perm |= 0111
+
+	return perm
+}
+
+func setUnixOpt(path string, fi os.FileInfo, stat *fsutil.Stat) error {
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/contenthash/generate.go b/engine/vendor/github.com/moby/buildkit/cache/contenthash/generate.go
new file mode 100644
index 00000000..e4bd2c50
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/contenthash/generate.go
@@ -0,0 +1,3 @@
+package contenthash
+
+//go:generate protoc -I=. -I=../../vendor/ --gogofaster_out=. checksum.proto
diff --git a/engine/vendor/github.com/moby/buildkit/cache/contenthash/tarsum.go b/engine/vendor/github.com/moby/buildkit/cache/contenthash/tarsum.go
new file mode 100644
index 00000000..601c41ec
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/contenthash/tarsum.go
@@ -0,0 +1,60 @@
+package contenthash
+
+import (
+	"archive/tar"
+	"io"
+	"sort"
+	"strconv"
+)
+
+// WriteV1TarsumHeaders writes a tar header to a writer in V1 tarsum format.
+func WriteV1TarsumHeaders(h *tar.Header, w io.Writer) {
+	for _, elem := range v1TarHeaderSelect(h) {
+		w.Write([]byte(elem[0] + elem[1]))
+	}
+}
+
+// Functions below are from docker legacy tarsum implementation.
+// There is no valid technical reason to continue using them.
+
+func v0TarHeaderSelect(h *tar.Header) (orderedHeaders [][2]string) {
+	return [][2]string{
+		{"name", h.Name},
+		{"mode", strconv.FormatInt(h.Mode, 10)},
+		{"uid", strconv.Itoa(h.Uid)},
+		{"gid", strconv.Itoa(h.Gid)},
+		{"size", strconv.FormatInt(h.Size, 10)},
+		{"mtime", strconv.FormatInt(h.ModTime.UTC().Unix(), 10)},
+		{"typeflag", string([]byte{h.Typeflag})},
+		{"linkname", h.Linkname},
+		{"uname", h.Uname},
+		{"gname", h.Gname},
+		{"devmajor", strconv.FormatInt(h.Devmajor, 10)},
+		{"devminor", strconv.FormatInt(h.Devminor, 10)},
+	}
+}
+
+func v1TarHeaderSelect(h *tar.Header) (orderedHeaders [][2]string) {
+	// Get extended attributes.
+	xAttrKeys := make([]string, len(h.Xattrs))
+	for k := range h.Xattrs {
+		xAttrKeys = append(xAttrKeys, k)
+	}
+	sort.Strings(xAttrKeys)
+
+	// Make the slice with enough capacity to hold the 11 basic headers
+	// we want from the v0 selector plus however many xattrs we have.
+	orderedHeaders = make([][2]string, 0, 11+len(xAttrKeys))
+
+	// Copy all headers from v0 excluding the 'mtime' header (the 5th element).
+	v0headers := v0TarHeaderSelect(h)
+	orderedHeaders = append(orderedHeaders, v0headers[0:5]...)
+	orderedHeaders = append(orderedHeaders, v0headers[6:]...)
+
+	// Finally, append the sorted xattrs.
+	for _, k := range xAttrKeys {
+		orderedHeaders = append(orderedHeaders, [2]string{k, h.Xattrs[k]})
+	}
+
+	return
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/fsutil.go b/engine/vendor/github.com/moby/buildkit/cache/fsutil.go
new file mode 100644
index 00000000..ec757d5e
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/fsutil.go
@@ -0,0 +1,71 @@
+package cache
+
+import (
+	"context"
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/containerd/continuity/fs"
+	"github.com/moby/buildkit/snapshot"
+)
+
+type ReadRequest struct {
+	Filename string
+	Range    *FileRange
+}
+
+type FileRange struct {
+	Offset int
+	Length int
+}
+
+func ReadFile(ctx context.Context, ref ImmutableRef, req ReadRequest) ([]byte, error) {
+	mount, err := ref.Mount(ctx, true)
+	if err != nil {
+		return nil, err
+	}
+
+	lm := snapshot.LocalMounter(mount)
+
+	root, err := lm.Mount()
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if lm != nil {
+			lm.Unmount()
+		}
+	}()
+
+	fp, err := fs.RootPath(root, req.Filename)
+	if err != nil {
+		return nil, err
+	}
+
+	var dt []byte
+
+	if req.Range == nil {
+		dt, err = ioutil.ReadFile(fp)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		f, err := os.Open(fp)
+		if err != nil {
+			return nil, err
+		}
+		dt, err = ioutil.ReadAll(io.NewSectionReader(f, int64(req.Range.Offset), int64(req.Range.Length)))
+		f.Close()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if err := lm.Unmount(); err != nil {
+		return nil, err
+	}
+	lm = nil
+	return dt, err
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/gc.go b/engine/vendor/github.com/moby/buildkit/cache/gc.go
new file mode 100644
index 00000000..31a98b93
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/gc.go
@@ -0,0 +1,27 @@
+package cache
+
+import (
+	"context"
+	"errors"
+	"time"
+)
+
+// GCPolicy defines policy for garbage collection
+type GCPolicy struct {
+	MaxSize         uint64
+	MaxKeepDuration time.Duration
+}
+
+// // CachePolicy defines policy for keeping a resource in cache
+// type CachePolicy struct {
+// 	Priority int
+// 	LastUsed time.Time
+// }
+//
+// func defaultCachePolicy() CachePolicy {
+// 	return CachePolicy{Priority: 10, LastUsed: time.Now()}
+// }
+
+func (cm *cacheManager) GC(ctx context.Context) error {
+	return errors.New("GC not implemented")
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/manager.go b/engine/vendor/github.com/moby/buildkit/cache/manager.go
new file mode 100644
index 00000000..cf096e57
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/manager.go
@@ -0,0 +1,573 @@
+package cache
+
+import (
+	"context"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/snapshots"
+	"github.com/moby/buildkit/cache/metadata"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/snapshot"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+)
+
+var (
+	ErrLocked   = errors.New("locked")
+	errNotFound = errors.New("not found")
+	errInvalid  = errors.New("invalid")
+)
+
+type ManagerOpt struct {
+	Snapshotter   snapshot.SnapshotterBase
+	GCPolicy      GCPolicy
+	MetadataStore *metadata.Store
+}
+
+type Accessor interface {
+	Get(ctx context.Context, id string, opts ...RefOption) (ImmutableRef, error)
+	GetFromSnapshotter(ctx context.Context, id string, opts ...RefOption) (ImmutableRef, error)
+	New(ctx context.Context, s ImmutableRef, opts ...RefOption) (MutableRef, error)
+	GetMutable(ctx context.Context, id string) (MutableRef, error) // Rebase?
+}
+
+type Controller interface {
+	DiskUsage(ctx context.Context, info client.DiskUsageInfo) ([]*client.UsageInfo, error)
+	Prune(ctx context.Context, ch chan client.UsageInfo) error
+	GC(ctx context.Context) error
+}
+
+type Manager interface {
+	Accessor
+	Controller
+	Close() error
+}
+
+type cacheManager struct {
+	records map[string]*cacheRecord
+	mu      sync.Mutex
+	ManagerOpt
+	md *metadata.Store
+
+	muPrune sync.Mutex // make sure parallel prune is not allowed so there will not be inconsistent results
+}
+
+func NewManager(opt ManagerOpt) (Manager, error) {
+	cm := &cacheManager{
+		ManagerOpt: opt,
+		md:         opt.MetadataStore,
+		records:    make(map[string]*cacheRecord),
+	}
+
+	if err := cm.init(context.TODO()); err != nil {
+		return nil, err
+	}
+
+	// cm.scheduleGC(5 * time.Minute)
+
+	return cm, nil
+}
+
+// init loads all snapshots from metadata state and tries to load the records
+// from the snapshotter. If snaphot can't be found, metadata is deleted as well.
+func (cm *cacheManager) init(ctx context.Context) error {
+	items, err := cm.md.All()
+	if err != nil {
+		return err
+	}
+
+	for _, si := range items {
+		if _, err := cm.getRecord(ctx, si.ID(), false); err != nil {
+			logrus.Debugf("could not load snapshot %s: %v", si.ID(), err)
+			cm.md.Clear(si.ID())
+			// TODO: make sure content is deleted as well
+		}
+	}
+	return nil
+}
+
+// Close closes the manager and releases the metadata database lock. No other
+// method should be called after Close.
+func (cm *cacheManager) Close() error {
+	// TODO: allocate internal context and cancel it here
+	return cm.md.Close()
+}
+
+// Get returns an immutable snapshot reference for ID
+func (cm *cacheManager) Get(ctx context.Context, id string, opts ...RefOption) (ImmutableRef, error) {
+	cm.mu.Lock()
+	defer cm.mu.Unlock()
+	return cm.get(ctx, id, false, opts...)
+}
+
+// Get returns an immutable snapshot reference for ID
+func (cm *cacheManager) GetFromSnapshotter(ctx context.Context, id string, opts ...RefOption) (ImmutableRef, error) {
+	cm.mu.Lock()
+	defer cm.mu.Unlock()
+	return cm.get(ctx, id, true, opts...)
+}
+
+// get requires manager lock to be taken
+func (cm *cacheManager) get(ctx context.Context, id string, fromSnapshotter bool, opts ...RefOption) (ImmutableRef, error) {
+	rec, err := cm.getRecord(ctx, id, fromSnapshotter, opts...)
+	if err != nil {
+		return nil, err
+	}
+	rec.mu.Lock()
+	defer rec.mu.Unlock()
+
+	if rec.mutable {
+		if len(rec.refs) != 0 {
+			return nil, errors.Wrapf(ErrLocked, "%s is locked", id)
+		}
+		if rec.equalImmutable != nil {
+			return rec.equalImmutable.ref(), nil
+		}
+		return rec.mref().commit(ctx)
+	}
+
+	return rec.ref(), nil
+}
+
+// getRecord returns record for id. Requires manager lock.
+func (cm *cacheManager) getRecord(ctx context.Context, id string, fromSnapshotter bool, opts ...RefOption) (cr *cacheRecord, retErr error) {
+	if rec, ok := cm.records[id]; ok {
+		if rec.isDead() {
+			return nil, errNotFound
+		}
+		return rec, nil
+	}
+
+	md, ok := cm.md.Get(id)
+	if !ok && !fromSnapshotter {
+		return nil, errNotFound
+	}
+	if mutableID := getEqualMutable(md); mutableID != "" {
+		mutable, err := cm.getRecord(ctx, mutableID, fromSnapshotter)
+		if err != nil {
+			// check loading mutable deleted record from disk
+			if errors.Cause(err) == errNotFound {
+				cm.md.Clear(id)
+			}
+			return nil, err
+		}
+		rec := &cacheRecord{
+			mu:           &sync.Mutex{},
+			cm:           cm,
+			refs:         make(map[Mountable]struct{}),
+			parent:       mutable.Parent(),
+			md:           md,
+			equalMutable: &mutableRef{cacheRecord: mutable},
+		}
+		mutable.equalImmutable = &immutableRef{cacheRecord: rec}
+		cm.records[id] = rec
+		return rec, nil
+	}
+
+	info, err := cm.Snapshotter.Stat(ctx, id)
+	if err != nil {
+		return nil, errors.Wrap(errNotFound, err.Error())
+	}
+
+	var parent ImmutableRef
+	if info.Parent != "" {
+		parent, err = cm.get(ctx, info.Parent, fromSnapshotter, opts...)
+		if err != nil {
+			return nil, err
+		}
+		defer func() {
+			if retErr != nil {
+				parent.Release(context.TODO())
+			}
+		}()
+	}
+
+	rec := &cacheRecord{
+		mu:      &sync.Mutex{},
+		mutable: info.Kind != snapshots.KindCommitted,
+		cm:      cm,
+		refs:    make(map[Mountable]struct{}),
+		parent:  parent,
+		md:      md,
+	}
+
+	// the record was deleted but we crashed before data on disk was removed
+	if getDeleted(md) {
+		if err := rec.remove(ctx, true); err != nil {
+			return nil, err
+		}
+		return nil, errNotFound
+	}
+
+	if err := initializeMetadata(rec, opts...); err != nil {
+		if parent != nil {
+			parent.Release(context.TODO())
+		}
+		return nil, err
+	}
+
+	cm.records[id] = rec
+	return rec, nil
+}
+
+func (cm *cacheManager) New(ctx context.Context, s ImmutableRef, opts ...RefOption) (MutableRef, error) {
+	id := identity.NewID()
+
+	var parent ImmutableRef
+	var parentID string
+	if s != nil {
+		var err error
+		parent, err = cm.Get(ctx, s.ID())
+		if err != nil {
+			return nil, err
+		}
+		if err := parent.Finalize(ctx, true); err != nil {
+			return nil, err
+		}
+		parentID = parent.ID()
+	}
+
+	if err := cm.Snapshotter.Prepare(ctx, id, parentID); err != nil {
+		if parent != nil {
+			parent.Release(context.TODO())
+		}
+		return nil, errors.Wrapf(err, "failed to prepare %s", id)
+	}
+
+	md, _ := cm.md.Get(id)
+
+	rec := &cacheRecord{
+		mu:      &sync.Mutex{},
+		mutable: true,
+		cm:      cm,
+		refs:    make(map[Mountable]struct{}),
+		parent:  parent,
+		md:      md,
+	}
+
+	if err := initializeMetadata(rec, opts...); err != nil {
+		if parent != nil {
+			parent.Release(context.TODO())
+		}
+		return nil, err
+	}
+
+	cm.mu.Lock()
+	defer cm.mu.Unlock()
+
+	cm.records[id] = rec // TODO: save to db
+
+	return rec.mref(), nil
+}
+func (cm *cacheManager) GetMutable(ctx context.Context, id string) (MutableRef, error) {
+	cm.mu.Lock()
+	defer cm.mu.Unlock()
+
+	rec, err := cm.getRecord(ctx, id, false)
+	if err != nil {
+		return nil, err
+	}
+
+	rec.mu.Lock()
+	defer rec.mu.Unlock()
+	if !rec.mutable {
+		return nil, errors.Wrapf(errInvalid, "%s is not mutable", id)
+	}
+
+	if len(rec.refs) != 0 {
+		return nil, errors.Wrapf(ErrLocked, "%s is locked", id)
+	}
+
+	if rec.equalImmutable != nil {
+		if len(rec.equalImmutable.refs) != 0 {
+			return nil, errors.Wrapf(ErrLocked, "%s is locked", id)
+		}
+		delete(cm.records, rec.equalImmutable.ID())
+		if err := rec.equalImmutable.remove(ctx, false); err != nil {
+			return nil, err
+		}
+		rec.equalImmutable = nil
+	}
+
+	return rec.mref(), nil
+}
+
+func (cm *cacheManager) Prune(ctx context.Context, ch chan client.UsageInfo) error {
+	cm.muPrune.Lock()
+	defer cm.muPrune.Unlock()
+	return cm.prune(ctx, ch)
+}
+
+func (cm *cacheManager) prune(ctx context.Context, ch chan client.UsageInfo) error {
+	var toDelete []*cacheRecord
+	cm.mu.Lock()
+
+	for _, cr := range cm.records {
+		cr.mu.Lock()
+
+		// ignore duplicates that share data
+		if cr.equalImmutable != nil && len(cr.equalImmutable.refs) > 0 || cr.equalMutable != nil && len(cr.refs) == 0 {
+			cr.mu.Unlock()
+			continue
+		}
+
+		if cr.isDead() {
+			cr.mu.Unlock()
+			continue
+		}
+
+		if len(cr.refs) == 0 {
+			cr.dead = true
+			toDelete = append(toDelete, cr)
+		}
+
+		// mark metadata as deleted in case we crash before cleanup finished
+		if err := setDeleted(cr.md); err != nil {
+			cr.mu.Unlock()
+			cm.mu.Unlock()
+			return err
+		}
+		cr.mu.Unlock()
+	}
+
+	cm.mu.Unlock()
+
+	if len(toDelete) == 0 {
+		return nil
+	}
+
+	var err error
+	for _, cr := range toDelete {
+		cr.mu.Lock()
+
+		usageCount, lastUsedAt := getLastUsed(cr.md)
+
+		c := client.UsageInfo{
+			ID:          cr.ID(),
+			Mutable:     cr.mutable,
+			InUse:       len(cr.refs) > 0,
+			Size:        getSize(cr.md),
+			CreatedAt:   GetCreatedAt(cr.md),
+			Description: GetDescription(cr.md),
+			LastUsedAt:  lastUsedAt,
+			UsageCount:  usageCount,
+		}
+
+		if cr.parent != nil {
+			c.Parent = cr.parent.ID()
+		}
+
+		if c.Size == sizeUnknown {
+			cr.mu.Unlock() // all the non-prune modifications already protected by cr.dead
+			s, err := cr.Size(ctx)
+			if err != nil {
+				return err
+			}
+			c.Size = s
+			cr.mu.Lock()
+		}
+
+		if cr.equalImmutable != nil {
+			if err1 := cr.equalImmutable.remove(ctx, false); err == nil {
+				err = err1
+			}
+		}
+		if err1 := cr.remove(ctx, true); err == nil {
+			err = err1
+		}
+
+		if err == nil && ch != nil {
+			ch <- c
+		}
+		cr.mu.Unlock()
+	}
+	if err != nil {
+		return err
+	}
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+		return cm.prune(ctx, ch)
+	}
+}
+
+func (cm *cacheManager) DiskUsage(ctx context.Context, opt client.DiskUsageInfo) ([]*client.UsageInfo, error) {
+	cm.mu.Lock()
+
+	type cacheUsageInfo struct {
+		refs        int
+		parent      string
+		size        int64
+		mutable     bool
+		createdAt   time.Time
+		usageCount  int
+		lastUsedAt  *time.Time
+		description string
+		doubleRef   bool
+	}
+
+	m := make(map[string]*cacheUsageInfo, len(cm.records))
+	rescan := make(map[string]struct{}, len(cm.records))
+
+	for id, cr := range cm.records {
+		cr.mu.Lock()
+		// ignore duplicates that share data
+		if cr.equalImmutable != nil && len(cr.equalImmutable.refs) > 0 || cr.equalMutable != nil && len(cr.refs) == 0 {
+			cr.mu.Unlock()
+			continue
+		}
+
+		usageCount, lastUsedAt := getLastUsed(cr.md)
+		c := &cacheUsageInfo{
+			refs:        len(cr.refs),
+			mutable:     cr.mutable,
+			size:        getSize(cr.md),
+			createdAt:   GetCreatedAt(cr.md),
+			usageCount:  usageCount,
+			lastUsedAt:  lastUsedAt,
+			description: GetDescription(cr.md),
+			doubleRef:   cr.equalImmutable != nil,
+		}
+		if cr.parent != nil {
+			c.parent = cr.parent.ID()
+		}
+		if cr.mutable && c.refs > 0 {
+			c.size = 0 // size can not be determined because it is changing
+		}
+		m[id] = c
+		rescan[id] = struct{}{}
+		cr.mu.Unlock()
+	}
+	cm.mu.Unlock()
+
+	for {
+		if len(rescan) == 0 {
+			break
+		}
+		for id := range rescan {
+			v := m[id]
+			if v.refs == 0 && v.parent != "" {
+				m[v.parent].refs--
+				if v.doubleRef {
+					m[v.parent].refs--
+				}
+				rescan[v.parent] = struct{}{}
+			}
+			delete(rescan, id)
+		}
+	}
+
+	var du []*client.UsageInfo
+	for id, cr := range m {
+		if opt.Filter != "" && !strings.HasPrefix(id, opt.Filter) {
+			continue
+		}
+
+		c := &client.UsageInfo{
+			ID:          id,
+			Mutable:     cr.mutable,
+			InUse:       cr.refs > 0,
+			Size:        cr.size,
+			Parent:      cr.parent,
+			CreatedAt:   cr.createdAt,
+			Description: cr.description,
+			LastUsedAt:  cr.lastUsedAt,
+			UsageCount:  cr.usageCount,
+		}
+		du = append(du, c)
+	}
+
+	eg, ctx := errgroup.WithContext(ctx)
+
+	for _, d := range du {
+		if d.Size == sizeUnknown {
+			func(d *client.UsageInfo) {
+				eg.Go(func() error {
+					ref, err := cm.Get(ctx, d.ID)
+					if err != nil {
+						d.Size = 0
+						return nil
+					}
+					s, err := ref.Size(ctx)
+					if err != nil {
+						return err
+					}
+					d.Size = s
+					return ref.Release(context.TODO())
+				})
+			}(d)
+		}
+	}
+
+	if err := eg.Wait(); err != nil {
+		return du, err
+	}
+
+	return du, nil
+}
+
+func IsLocked(err error) bool {
+	return errors.Cause(err) == ErrLocked
+}
+
+func IsNotFound(err error) bool {
+	return errors.Cause(err) == errNotFound
+}
+
+type RefOption func(withMetadata) error
+
+type cachePolicy int
+
+const (
+	cachePolicyDefault cachePolicy = iota
+	cachePolicyRetain
+)
+
+type withMetadata interface {
+	Metadata() *metadata.StorageItem
+}
+
+func HasCachePolicyRetain(m withMetadata) bool {
+	return getCachePolicy(m.Metadata()) == cachePolicyRetain
+}
+
+func CachePolicyRetain(m withMetadata) error {
+	return queueCachePolicy(m.Metadata(), cachePolicyRetain)
+}
+
+func WithDescription(descr string) RefOption {
+	return func(m withMetadata) error {
+		return queueDescription(m.Metadata(), descr)
+	}
+}
+
+func WithCreationTime(tm time.Time) RefOption {
+	return func(m withMetadata) error {
+		return queueCreatedAt(m.Metadata(), tm)
+	}
+}
+
+func initializeMetadata(m withMetadata, opts ...RefOption) error {
+	md := m.Metadata()
+	if tm := GetCreatedAt(md); !tm.IsZero() {
+		return nil
+	}
+
+	if err := queueCreatedAt(md, time.Now()); err != nil {
+		return err
+	}
+
+	for _, opt := range opts {
+		if err := opt(m); err != nil {
+			return err
+		}
+	}
+
+	return md.Commit()
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/metadata.go b/engine/vendor/github.com/moby/buildkit/cache/metadata.go
new file mode 100644
index 00000000..787b5a5b
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/metadata.go
@@ -0,0 +1,206 @@
+package cache
+
+import (
+	"time"
+
+	"github.com/boltdb/bolt"
+	"github.com/moby/buildkit/cache/metadata"
+	"github.com/pkg/errors"
+)
+
+const sizeUnknown int64 = -1
+const keySize = "snapshot.size"
+const keyEqualMutable = "cache.equalMutable"
+const keyCachePolicy = "cache.cachePolicy"
+const keyDescription = "cache.description"
+const keyCreatedAt = "cache.createdAt"
+const keyLastUsedAt = "cache.lastUsedAt"
+const keyUsageCount = "cache.usageCount"
+
+const keyDeleted = "cache.deleted"
+
+func setDeleted(si *metadata.StorageItem) error {
+	v, err := metadata.NewValue(true)
+	if err != nil {
+		return errors.Wrap(err, "failed to create size value")
+	}
+	si.Update(func(b *bolt.Bucket) error {
+		return si.SetValue(b, keyDeleted, v)
+	})
+	return nil
+}
+
+func getDeleted(si *metadata.StorageItem) bool {
+	v := si.Get(keyDeleted)
+	if v == nil {
+		return false
+	}
+	var deleted bool
+	if err := v.Unmarshal(&deleted); err != nil {
+		return false
+	}
+	return deleted
+}
+
+func setSize(si *metadata.StorageItem, s int64) error {
+	v, err := metadata.NewValue(s)
+	if err != nil {
+		return errors.Wrap(err, "failed to create size value")
+	}
+	si.Queue(func(b *bolt.Bucket) error {
+		return si.SetValue(b, keySize, v)
+	})
+	return nil
+}
+
+func getSize(si *metadata.StorageItem) int64 {
+	v := si.Get(keySize)
+	if v == nil {
+		return sizeUnknown
+	}
+	var size int64
+	if err := v.Unmarshal(&size); err != nil {
+		return sizeUnknown
+	}
+	return size
+}
+
+func getEqualMutable(si *metadata.StorageItem) string {
+	v := si.Get(keyEqualMutable)
+	if v == nil {
+		return ""
+	}
+	var str string
+	if err := v.Unmarshal(&str); err != nil {
+		return ""
+	}
+	return str
+}
+
+func setEqualMutable(si *metadata.StorageItem, s string) error {
+	v, err := metadata.NewValue(s)
+	if err != nil {
+		return errors.Wrapf(err, "failed to create %s meta value", keyEqualMutable)
+	}
+	si.Queue(func(b *bolt.Bucket) error {
+		return si.SetValue(b, keyEqualMutable, v)
+	})
+	return nil
+}
+
+func clearEqualMutable(si *metadata.StorageItem) error {
+	si.Queue(func(b *bolt.Bucket) error {
+		return si.SetValue(b, keyEqualMutable, nil)
+	})
+	return nil
+}
+
+func queueCachePolicy(si *metadata.StorageItem, p cachePolicy) error {
+	v, err := metadata.NewValue(p)
+	if err != nil {
+		return errors.Wrap(err, "failed to create cachePolicy value")
+	}
+	si.Queue(func(b *bolt.Bucket) error {
+		return si.SetValue(b, keyCachePolicy, v)
+	})
+	return nil
+}
+
+func getCachePolicy(si *metadata.StorageItem) cachePolicy {
+	v := si.Get(keyCachePolicy)
+	if v == nil {
+		return cachePolicyDefault
+	}
+	var p cachePolicy
+	if err := v.Unmarshal(&p); err != nil {
+		return cachePolicyDefault
+	}
+	return p
+}
+
+func queueDescription(si *metadata.StorageItem, descr string) error {
+	v, err := metadata.NewValue(descr)
+	if err != nil {
+		return errors.Wrap(err, "failed to create description value")
+	}
+	si.Queue(func(b *bolt.Bucket) error {
+		return si.SetValue(b, keyDescription, v)
+	})
+	return nil
+}
+
+func GetDescription(si *metadata.StorageItem) string {
+	v := si.Get(keyDescription)
+	if v == nil {
+		return ""
+	}
+	var str string
+	if err := v.Unmarshal(&str); err != nil {
+		return ""
+	}
+	return str
+}
+
+func queueCreatedAt(si *metadata.StorageItem, tm time.Time) error {
+	v, err := metadata.NewValue(tm.UnixNano())
+	if err != nil {
+		return errors.Wrap(err, "failed to create createdAt value")
+	}
+	si.Queue(func(b *bolt.Bucket) error {
+		return si.SetValue(b, keyCreatedAt, v)
+	})
+	return nil
+}
+
+func GetCreatedAt(si *metadata.StorageItem) time.Time {
+	v := si.Get(keyCreatedAt)
+	if v == nil {
+		return time.Time{}
+	}
+	var tm int64
+	if err := v.Unmarshal(&tm); err != nil {
+		return time.Time{}
+	}
+	return time.Unix(tm/1e9, tm%1e9)
+}
+
+func getLastUsed(si *metadata.StorageItem) (int, *time.Time) {
+	v := si.Get(keyUsageCount)
+	if v == nil {
+		return 0, nil
+	}
+	var usageCount int
+	if err := v.Unmarshal(&usageCount); err != nil {
+		return 0, nil
+	}
+	v = si.Get(keyLastUsedAt)
+	if v == nil {
+		return usageCount, nil
+	}
+	var lastUsedTs int64
+	if err := v.Unmarshal(&lastUsedTs); err != nil || lastUsedTs == 0 {
+		return usageCount, nil
+	}
+	tm := time.Unix(lastUsedTs/1e9, lastUsedTs%1e9)
+	return usageCount, &tm
+}
+
+func updateLastUsed(si *metadata.StorageItem) error {
+	count, _ := getLastUsed(si)
+	count++
+
+	v, err := metadata.NewValue(count)
+	if err != nil {
+		return errors.Wrap(err, "failed to create usageCount value")
+	}
+	v2, err := metadata.NewValue(time.Now().UnixNano())
+	if err != nil {
+		return errors.Wrap(err, "failed to create lastUsedAt value")
+	}
+	return si.Update(func(b *bolt.Bucket) error {
+		if err := si.SetValue(b, keyUsageCount, v); err != nil {
+			return err
+		}
+		return si.SetValue(b, keyLastUsedAt, v2)
+	})
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/metadata/metadata.go b/engine/vendor/github.com/moby/buildkit/cache/metadata/metadata.go
new file mode 100644
index 00000000..461ff6cf
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/metadata/metadata.go
@@ -0,0 +1,382 @@
+package metadata
+
+import (
+	"bytes"
+	"encoding/json"
+	"strings"
+	"sync"
+
+	"github.com/boltdb/bolt"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	mainBucket     = "_main"
+	indexBucket    = "_index"
+	externalBucket = "_external"
+)
+
+var errNotFound = errors.Errorf("not found")
+
+type Store struct {
+	db *bolt.DB
+}
+
+func NewStore(dbPath string) (*Store, error) {
+	db, err := bolt.Open(dbPath, 0600, nil)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to open database file %s", dbPath)
+	}
+	return &Store{db: db}, nil
+}
+
+func (s *Store) DB() *bolt.DB {
+	return s.db
+}
+
+func (s *Store) All() ([]*StorageItem, error) {
+	var out []*StorageItem
+	err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(mainBucket))
+		if b == nil {
+			return nil
+		}
+		return b.ForEach(func(key, _ []byte) error {
+			b := b.Bucket(key)
+			if b == nil {
+				return nil
+			}
+			si, err := newStorageItem(string(key), b, s)
+			if err != nil {
+				return err
+			}
+			out = append(out, si)
+			return nil
+		})
+	})
+	return out, err
+}
+
+func (s *Store) Probe(index string) (bool, error) {
+	var exists bool
+	err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(indexBucket))
+		if b == nil {
+			return nil
+		}
+		main := tx.Bucket([]byte(mainBucket))
+		if main == nil {
+			return nil
+		}
+		search := []byte(indexKey(index, ""))
+		c := b.Cursor()
+		k, _ := c.Seek(search)
+		if k != nil && bytes.HasPrefix(k, search) {
+			exists = true
+		}
+		return nil
+	})
+	return exists, err
+}
+
+func (s *Store) Search(index string) ([]*StorageItem, error) {
+	var out []*StorageItem
+	err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(indexBucket))
+		if b == nil {
+			return nil
+		}
+		main := tx.Bucket([]byte(mainBucket))
+		if main == nil {
+			return nil
+		}
+		index = indexKey(index, "")
+		c := b.Cursor()
+		k, _ := c.Seek([]byte(index))
+		for {
+			if k != nil && strings.HasPrefix(string(k), index) {
+				itemID := strings.TrimPrefix(string(k), index)
+				k, _ = c.Next()
+				b := main.Bucket([]byte(itemID))
+				if b == nil {
+					logrus.Errorf("index pointing to missing record %s", itemID)
+					continue
+				}
+				si, err := newStorageItem(itemID, b, s)
+				if err != nil {
+					return err
+				}
+				out = append(out, si)
+			} else {
+				break
+			}
+		}
+		return nil
+	})
+	return out, err
+}
+
+func (s *Store) View(id string, fn func(b *bolt.Bucket) error) error {
+	return s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(mainBucket))
+		if b == nil {
+			return errors.WithStack(errNotFound)
+		}
+		b = b.Bucket([]byte(id))
+		if b == nil {
+			return errors.WithStack(errNotFound)
+		}
+		return fn(b)
+	})
+}
+
+func (s *Store) Clear(id string) error {
+	return s.db.Update(func(tx *bolt.Tx) error {
+		external := tx.Bucket([]byte(externalBucket))
+		if external != nil {
+			external.DeleteBucket([]byte(id))
+		}
+		main := tx.Bucket([]byte(mainBucket))
+		if main == nil {
+			return nil
+		}
+		b := main.Bucket([]byte(id))
+		if b == nil {
+			return nil
+		}
+		si, err := newStorageItem(id, b, s)
+		if err != nil {
+			return err
+		}
+		if indexes := si.Indexes(); len(indexes) > 0 {
+			b := tx.Bucket([]byte(indexBucket))
+			if b != nil {
+				for _, index := range indexes {
+					if err := b.Delete([]byte(indexKey(index, id))); err != nil {
+						return err
+					}
+				}
+			}
+		}
+		return main.DeleteBucket([]byte(id))
+	})
+}
+
+func (s *Store) Update(id string, fn func(b *bolt.Bucket) error) error {
+	return s.db.Update(func(tx *bolt.Tx) error {
+		b, err := tx.CreateBucketIfNotExists([]byte(mainBucket))
+		if err != nil {
+			return err
+		}
+		b, err = b.CreateBucketIfNotExists([]byte(id))
+		if err != nil {
+			return err
+		}
+		return fn(b)
+	})
+}
+
+func (s *Store) Get(id string) (*StorageItem, bool) {
+	empty := func() *StorageItem {
+		si, _ := newStorageItem(id, nil, s)
+		return si
+	}
+	tx, err := s.db.Begin(false)
+	if err != nil {
+		return empty(), false
+	}
+	defer tx.Rollback()
+	b := tx.Bucket([]byte(mainBucket))
+	if b == nil {
+		return empty(), false
+	}
+	b = b.Bucket([]byte(id))
+	if b == nil {
+		return empty(), false
+	}
+	si, _ := newStorageItem(id, b, s)
+	return si, true
+}
+
+func (s *Store) Close() error {
+	return s.db.Close()
+}
+
+type StorageItem struct {
+	id      string
+	values  map[string]*Value
+	queue   []func(*bolt.Bucket) error
+	storage *Store
+	mu      sync.RWMutex
+}
+
+func newStorageItem(id string, b *bolt.Bucket, s *Store) (*StorageItem, error) {
+	si := &StorageItem{
+		id:      id,
+		storage: s,
+		values:  make(map[string]*Value),
+	}
+	if b != nil {
+		if err := b.ForEach(func(k, v []byte) error {
+			var sv Value
+			if len(v) > 0 {
+				if err := json.Unmarshal(v, &sv); err != nil {
+					return err
+				}
+				si.values[string(k)] = &sv
+			}
+			return nil
+		}); err != nil {
+			return si, err
+		}
+	}
+	return si, nil
+}
+
+func (s *StorageItem) Storage() *Store { // TODO: used in local source. how to remove this?
+	return s.storage
+}
+
+func (s *StorageItem) ID() string {
+	return s.id
+}
+
+func (s *StorageItem) View(fn func(b *bolt.Bucket) error) error {
+	return s.storage.View(s.id, fn)
+}
+
+func (s *StorageItem) Update(fn func(b *bolt.Bucket) error) error {
+	return s.storage.Update(s.id, fn)
+}
+
+func (s *StorageItem) Keys() []string {
+	keys := make([]string, 0, len(s.values))
+	for k := range s.values {
+		keys = append(keys, k)
+	}
+	return keys
+}
+
+func (s *StorageItem) Get(k string) *Value {
+	s.mu.RLock()
+	v := s.values[k]
+	s.mu.RUnlock()
+	return v
+}
+
+func (s *StorageItem) GetExternal(k string) ([]byte, error) {
+	var dt []byte
+	err := s.storage.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(externalBucket))
+		if b == nil {
+			return errors.WithStack(errNotFound)
+		}
+		b = b.Bucket([]byte(s.id))
+		if b == nil {
+			return errors.WithStack(errNotFound)
+		}
+		dt = b.Get([]byte(k))
+		if dt == nil {
+			return errors.WithStack(errNotFound)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return dt, nil
+}
+
+func (s *StorageItem) SetExternal(k string, dt []byte) error {
+	return s.storage.db.Update(func(tx *bolt.Tx) error {
+		b, err := tx.CreateBucketIfNotExists([]byte(externalBucket))
+		if err != nil {
+			return err
+		}
+		b, err = b.CreateBucketIfNotExists([]byte(s.id))
+		if err != nil {
+			return err
+		}
+		return b.Put([]byte(k), dt)
+	})
+}
+
+func (s *StorageItem) Queue(fn func(b *bolt.Bucket) error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.queue = append(s.queue, fn)
+}
+
+func (s *StorageItem) Commit() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.Update(func(b *bolt.Bucket) error {
+		for _, fn := range s.queue {
+			if err := fn(b); err != nil {
+				return err
+			}
+		}
+		s.queue = s.queue[:0]
+		return nil
+	})
+}
+
+func (s *StorageItem) Indexes() (out []string) {
+	for _, v := range s.values {
+		if v.Index != "" {
+			out = append(out, v.Index)
+		}
+	}
+	return
+}
+
+func (s *StorageItem) SetValue(b *bolt.Bucket, key string, v *Value) error {
+	if v == nil {
+		if err := b.Put([]byte(key), nil); err != nil {
+			return err
+		}
+		delete(s.values, key)
+		return nil
+	}
+	dt, err := json.Marshal(v)
+	if err != nil {
+		return err
+	}
+	if err := b.Put([]byte(key), dt); err != nil {
+		return err
+	}
+	if v.Index != "" {
+		b, err := b.Tx().CreateBucketIfNotExists([]byte(indexBucket))
+		if err != nil {
+			return err
+		}
+		if err := b.Put([]byte(indexKey(v.Index, s.ID())), []byte{}); err != nil {
+			return err
+		}
+	}
+	s.values[key] = v
+	return nil
+}
+
+type Value struct {
+	Value json.RawMessage `json:"value,omitempty"`
+	Index string          `json:"index,omitempty"`
+}
+
+func NewValue(v interface{}) (*Value, error) {
+	dt, err := json.Marshal(v)
+	if err != nil {
+		return nil, err
+	}
+	return &Value{Value: json.RawMessage(dt)}, nil
+}
+
+func (v *Value) Unmarshal(target interface{}) error {
+	err := json.Unmarshal(v.Value, target)
+	return err
+}
+
+func indexKey(index, target string) string {
+	return index + "::" + target
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/refs.go b/engine/vendor/github.com/moby/buildkit/cache/refs.go
new file mode 100644
index 00000000..af92b809
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/refs.go
@@ -0,0 +1,387 @@
+package cache
+
+import (
+	"context"
+	"sync"
+
+	"github.com/containerd/containerd/mount"
+	"github.com/moby/buildkit/cache/metadata"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/util/flightcontrol"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Ref is a reference to cacheable objects.
+type Ref interface {
+	Mountable
+	ID() string
+	Release(context.Context) error
+	Size(ctx context.Context) (int64, error)
+	Metadata() *metadata.StorageItem
+}
+
+type ImmutableRef interface {
+	Ref
+	Parent() ImmutableRef
+	Finalize(ctx context.Context, commit bool) error // Make sure reference is flushed to driver
+	Clone() ImmutableRef
+}
+
+type MutableRef interface {
+	Ref
+	Commit(context.Context) (ImmutableRef, error)
+}
+
+type Mountable interface {
+	Mount(ctx context.Context, readonly bool) (snapshot.Mountable, error)
+}
+
+type cacheRecord struct {
+	cm *cacheManager
+	mu *sync.Mutex // the mutex is shared by records sharing data
+
+	mutable bool
+	refs    map[Mountable]struct{}
+	parent  ImmutableRef
+	md      *metadata.StorageItem
+
+	// dead means record is marked as deleted
+	dead bool
+
+	view      string
+	viewMount snapshot.Mountable
+
+	sizeG flightcontrol.Group
+
+	// these are filled if multiple refs point to same data
+	equalMutable   *mutableRef
+	equalImmutable *immutableRef
+}
+
+// hold ref lock before calling
+func (cr *cacheRecord) ref() *immutableRef {
+	ref := &immutableRef{cacheRecord: cr}
+	cr.refs[ref] = struct{}{}
+	return ref
+}
+
+// hold ref lock before calling
+func (cr *cacheRecord) mref() *mutableRef {
+	ref := &mutableRef{cacheRecord: cr}
+	cr.refs[ref] = struct{}{}
+	return ref
+}
+
+// hold ref lock before calling
+func (cr *cacheRecord) isDead() bool {
+	return cr.dead || (cr.equalImmutable != nil && cr.equalImmutable.dead) || (cr.equalMutable != nil && cr.equalMutable.dead)
+}
+
+func (cr *cacheRecord) Size(ctx context.Context) (int64, error) {
+	// this expects that usage() is implemented lazily
+	s, err := cr.sizeG.Do(ctx, cr.ID(), func(ctx context.Context) (interface{}, error) {
+		cr.mu.Lock()
+		s := getSize(cr.md)
+		if s != sizeUnknown {
+			cr.mu.Unlock()
+			return s, nil
+		}
+		driverID := cr.ID()
+		if cr.equalMutable != nil {
+			driverID = cr.equalMutable.ID()
+		}
+		cr.mu.Unlock()
+		usage, err := cr.cm.ManagerOpt.Snapshotter.Usage(ctx, driverID)
+		if err != nil {
+			cr.mu.Lock()
+			isDead := cr.isDead()
+			cr.mu.Unlock()
+			if isDead {
+				return int64(0), nil
+			}
+			return s, errors.Wrapf(err, "failed to get usage for %s", cr.ID())
+		}
+		cr.mu.Lock()
+		setSize(cr.md, usage.Size)
+		if err := cr.md.Commit(); err != nil {
+			cr.mu.Unlock()
+			return s, err
+		}
+		cr.mu.Unlock()
+		return usage.Size, nil
+	})
+	return s.(int64), err
+}
+
+func (cr *cacheRecord) Parent() ImmutableRef {
+	if cr.parent == nil {
+		return nil
+	}
+	p := cr.parent.(*immutableRef)
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	return p.ref()
+}
+
+func (cr *cacheRecord) Mount(ctx context.Context, readonly bool) (snapshot.Mountable, error) {
+	cr.mu.Lock()
+	defer cr.mu.Unlock()
+
+	if cr.mutable {
+		m, err := cr.cm.Snapshotter.Mounts(ctx, cr.ID())
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to mount %s", cr.ID())
+		}
+		if readonly {
+			m = setReadonly(m)
+		}
+		return m, nil
+	}
+
+	if cr.equalMutable != nil && readonly {
+		m, err := cr.cm.Snapshotter.Mounts(ctx, cr.equalMutable.ID())
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to mount %s", cr.equalMutable.ID())
+		}
+		return setReadonly(m), nil
+	}
+
+	if err := cr.finalize(ctx, true); err != nil {
+		return nil, err
+	}
+	if cr.viewMount == nil { // TODO: handle this better
+		cr.view = identity.NewID()
+		m, err := cr.cm.Snapshotter.View(ctx, cr.view, cr.ID())
+		if err != nil {
+			cr.view = ""
+			return nil, errors.Wrapf(err, "failed to mount %s", cr.ID())
+		}
+		cr.viewMount = m
+	}
+	return cr.viewMount, nil
+}
+
+// call when holding the manager lock
+func (cr *cacheRecord) remove(ctx context.Context, removeSnapshot bool) error {
+	delete(cr.cm.records, cr.ID())
+	if cr.parent != nil {
+		if err := cr.parent.(*immutableRef).release(ctx); err != nil {
+			return err
+		}
+	}
+	if removeSnapshot {
+		if err := cr.cm.Snapshotter.Remove(ctx, cr.ID()); err != nil {
+			return err
+		}
+	}
+	if err := cr.cm.md.Clear(cr.ID()); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (cr *cacheRecord) ID() string {
+	return cr.md.ID()
+}
+
+type immutableRef struct {
+	*cacheRecord
+}
+
+type mutableRef struct {
+	*cacheRecord
+}
+
+func (sr *immutableRef) Clone() ImmutableRef {
+	sr.mu.Lock()
+	ref := sr.ref()
+	sr.mu.Unlock()
+	return ref
+}
+
+func (sr *immutableRef) Release(ctx context.Context) error {
+	sr.cm.mu.Lock()
+	defer sr.cm.mu.Unlock()
+
+	sr.mu.Lock()
+	defer sr.mu.Unlock()
+
+	return sr.release(ctx)
+}
+
+func (sr *immutableRef) release(ctx context.Context) error {
+	delete(sr.refs, sr)
+
+	if len(sr.refs) == 0 {
+		updateLastUsed(sr.md)
+		if sr.viewMount != nil { // TODO: release viewMount earlier if possible
+			if err := sr.cm.Snapshotter.Remove(ctx, sr.view); err != nil {
+				return err
+			}
+			sr.view = ""
+			sr.viewMount = nil
+		}
+
+		if sr.equalMutable != nil {
+			sr.equalMutable.release(ctx)
+		}
+		// go sr.cm.GC()
+	}
+
+	return nil
+}
+
+func (sr *immutableRef) Finalize(ctx context.Context, b bool) error {
+	sr.mu.Lock()
+	defer sr.mu.Unlock()
+
+	return sr.finalize(ctx, b)
+}
+
+func (cr *cacheRecord) Metadata() *metadata.StorageItem {
+	return cr.md
+}
+
+func (cr *cacheRecord) finalize(ctx context.Context, commit bool) error {
+	mutable := cr.equalMutable
+	if mutable == nil {
+		return nil
+	}
+	if !commit {
+		if HasCachePolicyRetain(mutable) {
+			CachePolicyRetain(mutable)
+			return mutable.Metadata().Commit()
+		}
+		return nil
+	}
+	err := cr.cm.Snapshotter.Commit(ctx, cr.ID(), mutable.ID())
+	if err != nil {
+		return errors.Wrapf(err, "failed to commit %s", mutable.ID())
+	}
+	mutable.dead = true
+	go func() {
+		cr.cm.mu.Lock()
+		defer cr.cm.mu.Unlock()
+		if err := mutable.remove(context.TODO(), false); err != nil {
+			logrus.Error(err)
+		}
+	}()
+	cr.equalMutable = nil
+	clearEqualMutable(cr.md)
+	return cr.md.Commit()
+}
+
+func (sr *mutableRef) commit(ctx context.Context) (ImmutableRef, error) {
+	if !sr.mutable || len(sr.refs) == 0 {
+		return nil, errors.Wrapf(errInvalid, "invalid mutable ref")
+	}
+
+	id := identity.NewID()
+	md, _ := sr.cm.md.Get(id)
+
+	rec := &cacheRecord{
+		mu:           sr.mu,
+		cm:           sr.cm,
+		parent:       sr.Parent(),
+		equalMutable: sr,
+		refs:         make(map[Mountable]struct{}),
+		md:           md,
+	}
+
+	if descr := GetDescription(sr.md); descr != "" {
+		if err := queueDescription(md, descr); err != nil {
+			return nil, err
+		}
+	}
+
+	if err := initializeMetadata(rec); err != nil {
+		return nil, err
+	}
+
+	sr.cm.records[id] = rec
+
+	if err := sr.md.Commit(); err != nil {
+		return nil, err
+	}
+
+	setSize(md, sizeUnknown)
+	setEqualMutable(md, sr.ID())
+	if err := md.Commit(); err != nil {
+		return nil, err
+	}
+
+	ref := rec.ref()
+	sr.equalImmutable = ref
+	return ref, nil
+}
+
+func (sr *mutableRef) Commit(ctx context.Context) (ImmutableRef, error) {
+	sr.cm.mu.Lock()
+	defer sr.cm.mu.Unlock()
+
+	sr.mu.Lock()
+	defer sr.mu.Unlock()
+
+	return sr.commit(ctx)
+}
+
+func (sr *mutableRef) Release(ctx context.Context) error {
+	sr.cm.mu.Lock()
+	defer sr.cm.mu.Unlock()
+
+	sr.mu.Lock()
+	defer sr.mu.Unlock()
+
+	return sr.release(ctx)
+}
+
+func (sr *mutableRef) release(ctx context.Context) error {
+	delete(sr.refs, sr)
+	if getCachePolicy(sr.md) != cachePolicyRetain {
+		if sr.equalImmutable != nil {
+			if getCachePolicy(sr.equalImmutable.md) == cachePolicyRetain {
+				return nil
+			}
+			if err := sr.equalImmutable.remove(ctx, false); err != nil {
+				return err
+			}
+		}
+		if sr.parent != nil {
+			if err := sr.parent.(*immutableRef).release(ctx); err != nil {
+				return err
+			}
+		}
+		return sr.remove(ctx, true)
+	} else {
+		updateLastUsed(sr.md)
+	}
+	return nil
+}
+
+func setReadonly(mounts snapshot.Mountable) snapshot.Mountable {
+	return &readOnlyMounter{mounts}
+}
+
+type readOnlyMounter struct {
+	snapshot.Mountable
+}
+
+func (m *readOnlyMounter) Mount() ([]mount.Mount, error) {
+	mounts, err := m.Mountable.Mount()
+	if err != nil {
+		return nil, err
+	}
+	for i, m := range mounts {
+		opts := make([]string, 0, len(m.Options))
+		for _, opt := range m.Options {
+			if opt != "rw" {
+				opts = append(opts, opt)
+			}
+		}
+		opts = append(opts, "ro")
+		mounts[i].Options = opts
+	}
+	return mounts, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/remotecache/export.go b/engine/vendor/github.com/moby/buildkit/cache/remotecache/export.go
new file mode 100644
index 00000000..e40b8de2
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/remotecache/export.go
@@ -0,0 +1,128 @@
+package remotecache
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/images"
+	v1 "github.com/moby/buildkit/cache/remotecache/v1"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/util/contentutil"
+	"github.com/moby/buildkit/util/progress"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+type ResolveCacheExporterFunc func(ctx context.Context, typ, target string) (Exporter, error)
+
+func oneOffProgress(ctx context.Context, id string) func(err error) error {
+	pw, _, _ := progress.FromContext(ctx)
+	now := time.Now()
+	st := progress.Status{
+		Started: &now,
+	}
+	pw.Write(id, st)
+	return func(err error) error {
+		now := time.Now()
+		st.Completed = &now
+		pw.Write(id, st)
+		pw.Close()
+		return err
+	}
+}
+
+type Exporter interface {
+	solver.CacheExporterTarget
+	Finalize(ctx context.Context) error
+}
+
+type contentCacheExporter struct {
+	solver.CacheExporterTarget
+	chains   *v1.CacheChains
+	ingester content.Ingester
+}
+
+func NewExporter(ingester content.Ingester) Exporter {
+	cc := v1.NewCacheChains()
+	return &contentCacheExporter{CacheExporterTarget: cc, chains: cc, ingester: ingester}
+}
+
+func (ce *contentCacheExporter) Finalize(ctx context.Context) error {
+	return export(ctx, ce.ingester, ce.chains)
+}
+
+func export(ctx context.Context, ingester content.Ingester, cc *v1.CacheChains) error {
+	config, descs, err := cc.Marshal()
+	if err != nil {
+		return err
+	}
+
+	// own type because oci type can't be pushed and docker type doesn't have annotations
+	type manifestList struct {
+		specs.Versioned
+
+		MediaType string `json:"mediaType,omitempty"`
+
+		// Manifests references platform specific manifests.
+		Manifests []ocispec.Descriptor `json:"manifests"`
+	}
+
+	var mfst manifestList
+	mfst.SchemaVersion = 2
+	mfst.MediaType = images.MediaTypeDockerSchema2ManifestList
+
+	for _, l := range config.Layers {
+		dgstPair, ok := descs[l.Blob]
+		if !ok {
+			return errors.Errorf("missing blob %s", l.Blob)
+		}
+		layerDone := oneOffProgress(ctx, fmt.Sprintf("writing layer %s", l.Blob))
+		if err := contentutil.Copy(ctx, ingester, dgstPair.Provider, dgstPair.Descriptor); err != nil {
+			return layerDone(errors.Wrap(err, "error writing layer blob"))
+		}
+		layerDone(nil)
+		mfst.Manifests = append(mfst.Manifests, dgstPair.Descriptor)
+	}
+
+	dt, err := json.Marshal(config)
+	if err != nil {
+		return err
+	}
+	dgst := digest.FromBytes(dt)
+	desc := ocispec.Descriptor{
+		Digest:    dgst,
+		Size:      int64(len(dt)),
+		MediaType: v1.CacheConfigMediaTypeV0,
+	}
+	configDone := oneOffProgress(ctx, fmt.Sprintf("writing config %s", dgst))
+	if err := content.WriteBlob(ctx, ingester, dgst.String(), bytes.NewReader(dt), desc); err != nil {
+		return configDone(errors.Wrap(err, "error writing config blob"))
+	}
+	configDone(nil)
+
+	mfst.Manifests = append(mfst.Manifests, desc)
+
+	dt, err = json.Marshal(mfst)
+	if err != nil {
+		return errors.Wrap(err, "failed to marshal manifest")
+	}
+	dgst = digest.FromBytes(dt)
+
+	desc = ocispec.Descriptor{
+		Digest:    dgst,
+		Size:      int64(len(dt)),
+		MediaType: mfst.MediaType,
+	}
+	mfstDone := oneOffProgress(ctx, fmt.Sprintf("writing manifest %s", dgst))
+	if err := content.WriteBlob(ctx, ingester, dgst.String(), bytes.NewReader(dt), desc); err != nil {
+		return mfstDone(errors.Wrap(err, "error writing manifest blob"))
+	}
+	mfstDone(nil)
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/remotecache/import.go b/engine/vendor/github.com/moby/buildkit/cache/remotecache/import.go
new file mode 100644
index 00000000..a76762e6
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/remotecache/import.go
@@ -0,0 +1,98 @@
+package remotecache
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+
+	"github.com/containerd/containerd/content"
+	v1 "github.com/moby/buildkit/cache/remotecache/v1"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/worker"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// ResolveCacheImporterFunc returns importer and descriptor.
+// Currently typ needs to be an empty string.
+type ResolveCacheImporterFunc func(ctx context.Context, typ, ref string) (Importer, ocispec.Descriptor, error)
+
+type Importer interface {
+	Resolve(ctx context.Context, desc ocispec.Descriptor, id string, w worker.Worker) (solver.CacheManager, error)
+}
+
+func NewImporter(provider content.Provider) Importer {
+	return &contentCacheImporter{provider: provider}
+}
+
+type contentCacheImporter struct {
+	provider content.Provider
+}
+
+func (ci *contentCacheImporter) Resolve(ctx context.Context, desc ocispec.Descriptor, id string, w worker.Worker) (solver.CacheManager, error) {
+	dt, err := readBlob(ctx, ci.provider, desc)
+	if err != nil {
+		return nil, err
+	}
+
+	var mfst ocispec.Index
+	if err := json.Unmarshal(dt, &mfst); err != nil {
+		return nil, err
+	}
+
+	allLayers := v1.DescriptorProvider{}
+
+	var configDesc ocispec.Descriptor
+
+	for _, m := range mfst.Manifests {
+		if m.MediaType == v1.CacheConfigMediaTypeV0 {
+			configDesc = m
+			continue
+		}
+		allLayers[m.Digest] = v1.DescriptorProviderPair{
+			Descriptor: m,
+			Provider:   ci.provider,
+		}
+	}
+
+	if configDesc.Digest == "" {
+		return nil, errors.Errorf("invalid build cache from %+v", desc)
+	}
+
+	dt, err = readBlob(ctx, ci.provider, configDesc)
+	if err != nil {
+		return nil, err
+	}
+
+	cc := v1.NewCacheChains()
+	if err := v1.Parse(dt, allLayers, cc); err != nil {
+		return nil, err
+	}
+
+	keysStorage, resultStorage, err := v1.NewCacheKeyStorage(cc, w)
+	if err != nil {
+		return nil, err
+	}
+	return solver.NewCacheManager(id, keysStorage, resultStorage), nil
+}
+
+func readBlob(ctx context.Context, provider content.Provider, desc ocispec.Descriptor) ([]byte, error) {
+	maxBlobSize := int64(1 << 20)
+	if desc.Size > maxBlobSize {
+		return nil, errors.Errorf("blob %s is too large (%d > %d)", desc.Digest, desc.Size, maxBlobSize)
+	}
+	dt, err := content.ReadBlob(ctx, provider, desc)
+	if err != nil {
+		// NOTE: even if err == EOF, we might have got expected dt here.
+		// For instance, http.Response.Body is known to return non-zero bytes with EOF.
+		if err == io.EOF {
+			if dtDigest := desc.Digest.Algorithm().FromBytes(dt); dtDigest != desc.Digest {
+				err = errors.Wrapf(err, "got EOF, expected %s (%d bytes), got %s (%d bytes)",
+					desc.Digest, desc.Size, dtDigest, len(dt))
+			} else {
+				err = nil
+			}
+		}
+	}
+	return dt, err
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/remotecache/registry/registry.go b/engine/vendor/github.com/moby/buildkit/cache/remotecache/registry/registry.go
new file mode 100644
index 00000000..fa9dc1a7
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/remotecache/registry/registry.go
@@ -0,0 +1,73 @@
+package registry
+
+import (
+	"context"
+	"time"
+
+	"github.com/containerd/containerd/remotes"
+	"github.com/containerd/containerd/remotes/docker"
+	"github.com/moby/buildkit/cache/remotecache"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/auth"
+	"github.com/moby/buildkit/util/contentutil"
+	"github.com/moby/buildkit/util/tracing"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+func ResolveCacheExporterFunc(sm *session.Manager) remotecache.ResolveCacheExporterFunc {
+	return func(ctx context.Context, typ, ref string) (remotecache.Exporter, error) {
+		if typ != "" {
+			return nil, errors.Errorf("unsupported cache exporter type: %s", typ)
+		}
+		remote := newRemoteResolver(ctx, sm)
+		pusher, err := remote.Pusher(ctx, ref)
+		if err != nil {
+			return nil, err
+		}
+		return remotecache.NewExporter(contentutil.FromPusher(pusher)), nil
+	}
+}
+
+func ResolveCacheImporterFunc(sm *session.Manager) remotecache.ResolveCacheImporterFunc {
+	return func(ctx context.Context, typ, ref string) (remotecache.Importer, specs.Descriptor, error) {
+		if typ != "" {
+			return nil, specs.Descriptor{}, errors.Errorf("unsupported cache importer type: %s", typ)
+		}
+		remote := newRemoteResolver(ctx, sm)
+		xref, desc, err := remote.Resolve(ctx, ref)
+		if err != nil {
+			return nil, specs.Descriptor{}, err
+		}
+		fetcher, err := remote.Fetcher(ctx, xref)
+		if err != nil {
+			return nil, specs.Descriptor{}, err
+		}
+		return remotecache.NewImporter(contentutil.FromFetcher(fetcher)), desc, nil
+	}
+}
+
+func newRemoteResolver(ctx context.Context, sm *session.Manager) remotes.Resolver {
+	return docker.NewResolver(docker.ResolverOptions{
+		Client:      tracing.DefaultClient,
+		Credentials: getCredentialsFunc(ctx, sm),
+	})
+}
+
+func getCredentialsFunc(ctx context.Context, sm *session.Manager) func(string) (string, string, error) {
+	id := session.FromContext(ctx)
+	if id == "" {
+		return nil
+	}
+	return func(host string) (string, string, error) {
+		timeoutCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+
+		caller, err := sm.Get(timeoutCtx, id)
+		if err != nil {
+			return "", "", err
+		}
+
+		return auth.CredentialsFunc(context.TODO(), caller)(host)
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/cachestorage.go b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/cachestorage.go
new file mode 100644
index 00000000..27b19587
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/cachestorage.go
@@ -0,0 +1,247 @@
+package cacheimport
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/worker"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+func NewCacheKeyStorage(cc *CacheChains, w worker.Worker) (solver.CacheKeyStorage, solver.CacheResultStorage, error) {
+	storage := &cacheKeyStorage{
+		byID:     map[string]*itemWithOutgoingLinks{},
+		byItem:   map[*item]string{},
+		byResult: map[string]map[string]struct{}{},
+	}
+
+	for _, it := range cc.items {
+		if _, err := addItemToStorage(storage, it); err != nil {
+			return nil, nil, err
+		}
+	}
+
+	results := &cacheResultStorage{
+		w:        w,
+		byID:     storage.byID,
+		byResult: storage.byResult,
+	}
+
+	return storage, results, nil
+}
+
+func addItemToStorage(k *cacheKeyStorage, it *item) (*itemWithOutgoingLinks, error) {
+	if id, ok := k.byItem[it]; ok {
+		if id == "" {
+			return nil, errors.Errorf("invalid loop")
+		}
+		return k.byID[id], nil
+	}
+
+	var id string
+	if len(it.links) == 0 {
+		id = it.dgst.String()
+	} else {
+		id = identity.NewID()
+	}
+
+	k.byItem[it] = ""
+
+	for i, m := range it.links {
+		for l := range m {
+			src, err := addItemToStorage(k, l.src)
+			if err != nil {
+				return nil, err
+			}
+			cl := nlink{
+				input:    i,
+				dgst:     it.dgst,
+				selector: l.selector,
+			}
+			src.links[cl] = append(src.links[cl], id)
+		}
+	}
+
+	k.byItem[it] = id
+
+	itl := &itemWithOutgoingLinks{
+		item:  it,
+		links: map[nlink][]string{},
+	}
+
+	k.byID[id] = itl
+
+	if res := it.result; res != nil {
+		resultID := remoteID(res)
+		ids, ok := k.byResult[resultID]
+		if !ok {
+			ids = map[string]struct{}{}
+			k.byResult[resultID] = ids
+		}
+		ids[id] = struct{}{}
+	}
+	return itl, nil
+}
+
+type cacheKeyStorage struct {
+	byID     map[string]*itemWithOutgoingLinks
+	byItem   map[*item]string
+	byResult map[string]map[string]struct{}
+}
+
+type itemWithOutgoingLinks struct {
+	*item
+	links map[nlink][]string
+}
+
+func (cs *cacheKeyStorage) Exists(id string) bool {
+	_, ok := cs.byID[id]
+	return ok
+}
+
+func (cs *cacheKeyStorage) Walk(func(id string) error) error {
+	return nil
+}
+
+func (cs *cacheKeyStorage) WalkResults(id string, fn func(solver.CacheResult) error) error {
+	it, ok := cs.byID[id]
+	if !ok {
+		return nil
+	}
+	if res := it.result; res != nil {
+		return fn(solver.CacheResult{ID: remoteID(res), CreatedAt: it.resultTime})
+	}
+	return nil
+}
+
+func (cs *cacheKeyStorage) Load(id string, resultID string) (solver.CacheResult, error) {
+	it, ok := cs.byID[id]
+	if !ok {
+		return solver.CacheResult{}, nil
+	}
+	if res := it.result; res != nil {
+		return solver.CacheResult{ID: remoteID(res), CreatedAt: it.resultTime}, nil
+	}
+	return solver.CacheResult{}, nil
+}
+
+func (cs *cacheKeyStorage) AddResult(id string, res solver.CacheResult) error {
+	return nil
+}
+
+func (cs *cacheKeyStorage) Release(resultID string) error {
+	return nil
+}
+func (cs *cacheKeyStorage) AddLink(id string, link solver.CacheInfoLink, target string) error {
+	return nil
+}
+func (cs *cacheKeyStorage) WalkLinks(id string, link solver.CacheInfoLink, fn func(id string) error) error {
+	it, ok := cs.byID[id]
+	if !ok {
+		return nil
+	}
+	for _, id := range it.links[nlink{
+		dgst:     outputKey(link.Digest, int(link.Output)),
+		input:    int(link.Input),
+		selector: link.Selector.String(),
+	}] {
+		if err := fn(id); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// TODO:
+func (cs *cacheKeyStorage) WalkBacklinks(id string, fn func(id string, link solver.CacheInfoLink) error) error {
+	return nil
+}
+
+func (cs *cacheKeyStorage) WalkIDsByResult(id string, fn func(id string) error) error {
+	ids := cs.byResult[id]
+	for id := range ids {
+		if err := fn(id); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (cs *cacheKeyStorage) HasLink(id string, link solver.CacheInfoLink, target string) bool {
+	l := nlink{
+		dgst:     outputKey(link.Digest, int(link.Output)),
+		input:    int(link.Input),
+		selector: link.Selector.String(),
+	}
+	if it, ok := cs.byID[id]; ok {
+		for _, id := range it.links[l] {
+			if id == target {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+type cacheResultStorage struct {
+	w        worker.Worker
+	byID     map[string]*itemWithOutgoingLinks
+	byResult map[string]map[string]struct{}
+}
+
+func (cs *cacheResultStorage) Save(res solver.Result) (solver.CacheResult, error) {
+	return solver.CacheResult{}, errors.Errorf("importer is immutable")
+}
+
+func (cs *cacheResultStorage) Load(ctx context.Context, res solver.CacheResult) (solver.Result, error) {
+	remote, err := cs.LoadRemote(ctx, res)
+	if err != nil {
+		return nil, err
+	}
+
+	ref, err := cs.w.FromRemote(ctx, remote)
+	if err != nil {
+		return nil, err
+	}
+	return worker.NewWorkerRefResult(ref, cs.w), nil
+}
+
+func (cs *cacheResultStorage) LoadRemote(ctx context.Context, res solver.CacheResult) (*solver.Remote, error) {
+	if r := cs.byResultID(res.ID); r != nil {
+		return r, nil
+	}
+	return nil, errors.WithStack(solver.ErrNotFound)
+}
+
+func (cs *cacheResultStorage) Exists(id string) bool {
+	return cs.byResultID(id) != nil
+}
+
+func (cs *cacheResultStorage) byResultID(resultID string) *solver.Remote {
+	m, ok := cs.byResult[resultID]
+	if !ok || len(m) == 0 {
+		return nil
+	}
+
+	for id := range m {
+		it, ok := cs.byID[id]
+		if ok {
+			if r := it.result; r != nil {
+				return r
+			}
+		}
+	}
+
+	return nil
+}
+
+// unique ID per remote. this ID is not stable.
+func remoteID(r *solver.Remote) string {
+	dgstr := digest.Canonical.Digester()
+	for _, desc := range r.Descriptors {
+		dgstr.Hash().Write([]byte(desc.Digest))
+	}
+	return dgstr.Digest().String()
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/chains.go b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/chains.go
new file mode 100644
index 00000000..52806b9c
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/chains.go
@@ -0,0 +1,127 @@
+package cacheimport
+
+import (
+	"time"
+
+	"github.com/containerd/containerd/content"
+	"github.com/moby/buildkit/solver"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+func NewCacheChains() *CacheChains {
+	return &CacheChains{visited: map[interface{}]struct{}{}}
+}
+
+type CacheChains struct {
+	items   []*item
+	visited map[interface{}]struct{}
+}
+
+func (c *CacheChains) Add(dgst digest.Digest) solver.CacheExporterRecord {
+	it := &item{c: c, dgst: dgst}
+	c.items = append(c.items, it)
+	return it
+}
+
+func (c *CacheChains) Visit(v interface{}) {
+	c.visited[v] = struct{}{}
+}
+
+func (c *CacheChains) Visited(v interface{}) bool {
+	_, ok := c.visited[v]
+	return ok
+}
+
+func (c *CacheChains) normalize() error {
+	st := &normalizeState{
+		added: map[*item]*item{},
+		links: map[*item]map[nlink]map[digest.Digest]struct{}{},
+		byKey: map[digest.Digest]*item{},
+	}
+
+	for _, it := range c.items {
+		_, err := normalizeItem(it, st)
+		if err != nil {
+			return err
+		}
+	}
+
+	items := make([]*item, 0, len(st.byKey))
+	for _, it := range st.byKey {
+		items = append(items, it)
+	}
+	c.items = items
+	return nil
+}
+
+func (c *CacheChains) Marshal() (*CacheConfig, DescriptorProvider, error) {
+	if err := c.normalize(); err != nil {
+		return nil, nil, err
+	}
+
+	st := &marshalState{
+		chainsByID:    map[string]int{},
+		descriptors:   DescriptorProvider{},
+		recordsByItem: map[*item]int{},
+	}
+
+	for _, it := range c.items {
+		if err := marshalItem(it, st); err != nil {
+			return nil, nil, err
+		}
+	}
+
+	cc := CacheConfig{
+		Layers:  st.layers,
+		Records: st.records,
+	}
+	sortConfig(&cc)
+
+	return &cc, st.descriptors, nil
+}
+
+type DescriptorProvider map[digest.Digest]DescriptorProviderPair
+
+type DescriptorProviderPair struct {
+	Descriptor ocispec.Descriptor
+	Provider   content.Provider
+}
+
+type item struct {
+	c    *CacheChains
+	dgst digest.Digest
+
+	result     *solver.Remote
+	resultTime time.Time
+
+	links []map[link]struct{}
+}
+
+type link struct {
+	src      *item
+	selector string
+}
+
+func (c *item) AddResult(createdAt time.Time, result *solver.Remote) {
+	c.resultTime = createdAt
+	c.result = result
+}
+
+func (c *item) LinkFrom(rec solver.CacheExporterRecord, index int, selector string) {
+	src, ok := rec.(*item)
+	if !ok {
+		return
+	}
+
+	for {
+		if index < len(c.links) {
+			break
+		}
+		c.links = append(c.links, map[link]struct{}{})
+	}
+
+	c.links[index][link{src: src, selector: selector}] = struct{}{}
+}
+
+var _ solver.CacheExporterTarget = &CacheChains{}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/doc.go b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/doc.go
new file mode 100644
index 00000000..4cff8114
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/doc.go
@@ -0,0 +1,50 @@
+package cacheimport
+
+// Distibutable build cache
+//
+// Main manifest is OCI image index
+// https://github.com/opencontainers/image-spec/blob/master/image-index.md .
+// Manifests array contains descriptors to the cache layers and one instance of
+// build cache config with media type application/vnd.buildkit.cacheconfig.v0 .
+// The cache layer descripts need to have an annotation with uncompressed digest
+// to allow deduplication on extraction and optionally "buildkit/createdat"
+// annotation to support maintaining original timestamps.
+//
+// Cache config file layout:
+//
+//{
+//  "layers": [
+//    {
+//      "blob": "sha256:deadbeef",    <- digest of layer blob in index
+//      "parent": -1                  <- index of parent layer, -1 if no parent
+//    },
+//    {
+//      "blob": "sha256:deadbeef",
+//      "parent": 0
+//    }
+//  ],
+//
+//  "records": [
+//    {
+//      "digest": "sha256:deadbeef",   <- base digest for the record
+//    },
+//    {
+//      "digest": "sha256:deadbeef",
+//      "output": 1,                   <- optional output index
+//      "layers": [                    <- optional array or layer chains
+//        {
+//          "createdat": "",
+//          "layer": 1,                <- index to the layer
+//        }
+//      ],
+//      "inputs": [                    <- dependant records
+//        [                            <- index of the dependency (0)
+//          {
+//            "selector": "sel",       <- optional selector
+//            "link": 0,               <- index to the dependant record
+//          }
+//        ]
+//      ]
+//    }
+//  ]
+// }
diff --git a/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/parse.go b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/parse.go
new file mode 100644
index 00000000..8aa6929e
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/parse.go
@@ -0,0 +1,102 @@
+package cacheimport
+
+import (
+	"encoding/json"
+
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/util/contentutil"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+func Parse(configJSON []byte, provider DescriptorProvider, t solver.CacheExporterTarget) error {
+	var config CacheConfig
+	if err := json.Unmarshal(configJSON, &config); err != nil {
+		return err
+	}
+
+	cache := map[int]solver.CacheExporterRecord{}
+
+	for i := range config.Records {
+		if _, err := parseRecord(config, i, provider, t, cache); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func parseRecord(cc CacheConfig, idx int, provider DescriptorProvider, t solver.CacheExporterTarget, cache map[int]solver.CacheExporterRecord) (solver.CacheExporterRecord, error) {
+	if r, ok := cache[idx]; ok {
+		if r == nil {
+			return nil, errors.Errorf("invalid looping record")
+		}
+		return r, nil
+	}
+
+	if idx < 0 || idx >= len(cc.Records) {
+		return nil, errors.Errorf("invalid record ID: %d", idx)
+	}
+	rec := cc.Records[idx]
+
+	r := t.Add(rec.Digest)
+	cache[idx] = nil
+	for i, inputs := range rec.Inputs {
+		for _, inp := range inputs {
+			src, err := parseRecord(cc, inp.LinkIndex, provider, t, cache)
+			if err != nil {
+				return nil, err
+			}
+			r.LinkFrom(src, i, inp.Selector)
+		}
+	}
+
+	for _, res := range rec.Results {
+		visited := map[int]struct{}{}
+		remote, err := getRemoteChain(cc.Layers, res.LayerIndex, provider, visited)
+		if err != nil {
+			return nil, err
+		}
+		r.AddResult(res.CreatedAt, remote)
+	}
+
+	cache[idx] = r
+	return r, nil
+}
+
+func getRemoteChain(layers []CacheLayer, idx int, provider DescriptorProvider, visited map[int]struct{}) (*solver.Remote, error) {
+	if _, ok := visited[idx]; ok {
+		return nil, errors.Errorf("invalid looping layer")
+	}
+	visited[idx] = struct{}{}
+
+	if idx < 0 || idx >= len(layers) {
+		return nil, errors.Errorf("invalid layer index %d", idx)
+	}
+
+	l := layers[idx]
+
+	descPair, ok := provider[l.Blob]
+	if !ok {
+		return nil, errors.Errorf("missing blob for %s", l.Blob)
+	}
+
+	var r *solver.Remote
+	if l.ParentIndex != -1 {
+		var err error
+		r, err = getRemoteChain(layers, l.ParentIndex, provider, visited)
+		if err != nil {
+			return nil, err
+		}
+		r.Descriptors = append(r.Descriptors, descPair.Descriptor)
+		mp := contentutil.NewMultiProvider(r.Provider)
+		mp.Add(descPair.Descriptor.Digest, descPair.Provider)
+		r.Provider = mp
+		return r, nil
+	}
+	return &solver.Remote{
+		Descriptors: []ocispec.Descriptor{descPair.Descriptor},
+		Provider:    descPair.Provider,
+	}, nil
+
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/spec.go b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/spec.go
new file mode 100644
index 00000000..4c6bc0bb
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/spec.go
@@ -0,0 +1,35 @@
+package cacheimport
+
+import (
+	"time"
+
+	digest "github.com/opencontainers/go-digest"
+)
+
+const CacheConfigMediaTypeV0 = "application/vnd.buildkit.cacheconfig.v0"
+
+type CacheConfig struct {
+	Layers  []CacheLayer  `json:"layers,omitempty"`
+	Records []CacheRecord `json:"records,omitempty"`
+}
+
+type CacheLayer struct {
+	Blob        digest.Digest `json:"blob,omitempty"`
+	ParentIndex int           `json:"parent,omitempty"`
+}
+
+type CacheRecord struct {
+	Results []CacheResult  `json:"layers,omitempty"`
+	Digest  digest.Digest  `json:"digest,omitempty"`
+	Inputs  [][]CacheInput `json:"inputs,omitempty"`
+}
+
+type CacheResult struct {
+	LayerIndex int       `json:"layer"`
+	CreatedAt  time.Time `json:"createdAt,omitempty"`
+}
+
+type CacheInput struct {
+	Selector  string `json:"selector,omitempty"`
+	LinkIndex int    `json:"link"`
+}
diff --git a/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/utils.go b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/utils.go
new file mode 100644
index 00000000..665eb330
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/cache/remotecache/v1/utils.go
@@ -0,0 +1,306 @@
+package cacheimport
+
+import (
+	"fmt"
+	"sort"
+
+	"github.com/containerd/containerd/content"
+	"github.com/moby/buildkit/solver"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// sortConfig sorts the config structure to make sure it is deterministic
+func sortConfig(cc *CacheConfig) {
+	type indexedLayer struct {
+		oldIndex int
+		newIndex int
+		l        CacheLayer
+	}
+
+	unsortedLayers := make([]*indexedLayer, len(cc.Layers))
+	sortedLayers := make([]*indexedLayer, len(cc.Layers))
+
+	for i, l := range cc.Layers {
+		il := &indexedLayer{oldIndex: i, l: l}
+		unsortedLayers[i] = il
+		sortedLayers[i] = il
+	}
+	sort.Slice(sortedLayers, func(i, j int) bool {
+		li := sortedLayers[i].l
+		lj := sortedLayers[j].l
+		if li.Blob == lj.Blob {
+			return li.ParentIndex < lj.ParentIndex
+		}
+		return li.Blob < lj.Blob
+	})
+	for i, l := range sortedLayers {
+		l.newIndex = i
+	}
+
+	layers := make([]CacheLayer, len(sortedLayers))
+	for i, l := range sortedLayers {
+		if pID := l.l.ParentIndex; pID != -1 {
+			l.l.ParentIndex = unsortedLayers[pID].newIndex
+		}
+		layers[i] = l.l
+	}
+
+	type indexedRecord struct {
+		oldIndex int
+		newIndex int
+		r        CacheRecord
+	}
+
+	unsortedRecords := make([]*indexedRecord, len(cc.Records))
+	sortedRecords := make([]*indexedRecord, len(cc.Records))
+
+	for i, r := range cc.Records {
+		ir := &indexedRecord{oldIndex: i, r: r}
+		unsortedRecords[i] = ir
+		sortedRecords[i] = ir
+	}
+	sort.Slice(sortedRecords, func(i, j int) bool {
+		ri := sortedRecords[i].r
+		rj := sortedRecords[j].r
+		if ri.Digest != rj.Digest {
+			return ri.Digest < rj.Digest
+		}
+		if len(ri.Inputs) != len(ri.Inputs) {
+			return len(ri.Inputs) < len(ri.Inputs)
+		}
+		for i, inputs := range ri.Inputs {
+			if len(ri.Inputs[i]) != len(rj.Inputs[i]) {
+				return len(ri.Inputs[i]) < len(rj.Inputs[i])
+			}
+			for j := range inputs {
+				if ri.Inputs[i][j].Selector != rj.Inputs[i][j].Selector {
+					return ri.Inputs[i][j].Selector != rj.Inputs[i][j].Selector
+				}
+				return cc.Records[ri.Inputs[i][j].LinkIndex].Digest < cc.Records[rj.Inputs[i][j].LinkIndex].Digest
+			}
+		}
+		return ri.Digest < rj.Digest
+	})
+	for i, l := range sortedRecords {
+		l.newIndex = i
+	}
+
+	records := make([]CacheRecord, len(sortedRecords))
+	for i, r := range sortedRecords {
+		for j := range r.r.Results {
+			r.r.Results[j].LayerIndex = unsortedLayers[r.r.Results[j].LayerIndex].newIndex
+		}
+		for j, inputs := range r.r.Inputs {
+			for k := range inputs {
+				r.r.Inputs[j][k].LinkIndex = unsortedRecords[r.r.Inputs[j][k].LinkIndex].newIndex
+			}
+			sort.Slice(inputs, func(i, j int) bool {
+				return inputs[i].LinkIndex < inputs[j].LinkIndex
+			})
+		}
+		records[i] = r.r
+	}
+
+	cc.Layers = layers
+	cc.Records = records
+}
+
+func outputKey(dgst digest.Digest, idx int) digest.Digest {
+	return digest.FromBytes([]byte(fmt.Sprintf("%s@%d", dgst, idx)))
+}
+
+type nlink struct {
+	dgst     digest.Digest
+	input    int
+	selector string
+}
+type normalizeState struct {
+	added map[*item]*item
+	links map[*item]map[nlink]map[digest.Digest]struct{}
+	byKey map[digest.Digest]*item
+	next  int
+}
+
+func normalizeItem(it *item, state *normalizeState) (*item, error) {
+	if it2, ok := state.added[it]; ok {
+		return it2, nil
+	}
+
+	if len(it.links) == 0 {
+		id := it.dgst
+		if it2, ok := state.byKey[id]; ok {
+			state.added[it] = it2
+			return it2, nil
+		}
+		state.byKey[id] = it
+		state.added[it] = it
+		return nil, nil
+	}
+
+	matches := map[digest.Digest]struct{}{}
+
+	// check if there is already a matching record
+	for i, m := range it.links {
+		if len(m) == 0 {
+			return nil, errors.Errorf("invalid incomplete links")
+		}
+		for l := range m {
+			nl := nlink{dgst: it.dgst, input: i, selector: l.selector}
+			it2, err := normalizeItem(l.src, state)
+			if err != nil {
+				return nil, err
+			}
+			links := state.links[it2][nl]
+			if i == 0 {
+				for id := range links {
+					matches[id] = struct{}{}
+				}
+			} else {
+				for id := range matches {
+					if _, ok := links[id]; !ok {
+						delete(matches, id)
+					}
+				}
+			}
+		}
+	}
+
+	var id digest.Digest
+
+	links := it.links
+
+	if len(matches) > 0 {
+		for m := range matches {
+			if id == "" || id > m {
+				id = m
+			}
+		}
+	} else {
+		// keep tmp IDs deterministic
+		state.next++
+		id = digest.FromBytes([]byte(fmt.Sprintf("%d", state.next)))
+		state.byKey[id] = it
+		it.links = make([]map[link]struct{}, len(it.links))
+		for i := range it.links {
+			it.links[i] = map[link]struct{}{}
+		}
+	}
+
+	it2 := state.byKey[id]
+	state.added[it] = it2
+
+	for i, m := range links {
+		for l := range m {
+			subIt, err := normalizeItem(l.src, state)
+			if err != nil {
+				return nil, err
+			}
+			it2.links[i][link{src: subIt, selector: l.selector}] = struct{}{}
+
+			nl := nlink{dgst: it.dgst, input: i, selector: l.selector}
+			if _, ok := state.links[subIt]; !ok {
+				state.links[subIt] = map[nlink]map[digest.Digest]struct{}{}
+			}
+			if _, ok := state.links[subIt][nl]; !ok {
+				state.links[subIt][nl] = map[digest.Digest]struct{}{}
+			}
+			state.links[subIt][nl][id] = struct{}{}
+		}
+	}
+
+	return it2, nil
+}
+
+type marshalState struct {
+	layers      []CacheLayer
+	chainsByID  map[string]int
+	descriptors DescriptorProvider
+
+	records       []CacheRecord
+	recordsByItem map[*item]int
+}
+
+func marshalRemote(r *solver.Remote, state *marshalState) string {
+	if len(r.Descriptors) == 0 {
+		return ""
+	}
+	type Remote struct {
+		Descriptors []ocispec.Descriptor
+		Provider    content.Provider
+	}
+	var parentID string
+	if len(r.Descriptors) > 1 {
+		r2 := &solver.Remote{
+			Descriptors: r.Descriptors[:len(r.Descriptors)-1],
+			Provider:    r.Provider,
+		}
+		parentID = marshalRemote(r2, state)
+	}
+	desc := r.Descriptors[len(r.Descriptors)-1]
+
+	state.descriptors[desc.Digest] = DescriptorProviderPair{
+		Descriptor: desc,
+		Provider:   r.Provider,
+	}
+
+	id := desc.Digest.String() + parentID
+
+	if _, ok := state.chainsByID[id]; ok {
+		return id
+	}
+
+	state.chainsByID[id] = len(state.layers)
+	l := CacheLayer{
+		Blob:        desc.Digest,
+		ParentIndex: -1,
+	}
+	if parentID != "" {
+		l.ParentIndex = state.chainsByID[parentID]
+	}
+	state.layers = append(state.layers, l)
+	return id
+}
+
+func marshalItem(it *item, state *marshalState) error {
+	if _, ok := state.recordsByItem[it]; ok {
+		return nil
+	}
+
+	rec := CacheRecord{
+		Digest: it.dgst,
+		Inputs: make([][]CacheInput, len(it.links)),
+	}
+
+	for i, m := range it.links {
+		for l := range m {
+			if err := marshalItem(l.src, state); err != nil {
+				return err
+			}
+			idx, ok := state.recordsByItem[l.src]
+			if !ok {
+				return errors.Errorf("invalid source record: %v", l.src)
+			}
+			rec.Inputs[i] = append(rec.Inputs[i], CacheInput{
+				Selector:  l.selector,
+				LinkIndex: idx,
+			})
+		}
+	}
+
+	if it.result != nil {
+		id := marshalRemote(it.result, state)
+		if id != "" {
+			idx, ok := state.chainsByID[id]
+			if !ok {
+				return errors.Errorf("parent chainid not found")
+			}
+			rec.Results = append(rec.Results, CacheResult{LayerIndex: idx, CreatedAt: it.resultTime})
+		}
+	}
+
+	state.recordsByItem[it] = len(state.records)
+	state.records = append(state.records, rec)
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/client.go b/engine/vendor/github.com/moby/buildkit/client/client.go
new file mode 100644
index 00000000..403ed52a
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/client.go
@@ -0,0 +1,132 @@
+package client
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+
+	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/util/appdefaults"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+)
+
+type Client struct {
+	conn *grpc.ClientConn
+}
+
+type ClientOpt interface{}
+
+// New returns a new buildkit client. Address can be empty for the system-default address.
+func New(ctx context.Context, address string, opts ...ClientOpt) (*Client, error) {
+	gopts := []grpc.DialOption{
+		grpc.WithDialer(dialer),
+		grpc.FailOnNonTempDialError(true),
+	}
+	needWithInsecure := true
+	for _, o := range opts {
+		if _, ok := o.(*withBlockOpt); ok {
+			gopts = append(gopts, grpc.WithBlock(), grpc.FailOnNonTempDialError(true))
+		}
+		if credInfo, ok := o.(*withCredentials); ok {
+			opt, err := loadCredentials(credInfo)
+			if err != nil {
+				return nil, err
+			}
+			gopts = append(gopts, opt)
+			needWithInsecure = false
+		}
+		if wt, ok := o.(*withTracer); ok {
+			gopts = append(gopts,
+				grpc.WithUnaryInterceptor(otgrpc.OpenTracingClientInterceptor(wt.tracer, otgrpc.LogPayloads())),
+				grpc.WithStreamInterceptor(otgrpc.OpenTracingStreamClientInterceptor(wt.tracer)))
+		}
+	}
+	if needWithInsecure {
+		gopts = append(gopts, grpc.WithInsecure())
+	}
+	if address == "" {
+		address = appdefaults.Address
+	}
+
+	conn, err := grpc.DialContext(ctx, address, gopts...)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to dial %q . make sure buildkitd is running", address)
+	}
+	c := &Client{
+		conn: conn,
+	}
+	return c, nil
+}
+
+func (c *Client) controlClient() controlapi.ControlClient {
+	return controlapi.NewControlClient(c.conn)
+}
+
+func (c *Client) Close() error {
+	return c.conn.Close()
+}
+
+type withBlockOpt struct{}
+
+func WithBlock() ClientOpt {
+	return &withBlockOpt{}
+}
+
+type withCredentials struct {
+	ServerName string
+	CACert     string
+	Cert       string
+	Key        string
+}
+
+// WithCredentials configures the TLS parameters of the client.
+// Arguments:
+// * serverName: specifies the name of the target server
+// * ca:				 specifies the filepath of the CA certificate to use for verification
+// * cert:			 specifies the filepath of the client certificate
+// * key:				 specifies the filepath of the client key
+func WithCredentials(serverName, ca, cert, key string) ClientOpt {
+	return &withCredentials{serverName, ca, cert, key}
+}
+
+func loadCredentials(opts *withCredentials) (grpc.DialOption, error) {
+	ca, err := ioutil.ReadFile(opts.CACert)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not read ca certificate")
+	}
+
+	certPool := x509.NewCertPool()
+	if ok := certPool.AppendCertsFromPEM(ca); !ok {
+		return nil, errors.New("failed to append ca certs")
+	}
+
+	cfg := &tls.Config{
+		ServerName: opts.ServerName,
+		RootCAs:    certPool,
+	}
+
+	// we will produce an error if the user forgot about either cert or key if at least one is specified
+	if opts.Cert != "" || opts.Key != "" {
+		cert, err := tls.LoadX509KeyPair(opts.Cert, opts.Key)
+		if err != nil {
+			return nil, errors.Wrap(err, "could not read certificate/key")
+		}
+		cfg.Certificates = []tls.Certificate{cert}
+		cfg.BuildNameToCertificate()
+	}
+
+	return grpc.WithTransportCredentials(credentials.NewTLS(cfg)), nil
+}
+
+func WithTracer(t opentracing.Tracer) ClientOpt {
+	return &withTracer{t}
+}
+
+type withTracer struct {
+	tracer opentracing.Tracer
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/client_unix.go b/engine/vendor/github.com/moby/buildkit/client/client_unix.go
new file mode 100644
index 00000000..93afb956
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/client_unix.go
@@ -0,0 +1,19 @@
+// +build !windows
+
+package client
+
+import (
+	"net"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+func dialer(address string, timeout time.Duration) (net.Conn, error) {
+	addrParts := strings.SplitN(address, "://", 2)
+	if len(addrParts) != 2 {
+		return nil, errors.Errorf("invalid address %s", address)
+	}
+	return net.DialTimeout(addrParts[0], addrParts[1], timeout)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/client_windows.go b/engine/vendor/github.com/moby/buildkit/client/client_windows.go
new file mode 100644
index 00000000..75905f52
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/client_windows.go
@@ -0,0 +1,24 @@
+package client
+
+import (
+	"net"
+	"strings"
+	"time"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/pkg/errors"
+)
+
+func dialer(address string, timeout time.Duration) (net.Conn, error) {
+	addrParts := strings.SplitN(address, "://", 2)
+	if len(addrParts) != 2 {
+		return nil, errors.Errorf("invalid address %s", address)
+	}
+	switch addrParts[0] {
+	case "npipe":
+		address = strings.Replace(addrParts[1], "/", "\\", 0)
+		return winio.DialPipe(address, &timeout)
+	default:
+		return net.DialTimeout(addrParts[0], addrParts[1], timeout)
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/diskusage.go b/engine/vendor/github.com/moby/buildkit/client/diskusage.go
new file mode 100644
index 00000000..5ed50432
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/diskusage.go
@@ -0,0 +1,73 @@
+package client
+
+import (
+	"context"
+	"sort"
+	"time"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/pkg/errors"
+)
+
+type UsageInfo struct {
+	ID      string
+	Mutable bool
+	InUse   bool
+	Size    int64
+
+	CreatedAt   time.Time
+	LastUsedAt  *time.Time
+	UsageCount  int
+	Parent      string
+	Description string
+}
+
+func (c *Client) DiskUsage(ctx context.Context, opts ...DiskUsageOption) ([]*UsageInfo, error) {
+	info := &DiskUsageInfo{}
+	for _, o := range opts {
+		o(info)
+	}
+
+	req := &controlapi.DiskUsageRequest{Filter: info.Filter}
+	resp, err := c.controlClient().DiskUsage(ctx, req)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to call diskusage")
+	}
+
+	var du []*UsageInfo
+
+	for _, d := range resp.Record {
+		du = append(du, &UsageInfo{
+			ID:          d.ID,
+			Mutable:     d.Mutable,
+			InUse:       d.InUse,
+			Size:        d.Size_,
+			Parent:      d.Parent,
+			CreatedAt:   d.CreatedAt,
+			Description: d.Description,
+			UsageCount:  int(d.UsageCount),
+			LastUsedAt:  d.LastUsedAt,
+		})
+	}
+
+	sort.Slice(du, func(i, j int) bool {
+		if du[i].Size == du[j].Size {
+			return du[i].ID > du[j].ID
+		}
+		return du[i].Size > du[j].Size
+	})
+
+	return du, nil
+}
+
+type DiskUsageOption func(*DiskUsageInfo)
+
+type DiskUsageInfo struct {
+	Filter string
+}
+
+func WithFilter(f string) DiskUsageOption {
+	return func(di *DiskUsageInfo) {
+		di.Filter = f
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/exporters.go b/engine/vendor/github.com/moby/buildkit/client/exporters.go
new file mode 100644
index 00000000..4160d92a
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/exporters.go
@@ -0,0 +1,8 @@
+package client
+
+const (
+	ExporterImage  = "image"
+	ExporterLocal  = "local"
+	ExporterOCI    = "oci"
+	ExporterDocker = "docker"
+)
diff --git a/engine/vendor/github.com/moby/buildkit/client/graph.go b/engine/vendor/github.com/moby/buildkit/client/graph.go
new file mode 100644
index 00000000..141a393c
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/graph.go
@@ -0,0 +1,45 @@
+package client
+
+import (
+	"time"
+
+	digest "github.com/opencontainers/go-digest"
+)
+
+type Vertex struct {
+	Digest    digest.Digest
+	Inputs    []digest.Digest
+	Name      string
+	Started   *time.Time
+	Completed *time.Time
+	Cached    bool
+	Error     string
+}
+
+type VertexStatus struct {
+	ID        string
+	Vertex    digest.Digest
+	Name      string
+	Total     int64
+	Current   int64
+	Timestamp time.Time
+	Started   *time.Time
+	Completed *time.Time
+}
+
+type VertexLog struct {
+	Vertex    digest.Digest
+	Stream    int
+	Data      []byte
+	Timestamp time.Time
+}
+
+type SolveStatus struct {
+	Vertexes []*Vertex
+	Statuses []*VertexStatus
+	Logs     []*VertexLog
+}
+
+type SolveResponse struct {
+	ExporterResponse map[string]string
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/llb/exec.go b/engine/vendor/github.com/moby/buildkit/client/llb/exec.go
new file mode 100644
index 00000000..9dec170f
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/llb/exec.go
@@ -0,0 +1,409 @@
+package llb
+
+import (
+	_ "crypto/sha256"
+	"sort"
+
+	"github.com/moby/buildkit/solver/pb"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+type Meta struct {
+	Args     []string
+	Env      EnvList
+	Cwd      string
+	User     string
+	ProxyEnv *ProxyEnv
+}
+
+func NewExecOp(root Output, meta Meta, readOnly bool, c Constraints) *ExecOp {
+	e := &ExecOp{meta: meta, constraints: c}
+	rootMount := &mount{
+		target:   pb.RootMount,
+		source:   root,
+		readonly: readOnly,
+	}
+	e.mounts = append(e.mounts, rootMount)
+	if readOnly {
+		e.root = root
+	} else {
+		o := &output{vertex: e, getIndex: e.getMountIndexFn(rootMount)}
+		if p := c.Platform; p != nil {
+			o.platform = p
+		}
+		e.root = o
+	}
+	rootMount.output = e.root
+	return e
+}
+
+type mount struct {
+	target       string
+	readonly     bool
+	source       Output
+	output       Output
+	selector     string
+	cacheID      string
+	tmpfs        bool
+	cacheSharing CacheMountSharingMode
+	// hasOutput bool
+}
+
+type ExecOp struct {
+	MarshalCache
+	root        Output
+	mounts      []*mount
+	meta        Meta
+	constraints Constraints
+	isValidated bool
+}
+
+func (e *ExecOp) AddMount(target string, source Output, opt ...MountOption) Output {
+	m := &mount{
+		target: target,
+		source: source,
+	}
+	for _, o := range opt {
+		o(m)
+	}
+	e.mounts = append(e.mounts, m)
+	if m.readonly {
+		m.output = source
+	} else if m.tmpfs {
+		m.output = &output{vertex: e, err: errors.Errorf("tmpfs mount for %s can't be used as a parent", target)}
+	} else {
+		o := &output{vertex: e, getIndex: e.getMountIndexFn(m)}
+		if p := e.constraints.Platform; p != nil {
+			o.platform = p
+		}
+		m.output = o
+	}
+	e.Store(nil, nil, nil)
+	e.isValidated = false
+	return m.output
+}
+
+func (e *ExecOp) GetMount(target string) Output {
+	for _, m := range e.mounts {
+		if m.target == target {
+			return m.output
+		}
+	}
+	return nil
+}
+
+func (e *ExecOp) Validate() error {
+	if e.isValidated {
+		return nil
+	}
+	if len(e.meta.Args) == 0 {
+		return errors.Errorf("arguments are required")
+	}
+	if e.meta.Cwd == "" {
+		return errors.Errorf("working directory is required")
+	}
+	for _, m := range e.mounts {
+		if m.source != nil {
+			if err := m.source.Vertex().Validate(); err != nil {
+				return err
+			}
+		}
+	}
+	e.isValidated = true
+	return nil
+}
+
+func (e *ExecOp) Marshal(c *Constraints) (digest.Digest, []byte, *pb.OpMetadata, error) {
+	if e.Cached(c) {
+		return e.Load()
+	}
+	if err := e.Validate(); err != nil {
+		return "", nil, nil, err
+	}
+	// make sure mounts are sorted
+	sort.Slice(e.mounts, func(i, j int) bool {
+		return e.mounts[i].target < e.mounts[j].target
+	})
+
+	peo := &pb.ExecOp{
+		Meta: &pb.Meta{
+			Args: e.meta.Args,
+			Env:  e.meta.Env.ToArray(),
+			Cwd:  e.meta.Cwd,
+			User: e.meta.User,
+		},
+	}
+
+	if p := e.meta.ProxyEnv; p != nil {
+		peo.Meta.ProxyEnv = &pb.ProxyEnv{
+			HttpProxy:  p.HttpProxy,
+			HttpsProxy: p.HttpsProxy,
+			FtpProxy:   p.FtpProxy,
+			NoProxy:    p.NoProxy,
+		}
+	}
+
+	pop, md := MarshalConstraints(c, &e.constraints)
+	pop.Op = &pb.Op_Exec{
+		Exec: peo,
+	}
+
+	outIndex := 0
+	for _, m := range e.mounts {
+		inputIndex := pb.InputIndex(len(pop.Inputs))
+		if m.source != nil {
+			if m.tmpfs {
+				return "", nil, nil, errors.Errorf("tmpfs mounts must use scratch")
+			}
+			inp, err := m.source.ToInput(c)
+			if err != nil {
+				return "", nil, nil, err
+			}
+
+			newInput := true
+
+			for i, inp2 := range pop.Inputs {
+				if *inp == *inp2 {
+					inputIndex = pb.InputIndex(i)
+					newInput = false
+					break
+				}
+			}
+
+			if newInput {
+				pop.Inputs = append(pop.Inputs, inp)
+			}
+		} else {
+			inputIndex = pb.Empty
+		}
+
+		outputIndex := pb.OutputIndex(-1)
+		if !m.readonly && m.cacheID == "" && !m.tmpfs {
+			outputIndex = pb.OutputIndex(outIndex)
+			outIndex++
+		}
+
+		pm := &pb.Mount{
+			Input:    inputIndex,
+			Dest:     m.target,
+			Readonly: m.readonly,
+			Output:   outputIndex,
+			Selector: m.selector,
+		}
+		if m.cacheID != "" {
+			pm.MountType = pb.MountType_CACHE
+			pm.CacheOpt = &pb.CacheOpt{
+				ID: m.cacheID,
+			}
+			switch m.cacheSharing {
+			case CacheMountShared:
+				pm.CacheOpt.Sharing = pb.CacheSharingOpt_SHARED
+			case CacheMountPrivate:
+				pm.CacheOpt.Sharing = pb.CacheSharingOpt_PRIVATE
+			case CacheMountLocked:
+				pm.CacheOpt.Sharing = pb.CacheSharingOpt_LOCKED
+			}
+		}
+		if m.tmpfs {
+			pm.MountType = pb.MountType_TMPFS
+		}
+		peo.Mounts = append(peo.Mounts, pm)
+	}
+
+	dt, err := pop.Marshal()
+	if err != nil {
+		return "", nil, nil, err
+	}
+	e.Store(dt, md, c)
+	return e.Load()
+}
+
+func (e *ExecOp) Output() Output {
+	return e.root
+}
+
+func (e *ExecOp) Inputs() (inputs []Output) {
+	mm := map[Output]struct{}{}
+	for _, m := range e.mounts {
+		if m.source != nil {
+			mm[m.source] = struct{}{}
+		}
+	}
+	for o := range mm {
+		inputs = append(inputs, o)
+	}
+	return
+}
+
+func (e *ExecOp) getMountIndexFn(m *mount) func() (pb.OutputIndex, error) {
+	return func() (pb.OutputIndex, error) {
+		// make sure mounts are sorted
+		sort.Slice(e.mounts, func(i, j int) bool {
+			return e.mounts[i].target < e.mounts[j].target
+		})
+
+		i := 0
+		for _, m2 := range e.mounts {
+			if m2.readonly || m2.cacheID != "" {
+				continue
+			}
+			if m == m2 {
+				return pb.OutputIndex(i), nil
+			}
+			i++
+		}
+		return pb.OutputIndex(0), errors.Errorf("invalid mount: %s", m.target)
+	}
+}
+
+type ExecState struct {
+	State
+	exec *ExecOp
+}
+
+func (e ExecState) AddMount(target string, source State, opt ...MountOption) State {
+	return source.WithOutput(e.exec.AddMount(target, source.Output(), opt...))
+}
+
+func (e ExecState) GetMount(target string) State {
+	return NewState(e.exec.GetMount(target))
+}
+
+func (e ExecState) Root() State {
+	return e.State
+}
+
+type MountOption func(*mount)
+
+func Readonly(m *mount) {
+	m.readonly = true
+}
+
+func SourcePath(src string) MountOption {
+	return func(m *mount) {
+		m.selector = src
+	}
+}
+
+func AsPersistentCacheDir(id string, sharing CacheMountSharingMode) MountOption {
+	return func(m *mount) {
+		m.cacheID = id
+		m.cacheSharing = sharing
+	}
+}
+
+func Tmpfs() MountOption {
+	return func(m *mount) {
+		m.tmpfs = true
+	}
+}
+
+type RunOption interface {
+	SetRunOption(es *ExecInfo)
+}
+
+type runOptionFunc func(*ExecInfo)
+
+func (fn runOptionFunc) SetRunOption(ei *ExecInfo) {
+	fn(ei)
+}
+
+func Shlex(str string) RunOption {
+	return Shlexf(str)
+}
+func Shlexf(str string, v ...interface{}) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = shlexf(str, v...)(ei.State)
+	})
+}
+
+func Args(a []string) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = args(a...)(ei.State)
+	})
+}
+
+func AddEnv(key, value string) RunOption {
+	return AddEnvf(key, value)
+}
+
+func AddEnvf(key, value string, v ...interface{}) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.AddEnvf(key, value, v...)
+	})
+}
+
+func User(str string) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.User(str)
+	})
+}
+
+func Dir(str string) RunOption {
+	return Dirf(str)
+}
+func Dirf(str string, v ...interface{}) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.Dirf(str, v...)
+	})
+}
+
+func Reset(s State) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.Reset(s)
+	})
+}
+
+func With(so ...StateOption) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.State = ei.State.With(so...)
+	})
+}
+
+func AddMount(dest string, mountState State, opts ...MountOption) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.Mounts = append(ei.Mounts, MountInfo{dest, mountState.Output(), opts})
+	})
+}
+
+func ReadonlyRootFS() RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.ReadonlyRootFS = true
+	})
+}
+
+func WithProxy(ps ProxyEnv) RunOption {
+	return runOptionFunc(func(ei *ExecInfo) {
+		ei.ProxyEnv = &ps
+	})
+}
+
+type ExecInfo struct {
+	constraintsWrapper
+	State          State
+	Mounts         []MountInfo
+	ReadonlyRootFS bool
+	ProxyEnv       *ProxyEnv
+}
+
+type MountInfo struct {
+	Target string
+	Source Output
+	Opts   []MountOption
+}
+
+type ProxyEnv struct {
+	HttpProxy  string
+	HttpsProxy string
+	FtpProxy   string
+	NoProxy    string
+}
+
+type CacheMountSharingMode int
+
+const (
+	CacheMountShared CacheMountSharingMode = iota
+	CacheMountPrivate
+	CacheMountLocked
+)
diff --git a/engine/vendor/github.com/moby/buildkit/client/llb/imagemetaresolver/resolver.go b/engine/vendor/github.com/moby/buildkit/client/llb/imagemetaresolver/resolver.go
new file mode 100644
index 00000000..09d4aec1
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/llb/imagemetaresolver/resolver.go
@@ -0,0 +1,92 @@
+package imagemetaresolver
+
+import (
+	"context"
+	"net/http"
+	"sync"
+
+	"github.com/containerd/containerd/remotes"
+	"github.com/containerd/containerd/remotes/docker"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/util/contentutil"
+	"github.com/moby/buildkit/util/imageutil"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+var defaultImageMetaResolver llb.ImageMetaResolver
+var defaultImageMetaResolverOnce sync.Once
+
+var WithDefault = llb.ImageOptionFunc(func(ii *llb.ImageInfo) {
+	llb.WithMetaResolver(Default()).SetImageOption(ii)
+})
+
+type imageMetaResolverOpts struct {
+	platform *specs.Platform
+}
+
+type ImageMetaResolverOpt func(o *imageMetaResolverOpts)
+
+func WithDefaultPlatform(p *specs.Platform) ImageMetaResolverOpt {
+	return func(o *imageMetaResolverOpts) {
+		o.platform = p
+	}
+}
+
+func New(with ...ImageMetaResolverOpt) llb.ImageMetaResolver {
+	var opts imageMetaResolverOpts
+	for _, f := range with {
+		f(&opts)
+	}
+	return &imageMetaResolver{
+		resolver: docker.NewResolver(docker.ResolverOptions{
+			Client: http.DefaultClient,
+		}),
+		platform: opts.platform,
+		buffer:   contentutil.NewBuffer(),
+		cache:    map[string]resolveResult{},
+		locker:   locker.New(),
+	}
+}
+
+func Default() llb.ImageMetaResolver {
+	defaultImageMetaResolverOnce.Do(func() {
+		defaultImageMetaResolver = New()
+	})
+	return defaultImageMetaResolver
+}
+
+type imageMetaResolver struct {
+	resolver remotes.Resolver
+	buffer   contentutil.Buffer
+	platform *specs.Platform
+	locker   *locker.Locker
+	cache    map[string]resolveResult
+}
+
+type resolveResult struct {
+	config []byte
+	dgst   digest.Digest
+}
+
+func (imr *imageMetaResolver) ResolveImageConfig(ctx context.Context, ref string, platform *specs.Platform) (digest.Digest, []byte, error) {
+	imr.locker.Lock(ref)
+	defer imr.locker.Unlock(ref)
+
+	if res, ok := imr.cache[ref]; ok {
+		return res.dgst, res.config, nil
+	}
+
+	if platform == nil {
+		platform = imr.platform
+	}
+
+	dgst, config, err := imageutil.Config(ctx, ref, imr.resolver, imr.buffer, platform)
+	if err != nil {
+		return "", nil, err
+	}
+
+	imr.cache[ref] = resolveResult{dgst: dgst, config: config}
+	return dgst, config, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/llb/marshal.go b/engine/vendor/github.com/moby/buildkit/client/llb/marshal.go
new file mode 100644
index 00000000..65a352fa
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/llb/marshal.go
@@ -0,0 +1,112 @@
+package llb
+
+import (
+	"io"
+	"io/ioutil"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/moby/buildkit/solver/pb"
+	digest "github.com/opencontainers/go-digest"
+)
+
+// Definition is the LLB definition structure with per-vertex metadata entries
+// Corresponds to the Definition structure defined in solver/pb.Definition.
+type Definition struct {
+	Def      [][]byte
+	Metadata map[digest.Digest]pb.OpMetadata
+}
+
+func (def *Definition) ToPB() *pb.Definition {
+	md := make(map[digest.Digest]pb.OpMetadata)
+	for k, v := range def.Metadata {
+		md[k] = v
+	}
+	return &pb.Definition{
+		Def:      def.Def,
+		Metadata: md,
+	}
+}
+
+func (def *Definition) FromPB(x *pb.Definition) {
+	def.Def = x.Def
+	def.Metadata = make(map[digest.Digest]pb.OpMetadata)
+	for k, v := range x.Metadata {
+		def.Metadata[k] = v
+	}
+}
+
+func WriteTo(def *Definition, w io.Writer) error {
+	b, err := def.ToPB().Marshal()
+	if err != nil {
+		return err
+	}
+	_, err = w.Write(b)
+	return err
+}
+
+func ReadFrom(r io.Reader) (*Definition, error) {
+	b, err := ioutil.ReadAll(r)
+	if err != nil {
+		return nil, err
+	}
+	var pbDef pb.Definition
+	if err := pbDef.Unmarshal(b); err != nil {
+		return nil, err
+	}
+	var def Definition
+	def.FromPB(&pbDef)
+	return &def, nil
+}
+
+func MarshalConstraints(base, override *Constraints) (*pb.Op, *pb.OpMetadata) {
+	c := *base
+	c.WorkerConstraints = append([]string{}, c.WorkerConstraints...)
+
+	if p := override.Platform; p != nil {
+		c.Platform = p
+	}
+
+	for _, wc := range override.WorkerConstraints {
+		c.WorkerConstraints = append(c.WorkerConstraints, wc)
+	}
+
+	c.Metadata = mergeMetadata(c.Metadata, override.Metadata)
+
+	if c.Platform == nil {
+		defaultPlatform := platforms.Normalize(platforms.DefaultSpec())
+		c.Platform = &defaultPlatform
+	}
+
+	return &pb.Op{
+		Platform: &pb.Platform{
+			OS:           c.Platform.OS,
+			Architecture: c.Platform.Architecture,
+			Variant:      c.Platform.Variant,
+			OSVersion:    c.Platform.OSVersion,
+			OSFeatures:   c.Platform.OSFeatures,
+		},
+		Constraints: &pb.WorkerConstraints{
+			Filter: c.WorkerConstraints,
+		},
+	}, &c.Metadata
+}
+
+type MarshalCache struct {
+	digest      digest.Digest
+	dt          []byte
+	md          *pb.OpMetadata
+	constraints *Constraints
+}
+
+func (mc *MarshalCache) Cached(c *Constraints) bool {
+	return mc.dt != nil && mc.constraints == c
+}
+func (mc *MarshalCache) Load() (digest.Digest, []byte, *pb.OpMetadata, error) {
+	return mc.digest, mc.dt, mc.md, nil
+}
+func (mc *MarshalCache) Store(dt []byte, md *pb.OpMetadata, c *Constraints) {
+	mc.digest = digest.FromBytes(dt)
+	mc.dt = dt
+	mc.md = md
+	mc.constraints = c
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/llb/meta.go b/engine/vendor/github.com/moby/buildkit/client/llb/meta.go
new file mode 100644
index 00000000..22aea097
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/llb/meta.go
@@ -0,0 +1,170 @@
+package llb
+
+import (
+	"fmt"
+	"path"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/google/shlex"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type contextKeyT string
+
+var (
+	keyArgs     = contextKeyT("llb.exec.args")
+	keyDir      = contextKeyT("llb.exec.dir")
+	keyEnv      = contextKeyT("llb.exec.env")
+	keyUser     = contextKeyT("llb.exec.user")
+	keyPlatform = contextKeyT("llb.platform")
+)
+
+func addEnv(key, value string) StateOption {
+	return addEnvf(key, value)
+}
+
+func addEnvf(key, value string, v ...interface{}) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyEnv, getEnv(s).AddOrReplace(key, fmt.Sprintf(value, v...)))
+	}
+}
+
+func dir(str string) StateOption {
+	return dirf(str)
+}
+
+func dirf(str string, v ...interface{}) StateOption {
+	return func(s State) State {
+		value := fmt.Sprintf(str, v...)
+		if !path.IsAbs(value) {
+			prev := getDir(s)
+			if prev == "" {
+				prev = "/"
+			}
+			value = path.Join(prev, value)
+		}
+		return s.WithValue(keyDir, value)
+	}
+}
+
+func user(str string) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyUser, str)
+	}
+}
+
+func reset(s_ State) StateOption {
+	return func(s State) State {
+		s = NewState(s.Output())
+		s.ctx = s_.ctx
+		return s
+	}
+}
+
+func getEnv(s State) EnvList {
+	v := s.Value(keyEnv)
+	if v != nil {
+		return v.(EnvList)
+	}
+	return EnvList{}
+}
+
+func getDir(s State) string {
+	v := s.Value(keyDir)
+	if v != nil {
+		return v.(string)
+	}
+	return ""
+}
+
+func getArgs(s State) []string {
+	v := s.Value(keyArgs)
+	if v != nil {
+		return v.([]string)
+	}
+	return nil
+}
+
+func getUser(s State) string {
+	v := s.Value(keyUser)
+	if v != nil {
+		return v.(string)
+	}
+	return ""
+}
+
+func args(args ...string) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyArgs, args)
+	}
+}
+
+func shlexf(str string, v ...interface{}) StateOption {
+	return func(s State) State {
+		arg, err := shlex.Split(fmt.Sprintf(str, v...))
+		if err != nil {
+			// TODO: handle error
+		}
+		return args(arg...)(s)
+	}
+}
+
+func platform(p specs.Platform) StateOption {
+	return func(s State) State {
+		return s.WithValue(keyPlatform, platforms.Normalize(p))
+	}
+}
+
+func getPlatform(s State) *specs.Platform {
+	v := s.Value(keyPlatform)
+	if v != nil {
+		p := v.(specs.Platform)
+		return &p
+	}
+	return nil
+}
+
+type EnvList []KeyValue
+
+type KeyValue struct {
+	key   string
+	value string
+}
+
+func (e EnvList) AddOrReplace(k, v string) EnvList {
+	e = e.Delete(k)
+	e = append(e, KeyValue{key: k, value: v})
+	return e
+}
+
+func (e EnvList) Delete(k string) EnvList {
+	e = append([]KeyValue(nil), e...)
+	if i, ok := e.Index(k); ok {
+		return append(e[:i], e[i+1:]...)
+	}
+	return e
+}
+
+func (e EnvList) Get(k string) (string, bool) {
+	if index, ok := e.Index(k); ok {
+		return e[index].value, true
+	}
+	return "", false
+}
+
+func (e EnvList) Index(k string) (int, bool) {
+	for i, kv := range e {
+		if kv.key == k {
+			return i, true
+		}
+	}
+	return -1, false
+}
+
+func (e EnvList) ToArray() []string {
+	out := make([]string, 0, len(e))
+	for _, kv := range e {
+		out = append(out, kv.key+"="+kv.value)
+	}
+	return out
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/llb/resolver.go b/engine/vendor/github.com/moby/buildkit/client/llb/resolver.go
new file mode 100644
index 00000000..b539b115
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/llb/resolver.go
@@ -0,0 +1,18 @@
+package llb
+
+import (
+	"context"
+
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+func WithMetaResolver(mr ImageMetaResolver) ImageOption {
+	return ImageOptionFunc(func(ii *ImageInfo) {
+		ii.metaResolver = mr
+	})
+}
+
+type ImageMetaResolver interface {
+	ResolveImageConfig(ctx context.Context, ref string, platform *specs.Platform) (digest.Digest, []byte, error)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/llb/source.go b/engine/vendor/github.com/moby/buildkit/client/llb/source.go
new file mode 100644
index 00000000..5b4aa9bf
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/llb/source.go
@@ -0,0 +1,363 @@
+package llb
+
+import (
+	"context"
+	_ "crypto/sha256"
+	"encoding/json"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/docker/distribution/reference"
+	"github.com/moby/buildkit/solver/pb"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+type SourceOp struct {
+	MarshalCache
+	id          string
+	attrs       map[string]string
+	output      Output
+	constraints Constraints
+	err         error
+}
+
+func NewSource(id string, attrs map[string]string, c Constraints) *SourceOp {
+	s := &SourceOp{
+		id:          id,
+		attrs:       attrs,
+		constraints: c,
+	}
+	s.output = &output{vertex: s, platform: c.Platform}
+	return s
+}
+
+func (s *SourceOp) Validate() error {
+	if s.err != nil {
+		return s.err
+	}
+	if s.id == "" {
+		return errors.Errorf("source identifier can't be empty")
+	}
+	return nil
+}
+
+func (s *SourceOp) Marshal(constraints *Constraints) (digest.Digest, []byte, *pb.OpMetadata, error) {
+	if s.Cached(constraints) {
+		return s.Load()
+	}
+	if err := s.Validate(); err != nil {
+		return "", nil, nil, err
+	}
+
+	if strings.HasPrefix(s.id, "local://") {
+		if _, hasSession := s.attrs[pb.AttrLocalSessionID]; !hasSession {
+			uid := s.constraints.LocalUniqueID
+			if uid == "" {
+				uid = constraints.LocalUniqueID
+			}
+			s.attrs[pb.AttrLocalUniqueID] = uid
+		}
+	}
+	proto, md := MarshalConstraints(constraints, &s.constraints)
+
+	proto.Op = &pb.Op_Source{
+		Source: &pb.SourceOp{Identifier: s.id, Attrs: s.attrs},
+	}
+	dt, err := proto.Marshal()
+	if err != nil {
+		return "", nil, nil, err
+	}
+
+	s.Store(dt, md, constraints)
+	return s.Load()
+}
+
+func (s *SourceOp) Output() Output {
+	return s.output
+}
+
+func (s *SourceOp) Inputs() []Output {
+	return nil
+}
+
+func Image(ref string, opts ...ImageOption) State {
+	r, err := reference.ParseNormalizedNamed(ref)
+	if err == nil {
+		ref = reference.TagNameOnly(r).String()
+	}
+	var info ImageInfo
+	for _, opt := range opts {
+		opt.SetImageOption(&info)
+	}
+	src := NewSource("docker-image://"+ref, nil, info.Constraints) // controversial
+	if err != nil {
+		src.err = err
+	}
+	if info.metaResolver != nil {
+		_, dt, err := info.metaResolver.ResolveImageConfig(context.TODO(), ref, info.Constraints.Platform)
+		if err != nil {
+			src.err = err
+		} else {
+			var img struct {
+				Config struct {
+					Env        []string `json:"Env,omitempty"`
+					WorkingDir string   `json:"WorkingDir,omitempty"`
+					User       string   `json:"User,omitempty"`
+				} `json:"config,omitempty"`
+			}
+			if err := json.Unmarshal(dt, &img); err != nil {
+				src.err = err
+			} else {
+				st := NewState(src.Output())
+				for _, env := range img.Config.Env {
+					parts := strings.SplitN(env, "=", 2)
+					if len(parts[0]) > 0 {
+						var v string
+						if len(parts) > 1 {
+							v = parts[1]
+						}
+						st = st.AddEnv(parts[0], v)
+					}
+				}
+				st = st.Dir(img.Config.WorkingDir)
+				return st
+			}
+		}
+	}
+	return NewState(src.Output())
+}
+
+type ImageOption interface {
+	SetImageOption(*ImageInfo)
+}
+
+type ImageOptionFunc func(*ImageInfo)
+
+func (fn ImageOptionFunc) SetImageOption(ii *ImageInfo) {
+	fn(ii)
+}
+
+type ImageInfo struct {
+	constraintsWrapper
+	metaResolver ImageMetaResolver
+}
+
+func Git(remote, ref string, opts ...GitOption) State {
+	url := ""
+
+	for _, prefix := range []string{
+		"http://", "https://", "git://", "git@",
+	} {
+		if strings.HasPrefix(remote, prefix) {
+			url = strings.Split(remote, "#")[0]
+			remote = strings.TrimPrefix(remote, prefix)
+		}
+	}
+
+	id := remote
+
+	if ref != "" {
+		id += "#" + ref
+	}
+
+	gi := &GitInfo{}
+	for _, o := range opts {
+		o.SetGitOption(gi)
+	}
+	attrs := map[string]string{}
+	if gi.KeepGitDir {
+		attrs[pb.AttrKeepGitDir] = "true"
+	}
+	if url != "" {
+		attrs[pb.AttrFullRemoteURL] = url
+	}
+	source := NewSource("git://"+id, attrs, gi.Constraints)
+	return NewState(source.Output())
+}
+
+type GitOption interface {
+	SetGitOption(*GitInfo)
+}
+type gitOptionFunc func(*GitInfo)
+
+func (fn gitOptionFunc) SetGitOption(gi *GitInfo) {
+	fn(gi)
+}
+
+type GitInfo struct {
+	constraintsWrapper
+	KeepGitDir bool
+}
+
+func KeepGitDir() GitOption {
+	return gitOptionFunc(func(gi *GitInfo) {
+		gi.KeepGitDir = true
+	})
+}
+
+func Scratch() State {
+	return NewState(nil)
+}
+
+func Local(name string, opts ...LocalOption) State {
+	gi := &LocalInfo{}
+
+	for _, o := range opts {
+		o.SetLocalOption(gi)
+	}
+	attrs := map[string]string{}
+	if gi.SessionID != "" {
+		attrs[pb.AttrLocalSessionID] = gi.SessionID
+	}
+	if gi.IncludePatterns != "" {
+		attrs[pb.AttrIncludePatterns] = gi.IncludePatterns
+	}
+	if gi.FollowPaths != "" {
+		attrs[pb.AttrFollowPaths] = gi.FollowPaths
+	}
+	if gi.ExcludePatterns != "" {
+		attrs[pb.AttrExcludePatterns] = gi.ExcludePatterns
+	}
+	if gi.SharedKeyHint != "" {
+		attrs[pb.AttrSharedKeyHint] = gi.SharedKeyHint
+	}
+
+	source := NewSource("local://"+name, attrs, gi.Constraints)
+	return NewState(source.Output())
+}
+
+type LocalOption interface {
+	SetLocalOption(*LocalInfo)
+}
+
+type localOptionFunc func(*LocalInfo)
+
+func (fn localOptionFunc) SetLocalOption(li *LocalInfo) {
+	fn(li)
+}
+
+func SessionID(id string) LocalOption {
+	return localOptionFunc(func(li *LocalInfo) {
+		li.SessionID = id
+	})
+}
+
+func IncludePatterns(p []string) LocalOption {
+	return localOptionFunc(func(li *LocalInfo) {
+		if len(p) == 0 {
+			li.IncludePatterns = ""
+			return
+		}
+		dt, _ := json.Marshal(p) // empty on error
+		li.IncludePatterns = string(dt)
+	})
+}
+
+func FollowPaths(p []string) LocalOption {
+	return localOptionFunc(func(li *LocalInfo) {
+		if len(p) == 0 {
+			li.FollowPaths = ""
+			return
+		}
+		dt, _ := json.Marshal(p) // empty on error
+		li.FollowPaths = string(dt)
+	})
+}
+
+func ExcludePatterns(p []string) LocalOption {
+	return localOptionFunc(func(li *LocalInfo) {
+		if len(p) == 0 {
+			li.ExcludePatterns = ""
+			return
+		}
+		dt, _ := json.Marshal(p) // empty on error
+		li.ExcludePatterns = string(dt)
+	})
+}
+
+func SharedKeyHint(h string) LocalOption {
+	return localOptionFunc(func(li *LocalInfo) {
+		li.SharedKeyHint = h
+	})
+}
+
+type LocalInfo struct {
+	constraintsWrapper
+	SessionID       string
+	IncludePatterns string
+	ExcludePatterns string
+	FollowPaths     string
+	SharedKeyHint   string
+}
+
+func HTTP(url string, opts ...HTTPOption) State {
+	hi := &HTTPInfo{}
+	for _, o := range opts {
+		o.SetHTTPOption(hi)
+	}
+	attrs := map[string]string{}
+	if hi.Checksum != "" {
+		attrs[pb.AttrHTTPChecksum] = hi.Checksum.String()
+	}
+	if hi.Filename != "" {
+		attrs[pb.AttrHTTPFilename] = hi.Filename
+	}
+	if hi.Perm != 0 {
+		attrs[pb.AttrHTTPPerm] = "0" + strconv.FormatInt(int64(hi.Perm), 8)
+	}
+	if hi.UID != 0 {
+		attrs[pb.AttrHTTPUID] = strconv.Itoa(hi.UID)
+	}
+	if hi.UID != 0 {
+		attrs[pb.AttrHTTPGID] = strconv.Itoa(hi.GID)
+	}
+
+	source := NewSource(url, attrs, hi.Constraints)
+	return NewState(source.Output())
+}
+
+type HTTPInfo struct {
+	constraintsWrapper
+	Checksum digest.Digest
+	Filename string
+	Perm     int
+	UID      int
+	GID      int
+}
+
+type HTTPOption interface {
+	SetHTTPOption(*HTTPInfo)
+}
+
+type httpOptionFunc func(*HTTPInfo)
+
+func (fn httpOptionFunc) SetHTTPOption(hi *HTTPInfo) {
+	fn(hi)
+}
+
+func Checksum(dgst digest.Digest) HTTPOption {
+	return httpOptionFunc(func(hi *HTTPInfo) {
+		hi.Checksum = dgst
+	})
+}
+
+func Chmod(perm os.FileMode) HTTPOption {
+	return httpOptionFunc(func(hi *HTTPInfo) {
+		hi.Perm = int(perm) & 0777
+	})
+}
+
+func Filename(name string) HTTPOption {
+	return httpOptionFunc(func(hi *HTTPInfo) {
+		hi.Filename = name
+	})
+}
+
+func Chown(uid, gid int) HTTPOption {
+	return httpOptionFunc(func(hi *HTTPInfo) {
+		hi.UID = uid
+		hi.GID = gid
+	})
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/llb/state.go b/engine/vendor/github.com/moby/buildkit/client/llb/state.go
new file mode 100644
index 00000000..a0a98500
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/llb/state.go
@@ -0,0 +1,396 @@
+package llb
+
+import (
+	"context"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/system"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type StateOption func(State) State
+
+type Output interface {
+	ToInput(*Constraints) (*pb.Input, error)
+	Vertex() Vertex
+}
+
+type Vertex interface {
+	Validate() error
+	Marshal(*Constraints) (digest.Digest, []byte, *pb.OpMetadata, error)
+	Output() Output
+	Inputs() []Output
+}
+
+func NewState(o Output) State {
+	s := State{
+		out: o,
+		ctx: context.Background(),
+	}
+	s = dir("/")(s)
+	s = addEnv("PATH", system.DefaultPathEnv)(s)
+	s = s.ensurePlatform()
+	return s
+}
+
+type State struct {
+	out  Output
+	ctx  context.Context
+	opts []ConstraintsOpt
+}
+
+func (s State) ensurePlatform() State {
+	if o, ok := s.out.(interface {
+		Platform() *specs.Platform
+	}); ok {
+		if p := o.Platform(); p != nil {
+			s = platform(*p)(s)
+		}
+	}
+	return s
+}
+
+func (s State) WithValue(k, v interface{}) State {
+	return State{
+		out: s.out,
+		ctx: context.WithValue(s.ctx, k, v),
+	}
+}
+
+func (s State) Value(k interface{}) interface{} {
+	return s.ctx.Value(k)
+}
+
+func (s State) SetMarhalDefaults(co ...ConstraintsOpt) State {
+	s.opts = co
+	return s
+}
+
+func (s State) Marshal(co ...ConstraintsOpt) (*Definition, error) {
+	def := &Definition{
+		Metadata: make(map[digest.Digest]pb.OpMetadata, 0),
+	}
+	if s.Output() == nil {
+		return def, nil
+	}
+
+	defaultPlatform := platforms.Normalize(platforms.DefaultSpec())
+	c := &Constraints{
+		Platform:      &defaultPlatform,
+		LocalUniqueID: identity.NewID(),
+	}
+	for _, o := range append(s.opts, co...) {
+		o.SetConstraintsOption(c)
+	}
+
+	def, err := marshal(s.Output().Vertex(), def, map[digest.Digest]struct{}{}, map[Vertex]struct{}{}, c)
+	if err != nil {
+		return def, err
+	}
+	inp, err := s.Output().ToInput(c)
+	if err != nil {
+		return def, err
+	}
+	proto := &pb.Op{Inputs: []*pb.Input{inp}}
+	dt, err := proto.Marshal()
+	if err != nil {
+		return def, err
+	}
+	def.Def = append(def.Def, dt)
+	return def, nil
+}
+
+func marshal(v Vertex, def *Definition, cache map[digest.Digest]struct{}, vertexCache map[Vertex]struct{}, c *Constraints) (*Definition, error) {
+	if _, ok := vertexCache[v]; ok {
+		return def, nil
+	}
+	for _, inp := range v.Inputs() {
+		var err error
+		def, err = marshal(inp.Vertex(), def, cache, vertexCache, c)
+		if err != nil {
+			return def, err
+		}
+	}
+
+	dgst, dt, opMeta, err := v.Marshal(c)
+	if err != nil {
+		return def, err
+	}
+	vertexCache[v] = struct{}{}
+	if opMeta != nil {
+		def.Metadata[dgst] = mergeMetadata(def.Metadata[dgst], *opMeta)
+	}
+	if _, ok := cache[dgst]; ok {
+		return def, nil
+	}
+	def.Def = append(def.Def, dt)
+	cache[dgst] = struct{}{}
+	return def, nil
+}
+
+func (s State) Validate() error {
+	return s.Output().Vertex().Validate()
+}
+
+func (s State) Output() Output {
+	return s.out
+}
+
+func (s State) WithOutput(o Output) State {
+	s = State{
+		out: o,
+		ctx: s.ctx,
+	}
+	s = s.ensurePlatform()
+	return s
+}
+
+func (s State) Run(ro ...RunOption) ExecState {
+	ei := &ExecInfo{State: s}
+	if p := s.GetPlatform(); p != nil {
+		ei.Constraints.Platform = p
+	}
+	for _, o := range ro {
+		o.SetRunOption(ei)
+	}
+	meta := Meta{
+		Args:     getArgs(ei.State),
+		Cwd:      getDir(ei.State),
+		Env:      getEnv(ei.State),
+		User:     getUser(ei.State),
+		ProxyEnv: ei.ProxyEnv,
+	}
+
+	exec := NewExecOp(s.Output(), meta, ei.ReadonlyRootFS, ei.Constraints)
+	for _, m := range ei.Mounts {
+		exec.AddMount(m.Target, m.Source, m.Opts...)
+	}
+
+	return ExecState{
+		State: s.WithOutput(exec.Output()),
+		exec:  exec,
+	}
+}
+
+func (s State) AddEnv(key, value string) State {
+	return s.AddEnvf(key, value)
+}
+
+func (s State) AddEnvf(key, value string, v ...interface{}) State {
+	return addEnvf(key, value, v...)(s)
+}
+
+func (s State) Dir(str string) State {
+	return s.Dirf(str)
+}
+func (s State) Dirf(str string, v ...interface{}) State {
+	return dirf(str, v...)(s)
+}
+
+func (s State) GetEnv(key string) (string, bool) {
+	return getEnv(s).Get(key)
+}
+
+func (s State) GetDir() string {
+	return getDir(s)
+}
+
+func (s State) GetArgs() []string {
+	return getArgs(s)
+}
+
+func (s State) Reset(s2 State) State {
+	return reset(s2)(s)
+}
+
+func (s State) User(v string) State {
+	return user(v)(s)
+}
+
+func (s State) Platform(p specs.Platform) State {
+	return platform(p)(s)
+}
+
+func (s State) GetPlatform() *specs.Platform {
+	return getPlatform(s)
+}
+
+func (s State) With(so ...StateOption) State {
+	for _, o := range so {
+		s = o(s)
+	}
+	return s
+}
+
+type output struct {
+	vertex   Vertex
+	getIndex func() (pb.OutputIndex, error)
+	err      error
+	platform *specs.Platform
+}
+
+func (o *output) ToInput(c *Constraints) (*pb.Input, error) {
+	if o.err != nil {
+		return nil, o.err
+	}
+	var index pb.OutputIndex
+	if o.getIndex != nil {
+		var err error
+		index, err = o.getIndex()
+		if err != nil {
+			return nil, err
+		}
+	}
+	dgst, _, _, err := o.vertex.Marshal(c)
+	if err != nil {
+		return nil, err
+	}
+	return &pb.Input{Digest: dgst, Index: index}, nil
+}
+
+func (o *output) Vertex() Vertex {
+	return o.vertex
+}
+
+func (o *output) Platform() *specs.Platform {
+	return o.platform
+}
+
+type ConstraintsOpt interface {
+	SetConstraintsOption(*Constraints)
+	RunOption
+	LocalOption
+	HTTPOption
+	ImageOption
+	GitOption
+}
+
+type constraintsOptFunc func(m *Constraints)
+
+func (fn constraintsOptFunc) SetConstraintsOption(m *Constraints) {
+	fn(m)
+}
+
+func (fn constraintsOptFunc) SetRunOption(ei *ExecInfo) {
+	ei.applyConstraints(fn)
+}
+
+func (fn constraintsOptFunc) SetLocalOption(li *LocalInfo) {
+	li.applyConstraints(fn)
+}
+
+func (fn constraintsOptFunc) SetHTTPOption(hi *HTTPInfo) {
+	hi.applyConstraints(fn)
+}
+
+func (fn constraintsOptFunc) SetImageOption(ii *ImageInfo) {
+	ii.applyConstraints(fn)
+}
+
+func (fn constraintsOptFunc) SetGitOption(gi *GitInfo) {
+	gi.applyConstraints(fn)
+}
+
+func mergeMetadata(m1, m2 pb.OpMetadata) pb.OpMetadata {
+	if m2.IgnoreCache {
+		m1.IgnoreCache = true
+	}
+	if len(m2.Description) > 0 {
+		if m1.Description == nil {
+			m1.Description = make(map[string]string)
+		}
+		for k, v := range m2.Description {
+			m1.Description[k] = v
+		}
+	}
+	if m2.ExportCache != nil {
+		m1.ExportCache = m2.ExportCache
+	}
+
+	return m1
+}
+
+var IgnoreCache = constraintsOptFunc(func(c *Constraints) {
+	c.Metadata.IgnoreCache = true
+})
+
+func WithDescription(m map[string]string) ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		c.Metadata.Description = m
+	})
+}
+
+// WithExportCache forces results for this vertex to be exported with the cache
+func WithExportCache() ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		c.Metadata.ExportCache = &pb.ExportCache{Value: true}
+	})
+}
+
+// WithoutExportCache sets results for this vertex to be not exported with
+// the cache
+func WithoutExportCache() ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		// ExportCache with value false means to disable exporting
+		c.Metadata.ExportCache = &pb.ExportCache{Value: false}
+	})
+}
+
+// WithoutDefaultExportCache resets the cache export for the vertex to use
+// the default defined by the build configuration.
+func WithoutDefaultExportCache() ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		// nil means no vertex based config has been set
+		c.Metadata.ExportCache = nil
+	})
+}
+
+type constraintsWrapper struct {
+	Constraints
+}
+
+func (cw *constraintsWrapper) applyConstraints(f func(c *Constraints)) {
+	f(&cw.Constraints)
+}
+
+type Constraints struct {
+	Platform          *specs.Platform
+	WorkerConstraints []string
+	Metadata          pb.OpMetadata
+	LocalUniqueID     string
+}
+
+func Platform(p specs.Platform) ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		c.Platform = &p
+	})
+}
+
+func LocalUniqueID(v string) ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		c.LocalUniqueID = v
+	})
+}
+
+var (
+	LinuxAmd64   = Platform(specs.Platform{OS: "linux", Architecture: "amd64"})
+	LinuxArmhf   = Platform(specs.Platform{OS: "linux", Architecture: "arm", Variant: "v7"})
+	LinuxArm     = LinuxArmhf
+	LinuxArmel   = Platform(specs.Platform{OS: "linux", Architecture: "arm", Variant: "v6"})
+	LinuxArm64   = Platform(specs.Platform{OS: "linux", Architecture: "arm64"})
+	LinuxS390x   = Platform(specs.Platform{OS: "linux", Architecture: "s390x"})
+	LinuxPpc64le = Platform(specs.Platform{OS: "linux", Architecture: "ppc64le"})
+	Darwin       = Platform(specs.Platform{OS: "darwin", Architecture: "amd64"})
+	Windows      = Platform(specs.Platform{OS: "windows", Architecture: "amd64"})
+)
+
+func Require(filters ...string) ConstraintsOpt {
+	return constraintsOptFunc(func(c *Constraints) {
+		for _, f := range filters {
+			c.WorkerConstraints = append(c.WorkerConstraints, f)
+		}
+	})
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/prune.go b/engine/vendor/github.com/moby/buildkit/client/prune.go
new file mode 100644
index 00000000..b3c1edcd
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/prune.go
@@ -0,0 +1,50 @@
+package client
+
+import (
+	"context"
+	"io"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/pkg/errors"
+)
+
+func (c *Client) Prune(ctx context.Context, ch chan UsageInfo, opts ...PruneOption) error {
+	info := &PruneInfo{}
+	for _, o := range opts {
+		o(info)
+	}
+
+	req := &controlapi.PruneRequest{}
+	cl, err := c.controlClient().Prune(ctx, req)
+	if err != nil {
+		return errors.Wrap(err, "failed to call prune")
+	}
+
+	for {
+		d, err := cl.Recv()
+		if err != nil {
+			if err == io.EOF {
+				return nil
+			}
+			return err
+		}
+		if ch != nil {
+			ch <- UsageInfo{
+				ID:          d.ID,
+				Mutable:     d.Mutable,
+				InUse:       d.InUse,
+				Size:        d.Size_,
+				Parent:      d.Parent,
+				CreatedAt:   d.CreatedAt,
+				Description: d.Description,
+				UsageCount:  int(d.UsageCount),
+				LastUsedAt:  d.LastUsedAt,
+			}
+		}
+	}
+}
+
+type PruneOption func(*PruneInfo)
+
+type PruneInfo struct {
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/solve.go b/engine/vendor/github.com/moby/buildkit/client/solve.go
new file mode 100644
index 00000000..972b6b3e
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/solve.go
@@ -0,0 +1,251 @@
+package client
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/filesync"
+	"github.com/moby/buildkit/session/grpchijack"
+	"github.com/moby/buildkit/solver/pb"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+)
+
+type SolveOpt struct {
+	Exporter          string
+	ExporterAttrs     map[string]string
+	ExporterOutput    io.WriteCloser // for ExporterOCI and ExporterDocker
+	ExporterOutputDir string         // for ExporterLocal
+	LocalDirs         map[string]string
+	SharedKey         string
+	Frontend          string
+	FrontendAttrs     map[string]string
+	ExportCache       string
+	ExportCacheAttrs  map[string]string
+	ImportCache       []string
+	Session           []session.Attachable
+}
+
+// Solve calls Solve on the controller.
+// def must be nil if (and only if) opt.Frontend is set.
+func (c *Client) Solve(ctx context.Context, def *llb.Definition, opt SolveOpt, statusChan chan *SolveStatus) (*SolveResponse, error) {
+	defer func() {
+		if statusChan != nil {
+			close(statusChan)
+		}
+	}()
+
+	if opt.Frontend == "" && def == nil {
+		return nil, errors.New("invalid empty definition")
+	}
+	if opt.Frontend != "" && def != nil {
+		return nil, errors.Errorf("invalid definition for frontend %s", opt.Frontend)
+	}
+
+	syncedDirs, err := prepareSyncedDirs(def, opt.LocalDirs)
+	if err != nil {
+		return nil, err
+	}
+
+	ref := identity.NewID()
+	eg, ctx := errgroup.WithContext(ctx)
+
+	statusContext, cancelStatus := context.WithCancel(context.Background())
+	defer cancelStatus()
+
+	if span := opentracing.SpanFromContext(ctx); span != nil {
+		statusContext = opentracing.ContextWithSpan(statusContext, span)
+	}
+
+	s, err := session.NewSession(statusContext, defaultSessionName(), opt.SharedKey)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create session")
+	}
+
+	if len(syncedDirs) > 0 {
+		s.Allow(filesync.NewFSSyncProvider(syncedDirs))
+	}
+
+	for _, a := range opt.Session {
+		s.Allow(a)
+	}
+
+	switch opt.Exporter {
+	case ExporterLocal:
+		if opt.ExporterOutput != nil {
+			return nil, errors.New("output file writer is not supported by local exporter")
+		}
+		if opt.ExporterOutputDir == "" {
+			return nil, errors.New("output directory is required for local exporter")
+		}
+		s.Allow(filesync.NewFSSyncTargetDir(opt.ExporterOutputDir))
+	case ExporterOCI, ExporterDocker:
+		if opt.ExporterOutputDir != "" {
+			return nil, errors.Errorf("output directory %s is not supported by %s exporter", opt.ExporterOutputDir, opt.Exporter)
+		}
+		if opt.ExporterOutput == nil {
+			return nil, errors.Errorf("output file writer is required for %s exporter", opt.Exporter)
+		}
+		s.Allow(filesync.NewFSSyncTarget(opt.ExporterOutput))
+	default:
+		if opt.ExporterOutput != nil {
+			return nil, errors.Errorf("output file writer is not supported by %s exporter", opt.Exporter)
+		}
+		if opt.ExporterOutputDir != "" {
+			return nil, errors.Errorf("output directory %s is not supported by %s exporter", opt.ExporterOutputDir, opt.Exporter)
+		}
+	}
+
+	eg.Go(func() error {
+		return s.Run(statusContext, grpchijack.Dialer(c.controlClient()))
+	})
+
+	var res *SolveResponse
+	eg.Go(func() error {
+		defer func() { // make sure the Status ends cleanly on build errors
+			go func() {
+				<-time.After(3 * time.Second)
+				cancelStatus()
+			}()
+			logrus.Debugf("stopping session")
+			s.Close()
+		}()
+		var pbd *pb.Definition
+		if def != nil {
+			pbd = def.ToPB()
+		}
+		resp, err := c.controlClient().Solve(ctx, &controlapi.SolveRequest{
+			Ref:           ref,
+			Definition:    pbd,
+			Exporter:      opt.Exporter,
+			ExporterAttrs: opt.ExporterAttrs,
+			Session:       s.ID(),
+			Frontend:      opt.Frontend,
+			FrontendAttrs: opt.FrontendAttrs,
+			Cache: controlapi.CacheOptions{
+				ExportRef:   opt.ExportCache,
+				ImportRefs:  opt.ImportCache,
+				ExportAttrs: opt.ExportCacheAttrs,
+			},
+		})
+		if err != nil {
+			return errors.Wrap(err, "failed to solve")
+		}
+		res = &SolveResponse{
+			ExporterResponse: resp.ExporterResponse,
+		}
+		return nil
+	})
+
+	eg.Go(func() error {
+		stream, err := c.controlClient().Status(statusContext, &controlapi.StatusRequest{
+			Ref: ref,
+		})
+		if err != nil {
+			return errors.Wrap(err, "failed to get status")
+		}
+		for {
+			resp, err := stream.Recv()
+			if err != nil {
+				if err == io.EOF {
+					return nil
+				}
+				return errors.Wrap(err, "failed to receive status")
+			}
+			s := SolveStatus{}
+			for _, v := range resp.Vertexes {
+				s.Vertexes = append(s.Vertexes, &Vertex{
+					Digest:    v.Digest,
+					Inputs:    v.Inputs,
+					Name:      v.Name,
+					Started:   v.Started,
+					Completed: v.Completed,
+					Error:     v.Error,
+					Cached:    v.Cached,
+				})
+			}
+			for _, v := range resp.Statuses {
+				s.Statuses = append(s.Statuses, &VertexStatus{
+					ID:        v.ID,
+					Vertex:    v.Vertex,
+					Name:      v.Name,
+					Total:     v.Total,
+					Current:   v.Current,
+					Timestamp: v.Timestamp,
+					Started:   v.Started,
+					Completed: v.Completed,
+				})
+			}
+			for _, v := range resp.Logs {
+				s.Logs = append(s.Logs, &VertexLog{
+					Vertex:    v.Vertex,
+					Stream:    int(v.Stream),
+					Data:      v.Msg,
+					Timestamp: v.Timestamp,
+				})
+			}
+			if statusChan != nil {
+				statusChan <- &s
+			}
+		}
+	})
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+	return res, nil
+}
+
+func prepareSyncedDirs(def *llb.Definition, localDirs map[string]string) ([]filesync.SyncedDir, error) {
+	for _, d := range localDirs {
+		fi, err := os.Stat(d)
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not find %s", d)
+		}
+		if !fi.IsDir() {
+			return nil, errors.Errorf("%s not a directory", d)
+		}
+	}
+	dirs := make([]filesync.SyncedDir, 0, len(localDirs))
+	if def == nil {
+		for name, d := range localDirs {
+			dirs = append(dirs, filesync.SyncedDir{Name: name, Dir: d})
+		}
+	} else {
+		for _, dt := range def.Def {
+			var op pb.Op
+			if err := (&op).Unmarshal(dt); err != nil {
+				return nil, errors.Wrap(err, "failed to parse llb proto op")
+			}
+			if src := op.GetSource(); src != nil {
+				if strings.HasPrefix(src.Identifier, "local://") { // TODO: just make a type property
+					name := strings.TrimPrefix(src.Identifier, "local://")
+					d, ok := localDirs[name]
+					if !ok {
+						return nil, errors.Errorf("local directory %s not enabled", name)
+					}
+					dirs = append(dirs, filesync.SyncedDir{Name: name, Dir: d}) // TODO: excludes
+				}
+			}
+		}
+	}
+	return dirs, nil
+}
+
+func defaultSessionName() string {
+	wd, err := os.Getwd()
+	if err != nil {
+		return "unknown"
+	}
+	return filepath.Base(wd)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/client/workers.go b/engine/vendor/github.com/moby/buildkit/client/workers.go
new file mode 100644
index 00000000..e70dcbc6
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/client/workers.go
@@ -0,0 +1,53 @@
+package client
+
+import (
+	"context"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/solver/pb"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+type WorkerInfo struct {
+	ID        string
+	Labels    map[string]string
+	Platforms []specs.Platform
+}
+
+func (c *Client) ListWorkers(ctx context.Context, opts ...ListWorkersOption) ([]*WorkerInfo, error) {
+	info := &ListWorkersInfo{}
+	for _, o := range opts {
+		o(info)
+	}
+
+	req := &controlapi.ListWorkersRequest{Filter: info.Filter}
+	resp, err := c.controlClient().ListWorkers(ctx, req)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to list workers")
+	}
+
+	var wi []*WorkerInfo
+
+	for _, w := range resp.Record {
+		wi = append(wi, &WorkerInfo{
+			ID:        w.ID,
+			Labels:    w.Labels,
+			Platforms: pb.ToSpecPlatforms(w.Platforms),
+		})
+	}
+
+	return wi, nil
+}
+
+type ListWorkersOption func(*ListWorkersInfo)
+
+type ListWorkersInfo struct {
+	Filter []string
+}
+
+func WithWorkerFilter(f []string) ListWorkersOption {
+	return func(wi *ListWorkersInfo) {
+		wi.Filter = f
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/control/control.go b/engine/vendor/github.com/moby/buildkit/control/control.go
new file mode 100644
index 00000000..b59c1eec
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/control/control.go
@@ -0,0 +1,304 @@
+package control
+
+import (
+	"context"
+
+	"github.com/docker/distribution/reference"
+	controlapi "github.com/moby/buildkit/api/services/control"
+	apitypes "github.com/moby/buildkit/api/types"
+	"github.com/moby/buildkit/cache/remotecache"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/exporter"
+	"github.com/moby/buildkit/frontend"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/grpchijack"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/llbsolver"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/worker"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+)
+
+type ResolveCacheExporterFunc func(ctx context.Context, typ, target string) (remotecache.Exporter, error)
+
+type Opt struct {
+	SessionManager           *session.Manager
+	WorkerController         *worker.Controller
+	Frontends                map[string]frontend.Frontend
+	CacheKeyStorage          solver.CacheKeyStorage
+	ResolveCacheExporterFunc remotecache.ResolveCacheExporterFunc
+	ResolveCacheImporterFunc remotecache.ResolveCacheImporterFunc
+}
+
+type Controller struct { // TODO: ControlService
+	opt    Opt
+	solver *llbsolver.Solver
+}
+
+func NewController(opt Opt) (*Controller, error) {
+	solver, err := llbsolver.New(opt.WorkerController, opt.Frontends, opt.CacheKeyStorage, opt.ResolveCacheImporterFunc)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create solver")
+	}
+
+	c := &Controller{
+		opt:    opt,
+		solver: solver,
+	}
+	return c, nil
+}
+
+func (c *Controller) Register(server *grpc.Server) error {
+	controlapi.RegisterControlServer(server, c)
+	return nil
+}
+
+func (c *Controller) DiskUsage(ctx context.Context, r *controlapi.DiskUsageRequest) (*controlapi.DiskUsageResponse, error) {
+	resp := &controlapi.DiskUsageResponse{}
+	workers, err := c.opt.WorkerController.List()
+	if err != nil {
+		return nil, err
+	}
+	for _, w := range workers {
+		du, err := w.DiskUsage(ctx, client.DiskUsageInfo{
+			Filter: r.Filter,
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		for _, r := range du {
+			resp.Record = append(resp.Record, &controlapi.UsageRecord{
+				// TODO: add worker info
+				ID:          r.ID,
+				Mutable:     r.Mutable,
+				InUse:       r.InUse,
+				Size_:       r.Size,
+				Parent:      r.Parent,
+				UsageCount:  int64(r.UsageCount),
+				Description: r.Description,
+				CreatedAt:   r.CreatedAt,
+				LastUsedAt:  r.LastUsedAt,
+			})
+		}
+	}
+	return resp, nil
+}
+
+func (c *Controller) Prune(req *controlapi.PruneRequest, stream controlapi.Control_PruneServer) error {
+	ch := make(chan client.UsageInfo)
+
+	eg, ctx := errgroup.WithContext(stream.Context())
+	workers, err := c.opt.WorkerController.List()
+	if err != nil {
+		return errors.Wrap(err, "failed to list workers for prune")
+	}
+
+	for _, w := range workers {
+		func(w worker.Worker) {
+			eg.Go(func() error {
+				return w.Prune(ctx, ch)
+			})
+		}(w)
+	}
+
+	eg2, _ := errgroup.WithContext(stream.Context())
+
+	eg2.Go(func() error {
+		defer close(ch)
+		return eg.Wait()
+	})
+
+	eg2.Go(func() error {
+		for r := range ch {
+			if err := stream.Send(&controlapi.UsageRecord{
+				// TODO: add worker info
+				ID:          r.ID,
+				Mutable:     r.Mutable,
+				InUse:       r.InUse,
+				Size_:       r.Size,
+				Parent:      r.Parent,
+				UsageCount:  int64(r.UsageCount),
+				Description: r.Description,
+				CreatedAt:   r.CreatedAt,
+				LastUsedAt:  r.LastUsedAt,
+			}); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+
+	return eg2.Wait()
+}
+
+func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*controlapi.SolveResponse, error) {
+	ctx = session.NewContext(ctx, req.Session)
+
+	var expi exporter.ExporterInstance
+	// TODO: multiworker
+	// This is actually tricky, as the exporter should come from the worker that has the returned reference. We may need to delay this so that the solver loads this.
+	w, err := c.opt.WorkerController.GetDefault()
+	if err != nil {
+		return nil, err
+	}
+	if req.Exporter != "" {
+		exp, err := w.Exporter(req.Exporter)
+		if err != nil {
+			return nil, err
+		}
+		expi, err = exp.Resolve(ctx, req.ExporterAttrs)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var cacheExporter remotecache.Exporter
+	if ref := req.Cache.ExportRef; ref != "" && c.opt.ResolveCacheExporterFunc != nil {
+		parsed, err := reference.ParseNormalizedNamed(ref)
+		if err != nil {
+			return nil, err
+		}
+		exportCacheRef := reference.TagNameOnly(parsed).String()
+		typ := "" // unimplemented yet (typically registry)
+		cacheExporter, err = c.opt.ResolveCacheExporterFunc(ctx, typ, exportCacheRef)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var importCacheRefs []string
+	for _, ref := range req.Cache.ImportRefs {
+		parsed, err := reference.ParseNormalizedNamed(ref)
+		if err != nil {
+			return nil, err
+		}
+		importCacheRefs = append(importCacheRefs, reference.TagNameOnly(parsed).String())
+	}
+
+	resp, err := c.solver.Solve(ctx, req.Ref, frontend.SolveRequest{
+		Frontend:        req.Frontend,
+		Definition:      req.Definition,
+		FrontendOpt:     req.FrontendAttrs,
+		ImportCacheRefs: importCacheRefs,
+	}, llbsolver.ExporterRequest{
+		Exporter:        expi,
+		CacheExporter:   cacheExporter,
+		CacheExportMode: parseCacheExporterOpt(req.Cache.ExportAttrs),
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &controlapi.SolveResponse{
+		ExporterResponse: resp.ExporterResponse,
+	}, nil
+}
+
+func (c *Controller) Status(req *controlapi.StatusRequest, stream controlapi.Control_StatusServer) error {
+	ch := make(chan *client.SolveStatus, 8)
+
+	eg, ctx := errgroup.WithContext(stream.Context())
+	eg.Go(func() error {
+		return c.solver.Status(ctx, req.Ref, ch)
+	})
+
+	eg.Go(func() error {
+		for {
+			ss, ok := <-ch
+			if !ok {
+				return nil
+			}
+			sr := controlapi.StatusResponse{}
+			for _, v := range ss.Vertexes {
+				sr.Vertexes = append(sr.Vertexes, &controlapi.Vertex{
+					Digest:    v.Digest,
+					Inputs:    v.Inputs,
+					Name:      v.Name,
+					Started:   v.Started,
+					Completed: v.Completed,
+					Error:     v.Error,
+					Cached:    v.Cached,
+				})
+			}
+			for _, v := range ss.Statuses {
+				sr.Statuses = append(sr.Statuses, &controlapi.VertexStatus{
+					ID:        v.ID,
+					Vertex:    v.Vertex,
+					Name:      v.Name,
+					Current:   v.Current,
+					Total:     v.Total,
+					Timestamp: v.Timestamp,
+					Started:   v.Started,
+					Completed: v.Completed,
+				})
+			}
+			for _, v := range ss.Logs {
+				sr.Logs = append(sr.Logs, &controlapi.VertexLog{
+					Vertex:    v.Vertex,
+					Stream:    int64(v.Stream),
+					Msg:       v.Data,
+					Timestamp: v.Timestamp,
+				})
+			}
+			if err := stream.SendMsg(&sr); err != nil {
+				return err
+			}
+		}
+	})
+
+	return eg.Wait()
+}
+
+func (c *Controller) Session(stream controlapi.Control_SessionServer) error {
+	logrus.Debugf("session started")
+	conn, closeCh, opts := grpchijack.Hijack(stream)
+	defer conn.Close()
+
+	ctx, cancel := context.WithCancel(stream.Context())
+	go func() {
+		<-closeCh
+		cancel()
+	}()
+
+	err := c.opt.SessionManager.HandleConn(ctx, conn, opts)
+	logrus.Debugf("session finished: %v", err)
+	return err
+}
+
+func (c *Controller) ListWorkers(ctx context.Context, r *controlapi.ListWorkersRequest) (*controlapi.ListWorkersResponse, error) {
+	resp := &controlapi.ListWorkersResponse{}
+	workers, err := c.opt.WorkerController.List(r.Filter...)
+	if err != nil {
+		return nil, err
+	}
+	for _, w := range workers {
+		resp.Record = append(resp.Record, &apitypes.WorkerRecord{
+			ID:        w.ID(),
+			Labels:    w.Labels(),
+			Platforms: pb.PlatformsFromSpec(w.Platforms()),
+		})
+	}
+	return resp, nil
+}
+
+func parseCacheExporterOpt(opt map[string]string) solver.CacheExportMode {
+	for k, v := range opt {
+		switch k {
+		case "mode":
+			switch v {
+			case "min":
+				return solver.CacheExportModeMin
+			case "max":
+				return solver.CacheExportModeMax
+			default:
+				logrus.Debugf("skipping incalid cache export mode: %s", v)
+			}
+		default:
+			logrus.Warnf("skipping invalid cache export opt: %s", v)
+		}
+	}
+	return solver.CacheExportModeMin
+}
diff --git a/engine/vendor/github.com/moby/buildkit/executor/executor.go b/engine/vendor/github.com/moby/buildkit/executor/executor.go
new file mode 100644
index 00000000..6c897926
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/executor/executor.go
@@ -0,0 +1,30 @@
+package executor
+
+import (
+	"context"
+	"io"
+
+	"github.com/moby/buildkit/cache"
+)
+
+type Meta struct {
+	Args           []string
+	Env            []string
+	User           string
+	Cwd            string
+	Tty            bool
+	ReadonlyRootFS bool
+	// DisableNetworking bool
+}
+
+type Mount struct {
+	Src      cache.Mountable
+	Selector string
+	Dest     string
+	Readonly bool
+}
+
+type Executor interface {
+	// TODO: add stdout/err
+	Exec(ctx context.Context, meta Meta, rootfs cache.Mountable, mounts []Mount, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error
+}
diff --git a/engine/vendor/github.com/moby/buildkit/executor/oci/hosts.go b/engine/vendor/github.com/moby/buildkit/executor/oci/hosts.go
new file mode 100644
index 00000000..b7be99cc
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/executor/oci/hosts.go
@@ -0,0 +1,38 @@
+package oci
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+const hostsContent = `
+127.0.0.1	localhost
+::1	localhost ip6-localhost ip6-loopback
+`
+
+func GetHostsFile(ctx context.Context, stateDir string) (string, error) {
+	p := filepath.Join(stateDir, "hosts")
+	_, err := g.Do(ctx, stateDir, func(ctx context.Context) (interface{}, error) {
+		_, err := os.Stat(p)
+		if err == nil {
+			return "", nil
+		}
+		if !os.IsNotExist(err) {
+			return "", err
+		}
+		if err := ioutil.WriteFile(p+".tmp", []byte(hostsContent), 0644); err != nil {
+			return "", err
+		}
+
+		if err := os.Rename(p+".tmp", p); err != nil {
+			return "", err
+		}
+		return "", nil
+	})
+	if err != nil {
+		return "", err
+	}
+	return p, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/executor/oci/mounts.go b/engine/vendor/github.com/moby/buildkit/executor/oci/mounts.go
new file mode 100644
index 00000000..a0fe8a9f
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/executor/oci/mounts.go
@@ -0,0 +1,68 @@
+package oci
+
+import (
+	"context"
+
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// MountOpts sets oci spec specific info for mount points
+type MountOpts func([]specs.Mount) []specs.Mount
+
+//GetMounts returns default required for buildkit
+// https://github.com/moby/buildkit/issues/429
+func GetMounts(ctx context.Context, mountOpts ...MountOpts) []specs.Mount {
+	mounts := []specs.Mount{
+		{
+			Destination: "/proc",
+			Type:        "proc",
+			Source:      "proc",
+		},
+		{
+			Destination: "/dev",
+			Type:        "tmpfs",
+			Source:      "tmpfs",
+			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+		},
+		{
+			Destination: "/dev/pts",
+			Type:        "devpts",
+			Source:      "devpts",
+			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
+		},
+		{
+			Destination: "/dev/shm",
+			Type:        "tmpfs",
+			Source:      "shm",
+			Options:     []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
+		},
+		{
+			Destination: "/dev/mqueue",
+			Type:        "mqueue",
+			Source:      "mqueue",
+			Options:     []string{"nosuid", "noexec", "nodev"},
+		},
+		{
+			Destination: "/sys",
+			Type:        "sysfs",
+			Source:      "sysfs",
+			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
+		},
+	}
+	for _, o := range mountOpts {
+		mounts = o(mounts)
+	}
+	return mounts
+}
+
+func withROBind(src, dest string) func(m []specs.Mount) []specs.Mount {
+	return func(m []specs.Mount) []specs.Mount {
+		m = append(m, specs.Mount{
+			Destination: dest,
+			Type:        "bind",
+			Source:      src,
+			Options:     []string{"rbind", "ro"},
+		})
+		return m
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/executor/oci/resolvconf.go b/engine/vendor/github.com/moby/buildkit/executor/oci/resolvconf.go
new file mode 100644
index 00000000..f22eceed
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/executor/oci/resolvconf.go
@@ -0,0 +1,81 @@
+package oci
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/libnetwork/resolvconf"
+	"github.com/moby/buildkit/util/flightcontrol"
+)
+
+var g flightcontrol.Group
+var notFirstRun bool
+var lastNotEmpty bool
+
+func GetResolvConf(ctx context.Context, stateDir string) (string, error) {
+	p := filepath.Join(stateDir, "resolv.conf")
+	_, err := g.Do(ctx, stateDir, func(ctx context.Context) (interface{}, error) {
+		generate := !notFirstRun
+		notFirstRun = true
+
+		if !generate {
+			fi, err := os.Stat(p)
+			if err != nil {
+				if !os.IsNotExist(err) {
+					return "", err
+				}
+				generate = true
+			}
+			if !generate {
+				fiMain, err := os.Stat("/etc/resolv.conf")
+				if err != nil {
+					if !os.IsNotExist(err) {
+						return nil, err
+					}
+					if lastNotEmpty {
+						generate = true
+						lastNotEmpty = false
+					}
+				} else {
+					if fi.ModTime().Before(fiMain.ModTime()) {
+						generate = true
+					}
+				}
+			}
+		}
+
+		if !generate {
+			return "", nil
+		}
+
+		var dt []byte
+		f, err := resolvconf.Get()
+		if err != nil {
+			if !os.IsNotExist(err) {
+				return "", err
+			}
+		} else {
+			dt = f.Content
+		}
+
+		f, err = resolvconf.FilterResolvDNS(dt, true)
+		if err != nil {
+			return "", err
+		}
+
+		if err := ioutil.WriteFile(p+".tmp", f.Content, 0644); err != nil {
+			return "", err
+		}
+
+		if err := os.Rename(p+".tmp", p); err != nil {
+			return "", err
+		}
+		return "", nil
+	})
+	if err != nil {
+		return "", err
+	}
+	return p, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/executor/oci/spec_unix.go b/engine/vendor/github.com/moby/buildkit/executor/oci/spec_unix.go
new file mode 100644
index 00000000..c628b5ca
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/executor/oci/spec_unix.go
@@ -0,0 +1,163 @@
+// +build !windows
+
+package oci
+
+import (
+	"context"
+	"path"
+	"sync"
+
+	"github.com/containerd/containerd/containers"
+	"github.com/containerd/containerd/mount"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/oci"
+	"github.com/mitchellh/hashstructure"
+	"github.com/moby/buildkit/executor"
+	"github.com/moby/buildkit/snapshot"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+)
+
+// Ideally we don't have to import whole containerd just for the default spec
+
+// GenerateSpec generates spec using containerd functionality.
+func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mount, id, resolvConf, hostsFile string, opts ...oci.SpecOpts) (*specs.Spec, func(), error) {
+	c := &containers.Container{
+		ID: id,
+	}
+	_, ok := namespaces.Namespace(ctx)
+	if !ok {
+		ctx = namespaces.WithNamespace(ctx, "buildkit")
+	}
+
+	opts = append(opts,
+		oci.WithHostNamespace(specs.NetworkNamespace),
+	)
+
+	// Note that containerd.GenerateSpec is namespaced so as to make
+	// specs.Linux.CgroupsPath namespaced
+	s, err := oci.GenerateSpec(ctx, nil, c, opts...)
+	if err != nil {
+		return nil, nil, err
+	}
+	s.Process.Args = meta.Args
+	s.Process.Env = meta.Env
+	s.Process.Cwd = meta.Cwd
+
+	s.Mounts = GetMounts(ctx,
+		withROBind(resolvConf, "/etc/resolv.conf"),
+		withROBind(hostsFile, "/etc/hosts"),
+	)
+	// TODO: User
+
+	sm := &submounts{}
+
+	var releasers []func() error
+	releaseAll := func() {
+		sm.cleanup()
+		for _, f := range releasers {
+			f()
+		}
+	}
+
+	for _, m := range mounts {
+		if m.Src == nil {
+			return nil, nil, errors.Errorf("mount %s has no source", m.Dest)
+		}
+		mountable, err := m.Src.Mount(ctx, m.Readonly)
+		if err != nil {
+			releaseAll()
+			return nil, nil, errors.Wrapf(err, "failed to mount %s", m.Dest)
+		}
+		mounts, err := mountable.Mount()
+		if err != nil {
+			releaseAll()
+			return nil, nil, errors.WithStack(err)
+		}
+		releasers = append(releasers, mountable.Release)
+		for _, mount := range mounts {
+			mount, err = sm.subMount(mount, m.Selector)
+			if err != nil {
+				releaseAll()
+				return nil, nil, err
+			}
+			s.Mounts = append(s.Mounts, specs.Mount{
+				Destination: m.Dest,
+				Type:        mount.Type,
+				Source:      mount.Source,
+				Options:     mount.Options,
+			})
+		}
+	}
+
+	return s, releaseAll, nil
+}
+
+type mountRef struct {
+	mount   mount.Mount
+	unmount func() error
+}
+
+type submounts struct {
+	m map[uint64]mountRef
+}
+
+func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error) {
+	if path.Join("/", subPath) == "/" {
+		return m, nil
+	}
+	if s.m == nil {
+		s.m = map[uint64]mountRef{}
+	}
+	h, err := hashstructure.Hash(m, nil)
+	if err != nil {
+		return mount.Mount{}, nil
+	}
+	if mr, ok := s.m[h]; ok {
+		return sub(mr.mount, subPath), nil
+	}
+
+	lm := snapshot.LocalMounterWithMounts([]mount.Mount{m})
+
+	mp, err := lm.Mount()
+	if err != nil {
+		return mount.Mount{}, err
+	}
+
+	opts := []string{"rbind"}
+	for _, opt := range m.Options {
+		if opt == "ro" {
+			opts = append(opts, opt)
+		}
+	}
+
+	s.m[h] = mountRef{
+		mount: mount.Mount{
+			Source:  mp,
+			Type:    "bind",
+			Options: opts,
+		},
+		unmount: lm.Unmount,
+	}
+
+	return sub(s.m[h].mount, subPath), nil
+}
+
+func (s *submounts) cleanup() {
+	var wg sync.WaitGroup
+	wg.Add(len(s.m))
+	for _, m := range s.m {
+		func(m mountRef) {
+			go func() {
+				m.unmount()
+				wg.Done()
+			}()
+		}(m)
+	}
+	wg.Wait()
+}
+
+func sub(m mount.Mount, subPath string) mount.Mount {
+	m.Source = path.Join(m.Source, subPath)
+	return m
+}
diff --git a/engine/vendor/github.com/moby/buildkit/executor/oci/user.go b/engine/vendor/github.com/moby/buildkit/executor/oci/user.go
new file mode 100644
index 00000000..ac5dbebd
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/executor/oci/user.go
@@ -0,0 +1,107 @@
+package oci
+
+import (
+	"context"
+	"errors"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/containerd/containerd/containers"
+	containerdoci "github.com/containerd/containerd/oci"
+	"github.com/containerd/continuity/fs"
+	"github.com/opencontainers/runc/libcontainer/user"
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func GetUser(ctx context.Context, root, username string) (uint32, uint32, []uint32, error) {
+	// fast path from uid/gid
+	if uid, gid, err := ParseUIDGID(username); err == nil {
+		return uid, gid, nil, nil
+	}
+
+	passwdPath, err := user.GetPasswdPath()
+	if err != nil {
+		return 0, 0, nil, err
+	}
+	groupPath, err := user.GetGroupPath()
+	if err != nil {
+		return 0, 0, nil, err
+	}
+	passwdFile, err := openUserFile(root, passwdPath)
+	if err == nil {
+		defer passwdFile.Close()
+	}
+	groupFile, err := openUserFile(root, groupPath)
+	if err == nil {
+		defer groupFile.Close()
+	}
+
+	execUser, err := user.GetExecUser(username, nil, passwdFile, groupFile)
+	if err != nil {
+		return 0, 0, nil, err
+	}
+	var sgids []uint32
+	for _, g := range execUser.Sgids {
+		sgids = append(sgids, uint32(g))
+	}
+	return uint32(execUser.Uid), uint32(execUser.Gid), sgids, nil
+}
+
+// ParseUIDGID takes the fast path to parse UID and GID if and only if they are both provided
+func ParseUIDGID(str string) (uid uint32, gid uint32, err error) {
+	if str == "" {
+		return 0, 0, nil
+	}
+	parts := strings.SplitN(str, ":", 2)
+	if len(parts) == 1 {
+		return 0, 0, errors.New("groups ID is not provided")
+	}
+	if uid, err = parseUID(parts[0]); err != nil {
+		return 0, 0, err
+	}
+	if gid, err = parseUID(parts[1]); err != nil {
+		return 0, 0, err
+	}
+	return
+}
+
+func openUserFile(root, p string) (*os.File, error) {
+	p, err := fs.RootPath(root, p)
+	if err != nil {
+		return nil, err
+	}
+	return os.Open(p)
+}
+
+func parseUID(str string) (uint32, error) {
+	if str == "root" {
+		return 0, nil
+	}
+	uid, err := strconv.ParseUint(str, 10, 32)
+	if err != nil {
+		return 0, err
+	}
+	return uint32(uid), nil
+}
+
+// WithUIDGID allows the UID and GID for the Process to be set
+// FIXME: This is a temporeray fix for the missing supplementary GIDs from containerd
+// once the PR in containerd is merged we should remove this function.
+func WithUIDGID(uid, gid uint32, sgids []uint32) containerdoci.SpecOpts {
+	return func(_ context.Context, _ containerdoci.Client, _ *containers.Container, s *containerdoci.Spec) error {
+		setProcess(s)
+		s.Process.User.UID = uid
+		s.Process.User.GID = gid
+		s.Process.User.AdditionalGids = sgids
+		return nil
+	}
+}
+
+// setProcess sets Process to empty if unset
+// FIXME: Same on this one. Need to be removed after containerd fix merged
+func setProcess(s *containerdoci.Spec) {
+	if s.Process == nil {
+		s.Process = &specs.Process{}
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go b/engine/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go
new file mode 100644
index 00000000..5225d5fc
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/executor/runcexecutor/executor.go
@@ -0,0 +1,247 @@
+package runcexecutor
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/containerd/containerd/contrib/seccomp"
+	"github.com/containerd/containerd/mount"
+	containerdoci "github.com/containerd/containerd/oci"
+	"github.com/containerd/continuity/fs"
+	runc "github.com/containerd/go-runc"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/executor"
+	"github.com/moby/buildkit/executor/oci"
+	"github.com/moby/buildkit/identity"
+	rootlessspecconv "github.com/moby/buildkit/util/rootless/specconv"
+	"github.com/moby/buildkit/util/system"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type Opt struct {
+	// root directory
+	Root              string
+	CommandCandidates []string
+	// without root privileges (has nothing to do with Opt.Root directory)
+	Rootless bool
+}
+
+var defaultCommandCandidates = []string{"buildkit-runc", "runc"}
+
+type runcExecutor struct {
+	runc     *runc.Runc
+	root     string
+	cmd      string
+	rootless bool
+}
+
+func New(opt Opt) (executor.Executor, error) {
+	cmds := opt.CommandCandidates
+	if cmds == nil {
+		cmds = defaultCommandCandidates
+	}
+
+	var cmd string
+	var found bool
+	for _, cmd = range cmds {
+		if _, err := exec.LookPath(cmd); err == nil {
+			found = true
+			break
+		}
+	}
+	if !found {
+		return nil, errors.Errorf("failed to find %s binary", cmd)
+	}
+
+	root := opt.Root
+
+	if err := os.MkdirAll(root, 0700); err != nil {
+		return nil, errors.Wrapf(err, "failed to create %s", root)
+	}
+
+	root, err := filepath.Abs(root)
+	if err != nil {
+		return nil, err
+	}
+	root, err = filepath.EvalSymlinks(root)
+	if err != nil {
+		return nil, err
+	}
+
+	runtime := &runc.Runc{
+		Command:      cmd,
+		Log:          filepath.Join(root, "runc-log.json"),
+		LogFormat:    runc.JSON,
+		PdeathSignal: syscall.SIGKILL,
+		Setpgid:      true,
+		// we don't execute runc with --rootless=(true|false) explicitly,
+		// so as to support non-runc runtimes
+	}
+
+	w := &runcExecutor{
+		runc:     runtime,
+		root:     root,
+		rootless: opt.Rootless,
+	}
+	return w, nil
+}
+
+func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.Mountable, mounts []executor.Mount, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error {
+
+	resolvConf, err := oci.GetResolvConf(ctx, w.root)
+	if err != nil {
+		return err
+	}
+
+	hostsFile, err := oci.GetHostsFile(ctx, w.root)
+	if err != nil {
+		return err
+	}
+
+	mountable, err := root.Mount(ctx, false)
+	if err != nil {
+		return err
+	}
+
+	rootMount, err := mountable.Mount()
+	if err != nil {
+		return err
+	}
+	defer mountable.Release()
+
+	id := identity.NewID()
+	bundle := filepath.Join(w.root, id)
+
+	if err := os.Mkdir(bundle, 0700); err != nil {
+		return err
+	}
+	defer os.RemoveAll(bundle)
+	rootFSPath := filepath.Join(bundle, "rootfs")
+	if err := os.Mkdir(rootFSPath, 0700); err != nil {
+		return err
+	}
+	if err := mount.All(rootMount, rootFSPath); err != nil {
+		return err
+	}
+	defer mount.Unmount(rootFSPath, 0)
+
+	uid, gid, sgids, err := oci.GetUser(ctx, rootFSPath, meta.User)
+	if err != nil {
+		return err
+	}
+
+	f, err := os.Create(filepath.Join(bundle, "config.json"))
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	opts := []containerdoci.SpecOpts{oci.WithUIDGID(uid, gid, sgids)}
+	if system.SeccompSupported() {
+		opts = append(opts, seccomp.WithDefaultProfile())
+	}
+	if meta.ReadonlyRootFS {
+		opts = append(opts, containerdoci.WithRootFSReadonly())
+	}
+	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, opts...)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	spec.Root.Path = rootFSPath
+	if _, ok := root.(cache.ImmutableRef); ok { // TODO: pass in with mount, not ref type
+		spec.Root.Readonly = true
+	}
+
+	newp, err := fs.RootPath(rootFSPath, meta.Cwd)
+	if err != nil {
+		return errors.Wrapf(err, "working dir %s points to invalid target", newp)
+	}
+	if err := os.MkdirAll(newp, 0700); err != nil {
+		return errors.Wrapf(err, "failed to create working directory %s", newp)
+	}
+
+	if err := setOOMScoreAdj(spec); err != nil {
+		return err
+	}
+	if w.rootless {
+		if err := rootlessspecconv.ToRootless(spec); err != nil {
+			return err
+		}
+	}
+
+	if err := json.NewEncoder(f).Encode(spec); err != nil {
+		return err
+	}
+
+	logrus.Debugf("> running %s %v", id, meta.Args)
+
+	status, err := w.runc.Run(ctx, id, bundle, &runc.CreateOpts{
+		IO: &forwardIO{stdin: stdin, stdout: stdout, stderr: stderr},
+	})
+	logrus.Debugf("< completed %s %v %v", id, status, err)
+	if status != 0 {
+		select {
+		case <-ctx.Done():
+			// runc can't report context.Cancelled directly
+			return errors.Wrapf(ctx.Err(), "exit code %d", status)
+		default:
+		}
+		return errors.Errorf("exit code %d", status)
+	}
+
+	return err
+}
+
+type forwardIO struct {
+	stdin          io.ReadCloser
+	stdout, stderr io.WriteCloser
+}
+
+func (s *forwardIO) Close() error {
+	return nil
+}
+
+func (s *forwardIO) Set(cmd *exec.Cmd) {
+	cmd.Stdin = s.stdin
+	cmd.Stdout = s.stdout
+	cmd.Stderr = s.stderr
+}
+
+func (s *forwardIO) Stdin() io.WriteCloser {
+	return nil
+}
+
+func (s *forwardIO) Stdout() io.ReadCloser {
+	return nil
+}
+
+func (s *forwardIO) Stderr() io.ReadCloser {
+	return nil
+}
+
+// setOOMScoreAdj comes from https://github.com/genuinetools/img/blob/2fabe60b7dc4623aa392b515e013bbc69ad510ab/executor/runc/executor.go#L182-L192
+func setOOMScoreAdj(spec *specs.Spec) error {
+	// Set the oom_score_adj of our children containers to that of the current process.
+	b, err := ioutil.ReadFile("/proc/self/oom_score_adj")
+	if err != nil {
+		return errors.Wrap(err, "failed to read /proc/self/oom_score_adj")
+	}
+	s := strings.TrimSpace(string(b))
+	oom, err := strconv.Atoi(s)
+	if err != nil {
+		return errors.Wrapf(err, "failed to parse %s as int", s)
+	}
+	spec.Process.OOMScoreAdj = &oom
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/exporter/exporter.go b/engine/vendor/github.com/moby/buildkit/exporter/exporter.go
new file mode 100644
index 00000000..48c6a3bc
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/exporter/exporter.go
@@ -0,0 +1,16 @@
+package exporter
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/cache"
+)
+
+type Exporter interface {
+	Resolve(context.Context, map[string]string) (ExporterInstance, error)
+}
+
+type ExporterInstance interface {
+	Name() string
+	Export(context.Context, cache.ImmutableRef, map[string][]byte) (map[string]string, error)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/builder/build.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/builder/build.go
new file mode 100644
index 00000000..947eef43
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/builder/build.go
@@ -0,0 +1,310 @@
+package builder
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"encoding/json"
+	"regexp"
+	"strings"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/docker/builder/dockerignore"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb"
+	"github.com/moby/buildkit/frontend/gateway/client"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+const (
+	LocalNameContext      = "context"
+	LocalNameDockerfile   = "dockerfile"
+	keyTarget             = "target"
+	keyFilename           = "filename"
+	keyCacheFrom          = "cache-from"
+	exporterImageConfig   = "containerimage.config"
+	defaultDockerfileName = "Dockerfile"
+	dockerignoreFilename  = ".dockerignore"
+	buildArgPrefix        = "build-arg:"
+	labelPrefix           = "label:"
+	keyNoCache            = "no-cache"
+	keyTargetPlatform     = "platform"
+)
+
+var httpPrefix = regexp.MustCompile("^https?://")
+var gitUrlPathWithFragmentSuffix = regexp.MustCompile("\\.git(?:#.+)?$")
+
+func Build(ctx context.Context, c client.Client) (*client.Result, error) {
+	opts := c.BuildOpts().Opts
+
+	defaultBuildPlatform := platforms.DefaultSpec()
+	if workers := c.BuildOpts().Workers; len(workers) > 0 && len(workers[0].Platforms) > 0 {
+		defaultBuildPlatform = workers[0].Platforms[0]
+	}
+
+	buildPlatforms := []specs.Platform{defaultBuildPlatform}
+	targetPlatform := platforms.DefaultSpec()
+	if v := opts[keyTargetPlatform]; v != "" {
+		var err error
+		targetPlatform, err = platforms.Parse(v)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to parse target platform %s", v)
+		}
+	}
+
+	filename := opts[keyFilename]
+	if filename == "" {
+		filename = defaultDockerfileName
+	}
+
+	var ignoreCache []string
+	if v, ok := opts[keyNoCache]; ok {
+		if v == "" {
+			ignoreCache = []string{} // means all stages
+		} else {
+			ignoreCache = strings.Split(v, ",")
+		}
+	}
+
+	src := llb.Local(LocalNameDockerfile,
+		llb.IncludePatterns([]string{filename}),
+		llb.SessionID(c.BuildOpts().SessionID),
+		llb.SharedKeyHint(defaultDockerfileName),
+	)
+	var buildContext *llb.State
+	isScratchContext := false
+	if st, ok := detectGitContext(opts[LocalNameContext]); ok {
+		src = *st
+		buildContext = &src
+	} else if httpPrefix.MatchString(opts[LocalNameContext]) {
+		httpContext := llb.HTTP(opts[LocalNameContext], llb.Filename("context"))
+		def, err := httpContext.Marshal()
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to marshal httpcontext")
+		}
+		res, err := c.Solve(ctx, client.SolveRequest{
+			Definition: def.ToPB(),
+		})
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to resolve httpcontext")
+		}
+
+		ref, err := res.SingleRef()
+		if err != nil {
+			return nil, err
+		}
+
+		dt, err := ref.ReadFile(ctx, client.ReadRequest{
+			Filename: "context",
+			Range: &client.FileRange{
+				Length: 1024,
+			},
+		})
+		if err != nil {
+			return nil, errors.Errorf("failed to read downloaded context")
+		}
+		if isArchive(dt) {
+			unpack := llb.Image(dockerfile2llb.CopyImage).
+				Run(llb.Shlex("copy --unpack /src/context /out/"), llb.ReadonlyRootFS())
+			unpack.AddMount("/src", httpContext, llb.Readonly)
+			src = unpack.AddMount("/out", llb.Scratch())
+			buildContext = &src
+		} else {
+			filename = "context"
+			src = httpContext
+			buildContext = &src
+			isScratchContext = true
+		}
+	}
+
+	def, err := src.Marshal()
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to marshal local source")
+	}
+
+	eg, ctx2 := errgroup.WithContext(ctx)
+	var dtDockerfile []byte
+	eg.Go(func() error {
+		res, err := c.Solve(ctx2, client.SolveRequest{
+			Definition: def.ToPB(),
+		})
+		if err != nil {
+			return errors.Wrapf(err, "failed to resolve dockerfile")
+		}
+
+		ref, err := res.SingleRef()
+		if err != nil {
+			return err
+		}
+
+		dtDockerfile, err = ref.ReadFile(ctx2, client.ReadRequest{
+			Filename: filename,
+		})
+		if err != nil {
+			return errors.Wrapf(err, "failed to read dockerfile")
+		}
+		return nil
+	})
+	var excludes []string
+	if !isScratchContext {
+		eg.Go(func() error {
+			dockerignoreState := buildContext
+			if dockerignoreState == nil {
+				st := llb.Local(LocalNameContext,
+					llb.SessionID(c.BuildOpts().SessionID),
+					llb.IncludePatterns([]string{dockerignoreFilename}),
+					llb.SharedKeyHint(dockerignoreFilename),
+				)
+				dockerignoreState = &st
+			}
+			def, err := dockerignoreState.Marshal()
+			if err != nil {
+				return err
+			}
+			res, err := c.Solve(ctx2, client.SolveRequest{
+				Definition: def.ToPB(),
+			})
+			if err != nil {
+				return err
+			}
+			ref, err := res.SingleRef()
+			if err != nil {
+				return err
+			}
+			dtDockerignore, err := ref.ReadFile(ctx2, client.ReadRequest{
+				Filename: dockerignoreFilename,
+			})
+			if err == nil {
+				excludes, err = dockerignore.ReadAll(bytes.NewBuffer(dtDockerignore))
+				if err != nil {
+					return errors.Wrap(err, "failed to parse dockerignore")
+				}
+			}
+			return nil
+		})
+	}
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+
+	if _, ok := opts["cmdline"]; !ok {
+		ref, cmdline, ok := dockerfile2llb.DetectSyntax(bytes.NewBuffer(dtDockerfile))
+		if ok {
+			return forwardGateway(ctx, c, ref, cmdline)
+		}
+	}
+
+	st, img, err := dockerfile2llb.Dockerfile2LLB(ctx, dtDockerfile, dockerfile2llb.ConvertOpt{
+		Target:         opts[keyTarget],
+		MetaResolver:   c,
+		BuildArgs:      filter(opts, buildArgPrefix),
+		Labels:         filter(opts, labelPrefix),
+		SessionID:      c.BuildOpts().SessionID,
+		BuildContext:   buildContext,
+		Excludes:       excludes,
+		IgnoreCache:    ignoreCache,
+		TargetPlatform: &targetPlatform,
+		BuildPlatforms: buildPlatforms,
+	})
+
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to create LLB definition")
+	}
+
+	def, err = st.Marshal()
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to marshal LLB definition")
+	}
+
+	config, err := json.Marshal(img)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to marshal image config")
+	}
+
+	var cacheFrom []string
+	if cacheFromStr := opts[keyCacheFrom]; cacheFromStr != "" {
+		cacheFrom = strings.Split(cacheFromStr, ",")
+	}
+
+	res, err := c.Solve(ctx, client.SolveRequest{
+		Definition:      def.ToPB(),
+		ImportCacheRefs: cacheFrom,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	res.AddMeta(exporterImageConfig, config)
+
+	return res, nil
+}
+
+func forwardGateway(ctx context.Context, c client.Client, ref string, cmdline string) (*client.Result, error) {
+	opts := c.BuildOpts().Opts
+	if opts == nil {
+		opts = map[string]string{}
+	}
+	opts["cmdline"] = cmdline
+	opts["source"] = ref
+	return c.Solve(ctx, client.SolveRequest{
+		Frontend:    "gateway.v0",
+		FrontendOpt: opts,
+	})
+}
+
+func filter(opt map[string]string, key string) map[string]string {
+	m := map[string]string{}
+	for k, v := range opt {
+		if strings.HasPrefix(k, key) {
+			m[strings.TrimPrefix(k, key)] = v
+		}
+	}
+	return m
+}
+
+func detectGitContext(ref string) (*llb.State, bool) {
+	found := false
+	if httpPrefix.MatchString(ref) && gitUrlPathWithFragmentSuffix.MatchString(ref) {
+		found = true
+	}
+
+	for _, prefix := range []string{"git://", "github.com/", "git@"} {
+		if strings.HasPrefix(ref, prefix) {
+			found = true
+			break
+		}
+	}
+	if !found {
+		return nil, false
+	}
+
+	parts := strings.SplitN(ref, "#", 2)
+	branch := ""
+	if len(parts) > 1 {
+		branch = parts[1]
+	}
+	st := llb.Git(parts[0], branch)
+	return &st, true
+}
+
+func isArchive(header []byte) bool {
+	for _, m := range [][]byte{
+		{0x42, 0x5A, 0x68},                   // bzip2
+		{0x1F, 0x8B, 0x08},                   // gzip
+		{0xFD, 0x37, 0x7A, 0x58, 0x5A, 0x00}, // xz
+	} {
+		if len(header) < len(m) {
+			continue
+		}
+		if bytes.Equal(m, header[:len(m)]) {
+			return true
+		}
+	}
+
+	r := tar.NewReader(bytes.NewBuffer(header))
+	_, err := r.Next()
+	return err == nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/command/command.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/command/command.go
new file mode 100644
index 00000000..f23c6874
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/command/command.go
@@ -0,0 +1,46 @@
+// Package command contains the set of Dockerfile commands.
+package command
+
+// Define constants for the command strings
+const (
+	Add         = "add"
+	Arg         = "arg"
+	Cmd         = "cmd"
+	Copy        = "copy"
+	Entrypoint  = "entrypoint"
+	Env         = "env"
+	Expose      = "expose"
+	From        = "from"
+	Healthcheck = "healthcheck"
+	Label       = "label"
+	Maintainer  = "maintainer"
+	Onbuild     = "onbuild"
+	Run         = "run"
+	Shell       = "shell"
+	StopSignal  = "stopsignal"
+	User        = "user"
+	Volume      = "volume"
+	Workdir     = "workdir"
+)
+
+// Commands is list of all Dockerfile commands
+var Commands = map[string]struct{}{
+	Add:         {},
+	Arg:         {},
+	Cmd:         {},
+	Copy:        {},
+	Entrypoint:  {},
+	Env:         {},
+	Expose:      {},
+	From:        {},
+	Healthcheck: {},
+	Label:       {},
+	Maintainer:  {},
+	Onbuild:     {},
+	Run:         {},
+	Shell:       {},
+	StopSignal:  {},
+	User:        {},
+	Volume:      {},
+	Workdir:     {},
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go
new file mode 100644
index 00000000..983672f6
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert.go
@@ -0,0 +1,1030 @@
+package dockerfile2llb
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/url"
+	"path"
+	"path/filepath"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/pkg/signal"
+	"github.com/docker/go-connections/nat"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/client/llb/imagemetaresolver"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/moby/buildkit/frontend/dockerfile/parser"
+	"github.com/moby/buildkit/frontend/dockerfile/shell"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+const (
+	emptyImageName   = "scratch"
+	localNameContext = "context"
+	historyComment   = "buildkit.dockerfile.v0"
+
+	CopyImage = "tonistiigi/copy:v0.1.3@sha256:e57a3b4d6240f55bac26b655d2cfb751f8b9412d6f7bb1f787e946391fb4b21b"
+)
+
+type ConvertOpt struct {
+	Target       string
+	MetaResolver llb.ImageMetaResolver
+	BuildArgs    map[string]string
+	Labels       map[string]string
+	SessionID    string
+	BuildContext *llb.State
+	Excludes     []string
+	// IgnoreCache contains names of the stages that should not use build cache.
+	// Empty slice means ignore cache for all stages. Nil doesn't disable cache.
+	IgnoreCache []string
+	// CacheIDNamespace scopes the IDs for different cache mounts
+	CacheIDNamespace string
+	TargetPlatform   *specs.Platform
+	BuildPlatforms   []specs.Platform
+}
+
+func Dockerfile2LLB(ctx context.Context, dt []byte, opt ConvertOpt) (*llb.State, *Image, error) {
+	if len(dt) == 0 {
+		return nil, nil, errors.Errorf("the Dockerfile cannot be empty")
+	}
+
+	if opt.TargetPlatform != nil && opt.BuildPlatforms == nil {
+		opt.BuildPlatforms = []specs.Platform{*opt.TargetPlatform}
+	}
+	if len(opt.BuildPlatforms) == 0 {
+		opt.BuildPlatforms = []specs.Platform{platforms.DefaultSpec()}
+	}
+	implicitTargetPlatform := false
+	if opt.TargetPlatform == nil {
+		implicitTargetPlatform = true
+		opt.TargetPlatform = &opt.BuildPlatforms[0]
+	}
+
+	dockerfile, err := parser.Parse(bytes.NewReader(dt))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	proxyEnv := proxyEnvFromBuildArgs(opt.BuildArgs)
+
+	stages, metaArgs, err := instructions.Parse(dockerfile.AST)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	optMetaArgs := []instructions.KeyValuePairOptional{}
+	for _, metaArg := range metaArgs {
+		optMetaArgs = append(optMetaArgs, setKVValue(metaArg.KeyValuePairOptional, opt.BuildArgs))
+	}
+
+	shlex := shell.NewLex(dockerfile.EscapeToken)
+
+	metaResolver := opt.MetaResolver
+	if metaResolver == nil {
+		metaResolver = imagemetaresolver.Default()
+	}
+
+	allDispatchStates := newDispatchStates()
+
+	// set base state for every image
+	for _, st := range stages {
+		name, err := shlex.ProcessWord(st.BaseName, toEnvList(optMetaArgs, nil))
+		if err != nil {
+			return nil, nil, err
+		}
+		if name == "" {
+			return nil, nil, errors.Errorf("base name (%s) should not be blank", st.BaseName)
+		}
+		st.BaseName = name
+
+		ds := &dispatchState{
+			stage:    st,
+			deps:     make(map[*dispatchState]struct{}),
+			ctxPaths: make(map[string]struct{}),
+		}
+
+		if v := st.Platform; v != "" {
+			v, err := shlex.ProcessWord(v, toEnvList(optMetaArgs, nil))
+			if err != nil {
+				return nil, nil, errors.Wrapf(err, "failed to process arguments for platform %s", v)
+			}
+
+			p, err := platforms.Parse(v)
+			if err != nil {
+				return nil, nil, errors.Wrapf(err, "failed to parse platform %s", v)
+			}
+			ds.platform = &p
+		}
+
+		allDispatchStates.addState(ds)
+		if opt.IgnoreCache != nil {
+			if len(opt.IgnoreCache) == 0 {
+				ds.ignoreCache = true
+			} else if st.Name != "" {
+				for _, n := range opt.IgnoreCache {
+					if strings.EqualFold(n, st.Name) {
+						ds.ignoreCache = true
+					}
+				}
+			}
+		}
+	}
+
+	var target *dispatchState
+	if opt.Target == "" {
+		target = allDispatchStates.lastTarget()
+	} else {
+		var ok bool
+		target, ok = allDispatchStates.findStateByName(opt.Target)
+		if !ok {
+			return nil, nil, errors.Errorf("target stage %s could not be found", opt.Target)
+		}
+	}
+
+	// fill dependencies to stages so unreachable ones can avoid loading image configs
+	for _, d := range allDispatchStates.states {
+		d.commands = make([]command, len(d.stage.Commands))
+		for i, cmd := range d.stage.Commands {
+			newCmd, err := toCommand(cmd, allDispatchStates)
+			if err != nil {
+				return nil, nil, err
+			}
+			d.commands[i] = newCmd
+			for _, src := range newCmd.sources {
+				if src != nil {
+					d.deps[src] = struct{}{}
+					if src.unregistered {
+						allDispatchStates.addState(src)
+					}
+				}
+			}
+		}
+	}
+
+	eg, ctx := errgroup.WithContext(ctx)
+	for i, d := range allDispatchStates.states {
+		reachable := isReachable(target, d)
+		// resolve image config for every stage
+		if d.base == nil {
+			if d.stage.BaseName == emptyImageName {
+				d.state = llb.Scratch()
+				d.image = emptyImage(*opt.TargetPlatform)
+				continue
+			}
+			func(i int, d *dispatchState) {
+				eg.Go(func() error {
+					ref, err := reference.ParseNormalizedNamed(d.stage.BaseName)
+					if err != nil {
+						return err
+					}
+					platform := d.platform
+					if platform == nil {
+						platform = opt.TargetPlatform
+					}
+					d.stage.BaseName = reference.TagNameOnly(ref).String()
+					var isScratch bool
+					if metaResolver != nil && reachable {
+						dgst, dt, err := metaResolver.ResolveImageConfig(ctx, d.stage.BaseName, platform)
+						if err == nil { // handle the error while builder is actually running
+							var img Image
+							if err := json.Unmarshal(dt, &img); err != nil {
+								return err
+							}
+							img.Created = nil
+							// if there is no explicit target platform, try to match based on image config
+							if d.platform == nil && implicitTargetPlatform {
+								p := autoDetectPlatform(img, *platform, opt.BuildPlatforms)
+								platform = &p
+							}
+							d.image = img
+							if dgst != "" {
+								ref, err = reference.WithDigest(ref, dgst)
+								if err != nil {
+									return err
+								}
+							}
+							d.stage.BaseName = ref.String()
+							_ = ref
+							if len(img.RootFS.DiffIDs) == 0 {
+								isScratch = true
+							}
+						}
+					}
+					if isScratch {
+						d.state = llb.Scratch()
+					} else {
+						d.state = llb.Image(d.stage.BaseName, dfCmd(d.stage.SourceCode), llb.Platform(*platform))
+					}
+					return nil
+				})
+			}(i, d)
+		}
+	}
+
+	if err := eg.Wait(); err != nil {
+		return nil, nil, err
+	}
+
+	buildContext := &mutableOutput{}
+	ctxPaths := map[string]struct{}{}
+
+	for _, d := range allDispatchStates.states {
+		if !isReachable(target, d) {
+			continue
+		}
+		if d.base != nil {
+			d.state = d.base.state
+			d.image = clone(d.base.image)
+		}
+
+		// initialize base metadata from image conf
+		for _, env := range d.image.Config.Env {
+			parts := strings.SplitN(env, "=", 2)
+			v := ""
+			if len(parts) > 1 {
+				v = parts[1]
+			}
+			if err := dispatchEnv(d, &instructions.EnvCommand{Env: []instructions.KeyValuePair{{Key: parts[0], Value: v}}}, false); err != nil {
+				return nil, nil, err
+			}
+		}
+		if d.image.Config.WorkingDir != "" {
+			if err = dispatchWorkdir(d, &instructions.WorkdirCommand{Path: d.image.Config.WorkingDir}, false); err != nil {
+				return nil, nil, err
+			}
+		}
+		if d.image.Config.User != "" {
+			if err = dispatchUser(d, &instructions.UserCommand{User: d.image.Config.User}, false); err != nil {
+				return nil, nil, err
+			}
+		}
+
+		opt := dispatchOpt{
+			allDispatchStates: allDispatchStates,
+			metaArgs:          optMetaArgs,
+			buildArgValues:    opt.BuildArgs,
+			shlex:             shlex,
+			sessionID:         opt.SessionID,
+			buildContext:      llb.NewState(buildContext),
+			proxyEnv:          proxyEnv,
+			cacheIDNamespace:  opt.CacheIDNamespace,
+			buildPlatforms:    opt.BuildPlatforms,
+			targetPlatform:    *opt.TargetPlatform,
+		}
+
+		if err = dispatchOnBuild(d, d.image.Config.OnBuild, opt); err != nil {
+			return nil, nil, err
+		}
+
+		for _, cmd := range d.commands {
+			if err := dispatch(d, cmd, opt); err != nil {
+				return nil, nil, err
+			}
+		}
+
+		for p := range d.ctxPaths {
+			ctxPaths[p] = struct{}{}
+		}
+	}
+
+	if len(opt.Labels) != 0 && target.image.Config.Labels == nil {
+		target.image.Config.Labels = make(map[string]string, len(opt.Labels))
+	}
+	for k, v := range opt.Labels {
+		target.image.Config.Labels[k] = v
+	}
+
+	opts := []llb.LocalOption{
+		llb.SessionID(opt.SessionID),
+		llb.ExcludePatterns(opt.Excludes),
+		llb.SharedKeyHint(localNameContext),
+	}
+	if includePatterns := normalizeContextPaths(ctxPaths); includePatterns != nil {
+		opts = append(opts, llb.FollowPaths(includePatterns))
+	}
+	bc := llb.Local(localNameContext, opts...)
+	if opt.BuildContext != nil {
+		bc = *opt.BuildContext
+	}
+	buildContext.Output = bc.Output()
+
+	st := target.state.SetMarhalDefaults(llb.Platform(*opt.TargetPlatform))
+
+	if !implicitTargetPlatform {
+		target.image.OS = opt.TargetPlatform.OS
+		target.image.Architecture = opt.TargetPlatform.Architecture
+	}
+
+	return &st, &target.image, nil
+}
+
+func toCommand(ic instructions.Command, allDispatchStates *dispatchStates) (command, error) {
+	cmd := command{Command: ic}
+	if c, ok := ic.(*instructions.CopyCommand); ok {
+		if c.From != "" {
+			var stn *dispatchState
+			index, err := strconv.Atoi(c.From)
+			if err != nil {
+				stn, ok = allDispatchStates.findStateByName(c.From)
+				if !ok {
+					stn = &dispatchState{
+						stage:        instructions.Stage{BaseName: c.From},
+						deps:         make(map[*dispatchState]struct{}),
+						unregistered: true,
+					}
+				}
+			} else {
+				stn, err = allDispatchStates.findStateByIndex(index)
+				if err != nil {
+					return command{}, err
+				}
+			}
+			cmd.sources = []*dispatchState{stn}
+		}
+	}
+
+	if ok := detectRunMount(&cmd, allDispatchStates); ok {
+		return cmd, nil
+	}
+
+	return cmd, nil
+}
+
+type dispatchOpt struct {
+	allDispatchStates *dispatchStates
+	metaArgs          []instructions.KeyValuePairOptional
+	buildArgValues    map[string]string
+	shlex             *shell.Lex
+	sessionID         string
+	buildContext      llb.State
+	proxyEnv          *llb.ProxyEnv
+	cacheIDNamespace  string
+	targetPlatform    specs.Platform
+	buildPlatforms    []specs.Platform
+}
+
+func dispatch(d *dispatchState, cmd command, opt dispatchOpt) error {
+	if ex, ok := cmd.Command.(instructions.SupportsSingleWordExpansion); ok {
+		err := ex.Expand(func(word string) (string, error) {
+			return opt.shlex.ProcessWord(word, toEnvList(d.buildArgs, d.image.Config.Env))
+		})
+		if err != nil {
+			return err
+		}
+	}
+
+	var err error
+	switch c := cmd.Command.(type) {
+	case *instructions.MaintainerCommand:
+		err = dispatchMaintainer(d, c)
+	case *instructions.EnvCommand:
+		err = dispatchEnv(d, c, true)
+	case *instructions.RunCommand:
+		err = dispatchRun(d, c, opt.proxyEnv, cmd.sources, opt)
+	case *instructions.WorkdirCommand:
+		err = dispatchWorkdir(d, c, true)
+	case *instructions.AddCommand:
+		err = dispatchCopy(d, c.SourcesAndDest, opt.buildContext, true, c, "", opt)
+		if err == nil {
+			for _, src := range c.Sources() {
+				d.ctxPaths[path.Join("/", filepath.ToSlash(src))] = struct{}{}
+			}
+		}
+	case *instructions.LabelCommand:
+		err = dispatchLabel(d, c)
+	case *instructions.OnbuildCommand:
+		err = dispatchOnbuild(d, c)
+	case *instructions.CmdCommand:
+		err = dispatchCmd(d, c)
+	case *instructions.EntrypointCommand:
+		err = dispatchEntrypoint(d, c)
+	case *instructions.HealthCheckCommand:
+		err = dispatchHealthcheck(d, c)
+	case *instructions.ExposeCommand:
+		err = dispatchExpose(d, c, opt.shlex)
+	case *instructions.UserCommand:
+		err = dispatchUser(d, c, true)
+	case *instructions.VolumeCommand:
+		err = dispatchVolume(d, c)
+	case *instructions.StopSignalCommand:
+		err = dispatchStopSignal(d, c)
+	case *instructions.ShellCommand:
+		err = dispatchShell(d, c)
+	case *instructions.ArgCommand:
+		err = dispatchArg(d, c, opt.metaArgs, opt.buildArgValues)
+	case *instructions.CopyCommand:
+		l := opt.buildContext
+		if len(cmd.sources) != 0 {
+			l = cmd.sources[0].state
+		}
+		err = dispatchCopy(d, c.SourcesAndDest, l, false, c, c.Chown, opt)
+		if err == nil && len(cmd.sources) == 0 {
+			for _, src := range c.Sources() {
+				d.ctxPaths[path.Join("/", filepath.ToSlash(src))] = struct{}{}
+			}
+		}
+	default:
+	}
+	return err
+}
+
+type dispatchState struct {
+	state        llb.State
+	image        Image
+	platform     *specs.Platform
+	stage        instructions.Stage
+	base         *dispatchState
+	deps         map[*dispatchState]struct{}
+	buildArgs    []instructions.KeyValuePairOptional
+	commands     []command
+	ctxPaths     map[string]struct{}
+	ignoreCache  bool
+	cmdSet       bool
+	unregistered bool
+}
+
+type dispatchStates struct {
+	states       []*dispatchState
+	statesByName map[string]*dispatchState
+}
+
+func newDispatchStates() *dispatchStates {
+	return &dispatchStates{statesByName: map[string]*dispatchState{}}
+}
+
+func (dss *dispatchStates) addState(ds *dispatchState) {
+	dss.states = append(dss.states, ds)
+
+	if d, ok := dss.statesByName[ds.stage.BaseName]; ok {
+		ds.base = d
+	}
+	if ds.stage.Name != "" {
+		dss.statesByName[strings.ToLower(ds.stage.Name)] = ds
+	}
+}
+
+func (dss *dispatchStates) findStateByName(name string) (*dispatchState, bool) {
+	ds, ok := dss.statesByName[strings.ToLower(name)]
+	return ds, ok
+}
+
+func (dss *dispatchStates) findStateByIndex(index int) (*dispatchState, error) {
+	if index < 0 || index >= len(dss.states) {
+		return nil, errors.Errorf("invalid stage index %d", index)
+	}
+
+	return dss.states[index], nil
+}
+
+func (dss *dispatchStates) lastTarget() *dispatchState {
+	return dss.states[len(dss.states)-1]
+}
+
+type command struct {
+	instructions.Command
+	sources []*dispatchState
+}
+
+func dispatchOnBuild(d *dispatchState, triggers []string, opt dispatchOpt) error {
+	for _, trigger := range triggers {
+		ast, err := parser.Parse(strings.NewReader(trigger))
+		if err != nil {
+			return err
+		}
+		if len(ast.AST.Children) != 1 {
+			return errors.New("onbuild trigger should be a single expression")
+		}
+		ic, err := instructions.ParseCommand(ast.AST.Children[0])
+		if err != nil {
+			return err
+		}
+		cmd, err := toCommand(ic, opt.allDispatchStates)
+		if err != nil {
+			return err
+		}
+		if err := dispatch(d, cmd, opt); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func dispatchEnv(d *dispatchState, c *instructions.EnvCommand, commit bool) error {
+	commitMessage := bytes.NewBufferString("ENV")
+	for _, e := range c.Env {
+		commitMessage.WriteString(" " + e.String())
+		d.state = d.state.AddEnv(e.Key, e.Value)
+		d.image.Config.Env = addEnv(d.image.Config.Env, e.Key, e.Value, true)
+	}
+	if commit {
+		return commitToHistory(&d.image, commitMessage.String(), false, nil)
+	}
+	return nil
+}
+
+func dispatchRun(d *dispatchState, c *instructions.RunCommand, proxy *llb.ProxyEnv, sources []*dispatchState, dopt dispatchOpt) error {
+	var args []string = c.CmdLine
+	if c.PrependShell {
+		args = withShell(d.image, args)
+	} else if d.image.Config.Entrypoint != nil {
+		args = append(d.image.Config.Entrypoint, args...)
+	}
+	opt := []llb.RunOption{llb.Args(args)}
+	for _, arg := range d.buildArgs {
+		opt = append(opt, llb.AddEnv(arg.Key, arg.ValueString()))
+	}
+	opt = append(opt, dfCmd(c))
+	if d.ignoreCache {
+		opt = append(opt, llb.IgnoreCache)
+	}
+	if proxy != nil {
+		opt = append(opt, llb.WithProxy(*proxy))
+	}
+
+	runMounts, err := dispatchRunMounts(d, c, sources, dopt)
+	if err != nil {
+		return err
+	}
+	opt = append(opt, runMounts...)
+
+	d.state = d.state.Run(opt...).Root()
+	return commitToHistory(&d.image, "RUN "+runCommandString(args, d.buildArgs), true, &d.state)
+}
+
+func dispatchWorkdir(d *dispatchState, c *instructions.WorkdirCommand, commit bool) error {
+	d.state = d.state.Dir(c.Path)
+	wd := c.Path
+	if !path.IsAbs(c.Path) {
+		wd = path.Join("/", d.image.Config.WorkingDir, wd)
+	}
+	d.image.Config.WorkingDir = wd
+	if commit {
+		return commitToHistory(&d.image, "WORKDIR "+wd, false, nil)
+	}
+	return nil
+}
+
+func dispatchCopy(d *dispatchState, c instructions.SourcesAndDest, sourceState llb.State, isAddCommand bool, cmdToPrint interface{}, chown string, opt dispatchOpt) error {
+	// TODO: this should use CopyOp instead. Current implementation is inefficient
+	img := llb.Image(CopyImage, llb.Platform(opt.buildPlatforms[0]))
+
+	dest := path.Join(".", pathRelativeToWorkingDir(d.state, c.Dest()))
+	if c.Dest() == "." || c.Dest()[len(c.Dest())-1] == filepath.Separator {
+		dest += string(filepath.Separator)
+	}
+	args := []string{"copy"}
+	unpack := isAddCommand
+
+	mounts := make([]llb.RunOption, 0, len(c.Sources()))
+	if chown != "" {
+		args = append(args, fmt.Sprintf("--chown=%s", chown))
+		_, _, err := parseUser(chown)
+		if err != nil {
+			mounts = append(mounts, llb.AddMount("/etc/passwd", d.state, llb.SourcePath("/etc/passwd"), llb.Readonly))
+			mounts = append(mounts, llb.AddMount("/etc/group", d.state, llb.SourcePath("/etc/group"), llb.Readonly))
+		}
+	}
+
+	commitMessage := bytes.NewBufferString("")
+	if isAddCommand {
+		commitMessage.WriteString("ADD")
+	} else {
+		commitMessage.WriteString("COPY")
+	}
+
+	for i, src := range c.Sources() {
+		commitMessage.WriteString(" " + src)
+		if strings.HasPrefix(src, "http://") || strings.HasPrefix(src, "https://") {
+			if !isAddCommand {
+				return errors.New("source can't be a URL for COPY")
+			}
+
+			// Resources from remote URLs are not decompressed.
+			// https://docs.docker.com/engine/reference/builder/#add
+			//
+			// Note: mixing up remote archives and local archives in a single ADD instruction
+			// would result in undefined behavior: https://github.com/moby/buildkit/pull/387#discussion_r189494717
+			unpack = false
+			u, err := url.Parse(src)
+			f := "__unnamed__"
+			if err == nil {
+				if base := path.Base(u.Path); base != "." && base != "/" {
+					f = base
+				}
+			}
+			target := path.Join(fmt.Sprintf("/src-%d", i), f)
+			args = append(args, target)
+			mounts = append(mounts, llb.AddMount(path.Dir(target), llb.HTTP(src, llb.Filename(f), dfCmd(c)), llb.Readonly))
+		} else {
+			d, f := splitWildcards(src)
+			targetCmd := fmt.Sprintf("/src-%d", i)
+			targetMount := targetCmd
+			if f == "" {
+				f = path.Base(src)
+				targetMount = path.Join(targetMount, f)
+			}
+			targetCmd = path.Join(targetCmd, f)
+			args = append(args, targetCmd)
+			mounts = append(mounts, llb.AddMount(targetMount, sourceState, llb.SourcePath(d), llb.Readonly))
+		}
+	}
+
+	commitMessage.WriteString(" " + c.Dest())
+
+	args = append(args, dest)
+	if unpack {
+		args = append(args[:1], append([]string{"--unpack"}, args[1:]...)...)
+	}
+
+	runOpt := []llb.RunOption{llb.Args(args), llb.Dir("/dest"), llb.ReadonlyRootFS(), dfCmd(cmdToPrint)}
+	if d.ignoreCache {
+		runOpt = append(runOpt, llb.IgnoreCache)
+	}
+	run := img.Run(append(runOpt, mounts...)...)
+	d.state = run.AddMount("/dest", d.state).Platform(opt.targetPlatform)
+
+	return commitToHistory(&d.image, commitMessage.String(), true, &d.state)
+}
+
+func dispatchMaintainer(d *dispatchState, c *instructions.MaintainerCommand) error {
+	d.image.Author = c.Maintainer
+	return commitToHistory(&d.image, fmt.Sprintf("MAINTAINER %v", c.Maintainer), false, nil)
+}
+
+func dispatchLabel(d *dispatchState, c *instructions.LabelCommand) error {
+	commitMessage := bytes.NewBufferString("LABEL")
+	if d.image.Config.Labels == nil {
+		d.image.Config.Labels = make(map[string]string, len(c.Labels))
+	}
+	for _, v := range c.Labels {
+		d.image.Config.Labels[v.Key] = v.Value
+		commitMessage.WriteString(" " + v.String())
+	}
+	return commitToHistory(&d.image, commitMessage.String(), false, nil)
+}
+
+func dispatchOnbuild(d *dispatchState, c *instructions.OnbuildCommand) error {
+	d.image.Config.OnBuild = append(d.image.Config.OnBuild, c.Expression)
+	return nil
+}
+
+func dispatchCmd(d *dispatchState, c *instructions.CmdCommand) error {
+	var args []string = c.CmdLine
+	if c.PrependShell {
+		args = withShell(d.image, args)
+	}
+	d.image.Config.Cmd = args
+	d.image.Config.ArgsEscaped = true
+	d.cmdSet = true
+	return commitToHistory(&d.image, fmt.Sprintf("CMD %q", args), false, nil)
+}
+
+func dispatchEntrypoint(d *dispatchState, c *instructions.EntrypointCommand) error {
+	var args []string = c.CmdLine
+	if c.PrependShell {
+		args = withShell(d.image, args)
+	}
+	d.image.Config.Entrypoint = args
+	if !d.cmdSet {
+		d.image.Config.Cmd = nil
+	}
+	return commitToHistory(&d.image, fmt.Sprintf("ENTRYPOINT %q", args), false, nil)
+}
+
+func dispatchHealthcheck(d *dispatchState, c *instructions.HealthCheckCommand) error {
+	d.image.Config.Healthcheck = &HealthConfig{
+		Test:        c.Health.Test,
+		Interval:    c.Health.Interval,
+		Timeout:     c.Health.Timeout,
+		StartPeriod: c.Health.StartPeriod,
+		Retries:     c.Health.Retries,
+	}
+	return commitToHistory(&d.image, fmt.Sprintf("HEALTHCHECK %q", d.image.Config.Healthcheck), false, nil)
+}
+
+func dispatchExpose(d *dispatchState, c *instructions.ExposeCommand, shlex *shell.Lex) error {
+	ports := []string{}
+	for _, p := range c.Ports {
+		ps, err := shlex.ProcessWords(p, toEnvList(d.buildArgs, d.image.Config.Env))
+		if err != nil {
+			return err
+		}
+		ports = append(ports, ps...)
+	}
+	c.Ports = ports
+
+	ps, _, err := nat.ParsePortSpecs(c.Ports)
+	if err != nil {
+		return err
+	}
+
+	if d.image.Config.ExposedPorts == nil {
+		d.image.Config.ExposedPorts = make(map[string]struct{})
+	}
+	for p := range ps {
+		d.image.Config.ExposedPorts[string(p)] = struct{}{}
+	}
+
+	return commitToHistory(&d.image, fmt.Sprintf("EXPOSE %v", ps), false, nil)
+}
+
+func dispatchUser(d *dispatchState, c *instructions.UserCommand, commit bool) error {
+	d.state = d.state.User(c.User)
+	d.image.Config.User = c.User
+	if commit {
+		return commitToHistory(&d.image, fmt.Sprintf("USER %v", c.User), false, nil)
+	}
+	return nil
+}
+
+func dispatchVolume(d *dispatchState, c *instructions.VolumeCommand) error {
+	if d.image.Config.Volumes == nil {
+		d.image.Config.Volumes = map[string]struct{}{}
+	}
+	for _, v := range c.Volumes {
+		if v == "" {
+			return errors.New("VOLUME specified can not be an empty string")
+		}
+		d.image.Config.Volumes[v] = struct{}{}
+	}
+	return commitToHistory(&d.image, fmt.Sprintf("VOLUME %v", c.Volumes), false, nil)
+}
+
+func dispatchStopSignal(d *dispatchState, c *instructions.StopSignalCommand) error {
+	if _, err := signal.ParseSignal(c.Signal); err != nil {
+		return err
+	}
+	d.image.Config.StopSignal = c.Signal
+	return commitToHistory(&d.image, fmt.Sprintf("STOPSIGNAL %v", c.Signal), false, nil)
+}
+
+func dispatchShell(d *dispatchState, c *instructions.ShellCommand) error {
+	d.image.Config.Shell = c.Shell
+	return commitToHistory(&d.image, fmt.Sprintf("SHELL %v", c.Shell), false, nil)
+}
+
+func dispatchArg(d *dispatchState, c *instructions.ArgCommand, metaArgs []instructions.KeyValuePairOptional, buildArgValues map[string]string) error {
+	commitStr := "ARG " + c.Key
+	buildArg := setKVValue(c.KeyValuePairOptional, buildArgValues)
+
+	if c.Value != nil {
+		commitStr += "=" + *c.Value
+	}
+	if buildArg.Value == nil {
+		for _, ma := range metaArgs {
+			if ma.Key == buildArg.Key {
+				buildArg.Value = ma.Value
+			}
+		}
+	}
+
+	d.buildArgs = append(d.buildArgs, buildArg)
+	return commitToHistory(&d.image, commitStr, false, nil)
+}
+
+func pathRelativeToWorkingDir(s llb.State, p string) string {
+	if path.IsAbs(p) {
+		return p
+	}
+	return path.Join(s.GetDir(), p)
+}
+
+func splitWildcards(name string) (string, string) {
+	i := 0
+	for ; i < len(name); i++ {
+		ch := name[i]
+		if ch == '\\' {
+			i++
+		} else if ch == '*' || ch == '?' || ch == '[' {
+			break
+		}
+	}
+	if i == len(name) {
+		return name, ""
+	}
+
+	base := path.Base(name[:i])
+	if name[:i] == "" || strings.HasSuffix(name[:i], string(filepath.Separator)) {
+		base = ""
+	}
+	return path.Dir(name[:i]), base + name[i:]
+}
+
+func addEnv(env []string, k, v string, override bool) []string {
+	gotOne := false
+	for i, envVar := range env {
+		envParts := strings.SplitN(envVar, "=", 2)
+		compareFrom := envParts[0]
+		if shell.EqualEnvKeys(compareFrom, k) {
+			if override {
+				env[i] = k + "=" + v
+			}
+			gotOne = true
+			break
+		}
+	}
+	if !gotOne {
+		env = append(env, k+"="+v)
+	}
+	return env
+}
+
+func setKVValue(kvpo instructions.KeyValuePairOptional, values map[string]string) instructions.KeyValuePairOptional {
+	if v, ok := values[kvpo.Key]; ok {
+		kvpo.Value = &v
+	}
+	return kvpo
+}
+
+func toEnvList(args []instructions.KeyValuePairOptional, env []string) []string {
+	for _, arg := range args {
+		env = addEnv(env, arg.Key, arg.ValueString(), false)
+	}
+	return env
+}
+
+func dfCmd(cmd interface{}) llb.ConstraintsOpt {
+	// TODO: add fmt.Stringer to instructions.Command to remove interface{}
+	var cmdStr string
+	if cmd, ok := cmd.(fmt.Stringer); ok {
+		cmdStr = cmd.String()
+	}
+	if cmd, ok := cmd.(string); ok {
+		cmdStr = cmd
+	}
+	return llb.WithDescription(map[string]string{
+		"com.docker.dockerfile.v1.command": cmdStr,
+	})
+}
+
+func runCommandString(args []string, buildArgs []instructions.KeyValuePairOptional) string {
+	var tmpBuildEnv []string
+	for _, arg := range buildArgs {
+		tmpBuildEnv = append(tmpBuildEnv, arg.Key+"="+arg.ValueString())
+	}
+	if len(tmpBuildEnv) > 0 {
+		tmpBuildEnv = append([]string{fmt.Sprintf("|%d", len(tmpBuildEnv))}, tmpBuildEnv...)
+	}
+
+	return strings.Join(append(tmpBuildEnv, args...), " ")
+}
+
+func commitToHistory(img *Image, msg string, withLayer bool, st *llb.State) error {
+	if st != nil {
+		msg += " # buildkit"
+	}
+
+	img.History = append(img.History, specs.History{
+		CreatedBy:  msg,
+		Comment:    historyComment,
+		EmptyLayer: !withLayer,
+	})
+	return nil
+}
+
+func isReachable(from, to *dispatchState) (ret bool) {
+	if from == nil {
+		return false
+	}
+	if from == to || isReachable(from.base, to) {
+		return true
+	}
+	for d := range from.deps {
+		if isReachable(d, to) {
+			return true
+		}
+	}
+	return false
+}
+
+func parseUser(str string) (uid uint32, gid uint32, err error) {
+	if str == "" {
+		return 0, 0, nil
+	}
+	parts := strings.SplitN(str, ":", 2)
+	for i, v := range parts {
+		switch i {
+		case 0:
+			uid, err = parseUID(v)
+			if err != nil {
+				return 0, 0, err
+			}
+			if len(parts) == 1 {
+				gid = uid
+			}
+		case 1:
+			gid, err = parseUID(v)
+			if err != nil {
+				return 0, 0, err
+			}
+		}
+	}
+	return
+}
+
+func parseUID(str string) (uint32, error) {
+	if str == "root" {
+		return 0, nil
+	}
+	uid, err := strconv.ParseUint(str, 10, 32)
+	if err != nil {
+		return 0, err
+	}
+	return uint32(uid), nil
+}
+
+func normalizeContextPaths(paths map[string]struct{}) []string {
+	pathSlice := make([]string, 0, len(paths))
+	for p := range paths {
+		if p == "/" {
+			return nil
+		}
+		pathSlice = append(pathSlice, p)
+	}
+
+	toDelete := map[string]struct{}{}
+	for i := range pathSlice {
+		for j := range pathSlice {
+			if i == j {
+				continue
+			}
+			if strings.HasPrefix(pathSlice[j], pathSlice[i]+"/") {
+				delete(paths, pathSlice[j])
+			}
+		}
+	}
+
+	toSort := make([]string, 0, len(paths))
+	for p := range paths {
+		if _, ok := toDelete[p]; !ok {
+			toSort = append(toSort, path.Join(".", p))
+		}
+	}
+	sort.Slice(toSort, func(i, j int) bool {
+		return toSort[i] < toSort[j]
+	})
+	return toSort
+}
+
+func proxyEnvFromBuildArgs(args map[string]string) *llb.ProxyEnv {
+	pe := &llb.ProxyEnv{}
+	isNil := true
+	for k, v := range args {
+		if strings.EqualFold(k, "http_proxy") {
+			pe.HttpProxy = v
+			isNil = false
+		}
+		if strings.EqualFold(k, "https_proxy") {
+			pe.HttpsProxy = v
+			isNil = false
+		}
+		if strings.EqualFold(k, "ftp_proxy") {
+			pe.FtpProxy = v
+			isNil = false
+		}
+		if strings.EqualFold(k, "no_proxy") {
+			pe.NoProxy = v
+			isNil = false
+		}
+	}
+	if isNil {
+		return nil
+	}
+	return pe
+}
+
+type mutableOutput struct {
+	llb.Output
+}
+
+func withShell(img Image, args []string) []string {
+	var shell []string
+	if len(img.Config.Shell) > 0 {
+		shell = append([]string{}, img.Config.Shell...)
+	} else {
+		shell = defaultShell()
+	}
+	return append(shell, strings.Join(args, " "))
+}
+
+func autoDetectPlatform(img Image, target specs.Platform, supported []specs.Platform) specs.Platform {
+	os := img.OS
+	arch := img.Architecture
+	if target.OS == os && target.Architecture == arch {
+		return target
+	}
+	for _, p := range supported {
+		if p.OS == os && p.Architecture == arch {
+			return p
+		}
+	}
+	return target
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_norunmount.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_norunmount.go
new file mode 100644
index 00000000..d7643405
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_norunmount.go
@@ -0,0 +1,16 @@
+// +build !dfrunmount,!dfextall
+
+package dockerfile2llb
+
+import (
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+)
+
+func detectRunMount(cmd *command, allDispatchStates *dispatchStates) bool {
+	return false
+}
+
+func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*dispatchState, opt dispatchOpt) ([]llb.RunOption, error) {
+	return nil, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_runmount.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_runmount.go
new file mode 100644
index 00000000..aea61b36
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/convert_runmount.go
@@ -0,0 +1,85 @@
+// +build dfrunmount dfextall
+
+package dockerfile2llb
+
+import (
+	"path"
+	"path/filepath"
+
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend/dockerfile/instructions"
+	"github.com/pkg/errors"
+)
+
+func detectRunMount(cmd *command, allDispatchStates *dispatchStates) bool {
+	if c, ok := cmd.Command.(*instructions.RunCommand); ok {
+		mounts := instructions.GetMounts(c)
+		sources := make([]*dispatchState, len(mounts))
+		for i, mount := range mounts {
+			if mount.From == "" && mount.Type == instructions.MountTypeCache {
+				mount.From = emptyImageName
+			}
+			from := mount.From
+			if from == "" || mount.Type == instructions.MountTypeTmpfs {
+				continue
+			}
+			stn, ok := allDispatchStates.findStateByName(from)
+			if !ok {
+				stn = &dispatchState{
+					stage:        instructions.Stage{BaseName: from},
+					deps:         make(map[*dispatchState]struct{}),
+					unregistered: true,
+				}
+			}
+			sources[i] = stn
+		}
+		cmd.sources = sources
+		return true
+	}
+
+	return false
+}
+
+func dispatchRunMounts(d *dispatchState, c *instructions.RunCommand, sources []*dispatchState, opt dispatchOpt) ([]llb.RunOption, error) {
+	var out []llb.RunOption
+	mounts := instructions.GetMounts(c)
+
+	for i, mount := range mounts {
+		if mount.From == "" && mount.Type == instructions.MountTypeCache {
+			mount.From = emptyImageName
+		}
+		st := opt.buildContext
+		if mount.From != "" {
+			st = sources[i].state
+		}
+		var mountOpts []llb.MountOption
+		if mount.Type == instructions.MountTypeTmpfs {
+			st = llb.Scratch()
+			mountOpts = append(mountOpts, llb.Tmpfs())
+		}
+		if mount.ReadOnly {
+			mountOpts = append(mountOpts, llb.Readonly)
+		}
+		if mount.Type == instructions.MountTypeCache {
+			sharing := llb.CacheMountShared
+			if mount.CacheSharing == instructions.MountSharingPrivate {
+				sharing = llb.CacheMountPrivate
+			}
+			if mount.CacheSharing == instructions.MountSharingLocked {
+				sharing = llb.CacheMountLocked
+			}
+			mountOpts = append(mountOpts, llb.AsPersistentCacheDir(opt.cacheIDNamespace+"/"+mount.CacheID, sharing))
+		}
+		target := path.Join("/", mount.Target)
+		if target == "/" {
+			return nil, errors.Errorf("invalid mount target %q", mount.Target)
+		}
+		if src := path.Join("/", mount.Source); src != "/" {
+			mountOpts = append(mountOpts, llb.SourcePath(src))
+		}
+		out = append(out, llb.AddMount(target, st, mountOpts...))
+
+		d.ctxPaths[path.Join("/", filepath.ToSlash(mount.Source))] = struct{}{}
+	}
+	return out, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/defaultshell_unix.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/defaultshell_unix.go
new file mode 100644
index 00000000..b5d541d1
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/defaultshell_unix.go
@@ -0,0 +1,7 @@
+// +build !windows
+
+package dockerfile2llb
+
+func defaultShell() []string {
+	return []string{"/bin/sh", "-c"}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/defaultshell_windows.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/defaultshell_windows.go
new file mode 100644
index 00000000..7693e050
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/defaultshell_windows.go
@@ -0,0 +1,7 @@
+// +build windows
+
+package dockerfile2llb
+
+func defaultShell() []string {
+	return []string{"cmd", "/S", "/C"}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/directives.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/directives.go
new file mode 100644
index 00000000..cf06b5ad
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/directives.go
@@ -0,0 +1,38 @@
+package dockerfile2llb
+
+import (
+	"bufio"
+	"io"
+	"regexp"
+	"strings"
+)
+
+const keySyntax = "syntax"
+
+var reDirective = regexp.MustCompile(`^#\s*([a-zA-Z][a-zA-Z0-9]*)\s*=\s*(.+?)\s*$`)
+
+func DetectSyntax(r io.Reader) (string, string, bool) {
+	directives := ParseDirectives(r)
+	if len(directives) == 0 {
+		return "", "", false
+	}
+	v, ok := directives[keySyntax]
+	if !ok {
+		return "", "", false
+	}
+	p := strings.SplitN(v, " ", 2)
+	return p[0], v, true
+}
+
+func ParseDirectives(r io.Reader) map[string]string {
+	m := map[string]string{}
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		match := reDirective.FindStringSubmatch(s.Text())
+		if len(match) == 0 {
+			return m
+		}
+		m[strings.ToLower(match[1])] = match[2]
+	}
+	return m
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/image.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/image.go
new file mode 100644
index 00000000..6085d1e4
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/dockerfile2llb/image.go
@@ -0,0 +1,74 @@
+package dockerfile2llb
+
+import (
+	"time"
+
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/moby/buildkit/util/system"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// HealthConfig holds configuration settings for the HEALTHCHECK feature.
+type HealthConfig struct {
+	// Test is the test to perform to check that the container is healthy.
+	// An empty slice means to inherit the default.
+	// The options are:
+	// {} : inherit healthcheck
+	// {"NONE"} : disable healthcheck
+	// {"CMD", args...} : exec arguments directly
+	// {"CMD-SHELL", command} : run command with system's default shell
+	Test []string `json:",omitempty"`
+
+	// Zero means to inherit. Durations are expressed as integer nanoseconds.
+	Interval    time.Duration `json:",omitempty"` // Interval is the time to wait between checks.
+	Timeout     time.Duration `json:",omitempty"` // Timeout is the time to wait before considering the check to have hung.
+	StartPeriod time.Duration `json:",omitempty"` // The start period for the container to initialize before the retries starts to count down.
+
+	// Retries is the number of consecutive failures needed to consider a container as unhealthy.
+	// Zero means inherit.
+	Retries int `json:",omitempty"`
+}
+
+type ImageConfig struct {
+	specs.ImageConfig
+
+	Healthcheck *HealthConfig `json:",omitempty"` // Healthcheck describes how to check the container is healthy
+	ArgsEscaped bool          `json:",omitempty"` // True if command is already escaped (Windows specific)
+
+	//	NetworkDisabled bool                `json:",omitempty"` // Is network disabled
+	//	MacAddress      string              `json:",omitempty"` // Mac Address of the container
+	OnBuild     []string          // ONBUILD metadata that were defined on the image Dockerfile
+	StopTimeout *int              `json:",omitempty"` // Timeout (in seconds) to stop a container
+	Shell       strslice.StrSlice `json:",omitempty"` // Shell for shell-form of RUN, CMD, ENTRYPOINT
+}
+
+// Image is the JSON structure which describes some basic information about the image.
+// This provides the `application/vnd.oci.image.config.v1+json` mediatype when marshalled to JSON.
+type Image struct {
+	specs.Image
+
+	// Config defines the execution parameters which should be used as a base when running a container using the image.
+	Config ImageConfig `json:"config,omitempty"`
+}
+
+func clone(src Image) Image {
+	img := src
+	img.Config = src.Config
+	img.Config.Env = append([]string{}, src.Config.Env...)
+	img.Config.Cmd = append([]string{}, src.Config.Cmd...)
+	img.Config.Entrypoint = append([]string{}, src.Config.Entrypoint...)
+	return img
+}
+
+func emptyImage(platform specs.Platform) Image {
+	img := Image{
+		Image: specs.Image{
+			Architecture: platform.Architecture,
+			OS:           platform.OS,
+		},
+	}
+	img.RootFS.Type = "layers"
+	img.Config.WorkingDir = "/"
+	img.Config.Env = []string{"PATH=" + system.DefaultPathEnv}
+	return img
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/bflag.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/bflag.go
new file mode 100644
index 00000000..d8bf7473
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/bflag.go
@@ -0,0 +1,200 @@
+package instructions
+
+import (
+	"fmt"
+	"strings"
+)
+
+// FlagType is the type of the build flag
+type FlagType int
+
+const (
+	boolType FlagType = iota
+	stringType
+	stringsType
+)
+
+// BFlags contains all flags information for the builder
+type BFlags struct {
+	Args  []string // actual flags/args from cmd line
+	flags map[string]*Flag
+	used  map[string]*Flag
+	Err   error
+}
+
+// Flag contains all information for a flag
+type Flag struct {
+	bf           *BFlags
+	name         string
+	flagType     FlagType
+	Value        string
+	StringValues []string
+}
+
+// NewBFlags returns the new BFlags struct
+func NewBFlags() *BFlags {
+	return &BFlags{
+		flags: make(map[string]*Flag),
+		used:  make(map[string]*Flag),
+	}
+}
+
+// NewBFlagsWithArgs returns the new BFlags struct with Args set to args
+func NewBFlagsWithArgs(args []string) *BFlags {
+	flags := NewBFlags()
+	flags.Args = args
+	return flags
+}
+
+// AddBool adds a bool flag to BFlags
+// Note, any error will be generated when Parse() is called (see Parse).
+func (bf *BFlags) AddBool(name string, def bool) *Flag {
+	flag := bf.addFlag(name, boolType)
+	if flag == nil {
+		return nil
+	}
+	if def {
+		flag.Value = "true"
+	} else {
+		flag.Value = "false"
+	}
+	return flag
+}
+
+// AddString adds a string flag to BFlags
+// Note, any error will be generated when Parse() is called (see Parse).
+func (bf *BFlags) AddString(name string, def string) *Flag {
+	flag := bf.addFlag(name, stringType)
+	if flag == nil {
+		return nil
+	}
+	flag.Value = def
+	return flag
+}
+
+// AddStrings adds a string flag to BFlags that can match multiple values
+func (bf *BFlags) AddStrings(name string) *Flag {
+	flag := bf.addFlag(name, stringsType)
+	if flag == nil {
+		return nil
+	}
+	return flag
+}
+
+// addFlag is a generic func used by the other AddXXX() func
+// to add a new flag to the BFlags struct.
+// Note, any error will be generated when Parse() is called (see Parse).
+func (bf *BFlags) addFlag(name string, flagType FlagType) *Flag {
+	if _, ok := bf.flags[name]; ok {
+		bf.Err = fmt.Errorf("Duplicate flag defined: %s", name)
+		return nil
+	}
+
+	newFlag := &Flag{
+		bf:       bf,
+		name:     name,
+		flagType: flagType,
+	}
+	bf.flags[name] = newFlag
+
+	return newFlag
+}
+
+// IsUsed checks if the flag is used
+func (fl *Flag) IsUsed() bool {
+	if _, ok := fl.bf.used[fl.name]; ok {
+		return true
+	}
+	return false
+}
+
+// IsTrue checks if a bool flag is true
+func (fl *Flag) IsTrue() bool {
+	if fl.flagType != boolType {
+		// Should never get here
+		panic(fmt.Errorf("Trying to use IsTrue on a non-boolean: %s", fl.name))
+	}
+	return fl.Value == "true"
+}
+
+// Parse parses and checks if the BFlags is valid.
+// Any error noticed during the AddXXX() funcs will be generated/returned
+// here.  We do this because an error during AddXXX() is more like a
+// compile time error so it doesn't matter too much when we stop our
+// processing as long as we do stop it, so this allows the code
+// around AddXXX() to be just:
+//     defFlag := AddString("description", "")
+// w/o needing to add an if-statement around each one.
+func (bf *BFlags) Parse() error {
+	// If there was an error while defining the possible flags
+	// go ahead and bubble it back up here since we didn't do it
+	// earlier in the processing
+	if bf.Err != nil {
+		return fmt.Errorf("Error setting up flags: %s", bf.Err)
+	}
+
+	for _, arg := range bf.Args {
+		if !strings.HasPrefix(arg, "--") {
+			return fmt.Errorf("Arg should start with -- : %s", arg)
+		}
+
+		if arg == "--" {
+			return nil
+		}
+
+		arg = arg[2:]
+		value := ""
+
+		index := strings.Index(arg, "=")
+		if index >= 0 {
+			value = arg[index+1:]
+			arg = arg[:index]
+		}
+
+		flag, ok := bf.flags[arg]
+		if !ok {
+			return fmt.Errorf("Unknown flag: %s", arg)
+		}
+
+		if _, ok = bf.used[arg]; ok && flag.flagType != stringsType {
+			return fmt.Errorf("Duplicate flag specified: %s", arg)
+		}
+
+		bf.used[arg] = flag
+
+		switch flag.flagType {
+		case boolType:
+			// value == "" is only ok if no "=" was specified
+			if index >= 0 && value == "" {
+				return fmt.Errorf("Missing a value on flag: %s", arg)
+			}
+
+			lower := strings.ToLower(value)
+			if lower == "" {
+				flag.Value = "true"
+			} else if lower == "true" || lower == "false" {
+				flag.Value = lower
+			} else {
+				return fmt.Errorf("Expecting boolean value for flag %s, not: %s", arg, value)
+			}
+
+		case stringType:
+			if index < 0 {
+				return fmt.Errorf("Missing a value on flag: %s", arg)
+			}
+			flag.Value = value
+
+		case stringsType:
+			if index < 0 {
+				return fmt.Errorf("Missing a value on flag: %s", arg)
+			}
+			flag.StringValues = append(flag.StringValues, value)
+
+		default:
+			panic("No idea what kind of flag we have! Should never get here!")
+		}
+
+	}
+
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands.go
new file mode 100644
index 00000000..28b34f68
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands.go
@@ -0,0 +1,446 @@
+package instructions
+
+import (
+	"errors"
+	"strings"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/strslice"
+)
+
+// KeyValuePair represent an arbitrary named value (useful in slice instead of map[string] string to preserve ordering)
+type KeyValuePair struct {
+	Key   string
+	Value string
+}
+
+func (kvp *KeyValuePair) String() string {
+	return kvp.Key + "=" + kvp.Value
+}
+
+// KeyValuePairOptional is the same as KeyValuePair but Value is optional
+type KeyValuePairOptional struct {
+	Key   string
+	Value *string
+}
+
+func (kvpo *KeyValuePairOptional) ValueString() string {
+	v := ""
+	if kvpo.Value != nil {
+		v = *kvpo.Value
+	}
+	return v
+}
+
+// Command is implemented by every command present in a dockerfile
+type Command interface {
+	Name() string
+}
+
+// KeyValuePairs is a slice of KeyValuePair
+type KeyValuePairs []KeyValuePair
+
+// withNameAndCode is the base of every command in a Dockerfile (String() returns its source code)
+type withNameAndCode struct {
+	code string
+	name string
+}
+
+func (c *withNameAndCode) String() string {
+	return c.code
+}
+
+// Name of the command
+func (c *withNameAndCode) Name() string {
+	return c.name
+}
+
+func newWithNameAndCode(req parseRequest) withNameAndCode {
+	return withNameAndCode{code: strings.TrimSpace(req.original), name: req.command}
+}
+
+// SingleWordExpander is a provider for variable expansion where 1 word => 1 output
+type SingleWordExpander func(word string) (string, error)
+
+// SupportsSingleWordExpansion interface marks a command as supporting variable expansion
+type SupportsSingleWordExpansion interface {
+	Expand(expander SingleWordExpander) error
+}
+
+// PlatformSpecific adds platform checks to a command
+type PlatformSpecific interface {
+	CheckPlatform(platform string) error
+}
+
+func expandKvp(kvp KeyValuePair, expander SingleWordExpander) (KeyValuePair, error) {
+	key, err := expander(kvp.Key)
+	if err != nil {
+		return KeyValuePair{}, err
+	}
+	value, err := expander(kvp.Value)
+	if err != nil {
+		return KeyValuePair{}, err
+	}
+	return KeyValuePair{Key: key, Value: value}, nil
+}
+func expandKvpsInPlace(kvps KeyValuePairs, expander SingleWordExpander) error {
+	for i, kvp := range kvps {
+		newKvp, err := expandKvp(kvp, expander)
+		if err != nil {
+			return err
+		}
+		kvps[i] = newKvp
+	}
+	return nil
+}
+
+func expandSliceInPlace(values []string, expander SingleWordExpander) error {
+	for i, v := range values {
+		newValue, err := expander(v)
+		if err != nil {
+			return err
+		}
+		values[i] = newValue
+	}
+	return nil
+}
+
+// EnvCommand : ENV key1 value1 [keyN valueN...]
+type EnvCommand struct {
+	withNameAndCode
+	Env KeyValuePairs // kvp slice instead of map to preserve ordering
+}
+
+// Expand variables
+func (c *EnvCommand) Expand(expander SingleWordExpander) error {
+	return expandKvpsInPlace(c.Env, expander)
+}
+
+// MaintainerCommand : MAINTAINER maintainer_name
+type MaintainerCommand struct {
+	withNameAndCode
+	Maintainer string
+}
+
+// NewLabelCommand creates a new 'LABEL' command
+func NewLabelCommand(k string, v string, NoExp bool) *LabelCommand {
+	kvp := KeyValuePair{Key: k, Value: v}
+	c := "LABEL "
+	c += kvp.String()
+	nc := withNameAndCode{code: c, name: "label"}
+	cmd := &LabelCommand{
+		withNameAndCode: nc,
+		Labels: KeyValuePairs{
+			kvp,
+		},
+		noExpand: NoExp,
+	}
+	return cmd
+}
+
+// LabelCommand : LABEL some json data describing the image
+//
+// Sets the Label variable foo to bar,
+//
+type LabelCommand struct {
+	withNameAndCode
+	Labels   KeyValuePairs // kvp slice instead of map to preserve ordering
+	noExpand bool
+}
+
+// Expand variables
+func (c *LabelCommand) Expand(expander SingleWordExpander) error {
+	if c.noExpand {
+		return nil
+	}
+	return expandKvpsInPlace(c.Labels, expander)
+}
+
+// SourcesAndDest represent a list of source files and a destination
+type SourcesAndDest []string
+
+// Sources list the source paths
+func (s SourcesAndDest) Sources() []string {
+	res := make([]string, len(s)-1)
+	copy(res, s[:len(s)-1])
+	return res
+}
+
+// Dest path of the operation
+func (s SourcesAndDest) Dest() string {
+	return s[len(s)-1]
+}
+
+// AddCommand : ADD foo /path
+//
+// Add the file 'foo' to '/path'. Tarball and Remote URL (http, https) handling
+// exist here. If you do not wish to have this automatic handling, use COPY.
+//
+type AddCommand struct {
+	withNameAndCode
+	SourcesAndDest
+	Chown string
+}
+
+// Expand variables
+func (c *AddCommand) Expand(expander SingleWordExpander) error {
+	return expandSliceInPlace(c.SourcesAndDest, expander)
+}
+
+// CopyCommand : COPY foo /path
+//
+// Same as 'ADD' but without the tar and remote url handling.
+//
+type CopyCommand struct {
+	withNameAndCode
+	SourcesAndDest
+	From  string
+	Chown string
+}
+
+// Expand variables
+func (c *CopyCommand) Expand(expander SingleWordExpander) error {
+	return expandSliceInPlace(c.SourcesAndDest, expander)
+}
+
+// OnbuildCommand : ONBUILD <some other command>
+type OnbuildCommand struct {
+	withNameAndCode
+	Expression string
+}
+
+// WorkdirCommand : WORKDIR /tmp
+//
+// Set the working directory for future RUN/CMD/etc statements.
+//
+type WorkdirCommand struct {
+	withNameAndCode
+	Path string
+}
+
+// Expand variables
+func (c *WorkdirCommand) Expand(expander SingleWordExpander) error {
+	p, err := expander(c.Path)
+	if err != nil {
+		return err
+	}
+	c.Path = p
+	return nil
+}
+
+// ShellDependantCmdLine represents a cmdline optionally prepended with the shell
+type ShellDependantCmdLine struct {
+	CmdLine      strslice.StrSlice
+	PrependShell bool
+}
+
+// RunCommand : RUN some command yo
+//
+// run a command and commit the image. Args are automatically prepended with
+// the current SHELL which defaults to 'sh -c' under linux or 'cmd /S /C' under
+// Windows, in the event there is only one argument The difference in processing:
+//
+// RUN echo hi          # sh -c echo hi       (Linux)
+// RUN echo hi          # cmd /S /C echo hi   (Windows)
+// RUN [ "echo", "hi" ] # echo hi
+//
+type RunCommand struct {
+	withNameAndCode
+	withExternalData
+	ShellDependantCmdLine
+}
+
+// CmdCommand : CMD foo
+//
+// Set the default command to run in the container (which may be empty).
+// Argument handling is the same as RUN.
+//
+type CmdCommand struct {
+	withNameAndCode
+	ShellDependantCmdLine
+}
+
+// HealthCheckCommand : HEALTHCHECK foo
+//
+// Set the default healthcheck command to run in the container (which may be empty).
+// Argument handling is the same as RUN.
+//
+type HealthCheckCommand struct {
+	withNameAndCode
+	Health *container.HealthConfig
+}
+
+// EntrypointCommand : ENTRYPOINT /usr/sbin/nginx
+//
+// Set the entrypoint to /usr/sbin/nginx. Will accept the CMD as the arguments
+// to /usr/sbin/nginx. Uses the default shell if not in JSON format.
+//
+// Handles command processing similar to CMD and RUN, only req.runConfig.Entrypoint
+// is initialized at newBuilder time instead of through argument parsing.
+//
+type EntrypointCommand struct {
+	withNameAndCode
+	ShellDependantCmdLine
+}
+
+// ExposeCommand : EXPOSE 6667/tcp 7000/tcp
+//
+// Expose ports for links and port mappings. This all ends up in
+// req.runConfig.ExposedPorts for runconfig.
+//
+type ExposeCommand struct {
+	withNameAndCode
+	Ports []string
+}
+
+// UserCommand : USER foo
+//
+// Set the user to 'foo' for future commands and when running the
+// ENTRYPOINT/CMD at container run time.
+//
+type UserCommand struct {
+	withNameAndCode
+	User string
+}
+
+// Expand variables
+func (c *UserCommand) Expand(expander SingleWordExpander) error {
+	p, err := expander(c.User)
+	if err != nil {
+		return err
+	}
+	c.User = p
+	return nil
+}
+
+// VolumeCommand : VOLUME /foo
+//
+// Expose the volume /foo for use. Will also accept the JSON array form.
+//
+type VolumeCommand struct {
+	withNameAndCode
+	Volumes []string
+}
+
+// Expand variables
+func (c *VolumeCommand) Expand(expander SingleWordExpander) error {
+	return expandSliceInPlace(c.Volumes, expander)
+}
+
+// StopSignalCommand : STOPSIGNAL signal
+//
+// Set the signal that will be used to kill the container.
+type StopSignalCommand struct {
+	withNameAndCode
+	Signal string
+}
+
+// Expand variables
+func (c *StopSignalCommand) Expand(expander SingleWordExpander) error {
+	p, err := expander(c.Signal)
+	if err != nil {
+		return err
+	}
+	c.Signal = p
+	return nil
+}
+
+// CheckPlatform checks that the command is supported in the target platform
+func (c *StopSignalCommand) CheckPlatform(platform string) error {
+	if platform == "windows" {
+		return errors.New("The daemon on this platform does not support the command stopsignal")
+	}
+	return nil
+}
+
+// ArgCommand : ARG name[=value]
+//
+// Adds the variable foo to the trusted list of variables that can be passed
+// to builder using the --build-arg flag for expansion/substitution or passing to 'run'.
+// Dockerfile author may optionally set a default value of this variable.
+type ArgCommand struct {
+	withNameAndCode
+	KeyValuePairOptional
+}
+
+// Expand variables
+func (c *ArgCommand) Expand(expander SingleWordExpander) error {
+	p, err := expander(c.Key)
+	if err != nil {
+		return err
+	}
+	c.Key = p
+	if c.Value != nil {
+		p, err = expander(*c.Value)
+		if err != nil {
+			return err
+		}
+		c.Value = &p
+	}
+	return nil
+}
+
+// ShellCommand : SHELL powershell -command
+//
+// Set the non-default shell to use.
+type ShellCommand struct {
+	withNameAndCode
+	Shell strslice.StrSlice
+}
+
+// Stage represents a single stage in a multi-stage build
+type Stage struct {
+	Name       string
+	Commands   []Command
+	BaseName   string
+	SourceCode string
+	Platform   string
+}
+
+// AddCommand to the stage
+func (s *Stage) AddCommand(cmd Command) {
+	// todo: validate cmd type
+	s.Commands = append(s.Commands, cmd)
+}
+
+// IsCurrentStage check if the stage name is the current stage
+func IsCurrentStage(s []Stage, name string) bool {
+	if len(s) == 0 {
+		return false
+	}
+	return s[len(s)-1].Name == name
+}
+
+// CurrentStage return the last stage in a slice
+func CurrentStage(s []Stage) (*Stage, error) {
+	if len(s) == 0 {
+		return nil, errors.New("No build stage in current context")
+	}
+	return &s[len(s)-1], nil
+}
+
+// HasStage looks for the presence of a given stage name
+func HasStage(s []Stage, name string) (int, bool) {
+	for i, stage := range s {
+		// Stage name is case-insensitive by design
+		if strings.EqualFold(stage.Name, name) {
+			return i, true
+		}
+	}
+	return -1, false
+}
+
+type withExternalData struct {
+	m map[interface{}]interface{}
+}
+
+func (c *withExternalData) getExternalValue(k interface{}) interface{} {
+	return c.m[k]
+}
+
+func (c *withExternalData) setExternalValue(k, v interface{}) {
+	if c.m == nil {
+		c.m = map[interface{}]interface{}{}
+	}
+	c.m[k] = v
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands_runmount.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands_runmount.go
new file mode 100644
index 00000000..569c60bc
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/commands_runmount.go
@@ -0,0 +1,181 @@
+// +build dfrunmount dfextall
+
+package instructions
+
+import (
+	"encoding/csv"
+	"strconv"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+const MountTypeBind = "bind"
+const MountTypeCache = "cache"
+const MountTypeTmpfs = "tmpfs"
+
+var allowedMountTypes = map[string]struct{}{
+	MountTypeBind:  {},
+	MountTypeCache: {},
+	MountTypeTmpfs: {},
+}
+
+const MountSharingShared = "shared"
+const MountSharingPrivate = "private"
+const MountSharingLocked = "locked"
+
+var allowedSharingTypes = map[string]struct{}{
+	MountSharingShared:  {},
+	MountSharingPrivate: {},
+	MountSharingLocked:  {},
+}
+
+type mountsKeyT string
+
+var mountsKey = mountsKeyT("dockerfile/run/mounts")
+
+func init() {
+	parseRunPreHooks = append(parseRunPreHooks, runMountPreHook)
+	parseRunPostHooks = append(parseRunPostHooks, runMountPostHook)
+}
+
+func isValidMountType(s string) bool {
+	_, ok := allowedMountTypes[s]
+	return ok
+}
+
+func runMountPreHook(cmd *RunCommand, req parseRequest) error {
+	st := &mountState{}
+	st.flag = req.flags.AddStrings("mount")
+	cmd.setExternalValue(mountsKey, st)
+	return nil
+}
+
+func runMountPostHook(cmd *RunCommand, req parseRequest) error {
+	st := getMountState(cmd)
+	if st == nil {
+		return errors.Errorf("no mount state")
+	}
+	var mounts []*Mount
+	for _, str := range st.flag.StringValues {
+		m, err := parseMount(str)
+		if err != nil {
+			return err
+		}
+		mounts = append(mounts, m)
+	}
+	st.mounts = mounts
+	return nil
+}
+
+func getMountState(cmd *RunCommand) *mountState {
+	v := cmd.getExternalValue(mountsKey)
+	if v == nil {
+		return nil
+	}
+	return v.(*mountState)
+}
+
+func GetMounts(cmd *RunCommand) []*Mount {
+	return getMountState(cmd).mounts
+}
+
+type mountState struct {
+	flag   *Flag
+	mounts []*Mount
+}
+
+type Mount struct {
+	Type         string
+	From         string
+	Source       string
+	Target       string
+	ReadOnly     bool
+	CacheID      string
+	CacheSharing string
+}
+
+func parseMount(value string) (*Mount, error) {
+	csvReader := csv.NewReader(strings.NewReader(value))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse csv mounts")
+	}
+
+	m := &Mount{Type: MountTypeBind}
+
+	roAuto := true
+
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+		key := strings.ToLower(parts[0])
+
+		if len(parts) == 1 {
+			switch key {
+			case "readonly", "ro":
+				m.ReadOnly = true
+				roAuto = false
+				continue
+			case "readwrite", "rw":
+				m.ReadOnly = false
+				roAuto = false
+				continue
+			}
+		}
+
+		if len(parts) != 2 {
+			return nil, errors.Errorf("invalid field '%s' must be a key=value pair", field)
+		}
+
+		value := parts[1]
+		switch key {
+		case "type":
+			if !isValidMountType(strings.ToLower(value)) {
+				return nil, errors.Errorf("unsupported mount type %q", value)
+			}
+			m.Type = strings.ToLower(value)
+		case "from":
+			m.From = value
+		case "source", "src":
+			m.Source = value
+		case "target", "dst", "destination":
+			m.Target = value
+		case "readonly", "ro":
+			m.ReadOnly, err = strconv.ParseBool(value)
+			if err != nil {
+				return nil, errors.Errorf("invalid value for %s: %s", key, value)
+			}
+			roAuto = false
+		case "readwrite", "rw":
+			rw, err := strconv.ParseBool(value)
+			if err != nil {
+				return nil, errors.Errorf("invalid value for %s: %s", key, value)
+			}
+			m.ReadOnly = !rw
+			roAuto = false
+		case "id":
+			m.CacheID = value
+		case "sharing":
+			if _, ok := allowedSharingTypes[strings.ToLower(value)]; !ok {
+				return nil, errors.Errorf("unsupported sharing value %q", value)
+			}
+			m.CacheSharing = strings.ToLower(value)
+		default:
+			return nil, errors.Errorf("unexpected key '%s' in '%s'", key, field)
+		}
+	}
+
+	if roAuto {
+		if m.Type == MountTypeCache {
+			m.ReadOnly = false
+		} else {
+			m.ReadOnly = true
+		}
+	}
+
+	if m.CacheSharing != "" && m.Type != MountTypeCache {
+		return nil, errors.Errorf("invalid cache sharing set for %v mount", m.Type)
+	}
+
+	return m, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/errors_unix.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/errors_unix.go
new file mode 100644
index 00000000..0b03b34c
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/errors_unix.go
@@ -0,0 +1,9 @@
+// +build !windows
+
+package instructions
+
+import "fmt"
+
+func errNotJSON(command, _ string) error {
+	return fmt.Errorf("%s requires the arguments to be in JSON form", command)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/errors_windows.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/errors_windows.go
new file mode 100644
index 00000000..a4843c5b
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/errors_windows.go
@@ -0,0 +1,27 @@
+package instructions
+
+import (
+	"fmt"
+	"path/filepath"
+	"regexp"
+	"strings"
+)
+
+func errNotJSON(command, original string) error {
+	// For Windows users, give a hint if it looks like it might contain
+	// a path which hasn't been escaped such as ["c:\windows\system32\prog.exe", "-param"],
+	// as JSON must be escaped. Unfortunate...
+	//
+	// Specifically looking for quote-driveletter-colon-backslash, there's no
+	// double backslash and a [] pair. No, this is not perfect, but it doesn't
+	// have to be. It's simply a hint to make life a little easier.
+	extra := ""
+	original = filepath.FromSlash(strings.ToLower(strings.Replace(strings.ToLower(original), strings.ToLower(command)+" ", "", -1)))
+	if len(regexp.MustCompile(`"[a-z]:\\.*`).FindStringSubmatch(original)) > 0 &&
+		!strings.Contains(original, `\\`) &&
+		strings.Contains(original, "[") &&
+		strings.Contains(original, "]") {
+		extra = fmt.Sprintf(`. It looks like '%s' includes a file path without an escaped back-slash. JSON requires back-slashes to be escaped such as ["c:\\path\\to\\file.exe", "/parameter"]`, original)
+	}
+	return fmt.Errorf("%s requires the arguments to be in JSON form%s", command, extra)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/parse.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/parse.go
new file mode 100644
index 00000000..ef174575
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/parse.go
@@ -0,0 +1,649 @@
+package instructions
+
+import (
+	"fmt"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/moby/buildkit/frontend/dockerfile/command"
+	"github.com/moby/buildkit/frontend/dockerfile/parser"
+	"github.com/pkg/errors"
+)
+
+type parseRequest struct {
+	command    string
+	args       []string
+	attributes map[string]bool
+	flags      *BFlags
+	original   string
+}
+
+var parseRunPreHooks []func(*RunCommand, parseRequest) error
+var parseRunPostHooks []func(*RunCommand, parseRequest) error
+
+func nodeArgs(node *parser.Node) []string {
+	result := []string{}
+	for ; node.Next != nil; node = node.Next {
+		arg := node.Next
+		if len(arg.Children) == 0 {
+			result = append(result, arg.Value)
+		} else if len(arg.Children) == 1 {
+			//sub command
+			result = append(result, arg.Children[0].Value)
+			result = append(result, nodeArgs(arg.Children[0])...)
+		}
+	}
+	return result
+}
+
+func newParseRequestFromNode(node *parser.Node) parseRequest {
+	return parseRequest{
+		command:    node.Value,
+		args:       nodeArgs(node),
+		attributes: node.Attributes,
+		original:   node.Original,
+		flags:      NewBFlagsWithArgs(node.Flags),
+	}
+}
+
+// ParseInstruction converts an AST to a typed instruction (either a command or a build stage beginning when encountering a `FROM` statement)
+func ParseInstruction(node *parser.Node) (interface{}, error) {
+	req := newParseRequestFromNode(node)
+	switch node.Value {
+	case command.Env:
+		return parseEnv(req)
+	case command.Maintainer:
+		return parseMaintainer(req)
+	case command.Label:
+		return parseLabel(req)
+	case command.Add:
+		return parseAdd(req)
+	case command.Copy:
+		return parseCopy(req)
+	case command.From:
+		return parseFrom(req)
+	case command.Onbuild:
+		return parseOnBuild(req)
+	case command.Workdir:
+		return parseWorkdir(req)
+	case command.Run:
+		return parseRun(req)
+	case command.Cmd:
+		return parseCmd(req)
+	case command.Healthcheck:
+		return parseHealthcheck(req)
+	case command.Entrypoint:
+		return parseEntrypoint(req)
+	case command.Expose:
+		return parseExpose(req)
+	case command.User:
+		return parseUser(req)
+	case command.Volume:
+		return parseVolume(req)
+	case command.StopSignal:
+		return parseStopSignal(req)
+	case command.Arg:
+		return parseArg(req)
+	case command.Shell:
+		return parseShell(req)
+	}
+
+	return nil, &UnknownInstruction{Instruction: node.Value, Line: node.StartLine}
+}
+
+// ParseCommand converts an AST to a typed Command
+func ParseCommand(node *parser.Node) (Command, error) {
+	s, err := ParseInstruction(node)
+	if err != nil {
+		return nil, err
+	}
+	if c, ok := s.(Command); ok {
+		return c, nil
+	}
+	return nil, errors.Errorf("%T is not a command type", s)
+}
+
+// UnknownInstruction represents an error occurring when a command is unresolvable
+type UnknownInstruction struct {
+	Line        int
+	Instruction string
+}
+
+func (e *UnknownInstruction) Error() string {
+	return fmt.Sprintf("unknown instruction: %s", strings.ToUpper(e.Instruction))
+}
+
+// IsUnknownInstruction checks if the error is an UnknownInstruction or a parseError containing an UnknownInstruction
+func IsUnknownInstruction(err error) bool {
+	_, ok := err.(*UnknownInstruction)
+	if !ok {
+		var pe *parseError
+		if pe, ok = err.(*parseError); ok {
+			_, ok = pe.inner.(*UnknownInstruction)
+		}
+	}
+	return ok
+}
+
+type parseError struct {
+	inner error
+	node  *parser.Node
+}
+
+func (e *parseError) Error() string {
+	return fmt.Sprintf("Dockerfile parse error line %d: %v", e.node.StartLine, e.inner.Error())
+}
+
+// Parse a docker file into a collection of buildable stages
+func Parse(ast *parser.Node) (stages []Stage, metaArgs []ArgCommand, err error) {
+	for _, n := range ast.Children {
+		cmd, err := ParseInstruction(n)
+		if err != nil {
+			return nil, nil, &parseError{inner: err, node: n}
+		}
+		if len(stages) == 0 {
+			// meta arg case
+			if a, isArg := cmd.(*ArgCommand); isArg {
+				metaArgs = append(metaArgs, *a)
+				continue
+			}
+		}
+		switch c := cmd.(type) {
+		case *Stage:
+			stages = append(stages, *c)
+		case Command:
+			stage, err := CurrentStage(stages)
+			if err != nil {
+				return nil, nil, err
+			}
+			stage.AddCommand(c)
+		default:
+			return nil, nil, errors.Errorf("%T is not a command type", cmd)
+		}
+
+	}
+	return stages, metaArgs, nil
+}
+
+func parseKvps(args []string, cmdName string) (KeyValuePairs, error) {
+	if len(args) == 0 {
+		return nil, errAtLeastOneArgument(cmdName)
+	}
+	if len(args)%2 != 0 {
+		// should never get here, but just in case
+		return nil, errTooManyArguments(cmdName)
+	}
+	var res KeyValuePairs
+	for j := 0; j < len(args); j += 2 {
+		if len(args[j]) == 0 {
+			return nil, errBlankCommandNames(cmdName)
+		}
+		name := args[j]
+		value := args[j+1]
+		res = append(res, KeyValuePair{Key: name, Value: value})
+	}
+	return res, nil
+}
+
+func parseEnv(req parseRequest) (*EnvCommand, error) {
+
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+	envs, err := parseKvps(req.args, "ENV")
+	if err != nil {
+		return nil, err
+	}
+	return &EnvCommand{
+		Env:             envs,
+		withNameAndCode: newWithNameAndCode(req),
+	}, nil
+}
+
+func parseMaintainer(req parseRequest) (*MaintainerCommand, error) {
+	if len(req.args) != 1 {
+		return nil, errExactlyOneArgument("MAINTAINER")
+	}
+
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+	return &MaintainerCommand{
+		Maintainer:      req.args[0],
+		withNameAndCode: newWithNameAndCode(req),
+	}, nil
+}
+
+func parseLabel(req parseRequest) (*LabelCommand, error) {
+
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+
+	labels, err := parseKvps(req.args, "LABEL")
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelCommand{
+		Labels:          labels,
+		withNameAndCode: newWithNameAndCode(req),
+	}, nil
+}
+
+func parseAdd(req parseRequest) (*AddCommand, error) {
+	if len(req.args) < 2 {
+		return nil, errNoDestinationArgument("ADD")
+	}
+	flChown := req.flags.AddString("chown", "")
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+	return &AddCommand{
+		SourcesAndDest:  SourcesAndDest(req.args),
+		withNameAndCode: newWithNameAndCode(req),
+		Chown:           flChown.Value,
+	}, nil
+}
+
+func parseCopy(req parseRequest) (*CopyCommand, error) {
+	if len(req.args) < 2 {
+		return nil, errNoDestinationArgument("COPY")
+	}
+	flChown := req.flags.AddString("chown", "")
+	flFrom := req.flags.AddString("from", "")
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+	return &CopyCommand{
+		SourcesAndDest:  SourcesAndDest(req.args),
+		From:            flFrom.Value,
+		withNameAndCode: newWithNameAndCode(req),
+		Chown:           flChown.Value,
+	}, nil
+}
+
+func parseFrom(req parseRequest) (*Stage, error) {
+	stageName, err := parseBuildStageName(req.args)
+	if err != nil {
+		return nil, err
+	}
+
+	flPlatform := req.flags.AddString("platform", "")
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+
+	code := strings.TrimSpace(req.original)
+	return &Stage{
+		BaseName:   req.args[0],
+		Name:       stageName,
+		SourceCode: code,
+		Commands:   []Command{},
+		Platform:   flPlatform.Value,
+	}, nil
+
+}
+
+func parseBuildStageName(args []string) (string, error) {
+	stageName := ""
+	switch {
+	case len(args) == 3 && strings.EqualFold(args[1], "as"):
+		stageName = strings.ToLower(args[2])
+		if ok, _ := regexp.MatchString("^[a-z][a-z0-9-_\\.]*$", stageName); !ok {
+			return "", errors.Errorf("invalid name for build stage: %q, name can't start with a number or contain symbols", stageName)
+		}
+	case len(args) != 1:
+		return "", errors.New("FROM requires either one or three arguments")
+	}
+
+	return stageName, nil
+}
+
+func parseOnBuild(req parseRequest) (*OnbuildCommand, error) {
+	if len(req.args) == 0 {
+		return nil, errAtLeastOneArgument("ONBUILD")
+	}
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+
+	triggerInstruction := strings.ToUpper(strings.TrimSpace(req.args[0]))
+	switch strings.ToUpper(triggerInstruction) {
+	case "ONBUILD":
+		return nil, errors.New("Chaining ONBUILD via `ONBUILD ONBUILD` isn't allowed")
+	case "MAINTAINER", "FROM":
+		return nil, fmt.Errorf("%s isn't allowed as an ONBUILD trigger", triggerInstruction)
+	}
+
+	original := regexp.MustCompile(`(?i)^\s*ONBUILD\s*`).ReplaceAllString(req.original, "")
+	return &OnbuildCommand{
+		Expression:      original,
+		withNameAndCode: newWithNameAndCode(req),
+	}, nil
+
+}
+
+func parseWorkdir(req parseRequest) (*WorkdirCommand, error) {
+	if len(req.args) != 1 {
+		return nil, errExactlyOneArgument("WORKDIR")
+	}
+
+	err := req.flags.Parse()
+	if err != nil {
+		return nil, err
+	}
+	return &WorkdirCommand{
+		Path:            req.args[0],
+		withNameAndCode: newWithNameAndCode(req),
+	}, nil
+
+}
+
+func parseShellDependentCommand(req parseRequest, emptyAsNil bool) ShellDependantCmdLine {
+	args := handleJSONArgs(req.args, req.attributes)
+	cmd := strslice.StrSlice(args)
+	if emptyAsNil && len(cmd) == 0 {
+		cmd = nil
+	}
+	return ShellDependantCmdLine{
+		CmdLine:      cmd,
+		PrependShell: !req.attributes["json"],
+	}
+}
+
+func parseRun(req parseRequest) (*RunCommand, error) {
+	cmd := &RunCommand{}
+
+	for _, fn := range parseRunPreHooks {
+		if err := fn(cmd, req); err != nil {
+			return nil, err
+		}
+	}
+
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+
+	cmd.ShellDependantCmdLine = parseShellDependentCommand(req, false)
+	cmd.withNameAndCode = newWithNameAndCode(req)
+
+	for _, fn := range parseRunPostHooks {
+		if err := fn(cmd, req); err != nil {
+			return nil, err
+		}
+	}
+
+	return cmd, nil
+}
+
+func parseCmd(req parseRequest) (*CmdCommand, error) {
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+	return &CmdCommand{
+		ShellDependantCmdLine: parseShellDependentCommand(req, false),
+		withNameAndCode:       newWithNameAndCode(req),
+	}, nil
+
+}
+
+func parseEntrypoint(req parseRequest) (*EntrypointCommand, error) {
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+
+	cmd := &EntrypointCommand{
+		ShellDependantCmdLine: parseShellDependentCommand(req, true),
+		withNameAndCode:       newWithNameAndCode(req),
+	}
+
+	return cmd, nil
+}
+
+// parseOptInterval(flag) is the duration of flag.Value, or 0 if
+// empty. An error is reported if the value is given and less than minimum duration.
+func parseOptInterval(f *Flag) (time.Duration, error) {
+	s := f.Value
+	if s == "" {
+		return 0, nil
+	}
+	d, err := time.ParseDuration(s)
+	if err != nil {
+		return 0, err
+	}
+	if d < container.MinimumDuration {
+		return 0, fmt.Errorf("Interval %#v cannot be less than %s", f.name, container.MinimumDuration)
+	}
+	return d, nil
+}
+func parseHealthcheck(req parseRequest) (*HealthCheckCommand, error) {
+	if len(req.args) == 0 {
+		return nil, errAtLeastOneArgument("HEALTHCHECK")
+	}
+	cmd := &HealthCheckCommand{
+		withNameAndCode: newWithNameAndCode(req),
+	}
+
+	typ := strings.ToUpper(req.args[0])
+	args := req.args[1:]
+	if typ == "NONE" {
+		if len(args) != 0 {
+			return nil, errors.New("HEALTHCHECK NONE takes no arguments")
+		}
+		test := strslice.StrSlice{typ}
+		cmd.Health = &container.HealthConfig{
+			Test: test,
+		}
+	} else {
+
+		healthcheck := container.HealthConfig{}
+
+		flInterval := req.flags.AddString("interval", "")
+		flTimeout := req.flags.AddString("timeout", "")
+		flStartPeriod := req.flags.AddString("start-period", "")
+		flRetries := req.flags.AddString("retries", "")
+
+		if err := req.flags.Parse(); err != nil {
+			return nil, err
+		}
+
+		switch typ {
+		case "CMD":
+			cmdSlice := handleJSONArgs(args, req.attributes)
+			if len(cmdSlice) == 0 {
+				return nil, errors.New("Missing command after HEALTHCHECK CMD")
+			}
+
+			if !req.attributes["json"] {
+				typ = "CMD-SHELL"
+			}
+
+			healthcheck.Test = strslice.StrSlice(append([]string{typ}, cmdSlice...))
+		default:
+			return nil, fmt.Errorf("Unknown type %#v in HEALTHCHECK (try CMD)", typ)
+		}
+
+		interval, err := parseOptInterval(flInterval)
+		if err != nil {
+			return nil, err
+		}
+		healthcheck.Interval = interval
+
+		timeout, err := parseOptInterval(flTimeout)
+		if err != nil {
+			return nil, err
+		}
+		healthcheck.Timeout = timeout
+
+		startPeriod, err := parseOptInterval(flStartPeriod)
+		if err != nil {
+			return nil, err
+		}
+		healthcheck.StartPeriod = startPeriod
+
+		if flRetries.Value != "" {
+			retries, err := strconv.ParseInt(flRetries.Value, 10, 32)
+			if err != nil {
+				return nil, err
+			}
+			if retries < 1 {
+				return nil, fmt.Errorf("--retries must be at least 1 (not %d)", retries)
+			}
+			healthcheck.Retries = int(retries)
+		} else {
+			healthcheck.Retries = 0
+		}
+
+		cmd.Health = &healthcheck
+	}
+	return cmd, nil
+}
+
+func parseExpose(req parseRequest) (*ExposeCommand, error) {
+	portsTab := req.args
+
+	if len(req.args) == 0 {
+		return nil, errAtLeastOneArgument("EXPOSE")
+	}
+
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+
+	sort.Strings(portsTab)
+	return &ExposeCommand{
+		Ports:           portsTab,
+		withNameAndCode: newWithNameAndCode(req),
+	}, nil
+}
+
+func parseUser(req parseRequest) (*UserCommand, error) {
+	if len(req.args) != 1 {
+		return nil, errExactlyOneArgument("USER")
+	}
+
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+	return &UserCommand{
+		User:            req.args[0],
+		withNameAndCode: newWithNameAndCode(req),
+	}, nil
+}
+
+func parseVolume(req parseRequest) (*VolumeCommand, error) {
+	if len(req.args) == 0 {
+		return nil, errAtLeastOneArgument("VOLUME")
+	}
+
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+
+	cmd := &VolumeCommand{
+		withNameAndCode: newWithNameAndCode(req),
+	}
+
+	for _, v := range req.args {
+		v = strings.TrimSpace(v)
+		if v == "" {
+			return nil, errors.New("VOLUME specified can not be an empty string")
+		}
+		cmd.Volumes = append(cmd.Volumes, v)
+	}
+	return cmd, nil
+
+}
+
+func parseStopSignal(req parseRequest) (*StopSignalCommand, error) {
+	if len(req.args) != 1 {
+		return nil, errExactlyOneArgument("STOPSIGNAL")
+	}
+	sig := req.args[0]
+
+	cmd := &StopSignalCommand{
+		Signal:          sig,
+		withNameAndCode: newWithNameAndCode(req),
+	}
+	return cmd, nil
+
+}
+
+func parseArg(req parseRequest) (*ArgCommand, error) {
+	if len(req.args) != 1 {
+		return nil, errExactlyOneArgument("ARG")
+	}
+
+	kvpo := KeyValuePairOptional{}
+
+	arg := req.args[0]
+	// 'arg' can just be a name or name-value pair. Note that this is different
+	// from 'env' that handles the split of name and value at the parser level.
+	// The reason for doing it differently for 'arg' is that we support just
+	// defining an arg and not assign it a value (while 'env' always expects a
+	// name-value pair). If possible, it will be good to harmonize the two.
+	if strings.Contains(arg, "=") {
+		parts := strings.SplitN(arg, "=", 2)
+		if len(parts[0]) == 0 {
+			return nil, errBlankCommandNames("ARG")
+		}
+
+		kvpo.Key = parts[0]
+		kvpo.Value = &parts[1]
+	} else {
+		kvpo.Key = arg
+	}
+
+	return &ArgCommand{
+		KeyValuePairOptional: kvpo,
+		withNameAndCode:      newWithNameAndCode(req),
+	}, nil
+}
+
+func parseShell(req parseRequest) (*ShellCommand, error) {
+	if err := req.flags.Parse(); err != nil {
+		return nil, err
+	}
+	shellSlice := handleJSONArgs(req.args, req.attributes)
+	switch {
+	case len(shellSlice) == 0:
+		// SHELL []
+		return nil, errAtLeastOneArgument("SHELL")
+	case req.attributes["json"]:
+		// SHELL ["powershell", "-command"]
+
+		return &ShellCommand{
+			Shell:           strslice.StrSlice(shellSlice),
+			withNameAndCode: newWithNameAndCode(req),
+		}, nil
+	default:
+		// SHELL powershell -command - not JSON
+		return nil, errNotJSON("SHELL", req.original)
+	}
+}
+
+func errAtLeastOneArgument(command string) error {
+	return errors.Errorf("%s requires at least one argument", command)
+}
+
+func errExactlyOneArgument(command string) error {
+	return errors.Errorf("%s requires exactly one argument", command)
+}
+
+func errNoDestinationArgument(command string) error {
+	return errors.Errorf("%s requires at least two arguments, but only one was provided. Destination could not be determined.", command)
+}
+
+func errBlankCommandNames(command string) error {
+	return errors.Errorf("%s names can not be blank", command)
+}
+
+func errTooManyArguments(command string) error {
+	return errors.Errorf("Bad input to %s, too many arguments", command)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/support.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/support.go
new file mode 100644
index 00000000..beefe775
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/instructions/support.go
@@ -0,0 +1,19 @@
+package instructions
+
+import "strings"
+
+// handleJSONArgs parses command passed to CMD, ENTRYPOINT, RUN and SHELL instruction in Dockerfile
+// for exec form it returns untouched args slice
+// for shell form it returns concatenated args as the first element of a slice
+func handleJSONArgs(args []string, attributes map[string]bool) []string {
+	if len(args) == 0 {
+		return []string{}
+	}
+
+	if attributes != nil && attributes["json"] {
+		return args
+	}
+
+	// literal string command, not an exec array
+	return []string{strings.Join(args, " ")}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/line_parsers.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/line_parsers.go
new file mode 100644
index 00000000..15f00ce7
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/line_parsers.go
@@ -0,0 +1,368 @@
+package parser
+
+// line parsers are dispatch calls that parse a single unit of text into a
+// Node object which contains the whole statement. Dockerfiles have varied
+// (but not usually unique, see ONBUILD for a unique example) parsing rules
+// per-command, and these unify the processing in a way that makes it
+// manageable.
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+var (
+	errDockerfileNotStringArray = errors.New("when using JSON array syntax, arrays must be comprised of strings only")
+)
+
+const (
+	commandLabel = "LABEL"
+)
+
+// ignore the current argument. This will still leave a command parsed, but
+// will not incorporate the arguments into the ast.
+func parseIgnore(rest string, d *Directive) (*Node, map[string]bool, error) {
+	return &Node{}, nil, nil
+}
+
+// used for onbuild. Could potentially be used for anything that represents a
+// statement with sub-statements.
+//
+// ONBUILD RUN foo bar -> (onbuild (run foo bar))
+//
+func parseSubCommand(rest string, d *Directive) (*Node, map[string]bool, error) {
+	if rest == "" {
+		return nil, nil, nil
+	}
+
+	child, err := newNodeFromLine(rest, d)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return &Node{Children: []*Node{child}}, nil, nil
+}
+
+// helper to parse words (i.e space delimited or quoted strings) in a statement.
+// The quotes are preserved as part of this function and they are stripped later
+// as part of processWords().
+func parseWords(rest string, d *Directive) []string {
+	const (
+		inSpaces = iota // looking for start of a word
+		inWord
+		inQuote
+	)
+
+	words := []string{}
+	phase := inSpaces
+	word := ""
+	quote := '\000'
+	blankOK := false
+	var ch rune
+	var chWidth int
+
+	for pos := 0; pos <= len(rest); pos += chWidth {
+		if pos != len(rest) {
+			ch, chWidth = utf8.DecodeRuneInString(rest[pos:])
+		}
+
+		if phase == inSpaces { // Looking for start of word
+			if pos == len(rest) { // end of input
+				break
+			}
+			if unicode.IsSpace(ch) { // skip spaces
+				continue
+			}
+			phase = inWord // found it, fall through
+		}
+		if (phase == inWord || phase == inQuote) && (pos == len(rest)) {
+			if blankOK || len(word) > 0 {
+				words = append(words, word)
+			}
+			break
+		}
+		if phase == inWord {
+			if unicode.IsSpace(ch) {
+				phase = inSpaces
+				if blankOK || len(word) > 0 {
+					words = append(words, word)
+				}
+				word = ""
+				blankOK = false
+				continue
+			}
+			if ch == '\'' || ch == '"' {
+				quote = ch
+				blankOK = true
+				phase = inQuote
+			}
+			if ch == d.escapeToken {
+				if pos+chWidth == len(rest) {
+					continue // just skip an escape token at end of line
+				}
+				// If we're not quoted and we see an escape token, then always just
+				// add the escape token plus the char to the word, even if the char
+				// is a quote.
+				word += string(ch)
+				pos += chWidth
+				ch, chWidth = utf8.DecodeRuneInString(rest[pos:])
+			}
+			word += string(ch)
+			continue
+		}
+		if phase == inQuote {
+			if ch == quote {
+				phase = inWord
+			}
+			// The escape token is special except for ' quotes - can't escape anything for '
+			if ch == d.escapeToken && quote != '\'' {
+				if pos+chWidth == len(rest) {
+					phase = inWord
+					continue // just skip the escape token at end
+				}
+				pos += chWidth
+				word += string(ch)
+				ch, chWidth = utf8.DecodeRuneInString(rest[pos:])
+			}
+			word += string(ch)
+		}
+	}
+
+	return words
+}
+
+// parse environment like statements. Note that this does *not* handle
+// variable interpolation, which will be handled in the evaluator.
+func parseNameVal(rest string, key string, d *Directive) (*Node, error) {
+	// This is kind of tricky because we need to support the old
+	// variant:   KEY name value
+	// as well as the new one:    KEY name=value ...
+	// The trigger to know which one is being used will be whether we hit
+	// a space or = first.  space ==> old, "=" ==> new
+
+	words := parseWords(rest, d)
+	if len(words) == 0 {
+		return nil, nil
+	}
+
+	// Old format (KEY name value)
+	if !strings.Contains(words[0], "=") {
+		parts := tokenWhitespace.Split(rest, 2)
+		if len(parts) < 2 {
+			return nil, fmt.Errorf(key + " must have two arguments")
+		}
+		return newKeyValueNode(parts[0], parts[1]), nil
+	}
+
+	var rootNode *Node
+	var prevNode *Node
+	for _, word := range words {
+		if !strings.Contains(word, "=") {
+			return nil, fmt.Errorf("Syntax error - can't find = in %q. Must be of the form: name=value", word)
+		}
+
+		parts := strings.SplitN(word, "=", 2)
+		node := newKeyValueNode(parts[0], parts[1])
+		rootNode, prevNode = appendKeyValueNode(node, rootNode, prevNode)
+	}
+
+	return rootNode, nil
+}
+
+func newKeyValueNode(key, value string) *Node {
+	return &Node{
+		Value: key,
+		Next:  &Node{Value: value},
+	}
+}
+
+func appendKeyValueNode(node, rootNode, prevNode *Node) (*Node, *Node) {
+	if rootNode == nil {
+		rootNode = node
+	}
+	if prevNode != nil {
+		prevNode.Next = node
+	}
+
+	prevNode = node.Next
+	return rootNode, prevNode
+}
+
+func parseEnv(rest string, d *Directive) (*Node, map[string]bool, error) {
+	node, err := parseNameVal(rest, "ENV", d)
+	return node, nil, err
+}
+
+func parseLabel(rest string, d *Directive) (*Node, map[string]bool, error) {
+	node, err := parseNameVal(rest, commandLabel, d)
+	return node, nil, err
+}
+
+// parses a statement containing one or more keyword definition(s) and/or
+// value assignments, like `name1 name2= name3="" name4=value`.
+// Note that this is a stricter format than the old format of assignment,
+// allowed by parseNameVal(), in a way that this only allows assignment of the
+// form `keyword=[<value>]` like  `name2=`, `name3=""`, and `name4=value` above.
+// In addition, a keyword definition alone is of the form `keyword` like `name1`
+// above. And the assignments `name2=` and `name3=""` are equivalent and
+// assign an empty value to the respective keywords.
+func parseNameOrNameVal(rest string, d *Directive) (*Node, map[string]bool, error) {
+	words := parseWords(rest, d)
+	if len(words) == 0 {
+		return nil, nil, nil
+	}
+
+	var (
+		rootnode *Node
+		prevNode *Node
+	)
+	for i, word := range words {
+		node := &Node{}
+		node.Value = word
+		if i == 0 {
+			rootnode = node
+		} else {
+			prevNode.Next = node
+		}
+		prevNode = node
+	}
+
+	return rootnode, nil, nil
+}
+
+// parses a whitespace-delimited set of arguments. The result is effectively a
+// linked list of string arguments.
+func parseStringsWhitespaceDelimited(rest string, d *Directive) (*Node, map[string]bool, error) {
+	if rest == "" {
+		return nil, nil, nil
+	}
+
+	node := &Node{}
+	rootnode := node
+	prevnode := node
+	for _, str := range tokenWhitespace.Split(rest, -1) { // use regexp
+		prevnode = node
+		node.Value = str
+		node.Next = &Node{}
+		node = node.Next
+	}
+
+	// XXX to get around regexp.Split *always* providing an empty string at the
+	// end due to how our loop is constructed, nil out the last node in the
+	// chain.
+	prevnode.Next = nil
+
+	return rootnode, nil, nil
+}
+
+// parseString just wraps the string in quotes and returns a working node.
+func parseString(rest string, d *Directive) (*Node, map[string]bool, error) {
+	if rest == "" {
+		return nil, nil, nil
+	}
+	n := &Node{}
+	n.Value = rest
+	return n, nil, nil
+}
+
+// parseJSON converts JSON arrays to an AST.
+func parseJSON(rest string, d *Directive) (*Node, map[string]bool, error) {
+	rest = strings.TrimLeftFunc(rest, unicode.IsSpace)
+	if !strings.HasPrefix(rest, "[") {
+		return nil, nil, fmt.Errorf(`Error parsing "%s" as a JSON array`, rest)
+	}
+
+	var myJSON []interface{}
+	if err := json.NewDecoder(strings.NewReader(rest)).Decode(&myJSON); err != nil {
+		return nil, nil, err
+	}
+
+	var top, prev *Node
+	for _, str := range myJSON {
+		s, ok := str.(string)
+		if !ok {
+			return nil, nil, errDockerfileNotStringArray
+		}
+
+		node := &Node{Value: s}
+		if prev == nil {
+			top = node
+		} else {
+			prev.Next = node
+		}
+		prev = node
+	}
+
+	return top, map[string]bool{"json": true}, nil
+}
+
+// parseMaybeJSON determines if the argument appears to be a JSON array. If
+// so, passes to parseJSON; if not, quotes the result and returns a single
+// node.
+func parseMaybeJSON(rest string, d *Directive) (*Node, map[string]bool, error) {
+	if rest == "" {
+		return nil, nil, nil
+	}
+
+	node, attrs, err := parseJSON(rest, d)
+
+	if err == nil {
+		return node, attrs, nil
+	}
+	if err == errDockerfileNotStringArray {
+		return nil, nil, err
+	}
+
+	node = &Node{}
+	node.Value = rest
+	return node, nil, nil
+}
+
+// parseMaybeJSONToList determines if the argument appears to be a JSON array. If
+// so, passes to parseJSON; if not, attempts to parse it as a whitespace
+// delimited string.
+func parseMaybeJSONToList(rest string, d *Directive) (*Node, map[string]bool, error) {
+	node, attrs, err := parseJSON(rest, d)
+
+	if err == nil {
+		return node, attrs, nil
+	}
+	if err == errDockerfileNotStringArray {
+		return nil, nil, err
+	}
+
+	return parseStringsWhitespaceDelimited(rest, d)
+}
+
+// The HEALTHCHECK command is like parseMaybeJSON, but has an extra type argument.
+func parseHealthConfig(rest string, d *Directive) (*Node, map[string]bool, error) {
+	// Find end of first argument
+	var sep int
+	for ; sep < len(rest); sep++ {
+		if unicode.IsSpace(rune(rest[sep])) {
+			break
+		}
+	}
+	next := sep
+	for ; next < len(rest); next++ {
+		if !unicode.IsSpace(rune(rest[next])) {
+			break
+		}
+	}
+
+	if sep == 0 {
+		return nil, nil, nil
+	}
+
+	typ := rest[:sep]
+	cmd, attrs, err := parseMaybeJSON(rest[next:], d)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return &Node{Value: typ, Next: cmd}, attrs, err
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/parser.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/parser.go
new file mode 100644
index 00000000..0453f3a9
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/parser.go
@@ -0,0 +1,327 @@
+// Package parser implements a parser and parse tree dumper for Dockerfiles.
+package parser
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"io"
+	"regexp"
+	"strconv"
+	"strings"
+	"unicode"
+
+	"github.com/moby/buildkit/frontend/dockerfile/command"
+	"github.com/pkg/errors"
+)
+
+// Node is a structure used to represent a parse tree.
+//
+// In the node there are three fields, Value, Next, and Children. Value is the
+// current token's string value. Next is always the next non-child token, and
+// children contains all the children. Here's an example:
+//
+// (value next (child child-next child-next-next) next-next)
+//
+// This data structure is frankly pretty lousy for handling complex languages,
+// but lucky for us the Dockerfile isn't very complicated. This structure
+// works a little more effectively than a "proper" parse tree for our needs.
+//
+type Node struct {
+	Value      string          // actual content
+	Next       *Node           // the next item in the current sexp
+	Children   []*Node         // the children of this sexp
+	Attributes map[string]bool // special attributes for this node
+	Original   string          // original line used before parsing
+	Flags      []string        // only top Node should have this set
+	StartLine  int             // the line in the original dockerfile where the node begins
+	endLine    int             // the line in the original dockerfile where the node ends
+}
+
+// Dump dumps the AST defined by `node` as a list of sexps.
+// Returns a string suitable for printing.
+func (node *Node) Dump() string {
+	str := ""
+	str += node.Value
+
+	if len(node.Flags) > 0 {
+		str += fmt.Sprintf(" %q", node.Flags)
+	}
+
+	for _, n := range node.Children {
+		str += "(" + n.Dump() + ")\n"
+	}
+
+	for n := node.Next; n != nil; n = n.Next {
+		if len(n.Children) > 0 {
+			str += " " + n.Dump()
+		} else {
+			str += " " + strconv.Quote(n.Value)
+		}
+	}
+
+	return strings.TrimSpace(str)
+}
+
+func (node *Node) lines(start, end int) {
+	node.StartLine = start
+	node.endLine = end
+}
+
+// AddChild adds a new child node, and updates line information
+func (node *Node) AddChild(child *Node, startLine, endLine int) {
+	child.lines(startLine, endLine)
+	if node.StartLine < 0 {
+		node.StartLine = startLine
+	}
+	node.endLine = endLine
+	node.Children = append(node.Children, child)
+}
+
+var (
+	dispatch           map[string]func(string, *Directive) (*Node, map[string]bool, error)
+	tokenWhitespace    = regexp.MustCompile(`[\t\v\f\r ]+`)
+	tokenEscapeCommand = regexp.MustCompile(`^#[ \t]*escape[ \t]*=[ \t]*(?P<escapechar>.).*$`)
+	tokenComment       = regexp.MustCompile(`^#.*$`)
+)
+
+// DefaultEscapeToken is the default escape token
+const DefaultEscapeToken = '\\'
+
+// Directive is the structure used during a build run to hold the state of
+// parsing directives.
+type Directive struct {
+	escapeToken           rune           // Current escape token
+	lineContinuationRegex *regexp.Regexp // Current line continuation regex
+	processingComplete    bool           // Whether we are done looking for directives
+	escapeSeen            bool           // Whether the escape directive has been seen
+}
+
+// setEscapeToken sets the default token for escaping characters in a Dockerfile.
+func (d *Directive) setEscapeToken(s string) error {
+	if s != "`" && s != "\\" {
+		return fmt.Errorf("invalid ESCAPE '%s'. Must be ` or \\", s)
+	}
+	d.escapeToken = rune(s[0])
+	d.lineContinuationRegex = regexp.MustCompile(`\` + s + `[ \t]*$`)
+	return nil
+}
+
+// possibleParserDirective looks for parser directives, eg '# escapeToken=<char>'.
+// Parser directives must precede any builder instruction or other comments,
+// and cannot be repeated.
+func (d *Directive) possibleParserDirective(line string) error {
+	if d.processingComplete {
+		return nil
+	}
+
+	tecMatch := tokenEscapeCommand.FindStringSubmatch(strings.ToLower(line))
+	if len(tecMatch) != 0 {
+		for i, n := range tokenEscapeCommand.SubexpNames() {
+			if n == "escapechar" {
+				if d.escapeSeen {
+					return errors.New("only one escape parser directive can be used")
+				}
+				d.escapeSeen = true
+				return d.setEscapeToken(tecMatch[i])
+			}
+		}
+	}
+
+	d.processingComplete = true
+	return nil
+}
+
+// NewDefaultDirective returns a new Directive with the default escapeToken token
+func NewDefaultDirective() *Directive {
+	directive := Directive{}
+	directive.setEscapeToken(string(DefaultEscapeToken))
+	return &directive
+}
+
+func init() {
+	// Dispatch Table. see line_parsers.go for the parse functions.
+	// The command is parsed and mapped to the line parser. The line parser
+	// receives the arguments but not the command, and returns an AST after
+	// reformulating the arguments according to the rules in the parser
+	// functions. Errors are propagated up by Parse() and the resulting AST can
+	// be incorporated directly into the existing AST as a next.
+	dispatch = map[string]func(string, *Directive) (*Node, map[string]bool, error){
+		command.Add:         parseMaybeJSONToList,
+		command.Arg:         parseNameOrNameVal,
+		command.Cmd:         parseMaybeJSON,
+		command.Copy:        parseMaybeJSONToList,
+		command.Entrypoint:  parseMaybeJSON,
+		command.Env:         parseEnv,
+		command.Expose:      parseStringsWhitespaceDelimited,
+		command.From:        parseStringsWhitespaceDelimited,
+		command.Healthcheck: parseHealthConfig,
+		command.Label:       parseLabel,
+		command.Maintainer:  parseString,
+		command.Onbuild:     parseSubCommand,
+		command.Run:         parseMaybeJSON,
+		command.Shell:       parseMaybeJSON,
+		command.StopSignal:  parseString,
+		command.User:        parseString,
+		command.Volume:      parseMaybeJSONToList,
+		command.Workdir:     parseString,
+	}
+}
+
+// newNodeFromLine splits the line into parts, and dispatches to a function
+// based on the command and command arguments. A Node is created from the
+// result of the dispatch.
+func newNodeFromLine(line string, directive *Directive) (*Node, error) {
+	cmd, flags, args, err := splitCommand(line)
+	if err != nil {
+		return nil, err
+	}
+
+	fn := dispatch[cmd]
+	// Ignore invalid Dockerfile instructions
+	if fn == nil {
+		fn = parseIgnore
+	}
+	next, attrs, err := fn(args, directive)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Node{
+		Value:      cmd,
+		Original:   line,
+		Flags:      flags,
+		Next:       next,
+		Attributes: attrs,
+	}, nil
+}
+
+// Result is the result of parsing a Dockerfile
+type Result struct {
+	AST         *Node
+	EscapeToken rune
+	Warnings    []string
+}
+
+// PrintWarnings to the writer
+func (r *Result) PrintWarnings(out io.Writer) {
+	if len(r.Warnings) == 0 {
+		return
+	}
+	fmt.Fprintf(out, strings.Join(r.Warnings, "\n")+"\n")
+}
+
+// Parse reads lines from a Reader, parses the lines into an AST and returns
+// the AST and escape token
+func Parse(rwc io.Reader) (*Result, error) {
+	d := NewDefaultDirective()
+	currentLine := 0
+	root := &Node{StartLine: -1}
+	scanner := bufio.NewScanner(rwc)
+	warnings := []string{}
+
+	var err error
+	for scanner.Scan() {
+		bytesRead := scanner.Bytes()
+		if currentLine == 0 {
+			// First line, strip the byte-order-marker if present
+			bytesRead = bytes.TrimPrefix(bytesRead, utf8bom)
+		}
+		bytesRead, err = processLine(d, bytesRead, true)
+		if err != nil {
+			return nil, err
+		}
+		currentLine++
+
+		startLine := currentLine
+		line, isEndOfLine := trimContinuationCharacter(string(bytesRead), d)
+		if isEndOfLine && line == "" {
+			continue
+		}
+
+		var hasEmptyContinuationLine bool
+		for !isEndOfLine && scanner.Scan() {
+			bytesRead, err := processLine(d, scanner.Bytes(), false)
+			if err != nil {
+				return nil, err
+			}
+			currentLine++
+
+			if isComment(scanner.Bytes()) {
+				// original line was a comment (processLine strips comments)
+				continue
+			}
+			if isEmptyContinuationLine(bytesRead) {
+				hasEmptyContinuationLine = true
+				continue
+			}
+
+			continuationLine := string(bytesRead)
+			continuationLine, isEndOfLine = trimContinuationCharacter(continuationLine, d)
+			line += continuationLine
+		}
+
+		if hasEmptyContinuationLine {
+			warnings = append(warnings, "[WARNING]: Empty continuation line found in:\n    "+line)
+		}
+
+		child, err := newNodeFromLine(line, d)
+		if err != nil {
+			return nil, err
+		}
+		root.AddChild(child, startLine, currentLine)
+	}
+
+	if len(warnings) > 0 {
+		warnings = append(warnings, "[WARNING]: Empty continuation lines will become errors in a future release.")
+	}
+	return &Result{
+		AST:         root,
+		Warnings:    warnings,
+		EscapeToken: d.escapeToken,
+	}, handleScannerError(scanner.Err())
+}
+
+func trimComments(src []byte) []byte {
+	return tokenComment.ReplaceAll(src, []byte{})
+}
+
+func trimWhitespace(src []byte) []byte {
+	return bytes.TrimLeftFunc(src, unicode.IsSpace)
+}
+
+func isComment(line []byte) bool {
+	return tokenComment.Match(trimWhitespace(line))
+}
+
+func isEmptyContinuationLine(line []byte) bool {
+	return len(trimWhitespace(line)) == 0
+}
+
+var utf8bom = []byte{0xEF, 0xBB, 0xBF}
+
+func trimContinuationCharacter(line string, d *Directive) (string, bool) {
+	if d.lineContinuationRegex.MatchString(line) {
+		line = d.lineContinuationRegex.ReplaceAllString(line, "")
+		return line, false
+	}
+	return line, true
+}
+
+// TODO: remove stripLeftWhitespace after deprecation period. It seems silly
+// to preserve whitespace on continuation lines. Why is that done?
+func processLine(d *Directive, token []byte, stripLeftWhitespace bool) ([]byte, error) {
+	if stripLeftWhitespace {
+		token = trimWhitespace(token)
+	}
+	return trimComments(token), d.possibleParserDirective(string(token))
+}
+
+func handleScannerError(err error) error {
+	switch err {
+	case bufio.ErrTooLong:
+		return errors.Errorf("dockerfile line greater than max allowed size of %d", bufio.MaxScanTokenSize-1)
+	default:
+		return err
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/split_command.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/split_command.go
new file mode 100644
index 00000000..171f454f
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/parser/split_command.go
@@ -0,0 +1,118 @@
+package parser
+
+import (
+	"strings"
+	"unicode"
+)
+
+// splitCommand takes a single line of text and parses out the cmd and args,
+// which are used for dispatching to more exact parsing functions.
+func splitCommand(line string) (string, []string, string, error) {
+	var args string
+	var flags []string
+
+	// Make sure we get the same results irrespective of leading/trailing spaces
+	cmdline := tokenWhitespace.Split(strings.TrimSpace(line), 2)
+	cmd := strings.ToLower(cmdline[0])
+
+	if len(cmdline) == 2 {
+		var err error
+		args, flags, err = extractBuilderFlags(cmdline[1])
+		if err != nil {
+			return "", nil, "", err
+		}
+	}
+
+	return cmd, flags, strings.TrimSpace(args), nil
+}
+
+func extractBuilderFlags(line string) (string, []string, error) {
+	// Parses the BuilderFlags and returns the remaining part of the line
+
+	const (
+		inSpaces = iota // looking for start of a word
+		inWord
+		inQuote
+	)
+
+	words := []string{}
+	phase := inSpaces
+	word := ""
+	quote := '\000'
+	blankOK := false
+	var ch rune
+
+	for pos := 0; pos <= len(line); pos++ {
+		if pos != len(line) {
+			ch = rune(line[pos])
+		}
+
+		if phase == inSpaces { // Looking for start of word
+			if pos == len(line) { // end of input
+				break
+			}
+			if unicode.IsSpace(ch) { // skip spaces
+				continue
+			}
+
+			// Only keep going if the next word starts with --
+			if ch != '-' || pos+1 == len(line) || rune(line[pos+1]) != '-' {
+				return line[pos:], words, nil
+			}
+
+			phase = inWord // found something with "--", fall through
+		}
+		if (phase == inWord || phase == inQuote) && (pos == len(line)) {
+			if word != "--" && (blankOK || len(word) > 0) {
+				words = append(words, word)
+			}
+			break
+		}
+		if phase == inWord {
+			if unicode.IsSpace(ch) {
+				phase = inSpaces
+				if word == "--" {
+					return line[pos:], words, nil
+				}
+				if blankOK || len(word) > 0 {
+					words = append(words, word)
+				}
+				word = ""
+				blankOK = false
+				continue
+			}
+			if ch == '\'' || ch == '"' {
+				quote = ch
+				blankOK = true
+				phase = inQuote
+				continue
+			}
+			if ch == '\\' {
+				if pos+1 == len(line) {
+					continue // just skip \ at end
+				}
+				pos++
+				ch = rune(line[pos])
+			}
+			word += string(ch)
+			continue
+		}
+		if phase == inQuote {
+			if ch == quote {
+				phase = inWord
+				continue
+			}
+			if ch == '\\' {
+				if pos+1 == len(line) {
+					phase = inWord
+					continue // just skip \ at end
+				}
+				pos++
+				ch = rune(line[pos])
+			}
+			word += string(ch)
+		}
+	}
+
+	return "", words, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/equal_env_unix.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/equal_env_unix.go
new file mode 100644
index 00000000..36903ec5
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/equal_env_unix.go
@@ -0,0 +1,10 @@
+// +build !windows
+
+package shell
+
+// EqualEnvKeys compare two strings and returns true if they are equal.
+// On Unix this comparison is case sensitive.
+// On Windows this comparison is case insensitive.
+func EqualEnvKeys(from, to string) bool {
+	return from == to
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/equal_env_windows.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/equal_env_windows.go
new file mode 100644
index 00000000..010569bb
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/equal_env_windows.go
@@ -0,0 +1,10 @@
+package shell
+
+import "strings"
+
+// EqualEnvKeys compare two strings and returns true if they are equal.
+// On Unix this comparison is case sensitive.
+// On Windows this comparison is case insensitive.
+func EqualEnvKeys(from, to string) bool {
+	return strings.ToUpper(from) == strings.ToUpper(to)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/lex.go b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/lex.go
new file mode 100644
index 00000000..c264459b
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/dockerfile/shell/lex.go
@@ -0,0 +1,373 @@
+package shell
+
+import (
+	"bytes"
+	"strings"
+	"text/scanner"
+	"unicode"
+
+	"github.com/pkg/errors"
+)
+
+// Lex performs shell word splitting and variable expansion.
+//
+// Lex takes a string and an array of env variables and
+// process all quotes (" and ') as well as $xxx and ${xxx} env variable
+// tokens.  Tries to mimic bash shell process.
+// It doesn't support all flavors of ${xx:...} formats but new ones can
+// be added by adding code to the "special ${} format processing" section
+type Lex struct {
+	escapeToken rune
+}
+
+// NewLex creates a new Lex which uses escapeToken to escape quotes.
+func NewLex(escapeToken rune) *Lex {
+	return &Lex{escapeToken: escapeToken}
+}
+
+// ProcessWord will use the 'env' list of environment variables,
+// and replace any env var references in 'word'.
+func (s *Lex) ProcessWord(word string, env []string) (string, error) {
+	word, _, err := s.process(word, env)
+	return word, err
+}
+
+// ProcessWords will use the 'env' list of environment variables,
+// and replace any env var references in 'word' then it will also
+// return a slice of strings which represents the 'word'
+// split up based on spaces - taking into account quotes.  Note that
+// this splitting is done **after** the env var substitutions are done.
+// Note, each one is trimmed to remove leading and trailing spaces (unless
+// they are quoted", but ProcessWord retains spaces between words.
+func (s *Lex) ProcessWords(word string, env []string) ([]string, error) {
+	_, words, err := s.process(word, env)
+	return words, err
+}
+
+func (s *Lex) process(word string, env []string) (string, []string, error) {
+	sw := &shellWord{
+		envs:        env,
+		escapeToken: s.escapeToken,
+	}
+	sw.scanner.Init(strings.NewReader(word))
+	return sw.process(word)
+}
+
+type shellWord struct {
+	scanner     scanner.Scanner
+	envs        []string
+	escapeToken rune
+}
+
+func (sw *shellWord) process(source string) (string, []string, error) {
+	word, words, err := sw.processStopOn(scanner.EOF)
+	if err != nil {
+		err = errors.Wrapf(err, "failed to process %q", source)
+	}
+	return word, words, err
+}
+
+type wordsStruct struct {
+	word   string
+	words  []string
+	inWord bool
+}
+
+func (w *wordsStruct) addChar(ch rune) {
+	if unicode.IsSpace(ch) && w.inWord {
+		if len(w.word) != 0 {
+			w.words = append(w.words, w.word)
+			w.word = ""
+			w.inWord = false
+		}
+	} else if !unicode.IsSpace(ch) {
+		w.addRawChar(ch)
+	}
+}
+
+func (w *wordsStruct) addRawChar(ch rune) {
+	w.word += string(ch)
+	w.inWord = true
+}
+
+func (w *wordsStruct) addString(str string) {
+	var scan scanner.Scanner
+	scan.Init(strings.NewReader(str))
+	for scan.Peek() != scanner.EOF {
+		w.addChar(scan.Next())
+	}
+}
+
+func (w *wordsStruct) addRawString(str string) {
+	w.word += str
+	w.inWord = true
+}
+
+func (w *wordsStruct) getWords() []string {
+	if len(w.word) > 0 {
+		w.words = append(w.words, w.word)
+
+		// Just in case we're called again by mistake
+		w.word = ""
+		w.inWord = false
+	}
+	return w.words
+}
+
+// Process the word, starting at 'pos', and stop when we get to the
+// end of the word or the 'stopChar' character
+func (sw *shellWord) processStopOn(stopChar rune) (string, []string, error) {
+	var result bytes.Buffer
+	var words wordsStruct
+
+	var charFuncMapping = map[rune]func() (string, error){
+		'\'': sw.processSingleQuote,
+		'"':  sw.processDoubleQuote,
+		'$':  sw.processDollar,
+	}
+
+	for sw.scanner.Peek() != scanner.EOF {
+		ch := sw.scanner.Peek()
+
+		if stopChar != scanner.EOF && ch == stopChar {
+			sw.scanner.Next()
+			return result.String(), words.getWords(), nil
+		}
+		if fn, ok := charFuncMapping[ch]; ok {
+			// Call special processing func for certain chars
+			tmp, err := fn()
+			if err != nil {
+				return "", []string{}, err
+			}
+			result.WriteString(tmp)
+
+			if ch == rune('$') {
+				words.addString(tmp)
+			} else {
+				words.addRawString(tmp)
+			}
+		} else {
+			// Not special, just add it to the result
+			ch = sw.scanner.Next()
+
+			if ch == sw.escapeToken {
+				// '\' (default escape token, but ` allowed) escapes, except end of line
+				ch = sw.scanner.Next()
+
+				if ch == scanner.EOF {
+					break
+				}
+
+				words.addRawChar(ch)
+			} else {
+				words.addChar(ch)
+			}
+
+			result.WriteRune(ch)
+		}
+	}
+	if stopChar != scanner.EOF {
+		return "", []string{}, errors.Errorf("unexpected end of statement while looking for matching %s", string(stopChar))
+	}
+	return result.String(), words.getWords(), nil
+}
+
+func (sw *shellWord) processSingleQuote() (string, error) {
+	// All chars between single quotes are taken as-is
+	// Note, you can't escape '
+	//
+	// From the "sh" man page:
+	// Single Quotes
+	//   Enclosing characters in single quotes preserves the literal meaning of
+	//   all the characters (except single quotes, making it impossible to put
+	//   single-quotes in a single-quoted string).
+
+	var result bytes.Buffer
+
+	sw.scanner.Next()
+
+	for {
+		ch := sw.scanner.Next()
+		switch ch {
+		case scanner.EOF:
+			return "", errors.New("unexpected end of statement while looking for matching single-quote")
+		case '\'':
+			return result.String(), nil
+		}
+		result.WriteRune(ch)
+	}
+}
+
+func (sw *shellWord) processDoubleQuote() (string, error) {
+	// All chars up to the next " are taken as-is, even ', except any $ chars
+	// But you can escape " with a \ (or ` if escape token set accordingly)
+	//
+	// From the "sh" man page:
+	// Double Quotes
+	//  Enclosing characters within double quotes preserves the literal meaning
+	//  of all characters except dollarsign ($), backquote (`), and backslash
+	//  (\).  The backslash inside double quotes is historically weird, and
+	//  serves to quote only the following characters:
+	//    $ ` " \ <newline>.
+	//  Otherwise it remains literal.
+
+	var result bytes.Buffer
+
+	sw.scanner.Next()
+
+	for {
+		switch sw.scanner.Peek() {
+		case scanner.EOF:
+			return "", errors.New("unexpected end of statement while looking for matching double-quote")
+		case '"':
+			sw.scanner.Next()
+			return result.String(), nil
+		case '$':
+			value, err := sw.processDollar()
+			if err != nil {
+				return "", err
+			}
+			result.WriteString(value)
+		default:
+			ch := sw.scanner.Next()
+			if ch == sw.escapeToken {
+				switch sw.scanner.Peek() {
+				case scanner.EOF:
+					// Ignore \ at end of word
+					continue
+				case '"', '$', sw.escapeToken:
+					// These chars can be escaped, all other \'s are left as-is
+					// Note: for now don't do anything special with ` chars.
+					// Not sure what to do with them anyway since we're not going
+					// to execute the text in there (not now anyway).
+					ch = sw.scanner.Next()
+				}
+			}
+			result.WriteRune(ch)
+		}
+	}
+}
+
+func (sw *shellWord) processDollar() (string, error) {
+	sw.scanner.Next()
+
+	// $xxx case
+	if sw.scanner.Peek() != '{' {
+		name := sw.processName()
+		if name == "" {
+			return "$", nil
+		}
+		return sw.getEnv(name), nil
+	}
+
+	sw.scanner.Next()
+	switch sw.scanner.Peek() {
+	case scanner.EOF:
+		return "", errors.New("syntax error: missing '}'")
+	case '{', '}', ':':
+		// Invalid ${{xx}, ${:xx}, ${:}. ${} case
+		return "", errors.New("syntax error: bad substitution")
+	}
+	name := sw.processName()
+	ch := sw.scanner.Next()
+	switch ch {
+	case '}':
+		// Normal ${xx} case
+		return sw.getEnv(name), nil
+	case ':':
+		// Special ${xx:...} format processing
+		// Yes it allows for recursive $'s in the ... spot
+		modifier := sw.scanner.Next()
+
+		word, _, err := sw.processStopOn('}')
+		if err != nil {
+			if sw.scanner.Peek() == scanner.EOF {
+				return "", errors.New("syntax error: missing '}'")
+			}
+			return "", err
+		}
+
+		// Grab the current value of the variable in question so we
+		// can use to to determine what to do based on the modifier
+		newValue := sw.getEnv(name)
+
+		switch modifier {
+		case '+':
+			if newValue != "" {
+				newValue = word
+			}
+			return newValue, nil
+
+		case '-':
+			if newValue == "" {
+				newValue = word
+			}
+			return newValue, nil
+
+		default:
+			return "", errors.Errorf("unsupported modifier (%c) in substitution", modifier)
+		}
+	}
+	return "", errors.Errorf("missing ':' in substitution")
+}
+
+func (sw *shellWord) processName() string {
+	// Read in a name (alphanumeric or _)
+	// If it starts with a numeric then just return $#
+	var name bytes.Buffer
+
+	for sw.scanner.Peek() != scanner.EOF {
+		ch := sw.scanner.Peek()
+		if name.Len() == 0 && unicode.IsDigit(ch) {
+			for sw.scanner.Peek() != scanner.EOF && unicode.IsDigit(sw.scanner.Peek()) {
+				// Keep reading until the first non-digit character, or EOF
+				ch = sw.scanner.Next()
+				name.WriteRune(ch)
+			}
+			return name.String()
+		}
+		if name.Len() == 0 && isSpecialParam(ch) {
+			ch = sw.scanner.Next()
+			return string(ch)
+		}
+		if !unicode.IsLetter(ch) && !unicode.IsDigit(ch) && ch != '_' {
+			break
+		}
+		ch = sw.scanner.Next()
+		name.WriteRune(ch)
+	}
+
+	return name.String()
+}
+
+// isSpecialParam checks if the provided character is a special parameters,
+// as defined in http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_05_02
+func isSpecialParam(char rune) bool {
+	switch char {
+	case '@', '*', '#', '?', '-', '$', '!', '0':
+		// Special parameters
+		// http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_05_02
+		return true
+	}
+	return false
+}
+
+func (sw *shellWord) getEnv(name string) string {
+	for _, env := range sw.envs {
+		i := strings.Index(env, "=")
+		if i < 0 {
+			if EqualEnvKeys(name, env) {
+				// Should probably never get here, but just in case treat
+				// it like "var" and "var=" are the same
+				return ""
+			}
+			continue
+		}
+		compareName := env[:i]
+		if !EqualEnvKeys(name, compareName) {
+			continue
+		}
+		return env[i+1:]
+	}
+	return ""
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/frontend.go b/engine/vendor/github.com/moby/buildkit/frontend/frontend.go
new file mode 100644
index 00000000..5bae3d26
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/frontend.go
@@ -0,0 +1,29 @@
+package frontend
+
+import (
+	"context"
+	"io"
+
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/executor"
+	gatewayclient "github.com/moby/buildkit/frontend/gateway/client"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type Frontend interface {
+	Solve(ctx context.Context, llb FrontendLLBBridge, opt map[string]string) (*Result, error)
+}
+
+type FrontendLLBBridge interface {
+	Solve(ctx context.Context, req SolveRequest) (*Result, error)
+	ResolveImageConfig(ctx context.Context, ref string, platform *specs.Platform) (digest.Digest, []byte, error)
+	Exec(ctx context.Context, meta executor.Meta, rootfs cache.ImmutableRef, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error
+}
+
+type SolveRequest = gatewayclient.SolveRequest
+
+type WorkerInfos interface {
+	WorkerInfos() []client.WorkerInfo
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/gateway/client/client.go b/engine/vendor/github.com/moby/buildkit/frontend/gateway/client/client.go
new file mode 100644
index 00000000..2198a56b
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/gateway/client/client.go
@@ -0,0 +1,52 @@
+package client
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/solver/pb"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type Client interface {
+	Solve(ctx context.Context, req SolveRequest) (*Result, error)
+	ResolveImageConfig(ctx context.Context, ref string, platform *specs.Platform) (digest.Digest, []byte, error)
+	BuildOpts() BuildOpts
+}
+
+type Reference interface {
+	ReadFile(ctx context.Context, req ReadRequest) ([]byte, error)
+	// StatFile(ctx context.Context, req StatRequest) (*StatResponse, error)
+	// ReadDir(ctx context.Context, req ReadDirRequest) ([]*StatResponse, error)
+}
+
+type ReadRequest struct {
+	Filename string
+	Range    *FileRange
+}
+
+type FileRange struct {
+	Offset int
+	Length int
+}
+
+// SolveRequest is same as frontend.SolveRequest but avoiding dependency
+type SolveRequest struct {
+	Definition      *pb.Definition
+	Frontend        string
+	FrontendOpt     map[string]string
+	ImportCacheRefs []string
+}
+
+type WorkerInfo struct {
+	ID        string
+	Labels    map[string]string
+	Platforms []specs.Platform
+}
+
+type BuildOpts struct {
+	Opts      map[string]string
+	SessionID string
+	Workers   []WorkerInfo
+	Product   string
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/gateway/client/result.go b/engine/vendor/github.com/moby/buildkit/frontend/gateway/client/result.go
new file mode 100644
index 00000000..bd542284
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/gateway/client/result.go
@@ -0,0 +1,54 @@
+package client
+
+import (
+	"context"
+	"sync"
+
+	"github.com/pkg/errors"
+)
+
+type BuildFunc func(context.Context, Client) (*Result, error)
+
+type Result struct {
+	mu       sync.Mutex
+	Ref      Reference
+	Refs     map[string]Reference
+	Metadata map[string][]byte
+}
+
+func NewResult() *Result {
+	return &Result{}
+}
+
+func (r *Result) AddMeta(k string, v []byte) {
+	r.mu.Lock()
+	if r.Metadata == nil {
+		r.Metadata = map[string][]byte{}
+	}
+	r.Metadata[k] = v
+	r.mu.Unlock()
+}
+
+func (r *Result) AddRef(k string, ref Reference) {
+	r.mu.Lock()
+	if r.Refs == nil {
+		r.Refs = map[string]Reference{}
+	}
+	r.Refs[k] = ref
+	r.mu.Unlock()
+}
+
+func (r *Result) SetRef(ref Reference) {
+	r.Ref = ref
+}
+
+func (r *Result) SingleRef() (Reference, error) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if r.Refs != nil && r.Ref == nil {
+		return nil, errors.Errorf("invalid map result")
+	}
+
+	return r.Ref, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/forward.go b/engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/forward.go
new file mode 100644
index 00000000..65597e5e
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/forward.go
@@ -0,0 +1,149 @@
+package forwarder
+
+import (
+	"context"
+	"sync"
+
+	"github.com/moby/buildkit/cache"
+	clienttypes "github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/frontend"
+	"github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/util/apicaps"
+	"github.com/moby/buildkit/worker"
+	"github.com/pkg/errors"
+)
+
+func llbBridgeToGatewayClient(ctx context.Context, llbBridge frontend.FrontendLLBBridge, opts map[string]string, workerInfos []clienttypes.WorkerInfo) (*bridgeClient, error) {
+	return &bridgeClient{
+		opts:              opts,
+		FrontendLLBBridge: llbBridge,
+		sid:               session.FromContext(ctx),
+		workerInfos:       workerInfos,
+		final:             map[*ref]struct{}{},
+	}, nil
+}
+
+type bridgeClient struct {
+	frontend.FrontendLLBBridge
+	mu           sync.Mutex
+	opts         map[string]string
+	final        map[*ref]struct{}
+	sid          string
+	exporterAttr map[string][]byte
+	refs         []*ref
+	workerInfos  []clienttypes.WorkerInfo
+}
+
+func (c *bridgeClient) Solve(ctx context.Context, req client.SolveRequest) (*client.Result, error) {
+	res, err := c.FrontendLLBBridge.Solve(ctx, frontend.SolveRequest{
+		Definition:      req.Definition,
+		Frontend:        req.Frontend,
+		FrontendOpt:     req.FrontendOpt,
+		ImportCacheRefs: req.ImportCacheRefs,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	cRes := &client.Result{}
+	c.mu.Lock()
+	for k, r := range res.Refs {
+		rr := &ref{r}
+		c.refs = append(c.refs, rr)
+		cRes.AddRef(k, rr)
+	}
+	if r := res.Ref; r != nil {
+		rr := &ref{r}
+		c.refs = append(c.refs, rr)
+		cRes.SetRef(rr)
+	}
+	c.mu.Unlock()
+	cRes.Metadata = res.Metadata
+
+	return cRes, nil
+}
+func (c *bridgeClient) BuildOpts() client.BuildOpts {
+	workers := make([]client.WorkerInfo, 0, len(c.workerInfos))
+	for _, w := range c.workerInfos {
+		workers = append(workers, client.WorkerInfo(w))
+	}
+
+	return client.BuildOpts{
+		Opts:      c.opts,
+		SessionID: c.sid,
+		Workers:   workers,
+		Product:   apicaps.ExportedProduct,
+	}
+}
+
+func (c *bridgeClient) toFrontendResult(r *client.Result) (*frontend.Result, error) {
+	if r == nil {
+		return nil, nil
+	}
+
+	res := &frontend.Result{}
+
+	if r.Refs != nil {
+		res.Refs = make(map[string]solver.CachedResult, len(r.Refs))
+		for k, r := range r.Refs {
+			rr, ok := r.(*ref)
+			if !ok {
+				return nil, errors.Errorf("invalid reference type for forward %T", r)
+			}
+			c.final[rr] = struct{}{}
+			res.Refs[k] = rr.CachedResult
+		}
+	}
+	if r := r.Ref; r != nil {
+		rr, ok := r.(*ref)
+		if !ok {
+			return nil, errors.Errorf("invalid reference type for forward %T", r)
+		}
+		c.final[rr] = struct{}{}
+		res.Ref = rr.CachedResult
+	}
+	res.Metadata = r.Metadata
+
+	return res, nil
+}
+
+func (c *bridgeClient) discard(err error) {
+	for _, r := range c.refs {
+		if r != nil {
+			if _, ok := c.final[r]; !ok || err != nil {
+				r.Release(context.TODO())
+			}
+		}
+	}
+}
+
+type ref struct {
+	solver.CachedResult
+}
+
+func (r *ref) ReadFile(ctx context.Context, req client.ReadRequest) ([]byte, error) {
+	ref, err := r.getImmutableRef()
+	if err != nil {
+		return nil, err
+	}
+	newReq := cache.ReadRequest{
+		Filename: req.Filename,
+	}
+	if r := req.Range; r != nil {
+		newReq.Range = &cache.FileRange{
+			Offset: r.Offset,
+			Length: r.Length,
+		}
+	}
+	return cache.ReadFile(ctx, ref, newReq)
+}
+
+func (r *ref) getImmutableRef() (cache.ImmutableRef, error) {
+	ref, ok := r.CachedResult.Sys().(*worker.WorkerRef)
+	if !ok {
+		return nil, errors.Errorf("invalid ref: %T", r.CachedResult.Sys())
+	}
+	return ref.ImmutableRef, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/frontend.go b/engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/frontend.go
new file mode 100644
index 00000000..61a187dc
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/gateway/forwarder/frontend.go
@@ -0,0 +1,38 @@
+package forwarder
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/frontend"
+	"github.com/moby/buildkit/frontend/gateway/client"
+)
+
+func NewGatewayForwarder(w frontend.WorkerInfos, f client.BuildFunc) frontend.Frontend {
+	return &GatewayForwarder{
+		workers: w,
+		f:       f,
+	}
+}
+
+type GatewayForwarder struct {
+	workers frontend.WorkerInfos
+	f       client.BuildFunc
+}
+
+func (gf *GatewayForwarder) Solve(ctx context.Context, llbBridge frontend.FrontendLLBBridge, opts map[string]string) (retRes *frontend.Result, retErr error) {
+	c, err := llbBridgeToGatewayClient(ctx, llbBridge, opts, gf.workers.WorkerInfos())
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		c.discard(retErr)
+	}()
+
+	res, err := gf.f(ctx, c)
+	if err != nil {
+		return nil, err
+	}
+
+	return c.toFrontendResult(res)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go b/engine/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go
new file mode 100644
index 00000000..7f6e2c17
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/gateway/gateway.go
@@ -0,0 +1,513 @@
+package gateway
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/distribution/reference"
+	apitypes "github.com/moby/buildkit/api/types"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/executor"
+	"github.com/moby/buildkit/frontend"
+	pb "github.com/moby/buildkit/frontend/gateway/pb"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/solver"
+	opspb "github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/apicaps"
+	"github.com/moby/buildkit/util/tracing"
+	"github.com/moby/buildkit/worker"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/net/http2"
+	spb "google.golang.org/genproto/googleapis/rpc/status"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/health"
+	"google.golang.org/grpc/health/grpc_health_v1"
+	"google.golang.org/grpc/status"
+)
+
+const (
+	keySource           = "source"
+	keyDevel            = "gateway-devel"
+	exporterImageConfig = "containerimage.config"
+)
+
+func NewGatewayFrontend(w frontend.WorkerInfos) frontend.Frontend {
+	return &gatewayFrontend{
+		workers: w,
+	}
+}
+
+type gatewayFrontend struct {
+	workers frontend.WorkerInfos
+}
+
+func filterPrefix(opts map[string]string, pfx string) map[string]string {
+	m := map[string]string{}
+	for k, v := range opts {
+		if strings.HasPrefix(k, pfx) {
+			m[strings.TrimPrefix(k, pfx)] = v
+		}
+	}
+	return m
+}
+
+func (gf *gatewayFrontend) Solve(ctx context.Context, llbBridge frontend.FrontendLLBBridge, opts map[string]string) (ret *frontend.Result, retErr error) {
+	source, ok := opts[keySource]
+	if !ok {
+		return nil, errors.Errorf("no source specified for gateway")
+	}
+
+	sid := session.FromContext(ctx)
+
+	_, isDevel := opts[keyDevel]
+	var img specs.Image
+	var rootFS cache.ImmutableRef
+	var readonly bool // TODO: try to switch to read-only by default.
+
+	if isDevel {
+		devRes, err := llbBridge.Solve(session.NewContext(ctx, "gateway:"+sid),
+			frontend.SolveRequest{
+				Frontend:    source,
+				FrontendOpt: filterPrefix(opts, "gateway-"),
+			})
+		if err != nil {
+			return nil, err
+		}
+		defer func() {
+			devRes.EachRef(func(ref solver.CachedResult) error {
+				return ref.Release(context.TODO())
+			})
+		}()
+		if devRes.Ref == nil {
+			return nil, errors.Errorf("development gateway didn't return default result")
+		}
+		workerRef, ok := devRes.Ref.Sys().(*worker.WorkerRef)
+		if !ok {
+			return nil, errors.Errorf("invalid ref: %T", devRes.Ref.Sys())
+		}
+		rootFS = workerRef.ImmutableRef
+		config, ok := devRes.Metadata[exporterImageConfig]
+		if ok {
+			if err := json.Unmarshal(config, &img); err != nil {
+				return nil, err
+			}
+		}
+	} else {
+		sourceRef, err := reference.ParseNormalizedNamed(source)
+		if err != nil {
+			return nil, err
+		}
+
+		dgst, config, err := llbBridge.ResolveImageConfig(ctx, reference.TagNameOnly(sourceRef).String(), nil) // TODO:
+		if err != nil {
+			return nil, err
+		}
+
+		if err := json.Unmarshal(config, &img); err != nil {
+			return nil, err
+		}
+
+		if dgst != "" {
+			sourceRef, err = reference.WithDigest(sourceRef, dgst)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		src := llb.Image(sourceRef.String())
+
+		def, err := src.Marshal()
+		if err != nil {
+			return nil, err
+		}
+
+		res, err := llbBridge.Solve(ctx, frontend.SolveRequest{
+			Definition: def.ToPB(),
+		})
+		if err != nil {
+			return nil, err
+		}
+		defer func() {
+			res.EachRef(func(ref solver.CachedResult) error {
+				return ref.Release(context.TODO())
+			})
+		}()
+		if res.Ref == nil {
+			return nil, errors.Errorf("gateway source didn't return default result")
+
+		}
+		workerRef, ok := res.Ref.Sys().(*worker.WorkerRef)
+		if !ok {
+			return nil, errors.Errorf("invalid ref: %T", res.Ref.Sys())
+		}
+		rootFS = workerRef.ImmutableRef
+	}
+
+	lbf, err := newLLBBridgeForwarder(ctx, llbBridge, gf.workers)
+	defer lbf.conn.Close()
+	if err != nil {
+		return nil, err
+	}
+
+	args := []string{"/run"}
+	env := []string{}
+	cwd := "/"
+	if img.Config.Env != nil {
+		env = img.Config.Env
+	}
+	if img.Config.Entrypoint != nil {
+		args = img.Config.Entrypoint
+	}
+	if img.Config.WorkingDir != "" {
+		cwd = img.Config.WorkingDir
+	}
+	i := 0
+	for k, v := range opts {
+		env = append(env, fmt.Sprintf("BUILDKIT_FRONTEND_OPT_%d", i)+"="+k+"="+v)
+		i++
+	}
+
+	env = append(env, "BUILDKIT_SESSION_ID="+sid)
+
+	dt, err := json.Marshal(gf.workers.WorkerInfos())
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to marshal workers array")
+	}
+	env = append(env, "BUILDKIT_WORKERS="+string(dt))
+
+	defer func() {
+		for _, r := range lbf.refs {
+			if retErr == nil && lbf.result != nil {
+				keep := false
+				lbf.result.EachRef(func(r2 solver.CachedResult) error {
+					if r == r2 {
+						keep = true
+					}
+					return nil
+				})
+				if keep {
+					continue
+				}
+			}
+			r.Release(context.TODO())
+		}
+	}()
+
+	env = append(env, "BUILDKIT_EXPORTEDPRODUCT="+apicaps.ExportedProduct)
+
+	err = llbBridge.Exec(ctx, executor.Meta{
+		Env:            env,
+		Args:           args,
+		Cwd:            cwd,
+		ReadonlyRootFS: readonly,
+	}, rootFS, lbf.Stdin, lbf.Stdout, os.Stderr)
+
+	if lbf.err != nil {
+		return nil, lbf.err
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return lbf.result, nil
+}
+
+func newLLBBridgeForwarder(ctx context.Context, llbBridge frontend.FrontendLLBBridge, workers frontend.WorkerInfos) (*llbBridgeForwarder, error) {
+	lbf := &llbBridgeForwarder{
+		callCtx:   ctx,
+		llbBridge: llbBridge,
+		refs:      map[string]solver.CachedResult{},
+		pipe:      newPipe(),
+		workers:   workers,
+	}
+
+	server := grpc.NewServer()
+	grpc_health_v1.RegisterHealthServer(server, health.NewServer())
+	pb.RegisterLLBBridgeServer(server, lbf)
+
+	go serve(ctx, server, lbf.conn)
+
+	return lbf, nil
+}
+
+type pipe struct {
+	Stdin  io.ReadCloser
+	Stdout io.WriteCloser
+	conn   net.Conn
+}
+
+func newPipe() *pipe {
+	pr1, pw1, _ := os.Pipe()
+	pr2, pw2, _ := os.Pipe()
+	return &pipe{
+		Stdin:  pr1,
+		Stdout: pw2,
+		conn: &conn{
+			Reader: pr2,
+			Writer: pw1,
+			Closer: pw2,
+		},
+	}
+}
+
+type conn struct {
+	io.Reader
+	io.Writer
+	io.Closer
+}
+
+func (s *conn) LocalAddr() net.Addr {
+	return dummyAddr{}
+}
+func (s *conn) RemoteAddr() net.Addr {
+	return dummyAddr{}
+}
+func (s *conn) SetDeadline(t time.Time) error {
+	return nil
+}
+func (s *conn) SetReadDeadline(t time.Time) error {
+	return nil
+}
+func (s *conn) SetWriteDeadline(t time.Time) error {
+	return nil
+}
+
+type dummyAddr struct {
+}
+
+func (d dummyAddr) Network() string {
+	return "pipe"
+}
+
+func (d dummyAddr) String() string {
+	return "localhost"
+}
+
+type llbBridgeForwarder struct {
+	mu        sync.Mutex
+	callCtx   context.Context
+	llbBridge frontend.FrontendLLBBridge
+	refs      map[string]solver.CachedResult
+	// lastRef      solver.CachedResult
+	// lastRefs     map[string]solver.CachedResult
+	// err          error
+	result       *frontend.Result
+	err          error
+	exporterAttr map[string][]byte
+	workers      frontend.WorkerInfos
+	*pipe
+}
+
+func (lbf *llbBridgeForwarder) ResolveImageConfig(ctx context.Context, req *pb.ResolveImageConfigRequest) (*pb.ResolveImageConfigResponse, error) {
+	ctx = tracing.ContextWithSpanFromContext(ctx, lbf.callCtx)
+	var platform *specs.Platform
+	if p := req.Platform; p != nil {
+		platform = &specs.Platform{
+			OS:           p.OS,
+			Architecture: p.Architecture,
+			Variant:      p.Variant,
+			OSVersion:    p.OSVersion,
+			OSFeatures:   p.OSFeatures,
+		}
+	}
+	dgst, dt, err := lbf.llbBridge.ResolveImageConfig(ctx, req.Ref, platform)
+	if err != nil {
+		return nil, err
+	}
+	return &pb.ResolveImageConfigResponse{
+		Digest: dgst,
+		Config: dt,
+	}, nil
+}
+
+func (lbf *llbBridgeForwarder) Solve(ctx context.Context, req *pb.SolveRequest) (*pb.SolveResponse, error) {
+	ctx = tracing.ContextWithSpanFromContext(ctx, lbf.callCtx)
+	res, err := lbf.llbBridge.Solve(ctx, frontend.SolveRequest{
+		Definition:      req.Definition,
+		Frontend:        req.Frontend,
+		FrontendOpt:     req.FrontendOpt,
+		ImportCacheRefs: req.ImportCacheRefs,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if len(res.Refs) > 0 && !req.AllowResultReturn {
+		// this should never happen because old client shouldn't make a map request
+		return nil, errors.Errorf("solve did not return default result")
+	}
+
+	pbRes := &pb.Result{}
+	var defaultID string
+
+	lbf.mu.Lock()
+	if res.Refs != nil {
+		ids := make(map[string]string, len(res.Refs))
+		for k, ref := range res.Refs {
+			id := identity.NewID()
+			if ref == nil {
+				id = ""
+			} else {
+				lbf.refs[id] = ref
+			}
+			ids[k] = id
+		}
+		pbRes.Result = &pb.Result_Refs{Refs: &pb.RefMap{Refs: ids}}
+	} else {
+		id := identity.NewID()
+		if res.Ref == nil {
+			id = ""
+		} else {
+			lbf.refs[id] = res.Ref
+		}
+		defaultID = id
+		pbRes.Result = &pb.Result_Ref{Ref: id}
+	}
+	lbf.mu.Unlock()
+
+	// compatibility mode for older clients
+	if req.Final {
+		exp := map[string][]byte{}
+		if err := json.Unmarshal(req.ExporterAttr, &exp); err != nil {
+			return nil, err
+		}
+
+		for k, v := range res.Metadata {
+			exp[k] = v
+		}
+
+		lbf.result = &frontend.Result{
+			Ref:      lbf.refs[defaultID],
+			Metadata: exp,
+		}
+	}
+
+	resp := &pb.SolveResponse{
+		Result: pbRes,
+	}
+
+	if !req.AllowResultReturn {
+		resp.Ref = defaultID
+	}
+
+	return resp, nil
+}
+func (lbf *llbBridgeForwarder) ReadFile(ctx context.Context, req *pb.ReadFileRequest) (*pb.ReadFileResponse, error) {
+	ctx = tracing.ContextWithSpanFromContext(ctx, lbf.callCtx)
+	lbf.mu.Lock()
+	ref, ok := lbf.refs[req.Ref]
+	lbf.mu.Unlock()
+	if !ok {
+		return nil, errors.Errorf("no such ref: %v", req.Ref)
+	}
+	if ref == nil {
+		return nil, errors.Wrapf(os.ErrNotExist, "%s no found", req.FilePath)
+	}
+	workerRef, ok := ref.Sys().(*worker.WorkerRef)
+	if !ok {
+		return nil, errors.Errorf("invalid ref: %T", ref.Sys())
+	}
+
+	newReq := cache.ReadRequest{
+		Filename: req.FilePath,
+	}
+	if r := req.Range; r != nil {
+		newReq.Range = &cache.FileRange{
+			Offset: int(r.Offset),
+			Length: int(r.Length),
+		}
+	}
+
+	dt, err := cache.ReadFile(ctx, workerRef.ImmutableRef, newReq)
+	if err != nil {
+		return nil, err
+	}
+
+	return &pb.ReadFileResponse{Data: dt}, nil
+}
+
+func (lbf *llbBridgeForwarder) Ping(context.Context, *pb.PingRequest) (*pb.PongResponse, error) {
+
+	workers := lbf.workers.WorkerInfos()
+	pbWorkers := make([]*apitypes.WorkerRecord, 0, len(workers))
+	for _, w := range workers {
+		pbWorkers = append(pbWorkers, &apitypes.WorkerRecord{
+			ID:        w.ID,
+			Labels:    w.Labels,
+			Platforms: opspb.PlatformsFromSpec(w.Platforms),
+		})
+	}
+
+	return &pb.PongResponse{
+		FrontendAPICaps: pb.Caps.All(),
+		Workers:         pbWorkers,
+		// TODO: add LLB info
+	}, nil
+}
+
+func (lbf *llbBridgeForwarder) Return(ctx context.Context, in *pb.ReturnRequest) (*pb.ReturnResponse, error) {
+	if in.Error != nil {
+		lbf.err = status.ErrorProto(&spb.Status{
+			Code:    in.Error.Code,
+			Message: in.Error.Message,
+			// Details: in.Error.Details,
+		})
+	} else {
+		lbf.result = &frontend.Result{
+			Metadata: in.Result.Metadata,
+		}
+
+		switch res := in.Result.Result.(type) {
+		case *pb.Result_Ref:
+			ref, err := lbf.convertRef(res.Ref)
+			if err != nil {
+				return nil, err
+			}
+			lbf.result.Ref = ref
+		case *pb.Result_Refs:
+			m := map[string]solver.CachedResult{}
+			for k, v := range res.Refs.Refs {
+				ref, err := lbf.convertRef(v)
+				if err != nil {
+					return nil, err
+				}
+				m[k] = ref
+			}
+			lbf.result.Refs = m
+		}
+	}
+
+	return &pb.ReturnResponse{}, nil
+}
+
+func (lbf *llbBridgeForwarder) convertRef(id string) (solver.CachedResult, error) {
+	if id == "" {
+		return nil, nil
+	}
+	r, ok := lbf.refs[id]
+	if !ok {
+		return nil, errors.Errorf("return reference %s not found", id)
+	}
+	return r, nil
+}
+
+func serve(ctx context.Context, grpcServer *grpc.Server, conn net.Conn) {
+	go func() {
+		<-ctx.Done()
+		conn.Close()
+	}()
+	logrus.Debugf("serving grpc connection")
+	(&http2.Server{}).ServeConn(conn, &http2.ServeConnOpts{Handler: grpcServer})
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/caps.go b/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/caps.go
new file mode 100644
index 00000000..b5e902b1
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/caps.go
@@ -0,0 +1,64 @@
+package moby_buildkit_v1_frontend
+
+import "github.com/moby/buildkit/util/apicaps"
+
+var Caps apicaps.CapList
+
+// Every backwards or forwards non-compatible change needs to add a new capability row.
+// By default new capabilities should be experimental. After merge a capability is
+// considered immutable. After a capability is marked stable it should not be disabled.
+
+const (
+	CapSolveBase         apicaps.CapID = "solve.base"
+	CapSolveInlineReturn apicaps.CapID = "solve.inlinereturn"
+	CapResolveImage      apicaps.CapID = "resolveimage"
+	CapReadFile          apicaps.CapID = "readfile"
+	CapReturnResult      apicaps.CapID = "return"
+	CapReturnMap         apicaps.CapID = "returnmap"
+)
+
+func init() {
+
+	Caps.Init(apicaps.Cap{
+		ID:      CapSolveBase,
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
+	Caps.Init(apicaps.Cap{
+		ID:         CapSolveInlineReturn,
+		Name:       "inline return from solve",
+		Enabled:    true,
+		Deprecated: true,
+		Status:     apicaps.CapStatusExperimental,
+	})
+
+	Caps.Init(apicaps.Cap{
+		ID:      CapResolveImage,
+		Name:    "resolve remote image config",
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
+	Caps.Init(apicaps.Cap{
+		ID:      CapReadFile,
+		Name:    "read static file",
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
+	Caps.Init(apicaps.Cap{
+		ID:      CapReturnResult,
+		Name:    "return solve result",
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
+	Caps.Init(apicaps.Cap{
+		ID:      CapReturnMap,
+		Name:    "return reference map",
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.pb.go b/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.pb.go
new file mode 100644
index 00000000..27789c60
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.pb.go
@@ -0,0 +1,3360 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: gateway.proto
+
+/*
+	Package moby_buildkit_v1_frontend is a generated protocol buffer package.
+
+	It is generated from these files:
+		gateway.proto
+
+	It has these top-level messages:
+		Result
+		RefMap
+		ReturnRequest
+		ReturnResponse
+		ResolveImageConfigRequest
+		ResolveImageConfigResponse
+		SolveRequest
+		SolveResponse
+		ReadFileRequest
+		FileRange
+		ReadFileResponse
+		PingRequest
+		PongResponse
+*/
+package moby_buildkit_v1_frontend
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+import _ "github.com/gogo/protobuf/gogoproto"
+import google_rpc "github.com/gogo/googleapis/google/rpc"
+import pb "github.com/moby/buildkit/solver/pb"
+import moby_buildkit_v1_types "github.com/moby/buildkit/api/types"
+import moby_buildkit_v1_apicaps "github.com/moby/buildkit/util/apicaps/pb"
+
+import github_com_opencontainers_go_digest "github.com/opencontainers/go-digest"
+
+import context "golang.org/x/net/context"
+import grpc "google.golang.org/grpc"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type Result struct {
+	// Types that are valid to be assigned to Result:
+	//	*Result_Ref
+	//	*Result_Refs
+	Result   isResult_Result   `protobuf_oneof:"result"`
+	Metadata map[string][]byte `protobuf:"bytes,10,rep,name=metadata" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *Result) Reset()                    { *m = Result{} }
+func (m *Result) String() string            { return proto.CompactTextString(m) }
+func (*Result) ProtoMessage()               {}
+func (*Result) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{0} }
+
+type isResult_Result interface {
+	isResult_Result()
+	MarshalTo([]byte) (int, error)
+	Size() int
+}
+
+type Result_Ref struct {
+	Ref string `protobuf:"bytes,1,opt,name=ref,proto3,oneof"`
+}
+type Result_Refs struct {
+	Refs *RefMap `protobuf:"bytes,2,opt,name=refs,oneof"`
+}
+
+func (*Result_Ref) isResult_Result()  {}
+func (*Result_Refs) isResult_Result() {}
+
+func (m *Result) GetResult() isResult_Result {
+	if m != nil {
+		return m.Result
+	}
+	return nil
+}
+
+func (m *Result) GetRef() string {
+	if x, ok := m.GetResult().(*Result_Ref); ok {
+		return x.Ref
+	}
+	return ""
+}
+
+func (m *Result) GetRefs() *RefMap {
+	if x, ok := m.GetResult().(*Result_Refs); ok {
+		return x.Refs
+	}
+	return nil
+}
+
+func (m *Result) GetMetadata() map[string][]byte {
+	if m != nil {
+		return m.Metadata
+	}
+	return nil
+}
+
+// XXX_OneofFuncs is for the internal use of the proto package.
+func (*Result) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
+	return _Result_OneofMarshaler, _Result_OneofUnmarshaler, _Result_OneofSizer, []interface{}{
+		(*Result_Ref)(nil),
+		(*Result_Refs)(nil),
+	}
+}
+
+func _Result_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
+	m := msg.(*Result)
+	// result
+	switch x := m.Result.(type) {
+	case *Result_Ref:
+		_ = b.EncodeVarint(1<<3 | proto.WireBytes)
+		_ = b.EncodeStringBytes(x.Ref)
+	case *Result_Refs:
+		_ = b.EncodeVarint(2<<3 | proto.WireBytes)
+		if err := b.EncodeMessage(x.Refs); err != nil {
+			return err
+		}
+	case nil:
+	default:
+		return fmt.Errorf("Result.Result has unexpected type %T", x)
+	}
+	return nil
+}
+
+func _Result_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
+	m := msg.(*Result)
+	switch tag {
+	case 1: // result.ref
+		if wire != proto.WireBytes {
+			return true, proto.ErrInternalBadWireType
+		}
+		x, err := b.DecodeStringBytes()
+		m.Result = &Result_Ref{x}
+		return true, err
+	case 2: // result.refs
+		if wire != proto.WireBytes {
+			return true, proto.ErrInternalBadWireType
+		}
+		msg := new(RefMap)
+		err := b.DecodeMessage(msg)
+		m.Result = &Result_Refs{msg}
+		return true, err
+	default:
+		return false, nil
+	}
+}
+
+func _Result_OneofSizer(msg proto.Message) (n int) {
+	m := msg.(*Result)
+	// result
+	switch x := m.Result.(type) {
+	case *Result_Ref:
+		n += proto.SizeVarint(1<<3 | proto.WireBytes)
+		n += proto.SizeVarint(uint64(len(x.Ref)))
+		n += len(x.Ref)
+	case *Result_Refs:
+		s := proto.Size(x.Refs)
+		n += proto.SizeVarint(2<<3 | proto.WireBytes)
+		n += proto.SizeVarint(uint64(s))
+		n += s
+	case nil:
+	default:
+		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
+	}
+	return n
+}
+
+type RefMap struct {
+	Refs map[string]string `protobuf:"bytes,1,rep,name=refs" json:"refs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *RefMap) Reset()                    { *m = RefMap{} }
+func (m *RefMap) String() string            { return proto.CompactTextString(m) }
+func (*RefMap) ProtoMessage()               {}
+func (*RefMap) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{1} }
+
+func (m *RefMap) GetRefs() map[string]string {
+	if m != nil {
+		return m.Refs
+	}
+	return nil
+}
+
+type ReturnRequest struct {
+	Result *Result            `protobuf:"bytes,1,opt,name=result" json:"result,omitempty"`
+	Error  *google_rpc.Status `protobuf:"bytes,2,opt,name=error" json:"error,omitempty"`
+}
+
+func (m *ReturnRequest) Reset()                    { *m = ReturnRequest{} }
+func (m *ReturnRequest) String() string            { return proto.CompactTextString(m) }
+func (*ReturnRequest) ProtoMessage()               {}
+func (*ReturnRequest) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{2} }
+
+func (m *ReturnRequest) GetResult() *Result {
+	if m != nil {
+		return m.Result
+	}
+	return nil
+}
+
+func (m *ReturnRequest) GetError() *google_rpc.Status {
+	if m != nil {
+		return m.Error
+	}
+	return nil
+}
+
+type ReturnResponse struct {
+}
+
+func (m *ReturnResponse) Reset()                    { *m = ReturnResponse{} }
+func (m *ReturnResponse) String() string            { return proto.CompactTextString(m) }
+func (*ReturnResponse) ProtoMessage()               {}
+func (*ReturnResponse) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{3} }
+
+type ResolveImageConfigRequest struct {
+	Ref      string       `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	Platform *pb.Platform `protobuf:"bytes,2,opt,name=Platform" json:"Platform,omitempty"`
+}
+
+func (m *ResolveImageConfigRequest) Reset()                    { *m = ResolveImageConfigRequest{} }
+func (m *ResolveImageConfigRequest) String() string            { return proto.CompactTextString(m) }
+func (*ResolveImageConfigRequest) ProtoMessage()               {}
+func (*ResolveImageConfigRequest) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{4} }
+
+func (m *ResolveImageConfigRequest) GetRef() string {
+	if m != nil {
+		return m.Ref
+	}
+	return ""
+}
+
+func (m *ResolveImageConfigRequest) GetPlatform() *pb.Platform {
+	if m != nil {
+		return m.Platform
+	}
+	return nil
+}
+
+type ResolveImageConfigResponse struct {
+	Digest github_com_opencontainers_go_digest.Digest `protobuf:"bytes,1,opt,name=Digest,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"Digest"`
+	Config []byte                                     `protobuf:"bytes,2,opt,name=Config,proto3" json:"Config,omitempty"`
+}
+
+func (m *ResolveImageConfigResponse) Reset()         { *m = ResolveImageConfigResponse{} }
+func (m *ResolveImageConfigResponse) String() string { return proto.CompactTextString(m) }
+func (*ResolveImageConfigResponse) ProtoMessage()    {}
+func (*ResolveImageConfigResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptorGateway, []int{5}
+}
+
+func (m *ResolveImageConfigResponse) GetConfig() []byte {
+	if m != nil {
+		return m.Config
+	}
+	return nil
+}
+
+type SolveRequest struct {
+	Definition        *pb.Definition    `protobuf:"bytes,1,opt,name=Definition" json:"Definition,omitempty"`
+	Frontend          string            `protobuf:"bytes,2,opt,name=Frontend,proto3" json:"Frontend,omitempty"`
+	FrontendOpt       map[string]string `protobuf:"bytes,3,rep,name=FrontendOpt" json:"FrontendOpt,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	ImportCacheRefs   []string          `protobuf:"bytes,4,rep,name=ImportCacheRefs" json:"ImportCacheRefs,omitempty"`
+	AllowResultReturn bool              `protobuf:"varint,5,opt,name=allowResultReturn,proto3" json:"allowResultReturn,omitempty"`
+	// apicaps.CapSolveInlineReturn deprecated
+	Final        bool   `protobuf:"varint,10,opt,name=Final,proto3" json:"Final,omitempty"`
+	ExporterAttr []byte `protobuf:"bytes,11,opt,name=ExporterAttr,proto3" json:"ExporterAttr,omitempty"`
+}
+
+func (m *SolveRequest) Reset()                    { *m = SolveRequest{} }
+func (m *SolveRequest) String() string            { return proto.CompactTextString(m) }
+func (*SolveRequest) ProtoMessage()               {}
+func (*SolveRequest) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{6} }
+
+func (m *SolveRequest) GetDefinition() *pb.Definition {
+	if m != nil {
+		return m.Definition
+	}
+	return nil
+}
+
+func (m *SolveRequest) GetFrontend() string {
+	if m != nil {
+		return m.Frontend
+	}
+	return ""
+}
+
+func (m *SolveRequest) GetFrontendOpt() map[string]string {
+	if m != nil {
+		return m.FrontendOpt
+	}
+	return nil
+}
+
+func (m *SolveRequest) GetImportCacheRefs() []string {
+	if m != nil {
+		return m.ImportCacheRefs
+	}
+	return nil
+}
+
+func (m *SolveRequest) GetAllowResultReturn() bool {
+	if m != nil {
+		return m.AllowResultReturn
+	}
+	return false
+}
+
+func (m *SolveRequest) GetFinal() bool {
+	if m != nil {
+		return m.Final
+	}
+	return false
+}
+
+func (m *SolveRequest) GetExporterAttr() []byte {
+	if m != nil {
+		return m.ExporterAttr
+	}
+	return nil
+}
+
+type SolveResponse struct {
+	// deprecated
+	Ref string `protobuf:"bytes,1,opt,name=ref,proto3" json:"ref,omitempty"`
+	// these fields are returned when allowMapReturn was set
+	Result *Result `protobuf:"bytes,3,opt,name=result" json:"result,omitempty"`
+}
+
+func (m *SolveResponse) Reset()                    { *m = SolveResponse{} }
+func (m *SolveResponse) String() string            { return proto.CompactTextString(m) }
+func (*SolveResponse) ProtoMessage()               {}
+func (*SolveResponse) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{7} }
+
+func (m *SolveResponse) GetRef() string {
+	if m != nil {
+		return m.Ref
+	}
+	return ""
+}
+
+func (m *SolveResponse) GetResult() *Result {
+	if m != nil {
+		return m.Result
+	}
+	return nil
+}
+
+type ReadFileRequest struct {
+	Ref      string     `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	FilePath string     `protobuf:"bytes,2,opt,name=FilePath,proto3" json:"FilePath,omitempty"`
+	Range    *FileRange `protobuf:"bytes,3,opt,name=Range" json:"Range,omitempty"`
+}
+
+func (m *ReadFileRequest) Reset()                    { *m = ReadFileRequest{} }
+func (m *ReadFileRequest) String() string            { return proto.CompactTextString(m) }
+func (*ReadFileRequest) ProtoMessage()               {}
+func (*ReadFileRequest) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{8} }
+
+func (m *ReadFileRequest) GetRef() string {
+	if m != nil {
+		return m.Ref
+	}
+	return ""
+}
+
+func (m *ReadFileRequest) GetFilePath() string {
+	if m != nil {
+		return m.FilePath
+	}
+	return ""
+}
+
+func (m *ReadFileRequest) GetRange() *FileRange {
+	if m != nil {
+		return m.Range
+	}
+	return nil
+}
+
+type FileRange struct {
+	Offset int64 `protobuf:"varint,1,opt,name=Offset,proto3" json:"Offset,omitempty"`
+	Length int64 `protobuf:"varint,2,opt,name=Length,proto3" json:"Length,omitempty"`
+}
+
+func (m *FileRange) Reset()                    { *m = FileRange{} }
+func (m *FileRange) String() string            { return proto.CompactTextString(m) }
+func (*FileRange) ProtoMessage()               {}
+func (*FileRange) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{9} }
+
+func (m *FileRange) GetOffset() int64 {
+	if m != nil {
+		return m.Offset
+	}
+	return 0
+}
+
+func (m *FileRange) GetLength() int64 {
+	if m != nil {
+		return m.Length
+	}
+	return 0
+}
+
+type ReadFileResponse struct {
+	Data []byte `protobuf:"bytes,1,opt,name=Data,proto3" json:"Data,omitempty"`
+}
+
+func (m *ReadFileResponse) Reset()                    { *m = ReadFileResponse{} }
+func (m *ReadFileResponse) String() string            { return proto.CompactTextString(m) }
+func (*ReadFileResponse) ProtoMessage()               {}
+func (*ReadFileResponse) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{10} }
+
+func (m *ReadFileResponse) GetData() []byte {
+	if m != nil {
+		return m.Data
+	}
+	return nil
+}
+
+type PingRequest struct {
+}
+
+func (m *PingRequest) Reset()                    { *m = PingRequest{} }
+func (m *PingRequest) String() string            { return proto.CompactTextString(m) }
+func (*PingRequest) ProtoMessage()               {}
+func (*PingRequest) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{11} }
+
+type PongResponse struct {
+	FrontendAPICaps []moby_buildkit_v1_apicaps.APICap      `protobuf:"bytes,1,rep,name=FrontendAPICaps" json:"FrontendAPICaps"`
+	LLBCaps         []moby_buildkit_v1_apicaps.APICap      `protobuf:"bytes,2,rep,name=LLBCaps" json:"LLBCaps"`
+	Workers         []*moby_buildkit_v1_types.WorkerRecord `protobuf:"bytes,3,rep,name=Workers" json:"Workers,omitempty"`
+}
+
+func (m *PongResponse) Reset()                    { *m = PongResponse{} }
+func (m *PongResponse) String() string            { return proto.CompactTextString(m) }
+func (*PongResponse) ProtoMessage()               {}
+func (*PongResponse) Descriptor() ([]byte, []int) { return fileDescriptorGateway, []int{12} }
+
+func (m *PongResponse) GetFrontendAPICaps() []moby_buildkit_v1_apicaps.APICap {
+	if m != nil {
+		return m.FrontendAPICaps
+	}
+	return nil
+}
+
+func (m *PongResponse) GetLLBCaps() []moby_buildkit_v1_apicaps.APICap {
+	if m != nil {
+		return m.LLBCaps
+	}
+	return nil
+}
+
+func (m *PongResponse) GetWorkers() []*moby_buildkit_v1_types.WorkerRecord {
+	if m != nil {
+		return m.Workers
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*Result)(nil), "moby.buildkit.v1.frontend.Result")
+	proto.RegisterType((*RefMap)(nil), "moby.buildkit.v1.frontend.RefMap")
+	proto.RegisterType((*ReturnRequest)(nil), "moby.buildkit.v1.frontend.ReturnRequest")
+	proto.RegisterType((*ReturnResponse)(nil), "moby.buildkit.v1.frontend.ReturnResponse")
+	proto.RegisterType((*ResolveImageConfigRequest)(nil), "moby.buildkit.v1.frontend.ResolveImageConfigRequest")
+	proto.RegisterType((*ResolveImageConfigResponse)(nil), "moby.buildkit.v1.frontend.ResolveImageConfigResponse")
+	proto.RegisterType((*SolveRequest)(nil), "moby.buildkit.v1.frontend.SolveRequest")
+	proto.RegisterType((*SolveResponse)(nil), "moby.buildkit.v1.frontend.SolveResponse")
+	proto.RegisterType((*ReadFileRequest)(nil), "moby.buildkit.v1.frontend.ReadFileRequest")
+	proto.RegisterType((*FileRange)(nil), "moby.buildkit.v1.frontend.FileRange")
+	proto.RegisterType((*ReadFileResponse)(nil), "moby.buildkit.v1.frontend.ReadFileResponse")
+	proto.RegisterType((*PingRequest)(nil), "moby.buildkit.v1.frontend.PingRequest")
+	proto.RegisterType((*PongResponse)(nil), "moby.buildkit.v1.frontend.PongResponse")
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// Client API for LLBBridge service
+
+type LLBBridgeClient interface {
+	// apicaps:CapResolveImage
+	ResolveImageConfig(ctx context.Context, in *ResolveImageConfigRequest, opts ...grpc.CallOption) (*ResolveImageConfigResponse, error)
+	// apicaps:CapSolveBase
+	Solve(ctx context.Context, in *SolveRequest, opts ...grpc.CallOption) (*SolveResponse, error)
+	// apicaps:CapReadFile
+	ReadFile(ctx context.Context, in *ReadFileRequest, opts ...grpc.CallOption) (*ReadFileResponse, error)
+	Ping(ctx context.Context, in *PingRequest, opts ...grpc.CallOption) (*PongResponse, error)
+	Return(ctx context.Context, in *ReturnRequest, opts ...grpc.CallOption) (*ReturnResponse, error)
+}
+
+type lLBBridgeClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewLLBBridgeClient(cc *grpc.ClientConn) LLBBridgeClient {
+	return &lLBBridgeClient{cc}
+}
+
+func (c *lLBBridgeClient) ResolveImageConfig(ctx context.Context, in *ResolveImageConfigRequest, opts ...grpc.CallOption) (*ResolveImageConfigResponse, error) {
+	out := new(ResolveImageConfigResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.frontend.LLBBridge/ResolveImageConfig", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *lLBBridgeClient) Solve(ctx context.Context, in *SolveRequest, opts ...grpc.CallOption) (*SolveResponse, error) {
+	out := new(SolveResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.frontend.LLBBridge/Solve", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *lLBBridgeClient) ReadFile(ctx context.Context, in *ReadFileRequest, opts ...grpc.CallOption) (*ReadFileResponse, error) {
+	out := new(ReadFileResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.frontend.LLBBridge/ReadFile", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *lLBBridgeClient) Ping(ctx context.Context, in *PingRequest, opts ...grpc.CallOption) (*PongResponse, error) {
+	out := new(PongResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.frontend.LLBBridge/Ping", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *lLBBridgeClient) Return(ctx context.Context, in *ReturnRequest, opts ...grpc.CallOption) (*ReturnResponse, error) {
+	out := new(ReturnResponse)
+	err := grpc.Invoke(ctx, "/moby.buildkit.v1.frontend.LLBBridge/Return", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// Server API for LLBBridge service
+
+type LLBBridgeServer interface {
+	// apicaps:CapResolveImage
+	ResolveImageConfig(context.Context, *ResolveImageConfigRequest) (*ResolveImageConfigResponse, error)
+	// apicaps:CapSolveBase
+	Solve(context.Context, *SolveRequest) (*SolveResponse, error)
+	// apicaps:CapReadFile
+	ReadFile(context.Context, *ReadFileRequest) (*ReadFileResponse, error)
+	Ping(context.Context, *PingRequest) (*PongResponse, error)
+	Return(context.Context, *ReturnRequest) (*ReturnResponse, error)
+}
+
+func RegisterLLBBridgeServer(s *grpc.Server, srv LLBBridgeServer) {
+	s.RegisterService(&_LLBBridge_serviceDesc, srv)
+}
+
+func _LLBBridge_ResolveImageConfig_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ResolveImageConfigRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(LLBBridgeServer).ResolveImageConfig(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.frontend.LLBBridge/ResolveImageConfig",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(LLBBridgeServer).ResolveImageConfig(ctx, req.(*ResolveImageConfigRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _LLBBridge_Solve_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SolveRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(LLBBridgeServer).Solve(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.frontend.LLBBridge/Solve",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(LLBBridgeServer).Solve(ctx, req.(*SolveRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _LLBBridge_ReadFile_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ReadFileRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(LLBBridgeServer).ReadFile(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.frontend.LLBBridge/ReadFile",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(LLBBridgeServer).ReadFile(ctx, req.(*ReadFileRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _LLBBridge_Ping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(PingRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(LLBBridgeServer).Ping(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.frontend.LLBBridge/Ping",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(LLBBridgeServer).Ping(ctx, req.(*PingRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _LLBBridge_Return_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ReturnRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(LLBBridgeServer).Return(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.buildkit.v1.frontend.LLBBridge/Return",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(LLBBridgeServer).Return(ctx, req.(*ReturnRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _LLBBridge_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.buildkit.v1.frontend.LLBBridge",
+	HandlerType: (*LLBBridgeServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "ResolveImageConfig",
+			Handler:    _LLBBridge_ResolveImageConfig_Handler,
+		},
+		{
+			MethodName: "Solve",
+			Handler:    _LLBBridge_Solve_Handler,
+		},
+		{
+			MethodName: "ReadFile",
+			Handler:    _LLBBridge_ReadFile_Handler,
+		},
+		{
+			MethodName: "Ping",
+			Handler:    _LLBBridge_Ping_Handler,
+		},
+		{
+			MethodName: "Return",
+			Handler:    _LLBBridge_Return_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "gateway.proto",
+}
+
+func (m *Result) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Result) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Result != nil {
+		nn1, err := m.Result.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += nn1
+	}
+	if len(m.Metadata) > 0 {
+		for k, _ := range m.Metadata {
+			dAtA[i] = 0x52
+			i++
+			v := m.Metadata[k]
+			byteSize := 0
+			if len(v) > 0 {
+				byteSize = 1 + len(v) + sovGateway(uint64(len(v)))
+			}
+			mapSize := 1 + len(k) + sovGateway(uint64(len(k))) + byteSize
+			i = encodeVarintGateway(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGateway(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			if len(v) > 0 {
+				dAtA[i] = 0x12
+				i++
+				i = encodeVarintGateway(dAtA, i, uint64(len(v)))
+				i += copy(dAtA[i:], v)
+			}
+		}
+	}
+	return i, nil
+}
+
+func (m *Result_Ref) MarshalTo(dAtA []byte) (int, error) {
+	i := 0
+	dAtA[i] = 0xa
+	i++
+	i = encodeVarintGateway(dAtA, i, uint64(len(m.Ref)))
+	i += copy(dAtA[i:], m.Ref)
+	return i, nil
+}
+func (m *Result_Refs) MarshalTo(dAtA []byte) (int, error) {
+	i := 0
+	if m.Refs != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(m.Refs.Size()))
+		n2, err := m.Refs.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n2
+	}
+	return i, nil
+}
+func (m *RefMap) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RefMap) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Refs) > 0 {
+		for k, _ := range m.Refs {
+			dAtA[i] = 0xa
+			i++
+			v := m.Refs[k]
+			mapSize := 1 + len(k) + sovGateway(uint64(len(k))) + 1 + len(v) + sovGateway(uint64(len(v)))
+			i = encodeVarintGateway(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGateway(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGateway(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *ReturnRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReturnRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Result != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(m.Result.Size()))
+		n3, err := m.Result.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n3
+	}
+	if m.Error != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(m.Error.Size()))
+		n4, err := m.Error.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n4
+	}
+	return i, nil
+}
+
+func (m *ReturnResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReturnResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	return i, nil
+}
+
+func (m *ResolveImageConfigRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResolveImageConfigRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ref) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.Ref)))
+		i += copy(dAtA[i:], m.Ref)
+	}
+	if m.Platform != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(m.Platform.Size()))
+		n5, err := m.Platform.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n5
+	}
+	return i, nil
+}
+
+func (m *ResolveImageConfigResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ResolveImageConfigResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Digest) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.Digest)))
+		i += copy(dAtA[i:], m.Digest)
+	}
+	if len(m.Config) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.Config)))
+		i += copy(dAtA[i:], m.Config)
+	}
+	return i, nil
+}
+
+func (m *SolveRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SolveRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Definition != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(m.Definition.Size()))
+		n6, err := m.Definition.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n6
+	}
+	if len(m.Frontend) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.Frontend)))
+		i += copy(dAtA[i:], m.Frontend)
+	}
+	if len(m.FrontendOpt) > 0 {
+		for k, _ := range m.FrontendOpt {
+			dAtA[i] = 0x1a
+			i++
+			v := m.FrontendOpt[k]
+			mapSize := 1 + len(k) + sovGateway(uint64(len(k))) + 1 + len(v) + sovGateway(uint64(len(v)))
+			i = encodeVarintGateway(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGateway(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGateway(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if len(m.ImportCacheRefs) > 0 {
+		for _, s := range m.ImportCacheRefs {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if m.AllowResultReturn {
+		dAtA[i] = 0x28
+		i++
+		if m.AllowResultReturn {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.Final {
+		dAtA[i] = 0x50
+		i++
+		if m.Final {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if len(m.ExporterAttr) > 0 {
+		dAtA[i] = 0x5a
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.ExporterAttr)))
+		i += copy(dAtA[i:], m.ExporterAttr)
+	}
+	return i, nil
+}
+
+func (m *SolveResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SolveResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ref) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.Ref)))
+		i += copy(dAtA[i:], m.Ref)
+	}
+	if m.Result != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(m.Result.Size()))
+		n7, err := m.Result.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	return i, nil
+}
+
+func (m *ReadFileRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReadFileRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ref) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.Ref)))
+		i += copy(dAtA[i:], m.Ref)
+	}
+	if len(m.FilePath) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.FilePath)))
+		i += copy(dAtA[i:], m.FilePath)
+	}
+	if m.Range != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(m.Range.Size()))
+		n8, err := m.Range.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	return i, nil
+}
+
+func (m *FileRange) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *FileRange) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Offset != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(m.Offset))
+	}
+	if m.Length != 0 {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(m.Length))
+	}
+	return i, nil
+}
+
+func (m *ReadFileResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ReadFileResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Data) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func (m *PingRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PingRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	return i, nil
+}
+
+func (m *PongResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *PongResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.FrontendAPICaps) > 0 {
+		for _, msg := range m.FrontendAPICaps {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGateway(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.LLBCaps) > 0 {
+		for _, msg := range m.LLBCaps {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGateway(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Workers) > 0 {
+		for _, msg := range m.Workers {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGateway(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func encodeVarintGateway(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *Result) Size() (n int) {
+	var l int
+	_ = l
+	if m.Result != nil {
+		n += m.Result.Size()
+	}
+	if len(m.Metadata) > 0 {
+		for k, v := range m.Metadata {
+			_ = k
+			_ = v
+			l = 0
+			if len(v) > 0 {
+				l = 1 + len(v) + sovGateway(uint64(len(v)))
+			}
+			mapEntrySize := 1 + len(k) + sovGateway(uint64(len(k))) + l
+			n += mapEntrySize + 1 + sovGateway(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *Result_Ref) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Ref)
+	n += 1 + l + sovGateway(uint64(l))
+	return n
+}
+func (m *Result_Refs) Size() (n int) {
+	var l int
+	_ = l
+	if m.Refs != nil {
+		l = m.Refs.Size()
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	return n
+}
+func (m *RefMap) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Refs) > 0 {
+		for k, v := range m.Refs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGateway(uint64(len(k))) + 1 + len(v) + sovGateway(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGateway(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *ReturnRequest) Size() (n int) {
+	var l int
+	_ = l
+	if m.Result != nil {
+		l = m.Result.Size()
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	if m.Error != nil {
+		l = m.Error.Size()
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	return n
+}
+
+func (m *ReturnResponse) Size() (n int) {
+	var l int
+	_ = l
+	return n
+}
+
+func (m *ResolveImageConfigRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Ref)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	if m.Platform != nil {
+		l = m.Platform.Size()
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	return n
+}
+
+func (m *ResolveImageConfigResponse) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Digest)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	l = len(m.Config)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	return n
+}
+
+func (m *SolveRequest) Size() (n int) {
+	var l int
+	_ = l
+	if m.Definition != nil {
+		l = m.Definition.Size()
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	l = len(m.Frontend)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	if len(m.FrontendOpt) > 0 {
+		for k, v := range m.FrontendOpt {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovGateway(uint64(len(k))) + 1 + len(v) + sovGateway(uint64(len(v)))
+			n += mapEntrySize + 1 + sovGateway(uint64(mapEntrySize))
+		}
+	}
+	if len(m.ImportCacheRefs) > 0 {
+		for _, s := range m.ImportCacheRefs {
+			l = len(s)
+			n += 1 + l + sovGateway(uint64(l))
+		}
+	}
+	if m.AllowResultReturn {
+		n += 2
+	}
+	if m.Final {
+		n += 2
+	}
+	l = len(m.ExporterAttr)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	return n
+}
+
+func (m *SolveResponse) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Ref)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	if m.Result != nil {
+		l = m.Result.Size()
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	return n
+}
+
+func (m *ReadFileRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Ref)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	l = len(m.FilePath)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	if m.Range != nil {
+		l = m.Range.Size()
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	return n
+}
+
+func (m *FileRange) Size() (n int) {
+	var l int
+	_ = l
+	if m.Offset != 0 {
+		n += 1 + sovGateway(uint64(m.Offset))
+	}
+	if m.Length != 0 {
+		n += 1 + sovGateway(uint64(m.Length))
+	}
+	return n
+}
+
+func (m *ReadFileResponse) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Data)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
+	return n
+}
+
+func (m *PingRequest) Size() (n int) {
+	var l int
+	_ = l
+	return n
+}
+
+func (m *PongResponse) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.FrontendAPICaps) > 0 {
+		for _, e := range m.FrontendAPICaps {
+			l = e.Size()
+			n += 1 + l + sovGateway(uint64(l))
+		}
+	}
+	if len(m.LLBCaps) > 0 {
+		for _, e := range m.LLBCaps {
+			l = e.Size()
+			n += 1 + l + sovGateway(uint64(l))
+		}
+	}
+	if len(m.Workers) > 0 {
+		for _, e := range m.Workers {
+			l = e.Size()
+			n += 1 + l + sovGateway(uint64(l))
+		}
+	}
+	return n
+}
+
+func sovGateway(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozGateway(x uint64) (n int) {
+	return sovGateway(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *Result) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Result: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Result: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ref", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Result = &Result_Ref{string(dAtA[iNdEx:postIndex])}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Refs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &RefMap{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Result = &Result_Refs{v}
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Metadata", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Metadata == nil {
+				m.Metadata = make(map[string][]byte)
+			}
+			var mapkey string
+			mapvalue := []byte{}
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGateway
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGateway
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthGateway
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var mapbyteLen uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGateway
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						mapbyteLen |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intMapbyteLen := int(mapbyteLen)
+					if intMapbyteLen < 0 {
+						return ErrInvalidLengthGateway
+					}
+					postbytesIndex := iNdEx + intMapbyteLen
+					if postbytesIndex > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = make([]byte, mapbyteLen)
+					copy(mapvalue, dAtA[iNdEx:postbytesIndex])
+					iNdEx = postbytesIndex
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipGateway(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthGateway
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Metadata[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *RefMap) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RefMap: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RefMap: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Refs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Refs == nil {
+				m.Refs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGateway
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGateway
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthGateway
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGateway
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthGateway
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipGateway(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthGateway
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Refs[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReturnRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReturnRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReturnRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Result", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Result == nil {
+				m.Result = &Result{}
+			}
+			if err := m.Result.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Error", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Error == nil {
+				m.Error = &google_rpc.Status{}
+			}
+			if err := m.Error.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReturnResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReturnResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReturnResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResolveImageConfigRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResolveImageConfigRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResolveImageConfigRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ref", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ref = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Platform", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Platform == nil {
+				m.Platform = &pb.Platform{}
+			}
+			if err := m.Platform.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ResolveImageConfigResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ResolveImageConfigResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ResolveImageConfigResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Digest", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Digest = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Config", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Config = append(m.Config[:0], dAtA[iNdEx:postIndex]...)
+			if m.Config == nil {
+				m.Config = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SolveRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SolveRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SolveRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Definition", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Definition == nil {
+				m.Definition = &pb.Definition{}
+			}
+			if err := m.Definition.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Frontend", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Frontend = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FrontendOpt", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.FrontendOpt == nil {
+				m.FrontendOpt = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowGateway
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGateway
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthGateway
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowGateway
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthGateway
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipGateway(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthGateway
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.FrontendOpt[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ImportCacheRefs", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ImportCacheRefs = append(m.ImportCacheRefs, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AllowResultReturn", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.AllowResultReturn = bool(v != 0)
+		case 10:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Final", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Final = bool(v != 0)
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExporterAttr", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ExporterAttr = append(m.ExporterAttr[:0], dAtA[iNdEx:postIndex]...)
+			if m.ExporterAttr == nil {
+				m.ExporterAttr = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SolveResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SolveResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SolveResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ref", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ref = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Result", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Result == nil {
+				m.Result = &Result{}
+			}
+			if err := m.Result.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReadFileRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReadFileRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReadFileRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ref", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ref = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FilePath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FilePath = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Range", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Range == nil {
+				m.Range = &FileRange{}
+			}
+			if err := m.Range.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *FileRange) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: FileRange: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: FileRange: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Offset", wireType)
+			}
+			m.Offset = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Offset |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Length", wireType)
+			}
+			m.Length = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Length |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ReadFileResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ReadFileResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ReadFileResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PingRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PingRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PingRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *PongResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: PongResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: PongResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FrontendAPICaps", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FrontendAPICaps = append(m.FrontendAPICaps, moby_buildkit_v1_apicaps.APICap{})
+			if err := m.FrontendAPICaps[len(m.FrontendAPICaps)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LLBCaps", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.LLBCaps = append(m.LLBCaps, moby_buildkit_v1_apicaps.APICap{})
+			if err := m.LLBCaps[len(m.LLBCaps)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Workers", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Workers = append(m.Workers, &moby_buildkit_v1_types.WorkerRecord{})
+			if err := m.Workers[len(m.Workers)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGateway(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipGateway(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowGateway
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthGateway
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowGateway
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipGateway(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthGateway = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowGateway   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("gateway.proto", fileDescriptorGateway) }
+
+var fileDescriptorGateway = []byte{
+	// 969 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x56, 0x4b, 0x6f, 0xdb, 0x46,
+	0x10, 0x0e, 0x4d, 0x49, 0x91, 0x46, 0x52, 0xac, 0x2e, 0x8a, 0x42, 0xe1, 0xc1, 0x51, 0x89, 0x22,
+	0x65, 0xf3, 0x20, 0x51, 0xa5, 0x45, 0xd2, 0x04, 0x48, 0x1b, 0xd9, 0x31, 0xe2, 0x56, 0x41, 0x84,
+	0xcd, 0xc1, 0x40, 0xd0, 0x1e, 0x56, 0xd2, 0x92, 0x26, 0x4c, 0x71, 0xd9, 0xe5, 0xca, 0xae, 0xd0,
+	0x4b, 0xdb, 0x53, 0x7e, 0x5a, 0x8e, 0x3d, 0xf7, 0x10, 0x14, 0xbe, 0xf5, 0x5f, 0x14, 0xfb, 0xa0,
+	0x4c, 0xbf, 0x64, 0xfb, 0xa4, 0x9d, 0xe5, 0x7c, 0x33, 0xdf, 0xce, 0x7c, 0xb3, 0x2b, 0x68, 0x47,
+	0x44, 0xd0, 0x43, 0xb2, 0xf0, 0x33, 0xce, 0x04, 0x43, 0xb7, 0x67, 0x6c, 0xbc, 0xf0, 0xc7, 0xf3,
+	0x38, 0x99, 0xee, 0xc7, 0xc2, 0x3f, 0xf8, 0xda, 0x0f, 0x39, 0x4b, 0x05, 0x4d, 0xa7, 0xce, 0xc3,
+	0x28, 0x16, 0x7b, 0xf3, 0xb1, 0x3f, 0x61, 0xb3, 0x20, 0x62, 0x11, 0x0b, 0x14, 0x62, 0x3c, 0x0f,
+	0x95, 0xa5, 0x0c, 0xb5, 0xd2, 0x91, 0x9c, 0xfe, 0x69, 0xf7, 0x88, 0xb1, 0x28, 0xa1, 0x24, 0x8b,
+	0x73, 0xb3, 0x0c, 0x78, 0x36, 0x09, 0x72, 0x41, 0xc4, 0x3c, 0x37, 0x98, 0x07, 0x25, 0x8c, 0x24,
+	0x12, 0x14, 0x44, 0x82, 0x9c, 0x25, 0x07, 0x94, 0x07, 0xd9, 0x38, 0x60, 0x59, 0xe1, 0x1d, 0x5c,
+	0xe8, 0x4d, 0xb2, 0x38, 0x10, 0x8b, 0x8c, 0xe6, 0xc1, 0x21, 0xe3, 0xfb, 0x94, 0x1b, 0xc0, 0xa3,
+	0x0b, 0x01, 0x73, 0x11, 0x27, 0x12, 0x35, 0x21, 0x59, 0x2e, 0x93, 0xc8, 0x5f, 0x0d, 0x72, 0xff,
+	0xb3, 0xa0, 0x86, 0x69, 0x3e, 0x4f, 0x04, 0x42, 0x60, 0x73, 0x1a, 0x76, 0xad, 0x9e, 0xe5, 0x35,
+	0x5e, 0xdd, 0xc0, 0xd2, 0x40, 0x8f, 0xa1, 0xc2, 0x69, 0x98, 0x77, 0xd7, 0x7a, 0x96, 0xd7, 0xec,
+	0x7f, 0xee, 0x5f, 0x58, 0x3f, 0x1f, 0xd3, 0xf0, 0x35, 0xc9, 0x5e, 0xdd, 0xc0, 0x0a, 0x80, 0x7e,
+	0x82, 0xfa, 0x8c, 0x0a, 0x32, 0x25, 0x82, 0x74, 0xa1, 0x67, 0x7b, 0xcd, 0x7e, 0xb0, 0x12, 0x2c,
+	0x19, 0xf8, 0xaf, 0x0d, 0xe2, 0x65, 0x2a, 0xf8, 0x02, 0x2f, 0x03, 0x38, 0xcf, 0xa0, 0x7d, 0xe2,
+	0x13, 0xea, 0x80, 0xbd, 0x4f, 0x17, 0x9a, 0x2a, 0x96, 0x4b, 0xf4, 0x29, 0x54, 0x0f, 0x48, 0x32,
+	0xa7, 0x8a, 0x69, 0x0b, 0x6b, 0xe3, 0xe9, 0xda, 0x13, 0x6b, 0x50, 0x87, 0x1a, 0x57, 0xe1, 0xdd,
+	0xbf, 0xd4, 0x59, 0x25, 0x4d, 0xf4, 0xbd, 0x39, 0x97, 0xa5, 0xa8, 0xdd, 0xbf, 0xf4, 0x5c, 0xf2,
+	0x27, 0xd7, 0xb4, 0x14, 0xd0, 0x79, 0x0c, 0x8d, 0xe5, 0xd6, 0x65, 0x74, 0x1a, 0x25, 0x3a, 0xae,
+	0x80, 0x36, 0xa6, 0x62, 0xce, 0x53, 0x4c, 0x7f, 0x9d, 0xd3, 0x5c, 0xa0, 0xef, 0x0a, 0x7e, 0x0a,
+	0x7f, 0x59, 0x91, 0xa5, 0x23, 0x36, 0x00, 0xe4, 0x41, 0x95, 0x72, 0xce, 0xb8, 0x69, 0x0f, 0xf2,
+	0xb5, 0xf2, 0x7c, 0x9e, 0x4d, 0xfc, 0xb7, 0x4a, 0x79, 0x58, 0x3b, 0xb8, 0x1d, 0xb8, 0x55, 0x64,
+	0xcd, 0x33, 0x96, 0xe6, 0xd4, 0xdd, 0x85, 0xdb, 0x98, 0x2a, 0xdd, 0xed, 0xcc, 0x48, 0x44, 0x37,
+	0x59, 0x1a, 0xc6, 0x51, 0xc1, 0xa9, 0x03, 0x36, 0x2e, 0xa4, 0x80, 0xe5, 0x12, 0x79, 0x50, 0x1f,
+	0x25, 0x44, 0x84, 0x8c, 0xcf, 0x4c, 0xb6, 0x96, 0x9f, 0x8d, 0xfd, 0x62, 0x0f, 0x2f, 0xbf, 0xba,
+	0x7f, 0x58, 0xe0, 0x9c, 0x17, 0x59, 0xe7, 0x45, 0x3f, 0x42, 0x6d, 0x2b, 0x8e, 0x68, 0xae, 0x8f,
+	0xdb, 0x18, 0xf4, 0x3f, 0x7c, 0xbc, 0x73, 0xe3, 0x9f, 0x8f, 0x77, 0xee, 0x95, 0xd4, 0xcb, 0x32,
+	0x9a, 0x4e, 0x58, 0x2a, 0x48, 0x9c, 0x52, 0x2e, 0xe7, 0xe9, 0xe1, 0x54, 0x41, 0x7c, 0x8d, 0xc4,
+	0x26, 0x02, 0xfa, 0x0c, 0x6a, 0x3a, 0xba, 0xe9, 0xba, 0xb1, 0xdc, 0xf7, 0x36, 0xb4, 0xde, 0x4a,
+	0x02, 0xc5, 0x79, 0x7c, 0x80, 0x2d, 0x1a, 0xc6, 0x69, 0x2c, 0x62, 0x96, 0x9a, 0x3a, 0xdf, 0x92,
+	0xfc, 0x8f, 0x77, 0x71, 0xc9, 0x03, 0x39, 0x50, 0xdf, 0x36, 0x35, 0x37, 0x1d, 0x5c, 0xda, 0xe8,
+	0x1d, 0x34, 0x8b, 0xf5, 0x9b, 0x4c, 0x74, 0x6d, 0xa5, 0xa0, 0x27, 0x2b, 0x9a, 0x56, 0x66, 0xe2,
+	0x97, 0xa0, 0x5a, 0x4e, 0xe5, 0x60, 0xc8, 0x83, 0xf5, 0x9d, 0x59, 0xc6, 0xb8, 0xd8, 0x24, 0x93,
+	0x3d, 0x2a, 0x05, 0xd6, 0xad, 0xf4, 0x6c, 0xaf, 0x81, 0x4f, 0x6f, 0xa3, 0x07, 0xf0, 0x09, 0x49,
+	0x12, 0x76, 0x68, 0x14, 0xa1, 0x7a, 0xdb, 0xad, 0xf6, 0x2c, 0xaf, 0x8e, 0xcf, 0x7e, 0x90, 0x72,
+	0xdc, 0x8e, 0x53, 0x92, 0x74, 0x41, 0x79, 0x68, 0x03, 0xb9, 0xd0, 0x7a, 0xf9, 0x9b, 0x0c, 0x4b,
+	0xf9, 0x0b, 0x21, 0x78, 0xb7, 0xa9, 0x8a, 0x78, 0x62, 0xcf, 0x79, 0x0e, 0x9d, 0xd3, 0x94, 0xaf,
+	0x25, 0xf7, 0x9f, 0xa1, 0x6d, 0xce, 0x6f, 0xfa, 0xdf, 0x29, 0xdd, 0x32, 0xfa, 0x8e, 0x39, 0x1e,
+	0x00, 0xfb, 0x9a, 0x03, 0xe0, 0xfe, 0x0e, 0xeb, 0x98, 0x92, 0xe9, 0x76, 0x9c, 0xd0, 0x8b, 0xa5,
+	0x2b, 0x9b, 0x19, 0x27, 0x74, 0x44, 0xc4, 0xde, 0xb2, 0x99, 0xc6, 0x46, 0x4f, 0xa1, 0x8a, 0x49,
+	0x1a, 0x51, 0x93, 0xfa, 0x8b, 0x15, 0xa9, 0x55, 0x12, 0xe9, 0x8b, 0x35, 0xc4, 0x7d, 0x06, 0x8d,
+	0xe5, 0x9e, 0x94, 0xe2, 0x9b, 0x30, 0xcc, 0xa9, 0x96, 0xb5, 0x8d, 0x8d, 0x25, 0xf7, 0x87, 0x34,
+	0x8d, 0x4c, 0x6a, 0x1b, 0x1b, 0xcb, 0xbd, 0x0b, 0x9d, 0x63, 0xe6, 0xa6, 0x34, 0x08, 0x2a, 0x5b,
+	0xf2, 0xbe, 0xb4, 0x54, 0x1f, 0xd4, 0xda, 0x6d, 0x43, 0x73, 0x14, 0xa7, 0xc5, 0x60, 0xba, 0x47,
+	0x16, 0xb4, 0x46, 0x2c, 0x3d, 0x1e, 0xa7, 0x11, 0xac, 0x17, 0xfd, 0x79, 0x31, 0xda, 0xd9, 0x24,
+	0x59, 0x71, 0xa7, 0xf5, 0xce, 0x1e, 0xc5, 0xbc, 0x00, 0xbe, 0x76, 0x1c, 0x54, 0xe4, 0xe4, 0xe1,
+	0xd3, 0x70, 0xf4, 0x03, 0xdc, 0x1c, 0x0e, 0x07, 0x2a, 0xd2, 0xda, 0xb5, 0x22, 0x15, 0x30, 0xf4,
+	0x1c, 0x6e, 0xee, 0xaa, 0x87, 0x29, 0x37, 0xd3, 0x71, 0x4e, 0x59, 0xd5, 0xfb, 0xe5, 0x6b, 0x37,
+	0x4c, 0x27, 0x8c, 0x4f, 0x71, 0x01, 0xea, 0xbf, 0xaf, 0x40, 0x63, 0x38, 0x1c, 0x0c, 0x78, 0x3c,
+	0x8d, 0x28, 0xfa, 0xd3, 0x02, 0x74, 0xf6, 0x3e, 0x41, 0xdf, 0xac, 0x56, 0xc9, 0xf9, 0x17, 0x9b,
+	0xf3, 0xed, 0x35, 0x51, 0xa6, 0xca, 0xef, 0xa0, 0xaa, 0x54, 0x8c, 0xbe, 0xbc, 0xe2, 0x9c, 0x3b,
+	0xde, 0xe5, 0x8e, 0x26, 0xf6, 0x04, 0xea, 0x85, 0x12, 0xd0, 0xbd, 0x95, 0xf4, 0x4e, 0x08, 0xdd,
+	0xb9, 0x7f, 0x25, 0x5f, 0x93, 0x64, 0x17, 0x2a, 0x52, 0x46, 0xe8, 0xee, 0x0a, 0x50, 0x49, 0x67,
+	0xce, 0xaa, 0x73, 0x9e, 0xd0, 0xdf, 0x2f, 0xf2, 0x49, 0x55, 0x77, 0x8c, 0xb7, 0x92, 0x4f, 0xe9,
+	0xc5, 0x73, 0xbe, 0xba, 0x82, 0xa7, 0x0e, 0x3f, 0x68, 0x7d, 0x38, 0xda, 0xb0, 0xfe, 0x3e, 0xda,
+	0xb0, 0xfe, 0x3d, 0xda, 0xb0, 0xc6, 0x35, 0xf5, 0x9f, 0xe5, 0xd1, 0xff, 0x01, 0x00, 0x00, 0xff,
+	0xff, 0xb8, 0xcb, 0x8c, 0xfa, 0xd6, 0x09, 0x00, 0x00,
+}
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.proto b/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.proto
new file mode 100644
index 00000000..8f40a335
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.proto
@@ -0,0 +1,99 @@
+syntax = "proto3";
+
+package moby.buildkit.v1.frontend;
+
+import "github.com/gogo/protobuf/gogoproto/gogo.proto";
+import "github.com/gogo/googleapis/google/rpc/status.proto";
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+import "github.com/moby/buildkit/api/types/worker.proto";
+import "github.com/moby/buildkit/util/apicaps/pb/caps.proto";
+
+option (gogoproto.sizer_all) = true;
+option (gogoproto.marshaler_all) = true;
+option (gogoproto.unmarshaler_all) = true;
+
+service LLBBridge {
+	// apicaps:CapResolveImage
+	rpc ResolveImageConfig(ResolveImageConfigRequest) returns (ResolveImageConfigResponse);
+	// apicaps:CapSolveBase
+	rpc Solve(SolveRequest) returns (SolveResponse);
+	// apicaps:CapReadFile
+	rpc ReadFile(ReadFileRequest) returns (ReadFileResponse);
+	rpc Ping(PingRequest) returns (PongResponse);
+	rpc Return(ReturnRequest) returns (ReturnResponse);
+}
+
+message Result {
+	oneof result {
+		string ref = 1;
+		RefMap refs = 2;
+	}
+	map<string, bytes> metadata = 10;
+}
+
+message RefMap {
+	map<string, string> refs = 1;
+}
+
+message ReturnRequest {
+	Result result = 1;
+	google.rpc.Status error = 2;
+}
+
+message ReturnResponse {
+}
+
+message ResolveImageConfigRequest {
+	string Ref = 1;
+	pb.Platform Platform = 2;
+}
+
+message ResolveImageConfigResponse {
+	string Digest = 1 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	bytes Config = 2;
+}
+
+message SolveRequest {
+	pb.Definition Definition = 1;
+	string Frontend = 2;
+	map<string, string> FrontendOpt = 3;
+	repeated string ImportCacheRefs = 4;
+	bool allowResultReturn = 5;
+	
+	// apicaps.CapSolveInlineReturn deprecated
+	bool Final = 10;
+	bytes ExporterAttr = 11;
+}
+
+message SolveResponse {
+	// deprecated
+	string ref = 1; // can be used by readfile request
+	// deprecated
+/*	bytes ExporterAttr = 2;*/
+	
+	// these fields are returned when allowMapReturn was set
+	Result result = 3;
+}
+
+message ReadFileRequest {
+	string Ref = 1;
+	string FilePath = 2;
+	FileRange Range = 3;
+}
+
+message FileRange {
+	int64 Offset = 1;
+	int64 Length = 2;
+}
+
+message ReadFileResponse {
+	bytes Data = 1;
+}
+
+message PingRequest{
+}
+message PongResponse{
+	repeated moby.buildkit.v1.apicaps.APICap FrontendAPICaps = 1 [(gogoproto.nullable) = false];
+	repeated moby.buildkit.v1.apicaps.APICap LLBCaps = 2 [(gogoproto.nullable) = false];
+	repeated moby.buildkit.v1.types.WorkerRecord Workers = 3;
+}
\ No newline at end of file
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/generate.go b/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/generate.go
new file mode 100644
index 00000000..4ab07c6d
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/gateway/pb/generate.go
@@ -0,0 +1,3 @@
+package moby_buildkit_v1_frontend
+
+//go:generate protoc -I=. -I=../../../vendor/ -I=../../../../../../ --gogo_out=plugins=grpc:. gateway.proto
diff --git a/engine/vendor/github.com/moby/buildkit/frontend/result.go b/engine/vendor/github.com/moby/buildkit/frontend/result.go
new file mode 100644
index 00000000..37715de8
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/frontend/result.go
@@ -0,0 +1,23 @@
+package frontend
+
+import "github.com/moby/buildkit/solver"
+
+type Result struct {
+	Ref      solver.CachedResult
+	Refs     map[string]solver.CachedResult
+	Metadata map[string][]byte
+}
+
+func (r *Result) EachRef(fn func(solver.CachedResult) error) (err error) {
+	if r.Ref != nil {
+		err = fn(r.Ref)
+	}
+	for _, r := range r.Refs {
+		if r != nil {
+			if err1 := fn(r); err1 != nil && err == nil {
+				err = err1
+			}
+		}
+	}
+	return err
+}
diff --git a/engine/vendor/github.com/moby/buildkit/identity/randomid.go b/engine/vendor/github.com/moby/buildkit/identity/randomid.go
new file mode 100644
index 00000000..0eb13527
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/identity/randomid.go
@@ -0,0 +1,53 @@
+package identity
+
+import (
+	cryptorand "crypto/rand"
+	"fmt"
+	"io"
+	"math/big"
+)
+
+var (
+	// idReader is used for random id generation. This declaration allows us to
+	// replace it for testing.
+	idReader = cryptorand.Reader
+)
+
+// parameters for random identifier generation. We can tweak this when there is
+// time for further analysis.
+const (
+	randomIDEntropyBytes = 17
+	randomIDBase         = 36
+
+	// To ensure that all identifiers are fixed length, we make sure they
+	// get padded out or truncated to 25 characters.
+	//
+	// For academics,  f5lxx1zz5pnorynqglhzmsp33  == 2^128 - 1. This value
+	// was calculated from floor(log(2^128-1, 36)) + 1.
+	//
+	// While 128 bits is the largest whole-byte size that fits into 25
+	// base-36 characters, we generate an extra byte of entropy to fill
+	// in the high bits, which would otherwise be 0. This gives us a more
+	// even distribution of the first character.
+	//
+	// See http://mathworld.wolfram.com/NumberLength.html for more information.
+	maxRandomIDLength = 25
+)
+
+// NewID generates a new identifier for use where random identifiers with low
+// collision probability are required.
+//
+// With the parameters in this package, the generated identifier will provide
+// ~129 bits of entropy encoded with base36. Leading padding is added if the
+// string is less 25 bytes. We do not intend to maintain this interface, so
+// identifiers should be treated opaquely.
+func NewID() string {
+	var p [randomIDEntropyBytes]byte
+
+	if _, err := io.ReadFull(idReader, p[:]); err != nil {
+		panic(fmt.Errorf("failed to read random bytes: %v", err))
+	}
+
+	p[0] |= 0x80 // set high bit to avoid the need for padding
+	return (&big.Int{}).SetBytes(p[:]).Text(randomIDBase)[1 : maxRandomIDLength+1]
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/auth/auth.go b/engine/vendor/github.com/moby/buildkit/session/auth/auth.go
new file mode 100644
index 00000000..2b96a7ce
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/auth/auth.go
@@ -0,0 +1,26 @@
+package auth
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/session"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func CredentialsFunc(ctx context.Context, c session.Caller) func(string) (string, string, error) {
+	return func(host string) (string, string, error) {
+		client := NewAuthClient(c.Conn())
+
+		resp, err := client.Credentials(ctx, &CredentialsRequest{
+			Host: host,
+		})
+		if err != nil {
+			if st, ok := status.FromError(err); ok && st.Code() == codes.Unimplemented {
+				return "", "", nil
+			}
+			return "", "", err
+		}
+		return resp.Username, resp.Secret, nil
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/auth/auth.pb.go b/engine/vendor/github.com/moby/buildkit/session/auth/auth.pb.go
new file mode 100644
index 00000000..8993b85b
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/auth/auth.pb.go
@@ -0,0 +1,673 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: auth.proto
+
+/*
+	Package auth is a generated protocol buffer package.
+
+	It is generated from these files:
+		auth.proto
+
+	It has these top-level messages:
+		CredentialsRequest
+		CredentialsResponse
+*/
+package auth
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strings "strings"
+import reflect "reflect"
+
+import context "golang.org/x/net/context"
+import grpc "google.golang.org/grpc"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type CredentialsRequest struct {
+	Host string `protobuf:"bytes,1,opt,name=Host,proto3" json:"Host,omitempty"`
+}
+
+func (m *CredentialsRequest) Reset()                    { *m = CredentialsRequest{} }
+func (*CredentialsRequest) ProtoMessage()               {}
+func (*CredentialsRequest) Descriptor() ([]byte, []int) { return fileDescriptorAuth, []int{0} }
+
+func (m *CredentialsRequest) GetHost() string {
+	if m != nil {
+		return m.Host
+	}
+	return ""
+}
+
+type CredentialsResponse struct {
+	Username string `protobuf:"bytes,1,opt,name=Username,proto3" json:"Username,omitempty"`
+	Secret   string `protobuf:"bytes,2,opt,name=Secret,proto3" json:"Secret,omitempty"`
+}
+
+func (m *CredentialsResponse) Reset()                    { *m = CredentialsResponse{} }
+func (*CredentialsResponse) ProtoMessage()               {}
+func (*CredentialsResponse) Descriptor() ([]byte, []int) { return fileDescriptorAuth, []int{1} }
+
+func (m *CredentialsResponse) GetUsername() string {
+	if m != nil {
+		return m.Username
+	}
+	return ""
+}
+
+func (m *CredentialsResponse) GetSecret() string {
+	if m != nil {
+		return m.Secret
+	}
+	return ""
+}
+
+func init() {
+	proto.RegisterType((*CredentialsRequest)(nil), "moby.filesync.v1.CredentialsRequest")
+	proto.RegisterType((*CredentialsResponse)(nil), "moby.filesync.v1.CredentialsResponse")
+}
+func (this *CredentialsRequest) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*CredentialsRequest)
+	if !ok {
+		that2, ok := that.(CredentialsRequest)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if this.Host != that1.Host {
+		return false
+	}
+	return true
+}
+func (this *CredentialsResponse) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*CredentialsResponse)
+	if !ok {
+		that2, ok := that.(CredentialsResponse)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if this.Username != that1.Username {
+		return false
+	}
+	if this.Secret != that1.Secret {
+		return false
+	}
+	return true
+}
+func (this *CredentialsRequest) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&auth.CredentialsRequest{")
+	s = append(s, "Host: "+fmt.Sprintf("%#v", this.Host)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func (this *CredentialsResponse) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 6)
+	s = append(s, "&auth.CredentialsResponse{")
+	s = append(s, "Username: "+fmt.Sprintf("%#v", this.Username)+",\n")
+	s = append(s, "Secret: "+fmt.Sprintf("%#v", this.Secret)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringAuth(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// Client API for Auth service
+
+type AuthClient interface {
+	Credentials(ctx context.Context, in *CredentialsRequest, opts ...grpc.CallOption) (*CredentialsResponse, error)
+}
+
+type authClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewAuthClient(cc *grpc.ClientConn) AuthClient {
+	return &authClient{cc}
+}
+
+func (c *authClient) Credentials(ctx context.Context, in *CredentialsRequest, opts ...grpc.CallOption) (*CredentialsResponse, error) {
+	out := new(CredentialsResponse)
+	err := grpc.Invoke(ctx, "/moby.filesync.v1.Auth/Credentials", in, out, c.cc, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// Server API for Auth service
+
+type AuthServer interface {
+	Credentials(context.Context, *CredentialsRequest) (*CredentialsResponse, error)
+}
+
+func RegisterAuthServer(s *grpc.Server, srv AuthServer) {
+	s.RegisterService(&_Auth_serviceDesc, srv)
+}
+
+func _Auth_Credentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CredentialsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServer).Credentials(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/moby.filesync.v1.Auth/Credentials",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServer).Credentials(ctx, req.(*CredentialsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _Auth_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.filesync.v1.Auth",
+	HandlerType: (*AuthServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Credentials",
+			Handler:    _Auth_Credentials_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "auth.proto",
+}
+
+func (m *CredentialsRequest) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CredentialsRequest) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Host) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Host)))
+		i += copy(dAtA[i:], m.Host)
+	}
+	return i, nil
+}
+
+func (m *CredentialsResponse) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CredentialsResponse) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Username) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Username)))
+		i += copy(dAtA[i:], m.Username)
+	}
+	if len(m.Secret) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintAuth(dAtA, i, uint64(len(m.Secret)))
+		i += copy(dAtA[i:], m.Secret)
+	}
+	return i, nil
+}
+
+func encodeVarintAuth(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *CredentialsRequest) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Host)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	return n
+}
+
+func (m *CredentialsResponse) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Username)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	l = len(m.Secret)
+	if l > 0 {
+		n += 1 + l + sovAuth(uint64(l))
+	}
+	return n
+}
+
+func sovAuth(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozAuth(x uint64) (n int) {
+	return sovAuth(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *CredentialsRequest) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CredentialsRequest{`,
+		`Host:` + fmt.Sprintf("%v", this.Host) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *CredentialsResponse) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&CredentialsResponse{`,
+		`Username:` + fmt.Sprintf("%v", this.Username) + `,`,
+		`Secret:` + fmt.Sprintf("%v", this.Secret) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringAuth(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *CredentialsRequest) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CredentialsRequest: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CredentialsRequest: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Host = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuth(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthAuth
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CredentialsResponse) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CredentialsResponse: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CredentialsResponse: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Username", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Username = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Secret", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthAuth
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Secret = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipAuth(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthAuth
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipAuth(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowAuth
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowAuth
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthAuth
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowAuth
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipAuth(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthAuth = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowAuth   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("auth.proto", fileDescriptorAuth) }
+
+var fileDescriptorAuth = []byte{
+	// 224 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4a, 0x2c, 0x2d, 0xc9,
+	0xd0, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xc8, 0xcd, 0x4f, 0xaa, 0xd4, 0x4b, 0xcb, 0xcc,
+	0x49, 0x2d, 0xae, 0xcc, 0x4b, 0xd6, 0x2b, 0x33, 0x54, 0xd2, 0xe0, 0x12, 0x72, 0x2e, 0x4a, 0x4d,
+	0x49, 0xcd, 0x2b, 0xc9, 0x4c, 0xcc, 0x29, 0x0e, 0x4a, 0x2d, 0x2c, 0x4d, 0x2d, 0x2e, 0x11, 0x12,
+	0xe2, 0x62, 0xf1, 0xc8, 0x2f, 0x2e, 0x91, 0x60, 0x54, 0x60, 0xd4, 0xe0, 0x0c, 0x02, 0xb3, 0x95,
+	0x3c, 0xb9, 0x84, 0x51, 0x54, 0x16, 0x17, 0xe4, 0xe7, 0x15, 0xa7, 0x0a, 0x49, 0x71, 0x71, 0x84,
+	0x16, 0xa7, 0x16, 0xe5, 0x25, 0xe6, 0xa6, 0x42, 0x95, 0xc3, 0xf9, 0x42, 0x62, 0x5c, 0x6c, 0xc1,
+	0xa9, 0xc9, 0x45, 0xa9, 0x25, 0x12, 0x4c, 0x60, 0x19, 0x28, 0xcf, 0x28, 0x89, 0x8b, 0xc5, 0xb1,
+	0xb4, 0x24, 0x43, 0x28, 0x8a, 0x8b, 0x1b, 0xc9, 0x48, 0x21, 0x15, 0x3d, 0x74, 0xe7, 0xe9, 0x61,
+	0xba, 0x4d, 0x4a, 0x95, 0x80, 0x2a, 0x88, 0xbb, 0x9c, 0x8c, 0x2e, 0x3c, 0x94, 0x63, 0xb8, 0xf1,
+	0x50, 0x8e, 0xe1, 0xc3, 0x43, 0x39, 0xc6, 0x86, 0x47, 0x72, 0x8c, 0x2b, 0x1e, 0xc9, 0x31, 0x9e,
+	0x78, 0x24, 0xc7, 0x78, 0xe1, 0x91, 0x1c, 0xe3, 0x83, 0x47, 0x72, 0x8c, 0x2f, 0x1e, 0xc9, 0x31,
+	0x7c, 0x78, 0x24, 0xc7, 0x38, 0xe1, 0xb1, 0x1c, 0x43, 0x14, 0x0b, 0x28, 0x90, 0x92, 0xd8, 0xc0,
+	0xa1, 0x64, 0x0c, 0x08, 0x00, 0x00, 0xff, 0xff, 0xaa, 0x73, 0xf3, 0xd5, 0x33, 0x01, 0x00, 0x00,
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/auth/auth.proto b/engine/vendor/github.com/moby/buildkit/session/auth/auth.proto
new file mode 100644
index 00000000..59331274
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/auth/auth.proto
@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package moby.filesync.v1;
+
+option go_package = "auth";
+
+service Auth{
+  rpc Credentials(CredentialsRequest) returns (CredentialsResponse);
+}
+
+
+message CredentialsRequest {
+	string Host = 1;
+}
+
+message CredentialsResponse {
+	string Username = 1;
+	string Secret = 2;
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/auth/generate.go b/engine/vendor/github.com/moby/buildkit/session/auth/generate.go
new file mode 100644
index 00000000..687aa7cc
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/auth/generate.go
@@ -0,0 +1,3 @@
+package auth
+
+//go:generate protoc --gogoslick_out=plugins=grpc:. auth.proto
diff --git a/engine/vendor/github.com/moby/buildkit/session/context.go b/engine/vendor/github.com/moby/buildkit/session/context.go
new file mode 100644
index 00000000..31a29f08
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/context.go
@@ -0,0 +1,22 @@
+package session
+
+import "context"
+
+type contextKeyT string
+
+var contextKey = contextKeyT("buildkit/session-id")
+
+func NewContext(ctx context.Context, id string) context.Context {
+	if id != "" {
+		return context.WithValue(ctx, contextKey, id)
+	}
+	return ctx
+}
+
+func FromContext(ctx context.Context) string {
+	v := ctx.Value(contextKey)
+	if v == nil {
+		return ""
+	}
+	return v.(string)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/filesync/diffcopy.go b/engine/vendor/github.com/moby/buildkit/session/filesync/diffcopy.go
new file mode 100644
index 00000000..d0f8e76d
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/filesync/diffcopy.go
@@ -0,0 +1,114 @@
+package filesync
+
+import (
+	"bufio"
+	io "io"
+	"os"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/tonistiigi/fsutil"
+	"google.golang.org/grpc"
+)
+
+func sendDiffCopy(stream grpc.Stream, dir string, includes, excludes, followPaths []string, progress progressCb, _map func(*fsutil.Stat) bool) error {
+	return fsutil.Send(stream.Context(), stream, dir, &fsutil.WalkOpt{
+		ExcludePatterns: excludes,
+		IncludePatterns: includes,
+		FollowPaths:     followPaths,
+		Map:             _map,
+	}, progress)
+}
+
+func newStreamWriter(stream grpc.ClientStream) io.WriteCloser {
+	wc := &streamWriterCloser{ClientStream: stream}
+	return &bufferedWriteCloser{Writer: bufio.NewWriter(wc), Closer: wc}
+}
+
+type bufferedWriteCloser struct {
+	*bufio.Writer
+	io.Closer
+}
+
+func (bwc *bufferedWriteCloser) Close() error {
+	if err := bwc.Writer.Flush(); err != nil {
+		return err
+	}
+	return bwc.Closer.Close()
+}
+
+type streamWriterCloser struct {
+	grpc.ClientStream
+}
+
+func (wc *streamWriterCloser) Write(dt []byte) (int, error) {
+	if err := wc.ClientStream.SendMsg(&BytesMessage{Data: dt}); err != nil {
+		return 0, err
+	}
+	return len(dt), nil
+}
+
+func (wc *streamWriterCloser) Close() error {
+	if err := wc.ClientStream.CloseSend(); err != nil {
+		return err
+	}
+	// block until receiver is done
+	var bm BytesMessage
+	if err := wc.ClientStream.RecvMsg(&bm); err != io.EOF {
+		return err
+	}
+	return nil
+}
+
+func recvDiffCopy(ds grpc.Stream, dest string, cu CacheUpdater, progress progressCb) error {
+	st := time.Now()
+	defer func() {
+		logrus.Debugf("diffcopy took: %v", time.Since(st))
+	}()
+	var cf fsutil.ChangeFunc
+	var ch fsutil.ContentHasher
+	if cu != nil {
+		cu.MarkSupported(true)
+		cf = cu.HandleChange
+		ch = cu.ContentHasher()
+	}
+	return fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
+		NotifyHashed:  cf,
+		ContentHasher: ch,
+		ProgressCb:    progress,
+	})
+}
+
+func syncTargetDiffCopy(ds grpc.Stream, dest string) error {
+	if err := os.MkdirAll(dest, 0700); err != nil {
+		return err
+	}
+	return fsutil.Receive(ds.Context(), ds, dest, fsutil.ReceiveOpt{
+		Merge: true,
+		Filter: func() func(*fsutil.Stat) bool {
+			uid := os.Getuid()
+			gid := os.Getgid()
+			return func(st *fsutil.Stat) bool {
+				st.Uid = uint32(uid)
+				st.Gid = uint32(gid)
+				return true
+			}
+		}(),
+	})
+}
+
+func writeTargetFile(ds grpc.Stream, wc io.WriteCloser) error {
+	for {
+		bm := BytesMessage{}
+		if err := ds.RecvMsg(&bm); err != nil {
+			if errors.Cause(err) == io.EOF {
+				return nil
+			}
+			return err
+		}
+		if _, err := wc.Write(bm.Data); err != nil {
+			return err
+		}
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/filesync/filesync.go b/engine/vendor/github.com/moby/buildkit/session/filesync/filesync.go
new file mode 100644
index 00000000..ee2668f0
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/filesync/filesync.go
@@ -0,0 +1,289 @@
+package filesync
+
+import (
+	"context"
+	"fmt"
+	io "io"
+	"os"
+	"strings"
+
+	"github.com/moby/buildkit/session"
+	"github.com/pkg/errors"
+	"github.com/tonistiigi/fsutil"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+)
+
+const (
+	keyOverrideExcludes = "override-excludes"
+	keyIncludePatterns  = "include-patterns"
+	keyExcludePatterns  = "exclude-patterns"
+	keyFollowPaths      = "followpaths"
+	keyDirName          = "dir-name"
+)
+
+type fsSyncProvider struct {
+	dirs   map[string]SyncedDir
+	p      progressCb
+	doneCh chan error
+}
+
+type SyncedDir struct {
+	Name     string
+	Dir      string
+	Excludes []string
+	Map      func(*fsutil.Stat) bool
+}
+
+// NewFSSyncProvider creates a new provider for sending files from client
+func NewFSSyncProvider(dirs []SyncedDir) session.Attachable {
+	p := &fsSyncProvider{
+		dirs: map[string]SyncedDir{},
+	}
+	for _, d := range dirs {
+		p.dirs[d.Name] = d
+	}
+	return p
+}
+
+func (sp *fsSyncProvider) Register(server *grpc.Server) {
+	RegisterFileSyncServer(server, sp)
+}
+
+func (sp *fsSyncProvider) DiffCopy(stream FileSync_DiffCopyServer) error {
+	return sp.handle("diffcopy", stream)
+}
+func (sp *fsSyncProvider) TarStream(stream FileSync_TarStreamServer) error {
+	return sp.handle("tarstream", stream)
+}
+
+func (sp *fsSyncProvider) handle(method string, stream grpc.ServerStream) (retErr error) {
+	var pr *protocol
+	for _, p := range supportedProtocols {
+		if method == p.name && isProtoSupported(p.name) {
+			pr = &p
+			break
+		}
+	}
+	if pr == nil {
+		return errors.New("failed to negotiate protocol")
+	}
+
+	opts, _ := metadata.FromIncomingContext(stream.Context()) // if no metadata continue with empty object
+
+	dirName := ""
+	name, ok := opts[keyDirName]
+	if ok && len(name) > 0 {
+		dirName = name[0]
+	}
+
+	dir, ok := sp.dirs[dirName]
+	if !ok {
+		return errors.Errorf("no access allowed to dir %q", dirName)
+	}
+
+	excludes := opts[keyExcludePatterns]
+	if len(dir.Excludes) != 0 && (len(opts[keyOverrideExcludes]) == 0 || opts[keyOverrideExcludes][0] != "true") {
+		excludes = dir.Excludes
+	}
+	includes := opts[keyIncludePatterns]
+
+	followPaths := opts[keyFollowPaths]
+
+	var progress progressCb
+	if sp.p != nil {
+		progress = sp.p
+		sp.p = nil
+	}
+
+	var doneCh chan error
+	if sp.doneCh != nil {
+		doneCh = sp.doneCh
+		sp.doneCh = nil
+	}
+	err := pr.sendFn(stream, dir.Dir, includes, excludes, followPaths, progress, dir.Map)
+	if doneCh != nil {
+		if err != nil {
+			doneCh <- err
+		}
+		close(doneCh)
+	}
+	return err
+}
+
+func (sp *fsSyncProvider) SetNextProgressCallback(f func(int, bool), doneCh chan error) {
+	sp.p = f
+	sp.doneCh = doneCh
+}
+
+type progressCb func(int, bool)
+
+type protocol struct {
+	name   string
+	sendFn func(stream grpc.Stream, srcDir string, includes, excludes, followPaths []string, progress progressCb, _map func(*fsutil.Stat) bool) error
+	recvFn func(stream grpc.Stream, destDir string, cu CacheUpdater, progress progressCb) error
+}
+
+func isProtoSupported(p string) bool {
+	// TODO: this should be removed after testing if stability is confirmed
+	if override := os.Getenv("BUILD_STREAM_PROTOCOL"); override != "" {
+		return strings.EqualFold(p, override)
+	}
+	return true
+}
+
+var supportedProtocols = []protocol{
+	{
+		name:   "diffcopy",
+		sendFn: sendDiffCopy,
+		recvFn: recvDiffCopy,
+	},
+}
+
+// FSSendRequestOpt defines options for FSSend request
+type FSSendRequestOpt struct {
+	Name             string
+	IncludePatterns  []string
+	ExcludePatterns  []string
+	FollowPaths      []string
+	OverrideExcludes bool // deprecated: this is used by docker/cli for automatically loading .dockerignore from the directory
+	DestDir          string
+	CacheUpdater     CacheUpdater
+	ProgressCb       func(int, bool)
+}
+
+// CacheUpdater is an object capable of sending notifications for the cache hash changes
+type CacheUpdater interface {
+	MarkSupported(bool)
+	HandleChange(fsutil.ChangeKind, string, os.FileInfo, error) error
+	ContentHasher() fsutil.ContentHasher
+}
+
+// FSSync initializes a transfer of files
+func FSSync(ctx context.Context, c session.Caller, opt FSSendRequestOpt) error {
+	var pr *protocol
+	for _, p := range supportedProtocols {
+		if isProtoSupported(p.name) && c.Supports(session.MethodURL(_FileSync_serviceDesc.ServiceName, p.name)) {
+			pr = &p
+			break
+		}
+	}
+	if pr == nil {
+		return errors.New("no fssync handlers")
+	}
+
+	opts := make(map[string][]string)
+	if opt.OverrideExcludes {
+		opts[keyOverrideExcludes] = []string{"true"}
+	}
+
+	if opt.IncludePatterns != nil {
+		opts[keyIncludePatterns] = opt.IncludePatterns
+	}
+
+	if opt.ExcludePatterns != nil {
+		opts[keyExcludePatterns] = opt.ExcludePatterns
+	}
+
+	if opt.FollowPaths != nil {
+		opts[keyFollowPaths] = opt.FollowPaths
+	}
+
+	opts[keyDirName] = []string{opt.Name}
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	client := NewFileSyncClient(c.Conn())
+
+	var stream grpc.ClientStream
+
+	ctx = metadata.NewOutgoingContext(ctx, opts)
+
+	switch pr.name {
+	case "tarstream":
+		cc, err := client.TarStream(ctx)
+		if err != nil {
+			return err
+		}
+		stream = cc
+	case "diffcopy":
+		cc, err := client.DiffCopy(ctx)
+		if err != nil {
+			return err
+		}
+		stream = cc
+	default:
+		panic(fmt.Sprintf("invalid protocol: %q", pr.name))
+	}
+
+	return pr.recvFn(stream, opt.DestDir, opt.CacheUpdater, opt.ProgressCb)
+}
+
+// NewFSSyncTargetDir allows writing into a directory
+func NewFSSyncTargetDir(outdir string) session.Attachable {
+	p := &fsSyncTarget{
+		outdir: outdir,
+	}
+	return p
+}
+
+// NewFSSyncTarget allows writing into an io.WriteCloser
+func NewFSSyncTarget(w io.WriteCloser) session.Attachable {
+	p := &fsSyncTarget{
+		outfile: w,
+	}
+	return p
+}
+
+type fsSyncTarget struct {
+	outdir  string
+	outfile io.WriteCloser
+}
+
+func (sp *fsSyncTarget) Register(server *grpc.Server) {
+	RegisterFileSendServer(server, sp)
+}
+
+func (sp *fsSyncTarget) DiffCopy(stream FileSend_DiffCopyServer) error {
+	if sp.outdir != "" {
+		return syncTargetDiffCopy(stream, sp.outdir)
+	}
+	if sp.outfile == nil {
+		return errors.New("empty outfile and outdir")
+	}
+	defer sp.outfile.Close()
+	return writeTargetFile(stream, sp.outfile)
+}
+
+func CopyToCaller(ctx context.Context, srcPath string, c session.Caller, progress func(int, bool)) error {
+	method := session.MethodURL(_FileSend_serviceDesc.ServiceName, "diffcopy")
+	if !c.Supports(method) {
+		return errors.Errorf("method %s not supported by the client", method)
+	}
+
+	client := NewFileSendClient(c.Conn())
+
+	cc, err := client.DiffCopy(ctx)
+	if err != nil {
+		return err
+	}
+
+	return sendDiffCopy(cc, srcPath, nil, nil, nil, progress, nil)
+}
+
+func CopyFileWriter(ctx context.Context, c session.Caller) (io.WriteCloser, error) {
+	method := session.MethodURL(_FileSend_serviceDesc.ServiceName, "diffcopy")
+	if !c.Supports(method) {
+		return nil, errors.Errorf("method %s not supported by the client", method)
+	}
+
+	client := NewFileSendClient(c.Conn())
+
+	cc, err := client.DiffCopy(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return newStreamWriter(cc), nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/filesync/filesync.pb.go b/engine/vendor/github.com/moby/buildkit/session/filesync/filesync.pb.go
new file mode 100644
index 00000000..4a9697e3
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/filesync/filesync.pb.go
@@ -0,0 +1,644 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: filesync.proto
+
+/*
+Package filesync is a generated protocol buffer package.
+
+It is generated from these files:
+	filesync.proto
+
+It has these top-level messages:
+	BytesMessage
+*/
+package filesync
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import bytes "bytes"
+
+import strings "strings"
+import reflect "reflect"
+
+import context "golang.org/x/net/context"
+import grpc "google.golang.org/grpc"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+// BytesMessage contains a chunk of byte data
+type BytesMessage struct {
+	Data []byte `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
+}
+
+func (m *BytesMessage) Reset()                    { *m = BytesMessage{} }
+func (*BytesMessage) ProtoMessage()               {}
+func (*BytesMessage) Descriptor() ([]byte, []int) { return fileDescriptorFilesync, []int{0} }
+
+func (m *BytesMessage) GetData() []byte {
+	if m != nil {
+		return m.Data
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*BytesMessage)(nil), "moby.filesync.v1.BytesMessage")
+}
+func (this *BytesMessage) Equal(that interface{}) bool {
+	if that == nil {
+		return this == nil
+	}
+
+	that1, ok := that.(*BytesMessage)
+	if !ok {
+		that2, ok := that.(BytesMessage)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		return this == nil
+	} else if this == nil {
+		return false
+	}
+	if !bytes.Equal(this.Data, that1.Data) {
+		return false
+	}
+	return true
+}
+func (this *BytesMessage) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 5)
+	s = append(s, "&filesync.BytesMessage{")
+	s = append(s, "Data: "+fmt.Sprintf("%#v", this.Data)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringFilesync(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConn
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion4
+
+// Client API for FileSync service
+
+type FileSyncClient interface {
+	DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSync_DiffCopyClient, error)
+	TarStream(ctx context.Context, opts ...grpc.CallOption) (FileSync_TarStreamClient, error)
+}
+
+type fileSyncClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewFileSyncClient(cc *grpc.ClientConn) FileSyncClient {
+	return &fileSyncClient{cc}
+}
+
+func (c *fileSyncClient) DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSync_DiffCopyClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_FileSync_serviceDesc.Streams[0], c.cc, "/moby.filesync.v1.FileSync/DiffCopy", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &fileSyncDiffCopyClient{stream}
+	return x, nil
+}
+
+type FileSync_DiffCopyClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type fileSyncDiffCopyClient struct {
+	grpc.ClientStream
+}
+
+func (x *fileSyncDiffCopyClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *fileSyncDiffCopyClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func (c *fileSyncClient) TarStream(ctx context.Context, opts ...grpc.CallOption) (FileSync_TarStreamClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_FileSync_serviceDesc.Streams[1], c.cc, "/moby.filesync.v1.FileSync/TarStream", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &fileSyncTarStreamClient{stream}
+	return x, nil
+}
+
+type FileSync_TarStreamClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type fileSyncTarStreamClient struct {
+	grpc.ClientStream
+}
+
+func (x *fileSyncTarStreamClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *fileSyncTarStreamClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+// Server API for FileSync service
+
+type FileSyncServer interface {
+	DiffCopy(FileSync_DiffCopyServer) error
+	TarStream(FileSync_TarStreamServer) error
+}
+
+func RegisterFileSyncServer(s *grpc.Server, srv FileSyncServer) {
+	s.RegisterService(&_FileSync_serviceDesc, srv)
+}
+
+func _FileSync_DiffCopy_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(FileSyncServer).DiffCopy(&fileSyncDiffCopyServer{stream})
+}
+
+type FileSync_DiffCopyServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type fileSyncDiffCopyServer struct {
+	grpc.ServerStream
+}
+
+func (x *fileSyncDiffCopyServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *fileSyncDiffCopyServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func _FileSync_TarStream_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(FileSyncServer).TarStream(&fileSyncTarStreamServer{stream})
+}
+
+type FileSync_TarStreamServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type fileSyncTarStreamServer struct {
+	grpc.ServerStream
+}
+
+func (x *fileSyncTarStreamServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *fileSyncTarStreamServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+var _FileSync_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.filesync.v1.FileSync",
+	HandlerType: (*FileSyncServer)(nil),
+	Methods:     []grpc.MethodDesc{},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "DiffCopy",
+			Handler:       _FileSync_DiffCopy_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+		{
+			StreamName:    "TarStream",
+			Handler:       _FileSync_TarStream_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "filesync.proto",
+}
+
+// Client API for FileSend service
+
+type FileSendClient interface {
+	DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSend_DiffCopyClient, error)
+}
+
+type fileSendClient struct {
+	cc *grpc.ClientConn
+}
+
+func NewFileSendClient(cc *grpc.ClientConn) FileSendClient {
+	return &fileSendClient{cc}
+}
+
+func (c *fileSendClient) DiffCopy(ctx context.Context, opts ...grpc.CallOption) (FileSend_DiffCopyClient, error) {
+	stream, err := grpc.NewClientStream(ctx, &_FileSend_serviceDesc.Streams[0], c.cc, "/moby.filesync.v1.FileSend/DiffCopy", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &fileSendDiffCopyClient{stream}
+	return x, nil
+}
+
+type FileSend_DiffCopyClient interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ClientStream
+}
+
+type fileSendDiffCopyClient struct {
+	grpc.ClientStream
+}
+
+func (x *fileSendDiffCopyClient) Send(m *BytesMessage) error {
+	return x.ClientStream.SendMsg(m)
+}
+
+func (x *fileSendDiffCopyClient) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+// Server API for FileSend service
+
+type FileSendServer interface {
+	DiffCopy(FileSend_DiffCopyServer) error
+}
+
+func RegisterFileSendServer(s *grpc.Server, srv FileSendServer) {
+	s.RegisterService(&_FileSend_serviceDesc, srv)
+}
+
+func _FileSend_DiffCopy_Handler(srv interface{}, stream grpc.ServerStream) error {
+	return srv.(FileSendServer).DiffCopy(&fileSendDiffCopyServer{stream})
+}
+
+type FileSend_DiffCopyServer interface {
+	Send(*BytesMessage) error
+	Recv() (*BytesMessage, error)
+	grpc.ServerStream
+}
+
+type fileSendDiffCopyServer struct {
+	grpc.ServerStream
+}
+
+func (x *fileSendDiffCopyServer) Send(m *BytesMessage) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func (x *fileSendDiffCopyServer) Recv() (*BytesMessage, error) {
+	m := new(BytesMessage)
+	if err := x.ServerStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+var _FileSend_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "moby.filesync.v1.FileSend",
+	HandlerType: (*FileSendServer)(nil),
+	Methods:     []grpc.MethodDesc{},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "DiffCopy",
+			Handler:       _FileSend_DiffCopy_Handler,
+			ServerStreams: true,
+			ClientStreams: true,
+		},
+	},
+	Metadata: "filesync.proto",
+}
+
+func (m *BytesMessage) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BytesMessage) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Data) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintFilesync(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func encodeVarintFilesync(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *BytesMessage) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Data)
+	if l > 0 {
+		n += 1 + l + sovFilesync(uint64(l))
+	}
+	return n
+}
+
+func sovFilesync(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozFilesync(x uint64) (n int) {
+	return sovFilesync(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *BytesMessage) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&BytesMessage{`,
+		`Data:` + fmt.Sprintf("%v", this.Data) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringFilesync(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *BytesMessage) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowFilesync
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BytesMessage: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BytesMessage: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowFilesync
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthFilesync
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipFilesync(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthFilesync
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipFilesync(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowFilesync
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowFilesync
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowFilesync
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthFilesync
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowFilesync
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipFilesync(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthFilesync = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowFilesync   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("filesync.proto", fileDescriptorFilesync) }
+
+var fileDescriptorFilesync = []byte{
+	// 208 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4b, 0xcb, 0xcc, 0x49,
+	0x2d, 0xae, 0xcc, 0x4b, 0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x12, 0xc8, 0xcd, 0x4f, 0xaa,
+	0xd4, 0x83, 0x0b, 0x96, 0x19, 0x2a, 0x29, 0x71, 0xf1, 0x38, 0x55, 0x96, 0xa4, 0x16, 0xfb, 0xa6,
+	0x16, 0x17, 0x27, 0xa6, 0xa7, 0x0a, 0x09, 0x71, 0xb1, 0xa4, 0x24, 0x96, 0x24, 0x4a, 0x30, 0x2a,
+	0x30, 0x6a, 0xf0, 0x04, 0x81, 0xd9, 0x46, 0xab, 0x19, 0xb9, 0x38, 0xdc, 0x32, 0x73, 0x52, 0x83,
+	0x2b, 0xf3, 0x92, 0x85, 0xfc, 0xb8, 0x38, 0x5c, 0x32, 0xd3, 0xd2, 0x9c, 0xf3, 0x0b, 0x2a, 0x85,
+	0xe4, 0xf4, 0xd0, 0xcd, 0xd3, 0x43, 0x36, 0x4c, 0x8a, 0x80, 0xbc, 0x06, 0xa3, 0x01, 0xa3, 0x90,
+	0x3f, 0x17, 0x67, 0x48, 0x62, 0x51, 0x70, 0x49, 0x51, 0x6a, 0x62, 0x2e, 0x35, 0x0c, 0x34, 0x8a,
+	0x82, 0x3a, 0x36, 0x35, 0x2f, 0x85, 0xda, 0x8e, 0x75, 0x32, 0xbb, 0xf0, 0x50, 0x8e, 0xe1, 0xc6,
+	0x43, 0x39, 0x86, 0x0f, 0x0f, 0xe5, 0x18, 0x1b, 0x1e, 0xc9, 0x31, 0xae, 0x78, 0x24, 0xc7, 0x78,
+	0xe2, 0x91, 0x1c, 0xe3, 0x85, 0x47, 0x72, 0x8c, 0x0f, 0x1e, 0xc9, 0x31, 0xbe, 0x78, 0x24, 0xc7,
+	0xf0, 0xe1, 0x91, 0x1c, 0xe3, 0x84, 0xc7, 0x72, 0x0c, 0x51, 0x1c, 0x30, 0xb3, 0x92, 0xd8, 0xc0,
+	0xc1, 0x6f, 0x0c, 0x08, 0x00, 0x00, 0xff, 0xff, 0x72, 0x81, 0x1a, 0x91, 0x90, 0x01, 0x00, 0x00,
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/filesync/filesync.proto b/engine/vendor/github.com/moby/buildkit/session/filesync/filesync.proto
new file mode 100644
index 00000000..0ae29373
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/filesync/filesync.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+package moby.filesync.v1;
+
+option go_package = "filesync";
+
+service FileSync{
+  rpc DiffCopy(stream BytesMessage) returns (stream BytesMessage);
+  rpc TarStream(stream BytesMessage) returns (stream BytesMessage);
+}
+
+service FileSend{
+  rpc DiffCopy(stream BytesMessage) returns (stream BytesMessage);
+}
+
+
+// BytesMessage contains a chunk of byte data
+message BytesMessage{
+	bytes data = 1;
+}
\ No newline at end of file
diff --git a/engine/vendor/github.com/moby/buildkit/session/filesync/generate.go b/engine/vendor/github.com/moby/buildkit/session/filesync/generate.go
new file mode 100644
index 00000000..261e8762
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/filesync/generate.go
@@ -0,0 +1,3 @@
+package filesync
+
+//go:generate protoc --gogoslick_out=plugins=grpc:. filesync.proto
diff --git a/engine/vendor/github.com/moby/buildkit/session/grpc.go b/engine/vendor/github.com/moby/buildkit/session/grpc.go
new file mode 100644
index 00000000..2798b6ab
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/grpc.go
@@ -0,0 +1,81 @@
+package session
+
+import (
+	"context"
+	"net"
+	"sync/atomic"
+	"time"
+
+	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/net/http2"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/health/grpc_health_v1"
+)
+
+func serve(ctx context.Context, grpcServer *grpc.Server, conn net.Conn) {
+	go func() {
+		<-ctx.Done()
+		conn.Close()
+	}()
+	logrus.Debugf("serving grpc connection")
+	(&http2.Server{}).ServeConn(conn, &http2.ServeConnOpts{Handler: grpcServer})
+}
+
+func grpcClientConn(ctx context.Context, conn net.Conn) (context.Context, *grpc.ClientConn, error) {
+	var dialCount int64
+	dialer := grpc.WithDialer(func(addr string, d time.Duration) (net.Conn, error) {
+		if c := atomic.AddInt64(&dialCount, 1); c > 1 {
+			return nil, errors.Errorf("only one connection allowed")
+		}
+		return conn, nil
+	})
+
+	dialOpts := []grpc.DialOption{
+		dialer,
+		grpc.WithInsecure(),
+	}
+
+	if span := opentracing.SpanFromContext(ctx); span != nil {
+		tracer := span.Tracer()
+		dialOpts = append(dialOpts,
+			grpc.WithUnaryInterceptor(otgrpc.OpenTracingClientInterceptor(tracer, traceFilter())),
+			grpc.WithStreamInterceptor(otgrpc.OpenTracingStreamClientInterceptor(tracer, traceFilter())),
+		)
+	}
+
+	cc, err := grpc.DialContext(ctx, "", dialOpts...)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "failed to create grpc client")
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	go monitorHealth(ctx, cc, cancel)
+
+	return ctx, cc, nil
+}
+
+func monitorHealth(ctx context.Context, cc *grpc.ClientConn, cancelConn func()) {
+	defer cancelConn()
+	defer cc.Close()
+
+	ticker := time.NewTicker(1 * time.Second)
+	defer ticker.Stop()
+	healthClient := grpc_health_v1.NewHealthClient(cc)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+			_, err := healthClient.Check(ctx, &grpc_health_v1.HealthCheckRequest{})
+			cancel()
+			if err != nil {
+				return
+			}
+		}
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/grpchijack/dial.go b/engine/vendor/github.com/moby/buildkit/session/grpchijack/dial.go
new file mode 100644
index 00000000..151ab549
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/grpchijack/dial.go
@@ -0,0 +1,156 @@
+package grpchijack
+
+import (
+	"context"
+	"io"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/session"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+)
+
+func Dialer(api controlapi.ControlClient) session.Dialer {
+	return func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error) {
+
+		meta = lowerHeaders(meta)
+
+		md := metadata.MD(meta)
+
+		ctx = metadata.NewOutgoingContext(ctx, md)
+
+		stream, err := api.Session(ctx)
+		if err != nil {
+			return nil, err
+		}
+
+		c, _ := streamToConn(stream)
+		return c, nil
+	}
+}
+
+func streamToConn(stream grpc.Stream) (net.Conn, <-chan struct{}) {
+	closeCh := make(chan struct{})
+	c := &conn{stream: stream, buf: make([]byte, 32*1<<10), closeCh: closeCh}
+	return c, closeCh
+}
+
+type conn struct {
+	stream  grpc.Stream
+	buf     []byte
+	lastBuf []byte
+
+	closedOnce sync.Once
+	readMu     sync.Mutex
+	err        error
+	closeCh    chan struct{}
+}
+
+func (c *conn) Read(b []byte) (n int, err error) {
+	c.readMu.Lock()
+	defer c.readMu.Unlock()
+
+	if c.lastBuf != nil {
+		n := copy(b, c.lastBuf)
+		c.lastBuf = c.lastBuf[n:]
+		if len(c.lastBuf) == 0 {
+			c.lastBuf = nil
+		}
+		return n, nil
+	}
+	m := new(controlapi.BytesMessage)
+	m.Data = c.buf
+
+	if err := c.stream.RecvMsg(m); err != nil {
+		return 0, err
+	}
+	c.buf = m.Data[:cap(m.Data)]
+
+	n = copy(b, m.Data)
+	if n < len(m.Data) {
+		c.lastBuf = m.Data[n:]
+	}
+
+	return n, nil
+}
+
+func (c *conn) Write(b []byte) (int, error) {
+	m := &controlapi.BytesMessage{Data: b}
+	if err := c.stream.SendMsg(m); err != nil {
+		return 0, err
+	}
+	return len(b), nil
+}
+
+func (c *conn) Close() (err error) {
+	c.closedOnce.Do(func() {
+		defer func() {
+			close(c.closeCh)
+		}()
+
+		if cs, ok := c.stream.(grpc.ClientStream); ok {
+			err = cs.CloseSend()
+			if err != nil {
+				return
+			}
+		}
+
+		c.readMu.Lock()
+		for {
+			m := new(controlapi.BytesMessage)
+			m.Data = c.buf
+			err = c.stream.RecvMsg(m)
+			if err != nil {
+				if err != io.EOF {
+					return
+				}
+				err = nil
+				break
+			}
+			c.buf = m.Data[:cap(m.Data)]
+			c.lastBuf = append(c.lastBuf, c.buf...)
+		}
+		c.readMu.Unlock()
+
+	})
+	return nil
+}
+
+func (c *conn) LocalAddr() net.Addr {
+	return dummyAddr{}
+}
+func (c *conn) RemoteAddr() net.Addr {
+	return dummyAddr{}
+}
+func (c *conn) SetDeadline(t time.Time) error {
+	return nil
+}
+func (c *conn) SetReadDeadline(t time.Time) error {
+	return nil
+}
+func (c *conn) SetWriteDeadline(t time.Time) error {
+	return nil
+}
+
+type dummyAddr struct {
+}
+
+func (d dummyAddr) Network() string {
+	return "tcp"
+}
+
+func (d dummyAddr) String() string {
+	return "localhost"
+}
+
+func lowerHeaders(in map[string][]string) map[string][]string {
+	out := map[string][]string{}
+	for k := range in {
+		out[strings.ToLower(k)] = in[k]
+	}
+	return out
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/grpchijack/hijack.go b/engine/vendor/github.com/moby/buildkit/session/grpchijack/hijack.go
new file mode 100644
index 00000000..6e34b216
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/grpchijack/hijack.go
@@ -0,0 +1,14 @@
+package grpchijack
+
+import (
+	"net"
+
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"google.golang.org/grpc/metadata"
+)
+
+func Hijack(stream controlapi.Control_SessionServer) (net.Conn, <-chan struct{}, map[string][]string) {
+	md, _ := metadata.FromIncomingContext(stream.Context())
+	c, closeCh := streamToConn(stream)
+	return c, closeCh, md
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/manager.go b/engine/vendor/github.com/moby/buildkit/session/manager.go
new file mode 100644
index 00000000..f401c7fb
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/manager.go
@@ -0,0 +1,218 @@
+package session
+
+import (
+	"context"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+)
+
+// Caller can invoke requests on the session
+type Caller interface {
+	Context() context.Context
+	Supports(method string) bool
+	Conn() *grpc.ClientConn
+	Name() string
+	SharedKey() string
+}
+
+type client struct {
+	Session
+	cc        *grpc.ClientConn
+	supported map[string]struct{}
+}
+
+// Manager is a controller for accessing currently active sessions
+type Manager struct {
+	sessions        map[string]*client
+	mu              sync.Mutex
+	updateCondition *sync.Cond
+}
+
+// NewManager returns a new Manager
+func NewManager() (*Manager, error) {
+	sm := &Manager{
+		sessions: make(map[string]*client),
+	}
+	sm.updateCondition = sync.NewCond(&sm.mu)
+	return sm, nil
+}
+
+// HandleHTTPRequest handles an incoming HTTP request
+func (sm *Manager) HandleHTTPRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		return errors.New("handler does not support hijack")
+	}
+
+	id := r.Header.Get(headerSessionID)
+
+	proto := r.Header.Get("Upgrade")
+
+	sm.mu.Lock()
+	if _, ok := sm.sessions[id]; ok {
+		sm.mu.Unlock()
+		return errors.Errorf("session %s already exists", id)
+	}
+
+	if proto == "" {
+		sm.mu.Unlock()
+		return errors.New("no upgrade proto in request")
+	}
+
+	if proto != "h2c" {
+		sm.mu.Unlock()
+		return errors.Errorf("protocol %s not supported", proto)
+	}
+
+	conn, _, err := hijacker.Hijack()
+	if err != nil {
+		sm.mu.Unlock()
+		return errors.Wrap(err, "failed to hijack connection")
+	}
+
+	resp := &http.Response{
+		StatusCode: http.StatusSwitchingProtocols,
+		ProtoMajor: 1,
+		ProtoMinor: 1,
+		Header:     http.Header{},
+	}
+	resp.Header.Set("Connection", "Upgrade")
+	resp.Header.Set("Upgrade", proto)
+
+	// set raw mode
+	conn.Write([]byte{})
+	resp.Write(conn)
+
+	return sm.handleConn(ctx, conn, r.Header)
+}
+
+// HandleConn handles an incoming raw connection
+func (sm *Manager) HandleConn(ctx context.Context, conn net.Conn, opts map[string][]string) error {
+	sm.mu.Lock()
+	return sm.handleConn(ctx, conn, opts)
+}
+
+// caller needs to take lock, this function will release it
+func (sm *Manager) handleConn(ctx context.Context, conn net.Conn, opts map[string][]string) error {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	opts = canonicalHeaders(opts)
+
+	h := http.Header(opts)
+	id := h.Get(headerSessionID)
+	name := h.Get(headerSessionName)
+	sharedKey := h.Get(headerSessionSharedKey)
+
+	ctx, cc, err := grpcClientConn(ctx, conn)
+	if err != nil {
+		sm.mu.Unlock()
+		return err
+	}
+
+	c := &client{
+		Session: Session{
+			id:        id,
+			name:      name,
+			sharedKey: sharedKey,
+			ctx:       ctx,
+			cancelCtx: cancel,
+			done:      make(chan struct{}),
+		},
+		cc:        cc,
+		supported: make(map[string]struct{}),
+	}
+
+	for _, m := range opts[headerSessionMethod] {
+		c.supported[strings.ToLower(m)] = struct{}{}
+	}
+	sm.sessions[id] = c
+	sm.updateCondition.Broadcast()
+	sm.mu.Unlock()
+
+	defer func() {
+		sm.mu.Lock()
+		delete(sm.sessions, id)
+		sm.mu.Unlock()
+	}()
+
+	<-c.ctx.Done()
+	conn.Close()
+	close(c.done)
+
+	return nil
+}
+
+// Get returns a session by ID
+func (sm *Manager) Get(ctx context.Context, id string) (Caller, error) {
+	// session prefix is used to identify vertexes with different contexts so
+	// they would not collide, but for lookup we don't need the prefix
+	if p := strings.SplitN(id, ":", 2); len(p) == 2 && len(p[1]) > 0 {
+		id = p[1]
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	go func() {
+		select {
+		case <-ctx.Done():
+			sm.updateCondition.Broadcast()
+		}
+	}()
+
+	var c *client
+
+	sm.mu.Lock()
+	for {
+		select {
+		case <-ctx.Done():
+			sm.mu.Unlock()
+			return nil, errors.Wrapf(ctx.Err(), "no active session for %s", id)
+		default:
+		}
+		var ok bool
+		c, ok = sm.sessions[id]
+		if !ok || c.closed() {
+			sm.updateCondition.Wait()
+			continue
+		}
+		sm.mu.Unlock()
+		break
+	}
+
+	return c, nil
+}
+
+func (c *client) Context() context.Context {
+	return c.context()
+}
+
+func (c *client) Name() string {
+	return c.name
+}
+
+func (c *client) SharedKey() string {
+	return c.sharedKey
+}
+
+func (c *client) Supports(url string) bool {
+	_, ok := c.supported[strings.ToLower(url)]
+	return ok
+}
+func (c *client) Conn() *grpc.ClientConn {
+	return c.cc
+}
+
+func canonicalHeaders(in map[string][]string) map[string][]string {
+	out := map[string][]string{}
+	for k := range in {
+		out[http.CanonicalHeaderKey(k)] = in[k]
+	}
+	return out
+}
diff --git a/engine/vendor/github.com/moby/buildkit/session/session.go b/engine/vendor/github.com/moby/buildkit/session/session.go
new file mode 100644
index 00000000..47c95796
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/session/session.go
@@ -0,0 +1,143 @@
+package session
+
+import (
+	"context"
+	"net"
+	"strings"
+
+	"github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc"
+	"github.com/moby/buildkit/identity"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/health"
+	"google.golang.org/grpc/health/grpc_health_v1"
+)
+
+const (
+	headerSessionID        = "X-Docker-Expose-Session-Uuid"
+	headerSessionName      = "X-Docker-Expose-Session-Name"
+	headerSessionSharedKey = "X-Docker-Expose-Session-Sharedkey"
+	headerSessionMethod    = "X-Docker-Expose-Session-Grpc-Method"
+)
+
+// Dialer returns a connection that can be used by the session
+type Dialer func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error)
+
+// Attachable defines a feature that can be expsed on a session
+type Attachable interface {
+	Register(*grpc.Server)
+}
+
+// Session is a long running connection between client and a daemon
+type Session struct {
+	id         string
+	name       string
+	sharedKey  string
+	ctx        context.Context
+	cancelCtx  func()
+	done       chan struct{}
+	grpcServer *grpc.Server
+	conn       net.Conn
+}
+
+// NewSession returns a new long running session
+func NewSession(ctx context.Context, name, sharedKey string) (*Session, error) {
+	id := identity.NewID()
+
+	serverOpts := []grpc.ServerOption{}
+	if span := opentracing.SpanFromContext(ctx); span != nil {
+		tracer := span.Tracer()
+		serverOpts = []grpc.ServerOption{
+			grpc.StreamInterceptor(otgrpc.OpenTracingStreamServerInterceptor(span.Tracer(), traceFilter())),
+			grpc.UnaryInterceptor(otgrpc.OpenTracingServerInterceptor(tracer, traceFilter())),
+		}
+	}
+
+	s := &Session{
+		id:         id,
+		name:       name,
+		sharedKey:  sharedKey,
+		grpcServer: grpc.NewServer(serverOpts...),
+	}
+
+	grpc_health_v1.RegisterHealthServer(s.grpcServer, health.NewServer())
+
+	return s, nil
+}
+
+// Allow enable a given service to be reachable through the grpc session
+func (s *Session) Allow(a Attachable) {
+	a.Register(s.grpcServer)
+}
+
+// ID returns unique identifier for the session
+func (s *Session) ID() string {
+	return s.id
+}
+
+// Run activates the session
+func (s *Session) Run(ctx context.Context, dialer Dialer) error {
+	ctx, cancel := context.WithCancel(ctx)
+	s.cancelCtx = cancel
+	s.done = make(chan struct{})
+
+	defer cancel()
+	defer close(s.done)
+
+	meta := make(map[string][]string)
+	meta[headerSessionID] = []string{s.id}
+	meta[headerSessionName] = []string{s.name}
+	meta[headerSessionSharedKey] = []string{s.sharedKey}
+
+	for name, svc := range s.grpcServer.GetServiceInfo() {
+		for _, method := range svc.Methods {
+			meta[headerSessionMethod] = append(meta[headerSessionMethod], MethodURL(name, method.Name))
+		}
+	}
+	conn, err := dialer(ctx, "h2c", meta)
+	if err != nil {
+		return errors.Wrap(err, "failed to dial gRPC")
+	}
+	s.conn = conn
+	serve(ctx, s.grpcServer, conn)
+	return nil
+}
+
+// Close closes the session
+func (s *Session) Close() error {
+	if s.cancelCtx != nil && s.done != nil {
+		if s.conn != nil {
+			s.conn.Close()
+		}
+		s.grpcServer.Stop()
+		<-s.done
+	}
+	return nil
+}
+
+func (s *Session) context() context.Context {
+	return s.ctx
+}
+
+func (s *Session) closed() bool {
+	select {
+	case <-s.context().Done():
+		return true
+	default:
+		return false
+	}
+}
+
+// MethodURL returns a gRPC method URL for service and method name
+func MethodURL(s, m string) string {
+	return "/" + s + "/" + m
+}
+
+func traceFilter() otgrpc.Option {
+	return otgrpc.IncludingSpans(func(parentSpanCtx opentracing.SpanContext,
+		method string,
+		req, resp interface{}) bool {
+		return !strings.HasSuffix(method, "Health/Check")
+	})
+}
diff --git a/engine/vendor/github.com/moby/buildkit/snapshot/blobmapping/snapshotter.go b/engine/vendor/github.com/moby/buildkit/snapshot/blobmapping/snapshotter.go
new file mode 100644
index 00000000..e91241b7
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/snapshot/blobmapping/snapshotter.go
@@ -0,0 +1,129 @@
+package blobmapping
+
+import (
+	"context"
+
+	"github.com/boltdb/bolt"
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/snapshots"
+	"github.com/moby/buildkit/cache/metadata"
+	"github.com/moby/buildkit/snapshot"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+const blobKey = "blobmapping.blob"
+
+type Opt struct {
+	Content       content.Store
+	Snapshotter   snapshot.SnapshotterBase
+	MetadataStore *metadata.Store
+}
+
+type Info struct {
+	snapshots.Info
+	Blob string
+}
+
+type DiffPair struct {
+	Blobsum digest.Digest
+	DiffID  digest.Digest
+}
+
+// this snapshotter keeps an internal mapping between a snapshot and a blob
+
+type Snapshotter struct {
+	snapshot.SnapshotterBase
+	opt Opt
+}
+
+func NewSnapshotter(opt Opt) snapshot.Snapshotter {
+	s := &Snapshotter{
+		SnapshotterBase: opt.Snapshotter,
+		opt:             opt,
+	}
+
+	return s
+}
+
+// Remove also removes a reference to a blob. If it is a last reference then it deletes it the blob as well
+// Remove is not safe to be called concurrently
+func (s *Snapshotter) Remove(ctx context.Context, key string) error {
+	_, blob, err := s.GetBlob(ctx, key)
+	if err != nil {
+		return err
+	}
+
+	blobs, err := s.opt.MetadataStore.Search(index(blob))
+	if err != nil {
+		return err
+	}
+
+	if err := s.SnapshotterBase.Remove(ctx, key); err != nil {
+		return err
+	}
+
+	if len(blobs) == 1 && blobs[0].ID() == key { // last snapshot
+		if err := s.opt.Content.Delete(ctx, blob); err != nil {
+			logrus.Errorf("failed to delete blob %v: %+v", blob, err)
+		}
+	}
+	return nil
+}
+
+func (s *Snapshotter) Usage(ctx context.Context, key string) (snapshots.Usage, error) {
+	u, err := s.SnapshotterBase.Usage(ctx, key)
+	if err != nil {
+		return snapshots.Usage{}, err
+	}
+	_, blob, err := s.GetBlob(ctx, key)
+	if err != nil {
+		return u, err
+	}
+	if blob != "" {
+		info, err := s.opt.Content.Info(ctx, blob)
+		if err != nil {
+			return u, err
+		}
+		(&u).Add(snapshots.Usage{Size: info.Size, Inodes: 1})
+	}
+	return u, nil
+}
+
+func (s *Snapshotter) GetBlob(ctx context.Context, key string) (digest.Digest, digest.Digest, error) {
+	md, _ := s.opt.MetadataStore.Get(key)
+	v := md.Get(blobKey)
+	if v == nil {
+		return "", "", nil
+	}
+	var blob DiffPair
+	if err := v.Unmarshal(&blob); err != nil {
+		return "", "", err
+	}
+	return blob.DiffID, blob.Blobsum, nil
+}
+
+// Validates that there is no blob associated with the snapshot.
+// Checks that there is a blob in the content store.
+// If same blob has already been set then this is a noop.
+func (s *Snapshotter) SetBlob(ctx context.Context, key string, diffID, blobsum digest.Digest) error {
+	_, err := s.opt.Content.Info(ctx, blobsum)
+	if err != nil {
+		return err
+	}
+	md, _ := s.opt.MetadataStore.Get(key)
+
+	v, err := metadata.NewValue(DiffPair{DiffID: diffID, Blobsum: blobsum})
+	if err != nil {
+		return err
+	}
+	v.Index = index(blobsum)
+
+	return md.Update(func(b *bolt.Bucket) error {
+		return md.SetValue(b, blobKey, v)
+	})
+}
+
+func index(blob digest.Digest) string {
+	return "blobmap::" + blob.String()
+}
diff --git a/engine/vendor/github.com/moby/buildkit/snapshot/localmounter.go b/engine/vendor/github.com/moby/buildkit/snapshot/localmounter.go
new file mode 100644
index 00000000..18e2411c
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/snapshot/localmounter.go
@@ -0,0 +1,72 @@
+package snapshot
+
+import (
+	"io/ioutil"
+	"os"
+	"sync"
+
+	"github.com/containerd/containerd/mount"
+	"github.com/pkg/errors"
+)
+
+type Mounter interface {
+	Mount() (string, error)
+	Unmount() error
+}
+
+// LocalMounter is a helper for mounting mountfactory to temporary path. In
+// addition it can mount binds without privileges
+func LocalMounter(mountable Mountable) Mounter {
+	return &localMounter{mountable: mountable}
+}
+
+// LocalMounterWithMounts is a helper for mounting to temporary path. In
+// addition it can mount binds without privileges
+func LocalMounterWithMounts(mounts []mount.Mount) Mounter {
+	return &localMounter{mounts: mounts}
+}
+
+type localMounter struct {
+	mu        sync.Mutex
+	mounts    []mount.Mount
+	mountable Mountable
+	target    string
+}
+
+func (lm *localMounter) Mount() (string, error) {
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	if lm.mounts == nil {
+		mounts, err := lm.mountable.Mount()
+		if err != nil {
+			return "", err
+		}
+		lm.mounts = mounts
+	}
+
+	if len(lm.mounts) == 1 && (lm.mounts[0].Type == "bind" || lm.mounts[0].Type == "rbind") {
+		ro := false
+		for _, opt := range lm.mounts[0].Options {
+			if opt == "ro" {
+				ro = true
+				break
+			}
+		}
+		if !ro {
+			return lm.mounts[0].Source, nil
+		}
+	}
+
+	dir, err := ioutil.TempDir("", "buildkit-mount")
+	if err != nil {
+		return "", errors.Wrap(err, "failed to create temp dir")
+	}
+
+	if err := mount.All(lm.mounts, dir); err != nil {
+		os.RemoveAll(dir)
+		return "", errors.Wrapf(err, "failed to mount %s: %+v", dir, lm.mounts)
+	}
+	lm.target = dir
+	return dir, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/snapshot/localmounter_unix.go b/engine/vendor/github.com/moby/buildkit/snapshot/localmounter_unix.go
new file mode 100644
index 00000000..c44e435e
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/snapshot/localmounter_unix.go
@@ -0,0 +1,29 @@
+// +build !windows
+
+package snapshot
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/containerd/containerd/mount"
+)
+
+func (lm *localMounter) Unmount() error {
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	if lm.target != "" {
+		if err := mount.Unmount(lm.target, syscall.MNT_DETACH); err != nil {
+			return err
+		}
+		os.RemoveAll(lm.target)
+		lm.target = ""
+	}
+
+	if lm.mountable != nil {
+		return lm.mountable.Release()
+	}
+
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/snapshot/localmounter_windows.go b/engine/vendor/github.com/moby/buildkit/snapshot/localmounter_windows.go
new file mode 100644
index 00000000..4e1287b0
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/snapshot/localmounter_windows.go
@@ -0,0 +1,26 @@
+package snapshot
+
+import (
+	"os"
+
+	"github.com/containerd/containerd/mount"
+)
+
+func (lm *localMounter) Unmount() error {
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	if lm.target != "" {
+		if err := mount.Unmount(lm.target, 0); err != nil {
+			return err
+		}
+		os.RemoveAll(lm.target)
+		lm.target = ""
+	}
+
+	if lm.mountable != nil {
+		return lm.mountable.Release()
+	}
+
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/snapshot/snapshotter.go b/engine/vendor/github.com/moby/buildkit/snapshot/snapshotter.go
new file mode 100644
index 00000000..ad7fcaf2
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/snapshot/snapshotter.go
@@ -0,0 +1,137 @@
+package snapshot
+
+import (
+	"context"
+	"sync"
+
+	"github.com/containerd/containerd/mount"
+	"github.com/containerd/containerd/snapshots"
+	digest "github.com/opencontainers/go-digest"
+)
+
+type Mountable interface {
+	// ID() string
+	Mount() ([]mount.Mount, error)
+	Release() error
+}
+
+type SnapshotterBase interface {
+	Mounts(ctx context.Context, key string) (Mountable, error)
+	Prepare(ctx context.Context, key, parent string, opts ...snapshots.Opt) error
+	View(ctx context.Context, key, parent string, opts ...snapshots.Opt) (Mountable, error)
+
+	Stat(ctx context.Context, key string) (snapshots.Info, error)
+	Update(ctx context.Context, info snapshots.Info, fieldpaths ...string) (snapshots.Info, error)
+	Usage(ctx context.Context, key string) (snapshots.Usage, error)
+	Commit(ctx context.Context, name, key string, opts ...snapshots.Opt) error
+	Remove(ctx context.Context, key string) error
+	Walk(ctx context.Context, fn func(context.Context, snapshots.Info) error) error
+	Close() error
+}
+
+// Snapshotter defines interface that any snapshot implementation should satisfy
+type Snapshotter interface {
+	Blobmapper
+	SnapshotterBase
+}
+
+type Blobmapper interface {
+	GetBlob(ctx context.Context, key string) (digest.Digest, digest.Digest, error)
+	SetBlob(ctx context.Context, key string, diffID, blob digest.Digest) error
+}
+
+func FromContainerdSnapshotter(s snapshots.Snapshotter) SnapshotterBase {
+	return &fromContainerd{Snapshotter: s}
+}
+
+type fromContainerd struct {
+	snapshots.Snapshotter
+}
+
+func (s *fromContainerd) Mounts(ctx context.Context, key string) (Mountable, error) {
+	mounts, err := s.Snapshotter.Mounts(ctx, key)
+	if err != nil {
+		return nil, err
+	}
+	return &staticMountable{mounts}, nil
+}
+func (s *fromContainerd) Prepare(ctx context.Context, key, parent string, opts ...snapshots.Opt) error {
+	_, err := s.Snapshotter.Prepare(ctx, key, parent, opts...)
+	return err
+}
+func (s *fromContainerd) View(ctx context.Context, key, parent string, opts ...snapshots.Opt) (Mountable, error) {
+	mounts, err := s.Snapshotter.View(ctx, key, parent, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &staticMountable{mounts}, nil
+}
+
+type staticMountable struct {
+	mounts []mount.Mount
+}
+
+func (m *staticMountable) Mount() ([]mount.Mount, error) {
+	return m.mounts, nil
+}
+
+func (cm *staticMountable) Release() error {
+	return nil
+}
+
+// NewContainerdSnapshotter converts snapshotter to containerd snapshotter
+func NewContainerdSnapshotter(s Snapshotter) (snapshots.Snapshotter, func() error) {
+	cs := &containerdSnapshotter{Snapshotter: s}
+	return cs, cs.release
+}
+
+type containerdSnapshotter struct {
+	mu        sync.Mutex
+	releasers []func() error
+	Snapshotter
+}
+
+func (cs *containerdSnapshotter) release() error {
+	cs.mu.Lock()
+	defer cs.mu.Unlock()
+	var err error
+	for _, f := range cs.releasers {
+		if err1 := f(); err != nil && err == nil {
+			err = err1
+		}
+	}
+	return err
+}
+
+func (cs *containerdSnapshotter) returnMounts(mf Mountable) ([]mount.Mount, error) {
+	mounts, err := mf.Mount()
+	if err != nil {
+		return nil, err
+	}
+	cs.mu.Lock()
+	cs.releasers = append(cs.releasers, mf.Release)
+	cs.mu.Unlock()
+	return mounts, nil
+}
+
+func (cs *containerdSnapshotter) Mounts(ctx context.Context, key string) ([]mount.Mount, error) {
+	mf, err := cs.Snapshotter.Mounts(ctx, key)
+	if err != nil {
+		return nil, err
+	}
+	return cs.returnMounts(mf)
+}
+
+func (cs *containerdSnapshotter) Prepare(ctx context.Context, key, parent string, opts ...snapshots.Opt) ([]mount.Mount, error) {
+	if err := cs.Snapshotter.Prepare(ctx, key, parent, opts...); err != nil {
+		return nil, err
+	}
+	return cs.Mounts(ctx, key)
+}
+func (cs *containerdSnapshotter) View(ctx context.Context, key, parent string, opts ...snapshots.Opt) ([]mount.Mount, error) {
+	mf, err := cs.Snapshotter.View(ctx, key, parent, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return cs.returnMounts(mf)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/boltdbcachestorage/storage.go b/engine/vendor/github.com/moby/buildkit/solver/boltdbcachestorage/storage.go
new file mode 100644
index 00000000..8f890449
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/boltdbcachestorage/storage.go
@@ -0,0 +1,449 @@
+package boltdbcachestorage
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+
+	"github.com/boltdb/bolt"
+	"github.com/moby/buildkit/solver"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+const (
+	resultBucket    = "_result"
+	linksBucket     = "_links"
+	byResultBucket  = "_byresult"
+	backlinksBucket = "_backlinks"
+)
+
+type Store struct {
+	db *bolt.DB
+}
+
+func NewStore(dbPath string) (*Store, error) {
+	db, err := bolt.Open(dbPath, 0600, nil)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to open database file %s", dbPath)
+	}
+	if err := db.Update(func(tx *bolt.Tx) error {
+		for _, b := range []string{resultBucket, linksBucket, byResultBucket, backlinksBucket} {
+			if _, err := tx.CreateBucketIfNotExists([]byte(b)); err != nil {
+				return err
+			}
+		}
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	db.NoSync = true
+	return &Store{db: db}, nil
+}
+
+func (s *Store) Exists(id string) bool {
+	exists := false
+	err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(linksBucket)).Bucket([]byte(id))
+		exists = b != nil
+		return nil
+	})
+	if err != nil {
+		return false
+	}
+	return exists
+}
+
+func (s *Store) Walk(fn func(id string) error) error {
+	ids := make([]string, 0)
+	if err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(linksBucket))
+		c := b.Cursor()
+		for k, v := c.First(); k != nil; k, v = c.Next() {
+			if v == nil {
+				ids = append(ids, string(k))
+			}
+		}
+		return nil
+	}); err != nil {
+		return err
+	}
+	for _, id := range ids {
+		if err := fn(id); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *Store) WalkResults(id string, fn func(solver.CacheResult) error) error {
+	var list []solver.CacheResult
+	if err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(resultBucket))
+		if b == nil {
+			return nil
+		}
+		b = b.Bucket([]byte(id))
+		if b == nil {
+			return nil
+		}
+
+		return b.ForEach(func(k, v []byte) error {
+			var res solver.CacheResult
+			if err := json.Unmarshal(v, &res); err != nil {
+				return err
+			}
+			list = append(list, res)
+			return nil
+		})
+	}); err != nil {
+		return err
+	}
+	for _, res := range list {
+		if err := fn(res); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *Store) Load(id string, resultID string) (solver.CacheResult, error) {
+	var res solver.CacheResult
+	if err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(resultBucket))
+		if b == nil {
+			return errors.WithStack(solver.ErrNotFound)
+		}
+		b = b.Bucket([]byte(id))
+		if b == nil {
+			return errors.WithStack(solver.ErrNotFound)
+		}
+
+		v := b.Get([]byte(resultID))
+		if v == nil {
+			return errors.WithStack(solver.ErrNotFound)
+		}
+
+		return json.Unmarshal(v, &res)
+	}); err != nil {
+		return solver.CacheResult{}, err
+	}
+	return res, nil
+}
+
+func (s *Store) AddResult(id string, res solver.CacheResult) error {
+	return s.db.Update(func(tx *bolt.Tx) error {
+		b, err := tx.Bucket([]byte(resultBucket)).CreateBucketIfNotExists([]byte(id))
+		if err != nil {
+			return err
+		}
+		dt, err := json.Marshal(res)
+		if err != nil {
+			return err
+		}
+		if err := b.Put([]byte(res.ID), dt); err != nil {
+			return err
+		}
+		b, err = tx.Bucket([]byte(byResultBucket)).CreateBucketIfNotExists([]byte(res.ID))
+		if err != nil {
+			return err
+		}
+		if err := b.Put([]byte(id), []byte{}); err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
+
+func (s *Store) WalkIDsByResult(resultID string, fn func(string) error) error {
+	ids := map[string]struct{}{}
+	if err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(byResultBucket))
+		if b == nil {
+			return nil
+		}
+		b = b.Bucket([]byte(resultID))
+		if b == nil {
+			return nil
+		}
+		return b.ForEach(func(k, v []byte) error {
+			ids[string(k)] = struct{}{}
+			return nil
+		})
+	}); err != nil {
+		return err
+	}
+	for id := range ids {
+		if err := fn(id); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *Store) Release(resultID string) error {
+	return s.db.Update(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(byResultBucket))
+		if b == nil {
+			return errors.WithStack(solver.ErrNotFound)
+		}
+		b = b.Bucket([]byte(resultID))
+		if b == nil {
+			return errors.WithStack(solver.ErrNotFound)
+		}
+		if err := b.ForEach(func(k, v []byte) error {
+			return s.releaseHelper(tx, string(k), resultID)
+		}); err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+func (s *Store) releaseHelper(tx *bolt.Tx, id, resultID string) error {
+	results := tx.Bucket([]byte(resultBucket)).Bucket([]byte(id))
+	if results == nil {
+		return nil
+	}
+
+	if err := results.Delete([]byte(resultID)); err != nil {
+		return err
+	}
+
+	ids := tx.Bucket([]byte(byResultBucket))
+
+	ids = ids.Bucket([]byte(resultID))
+	if ids == nil {
+		return nil
+	}
+
+	if err := ids.Delete([]byte(resultID)); err != nil {
+		return err
+	}
+
+	if isEmptyBucket(ids) {
+		if err := tx.Bucket([]byte(byResultBucket)).DeleteBucket([]byte(resultID)); err != nil {
+			return err
+		}
+	}
+
+	links := tx.Bucket([]byte(resultBucket))
+	if results == nil {
+		return nil
+	}
+	links = links.Bucket([]byte(id))
+
+	return s.emptyBranchWithParents(tx, []byte(id))
+}
+
+func (s *Store) emptyBranchWithParents(tx *bolt.Tx, id []byte) error {
+	results := tx.Bucket([]byte(resultBucket)).Bucket(id)
+	if results == nil {
+		return nil
+	}
+
+	isEmptyLinks := true
+	links := tx.Bucket([]byte(linksBucket)).Bucket(id)
+	if links != nil {
+		isEmptyLinks = isEmptyBucket(links)
+	}
+
+	if !isEmptyBucket(results) || !isEmptyLinks {
+		return nil
+	}
+
+	if backlinks := tx.Bucket([]byte(backlinksBucket)).Bucket(id); backlinks != nil {
+		if err := backlinks.ForEach(func(k, v []byte) error {
+			if subLinks := tx.Bucket([]byte(linksBucket)).Bucket(k); subLinks != nil {
+				if err := subLinks.ForEach(func(k, v []byte) error {
+					parts := bytes.Split(k, []byte("@"))
+					if len(parts) != 2 {
+						return errors.Errorf("invalid key %s", k)
+					}
+					if bytes.Equal(id, parts[1]) {
+						return subLinks.Delete(k)
+					}
+					return nil
+				}); err != nil {
+					return err
+				}
+
+				if isEmptyBucket(subLinks) {
+					if err := tx.Bucket([]byte(linksBucket)).DeleteBucket(k); err != nil {
+						return err
+					}
+				}
+			}
+			return s.emptyBranchWithParents(tx, k)
+		}); err != nil {
+			return err
+		}
+		if err := tx.Bucket([]byte(backlinksBucket)).DeleteBucket(id); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *Store) AddLink(id string, link solver.CacheInfoLink, target string) error {
+	return s.db.Update(func(tx *bolt.Tx) error {
+		b, err := tx.Bucket([]byte(linksBucket)).CreateBucketIfNotExists([]byte(id))
+		if err != nil {
+			return err
+		}
+
+		dt, err := json.Marshal(link)
+		if err != nil {
+			return err
+		}
+
+		if err := b.Put(bytes.Join([][]byte{dt, []byte(target)}, []byte("@")), []byte{}); err != nil {
+			return err
+		}
+
+		b, err = tx.Bucket([]byte(backlinksBucket)).CreateBucketIfNotExists([]byte(target))
+		if err != nil {
+			return err
+		}
+
+		if err := b.Put([]byte(id), []byte{}); err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
+
+func (s *Store) WalkLinks(id string, link solver.CacheInfoLink, fn func(id string) error) error {
+	var links []string
+	if err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(linksBucket))
+		if b == nil {
+			return nil
+		}
+		b = b.Bucket([]byte(id))
+		if b == nil {
+			return nil
+		}
+
+		dt, err := json.Marshal(link)
+		if err != nil {
+			return err
+		}
+		index := bytes.Join([][]byte{dt, {}}, []byte("@"))
+		c := b.Cursor()
+		k, _ := c.Seek([]byte(index))
+		for {
+			if k != nil && bytes.HasPrefix(k, index) {
+				target := bytes.TrimPrefix(k, index)
+				links = append(links, string(target))
+				k, _ = c.Next()
+			} else {
+				break
+			}
+		}
+
+		return nil
+	}); err != nil {
+		return err
+	}
+	for _, l := range links {
+		if err := fn(l); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *Store) HasLink(id string, link solver.CacheInfoLink, target string) bool {
+	var v bool
+	if err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket([]byte(linksBucket))
+		if b == nil {
+			return nil
+		}
+		b = b.Bucket([]byte(id))
+		if b == nil {
+			return nil
+		}
+
+		dt, err := json.Marshal(link)
+		if err != nil {
+			return err
+		}
+		v = b.Get(bytes.Join([][]byte{dt, []byte(target)}, []byte("@"))) != nil
+		return nil
+	}); err != nil {
+		return false
+	}
+	return v
+}
+
+func (s *Store) WalkBacklinks(id string, fn func(id string, link solver.CacheInfoLink) error) error {
+	var outIDs []string
+	var outLinks []solver.CacheInfoLink
+
+	if err := s.db.View(func(tx *bolt.Tx) error {
+		links := tx.Bucket([]byte(linksBucket))
+		if links == nil {
+			return nil
+		}
+		backLinks := tx.Bucket([]byte(backlinksBucket))
+		if backLinks == nil {
+			return nil
+		}
+		b := backLinks.Bucket([]byte(id))
+		if b == nil {
+			return nil
+		}
+
+		if err := b.ForEach(func(bid, v []byte) error {
+			b = links.Bucket(bid)
+			if b == nil {
+				return nil
+			}
+			if err := b.ForEach(func(k, v []byte) error {
+				parts := bytes.Split(k, []byte("@"))
+				if len(parts) == 2 {
+					if string(parts[1]) != id {
+						return nil
+					}
+					var l solver.CacheInfoLink
+					if err := json.Unmarshal(parts[0], &l); err != nil {
+						return err
+					}
+					l.Digest = digest.FromBytes([]byte(fmt.Sprintf("%s@%d", l.Digest, l.Output)))
+					l.Output = 0
+					outIDs = append(outIDs, string(bid))
+					outLinks = append(outLinks, l)
+				}
+				return nil
+			}); err != nil {
+				return err
+			}
+			return nil
+		}); err != nil {
+			return err
+		}
+
+		return nil
+	}); err != nil {
+		return err
+	}
+
+	for i := range outIDs {
+		if err := fn(outIDs[i], outLinks[i]); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func isEmptyBucket(b *bolt.Bucket) bool {
+	if b == nil {
+		return true
+	}
+	k, _ := b.Cursor().First()
+	return k == nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/cachekey.go b/engine/vendor/github.com/moby/buildkit/solver/cachekey.go
new file mode 100644
index 00000000..3749af0a
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/cachekey.go
@@ -0,0 +1,66 @@
+package solver
+
+import (
+	"sync"
+
+	digest "github.com/opencontainers/go-digest"
+)
+
+// NewCacheKey creates a new cache key for a specific output index
+func NewCacheKey(dgst digest.Digest, output Index) *CacheKey {
+	return &CacheKey{
+		ID:     rootKey(dgst, output).String(),
+		digest: dgst,
+		output: output,
+		ids:    map[*cacheManager]string{},
+	}
+}
+
+// CacheKeyWithSelector combines a cache key with an optional selector digest.
+// Used to limit the matches for dependency cache key.
+type CacheKeyWithSelector struct {
+	Selector digest.Digest
+	CacheKey ExportableCacheKey
+}
+
+type CacheKey struct {
+	mu sync.RWMutex
+
+	ID     string
+	deps   [][]CacheKeyWithSelector // only [][]*inMemoryCacheKey
+	digest digest.Digest
+	output Index
+	ids    map[*cacheManager]string
+
+	indexIDs []string
+}
+
+func (ck *CacheKey) Deps() [][]CacheKeyWithSelector {
+	ck.mu.RLock()
+	defer ck.mu.RUnlock()
+	deps := make([][]CacheKeyWithSelector, len(ck.deps))
+	for i := range ck.deps {
+		deps[i] = append([]CacheKeyWithSelector(nil), ck.deps[i]...)
+	}
+	return deps
+}
+
+func (ck *CacheKey) Digest() digest.Digest {
+	return ck.digest
+}
+func (ck *CacheKey) Output() Index {
+	return ck.output
+}
+
+func (ck *CacheKey) clone() *CacheKey {
+	nk := &CacheKey{
+		ID:     ck.ID,
+		digest: ck.digest,
+		output: ck.output,
+		ids:    map[*cacheManager]string{},
+	}
+	for cm, id := range ck.ids {
+		nk.ids[cm] = id
+	}
+	return nk
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/cachemanager.go b/engine/vendor/github.com/moby/buildkit/solver/cachemanager.go
new file mode 100644
index 00000000..12a92350
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/cachemanager.go
@@ -0,0 +1,270 @@
+package solver
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	"github.com/moby/buildkit/identity"
+	digest "github.com/opencontainers/go-digest"
+)
+
+type CacheID string
+
+func NewInMemoryCacheManager() CacheManager {
+	return NewCacheManager(identity.NewID(), NewInMemoryCacheStorage(), NewInMemoryResultStorage())
+}
+
+func NewCacheManager(id string, storage CacheKeyStorage, results CacheResultStorage) CacheManager {
+	cm := &cacheManager{
+		id:      id,
+		backend: storage,
+		results: results,
+	}
+
+	storage.Walk(func(id string) error {
+		return storage.WalkResults(id, func(cr CacheResult) error {
+			if !results.Exists(cr.ID) {
+				storage.Release(cr.ID)
+			}
+			return nil
+		})
+	})
+
+	return cm
+}
+
+type cacheManager struct {
+	mu sync.RWMutex
+	id string
+
+	backend CacheKeyStorage
+	results CacheResultStorage
+}
+
+func (c *cacheManager) ID() string {
+	return c.id
+}
+
+func (c *cacheManager) Query(deps []CacheKeyWithSelector, input Index, dgst digest.Digest, output Index) ([]*CacheKey, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	type dep struct {
+		results map[string]struct{}
+		key     CacheKeyWithSelector
+	}
+
+	allDeps := make([]dep, 0, len(deps))
+	for _, k := range deps {
+		allDeps = append(allDeps, dep{key: k, results: map[string]struct{}{}})
+	}
+
+	allRes := map[string]*CacheKey{}
+	for _, d := range allDeps {
+		if err := c.backend.WalkLinks(c.getID(d.key.CacheKey.CacheKey), CacheInfoLink{input, output, dgst, d.key.Selector}, func(id string) error {
+			d.results[id] = struct{}{}
+			if _, ok := allRes[id]; !ok {
+				allRes[id] = c.newKeyWithID(id, dgst, output)
+			}
+			return nil
+		}); err != nil {
+			return nil, err
+		}
+	}
+
+	// link the results against the keys that didn't exist
+	for id, key := range allRes {
+		for _, d := range allDeps {
+			if _, ok := d.results[id]; !ok {
+				if err := c.backend.AddLink(c.getID(d.key.CacheKey.CacheKey), CacheInfoLink{
+					Input:    input,
+					Output:   output,
+					Digest:   dgst,
+					Selector: d.key.Selector,
+				}, c.getID(key)); err != nil {
+					return nil, err
+				}
+			}
+		}
+	}
+
+	if len(deps) == 0 {
+		if !c.backend.Exists(rootKey(dgst, output).String()) {
+			return nil, nil
+		}
+		return []*CacheKey{c.newRootKey(dgst, output)}, nil
+	}
+
+	keys := make([]*CacheKey, 0, len(deps))
+	for _, k := range allRes {
+		keys = append(keys, k)
+	}
+	return keys, nil
+}
+
+func (c *cacheManager) Records(ck *CacheKey) ([]*CacheRecord, error) {
+	outs := make([]*CacheRecord, 0)
+	if err := c.backend.WalkResults(c.getID(ck), func(r CacheResult) error {
+		if c.results.Exists(r.ID) {
+			outs = append(outs, &CacheRecord{
+				ID:           r.ID,
+				cacheManager: c,
+				key:          ck,
+				CreatedAt:    r.CreatedAt,
+			})
+		} else {
+			c.backend.Release(r.ID)
+		}
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	return outs, nil
+}
+
+func (c *cacheManager) Load(ctx context.Context, rec *CacheRecord) (Result, error) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	res, err := c.backend.Load(c.getID(rec.key), rec.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	return c.results.Load(ctx, res)
+}
+
+func (c *cacheManager) Save(k *CacheKey, r Result) (*ExportableCacheKey, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	res, err := c.results.Save(r)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := c.backend.AddResult(c.getID(k), res); err != nil {
+		return nil, err
+	}
+
+	if err := c.ensurePersistentKey(k); err != nil {
+		return nil, err
+	}
+
+	rec := &CacheRecord{
+		ID:           res.ID,
+		cacheManager: c,
+		key:          k,
+		CreatedAt:    res.CreatedAt,
+	}
+
+	return &ExportableCacheKey{
+		CacheKey: k,
+		Exporter: &exporter{k: k, record: rec},
+	}, nil
+}
+
+func newKey() *CacheKey {
+	return &CacheKey{ids: map[*cacheManager]string{}}
+}
+
+func (c *cacheManager) newKeyWithID(id string, dgst digest.Digest, output Index) *CacheKey {
+	k := newKey()
+	k.digest = dgst
+	k.output = output
+	k.ID = id
+	k.ids[c] = id
+	return k
+}
+
+func (c *cacheManager) newRootKey(dgst digest.Digest, output Index) *CacheKey {
+	return c.newKeyWithID(rootKey(dgst, output).String(), dgst, output)
+}
+
+func (c *cacheManager) getID(k *CacheKey) string {
+	k.mu.Lock()
+	id, ok := k.ids[c]
+	if ok {
+		k.mu.Unlock()
+		return id
+	}
+	if len(k.deps) == 0 {
+		k.ids[c] = k.ID
+		k.mu.Unlock()
+		return k.ID
+	}
+	id = c.getIDFromDeps(k)
+	k.ids[c] = id
+	k.mu.Unlock()
+	return id
+}
+
+func (c *cacheManager) ensurePersistentKey(k *CacheKey) error {
+	id := c.getID(k)
+	for i, deps := range k.Deps() {
+		for _, ck := range deps {
+			l := CacheInfoLink{
+				Input:    Index(i),
+				Output:   Index(k.Output()),
+				Digest:   k.Digest(),
+				Selector: ck.Selector,
+			}
+			ckID := c.getID(ck.CacheKey.CacheKey)
+			if !c.backend.HasLink(ckID, l, id) {
+				if err := c.ensurePersistentKey(ck.CacheKey.CacheKey); err != nil {
+					return err
+				}
+				if err := c.backend.AddLink(ckID, l, id); err != nil {
+					return err
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func (c *cacheManager) getIDFromDeps(k *CacheKey) string {
+	matches := map[string]struct{}{}
+
+	for i, deps := range k.deps {
+		if i == 0 || len(matches) > 0 {
+			for _, ck := range deps {
+				m2 := make(map[string]struct{})
+				if err := c.backend.WalkLinks(c.getID(ck.CacheKey.CacheKey), CacheInfoLink{
+					Input:    Index(i),
+					Output:   Index(k.Output()),
+					Digest:   k.Digest(),
+					Selector: ck.Selector,
+				}, func(id string) error {
+					if i == 0 {
+						matches[id] = struct{}{}
+					} else {
+						m2[id] = struct{}{}
+					}
+					return nil
+				}); err != nil {
+					matches = map[string]struct{}{}
+					break
+				}
+				if i != 0 {
+					for id := range matches {
+						if _, ok := m2[id]; !ok {
+							delete(matches, id)
+						}
+					}
+				}
+			}
+		}
+	}
+
+	for k := range matches {
+		return k
+	}
+
+	return identity.NewID()
+}
+
+func rootKey(dgst digest.Digest, output Index) digest.Digest {
+	return digest.FromBytes([]byte(fmt.Sprintf("%s@%d", dgst, output)))
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/cachestorage.go b/engine/vendor/github.com/moby/buildkit/solver/cachestorage.go
new file mode 100644
index 00000000..65225f75
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/cachestorage.go
@@ -0,0 +1,51 @@
+package solver
+
+import (
+	"context"
+	"time"
+
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+var ErrNotFound = errors.Errorf("not found")
+
+// CacheKeyStorage is interface for persisting cache metadata
+type CacheKeyStorage interface {
+	Exists(id string) bool
+	Walk(fn func(id string) error) error
+
+	WalkResults(id string, fn func(CacheResult) error) error
+	Load(id string, resultID string) (CacheResult, error)
+	AddResult(id string, res CacheResult) error
+	Release(resultID string) error
+	WalkIDsByResult(resultID string, fn func(string) error) error
+
+	AddLink(id string, link CacheInfoLink, target string) error
+	WalkLinks(id string, link CacheInfoLink, fn func(id string) error) error
+	HasLink(id string, link CacheInfoLink, target string) bool
+	WalkBacklinks(id string, fn func(id string, link CacheInfoLink) error) error
+}
+
+// CacheResult is a record for a single solve result
+type CacheResult struct {
+	CreatedAt time.Time
+	ID        string
+}
+
+// CacheInfoLink is a link between two cache keys
+type CacheInfoLink struct {
+	Input    Index         `json:"Input,omitempty"`
+	Output   Index         `json:"Output,omitempty"`
+	Digest   digest.Digest `json:"Digest,omitempty"`
+	Selector digest.Digest `json:"Selector,omitempty"`
+}
+
+// CacheResultStorage is interface for converting cache metadata result to
+// actual solve result
+type CacheResultStorage interface {
+	Save(Result) (CacheResult, error)
+	Load(ctx context.Context, res CacheResult) (Result, error)
+	LoadRemote(ctx context.Context, res CacheResult) (*Remote, error)
+	Exists(id string) bool
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/combinedcache.go b/engine/vendor/github.com/moby/buildkit/solver/combinedcache.go
new file mode 100644
index 00000000..b4205d3e
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/combinedcache.go
@@ -0,0 +1,124 @@
+package solver
+
+import (
+	"context"
+	"strings"
+	"sync"
+
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+func newCombinedCacheManager(cms []CacheManager, main CacheManager) CacheManager {
+	return &combinedCacheManager{cms: cms, main: main}
+}
+
+type combinedCacheManager struct {
+	cms    []CacheManager
+	main   CacheManager
+	id     string
+	idOnce sync.Once
+}
+
+func (cm *combinedCacheManager) ID() string {
+	cm.idOnce.Do(func() {
+		ids := make([]string, len(cm.cms))
+		for i, c := range cm.cms {
+			ids[i] = c.ID()
+		}
+		cm.id = digest.FromBytes([]byte(strings.Join(ids, ","))).String()
+	})
+	return cm.id
+}
+
+func (cm *combinedCacheManager) Query(inp []CacheKeyWithSelector, inputIndex Index, dgst digest.Digest, outputIndex Index) ([]*CacheKey, error) {
+	eg, _ := errgroup.WithContext(context.TODO())
+	keys := make(map[string]*CacheKey, len(cm.cms))
+	var mu sync.Mutex
+	for _, c := range cm.cms {
+		func(c CacheManager) {
+			eg.Go(func() error {
+				recs, err := c.Query(inp, inputIndex, dgst, outputIndex)
+				if err != nil {
+					return err
+				}
+				mu.Lock()
+				for _, r := range recs {
+					if _, ok := keys[r.ID]; !ok || c == cm.main {
+						keys[r.ID] = r
+					}
+				}
+				mu.Unlock()
+				return nil
+			})
+		}(c)
+	}
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+
+	out := make([]*CacheKey, 0, len(keys))
+	for _, k := range keys {
+		out = append(out, k)
+	}
+	return out, nil
+}
+
+func (cm *combinedCacheManager) Load(ctx context.Context, rec *CacheRecord) (Result, error) {
+	res, err := rec.cacheManager.Load(ctx, rec)
+	if err != nil {
+		return nil, err
+	}
+	if _, err := cm.main.Save(rec.key, res); err != nil {
+		return nil, err
+	}
+	return res, nil
+}
+
+func (cm *combinedCacheManager) Save(key *CacheKey, s Result) (*ExportableCacheKey, error) {
+	return cm.main.Save(key, s)
+}
+
+func (cm *combinedCacheManager) Records(ck *CacheKey) ([]*CacheRecord, error) {
+	if len(ck.ids) == 0 {
+		return nil, errors.Errorf("no results")
+	}
+
+	records := map[string]*CacheRecord{}
+	var mu sync.Mutex
+
+	eg, _ := errgroup.WithContext(context.TODO())
+	for c := range ck.ids {
+		func(c *cacheManager) {
+			eg.Go(func() error {
+				recs, err := c.Records(ck)
+				if err != nil {
+					return err
+				}
+				mu.Lock()
+				for _, rec := range recs {
+					if _, ok := records[rec.ID]; !ok || c == cm.main {
+						if c == cm.main {
+							rec.Priority = 1
+						}
+						records[rec.ID] = rec
+					}
+				}
+				mu.Unlock()
+				return nil
+			})
+		}(c)
+	}
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+
+	out := make([]*CacheRecord, 0, len(records))
+	for _, rec := range records {
+		out = append(out, rec)
+	}
+	return out, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/edge.go b/engine/vendor/github.com/moby/buildkit/solver/edge.go
new file mode 100644
index 00000000..1547cf4b
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/edge.go
@@ -0,0 +1,866 @@
+package solver
+
+import (
+	"context"
+	"sync"
+
+	"github.com/moby/buildkit/solver/internal/pipe"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type edgeStatusType int
+
+const (
+	edgeStatusInitial edgeStatusType = iota
+	edgeStatusCacheFast
+	edgeStatusCacheSlow
+	edgeStatusComplete
+)
+
+func (t edgeStatusType) String() string {
+	return []string{"initial", "cache-fast", "cache-slow", "complete"}[t]
+}
+
+func newEdge(ed Edge, op activeOp, index *edgeIndex) *edge {
+	e := &edge{
+		edge:         ed,
+		op:           op,
+		depRequests:  map[pipe.Receiver]*dep{},
+		keyMap:       map[string]*CacheKey{},
+		cacheRecords: map[string]*CacheRecord{},
+		index:        index,
+	}
+	return e
+}
+
+type edge struct {
+	edge Edge
+	op   activeOp
+
+	edgeState
+	depRequests map[pipe.Receiver]*dep
+	deps        []*dep
+
+	cacheMapReq     pipe.Receiver
+	cacheMapDone    bool
+	cacheMapIndex   int
+	cacheMapDigests []digest.Digest
+	execReq         pipe.Receiver
+	err             error
+	cacheRecords    map[string]*CacheRecord
+	keyMap          map[string]*CacheKey
+
+	noCacheMatchPossible      bool
+	allDepsCompletedCacheFast bool
+	allDepsCompletedCacheSlow bool
+	allDepsStateCacheSlow     bool
+	allDepsCompleted          bool
+	hasActiveOutgoing         bool
+
+	releaserCount int
+	keysDidChange bool
+	index         *edgeIndex
+
+	secondaryExporters []expDep
+}
+
+// dep holds state for a dependant edge
+type dep struct {
+	req pipe.Receiver
+	edgeState
+	index             Index
+	keyMap            map[string]*CacheKey
+	desiredState      edgeStatusType
+	e                 *edge
+	slowCacheReq      pipe.Receiver
+	slowCacheComplete bool
+	slowCacheFoundKey bool
+	slowCacheKey      *ExportableCacheKey
+	err               error
+}
+
+// expDep holds secorndary exporter info for dependency
+type expDep struct {
+	index    int
+	cacheKey CacheKeyWithSelector
+}
+
+func newDep(i Index) *dep {
+	return &dep{index: i, keyMap: map[string]*CacheKey{}}
+}
+
+// edgePipe is a pipe for requests between two edges
+type edgePipe struct {
+	*pipe.Pipe
+	From, Target *edge
+	mu           sync.Mutex
+}
+
+// edgeState hold basic mutable state info for an edge
+type edgeState struct {
+	state    edgeStatusType
+	result   *SharedCachedResult
+	cacheMap *CacheMap
+	keys     []ExportableCacheKey
+}
+
+type edgeRequest struct {
+	desiredState edgeStatusType
+	currentState edgeState
+	currentKeys  int
+}
+
+// incrementReferenceCount increases the number of times release needs to be
+// called to release the edge. Called on merging edges.
+func (e *edge) incrementReferenceCount() {
+	e.releaserCount += 1
+}
+
+// release releases the edge resources
+func (e *edge) release() {
+	if e.releaserCount > 0 {
+		e.releaserCount--
+		return
+	}
+	e.index.Release(e)
+	if e.result != nil {
+		go e.result.Release(context.TODO())
+	}
+}
+
+// commitOptions returns parameters for the op execution
+func (e *edge) commitOptions() ([]*CacheKey, []CachedResult) {
+	k := NewCacheKey(e.cacheMap.Digest, e.edge.Index)
+	if len(e.deps) == 0 {
+		keys := make([]*CacheKey, 0, len(e.cacheMapDigests))
+		for _, dgst := range e.cacheMapDigests {
+			keys = append(keys, NewCacheKey(dgst, e.edge.Index))
+		}
+		return keys, nil
+	}
+
+	inputs := make([][]CacheKeyWithSelector, len(e.deps))
+	results := make([]CachedResult, len(e.deps))
+	for i, dep := range e.deps {
+		inputs[i] = append(inputs[i], CacheKeyWithSelector{CacheKey: dep.result.CacheKey(), Selector: e.cacheMap.Deps[i].Selector})
+		if dep.slowCacheKey != nil {
+			inputs[i] = append(inputs[i], CacheKeyWithSelector{CacheKey: *dep.slowCacheKey})
+		}
+		results[i] = dep.result
+	}
+
+	k.deps = inputs
+	return []*CacheKey{k}, results
+}
+
+// isComplete returns true if edge state is final and will never change
+func (e *edge) isComplete() bool {
+	return e.err != nil || e.result != nil
+}
+
+// finishIncoming finalizes the incoming pipe request
+func (e *edge) finishIncoming(req pipe.Sender) {
+	err := e.err
+	if req.Request().Canceled && err == nil {
+		err = context.Canceled
+	}
+	if debugScheduler {
+		logrus.Debugf("finishIncoming %s %v %#v desired=%s", e.edge.Vertex.Name(), err, e.edgeState, req.Request().Payload.(*edgeRequest).desiredState)
+	}
+	req.Finalize(&e.edgeState, err)
+}
+
+// updateIncoming updates the current value of incoming pipe request
+func (e *edge) updateIncoming(req pipe.Sender) {
+	req.Update(&e.edgeState)
+}
+
+// probeCache is called with unprocessed cache keys for dependency
+// if the key could match the edge, the cacheRecords for dependency are filled
+func (e *edge) probeCache(d *dep, depKeys []CacheKeyWithSelector) bool {
+	if len(depKeys) == 0 {
+		return false
+	}
+	if e.op.IgnoreCache() {
+		return false
+	}
+	keys, err := e.op.Cache().Query(depKeys, d.index, e.cacheMap.Digest, e.edge.Index)
+	if err != nil {
+		e.err = errors.Wrap(err, "error on cache query")
+	}
+	found := false
+	for _, k := range keys {
+		if _, ok := d.keyMap[k.ID]; !ok {
+			d.keyMap[k.ID] = k
+			found = true
+		}
+	}
+	return found
+}
+
+// checkDepMatchPossible checks if any cache matches are possible past this point
+func (e *edge) checkDepMatchPossible(dep *dep) {
+	depHasSlowCache := e.cacheMap.Deps[dep.index].ComputeDigestFunc != nil
+	if !e.noCacheMatchPossible && (((!dep.slowCacheFoundKey && dep.slowCacheComplete && depHasSlowCache) || (!depHasSlowCache && dep.state >= edgeStatusCacheSlow)) && len(dep.keys) == 0) {
+		e.noCacheMatchPossible = true
+	}
+}
+
+// slowCacheFunc returns the result based cache func for dependency if it exists
+func (e *edge) slowCacheFunc(dep *dep) ResultBasedCacheFunc {
+	if e.cacheMap == nil {
+		return nil
+	}
+	return e.cacheMap.Deps[int(dep.index)].ComputeDigestFunc
+}
+
+// allDepsHaveKeys checks if all dependencies have at least one key. used for
+// determining if there is enough data for combining cache key for edge
+func (e *edge) allDepsHaveKeys() bool {
+	if e.cacheMap == nil {
+		return false
+	}
+	for _, d := range e.deps {
+		if len(d.keys) == 0 && d.slowCacheKey == nil && d.result == nil {
+			return false
+		}
+	}
+	return true
+}
+
+// depKeys returns all current dependency cache keys
+func (e *edge) currentIndexKey() *CacheKey {
+	if e.cacheMap == nil {
+		return nil
+	}
+
+	keys := make([][]CacheKeyWithSelector, len(e.deps))
+	for i, d := range e.deps {
+		if len(d.keys) == 0 && d.result == nil {
+			return nil
+		}
+		for _, k := range d.keys {
+			keys[i] = append(keys[i], CacheKeyWithSelector{Selector: e.cacheMap.Deps[i].Selector, CacheKey: k})
+		}
+		if d.result != nil {
+			keys[i] = append(keys[i], CacheKeyWithSelector{Selector: e.cacheMap.Deps[i].Selector, CacheKey: d.result.CacheKey()})
+			if d.slowCacheKey != nil {
+				keys[i] = append(keys[i], CacheKeyWithSelector{CacheKey: ExportableCacheKey{CacheKey: d.slowCacheKey.CacheKey, Exporter: &exporter{k: d.slowCacheKey.CacheKey}}})
+			}
+		}
+	}
+
+	k := NewCacheKey(e.cacheMap.Digest, e.edge.Index)
+	k.deps = keys
+
+	return k
+}
+
+// slow cache keys can be computed in 2 phases if there are multiple deps.
+// first evaluate ones that didn't match any definition based keys
+func (e *edge) skipPhase2SlowCache(dep *dep) bool {
+	isPhase1 := false
+	for _, dep := range e.deps {
+		if !dep.slowCacheComplete && e.slowCacheFunc(dep) != nil && len(dep.keyMap) == 0 {
+			isPhase1 = true
+			break
+		}
+	}
+
+	if isPhase1 && !dep.slowCacheComplete && e.slowCacheFunc(dep) != nil && len(dep.keyMap) > 0 {
+		return true
+	}
+	return false
+}
+
+func (e *edge) skipPhase2FastCache(dep *dep) bool {
+	isPhase1 := false
+	for _, dep := range e.deps {
+		if e.cacheMap == nil || len(dep.keyMap) == 0 && ((!dep.slowCacheComplete && e.slowCacheFunc(dep) != nil) || (dep.state < edgeStatusComplete && e.slowCacheFunc(dep) == nil)) {
+			isPhase1 = true
+			break
+		}
+	}
+
+	if isPhase1 && len(dep.keyMap) > 0 {
+		return true
+	}
+	return false
+}
+
+// unpark is called by the scheduler with incoming requests and updates for
+// previous calls.
+// To avoid deadlocks and resource leaks this function needs to follow
+// following rules:
+// 1) this function needs to return unclosed outgoing requests if some incoming
+//    requests were not completed
+// 2) this function may not return outgoing requests if it has completed all
+//    incoming requests
+func (e *edge) unpark(incoming []pipe.Sender, updates, allPipes []pipe.Receiver, f *pipeFactory) {
+	// process all incoming changes
+	depChanged := false
+	for _, upt := range updates {
+		if changed := e.processUpdate(upt); changed {
+			depChanged = true
+		}
+	}
+
+	if depChanged {
+		// the dep responses had changes. need to reevaluate edge state
+		e.recalcCurrentState()
+	}
+
+	desiredState, done := e.respondToIncoming(incoming, allPipes)
+	if done {
+		return
+	}
+
+	// set up new outgoing requests if needed
+	if e.cacheMapReq == nil && (e.cacheMap == nil || len(e.cacheRecords) == 0) {
+		index := e.cacheMapIndex
+		e.cacheMapReq = f.NewFuncRequest(func(ctx context.Context) (interface{}, error) {
+			return e.op.CacheMap(ctx, index)
+		})
+	}
+
+	// execute op
+	if e.execReq == nil && desiredState == edgeStatusComplete {
+		if ok := e.execIfPossible(f); ok {
+			return
+		}
+	}
+
+	if e.execReq == nil {
+		e.createInputRequests(desiredState, f)
+	}
+
+}
+
+func (e *edge) makeExportable(k *CacheKey, records []*CacheRecord) ExportableCacheKey {
+	return ExportableCacheKey{
+		CacheKey: k,
+		Exporter: &exporter{k: k, records: records, override: e.edge.Vertex.Options().ExportCache},
+	}
+}
+
+// processUpdate is called by unpark for every updated pipe request
+func (e *edge) processUpdate(upt pipe.Receiver) (depChanged bool) {
+	// response for cachemap request
+	if upt == e.cacheMapReq && upt.Status().Completed {
+		if err := upt.Status().Err; err != nil {
+			e.cacheMapReq = nil
+			if !upt.Status().Canceled && e.err == nil {
+				e.err = err
+			}
+		} else {
+			resp := upt.Status().Value.(*cacheMapResp)
+			e.cacheMap = resp.CacheMap
+			e.cacheMapDone = resp.complete
+			e.cacheMapIndex++
+			if len(e.deps) == 0 {
+				e.cacheMapDigests = append(e.cacheMapDigests, e.cacheMap.Digest)
+				if !e.op.IgnoreCache() {
+					keys, err := e.op.Cache().Query(nil, 0, e.cacheMap.Digest, e.edge.Index)
+					if err != nil {
+						logrus.Error(errors.Wrap(err, "invalid query response")) // make the build fail for this error
+					} else {
+						for _, k := range keys {
+							records, err := e.op.Cache().Records(k)
+							if err != nil {
+								logrus.Errorf("error receiving cache records: %v", err)
+								continue
+							}
+
+							for _, r := range records {
+								e.cacheRecords[r.ID] = r
+							}
+
+							e.keys = append(e.keys, e.makeExportable(k, records))
+						}
+					}
+				}
+				e.state = edgeStatusCacheSlow
+			}
+			if e.allDepsHaveKeys() {
+				e.keysDidChange = true
+			}
+			// probe keys that were loaded before cache map
+			for i, dep := range e.deps {
+				e.probeCache(dep, withSelector(dep.keys, e.cacheMap.Deps[i].Selector))
+				e.checkDepMatchPossible(dep)
+			}
+			if !e.cacheMapDone {
+				e.cacheMapReq = nil
+			}
+		}
+		return true
+	}
+
+	// response for exec request
+	if upt == e.execReq && upt.Status().Completed {
+		if err := upt.Status().Err; err != nil {
+			e.execReq = nil
+			if !upt.Status().Canceled && e.err == nil {
+				e.err = err
+			}
+		} else {
+			e.result = NewSharedCachedResult(upt.Status().Value.(CachedResult))
+			e.state = edgeStatusComplete
+		}
+		return true
+	}
+
+	// response for requests to dependencies
+	if dep, ok := e.depRequests[upt]; ok { // TODO: ignore canceled
+		if err := upt.Status().Err; !upt.Status().Canceled && upt.Status().Completed && err != nil {
+			if e.err == nil {
+				e.err = err
+			}
+			dep.err = err
+		}
+
+		state := upt.Status().Value.(*edgeState)
+
+		if len(dep.keys) < len(state.keys) {
+			newKeys := state.keys[len(dep.keys):]
+			if e.cacheMap != nil {
+				e.probeCache(dep, withSelector(newKeys, e.cacheMap.Deps[dep.index].Selector))
+				if e.allDepsHaveKeys() {
+					e.keysDidChange = true
+				}
+			}
+			depChanged = true
+		}
+		if dep.state != edgeStatusComplete && state.state == edgeStatusComplete {
+			e.keysDidChange = true
+		}
+
+		recheck := state.state != dep.state
+
+		dep.edgeState = *state
+
+		if recheck && e.cacheMap != nil {
+			e.checkDepMatchPossible(dep)
+			depChanged = true
+		}
+
+		return
+	}
+
+	// response for result based cache function
+	for i, dep := range e.deps {
+		if upt == dep.slowCacheReq && upt.Status().Completed {
+			if err := upt.Status().Err; err != nil {
+				dep.slowCacheReq = nil
+				if !upt.Status().Canceled && e.err == nil {
+					e.err = upt.Status().Err
+				}
+			} else if !dep.slowCacheComplete {
+				k := NewCacheKey(upt.Status().Value.(digest.Digest), -1)
+				dep.slowCacheKey = &ExportableCacheKey{CacheKey: k, Exporter: &exporter{k: k}}
+				slowKeyExp := CacheKeyWithSelector{CacheKey: *dep.slowCacheKey}
+				defKeyExp := CacheKeyWithSelector{CacheKey: dep.result.CacheKey(), Selector: e.cacheMap.Deps[i].Selector}
+				dep.slowCacheFoundKey = e.probeCache(dep, []CacheKeyWithSelector{slowKeyExp})
+
+				// connect def key to slow key
+				e.op.Cache().Query([]CacheKeyWithSelector{defKeyExp, slowKeyExp}, dep.index, e.cacheMap.Digest, e.edge.Index)
+
+				dep.slowCacheComplete = true
+				e.keysDidChange = true
+				e.checkDepMatchPossible(dep) // not matching key here doesn't set nocachematch possible to true
+			}
+			return true
+		}
+	}
+
+	return
+}
+
+// recalcCurrentState is called by unpark to recompute internal state after
+// the state of dependencies has changed
+func (e *edge) recalcCurrentState() {
+	// TODO: fast pass to detect incomplete results
+	newKeys := map[string]*CacheKey{}
+
+	for i, dep := range e.deps {
+		if i == 0 {
+			for id, k := range dep.keyMap {
+				if _, ok := e.keyMap[id]; ok {
+					continue
+				}
+				newKeys[id] = k
+			}
+		} else {
+			for id := range newKeys {
+				if _, ok := dep.keyMap[id]; !ok {
+					delete(newKeys, id)
+				}
+			}
+		}
+		if len(newKeys) == 0 {
+			break
+		}
+	}
+
+	for _, r := range newKeys {
+		// TODO: add all deps automatically
+		mergedKey := r.clone()
+		mergedKey.deps = make([][]CacheKeyWithSelector, len(e.deps))
+		for i, dep := range e.deps {
+			if dep.result != nil {
+				mergedKey.deps[i] = append(mergedKey.deps[i], CacheKeyWithSelector{Selector: e.cacheMap.Deps[i].Selector, CacheKey: dep.result.CacheKey()})
+				if dep.slowCacheKey != nil {
+					mergedKey.deps[i] = append(mergedKey.deps[i], CacheKeyWithSelector{CacheKey: *dep.slowCacheKey})
+				}
+			} else {
+				for _, k := range dep.keys {
+					mergedKey.deps[i] = append(mergedKey.deps[i], CacheKeyWithSelector{Selector: e.cacheMap.Deps[i].Selector, CacheKey: k})
+				}
+			}
+		}
+
+		records, err := e.op.Cache().Records(mergedKey)
+		if err != nil {
+			logrus.Errorf("error receiving cache records: %v", err)
+			continue
+		}
+
+		for _, r := range records {
+			e.cacheRecords[r.ID] = r
+		}
+
+		e.keys = append(e.keys, e.makeExportable(mergedKey, records))
+	}
+
+	// detect lower/upper bound for current state
+	allDepsCompletedCacheFast := e.cacheMap != nil
+	allDepsCompletedCacheSlow := e.cacheMap != nil
+	allDepsStateCacheSlow := true
+	allDepsCompleted := true
+	stLow := edgeStatusInitial    // minimal possible state
+	stHigh := edgeStatusCacheSlow // maximum possible state
+	if e.cacheMap != nil {
+		for _, dep := range e.deps {
+			isSlowIncomplete := e.slowCacheFunc(dep) != nil && (dep.state == edgeStatusCacheSlow || (dep.state == edgeStatusComplete && !dep.slowCacheComplete))
+
+			if dep.state > stLow && len(dep.keyMap) == 0 && !isSlowIncomplete {
+				stLow = dep.state
+				if stLow > edgeStatusCacheSlow {
+					stLow = edgeStatusCacheSlow
+				}
+			}
+			effectiveState := dep.state
+			if dep.state == edgeStatusCacheSlow && isSlowIncomplete {
+				effectiveState = edgeStatusCacheFast
+			}
+			if dep.state == edgeStatusComplete && isSlowIncomplete {
+				effectiveState = edgeStatusCacheFast
+			}
+			if effectiveState < stHigh {
+				stHigh = effectiveState
+			}
+			if isSlowIncomplete || dep.state < edgeStatusComplete {
+				allDepsCompleted = false
+			}
+			if dep.state < edgeStatusCacheFast {
+				allDepsCompletedCacheFast = false
+			}
+			if isSlowIncomplete || dep.state < edgeStatusCacheSlow {
+				allDepsCompletedCacheSlow = false
+			}
+			if dep.state < edgeStatusCacheSlow && len(dep.keys) == 0 {
+				allDepsStateCacheSlow = false
+			}
+		}
+		if stLow > e.state {
+			e.state = stLow
+		}
+		if stHigh > e.state {
+			e.state = stHigh
+		}
+		if !e.cacheMapDone && len(e.keys) == 0 {
+			e.state = edgeStatusInitial
+		}
+
+		e.allDepsCompletedCacheFast = e.cacheMapDone && allDepsCompletedCacheFast
+		e.allDepsCompletedCacheSlow = e.cacheMapDone && allDepsCompletedCacheSlow
+		e.allDepsStateCacheSlow = e.cacheMapDone && allDepsStateCacheSlow
+		e.allDepsCompleted = e.cacheMapDone && allDepsCompleted
+	}
+}
+
+// respondToIncoming responds to all incoming requests. completing or
+// updating them when possible
+func (e *edge) respondToIncoming(incoming []pipe.Sender, allPipes []pipe.Receiver) (edgeStatusType, bool) {
+	// detect the result state for the requests
+	allIncomingCanComplete := true
+	desiredState := e.state
+	allCanceled := true
+
+	// check incoming requests
+	// check if all requests can be either answered or canceled
+	if !e.isComplete() {
+		for _, req := range incoming {
+			if !req.Request().Canceled {
+				allCanceled = false
+				if r := req.Request().Payload.(*edgeRequest); desiredState < r.desiredState {
+					desiredState = r.desiredState
+					if e.hasActiveOutgoing || r.desiredState == edgeStatusComplete || r.currentKeys == len(e.keys) {
+						allIncomingCanComplete = false
+					}
+				}
+			}
+		}
+	}
+
+	// do not set allIncomingCanComplete if active ongoing can modify the state
+	if !allCanceled && e.state < edgeStatusComplete && len(e.keys) == 0 && e.hasActiveOutgoing {
+		allIncomingCanComplete = false
+	}
+
+	if debugScheduler {
+		logrus.Debugf("status state=%s cancomplete=%v hasouts=%v noPossibleCache=%v depsCacheFast=%v keys=%d cacheRecords=%d", e.state, allIncomingCanComplete, e.hasActiveOutgoing, e.noCacheMatchPossible, e.allDepsCompletedCacheFast, len(e.keys), len(e.cacheRecords))
+	}
+
+	if allIncomingCanComplete && e.hasActiveOutgoing {
+		// cancel all current requests
+		for _, p := range allPipes {
+			p.Cancel()
+		}
+
+		// can close all but one requests
+		var leaveOpen pipe.Sender
+		for _, req := range incoming {
+			if !req.Request().Canceled {
+				leaveOpen = req
+				break
+			}
+		}
+		for _, req := range incoming {
+			if leaveOpen == nil || leaveOpen == req {
+				leaveOpen = req
+				continue
+			}
+			e.finishIncoming(req)
+		}
+		return desiredState, true
+	}
+
+	// can complete, finish and return
+	if allIncomingCanComplete && !e.hasActiveOutgoing {
+		for _, req := range incoming {
+			e.finishIncoming(req)
+		}
+		return desiredState, true
+	}
+
+	// update incoming based on current state
+	for _, req := range incoming {
+		r := req.Request().Payload.(*edgeRequest)
+		if req.Request().Canceled {
+			e.finishIncoming(req)
+		} else if !e.hasActiveOutgoing && e.state >= r.desiredState {
+			e.finishIncoming(req)
+		} else if !isEqualState(r.currentState, e.edgeState) && !req.Request().Canceled {
+			e.updateIncoming(req)
+		}
+	}
+	return desiredState, false
+}
+
+// createInputRequests creates new requests for dependencies or async functions
+// that need to complete to continue processing the edge
+func (e *edge) createInputRequests(desiredState edgeStatusType, f *pipeFactory) {
+	// initialize deps state
+	if e.deps == nil {
+		e.depRequests = make(map[pipe.Receiver]*dep)
+		e.deps = make([]*dep, 0, len(e.edge.Vertex.Inputs()))
+		for i := range e.edge.Vertex.Inputs() {
+			e.deps = append(e.deps, newDep(Index(i)))
+		}
+	}
+
+	// cycle all dependencies. set up outgoing requests if needed
+	for _, dep := range e.deps {
+		desiredStateDep := dep.state
+
+		if e.noCacheMatchPossible {
+			desiredStateDep = edgeStatusComplete
+		} else if dep.state == edgeStatusInitial && desiredState > dep.state {
+			desiredStateDep = edgeStatusCacheFast
+		} else if dep.state == edgeStatusCacheFast && desiredState > dep.state {
+			// wait all deps to complete cache fast before continuing with slow cache
+			if (e.allDepsCompletedCacheFast && len(e.keys) == 0) || len(dep.keys) == 0 || e.allDepsHaveKeys() {
+				if !e.skipPhase2FastCache(dep) {
+					desiredStateDep = edgeStatusCacheSlow
+				}
+			}
+		} else if dep.state == edgeStatusCacheSlow && desiredState == edgeStatusComplete {
+			// if all deps have completed cache-slow or content based cache for input is available
+			if (len(dep.keys) == 0 || e.allDepsCompletedCacheSlow || (!e.skipPhase2FastCache(dep) && e.slowCacheFunc(dep) != nil)) && (len(e.cacheRecords) == 0) {
+				if len(dep.keys) == 0 || !e.skipPhase2SlowCache(dep) && e.allDepsStateCacheSlow {
+					desiredStateDep = edgeStatusComplete
+				}
+			}
+		} else if dep.state == edgeStatusCacheSlow && e.slowCacheFunc(dep) != nil && desiredState == edgeStatusCacheSlow {
+			if len(dep.keys) == 0 || !e.skipPhase2SlowCache(dep) && e.allDepsStateCacheSlow {
+				desiredStateDep = edgeStatusComplete
+			}
+		}
+
+		// outgoing request is needed
+		if dep.state < desiredStateDep {
+			addNew := true
+			if dep.req != nil && !dep.req.Status().Completed {
+				if dep.req.Request().(*edgeRequest).desiredState != desiredStateDep {
+					dep.req.Cancel()
+				} else {
+					addNew = false
+				}
+			}
+			if addNew {
+				req := f.NewInputRequest(e.edge.Vertex.Inputs()[int(dep.index)], &edgeRequest{
+					currentState: dep.edgeState,
+					desiredState: desiredStateDep,
+					currentKeys:  len(dep.keys),
+				})
+				e.depRequests[req] = dep
+				dep.req = req
+			}
+		}
+		// initialize function to compute cache key based on dependency result
+		if dep.state == edgeStatusComplete && dep.slowCacheReq == nil && e.slowCacheFunc(dep) != nil && e.cacheMap != nil {
+			fn := e.slowCacheFunc(dep)
+			res := dep.result
+			func(fn ResultBasedCacheFunc, res Result, index Index) {
+				dep.slowCacheReq = f.NewFuncRequest(func(ctx context.Context) (interface{}, error) {
+					return e.op.CalcSlowCache(ctx, index, fn, res)
+				})
+			}(fn, res, dep.index)
+		}
+	}
+}
+
+// execIfPossible creates a request for getting the edge result if there is
+// enough state
+func (e *edge) execIfPossible(f *pipeFactory) bool {
+	if len(e.cacheRecords) > 0 {
+		if e.keysDidChange {
+			e.postpone(f)
+			return true
+		}
+		e.execReq = f.NewFuncRequest(e.loadCache)
+		for req := range e.depRequests {
+			req.Cancel()
+		}
+		return true
+	} else if e.allDepsCompleted {
+		if e.keysDidChange {
+			e.postpone(f)
+			return true
+		}
+		e.execReq = f.NewFuncRequest(e.execOp)
+		return true
+	}
+	return false
+}
+
+// postpone delays exec to next unpark invocation if we have unprocessed keys
+func (e *edge) postpone(f *pipeFactory) {
+	f.NewFuncRequest(func(context.Context) (interface{}, error) {
+		return nil, nil
+	})
+}
+
+// loadCache creates a request to load edge result from cache
+func (e *edge) loadCache(ctx context.Context) (interface{}, error) {
+	recs := make([]*CacheRecord, 0, len(e.cacheRecords))
+	for _, r := range e.cacheRecords {
+		recs = append(recs, r)
+	}
+
+	rec := getBestResult(recs)
+
+	logrus.Debugf("load cache for %s with %s", e.edge.Vertex.Name(), rec.ID)
+	res, err := e.op.LoadCache(ctx, rec)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewCachedResult(res, ExportableCacheKey{CacheKey: rec.key, Exporter: &exporter{k: rec.key, record: rec, edge: e}}), nil
+}
+
+// execOp creates a request to execute the vertex operation
+func (e *edge) execOp(ctx context.Context) (interface{}, error) {
+	cacheKeys, inputs := e.commitOptions()
+	results, subExporters, err := e.op.Exec(ctx, toResultSlice(inputs))
+	if err != nil {
+		return nil, err
+	}
+
+	index := e.edge.Index
+	if len(results) <= int(index) {
+		return nil, errors.Errorf("invalid response from exec need %d index but %d results received", index, len(results))
+	}
+
+	res := results[int(index)]
+
+	for i := range results {
+		if i != int(index) {
+			go results[i].Release(context.TODO())
+		}
+	}
+
+	var exporters []CacheExporter
+
+	for _, cacheKey := range cacheKeys {
+		ck, err := e.op.Cache().Save(cacheKey, res)
+		if err != nil {
+			return nil, err
+		}
+
+		if exp, ok := ck.Exporter.(*exporter); ok {
+			exp.edge = e
+		}
+
+		exps := make([]CacheExporter, 0, len(subExporters))
+		for _, exp := range subExporters {
+			exps = append(exps, exp.Exporter)
+		}
+
+		exporters = append(exporters, ck.Exporter)
+		exporters = append(exporters, exps...)
+	}
+
+	ck := &ExportableCacheKey{
+		CacheKey: cacheKeys[0],
+		Exporter: &mergedExporter{exporters: exporters},
+	}
+
+	return NewCachedResult(res, *ck), nil
+}
+
+func toResultSlice(cres []CachedResult) (out []Result) {
+	out = make([]Result, len(cres))
+	for i := range cres {
+		out[i] = cres[i].(Result)
+	}
+	return out
+}
+
+func isEqualState(s1, s2 edgeState) bool {
+	if s1.state != s2.state || s1.result != s2.result || s1.cacheMap != s2.cacheMap || len(s1.keys) != len(s2.keys) {
+		return false
+	}
+	return true
+}
+
+func withSelector(keys []ExportableCacheKey, selector digest.Digest) []CacheKeyWithSelector {
+	out := make([]CacheKeyWithSelector, len(keys))
+	for i, k := range keys {
+		out[i] = CacheKeyWithSelector{Selector: selector, CacheKey: k}
+	}
+	return out
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/exporter.go b/engine/vendor/github.com/moby/buildkit/solver/exporter.go
new file mode 100644
index 00000000..fa963f41
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/exporter.go
@@ -0,0 +1,208 @@
+package solver
+
+import (
+	"context"
+
+	digest "github.com/opencontainers/go-digest"
+)
+
+type exporter struct {
+	k       *CacheKey
+	records []*CacheRecord
+	record  *CacheRecord
+
+	res      []CacheExporterRecord
+	edge     *edge // for secondaryExporters
+	override *bool
+}
+
+func addBacklinks(t CacheExporterTarget, rec CacheExporterRecord, cm *cacheManager, id string, bkm map[string]CacheExporterRecord) (CacheExporterRecord, error) {
+	if rec == nil {
+		var ok bool
+		rec, ok = bkm[id]
+		if ok {
+			return rec, nil
+		}
+		_ = ok
+	}
+	if err := cm.backend.WalkBacklinks(id, func(id string, link CacheInfoLink) error {
+		if rec == nil {
+			rec = t.Add(link.Digest)
+		}
+		r, ok := bkm[id]
+		if !ok {
+			var err error
+			r, err = addBacklinks(t, nil, cm, id, bkm)
+			if err != nil {
+				return err
+			}
+		}
+		rec.LinkFrom(r, int(link.Input), link.Selector.String())
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	if rec == nil {
+		rec = t.Add(digest.Digest(id))
+	}
+	bkm[id] = rec
+	return rec, nil
+}
+
+type backlinkT struct{}
+
+var backlinkKey = backlinkT{}
+
+func (e *exporter) ExportTo(ctx context.Context, t CacheExporterTarget, opt CacheExportOpt) ([]CacheExporterRecord, error) {
+	var bkm map[string]CacheExporterRecord
+
+	if bk := ctx.Value(backlinkKey); bk == nil {
+		bkm = map[string]CacheExporterRecord{}
+		ctx = context.WithValue(ctx, backlinkKey, bkm)
+	} else {
+		bkm = bk.(map[string]CacheExporterRecord)
+	}
+
+	if t.Visited(e) {
+		return e.res, nil
+	}
+
+	deps := e.k.Deps()
+
+	type expr struct {
+		r        CacheExporterRecord
+		selector digest.Digest
+	}
+
+	rec := t.Add(rootKey(e.k.Digest(), e.k.Output()))
+	allRec := []CacheExporterRecord{rec}
+
+	addRecord := true
+
+	if e.override != nil {
+		addRecord = *e.override
+	}
+
+	if e.record == nil && len(e.k.Deps()) > 0 {
+		e.record = getBestResult(e.records)
+	}
+
+	var remote *Remote
+	if v := e.record; v != nil && len(e.k.Deps()) > 0 && addRecord {
+		cm := v.cacheManager
+		key := cm.getID(v.key)
+		res, err := cm.backend.Load(key, v.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		remote, err = cm.results.LoadRemote(ctx, res)
+		if err != nil {
+			return nil, err
+		}
+
+		if remote == nil && opt.Mode != CacheExportModeRemoteOnly {
+			res, err := cm.results.Load(ctx, res)
+			if err != nil {
+				return nil, err
+			}
+			remote, err = opt.Convert(ctx, res)
+			if err != nil {
+				return nil, err
+			}
+			res.Release(context.TODO())
+		}
+
+		if remote != nil {
+			for _, rec := range allRec {
+				rec.AddResult(v.CreatedAt, remote)
+			}
+		}
+	}
+
+	if remote != nil && opt.Mode == CacheExportModeMin {
+		opt.Mode = CacheExportModeRemoteOnly
+	}
+
+	srcs := make([][]expr, len(deps))
+
+	for i, deps := range deps {
+		for _, dep := range deps {
+			recs, err := dep.CacheKey.Exporter.ExportTo(ctx, t, opt)
+			if err != nil {
+				return nil, nil
+			}
+			for _, r := range recs {
+				srcs[i] = append(srcs[i], expr{r: r, selector: dep.Selector})
+			}
+		}
+	}
+
+	if e.edge != nil {
+		for _, de := range e.edge.secondaryExporters {
+			recs, err := de.cacheKey.CacheKey.Exporter.ExportTo(ctx, t, opt)
+			if err != nil {
+				return nil, nil
+			}
+			for _, r := range recs {
+				srcs[de.index] = append(srcs[de.index], expr{r: r, selector: de.cacheKey.Selector})
+			}
+		}
+	}
+
+	for i, srcs := range srcs {
+		for _, src := range srcs {
+			rec.LinkFrom(src.r, i, src.selector.String())
+		}
+	}
+
+	for cm, id := range e.k.ids {
+		if _, err := addBacklinks(t, rec, cm, id, bkm); err != nil {
+			return nil, err
+		}
+	}
+
+	if v := e.record; v != nil && len(deps) == 0 {
+		cm := v.cacheManager
+		key := cm.getID(v.key)
+		if err := cm.backend.WalkIDsByResult(v.ID, func(id string) error {
+			if id == key {
+				return nil
+			}
+			allRec = append(allRec, t.Add(digest.Digest(id)))
+			return nil
+		}); err != nil {
+			return nil, err
+		}
+	}
+
+	e.res = allRec
+	t.Visit(e)
+
+	return e.res, nil
+}
+
+func getBestResult(records []*CacheRecord) *CacheRecord {
+	var rec *CacheRecord
+	for _, r := range records {
+		if rec == nil || rec.CreatedAt.Before(r.CreatedAt) || (rec.CreatedAt.Equal(r.CreatedAt) && rec.Priority < r.Priority) {
+			rec = r
+		}
+	}
+	return rec
+}
+
+type mergedExporter struct {
+	exporters []CacheExporter
+}
+
+func (e *mergedExporter) ExportTo(ctx context.Context, t CacheExporterTarget, opt CacheExportOpt) (er []CacheExporterRecord, err error) {
+	for _, e := range e.exporters {
+		r, err := e.ExportTo(ctx, t, opt)
+		if err != nil {
+			return nil, err
+		}
+		er = append(er, r...)
+	}
+	return
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/index.go b/engine/vendor/github.com/moby/buildkit/solver/index.go
new file mode 100644
index 00000000..1bb17d89
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/index.go
@@ -0,0 +1,243 @@
+package solver
+
+import (
+	"sync"
+
+	"github.com/moby/buildkit/identity"
+)
+
+// edgeIndex is a synchronous map for detecting edge collisions.
+type edgeIndex struct {
+	mu sync.Mutex
+
+	items    map[string]*indexItem
+	backRefs map[*edge]map[string]struct{}
+}
+
+type indexItem struct {
+	edge  *edge
+	links map[CacheInfoLink]map[string]struct{}
+	deps  map[string]struct{}
+}
+
+func newEdgeIndex() *edgeIndex {
+	return &edgeIndex{
+		items:    map[string]*indexItem{},
+		backRefs: map[*edge]map[string]struct{}{},
+	}
+}
+
+func (ei *edgeIndex) Release(e *edge) {
+	ei.mu.Lock()
+	defer ei.mu.Unlock()
+
+	for id := range ei.backRefs[e] {
+		ei.releaseEdge(id, e)
+	}
+	delete(ei.backRefs, e)
+}
+
+func (ei *edgeIndex) releaseEdge(id string, e *edge) {
+	item, ok := ei.items[id]
+	if !ok {
+		return
+	}
+
+	item.edge = nil
+
+	if len(item.links) == 0 {
+		for d := range item.deps {
+			ei.releaseLink(d, id)
+		}
+		delete(ei.items, id)
+	}
+}
+
+func (ei *edgeIndex) releaseLink(id, target string) {
+	item, ok := ei.items[id]
+	if !ok {
+		return
+	}
+
+	for lid, links := range item.links {
+		for check := range links {
+			if check == target {
+				delete(links, check)
+			}
+		}
+		if len(links) == 0 {
+			delete(item.links, lid)
+		}
+	}
+
+	if item.edge == nil && len(item.links) == 0 {
+		for d := range item.deps {
+			ei.releaseLink(d, id)
+		}
+		delete(ei.items, id)
+	}
+}
+
+func (ei *edgeIndex) LoadOrStore(k *CacheKey, e *edge) *edge {
+	ei.mu.Lock()
+	defer ei.mu.Unlock()
+
+	// get all current edges that match the cachekey
+	ids := ei.getAllMatches(k)
+
+	var oldID string
+	var old *edge
+
+	for _, id := range ids {
+		if item, ok := ei.items[id]; ok {
+			if item.edge != e {
+				oldID = id
+				old = item.edge
+			}
+		}
+	}
+
+	if old != nil && !(!isIgnoreCache(old) && isIgnoreCache(e)) {
+		ei.enforceLinked(oldID, k)
+		return old
+	}
+
+	id := identity.NewID()
+	if len(ids) > 0 {
+		id = ids[0]
+	}
+
+	ei.enforceLinked(id, k)
+
+	ei.items[id].edge = e
+	backRefs, ok := ei.backRefs[e]
+	if !ok {
+		backRefs = map[string]struct{}{}
+		ei.backRefs[e] = backRefs
+	}
+	backRefs[id] = struct{}{}
+
+	return nil
+}
+
+// enforceLinked adds links from current ID to all dep keys
+func (er *edgeIndex) enforceLinked(id string, k *CacheKey) {
+	main, ok := er.items[id]
+	if !ok {
+		main = &indexItem{
+			links: map[CacheInfoLink]map[string]struct{}{},
+			deps:  map[string]struct{}{},
+		}
+		er.items[id] = main
+	}
+
+	deps := k.Deps()
+
+	for i, dd := range deps {
+		for _, d := range dd {
+			ck := d.CacheKey.CacheKey
+			er.enforceIndexID(ck)
+			ll := CacheInfoLink{Input: Index(i), Digest: k.Digest(), Output: k.Output(), Selector: d.Selector}
+			for _, ckID := range ck.indexIDs {
+				if item, ok := er.items[ckID]; ok {
+					links, ok := item.links[ll]
+					if !ok {
+						links = map[string]struct{}{}
+						item.links[ll] = links
+					}
+					links[id] = struct{}{}
+					main.deps[ckID] = struct{}{}
+				}
+			}
+		}
+	}
+}
+
+func (ei *edgeIndex) enforceIndexID(k *CacheKey) {
+	if len(k.indexIDs) > 0 {
+		return
+	}
+
+	matches := ei.getAllMatches(k)
+
+	if len(matches) > 0 {
+		k.indexIDs = matches
+	} else {
+		k.indexIDs = []string{identity.NewID()}
+	}
+
+	for _, id := range k.indexIDs {
+		ei.enforceLinked(id, k)
+	}
+}
+
+func (ei *edgeIndex) getAllMatches(k *CacheKey) []string {
+	deps := k.Deps()
+
+	if len(deps) == 0 {
+		return []string{rootKey(k.Digest(), k.Output()).String()}
+	}
+
+	for _, dd := range deps {
+		for _, k := range dd {
+			ei.enforceIndexID(k.CacheKey.CacheKey)
+		}
+	}
+
+	matches := map[string]struct{}{}
+
+	for i, dd := range deps {
+		if i == 0 {
+			for _, d := range dd {
+				ll := CacheInfoLink{Input: Index(i), Digest: k.Digest(), Output: k.Output(), Selector: d.Selector}
+				for _, ckID := range d.CacheKey.CacheKey.indexIDs {
+					item, ok := ei.items[ckID]
+					if ok {
+						for l := range item.links[ll] {
+							matches[l] = struct{}{}
+						}
+					}
+				}
+			}
+			continue
+		}
+
+		if len(matches) == 0 {
+			break
+		}
+
+		for m := range matches {
+			found := false
+			for _, d := range dd {
+				ll := CacheInfoLink{Input: Index(i), Digest: k.Digest(), Output: k.Output(), Selector: d.Selector}
+				for _, ckID := range d.CacheKey.CacheKey.indexIDs {
+					if l, ok := ei.items[ckID].links[ll]; ok {
+						if _, ok := l[m]; ok {
+							found = true
+							break
+						}
+					}
+				}
+			}
+
+			if !found {
+				delete(matches, m)
+			}
+		}
+	}
+
+	out := make([]string, 0, len(matches))
+
+	for m := range matches {
+		out = append(out, m)
+	}
+
+	return out
+}
+
+func isIgnoreCache(e *edge) bool {
+	if e.edge.Vertex == nil {
+		return false
+	}
+	return e.edge.Vertex.Options().IgnoreCache
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/internal/pipe/pipe.go b/engine/vendor/github.com/moby/buildkit/solver/internal/pipe/pipe.go
new file mode 100644
index 00000000..e61a6b34
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/internal/pipe/pipe.go
@@ -0,0 +1,197 @@
+package pipe
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+
+	"github.com/pkg/errors"
+)
+
+type channel struct {
+	OnSendCompletion func()
+	value            atomic.Value
+	lastValue        interface{}
+}
+
+func (c *channel) Send(v interface{}) {
+	c.value.Store(v)
+	if c.OnSendCompletion != nil {
+		c.OnSendCompletion()
+	}
+}
+
+func (c *channel) Receive() (interface{}, bool) {
+	v := c.value.Load()
+	if c.lastValue == v {
+		return nil, false
+	}
+	c.lastValue = v
+	return v, true
+}
+
+type Pipe struct {
+	Sender              Sender
+	Receiver            Receiver
+	OnReceiveCompletion func()
+	OnSendCompletion    func()
+}
+
+type Request struct {
+	Payload  interface{}
+	Canceled bool
+}
+
+type Sender interface {
+	Request() Request
+	Update(v interface{})
+	Finalize(v interface{}, err error)
+	Status() Status
+}
+
+type Receiver interface {
+	Receive() bool
+	Cancel()
+	Status() Status
+	Request() interface{}
+}
+
+type Status struct {
+	Canceled  bool
+	Completed bool
+	Err       error
+	Value     interface{}
+}
+
+func NewWithFunction(f func(context.Context) (interface{}, error)) (*Pipe, func()) {
+	p := New(Request{})
+
+	ctx, cancel := context.WithCancel(context.TODO())
+
+	p.OnReceiveCompletion = func() {
+		if req := p.Sender.Request(); req.Canceled {
+			cancel()
+		}
+	}
+
+	return p, func() {
+		res, err := f(ctx)
+		if err != nil {
+			p.Sender.Finalize(nil, err)
+			return
+		}
+		p.Sender.Finalize(res, nil)
+	}
+}
+
+func New(req Request) *Pipe {
+	cancelCh := &channel{}
+	roundTripCh := &channel{}
+	pw := &sender{
+		req:         req,
+		recvChannel: cancelCh,
+		sendChannel: roundTripCh,
+	}
+	pr := &receiver{
+		req:         req,
+		recvChannel: roundTripCh,
+		sendChannel: cancelCh,
+	}
+
+	p := &Pipe{
+		Sender:   pw,
+		Receiver: pr,
+	}
+
+	cancelCh.OnSendCompletion = func() {
+		v, ok := cancelCh.Receive()
+		if ok {
+			pw.setRequest(v.(Request))
+		}
+		if p.OnReceiveCompletion != nil {
+			p.OnReceiveCompletion()
+		}
+	}
+
+	roundTripCh.OnSendCompletion = func() {
+		if p.OnSendCompletion != nil {
+			p.OnSendCompletion()
+		}
+	}
+
+	return p
+}
+
+type sender struct {
+	status      Status
+	req         Request
+	recvChannel *channel
+	sendChannel *channel
+	mu          sync.Mutex
+}
+
+func (pw *sender) Status() Status {
+	return pw.status
+}
+
+func (pw *sender) Request() Request {
+	pw.mu.Lock()
+	defer pw.mu.Unlock()
+	return pw.req
+}
+
+func (pw *sender) setRequest(req Request) {
+	pw.mu.Lock()
+	defer pw.mu.Unlock()
+	pw.req = req
+}
+
+func (pw *sender) Update(v interface{}) {
+	pw.status.Value = v
+	pw.sendChannel.Send(pw.status)
+}
+
+func (pw *sender) Finalize(v interface{}, err error) {
+	if v != nil {
+		pw.status.Value = v
+	}
+	pw.status.Err = err
+	pw.status.Completed = true
+	if errors.Cause(err) == context.Canceled && pw.req.Canceled {
+		pw.status.Canceled = true
+	}
+	pw.sendChannel.Send(pw.status)
+}
+
+type receiver struct {
+	status      Status
+	req         Request
+	recvChannel *channel
+	sendChannel *channel
+}
+
+func (pr *receiver) Request() interface{} {
+	return pr.req.Payload
+}
+
+func (pr *receiver) Receive() bool {
+	v, ok := pr.recvChannel.Receive()
+	if !ok {
+		return false
+	}
+	pr.status = v.(Status)
+	return true
+}
+
+func (pr *receiver) Cancel() {
+	req := pr.req
+	if req.Canceled {
+		return
+	}
+	req.Canceled = true
+	pr.sendChannel.Send(req)
+}
+
+func (pr *receiver) Status() Status {
+	return pr.status
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/jobs.go b/engine/vendor/github.com/moby/buildkit/solver/jobs.go
new file mode 100644
index 00000000..bce6c8b8
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/jobs.go
@@ -0,0 +1,774 @@
+package solver
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/util/flightcontrol"
+	"github.com/moby/buildkit/util/progress"
+	"github.com/moby/buildkit/util/tracing"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+// ResolveOpFunc finds an Op implementation for a Vertex
+type ResolveOpFunc func(Vertex, Builder) (Op, error)
+
+type Builder interface {
+	Build(ctx context.Context, e Edge) (CachedResult, error)
+	Call(ctx context.Context, name string, fn func(ctx context.Context) error) error
+}
+
+// Solver provides a shared graph of all the vertexes currently being
+// processed. Every vertex that is being solved needs to be loaded into job
+// first. Vertex operations are invoked and progress tracking happends through
+// jobs.
+type Solver struct {
+	mu      sync.RWMutex
+	jobs    map[string]*Job
+	actives map[digest.Digest]*state
+	opts    SolverOpt
+
+	updateCond *sync.Cond
+	s          *scheduler
+	index      *edgeIndex
+}
+
+type state struct {
+	jobs     map[*Job]struct{}
+	parents  map[digest.Digest]struct{}
+	childVtx map[digest.Digest]struct{}
+
+	mpw   *progress.MultiWriter
+	allPw map[progress.Writer]struct{}
+
+	vtx          Vertex
+	clientVertex client.Vertex
+
+	mu    sync.Mutex
+	op    *sharedOp
+	edges map[Index]*edge
+	opts  SolverOpt
+	index *edgeIndex
+
+	cache     map[string]CacheManager
+	mainCache CacheManager
+	solver    *Solver
+}
+
+func (s *state) getSessionID() string {
+	// TODO: connect with sessionmanager to avoid getting dropped sessions
+	s.mu.Lock()
+	for j := range s.jobs {
+		if j.SessionID != "" {
+			s.mu.Unlock()
+			return j.SessionID
+		}
+	}
+	parents := map[digest.Digest]struct{}{}
+	for p := range s.parents {
+		parents[p] = struct{}{}
+	}
+	s.mu.Unlock()
+
+	for p := range parents {
+		s.solver.mu.Lock()
+		pst, ok := s.solver.actives[p]
+		s.solver.mu.Unlock()
+		if ok {
+			if sessionID := pst.getSessionID(); sessionID != "" {
+				return sessionID
+			}
+		}
+	}
+	return ""
+}
+
+func (s *state) builder() *subBuilder {
+	return &subBuilder{state: s}
+}
+
+func (s *state) getEdge(index Index) *edge {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if e, ok := s.edges[index]; ok {
+		return e
+	}
+
+	if s.op == nil {
+		s.op = newSharedOp(s.opts.ResolveOpFunc, s.opts.DefaultCache, s)
+	}
+
+	e := newEdge(Edge{Index: index, Vertex: s.vtx}, s.op, s.index)
+	s.edges[index] = e
+	return e
+}
+
+func (s *state) setEdge(index Index, newEdge *edge) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	e, ok := s.edges[index]
+	if ok {
+		if e == newEdge {
+			return
+		}
+		e.release()
+	}
+
+	newEdge.incrementReferenceCount()
+	s.edges[index] = newEdge
+}
+
+func (s *state) combinedCacheManager() CacheManager {
+	s.mu.Lock()
+	cms := make([]CacheManager, 0, len(s.cache)+1)
+	cms = append(cms, s.mainCache)
+	for _, cm := range s.cache {
+		cms = append(cms, cm)
+	}
+	s.mu.Unlock()
+
+	if len(cms) == 1 {
+		return s.mainCache
+	}
+
+	return newCombinedCacheManager(cms, s.mainCache)
+}
+
+func (s *state) Release() {
+	for _, e := range s.edges {
+		e.release()
+	}
+	if s.op != nil {
+		s.op.release()
+	}
+}
+
+type subBuilder struct {
+	*state
+	mu        sync.Mutex
+	exporters []ExportableCacheKey
+}
+
+func (sb *subBuilder) Build(ctx context.Context, e Edge) (CachedResult, error) {
+	res, err := sb.solver.subBuild(ctx, e, sb.vtx)
+	if err != nil {
+		return nil, err
+	}
+	sb.mu.Lock()
+	sb.exporters = append(sb.exporters, res.CacheKey())
+	sb.mu.Unlock()
+	return res, nil
+}
+
+func (sb *subBuilder) Call(ctx context.Context, name string, fn func(ctx context.Context) error) error {
+	ctx = progress.WithProgress(ctx, sb.mpw)
+	return inVertexContext(ctx, name, fn)
+}
+
+type Job struct {
+	list *Solver
+	pr   *progress.MultiReader
+	pw   progress.Writer
+
+	progressCloser func()
+	SessionID      string
+}
+
+type SolverOpt struct {
+	ResolveOpFunc ResolveOpFunc
+	DefaultCache  CacheManager
+}
+
+func NewSolver(opts SolverOpt) *Solver {
+	if opts.DefaultCache == nil {
+		opts.DefaultCache = NewInMemoryCacheManager()
+	}
+	jl := &Solver{
+		jobs:    make(map[string]*Job),
+		actives: make(map[digest.Digest]*state),
+		opts:    opts,
+		index:   newEdgeIndex(),
+	}
+	jl.s = newScheduler(jl)
+	jl.updateCond = sync.NewCond(jl.mu.RLocker())
+	return jl
+}
+
+func (jl *Solver) setEdge(e Edge, newEdge *edge) {
+	jl.mu.RLock()
+	defer jl.mu.RUnlock()
+
+	st, ok := jl.actives[e.Vertex.Digest()]
+	if !ok {
+		return
+	}
+
+	st.setEdge(e.Index, newEdge)
+}
+
+func (jl *Solver) getEdge(e Edge) *edge {
+	jl.mu.RLock()
+	defer jl.mu.RUnlock()
+
+	st, ok := jl.actives[e.Vertex.Digest()]
+	if !ok {
+		return nil
+	}
+	return st.getEdge(e.Index)
+}
+
+func (jl *Solver) subBuild(ctx context.Context, e Edge, parent Vertex) (CachedResult, error) {
+	v, err := jl.load(e.Vertex, parent, nil)
+	if err != nil {
+		return nil, err
+	}
+	e.Vertex = v
+	return jl.s.build(ctx, e)
+}
+
+func (jl *Solver) Close() {
+	jl.s.Stop()
+}
+
+func (jl *Solver) load(v, parent Vertex, j *Job) (Vertex, error) {
+	jl.mu.Lock()
+	defer jl.mu.Unlock()
+
+	cache := map[Vertex]Vertex{}
+
+	return jl.loadUnlocked(v, parent, j, cache)
+}
+
+func (jl *Solver) loadUnlocked(v, parent Vertex, j *Job, cache map[Vertex]Vertex) (Vertex, error) {
+	if v, ok := cache[v]; ok {
+		return v, nil
+	}
+	origVtx := v
+
+	inputs := make([]Edge, len(v.Inputs()))
+	for i, e := range v.Inputs() {
+		v, err := jl.loadUnlocked(e.Vertex, parent, j, cache)
+		if err != nil {
+			return nil, err
+		}
+		inputs[i] = Edge{Index: e.Index, Vertex: v}
+	}
+
+	dgst := v.Digest()
+
+	dgstWithoutCache := digest.FromBytes([]byte(fmt.Sprintf("%s-ignorecache", dgst)))
+
+	// if same vertex is already loaded without cache just use that
+	st, ok := jl.actives[dgstWithoutCache]
+
+	if !ok {
+		st, ok = jl.actives[dgst]
+
+		// !ignorecache merges with ignorecache but ignorecache doesn't merge with !ignorecache
+		if ok && !st.vtx.Options().IgnoreCache && v.Options().IgnoreCache {
+			dgst = dgstWithoutCache
+		}
+
+		v = &vertexWithCacheOptions{
+			Vertex: v,
+			dgst:   dgst,
+			inputs: inputs,
+		}
+
+		st, ok = jl.actives[dgst]
+	}
+
+	if !ok {
+		st = &state{
+			opts:         jl.opts,
+			jobs:         map[*Job]struct{}{},
+			parents:      map[digest.Digest]struct{}{},
+			childVtx:     map[digest.Digest]struct{}{},
+			allPw:        map[progress.Writer]struct{}{},
+			mpw:          progress.NewMultiWriter(progress.WithMetadata("vertex", dgst)),
+			vtx:          v,
+			clientVertex: initClientVertex(v),
+			edges:        map[Index]*edge{},
+			index:        jl.index,
+			mainCache:    jl.opts.DefaultCache,
+			cache:        map[string]CacheManager{},
+			solver:       jl,
+		}
+		jl.actives[dgst] = st
+	}
+
+	st.mu.Lock()
+	for _, cache := range v.Options().CacheSources {
+		if cache.ID() != st.mainCache.ID() {
+			if _, ok := st.cache[cache.ID()]; !ok {
+				st.cache[cache.ID()] = cache
+			}
+		}
+	}
+
+	if j != nil {
+		if _, ok := st.jobs[j]; !ok {
+			st.jobs[j] = struct{}{}
+		}
+	}
+	st.mu.Unlock()
+
+	if parent != nil {
+		if _, ok := st.parents[parent.Digest()]; !ok {
+			st.parents[parent.Digest()] = struct{}{}
+			parentState, ok := jl.actives[parent.Digest()]
+			if !ok {
+				return nil, errors.Errorf("inactive parent %s", parent.Digest())
+			}
+			parentState.childVtx[dgst] = struct{}{}
+
+			for id, c := range parentState.cache {
+				st.cache[id] = c
+			}
+		}
+	}
+
+	jl.connectProgressFromState(st, st)
+	cache[origVtx] = v
+	return v, nil
+}
+
+func (jl *Solver) connectProgressFromState(target, src *state) {
+	for j := range src.jobs {
+		if _, ok := target.allPw[j.pw]; !ok {
+			target.mpw.Add(j.pw)
+			target.allPw[j.pw] = struct{}{}
+			j.pw.Write(target.clientVertex.Digest.String(), target.clientVertex)
+		}
+	}
+	for p := range src.parents {
+		jl.connectProgressFromState(target, jl.actives[p])
+	}
+}
+
+func (jl *Solver) NewJob(id string) (*Job, error) {
+	jl.mu.Lock()
+	defer jl.mu.Unlock()
+
+	if _, ok := jl.jobs[id]; ok {
+		return nil, errors.Errorf("job ID %s exists", id)
+	}
+
+	pr, ctx, progressCloser := progress.NewContext(context.Background())
+	pw, _, _ := progress.FromContext(ctx) // TODO: expose progress.Pipe()
+
+	j := &Job{
+		list:           jl,
+		pr:             progress.NewMultiReader(pr),
+		pw:             pw,
+		progressCloser: progressCloser,
+	}
+	jl.jobs[id] = j
+
+	jl.updateCond.Broadcast()
+
+	return j, nil
+}
+
+func (jl *Solver) Get(id string) (*Job, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	go func() {
+		<-ctx.Done()
+		jl.updateCond.Broadcast()
+	}()
+
+	jl.mu.RLock()
+	defer jl.mu.RUnlock()
+	for {
+		select {
+		case <-ctx.Done():
+			return nil, errors.Errorf("no such job %s", id)
+		default:
+		}
+		j, ok := jl.jobs[id]
+		if !ok {
+			jl.updateCond.Wait()
+			continue
+		}
+		return j, nil
+	}
+}
+
+// called with solver lock
+func (jl *Solver) deleteIfUnreferenced(k digest.Digest, st *state) {
+	if len(st.jobs) == 0 && len(st.parents) == 0 {
+		for chKey := range st.childVtx {
+			chState := jl.actives[chKey]
+			delete(chState.parents, k)
+			jl.deleteIfUnreferenced(chKey, chState)
+		}
+		st.Release()
+		delete(jl.actives, k)
+	}
+}
+
+func (j *Job) Build(ctx context.Context, e Edge) (CachedResult, error) {
+	v, err := j.list.load(e.Vertex, nil, j)
+	if err != nil {
+		return nil, err
+	}
+	e.Vertex = v
+	return j.list.s.build(ctx, e)
+}
+
+func (j *Job) Discard() error {
+	defer j.progressCloser()
+
+	j.list.mu.Lock()
+	defer j.list.mu.Unlock()
+
+	j.pw.Close()
+
+	for k, st := range j.list.actives {
+		if _, ok := st.jobs[j]; ok {
+			delete(st.jobs, j)
+			j.list.deleteIfUnreferenced(k, st)
+		}
+		if _, ok := st.allPw[j.pw]; ok {
+			delete(st.allPw, j.pw)
+		}
+	}
+	return nil
+}
+
+func (j *Job) Call(ctx context.Context, name string, fn func(ctx context.Context) error) error {
+	ctx = progress.WithProgress(ctx, j.pw)
+	return inVertexContext(ctx, name, fn)
+}
+
+type cacheMapResp struct {
+	*CacheMap
+	complete bool
+}
+
+type activeOp interface {
+	CacheMap(context.Context, int) (*cacheMapResp, error)
+	LoadCache(ctx context.Context, rec *CacheRecord) (Result, error)
+	Exec(ctx context.Context, inputs []Result) (outputs []Result, exporters []ExportableCacheKey, err error)
+	IgnoreCache() bool
+	Cache() CacheManager
+	CalcSlowCache(context.Context, Index, ResultBasedCacheFunc, Result) (digest.Digest, error)
+}
+
+func newSharedOp(resolver ResolveOpFunc, cacheManager CacheManager, st *state) *sharedOp {
+	so := &sharedOp{
+		resolver:     resolver,
+		st:           st,
+		slowCacheRes: map[Index]digest.Digest{},
+		slowCacheErr: map[Index]error{},
+	}
+	return so
+}
+
+type execRes struct {
+	execRes       []*SharedResult
+	execExporters []ExportableCacheKey
+}
+
+type sharedOp struct {
+	resolver ResolveOpFunc
+	st       *state
+	g        flightcontrol.Group
+
+	opOnce     sync.Once
+	op         Op
+	subBuilder *subBuilder
+	err        error
+
+	execRes *execRes
+	execErr error
+
+	cacheRes  []*CacheMap
+	cacheDone bool
+	cacheErr  error
+
+	slowMu       sync.Mutex
+	slowCacheRes map[Index]digest.Digest
+	slowCacheErr map[Index]error
+}
+
+func (s *sharedOp) IgnoreCache() bool {
+	return s.st.vtx.Options().IgnoreCache
+}
+
+func (s *sharedOp) Cache() CacheManager {
+	return s.st.combinedCacheManager()
+}
+
+func (s *sharedOp) LoadCache(ctx context.Context, rec *CacheRecord) (Result, error) {
+	ctx = progress.WithProgress(ctx, s.st.mpw)
+	// no cache hit. start evaluating the node
+	span, ctx := tracing.StartSpan(ctx, "load cache: "+s.st.vtx.Name())
+	notifyStarted(ctx, &s.st.clientVertex, true)
+	res, err := s.Cache().Load(ctx, rec)
+	tracing.FinishWithError(span, err)
+	notifyCompleted(ctx, &s.st.clientVertex, err, true)
+	return res, err
+}
+
+func (s *sharedOp) CalcSlowCache(ctx context.Context, index Index, f ResultBasedCacheFunc, res Result) (digest.Digest, error) {
+	key, err := s.g.Do(ctx, fmt.Sprintf("slow-compute-%d", index), func(ctx context.Context) (interface{}, error) {
+		s.slowMu.Lock()
+		// TODO: add helpers for these stored values
+		if res := s.slowCacheRes[index]; res != "" {
+			s.slowMu.Unlock()
+			return res, nil
+		}
+		if err := s.slowCacheErr[index]; err != nil {
+			s.slowMu.Unlock()
+			return err, nil
+		}
+		s.slowMu.Unlock()
+		ctx = progress.WithProgress(ctx, s.st.mpw)
+		key, err := f(ctx, res)
+		complete := true
+		if err != nil {
+			canceled := false
+			select {
+			case <-ctx.Done():
+				canceled = true
+			default:
+			}
+			if canceled && errors.Cause(err) == context.Canceled {
+				complete = false
+			}
+		}
+		s.slowMu.Lock()
+		defer s.slowMu.Unlock()
+		if complete {
+			if err == nil {
+				s.slowCacheRes[index] = key
+			}
+			s.slowCacheErr[index] = err
+		}
+		return key, err
+	})
+	if err != nil {
+		return "", err
+	}
+	return key.(digest.Digest), nil
+}
+
+func (s *sharedOp) CacheMap(ctx context.Context, index int) (*cacheMapResp, error) {
+	op, err := s.getOp()
+	if err != nil {
+		return nil, err
+	}
+	res, err := s.g.Do(ctx, "cachemap", func(ctx context.Context) (ret interface{}, retErr error) {
+		if s.cacheRes != nil && s.cacheDone || index < len(s.cacheRes) {
+			return s.cacheRes, nil
+		}
+		if s.cacheErr != nil {
+			return nil, s.cacheErr
+		}
+		ctx = progress.WithProgress(ctx, s.st.mpw)
+		ctx = session.NewContext(ctx, s.st.getSessionID())
+		if len(s.st.vtx.Inputs()) == 0 {
+			// no cache hit. start evaluating the node
+			span, ctx := tracing.StartSpan(ctx, "cache request: "+s.st.vtx.Name())
+			notifyStarted(ctx, &s.st.clientVertex, false)
+			defer func() {
+				tracing.FinishWithError(span, retErr)
+				notifyCompleted(ctx, &s.st.clientVertex, retErr, false)
+			}()
+		}
+		res, done, err := op.CacheMap(ctx, len(s.cacheRes))
+		complete := true
+		if err != nil {
+			canceled := false
+			select {
+			case <-ctx.Done():
+				canceled = true
+			default:
+			}
+			if canceled && errors.Cause(err) == context.Canceled {
+				complete = false
+			}
+		}
+		if complete {
+			if err == nil {
+				s.cacheRes = append(s.cacheRes, res)
+				s.cacheDone = done
+			}
+			s.cacheErr = err
+		}
+		return s.cacheRes, err
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if len(res.([]*CacheMap)) <= index {
+		return s.CacheMap(ctx, index)
+	}
+
+	return &cacheMapResp{CacheMap: res.([]*CacheMap)[index], complete: s.cacheDone}, nil
+}
+
+func (s *sharedOp) Exec(ctx context.Context, inputs []Result) (outputs []Result, exporters []ExportableCacheKey, err error) {
+	op, err := s.getOp()
+	if err != nil {
+		return nil, nil, err
+	}
+	res, err := s.g.Do(ctx, "exec", func(ctx context.Context) (ret interface{}, retErr error) {
+		if s.execRes != nil || s.execErr != nil {
+			return s.execRes, s.execErr
+		}
+
+		ctx = progress.WithProgress(ctx, s.st.mpw)
+		ctx = session.NewContext(ctx, s.st.getSessionID())
+
+		// no cache hit. start evaluating the node
+		span, ctx := tracing.StartSpan(ctx, s.st.vtx.Name())
+		notifyStarted(ctx, &s.st.clientVertex, false)
+		defer func() {
+			tracing.FinishWithError(span, retErr)
+			notifyCompleted(ctx, &s.st.clientVertex, retErr, false)
+		}()
+
+		res, err := op.Exec(ctx, inputs)
+		complete := true
+		if err != nil {
+			canceled := false
+			select {
+			case <-ctx.Done():
+				canceled = true
+			default:
+			}
+			if canceled && errors.Cause(err) == context.Canceled {
+				complete = false
+			}
+		}
+		if complete {
+			if res != nil {
+				var subExporters []ExportableCacheKey
+				s.subBuilder.mu.Lock()
+				if len(s.subBuilder.exporters) > 0 {
+					subExporters = append(subExporters, s.subBuilder.exporters...)
+				}
+				s.subBuilder.mu.Unlock()
+
+				s.execRes = &execRes{execRes: wrapShared(res), execExporters: subExporters}
+			}
+			s.execErr = err
+		}
+		return s.execRes, err
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+	r := res.(*execRes)
+	return unwrapShared(r.execRes), r.execExporters, nil
+}
+
+func (s *sharedOp) getOp() (Op, error) {
+	s.opOnce.Do(func() {
+		s.subBuilder = s.st.builder()
+		s.op, s.err = s.resolver(s.st.vtx, s.subBuilder)
+	})
+	if s.err != nil {
+		return nil, s.err
+	}
+	return s.op, nil
+}
+
+func (s *sharedOp) release() {
+	if s.execRes != nil {
+		for _, r := range s.execRes.execRes {
+			go r.Release(context.TODO())
+		}
+	}
+}
+
+func initClientVertex(v Vertex) client.Vertex {
+	inputDigests := make([]digest.Digest, 0, len(v.Inputs()))
+	for _, inp := range v.Inputs() {
+		inputDigests = append(inputDigests, inp.Vertex.Digest())
+	}
+	return client.Vertex{
+		Inputs: inputDigests,
+		Name:   v.Name(),
+		Digest: v.Digest(),
+	}
+}
+
+func wrapShared(inp []Result) []*SharedResult {
+	out := make([]*SharedResult, len(inp))
+	for i, r := range inp {
+		out[i] = NewSharedResult(r)
+	}
+	return out
+}
+
+func unwrapShared(inp []*SharedResult) []Result {
+	out := make([]Result, len(inp))
+	for i, r := range inp {
+		out[i] = r.Clone()
+	}
+	return out
+}
+
+type vertexWithCacheOptions struct {
+	Vertex
+	inputs []Edge
+	dgst   digest.Digest
+}
+
+func (v *vertexWithCacheOptions) Digest() digest.Digest {
+	return v.dgst
+}
+
+func (v *vertexWithCacheOptions) Inputs() []Edge {
+	return v.inputs
+}
+
+func notifyStarted(ctx context.Context, v *client.Vertex, cached bool) {
+	pw, _, _ := progress.FromContext(ctx)
+	defer pw.Close()
+	now := time.Now()
+	v.Started = &now
+	v.Completed = nil
+	v.Cached = cached
+	pw.Write(v.Digest.String(), *v)
+}
+
+func notifyCompleted(ctx context.Context, v *client.Vertex, err error, cached bool) {
+	pw, _, _ := progress.FromContext(ctx)
+	defer pw.Close()
+	now := time.Now()
+	if v.Started == nil {
+		v.Started = &now
+	}
+	v.Completed = &now
+	v.Cached = cached
+	if err != nil {
+		v.Error = err.Error()
+	}
+	pw.Write(v.Digest.String(), *v)
+}
+
+func inVertexContext(ctx context.Context, name string, f func(ctx context.Context) error) error {
+	v := client.Vertex{
+		Digest: digest.FromBytes([]byte(identity.NewID())),
+		Name:   name,
+	}
+	pw, _, ctx := progress.FromContext(ctx, progress.WithMetadata("vertex", v.Digest))
+	notifyStarted(ctx, &v, false)
+	defer pw.Close()
+	err := f(ctx)
+	notifyCompleted(ctx, &v, err, false)
+	return err
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go
new file mode 100644
index 00000000..b568d3c8
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/bridge.go
@@ -0,0 +1,191 @@
+package llbsolver
+
+import (
+	"context"
+	"io"
+	"strings"
+	"sync"
+
+	"github.com/docker/distribution/reference"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/cache/remotecache"
+	"github.com/moby/buildkit/executor"
+	"github.com/moby/buildkit/frontend"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/util/tracing"
+	"github.com/moby/buildkit/worker"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+type llbBridge struct {
+	builder              solver.Builder
+	frontends            map[string]frontend.Frontend
+	resolveWorker        func() (worker.Worker, error)
+	resolveCacheImporter remotecache.ResolveCacheImporterFunc
+	cms                  map[string]solver.CacheManager
+	cmsMu                sync.Mutex
+	platforms            []specs.Platform
+}
+
+func (b *llbBridge) Solve(ctx context.Context, req frontend.SolveRequest) (res *frontend.Result, err error) {
+	w, err := b.resolveWorker()
+	if err != nil {
+		return nil, err
+	}
+	var cms []solver.CacheManager
+	for _, ref := range req.ImportCacheRefs {
+		b.cmsMu.Lock()
+		var cm solver.CacheManager
+		if prevCm, ok := b.cms[ref]; !ok {
+			r, err := reference.ParseNormalizedNamed(ref)
+			if err != nil {
+				return nil, err
+			}
+			ref = reference.TagNameOnly(r).String()
+			func(ref string) {
+				cm = newLazyCacheManager(ref, func() (solver.CacheManager, error) {
+					var cmNew solver.CacheManager
+					if err := b.builder.Call(ctx, "importing cache manifest from "+ref, func(ctx context.Context) error {
+						if b.resolveCacheImporter == nil {
+							return errors.New("no cache importer is available")
+						}
+						typ := "" // TODO: support non-registry type
+						ci, desc, err := b.resolveCacheImporter(ctx, typ, ref)
+						if err != nil {
+							return err
+						}
+						cmNew, err = ci.Resolve(ctx, desc, ref, w)
+						return err
+					}); err != nil {
+						return nil, err
+					}
+					return cmNew, nil
+				})
+			}(ref)
+			b.cms[ref] = cm
+		} else {
+			cm = prevCm
+		}
+		cms = append(cms, cm)
+		b.cmsMu.Unlock()
+	}
+
+	if req.Definition != nil && req.Definition.Def != nil {
+		edge, err := Load(req.Definition, WithCacheSources(cms), RuntimePlatforms(b.platforms))
+		if err != nil {
+			return nil, err
+		}
+		ref, err := b.builder.Build(ctx, edge)
+		if err != nil {
+			return nil, err
+		}
+
+		res = &frontend.Result{Ref: ref}
+	}
+	if req.Frontend != "" {
+		f, ok := b.frontends[req.Frontend]
+		if !ok {
+			return nil, errors.Errorf("invalid frontend: %s", req.Frontend)
+		}
+		res, err = f.Solve(ctx, b, req.FrontendOpt)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		if req.Definition == nil || req.Definition.Def == nil {
+			return &frontend.Result{}, nil
+		}
+	}
+
+	if err := res.EachRef(func(r solver.CachedResult) error {
+		wr, ok := r.Sys().(*worker.WorkerRef)
+		if !ok {
+			return errors.Errorf("invalid reference for exporting: %T", r.Sys())
+		}
+		if wr.ImmutableRef != nil {
+			if err := wr.ImmutableRef.Finalize(ctx, false); err != nil {
+				return err
+			}
+		}
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+	return
+}
+
+func (s *llbBridge) Exec(ctx context.Context, meta executor.Meta, root cache.ImmutableRef, stdin io.ReadCloser, stdout, stderr io.WriteCloser) (err error) {
+	w, err := s.resolveWorker()
+	if err != nil {
+		return err
+	}
+	span, ctx := tracing.StartSpan(ctx, strings.Join(meta.Args, " "))
+	err = w.Exec(ctx, meta, root, stdin, stdout, stderr)
+	tracing.FinishWithError(span, err)
+	return err
+}
+
+func (s *llbBridge) ResolveImageConfig(ctx context.Context, ref string, platform *specs.Platform) (digest.Digest, []byte, error) {
+	w, err := s.resolveWorker()
+	if err != nil {
+		return "", nil, err
+	}
+	return w.ResolveImageConfig(ctx, ref, platform)
+}
+
+type lazyCacheManager struct {
+	id   string
+	main solver.CacheManager
+
+	waitCh chan struct{}
+	err    error
+}
+
+func (lcm *lazyCacheManager) ID() string {
+	return lcm.id
+}
+func (lcm *lazyCacheManager) Query(inp []solver.CacheKeyWithSelector, inputIndex solver.Index, dgst digest.Digest, outputIndex solver.Index) ([]*solver.CacheKey, error) {
+	if err := lcm.wait(); err != nil {
+		return nil, err
+	}
+	return lcm.main.Query(inp, inputIndex, dgst, outputIndex)
+}
+func (lcm *lazyCacheManager) Records(ck *solver.CacheKey) ([]*solver.CacheRecord, error) {
+	if err := lcm.wait(); err != nil {
+		return nil, err
+	}
+	return lcm.main.Records(ck)
+}
+func (lcm *lazyCacheManager) Load(ctx context.Context, rec *solver.CacheRecord) (solver.Result, error) {
+	if err := lcm.wait(); err != nil {
+		return nil, err
+	}
+	return lcm.main.Load(ctx, rec)
+}
+func (lcm *lazyCacheManager) Save(key *solver.CacheKey, s solver.Result) (*solver.ExportableCacheKey, error) {
+	if err := lcm.wait(); err != nil {
+		return nil, err
+	}
+	return lcm.main.Save(key, s)
+}
+
+func (lcm *lazyCacheManager) wait() error {
+	<-lcm.waitCh
+	return lcm.err
+}
+
+func newLazyCacheManager(id string, fn func() (solver.CacheManager, error)) solver.CacheManager {
+	lcm := &lazyCacheManager{id: id, waitCh: make(chan struct{})}
+	go func() {
+		defer close(lcm.waitCh)
+		cm, err := fn()
+		if err != nil {
+			lcm.err = err
+			return
+		}
+		lcm.main = cm
+	}()
+	return lcm
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/build.go b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/build.go
new file mode 100644
index 00000000..4b030049
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/build.go
@@ -0,0 +1,132 @@
+package ops
+
+import (
+	"context"
+	"encoding/json"
+	"os"
+
+	"github.com/containerd/continuity/fs"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend"
+	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/worker"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+const buildCacheType = "buildkit.build.v0"
+
+type buildOp struct {
+	op *pb.BuildOp
+	b  frontend.FrontendLLBBridge
+	v  solver.Vertex
+}
+
+func NewBuildOp(v solver.Vertex, op *pb.Op_Build, b frontend.FrontendLLBBridge, _ worker.Worker) (solver.Op, error) {
+	return &buildOp{
+		op: op.Build,
+		b:  b,
+		v:  v,
+	}, nil
+}
+
+func (b *buildOp) CacheMap(ctx context.Context, index int) (*solver.CacheMap, bool, error) {
+	dt, err := json.Marshal(struct {
+		Type string
+		Exec *pb.BuildOp
+	}{
+		Type: buildCacheType,
+		Exec: b.op,
+	})
+	if err != nil {
+		return nil, false, err
+	}
+
+	return &solver.CacheMap{
+		Digest: digest.FromBytes(dt),
+		Deps: make([]struct {
+			Selector          digest.Digest
+			ComputeDigestFunc solver.ResultBasedCacheFunc
+		}, len(b.v.Inputs())),
+	}, true, nil
+}
+
+func (b *buildOp) Exec(ctx context.Context, inputs []solver.Result) (outputs []solver.Result, retErr error) {
+	if b.op.Builder != pb.LLBBuilder {
+		return nil, errors.Errorf("only LLB builder is currently allowed")
+	}
+
+	builderInputs := b.op.Inputs
+	llbDef, ok := builderInputs[pb.LLBDefinitionInput]
+	if !ok {
+		return nil, errors.Errorf("no llb definition input %s found", pb.LLBDefinitionInput)
+	}
+
+	i := int(llbDef.Input)
+	if i >= len(inputs) {
+		return nil, errors.Errorf("invalid index %v", i) // TODO: this should be validated before
+	}
+	inp := inputs[i]
+
+	ref, ok := inp.Sys().(*worker.WorkerRef)
+	if !ok {
+		return nil, errors.Errorf("invalid reference for build %T", inp.Sys())
+	}
+
+	mount, err := ref.ImmutableRef.Mount(ctx, true)
+	if err != nil {
+		return nil, err
+	}
+
+	lm := snapshot.LocalMounter(mount)
+
+	root, err := lm.Mount()
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if retErr != nil && lm != nil {
+			lm.Unmount()
+		}
+	}()
+
+	fn := pb.LLBDefaultDefinitionFile
+	if override, ok := b.op.Attrs[pb.AttrLLBDefinitionFilename]; ok {
+		fn = override
+	}
+
+	newfn, err := fs.RootPath(root, fn)
+	if err != nil {
+		return nil, errors.Wrapf(err, "working dir %s points to invalid target", fn)
+	}
+
+	f, err := os.Open(newfn)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to open %s", newfn)
+	}
+
+	def, err := llb.ReadFrom(f)
+	if err != nil {
+		f.Close()
+		return nil, err
+	}
+	f.Close()
+	lm.Unmount()
+	lm = nil
+
+	newRes, err := b.b.Solve(ctx, frontend.SolveRequest{
+		Definition: def.ToPB(),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	for _, r := range newRes.Refs {
+		r.Release(context.TODO())
+	}
+
+	return []solver.Result{newRes.Ref}, err
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/exec.go b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/exec.go
new file mode 100644
index 00000000..b9252275
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/exec.go
@@ -0,0 +1,535 @@
+package ops
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path"
+	"runtime"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/boltdb/bolt"
+	"github.com/containerd/containerd/mount"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/cache/metadata"
+	"github.com/moby/buildkit/executor"
+	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/llbsolver"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/progress/logs"
+	"github.com/moby/buildkit/worker"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const execCacheType = "buildkit.exec.v0"
+
+type execOp struct {
+	op        *pb.ExecOp
+	cm        cache.Manager
+	md        *metadata.Store
+	exec      executor.Executor
+	w         worker.Worker
+	numInputs int
+
+	cacheMounts map[string]*cacheRefShare
+}
+
+func NewExecOp(v solver.Vertex, op *pb.Op_Exec, cm cache.Manager, md *metadata.Store, exec executor.Executor, w worker.Worker) (solver.Op, error) {
+	return &execOp{
+		op:          op.Exec,
+		cm:          cm,
+		md:          md,
+		exec:        exec,
+		numInputs:   len(v.Inputs()),
+		w:           w,
+		cacheMounts: map[string]*cacheRefShare{},
+	}, nil
+}
+
+func cloneExecOp(old *pb.ExecOp) pb.ExecOp {
+	n := *old
+	meta := *n.Meta
+	n.Meta = &meta
+	n.Mounts = nil
+	for i := range n.Mounts {
+		m := *n.Mounts[i]
+		n.Mounts = append(n.Mounts, &m)
+	}
+	return n
+}
+
+func (e *execOp) CacheMap(ctx context.Context, index int) (*solver.CacheMap, bool, error) {
+	op := cloneExecOp(e.op)
+	for i := range op.Mounts {
+		op.Mounts[i].Selector = ""
+	}
+	op.Meta.ProxyEnv = nil
+
+	dt, err := json.Marshal(struct {
+		Type string
+		Exec *pb.ExecOp
+		OS   string
+		Arch string
+	}{
+		Type: execCacheType,
+		Exec: &op,
+		OS:   runtime.GOOS,
+		Arch: runtime.GOARCH,
+	})
+	if err != nil {
+		return nil, false, err
+	}
+
+	cm := &solver.CacheMap{
+		Digest: digest.FromBytes(dt),
+		Deps: make([]struct {
+			Selector          digest.Digest
+			ComputeDigestFunc solver.ResultBasedCacheFunc
+		}, e.numInputs),
+	}
+
+	deps, err := e.getMountDeps()
+	if err != nil {
+		return nil, false, err
+	}
+
+	for i, dep := range deps {
+		if len(dep.Selectors) != 0 {
+			dgsts := make([][]byte, 0, len(dep.Selectors))
+			for _, p := range dep.Selectors {
+				dgsts = append(dgsts, []byte(p))
+			}
+			cm.Deps[i].Selector = digest.FromBytes(bytes.Join(dgsts, []byte{0}))
+		}
+		if !dep.NoContentBasedHash {
+			cm.Deps[i].ComputeDigestFunc = llbsolver.NewContentHashFunc(dedupePaths(dep.Selectors))
+		}
+	}
+
+	return cm, true, nil
+}
+
+func dedupePaths(inp []string) []string {
+	old := make(map[string]struct{}, len(inp))
+	for _, p := range inp {
+		old[p] = struct{}{}
+	}
+	paths := make([]string, 0, len(old))
+	for p1 := range old {
+		var skip bool
+		for p2 := range old {
+			if p1 != p2 && strings.HasPrefix(p1, p2) {
+				skip = true
+				break
+			}
+		}
+		if !skip {
+			paths = append(paths, p1)
+		}
+	}
+	sort.Slice(paths, func(i, j int) bool {
+		return paths[i] < paths[j]
+	})
+	return paths
+}
+
+type dep struct {
+	Selectors          []string
+	NoContentBasedHash bool
+}
+
+func (e *execOp) getMountDeps() ([]dep, error) {
+	deps := make([]dep, e.numInputs)
+	for _, m := range e.op.Mounts {
+		if m.Input == pb.Empty {
+			continue
+		}
+		if int(m.Input) >= len(deps) {
+			return nil, errors.Errorf("invalid mountinput %v", m)
+		}
+
+		sel := m.Selector
+		if sel != "" {
+			sel = path.Join("/", sel)
+			deps[m.Input].Selectors = append(deps[m.Input].Selectors, sel)
+		}
+
+		if !m.Readonly || m.Dest == pb.RootMount { // exclude read-only rootfs
+			deps[m.Input].NoContentBasedHash = true
+		}
+	}
+	return deps, nil
+}
+
+func (e *execOp) getRefCacheDir(ctx context.Context, ref cache.ImmutableRef, id string, m *pb.Mount, sharing pb.CacheSharingOpt) (mref cache.MutableRef, err error) {
+
+	key := "cache-dir:" + id
+	if ref != nil {
+		key += ":" + ref.ID()
+	}
+
+	if ref, ok := e.cacheMounts[key]; ok {
+		return ref.clone(), nil
+	}
+	defer func() {
+		if err == nil {
+			share := &cacheRefShare{MutableRef: mref, refs: map[*cacheRef]struct{}{}}
+			e.cacheMounts[key] = share
+			mref = share.clone()
+		}
+	}()
+
+	switch sharing {
+	case pb.CacheSharingOpt_SHARED:
+		return sharedCacheRefs.get(key, func() (cache.MutableRef, error) {
+			return e.getRefCacheDirNoCache(ctx, key, ref, id, m, false)
+		})
+	case pb.CacheSharingOpt_PRIVATE:
+		return e.getRefCacheDirNoCache(ctx, key, ref, id, m, false)
+	case pb.CacheSharingOpt_LOCKED:
+		return e.getRefCacheDirNoCache(ctx, key, ref, id, m, true)
+	default:
+		return nil, errors.Errorf("invalid cache sharing option: %s", sharing.String())
+	}
+
+}
+
+func (e *execOp) getRefCacheDirNoCache(ctx context.Context, key string, ref cache.ImmutableRef, id string, m *pb.Mount, block bool) (cache.MutableRef, error) {
+	makeMutable := func(cache.ImmutableRef) (cache.MutableRef, error) {
+		desc := fmt.Sprintf("cached mount %s from exec %s", m.Dest, strings.Join(e.op.Meta.Args, " "))
+		return e.cm.New(ctx, ref, cache.WithDescription(desc), cache.CachePolicyRetain)
+	}
+
+	cacheRefsLocker.Lock(key)
+	defer cacheRefsLocker.Unlock(key)
+	for {
+		sis, err := e.md.Search(key)
+		if err != nil {
+			return nil, err
+		}
+		locked := false
+		for _, si := range sis {
+			if mRef, err := e.cm.GetMutable(ctx, si.ID()); err == nil {
+				logrus.Debugf("reusing ref for cache dir: %s", mRef.ID())
+				return mRef, nil
+			} else if errors.Cause(err) == cache.ErrLocked {
+				locked = true
+			}
+		}
+		if block && locked {
+			cacheRefsLocker.Unlock(key)
+			select {
+			case <-ctx.Done():
+				cacheRefsLocker.Lock(key)
+				return nil, ctx.Err()
+			case <-time.After(100 * time.Millisecond):
+				cacheRefsLocker.Lock(key)
+			}
+		} else {
+			break
+		}
+	}
+	mRef, err := makeMutable(ref)
+	if err != nil {
+		return nil, err
+	}
+
+	si, _ := e.md.Get(mRef.ID())
+	v, err := metadata.NewValue(key)
+	if err != nil {
+		mRef.Release(context.TODO())
+		return nil, err
+	}
+	v.Index = key
+	if err := si.Update(func(b *bolt.Bucket) error {
+		return si.SetValue(b, key, v)
+	}); err != nil {
+		mRef.Release(context.TODO())
+		return nil, err
+	}
+	return mRef, nil
+}
+
+func (e *execOp) Exec(ctx context.Context, inputs []solver.Result) ([]solver.Result, error) {
+	var mounts []executor.Mount
+	var root cache.Mountable
+	var readonlyRootFS bool
+
+	var outputs []cache.Ref
+
+	defer func() {
+		for _, o := range outputs {
+			if o != nil {
+				go o.Release(context.TODO())
+			}
+		}
+	}()
+
+	// loop over all mounts, fill in mounts, root and outputs
+	for _, m := range e.op.Mounts {
+		var mountable cache.Mountable
+		var ref cache.ImmutableRef
+
+		if m.Dest == pb.RootMount && m.MountType != pb.MountType_BIND {
+			return nil, errors.Errorf("invalid mount type %s for %s", m.MountType.String(), m.Dest)
+		}
+
+		// if mount is based on input validate and load it
+		if m.Input != pb.Empty {
+			if int(m.Input) > len(inputs) {
+				return nil, errors.Errorf("missing input %d", m.Input)
+			}
+			inp := inputs[int(m.Input)]
+			workerRef, ok := inp.Sys().(*worker.WorkerRef)
+			if !ok {
+				return nil, errors.Errorf("invalid reference for exec %T", inp.Sys())
+			}
+			ref = workerRef.ImmutableRef
+			mountable = ref
+		}
+
+		makeMutable := func(cache.ImmutableRef) (cache.MutableRef, error) {
+			desc := fmt.Sprintf("mount %s from exec %s", m.Dest, strings.Join(e.op.Meta.Args, " "))
+			return e.cm.New(ctx, ref, cache.WithDescription(desc))
+		}
+
+		switch m.MountType {
+		case pb.MountType_BIND:
+			// if mount creates an output
+			if m.Output != pb.SkipOutput {
+				// it it is readonly and not root then output is the input
+				if m.Readonly && ref != nil && m.Dest != pb.RootMount {
+					outputs = append(outputs, ref.Clone())
+				} else {
+					// otherwise output and mount is the mutable child
+					active, err := makeMutable(ref)
+					if err != nil {
+						return nil, err
+					}
+					outputs = append(outputs, active)
+					mountable = active
+				}
+			} else if ref == nil {
+				// this case is empty readonly scratch without output that is not really useful for anything but don't error
+				active, err := makeMutable(ref)
+				if err != nil {
+					return nil, err
+				}
+				defer active.Release(context.TODO())
+				mountable = active
+			}
+
+		case pb.MountType_CACHE:
+			if m.CacheOpt == nil {
+				return nil, errors.Errorf("missing cache mount options")
+			}
+			mRef, err := e.getRefCacheDir(ctx, ref, m.CacheOpt.ID, m, m.CacheOpt.Sharing)
+			if err != nil {
+				return nil, err
+			}
+			mountable = mRef
+			defer func() {
+				go mRef.Release(context.TODO())
+			}()
+			if m.Output != pb.SkipOutput && ref != nil {
+				outputs = append(outputs, ref.Clone())
+			}
+
+		case pb.MountType_TMPFS:
+			mountable = newTmpfs()
+
+		default:
+			return nil, errors.Errorf("mount type %s not implemented", m.MountType)
+		}
+
+		// validate that there is a mount
+		if mountable == nil {
+			return nil, errors.Errorf("mount %s has no input", m.Dest)
+		}
+
+		// if dest is root we need mutable ref even if there is no output
+		if m.Dest == pb.RootMount {
+			root = mountable
+			readonlyRootFS = m.Readonly
+			if m.Output == pb.SkipOutput && readonlyRootFS {
+				active, err := makeMutable(ref)
+				if err != nil {
+					return nil, err
+				}
+				defer func() {
+					go active.Release(context.TODO())
+				}()
+				root = active
+			}
+		} else {
+			mounts = append(mounts, executor.Mount{Src: mountable, Dest: m.Dest, Readonly: m.Readonly, Selector: m.Selector})
+		}
+	}
+
+	// sort mounts so parents are mounted first
+	sort.Slice(mounts, func(i, j int) bool {
+		return mounts[i].Dest < mounts[j].Dest
+	})
+
+	meta := executor.Meta{
+		Args:           e.op.Meta.Args,
+		Env:            e.op.Meta.Env,
+		Cwd:            e.op.Meta.Cwd,
+		User:           e.op.Meta.User,
+		ReadonlyRootFS: readonlyRootFS,
+	}
+
+	if e.op.Meta.ProxyEnv != nil {
+		meta.Env = append(meta.Env, proxyEnvList(e.op.Meta.ProxyEnv)...)
+	}
+
+	stdout, stderr := logs.NewLogStreams(ctx, os.Getenv("BUILDKIT_DEBUG_EXEC_OUTPUT") == "1")
+	defer stdout.Close()
+	defer stderr.Close()
+
+	if err := e.exec.Exec(ctx, meta, root, mounts, nil, stdout, stderr); err != nil {
+		return nil, errors.Wrapf(err, "executor failed running %v", meta.Args)
+	}
+
+	refs := []solver.Result{}
+	for i, out := range outputs {
+		if mutable, ok := out.(cache.MutableRef); ok {
+			ref, err := mutable.Commit(ctx)
+			if err != nil {
+				return nil, errors.Wrapf(err, "error committing %s", mutable.ID())
+			}
+			refs = append(refs, worker.NewWorkerRefResult(ref, e.w))
+		} else {
+			refs = append(refs, worker.NewWorkerRefResult(out.(cache.ImmutableRef), e.w))
+		}
+		outputs[i] = nil
+	}
+	return refs, nil
+}
+
+func proxyEnvList(p *pb.ProxyEnv) []string {
+	out := []string{}
+	if v := p.HttpProxy; v != "" {
+		out = append(out, "HTTP_PROXY="+v, "http_proxy="+v)
+	}
+	if v := p.HttpsProxy; v != "" {
+		out = append(out, "HTTPS_PROXY="+v, "https_proxy="+v)
+	}
+	if v := p.FtpProxy; v != "" {
+		out = append(out, "FTP_PROXY="+v, "ftp_proxy="+v)
+	}
+	if v := p.NoProxy; v != "" {
+		out = append(out, "NO_PROXY="+v, "no_proxy="+v)
+	}
+	return out
+}
+
+func newTmpfs() cache.Mountable {
+	return &tmpfs{}
+}
+
+type tmpfs struct {
+}
+
+func (f *tmpfs) Mount(ctx context.Context, readonly bool) (snapshot.Mountable, error) {
+	return &tmpfsMount{readonly: readonly}, nil
+}
+
+type tmpfsMount struct {
+	readonly bool
+}
+
+func (m *tmpfsMount) Mount() ([]mount.Mount, error) {
+	opt := []string{"nosuid"}
+	if m.readonly {
+		opt = append(opt, "ro")
+	}
+	return []mount.Mount{{
+		Type:    "tmpfs",
+		Source:  "tmpfs",
+		Options: opt,
+	}}, nil
+}
+func (m *tmpfsMount) Release() error {
+	return nil
+}
+
+var cacheRefsLocker = locker.New()
+var sharedCacheRefs = &cacheRefs{}
+
+type cacheRefs struct {
+	mu     sync.Mutex
+	shares map[string]*cacheRefShare
+}
+
+func (r *cacheRefs) get(key string, fn func() (cache.MutableRef, error)) (cache.MutableRef, error) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if r.shares == nil {
+		r.shares = map[string]*cacheRefShare{}
+	}
+
+	share, ok := r.shares[key]
+	if ok {
+		return share.clone(), nil
+	}
+
+	mref, err := fn()
+	if err != nil {
+		return nil, err
+	}
+
+	share = &cacheRefShare{MutableRef: mref, main: r, key: key, refs: map[*cacheRef]struct{}{}}
+	r.shares[key] = share
+
+	return share.clone(), nil
+}
+
+type cacheRefShare struct {
+	cache.MutableRef
+	mu   sync.Mutex
+	refs map[*cacheRef]struct{}
+	main *cacheRefs
+	key  string
+}
+
+func (r *cacheRefShare) clone() cache.MutableRef {
+	cacheRef := &cacheRef{cacheRefShare: r}
+	r.mu.Lock()
+	r.refs[cacheRef] = struct{}{}
+	r.mu.Unlock()
+	return cacheRef
+}
+
+func (r *cacheRefShare) release(ctx context.Context) error {
+	if r.main != nil {
+		r.main.mu.Lock()
+		defer r.main.mu.Unlock()
+		delete(r.main.shares, r.key)
+	}
+	return r.MutableRef.Release(ctx)
+}
+
+type cacheRef struct {
+	*cacheRefShare
+}
+
+func (r *cacheRef) Release(ctx context.Context) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	delete(r.refs, r)
+	if len(r.refs) == 0 {
+		return r.release(ctx)
+	}
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/source.go b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/source.go
new file mode 100644
index 00000000..722861ee
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/ops/source.go
@@ -0,0 +1,78 @@
+package ops
+
+import (
+	"context"
+	"sync"
+
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/source"
+	"github.com/moby/buildkit/worker"
+	digest "github.com/opencontainers/go-digest"
+)
+
+const sourceCacheType = "buildkit.source.v0"
+
+type sourceOp struct {
+	mu       sync.Mutex
+	op       *pb.Op_Source
+	platform *pb.Platform
+	sm       *source.Manager
+	src      source.SourceInstance
+	w        worker.Worker
+}
+
+func NewSourceOp(_ solver.Vertex, op *pb.Op_Source, platform *pb.Platform, sm *source.Manager, w worker.Worker) (solver.Op, error) {
+	return &sourceOp{
+		op:       op,
+		sm:       sm,
+		w:        w,
+		platform: platform,
+	}, nil
+}
+
+func (s *sourceOp) instance(ctx context.Context) (source.SourceInstance, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.src != nil {
+		return s.src, nil
+	}
+	id, err := source.FromLLB(s.op, s.platform)
+	if err != nil {
+		return nil, err
+	}
+	src, err := s.sm.Resolve(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+	s.src = src
+	return s.src, nil
+}
+
+func (s *sourceOp) CacheMap(ctx context.Context, index int) (*solver.CacheMap, bool, error) {
+	src, err := s.instance(ctx)
+	if err != nil {
+		return nil, false, err
+	}
+	k, done, err := src.CacheKey(ctx, index)
+	if err != nil {
+		return nil, false, err
+	}
+
+	return &solver.CacheMap{
+		// TODO: add os/arch
+		Digest: digest.FromBytes([]byte(sourceCacheType + ":" + k)),
+	}, done, nil
+}
+
+func (s *sourceOp) Exec(ctx context.Context, _ []solver.Result) (outputs []solver.Result, err error) {
+	src, err := s.instance(ctx)
+	if err != nil {
+		return nil, err
+	}
+	ref, err := src.Snapshot(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return []solver.Result{worker.NewWorkerRefResult(ref, s.w)}, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/llbsolver/result.go b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/result.go
new file mode 100644
index 00000000..7049b868
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/result.go
@@ -0,0 +1,152 @@
+package llbsolver
+
+import (
+	"bytes"
+	"context"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/cache/contenthash"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/worker"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+func NewContentHashFunc(selectors []string) solver.ResultBasedCacheFunc {
+	return func(ctx context.Context, res solver.Result) (digest.Digest, error) {
+		ref, ok := res.Sys().(*worker.WorkerRef)
+		if !ok {
+			return "", errors.Errorf("invalid reference: %T", res)
+		}
+
+		if len(selectors) == 0 {
+			selectors = []string{""}
+		}
+
+		dgsts := make([][]byte, len(selectors))
+
+		eg, ctx := errgroup.WithContext(ctx)
+
+		for i, sel := range selectors {
+			// FIXME(tonistiigi): enabling this parallelization seems to create wrong results for some big inputs(like gobuild)
+			// func(i int) {
+			// 	eg.Go(func() error {
+			dgst, err := contenthash.Checksum(ctx, ref.ImmutableRef, path.Join("/", sel))
+			if err != nil {
+				return "", err
+			}
+			dgsts[i] = []byte(dgst)
+			// return nil
+			// })
+			// }(i)
+		}
+
+		if err := eg.Wait(); err != nil {
+			return "", err
+		}
+
+		return digest.FromBytes(bytes.Join(dgsts, []byte{0})), nil
+	}
+}
+
+func newCacheResultStorage(wc *worker.Controller) solver.CacheResultStorage {
+	return &cacheResultStorage{
+		wc: wc,
+	}
+}
+
+type cacheResultStorage struct {
+	wc *worker.Controller
+}
+
+func (s *cacheResultStorage) Save(res solver.Result) (solver.CacheResult, error) {
+	ref, ok := res.Sys().(*worker.WorkerRef)
+	if !ok {
+		return solver.CacheResult{}, errors.Errorf("invalid result: %T", res.Sys())
+	}
+	if ref.ImmutableRef != nil {
+		if !cache.HasCachePolicyRetain(ref.ImmutableRef) {
+			if err := cache.CachePolicyRetain(ref.ImmutableRef); err != nil {
+				return solver.CacheResult{}, err
+			}
+			ref.ImmutableRef.Metadata().Commit()
+		}
+	}
+	return solver.CacheResult{ID: ref.ID(), CreatedAt: time.Now()}, nil
+}
+func (s *cacheResultStorage) Load(ctx context.Context, res solver.CacheResult) (solver.Result, error) {
+	return s.load(res.ID)
+}
+
+func (s *cacheResultStorage) getWorkerRef(id string) (worker.Worker, string, error) {
+	workerID, refID, err := parseWorkerRef(id)
+	if err != nil {
+		return nil, "", err
+	}
+	w, err := s.wc.Get(workerID)
+	if err != nil {
+		return nil, "", err
+	}
+	return w, refID, nil
+}
+
+func (s *cacheResultStorage) load(id string) (solver.Result, error) {
+	w, refID, err := s.getWorkerRef(id)
+	if err != nil {
+		return nil, err
+	}
+	if refID == "" {
+		return worker.NewWorkerRefResult(nil, w), nil
+	}
+	ref, err := w.LoadRef(refID)
+	if err != nil {
+		return nil, err
+	}
+	return worker.NewWorkerRefResult(ref, w), nil
+}
+
+func (s *cacheResultStorage) LoadRemote(ctx context.Context, res solver.CacheResult) (*solver.Remote, error) {
+	w, refID, err := s.getWorkerRef(res.ID)
+	if err != nil {
+		return nil, err
+	}
+	ref, err := w.LoadRef(refID)
+	if err != nil {
+		return nil, err
+	}
+	defer ref.Release(context.TODO())
+	remote, err := w.GetRemote(ctx, ref, false)
+	if err != nil {
+		return nil, nil // ignore error. loadRemote is best effort
+	}
+	return remote, nil
+}
+func (s *cacheResultStorage) Exists(id string) bool {
+	ref, err := s.load(id)
+	if err != nil {
+		return false
+	}
+	ref.Release(context.TODO())
+	return true
+}
+
+func parseWorkerRef(id string) (string, string, error) {
+	parts := strings.Split(id, "::")
+	if len(parts) != 2 {
+		return "", "", errors.Errorf("invalid workerref id: %s", id)
+	}
+	return parts[0], parts[1], nil
+}
+
+func workerRefConverter(ctx context.Context, res solver.Result) (*solver.Remote, error) {
+	ref, ok := res.Sys().(*worker.WorkerRef)
+	if !ok {
+		return nil, errors.Errorf("invalid result: %T", res.Sys())
+	}
+
+	return ref.Worker.GetRemote(ctx, ref.ImmutableRef, true)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go
new file mode 100644
index 00000000..2e27f533
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/solver.go
@@ -0,0 +1,177 @@
+package llbsolver
+
+import (
+	"context"
+	"time"
+
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/cache/remotecache"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/exporter"
+	"github.com/moby/buildkit/frontend"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/util/progress"
+	"github.com/moby/buildkit/worker"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+type ExporterRequest struct {
+	Exporter        exporter.ExporterInstance
+	CacheExporter   remotecache.Exporter
+	CacheExportMode solver.CacheExportMode
+}
+
+// ResolveWorkerFunc returns default worker for the temporary default non-distributed use cases
+type ResolveWorkerFunc func() (worker.Worker, error)
+
+type Solver struct {
+	solver               *solver.Solver
+	resolveWorker        ResolveWorkerFunc
+	frontends            map[string]frontend.Frontend
+	resolveCacheImporter remotecache.ResolveCacheImporterFunc
+	platforms            []specs.Platform
+}
+
+func New(wc *worker.Controller, f map[string]frontend.Frontend, cacheStore solver.CacheKeyStorage, resolveCI remotecache.ResolveCacheImporterFunc) (*Solver, error) {
+	s := &Solver{
+		resolveWorker:        defaultResolver(wc),
+		frontends:            f,
+		resolveCacheImporter: resolveCI,
+	}
+
+	results := newCacheResultStorage(wc)
+
+	cache := solver.NewCacheManager("local", cacheStore, results)
+
+	// executing is currently only allowed on default worker
+	w, err := wc.GetDefault()
+	if err != nil {
+		return nil, err
+	}
+	s.platforms = w.Platforms()
+
+	s.solver = solver.NewSolver(solver.SolverOpt{
+		ResolveOpFunc: s.resolver(),
+		DefaultCache:  cache,
+	})
+	return s, nil
+}
+
+func (s *Solver) resolver() solver.ResolveOpFunc {
+	return func(v solver.Vertex, b solver.Builder) (solver.Op, error) {
+		w, err := s.resolveWorker()
+		if err != nil {
+			return nil, err
+		}
+		return w.ResolveOp(v, s.Bridge(b))
+	}
+}
+
+func (s *Solver) Bridge(b solver.Builder) frontend.FrontendLLBBridge {
+	return &llbBridge{
+		builder:              b,
+		frontends:            s.frontends,
+		resolveWorker:        s.resolveWorker,
+		resolveCacheImporter: s.resolveCacheImporter,
+		cms:                  map[string]solver.CacheManager{},
+		platforms:            s.platforms,
+	}
+}
+
+func (s *Solver) Solve(ctx context.Context, id string, req frontend.SolveRequest, exp ExporterRequest) (*client.SolveResponse, error) {
+	j, err := s.solver.NewJob(id)
+	if err != nil {
+		return nil, err
+	}
+
+	defer j.Discard()
+
+	j.SessionID = session.FromContext(ctx)
+
+	res, err := s.Bridge(j).Solve(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		res.EachRef(func(ref solver.CachedResult) error {
+			go ref.Release(context.TODO())
+			return nil
+		})
+	}()
+
+	var exporterResponse map[string]string
+	if exp := exp.Exporter; exp != nil {
+		var immutable cache.ImmutableRef
+		if res := res.Ref; res != nil { // FIXME(tonistiigi):
+			workerRef, ok := res.Sys().(*worker.WorkerRef)
+			if !ok {
+				return nil, errors.Errorf("invalid reference: %T", res.Sys())
+			}
+			immutable = workerRef.ImmutableRef
+		}
+
+		if err := j.Call(ctx, exp.Name(), func(ctx context.Context) error {
+			exporterResponse, err = exp.Export(ctx, immutable, res.Metadata)
+			return err
+		}); err != nil {
+			return nil, err
+		}
+	}
+
+	if e := exp.CacheExporter; e != nil {
+		if err := j.Call(ctx, "exporting cache", func(ctx context.Context) error {
+			prepareDone := oneOffProgress(ctx, "preparing build cache for export")
+			if err := res.EachRef(func(res solver.CachedResult) error {
+				_, err := res.CacheKey().Exporter.ExportTo(ctx, e, solver.CacheExportOpt{
+					Convert: workerRefConverter,
+					Mode:    exp.CacheExportMode,
+				})
+				return err
+			}); err != nil {
+				return prepareDone(err)
+			}
+			prepareDone(nil)
+			return e.Finalize(ctx)
+		}); err != nil {
+			return nil, err
+		}
+	}
+
+	return &client.SolveResponse{
+		ExporterResponse: exporterResponse,
+	}, nil
+}
+
+func (s *Solver) Status(ctx context.Context, id string, statusChan chan *client.SolveStatus) error {
+	j, err := s.solver.Get(id)
+	if err != nil {
+		return err
+	}
+	return j.Status(ctx, statusChan)
+}
+
+func defaultResolver(wc *worker.Controller) ResolveWorkerFunc {
+	return func() (worker.Worker, error) {
+		return wc.GetDefault()
+	}
+}
+
+func oneOffProgress(ctx context.Context, id string) func(err error) error {
+	pw, _, _ := progress.FromContext(ctx)
+	now := time.Now()
+	st := progress.Status{
+		Started: &now,
+	}
+	pw.Write(id, st)
+	return func(err error) error {
+		// TODO: set error on status
+		now := time.Now()
+		st.Completed = &now
+		pw.Write(id, st)
+		pw.Close()
+		return err
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go
new file mode 100644
index 00000000..bd04e1ed
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/llbsolver/vertex.go
@@ -0,0 +1,185 @@
+package llbsolver
+
+import (
+	"strings"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/moby/buildkit/solver"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/source"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+type vertex struct {
+	sys     interface{}
+	options solver.VertexOptions
+	inputs  []solver.Edge
+	digest  digest.Digest
+	name    string
+}
+
+func (v *vertex) Digest() digest.Digest {
+	return v.digest
+}
+
+func (v *vertex) Sys() interface{} {
+	return v.sys
+}
+
+func (v *vertex) Options() solver.VertexOptions {
+	return v.options
+}
+
+func (v *vertex) Inputs() []solver.Edge {
+	return v.inputs
+}
+
+func (v *vertex) Name() string {
+	return v.name
+}
+
+type LoadOpt func(*pb.Op, *pb.OpMetadata, *solver.VertexOptions) error
+
+func WithCacheSources(cms []solver.CacheManager) LoadOpt {
+	return func(_ *pb.Op, _ *pb.OpMetadata, opt *solver.VertexOptions) error {
+		opt.CacheSources = cms
+		return nil
+	}
+}
+
+func RuntimePlatforms(p []specs.Platform) LoadOpt {
+	var defaultPlatform *pb.Platform
+	pp := make([]specs.Platform, len(p))
+	for i := range p {
+		pp[i] = platforms.Normalize(p[i])
+	}
+	return func(op *pb.Op, _ *pb.OpMetadata, opt *solver.VertexOptions) error {
+		if op.Platform == nil {
+			if defaultPlatform == nil {
+				p := platforms.DefaultSpec()
+				defaultPlatform = &pb.Platform{
+					OS:           p.OS,
+					Architecture: p.Architecture,
+				}
+			}
+			op.Platform = defaultPlatform
+		}
+		if _, ok := op.Op.(*pb.Op_Exec); ok {
+			var found bool
+			for _, pp := range pp {
+				if pp.OS == op.Platform.OS && pp.Architecture == op.Platform.Architecture && pp.Variant == op.Platform.Variant {
+					found = true
+					break
+				}
+			}
+			if !found {
+				return errors.Errorf("runtime execution on platform %s not supported", platforms.Format(specs.Platform{OS: op.Platform.OS, Architecture: op.Platform.Architecture, Variant: op.Platform.Variant}))
+			}
+		}
+		return nil
+	}
+}
+
+func Load(def *pb.Definition, opts ...LoadOpt) (solver.Edge, error) {
+	return loadLLB(def, func(dgst digest.Digest, pbOp *pb.Op, load func(digest.Digest) (solver.Vertex, error)) (solver.Vertex, error) {
+		opMetadata := def.Metadata[dgst]
+		vtx, err := newVertex(dgst, pbOp, &opMetadata, load, opts...)
+		if err != nil {
+			return nil, err
+		}
+		return vtx, nil
+	})
+}
+
+func newVertex(dgst digest.Digest, op *pb.Op, opMeta *pb.OpMetadata, load func(digest.Digest) (solver.Vertex, error), opts ...LoadOpt) (*vertex, error) {
+	opt := solver.VertexOptions{}
+	if opMeta != nil {
+		opt.IgnoreCache = opMeta.IgnoreCache
+		opt.Description = opMeta.Description
+		if opMeta.ExportCache != nil {
+			opt.ExportCache = &opMeta.ExportCache.Value
+		}
+	}
+	for _, fn := range opts {
+		if err := fn(op, opMeta, &opt); err != nil {
+			return nil, err
+		}
+	}
+	vtx := &vertex{sys: op, options: opt, digest: dgst, name: llbOpName(op)}
+	for _, in := range op.Inputs {
+		sub, err := load(in.Digest)
+		if err != nil {
+			return nil, err
+		}
+		vtx.inputs = append(vtx.inputs, solver.Edge{Index: solver.Index(in.Index), Vertex: sub})
+	}
+	return vtx, nil
+}
+
+// loadLLB loads LLB.
+// fn is executed sequentially.
+func loadLLB(def *pb.Definition, fn func(digest.Digest, *pb.Op, func(digest.Digest) (solver.Vertex, error)) (solver.Vertex, error)) (solver.Edge, error) {
+	if len(def.Def) == 0 {
+		return solver.Edge{}, errors.New("invalid empty definition")
+	}
+
+	allOps := make(map[digest.Digest]*pb.Op)
+
+	var dgst digest.Digest
+
+	for _, dt := range def.Def {
+		var op pb.Op
+		if err := (&op).Unmarshal(dt); err != nil {
+			return solver.Edge{}, errors.Wrap(err, "failed to parse llb proto op")
+		}
+		dgst = digest.FromBytes(dt)
+		allOps[dgst] = &op
+	}
+
+	lastOp := allOps[dgst]
+	delete(allOps, dgst)
+	dgst = lastOp.Inputs[0].Digest
+
+	cache := make(map[digest.Digest]solver.Vertex)
+
+	var rec func(dgst digest.Digest) (solver.Vertex, error)
+	rec = func(dgst digest.Digest) (solver.Vertex, error) {
+		if v, ok := cache[dgst]; ok {
+			return v, nil
+		}
+		v, err := fn(dgst, allOps[dgst], rec)
+		if err != nil {
+			return nil, err
+		}
+		cache[dgst] = v
+		return v, nil
+	}
+
+	v, err := rec(dgst)
+	if err != nil {
+		return solver.Edge{}, err
+	}
+	return solver.Edge{Vertex: v, Index: solver.Index(lastOp.Inputs[0].Index)}, nil
+}
+
+func llbOpName(op *pb.Op) string {
+	switch op := op.Op.(type) {
+	case *pb.Op_Source:
+		if id, err := source.FromLLB(op, nil); err == nil {
+			if id, ok := id.(*source.LocalIdentifier); ok {
+				if len(id.IncludePatterns) == 1 {
+					return op.Source.Identifier + " (" + id.IncludePatterns[0] + ")"
+				}
+			}
+		}
+		return op.Source.Identifier
+	case *pb.Op_Exec:
+		return strings.Join(op.Exec.Meta.Args, " ")
+	case *pb.Op_Build:
+		return "build"
+	default:
+		return "unknown"
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/memorycachestorage.go b/engine/vendor/github.com/moby/buildkit/solver/memorycachestorage.go
new file mode 100644
index 00000000..75c8abde
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/memorycachestorage.go
@@ -0,0 +1,307 @@
+package solver
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+func NewInMemoryCacheStorage() CacheKeyStorage {
+	return &inMemoryStore{
+		byID:     map[string]*inMemoryKey{},
+		byResult: map[string]map[string]struct{}{},
+	}
+}
+
+type inMemoryStore struct {
+	mu       sync.RWMutex
+	byID     map[string]*inMemoryKey
+	byResult map[string]map[string]struct{}
+}
+
+type inMemoryKey struct {
+	id        string
+	results   map[string]CacheResult
+	links     map[CacheInfoLink]map[string]struct{}
+	backlinks map[string]struct{}
+}
+
+func (s *inMemoryStore) Exists(id string) bool {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	if k, ok := s.byID[id]; ok {
+		return len(k.links) > 0 || len(k.results) > 0
+	}
+	return false
+}
+
+func newInMemoryKey(id string) *inMemoryKey {
+	return &inMemoryKey{
+		results:   map[string]CacheResult{},
+		links:     map[CacheInfoLink]map[string]struct{}{},
+		backlinks: map[string]struct{}{},
+		id:        id,
+	}
+}
+
+func (s *inMemoryStore) Walk(fn func(string) error) error {
+	s.mu.RLock()
+	ids := make([]string, 0, len(s.byID))
+	for id := range s.byID {
+		ids = append(ids, id)
+	}
+	s.mu.RUnlock()
+
+	for _, id := range ids {
+		if err := fn(id); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *inMemoryStore) WalkResults(id string, fn func(CacheResult) error) error {
+	s.mu.RLock()
+
+	k, ok := s.byID[id]
+	if !ok {
+		s.mu.RUnlock()
+		return nil
+	}
+	copy := make([]CacheResult, 0, len(k.results))
+	for _, res := range k.results {
+		copy = append(copy, res)
+	}
+	s.mu.RUnlock()
+
+	for _, res := range copy {
+		if err := fn(res); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *inMemoryStore) Load(id string, resultID string) (CacheResult, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	k, ok := s.byID[id]
+	if !ok {
+		return CacheResult{}, errors.Wrapf(ErrNotFound, "no such key %s", id)
+	}
+	r, ok := k.results[resultID]
+	if !ok {
+		return CacheResult{}, errors.WithStack(ErrNotFound)
+	}
+	return r, nil
+}
+
+func (s *inMemoryStore) AddResult(id string, res CacheResult) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	k, ok := s.byID[id]
+	if !ok {
+		k = newInMemoryKey(id)
+		s.byID[id] = k
+	}
+	k.results[res.ID] = res
+	m, ok := s.byResult[res.ID]
+	if !ok {
+		m = map[string]struct{}{}
+		s.byResult[res.ID] = m
+	}
+	m[id] = struct{}{}
+	return nil
+}
+
+func (s *inMemoryStore) WalkIDsByResult(resultID string, fn func(string) error) error {
+	s.mu.Lock()
+
+	ids := map[string]struct{}{}
+	for id := range s.byResult[resultID] {
+		ids[id] = struct{}{}
+	}
+	s.mu.Unlock()
+
+	for id := range ids {
+		if err := fn(id); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *inMemoryStore) Release(resultID string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	ids, ok := s.byResult[resultID]
+	if !ok {
+		return nil
+	}
+
+	for id := range ids {
+		k, ok := s.byID[id]
+		if !ok {
+			continue
+		}
+
+		delete(k.results, resultID)
+		delete(s.byResult[resultID], id)
+		if len(s.byResult[resultID]) == 0 {
+			delete(s.byResult, resultID)
+		}
+
+		s.emptyBranchWithParents(k)
+	}
+
+	return nil
+}
+
+func (s *inMemoryStore) emptyBranchWithParents(k *inMemoryKey) {
+	if len(k.results) != 0 || len(k.links) != 0 {
+		return
+	}
+	for id := range k.backlinks {
+		p, ok := s.byID[id]
+		if !ok {
+			continue
+		}
+		for l := range p.links {
+			delete(p.links[l], k.id)
+			if len(p.links[l]) == 0 {
+				delete(p.links, l)
+			}
+		}
+		s.emptyBranchWithParents(p)
+	}
+
+	delete(s.byID, k.id)
+}
+
+func (s *inMemoryStore) AddLink(id string, link CacheInfoLink, target string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	k, ok := s.byID[id]
+	if !ok {
+		k = newInMemoryKey(id)
+		s.byID[id] = k
+	}
+	k2, ok := s.byID[target]
+	if !ok {
+		k2 = newInMemoryKey(target)
+		s.byID[target] = k2
+	}
+	m, ok := k.links[link]
+	if !ok {
+		m = map[string]struct{}{}
+		k.links[link] = m
+	}
+
+	k2.backlinks[id] = struct{}{}
+	m[target] = struct{}{}
+	return nil
+}
+
+func (s *inMemoryStore) WalkLinks(id string, link CacheInfoLink, fn func(id string) error) error {
+	s.mu.RLock()
+	k, ok := s.byID[id]
+	if !ok {
+		s.mu.RUnlock()
+		return nil
+	}
+	var links []string
+	for target := range k.links[link] {
+		links = append(links, target)
+	}
+	s.mu.RUnlock()
+
+	for _, t := range links {
+		if err := fn(t); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (s *inMemoryStore) HasLink(id string, link CacheInfoLink, target string) bool {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	if k, ok := s.byID[id]; ok {
+		if v, ok := k.links[link]; ok {
+			if _, ok := v[target]; ok {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (s *inMemoryStore) WalkBacklinks(id string, fn func(id string, link CacheInfoLink) error) error {
+	s.mu.RLock()
+	k, ok := s.byID[id]
+	if !ok {
+		s.mu.RUnlock()
+		return nil
+	}
+	var outIDs []string
+	var outLinks []CacheInfoLink
+	for bid := range k.backlinks {
+		b, ok := s.byID[bid]
+		if !ok {
+			continue
+		}
+		for l, m := range b.links {
+			if _, ok := m[id]; !ok {
+				continue
+			}
+			outIDs = append(outIDs, bid)
+			outLinks = append(outLinks, CacheInfoLink{
+				Digest:   rootKey(l.Digest, l.Output),
+				Input:    l.Input,
+				Selector: l.Selector,
+			})
+		}
+	}
+	s.mu.RUnlock()
+
+	for i := range outIDs {
+		if err := fn(outIDs[i], outLinks[i]); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func NewInMemoryResultStorage() CacheResultStorage {
+	return &inMemoryResultStore{m: &sync.Map{}}
+}
+
+type inMemoryResultStore struct {
+	m *sync.Map
+}
+
+func (s *inMemoryResultStore) Save(r Result) (CacheResult, error) {
+	s.m.Store(r.ID(), r)
+	return CacheResult{ID: r.ID(), CreatedAt: time.Now()}, nil
+}
+
+func (s *inMemoryResultStore) Load(ctx context.Context, res CacheResult) (Result, error) {
+	v, ok := s.m.Load(res.ID)
+	if !ok {
+		return nil, errors.WithStack(ErrNotFound)
+	}
+	return v.(Result), nil
+}
+
+func (s *inMemoryResultStore) LoadRemote(ctx context.Context, res CacheResult) (*Remote, error) {
+	return nil, nil
+}
+
+func (s *inMemoryResultStore) Exists(id string) bool {
+	_, ok := s.m.Load(id)
+	return ok
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/pb/attr.go b/engine/vendor/github.com/moby/buildkit/solver/pb/attr.go
new file mode 100644
index 00000000..6f5f77ff
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/pb/attr.go
@@ -0,0 +1,17 @@
+package pb
+
+const AttrKeepGitDir = "git.keepgitdir"
+const AttrFullRemoteURL = "git.fullurl"
+const AttrLocalSessionID = "local.session"
+const AttrLocalUniqueID = "local.unique"
+const AttrIncludePatterns = "local.includepattern"
+const AttrFollowPaths = "local.followpaths"
+const AttrExcludePatterns = "local.excludepatterns"
+const AttrSharedKeyHint = "local.sharedkeyhint"
+const AttrLLBDefinitionFilename = "llbbuild.filename"
+
+const AttrHTTPChecksum = "http.checksum"
+const AttrHTTPFilename = "http.filename"
+const AttrHTTPPerm = "http.perm"
+const AttrHTTPUID = "http.uid"
+const AttrHTTPGID = "http.gid"
diff --git a/engine/vendor/github.com/moby/buildkit/solver/pb/const.go b/engine/vendor/github.com/moby/buildkit/solver/pb/const.go
new file mode 100644
index 00000000..2cb99510
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/pb/const.go
@@ -0,0 +1,12 @@
+package pb
+
+type InputIndex int64
+type OutputIndex int64
+
+const RootMount = "/"
+const SkipOutput OutputIndex = -1
+const Empty InputIndex = -1
+const LLBBuilder InputIndex = -1
+
+const LLBDefinitionInput = "buildkit.llb.definition"
+const LLBDefaultDefinitionFile = LLBDefinitionInput
diff --git a/engine/vendor/github.com/moby/buildkit/solver/pb/generate.go b/engine/vendor/github.com/moby/buildkit/solver/pb/generate.go
new file mode 100644
index 00000000..c31e148f
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/pb/generate.go
@@ -0,0 +1,3 @@
+package pb
+
+//go:generate protoc -I=. -I=../../vendor/ --gogofaster_out=. ops.proto
diff --git a/engine/vendor/github.com/moby/buildkit/solver/pb/ops.pb.go b/engine/vendor/github.com/moby/buildkit/solver/pb/ops.pb.go
new file mode 100644
index 00000000..881e87c3
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/pb/ops.pb.go
@@ -0,0 +1,4960 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: ops.proto
+
+/*
+	Package pb is a generated protocol buffer package.
+
+	Package pb provides the protobuf definition of LLB: low-level builder instruction.
+	LLB is DAG-structured; Op represents a vertex, and Definition represents a graph.
+
+	It is generated from these files:
+		ops.proto
+
+	It has these top-level messages:
+		Op
+		Platform
+		Input
+		ExecOp
+		Meta
+		Mount
+		CacheOpt
+		CopyOp
+		CopySource
+		SourceOp
+		BuildOp
+		BuildInput
+		OpMetadata
+		ExportCache
+		ProxyEnv
+		WorkerConstraints
+		Definition
+*/
+package pb
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+import _ "github.com/gogo/protobuf/gogoproto"
+
+import github_com_opencontainers_go_digest "github.com/opencontainers/go-digest"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+// MountType defines a type of a mount from a supported set
+type MountType int32
+
+const (
+	MountType_BIND   MountType = 0
+	MountType_SECRET MountType = 1
+	MountType_SSH    MountType = 2
+	MountType_CACHE  MountType = 3
+	MountType_TMPFS  MountType = 4
+)
+
+var MountType_name = map[int32]string{
+	0: "BIND",
+	1: "SECRET",
+	2: "SSH",
+	3: "CACHE",
+	4: "TMPFS",
+}
+var MountType_value = map[string]int32{
+	"BIND":   0,
+	"SECRET": 1,
+	"SSH":    2,
+	"CACHE":  3,
+	"TMPFS":  4,
+}
+
+func (x MountType) String() string {
+	return proto.EnumName(MountType_name, int32(x))
+}
+func (MountType) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{0} }
+
+// CacheSharingOpt defines different sharing modes for cache mount
+type CacheSharingOpt int32
+
+const (
+	// SHARED cache mount can be used concurrently by multiple writers
+	CacheSharingOpt_SHARED CacheSharingOpt = 0
+	// PRIVATE creates a new mount if there are multiple writers
+	CacheSharingOpt_PRIVATE CacheSharingOpt = 1
+	// LOCKED pauses second writer until first one releases the mount
+	CacheSharingOpt_LOCKED CacheSharingOpt = 2
+)
+
+var CacheSharingOpt_name = map[int32]string{
+	0: "SHARED",
+	1: "PRIVATE",
+	2: "LOCKED",
+}
+var CacheSharingOpt_value = map[string]int32{
+	"SHARED":  0,
+	"PRIVATE": 1,
+	"LOCKED":  2,
+}
+
+func (x CacheSharingOpt) String() string {
+	return proto.EnumName(CacheSharingOpt_name, int32(x))
+}
+func (CacheSharingOpt) EnumDescriptor() ([]byte, []int) { return fileDescriptorOps, []int{1} }
+
+// Op represents a vertex of the LLB DAG.
+type Op struct {
+	// inputs is a set of input edges.
+	Inputs []*Input `protobuf:"bytes,1,rep,name=inputs" json:"inputs,omitempty"`
+	// Types that are valid to be assigned to Op:
+	//	*Op_Exec
+	//	*Op_Source
+	//	*Op_Copy
+	//	*Op_Build
+	Op          isOp_Op            `protobuf_oneof:"op"`
+	Platform    *Platform          `protobuf:"bytes,10,opt,name=platform" json:"platform,omitempty"`
+	Constraints *WorkerConstraints `protobuf:"bytes,11,opt,name=constraints" json:"constraints,omitempty"`
+}
+
+func (m *Op) Reset()                    { *m = Op{} }
+func (m *Op) String() string            { return proto.CompactTextString(m) }
+func (*Op) ProtoMessage()               {}
+func (*Op) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{0} }
+
+type isOp_Op interface {
+	isOp_Op()
+	MarshalTo([]byte) (int, error)
+	Size() int
+}
+
+type Op_Exec struct {
+	Exec *ExecOp `protobuf:"bytes,2,opt,name=exec,oneof"`
+}
+type Op_Source struct {
+	Source *SourceOp `protobuf:"bytes,3,opt,name=source,oneof"`
+}
+type Op_Copy struct {
+	Copy *CopyOp `protobuf:"bytes,4,opt,name=copy,oneof"`
+}
+type Op_Build struct {
+	Build *BuildOp `protobuf:"bytes,5,opt,name=build,oneof"`
+}
+
+func (*Op_Exec) isOp_Op()   {}
+func (*Op_Source) isOp_Op() {}
+func (*Op_Copy) isOp_Op()   {}
+func (*Op_Build) isOp_Op()  {}
+
+func (m *Op) GetOp() isOp_Op {
+	if m != nil {
+		return m.Op
+	}
+	return nil
+}
+
+func (m *Op) GetInputs() []*Input {
+	if m != nil {
+		return m.Inputs
+	}
+	return nil
+}
+
+func (m *Op) GetExec() *ExecOp {
+	if x, ok := m.GetOp().(*Op_Exec); ok {
+		return x.Exec
+	}
+	return nil
+}
+
+func (m *Op) GetSource() *SourceOp {
+	if x, ok := m.GetOp().(*Op_Source); ok {
+		return x.Source
+	}
+	return nil
+}
+
+func (m *Op) GetCopy() *CopyOp {
+	if x, ok := m.GetOp().(*Op_Copy); ok {
+		return x.Copy
+	}
+	return nil
+}
+
+func (m *Op) GetBuild() *BuildOp {
+	if x, ok := m.GetOp().(*Op_Build); ok {
+		return x.Build
+	}
+	return nil
+}
+
+func (m *Op) GetPlatform() *Platform {
+	if m != nil {
+		return m.Platform
+	}
+	return nil
+}
+
+func (m *Op) GetConstraints() *WorkerConstraints {
+	if m != nil {
+		return m.Constraints
+	}
+	return nil
+}
+
+// XXX_OneofFuncs is for the internal use of the proto package.
+func (*Op) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
+	return _Op_OneofMarshaler, _Op_OneofUnmarshaler, _Op_OneofSizer, []interface{}{
+		(*Op_Exec)(nil),
+		(*Op_Source)(nil),
+		(*Op_Copy)(nil),
+		(*Op_Build)(nil),
+	}
+}
+
+func _Op_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
+	m := msg.(*Op)
+	// op
+	switch x := m.Op.(type) {
+	case *Op_Exec:
+		_ = b.EncodeVarint(2<<3 | proto.WireBytes)
+		if err := b.EncodeMessage(x.Exec); err != nil {
+			return err
+		}
+	case *Op_Source:
+		_ = b.EncodeVarint(3<<3 | proto.WireBytes)
+		if err := b.EncodeMessage(x.Source); err != nil {
+			return err
+		}
+	case *Op_Copy:
+		_ = b.EncodeVarint(4<<3 | proto.WireBytes)
+		if err := b.EncodeMessage(x.Copy); err != nil {
+			return err
+		}
+	case *Op_Build:
+		_ = b.EncodeVarint(5<<3 | proto.WireBytes)
+		if err := b.EncodeMessage(x.Build); err != nil {
+			return err
+		}
+	case nil:
+	default:
+		return fmt.Errorf("Op.Op has unexpected type %T", x)
+	}
+	return nil
+}
+
+func _Op_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
+	m := msg.(*Op)
+	switch tag {
+	case 2: // op.exec
+		if wire != proto.WireBytes {
+			return true, proto.ErrInternalBadWireType
+		}
+		msg := new(ExecOp)
+		err := b.DecodeMessage(msg)
+		m.Op = &Op_Exec{msg}
+		return true, err
+	case 3: // op.source
+		if wire != proto.WireBytes {
+			return true, proto.ErrInternalBadWireType
+		}
+		msg := new(SourceOp)
+		err := b.DecodeMessage(msg)
+		m.Op = &Op_Source{msg}
+		return true, err
+	case 4: // op.copy
+		if wire != proto.WireBytes {
+			return true, proto.ErrInternalBadWireType
+		}
+		msg := new(CopyOp)
+		err := b.DecodeMessage(msg)
+		m.Op = &Op_Copy{msg}
+		return true, err
+	case 5: // op.build
+		if wire != proto.WireBytes {
+			return true, proto.ErrInternalBadWireType
+		}
+		msg := new(BuildOp)
+		err := b.DecodeMessage(msg)
+		m.Op = &Op_Build{msg}
+		return true, err
+	default:
+		return false, nil
+	}
+}
+
+func _Op_OneofSizer(msg proto.Message) (n int) {
+	m := msg.(*Op)
+	// op
+	switch x := m.Op.(type) {
+	case *Op_Exec:
+		s := proto.Size(x.Exec)
+		n += proto.SizeVarint(2<<3 | proto.WireBytes)
+		n += proto.SizeVarint(uint64(s))
+		n += s
+	case *Op_Source:
+		s := proto.Size(x.Source)
+		n += proto.SizeVarint(3<<3 | proto.WireBytes)
+		n += proto.SizeVarint(uint64(s))
+		n += s
+	case *Op_Copy:
+		s := proto.Size(x.Copy)
+		n += proto.SizeVarint(4<<3 | proto.WireBytes)
+		n += proto.SizeVarint(uint64(s))
+		n += s
+	case *Op_Build:
+		s := proto.Size(x.Build)
+		n += proto.SizeVarint(5<<3 | proto.WireBytes)
+		n += proto.SizeVarint(uint64(s))
+		n += s
+	case nil:
+	default:
+		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
+	}
+	return n
+}
+
+// Platform is github.com/opencontainers/image-spec/specs-go/v1.Platform
+type Platform struct {
+	Architecture string   `protobuf:"bytes,1,opt,name=Architecture,proto3" json:"Architecture,omitempty"`
+	OS           string   `protobuf:"bytes,2,opt,name=OS,proto3" json:"OS,omitempty"`
+	Variant      string   `protobuf:"bytes,3,opt,name=Variant,proto3" json:"Variant,omitempty"`
+	OSVersion    string   `protobuf:"bytes,4,opt,name=OSVersion,proto3" json:"OSVersion,omitempty"`
+	OSFeatures   []string `protobuf:"bytes,5,rep,name=OSFeatures" json:"OSFeatures,omitempty"`
+}
+
+func (m *Platform) Reset()                    { *m = Platform{} }
+func (m *Platform) String() string            { return proto.CompactTextString(m) }
+func (*Platform) ProtoMessage()               {}
+func (*Platform) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{1} }
+
+func (m *Platform) GetArchitecture() string {
+	if m != nil {
+		return m.Architecture
+	}
+	return ""
+}
+
+func (m *Platform) GetOS() string {
+	if m != nil {
+		return m.OS
+	}
+	return ""
+}
+
+func (m *Platform) GetVariant() string {
+	if m != nil {
+		return m.Variant
+	}
+	return ""
+}
+
+func (m *Platform) GetOSVersion() string {
+	if m != nil {
+		return m.OSVersion
+	}
+	return ""
+}
+
+func (m *Platform) GetOSFeatures() []string {
+	if m != nil {
+		return m.OSFeatures
+	}
+	return nil
+}
+
+// Input represents an input edge for an Op.
+type Input struct {
+	// digest of the marshaled input Op
+	Digest github_com_opencontainers_go_digest.Digest `protobuf:"bytes,1,opt,name=digest,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"digest"`
+	// output index of the input Op
+	Index OutputIndex `protobuf:"varint,2,opt,name=index,proto3,customtype=OutputIndex" json:"index"`
+}
+
+func (m *Input) Reset()                    { *m = Input{} }
+func (m *Input) String() string            { return proto.CompactTextString(m) }
+func (*Input) ProtoMessage()               {}
+func (*Input) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{2} }
+
+// ExecOp executes a command in a container.
+type ExecOp struct {
+	Meta   *Meta    `protobuf:"bytes,1,opt,name=meta" json:"meta,omitempty"`
+	Mounts []*Mount `protobuf:"bytes,2,rep,name=mounts" json:"mounts,omitempty"`
+}
+
+func (m *ExecOp) Reset()                    { *m = ExecOp{} }
+func (m *ExecOp) String() string            { return proto.CompactTextString(m) }
+func (*ExecOp) ProtoMessage()               {}
+func (*ExecOp) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{3} }
+
+func (m *ExecOp) GetMeta() *Meta {
+	if m != nil {
+		return m.Meta
+	}
+	return nil
+}
+
+func (m *ExecOp) GetMounts() []*Mount {
+	if m != nil {
+		return m.Mounts
+	}
+	return nil
+}
+
+// Meta is a set of arguments for ExecOp.
+// Meta is unrelated to LLB metadata.
+// FIXME: rename (ExecContext? ExecArgs?)
+type Meta struct {
+	Args     []string  `protobuf:"bytes,1,rep,name=args" json:"args,omitempty"`
+	Env      []string  `protobuf:"bytes,2,rep,name=env" json:"env,omitempty"`
+	Cwd      string    `protobuf:"bytes,3,opt,name=cwd,proto3" json:"cwd,omitempty"`
+	User     string    `protobuf:"bytes,4,opt,name=user,proto3" json:"user,omitempty"`
+	ProxyEnv *ProxyEnv `protobuf:"bytes,5,opt,name=proxy_env,json=proxyEnv" json:"proxy_env,omitempty"`
+}
+
+func (m *Meta) Reset()                    { *m = Meta{} }
+func (m *Meta) String() string            { return proto.CompactTextString(m) }
+func (*Meta) ProtoMessage()               {}
+func (*Meta) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{4} }
+
+func (m *Meta) GetArgs() []string {
+	if m != nil {
+		return m.Args
+	}
+	return nil
+}
+
+func (m *Meta) GetEnv() []string {
+	if m != nil {
+		return m.Env
+	}
+	return nil
+}
+
+func (m *Meta) GetCwd() string {
+	if m != nil {
+		return m.Cwd
+	}
+	return ""
+}
+
+func (m *Meta) GetUser() string {
+	if m != nil {
+		return m.User
+	}
+	return ""
+}
+
+func (m *Meta) GetProxyEnv() *ProxyEnv {
+	if m != nil {
+		return m.ProxyEnv
+	}
+	return nil
+}
+
+// Mount specifies how to mount an input Op as a filesystem.
+type Mount struct {
+	Input     InputIndex  `protobuf:"varint,1,opt,name=input,proto3,customtype=InputIndex" json:"input"`
+	Selector  string      `protobuf:"bytes,2,opt,name=selector,proto3" json:"selector,omitempty"`
+	Dest      string      `protobuf:"bytes,3,opt,name=dest,proto3" json:"dest,omitempty"`
+	Output    OutputIndex `protobuf:"varint,4,opt,name=output,proto3,customtype=OutputIndex" json:"output"`
+	Readonly  bool        `protobuf:"varint,5,opt,name=readonly,proto3" json:"readonly,omitempty"`
+	MountType MountType   `protobuf:"varint,6,opt,name=mountType,proto3,enum=pb.MountType" json:"mountType,omitempty"`
+	CacheOpt  *CacheOpt   `protobuf:"bytes,20,opt,name=cacheOpt" json:"cacheOpt,omitempty"`
+}
+
+func (m *Mount) Reset()                    { *m = Mount{} }
+func (m *Mount) String() string            { return proto.CompactTextString(m) }
+func (*Mount) ProtoMessage()               {}
+func (*Mount) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{5} }
+
+func (m *Mount) GetSelector() string {
+	if m != nil {
+		return m.Selector
+	}
+	return ""
+}
+
+func (m *Mount) GetDest() string {
+	if m != nil {
+		return m.Dest
+	}
+	return ""
+}
+
+func (m *Mount) GetReadonly() bool {
+	if m != nil {
+		return m.Readonly
+	}
+	return false
+}
+
+func (m *Mount) GetMountType() MountType {
+	if m != nil {
+		return m.MountType
+	}
+	return MountType_BIND
+}
+
+func (m *Mount) GetCacheOpt() *CacheOpt {
+	if m != nil {
+		return m.CacheOpt
+	}
+	return nil
+}
+
+// CacheOpt defines options specific to cache mounts
+type CacheOpt struct {
+	// ID is an optional namespace for the mount
+	ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	// Sharing is the sharing mode for the mount
+	Sharing CacheSharingOpt `protobuf:"varint,2,opt,name=sharing,proto3,enum=pb.CacheSharingOpt" json:"sharing,omitempty"`
+}
+
+func (m *CacheOpt) Reset()                    { *m = CacheOpt{} }
+func (m *CacheOpt) String() string            { return proto.CompactTextString(m) }
+func (*CacheOpt) ProtoMessage()               {}
+func (*CacheOpt) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{6} }
+
+func (m *CacheOpt) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+func (m *CacheOpt) GetSharing() CacheSharingOpt {
+	if m != nil {
+		return m.Sharing
+	}
+	return CacheSharingOpt_SHARED
+}
+
+// CopyOp copies files across Ops.
+type CopyOp struct {
+	Src  []*CopySource `protobuf:"bytes,1,rep,name=src" json:"src,omitempty"`
+	Dest string        `protobuf:"bytes,2,opt,name=dest,proto3" json:"dest,omitempty"`
+}
+
+func (m *CopyOp) Reset()                    { *m = CopyOp{} }
+func (m *CopyOp) String() string            { return proto.CompactTextString(m) }
+func (*CopyOp) ProtoMessage()               {}
+func (*CopyOp) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{7} }
+
+func (m *CopyOp) GetSrc() []*CopySource {
+	if m != nil {
+		return m.Src
+	}
+	return nil
+}
+
+func (m *CopyOp) GetDest() string {
+	if m != nil {
+		return m.Dest
+	}
+	return ""
+}
+
+// CopySource specifies a source for CopyOp.
+type CopySource struct {
+	Input    InputIndex `protobuf:"varint,1,opt,name=input,proto3,customtype=InputIndex" json:"input"`
+	Selector string     `protobuf:"bytes,2,opt,name=selector,proto3" json:"selector,omitempty"`
+}
+
+func (m *CopySource) Reset()                    { *m = CopySource{} }
+func (m *CopySource) String() string            { return proto.CompactTextString(m) }
+func (*CopySource) ProtoMessage()               {}
+func (*CopySource) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{8} }
+
+func (m *CopySource) GetSelector() string {
+	if m != nil {
+		return m.Selector
+	}
+	return ""
+}
+
+// SourceOp specifies a source such as build contexts and images.
+type SourceOp struct {
+	// TODO: use source type or any type instead of URL protocol.
+	// identifier e.g. local://, docker-image://, git://, https://...
+	Identifier string `protobuf:"bytes,1,opt,name=identifier,proto3" json:"identifier,omitempty"`
+	// attrs are defined in attr.go
+	Attrs map[string]string `protobuf:"bytes,2,rep,name=attrs" json:"attrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *SourceOp) Reset()                    { *m = SourceOp{} }
+func (m *SourceOp) String() string            { return proto.CompactTextString(m) }
+func (*SourceOp) ProtoMessage()               {}
+func (*SourceOp) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{9} }
+
+func (m *SourceOp) GetIdentifier() string {
+	if m != nil {
+		return m.Identifier
+	}
+	return ""
+}
+
+func (m *SourceOp) GetAttrs() map[string]string {
+	if m != nil {
+		return m.Attrs
+	}
+	return nil
+}
+
+// BuildOp is used for nested build invocation.
+// BuildOp is experimental and can break without backwards compatibility
+type BuildOp struct {
+	Builder InputIndex             `protobuf:"varint,1,opt,name=builder,proto3,customtype=InputIndex" json:"builder"`
+	Inputs  map[string]*BuildInput `protobuf:"bytes,2,rep,name=inputs" json:"inputs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value"`
+	Def     *Definition            `protobuf:"bytes,3,opt,name=def" json:"def,omitempty"`
+	Attrs   map[string]string      `protobuf:"bytes,4,rep,name=attrs" json:"attrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *BuildOp) Reset()                    { *m = BuildOp{} }
+func (m *BuildOp) String() string            { return proto.CompactTextString(m) }
+func (*BuildOp) ProtoMessage()               {}
+func (*BuildOp) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{10} }
+
+func (m *BuildOp) GetInputs() map[string]*BuildInput {
+	if m != nil {
+		return m.Inputs
+	}
+	return nil
+}
+
+func (m *BuildOp) GetDef() *Definition {
+	if m != nil {
+		return m.Def
+	}
+	return nil
+}
+
+func (m *BuildOp) GetAttrs() map[string]string {
+	if m != nil {
+		return m.Attrs
+	}
+	return nil
+}
+
+// BuildInput is used for BuildOp.
+type BuildInput struct {
+	Input InputIndex `protobuf:"varint,1,opt,name=input,proto3,customtype=InputIndex" json:"input"`
+}
+
+func (m *BuildInput) Reset()                    { *m = BuildInput{} }
+func (m *BuildInput) String() string            { return proto.CompactTextString(m) }
+func (*BuildInput) ProtoMessage()               {}
+func (*BuildInput) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{11} }
+
+// OpMetadata is a per-vertex metadata entry, which can be defined for arbitrary Op vertex and overridable on the run time.
+type OpMetadata struct {
+	// ignore_cache specifies to ignore the cache for this Op.
+	IgnoreCache bool `protobuf:"varint,1,opt,name=ignore_cache,json=ignoreCache,proto3" json:"ignore_cache,omitempty"`
+	// Description can be used for keeping any text fields that builder doesn't parse
+	Description map[string]string `protobuf:"bytes,2,rep,name=description" json:"description,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	// index 3 reserved for WorkerConstraint in previous versions
+	// WorkerConstraint worker_constraint = 3;
+	ExportCache *ExportCache `protobuf:"bytes,4,opt,name=export_cache,json=exportCache" json:"export_cache,omitempty"`
+}
+
+func (m *OpMetadata) Reset()                    { *m = OpMetadata{} }
+func (m *OpMetadata) String() string            { return proto.CompactTextString(m) }
+func (*OpMetadata) ProtoMessage()               {}
+func (*OpMetadata) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{12} }
+
+func (m *OpMetadata) GetIgnoreCache() bool {
+	if m != nil {
+		return m.IgnoreCache
+	}
+	return false
+}
+
+func (m *OpMetadata) GetDescription() map[string]string {
+	if m != nil {
+		return m.Description
+	}
+	return nil
+}
+
+func (m *OpMetadata) GetExportCache() *ExportCache {
+	if m != nil {
+		return m.ExportCache
+	}
+	return nil
+}
+
+type ExportCache struct {
+	Value bool `protobuf:"varint,1,opt,name=Value,proto3" json:"Value,omitempty"`
+}
+
+func (m *ExportCache) Reset()                    { *m = ExportCache{} }
+func (m *ExportCache) String() string            { return proto.CompactTextString(m) }
+func (*ExportCache) ProtoMessage()               {}
+func (*ExportCache) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{13} }
+
+func (m *ExportCache) GetValue() bool {
+	if m != nil {
+		return m.Value
+	}
+	return false
+}
+
+type ProxyEnv struct {
+	HttpProxy  string `protobuf:"bytes,1,opt,name=http_proxy,json=httpProxy,proto3" json:"http_proxy,omitempty"`
+	HttpsProxy string `protobuf:"bytes,2,opt,name=https_proxy,json=httpsProxy,proto3" json:"https_proxy,omitempty"`
+	FtpProxy   string `protobuf:"bytes,3,opt,name=ftp_proxy,json=ftpProxy,proto3" json:"ftp_proxy,omitempty"`
+	NoProxy    string `protobuf:"bytes,4,opt,name=no_proxy,json=noProxy,proto3" json:"no_proxy,omitempty"`
+}
+
+func (m *ProxyEnv) Reset()                    { *m = ProxyEnv{} }
+func (m *ProxyEnv) String() string            { return proto.CompactTextString(m) }
+func (*ProxyEnv) ProtoMessage()               {}
+func (*ProxyEnv) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{14} }
+
+func (m *ProxyEnv) GetHttpProxy() string {
+	if m != nil {
+		return m.HttpProxy
+	}
+	return ""
+}
+
+func (m *ProxyEnv) GetHttpsProxy() string {
+	if m != nil {
+		return m.HttpsProxy
+	}
+	return ""
+}
+
+func (m *ProxyEnv) GetFtpProxy() string {
+	if m != nil {
+		return m.FtpProxy
+	}
+	return ""
+}
+
+func (m *ProxyEnv) GetNoProxy() string {
+	if m != nil {
+		return m.NoProxy
+	}
+	return ""
+}
+
+// WorkerConstraints defines conditions for the worker
+type WorkerConstraints struct {
+	Filter []string `protobuf:"bytes,1,rep,name=filter" json:"filter,omitempty"`
+}
+
+func (m *WorkerConstraints) Reset()                    { *m = WorkerConstraints{} }
+func (m *WorkerConstraints) String() string            { return proto.CompactTextString(m) }
+func (*WorkerConstraints) ProtoMessage()               {}
+func (*WorkerConstraints) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{15} }
+
+func (m *WorkerConstraints) GetFilter() []string {
+	if m != nil {
+		return m.Filter
+	}
+	return nil
+}
+
+// Definition is the LLB definition structure with per-vertex metadata entries
+type Definition struct {
+	// def is a list of marshaled Op messages
+	Def [][]byte `protobuf:"bytes,1,rep,name=def" json:"def,omitempty"`
+	// metadata contains metadata for the each of the Op messages.
+	// A key must be an LLB op digest string. Currently, empty string is not expected as a key, but it may change in the future.
+	Metadata map[github_com_opencontainers_go_digest.Digest]OpMetadata `protobuf:"bytes,2,rep,name=metadata,castkey=github.com/opencontainers/go-digest.Digest" json:"metadata" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value"`
+}
+
+func (m *Definition) Reset()                    { *m = Definition{} }
+func (m *Definition) String() string            { return proto.CompactTextString(m) }
+func (*Definition) ProtoMessage()               {}
+func (*Definition) Descriptor() ([]byte, []int) { return fileDescriptorOps, []int{16} }
+
+func (m *Definition) GetDef() [][]byte {
+	if m != nil {
+		return m.Def
+	}
+	return nil
+}
+
+func (m *Definition) GetMetadata() map[github_com_opencontainers_go_digest.Digest]OpMetadata {
+	if m != nil {
+		return m.Metadata
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*Op)(nil), "pb.Op")
+	proto.RegisterType((*Platform)(nil), "pb.Platform")
+	proto.RegisterType((*Input)(nil), "pb.Input")
+	proto.RegisterType((*ExecOp)(nil), "pb.ExecOp")
+	proto.RegisterType((*Meta)(nil), "pb.Meta")
+	proto.RegisterType((*Mount)(nil), "pb.Mount")
+	proto.RegisterType((*CacheOpt)(nil), "pb.CacheOpt")
+	proto.RegisterType((*CopyOp)(nil), "pb.CopyOp")
+	proto.RegisterType((*CopySource)(nil), "pb.CopySource")
+	proto.RegisterType((*SourceOp)(nil), "pb.SourceOp")
+	proto.RegisterType((*BuildOp)(nil), "pb.BuildOp")
+	proto.RegisterType((*BuildInput)(nil), "pb.BuildInput")
+	proto.RegisterType((*OpMetadata)(nil), "pb.OpMetadata")
+	proto.RegisterType((*ExportCache)(nil), "pb.ExportCache")
+	proto.RegisterType((*ProxyEnv)(nil), "pb.ProxyEnv")
+	proto.RegisterType((*WorkerConstraints)(nil), "pb.WorkerConstraints")
+	proto.RegisterType((*Definition)(nil), "pb.Definition")
+	proto.RegisterEnum("pb.MountType", MountType_name, MountType_value)
+	proto.RegisterEnum("pb.CacheSharingOpt", CacheSharingOpt_name, CacheSharingOpt_value)
+}
+func (m *Op) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Op) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Inputs) > 0 {
+		for _, msg := range m.Inputs {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if m.Op != nil {
+		nn1, err := m.Op.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += nn1
+	}
+	if m.Platform != nil {
+		dAtA[i] = 0x52
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Platform.Size()))
+		n2, err := m.Platform.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n2
+	}
+	if m.Constraints != nil {
+		dAtA[i] = 0x5a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Constraints.Size()))
+		n3, err := m.Constraints.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n3
+	}
+	return i, nil
+}
+
+func (m *Op_Exec) MarshalTo(dAtA []byte) (int, error) {
+	i := 0
+	if m.Exec != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Exec.Size()))
+		n4, err := m.Exec.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n4
+	}
+	return i, nil
+}
+func (m *Op_Source) MarshalTo(dAtA []byte) (int, error) {
+	i := 0
+	if m.Source != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Source.Size()))
+		n5, err := m.Source.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n5
+	}
+	return i, nil
+}
+func (m *Op_Copy) MarshalTo(dAtA []byte) (int, error) {
+	i := 0
+	if m.Copy != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Copy.Size()))
+		n6, err := m.Copy.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n6
+	}
+	return i, nil
+}
+func (m *Op_Build) MarshalTo(dAtA []byte) (int, error) {
+	i := 0
+	if m.Build != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Build.Size()))
+		n7, err := m.Build.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n7
+	}
+	return i, nil
+}
+func (m *Platform) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Platform) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Architecture) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Architecture)))
+		i += copy(dAtA[i:], m.Architecture)
+	}
+	if len(m.OS) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.OS)))
+		i += copy(dAtA[i:], m.OS)
+	}
+	if len(m.Variant) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Variant)))
+		i += copy(dAtA[i:], m.Variant)
+	}
+	if len(m.OSVersion) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.OSVersion)))
+		i += copy(dAtA[i:], m.OSVersion)
+	}
+	if len(m.OSFeatures) > 0 {
+		for _, s := range m.OSFeatures {
+			dAtA[i] = 0x2a
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *Input) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Input) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Digest) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Digest)))
+		i += copy(dAtA[i:], m.Digest)
+	}
+	if m.Index != 0 {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Index))
+	}
+	return i, nil
+}
+
+func (m *ExecOp) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ExecOp) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Meta != nil {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Meta.Size()))
+		n8, err := m.Meta.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n8
+	}
+	if len(m.Mounts) > 0 {
+		for _, msg := range m.Mounts {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
+func (m *Meta) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Meta) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Args) > 0 {
+		for _, s := range m.Args {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Env) > 0 {
+		for _, s := range m.Env {
+			dAtA[i] = 0x12
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	if len(m.Cwd) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Cwd)))
+		i += copy(dAtA[i:], m.Cwd)
+	}
+	if len(m.User) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.User)))
+		i += copy(dAtA[i:], m.User)
+	}
+	if m.ProxyEnv != nil {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.ProxyEnv.Size()))
+		n9, err := m.ProxyEnv.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n9
+	}
+	return i, nil
+}
+
+func (m *Mount) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Mount) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Input != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Input))
+	}
+	if len(m.Selector) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Selector)))
+		i += copy(dAtA[i:], m.Selector)
+	}
+	if len(m.Dest) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Dest)))
+		i += copy(dAtA[i:], m.Dest)
+	}
+	if m.Output != 0 {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Output))
+	}
+	if m.Readonly {
+		dAtA[i] = 0x28
+		i++
+		if m.Readonly {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.MountType != 0 {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.MountType))
+	}
+	if m.CacheOpt != nil {
+		dAtA[i] = 0xa2
+		i++
+		dAtA[i] = 0x1
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.CacheOpt.Size()))
+		n10, err := m.CacheOpt.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n10
+	}
+	return i, nil
+}
+
+func (m *CacheOpt) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CacheOpt) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	if m.Sharing != 0 {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Sharing))
+	}
+	return i, nil
+}
+
+func (m *CopyOp) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CopyOp) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Src) > 0 {
+		for _, msg := range m.Src {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.Dest) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Dest)))
+		i += copy(dAtA[i:], m.Dest)
+	}
+	return i, nil
+}
+
+func (m *CopySource) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *CopySource) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Input != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Input))
+	}
+	if len(m.Selector) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Selector)))
+		i += copy(dAtA[i:], m.Selector)
+	}
+	return i, nil
+}
+
+func (m *SourceOp) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *SourceOp) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Identifier) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.Identifier)))
+		i += copy(dAtA[i:], m.Identifier)
+	}
+	if len(m.Attrs) > 0 {
+		for k, _ := range m.Attrs {
+			dAtA[i] = 0x12
+			i++
+			v := m.Attrs[k]
+			mapSize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			i = encodeVarintOps(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *BuildOp) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BuildOp) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Builder != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Builder))
+	}
+	if len(m.Inputs) > 0 {
+		for k, _ := range m.Inputs {
+			dAtA[i] = 0x12
+			i++
+			v := m.Inputs[k]
+			msgSize := 0
+			if v != nil {
+				msgSize = v.Size()
+				msgSize += 1 + sovOps(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovOps(uint64(len(k))) + msgSize
+			i = encodeVarintOps(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			if v != nil {
+				dAtA[i] = 0x12
+				i++
+				i = encodeVarintOps(dAtA, i, uint64(v.Size()))
+				n11, err := v.MarshalTo(dAtA[i:])
+				if err != nil {
+					return 0, err
+				}
+				i += n11
+			}
+		}
+	}
+	if m.Def != nil {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Def.Size()))
+		n12, err := m.Def.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n12
+	}
+	if len(m.Attrs) > 0 {
+		for k, _ := range m.Attrs {
+			dAtA[i] = 0x22
+			i++
+			v := m.Attrs[k]
+			mapSize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			i = encodeVarintOps(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	return i, nil
+}
+
+func (m *BuildInput) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *BuildInput) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Input != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.Input))
+	}
+	return i, nil
+}
+
+func (m *OpMetadata) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *OpMetadata) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.IgnoreCache {
+		dAtA[i] = 0x8
+		i++
+		if m.IgnoreCache {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if len(m.Description) > 0 {
+		for k, _ := range m.Description {
+			dAtA[i] = 0x12
+			i++
+			v := m.Description[k]
+			mapSize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			i = encodeVarintOps(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(v)))
+			i += copy(dAtA[i:], v)
+		}
+	}
+	if m.ExportCache != nil {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(m.ExportCache.Size()))
+		n13, err := m.ExportCache.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n13
+	}
+	return i, nil
+}
+
+func (m *ExportCache) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ExportCache) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Value {
+		dAtA[i] = 0x8
+		i++
+		if m.Value {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	return i, nil
+}
+
+func (m *ProxyEnv) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *ProxyEnv) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.HttpProxy) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.HttpProxy)))
+		i += copy(dAtA[i:], m.HttpProxy)
+	}
+	if len(m.HttpsProxy) > 0 {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.HttpsProxy)))
+		i += copy(dAtA[i:], m.HttpsProxy)
+	}
+	if len(m.FtpProxy) > 0 {
+		dAtA[i] = 0x1a
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.FtpProxy)))
+		i += copy(dAtA[i:], m.FtpProxy)
+	}
+	if len(m.NoProxy) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintOps(dAtA, i, uint64(len(m.NoProxy)))
+		i += copy(dAtA[i:], m.NoProxy)
+	}
+	return i, nil
+}
+
+func (m *WorkerConstraints) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *WorkerConstraints) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Filter) > 0 {
+		for _, s := range m.Filter {
+			dAtA[i] = 0xa
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
+	return i, nil
+}
+
+func (m *Definition) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Definition) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Def) > 0 {
+		for _, b := range m.Def {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(b)))
+			i += copy(dAtA[i:], b)
+		}
+	}
+	if len(m.Metadata) > 0 {
+		for k, _ := range m.Metadata {
+			dAtA[i] = 0x12
+			i++
+			v := m.Metadata[k]
+			msgSize := 0
+			if (&v) != nil {
+				msgSize = (&v).Size()
+				msgSize += 1 + sovOps(uint64(msgSize))
+			}
+			mapSize := 1 + len(k) + sovOps(uint64(len(k))) + msgSize
+			i = encodeVarintOps(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintOps(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintOps(dAtA, i, uint64((&v).Size()))
+			n14, err := (&v).MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n14
+		}
+	}
+	return i, nil
+}
+
+func encodeVarintOps(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *Op) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Inputs) > 0 {
+		for _, e := range m.Inputs {
+			l = e.Size()
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	if m.Op != nil {
+		n += m.Op.Size()
+	}
+	if m.Platform != nil {
+		l = m.Platform.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if m.Constraints != nil {
+		l = m.Constraints.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *Op_Exec) Size() (n int) {
+	var l int
+	_ = l
+	if m.Exec != nil {
+		l = m.Exec.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+func (m *Op_Source) Size() (n int) {
+	var l int
+	_ = l
+	if m.Source != nil {
+		l = m.Source.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+func (m *Op_Copy) Size() (n int) {
+	var l int
+	_ = l
+	if m.Copy != nil {
+		l = m.Copy.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+func (m *Op_Build) Size() (n int) {
+	var l int
+	_ = l
+	if m.Build != nil {
+		l = m.Build.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+func (m *Platform) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Architecture)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.OS)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.Variant)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.OSVersion)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if len(m.OSFeatures) > 0 {
+		for _, s := range m.OSFeatures {
+			l = len(s)
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Input) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Digest)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if m.Index != 0 {
+		n += 1 + sovOps(uint64(m.Index))
+	}
+	return n
+}
+
+func (m *ExecOp) Size() (n int) {
+	var l int
+	_ = l
+	if m.Meta != nil {
+		l = m.Meta.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if len(m.Mounts) > 0 {
+		for _, e := range m.Mounts {
+			l = e.Size()
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Meta) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Args) > 0 {
+		for _, s := range m.Args {
+			l = len(s)
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	if len(m.Env) > 0 {
+		for _, s := range m.Env {
+			l = len(s)
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	l = len(m.Cwd)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.User)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if m.ProxyEnv != nil {
+		l = m.ProxyEnv.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *Mount) Size() (n int) {
+	var l int
+	_ = l
+	if m.Input != 0 {
+		n += 1 + sovOps(uint64(m.Input))
+	}
+	l = len(m.Selector)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.Dest)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if m.Output != 0 {
+		n += 1 + sovOps(uint64(m.Output))
+	}
+	if m.Readonly {
+		n += 2
+	}
+	if m.MountType != 0 {
+		n += 1 + sovOps(uint64(m.MountType))
+	}
+	if m.CacheOpt != nil {
+		l = m.CacheOpt.Size()
+		n += 2 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *CacheOpt) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if m.Sharing != 0 {
+		n += 1 + sovOps(uint64(m.Sharing))
+	}
+	return n
+}
+
+func (m *CopyOp) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Src) > 0 {
+		for _, e := range m.Src {
+			l = e.Size()
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	l = len(m.Dest)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *CopySource) Size() (n int) {
+	var l int
+	_ = l
+	if m.Input != 0 {
+		n += 1 + sovOps(uint64(m.Input))
+	}
+	l = len(m.Selector)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *SourceOp) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Identifier)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if len(m.Attrs) > 0 {
+		for k, v := range m.Attrs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			n += mapEntrySize + 1 + sovOps(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *BuildOp) Size() (n int) {
+	var l int
+	_ = l
+	if m.Builder != 0 {
+		n += 1 + sovOps(uint64(m.Builder))
+	}
+	if len(m.Inputs) > 0 {
+		for k, v := range m.Inputs {
+			_ = k
+			_ = v
+			l = 0
+			if v != nil {
+				l = v.Size()
+				l += 1 + sovOps(uint64(l))
+			}
+			mapEntrySize := 1 + len(k) + sovOps(uint64(len(k))) + l
+			n += mapEntrySize + 1 + sovOps(uint64(mapEntrySize))
+		}
+	}
+	if m.Def != nil {
+		l = m.Def.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	if len(m.Attrs) > 0 {
+		for k, v := range m.Attrs {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			n += mapEntrySize + 1 + sovOps(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func (m *BuildInput) Size() (n int) {
+	var l int
+	_ = l
+	if m.Input != 0 {
+		n += 1 + sovOps(uint64(m.Input))
+	}
+	return n
+}
+
+func (m *OpMetadata) Size() (n int) {
+	var l int
+	_ = l
+	if m.IgnoreCache {
+		n += 2
+	}
+	if len(m.Description) > 0 {
+		for k, v := range m.Description {
+			_ = k
+			_ = v
+			mapEntrySize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + len(v) + sovOps(uint64(len(v)))
+			n += mapEntrySize + 1 + sovOps(uint64(mapEntrySize))
+		}
+	}
+	if m.ExportCache != nil {
+		l = m.ExportCache.Size()
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *ExportCache) Size() (n int) {
+	var l int
+	_ = l
+	if m.Value {
+		n += 2
+	}
+	return n
+}
+
+func (m *ProxyEnv) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.HttpProxy)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.HttpsProxy)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.FtpProxy)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	l = len(m.NoProxy)
+	if l > 0 {
+		n += 1 + l + sovOps(uint64(l))
+	}
+	return n
+}
+
+func (m *WorkerConstraints) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Filter) > 0 {
+		for _, s := range m.Filter {
+			l = len(s)
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *Definition) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Def) > 0 {
+		for _, b := range m.Def {
+			l = len(b)
+			n += 1 + l + sovOps(uint64(l))
+		}
+	}
+	if len(m.Metadata) > 0 {
+		for k, v := range m.Metadata {
+			_ = k
+			_ = v
+			l = v.Size()
+			mapEntrySize := 1 + len(k) + sovOps(uint64(len(k))) + 1 + l + sovOps(uint64(l))
+			n += mapEntrySize + 1 + sovOps(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func sovOps(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozOps(x uint64) (n int) {
+	return sovOps(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *Op) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Op: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Op: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Inputs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Inputs = append(m.Inputs, &Input{})
+			if err := m.Inputs[len(m.Inputs)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Exec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &ExecOp{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Op = &Op_Exec{v}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Source", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &SourceOp{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Op = &Op_Source{v}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Copy", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &CopyOp{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Op = &Op_Copy{v}
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Build", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			v := &BuildOp{}
+			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			m.Op = &Op_Build{v}
+			iNdEx = postIndex
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Platform", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Platform == nil {
+				m.Platform = &Platform{}
+			}
+			if err := m.Platform.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Constraints", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Constraints == nil {
+				m.Constraints = &WorkerConstraints{}
+			}
+			if err := m.Constraints.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Platform) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Platform: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Platform: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Architecture", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Architecture = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OS", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OS = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Variant", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Variant = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OSVersion", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OSVersion = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field OSFeatures", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.OSFeatures = append(m.OSFeatures, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Input) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Input: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Input: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Digest", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Digest = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Index", wireType)
+			}
+			m.Index = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Index |= (OutputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ExecOp) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExecOp: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExecOp: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Meta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Meta == nil {
+				m.Meta = &Meta{}
+			}
+			if err := m.Meta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Mounts", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Mounts = append(m.Mounts, &Mount{})
+			if err := m.Mounts[len(m.Mounts)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Meta) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Meta: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Meta: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Args", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Args = append(m.Args, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Env", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Env = append(m.Env, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Cwd", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Cwd = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field User", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.User = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ProxyEnv", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ProxyEnv == nil {
+				m.ProxyEnv = &ProxyEnv{}
+			}
+			if err := m.ProxyEnv.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Mount) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Mount: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Mount: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Input", wireType)
+			}
+			m.Input = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Input |= (InputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Selector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Dest", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Dest = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Output", wireType)
+			}
+			m.Output = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Output |= (OutputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Readonly", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Readonly = bool(v != 0)
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field MountType", wireType)
+			}
+			m.MountType = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.MountType |= (MountType(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 20:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field CacheOpt", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.CacheOpt == nil {
+				m.CacheOpt = &CacheOpt{}
+			}
+			if err := m.CacheOpt.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CacheOpt) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CacheOpt: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CacheOpt: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Sharing", wireType)
+			}
+			m.Sharing = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Sharing |= (CacheSharingOpt(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CopyOp) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CopyOp: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CopyOp: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Src", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Src = append(m.Src, &CopySource{})
+			if err := m.Src[len(m.Src)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Dest", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Dest = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *CopySource) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: CopySource: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: CopySource: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Input", wireType)
+			}
+			m.Input = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Input |= (InputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selector", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Selector = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *SourceOp) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: SourceOp: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: SourceOp: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Identifier", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Identifier = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Attrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Attrs == nil {
+				m.Attrs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipOps(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthOps
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Attrs[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *BuildOp) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BuildOp: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BuildOp: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Builder", wireType)
+			}
+			m.Builder = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Builder |= (InputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Inputs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Inputs == nil {
+				m.Inputs = make(map[string]*BuildInput)
+			}
+			var mapkey string
+			var mapvalue *BuildInput
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var mapmsglen int
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						mapmsglen |= (int(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					if mapmsglen < 0 {
+						return ErrInvalidLengthOps
+					}
+					postmsgIndex := iNdEx + mapmsglen
+					if mapmsglen < 0 {
+						return ErrInvalidLengthOps
+					}
+					if postmsgIndex > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = &BuildInput{}
+					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+						return err
+					}
+					iNdEx = postmsgIndex
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipOps(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthOps
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Inputs[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Def", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Def == nil {
+				m.Def = &Definition{}
+			}
+			if err := m.Def.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Attrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Attrs == nil {
+				m.Attrs = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipOps(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthOps
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Attrs[mapkey] = mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *BuildInput) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: BuildInput: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: BuildInput: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Input", wireType)
+			}
+			m.Input = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Input |= (InputIndex(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *OpMetadata) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: OpMetadata: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: OpMetadata: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IgnoreCache", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.IgnoreCache = bool(v != 0)
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Description", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Description == nil {
+				m.Description = make(map[string]string)
+			}
+			var mapkey string
+			var mapvalue string
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var stringLenmapvalue uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapvalue |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapvalue := int(stringLenmapvalue)
+					if intStringLenmapvalue < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
+					if postStringIndexmapvalue > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
+					iNdEx = postStringIndexmapvalue
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipOps(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthOps
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Description[mapkey] = mapvalue
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ExportCache", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.ExportCache == nil {
+				m.ExportCache = &ExportCache{}
+			}
+			if err := m.ExportCache.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ExportCache) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ExportCache: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ExportCache: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Value = bool(v != 0)
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *ProxyEnv) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: ProxyEnv: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: ProxyEnv: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HttpProxy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.HttpProxy = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HttpsProxy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.HttpsProxy = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field FtpProxy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.FtpProxy = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NoProxy", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NoProxy = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *WorkerConstraints) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: WorkerConstraints: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: WorkerConstraints: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Filter", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Filter = append(m.Filter, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *Definition) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Definition: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Definition: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Def", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Def = append(m.Def, make([]byte, postIndex-iNdEx))
+			copy(m.Def[len(m.Def)-1], dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Metadata", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthOps
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Metadata == nil {
+				m.Metadata = make(map[github_com_opencontainers_go_digest.Digest]OpMetadata)
+			}
+			var mapkey github_com_opencontainers_go_digest.Digest
+			mapvalue := &OpMetadata{}
+			for iNdEx < postIndex {
+				entryPreIndex := iNdEx
+				var wire uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					wire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				fieldNum := int32(wire >> 3)
+				if fieldNum == 1 {
+					var stringLenmapkey uint64
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						stringLenmapkey |= (uint64(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					intStringLenmapkey := int(stringLenmapkey)
+					if intStringLenmapkey < 0 {
+						return ErrInvalidLengthOps
+					}
+					postStringIndexmapkey := iNdEx + intStringLenmapkey
+					if postStringIndexmapkey > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapkey = github_com_opencontainers_go_digest.Digest(dAtA[iNdEx:postStringIndexmapkey])
+					iNdEx = postStringIndexmapkey
+				} else if fieldNum == 2 {
+					var mapmsglen int
+					for shift := uint(0); ; shift += 7 {
+						if shift >= 64 {
+							return ErrIntOverflowOps
+						}
+						if iNdEx >= l {
+							return io.ErrUnexpectedEOF
+						}
+						b := dAtA[iNdEx]
+						iNdEx++
+						mapmsglen |= (int(b) & 0x7F) << shift
+						if b < 0x80 {
+							break
+						}
+					}
+					if mapmsglen < 0 {
+						return ErrInvalidLengthOps
+					}
+					postmsgIndex := iNdEx + mapmsglen
+					if mapmsglen < 0 {
+						return ErrInvalidLengthOps
+					}
+					if postmsgIndex > l {
+						return io.ErrUnexpectedEOF
+					}
+					mapvalue = &OpMetadata{}
+					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
+						return err
+					}
+					iNdEx = postmsgIndex
+				} else {
+					iNdEx = entryPreIndex
+					skippy, err := skipOps(dAtA[iNdEx:])
+					if err != nil {
+						return err
+					}
+					if skippy < 0 {
+						return ErrInvalidLengthOps
+					}
+					if (iNdEx + skippy) > postIndex {
+						return io.ErrUnexpectedEOF
+					}
+					iNdEx += skippy
+				}
+			}
+			m.Metadata[github_com_opencontainers_go_digest.Digest(mapkey)] = *mapvalue
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipOps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthOps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipOps(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowOps
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowOps
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthOps
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowOps
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipOps(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthOps = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowOps   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("ops.proto", fileDescriptorOps) }
+
+var fileDescriptorOps = []byte{
+	// 1203 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x56, 0x4d, 0x8f, 0x1b, 0x45,
+	0x13, 0xde, 0x19, 0x7f, 0xcd, 0xd4, 0x6c, 0x36, 0x7e, 0x3b, 0x79, 0x83, 0x59, 0xc2, 0xae, 0x99,
+	0x20, 0xe4, 0x7c, 0xac, 0x57, 0x32, 0x52, 0x88, 0x38, 0x44, 0xac, 0x3f, 0xa2, 0x35, 0x21, 0x38,
+	0x6a, 0xaf, 0x96, 0x63, 0x34, 0x1e, 0xb7, 0xbd, 0xa3, 0x78, 0xa7, 0x47, 0x3d, 0xed, 0xb0, 0x3e,
+	0x80, 0x44, 0x7e, 0x01, 0x12, 0x12, 0x77, 0x7e, 0x08, 0xf7, 0x1c, 0xb9, 0xc2, 0x21, 0xa0, 0x20,
+	0xf1, 0x3b, 0x50, 0x75, 0xb7, 0x67, 0x66, 0x93, 0x20, 0x25, 0x82, 0x93, 0xbb, 0xab, 0x9e, 0x7a,
+	0xba, 0xea, 0xe9, 0x9a, 0x6a, 0x83, 0xcb, 0x93, 0xb4, 0x9d, 0x08, 0x2e, 0x39, 0xb1, 0x93, 0xc9,
+	0xf6, 0xde, 0x3c, 0x92, 0x27, 0xcb, 0x49, 0x3b, 0xe4, 0xa7, 0xfb, 0x73, 0x3e, 0xe7, 0xfb, 0xca,
+	0x35, 0x59, 0xce, 0xd4, 0x4e, 0x6d, 0xd4, 0x4a, 0x87, 0xf8, 0x3f, 0xd9, 0x60, 0x8f, 0x12, 0xf2,
+	0x01, 0x54, 0xa3, 0x38, 0x59, 0xca, 0xb4, 0x61, 0x35, 0x4b, 0x2d, 0xaf, 0xe3, 0xb6, 0x93, 0x49,
+	0x7b, 0x88, 0x16, 0x6a, 0x1c, 0xa4, 0x09, 0x65, 0x76, 0xc6, 0xc2, 0x86, 0xdd, 0xb4, 0x5a, 0x5e,
+	0x07, 0x10, 0x30, 0x38, 0x63, 0xe1, 0x28, 0x39, 0xdc, 0xa0, 0xca, 0x43, 0x3e, 0x82, 0x6a, 0xca,
+	0x97, 0x22, 0x64, 0x8d, 0x92, 0xc2, 0x6c, 0x22, 0x66, 0xac, 0x2c, 0x0a, 0x65, 0xbc, 0xc8, 0x14,
+	0xf2, 0x64, 0xd5, 0x28, 0xe7, 0x4c, 0x3d, 0x9e, 0xac, 0x34, 0x13, 0x7a, 0xc8, 0x35, 0xa8, 0x4c,
+	0x96, 0xd1, 0x62, 0xda, 0xa8, 0x28, 0x88, 0x87, 0x90, 0x2e, 0x1a, 0x14, 0x46, 0xfb, 0x48, 0x0b,
+	0x9c, 0x64, 0x11, 0xc8, 0x19, 0x17, 0xa7, 0x0d, 0xc8, 0x0f, 0x7c, 0x68, 0x6c, 0x34, 0xf3, 0x92,
+	0x4f, 0xc0, 0x0b, 0x79, 0x9c, 0x4a, 0x11, 0x44, 0xb1, 0x4c, 0x1b, 0x9e, 0x02, 0xff, 0x1f, 0xc1,
+	0x5f, 0x71, 0xf1, 0x98, 0x89, 0x5e, 0xee, 0xa4, 0x45, 0x64, 0xb7, 0x0c, 0x36, 0x4f, 0xfc, 0x1f,
+	0x2d, 0x70, 0xd6, 0xac, 0xc4, 0x87, 0xcd, 0x03, 0x11, 0x9e, 0x44, 0x92, 0x85, 0x72, 0x29, 0x58,
+	0xc3, 0x6a, 0x5a, 0x2d, 0x97, 0x9e, 0xb3, 0x91, 0x2d, 0xb0, 0x47, 0x63, 0x25, 0x94, 0x4b, 0xed,
+	0xd1, 0x98, 0x34, 0xa0, 0x76, 0x1c, 0x88, 0x28, 0x88, 0xa5, 0x52, 0xc6, 0xa5, 0xeb, 0x2d, 0xb9,
+	0x0a, 0xee, 0x68, 0x7c, 0xcc, 0x44, 0x1a, 0xf1, 0x58, 0xe9, 0xe1, 0xd2, 0xdc, 0x40, 0x76, 0x00,
+	0x46, 0xe3, 0x7b, 0x2c, 0x40, 0xd2, 0xb4, 0x51, 0x69, 0x96, 0x5a, 0x2e, 0x2d, 0x58, 0xfc, 0x6f,
+	0xa1, 0xa2, 0xee, 0x88, 0x7c, 0x0e, 0xd5, 0x69, 0x34, 0x67, 0xa9, 0xd4, 0xe9, 0x74, 0x3b, 0xcf,
+	0x9e, 0xef, 0x6e, 0xfc, 0xf6, 0x7c, 0xf7, 0x46, 0xa1, 0x19, 0x78, 0xc2, 0xe2, 0x90, 0xc7, 0x32,
+	0x88, 0x62, 0x26, 0xd2, 0xfd, 0x39, 0xdf, 0xd3, 0x21, 0xed, 0xbe, 0xfa, 0xa1, 0x86, 0x81, 0x5c,
+	0x87, 0x4a, 0x14, 0x4f, 0xd9, 0x99, 0xca, 0xbf, 0xd4, 0xbd, 0x64, 0xa8, 0xbc, 0xd1, 0x52, 0x26,
+	0x4b, 0x39, 0x44, 0x17, 0xd5, 0x08, 0x7f, 0x08, 0x55, 0xdd, 0x02, 0xe4, 0x2a, 0x94, 0x4f, 0x99,
+	0x0c, 0xd4, 0xf1, 0x5e, 0xc7, 0x41, 0x69, 0x1f, 0x30, 0x19, 0x50, 0x65, 0xc5, 0xee, 0x3a, 0xe5,
+	0x4b, 0x94, 0xde, 0xce, 0xbb, 0xeb, 0x01, 0x5a, 0xa8, 0x71, 0xf8, 0xdf, 0x40, 0x19, 0x03, 0x08,
+	0x81, 0x72, 0x20, 0xe6, 0xba, 0x0d, 0x5d, 0xaa, 0xd6, 0xa4, 0x0e, 0x25, 0x16, 0x3f, 0x51, 0xb1,
+	0x2e, 0xc5, 0x25, 0x5a, 0xc2, 0xaf, 0xa7, 0x46, 0x4c, 0x5c, 0x62, 0xdc, 0x32, 0x65, 0xc2, 0x68,
+	0xa8, 0xd6, 0xe4, 0x3a, 0xb8, 0x89, 0xe0, 0x67, 0xab, 0x47, 0x18, 0x5d, 0x29, 0x74, 0x08, 0x1a,
+	0x07, 0xf1, 0x13, 0xea, 0x24, 0x66, 0xe5, 0x7f, 0x67, 0x43, 0x45, 0x25, 0x44, 0x5a, 0x58, 0x7e,
+	0xb2, 0xd4, 0x4a, 0x96, 0xba, 0xc4, 0x94, 0x0f, 0x4a, 0xe8, 0xac, 0x7a, 0x14, 0x7d, 0x1b, 0x9c,
+	0x94, 0x2d, 0x58, 0x28, 0xb9, 0x30, 0x77, 0x9d, 0xed, 0x31, 0x9d, 0x29, 0x5e, 0x87, 0xce, 0x50,
+	0xad, 0xc9, 0x4d, 0xa8, 0x72, 0xa5, 0xa1, 0x4a, 0xf2, 0x1f, 0x94, 0x35, 0x10, 0x24, 0x17, 0x2c,
+	0x98, 0xf2, 0x78, 0xb1, 0x52, 0xa9, 0x3b, 0x34, 0xdb, 0x93, 0x9b, 0xe0, 0x2a, 0xd5, 0x8e, 0x56,
+	0x09, 0x6b, 0x54, 0x9b, 0x56, 0x6b, 0xab, 0x73, 0x21, 0x53, 0x14, 0x8d, 0x34, 0xf7, 0xe3, 0x57,
+	0x12, 0x06, 0xe1, 0x09, 0x1b, 0x25, 0xb2, 0x71, 0x39, 0xd7, 0xa0, 0x67, 0x6c, 0x34, 0xf3, 0xfa,
+	0x43, 0x70, 0xd6, 0x56, 0xec, 0xe0, 0x61, 0xdf, 0xf4, 0xb6, 0x3d, 0xec, 0x93, 0x3d, 0xa8, 0xa5,
+	0x27, 0x81, 0x88, 0xe2, 0xb9, 0x2a, 0x75, 0xab, 0x73, 0x29, 0x23, 0x19, 0x6b, 0x3b, 0x72, 0xad,
+	0x31, 0xfe, 0x5d, 0xa8, 0xea, 0x2f, 0x9a, 0x34, 0xa1, 0x94, 0x8a, 0xd0, 0x4c, 0x95, 0xad, 0xf5,
+	0xa7, 0xae, 0x87, 0x02, 0x45, 0x57, 0x26, 0x95, 0x9d, 0x4b, 0xe5, 0x53, 0x80, 0x1c, 0xf6, 0xdf,
+	0x5c, 0x89, 0xff, 0x83, 0x05, 0xce, 0x7a, 0x18, 0xe1, 0x97, 0x15, 0x4d, 0x59, 0x2c, 0xa3, 0x59,
+	0xc4, 0x84, 0xa9, 0xb3, 0x60, 0x21, 0x7b, 0x50, 0x09, 0xa4, 0x14, 0xeb, 0x86, 0x7d, 0xa7, 0x38,
+	0xc9, 0xda, 0x07, 0xe8, 0x19, 0xc4, 0x52, 0xac, 0xa8, 0x46, 0x6d, 0xdf, 0x01, 0xc8, 0x8d, 0xd8,
+	0x9d, 0x8f, 0xd9, 0xca, 0xb0, 0xe2, 0x92, 0x5c, 0x86, 0xca, 0x93, 0x60, 0xb1, 0x64, 0x26, 0x29,
+	0xbd, 0xf9, 0xd4, 0xbe, 0x63, 0xf9, 0x3f, 0xdb, 0x50, 0x33, 0x93, 0x8d, 0xdc, 0x82, 0x9a, 0x9a,
+	0x6c, 0x26, 0xa3, 0xd7, 0x57, 0xba, 0x86, 0x90, 0xfd, 0x6c, 0x64, 0x17, 0x72, 0x34, 0x54, 0x7a,
+	0x74, 0x9b, 0x1c, 0xf3, 0x01, 0x5e, 0x9a, 0xb2, 0x99, 0x99, 0xcd, 0xea, 0x2a, 0xfa, 0x6c, 0x16,
+	0xc5, 0x91, 0x8c, 0x78, 0x4c, 0xd1, 0x45, 0x6e, 0xad, 0xab, 0x2e, 0x2b, 0xc6, 0x2b, 0x45, 0xc6,
+	0x57, 0x8b, 0x1e, 0x82, 0x57, 0x38, 0xe6, 0x35, 0x55, 0x7f, 0x58, 0xac, 0xda, 0x1c, 0xa9, 0xe8,
+	0xf4, 0xc3, 0x92, 0xab, 0xf0, 0x2f, 0xf4, 0xbb, 0x0d, 0x90, 0x53, 0xbe, 0x79, 0xa7, 0xf8, 0x7f,
+	0x59, 0x00, 0xa3, 0x04, 0x47, 0xce, 0x34, 0x50, 0x13, 0x6a, 0x33, 0x9a, 0xc7, 0x5c, 0xb0, 0x47,
+	0xea, 0x73, 0x50, 0xf1, 0x0e, 0xf5, 0xb4, 0x4d, 0xb5, 0x39, 0x39, 0x00, 0x6f, 0xca, 0xd2, 0x50,
+	0x44, 0x09, 0x0a, 0x66, 0x44, 0xdf, 0xc5, 0x9a, 0x72, 0x9e, 0x76, 0x3f, 0x47, 0x68, 0xad, 0x8a,
+	0x31, 0xa4, 0x03, 0x9b, 0xec, 0x2c, 0xe1, 0x42, 0x9a, 0x53, 0xf4, 0x03, 0x78, 0x51, 0x3f, 0xa5,
+	0x68, 0x57, 0x27, 0x51, 0x8f, 0xe5, 0x9b, 0xed, 0xbb, 0x50, 0x7f, 0x99, 0xf4, 0xad, 0x04, 0xba,
+	0x06, 0x5e, 0x81, 0x1b, 0x81, 0xc7, 0x0a, 0xa8, 0x2b, 0xd4, 0x1b, 0xff, 0x29, 0xbe, 0x70, 0x66,
+	0x16, 0x92, 0xf7, 0x01, 0x4e, 0xa4, 0x4c, 0x1e, 0xa9, 0xe1, 0x68, 0x0e, 0x71, 0xd1, 0xa2, 0x10,
+	0x64, 0x17, 0x3c, 0xdc, 0xa4, 0xc6, 0xaf, 0x0f, 0x54, 0x11, 0xa9, 0x06, 0xbc, 0x07, 0xee, 0x2c,
+	0x0b, 0xd7, 0x03, 0xd0, 0x99, 0xad, 0xa3, 0xdf, 0x05, 0x27, 0xe6, 0xc6, 0xa7, 0x67, 0x75, 0x2d,
+	0xe6, 0xca, 0xe5, 0xdf, 0x84, 0xff, 0xbd, 0xf2, 0x1c, 0x93, 0x2b, 0x50, 0x9d, 0x45, 0x0b, 0xa9,
+	0x3e, 0x09, 0x1c, 0xff, 0x66, 0xe7, 0xff, 0x6a, 0x01, 0xe4, 0xed, 0x8b, 0x8a, 0x60, 0x6f, 0x23,
+	0x66, 0x53, 0xf7, 0xf2, 0x02, 0x9c, 0x53, 0x73, 0x2b, 0xe6, 0xae, 0xae, 0x9e, 0x6f, 0xf9, 0xf6,
+	0xfa, 0xd2, 0x94, 0xa6, 0xfa, 0xc9, 0x7c, 0xfa, 0xfb, 0x5b, 0x3d, 0x99, 0xd9, 0x09, 0xdb, 0xf7,
+	0xe1, 0xc2, 0x39, 0xba, 0x37, 0xfc, 0x1a, 0xf2, 0xce, 0x29, 0x5c, 0xd9, 0x8d, 0xcf, 0xc0, 0xcd,
+	0x46, 0x39, 0x71, 0xa0, 0xdc, 0x1d, 0x7e, 0xd9, 0xaf, 0x6f, 0x10, 0x80, 0xea, 0x78, 0xd0, 0xa3,
+	0x83, 0xa3, 0xba, 0x45, 0x6a, 0x50, 0x1a, 0x8f, 0x0f, 0xeb, 0x36, 0x71, 0xa1, 0xd2, 0x3b, 0xe8,
+	0x1d, 0x0e, 0xea, 0x25, 0x5c, 0x1e, 0x3d, 0x78, 0x78, 0x6f, 0x5c, 0x2f, 0xdf, 0xb8, 0x0d, 0x17,
+	0x5f, 0x9a, 0xcd, 0x2a, 0xfa, 0xf0, 0x80, 0x0e, 0x90, 0xc9, 0x83, 0xda, 0x43, 0x3a, 0x3c, 0x3e,
+	0x38, 0x1a, 0xd4, 0x2d, 0x74, 0x7c, 0x31, 0xea, 0xdd, 0x1f, 0xf4, 0xeb, 0x76, 0xb7, 0xfe, 0xec,
+	0xc5, 0x8e, 0xf5, 0xcb, 0x8b, 0x1d, 0xeb, 0x8f, 0x17, 0x3b, 0xd6, 0xf7, 0x7f, 0xee, 0x6c, 0x4c,
+	0xaa, 0xea, 0x6f, 0xe2, 0xc7, 0x7f, 0x07, 0x00, 0x00, 0xff, 0xff, 0x42, 0x80, 0x11, 0x1b, 0x66,
+	0x0a, 0x00, 0x00,
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/pb/ops.proto b/engine/vendor/github.com/moby/buildkit/solver/pb/ops.proto
new file mode 100644
index 00000000..db44c5a4
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/pb/ops.proto
@@ -0,0 +1,165 @@
+syntax = "proto3";
+
+// Package pb provides the protobuf definition of LLB: low-level builder instruction.
+// LLB is DAG-structured; Op represents a vertex, and Definition represents a graph.
+package pb;
+
+import "github.com/gogo/protobuf/gogoproto/gogo.proto";
+
+// Op represents a vertex of the LLB DAG.
+message Op {
+	// inputs is a set of input edges.
+	repeated Input inputs = 1;
+	oneof op {
+		ExecOp exec = 2;
+		SourceOp source = 3;
+		CopyOp copy = 4;
+		BuildOp build = 5;
+	}
+	Platform platform = 10;
+	WorkerConstraints constraints = 11;
+}
+
+// Platform is github.com/opencontainers/image-spec/specs-go/v1.Platform
+message Platform {
+	string Architecture = 1;
+	string OS = 2;
+	string Variant = 3;
+	string OSVersion = 4; // unused
+	repeated string OSFeatures = 5; // unused
+}
+
+// Input represents an input edge for an Op.
+message Input {
+	// digest of the marshaled input Op
+	string digest = 1 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	// output index of the input Op
+	int64 index = 2 [(gogoproto.customtype) = "OutputIndex", (gogoproto.nullable) = false];
+}
+
+// ExecOp executes a command in a container.
+message ExecOp {
+	Meta meta = 1;
+	repeated Mount mounts = 2;
+}
+
+// Meta is a set of arguments for ExecOp.
+// Meta is unrelated to LLB metadata.
+// FIXME: rename (ExecContext? ExecArgs?)
+message Meta {
+	repeated string args = 1;
+	repeated string env = 2;
+	string cwd = 3;
+	string user = 4;
+	ProxyEnv proxy_env = 5;
+}
+
+// Mount specifies how to mount an input Op as a filesystem.
+message Mount {
+	int64 input = 1 [(gogoproto.customtype) = "InputIndex", (gogoproto.nullable) = false];
+	string selector = 2;
+	string dest = 3;
+	int64 output = 4 [(gogoproto.customtype) = "OutputIndex", (gogoproto.nullable) = false];
+	bool readonly = 5;
+	MountType mountType = 6;
+	CacheOpt cacheOpt = 20;
+}
+
+// MountType defines a type of a mount from a supported set
+enum MountType {
+	BIND = 0;
+	SECRET = 1;
+	SSH = 2;
+	CACHE = 3;
+	TMPFS = 4;
+}
+
+// CacheOpt defines options specific to cache mounts
+message CacheOpt {
+	// ID is an optional namespace for the mount
+	string ID = 1;
+	// Sharing is the sharing mode for the mount 
+	CacheSharingOpt sharing = 2;
+}
+
+// CacheSharingOpt defines different sharing modes for cache mount
+enum CacheSharingOpt {
+	// SHARED cache mount can be used concurrently by multiple writers
+	SHARED = 0;
+	// PRIVATE creates a new mount if there are multiple writers
+	PRIVATE = 1;
+	// LOCKED pauses second writer until first one releases the mount
+	LOCKED = 2;
+}
+
+// CopyOp copies files across Ops.
+message CopyOp {
+	repeated CopySource src = 1;
+	string dest = 2;
+}
+
+// CopySource specifies a source for CopyOp.
+message CopySource {
+	int64 input = 1 [(gogoproto.customtype) = "InputIndex", (gogoproto.nullable) = false];
+	string selector = 2;
+}
+
+// SourceOp specifies a source such as build contexts and images.
+message SourceOp {
+	// TODO: use source type or any type instead of URL protocol.
+	// identifier e.g. local://, docker-image://, git://, https://...
+	string identifier = 1;
+	// attrs are defined in attr.go
+	map<string, string> attrs = 2;
+}
+
+// BuildOp is used for nested build invocation.
+// BuildOp is experimental and can break without backwards compatibility
+message BuildOp {
+	int64 builder = 1 [(gogoproto.customtype) = "InputIndex", (gogoproto.nullable) = false];
+	map<string, BuildInput> inputs = 2;
+	Definition def = 3;
+	map<string, string> attrs = 4;
+	// outputs
+}
+
+// BuildInput is used for BuildOp.
+message BuildInput {
+	int64 input = 1 [(gogoproto.customtype) = "InputIndex", (gogoproto.nullable) = false];
+}
+
+// OpMetadata is a per-vertex metadata entry, which can be defined for arbitrary Op vertex and overridable on the run time.
+message OpMetadata {
+	// ignore_cache specifies to ignore the cache for this Op.
+	bool ignore_cache = 1;
+	// Description can be used for keeping any text fields that builder doesn't parse
+	map<string, string> description = 2; 
+	// index 3 reserved for WorkerConstraint in previous versions
+	// WorkerConstraint worker_constraint = 3;
+	ExportCache export_cache = 4;
+}
+
+message ExportCache {
+	bool Value = 1;
+}
+
+message ProxyEnv {
+	string http_proxy = 1;
+	string https_proxy = 2;
+	string ftp_proxy = 3;
+	string no_proxy = 4;
+}
+
+// WorkerConstraints defines conditions for the worker
+message WorkerConstraints {
+	repeated string filter = 1; // containerd-style filter
+}
+
+// Definition is the LLB definition structure with per-vertex metadata entries
+message Definition {
+	// def is a list of marshaled Op messages
+	repeated bytes def = 1;
+	// metadata contains metadata for the each of the Op messages.
+	// A key must be an LLB op digest string. Currently, empty string is not expected as a key, but it may change in the future.
+	map<string, OpMetadata> metadata = 2 [(gogoproto.castkey) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/pb/platform.go b/engine/vendor/github.com/moby/buildkit/solver/pb/platform.go
new file mode 100644
index 00000000..a434aa71
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/pb/platform.go
@@ -0,0 +1,41 @@
+package pb
+
+import (
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+func (p *Platform) Spec() specs.Platform {
+	return specs.Platform{
+		OS:           p.OS,
+		Architecture: p.Architecture,
+		Variant:      p.Variant,
+		OSVersion:    p.OSVersion,
+		OSFeatures:   p.OSFeatures,
+	}
+}
+
+func PlatformFromSpec(p specs.Platform) Platform {
+	return Platform{
+		OS:           p.OS,
+		Architecture: p.Architecture,
+		Variant:      p.Variant,
+		OSVersion:    p.OSVersion,
+		OSFeatures:   p.OSFeatures,
+	}
+}
+
+func ToSpecPlatforms(p []Platform) []specs.Platform {
+	out := make([]specs.Platform, 0, len(p))
+	for _, pp := range p {
+		out = append(out, pp.Spec())
+	}
+	return out
+}
+
+func PlatformsFromSpec(p []specs.Platform) []Platform {
+	out := make([]Platform, 0, len(p))
+	for _, pp := range p {
+		out = append(out, PlatformFromSpec(pp))
+	}
+	return out
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/progress.go b/engine/vendor/github.com/moby/buildkit/solver/progress.go
new file mode 100644
index 00000000..14f3f5e0
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/progress.go
@@ -0,0 +1,109 @@
+package solver
+
+import (
+	"context"
+	"io"
+	"time"
+
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/util/progress"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/sirupsen/logrus"
+)
+
+func (j *Job) Status(ctx context.Context, ch chan *client.SolveStatus) error {
+	vs := &vertexStream{cache: map[digest.Digest]*client.Vertex{}}
+	pr := j.pr.Reader(ctx)
+	defer func() {
+		if enc := vs.encore(); len(enc) > 0 {
+			ch <- &client.SolveStatus{Vertexes: enc}
+		}
+		close(ch)
+	}()
+
+	for {
+		p, err := pr.Read(ctx)
+		if err != nil {
+			if err == io.EOF {
+				return nil
+			}
+			return err
+		}
+		ss := &client.SolveStatus{}
+		for _, p := range p {
+			switch v := p.Sys.(type) {
+			case client.Vertex:
+				ss.Vertexes = append(ss.Vertexes, vs.append(v)...)
+
+			case progress.Status:
+				vtx, ok := p.Meta("vertex")
+				if !ok {
+					logrus.Warnf("progress %s status without vertex info", p.ID)
+					continue
+				}
+				vs := &client.VertexStatus{
+					ID:        p.ID,
+					Vertex:    vtx.(digest.Digest),
+					Name:      v.Action,
+					Total:     int64(v.Total),
+					Current:   int64(v.Current),
+					Timestamp: p.Timestamp,
+					Started:   v.Started,
+					Completed: v.Completed,
+				}
+				ss.Statuses = append(ss.Statuses, vs)
+			case client.VertexLog:
+				vtx, ok := p.Meta("vertex")
+				if !ok {
+					logrus.Warnf("progress %s log without vertex info", p.ID)
+					continue
+				}
+				v.Vertex = vtx.(digest.Digest)
+				v.Timestamp = p.Timestamp
+				ss.Logs = append(ss.Logs, &v)
+			}
+		}
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case ch <- ss:
+		}
+	}
+}
+
+type vertexStream struct {
+	cache map[digest.Digest]*client.Vertex
+}
+
+func (vs *vertexStream) append(v client.Vertex) []*client.Vertex {
+	var out []*client.Vertex
+	vs.cache[v.Digest] = &v
+	if v.Started != nil {
+		for _, inp := range v.Inputs {
+			if inpv, ok := vs.cache[inp]; ok {
+				if !inpv.Cached && inpv.Completed == nil {
+					inpv.Cached = true
+					inpv.Started = v.Started
+					inpv.Completed = v.Started
+					out = append(out, vs.append(*inpv)...)
+					delete(vs.cache, inp)
+				}
+			}
+		}
+	}
+	vcopy := v
+	return append(out, &vcopy)
+}
+
+func (vs *vertexStream) encore() []*client.Vertex {
+	var out []*client.Vertex
+	for _, v := range vs.cache {
+		if v.Started != nil && v.Completed == nil {
+			now := time.Now()
+			v.Completed = &now
+			v.Error = context.Canceled.Error()
+			out = append(out, v)
+		}
+	}
+	return out
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/result.go b/engine/vendor/github.com/moby/buildkit/solver/result.go
new file mode 100644
index 00000000..641cf14f
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/result.go
@@ -0,0 +1,105 @@
+package solver
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// SharedResult is a result that can be cloned
+type SharedResult struct {
+	mu   sync.Mutex
+	main Result
+}
+
+func NewSharedResult(main Result) *SharedResult {
+	return &SharedResult{main: main}
+}
+
+func (r *SharedResult) Clone() Result {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	r1, r2 := dup(r.main)
+	r.main = r1
+	return r2
+}
+
+func (r *SharedResult) Release(ctx context.Context) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	return r.main.Release(ctx)
+}
+
+func dup(res Result) (Result, Result) {
+	sem := int64(0)
+	return &splitResult{Result: res, sem: &sem}, &splitResult{Result: res, sem: &sem}
+}
+
+type splitResult struct {
+	Result
+	released int64
+	sem      *int64
+}
+
+func (r *splitResult) Release(ctx context.Context) error {
+	if atomic.AddInt64(&r.released, 1) > 1 {
+		err := errors.Errorf("releasing already released reference")
+		logrus.Error(err)
+		return err
+	}
+	if atomic.AddInt64(r.sem, 1) == 2 {
+		return r.Result.Release(ctx)
+	}
+	return nil
+}
+
+// NewCachedResult combines a result and cache key into cached result
+func NewCachedResult(res Result, k ExportableCacheKey) CachedResult {
+	return &cachedResult{res, k}
+}
+
+type cachedResult struct {
+	Result
+	k ExportableCacheKey
+}
+
+func (cr *cachedResult) CacheKey() ExportableCacheKey {
+	return cr.k
+}
+
+func NewSharedCachedResult(res CachedResult) *SharedCachedResult {
+	return &SharedCachedResult{
+		SharedResult: NewSharedResult(res),
+		CachedResult: res,
+	}
+}
+
+func (r *SharedCachedResult) Clone() CachedResult {
+	return &clonedCachedResult{Result: r.SharedResult.Clone(), cr: r.CachedResult}
+}
+
+func (r *SharedCachedResult) Release(ctx context.Context) error {
+	return r.SharedResult.Release(ctx)
+}
+
+type clonedCachedResult struct {
+	Result
+	cr CachedResult
+}
+
+func (r *clonedCachedResult) ID() string {
+	return r.Result.ID()
+}
+
+func (cr *clonedCachedResult) CacheKey() ExportableCacheKey {
+	return cr.cr.CacheKey()
+}
+
+type SharedCachedResult struct {
+	*SharedResult
+	CachedResult
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/scheduler.go b/engine/vendor/github.com/moby/buildkit/solver/scheduler.go
new file mode 100644
index 00000000..7336f619
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/scheduler.go
@@ -0,0 +1,396 @@
+package solver
+
+import (
+	"context"
+	"sync"
+
+	"github.com/moby/buildkit/solver/internal/pipe"
+	"github.com/moby/buildkit/util/cond"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const debugScheduler = false // TODO: replace with logs in build trace
+
+func newScheduler(ef edgeFactory) *scheduler {
+	s := &scheduler{
+		waitq:    map[*edge]struct{}{},
+		incoming: map[*edge][]*edgePipe{},
+		outgoing: map[*edge][]*edgePipe{},
+
+		stopped: make(chan struct{}),
+		closed:  make(chan struct{}),
+
+		ef: ef,
+	}
+	s.cond = cond.NewStatefulCond(&s.mu)
+
+	go s.loop()
+
+	return s
+}
+
+type dispatcher struct {
+	next *dispatcher
+	e    *edge
+}
+
+type scheduler struct {
+	cond *cond.StatefulCond
+	mu   sync.Mutex
+	muQ  sync.Mutex
+
+	ef edgeFactory
+
+	waitq       map[*edge]struct{}
+	next        *dispatcher
+	last        *dispatcher
+	stopped     chan struct{}
+	stoppedOnce sync.Once
+	closed      chan struct{}
+
+	incoming map[*edge][]*edgePipe
+	outgoing map[*edge][]*edgePipe
+}
+
+func (s *scheduler) Stop() {
+	s.stoppedOnce.Do(func() {
+		close(s.stopped)
+	})
+	<-s.closed
+}
+
+func (s *scheduler) loop() {
+	defer func() {
+		close(s.closed)
+	}()
+
+	go func() {
+		<-s.stopped
+		s.mu.Lock()
+		s.cond.Signal()
+		s.mu.Unlock()
+	}()
+
+	s.mu.Lock()
+	for {
+		select {
+		case <-s.stopped:
+			s.mu.Unlock()
+			return
+		default:
+		}
+		s.muQ.Lock()
+		l := s.next
+		if l != nil {
+			if l == s.last {
+				s.last = nil
+			}
+			s.next = l.next
+			delete(s.waitq, l.e)
+		}
+		s.muQ.Unlock()
+		if l == nil {
+			s.cond.Wait()
+			continue
+		}
+		s.dispatch(l.e)
+	}
+}
+
+// dispatch schedules an edge to be processed
+func (s *scheduler) dispatch(e *edge) {
+	inc := make([]pipe.Sender, len(s.incoming[e]))
+	for i, p := range s.incoming[e] {
+		inc[i] = p.Sender
+	}
+	out := make([]pipe.Receiver, len(s.outgoing[e]))
+	for i, p := range s.outgoing[e] {
+		out[i] = p.Receiver
+	}
+
+	e.hasActiveOutgoing = false
+	updates := []pipe.Receiver{}
+	for _, p := range out {
+		if ok := p.Receive(); ok {
+			updates = append(updates, p)
+		}
+		if !p.Status().Completed {
+			e.hasActiveOutgoing = true
+		}
+	}
+
+	// unpark the edge
+	debugSchedulerPreUnpark(e, inc, updates, out)
+	e.unpark(inc, updates, out, &pipeFactory{s: s, e: e})
+	debugSchedulerPostUnpark(e, inc)
+
+	// set up new requests that didn't complete/were added by this run
+	openIncoming := make([]*edgePipe, 0, len(inc))
+	for _, r := range s.incoming[e] {
+		if !r.Sender.Status().Completed {
+			openIncoming = append(openIncoming, r)
+		}
+	}
+	if len(openIncoming) > 0 {
+		s.incoming[e] = openIncoming
+	} else {
+		delete(s.incoming, e)
+	}
+
+	openOutgoing := make([]*edgePipe, 0, len(out))
+	for _, r := range s.outgoing[e] {
+		if !r.Receiver.Status().Completed {
+			openOutgoing = append(openOutgoing, r)
+		}
+	}
+	if len(openOutgoing) > 0 {
+		s.outgoing[e] = openOutgoing
+	} else {
+		delete(s.outgoing, e)
+	}
+
+	// if keys changed there might be possiblity for merge with other edge
+	if e.keysDidChange {
+		if k := e.currentIndexKey(); k != nil {
+			// skip this if not at least 1 key per dep
+			origEdge := e.index.LoadOrStore(k, e)
+			if origEdge != nil {
+				logrus.Debugf("merging edge %s to %s\n", e.edge.Vertex.Name(), origEdge.edge.Vertex.Name())
+				if s.mergeTo(origEdge, e) {
+					s.ef.setEdge(e.edge, origEdge)
+				}
+			}
+		}
+		e.keysDidChange = false
+	}
+
+	// validation to avoid deadlocks/resource leaks:
+	// TODO: if these start showing up in error reports they can be changed
+	// to error the edge instead. They can only appear from algorithm bugs in
+	// unpark(), not for any external input.
+	if len(openIncoming) > 0 && len(openOutgoing) == 0 {
+		panic("invalid dispatch: return leaving incoming open")
+	}
+	if len(openIncoming) == 0 && len(openOutgoing) > 0 {
+		panic("invalid dispatch: return leaving outgoing open")
+	}
+}
+
+// signal notifies that an edge needs to be processed again
+func (s *scheduler) signal(e *edge) {
+	s.muQ.Lock()
+	if _, ok := s.waitq[e]; !ok {
+		d := &dispatcher{e: e}
+		if s.last == nil {
+			s.next = d
+		} else {
+			s.last.next = d
+		}
+		s.last = d
+		s.waitq[e] = struct{}{}
+		s.cond.Signal()
+	}
+	s.muQ.Unlock()
+}
+
+// build evaluates edge into a result
+func (s *scheduler) build(ctx context.Context, edge Edge) (CachedResult, error) {
+	s.mu.Lock()
+	e := s.ef.getEdge(edge)
+	if e == nil {
+		s.mu.Unlock()
+		return nil, errors.Errorf("invalid request %v for build", edge)
+	}
+
+	wait := make(chan struct{})
+
+	var p *pipe.Pipe
+	p = s.newPipe(e, nil, pipe.Request{Payload: &edgeRequest{desiredState: edgeStatusComplete}})
+	p.OnSendCompletion = func() {
+		p.Receiver.Receive()
+		if p.Receiver.Status().Completed {
+			close(wait)
+		}
+	}
+	s.mu.Unlock()
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	go func() {
+		<-ctx.Done()
+		p.Receiver.Cancel()
+	}()
+
+	<-wait
+
+	if err := p.Receiver.Status().Err; err != nil {
+		return nil, err
+	}
+	return p.Receiver.Status().Value.(*edgeState).result.Clone(), nil
+}
+
+// newPipe creates a new request pipe between two edges
+func (s *scheduler) newPipe(target, from *edge, req pipe.Request) *pipe.Pipe {
+	p := &edgePipe{
+		Pipe:   pipe.New(req),
+		Target: target,
+		From:   from,
+	}
+
+	s.signal(target)
+	if from != nil {
+		p.OnSendCompletion = func() {
+			p.mu.Lock()
+			defer p.mu.Unlock()
+			s.signal(p.From)
+		}
+		s.outgoing[from] = append(s.outgoing[from], p)
+	}
+	s.incoming[target] = append(s.incoming[target], p)
+	p.OnReceiveCompletion = func() {
+		p.mu.Lock()
+		defer p.mu.Unlock()
+		s.signal(p.Target)
+	}
+	return p.Pipe
+}
+
+// newRequestWithFunc creates a new request pipe that invokes a async function
+func (s *scheduler) newRequestWithFunc(e *edge, f func(context.Context) (interface{}, error)) pipe.Receiver {
+	pp, start := pipe.NewWithFunction(f)
+	p := &edgePipe{
+		Pipe: pp,
+		From: e,
+	}
+	p.OnSendCompletion = func() {
+		p.mu.Lock()
+		defer p.mu.Unlock()
+		s.signal(p.From)
+	}
+	s.outgoing[e] = append(s.outgoing[e], p)
+	go start()
+	return p.Receiver
+}
+
+// mergeTo merges the state from one edge to another. source edge is discarded.
+func (s *scheduler) mergeTo(target, src *edge) bool {
+	if !target.edge.Vertex.Options().IgnoreCache && src.edge.Vertex.Options().IgnoreCache {
+		return false
+	}
+	for _, inc := range s.incoming[src] {
+		inc.mu.Lock()
+		inc.Target = target
+		s.incoming[target] = append(s.incoming[target], inc)
+		inc.mu.Unlock()
+	}
+
+	for _, out := range s.outgoing[src] {
+		out.mu.Lock()
+		out.From = target
+		s.outgoing[target] = append(s.outgoing[target], out)
+		out.mu.Unlock()
+		out.Receiver.Cancel()
+	}
+
+	delete(s.incoming, src)
+	delete(s.outgoing, src)
+	s.signal(target)
+
+	for i, d := range src.deps {
+		for _, k := range d.keys {
+			target.secondaryExporters = append(target.secondaryExporters, expDep{i, CacheKeyWithSelector{CacheKey: k, Selector: src.cacheMap.Deps[i].Selector}})
+		}
+		if d.slowCacheKey != nil {
+			target.secondaryExporters = append(target.secondaryExporters, expDep{i, CacheKeyWithSelector{CacheKey: *d.slowCacheKey}})
+		}
+		if d.result != nil {
+			target.secondaryExporters = append(target.secondaryExporters, expDep{i, CacheKeyWithSelector{CacheKey: d.result.CacheKey(), Selector: src.cacheMap.Deps[i].Selector}})
+		}
+	}
+
+	// TODO(tonistiigi): merge cache providers
+
+	return true
+}
+
+// edgeFactory allows access to the edges from a shared graph
+type edgeFactory interface {
+	getEdge(Edge) *edge
+	setEdge(Edge, *edge)
+}
+
+type pipeFactory struct {
+	e *edge
+	s *scheduler
+}
+
+func (pf *pipeFactory) NewInputRequest(ee Edge, req *edgeRequest) pipe.Receiver {
+	target := pf.s.ef.getEdge(ee)
+	if target == nil {
+		panic("failed to get edge") // TODO: return errored pipe
+	}
+	p := pf.s.newPipe(target, pf.e, pipe.Request{Payload: req})
+	if debugScheduler {
+		logrus.Debugf("> newPipe %s %p desiredState=%s", ee.Vertex.Name(), p, req.desiredState)
+	}
+	return p.Receiver
+}
+
+func (pf *pipeFactory) NewFuncRequest(f func(context.Context) (interface{}, error)) pipe.Receiver {
+	p := pf.s.newRequestWithFunc(pf.e, f)
+	if debugScheduler {
+		logrus.Debugf("> newFunc %p", p)
+	}
+	return p
+}
+
+func debugSchedulerPreUnpark(e *edge, inc []pipe.Sender, updates, allPipes []pipe.Receiver) {
+	if !debugScheduler {
+		return
+	}
+	logrus.Debugf(">> unpark %s req=%d upt=%d out=%d state=%s %s", e.edge.Vertex.Name(), len(inc), len(updates), len(allPipes), e.state, e.edge.Vertex.Digest())
+
+	for i, dep := range e.deps {
+		des := edgeStatusInitial
+		if dep.req != nil {
+			des = dep.req.Request().(*edgeRequest).desiredState
+		}
+		logrus.Debugf(":: dep%d %s state=%s des=%s keys=%s hasslowcache=%v", i, e.edge.Vertex.Inputs()[i].Vertex.Name(), dep.state, des, len(dep.keys), e.slowCacheFunc(dep) != nil)
+	}
+
+	for i, in := range inc {
+		req := in.Request()
+		logrus.Debugf("> incoming-%d: %p dstate=%s canceled=%v", i, in, req.Payload.(*edgeRequest).desiredState, req.Canceled)
+	}
+
+	for i, up := range updates {
+		if up == e.cacheMapReq {
+			logrus.Debugf("> update-%d: %p cacheMapReq complete=%v", i, up, up.Status().Completed)
+		} else if up == e.execReq {
+			logrus.Debugf("> update-%d: %p execReq complete=%v", i, up, up.Status().Completed)
+		} else {
+			st, ok := up.Status().Value.(*edgeState)
+			if ok {
+				index := -1
+				if dep, ok := e.depRequests[up]; ok {
+					index = int(dep.index)
+				}
+				logrus.Debugf("> update-%d: %p input-%d keys=%d state=%s", i, up, index, len(st.keys), st.state)
+			} else {
+				logrus.Debugf("> update-%d: unknown", i)
+			}
+		}
+	}
+}
+
+func debugSchedulerPostUnpark(e *edge, inc []pipe.Sender) {
+	if !debugScheduler {
+		return
+	}
+	for i, in := range inc {
+		logrus.Debugf("< incoming-%d: %p completed=%v", i, in, in.Status().Completed)
+	}
+	logrus.Debugf("<< unpark %s\n", e.edge.Vertex.Name())
+}
diff --git a/engine/vendor/github.com/moby/buildkit/solver/types.go b/engine/vendor/github.com/moby/buildkit/solver/types.go
new file mode 100644
index 00000000..5de320b4
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/solver/types.go
@@ -0,0 +1,168 @@
+package solver
+
+import (
+	"context"
+	"time"
+
+	"github.com/containerd/containerd/content"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// Vertex is one node in the build graph
+type Vertex interface {
+	// Digest is a content-addressable vertex identifier
+	Digest() digest.Digest
+	// Sys returns an internal value that is used to execute the vertex. Usually
+	// this is capured by the operation resolver method during solve.
+	Sys() interface{}
+	Options() VertexOptions
+	// Array of edges current vertex depends on.
+	Inputs() []Edge
+	Name() string
+}
+
+// Index is a index value for output edge
+type Index int
+
+// Edge is a path to a specific output of the vertex
+type Edge struct {
+	Index  Index
+	Vertex Vertex
+}
+
+// VertexOptions has optional metadata for the vertex that is not contained in digest
+type VertexOptions struct {
+	IgnoreCache  bool
+	CacheSources []CacheManager
+	Description  map[string]string // text values with no special meaning for solver
+	ExportCache  *bool
+	// WorkerConstraint
+}
+
+// Result is an abstract return value for a solve
+type Result interface {
+	ID() string
+	Release(context.Context) error
+	Sys() interface{}
+}
+
+// CachedResult is a result connected with its cache key
+type CachedResult interface {
+	Result
+	CacheKey() ExportableCacheKey
+}
+
+// CacheExportMode is the type for setting cache exporting modes
+type CacheExportMode int
+
+const (
+	// CacheExportModeMin exports a topmost allowed vertex and its dependencies
+	// that already have transferable layers
+	CacheExportModeMin CacheExportMode = iota
+	// CacheExportModeMax exports all possible non-root vertexes
+	CacheExportModeMax
+	// CacheExportModeRemoteOnly only exports vertexes that already have
+	// transferable layers
+	CacheExportModeRemoteOnly
+)
+
+// CacheExportOpt defines options for exporting build cache
+type CacheExportOpt struct {
+	// Convert can convert a build result to transferable object
+	Convert func(context.Context, Result) (*Remote, error)
+	// Mode defines a cache export algorithm
+	Mode CacheExportMode
+}
+
+// CacheExporter can export the artifacts of the build chain
+type CacheExporter interface {
+	ExportTo(ctx context.Context, t CacheExporterTarget, opt CacheExportOpt) ([]CacheExporterRecord, error)
+}
+
+// CacheExporterTarget defines object capable of receiving exports
+type CacheExporterTarget interface {
+	Add(dgst digest.Digest) CacheExporterRecord
+	Visit(interface{})
+	Visited(interface{}) bool
+}
+
+// CacheExporterRecord is a single object being exported
+type CacheExporterRecord interface {
+	AddResult(createdAt time.Time, result *Remote)
+	LinkFrom(src CacheExporterRecord, index int, selector string)
+}
+
+// Remote is a descriptor or a list of stacked descriptors that can be pulled
+// from a content provider
+// TODO: add closer to keep referenced data from getting deleted
+type Remote struct {
+	Descriptors []ocispec.Descriptor
+	Provider    content.Provider
+}
+
+// CacheLink is a link between two cache records
+type CacheLink struct {
+	Source   digest.Digest `json:",omitempty"`
+	Input    Index         `json:",omitempty"`
+	Output   Index         `json:",omitempty"`
+	Base     digest.Digest `json:",omitempty"`
+	Selector digest.Digest `json:",omitempty"`
+}
+
+// Op is an implementation for running a vertex
+type Op interface {
+	// CacheMap returns structure describing how the operation is cached.
+	// Currently only roots are allowed to return multiple cache maps per op.
+	CacheMap(context.Context, int) (*CacheMap, bool, error)
+	// Exec runs an operation given results from previous operations.
+	Exec(ctx context.Context, inputs []Result) (outputs []Result, err error)
+}
+
+type ResultBasedCacheFunc func(context.Context, Result) (digest.Digest, error)
+
+type CacheMap struct {
+	// Digest is a base digest for operation that needs to be combined with
+	// inputs cache or selectors for dependencies.
+	Digest digest.Digest
+	Deps   []struct {
+		// Optional digest that is merged with the cache key of the input
+		Selector digest.Digest
+		// Optional function that returns a digest for the input based on its
+		// return value
+		ComputeDigestFunc ResultBasedCacheFunc
+	}
+}
+
+// ExportableCacheKey is a cache key connected with an exporter that can export
+// a chain of cacherecords pointing to that key
+type ExportableCacheKey struct {
+	*CacheKey
+	Exporter CacheExporter
+}
+
+// CacheRecord is an identifier for loading in cache
+type CacheRecord struct {
+	ID        string
+	Size      int
+	CreatedAt time.Time
+	Priority  int
+
+	cacheManager *cacheManager
+	key          *CacheKey
+}
+
+// CacheManager implements build cache backend
+type CacheManager interface {
+	// ID is used to identify cache providers that are backed by same source
+	// to avoid duplicate calls to the same provider
+	ID() string
+	// Query searches for cache paths from one cache key to the output of a
+	// possible match.
+	Query(inp []CacheKeyWithSelector, inputIndex Index, dgst digest.Digest, outputIndex Index) ([]*CacheKey, error)
+	Records(ck *CacheKey) ([]*CacheRecord, error)
+	// Load pulls and returns the cached result
+	Load(ctx context.Context, rec *CacheRecord) (Result, error)
+	// Save saves a result based on a cache key
+	Save(key *CacheKey, s Result) (*ExportableCacheKey, error)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/source/git/gitsource.go b/engine/vendor/github.com/moby/buildkit/source/git/gitsource.go
new file mode 100644
index 00000000..e9b1e8c1
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/source/git/gitsource.go
@@ -0,0 +1,406 @@
+package git
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/boltdb/bolt"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/cache/metadata"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/source"
+	"github.com/moby/buildkit/util/progress/logs"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var validHex = regexp.MustCompile(`^[a-f0-9]{40}$`)
+
+type Opt struct {
+	CacheAccessor cache.Accessor
+	MetadataStore *metadata.Store
+}
+
+type gitSource struct {
+	md     *metadata.Store
+	cache  cache.Accessor
+	locker *locker.Locker
+}
+
+func NewSource(opt Opt) (source.Source, error) {
+	gs := &gitSource{
+		md:     opt.MetadataStore,
+		cache:  opt.CacheAccessor,
+		locker: locker.New(),
+	}
+
+	if err := exec.Command("git", "version").Run(); err != nil {
+		return nil, errors.Wrap(err, "failed to find git binary")
+	}
+
+	return gs, nil
+}
+
+func (gs *gitSource) ID() string {
+	return source.GitScheme
+}
+
+// needs to be called with repo lock
+func (gs *gitSource) mountRemote(ctx context.Context, remote string) (target string, release func(), retErr error) {
+	remoteKey := "git-remote::" + remote
+
+	sis, err := gs.md.Search(remoteKey)
+	if err != nil {
+		return "", nil, errors.Wrapf(err, "failed to search metadata for %s", remote)
+	}
+
+	var remoteRef cache.MutableRef
+	for _, si := range sis {
+		remoteRef, err = gs.cache.GetMutable(ctx, si.ID())
+		if err != nil {
+			if cache.IsLocked(err) {
+				// should never really happen as no other function should access this metadata, but lets be graceful
+				logrus.Warnf("mutable ref for %s  %s was locked: %v", remote, si.ID(), err)
+				continue
+			}
+			return "", nil, errors.Wrapf(err, "failed to get mutable ref for %s", remote)
+		}
+		break
+	}
+
+	initializeRepo := false
+	if remoteRef == nil {
+		remoteRef, err = gs.cache.New(ctx, nil, cache.CachePolicyRetain, cache.WithDescription(fmt.Sprintf("shared git repo for %s", remote)))
+		if err != nil {
+			return "", nil, errors.Wrapf(err, "failed to create new mutable for %s", remote)
+		}
+		initializeRepo = true
+	}
+
+	releaseRemoteRef := func() {
+		remoteRef.Release(context.TODO())
+	}
+
+	defer func() {
+		if retErr != nil && remoteRef != nil {
+			releaseRemoteRef()
+		}
+	}()
+
+	mount, err := remoteRef.Mount(ctx, false)
+	if err != nil {
+		return "", nil, err
+	}
+
+	lm := snapshot.LocalMounter(mount)
+	dir, err := lm.Mount()
+	if err != nil {
+		return "", nil, err
+	}
+
+	defer func() {
+		if retErr != nil {
+			lm.Unmount()
+		}
+	}()
+
+	if initializeRepo {
+		if _, err := gitWithinDir(ctx, dir, "", "init", "--bare"); err != nil {
+			return "", nil, errors.Wrapf(err, "failed to init repo at %s", dir)
+		}
+
+		if _, err := gitWithinDir(ctx, dir, "", "remote", "add", "origin", remote); err != nil {
+			return "", nil, errors.Wrapf(err, "failed add origin repo at %s", dir)
+		}
+
+		// same new remote metadata
+		si, _ := gs.md.Get(remoteRef.ID())
+		v, err := metadata.NewValue(remoteKey)
+		v.Index = remoteKey
+		if err != nil {
+			return "", nil, err
+		}
+
+		if err := si.Update(func(b *bolt.Bucket) error {
+			return si.SetValue(b, "git-remote", v)
+		}); err != nil {
+			return "", nil, err
+		}
+	}
+	return dir, func() {
+		lm.Unmount()
+		releaseRemoteRef()
+	}, nil
+}
+
+type gitSourceHandler struct {
+	*gitSource
+	src      source.GitIdentifier
+	cacheKey string
+}
+
+func (gs *gitSource) Resolve(ctx context.Context, id source.Identifier) (source.SourceInstance, error) {
+	gitIdentifier, ok := id.(*source.GitIdentifier)
+	if !ok {
+		return nil, errors.Errorf("invalid git identifier %v", id)
+	}
+
+	return &gitSourceHandler{
+		src:       *gitIdentifier,
+		gitSource: gs,
+	}, nil
+}
+
+func (gs *gitSourceHandler) CacheKey(ctx context.Context, index int) (string, bool, error) {
+	remote := gs.src.Remote
+	ref := gs.src.Ref
+	if ref == "" {
+		ref = "master"
+	}
+	gs.locker.Lock(remote)
+	defer gs.locker.Unlock(remote)
+
+	if isCommitSHA(ref) {
+		gs.cacheKey = ref
+		return ref, true, nil
+	}
+
+	gitDir, unmountGitDir, err := gs.mountRemote(ctx, remote)
+	if err != nil {
+		return "", false, err
+	}
+	defer unmountGitDir()
+
+	// TODO: should we assume that remote tag is immutable? add a timer?
+
+	buf, err := gitWithinDir(ctx, gitDir, "", "ls-remote", "origin", ref)
+	if err != nil {
+		return "", false, errors.Wrapf(err, "failed to fetch remote %s", remote)
+	}
+	out := buf.String()
+	idx := strings.Index(out, "\t")
+	if idx == -1 {
+		return "", false, errors.Errorf("failed to find commit SHA from output: %s", string(out))
+	}
+
+	sha := string(out[:idx])
+	if !isCommitSHA(sha) {
+		return "", false, errors.Errorf("invalid commit sha %q", sha)
+	}
+	gs.cacheKey = sha
+	return sha, true, nil
+}
+
+func (gs *gitSourceHandler) Snapshot(ctx context.Context) (out cache.ImmutableRef, retErr error) {
+	ref := gs.src.Ref
+	if ref == "" {
+		ref = "master"
+	}
+
+	cacheKey := gs.cacheKey
+	if cacheKey == "" {
+		var err error
+		cacheKey, _, err = gs.CacheKey(ctx, 0)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	snapshotKey := "git-snapshot::" + cacheKey + ":" + gs.src.Subdir
+	gs.locker.Lock(snapshotKey)
+	defer gs.locker.Unlock(snapshotKey)
+
+	sis, err := gs.md.Search(snapshotKey)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to search metadata for %s", snapshotKey)
+	}
+	if len(sis) > 0 {
+		return gs.cache.Get(ctx, sis[0].ID())
+	}
+
+	gs.locker.Lock(gs.src.Remote)
+	defer gs.locker.Unlock(gs.src.Remote)
+	gitDir, unmountGitDir, err := gs.mountRemote(ctx, gs.src.Remote)
+	if err != nil {
+		return nil, err
+	}
+	defer unmountGitDir()
+
+	doFetch := true
+	if isCommitSHA(ref) {
+		// skip fetch if commit already exists
+		if _, err := gitWithinDir(ctx, gitDir, "", "cat-file", "-e", ref+"^{commit}"); err == nil {
+			doFetch = false
+		}
+	}
+
+	if doFetch {
+		args := []string{"fetch"}
+		if !isCommitSHA(ref) { // TODO: find a branch from ls-remote?
+			args = append(args, "--depth=1", "--no-tags")
+		} else {
+			if _, err := os.Lstat(filepath.Join(gitDir, "shallow")); err == nil {
+				args = append(args, "--unshallow")
+			}
+		}
+		args = append(args, "origin")
+		if !isCommitSHA(ref) {
+			args = append(args, ref+":tags/"+ref)
+			// local refs are needed so they would be advertised on next fetches
+			// TODO: is there a better way to do this?
+		}
+		if _, err := gitWithinDir(ctx, gitDir, "", args...); err != nil {
+			return nil, errors.Wrapf(err, "failed to fetch remote %s", gs.src.Remote)
+		}
+	}
+
+	checkoutRef, err := gs.cache.New(ctx, nil, cache.WithDescription(fmt.Sprintf("git snapshot for %s#%s", gs.src.Remote, ref)))
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to create new mutable for %s", gs.src.Remote)
+	}
+
+	defer func() {
+		if retErr != nil && checkoutRef != nil {
+			checkoutRef.Release(context.TODO())
+		}
+	}()
+
+	mount, err := checkoutRef.Mount(ctx, false)
+	if err != nil {
+		return nil, err
+	}
+	lm := snapshot.LocalMounter(mount)
+	checkoutDir, err := lm.Mount()
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if retErr != nil && lm != nil {
+			lm.Unmount()
+		}
+	}()
+
+	if gs.src.KeepGitDir {
+		_, err = gitWithinDir(ctx, checkoutDir, "", "init")
+		if err != nil {
+			return nil, err
+		}
+		_, err = gitWithinDir(ctx, checkoutDir, "", "remote", "add", "origin", gitDir)
+		if err != nil {
+			return nil, err
+		}
+		pullref := ref
+		if isCommitSHA(ref) {
+			pullref = "refs/buildkit/" + identity.NewID()
+			_, err = gitWithinDir(ctx, gitDir, "", "update-ref", pullref, ref)
+			if err != nil {
+				return nil, err
+			}
+		}
+		_, err = gitWithinDir(ctx, checkoutDir, "", "fetch", "--depth=1", "origin", pullref)
+		if err != nil {
+			return nil, err
+		}
+		_, err = gitWithinDir(ctx, checkoutDir, checkoutDir, "checkout", "FETCH_HEAD")
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to checkout remote %s", gs.src.Remote)
+		}
+		gitDir = checkoutDir
+	} else {
+		_, err = gitWithinDir(ctx, gitDir, checkoutDir, "checkout", ref, "--", ".")
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to checkout remote %s", gs.src.Remote)
+		}
+	}
+
+	_, err = gitWithinDir(ctx, gitDir, checkoutDir, "submodule", "update", "--init", "--recursive", "--depth=1")
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to update submodules for %s", gs.src.Remote)
+	}
+
+	lm.Unmount()
+	lm = nil
+
+	snap, err := checkoutRef.Commit(ctx)
+	if err != nil {
+		return nil, err
+	}
+	checkoutRef = nil
+
+	defer func() {
+		if retErr != nil {
+			snap.Release(context.TODO())
+		}
+	}()
+
+	si, _ := gs.md.Get(snap.ID())
+	v, err := metadata.NewValue(snapshotKey)
+	v.Index = snapshotKey
+	if err != nil {
+		return nil, err
+	}
+	if err := si.Update(func(b *bolt.Bucket) error {
+		return si.SetValue(b, "git-snapshot", v)
+	}); err != nil {
+		return nil, err
+	}
+
+	return snap, nil
+}
+
+func isCommitSHA(str string) bool {
+	return validHex.MatchString(str)
+}
+
+func gitWithinDir(ctx context.Context, gitDir, workDir string, args ...string) (*bytes.Buffer, error) {
+	a := []string{"--git-dir", gitDir}
+	if workDir != "" {
+		a = append(a, "--work-tree", workDir)
+	}
+	return git(ctx, workDir, append(a, args...)...)
+}
+
+func git(ctx context.Context, dir string, args ...string) (*bytes.Buffer, error) {
+	for {
+		stdout, stderr := logs.NewLogStreams(ctx, false)
+		defer stdout.Close()
+		defer stderr.Close()
+		cmd := exec.Command("git", args...)
+		cmd.Dir = dir // some commands like submodule require this
+		buf := bytes.NewBuffer(nil)
+		errbuf := bytes.NewBuffer(nil)
+		cmd.Stdout = io.MultiWriter(stdout, buf)
+		cmd.Stderr = io.MultiWriter(stderr, errbuf)
+		// remote git commands spawn helper processes that inherit FDs and don't
+		// handle parent death signal so exec.CommandContext can't be used
+		err := runProcessGroup(ctx, cmd)
+		if err != nil {
+			if strings.Contains(errbuf.String(), "--depth") || strings.Contains(errbuf.String(), "shallow") {
+				if newArgs := argsNoDepth(args); len(args) > len(newArgs) {
+					args = newArgs
+					continue
+				}
+			}
+		}
+		return buf, err
+	}
+}
+
+func argsNoDepth(args []string) []string {
+	out := make([]string, 0, len(args))
+	for _, a := range args {
+		if a != "--depth=1" {
+			out = append(out, a)
+		}
+	}
+	return out
+}
diff --git a/engine/vendor/github.com/moby/buildkit/source/git/gitsource_unix.go b/engine/vendor/github.com/moby/buildkit/source/git/gitsource_unix.go
new file mode 100644
index 00000000..4d0e9d89
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/source/git/gitsource_unix.go
@@ -0,0 +1,27 @@
+// +build !windows
+
+package git
+
+import (
+	"context"
+	"os/exec"
+	"syscall"
+)
+
+func runProcessGroup(ctx context.Context, cmd *exec.Cmd) error {
+	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	waitDone := make(chan struct{})
+	go func() {
+		select {
+		case <-ctx.Done():
+			syscall.Kill(-cmd.Process.Pid, syscall.SIGKILL)
+		case <-waitDone:
+		}
+	}()
+	err := cmd.Wait()
+	close(waitDone)
+	return err
+}
diff --git a/engine/vendor/github.com/moby/buildkit/source/git/gitsource_windows.go b/engine/vendor/github.com/moby/buildkit/source/git/gitsource_windows.go
new file mode 100644
index 00000000..3435c8f9
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/source/git/gitsource_windows.go
@@ -0,0 +1,23 @@
+// +build windows
+
+package git
+
+import (
+	"context"
+	"os/exec"
+)
+
+func runProcessGroup(ctx context.Context, cmd *exec.Cmd) error {
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	waitDone := make(chan struct{})
+	go func() {
+		select {
+		case <-ctx.Done():
+			cmd.Process.Kill()
+		case <-waitDone:
+		}
+	}()
+	return cmd.Wait()
+}
diff --git a/engine/vendor/github.com/moby/buildkit/source/gitidentifier.go b/engine/vendor/github.com/moby/buildkit/source/gitidentifier.go
new file mode 100644
index 00000000..9f338343
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/source/gitidentifier.go
@@ -0,0 +1,70 @@
+package source
+
+import (
+	"net/url"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+type GitIdentifier struct {
+	Remote     string
+	Ref        string
+	Subdir     string
+	KeepGitDir bool
+}
+
+func NewGitIdentifier(remoteURL string) (*GitIdentifier, error) {
+	repo := GitIdentifier{}
+
+	if !isGitTransport(remoteURL) {
+		remoteURL = "https://" + remoteURL
+	}
+
+	var fragment string
+	if strings.HasPrefix(remoteURL, "git@") {
+		// git@.. is not an URL, so cannot be parsed as URL
+		parts := strings.SplitN(remoteURL, "#", 2)
+
+		repo.Remote = parts[0]
+		if len(parts) == 2 {
+			fragment = parts[1]
+		}
+		repo.Ref, repo.Subdir = getRefAndSubdir(fragment)
+	} else {
+		u, err := url.Parse(remoteURL)
+		if err != nil {
+			return nil, err
+		}
+
+		repo.Ref, repo.Subdir = getRefAndSubdir(u.Fragment)
+		u.Fragment = ""
+		repo.Remote = u.String()
+	}
+	if repo.Subdir != "" {
+		return nil, errors.Errorf("subdir not supported yet")
+	}
+	return &repo, nil
+}
+
+func (i *GitIdentifier) ID() string {
+	return "git"
+}
+
+// isGitTransport returns true if the provided str is a git transport by inspecting
+// the prefix of the string for known protocols used in git.
+func isGitTransport(str string) bool {
+	return strings.HasPrefix(str, "http://") || strings.HasPrefix(str, "https://") || strings.HasPrefix(str, "git://") || strings.HasPrefix(str, "git@")
+}
+
+func getRefAndSubdir(fragment string) (ref string, subdir string) {
+	refAndDir := strings.SplitN(fragment, ":", 2)
+	ref = "master"
+	if len(refAndDir[0]) != 0 {
+		ref = refAndDir[0]
+	}
+	if len(refAndDir) > 1 && len(refAndDir[1]) != 0 {
+		subdir = refAndDir[1]
+	}
+	return
+}
diff --git a/engine/vendor/github.com/moby/buildkit/source/http/httpsource.go b/engine/vendor/github.com/moby/buildkit/source/http/httpsource.go
new file mode 100644
index 00000000..58c70400
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/source/http/httpsource.go
@@ -0,0 +1,429 @@
+package http
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/json"
+	"fmt"
+	"io"
+	"mime"
+	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/boltdb/bolt"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/cache/metadata"
+	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/source"
+	"github.com/moby/buildkit/util/tracing"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+)
+
+type Opt struct {
+	CacheAccessor cache.Accessor
+	MetadataStore *metadata.Store
+	Transport     http.RoundTripper
+}
+
+type httpSource struct {
+	md     *metadata.Store
+	cache  cache.Accessor
+	locker *locker.Locker
+	client *http.Client
+}
+
+func NewSource(opt Opt) (source.Source, error) {
+	transport := opt.Transport
+	if transport == nil {
+		transport = tracing.DefaultTransport
+	}
+	hs := &httpSource{
+		md:     opt.MetadataStore,
+		cache:  opt.CacheAccessor,
+		locker: locker.New(),
+		client: &http.Client{
+			Transport: transport,
+		},
+	}
+	return hs, nil
+}
+
+func (hs *httpSource) ID() string {
+	return source.HttpsScheme
+}
+
+type httpSourceHandler struct {
+	*httpSource
+	src      source.HttpIdentifier
+	refID    string
+	cacheKey digest.Digest
+}
+
+func (hs *httpSource) Resolve(ctx context.Context, id source.Identifier) (source.SourceInstance, error) {
+	httpIdentifier, ok := id.(*source.HttpIdentifier)
+	if !ok {
+		return nil, errors.Errorf("invalid http identifier %v", id)
+	}
+
+	return &httpSourceHandler{
+		src:        *httpIdentifier,
+		httpSource: hs,
+	}, nil
+}
+
+// urlHash is internal hash the etag is stored by that doesn't leak outside
+// this package.
+func (hs *httpSourceHandler) urlHash() (digest.Digest, error) {
+	dt, err := json.Marshal(struct {
+		Filename       string
+		Perm, UID, GID int
+	}{
+		Filename: getFileName(hs.src.URL, hs.src.Filename, nil),
+		Perm:     hs.src.Perm,
+		UID:      hs.src.UID,
+		GID:      hs.src.GID,
+	})
+	if err != nil {
+		return "", err
+	}
+	return digest.FromBytes(dt), nil
+}
+
+func (hs *httpSourceHandler) formatCacheKey(filename string, dgst digest.Digest, lastModTime string) digest.Digest {
+	dt, err := json.Marshal(struct {
+		Filename       string
+		Perm, UID, GID int
+		Checksum       digest.Digest
+		LastModTime    string `json:",omitempty"`
+	}{
+		Filename:    filename,
+		Perm:        hs.src.Perm,
+		UID:         hs.src.UID,
+		GID:         hs.src.GID,
+		Checksum:    dgst,
+		LastModTime: lastModTime,
+	})
+	if err != nil {
+		return dgst
+	}
+	return digest.FromBytes(dt)
+}
+
+func (hs *httpSourceHandler) CacheKey(ctx context.Context, index int) (string, bool, error) {
+	if hs.src.Checksum != "" {
+		hs.cacheKey = hs.src.Checksum
+		return hs.formatCacheKey(getFileName(hs.src.URL, hs.src.Filename, nil), hs.src.Checksum, "").String(), true, nil
+	}
+
+	uh, err := hs.urlHash()
+	if err != nil {
+		return "", false, nil
+	}
+
+	// look up metadata(previously stored headers) for that URL
+	sis, err := hs.md.Search(uh.String())
+	if err != nil {
+		return "", false, errors.Wrapf(err, "failed to search metadata for %s", uh)
+	}
+
+	req, err := http.NewRequest("GET", hs.src.URL, nil)
+	if err != nil {
+		return "", false, err
+	}
+	req = req.WithContext(ctx)
+	m := map[string]*metadata.StorageItem{}
+
+	if len(sis) > 0 {
+		for _, si := range sis {
+			// if metaDigest := getMetaDigest(si); metaDigest == hs.formatCacheKey("") {
+			if etag := getETag(si); etag != "" {
+				if dgst := getChecksum(si); dgst != "" {
+					m[etag] = si
+					req.Header.Add("If-None-Match", etag)
+				}
+			}
+			// }
+		}
+	}
+
+	resp, err := hs.client.Do(req)
+	if err != nil {
+		return "", false, err
+	}
+	if resp.StatusCode < 200 || resp.StatusCode >= 400 {
+		return "", false, errors.Errorf("invalid response status %d", resp.StatusCode)
+	}
+	if resp.StatusCode == http.StatusNotModified {
+		respETag := resp.Header.Get("ETag")
+		si, ok := m[respETag]
+		if !ok {
+			return "", false, errors.Errorf("invalid not-modified ETag: %v", respETag)
+		}
+		hs.refID = si.ID()
+		dgst := getChecksum(si)
+		if dgst == "" {
+			return "", false, errors.Errorf("invalid metadata change")
+		}
+		modTime := getModTime(si)
+		resp.Body.Close()
+		return hs.formatCacheKey(getFileName(hs.src.URL, hs.src.Filename, resp), dgst, modTime).String(), true, nil
+	}
+
+	ref, dgst, err := hs.save(ctx, resp)
+	if err != nil {
+		return "", false, err
+	}
+	ref.Release(context.TODO())
+
+	hs.cacheKey = dgst
+
+	return hs.formatCacheKey(getFileName(hs.src.URL, hs.src.Filename, resp), dgst, resp.Header.Get("Last-Modified")).String(), true, nil
+}
+
+func (hs *httpSourceHandler) save(ctx context.Context, resp *http.Response) (ref cache.ImmutableRef, dgst digest.Digest, retErr error) {
+	newRef, err := hs.cache.New(ctx, nil, cache.CachePolicyRetain, cache.WithDescription(fmt.Sprintf("http url %s", hs.src.URL)))
+	if err != nil {
+		return nil, "", err
+	}
+
+	releaseRef := func() {
+		newRef.Release(context.TODO())
+	}
+
+	defer func() {
+		if retErr != nil && newRef != nil {
+			releaseRef()
+		}
+	}()
+
+	mount, err := newRef.Mount(ctx, false)
+	if err != nil {
+		return nil, "", err
+	}
+
+	lm := snapshot.LocalMounter(mount)
+	dir, err := lm.Mount()
+	if err != nil {
+		return nil, "", err
+	}
+
+	defer func() {
+		if retErr != nil && lm != nil {
+			lm.Unmount()
+		}
+	}()
+	perm := 0600
+	if hs.src.Perm != 0 {
+		perm = hs.src.Perm
+	}
+	fp := filepath.Join(dir, getFileName(hs.src.URL, hs.src.Filename, resp))
+
+	f, err := os.OpenFile(fp, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, os.FileMode(perm))
+	if err != nil {
+		return nil, "", err
+	}
+	defer func() {
+		if f != nil {
+			f.Close()
+		}
+	}()
+
+	h := sha256.New()
+
+	if _, err := io.Copy(io.MultiWriter(f, h), resp.Body); err != nil {
+		return nil, "", err
+	}
+
+	if err := f.Close(); err != nil {
+		return nil, "", err
+	}
+	f = nil
+
+	if hs.src.UID != 0 || hs.src.GID != 0 {
+		if err := os.Chown(fp, hs.src.UID, hs.src.GID); err != nil {
+			return nil, "", err
+		}
+	}
+
+	mTime := time.Unix(0, 0)
+	lastMod := resp.Header.Get("Last-Modified")
+	if lastMod != "" {
+		if parsedMTime, err := http.ParseTime(lastMod); err == nil {
+			mTime = parsedMTime
+		}
+	}
+
+	if err := os.Chtimes(fp, mTime, mTime); err != nil {
+		return nil, "", err
+	}
+
+	lm.Unmount()
+	lm = nil
+
+	ref, err = newRef.Commit(ctx)
+	if err != nil {
+		return nil, "", err
+	}
+	newRef = nil
+
+	hs.refID = ref.ID()
+	dgst = digest.NewDigest(digest.SHA256, h)
+
+	if respETag := resp.Header.Get("ETag"); respETag != "" {
+		setETag(ref.Metadata(), respETag)
+		uh, err := hs.urlHash()
+		if err != nil {
+			return nil, "", err
+		}
+		setChecksum(ref.Metadata(), uh.String(), dgst)
+		if err := ref.Metadata().Commit(); err != nil {
+			return nil, "", err
+		}
+	}
+
+	if modTime := resp.Header.Get("Last-Modified"); modTime != "" {
+		setModTime(ref.Metadata(), modTime)
+	}
+
+	return ref, dgst, nil
+}
+
+func (hs *httpSourceHandler) Snapshot(ctx context.Context) (cache.ImmutableRef, error) {
+	if hs.refID != "" {
+		ref, err := hs.cache.Get(ctx, hs.refID)
+		if err == nil {
+			return ref, nil
+		}
+	}
+
+	req, err := http.NewRequest("GET", hs.src.URL, nil)
+	if err != nil {
+		return nil, err
+	}
+	req = req.WithContext(ctx)
+
+	resp, err := hs.client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	ref, dgst, err := hs.save(ctx, resp)
+	if err != nil {
+		return nil, err
+	}
+	if dgst != hs.cacheKey {
+		ref.Release(context.TODO())
+		return nil, errors.Errorf("digest mismatch %s: %s", dgst, hs.cacheKey)
+	}
+
+	return ref, nil
+}
+
+const keyETag = "etag"
+const keyChecksum = "http.checksum"
+const keyModTime = "http.modtime"
+
+func setETag(si *metadata.StorageItem, s string) error {
+	v, err := metadata.NewValue(s)
+	if err != nil {
+		return errors.Wrap(err, "failed to create etag value")
+	}
+	si.Queue(func(b *bolt.Bucket) error {
+		return si.SetValue(b, keyETag, v)
+	})
+	return nil
+}
+
+func getETag(si *metadata.StorageItem) string {
+	v := si.Get(keyETag)
+	if v == nil {
+		return ""
+	}
+	var etag string
+	if err := v.Unmarshal(&etag); err != nil {
+		return ""
+	}
+	return etag
+}
+
+func setModTime(si *metadata.StorageItem, s string) error {
+	v, err := metadata.NewValue(s)
+	if err != nil {
+		return errors.Wrap(err, "failed to create modtime value")
+	}
+	si.Queue(func(b *bolt.Bucket) error {
+		return si.SetValue(b, keyModTime, v)
+	})
+	return nil
+}
+
+func getModTime(si *metadata.StorageItem) string {
+	v := si.Get(keyModTime)
+	if v == nil {
+		return ""
+	}
+	var modTime string
+	if err := v.Unmarshal(&modTime); err != nil {
+		return ""
+	}
+	return modTime
+}
+
+func setChecksum(si *metadata.StorageItem, url string, d digest.Digest) error {
+	v, err := metadata.NewValue(d)
+	if err != nil {
+		return errors.Wrap(err, "failed to create checksum value")
+	}
+	v.Index = url
+	si.Queue(func(b *bolt.Bucket) error {
+		return si.SetValue(b, keyChecksum, v)
+	})
+	return nil
+}
+
+func getChecksum(si *metadata.StorageItem) digest.Digest {
+	v := si.Get(keyChecksum)
+	if v == nil {
+		return ""
+	}
+	var dgstStr string
+	if err := v.Unmarshal(&dgstStr); err != nil {
+		return ""
+	}
+	dgst, err := digest.Parse(dgstStr)
+	if err != nil {
+		return ""
+	}
+	return dgst
+}
+
+func getFileName(urlStr, manualFilename string, resp *http.Response) string {
+	if manualFilename != "" {
+		return manualFilename
+	}
+	if resp != nil {
+		if contentDisposition := resp.Header.Get("Content-Disposition"); contentDisposition != "" {
+			if _, params, err := mime.ParseMediaType(contentDisposition); err == nil {
+				if params["filename"] != "" && !strings.HasSuffix(params["filename"], "/") {
+					if filename := filepath.Base(filepath.FromSlash(params["filename"])); filename != "" {
+						return filename
+					}
+				}
+			}
+		}
+	}
+	u, err := url.Parse(urlStr)
+	if err == nil {
+		if base := path.Base(u.Path); base != "." && base != "/" {
+			return base
+		}
+	}
+	return "download"
+}
diff --git a/engine/vendor/github.com/moby/buildkit/source/identifier.go b/engine/vendor/github.com/moby/buildkit/source/identifier.go
new file mode 100644
index 00000000..a4d9f5a0
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/source/identifier.go
@@ -0,0 +1,205 @@
+package source
+
+import (
+	"encoding/json"
+	"strconv"
+	"strings"
+
+	"github.com/containerd/containerd/reference"
+	"github.com/moby/buildkit/solver/pb"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+var (
+	errInvalid  = errors.New("invalid")
+	errNotFound = errors.New("not found")
+)
+
+const (
+	DockerImageScheme = "docker-image"
+	GitScheme         = "git"
+	LocalScheme       = "local"
+	HttpScheme        = "http"
+	HttpsScheme       = "https"
+)
+
+type Identifier interface {
+	ID() string // until sources are in process this string comparison could be avoided
+}
+
+func FromString(s string) (Identifier, error) {
+	// TODO: improve this
+	parts := strings.SplitN(s, "://", 2)
+	if len(parts) != 2 {
+		return nil, errors.Wrapf(errInvalid, "failed to parse %s", s)
+	}
+
+	switch parts[0] {
+	case DockerImageScheme:
+		return NewImageIdentifier(parts[1])
+	case GitScheme:
+		return NewGitIdentifier(parts[1])
+	case LocalScheme:
+		return NewLocalIdentifier(parts[1])
+	case HttpsScheme:
+		return NewHttpIdentifier(parts[1], true)
+	case HttpScheme:
+		return NewHttpIdentifier(parts[1], false)
+	default:
+		return nil, errors.Wrapf(errNotFound, "unknown schema %s", parts[0])
+	}
+}
+func FromLLB(op *pb.Op_Source, platform *pb.Platform) (Identifier, error) {
+	id, err := FromString(op.Source.Identifier)
+	if err != nil {
+		return nil, err
+	}
+	if id, ok := id.(*ImageIdentifier); ok && platform != nil {
+		id.Platform = &specs.Platform{
+			OS:           platform.OS,
+			Architecture: platform.Architecture,
+			Variant:      platform.Variant,
+			OSVersion:    platform.OSVersion,
+			OSFeatures:   platform.OSFeatures,
+		}
+	}
+	if id, ok := id.(*GitIdentifier); ok {
+		for k, v := range op.Source.Attrs {
+			switch k {
+			case pb.AttrKeepGitDir:
+				if v == "true" {
+					id.KeepGitDir = true
+				}
+			case pb.AttrFullRemoteURL:
+				id.Remote = v
+			}
+		}
+	}
+	if id, ok := id.(*LocalIdentifier); ok {
+		for k, v := range op.Source.Attrs {
+			switch k {
+			case pb.AttrLocalSessionID:
+				id.SessionID = v
+				if p := strings.SplitN(v, ":", 2); len(p) == 2 {
+					id.Name = p[0] + "-" + id.Name
+					id.SessionID = p[1]
+				}
+			case pb.AttrIncludePatterns:
+				var patterns []string
+				if err := json.Unmarshal([]byte(v), &patterns); err != nil {
+					return nil, err
+				}
+				id.IncludePatterns = patterns
+			case pb.AttrExcludePatterns:
+				var patterns []string
+				if err := json.Unmarshal([]byte(v), &patterns); err != nil {
+					return nil, err
+				}
+				id.ExcludePatterns = patterns
+			case pb.AttrFollowPaths:
+				var paths []string
+				if err := json.Unmarshal([]byte(v), &paths); err != nil {
+					return nil, err
+				}
+				id.FollowPaths = paths
+			case pb.AttrSharedKeyHint:
+				id.SharedKeyHint = v
+			}
+		}
+	}
+	if id, ok := id.(*HttpIdentifier); ok {
+		for k, v := range op.Source.Attrs {
+			switch k {
+			case pb.AttrHTTPChecksum:
+				dgst, err := digest.Parse(v)
+				if err != nil {
+					return nil, err
+				}
+				id.Checksum = dgst
+			case pb.AttrHTTPFilename:
+				id.Filename = v
+			case pb.AttrHTTPPerm:
+				i, err := strconv.ParseInt(v, 0, 64)
+				if err != nil {
+					return nil, err
+				}
+				id.Perm = int(i)
+			case pb.AttrHTTPUID:
+				i, err := strconv.ParseInt(v, 0, 64)
+				if err != nil {
+					return nil, err
+				}
+				id.UID = int(i)
+			case pb.AttrHTTPGID:
+				i, err := strconv.ParseInt(v, 0, 64)
+				if err != nil {
+					return nil, err
+				}
+				id.GID = int(i)
+			}
+		}
+	}
+	return id, nil
+}
+
+type ImageIdentifier struct {
+	Reference reference.Spec
+	Platform  *specs.Platform
+}
+
+func NewImageIdentifier(str string) (*ImageIdentifier, error) {
+	ref, err := reference.Parse(str)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	if ref.Object == "" {
+		return nil, errors.WithStack(reference.ErrObjectRequired)
+	}
+	return &ImageIdentifier{Reference: ref}, nil
+}
+
+func (_ *ImageIdentifier) ID() string {
+	return DockerImageScheme
+}
+
+type LocalIdentifier struct {
+	Name            string
+	SessionID       string
+	IncludePatterns []string
+	ExcludePatterns []string
+	FollowPaths     []string
+	SharedKeyHint   string
+}
+
+func NewLocalIdentifier(str string) (*LocalIdentifier, error) {
+	return &LocalIdentifier{Name: str}, nil
+}
+
+func (*LocalIdentifier) ID() string {
+	return LocalScheme
+}
+
+func NewHttpIdentifier(str string, tls bool) (*HttpIdentifier, error) {
+	proto := "https://"
+	if !tls {
+		proto = "http://"
+	}
+	return &HttpIdentifier{TLS: tls, URL: proto + str}, nil
+}
+
+type HttpIdentifier struct {
+	TLS      bool
+	URL      string
+	Checksum digest.Digest
+	Filename string
+	Perm     int
+	UID      int
+	GID      int
+}
+
+func (_ *HttpIdentifier) ID() string {
+	return HttpsScheme
+}
diff --git a/engine/vendor/github.com/moby/buildkit/source/local/local.go b/engine/vendor/github.com/moby/buildkit/source/local/local.go
new file mode 100644
index 00000000..1e9ab6a4
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/source/local/local.go
@@ -0,0 +1,249 @@
+package local
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/boltdb/bolt"
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/cache/contenthash"
+	"github.com/moby/buildkit/cache/metadata"
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/filesync"
+	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/source"
+	"github.com/moby/buildkit/util/progress"
+	digest "github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/tonistiigi/fsutil"
+	"golang.org/x/time/rate"
+)
+
+const keySharedKey = "local.sharedKey"
+
+type Opt struct {
+	SessionManager *session.Manager
+	CacheAccessor  cache.Accessor
+	MetadataStore  *metadata.Store
+}
+
+func NewSource(opt Opt) (source.Source, error) {
+	ls := &localSource{
+		sm: opt.SessionManager,
+		cm: opt.CacheAccessor,
+		md: opt.MetadataStore,
+	}
+	return ls, nil
+}
+
+type localSource struct {
+	sm *session.Manager
+	cm cache.Accessor
+	md *metadata.Store
+}
+
+func (ls *localSource) ID() string {
+	return source.LocalScheme
+}
+
+func (ls *localSource) Resolve(ctx context.Context, id source.Identifier) (source.SourceInstance, error) {
+	localIdentifier, ok := id.(*source.LocalIdentifier)
+	if !ok {
+		return nil, errors.Errorf("invalid local identifier %v", id)
+	}
+
+	return &localSourceHandler{
+		src:         *localIdentifier,
+		localSource: ls,
+	}, nil
+}
+
+type localSourceHandler struct {
+	src source.LocalIdentifier
+	*localSource
+}
+
+func (ls *localSourceHandler) CacheKey(ctx context.Context, index int) (string, bool, error) {
+	sessionID := ls.src.SessionID
+
+	if sessionID == "" {
+		id := session.FromContext(ctx)
+		if id == "" {
+			return "", false, errors.New("could not access local files without session")
+		}
+		sessionID = id
+	}
+	dt, err := json.Marshal(struct {
+		SessionID       string
+		IncludePatterns []string
+		ExcludePatterns []string
+	}{SessionID: sessionID, IncludePatterns: ls.src.IncludePatterns, ExcludePatterns: ls.src.ExcludePatterns})
+	if err != nil {
+		return "", false, err
+	}
+	return "session:" + ls.src.Name + ":" + digest.FromBytes(dt).String(), true, nil
+}
+
+func (ls *localSourceHandler) Snapshot(ctx context.Context) (out cache.ImmutableRef, retErr error) {
+
+	id := session.FromContext(ctx)
+	if id == "" {
+		return nil, errors.New("could not access local files without session")
+	}
+
+	timeoutCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+
+	caller, err := ls.sm.Get(timeoutCtx, id)
+	if err != nil {
+		return nil, err
+	}
+
+	sharedKey := keySharedKey + ":" + ls.src.Name + ":" + ls.src.SharedKeyHint + ":" + caller.SharedKey() // TODO: replace caller.SharedKey() with source based hint from client(absolute-path+nodeid)
+
+	var mutable cache.MutableRef
+	sis, err := ls.md.Search(sharedKey)
+	if err != nil {
+		return nil, err
+	}
+	for _, si := range sis {
+		if m, err := ls.cm.GetMutable(ctx, si.ID()); err == nil {
+			logrus.Debugf("reusing ref for local: %s", m.ID())
+			mutable = m
+			break
+		}
+	}
+
+	if mutable == nil {
+		m, err := ls.cm.New(ctx, nil, cache.CachePolicyRetain, cache.WithDescription(fmt.Sprintf("local source for %s", ls.src.Name)))
+		if err != nil {
+			return nil, err
+		}
+		mutable = m
+		logrus.Debugf("new ref for local: %s", mutable.ID())
+	}
+
+	defer func() {
+		if retErr != nil && mutable != nil {
+			go mutable.Release(context.TODO())
+		}
+	}()
+
+	mount, err := mutable.Mount(ctx, false)
+	if err != nil {
+		return nil, err
+	}
+
+	lm := snapshot.LocalMounter(mount)
+
+	dest, err := lm.Mount()
+	if err != nil {
+		return nil, err
+	}
+
+	defer func() {
+		if retErr != nil && lm != nil {
+			lm.Unmount()
+		}
+	}()
+
+	cc, err := contenthash.GetCacheContext(ctx, mutable.Metadata())
+	if err != nil {
+		return nil, err
+	}
+
+	opt := filesync.FSSendRequestOpt{
+		Name:             ls.src.Name,
+		IncludePatterns:  ls.src.IncludePatterns,
+		ExcludePatterns:  ls.src.ExcludePatterns,
+		FollowPaths:      ls.src.FollowPaths,
+		OverrideExcludes: false,
+		DestDir:          dest,
+		CacheUpdater:     &cacheUpdater{cc},
+		ProgressCb:       newProgressHandler(ctx, "transferring "+ls.src.Name+":"),
+	}
+
+	if err := filesync.FSSync(ctx, caller, opt); err != nil {
+		return nil, err
+	}
+
+	if err := lm.Unmount(); err != nil {
+		return nil, err
+	}
+	lm = nil
+
+	if err := contenthash.SetCacheContext(ctx, mutable.Metadata(), cc); err != nil {
+		return nil, err
+	}
+
+	// skip storing snapshot by the shared key if it already exists
+	skipStoreSharedKey := false
+	si, _ := ls.md.Get(mutable.ID())
+	if v := si.Get(keySharedKey); v != nil {
+		var str string
+		if err := v.Unmarshal(&str); err != nil {
+			return nil, err
+		}
+		skipStoreSharedKey = str == sharedKey
+	}
+	if !skipStoreSharedKey {
+		v, err := metadata.NewValue(sharedKey)
+		if err != nil {
+			return nil, err
+		}
+		v.Index = sharedKey
+		if err := si.Update(func(b *bolt.Bucket) error {
+			return si.SetValue(b, sharedKey, v)
+		}); err != nil {
+			return nil, err
+		}
+		logrus.Debugf("saved %s as %s", mutable.ID(), sharedKey)
+	}
+
+	snap, err := mutable.Commit(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	mutable = nil // avoid deferred cleanup
+
+	return snap, nil
+}
+
+func newProgressHandler(ctx context.Context, id string) func(int, bool) {
+	limiter := rate.NewLimiter(rate.Every(100*time.Millisecond), 1)
+	pw, _, _ := progress.FromContext(ctx)
+	now := time.Now()
+	st := progress.Status{
+		Started: &now,
+		Action:  "transferring",
+	}
+	pw.Write(id, st)
+	return func(s int, last bool) {
+		if last || limiter.Allow() {
+			st.Current = s
+			if last {
+				now := time.Now()
+				st.Completed = &now
+			}
+			pw.Write(id, st)
+			if last {
+				pw.Close()
+			}
+		}
+	}
+}
+
+type cacheUpdater struct {
+	contenthash.CacheContext
+}
+
+func (cu *cacheUpdater) MarkSupported(bool) {
+}
+
+func (cu *cacheUpdater) ContentHasher() fsutil.ContentHasher {
+	return contenthash.NewFromStat
+}
diff --git a/engine/vendor/github.com/moby/buildkit/source/manager.go b/engine/vendor/github.com/moby/buildkit/source/manager.go
new file mode 100644
index 00000000..e520b6c7
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/source/manager.go
@@ -0,0 +1,48 @@
+package source
+
+import (
+	"context"
+	"sync"
+
+	"github.com/moby/buildkit/cache"
+	"github.com/pkg/errors"
+)
+
+type Source interface {
+	ID() string
+	Resolve(ctx context.Context, id Identifier) (SourceInstance, error)
+}
+
+type SourceInstance interface {
+	CacheKey(ctx context.Context, index int) (string, bool, error)
+	Snapshot(ctx context.Context) (cache.ImmutableRef, error)
+}
+
+type Manager struct {
+	mu      sync.Mutex
+	sources map[string]Source
+}
+
+func NewManager() (*Manager, error) {
+	return &Manager{
+		sources: make(map[string]Source),
+	}, nil
+}
+
+func (sm *Manager) Register(src Source) {
+	sm.mu.Lock()
+	sm.sources[src.ID()] = src
+	sm.mu.Unlock()
+}
+
+func (sm *Manager) Resolve(ctx context.Context, id Identifier) (SourceInstance, error) {
+	sm.mu.Lock()
+	src, ok := sm.sources[id.ID()]
+	sm.mu.Unlock()
+
+	if !ok {
+		return nil, errors.Errorf("no handler for %s", id.ID())
+	}
+
+	return src.Resolve(ctx, id)
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/apicaps/caps.go b/engine/vendor/github.com/moby/buildkit/util/apicaps/caps.go
new file mode 100644
index 00000000..2509b53b
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/apicaps/caps.go
@@ -0,0 +1,161 @@
+package apicaps
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	pb "github.com/moby/buildkit/util/apicaps/pb"
+	"github.com/pkg/errors"
+)
+
+type PBCap = pb.APICap
+
+// ExportedProduct is the name of the product using this package.
+// Users vendoring this library may override it to provide better versioning hints
+// for their users (or set it with a flag to buildkitd).
+var ExportedProduct string
+
+// CapStatus defines the stability properties of a capability
+type CapStatus int
+
+const (
+	// CapStatusStable refers to a capability that should never be changed in
+	// backwards incompatible manner unless there is a serious security issue.
+	CapStatusStable CapStatus = iota
+	// CapStatusExperimental refers to a capability that may be removed in the future.
+	// If incompatible changes are made the previous ID is disabled and new is added.
+	CapStatusExperimental
+	// CapStatusPrerelease is same as CapStatusExperimental that can be used for new
+	// features before they move to stable.
+	CapStatusPrerelease
+)
+
+// CapID is type for capability identifier
+type CapID string
+
+// Cap describes an API feature
+type Cap struct {
+	ID                  CapID
+	Name                string // readable name, may contain spaces but keep in one sentence
+	Status              CapStatus
+	Enabled             bool
+	Deprecated          bool
+	SupportedHint       map[string]string
+	DisabledReason      string
+	DisabledReasonMsg   string
+	DisabledAlternative string
+}
+
+// CapList is a collection of capability definitions
+type CapList struct {
+	m map[CapID]Cap
+}
+
+// Init initializes definition for a new capability.
+// Not safe to be called concurrently with other methods.
+func (l *CapList) Init(cc ...Cap) {
+	if l.m == nil {
+		l.m = make(map[CapID]Cap, len(cc))
+	}
+	for _, c := range cc {
+		l.m[c.ID] = c
+	}
+}
+
+// All reports the configuration of all known capabilities
+func (l *CapList) All() []pb.APICap {
+	out := make([]pb.APICap, 0, len(l.m))
+	for _, c := range l.m {
+		out = append(out, pb.APICap{
+			ID:                  string(c.ID),
+			Enabled:             c.Enabled,
+			Deprecated:          c.Deprecated,
+			DisabledReason:      c.DisabledReason,
+			DisabledReasonMsg:   c.DisabledReasonMsg,
+			DisabledAlternative: c.DisabledAlternative,
+		})
+	}
+	sort.Slice(out, func(i, j int) bool {
+		return out[i].ID < out[j].ID
+	})
+	return out
+}
+
+// CapSet returns a CapSet for an capability configuration
+func (l *CapList) CapSet(caps []pb.APICap) CapSet {
+	m := make(map[string]*pb.APICap, len(caps))
+	for _, c := range caps {
+		if c.ID != "" {
+			m[c.ID] = &c
+		}
+	}
+	return CapSet{
+		list: l,
+		set:  m,
+	}
+}
+
+// CapSet is a configuration for detecting supported capabilities
+type CapSet struct {
+	list *CapList
+	set  map[string]*pb.APICap
+}
+
+// Supports returns an error if capability is not supported
+func (s *CapSet) Supports(id CapID) error {
+	err := &CapError{ID: id}
+	c, ok := s.list.m[id]
+	if !ok {
+		return errors.WithStack(err)
+	}
+	err.Definition = &c
+	state, ok := s.set[string(id)]
+	if !ok {
+		return errors.WithStack(err)
+	}
+	err.State = state
+	if !state.Enabled {
+		return errors.WithStack(err)
+	}
+	return nil
+}
+
+// CapError is an error for unsupported capability
+type CapError struct {
+	ID         CapID
+	Definition *Cap
+	State      *pb.APICap
+}
+
+func (e CapError) Error() string {
+	if e.Definition == nil {
+		return fmt.Sprintf("unknown API capability %s", e.ID)
+	}
+	typ := ""
+	if e.Definition.Status == CapStatusExperimental {
+		typ = "experimental "
+	}
+	if e.Definition.Status == CapStatusPrerelease {
+		typ = "prerelease "
+	}
+	name := ""
+	if e.Definition.Name != "" {
+		name = "(" + e.Definition.Name + ")"
+	}
+	b := &strings.Builder{}
+	fmt.Fprintf(b, "requested %sfeature %s %s", typ, e.ID, name)
+	if e.State == nil {
+		fmt.Fprint(b, " is not supported by build server")
+		if hint, ok := e.Definition.SupportedHint[ExportedProduct]; ok {
+			fmt.Fprintf(b, " (added in %s)", hint)
+		}
+		fmt.Fprintf(b, ", please update %s", ExportedProduct)
+	} else {
+		fmt.Fprint(b, " has been disabled on the build server")
+		if e.State.DisabledReasonMsg != "" {
+			fmt.Fprintf(b, ": %s", e.State.DisabledReasonMsg)
+		}
+	}
+	return b.String()
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/apicaps/pb/caps.pb.go b/engine/vendor/github.com/moby/buildkit/util/apicaps/pb/caps.pb.go
new file mode 100644
index 00000000..9d4d4880
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/apicaps/pb/caps.pb.go
@@ -0,0 +1,535 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: caps.proto
+
+/*
+	Package moby_buildkit_v1_apicaps is a generated protocol buffer package.
+
+	It is generated from these files:
+		caps.proto
+
+	It has these top-level messages:
+		APICap
+*/
+package moby_buildkit_v1_apicaps
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+import _ "github.com/gogo/protobuf/gogoproto"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+// APICap defines a capability supported by the service
+type APICap struct {
+	ID                  string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"`
+	Enabled             bool   `protobuf:"varint,2,opt,name=Enabled,proto3" json:"Enabled,omitempty"`
+	Deprecated          bool   `protobuf:"varint,3,opt,name=Deprecated,proto3" json:"Deprecated,omitempty"`
+	DisabledReason      string `protobuf:"bytes,4,opt,name=DisabledReason,proto3" json:"DisabledReason,omitempty"`
+	DisabledReasonMsg   string `protobuf:"bytes,5,opt,name=DisabledReasonMsg,proto3" json:"DisabledReasonMsg,omitempty"`
+	DisabledAlternative string `protobuf:"bytes,6,opt,name=DisabledAlternative,proto3" json:"DisabledAlternative,omitempty"`
+}
+
+func (m *APICap) Reset()                    { *m = APICap{} }
+func (m *APICap) String() string            { return proto.CompactTextString(m) }
+func (*APICap) ProtoMessage()               {}
+func (*APICap) Descriptor() ([]byte, []int) { return fileDescriptorCaps, []int{0} }
+
+func (m *APICap) GetID() string {
+	if m != nil {
+		return m.ID
+	}
+	return ""
+}
+
+func (m *APICap) GetEnabled() bool {
+	if m != nil {
+		return m.Enabled
+	}
+	return false
+}
+
+func (m *APICap) GetDeprecated() bool {
+	if m != nil {
+		return m.Deprecated
+	}
+	return false
+}
+
+func (m *APICap) GetDisabledReason() string {
+	if m != nil {
+		return m.DisabledReason
+	}
+	return ""
+}
+
+func (m *APICap) GetDisabledReasonMsg() string {
+	if m != nil {
+		return m.DisabledReasonMsg
+	}
+	return ""
+}
+
+func (m *APICap) GetDisabledAlternative() string {
+	if m != nil {
+		return m.DisabledAlternative
+	}
+	return ""
+}
+
+func init() {
+	proto.RegisterType((*APICap)(nil), "moby.buildkit.v1.apicaps.APICap")
+}
+func (m *APICap) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *APICap) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.ID) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintCaps(dAtA, i, uint64(len(m.ID)))
+		i += copy(dAtA[i:], m.ID)
+	}
+	if m.Enabled {
+		dAtA[i] = 0x10
+		i++
+		if m.Enabled {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if m.Deprecated {
+		dAtA[i] = 0x18
+		i++
+		if m.Deprecated {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i++
+	}
+	if len(m.DisabledReason) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintCaps(dAtA, i, uint64(len(m.DisabledReason)))
+		i += copy(dAtA[i:], m.DisabledReason)
+	}
+	if len(m.DisabledReasonMsg) > 0 {
+		dAtA[i] = 0x2a
+		i++
+		i = encodeVarintCaps(dAtA, i, uint64(len(m.DisabledReasonMsg)))
+		i += copy(dAtA[i:], m.DisabledReasonMsg)
+	}
+	if len(m.DisabledAlternative) > 0 {
+		dAtA[i] = 0x32
+		i++
+		i = encodeVarintCaps(dAtA, i, uint64(len(m.DisabledAlternative)))
+		i += copy(dAtA[i:], m.DisabledAlternative)
+	}
+	return i, nil
+}
+
+func encodeVarintCaps(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *APICap) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.ID)
+	if l > 0 {
+		n += 1 + l + sovCaps(uint64(l))
+	}
+	if m.Enabled {
+		n += 2
+	}
+	if m.Deprecated {
+		n += 2
+	}
+	l = len(m.DisabledReason)
+	if l > 0 {
+		n += 1 + l + sovCaps(uint64(l))
+	}
+	l = len(m.DisabledReasonMsg)
+	if l > 0 {
+		n += 1 + l + sovCaps(uint64(l))
+	}
+	l = len(m.DisabledAlternative)
+	if l > 0 {
+		n += 1 + l + sovCaps(uint64(l))
+	}
+	return n
+}
+
+func sovCaps(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozCaps(x uint64) (n int) {
+	return sovCaps(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (m *APICap) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowCaps
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: APICap: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: APICap: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowCaps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthCaps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.ID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Enabled", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowCaps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Enabled = bool(v != 0)
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Deprecated", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowCaps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.Deprecated = bool(v != 0)
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DisabledReason", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowCaps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthCaps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DisabledReason = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DisabledReasonMsg", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowCaps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthCaps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DisabledReasonMsg = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DisabledAlternative", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowCaps
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthCaps
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.DisabledAlternative = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipCaps(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthCaps
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipCaps(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowCaps
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowCaps
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowCaps
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthCaps
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowCaps
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipCaps(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthCaps = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowCaps   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("caps.proto", fileDescriptorCaps) }
+
+var fileDescriptorCaps = []byte{
+	// 236 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4a, 0x4e, 0x2c, 0x28,
+	0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x92, 0xc8, 0xcd, 0x4f, 0xaa, 0xd4, 0x4b, 0x2a, 0xcd,
+	0xcc, 0x49, 0xc9, 0xce, 0x2c, 0xd1, 0x2b, 0x33, 0xd4, 0x4b, 0x2c, 0xc8, 0x04, 0xc9, 0x4b, 0xe9,
+	0xa6, 0x67, 0x96, 0x64, 0x94, 0x26, 0xe9, 0x25, 0xe7, 0xe7, 0xea, 0xa7, 0xe7, 0xa7, 0xe7, 0xeb,
+	0x83, 0x35, 0x24, 0x95, 0xa6, 0x81, 0x79, 0x60, 0x0e, 0x98, 0x05, 0x31, 0x48, 0xe9, 0x16, 0x23,
+	0x17, 0x9b, 0x63, 0x80, 0xa7, 0x73, 0x62, 0x81, 0x10, 0x1f, 0x17, 0x93, 0xa7, 0x8b, 0x04, 0xa3,
+	0x02, 0xa3, 0x06, 0x67, 0x10, 0x93, 0xa7, 0x8b, 0x90, 0x04, 0x17, 0xbb, 0x6b, 0x5e, 0x62, 0x52,
+	0x4e, 0x6a, 0x8a, 0x04, 0x93, 0x02, 0xa3, 0x06, 0x47, 0x10, 0x8c, 0x2b, 0x24, 0xc7, 0xc5, 0xe5,
+	0x92, 0x5a, 0x50, 0x94, 0x9a, 0x9c, 0x58, 0x92, 0x9a, 0x22, 0xc1, 0x0c, 0x96, 0x44, 0x12, 0x11,
+	0x52, 0xe3, 0xe2, 0x73, 0xc9, 0x2c, 0x06, 0xab, 0x0d, 0x4a, 0x4d, 0x2c, 0xce, 0xcf, 0x93, 0x60,
+	0x01, 0x9b, 0x8a, 0x26, 0x2a, 0xa4, 0xc3, 0x25, 0x88, 0x2a, 0xe2, 0x5b, 0x9c, 0x2e, 0xc1, 0x0a,
+	0x56, 0x8a, 0x29, 0x21, 0x64, 0xc0, 0x25, 0x0c, 0x13, 0x74, 0xcc, 0x29, 0x49, 0x2d, 0xca, 0x4b,
+	0x2c, 0xc9, 0x2c, 0x4b, 0x95, 0x60, 0x03, 0xab, 0xc7, 0x26, 0xe5, 0xc4, 0x73, 0xe2, 0x91, 0x1c,
+	0xe3, 0x85, 0x47, 0x72, 0x8c, 0x0f, 0x1e, 0xc9, 0x31, 0x26, 0xb1, 0x81, 0x7d, 0x6c, 0x0c, 0x08,
+	0x00, 0x00, 0xff, 0xff, 0x02, 0x2d, 0x9e, 0x91, 0x48, 0x01, 0x00, 0x00,
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/apicaps/pb/caps.proto b/engine/vendor/github.com/moby/buildkit/util/apicaps/pb/caps.proto
new file mode 100644
index 00000000..1e8c0651
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/apicaps/pb/caps.proto
@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package moby.buildkit.v1.apicaps;
+
+import "github.com/gogo/protobuf/gogoproto/gogo.proto";
+
+option (gogoproto.sizer_all) = true;
+option (gogoproto.marshaler_all) = true;
+option (gogoproto.unmarshaler_all) = true;
+
+// APICap defines a capability supported by the service
+message APICap {
+	string ID = 1;
+	bool Enabled = 2;
+	bool Deprecated = 3; // Unused. May be used for warnings in the future
+	string DisabledReason = 4; // Reason key for detection code
+	string DisabledReasonMsg = 5; // Message to the user
+	string DisabledAlternative = 6; // Identifier that updated client could catch.
+}
\ No newline at end of file
diff --git a/engine/vendor/github.com/moby/buildkit/util/apicaps/pb/generate.go b/engine/vendor/github.com/moby/buildkit/util/apicaps/pb/generate.go
new file mode 100644
index 00000000..281dfabd
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/apicaps/pb/generate.go
@@ -0,0 +1,3 @@
+package moby_buildkit_v1_apicaps
+
+//go:generate protoc -I=. -I=../../../vendor/ -I=../../../../../../ --gogo_out=plugins=grpc:. caps.proto
diff --git a/engine/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_unix.go b/engine/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_unix.go
new file mode 100644
index 00000000..7b907ad3
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_unix.go
@@ -0,0 +1,55 @@
+// +build !windows
+
+package appdefaults
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+const (
+	Address = "unix:///run/buildkit/buildkitd.sock"
+	Root    = "/var/lib/buildkit"
+)
+
+// UserAddress typically returns /run/user/$UID/buildkit/buildkitd.sock
+func UserAddress() string {
+	//  pam_systemd sets XDG_RUNTIME_DIR but not other dirs.
+	xdgRuntimeDir := os.Getenv("XDG_RUNTIME_DIR")
+	if xdgRuntimeDir != "" {
+		dirs := strings.Split(xdgRuntimeDir, ":")
+		return "unix://" + filepath.Join(dirs[0], "buildkit", "buildkitd.sock")
+	}
+	return Address
+}
+
+// EnsureUserAddressDir sets sticky bit on XDG_RUNTIME_DIR if XDG_RUNTIME_DIR is set.
+// See https://github.com/opencontainers/runc/issues/1694
+func EnsureUserAddressDir() error {
+	xdgRuntimeDir := os.Getenv("XDG_RUNTIME_DIR")
+	if xdgRuntimeDir != "" {
+		dirs := strings.Split(xdgRuntimeDir, ":")
+		dir := filepath.Join(dirs[0], "buildkit")
+		if err := os.MkdirAll(dir, 0700); err != nil {
+			return err
+		}
+		return os.Chmod(dir, 0700|os.ModeSticky)
+	}
+	return nil
+}
+
+// UserRoot typically returns /home/$USER/.local/share/buildkit
+func UserRoot() string {
+	//  pam_systemd sets XDG_RUNTIME_DIR but not other dirs.
+	xdgDataHome := os.Getenv("XDG_DATA_HOME")
+	if xdgDataHome != "" {
+		dirs := strings.Split(xdgDataHome, ":")
+		return filepath.Join(dirs[0], "buildkit")
+	}
+	home := os.Getenv("HOME")
+	if home != "" {
+		return filepath.Join(home, ".local", "share", "buildkit")
+	}
+	return Root
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_windows.go b/engine/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_windows.go
new file mode 100644
index 00000000..dbc96c80
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/appdefaults/appdefaults_windows.go
@@ -0,0 +1,18 @@
+package appdefaults
+
+const (
+	Address = "npipe:////./pipe/buildkitd"
+	Root    = ".buildstate"
+)
+
+func UserAddress() string {
+	return Address
+}
+
+func EnsureUserAddressDir() error {
+	return nil
+}
+
+func UserRoot() string {
+	return Root
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/cond/cond.go b/engine/vendor/github.com/moby/buildkit/util/cond/cond.go
new file mode 100644
index 00000000..c5e07aec
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/cond/cond.go
@@ -0,0 +1,40 @@
+package cond
+
+import (
+	"sync"
+)
+
+// NewStatefulCond returns a stateful version of sync.Cond . This cond will
+// never block on `Wait()` if `Signal()` has been called after the `Wait()` last
+// returned. This is useful for avoiding to take a lock on `cond.Locker` for
+// signalling.
+func NewStatefulCond(l sync.Locker) *StatefulCond {
+	sc := &StatefulCond{main: l}
+	sc.c = sync.NewCond(&sc.mu)
+	return sc
+}
+
+type StatefulCond struct {
+	main      sync.Locker
+	mu        sync.Mutex
+	c         *sync.Cond
+	signalled bool
+}
+
+func (s *StatefulCond) Wait() {
+	s.main.Unlock()
+	s.mu.Lock()
+	if !s.signalled {
+		s.c.Wait()
+	}
+	s.signalled = false
+	s.mu.Unlock()
+	s.main.Lock()
+}
+
+func (s *StatefulCond) Signal() {
+	s.mu.Lock()
+	s.signalled = true
+	s.c.Signal()
+	s.mu.Unlock()
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/contentutil/buffer.go b/engine/vendor/github.com/moby/buildkit/util/contentutil/buffer.go
new file mode 100644
index 00000000..ac8c8baf
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/contentutil/buffer.go
@@ -0,0 +1,156 @@
+package contentutil
+
+import (
+	"bytes"
+	"context"
+	"io/ioutil"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/errdefs"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+// Buffer is a content provider and ingester that keeps data in memory
+type Buffer interface {
+	content.Provider
+	content.Ingester
+}
+
+// NewBuffer returns a new buffer
+func NewBuffer() Buffer {
+	return &buffer{
+		buffers: map[digest.Digest][]byte{},
+		refs:    map[string]struct{}{},
+	}
+}
+
+type buffer struct {
+	mu      sync.Mutex
+	buffers map[digest.Digest][]byte
+	refs    map[string]struct{}
+}
+
+func (b *buffer) Writer(ctx context.Context, opts ...content.WriterOpt) (content.Writer, error) {
+	var wOpts content.WriterOpts
+	for _, opt := range opts {
+		if err := opt(&wOpts); err != nil {
+			return nil, err
+		}
+	}
+	b.mu.Lock()
+	if _, ok := b.refs[wOpts.Ref]; ok {
+		return nil, errors.Wrapf(errdefs.ErrUnavailable, "ref %s locked", wOpts.Ref)
+	}
+	b.mu.Unlock()
+	return &bufferedWriter{
+		main:     b,
+		digester: digest.Canonical.Digester(),
+		buffer:   bytes.NewBuffer(nil),
+		expected: wOpts.Desc.Digest,
+		releaseRef: func() {
+			b.mu.Lock()
+			delete(b.refs, wOpts.Ref)
+			b.mu.Unlock()
+		},
+	}, nil
+}
+
+func (b *buffer) ReaderAt(ctx context.Context, desc ocispec.Descriptor) (content.ReaderAt, error) {
+	r, err := b.getBytesReader(ctx, desc.Digest)
+	if err != nil {
+		return nil, err
+	}
+	return &readerAt{Reader: r, Closer: ioutil.NopCloser(r), size: int64(r.Len())}, nil
+}
+
+func (b *buffer) getBytesReader(ctx context.Context, dgst digest.Digest) (*bytes.Reader, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	if dt, ok := b.buffers[dgst]; ok {
+		return bytes.NewReader(dt), nil
+	}
+
+	return nil, errors.Wrapf(errdefs.ErrNotFound, "content %v", dgst)
+}
+
+func (b *buffer) addValue(k digest.Digest, dt []byte) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.buffers[k] = dt
+}
+
+type bufferedWriter struct {
+	main       *buffer
+	ref        string
+	offset     int64
+	total      int64
+	startedAt  time.Time
+	updatedAt  time.Time
+	buffer     *bytes.Buffer
+	expected   digest.Digest
+	digester   digest.Digester
+	releaseRef func()
+}
+
+func (w *bufferedWriter) Write(p []byte) (n int, err error) {
+	n, err = w.buffer.Write(p)
+	w.digester.Hash().Write(p[:n])
+	w.offset += int64(len(p))
+	w.updatedAt = time.Now()
+	return n, err
+}
+
+func (w *bufferedWriter) Close() error {
+	if w.buffer != nil {
+		w.releaseRef()
+		w.buffer = nil
+	}
+	return nil
+}
+
+func (w *bufferedWriter) Status() (content.Status, error) {
+	return content.Status{
+		Ref:       w.ref,
+		Offset:    w.offset,
+		Total:     w.total,
+		StartedAt: w.startedAt,
+		UpdatedAt: w.updatedAt,
+	}, nil
+}
+
+func (w *bufferedWriter) Digest() digest.Digest {
+	return w.digester.Digest()
+}
+
+func (w *bufferedWriter) Commit(ctx context.Context, size int64, expected digest.Digest, opt ...content.Opt) error {
+	if w.buffer == nil {
+		return errors.Errorf("can't commit already committed or closed")
+	}
+	if s := int64(w.buffer.Len()); size > 0 && size != s {
+		return errors.Errorf("unexpected commit size %d, expected %d", s, size)
+	}
+	dgst := w.digester.Digest()
+	if expected != "" && expected != dgst {
+		return errors.Errorf("unexpected digest: %v != %v", dgst, expected)
+	}
+	if w.expected != "" && w.expected != dgst {
+		return errors.Errorf("unexpected digest: %v != %v", dgst, w.expected)
+	}
+	w.main.addValue(dgst, w.buffer.Bytes())
+	return w.Close()
+}
+
+func (w *bufferedWriter) Truncate(size int64) error {
+	if size != 0 {
+		return errors.New("Truncate: unsupported size")
+	}
+	w.offset = 0
+	w.digester.Hash().Reset()
+	w.buffer.Reset()
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/contentutil/copy.go b/engine/vendor/github.com/moby/buildkit/util/contentutil/copy.go
new file mode 100644
index 00000000..a03f16e6
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/contentutil/copy.go
@@ -0,0 +1,43 @@
+package contentutil
+
+import (
+	"context"
+	"io"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/remotes"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+func Copy(ctx context.Context, ingester content.Ingester, provider content.Provider, desc ocispec.Descriptor) error {
+	if _, err := remotes.FetchHandler(ingester, &localFetcher{provider})(ctx, desc); err != nil {
+		return err
+	}
+	return nil
+}
+
+type localFetcher struct {
+	content.Provider
+}
+
+func (f *localFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser, error) {
+	r, err := f.Provider.ReaderAt(ctx, desc)
+	if err != nil {
+		return nil, err
+	}
+	return &rc{ReaderAt: r}, nil
+}
+
+type rc struct {
+	content.ReaderAt
+	offset int
+}
+
+func (r *rc) Read(b []byte) (int, error) {
+	n, err := r.ReadAt(b, int64(r.offset))
+	r.offset += n
+	if n > 0 && err == io.EOF {
+		err = nil
+	}
+	return n, err
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/contentutil/fetcher.go b/engine/vendor/github.com/moby/buildkit/util/contentutil/fetcher.go
new file mode 100644
index 00000000..0c87e647
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/contentutil/fetcher.go
@@ -0,0 +1,70 @@
+package contentutil
+
+import (
+	"context"
+	"io"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/remotes"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+func FromFetcher(f remotes.Fetcher) content.Provider {
+	return &fetchedProvider{
+		f: f,
+	}
+}
+
+type fetchedProvider struct {
+	f remotes.Fetcher
+}
+
+func (p *fetchedProvider) ReaderAt(ctx context.Context, desc ocispec.Descriptor) (content.ReaderAt, error) {
+	rc, err := p.f.Fetch(ctx, desc)
+	if err != nil {
+		return nil, err
+	}
+
+	return &readerAt{Reader: rc, Closer: rc, size: desc.Size}, nil
+}
+
+type readerAt struct {
+	io.Reader
+	io.Closer
+	size   int64
+	offset int64
+}
+
+func (r *readerAt) ReadAt(b []byte, off int64) (int, error) {
+	if ra, ok := r.Reader.(io.ReaderAt); ok {
+		return ra.ReadAt(b, off)
+	}
+
+	if r.offset != off {
+		if seeker, ok := r.Reader.(io.Seeker); ok {
+			if _, err := seeker.Seek(off, io.SeekStart); err != nil {
+				return 0, err
+			}
+			r.offset = off
+		} else {
+			return 0, errors.Errorf("unsupported offset")
+		}
+	}
+
+	var totalN int
+	for len(b) > 0 {
+		n, err := r.Reader.Read(b)
+		r.offset += int64(n)
+		totalN += n
+		b = b[n:]
+		if err != nil {
+			return totalN, err
+		}
+	}
+	return totalN, nil
+}
+
+func (r *readerAt) Size() int64 {
+	return r.size
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/contentutil/multiprovider.go b/engine/vendor/github.com/moby/buildkit/util/contentutil/multiprovider.go
new file mode 100644
index 00000000..fd635ad4
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/contentutil/multiprovider.go
@@ -0,0 +1,44 @@
+package contentutil
+
+import (
+	"context"
+	"sync"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/errdefs"
+	digest "github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+func NewMultiProvider(base content.Provider) *MultiProvider {
+	return &MultiProvider{
+		base: base,
+		sub:  map[digest.Digest]content.Provider{},
+	}
+}
+
+type MultiProvider struct {
+	mu   sync.RWMutex
+	base content.Provider
+	sub  map[digest.Digest]content.Provider
+}
+
+func (mp *MultiProvider) ReaderAt(ctx context.Context, desc ocispec.Descriptor) (content.ReaderAt, error) {
+	mp.mu.RLock()
+	if p, ok := mp.sub[desc.Digest]; ok {
+		mp.mu.RUnlock()
+		return p.ReaderAt(ctx, desc)
+	}
+	mp.mu.RUnlock()
+	if mp.base == nil {
+		return nil, errors.Wrapf(errdefs.ErrNotFound, "content %v", desc.Digest)
+	}
+	return mp.base.ReaderAt(ctx, desc)
+}
+
+func (mp *MultiProvider) Add(dgst digest.Digest, p content.Provider) {
+	mp.mu.Lock()
+	defer mp.mu.Unlock()
+	mp.sub[dgst] = p
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/contentutil/pusher.go b/engine/vendor/github.com/moby/buildkit/util/contentutil/pusher.go
new file mode 100644
index 00000000..ab88128a
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/contentutil/pusher.go
@@ -0,0 +1,58 @@
+package contentutil
+
+import (
+	"context"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/remotes"
+	"github.com/pkg/errors"
+)
+
+func FromPusher(p remotes.Pusher) content.Ingester {
+	return &pushingIngester{
+		p: p,
+	}
+}
+
+type pushingIngester struct {
+	p remotes.Pusher
+}
+
+// Writer implements content.Ingester. desc.MediaType must be set for manifest blobs.
+func (i *pushingIngester) Writer(ctx context.Context, opts ...content.WriterOpt) (content.Writer, error) {
+	var wOpts content.WriterOpts
+	for _, opt := range opts {
+		if err := opt(&wOpts); err != nil {
+			return nil, err
+		}
+	}
+	if wOpts.Ref == "" {
+		return nil, errors.Wrap(errdefs.ErrInvalidArgument, "ref must not be empty")
+	}
+	// pusher requires desc.MediaType to determine the PUT URL, especially for manifest blobs.
+	contentWriter, err := i.p.Push(ctx, wOpts.Desc)
+	if err != nil {
+		return nil, err
+	}
+	return &writer{
+		Writer:           contentWriter,
+		contentWriterRef: wOpts.Ref,
+	}, nil
+}
+
+type writer struct {
+	content.Writer          // returned from pusher.Push
+	contentWriterRef string // ref passed for Writer()
+}
+
+func (w *writer) Status() (content.Status, error) {
+	st, err := w.Writer.Status()
+	if err != nil {
+		return st, err
+	}
+	if w.contentWriterRef != "" {
+		st.Ref = w.contentWriterRef
+	}
+	return st, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/flightcontrol/flightcontrol.go b/engine/vendor/github.com/moby/buildkit/util/flightcontrol/flightcontrol.go
new file mode 100644
index 00000000..e51824a4
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/flightcontrol/flightcontrol.go
@@ -0,0 +1,324 @@
+package flightcontrol
+
+import (
+	"context"
+	"io"
+	"runtime"
+	"sort"
+	"sync"
+	"time"
+
+	"github.com/moby/buildkit/util/progress"
+	"github.com/pkg/errors"
+)
+
+// flightcontrol is like singleflight but with support for cancellation and
+// nested progress reporting
+
+var errRetry = errors.Errorf("retry")
+
+type contextKeyT string
+
+var contextKey = contextKeyT("buildkit/util/flightcontrol.progress")
+
+type Group struct {
+	mu sync.Mutex       // protects m
+	m  map[string]*call // lazily initialized
+}
+
+func (g *Group) Do(ctx context.Context, key string, fn func(ctx context.Context) (interface{}, error)) (v interface{}, err error) {
+	defer func() {
+		if errors.Cause(err) == errRetry {
+			runtime.Gosched()
+			v, err = g.Do(ctx, key, fn)
+		}
+	}()
+	g.mu.Lock()
+	if g.m == nil {
+		g.m = make(map[string]*call)
+	}
+
+	if c, ok := g.m[key]; ok { // register 2nd waiter
+		g.mu.Unlock()
+		return c.wait(ctx)
+	}
+
+	c := newCall(fn)
+	g.m[key] = c
+	go func() {
+		// cleanup after a caller has returned
+		<-c.ready
+		g.mu.Lock()
+		delete(g.m, key)
+		g.mu.Unlock()
+	}()
+	g.mu.Unlock()
+	return c.wait(ctx)
+}
+
+type call struct {
+	mu     sync.Mutex
+	result interface{}
+	err    error
+	ready  chan struct{}
+
+	ctx  *sharedContext
+	ctxs []context.Context
+	fn   func(ctx context.Context) (interface{}, error)
+	once sync.Once
+
+	closeProgressWriter func()
+	progressState       *progressState
+	progressCtx         context.Context
+}
+
+func newCall(fn func(ctx context.Context) (interface{}, error)) *call {
+	c := &call{
+		fn:            fn,
+		ready:         make(chan struct{}),
+		progressState: newProgressState(),
+	}
+	ctx := newContext(c) // newSharedContext
+	pr, pctx, closeProgressWriter := progress.NewContext(context.Background())
+
+	c.progressCtx = pctx
+	c.ctx = ctx
+	c.closeProgressWriter = closeProgressWriter
+
+	go c.progressState.run(pr) // TODO: remove this, wrap writer instead
+
+	return c
+}
+
+func (c *call) run() {
+	defer c.closeProgressWriter()
+	v, err := c.fn(c.ctx)
+	c.mu.Lock()
+	c.result = v
+	c.err = err
+	c.mu.Unlock()
+	close(c.ready)
+}
+
+func (c *call) wait(ctx context.Context) (v interface{}, err error) {
+	c.mu.Lock()
+	// detect case where caller has just returned, let it clean up before
+	select {
+	case <-c.ready: // could return if no error
+		c.mu.Unlock()
+		return nil, errRetry
+	default:
+	}
+
+	pw, ok, ctx := progress.FromContext(ctx)
+	if ok {
+		c.progressState.add(pw)
+	}
+	c.ctxs = append(c.ctxs, ctx)
+
+	c.mu.Unlock()
+
+	go c.once.Do(c.run)
+
+	select {
+	case <-ctx.Done():
+		select {
+		case <-c.ctx.Done():
+			// if this cancelled the last context, then wait for function to shut down
+			// and don't accept any more callers
+			<-c.ready
+			return c.result, c.err
+		default:
+			if ok {
+				c.progressState.close(pw)
+			}
+			return nil, ctx.Err()
+		}
+	case <-c.ready:
+		return c.result, c.err // shared not implemented yet
+	}
+}
+
+func (c *call) Deadline() (deadline time.Time, ok bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	for _, ctx := range c.ctxs {
+		select {
+		case <-ctx.Done():
+		default:
+			dl, ok := ctx.Deadline()
+			if ok {
+				return dl, ok
+			}
+		}
+	}
+	return time.Time{}, false
+}
+
+func (c *call) Done() <-chan struct{} {
+	c.mu.Lock()
+	c.ctx.signal()
+	c.mu.Unlock()
+	return c.ctx.done
+}
+
+func (c *call) Err() error {
+	select {
+	case <-c.ctx.Done():
+		return c.ctx.err
+	default:
+		return nil
+	}
+}
+
+func (c *call) Value(key interface{}) interface{} {
+	if key == contextKey {
+		return c.progressState
+	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	ctx := c.progressCtx
+	select {
+	case <-ctx.Done():
+	default:
+		if v := ctx.Value(key); v != nil {
+			return v
+		}
+	}
+
+	if len(c.ctxs) > 0 {
+		ctx = c.ctxs[0]
+		select {
+		case <-ctx.Done():
+		default:
+			if v := ctx.Value(key); v != nil {
+				return v
+			}
+		}
+	}
+
+	return nil
+}
+
+type sharedContext struct {
+	*call
+	done chan struct{}
+	err  error
+}
+
+func newContext(c *call) *sharedContext {
+	return &sharedContext{call: c, done: make(chan struct{})}
+}
+
+// call with lock
+func (c *sharedContext) signal() {
+	select {
+	case <-c.done:
+	default:
+		var err error
+		for _, ctx := range c.ctxs {
+			select {
+			case <-ctx.Done():
+				err = ctx.Err()
+			default:
+				return
+			}
+		}
+		c.err = err
+		close(c.done)
+	}
+}
+
+type rawProgressWriter interface {
+	WriteRawProgress(*progress.Progress) error
+	Close() error
+}
+
+type progressState struct {
+	mu      sync.Mutex
+	items   map[string]*progress.Progress
+	writers []rawProgressWriter
+	done    bool
+}
+
+func newProgressState() *progressState {
+	return &progressState{
+		items: make(map[string]*progress.Progress),
+	}
+}
+
+func (ps *progressState) run(pr progress.Reader) {
+	for {
+		p, err := pr.Read(context.TODO())
+		if err != nil {
+			if err == io.EOF {
+				ps.mu.Lock()
+				ps.done = true
+				ps.mu.Unlock()
+				for _, w := range ps.writers {
+					w.Close()
+				}
+			}
+			return
+		}
+		ps.mu.Lock()
+		for _, p := range p {
+			for _, w := range ps.writers {
+				w.WriteRawProgress(p)
+			}
+			ps.items[p.ID] = p
+		}
+		ps.mu.Unlock()
+	}
+}
+
+func (ps *progressState) add(pw progress.Writer) {
+	rw, ok := pw.(rawProgressWriter)
+	if !ok {
+		return
+	}
+	ps.mu.Lock()
+	plist := make([]*progress.Progress, 0, len(ps.items))
+	for _, p := range ps.items {
+		plist = append(plist, p)
+	}
+	sort.Slice(plist, func(i, j int) bool {
+		return plist[i].Timestamp.Before(plist[j].Timestamp)
+	})
+	for _, p := range plist {
+		rw.WriteRawProgress(p)
+	}
+	if ps.done {
+		rw.Close()
+	} else {
+		ps.writers = append(ps.writers, rw)
+	}
+	ps.mu.Unlock()
+}
+
+func (ps *progressState) close(pw progress.Writer) {
+	rw, ok := pw.(rawProgressWriter)
+	if !ok {
+		return
+	}
+	ps.mu.Lock()
+	for i, w := range ps.writers {
+		if w == rw {
+			w.Close()
+			ps.writers = append(ps.writers[:i], ps.writers[i+1:]...)
+			break
+		}
+	}
+	ps.mu.Unlock()
+}
+
+func WriteProgress(ctx context.Context, pw progress.Writer) error {
+	v := ctx.Value(contextKey)
+	p, ok := v.(*progressState)
+	if !ok {
+		return errors.Errorf("invalid context not from flightcontrol")
+	}
+	p.add(pw)
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/imageutil/config.go b/engine/vendor/github.com/moby/buildkit/util/imageutil/config.go
new file mode 100644
index 00000000..356ed53c
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/imageutil/config.go
@@ -0,0 +1,159 @@
+package imageutil
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/images"
+	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/containerd/reference"
+	"github.com/containerd/containerd/remotes"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+type IngesterProvider interface {
+	content.Ingester
+	content.Provider
+}
+
+func Config(ctx context.Context, str string, resolver remotes.Resolver, ingester IngesterProvider, platform *specs.Platform) (digest.Digest, []byte, error) {
+	// TODO: fix containerd to take struct instead of string
+	platformStr := platforms.Default()
+	if platform != nil {
+		platformStr = platforms.Format(*platform)
+	}
+	ref, err := reference.Parse(str)
+	if err != nil {
+		return "", nil, errors.WithStack(err)
+	}
+
+	desc := specs.Descriptor{
+		Digest: ref.Digest(),
+	}
+	if desc.Digest != "" {
+		ra, err := ingester.ReaderAt(ctx, desc)
+		if err == nil {
+			desc.Size = ra.Size()
+			mt, err := DetectManifestMediaType(ra)
+			if err == nil {
+				desc.MediaType = mt
+			}
+		}
+	}
+	// use resolver if desc is incomplete
+	if desc.MediaType == "" {
+		_, desc, err = resolver.Resolve(ctx, ref.String())
+		if err != nil {
+			return "", nil, err
+		}
+	}
+
+	fetcher, err := resolver.Fetcher(ctx, ref.String())
+	if err != nil {
+		return "", nil, err
+	}
+
+	handlers := []images.Handler{
+		remotes.FetchHandler(ingester, fetcher),
+		childrenConfigHandler(ingester, platformStr),
+	}
+	if err := images.Dispatch(ctx, images.Handlers(handlers...), desc); err != nil {
+		return "", nil, err
+	}
+	config, err := images.Config(ctx, ingester, desc, platformStr)
+	if err != nil {
+		return "", nil, err
+	}
+
+	dt, err := content.ReadBlob(ctx, ingester, config)
+	if err != nil {
+		return "", nil, err
+	}
+
+	return desc.Digest, dt, nil
+}
+
+func childrenConfigHandler(provider content.Provider, platform string) images.HandlerFunc {
+	return func(ctx context.Context, desc specs.Descriptor) ([]specs.Descriptor, error) {
+		var descs []specs.Descriptor
+		switch desc.MediaType {
+		case images.MediaTypeDockerSchema2Manifest, specs.MediaTypeImageManifest:
+			p, err := content.ReadBlob(ctx, provider, desc)
+			if err != nil {
+				return nil, err
+			}
+
+			// TODO(stevvooe): We just assume oci manifest, for now. There may be
+			// subtle differences from the docker version.
+			var manifest specs.Manifest
+			if err := json.Unmarshal(p, &manifest); err != nil {
+				return nil, err
+			}
+
+			descs = append(descs, manifest.Config)
+		case images.MediaTypeDockerSchema2ManifestList, specs.MediaTypeImageIndex:
+			p, err := content.ReadBlob(ctx, provider, desc)
+			if err != nil {
+				return nil, err
+			}
+
+			var index specs.Index
+			if err := json.Unmarshal(p, &index); err != nil {
+				return nil, err
+			}
+
+			if platform != "" {
+				pf, err := platforms.Parse(platform)
+				if err != nil {
+					return nil, err
+				}
+				matcher := platforms.NewMatcher(pf)
+
+				for _, d := range index.Manifests {
+					if d.Platform == nil || matcher.Match(*d.Platform) {
+						descs = append(descs, d)
+					}
+				}
+			} else {
+				descs = append(descs, index.Manifests...)
+			}
+		case images.MediaTypeDockerSchema2Config, specs.MediaTypeImageConfig:
+			// childless data types.
+			return nil, nil
+		default:
+			return nil, errors.Errorf("encountered unknown type %v; children may not be fetched", desc.MediaType)
+		}
+
+		return descs, nil
+	}
+}
+
+// specs.MediaTypeImageManifest, // TODO: detect schema1/manifest-list
+func DetectManifestMediaType(ra content.ReaderAt) (string, error) {
+	// TODO: schema1
+
+	p := make([]byte, ra.Size())
+	if _, err := ra.ReadAt(p, 0); err != nil {
+		return "", err
+	}
+
+	var mfst struct {
+		MediaType string          `json:"mediaType"`
+		Config    json.RawMessage `json:"config"`
+	}
+
+	if err := json.Unmarshal(p, &mfst); err != nil {
+		return "", err
+	}
+
+	if mfst.MediaType != "" {
+		return mfst.MediaType, nil
+	}
+	if mfst.Config != nil {
+		return images.MediaTypeDockerSchema2Manifest, nil
+	}
+	return images.MediaTypeDockerSchema2ManifestList, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/progress/logs/logs.go b/engine/vendor/github.com/moby/buildkit/util/progress/logs/logs.go
new file mode 100644
index 00000000..54f6ff89
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/progress/logs/logs.go
@@ -0,0 +1,53 @@
+package logs
+
+import (
+	"context"
+	"io"
+	"os"
+
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/util/progress"
+	"github.com/pkg/errors"
+)
+
+func NewLogStreams(ctx context.Context, printOutput bool) (io.WriteCloser, io.WriteCloser) {
+	return newStreamWriter(ctx, 1, printOutput), newStreamWriter(ctx, 2, printOutput)
+}
+
+func newStreamWriter(ctx context.Context, stream int, printOutput bool) io.WriteCloser {
+	pw, _, _ := progress.FromContext(ctx)
+	return &streamWriter{
+		pw:          pw,
+		stream:      stream,
+		printOutput: printOutput,
+	}
+}
+
+type streamWriter struct {
+	pw          progress.Writer
+	stream      int
+	printOutput bool
+}
+
+func (sw *streamWriter) Write(dt []byte) (int, error) {
+	sw.pw.Write(identity.NewID(), client.VertexLog{
+		Stream: sw.stream,
+		Data:   append([]byte{}, dt...),
+	})
+	if sw.printOutput {
+		switch sw.stream {
+		case 1:
+			return os.Stdout.Write(dt)
+		case 2:
+			return os.Stderr.Write(dt)
+		default:
+			return 0, errors.Errorf("invalid stream %d", sw.stream)
+		}
+	}
+	return len(dt), nil
+}
+
+func (sw *streamWriter) Close() error {
+	return sw.pw.Close()
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/progress/multireader.go b/engine/vendor/github.com/moby/buildkit/util/progress/multireader.go
new file mode 100644
index 00000000..2bd3f2ca
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/progress/multireader.go
@@ -0,0 +1,77 @@
+package progress
+
+import (
+	"context"
+	"io"
+	"sync"
+)
+
+type MultiReader struct {
+	mu          sync.Mutex
+	main        Reader
+	initialized bool
+	done        chan struct{}
+	writers     map[*progressWriter]func()
+}
+
+func NewMultiReader(pr Reader) *MultiReader {
+	mr := &MultiReader{
+		main:    pr,
+		writers: make(map[*progressWriter]func()),
+		done:    make(chan struct{}),
+	}
+	return mr
+}
+
+func (mr *MultiReader) Reader(ctx context.Context) Reader {
+	mr.mu.Lock()
+	defer mr.mu.Unlock()
+
+	pr, ctx, closeWriter := NewContext(ctx)
+	pw, _, ctx := FromContext(ctx)
+
+	w := pw.(*progressWriter)
+	mr.writers[w] = closeWriter
+
+	go func() {
+		select {
+		case <-ctx.Done():
+		case <-mr.done:
+		}
+		mr.mu.Lock()
+		defer mr.mu.Unlock()
+		delete(mr.writers, w)
+	}()
+
+	if !mr.initialized {
+		go mr.handle()
+		mr.initialized = true
+	}
+
+	return pr
+}
+
+func (mr *MultiReader) handle() error {
+	for {
+		p, err := mr.main.Read(context.TODO())
+		if err != nil {
+			if err == io.EOF {
+				mr.mu.Lock()
+				for w, c := range mr.writers {
+					w.Close()
+					c()
+				}
+				mr.mu.Unlock()
+				return nil
+			}
+			return err
+		}
+		mr.mu.Lock()
+		for _, p := range p {
+			for w := range mr.writers {
+				w.writeRawProgress(p)
+			}
+		}
+		mr.mu.Unlock()
+	}
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/progress/multiwriter.go b/engine/vendor/github.com/moby/buildkit/util/progress/multiwriter.go
new file mode 100644
index 00000000..51989368
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/progress/multiwriter.go
@@ -0,0 +1,105 @@
+package progress
+
+import (
+	"sort"
+	"sync"
+	"time"
+)
+
+type rawProgressWriter interface {
+	WriteRawProgress(*Progress) error
+	Close() error
+}
+
+type MultiWriter struct {
+	mu      sync.Mutex
+	items   []*Progress
+	writers map[rawProgressWriter]struct{}
+	done    bool
+	meta    map[string]interface{}
+}
+
+func NewMultiWriter(opts ...WriterOption) *MultiWriter {
+	mw := &MultiWriter{
+		writers: map[rawProgressWriter]struct{}{},
+		meta:    map[string]interface{}{},
+	}
+	for _, o := range opts {
+		o(mw)
+	}
+	return mw
+}
+
+func (ps *MultiWriter) Add(pw Writer) {
+	rw, ok := pw.(rawProgressWriter)
+	if !ok {
+		return
+	}
+	ps.mu.Lock()
+	plist := make([]*Progress, 0, len(ps.items))
+	for _, p := range ps.items {
+		plist = append(plist, p)
+	}
+	sort.Slice(plist, func(i, j int) bool {
+		return plist[i].Timestamp.Before(plist[j].Timestamp)
+	})
+	for _, p := range plist {
+		rw.WriteRawProgress(p)
+	}
+	ps.writers[rw] = struct{}{}
+	ps.mu.Unlock()
+}
+
+func (ps *MultiWriter) Delete(pw Writer) {
+	rw, ok := pw.(rawProgressWriter)
+	if !ok {
+		return
+	}
+
+	ps.mu.Lock()
+	delete(ps.writers, rw)
+	ps.mu.Unlock()
+}
+
+func (ps *MultiWriter) Write(id string, v interface{}) error {
+	p := &Progress{
+		ID:        id,
+		Timestamp: time.Now(),
+		Sys:       v,
+		meta:      ps.meta,
+	}
+	return ps.WriteRawProgress(p)
+}
+
+func (ps *MultiWriter) WriteRawProgress(p *Progress) error {
+	meta := p.meta
+	if len(ps.meta) > 0 {
+		meta = map[string]interface{}{}
+		for k, v := range p.meta {
+			meta[k] = v
+		}
+		for k, v := range ps.meta {
+			if _, ok := meta[k]; !ok {
+				meta[k] = v
+			}
+		}
+	}
+	p.meta = meta
+	return ps.writeRawProgress(p)
+}
+
+func (ps *MultiWriter) writeRawProgress(p *Progress) error {
+	ps.mu.Lock()
+	defer ps.mu.Unlock()
+	ps.items = append(ps.items, p)
+	for w := range ps.writers {
+		if err := w.WriteRawProgress(p); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (ps *MultiWriter) Close() error {
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/progress/progress.go b/engine/vendor/github.com/moby/buildkit/util/progress/progress.go
new file mode 100644
index 00000000..b802716b
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/progress/progress.go
@@ -0,0 +1,252 @@
+package progress
+
+import (
+	"context"
+	"io"
+	"sort"
+	"sync"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+// Progress package provides utility functions for using the context to capture
+// progress of a running function. All progress items written contain an ID
+// that is used to collapse unread messages.
+
+type contextKeyT string
+
+var contextKey = contextKeyT("buildkit/util/progress")
+
+// FromContext returns a progress writer from a context.
+func FromContext(ctx context.Context, opts ...WriterOption) (Writer, bool, context.Context) {
+	v := ctx.Value(contextKey)
+	pw, ok := v.(*progressWriter)
+	if !ok {
+		if pw, ok := v.(*MultiWriter); ok {
+			return pw, true, ctx
+		}
+		return &noOpWriter{}, false, ctx
+	}
+	pw = newWriter(pw)
+	for _, o := range opts {
+		o(pw)
+	}
+	ctx = context.WithValue(ctx, contextKey, pw)
+	return pw, true, ctx
+}
+
+type WriterOption func(Writer)
+
+// NewContext returns a new context and a progress reader that captures all
+// progress items writtern to this context. Last returned parameter is a closer
+// function to signal that no new writes will happen to this context.
+func NewContext(ctx context.Context) (Reader, context.Context, func()) {
+	pr, pw, cancel := pipe()
+	ctx = WithProgress(ctx, pw)
+	return pr, ctx, cancel
+}
+
+func WithProgress(ctx context.Context, pw Writer) context.Context {
+	return context.WithValue(ctx, contextKey, pw)
+}
+
+func WithMetadata(key string, val interface{}) WriterOption {
+	return func(w Writer) {
+		if pw, ok := w.(*progressWriter); ok {
+			pw.meta[key] = val
+		}
+		if pw, ok := w.(*MultiWriter); ok {
+			pw.meta[key] = val
+		}
+	}
+}
+
+type Writer interface {
+	Write(id string, value interface{}) error
+	Close() error
+}
+
+type Reader interface {
+	Read(context.Context) ([]*Progress, error)
+}
+
+type Progress struct {
+	ID        string
+	Timestamp time.Time
+	Sys       interface{}
+	meta      map[string]interface{}
+}
+
+type Status struct {
+	Action    string
+	Current   int
+	Total     int
+	Started   *time.Time
+	Completed *time.Time
+}
+
+type progressReader struct {
+	ctx     context.Context
+	cond    *sync.Cond
+	mu      sync.Mutex
+	writers map[*progressWriter]struct{}
+	dirty   map[string]*Progress
+}
+
+func (pr *progressReader) Read(ctx context.Context) ([]*Progress, error) {
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-done:
+		case <-ctx.Done():
+			pr.cond.Broadcast()
+		}
+	}()
+	pr.mu.Lock()
+	for {
+		select {
+		case <-ctx.Done():
+			pr.mu.Unlock()
+			return nil, ctx.Err()
+		default:
+		}
+		dmap := pr.dirty
+		if len(dmap) == 0 {
+			select {
+			case <-pr.ctx.Done():
+				if len(pr.writers) == 0 {
+					pr.mu.Unlock()
+					return nil, io.EOF
+				}
+			default:
+			}
+			pr.cond.Wait()
+			continue
+		}
+		pr.dirty = make(map[string]*Progress)
+		pr.mu.Unlock()
+
+		out := make([]*Progress, 0, len(dmap))
+		for _, p := range dmap {
+			out = append(out, p)
+		}
+
+		sort.Slice(out, func(i, j int) bool {
+			return out[i].Timestamp.Before(out[j].Timestamp)
+		})
+
+		return out, nil
+	}
+}
+
+func (pr *progressReader) append(pw *progressWriter) {
+	pr.mu.Lock()
+	defer pr.mu.Unlock()
+
+	select {
+	case <-pr.ctx.Done():
+		return
+	default:
+		pr.writers[pw] = struct{}{}
+	}
+}
+
+func pipe() (*progressReader, *progressWriter, func()) {
+	ctx, cancel := context.WithCancel(context.Background())
+	pr := &progressReader{
+		ctx:     ctx,
+		writers: make(map[*progressWriter]struct{}),
+		dirty:   make(map[string]*Progress),
+	}
+	pr.cond = sync.NewCond(&pr.mu)
+	go func() {
+		<-ctx.Done()
+		pr.cond.Broadcast()
+	}()
+	pw := &progressWriter{
+		reader: pr,
+	}
+	return pr, pw, cancel
+}
+
+func newWriter(pw *progressWriter) *progressWriter {
+	meta := make(map[string]interface{})
+	for k, v := range pw.meta {
+		meta[k] = v
+	}
+	pw = &progressWriter{
+		reader: pw.reader,
+		meta:   meta,
+	}
+	pw.reader.append(pw)
+	return pw
+}
+
+type progressWriter struct {
+	done   bool
+	reader *progressReader
+	meta   map[string]interface{}
+}
+
+func (pw *progressWriter) Write(id string, v interface{}) error {
+	if pw.done {
+		return errors.Errorf("writing %s to closed progress writer", id)
+	}
+	return pw.writeRawProgress(&Progress{
+		ID:        id,
+		Timestamp: time.Now(),
+		Sys:       v,
+		meta:      pw.meta,
+	})
+}
+
+func (pw *progressWriter) WriteRawProgress(p *Progress) error {
+	meta := p.meta
+	if len(pw.meta) > 0 {
+		meta = map[string]interface{}{}
+		for k, v := range p.meta {
+			meta[k] = v
+		}
+		for k, v := range pw.meta {
+			if _, ok := meta[k]; !ok {
+				meta[k] = v
+			}
+		}
+	}
+	p.meta = meta
+	return pw.writeRawProgress(p)
+}
+
+func (pw *progressWriter) writeRawProgress(p *Progress) error {
+	pw.reader.mu.Lock()
+	pw.reader.dirty[p.ID] = p
+	pw.reader.cond.Broadcast()
+	pw.reader.mu.Unlock()
+	return nil
+}
+
+func (pw *progressWriter) Close() error {
+	pw.reader.mu.Lock()
+	delete(pw.reader.writers, pw)
+	pw.reader.mu.Unlock()
+	pw.reader.cond.Broadcast()
+	pw.done = true
+	return nil
+}
+
+func (p *Progress) Meta(key string) (interface{}, bool) {
+	v, ok := p.meta[key]
+	return v, ok
+}
+
+type noOpWriter struct{}
+
+func (pw *noOpWriter) Write(_ string, _ interface{}) error {
+	return nil
+}
+
+func (pw *noOpWriter) Close() error {
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/rootless/specconv/specconv_linux.go b/engine/vendor/github.com/moby/buildkit/util/rootless/specconv/specconv_linux.go
new file mode 100644
index 00000000..1b90219f
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/rootless/specconv/specconv_linux.go
@@ -0,0 +1,113 @@
+package specconv
+
+import (
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/opencontainers/runc/libcontainer/system"
+	"github.com/opencontainers/runc/libcontainer/user"
+	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/pkg/errors"
+)
+
+// ToRootless converts spec to be compatible with "rootless" runc.
+// * Adds userns (Note: since we are already in userns, ideally we should not need to do this. runc-side issue is tracked at https://github.com/opencontainers/runc/issues/1837)
+// * Fix up mount flags (same as above)
+// * Replace /sys with bind-mount (FIXME: we don't need to do this if netns is unshared)
+func ToRootless(spec *specs.Spec) error {
+	if !system.RunningInUserNS() {
+		return errors.New("needs to be in user namespace")
+	}
+	uidMap, err := user.CurrentProcessUIDMap()
+	if err != nil && !os.IsNotExist(err) {
+		return err
+	}
+	gidMap, err := user.CurrentProcessUIDMap()
+	if err != nil && !os.IsNotExist(err) {
+		return err
+	}
+	return toRootless(spec, uidMap, gidMap)
+}
+
+// toRootless was forked from github.com/opencontainers/runc/libcontainer/specconv
+func toRootless(spec *specs.Spec, uidMap, gidMap []user.IDMap) error {
+	if err := configureUserNS(spec, uidMap, gidMap); err != nil {
+		return err
+	}
+	if err := configureMounts(spec); err != nil {
+		return err
+	}
+
+	// Remove cgroup settings.
+	spec.Linux.Resources = nil
+	spec.Linux.CgroupsPath = ""
+	return nil
+}
+
+// configureUserNS add suserns and the current ID map to the spec.
+// Since we are already in userns, ideally we should not need to add userns.
+// However, currently rootless runc always requires userns to be added.
+// https://github.com/opencontainers/runc/issues/1837
+func configureUserNS(spec *specs.Spec, uidMap, gidMap []user.IDMap) error {
+	spec.Linux.Namespaces = append(spec.Linux.Namespaces, specs.LinuxNamespace{
+		Type: specs.UserNamespace,
+	})
+
+	sort.Slice(uidMap, func(i, j int) bool { return uidMap[i].ID < uidMap[j].ID })
+	uNextContainerID := int64(0)
+	for _, u := range uidMap {
+		spec.Linux.UIDMappings = append(spec.Linux.UIDMappings,
+			specs.LinuxIDMapping{
+				HostID:      uint32(u.ID),
+				ContainerID: uint32(uNextContainerID),
+				Size:        uint32(u.Count),
+			})
+		uNextContainerID += int64(u.Count)
+	}
+	sort.Slice(gidMap, func(i, j int) bool { return gidMap[i].ID < gidMap[j].ID })
+	gNextContainerID := int64(0)
+	for _, g := range gidMap {
+		spec.Linux.GIDMappings = append(spec.Linux.GIDMappings,
+			specs.LinuxIDMapping{
+				HostID:      uint32(g.ID),
+				ContainerID: uint32(gNextContainerID),
+				Size:        uint32(g.Count),
+			})
+		gNextContainerID += int64(g.Count)
+	}
+	return nil
+}
+
+func configureMounts(spec *specs.Spec) error {
+	var mounts []specs.Mount
+	for _, mount := range spec.Mounts {
+		// Ignore all mounts that are under /sys, because we add /sys later.
+		if strings.HasPrefix(mount.Destination, "/sys") {
+			continue
+		}
+
+		// Remove all gid= and uid= mappings.
+		// Since we are already in userns, ideally we should not need to do this.
+		// https://github.com/opencontainers/runc/issues/1837
+		var options []string
+		for _, option := range mount.Options {
+			if !strings.HasPrefix(option, "gid=") && !strings.HasPrefix(option, "uid=") {
+				options = append(options, option)
+			}
+		}
+		mount.Options = options
+		mounts = append(mounts, mount)
+	}
+
+	// Add the sysfs mount as an rbind, because we can't mount /sys unless we have netns.
+	// TODO: keep original /sys mount when we have netns.
+	mounts = append(mounts, specs.Mount{
+		Source:      "/sys",
+		Destination: "/sys",
+		Type:        "none",
+		Options:     []string{"rbind", "nosuid", "noexec", "nodev", "ro"},
+	})
+	spec.Mounts = mounts
+	return nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/system/path_unix.go b/engine/vendor/github.com/moby/buildkit/util/system/path_unix.go
new file mode 100644
index 00000000..c607c4db
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/system/path_unix.go
@@ -0,0 +1,14 @@
+// +build !windows
+
+package system
+
+// DefaultPathEnv is unix style list of directories to search for
+// executables. Each directory is separated from the next by a colon
+// ':' character .
+const DefaultPathEnv = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+// CheckSystemDriveAndRemoveDriveLetter verifies that a path, if it includes a drive letter,
+// is the system drive. This is a no-op on Linux.
+func CheckSystemDriveAndRemoveDriveLetter(path string) (string, error) {
+	return path, nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/system/path_windows.go b/engine/vendor/github.com/moby/buildkit/util/system/path_windows.go
new file mode 100644
index 00000000..cbfe2c15
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/system/path_windows.go
@@ -0,0 +1,37 @@
+// +build windows
+
+package system
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+)
+
+// DefaultPathEnv is deliberately empty on Windows as the default path will be set by
+// the container. Docker has no context of what the default path should be.
+const DefaultPathEnv = ""
+
+// CheckSystemDriveAndRemoveDriveLetter verifies and manipulates a Windows path.
+// This is used, for example, when validating a user provided path in docker cp.
+// If a drive letter is supplied, it must be the system drive. The drive letter
+// is always removed. Also, it translates it to OS semantics (IOW / to \). We
+// need the path in this syntax so that it can ultimately be contatenated with
+// a Windows long-path which doesn't support drive-letters. Examples:
+// C:			--> Fail
+// C:\			--> \
+// a			--> a
+// /a			--> \a
+// d:\			--> Fail
+func CheckSystemDriveAndRemoveDriveLetter(path string) (string, error) {
+	if len(path) == 2 && string(path[1]) == ":" {
+		return "", fmt.Errorf("No relative path specified in %q", path)
+	}
+	if !filepath.IsAbs(path) || len(path) < 2 {
+		return filepath.FromSlash(path), nil
+	}
+	if string(path[1]) == ":" && !strings.EqualFold(string(path[0]), "c") {
+		return "", fmt.Errorf("The specified path is not on the system drive (C:)")
+	}
+	return filepath.FromSlash(path[2:]), nil
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/system/seccomp_linux.go b/engine/vendor/github.com/moby/buildkit/util/system/seccomp_linux.go
new file mode 100644
index 00000000..62afa03f
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/system/seccomp_linux.go
@@ -0,0 +1,29 @@
+// +build linux,seccomp
+
+package system
+
+import (
+	"sync"
+
+	"golang.org/x/sys/unix"
+)
+
+var seccompSupported bool
+var seccompOnce sync.Once
+
+func SeccompSupported() bool {
+	seccompOnce.Do(func() {
+		seccompSupported = getSeccompSupported()
+	})
+	return seccompSupported
+}
+
+func getSeccompSupported() bool {
+	if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+			return true
+		}
+	}
+	return false
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/system/seccomp_nolinux.go b/engine/vendor/github.com/moby/buildkit/util/system/seccomp_nolinux.go
new file mode 100644
index 00000000..e348c379
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/system/seccomp_nolinux.go
@@ -0,0 +1,7 @@
+// +build !linux,seccomp
+
+package system
+
+func SeccompSupported() bool {
+	return false
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/system/seccomp_noseccomp.go b/engine/vendor/github.com/moby/buildkit/util/system/seccomp_noseccomp.go
new file mode 100644
index 00000000..84cfb7fa
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/system/seccomp_noseccomp.go
@@ -0,0 +1,7 @@
+// +build !seccomp
+
+package system
+
+func SeccompSupported() bool {
+	return false
+}
diff --git a/engine/vendor/github.com/moby/buildkit/util/tracing/tracing.go b/engine/vendor/github.com/moby/buildkit/util/tracing/tracing.go
new file mode 100644
index 00000000..6af2b8c5
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/util/tracing/tracing.go
@@ -0,0 +1,109 @@
+package tracing
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/opentracing-contrib/go-stdlib/nethttp"
+	opentracing "github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/ext"
+	"github.com/opentracing/opentracing-go/log"
+)
+
+// StartSpan starts a new span as a child of the span in context.
+// If there is no span in context then this is a no-op.
+// The difference from opentracing.StartSpanFromContext is that this method
+// does not depend on global tracer.
+func StartSpan(ctx context.Context, operationName string, opts ...opentracing.StartSpanOption) (opentracing.Span, context.Context) {
+	parent := opentracing.SpanFromContext(ctx)
+	tracer := opentracing.Tracer(&opentracing.NoopTracer{})
+	if parent != nil {
+		tracer = parent.Tracer()
+		opts = append(opts, opentracing.ChildOf(parent.Context()))
+	}
+	span := tracer.StartSpan(operationName, opts...)
+	if parent != nil {
+		return span, opentracing.ContextWithSpan(ctx, span)
+	}
+	return span, ctx
+}
+
+// FinishWithError finalizes the span and sets the error if one is passed
+func FinishWithError(span opentracing.Span, err error) {
+	if err != nil {
+		fields := []log.Field{
+			log.String("event", "error"),
+			log.String("message", err.Error()),
+		}
+		if _, ok := err.(interface {
+			Cause() error
+		}); ok {
+			fields = append(fields, log.String("stack", fmt.Sprintf("%+v", err)))
+		}
+		span.LogFields(fields...)
+		ext.Error.Set(span, true)
+	}
+	span.Finish()
+}
+
+// ContextWithSpanFromContext sets the tracing span of a context from other
+// context if one is not already set. Alternative would be
+// context.WithoutCancel() that would copy the context but reset ctx.Done
+func ContextWithSpanFromContext(ctx, ctx2 context.Context) context.Context {
+	// if already is a span then noop
+	if span := opentracing.SpanFromContext(ctx); span != nil {
+		return ctx
+	}
+	if span := opentracing.SpanFromContext(ctx2); span != nil {
+		return opentracing.ContextWithSpan(ctx, span)
+	}
+	return ctx
+}
+
+var DefaultTransport http.RoundTripper = &Transport{
+	RoundTripper: &nethttp.Transport{RoundTripper: http.DefaultTransport},
+}
+
+var DefaultClient = &http.Client{
+	Transport: DefaultTransport,
+}
+
+type Transport struct {
+	http.RoundTripper
+}
+
+func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
+	span := opentracing.SpanFromContext(req.Context())
+	if span == nil { // no tracer connected with either request or transport
+		return t.RoundTripper.RoundTrip(req)
+	}
+
+	req, tracer := nethttp.TraceRequest(span.Tracer(), req)
+
+	resp, err := t.RoundTripper.RoundTrip(req)
+	if err != nil {
+		tracer.Finish()
+		return resp, err
+	}
+
+	if req.Method == "HEAD" {
+		tracer.Finish()
+	} else {
+		resp.Body = closeTracker{resp.Body, tracer.Finish}
+	}
+
+	return resp, err
+}
+
+type closeTracker struct {
+	io.ReadCloser
+	finish func()
+}
+
+func (c closeTracker) Close() error {
+	err := c.ReadCloser.Close()
+	c.finish()
+	return err
+}
diff --git a/engine/vendor/github.com/moby/buildkit/vendor.conf b/engine/vendor/github.com/moby/buildkit/vendor.conf
new file mode 100644
index 00000000..9bde31d7
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/vendor.conf
@@ -0,0 +1,69 @@
+github.com/boltdb/bolt e9cf4fae01b5a8ff89d0ec6b32f0d9c9f79aefdd
+github.com/pkg/errors v0.8.0
+
+github.com/stretchr/testify v1.1.4
+github.com/davecgh/go-spew v1.1.0
+github.com/pmezard/go-difflib v1.0.0
+golang.org/x/sys 314a259e304ff91bd6985da2a7149bbf91237993
+
+github.com/containerd/containerd b41633746ed4833f52c3c071e8edcfa2713e5677
+github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
+golang.org/x/sync 450f422ab23cf9881c94e2db30cac0eb1b7cf80c
+github.com/sirupsen/logrus v1.0.0
+google.golang.org/grpc v1.12.0
+github.com/opencontainers/go-digest c9281466c8b2f606084ac71339773efd177436e7
+golang.org/x/net 0ed95abb35c445290478a5348a7b38bb154135fd
+github.com/gogo/protobuf v1.0.0
+github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
+github.com/golang/protobuf v1.1.0
+github.com/containerd/continuity d3c23511c1bf5851696cba83143d9cbcd666869b
+github.com/opencontainers/image-spec v1.0.1
+github.com/opencontainers/runc ad0f5255060d36872be04de22f8731f38ef2d7b1
+github.com/Microsoft/go-winio v0.4.7
+github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
+github.com/opencontainers/runtime-spec v1.0.1
+github.com/containerd/go-runc f271fa2021de855d4d918dbef83c5fe19db1bdd5
+github.com/containerd/console 5d1b48d6114b8c9666f0c8b916f871af97b0a761
+google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
+golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
+github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
+github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
+github.com/Microsoft/hcsshim v0.6.11
+
+github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
+github.com/morikuni/aec 39771216ff4c63d11f5e604076f9c45e8be1067b
+github.com/docker/go-units v0.3.1
+github.com/google/shlex 6f45313302b9c56850fc17f99e40caebce98c716
+golang.org/x/time f51c12702a4d776e4c1fa9b0fabab841babae631
+
+github.com/docker/docker 71cd53e4a197b303c6ba086bd584ffd67a884281
+github.com/pkg/profile 5b67d428864e92711fcbd2f8629456121a56d91f
+
+github.com/tonistiigi/fsutil 8abad97ee3969cdf5e9c367f46adba2c212b3ddb
+github.com/hashicorp/go-immutable-radix 826af9ccf0feeee615d546d69b11f8e98da8c8f1 git://github.com/tonistiigi/go-immutable-radix.git
+github.com/hashicorp/golang-lru a0d98a5f288019575c6d1f4bb1573fef2d1fcdc4
+github.com/mitchellh/hashstructure 2bca23e0e452137f789efbc8610126fd8b94f73b
+github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
+github.com/docker/distribution 30578ca32960a4d368bf6db67b0a33c2a1f3dc6f
+
+github.com/tonistiigi/units 6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
+github.com/docker/cli 99576756eb3303b7af8102c502f21a912e3c1af6 https://github.com/tonistiigi/docker-cli.git
+github.com/docker/docker-credential-helpers d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
+github.com/docker/libnetwork 822e5b59d346b7ad0735df2c8e445e9787320e67
+
+
+github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
+github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
+github.com/uber/jaeger-client-go e02c85f9069ea625a96fc4e1afb5e9ac6c569a6d
+github.com/apache/thrift b2a4d4ae21c789b689dd162deb819665567f481c
+github.com/uber/jaeger-lib c48167d9cae5887393dd5e61efd06a4a48b7fbb3
+github.com/codahale/hdrhistogram f8ad88b59a584afeee9d334eff879b104439117b
+
+github.com/opentracing-contrib/go-stdlib b1a47cfbdd7543e70e9ef3e73d0802ad306cc1cc
+
+# used by dockerfile tests
+gotest.tools v2.1.0
+github.com/google/go-cmp v0.2.0
+
+# used by rootless spec conv test
+github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
diff --git a/engine/vendor/github.com/moby/buildkit/worker/filter.go b/engine/vendor/github.com/moby/buildkit/worker/filter.go
new file mode 100644
index 00000000..c94a6265
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/worker/filter.go
@@ -0,0 +1,33 @@
+package worker
+
+import (
+	"strings"
+
+	"github.com/containerd/containerd/filters"
+)
+
+func adaptWorker(w Worker) filters.Adaptor {
+	return filters.AdapterFunc(func(fieldpath []string) (string, bool) {
+		if len(fieldpath) == 0 {
+			return "", false
+		}
+
+		switch fieldpath[0] {
+		case "id":
+			return w.ID(), len(w.ID()) > 0
+		case "labels":
+			return checkMap(fieldpath[1:], w.Labels())
+		}
+
+		return "", false
+	})
+}
+
+func checkMap(fieldpath []string, m map[string]string) (string, bool) {
+	if len(m) == 0 {
+		return "", false
+	}
+
+	value, ok := m[strings.Join(fieldpath, ".")]
+	return value, ok
+}
diff --git a/engine/vendor/github.com/moby/buildkit/worker/result.go b/engine/vendor/github.com/moby/buildkit/worker/result.go
new file mode 100644
index 00000000..9aa6af41
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/worker/result.go
@@ -0,0 +1,40 @@
+package worker
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/solver"
+)
+
+func NewWorkerRefResult(ref cache.ImmutableRef, worker Worker) solver.Result {
+	return &workerRefResult{&WorkerRef{ImmutableRef: ref, Worker: worker}}
+}
+
+type WorkerRef struct {
+	ImmutableRef cache.ImmutableRef
+	Worker       Worker
+}
+
+func (wr *WorkerRef) ID() string {
+	refID := ""
+	if wr.ImmutableRef != nil {
+		refID = wr.ImmutableRef.ID()
+	}
+	return wr.Worker.ID() + "::" + refID
+}
+
+type workerRefResult struct {
+	*WorkerRef
+}
+
+func (r *workerRefResult) Release(ctx context.Context) error {
+	if r.ImmutableRef == nil {
+		return nil
+	}
+	return r.ImmutableRef.Release(ctx)
+}
+
+func (r *workerRefResult) Sys() interface{} {
+	return r.WorkerRef
+}
diff --git a/engine/vendor/github.com/moby/buildkit/worker/worker.go b/engine/vendor/github.com/moby/buildkit/worker/worker.go
new file mode 100644
index 00000000..cd29d5ea
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/worker/worker.go
@@ -0,0 +1,41 @@
+package worker
+
+import (
+	"context"
+	"io"
+
+	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/executor"
+	"github.com/moby/buildkit/exporter"
+	"github.com/moby/buildkit/frontend"
+	"github.com/moby/buildkit/solver"
+	digest "github.com/opencontainers/go-digest"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type Worker interface {
+	// ID needs to be unique in the cluster
+	ID() string
+	Labels() map[string]string
+	Platforms() []specs.Platform
+	LoadRef(id string) (cache.ImmutableRef, error)
+	// ResolveOp resolves Vertex.Sys() to Op implementation.
+	ResolveOp(v solver.Vertex, s frontend.FrontendLLBBridge) (solver.Op, error)
+	ResolveImageConfig(ctx context.Context, ref string, platform *specs.Platform) (digest.Digest, []byte, error)
+	// Exec is similar to executor.Exec but without []mount.Mount
+	Exec(ctx context.Context, meta executor.Meta, rootFS cache.ImmutableRef, stdin io.ReadCloser, stdout, stderr io.WriteCloser) error
+	DiskUsage(ctx context.Context, opt client.DiskUsageInfo) ([]*client.UsageInfo, error)
+	Exporter(name string) (exporter.Exporter, error)
+	Prune(ctx context.Context, ch chan client.UsageInfo) error
+	GetRemote(ctx context.Context, ref cache.ImmutableRef, createIfNeeded bool) (*solver.Remote, error)
+	FromRemote(ctx context.Context, remote *solver.Remote) (cache.ImmutableRef, error)
+}
+
+// Pre-defined label keys
+const (
+	labelPrefix      = "org.mobyproject.buildkit.worker."
+	LabelExecutor    = labelPrefix + "executor"    // "oci" or "containerd"
+	LabelSnapshotter = labelPrefix + "snapshotter" // containerd snapshotter name ("overlay", "native", ...)
+	LabelHostname    = labelPrefix + "hostname"
+)
diff --git a/engine/vendor/github.com/moby/buildkit/worker/workercontroller.go b/engine/vendor/github.com/moby/buildkit/worker/workercontroller.go
new file mode 100644
index 00000000..b07db8f5
--- /dev/null
+++ b/engine/vendor/github.com/moby/buildkit/worker/workercontroller.go
@@ -0,0 +1,77 @@
+package worker
+
+import (
+	"sync"
+
+	"github.com/containerd/containerd/filters"
+	"github.com/moby/buildkit/client"
+	"github.com/pkg/errors"
+)
+
+// Controller holds worker instances.
+// Currently, only local workers are supported.
+type Controller struct {
+	// TODO: define worker interface and support remote ones
+	workers   sync.Map
+	defaultID string
+}
+
+// Add adds a local worker
+func (c *Controller) Add(w Worker) error {
+	c.workers.Store(w.ID(), w)
+	if c.defaultID == "" {
+		c.defaultID = w.ID()
+	}
+	return nil
+}
+
+// List lists workers
+func (c *Controller) List(filterStrings ...string) ([]Worker, error) {
+	filter, err := filters.ParseAll(filterStrings...)
+	if err != nil {
+		return nil, err
+	}
+	var workers []Worker
+	c.workers.Range(func(k, v interface{}) bool {
+		w := v.(Worker)
+		if filter.Match(adaptWorker(w)) {
+			workers = append(workers, w)
+		}
+		return true
+	})
+	return workers, nil
+}
+
+// GetDefault returns the default local worker
+func (c *Controller) GetDefault() (Worker, error) {
+	if c.defaultID == "" {
+		return nil, errors.Errorf("no default worker")
+	}
+	return c.Get(c.defaultID)
+}
+
+func (c *Controller) Get(id string) (Worker, error) {
+	v, ok := c.workers.Load(id)
+	if !ok {
+		return nil, errors.Errorf("worker %s not found", id)
+	}
+	return v.(Worker), nil
+}
+
+// TODO: add Get(Constraint) (*Worker, error)
+
+func (c *Controller) WorkerInfos() []client.WorkerInfo {
+	workers, err := c.List()
+	if err != nil {
+		return nil
+	}
+	out := make([]client.WorkerInfo, 0, len(workers))
+	for _, w := range workers {
+		out = append(out, client.WorkerInfo{
+			ID:        w.ID(),
+			Labels:    w.Labels(),
+			Platforms: w.Platforms(),
+		})
+	}
+	return out
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/LICENSE b/engine/vendor/github.com/tonistiigi/fsutil/LICENSE
new file mode 100644
index 00000000..7df441d9
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/LICENSE
@@ -0,0 +1,22 @@
+MIT
+
+Copyright 2017 Tõnis Tiigi <tonistiigi@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/chtimes_linux.go b/engine/vendor/github.com/tonistiigi/fsutil/chtimes_linux.go
new file mode 100644
index 00000000..74f08a15
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/chtimes_linux.go
@@ -0,0 +1,20 @@
+// +build linux
+
+package fsutil
+
+import (
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+func chtimes(path string, un int64) error {
+	var utimes [2]unix.Timespec
+	utimes[0] = unix.NsecToTimespec(un)
+	utimes[1] = utimes[0]
+
+	if err := unix.UtimesNanoAt(unix.AT_FDCWD, path, utimes[0:], unix.AT_SYMLINK_NOFOLLOW); err != nil {
+		return errors.Wrap(err, "failed call to UtimesNanoAt")
+	}
+
+	return nil
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/chtimes_nolinux.go b/engine/vendor/github.com/tonistiigi/fsutil/chtimes_nolinux.go
new file mode 100644
index 00000000..cdd80ec9
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/chtimes_nolinux.go
@@ -0,0 +1,20 @@
+// +build !linux
+
+package fsutil
+
+import (
+	"os"
+	"time"
+)
+
+func chtimes(path string, un int64) error {
+	mtime := time.Unix(0, un)
+	fi, err := os.Lstat(path)
+	if err != nil {
+		return err
+	}
+	if fi.Mode()&os.ModeSymlink != 0 {
+		return nil
+	}
+	return os.Chtimes(path, mtime, mtime)
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/diff.go b/engine/vendor/github.com/tonistiigi/fsutil/diff.go
new file mode 100644
index 00000000..340a0e48
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/diff.go
@@ -0,0 +1,43 @@
+package fsutil
+
+import (
+	"context"
+	"hash"
+	"os"
+)
+
+type walkerFn func(ctx context.Context, pathC chan<- *currentPath) error
+
+func Changes(ctx context.Context, a, b walkerFn, changeFn ChangeFunc) error {
+	return nil
+}
+
+type HandleChangeFn func(ChangeKind, string, os.FileInfo, error) error
+
+type ContentHasher func(*Stat) (hash.Hash, error)
+
+func GetWalkerFn(root string) walkerFn {
+	return func(ctx context.Context, pathC chan<- *currentPath) error {
+		return Walk(ctx, root, nil, func(path string, f os.FileInfo, err error) error {
+			if err != nil {
+				return err
+			}
+
+			p := &currentPath{
+				path: path,
+				f:    f,
+			}
+
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			case pathC <- p:
+				return nil
+			}
+		})
+	}
+}
+
+func emptyWalker(ctx context.Context, pathC chan<- *currentPath) error {
+	return nil
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/diff_containerd.go b/engine/vendor/github.com/tonistiigi/fsutil/diff_containerd.go
new file mode 100644
index 00000000..2722cef4
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/diff_containerd.go
@@ -0,0 +1,199 @@
+package fsutil
+
+import (
+	"context"
+	"os"
+	"strings"
+
+	"golang.org/x/sync/errgroup"
+)
+
+// Everything below is copied from containerd/fs. TODO: remove duplication @dmcgowan
+
+// Const redefined because containerd/fs doesn't build on !linux
+
+// ChangeKind is the type of modification that
+// a change is making.
+type ChangeKind int
+
+const (
+	// ChangeKindAdd represents an addition of
+	// a file
+	ChangeKindAdd ChangeKind = iota
+
+	// ChangeKindModify represents a change to
+	// an existing file
+	ChangeKindModify
+
+	// ChangeKindDelete represents a delete of
+	// a file
+	ChangeKindDelete
+)
+
+// ChangeFunc is the type of function called for each change
+// computed during a directory changes calculation.
+type ChangeFunc func(ChangeKind, string, os.FileInfo, error) error
+
+type currentPath struct {
+	path string
+	f    os.FileInfo
+	//	fullPath string
+}
+
+// doubleWalkDiff walks both directories to create a diff
+func doubleWalkDiff(ctx context.Context, changeFn ChangeFunc, a, b walkerFn) (err error) {
+	g, ctx := errgroup.WithContext(ctx)
+
+	var (
+		c1 = make(chan *currentPath, 128)
+		c2 = make(chan *currentPath, 128)
+
+		f1, f2 *currentPath
+		rmdir  string
+	)
+	g.Go(func() error {
+		defer close(c1)
+		return a(ctx, c1)
+	})
+	g.Go(func() error {
+		defer close(c2)
+		return b(ctx, c2)
+	})
+	g.Go(func() error {
+	loop0:
+		for c1 != nil || c2 != nil {
+			if f1 == nil && c1 != nil {
+				f1, err = nextPath(ctx, c1)
+				if err != nil {
+					return err
+				}
+				if f1 == nil {
+					c1 = nil
+				}
+			}
+
+			if f2 == nil && c2 != nil {
+				f2, err = nextPath(ctx, c2)
+				if err != nil {
+					return err
+				}
+				if f2 == nil {
+					c2 = nil
+				}
+			}
+			if f1 == nil && f2 == nil {
+				continue
+			}
+
+			var f os.FileInfo
+			k, p := pathChange(f1, f2)
+			switch k {
+			case ChangeKindAdd:
+				if rmdir != "" {
+					rmdir = ""
+				}
+				f = f2.f
+				f2 = nil
+			case ChangeKindDelete:
+				// Check if this file is already removed by being
+				// under of a removed directory
+				if rmdir != "" && strings.HasPrefix(f1.path, rmdir) {
+					f1 = nil
+					continue
+				} else if rmdir == "" && f1.f.IsDir() {
+					rmdir = f1.path + string(os.PathSeparator)
+				} else if rmdir != "" {
+					rmdir = ""
+				}
+				f1 = nil
+			case ChangeKindModify:
+				same, err := sameFile(f1, f2)
+				if err != nil {
+					return err
+				}
+				if f1.f.IsDir() && !f2.f.IsDir() {
+					rmdir = f1.path + string(os.PathSeparator)
+				} else if rmdir != "" {
+					rmdir = ""
+				}
+				f = f2.f
+				f1 = nil
+				f2 = nil
+				if same {
+					continue loop0
+				}
+			}
+			if err := changeFn(k, p, f, nil); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+
+	return g.Wait()
+}
+
+func pathChange(lower, upper *currentPath) (ChangeKind, string) {
+	if lower == nil {
+		if upper == nil {
+			panic("cannot compare nil paths")
+		}
+		return ChangeKindAdd, upper.path
+	}
+	if upper == nil {
+		return ChangeKindDelete, lower.path
+	}
+
+	switch i := ComparePath(lower.path, upper.path); {
+	case i < 0:
+		// File in lower that is not in upper
+		return ChangeKindDelete, lower.path
+	case i > 0:
+		// File in upper that is not in lower
+		return ChangeKindAdd, upper.path
+	default:
+		return ChangeKindModify, upper.path
+	}
+}
+
+func sameFile(f1, f2 *currentPath) (same bool, retErr error) {
+	// If not a directory also check size, modtime, and content
+	if !f1.f.IsDir() {
+		if f1.f.Size() != f2.f.Size() {
+			return false, nil
+		}
+
+		t1 := f1.f.ModTime()
+		t2 := f2.f.ModTime()
+		if t1.UnixNano() != t2.UnixNano() {
+			return false, nil
+		}
+	}
+
+	ls1, ok := f1.f.Sys().(*Stat)
+	if !ok {
+		return false, nil
+	}
+	ls2, ok := f1.f.Sys().(*Stat)
+	if !ok {
+		return false, nil
+	}
+
+	return compareStat(ls1, ls2)
+}
+
+// compareStat returns whether the stats are equivalent,
+// whether the files are considered the same file, and
+// an error
+func compareStat(ls1, ls2 *Stat) (bool, error) {
+	return ls1.Mode == ls2.Mode && ls1.Uid == ls2.Uid && ls1.Gid == ls2.Gid && ls1.Devmajor == ls2.Devmajor && ls1.Devminor == ls2.Devminor && ls1.Linkname == ls2.Linkname, nil
+}
+
+func nextPath(ctx context.Context, pathC <-chan *currentPath) (*currentPath, error) {
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	case p := <-pathC:
+		return p, nil
+	}
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/diff_containerd_linux.go b/engine/vendor/github.com/tonistiigi/fsutil/diff_containerd_linux.go
new file mode 100644
index 00000000..4ac7ec5e
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/diff_containerd_linux.go
@@ -0,0 +1,37 @@
+package fsutil
+
+import (
+	"bytes"
+	"syscall"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/pkg/errors"
+)
+
+// compareSysStat returns whether the stats are equivalent,
+// whether the files are considered the same file, and
+// an error
+func compareSysStat(s1, s2 interface{}) (bool, error) {
+	ls1, ok := s1.(*syscall.Stat_t)
+	if !ok {
+		return false, nil
+	}
+	ls2, ok := s2.(*syscall.Stat_t)
+	if !ok {
+		return false, nil
+	}
+
+	return ls1.Mode == ls2.Mode && ls1.Uid == ls2.Uid && ls1.Gid == ls2.Gid && ls1.Rdev == ls2.Rdev, nil
+}
+
+func compareCapabilities(p1, p2 string) (bool, error) {
+	c1, err := sysx.LGetxattr(p1, "security.capability")
+	if err != nil && err != syscall.ENODATA {
+		return false, errors.Wrapf(err, "failed to get xattr for %s", p1)
+	}
+	c2, err := sysx.LGetxattr(p2, "security.capability")
+	if err != nil && err != syscall.ENODATA {
+		return false, errors.Wrapf(err, "failed to get xattr for %s", p2)
+	}
+	return bytes.Equal(c1, c2), nil
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/diskwriter.go b/engine/vendor/github.com/tonistiigi/fsutil/diskwriter.go
new file mode 100644
index 00000000..aa1974f2
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/diskwriter.go
@@ -0,0 +1,340 @@
+package fsutil
+
+import (
+	"context"
+	"hash"
+	"io"
+	"os"
+	"path/filepath"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+type WriteToFunc func(context.Context, string, io.WriteCloser) error
+
+type DiskWriterOpt struct {
+	AsyncDataCb   WriteToFunc
+	SyncDataCb    WriteToFunc
+	NotifyCb      func(ChangeKind, string, os.FileInfo, error) error
+	ContentHasher ContentHasher
+	Filter        FilterFunc
+}
+
+type FilterFunc func(*Stat) bool
+
+type DiskWriter struct {
+	opt  DiskWriterOpt
+	dest string
+
+	wg     sync.WaitGroup
+	ctx    context.Context
+	cancel func()
+	eg     *errgroup.Group
+	filter FilterFunc
+}
+
+func NewDiskWriter(ctx context.Context, dest string, opt DiskWriterOpt) (*DiskWriter, error) {
+	if opt.SyncDataCb == nil && opt.AsyncDataCb == nil {
+		return nil, errors.New("no data callback specified")
+	}
+	if opt.SyncDataCb != nil && opt.AsyncDataCb != nil {
+		return nil, errors.New("can't specify both sync and async data callbacks")
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	eg, ctx := errgroup.WithContext(ctx)
+
+	return &DiskWriter{
+		opt:    opt,
+		dest:   dest,
+		eg:     eg,
+		ctx:    ctx,
+		cancel: cancel,
+		filter: opt.Filter,
+	}, nil
+}
+
+func (dw *DiskWriter) Wait(ctx context.Context) error {
+	return dw.eg.Wait()
+}
+
+func (dw *DiskWriter) HandleChange(kind ChangeKind, p string, fi os.FileInfo, err error) (retErr error) {
+	if err != nil {
+		return err
+	}
+
+	select {
+	case <-dw.ctx.Done():
+		return dw.ctx.Err()
+	default:
+	}
+
+	defer func() {
+		if retErr != nil {
+			dw.cancel()
+		}
+	}()
+
+	destPath := filepath.Join(dw.dest, filepath.FromSlash(p))
+
+	if kind == ChangeKindDelete {
+		// todo: no need to validate if diff is trusted but is it always?
+		if err := os.RemoveAll(destPath); err != nil {
+			return errors.Wrapf(err, "failed to remove: %s", destPath)
+		}
+		if dw.opt.NotifyCb != nil {
+			if err := dw.opt.NotifyCb(kind, p, nil, nil); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+
+	stat, ok := fi.Sys().(*Stat)
+	if !ok {
+		return errors.Errorf("%s invalid change without stat information", p)
+	}
+
+	statCopy := *stat
+
+	if dw.filter != nil {
+		if ok := dw.filter(&statCopy); !ok {
+			return nil
+		}
+	}
+
+	rename := true
+	oldFi, err := os.Lstat(destPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			if kind != ChangeKindAdd {
+				return errors.Wrapf(err, "invalid addition: %s", destPath)
+			}
+			rename = false
+		} else {
+			return errors.Wrapf(err, "failed to stat %s", destPath)
+		}
+	}
+
+	if oldFi != nil && fi.IsDir() && oldFi.IsDir() {
+		if err := rewriteMetadata(destPath, &statCopy); err != nil {
+			return errors.Wrapf(err, "error setting dir metadata for %s", destPath)
+		}
+		return nil
+	}
+
+	newPath := destPath
+	if rename {
+		newPath = filepath.Join(filepath.Dir(destPath), ".tmp."+nextSuffix())
+	}
+
+	isRegularFile := false
+
+	switch {
+	case fi.IsDir():
+		if err := os.Mkdir(newPath, fi.Mode()); err != nil {
+			return errors.Wrapf(err, "failed to create dir %s", newPath)
+		}
+	case fi.Mode()&os.ModeDevice != 0 || fi.Mode()&os.ModeNamedPipe != 0:
+		if err := handleTarTypeBlockCharFifo(newPath, &statCopy); err != nil {
+			return errors.Wrapf(err, "failed to create device %s", newPath)
+		}
+	case fi.Mode()&os.ModeSymlink != 0:
+		if err := os.Symlink(statCopy.Linkname, newPath); err != nil {
+			return errors.Wrapf(err, "failed to symlink %s", newPath)
+		}
+	case statCopy.Linkname != "":
+		if err := os.Link(filepath.Join(dw.dest, statCopy.Linkname), newPath); err != nil {
+			return errors.Wrapf(err, "failed to link %s to %s", newPath, statCopy.Linkname)
+		}
+	default:
+		isRegularFile = true
+		file, err := os.OpenFile(newPath, os.O_CREATE|os.O_WRONLY, fi.Mode()) //todo: windows
+		if err != nil {
+			return errors.Wrapf(err, "failed to create %s", newPath)
+		}
+		if dw.opt.SyncDataCb != nil {
+			if err := dw.processChange(ChangeKindAdd, p, fi, file); err != nil {
+				file.Close()
+				return err
+			}
+			break
+		}
+		if err := file.Close(); err != nil {
+			return errors.Wrapf(err, "failed to close %s", newPath)
+		}
+	}
+
+	if err := rewriteMetadata(newPath, &statCopy); err != nil {
+		return errors.Wrapf(err, "error setting metadata for %s", newPath)
+	}
+
+	if rename {
+		if err := os.Rename(newPath, destPath); err != nil {
+			return errors.Wrapf(err, "failed to rename %s to %s", newPath, destPath)
+		}
+	}
+
+	if isRegularFile {
+		if dw.opt.AsyncDataCb != nil {
+			dw.requestAsyncFileData(p, destPath, fi)
+		}
+	} else {
+		return dw.processChange(kind, p, fi, nil)
+	}
+
+	return nil
+}
+
+func (dw *DiskWriter) requestAsyncFileData(p, dest string, fi os.FileInfo) {
+	// todo: limit worker threads
+	dw.eg.Go(func() error {
+		if err := dw.processChange(ChangeKindAdd, p, fi, &lazyFileWriter{
+			dest: dest,
+		}); err != nil {
+			return err
+		}
+		return chtimes(dest, fi.ModTime().UnixNano()) // TODO: parent dirs
+	})
+}
+
+func (dw *DiskWriter) processChange(kind ChangeKind, p string, fi os.FileInfo, w io.WriteCloser) error {
+	origw := w
+	var hw *hashedWriter
+	if dw.opt.NotifyCb != nil {
+		var err error
+		if hw, err = newHashWriter(dw.opt.ContentHasher, fi, w); err != nil {
+			return err
+		}
+		w = hw
+	}
+	if origw != nil {
+		fn := dw.opt.SyncDataCb
+		if fn == nil && dw.opt.AsyncDataCb != nil {
+			fn = dw.opt.AsyncDataCb
+		}
+		if err := fn(dw.ctx, p, w); err != nil {
+			return err
+		}
+	} else {
+		if hw != nil {
+			hw.Close()
+		}
+	}
+	if hw != nil {
+		return dw.opt.NotifyCb(kind, p, hw, nil)
+	}
+	return nil
+}
+
+type hashedWriter struct {
+	os.FileInfo
+	io.Writer
+	h    hash.Hash
+	w    io.WriteCloser
+	dgst digest.Digest
+}
+
+func newHashWriter(ch ContentHasher, fi os.FileInfo, w io.WriteCloser) (*hashedWriter, error) {
+	stat, ok := fi.Sys().(*Stat)
+	if !ok {
+		return nil, errors.Errorf("invalid change without stat information")
+	}
+
+	h, err := ch(stat)
+	if err != nil {
+		return nil, err
+	}
+	hw := &hashedWriter{
+		FileInfo: fi,
+		Writer:   io.MultiWriter(w, h),
+		h:        h,
+		w:        w,
+	}
+	return hw, nil
+}
+
+func (hw *hashedWriter) Close() error {
+	hw.dgst = digest.NewDigest(digest.SHA256, hw.h)
+	if hw.w != nil {
+		return hw.w.Close()
+	}
+	return nil
+}
+
+func (hw *hashedWriter) Digest() digest.Digest {
+	return hw.dgst
+}
+
+type lazyFileWriter struct {
+	dest     string
+	ctx      context.Context
+	f        *os.File
+	fileMode *os.FileMode
+}
+
+func (lfw *lazyFileWriter) Write(dt []byte) (int, error) {
+	if lfw.f == nil {
+		file, err := os.OpenFile(lfw.dest, os.O_WRONLY, 0) //todo: windows
+		if os.IsPermission(err) {
+			// retry after chmod
+			fi, er := os.Stat(lfw.dest)
+			if er == nil {
+				mode := fi.Mode()
+				lfw.fileMode = &mode
+				er = os.Chmod(lfw.dest, mode|0222)
+				if er == nil {
+					file, err = os.OpenFile(lfw.dest, os.O_WRONLY, 0)
+				}
+			}
+		}
+		if err != nil {
+			return 0, errors.Wrapf(err, "failed to open %s", lfw.dest)
+		}
+		lfw.f = file
+	}
+	return lfw.f.Write(dt)
+}
+
+func (lfw *lazyFileWriter) Close() error {
+	var err error
+	if lfw.f != nil {
+		err = lfw.f.Close()
+	}
+	if err == nil && lfw.fileMode != nil {
+		err = os.Chmod(lfw.dest, *lfw.fileMode)
+	}
+	return err
+}
+
+func mkdev(major int64, minor int64) uint32 {
+	return uint32(((minor & 0xfff00) << 12) | ((major & 0xfff) << 8) | (minor & 0xff))
+}
+
+// Random number state.
+// We generate random temporary file names so that there's a good
+// chance the file doesn't exist yet - keeps the number of tries in
+// TempFile to a minimum.
+var rand uint32
+var randmu sync.Mutex
+
+func reseed() uint32 {
+	return uint32(time.Now().UnixNano() + int64(os.Getpid()))
+}
+
+func nextSuffix() string {
+	randmu.Lock()
+	r := rand
+	if r == 0 {
+		r = reseed()
+	}
+	r = r*1664525 + 1013904223 // constants from Numerical Recipes
+	rand = r
+	randmu.Unlock()
+	return strconv.Itoa(int(1e9 + r%1e9))[1:]
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/diskwriter_unix.go b/engine/vendor/github.com/tonistiigi/fsutil/diskwriter_unix.go
new file mode 100644
index 00000000..19dffabf
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/diskwriter_unix.go
@@ -0,0 +1,51 @@
+// +build !windows
+
+package fsutil
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/pkg/errors"
+)
+
+func rewriteMetadata(p string, stat *Stat) error {
+	for key, value := range stat.Xattrs {
+		sysx.Setxattr(p, key, value, 0)
+	}
+
+	if err := os.Lchown(p, int(stat.Uid), int(stat.Gid)); err != nil {
+		return errors.Wrapf(err, "failed to lchown %s", p)
+	}
+
+	if os.FileMode(stat.Mode)&os.ModeSymlink == 0 {
+		if err := os.Chmod(p, os.FileMode(stat.Mode)); err != nil {
+			return errors.Wrapf(err, "failed to chown %s", p)
+		}
+	}
+
+	if err := chtimes(p, stat.ModTime); err != nil {
+		return errors.Wrapf(err, "failed to chtimes %s", p)
+	}
+
+	return nil
+}
+
+// handleTarTypeBlockCharFifo is an OS-specific helper function used by
+// createTarFile to handle the following types of header: Block; Char; Fifo
+func handleTarTypeBlockCharFifo(path string, stat *Stat) error {
+	mode := uint32(stat.Mode & 07777)
+	if os.FileMode(stat.Mode)&os.ModeCharDevice != 0 {
+		mode |= syscall.S_IFCHR
+	} else if os.FileMode(stat.Mode)&os.ModeNamedPipe != 0 {
+		mode |= syscall.S_IFIFO
+	} else {
+		mode |= syscall.S_IFBLK
+	}
+
+	if err := syscall.Mknod(path, mode, int(mkdev(stat.Devmajor, stat.Devminor))); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/diskwriter_windows.go b/engine/vendor/github.com/tonistiigi/fsutil/diskwriter_windows.go
new file mode 100644
index 00000000..c6d0d7be
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/diskwriter_windows.go
@@ -0,0 +1,17 @@
+// +build windows
+
+package fsutil
+
+import (
+	"github.com/pkg/errors"
+)
+
+func rewriteMetadata(p string, stat *Stat) error {
+	return chtimes(p, stat.ModTime)
+}
+
+// handleTarTypeBlockCharFifo is an OS-specific helper function used by
+// createTarFile to handle the following types of header: Block; Char; Fifo
+func handleTarTypeBlockCharFifo(path string, stat *Stat) error {
+	return errors.New("Not implemented on windows")
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/followlinks.go b/engine/vendor/github.com/tonistiigi/fsutil/followlinks.go
new file mode 100644
index 00000000..ed4af6e8
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/followlinks.go
@@ -0,0 +1,150 @@
+package fsutil
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sort"
+	strings "strings"
+
+	"github.com/pkg/errors"
+)
+
+func FollowLinks(root string, paths []string) ([]string, error) {
+	r := &symlinkResolver{root: root, resolved: map[string]struct{}{}}
+	for _, p := range paths {
+		if err := r.append(p); err != nil {
+			return nil, err
+		}
+	}
+	res := make([]string, 0, len(r.resolved))
+	for r := range r.resolved {
+		res = append(res, r)
+	}
+	sort.Strings(res)
+	return dedupePaths(res), nil
+}
+
+type symlinkResolver struct {
+	root     string
+	resolved map[string]struct{}
+}
+
+func (r *symlinkResolver) append(p string) error {
+	p = filepath.Join(".", p)
+	current := "."
+	for {
+		parts := strings.SplitN(p, string(filepath.Separator), 2)
+		current = filepath.Join(current, parts[0])
+
+		targets, err := r.readSymlink(current, true)
+		if err != nil {
+			return err
+		}
+
+		p = ""
+		if len(parts) == 2 {
+			p = parts[1]
+		}
+
+		if p == "" || targets != nil {
+			if _, ok := r.resolved[current]; ok {
+				return nil
+			}
+		}
+
+		if targets != nil {
+			r.resolved[current] = struct{}{}
+			for _, target := range targets {
+				if err := r.append(filepath.Join(target, p)); err != nil {
+					return err
+				}
+			}
+			return nil
+		}
+
+		if p == "" {
+			r.resolved[current] = struct{}{}
+			return nil
+		}
+	}
+}
+
+func (r *symlinkResolver) readSymlink(p string, allowWildcard bool) ([]string, error) {
+	realPath := filepath.Join(r.root, p)
+	base := filepath.Base(p)
+	if allowWildcard && containsWildcards(base) {
+		fis, err := ioutil.ReadDir(filepath.Dir(realPath))
+		if err != nil {
+			if os.IsNotExist(err) {
+				return nil, nil
+			}
+			return nil, errors.Wrapf(err, "failed to read dir %s", filepath.Dir(realPath))
+		}
+		var out []string
+		for _, f := range fis {
+			if ok, _ := filepath.Match(base, f.Name()); ok {
+				res, err := r.readSymlink(filepath.Join(filepath.Dir(p), f.Name()), false)
+				if err != nil {
+					return nil, err
+				}
+				out = append(out, res...)
+			}
+		}
+		return out, nil
+	}
+
+	fi, err := os.Lstat(realPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, errors.Wrapf(err, "failed to lstat %s", realPath)
+	}
+	if fi.Mode()&os.ModeSymlink == 0 {
+		return nil, nil
+	}
+	link, err := os.Readlink(realPath)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to readlink %s", realPath)
+	}
+	link = filepath.Clean(link)
+	if filepath.IsAbs(link) {
+		return []string{link}, nil
+	}
+	return []string{
+		filepath.Join(string(filepath.Separator), filepath.Join(filepath.Dir(p), link)),
+	}, nil
+}
+
+func containsWildcards(name string) bool {
+	isWindows := runtime.GOOS == "windows"
+	for i := 0; i < len(name); i++ {
+		ch := name[i]
+		if ch == '\\' && !isWindows {
+			i++
+		} else if ch == '*' || ch == '?' || ch == '[' {
+			return true
+		}
+	}
+	return false
+}
+
+// dedupePaths expects input as a sorted list
+func dedupePaths(in []string) []string {
+	out := make([]string, 0, len(in))
+	var last string
+	for _, s := range in {
+		// if one of the paths is root there is no filter
+		if s == "." {
+			return nil
+		}
+		if strings.HasPrefix(s, last+string(filepath.Separator)) {
+			continue
+		}
+		out = append(out, s)
+		last = s
+	}
+	return out
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/generate.go b/engine/vendor/github.com/tonistiigi/fsutil/generate.go
new file mode 100644
index 00000000..e4331956
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/generate.go
@@ -0,0 +1,3 @@
+package fsutil
+
+//go:generate protoc --gogoslick_out=. stat.proto wire.proto
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/hardlinks.go b/engine/vendor/github.com/tonistiigi/fsutil/hardlinks.go
new file mode 100644
index 00000000..e598ead7
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/hardlinks.go
@@ -0,0 +1,46 @@
+package fsutil
+
+import (
+	"os"
+
+	"github.com/pkg/errors"
+)
+
+// Hardlinks validates that all targets for links were part of the changes
+
+type Hardlinks struct {
+	seenFiles map[string]struct{}
+}
+
+func (v *Hardlinks) HandleChange(kind ChangeKind, p string, fi os.FileInfo, err error) error {
+	if err != nil {
+		return err
+	}
+
+	if v.seenFiles == nil {
+		v.seenFiles = make(map[string]struct{})
+	}
+
+	if kind == ChangeKindDelete {
+		return nil
+	}
+
+	stat, ok := fi.Sys().(*Stat)
+	if !ok {
+		return errors.Errorf("invalid change without stat info: %s", p)
+	}
+
+	if fi.IsDir() || fi.Mode()&os.ModeSymlink != 0 {
+		return nil
+	}
+
+	if len(stat.Linkname) > 0 {
+		if _, ok := v.seenFiles[stat.Linkname]; !ok {
+			return errors.Errorf("invalid link %s to unknown path: %q", p, stat.Linkname)
+		}
+	} else {
+		v.seenFiles[p] = struct{}{}
+	}
+
+	return nil
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/readme.md b/engine/vendor/github.com/tonistiigi/fsutil/readme.md
new file mode 100644
index 00000000..5ce685b7
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/readme.md
@@ -0,0 +1,45 @@
+Incremental file directory sync tools in golang.
+
+```
+BENCH_FILE_SIZE=10000 ./bench.test --test.bench .
+BenchmarkCopyWithTar10-4                	    2000	    995242 ns/op
+BenchmarkCopyWithTar50-4                	     300	   4710021 ns/op
+BenchmarkCopyWithTar200-4               	     100	  16627260 ns/op
+BenchmarkCopyWithTar1000-4              	      20	  60031459 ns/op
+BenchmarkCPA10-4                        	    1000	   1678367 ns/op
+BenchmarkCPA50-4                        	     500	   3690306 ns/op
+BenchmarkCPA200-4                       	     200	   9495066 ns/op
+BenchmarkCPA1000-4                      	      50	  29769289 ns/op
+BenchmarkDiffCopy10-4                   	    2000	    943889 ns/op
+BenchmarkDiffCopy50-4                   	     500	   3285950 ns/op
+BenchmarkDiffCopy200-4                  	     200	   8563792 ns/op
+BenchmarkDiffCopy1000-4                 	      50	  29511340 ns/op
+BenchmarkDiffCopyProto10-4              	    2000	    944615 ns/op
+BenchmarkDiffCopyProto50-4              	     500	   3334940 ns/op
+BenchmarkDiffCopyProto200-4             	     200	   9420038 ns/op
+BenchmarkDiffCopyProto1000-4            	      50	  30632429 ns/op
+BenchmarkIncrementalDiffCopy10-4        	    2000	    691993 ns/op
+BenchmarkIncrementalDiffCopy50-4        	    1000	   1304253 ns/op
+BenchmarkIncrementalDiffCopy200-4       	     500	   3306519 ns/op
+BenchmarkIncrementalDiffCopy1000-4      	     200	  10211343 ns/op
+BenchmarkIncrementalDiffCopy5000-4      	      20	  55194427 ns/op
+BenchmarkIncrementalDiffCopy10000-4     	      20	  91759289 ns/op
+BenchmarkIncrementalCopyWithTar10-4     	    2000	   1020258 ns/op
+BenchmarkIncrementalCopyWithTar50-4     	     300	   5348786 ns/op
+BenchmarkIncrementalCopyWithTar200-4    	     100	  19495000 ns/op
+BenchmarkIncrementalCopyWithTar1000-4   	      20	  70338507 ns/op
+BenchmarkIncrementalRsync10-4           	      30	  45215754 ns/op
+BenchmarkIncrementalRsync50-4           	      30	  45837260 ns/op
+BenchmarkIncrementalRsync200-4          	      30	  48780614 ns/op
+BenchmarkIncrementalRsync1000-4         	      20	  54801892 ns/op
+BenchmarkIncrementalRsync5000-4         	      20	  84782542 ns/op
+BenchmarkIncrementalRsync10000-4        	      10	 103355108 ns/op
+BenchmarkRsync10-4                      	      30	  46776470 ns/op
+BenchmarkRsync50-4                      	      30	  48601555 ns/op
+BenchmarkRsync200-4                     	      20	  59642691 ns/op
+BenchmarkRsync1000-4                    	      20	 101343010 ns/op
+BenchmarkGnuTar10-4                     	     500	   3171448 ns/op
+BenchmarkGnuTar50-4                     	     300	   5030296 ns/op
+BenchmarkGnuTar200-4                    	     100	  10464313 ns/op
+BenchmarkGnuTar1000-4                   	      50	  30375257 ns/op
+```
\ No newline at end of file
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/receive.go b/engine/vendor/github.com/tonistiigi/fsutil/receive.go
new file mode 100644
index 00000000..14ccb6c7
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/receive.go
@@ -0,0 +1,269 @@
+package fsutil
+
+import (
+	"context"
+	"io"
+	"os"
+	"sync"
+
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+type ReceiveOpt struct {
+	NotifyHashed  ChangeFunc
+	ContentHasher ContentHasher
+	ProgressCb    func(int, bool)
+	Merge         bool
+	Filter        FilterFunc
+}
+
+func Receive(ctx context.Context, conn Stream, dest string, opt ReceiveOpt) error {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	r := &receiver{
+		conn:          &syncStream{Stream: conn},
+		dest:          dest,
+		files:         make(map[string]uint32),
+		pipes:         make(map[uint32]io.WriteCloser),
+		notifyHashed:  opt.NotifyHashed,
+		contentHasher: opt.ContentHasher,
+		progressCb:    opt.ProgressCb,
+		merge:         opt.Merge,
+		filter:        opt.Filter,
+	}
+	return r.run(ctx)
+}
+
+type receiver struct {
+	dest       string
+	conn       Stream
+	files      map[string]uint32
+	pipes      map[uint32]io.WriteCloser
+	mu         sync.RWMutex
+	muPipes    sync.RWMutex
+	progressCb func(int, bool)
+	merge      bool
+	filter     FilterFunc
+
+	notifyHashed   ChangeFunc
+	contentHasher  ContentHasher
+	orderValidator Validator
+	hlValidator    Hardlinks
+}
+
+type dynamicWalker struct {
+	walkChan chan *currentPath
+	err      error
+	closeCh  chan struct{}
+}
+
+func newDynamicWalker() *dynamicWalker {
+	return &dynamicWalker{
+		walkChan: make(chan *currentPath, 128),
+		closeCh:  make(chan struct{}),
+	}
+}
+
+func (w *dynamicWalker) update(p *currentPath) error {
+	select {
+	case <-w.closeCh:
+		return errors.Wrap(w.err, "walker is closed")
+	default:
+	}
+	if p == nil {
+		close(w.walkChan)
+		return nil
+	}
+	select {
+	case w.walkChan <- p:
+		return nil
+	case <-w.closeCh:
+		return errors.Wrap(w.err, "walker is closed")
+	}
+}
+
+func (w *dynamicWalker) fill(ctx context.Context, pathC chan<- *currentPath) error {
+	for {
+		select {
+		case p, ok := <-w.walkChan:
+			if !ok {
+				return nil
+			}
+			pathC <- p
+		case <-ctx.Done():
+			w.err = ctx.Err()
+			close(w.closeCh)
+			return ctx.Err()
+		}
+	}
+	return nil
+}
+
+func (r *receiver) run(ctx context.Context) error {
+	g, ctx := errgroup.WithContext(ctx)
+
+	dw, err := NewDiskWriter(ctx, r.dest, DiskWriterOpt{
+		AsyncDataCb:   r.asyncDataFunc,
+		NotifyCb:      r.notifyHashed,
+		ContentHasher: r.contentHasher,
+		Filter:        r.filter,
+	})
+	if err != nil {
+		return err
+	}
+
+	w := newDynamicWalker()
+
+	g.Go(func() (retErr error) {
+		defer func() {
+			if retErr != nil {
+				r.conn.SendMsg(&Packet{Type: PACKET_ERR, Data: []byte(retErr.Error())})
+			}
+		}()
+		destWalker := emptyWalker
+		if !r.merge {
+			destWalker = GetWalkerFn(r.dest)
+		}
+		err := doubleWalkDiff(ctx, dw.HandleChange, destWalker, w.fill)
+		if err != nil {
+			return err
+		}
+		if err := dw.Wait(ctx); err != nil {
+			return err
+		}
+		r.conn.SendMsg(&Packet{Type: PACKET_FIN})
+		return nil
+	})
+
+	g.Go(func() error {
+		var i uint32 = 0
+
+		size := 0
+		if r.progressCb != nil {
+			defer func() {
+				r.progressCb(size, true)
+			}()
+		}
+		var p Packet
+		for {
+			p = Packet{Data: p.Data[:0]}
+			if err := r.conn.RecvMsg(&p); err != nil {
+				return err
+			}
+			if r.progressCb != nil {
+				size += p.Size()
+				r.progressCb(size, false)
+			}
+
+			switch p.Type {
+			case PACKET_ERR:
+				return errors.Errorf("error from sender: %s", p.Data)
+			case PACKET_STAT:
+				if p.Stat == nil {
+					if err := w.update(nil); err != nil {
+						return err
+					}
+					break
+				}
+				if fileCanRequestData(os.FileMode(p.Stat.Mode)) {
+					r.mu.Lock()
+					r.files[p.Stat.Path] = i
+					r.mu.Unlock()
+				}
+				i++
+				cp := &currentPath{path: p.Stat.Path, f: &StatInfo{p.Stat}}
+				if err := r.orderValidator.HandleChange(ChangeKindAdd, cp.path, cp.f, nil); err != nil {
+					return err
+				}
+				if err := r.hlValidator.HandleChange(ChangeKindAdd, cp.path, cp.f, nil); err != nil {
+					return err
+				}
+				if err := w.update(cp); err != nil {
+					return err
+				}
+			case PACKET_DATA:
+				r.muPipes.Lock()
+				pw, ok := r.pipes[p.ID]
+				r.muPipes.Unlock()
+				if !ok {
+					return errors.Errorf("invalid file request %s", p.ID)
+				}
+				if len(p.Data) == 0 {
+					if err := pw.Close(); err != nil {
+						return err
+					}
+				} else {
+					if _, err := pw.Write(p.Data); err != nil {
+						return err
+					}
+				}
+			case PACKET_FIN:
+				for {
+					var p Packet
+					if err := r.conn.RecvMsg(&p); err != nil {
+						if err == io.EOF {
+							return nil
+						}
+						return err
+					}
+				}
+			}
+		}
+	})
+	return g.Wait()
+}
+
+func (r *receiver) asyncDataFunc(ctx context.Context, p string, wc io.WriteCloser) error {
+	r.mu.Lock()
+	id, ok := r.files[p]
+	if !ok {
+		r.mu.Unlock()
+		return errors.Errorf("invalid file request %s", p)
+	}
+	delete(r.files, p)
+	r.mu.Unlock()
+
+	wwc := newWrappedWriteCloser(wc)
+	r.muPipes.Lock()
+	r.pipes[id] = wwc
+	r.muPipes.Unlock()
+	if err := r.conn.SendMsg(&Packet{Type: PACKET_REQ, ID: id}); err != nil {
+		return err
+	}
+	err := wwc.Wait(ctx)
+	if err != nil {
+		return err
+	}
+	r.muPipes.Lock()
+	delete(r.pipes, id)
+	r.muPipes.Unlock()
+	return nil
+}
+
+type wrappedWriteCloser struct {
+	io.WriteCloser
+	err  error
+	once sync.Once
+	done chan struct{}
+}
+
+func newWrappedWriteCloser(wc io.WriteCloser) *wrappedWriteCloser {
+	return &wrappedWriteCloser{WriteCloser: wc, done: make(chan struct{})}
+}
+
+func (w *wrappedWriteCloser) Close() error {
+	w.err = w.WriteCloser.Close()
+	w.once.Do(func() { close(w.done) })
+	return w.err
+}
+
+func (w *wrappedWriteCloser) Wait(ctx context.Context) error {
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-w.done:
+		return w.err
+	}
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/send.go b/engine/vendor/github.com/tonistiigi/fsutil/send.go
new file mode 100644
index 00000000..61f6170a
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/send.go
@@ -0,0 +1,208 @@
+package fsutil
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+var bufPool = sync.Pool{
+	New: func() interface{} {
+		return make([]byte, 32*1<<10)
+	},
+}
+
+type Stream interface {
+	RecvMsg(interface{}) error
+	SendMsg(m interface{}) error
+	Context() context.Context
+}
+
+func Send(ctx context.Context, conn Stream, root string, opt *WalkOpt, progressCb func(int, bool)) error {
+	s := &sender{
+		conn:         &syncStream{Stream: conn},
+		root:         root,
+		opt:          opt,
+		files:        make(map[uint32]string),
+		progressCb:   progressCb,
+		sendpipeline: make(chan *sendHandle, 128),
+	}
+	return s.run(ctx)
+}
+
+type sendHandle struct {
+	id   uint32
+	path string
+}
+
+type sender struct {
+	conn            Stream
+	opt             *WalkOpt
+	root            string
+	files           map[uint32]string
+	mu              sync.RWMutex
+	progressCb      func(int, bool)
+	progressCurrent int
+	sendpipeline    chan *sendHandle
+}
+
+func (s *sender) run(ctx context.Context) error {
+	g, ctx := errgroup.WithContext(ctx)
+
+	defer s.updateProgress(0, true)
+
+	g.Go(func() error {
+		err := s.walk(ctx)
+		if err != nil {
+			s.conn.SendMsg(&Packet{Type: PACKET_ERR, Data: []byte(err.Error())})
+		}
+		return err
+	})
+
+	for i := 0; i < 4; i++ {
+		g.Go(func() error {
+			for h := range s.sendpipeline {
+				select {
+				case <-ctx.Done():
+					return ctx.Err()
+				default:
+				}
+				if err := s.sendFile(h); err != nil {
+					return err
+				}
+			}
+			return nil
+		})
+	}
+
+	g.Go(func() error {
+		defer close(s.sendpipeline)
+
+		for {
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			default:
+			}
+			var p Packet
+			if err := s.conn.RecvMsg(&p); err != nil {
+				return err
+			}
+			switch p.Type {
+			case PACKET_ERR:
+				return errors.Errorf("error from receiver: %s", p.Data)
+			case PACKET_REQ:
+				if err := s.queue(p.ID); err != nil {
+					return err
+				}
+			case PACKET_FIN:
+				return s.conn.SendMsg(&Packet{Type: PACKET_FIN})
+			}
+		}
+	})
+
+	return g.Wait()
+}
+
+func (s *sender) updateProgress(size int, last bool) {
+	if s.progressCb != nil {
+		s.progressCurrent += size
+		s.progressCb(s.progressCurrent, last)
+	}
+}
+
+func (s *sender) queue(id uint32) error {
+	s.mu.Lock()
+	p, ok := s.files[id]
+	if !ok {
+		s.mu.Unlock()
+		return errors.Errorf("invalid file id %d", id)
+	}
+	delete(s.files, id)
+	s.mu.Unlock()
+	s.sendpipeline <- &sendHandle{id, p}
+	return nil
+}
+
+func (s *sender) sendFile(h *sendHandle) error {
+	f, err := os.Open(filepath.Join(s.root, h.path))
+	if err == nil {
+		defer f.Close()
+		buf := bufPool.Get().([]byte)
+		defer bufPool.Put(buf)
+		if _, err := io.CopyBuffer(&fileSender{sender: s, id: h.id}, f, buf); err != nil {
+			return err
+		}
+	}
+	return s.conn.SendMsg(&Packet{ID: h.id, Type: PACKET_DATA})
+}
+
+func (s *sender) walk(ctx context.Context) error {
+	var i uint32 = 0
+	err := Walk(ctx, s.root, s.opt, func(path string, fi os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		stat, ok := fi.Sys().(*Stat)
+		if !ok {
+			return errors.Wrapf(err, "invalid fileinfo without stat info: %s", path)
+		}
+
+		p := &Packet{
+			Type: PACKET_STAT,
+			Stat: stat,
+		}
+		if fileCanRequestData(os.FileMode(stat.Mode)) {
+			s.mu.Lock()
+			s.files[i] = stat.Path
+			s.mu.Unlock()
+		}
+		i++
+		s.updateProgress(p.Size(), false)
+		return errors.Wrapf(s.conn.SendMsg(p), "failed to send stat %s", path)
+	})
+	if err != nil {
+		return err
+	}
+	return errors.Wrapf(s.conn.SendMsg(&Packet{Type: PACKET_STAT}), "failed to send last stat")
+}
+
+func fileCanRequestData(m os.FileMode) bool {
+	// avoid updating this function as it needs to match between sender/receiver.
+	// version if needed
+	return m&os.ModeType == 0
+}
+
+type fileSender struct {
+	sender *sender
+	id     uint32
+}
+
+func (fs *fileSender) Write(dt []byte) (int, error) {
+	if len(dt) == 0 {
+		return 0, nil
+	}
+	p := &Packet{Type: PACKET_DATA, ID: fs.id, Data: dt}
+	if err := fs.sender.conn.SendMsg(p); err != nil {
+		return 0, err
+	}
+	fs.sender.updateProgress(p.Size(), false)
+	return len(dt), nil
+}
+
+type syncStream struct {
+	Stream
+	mu sync.Mutex
+}
+
+func (ss *syncStream) SendMsg(m interface{}) error {
+	ss.mu.Lock()
+	err := ss.Stream.SendMsg(m)
+	ss.mu.Unlock()
+	return err
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/stat.pb.go b/engine/vendor/github.com/tonistiigi/fsutil/stat.pb.go
new file mode 100644
index 00000000..3f6925e4
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/stat.pb.go
@@ -0,0 +1,931 @@
+// Code generated by protoc-gen-gogo.
+// source: stat.proto
+// DO NOT EDIT!
+
+/*
+	Package fsutil is a generated protocol buffer package.
+
+	It is generated from these files:
+		stat.proto
+		wire.proto
+
+	It has these top-level messages:
+		Stat
+		Packet
+*/
+package fsutil
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import bytes "bytes"
+
+import strings "strings"
+import reflect "reflect"
+import github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package
+
+type Stat struct {
+	Path    string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
+	Mode    uint32 `protobuf:"varint,2,opt,name=mode,proto3" json:"mode,omitempty"`
+	Uid     uint32 `protobuf:"varint,3,opt,name=uid,proto3" json:"uid,omitempty"`
+	Gid     uint32 `protobuf:"varint,4,opt,name=gid,proto3" json:"gid,omitempty"`
+	Size_   int64  `protobuf:"varint,5,opt,name=size,proto3" json:"size,omitempty"`
+	ModTime int64  `protobuf:"varint,6,opt,name=modTime,proto3" json:"modTime,omitempty"`
+	// int32 typeflag = 7;
+	Linkname string            `protobuf:"bytes,7,opt,name=linkname,proto3" json:"linkname,omitempty"`
+	Devmajor int64             `protobuf:"varint,8,opt,name=devmajor,proto3" json:"devmajor,omitempty"`
+	Devminor int64             `protobuf:"varint,9,opt,name=devminor,proto3" json:"devminor,omitempty"`
+	Xattrs   map[string][]byte `protobuf:"bytes,10,rep,name=xattrs" json:"xattrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+}
+
+func (m *Stat) Reset()                    { *m = Stat{} }
+func (*Stat) ProtoMessage()               {}
+func (*Stat) Descriptor() ([]byte, []int) { return fileDescriptorStat, []int{0} }
+
+func (m *Stat) GetPath() string {
+	if m != nil {
+		return m.Path
+	}
+	return ""
+}
+
+func (m *Stat) GetMode() uint32 {
+	if m != nil {
+		return m.Mode
+	}
+	return 0
+}
+
+func (m *Stat) GetUid() uint32 {
+	if m != nil {
+		return m.Uid
+	}
+	return 0
+}
+
+func (m *Stat) GetGid() uint32 {
+	if m != nil {
+		return m.Gid
+	}
+	return 0
+}
+
+func (m *Stat) GetSize_() int64 {
+	if m != nil {
+		return m.Size_
+	}
+	return 0
+}
+
+func (m *Stat) GetModTime() int64 {
+	if m != nil {
+		return m.ModTime
+	}
+	return 0
+}
+
+func (m *Stat) GetLinkname() string {
+	if m != nil {
+		return m.Linkname
+	}
+	return ""
+}
+
+func (m *Stat) GetDevmajor() int64 {
+	if m != nil {
+		return m.Devmajor
+	}
+	return 0
+}
+
+func (m *Stat) GetDevminor() int64 {
+	if m != nil {
+		return m.Devminor
+	}
+	return 0
+}
+
+func (m *Stat) GetXattrs() map[string][]byte {
+	if m != nil {
+		return m.Xattrs
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*Stat)(nil), "fsutil.Stat")
+}
+func (this *Stat) Equal(that interface{}) bool {
+	if that == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	}
+
+	that1, ok := that.(*Stat)
+	if !ok {
+		that2, ok := that.(Stat)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	} else if this == nil {
+		return false
+	}
+	if this.Path != that1.Path {
+		return false
+	}
+	if this.Mode != that1.Mode {
+		return false
+	}
+	if this.Uid != that1.Uid {
+		return false
+	}
+	if this.Gid != that1.Gid {
+		return false
+	}
+	if this.Size_ != that1.Size_ {
+		return false
+	}
+	if this.ModTime != that1.ModTime {
+		return false
+	}
+	if this.Linkname != that1.Linkname {
+		return false
+	}
+	if this.Devmajor != that1.Devmajor {
+		return false
+	}
+	if this.Devminor != that1.Devminor {
+		return false
+	}
+	if len(this.Xattrs) != len(that1.Xattrs) {
+		return false
+	}
+	for i := range this.Xattrs {
+		if !bytes.Equal(this.Xattrs[i], that1.Xattrs[i]) {
+			return false
+		}
+	}
+	return true
+}
+func (this *Stat) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 14)
+	s = append(s, "&fsutil.Stat{")
+	s = append(s, "Path: "+fmt.Sprintf("%#v", this.Path)+",\n")
+	s = append(s, "Mode: "+fmt.Sprintf("%#v", this.Mode)+",\n")
+	s = append(s, "Uid: "+fmt.Sprintf("%#v", this.Uid)+",\n")
+	s = append(s, "Gid: "+fmt.Sprintf("%#v", this.Gid)+",\n")
+	s = append(s, "Size_: "+fmt.Sprintf("%#v", this.Size_)+",\n")
+	s = append(s, "ModTime: "+fmt.Sprintf("%#v", this.ModTime)+",\n")
+	s = append(s, "Linkname: "+fmt.Sprintf("%#v", this.Linkname)+",\n")
+	s = append(s, "Devmajor: "+fmt.Sprintf("%#v", this.Devmajor)+",\n")
+	s = append(s, "Devminor: "+fmt.Sprintf("%#v", this.Devminor)+",\n")
+	keysForXattrs := make([]string, 0, len(this.Xattrs))
+	for k, _ := range this.Xattrs {
+		keysForXattrs = append(keysForXattrs, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForXattrs)
+	mapStringForXattrs := "map[string][]byte{"
+	for _, k := range keysForXattrs {
+		mapStringForXattrs += fmt.Sprintf("%#v: %#v,", k, this.Xattrs[k])
+	}
+	mapStringForXattrs += "}"
+	if this.Xattrs != nil {
+		s = append(s, "Xattrs: "+mapStringForXattrs+",\n")
+	}
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringStat(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+func (m *Stat) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Stat) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Path) > 0 {
+		dAtA[i] = 0xa
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(len(m.Path)))
+		i += copy(dAtA[i:], m.Path)
+	}
+	if m.Mode != 0 {
+		dAtA[i] = 0x10
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Mode))
+	}
+	if m.Uid != 0 {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Uid))
+	}
+	if m.Gid != 0 {
+		dAtA[i] = 0x20
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Gid))
+	}
+	if m.Size_ != 0 {
+		dAtA[i] = 0x28
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Size_))
+	}
+	if m.ModTime != 0 {
+		dAtA[i] = 0x30
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.ModTime))
+	}
+	if len(m.Linkname) > 0 {
+		dAtA[i] = 0x3a
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(len(m.Linkname)))
+		i += copy(dAtA[i:], m.Linkname)
+	}
+	if m.Devmajor != 0 {
+		dAtA[i] = 0x40
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Devmajor))
+	}
+	if m.Devminor != 0 {
+		dAtA[i] = 0x48
+		i++
+		i = encodeVarintStat(dAtA, i, uint64(m.Devminor))
+	}
+	if len(m.Xattrs) > 0 {
+		for k, _ := range m.Xattrs {
+			dAtA[i] = 0x52
+			i++
+			v := m.Xattrs[k]
+			byteSize := 0
+			if len(v) > 0 {
+				byteSize = 1 + len(v) + sovStat(uint64(len(v)))
+			}
+			mapSize := 1 + len(k) + sovStat(uint64(len(k))) + byteSize
+			i = encodeVarintStat(dAtA, i, uint64(mapSize))
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintStat(dAtA, i, uint64(len(k)))
+			i += copy(dAtA[i:], k)
+			if len(v) > 0 {
+				dAtA[i] = 0x12
+				i++
+				i = encodeVarintStat(dAtA, i, uint64(len(v)))
+				i += copy(dAtA[i:], v)
+			}
+		}
+	}
+	return i, nil
+}
+
+func encodeFixed64Stat(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Stat(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintStat(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *Stat) Size() (n int) {
+	var l int
+	_ = l
+	l = len(m.Path)
+	if l > 0 {
+		n += 1 + l + sovStat(uint64(l))
+	}
+	if m.Mode != 0 {
+		n += 1 + sovStat(uint64(m.Mode))
+	}
+	if m.Uid != 0 {
+		n += 1 + sovStat(uint64(m.Uid))
+	}
+	if m.Gid != 0 {
+		n += 1 + sovStat(uint64(m.Gid))
+	}
+	if m.Size_ != 0 {
+		n += 1 + sovStat(uint64(m.Size_))
+	}
+	if m.ModTime != 0 {
+		n += 1 + sovStat(uint64(m.ModTime))
+	}
+	l = len(m.Linkname)
+	if l > 0 {
+		n += 1 + l + sovStat(uint64(l))
+	}
+	if m.Devmajor != 0 {
+		n += 1 + sovStat(uint64(m.Devmajor))
+	}
+	if m.Devminor != 0 {
+		n += 1 + sovStat(uint64(m.Devminor))
+	}
+	if len(m.Xattrs) > 0 {
+		for k, v := range m.Xattrs {
+			_ = k
+			_ = v
+			l = 0
+			if len(v) > 0 {
+				l = 1 + len(v) + sovStat(uint64(len(v)))
+			}
+			mapEntrySize := 1 + len(k) + sovStat(uint64(len(k))) + l
+			n += mapEntrySize + 1 + sovStat(uint64(mapEntrySize))
+		}
+	}
+	return n
+}
+
+func sovStat(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozStat(x uint64) (n int) {
+	return sovStat(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *Stat) String() string {
+	if this == nil {
+		return "nil"
+	}
+	keysForXattrs := make([]string, 0, len(this.Xattrs))
+	for k, _ := range this.Xattrs {
+		keysForXattrs = append(keysForXattrs, k)
+	}
+	github_com_gogo_protobuf_sortkeys.Strings(keysForXattrs)
+	mapStringForXattrs := "map[string][]byte{"
+	for _, k := range keysForXattrs {
+		mapStringForXattrs += fmt.Sprintf("%v: %v,", k, this.Xattrs[k])
+	}
+	mapStringForXattrs += "}"
+	s := strings.Join([]string{`&Stat{`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`Mode:` + fmt.Sprintf("%v", this.Mode) + `,`,
+		`Uid:` + fmt.Sprintf("%v", this.Uid) + `,`,
+		`Gid:` + fmt.Sprintf("%v", this.Gid) + `,`,
+		`Size_:` + fmt.Sprintf("%v", this.Size_) + `,`,
+		`ModTime:` + fmt.Sprintf("%v", this.ModTime) + `,`,
+		`Linkname:` + fmt.Sprintf("%v", this.Linkname) + `,`,
+		`Devmajor:` + fmt.Sprintf("%v", this.Devmajor) + `,`,
+		`Devminor:` + fmt.Sprintf("%v", this.Devminor) + `,`,
+		`Xattrs:` + mapStringForXattrs + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringStat(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *Stat) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowStat
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Stat: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Stat: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthStat
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Mode", wireType)
+			}
+			m.Mode = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Mode |= (uint32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Uid", wireType)
+			}
+			m.Uid = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Uid |= (uint32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Gid", wireType)
+			}
+			m.Gid = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Gid |= (uint32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Size_", wireType)
+			}
+			m.Size_ = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Size_ |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 6:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ModTime", wireType)
+			}
+			m.ModTime = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ModTime |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Linkname", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthStat
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Linkname = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 8:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Devmajor", wireType)
+			}
+			m.Devmajor = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Devmajor |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Devminor", wireType)
+			}
+			m.Devminor = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Devminor |= (int64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 10:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Xattrs", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthStat
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			var keykey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				keykey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			var stringLenmapkey uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLenmapkey |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLenmapkey := int(stringLenmapkey)
+			if intStringLenmapkey < 0 {
+				return ErrInvalidLengthStat
+			}
+			postStringIndexmapkey := iNdEx + intStringLenmapkey
+			if postStringIndexmapkey > l {
+				return io.ErrUnexpectedEOF
+			}
+			mapkey := string(dAtA[iNdEx:postStringIndexmapkey])
+			iNdEx = postStringIndexmapkey
+			if m.Xattrs == nil {
+				m.Xattrs = make(map[string][]byte)
+			}
+			if iNdEx < postIndex {
+				var valuekey uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowStat
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					valuekey |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				var mapbyteLen uint64
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return ErrIntOverflowStat
+					}
+					if iNdEx >= l {
+						return io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					mapbyteLen |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				intMapbyteLen := int(mapbyteLen)
+				if intMapbyteLen < 0 {
+					return ErrInvalidLengthStat
+				}
+				postbytesIndex := iNdEx + intMapbyteLen
+				if postbytesIndex > l {
+					return io.ErrUnexpectedEOF
+				}
+				mapvalue := make([]byte, mapbyteLen)
+				copy(mapvalue, dAtA[iNdEx:postbytesIndex])
+				iNdEx = postbytesIndex
+				m.Xattrs[mapkey] = mapvalue
+			} else {
+				var mapvalue []byte
+				m.Xattrs[mapkey] = mapvalue
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipStat(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthStat
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipStat(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowStat
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowStat
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthStat
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowStat
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipStat(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthStat = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowStat   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("stat.proto", fileDescriptorStat) }
+
+var fileDescriptorStat = []byte{
+	// 303 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0x4c, 0x91, 0xb1, 0x4e, 0xf3, 0x30,
+	0x14, 0x85, 0x73, 0x9b, 0x36, 0x6d, 0xdd, 0xff, 0x97, 0x90, 0xc5, 0x70, 0xd5, 0xc1, 0x8a, 0x98,
+	0x32, 0xa0, 0x08, 0xc1, 0x02, 0x8c, 0x48, 0xbc, 0x40, 0x60, 0x60, 0x35, 0xb2, 0x29, 0xa6, 0x4d,
+	0x5c, 0x25, 0x4e, 0x45, 0x99, 0x78, 0x04, 0x1e, 0x83, 0xd7, 0x60, 0x63, 0xec, 0xc8, 0x48, 0xcc,
+	0xc2, 0xd8, 0x47, 0x40, 0x76, 0xda, 0xc2, 0x76, 0xce, 0x77, 0x7c, 0x65, 0x9d, 0x7b, 0x09, 0xa9,
+	0x0c, 0x37, 0xe9, 0xbc, 0xd4, 0x46, 0xd3, 0xe8, 0xae, 0xaa, 0x8d, 0x9a, 0x1d, 0xbc, 0x75, 0x48,
+	0xf7, 0xca, 0x70, 0x43, 0x29, 0xe9, 0xce, 0xb9, 0xb9, 0x47, 0x88, 0x21, 0x19, 0x66, 0x5e, 0x3b,
+	0x96, 0x6b, 0x21, 0xb1, 0x13, 0x43, 0xf2, 0x3f, 0xf3, 0x9a, 0xee, 0x91, 0xb0, 0x56, 0x02, 0x43,
+	0x8f, 0x9c, 0x74, 0x64, 0xa2, 0x04, 0x76, 0x5b, 0x32, 0x51, 0xc2, 0xcd, 0x55, 0xea, 0x49, 0x62,
+	0x2f, 0x86, 0x24, 0xcc, 0xbc, 0xa6, 0x48, 0xfa, 0xb9, 0x16, 0xd7, 0x2a, 0x97, 0x18, 0x79, 0xbc,
+	0xb5, 0x74, 0x4c, 0x06, 0x33, 0x55, 0x4c, 0x0b, 0x9e, 0x4b, 0xec, 0xfb, 0xdf, 0x77, 0xde, 0x65,
+	0x42, 0x2e, 0x72, 0xfe, 0xa0, 0x4b, 0x1c, 0xf8, 0xb1, 0x9d, 0xdf, 0x66, 0xaa, 0xd0, 0x25, 0x0e,
+	0x7f, 0x33, 0xe7, 0xe9, 0x11, 0x89, 0x1e, 0xb9, 0x31, 0x65, 0x85, 0x24, 0x0e, 0x93, 0xd1, 0x31,
+	0xa6, 0x6d, 0xdf, 0xd4, 0x75, 0x4d, 0x6f, 0x7c, 0x74, 0x59, 0x98, 0x72, 0x99, 0x6d, 0xde, 0x8d,
+	0xcf, 0xc8, 0xe8, 0x0f, 0x76, 0xa5, 0xa6, 0x72, 0xb9, 0xd9, 0x86, 0x93, 0x74, 0x9f, 0xf4, 0x16,
+	0x7c, 0x56, 0xb7, 0xdb, 0xf8, 0x97, 0xb5, 0xe6, 0xbc, 0x73, 0x0a, 0x17, 0x87, 0xab, 0x86, 0x05,
+	0x1f, 0x0d, 0x0b, 0xd6, 0x0d, 0x83, 0x67, 0xcb, 0xe0, 0xd5, 0x32, 0x78, 0xb7, 0x0c, 0x56, 0x96,
+	0xc1, 0xa7, 0x65, 0xf0, 0x6d, 0x59, 0xb0, 0xb6, 0x0c, 0x5e, 0xbe, 0x58, 0x70, 0x1b, 0xf9, 0x03,
+	0x9c, 0xfc, 0x04, 0x00, 0x00, 0xff, 0xff, 0x19, 0x97, 0x14, 0xf4, 0x8e, 0x01, 0x00, 0x00,
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/stat.proto b/engine/vendor/github.com/tonistiigi/fsutil/stat.proto
new file mode 100644
index 00000000..e2794130
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/stat.proto
@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+package fsutil;
+
+message Stat {
+  string path = 1;
+  uint32 mode = 2;
+  uint32 uid = 3;
+  uint32 gid = 4;
+  int64 size = 5;
+  int64 modTime = 6;
+  // int32 typeflag = 7;
+  string linkname = 7;
+  int64 devmajor = 8;
+  int64 devminor = 9;
+  map<string, bytes> xattrs = 10;
+}
\ No newline at end of file
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/validator.go b/engine/vendor/github.com/tonistiigi/fsutil/validator.go
new file mode 100644
index 00000000..2bd1287a
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/validator.go
@@ -0,0 +1,92 @@
+package fsutil
+
+import (
+	"os"
+	"path"
+	"runtime"
+	"sort"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+type parent struct {
+	dir  string
+	last string
+}
+
+type Validator struct {
+	parentDirs []parent
+}
+
+func (v *Validator) HandleChange(kind ChangeKind, p string, fi os.FileInfo, err error) (retErr error) {
+	if err != nil {
+		return err
+	}
+	// test that all paths are in order and all parent dirs were present
+	if v.parentDirs == nil {
+		v.parentDirs = make([]parent, 1, 10)
+	}
+	if runtime.GOOS == "windows" {
+		p = strings.Replace(p, "\\", "", -1)
+	}
+	if p != path.Clean(p) {
+		return errors.Errorf("invalid unclean path %s", p)
+	}
+	if path.IsAbs(p) {
+		return errors.Errorf("abolute path %s not allowed", p)
+	}
+	dir := path.Dir(p)
+	base := path.Base(p)
+	if dir == "." {
+		dir = ""
+	}
+	if dir == ".." || strings.HasPrefix(p, "../") {
+		return errors.Errorf("invalid path: %s", p)
+	}
+
+	// find a parent dir from saved records
+	i := sort.Search(len(v.parentDirs), func(i int) bool {
+		return ComparePath(v.parentDirs[len(v.parentDirs)-1-i].dir, dir) <= 0
+	})
+	i = len(v.parentDirs) - 1 - i
+	if i != len(v.parentDirs)-1 { // skipping back to grandparent
+		v.parentDirs = v.parentDirs[:i+1]
+	}
+
+	if dir != v.parentDirs[len(v.parentDirs)-1].dir || v.parentDirs[i].last >= base {
+		return errors.Errorf("changes out of order: %q %q", p, path.Join(v.parentDirs[i].dir, v.parentDirs[i].last))
+	}
+	v.parentDirs[i].last = base
+	if kind != ChangeKindDelete && fi.IsDir() {
+		v.parentDirs = append(v.parentDirs, parent{
+			dir:  path.Join(dir, base),
+			last: "",
+		})
+	}
+	// todo: validate invalid mode combinations
+	return err
+}
+
+func ComparePath(p1, p2 string) int {
+	// byte-by-byte comparison to be compatible with str<>str
+	min := min(len(p1), len(p2))
+	for i := 0; i < min; i++ {
+		switch {
+		case p1[i] == p2[i]:
+			continue
+		case p2[i] != '/' && p1[i] < p2[i] || p1[i] == '/':
+			return -1
+		default:
+			return 1
+		}
+	}
+	return len(p1) - len(p2)
+}
+
+func min(x, y int) int {
+	if x < y {
+		return x
+	}
+	return y
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/walker.go b/engine/vendor/github.com/tonistiigi/fsutil/walker.go
new file mode 100644
index 00000000..aa509914
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/walker.go
@@ -0,0 +1,246 @@
+package fsutil
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/pkg/fileutils"
+	"github.com/pkg/errors"
+)
+
+type WalkOpt struct {
+	IncludePatterns []string
+	ExcludePatterns []string
+	// FollowPaths contains symlinks that are resolved into include patterns
+	// before performing the fs walk
+	FollowPaths []string
+	Map         func(*Stat) bool
+}
+
+func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) error {
+	root, err := filepath.EvalSymlinks(p)
+	if err != nil {
+		return errors.Wrapf(err, "failed to resolve %s", root)
+	}
+	fi, err := os.Stat(root)
+	if err != nil {
+		return errors.Wrapf(err, "failed to stat: %s", root)
+	}
+	if !fi.IsDir() {
+		return errors.Errorf("%s is not a directory", root)
+	}
+
+	var pm *fileutils.PatternMatcher
+	if opt != nil && opt.ExcludePatterns != nil {
+		pm, err = fileutils.NewPatternMatcher(opt.ExcludePatterns)
+		if err != nil {
+			return errors.Wrapf(err, "invalid excludepaths %s", opt.ExcludePatterns)
+		}
+	}
+
+	var includePatterns []string
+	if opt != nil && opt.IncludePatterns != nil {
+		includePatterns = make([]string, len(opt.IncludePatterns))
+		for k := range opt.IncludePatterns {
+			includePatterns[k] = filepath.Clean(opt.IncludePatterns[k])
+		}
+	}
+	if opt != nil && opt.FollowPaths != nil {
+		targets, err := FollowLinks(p, opt.FollowPaths)
+		if err != nil {
+			return err
+		}
+		if targets != nil {
+			includePatterns = append(includePatterns, targets...)
+			includePatterns = dedupePaths(includePatterns)
+		}
+	}
+
+	var lastIncludedDir string
+
+	seenFiles := make(map[uint64]string)
+	return filepath.Walk(root, func(path string, fi os.FileInfo, err error) (retErr error) {
+		if err != nil {
+			if os.IsNotExist(err) {
+				return filepath.SkipDir
+			}
+			return err
+		}
+		defer func() {
+			if retErr != nil && os.IsNotExist(errors.Cause(retErr)) {
+				retErr = filepath.SkipDir
+			}
+		}()
+		origpath := path
+		path, err = filepath.Rel(root, path)
+		if err != nil {
+			return err
+		}
+		// Skip root
+		if path == "." {
+			return nil
+		}
+
+		if opt != nil {
+			if includePatterns != nil {
+				skip := false
+				if lastIncludedDir != "" {
+					if strings.HasPrefix(path, lastIncludedDir+string(filepath.Separator)) {
+						skip = true
+					}
+				}
+
+				if !skip {
+					matched := false
+					partial := true
+					for _, p := range includePatterns {
+						if ok, p := matchPrefix(p, path); ok {
+							matched = true
+							if !p {
+								partial = false
+								break
+							}
+						}
+					}
+					if !matched {
+						if fi.IsDir() {
+							return filepath.SkipDir
+						}
+						return nil
+					}
+					if !partial && fi.IsDir() {
+						lastIncludedDir = path
+					}
+				}
+			}
+			if pm != nil {
+				m, err := pm.Matches(path)
+				if err != nil {
+					return errors.Wrap(err, "failed to match excludepatterns")
+				}
+
+				if m {
+					if fi.IsDir() {
+						if !pm.Exclusions() {
+							return filepath.SkipDir
+						}
+						dirSlash := path + string(filepath.Separator)
+						for _, pat := range pm.Patterns() {
+							if !pat.Exclusion() {
+								continue
+							}
+							patStr := pat.String() + string(filepath.Separator)
+							if strings.HasPrefix(patStr, dirSlash) {
+								goto passedFilter
+							}
+						}
+						return filepath.SkipDir
+					}
+					return nil
+				}
+			}
+		}
+
+	passedFilter:
+		path = filepath.ToSlash(path)
+
+		stat := &Stat{
+			Path:    path,
+			Mode:    uint32(fi.Mode()),
+			ModTime: fi.ModTime().UnixNano(),
+		}
+
+		setUnixOpt(fi, stat, path, seenFiles)
+
+		if !fi.IsDir() {
+			stat.Size_ = fi.Size()
+			if fi.Mode()&os.ModeSymlink != 0 {
+				link, err := os.Readlink(origpath)
+				if err != nil {
+					return errors.Wrapf(err, "failed to readlink %s", origpath)
+				}
+				stat.Linkname = link
+			}
+		}
+		if err := loadXattr(origpath, stat); err != nil {
+			return errors.Wrapf(err, "failed to xattr %s", path)
+		}
+
+		if runtime.GOOS == "windows" {
+			permPart := stat.Mode & uint32(os.ModePerm)
+			noPermPart := stat.Mode &^ uint32(os.ModePerm)
+			// Add the x bit: make everything +x from windows
+			permPart |= 0111
+			permPart &= 0755
+			stat.Mode = noPermPart | permPart
+		}
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			if opt != nil && opt.Map != nil {
+				if allowed := opt.Map(stat); !allowed {
+					return nil
+				}
+			}
+			if err := fn(stat.Path, &StatInfo{stat}, nil); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
+
+type StatInfo struct {
+	*Stat
+}
+
+func (s *StatInfo) Name() string {
+	return filepath.Base(s.Stat.Path)
+}
+func (s *StatInfo) Size() int64 {
+	return s.Stat.Size_
+}
+func (s *StatInfo) Mode() os.FileMode {
+	return os.FileMode(s.Stat.Mode)
+}
+func (s *StatInfo) ModTime() time.Time {
+	return time.Unix(s.Stat.ModTime/1e9, s.Stat.ModTime%1e9)
+}
+func (s *StatInfo) IsDir() bool {
+	return s.Mode().IsDir()
+}
+func (s *StatInfo) Sys() interface{} {
+	return s.Stat
+}
+
+func matchPrefix(pattern, name string) (bool, bool) {
+	count := strings.Count(name, string(filepath.Separator))
+	partial := false
+	if strings.Count(pattern, string(filepath.Separator)) > count {
+		pattern = trimUntilIndex(pattern, string(filepath.Separator), count)
+		partial = true
+	}
+	m, _ := filepath.Match(pattern, name)
+	return m, partial
+}
+
+func trimUntilIndex(str, sep string, count int) string {
+	s := str
+	i := 0
+	c := 0
+	for {
+		idx := strings.Index(s, sep)
+		s = s[idx+len(sep):]
+		i += idx + len(sep)
+		c++
+		if c > count {
+			return str[:i-len(sep)]
+		}
+	}
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/walker_unix.go b/engine/vendor/github.com/tonistiigi/fsutil/walker_unix.go
new file mode 100644
index 00000000..7e8ee803
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/walker_unix.go
@@ -0,0 +1,61 @@
+// +build !windows
+
+package fsutil
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/containerd/continuity/sysx"
+	"github.com/pkg/errors"
+)
+
+func loadXattr(origpath string, stat *Stat) error {
+	xattrs, err := sysx.LListxattr(origpath)
+	if err != nil {
+		return errors.Wrapf(err, "failed to xattr %s", origpath)
+	}
+	if len(xattrs) > 0 {
+		m := make(map[string][]byte)
+		for _, key := range xattrs {
+			v, err := sysx.LGetxattr(origpath, key)
+			if err == nil {
+				m[key] = v
+			}
+		}
+		stat.Xattrs = m
+	}
+	return nil
+}
+
+func setUnixOpt(fi os.FileInfo, stat *Stat, path string, seenFiles map[uint64]string) {
+	s := fi.Sys().(*syscall.Stat_t)
+
+	stat.Uid = s.Uid
+	stat.Gid = s.Gid
+
+	if !fi.IsDir() {
+		if s.Mode&syscall.S_IFBLK != 0 ||
+			s.Mode&syscall.S_IFCHR != 0 {
+			stat.Devmajor = int64(major(uint64(s.Rdev)))
+			stat.Devminor = int64(minor(uint64(s.Rdev)))
+		}
+
+		ino := s.Ino
+		if s.Nlink > 1 {
+			if oldpath, ok := seenFiles[ino]; ok {
+				stat.Linkname = oldpath
+				stat.Size_ = 0
+			}
+		}
+		seenFiles[ino] = path
+	}
+}
+
+func major(device uint64) uint64 {
+	return (device >> 8) & 0xfff
+}
+
+func minor(device uint64) uint64 {
+	return (device & 0xff) | ((device >> 12) & 0xfff00)
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/walker_windows.go b/engine/vendor/github.com/tonistiigi/fsutil/walker_windows.go
new file mode 100644
index 00000000..a1a2b455
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/walker_windows.go
@@ -0,0 +1,14 @@
+// +build windows
+
+package fsutil
+
+import (
+	"os"
+)
+
+func loadXattr(_ string, _ *Stat) error {
+	return nil
+}
+
+func setUnixOpt(_ os.FileInfo, _ *Stat, _ string, _ map[uint64]string) {
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/wire.pb.go b/engine/vendor/github.com/tonistiigi/fsutil/wire.pb.go
new file mode 100644
index 00000000..9d334bbd
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/wire.pb.go
@@ -0,0 +1,567 @@
+// Code generated by protoc-gen-gogo.
+// source: wire.proto
+// DO NOT EDIT!
+
+package fsutil
+
+import proto "github.com/gogo/protobuf/proto"
+import fmt "fmt"
+import math "math"
+
+import strconv "strconv"
+
+import bytes "bytes"
+
+import strings "strings"
+import reflect "reflect"
+
+import io "io"
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+type Packet_PacketType int32
+
+const (
+	PACKET_STAT Packet_PacketType = 0
+	PACKET_REQ  Packet_PacketType = 1
+	PACKET_DATA Packet_PacketType = 2
+	PACKET_FIN  Packet_PacketType = 3
+	PACKET_ERR  Packet_PacketType = 4
+)
+
+var Packet_PacketType_name = map[int32]string{
+	0: "PACKET_STAT",
+	1: "PACKET_REQ",
+	2: "PACKET_DATA",
+	3: "PACKET_FIN",
+	4: "PACKET_ERR",
+}
+var Packet_PacketType_value = map[string]int32{
+	"PACKET_STAT": 0,
+	"PACKET_REQ":  1,
+	"PACKET_DATA": 2,
+	"PACKET_FIN":  3,
+	"PACKET_ERR":  4,
+}
+
+func (Packet_PacketType) EnumDescriptor() ([]byte, []int) { return fileDescriptorWire, []int{0, 0} }
+
+type Packet struct {
+	Type Packet_PacketType `protobuf:"varint,1,opt,name=type,proto3,enum=fsutil.Packet_PacketType" json:"type,omitempty"`
+	Stat *Stat             `protobuf:"bytes,2,opt,name=stat" json:"stat,omitempty"`
+	ID   uint32            `protobuf:"varint,3,opt,name=ID,proto3" json:"ID,omitempty"`
+	Data []byte            `protobuf:"bytes,4,opt,name=data,proto3" json:"data,omitempty"`
+}
+
+func (m *Packet) Reset()                    { *m = Packet{} }
+func (*Packet) ProtoMessage()               {}
+func (*Packet) Descriptor() ([]byte, []int) { return fileDescriptorWire, []int{0} }
+
+func (m *Packet) GetType() Packet_PacketType {
+	if m != nil {
+		return m.Type
+	}
+	return PACKET_STAT
+}
+
+func (m *Packet) GetStat() *Stat {
+	if m != nil {
+		return m.Stat
+	}
+	return nil
+}
+
+func (m *Packet) GetID() uint32 {
+	if m != nil {
+		return m.ID
+	}
+	return 0
+}
+
+func (m *Packet) GetData() []byte {
+	if m != nil {
+		return m.Data
+	}
+	return nil
+}
+
+func init() {
+	proto.RegisterType((*Packet)(nil), "fsutil.Packet")
+	proto.RegisterEnum("fsutil.Packet_PacketType", Packet_PacketType_name, Packet_PacketType_value)
+}
+func (x Packet_PacketType) String() string {
+	s, ok := Packet_PacketType_name[int32(x)]
+	if ok {
+		return s
+	}
+	return strconv.Itoa(int(x))
+}
+func (this *Packet) Equal(that interface{}) bool {
+	if that == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	}
+
+	that1, ok := that.(*Packet)
+	if !ok {
+		that2, ok := that.(Packet)
+		if ok {
+			that1 = &that2
+		} else {
+			return false
+		}
+	}
+	if that1 == nil {
+		if this == nil {
+			return true
+		}
+		return false
+	} else if this == nil {
+		return false
+	}
+	if this.Type != that1.Type {
+		return false
+	}
+	if !this.Stat.Equal(that1.Stat) {
+		return false
+	}
+	if this.ID != that1.ID {
+		return false
+	}
+	if !bytes.Equal(this.Data, that1.Data) {
+		return false
+	}
+	return true
+}
+func (this *Packet) GoString() string {
+	if this == nil {
+		return "nil"
+	}
+	s := make([]string, 0, 8)
+	s = append(s, "&fsutil.Packet{")
+	s = append(s, "Type: "+fmt.Sprintf("%#v", this.Type)+",\n")
+	if this.Stat != nil {
+		s = append(s, "Stat: "+fmt.Sprintf("%#v", this.Stat)+",\n")
+	}
+	s = append(s, "ID: "+fmt.Sprintf("%#v", this.ID)+",\n")
+	s = append(s, "Data: "+fmt.Sprintf("%#v", this.Data)+",\n")
+	s = append(s, "}")
+	return strings.Join(s, "")
+}
+func valueToGoStringWire(v interface{}, typ string) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("func(v %v) *%v { return &v } ( %#v )", typ, typ, pv)
+}
+func (m *Packet) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *Packet) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if m.Type != 0 {
+		dAtA[i] = 0x8
+		i++
+		i = encodeVarintWire(dAtA, i, uint64(m.Type))
+	}
+	if m.Stat != nil {
+		dAtA[i] = 0x12
+		i++
+		i = encodeVarintWire(dAtA, i, uint64(m.Stat.Size()))
+		n1, err := m.Stat.MarshalTo(dAtA[i:])
+		if err != nil {
+			return 0, err
+		}
+		i += n1
+	}
+	if m.ID != 0 {
+		dAtA[i] = 0x18
+		i++
+		i = encodeVarintWire(dAtA, i, uint64(m.ID))
+	}
+	if len(m.Data) > 0 {
+		dAtA[i] = 0x22
+		i++
+		i = encodeVarintWire(dAtA, i, uint64(len(m.Data)))
+		i += copy(dAtA[i:], m.Data)
+	}
+	return i, nil
+}
+
+func encodeFixed64Wire(dAtA []byte, offset int, v uint64) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	dAtA[offset+4] = uint8(v >> 32)
+	dAtA[offset+5] = uint8(v >> 40)
+	dAtA[offset+6] = uint8(v >> 48)
+	dAtA[offset+7] = uint8(v >> 56)
+	return offset + 8
+}
+func encodeFixed32Wire(dAtA []byte, offset int, v uint32) int {
+	dAtA[offset] = uint8(v)
+	dAtA[offset+1] = uint8(v >> 8)
+	dAtA[offset+2] = uint8(v >> 16)
+	dAtA[offset+3] = uint8(v >> 24)
+	return offset + 4
+}
+func encodeVarintWire(dAtA []byte, offset int, v uint64) int {
+	for v >= 1<<7 {
+		dAtA[offset] = uint8(v&0x7f | 0x80)
+		v >>= 7
+		offset++
+	}
+	dAtA[offset] = uint8(v)
+	return offset + 1
+}
+func (m *Packet) Size() (n int) {
+	var l int
+	_ = l
+	if m.Type != 0 {
+		n += 1 + sovWire(uint64(m.Type))
+	}
+	if m.Stat != nil {
+		l = m.Stat.Size()
+		n += 1 + l + sovWire(uint64(l))
+	}
+	if m.ID != 0 {
+		n += 1 + sovWire(uint64(m.ID))
+	}
+	l = len(m.Data)
+	if l > 0 {
+		n += 1 + l + sovWire(uint64(l))
+	}
+	return n
+}
+
+func sovWire(x uint64) (n int) {
+	for {
+		n++
+		x >>= 7
+		if x == 0 {
+			break
+		}
+	}
+	return n
+}
+func sozWire(x uint64) (n int) {
+	return sovWire(uint64((x << 1) ^ uint64((int64(x) >> 63))))
+}
+func (this *Packet) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&Packet{`,
+		`Type:` + fmt.Sprintf("%v", this.Type) + `,`,
+		`Stat:` + strings.Replace(fmt.Sprintf("%v", this.Stat), "Stat", "Stat", 1) + `,`,
+		`ID:` + fmt.Sprintf("%v", this.ID) + `,`,
+		`Data:` + fmt.Sprintf("%v", this.Data) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func valueToStringWire(v interface{}) string {
+	rv := reflect.ValueOf(v)
+	if rv.IsNil() {
+		return "nil"
+	}
+	pv := reflect.Indirect(rv).Interface()
+	return fmt.Sprintf("*%v", pv)
+}
+func (m *Packet) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowWire
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: Packet: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: Packet: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Type", wireType)
+			}
+			m.Type = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Type |= (Packet_PacketType(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Stat", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthWire
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Stat == nil {
+				m.Stat = &Stat{}
+			}
+			if err := m.Stat.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ID", wireType)
+			}
+			m.ID = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.ID |= (uint32(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Data", wireType)
+			}
+			var byteLen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				byteLen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if byteLen < 0 {
+				return ErrInvalidLengthWire
+			}
+			postIndex := iNdEx + byteLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Data = append(m.Data[:0], dAtA[iNdEx:postIndex]...)
+			if m.Data == nil {
+				m.Data = []byte{}
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipWire(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthWire
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func skipWire(dAtA []byte) (n int, err error) {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return 0, ErrIntOverflowWire
+			}
+			if iNdEx >= l {
+				return 0, io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		wireType := int(wire & 0x7)
+		switch wireType {
+		case 0:
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				iNdEx++
+				if dAtA[iNdEx-1] < 0x80 {
+					break
+				}
+			}
+			return iNdEx, nil
+		case 1:
+			iNdEx += 8
+			return iNdEx, nil
+		case 2:
+			var length int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return 0, ErrIntOverflowWire
+				}
+				if iNdEx >= l {
+					return 0, io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				length |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			iNdEx += length
+			if length < 0 {
+				return 0, ErrInvalidLengthWire
+			}
+			return iNdEx, nil
+		case 3:
+			for {
+				var innerWire uint64
+				var start int = iNdEx
+				for shift := uint(0); ; shift += 7 {
+					if shift >= 64 {
+						return 0, ErrIntOverflowWire
+					}
+					if iNdEx >= l {
+						return 0, io.ErrUnexpectedEOF
+					}
+					b := dAtA[iNdEx]
+					iNdEx++
+					innerWire |= (uint64(b) & 0x7F) << shift
+					if b < 0x80 {
+						break
+					}
+				}
+				innerWireType := int(innerWire & 0x7)
+				if innerWireType == 4 {
+					break
+				}
+				next, err := skipWire(dAtA[start:])
+				if err != nil {
+					return 0, err
+				}
+				iNdEx = start + next
+			}
+			return iNdEx, nil
+		case 4:
+			return iNdEx, nil
+		case 5:
+			iNdEx += 4
+			return iNdEx, nil
+		default:
+			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
+		}
+	}
+	panic("unreachable")
+}
+
+var (
+	ErrInvalidLengthWire = fmt.Errorf("proto: negative length found during unmarshaling")
+	ErrIntOverflowWire   = fmt.Errorf("proto: integer overflow")
+)
+
+func init() { proto.RegisterFile("wire.proto", fileDescriptorWire) }
+
+var fileDescriptorWire = []byte{
+	// 259 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xe2, 0xe2, 0x2a, 0xcf, 0x2c, 0x4a,
+	0xd5, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0x4b, 0x2b, 0x2e, 0x2d, 0xc9, 0xcc, 0x91, 0xe2,
+	0x2a, 0x2e, 0x49, 0x2c, 0x81, 0x88, 0x29, 0xdd, 0x65, 0xe4, 0x62, 0x0b, 0x48, 0x4c, 0xce, 0x4e,
+	0x2d, 0x11, 0xd2, 0xe5, 0x62, 0x29, 0xa9, 0x2c, 0x48, 0x95, 0x60, 0x54, 0x60, 0xd4, 0xe0, 0x33,
+	0x92, 0xd4, 0x83, 0xa8, 0xd6, 0x83, 0xc8, 0x42, 0xa9, 0x90, 0xca, 0x82, 0xd4, 0x20, 0xb0, 0x32,
+	0x21, 0x05, 0x2e, 0x16, 0x90, 0x39, 0x12, 0x4c, 0x0a, 0x8c, 0x1a, 0xdc, 0x46, 0x3c, 0x30, 0xe5,
+	0xc1, 0x25, 0x89, 0x25, 0x41, 0x60, 0x19, 0x21, 0x3e, 0x2e, 0x26, 0x4f, 0x17, 0x09, 0x66, 0x05,
+	0x46, 0x0d, 0xde, 0x20, 0x26, 0x4f, 0x17, 0x21, 0x21, 0x2e, 0x96, 0x94, 0xc4, 0x92, 0x44, 0x09,
+	0x16, 0x05, 0x46, 0x0d, 0x9e, 0x20, 0x30, 0x5b, 0x29, 0x8e, 0x8b, 0x0b, 0x61, 0xb2, 0x10, 0x3f,
+	0x17, 0x77, 0x80, 0xa3, 0xb3, 0xb7, 0x6b, 0x48, 0x7c, 0x70, 0x88, 0x63, 0x88, 0x00, 0x83, 0x10,
+	0x1f, 0x17, 0x17, 0x54, 0x20, 0xc8, 0x35, 0x50, 0x80, 0x11, 0x49, 0x81, 0x8b, 0x63, 0x88, 0xa3,
+	0x00, 0x13, 0x92, 0x02, 0x37, 0x4f, 0x3f, 0x01, 0x66, 0x24, 0xbe, 0x6b, 0x50, 0x90, 0x00, 0x8b,
+	0x93, 0xce, 0x85, 0x87, 0x72, 0x0c, 0x37, 0x1e, 0xca, 0x31, 0x7c, 0x78, 0x28, 0xc7, 0xd8, 0xf0,
+	0x48, 0x8e, 0x71, 0xc5, 0x23, 0x39, 0xc6, 0x13, 0x8f, 0xe4, 0x18, 0x2f, 0x3c, 0x92, 0x63, 0x7c,
+	0xf0, 0x48, 0x8e, 0xf1, 0xc5, 0x23, 0x39, 0x86, 0x0f, 0x8f, 0xe4, 0x18, 0x27, 0x3c, 0x96, 0x63,
+	0x48, 0x62, 0x03, 0x07, 0x8a, 0x31, 0x20, 0x00, 0x00, 0xff, 0xff, 0x8b, 0xce, 0x55, 0x3b, 0x36,
+	0x01, 0x00, 0x00,
+}
diff --git a/engine/vendor/github.com/tonistiigi/fsutil/wire.proto b/engine/vendor/github.com/tonistiigi/fsutil/wire.proto
new file mode 100644
index 00000000..f9b33f31
--- /dev/null
+++ b/engine/vendor/github.com/tonistiigi/fsutil/wire.proto
@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package fsutil;
+
+import "stat.proto";
+
+message Packet {
+  enum PacketType {
+      PACKET_STAT = 0;
+      PACKET_REQ = 1;
+      PACKET_DATA = 2;
+      PACKET_FIN = 3;
+      PACKET_ERR = 4;
+    }
+  PacketType type = 1;
+  Stat stat = 2;
+  uint32 ID = 3;
+  bytes data = 4;
+}
diff --git a/engine/volume/drivers/adapter.go b/engine/volume/drivers/adapter.go
new file mode 100644
index 00000000..f6ee07a0
--- /dev/null
+++ b/engine/volume/drivers/adapter.go
@@ -0,0 +1,176 @@
+package drivers // import "github.com/docker/docker/volume/drivers"
+
+import (
+	"errors"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/volume"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	errNoSuchVolume = errors.New("no such volume")
+)
+
+type volumeDriverAdapter struct {
+	name         string
+	scopePath    func(s string) string
+	capabilities *volume.Capability
+	proxy        volumeDriver
+}
+
+func (a *volumeDriverAdapter) Name() string {
+	return a.name
+}
+
+func (a *volumeDriverAdapter) Create(name string, opts map[string]string) (volume.Volume, error) {
+	if err := a.proxy.Create(name, opts); err != nil {
+		return nil, err
+	}
+	return &volumeAdapter{
+		proxy:      a.proxy,
+		name:       name,
+		driverName: a.name,
+		scopePath:  a.scopePath,
+	}, nil
+}
+
+func (a *volumeDriverAdapter) Remove(v volume.Volume) error {
+	return a.proxy.Remove(v.Name())
+}
+
+func (a *volumeDriverAdapter) List() ([]volume.Volume, error) {
+	ls, err := a.proxy.List()
+	if err != nil {
+		return nil, err
+	}
+
+	var out []volume.Volume
+	for _, vp := range ls {
+		out = append(out, &volumeAdapter{
+			proxy:      a.proxy,
+			name:       vp.Name,
+			scopePath:  a.scopePath,
+			driverName: a.name,
+			eMount:     a.scopePath(vp.Mountpoint),
+		})
+	}
+	return out, nil
+}
+
+func (a *volumeDriverAdapter) Get(name string) (volume.Volume, error) {
+	v, err := a.proxy.Get(name)
+	if err != nil {
+		return nil, err
+	}
+
+	// plugin may have returned no volume and no error
+	if v == nil {
+		return nil, errNoSuchVolume
+	}
+
+	return &volumeAdapter{
+		proxy:      a.proxy,
+		name:       v.Name,
+		driverName: a.Name(),
+		eMount:     v.Mountpoint,
+		createdAt:  v.CreatedAt,
+		status:     v.Status,
+		scopePath:  a.scopePath,
+	}, nil
+}
+
+func (a *volumeDriverAdapter) Scope() string {
+	cap := a.getCapabilities()
+	return cap.Scope
+}
+
+func (a *volumeDriverAdapter) getCapabilities() volume.Capability {
+	if a.capabilities != nil {
+		return *a.capabilities
+	}
+	cap, err := a.proxy.Capabilities()
+	if err != nil {
+		// `GetCapabilities` is a not a required endpoint.
+		// On error assume it's a local-only driver
+		logrus.WithError(err).WithField("driver", a.name).Debug("Volume driver returned an error while trying to query its capabilities, using default capabilities")
+		return volume.Capability{Scope: volume.LocalScope}
+	}
+
+	// don't spam the warn log below just because the plugin didn't provide a scope
+	if len(cap.Scope) == 0 {
+		cap.Scope = volume.LocalScope
+	}
+
+	cap.Scope = strings.ToLower(cap.Scope)
+	if cap.Scope != volume.LocalScope && cap.Scope != volume.GlobalScope {
+		logrus.WithField("driver", a.Name()).WithField("scope", a.Scope).Warn("Volume driver returned an invalid scope")
+		cap.Scope = volume.LocalScope
+	}
+
+	a.capabilities = &cap
+	return cap
+}
+
+type volumeAdapter struct {
+	proxy      volumeDriver
+	name       string
+	scopePath  func(string) string
+	driverName string
+	eMount     string    // ephemeral host volume path
+	createdAt  time.Time // time the directory was created
+	status     map[string]interface{}
+}
+
+type proxyVolume struct {
+	Name       string
+	Mountpoint string
+	CreatedAt  time.Time
+	Status     map[string]interface{}
+}
+
+func (a *volumeAdapter) Name() string {
+	return a.name
+}
+
+func (a *volumeAdapter) DriverName() string {
+	return a.driverName
+}
+
+func (a *volumeAdapter) Path() string {
+	if len(a.eMount) == 0 {
+		mountpoint, _ := a.proxy.Path(a.name)
+		a.eMount = a.scopePath(mountpoint)
+	}
+	return a.eMount
+}
+
+func (a *volumeAdapter) CachedPath() string {
+	return a.eMount
+}
+
+func (a *volumeAdapter) Mount(id string) (string, error) {
+	mountpoint, err := a.proxy.Mount(a.name, id)
+	a.eMount = a.scopePath(mountpoint)
+	return a.eMount, err
+}
+
+func (a *volumeAdapter) Unmount(id string) error {
+	err := a.proxy.Unmount(a.name, id)
+	if err == nil {
+		a.eMount = ""
+	}
+	return err
+}
+
+func (a *volumeAdapter) CreatedAt() (time.Time, error) {
+	return a.createdAt, nil
+}
+func (a *volumeAdapter) Status() map[string]interface{} {
+	out := make(map[string]interface{}, len(a.status))
+	for k, v := range a.status {
+		out[k] = v
+	}
+	return out
+}
diff --git a/engine/volume/drivers/extpoint.go b/engine/volume/drivers/extpoint.go
new file mode 100644
index 00000000..b2131c20
--- /dev/null
+++ b/engine/volume/drivers/extpoint.go
@@ -0,0 +1,235 @@
+//go:generate pluginrpc-gen -i $GOFILE -o proxy.go -type volumeDriver -name VolumeDriver
+
+package drivers // import "github.com/docker/docker/volume/drivers"
+
+import (
+	"fmt"
+	"sort"
+	"sync"
+
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/locker"
+	getter "github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/docker/volume"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+const extName = "VolumeDriver"
+
+// volumeDriver defines the available functions that volume plugins must implement.
+// This interface is only defined to generate the proxy objects.
+// It's not intended to be public or reused.
+// nolint: deadcode
+type volumeDriver interface {
+	// Create a volume with the given name
+	Create(name string, opts map[string]string) (err error)
+	// Remove the volume with the given name
+	Remove(name string) (err error)
+	// Get the mountpoint of the given volume
+	Path(name string) (mountpoint string, err error)
+	// Mount the given volume and return the mountpoint
+	Mount(name, id string) (mountpoint string, err error)
+	// Unmount the given volume
+	Unmount(name, id string) (err error)
+	// List lists all the volumes known to the driver
+	List() (volumes []*proxyVolume, err error)
+	// Get retrieves the volume with the requested name
+	Get(name string) (volume *proxyVolume, err error)
+	// Capabilities gets the list of capabilities of the driver
+	Capabilities() (capabilities volume.Capability, err error)
+}
+
+// Store is an in-memory store for volume drivers
+type Store struct {
+	extensions   map[string]volume.Driver
+	mu           sync.Mutex
+	driverLock   *locker.Locker
+	pluginGetter getter.PluginGetter
+}
+
+// NewStore creates a new volume driver store
+func NewStore(pg getter.PluginGetter) *Store {
+	return &Store{
+		extensions:   make(map[string]volume.Driver),
+		driverLock:   locker.New(),
+		pluginGetter: pg,
+	}
+}
+
+type driverNotFoundError string
+
+func (e driverNotFoundError) Error() string {
+	return "volume driver not found: " + string(e)
+}
+
+func (driverNotFoundError) NotFound() {}
+
+// lookup returns the driver associated with the given name. If a
+// driver with the given name has not been registered it checks if
+// there is a VolumeDriver plugin available with the given name.
+func (s *Store) lookup(name string, mode int) (volume.Driver, error) {
+	if name == "" {
+		return nil, errdefs.InvalidParameter(errors.New("driver name cannot be empty"))
+	}
+	s.driverLock.Lock(name)
+	defer s.driverLock.Unlock(name)
+
+	s.mu.Lock()
+	ext, ok := s.extensions[name]
+	s.mu.Unlock()
+	if ok {
+		return ext, nil
+	}
+	if s.pluginGetter != nil {
+		p, err := s.pluginGetter.Get(name, extName, mode)
+		if err != nil {
+			return nil, errors.Wrap(err, "error looking up volume plugin "+name)
+		}
+
+		d, err := makePluginAdapter(p)
+		if err != nil {
+			return nil, errors.Wrap(err, "error making plugin client")
+		}
+		if err := validateDriver(d); err != nil {
+			if mode > 0 {
+				// Undo any reference count changes from the initial `Get`
+				if _, err := s.pluginGetter.Get(name, extName, mode*-1); err != nil {
+					logrus.WithError(err).WithField("action", "validate-driver").WithField("plugin", name).Error("error releasing reference to plugin")
+				}
+			}
+			return nil, err
+		}
+
+		if p.IsV1() {
+			s.mu.Lock()
+			s.extensions[name] = d
+			s.mu.Unlock()
+		}
+		return d, nil
+	}
+	return nil, driverNotFoundError(name)
+}
+
+func validateDriver(vd volume.Driver) error {
+	scope := vd.Scope()
+	if scope != volume.LocalScope && scope != volume.GlobalScope {
+		return fmt.Errorf("Driver %q provided an invalid capability scope: %s", vd.Name(), scope)
+	}
+	return nil
+}
+
+// Register associates the given driver to the given name, checking if
+// the name is already associated
+func (s *Store) Register(d volume.Driver, name string) bool {
+	if name == "" {
+		return false
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if _, exists := s.extensions[name]; exists {
+		return false
+	}
+
+	if err := validateDriver(d); err != nil {
+		return false
+	}
+
+	s.extensions[name] = d
+	return true
+}
+
+// GetDriver returns a volume driver by its name.
+// If the driver is empty, it looks for the local driver.
+func (s *Store) GetDriver(name string) (volume.Driver, error) {
+	return s.lookup(name, getter.Lookup)
+}
+
+// CreateDriver returns a volume driver by its name and increments RefCount.
+// If the driver is empty, it looks for the local driver.
+func (s *Store) CreateDriver(name string) (volume.Driver, error) {
+	return s.lookup(name, getter.Acquire)
+}
+
+// ReleaseDriver returns a volume driver by its name and decrements RefCount..
+// If the driver is empty, it looks for the local driver.
+func (s *Store) ReleaseDriver(name string) (volume.Driver, error) {
+	return s.lookup(name, getter.Release)
+}
+
+// GetDriverList returns list of volume drivers registered.
+// If no driver is registered, empty string list will be returned.
+func (s *Store) GetDriverList() []string {
+	var driverList []string
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	for driverName := range s.extensions {
+		driverList = append(driverList, driverName)
+	}
+	sort.Strings(driverList)
+	return driverList
+}
+
+// GetAllDrivers lists all the registered drivers
+func (s *Store) GetAllDrivers() ([]volume.Driver, error) {
+	var plugins []getter.CompatPlugin
+	if s.pluginGetter != nil {
+		var err error
+		plugins, err = s.pluginGetter.GetAllByCap(extName)
+		if err != nil {
+			return nil, fmt.Errorf("error listing plugins: %v", err)
+		}
+	}
+	var ds []volume.Driver
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	for _, d := range s.extensions {
+		ds = append(ds, d)
+	}
+
+	for _, p := range plugins {
+		name := p.Name()
+
+		if _, ok := s.extensions[name]; ok {
+			continue
+		}
+
+		ext, err := makePluginAdapter(p)
+		if err != nil {
+			return nil, errors.Wrap(err, "error making plugin client")
+		}
+		if p.IsV1() {
+			s.extensions[name] = ext
+		}
+		ds = append(ds, ext)
+	}
+	return ds, nil
+}
+
+func makePluginAdapter(p getter.CompatPlugin) (*volumeDriverAdapter, error) {
+	if pc, ok := p.(getter.PluginWithV1Client); ok {
+		return &volumeDriverAdapter{name: p.Name(), scopePath: p.ScopedPath, proxy: &volumeDriverProxy{pc.Client()}}, nil
+	}
+
+	pa, ok := p.(getter.PluginAddr)
+	if !ok {
+		return nil, errdefs.System(errors.Errorf("got unknown plugin instance %T", p))
+	}
+
+	if pa.Protocol() != plugins.ProtocolSchemeHTTPV1 {
+		return nil, errors.Errorf("plugin protocol not supported: %s", p)
+	}
+
+	addr := pa.Addr()
+	client, err := plugins.NewClientWithTimeout(addr.Network()+"://"+addr.String(), nil, pa.Timeout())
+	if err != nil {
+		return nil, errors.Wrap(err, "error creating plugin client")
+	}
+
+	return &volumeDriverAdapter{name: p.Name(), scopePath: p.ScopedPath, proxy: &volumeDriverProxy{client}}, nil
+}
diff --git a/engine/volume/drivers/extpoint_test.go b/engine/volume/drivers/extpoint_test.go
new file mode 100644
index 00000000..384742ea
--- /dev/null
+++ b/engine/volume/drivers/extpoint_test.go
@@ -0,0 +1,24 @@
+package drivers // import "github.com/docker/docker/volume/drivers"
+
+import (
+	"testing"
+
+	volumetestutils "github.com/docker/docker/volume/testutils"
+)
+
+func TestGetDriver(t *testing.T) {
+	s := NewStore(nil)
+	_, err := s.GetDriver("missing")
+	if err == nil {
+		t.Fatal("Expected error, was nil")
+	}
+	s.Register(volumetestutils.NewFakeDriver("fake"), "fake")
+
+	d, err := s.GetDriver("fake")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if d.Name() != "fake" {
+		t.Fatalf("Expected fake driver, got %s\n", d.Name())
+	}
+}
diff --git a/engine/volume/drivers/proxy.go b/engine/volume/drivers/proxy.go
new file mode 100644
index 00000000..8a44faed
--- /dev/null
+++ b/engine/volume/drivers/proxy.go
@@ -0,0 +1,255 @@
+// generated code - DO NOT EDIT
+
+package drivers // import "github.com/docker/docker/volume/drivers"
+
+import (
+	"errors"
+	"time"
+
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/docker/volume"
+)
+
+const (
+	longTimeout  = 2 * time.Minute
+	shortTimeout = 1 * time.Minute
+)
+
+type client interface {
+	CallWithOptions(string, interface{}, interface{}, ...func(*plugins.RequestOpts)) error
+}
+
+type volumeDriverProxy struct {
+	client
+}
+
+type volumeDriverProxyCreateRequest struct {
+	Name string
+	Opts map[string]string
+}
+
+type volumeDriverProxyCreateResponse struct {
+	Err string
+}
+
+func (pp *volumeDriverProxy) Create(name string, opts map[string]string) (err error) {
+	var (
+		req volumeDriverProxyCreateRequest
+		ret volumeDriverProxyCreateResponse
+	)
+
+	req.Name = name
+	req.Opts = opts
+
+	if err = pp.CallWithOptions("VolumeDriver.Create", req, &ret, plugins.WithRequestTimeout(longTimeout)); err != nil {
+		return
+	}
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
+
+type volumeDriverProxyRemoveRequest struct {
+	Name string
+}
+
+type volumeDriverProxyRemoveResponse struct {
+	Err string
+}
+
+func (pp *volumeDriverProxy) Remove(name string) (err error) {
+	var (
+		req volumeDriverProxyRemoveRequest
+		ret volumeDriverProxyRemoveResponse
+	)
+
+	req.Name = name
+
+	if err = pp.CallWithOptions("VolumeDriver.Remove", req, &ret, plugins.WithRequestTimeout(shortTimeout)); err != nil {
+		return
+	}
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
+
+type volumeDriverProxyPathRequest struct {
+	Name string
+}
+
+type volumeDriverProxyPathResponse struct {
+	Mountpoint string
+	Err        string
+}
+
+func (pp *volumeDriverProxy) Path(name string) (mountpoint string, err error) {
+	var (
+		req volumeDriverProxyPathRequest
+		ret volumeDriverProxyPathResponse
+	)
+
+	req.Name = name
+
+	if err = pp.CallWithOptions("VolumeDriver.Path", req, &ret, plugins.WithRequestTimeout(shortTimeout)); err != nil {
+		return
+	}
+
+	mountpoint = ret.Mountpoint
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
+
+type volumeDriverProxyMountRequest struct {
+	Name string
+	ID   string
+}
+
+type volumeDriverProxyMountResponse struct {
+	Mountpoint string
+	Err        string
+}
+
+func (pp *volumeDriverProxy) Mount(name string, id string) (mountpoint string, err error) {
+	var (
+		req volumeDriverProxyMountRequest
+		ret volumeDriverProxyMountResponse
+	)
+
+	req.Name = name
+	req.ID = id
+
+	if err = pp.CallWithOptions("VolumeDriver.Mount", req, &ret, plugins.WithRequestTimeout(longTimeout)); err != nil {
+		return
+	}
+
+	mountpoint = ret.Mountpoint
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
+
+type volumeDriverProxyUnmountRequest struct {
+	Name string
+	ID   string
+}
+
+type volumeDriverProxyUnmountResponse struct {
+	Err string
+}
+
+func (pp *volumeDriverProxy) Unmount(name string, id string) (err error) {
+	var (
+		req volumeDriverProxyUnmountRequest
+		ret volumeDriverProxyUnmountResponse
+	)
+
+	req.Name = name
+	req.ID = id
+
+	if err = pp.CallWithOptions("VolumeDriver.Unmount", req, &ret, plugins.WithRequestTimeout(shortTimeout)); err != nil {
+		return
+	}
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
+
+type volumeDriverProxyListRequest struct {
+}
+
+type volumeDriverProxyListResponse struct {
+	Volumes []*proxyVolume
+	Err     string
+}
+
+func (pp *volumeDriverProxy) List() (volumes []*proxyVolume, err error) {
+	var (
+		req volumeDriverProxyListRequest
+		ret volumeDriverProxyListResponse
+	)
+
+	if err = pp.CallWithOptions("VolumeDriver.List", req, &ret, plugins.WithRequestTimeout(shortTimeout)); err != nil {
+		return
+	}
+
+	volumes = ret.Volumes
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
+
+type volumeDriverProxyGetRequest struct {
+	Name string
+}
+
+type volumeDriverProxyGetResponse struct {
+	Volume *proxyVolume
+	Err    string
+}
+
+func (pp *volumeDriverProxy) Get(name string) (volume *proxyVolume, err error) {
+	var (
+		req volumeDriverProxyGetRequest
+		ret volumeDriverProxyGetResponse
+	)
+
+	req.Name = name
+
+	if err = pp.CallWithOptions("VolumeDriver.Get", req, &ret, plugins.WithRequestTimeout(shortTimeout)); err != nil {
+		return
+	}
+
+	volume = ret.Volume
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
+
+type volumeDriverProxyCapabilitiesRequest struct {
+}
+
+type volumeDriverProxyCapabilitiesResponse struct {
+	Capabilities volume.Capability
+	Err          string
+}
+
+func (pp *volumeDriverProxy) Capabilities() (capabilities volume.Capability, err error) {
+	var (
+		req volumeDriverProxyCapabilitiesRequest
+		ret volumeDriverProxyCapabilitiesResponse
+	)
+
+	if err = pp.CallWithOptions("VolumeDriver.Capabilities", req, &ret, plugins.WithRequestTimeout(shortTimeout)); err != nil {
+		return
+	}
+
+	capabilities = ret.Capabilities
+
+	if ret.Err != "" {
+		err = errors.New(ret.Err)
+	}
+
+	return
+}
diff --git a/engine/volume/drivers/proxy_test.go b/engine/volume/drivers/proxy_test.go
new file mode 100644
index 00000000..79af9563
--- /dev/null
+++ b/engine/volume/drivers/proxy_test.go
@@ -0,0 +1,132 @@
+package drivers // import "github.com/docker/docker/volume/drivers"
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/go-connections/tlsconfig"
+)
+
+func TestVolumeRequestError(t *testing.T) {
+	mux := http.NewServeMux()
+	server := httptest.NewServer(mux)
+	defer server.Close()
+
+	mux.HandleFunc("/VolumeDriver.Create", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintln(w, `{"Err": "Cannot create volume"}`)
+	})
+
+	mux.HandleFunc("/VolumeDriver.Remove", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintln(w, `{"Err": "Cannot remove volume"}`)
+	})
+
+	mux.HandleFunc("/VolumeDriver.Mount", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintln(w, `{"Err": "Cannot mount volume"}`)
+	})
+
+	mux.HandleFunc("/VolumeDriver.Unmount", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintln(w, `{"Err": "Cannot unmount volume"}`)
+	})
+
+	mux.HandleFunc("/VolumeDriver.Path", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintln(w, `{"Err": "Unknown volume"}`)
+	})
+
+	mux.HandleFunc("/VolumeDriver.List", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintln(w, `{"Err": "Cannot list volumes"}`)
+	})
+
+	mux.HandleFunc("/VolumeDriver.Get", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		fmt.Fprintln(w, `{"Err": "Cannot get volume"}`)
+	})
+
+	mux.HandleFunc("/VolumeDriver.Capabilities", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
+		http.Error(w, "error", 500)
+	})
+
+	u, _ := url.Parse(server.URL)
+	client, err := plugins.NewClient("tcp://"+u.Host, &tlsconfig.Options{InsecureSkipVerify: true})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	driver := volumeDriverProxy{client}
+
+	if err = driver.Create("volume", nil); err == nil {
+		t.Fatal("Expected error, was nil")
+	}
+
+	if !strings.Contains(err.Error(), "Cannot create volume") {
+		t.Fatalf("Unexpected error: %v\n", err)
+	}
+
+	_, err = driver.Mount("volume", "123")
+	if err == nil {
+		t.Fatal("Expected error, was nil")
+	}
+
+	if !strings.Contains(err.Error(), "Cannot mount volume") {
+		t.Fatalf("Unexpected error: %v\n", err)
+	}
+
+	err = driver.Unmount("volume", "123")
+	if err == nil {
+		t.Fatal("Expected error, was nil")
+	}
+
+	if !strings.Contains(err.Error(), "Cannot unmount volume") {
+		t.Fatalf("Unexpected error: %v\n", err)
+	}
+
+	err = driver.Remove("volume")
+	if err == nil {
+		t.Fatal("Expected error, was nil")
+	}
+
+	if !strings.Contains(err.Error(), "Cannot remove volume") {
+		t.Fatalf("Unexpected error: %v\n", err)
+	}
+
+	_, err = driver.Path("volume")
+	if err == nil {
+		t.Fatal("Expected error, was nil")
+	}
+
+	if !strings.Contains(err.Error(), "Unknown volume") {
+		t.Fatalf("Unexpected error: %v\n", err)
+	}
+
+	_, err = driver.List()
+	if err == nil {
+		t.Fatal("Expected error, was nil")
+	}
+	if !strings.Contains(err.Error(), "Cannot list volumes") {
+		t.Fatalf("Unexpected error: %v\n", err)
+	}
+
+	_, err = driver.Get("volume")
+	if err == nil {
+		t.Fatal("Expected error, was nil")
+	}
+	if !strings.Contains(err.Error(), "Cannot get volume") {
+		t.Fatalf("Unexpected error: %v\n", err)
+	}
+
+	_, err = driver.Capabilities()
+	if err == nil {
+		t.Fatal(err)
+	}
+}
diff --git a/engine/volume/local/local.go b/engine/volume/local/local.go
new file mode 100644
index 00000000..d9734742
--- /dev/null
+++ b/engine/volume/local/local.go
@@ -0,0 +1,378 @@
+// Package local provides the default implementation for volumes. It
+// is used to mount data volume containers and directories local to
+// the host server.
+package local // import "github.com/docker/docker/volume/local"
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"sync"
+
+	"github.com/docker/docker/daemon/names"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/mount"
+	"github.com/docker/docker/volume"
+	"github.com/pkg/errors"
+)
+
+// VolumeDataPathName is the name of the directory where the volume data is stored.
+// It uses a very distinctive name to avoid collisions migrating data between
+// Docker versions.
+const (
+	VolumeDataPathName = "_data"
+	volumesPathName    = "volumes"
+)
+
+var (
+	// ErrNotFound is the typed error returned when the requested volume name can't be found
+	ErrNotFound = fmt.Errorf("volume not found")
+	// volumeNameRegex ensures the name assigned for the volume is valid.
+	// This name is used to create the bind directory, so we need to avoid characters that
+	// would make the path to escape the root directory.
+	volumeNameRegex = names.RestrictedNamePattern
+)
+
+type activeMount struct {
+	count   uint64
+	mounted bool
+}
+
+// New instantiates a new Root instance with the provided scope. Scope
+// is the base path that the Root instance uses to store its
+// volumes. The base path is created here if it does not exist.
+func New(scope string, rootIDs idtools.IDPair) (*Root, error) {
+	rootDirectory := filepath.Join(scope, volumesPathName)
+
+	if err := idtools.MkdirAllAndChown(rootDirectory, 0700, rootIDs); err != nil {
+		return nil, err
+	}
+
+	r := &Root{
+		scope:   scope,
+		path:    rootDirectory,
+		volumes: make(map[string]*localVolume),
+		rootIDs: rootIDs,
+	}
+
+	dirs, err := ioutil.ReadDir(rootDirectory)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, d := range dirs {
+		if !d.IsDir() {
+			continue
+		}
+
+		name := filepath.Base(d.Name())
+		v := &localVolume{
+			driverName: r.Name(),
+			name:       name,
+			path:       r.DataPath(name),
+		}
+		r.volumes[name] = v
+		optsFilePath := filepath.Join(rootDirectory, name, "opts.json")
+		if b, err := ioutil.ReadFile(optsFilePath); err == nil {
+			opts := optsConfig{}
+			if err := json.Unmarshal(b, &opts); err != nil {
+				return nil, errors.Wrapf(err, "error while unmarshaling volume options for volume: %s", name)
+			}
+			// Make sure this isn't an empty optsConfig.
+			// This could be empty due to buggy behavior in older versions of Docker.
+			if !reflect.DeepEqual(opts, optsConfig{}) {
+				v.opts = &opts
+			}
+
+			// unmount anything that may still be mounted (for example, from an unclean shutdown)
+			mount.Unmount(v.path)
+		}
+	}
+
+	return r, nil
+}
+
+// Root implements the Driver interface for the volume package and
+// manages the creation/removal of volumes. It uses only standard vfs
+// commands to create/remove dirs within its provided scope.
+type Root struct {
+	m       sync.Mutex
+	scope   string
+	path    string
+	volumes map[string]*localVolume
+	rootIDs idtools.IDPair
+}
+
+// List lists all the volumes
+func (r *Root) List() ([]volume.Volume, error) {
+	var ls []volume.Volume
+	r.m.Lock()
+	for _, v := range r.volumes {
+		ls = append(ls, v)
+	}
+	r.m.Unlock()
+	return ls, nil
+}
+
+// DataPath returns the constructed path of this volume.
+func (r *Root) DataPath(volumeName string) string {
+	return filepath.Join(r.path, volumeName, VolumeDataPathName)
+}
+
+// Name returns the name of Root, defined in the volume package in the DefaultDriverName constant.
+func (r *Root) Name() string {
+	return volume.DefaultDriverName
+}
+
+// Create creates a new volume.Volume with the provided name, creating
+// the underlying directory tree required for this volume in the
+// process.
+func (r *Root) Create(name string, opts map[string]string) (volume.Volume, error) {
+	if err := r.validateName(name); err != nil {
+		return nil, err
+	}
+
+	r.m.Lock()
+	defer r.m.Unlock()
+
+	v, exists := r.volumes[name]
+	if exists {
+		return v, nil
+	}
+
+	path := r.DataPath(name)
+	if err := idtools.MkdirAllAndChown(path, 0755, r.rootIDs); err != nil {
+		return nil, errors.Wrapf(errdefs.System(err), "error while creating volume path '%s'", path)
+	}
+
+	var err error
+	defer func() {
+		if err != nil {
+			os.RemoveAll(filepath.Dir(path))
+		}
+	}()
+
+	v = &localVolume{
+		driverName: r.Name(),
+		name:       name,
+		path:       path,
+	}
+
+	if len(opts) != 0 {
+		if err = setOpts(v, opts); err != nil {
+			return nil, err
+		}
+		var b []byte
+		b, err = json.Marshal(v.opts)
+		if err != nil {
+			return nil, err
+		}
+		if err = ioutil.WriteFile(filepath.Join(filepath.Dir(path), "opts.json"), b, 600); err != nil {
+			return nil, errdefs.System(errors.Wrap(err, "error while persisting volume options"))
+		}
+	}
+
+	r.volumes[name] = v
+	return v, nil
+}
+
+// Remove removes the specified volume and all underlying data. If the
+// given volume does not belong to this driver and an error is
+// returned. The volume is reference counted, if all references are
+// not released then the volume is not removed.
+func (r *Root) Remove(v volume.Volume) error {
+	r.m.Lock()
+	defer r.m.Unlock()
+
+	lv, ok := v.(*localVolume)
+	if !ok {
+		return errdefs.System(errors.Errorf("unknown volume type %T", v))
+	}
+
+	if lv.active.count > 0 {
+		return errdefs.System(errors.Errorf("volume has active mounts"))
+	}
+
+	if err := lv.unmount(); err != nil {
+		return err
+	}
+
+	realPath, err := filepath.EvalSymlinks(lv.path)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return err
+		}
+		realPath = filepath.Dir(lv.path)
+	}
+
+	if !r.scopedPath(realPath) {
+		return errdefs.System(errors.Errorf("Unable to remove a directory outside of the local volume root %s: %s", r.scope, realPath))
+	}
+
+	if err := removePath(realPath); err != nil {
+		return err
+	}
+
+	delete(r.volumes, lv.name)
+	return removePath(filepath.Dir(lv.path))
+}
+
+func removePath(path string) error {
+	if err := os.RemoveAll(path); err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return errdefs.System(errors.Wrapf(err, "error removing volume path '%s'", path))
+	}
+	return nil
+}
+
+// Get looks up the volume for the given name and returns it if found
+func (r *Root) Get(name string) (volume.Volume, error) {
+	r.m.Lock()
+	v, exists := r.volumes[name]
+	r.m.Unlock()
+	if !exists {
+		return nil, ErrNotFound
+	}
+	return v, nil
+}
+
+// Scope returns the local volume scope
+func (r *Root) Scope() string {
+	return volume.LocalScope
+}
+
+type validationError string
+
+func (e validationError) Error() string {
+	return string(e)
+}
+
+func (e validationError) InvalidParameter() {}
+
+func (r *Root) validateName(name string) error {
+	if len(name) == 1 {
+		return validationError("volume name is too short, names should be at least two alphanumeric characters")
+	}
+	if !volumeNameRegex.MatchString(name) {
+		return validationError(fmt.Sprintf("%q includes invalid characters for a local volume name, only %q are allowed. If you intended to pass a host directory, use absolute path", name, names.RestrictedNameChars))
+	}
+	return nil
+}
+
+// localVolume implements the Volume interface from the volume package and
+// represents the volumes created by Root.
+type localVolume struct {
+	m sync.Mutex
+	// unique name of the volume
+	name string
+	// path is the path on the host where the data lives
+	path string
+	// driverName is the name of the driver that created the volume.
+	driverName string
+	// opts is the parsed list of options used to create the volume
+	opts *optsConfig
+	// active refcounts the active mounts
+	active activeMount
+}
+
+// Name returns the name of the given Volume.
+func (v *localVolume) Name() string {
+	return v.name
+}
+
+// DriverName returns the driver that created the given Volume.
+func (v *localVolume) DriverName() string {
+	return v.driverName
+}
+
+// Path returns the data location.
+func (v *localVolume) Path() string {
+	return v.path
+}
+
+// CachedPath returns the data location
+func (v *localVolume) CachedPath() string {
+	return v.path
+}
+
+// Mount implements the localVolume interface, returning the data location.
+// If there are any provided mount options, the resources will be mounted at this point
+func (v *localVolume) Mount(id string) (string, error) {
+	v.m.Lock()
+	defer v.m.Unlock()
+	if v.opts != nil {
+		if !v.active.mounted {
+			if err := v.mount(); err != nil {
+				return "", errdefs.System(err)
+			}
+			v.active.mounted = true
+		}
+		v.active.count++
+	}
+	return v.path, nil
+}
+
+// Unmount dereferences the id, and if it is the last reference will unmount any resources
+// that were previously mounted.
+func (v *localVolume) Unmount(id string) error {
+	v.m.Lock()
+	defer v.m.Unlock()
+
+	// Always decrement the count, even if the unmount fails
+	// Essentially docker doesn't care if this fails, it will send an error, but
+	// ultimately there's nothing that can be done. If we don't decrement the count
+	// this volume can never be removed until a daemon restart occurs.
+	if v.opts != nil {
+		v.active.count--
+	}
+
+	if v.active.count > 0 {
+		return nil
+	}
+
+	return v.unmount()
+}
+
+func (v *localVolume) unmount() error {
+	if v.opts != nil {
+		if err := mount.Unmount(v.path); err != nil {
+			if mounted, mErr := mount.Mounted(v.path); mounted || mErr != nil {
+				return errdefs.System(errors.Wrapf(err, "error while unmounting volume path '%s'", v.path))
+			}
+		}
+		v.active.mounted = false
+	}
+	return nil
+}
+
+func validateOpts(opts map[string]string) error {
+	for opt := range opts {
+		if !validOpts[opt] {
+			return validationError(fmt.Sprintf("invalid option key: %q", opt))
+		}
+	}
+	return nil
+}
+
+func (v *localVolume) Status() map[string]interface{} {
+	return nil
+}
+
+// getAddress finds out address/hostname from options
+func getAddress(opts string) string {
+	optsList := strings.Split(opts, ",")
+	for i := 0; i < len(optsList); i++ {
+		if strings.HasPrefix(optsList[i], "addr=") {
+			addr := strings.SplitN(optsList[i], "=", 2)[1]
+			return addr
+		}
+	}
+	return ""
+}
diff --git a/engine/volume/local/local_test.go b/engine/volume/local/local_test.go
new file mode 100644
index 00000000..4cb47ba0
--- /dev/null
+++ b/engine/volume/local/local_test.go
@@ -0,0 +1,335 @@
+package local // import "github.com/docker/docker/volume/local"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"reflect"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/mount"
+	"gotest.tools/skip"
+)
+
+func TestGetAddress(t *testing.T) {
+	cases := map[string]string{
+		"addr=11.11.11.1":   "11.11.11.1",
+		" ":                 "",
+		"addr=":             "",
+		"addr=2001:db8::68": "2001:db8::68",
+	}
+	for name, success := range cases {
+		v := getAddress(name)
+		if v != success {
+			t.Errorf("Test case failed for %s actual: %s expected : %s", name, v, success)
+		}
+	}
+
+}
+
+func TestRemove(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows", "FIXME: investigate why this test fails on CI")
+	rootDir, err := ioutil.TempDir("", "local-volume-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(rootDir)
+
+	r, err := New(rootDir, idtools.IDPair{UID: os.Geteuid(), GID: os.Getegid()})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	vol, err := r.Create("testing", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := r.Remove(vol); err != nil {
+		t.Fatal(err)
+	}
+
+	vol, err = r.Create("testing2", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := os.RemoveAll(vol.Path()); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := r.Remove(vol); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := os.Stat(vol.Path()); err != nil && !os.IsNotExist(err) {
+		t.Fatal("volume dir not removed")
+	}
+
+	if l, _ := r.List(); len(l) != 0 {
+		t.Fatal("expected there to be no volumes")
+	}
+}
+
+func TestInitializeWithVolumes(t *testing.T) {
+	rootDir, err := ioutil.TempDir("", "local-volume-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(rootDir)
+
+	r, err := New(rootDir, idtools.IDPair{UID: os.Geteuid(), GID: os.Getegid()})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	vol, err := r.Create("testing", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	r, err = New(rootDir, idtools.IDPair{UID: os.Getuid(), GID: os.Getegid()})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	v, err := r.Get(vol.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if v.Path() != vol.Path() {
+		t.Fatal("expected to re-initialize root with existing volumes")
+	}
+}
+
+func TestCreate(t *testing.T) {
+	rootDir, err := ioutil.TempDir("", "local-volume-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(rootDir)
+
+	r, err := New(rootDir, idtools.IDPair{UID: os.Getuid(), GID: os.Getegid()})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cases := map[string]bool{
+		"name":                  true,
+		"name-with-dash":        true,
+		"name_with_underscore":  true,
+		"name/with/slash":       false,
+		"name/with/../../slash": false,
+		"./name":                false,
+		"../name":               false,
+		"./":                    false,
+		"../":                   false,
+		"~":                     false,
+		".":                     false,
+		"..":                    false,
+		"...":                   false,
+	}
+
+	for name, success := range cases {
+		v, err := r.Create(name, nil)
+		if success {
+			if err != nil {
+				t.Fatal(err)
+			}
+			if v.Name() != name {
+				t.Fatalf("Expected volume with name %s, got %s", name, v.Name())
+			}
+		} else {
+			if err == nil {
+				t.Fatalf("Expected error creating volume with name %s, got nil", name)
+			}
+		}
+	}
+
+	r, err = New(rootDir, idtools.IDPair{UID: os.Getuid(), GID: os.Getegid()})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestValidateName(t *testing.T) {
+	r := &Root{}
+	names := map[string]bool{
+		"x":           false,
+		"/testvol":    false,
+		"thing.d":     true,
+		"hello-world": true,
+		"./hello":     false,
+		".hello":      false,
+	}
+
+	for vol, expected := range names {
+		err := r.validateName(vol)
+		if expected && err != nil {
+			t.Fatalf("expected %s to be valid got %v", vol, err)
+		}
+		if !expected && err == nil {
+			t.Fatalf("expected %s to be invalid", vol)
+		}
+	}
+}
+
+func TestCreateWithOpts(t *testing.T) {
+	skip.If(t, runtime.GOOS == "windows")
+	skip.If(t, os.Getuid() != 0, "requires mounts")
+	rootDir, err := ioutil.TempDir("", "local-volume-test")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(rootDir)
+
+	r, err := New(rootDir, idtools.IDPair{UID: os.Getuid(), GID: os.Getegid()})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := r.Create("test", map[string]string{"invalidopt": "notsupported"}); err == nil {
+		t.Fatal("expected invalid opt to cause error")
+	}
+
+	vol, err := r.Create("test", map[string]string{"device": "tmpfs", "type": "tmpfs", "o": "size=1m,uid=1000"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	v := vol.(*localVolume)
+
+	dir, err := v.Mount("1234")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := v.Unmount("1234"); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	mountInfos, err := mount.GetMounts(mount.SingleEntryFilter(dir))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(mountInfos) != 1 {
+		t.Fatalf("expected 1 mount, found %d: %+v", len(mountInfos), mountInfos)
+	}
+
+	info := mountInfos[0]
+	t.Logf("%+v", info)
+	if info.Fstype != "tmpfs" {
+		t.Fatalf("expected tmpfs mount, got %q", info.Fstype)
+	}
+	if info.Source != "tmpfs" {
+		t.Fatalf("expected tmpfs mount, got %q", info.Source)
+	}
+	if !strings.Contains(info.VfsOpts, "uid=1000") {
+		t.Fatalf("expected mount info to have uid=1000: %q", info.VfsOpts)
+	}
+	if !strings.Contains(info.VfsOpts, "size=1024k") {
+		t.Fatalf("expected mount info to have size=1024k: %q", info.VfsOpts)
+	}
+
+	if v.active.count != 1 {
+		t.Fatalf("Expected active mount count to be 1, got %d", v.active.count)
+	}
+
+	// test double mount
+	if _, err := v.Mount("1234"); err != nil {
+		t.Fatal(err)
+	}
+	if v.active.count != 2 {
+		t.Fatalf("Expected active mount count to be 2, got %d", v.active.count)
+	}
+
+	if err := v.Unmount("1234"); err != nil {
+		t.Fatal(err)
+	}
+	if v.active.count != 1 {
+		t.Fatalf("Expected active mount count to be 1, got %d", v.active.count)
+	}
+
+	mounted, err := mount.Mounted(v.path)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !mounted {
+		t.Fatal("expected mount to still be active")
+	}
+
+	r, err = New(rootDir, idtools.IDPair{UID: 0, GID: 0})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	v2, exists := r.volumes["test"]
+	if !exists {
+		t.Fatal("missing volume on restart")
+	}
+
+	if !reflect.DeepEqual(v.opts, v2.opts) {
+		t.Fatal("missing volume options on restart")
+	}
+}
+
+func TestRelaodNoOpts(t *testing.T) {
+	rootDir, err := ioutil.TempDir("", "volume-test-reload-no-opts")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(rootDir)
+
+	r, err := New(rootDir, idtools.IDPair{UID: os.Getuid(), GID: os.Getegid()})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := r.Create("test1", nil); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := r.Create("test2", nil); err != nil {
+		t.Fatal(err)
+	}
+	// make sure a file with `null` (.e.g. empty opts map from older daemon) is ok
+	if err := ioutil.WriteFile(filepath.Join(rootDir, "test2"), []byte("null"), 600); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := r.Create("test3", nil); err != nil {
+		t.Fatal(err)
+	}
+	// make sure an empty opts file doesn't break us too
+	if err := ioutil.WriteFile(filepath.Join(rootDir, "test3"), nil, 600); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := r.Create("test4", map[string]string{}); err != nil {
+		t.Fatal(err)
+	}
+
+	r, err = New(rootDir, idtools.IDPair{UID: os.Getuid(), GID: os.Getegid()})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, name := range []string{"test1", "test2", "test3", "test4"} {
+		v, err := r.Get(name)
+		if err != nil {
+			t.Fatal(err)
+		}
+		lv, ok := v.(*localVolume)
+		if !ok {
+			t.Fatalf("expected *localVolume got: %v", reflect.TypeOf(v))
+		}
+		if lv.opts != nil {
+			t.Fatalf("expected opts to be nil, got: %v", lv.opts)
+		}
+		if _, err := lv.Mount("1234"); err != nil {
+			t.Fatal(err)
+		}
+	}
+}
diff --git a/engine/volume/local/local_unix.go b/engine/volume/local/local_unix.go
new file mode 100644
index 00000000..b1c68b93
--- /dev/null
+++ b/engine/volume/local/local_unix.go
@@ -0,0 +1,99 @@
+// +build linux freebsd
+
+// Package local provides the default implementation for volumes. It
+// is used to mount data volume containers and directories local to
+// the host server.
+package local // import "github.com/docker/docker/volume/local"
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/pkg/errors"
+
+	"github.com/docker/docker/pkg/mount"
+)
+
+var (
+	oldVfsDir = filepath.Join("vfs", "dir")
+
+	validOpts = map[string]bool{
+		"type":   true, // specify the filesystem type for mount, e.g. nfs
+		"o":      true, // generic mount options
+		"device": true, // device to mount from
+	}
+)
+
+type optsConfig struct {
+	MountType   string
+	MountOpts   string
+	MountDevice string
+}
+
+func (o *optsConfig) String() string {
+	return fmt.Sprintf("type='%s' device='%s' o='%s'", o.MountType, o.MountDevice, o.MountOpts)
+}
+
+// scopedPath verifies that the path where the volume is located
+// is under Docker's root and the valid local paths.
+func (r *Root) scopedPath(realPath string) bool {
+	// Volumes path for Docker version >= 1.7
+	if strings.HasPrefix(realPath, filepath.Join(r.scope, volumesPathName)) && realPath != filepath.Join(r.scope, volumesPathName) {
+		return true
+	}
+
+	// Volumes path for Docker version < 1.7
+	if strings.HasPrefix(realPath, filepath.Join(r.scope, oldVfsDir)) {
+		return true
+	}
+
+	return false
+}
+
+func setOpts(v *localVolume, opts map[string]string) error {
+	if len(opts) == 0 {
+		return nil
+	}
+	if err := validateOpts(opts); err != nil {
+		return err
+	}
+
+	v.opts = &optsConfig{
+		MountType:   opts["type"],
+		MountOpts:   opts["o"],
+		MountDevice: opts["device"],
+	}
+	return nil
+}
+
+func (v *localVolume) mount() error {
+	if v.opts.MountDevice == "" {
+		return fmt.Errorf("missing device in volume options")
+	}
+	mountOpts := v.opts.MountOpts
+	if v.opts.MountType == "nfs" {
+		if addrValue := getAddress(v.opts.MountOpts); addrValue != "" && net.ParseIP(addrValue).To4() == nil {
+			ipAddr, err := net.ResolveIPAddr("ip", addrValue)
+			if err != nil {
+				return errors.Wrapf(err, "error resolving passed in nfs address")
+			}
+			mountOpts = strings.Replace(mountOpts, "addr="+addrValue, "addr="+ipAddr.String(), 1)
+		}
+	}
+	err := mount.Mount(v.opts.MountDevice, v.path, v.opts.MountType, mountOpts)
+	return errors.Wrapf(err, "error while mounting volume with options: %s", v.opts)
+}
+
+func (v *localVolume) CreatedAt() (time.Time, error) {
+	fileInfo, err := os.Stat(v.path)
+	if err != nil {
+		return time.Time{}, err
+	}
+	sec, nsec := fileInfo.Sys().(*syscall.Stat_t).Ctim.Unix()
+	return time.Unix(sec, nsec), nil
+}
diff --git a/engine/volume/local/local_windows.go b/engine/volume/local/local_windows.go
new file mode 100644
index 00000000..d96fc0f5
--- /dev/null
+++ b/engine/volume/local/local_windows.go
@@ -0,0 +1,46 @@
+// Package local provides the default implementation for volumes. It
+// is used to mount data volume containers and directories local to
+// the host server.
+package local // import "github.com/docker/docker/volume/local"
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"time"
+)
+
+type optsConfig struct{}
+
+var validOpts map[string]bool
+
+// scopedPath verifies that the path where the volume is located
+// is under Docker's root and the valid local paths.
+func (r *Root) scopedPath(realPath string) bool {
+	if strings.HasPrefix(realPath, filepath.Join(r.scope, volumesPathName)) && realPath != filepath.Join(r.scope, volumesPathName) {
+		return true
+	}
+	return false
+}
+
+func setOpts(v *localVolume, opts map[string]string) error {
+	if len(opts) > 0 {
+		return fmt.Errorf("options are not supported on this platform")
+	}
+	return nil
+}
+
+func (v *localVolume) mount() error {
+	return nil
+}
+
+func (v *localVolume) CreatedAt() (time.Time, error) {
+	fileInfo, err := os.Stat(v.path)
+	if err != nil {
+		return time.Time{}, err
+	}
+	ft := fileInfo.Sys().(*syscall.Win32FileAttributeData).CreationTime
+	return time.Unix(0, ft.Nanoseconds()), nil
+}
diff --git a/engine/volume/mounts/lcow_parser.go b/engine/volume/mounts/lcow_parser.go
new file mode 100644
index 00000000..bafb7b07
--- /dev/null
+++ b/engine/volume/mounts/lcow_parser.go
@@ -0,0 +1,34 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+import (
+	"errors"
+	"path"
+
+	"github.com/docker/docker/api/types/mount"
+)
+
+var lcowSpecificValidators mountValidator = func(m *mount.Mount) error {
+	if path.Clean(m.Target) == "/" {
+		return ErrVolumeTargetIsRoot
+	}
+	if m.Type == mount.TypeNamedPipe {
+		return errors.New("Linux containers on Windows do not support named pipe mounts")
+	}
+	return nil
+}
+
+type lcowParser struct {
+	windowsParser
+}
+
+func (p *lcowParser) ValidateMountConfig(mnt *mount.Mount) error {
+	return p.validateMountConfigReg(mnt, rxLCOWDestination, lcowSpecificValidators)
+}
+
+func (p *lcowParser) ParseMountRaw(raw, volumeDriver string) (*MountPoint, error) {
+	return p.parseMountRaw(raw, volumeDriver, rxLCOWDestination, false, lcowSpecificValidators)
+}
+
+func (p *lcowParser) ParseMountSpec(cfg mount.Mount) (*MountPoint, error) {
+	return p.parseMountSpec(cfg, rxLCOWDestination, false, lcowSpecificValidators)
+}
diff --git a/engine/volume/mounts/linux_parser.go b/engine/volume/mounts/linux_parser.go
new file mode 100644
index 00000000..8e436aec
--- /dev/null
+++ b/engine/volume/mounts/linux_parser.go
@@ -0,0 +1,417 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+import (
+	"errors"
+	"fmt"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/volume"
+)
+
+type linuxParser struct {
+}
+
+func linuxSplitRawSpec(raw string) ([]string, error) {
+	if strings.Count(raw, ":") > 2 {
+		return nil, errInvalidSpec(raw)
+	}
+
+	arr := strings.SplitN(raw, ":", 3)
+	if arr[0] == "" {
+		return nil, errInvalidSpec(raw)
+	}
+	return arr, nil
+}
+
+func linuxValidateNotRoot(p string) error {
+	p = path.Clean(strings.Replace(p, `\`, `/`, -1))
+	if p == "/" {
+		return ErrVolumeTargetIsRoot
+	}
+	return nil
+}
+func linuxValidateAbsolute(p string) error {
+	p = strings.Replace(p, `\`, `/`, -1)
+	if path.IsAbs(p) {
+		return nil
+	}
+	return fmt.Errorf("invalid mount path: '%s' mount path must be absolute", p)
+}
+func (p *linuxParser) ValidateMountConfig(mnt *mount.Mount) error {
+	// there was something looking like a bug in existing codebase:
+	// - validateMountConfig on linux was called with options skipping bind source existence when calling ParseMountRaw
+	// - but not when calling ParseMountSpec directly... nor when the unit test called it directly
+	return p.validateMountConfigImpl(mnt, true)
+}
+func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSourceExists bool) error {
+	if len(mnt.Target) == 0 {
+		return &errMountConfig{mnt, errMissingField("Target")}
+	}
+
+	if err := linuxValidateNotRoot(mnt.Target); err != nil {
+		return &errMountConfig{mnt, err}
+	}
+
+	if err := linuxValidateAbsolute(mnt.Target); err != nil {
+		return &errMountConfig{mnt, err}
+	}
+
+	switch mnt.Type {
+	case mount.TypeBind:
+		if len(mnt.Source) == 0 {
+			return &errMountConfig{mnt, errMissingField("Source")}
+		}
+		// Don't error out just because the propagation mode is not supported on the platform
+		if opts := mnt.BindOptions; opts != nil {
+			if len(opts.Propagation) > 0 && len(linuxPropagationModes) > 0 {
+				if _, ok := linuxPropagationModes[opts.Propagation]; !ok {
+					return &errMountConfig{mnt, fmt.Errorf("invalid propagation mode: %s", opts.Propagation)}
+				}
+			}
+		}
+		if mnt.VolumeOptions != nil {
+			return &errMountConfig{mnt, errExtraField("VolumeOptions")}
+		}
+
+		if err := linuxValidateAbsolute(mnt.Source); err != nil {
+			return &errMountConfig{mnt, err}
+		}
+
+		if validateBindSourceExists {
+			exists, _, _ := currentFileInfoProvider.fileInfo(mnt.Source)
+			if !exists {
+				return &errMountConfig{mnt, errBindSourceDoesNotExist(mnt.Source)}
+			}
+		}
+
+	case mount.TypeVolume:
+		if mnt.BindOptions != nil {
+			return &errMountConfig{mnt, errExtraField("BindOptions")}
+		}
+
+		if len(mnt.Source) == 0 && mnt.ReadOnly {
+			return &errMountConfig{mnt, fmt.Errorf("must not set ReadOnly mode when using anonymous volumes")}
+		}
+	case mount.TypeTmpfs:
+		if len(mnt.Source) != 0 {
+			return &errMountConfig{mnt, errExtraField("Source")}
+		}
+		if _, err := p.ConvertTmpfsOptions(mnt.TmpfsOptions, mnt.ReadOnly); err != nil {
+			return &errMountConfig{mnt, err}
+		}
+	default:
+		return &errMountConfig{mnt, errors.New("mount type unknown")}
+	}
+	return nil
+}
+
+// read-write modes
+var rwModes = map[string]bool{
+	"rw": true,
+	"ro": true,
+}
+
+// label modes
+var linuxLabelModes = map[string]bool{
+	"Z": true,
+	"z": true,
+}
+
+// consistency modes
+var linuxConsistencyModes = map[mount.Consistency]bool{
+	mount.ConsistencyFull:      true,
+	mount.ConsistencyCached:    true,
+	mount.ConsistencyDelegated: true,
+}
+var linuxPropagationModes = map[mount.Propagation]bool{
+	mount.PropagationPrivate:  true,
+	mount.PropagationRPrivate: true,
+	mount.PropagationSlave:    true,
+	mount.PropagationRSlave:   true,
+	mount.PropagationShared:   true,
+	mount.PropagationRShared:  true,
+}
+
+const linuxDefaultPropagationMode = mount.PropagationRPrivate
+
+func linuxGetPropagation(mode string) mount.Propagation {
+	for _, o := range strings.Split(mode, ",") {
+		prop := mount.Propagation(o)
+		if linuxPropagationModes[prop] {
+			return prop
+		}
+	}
+	return linuxDefaultPropagationMode
+}
+
+func linuxHasPropagation(mode string) bool {
+	for _, o := range strings.Split(mode, ",") {
+		if linuxPropagationModes[mount.Propagation(o)] {
+			return true
+		}
+	}
+	return false
+}
+
+func linuxValidMountMode(mode string) bool {
+	if mode == "" {
+		return true
+	}
+
+	rwModeCount := 0
+	labelModeCount := 0
+	propagationModeCount := 0
+	copyModeCount := 0
+	consistencyModeCount := 0
+
+	for _, o := range strings.Split(mode, ",") {
+		switch {
+		case rwModes[o]:
+			rwModeCount++
+		case linuxLabelModes[o]:
+			labelModeCount++
+		case linuxPropagationModes[mount.Propagation(o)]:
+			propagationModeCount++
+		case copyModeExists(o):
+			copyModeCount++
+		case linuxConsistencyModes[mount.Consistency(o)]:
+			consistencyModeCount++
+		default:
+			return false
+		}
+	}
+
+	// Only one string for each mode is allowed.
+	if rwModeCount > 1 || labelModeCount > 1 || propagationModeCount > 1 || copyModeCount > 1 || consistencyModeCount > 1 {
+		return false
+	}
+	return true
+}
+
+func (p *linuxParser) ReadWrite(mode string) bool {
+	if !linuxValidMountMode(mode) {
+		return false
+	}
+
+	for _, o := range strings.Split(mode, ",") {
+		if o == "ro" {
+			return false
+		}
+	}
+	return true
+}
+
+func (p *linuxParser) ParseMountRaw(raw, volumeDriver string) (*MountPoint, error) {
+	arr, err := linuxSplitRawSpec(raw)
+	if err != nil {
+		return nil, err
+	}
+
+	var spec mount.Mount
+	var mode string
+	switch len(arr) {
+	case 1:
+		// Just a destination path in the container
+		spec.Target = arr[0]
+	case 2:
+		if linuxValidMountMode(arr[1]) {
+			// Destination + Mode is not a valid volume - volumes
+			// cannot include a mode. e.g. /foo:rw
+			return nil, errInvalidSpec(raw)
+		}
+		// Host Source Path or Name + Destination
+		spec.Source = arr[0]
+		spec.Target = arr[1]
+	case 3:
+		// HostSourcePath+DestinationPath+Mode
+		spec.Source = arr[0]
+		spec.Target = arr[1]
+		mode = arr[2]
+	default:
+		return nil, errInvalidSpec(raw)
+	}
+
+	if !linuxValidMountMode(mode) {
+		return nil, errInvalidMode(mode)
+	}
+
+	if path.IsAbs(spec.Source) {
+		spec.Type = mount.TypeBind
+	} else {
+		spec.Type = mount.TypeVolume
+	}
+
+	spec.ReadOnly = !p.ReadWrite(mode)
+
+	// cannot assume that if a volume driver is passed in that we should set it
+	if volumeDriver != "" && spec.Type == mount.TypeVolume {
+		spec.VolumeOptions = &mount.VolumeOptions{
+			DriverConfig: &mount.Driver{Name: volumeDriver},
+		}
+	}
+
+	if copyData, isSet := getCopyMode(mode, p.DefaultCopyMode()); isSet {
+		if spec.VolumeOptions == nil {
+			spec.VolumeOptions = &mount.VolumeOptions{}
+		}
+		spec.VolumeOptions.NoCopy = !copyData
+	}
+	if linuxHasPropagation(mode) {
+		spec.BindOptions = &mount.BindOptions{
+			Propagation: linuxGetPropagation(mode),
+		}
+	}
+
+	mp, err := p.parseMountSpec(spec, false)
+	if mp != nil {
+		mp.Mode = mode
+	}
+	if err != nil {
+		err = fmt.Errorf("%v: %v", errInvalidSpec(raw), err)
+	}
+	return mp, err
+}
+func (p *linuxParser) ParseMountSpec(cfg mount.Mount) (*MountPoint, error) {
+	return p.parseMountSpec(cfg, true)
+}
+func (p *linuxParser) parseMountSpec(cfg mount.Mount, validateBindSourceExists bool) (*MountPoint, error) {
+	if err := p.validateMountConfigImpl(&cfg, validateBindSourceExists); err != nil {
+		return nil, err
+	}
+	mp := &MountPoint{
+		RW:          !cfg.ReadOnly,
+		Destination: path.Clean(filepath.ToSlash(cfg.Target)),
+		Type:        cfg.Type,
+		Spec:        cfg,
+	}
+
+	switch cfg.Type {
+	case mount.TypeVolume:
+		if cfg.Source == "" {
+			mp.Name = stringid.GenerateNonCryptoID()
+		} else {
+			mp.Name = cfg.Source
+		}
+		mp.CopyData = p.DefaultCopyMode()
+
+		if cfg.VolumeOptions != nil {
+			if cfg.VolumeOptions.DriverConfig != nil {
+				mp.Driver = cfg.VolumeOptions.DriverConfig.Name
+			}
+			if cfg.VolumeOptions.NoCopy {
+				mp.CopyData = false
+			}
+		}
+	case mount.TypeBind:
+		mp.Source = path.Clean(filepath.ToSlash(cfg.Source))
+		if cfg.BindOptions != nil && len(cfg.BindOptions.Propagation) > 0 {
+			mp.Propagation = cfg.BindOptions.Propagation
+		} else {
+			// If user did not specify a propagation mode, get
+			// default propagation mode.
+			mp.Propagation = linuxDefaultPropagationMode
+		}
+	case mount.TypeTmpfs:
+		// NOP
+	}
+	return mp, nil
+}
+
+func (p *linuxParser) ParseVolumesFrom(spec string) (string, string, error) {
+	if len(spec) == 0 {
+		return "", "", fmt.Errorf("volumes-from specification cannot be an empty string")
+	}
+
+	specParts := strings.SplitN(spec, ":", 2)
+	id := specParts[0]
+	mode := "rw"
+
+	if len(specParts) == 2 {
+		mode = specParts[1]
+		if !linuxValidMountMode(mode) {
+			return "", "", errInvalidMode(mode)
+		}
+		// For now don't allow propagation properties while importing
+		// volumes from data container. These volumes will inherit
+		// the same propagation property as of the original volume
+		// in data container. This probably can be relaxed in future.
+		if linuxHasPropagation(mode) {
+			return "", "", errInvalidMode(mode)
+		}
+		// Do not allow copy modes on volumes-from
+		if _, isSet := getCopyMode(mode, p.DefaultCopyMode()); isSet {
+			return "", "", errInvalidMode(mode)
+		}
+	}
+	return id, mode, nil
+}
+
+func (p *linuxParser) DefaultPropagationMode() mount.Propagation {
+	return linuxDefaultPropagationMode
+}
+
+func (p *linuxParser) ConvertTmpfsOptions(opt *mount.TmpfsOptions, readOnly bool) (string, error) {
+	var rawOpts []string
+	if readOnly {
+		rawOpts = append(rawOpts, "ro")
+	}
+
+	if opt != nil && opt.Mode != 0 {
+		rawOpts = append(rawOpts, fmt.Sprintf("mode=%o", opt.Mode))
+	}
+
+	if opt != nil && opt.SizeBytes != 0 {
+		// calculate suffix here, making this linux specific, but that is
+		// okay, since API is that way anyways.
+
+		// we do this by finding the suffix that divides evenly into the
+		// value, returning the value itself, with no suffix, if it fails.
+		//
+		// For the most part, we don't enforce any semantic to this values.
+		// The operating system will usually align this and enforce minimum
+		// and maximums.
+		var (
+			size   = opt.SizeBytes
+			suffix string
+		)
+		for _, r := range []struct {
+			suffix  string
+			divisor int64
+		}{
+			{"g", 1 << 30},
+			{"m", 1 << 20},
+			{"k", 1 << 10},
+		} {
+			if size%r.divisor == 0 {
+				size = size / r.divisor
+				suffix = r.suffix
+				break
+			}
+		}
+
+		rawOpts = append(rawOpts, fmt.Sprintf("size=%d%s", size, suffix))
+	}
+	return strings.Join(rawOpts, ","), nil
+}
+
+func (p *linuxParser) DefaultCopyMode() bool {
+	return true
+}
+func (p *linuxParser) ValidateVolumeName(name string) error {
+	return nil
+}
+
+func (p *linuxParser) IsBackwardCompatible(m *MountPoint) bool {
+	return len(m.Source) > 0 || m.Driver == volume.DefaultDriverName
+}
+
+func (p *linuxParser) ValidateTmpfsMountDestination(dest string) error {
+	if err := linuxValidateNotRoot(dest); err != nil {
+		return err
+	}
+	return linuxValidateAbsolute(dest)
+}
diff --git a/engine/volume/mounts/mounts.go b/engine/volume/mounts/mounts.go
new file mode 100644
index 00000000..177f4c3d
--- /dev/null
+++ b/engine/volume/mounts/mounts.go
@@ -0,0 +1,181 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"syscall"
+
+	mounttypes "github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/volume"
+	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/pkg/errors"
+)
+
+// MountPoint is the intersection point between a volume and a container. It
+// specifies which volume is to be used and where inside a container it should
+// be mounted.
+//
+// Note that this type is embedded in `container.Container` object and persisted to disk.
+// Changes to this struct need to by synced with on disk state.
+type MountPoint struct {
+	// Source is the source path of the mount.
+	// E.g. `mount --bind /foo /bar`, `/foo` is the `Source`.
+	Source string
+	// Destination is the path relative to the container root (`/`) to the mount point
+	// It is where the `Source` is mounted to
+	Destination string
+	// RW is set to true when the mountpoint should be mounted as read-write
+	RW bool
+	// Name is the name reference to the underlying data defined by `Source`
+	// e.g., the volume name
+	Name string
+	// Driver is the volume driver used to create the volume (if it is a volume)
+	Driver string
+	// Type of mount to use, see `Type<foo>` definitions in github.com/docker/docker/api/types/mount
+	Type mounttypes.Type `json:",omitempty"`
+	// Volume is the volume providing data to this mountpoint.
+	// This is nil unless `Type` is set to `TypeVolume`
+	Volume volume.Volume `json:"-"`
+
+	// Mode is the comma separated list of options supplied by the user when creating
+	// the bind/volume mount.
+	// Note Mode is not used on Windows
+	Mode string `json:"Relabel,omitempty"` // Originally field was `Relabel`"
+
+	// Propagation describes how the mounts are propagated from the host into the
+	// mount point, and vice-versa.
+	// See https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt
+	// Note Propagation is not used on Windows
+	Propagation mounttypes.Propagation `json:",omitempty"` // Mount propagation string
+
+	// Specifies if data should be copied from the container before the first mount
+	// Use a pointer here so we can tell if the user set this value explicitly
+	// This allows us to error out when the user explicitly enabled copy but we can't copy due to the volume being populated
+	CopyData bool `json:"-"`
+	// ID is the opaque ID used to pass to the volume driver.
+	// This should be set by calls to `Mount` and unset by calls to `Unmount`
+	ID string `json:",omitempty"`
+
+	// Sepc is a copy of the API request that created this mount.
+	Spec mounttypes.Mount
+
+	// Some bind mounts should not be automatically created.
+	// (Some are auto-created for backwards-compatability)
+	// This is checked on the API but setting this here prevents race conditions.
+	// where a bind dir existed during validation was removed before reaching the setup code.
+	SkipMountpointCreation bool
+
+	// Track usage of this mountpoint
+	// Specifically needed for containers which are running and calls to `docker cp`
+	// because both these actions require mounting the volumes.
+	active int
+}
+
+// Cleanup frees resources used by the mountpoint
+func (m *MountPoint) Cleanup() error {
+	if m.Volume == nil || m.ID == "" {
+		return nil
+	}
+
+	if err := m.Volume.Unmount(m.ID); err != nil {
+		return errors.Wrapf(err, "error unmounting volume %s", m.Volume.Name())
+	}
+
+	m.active--
+	if m.active == 0 {
+		m.ID = ""
+	}
+	return nil
+}
+
+// Setup sets up a mount point by either mounting the volume if it is
+// configured, or creating the source directory if supplied.
+// The, optional, checkFun parameter allows doing additional checking
+// before creating the source directory on the host.
+func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.IDPair, checkFun func(m *MountPoint) error) (path string, err error) {
+	if m.SkipMountpointCreation {
+		return m.Source, nil
+	}
+
+	defer func() {
+		if err != nil || !label.RelabelNeeded(m.Mode) {
+			return
+		}
+
+		var sourcePath string
+		sourcePath, err = filepath.EvalSymlinks(m.Source)
+		if err != nil {
+			path = ""
+			err = errors.Wrapf(err, "error evaluating symlinks from mount source %q", m.Source)
+			return
+		}
+		err = label.Relabel(sourcePath, mountLabel, label.IsShared(m.Mode))
+		if err == syscall.ENOTSUP {
+			err = nil
+		}
+		if err != nil {
+			path = ""
+			err = errors.Wrapf(err, "error setting label on mount source '%s'", sourcePath)
+		}
+	}()
+
+	if m.Volume != nil {
+		id := m.ID
+		if id == "" {
+			id = stringid.GenerateNonCryptoID()
+		}
+		path, err := m.Volume.Mount(id)
+		if err != nil {
+			return "", errors.Wrapf(err, "error while mounting volume '%s'", m.Source)
+		}
+
+		m.ID = id
+		m.active++
+		return path, nil
+	}
+
+	if len(m.Source) == 0 {
+		return "", fmt.Errorf("Unable to setup mount point, neither source nor volume defined")
+	}
+
+	if m.Type == mounttypes.TypeBind {
+		// Before creating the source directory on the host, invoke checkFun if it's not nil. One of
+		// the use case is to forbid creating the daemon socket as a directory if the daemon is in
+		// the process of shutting down.
+		if checkFun != nil {
+			if err := checkFun(m); err != nil {
+				return "", err
+			}
+		}
+
+		// idtools.MkdirAllNewAs() produces an error if m.Source exists and is a file (not a directory)
+		// also, makes sure that if the directory is created, the correct remapped rootUID/rootGID will own it
+		if err := idtools.MkdirAllAndChownNew(m.Source, 0755, rootIDs); err != nil {
+			if perr, ok := err.(*os.PathError); ok {
+				if perr.Err != syscall.ENOTDIR {
+					return "", errors.Wrapf(err, "error while creating mount source path '%s'", m.Source)
+				}
+			}
+		}
+	}
+	return m.Source, nil
+}
+
+// Path returns the path of a volume in a mount point.
+func (m *MountPoint) Path() string {
+	if m.Volume != nil {
+		return m.Volume.Path()
+	}
+	return m.Source
+}
+
+func errInvalidMode(mode string) error {
+	return errors.Errorf("invalid mode: %v", mode)
+}
+
+func errInvalidSpec(spec string) error {
+	return errors.Errorf("invalid volume specification: '%s'", spec)
+}
diff --git a/engine/volume/mounts/parser.go b/engine/volume/mounts/parser.go
new file mode 100644
index 00000000..73681750
--- /dev/null
+++ b/engine/volume/mounts/parser.go
@@ -0,0 +1,47 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+import (
+	"errors"
+	"runtime"
+
+	"github.com/docker/docker/api/types/mount"
+)
+
+const (
+	// OSLinux is the same as runtime.GOOS on linux
+	OSLinux = "linux"
+	// OSWindows is the same as runtime.GOOS on windows
+	OSWindows = "windows"
+)
+
+// ErrVolumeTargetIsRoot is returned when the target destination is root.
+// It's used by both LCOW and Linux parsers.
+var ErrVolumeTargetIsRoot = errors.New("invalid specification: destination can't be '/'")
+
+// Parser represents a platform specific parser for mount expressions
+type Parser interface {
+	ParseMountRaw(raw, volumeDriver string) (*MountPoint, error)
+	ParseMountSpec(cfg mount.Mount) (*MountPoint, error)
+	ParseVolumesFrom(spec string) (string, string, error)
+	DefaultPropagationMode() mount.Propagation
+	ConvertTmpfsOptions(opt *mount.TmpfsOptions, readOnly bool) (string, error)
+	DefaultCopyMode() bool
+	ValidateVolumeName(name string) error
+	ReadWrite(mode string) bool
+	IsBackwardCompatible(m *MountPoint) bool
+	HasResource(m *MountPoint, absPath string) bool
+	ValidateTmpfsMountDestination(dest string) error
+	ValidateMountConfig(mt *mount.Mount) error
+}
+
+// NewParser creates a parser for a given container OS, depending on the current host OS (linux on a windows host will resolve to an lcowParser)
+func NewParser(containerOS string) Parser {
+	switch containerOS {
+	case OSWindows:
+		return &windowsParser{}
+	}
+	if runtime.GOOS == OSWindows {
+		return &lcowParser{}
+	}
+	return &linuxParser{}
+}
diff --git a/engine/volume/mounts/parser_test.go b/engine/volume/mounts/parser_test.go
new file mode 100644
index 00000000..347f7d9c
--- /dev/null
+++ b/engine/volume/mounts/parser_test.go
@@ -0,0 +1,480 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+import (
+	"io/ioutil"
+	"os"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/mount"
+)
+
+type parseMountRawTestSet struct {
+	valid   []string
+	invalid map[string]string
+}
+
+func TestConvertTmpfsOptions(t *testing.T) {
+	type testCase struct {
+		opt                  mount.TmpfsOptions
+		readOnly             bool
+		expectedSubstrings   []string
+		unexpectedSubstrings []string
+	}
+	cases := []testCase{
+		{
+			opt:                  mount.TmpfsOptions{SizeBytes: 1024 * 1024, Mode: 0700},
+			readOnly:             false,
+			expectedSubstrings:   []string{"size=1m", "mode=700"},
+			unexpectedSubstrings: []string{"ro"},
+		},
+		{
+			opt:                  mount.TmpfsOptions{},
+			readOnly:             true,
+			expectedSubstrings:   []string{"ro"},
+			unexpectedSubstrings: []string{},
+		},
+	}
+	p := &linuxParser{}
+	for _, c := range cases {
+		data, err := p.ConvertTmpfsOptions(&c.opt, c.readOnly)
+		if err != nil {
+			t.Fatalf("could not convert %+v (readOnly: %v) to string: %v",
+				c.opt, c.readOnly, err)
+		}
+		t.Logf("data=%q", data)
+		for _, s := range c.expectedSubstrings {
+			if !strings.Contains(data, s) {
+				t.Fatalf("expected substring: %s, got %v (case=%+v)", s, data, c)
+			}
+		}
+		for _, s := range c.unexpectedSubstrings {
+			if strings.Contains(data, s) {
+				t.Fatalf("unexpected substring: %s, got %v (case=%+v)", s, data, c)
+			}
+		}
+	}
+}
+
+type mockFiProvider struct{}
+
+func (mockFiProvider) fileInfo(path string) (exists, isDir bool, err error) {
+	dirs := map[string]struct{}{
+		`c:\`:                    {},
+		`c:\windows\`:            {},
+		`c:\windows`:             {},
+		`c:\program files`:       {},
+		`c:\Windows`:             {},
+		`c:\Program Files (x86)`: {},
+		`\\?\c:\windows\`:        {},
+	}
+	files := map[string]struct{}{
+		`c:\windows\system32\ntdll.dll`: {},
+	}
+	if _, ok := dirs[path]; ok {
+		return true, true, nil
+	}
+	if _, ok := files[path]; ok {
+		return true, false, nil
+	}
+	return false, false, nil
+}
+
+func TestParseMountRaw(t *testing.T) {
+
+	previousProvider := currentFileInfoProvider
+	defer func() { currentFileInfoProvider = previousProvider }()
+	currentFileInfoProvider = mockFiProvider{}
+	windowsSet := parseMountRawTestSet{
+		valid: []string{
+			`d:\`,
+			`d:`,
+			`d:\path`,
+			`d:\path with space`,
+			`c:\:d:\`,
+			`c:\windows\:d:`,
+			`c:\windows:d:\s p a c e`,
+			`c:\windows:d:\s p a c e:RW`,
+			`c:\program files:d:\s p a c e i n h o s t d i r`,
+			`0123456789name:d:`,
+			`MiXeDcAsEnAmE:d:`,
+			`name:D:`,
+			`name:D::rW`,
+			`name:D::RW`,
+			`name:D::RO`,
+			`c:/:d:/forward/slashes/are/good/too`,
+			`c:/:d:/including with/spaces:ro`,
+			`c:\Windows`,                // With capital
+			`c:\Program Files (x86)`,    // With capitals and brackets
+			`\\?\c:\windows\:d:`,        // Long path handling (source)
+			`c:\windows\:\\?\d:\`,       // Long path handling (target)
+			`\\.\pipe\foo:\\.\pipe\foo`, // named pipe
+			`//./pipe/foo://./pipe/foo`, // named pipe forward slashes
+		},
+		invalid: map[string]string{
+			``:                                 "invalid volume specification: ",
+			`.`:                                "invalid volume specification: ",
+			`..\`:                              "invalid volume specification: ",
+			`c:\:..\`:                          "invalid volume specification: ",
+			`c:\:d:\:xyzzy`:                    "invalid volume specification: ",
+			`c:`:                               "cannot be `c:`",
+			`c:\`:                              "cannot be `c:`",
+			`c:\notexist:d:`:                   `bind mount source path does not exist: c:\notexist`,
+			`c:\windows\system32\ntdll.dll:d:`: `source path must be a directory`,
+			`name<:d:`:                         `invalid volume specification`,
+			`name>:d:`:                         `invalid volume specification`,
+			`name::d:`:                         `invalid volume specification`,
+			`name":d:`:                         `invalid volume specification`,
+			`name\:d:`:                         `invalid volume specification`,
+			`name*:d:`:                         `invalid volume specification`,
+			`name|:d:`:                         `invalid volume specification`,
+			`name?:d:`:                         `invalid volume specification`,
+			`name/:d:`:                         `invalid volume specification`,
+			`d:\pathandmode:rw`:                `invalid volume specification`,
+			`d:\pathandmode:ro`:                `invalid volume specification`,
+			`con:d:`:                           `cannot be a reserved word for Windows filenames`,
+			`PRN:d:`:                           `cannot be a reserved word for Windows filenames`,
+			`aUx:d:`:                           `cannot be a reserved word for Windows filenames`,
+			`nul:d:`:                           `cannot be a reserved word for Windows filenames`,
+			`com1:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`com2:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`com3:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`com4:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`com5:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`com6:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`com7:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`com8:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`com9:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt1:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt2:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt3:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt4:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt5:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt6:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt7:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt8:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt9:d:`:                          `cannot be a reserved word for Windows filenames`,
+			`c:\windows\system32\ntdll.dll`:    `Only directories can be mapped on this platform`,
+			`\\.\pipe\foo:c:\pipe`:             `'c:\pipe' is not a valid pipe path`,
+		},
+	}
+	lcowSet := parseMountRawTestSet{
+		valid: []string{
+			`/foo`,
+			`/foo/`,
+			`/foo bar`,
+			`c:\:/foo`,
+			`c:\windows\:/foo`,
+			`c:\windows:/s p a c e`,
+			`c:\windows:/s p a c e:RW`,
+			`c:\program files:/s p a c e i n h o s t d i r`,
+			`0123456789name:/foo`,
+			`MiXeDcAsEnAmE:/foo`,
+			`name:/foo`,
+			`name:/foo:rW`,
+			`name:/foo:RW`,
+			`name:/foo:RO`,
+			`c:/:/forward/slashes/are/good/too`,
+			`c:/:/including with/spaces:ro`,
+			`/Program Files (x86)`, // With capitals and brackets
+		},
+		invalid: map[string]string{
+			``:                                   "invalid volume specification: ",
+			`.`:                                  "invalid volume specification: ",
+			`c:`:                                 "invalid volume specification: ",
+			`c:\`:                                "invalid volume specification: ",
+			`../`:                                "invalid volume specification: ",
+			`c:\:../`:                            "invalid volume specification: ",
+			`c:\:/foo:xyzzy`:                     "invalid volume specification: ",
+			`/`:                                  "destination can't be '/'",
+			`/..`:                                "destination can't be '/'",
+			`c:\notexist:/foo`:                   `bind mount source path does not exist: c:\notexist`,
+			`c:\windows\system32\ntdll.dll:/foo`: `source path must be a directory`,
+			`name<:/foo`:                         `invalid volume specification`,
+			`name>:/foo`:                         `invalid volume specification`,
+			`name::/foo`:                         `invalid volume specification`,
+			`name":/foo`:                         `invalid volume specification`,
+			`name\:/foo`:                         `invalid volume specification`,
+			`name*:/foo`:                         `invalid volume specification`,
+			`name|:/foo`:                         `invalid volume specification`,
+			`name?:/foo`:                         `invalid volume specification`,
+			`name/:/foo`:                         `invalid volume specification`,
+			`/foo:rw`:                            `invalid volume specification`,
+			`/foo:ro`:                            `invalid volume specification`,
+			`con:/foo`:                           `cannot be a reserved word for Windows filenames`,
+			`PRN:/foo`:                           `cannot be a reserved word for Windows filenames`,
+			`aUx:/foo`:                           `cannot be a reserved word for Windows filenames`,
+			`nul:/foo`:                           `cannot be a reserved word for Windows filenames`,
+			`com1:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`com2:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`com3:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`com4:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`com5:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`com6:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`com7:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`com8:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`com9:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt1:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt2:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt3:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt4:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt5:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt6:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt7:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt8:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`lpt9:/foo`:                          `cannot be a reserved word for Windows filenames`,
+			`\\.\pipe\foo:/foo`:                  `Linux containers on Windows do not support named pipe mounts`,
+		},
+	}
+	linuxSet := parseMountRawTestSet{
+		valid: []string{
+			"/home",
+			"/home:/home",
+			"/home:/something/else",
+			"/with space",
+			"/home:/with space",
+			"relative:/absolute-path",
+			"hostPath:/containerPath:ro",
+			"/hostPath:/containerPath:rw",
+			"/rw:/ro",
+			"/hostPath:/containerPath:shared",
+			"/hostPath:/containerPath:rshared",
+			"/hostPath:/containerPath:slave",
+			"/hostPath:/containerPath:rslave",
+			"/hostPath:/containerPath:private",
+			"/hostPath:/containerPath:rprivate",
+			"/hostPath:/containerPath:ro,shared",
+			"/hostPath:/containerPath:ro,slave",
+			"/hostPath:/containerPath:ro,private",
+			"/hostPath:/containerPath:ro,z,shared",
+			"/hostPath:/containerPath:ro,Z,slave",
+			"/hostPath:/containerPath:Z,ro,slave",
+			"/hostPath:/containerPath:slave,Z,ro",
+			"/hostPath:/containerPath:Z,slave,ro",
+			"/hostPath:/containerPath:slave,ro,Z",
+			"/hostPath:/containerPath:rslave,ro,Z",
+			"/hostPath:/containerPath:ro,rshared,Z",
+			"/hostPath:/containerPath:ro,Z,rprivate",
+		},
+		invalid: map[string]string{
+			"":                                "invalid volume specification",
+			"./":                              "mount path must be absolute",
+			"../":                             "mount path must be absolute",
+			"/:../":                           "mount path must be absolute",
+			"/:path":                          "mount path must be absolute",
+			":":                               "invalid volume specification",
+			"/tmp:":                           "invalid volume specification",
+			":test":                           "invalid volume specification",
+			":/test":                          "invalid volume specification",
+			"tmp:":                            "invalid volume specification",
+			":test:":                          "invalid volume specification",
+			"::":                              "invalid volume specification",
+			":::":                             "invalid volume specification",
+			"/tmp:::":                         "invalid volume specification",
+			":/tmp::":                         "invalid volume specification",
+			"/path:rw":                        "invalid volume specification",
+			"/path:ro":                        "invalid volume specification",
+			"/rw:rw":                          "invalid volume specification",
+			"path:ro":                         "invalid volume specification",
+			"/path:/path:sw":                  `invalid mode`,
+			"/path:/path:rwz":                 `invalid mode`,
+			"/path:/path:ro,rshared,rslave":   `invalid mode`,
+			"/path:/path:ro,z,rshared,rslave": `invalid mode`,
+			"/path:shared":                    "invalid volume specification",
+			"/path:slave":                     "invalid volume specification",
+			"/path:private":                   "invalid volume specification",
+			"name:/absolute-path:shared":      "invalid volume specification",
+			"name:/absolute-path:rshared":     "invalid volume specification",
+			"name:/absolute-path:slave":       "invalid volume specification",
+			"name:/absolute-path:rslave":      "invalid volume specification",
+			"name:/absolute-path:private":     "invalid volume specification",
+			"name:/absolute-path:rprivate":    "invalid volume specification",
+		},
+	}
+
+	linParser := &linuxParser{}
+	winParser := &windowsParser{}
+	lcowParser := &lcowParser{}
+	tester := func(parser Parser, set parseMountRawTestSet) {
+
+		for _, path := range set.valid {
+
+			if _, err := parser.ParseMountRaw(path, "local"); err != nil {
+				t.Errorf("ParseMountRaw(`%q`) should succeed: error %q", path, err)
+			}
+		}
+
+		for path, expectedError := range set.invalid {
+			if mp, err := parser.ParseMountRaw(path, "local"); err == nil {
+				t.Errorf("ParseMountRaw(`%q`) should have failed validation. Err '%v' - MP: %v", path, err, mp)
+			} else {
+				if !strings.Contains(err.Error(), expectedError) {
+					t.Errorf("ParseMountRaw(`%q`) error should contain %q, got %v", path, expectedError, err.Error())
+				}
+			}
+		}
+	}
+	tester(linParser, linuxSet)
+	tester(winParser, windowsSet)
+	tester(lcowParser, lcowSet)
+
+}
+
+// testParseMountRaw is a structure used by TestParseMountRawSplit for
+// specifying test cases for the ParseMountRaw() function.
+type testParseMountRaw struct {
+	bind      string
+	driver    string
+	expType   mount.Type
+	expDest   string
+	expSource string
+	expName   string
+	expDriver string
+	expRW     bool
+	fail      bool
+}
+
+func TestParseMountRawSplit(t *testing.T) {
+	previousProvider := currentFileInfoProvider
+	defer func() { currentFileInfoProvider = previousProvider }()
+	currentFileInfoProvider = mockFiProvider{}
+	windowsCases := []testParseMountRaw{
+		{`c:\:d:`, "local", mount.TypeBind, `d:`, `c:\`, ``, "", true, false},
+		{`c:\:d:\`, "local", mount.TypeBind, `d:\`, `c:\`, ``, "", true, false},
+		{`c:\:d:\:ro`, "local", mount.TypeBind, `d:\`, `c:\`, ``, "", false, false},
+		{`c:\:d:\:rw`, "local", mount.TypeBind, `d:\`, `c:\`, ``, "", true, false},
+		{`c:\:d:\:foo`, "local", mount.TypeBind, `d:\`, `c:\`, ``, "", false, true},
+		{`name:d::rw`, "local", mount.TypeVolume, `d:`, ``, `name`, "local", true, false},
+		{`name:d:`, "local", mount.TypeVolume, `d:`, ``, `name`, "local", true, false},
+		{`name:d::ro`, "local", mount.TypeVolume, `d:`, ``, `name`, "local", false, false},
+		{`name:c:`, "", mount.TypeVolume, ``, ``, ``, "", true, true},
+		{`driver/name:c:`, "", mount.TypeVolume, ``, ``, ``, "", true, true},
+		{`\\.\pipe\foo:\\.\pipe\bar`, "local", mount.TypeNamedPipe, `\\.\pipe\bar`, `\\.\pipe\foo`, "", "", true, false},
+		{`\\.\pipe\foo:c:\foo\bar`, "local", mount.TypeNamedPipe, ``, ``, "", "", true, true},
+		{`c:\foo\bar:\\.\pipe\foo`, "local", mount.TypeNamedPipe, ``, ``, "", "", true, true},
+	}
+	lcowCases := []testParseMountRaw{
+		{`c:\:/foo`, "local", mount.TypeBind, `/foo`, `c:\`, ``, "", true, false},
+		{`c:\:/foo:ro`, "local", mount.TypeBind, `/foo`, `c:\`, ``, "", false, false},
+		{`c:\:/foo:rw`, "local", mount.TypeBind, `/foo`, `c:\`, ``, "", true, false},
+		{`c:\:/foo:foo`, "local", mount.TypeBind, `/foo`, `c:\`, ``, "", false, true},
+		{`name:/foo:rw`, "local", mount.TypeVolume, `/foo`, ``, `name`, "local", true, false},
+		{`name:/foo`, "local", mount.TypeVolume, `/foo`, ``, `name`, "local", true, false},
+		{`name:/foo:ro`, "local", mount.TypeVolume, `/foo`, ``, `name`, "local", false, false},
+		{`name:/`, "", mount.TypeVolume, ``, ``, ``, "", true, true},
+		{`driver/name:/`, "", mount.TypeVolume, ``, ``, ``, "", true, true},
+		{`\\.\pipe\foo:\\.\pipe\bar`, "local", mount.TypeNamedPipe, `\\.\pipe\bar`, `\\.\pipe\foo`, "", "", true, true},
+		{`\\.\pipe\foo:/data`, "local", mount.TypeNamedPipe, ``, ``, "", "", true, true},
+		{`c:\foo\bar:\\.\pipe\foo`, "local", mount.TypeNamedPipe, ``, ``, "", "", true, true},
+	}
+	linuxCases := []testParseMountRaw{
+		{"/tmp:/tmp1", "", mount.TypeBind, "/tmp1", "/tmp", "", "", true, false},
+		{"/tmp:/tmp2:ro", "", mount.TypeBind, "/tmp2", "/tmp", "", "", false, false},
+		{"/tmp:/tmp3:rw", "", mount.TypeBind, "/tmp3", "/tmp", "", "", true, false},
+		{"/tmp:/tmp4:foo", "", mount.TypeBind, "", "", "", "", false, true},
+		{"name:/named1", "", mount.TypeVolume, "/named1", "", "name", "", true, false},
+		{"name:/named2", "external", mount.TypeVolume, "/named2", "", "name", "external", true, false},
+		{"name:/named3:ro", "local", mount.TypeVolume, "/named3", "", "name", "local", false, false},
+		{"local/name:/tmp:rw", "", mount.TypeVolume, "/tmp", "", "local/name", "", true, false},
+		{"/tmp:tmp", "", mount.TypeBind, "", "", "", "", true, true},
+	}
+	linParser := &linuxParser{}
+	winParser := &windowsParser{}
+	lcowParser := &lcowParser{}
+	tester := func(parser Parser, cases []testParseMountRaw) {
+		for i, c := range cases {
+			t.Logf("case %d", i)
+			m, err := parser.ParseMountRaw(c.bind, c.driver)
+			if c.fail {
+				if err == nil {
+					t.Errorf("Expected error, was nil, for spec %s\n", c.bind)
+				}
+				continue
+			}
+
+			if m == nil || err != nil {
+				t.Errorf("ParseMountRaw failed for spec '%s', driver '%s', error '%v'", c.bind, c.driver, err.Error())
+				continue
+			}
+
+			if m.Destination != c.expDest {
+				t.Errorf("Expected destination '%s, was %s', for spec '%s'", c.expDest, m.Destination, c.bind)
+			}
+
+			if m.Source != c.expSource {
+				t.Errorf("Expected source '%s', was '%s', for spec '%s'", c.expSource, m.Source, c.bind)
+			}
+
+			if m.Name != c.expName {
+				t.Errorf("Expected name '%s', was '%s' for spec '%s'", c.expName, m.Name, c.bind)
+			}
+
+			if m.Driver != c.expDriver {
+				t.Errorf("Expected driver '%s', was '%s', for spec '%s'", c.expDriver, m.Driver, c.bind)
+			}
+
+			if m.RW != c.expRW {
+				t.Errorf("Expected RW '%v', was '%v' for spec '%s'", c.expRW, m.RW, c.bind)
+			}
+			if m.Type != c.expType {
+				t.Fatalf("Expected type '%s', was '%s', for spec '%s'", c.expType, m.Type, c.bind)
+			}
+		}
+	}
+
+	tester(linParser, linuxCases)
+	tester(winParser, windowsCases)
+	tester(lcowParser, lcowCases)
+}
+
+func TestParseMountSpec(t *testing.T) {
+	type c struct {
+		input    mount.Mount
+		expected MountPoint
+	}
+	testDir, err := ioutil.TempDir("", "test-mount-config")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(testDir)
+	parser := NewParser(runtime.GOOS)
+	cases := []c{
+		{mount.Mount{Type: mount.TypeBind, Source: testDir, Target: testDestinationPath, ReadOnly: true}, MountPoint{Type: mount.TypeBind, Source: testDir, Destination: testDestinationPath, Propagation: parser.DefaultPropagationMode()}},
+		{mount.Mount{Type: mount.TypeBind, Source: testDir, Target: testDestinationPath}, MountPoint{Type: mount.TypeBind, Source: testDir, Destination: testDestinationPath, RW: true, Propagation: parser.DefaultPropagationMode()}},
+		{mount.Mount{Type: mount.TypeBind, Source: testDir + string(os.PathSeparator), Target: testDestinationPath, ReadOnly: true}, MountPoint{Type: mount.TypeBind, Source: testDir, Destination: testDestinationPath, Propagation: parser.DefaultPropagationMode()}},
+		{mount.Mount{Type: mount.TypeBind, Source: testDir, Target: testDestinationPath + string(os.PathSeparator), ReadOnly: true}, MountPoint{Type: mount.TypeBind, Source: testDir, Destination: testDestinationPath, Propagation: parser.DefaultPropagationMode()}},
+		{mount.Mount{Type: mount.TypeVolume, Target: testDestinationPath}, MountPoint{Type: mount.TypeVolume, Destination: testDestinationPath, RW: true, CopyData: parser.DefaultCopyMode()}},
+		{mount.Mount{Type: mount.TypeVolume, Target: testDestinationPath + string(os.PathSeparator)}, MountPoint{Type: mount.TypeVolume, Destination: testDestinationPath, RW: true, CopyData: parser.DefaultCopyMode()}},
+	}
+
+	for i, c := range cases {
+		t.Logf("case %d", i)
+		mp, err := parser.ParseMountSpec(c.input)
+		if err != nil {
+			t.Error(err)
+		}
+
+		if c.expected.Type != mp.Type {
+			t.Errorf("Expected mount types to match. Expected: '%s', Actual: '%s'", c.expected.Type, mp.Type)
+		}
+		if c.expected.Destination != mp.Destination {
+			t.Errorf("Expected mount destination to match. Expected: '%s', Actual: '%s'", c.expected.Destination, mp.Destination)
+		}
+		if c.expected.Source != mp.Source {
+			t.Errorf("Expected mount source to match. Expected: '%s', Actual: '%s'", c.expected.Source, mp.Source)
+		}
+		if c.expected.RW != mp.RW {
+			t.Errorf("Expected mount writable to match. Expected: '%v', Actual: '%v'", c.expected.RW, mp.RW)
+		}
+		if c.expected.Propagation != mp.Propagation {
+			t.Errorf("Expected mount propagation to match. Expected: '%v', Actual: '%s'", c.expected.Propagation, mp.Propagation)
+		}
+		if c.expected.Driver != mp.Driver {
+			t.Errorf("Expected mount driver to match. Expected: '%v', Actual: '%s'", c.expected.Driver, mp.Driver)
+		}
+		if c.expected.CopyData != mp.CopyData {
+			t.Errorf("Expected mount copy data to match. Expected: '%v', Actual: '%v'", c.expected.CopyData, mp.CopyData)
+		}
+	}
+}
diff --git a/engine/volume/mounts/validate.go b/engine/volume/mounts/validate.go
new file mode 100644
index 00000000..0b715269
--- /dev/null
+++ b/engine/volume/mounts/validate.go
@@ -0,0 +1,28 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+import (
+	"fmt"
+
+	"github.com/docker/docker/api/types/mount"
+	"github.com/pkg/errors"
+)
+
+type errMountConfig struct {
+	mount *mount.Mount
+	err   error
+}
+
+func (e *errMountConfig) Error() string {
+	return fmt.Sprintf("invalid mount config for type %q: %v", e.mount.Type, e.err.Error())
+}
+
+func errBindSourceDoesNotExist(path string) error {
+	return errors.Errorf("bind mount source path does not exist: %s", path)
+}
+
+func errExtraField(name string) error {
+	return errors.Errorf("field %s must not be specified", name)
+}
+func errMissingField(name string) error {
+	return errors.Errorf("field %s must not be empty", name)
+}
diff --git a/engine/volume/mounts/validate_test.go b/engine/volume/mounts/validate_test.go
new file mode 100644
index 00000000..4f838560
--- /dev/null
+++ b/engine/volume/mounts/validate_test.go
@@ -0,0 +1,73 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+import (
+	"errors"
+	"io/ioutil"
+	"os"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/mount"
+)
+
+func TestValidateMount(t *testing.T) {
+	testDir, err := ioutil.TempDir("", "test-validate-mount")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(testDir)
+
+	cases := []struct {
+		input    mount.Mount
+		expected error
+	}{
+		{mount.Mount{Type: mount.TypeVolume}, errMissingField("Target")},
+		{mount.Mount{Type: mount.TypeVolume, Target: testDestinationPath, Source: "hello"}, nil},
+		{mount.Mount{Type: mount.TypeVolume, Target: testDestinationPath}, nil},
+		{mount.Mount{Type: mount.TypeBind}, errMissingField("Target")},
+		{mount.Mount{Type: mount.TypeBind, Target: testDestinationPath}, errMissingField("Source")},
+		{mount.Mount{Type: mount.TypeBind, Target: testDestinationPath, Source: testSourcePath, VolumeOptions: &mount.VolumeOptions{}}, errExtraField("VolumeOptions")},
+
+		{mount.Mount{Type: mount.TypeBind, Source: testDir, Target: testDestinationPath}, nil},
+		{mount.Mount{Type: "invalid", Target: testDestinationPath}, errors.New("mount type unknown")},
+		{mount.Mount{Type: mount.TypeBind, Source: testSourcePath, Target: testDestinationPath}, errBindSourceDoesNotExist(testSourcePath)},
+	}
+
+	lcowCases := []struct {
+		input    mount.Mount
+		expected error
+	}{
+		{mount.Mount{Type: mount.TypeVolume}, errMissingField("Target")},
+		{mount.Mount{Type: mount.TypeVolume, Target: "/foo", Source: "hello"}, nil},
+		{mount.Mount{Type: mount.TypeVolume, Target: "/foo"}, nil},
+		{mount.Mount{Type: mount.TypeBind}, errMissingField("Target")},
+		{mount.Mount{Type: mount.TypeBind, Target: "/foo"}, errMissingField("Source")},
+		{mount.Mount{Type: mount.TypeBind, Target: "/foo", Source: "c:\\foo", VolumeOptions: &mount.VolumeOptions{}}, errExtraField("VolumeOptions")},
+		{mount.Mount{Type: mount.TypeBind, Source: "c:\\foo", Target: "/foo"}, errBindSourceDoesNotExist("c:\\foo")},
+		{mount.Mount{Type: mount.TypeBind, Source: testDir, Target: "/foo"}, nil},
+		{mount.Mount{Type: "invalid", Target: "/foo"}, errors.New("mount type unknown")},
+	}
+	parser := NewParser(runtime.GOOS)
+	for i, x := range cases {
+		err := parser.ValidateMountConfig(&x.input)
+		if err == nil && x.expected == nil {
+			continue
+		}
+		if (err == nil && x.expected != nil) || (x.expected == nil && err != nil) || !strings.Contains(err.Error(), x.expected.Error()) {
+			t.Errorf("expected %q, got %q, case: %d", x.expected, err, i)
+		}
+	}
+	if runtime.GOOS == "windows" {
+		parser = &lcowParser{}
+		for i, x := range lcowCases {
+			err := parser.ValidateMountConfig(&x.input)
+			if err == nil && x.expected == nil {
+				continue
+			}
+			if (err == nil && x.expected != nil) || (x.expected == nil && err != nil) || !strings.Contains(err.Error(), x.expected.Error()) {
+				t.Errorf("expected %q, got %q, case: %d", x.expected, err, i)
+			}
+		}
+	}
+}
diff --git a/engine/volume/mounts/validate_unix_test.go b/engine/volume/mounts/validate_unix_test.go
new file mode 100644
index 00000000..a3193714
--- /dev/null
+++ b/engine/volume/mounts/validate_unix_test.go
@@ -0,0 +1,8 @@
+// +build !windows
+
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+var (
+	testDestinationPath = "/foo"
+	testSourcePath      = "/foo"
+)
diff --git a/engine/volume/mounts/validate_windows_test.go b/engine/volume/mounts/validate_windows_test.go
new file mode 100644
index 00000000..74b40a6c
--- /dev/null
+++ b/engine/volume/mounts/validate_windows_test.go
@@ -0,0 +1,6 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+var (
+	testDestinationPath = `c:\foo`
+	testSourcePath      = `c:\foo`
+)
diff --git a/engine/volume/mounts/volume_copy.go b/engine/volume/mounts/volume_copy.go
new file mode 100644
index 00000000..04056fa5
--- /dev/null
+++ b/engine/volume/mounts/volume_copy.go
@@ -0,0 +1,23 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+import "strings"
+
+// {<copy mode>=isEnabled}
+var copyModes = map[string]bool{
+	"nocopy": false,
+}
+
+func copyModeExists(mode string) bool {
+	_, exists := copyModes[mode]
+	return exists
+}
+
+// GetCopyMode gets the copy mode from the mode string for mounts
+func getCopyMode(mode string, def bool) (bool, bool) {
+	for _, o := range strings.Split(mode, ",") {
+		if isEnabled, exists := copyModes[o]; exists {
+			return isEnabled, true
+		}
+	}
+	return def, false
+}
diff --git a/engine/volume/mounts/volume_unix.go b/engine/volume/mounts/volume_unix.go
new file mode 100644
index 00000000..c6d51e07
--- /dev/null
+++ b/engine/volume/mounts/volume_unix.go
@@ -0,0 +1,18 @@
+// +build linux freebsd darwin
+
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+)
+
+func (p *linuxParser) HasResource(m *MountPoint, absolutePath string) bool {
+	relPath, err := filepath.Rel(m.Destination, absolutePath)
+	return err == nil && relPath != ".." && !strings.HasPrefix(relPath, fmt.Sprintf("..%c", filepath.Separator))
+}
+
+func (p *windowsParser) HasResource(m *MountPoint, absolutePath string) bool {
+	return false
+}
diff --git a/engine/volume/mounts/volume_windows.go b/engine/volume/mounts/volume_windows.go
new file mode 100644
index 00000000..773e7db8
--- /dev/null
+++ b/engine/volume/mounts/volume_windows.go
@@ -0,0 +1,8 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+func (p *windowsParser) HasResource(m *MountPoint, absolutePath string) bool {
+	return false
+}
+func (p *linuxParser) HasResource(m *MountPoint, absolutePath string) bool {
+	return false
+}
diff --git a/engine/volume/mounts/windows_parser.go b/engine/volume/mounts/windows_parser.go
new file mode 100644
index 00000000..ac610440
--- /dev/null
+++ b/engine/volume/mounts/windows_parser.go
@@ -0,0 +1,456 @@
+package mounts // import "github.com/docker/docker/volume/mounts"
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"regexp"
+	"runtime"
+	"strings"
+
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/pkg/stringid"
+)
+
+type windowsParser struct {
+}
+
+const (
+	// Spec should be in the format [source:]destination[:mode]
+	//
+	// Examples: c:\foo bar:d:rw
+	//           c:\foo:d:\bar
+	//           myname:d:
+	//           d:\
+	//
+	// Explanation of this regex! Thanks @thaJeztah on IRC and gist for help. See
+	// https://gist.github.com/thaJeztah/6185659e4978789fb2b2. A good place to
+	// test is https://regex-golang.appspot.com/assets/html/index.html
+	//
+	// Useful link for referencing named capturing groups:
+	// http://stackoverflow.com/questions/20750843/using-named-matches-from-go-regex
+	//
+	// There are three match groups: source, destination and mode.
+	//
+
+	// rxHostDir is the first option of a source
+	rxHostDir = `(?:\\\\\?\\)?[a-z]:[\\/](?:[^\\/:*?"<>|\r\n]+[\\/]?)*`
+	// rxName is the second option of a source
+	rxName = `[^\\/:*?"<>|\r\n]+`
+
+	// RXReservedNames are reserved names not possible on Windows
+	rxReservedNames = `(con)|(prn)|(nul)|(aux)|(com[1-9])|(lpt[1-9])`
+
+	// rxPipe is a named path pipe (starts with `\\.\pipe\`, possibly with / instead of \)
+	rxPipe = `[/\\]{2}.[/\\]pipe[/\\][^:*?"<>|\r\n]+`
+	// rxSource is the combined possibilities for a source
+	rxSource = `((?P<source>((` + rxHostDir + `)|(` + rxName + `)|(` + rxPipe + `))):)?`
+
+	// Source. Can be either a host directory, a name, or omitted:
+	//  HostDir:
+	//    -  Essentially using the folder solution from
+	//       https://www.safaribooksonline.com/library/view/regular-expressions-cookbook/9781449327453/ch08s18.html
+	//       but adding case insensitivity.
+	//    -  Must be an absolute path such as c:\path
+	//    -  Can include spaces such as `c:\program files`
+	//    -  And then followed by a colon which is not in the capture group
+	//    -  And can be optional
+	//  Name:
+	//    -  Must not contain invalid NTFS filename characters (https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx)
+	//    -  And then followed by a colon which is not in the capture group
+	//    -  And can be optional
+
+	// rxDestination is the regex expression for the mount destination
+	rxDestination = `(?P<destination>((?:\\\\\?\\)?([a-z]):((?:[\\/][^\\/:*?"<>\r\n]+)*[\\/]?))|(` + rxPipe + `))`
+
+	rxLCOWDestination = `(?P<destination>/(?:[^\\/:*?"<>\r\n]+[/]?)*)`
+	// Destination (aka container path):
+	//    -  Variation on hostdir but can be a drive followed by colon as well
+	//    -  If a path, must be absolute. Can include spaces
+	//    -  Drive cannot be c: (explicitly checked in code, not RegEx)
+
+	// rxMode is the regex expression for the mode of the mount
+	// Mode (optional):
+	//    -  Hopefully self explanatory in comparison to above regex's.
+	//    -  Colon is not in the capture group
+	rxMode = `(:(?P<mode>(?i)ro|rw))?`
+)
+
+type mountValidator func(mnt *mount.Mount) error
+
+func windowsSplitRawSpec(raw, destRegex string) ([]string, error) {
+	specExp := regexp.MustCompile(`^` + rxSource + destRegex + rxMode + `$`)
+	match := specExp.FindStringSubmatch(strings.ToLower(raw))
+
+	// Must have something back
+	if len(match) == 0 {
+		return nil, errInvalidSpec(raw)
+	}
+
+	var split []string
+	matchgroups := make(map[string]string)
+	// Pull out the sub expressions from the named capture groups
+	for i, name := range specExp.SubexpNames() {
+		matchgroups[name] = strings.ToLower(match[i])
+	}
+	if source, exists := matchgroups["source"]; exists {
+		if source != "" {
+			split = append(split, source)
+		}
+	}
+	if destination, exists := matchgroups["destination"]; exists {
+		if destination != "" {
+			split = append(split, destination)
+		}
+	}
+	if mode, exists := matchgroups["mode"]; exists {
+		if mode != "" {
+			split = append(split, mode)
+		}
+	}
+	// Fix #26329. If the destination appears to be a file, and the source is null,
+	// it may be because we've fallen through the possible naming regex and hit a
+	// situation where the user intention was to map a file into a container through
+	// a local volume, but this is not supported by the platform.
+	if matchgroups["source"] == "" && matchgroups["destination"] != "" {
+		volExp := regexp.MustCompile(`^` + rxName + `$`)
+		reservedNameExp := regexp.MustCompile(`^` + rxReservedNames + `$`)
+
+		if volExp.MatchString(matchgroups["destination"]) {
+			if reservedNameExp.MatchString(matchgroups["destination"]) {
+				return nil, fmt.Errorf("volume name %q cannot be a reserved word for Windows filenames", matchgroups["destination"])
+			}
+		} else {
+
+			exists, isDir, _ := currentFileInfoProvider.fileInfo(matchgroups["destination"])
+			if exists && !isDir {
+				return nil, fmt.Errorf("file '%s' cannot be mapped. Only directories can be mapped on this platform", matchgroups["destination"])
+
+			}
+		}
+	}
+	return split, nil
+}
+
+func windowsValidMountMode(mode string) bool {
+	if mode == "" {
+		return true
+	}
+	return rwModes[strings.ToLower(mode)]
+}
+func windowsValidateNotRoot(p string) error {
+	p = strings.ToLower(strings.Replace(p, `/`, `\`, -1))
+	if p == "c:" || p == `c:\` {
+		return fmt.Errorf("destination path cannot be `c:` or `c:\\`: %v", p)
+	}
+	return nil
+}
+
+var windowsSpecificValidators mountValidator = func(mnt *mount.Mount) error {
+	return windowsValidateNotRoot(mnt.Target)
+}
+
+func windowsValidateRegex(p, r string) error {
+	if regexp.MustCompile(`^` + r + `$`).MatchString(strings.ToLower(p)) {
+		return nil
+	}
+	return fmt.Errorf("invalid mount path: '%s'", p)
+}
+func windowsValidateAbsolute(p string) error {
+	if err := windowsValidateRegex(p, rxDestination); err != nil {
+		return fmt.Errorf("invalid mount path: '%s' mount path must be absolute", p)
+	}
+	return nil
+}
+
+func windowsDetectMountType(p string) mount.Type {
+	if strings.HasPrefix(p, `\\.\pipe\`) {
+		return mount.TypeNamedPipe
+	} else if regexp.MustCompile(`^` + rxHostDir + `$`).MatchString(p) {
+		return mount.TypeBind
+	} else {
+		return mount.TypeVolume
+	}
+}
+
+func (p *windowsParser) ReadWrite(mode string) bool {
+	return strings.ToLower(mode) != "ro"
+}
+
+// IsVolumeNameValid checks a volume name in a platform specific manner.
+func (p *windowsParser) ValidateVolumeName(name string) error {
+	nameExp := regexp.MustCompile(`^` + rxName + `$`)
+	if !nameExp.MatchString(name) {
+		return errors.New("invalid volume name")
+	}
+	nameExp = regexp.MustCompile(`^` + rxReservedNames + `$`)
+	if nameExp.MatchString(name) {
+		return fmt.Errorf("volume name %q cannot be a reserved word for Windows filenames", name)
+	}
+	return nil
+}
+func (p *windowsParser) ValidateMountConfig(mnt *mount.Mount) error {
+	return p.validateMountConfigReg(mnt, rxDestination, windowsSpecificValidators)
+}
+
+type fileInfoProvider interface {
+	fileInfo(path string) (exist, isDir bool, err error)
+}
+
+type defaultFileInfoProvider struct {
+}
+
+func (defaultFileInfoProvider) fileInfo(path string) (exist, isDir bool, err error) {
+	fi, err := os.Stat(path)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			return false, false, err
+		}
+		return false, false, nil
+	}
+	return true, fi.IsDir(), nil
+}
+
+var currentFileInfoProvider fileInfoProvider = defaultFileInfoProvider{}
+
+func (p *windowsParser) validateMountConfigReg(mnt *mount.Mount, destRegex string, additionalValidators ...mountValidator) error {
+
+	for _, v := range additionalValidators {
+		if err := v(mnt); err != nil {
+			return &errMountConfig{mnt, err}
+		}
+	}
+	if len(mnt.Target) == 0 {
+		return &errMountConfig{mnt, errMissingField("Target")}
+	}
+
+	if err := windowsValidateRegex(mnt.Target, destRegex); err != nil {
+		return &errMountConfig{mnt, err}
+	}
+
+	switch mnt.Type {
+	case mount.TypeBind:
+		if len(mnt.Source) == 0 {
+			return &errMountConfig{mnt, errMissingField("Source")}
+		}
+		// Don't error out just because the propagation mode is not supported on the platform
+		if opts := mnt.BindOptions; opts != nil {
+			if len(opts.Propagation) > 0 {
+				return &errMountConfig{mnt, fmt.Errorf("invalid propagation mode: %s", opts.Propagation)}
+			}
+		}
+		if mnt.VolumeOptions != nil {
+			return &errMountConfig{mnt, errExtraField("VolumeOptions")}
+		}
+
+		if err := windowsValidateAbsolute(mnt.Source); err != nil {
+			return &errMountConfig{mnt, err}
+		}
+
+		exists, isdir, err := currentFileInfoProvider.fileInfo(mnt.Source)
+		if err != nil {
+			return &errMountConfig{mnt, err}
+		}
+		if !exists {
+			return &errMountConfig{mnt, errBindSourceDoesNotExist(mnt.Source)}
+		}
+		if !isdir {
+			return &errMountConfig{mnt, fmt.Errorf("source path must be a directory")}
+		}
+
+	case mount.TypeVolume:
+		if mnt.BindOptions != nil {
+			return &errMountConfig{mnt, errExtraField("BindOptions")}
+		}
+
+		if len(mnt.Source) == 0 && mnt.ReadOnly {
+			return &errMountConfig{mnt, fmt.Errorf("must not set ReadOnly mode when using anonymous volumes")}
+		}
+
+		if len(mnt.Source) != 0 {
+			if err := p.ValidateVolumeName(mnt.Source); err != nil {
+				return &errMountConfig{mnt, err}
+			}
+		}
+	case mount.TypeNamedPipe:
+		if len(mnt.Source) == 0 {
+			return &errMountConfig{mnt, errMissingField("Source")}
+		}
+
+		if mnt.BindOptions != nil {
+			return &errMountConfig{mnt, errExtraField("BindOptions")}
+		}
+
+		if mnt.ReadOnly {
+			return &errMountConfig{mnt, errExtraField("ReadOnly")}
+		}
+
+		if windowsDetectMountType(mnt.Source) != mount.TypeNamedPipe {
+			return &errMountConfig{mnt, fmt.Errorf("'%s' is not a valid pipe path", mnt.Source)}
+		}
+
+		if windowsDetectMountType(mnt.Target) != mount.TypeNamedPipe {
+			return &errMountConfig{mnt, fmt.Errorf("'%s' is not a valid pipe path", mnt.Target)}
+		}
+	default:
+		return &errMountConfig{mnt, errors.New("mount type unknown")}
+	}
+	return nil
+}
+func (p *windowsParser) ParseMountRaw(raw, volumeDriver string) (*MountPoint, error) {
+	return p.parseMountRaw(raw, volumeDriver, rxDestination, true, windowsSpecificValidators)
+}
+
+func (p *windowsParser) parseMountRaw(raw, volumeDriver, destRegex string, convertTargetToBackslash bool, additionalValidators ...mountValidator) (*MountPoint, error) {
+	arr, err := windowsSplitRawSpec(raw, destRegex)
+	if err != nil {
+		return nil, err
+	}
+
+	var spec mount.Mount
+	var mode string
+	switch len(arr) {
+	case 1:
+		// Just a destination path in the container
+		spec.Target = arr[0]
+	case 2:
+		if windowsValidMountMode(arr[1]) {
+			// Destination + Mode is not a valid volume - volumes
+			// cannot include a mode. e.g. /foo:rw
+			return nil, errInvalidSpec(raw)
+		}
+		// Host Source Path or Name + Destination
+		spec.Source = strings.Replace(arr[0], `/`, `\`, -1)
+		spec.Target = arr[1]
+	case 3:
+		// HostSourcePath+DestinationPath+Mode
+		spec.Source = strings.Replace(arr[0], `/`, `\`, -1)
+		spec.Target = arr[1]
+		mode = arr[2]
+	default:
+		return nil, errInvalidSpec(raw)
+	}
+	if convertTargetToBackslash {
+		spec.Target = strings.Replace(spec.Target, `/`, `\`, -1)
+	}
+
+	if !windowsValidMountMode(mode) {
+		return nil, errInvalidMode(mode)
+	}
+
+	spec.Type = windowsDetectMountType(spec.Source)
+	spec.ReadOnly = !p.ReadWrite(mode)
+
+	// cannot assume that if a volume driver is passed in that we should set it
+	if volumeDriver != "" && spec.Type == mount.TypeVolume {
+		spec.VolumeOptions = &mount.VolumeOptions{
+			DriverConfig: &mount.Driver{Name: volumeDriver},
+		}
+	}
+
+	if copyData, isSet := getCopyMode(mode, p.DefaultCopyMode()); isSet {
+		if spec.VolumeOptions == nil {
+			spec.VolumeOptions = &mount.VolumeOptions{}
+		}
+		spec.VolumeOptions.NoCopy = !copyData
+	}
+
+	mp, err := p.parseMountSpec(spec, destRegex, convertTargetToBackslash, additionalValidators...)
+	if mp != nil {
+		mp.Mode = mode
+	}
+	if err != nil {
+		err = fmt.Errorf("%v: %v", errInvalidSpec(raw), err)
+	}
+	return mp, err
+}
+
+func (p *windowsParser) ParseMountSpec(cfg mount.Mount) (*MountPoint, error) {
+	return p.parseMountSpec(cfg, rxDestination, true, windowsSpecificValidators)
+}
+func (p *windowsParser) parseMountSpec(cfg mount.Mount, destRegex string, convertTargetToBackslash bool, additionalValidators ...mountValidator) (*MountPoint, error) {
+	if err := p.validateMountConfigReg(&cfg, destRegex, additionalValidators...); err != nil {
+		return nil, err
+	}
+	mp := &MountPoint{
+		RW:          !cfg.ReadOnly,
+		Destination: cfg.Target,
+		Type:        cfg.Type,
+		Spec:        cfg,
+	}
+	if convertTargetToBackslash {
+		mp.Destination = strings.Replace(cfg.Target, `/`, `\`, -1)
+	}
+
+	switch cfg.Type {
+	case mount.TypeVolume:
+		if cfg.Source == "" {
+			mp.Name = stringid.GenerateNonCryptoID()
+		} else {
+			mp.Name = cfg.Source
+		}
+		mp.CopyData = p.DefaultCopyMode()
+
+		if cfg.VolumeOptions != nil {
+			if cfg.VolumeOptions.DriverConfig != nil {
+				mp.Driver = cfg.VolumeOptions.DriverConfig.Name
+			}
+			if cfg.VolumeOptions.NoCopy {
+				mp.CopyData = false
+			}
+		}
+	case mount.TypeBind:
+		mp.Source = strings.Replace(cfg.Source, `/`, `\`, -1)
+	case mount.TypeNamedPipe:
+		mp.Source = strings.Replace(cfg.Source, `/`, `\`, -1)
+	}
+	// cleanup trailing `\` except for paths like `c:\`
+	if len(mp.Source) > 3 && mp.Source[len(mp.Source)-1] == '\\' {
+		mp.Source = mp.Source[:len(mp.Source)-1]
+	}
+	if len(mp.Destination) > 3 && mp.Destination[len(mp.Destination)-1] == '\\' {
+		mp.Destination = mp.Destination[:len(mp.Destination)-1]
+	}
+	return mp, nil
+}
+
+func (p *windowsParser) ParseVolumesFrom(spec string) (string, string, error) {
+	if len(spec) == 0 {
+		return "", "", fmt.Errorf("volumes-from specification cannot be an empty string")
+	}
+
+	specParts := strings.SplitN(spec, ":", 2)
+	id := specParts[0]
+	mode := "rw"
+
+	if len(specParts) == 2 {
+		mode = specParts[1]
+		if !windowsValidMountMode(mode) {
+			return "", "", errInvalidMode(mode)
+		}
+
+		// Do not allow copy modes on volumes-from
+		if _, isSet := getCopyMode(mode, p.DefaultCopyMode()); isSet {
+			return "", "", errInvalidMode(mode)
+		}
+	}
+	return id, mode, nil
+}
+
+func (p *windowsParser) DefaultPropagationMode() mount.Propagation {
+	return mount.Propagation("")
+}
+
+func (p *windowsParser) ConvertTmpfsOptions(opt *mount.TmpfsOptions, readOnly bool) (string, error) {
+	return "", fmt.Errorf("%s does not support tmpfs", runtime.GOOS)
+}
+func (p *windowsParser) DefaultCopyMode() bool {
+	return false
+}
+func (p *windowsParser) IsBackwardCompatible(m *MountPoint) bool {
+	return false
+}
+
+func (p *windowsParser) ValidateTmpfsMountDestination(dest string) error {
+	return errors.New("Platform does not support tmpfs")
+}
diff --git a/engine/volume/service/by.go b/engine/volume/service/by.go
new file mode 100644
index 00000000..c5a4638d
--- /dev/null
+++ b/engine/volume/service/by.go
@@ -0,0 +1,89 @@
+package service // import "github.com/docker/docker/volume/service"
+
+import (
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/volume"
+)
+
+// By is an interface which is used to implement filtering on volumes.
+type By interface {
+	isBy()
+}
+
+// ByDriver is `By` that filters based on the driver names that are passed in
+func ByDriver(drivers ...string) By {
+	return byDriver(drivers)
+}
+
+type byDriver []string
+
+func (byDriver) isBy() {}
+
+// ByReferenced is a `By` that filters based on if the volume has references
+type ByReferenced bool
+
+func (ByReferenced) isBy() {}
+
+// And creates a `By` combining all the passed in bys using AND logic.
+func And(bys ...By) By {
+	and := make(andCombinator, 0, len(bys))
+	for _, by := range bys {
+		and = append(and, by)
+	}
+	return and
+}
+
+type andCombinator []By
+
+func (andCombinator) isBy() {}
+
+// Or creates a `By` combining all the passed in bys using OR logic.
+func Or(bys ...By) By {
+	or := make(orCombinator, 0, len(bys))
+	for _, by := range bys {
+		or = append(or, by)
+	}
+	return or
+}
+
+type orCombinator []By
+
+func (orCombinator) isBy() {}
+
+// CustomFilter is a `By` that is used by callers to provide custom filtering
+// logic.
+type CustomFilter filterFunc
+
+func (CustomFilter) isBy() {}
+
+// FromList returns a By which sets the initial list of volumes to use
+func FromList(ls *[]volume.Volume, by By) By {
+	return &fromList{by: by, ls: ls}
+}
+
+type fromList struct {
+	by By
+	ls *[]volume.Volume
+}
+
+func (fromList) isBy() {}
+
+func byLabelFilter(filter filters.Args) By {
+	return CustomFilter(func(v volume.Volume) bool {
+		dv, ok := v.(volume.DetailedVolume)
+		if !ok {
+			return false
+		}
+
+		labels := dv.Labels()
+		if !filter.MatchKVList("label", labels) {
+			return false
+		}
+		if filter.Contains("label!") {
+			if filter.MatchKVList("label!", labels) {
+				return false
+			}
+		}
+		return true
+	})
+}
diff --git a/engine/volume/service/convert.go b/engine/volume/service/convert.go
new file mode 100644
index 00000000..2967dc67
--- /dev/null
+++ b/engine/volume/service/convert.go
@@ -0,0 +1,132 @@
+package service
+
+import (
+	"context"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/pkg/directory"
+	"github.com/docker/docker/volume"
+	"github.com/sirupsen/logrus"
+)
+
+// convertOpts are used to pass options to `volumeToAPI`
+type convertOpt interface {
+	isConvertOpt()
+}
+
+type useCachedPath bool
+
+func (useCachedPath) isConvertOpt() {}
+
+type calcSize bool
+
+func (calcSize) isConvertOpt() {}
+
+type pathCacher interface {
+	CachedPath() string
+}
+
+func (s *VolumesService) volumesToAPI(ctx context.Context, volumes []volume.Volume, opts ...convertOpt) []*types.Volume {
+	var (
+		out        = make([]*types.Volume, 0, len(volumes))
+		getSize    bool
+		cachedPath bool
+	)
+
+	for _, o := range opts {
+		switch t := o.(type) {
+		case calcSize:
+			getSize = bool(t)
+		case useCachedPath:
+			cachedPath = bool(t)
+		}
+	}
+	for _, v := range volumes {
+		select {
+		case <-ctx.Done():
+			return nil
+		default:
+		}
+		apiV := volumeToAPIType(v)
+
+		if cachedPath {
+			if vv, ok := v.(pathCacher); ok {
+				apiV.Mountpoint = vv.CachedPath()
+			}
+		} else {
+			apiV.Mountpoint = v.Path()
+		}
+
+		if getSize {
+			p := v.Path()
+			if apiV.Mountpoint == "" {
+				apiV.Mountpoint = p
+			}
+			sz, err := directory.Size(ctx, p)
+			if err != nil {
+				logrus.WithError(err).WithField("volume", v.Name()).Warnf("Failed to determine size of volume")
+				sz = -1
+			}
+			apiV.UsageData = &types.VolumeUsageData{Size: sz, RefCount: int64(s.vs.CountReferences(v))}
+		}
+
+		out = append(out, &apiV)
+	}
+	return out
+}
+
+func volumeToAPIType(v volume.Volume) types.Volume {
+	createdAt, _ := v.CreatedAt()
+	tv := types.Volume{
+		Name:      v.Name(),
+		Driver:    v.DriverName(),
+		CreatedAt: createdAt.Format(time.RFC3339),
+	}
+	if v, ok := v.(volume.DetailedVolume); ok {
+		tv.Labels = v.Labels()
+		tv.Options = v.Options()
+		tv.Scope = v.Scope()
+	}
+	if cp, ok := v.(pathCacher); ok {
+		tv.Mountpoint = cp.CachedPath()
+	}
+	return tv
+}
+
+func filtersToBy(filter filters.Args, acceptedFilters map[string]bool) (By, error) {
+	if err := filter.Validate(acceptedFilters); err != nil {
+		return nil, err
+	}
+	var bys []By
+	if drivers := filter.Get("driver"); len(drivers) > 0 {
+		bys = append(bys, ByDriver(drivers...))
+	}
+	if filter.Contains("name") {
+		bys = append(bys, CustomFilter(func(v volume.Volume) bool {
+			return filter.Match("name", v.Name())
+		}))
+	}
+	bys = append(bys, byLabelFilter(filter))
+
+	if filter.Contains("dangling") {
+		var dangling bool
+		if filter.ExactMatch("dangling", "true") || filter.ExactMatch("dangling", "1") {
+			dangling = true
+		} else if !filter.ExactMatch("dangling", "false") && !filter.ExactMatch("dangling", "0") {
+			return nil, invalidFilter{"dangling", filter.Get("dangling")}
+		}
+		bys = append(bys, ByReferenced(!dangling))
+	}
+
+	var by By
+	switch len(bys) {
+	case 0:
+	case 1:
+		by = bys[0]
+	default:
+		by = And(bys...)
+	}
+	return by, nil
+}
diff --git a/engine/volume/service/db.go b/engine/volume/service/db.go
new file mode 100644
index 00000000..3b31f7bf
--- /dev/null
+++ b/engine/volume/service/db.go
@@ -0,0 +1,95 @@
+package service // import "github.com/docker/docker/volume/service"
+
+import (
+	"encoding/json"
+
+	"github.com/boltdb/bolt"
+	"github.com/docker/docker/errdefs"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var volumeBucketName = []byte("volumes")
+
+type volumeMetadata struct {
+	Name    string
+	Driver  string
+	Labels  map[string]string
+	Options map[string]string
+}
+
+func (s *VolumeStore) setMeta(name string, meta volumeMetadata) error {
+	return s.db.Update(func(tx *bolt.Tx) error {
+		return setMeta(tx, name, meta)
+	})
+}
+
+func setMeta(tx *bolt.Tx, name string, meta volumeMetadata) error {
+	metaJSON, err := json.Marshal(meta)
+	if err != nil {
+		return err
+	}
+	b, err := tx.CreateBucketIfNotExists(volumeBucketName)
+	if err != nil {
+		return errors.Wrap(err, "error creating volume bucket")
+	}
+	return errors.Wrap(b.Put([]byte(name), metaJSON), "error setting volume metadata")
+}
+
+func (s *VolumeStore) getMeta(name string) (volumeMetadata, error) {
+	var meta volumeMetadata
+	err := s.db.View(func(tx *bolt.Tx) error {
+		return getMeta(tx, name, &meta)
+	})
+	return meta, err
+}
+
+func getMeta(tx *bolt.Tx, name string, meta *volumeMetadata) error {
+	b := tx.Bucket(volumeBucketName)
+	if b == nil {
+		return errdefs.NotFound(errors.New("volume bucket does not exist"))
+	}
+	val := b.Get([]byte(name))
+	if len(val) == 0 {
+		return nil
+	}
+	if err := json.Unmarshal(val, meta); err != nil {
+		return errors.Wrap(err, "error unmarshaling volume metadata")
+	}
+	return nil
+}
+
+func (s *VolumeStore) removeMeta(name string) error {
+	return s.db.Update(func(tx *bolt.Tx) error {
+		return removeMeta(tx, name)
+	})
+}
+
+func removeMeta(tx *bolt.Tx, name string) error {
+	b := tx.Bucket(volumeBucketName)
+	return errors.Wrap(b.Delete([]byte(name)), "error removing volume metadata")
+}
+
+// listMeta is used during restore to get the list of volume metadata
+// from the on-disk database.
+// Any errors that occur are only logged.
+func listMeta(tx *bolt.Tx) []volumeMetadata {
+	var ls []volumeMetadata
+	b := tx.Bucket(volumeBucketName)
+	b.ForEach(func(k, v []byte) error {
+		if len(v) == 0 {
+			// don't try to unmarshal an empty value
+			return nil
+		}
+
+		var m volumeMetadata
+		if err := json.Unmarshal(v, &m); err != nil {
+			// Just log the error
+			logrus.Errorf("Error while reading volume metadata for volume %q: %v", string(k), err)
+			return nil
+		}
+		ls = append(ls, m)
+		return nil
+	})
+	return ls
+}
diff --git a/engine/volume/service/db_test.go b/engine/volume/service/db_test.go
new file mode 100644
index 00000000..4cac9176
--- /dev/null
+++ b/engine/volume/service/db_test.go
@@ -0,0 +1,52 @@
+package service // import "github.com/docker/docker/volume/service"
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/boltdb/bolt"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestSetGetMeta(t *testing.T) {
+	t.Parallel()
+
+	dir, err := ioutil.TempDir("", "test-set-get")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dir)
+
+	db, err := bolt.Open(filepath.Join(dir, "db"), 0600, &bolt.Options{Timeout: 1 * time.Second})
+	assert.NilError(t, err)
+
+	store := &VolumeStore{db: db}
+
+	_, err = store.getMeta("test")
+	assert.Assert(t, is.ErrorContains(err, ""))
+
+	err = db.Update(func(tx *bolt.Tx) error {
+		_, err := tx.CreateBucket(volumeBucketName)
+		return err
+	})
+	assert.NilError(t, err)
+
+	meta, err := store.getMeta("test")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, volumeMetadata{}, meta)
+
+	testMeta := volumeMetadata{
+		Name:    "test",
+		Driver:  "fake",
+		Labels:  map[string]string{"a": "1", "b": "2"},
+		Options: map[string]string{"foo": "bar"},
+	}
+	err = store.setMeta("test", testMeta)
+	assert.NilError(t, err)
+
+	meta, err = store.getMeta("test")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, testMeta, meta)
+}
diff --git a/engine/volume/service/default_driver.go b/engine/volume/service/default_driver.go
new file mode 100644
index 00000000..1c1d5c54
--- /dev/null
+++ b/engine/volume/service/default_driver.go
@@ -0,0 +1,21 @@
+// +build linux windows
+
+package service // import "github.com/docker/docker/volume/service"
+import (
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/volume"
+	"github.com/docker/docker/volume/drivers"
+	"github.com/docker/docker/volume/local"
+	"github.com/pkg/errors"
+)
+
+func setupDefaultDriver(store *drivers.Store, root string, rootIDs idtools.IDPair) error {
+	d, err := local.New(root, rootIDs)
+	if err != nil {
+		return errors.Wrap(err, "error setting up default driver")
+	}
+	if !store.Register(d, volume.DefaultDriverName) {
+		return errors.New("local volume driver could not be registered")
+	}
+	return nil
+}
diff --git a/engine/volume/service/default_driver_stubs.go b/engine/volume/service/default_driver_stubs.go
new file mode 100644
index 00000000..fdb275eb
--- /dev/null
+++ b/engine/volume/service/default_driver_stubs.go
@@ -0,0 +1,10 @@
+// +build !linux,!windows
+
+package service // import "github.com/docker/docker/volume/service"
+
+import (
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/volume/drivers"
+)
+
+func setupDefaultDriver(_ *drivers.Store, _ string, _ idtools.IDPair) error { return nil }
diff --git a/engine/volume/service/errors.go b/engine/volume/service/errors.go
new file mode 100644
index 00000000..ce2d678d
--- /dev/null
+++ b/engine/volume/service/errors.go
@@ -0,0 +1,111 @@
+package service // import "github.com/docker/docker/volume/service"
+
+import (
+	"fmt"
+	"strings"
+)
+
+const (
+	// errVolumeInUse is a typed error returned when trying to remove a volume that is currently in use by a container
+	errVolumeInUse conflictError = "volume is in use"
+	// errNoSuchVolume is a typed error returned if the requested volume doesn't exist in the volume store
+	errNoSuchVolume notFoundError = "no such volume"
+	// errNameConflict is a typed error returned on create when a volume exists with the given name, but for a different driver
+	errNameConflict conflictError = "volume name must be unique"
+)
+
+type conflictError string
+
+func (e conflictError) Error() string {
+	return string(e)
+}
+func (conflictError) Conflict() {}
+
+type notFoundError string
+
+func (e notFoundError) Error() string {
+	return string(e)
+}
+
+func (notFoundError) NotFound() {}
+
+// OpErr is the error type returned by functions in the store package. It describes
+// the operation, volume name, and error.
+type OpErr struct {
+	// Err is the error that occurred during the operation.
+	Err error
+	// Op is the operation which caused the error, such as "create", or "list".
+	Op string
+	// Name is the name of the resource being requested for this op, typically the volume name or the driver name.
+	Name string
+	// Refs is the list of references associated with the resource.
+	Refs []string
+}
+
+// Error satisfies the built-in error interface type.
+func (e *OpErr) Error() string {
+	if e == nil {
+		return "<nil>"
+	}
+	s := e.Op
+	if e.Name != "" {
+		s = s + " " + e.Name
+	}
+
+	s = s + ": " + e.Err.Error()
+	if len(e.Refs) > 0 {
+		s = s + " - " + "[" + strings.Join(e.Refs, ", ") + "]"
+	}
+	return s
+}
+
+// Cause returns the error the caused this error
+func (e *OpErr) Cause() error {
+	return e.Err
+}
+
+// IsInUse returns a boolean indicating whether the error indicates that a
+// volume is in use
+func IsInUse(err error) bool {
+	return isErr(err, errVolumeInUse)
+}
+
+// IsNotExist returns a boolean indicating whether the error indicates that the volume does not exist
+func IsNotExist(err error) bool {
+	return isErr(err, errNoSuchVolume)
+}
+
+// IsNameConflict returns a boolean indicating whether the error indicates that a
+// volume name is already taken
+func IsNameConflict(err error) bool {
+	return isErr(err, errNameConflict)
+}
+
+type causal interface {
+	Cause() error
+}
+
+func isErr(err error, expected error) bool {
+	switch pe := err.(type) {
+	case nil:
+		return false
+	case causal:
+		return isErr(pe.Cause(), expected)
+	}
+	return err == expected
+}
+
+type invalidFilter struct {
+	filter string
+	value  interface{}
+}
+
+func (e invalidFilter) Error() string {
+	msg := "Invalid filter '" + e.filter
+	if e.value != nil {
+		msg += fmt.Sprintf("=%s", e.value)
+	}
+	return msg + "'"
+}
+
+func (e invalidFilter) InvalidParameter() {}
diff --git a/engine/volume/service/opts/opts.go b/engine/volume/service/opts/opts.go
new file mode 100644
index 00000000..6c7e5f4e
--- /dev/null
+++ b/engine/volume/service/opts/opts.go
@@ -0,0 +1,89 @@
+package opts
+
+// CreateOption is used to pass options in when creating a volume
+type CreateOption func(*CreateConfig)
+
+// CreateConfig is the set of config options that can be set when creating
+// a volume
+type CreateConfig struct {
+	Options   map[string]string
+	Labels    map[string]string
+	Reference string
+}
+
+// WithCreateLabels creates a CreateOption which sets the labels to the
+// passed in value
+func WithCreateLabels(labels map[string]string) CreateOption {
+	return func(cfg *CreateConfig) {
+		cfg.Labels = labels
+	}
+}
+
+// WithCreateOptions creates a CreateOption which sets the options passed
+// to the volume driver when creating a volume to the options passed in.
+func WithCreateOptions(opts map[string]string) CreateOption {
+	return func(cfg *CreateConfig) {
+		cfg.Options = opts
+	}
+}
+
+// WithCreateReference creats a CreateOption which sets a reference to use
+// when creating a volume. This ensures that the volume is created with a reference
+// already attached to it to prevent race conditions with Create and volume cleanup.
+func WithCreateReference(ref string) CreateOption {
+	return func(cfg *CreateConfig) {
+		cfg.Reference = ref
+	}
+}
+
+// GetConfig is used with `GetOption` to set options for the volumes service's
+// `Get` implementation.
+type GetConfig struct {
+	Driver        string
+	Reference     string
+	ResolveStatus bool
+}
+
+// GetOption is passed to the service `Get` add extra details on the get request
+type GetOption func(*GetConfig)
+
+// WithGetDriver provides the driver to get the volume from
+// If no driver is provided to `Get`, first the available metadata is checked
+// to see which driver it belongs to, if that is not available all drivers are
+// probed to find the volume.
+func WithGetDriver(name string) GetOption {
+	return func(o *GetConfig) {
+		o.Driver = name
+	}
+}
+
+// WithGetReference indicates to `Get` to increment the reference count for the
+// retreived volume with the provided reference ID.
+func WithGetReference(ref string) GetOption {
+	return func(o *GetConfig) {
+		o.Reference = ref
+	}
+}
+
+// WithGetResolveStatus indicates to `Get` to also fetch the volume status.
+// This can cause significant overhead in the volume lookup.
+func WithGetResolveStatus(cfg *GetConfig) {
+	cfg.ResolveStatus = true
+}
+
+// RemoveConfig is used by `RemoveOption` to store config options for remove
+type RemoveConfig struct {
+	PurgeOnError bool
+}
+
+// RemoveOption is used to pass options to the volumes service `Remove` implementation
+type RemoveOption func(*RemoveConfig)
+
+// WithPurgeOnError is an option passed to `Remove` which will purge all cached
+// data about a volume even if there was an error while attempting to remove the
+// volume.
+func WithPurgeOnError(b bool) RemoveOption {
+	return func(o *RemoveConfig) {
+		o.PurgeOnError = b
+	}
+}
diff --git a/engine/volume/service/restore.go b/engine/volume/service/restore.go
new file mode 100644
index 00000000..55c66c4f
--- /dev/null
+++ b/engine/volume/service/restore.go
@@ -0,0 +1,85 @@
+package service // import "github.com/docker/docker/volume/service"
+
+import (
+	"context"
+	"sync"
+
+	"github.com/boltdb/bolt"
+	"github.com/docker/docker/volume"
+	"github.com/sirupsen/logrus"
+)
+
+// restore is called when a new volume store is created.
+// It's primary purpose is to ensure that all drivers' refcounts are set based
+// on known volumes after a restart.
+// This only attempts to track volumes that are actually stored in the on-disk db.
+// It does not probe the available drivers to find anything that may have been added
+// out of band.
+func (s *VolumeStore) restore() {
+	var ls []volumeMetadata
+	s.db.View(func(tx *bolt.Tx) error {
+		ls = listMeta(tx)
+		return nil
+	})
+	ctx := context.Background()
+
+	chRemove := make(chan *volumeMetadata, len(ls))
+	var wg sync.WaitGroup
+	for _, meta := range ls {
+		wg.Add(1)
+		// this is potentially a very slow operation, so do it in a goroutine
+		go func(meta volumeMetadata) {
+			defer wg.Done()
+
+			var v volume.Volume
+			var err error
+			if meta.Driver != "" {
+				v, err = lookupVolume(ctx, s.drivers, meta.Driver, meta.Name)
+				if err != nil && err != errNoSuchVolume {
+					logrus.WithError(err).WithField("driver", meta.Driver).WithField("volume", meta.Name).Warn("Error restoring volume")
+					return
+				}
+				if v == nil {
+					// doesn't exist in the driver, remove it from the db
+					chRemove <- &meta
+					return
+				}
+			} else {
+				v, err = s.getVolume(ctx, meta.Name, meta.Driver)
+				if err != nil {
+					if err == errNoSuchVolume {
+						chRemove <- &meta
+					}
+					return
+				}
+
+				meta.Driver = v.DriverName()
+				if err := s.setMeta(v.Name(), meta); err != nil {
+					logrus.WithError(err).WithField("driver", meta.Driver).WithField("volume", v.Name()).Warn("Error updating volume metadata on restore")
+				}
+			}
+
+			// increment driver refcount
+			s.drivers.CreateDriver(meta.Driver)
+
+			// cache the volume
+			s.globalLock.Lock()
+			s.options[v.Name()] = meta.Options
+			s.labels[v.Name()] = meta.Labels
+			s.names[v.Name()] = v
+			s.refs[v.Name()] = make(map[string]struct{})
+			s.globalLock.Unlock()
+		}(meta)
+	}
+
+	wg.Wait()
+	close(chRemove)
+	s.db.Update(func(tx *bolt.Tx) error {
+		for meta := range chRemove {
+			if err := removeMeta(tx, meta.Name); err != nil {
+				logrus.WithField("volume", meta.Name).Warnf("Error removing stale entry from volume db: %v", err)
+			}
+		}
+		return nil
+	})
+}
diff --git a/engine/volume/service/restore_test.go b/engine/volume/service/restore_test.go
new file mode 100644
index 00000000..95420d95
--- /dev/null
+++ b/engine/volume/service/restore_test.go
@@ -0,0 +1,58 @@
+package service // import "github.com/docker/docker/volume/service"
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/volume"
+	volumedrivers "github.com/docker/docker/volume/drivers"
+	"github.com/docker/docker/volume/service/opts"
+	volumetestutils "github.com/docker/docker/volume/testutils"
+	"gotest.tools/assert"
+)
+
+func TestRestore(t *testing.T) {
+	t.Parallel()
+
+	dir, err := ioutil.TempDir("", "test-restore")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dir)
+
+	drivers := volumedrivers.NewStore(nil)
+	driverName := "test-restore"
+	drivers.Register(volumetestutils.NewFakeDriver(driverName), driverName)
+
+	s, err := NewStore(dir, drivers)
+	assert.NilError(t, err)
+	defer s.Shutdown()
+
+	ctx := context.Background()
+	_, err = s.Create(ctx, "test1", driverName)
+	assert.NilError(t, err)
+
+	testLabels := map[string]string{"a": "1"}
+	testOpts := map[string]string{"foo": "bar"}
+	_, err = s.Create(ctx, "test2", driverName, opts.WithCreateOptions(testOpts), opts.WithCreateLabels(testLabels))
+	assert.NilError(t, err)
+
+	s.Shutdown()
+
+	s, err = NewStore(dir, drivers)
+	assert.NilError(t, err)
+
+	v, err := s.Get(ctx, "test1")
+	assert.NilError(t, err)
+
+	dv := v.(volume.DetailedVolume)
+	var nilMap map[string]string
+	assert.DeepEqual(t, nilMap, dv.Options())
+	assert.DeepEqual(t, nilMap, dv.Labels())
+
+	v, err = s.Get(ctx, "test2")
+	assert.NilError(t, err)
+	dv = v.(volume.DetailedVolume)
+	assert.DeepEqual(t, testOpts, dv.Options())
+	assert.DeepEqual(t, testLabels, dv.Labels())
+}
diff --git a/engine/volume/service/service.go b/engine/volume/service/service.go
new file mode 100644
index 00000000..a62a32de
--- /dev/null
+++ b/engine/volume/service/service.go
@@ -0,0 +1,243 @@
+package service // import "github.com/docker/docker/volume/service"
+
+import (
+	"context"
+	"sync/atomic"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/directory"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/volume"
+	"github.com/docker/docker/volume/drivers"
+	"github.com/docker/docker/volume/service/opts"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type ds interface {
+	GetDriverList() []string
+}
+
+type volumeEventLogger interface {
+	LogVolumeEvent(volumeID, action string, attributes map[string]string)
+}
+
+// VolumesService manages access to volumes
+type VolumesService struct {
+	vs           *VolumeStore
+	ds           ds
+	pruneRunning int32
+	eventLogger  volumeEventLogger
+}
+
+// NewVolumeService creates a new volume service
+func NewVolumeService(root string, pg plugingetter.PluginGetter, rootIDs idtools.IDPair, logger volumeEventLogger) (*VolumesService, error) {
+	ds := drivers.NewStore(pg)
+	if err := setupDefaultDriver(ds, root, rootIDs); err != nil {
+		return nil, err
+	}
+
+	vs, err := NewStore(root, ds)
+	if err != nil {
+		return nil, err
+	}
+	return &VolumesService{vs: vs, ds: ds, eventLogger: logger}, nil
+}
+
+// GetDriverList gets the list of registered volume drivers
+func (s *VolumesService) GetDriverList() []string {
+	return s.ds.GetDriverList()
+}
+
+// Create creates a volume
+func (s *VolumesService) Create(ctx context.Context, name, driverName string, opts ...opts.CreateOption) (*types.Volume, error) {
+	if name == "" {
+		name = stringid.GenerateNonCryptoID()
+	}
+	v, err := s.vs.Create(ctx, name, driverName, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	s.eventLogger.LogVolumeEvent(v.Name(), "create", map[string]string{"driver": v.DriverName()})
+	apiV := volumeToAPIType(v)
+	return &apiV, nil
+}
+
+// Get gets a volume
+func (s *VolumesService) Get(ctx context.Context, name string, getOpts ...opts.GetOption) (*types.Volume, error) {
+	v, err := s.vs.Get(ctx, name, getOpts...)
+	if err != nil {
+		return nil, err
+	}
+	vol := volumeToAPIType(v)
+
+	var cfg opts.GetConfig
+	for _, o := range getOpts {
+		o(&cfg)
+	}
+
+	if cfg.ResolveStatus {
+		vol.Status = v.Status()
+	}
+	return &vol, nil
+}
+
+// Mount mounts the volume
+func (s *VolumesService) Mount(ctx context.Context, vol *types.Volume, ref string) (string, error) {
+	v, err := s.vs.Get(ctx, vol.Name, opts.WithGetDriver(vol.Driver))
+	if err != nil {
+		if IsNotExist(err) {
+			err = errdefs.NotFound(err)
+		}
+		return "", err
+	}
+	return v.Mount(ref)
+}
+
+// Unmount unmounts the volume.
+// Note that depending on the implementation, the volume may still be mounted due to other resources using it.
+func (s *VolumesService) Unmount(ctx context.Context, vol *types.Volume, ref string) error {
+	v, err := s.vs.Get(ctx, vol.Name, opts.WithGetDriver(vol.Driver))
+	if err != nil {
+		if IsNotExist(err) {
+			err = errdefs.NotFound(err)
+		}
+		return err
+	}
+	return v.Unmount(ref)
+}
+
+// Release releases a volume reference
+func (s *VolumesService) Release(ctx context.Context, name string, ref string) error {
+	return s.vs.Release(ctx, name, ref)
+}
+
+// Remove removes a volume
+func (s *VolumesService) Remove(ctx context.Context, name string, rmOpts ...opts.RemoveOption) error {
+	var cfg opts.RemoveConfig
+	for _, o := range rmOpts {
+		o(&cfg)
+	}
+
+	v, err := s.vs.Get(ctx, name)
+	if err != nil {
+		if IsNotExist(err) && cfg.PurgeOnError {
+			return nil
+		}
+		return err
+	}
+
+	err = s.vs.Remove(ctx, v, rmOpts...)
+	if IsNotExist(err) {
+		err = nil
+	} else if IsInUse(err) {
+		err = errdefs.Conflict(err)
+	} else if IsNotExist(err) && cfg.PurgeOnError {
+		err = nil
+	}
+
+	if err == nil {
+		s.eventLogger.LogVolumeEvent(v.Name(), "destroy", map[string]string{"driver": v.DriverName()})
+	}
+	return err
+}
+
+var acceptedPruneFilters = map[string]bool{
+	"label":  true,
+	"label!": true,
+}
+
+var acceptedListFilters = map[string]bool{
+	"dangling": true,
+	"name":     true,
+	"driver":   true,
+	"label":    true,
+}
+
+// LocalVolumesSize gets all local volumes and fetches their size on disk
+// Note that this intentionally skips volumes which have mount options. Typically
+// volumes with mount options are not really local even if they are using the
+// local driver.
+func (s *VolumesService) LocalVolumesSize(ctx context.Context) ([]*types.Volume, error) {
+	ls, _, err := s.vs.Find(ctx, And(ByDriver(volume.DefaultDriverName), CustomFilter(func(v volume.Volume) bool {
+		dv, ok := v.(volume.DetailedVolume)
+		return ok && len(dv.Options()) == 0
+	})))
+	if err != nil {
+		return nil, err
+	}
+	return s.volumesToAPI(ctx, ls, calcSize(true)), nil
+}
+
+// Prune removes (local) volumes which match the past in filter arguments.
+// Note that this intentionally skips volumes with mount options as there would
+// be no space reclaimed in this case.
+func (s *VolumesService) Prune(ctx context.Context, filter filters.Args) (*types.VolumesPruneReport, error) {
+	if !atomic.CompareAndSwapInt32(&s.pruneRunning, 0, 1) {
+		return nil, errdefs.Conflict(errors.New("a prune operation is already running"))
+	}
+	defer atomic.StoreInt32(&s.pruneRunning, 0)
+
+	by, err := filtersToBy(filter, acceptedPruneFilters)
+	if err != nil {
+		return nil, err
+	}
+	ls, _, err := s.vs.Find(ctx, And(ByDriver(volume.DefaultDriverName), ByReferenced(false), by, CustomFilter(func(v volume.Volume) bool {
+		dv, ok := v.(volume.DetailedVolume)
+		return ok && len(dv.Options()) == 0
+	})))
+	if err != nil {
+		return nil, err
+	}
+
+	rep := &types.VolumesPruneReport{VolumesDeleted: make([]string, 0, len(ls))}
+	for _, v := range ls {
+		select {
+		case <-ctx.Done():
+			err := ctx.Err()
+			if err == context.Canceled {
+				err = nil
+			}
+			return rep, err
+		default:
+		}
+
+		vSize, err := directory.Size(ctx, v.Path())
+		if err != nil {
+			logrus.WithField("volume", v.Name()).WithError(err).Warn("could not determine size of volume")
+		}
+		if err := s.vs.Remove(ctx, v); err != nil {
+			logrus.WithError(err).WithField("volume", v.Name()).Warnf("Could not determine size of volume")
+			continue
+		}
+		rep.SpaceReclaimed += uint64(vSize)
+		rep.VolumesDeleted = append(rep.VolumesDeleted, v.Name())
+	}
+	return rep, nil
+}
+
+// List gets the list of volumes which match the past in filters
+// If filters is nil or empty all volumes are returned.
+func (s *VolumesService) List(ctx context.Context, filter filters.Args) (volumesOut []*types.Volume, warnings []string, err error) {
+	by, err := filtersToBy(filter, acceptedListFilters)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	volumes, warnings, err := s.vs.Find(ctx, by)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return s.volumesToAPI(ctx, volumes, useCachedPath(true)), warnings, nil
+}
+
+// Shutdown shuts down the image service and dependencies
+func (s *VolumesService) Shutdown() error {
+	return s.vs.Shutdown()
+}
diff --git a/engine/volume/service/service_linux_test.go b/engine/volume/service/service_linux_test.go
new file mode 100644
index 00000000..ae70d7e2
--- /dev/null
+++ b/engine/volume/service/service_linux_test.go
@@ -0,0 +1,66 @@
+package service
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/docker/docker/volume"
+	volumedrivers "github.com/docker/docker/volume/drivers"
+	"github.com/docker/docker/volume/local"
+	"github.com/docker/docker/volume/service/opts"
+	"github.com/docker/docker/volume/testutils"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestLocalVolumeSize(t *testing.T) {
+	t.Parallel()
+
+	ds := volumedrivers.NewStore(nil)
+	dir, err := ioutil.TempDir("", t.Name())
+	assert.Assert(t, err)
+	defer os.RemoveAll(dir)
+
+	l, err := local.New(dir, idtools.IDPair{UID: os.Getuid(), GID: os.Getegid()})
+	assert.Assert(t, err)
+	assert.Assert(t, ds.Register(l, volume.DefaultDriverName))
+	assert.Assert(t, ds.Register(testutils.NewFakeDriver("fake"), "fake"))
+
+	service, cleanup := newTestService(t, ds)
+	defer cleanup()
+
+	ctx := context.Background()
+	v1, err := service.Create(ctx, "test1", volume.DefaultDriverName, opts.WithCreateReference("foo"))
+	assert.Assert(t, err)
+	v2, err := service.Create(ctx, "test2", volume.DefaultDriverName)
+	assert.Assert(t, err)
+	_, err = service.Create(ctx, "test3", "fake")
+	assert.Assert(t, err)
+
+	data := make([]byte, 1024)
+	err = ioutil.WriteFile(filepath.Join(v1.Mountpoint, "data"), data, 0644)
+	assert.Assert(t, err)
+	err = ioutil.WriteFile(filepath.Join(v2.Mountpoint, "data"), data[:1], 0644)
+	assert.Assert(t, err)
+
+	ls, err := service.LocalVolumesSize(ctx)
+	assert.Assert(t, err)
+	assert.Assert(t, is.Len(ls, 2))
+
+	for _, v := range ls {
+		switch v.Name {
+		case "test1":
+			assert.Assert(t, is.Equal(v.UsageData.Size, int64(len(data))))
+			assert.Assert(t, is.Equal(v.UsageData.RefCount, int64(1)))
+		case "test2":
+			assert.Assert(t, is.Equal(v.UsageData.Size, int64(len(data[:1]))))
+			assert.Assert(t, is.Equal(v.UsageData.RefCount, int64(0)))
+		default:
+			t.Fatalf("got unexpected volume: %+v", v)
+		}
+	}
+}
diff --git a/engine/volume/service/service_test.go b/engine/volume/service/service_test.go
new file mode 100644
index 00000000..870d19f8
--- /dev/null
+++ b/engine/volume/service/service_test.go
@@ -0,0 +1,253 @@
+package service
+
+import (
+	"context"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/volume"
+	volumedrivers "github.com/docker/docker/volume/drivers"
+	"github.com/docker/docker/volume/service/opts"
+	"github.com/docker/docker/volume/testutils"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestServiceCreate(t *testing.T) {
+	t.Parallel()
+
+	ds := volumedrivers.NewStore(nil)
+	assert.Assert(t, ds.Register(testutils.NewFakeDriver("d1"), "d1"))
+	assert.Assert(t, ds.Register(testutils.NewFakeDriver("d2"), "d2"))
+
+	ctx := context.Background()
+	service, cleanup := newTestService(t, ds)
+	defer cleanup()
+
+	_, err := service.Create(ctx, "v1", "notexist")
+	assert.Assert(t, errdefs.IsNotFound(err), err)
+
+	v, err := service.Create(ctx, "v1", "d1")
+	assert.Assert(t, err)
+
+	vCopy, err := service.Create(ctx, "v1", "d1")
+	assert.Assert(t, err)
+	assert.Assert(t, is.DeepEqual(v, vCopy))
+
+	_, err = service.Create(ctx, "v1", "d2")
+	assert.Check(t, IsNameConflict(err), err)
+	assert.Check(t, errdefs.IsConflict(err), err)
+
+	assert.Assert(t, service.Remove(ctx, "v1"))
+	_, err = service.Create(ctx, "v1", "d2")
+	assert.Assert(t, err)
+	_, err = service.Create(ctx, "v1", "d2")
+	assert.Assert(t, err)
+
+}
+
+func TestServiceList(t *testing.T) {
+	t.Parallel()
+
+	ds := volumedrivers.NewStore(nil)
+	assert.Assert(t, ds.Register(testutils.NewFakeDriver("d1"), "d1"))
+	assert.Assert(t, ds.Register(testutils.NewFakeDriver("d2"), "d2"))
+
+	service, cleanup := newTestService(t, ds)
+	defer cleanup()
+
+	ctx := context.Background()
+
+	_, err := service.Create(ctx, "v1", "d1")
+	assert.Assert(t, err)
+	_, err = service.Create(ctx, "v2", "d1")
+	assert.Assert(t, err)
+	_, err = service.Create(ctx, "v3", "d2")
+	assert.Assert(t, err)
+
+	ls, _, err := service.List(ctx, filters.NewArgs(filters.Arg("driver", "d1")))
+	assert.Assert(t, err)
+	assert.Check(t, is.Len(ls, 2))
+
+	ls, _, err = service.List(ctx, filters.NewArgs(filters.Arg("driver", "d2")))
+	assert.Assert(t, err)
+	assert.Check(t, is.Len(ls, 1))
+
+	ls, _, err = service.List(ctx, filters.NewArgs(filters.Arg("driver", "notexist")))
+	assert.Assert(t, err)
+	assert.Check(t, is.Len(ls, 0))
+
+	ls, _, err = service.List(ctx, filters.NewArgs(filters.Arg("dangling", "true")))
+	assert.Assert(t, err)
+	assert.Check(t, is.Len(ls, 3))
+	ls, _, err = service.List(ctx, filters.NewArgs(filters.Arg("dangling", "false")))
+	assert.Assert(t, err)
+	assert.Check(t, is.Len(ls, 0))
+
+	_, err = service.Get(ctx, "v1", opts.WithGetReference("foo"))
+	assert.Assert(t, err)
+	ls, _, err = service.List(ctx, filters.NewArgs(filters.Arg("dangling", "true")))
+	assert.Assert(t, err)
+	assert.Check(t, is.Len(ls, 2))
+	ls, _, err = service.List(ctx, filters.NewArgs(filters.Arg("dangling", "false")))
+	assert.Assert(t, err)
+	assert.Check(t, is.Len(ls, 1))
+
+	ls, _, err = service.List(ctx, filters.NewArgs(filters.Arg("dangling", "false"), filters.Arg("driver", "d2")))
+	assert.Assert(t, err)
+	assert.Check(t, is.Len(ls, 0))
+	ls, _, err = service.List(ctx, filters.NewArgs(filters.Arg("dangling", "true"), filters.Arg("driver", "d2")))
+	assert.Assert(t, err)
+	assert.Check(t, is.Len(ls, 1))
+}
+
+func TestServiceRemove(t *testing.T) {
+	t.Parallel()
+
+	ds := volumedrivers.NewStore(nil)
+	assert.Assert(t, ds.Register(testutils.NewFakeDriver("d1"), "d1"))
+
+	service, cleanup := newTestService(t, ds)
+	defer cleanup()
+	ctx := context.Background()
+
+	_, err := service.Create(ctx, "test", "d1")
+	assert.Assert(t, err)
+
+	assert.Assert(t, service.Remove(ctx, "test"))
+	assert.Assert(t, service.Remove(ctx, "test", opts.WithPurgeOnError(true)))
+}
+
+func TestServiceGet(t *testing.T) {
+	t.Parallel()
+
+	ds := volumedrivers.NewStore(nil)
+	assert.Assert(t, ds.Register(testutils.NewFakeDriver("d1"), "d1"))
+
+	service, cleanup := newTestService(t, ds)
+	defer cleanup()
+	ctx := context.Background()
+
+	v, err := service.Get(ctx, "notexist")
+	assert.Assert(t, IsNotExist(err))
+	assert.Check(t, v == nil)
+
+	created, err := service.Create(ctx, "test", "d1")
+	assert.Assert(t, err)
+	assert.Assert(t, created != nil)
+
+	v, err = service.Get(ctx, "test")
+	assert.Assert(t, err)
+	assert.Assert(t, is.DeepEqual(created, v))
+
+	v, err = service.Get(ctx, "test", opts.WithGetResolveStatus)
+	assert.Assert(t, err)
+	assert.Assert(t, is.Len(v.Status, 1), v.Status)
+
+	v, err = service.Get(ctx, "test", opts.WithGetDriver("notarealdriver"))
+	assert.Assert(t, errdefs.IsConflict(err), err)
+	v, err = service.Get(ctx, "test", opts.WithGetDriver("d1"))
+	assert.Assert(t, err == nil)
+	assert.Assert(t, is.DeepEqual(created, v))
+
+	assert.Assert(t, ds.Register(testutils.NewFakeDriver("d2"), "d2"))
+	v, err = service.Get(ctx, "test", opts.WithGetDriver("d2"))
+	assert.Assert(t, errdefs.IsConflict(err), err)
+}
+
+func TestServicePrune(t *testing.T) {
+	t.Parallel()
+
+	ds := volumedrivers.NewStore(nil)
+	assert.Assert(t, ds.Register(testutils.NewFakeDriver(volume.DefaultDriverName), volume.DefaultDriverName))
+	assert.Assert(t, ds.Register(testutils.NewFakeDriver("other"), "other"))
+
+	service, cleanup := newTestService(t, ds)
+	defer cleanup()
+	ctx := context.Background()
+
+	_, err := service.Create(ctx, "test", volume.DefaultDriverName)
+	assert.Assert(t, err)
+	_, err = service.Create(ctx, "test2", "other")
+	assert.Assert(t, err)
+
+	pr, err := service.Prune(ctx, filters.NewArgs(filters.Arg("label", "banana")))
+	assert.Assert(t, err)
+	assert.Assert(t, is.Len(pr.VolumesDeleted, 0))
+
+	pr, err = service.Prune(ctx, filters.NewArgs())
+	assert.Assert(t, err)
+	assert.Assert(t, is.Len(pr.VolumesDeleted, 1))
+	assert.Assert(t, is.Equal(pr.VolumesDeleted[0], "test"))
+
+	_, err = service.Get(ctx, "test")
+	assert.Assert(t, IsNotExist(err), err)
+
+	v, err := service.Get(ctx, "test2")
+	assert.Assert(t, err)
+	assert.Assert(t, is.Equal(v.Driver, "other"))
+
+	_, err = service.Create(ctx, "test", volume.DefaultDriverName)
+	assert.Assert(t, err)
+
+	pr, err = service.Prune(ctx, filters.NewArgs(filters.Arg("label!", "banana")))
+	assert.Assert(t, err)
+	assert.Assert(t, is.Len(pr.VolumesDeleted, 1))
+	assert.Assert(t, is.Equal(pr.VolumesDeleted[0], "test"))
+	v, err = service.Get(ctx, "test2")
+	assert.Assert(t, err)
+	assert.Assert(t, is.Equal(v.Driver, "other"))
+
+	_, err = service.Create(ctx, "test", volume.DefaultDriverName, opts.WithCreateLabels(map[string]string{"banana": ""}))
+	assert.Assert(t, err)
+	pr, err = service.Prune(ctx, filters.NewArgs(filters.Arg("label!", "banana")))
+	assert.Assert(t, err)
+	assert.Assert(t, is.Len(pr.VolumesDeleted, 0))
+
+	_, err = service.Create(ctx, "test3", volume.DefaultDriverName, opts.WithCreateLabels(map[string]string{"banana": "split"}))
+	assert.Assert(t, err)
+	pr, err = service.Prune(ctx, filters.NewArgs(filters.Arg("label!", "banana=split")))
+	assert.Assert(t, err)
+	assert.Assert(t, is.Len(pr.VolumesDeleted, 1))
+	assert.Assert(t, is.Equal(pr.VolumesDeleted[0], "test"))
+
+	pr, err = service.Prune(ctx, filters.NewArgs(filters.Arg("label", "banana=split")))
+	assert.Assert(t, err)
+	assert.Assert(t, is.Len(pr.VolumesDeleted, 1))
+	assert.Assert(t, is.Equal(pr.VolumesDeleted[0], "test3"))
+
+	v, err = service.Create(ctx, "test", volume.DefaultDriverName, opts.WithCreateReference(t.Name()))
+	assert.Assert(t, err)
+
+	pr, err = service.Prune(ctx, filters.NewArgs())
+	assert.Assert(t, err)
+	assert.Assert(t, is.Len(pr.VolumesDeleted, 0))
+	assert.Assert(t, service.Release(ctx, v.Name, t.Name()))
+
+	pr, err = service.Prune(ctx, filters.NewArgs())
+	assert.Assert(t, err)
+	assert.Assert(t, is.Len(pr.VolumesDeleted, 1))
+	assert.Assert(t, is.Equal(pr.VolumesDeleted[0], "test"))
+}
+
+func newTestService(t *testing.T, ds *volumedrivers.Store) (*VolumesService, func()) {
+	t.Helper()
+
+	dir, err := ioutil.TempDir("", t.Name())
+	assert.Assert(t, err)
+
+	store, err := NewStore(dir, ds)
+	assert.Assert(t, err)
+	s := &VolumesService{vs: store, eventLogger: dummyEventLogger{}}
+	return s, func() {
+		assert.Check(t, s.Shutdown())
+		assert.Check(t, os.RemoveAll(dir))
+	}
+}
+
+type dummyEventLogger struct{}
+
+func (dummyEventLogger) LogVolumeEvent(_, _ string, _ map[string]string) {}
diff --git a/engine/volume/service/store.go b/engine/volume/service/store.go
new file mode 100644
index 00000000..e7e9d8a3
--- /dev/null
+++ b/engine/volume/service/store.go
@@ -0,0 +1,858 @@
+package service // import "github.com/docker/docker/volume/service"
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sync"
+	"time"
+
+	"github.com/pkg/errors"
+
+	"github.com/boltdb/bolt"
+	"github.com/docker/docker/errdefs"
+	"github.com/docker/docker/pkg/locker"
+	"github.com/docker/docker/volume"
+	"github.com/docker/docker/volume/drivers"
+	volumemounts "github.com/docker/docker/volume/mounts"
+	"github.com/docker/docker/volume/service/opts"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	volumeDataDir = "volumes"
+)
+
+type volumeWrapper struct {
+	volume.Volume
+	labels  map[string]string
+	scope   string
+	options map[string]string
+}
+
+func (v volumeWrapper) Options() map[string]string {
+	if v.options == nil {
+		return nil
+	}
+	options := make(map[string]string, len(v.options))
+	for key, value := range v.options {
+		options[key] = value
+	}
+	return options
+}
+
+func (v volumeWrapper) Labels() map[string]string {
+	if v.labels == nil {
+		return nil
+	}
+
+	labels := make(map[string]string, len(v.labels))
+	for key, value := range v.labels {
+		labels[key] = value
+	}
+	return labels
+}
+
+func (v volumeWrapper) Scope() string {
+	return v.scope
+}
+
+func (v volumeWrapper) CachedPath() string {
+	if vv, ok := v.Volume.(interface {
+		CachedPath() string
+	}); ok {
+		return vv.CachedPath()
+	}
+	return v.Volume.Path()
+}
+
+// NewStore creates a new volume store at the given path
+func NewStore(rootPath string, drivers *drivers.Store) (*VolumeStore, error) {
+	vs := &VolumeStore{
+		locks:   &locker.Locker{},
+		names:   make(map[string]volume.Volume),
+		refs:    make(map[string]map[string]struct{}),
+		labels:  make(map[string]map[string]string),
+		options: make(map[string]map[string]string),
+		drivers: drivers,
+	}
+
+	if rootPath != "" {
+		// initialize metadata store
+		volPath := filepath.Join(rootPath, volumeDataDir)
+		if err := os.MkdirAll(volPath, 0750); err != nil {
+			return nil, err
+		}
+
+		var err error
+		vs.db, err = bolt.Open(filepath.Join(volPath, "metadata.db"), 0600, &bolt.Options{Timeout: 1 * time.Second})
+		if err != nil {
+			return nil, errors.Wrap(err, "error while opening volume store metadata database")
+		}
+
+		// initialize volumes bucket
+		if err := vs.db.Update(func(tx *bolt.Tx) error {
+			if _, err := tx.CreateBucketIfNotExists(volumeBucketName); err != nil {
+				return errors.Wrap(err, "error while setting up volume store metadata database")
+			}
+			return nil
+		}); err != nil {
+			return nil, err
+		}
+	}
+
+	vs.restore()
+
+	return vs, nil
+}
+
+func (s *VolumeStore) getNamed(name string) (volume.Volume, bool) {
+	s.globalLock.RLock()
+	v, exists := s.names[name]
+	s.globalLock.RUnlock()
+	return v, exists
+}
+
+func (s *VolumeStore) setNamed(v volume.Volume, ref string) {
+	name := v.Name()
+
+	s.globalLock.Lock()
+	s.names[name] = v
+	if len(ref) > 0 {
+		if s.refs[name] == nil {
+			s.refs[name] = make(map[string]struct{})
+		}
+		s.refs[name][ref] = struct{}{}
+	}
+	s.globalLock.Unlock()
+}
+
+// hasRef returns true if the given name has at least one ref.
+// Callers of this function are expected to hold the name lock.
+func (s *VolumeStore) hasRef(name string) bool {
+	s.globalLock.RLock()
+	l := len(s.refs[name])
+	s.globalLock.RUnlock()
+	return l > 0
+}
+
+// getRefs gets the list of refs for a given name
+// Callers of this function are expected to hold the name lock.
+func (s *VolumeStore) getRefs(name string) []string {
+	s.globalLock.RLock()
+	defer s.globalLock.RUnlock()
+
+	refs := make([]string, 0, len(s.refs[name]))
+	for r := range s.refs[name] {
+		refs = append(refs, r)
+	}
+
+	return refs
+}
+
+// purge allows the cleanup of internal data on docker in case
+// the internal data is out of sync with volumes driver plugins.
+func (s *VolumeStore) purge(ctx context.Context, name string) error {
+	s.globalLock.Lock()
+	defer s.globalLock.Unlock()
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+	}
+
+	v, exists := s.names[name]
+	if exists {
+		driverName := v.DriverName()
+		if _, err := s.drivers.ReleaseDriver(driverName); err != nil {
+			logrus.WithError(err).WithField("driver", driverName).Error("Error releasing reference to volume driver")
+		}
+	}
+	if err := s.removeMeta(name); err != nil {
+		logrus.Errorf("Error removing volume metadata for volume %q: %v", name, err)
+	}
+	delete(s.names, name)
+	delete(s.refs, name)
+	delete(s.labels, name)
+	delete(s.options, name)
+	return nil
+}
+
+// VolumeStore is a struct that stores the list of volumes available and keeps track of their usage counts
+type VolumeStore struct {
+	// locks ensures that only one action is being performed on a particular volume at a time without locking the entire store
+	// since actions on volumes can be quite slow, this ensures the store is free to handle requests for other volumes.
+	locks   *locker.Locker
+	drivers *drivers.Store
+	// globalLock is used to protect access to mutable structures used by the store object
+	globalLock sync.RWMutex
+	// names stores the volume name -> volume relationship.
+	// This is used for making lookups faster so we don't have to probe all drivers
+	names map[string]volume.Volume
+	// refs stores the volume name and the list of things referencing it
+	refs map[string]map[string]struct{}
+	// labels stores volume labels for each volume
+	labels map[string]map[string]string
+	// options stores volume options for each volume
+	options map[string]map[string]string
+	db      *bolt.DB
+}
+
+func filterByDriver(names []string) filterFunc {
+	return func(v volume.Volume) bool {
+		for _, name := range names {
+			if name == v.DriverName() {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+func (s *VolumeStore) byReferenced(referenced bool) filterFunc {
+	return func(v volume.Volume) bool {
+		return s.hasRef(v.Name()) == referenced
+	}
+}
+
+func (s *VolumeStore) filter(ctx context.Context, vols *[]volume.Volume, by By) (warnings []string, err error) {
+	// note that this specifically does not support the `FromList` By type.
+	switch f := by.(type) {
+	case nil:
+		if *vols == nil {
+			var ls []volume.Volume
+			ls, warnings, err = s.list(ctx)
+			if err != nil {
+				return warnings, err
+			}
+			*vols = ls
+		}
+	case byDriver:
+		if *vols != nil {
+			filter(vols, filterByDriver([]string(f)))
+			return nil, nil
+		}
+		var ls []volume.Volume
+		ls, warnings, err = s.list(ctx, []string(f)...)
+		if err != nil {
+			return nil, err
+		}
+		*vols = ls
+	case ByReferenced:
+		// TODO(@cpuguy83): It would be nice to optimize this by looking at the list
+		// of referenced volumes, however the locking strategy makes this difficult
+		// without either providing inconsistent data or deadlocks.
+		if *vols == nil {
+			var ls []volume.Volume
+			ls, warnings, err = s.list(ctx)
+			if err != nil {
+				return nil, err
+			}
+			*vols = ls
+		}
+		filter(vols, s.byReferenced(bool(f)))
+	case andCombinator:
+		for _, by := range f {
+			w, err := s.filter(ctx, vols, by)
+			if err != nil {
+				return warnings, err
+			}
+			warnings = append(warnings, w...)
+		}
+	case orCombinator:
+		for _, by := range f {
+			switch by.(type) {
+			case byDriver:
+				var ls []volume.Volume
+				w, err := s.filter(ctx, &ls, by)
+				if err != nil {
+					return warnings, err
+				}
+				warnings = append(warnings, w...)
+			default:
+				ls, w, err := s.list(ctx)
+				if err != nil {
+					return warnings, err
+				}
+				warnings = append(warnings, w...)
+				w, err = s.filter(ctx, &ls, by)
+				if err != nil {
+					return warnings, err
+				}
+				warnings = append(warnings, w...)
+				*vols = append(*vols, ls...)
+			}
+		}
+		unique(vols)
+	case CustomFilter:
+		if *vols == nil {
+			var ls []volume.Volume
+			ls, warnings, err = s.list(ctx)
+			if err != nil {
+				return nil, err
+			}
+			*vols = ls
+		}
+		filter(vols, filterFunc(f))
+	default:
+		return nil, errdefs.InvalidParameter(errors.Errorf("unsupported filter: %T", f))
+	}
+	return warnings, nil
+}
+
+func unique(ls *[]volume.Volume) {
+	names := make(map[string]bool, len(*ls))
+	filter(ls, func(v volume.Volume) bool {
+		if names[v.Name()] {
+			return false
+		}
+		names[v.Name()] = true
+		return true
+	})
+}
+
+// Find lists volumes filtered by the past in filter.
+// If a driver returns a volume that has name which conflicts with another volume from a different driver,
+// the first volume is chosen and the conflicting volume is dropped.
+func (s *VolumeStore) Find(ctx context.Context, by By) (vols []volume.Volume, warnings []string, err error) {
+	logrus.WithField("ByType", fmt.Sprintf("%T", by)).WithField("ByValue", fmt.Sprintf("%+v", by)).Debug("VolumeStore.Find")
+	switch f := by.(type) {
+	case nil, orCombinator, andCombinator, byDriver, ByReferenced, CustomFilter:
+		warnings, err = s.filter(ctx, &vols, by)
+	case fromList:
+		warnings, err = s.filter(ctx, f.ls, f.by)
+	default:
+		// Really shouldn't be possible, but makes sure that any new By's are added to this check.
+		err = errdefs.InvalidParameter(errors.Errorf("unsupported filter type: %T", f))
+	}
+	if err != nil {
+		return nil, nil, &OpErr{Err: err, Op: "list"}
+	}
+
+	var out []volume.Volume
+
+	for _, v := range vols {
+		name := normalizeVolumeName(v.Name())
+
+		s.locks.Lock(name)
+		storedV, exists := s.getNamed(name)
+		// Note: it's not safe to populate the cache here because the volume may have been
+		// deleted before we acquire a lock on its name
+		if exists && storedV.DriverName() != v.DriverName() {
+			logrus.Warnf("Volume name %s already exists for driver %s, not including volume returned by %s", v.Name(), storedV.DriverName(), v.DriverName())
+			s.locks.Unlock(v.Name())
+			continue
+		}
+
+		out = append(out, v)
+		s.locks.Unlock(v.Name())
+	}
+	return out, warnings, nil
+}
+
+type filterFunc func(volume.Volume) bool
+
+func filter(vols *[]volume.Volume, fn filterFunc) {
+	var evict []int
+	for i, v := range *vols {
+		if !fn(v) {
+			evict = append(evict, i)
+		}
+	}
+
+	for n, i := range evict {
+		copy((*vols)[i-n:], (*vols)[i-n+1:])
+		(*vols)[len(*vols)-1] = nil
+		*vols = (*vols)[:len(*vols)-1]
+	}
+}
+
+// list goes through each volume driver and asks for its list of volumes.
+// TODO(@cpuguy83): plumb context through
+func (s *VolumeStore) list(ctx context.Context, driverNames ...string) ([]volume.Volume, []string, error) {
+	var (
+		ls       = []volume.Volume{} // do not return a nil value as this affects filtering
+		warnings []string
+	)
+
+	var dls []volume.Driver
+
+	all, err := s.drivers.GetAllDrivers()
+	if err != nil {
+		return nil, nil, err
+	}
+	if len(driverNames) == 0 {
+		dls = all
+	} else {
+		idx := make(map[string]bool, len(driverNames))
+		for _, name := range driverNames {
+			idx[name] = true
+		}
+		for _, d := range all {
+			if idx[d.Name()] {
+				dls = append(dls, d)
+			}
+		}
+	}
+
+	type vols struct {
+		vols       []volume.Volume
+		err        error
+		driverName string
+	}
+	chVols := make(chan vols, len(dls))
+
+	for _, vd := range dls {
+		go func(d volume.Driver) {
+			vs, err := d.List()
+			if err != nil {
+				chVols <- vols{driverName: d.Name(), err: &OpErr{Err: err, Name: d.Name(), Op: "list"}}
+				return
+			}
+			for i, v := range vs {
+				s.globalLock.RLock()
+				vs[i] = volumeWrapper{v, s.labels[v.Name()], d.Scope(), s.options[v.Name()]}
+				s.globalLock.RUnlock()
+			}
+
+			chVols <- vols{vols: vs}
+		}(vd)
+	}
+
+	badDrivers := make(map[string]struct{})
+	for i := 0; i < len(dls); i++ {
+		vs := <-chVols
+
+		if vs.err != nil {
+			warnings = append(warnings, vs.err.Error())
+			badDrivers[vs.driverName] = struct{}{}
+		}
+		ls = append(ls, vs.vols...)
+	}
+
+	if len(badDrivers) > 0 {
+		s.globalLock.RLock()
+		for _, v := range s.names {
+			if _, exists := badDrivers[v.DriverName()]; exists {
+				ls = append(ls, v)
+			}
+		}
+		s.globalLock.RUnlock()
+	}
+	return ls, warnings, nil
+}
+
+// Create creates a volume with the given name and driver
+// If the volume needs to be created with a reference to prevent race conditions
+// with volume cleanup, make sure to use the `CreateWithReference` option.
+func (s *VolumeStore) Create(ctx context.Context, name, driverName string, createOpts ...opts.CreateOption) (volume.Volume, error) {
+	var cfg opts.CreateConfig
+	for _, o := range createOpts {
+		o(&cfg)
+	}
+
+	name = normalizeVolumeName(name)
+	s.locks.Lock(name)
+	defer s.locks.Unlock(name)
+
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	default:
+	}
+
+	v, err := s.create(ctx, name, driverName, cfg.Options, cfg.Labels)
+	if err != nil {
+		if _, ok := err.(*OpErr); ok {
+			return nil, err
+		}
+		return nil, &OpErr{Err: err, Name: name, Op: "create"}
+	}
+
+	s.setNamed(v, cfg.Reference)
+	return v, nil
+}
+
+// checkConflict checks the local cache for name collisions with the passed in name,
+// for existing volumes with the same name but in a different driver.
+// This is used by `Create` as a best effort to prevent name collisions for volumes.
+// If a matching volume is found that is not a conflict that is returned so the caller
+// does not need to perform an additional lookup.
+// When no matching volume is found, both returns will be nil
+//
+// Note: This does not probe all the drivers for name collisions because v1 plugins
+// are very slow, particularly if the plugin is down, and cause other issues,
+// particularly around locking the store.
+// TODO(cpuguy83): With v2 plugins this shouldn't be a problem. Could also potentially
+// use a connect timeout for this kind of check to ensure we aren't blocking for a
+// long time.
+func (s *VolumeStore) checkConflict(ctx context.Context, name, driverName string) (volume.Volume, error) {
+	// check the local cache
+	v, _ := s.getNamed(name)
+	if v == nil {
+		return nil, nil
+	}
+
+	vDriverName := v.DriverName()
+	var conflict bool
+	if driverName != "" {
+		// Retrieve canonical driver name to avoid inconsistencies (for example
+		// "plugin" vs. "plugin:latest")
+		vd, err := s.drivers.GetDriver(driverName)
+		if err != nil {
+			return nil, err
+		}
+
+		if vDriverName != vd.Name() {
+			conflict = true
+		}
+	}
+
+	// let's check if the found volume ref
+	// is stale by checking with the driver if it still exists
+	exists, err := volumeExists(ctx, s.drivers, v)
+	if err != nil {
+		return nil, errors.Wrapf(errNameConflict, "found reference to volume '%s' in driver '%s', but got an error while checking the driver: %v", name, vDriverName, err)
+	}
+
+	if exists {
+		if conflict {
+			return nil, errors.Wrapf(errNameConflict, "driver '%s' already has volume '%s'", vDriverName, name)
+		}
+		return v, nil
+	}
+
+	if s.hasRef(v.Name()) {
+		// Containers are referencing this volume but it doesn't seem to exist anywhere.
+		// Return a conflict error here, the user can fix this with `docker volume rm -f`
+		return nil, errors.Wrapf(errNameConflict, "found references to volume '%s' in driver '%s' but the volume was not found in the driver -- you may need to remove containers referencing this volume or force remove the volume to re-create it", name, vDriverName)
+	}
+
+	// doesn't exist, so purge it from the cache
+	s.purge(ctx, name)
+	return nil, nil
+}
+
+// volumeExists returns if the volume is still present in the driver.
+// An error is returned if there was an issue communicating with the driver.
+func volumeExists(ctx context.Context, store *drivers.Store, v volume.Volume) (bool, error) {
+	exists, err := lookupVolume(ctx, store, v.DriverName(), v.Name())
+	if err != nil {
+		return false, err
+	}
+	return exists != nil, nil
+}
+
+// create asks the given driver to create a volume with the name/opts.
+// If a volume with the name is already known, it will ask the stored driver for the volume.
+// If the passed in driver name does not match the driver name which is stored
+//  for the given volume name, an error is returned after checking if the reference is stale.
+// If the reference is stale, it will be purged and this create can continue.
+// It is expected that callers of this function hold any necessary locks.
+func (s *VolumeStore) create(ctx context.Context, name, driverName string, opts, labels map[string]string) (volume.Volume, error) {
+	// Validate the name in a platform-specific manner
+
+	// volume name validation is specific to the host os and not on container image
+	// windows/lcow should have an equivalent volumename validation logic so we create a parser for current host OS
+	parser := volumemounts.NewParser(runtime.GOOS)
+	err := parser.ValidateVolumeName(name)
+	if err != nil {
+		return nil, err
+	}
+
+	v, err := s.checkConflict(ctx, name, driverName)
+	if err != nil {
+		return nil, err
+	}
+
+	if v != nil {
+		// there is an existing volume, if we already have this stored locally, return it.
+		// TODO: there could be some inconsistent details such as labels here
+		if vv, _ := s.getNamed(v.Name()); vv != nil {
+			return vv, nil
+		}
+	}
+
+	// Since there isn't a specified driver name, let's see if any of the existing drivers have this volume name
+	if driverName == "" {
+		v, _ = s.getVolume(ctx, name, "")
+		if v != nil {
+			return v, nil
+		}
+	}
+
+	if driverName == "" {
+		driverName = volume.DefaultDriverName
+	}
+	vd, err := s.drivers.CreateDriver(driverName)
+	if err != nil {
+		return nil, &OpErr{Op: "create", Name: name, Err: err}
+	}
+
+	logrus.Debugf("Registering new volume reference: driver %q, name %q", vd.Name(), name)
+	if v, _ = vd.Get(name); v == nil {
+		v, err = vd.Create(name, opts)
+		if err != nil {
+			if _, err := s.drivers.ReleaseDriver(driverName); err != nil {
+				logrus.WithError(err).WithField("driver", driverName).Error("Error releasing reference to volume driver")
+			}
+			return nil, err
+		}
+	}
+
+	s.globalLock.Lock()
+	s.labels[name] = labels
+	s.options[name] = opts
+	s.refs[name] = make(map[string]struct{})
+	s.globalLock.Unlock()
+
+	metadata := volumeMetadata{
+		Name:    name,
+		Driver:  vd.Name(),
+		Labels:  labels,
+		Options: opts,
+	}
+
+	if err := s.setMeta(name, metadata); err != nil {
+		return nil, err
+	}
+	return volumeWrapper{v, labels, vd.Scope(), opts}, nil
+}
+
+// Get looks if a volume with the given name exists and returns it if so
+func (s *VolumeStore) Get(ctx context.Context, name string, getOptions ...opts.GetOption) (volume.Volume, error) {
+	var cfg opts.GetConfig
+	for _, o := range getOptions {
+		o(&cfg)
+	}
+	name = normalizeVolumeName(name)
+	s.locks.Lock(name)
+	defer s.locks.Unlock(name)
+
+	v, err := s.getVolume(ctx, name, cfg.Driver)
+	if err != nil {
+		return nil, &OpErr{Err: err, Name: name, Op: "get"}
+	}
+	if cfg.Driver != "" && v.DriverName() != cfg.Driver {
+		return nil, &OpErr{Name: name, Op: "get", Err: errdefs.Conflict(errors.New("found volume driver does not match passed in driver"))}
+	}
+	s.setNamed(v, cfg.Reference)
+	return v, nil
+}
+
+// getVolume requests the volume, if the driver info is stored it just accesses that driver,
+// if the driver is unknown it probes all drivers until it finds the first volume with that name.
+// it is expected that callers of this function hold any necessary locks
+func (s *VolumeStore) getVolume(ctx context.Context, name, driverName string) (volume.Volume, error) {
+	var meta volumeMetadata
+	meta, err := s.getMeta(name)
+	if err != nil {
+		return nil, err
+	}
+
+	if driverName != "" {
+		if meta.Driver == "" {
+			meta.Driver = driverName
+		}
+		if driverName != meta.Driver {
+			return nil, errdefs.Conflict(errors.New("provided volume driver does not match stored driver"))
+		}
+	}
+
+	if driverName == "" {
+		driverName = meta.Driver
+	}
+	if driverName == "" {
+		s.globalLock.RLock()
+		select {
+		case <-ctx.Done():
+			s.globalLock.RUnlock()
+			return nil, ctx.Err()
+		default:
+		}
+		v, exists := s.names[name]
+		s.globalLock.RUnlock()
+		if exists {
+			meta.Driver = v.DriverName()
+			if err := s.setMeta(name, meta); err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	if meta.Driver != "" {
+		vol, err := lookupVolume(ctx, s.drivers, meta.Driver, name)
+		if err != nil {
+			return nil, err
+		}
+		if vol == nil {
+			s.purge(ctx, name)
+			return nil, errNoSuchVolume
+		}
+
+		var scope string
+		vd, err := s.drivers.GetDriver(meta.Driver)
+		if err == nil {
+			scope = vd.Scope()
+		}
+		return volumeWrapper{vol, meta.Labels, scope, meta.Options}, nil
+	}
+
+	logrus.Debugf("Probing all drivers for volume with name: %s", name)
+	drivers, err := s.drivers.GetAllDrivers()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, d := range drivers {
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		default:
+		}
+		v, err := d.Get(name)
+		if err != nil || v == nil {
+			continue
+		}
+		meta.Driver = v.DriverName()
+		if err := s.setMeta(name, meta); err != nil {
+			return nil, err
+		}
+		return volumeWrapper{v, meta.Labels, d.Scope(), meta.Options}, nil
+	}
+	return nil, errNoSuchVolume
+}
+
+// lookupVolume gets the specified volume from the specified driver.
+// This will only return errors related to communications with the driver.
+// If the driver returns an error that is not communication related the
+//   error is logged but not returned.
+// If the volume is not found it will return `nil, nil``
+// TODO(@cpuguy83): plumb through the context to lower level components
+func lookupVolume(ctx context.Context, store *drivers.Store, driverName, volumeName string) (volume.Volume, error) {
+	if driverName == "" {
+		driverName = volume.DefaultDriverName
+	}
+	vd, err := store.GetDriver(driverName)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error while checking if volume %q exists in driver %q", volumeName, driverName)
+	}
+	v, err := vd.Get(volumeName)
+	if err != nil {
+		err = errors.Cause(err)
+		if _, ok := err.(net.Error); ok {
+			if v != nil {
+				volumeName = v.Name()
+				driverName = v.DriverName()
+			}
+			return nil, errors.Wrapf(err, "error while checking if volume %q exists in driver %q", volumeName, driverName)
+		}
+
+		// At this point, the error could be anything from the driver, such as "no such volume"
+		// Let's not check an error here, and instead check if the driver returned a volume
+		logrus.WithError(err).WithField("driver", driverName).WithField("volume", volumeName).Debug("Error while looking up volume")
+	}
+	return v, nil
+}
+
+// Remove removes the requested volume. A volume is not removed if it has any refs
+func (s *VolumeStore) Remove(ctx context.Context, v volume.Volume, rmOpts ...opts.RemoveOption) error {
+	var cfg opts.RemoveConfig
+	for _, o := range rmOpts {
+		o(&cfg)
+	}
+
+	name := v.Name()
+	s.locks.Lock(name)
+	defer s.locks.Unlock(name)
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+	}
+
+	if s.hasRef(name) {
+		return &OpErr{Err: errVolumeInUse, Name: name, Op: "remove", Refs: s.getRefs(name)}
+	}
+
+	v, err := s.getVolume(ctx, name, v.DriverName())
+	if err != nil {
+		return err
+	}
+
+	vd, err := s.drivers.GetDriver(v.DriverName())
+	if err != nil {
+		return &OpErr{Err: err, Name: v.DriverName(), Op: "remove"}
+	}
+
+	logrus.Debugf("Removing volume reference: driver %s, name %s", v.DriverName(), name)
+	vol := unwrapVolume(v)
+
+	err = vd.Remove(vol)
+	if err != nil {
+		err = &OpErr{Err: err, Name: name, Op: "remove"}
+	}
+
+	if err == nil || cfg.PurgeOnError {
+		if e := s.purge(ctx, name); e != nil && err == nil {
+			err = e
+		}
+	}
+	return err
+}
+
+// Release releases the specified reference to the volume
+func (s *VolumeStore) Release(ctx context.Context, name string, ref string) error {
+	s.locks.Lock(name)
+	defer s.locks.Unlock(name)
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+	}
+
+	s.globalLock.Lock()
+	defer s.globalLock.Unlock()
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+	}
+
+	if s.refs[name] != nil {
+		delete(s.refs[name], ref)
+	}
+	return nil
+}
+
+// CountReferences gives a count of all references for a given volume.
+func (s *VolumeStore) CountReferences(v volume.Volume) int {
+	name := normalizeVolumeName(v.Name())
+
+	s.locks.Lock(name)
+	defer s.locks.Unlock(name)
+	s.globalLock.Lock()
+	defer s.globalLock.Unlock()
+
+	return len(s.refs[name])
+}
+
+func unwrapVolume(v volume.Volume) volume.Volume {
+	if vol, ok := v.(volumeWrapper); ok {
+		return vol.Volume
+	}
+
+	return v
+}
+
+// Shutdown releases all resources used by the volume store
+// It does not make any changes to volumes, drivers, etc.
+func (s *VolumeStore) Shutdown() error {
+	return s.db.Close()
+}
diff --git a/engine/volume/service/store_test.go b/engine/volume/service/store_test.go
new file mode 100644
index 00000000..53345f31
--- /dev/null
+++ b/engine/volume/service/store_test.go
@@ -0,0 +1,421 @@
+package service // import "github.com/docker/docker/volume/service"
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/volume"
+	volumedrivers "github.com/docker/docker/volume/drivers"
+	"github.com/docker/docker/volume/service/opts"
+	volumetestutils "github.com/docker/docker/volume/testutils"
+	"github.com/google/go-cmp/cmp"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestCreate(t *testing.T) {
+	t.Parallel()
+
+	s, cleanup := setupTest(t)
+	defer cleanup()
+	s.drivers.Register(volumetestutils.NewFakeDriver("fake"), "fake")
+
+	ctx := context.Background()
+	v, err := s.Create(ctx, "fake1", "fake")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if v.Name() != "fake1" {
+		t.Fatalf("Expected fake1 volume, got %v", v)
+	}
+	if l, _, _ := s.Find(ctx, nil); len(l) != 1 {
+		t.Fatalf("Expected 1 volume in the store, got %v: %v", len(l), l)
+	}
+
+	if _, err := s.Create(ctx, "none", "none"); err == nil {
+		t.Fatalf("Expected unknown driver error, got nil")
+	}
+
+	_, err = s.Create(ctx, "fakeerror", "fake", opts.WithCreateOptions(map[string]string{"error": "create error"}))
+	expected := &OpErr{Op: "create", Name: "fakeerror", Err: errors.New("create error")}
+	if err != nil && err.Error() != expected.Error() {
+		t.Fatalf("Expected create fakeError: create error, got %v", err)
+	}
+}
+
+func TestRemove(t *testing.T) {
+	t.Parallel()
+
+	s, cleanup := setupTest(t)
+	defer cleanup()
+
+	s.drivers.Register(volumetestutils.NewFakeDriver("fake"), "fake")
+	s.drivers.Register(volumetestutils.NewFakeDriver("noop"), "noop")
+
+	ctx := context.Background()
+
+	// doing string compare here since this error comes directly from the driver
+	expected := "no such volume"
+	var v volume.Volume = volumetestutils.NoopVolume{}
+	if err := s.Remove(ctx, v); err == nil || !strings.Contains(err.Error(), expected) {
+		t.Fatalf("Expected error %q, got %v", expected, err)
+	}
+
+	v, err := s.Create(ctx, "fake1", "fake", opts.WithCreateReference("fake"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err := s.Remove(ctx, v); !IsInUse(err) {
+		t.Fatalf("Expected ErrVolumeInUse error, got %v", err)
+	}
+	s.Release(ctx, v.Name(), "fake")
+	if err := s.Remove(ctx, v); err != nil {
+		t.Fatal(err)
+	}
+	if l, _, _ := s.Find(ctx, nil); len(l) != 0 {
+		t.Fatalf("Expected 0 volumes in the store, got %v, %v", len(l), l)
+	}
+}
+
+func TestList(t *testing.T) {
+	t.Parallel()
+
+	dir, err := ioutil.TempDir("", "test-list")
+	assert.NilError(t, err)
+	defer os.RemoveAll(dir)
+
+	drivers := volumedrivers.NewStore(nil)
+	drivers.Register(volumetestutils.NewFakeDriver("fake"), "fake")
+	drivers.Register(volumetestutils.NewFakeDriver("fake2"), "fake2")
+
+	s, err := NewStore(dir, drivers)
+	assert.NilError(t, err)
+
+	ctx := context.Background()
+	if _, err := s.Create(ctx, "test", "fake"); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := s.Create(ctx, "test2", "fake2"); err != nil {
+		t.Fatal(err)
+	}
+
+	ls, _, err := s.Find(ctx, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(ls) != 2 {
+		t.Fatalf("expected 2 volumes, got: %d", len(ls))
+	}
+	if err := s.Shutdown(); err != nil {
+		t.Fatal(err)
+	}
+
+	// and again with a new store
+	s, err = NewStore(dir, drivers)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ls, _, err = s.Find(ctx, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(ls) != 2 {
+		t.Fatalf("expected 2 volumes, got: %d", len(ls))
+	}
+}
+
+func TestFindByDriver(t *testing.T) {
+	t.Parallel()
+	s, cleanup := setupTest(t)
+	defer cleanup()
+
+	assert.Assert(t, s.drivers.Register(volumetestutils.NewFakeDriver("fake"), "fake"))
+	assert.Assert(t, s.drivers.Register(volumetestutils.NewFakeDriver("noop"), "noop"))
+
+	ctx := context.Background()
+	_, err := s.Create(ctx, "fake1", "fake")
+	assert.NilError(t, err)
+
+	_, err = s.Create(ctx, "fake2", "fake")
+	assert.NilError(t, err)
+
+	_, err = s.Create(ctx, "fake3", "noop")
+	assert.NilError(t, err)
+
+	l, _, err := s.Find(ctx, ByDriver("fake"))
+	assert.NilError(t, err)
+	assert.Equal(t, len(l), 2)
+
+	l, _, err = s.Find(ctx, ByDriver("noop"))
+	assert.NilError(t, err)
+	assert.Equal(t, len(l), 1)
+
+	l, _, err = s.Find(ctx, ByDriver("nosuchdriver"))
+	assert.NilError(t, err)
+	assert.Equal(t, len(l), 0)
+}
+
+func TestFindByReferenced(t *testing.T) {
+	t.Parallel()
+	s, cleanup := setupTest(t)
+	defer cleanup()
+
+	s.drivers.Register(volumetestutils.NewFakeDriver("fake"), "fake")
+	s.drivers.Register(volumetestutils.NewFakeDriver("noop"), "noop")
+
+	ctx := context.Background()
+	if _, err := s.Create(ctx, "fake1", "fake", opts.WithCreateReference("volReference")); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := s.Create(ctx, "fake2", "fake"); err != nil {
+		t.Fatal(err)
+	}
+
+	dangling, _, err := s.Find(ctx, ByReferenced(false))
+	assert.Assert(t, err)
+	assert.Assert(t, len(dangling) == 1)
+	assert.Check(t, dangling[0].Name() == "fake2")
+
+	used, _, err := s.Find(ctx, ByReferenced(true))
+	assert.Assert(t, err)
+	assert.Assert(t, len(used) == 1)
+	assert.Check(t, used[0].Name() == "fake1")
+}
+
+func TestDerefMultipleOfSameRef(t *testing.T) {
+	t.Parallel()
+	s, cleanup := setupTest(t)
+	defer cleanup()
+	s.drivers.Register(volumetestutils.NewFakeDriver("fake"), "fake")
+
+	ctx := context.Background()
+	v, err := s.Create(ctx, "fake1", "fake", opts.WithCreateReference("volReference"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := s.Get(ctx, "fake1", opts.WithGetDriver("fake"), opts.WithGetReference("volReference")); err != nil {
+		t.Fatal(err)
+	}
+
+	s.Release(ctx, v.Name(), "volReference")
+	if err := s.Remove(ctx, v); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestCreateKeepOptsLabelsWhenExistsRemotely(t *testing.T) {
+	t.Parallel()
+	s, cleanup := setupTest(t)
+	defer cleanup()
+
+	vd := volumetestutils.NewFakeDriver("fake")
+	s.drivers.Register(vd, "fake")
+
+	// Create a volume in the driver directly
+	if _, err := vd.Create("foo", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	ctx := context.Background()
+	v, err := s.Create(ctx, "foo", "fake", opts.WithCreateLabels(map[string]string{"hello": "world"}))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	switch dv := v.(type) {
+	case volume.DetailedVolume:
+		if dv.Labels()["hello"] != "world" {
+			t.Fatalf("labels don't match")
+		}
+	default:
+		t.Fatalf("got unexpected type: %T", v)
+	}
+}
+
+func TestDefererencePluginOnCreateError(t *testing.T) {
+	t.Parallel()
+
+	var (
+		l   net.Listener
+		err error
+	)
+
+	for i := 32768; l == nil && i < 40000; i++ {
+		l, err = net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", i))
+	}
+	if l == nil {
+		t.Fatalf("could not create listener: %v", err)
+	}
+	defer l.Close()
+
+	s, cleanup := setupTest(t)
+	defer cleanup()
+
+	d := volumetestutils.NewFakeDriver("TestDefererencePluginOnCreateError")
+	p, err := volumetestutils.MakeFakePlugin(d, l)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pg := volumetestutils.NewFakePluginGetter(p)
+	s.drivers = volumedrivers.NewStore(pg)
+
+	ctx := context.Background()
+	// create a good volume so we have a plugin reference
+	_, err = s.Create(ctx, "fake1", d.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Now create another one expecting an error
+	_, err = s.Create(ctx, "fake2", d.Name(), opts.WithCreateOptions(map[string]string{"error": "some error"}))
+	if err == nil || !strings.Contains(err.Error(), "some error") {
+		t.Fatalf("expected an error on create: %v", err)
+	}
+
+	// There should be only 1 plugin reference
+	if refs := volumetestutils.FakeRefs(p); refs != 1 {
+		t.Fatalf("expected 1 plugin reference, got: %d", refs)
+	}
+}
+
+func TestRefDerefRemove(t *testing.T) {
+	t.Parallel()
+
+	driverName := "test-ref-deref-remove"
+	s, cleanup := setupTest(t)
+	defer cleanup()
+	s.drivers.Register(volumetestutils.NewFakeDriver(driverName), driverName)
+
+	ctx := context.Background()
+	v, err := s.Create(ctx, "test", driverName, opts.WithCreateReference("test-ref"))
+	assert.NilError(t, err)
+
+	err = s.Remove(ctx, v)
+	assert.Assert(t, is.ErrorContains(err, ""))
+	assert.Equal(t, errVolumeInUse, err.(*OpErr).Err)
+
+	s.Release(ctx, v.Name(), "test-ref")
+	err = s.Remove(ctx, v)
+	assert.NilError(t, err)
+}
+
+func TestGet(t *testing.T) {
+	t.Parallel()
+
+	driverName := "test-get"
+	s, cleanup := setupTest(t)
+	defer cleanup()
+	s.drivers.Register(volumetestutils.NewFakeDriver(driverName), driverName)
+
+	ctx := context.Background()
+	_, err := s.Get(ctx, "not-exist")
+	assert.Assert(t, is.ErrorContains(err, ""))
+	assert.Equal(t, errNoSuchVolume, err.(*OpErr).Err)
+
+	v1, err := s.Create(ctx, "test", driverName, opts.WithCreateLabels(map[string]string{"a": "1"}))
+	assert.NilError(t, err)
+
+	v2, err := s.Get(ctx, "test")
+	assert.NilError(t, err)
+	assert.DeepEqual(t, v1, v2, cmpVolume)
+
+	dv := v2.(volume.DetailedVolume)
+	assert.Equal(t, "1", dv.Labels()["a"])
+
+	err = s.Remove(ctx, v1)
+	assert.NilError(t, err)
+}
+
+func TestGetWithReference(t *testing.T) {
+	t.Parallel()
+
+	driverName := "test-get-with-ref"
+	s, cleanup := setupTest(t)
+	defer cleanup()
+	s.drivers.Register(volumetestutils.NewFakeDriver(driverName), driverName)
+
+	ctx := context.Background()
+	_, err := s.Get(ctx, "not-exist", opts.WithGetDriver(driverName), opts.WithGetReference("test-ref"))
+	assert.Assert(t, is.ErrorContains(err, ""))
+
+	v1, err := s.Create(ctx, "test", driverName, opts.WithCreateLabels(map[string]string{"a": "1"}))
+	assert.NilError(t, err)
+
+	v2, err := s.Get(ctx, "test", opts.WithGetDriver(driverName), opts.WithGetReference("test-ref"))
+	assert.NilError(t, err)
+	assert.DeepEqual(t, v1, v2, cmpVolume)
+
+	err = s.Remove(ctx, v2)
+	assert.Assert(t, is.ErrorContains(err, ""))
+	assert.Equal(t, errVolumeInUse, err.(*OpErr).Err)
+
+	s.Release(ctx, v2.Name(), "test-ref")
+	err = s.Remove(ctx, v2)
+	assert.NilError(t, err)
+}
+
+var cmpVolume = cmp.AllowUnexported(volumetestutils.FakeVolume{}, volumeWrapper{})
+
+func setupTest(t *testing.T) (*VolumeStore, func()) {
+	t.Helper()
+
+	dirName := strings.Replace(t.Name(), string(os.PathSeparator), "_", -1)
+	dir, err := ioutil.TempDir("", dirName)
+	assert.NilError(t, err)
+
+	cleanup := func() {
+		t.Helper()
+		err := os.RemoveAll(dir)
+		assert.Check(t, err)
+	}
+
+	s, err := NewStore(dir, volumedrivers.NewStore(nil))
+	assert.Check(t, err)
+	return s, func() {
+		s.Shutdown()
+		cleanup()
+	}
+}
+
+func TestFilterFunc(t *testing.T) {
+	testDriver := volumetestutils.NewFakeDriver("test")
+	testVolume, err := testDriver.Create("test", nil)
+	assert.NilError(t, err)
+	testVolume2, err := testDriver.Create("test2", nil)
+	assert.NilError(t, err)
+	testVolume3, err := testDriver.Create("test3", nil)
+	assert.NilError(t, err)
+
+	for _, test := range []struct {
+		vols   []volume.Volume
+		fn     filterFunc
+		desc   string
+		expect []volume.Volume
+	}{
+		{desc: "test nil list", vols: nil, expect: nil, fn: func(volume.Volume) bool { return true }},
+		{desc: "test empty list", vols: []volume.Volume{}, expect: []volume.Volume{}, fn: func(volume.Volume) bool { return true }},
+		{desc: "test filter non-empty to empty", vols: []volume.Volume{testVolume}, expect: []volume.Volume{}, fn: func(volume.Volume) bool { return false }},
+		{desc: "test nothing to fitler non-empty list", vols: []volume.Volume{testVolume}, expect: []volume.Volume{testVolume}, fn: func(volume.Volume) bool { return true }},
+		{desc: "test filter some", vols: []volume.Volume{testVolume, testVolume2}, expect: []volume.Volume{testVolume}, fn: func(v volume.Volume) bool { return v.Name() == testVolume.Name() }},
+		{desc: "test filter middle", vols: []volume.Volume{testVolume, testVolume2, testVolume3}, expect: []volume.Volume{testVolume, testVolume3}, fn: func(v volume.Volume) bool { return v.Name() != testVolume2.Name() }},
+		{desc: "test filter middle and last", vols: []volume.Volume{testVolume, testVolume2, testVolume3}, expect: []volume.Volume{testVolume}, fn: func(v volume.Volume) bool { return v.Name() != testVolume2.Name() && v.Name() != testVolume3.Name() }},
+		{desc: "test filter first and last", vols: []volume.Volume{testVolume, testVolume2, testVolume3}, expect: []volume.Volume{testVolume2}, fn: func(v volume.Volume) bool { return v.Name() != testVolume.Name() && v.Name() != testVolume3.Name() }},
+	} {
+		t.Run(test.desc, func(t *testing.T) {
+			test := test
+			t.Parallel()
+
+			filter(&test.vols, test.fn)
+			assert.DeepEqual(t, test.vols, test.expect, cmpVolume)
+		})
+	}
+}
diff --git a/engine/volume/service/store_unix.go b/engine/volume/service/store_unix.go
new file mode 100644
index 00000000..4ccc4b99
--- /dev/null
+++ b/engine/volume/service/store_unix.go
@@ -0,0 +1,9 @@
+// +build linux freebsd darwin
+
+package service // import "github.com/docker/docker/volume/service"
+
+// normalizeVolumeName is a platform specific function to normalize the name
+// of a volume. This is a no-op on Unix-like platforms
+func normalizeVolumeName(name string) string {
+	return name
+}
diff --git a/engine/volume/service/store_windows.go b/engine/volume/service/store_windows.go
new file mode 100644
index 00000000..bd46a689
--- /dev/null
+++ b/engine/volume/service/store_windows.go
@@ -0,0 +1,12 @@
+package service // import "github.com/docker/docker/volume/service"
+
+import "strings"
+
+// normalizeVolumeName is a platform specific function to normalize the name
+// of a volume. On Windows, as NTFS is case insensitive, under
+// c:\ProgramData\Docker\Volumes\, the folders John and john would be synonymous.
+// Hence we can't allow the volume "John" and "john" to be created as separate
+// volumes.
+func normalizeVolumeName(name string) string {
+	return strings.ToLower(name)
+}
diff --git a/engine/volume/testutils/testutils.go b/engine/volume/testutils/testutils.go
new file mode 100644
index 00000000..0a20a355
--- /dev/null
+++ b/engine/volume/testutils/testutils.go
@@ -0,0 +1,230 @@
+package testutils // import "github.com/docker/docker/volume/testutils"
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/docker/docker/pkg/plugingetter"
+	"github.com/docker/docker/pkg/plugins"
+	"github.com/docker/docker/volume"
+)
+
+// NoopVolume is a volume that doesn't perform any operation
+type NoopVolume struct{}
+
+// Name is the name of the volume
+func (NoopVolume) Name() string { return "noop" }
+
+// DriverName is the name of the driver
+func (NoopVolume) DriverName() string { return "noop" }
+
+// Path is the filesystem path to the volume
+func (NoopVolume) Path() string { return "noop" }
+
+// Mount mounts the volume in the container
+func (NoopVolume) Mount(_ string) (string, error) { return "noop", nil }
+
+// Unmount unmounts the volume from the container
+func (NoopVolume) Unmount(_ string) error { return nil }
+
+// Status provides low-level details about the volume
+func (NoopVolume) Status() map[string]interface{} { return nil }
+
+// CreatedAt provides the time the volume (directory) was created at
+func (NoopVolume) CreatedAt() (time.Time, error) { return time.Now(), nil }
+
+// FakeVolume is a fake volume with a random name
+type FakeVolume struct {
+	name       string
+	driverName string
+	createdAt  time.Time
+}
+
+// NewFakeVolume creates a new fake volume for testing
+func NewFakeVolume(name string, driverName string) volume.Volume {
+	return FakeVolume{name: name, driverName: driverName, createdAt: time.Now()}
+}
+
+// Name is the name of the volume
+func (f FakeVolume) Name() string { return f.name }
+
+// DriverName is the name of the driver
+func (f FakeVolume) DriverName() string { return f.driverName }
+
+// Path is the filesystem path to the volume
+func (FakeVolume) Path() string { return "fake" }
+
+// Mount mounts the volume in the container
+func (FakeVolume) Mount(_ string) (string, error) { return "fake", nil }
+
+// Unmount unmounts the volume from the container
+func (FakeVolume) Unmount(_ string) error { return nil }
+
+// Status provides low-level details about the volume
+func (FakeVolume) Status() map[string]interface{} {
+	return map[string]interface{}{"datakey": "datavalue"}
+}
+
+// CreatedAt provides the time the volume (directory) was created at
+func (f FakeVolume) CreatedAt() (time.Time, error) {
+	return f.createdAt, nil
+}
+
+// FakeDriver is a driver that generates fake volumes
+type FakeDriver struct {
+	name string
+	vols map[string]volume.Volume
+}
+
+// NewFakeDriver creates a new FakeDriver with the specified name
+func NewFakeDriver(name string) volume.Driver {
+	return &FakeDriver{
+		name: name,
+		vols: make(map[string]volume.Volume),
+	}
+}
+
+// Name is the name of the driver
+func (d *FakeDriver) Name() string { return d.name }
+
+// Create initializes a fake volume.
+// It returns an error if the options include an "error" key with a message
+func (d *FakeDriver) Create(name string, opts map[string]string) (volume.Volume, error) {
+	if opts != nil && opts["error"] != "" {
+		return nil, fmt.Errorf(opts["error"])
+	}
+	v := NewFakeVolume(name, d.name)
+	d.vols[name] = v
+	return v, nil
+}
+
+// Remove deletes a volume.
+func (d *FakeDriver) Remove(v volume.Volume) error {
+	if _, exists := d.vols[v.Name()]; !exists {
+		return fmt.Errorf("no such volume")
+	}
+	delete(d.vols, v.Name())
+	return nil
+}
+
+// List lists the volumes
+func (d *FakeDriver) List() ([]volume.Volume, error) {
+	var vols []volume.Volume
+	for _, v := range d.vols {
+		vols = append(vols, v)
+	}
+	return vols, nil
+}
+
+// Get gets the volume
+func (d *FakeDriver) Get(name string) (volume.Volume, error) {
+	if v, exists := d.vols[name]; exists {
+		return v, nil
+	}
+	return nil, fmt.Errorf("no such volume")
+}
+
+// Scope returns the local scope
+func (*FakeDriver) Scope() string {
+	return "local"
+}
+
+type fakePlugin struct {
+	client *plugins.Client
+	name   string
+	refs   int
+}
+
+// MakeFakePlugin creates a fake plugin from the passed in driver
+// Note: currently only "Create" is implemented because that's all that's needed
+// so far. If you need it to test something else, add it here, but probably you
+// shouldn't need to use this except for very specific cases with v2 plugin handling.
+func MakeFakePlugin(d volume.Driver, l net.Listener) (plugingetter.CompatPlugin, error) {
+	c, err := plugins.NewClient(l.Addr().Network()+"://"+l.Addr().String(), nil)
+	if err != nil {
+		return nil, err
+	}
+	mux := http.NewServeMux()
+
+	mux.HandleFunc("/VolumeDriver.Create", func(w http.ResponseWriter, r *http.Request) {
+		createReq := struct {
+			Name string
+			Opts map[string]string
+		}{}
+		if err := json.NewDecoder(r.Body).Decode(&createReq); err != nil {
+			fmt.Fprintf(w, `{"Err": "%s"}`, err.Error())
+			return
+		}
+		_, err := d.Create(createReq.Name, createReq.Opts)
+		if err != nil {
+			fmt.Fprintf(w, `{"Err": "%s"}`, err.Error())
+			return
+		}
+		w.Write([]byte("{}"))
+	})
+
+	go http.Serve(l, mux)
+	return &fakePlugin{client: c, name: d.Name()}, nil
+}
+
+func (p *fakePlugin) Client() *plugins.Client {
+	return p.client
+}
+
+func (p *fakePlugin) Name() string {
+	return p.name
+}
+
+func (p *fakePlugin) IsV1() bool {
+	return false
+}
+
+func (p *fakePlugin) ScopedPath(s string) string {
+	return s
+}
+
+type fakePluginGetter struct {
+	plugins map[string]plugingetter.CompatPlugin
+}
+
+// NewFakePluginGetter returns a plugin getter for fake plugins
+func NewFakePluginGetter(pls ...plugingetter.CompatPlugin) plugingetter.PluginGetter {
+	idx := make(map[string]plugingetter.CompatPlugin, len(pls))
+	for _, p := range pls {
+		idx[p.Name()] = p
+	}
+	return &fakePluginGetter{plugins: idx}
+}
+
+// This ignores the second argument since we only care about volume drivers here,
+// there shouldn't be any other kind of plugin in here
+func (g *fakePluginGetter) Get(name, _ string, mode int) (plugingetter.CompatPlugin, error) {
+	p, ok := g.plugins[name]
+	if !ok {
+		return nil, errors.New("not found")
+	}
+	p.(*fakePlugin).refs += mode
+	return p, nil
+}
+
+func (g *fakePluginGetter) GetAllByCap(capability string) ([]plugingetter.CompatPlugin, error) {
+	panic("GetAllByCap shouldn't be called")
+}
+
+func (g *fakePluginGetter) GetAllManagedPluginsByCap(capability string) []plugingetter.CompatPlugin {
+	panic("GetAllManagedPluginsByCap should not be called")
+}
+
+func (g *fakePluginGetter) Handle(capability string, callback func(string, *plugins.Client)) {
+	panic("Handle should not be called")
+}
+
+// FakeRefs checks ref count on a fake plugin.
+func FakeRefs(p plugingetter.CompatPlugin) int {
+	// this should panic if something other than a `*fakePlugin` is passed in
+	return p.(*fakePlugin).refs
+}
diff --git a/engine/volume/volume.go b/engine/volume/volume.go
new file mode 100644
index 00000000..61c82439
--- /dev/null
+++ b/engine/volume/volume.go
@@ -0,0 +1,69 @@
+package volume // import "github.com/docker/docker/volume"
+
+import (
+	"time"
+)
+
+// DefaultDriverName is the driver name used for the driver
+// implemented in the local package.
+const DefaultDriverName = "local"
+
+// Scopes define if a volume has is cluster-wide (global) or local only.
+// Scopes are returned by the volume driver when it is queried for capabilities and then set on a volume
+const (
+	LocalScope  = "local"
+	GlobalScope = "global"
+)
+
+// Driver is for creating and removing volumes.
+type Driver interface {
+	// Name returns the name of the volume driver.
+	Name() string
+	// Create makes a new volume with the given name.
+	Create(name string, opts map[string]string) (Volume, error)
+	// Remove deletes the volume.
+	Remove(vol Volume) (err error)
+	// List lists all the volumes the driver has
+	List() ([]Volume, error)
+	// Get retrieves the volume with the requested name
+	Get(name string) (Volume, error)
+	// Scope returns the scope of the driver (e.g. `global` or `local`).
+	// Scope determines how the driver is handled at a cluster level
+	Scope() string
+}
+
+// Capability defines a set of capabilities that a driver is able to handle.
+type Capability struct {
+	// Scope is the scope of the driver, `global` or `local`
+	// A `global` scope indicates that the driver manages volumes across the cluster
+	// A `local` scope indicates that the driver only manages volumes resources local to the host
+	// Scope is declared by the driver
+	Scope string
+}
+
+// Volume is a place to store data. It is backed by a specific driver, and can be mounted.
+type Volume interface {
+	// Name returns the name of the volume
+	Name() string
+	// DriverName returns the name of the driver which owns this volume.
+	DriverName() string
+	// Path returns the absolute path to the volume.
+	Path() string
+	// Mount mounts the volume and returns the absolute path to
+	// where it can be consumed.
+	Mount(id string) (string, error)
+	// Unmount unmounts the volume when it is no longer in use.
+	Unmount(id string) error
+	// CreatedAt returns Volume Creation time
+	CreatedAt() (time.Time, error)
+	// Status returns low-level status information about a volume
+	Status() map[string]interface{}
+}
+
+// DetailedVolume wraps a Volume with user-defined labels, options, and cluster scope (e.g., `local` or `global`)
+type DetailedVolume interface {
+	Labels() map[string]string
+	Options() map[string]string
+	Scope() string
+	Volume
+}
-- 
2.30.2